Date: 15th May

Thank you Tutor Lambert and all partners who have been working hard these months. Focus on study and you will get your rewards at the right time.

Updates have been updated in the RDP. My advice is to practice and understand the topology so if questions change you can resolve them by yourself.

Diag H2
Diag: H2+ Same with WB
filter key word: icmpv6.type == 134
and first frame id is 227 (FE80::666)
I remember the static route command:
R2(config)#ip mroute

1)What is the issue
R3 has no route to RP

2) What will you ask your engineer?
why is not in R3's RIB.

3) How to deal with the current issues temporarily?
R3 (config) ip route

---> follow workbook to finish it


Don't configure ip helper-address and ip dhcp relay information trusted on SW3/SW4 first.

Same wb

Advice when you are preparing
-Understand very well the topology and protocols used in each TS or CFG
-Practice verification commands (for preconfiguration)
-Read and understand the requirements.
-Follow the workbook solution in its way or your way to practice.

Good luck to all of you.

TS2 Diag2 H3

Date: 10th May

Configuration H3:
-On HQ and DC1 I add ip multicast routing over all devices; without it, multicast doesn't work.
-On DC1 check the router IDs for OSPF. Add BGP router IDs in any devices.
-The OSPF process between R42 and R100 is 2 not 10.

Diag2 the same with Yang's feedback

Q1 SW400/SW401 add vlan access-map ATTACK 20 action forward,R40 rent time 2hours.
Q2. Same
Q4 route-map add to BGP out
Q5 same
Q6 same
Q7 R12, R2, R3, R5 ldp lost (it has mpls ip, but wrong one), R1 loopback0 add to OSPF, R5 RT export wrong
Q8 SW300/SW301's vlan2000/vlan2001 all without ip dhcp relay information trust, SW310 without ip dhcp snooping information op
Q9 same
Q10 R24/R25 ,NAT without outside,delete and add outside

Advice: please read Yang's feedback on the lab; it was really helpful to me and to two guys who took the same exam

TS1 DiagH2++ H3

Date: 8th May

PC101 doesn't get an IP.
-Mac Security configuration has the incorrect mac on the SW2 port. Solution: delete the bad mac and add the correct mac in the SW2 port security configuration for PC101.
-The configuration on e0/0 on PC101 was ip address dhcp client-id Ethernet0/0 hostname PC101. Solution: Scope R8 to PC101 add the host option.
Q2 Q3 Q4 Q5 Q6 Q7…. R3 R4 R5 R6…..

I change the route target export on R5 and R6 by 65100:5 and 65100:6 and also I change the Route target imports over R3 and R4.


Diag 2++
Same as spoto.

Config H3.
Same as spoto. I follow spoto solution.
-On HQ and DC1 I add ip multicast routing over all devices; without it, multicast doesn't work.
-On DC1 check the router IDs for OSPF. Add BGP router IDs in any devices.
-The OSPF process between R42 and R100 is 2 not 10.

If anyone want the further I wrote u can ask for SPOTO

TS2 H3 H2+

LAB Combo

Troubleshooting : TS2 (new updates)
Diagnostics : H3
Configuration : H2+
Troubleshooting - TS2
Recommendations: Strategize your troubleshooting techniques
Diagnostics - H3

No surprises here. Same as SPOTO.

In the 1st part, seq number was 133 for DHCP discovery packet with source Use 'bootp' here.
In the 2nd part, Server was and Attacker was Use tcp.port==1337 here.

Configuration - H2+

Almost same as SPOTO.

Recommendation: Understand the topology and traffic flow very well

TS1 DiagH3 CFG H2+

Date: 20th April
Troubleshooting : TS1
Diagnostics : H3
Configuration : H2+

Troubleshooting - TS1

I did all the SPOTO TS Labs and got completely familiar with the scenario. I finished the TS in 90 min.

Diagnostics - H3
Same as Spoto's workbook.

Configuration - H2+
Generally speaking, largely compatible with the SPOTO workbook; only 4.1 about QoS, it was saying "do not use access list". I left it unanswered.

Basic config (time consuming) was already done, e.g. putting the branch routers in the VRF and re-entering the IP address. It was good as you can focus on the main items.

Important note: although the basic configs were there, some of the IP addresses were not configured properly. I was troubleshooting the BGP connection and finally realized that the IP address was not based on the diagram. So, verify the IPs and basic config. One router-id was not configured correctly, and one BGP network command was used for a loopback interface with the wrong IP; I needed to correct the network in BGP.

Try to have some kind of guideline for yourself. To explain more: I had in my mind that I have to put 6 "ip nhrp" commands in the tunnel, then I put the rest of the commands in front of each (e.g. ip nhrp nhs). During the exam there is a lot of stress; I didn't want to forget one command and waste my time troubleshooting, so for the DMVPN configuration I knew that I need 6 "ip nhrp" and 4 "tunnel" commands. Similar concept for iBGP or MPLS.

My last recommendation, keep the last half an hour, I did one more review for the whole requirements and realized some small items were missed, fixed them and verified again.

Good luck all in your hard way and God bless you and your family
(CCIE path gives you and your family a hard time)


SW acl no seq 10 and 30
SW111 int et 1/2  no ip ospf cost  9
R23 loo0    no ip ospf  10 a 0 change to ip ospf 1 a 0. R22 change origin to igp
R21 route-map do not use , use it under bgp  
Change R60 tunnel0 mask
R15 bgp do not network ipv6 segment ,SW111 vlan2001 do not network ipv6 segment
R10 ospf: change AD, R5 vrf RT config wrong.

Do not solve it .

Ospf neighbor do not come up,R24tunnel OSPF  network is  PTM,R71 tunnel OSPF network is PTP,change R71 network to PTM

R25 acl do not config outside,copy R24 ip nat outside configuration .


   int et0/0  add ip add dhcp cli e 0/0
R51 had config vrf,do not change RD ,change RT.
R11 R12 R13 R14 R15 R16 ospf had config ,bgp had config,


Q1:SW2 E1/0 MAC address wrong,
shutdown interface first ,
delete the command ,
config correct mac address
no shutdown
Q2:R17 add ppp ipcp route default, clear ip route *
Q3:R2E E2/0 mask is wrong
Q4:R14 distribute list had deny, no the seq of access-list
Q5:R21,ip prefix add 194 segment,R22:BGP add ip next-hop-self
Q6:R25,network mask is wrong
Q7:copy  key configuration of R18 interface tunnel 0  to R19,
     R20  no passive E1/0
Q8:R7 R8  nat, add ip nat inside   R4 R6 E2/0  add ip ospf cost 1000
Q9:compare IPSec VPN configuration of R24 and  R7
Q10:R24 E0/0 config secondary address,delete it ,NAS  E0/0, shutdown no shutdown

TS1 H2 Diag H2 CFG


Q1, did not finish

Q2. r17 missing ppp ipcp route def

Q3. wrong subnet on R21

Q4. amended the access list or something like that on R13, R11 got load balance route to,
but the strange thing was, the metric does not match exam outcome request, R11 is showing both incoming links with large metric
something like xxxxx/7xxxxx.(exam request 1603/1703)

I used over 20 mins checking everything but can't find out why that is. I couldn't match the exam request, so I gave up, as long
as they both had the same incoming metric and load balance

Q5. R12: max path 2, and something else inside the mpls, I can't remember.

Q6. R22 had a wrong ipv6 next hop address

Q7. no ip split-horizon eigrp xxx missing on R15. R15 can ping R19 but not R17 and R18; I copied R19 int t0 config to R17 and R18,
it worked. Also, while PC109 traces user1spokeX, the domain name outcome mismatches the request in the exam; amend it on R15.
I tried for 20 mins to sort the issue in lots of different ways; suddenly the updated outcome matched the exam request 20 mins later,
so don't panic, it takes time.

Q8. R7 ip nat outside missing, R5 and R6 missing export rt , R4 missing net

Q9. crypto map mismatch between R24 and R7, I think it was the group no.

Q10. add a mac address on PC


Same as work book nothing special


1 - ACL on SW1

2- ppp and chap config on R17

3- R22 interface was not in OSPF,
some problem on R5

4- very simple, just R12 with a shut interface

5- always takes me forever.
I changed many things.
R22 had bad RID for Ospf,
R3 had no ospf Nei towards R21

6- Simple fix to next hop

7- R18 had ACL on serial interface and was missing some nhrp commands. All routers needed shortcut, R15 needed redirect

8- Fixed LDP between R1/2,
bad nat on R8, added cost for interface E2/0 on R4/6,
fixed dhcp problem on R104

9- R21 had ACL that needed fixing,
R24 had bad encryption for tunnel,
R23 had bad NAT

10- fixed dhcp config on NAS


H2++ - same as spoto


CFG H1+ - looked like spoto .
I couldn't solve ssh
R20, did everything as per solution but ssh was denied

Couldn't remember encryption commands for DMVPN tunnel on VRF
Trace routes worked beautifully

Really ran out of time but happy I made it

TS2 H3 Diag H2 CFG


1.VACL is wrong,change access-list ,no seq 10 and no seq 30 ip ospf cost 9 (the interface of SW111 connect R15)
3.R23 loopback: OSPF process is wrong ,change OSPF 10 to OSPF 1
R22 and R23 use origin to control path, compare R12 and R13
SW210 ping one of the hop is wrong ,,R13 interface add ip os cost 11
4. R21 had config LP,but do not use it
5. R60 tunnel mask is /32,change to /24
6. SW111, OSPF DO NOT network VLAN 2001,
R15 redistribute OSPFv3 to BGP

7. R10 ospf config "DISTANCE OSPF EXTERNAL 19", change 19 to 219.
R3 RT import wrong,R5 lo0 network wrong ospf process
9.R24 change tunnel interface ospf network,ip os net p2mp change to p2p
ip nat inside source static
Change to
ip nat inside source static

ip nat inside source static
Change to
ip nat outside source static


No 10
No 30
Ospf: no passive interface
Dhcp: change to infinite because lease is short

SW 111: ospf cost is 100
It deleted


This problem did not go well.
TE will succeed by changing origin.
However, the displayed AS-path was not displayed
My result was that the AS number of the third hop was 19999.
But the question was AS number 65002.

the content of BGP was that it did not touch.
I changed the route by setting the OSPF cost of R20 Lo 0  is 0 to   100.

R60 subnet is different. / 32 → / 24

VLAN 111 was not advertised to OSPFv 3 by SW 111.

The process ID of OSPF was different for R1 Lo 0.
In R 10 ospf  external was 19.
It changed to 201.

※ There were things
I was wasted in in ignoring.
· There was a router with mpls ldp router-id lo 0 and mpls label  protocol ldp set in R1 - R6, and a router not configured.

· The route-target imports its own export.
I was worried about changing it.
However, it was described as 2 separate faults in the problem
sentence, and traceroute was the result that was requested and I
ignored it.

SW 300/301: vlan 2000 & 2001 ip dhcp relay information trust
SW 310: ip arp inspection
Dhcp: change to infinite because lease is short

Ospf network type is change

Q 10
Nat pool was set up.
I set up the ip nat outside source static . . .  
Command on R24 and R25 and it was able to telnet.

DIAG H3++ same   as spoto solutions

CFG H1+ same


vlan access-map ATTACK 20
  action forward
int vlan 2001
ip ospf 65001 area 0
router bgp 65001
  nei DC1 next-hop-self

Sw101:int E1/2 no ip ospf cost 1
  no access 1 2
access 1 per
access 2 per

  20 21 do not use route-map, 
route-map LP per 10
  se local 200
router bgp xx
  neighbor xx route-map

in tun 0
  ip ospf net point-to-multi

R15 router bgp 65101
  add ipv6 net *********

int loo 0
  ip ospf 10000 area 0

  route-tar ex 65003:3

  int vlan 2000
   ip dhcp relay infor trusted
in tun 0
  tun key 10000

R24/R25 add ip nat outside

LAB 2+

Layer 2: switch config vlan on exam ,but you need config MSTP by yourself
AS 65002 do not config OSPF, almost interface of access had associate to vlan 999 and shutdown.
R11\R12\R13\R14\SW1\SW2 preconfig with you do not need to config it .

R17\19\20\21  create VRF and associate interface to VRF
EIGRP area use as 1, 5 routers only network E0/0. You need network loopback 0 by yourself
BGP routers had config bgp, but do not config router-id.
R52 and R58 ip address is wrong ,need modify to correct ip address . 


