
Tuesday, May 12, 2015

Passed -- Cisco 300-115 -- Switch

Another one down! Yay! Time for thoughts and comments.

The Test:

  • I used 87 of the allotted 90 minutes to complete 44 questions with a mid-900 score. Remember, there is no going back, so you have to answer the question then and there when it is presented. Waiting for a moment of clarity later in the exam isn't an option. You gotta grind it out right then when the question/scenario comes up.
  • Two or three of the questions had 4-6 parts on configuration review, analysis, troubleshooting and remediation options/recommendations. These chewed up a significant chunk of time. Most of it was spent reading the questions to figure out what they are really asking, plus reviewing the configs. These are the ones where you truly want more screen space. It felt like most of the time was spent using show commands and having to maneuver windows so I could see the relevant information between two or three devices. I'm sure dual monitors would have saved me about 5-10 minutes here.
  • There were three configuration items. The configuration tasks were somewhat long.
    • The steps had to be completed in a specific order compared to what is permitted in real life. I'm sure most people would do the steps in the order I chose. For example, when configuring AAA, I always configure my authentication sources first, then do the actual AAA methods. However, on the test, the AAA methods had to be done first, THEN the authentication source commands worked. That took 5+ minutes of going, "WTF, is there another way of configuring RADIUS/TACACS servers I don't know and didn't practice?" So I launched into the AAA methods and all of a sudden I could do my AAA servers after that. Basically, if the command you -know- works doesn't work right away, try another portion of the question. The failing command may all of a sudden work later.
    • The configuration tasks had LOTS of requirements on a couple of them. Some of the validation for the early items relied upon the completion of the later items. I probably could have read the full question two or three times to figure out what order to do the steps in, but I didn't.
    • As you type your commands and change interface status you may get messages (even if you administratively shut down the interfaces). Int up, protocol up. 2 seconds later, Int down, protocol down. Pretend it's the TV, and don't believe everything you see. Check your interfaces with your show commands. Check the changes you made with the other show commands (trunk, channels, monitor, dot1x, whatever).
  • There were a handful of "review the exhibit, here's a problem, what's the most likely cause or what is the best remediation option" questions.
  • The rest were standard multiple-choice fare, including edge cases: do you know the protocols well, do you know the difference between protocols, etc.
  • I thought there were two questions with no right answers. Example: what happens to a standby track priority when the tracked interface goes down and comes back up? Essentially, nothing in my book. Yes, it decrements, but then it returns to the normal value. The question asked about the end-state value. Neither "no delta" nor "up and return" was on the list.
Study Material:
  • I used CBTNuggets video series from both Jeremy and Keith along with the Safaribooks version of the 300-115 Study Guide from Cisco Press.
    • Jeremy's was a good introduction to most of the topics. There wasn't always a lot of meat in the material in regards to answering the last bullet above.
    • Keith's and Jeremy's labs were very good. Again, I got to the point I could do the labs on my equipment (or at least type the commands in the right order and location) by just looking at the topic that was going to be covered. One of the important points in these labs is to listen for either of them saying something that would make you think, EDGE-case question! I went through Keith's twice and a couple of Jeremy's twice to catch these. The second time through on the labs, I paused the video after the setup and goals were established and tried to complete the task without watching the video. Good practice for the exam simulators.
    • The SafariBooks piece had all the extreme information: what the min is, what the max is, what the timers are, what the defaults are, what the ports/protocols are, etc. Safari also covered RPR, RPR+, SSO, and NSF.
  • Practice tests were those provided by CBTNuggets via Transcender and SelfTest. The content in these bordered on useless. It seemed like 40% of the material was old and dated and not on the test (wireless, voice, CEF, etc). In addition, the explanations were wrong (vtp version 2, not vtp-mode v2 like the explanation given). These were used mostly to get used to deciphering the test questions.
Study Environment
  • Pure GNS3, v1.3. I used the IOU L2 images along with c7200 routers when I could. These did most of the commands. Shortcomings of the images I used:
    • SPAN/RSPAN doesn't work at all. Just typed the commands to practice.
    • Private VLAN doesn't "work". The commands are permitted and required in the correct order. However, the configuration isn't supported so no functional changes are done but the commands are there. The show commands pretty much work, but tell you, yep, it doesn't work.
    • 802.1x not fully implemented on interfaces
    • radius-server host didn't exist
    • lldp doesn't exist
    • vlan acls do not work
    • sdm is not there
    • ip dhcp snooping doesn't work right. commands are available, but turning it on with trusted ports causes DHCP to break. DAI is not there at all.
    • int vlan x; ip add x.x.x.x didn't always work between the IOU devices, especially with FHRP protocols. EIGRP/OSPF would neighbor great, but the FHRPs simply wouldn't see each other. I had to use the 7200 routers for FHRP practice.
    • RPR, RPR+, SSO don't work (duh)
    • Stackwise isn't there (duh)
  • None of these were a deal-breaker. If the command wasn't supported, I just watched the video, typed the command at the right location, reviewed the video results, and moved on. It's all about repetition to memorize the commands.
  • Another thought on GNS3 for practice: seeing the odd messages that shouldn't appear with an admin-down interface made the strangeness on the exam simulator not so shocking.
Overall, the test was pretty much what I expected. I think only one question surprised me in terms of content. The testing objectives lined up well and the official study material did well to cover the objectives. It didn't hurt having 15 years of managing 2000+ campus switches so a lot of it was old hat.

Anyhow, onto TSHOOT. Good luck.

Tuesday, December 9, 2014

IINS 640-554 passed (CCNA Sec, WGU Course CNV1)

Passed. Only with a 918 out of 1000.

Thoughts: This was a test with a high bar to reach. As stated in other notes, make sure you read the documents from the Cisco site beyond the book, the videos from CBTNuggets and Boson's tests. The books and videos will get you close, but the material from the others will get you the rest. I spent a lot of time in the CCP GUI and console the 2 days before the test. I re-reviewed my notes the night before.

GNS3 is almost required. I'm using the most current version, 1.2.1. Here is the practice I used (over and over and over).

  • The Win7client was a VirtualBox machine. It was used to manage all devices, ASDM and CCP. CCP IS dog-ass slow at discovering.
    • One Proc, 2Gigs of RAM, 40G HDD
    • Installed apps included
      • ASDM -- for the ASA
      • CCP -- for the routers
      • Notepad++ -- because I can't remember anything two seconds after I see it
      • Chrome (w/adblock) -- my preferred
      • Tftpd64
        • to move the ASDM image back and forth to the ASA
        • to provide file downloads for the IOS IPS
    • Default gateway was the IOS router (NOT THE ASA)
  • Local/Host workstation
    • Quad core Intel, 16gigs of RAM
    • Connected to ISP router with physical connection. Physical connection is the Local Area Connection 2
    • Served as VPN connection to the ASA.
  • Routers
    • 7200 series with IOS 15.0.x
    • All routers had a 1GE Interface
      • WANFU
        • had qty 2 -- 2 port 100FE cards
        • Was a DHCP client on g0/0 to get an internet-routable IP address. I hate looking at the damn yellow ! network icon on the win7client box.
        • did NAT (hey! a test objective) for other networks.
        • Was known to blow up once IOS firewall was turned on (hey, another test objective!)
      • Area4 & Area5 Routers
        • Single 2 port 100fe cards
        • Not shown interface was the interface used for vpn (f1/1 on both)
    • Ran OSPF as the IGP. Redistributed on WANFU for default route.
  • ASA used the known working image within GNS3. It spent most of its life OFF. It WILL eat a single core of your processor when it is on. Plus it is very fickle about keeping configs between reboots. As this is an entry-level course, redoing the interfaces didn't take long, and was good practice.
  • The VMWare cloud hosted the ACS box. I'll figure out how to reconnect it. 
I ran my practice labs a lot to get the commands down. Seeing enable secret level 6 0 level6pwd looks weird if you don't know what you are seeing. Test-related info in bold. Maybe I'll write out a full step-by-step or some sort of solutions. Right now, please verify your work as you go. I just used this lab to reinforce what Keith Barker's Nuggets taught. I broke most of this out into sections. They can be done independently of each other AFTER the initialization section.
  • Initialization: basic connectivity 
    • Give the routers IP addresses. I like loopbacks, so I added some. Mine were 10.0.255.25x/32. Also, make sure to set the g0/0 to DHCP client on WANFU
    • Get IPv4 routing working. I used OSPF, everything in area0. Don't advertise the 192.168.xx.y nets. They are your site-to-site VPN networks. Notice you don't have to advertise them to get VPN working.
    • Enable IPv6. Give the routers IPv6 addresses on all interfaces. 
    • Get some sort of IPV6 routing working.
    • Check your IPV6 interfaces and routing
      • show ipv6 int brief
      • ping 2001:... source 2001:..
    • Configure NTP. Make WANFU the master (ha!). Use authentication keys. Set Area4 to use WANFU. Area5 will be done later.
  • Configure Users and CCP Login
    • Create the users listed at the privilege listed
    • enable secrets at the appropriate level with correct passwords
      • TEST; login; give some rights.
    • give all the boxes a domain-name (ip domain-name gns3.local is the syntax I used)
    • turn on the web server on each router 
      • turn on both insecure and secure methods
      • use local authentication
    • generate your certs for SSH
    • On all but the Area5 router, turn on AAA authentication and authorization. Area5 gets it in the GUI. That sounds wrong.
      • Authorize exec and commands. Again, use the user accounts for levels. Practice with both default and NAMED method lists. I always set my lists to use local, then 2 or 3 of the other options (group tacacs, enable, local-case, etc). Heck, create 2 types, MYTAC and MYLOCAL, for authentication.
      • Configure the vty lines to use the AAA authentication and authorization, using the methods just created
    • On Area5 Router
      • configure login on the vty terminals WITHOUT AAA.
    • Turn on CCP. CCP FUN time.
      • Create a group of nodes; MYGNS3 is what I called them.
      • I used loopback interfaces. Good practice in RL, but... up to you.
      • Discover your nodes! (Good time to drink, use the facilities, talk to your family, order dinner.) Yeah, it can be slow.
      • Manage Area5 router's AAA in CCP
        • Turn on AAA
        • Configure the exact same method lists as WANFU and Area4
        • Push the config out
      • Manage NTP in CCP for Area5 Router. WANFU is the reference.
    • Back to the consoles. Sad, so sad....
      • Enable views and log in with the root view. You did read what it told you when you turned it on?
      • Create more views! Assign some rights: commands exec all show ip; show ipv6; etc. Test that bad boy.
    • Test everything now. Login right and wrong. 
      • Debug AAA authentication/authorization
      • test aaa group (yeah, no server, so what?). It fails, what a shock.
All right, I think we got most of the basics going and tested. CCP should work. AAA should work using local for SSH/Telnet. All routers are accessible. Life is good. NTP might work. I found NTP tended to cause WANFU to suffer an emotional breakdown and have to be deleted and re-added. Saving would be good if everything works in a way you like. Let's move on!
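Here is what the Area4 side of the initialization section looks like from the console, as an added example that is not from the original post: the users and level-6 enable secret, the named MYTAC and MYLOCAL method lists entered before the TACACS+ server definition (the order the 300-115 post above says the simulator wanted), SSH/HTTP, the vty lines, authenticated NTP toward WANFU, and a parser view. The passwords, the TACACS+ server address and key, WANFU's loopback address and the view name are assumptions.

```cisco
! Added example, not from the post: Area4 router, initialization section.
! Passwords, the TACACS+ address/key and the view name are made up.
hostname Area4
ip domain-name gns3.local
!
username admin privilege 15 secret Adm1n-Pass
username helpdesk privilege 6 secret Help-Pass
enable secret level 6 0 level6pwd
enable secret 0 Enable-Pass
!
! Method lists first, then the server: the order that worked on the exam.
aaa new-model
aaa authentication login MYTAC group tacacs+ local
aaa authentication login MYLOCAL local-case
aaa authorization exec MYTAC group tacacs+ local
aaa authorization commands 15 MYTAC group tacacs+ local
aaa authorization exec MYLOCAL local
tacacs server ACS1
 address ipv4 10.0.255.100
 key 0 Tacacs-Key
!
! SSH needs the host name and domain name set before the key is generated.
crypto key generate rsa modulus 2048
ip ssh version 2
ip http server
ip http secure-server
ip http authentication local
!
line vty 0 4
 login authentication MYTAC
 authorization exec MYTAC
 authorization commands 15 MYTAC
 transport input ssh
line vty 5 15
 login authentication MYLOCAL
 authorization exec MYLOCAL
 transport input ssh
!
! Authenticated NTP to WANFU (WANFU runs "ntp master" with the same key).
ntp authentication-key 1 md5 Ntp-Key
ntp authenticate
ntp trusted-key 1
ntp server 10.0.255.250 key 1
!
! Views: run "enable view" (the root view) from exec first, then define one.
parser view SHOWONLY
 secret 0 View-Pass
 commands exec include all show ip
 commands exec include all show ipv6
```

The "local" entry in the MYTAC lists only kicks in when no TACACS+ server answers, not when the server rejects the login, which is what the test aaa group command at the end of the section lets you see.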

  • All right! More fun! Let's go out of order and do VPN! Why? Because the longer I could put off making WANFU do a whole lot, the better off I was. Back to CCP! If you don't understand the jargon, read the study guide, watch Keith Barker's videos. These are just practice labs to reinforce.
    • Rediscover the Area4 and Area5 routers
    • Create a new site-to-site VPN on the Area4 router
      • DO NOT USE the defaults. Be wild, be crazy, just don't DES. Friends don't let friends DES. For your HAGLE, let's pick... AES192, MD5, pre-shared (ilikevpn), DH group 5. Leave the lifetime alone. Seriously, pick your own options, copy-cat.
      • For the phase 2 portion, let's pick MD5-HMAC and AES 256.
      • Your interest traffic will be....????
        • (192.168.40.x going to 192.168.50.x)
        • Your interface will be??? (f1/0)
      • Push that bad boy out. 
      • Ok, go clear the phase 1 that is pushed out by default by CCP. Defaults suck (well, not really, but what fun is letting someone else pick?)
    • And let's go to the Area5 router and do the same thing! Fun. Switch nodes in CCP to Area5.
      • Create a new site-to-site VPN. match it up with your others. 
      • your interest traffic might need an adjustment? (the answer is yes)
      • Push out the config. Destroy the default Phase 1 it sends. You are remembering what screen on CCP all this stuff is buried as you do this?
    • To the console. About time. Keep CCP up though. You'll want to view both.
      • Generate some interesting traffic. On the Area4 router: ping 192.168.50.1 source 192.168.40.1. If you did it right, the establishment of the tunnel might eat one or two packets, but otherwise it works. nomnomnom. If not, well, crud. You get to troubleshoot! Haha! (Or reboot the boxes and retry. I won't judge you. Much. You have to suffer through a rediscovery in CCP. Another 5 minutes of your life lost waiting.)
      • Practice your show commands
        • show crypto ipsec ?; show crypto isakmp ?; show crypto map; show run. What does the map do and have in it? What does the sa option show you? Where is everything applied?
        • Go to the GUI. Check the tunnel status. Answer all the questions you had in the console via the GUI.
        • If you are feeling really spicy, turn on your debugs. debug crypto... bring the tunnels up/down, etc.
        • Do a show run. See what is in the crypto map. What is in the isakmp part? What is in the ipsec part? What does the ACL do and which one is it?
  • We'll put off the ASA VPNs for a bit. Your host workstation will thank you.
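The Area4 side of that site-to-site VPN in CLI form, as an added example that is not from the post and not what CCP generates: the HAGLE choices, the phase 2 transform, the interesting traffic and the f1/0 interface come from the lab steps above; the peer address 10.0.45.5 and the map/ACL/transform-set names are assumptions.

```cisco
! Added example, not from the post or CCP: Area4 side of the VPN.
! Peer address 10.0.45.5 and the object names are made up.
! Phase 1 (HAGLE): hash MD5, pre-shared auth, DH group 5,
! lifetime left at the default, encryption AES-192.
crypto isakmp policy 10
 encryption aes 192
 hash md5
 authentication pre-share
 group 5
crypto isakmp key ilikevpn address 10.0.45.5
!
! Phase 2: AES-256 with MD5-HMAC integrity, tunnel mode.
crypto ipsec transform-set GNS3-TS esp-aes 256 esp-md5-hmac
 mode tunnel
!
! Interesting traffic: Area4 LAN to Area5 LAN.
! Area5 gets the mirror image (192.168.50.0 -> 192.168.40.0).
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.40.0 0.0.0.255 192.168.50.0 0.0.0.255
!
crypto map GNS3-MAP 10 ipsec-isakmp
 set peer 10.0.45.5
 set transform-set GNS3-TS
 match address VPN-TRAFFIC
!
interface FastEthernet1/0
 crypto map GNS3-MAP
!
! If CCP built this for you, it also pushed its default phase 1 policy;
! remove it with "no crypto isakmp policy <number>" so only policy 10
! is offered to the peer.
!
! Bring it up from exec with: ping 192.168.50.1 source 192.168.40.1
! then check: show crypto isakmp sa  (state QM_IDLE = phase 1 done)
!             show crypto ipsec sa   (#pkts encaps/decaps climbing)
```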
Did your VPN work? If so, save it! We are moving on! Let's do some more security: a security audit.
  • Is CCP up and everything discovered? Yep. Do it. Pull up your favorite 3-5 minute YouTube video while you wait.
  • Let's manage WANFU. Let's do a security audit!
    • OMG! What should you trust and not trust?
      • No one trusts their internet.
      • Although I don't trust the guy configuring the rest of this lab, let's say we trust the rest for now (f/x interfaces and loopback0)
      • DNS: use Google, 8.8.8.8 and 8.8.4.4
    • Run the security audit! Go ahead and let it do service password-encryption, and some others if you feel it.
    • Push it out if you are feeling lucky
  • All right! Let's do a one-step lockdown. Save your config before you start (and the GNS3 environment)
    • You'll need to see the screens.
    • Let it push out one time. I've always had craptacular luck and had to reload the OS at this point.
  • Read the screen. See what options you can turn up/down.
That was fun? Easy? Simple? Onward. IOS-based firewall next, on WANFU.
  • Get CCP going. Manage WANFU.
  • Go ahead and turn up the down DMZ interface, f1/1. 172.31.255.1/24 is good. I like using the boundary addresses to reinforce. Everyone uses the lower bound; practice on the upper.
  • You'll have to do this one a couple of times
    • do a basic firewall
    • do an advanced firewall
      • This is all virtual, so make up a virtual server for the DMZ. If you are really feeling it, go ahead and connect it to the switch in a different VLAN and attach some magic box running whatever service you let through.
To be continued...