Poly-Lab experience; comments/questions
I want to provide some feedback on the Polymorphic Lab Assessment product, as well as offer some suggestions and hopefully get some answers to a few questions I have. I thought this would be the best spot for this thread.
First I want to commend INE as the product is pretty good. I think it's an excellent resource and complements the rest of the CCIE 2.0 product suite really well. I have attempted to complete 6 Poly Labs so far. Twice I didn't get them graded, which was my own fault, and once it failed to load the initial configurations. The Graded Labs and INE support are pretty bloody great so far. Response times are good and they were quick to refund the tokens if the problem wasn't mine.
I want to address a couple of items below. It's likely some of the points specific to question answers being marked wrong are in fact me answering incorrectly; hopefully someone can point them out for me.
(a) Approximately 6 weeks or so ago I remember there being a Session Estimator on the homepage where you generate a lab. This doesn't seem to be there anymore from what I can tell. Did it disappear for everyone, just me, or am I blind?
(b) When a lab fails to load or you fail to have it graded, it remains in the section 'Labs In Progress'. Their state is either Setup Not Completed or Expired. From what I can tell you can't reset them and load/take them again. Is there a way to do this, and if not, is there a way to remove them?
(c) The physical topology is static like the workbook labs, which is fair enough. The logical topology is also relatively static; same IP addressing, location of IGPs etc. This is also fair enough I guess, seeing as though the questions must be generated with certain constraints around what the network could look like. I can see myself after doing another 2 or 3 poly labs getting way too familiar with it. I am already getting the same tasks and am configuring them blindly based on previous experience. Don't get me wrong, it is still a great learning tool; however, what happens when I am expert in all of the sections? I notice that the topology diagram has 'Assessor Lab Exam 1' in the bottom left corner. Is it fair to assume that there will be additional releases? If so, do you have any estimate on this? Yell out if you want beta testers also ;-)
(d) Would it be worthwhile including a question/task ID for each of the tasks so that they can be referenced in threads? Are tasks predefined or can a task include various dynamic points? Just a thought, not a big deal.
(e) It doesn't look like the grading scripts check full reachability, do they? It would be awesome to have some criteria where it checks full reachability in IGP and BGP from a couple of devices.
(f) I had a question requiring CBAC. I successfully completed the tasks, however was marked incorrectly as I didn't use an explicit 'deny ip any any log' in the INBOUND ACL. Is it okay to rely on the implicit deny all, or do I need to re-read the documentation? If not, could the grading be updated?
(g) I had the following task:
3.4 BGP Routing Stability (3 pts)
* A flapping link inside AS 54 causes frequent updates and removals of BGP prefixes.
* Configure R6 and SW2 in AS 100 to suppress oscillating routes and set the exponential decay parameter to 5 minutes.
I immediately thought BGP dampening. I can see the exponential decay parameter in the 'sh ip bgp dampening parameters' output although I hadn't heard of it before. This was one of the labs I unfortunately didn't get graded. Can someone link me some good information on this, as I don't fully understand how the half-life, re-use timers etc. affect it? I couldn't find adequate information in the documentation.
(h) I had the following task:
1.3 VLAN Creation (3 pts)
* Create VLANs in all switches using the diagram provided as your reference. Do not change VLAN names from their default values.
* SW1 should advertise new VLANs and SW3 should learn them dynamically.
* Ensure that SW2 and SW3 do not participate in dynamic VLAN distribution.
* Use a key value of CISCO to secure VLAN information exchange and use the domain name CCIE.
I was slightly confused as to what the task wanted and ended up making SW1/SW2/SW3/SW4 serv/tran/cli/tran. I got the marks, however thought perhaps * 3 above should be SW2 and SW4? Maybe not.
(i) I had the following task:
2.9 RIP Filtering (2 pts)
* Enable RIPv2 to exchange routing updates between SW2 and BB3.
* SW2 should not accept routes with an odd second octet from BB3.
* Do not use the offset-list or the distribute-list commands to accomplish this.
distance 255 220.127.116.11 0.0.0.0 29
access-list 29 permit 0.1.0.0 255.254.255.255
However the grading marked me incorrect. The assertion it is using is:
show running-config | include distribute-list.*Vlan8
(j) I had the following task:
5.3 Multicast Testing (2 pts)
* Ensure that R2 only accepts IGMP joins on its Ethernet interface from groups in the ranges 18.104.22.168/16, 22.214.171.124/16, 126.96.36.199/16, and 188.8.131.52/16.
* Use access-list number 22 and one access-list entry to accomplish this task.
* In order to facilitate a multicast test, join the Ethernet interface of R2 to group 184.108.40.206.
* Ensure you can ping the above group from R5 across your multicast domain.
The grading wanted 220.127.116.11 0.4.0.0, wouldn't it want 18.104.22.168? Once again I could just be overtired.
(k) I had the following task:
6.1 Congestion Avoidance (3 pts)
* Configure R6 to randomly drop packets before congestion occurs on the Serial interface output queue.
* Ensure that traffic marked with critical precedence will not be dropped unless there are 50 packets in the output queue.
* If there are 70 critical packets in the output queue, R6 should randomly drop 4 out of every 16 of these packets.
* In the case that there are more than 70 critical packets in the output queue, they should all be dropped.
* Do not use any MQC commands to accomplish this task.
Should the mark probability denominator be 8 or 4?
I would have thought:
random-detect precedence 5 50 70 4
(l) I had the following task:
7.2 Filtering (3 pts)
* Recently you have noticed a large number of fragmented packets coming from behind BB3.
* This type of attack impacts the performance of your servers located on VLAN 17.
* Configure SW2 to drop all fragmented packets toward VLAN 17 IP addresses as they enter SW2.
* Use a named access-list NO_FRAGMENTS and the minimum amount of access-list entries to accomplish this task.
Should this be reachable-via rx or any, and why? I would have thought any.
(m) I had a question requiring CBAC. I believe I only had it graded incorrectly as the parse in the grading script is not allowing for spaces. See below:
R3: Check the inspection global configuration settings.
This is a Match All type of assertion with the following parameters:
one-minute (sampling period) thresholds are [60:120]
max-incomplete sessions thresholds are [100:200]
max-incomplete tcp connections per host is 30. Block-time 1 minute.
tcp synwait-time is 10 sec
Rack9R3(tcl)#show ip inspect config
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [60 : 120]
connections max-incomplete sessions thresholds are [100 : 200]
Is it grading it incorrectly as there are spaces in the [x : y] output?
I hope this is a suitable arena for voicing these comments and questions. It would be great to get some feedback so I can fix my mistakes and get 100%. I would definitely recommend the Poly Labs as part of your overall preparation; they are a great tool.
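
Added example, not part of the original post: a small Python check of how the wildcard mask in item (i), `access-list 29 permit 0.1.0.0 255.254.255.255`, is evaluated, and which routes a `distance 255 ... 29` statement would then keep out of the routing table. The function names and the sample prefixes are constructed for illustration, and only the plain address/wildcard ACL form is parsed.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard logic: a 1 bit in the wildcard means "don't care"."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def parse_std_acl(lines, number):
    """Collect (action, base, wildcard) entries for one numbered standard ACL."""
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) == 5 and tok[:2] == ["access-list", str(number)]:
            entries.append((tok[2], tok[3], tok[4]))
    return entries

def acl_action(addr, entries):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, base, wildcard in entries:
        if wildcard_match(addr, base, wildcard):
            return action
    return "deny"

def filter_routes(prefixes, entries):
    """Routes permitted by the ACL get distance 255 and are not installed."""
    installed, rejected = [], []
    for prefix in prefixes:
        target = rejected if acl_action(prefix, entries) == "permit" else installed
        target.append(prefix)
    return installed, rejected

# ACL line as posted in item (i)
CONFIG = ["access-list 29 permit 0.1.0.0 255.254.255.255"]

# Constructed sample prefixes, not taken from the lab topology
SAMPLE = ["10.1.0.0", "10.2.0.0", "172.17.5.0", "192.168.30.0", "30.255.1.0"]

if __name__ == "__main__":
    installed, rejected = filter_routes(SAMPLE, parse_std_acl(CONFIG, 29))
    print("installed:", installed)
    print("distance 255 (not installed):", rejected)
```

The wildcard `255.254.255.255` leaves only the lowest bit of the second octet as a "care" bit, so the entry matches exactly the prefixes whose second octet is odd.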