Hey Tyson,

 

The QoS policy that you refer to is Section 7.2 in the lab. You have to
fix the bugs; when you do that, it drops all telnet traffic from R5 that
enters R2. This includes traffic to R1, so the authenticated telnet
session that is created in 5.1 can still authenticate at the FW, but
never complete the telnet session to R1. This seems like a mistake in
the lab, I just wanted to make sure that it was a mistake and that I
wasn't missing some weird little option. I have verified against the
final configs and don't see how they could work.

 

Terry Little

(425) 894-4109 (m)

(425) 468-1057 (o)

From: Tyson Scott [mailto:[email protected]] 
Sent: Tuesday, June 15, 2010 11:54 AM
To: 'Kingsley Charles'; Terry Little (terlittl)
Cc: 'CCIE Sec'
Subject: RE: [OSL | CCIE_Security] Yusuf Lab2 sec 5

 

The telnet hangs because there is a QoS policy on the device connected
to the ASA that drops the traffic.  Not sure if that is meant for
troubleshooting or to break your configuration on purpose.  Remove that
policy and telnet will work fine.  I haven't read the full lab so I
can't comment as to why that policy is there.  And I can't remember if
it matched on a precedence value but if that was the case you can do
local policy on the device originating the traffic to mark it to a
different precedence.  I wouldn't call it broken but a good way of
having to understand the full topology.

 

Regards,

 

Tyson Scott - CCIE #13513 R&S, Security, and SP

Managing Partner / Sr. Instructor - IPexpert, Inc.

Mailto: [email protected]

Telephone: +1.810.326.1444, ext. 208

Live Assistance, Please visit: www.ipexpert.com/chat

eFax: +1.810.454.0130

 


 

From: [email protected]
[mailto:[email protected]] On Behalf Of Kingsley
Charles
Sent: Tuesday, June 15, 2010 3:31 AM
To: Terry Little (terlittl)
Cc: CCIE Sec
Subject: Re: [OSL | CCIE_Security] Yusuf Lab2 sec 5

 

Hi Terry

I did lab 2 two times. The ASA cut-through proxy verification was not
successful. I was able to telnet but it just hung. First time I was
not able to find the issue but the 2nd time I found that the ASA didn't
have the route to R1.

I suspect there is a problem in the lab as I hit it two times.


With regards
Kings

On Mon, Jun 14, 2010 at 11:11 PM, Terry Little (terlittl)
<[email protected]> wrote:

Kings,

 

Do you have any idea how to resolve this, or is it really just a problem
with the lab...i.e. ask the proctor. :)

 

 

Terry Little

(425) 894-4109 (m)

(425) 468-1057 (o)

From: Kingsley Charles [mailto:[email protected]] 
Sent: Monday, June 14, 2010 9:26 AM


To: Terry Little (terlittl)
Cc: CCIE Sec
Subject: Re: [OSL | CCIE_Security] Yusuf Lab2 sec 5

 

Yes, there is some slight confusion there.


With regards
Kings

On Mon, Jun 14, 2010 at 7:34 PM, Terry Little (terlittl)
<[email protected]> wrote:

I have a serious confusion concerning section 5.1 and how it interacts
with section 7.2. 

 

5.1 configures the ASA to authenticate telnet from R5 to R1. The traffic
path is R5-R6-ASA1/c1-R2-R1. Ok this part is cool and works fine before
you complete 7.2.

 

7.2 marks all telnet traffic reaching R6 from DLCI 65, and then R2 drops
all the marked traffic. 

 

I do NOT see how these two can coexist. Any thoughts? What am I missing?

 

Regards,

 

Terry Little 

[email protected]
Phone: +1 425 468 1057     

Mobile: +1 425 894 4109

Cisco Systems, Inc.

Network Consulting Engineer
World Wide Security Services Practice
Cisco.com - http://www.cisco.com

 


 


_______________________________________________
For more information regarding industry leading CCIE Lab training,
please visit www.ipexpert.com

 

 
