
Configuring NTP (3 points)

In the document CCIE Security v3.0 (Page 43-49)

Question: What number should I use for the authentication key and trusted key?

Answer: The default range is 1 to 4294967295, and you can use any number. Usually candidates use the first logical number available—1.

Question: Do I need to permit NTP (UDP port 123) for any hosts in the ACL on the ASA1/abc2 context or specific hosts?

Answer: Because the question does not restrict or mention anything about this ACL, you can permit UDP port 123 from any source to any destination. However, as a best practice, I recommend that you write a specific ACL, because you know the source and destination IP address in this task. Again, this is just a recommendation, not a requirement.

Question: Can I use the broadcast command or any NTP-related commands in interface configuration mode on R5 and Sw2?

Answer: Yes, you can enter NTP-related commands in interface configuration mode; the restriction in the question applies to entering them in global configuration mode.
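The following is an added example (it is not configuration from the book) that puts the three answers above together on a hypothetical topology: R5 is the authoritative source and broadcasts on its LAN, Sw2 listens on the shared VLAN using only interface-mode commands, a unicast client at 10.1.1.1 reaches R5 (10.5.5.5) through the abc2 context of ASA1, and key ID 1 serves as both the authentication key and the trusted key. All addresses, interface names, and the key string are assumptions.

```cisco
! --- R5: authoritative NTP source (hypothetical addressing) ---
! Key ID 1 is the "first logical number"; the same key ID and string go on every peer.
ntp authentication-key 1 md5 CCIE-NTP-KEY
ntp authenticate
ntp trusted-key 1
ntp master 3
interface FastEthernet0/0
 ! Interface-mode NTP: broadcasts on this segment are signed with key 1.
 ntp broadcast key 1
!
! --- Sw2: accepts R5's broadcasts on the shared VLAN; no global ntp server/peer lines ---
ntp authentication-key 1 md5 CCIE-NTP-KEY
ntp authenticate
ntp trusted-key 1
interface Vlan5
 ntp broadcast client
!
! --- Unicast client behind ASA1/abc2 (e.g., R1) syncing to R5 across the firewall ---
ntp authentication-key 1 md5 CCIE-NTP-KEY
ntp authenticate
ntp trusted-key 1
ntp server 10.5.5.5 key 1
!
! --- ASA1, context abc2: the specific entry the answer recommends instead of
!     "permit udp any any eq 123". The client is on the lower-security side, so
!     only the request needs an ACL; the reply rides the stateful connection. ---
access-list OUTSIDE_IN extended permit udp host 10.1.1.1 host 10.5.5.5 eq ntp
access-group OUTSIDE_IN in interface outside
!
! --- Verification (on any client) ---
! "show ntp associations detail" should report the peer as authenticated, sane, valid;
! "show ntp status" should read "Clock is synchronized".
show ntp associations detail
show ntp status
```

Note that a client whose key is missing or mismatched still shows the association but never reaches "synchronized"; that is the check the proctor's grading script effectively performs.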

Section 2.0: Cisco Firewall (10 Points)

Question 2.1: Network Address Translation (NAT) (3 points)

Question: Can I enable NAT control for testing on ASA1 or ASA2?

Answer: The requirement is clear: do not enable NAT control. However, if you want to test some functionality, you can enable it, but be sure to disable it before completing this task.

Question: If I miss one small requirement, will I get partial credit?

Answer: All three requirements must be met to earn the points. There is no partial credit on the CCIE lab exam.

Question: Do I need to allow HTTP and HTTPS ports from a specific host/destination for the first task?

Answer: You are allowed to permit connections from any host to the web server on Sw1.

Question: The third task says not to use a static command. Does this mean the static command specifically, or NAT translation in general?

Answer: It means the static NAT command from a syntax perspective.

Question: For the third task, are you saying to configure address translation for the destination IP address?

Answer: Yes.

Question: Do I need to permit return traffic on the outside interface for the second and third tasks?

Answer: There is no need to configure an ACL, because traffic is traversing from a higher-security (inside) interface to a lower-security (outside) interface.
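As an added example (not the book's solution), the first-task style of publishing the web server on Sw1, plus inside-initiated translation that needs no outside ACL, in the pre-8.3 ASA syntax the questions above use ("static", "NAT control"). The web server address 10.1.1.100, its mapped address 192.0.2.100, the inside subnet, and the ACL name are assumptions; the third task's destination translation without static is deliberately not shown because the page does not state its details.

```cisco
! ASA1 (pre-8.3 NAT syntax; addresses and names are hypothetical)
!
! Leave NAT control disabled as the task requires: inside hosts without a
! matching nat/static entry can still cross the firewall untranslated.
no nat-control
!
! Task 1 style: the web server on Sw1 (10.1.1.100) appears as 192.0.2.100 outside.
static (inside,outside) 192.0.2.100 10.1.1.100 netmask 255.255.255.255
!
! Any host may reach HTTP and HTTPS on the web server; nothing else is opened.
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.100 eq www
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.100 eq https
access-group OUTSIDE_IN in interface outside
!
! Inside-to-outside PAT. Traffic starts on the higher-security interface, so
! no ACL is needed and the return traffic is permitted by the connection table.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
!
! Verification: the translation table and a simulated inbound HTTP connection.
show xlate
packet-tracer input outside tcp 203.0.113.7 40000 192.0.2.100 80
```

With a static that covers all ports, the ACL is the only thing limiting exposure of the server, so keep it to www and https rather than "permit ip any host".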

Question 2.2: High-availability (HA) default route (3 points)

Question: What monitor ID number should I use when configuring the SLA monitoring process on ASA2?

Answer: The default range is 1 to 2147483647, and you can use any number. Usually candidates use the first logical number available—1—or sometimes 123, whichever is more convenient.

Question: What tracking ID number should I use when configuring the route tracking object on ASA2?

Answer: The default range is 1 to 500, and you can use any number. Usually candidates use the first logical number available—1.

Question: Can I configure or tune my dynamic routing protocol to control the default route injection when the primary default route fails on ASA2?

Answer: No. The question explicitly requires configuring a static backup default route.

Question: What administrative distance should I use for the secondary (backup) default route?

Answer: You can use any administrative distance number that is higher than the primary default route’s administrative distance.

Question: Is there an alternative solution if I do not use the SLA monitoring and route tracking feature?

Answer: Not that I can think of.

Question: What monitoring protocol do I use for tracking the target network?

Answer: The only option available on the Cisco ASA firewall to track route objects is ipIcmpEcho (ICMP echo). There is no other option.
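The following is an added configuration example, not taken from the book, of the SLA monitor and route tracking the answers above describe, using monitor ID 1 and track ID 1. The interface names "outside" and "backup", the next hops 192.0.2.1 and 198.51.100.1, and the timers are assumptions.

```cisco
! ASA2 (hypothetical addressing): primary next hop 192.0.2.1 via "outside",
! backup next hop 198.51.100.1 via "backup".
!
! SLA operation 1: ICMP echo (the only tracking protocol the ASA offers).
! Pinging the next hop only detects a dead link; pinging a host beyond it
! (for example the ISP's DNS) also catches an upstream failure.
sla monitor 1
 type echo protocol ipIcmpEcho 192.0.2.1 interface outside
 num-packets 3
 timeout 1000
 frequency 10
sla monitor schedule 1 life forever start-time now
!
! Track object 1 follows the reachability result of SLA operation 1.
track 1 rtr 1 reachability
!
! Primary default route (AD 1) stays in the table only while track 1 is up.
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1 track 1
!
! Backup default route: any AD higher than the primary's works; 254 is the
! common choice because it sits above every dynamic routing protocol.
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! Verification: when the probe fails the tracked route is withdrawn and the
! AD-254 route takes over; it is reinstalled automatically once probes succeed.
show sla monitor configuration 1
show sla monitor operational-state 1
show track 1
show route
```

The timeout is in milliseconds and must not exceed the frequency (in seconds) converted to milliseconds, otherwise the ASA rejects the schedule. Also make sure the tracked host actually answers ICMP from the ASA's outside address, or the primary route will flap to the backup as soon as the schedule starts.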

Question 2.3: Cisco IOS Zone Based Policy Firewall (ZFW) (4 points)

Question: The question says to use specific zone, zone-pair, and policy-map names. What about the class-map names?

Answer: If not specified, you can use any naming convention to complete the configuration task.

Question: How many class-maps and policy-maps are required to be configured?

Answer: Careful planning is required to determine how many class-maps and policy-maps are needed to fulfill all the requirements. The best approach is to take each protocol, write a class-map that matches that protocol, and reference it in the policy-map with the inspect action and any other (optional) action the task requires for that traffic.

Question: Can I configure additional class-maps, policy-maps, or ACLs to complete the task?

Answer: Yes, you can configure any number of class-maps, policy-maps, or any other configuration as long as it is directly related to completing this task.

Question: Can I configure parameter-map to complete this task?

Answer: Yes, some parts of the question may require configuring parameter-map for deep packet inspection, pattern matching with regex, or other advanced filters.

Question: When matching protocols for inspection in class-map, can I use match protocol or match using ACL?

Answer: If not mentioned, you can use any method. However, best practice is to use match protocol, because it covers all variations of the specific protocol inspection and also allows deep packet inspection parameters. On some occasions, you may have to use both to fulfill all the criteria.

Question: When configuring rate-limit, can I round the KB and MB parameters to 1000 instead of 1024?

Answer: Yes, you can use rounding to 1000. For example, 1 MB = 1000 KB, and 1 KB = 1000 bytes.
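An added worked example (not the book's answer) of the ZFW pattern the answers in this section describe: one class-map per protocol matched with match protocol, a parameter-map driven HTTP deep-inspection policy nested under the Layer 4 policy, and a police action whose rate uses the 1000-based rounding. Zone, zone-pair, policy-map, class-map, regex names, interfaces, and the 1 Mbps figure are all assumptions; the real task dictates the names it requires.

```cisco
! --- Zones and membership (names hypothetical) ---
zone security INSIDE
zone security OUTSIDE
interface FastEthernet0/0
 zone-member security INSIDE
interface FastEthernet0/1
 zone-member security OUTSIDE
!
! --- Parameter-maps: one regex for HTTP DPI, one for generic inspect tuning ---
parameter-map type regex BLOCK-EXE
 pattern .*\.exe
parameter-map type inspect INSPECT-PARAMS
 tcp idle-time 300
 audit-trail on
!
! --- Layer 7 (HTTP) class and policy: reset and log any URI ending in .exe ---
class-map type inspect http match-any HTTP-DPI-CLASS
 match request uri regex BLOCK-EXE
policy-map type inspect http HTTP-DPI
 class type inspect http HTTP-DPI-CLASS
  reset
  log
!
! --- Layer 4 classes: one per protocol, matched with "match protocol" ---
class-map type inspect match-all CM-HTTP
 match protocol http
class-map type inspect match-all CM-ICMP
 match protocol icmp
!
! --- Layer 4 policy: inspect HTTP with DPI attached; inspect and police ICMP ---
! 1 Mbps rounded the way the answer allows: 1 MB = 1000 KB, so 1000000 bps.
! Burst is in bytes; 125000 bytes is one second of traffic at that rate.
policy-map type inspect PM-IN-OUT
 class type inspect CM-HTTP
  inspect INSPECT-PARAMS
  service-policy http HTTP-DPI
 class type inspect CM-ICMP
  inspect
  police rate 1000000 burst 125000
 class class-default
  drop log
!
! --- Zone-pair: the direction determines which policy applies ---
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-OUT
!
! --- Verification ---
show policy-map type inspect zone-pair IN-OUT
show zone-pair security
```

The order inside a class matters: police is only accepted alongside inspect or pass in the same class, and the nested HTTP policy must be attached with service-policy http after inspect. Traffic between a zone member and a non-zoned interface is dropped, so every interface that should carry traffic needs a zone and a zone-pair.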

Section 3.0: Cisco VPN (16 Points)

Question 3.1: Configuring Cisco IOS CA server (3 points)

Question: Do I have to be exact in naming the server?

Answer: Yes. You must use the exact names shown in the output; they are case-sensitive.

Question: What name should I use to configure the trustpoint?

Answer: If not mentioned in the question requirement, you can use any name. Candidates generally use “cisco” because it is easy to remember.

Question: What if I am unable to get the CA server working or clients authenticating with the server?

Answer: You will lose points for this question and the later question that is linked with the CA server.

Question: Do I need to be explicit when opening ACL on the ASA1/abc2 context for CA enrollment traffic or any host?

Answer: Because the question does not restrict or mention anything about this ACL, you can permit from any source to any destination. However, as a best practice, I recommend that you write a specific ACL, because you know the source and destination IP address in this task. Again, this is just a recommendation, not a requirement.
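An added example, not the book's solution, of the IOS CA server and of a router and an ASA enrolling against it through SCEP, using the trustpoint name "cisco" the answer mentions. The server name CA, the issuer and subject names, the addresses (10.1.1.1 for the CA, 10.2.2.2 for an enrolling device behind ASA1/abc2), and the key labels are assumptions; in the lab the server name comes from the task output and is case-sensitive.

```cisco
! --- R-CA: IOS certificate server (names and addresses hypothetical) ---
! Certificates are validity-checked against the clock, so the CA and every
! client need accurate time (the NTP task from Section 1).
clock timezone UTC 0
ip http server
! The server's RSA key pair must carry the same label as the server name.
crypto key generate rsa general-keys label CA modulus 2048 exportable
crypto pki server CA
 issuer-name CN=CA,O=CCIE
 database level complete
 database url nvram:
 ! grant auto signs every request without review; fine for a lab, not production.
 grant auto
 lifetime certificate 365
 lifetime ca-certificate 1825
 ! "no shutdown" prompts for the passphrase that protects the CA private key.
 no shutdown
!
! --- R5: enroll through trustpoint "cisco" ---
crypto pki trustpoint cisco
 enrollment url http://10.1.1.1:80
 subject-name CN=R5,O=CCIE
 revocation-check none
 rsakeypair R5-KEYS 2048
crypto pki authenticate cisco
crypto pki enroll cisco
!
! --- ASA2: same enrollment in ASA syntax ---
crypto key generate rsa label ASA2-KEYS modulus 2048
crypto ca trustpoint cisco
 enrollment url http://10.1.1.1:80
 subject-name CN=ASA2,O=CCIE
 revocation-check none
 keypair ASA2-KEYS
crypto ca authenticate cisco
crypto ca enroll cisco
!
! --- ASA1, context abc2: the specific ACL the answer recommends for SCEP (HTTP) ---
access-list OUTSIDE_IN extended permit tcp host 10.2.2.2 host 10.1.1.1 eq www
access-group OUTSIDE_IN in interface outside
!
! --- Verification ---
! On the CA: server state "enabled" and a growing issued-certificate count.
show crypto pki server
! On R5 / ASA2: both the CA certificate and the router's own certificate present.
show crypto pki certificates
show crypto ca certificates
```

If crypto pki authenticate fails, check reachability to port 80 on the CA and the clock first; if the enrollment request is accepted but no certificate comes back, check that grant auto is set, otherwise the request sits pending until crypto pki server CA grant is issued manually.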

Question 3.2: Configuring a LAN-to-LAN IPsec tunnel using digital certificates (4 points)

Question: What name should I use for configuring the crypto map, transform set, trustpoint, and so on?

Answer: If not mentioned in the question requirement, you can use any name. Candidates generally use “cisco” because it is easy to remember.

Question: For the high-availability function, can I create a new loopback interface on R5? If so, what IP address subnet should I use?

Answer: Yes, you can configure a new Loopback1 interface on R5 (for peering) using any IP address and advertise this Loopback1 into OSPF area 0 so that it is routable throughout the network. Ensure that ASA2 can ping this Loopback1 address.

Question: If my certificates are not populated and are having trouble with the CA, can I skip the certificate part and configure this task using the preshared key?

Answer: No. You will lose points, because the question clearly requires configuring this task using certificates.

Question: When I initiate a ping test to bring up the tunnel, usually I lose one or two pings when the tunnel is establishing, so the success rate is not always 100%. Is that OK, or will the proctor check for 100%?

Answer: The success rate can be any percentage greater than 0, as long as the ping works.

Question: This question seems long and has a lot of requirements. If I skip some of them, will I get partial credit?

Answer: No. The CCIE lab exam has no concept of partial credit. If you miss any item, you lose all points. The grading system is all or none.
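The following is an added example (not the book's configuration) of the certificate-authenticated LAN-to-LAN tunnel between R5 and ASA2 with R5 peering from a Loopback1 interface, as the high-availability answer above suggests. It assumes both devices already hold certificates in a trustpoint named "cisco"; the loopback address 10.255.255.5, the protected networks, the interface names, and the name "cisco" for the transform set and crypto map are assumptions.

```cisco
! --- R5: Loopback1 as the peering address, advertised into OSPF area 0 ---
interface Loopback1
 ip address 10.255.255.5 255.255.255.255
router ospf 1
 network 10.255.255.5 0.0.0.0 area 0
!
! IKE with RSA signatures (certificates), identity sent as an address so the
! ASA can match the tunnel-group named after 10.255.255.5.
crypto isakmp identity address
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication rsa-sig
 group 2
crypto ipsec transform-set cisco esp-aes esp-sha-hmac
access-list 101 permit ip 10.5.0.0 0.0.255.255 10.2.0.0 0.0.255.255
! All IKE/IPsec traffic is sourced from Loopback1, whichever physical link is up.
crypto map cisco local-address Loopback1
crypto map cisco 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set cisco
 match address 101
interface FastEthernet0/0
 crypto map cisco
!
! --- ASA2: peer with R5's loopback, authenticate with the "cisco" trustpoint ---
crypto isakmp enable outside
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
access-list L2L extended permit ip 10.2.0.0 255.255.0.0 10.5.0.0 255.255.0.0
crypto ipsec transform-set cisco esp-aes esp-sha-hmac
crypto map cisco 10 match address L2L
crypto map cisco 10 set peer 10.255.255.5
crypto map cisco 10 set transform-set cisco
crypto map cisco 10 set trustpoint cisco
crypto map cisco interface outside
tunnel-group 10.255.255.5 type ipsec-l2l
tunnel-group 10.255.255.5 ipsec-attributes
 trust-point cisco
!
! --- Bring the tunnel up from R5; the first ping or two may fail while IKE negotiates ---
ping 10.2.1.1 source 10.5.1.1
show crypto isakmp sa
show crypto ipsec sa
```

Before testing, confirm ASA2 can ping 10.255.255.5 and that the crypto ACLs mirror each other exactly; a certificate that is present but expired or not yet valid (clock skew) fails in IKE phase 1 with a certificate validation error, which is the first place to look when the tunnel never comes up.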

Question 3.3: Troubleshooting DMVPN (3 points)

Question: Can you clarify the nature of injected faults?

Answer: Faults can be on any device within the DMVPN configuration or within the network topology around it. They could also be related to any of the non-VPN technologies, such as switching, routing, WAN links, IOS features, NAT, and ACL filtering, to name a few. Second, the injected faults could be either incorrect preconfiguration or commands missing from the configuration.

Question: Must I find the injected faults, or can I delete all DMVPN configurations and start fresh?

Answer: You cannot remove the DMVPN preconfiguration and start over. The faults injected must be found within the existing preconfiguration.

Question: If I can’t find all the faults, do I get partial credit for the ones I found?

Answer: All faults must be found to earn the total points. The CCIE lab exam offers no partial credit.

Question: Are all the faults on one device, or are they spread across multiple devices?

Answer: Faults are injected on multiple devices across the topology to create a more challenging scenario.

Question: Are all the faults related to DMVPN configuration only?

Answer: No. As mentioned earlier, faults can be anywhere within the DMVPN configuration or within the network topology around it. Faults also could be related to any of the non-VPN technologies.

Question: Do I need to be explicit when opening ACL on the ASA1/abc2 context for DMVPN traffic?

Answer: Because the question does not restrict or mention anything about this ACL, you can permit from any source to any destination. However, as a best practice, I recommend that you write a specific ACL, because you know the source and destination IP address in this task. Again, this is just a recommendation, not a requirement.
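Because the answers above stress that the faults may sit in routing, NAT, or ACLs rather than in the DMVPN commands themselves, and that the preconfiguration must not be rebuilt, here is an added bottom-up verification sequence (mine, not the book's) for locating them. Addresses, the tunnel number, and the ASA context ACL names are hypothetical.

```cisco
! Work from the underlay up; fix what each step reveals before moving on.
!
! 1. Underlay: each spoke must reach the hub's public (NBMA) address.
show ip interface brief
show ip route
ping 192.0.2.1
!
! 2. If the path crosses ASA1/abc2, confirm ACL and NAT let IKE and ESP through
!    (UDP 500, UDP 4500 when NAT-T is in play, IP protocol 50). On the context:
show access-list
packet-tracer input inside udp 10.1.1.2 500 192.0.2.1 500
packet-tracer input inside rawip 10.1.1.2 50 192.0.2.1
show conn
!
! 3. IKE/IPsec: a mismatched policy, key, transform set, or profile shows here.
show crypto isakmp sa
show crypto ipsec sa
show crypto session
!
! 4. NHRP: spokes register with the hub. Compare tunnel source, tunnel key,
!    ip nhrp network-id, ip nhrp nhs, and the static ip nhrp map on each spoke.
show dmvpn detail
show ip nhrp
show interfaces tunnel 0
!
! 5. Overlay routing across the tunnel: neighbors, split horizon, next-hop-self.
show ip eigrp neighbors
show ip ospf neighbor
!
! 6. When the show output is clean but traffic still fails, watch the exchange live.
debug nhrp
debug crypto isakmp
!
! Never "no interface Tunnel0" or strip the crypto configuration to start over:
! the preconfiguration must stay, and only the injected faults are corrected.
```

A fault in a WAN link or switchport (wrong VLAN, shutdown interface, trunk mismatch) fails step 1 and makes everything above it look broken, which is why the order matters.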

Question 3.4: Configuring Group Encrypted Transport VPN (GETVPN) (3

