Jump to content

CCIE EI Section 2.1


kat

Recommended Posts

there use to be a scenario where the devices managed by dnac did not have the correct management name/ipss, the api link is used to change this to the correct management names/ips. Last time a did the exam this was not requested, however not sure if there is some exam version that this is required, so best is to know how to do it


I do recall that there was a new question to configure tacacs via dnac on ise and to enable on line vty only of some routers, but i dont remember the exact wording or how that could be solved

Edited by jonny18
  • Like 3
Link to comment
Share on other sites

10 hours ago, jonny18 said:

there use to be a scenario where the devices managed by dnac did not have the correct management name/ipss, the api link is used to change this to the correct management names/ips. Last time a did the exam this was not requested, however not sure if there is some exam version that this is required, so best is to know how to do it


I do recall that there was a new question to configure tacacs via dnac on ise and to enable on line vty only of some routers, but i dont remember the exact wording or how that could be solved

FABD2 wants to use TACACS+ AAA service for secure communication into the four switches of their SDx infrastructure which are already present in the DNAC inventory:

- Use DNAC TACACS+ for Authentication & Authorization through ISE into all 4 switches: sw400, sw501, sw502 and sw510

- TACACS shared secret must be set to cisco

- TACACS must only be used on the vty lines

- Local authentication must remain as the only method for authenticating management users through the console

- The below accounts must be created in ISE for testing purposes: 
   netadmin - will provide full access to all commands
   This user must be configured in order to use password admin

- Note: Do not change/modify aaa authentication login default local. It is already present in all four switches

  • Like 1
Link to comment
Share on other sites

8 hours ago, ShoIProute said:

i have taken it a couple of times recently and i have not run into the " 

This is the hidden content, please
 and change newmgmtadd/oldmgmtadd" task on either attempt. Unless they're doing variation i think the one their going with is only the ISE/DNAC TACACS+ AAA for Section 2.1

Did you take section 2.1 first or 2.2?
I have heard that I should skip 2.1 first and try from 2.2.

 

  • Like 35
  • Thanks 5
  • Confused 1
Link to comment
Share on other sites

1 hour ago, kat said:

Did you take section 2.1 first or 2.2?
I have heard that I should skip 2.1 first and try from 2.2.

 

taken the exam recently i was referring to. but i would skip section 2.1 if u can. its very tricky and could potentially lock u out of the devices, so its best to avoid if possible.

  • Like 2
Link to comment
Share on other sites

13 minutes ago, ShoIProute said:

taken the exam recently i was referring to. but i would skip section 2.1 if u can. its very tricky and could potentially lock u out of the devices, so its best to avoid if possible.

Based on your experience, do 2.2-2.5 affect if I skip 2.1 first?

Link to comment
Share on other sites

1 hour ago, kat said:

Based on your experience, do 2.2-2.5 affect if I skip 2.1 first?

From my understanding, with the new 2.1 task (DNAC/ISE AAA TACACS+) that task is independent and no other tasks would depend on that one being completed.

Edited by ShoIProute
  • Like 1
Link to comment
Share on other sites

8 hours ago, ShoIProute said:

From my understanding, with the new 2.1 task (DNAC/ISE AAA TACACS+) that task is independent and no other tasks would depend on that one being completed.

Is it possible to pass the exam although I skip section 2.1?

Link to comment
Share on other sites

13 hours ago, kat said:

Is it possible to pass the exam although I skip section 2.1?

it should be. i think its only like 3 points. if u get most of the other tasks correct, u should be able to get enough points to afford skipping that one. remember, the name of the game is not to complete the lab 100%, but to get enough points to pass. i'm not sure how many points that is tho.

  • Like 1
Link to comment
Share on other sites

On 12/31/2022 at 12:02 PM, ShoIProute said:

it should be. i think its only like 3 points. if u get most of the other tasks correct, u should be able to get enough points to afford skipping that one. remember, the name of the game is not to complete the lab 100%, but to get enough points to pass. i'm not sure how many points that is tho.

Thank you

Can SW400-510 be syncretized by skipping 2.1?

Do I need some tasks before taking 2.2?

 

Link to comment
Share on other sites

On 1/2/2023 at 2:31 AM, Siscco said:

Guys , I still wonder how'd we get locked out from devices if we do 2.1 ? we are dealing with VTY login , still we got OOB isn't it ?

That is correct. Initially, i misunderstood this task and thought there were some AAA configs that needed to be manually configured locally on the switches, but those configs will be pushed out to VTY lines by the DNAC if done properly. And yes, u will still have OOB access to the switches via the console.

  • Like 2
Link to comment
Share on other sites

2 hours ago, ShoIProute said:

That is correct. Initially, i misunderstood this task and thought there were some AAA configs that needed to be manually configured locally on the switches, but those configs will be pushed out to VTY lines by the DNAC if done properly. And yes, u will still have OOB access to the switches via the console.

Yeah , Initially I thought the same. I do not see an option to Specifically select , VTY or CON in DNAC while we do 2.1 .

 

Any thoughts on that ?

Edited by Siscco
  • Like 1
Link to comment
Share on other sites

8 hours ago, Siscco said:

Yeah , Initially I thought the same. I do not see an option to Specifically select , VTY or CON in DNAC while we do 2.1 .

 

Any thoughts on that ?

I think the DNAC automatically automates that once u configure it as a "Network" AAA Server in "Network Settings". U have to make sure that ISE is configured as a TACACS Server in System Settings > Settings > Authentication and policy servers first tho. And the 'netadmin' username has to be configured in ISE with the shared secret (cisco) and privilege level and all of the AAA backend information in ISE.

Then when u go to re-provision the switches in DNAC, it should push out all the necessary AAA configs to them in the global config and VTY lines.

  • Like 1
Link to comment
Share on other sites

1 hour ago, ShoIProute said:

I think the DNAC automatically automates that once u configure it as a "Network" AAA Server in "Network Settings". U have to make sure that ISE is configured as a TACACS Server in System Settings > Settings > Authentication and policy servers first tho. And the 'netadmin' username has to be configured in ISE with the shared secret (cisco) and privilege level and all of the AAA backend information in ISE.

Then when u go to re-provision the switches in DNAC, it should push out all the necessary AAA configs to them in the global config and VTY lines.

I see. it looks like " aaa authentication login default local " is already preconfigured on all SDA switches. which might be the reason DNAC does not push the same to console? as it might intelligently automates the task ?

  • Like 1
Link to comment
Share on other sites

1 hour ago, ShoIProute said:

I think the DNAC automatically automates that once u configure it as a "Network" AAA Server in "Network Settings". U have to make sure that ISE is configured as a TACACS Server in System Settings > Settings > Authentication and policy servers first tho. And the 'netadmin' username has to be configured in ISE with the shared secret (cisco) and privilege level and all of the AAA backend information in ISE.

Then when u go to re-provision the switches in DNAC, it should push out all the necessary AAA configs to them in the global config and VTY lines.

Can SW400-510 be syncretized by skipping 2.1?

Do I need some tasks before taking 2.2?

Link to comment
Share on other sites

3 minutes ago, Siscco said:

I see. it looks like " aaa authentication login default local " is already preconfigured on all SDA switches. which might be the reason DNAC does not push the same to console? as it might intelligently automates the task ?

I think so

Link to comment
Share on other sites

3 minutes ago, kat said:

Can SW400-510 be syncretized by skipping 2.1?

Do I need some tasks before taking 2.2?

They are already managed and synced in the new version of the lab. U should not have to do anything to get the other tasks complete. The re-sync task was in the old version of the lab. I'm not sure if their still giving that anymore.

  • Like 1
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...