CCIE EI Section 2.1


kat


There used to be a scenario where the devices managed by DNAC did not have the correct management names/IPs; the API link is used to change these to the correct management names/IPs. Last time I did the exam this was not requested; however, I am not sure if there is some exam version where this is required, so it is best to know how to do it.


I do recall that there was a new question to configure TACACS via DNAC on ISE and to enable it on the vty lines only of some routers, but I don't remember the exact wording or how that could be solved.

Edited by jonny18

10 hours ago, jonny18 said:

There used to be a scenario where the devices managed by DNAC did not have the correct management names/IPs; the API link is used to change these to the correct management names/IPs. Last time I did the exam this was not requested; however, I am not sure if there is some exam version where this is required, so it is best to know how to do it.


I do recall that there was a new question to configure TACACS via DNAC on ISE and to enable it on the vty lines only of some routers, but I don't remember the exact wording or how that could be solved.

FABD2 wants to use the TACACS+ AAA service for secure communication into the four switches of their SDx infrastructure, which are already present in the DNAC inventory:

- Use DNAC TACACS+ for Authentication & Authorization through ISE into all 4 switches: sw400, sw501, sw502 and sw510

- The TACACS shared secret must be set to cisco

- TACACS must only be used on the vty lines

- Local authentication must remain the only method for authenticating management users through the console

- The accounts below must be created in ISE for testing purposes:
   netadmin - will provide full access to all commands
   This user must be configured to use the password admin

- Note: Do not change/modify aaa authentication login default local. It is already present in all four switches.


8 hours ago, ShoIProute said:

I have taken it a couple of times recently and I have not run into the "[hidden content] and change newmgmtadd/oldmgmtadd" task on either attempt. Unless they're doing a variation, I think the one they're going with is only the ISE/DNAC TACACS+ AAA for Section 2.1.

Did you take section 2.1 first or 2.2?
I have heard that I should skip 2.1 first and try from 2.2.

 


1 hour ago, kat said:

Did you take section 2.1 first or 2.2?
I have heard that I should skip 2.1 first and try from 2.2.

 

I was referring to having taken the exam recently. But I would skip section 2.1 if you can. It's very tricky and could potentially lock you out of the devices, so it's best to avoid if possible.


13 minutes ago, ShoIProute said:

I was referring to having taken the exam recently. But I would skip section 2.1 if you can. It's very tricky and could potentially lock you out of the devices, so it's best to avoid if possible.

Based on your experience, are 2.2-2.5 affected if I skip 2.1 first?


1 hour ago, kat said:

Based on your experience, are 2.2-2.5 affected if I skip 2.1 first?

From my understanding, with the new 2.1 task (DNAC/ISE AAA TACACS+) that task is independent and no other tasks would depend on that one being completed.

Edited by ShoIProute

8 hours ago, ShoIProute said:

From my understanding, with the new 2.1 task (DNAC/ISE AAA TACACS+) that task is independent and no other tasks would depend on that one being completed.

Is it possible to pass the exam even though I skip section 2.1?


13 hours ago, kat said:

Is it possible to pass the exam even though I skip section 2.1?

It should be. I think it's only like 3 points. If you get most of the other tasks correct, you should be able to get enough points to afford skipping that one. Remember, the name of the game is not to complete the lab 100%, but to get enough points to pass. I'm not sure how many points that is, though.


On 12/31/2022 at 12:02 PM, ShoIProute said:

It should be. I think it's only like 3 points. If you get most of the other tasks correct, you should be able to get enough points to afford skipping that one. Remember, the name of the game is not to complete the lab 100%, but to get enough points to pass. I'm not sure how many points that is, though.

Thank you

Can SW400-510 be synchronized if I skip 2.1?

Do I need some tasks before taking 2.2?

 


On 1/2/2023 at 2:31 AM, Siscco said:

Guys, I still wonder how we'd get locked out of devices if we do 2.1? We are dealing with VTY login; we still have OOB, don't we?

That is correct. Initially, I misunderstood this task and thought there were some AAA configs that needed to be manually configured locally on the switches, but those configs will be pushed out to the VTY lines by DNAC if done properly. And yes, you will still have OOB access to the switches via the console.


2 hours ago, ShoIProute said:

That is correct. Initially, I misunderstood this task and thought there were some AAA configs that needed to be manually configured locally on the switches, but those configs will be pushed out to the VTY lines by DNAC if done properly. And yes, you will still have OOB access to the switches via the console.

Yeah, initially I thought the same. I do not see an option to specifically select VTY or CON in DNAC while we do 2.1.

 

Any thoughts on that?

Edited by Siscco

8 hours ago, Siscco said:

Yeah, initially I thought the same. I do not see an option to specifically select VTY or CON in DNAC while we do 2.1.

 

Any thoughts on that?

I think DNAC automates that once you configure it as a "Network" AAA server in "Network Settings". You have to make sure that ISE is configured as a TACACS server in System Settings > Settings > Authentication and policy servers first, though. And the 'netadmin' username has to be configured in ISE with the shared secret (cisco) and privilege level and all of the AAA backend information in ISE.

Then when you go to re-provision the switches in DNAC, it should push out all the necessary AAA configs to them in the global config and the VTY lines.
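To make the intent behind the task concrete, here is a small config audit added as an example for this thread; it is not code from any poster here and not DNAC's or ISE's own output. It parses a constructed IOS-XE running-config of the shape described above (named TACACS+ method lists applied on the vty lines, the untouched local default list left to govern the console) and reports anything that would break the Section 2.1 requirements. The method-list and server-group names (VTY_authen, VTY_author, dnac-network-tacacs-group), the server name ISE-PAN and the 192.0.2.10 address are assumptions made for the example, not values taken from the thread or from a real DNAC template.

```python
"""Audit an IOS-XE running-config against the Section 2.1 intent:
TACACS+ only on the vty lines, the console left on the local default
list, and 'aaa authentication login default local' kept intact."""
import re
from typing import Dict, List, Set

# Constructed sample of what a provisioned switch might show. The method-list
# and server-group names (VTY_authen, VTY_author, dnac-network-tacacs-group),
# the server name and the address are assumptions for this example only.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authentication login VTY_authen group dnac-network-tacacs-group local
aaa authorization exec default local
aaa authorization exec VTY_author group dnac-network-tacacs-group local
aaa group server tacacs+ dnac-network-tacacs-group
 server name ISE-PAN
tacacs server ISE-PAN
 address ipv4 192.0.2.10
 key cisco
line con 0
 exec-timeout 0 0
line vty 0 15
 login authentication VTY_authen
 authorization exec VTY_author
 transport input ssh
"""


def line_blocks(config: str) -> Dict[str, List[str]]:
    """Map each 'line ...' section (e.g. 'con 0', 'vty 0 15') to its sub-commands."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith(" "):
            if current is not None:          # indented command inside a line block
                blocks[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw[len("line "):].strip()
            blocks[current] = []
        else:
            current = None                   # any other top-level command ends the block
    return blocks


def tacacs_groups(config: str) -> Set[str]:
    """Names of 'aaa group server tacacs+' groups plus the built-in 'tacacs+' keyword."""
    groups = {"tacacs+"}
    for m in re.finditer(r"^aaa group server tacacs\+ (\S+)", config, re.M):
        groups.add(m.group(1))
    return groups


def login_lists(config: str) -> Dict[str, List[str]]:
    """Login method lists: name -> ordered method tokens (e.g. ['group', 'X', 'local'])."""
    lists: Dict[str, List[str]] = {}
    for m in re.finditer(r"^aaa authentication login (\S+) (.+)$", config, re.M):
        lists[m.group(1)] = m.group(2).split()
    return lists


def uses_tacacs(methods: List[str], groups: Set[str]) -> bool:
    """True if any 'group <name>' step in the method sequence is a TACACS+ group."""
    return any(tok == "group" and nxt in groups for tok, nxt in zip(methods, methods[1:]))


def audit(config: str) -> List[str]:
    """Return findings; an empty list means the config meets the Section 2.1 intent."""
    findings: List[str] = []
    lists = login_lists(config)
    groups = tacacs_groups(config)
    # The task says the default list must stay exactly 'local'.
    if lists.get("default") != ["local"]:
        findings.append("aaa authentication login default is not exactly 'local'")
    for name, cmds in line_blocks(config).items():
        applied = [c.split()[-1] for c in cmds if c.startswith("login authentication ")]
        # With aaa new-model, a line without an explicit list uses 'default'.
        effective = applied[-1] if applied else "default"
        methods = lists.get(effective, [])
        tacacs = uses_tacacs(methods, groups)
        if name.startswith("vty"):
            if not tacacs:
                findings.append(f"line {name}: effective list '{effective}' does not use TACACS+")
            elif "local" not in methods:
                findings.append(f"line {name}: list '{effective}' has no local fallback")
        elif name.startswith("con") and tacacs:
            findings.append(f"line {name}: list '{effective}' sends console logins to TACACS+")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["OK: TACACS+ on vty only, console stays local"]:
        print(finding)
```

Paste a switch's own running-config in place of SAMPLE_CONFIG (or read it from a file) and run it after re-provisioning. An empty result means the vty lines resolve to a TACACS+ method list while the console still resolves to the local default list; the "no local fallback" finding flags the lockout risk raised earlier in the thread, where an unreachable ISE would leave no way in over the vty lines.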


1 hour ago, ShoIProute said:

I think DNAC automates that once you configure it as a "Network" AAA server in "Network Settings". You have to make sure that ISE is configured as a TACACS server in System Settings > Settings > Authentication and policy servers first, though. And the 'netadmin' username has to be configured in ISE with the shared secret (cisco) and privilege level and all of the AAA backend information in ISE.

Then when you go to re-provision the switches in DNAC, it should push out all the necessary AAA configs to them in the global config and the VTY lines.

I see. It looks like "aaa authentication login default local" is already preconfigured on all SDA switches, which might be the reason DNAC does not push the same to the console, as it might intelligently automate the task?


1 hour ago, ShoIProute said:

I think DNAC automates that once you configure it as a "Network" AAA server in "Network Settings". You have to make sure that ISE is configured as a TACACS server in System Settings > Settings > Authentication and policy servers first, though. And the 'netadmin' username has to be configured in ISE with the shared secret (cisco) and privilege level and all of the AAA backend information in ISE.

Then when you go to re-provision the switches in DNAC, it should push out all the necessary AAA configs to them in the global config and the VTY lines.

Can SW400-510 be synchronized if I skip 2.1?

Do I need some tasks before taking 2.2?


3 minutes ago, Siscco said:

I see. It looks like "aaa authentication login default local" is already preconfigured on all SDA switches, which might be the reason DNAC does not push the same to the console, as it might intelligently automate the task?

I think so


3 minutes ago, kat said:

Can SW400-510 be synchronized if I skip 2.1?

Do I need some tasks before taking 2.2?

They are already managed and synced in the new version of the lab. You should not have to do anything to get the other tasks complete. The re-sync task was in the old version of the lab. I'm not sure if they're still giving that anymore.
