
1. Ticket Port Security ASW1 169.x.x.x IP on Client 1

Client 1 is getting a 169.x.x.x IP address and is unable to ping Client 2 as well as DSW1. The command sh interfaces fa1/0/1 on ASW1 will show the following message in the first line:

    FastEthernet1/0/1 is down, line protocol is down (err-disabled)

Solution: on ASW1, port-security mac 0000.0000.0001 is configured and the interface is in err-disable state.

Configuration of ASW1:

    interface fa1/0/1
     switchport mode access
     switchport port-security
     switchport port-security mac-address 0000.0000.0001

Answer: on ASW1 delete port security and do shutdown, no shutdown on the interface.
Ans1) ASW1
Ans2) Port security
Ans3) Issue the no switchport port-security mac-address 0000.0000.0001 command followed by the shutdown and no shutdown commands on port fa1/0/1 on ASW1

Symptoms for this ticket:
1- Client 1 is getting a 169.x.x.x IP address.
2- Client 1 is unable to ping Client 2 as well as DSW1.
3- sh interfaces fa1/0/1 will show the following message in the first line: FastEthernet1/0/1 is down, line protocol is down (err-disabled)
4- sh running-config: you will see switchport port-security mac-address 0000.0000.0001 configured under fa1/0/1.

Steps and commands:
1. ipconfig on client
2. ASW1#show running-config (look under the fa1/0/1 config for the switchport statement)
3. ASW1#show int fa1/0/1 (check if the interface is in errdisable)

2. Ticket Switchport Access VLAN 10 ASW1 169.x.x.x IP on both clients

Client 1 & 2 are getting 169.x.x.x IP addresses and can't ping DSW1 or the FTP Server, but they are able to ping each other.
Situation: in port channel configuration of ASW1 vlan 10 is not allowed. (Use L2 Diagram)

Configuration of ASW1:

    interface FastEthernet1/0/1
     switchport mode access
     switchport access vlan 1
    !
    interface FastEthernet1/0/2
     switchport mode access
     switchport access vlan 1

On ASW1, interfaces fa1/0/1 and fa1/0/2 have switchport access vlan 1.

Answer: on ASW1 change switchport access vlan 1 to switchport access vlan 10
Ans1) ASW1
Ans2) Vlan
Ans3) Give the commands: interface range fa1/0/1 - 2 & switchport access vlan 10

Symptoms:
1- Clients are getting a 169.x.x.x IP address.
2- Client 1 can ping Client 2 and vice versa.
3- The sh running-config command on ASW1 will not display switchport access vlan 10 under the interfaces fa1/0/1 and fa1/0/2.

Commands and steps:
1. ipconfig from the client to check if it is getting a 169.x.x.x IP
2. ASW1# show running-config (check under fa1/0/1 for the statement switchport access vlan 10)
3. show vlan (check if fa1/0/1 is a member of VLAN 10)

3. Ticket Switchport Trunk Allowed VLAN ASW1 169.x.x.x IP on client 1 Switchport to Switchport Connectivity

Client 1 is getting a 169.x.x.x IP address. Client 1 & 2 can ping each other but they are unable to ping DSW1 or the FTP Server. (Use L2/3 Diagram)

Configuration of ASW1:

    interface PortChannel 13
     switchport mode trunk
     switchport trunk allowed vlan 1-9
    !
    interface PortChannel 23
     switchport mode trunk
     switchport trunk allowed vlan 1-9
    !
    interface FastEthernet1/0/1
     switchport mode access
     switchport access vlan 10
    !
    interface FastEthernet1/0/2
     switchport mode access
     switchport access vlan 10

Answer: on port channels 13 and 23, disable all VLANs and give switchport trunk allowed vlan 10,200
Ans1) ASW1
Ans2) Switch to switch connectivity
Ans3)

    int range portchannel13,portchannel 23
     switchport trunk allowed vlan none
     switchport trunk allowed vlan 10,200

Symptoms of the above ticket:
1- Client 1 is getting a 169.x.x.x IP address.
2- Client 1 can ping Client 2 and vice versa.
3- sh interfaces trunk: you will not see VLAN 10 in PO13 and PO23 under allowed VLANs on trunk.

Steps and commands to use:
1. ipconfig on the client and check if the IP is 169.x.x.x
2. ASW1# show running-config (check that fa1/0/1 and fa1/0/2 are access ports in VLAN 10)
3. ASW1# show interface trunk (check that the allowed VLANs on port 13 and 23 include VLAN 10)

4. Ticket Wrong DHCP Exclude R4 169.x.x.x IP on client 1

In this ticket, check the IP on Client 1. If it gets 169.x.x.x, then use the show run command on R4. If you see ip dhcp exclude 10.2.1.1-10.2.1.253, then the DHCP range has been misconfigured.

Configuration on R4 was:

    !
    ip dhcp exclude 10.2.1.1-10.2.1.253
    !

Ans1) R4
Ans2) DHCP
Ans3) On R4 delete ip dhcp exclude 10.2.1.1-10.2.1.253 and apply ip dhcp-excluded 10.2.1.1-10.2.1.2

Tips: If you can ping all the way from the client to the web server, that is the IPv6 ticket. When you open the IPv6 topology you will see that one of your routers can't ping the others' IPv6 address. Another hint: you can check the MCQ of that ticket; the question will be related to IPv6.

Steps and commands:
1. ipconfig on Client 1
2. R4#show run (check the DHCP exclude addresses)

5. Ticket BGP Neighbour R1 Client 1 cannot ping Web Server

Problem: Client 1 is able to ping 209.65.200.226 but can't ping the Web Server 209.65.200.241.

Configuration on R1:

    router bgp 65001
     no synchronization
     bgp log-neighbor-changes
     network 209.65.200.224 mask 255.255.255.252
     neighbor 209.56.200.226 remote-as 65002
     no auto-summary

Check the BGP neighborship with show ip bgp sum. The neighbor's address in the neighbor command is wrong under router BGP. (use ipv4 Layer 3)

Answer: need to change neighbor 209.65.200.226 in router mode on R1
Ans1) R1
Ans2) BGP
Ans3) Delete the wrong neighbor statement and enter the correct neighbor address in the neighbor command (change neighbor 209.56.200.226 remote-as 65002 to neighbor 209.65.200.226 remote-as 65002)

Following are the symptoms of the above ticket:
1- No one is able to ping the Web Server.
2- Client 1 and all others can ping up to 209.65.200.226.
3- sh ip route BGP on R1: you will not see any BGP route.
4- sh ip bgp neighbor on R1: you will not see any active BGP neighbor.

Steps and commands:
1. ipconfig on both clients
2. R1#show running-config
3. R1#show ip bgp
4. R1#show ip bgp neigh

6. Ticket NAT ACL R1 Client 1 & 2 cannot ping Web Server

Client 1 & 2 are not able to ping the web server 209.65.200.241, but all the routers and DSW1,2 can ping the server. NAT problem. (use ipv4 Layer 3)

Answer: problem on R1 NAT ACL

Configuration on R1:

    ip nat inside source list nat_pool interface s0/0/0/1 overload
    ip access-list standard nat_pool
     permit 10.1.0.0
    !
    interface serial0/0/0/1
     ip address 209.65.200.224 255.255.255.252
     ip nat outside
    !
    interface Serial0/0/0/0.12
     ip address 10.1.1.1 255.255.255.252
     ip nat inside
     ip ospf message-digest-key 1 md5 TSHOOT
     ip ospf authentication message-digest

Answer: add to acl 1 permit ip 10.2.1.0 0.0.0.255
Ans1) R1
Ans2) NAT
Ans3) Add the command permit 10.2.0.0 in the nat_pool access-list

Steps and commands:
1. ipconfig on client
2. R1#show running-config
3. R1#show ip bgp
4. R1#show access-list

7. Ticket ACL Blocking IP R1 Client cannot ping Web Server

Client is not able to ping the server. Except for R1, no one else can ping the server. (use ipv4 Layer 3)

Problem: on R1 an ACL is blocking IP

Configuration on R1:

    router bgp 65001
     no synchronization
     bgp log-neighbor-changes
     network 209.65.200.224 mask 255.255.255.252
     neighbor 209.65.200.226 remote-as 65002
     no auto-summary
    !
    access-list 30 permit host 209.65.200.241
    access-list 30 deny 10.1.0.0 0.0.255.255
    access-list 30 deny 10.2.0.0 0.0.255.255
    !
    interface Serial0/0/0/1
     ip address 209.65.200.224 255.255.255.252
     ip nat outside
     ip access-group 30 in

Answer: add the permit 209.65.200.224 0.0.0.3 command to R1's ACL
Ans1) R1
Ans2) IP Access list
Ans3) Add permit 209.65.200.224 0.0.0.3 to R1's ACL

Tips: Even R1 would not be able to ping the web server or the ISP (209.65.200.226), since the explicit deny of this ACL will not allow a reply to come back in to R1 from outside (this ACL is applied in the in direction) until a permit entry is included in the ACL. This will also cause the BGP neighbor relationship to go down. You will see one permit entry for the web server only, which is not enough. You will see the contents of this ACL as below:

    ip access-list extended edge_security
     permit ip host 209.65.200.241 any
     deny ip 10.2.0.0 0.0.255.255 any
     deny ip 10.1.0.0 0.0.255.255 any
     deny ip host 127.0.0.1 any

That's why an entry of permit 209.65.200.224 0.0.0.3 any is required to solve this problem. By the way, the entries for the 10.x.x.x networks neither have any effect nor are required in this ACL; they are put there only to confuse the candidates.

Steps and commands:
1. ipconfig on both clients
2. R1#show running-config
3. R1#show ip bgp
4. R1#show access-list

8. Ticket OSPF Authentication R1 Client can ping R2 but not R1

1. Client is unable to ping R1's serial interface from the client.
Problem was disabled authentication on R1; check where authentication is not given under router ospf of R1. (use ipv4 Layer 3)

Configuration on R1 was:

    interface Serial0/0/0/0.12 point-to-point
     ip address 10.1.1.1 255.255.255.252
     ip nat inside
     ip ospf message-digest-key 1 md5 TSHOOT
    !
    router ospf 1
     log-adjacency-changes
     network 10.1.1.0 0.0.0.3 area 12
     default-information originate always

Configuration on R2 was:

    interface Serial0/0/0/0.12 point-to-point
     ip address 10.1.1.2 255.255.255.252
     ip ospf authentication message-digest
     ip ospf message-digest-key 1 md5 TSHOOT
    !
    router ospf 1
     log-adjacency-changes
     network 10.1.1.0 0.0.0.3 area 12

Answer: on R1 need the command area 12 authentication message-digest in router mode
Ans1) R1
Ans2) OSPF
Ans3) The ip ospf authentication message-digest command must be given on s0/0/0/0.12

Steps & commands:
1. ipconfig on client
2. R1#ping 10.2.1.3
3. R1#show running-config (check interface s0/0/0/0 on R1)
4. R1#show ospf neighbours (check if R1 is forming a neighborship with R2)
5. R2#show ospf neighbours (check if R2 is forming a neighborship with R1)

9. Ticket HSRP Track DSW1 DSW1 does not become active for HSRP

HSRP was configured on DSW1 & DSW2. DSW1 is configured to be active but it does not become active.

Configuration on DSW1:

    track 1 ip route 10.1.21.128 255.255.0.0 metric threshold
     threshold metric up 1 down 2
    !
    track 10 ip route 10.2.21.128 255.255.255.0 metric threshold
     threshold metric up 63 down 64
    !
    interface Vlan10
     ip address 10.2.1.1 255.255.255.0
     standby 10 ip 10.2.1.254
     standby 10 priority 200
     standby 10 preempt
     standby 10 track 1 decrement 60

Answer: (use IPv4 Layer 3 Topology) On DSW1, in interface vlan 10 mode, run:

    no standby 10 track 1 decrement 60
    standby 10 track 10 decrement 60

(The IP for the track command is not exact for the real exam.)
Ans1) DSW1
Ans2) HSRP
Ans3) Delete the command with track 1 and enter the command with track 10 (standby 10 track 10 decrement 60).

Steps and commands:

1. ipconfig on both clients
2. DSW1#show running-config
3. DSW1#show standby
4. DSW1#show standby vlan 10

10. Ticket IPV6 OSPF R2 can't ping R2's loopback interface or s0/0/0/0.12 IPv6 address

DSW1 & R4 can't ping R2's loopback interface or s0/0/0/0.12 IPv6 address. R2 is not an OSPFv3 neighbour on R3.
Situation: ipv6 ospf was not enabled on R2's serial interface connecting to R3. (use ipv6 Layer 3)
Question: IPv6 loopback cannot ping the IPv6 loopback of DSW2.
Situation: R2 can't establish a neighborship relation with R3 because it does not have any interfaces enabled in Area 0.

Configuration of R2:

    ipv6 router ospf 6S
     router-id 2.2.2.2
    !
    interface s0/0/0/0.23
     ipv6 address 2026::1:1/122

Configuration of R3:

    ipv6 router ospf 6
     router-id 3.3.3.3
    !
    interface s0/0/0/0.23
     ipv6 address 2026::1:2/122
     ipv6 ospf 6 area 0

Answer: In interface configuration mode of s0/0/0/0.23 on R2: ipv6 ospf 6 area 12
Ans1) R2
Ans2) OSPFv3
Ans3) On the serial interface of R2, enter the command ipv6 ospf 6 area 0 (notice that it is area 0, not area 12)

Symptoms:
1- IPv6 ping from R1 to DSW1's loopback will time out.
2- IPv6 ping from R2 to DSW1's loopback will time out.
3- You will not see R3 as a neighbor on R2 by entering the ipv6 ospf neighbor command.
4- By entering the command sh run you will not see the ipv6 ospf 6 area 0 command under the interface S0/0/0.23 on R2.

Steps and commands:
1. on both clients
2. R2#show ipv6 ospf neighbours
3. R3#show ipv6 ospf neighbours

11. Ticket VLAN Filter DSW1 Client 1 cannot ping Web Server

Client 1 is getting the correct IP address from DHCP but Client 1 is not able to ping the server. Unable to ping DSW1 or the FTP Server. (Use L2 Diagram)

Answer: a VLAN access map is applied on DSW1, blocking the IP address of the client, 10.2.1.3

Configuration on DSW1:

    vlan access-map test1 10
     drop
     match ip address 10
    !
    vlan filter test1 vlan-list 10
    !
    ip access-list standard 10
     permit 10.2.0.0 0.0.255.255
    !
    interface VLAN10
     ip address 10.2.1.1 255.255.255.0

Ans1) DSW1 (but in the exam maybe you have to choose ASW1)
Ans2) Vlan access map
Ans3) Remove vlan filter test1 from DSW1

Symptoms of this ticket:
1- Client 1 is getting the correct IP address from DHCP (i.e. 10.2.1.3).
2- But Client 1 is unable to ping DSW1.
3- Client 1 is unable to ping the FTP Server (10.2.2.10).

Additional information: VACL/PACL can be chosen for DSW1. You have to SCROLL DOWN to find the option.

Steps and commands:
1. ipconfig on both clients
2. DSW1#show running-config

Below P4S answer is wrong, right answer is D
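
Tickets 6, 7 and 11 all hinge on how a standard ACL matches a source address: first match wins, a wildcard mask marks the ignored bits, and anything unmatched hits the implicit deny. The following is an added example, not part of the original notes; it uses the ACL entries shown in those tickets, and the function names are illustrative.

```python
import ipaddress

def ip(text):
    return int(ipaddress.IPv4Address(text))

def parse_ace(line):
    """'permit|deny any | host A.B.C.D | A.B.C.D [wildcard]' -> (action, addr, wildcard)."""
    action, *rest = line.split()
    if rest[0] == "any":
        return action, 0, 0xFFFFFFFF
    if rest[0] == "host":
        return action, ip(rest[1]), 0
    # A standard ACL entry without a wildcard matches that single address only.
    return action, ip(rest[0]), (ip(rest[1]) if len(rest) > 1 else 0)

def evaluate(acl, src):
    """First matching entry wins; no match falls through to the implicit deny."""
    for line in acl:
        action, addr, wildcard = parse_ace(line)
        care = ~wildcard & 0xFFFFFFFF          # bits set in the wildcard are ignored
        if (ip(src) & care) == (addr & care):
            return action
    return "deny"

# Ticket 7: access-list 30, applied inbound on R1 Serial0/0/0/1, and the fixed version.
ACL_30 = ["permit host 209.65.200.241",
          "deny 10.1.0.0 0.0.255.255",
          "deny 10.2.0.0 0.0.255.255"]
ACL_30_FIXED = ACL_30 + ["permit 209.65.200.224 0.0.0.3"]

# Ticket 6: nat_pool as configured, and with the 10.2.1.0 0.0.0.255 entry from the answer.
NAT_POOL = ["permit 10.1.0.0"]
NAT_POOL_FIXED = NAT_POOL + ["permit 10.2.1.0 0.0.0.255"]

# Ticket 11: ACL 10 is the match clause of access-map test1 sequence 10 (action drop).
ACL_10 = ["permit 10.2.0.0 0.0.255.255"]

def vacl_drops(src):
    return evaluate(ACL_10, src) == "permit"   # "permit" here means matched, so dropped

if __name__ == "__main__":
    for name, acl, src in [("ACL 30", ACL_30, "209.65.200.226"),
                           ("ACL 30 fixed", ACL_30_FIXED, "209.65.200.226"),
                           ("nat_pool", NAT_POOL, "10.2.1.3"),
                           ("nat_pool fixed", NAT_POOL_FIXED, "10.2.1.3")]:
        print(f"{name:15} src {src:15} -> {evaluate(acl, src)}")
    print("VACL test1 drops 10.2.1.3:", vacl_drops("10.2.1.3"))
```

The BGP peer 209.65.200.226 matches no entry of ACL 30 until the 0.0.0.3 permit is added, and a permit written without a wildcard covers only that one address.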

12. Ticket EIGRP Passive Interface R4 Client 1 cannot ping R4

The neighborship between R4 and DSW1 wasn't established. Client 1 can't ping R4.

Configuration on R4 was:

    router eigrp 10
     passive-interface default
     redistribute ospf 1 route-map OSPF->EIGRP
     network 10.1.4.4 0.0.0.3
     network 10.1.4.8 0.0.0.3
     default-metric 10000 100 255 1 10000
     no auto-summary

Answer 1) R4
Answer 2) IPv4 EIGRP Routing
Answer 3) Remove Passive interface under EIGRP 10 (or in Interface f0/1 and f0/0, something like this)

Tips: The passive-interface default command doesn't allow any interface to participate in the EIGRP process, so the neighbor relationship will not be established. We should remove it under EIGRP, or add another command that enables the EIGRP process on the specific interface that should participate in it: no passive-interface fa 0/0.

Commands:
1. ipconfig on client
2. R4#show run
3. R4#show ip eigrp neigh (DSW1 will not be a neighbor)
4. DSW1#show ip eigrp neigh

13. Ticket EIGRP -> Redistribution R4 Client 1 cannot ping Web Server

Client 1 is not able to ping the Webserver. DSW1 can ping fa0/1 of R4. However, clients and DSW1 can't ping R4's S0/0/0/0.34 interface (10.1.1.10).

On R4 in router eigrp:

    router eigrp 10
     network 10.1.4.5 0.0.0.0
     no auto-summary
     redistribute ospf 1 metric 100 10 255 1 1500 route-map EIGRP_to_OSPF
    !
    router ospf 1
     network 10.1.1.8 0.0.0.0 area 34
     redistribute eigrp 10 subnets
    !
    route-map EIGRP->OSPF
     match ip address 1

Answer: change the route-map name in router eigrp
Ans1) R4
Ans2) Route redistribution
Ans3) Change the name of the route-map under the router EIGRP or router OSPF process from EIGRP_to_OSPF to EIGRP->OSPF

Tips: Here in the redistribution we are using a route map to prevent routing loops. You must call/invoke the same route map (with the same name) as the one you have created. The problem in this ticket is that they created the route map using the name EIGRP->OSPF, but in the redistribution command they mistyped it as EIGRP_to_OSPF. So it's only an issue of a wrong name, which needs to be corrected.

Steps and commands:
1. ipconfig on both clients
2. R4#show running-config
3. R4#show ip ospf neigh
4. R3#show ip ospf neigh

14. Ticket EIGRP Wrong AS R4 Client 1 cannot ping Web Server

DSW1 is still able to ping R4's Fast Ethernet interface, because this interface is directly connected to DSW1, so no matter whether EIGRP is configured correctly or not, DSW1 can ping the fa0/0 interface (10.1.4.5). However, clients and DSW1 will not be able to ping R4's S0/0/0.34 interface (10.1.1.10), because reaching that side requires EIGRP to work properly.

Answer: change the router AS on R4 from 1 to 10
Ans1) R4
Ans2) EIGRP
Ans3) Change the EIGRP AS number from 1 to 10

Following are the symptoms for the above ticket:
1- Clients and DSW1 are unable to ping R4's S0/0/0/0.34 interface.
2- Clients and DSW1 can ping up to R4's Fa0/0 interface.

3- sh ip eigrp neighbor on DSW1: you will not see R4 as a neighbor.
4- sh ip route on DSW1: you will not see any 10.x.x.x network route.

Steps and commands:
1. ipconfig on both clients
2. DSW1#show ip eigrp neighbours
3. DSW1#show ip protocols
4. R4#show ip eigrp neighbours

15. Ticket IP Helper Address Missing DSW1

mils May 22nd, 2011
@Trainee I sort out 1 lab which is IP HELPER ADDRESS MISSING on DSW1. Client is not getting IP.

Commands:
1. ipconfig on client
2. DSW1#show run (check under the vlan 10 config if the R4 fa0/0 IP is there)
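
The route-map name mismatch in ticket 13 can be found mechanically by comparing the route-maps a configuration references with the ones it defines. This is an added example, not part of the original notes; the function name is illustrative and the embedded configuration is the R4 snippet from ticket 13.

```python
import re

# R4 configuration as shown in ticket 13.
R4_CONFIG = """\
router eigrp 10
 network 10.1.4.5 0.0.0.0
 no auto-summary
 redistribute ospf 1 metric 100 10 255 1 1500 route-map EIGRP_to_OSPF
!
router ospf 1
 network 10.1.1.8 0.0.0.0 area 34
 redistribute eigrp 10 subnets
!
route-map EIGRP->OSPF
 match ip address 1
"""

def route_map_mismatches(config):
    """Return ({undefined name: [where it is referenced]}, [defined but unused names])."""
    defined, referenced = set(), {}
    section = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw[0].isspace():               # top-level command starts a new section
            section = line
            m = re.match(r"route-map\s+(\S+)", line)
            if m:                              # a route-map definition
                defined.add(m.group(1))
                continue
        m = re.search(r"\broute-map\s+(\S+)", line)
        if m:                                  # a reference inside another command
            referenced.setdefault(m.group(1), []).append(f"{section}: {line}")
    undefined = {n: w for n, w in referenced.items() if n not in defined}
    unused = sorted(defined - set(referenced))
    return undefined, unused

if __name__ == "__main__":
    undefined, unused = route_map_mismatches(R4_CONFIG)
    for name, places in undefined.items():
        print(f"referenced but not defined: {name}")
        for place in places:
            print(f"    {place}")
    print("defined but never referenced:", ", ".join(unused) or "none")
```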

Now here's the summary, device-wise:

ASW1: 3 TTs
1. Port Security
2. Access VLAN
3. Switch to Switch connectivity

DSW1: 3 TTs
1. HSRP
2. VLAN Filter
3. IP Helper Address (this one is a rare possibility)

R4: 4 TTs
1. DHCP Exclude Addresses
2. EIGRP Passive Interface
3. EIGRP to OSPF Redistribution
4. EIGRP Wrong AS No. (this one is a rare possibility)

R2: Only IPv6 TT

R1: 4 TTs
1. BGP Wrong Neighbor address
2. BGP network address is missing in ACL Edge_Security
3. 10.2.x.x is missing from ACL NAT_Traffic
4. OSPF Authentication Message-Digest statement is missing under s0/0/0/0

Configuration-wise strategy; below are some important points:
DSW1: link between Layer 2 and Layer 3 (EIGRP)
R4: redistribution point between EIGRP and OSPF
R1: local network interface with the ISP via BGP
R2: IPv6 backbone area 0

NOTE: Every time after you click a TT, immediately type IPCONFIG on the client to see the IP address.

If the IP is 169.x.x.x, you know that you have 4 TTs (Port security, Access VLAN 10 and Port channel, all on ASW1 in the Layer 2 topology, and DHCP on R4).

If the IP is 10.2.1.3, you have 2 options:
OPTION 1: If you can ping 10.1.1.1 or 10.1.1.2, the problem is on R1 and you have 4 TTs: NAT ACL, Layer 3 security, BGP and OSPF.
OPTION 2: If you can't ping 10.1.1.1 or 10.1.1.2, the problem is on R4 and DSW1 (ASW1), and you have 3 TTs: redistribution and passive interface on the L3 topology, and VLAN access map on DSW1 or ASW1.

The remaining 2 TTs are HSRP and IPv6.

ASW1 : A , Po , Ps
DSW1 : H , V
R1 : B , N , A , O
R2 : IPv6
R4 : E , D , R , P

Device            Error  Description
ASW1 (169.x.x.x)  A      Access port not in VLAN 10
                  Po     Port-Channel not allowing VLAN 10
                  Ps     Port Security needs to be disabled
DSW1              H      HSRP Track 10
                  V      VLAN Filter (Correct answer is ASW1 not DSW1)
R1                B      BGP wrong Neighbor IP
                  N      NAT ACL misconfigured
                  A      IP range not allowed in the ACL
                  O      OSPF Authentication issue
R2                IPv6   OSPF (IPv6 topology) ipv6 ip add
R4                E      EIGRP wrong AS
                  D      DHCP wrong exclude address host 1
                  R      Route Redistribution (wrong route map name)
                  P      Passive Interface under eigrp 10