
Trouble Tickets by KaimKhani-RE

Date post: 24-Apr-2015
Upload: adejoorin-o-dhanniel

1. Ticket – Port Security – ASW1 – 169.x.x.x IP on Client 1

Client 1 is getting a 169.x.x.x IP address & is unable to ping Client 2 as well as DSW1. The command 'sh interfaces fa1/0/1' on ASW1 will show the following message in the first line: 'FastEthernet1/0/1 is down, line protocol is down (err-disabled)'

Solution: on ASW1, port-security mac 0000.0000.0001 is configured and the interface is in err-disable state.

Configuration of ASW1:

    interface fa1/0/1
     switchport mode access
     switchport port-security
     switchport port-security mac-address 0000.0000.0001

Answer: on ASW1 delete port security and do shutdown, no shutdown on the interface

Ans1) ASW1

Ans2) Port security

Ans3) issue the "no switchport port-security mac-address 0000.0000.0001" command followed by the shutdown & no shutdown commands on port fa1/0/1 on ASW1

Symptoms for this ticket:-

1- Client 1 is getting 169.x.x.x IP address

2- Client 1 is unable to ping Client 2 as well as DSW1.

3- 'sh interfaces fa1/0/1' will show the following message in the first line: 'FastEthernet1/0/1 is down, line protocol is down (err-disabled)'

4- 'sh running-config', you will see 'switchport port-security mac-address 0000.0000.0001' configured under fa1/0/1.

Steps and commands:

1. Ipconfig – on client

2. ASW1#show running-config – look under fa1/0/1 config for the switchport statement

3. ASW1#show int fa1/0/1 – check if int is in errdisable

2. Ticket – Switchport Access VLAN 10 – ASW1 – 169.x.x.x IP on both clients

Client 1 & 2 are getting 169.x.x.x ip addresses and can’t ping DSW1 or FTP Server but they are able to ping each other.

Situation: in port channel configuration of ASW1 vlan 10 is not allowed. (Use L2 Diagram)

Configuration of ASW1:

    interface FastEthernet1/0/1
     switchport mode access
     switchport access vlan 1
    !
    interface FastEthernet1/0/2
     switchport mode access
     switchport access vlan 1

On ASW1, on interfaces fa1/0/1, fa1/0/2 switchport access vlan 1

Answer: on ASW1 change switchport access vlan 1 to switchport access vlan 10

Ans1) ASW1

Ans2) Vlan

Ans3) give command: interface range fa1/0/1 - 2 & switchport access vlan 10

Symptoms:-

1- Clients are getting 169.x.x.x IP address.

2- Client 1 can ping Client 2 and vice versa.

3- 'sh running-config' command on ASW1 will not display 'switchport access vlan 10' under the interfaces fa1/0/1 and fa1/0/2

Commands and Steps:

1. ipconfig from client to check if it is getting 169.x.x.x ip

2. ASW1# show running-config – check under fa1/0/1 for the statement 'switchport access vlan 10'

3. Show vlan – check if fa1/0/1 is a member of Vlan 10

3. Ticket – Switchport Trunk Allowed VLAN – ASW1 – 169.x.x.x IP on client 1

Switchport to Switchport Connectivity

Client 1 is getting 169.x.x.x IP address. Client 1 & 2 can ping each other but they are unable to ping DSW1 or FTP Server (Use L2/3 Diagram)

Configuration of ASW1:

    interface PortChannel 13
     switchport mode trunk
     switchport trunk allowed vlan 1-9
    !
    interface PortChannel 23
     switchport mode trunk
     switchport trunk allowed vlan 1-9
    !
    interface FastEthernet1/0/1
     switchport mode access
     switchport access vlan 10
    !
    interface FastEthernet1/0/2
     switchport mode access
     switchport access vlan 10

Answer: on port channel 13, 23 disable all vlans and give switchport trunk allowed vlan 10, 200

Ans1) ASW1

Ans2) Switch to switch connectivity

Ans3)

    int range portchannel13,portchannel 23
    switchport trunk allowed vlan none
    switchport trunk allowed vlan 10,200

Symptoms of above ticket:-

1- Client 1 is getting 169.x.x.x IP address.

2- Client 1 can ping Client 2 and vice versa.

3- 'sh interfaces trunk' you will not see vlan 10 in PO13 and PO23 under allowed Vlans on trunk

Steps and Commands to use:

1. ipconfig on client and check if IP is 169.x.x.x

2. ASW1# show running-config to check in fa1/0/1 and fa1/0/2 access port vlan 10

3. ASW1# show interface trunk – check port 13 and 23 allowed vlan includes Vlan 10

4. Ticket – Wrong DHCP Exclude – R4 – 169.x.x.x IP on client 1

In this ticket, check the IP on Client1; if it gets 169.x.x.x then use the "show run" command on R4. If you see "ip dhcp exclude 10.2.1.1-10.2.1.253" then the DHCP range has been misconfigured.

Configuration on R4 was:

    !
    ip dhcp exclude 10.2.1.1-10.2.1.253
    !

Ans1) R4

Ans2) DHCP

Ans3) on R4 delete ip dhcp exclude 10.2.1.1-10.2.1.253 and apply ip dhcp-excluded 10.2.1.1-10.2.1.2

Tips:

If you can ping all the way from the client to the web server, that is the IPv6 ticket. When you open the IPv6 topology you will see that your routers can't ping each other's IPv6 address. Another hint: you can check the MCQ of that ticket; the question will be related to IPv6.

Steps and commands:

1. Ipconfig on client 1

2. R4#show run – check DHCP exclude addresses

5. Ticket – BGP Neighbour – R1 – Client 1 cannot ping Web Server

Problem: Client 1 is able to ping 209.65.200.226 but can’t ping the Web Server 209.65.200.241.

Configuration on R1:

    router bgp 65001
     no synchronization
     bgp log-neighbor-changes
     network 209.65.200.224 mask 255.255.255.252
     neighbor 209.56.200.226 remote-as 65002
     no auto-summary

Check BGP neighborship with 'show ip bgp sum'. The neighbor's address in the neighbor command is wrong under router BGP. (use ipv4 Layer 3)

Answer: need change in router mode on R1: neighbor 209.65.200.226

Ans1) R1

Ans2) BGP

Ans3) delete the wrong neighbor statement and enter the correct neighbor address in the neighbor command (change "neighbor 209.56.200.226 remote-as 65002" to "neighbor 209.65.200.226 remote-as 65002")

Following are the symptoms of above ticket:-

1- No one is able to ping Web Server.

2- Client 1 and all others can ping up to 209.65.200.226.

3- 'sh ip route BGP' on R1, you will not see any BGP route.

4- 'sh ip bgp neighbor' on R1, you will not see any active BGP neighbor.

Steps and commands:

1. Ipconfig on both clients


2. R1#show running-config

3. R1#show ip bgp

4. R1#show ip bgp neigh

6. Ticket – NAT ACL – R1 – Client 1 & 2 cannot ping Web Server

Client 1 & 2 are not able to ping the web server 209.65.200.241, but all the routers & DSW1,2 can ping the server.

NAT problem. (use ipv4 Layer 3)

Answer: problem on R1 NAT ACL

Configuration on R1:

    ip nat inside source list nat_pool interface s0/0/0/1 overload

    ip access-list standard nat_pool
     permit 10.1.0.0
    !
    interface serial0/0/0/1
     ip address 209.65.200.224 255.255.255.252
     ip nat outside
    !
    interface Serial0/0/0/0.12
     ip address 10.1.1.1 255.255.255.252
     ip nat inside
     ip ospf message-digest-key 1 md5 TSHOOT
     ip ospf authentication message-digest

Answer: add to acl 1 permit ip 10.2.1.0 0.0.0.255

Ans1) R1

Ans2) NAT

Ans3) Add the command permit 10.2.0.0 in the nat_pool access-list

Steps and Commands:

1. Ipconfig on client

2. R1#show running-config

3. R1#show ip bgp

4. R1#show access-list

7. Ticket – ACL Blocking IP – R1 – Client cannot ping Web Server

Client is not able to ping the server. Except for R1, no one else can ping the server. (use ipv4 Layer 3)

Problem: on R1 ACL blocking IP

Configuration on R1:

    router bgp 65001
     no synchronization
     bgp log-neighbor-changes
     network 209.65.200.224 mask 255.255.255.252
     neighbor 209.65.200.226 remote-as 65002
     no auto-summary
    !
    access-list 30 permit host 209.65.200.241
    access-list 30 deny 10.1.0.0 0.0.255.255
    access-list 30 deny 10.2.0.0 0.0.255.255
    !
    interface Serial0/0/0/1
     ip address 209.65.200.224 255.255.255.252
     ip nat outside
     ip access-group 30 in

Answer: add permit 209.65.200.224 0.0.0.3 command to R1's ACL

Ans1) R1

Ans2) IP Access list

Ans3) Add permit 209.65.200.224 0.0.0.3 to R1's ACL

Tips:

Even R1 would not be able to ping the web server or the ISP (209.65.200.226), since the explicit deny of this ACL will not allow a reply to come back in to R1 from outside (this ACL is applied in the 'in' direction) until a permit entry is included in the ACL. This will also cause the BGP neighbor relationship to go down. You will see one permit entry for the web server only, which is not enough. You will see the contents of this ACL as below.

    ip access-list extended edge_security
     permit ip host 209.65.200.241 any
     deny ip 10.2.0.0 0.0.255.255 any
     deny ip 10.1.0.0 0.0.255.255 any
     deny ip host 127.0.0.1 any

That's why an entry of 'permit 209.65.200.224 0.0.0.3 any' is required to solve this problem. And by the way, the entries for the 10.x.x.x networks neither have any effect nor are required in this ACL; they put these up only to confuse the candidates.

Steps and commands:

1. Ipconfig on both clients

2. R1#show running-config

3. R1#show ip bgp

4. R1#show access-list
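
The inbound ACL behaviour from this ticket, as an added example that is not part of the original document: a first-match evaluator for IOS standard ACL entries, run against access-list 30 as shown in "Configuration on R1" and against the same list with the ticket's answer appended. The function names are illustrative; all addresses are taken from the page.

```python
import ipaddress

# access-list 30 as shown in this ticket's "Configuration on R1".
ACL_30 = [
    "permit host 209.65.200.241",
    "deny 10.1.0.0 0.0.255.255",
    "deny 10.2.0.0 0.0.255.255",
]
# The same list with the entry from the ticket's answer appended.
ACL_30_FIXED = ACL_30 + ["permit 209.65.200.224 0.0.0.3"]


def parse_ace(entry):
    """Parse '<permit|deny> any | host <addr> | <addr> [wildcard]'."""
    action, *rest = entry.split()
    if action not in ("permit", "deny") or not rest:
        raise ValueError(f"not a standard ACL entry: {entry!r}")
    if rest[0] == "any":
        addr, wild = "0.0.0.0", "255.255.255.255"
    elif rest[0] == "host":
        addr, wild = rest[1], "0.0.0.0"
    else:
        # An address without a wildcard matches that single address.
        addr, wild = rest[0], rest[1] if len(rest) > 1 else "0.0.0.0"
    return action, int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wild))


def evaluate(acl, source):
    """Return (action, entry_number) for a packet from `source`.

    Entries are tried top-down and the first match wins. If nothing
    matches, the implicit deny applies and entry_number is None.
    """
    src = int(ipaddress.IPv4Address(source))
    for number, entry in enumerate(acl, start=1):
        action, addr, wild = parse_ace(entry)
        # Wildcard bits set to 1 are "don't care"; compare the rest.
        if (src | wild) == (addr | wild):
            return action, number
    return "deny", None


if __name__ == "__main__":
    # 209.65.200.241 is the web server, 209.65.200.226 the BGP peer,
    # 10.1.1.1 an inside address on R1 (all taken from the page).
    for name, acl in (("as configured", ACL_30), ("with fix", ACL_30_FIXED)):
        for source in ("209.65.200.241", "209.65.200.226", "10.1.1.1"):
            action, number = evaluate(acl, source)
            where = f"entry {number}" if number else "implicit deny"
            print(f"{name:13} {source:15} {action:6} ({where})")
```

Traffic sourced from the BGP peer is dropped until the /30 permit is present, while a 10.x source is denied with or without the two 10.x entries.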

8. Ticket – OSPF Authentication – R1 – Client can ping R2 but not R1

1. Client is unable to ping R1's serial interface from the client.

Problem was disabled authentication on R1; check where authentication is not given under router ospf of R1. (use ipv4 Layer 3)

Configuration on R1 was:

    interface Serial0/0/0/0.12 point-to-point
     ip address 10.1.1.1 255.255.255.252
     ip nat inside
     ip ospf message-digest-key 1 md5 TSHOOT
    !
    router ospf 1
     log-adjacency-changes
     network 10.1.1.0 0.0.0.3 area 12
     default-information originate always

Configuration on R2 was:

    interface Serial0/0/0/0.12 point-to-point
     ip address 10.1.1.2 255.255.255.252
     ip ospf authentication message-digest
     ip ospf message-digest-key 1 md5 TSHOOT
    !
    router ospf 1
     log-adjacency-changes
     network 10.1.1.0 0.0.0.3 area 12

Answer: on R1 need command in router mode area 12 authentication message-digest

Ans1) R1

Ans2) OSPF

Ans3) ip ospf authentication message-digest command must be given on s0/0/0/0.12

Steps & Commands:

1. Ipconfig on client

2. R1#ping 10.2.1.3

3. R1#show running-config check interface s0/0/0/0 on R1

4. R1#show ip ospf neighbor – check if R1 is forming neighborship with R2

5. R2#show ip ospf neighbor – check if R2 is forming neighborship with R1

9. Ticket – HSRP Track – DSW1 – DSW1 does not become active for HSRP

HSRP was configured on DSW1 & DSW2. DSW1 is configured to be active but it does not become active.

Configuration on DSW1:

    track 1 ip route 10.1.21.128 255.255.0.0 metric threshold
     threshold metric up 1 down 2
    !
    track 10 ip route 10.2.21.128 255.255.255.0 metric threshold
     threshold metric up 63 down 64
    !
    interface Vlan10
     ip address 10.2.1.1 255.255.255.0
     standby 10 ip 10.2.1.254
     standby 10 priority 200
     standby 10 preempt
     standby 10 track 1 decrement 60

Answer: (use IPv4 Layer 3 Topology) On DSW1, in interface vlan 10 mode, run:

    no standby 10 track 1 decrement 60
    standby 10 track 10 decrement 60

(ip for track command not exact for real exam)

Ans1) DSW1

Ans2) HSRP

Ans3) delete the command with track 1 and enter the command with track 10 (standby 10 track 10 decrement 60).

Steps and commands:

1. Ipconfig on both clients

2. DSW1#show running-config

3. DSW1#show standby

4. DSW1#show standby vlan 10

10. Ticket – IPV6 OSPF – R2 – can’t ping R2′s loopback interface or s0/0/0/0.12 IPv6 address

DSW1 & R4 can't ping R2's loopback interface or s0/0/0/0.12 IPv6 address.

R2 is not an OSPFv3 neighbour on R3

Situation: ipv6 ospf was not enabled on R2's serial interface connecting to R3. (use ipv6 Layer 3)

Question: IPv6 loopback cannot ping the IPv6 loopback of DSW2.

Situation:- R2 can't establish neighborship relation with R3 because it does not have any interfaces enabled in Area 0

Configuration of R2:

    ipv6 router ospf 6
     router-id 2.2.2.2
    !
    interface s0/0/0/0.23
     ipv6 address 2026::1:1/122

Configuration of R3:

    ipv6 router ospf 6
     router-id 3.3.3.3
    !
    interface s0/0/0/0.23
     ipv6 address 2026::1:2/122
     ipv6 ospf 6 area 0

Answer:

In interface configuration mode of s0/0/0/0.23 on R2:

    ipv6 ospf 6 area 12

Ans1) R2

Ans2) OSPFv3

Ans3) on the serial interface of R2, enter the command ipv6 ospf 6 area 0 (notice that it is "area 0", not "area 12")

Symptoms:-

1- IPv6 ping from R1 to DSW1's loopback will timeout

2- IPv6 ping from R2 to DSW1's loopback will timeout

3- You will not see R3 as neighbor on R2 by entering 'ipv6 ospf neighbor' command

4- By entering the command 'sh run' you will not see 'ipv6 ospf 6 area 0' command under the interface S0/0/0.23 on R2

Steps and commands:


1. on both clients

2. R2#show ipv6 ospf neighbor

3. R3#show ipv6 ospf neighbor

11. Ticket – VLAN Filter – DSW1 – Client 1 cannot ping Web Server

Client 1 is getting the correct IP address from DHCP but Client 1 is not able to ping the server. Unable to ping DSW1 or the FTP Server (Use L2 Diagram).

Answer: Vlan Access map is applied on DSW1 blocking the ip address of client 10.2.1.3

Configuration on DSW1

    vlan access-map test1 10
     action drop
     match ip address 10
    !
    vlan filter test1 vlan-list 10
    !
    ip access-list standard 10
     permit 10.2.0.0 0.0.255.255
    !
    interface VLAN10
     ip address 10.2.1.1 255.255.255.0

Ans1) DSW1 (but in the exam maybe you have to choose ASW1)

Ans2) Vlan access map

Ans3) Remove vlan filter test1 from DSW1

Symptoms of this ticket.

1- Client 1 is getting the correct IP address from DHCP (i.e. 10.2.1.3)

2- But Client 1 is unable to ping DSW1.

3- Client 1 is unable to ping FTP Server (10.2.2.10)

Additional information:

VACL/PACL can be chosen for DSW1. You have to SCROLL DOWN to find the option

Steps and commands:

1. Ipconfig – on both clients

2. DSW1#show running-config

Below P4S answer is wrong, right answer is ‘D’


12. Ticket – EIGRP Passive Interface – R4 – Client 1 cannot ping R4

The neighborship between R4 and DSW1 wasn't established. Client 1 can't ping R4

Configuration on R4 was:

    router eigrp 10
     passive-interface default
     redistribute ospf 1 route-map OSPF->EIGRP
     network 10.1.4.4 0.0.0.3
     network 10.1.4.8 0.0.0.3
     default-metric 10000 100 255 1 10000
     no auto-summary

Answer 1) R4

Answer 2) IPv4 EIGRP Routing

Answer 3) Remove "Passive interface" under EIGRP 10 (or in Interface f0/1 and f0/0, something like this)

Tips:

passive-interface default: this command doesn't allow any interface to participate in the EIGRP process, so the neighbor relationship will not be established. We should either remove it under EIGRP, or add another command that enables the EIGRP process on the specific interface that should participate in it. The command is: no passive-interface fa 0/0

Commands:

1. Ipconfig on client

2. R4#show run

3. R4#show ip eigrp neigh – DSW1 will not be a neighbor

4. DSW1#show ip eigrp neigh

13. Ticket – EIGRP -> Redistribution – R4 – Client 1 cannot ping Web Server

Client 1 is not able to ping the Webserver.

DSW1 can ping fa0/1 of R4. However clients and DSW1 can't ping R4's S0/0/0/0.34 interface (10.1.1.10)

On R4 in router eigrp:

    router eigrp 10
     network 10.1.4.5 0.0.0.0
     no auto-summary
     redistribute ospf 1 metric 100 10 255 1 1500 route-map EIGRP_to_OSPF
    !
    router ospf 1
     network 10.1.1.8 0.0.0.0 area 34
     redistribute eigrp 10 subnets
    !
    route-map EIGRP->OSPF
     match ip address 1

Answer: change the route-map name in router eigrp

Ans1) R4

Ans2) Route redistribution

Ans3) Change the name of the route-map under the router EIGRP or router OSPF process from 'EIGRP_to_OSPF' to 'EIGRP->OSPF'

Tips:

Here in the redistribution we are using a route map to prevent routing loops. You must call/invoke the same route map (with the same name) as the one you have created. The problem in this ticket is that they created the route map using the 'EIGRP->OSPF' name but in the redistribution command they mistyped it as 'EIGRP_to_OSPF'. So it is only an issue of a wrongly written name, which needs to be corrected.

Steps and Commands:

1. Ipconfig on both clients

2. R4#show running-config

3. R4#Show ip ospf neigh

4. R3#Show ip ospf neigh
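
A way to catch this kind of name mismatch mechanically, as an added example that is not part of the original document: a small audit that cross-checks route-map definitions against the places a configuration references them, run on the R4 configuration from this ticket. The function name and the re-indentation of the sample (running-config style, top-level lines in column 0) are assumptions of the example.

```python
import re

# R4 configuration as shown in this ticket, re-indented the way IOS
# prints a running-config (top-level lines start in column 0).
R4_CONFIG = """\
router eigrp 10
 network 10.1.4.5 0.0.0.0
 no auto-summary
 redistribute ospf 1 metric 100 10 255 1 1500 route-map EIGRP_to_OSPF
!
router ospf 1
 network 10.1.1.8 0.0.0.0 area 34
 redistribute eigrp 10 subnets
!
route-map EIGRP->OSPF
 match ip address 1
"""

ROUTE_MAP_REF = re.compile(r"\broute-map\s+(\S+)")


def audit_route_maps(config):
    """Cross-check route-map definitions against the places they are used.

    Returns a dict with:
      undefined - (section, name) pairs that reference a missing route-map
      unused    - route-map names that are defined but never referenced
    """
    defined, references, section = set(), [], None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        match = ROUTE_MAP_REF.search(line)
        if not line[0].isspace():
            # Top-level line: opens a new section, maybe a definition.
            section = line.strip()
            if match and line.startswith("route-map"):
                defined.add(match.group(1))
        elif match:
            # Indented line inside a section that names a route-map.
            references.append((section, match.group(1)))
    used = {name for _, name in references}
    return {
        "undefined": [(s, n) for s, n in references if n not in defined],
        "unused": sorted(defined - used),
    }


if __name__ == "__main__":
    result = audit_route_maps(R4_CONFIG)
    for section, name in result["undefined"]:
        print(f"{section}: references undefined route-map {name}")
    for name in result["unused"]:
        print(f"route-map {name} is defined but never referenced")
```

One undefined reference paired with one unused definition is the signature of a mistyped name rather than a missing route map.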

14. Ticket – EIGRP Wrong AS – R4 – Client 1 cannot ping Web Server

DSW1 is still able to ping R4's Fast Ethernet interface, because this interface is directly connected to DSW1, so no matter whether EIGRP is configured correctly or not, DSW1 can ping the fa0/0 interface (10.1.4.5). However, clients and DSW1 will not be able to ping R4's S0/0/0.34 interface (10.1.1.10), because reaching that side requires EIGRP to work properly.

Answer: change router AS on R4 from 1 to 10

Ans1) R4

Ans2) EIGRP

Ans3) Change EIGRP AS number from 1 to 10

Following are the symptoms for above ticket:-

1- Clients and DSW1 are unable to ping R4's S0/0/0/0.34 interface

2- Clients and DSW1 can ping up to R4's Fa0/0 interface.

3- 'sh ip eigrp neighbor' on DSW1 you will not see R4 as neighbor.

4- 'sh ip route' on DSW1 you will not see any 10.x.x.x network route.

Steps and commands:

1. ipconfig – on both clients

2. DSW1#show ip eigrp neighbors

3. DSW1#show ip protocols

4. R4#show ip eigrp neighbors

15. Ticket – IP Helper Address Missing – DSW1

mils May 22nd, 2011

@Trainee

i sort out 1 lab which is — IP HELPER ADDRESS MISSING on DSW1

client is not getting IP

commands:

1. Ipconfig on client

2. DSW1#show run – check under vlan 10 config if R4 fa0/0 ip is there

Now here’s the summary device wise:

ASW1 – 3 TTs

1. Port Security

2. Access VLAN

3. Switch to Switch connectivity

DSW1 – 3 TTs

1. HSRP

2. VLAN Filter

3. IP Helper Address (this one is a rare possibility)

R4 – 4 TTs

1. DHCP Exclude Addresses

2. EIGRP Passive Interface

3. EIGRP to OSPF Redistribution

4. EIGRP Wrong AS No. (this one is a rare possibility)


R2 – Only IPv6 TT

R1 – 4 TTs

1. BGP Wrong Neighbor address

2. BGP network address is missing in ACL Edge_Security

3. 10.2.x.x is missing from ACL NAT_Traffic

4. OSPF Authentication Message-Digest statement is missing under s0/0/0/0

Configuration wise strategy below are some important points:

DSW1 – is a link between Layer 2 and Layer 3 (EIGRP)

R4 – Redistribution point between EIGRP and OSPF

R1 – Local network interface with ISP via BGP

R2 – IPv6 Backbone area 0

NOTE: Every time after you click a TT, immediately type "IPCONFIG" on the client to see the IP address.

If the IP is 169.x.x.x, you know that you have 4 TTs (Port security, Access vlan 10, Port channel –> all are on ASW1 of layer 2 topology, and DHCP on R4)

If the IP is 10.2.1.3 you have 2 options:

OPTION 1: if you ping 10.1.1.1 or 10.1.1.2 (the problem is on R1 and you have 4 TTs –> NAT ACL, Layer 3 security, BGP and OSPF)

OPTION 2: if you can't ping 10.1.1.1 or 10.1.1.2 (the problem is on R4 and DSW1 (ASW1), and you have 3 TTs –> redistribution, passive interface on L3 topology and VLAN access map on DSW1 or ASW1)

The rest 2 TTs are HSRP and IPV6.

ASW1 : A , Po , Ps
DSW1 : H , V
R1 : B , N , A , O
R2 : IPv6
R4 : E , D , R , P

Device Error Description

ASW1 (169.x.x.x)
A – Access port not in VLAN 10
Po – Port-Channel not allowing VLAN 10
Ps – Port Security needs to be disabled

DSW1
H – HSRP Track 10
V – VLAN Filter (Correct answer is ASW1 not DSW1)

R1
B – BGP wrong Neighbor IP
N – NAT ACL misconfigured
A – IP range not allowed in the ACL
O – OSPF Authentication issue

R2
IPv6 OSPF ( Ipv6 topology ) ipv6 ip add

R4
E – EIGRP – wrong AS
D – DHCP wrong exclude address host 1
R – Route Redistribution (wrong route map name)
P – Passive Interface Under eigrp 10

