EIGRP GRE Troubleshooting SimMarch 19th, 2018Go to commentsRefer to the topology below. Your company asks you to identify the issues in Phase 1 EIGRP implementation. You have console access on R1, R2, R3 Branch1 and Branch2 routers. Only use show commands to troubleshoot the issues.

Question 1

Explanation

R1 routing table does not have any EIGRP learned routes so R1 or the link between R1 & R2 is the most likely problem. We should check if the IP addresses on R1 and R2 are correct or not with the “show ip interface brief” command.

Note: You should check the IP address of R2 E0/0 interface (the interface connected to R1) as well.

Question 2

Explanation

The “main office” here refers to R2 (and other routers behind it). Check Branch2 with the “show ip route” command:

We can see Branch2 only uses 192.168.12.1 (Branch 1 – the secondary path) to reach R2 and the subnets behind. Branch2 does not use the primary path (directly connected to R2) so there must be a problem with the connection between R2 and Branch2. Check Branch2 router with the “show running-config” command and we can see an access-list is blocking EIGRP packets advertised to Branch2.

Question 3

Explanation

This issue is same as Question 2 but this time it is R3 which causes the issue. We can check R3 with the “show running-config” command.

Question 4

Explanation

In this question we should check the local routers to see if these subnets have been advertised or not as there are many issues in the path which prevent these subnets from being shown in the routing tables.

When checking Branch1 router, we notice “network 172.16.0.0” is missing under EIGRP 200 so answer D is correct.

VLAN Troubleshooting SimJanuary 27th, 2018Go to commentsRefer to the exhibit.

Your colleague has built a Layer 2 network in your client locations. You must verify the configuration and fix any issues identified as per customer requirements.Customer requirements:+ Verify if switch ports are assigned correct VLANs as shown in topology. Identify and fix any misconfiguration found in three switches+ Verify if trunk links are operational between switches and the IEEE 802.1Q trunk encapsulation method is used. Identify and fix any misconfiguration found in trunk configuration+ Make sure ports connected between switches are set as trunk ports

We are not sure about the details but here are the faults in this sim:

– Native VLAN mismatch between SW1 & SW3– Switchport mode mismatch: one in access mode while the other end in trunk mode -> need to change from access to trunk mode– One port in VLAN 500 while other port in VLAN 600

Recommended commands to solve this sim: show int trunk, show vlan, show run.

You can download and practice this sim with Packet Tracer at: http://www.9tut.com/download/9tut.com_CCNA_VLAN_Troubleshooting_Sim.zip

Commands to fix the issues:

SW1, SW2:interface e0/2 switchport mode access switchport access vlan 500interface e0/3 switchport mode access switchport access vlan 600

SW3:interface e0/0 (or interface e0/1 of SW1) switchport trunk encapsulation dot1q

 switchport mode trunk switchport trunk native vlan … (must match the native VLAN on the other end, use “show int trunk” command on SW1 to check SW1 native VLAN)

IPv6 OSPF SimSeptember 14th, 2017Go to commentsQuestion

All routers are running IPv6 OSPF with process ID 100. The loopback0 IPv4 address is the OSPF router ID of each router.

On HQ router, a provider link is provided and you have to configure an IPv6 default route on HQ and make sure this route is advertised in IPv6 OSPF process. Also troubleshoot why HQ is not forming IPv6 OSPF neighbor with BR.

Requirements:

1. Configure IPv6 default route on HQ router with default gateway of 2001:DB8:B:B1B2::12. Verify by pinging provider test IPv6 address 2001:DB8:0:1111::1 after configuring default route on HQ3. Make sure that the default route is advertised in IPv6 OSPF router HQ. This default route should be advertised only when HQ has a default route in its routing table4. Router HQ is not forming IPv6 OSPF neighbor with BR. Troubleshoot and solve the problem

Special Note: To gain the maximum number of points, you must complete the necessary configurations and fix IPv6 OSPF neighbor issue with router BR. IPv6 OSPFv3 must be configured without using address families. Do not change the IPv6 OSPF process ID.

Solution

1. Configure IPv6 default route on HQ router with default gateway of 2001:DB8:B:B1B2::1:

HQ(config)#ipv6 unicast-routingHQ(config)#ipv6 route ::/0 2001:DB8:B:B1B2::1

First we have to enable IPv6 routing with the “ipv6 unicast-routing” command then we configure a default route on HQ router.

2. Verify by pinging provider test IPv6 address 2001:DB8:0:1111::1 after configuring default route on HQ:

HQ#ping ipv6 2001:DB8:0:1111::1

Issue the ping test to see if the default route works. The ping must be successful.

3. Make sure that the default route is advertised in IPv6 OSPF router HQ. This default route should be advertised only when HQ has a default route in its routing table:

HQ(config)# ipv6 router ospf 100HQ(config-rtr)#default-information originate

The command “default-information originate” will generate a default route and send to all other routers in the OSPF domain, provided that the local router has a default route configured.

4. Router HQ is not forming IPv6 OSPF neighbor with BR. Troubleshoot and solve the problem

Maybe interface S1/0 of HQ was not enabled with IPv6 OSPF (verify by the “show run” or “show ipv6 ospf interface” command) so we have to enable it.

HQ(config)#interface s1/0HQ(config-if)#ipv6 ospf 100 area 0

After configuration use the “show ipv6 ospf neighbor” on HQ to see if BR is listed in the output.

GRE Multilink SimSeptember 11th, 2017Go to commentsRefer to the topology below and answer the following questions.

Note: There may be different faults in this sim so please notice the following faults:

1. ACL blocking traffic on interface between R2 and R32. The network was not advertised in EIGRP

3. Two routers couldn’t establish adjacency because of ACL4. Another two routers couldn’t establish adjacency because of wrong IP configuration on interface between them

Question 1

Explanation

The Branch2 network is communicating to the Server farm, which is connected to R2, via GRE Tunnel so we should check the GRE tunnel first to see if it is in “up/up” state with the “show ip interface brief” command on the two routers.

On Branch2:

On R2:

We see interfaces Tunnel0 at two ends are “up/up” which are good so we should check for the routing part on two routers with the “show running-config” command and pay attention to the static routing of each router. On Branch2 we see:

The destination IP address for this static route is not correct. It should be 192.168.24.1 (Tunnel0’s IP address of R2), not 192.168.24.10 -> Answer C is correct.

Note: You can use the “show ip route” command to check the routing configuration on each router but if the destination is not reachable (for example: we configure “ip route 10.10.10.0 255.255.255.0

192.168.24.10” on Branch2, but if 192.168.24.10 is unknown then Branch2 router will not display this routing entry in its routing table.

Note: The IP address or configuration may be different in the exam.

Question 2

Explanation

First we should check Branch3 (and R1) with the “show ip interface brief” command to find any Layer1/Layer 2 issue.

We see the interfaces connecting between them are in “up/down” states which indicates an Layer 2 issue so we should check the configuration of these interfaces carefully with the “show running-config” command and pay attention to these interfaces.

and on Branch3:

We learn from above config is R1 is using CHAP to authenticate Branch3 router (via the “ppp authentication chap” command on R1). Branch3 router is sending CHAP hostname “Branch_3” and

CHAP password “Branch3_Secret!” to R1 to be authenticated. Therefore we should check if R1 has already been configured with such username and password or not with the “show running-config” command on R1:

On R1 we see the configured username is “Branch3”, not “Branch_3” so the usernames here are mismatched and this is the problem -> Answer A is correct.

Question 3

Explanation

In this question we have to check each option to see if it is correct. When we check Branch3 router we notice that “network 192.168.10.0” command is missing under “router eigrp 100” -> Answer D is correct.

Note: In the exam you should check other config as well. There are some reports saying that the answer of this question is different in the exam (answer A).

Question 4

Explanation

This question clearly stated there is a WAN connectivity issue between R1 and Branch1 so we should check both of them with the “show ip interface brief” command. On R1:

On Branch1:

We can see that although the Multilink1 interfaces are in “up/up” state but they are not in the same subnet. According to the IP address scheme shown on the topology we can deduce the Multilink interface on Branch1 has been misconfigured, it should be 192.168.14.2 instead.

RIPv2 Troubleshooting SimOctober 16th, 2016Go to commentsRefer to the topology below and answer the questions using “show” commands.

Question 1

Server1 and Server2 are unable to communicate with the rest of the network. Your initial check with system administrators shows that IP address settings are correctly configured on the server side. What could be an issue?

A. The VLAN encapsulation is misconfigured on the router subinterfaces.B. The Router is missing subinterface configuration.C. The Trunk is not configured on the L2SW1 switch.D. The IP address is misconfigured on the primary router interface.

 

Answer: A

Explanation

Check the configuration of the interface that is connected to Server1 and Server2 on R2 with “show running-config” command.

We see that subinterface E0/1.100 has been configured with VLAN 200 (via “encapsulation dot1Q 200” command) while Server1 belongs to VLAN 100. Therefore this configuration is not correct. It should be “encapsulation dot1Q 100” instead. The same thing for interface E0/1.200, it should be “encapsulation dot1Q 200” instead.

Question 2

Users in the main office complain that they are unable to reach internet sites. You observe that internet traffic that is destined towards ISP router is not forwarded correctly on Router R1. What could be an issue?

Ping to Internet server shows the following results from R1:

R1#ping 209.165.200.225Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 209.165.200.225, timeout is 2 seconds:…..Success rate is 0 percent (0/5)

A. The next hop router address for the default route is incorrectly configured.B. Default route pointing to ISP router is not configured on Router R1.C. Default route pointing to ISP router is configured with AD of 225.D. Router R1 configured as DHCP client is not receiving default route via DHCP from ISP router.

 

Answer: B

Explanation

When all the users cannot reach internet sites we should check on the router connecting to the ISP to see if it has a default route pointing to the ISP or not. Use the “show ip route” command on R1:

We cannot find a default route on R1 (something like this: S* 0.0.0.0/0 [1/0] via 209.165.201.2) so maybe R1 was not configured with a default route. We can check with the “show running-config” on R1:

We need a default route (like “ip route 0.0.0.0 0.0.0.0 209.165.201.2”) but we cannot find here so we can conclude R1 was not be configured with a default route pointing to the ISP router.

Question 3

Examine R2 configuration, the traffic that is destined to R3 LAN network sourced from Router R2 is forwarded to R1 instead R3. What could be an issue?

R2#traceroute 10.10.12.1 source 10.10.10.1Type escape sequence to abort.Tracing the route to 10.10.12.1VRF info: (vrf in name/id, vrf out name/id)1 172.16.14.1 0 msec 1 msec 0 msec2 172.16.14.1 !H !H *

R2#

A. RIPv2 enabled on R3, but R3 LAN network that is not advertised into RIPv2 domain.B. RIPv2 routing updates are suppressed between R2 and R3 using passive interface feature.C. RIPv2 not enabled on R3.D. No issue that is identified; this behavior is normal since default route propagated into RIPv2 domain by Router R1.

 

Answer: C

Explanation

First we should check the routing table of R2 with the “show ip route” command.

In this table we cannot find the subnet “10.10.12.0/24” (R3 LAN network) so R2 will use the default route advertised from R1 (with the command “default-information originate” on R1) to reach unknown destination, in this case subnet 10.10.12.0/24 -> R2 will send traffic to 10.10.12.0/24 to R1.

Next we need to find out why R3 did not advertise this subnet to R2. A quick check with the “show running-config” on R3 we will see that R3 was not configured with RIP ( no “router rip” section). Therefore we can conclude RIPv2 was not enabled on R3.

Question 4

What is the correct statement below after examining the R1 routing table?

A. Traffic that is destined to 10.10.10.0/24 from R1 LAN network uses static route instead RIPv2 because the static route AD that is configured is less than the AD of RIPv2B. Traffic that is destined to 10.10.10.0/24 from R1 LAN network uses RIPv2 instead of static route

because the static route AD that is configured is higher than the AD of RIPv2C. Traffic that is destined to 10.10.10.0/24 from R1 LAN network uses static route instead of RIPv2 but the traffic is forwarded to the ISP instead of the internal networkD. Traffic that is destined to 10.10.10.0/24 from R1 LAN network uses RIPv2 instead of static route because the static route AD that is configured is 255

 

Answer: B

Explanation

Surely we have to use the “show ip route” command to check the R1 routing table.

As we see here, 10.10.10/24 is learned from RIP. Notice that although there is a static route on R1 to this destination (you can check with the “show running-config” on R1 to see the line “ip route 10.10.10.0 255.255.255.0 172.16.14.2 200”), this static route is not installed to the routing table

because it is not the best path because the Administrative Distance (AD) of this static route is 200 while the AD of RIP is 120 -> R1 chose the path with lowest AD so it chose path advertised via RIP.

DHCP SimOctober 16th, 2016Go to commentsRefer to the topology below and answer the questions.

You can download this lab and practice with Packet Tracer at http://www.9tut.com/download/9tut.com_DHCP_Sim.zip (note: In this Packet Tracer file we use FastEthernet instead of Ethernet connections; and interfaces Fa1/0, Fa1/1 instead of interfaces Et0/2, Et0/3)

Question 1

Examine the DHCP configuration between R2 and R3, R2 is configured as the DHCP server and R3 as the client. What is the reason R3 is not receiving the IP address via DHCP?

A. On R3, DHCP is not enabled on the interface that is connected to R2.B. On R3, the interface that is connected to R2 is in shutdown condition.C. On R2, the interface that is connected to R3 is in shutdown condition.D. On R2, the network statement in the DHCP pool configuration is incorrectly configured.

 

Answer: A

Explanation

First we should check which interface on R3 that is connected to R2 via the “show run” command.

From the description we learn interface E0/1 is connected to R2. Use the “show ip interface brief” command to verify the IP address of this interface.

Therefore we can conclude this interface does not have any IP address and there is no configuration on this interface (except the “description Link to R2” line).

If R3 wants to receive an IP address from R2 via DHCP, interface E0/1 should be configured with the command “ip address dhcp” so the answer “DHCP is not enabled on this interface” is correct.

Question 2

R1 router clock is synchronized with ISP router. R2 is supposed to receive NTP updates from R1. But you observe that R2 clock is not synchronized with R1. What is the reason R2 is not receiving NTP updates from R1?

A. R1 router Ethernet interface that is connected to R2 is placed in shutdown condition.B. R2 router Ethernet interface that is connected to R1 is placed in shutdown condition.C. The NTP server command not configured on R2 router.D. The IP address that is used in the NTP configuration on R2 router is incorrect.

 

Answer: D

Explanation

First we should verify if the ports connected between R1 and R2 is in “up/up” state with the “show ip interface brief” command on R1 & R2.

Note: We learn R1 & R2 connect to each other via E0/2 interface because the IP addresses of these interfaces belong to 192.168.10.0/30 subnet. Both of them are “up/up” so the link connecting between R1 & R2 is good.

Next we need to verify the ntp configuration on R2 with the “show running-config” command.

So there is only one command related to NTP configuration on R2 so we need to check if the IP address of 192.168.100.1 is correct or not. But from the “show ip interface brief” command on R1 we don’t see this IP -> This IP address is not correct. It should be 192.168.10.1 (IP address of interface E0/2 of R1), not 192.168.100.1.

Question 3

Why applications that are installed on PC’s in R2 LAN network 10.100.20.0/24 are unable to communicate with Server1?

A. A standard ACL statement that is configured on R1 is blocking the traffic sourced from R2 LAN network.B. A standard ACL statement that is configured on R1 is blocking the traffic sourced from Server1 network.C. A standard ACL statement that is configured on R2 is blocking the traffic sourced from Server1 network.D. A standard ACL statement that is configured on R2 is blocking the traffic sourced from R2 LAN network.

 

Answer: C

Explanation

We should check if we can ping from R1 to Server 1 or not:

The ping worked well so maybe R1 is good so we should check R2 first. We notice on R2 there is an access-list:

This access-list is applied to E0/2 interface with inbound direction. The purpose of this access-list is to block traffic with source IP address of 172.16.200.0/24 so it will block all traffic sent from Server 1 to us.

Question 4

Users complain that they are unable to reach internet sites. You are troubleshooting internet connectivity problem at main office. Which statement correctly identifies the problem on Router R1?

A. NAT configurations on the interfaces are incorrectly configured.B. NAT translation statement incorrectly configured.C. Interesting traffic for NAT ACL is incorrectly configured.D. Only static NAT translation configured from the server, missing Dynamic NAT or Dynamic NAT overloading for internal networks.

 

Answer: A

Explanation

If all users cannot access internet then R1 is most likely to cause the problem so we should check it first. From the “show running-config” command we will see:

We notice that interface E0/0 (connected to ISP) has been configured as “nat inside” while interfaces E0/1 & E0/2 (connected to our company) have been configured as “nat outside”. This is not correct because “nat inside” should be configured with interfaces connected to our company while “nat outside” should be configured with interfaces connected to the internet. Therefore we can conclude the NAT configuration on these interfaces is not correct.

EIGRP Troubleshooting SimOctober 7th, 2014Go to commentsQuestion

The topology below is running EIGRP. You are required to troubleshoot and resolve the EIGRP issues between the various routers. Use the appropriate show commands to troubleshoot the issues.

Instead of posting the output of “show run” commands we post here the commands entered on each router to reduce some useless lines. Also you can try solving questions by yourself before reading the answers.

R1:int lo0ip address 10.1.1.1 255.255.255.255int e0/0ip address 192.168.16.1 255.255.255.0int s1/1ip address 192.168.13.1 255.255.255.0bandwidth 1000int s1/3ip address 192.168.12.1 255.255.255.0!router eigrp 1network 192.168.12.0network 192.168.13.0network 192.168.16.0

R2:int lo0ip address 10.2.2.2 255.255.255.255int e0/0ip address 192.168.123.2 255.255.255.0int s2/1ip address 192.168.12.2 255.255.255.0! router eigrp 1network 10.2.2.2 0.0.0.0network 192.168.12.0network 192.168.123.0

R3:int lo0ip address 10.3.3.3 255.255.255.255int e0/0ip address 192.168.123.3 255.255.255.0int s2/1ip address 192.168.13.3 255.255.255.0! router eigrp 1network 10.3.3.3 0.0.0.0network 192.168.13.0network 192.168.123.0

R4:int lo0ip address 10.4.4.4 255.255.255.255int lo1ip address 10.4.4.5 255.255.255.255int lo2ip address 10.4.4.6 255.255.255.255int e0/0ip address 192.168.123.4 255.255.255.0!router eigrp 2network 10.4.4.4 0.0.0.0network 10.4.4.5 0.0.0.0network 10.4.4.6 0.0.0.0network 192.168.123.0

R5:int lo0ip address 10.5.5.5 255.255.255.255int lo1ip address 10.5.5.55 255.255.255.255int e0/0ip address 192.168.123.5 255.255.255.0!router eigrp 1network 10.5.5.5 0.0.0.0network 10.5.5.55 0.0.0.0network 10.10.10.0 0.0.0.255network 192.168.123.0

R6:int lo0ip address 10.6.6.6 255.255.255.255int e0/0ip address 192.168.16.6 255.255.255.0!router eigrp 1network 10.6.6.6 0.0.0.0

Note: In the exam, this sim uses IOS version 15 so “no auto-summary” is the default setting of EIGRP. You don’t have to type it.

You can download the pkt file to practice here: http://www.9tut.com/download/9tut.com_CCNA_EIGRP_Troubleshooting_Sim.zip

Question 1

Explanation

On R4 we see EIGRP is configured with AS 2 (router eigrp 2) while other routers are using AS 1 (router eigrp 1). Therefore R4 cannot see other routers and vice versa.

Note: There is another version of this question but the answer is D (as R4 misses the “network 10.4.4.4 0.0.0.0”, “network 10.4.4.5 0.0.0.0” and “network 10.4.4.6 0.0.0.0” statements).

Question 2

Explanation

For this question we have to check the routing table of R1 to find out the answer. Use the “show ip route” command on R1 we will get something like this:

There are three interfaces on R5 which are Loopback0: 10.5.5.5 ; Loopback1: 10.5.5.55; Ethernet0/0: 192.168.123.5 and all of them are advertised via 192.168.12.2 so we can conclude traffic from R1 to R5 goes through R2 (192.168.12.2 is the IP address of S2/1 interface of R2).

Note: Maybe there is another version of this question in the exam in which the answer should be “The traffic is equally load-balanced over R2 and R3”. Therefore please check the “show ip route” output carefully to see if there are more than one route to the destination.

Question 3

Explanation

From the configuration of R6 we learn that R6 is missing “network 192.168.16.0” command (the network between R1 & R6) under EIGRP so EIGRP neighbor relationship will not be formed between them.

Note: Please check the configuration of R6 carefully. If the “network 192.168.16.0” is not missing on R6 but the “metric weights” is configured like this:

R6:router eigrp  1 network 10.6.6.6 0.0.0.0 network 192.168.16.0 metric weights 0 0 0 1 1 1

Then you should check if R1 has the same “metric weights” or not. If not then the answer should be “K values are mismatched”.

For your information, EIGRP K values are the scale numbers that EIGRP uses in metric calculation . Mismatched K values can prevent neighbor relationships from being established. The syntax of “metric weights” command is:

metric weights tos k1 k2 k3 k4 k5 (with tos is the type of service and must always be zero)

Question 4

Explanation

R1 does not advertise its loopback 0 (10.1.1.1) to EIGRP therefore a ping to destination 10.5.5.55 (R5) from 10.1.1.1 will not be successful because R5 does not know how to reply to R1.

OSPF Neighbor SimOctober 6th, 2014Go to commentsQuestion

The topology below is running OSPF. You are required to troubleshoot and resolve the OSPF issues between the various routers. Use the appropriate show commands to troubleshoot the issues.

Instead of posting the output of “show run” commands we post here the commands entered on each router to reduce some useless lines. Also you can try solving questions by yourself before reading the answers.

R1interface Loopback0 description ***Loopback*** ip address 192.168.1.1 255.255.255.255 ip ospf 1 area 0!interface Ethernet0/0 description **Connected to R1-LAN** ip address 10.10.110.1 255.255.255.0 ip ospf 1 area 0!interface Ethernet0/1 description **Connected to L2SW** ip address 10.10.230.1 255.255.255.0 ip ospf hello-interval 25 ip ospf 1 area 0!router ospf 1 log-adjacency-changes

R2!interface Loopback0 description **Loopback** ip address 192.168.2.2 255.255.255.255 ip ospf 2 area 0!interface Ethernet0/0 description **Connected to R2-LAN** ip address 10.10.120.1 255.255.255.0 ip ospf 2 area 0!interface Ethernet0/1 description **Connected to L2SW** ip address 10.10.230.2 255.255.255.0 ip ospf 2 area 0!router ospf 2 log-adjacency-changes

R3username R6 password CISCO36!interface Loopback0 description **Loopback** ip address 192.168.3.3 255.255.255.255 ip ospf 3 area 0!interface Ethernet0/0 description **Connected to L2SW** ip address 10.10.230.3 255.255.255.0 ip ospf 3 area 0!interface Serial1/0 description **Connected to R4-Branch1 office** ip address 10.10.240.1 255.255.255.252 encapsulation ppp ip ospf 3 area 0!interface Serial1/1 description **Connected to

R5-Branch2 office** ip address 10.10.240.5 255.255.255.252 encapsulation ppp ip ospf hello-interval 50 ip ospf 3 area 0!interface Serial1/2 description **Connected to R6-Branch3 office** ip address 10.10.240.9 255.255.255.252 encapsulation ppp ip ospf 3 area 0 ppp authentication chap!router ospf 3 router-id 192.168.3.3!

R4!interface Loopback0 description **Loopback** ip address 192.168.4.4 255.255.255.255 ip ospf 4 area 2!interface Ethernet0/0 ip address 172.16.113.1 255.255.255.0 ip ospf 4 area 2!interface Serial1/0 description **Connected to R3-Main Branch office** ip address 10.10.240.2 255.255.255.252 encapsulation ppp ip ospf 4 area 2!router ospf 4 log-adjacency-changes

R5!interface Loopback0 description **Loopback** ip address 192.168.5.5 255.255.255.255 ip ospf 5 area 0!interface Ethernet0/0 ip address 172.16.114.1 255.255.255.0 ip ospf 5 area 0!interface Serial1/0 description **Connected to R3-Main Branch office** ip address 10.10.240.6 255.255.255.252 encapsulation ppp ip ospf 5 area 0!router ospf 5 log-adjacency-changes

R6username R3 password CISCO36!interface Loopback0 description **Loopback** ip address 192.168.6.6 255.255.255.255 ip ospf 6 area 0!interface Ethernet0/0 ip address 172.16.115.1 255.255.255.0 ip ospf 6 area 0!interface Serial1/0 description **Connected to R3-Main Branch office** ip address 10.10.240.10 255.255.255.252 encapsulation ppp ip ospf 6 area 0 ppp authentication chap!router ospf 6 router-id 192.168.3.3!

Note: Packet Tracer does not support enabling OSPF under interface mode (ip ospf 3 area 0). We don’t know why such a popular command is not supported so we can’t make a pkt file for this lab.

Question 1

Explanation

We learned it is a OSPF problem so we should check the interfaces between them first. On both R3 and R4 use “show running-config” command to check their S1/0 interfaces

R3#show running-config<<output omitted>>!interface Serial1/0  description **Connected to R4-Branch1 office**  ip address 10.10.240.1 255.255.255.252  encapsulation ppp  ip ospf 3 area 0!<<output omitted>>

R4#show running-config<<output omitted>>!interface Serial1/0  description **Connected to R3-Main Branch office**  ip address 10.10.240.2 255.255.255.252  encapsulation ppp  ip ospf 4 area 2!<<output omitted>>

In the output above we see their Area IDs are mismatched; interface S1/0 of R3 is in area 0 (R3: ip ospf 3 area 0) while interface s1/0 of R4 is in area 2 (R4: ip ospf 4 area 2).

Question 2

Explanation

Continue checking their connected interfaces with the “show running-config” command:

R3#show running-config<<output omitted>>!interface Serial1/1  description **Connected to R5-Branch2 office**  ip address 10.10.240.5 255.255.255.252  encapsulation ppp  ip ospf hello-interval 50  ip ospf 3 area 0

!<<output omitted>>

R5#show running-config<<output omitted>>!interface Serial1/0  description **Connected to R3-Main Branch office**  ip address 10.10.240.6 255.255.255.252  encapsulation ppp  ip ospf 5 area 0!<<output omitted>>

The only difference we can see here is the line “ip ospf hello-interval 50” on R3. This command sets the number of seconds R3 waits before sending the next hello packet out this interface. In this case after configuring this command, R3 will send hello packets to R5 every 50 seconds. But the default value of hello-interval is 10 seconds and R5 is using it. Therefore we can think of a hello interval mismatch problem here. You can verify with the “show ip ospf interface <interface>” command on each router.

R3#sh ip ospf int s1/1Serial1/1 is up, line protocol is up  Internet Address 10.10.240.5/30, Area 0  Process ID 3, Router ID 192.168.3.3, Network Type POINT_TO_POINT, Cost: 64  Enabled by interface config, including secondary ip addresses  Transmit Delay is 1 sec, State POINT_TO_POINT,  Timer intervals configured, Hello 50, Dead 200, Wait 200, Retransmit 5  oob-resync timeout 200  Hello due in 00:00:28  Supports Link-local Signaling (LLS)  Index 2/2, flood queue length 0  Next 0x0(0)/0x0(0)  Last flood scan length is 0, maximum is 0  Last flood scan time is 0 msec, maximum is 0 msec  Neighbor Count is 0, Adjacent neighbor count is 0  Suppress hello for 0 neighbor(s)

R5#sh ip ospf int s1/0Serial1/0 is up, line protocol is up  Internet Address 10.10.240.6/30, Area 0  Process ID 5, Router ID 10.10.240.6, Network Type POINT_TO_POINT, Cost: 64  Enabled by interface config, including secondary ip addresses  Transmit Delay is 1 sec, State POINT_TO_POINT,

  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5  oob-resync timeout 40  Hello due in 00:00:04  Supports Link-local Signaling (LLS)  Index 1/1, flood queue length 0  Next 0x0(0)/0x0(0)  Last flood scan length is 0, maximum is 0  Last flood scan time is 0 msec, maximum is 0 msec  Neighbor Count is 0, Adjacent neighbor count is 0  Suppress hello for 0 neighbor(s)

So we can see both hello and dead interval are mismatched because the dead interval always four times the value of hello interval, unless you manually configure the dead interval (with the ip ospf dead-interval <seconds> command).

Question 3

Explanation

Continue checking their connected interfaces with the “show running-config” command:

R1#show running-config<<output omitted>>!interface Ethernet0/1  description **Connected to L2SW**  ip address 10.10.230.1 255.255.255.0  ip ospf hello-interval 25  ip ospf 1 area 0!<<output omitted>>

R2#show running-config<<output omitted>>!interface Ethernet0/1  description **Connected to L2SW**  ip address 10.10.230.2 255.255.255.0  ip ospf 2 area 0!<<output omitted>>

We see the hello interval on R1 is not the same as R2 (and you can verify with the “show ip ospf interface <interface> command”) -> There is a hello and dead interval mismatch problem. We should configure “no ip ospf hello-interval 25” on R1.

Note: Maybe there are some versions of this question in the exam. For example there are some reports saying that Ethernet0/1 on R1 is shutdown (and this is the correct choice in the exam). So please be careful checking the config on the routers before choosing the correct answers.

Question 4

Explanation

R3#show running-config<<output omitted>>username R6 password CISCO36!interface Serial1/2  description **Connected to R6-Branch3 office**  ip address 10.10.240.9 255.255.255.252  encapsulation ppp  ip ospf 3 area 0  ppp authentication chap!<<output omitted>>!router ospf 3  router-id 192.168.3.3!<<output omitted>>

R6#show running-config<<output omitted>>username R3 password CISCO36!interface Serial1/0  description **Connected to R3-Main Branch office**  ip address 10.10.240.10 255.255.255.252  encapsulation ppp  ip ospf 6 area 0  ppp authentication chap!<<output omitted>>!router ospf 6  router-id 192.168.3.3!<<output omitted>>

We are not sure about the configuration of ppp authentication in this case. Some reports said that only one router has the “ppp authentication chap” command but it is just a trick and is not the problem here. The real problem here is R6 uses the same router-id of R3 (192.168.3.3) so OSPF neighborship cannot be established. In real life, such configuration error will be shown in the command line interface (CLI). So please check carefully for this question.

CCNA Access List Sim 2February 15th, 2014Go to commentsQuestion

Answer and Explanation

(Note: If you are not sure how to use access-list, please check out my access-list tutorial at: http://www.9tut.com/access-list-tutorial, also some modifications about the access-list have been reported so you should read the “Some modifications” section at the end of this question to understand more. You can also download this sim to practice (open with Packet Tracer) here: http://www.9tut.com/download/9tut.com_Access-list_sim2.zip

Corp1>enable (you may enter “cisco” as it passwords here)

We should create an access-list and apply it to the interface which is connected to the Server LAN because it can filter out traffic from both Sw-2 and Core networks. The Server LAN network has been assigned addresses of 172.22.242.17 – 172.22.242.30 so we can guess the interface connected to them has an IP address of 172.22.242.30 (.30 is the number shown in the figure). Use the “show running-config” command to check which interface has the IP address of 172.22.242.30.

Corp1#show running-config

We learn that interface FastEthernet0/1 is the interface connected to Server LAN network. It is the interface we will apply our access-list (for outbound direction).

Corp1#configure terminal

Our access-list needs to allow host C – 192.168.33.3 to the Finance Web Server 172.22.242.23 via web (port 80)

Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80

Deny other hosts access to the Finance Web Server via web

Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80

All other traffic is permitted

Corp1(config)#access-list 100 permit ip any any

Apply this access-list to Fa0/1 interface (outbound direction)

Corp1(config)#interface fa0/1Corp1(config-if)#ip access-group 100 out

Notice: We have to apply the access-list to Fa0/1 interface (not Fa0/0 interface) so that the access-list can filter traffic coming from both the LAN and the Core networks. If we apply access list to the inbound interface we can only filter traffic from the LAN network.

In the exam, just click on host C to open its web browser. In the address box type http://172.22.242.23 to check if you are allowed to access Finance Web Server via HTTP or not. If your configuration is correct then you can access it.

Click on other hosts (A, B and D) and check to make sure you can’t access Finance Web Server from these hosts.

Finally, save the configuration

Corp1(config-if)#endCorp1#copy running-config startup-config

(This configuration only prevents hosts from accessing Finance Web Server via web but if this server supports other traffic – like FTP, SMTP… then other hosts can access it, too.)

Notice: You might be asked to allow other host (A, B or D) to access the Finance Web Server so please read the requirement carefully.

Some modifications (mods):

Modification 1 (Mod 1):

permit host B from accessing finance server access-list 100 permit ip host 192.168.33.2 host 172.22.242.23

deny host B from accessing other servers (not the whole network)

access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15

permit everything else access-list 100 permit ip any any

Modification 2 (Mod 2):

Only allow Host C to to access the financial server

access-list 100 permit ip host 192.168.33.3 host 172.22.242.23

Not allow anyone else in any way communicate with the financial server

access-list 100 deny ip any host 172.22.242.23

Allow all other traffic access-list 100 permit ip any any

Modification 3 (Mod 3):

– Host C should be able to use a web browser(HTTP)to access the Finance Web Server

access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80

– Other types of access from host C to the Finance Web Server should be blocked– All access from hosts in the Core or local LAN to the Finance Web Server should be blocked

access-list 100 deny ip any host 172.22.242.23(because the requirement says we can not use more than 3 statements so we have to use “any” here for the hosts in the Core and hosts in local LAN)

– All hosts in the Core and local LAN should be able to access the Public Web Server *

access-list 100 permit ip any host(If the question asks this, surely it has to give you the IP of Public Web Server) but in the exam you

should use “access-list 100 permit ip any any”

Modification 4 (Mod 4):

Host C should be able to use a web browser to access the financial web server

access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80

Other types of access from host C to the finance web server should be blocked

access-list 100 deny ip host 192.168.33.3 host 172.22.242.23

All hosts in the core and on the local LAN should be able to access the Public web server *

access-list 100 permit ip any host(The IP of Public Web Server will surely be given in this question) but in the exam you should use “access-list 100 permit ip any any”

* There are some reports about the command of “All hosts in the core and on the local LAN should be able to access the Public web server” saying that the correct command should be “access-list 100 permit ip any any”, not “access-list 100 permit ip any host (IP of Public Web Server)”. Although I believe the second command is better but maybe you should use the first command “access-list 100 permit ip any any” instead as some reports said they got 100% when using this command (even if the question gives you the IP address of Public Web Server). It is a bug in this sim.

(Note: Don’t forget to apply this access list to the suitable interface or you will lose pointsinterface fa0/1ip access-group 100 out

And in the exam, they may slightly change the requirements, for example host A, host B instead of host C… so make sure you read the requirement carefully and use the access-list correctly)

I created this sim in Packet Tracer v5.2.1 so you can practice with it. You will need new version of Packet Tracer to open it (v5.1+).

Download this sim here

Notice: After typing the commands above, if you make a “ping” from other hosts (PC0, PC1, PC3) then PC4 (Finance Web Server) can still reply because we just filter HTTP traffic, not ICMP traffic. To generate HTTP traffic, select “Web Browser” in the “Desktop” tab of these PCs. When a web browser opens, type the IP address of Finance Web Server and you can see how traffic flows in Simulation Mode.

And notice that in the initial configuration of this sim the Core network can ping Finance Web Server. We have to create an access-list that can filter this traffic too.