Workbook TS5 - WebIOU

Troubleshoot Workbook 21 January, 2012

TS5 - VRF

Troubleshooting Guidelines This section is comprised of a set of troubleshooting scenarios. You have a maximum of 2 hours to complete the section. The final score of this section is combined with the Configuration sections to comprise your final Pass or Fail status on the given lab exam. A candidate is required to pass both sections to achieve Cisco CCIE certification. You will be presented with preconfigured routers and Frame-Relay switches in the topology. DO NOT change the following configuration on the devices.

Hostname Enable password "cisco" Console line configuration For all of the authentication configuration in the lab, password is "cisco" unless changed to introduce a

break. Do NOT change AAA configuration unless explicitly stated in a question. Points are awarded for finding AND fixing inserted faults in the presented fully configured topology.

An inserted fault is an introduced break for a scenario that was previously working. Depending on the scenario, fixing the inserted faults could require multiple command lines on the same or multiple devices.

The resolution of one incident may depend on the resolution of previous incident(s). The dependency will not be visible if the tickets are resolved in sequence.

There are NO physical faults introduced in the presented topology. Do NOT change any routing protocol boundaries. Refer to the provided diagram. DO NOT REMOVE ANY FEATURE CONFIGURED IN ORDER TO RESOLVE AN INCIDENT, YOU MUST

RESOLVE MISCONFIGURATION RATHER THAN REMOVING IT ALL (examples: Access-lists, PBR, CoPP, MQC, etc.)

Static and default routes are NOT permitted unless preconfigured. These restrictions include floating static and those generated by routing protocols. Routes to Null0 that are generated of a dynamic routing protocol solution are permitted.

Tunneling and policy-routing are NOT permitted unless preconfigured. Dynamic Frame Relay mappings are NOT permitted. Points will be deducted for every incident in which candidate uses a prohibited solution. Candidates have control of all required devices in the topology. If required to verify the reachability from a host machine during the lab exam, use the ping command

with source option on the router that is shown connected to the subjected host in the diagram.

- 3 -

Q1 IP SLA. [2 Points] The IP Service Level Agreement configured between R14 and R9 is not working as expected Fix problem so that it matches the following outputs:

While you are resolving this issue, you are not allowed to create any new interfaces. Refer to the Troubleshooting guidelines to determine if your solution is appropriate.

Diagram involves getting tcpConnect thing with population the table in show ip sla statistics between R14 as querier and R9 as responder using Ports TCP 1025 (source) and 1026 (destination). Both Routers are in the same AS.

R15

R9

R16

R14

.5 E0/2

.6 E0/0.2 E0/1

.9 E0/1

.14 E0/0

EIGRP 222

AS 65222

172.16.14.X/30

PE

IP SLA Querier

IP SLA responder

SW3.13 E0/1

VL1617

VL1517

VL1416

E0/0

E0/1

E0/2E0/3

.10 E0/1

VL1415

.1 E0/0

E1/0

E1/1

E1/2 E1/3

R17.17 E0/0

.18 E0/1

Possible errors are:

A) Port and IP Adress wrong, can be swaped. B) Schedule Life not configured (must be forever). C) Check for eventual access-lists. D) IP sla responder missing.

R14# sh ip sla statistics

IPSLAs Latest Operation Statistics

IPSLA operation id: 10

Latest RTT: 17 milliseconds

Latest operation start time: 13:58:21 EST Tue Dec 18 2012

Latest operation return code: OK

Number of successes: 9

Number of failures: 0

Operation time to live: Forever

R9# sh ip sla responder

General IP SLA Responder on Control port 1967

General IP SLA Responder is: Enabled

Number of control message received: 170 Number of errors: 0

Recent sources:

10.1.1.14 [14:05:06.661 EST Tue Dec 18 2012]

10.1.1.14 [14:05:01.666 EST Tue Dec 18 2012]

10.1.1.14 [14:04:56.661 EST Tue Dec 18 2012]

10.1.1.14 [14:04:51.666 EST Tue Dec 18 2012]

10.1.1.14 [14:04:46.666 EST Tue Dec 18 2012]

Recent error sources:

Permanent Port IP SLA Responder

Permanent Port IP SLA Responder is: Enabled

tcpConnect Responder:

IP Address Port

10.1.1.9 1026

- 4 -

Explanations:

R9

ip sla responder tcp-connect ip address 10.1.1.9 port 1026

R14

ip sla 9 tcp-connect 10.1.1.14 1025 source-ip 10.1.1.9 source-port 1026 <<<< Port and IP Address wrong ! ip sla schedule 9 start-time now <<<< Change this to ip sla schedule 9 life forever start-time now

Q2 BGP. [3 Points] R14 from AS 65222 is not able to reach a Host on R20 on AS65333 Fix problem so that R14 can ping R20: R14# ping 10.1.1.20 so lo0


.17 E1/3

.62 E1/1

.61 E0/0

.90 E1/0

- Hint: Point to this ticket is to get route on RR R4 going to R9. - Hint: Ping Continuosly from Source to Destination and check when problem gets solved


A) BGP Session missing between R5 (RR) and R12 B) RR R5 Has a Route to R9 whereas RR R4 has not. Check Cluster-IDs!!

With 4 Clusters: Wrong Cluster-id on R4: Must be unique. Change it to 100.1.1.4

- 5 -

Q3 IPv6 Phone. [2 Points] R19 is acting as an IPv6 phone. Fix problem so that the IPv6 Phone can reach R13 on AS65004: Phone# ping XX:XX:XX::23 so loX

While you are resolving this issue, you are not allowed to configure Auto-Tunnel feature. Refer to the Troubleshooting guidelines to determine if your solution is appropriate.

R11 to R13 IPv6 Tunnel is DOWN, - Problem is NOT related to MPLS Cloud!! - Possibly wrong Tunnel Mode - Possibly loopback interface or a router is not routing protocols - Check Ipv6 Address auto-configuration on IPv6 Phone. - Possible OSPF neighbor problem. OSPF should be enabled through the tunnel - Posible Access-List implicitly denying Protocols 47 (GRE IPv4) or 41 (GRE IPv6IP).

Hint: Problem is in Tunnel Config. Configuring auto-tunnel leads to pings.


A) IPv6 Phone is missing interface level command “ipv6 address autoconfig default”. Check for “default” keyword B) IPv6 Phone is missing command “ipv6 unicast-routing” C) Wrong Tunnel interface mode. Remove command “tunnel mode mpls traffic-eng” and set it to “tunnel mode ipv6ip” or “tunnel mode gre" D) Tunnel Source missing on interface. Add interface level command “tunnel source loopback0” E) Wrong Destination IP Address configured on interface Tunnel F) Missing “ipv6 ospf 1 area 0” interface level command within Tunnel interface. G) Check for Posible Access-List implicitly denying Protocols 47 (GRE IPv4) or 41 (IPv6IP)

.17 E1/3

.62 E1/1

.61 E0/0

.90 E1/0

.29

E1/0

OSPF

are

a 6

- 6 -

Explanations:

R19 (IPv6 Phone)

ipv6 unicast-routing <<<< Missing!! - ADD ! interface Ethernet0/0 ipv6 enable ipv6 address autoconfig default <<<< Missing!! - ADD

R11 / R13

ipv6 unicast-routing ! interface Tunnel1 ip address 100.1.1.9 255.255.255.0 ipv6 address 2000:89::9/64 ipv6 ospf 1 area 0 <<<< Missing!! - ADD tunnel source Loopback0 <<<< Missing!! - ADD tunnel destination 88.1.1.1 <<<< Wrong!! - CHANGE tunnel mode mpls traffic-eng <<<< Wrong!! - REMOVE tunnel mode ipv6ip <<<< Missing!! - ADD

- 7 -

Q4 DNS. [2 Points] Ping from R20 to www.abc.com should resolve and reach the Web Server on the same AS. Packet count under ZBF map should increase with the ping traffic as shown in the output:


Zone Base Firewall is involved

R20.17 E0/1 .18 E0/1

.1 E0/0

.2 E0/0

.3 E0/0

PE

EIGRP AS 333

Ping www.abc.com

SW4

Web Serverwww.abc.com

Lo SW4192.168.133.100

DNS Server DMZ192.168.233.100

R21ZBF

R22.10 E0/0.9 E0/1

172.10.10.X/29

R20# ping www.abc.com Translating "www.abc.com" ... domain server (10.1.1.22) [OK] Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 4.4.2.2, timeout is 2 seconds: !!!! Success rate is 100 percent (5/5), round-trip min / avg / max = 40/61/76 ms

R29# show policy-map type inspect zone-pair sessions

Policy exists on zp ZBF

Zone-pair: ZBF

Service-policy inspect: ZBF

Class-map: HTTP (match-any) Match: protocol http

0 packets, 0 bytes

30 second rate 0 bps

inspect

0 packets, 0 bytes

Class-map: DNS (match-any) Match: protocol dns

2 packets, 72 bytes


inspect

2 packets, 72 bytes

Class-map: ICMP (match-any) Match: protocol icmp

5 packets, 500 bytes


inspect


Class-map: class-default (match-any)

Match: any

Pass


- 8 -


DNS Section:

A) Client's “ip domain-lookup” is not configured B) Server-side “ip host www.cisco.com X.X.X.X” is not configured C) Access-List on SW4 is blocking ICMP Traffic.

ZBF Section:

E) Command “match protocol dns” missing in ZBF Config F) Command “match protocol icmp” missing in ZBF Config G) Zone Security applied incorrectly to interfaces. H) The DNS Server and Web Server IP addresses are reversed

R29

ip name-server 10.1.1.22 ip domain-lookup <<<< Missing - ADD

R31

ip host www.cisco.com 4.2.2.2 <<<< Missing - ADD ip dns server

- 9 -

Q5 PPP Multilink. [2 Points] Ping from R25 Loopback0 should reach a user located on R27 Fix the Network so R25 Loopback 0 can ping R27: R25# ping 10.1.1.27 source loopback0


R25

R26

S1/0

S1/1

S0/1S0/2

.1 E0/0.2 E0/0

MultilinkRIP v2

192.168.20.0/30

PPP MD5

DHCP/NAT

R27

- Multilink interface is down - PPP is not configured correctly across multilink and multilink is missing group statement Possible errors are:

A) R26 PPP multilink has ppp chap hostname/password mismatch with its adjacent router on username B) Username on R25 and R26 is incorrect along with password (Password must be CCIE). C) R25 and R26 are missing the multilink group command D) Authentication Commands missing under interface configuration.

You may have to save and reload both Multilink routers after you think that your config is correct. Explanations:

R25

username R26 password cisco <<<< Missing - ADD ! interface Serial0/0/0 description PPP-Multilink-1 bandwidth 2048 no ip address encapsulation ppp ppp multilink ppp multilink group 1 no clock rate 2000000 no cdp enable

R26

interface Multilink1 ip address x.x.x.x 255.255.255.252 ip nat outside ip inspect monitor out ip virtual-reassembly ppp multilink ppp multilink group 1 no cdp enable ! interface Serial0/0/1 description PPP-Multilink-2 bandwidth 2048 no ip address encapsulation ppp ppp multilink <<<< Missing - ADD ppp multilink group 1 <<<< Missing - ADD no fair-queue no clock rate 2000000 no cdp enable ppp authentication chap pap <<<< Missing - ADD ppp pap sent-username myrouter password CC1E <<<< Missing - ADD

- 10 -

- 11 -

Q6 Frame-Relay QoS. [2 Points] Traffic that is marked with IP Precedence 5/ToS 160 coming from R26 must reach R23 Fix problem so that the extended ping result in 100% success:


R26# ping Target IP address: 10.1.1.23 Repeat count [5]: 5 Extended commands [n]: y Source address or interface: Type of service [0]: 160 Set DF bit in IP header? [No]: Validate reply data? [No]: Data pattern [0xABCD]: Loose, Strict, Record, Timestamp, Verbose [none]: Sweep range of sizes [n]: Type escape sequence to abort Sending 10000, 100-byte ICMP Echos to 10.1.1.23, timeout is 2 seconds: !!!!

R25# sh policy-map int s0/0/0 | be DLCI 254 Serial0/0/0: DLCI 254 -

Service-policy output: POLICY

Class-map: VOICE (match-all)

0 packets, 0 bytes

5 minute offered rate 0 bps, drop rate 0 bps

Match: ip precedence 5

police:

cir 12000 bps, bc 3000 bytes

conformed 0 packets, 0 bytes; actions:

transmit

exceeded 0 packets, 0 bytes; actions:

drop

conformed 0 bps, exceed 0 bps

QoS Set

dscp ef

Packets marked 0

Class-map: class-default (match-any)

0 packets, 0 bytes

5 minute offered rate 0 bps, drop rate 0 bps

Match: any

Queueing

queue limit 64 packets

(queue depth/total drops/no-buffer drops) 0/0/0

(pkts output/bytes output) 0/0

shape (average) cir 80000, bc 320, be 320

target shape rate 80000

lower bound cir 0, adapt to fecn 0

- 12 -

Scenario 1: MQC Class-Based Shaping: Possible errors are:

A) Policy-Map not applied under Frame-Relay map-class B) CIR is too small and results in packet loss. Raise it to higher value with command “shape average 96000” C) Match IP Precedence 5 missing under configured Class-Map. Explanations:

Nested MQC CB-Shaping over FR

class-map VOICE match ip precedence 5 <<<< Missing - ADD ! policy-map VOICE class VOICE priority percent 10 ! policy-map CISCO class class-default shape average 8000 <<<< Raise it to 96000 shape adaptive 8000 service-policy VOICE <<<< Nested call POLICY-MAP VOICE ! map-class frame-relay CCIE service-policy output CISCO <<<< Missing - ADD ! interface Se0/0 frame-relay interface-dlci 206 class CCIE <<<< interface call MAP-CLASS CCIE

FR1

R13

R23

R25

R26

R24

R28

.14 E0/0

.1 S1/0

S0/0

S0/1S0/2

.2 S1/0.17 E0/0

.3 S0/0

S1/0

S1/1

S0/1S0/2

.1 E0/0.2 E0/0

.18 E0/0

OSPF 3 Area 0MD5 Auth

10.10.10.X/29

234

235

253

254

243245

MultilinkRIP v2

192.168.20.0/30

PPP MD5

BGP AS 65004

.13 E0/1PE

AS 65004

QoS DLCI

Video Streamer

DHCP/NAT

R27

Local Service Provider (ISP)

2001:CC1E:ABCD:10:10:10:0:X/125

Multicast Boundary

MSDP Anycast RP 198.23.23.23

224.28.28.28

- 13 -

- 14 -

Q7 MSDP Multicast on Frame Relay. [2 Points] PC2 in has to get a Multicast Stream from R28 in AS65004. Fix problem so the ping results: R28# ping 224.28.28.28 re 5


.17 E1/3

.62 E1/1

.61 E0/0

.90 E1/0


A) R13 has access-list blockin multicast traffic B) R25 has access-list blockin multicast traffic through Policy in Control Plane. Make ACL deny traffic. C) R25 is missing interface level command “ip pim nbma-mode” D) Video streaming server R26 is missing "ip pim sparse-dense-mode" and "ip pim auto-rp listener" E) Auto-RP not configured. F) Wrong DR elected (R25). Raise Auto-RP Priority on R23 Frame Relay interface. G) Missing command “ip pim auto-rp listener” on involved routers

- 15 -

Explanations:

Note: In AS65004 there is frame relay area running multicast with multicast boundaries denying 224.0.1.39 and 224.0.1.40.

- MSDP Peering is UP. Use of Auto-RP 224.0.1.39 and 224.0.1.40 is denied at border. Whether this is an error or not

remains to be verified, because in boundaries denying 39 and 40 is usually part of the RP control mechanism solution.

R25

access-list 100 permit ip any host 224.23.23.23 <<<< Make it deny (2 -ves= +ve) ! class-map DRP match access-group 100 ! policy-map DRM class DRP drop ! control-plane service-policy input DRM ! interface Serial0/1 ip address 10.1.48.1 255.255.255.248 ip pim nbma-mode <<<< Missing ip pim sparse-mode encapsulation frame-relay frame-relay interface-dlci 100 frame-relay interface-dlci 200 ! interface loopback10 ip pim sparse-dense-mode <<<< Missing ! ip pim send-rp-announce Loopback10 scope 16 <<<< Missing ip pim send-rp-discovery Loopback10 scope 16

Auto RP filter by UDP 496 port

ip access-list extended UDP deny udp any eq pim-auto-rp 224.0.1.0 0.0.0.255 eq pim-auto-rp permit ip any any

Standard access-list applied to multicast boundary

access-list 10 deny 224.0.1.39 access-list 10 deny 224.0.1.40 access-list 10 permit any ! int Serial0/0 ip multicast boundary 10 in

- 16 -

Q8 IGP Routing (OSPF to BGP Redistribution). [3 Points] Traffic going from R32 must reach 4.2.2.2 going through R1 over the internet Fix problem so that the extended ping result in 100% success:

While you are resolving this issue, you are not allowed to redistribute bgp into ospf.. Refer to the Troubleshooting guidelines to determine if your solution is appropriate.


A) BGP Peering between R1 and R2, or R1 and R3 not configured. Configure it. Configuration Details are provided in Question. B) Host’s interface IP Address is Wrong; it cannot reach it’s configured Next-Hop. Fix it. C) Aggregated Route towards 4.2.2.2 is learned by R4 but it is suppressed. Remove suppression keyword. D) Network 10.0.0.0/8 is advertised as a summary. Remove network summarization. E) Route-Map on R5 with next-hop interface null0 set for prefix 4.0.0.0/8. Fix it. F) Network 10.1.1.0 not announced int OSPF Area 0 G) Missconfigured LoopBack on R13 with IP Address 4.2.2.2/32

Shutdown interface Loopback Clear arp-cache on all the way troughout the traceroute path

Explanations:

PC2# ping 4.2.2.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds: !!!! Success rate is 100 percent (5/5), round-trip min / avg / max = 40/61/76 ms

- 17 -

Q9 MPLS. (2 Errors) [3 Points] Client connected to R34 in ACME’s Branch Office (AS65111) has to reach Server R31 in ACME HeadQuarters. Fix problem: RR#


SW5

SW6

R33

R12

R11

R13R9

R4

R2

R5

R7

R3

R10

R8

R29

R30

SW1 SW2

.9 E0/1

E0/3

.6 E0/2E0/1

.21 E0/0

E0/2

E1/0

E1/0

E1/1

E1/1

Server

.2 E0/0Client .1 E0/0 .6 E0/1

.5 E0/2

.2 E0/0

.33 E0/1

.37 E0/2

.1 E0/0 .9 E0/1

.10 E0/0 .77 E0/3

.41 E0/2

.34 E0/1

.38 E0/0

.45 E0/1

.5 E0/2.21 E0/3

.17 E1/3

.46 E0/1

.42 E0/0.62

E1/1

.13 E1/0.49 E0/3.6 E0/2

.78 E0/0

.61 E0

/0

.14 E0/0

User

E0/0 SVI .22E0/1

E0/2 E0/3 E0/2E0/3

E0/0 SVI .50

E0/1

R32

R34

RIP v2AS 65111

172.16.13.X/30

AS 65AAA

OSPF 5 Area 010.10.20.X/30

192.168.10.X/30

BGP AS 65001

PE

PE

PE

PE

PE

RR

RR

RR

RR

Cluster ID100.1.1.2

Cluster ID100.1.1.3

Cluster ID100.1.1.4

Cluster ID100.1.1.5

MSDP Anycast RP 198.23.23.23

IGMP Join

Internet AS 65535

R1

.18 E0/0

.10 E0/

1

E0/1 .30 E0/2

E0/3

E0/2

E1/0E1/1

R6

PC1 PC2

PC SVI 12PC SVI 11

PEvrf ACME

vrf ACMERD=111:111

Backdoor Link to R9

OSPF 3 Area 1

.26 E0/1

.25 E0/1

.18 E0/0

.94 E0/0

.93 E1/2

.89 E0/2

.90 E1/0.73 E0/3

.74 E0/2

.85 E0/0.86 E0/1

.29

E1/0

.30

E0/0

.54 E1/1

.53 E0/0

.17 E0/2

.22 E0/1

E0/0

VLAN 10

.57 SVI .65 SVI

OSPF 3 Area 0

Extended Backbone Global Telecom

Provider (ISP)

VLAN 11 VLAN 12

OSPF area 2

OSPF area 3

OSPF area 4

OSP

F ar

ea 6

OSPF area 5

IPv6

Tun

nel

OSP

F A

rea

0

.1 E0/0E0/0R31 E1/2 .14 E0/3

E1/2 .13 E0/3

VLAN 5

VLAN 6

VLAN 56

.5 SVI

E1/3

E1/3

10.1.1.100/24

10.1.1.1/24

ACME Corp Network office (branch)

ACME Corp Headquarter

192.168.10.X/30

.26 SVI 56.2 SVI 6

.29 SVI 60

.25 SVI 56Main Link to R10

Deafult RIP Route

VRF Static route pointed

to R29

VRF Static route pointed

to R30

VLAN 4VLAN 20

VLAN 48

- Check BGP to RIP Route Redistribution - Route not getting from BGP to last RIP Router in the queue. - R8 has a best route to R9 going through R10 based on lower IP Address of R9 - Missing Route between R8 and two Routers in the series.


A) R8 and/or R9 have MPLS configured with label protocol TDP. Change it to MPLS Label Protocol LDP. B) R8 is a PE connected to R6 and R7. R6 and R7 do not forward labels because they miss “ip cef” command. Add it C) MPBGP Neighbor isn’t active on PE. Use VPNv4 Address Family level command “neighbor X.X.X.X active” to fix it. D) R4 has MPLS MTU size wrongly configured on interfaces facing R9 and R10. Explanations:

R4

interface Ethernet3/0 mpls mtu 100 <<<< WRONG - FIX ! interface Ethernet4/0 mpls mtu 100 <<<< WRONG - FIX

- 18 -

Q10 MST. [2 Points] User has to ping a Server in two hops. Fix problem: RR#

While you are resolving this issue, you are not allowed to modify the configuration of SW6.. Refer to the Troubleshooting guidelines to determine if your solution is appropriate.

E0/3.21 E0/0

E0/2

.10 E0/1

E0/3

E0/2


A) VTP Sync, Trunk config, STP, VLANs, etc B) Both SW5 and SW6 are configured as VTP Client. Configure SW5 as Server. C) VTP Password Mismatch. D) SW6 is configured not to allow Vlan56 across its e3/1 trunk interface. Adjust priority on SW5 e3/1 for Vlan56 E) Server’s VTP Revision Number is too low; Client does not synchronize. Raise VTP Revision Number on Server. F) Interface VLAN 56 is configured as passive in the OSPF Process. Fix it

Documents

Workbook TS5 - WebIOU