TS5 - VRF
Troubleshooting Guidelines
This section comprises a set of troubleshooting scenarios. You have a maximum of 2 hours to complete the section. The final score of this section is combined with the Configuration sections to comprise your final Pass or Fail status on the given lab exam. A candidate is required to pass both sections to achieve Cisco CCIE certification. You will be presented with preconfigured routers and Frame-Relay switches in the topology.

DO NOT change the following configuration on the devices:
- Hostname
- Enable password "cisco"
- Console line configuration

- For all of the authentication configuration in the lab, the password is "cisco" unless changed to introduce a break.
- Do NOT change AAA configuration unless explicitly stated in a question.
- Points are awarded for finding AND fixing inserted faults in the presented fully configured topology. An inserted fault is an introduced break for a scenario that was previously working. Depending on the scenario, fixing the inserted faults could require multiple command lines on the same or multiple devices.
- The resolution of one incident may depend on the resolution of previous incident(s). The dependency will not be visible if the tickets are resolved in sequence.
- There are NO physical faults introduced in the presented topology.
- Do NOT change any routing protocol boundaries. Refer to the provided diagram.
- DO NOT REMOVE ANY FEATURE CONFIGURED IN ORDER TO RESOLVE AN INCIDENT. YOU MUST RESOLVE THE MISCONFIGURATION RATHER THAN REMOVING IT ALL (examples: Access-lists, PBR, CoPP, MQC, etc.).
- Static and default routes are NOT permitted unless preconfigured. These restrictions include floating static routes and those generated by routing protocols. Routes to Null0 that are generated by a dynamic routing protocol solution are permitted.
- Tunneling and policy-routing are NOT permitted unless preconfigured.
- Dynamic Frame Relay mappings are NOT permitted.
- Points will be deducted for every incident in which the candidate uses a prohibited solution.
- Candidates have control of all required devices in the topology.
- If required to verify the reachability from a host machine during the lab exam, use the ping command with the source option on the router that is shown connected to the subject host in the diagram.
Q1 IP SLA.
[2 Points]
The IP Service Level Agreement configured between R14 and R9 is not working as expected. Fix the problem so that it matches the following outputs:
While you are resolving this issue, you are not allowed to create any new interfaces. Refer to the Troubleshooting guidelines to determine if your solution is appropriate.
R14# sh ip sla statistics
IPSLAs Latest Operation Statistics

IPSLA operation id: 10
        Latest RTT: 17 milliseconds
Latest operation start time: 13:58:21 EST Tue Dec 18 2012
Latest operation return code: OK
Number of successes: 9
Number of failures: 0
Operation time to live: Forever

R9# sh ip sla responder
        General IP SLA Responder on Control port 1967
General IP SLA Responder is: Enabled
Number of control message received: 170 Number of errors: 0
Recent sources:
        10.1.1.14 [14:05:06.661 EST Tue Dec 18 2012]
        10.1.1.14 [14:05:01.666 EST Tue Dec 18 2012]
        10.1.1.14 [14:04:56.661 EST Tue Dec 18 2012]
        10.1.1.14 [14:04:51.666 EST Tue Dec 18 2012]
        10.1.1.14 [14:04:46.666 EST Tue Dec 18 2012]
Recent error sources:

        Permanent Port IP SLA Responder
Permanent Port IP SLA Responder is: Enabled

tcpConnect Responder:
  IP Address      Port
  10.1.1.9        1026
The scenario involves getting the tcpConnect operation to populate the table in show ip sla statistics, with R14 as querier and R9 as responder, using TCP ports 1025 (source) and 1026 (destination). Both routers are in the same AS.
[Diagram: R14 (IP SLA Querier), R15, R17, SW3, R9; VLANs VL1415, VL1517, VL1617]
Explanations:
R9
ip sla responder tcp-connect ipaddress 10.1.1.9 port 1026
R14
ip sla 9
 tcp-connect 10.1.1.14 1025 source-ip 10.1.1.9 source-port 1026   <<<< Port and IP Address wrong
!
ip sla schedule 9 start-time now   <<<< Change this to ip sla schedule 9 life forever start-time now
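The mismatch flagged in the R14 explanation, as an added Python check that is not part of the original workbook: it compares a tcp-connect probe line with the responder line and lists each disagreement. The corrected R14 line is an assumption derived from the ticket (R14 at 10.1.1.14, source port 1025, probing R9 at 10.1.1.9 on port 1026), and the function names are hypothetical.

```python
import re

# Constructed from the configuration lines in the explanation above.
R9_RESPONDER = "ip sla responder tcp-connect ipaddress 10.1.1.9 port 1026"
R14_FAULTY = "tcp-connect 10.1.1.14 1025 source-ip 10.1.1.9 source-port 1026"
# Assumed fix: R14 (10.1.1.14, source port 1025) probes R9 on port 1026.
R14_FIXED = "tcp-connect 10.1.1.9 1026 source-ip 10.1.1.14 source-port 1025"

RESPONDER_RE = re.compile(
    r"ip sla responder tcp-connect ip\s?address (\S+) port (\d+)")
PROBE_RE = re.compile(
    r"tcp-connect (\S+) (\d+) source-ip (\S+) source-port (\d+)")


def parse_responder(line):
    """Return (ip, port) the responder listens on."""
    m = RESPONDER_RE.search(line)
    if m is None:
        raise ValueError(f"not a tcp-connect responder line: {line!r}")
    return m.group(1), int(m.group(2))


def parse_probe(line):
    """Return (dst_ip, dst_port, src_ip, src_port) of a tcp-connect probe."""
    m = PROBE_RE.search(line)
    if m is None:
        raise ValueError(f"not a tcp-connect probe line: {line!r}")
    return m.group(1), int(m.group(2)), m.group(3), int(m.group(4))


def check_probe(probe_line, responder_line, querier_ip):
    """List every way the probe disagrees with the responder and querier."""
    resp_ip, resp_port = parse_responder(responder_line)
    dst_ip, dst_port, src_ip, _src_port = parse_probe(probe_line)
    problems = []
    if dst_ip != resp_ip:
        problems.append(f"destination {dst_ip} is not the responder {resp_ip}")
    if dst_port != resp_port:
        problems.append(f"destination port {dst_port} is not listener port {resp_port}")
    if src_ip != querier_ip:
        problems.append(f"source-ip {src_ip} is not the querier address {querier_ip}")
    return problems


if __name__ == "__main__":
    for name, line in (("faulty", R14_FAULTY), ("fixed", R14_FIXED)):
        print(name, check_probe(line, R9_RESPONDER, "10.1.1.14") or "consistent")
```

The faulty line fails all three checks because the destination and source pairs are swapped: the probe targets R14's own address on a port where no responder listens.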
Q2 BGP.
R14 from AS 65222 is not able to reach a host on R20 in AS 65333. Fix the problem so that R14 can ping R20:
R14# ping 10.1.1.20 so lo0
While you are resolving this issue, you are not allowed to create any new interfaces. Refer to the Troubleshooting guidelines to determine if your solution is appropriate.
[3 Points]
Hint: The point of this ticket is to get the route on RR R4 going to R9.
Hint: Ping continuously from source to destination and check when the problem gets solved.
Q3 IPv6 Phone.
R19 is acting as an IPv6 phone. Fix the problem so that the IPv6 phone can reach R13 in AS65004:
Phone# ping XX:XX:XX::23 so loX
While you are resolving this issue, you are not allowed to configure the Auto-Tunnel feature. Refer to the Troubleshooting guidelines to determine if your solution is appropriate.
[2 Points]
[Diagram: OSPF area 6]
Explanations:
R19 (IPv6 Phone)
ipv6 unicast-routing
!
interface Ethernet0/0
 ipv6 enable
 ipv6 address autoconfig default
<<<< Missing!! - ADD
R11 / R13
ipv6 unicast-routing
!
interface Tunnel1
 ip address 100.1.1.9 255.255.255.0
 ipv6 address 2000:89::9/64
 ipv6 ospf 1 area 0
 tunnel source Loopback0
 tunnel destination 88.1.1.1
 tunnel mode mpls traffic-eng
 tunnel mode ipv6ip
<<<< Missing!! - ADD <<<< Missing!! - ADD <<<< Wrong!! - CHANGE <<<< Wrong!! - REMOVE <<<< Missing!! - ADD
Q4 DNS.
[2 Points]
Ping from R20 to www.abc.com should resolve and reach the Web Server on the same AS. Packet count under ZBF map should increase with the ping traffic as shown in the output:
While you are resolving this issue, you are not allowed to create any new interfaces. Refer to the Troubleshooting guidelines to determine if your solution is appropriate.
R20# ping www.abc.com
Translating "www.abc.com" ... domain server (10.1.1.22) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.2.2, timeout is 2 seconds:
!!!!
Success rate is 100 percent (5/5), round-trip min / avg / max = 40/61/76 ms

R29# show policy-map type inspect zone-pair sessions
policy exists on zp ZBF
 Zone-pair: ZBF
  Service-policy inspect: ZBF
   Class-map: HTTP (match-any)
    Match: protocol http
     0 packets, 0 bytes
     30 second rate 0 bps
    inspect
     0 packets, 0 bytes
   Class-map: DNS (match-any)
    Match: protocol dns
     2 packets, 72 bytes
     30 second rate 0 bps
    inspect
     2 packets, 72 bytes
   Class-map: ICMP (match-any)
    Match: protocol icmp
     5 packets, 500 bytes
     30 second rate 0 bps
    inspect
     5 packets, 500 bytes
   Class-map: class-default (match-any)
    Match: any
    Pass
     362 packets, 15302 bytes
[Diagram: EIGRP AS 333, 172.10.10.X/29; R22; PE; SW4; Web Server www.abc.com on SW4 loopback, 192.168.133.100]
R29
ip name-server 10.1.1.22
ip domain-lookup
<<<< Missing - ADD
R31
ip host www.cisco.com 4.2.2.2
ip dns server
<<<< Missing - ADD
Q5 PPP Multilink.
A ping from R25 Loopback0 should reach a user located on R27. Fix the network so that R25 Loopback0 can ping R27:
R25# ping 10.1.1.27 source loopback0
While you are resolving this issue, you are not allowed to create any new interfaces. Refer to the Troubleshooting guidelines to determine if your solution is appropriate.
[2 Points]
[Diagram: R25 (S0/1, S0/2); R27 (.2 E0/0, 192.168.20.0/30); RIP v2]
The Multilink interface is down. PPP is not configured correctly across the multilink, and the multilink is missing the group statement.
Explanations:
R25
username R26 password cisco
!
interface Serial0/0/0
 description PPP-Multilink-1
 bandwidth 2048
 no ip address
 encapsulation ppp
 ppp multilink
 ppp multilink group 1
 no clock rate 2000000
 no cdp enable
<<<< Missing - ADD
R26
interface Multilink1
 ip address x.x.x.x 255.255.255.252
 ip nat outside
 ip inspect monitor out
 ip virtual-reassembly
 ppp multilink
 ppp multilink group 1
 no cdp enable
!
interface Serial0/0/1
 description PPP-Multilink-2
 bandwidth 2048
 no ip address
 encapsulation ppp
 ppp multilink
 ppp multilink group 1
 no fair-queue
 no clock rate 2000000
 no cdp enable
 ppp authentication chap pap
 ppp pap sent-username myrouter password CC1E
Q6 Frame-Relay QoS.
[2 Points]
Traffic that is marked with IP Precedence 5/ToS 160 coming from R26 must reach R23. Fix the problem so that the extended ping results in 100% success:
While you are resolving this issue, you are not allowed to create any new interfaces. Refer to the Troubleshooting guidelines to determine if your solution is appropriate.
R26# ping
Target IP address: 10.1.1.23
Repeat count [5]: 5
Extended commands [n]: y
Source address or interface:
Type of service [0]: 160
Set DF bit in IP header? [No]:
Validate reply data? [No]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose [none]:
Sweep range of sizes [n]:
Type escape sequence to abort
Sending 10000, 100-byte ICMP Echos to 10.1.1.23, timeout is 2 seconds:
!!!!

R25# sh policy-map int s0/0/0 | be DLCI 254
 Serial0/0/0: DLCI 254
  Service-policy output: POLICY
   Class-map: VOICE (match-all)
    0 packets, 0 bytes
    5 minute offered rate 0 bps, drop rate 0 bps
    Match: ip precedence 5
    police:
      cir 12000 bps, bc 3000 bytes
     conformed 0 packets, 0 bytes; actions:
      transmit
     exceeded 0 packets, 0 bytes; actions:
      drop
     conformed 0 bps, exceed 0 bps
    QoS Set
     dscp ef
      Packets marked 0
   Class-map: class-default (match-any)
    0 packets, 0 bytes
    5 minute offered rate 0 bps, drop rate 0 bps
    Match: any
    Queueing
    queue limit 64 packets
    (queue depth/total drops/no-buffer drops) 0/0/0
    (pkts output/bytes output) 0/0
    shape (average) cir 80000, bc 320, be 320
    target shape rate 80000
    lower bound cir 0, adapt to fecn 0
[Diagram: BGP AS 65004; Frame Relay cloud FR1 with QoS DLCIs; R24, R25, R26 (DHCP/NAT), R28; R27 (RIP v2, .2 E0/0, 192.168.20.0/30); MSDP Anycast RP 198.23.23.23; Video Streamer 224.28.28.28]
Explanations:
Nested MQC CB-Shaping over FR
class-map VOICE
 match ip precedence 5
!
policy-map VOICE
 class VOICE
  priority percent 10
!
policy-map CISCO
 class class-default
  shape average 8000
  shape adaptive 8000
  service-policy VOICE
!
map-class frame-relay CCIE
 service-policy output CISCO
!
interface Se0/0
 frame-relay interface-dlci 206
  class CCIE
<<<< Missing - ADD
[2 Points]
Explanations:
Note: In AS65004 there is a Frame Relay area running multicast, with multicast boundaries denying 224.0.1.39 and 224.0.1.40.
MSDP peering is UP. Use of Auto-RP groups 224.0.1.39 and 224.0.1.40 is denied at the border. Whether this is an error or not remains to be verified, because denying .39 and .40 at boundaries is usually part of the RP control mechanism solution.
R25
access-list 100 permit ip any host 224.23.23.23
!
class-map DRP
 match access-group 100
!
policy-map DRM
 class DRP
  drop
!
control-plane
 service-policy input DRM
!
interface Serial0/1
 ip address 10.1.48.1 255.255.255.248
 ip pim nbma-mode
 ip pim sparse-mode
 encapsulation frame-relay
 frame-relay interface-dlci 100
 frame-relay interface-dlci 200
!
interface loopback10
 ip pim sparse-dense-mode
!
ip pim send-rp-announce Loopback10 scope 16
ip pim send-rp-discovery Loopback10 scope 16
<<<< Make it deny (2 -ves= +ve)
<<<< Missing
[3 Points]
PC2# ping 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!
Success rate is 100 percent (5/5), round-trip min / avg / max = 40/61/76 ms
Explanations:
Q9 MPLS.
(2 Errors)
[3 Points]
A client connected to R34 in ACME's Branch Office (AS65111) has to reach Server R31 in ACME Headquarters. Fix the problem:
RR#
While you are resolving this issue, you are not allowed to create any new interfaces. Refer to the Troubleshooting guidelines to determine if your solution is appropriate.
[Diagram: AS 65111 (RIP v2, 172.16.13.X/30, Client R34, default RIP route); Internet AS 65535; R33; vrf ACME RD=111:111 Extended Backbone; BGP AS 65001 with R1, R2, R4, R7, R9, R11, R12, R13, R30, route reflectors (Cluster ID 100.1.1.5), PE routers and OSPF areas; 192.168.10.X/30; 10.10.20.X/30; AS 65AAA; backdoor link to R9 (VRF static route pointed to R29); OSPF 5 Area 0; SW1, SW2, SW5, SW6; VLANs 4, 5, 6, 10, 11, 12, 20; SVI User; SVI 56]
Check BGP-to-RIP route redistribution: the route is not getting from BGP to the last RIP router in the queue. R8 has a best route to R9 going through R10 based on the lower IP address of R9. A route is missing between R8 and two routers in the series.
Explanations:
R4
interface Ethernet3/0
 mpls mtu 100
!
interface Ethernet4/0
 mpls mtu 100
<<<< WRONG - FIX
Q10 MST.
The user has to ping a server in two hops. Fix the problem:
RR#
While you are resolving this issue, you are not allowed to modify the configuration of SW6. Refer to the Troubleshooting guidelines to determine if your solution is appropriate.
[2 Points]