
zone security INOUT

exit

int f0/1
zone-member security INOUT

ip http server

ip access-list extended INOUT


permit tcp any host 192.168.133.100 eq 80

class-map type inspect INOUT


match access-group name INOUT
exit

policy-map type inspect


policy-map type inspect INOUT

sh run | s route-map|access|redistribute|class|policy|prefix|ip route


ip multicast-r
ip pim aut lis

PC Multicast
============
1. ip multicast-r and ip pi aut li
The commands below need to be applied on all the devices:
1. ip multicast-r
Final TS5 ticket solution
ip pi aut li
ip pi sparse-m needs to be configured under the connected interface
sh run | s msdp|rp|boundary|mroute
sh ip pi nei
sh ip pi rp map
SW2
===
1. autorp and pim sparse-mode are missing
R5
===
1. pim rp-discovery and rp-announce interfaces are mismatched
2. msdp peer configuration is mismatched
3. mroute has been configured
4. autorp listener command is missing
R13
===
1. boundary with access list configured
2. ip pi aut li and ip pi sparse-m are not there
R23
===
1. RP discovery and RP announce are mismatched
2. msdp peering mismatch
3. dr priority should be there on the serial interface towards the FR switch
R24
===
1. ip pim nbma mode must be there under the serial interface
R28
===
1. ip multicast-r and ip pi aut li, ip pi sparse-m
IGP
===
R2 and R3
==========
1. The R1 neighbor shutdown command needs to be removed and the neighbor should be activated
2. The aggregate address summary for the 10 networks needs to be removed and added back without summary
3. redistr os with metric
4. default information originate always should be there under the os domain
R13
===
1. lo4 and lo10 should be shut
R4
===
1. The static route's AD value needs to be manipulated to 255
2. sh ip os int b --- it shows the cost; if the cost value has increased, put "no band" and "no ip os cost" under the interface
R5
===
1. The static route's AD value needs to be manipulated to 255
2. sh ip os int b --- it shows the cost; if the cost value has increased, put "no band" and "no ip os cost" under the interface
3. route-map needs to be deleted to map to null 0
SW1
===
1. Under the ospf process
1.1 max-lsa --made it as warning-only
1.2 passive interface needs to be removed
1.3 access-list configured for default network
2. IP address/subnet of vl 11 mismatch
3. ip os network and authentication of both interfaces facing R4 and R5
4. If the question asks to load-share the packets
1. int vl 11
ip route-cache cef
in fa0/1---facing on R4
ip route-cache
ip load-sharing per-packet
in fa1/1---facing on R5
ip route-cache
ip load-sharing per-packet
R17

access-list 18 deny 192.168.133.0 0.0.0.255


access-list 18 permit 192.168.133.0 0.0.0.255

will afterward permit route-map 20

R19
1) under router bgp 65001
neighbor 100.4.4.4 password cisco
2) and in address-family ipv4
neighbor 100.4.4.4 next-hop-self
3) ip as-path access-list 100 permit ^$ (because of this only advertised)
ip as-path access-list 100 permit .*

R4

1) router bgp 65001


bgp cluster-id 100.1.1.4

R5
1) router bgp 65001
address-family ipv4
no sync
2) router bgp 65001
address-family ipv4
neighbor 100.12.12.12
3) policy-map ABC
class R125
no drop
4) router bgp 65001
address-family ipv4
neighbor 100.4.4.4 activate

R12
1) router bgp 65001
address-family ipv4
no neighbor 100.4.4.4 activate
2) route-map ASPATH permit 10
match as-path 100
no set community no-advertise
3) router bgp 65001
address-family ipv4
neighbor 100.5.5.5 next-hop-self

R20
1) router eigrp 333
no auto-summary
2) route-map permit 20 required

SW4
1) router eigrp 333
no auto-summary

2) access-list 133 permit icmp any any

ticket3
IPV6

1)IPv6_Phone# int e0/0


ipv6 address autoconfig default ***/default missing /***

R18
2) ipv6 access-list DENY
deny ipv6 any any ****permit ipv6 any any****
3) ipv6 router ospf 1
no passive-interface Ethernet0/0
4) int e0/0
no ipv6 nd suppress-ra
5) int e0/1
ipv6 ospf 1 area 1

R11

interface Tunnel1
ip address 113.0.0.1 255.255.255.252
ipv6 address 2001:CC1E:ABCD:113::11/64
ipv6 ospf 1 area 0
1)tunnel source loopback 0 ****add this***
2)tunnel destination 100.13.13.13 ****add this***
3)tunnel mode ipv6ip ****add this***
4)NO tunnel mode mpls traffic-eng ****remove this and this will also remove "no routing dynamic"***
no routing dynamic

R5
1)access-list 113 permit 41 any any ***PERMIT
2)access-list 113 permit gre any any ****PERMIT
access-list 113 permit ip any any

R13
interface Tunnel1
ip address 113.0.0.2 255.255.255.252
ipv6 address 2001:CC1E:ABCD:113::13/64
tunnel source loopback0 ****add this***
tunnel destination 100.11.11.11
tunnel mode ipv6ip ****add this***
NO tunnel mode mpls traffic-eng ****remove this and this will also remove "no routing dynamic"***
no routing dynamic
ipv6 ospf 1 area 0 ****add this***

R23
NO ipv6 route 2001:CC1E:ABCD:300::/64 Null0 ****remove this

int s1/0
frame-relay map ipv6 FE80::24 234

R24
map-class frame-relay frts
frame-relay end-to-end keepalive mode request //****change it to passive-reply/

ipv6 ospf network point-to-multipoint ///change it from broadcast to point-to-multipoint//

ipv6 router ospf 1


no passive-interface Ethernet0/0

R28

interface Ethernet0/0
ipv6 address 2001:CC1E:ABCD:300:10:10:2:28/64
no ipv6 autoconfig default ***remove this***
ipv6 ospf 1 area 0 ***add this***
DNS

R20
ip domain lookup

ip name-server 192.168.133.100 Change this to DNS server ip 192.168.133.100

R21
class-map type inspect match-all INOUT ****match-any*****

policy-map type inspect INOUT


class type inspect INOUT
inspect
class class-default
pass

zones need to be applied on the interfaces *******


SW4
///interface Vlan133
ip address 192.168.133.1 255.255.255.0
ip access-group 133 in
interface FastEthernet1/1
switchport access vlan 133
access-list 133 permit tcp host 192.168.133.100 any eq telnet///

The access-list entry below needs to be added:


access-list 133 permit tcp host 192.168.133.100 eq telnet any
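
Why the second entry matters, as an added example that is not part of the original notes: a small first-match evaluator for the two TCP entries of access-list 133 quoted above, run against constructed packets. The peer address 10.0.0.5 and the ephemeral port 40000 are assumptions, and only `permit tcp` entries with `any`/`host` addresses are modelled.

```python
# Added illustration: minimal first-match evaluator for "access-list 133" TCP
# entries of the form "permit tcp <src> [eq port] <dst> [eq port]".
PORTS = {"telnet": 23, "www": 80}

def _addr(tok):
    """Consume 'any' or 'host A.B.C.D'; None means wildcard."""
    if tok[0] == "any":
        return None, tok[1:]
    if tok[0] == "host":
        return tok[1], tok[2:]
    raise ValueError("only 'any' and 'host x' are modelled")

def _port(tok):
    """Consume an optional 'eq <port>' qualifier; None means any port."""
    if tok[:1] == ["eq"]:
        name = tok[1]
        return (PORTS[name] if name in PORTS else int(name)), tok[2:]
    return None, tok

def parse(line):
    tok = line.split()
    if tok[0] != "access-list" or tok[3] != "tcp":
        raise ValueError("only numbered TCP entries are modelled")
    action, tok = tok[2], tok[4:]
    src, tok = _addr(tok)
    sport, tok = _port(tok)   # port right after the source = source port
    dst, tok = _addr(tok)
    dport, tok = _port(tok)   # port right after the destination = destination port
    return dict(action=action, src=src, sport=sport, dst=dst, dport=dport)

def evaluate(acl, pkt):
    """Return the action of the first matching entry, else the implicit deny."""
    for e in acl:
        if all(e[k] is None or e[k] == pkt[k]
               for k in ("src", "sport", "dst", "dport")):
            return e["action"]
    return "deny"

ORIGINAL = [parse("access-list 133 permit tcp host 192.168.133.100 any eq telnet")]
FIXED = ORIGINAL + [
    parse("access-list 133 permit tcp host 192.168.133.100 eq telnet any")]

# Constructed packets entering Vlan133 from 192.168.133.100.
REPLY = dict(src="192.168.133.100", sport=23, dst="10.0.0.5", dport=40000)
OUTBOUND = dict(src="192.168.133.100", sport=40000, dst="10.0.0.5", dport=23)

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, "reply:", evaluate(acl, REPLY),
              "outbound:", evaluate(acl, OUTBOUND))
```

The original entry matches only sessions that 192.168.133.100 opens toward port 23; segments it sends from source port 23 (replies of a Telnet session opened toward it) fall through to the implicit deny until the `eq telnet any` entry is added.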

R22
policy-map DNS
class BLOCK
drop ****no drop****

ip http server ****remove no ***

ip dns server ****add this*****

no ip host www.abc.com 192.168.233.100 ***remove this


ip host www.abc.com 192.168.133.100 ****add this
R25
////interface Multilink1
ip unnumbered Loopback0
ip mtu 1400 ******remove this
ipv6 address 2001:CC1E:ABCD:200:10:10:2:25/64
ipv6 ospf 1 area 0
ppp authentication chap
ppp chap hostname cc1eR26 *****change it to ccleR25
ppp chap password 0 cisco
ppp multilink
ppp multilink fragment
ppp multilink links minimum 1
ppp multilink group 1////

/////interface Serial0/1
no ip address
encapsulation ppp
serial restart-delay 0
ppp multilink
ppp multilink group 100 *****change group to 1
!
interface Serial0/2
no ip address
encapsulation ppp
serial restart-delay 0
ppp multilink
ppp multilink group 1
!/////////

1) int s0/1
R25(config-if)#no ppp multilink group 100
R25(config-if)#ppp multilink group 1

R26

username ccleR26 password 0 cisco ****remove this


username ccleR25 password 0 cisco *****

///interface Multilink1
ip unnumbered Loopback0
ip mtu 1400 *****remove this****
ip nat outside
no ip virtual-reassembly
ipv6 address 2001:CC1E:ABCD:200:10:10:2:26/64
ipv6 ospf 1 area 0
ppp authentication chap
ppp chap hostname ccleR25 *****change it to ccleR26
ppp chap password 0 cisc0 *****change it to cisco
ppp multilink
ppp multilink fragment
ppp multilink links minimum 1
ppp multilink group 1////

/////interface Serial1/0
no ip address
encapsulation ppp
serial restart-delay 0
no fair-queue
ppp multilink//////

ppp multilink group 1 *****add this*****

//////interface Serial1/1
no ip address
encapsulation ppp
serial restart-delay 0
ppp multilink
ppp multilink group 1//////
!

no service dhcp *****need to enable


service dhcp
R24

key chain cisco


key 1
key-string ccie
key chain ccie
key 1
key-string cisco
!

interface Serial1/0
ip address 172.16.14.25 255.255.255.248
ip hello-interval eigrp 200 5
ip hold-time eigrp 200 15
ip authentication mode eigrp 200 md5
ip authentication key-chain eigrp 200 ccie
encapsulation frame-relay
serial restart-delay 0
clock rate 64000
frame-relay map ip 172.16.14.26 345 broadcast

R25

interface Serial0/0
ip address 172.16.14.26 255.255.255.248
ip hello-interval eigrp 200 5
ip hold-time eigrp 200 15
ip authentication mode eigrp 200 md5 ****ADD THIS
ip authentication key-chain eigrp 200 ccie ****ADD THIS
encapsulation frame-relay
ip policy route-map PPP
serial restart-delay 0
clock rate 64000
frame-relay map ip 172.16.14.25 354 broadcast

username R29 password 0 c1sco ****remove this & change the username & password to
R25 & cisco

interface Serial1/0
no ip address *****add ip address
ip address 1.1.100.1 255.255.255.252
encapsulation ppp
serial restart-delay 0
clock rate 64000
ppp authentication pap *****change it to chap
ppp chap hostname R29 *****change it to R25
ppp chap password 0 cisco
!
access-list 124 permit ip any 192.0.0.0 0.255.255.255
!
route-map PPP permit 10
match ip address 124
set interface Null0 *****remove this
!
router rip *****add the whole rip process
version 2
network 1.0.0.0
no auto-summary
redistribute eigrp 200 metric 5

aaa authentication ppp default group tacacs+ *****change it to local-case (Use case-sensitive local username authentication) instead of tacacs+

R29
username R25 password 0 c1sco ****remove this & change the username & password to
R25 & cisco

interface Serial2/0
ip address 1.1.100.2 255.255.255.252
encapsulation ppp
serial restart-delay 0
clock rate 64000
ppp authentication chap
ppp chap hostname R25 *****change it to R29
ppp chap password 0 cisco

router rip
version 1 *****change it to version 2
network 1.0.0.0
network 192.168.20.0
no auto-summary
!
enable password cisco *****required for telnet from r25

TICKET 6
Problems and Solution:
R25
Problem:
class-map match-any MISSIONCRITICAL
match ip precedence 6 7
match access-group 25
class-map match-all voice
match ip precedence 5
match ip precedence 4
!
!
policy-map POLICY
class voice
priority percent 12
class MISSIONCRITICAL
bandwidth percent 30
interface Serial0/0
ip address 10.10.10.11 255.255.255.248
encapsulation frame-relay
frame-relay class frts
exit
map-class frame-relay frts
frame-relay end-to-end keepalive mode bidirectional
frame-relay cir 1000
frame-relay bc 8000

Solution:
R25#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R25(config)#class-map match-all MISSIONCRITICAL // Since output says match-all
R25(config-cmap)#exit
R25(config)#class-map match-any voice // Since output says match-any
R25(config-cmap)#no match ip precedence 4 // Only to match the second output; avoid it if you are asked to match the first output
R25(config-cmap)#exit
R25(config)#policy-map POLICY
R25(config-pmap)# class voice
R25(config-pmap-c)# priority percent 25 // Since output says Bandwidth:25%
R25(config-pmap-c)# exit
R25(config-pmap)# class MISSIONCRITICAL
R25(config-pmap-c)# priority percent 30 // Since output says Bandwidth:30%
R25(config-pmap-c)# exit

R25(config)#interface Serial0/0
R25(config-if)#frame-relay traffic-shaping // Make sure this is applied
R25(config-if)# frame-relay class frts // Make sure this is applied
R25(config-if)# exit
R25#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R25(config)#map-class frame-relay frts
R25(config-map-class)# frame-relay end-to-end keepalive mode passive-reply // Change to passive-reply
R25(config-map-class)# frame-relay cir 100000 or 96000 // Change as per the output
R25(config-map-class)# frame-relay bc 8000 // Change as per the output
R25(config-map-class)#service-policy output POLICY // You won't get the output on R25 if this is not applied
CCIERNSLABS.COM ---> TS V5.6<---- 25th-February-14
New Faults as of 10th November 2013
On R25
Problem:
1) Match the output
Solution:
class-map match-any MISSIONCRITICAL ( Manipulate match-any or match-all as per the Output )
match ip precedence 6 7
match access-group 25
class-map match-any voice ( Manipulate match-any or match-all as per the Output )
match ip precedence 5
match ip precedence 4 ( Manipulate as per the Output )
match access-group 125 ( Manipulate as per the Output and create ACL entries )
match ip dscp ef ( Manipulate as per the Output ) OR
match ip precedence ef ( Manipulate as per the Output )
access-list 125 permit ip any any dscp ef // Remove This
access-list 125 permit ip any any dscp cs5 // Add This
On R25
Problem:
2) If a ping is asked from R27 to R28, then make sure that the OSPF neighborship between R25 and R24 is up
interface Serial0/0
ip address 10.10.10.11 255.255.255.248
frame-relay map ip 10.10.10.9 253 broadcast
frame-relay map ip 10.10.10.10 254 broadcast // This command could be missing or broadcast might be missing
Solution:
interface Serial0/0
ip address 10.10.10.11 255.255.255.248
frame-relay map ip 10.10.10.9 253 broadcast
frame-relay map ip 10.10.10.10 254 broadcast
New Faults as of 25th February 2014
On R25
Problem:
class-map match-any voice
match ip precedence 5
match ip precedence 4
match access-group 125
access-list 125 permit ip any any dscp ef
Solution:
access-list 125 permit ip any any dscp cs5 // Add this.
