ccnp t shoot

Copyrights Networxx 20010-2015 Website: http://www.networxx.in; Email: [email protected]

Page 1 of 40

Comprehensive Coverage of the CCNP T-SHOOT Blueprint

Authored By:

Khawar Butt CCIE # 12353 (R/S, Security, SP, Voice)

CCNP Troubleshooting Lab

Workbook


Page 2 of 40

Module 1 Troubleshooting RIP

Authored By:


CCNP Troubleshooting Lab Workbook


Page 3 of 40

Scenario: R3 does not support RIPv2. R1, R2 and R4 have been configured to run RIPv2. Issue: Routes are not getting propagated. Make sure that R3 only run RIPv1 and R4 runs RIPv2. Make sure routes are getting propagated and reachable from all routers.

S 0/0 (.3)

S 0/0 (.2)

F 0/0(.1)

R2

192.1.12.0/2

R1

F 0/0 (.2) L0 10.1.1.1/16 L0 10.2.2.2/16

R3 192.1.34.0/2

R4

L0 4.4.4.4/16 L0 3.3.3.3/16

192.1.23.0/2

F 0/0(.4) F 0/0 (.3)

Lab 1 Troubleshooting RIPv1 and RIPv2 Issues


Page 4 of 40

Scenario: All routers should be configured to authenticate RIPv2 routing updates. R1 and R2 should use Clear Text authentication. All the other links should use the most secure authentication mechanism. Issue: Routes are not getting propagated. Make sure that all routes are reachable based on the above requirements.

S 0/0 (.3)

S 0/0 (.2)

F 0/0(.1)

R2

192.1.12.0/2

R1

F 0/0 (.2) L0 10.1.1.1/16 L0 10.2.2.2/16

R3 192.1.34.0/2

R4

L0 10.4.4.4/16 L0 10.3.3.3/16

192.1.23.0/2

F 0/0(.4) F 0/0 (.3)

Lab 2 Troubleshooting RIPv2 Authentication Issues


Page 5 of 40

Module 2 Troubleshooting EIGRP

Authored By:




Page 6 of 40

Scenario: R1, R2, R3 and R4 have been configured to run EIGRP in AS 12353. All Neighbor relationships should have been authenticated using a key ID of 1 and a key-string of C1SCO. Issue: Routes are not getting exchanged between the Routers. Make sure that all routes are reachable based on the above requirements.

S 0/0 (.3)

S 0/0 (.2)

F 0/0(.1)

R2

192.1.12.0/2

R1

F 0/0 (.2) L0 10.1.1.1/16 L0 10.2.2.2/16

R3 192.1.34.0/2

R4

L0 10.4.4.4/16 L0 10.3.3.3/16

192.1.23.0/2

F 0/0(.4) F 0/0 (.3)

Lab 1 Troubleshooting EIGRP Communication Issues


Page 7 of 40

Scenario: Routing should have been configured based on the following:

o R1 Default Route towards R2 o R2 Running EIGRP on the 192.1.23.0 network. R3 and the rest of

the networks should have reachability towards the Loopbacks on R1 and R2 and the physical link between R1 and R2. EIGRP should not run on Loopback or on the link between R1 and R2.

o R3 should have all the links advertised in EIGRP. o R4 should have run EIGRP on Physical link between R3 and R4. It

should have run RIPv2 on the Loopback and the physical link between R4 and R5. It should have performed mutual redistribution between RIP and EIGRP.

o R5 should have all the links advertised in RIPv2.

S 0/0 (.3)

S 0/0 (.2)

F 0/0(.1)

R2

192.1.12.0/2

R1

F 0/0 (.2) L0 10.1.1.1/16 L0 10.2.2.2/16

R3 192.1.34.0/2

R4

L0 10.4.4.4/16 L0 10.3.3.3/16

192.1.23.0/2

F 0/0(.4) F 0/0 (.3)

R5

L0 10.5.5.5/16

192.1.45.0/24

F 0/1(.4)

F 0/0(.5)

Lab 2 Troubleshooting EIGRP Redistribution Issues


Page 8 of 40

Issue: Routes are not getting exchanged between the Routers. Make sure that all routes are reachable based on the above requirements.


Page 9 of 40

Module 3 Troubleshooting OSPF

Authored By:




Page 10 of 40

Scenario: R1, R2, R3 and R4 have been configured to run OSPF. R1 and R2 should have been the Designated Routers for the Ethernet segment, with R1 having higher priority than R2. All loopbacks should have been advertised with their proper masks. All Routers should be communicating to each other using the highest level of authentication. Issue: Routes are not getting exchanged between the Routers. Make sure that all routes are reachable based on the above requirements.

F 0/0 (.4) F 0/0 (.3)

F 0/0 (.1) F 0/0 (.2)

R2 R1

L0 1.1.1.1/8 L0 2.2.2.2/8

R3 R4

L0 4.4.4.4/8 L0 3.3.3.3/8

L0 192.1.100.0/24

Lab 1 Troubleshooting OSPF Communication Issues


Page 11 of 40

Scenario: Routing should have been configured based on the following:

o R1 should have all the links advertised in EIGRP in AS 12353. o R2 running OSPF on the 192.1.23.0 network. R3 and the rest of

the networks should have reachability towards the Loopbacks on R1 and R2 and the physical link between R1 and R2. Run EIGRP 12353 on the physical link between R1 and R2.

o R3 should have all the links advertised in OSPF. o R4 should have run OSPF on Physical link between R3 and R4. It

should have run RIPv2 on the Loopback and the physical link between R4 and R5. It should have performed mutual redistribution between RIP and OSPF.

o R5 should have all the links advertised in RIPv2.

S 0/0 (.3)

S 0/0 (.2)

F 0/0(.1)

R2

192.1.12.0/2

R1

F 0/0 (.2) L0 10.1.1.1/16 L0 10.2.2.2/16

R3 192.1.34.0/2

R4

L0 10.4.4.4/16 L0 10.3.3.3/16

192.1.23.0/2

F 0/0(.4) F 0/0 (.3)

R5

L0 10.5.5.5/16

192.1.45.0/24

F 0/1(.4)

F 0/0(.5)

Lab 2 Troubleshooting OSPF Redistribution Issues


Page 12 of 40



Page 13 of 40

R1

Frame-Relay

R2

R3

R4

Scenario: R1 (The HUB) has been configured with two sub-interfaces, one of the two sub-interfaces is configured to connect R1 to R4, this sub-interface should have been configured in a point-to-point manner using the following IP addressing:

o R1 = 192.1.14.1 /24 o R4 = 192.1.14.4 /24

The second sub-interface on R1 should have been configured in a multipoint manner, and this sub-interface should have been configured to connect R1 to routers R2 and R3 using the following IP addressing:

o R1 = 192.1.123.1 /24 o R2 = 192.1.123.2 /24 o R3 = 192.1.123.3 /24

All routers be able to ping every IP address including their own within their IP address space. OSPF should have been configured on the routers to advertise the loopback networks. These routes should be reachable from all devices.

Lab 3 Troubleshooting OSPF Frame-Relay Issues


Page 14 of 40

Issue: Routes are not getting exchanged between the Routers. Make sure that all routes are reachable based on the above requirements. Restrictions:

Cannot create sub-interfaces on R2, R3 and R4.

Cannot change the network type on the point-to-point sub-interface on R1.

Cannot have a DR/BDR on the Multi-point network.


Page 15 of 40

Scenario: Routing should have been configured based on the above diagram. Also, the loopback networks from R1 and R4 should have been summarized using the longest possible summary address into other areas. Issue: Routes are not getting exchanged between the Routers. Make sure that all routes are reachable based on the above requirements.

Lab 4 Troubleshooting OSPF Multi-area & Summarization Issues

R2

F 0/0 (.3)

F 0/0 (.2)

S 0/0(.1) 192.1.12.0/24 R1 S 0/0 (.2)

L0 1.1.0.0

L3 1.1.3.0/24 L0 2.1.0.0

L3 2.1.3.0/24

S 0/0(.4)

R3

192.1.34.0/24

R4

S 0/0 (.3) L0 4.1.0.0

L3 4.1.3.0/24

L0 3.1.0.0

L3 3.1.3.0/24

192.1.23.0/24

Area 10

Area 0

Area 100


Page 16 of 40

Scenario: Routing should have been configured based on the above diagram. Area 10 routers should only have Intra-area routes. These routers have had connectivity to all routes in the network. Area 100 routers should have had Intra-area routes and Routes getting redistributed into OSPF from RIP. It should also reachability to all other routes in the network. Loopback on R2 and R3 should be injected into OSPF as external routes. All routers should have connectivity to the RIP routes.

Lab 5 Troubleshooting OSPF Stub Area Issues

F 0/0(.5)

R2

F 0/0 (.3)

F 0/0 (.2)

S 0/0(.1) 192.1.12.0/24 R1 S 0/0 (.2)

L0 1.1.0.0

L1 1.1.1.0/24 L0 2.1.0.0

L1 2.1.1.0/24

S 0/0(.4)

R3

192.1.34.0/24 R4 S 0/0 (.3)

L0 4.1.0.0

L1 4.1.1.0/24

L0 3.1.0.0

L1 3.1.1.0/24

192.1.23.0/24

Area 10

Area 0 Area 100

R5

L0 5.1.0.0/24

192.1.45.0/24

F 0/0(.4)

RIPv2


Page 17 of 40



Page 18 of 40

Scenario: Routing should have been configured based on the above diagram. The Virtual Link needed to be authenticated.


Lab 6 Troubleshooting OSPF Virtual Link Issues

R2

E 0/0 (.3)

E 0/0 (.2)

S 0/0(.1) 192.1.12.0/24 R1 S 0/0 (.2)

L0 1.1.0.0

L1 1.1.1.0/24 L0 2.1.0.0

L1 2.1.1.0/24

S 0/0(.4)

R3

192.1.34.0/24

R4

S 0/0 (.3) L0 4.1.0.0

L1 4.1.1.0/24

L0 3.1.0.0

L1 3.1.1.0/24

192.1.23.0/24

Area 0

Area 10

Area 100


Page 19 of 40

Module 4 Troubleshooting BGP

Authored By:




Page 20 of 40

Physical Layout

BGP Layout

Lab 1 Troubleshooting BGP Communication Issues

F 0/0 (.5) F 0/0 (.3)

F 0/0 (.2)

S 0/0(.1) R2 192.1.12.0/24 R1

S 0/0 (.2) L0 1.1.1.1/8 L0 2.2.2.2/8

S 0/0(.4)

R3

192.1.34.0/24

R4

S 0/0 (.3)

L0 4.4.4.4/8

L0 3.3.3.3/8

192.1.23.0/24

L1 12.1.0.1/16

L1 13.1.0.1/16

R5

192.1.45.0/24

F 0/0 (.4)

AS 1

R1 R2 R5

R3

R4

AS 234

AS 5


Page 21 of 40

Scenario: Routing has been as per diagram. The Inter-AS Links between the ASs is not advertised within the AS IGP and it should not. All the Loopbacks on all the routers should be reachable to each other. No Neighbor relationship should be established between R2 and R4. All I-BGP neighbor relationships should have been authenticated by using a password of Cisco. The I-BGP neighbors relationship should have been established based on Loopback 10 addresses (10.xx.xx.xx/24). This should have been advertised in the IGP.



Page 22 of 40

Physical Layout

BGP Layout

Lab 2 Troubleshooting BGP Filtering Issues

F 0/0 (.3)

F 0/0 (.2)

S 0/0(.1) R2 192.1.12.0/24 R1

S 0/0 (.2) L0 1.1.1.1/8 L0 2.2.2.2/8

S 0/0(.4)

R3

192.1.34.0/24

R4

S 0/0 (.3)

L0 4.4.4.4/8

L0 3.3.3.3/8

192.1.23.0/24

L1 12.1.0.1/16

L1 13.1.0.1/16

AS 1

R1 R2

R3

R4

AS 234


Page 23 of 40

Scenario: Routing has been as per diagram. Routes have been advertised as follows: R2

Loopback 1 192.2.1.1/24 Loopback 2 192.2.2.1/24 Loopback 3 192.2.3.1/24 Loopback 4 192.2.4.1/24 Loopback 5 192.2.5.1/24 Loopback 6 192.2.6.1/24 Loopback 7 192.2.7.1/24 Loopback 8 192.2.8.1/24

R3

Loopback 1 150.3.16.1/20 Loopback 2 150.3.36.1/22 Loopback 3 150.3.40.1/22 Loopback 4 150.3.50.1/23 Loopback 5 150.3.65.1/24 Loopback 6 150.13.0.1/16 Loopback 7 150.14.64.1/18

These routes should have been filtering using the following conditions:

R2 should have blocked all the 192.2.X.0 routes that have an odd number in the third octet from propagating outside the local AS using the distribute-list command with an ACL.

R4 should have blocked all the 192.2.X.0 routes that have an even number in the third octet from coming in using the distribute-list command with an ACL. The Distribute-list command. It should have been done globally for the BGP process.

R1 should have blocked all the 150.X.X.0 routes that have a subnet mask between 17 and 23 bits from coming in.

Issue: Routes are not getting filtered properly based on the above requirements. Make sure the routes are filtered based on the above requirements.


Page 24 of 40

Physical Layout

BGP Layout

Lab 3 Troubleshooting BGP Route Manipulation Issues

AS 1

R1

R4

R2

R3

AS 234

S 0/0 (.3)

F 0/0 (.3)

F 0/0 (.2)

S 0/0(.1) R2 192.1.12.0/24 R1

S 0/0 (.2) L0 1.1.1.1/8 L0 2.2.2.2/8

S 0/0(.4)

R3

192.1.34.0/24

R4

L0 4.4.4.4/8 L0 3.3.3.3/8

192.1.23.0/24

F 0/0 (.4)

F 0/0 (.1)

192.1.14.0/24


Page 25 of 40

Scenario: Routing has been as per diagram. Traffic flow between the 2 ASs should have been configured as follows:

All ingress (incoming) traffic to AS 234 should have been configured to use the path thru R4 using the MED attribute.

All egress (outgoing) traffic from AS 234 should have been configured to go through R2 in the outbound direction using the Local Preference attribute.

Traffic destined for the 1.0.0.0 network originating on R4 should have been configured to go thru directly to R1 instead of using R2 as the exit Router using the weight attribute on R4.

Issue: Routes are following the said pattern. Make sure the routes flow between AS 1 and AS 234 based on the above requirements.


Page 26 of 40

Module 5 Troubleshooting Other Technologies

Authored By:




Page 27 of 40

Scenario: A GRE tunnel should have been configured to route networks 10.1.1.0/24 and 10.3.3.0/24. The GRE Tunnel should have been running EIGRP in AS 13 to route the two networks. The GRE Tunnel network should have been 10.13.13.0/24. The tunnel should have used F 0/0 as the physical interface on R1 for setting up of the tunnel. The rest of the networks should have been configured in EIGRP 100. Traffic from network 3.0.0.0/8 to network 1.0.0.0/8 should always use the 192.1.112.0/24 link. All other traffic should use the routing table to route the traffic. A PBR route-map has been configured to do that.

Issue: The above requirements are not being met. Make sure the above requirements should be met.

Lab 1 Troubleshooting PBR and GRE Issues

L0 1.1.1.1/8

F 0/1(.1) 192.1.112.0/24 F 0/1 (.2)

S 0/0 (.3)

S 0/0 (.2)

F 0/0(.1)

R2

192.1.12.0/24 R1

F 0/0 (.2) L0 2.2.2.2/8

R3

L0 3.3.3.3/8

192.1.23.0/24

L1 10.1.1.1/24

L1 10.3.3.3/24


Page 28 of 40

Scenario: IPv6 routing has been configured on R1,R2, R3 and R4. IPv6 addresses should have been assigned to the Physcial links based on the following:

R1 F 0/0 2000:1:1:12::1 /64

R2 F 0/0 2000:1:1:12::2 /64

R2 S 0/0 2000:1:1:23::2 /64

R3 F 0/0 2000:1:1:34::3 /64

R3 S 0/0 2000:1:1:23::3 /64

R4 F 0/0 2000:1:1:34::4 /64 Loopback0 interfaces on all routers should have configured using the auto-assigned addresses as follows:

R1 Loopback0 2001:1:1:1::/64

R2 Loopback0 2001:2:2:2::/64

R3 Loopback0 2001:3:3:3::/64

R4 Loopback0 2001:4:4:4::/64

Lab 2 Troubleshooting IPv6 Communication Issues with RIPng

2000:192:1:23::/64

F 0/0

S 0/0

Lo 0 F 0/0 Lo 0

S 0/0

Lo 0 F 0/0 F 0/0 Lo 0

R1

R4 R3

R2

2000:192:1:12::/64

2000:192:1:34::/64


Page 29 of 40

RIPng should have been configured on all the routers to route the Loopback networks.



Page 30 of 40

Scenario: IPv6 routing has been configured on R1,R2, R3 and R4. IPv6 addresses should have been assigned to the Physcial links based on the following:

R1 F 0/0 2000:1:1:12::1 /64

R2 F 0/0 2000:1:1:12::2 /64

R2 S 0/0 2000:1:1:23::2 /64

R3 F 0/0 2000:1:1:34::3 /64

R3 S 0/0 2000:1:1:23::3 /64

R4 F 0/0 2000:1:1:34::4 /64 Loopback0 interfaces on all routers should have configured using the auto-assigned addresses as follows:

R1 Loopback0 2001:1:1:1::/64

R2 Loopback0 2001:2:2:2::/64

R3 Loopback0 2001:3:3:3::/64

R4 Loopback0 2001:4:4:4::/64

Lab 3 Troubleshooting IPv6 Communication Issues with OSPFv3

2000:192:1:23::/64

F 0/0

S 0/0

Lo 0 F 0/0 Lo 0

S 0/0

Lo 0 F 0/0 F 0/0 Lo 0

R1

R4 R3

R2

2000:192:1:12::/64

2000:192:1:34::/64


Page 31 of 40

OSPFv3 should have been configured on all the routers to route the Loopback networks.



Page 32 of 40

Module 6 Troubleshooting Switching Technologies

Authored By:




Page 33 of 40

Scenario: All Switches should have been configured in a VTP Domain CISCO. SW1 should have been configured as a Server and all other switches. The VTP communication should have been authenticated with a password of CCNP. All the trunk ports should have been configured with Dot1q as the encapsulation method.

Lab 1 Troubleshooting STP, VTP and Inter-VLAN Routing Issues

SW1

F 0/0 (.2)

F 0/0.1 (.1)

VLAN 40 (.15)

VLAN 30 (.15)

192.1.34.0/24 VLAN 30

192.1.13.0/24 VLAN 20

F 0/0 (.5)

R5

192.1.2.0/24 VLAN 40

R1

R2

192.1.15.0/24 VLAN 10

F 0/0.2 (.1)

F 0/0 (.4)

R4

R3

F0/0.1 (.3)

F0/0.2 (.3)


Page 34 of 40

The logical diagram, VLANs and IP addressing should have been configured to match the above diagram. A Loopback 0 interface should have been configured on each Rotuer with an IP Address of X.X.X.X/8 (where X is the Router # - R1=1, R2=2 .). Loopback 0 on SW1 as 15.15.15.15/8. EIGRP in AS 100 should have been run on all the routers and SW1 to provide reachability. SWI should have been configured as the Root bridge for VLANs 10 and 20. SW2 should have been configured as the Root Switch for VLANs 30 and 40. Issue: The above requirements are not being met. Make sure the above requirements should be met.


Page 35 of 40

Scenario: The following Filtering policy should have been implemented on SW1:

Deny IGMP in VLAN 10

Deny TFTP in VLAN 20

Deny ICMP and TFTP in VLAN 30

Lab 2 Troubleshooting Switch Security Issues

SW1

F 0/0 (.2)

F 0/0.1 (.1)

VLAN 40 (.15)

VLAN 30 (.15)

192.1.34.0/24 VLAN 30

192.1.13.0/24 VLAN 20

F 0/0 (.5)

R5

192.1.2.0/24 VLAN 40

R1

R2

192.1.15.0/24 VLAN 10

F 0/0.2 (.1)

F 0/0 (.4)

R4

R3

F0/0.1 (.3)

F0/0.2 (.3)


Page 36 of 40

There is a MAC address 0001.0012.2222 trying to attack VLAN 40. Block this MAC address from accessing any device in VLAN 40.

There is Security policy on your network such only R1 F0/0 and R2 F0/0 should be able to connect to Ports F 0/1 and F0/2 on SW1. Ports F 0/5 F 0/6 are in VLAN 40 on SW2. Some PCs are going to be connected to them in the future. These ports should have been configured to learn 2 MAC address dynamically. If a third device tried to connect to them, the ports should have been error disabled automatically. There are PCs that are connected or will be connected to SW1 ports F0/17 18. These ports should have been set with dot1x authentication. These ports should be put into VLAN 40 if authentication was successful. The authentication should have used a RADIUS server located at 192.1.2.100 using cisco as the key.

If the PC did not support Dot1X authentication, it should have been put into VLAN 60. If the user had failed the authentication, it should have been put into VLAN 61. Issue: The above requirements are not being met. Make sure the above requirements should be met.


Page 37 of 40

Scenario: SW1 and SW4 belong to the same company. SW2 and SW3 belong to the Service Provider. The Service provider is providing Layer-2 connectivity between the 2 sites for the company using Q-in-Q Tunneling. The Company has 2 VLANs (80 and 90). VLAN 80 on either site should have been able to connect to each other. VLAN 90 on either site should have been able to connect to each other. SW1 and SW4 should have been able to see each other in the Show CDP neighbor command as a neighbor. Issue: The above requirements are not being met. Make sure the above requirements should be met.

Lab 3 Troubleshooting Q-in-Q Tunneling Issues

VLAN 90

VLAN 90

VLAN 80

VLAN 80

SW1

SW4

SW3

SW2


Page 38 of 40

Scenario: The following VLAN should have been configured on SW1:

Vlan 10 as Private-Vlan Primary

Vlan 20 as Private-Vlan Community

Vlan 30 as Private-Vlan Isolated The VLANs should have been configured in the following manner:

R1 should be able to communicate to all other devices.

F 0/0 (.2)

F 0/0 (.1)

192.1.100.0/24

F 0/0 (.4)

R3

R1

R2

192.1.15.0/24 VLAN 10

R4

F0/0 (.3) F 0/0 (.5)

R5

VLAN 20 Community VLAN 30 Isolated

VLAN 10 Primary

Lab 4 Troubleshooting Private VLAN Issues


Page 39 of 40

R2 and R3 should be able to communicate to each other and R1 but should not have access to R4 or R5.

R4 and R5 should only be able to communicate to R1. They should not be able to communicate to each other or R2 or R3.



Page 40 of 40

Scenario: HSRP has been configured between R3 and R4 on VLAN 11. They are using .34 as the Virtual HSRP address. R3 should have been the preferred Router. R1 should have been pointing to the virtual HSRP address as the Default Gateway. Issue: The above requirements are not being met. Make sure the above requirements should be met.

F 0/0 (.3)

192.1.22.0/24 VLAN 20

F 0/0 (.1)

R1

R3

192.1.11.0/24 VLAN 11

F 0/1 (.3)

R2

F0/0(.2)

F 0/0 (.4)

F 0/1 (.4)

R4

Lab 5 Troubleshooting HSRP Issues

ccnp t shoot

Documents

r2 o r2

02r4 l0

02r1 f

troubleshooting ripv1

sure routes

o r1 default route

physical link

ripv2 routing updates