Exam Code: 300-135

Name: Troubleshooting and Maintaining Cisco IP Networks (TSHOOT v2.0)

The content of this material has not been reviewed by the IT-Libraries team and is shared
as is.

Special thanks to tut for sharing this.

For more free exam dumps visit our website www.itlibraries.com


A guide for the TSHOOT Exam
For the TSHOOTv2 exam we will encounter:

+ Multiple Choice Questions
+ 12 Troubleshooting Tickets (check them at the right-side menu)
+ BGP Simlet
+ HSRP Simlet

Below is a summary of 17 Tickets you may see in the exam:

Device  Error Description

ASW1    1. Access port not in VLAN 10 (removed)
        2. Port Channel not allowing VLAN 10
        3. Ports should be in access mode instead of trunking
        4. Port security in fa1/0/1, fa1/0/2 interfaces
DSW1    1. HSRP track 10 (removed)
        2. VLAN filter
        3. DHCP IP Helper-address (APIPA addresses on clients)
R1      1. Wrong IP of BGP neighbor
        2. NAT Outside misconfigured
        3. WAN access-list statement missing
        4. OSPF Authentication
R2      1. IPv6: enable OSPF
R3      1. IPv6: remove "tunnel mode ipv6"
R4      1. EIGRP – wrong AS (removed)
        2. Redistribute Route-map
        3. EIGRP Passive Interface (removed)
        4. missing Redistribution from RIPng to OSPFv3

Notice that in the exam the tickets are given randomly, so the best way to troubleshoot is to
ping all the devices from nearest to farthest from the client until you stop receiving
replies.

In each ticket you will have to answer three types of questions:

+ Which device causes problem
+ Which technology is used
+ How to fix it

One more thing to remember: you can only use "show" commands to find the problems, and
you are not allowed to make any changes to the configuration. In fact, in the exam you cannot
enter global configuration mode!

Multiple Choice Questions
Question 1

Drag drop question about IPSec.

Answer:

+ show crypto isakmp sa detail: Verify the current SA lifetime and the time for next
renegotiation
+ show crypto ipsec sa peer: (verify) traffic flows in only one direction
+ show ip eigrp neighbor: Verify that routing protocol neighbor is established
+ debug crypto isakmp: Verify that the spoke router is sending udp 500 packet

Explanation

An example of the output of "show crypto isakmp sa detail" is shown below:

Router1#show crypto isakmp sa detail
Codes: C – IKE configuration mode, D – Dead Peer Detection
       K – Keepalives, N – NAT-traversal
       T – cTCP encapsulation, X – IKE Extended Authentication
       psk – Preshared key, rsig – RSA signature
       renc – RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local        Remote       I-VRF  Status  Encr  Hash    Auth  DH  Lifetime  Cap.
1001  192.168.3.2  192.168.4.2         ACTIVE  aes   sha256  psk   5   11:54:20
      Engine-id:Conn-id = SW:1

Verify whether the traffic flows in only one direction

The spoke-to-spoke VPN tunnel is up, but it is unable to pass data traffic. The
following sample output is from the "show crypto ipsec sa peer" command:

Spoke1# show crypto ipsec sa peer 172.16.2.11
local ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (172.16.2.11/255.255.255.255/47/0)
#pkts encaps: 110, #pkts encrypt: 110
#pkts decaps: 0, #pkts decrypt: 0,
local crypto endpt.: 172.16.1.1,
remote crypto endpt.: 172.16.2.11
inbound esp sas:
spi: 0x4C36F4AF(1278669999)
outbound esp sas:
spi: 0x6AC801F4(1791492596)
================================================
Spoke2#sh crypto ipsec sa peer 172.16.1.1
local ident (addr/mask/prot/port): (172.16.2.11/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/47/0)
#pkts encaps: 116, #pkts encrypt: 116,
#pkts decaps: 110, #pkts decrypt: 110,
local crypto endpt.: 172.16.2.11,
remote crypto endpt.: 172.16.1.1
inbound esp sas:
spi: 0x6AC801F4(1791492596)
outbound esp sas:
spi: 0x4C36F4AF(1278669999)

There are no decap packets on Spoke1, which means ESP packets are dropped somewhere on the
return path from Spoke2 towards Spoke1.

The Spoke2 router shows both encap and decap, which means that ESP traffic is filtered before
reaching Spoke2. It may happen at the ISP end at Spoke2 or at any firewall in the path between
the Spoke2 router and the Spoke1 router. After allowing ESP (IP Protocol 50), the encaps and
decaps counters increment on both Spoke1 and Spoke2.

Reference: https://www.cisco.com/c/en/us/support/docs/security/dynamic-multipoint-vpn-dmvpn/111976-dmvpn-troubleshoot-00.html#verifyonedirection
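
The counter comparison described above can be automated. The following is an added example, not part of the original material or of any Cisco tool: it parses the two "show crypto ipsec sa peer" outputs shown above (embedded as input), confirms that both describe the same SA pair by matching endpoints and SPIs, and reports each direction in which the sender encapsulates packets but the receiver decapsulates none. The function and field names are assumptions made for this example.

```python
import re

# Input: the two command outputs from the page, re-typed for this example.
SPOKE1 = """\
Spoke1# show crypto ipsec sa peer 172.16.2.11
local ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (172.16.2.11/255.255.255.255/47/0)
#pkts encaps: 110, #pkts encrypt: 110
#pkts decaps: 0, #pkts decrypt: 0,
local crypto endpt.: 172.16.1.1,
remote crypto endpt.: 172.16.2.11
inbound esp sas:
spi: 0x4C36F4AF(1278669999)
outbound esp sas:
spi: 0x6AC801F4(1791492596)
"""
SPOKE2 = """\
Spoke2#sh crypto ipsec sa peer 172.16.1.1
local ident (addr/mask/prot/port): (172.16.2.11/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/47/0)
#pkts encaps: 116, #pkts encrypt: 116,
#pkts decaps: 110, #pkts decrypt: 110,
local crypto endpt.: 172.16.2.11,
remote crypto endpt.: 172.16.1.1
inbound esp sas:
spi: 0x6AC801F4(1791492596)
outbound esp sas:
spi: 0x4C36F4AF(1278669999)
"""

# One regular expression per value the check needs.
FIELDS = {
    "local": r"local crypto endpt\.:\s*([\d.]+)",
    "remote": r"remote crypto endpt\.:\s*([\d.]+)",
    "encaps": r"#pkts encaps:\s*(\d+)",
    "decaps": r"#pkts decaps:\s*(\d+)",
    "in_spi": r"inbound esp sas:\s*spi:\s*(0x[0-9A-Fa-f]+)",
    "out_spi": r"outbound esp sas:\s*spi:\s*(0x[0-9A-Fa-f]+)",
}


def parse_sa(text):
    """Extract endpoints, packet counters and ESP SPIs from one command output."""
    sa = {}
    for name, pattern in FIELDS.items():
        match = re.search(pattern, text)
        if match is None:
            raise ValueError(f"missing field: {name}")
        value = match.group(1)
        sa[name] = int(value) if name in ("encaps", "decaps") else value.lower()
    return sa


def same_sa_pair(a, b):
    """True when the endpoints and SPIs of the two outputs mirror each other."""
    return (a["local"] == b["remote"] and a["remote"] == b["local"]
            and a["out_spi"] == b["in_spi"] and a["in_spi"] == b["out_spi"])


def lost_directions(a, b):
    """Return (sender, receiver) pairs where ESP is sent but never decapsulated."""
    if not same_sa_pair(a, b):
        raise ValueError("the two outputs do not describe the same tunnel")
    lost = []
    for sender, receiver in ((a, b), (b, a)):
        if sender["encaps"] > 0 and receiver["decaps"] == 0:
            lost.append((sender["local"], receiver["local"]))
    return lost


if __name__ == "__main__":
    for src, dst in lost_directions(parse_sa(SPOKE1), parse_sa(SPOKE2)):
        print(f"ESP sent by {src} is not being decapsulated on {dst}")
```
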

Further, check debug crypto isakmp to verify that the spoke router is sending UDP 500 packets:

Router#debug crypto isakmp
04:14:44.450: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
04:14:44.450: ISAKMP:(0): beginning Main Mode exchange
04:14:44.450: ISAKMP:(0): sending packet to 172.17.0.1 my_port 500 peer_port 500 (I) MM_NO_STATE
04:14:44.450: ISAKMP:(0):Sending an IKE IPv4 Packet.
04:14:54.450: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
04:14:54.450: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
04:14:54.450: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
04:14:54.450: ISAKMP:(0): sending packet to 172.17.0.1 my_port 500 peer_port 500 (I) MM_NO_STATE
04:14:54.450: ISAKMP:(0):Sending an IKE IPv4 Packet.
04:15:04.450: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
04:15:04.450: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
04:15:04.450: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
04:15:04.450: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

The debug output above shows the spoke router sending a UDP 500 packet every 10 seconds.

Reference: https://www.cisco.com/c/en/us/support/docs/security/dynamic-multipoint-vpn-dmvpn/111976-dmvpn-troubleshoot-00.html

Question 2

Refer to the exhibit. Which hashing method is being used for the enable secret?


enable secret 8 $fdiFJeJdfkjFkFjfdiKFjIgkdj/j90jdfsjifdsjFjfdPK
!
username admin privilege 15 password 7 0348378437387483E8787F

A. sha1
B. sha256
C. scrypt
D. md5

Answer: B

Explanation

To determine which scheme has been used to encrypt a specific password, check the digit
preceding the encrypted string in the configuration file. If that digit is a 7, the password has
been encrypted using the weak algorithm. If the digit is a 5, the password has been hashed using
the stronger MD5 algorithm.

Note:
+ Type 5: MD5
+ Type 8: sha256
+ Type 9: scrypt

Question 3

Refer to the exhibit. PCB could not ping PCA. The admin has logged into each switch, starting
from SW1 and ending with SW2 and has examined the links between each. Which
troubleshooting method has been used?

A. top down
B. follow the path
C. bottom up
D. divide and conquer

Answer: B

Question 4

Drag drop question about GRE characteristics (Overlay and Underlay Network).

Answer:

Overlay network:
+ deencapsulates the tunnel header before routing
+ Virtual tunnel network

Underlay network:
+ Physical network
+ MTU must be increased to avoid fragmentation

Unused option: Must use IPv6 as the Layer 3 protocol

Note: The core routers are known as the underlay network. This is responsible for taking GRE
packets and transporting them from one side of the network to the other. The tunnel itself is the
overlay network. Packets passing through the overlay network are unaware of the routers in the
underlay.

Question 5

Drag the GRE tunnel state from the left onto the correct description on the right.

Answer:

Match the various tunnel states to the corresponding description.

+ Up/up: tunnel is up and functional
+ Up/down: tunnel is up but not passing traffic
+ Administratively Down/down: the shutdown command has been issued on the tunnel interface
+ Reset/up: transient state where the next hop server is its own ip address

Explanation

Four Different Tunnel States


There are four possible states in which a GRE tunnel interface can be:
+ Up/up – This implies that the tunnel is fully functional and passes traffic. It is both
administratively up and its protocol is up as well.
+ Administratively down/down – This implies that the interface has been administratively shut
down.
+ Up/down – This implies that, even though the tunnel is administratively up, something causes
the line protocol on the interface to be down.
+ Reset/down – This is usually a transient state when the tunnel is reset by software. This
usually happens when the tunnel is misconfigured with a Next Hop Server (NHS) that is its
own IP address.

Reference: https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/118361-technote-gre-00.html

Question 6a

Refer to the exhibit.

aaa authentication login default group tacacs+ local-case line
aaa authentication login LOCAL-VTY line
….
username cisco password cisco123
!
line vty 0 4
password CiscoCisco
login authentication LOCAL-VTY
transport input all

A user tries to connect to line vty 0 with username Cisco and password "Cisco123" while the
TACACS server is unreachable. What happens?

A. The user will be authenticated after the TACACS server fallback timer expires
B. The user will not be authenticated because the username is incorrect

C. The user will not be authenticated because the TACACS server is unreachable
D. The user will not be authenticated because the password is incorrect

Answer: D

Explanation

With this config, when the user tries to connect to line vty 0, the line password (which is
"CiscoCisco") must be used to authenticate. The TACACS server would never be used unless
we remove the "login authentication LOCAL-VTY" statement (as the first aaa command "aaa
authentication login default group tacacs+ local-case line" would then be used for all VTY,
console and AUX lines because of the "default" group).

Question 6b

Refer to the exhibit.

username cisco password 123456


aaa authentication login default local-case

The client tries to connect with this command: ssh -l Cisco 123456. Why can he not reach the
destination?

A. bad password
B. bad username
C. ?
D. ?

Answer: B

Explanation

The keyword "local-case" is used in the authentication, so the username is case-sensitive and
has to be written exactly.

Question 7

Refer to the exhibit. Why can't a user SCP to a server at 172.16.1.200 on Monday at 11:00
pm?

access-list 101 permit 89 any any
access-list 101 permit tcp any any eq 179
access-list 101 permit tcp any eq 179 any
access-list 101 permit gre any any
access-list 101 permit esp any any
access-list 101 deny ospf any any
access-list 101 permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 eq ssh time-range TIME
access-list 101 permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 eq telnet
access-list 101 permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 eq 500
access-list 101 permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 eq 4500
access-list 101 deny tcp any any eq 21
access-list 101 deny tcp any any eq 23
access-list 101 deny ip any any log
!
time-range TIME
periodic Monday Wednesday Friday 6:00 to 18:00
!
interface Ethernet0/0
ip address 10.1.1.25 255.255.255.0
ip access-group 101 in

A. the ACL "time-range" blocks the traffic
B. SCP is denied by ACL deny tcp any any eq 21
C. The ACL deny ip any any blocks the traffic
D. SCP is denied by ACL deny tcp any any eq 23

Answer: C

Explanation

The user cannot access the server on Monday at 11pm for two reasons:
+ First, the traffic does not match the time-range TIME (access is only allowed from 6am to 6pm)
referenced by the ACL statement "access-list 101 permit tcp 10.1.1.0 0.0.0.255 172.16.1.0
0.0.0.255 eq ssh time-range TIME", so it continues to be checked against the rest of the ACL to
see if there is any matching entry for it.
+ Second, the last ACL statement drops this traffic because none of the ACL statements above it
matched.

So in this question the last line of the ACL is the place where the SCP traffic is dropped.

Note: SCP runs over TCP port 22 by default and connects via an encrypted Secure Shell (SSH)
connection.
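
The first-match behaviour described above can be reproduced with a small evaluator. This is an added example, not part of the original material and not Cisco code: it parses the ACL 101 lines from the exhibit, skips an entry whose time-range is inactive, and returns the first entry that matches. The client address 10.1.1.50 and source port 40000 are assumptions, since the question only gives the server address.

```python
import ipaddress

PROTO = {"ip": None, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ospf": 89}
PORT = {"ftp": 21, "ssh": 22, "telnet": 23}

# ACL 101 from the exhibit, embedded as input.
ACL_101 = """\
access-list 101 permit 89 any any
access-list 101 permit tcp any any eq 179
access-list 101 permit tcp any eq 179 any
access-list 101 permit gre any any
access-list 101 permit esp any any
access-list 101 deny ospf any any
access-list 101 permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 eq ssh time-range TIME
access-list 101 permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 eq telnet
access-list 101 permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 eq 500
access-list 101 permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 eq 4500
access-list 101 deny tcp any any eq 21
access-list 101 deny tcp any any eq 23
access-list 101 deny ip any any log
"""
# time-range TIME from the exhibit: (days, start minute, end minute).
TIME_RANGES = {"TIME": ({"Monday", "Wednesday", "Friday"}, 6 * 60, 18 * 60)}


def _addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (address, wildcard) as ints."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tokens.pop(0)))


def _port(tokens):
    """Consume an optional 'eq PORT'; return the port number, or None if absent."""
    if tokens[:1] != ["eq"]:
        return None
    name = tokens[1]
    del tokens[:2]
    return PORT[name] if name in PORT else int(name)


def parse_acl(text):
    """Parse numbered extended ACL lines into dicts, in configuration order."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()[2:]  # drop "access-list 101"
        action, proto = tokens.pop(0), tokens.pop(0)
        ace = {"text": line.strip(), "action": action,
               "proto": PROTO[proto] if proto in PROTO else int(proto)}
        ace["src"], ace["sport"] = _addr(tokens), _port(tokens)
        ace["dst"], ace["dport"] = _addr(tokens), _port(tokens)
        ace["time_range"] = (tokens[tokens.index("time-range") + 1]
                             if "time-range" in tokens else None)
        aces.append(ace)
    return aces


def _in(ip, spec):
    """Wildcard-mask match: bits set in the wildcard are ignored."""
    addr, wildcard = spec
    return ((int(ipaddress.IPv4Address(ip)) ^ addr) & ~wildcard & 0xFFFFFFFF) == 0


def _active(name, day, hhmm):
    """An entry without a time-range is always active."""
    if name is None:
        return True
    days, start, end = TIME_RANGES[name]
    hours, minutes = map(int, hhmm.split(":"))
    return day in days and start <= hours * 60 + minutes <= end


def evaluate(aces, pkt, day, hhmm):
    """Return (action, matching line) for the first active entry that matches pkt."""
    for ace in aces:
        if ace["proto"] is not None and ace["proto"] != pkt["proto"]:
            continue
        if not (_in(pkt["src"], ace["src"]) and _in(pkt["dst"], ace["dst"])):
            continue
        if ace["sport"] not in (None, pkt["sport"]) or ace["dport"] not in (None, pkt["dport"]):
            continue
        if not _active(ace["time_range"], day, hhmm):
            continue  # inactive time-range: entry is skipped, evaluation continues
        return ace["action"], ace["text"]
    return "deny", "implicit deny"


# Assumed client address and source port; the page gives only the server address.
SCP = {"proto": 6, "src": "10.1.1.50", "dst": "172.16.1.200", "sport": 40000, "dport": 22}

if __name__ == "__main__":
    aces = parse_acl(ACL_101)
    for day, hhmm in (("Monday", "11:00"), ("Monday", "23:00")):
        print(day, hhmm, evaluate(aces, SCP, day, hhmm))
```
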

Question 8

Drag and drop Windows and Cisco commands on the left to the corresponding description on
the right.

Answer:

+ C:> tracert [IP address]: uses path verification from the endpoint to the destination that is
unreachable
+ C:> ping [IP address]: identifies gateway reachability from an endpoint that is experiencing
the issue
+ Router# traceroute [IP address]: uses path verification from the network device where the
endpoint is connected
+ Router# ping [IP address]: identifies host reachability status from the closest network device
where the problem exists

Question 9

Which troubleshooting method is used for a DHCP problem?

A. top down
B. follow the path
C. bottom up
D. divide and conquer

Answer: C

Explanation

Let's assume that you are researching a problem of a user that cannot browse a particular
website and while you are verifying the problem, you find that the user's workstation is not
even able to obtain an IP address through the DHCP process. In this situation it is reasonable to
suspect lower layers of the OSI model and take a bottom-up troubleshooting approach.

Reference: http://www.ciscopress.com/articles/article.asp?p=2273070&seqNum=2

Question 10

Which troubleshooting method is used for spanning-tree?

A. top down
B. follow the path
C. bottom up
D. divide and conquer

Answer: B

Question 11

Refer to the exhibit.

C:> Tracert 8.8.8.8

Tracing route to 8.8.8.8 over a maximum of 30 hops


1 1ms 1ms 1ms 192.168.100.1
2 3ms 2ms 3ms 172.16.10.200
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.

What is the next step to troubleshoot the issue?

A. Verify HQ Router and Firewall are in the same VLAN
B. traceroute to the WAN IP address of HQ
C. Ping the LAN IP address of the HQ router
D. Check MTU between BR and HQ

Answer: A

Explanation

The trace route stops at the inbound interface of the HQ router so the problem must be
somewhere between HQ and the Firewall so answer A is the best choice here.

Question 12

Refer to the exhibit.

R1
int Gigabitethernet 0/2
ip address 10.10.20.2 255.255.255.0
!
int Gigabitethernet 0/3
ip address 10.10.30.2 255.255.255.0

R1#show management-interface interface
Management interface GigabitEthernet0/2
Protocol Packets processed
http 0
https 10
Management interface GigabitEthernet0/3
Protocol Packets processed
http 0
ssh 10
snmp 110

R2#ssh -l admin 10.10.20.2
%Destination unreachable, gateway or host down

A company is implementing Management Plane Protection (MPP) on its network. Which of the
following commands allows R2 to successfully connect to R1 via SSH?

A. ssh -p 22 -l admin 10.10.30.2
B. ssh -v 2 -l admin 10.10.30.2
C. ssh -p 22 -l admin 10.10.20.2
D. ssh -v 2 -l admin 10.10.20.2

Answer: B

Explanation

SSH has the following options:

R1#ssh ?
-c Select encryption algorithm
-l Log in using this user name
-m Select HMAC algorithm
-o Specify options
-p Connect to this port
-v Specify SSH Protocol Version
-vrf Specify vrf name
WORD IP address or hostname of a remote system

In this question it seems R1 does not allow SSH to interface Gi0/2 of R1 (no traffic for SSH) so
we have to SSH to interface Gi0/3 instead.

Question 13

Refer to the exhibit. The traceroute fails from R1 to R3. What is the cause of the failure?

R1#traceroute 3.3.3.3

1 10.10.10.2 18msec

2 10.10.10.5 !A

!A

A. Redistribution of connected routes into OSPF is not configured
B. An ACL applied inbound on fa0/1 of R3 is dropping the traffic
C. An ACL applied inbound on loopback0 of R2 is dropping the traffic
D. The loopback on R3 is in a shutdown state

Answer: B

Explanation

The !A is the response that indicates that you received a response of Administratively
Prohibited. This is the result when the traceroute is denied by an access list.

Note: The OSPF process ID is just locally significant but R2 is using two different OSPF
process IDs (#1 and #2) so they should be redistributed into each other like this:

router ospf 1
redistribute ospf 2 subnets
router ospf 2
redistribute ospf 1 subnets

But it is not the problem here.

============================ Tickets ===========================

Note: There are two cases for ticket 11 so please check them carefully

Ticket 1 – OSPF Authentication


1. Client is unable to ping R1's serial interface from the client.

The problem is that authentication is disabled on R1; check where authentication is not given
under router ospf of R1. (use ipv4 Layer 3)

Configuration of R1:

interface Serial0/0/0
description Link to R2
ip address 10.1.1.1 255.255.255.252
ip nat inside
encapsulation frame-relay
ip ospf message-digest-key 1 md5 TSHOOT
ip ospf network point-to-point
!

router ospf 1
router-id 1.1.1.1
log-adjacency-changes
network 10.1.2.0 0.0.0.255 area 12
network 10.1.10.0 0.0.0.255 area 12
default-information originate always
!

Configuration of R2:
interface Serial0/0/0.12 point-to-point
ip address 10.1.1.2 255.255.255.252
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 TSHOOT
!

Answer: R1 needs the command "ip ospf authentication message-digest"

Ans1) R1
Ans2) IPv4 OSPF Routing
Ans3) Enable OSPF authentication on the s0/0/0 interface using the "ip ospf authentication
message-digest" command.

Ticket 2 – HSRP Track (removed)


HSRP was configured on DSW1 & DSW2. DSW1 is configured to be active but it does not
become active.

Configuration of DSW1:

track 1 ip route 10.2.21.128 255.255.255.224 metric threshold
threshold metric up 1 down 2
!
track 10 ip route 10.1.21.128 255.255.255.224 metric threshold
threshold metric up 63 down 64
!

interface Vlan10
ip address 10.2.1.1 255.255.255.0
standby 10 ip 10.2.1.254
standby 10 priority 200
standby 10 preempt
standby 10 track 1 decrement 60

Answer: (use IPv4 Layer 3 Topology)

On DSW1 interface vlan 10 mode, type these commands:

no standby 10 track 1 decrement 60
standby 10 track 10 decrement 60
(the IP in the track command is not exact for the real exam)

Note: 10.1.21.129 is the IP address of a loopback interface on R4. This IP belongs to subnet
10.1.21.128/27.

Ans1) DSW1
Ans2) HSRP
Ans3) delete the command with track 1 and enter the command with track 10 (standby 10 track
10 decrement 60).

Note: For more information about IP route tracking and why the command "threshold metric up
63 down 64"

Ticket 3 – BGP Neighbor


Problem: Client 1 is able to ping 209.65.200.226 but can't ping the Web Server 209.65.200.241.

Configuration of R1:
router bgp 65001
no synchronization
bgp log-neighbor-changes
network 209.65.200.224 mask 255.255.255.252
neighbor 209.56.200.226 remote-as 65002
no auto-summary

Check the BGP neighborship (show ip bgp sum).

The neighbor's address in the neighbor command is wrong under router BGP. (use ipv4 Layer
3)

Answer: in router configuration mode on R1, change the neighbor to 209.65.200.226

Ans1) R1
Ans2) BGP
Ans3) delete the wrong neighbor statement and enter the correct neighbor address in the
neighbor command (change "neighbor 209.56.200.226 remote-as 65002" to "neighbor
209.65.200.226 remote-as 65002")

Ticket 4 – NAT ACL


Configuration of R1
ip nat inside source list nat_traffic interface s0/0/1 overload

ip access-list standard nat_traffic
permit 10.1.0.0
!
interface Serial0/0/0
description Link to R2
ip address 10.1.1.1 255.255.255.252
ip nat inside
ip ospf message-digest-key 1 md5 TSHOOT
ip ospf authentication message-digest
!
interface Serial0/0/1
description Link to ISP
ip address 209.65.200.225 255.255.255.252
ip nat outside
!

Ans1) R1
Ans2) IP NAT
Ans3) Under the ip access-list standard nat_traffic configuration enter the 'permit 10.2.0.0
0.0.255.255' command.

Ticket 5 – R1 ACL
Configuration on R1
interface Serial0/0/1
description Link to ISP
ip address 209.65.200.224 255.255.255.252
ip nat outside
ip access-group edge_security in
!
ip access-list extended edge_security
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
permit ip host 209.65.200.241 any
!

Answer:

Ans1) R1
Ans2) IPv4 layer 3 security
Ans3) Under the 'ip access-list extended edge_security' configuration add the 'permit ip
209.65.200.224 0.0.0.3 any' command.

Note:

+ This is the only ticket in which the extended access-list edge_security exists. In other
tickets, access-list 30 is applied to the inbound direction of S0/0/1 of R1.

+ Although host 209.65.200.241 is permitted to go through the access-list (permit ip host
209.65.200.241 any), clients cannot ping the web server because R1 cannot establish a BGP
session with neighbor 209.65.200.226.

Ticket 6 – VLAN filter
Client 1 is not able to ping the server and is unable to ping DSW1 or the FTP Server (use the L2
Diagram).

A VLAN access-map is applied on DSW1, blocking the IP address of the client, 10.2.1.3.

Configuration on DSW1
vlan access-map test1 10
action drop
match ip address 10
vlan access-map test1 20
action drop
match ip address 20
vlan access-map test1 30
action forward
match ip address 30
vlan access-map test1 40
action forward
!
vlan filter test1 vlan-list 10
!
access-list 10 permit 10.2.1.3
access-list 20 permit 10.2.1.4
access-list 30 permit 10.2.1.0 0.0.0.255
!
interface VLAN10
ip address 10.2.1.1 255.255.255.0

Ans1) DSW1
Ans2) VLAN ACL/Port ACL
Ans3) Under the global configuration mode enter the 'no vlan filter test1 vlan-list 10' command.

Note: After choosing DSW1 for Ans1, next page (for Ans2) you have to scroll down to find the
VLAN ACL/Port ACL option. The scroll bar only appears in this ticket and is very difficult to
be seen. Also make sure you choose DSW1 (not ASW1) for the first question as there is also
"VLAN ACL/Port ACL" option for answer 2 if you choose ASW1 but it is wrong.

Ticket 7 – Port Security


Client 1 is unable to ping Client 2 as well as DSW1. The command 'sh interfaces fa1/0/1' will
show the following message in the first line:
'FastEthernet1/0/1 is down, line protocol is down (err-disabled)'

On ASW1, port security is configured with MAC address 0000.0000.0001 and the interface is in
the err-disabled state.

Configuration of ASW1
interface fa1/0/1
switchport access vlan 10
switchport mode access
switchport port-security
switchport port-security mac-address 0000.0000.0001

Answer: on ASW1, delete port-security and do shutdown, no shutdown on the interfaces

Ans1) ASW1
Ans2) Port security
Ans3) In Configuration mode, using the interface range Fa1/0/1 – 2, then no switchport
port-security, followed by shutdown, no shutdown interface configuration commands.

Ticket 8 – Switchport VLAN 10 (removed)


Configuration of ASW1
interface FastEthernet1/0/1
switchport mode access
!
interface FastEthernet1/0/2
switchport mode access
!

Answer:

Ans1) ASW1
Ans2) Access Vlans
Ans3) In Configuration mode, using the 'interface range Fastethernet 1/0/1 – 2', then
'switchport access vlan 10' command.

Ticket 9 – Switchport trunk


Configuration of ASW1
interface PortChannel13
switchport mode trunk
switchport trunk allowed vlan 20,200
!
interface PortChannel23
switchport mode trunk
switchport trunk allowed vlan 20,200
!
interface FastEthernet1/0/1
switchport mode access
switchport access vlan 10
shutdown
!
interface FastEthernet1/0/2
switchport mode access
switchport access vlan 10

Ans1) ASW1
Ans2) Switch to switch connectivity
Ans3) Under interface Port-Channel 13, 23, add vlan 10,200 and then no shutdown interface
fa1/0/1

Ticket 10 – EIGRP AS (removed)


Client 1 is not able to ping the Webserver.
DSW1 can ping fa0/1 of R4 but can't ping s0/0/0.34.

Check ip eigrp neighbors from DSW1: you will not see R4 as a neighbor. (use ipv4 Layer 3)
With 'show ip route' on DSW1 you will not see any 10.x.x.x network route.

On DSW1 & DSW2 the EIGRP AS number is 10 (router eigrp 10) but on R4 it is 1 (router eigrp
1)

Answer: change router AS on R4 from 1 to 10

Ans1) R4
Ans2) EIGRP
Ans3) Change EIGRP AS number from 1 to 10

Ticket 11a – Redistribution Route-map


On R4:
router eigrp 10
redistribute ospf 1 route-map OSPF->EIGRP
network 10.1.4.0 0.0.0.255
network 10.1.10.0 0.0.0.255
network 10.1.21.128 0.0.0.3
default-metric 100000 100 100 1 1500
no auto-summary
!
route-map OSPF->EIGRP deny 10
match tag 90
route-map OSPF->EIGRP deny 20
set tag 110

Ans1) R4
Ans2) IPv4 Route Redistribution
Ans3) Change the "route-map OSPF->EIGRP deny 20" to "route-map OSPF->EIGRP permit
20"

Explanation for this ticket:

In this topology, we are doing mutual redistribution at multiple points (between OSPF and
EIGRP on R4, DSW1 & DSW2), which is a very common cause of network problems,
especially routing loops, so you should use a route-map to prevent redistributed routes from
being redistributed again into the original domain.

In this ticket, a route-map is also used for this purpose. For example, the route-map
"EIGRP->OSPF" is used to prevent any routes that have been redistributed into OSPF from being
redistributed again into the EIGRP domain by tagging these routes with tag 90. These routes are
prevented from being redistributed again by route-map OSPF->EIGRP, which denies any routes
with tag 90 set.
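
The effect of the "deny 20" clause can be checked by walking the route-map the way a redistribution process does: clauses are tried in sequence order, a clause without a match statement matches every route, and the first matching clause decides. The following is an added example, not part of the original material: the parser handles only the "match tag" and "set tag" statements used in this ticket, and the two sample OSPF routes with their tags are constructed for illustration.

```python
# Route-map from Ticket 11a as found on R4, and the same map after applying Ans3.
TICKET_11A = """\
route-map OSPF->EIGRP deny 10
 match tag 90
route-map OSPF->EIGRP deny 20
 set tag 110
"""
FIXED = TICKET_11A.replace("deny 20", "permit 20")

# Constructed sample routes as (prefix, tag): one native OSPF route (tag 0) and one
# route that was tagged 90 when it was redistributed from EIGRP into OSPF.
OSPF_ROUTES = [("10.1.1.0/30", 0), ("10.2.1.0/24", 90)]


def parse_route_maps(config):
    """Return {name: [clause, ...]} with clauses sorted by sequence number."""
    maps, clause = {}, None
    for line in config.splitlines():
        words = line.split()
        if not words or words[0] == "!":
            continue
        if words[0] == "route-map":
            clause = {"action": words[2], "seq": int(words[3]),
                      "match_tag": None, "set_tag": None}
            maps.setdefault(words[1], []).append(clause)
        elif clause is not None and words[:2] == ["match", "tag"]:
            clause["match_tag"] = int(words[2])
        elif clause is not None and words[:2] == ["set", "tag"]:
            clause["set_tag"] = int(words[2])
    for clauses in maps.values():
        clauses.sort(key=lambda c: c["seq"])
    return maps


def redistribute(clauses, routes):
    """Apply a route-map to (prefix, tag) routes; return the routes let through."""
    passed = []
    for prefix, tag in routes:
        for clause in clauses:
            if clause["match_tag"] not in (None, tag):
                continue                      # match statement present, not satisfied
            if clause["action"] == "permit":  # set actions apply only in permit clauses
                new_tag = clause["set_tag"] if clause["set_tag"] is not None else tag
                passed.append((prefix, new_tag))
            break                             # first matching clause decides
        # leaving the loop without a match is the implicit deny
    return passed


if __name__ == "__main__":
    for label, config in (("as found", TICKET_11A), ("after fix", FIXED)):
        clauses = parse_route_maps(config)["OSPF->EIGRP"]
        print(label, redistribute(clauses, OSPF_ROUTES))
```
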

Ticket 11b – Redistribution Route-map


On R4:
router eigrp 10
redistribute ospf 1 route-map OSPF->EIGRP
network 10.1.4.0 0.0.0.255
network 10.1.10.0 0.0.0.255
network 10.1.21.128 0.0.0.3
default-metric 100000 100 100 1 1500
no auto-summary
!

route-map OSPF_to_EIGRP deny 10
match tag 90
route-map OSPF_to_EIGRP permit 20
set tag 110

Ans1) R4
Ans2) IPv4 Route Redistribution
Ans3) Under the EIGRP process, delete the 'redistribute ospf 1 route-map OSPF->EIGRP'
command and enter 'redistribute ospf 1 route-map OSPF_to_EIGRP' command.

Ticket 12 – IPv6 OSPF


DSW1 & R4 can't ping R2's loopback interface or s0/0/0.12 IPv6 address.
R2 is not an OSPFv3 neighbor on R3.
Situation: ipv6 ospf was not enabled on R2's serial interface connecting to R3. (use ipv6 Layer
3)

Configuration of R2
ipv6 router ospf 6
!
interface s0/0/0.23
ipv6 address 2026::1:1/122

Configuration of R3
ipv6 router ospf 6
router-id 3.3.3.3
!
interface s0/0/0.23
ipv6 address 2026::1:2/122
ipv6 ospf 6 area 0

Answer:

In interface configuration mode of s0/0/0.23 on R2:


ipv6 ospf 6 area 12

Ans1) R2
Ans2) IPv6 OSPF Routing
Ans3) on the serial interface of R2, enter the command ipv6 ospf 6 area 0 (notice that it is "area
0", not "area 12")

Ticket 13 – DHCP Helper-address


Configuration on DSW1:

!
interface Vlan 10
ip address 10.2.1.1 255.255.255.0
ip helper-address 10.2.21.129
!

Note: In this ticket you will find port-security configured on ASW1 but it is not the problem.

Ans1) DSW1
Ans2) IP DHCP Server (or DHCP)
Ans3) on DSW1 delete "ip helper-address 10.2.21.129" and apply "ip helper-address
10.1.21.129" command

Ticket 14 – EIGRP Passive Interface


The neighborship between R4 and DSW1 wasn't established. Client 1 can't ping R4.
Configuration on R4:
router eigrp 10
passive-interface default
redistribute ospf 1 route-map OSPF->EIGRP
network 10.1.4.4 0.0.0.3
network 10.1.4.8 0.0.0.3
network 10.1.21.128 0.0.0.3
default-metric 10000 100 255 1 10000
no auto-summary

Answer 1) R4
Answer 2) IPv4 EIGRP Routing
Answer 3) enter no passive interface for interfaces connected to DSW1 under EIGRP process
(or in Interface f0/1 and f0/0, something like this)

Note: There is a loopback interface on this device which has an IP address of 10.1.21.129 so we
have to include the "network 10.1.21.128 0.0.0.3" command.

* Just for your information, in fact Clients 1 & 2 in this ticket CANNOT receive IP addresses
from DHCP Server because DSW1 cannot reach 10.1.21.129 (a loopback interface on R4)
because of the "passive-interface default" command. But in the exam you will see that Clients 1
& 2 can still get their IP addresses! It is a bug in the exam.

Ticket 15 – IPv6 GRE Tunnel


Problem: Loopback address on R1 (2026::111:1) is not able to ping the loopback address on
DSW2 (2026::102:1).

Configuration of R3:
!
interface Tunnel34
no ip address
ipv6 address 2026::34:1/122
ipv6 enable
ipv6 ospf 6 area 34
tunnel source Serial0/0/0.34
tunnel destination 10.1.1.10
tunnel mode ipv6
!

Configuration of R4:
interface Tunnel34
no ip address
ipv6 address 2026::34:2/122
ipv6 enable
ipv6 ospf 6 area 34
tunnel source Serial0/0/0
tunnel destination 10.1.1.9
!

Answer:
Ans1) R3
Ans2) Ipv4 and Ipv6 Interoperability
Ans3) Under the interface Tunnel34, remove 'tunnel mode ipv6' command

Ticket 16 – IPv6 RIPng OSPFv3 Redistribution

Problem: Loopback address on R1 (2026::111:1) is not able to ping the loopback address on
DSW2 (2026::102:1).

Configuration of R4:
ipv6 router ospf 6
log-adjacency-changes
!
ipv6 router rip RIP_ZONE
redistribute ospf 6 metric 2 include-connected
!

Answer:
Ans1) R4
Ans2) Ipv6 OSPF Routing
Ans3) Under ipv6 ospf process add the 'redistribute rip RIP_Zone include-connected' command

Ticket 17 – Switchport Encapsulation


On ASW1:

interface fa1/0/1
switchport access vlan 10
switchport mode trunk
switchport trunk encapsulation dot1q
interface fa1/0/2
switchport access vlan 10
switchport mode trunk
switchport trunk encapsulation dot1q

Answer:

Ans1) ASW1
Ans2) Access VLANs
Ans3) In configuration mode, use 'interface range fa1/0/1-2' then 'switchport mode access',
then 'no switchport trunk encapsulation dot1q'
