Professional Documents
Culture Documents
Labs PDF
Labs PDF
Instead of posting the output of “show run” commands we post here the commands entered on each router to reduce some useless
lines. Also you can try solving questions by yourself before reading the answers.
R1 R2 R3
interface Loopback0 ! username R6 password CISCO36
description ***Loopback*** interface Loopback0 !
ip address 192.168.1.1 description **Loopback** interface Loopback0
255.255.255.255 ip address 192.168.2.2 description **Loopback**
ip ospf 1 area 0 255.255.255.255 ip address 192.168.3.3
! ip ospf 2 area 0 255.255.255.255
interface Ethernet0/0 ! ip ospf 3 area 0
description **Connected to R1- interface Ethernet0/0 !
LAN** description **Connected to R2- interface Ethernet0/0
ip address 10.10.110.1 LAN** description **Connected to L2SW**
255.255.255.0 ip address 10.10.120.1 ip address 10.10.230.3
ip ospf 1 area 0 255.255.255.0 255.255.255.0
! ip ospf 2 area 0 ip ospf 3 area 0
interface Ethernet0/1 ! !
description **Connected to L2SW** interface Ethernet0/1 interface Serial1/0
ip address 10.10.230.1 description **Connected to L2SW** description **Connected to R4-
255.255.255.0 ip address 10.10.230.2 Branch1 office**
ip ospf hello-interval 25 255.255.255.0 ip address 10.10.240.1
ip ospf 1 area 0 ip ospf 2 area 0 255.255.255.252
! ! encapsulation ppp
router ospf 1 router ospf 2 ip ospf 3 area 0
log-adjacency-changes log-adjacency-changes !
interface Serial1/1
description **Connected to R5-
Branch2 office**
ip address 10.10.240.5
255.255.255.252
encapsulation ppp
ip ospf hello-interval 50
ip ospf 3 area 0
!
interface Serial1/2
description **Connected to R6-
Branch3 office**
ip address 10.10.240.9
255.255.255.252
encapsulation ppp
ip ospf 3 area 0
ppp authentication chap
!
router ospf 3
router-id 192.168.3.3
!
R4 R5 R6
! ! username R3 password CISCO36
interface Loopback0 interface Loopback0 !
description **Loopback** description **Loopback** interface Loopback0
ip address 192.168.4.4 ip address 192.168.5.5 description **Loopback**
255.255.255.255 255.255.255.255 ip address 192.168.6.6
ip ospf 4 area 2 ip ospf 5 area 0 255.255.255.255
! ! ip ospf 6 area 0
interface Ethernet0/0 interface Ethernet0/0 !
ip address 172.16.113.1 ip address 172.16.114.1 interface Ethernet0/0
255.255.255.0 255.255.255.0 ip address 172.16.115.1
ip ospf 4 area 2 ip ospf 5 area 0 255.255.255.0
! ! ip ospf 6 area 0
interface Serial1/0 interface Serial1/0 !
description **Connected to R3-Main description **Connected to R3-Main interface Serial1/0
Branch office** Branch office** description **Connected to R3-Main
ip address 10.10.240.2 ip address 10.10.240.6 Branch office**
255.255.255.252 255.255.255.252 ip address 10.10.240.10
encapsulation ppp encapsulation ppp 255.255.255.252
ip ospf 4 area 2 ip ospf 5 area 0 encapsulation ppp
! ! ip ospf 6 area 0
router ospf 4 router ospf 5 ppp authentication chap
log-adjacency-changes log-adjacency-changes !
router ospf 6
router-id 192.168.3.3
!
Question 1:
Explanation
We learned it is a OSPF problem so we should check the interfaces between them first. On both R3 and R4 use “show running-
config” command to check their S1/0 interfaces
R3#show running-config
<<output omitted>>
!
interface Serial1/0
description **Connected to R4-Branch1 office**
ip address 10.10.240.1 255.255.255.252
encapsulation ppp
ip ospf 3 area 0
!
<<output omitted>>
R4#show running-config
<<output omitted>>
!
interface Serial1/0
description **Connected to R3-Main Branch office**
ip address 10.10.240.2 255.255.255.252
encapsulation ppp
ip ospf 4 area 2
!
<<output omitted>>
In the output above we see their Area IDs are mismatched; interface S1/0 of R3 is in area 0 (R3: ip ospf 3 area 0) while interface
s1/0 of R4 is in area 2 (R4: ip ospf 4 area 2).
Question 2 :
Explanation
Continue checking their connected interfaces with the “show running-config” command:
R3#show running-config
<<output omitted>>
!
interface Serial1/1
description **Connected to R5-Branch2 office**
ip address 10.10.240.5 255.255.255.252
encapsulation ppp
ip ospf hello-interval 50
ip ospf 3 area 0
!
<<output omitted>>
R5#show running-config
<<output omitted>>
!
interface Serial1/0
description **Connected to R3-Main Branch office**
ip address 10.10.240.6 255.255.255.252
encapsulation ppp
ip ospf 5 area 0
!
<<output omitted>>
The only difference we can see here is the line “ip ospf hello-interval 50” on R3. This command sets the number of seconds R3 waits
before sending the next hello packet out this interface. In this case after configuring this command, R3 will send hello pack ets to R5
every 50 seconds. But the default value of hello-interval is 10 seconds and R5 is using it. Therefore we can think of a hello interval
mismatch problem here. You can verify with the “show ip ospf interface <interface>” command on each router.
So we can see both hello and dead interval are mismatched because the dead interval always four times the value of hello inte rval,
unless you manually configure the dead interval (with the ip ospf dead-interval <seconds>command).
Question 3 :
Explanation
Continue checking their connected interfaces with the “show running-config” command:
R1#show running-config
<<output omitted>>
!
interface Ethernet0/1
description **Connected to L2SW**
ip address 10.10.230.1 255.255.255.0
ip ospf hello-interval 25
ip ospf 1 area 0
!
<<output omitted>>
R2#show running-config
<<output omitted>>
!
interface Ethernet0/1
description **Connected to L2SW**
ip address 10.10.230.2 255.255.255.0
ip ospf 2 area 0
!
<<output omitted>>
We see the hello interval on R1 is not the same as R2 (and you can verify with the “show ip ospf interface <interface> comman d”) ->
There is a hello and dead interval mismatch problem. We should configure “no ip ospf hello-interval 25” on R1.
Note: Maybe there are some versions of this question in the exam. For example there are some reports saying that Ethernet0/1 on
R1 is shutdown (and this is the correct choice in the exam). So please be careful checking the config on the routers before choosing
the correct answers.
Question 4 :
Explanation
R3#show running-config
<<output omitted>>
username R6 password CISCO36
!
interface Serial1/2
description **Connected to R6-Branch3 office**
ip address 10.10.240.9 255.255.255.252
encapsulation ppp
ip ospf 3 area 0
ppp authentication chap
!
<<output omitted>>
!
router ospf 3
router-id 192.168.3.3
!
<<output omitted>>
R6#show running-config
<<output omitted>>
username R3 password CISCO36
!
interface Serial1/0
description **Connected to R3-Main Branch office**
ip address 10.10.240.10 255.255.255.252
encapsulation ppp
ip ospf 6 area 0
ppp authentication chap
!
<<output omitted>>
!
router ospf 6
router-id 192.168.3.3
!
<<output omitted>>
We are not sure about the configuration of ppp authentication in this case. Some reports said that only one router has the “p pp
authentication chap” command but it is just a trick and is not the problem here. The real problem here is R6 uses the same router-id
of R3 (192.168.3.3) so OSPF neighborship cannot be established. In real life, such configuration error will be shown in the c ommand
line interface (CLI). So please check carefully for this question.
Router>enable
Router#show running-config
Question 1 :
How can we fix the problem but only allow ping to work while disabling telnet?
Answer: E
Explanation
The question does not ask about ftp traffic so we don’t care about the two first lines. The 3rd line denies all telnet traffi c and the 4th
line allows icmp traffic to be sent (ping). Remember that the access list 104 is applied on the inbound direction so the 5th line
“access-list 104 deny icmp any any echo-reply” will not affect our icmp traffic because the “echo-reply” message will be sent over the
outbound direction.
Question 2 :
What will happen after issuing the command “ip access-group 114 in” to the fa0/0 interface?
Answer: B
Explanation
From the output of access-list 114: access-list 114 permit ip 10.4.4.0 0.0.0.255 any we can easily understand that this access list
allows all traffic (ip) from 10.4.4.0/24 network
Question 3 :
What will happen after issuing the command “access-group 115 in” on the s0/0/1 interface?
Answer: A
Explanation
Recall that each interface only accepts one access-list, so when using the command “ip access-group 115 in” on the s0/0/1 interface
it will overwrite the initial access-list 102. Therefore any telnet connection will be accepted (so we can eliminate answer C).
B is not correct because if telnet and ping can work then routing updates can, too.
D is not correct because access-list 115 does not mention about 10.4.4.0 network. So the most reasonable answer is A.
But here raise a question…
The wildcard mask of access-list 115, which is 255.255.255.0, means that only host with ip addresses in the form of x.x.x.0 will be
accepted. But we all know that x.x.x.0 is likely to be a network address so the answer A: “no host could connect to Router th rough
s0/0/1” seems right…
But what will happen if we don’t use a subnet mask of 255.255.255.0? For example we can use an ip address of 10.45.45.0
255.255.0.0, such a host with that ip address exists and we can connect to the router through that host. Now answer A seems
incorrect!
We should create an access-list and apply it to the interface which is connected to the Server LAN because it can filter out traffic from
both Sw-2 and Core networks. The Server LAN network has been assigned addresses of 172.22.242.17 – 172.22.242.30 so we can
guess the interface connected to them has an IP address of 172.22.242.30 (.30 is the number shown in the figure). Use the “show
running-config” command to check which interface has the IP address of 172.22.242.30.
Corp1#show running-config
We learn that interface FastEthernet0/1 is the interface connected to Server LAN network. It is the interface we will apply o ur access-
list (for outbound direction).
Corp1#configure terminal
Our access-list needs to allow host C – 192.168.33.3 to the Finance Web Server 172.22.242.23 via web (port 80)
Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Deny other hosts access to the Finance Web Server via web
Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80
Notice: We have to apply the access-list to Fa0/1 interface (not Fa0/0 interface) so that the access-list can filter traffic coming from
both the LAN and the Core networks. If we apply access list to the inbound interface we can only filter traffic from th e LAN network.
In the exam, just click on host C to open its web browser. In the address box type http://172.22.242.23 to check if you are allowed to
access Finance Web Server via HTTP or not. If your configuration is correct then you can access it.
Click on other hosts (A, B and D) and check to make sure you can’t access Finance Web Server from these hosts.
Finally, save the configuration
Corp1(config-if)#end
Corp1#copy running-config startup-config
(This configuration only prevents hosts from accessing Finance Web Server via web but if this server supports other traffic – like FTP,
SMTP… then other hosts can access it, too.)
Notice: You might be asked to allow other host (A, B or D) to access the Finance Web Server so please read the requirement
carefully.
Some modifications (mods):
Modification 1 (Mod 1):
permit host B from accessing finance server access-list 100 permit ip host 192.168.33.2 host
172.22.242.23
deny host B from accessing other servers (not the whole access-list 100 deny ip host 192.168.33.2 172.22.242.16
network) 0.0.0.15
Only allow Host C to to access the financial server access-list 100 permit ip host 192.168.33.3 host
172.22.242.23
Not allow anyone else in any way communicate with the financial access-list 100 deny ip any host 172.22.242.23
server
– Host C should be able to use a web access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
browser(HTTP)to access the Finance Web Server
– Other types of access from host C to the Finance access-list 100 deny ip any host 172.22.242.23
Web Server should be blocked (because the requirement says we can not use more than 3 statements so
– All access from hosts in the Core or local LAN to we have to use “any” here for the hosts in the Core and hosts in local
the Finance Web Server should be blocked LAN)
– All hosts in the Core and local LAN should be access-list 100 permit ip any host
able to access the Public Web Server * (If the question asks this, surely it has to give you the IP of Public Web
Server) but in the exam you should use “access-list 100 permit ip any any”
Other types of access from host C to the finance access-list 100 deny ip host 192.168.33.3 host 172.22.242.23
web server should be blocked
All hosts in the core and on the local LAN should access-list 100 permit ip any host
be able to access the Public web server * (The IP of Public Web Server will surely be given in this question) but in
the exam you should use “access-list 100 permit ip any any”
* There are some reports about the command of “All hosts in the core and on the local LAN should be able to access the Public web
server” saying that the correct command should be “access-list 100 permit ip any any”, not “access-list 100 permit ip any host (IP of
Public Web Server)”. Although I believe the second command is better but maybe you should use the first command “access-list 100
permit ip any any” instead as some reports said they got 100% when using this command (even if the question gives you the IP
address of Public Web Server). It is a bug in this sim.
(Note: Don’t forget to apply this access list to the suitable interface or you will lose points
interface fa0/1
ip access-group 100 out
And in the exam, they may slightly change the requirements, for example host A, host B instead of host C… so make sure you read
the requirement carefully and use the access-list correctly)
Notice: After typing the commands above, if you make a “ping” from other hosts (PC0, PC1, PC3) then PC4 (Finance Web Server)
can still reply because we just filter HTTP traffic, not ICMP traffic. To generate HTTP traffic, select “Web Browser” in the “Desktop”
tab of these PCs. When a web browser opens, type the IP address of Finance Web Server and you can see how traffic flows in
Simulation Mode.
4. EIGRP Troubleshooting Sim
Question :
The topology below is running EIGRP. You are required to troubleshoot and resolve the EIGRP issues between the various routers.
Use the appropriate show commands to troubleshoot the issues.
Instead of posting the output of “show run” commands we post here the commands entered on each router to reduce some useless
lines. Also you can try solving questions by yourself before reading the answers.
Note: In the exam, this sim uses IOS version 15 so “no auto-summary” is the default setting of EIGRP. You don’t have to type it.
Question 1 :
Explanation
On R4 we see EIGRP is configured with AS 2 (router eigrp 2) while other routers are using AS 1 (router eigrp 1). Therefore R4 cannot
see other routers and vice versa.
Question 2 :
Explanation
For this question we have to check the routing table of R1 to find out the answer. Use the “show ip route” command on R1 we will get
something like this:
There are three interfaces on R5 which are Loopback0: 10.5.5.5 ; Loopback1: 10.5.5.55; Ethernet0/0: 192.168.123.5 and all of them
are advertised via 192.168.12.2 so we can conclude traffic from R1 to R5 goes through R2 (192.168.12.2 is the IP address of S2/1
interface of R2).
Note: Maybe there is another version of this question in the exam in which the answer should be “The traffic is equally load-balanced
over R2 and R3”. Therefore please check the “show ip route” output carefully to see if there are more than one route to the
destination.
Question 3 :
Explanation
From the configuration of R6 we learn that R6 is missing “network 192.168.16.0” command (the network between R1 & R6) under
EIGRP so EIGRP neighbor relationship will not be formed between them.
Note: Please check the configuration of R6 carefully. If the “network 192.168.16.0” is not missing on R6 but the “metric weights” is
configured like this:
R6:
router eigrp 1
network 10.6.6.6 0.0.0.0
network 192.168.16.0
metric weights 0 0 0 1 1 1
Then you should check if R1 has the same “metric weights” or not. If not then the answer should be “K values are mismatched”.
For your information, EIGRP K values are the scale numbers that EIGRP uses in metric calculation . Mismatched K values can
prevent neighbor relationships from being established. The syntax of “metric weights” command is:
metric weights tos k1 k2 k3 k4 k5 (with tos is the type of service and must always be zero)
Question 4 :
Explanation
R1 does not advertise its loopback 0 (10.1.1.1) to EIGRP therefore a ping to destination 10.5.5.55 (R5) from 10.1.1.1 will not be
successful because R5 does not know how to reply to R1.
5. DHCP Sim
Question 1 :
Examine the DHCP configuration between R2 and R3, R2 is configured as the DHCP server and R3 as the client.
D. On R2, the network statement in the DHCP pool configuration is incorrectly configured.
Answer: A
Explanation/show commands:
Question 2 :
R1 router clock is synchronized with ISP router. R2 is supposed to receive NTP updates from R1. But you observe that R2 clock
is not synchronized with R1. What is the reason R2 is not receiving NTP updates from R1?
Answer: B
Explanation/show commands: No
picture showed to us.
Question 3 :
Why applications that are installed on PC’s in R2 LAN network 10.100.20.0/24 are unable to communicate with
server1?
A. A standard ACL statement that is configured on R1 is blocking the traffic sourced from R2 LAN network.
B. A standard ACL statement that is configured on R1 is blocking the traffic sourced from Server1 network.
C. A standard ACL statement that is configured on R2 is blocking the traffic sourced from Server1 network.
D. A standard ACL statement that is configured on R2 is blocking the traffic sourced from R2 LAN network.
Answer: C
Explanation/show commands:
Question 4 :
Users complain that they are unable to reach internet sites. You are troubleshooting internet connectivity problem at main
office. Which statement correctly identifies the problem on Router R1?
D. Only static NAT translation configured from the server, missing Dynamic NAT or Dynamic NAT overloading for internal
networks.
Answer: A
Explanation/show commands:
6. RIPv2 Sim
Router R1 connects the main office to internet, and routers R2 and R3 are internal routers
R1 sends default route into RIPv2 for internal routers to forward internet traffic to R1
Server1 and Server 2 are placed in VLAN 100 and 200 respectively, and are still running on stick
Question 1 :
Server1 and Server2 are unable to communicate with the rest of the network. Your initial check with system administrators
shows that IP address settings are correctly configured on the server side. What could be an issue?
Explanation/show command:
Question 2 :
Users in the main office complain that they are unable to reach internet sites. You observe that internet traffic that is destined
towards ISP router is not forwarded correctly on Router R1. What could be an issue?
…..
A. The next hop router address for the default route is incorrectly configured.
D. Router R1 configured as DHCP client is not receiving default route via DHCP from ISP router.
Answer: B
Explanation/show command:
Question 3 :
Examine R2 configuration, the traffic that is destined to R3 LAN network sourced from Router R2 is forwarded to
A. RIPv2 enabled on R3, but R3 LAN network that is not advertised into RIPv2 domain.
B. RIPv2 routing updates are suppressed between R2 and R3 using passive interface feature.
D. No issue that is identified; this behavior is normal since default route propagated into RIPv2 domain by Router R1
Answer: C
Explanation/show command:
Question 4 :
Answer: B
Explanation/show command: