Saturday, October 29, 2011

CCNP TSHOOT - Ticket 10


The problem states that DSW1 and DSW2 are configured as HSRP routers and DSW1 should be the active router, but DSW2 is currently active instead.

Let's check DSW1's HSRP configuration. 

DSW1#sh standby
Vlan10 - Group 10
  State is Standby
    4 state changes, last state change 00:02:07
  Virtual IP address is 10.2.1.254
  Active virtual MAC address is 0000.0c07.ac0a
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.772 secs
  Preemption enabled
  Active router is 10.2.1.2, priority 100 (expires in 7.736 sec)
  Standby router is local
  Priority 90 (configured 150)
    Track object 1 state Down decrement 60
  IP redundancy name is "hsrp-Vl10-10" (default)


Yes, DSW1 is currently the standby router, not the active one. The active router is 10.2.1.2, which is DSW2.

Let's look at DSW1's HSRP configuration on VLAN 10 in more detail.

DSW1#sh run int vlan 10
Building configuration...

Current configuration : 191 bytes
!
interface Vlan10
 ip address 10.2.1.1 255.255.255.0
 ip helper-address 10.1.4.5
 standby 10 ip 10.2.1.254
 standby 10 priority 150
 standby 10 preempt
 standby 10 track 1 decrement 60
end
---------------------------------------
Pay attention to "standby 10 track 1 decrement 60", which means we need to look more closely at "Track 1".

Let's check further in the running-config.

DSW1#sh run | begin track
track 1 ip route 4.4.4.1 255.255.255.255 metric threshold
 threshold metric up 1 down 2
!
track 10 ip route 4.4.4.4 255.255.255.255 metric threshold
 threshold metric up 111 down 112
-----------------------
Two track objects are configured: track 1 and track 10. The tracking objects track IP reachability to 4.4.4.4, which is the loopback IP of R4.

Metric threshold means that if the route is reachable, the default "UP" value is 254 and the "DOWN" value is 255.

So, DSW1 currently uses track object 1, which tracks the route to 4.4.4.1, and that route is unavailable. That's why DSW1's current priority is (150 - 60 = 90), which is lower than DSW2's default priority of 100.

This is shown in DSW1's "sh standby" output.

  Priority 90 (configured 150)
    Track object 1 state Down decrement 60
  IP redundancy name is "hsrp-Vl10-10" (default)
------------------------------------------------------
To fix it, replace "standby 10 track 1 decrement 60" on DSW1's interface vlan 10 as follows.

DSW1(config)#int vlan 10
DSW1(config-if)#no standby 10 track 1 decrement 60
DSW1(config-if)#standby 10 track 10 decrement 60
------------------
Check DSW1 again to see whether it's active or not.

DSW1#sh standby
Vlan10 - Group 10
  State is Active
    5 state changes, last state change 00:00:47
  Virtual IP address is 10.2.1.254
  Active virtual MAC address is 0000.0c07.ac0a
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.116 secs
  Preemption enabled
  Active router is local
  Standby router is 10.2.1.2, priority 100 (expires in 8.184 sec)
  Priority 150 (configured 150)
    Track object 10 state Up decrement 60
  IP redundancy name is "hsrp-Vl10-10" (default)
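
The reasoning in this ticket (a Down track object lowers the priority below the peer's) can be checked mechanically from the "sh standby" text. The script below is an added example, not part of the original post; the function names are hypothetical and the sample input is constructed from the output shown above.

```python
import re

# Constructed sample: DSW1's "sh standby" output before the fix, as shown above.
SHOW_STANDBY_BEFORE = """\
Vlan10 - Group 10
  State is Standby
    4 state changes, last state change 00:02:07
  Virtual IP address is 10.2.1.254
  Preemption enabled
  Active router is 10.2.1.2, priority 100 (expires in 7.736 sec)
  Standby router is local
  Priority 90 (configured 150)
    Track object 1 state Down decrement 60
"""

PATTERNS = {
    "state": r"State is (\w+)",
    "preempt": r"Preemption (\w+)",
    # Only the line naming the *other* router carries an address and a priority.
    "peer_priority": r"(?:Active|Standby) router is [\d.]+, priority (\d+)",
    "priority": r"Priority (\d+) \(configured (\d+)\)",
    "track": r"Track object (\d+) state (\w+) decrement (\d+)",
}


def parse_show_standby(text):
    """Extract the fields that decide the HSRP election for one group."""
    info = {"tracks": []}
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(PATTERNS["state"], line):
            info["state"] = m.group(1)
        elif m := re.match(PATTERNS["preempt"], line):
            info["preempt"] = m.group(1) == "enabled"
        elif m := re.match(PATTERNS["peer_priority"], line):
            info["peer_priority"] = int(m.group(1))
        elif m := re.match(PATTERNS["priority"], line):
            info["priority"] = int(m.group(1))
            info["configured"] = int(m.group(2))
        elif m := re.match(PATTERNS["track"], line):
            info["tracks"].append((int(m.group(1)), m.group(2), int(m.group(3))))
    return info


def diagnose(info):
    """Explain the gap between configured and current priority."""
    down = [(obj, dec) for obj, state, dec in info["tracks"] if state == "Down"]
    lost = sum(dec for _, dec in down)
    restored = info["priority"] + lost  # priority once the Down objects come Up
    return {
        "down_tracks": [obj for obj, _ in down],
        "priority_lost": lost,
        # True when the Down objects account for the whole difference.
        "matches_configured": restored == info["configured"],
        # Equal priorities are decided by interface IP address; not modelled here.
        "wins_now": info["priority"] > info["peer_priority"],
        "wins_if_tracks_up": info["preempt"] and restored > info["peer_priority"],
    }


if __name__ == "__main__":
    print(diagnose(parse_show_standby(SHOW_STANDBY_BEFORE)))
```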

CCNP TSHOOT - Ticket 9


The problem states that R4 and DSW1 can't ping R2's loopback IPv6 address (FEC0::2:2) or Serial1/0.12's address (2026::12:2).

Let's check from DSW1 first. Both fail, as shown below.

DSW1#ping ipv6 2026::12:2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2026::12:2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
DSW1#ping ipv6 FEC0::2:2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FEC0::2:2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
------------------------------------------
Check R2's IPv6 addresses to be sure whether they are up or not.

R2#sh ipv6 int brief
FastEthernet0/0            [administratively down/down]
FastEthernet0/1            [administratively down/down]
Serial1/0                  [up/up]
Serial1/0.12               [up/up]
    FE80::CE00:4FF:FE4C:0
    2026::12:2
Serial1/0.23               [up/up]
    FE80::CE00:4FF:FE4C:0
    2026::1:1
Serial1/1                  [administratively down/down]
Serial1/2                  [administratively down/down]
Serial1/3                  [administratively down/down]
Loopback2                  [up/up]
    FE80::CE00:4FF:FE4C:0
    FEC0::2:2


----------------------------------------

Check the OSPF IPv6 neighbours using "sh ipv6 ospf neighbor". One neighbour is found, R1, but not R3.

R2#sh ipv6 ospf neighbor

Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
1.1.1.1           1   FULL/  -        00:00:37    13              Serial1/0.12

Check the configuration of the interface connected to R3, which is s1/0.23. No OSPFv3 configuration has been configured.

R2#sh run int s1/0.23
Building configuration...

Current configuration : 145 bytes
!
interface Serial1/0.23 point-to-point
 ip address 10.1.1.5 255.255.255.252
 ipv6 address 2026::1:1/122
 frame-relay interface-dlci 203
end

To be sure, double-check the interface connected to R1.

R2#sh run int s1/0.12
Building configuration...

Current configuration : 245 bytes
!
interface Serial1/0.12 point-to-point
 ip address 10.1.1.2 255.255.255.252
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 nass
 ipv6 address 2026::12:2/122
 ipv6 ospf 6 area 12
 frame-relay interface-dlci 201
end
-------------------------------------------------
The missing configuration is "ipv6 ospf 6 area 0", which is needed to put the interface in OSPFv3 area 0.

Let's configure it in R1 and ping again from DSW1. As soon as the correct configuration is completed, R2 forms a neighbour relationship with R3, as shown below.

R2(config)#interface Serial1/0.23
R2(config-subif)#ipv6 ospf 6 area 0
R2(config-subif)#^Z
R2#
*Mar  1 00:16:48.055: %OSPFv3-5-ADJCHG: Process 6, Nbr 3.3.3.3 on Serial1/0.23 from LOADING to FULL, Loading Done
*Mar  1 00:16:49.435: %SYS-5-CONFIG_I: Configured from console by console
R2#

Ping R2 from DSW1 again as follows.

DSW1#ping ipv6 FEC0::2:2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FEC0::2:2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/109/156 ms
DSW1#ping ipv6 2026::12:2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2026::12:2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/83/108 ms
DSW1#


Friday, October 28, 2011

CCNP TSHOOT - Ticket 8



Check from Client1. 

Client1#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.2.1.3        YES DHCP   up                    up  
FastEthernet0/1            unassigned      YES NVRAM  administratively down down

IP address 10.2.1.3 has been assigned. The next step is to ping 10.1.1.1.

Client1#ping 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

The ping failed to reach 10.1.1.1.
-----------------------
Try pinging 10.1.4.5 (R4).

Client1#ping 10.1.4.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.4.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/55/80 ms


The ping reaches 10.1.4.5 but fails at R4's exit point, 10.1.1.10.

Here are the possible causes.
- Route redistribution from OSPF to EIGRP
- Wrong EIGRP AS number

Let's check R4 first, starting with the EIGRP neighbours. Two neighbours are found, DSW1 and DSW2. So, R4's EIGRP is working well.

R4#sh ip eigrp neighbors
IP-EIGRP neighbors for process 10
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
1   10.1.4.10               Fa0/1             14 00:10:20   72   432  0  22
0   10.1.4.6                Fa0/0             11 00:10:26   39   234  0  19
--------------------------
Check the OSPF neighbours next; OSPF is also working well with R3.

R4#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
3.3.3.3           0   FULL/  -        00:00:39    10.1.1.9        Serial1/0.34

---------------
Check the routing table next.

Gateway of last resort is 10.1.1.9 to network 0.0.0.0

     4.0.0.0/32 is subnetted, 1 subnets
C       4.4.4.4 is directly connected, Loopback4
     10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
D       10.2.4.12/30 [90/30720] via 10.1.4.10, 00:12:29, FastEthernet0/1
                     [90/30720] via 10.1.4.6, 00:12:29, FastEthernet0/0
C       10.1.1.8/30 is directly connected, Serial1/0.34
C       10.1.4.8/30 is directly connected, FastEthernet0/1
D       10.2.1.0/24 [90/30720] via 10.1.4.10, 00:12:29, FastEthernet0/1
                    [90/30720] via 10.1.4.6, 00:12:30, FastEthernet0/0
D       10.2.2.0/24 [90/30720] via 10.1.4.10, 00:12:30, FastEthernet0/1
                    [90/30720] via 10.1.4.6, 00:12:30, FastEthernet0/0
C       10.1.4.4/30 is directly connected, FastEthernet0/0
O*IA 0.0.0.0/0 [110/65] via 10.1.1.9, 00:11:25, Serial1/0.34
----------------
None of the following networks appear in R4's routing table, but all can be reached via Serial1/0.34: as OSPF is configured with NSSA, only the default route appears in the routing table.

10.1.1.8/30, 10.1.1.4/30 and 10.1.1.0/30


We can conclude that there is a problem in route redistribution.
Check how the default route appears in the routing table. 10.1.1.9 can be reached from 3.3.3.3, but no route-map appears for the default route 0.0.0.0.

R4#sh ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
  Known via "ospf 1", distance 110, metric 65, candidate default path, type inter area
  Redistributing via eigrp 10
  Last update from 10.1.1.9 on Serial1/0.34, 00:14:56 ago
  Routing Descriptor Blocks:
  * 10.1.1.9, from 3.3.3.3, 00:14:56 ago, via Serial1/0.34
      Route metric is 65, traffic share count is 1
-------------------------------
It's time to check R4's running config for redistribution. Here is R4's EIGRP process. It redistributes routes from OSPF with a route map named "EIGRP->OSPF".

router eigrp 10
 redistribute ospf 1 route-map EIGRP->OSPF
 network 10.1.4.4 0.0.0.3
 network 10.1.4.8 0.0.0.3
 no auto-summary

Let's check the route map EIGRP->OSPF in detail.

route-map EIGRP_OSPF permit 10
 set metric 102400 1000 128 1 1500
 set tag 10
---------------
Finally, the cause is a wrong route map name: the route map is named "EIGRP_OSPF".
Change to the correct route map name and check the routing table again.

R4(config)#router eigrp 10
R4(config-router)#no redistribute ospf 1 route-map EIGRP->OSPF
R4(config-router)#redistribute ospf 1 route-map EIGRP_OSPF
R4(config-router)#^Z
------------------------------------
R4#sh ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
  Known via "ospf 1", distance 110, metric 65, candidate default path, type inter area
  Redistributing via eigrp 10
  Advertised by eigrp 10 route-map EIGRP_OSPF
  Last update from 10.1.1.9 on Serial1/0.34, 00:20:56 ago
  Routing Descriptor Blocks:
  * 10.1.1.9, from 3.3.3.3, 00:20:56 ago, via Serial1/0.34
      Route metric is 65, traffic share count is 1
-------------
Checking the route to 0.0.0.0 (the default route) now shows that it's advertised by route-map EIGRP_OSPF.

So, the faulty device is R4, the fault is in route redistribution, and it can be fixed by changing the route-map name.
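
A name mismatch like this one is easy to catch by cross-checking every route-map reference against the route-maps that are actually defined. The script below is an added example, not part of the original post; `audit_route_maps` is a hypothetical name and the sample config is constructed from the two R4 fragments quoted in this ticket.

```python
import difflib
import re

# Constructed sample: the R4 fragments quoted in this ticket, before the fix.
R4_CONFIG = """\
router eigrp 10
 redistribute ospf 1 route-map EIGRP->OSPF
 network 10.1.4.4 0.0.0.3
 network 10.1.4.8 0.0.0.3
 no auto-summary
!
route-map EIGRP_OSPF permit 10
 set metric 102400 1000 128 1 1500
 set tag 10
"""


def audit_route_maps(config):
    """Find route-map references with no definition, and definitions never used."""
    defined, references, parent = set(), [], None
    for line in config.splitlines():
        text = line.strip()
        if not text or text == "!":
            continue
        top_level = not line[0].isspace()
        if top_level:
            parent = text  # remember which block later indented lines belong to
        if top_level and (m := re.match(r"route-map (\S+)", text)):
            defined.add(m.group(1))  # "route-map NAME permit 10" defines NAME
        elif m := re.search(r"\broute-map (\S+)", text):
            references.append((parent, text, m.group(1)))

    used = {name for _, _, name in references}
    dangling = []
    for block, text, name in references:
        if name in defined:
            continue
        # Suggest the closest defined name, which is usually the intended one.
        guess = difflib.get_close_matches(name, sorted(defined), n=1)
        dangling.append({
            "block": block,
            "line": text,
            "name": name,
            "closest_defined": guess[0] if guess else None,
        })
    return {"dangling": dangling, "unused": sorted(defined - used)}


if __name__ == "__main__":
    report = audit_route_maps(R4_CONFIG)
    for item in report["dangling"]:
        print(f'{item["block"]}: "{item["name"]}" is not defined; '
              f'closest defined name is "{item["closest_defined"]}"')
    print("defined but never referenced:", report["unused"])
```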

Thursday, October 27, 2011

CCNP TSHOOT - Ticket 7




Client1#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES DHCP   up                    up  
FastEthernet0/1            unassigned      YES NVRAM  administratively down down
------------------
No IP address has been assigned to Client1. Check the trunk status in ASW1.

ASW1#sh int trunk

Port      Mode         Encapsulation  Status        Native vlan
Po4       on           802.1q         trunking      1
Po5       on           802.1q         trunking      1

Port      Vlans allowed on trunk
Po4       1-1005
Po5       1-1005

Port      Vlans allowed and active in management domain
Po4       1,10,20
Po5       1,10,20

Port      Vlans in spanning tree forwarding state and not pruned
Po4       1,10,20
Po5       1,10,20
----------------------
Trunks are properly configured.
Check the access VLAN in ASW1 for fa1/0 as follows.

interface FastEthernet1/0
 switchport access vlan 10
!
interface FastEthernet1/1
 switchport access vlan 10
---------------------
Port fa1/0 has been assigned the correct VLAN 10. So, it's working well.
So, let's move to the DSW1 switch. Check the EIGRP neighbour relationships first, as follows.

DSW1#sh ip eigrp neighbors
IP-EIGRP neighbors for process 10
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
2   10.2.2.1                Vl20              12 00:04:41   65   390  0  14
1   10.2.1.2                Vl10              12 00:04:41   72   432  0  15
0   10.2.4.14               Fa1/13            12 00:05:12  741  4446  0  13
---------------
Check carefully: the network connected to R2, 10.1.4.X, does not appear in the neighbours list. So, let's move to R4 to check its EIGRP.
Here is the result.

R4#sh ip eigrp neighbors
IP-EIGRP neighbors for process 1

The whole lab's EIGRP AS is 10, not 1. So, the problem is in R4's EIGRP process.
Changing R4's EIGRP process from 1 back to 10 will solve the problem.

The main reason Client1 is not getting an IP address is the broken connection between DSW1 and R4's EIGRP process.

So, the faulty device is R4, the fault is in the EIGRP process, and it can be fixed by changing the EIGRP AS from 1 to 10.
---------------
Trying to ping from Client1 to the Web server 209.65.200.241 will fail because of missing EIGRP routes in the OSPF network. So, only R4 can reach it, and none of the devices behind R4 can reach the OSPF and outside networks.

To fix it, redistribute EIGRP (AS 10) routes into the OSPF network in R4 as follows:


router ospf 1
redistribute eigrp 10 subnets


CCNP TSHOOT - Ticket 6


As usual, check the IP address of Client1.


Client1#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES DHCP   up                    up  
FastEthernet0/1            unassigned      YES NVRAM  administratively down down

No IP address is assigned, and here are the possibilities.
- ASW1 (wrong access vlan)
- ASW1 (wrong vlan trunk allowed)

OK, let's start checking from ASW1.
As the previous tickets already covered "access vlan", start by checking the VLAN trunk directly.
---------------------------------

ASW1#sh int trunk

Port      Mode         Encapsulation  Status        Native vlan
Po4       on           802.1q         trunking      1
Po5       on           802.1q         trunking      1

Port      Vlans allowed on trunk
Po4       1-9,1002-1005
Po5       1-9,1002-1005

Port      Vlans allowed and active in management domain
Po4       1
Po5       1

Port      Vlans in spanning tree forwarding state and not pruned
Po4       1
Po5       1
----------------------------------
Here you will notice that the trunk allowed VLAN list excludes VLAN 10. Only VLANs 1-9 and 1002-1005 are allowed.

Let's change the trunk allowed VLANs in ASW1 as follows.


ASW1(config)#int range port-channel 4 - 5
ASW1(config-if-range)#no switchport trunk allowed vlan 1-9,1002-1005
ASW1(config-if-range)#switchport trunk allowed vlan 1-10,1002-1005

After waiting a while, check Client1 again and the IP address 10.2.1.3 will be in place, as follows.

Client1#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.2.1.3        YES DHCP   up                    up  
FastEthernet0/1            unassigned      YES NVRAM  administratively down down

So, the problem is in ASW1, in switch-to-switch connectivity, and it can be fixed by adding VLAN 10 to the port channels.
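
The "sh int trunk" output lists three successive VLAN sets per port, and a VLAN has to survive all three to be forwarded. The script below, an added example that is not part of the original post, parses that output and reports the first list from which a given VLAN is missing; the function names are hypothetical and the sample is constructed from ASW1's output above.

```python
# Constructed sample: ASW1's "sh int trunk" output from this ticket.
SHOW_INT_TRUNK = """\
Port      Mode         Encapsulation  Status        Native vlan
Po4       on           802.1q         trunking      1
Po5       on           802.1q         trunking      1

Port      Vlans allowed on trunk
Po4       1-9,1002-1005
Po5       1-9,1002-1005

Port      Vlans allowed and active in management domain
Po4       1
Po5       1

Port      Vlans in spanning tree forwarding state and not pruned
Po4       1
Po5       1
"""


def expand_vlans(spec):
    """Turn a list such as '1-9,1002-1005' into a set of VLAN ids."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if part in ("", "none"):
            continue
        low, _, high = part.partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def parse_show_int_trunk(text):
    """Return {section title: {port: set of VLANs}} for the three VLAN sections."""
    sections, current = {}, None
    for line in text.splitlines():
        fields = line.split(None, 1)
        if len(fields) < 2:
            continue
        if fields[0] == "Port":
            title = fields[1].strip()
            # The first table (Mode/Encapsulation/Status) holds no VLAN list.
            current = sections.setdefault(title, {}) if title.startswith("Vlans") else None
        elif current is not None:
            current[fields[0]] = expand_vlans(fields[1])
    return sections


def first_stage_dropping(text, vlan):
    """Map each trunk port to the first section that lacks `vlan`, or None."""
    result = {}
    for title, ports in parse_show_int_trunk(text).items():
        for port, vlans in ports.items():
            if result.get(port) is None:
                result[port] = None if vlan in vlans else title
    return result


if __name__ == "__main__":
    for port, stage in first_stage_dropping(SHOW_INT_TRUNK, 10).items():
        print(port, "carries VLAN 10" if stage is None else f"drops VLAN 10 at: {stage}")
```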

CCNP TSHOOT - Ticket 5


Check Client1 first to see whether it's getting an IP address from the DHCP server or not.


Client1#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES DHCP   up                    up  
FastEthernet0/1            unassigned      YES NVRAM  administratively down down
-------------
Client1 is not getting an IP address. So, the problem will be in one of the following devices.

- ASW1 (switchport access vlan)
- DSW1 (EIGRP ip routing)
- ASW1 (switchport trunk allowed vlan)
- R4 (wrong EIGRP AS)
- DSW1 (ip helper-address to DHCP server, R4)
--------------------------------------
Let's check ASW1 first. To find out which port is attached to ASW1, do as follows in ASW1.


ASW1#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES NVRAM  administratively down down
FastEthernet0/1            unassigned      YES NVRAM  administratively down down
FastEthernet1/0            unassigned      YES unset  up                    up
-------------
Then, check the detailed config of FastEthernet1/0 using "sh run".


interface FastEthernet1/0
!
interface FastEthernet1/1
!
interface FastEthernet1/2
 switchport access vlan 10
---------
As seen in the config above, FastEthernet1/0 differs from FastEthernet1/2, which is in VLAN 10.
So, let's add access vlan 10 to FastEthernet1/0.

ASW1(config)# int fa1/0
ASW1(config-if)#switchport access vlan 10

Wait a few seconds and check Client1 as follows to see whether it's getting an IP address or not.
If it's still not getting an IP address, shut down the interface and enable it again as follows.

Client1#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES DHCP   up                    up  
FastEthernet0/1            unassigned      YES NVRAM  administratively down down
Client1#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Client1(config)#int fa0/0
Client1(config-if)#shut
Client1(config-if)#no shut
Client1(config-if)#^Z
Client1#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.2.1.3        YES DHCP   up                    up  
FastEthernet0/1            unassigned      YES NVRAM  administratively down down

So, the error is in ASW1, the fault is a wrong access VLAN, and it can be fixed by adding "switchport access vlan 10".

CCNP TSHOOT - Ticket 4



Just a short reminder: in the exam, you can't use the "sh run | include bgp" command. If you are in doubt about which commands you can use, check the CCNP TSHOOT demo on the Cisco website.

Below are the troubleshooting steps.

Client1#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.2.1.3        YES DHCP   up                    up
FastEthernet0/1            unassigned      YES NVRAM  administratively down down
Client1#ping 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/80/128 ms
Client1#ping 209.65.200.225

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.65.200.225, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 80/89/108 ms
Client1#ping 209.65.200.226

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.65.200.226, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
------------------------------
The ping stops at 209.65.200.226. Check the BGP neighbour status first in R1.


R1#sh ip bgp summary
BGP router identifier 1.1.1.1, local AS number 65001
BGP table version is 2, main routing table version 2
1 network entries using 117 bytes of memory
1 path entries using 52 bytes of memory
2/1 BGP path/bestpath attribute entries using 248 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 417 total bytes of memory
BGP activity 1/0 prefixes, 2/1 paths, scan interval 60 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
209.65.200.226  4 65002       0       0        0    0    0 never    Active

-----------------------------------------------
R1 has a broken BGP neighbour relationship with the other router. As you can see, it's in the Active state and no messages or prefixes have been received.

Let's check R1's BGP configuration.


router bgp 65001
 no synchronization
 bgp log-neighbor-changes
 network 209.65.200.224 mask 255.255.255.252
 neighbor 209.65.200.226 remote-as 65002
 no auto-summary
------------------
It seems the BGP configuration is correct and something is wrong in the IP access-list. Check the access-lists in R1.

ip nat inside source list 10 interface Serial1/1 overload
!
access-list 10 permit 10.2.2.0 0.0.0.255
access-list 10 permit 10.2.4.0 0.0.0.255
access-list 10 permit 10.1.4.0 0.0.0.255
access-list 10 permit 10.10.4.0 0.0.0.255
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 10 permit 10.2.1.0 0.0.0.255
access-list 40 permit 209.65.200.241
access-list 40 deny   10.1.0.0 0.0.255.255
access-list 40 deny   10.2.0.0 0.0.255.255
ipv6 router ospf 6
 log-adjacency-changes
-----------------
Here is the problem. IP access-list 40 does not allow the 209.65.200.224/30 network and is applied to the Serial 1/1 interface. So, let's fix it and solve the problem.

As soon as the following changes are made in R1, everything is solved.

R1(config)#ip access-list standard 40
R1(config-std-nacl)#per
R1(config-std-nacl)#permit 209.65.200.224 0.0.0.3
R1(config-std-nacl)#^Z
R1#
*Mar  1 00:21:19.411: %SYS-5-CONFIG_I: Configured from console by console
*Mar  1 00:21:25.291: %BGP-5-ADJCHANGE: neighbor 209.65.200.226 Up
R1#
------------------------------
The problem device is R1, the fault is related to the IP access-list, and it can be fixed by adding a new entry to access-list 40.

CCNP TSHOOT - Ticket 3



Here are the steps for troubleshooting.

Client1#ping 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 76/101/116 ms
Client1#ping 209.65.200.225

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.65.200.225, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 52/91/140 ms
Client1#ping 209.65.200.226

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.65.200.226, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
-----------------------------------------------------------------
The ping stops responding at 209.65.200.226. From this, it's clear that an IP access list might be blocking it.
Let's check R1.
If you suspect that it could be caused by a BGP error, check the BGP neighbours.

R1#sh ip bgp summary
BGP router identifier 1.1.1.1, local AS number 65001
BGP table version is 3, main routing table version 3
2 network entries using 234 bytes of memory
3 path entries using 156 bytes of memory
4/2 BGP path/bestpath attribute entries using 496 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 910 total bytes of memory
BGP activity 2/0 prefixes, 3/0 paths, scan interval 60 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
209.65.200.226  4 65002      11      10        3    0    0 00:06:22        2


BGP messages are being updated and 2 prefixes are being received. It means that BGP is working properly.
Here are the IP access-lists from R1.
--------------------------
ip nat inside source list 10 interface Serial1/1 overload
!
access-list 10 permit 10.1.0.0 0.0.255.255
access-list 30 permit 209.65.200.241
access-list 30 deny   10.2.1.0 0.0.0.255
access-list 30 deny   10.1.4.0 0.0.0.255
access-list 30 deny   10.1.1.0 0.0.0.255
access-list 30 permit 209.65.200.224 0.0.0.3
access-list 40 permit 209.65.200.241
access-list 40 deny   10.1.0.0 0.0.255.255
access-list 40 deny   10.2.0.0 0.0.255.255
access-list 40 permit 209.65.200.224 0.0.0.3
ipv6 router ospf 6
 log-adjacency-changes
-----------------------


There is no entry for the 10.2.0.0 network in access-list 10, which is used for NAT.

So, the error is in R1, the fault is in the access-list, and you can fix it by adding 10.2.0.0 0.0.255.255 to access-list 10.
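
Both Ticket 4 (access-list 40 dropping the BGP neighbour) and Ticket 3 (access-list 10 leaving 10.2.x.x out of NAT) come down to how a standard ACL is evaluated: entries are tried top to bottom, wildcard bits mark the "don't care" positions, and a source that matches nothing hits the implicit deny. The evaluator below is an added example, not part of the original posts; the function names are hypothetical and the ACL text is constructed from the R1 listings in the two tickets.

```python
import ipaddress

# Constructed from the R1 listings in Ticket 4 and Ticket 3, before the fixes.
R1_TICKET4 = """\
access-list 40 permit 209.65.200.241
access-list 40 deny   10.1.0.0 0.0.255.255
access-list 40 deny   10.2.0.0 0.0.255.255
"""
R1_TICKET3 = """\
access-list 10 permit 10.1.0.0 0.0.255.255
"""


def ip_int(text):
    return int(ipaddress.IPv4Address(text))


def parse_standard_acl(config, number):
    """Return [(action, address, wildcard, line)] for one numbered standard ACL."""
    entries = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[:2] != ["access-list", str(number)]:
            continue
        action, args = tok[2], tok[3:]
        if args[0] == "any":
            addr, wild = 0, 0xFFFFFFFF
        elif args[0] == "host":
            addr, wild = ip_int(args[1]), 0
        else:
            # A bare address with no wildcard matches that single host.
            addr = ip_int(args[0])
            wild = ip_int(args[1]) if len(args) > 1 and args[1] != "log" else 0
        entries.append((action, addr, wild, " ".join(tok)))
    return entries


def evaluate(entries, source):
    """First matching entry wins; no match means the implicit deny applies."""
    src = ip_int(source)
    for action, addr, wild, line in entries:
        # Bits set in the wildcard are ignored; every other bit must be equal.
        if ((src ^ addr) & ~wild & 0xFFFFFFFF) == 0:
            return action, line
    return "deny", "implicit deny (no entry matched)"


if __name__ == "__main__":
    # Ticket 4: packets from the BGP neighbour checked against access-list 40.
    acl40 = parse_standard_acl(R1_TICKET4, 40)
    print(evaluate(acl40, "209.65.200.226"))
    fixed40 = R1_TICKET4 + "access-list 40 permit 209.65.200.224 0.0.0.3\n"
    print(evaluate(parse_standard_acl(fixed40, 40), "209.65.200.226"))

    # Ticket 3: access-list 10 selects which inside sources get translated.
    acl10 = parse_standard_acl(R1_TICKET3, 10)
    print(evaluate(acl10, "10.2.1.3"))
    fixed10 = R1_TICKET3 + "access-list 10 permit 10.2.0.0 0.0.255.255\n"
    print(evaluate(parse_standard_acl(fixed10, 10), "10.2.1.3"))
```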

CCNP TSHOOT - Ticket 2

Lab topology will be the same as in Ticket 1.

You can also download the complete topology file from the Cisco website as a PDF. Check here https://learningnetwork.cisco.com/servlet/JiveServlet/download/52366-8599/TSHOOT%20Exam%20Topology.pdf

For the demo exam, check out http://www.cisco.com/web/learning/le3/le2/le37/le10/tshoot_demo.html


After waiting for 2 minutes, check whether Client1 gets an IP address or not.


Client1#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.2.1.3        YES DHCP   up                    up
FastEthernet0/1            unassigned      YES NVRAM  administratively down down

Client1 is getting an IP address from the DHCP server, R4. So, let's ping 10.1.1.1 as usual.


Client1#ping 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!

Success. Client1 can ping 10.1.1.1, all the way up to R1.
Let's ping one interface after another, step by step, as follows.

Client1#ping 209.65.200.225

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.65.200.225, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/92/112 ms
Client1#ping 209.65.200.226

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.65.200.226, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 208/228/248 ms
Client1#ping 209.65.200.241

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.65.200.241, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

The ping succeeds up to the 209.65.200.224 network and fails only in the 209.65.200.240 network.
So, it's clear that there are two possible causes:

- BGP neighbour relationship (or)
- IP access list

Let's check R1's BGP and IP access-list.
Check R1's BGP neighbour as follows.

R1#sh ip bgp summary
BGP router identifier 1.1.1.1, local AS number 65001
BGP table version is 2, main routing table version 2
1 network entries using 117 bytes of memory
1 path entries using 52 bytes of memory
2/1 BGP path/bestpath attribute entries using 248 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 417 total bytes of memory
BGP activity 1/0 prefixes, 1/0 paths, scan interval 60 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
209.56.200.226  4 65002       0       0        0    0    0 never    Idle

The neighbour is idle and no messages have been sent or received.

Let's check the neighbour configuration in R1 as follows.

R1#sh run | include neighbor
 bgp log-neighbor-changes
 neighbor 209.56.200.226 remote-as 65002

Here is the problem. The actual IP address of the neighbouring BGP router should be 209.65.200.226.
Let's fix it and it will work.
So, the problem lies in R1, the fault is in BGP, and it is fixed by changing the neighbour's IP address to 209.65.200.226.

CCNP TSHOOT - Ticket 1

I had a chance to download CCNP TSHOOT GNS3 files from the Internet to practice. I will not create new GNS3 files this time and I'll use the files which I found on the Internet.

Use this link http://dl.dropbox.com/u/2749921/GNS_Tshoot.tar.gz to download all tickets. Thanks to the one who created all the GNS3 files.

The lab topology is the same as you will see in the exam.



All of the questions will tell you "Client1 can't reach WebSrv".

First of all, you need to check whether Client1 has an IP address or not. Check in the console as follows.


Client1#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.2.1.3        YES DHCP   up                    up  
FastEthernet0/1            unassigned      YES NVRAM  administratively down down


Client1 has the IP address 10.2.1.3. Let's ping 10.1.1.1, which is Router 1.

Client1#ping 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

The ping failed. So, let's check whether Client1 can reach Router 2 (10.1.1.2).


Client1#ping 10.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 96/124/160 ms

Now you know where the problem is: it's between R1 and R2. Let's check the configuration of R1 and R2 further.


As the topology uses OSPF, check whether R1 is a neighbour of R2 or not.


R1#sh ip ospf neighbor


R1#

No neighbour is found in R1. So, let's move to R2.

R2#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
3.3.3.3           0   FULL/  -        00:00:33    10.1.1.6        Serial1/0.23


R2 has a neighbour relationship with R3 (3.3.3.3). So, the problem is R1's OSPF configuration.

Check R1's OSPF configuration as follows.


R1#sh run | in
R1#sh run | include ospf
 ipv6 ospf 6 area 12
 ip ospf message-digest-key 1 md5 TSHOOT
 ipv6 ospf 6 area 12
router ospf 1
ipv6 router ospf 6

Let's check again in R2.


R2#sh run | include ospf
 ipv6 ospf 6 area 0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 TSHOOT
 ipv6 ospf 6 area 12
 ipv6 ospf 6 area 0
router ospf 1
ipv6 router ospf 6
--------------------------
What is the difference? In R1, "ip ospf authentication message-digest" is missing.
That's it. So, the problem is in R1, in its OSPF configuration, and you already know how to fix it.

As soon as you fix it, the neighbour relationship will be established between R1 and R2 and you can reach WebSrv.
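
The comparison done by eye above (an MD5 key on both routers, but the authentication type enabled on only one) can be scripted for the two ends of any OSPF link. The script below is an added example, not part of the original post: the function names are hypothetical, the interface blocks are constructed from the "sh run | include ospf" output above with an assumed interface name, and only interface-level authentication is checked (area-level authentication under "router ospf" is not modelled).

```python
import re

# Constructed samples: the OSPF lines of each end of the R1-R2 link, before the fix.
# The interface name on the R1 side is an assumption for illustration.
R1_SIDE = """\
interface Serial1/0.12 point-to-point
 ip ospf message-digest-key 1 md5 TSHOOT
 ipv6 ospf 6 area 12
"""
R2_SIDE = """\
interface Serial1/0.12 point-to-point
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 TSHOOT
 ipv6 ospf 6 area 12
"""


def ospf_auth(block):
    """Return (authentication type, {key id: key string}) for one interface block."""
    auth_type, keys = "null", {}
    for line in (raw.strip() for raw in block.splitlines()):
        if m := re.fullmatch(r"ip ospf authentication(?: (message-digest|null))?", line):
            # The bare command selects simple (plain-text) authentication.
            auth_type = m.group(1) or "simple"
        elif m := re.fullmatch(r"ip ospf message-digest-key (\d+) md5 (?:\d+ )?(\S+)", line):
            keys[int(m.group(1))] = m.group(2)
    return auth_type, keys


def compare_link(first, second):
    """List the OSPF authentication problems between the two ends of one link."""
    (type_a, keys_a), (type_b, keys_b) = ospf_auth(first), ospf_auth(second)
    problems = []
    if type_a != type_b:
        problems.append(f"authentication type differs: {type_a} vs {type_b}")
    for side, auth_type, keys in (("first", type_a, keys_a), ("second", type_b, keys_b)):
        # A key alone does nothing until message-digest authentication is enabled.
        if keys and auth_type != "message-digest":
            problems.append(
                f"{side} side has an MD5 key but does not enable message-digest authentication"
            )
    if type_a == type_b == "message-digest" and keys_a != keys_b:
        problems.append("MD5 key id or key string differs")
    return problems


if __name__ == "__main__":
    for problem in compare_link(R1_SIDE, R2_SIDE):
        print(problem)
```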

Tuesday, October 18, 2011

HSRP with VLAN interfaces

I was looking for a GNS3 file to simulate HSRP with two VLAN interfaces but failed to get the information. Finally, I managed to get through and I'll share soon.

Below is the topology diagram that I have simulated with GNS3.

Download the completed GNS3 file from https://docs.google.com/leaf?id=0B889ogd4ltI2NDBiMzg5YjItNTcwYi00ODhmLWJiYzItYWIyZjk5ZDM3YjU3&hl





Here is a brief description of the lab topology.
  • R1 and R2 are the HSRP active and standby routers for VLAN 100 and VLAN 200.
  • R3 is the layer 2 switch, with trunking enabled on fa1/1 and fa1/2 to allow traffic from R4 (VLAN-100 PC) and R6 (VLAN-200 PC).
  • R1, R2 and R5 are in the EIGRP 1 network, and IP routing carries all routes, including the loopback of R5 (5.5.5.5).
  • Simple testing can be done by pinging from the VLAN 100 PC (R4) to R5's loopback IP 5.5.5.5.
  • To simulate HSRP, track the status of R1's loopback interface. When it's down, R1 will release its active role to R2 for VLAN 100.
  • With the same method, for VLAN 200, configure R2 in the active role. Track the status of R2's loopback 0 interface. When it goes down, R2 will release its active state for VLAN 200 to R1.
  • By doing so, both VLAN 100 and VLAN 200 will stay online all the time for redundancy, even if either R1 or R2 goes down.
The detailed configuration steps are as follows:

R1(config)#int fa1/1
R1(config-if)#int vlan 100
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#exit
R1(config)#int fa1/1
R1(config-if)#switchport trunk encapsulation dot1q
R1(config-if)#switchport mode trunk
R1(config-if)#
*Mar  1 00:02:05.887: %DTP-5-TRUNKPORTON: Port Fa1/1 has become dot1q trunk
R1(config-if)#exit
R1(config)#exit
R1#vlan
*Mar  1 00:02:17.683: %SYS-5-CONFIG_I: Configured from console by console
R1#vlan database
% Warning: It is recommended to configure VLAN from config mode,
  as VLAN database mode is being deprecated. Please consult user
  documentation for configuring VTP/VLAN in config mode.

R1(vlan)#vlan 100
VLAN 100 added:
    Name: VLAN0100
R1(vlan)#exit
APPLY completed.
Exiting....
-----------------------------------------
R1#sh int status

Port    Name               Status       Vlan       Duplex Speed Type
Fa1/0                      notconnect   1            auto    auto 10/100BaseTX
Fa1/1                      connected    trunk      a-full   a-100 10/100BaseTX
Fa1/2                      notconnect   1            auto    auto 10/100BaseTX
Fa1/3                      notconnect   1            auto    auto 10/100BaseTX
Fa1/4                      notconnect   1            auto    auto 10/100BaseTX
Fa1/5                      notconnect   1            auto    auto 10/100BaseTX
Fa1/6                      notconnect   1            auto    auto 10/100BaseTX
Fa1/7                      notconnect   1            auto    auto 10/100BaseTX
Fa1/8                      notconnect   1            auto    auto 10/100BaseTX
Fa1/9                      notconnect   1            auto    auto 10/100BaseTX
Fa1/10                     notconnect   1            auto    auto 10/100BaseTX
Fa1/11                     notconnect   1            auto    auto 10/100BaseTX
Fa1/12                     notconnect   1            auto    auto 10/100BaseTX
Fa1/13                     notconnect   1            auto    auto 10/100BaseTX
Fa1/14                     notconnect   1            auto    auto 10/100BaseTX
Fa1/15                     notconnect   1            auto    auto 10/100BaseTX
-------------------------------------------------
R1#sh int vlan 100
Vlan100 is up, line protocol is up
  Hardware is EtherSVI, address is c200.067c.0000 (bia c200.067c.0000)
  Internet address is 192.168.1.1/24
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     1 packets output, 60 bytes, 0 underruns
     0 output errors, 1 interface resets
     0 output buffer failures, 0 output buffers swapped out
-------------------------------------
R1#sh int trunk

Port      Mode         Encapsulation  Status        Native vlan
Fa1/1     on           802.1q         trunking      1

Port      Vlans allowed on trunk
Fa1/1     1-4094

Port      Vlans allowed and active in management domain
Fa1/1     1,100

Port      Vlans in spanning tree forwarding state and not pruned
Fa1/1     1,100
++++++++++++++++++++++++++++++++++++++++++++++++++++

switch(config)#int fa1/3
switch(config-if)#switchport mode access
switch(config-if)#switchport access vlan 100
----------------------------------------
The ping test from R4 (VLAN100-PC) to R1 and R2 is as follows.

PC#ping 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/236/1044 ms
PC#ping 192.168.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/40/84 ms
--------------------------------------------

R2#sh int trunk

Port      Mode         Encapsulation  Status        Native vlan
Fa1/2     on           802.1q         trunking      1

Port      Vlans allowed on trunk
Fa1/2     1-4094

Port      Vlans allowed and active in management domain
Fa1/2     1,100,200

Port      Vlans in spanning tree forwarding state and not pruned
Fa1/2     1,100,200
---------------------------------------------
Activate HSRP for VLAN 100 on R1 as follows.

R1(config)#int vlan 100
R1(config-if)#stan
R1(config-if)#standby 1 ip ?
  A.B.C.D  Virtual IP address
  <cr>

R1(config-if)#standby 1 ip 192.168.1.10
R1(config-if)#standby 1 preempt
R1(config-if)#standby 1 priority 110
R1(config-if)#^Z
R1#
*Mar  1 00:21:29.123: %SYS-5-CONFIG_I: Configured from console by console
R1#
*Mar  1 00:21:41.831: %HSRP-5-STATECHANGE: Vlan100 Grp 1 state Standby -> Active
--------------------------------------
The R2 HSRP configuration for VLAN 100 is as follows.

R2#config t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#int vlan 100
R2(config-if)#stan
R2(config-if)#standby 1 ip 192.168.1.10
R2(config-if)#standby 1 preempt
R2(config-if)#^Z
--------------------------------------
Check HSRP status as below.

R1#sh standby
Vlan100 - Group 1
  State is Active
    2 state changes, last state change 00:01:57
  Virtual IP address is 192.168.1.10
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.048 secs
  Preemption enabled
  Active router is local
  Standby router is 192.168.1.2, priority 100 (expires in 8.496 sec)
  Priority 110 (configured 110)
  Group name is "hsrp-Vl100-1" (default)
-----------------------------------------------------------------
Activate HSRP for VLAN 200 as follows.

R1(config)#int vlan 200
R1(config-if)#standby 2 ip 192.168.2.10
R1(config-if)#standby 2 preempt
R1(config-if)#standby 2 priority 120
R1(config-if)#^Z
R1#
*Mar  1 00:24:35.923: %SYS-5-CONFIG_I: Configured from console by console
R1#
*Mar  1 00:24:46.487: %HSRP-5-STATECHANGE: Vlan200 Grp 2 state Standby -> Active
R1#
*Mar  1 00:25:13.551: %HSRP-5-STATECHANGE: Vlan200 Grp 2 state Active -> Speak
R1#
*Mar  1 00:25:23.551: %HSRP-5-STATECHANGE: Vlan200 Grp 2 state Speak -> Standby
------------------------------------------
The VLAN 200 configuration for R2 is as follows.

R2(config)#int vlan 200
R2(config-if)#standby 2 ip 192.168.2.10
R2(config-if)#standby 2 priority 250
R2(config-if)#standby 2 preempt
R2(config-if)#^Z
R2#
*Mar  1 00:25:13.143: %HSRP-5-STATECHANGE: Vlan200 Grp 2 state Speak -> Active
*Mar  1 00:25:13.699: %SYS-5-CONFIG_I: Configured from console by console
---------------------------------------------------
The final HSRP status for VLAN 100 and 200 on R1 is as follows.

R1#sh standby
Vlan100 - Group 1
  State is Active
    2 state changes, last state change 00:04:50
  Virtual IP address is 192.168.1.10
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.892 secs
  Preemption enabled
  Active router is local
  Standby router is 192.168.1.2, priority 100 (expires in 7.316 sec)
  Priority 110 (configured 110)
  Group name is "hsrp-Vl100-1" (default)
Vlan200 - Group 2
  State is Standby
    4 state changes, last state change 00:01:08
  Virtual IP address is 192.168.2.10
  Active virtual MAC address is 0000.0c07.ac02
    Local virtual MAC address is 0000.0c07.ac02 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.600 secs
  Preemption enabled
  Active router is 192.168.2.2, priority 250 (expires in 9.548 sec)
  Standby router is local
  Priority 120 (configured 120)
  Group name is "hsrp-Vl200-2" (default)
+++++++++++++++++++++++++++++++++++++++++++++++++++++
In R2,

R2#sh standby
Vlan100 - Group 1
  State is Standby
    1 state change, last state change 00:31:57
  Virtual IP address is 192.168.1.10
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.672 secs
  Preemption enabled
  Active router is 192.168.1.1, priority 110 (expires in 9.040 sec)
  Standby router is local
  Priority 100 (default 100)
  Group name is "hsrp-Vl100-1" (default)
Vlan200 - Group 2
  State is Active
    1 state change, last state change 00:29:27
  Virtual IP address is 192.168.2.10
  Active virtual MAC address is 0000.0c07.ac02
    Local virtual MAC address is 0000.0c07.ac02 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.660 secs
  Preemption enabled
  Active router is local
  Standby router is 192.168.2.1, priority 120 (expires in 9.452 sec)
  Priority 250 (configured 250)
    Track object 20 state Up decrement 140
  Group name is "hsrp-Vl200-2" (default)
++++++++++++++++++++++++++++++++++++++++++++++++++++
Shut down R2's loopback interface as below and monitor the HSRP changes.

R2(config)#int lo0
R2(config-if)#shut
R2(config-if)#
*Mar  1 00:54:51.655: %TRACKING-5-STATE: 20 interface Lo0 line-protocol Up->Down
R2(config-if)#
*Mar  1 00:54:53.651: %LINK-5-CHANGED: Interface Loopback0, changed state to administratively down
*Mar  1 00:54:53.735: %HSRP-5-STATECHANGE: Vlan200 Grp 2 state Active -> Speak
*Mar  1 00:54:54.651: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to down
R2(config-if)#
*Mar  1 00:55:03.735: %HSRP-5-STATECHANGE: Vlan200 Grp 2 state Speak -> Standby
R2(config-if)#
---------------------------------------------------------------------------

R2#sh standby
Vlan100 - Group 1
  State is Standby
    1 state change, last state change 00:33:43
  Virtual IP address is 192.168.1.10
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.104 secs
  Preemption enabled
  Active router is 192.168.1.1, priority 110 (expires in 7.564 sec)
  Standby router is local
  Priority 100 (default 100)
  Group name is "hsrp-Vl100-1" (default)
Vlan200 - Group 2
  State is Standby
    3 state changes, last state change 00:01:23
  Virtual IP address is 192.168.2.10
  Active virtual MAC address is 0000.0c07.ac02
    Local virtual MAC address is 0000.0c07.ac02 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.220 secs
  Preemption enabled
  Active router is 192.168.2.1, priority 120 (expires in 9.316 sec)
  Standby router is local
  Priority 110 (configured 250)
    Track object 20 state Down decrement 140
  Group name is "hsrp-Vl200-2" (default)
-------------------------------------------------
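The failover above only happens because the tracking decrement pushes R2's priority (250 - 140 = 110) below R1's 120; a decrement that is too small leaves the router active with its tracked interface down. The following Python code is an added example, not part of the original lab: it parses `show standby` output and checks that condition. The names `parse_standby` and `failover_check` are hypothetical, and the input is a trimmed copy of R2's Vlan200 output.

```python
import re

# Constructed input: the Vlan200 stanza of R2's "sh standby" output shown
# above, trimmed to the lines the parser reads (before Loopback0 went down).
R2_VLAN200 = """\
Vlan200 - Group 2
  State is Active
  Preemption enabled
  Active router is local
  Standby router is 192.168.2.1, priority 120 (expires in 9.452 sec)
  Priority 250 (configured 250)
    Track object 20 state Up decrement 140
"""

def parse_standby(text):
    """Parse 'show standby' text into {(interface, group): fields}."""
    groups, cur = {}, None
    for raw in text.splitlines():
        s = raw.strip()
        if m := re.match(r"(\S+) - Group (\d+)", s):
            cur = groups.setdefault((m[1], int(m[2])), {
                "state": None, "preempt": False, "peer_priority": None,
                "priority": None, "configured": None, "tracks": []})
        elif cur is None:
            continue
        elif m := re.match(r"State is (\w+)", s):
            cur["state"] = m[1]
        elif s == "Preemption enabled":
            cur["preempt"] = True
        elif m := re.match(r"(?:Active|Standby) router is \S+, priority (\d+)", s):
            cur["peer_priority"] = int(m[1])
        elif m := re.match(r"Priority (\d+) \((?:configured|default) (\d+)\)", s):
            cur["priority"], cur["configured"] = int(m[1]), int(m[2])
        elif m := re.match(r"Track object (\d+) state (\w+) decrement (\d+)", s):
            cur["tracks"].append((int(m[1]), m[2], int(m[3])))
    return groups

def failover_check(g):
    """Return (priority with every tracked object Down, peer would win).

    Assumes the peer preempts, as both routers in this lab do. A tie is
    reported as False; this check only accepts a strictly lower priority.
    """
    worst = max(g["configured"] - sum(dec for _, _, dec in g["tracks"]), 0)
    return worst, g["peer_priority"] is not None and worst < g["peer_priority"]

if __name__ == "__main__":
    for (intf, grp), g in parse_standby(R2_VLAN200).items():
        worst, ok = failover_check(g)
        print(f"{intf} grp {grp}: configured {g['configured']}, worst case "
              f"{worst}, peer {g['peer_priority']} -> "
              f"{'fails over' if ok else 'NO failover: decrement too small'}")
```

Running the same check with a decrement of 100 instead of 140 reports a worst-case priority of 150, which stays above R1's 120, so VLAN 200 would not fail over.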
In the initial HSRP active/standby state, the normal traffic flow path is as shown below.

PC-VLAN100#traceroute 5.5.5.5

Type escape sequence to abort.
Tracing the route to 5.5.5.5

  1 192.168.1.1 72 msec 28 msec 24 msec
  2 172.16.1.5 76 msec *  88 msec
---------------------

PC-VLAN200#traceroute 5.5.5.5

Type escape sequence to abort.
Tracing the route to 5.5.5.5

  1 192.168.2.2 36 msec 48 msec 28 msec
  2 172.16.2.5 32 msec *  40 msec
+++++++++++++++++++++++++++++++++++++++++++++++

After shutting down lo0 on R2, check the routed path as below.

PC-VLAN200#traceroute 5.5.5.5

Type escape sequence to abort.
Tracing the route to 5.5.5.5

  1 192.168.2.1 28 msec 60 msec 32 msec
  2 172.16.1.5 28 msec *  32 msec
=============================

PC-VLAN100#traceroute 5.5.5.5

Type escape sequence to abort.
Tracing the route to 5.5.5.5

  1 192.168.1.1 48 msec 28 msec 32 msec
  2 172.16.1.5 64 msec *  88 msec
===================

Check the HSRP status of the routers as follows.

R2#sh standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Vl100       1    100 P Standby 192.168.1.1     local           192.168.1.10
Vl200       2    250 P Active  local           192.168.2.1     192.168.2.10
---------------------------------

R1#sh standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Vl100       1    110 P Active  local           192.168.1.2     192.168.1.10
Vl200       2    120 P Standby 192.168.2.2     local           192.168.2.10