Troubleshoot Workbook July, 2013 MPLSv3

MPLSv3 tickets
Q1. 5 faults: On R22 is not able to use Telnet to connect to R23 Loopback 0. Fix problem so that the following Telnet connection can be established: R22#telnet 10.1.1.23 /source-interface loopback 0 While you are resolving this issue, you are not allowed to remove any existing configuration, but you can change or add it.
R22
S1/0=.1

22 S0/0 DLCI LMI CISCO

OSPF Area 2 Net: 172.16.12.x/30

FR2 switch
S0/1 OSPF MD5 Auth

23

S0/0=.2

Output should match: show frame-relay end-to-end keepalive interface s0/0 | i DLCI

R23

Q2 4 faults: On R14, host 10.1.1.14 is not able to use Telnet to connect to host 10.1.1.8 and to host 10.1.1.7. Fix problem so that the following Telnet connection can be establish: R14#telnet 10.1.1.8 /source-interface loopback 0 R14#telnet 10.1.1.7 /source-interface loopback 0 While you are resolving this issue, you are not allowed to change any existing configuration on SW1. While you are resolving this issue, you are not allowed to create any new Layer 3 interfaces. Refer to the Troubleshooting guidelines to determine if your solution is appropriate. Make sure that you disconnect the telnet session after verification.

10.1.1.7

R7
E0/1=.9

E0/3=.25 E0/2=.17

E0/3=.26

R8
E0/2=.13

E0/1=.21

10.1.1.8

E0/0=.10 E0/3=.29

E0/1=.22

E0/1=.18

E0/0=.14

R9
E0/2=.37
OSPF MD5 Auth

R10
E0/2=.41

E0/3=.33 E0/0=.34

E0/0=.30

R11

E0/0=.38

E0/0=.42

R14

R12 OSPF Area 0 Net: 10.10.10.x/30

10.1.1.11

R13

10.1.1.14

10.1.1.12

SW1

SW2

Q3 9 faults: Host 200.20.20.20 attached to R20 is not able to ping host 192.168.20.1, which attached to R26 in RIP domain. Fix the problem so that the following ping results in 100 percent success: R20#ping 192.168.20.1 source lo3 While you are resolving this issue, you are not allowed to shutdown any existing interface. While you are resolving these faults, you are not allowed to add any new static or Layer 3 interfaces.

192.168.20.1

E0/0=.9

R24
S1/0=.2 345

RIP

E0/1=.2 S0/1

OSPF Area 0 Net: 172.16.11.x/30

S1/0=.1 S0/0

R26

E0/0=.10

DLCI LMI CISCO

FR1 switch S0/2 354

E0/0=.1

R21

E0/0=.2

R20
E0/1=.5

315

S0/0=.3

DLCI LMI CISCO 351

VPN Site A2 171.2.2.2

OSPF MD5 Auth

R25

R22
S1/0=.1

E0/0=.11

OSPF MD5 Auth 22

S0/0 DLCI LMI ANSI

R27 OSPF Area 1 NSSA Net: 172.16.13.x/29

10.1.1.27

OSPF Area 2 Net: 172.16.12.x/30

FR2 switch S0/1

OSPF MD5 Auth

23

S0/0=.2

R23

Q4 5 faults: All four provider edge PE routers must see Loopback 1 addresses of other three PE with two available paths in their own IPv4 BGP table and must see each of these prefixes in their IPv4 routing table as BGP prefix of which the next-hop is the remote PE loopbacks 0. Make sure to accomplish this task for all four PE. Use the following output as an example of what R3 must see.

BGP AS3 PE
S1/0=.1

R3
E0/0=.6

E0/1=.34

OSPF Area 0 Net: 192.168.10.x/30

PE
E0/0=.18

R5
E0/1=.22

E0/2=.5

iBGP E0/0=.5 RR E0/3=.17

iBGP E0/3=.33 E0/2=.29

E0/0=.21

E0/1=.9 E0/0=.10

R1

E0/2=.13

R2

RR E0/1=.25 E0/1=.26

iBGP

iBGP

PE

R4

E0/1=.30

iBG P MD5 Auth OSPF MD5 Auth

E0/0=.14

R6

PE

Q5 9 faults: R8 in VPN Site-A1 cannot ping host 171.2.2.2, which is attached to R20 in VPN Site-A2. Fix the problem so that the following ping resolves in 100 percent success: R8#ping 171.2.2.2

R20#ping 171.1.1.1

Outputs should match: R1# sh mpls ldp neighbor | i Peer LDP Ident

R2# sh mpls ldp neighbor | i Peer LDP Ident

While you are resolving this issue, you are not allowed to use permit any any or permit all in existing ACLs or prefix lists. This incident contains couple separate faults. While you are resolving these faults, you are not allowed to add any new static or Layer 3 interfaces.

BGP AS3 PE
S1/0=.1

R3
E0/0=.6

E0/1=.34

OSPF Area 0 Net: 192.168.10.x/30

PE
E0/0=.18

R5
E0/1=.22

E0/2=.5

iBGP E0/0=.5 RR E0/3=.17

iBGP E0/3=.33
E0/2=.29

E0/0=.21

E0/1=.9

R1

E0/2=.13

R2

RR

E0/1=.25 E0/1=.26

E0/0=.10

iBGP

iBGP

PE

R4

E0/1=.30

iBG P MD5 Auth

E0/0=.14

R6

PE
E0/2=.1

Area 101 10.10.10.4/30

OSPF MD5 Auth

OSPF MD5 Auth S1/0=.1

Area 101 Net: 172.32.10.x/30

OSPF MD5 Auth
E0/0=.6

S1/0=.2

CE

R8

VPN Site A1 171.1.1.1

VPN Site A2 171.2.2.2

R20

CE

Q6 6 faults: All six routers in Area 0 from the MPLS Core have been connected to IPv4-IPv6 dual-stack for testing purposes. R8 is simulating an IPv6 host: it must receive its IPv6 address directly from R5 and must not participate in any IPv6 routing protocol. Loopback 100 for R4 is simulating an IPv6 server with IPv6 address 2001:CC1E:100::100/128. The Ipv6 host R8 has lost connectivity to the IPv6 server. (R4 loopback 100). Fix the problem so that the following ping resolves in 100 percent success: R8#ping 2001:CC1E:100::100

You are NOT allowed to change any existing IPv6 ACL or add new lines to it. Also do not remove completely traffic filters from any interface. You are allowed to use any method to resolve this issue but you are not allowed to manually configure a specific IPv6 address in R8. You are also not allowed to add any new static route or Layer 3 interfaces.
BGP AS3 PE
S1/0=.1

R3
E0/0=.6

E0/1=.34

OSPF Area 0 Net: 192.168.10.x/30

PE
E0/0=.18

R5
E0/1=.22

E0/2=.5

iBGP E0/0=.5 RR E0/3=.17

iBGP E0/3=.33 E0/2=.29

E0/0=.21

E0/1=.9 E0/0=.10

R1

E0/2=.13

R2

RR

E0/1=.25
E0/1=.26

iBGP

iBGP

PE

R4

E0/1=.30

iBG P MD5 Auth OSPF MD5 Auth

E0/0=.14

R6

PE
E0/2=.1

Area 101 10.10.10.4/30

OSPF MD5 Auth

E0/0=.6

CE

R8
10.1.1.8

Q7 4 faults:

Traffic that is marked with IP precedence 4 and coming from hosts 10.1.1.11 or 10.1.1.12 must reach R7 or R8 with IP precedence 5. While resolving this issue, you are not allowed to modify the configuration of any existing ACL lines in R7, R8 or R9. Fix the problem so that the following extended ping result in 100 percent success:

Verify policy output to match Class SILVER, R9# show policy-map interface Ethernet0/0
10.1.1.7

R7
E0/1=.9

E0/3=.25 E0/2=.17

E0/3=.26

R8
E0/2=.13

E0/1=.21

10.1.1.8

E0/0=.10 E0/3=.29

E0/1=.22

E0/1=.18

E0/0=.14

R9
E0/2=.37
OSPF MD5 Auth

R10
E0/2=.41

E0/3=.33 E0/0=.34

E0/0=.30

R11

E0/0=.38

E0/0=.42

R14

R12 OSPF Area 0 Net: 10.10.10.x/30

10.1.1.11

R13

10.1.1.14

10.1.1.12

SW1

SW2

Q8 4 faults: R27 Ethernet 0/1 is supposed to stat administratively enabled at all times. (It is currently connected to a hub so will stay up/up once enabled). The administrator has configured and EEM script that should automatically reenable the interface if it is manually disabled. The script is not working as expected. Fix the issue so that the interface is automatically re-enabled when someone issues the shutdown command under the interface e0/1.

E0/0=.11

R27

OSPF Area 1 NSSA Net: 172.16.13.x/29

10.1.1.27

Q9 4 faults: Host 10.1.1.16 attached to R16 is not able to use Telnet to connect to host 10.1.1.19, which is attached to R19. Fix problem so that the following Telnet connection can be established: R16#telnet 10.1.1.19 /source-interface loopback 0 Do not remove or add any ACL line in this configuration. While you are resolving this issue, you are not allowed to create any new interfaces. Refer to the Troubleshooting guidelines to determine if your solution is appropriate. Make sure that you disconnected the telnet session after verification.
EIGRP AS200 Net: 172.16.10.x/29
DHCP client 10.1.1.16 DHCP Server Network 172.16.10.16/29 E0/1

R17
NTP client

E0/0=.10 PPP CHAP

10.1.1.19

R19
E0/1=.1

E0/0=.19

NTP MD5 Auth

E0/0=.9

S0/1=.1

R16
NTP client E0/1 E0/0=.11

S1/0=.2 NTP Server

R15

DHCP client

R18
EIGRP MD5 Auth

Q10 4 faults: R20 Ethernet 1/0 must be able to use Telnet to connect to the host 172.16.11.10, which connected to R22 Ethernet 1/0. When using Telnet on port 23, the source address must always be translated to R22 Ethernet 1/0 before matching the destination host. When using Telnet on port 80, the source address must always be translated to R22 Loopback0. R20#telnet 172.16.11.10 R20#telnet 172.16.11.10 80 Do not use interface overload command. Fix the problem so that the following NAT entries are seen on R22, when the two aforementioned connections are successfully established (inside global IPs and outside global IPs and ports must match).

While you are resolving this issue, you are allowed to create any new interfaces. Refer to the Troubleshooting guidelines to determine if your solution is appropriate. Make sure that you disconnected the telnet session after verification.
R20 OSPF Area 0 Net: 172.16.11.x/30 E0/1=.5

OSPF MD5 Auth

E0/0=.6

R22

E0/1=.9 E0/0=.10

TG1

Additional Tickets. Q11 4 faults: R15 act as NTP Server. Clients are R17 and R18. Fix the problem so that the following outputs are seen on R17 and R18: R18#sh ntp associations detail | i authenticate

R18#sh ntp status

While you are resolving this issue, you are allowed to create any new interfaces. Refer to the Troubleshooting guidelines to determine if your solution is appropriate. Make sure that you disconnected the telnet session after verification.

EIGRP AS200 Net: 172.16.10.x/29

DHCP client 10.1.1.19 DHCP Server Network 172.16.10.16/29 E0/1 10.1.1.16

R17
NTP client

E0/0=.10

PPP CHAP NTP MD5 Auth

E0/0=.9

CE R15
NTP Server

R19
E0/1=.1

E0/0=.19

S0/1=.1

R16
NTP client
E0/1 E0/0=.11

S1/0=.2

DHCP client

R18
EIGRP MD5 Auth

Q12 4 faults: R7 in VPN Site-B2 cannot ping host 171.1.1.1, which is attached to R15 in VPN Site-B1. Fix the problem so that the following ping resolves in 100 percent success: R7#ping 171.1.1.1

R15#ping 171.2.2.2

Outputs should match: R1# sh mpls ldp neighbor | i Peer LDP Ident

R2# sh mpls ldp neighbor | i Peer LDP Ident

While you are resolving this issue, you are not allowed to change any configuration on R7 and R15. This incident contains couple separate faults. While you are resolving these faults, you are not allowed to add any new static or Layer 3 interfaces. While you are resolving this issue, you are allowed to create any new interfaces. Refer to the Troubleshooting guidelines to determine if your solution is appropriate. Make sure that you disconnected the telnet session after verification.
BGP AS3 PE
EIGRP AS101 MD5 Auth S1/0=.1

R3
E0/0=.6

E0/1=.34

OSPF Area 0 Net: 192.168.10.x/30

PE
E0/0=.18

1.1.10.x/30 CE R15
S0/0=.2

R5
E0/1=.22

E0/2=.5

iBGP E0/0=.5 RR E0/3=.17

iBGP E0/3=.33
E0/2=.29

E0/0=.21

E0/1=.9

R1

E0/2=.13

R2

RR E0/1=.25 E0/1=.26

E0/0=.10

iBGP

iBGP

PE
VPN Site B1 171.1.1.1

R4

E0/1=.30

iBG P MD5 Auth

E0/0=.14

R6

PE
E0/2=.1

OSPF MD5 Auth S1/0=.1

Area 101 10.10.10.0/30

OSPF MD5 Auth VPN Site B2 171.2.2.2 E0/0=.2

CE R7

10