• Erase the startup configuration and reload a router to the default state.
• Load the routers and switches with supplied scripts.
• Find and correct all network errors.
• Document the corrected network.
Scenario
For this lab, do not use login or password protection on any console lines to prevent accidental lockout. Use ciscoccna for all passwords in this scenario.
Note: Because this lab is cumulative, you will be using all the knowledge and troubleshooting techniques that you have acquired from the previous material to successfully complete this lab.
Requirements
• S2 is the spanning-tree root for VLAN 11, and S3 is the spanning-tree root for VLAN 30.
• S3 is a VTP server with S2 as a client.
• The serial link between R1 and R2 is Frame Relay.
• The serial link between R2 and R3 uses HDLC encapsulation.
• The serial link between R1 and R3 is authenticated using CHAP.
• R2 must have secure login procedures because it is the Internet edge router.
• All vty lines, except those belonging to R2, allow connections only from the subnets shown in the topology diagram, excluding the public address.
• Source IP address spoofing should be prevented on all links that do not connect to other routers.
• Routing protocols must be used securely. OSPF is used in this scenario.
• R3 must not be able to telnet to R2 through the directly connected serial link.
• R3 has access to both VLAN 11 and 30 via its Fast Ethernet port 0/1.
• The TFTP server should not get any traffic that has a source address outside the subnet. All devices have access to the TFTP server.
• All devices on the 192.168.10.0 subnet must be able to get their IP addresses from DHCP on R1. This includes S1.
• All addresses shown in diagram must be reachable from every device.
Task 1: Load Routers with the Supplied Scripts
!------------------------------------------
! R1
!------------------------------------------
no service password-encryption
!
All contents are Copyright © 1992–2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 2 of 22
enable secret ciscoccna
!
ip cef
!
ip dhcp pool Access1
 network 192.168.11.0 255.255.255.0
 network 192.168.10.0 255.255.255.0
! The network was mistyped, causing the pool to be unreachable to the
! correct subnet
 default-router 192.168.10.1
!
no ip domain lookup
!
ip dhcp excluded-address 192.168.10.2 192.168.10.254
! This statement does not belong because it excludes all of the address
! space available for DHCP
!
frame-relay switching
!
username R3 password 0 ciscoccna
username ccna password 0 ciscoccna
!
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 duplex auto
 speed auto
 no shutdown
!
interface FastEthernet0/1
 ip address 192.168.11.1 255.255.255.0
 duplex auto
 speed auto
 no shutdown
!
interface Serial0/0/0
 ip address 10.1.1.1 255.255.255.252
 encapsulation frame-relay
 no keepalive
 clockrate 128000
 frame-relay map ip 10.1.1.1 201
 frame-relay map ip 10.1.1.2 201 broadcast
 no frame-relay inverse-arp
 frame-relay intf-type dce
 no shutdown
!
interface Serial0/0/1
 ip address 10.3.3.1 255.255.255.252
 encapsulation ppp
 ppp authentication chap
 no shutdown
CCNA Exploration Accessing the WAN: Network Troubleshooting Lab 8.5.3 Troubleshooting Enterprise Networks 3
!
interface Serial0/1/0
 no ip address
 shutdown
 clockrate 2000000
!
interface Serial0/1/1
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 passive-interface FastEthernet0/0
 network 10.1.1.0 0.0.0.255 area 0
 network 10.2.2.0 0.0.0.255 area 0
 network 10.1.1.0 0.0.0.3 area 0
 network 10.2.2.0 0.0.0.3 area 0
! The wrong wildcard mask was configured, using the more common /24
! instead of the correct /30 mask
 network 192.168.10.0 0.0.0.255 area 0
 network 192.168.11.0 0.0.0.255 area 0
!
ip http server
!
ip access-list standard Anti-spoofing
 permit 192.168.10.0 0.0.0.255
 deny any
ip access-list standard VTY
 permit 10.0.0.0 0.255.255.255
 permit 192.168.10.0 0.0.0.255
 permit 192.168.11.0 0.0.0.255
 permit 192.168.20.0 0.0.0.255
 permit 192.168.30.0 0.0.0.255
!
line con 0
 exec-timeout 5 0
 logging synchronous
line aux 0
line vty 0 4
 access-class VTY in
 login local
!
end
!------------------------------------------
! R2
!------------------------------------------
no service password-encryption
!
hostname R2
!
security passwords min-length 6
enable secret ciscoccna
!
aaa new-model
!
aaa authentication login local_auth local
aaa session-id common
!
ip cef
!
no ip domain lookup
!
username ccna password 0 ciscoccna
!
interface Loopback0
 ip address 209.165.200.245 255.255.255.224
 ip access-group private in
!
interface FastEthernet0/1
 ip address 192.168.20.1 255.255.255.0
 ip access-group TFTP out
 ip access-group Anti-spoofing in
 ip nat inside
 ip nat outside
 duplex auto
 speed auto
 no shutdown
!
!
interface Serial0/0/0
 ip address 10.1.1.2 255.255.255.252
 ip nat outside
 ip nat inside
 encapsulation frame-relay
 no keepalive
 frame-relay map ip 10.1.1.1 201 broadcast
 frame-relay map ip 10.1.1.2 201
 no frame-relay inverse-arp
 no shutdown
!
interface Serial0/0/1
 ip address 10.2.2.1 255.255.255.252
 ip access-group R3-telnet in
 no shutdown
! This command was forgotten, preventing a connection to R2
 ip nat outside
 ip nat inside
! The inside and outside interfaces are applied backwards
 clockrate 128000
! A common mistake is to forget the clock rate for an interface, which
! prevents the link from coming up
!
!
router ospf 1
 passive-interface FastEthernet0/1
 network 10.1.1.0 0.0.0.3 area 0
 network 10.2.2.0 0.0.0.3 area 0
 network 192.168.20.0 0.0.0.255 area 0
 default-information originate
!
ip classless
ip route 0.0.0.0 0.0.0.0 209.165.200.226
!
no ip http server
ip nat inside source list nat interface FastEthernet0/0
ip nat inside source list NAT interface FastEthernet0/0 overload
! The access list was mistyped, specifying that no IP address will
! be translated. Also the overload keyword was omitted. This
! prevents more than one translation at a time
!
ip access-list standard Anti-spoofing
 permit 192.168.20.0 0.0.0.255
 deny any
ip access-list standard NAT
 permit 10.0.0.0 0.255.255.255
 permit 192.168.0.0 0.0.255.255
ip access-list standard private
 deny 127.0.0.1
 deny 10.0.0.0 0.255.255.255
 deny 172.0.0.0 0.31.255.255
 deny 192.168.0.0 0.0.255.255
 permit any
!
ip access-list extended R3-telnet
 deny tcp host 10.2.2.2 host 10.2.2.1 eq telnet
 deny tcp host 10.3.3.2 host 10.2.2.1 eq telnet
 deny tcp host 192.168.11.3 host 10.2.2.1 eq telnet
 deny tcp host 192.168.30.1 host 10.2.2.1 eq telnet
 permit ip any any
!
ip access-list standard TFTP
 permit 192.168.20.0 0.0.0.255
!
no aaa new-model
!
ip cef
!
no ip domain lookup
!
username R1 password ciscoccna
username ccna password ciscoccna
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 no shutdown
!
interface FastEthernet0/1.11
 encapsulation dot1Q 12
 encapsulation dot1Q 11
! The VLAN was mistyped, which puts the subnet on the wrong VLAN
 ip address 192.168.11.3 255.255.255.0
 no snmp trap link-status
!
interface FastEthernet0/1.30
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
 ip access-group Anti-spoofing in
!
!
interface Serial0/0/0
 ip address 10.3.3.2 255.255.255.252
 encapsulation ppp
 clockrate 125000
 ppp authentication chap
 no shutdown
!
interface Serial0/0/1
 ip address 10.2.2.2 255.255.255.252
 encapsulation lapb
 encapsulation hdlc
! The interface was wrongly configured as a lapb link
 no shutdown
!
router ospf 1
 passive-interface FastEthernet0/1.30
 network 10.2.2.0 0.0.0.3 area 1
 network 10.3.3.0 0.0.0.3 area 1
 network 192.168.11.0 0.0.0.255 area 1
 network 192.168.30.0 0.0.0.255 area 1
 network 10.2.2.0 0.0.0.3 area 0
 network 10.3.3.0 0.0.0.3 area 0
 network 192.168.11.0 0.0.0.255 area 0
 network 192.168.30.0 0.0.0.255 area 0
! The networks were accidentally put into the wrong area
!
ip classless
interface GigabitEthernet0/1
 shutdown
!
interface GigabitEthernet0/2
 shutdown
!
interface Vlan1
 no ip address
 no ip route-cache
!
interface Vlan10
 ip address dhcp
 no ip route-cache
!
ip default-gateway 192.168.10.1
ip http server
!
line con 0
 exec-timeout 5 0
 logging synchronous
line vty 0 4
 password ciscoccna
 login
line vty 5 15
 no login
!
end
!-----------------------------------------
! S2
!-----------------------------------------
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname S2
!
security passwords min-length 6
enable secret ciscoccna
!
no aaa new-model
vtp domain CCNA_Troubleshooting
vtp mode client
vtp password ciscoccna
ip subnet-zero
!
no ip domain-lookup
!
no file verify auto
!
!
interface FastEthernet0/4
 switchport trunk native vlan 99
! The native VLAN was changed on S3, but was then forgotten. This native
! VLAN mismatch will produce errors while trunking
 switchport trunk allowed vlan 11,30
 switchport mode trunk
!
interface range FastEthernet0/5-24
 shutdown
!
interface GigabitEthernet0/1
 shutdown
!
interface GigabitEthernet0/2
 shutdown
!
interface Vlan1
 no ip address
 no ip route-cache
!
interface Vlan11
 ip address 192.168.11.2 255.255.255.0
 no ip route-cache
!
ip http server
!
line con 0
 exec-timeout 5 0
 logging synchronous
line vty 0 4
 password ciscoccna
 login
line vty 5 15
 no login
!
end
interface Vlan1
 no ip address
 no ip route-cache
!
interface Vlan30
 ip address 192.168.30.2 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.30.1
ip http server
!
line con 0
 exec-timeout 5 0
 logging synchronous
line vty 0 4
 password ciscoccna
 login
line vty 5 15
 no login
!
end
Task 2: Find and Correct All Network Errors
Task 3: Verify that Requirements Are Fully Met
Because time constraints prevent troubleshooting a problem on each topic, only a select number of topics have problems. However, to reinforce and strengthen troubleshooting skills, you should verify that each requirement is met. To do this, present an example of each requirement (for example a show or debug command).
This is intentionally left vague because there are many ways to verify the requirements. Below is an example for requirement 1.
1. S2#show spanning-tree
VLAN0011
  Spanning tree enabled protocol rstp
  Root ID    Priority    24587
             Address     001c.57ec.2480
             This bridge is the root
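The source-address spoofing requirement can also be verified offline against a saved configuration instead of with a show command. The Python script below is an added example, not part of the original lab: the sample configuration is constructed in the style of the lab's routers, and the function names and the assumption that FastEthernet interfaces are the links that do not connect to other routers are hypothetical.

```python
import ipaddress
import re
# Constructed sample in the style of the lab's router configs (not lab output).
SAMPLE = """\
interface FastEthernet0/1.11
 ip address 192.168.11.3 255.255.255.0
!
interface FastEthernet0/1.30
 ip address 192.168.30.1 255.255.255.0
 ip access-group Anti-spoofing in
!
ip access-list standard Anti-spoofing
 permit 192.168.30.0 0.0.0.255
 deny any
"""

def parse(config):
    """Group an IOS config into {top-level line: [indented sub-commands]}."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = line.strip()
            stanzas.setdefault(current, [])
    return stanzas

def acl_network(entry):
    """'permit 192.168.30.0 0.0.0.255', 'permit host x' or 'permit any' -> network."""
    args = [t for t in entry.split()[1:] if t != "host"]
    return ipaddress.ip_network("0.0.0.0/0" if args == ["any"] else "/".join(args), strict=False)

def audit_antispoofing(config, lan_prefix="FastEthernet"):
    """Return {interface: finding}; assumes lan_prefix* are the non-router links."""
    stanzas, findings = parse(config), {}
    for header, cmds in stanzas.items():
        addr = next((m for c in cmds if (m := re.fullmatch(r"ip address ([\d.]+) ([\d.]+)", c))), None)
        if not header.startswith("interface " + lan_prefix) or addr is None:
            continue  # not a LAN interface, or no static subnet to compare against
        subnet = ipaddress.ip_interface(f"{addr[1]}/{addr[2]}").network
        acl = next((c.split()[2] for c in cmds if re.fullmatch(r"ip access-group \S+ in", c)), None)
        # Every permit entry of the inbound ACL must fall inside the interface subnet.
        permits = [acl_network(e) for e in stanzas.get(f"ip access-list standard {acl}", [])
                   if e.startswith("permit ")]
        if acl is None:
            findings[header.split()[1]] = "no inbound ACL"
        elif not permits or not all(p.subnet_of(subnet) for p in permits):
            findings[header.split()[1]] = f"ACL {acl} does not restrict sources to {subnet}"
    return findings
```

Calling audit_antispoofing(SAMPLE) reports the subinterface that has no inbound filter; an empty result means every addressed LAN interface only accepts sources from its own subnet.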
!------------------------------------------
! R1
!------------------------------------------
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
username ccna password 0 ciscoccna
!
interface Loopback0
 ip address 209.165.200.245 255.255.255.224
 ip access-group private in
!
interface FastEthernet0/1
 ip address 192.168.20.1 255.255.255.0
 ip access-group TFTP out
 ip access-group Anti-spoofing in
 ip nat outside
 duplex auto
 speed auto
!
!
interface Serial0/0/0
 ip address 10.1.1.2 255.255.255.252
 ip nat inside
 encapsulation frame-relay
 no keepalive
 frame-relay map ip 10.1.1.1 201 broadcast
 frame-relay map ip 10.1.1.2 201
 no frame-relay inverse-arp
!
interface Serial0/0/1
 ip address 10.2.2.1 255.255.255.252
 ip access-group R3-telnet in
 ip nat inside
 clockrate 128000
!
!
router ospf 1
 passive-interface FastEthernet0/1
 network 10.1.1.0 0.0.0.3 area 0
 network 10.2.2.0 0.0.0.3 area 0
 network 192.168.20.0 0.0.0.255 area 0
 default-information originate
ip cef
!
no ip domain lookup
!
username R1 password 0 ciscoccna
username ccna password 0 ciscoccna
!
interface FastEthernet0/1
 no shutdown
!
interface FastEthernet0/1.11
 encapsulation dot1Q 11
 ip address 192.168.11.3 255.255.255.0
 no snmp trap link-status
!
interface FastEthernet0/1.30
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
 ip access-group Anti-spoofing in
!
!
interface Serial0/0/0
 ip address 10.3.3.2 255.255.255.252
 encapsulation ppp
 clockrate 125000
 ppp authentication chap
!
interface Serial0/0/1
 ip address 10.2.2.2 255.255.255.252
!
router ospf 1
 passive-interface FastEthernet0/1.30
 network 10.2.2.0 0.0.0.3 area 0
 network 10.3.3.0 0.0.0.3 area 0
 network 192.168.11.0 0.0.0.255 area 0
 network 192.168.30.0 0.0.0.255 area 0
!
ip http server
!
ip access-list standard Anti-spoofing
 permit 192.168.30.0 0.0.0.255
 deny any
ip access-list standard VTY
 permit 10.0.0.0 0.255.255.255
 permit 192.168.10.0 0.0.0.255
 permit 192.168.11.0 0.0.0.255
interface GigabitEthernet0/1
 shutdown
!
interface GigabitEthernet0/2
 shutdown
!
interface Vlan1
 no ip address
 no ip route-cache
!
interface Vlan11
 ip address 192.168.11.2 255.255.255.0
 no ip route-cache
 switchport trunk allowed vlan 11,30
 switchport mode trunk
!
interface range FastEthernet0/5-24
 shutdown
!
interface GigabitEthernet0/1
 shutdown
!
interface GigabitEthernet0/2
 shutdown
!
interface Vlan1
 no ip address
 no ip route-cache
!
interface Vlan30
 ip address 192.168.30.2 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.30.1
ip http server
!
line con 0
 exec-timeout 5 0
 logging synchronous
line vty 0 4
 password ciscoccna
 login
line vty 5 15
 no login
!
end
Task 5: Clean Up
Erase the configurations and reload the routers. Disconnect and store the cabling. For PC hosts that are normally connected to other networks (such as the school LAN or to the Internet), reconnect the appropriate cabling and restore the TCP/IP settings.