answer and 642-832 -Strategy-Recipie 3612.pdf


642-832 CISCO CCNP-TSHOOT EXAMINATION PREP GUIDE [by viki]

GENERAL TIPS:

- All TTs are valid. There is no need to memorize the TTs; you need to understand them as well.

- Dumps from Exam Collection are not necessary for the exam… Networktut covers everything…

- The exam is very, very easy. Just stay calm and chill; you have so much time to do it, so don’t ever rush, just take it easy. Some of the configuration is a bit tricky, but you can easily find the mistake.

- For the HSRP TT: HSRP is mentioned in the question.

- For the IPv6 TT: IPv6 is mentioned in the question.

- No need to log out of each router/switch/host after completing a ticket. Each configuration will be defaulted to each ticket problem either when finishing a ticket or when aborting and selecting another ticket.

- Use additional commands (NOT ONLY SHOW RUN) to understand the problem.

- The order of tickets is random, not necessarily the order given here. The only way to identify each ticket is to follow a strategy based on whether you are receiving an IP address on the host, whether you can ping the routers, and how many you can ping.

- Don’t ask “what topology should I use for XXX ticket?” All the topologies represent the same network and the same connections. You should know that by now!!

- The L2 topology is a more “physical” representation of the exam network, and the L3 topology is a more “logical” representation of the network. Of course, it is easier to look in the L3 topology if you are looking for IP addresses, and in L2 if you are looking for a vlan mapping or something.

- Use the Cisco TS demo just to become familiar with the exam engine. You won’t find the exam topology there, but a similar and basic one. The demo is only for you to know what the exam engine is going to be like. Don’t expect to study anything from it.

- I wasted a lot of time trying to test some commands like “show interface status”, “show interface desc”… they don’t work at all. The only command that was very useful was “show run”.

- Please bear in mind that whatever output you see in Networktut is just a small part of the whole config (in the real exam)…. The toughest part is going through the running config and looking at the right place; familiarize yourself with that.

- The bug is still there for HSRP. You need to choose ASW1 instead of the correct answer DSW1… not sure why Cisco has not rectified it. Mention TTs the same on your marking notepad.

The LIST OF Trouble Tickets:

Ticket 1 – OSPF Authentication

Ticket 2 – HSRP Track

Ticket 3 – BGP Neighbor

Ticket 4 – NAT ACL

Ticket 5 – R1 ACL

Ticket 6 – VLAN filter

Ticket 7 – Port Security

Ticket 8 – Switchport VLAN 10

Ticket 9 – Switchport trunk

Ticket 10 – EIGRP AS

Ticket 11 – EIGRP to OSPF

Ticket 12 – IPv6 OSPF

Ticket 13 – DHCP Range

Ticket 14 – EIGRP Passive Interface

[NOTE TICKETS WILL NOT BE IN THE SAME ORDER GIVEN HERE]

TOPOLOGY IDENTIFICATION:

“There is really no best way to choose which topology to use.

Most of the time, use the IPv4 topology, as it contains most of the nodes with IP addresses. In the course of your troubleshooting, when you discover that you need more details on the ASW1 & 2 switches, that is when the Layer 2 topology is used, except for the IPv6 topology.

Any node on the IPv4 topology that is also in the Layer 2 topology has the same configuration irrespective of where you click on the node.

List all the trouble tickets on the little white board you will be given, and tick each ticket as you answer it, because this will let you know which tickets remain to look out for.”

Problem Device / Problem Description / Approach:

A –> ASW1 –> Access VLAN 10 (layer 2), host 1 - 169.x.x.x

P –> ASW1 –> Port-Channel not allowing VLAN 10 (layer 2), host 1 - 169.x.x.x

S –> ASW1 –> Port Security needs to be disabled (layer 2), host 1 - 169.x.x.x

These three L2 topologies are the easiest to identify, so just click on all TTs, find 169.x.x.x on the host, and note them down in your notepad.

H –> DSW1 –> HSRP Track 10 (layer 3), host 1 - 10.x.x.x. HSRP is mentioned in the question itself.

V –> DSW1 –> VLAN Filter (layer 2), host 1 - 10.x.x.x

E –> R4 –> DHCP wrong exclude address, host 1 - 169.x.x.x

P –> R4 –> Passive Interface under eigrp 10, host 1 - 10.x.x.x

R –> R4 –> Route Redistribution (layer 3), host 1 - 10.x.x.x

6 –> R2 –> IPv6 OSPF (IPv6 topology), ipv6 ip add. V6 is mentioned in the question itself.

B –> R1 –> BGP wrong Neighbor IP (layer 3), host 1 - 10.x.x.x

N –> R1 –> NAT ACL misconfigured (layer 3), host 1 - 10.x.x.x

A –> R1 –> ACL blocking traffic on int (layer 3), host 1 - 10.x.x.x

O –> R1 –> OSPF Authentication issue (layer 3), host 1 - 10.x.x.x

[13 TT]

NOTE-MAKING STRATEGY:

4TTs – R1 – ACL, NAT, BGP, OSPF

3TTs – ASW1 – Switch to switch, port security, vlan

2TTs – DSW1 – HSRP, VLAN Access Map

1TT – R2 – OSPF V3

4TTs – R4 – DHCP, Route Redistribution, EIGRP Passive Interface, EIGRP AS

Note the 4-3-2-1-4 pattern. [14 TT]

-Then I started going through the TTs checking the IP address of C1 – only in 4 TTs does C1 have a 169.x.x.x address.

-I associated all the TTs in the exam with each device/technology, as I listed on the write pad I was using, before I started solving and putting in the answers for the TTs.

-In this way, I was sure I didn’t mistake a TT with another solution.

AN EASIER VERSION OF BELAL’S:

Client 1 with 169.x.x.x = 4TT

1- ASW1 – Port Security

2- ASW1 – Access Vlan

3- ASW1 – Switch to Switch

4- R4 – DHCP Exclude

Client 1 Pings 10.1.1.1 & not the Server (209.65.200.241) - 3TT

1- R1 – BGP

2- R1 – ACL

3- R1 – NAT-ACL

Client 1 Pings 10.1.1.2 & not 10.1.1.1 - 1TT

1- R1 – OSPF Authentication

Client 1 Can’t Ping 10.1.1.1 – 3TT

1- DSW1 – VLAN filter

2- R4 – Redistribution

3- R4 – Passive Interface

DISTINCT TT - 2TT

1)- DSW1 – HSRP

2)- R2 – IPv6 - OSPFv3 [13TT]

NOTE-MAKING STRATEGY 2:

ASW1:

1) Access ports not in vlan10 –> Symptoms: Client 1 IP add: 169.x.x.x, not able to ping Client 2, DSW1, FTP Server.

2) Port Chnl. not allowing vlan10 –> Symptoms: Client 1 IP add: 169.x.x.x, not able to ping DSW1, FTP Server, but able to ping Cl.2.

3) Port Security –> Symp: Same as (1), i.e. Access ports not in vlan 10. 3TT

DSW1:

1) HSRP–> Issue will be mentioned in the ticket.

2) Vlan Filter–> Symp: Cl.1 ip add. 10.x.x.x, not able to ping DSW1, FTP Server. 2TT

R1:

1) OSPF Authn. –> Sym: Cl.1 ip add: 10.x.x.x & not able to ping s0/0/0/0.12 (10.1.1.1) of R1.

2) NAT ACL –> Sym: All Routers & DSW1 can ping the Web Server (209.65.200.241) but Cl.1 (10.x.x.x) cannot ping the Web Server.

3) R1 ACL –> Sym: Cl.1 (10.x.x.x), the Routers, DSW1 cannot ping the Web Server.

4) Wrong IP BGP Neigh. –> Sym: Same as above. 4TT

R2:

OSPFv3 issue will be mentioned in the ticket about not able to ping loopback interface of R2. 1TT

R4:

1) EIGRP Passive Interface –> Sym: Cl.1 (10.x.x.x), DSW1 not able to ping Fa0/0 & Fa0/1 of R4.

2) EIGRP Wrong AS No. –> Sym: Cl.1 (10.x.x.x) not able to ping s0/0/0.34 (10.1.1.10) of R4 & s0/0/0.34 (10.1.1.9) of R3.

3) Redistribution wrong Route Map name –> Sym: Same as above.

4) DHCP Range misconfigured –> Sym: Same as No. 2 of ASW1, but not sure whether Cl.1 will be able to ping Cl.2 or not. 4TT

You can also write it in a short way to save time in the exam, as per your convenience. [14TT]

Troubleshooting TTs:

#Ipconfig on client

-If it is 169.x.x.x 4TT

1. ASW1 – access vlan 10 (#show-run and check ASW1 if 1/0/1 and 1/0/2 are in Vlan1, if they are stop!)

2. ASW1 – port security (#show-run ASW1 if 1/0/1 and 1/0/2 are in Vlan10, apply #sh int for both)

3. ASW1 – switch-to-switch (#show-run ASW1)

4. R4 – DHCP excluded (#show-run R4)

If client got IP address then 2 options:

-First, if client1 can ping 10.1.1.1 not to server 209.65.200.241 ALL IN R1 3TT

1. R1 – NAT (10.2.0.0) (#show-run R1)(#sh ip BGP summary)

2. R1 – BGP (56-65) (#show-run R1)(#sh ip BGP summary)

3. R1 – ACL (#show-run R1)(#sh ip BGP summary)

Client can’t ping 10.1.1.1 but can ping 10.1.1.2, then: 1TT

4. R1 – OSPF authentication (#show-run R1 + R2)

-Second, if client1 cannot ping 10.1.1.1 4 TT

1. DSW1 (ASW1) – vlan access map (vlan acl port)

This one cannot ping even the gateway. (Check the vlan-filter command, which contains the vlan access-map; this contains the access-list no. Now check the access-list no. It can drop the packet for the PC connected to ASW1.)

2. R4 – OSPF redistribution (#show-run R4) (EIGRP->OSPF is created and EIGRP-TO-OSPF is used)

3. R4 – passive interface (#show-run R4) (#sh IP protocols)

4. A different AS no. may be used for EIGRP. To verify: #show ip protocols

Finally, there are 2 distinct TTs:

-HSRP on DSW1. Check DSW1: use track 10 instead of track 1 (#show run). This is the only question where you will see tracking.

-IPv6 on R2. On the serial interface use area 0, not area 12 (#show run) [14TT]

DETAILED HOW TO DO BASED APPROACH:

On client 1, do Ipconfig to get the IP address. On 4 TTs the IP address was 169.x.x.x (using Layer 2).

I pinged client 2 from client 1 on the 4 TTs; on only 1 TT was there no response, so on ASW1:

I did show vlan brief on the TT: int fa1/0/1 – 2 were in vlan 10. Then I did sh int fa1/0/1 and it was down. I did show run and saw port-security mac 0000.0000.0001 on int fa1/0/1, which confirmed it is the port security TT.

Then on the 3 remaining 169.x.x.x TTs, I did show vlan brief to know which vlan int fa1/0/1 and fa1/0/2 were assigned to. If int fa1/0/1 – 2 are in vlan 1, then it is the Access Vlan TT.

Then on the third TT I did show run on fa1/0/1 – 2 and they were in vlan 10; then show run revealed that vlan 20,200 were allowed on int port channel 13 and 23 but it should be vlan 10,200, so I knew it was the switch to switch TT.

On the last TT I knew it was the DHCP TT, so I did show run on R4 and I saw ip dhcp exclude 10.2.1.1-10.2.1.253. 4TT

Therefore 3TTs for ASW1-Port security, ASW1-Vlan and ASW1-Switch to switch, and 1TT for R4-DHCP.

I searched the remaining TTs for the IPv6 and HSRP questions, which were stated clearly in the questions.

In the HSRP TT it’s stated that DSW1 is configured to be active but it is not active. Do show run on DSW1 (using layer 3) and watch out for standby 10 track 1 decrement 60, which is wrong.

The Correct Answer is DSW1-HSRP- standby 10 track 10 decrement 60.

In the OSPFv3 TT it is also stated clearly that DSW1 & R4 can’t ping R2's loopback interface; then you will know that the answer is R2-OSPFv3- ipv6 ospf 6 area 0 on interface s0/0/0/0.23 2TT

THE REMAINING 7TT On client 1 do Ipconfig to get the IP address.

B) IP address was 10.2.1.3 on the 7TTs so on client 1, if u can ping 10.1.1.1 then there are

To get BGP, do show run on R1 and watch out for neighbor 209.56.200.226 remote-as 65002. Client 1 is able to ping 209.65.200.226 but can’t ping the Web Server 209.65.200.241; then the answer will be R1-BGP- change neighbor 209.56.200.226 remote-as 65002 to neighbor 209.65.200.226 remote-as 65002

To get NAT, do show run on R1 and watch out for ip access-list standard nat_pool permit 10.1.0.0. It’s supposed to be ip access-list standard nat_pool permit 10.1.0.0 and ip access-list standard nat_pool permit 10.2.0.0; that is, ip access-list standard nat_pool permit 10.2.0.0 is missing in the show run, so the answer will be R1-NAT- permit 10.2.0.0 in the nat_pool access-list

To get IP ACCESS LIST, do show run on R1 and watch out for access-list 30 permit host 209.65.200.241. It’s supposed to be access-list 30 permit host 209.65.200.241, access-list 30 permit host 209.65.200.224 0.0.0.3; that is, access-list 30 permit host 209.65.200.224 0.0.0.3 is missing, so the answer will be R1- IP ACCESS LIST- Add permit 209.65.200.224 0.0.0.3

From client 1, ping 10.1.1.1: no reply, but there is a reply if you ping 10.1.1.2 from the client. Then you will know that it’s OSPF, and the answer will be R1- OSPF- ip ospf authentication message-digest on int s0/0/0/0.12

Therefore 4TTs for R1-BGP, NAT, IP ACCESS LIST and OSPF. 4TT

THE REMAINING 3TT

On client 1 do Ipconfig to get the ip address:

IP address was 10.2.1.3 on the 3TTs, so on client 1 I pinged 10.1.1.1 and there was no reply, so I did show run on DSW1. I saw vlan access-map test1 10 and vlan filter test1 vlan-list 10, so I knew it was the VLAN ACCESS MAP TT, but when I selected DSW1 I did not see the right technology, VLAN ACCESS MAP, so I chose ASW1. So the answer is DSW1 or ASW1- VLAN ACCESS MAP- Remove vlan filter test1 from DSW1 1TT

For the remaining ones I knew the problem should be on R4.

IP address was 10.2.1.3 on the 2TTs; on client 1, ping 10.1.1.1 got no reply, so I did show run on R4. If u see passive interface, then the answer is R4-Passive interface- Remove Passive interface under EIGRP 10 int fa0/1.

Last but not least, a TT was on Route Redistribution, where the route map was not configured very well on router eigrp 10 but was configured very well on router ospf 1. Just check whether redistribute ospf 1 metric 100 10 255 1 1500 route-map EIGRP_to_OSPF is not the same as route map EIGRP->OSPF; then you will know it’s the route redistribution problem. The answer will be

R4- Route redistribution- Change the name of the route-map under the router EIGRP or router OSPF process from ‘EIGRP_to_OSPF’ to ‘EIGRP->OSPF’ 2TT

There was no TT on EIGRP AS.

IN SUMMARY:

3TTS-ASW1 (Port security, VLAN, Switch to Switch)

2TTS-DSW1 (HSRP, VLAN ACCESS MAP)

4TTS-R1 (BGP, NAT, ACL, OSPF)

1TTS-R2 (OSPFV3)

3TT-R4 (Passive Interface, Route Redistribution, DHCP Range) [13TT]
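
The R4 redistribution fault above (route-map ‘EIGRP_to_OSPF’ referenced while ‘EIGRP->OSPF’ is the one defined) is a dangling name reference, and the DSW1 fault is a vlan filter, access-map, access-list chain; both can be found mechanically in a saved running-config. The Python audit below is an added example, not part of the original guide. Its sample config is constructed, and the ACL contents, the `match ip address` numbers and the `action drop` line in it are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in IOS running-config style, modelled on the R4 and DSW1
# faults described above. It is not output captured from a real device.
SAMPLE_CONFIG = """\
router eigrp 10
 redistribute ospf 1 metric 100 10 255 1 1500 route-map EIGRP_to_OSPF
!
route-map EIGRP->OSPF permit 10
 match ip address 1
!
access-list 1 permit 10.1.4.0 0.0.0.255
access-list 10 permit 10.2.1.0 0.0.0.255
!
vlan access-map test1 10
 match ip address 10
 action drop
!
vlan filter test1 vlan-list 10
"""

DEFINITIONS = [  # (kind, pattern matched against a top-level line)
    ("route-map", re.compile(r"^route-map (\S+) (?:permit|deny)")),
    ("acl", re.compile(r"^access-list (\S+) ")),
    ("acl", re.compile(r"^ip access-list (?:standard|extended) (\S+)")),
    ("vlan-map", re.compile(r"^vlan access-map (\S+)")),
]
REFERENCES = [  # (kind, pattern searched anywhere in a line)
    ("route-map", re.compile(r"\sroute-map (\S+)")),
    ("acl", re.compile(r"\bip access-group (\S+)")),
    ("acl", re.compile(r"\bip nat inside source list (\S+)")),
    ("vlan-map", re.compile(r"^vlan filter (\S+) vlan-list")),
]


def audit(config):
    """Return undefined references, unused definitions and VLAN filter chains."""
    defined, referenced = set(), defaultdict(list)
    # Sequences of one access-map are merged; the last action seen wins.
    vlan_maps = defaultdict(lambda: {"acls": [], "action": None})
    filters, current_map = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):           # top-level line starts a new block
            current_map = None
            for kind, pat in DEFINITIONS:
                if m := pat.match(line):
                    defined.add((kind, m.group(1)))
                    if kind == "vlan-map":
                        current_map = m.group(1)
        for kind, pat in REFERENCES:
            if m := pat.search(line):
                referenced[(kind, m.group(1))].append(line)
        if m := re.match(r"vlan filter (\S+) vlan-list (\S+)", line):
            filters.append((m.group(1), m.group(2)))
        if m := re.match(r"match ip address (?!prefix-list)(.+)", line):
            for name in m.group(1).split():
                referenced[("acl", name)].append(line)
                if current_map:
                    vlan_maps[current_map]["acls"].append(name)
        if current_map and (m := re.match(r"action (drop|forward)", line)):
            vlan_maps[current_map]["action"] = m.group(1)
    chains = [
        {"vlans": vlans, "map": name, **vlan_maps[name]}
        for name, vlans in filters
    ]
    return {
        "undefined": sorted(set(referenced) - defined),
        "unused": sorted(defined - set(referenced)),
        "vlan_filters": chains,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    for kind, name in report["undefined"]:
        print(f"referenced but never defined: {kind} {name}")
    for kind, name in report["unused"]:
        print(f"defined but never referenced: {kind} {name}")
    for c in report["vlan_filters"]:
        print(f"VLAN {c['vlans']}: access-map {c['map']} matches ACL "
              f"{c['acls']} then {c['action']}")
```

An undefined name paired with an unused one of the same kind is the signature of a misspelled reference, which is how the route-map fault shows up here.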

Fresh From a 1000/1000:

I had only one BUG in the exam, for the access map question. For this you need to choose ASW1 to get the correct answer, because if you pick DSW1 you will see there is no option there to get the correct answer.

Well all those TT are the same all

The TT’s that I got are mentioned below:

1. ASW1 – Allowed Vlan

2. ASW1 – Port Security

3. ASW1 – Access Vlan

4. DSW1 – Access Map

5. DSW1 – HSRP Track

6. R4 – IP DHCP – first delete ip dhcp excluded-address 10.2.1.1 10.2.1.253 and then enter ip dhcp excluded-address 10.2.1.1 – 10.2.1.2

7. R4- EIGRP AS

8. R4- EIGRP to OSPF

9. R2 – IPv6

10. R1 – NAT ACL

11. R1 – L3 Security – ACL

12. R1 – BGP – Wrong BGP Neighbor Address

13. R1 – OSPF Authentication

I didn’t get any IP Helper there; I also checked all TTs and IP helper was not configured there.

Don’t lose your time: use abort, abort and abort. Well, now I want to describe how to find the TTs more easily.

First, the 4 TTs which are on R1.

You can ping 10.1.1.1 in the tickets that are NAT, BGP, Access list; remember, in 3 TTs you can ping 10.1.1.1, which is R1. In total there are 4 TTs on R1; in one ticket you cannot ping 10.1.1.1 but you can ping 10.1.1.2, and that ticket is OSPF authentication. 4TT

Also find the 2 TTs HSRP and IPv6, which are so clear in the question. 2TT

Next step, FIND the 4 TTs in which Client 1 gets IP address 169.x.x

Which are Access vlan 10, port security issued on f0/1/0, Trunking Interface.

These 3 TTs you must check on ASW1. 3TT

One TT is on R4, Layer 3 Topology, in which the client gets IP 169.x.x.x

DHCP on R4 router: R4 – IP DHCP – first delete ip dhcp excluded-address 10.2.1.1 10.2.1.253 and then enter ip dhcp excluded-address 10.2.1.1 – 10.2.1.2 1TT

Now, find the TT in which the client gets IP address 10.x.x.x but cannot ping the gateway, by using abort.

That is Access Map, but in this TT there is one BUG and you need to choose ASW1 to get the correct answer, because you don’t see any option Vlan ACL / Port ACL. * If you select ASW1 you will see this one: Vlan Acl Port. 1TT

Now the 2 TTs of R4 in which the client gets IP address 10.x.x.x:

Route Redistribution and Passive Interfaces

When you select one of these TTs:

In one you will see a wrong redistribute, I mean the spelling of the route-map name.

If you use abort and JUMP to another TT, you will then see the route-map name spelled correctly, and you will see another new one with Passive Interface under EIGRP. You must select R4 EIGRP - no passive interface under the eigrp process on interfaces f0/1 and f0/0. 2TT

Better to use 46Q; there all the answers are the same when you select, just there in that DUMP.

But 2 questions could be WRONG:

For Interface Trunking allow vlan 10, the correct answer is 10.200 but according to that dump it is 10.20.200.

Another one is Port security. For this one you need to choose port security with shutdown and no shutdown; the dump there has something different written.

[13TT]

Finding out which ticket is having those particular issues:

If you can ping 10.1.1.1 but not beyond, then the faulty device is definitely R1. It is simple. Any device before that does not have a faulty configuration. If you can reach R1, it means DSW1, R4, R3 and R2 are allowing you to reach R1. If any of them had a wrong configuration, you would not be able to ping 10.1.1.1.

1. Can be a faulty BGP neighbor: wrong IP address of the neighbor. Use show run. You know where to look: under router bgp 65001. –> sh ip bgp sum

2. Check the NAT access list. Look for the permit statement. If permit 10.2.0.0 0.0.255.255 is not present, then it is NAT Access list.

3. Check the edge_security access list. If the permit statement for permit 209.65.200.224 0.0.0.3 is missing, then it is IPV4 layer 3 security.

So, you can see that if you can ping 10.1.1.1 but cannot ping 209.65.200.241, then there are 3 TTs for R1.

Now, if you can ping 10.1.1.2 but cannot ping 10.1.1.1, then it is definitely R1: ip ospf authentication message-digest on the serial0/0/0/0.12 interface. Check the configuration on R1. You will see that ip ospf authentication message-digest is missing. So it is R1, OSPF, ip ospf authentication message-digest.

In summary, 3 TT: you can ping R1 but cannot ping 209.65.200.241

1 TT – You can ping 10.1.1.2 but cannot ping 10.1.1.1. 4TT

As soon as I opened a TT –> I used Ipconfig to see the ip address. If it is 169.XXX then 3 TT for ASW1.

ASW1 – 3 TT – if ip address is 169.xxxx

1. Switch port security: Symptoms for this ticket:

Client 1 is getting a 169.x.x.x ip address; Client 1 is unable to ping Client 2 as well as DSW1.

‘sh interfaces fa1/0/1’ will show the following message in the first line:

‘FastEthernet1/0/1 is down, line protocol is down (err-disabled)’

In ‘sh running-config’, you will see ‘switchport port-security mac-address 0000.0000.0001’ configured under fa1/0/1. If u did not have the port in err-disable mode but in the config there was a port security mac 0.0.0.0 command assigned, then if u do show int fa 1/0/1 it will show it as UP, so do not get confused.

2. vlan1 –> vlan10

3. Trunk allowed: int range portchannel13, portchannel23.

Switchport trunk allowed vlan none, switchport trunk allowed vlan 10,200 3TT

If HSRP is mentioned then you know it is DSW1.

If ipv6 or ospfV3 is mentioned then you know it is R2. 2TT

Now if you cannot ping 10.1.1.1 or 10.1.1.2 then you come back near the client, like DSW1, R4.

DSW1 – 1 more TT: Vlan ACL – Look for VLAN Access Map 1TT

R4 – 3 TT: EIGRP Passive interface, DHCP on R4 where the client gets IP add 169.x.x, OSPF-to-EIGRP (OSPF->EIGRP), {R4 for passive Interface} 3TT

Also we may have 2 new TTs to identify if the client now gets ip add 169.x.x

Now in total we have 3 TT on R4, 4 TT on R1, 2 TT on DSW1, 1 TT on R2, and 3 TT on ASW1.

* Note: The bug has been fixed recently, so you can select the DSW1 device; on the next page you have to scroll down and you will find the VLAN Access List/PACL option.

[13TT]


SOME MCQS FACED:

4) Which two of the following options are categories of Network Maintenance tasks?

A – Firefighting

B – Interrupt-driven

C – Policy-based

D – Structured

E – Foundational

Answer: B D

5) The following commands are issued on a Cisco router:

Router (config)#access-list 199 permit tcp host 10.1.1.1 host 172.16.1.1

Router (config)# access-list 199 permit tcp host 172.16.1.1 host 10.1.1.1

Router# debug ip packet 199

What would be the output shown on the console?

A – All IP packets passing through the router

B – Only IP packets with the source address of 10.1.1.1

C – All IP packets from 10.1.1.1 to 172.16.1.1

D – All IP packets between 10.1.1.1 to 172.16.1.1

Answer: D

You have two NTP servers 10.1.1.1 & 10.1.1.2 and want to configure a router to use 10.1.1.2 as its NTP server before falling back to 10.1.1.1. Which command will you use?

Answer: #ntp server 10.1.1.1,

# ntp server 10.1.1.2 prefer

The Bilal’s Strategy:

>> If it is 169.x.x.x there are 4TT

1. ASW1 – port security (#show-run ASW1 if 1/0/1 and 1/0/2 are in Vlan10, apply sh int for both)

2. ASW1 – access vlan 10 (#show-run and check ASW1 if 1/0/1 and 1/0/2 are in Vlan1, if they are,stop!)

3. ASW1 – switch-to-switch (#show-run ASW1)

4. R4 – DHCP excluded (#show-run R4)

——————————————————————-

->> If client got IP address then 2 options:

-First, if client1 can ping 10.1.1.1 not to server 209.65.200.241 ALL IN R1 3TT

1. R1 – NAT (10.2.0.0) (#show-run R1)(#sh ip BGP summary)

2. R1 – BGP (56-65) (#show-run R1)(#sh ip BGP summary)

3. R1 – ACL (#show-run R1)(#sh ip BGP summary)

-Second, if the client can’t ping 10.1.1.1 but can ping 10.1.1.2, then: 1TT

4- R1 – OSPF authentication (#show-run R1 + R2)

-Thirdly, if client1 cannot ping 10.1.1.1, then 4 TT

1. DSW1 (ASW1) – vlan access map (vlan acl port) *** This one cannot ping even the gateway. (Check the vlan-filter command, which contains the vlan access-map; this contains the access-list no. Now check the access-list no. It can drop the packet for the PC connected to ASW1.)

2. R4 – Route redistribution: (#show-run R4) (EIGRP->OSPF is created and EIGRP-TO-OSPF is used)

3. R4 – EIGRP Passive Interface: passive interface (#show-run R4) (#sh IP protocols)

4- R4 – EIGRP AS: a different EIGRP AS number is used. To verify: (#show IP protocols).

——————————————————————-

->> Finally, there are 2 distinct TTs, 2TT

- HSRP on DSW1: Check DSW1. Use track 10 instead of track 1 (show run); this is the only question where you will see tracking.

- OSPF IPv6 on R2: On the serial interface use area 0, not area 12 (show run). You will recognize this TT by reading the ticket, because it is the only TT which talks about IPv6. [14TT]

Bottom UP Strategy (slightly modified version of ENA):

Ipconfig – on client 1

If ip address is 169.x.x.x follow Step 1,

If ip is 10.x.x.x jump to Step 2 .

######

#Step 1# IF client IP is 169.x.x.x or no IP at all, there could be 5 TTs.

######

TT1: check whether the fa1/0/1 port of ASW1 has ‘Port Security MAC Address 0000.0000.0001’

TT2: check whether fa1/0/1 is a member of VLAN 10 on ASW1 – switchport access vlan 10

TT3: check whether VLAN 10 is allowed on Trunk/EtherChannel PO13 and 23 on ASW1 – Switch to Switch connectivity

TT4: if Fa1/0/1 hasn’t got Port Security, and it is a member of VLAN 10, and VLAN 10 is allowed on PO13 and 23, then check the DHCP Exclude Addresses on R4.

TT5: if all of the above is O.K., don’t forget to check ‘IP Helper Address 10.1.4.5’ (R4’s fa0/0 address) under the VLAN 10 configuration on DSW1 [VERIFICATION REQUIRED]

#######

# Step 2 # IF client IP is 10.x.x.x

#######

TT6: Ping default gateway 10.2.1.254 (DSW1), if it failed, check VLAN Filter statement of DSW1.

no vlan filter test1 vlan-list 10

Trouble tickets on R1 (3 TTs where you can ping 10.1.1.1 & 1 TT where you can’t ping 10.1.1.1)

If pinging the default gateway is O.K., then ping R1 10.1.1.1; if that ping is O.K., then there could be three TTs.

TT7: If R1 can ping the web server, then R1, R2, R3, R4, DSW1 and DSW2 can also ping the web server. This tells you about the ACL NAT_Traffic issue on R1.

If R1 cannot ping the web server, there could be 2 TTs:

TT8: Check the BGP neighbour address under the BGP 65001 config on R1; a wrong neighbour IP is entered.

TT9: Check whether the ACL Edge_Security list has got the ‘permit 209.65.200.224 0.0.0.3 any’ statement.

There’s another TT on R1:

TT10: Client cannot ping 10.1.1.1 and can ping 10.1.1.2. Check the ‘ospf authentication message-digest’ statement on R1 under the s0/0/0/0 config.

Now, client can ping DSW1 but cannot ping any IP of R1.

Ping fa0/0 interface of R4. If this fails, there are two TTs.

TT11: On R4, under EIGRP config, check if ‘passive default’ statement is there.

TT12: On R4, under EIGRP config, check if AS No. is 10

There’s another TT on R4, where client can ping fa0/0 of R4, but cannot ping s0/0/0/0.

TT13: Check redistribution statement under EIGRP and OSPF config on R4.

#####################

# Now the two easiest TTs #

#####################

TT14: DSW1 is not becoming active HSRP. Under the VLAN 10 config of DSW1 it should be ‘standby 10 track 10 decrement 60’

TT15: IPv6 – R2 and R3 are not becoming members. Check ‘ipv6 ospf 6 area 0’ under s0/0/0/0.23 on R2

[15TT]

TIP: Always use the L2 topology first and check all 13TT. After you have got all 3 L2 TTs, do them first. There’s an exception actually, which is in the L3 topology and pertains to the DHCP server not assigning an IP address to the client.

ALL THE BEST.

UPDATE THIS DOCUMENT TO MAKE IT MORE ACCURATE.