642-832 CISCO CCNP-TSHOOT EXAMINATION PREP GUIDE [by viki]

GENERAL TIPS: -All TT are valid, no need to memorizing the TT as well you need to understand -Dumps, from exam collection, are not necessary for the exam Networktut covers everything - The exam is very very easy, just stay calm and chill, you have so much time to do it, so dont ever rush, just take it easy. Some of the configuration is a bit tricky but you can easily find out the mistake. -For HSRP TT In the qus mentioned as HSRP -For IPv6 TT In the qus mentioned IPv6 - No need to logout of each router/switch/host after completing a ticket. Each configuration will be defaulted to each ticket problem either when finishing a ticket or when aborting and selecting other ticket - Use additional command (NOT ONLY SHOW RUN) to understand the problem. - The order of tickets is random, not necessarily in the order given here. The only way to identify each ticket is following a strategy based on if you are receiving an IP address on the host, and if you can ping routers and how many you can ping. - Dont ask what topology should I use for XXX ticket? All the topologies are representing the same network and same connections. You should know that by now!! . -L2 topology is a more physical representation of the exam network, and L3 topology is a more logical representation of the network. Of course, it would be easier to look in the L3 topology if you are looking for IP addresses, and in L2 if you are looking for a vlan mapping or something. - Use the Cisco TS demo just to be familiar with the exam engine. You wont find there the exam topology, but a similar and basic one. The demo is only for you to know how the exam engine is going to be like. Dont expect to study anything from it. -I wasted a lot of time trying to test some commands like show interface status, show interf ace desc they dont work at all. The only command that is very useful was show run -Please bear in mind whatever output you see in Networktut is just a small part of the whole config (in real exam). the toughest part is going thru the running config and looking at the right place familiarize with that -The bug is still there for HSRP. you need to choose ASW1 instead of the correct answer DSW1not sure why Cisco has not rectified it. Mention TTs the same on your marking notepad.

The LIST OF Trouble Tickets: Ticket 1 OSPF Authentication Ticket 2 HSRP Track Ticket 3 BGP Neighbor Ticket 4 NAT ACL Ticket 5 R1 ACL Ticket 6 VLAN filter Ticket 7 Port Security Ticket 8 Switchport VLAN 10 Ticket 9 Switchport trunk Ticket 10 EIGRP AS Ticket 11 EIGRP to OSPF Ticket 12 IPv6 OSPF Ticket 13 DHCP Range Ticket 14 EIGRP Passive Interface [NOTE TICKETS WILL NOT BE IN THE SAME ORDER GIVEN HERE]

TOPOLOGY IDENTIFICATION: There is no really best way to choose which topology to use. Most of the time use IPV4 topology as it contains most of the nodes with IP addresses and in the cause of your troubleshooting When you discovered that you need more details on the ASW1 & 2 switches that is when Layer 2 topology is used except for the ipv6 topology. Any node on IPV4 topology that is in Layer 2 topology have same configuration irrespective of where you click on the nodes. List out all the trouble ticket on the white little board you will be giving and tick each ticket as you answer them because this will let you know which tickets are remaining to look out for.

Problem Device Problem Description Approach: A > ASW1 > Access VLAN 10 (Layer 2 )host 1- 169.x.x.x P > ASW1 > Port-Channel not allowing VLAN 10 (layer 2) host 1- 169.x.x.x S > ASW1 > Port Security needs to be disabled (layer 2) host 1- 169.x.x.x These three L2 topologies are the most easiest to identify so just click on all TTs and find 169.x.x.x in host and note them down in your notepad. H > DSW1 > HSRP Track 10 (layer 3) host 10.x.x.x. HSRP is mentioned in the Question Itself. V > DSW1 > VLAN Filter (layer 2) host 1 -10.x.x.x E > R4 > DHCP wrong exclude address host 1- 169.x.x.x P > R4 -> Passive Interface Under eigrp 10 host 1 10.x.x.x R > R4 > Route Redistribution (layer 3) host 1- 10.x.x.x 6 > R2 > IPv6 OSPF (Ipv6 topology) ipv6 ip add. V6 is mentioned in the Question Itself.

B > R1 > BGP wrong Neighbor IP (layer 3) host 1 10.x.x.x N > R1 > NAT ACL miss configured (layer 3) host 1- 10.x.x.x A > R1 > ACL blocking traffic on int ( layer 3 )host 1- 10.x.x.x O > R1 > OSPF Authentication issue ( layer 3 ) host 1 10.x.x.x [13 TT]

NOTE MAKING STRATERGY: 4TTs R1 ACL, NAT, BGP, OSPF 3TTs ASW1 Switch to switch, port security, vlan 2TTs DSW1 HSRP, VLAN Access Map 1TT R2 OSPF V3 4TTs R4 DHCP, Route Redistribution, EIGRP Passive Interface, EIGRP AS Note the 4-3-2-1-4 pattern. -Then I started going through the TTs checking the IP address of C1 only in 4 TTs does C1 have a 169.x.x.x address. -I associated all the TTs in the exam with each device/technology as I listed on the write pad I was using before I started solving and putting in the answers for the TTs. -In this way, I was sure I didnt mistake a TT with another solution. [14 TT]

AN EASIER VERSION OF BELALS:

Client 1 with 169.x.x.x.x = 4TT 1- ASW1 Port Security 2- ASW1 Access Vlan 3- ASW1 Switch to Switch 4- R4 DHCP Exclude Client 1 Pings 10.1.1.1 & not the Server(209.65.200.241)- 3TT 1- R1 BGP 2- R1 ACL 3- R1 NAT-ACL

Client 1 Pings 10.1.1.2 & not 10.1.1.1- 1 TT 1- R1 OSPF Authentication

Client 1 Cant Ping 10.1.1.1 3TT 1- DSW1 VLAN filter 2- R4 Redistribution 3- R4 Passive Interface

DISTINCT TT- 2 TT 1)- DSW1 HSRP 2)- R2 IPV6- OSPRv3 ! [13TT]

NOTES MAKING STRATERGY 2:

ASW1: 1) Access ports not in vlan10 > Symptoms: Client1 IP add: 169.x.x.x not able to ping Client 2, DSW1, FTP Server. 2) Port Chnl. not allowing vlan10 > Symptoms: Client.1 IP add: 169.x.x.x not able to ping DSW1, FTP Server but able to ping Cl.2. 3) Port Security> Symp: Same as (1) i.e. Access ports not in vlan 10. DSW1: 1) HSRP> Issue will be mentioned in the ticket. 2) Vlan Filter> Symp: Cl.1 ip add. 10.x.x.x, not able to ping DSW1, FTP Server. R1: 1) OSPF Authn.>Sym:Cl.1 ip add: 10.x.x.x & not able to ping s0/0/0/0.12(10.1.1.1) of R1. 2) NAT ACL>Sym: All Routers & DSW1 can ping the Web Server (209.65.200.241) but Cl.1 (10.x.x.x) cannot ping the Web Server. 3) R1 ACL> Sym: Cl.1(10.x.x.x), the Routers, DSW1 cannot ping the Web Server. 4) Wrong IP BGP Neigh.> Sym: Same as above. R2: OSPFv3 issue will be mentioned in the ticket about not able to ping loopback interface of R2. R4: 1) EIGRP Passive Interface>Sym: Cl.1(10.x.x.x), DSW1 not able to ping Fa0/0 & Fa0/1 of R4. 2) EIGRP Wrong AS No.>Sym: Cl.1(10.x.x.x) not able to ping s0/0/0.34 (10.1.1.10) of R4 & s0/0/0.34 (10.1.1.9) of R3. 3) Redistribution wrong Route Map name>Sym: Same as above. 4) DHCP Range misconfigured.> Sym: Same as No. 2 of ASW1 but not sure whether Cl.1 will be able to ping Cl.2 or not. 4TT You can also write it in a short way to save time in exam as per your convenience. [14TT] 1TT 4TT 2TT 3TT

Troubleshooting TTs:
#Ipconfig on client -If it is 169.x.x.x 4TT

1. ASW1 access vlan 10 (#show-run and check ASW1 if 1/0/1 and 1/0/2 are in Vlan1, if they are stop!) 2. ASW1 port security (#show-run ASW1 if 1/0/1 and 1/0/2 are in Vlan10, apply #sh int for both) 3. ASW1 switch-to-switch (#show-run ASW1) 4. R4 DHCP excluded (#show-run R4) If client got IP address then 2 options: -First, if client1 can ping 10.1.1.1 not to server 209.65.200.241 ALL IN R1 1. R1 NAT (10.2.0.0) (#show-run R1)(#sh ip BGP summary) 2. R1 BGP (56-65) (#show-run R1)(#sh ip BGP summary) 3. R1 ACL (#show-run R1)(#sh ip BGP summary) Client cant ping 10.1.1.1 but it can ping to 10.1.1.2) then: 4. R1 OSPF authentication (#show-run R1 + R2) -Second, if client1 cannot ping 10.1.1.1 1. DSW1 (ASW1) vlan access map (vlan acl port) This one cannot ping even gateway (Check vlan-filter command, which contain vlan access-map, this contain access-list no., now check access-list no. It can drop the packet for PC connected to ASW1.) 2. R4 OSPF redistribution (#show-run R4)(EIGRP->OSPF is created and EIGRP-TO-OSPF is used) 3. R4 passive interface (#show-run R4)(#sh IP protocols ) 4. It may different AS no. for EIGRP is used To verify #Show IP protocols Finally, there are distinct 2TT 4 TT 1TT 3TT

-HSRP on DSW1. Check DSW1 Use track 10 instead of track 1 (#show run) and this is the only question you will see tracking. -IPv6 on R2. On serial interface use area 0, not area 12 (#show run) [14TT]

DETAILED HOW TO DO BASED APPROACH: On client 1, do Ipconfig to get the IP address, 4TTs that the Ip address were 169.x.x.x (Using Layer 2) I ping client 2 from 1 on the 4TTs, its only 1TT that there was no response so on ASW1 : I did show vlan brief on the TT, int fa1/0/1 2 were in vlan 10 then i did sh int fa1/0/1 it was down, I did show run i saw port-security mac 0000.0000.0001 on int fa1/01 which confirmed its port security TT. Then on the 3 remaining 169.x.x.x TTs, I did show vlan brief to know which vlan int fa1/0/1 and fa1/0/2 were assigned. If int fa1/0/1 2 are in vlan 1, then it is Access Vlan TT. Then on the third TT I did show run on fa1/0/1 2 they were in vlan 10, then show run reveals that vlan 20,200 were allowed on int port channel 13 and 23 but it should be vlan 10,200 so I knew its switch to switch TT On the last TT I knew its DHCP TT .so I did show run on R4 and I saw ip dhcp exclude 10.2.1.110.2.1.253.

4TT

Therefore 3TTS for ASW1-Port security, ASW1-Vlan and ASW1-Switch to switch and 1TT for R4-DHCP. I searched the remaining TTs for IPv6 and HSRP questions which were stated clearly in the questions. In HSRP TT its stated that DSW1 is configure to be active but it is not active do show run on DSW1 (using layer3) watch out for standby 10 track 1 decrement 60 which is wrong. The Correct Answer is DSW1-HSRP- standby 10 track 10 decrement 60. In OSPFv3 TT it is also stated clearly that DSW1 & R4 cant ping R2's loopback interface then you will know that the answer is R2-OSPv3- ipv6 ospf 6 area 0 on interface s0/0/0/0.23 2TT

THE REMAINING 7TT On client 1 do Ipconfig to get the IP address. B) IP address was 10.2.1.3 on the 7TTs so on client 1,if u can ping 10.1.1.1 then there are To get BGP, do show run on R1 watch out for neighbor 209.56.200.226 remote-as 65002 , Client 1 is able to ping 209.65.200.226 but cant ping the Web Server 209.65.200.241 then the answer will be R1-BGP- change neighbor 209.56.200.226 remote-as 65002 to neighbor 209.65.200.226 remote-as 65002 To get NAT, do show run on R1, watch out for ip access-list standard nat_pool permit 10.1.0.0 its suppose to be ip access-list standard nat_pool permit 10.1.0.0 and ip access-list standard nat_pool permit 10.2.0.0 that is permit ip access-list standard nat_pool permit 10.2.0.0 is missing in the show run so the answer will be R1-NAT- permit 10.2.0.0 in the nat_pool access-list

To get IP ACCESS LIST, do show run on R1, watch out for access-list 30 permit host 209.65.200.241 its suppose to be access-list 30 permit host 209.65.200.241, access-list 30 permit host 209.65.200.224 0.0.0.3 that is access-list 30 permit host 209.65.200.224 0. 0.0.3 Is missing so the answer will be R1- IP ACCESS LIST- Add permit 209.65.200.224 0.0.0.3 From client1 ping 10.1.1.1 no reply but there is reply if you ping 10.1.1.2 from client then you will know that its OSPF then answer will be R1- OSPF- ip ospf authentication message-digest on int s0/0/0/0.12 4TT

Therefore 4TTs for R1-BGP, NAT, IP ACCESS LIST and OSPF. THE REMAINING 3TT On client 1 do Ipconfig to get the ip address:

IP address was 10.2.1.3 on the 3TTs so on client 1 ping 10.1.1.1 there was no reply so I did show run on DSW1 I saw vlan access-map test1 10. vlan filter test1 vlan-list 10 I knew its VLAN ACCESS MAP TT but when I selected DSW1 I did not see the right technology that VLAN ACCESS MAP so I chose ASW1 so Answer is DSW1or ASW1- VLAN ACCESS MAP- Remove vlan filter test1 from DSW1 1TT Remaining I knew the problem should be on R4

IP address was 10.2.1.3 on the 2TTs on client 1 ping 10.1.1.1 there was no reply so I did show run on R4 if u see passive interface then the answer is R4-Passive interface- Remove Passive interface under EIGRP 10 int fa0/1. Last but not the least TT was on Route Redistribution where the route map was not configure very well on router eigrp 10 but was configured very well on router ospf 1 just check if redistribute ospf 1 metric 100 10 255 1 1500 route-map EIGRP_to_OSPF is not the same with route map EIGRP->OSPF then you will know its route redistribution problem answer will be R4- Route redistribution-Change the name of the route-map under the router EIGRP or router OSPF process from EIGRP_to_OSPF to EIGRP->OSPF 2TT There was no TT on EIGRP AS. IN SUMMARY: 3TTS-ASW1 (Port security, VLAN, Switch to Switch) 2TTS-DSW1 (HSRP, VLAN ACCESS MAP) 4TTS-R1 (BGP, NAT, ACL, OSPF) 1TTS-R2 (OSPFV3) 3TT-R4 (Passive Interface, Route Redistribution, DHCP Range) [13TT]

Fresh From a 1000/1000: I had only one BUG IN exam For question access map. For this you need to choice Aswn1 to get correct answer because if u make Dwsn1 U will see not there Option to get correct answer. Well all those TT are the same all The TTs that I got are mentioned below: 1. ASW1 Allowed Vlan 2. ASW1 Port Security 3. ASW1 Access Vlan 4. DSW1 Access Map 5. DSW1 HSRP Track 6. R4 IP DHCP first delete ip dhcp excluded-address 10.2.1.1 10.2.1.253 and then enter ip dhcp excluded-address 10.2.1.1 10.2.1.2 7. R4- EIGRP AS 8. R4- EIGRP to OSPF 9. R2 IPv6 10. R1 NAT ACL 11. R1 L3 Security ACL 12. R1 BGP Wrong BGP Neighbor Address 13. R1 OSPF Authentication I didnt get there any IP Helper there also I checked all TT and IP helper was not configured there. Dont lose your time use abort, abort and abort. Well now I want to describe how to find easier the TT First with 4 TT which be ON R1. You can Ping 10.1.1.1 which tickets are Nat, BGP, Access list, remember IN 3 TT U can ping 10.1.1.1 which is R1. Totally are 4 TT on R1 which IN one Ticket u cannot ping 10.1.1.1 but u can ping 10.1.1.2 which Ticket is Ospf authentication. 4TT Also Find 2 TT HSRP and IPV6 which are so clearly as question. 2TT

Next step, FIND 4 TT which Client 1 Get IP address 169.x.x Which are Access vlan 10 , port security issued on f0/1/0 , Trunking Interface. These 3 TT you must Check ON ASW1. One TT is ON R4 Layer 3 Topology which Client get IP 169.x.x.x DHCP ON R4 router R4 IP DHCP first delete ip dhcp excluded-address 10.2.1.1 10.2.1.253 and then enter ip dhcp excluded-address 10.2.1.1 10.2.1.2 1TT Now, Find TT which Client get IP address 10.x.x.x but cannot ping the Gateway by Using abort That Is Access Map but in this TT is one BUG and U need to choice ASW1 to get Correct answer because doesnt see any option Vlan ACL / Port ACL * IF u select AWS1 U will see this One Vlan Acl Port. 1TT Now 2 TT Of R4 which Client get IP address 10.x.x.x Route Redistribution and Passive Interfaces When select One TT of them In one you will see wrong redistribute I mean name of spelling of Route map If you use abort and JUMP another TT U will see then Correctly Route map spelling name and u will see another one new with Passive Interface under EIGRP. You must select R4 EIGRP-no passive interface under eigrp process in Interface f0/1 and f0/0. 2TT Better to Use 46Q there are all the answers the same when you select just there in that DUMP. But 2 questions could be WRONG For Interface Trunking allow vlan 10, Correct answer is 10.200 but according to that dump 10.20.200. Another one Port security. For this one port security need to choice with shutdown and no shutdown there on dump write something different right.

3TT

[13TT]

Finding out which ticket is having those particular issues: If you can ping 10.1.1.1 but not beyond, then faulty device is definitely R1. It is simple. Any device before that does not have faulty configuration. If you can reach R1 it means DSW1, R4, R3, R2 is allowing you to reach R1. If any of them had wrong configuration then you would not be able to ping 10.1.1.1. 1. Can be faulty BGP neighbor. Wrong ip address of neighbor. Use show run. You know where to look. Under router bgp 65001.> sh ip bgp sum 2. Check NAT access list. Look for permit statement. If permit 10.2.0.0 0.0.255.255 is not present then it is NAT Access list. 3. Check edge_security access list. If the permit statement is missing for permit 209.65.200.224 0.0.0.3 then it is IPV4 layer 3 security. So, you can see that if you can ping 10.1.1.1 but cannot ping 209.65.200.241 then 3 TT for R1. Now if you can ping to 10.1.1.2 but cannot ping 10.1.1.1 then it is definitely R1. IP ospf authentication message-digest on serial0/0/0/0.12 interface. Check configuration on R1. You will see that ip ospf authentication message-digest is missing. So it R1, OSPF, ip ospf authentication message digest. In Summary, 3 TT You can ping R1 but cannot ping 209.65.200.241 1 TT You can ping 10.1.1.2 but cannot ping 10.1.1.1. As soon as I opened a TT > I used Ipconfig to see the ip address. If it is 169.XXX then 3 TT for ASW1. ASW1 3 TT if ip address is 169.xxxx 1. Switch port security: Symptoms for this ticket: Client 1 is getting 169.x.x.x ip address, Client 1 is unable to ping Client 2 as well as DSW1. sh interfaces fa1/0/1' will show following message in the first line EnFastEthernet1/0/1 is down, line protocol is down (err-disabled) sh running-config, you will see switchport port-security Mac-address 0000.0000.0001' configured under fa1/0/1. If u did not have the port in err-disable mode but in the config there was a port security mac 0.0.0.0. Command assigned so if u do show int fa 1/0/1 it will show it as UP so do not get confused 2. vlan1> vlan10 3. Trunk allowed: int range portchannel13, portchannel23. Switchport trunk allowed vlan none, switchport trunk allowed vlan 10,200 If HSRP mentioned then you know it is DSW1 3TT 4TT

If ipv6 or ospfV3 mentioned then you know it is R2. Now if you cannot ping 10.1.1.1 or 10.1.1.2 then you come back near client. Like DSW1, R4. DSW1 1 more TT Vlan ACL Look for VLAN Access Map R4 3 TT: EIGRP Passive interface, DHCP on R4 which get IP add 169.x.x, OSPF-to-EIGRP (OSPF->EIGRP), {R4 for passive Interface} Also we may get have 2 TT new to identify them if client now get ip add 169.x.x Now totally we have 3 TT ON R4, 4 TT on R1, Dws1 2 TT, R2 1 TT, and Asw1 3 TT. * Note: The bug has been fixed recently so you can select DSW1 device, next page you have to scroll down and you will find the VLAN Access List/PACL option.

2TT

1TT

3TT

[13TT]

SOME MCQS FACED: 4) Which two of the following options are categories of Network Maintenance tasks? A Firefighting B Interrupt-driven C Policy-based D Structured E Foundational Answer: B D 5) The following commands are issued on a Cisco router: Router (config)#access-list 199 permit tcp host 10.1.1.1 host 172.16.1.1 Router (config)# access-list 199 permit tcp host 172.16.1.1 host 10.1.1.1 Router# debug ip packet 199 What would be the output shown on the console? A All IP packets passing through the router B Only IP packets with the source address of 10.1.1.1 C All IP packets from 10.1.1.1 to 172.16.1.1 D All IP packets between 10.1.1.1 to 172.16.1.1 Answer: D You have two NTP servers 10.1.1.1 & 10.1.1.2 and want to configure a router to use 10.1.1.2 as its NTP server before falling back to 10.1.1.1. Which command will you use? Answer: #ntp server 10.1.1.1, # ntp server 10.1.1.2 prefer

The Bilals Strategy : mail belal_fouzi@yahoo.com >> If it is 169.x.x.x there are 1. ASW1 port security (#show-run ASW1 if 1/0/1 and 1/0/2 are in Vlan10, apply sh int for both) 2. ASW1 access vlan 10 (#show-run and check ASW1 if 1/0/1 and 1/0/2 are in Vlan1, if they are,stop!) 3. ASW1 switch-to-switch (#show-run ASW1) 4. R4 DHCP excluded (#show-run R4) ->> If client got IP address then 2 options: -First, if client1 can ping 10.1.1.1 not to server 209.65.200.241 ALL IN R1 1. R1 NAT (10.2.0.0) (#show-run R1)(#sh ip BGP summary) 2. R1 BGP (56-65) (#show-run R1)(#sh ip BGP summary) 3. R1 ACL (#show-run R1)(#sh ip BGP summary) -Second, Client cant ping 10.1.1.1 but it can ping to 10.1.1.2) then: 4- R1 OSPF authentication (#show-run R1 + R2) -Thirdly, if client1 cannot ping 10.1.1.1, then 4 TT 1TT 3TT 4TT

1. DSW1 (ASW1) vlan access map (vlan acl port) *** this one cannot ping even gateway (Check vlanfilter command, which contain vlan access-map, this contain access-list no., now check access-list no. It can drop the packet for PC connected to ASW1.) 2. R4 Route redistribution: (#show-run R4) (EIGRP->OSPF is created and EIGRP-TO-OSPF is used) 3. R4 EIGRP Passive Interface: passive interface (#show-run R4)(#sh IP protocols ) 4- R4-EIGRP AS: AS number of EIGRP is different is used To verify (#show IP protocols). ->> Finally, there are 2 distinct TTs, 2TT

- HSRP on DSW1: Check DSW1 Use track 10 instead of track 1 (show run) and this is the only question you will see tracking. - OSPF IPv6 on R2: On serial interface use area 0, not area 12 (show run), you will recognize this TT by reading ticket because it is the only TT which says about IPv6. [14TT]

Bottom UP Strategy (slightly modified version of ENA):

Ipconfig on client 1 If ip address is 169.x.x.x follow Step 1, If ip is 10.x.x.x jump to Step 2 . ###### #Step 1# IF client IP is 169.x.x.x or no IP at all, there could be 5 TTs. ###### TT1: check fa1/0/1 port of ASW1 has Port Security MAC Address 0000.0000.0001 TT2: check if fa1/0/1 is member of VLAN 10 on ASW1 switchport access vlan 10 TT3: check if VLAN 10 is allowed on Trunk/Ether Channel PO13 and 23 on ASW1 Switch to Switch connectivity TT4: if Fa1/0/1 hasnt got Port Security, and it is member of VLAN 10, and VLAN 10 is allowed on PO13 and 23, then check DHCP Exclude Addresses on R4. TT5: if all above is O.K, dont forget to check IP Helper Address 10.1.4.5 (R4s fa0/0 address) under VLAN 10 configuration on DSW1 [VERIFICATION REQUIRED] ####### # Step 2 # IF client IP is 10.x.x.x ####### TT6: Ping default gateway 10.2.1.254 (DSW1), if it failed, check VLAN Filter statement of DSW1. no vlan filter test1 vlan-list 10 Trouble tickets on R1 (3 tts where you can ping 10.1.1.1 & 1 tt where you cant ping 10.1.1.1) If pinging default gateway is O.K, then ping R1 10.1.1.1, if pinging is O.K then there could be three TTs. TT7: If R1 can ping webserver, then R1, R2, R3, R4 and DSW1 and DSW2 can also ping web server. It is telling you about ACL NAT_Traffic issue on R1. If R1 cannot ping web server, there could be 2 TTs: TT8: Check BGP neighbour address under BGP 65001 config on R1, wrong neighbour IP is entered.

TT9: Check ACL Edge_Security list if it go permit 209.65.200.224 0.0.0.3 any statement Theres another TT on R1: TT10: Client cannot ping 10.1.1.1 and can ping 10.1.1.2. Check ospf authentication message-digest statement on R1 under s0/0/0/0 config. Now, client can ping DSW1 but cannot ping any IP of R1. Ping fa0/0 interface of R4. If this fails, there are two TTs. TT11: On R4, under EIGRP config, check if passive default statement is there. TT12: On R4, under EIGRP config, check if AS No. is 10 Theres another TT on R4, where client can ping fa0/0 of R4, but cannot ping s0/0/0/0. TT13: Check redistribution statement under EIGRP and OSPF config on R4. ##################### #Now two most easiest TTs # ##################### TT14: DSW1 is not becoming active HSRP. Under VLAN 10 config of DSW1 it should be standby 10 track 10 decrement 60 TT15: IPv6 R2 and R3 are not becoming members. Check ipv6 ospf 6 area 0 under s0/0/0/0.23 on R2 [15TT]

TIP: Always use first the L2 topology and check all 13TT. After you got all 3 L2 TT, Do em First. Theres an exemption actually, this is in L3 topology which pertains to DHCP sever and not assigning an IP address to client.

ALL THE BEST. UPDATE THIS DOCUMENT TO MAKE IT MORE ACCURATE.