
CCNP TSHOOT

Lab Manual
Version 7

Instructor’s Answer Key

Cisco Networking Academy

Cisco Press
800 East 96th Street
Indianapolis, Indiana 46240 USA

CCNA TSHOOT Lab Manual Version 7


Cisco Networking Academy
Copyright © 2015 Cisco Systems, Inc.
Published by:
Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA
All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means,
electronic or mechanical, including photocopying, recording, or by any information storage and retrieval
system, without written permission from the publisher, except for the inclusion of brief quotations in a review.
Printed in the United States of America
First Printing May 2015
Library of Congress Control Number: 2015932129
ISBN-13: 978-1-58713-403-6
ISBN-10: 1-58713-403-9

Instructor’s Answer Key


ISBN-13: 978-0-13-405122-2
ISBN-10: 0-13-405122-X

Warning and Disclaimer


This book is designed to provide information about networking. Every effort has been made to make this book
as complete and as accurate as possible, but no warranty or fitness is implied.
The information is provided on an “as is” basis. The authors, Cisco Press, and Cisco Systems, Inc. shall have
neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the
information contained in this book or from the use of the discs or programs that may accompany it.
The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc.

Trademark Acknowledgments
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately
capitalized. Cisco Press or Cisco Systems, Inc., cannot attest to the accuracy of this information. Use of a term
in this book should not be regarded as affecting the validity of any trademark or service mark.

This book is part of the Cisco Networking Academy series from Cisco Press. The products
in this series support and complement the Cisco Networking Academy curriculum. If you
are using this book outside the Networking Academy, then you are not preparing with a
Cisco trained and authorized Networking Academy provider.
For more information on the Cisco Networking Academy or to locate a Networking
Academy, please visit www.cisco.com/edu.

Feedback Information
At Cisco Press, our goal is to create in-depth technical books of the highest quality and
value. Each book is crafted with care and precision, undergoing rigorous development that
involves the unique expertise of members from the professional technical community.
Readers’ feedback is a natural continuation of this process. If you have any comments
regarding how we could improve the quality of this book, or otherwise alter it to better suit
your needs, you can contact us through email at feedback@ciscopress.com. Please make
sure to include the book title and ISBN in your message.
We greatly appreciate your assistance.

Publisher Paul Boger


Associate Publisher Dave Dusthimer
Business Operations Manager, Cisco Press Jan Cornelssen
Executive Editor Mary Beth Ray
Managing Editor Sandra Schroeder
Editorial Assistant Vanessa Evans
Cover Designer Mark Shirar
Proofreader Chuck Hutchinson

Contents

Chapter 1: Troubleshooting Methods
No labs for this chapter

Chapter 2: Structured Troubleshooting
No labs for this chapter

Chapter 3: Network Maintenance Tasks and Best Practices
Lab 3-1 Assembling Maintenance and Troubleshooting Tools

Chapter 4: Basic Switching and Routing Process and Effective IOS Troubleshooting Commands
Lab 4-1 Layer 2 Issues
Lab 4-2 Mixed Layer 2-3 Connectivity

Chapter 5: Using Specialized Maintenance and Troubleshooting Tools
Lab 5-1 Second Base

Chapter 6: Troubleshooting Case Study: SECHNIK Networking
Lab 6-1 IP Days

Chapter 7: Troubleshooting Case Study: TINC Garbage Disposal
Lab 7-1 OSPF Opportunities

Chapter 8: Troubleshooting Case Study: PILE Forensic Accounting
Lab 8-1 EIGRP Blues
Lab 8-2 BGP Dance

Chapter 9: Troubleshooting Case Study: Bank of POLONA
Lab 9-1 Network Mirror
Lab 9-2 In Synch

Chapter 10: Troubleshooting Case Study: RADULKO Transport
Lab 10-1 Complex?
Lab 10-2 Sandbox

About This Lab Manual


This is the only authorized Lab Manual for the Cisco Networking Academy CCNP TSHOOT
version 7 course.

A CCNP Routing and Switching certification equips students with the knowledge and
skills needed to plan, implement, secure, maintain, and troubleshoot converged enterprise
networks. The CCNP Routing and Switching certification requires candidates to pass three
120-minute exams—ROUTE 300-101, SWITCH 300-115, TSHOOT 300-135—that validate
the key competencies of network engineers.

The Cisco Networking Academy CCNP Routing and Switching curriculum consists of three
experience-oriented courses that employ industry-relevant instructional approaches to
prepare students for professional-level jobs: CCNP ROUTE: Implementing IP Routing, CCNP
SWITCH: Implementing IP Switching, and CCNP TSHOOT: Maintaining and Troubleshooting
IP Networks.

CCNP TSHOOT: Troubleshooting and Maintaining IP Networks


This course teaches students how to monitor and maintain complex, enterprise routed and
switched IP networks. Skills learned include the planning and execution of regular network
maintenance, as well as support and troubleshooting using technology based processes
and best practices, based on systematic and industry recognized approaches. Extensive
labs emphasize hands-on learning and practice to reinforce troubleshooting techniques.
CCNP ROUTE and CCNP SWITCH are both prerequisites for this course.

The 12 comprehensive labs in this manual emphasize hands-on learning and practice to
reinforce configuration skills.

Command Syntax Conventions


The conventions used to present command syntax in this book are the same conventions
used in the IOS Command Reference. The Command Reference describes these
conventions as follows:
• Boldface indicates commands and keywords that are entered literally as shown. In
actual configuration examples and output (not general command syntax), boldface
indicates commands that are manually input by the user (such as a show command).
• Italic indicates arguments for which you supply actual values.
• Vertical bars (|) separate alternative, mutually exclusive elements.
• Square brackets ([ ]) indicate an optional element.
• Braces ({ }) indicate a required choice.
• Braces within brackets ([{ }]) indicate a required choice within an optional element.

Chapter 1: Troubleshooting Methods


No labs for this chapter.

Chapter 2: Structured Troubleshooting


No labs for this chapter.

Chapter 3: Network Maintenance Tasks and Best Practices


Lab 3-1 Assembling Maintenance and Troubleshooting Tools
Instructor Version
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Physical Topology
Physical topology for STUDENT version of lab

Physical topology for INSTRUCTOR version of lab

Objectives
• Assign responsibility for a device or set of devices to team members (optional).
• Load the baseline configuration for each device in the topology.
• Use available tools to document key device configuration parameters, such as the interfaces in use,
IP addressing, routing protocols, VLANs, logging mechanisms, and security measures.
• Document the physical topology to support future troubleshooting tasks.
• Document the logical topology to support future troubleshooting tasks.

Background
You have been employed as a network engineering consultant by a company that has made a recent
acquisition. The documentation for the acquired company’s network is incomplete and outdated, so you need
to inventory their network architecture both logically and physically, per company documentation standards.
This will help you learn about the design and implementation of their network and ensure that you have
access to up-to-date and accurate network documentation to reference during future troubleshooting
procedures. One directive to your predecessor was to transition access layer switches to multilayer switches,
so static routing is implemented on the access layer switches until new multilayer switches are procured.

In this lab, you survey the baseline TSHOOT network. No problems are introduced in this lab. The TSHOOT
network will evolve over time as changes and enhancements are made. You will analyze and document the
current topology and device configuration parameters to develop familiarity with the baseline configurations
and network connections. You will review and fill out the provided documentation as you analyze the network.
You will assess and assemble tools that can be used for future maintenance and troubleshooting tasks.
Note: This lab uses Cisco ISR G2 routers running Cisco IOS 15.4(3) images with IP Base and Security
packages enabled, and Cisco Catalyst 3560 and 2960 switches running Cisco IOS 15.0(2) IP Services and
LAN Base images, respectively. The switches have Fast Ethernet interfaces, so the routing metrics for all
Ethernet links in the labs are calculated based on 100 Mb/s, although the routers have Gigabit Ethernet
interfaces. The 3560 and 2960 switches are configured with the SDM templates dual-ipv4-and-ipv6 routing
and lanbase-routing, respectively. Depending on the router or switch model and Cisco IOS Software version,
the commands available and output produced might vary from what is shown in this lab.
Instructor Notes:
• The lab topology should be pre-built prior to the students starting the lab. Ensure that all switches and
routers (ALS1, DLS1, DLS2, R1, R2, and R3) have the course lab configuration files installed in flash
memory. These can be downloaded from NetSpace. The baseline configurations for all devices are
included at the end of this lab. The configuration file for ALS1 can be copied into a text file using the
naming convention BASE-ALS1-Cfg.txt; similarly for DLS1, DLS2, R1, R2, and R3.
• Each device should have a directory named “tshoot” in flash. This directory should contain the
baseline configuration file for that device as well as configuration files for the other labs in this course.
• Instructors can use a TFTP server, a USB drive, or a flash memory card as source, and use the copy
or archive tar command to copy all course configuration files into the flash:/tshoot directory for
each device in the topology—see the Instructor Notes in Task 2, Step 1 for detailed instructions. This
procedure is done once at the beginning of the course. Keep the files on the TFTP server, too!
• For this lab and subsequent labs, the student is responsible for loading the baseline or trouble ticket
configurations as required using the procedure described in Task 2.
• Set the correct time on R2, which serves as the primary NTP server for the lab network. These labs
use Pacific Time Zone (see R2 baseline configuration), but each site should use their own time zone.

Required Resources
• 3 routers (Cisco IOS Release 15.4 or comparable)
Instructor note: The routers should have HWIC-2T WAN modules (supporting 8 Mb/s) rather than
HWIC-2A/S modules.
• 2 multilayer switches and 1 access layer switch (Cisco IOS Release 15.0(2) or comparable with Fast
Ethernet interfaces)
• SRV1 (PC with static IP address): Windows 7 with RADIUS, TFTP, and syslog servers, plus an SSH
client, SNMP monitor, and WireShark.
Instructor note: A RADIUS server is specified for SRV1, but it is not used with the baseline
configuration in this lab. The SSH client should support Diffie Hellman Group 14 (2048-bit modulus)
and the SNMP monitor should be v3-capable.
• PC-B (DHCP client): Windows 7 with SSH client and WireShark software
• PC-C (DHCP client): Windows 7 with SSH client and WireShark software
• Serial and Ethernet cables, as shown in the topology
• Rollover cables to configure the routers and switches via the console

Instructor Notes:
• This lab is not a troubleshooting lab. It focuses on discovering the network, assembling
documentation, and identifying available troubleshooting and maintenance tools. A large part of the
documentation that students will need to reference as they progress is contained in this BASE lab.
• The main purpose of this lab is to have students analyze the network design and implementation,
familiarize themselves with the environment that they will be working in during the course, and
assemble the documentation that they will need to troubleshoot effectively in subsequent labs.
EMPHASIZE THIS POINT TO STUDENTS CLEARLY—SUBSEQUENT LABS WILL EXPECT
STUDENTS TO REFER BACK TO THE BASELINE WHENEVER THERE IS A QUESTION ABOUT
NETWORK PROTOCOLS OR VALUES FOR NETWORK PARAMETERS.
• Students can work in teams of two or more, or can work individually from a remote environment. If the
team consists of three people, each person can analyze and document one router and one switch.
Each student can also work with a single device and use Telnet or SSH to access the other devices
and map out the entire network, if time permits.
• The lab is divided into tasks. If time is a factor, Tasks 1 through 3 can be done in one session and
Tasks 4 through 6 in a subsequent session.
Task 1: Assign Responsibility for Each Device (optional)
Task 2: Load the Baseline Device Configuration Files
Task 3: Analyze and Document the Physical Lab Topology
Task 4: Analyze and Document the Logical Lab Topology
Task 5: Identify Troubleshooting and Maintenance Tools
Task 6: Identify Implemented Security Measures

Task 1: Assign Responsibility for Each Device (optional)


Step 1: Review the lab topology together with your team members.

Step 2: Assign responsibility for each device to a team member.


a. The team member who has primary responsibility for a device is in control of the console of that
device and changes to that device. No other team member should access the console, make
changes to the device, or execute disruptive actions, such as reloading or debugging, without
permission from the responsible team member.
b. All team members can access all devices via Telnet or SSH for non-disruptive diagnostic action
without permission of the responsible team member. Responsibilities can be reassigned during later
labs if necessary.
c. If working in teams, document responsibilities in the Device Responsibilities table.
Device Responsibilities Table

Device  Description                  Responsible Team Member
R1      Core Router 1                Alf
R2      ISP Router                   Betty
R3      Core Router 2                Gam
ALS1    Access Layer Switch 1        Alf
DLS1    Distribution Layer Switch 1  Betty
DLS2    Distribution Layer Switch 2  Gam
SRV1    TFTP, syslog, SNMP           Alf
PC-B    User PC                      Betty
PC-C    User PC                      Gam

Task 2: Load the Baseline Device Configuration Files


Use the following procedure on each device in the network to load the baseline configuration. The procedure
shown here is for a switch, but it is very similar to that of a router.
Note: The configuration files for this lab include ip host name ip-addr entries for all devices. This can be
helpful in accessing devices using Telnet with this lab. The ip host entries are only provided in this BASE lab,
as the device IP addresses will change in subsequent labs.

Instructor Notes:
The setup of the “tshoot” directory in flash, containing the appropriate device configuration files, was described in
the Instructor Notes of the Background section at the beginning of this lab.
The baseline configurations used with this lab do not include some features that might be present in an enterprise
network, such as NAT, ACLs, MST, LACP, GLBP, OSPF, and BGP. These features are implemented in the
context of particular troubleshooting scenarios presented as students progress through the course.

Step 1: Verify the existence and location of the lab configuration files.
The course lab configuration files for a particular device should be in flash under the tshoot directory. Use the
show flash command to verify the presence of this directory. You can also verify the contents of the directory
using the cd and dir commands. If the directory and files are not present, contact your instructor.
Note: When the show flash command is used on a switch, it lists the directories and files at the root directory
but not the files within the directories. The following example uses the cd and dir commands on switch ALS1.
ALS1# show flash

Directory of flash:/

    9  -rwx         916  Feb 28 1993 16:04:03 -08:00  vlan.dat
    3  drwx         512  Sep 22 2014 10:40:59 -07:00  tshoot
    5  -rwx    11792247  Feb 28 1993 16:24:48 -08:00  c2960-lanbasek9-mz.150-2.SE6.bin
    6  -rwx        7192  Sep 26 2014 10:53:31 -07:00  multiple-fs
    7  -rwx         106  Feb 28 1993 18:13:09 -08:00  info
    8  -rwx        1906  Sep 26 2014 10:53:31 -07:00  private-config.text
   10  -rwx        7199  Sep 26 2014 10:53:31 -07:00  config.text

27998208 bytes total (16070656 bytes free)

ALS1# cd tshoot
ALS1# dir
Directory of flash:/tshoot/

    9  -rwx        7979  Sep 22 2014 11:26:14 -07:00  BASE-ALS1-Cfg.txt
<output omitted>

Alternatively, you can see the contents of the directory by specifying its name using the dir command. For
example:
ALS1# cd
ALS1# pwd
flash:
ALS1# dir flash:/tshoot
Directory of flash:/tshoot/

    9  -rwx        7979  Sep 22 2014 11:26:14 -07:00  BASE-ALS1-Cfg.txt
<output omitted>

Note: When the show flash command is used on a router, it lists the directories and the files within them. The
following example uses only the show flash command on router R1. The tshoot directory and its contents are
listed.
R1# show flash:
-#- --length-- -----date/time------ path
1 103727964 Sep 18 2014 05:20:10 -07:00 c2900-universalk9-mz.SPA.154-3.M.bin
2 2857 Feb 22 2014 01:01:52 -08:00 pre_autosec.cfg
3 0 Sep 22 2014 11:39:18 -07:00 tshoot
4 3887 Sep 22 2014 11:42:20 -07:00 tshoot/BASE-R1-Cfg.txt
<output omitted>

Instructor Notes:
• To create a directory in flash memory, use the mkdir command.
Example:
ALS1# mkdir tshoot
Created dir flash:tshoot

The following example shows how to copy a configuration file from a TFTP server at IP address
10.1.100.1 to the flash:/tshoot directory on ALS1:

ALS1# copy tftp://10.1.100.1/BASE-ALS1-Cfg.txt flash:/tshoot

Note: This assumes the configuration files are in the TFTP server default directory.
• To prevent having to transfer files one at a time, use a program such as 7-Zip to create a tar file, say
device.tar, for all the course lab configuration files for that device on the TFTP server; then copy and
extract the configuration files with one command as follows:
ALS1# archive tar /xtract tftp://10.1.100.1/ALS1.tar flash:/tshoot

• You can view the contents of a particular file in flash using the UNIX or Cisco IOS more command. For
example:
ALS1# more flash:/tshoot/BASE-ALS1-Cfg.txt

This command displays the contents of the file a page at a time.

Step 2: Erase startup-config from NVRAM, and then reset the SDM template.
ALS1# erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]
Erase of nvram: complete
ALS1#
Sep 26 22:00:26.222: %SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram
ALS1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
ALS1(config)# sdm prefer lanbase-routing
ALS1(config)#
Sep 26 22:00:45.155: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:sdm
prefer lanbase-routing
ALS1(config)# exit
ALS1#
Sep 26 22:00:48.393: %SYS-5-CONFIG_I: Configured from console by console
ALS1# show sdm prefer
The current template is "lanbase-routing" template.
The selected template optimizes the resources in
the switch to support this level of features for
0 routed interfaces and 255 VLANs.

number of unicast mac addresses: 4K
number of IPv4 IGMP groups + multicast routes: 0.25K
number of IPv4 unicast routes: 4.25K
number of directly-connected IPv4 hosts: 4K
number of indirect IPv4 routes: 256
number of IPv6 multicast groups: 0.375k
number of IPv6 unicast routes: 1.25K
number of directly-connected IPv6 addresses: 0.75K
number of indirect IPv6 unicast routes: 448
number of IPv4 policy based routing aces: 0
number of IPv4/MAC qos aces: 0.125k
number of IPv4/MAC security aces: 0.375k
number of IPv6 policy based routing aces: 0
number of IPv6 qos aces: 0.375k
number of IPv6 security aces: 127

Note: For a 3560 switch, use the “dual-ipv4-and-ipv6 routing” template. If using another type of Cisco switch,
choose an SDM template that supports IPv4/IPv6 routing and IPv4/IPv6 ACEs. The SDM setting reverts to
the “default” template on a 2960 and the “desktop default” template on the 3560 after deleting startup-config,
so it is important to change the SDM template setting after deleting startup-config. Most time-stamped
logging messages, as seen in the output above, will be removed from the lab outputs going forward.

Step 3: Delete the VLAN database from flash (switches only).


ALS1# delete vlan.dat
Delete flash:/vlan.dat? [confirm]

Step 4: Reload the device, but do not save the system configuration if prompted.
ALS1# reload

System configuration has been modified. Save? [yes/no]: no
Proceed with reload? [confirm]

Step 5: When the device restarts, do not enter the initial configuration dialog.
Press RETURN to get started!

--- System Configuration Dialog ---

Enable secret warning
----------------------------------
In order to access the device manager, an enable secret is required
If you enter the initial configuration dialog, you will be prompted for the enable
secret
If you choose not to enter the intial configuration dialog, or if you exit setup
without setting the enable secret,
please set an enable secret using the following CLI in configuration mode-
enable secret 0 <cleartext password>
----------------------------------
Would you like to enter the initial configuration dialog? [yes/no]: no

Note: On some platform/IOS combinations, a message appears after choosing not to enter the initial
configuration dialog, asking whether or not to “terminate autoinstall.” If this message appears, enter yes to
terminate autoinstall.

Step 6: Copy the specified lab device configuration file from flash to running-config.
Switch> enable
Switch# copy flash:/tshoot/BASE-ALS1-Cfg.txt running-config
Destination filename [running-config]?

Note: Although it is possible to copy the file to startup-config and reload the device, the RSA keys for SSH
cannot be generated from the startup-config file. The device configuration files loaded from flash contain
commands that remove any existing keys and create new keys. It is also possible to cut and paste the
configuration command sequences comprising the device configuration files into global configuration mode.

Step 7: Copy the running config to the startup config.


Depending on the platform/IOS combination, AUTOSAVE may automatically save a copy of running-config
to NVRAM for startup. AUTOSAVE does not copy the console line and vty line configurations from
running-config to startup-config. To ensure that the startup configuration is complete, manually copy:
ALS1# copy running-config startup-config
Building configuration...
[OK]

Note: If the device is rebooted at this point, you can log in with the username cisco and the password cisco.
To access privileged EXEC mode, use the enable secret: cisco.

Instructor note: One can cut and paste the respective compiled list of commands at the end of this lab into
global configuration mode on each device. The commands load too quickly with this approach, overflowing
the buffer and preventing the configuration sequences from loading properly. Configure the terminal emulator
to pause at least 100 ms after each carriage return; some systems may actually require 200 ms.

Step 8: Repeat Steps 1 through 7 for the other devices in the network.

Step 9: Configure the PCs.


a. Configure SRV1 with the static IPv4 address 10.1.100.1/24 and default gateway 10.1.100.254 (on
DLS1). Configure SRV1 with the static IPv6 address 2001:DB8:CAFE:100::1 and default gateway
2001:DB8:CAFE:100::D1 (on DLS1).
b. Configure PC-B and PC-C as DHCP clients for both IPv4 and IPv6.
Note: Make sure the PCs learn addresses of the form 2001:DB8:CAFE:x:ABCD:u:v:w where x is the
VLAN for the respective PC. Use ipconfig/release6 followed by ipconfig/renew6 to
release and renew the stateful IPv6 data. If necessary, reset the NIC. The SVI commands for VLANs
110, 120, and 200,
ipv6 nd prefix 2001:DB8:CAFE:x::/64 no-autoconfig
ipv6 nd managed-config-flag
set the IPv6 RA M, O, and A flags so that the Windows 7 stateful DHCPv6 clients populate a singular
GUA and appropriate link-local default routes, as seen in the ipconfig and route print outputs.

Step 10: Test basic network connectivity between devices.


a. Ping from PC-B to SRV1 at 10.1.100.1 and 2001:DB8:CAFE:100::1. Were the pings successful?
_________________________________________________________________________
Yes
b. Ping from ALS1 to R2 Lo1 at 2.2.2.2 and 2001:DB8:EFAC::2. Were the pings successful?
___________________________________________________________________________
Yes
Note: If the pings are not successful, contact your instructor.

Task 3: Analyze and Document the Physical Lab Topology


Note: At this time, only examine and document the physical connections. Documenting the logical topology, such
as subnets, IP addresses, and routing protocols, is addressed in Task 4 of this lab.

Step 1: Review the physical topology diagram on page 1 of the lab.

Step 2: Use Cisco Discovery Protocol and show commands to verify the Layer 1 and Layer 2
connections of the lab topology.
a. Use the show cdp command to discover the interfaces associated with the physical connections.
Fill in the correct device and interface designators in the following Device Links Table and label them
on the physical topology diagram on the first page of the lab.
ALS1# show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
DLS2.tshoot.net  Fas 0/4           131        R S I       WS-C3560- Fas 0/2
DLS2.tshoot.net  Fas 0/3           131        R S I       WS-C3560- Fas 0/1
DLS1.tshoot.net  Fas 0/2           131        R S I       WS-C3560- Fas 0/2
DLS1.tshoot.net  Fas 0/1           131        R S I       WS-C3560- Fas 0/1

DLS1# show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
R1.tshoot.net    Fas 0/5           167        R B S I     CISCO2911 Gig 0/1
ALS1.tshoot.net  Fas 0/2           153        R S I       WS-C2960- Fas 0/2
ALS1.tshoot.net  Fas 0/1           153        R S I       WS-C2960- Fas 0/1
DLS2.tshoot.net  Fas 0/4           177        R S I       WS-C3560- Fas 0/4
DLS2.tshoot.net  Fas 0/3           177        R S I       WS-C3560- Fas 0/3

b. Review the configurations of the devices for using Layer 1 and Layer 2 features, such as trunks and
EtherChannels. Fill in the information in the Device Links Table and add it to the diagram. If a link is
accounted for from one device to another, it is not necessary to repeat the entry from the other
device. The first entry for ALS1, interface F0/1, is filled in as an example.
Which other commands could you use to identify Layer 1 and Layer 2 characteristics?
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
Answers will vary but could include: show run, show etherchannel summary, show
interfaces trunk, show interfaces switchport.
ALS1# show interfaces trunk

Port        Mode             Encapsulation  Status        Native vlan
Po1         on               802.1q         trunking      666
Po2         on               802.1q         trunking      666

Port        Vlans allowed on trunk
Po1         99,110,120,200
Po2         99,110,120,200

Port        Vlans allowed and active in management domain
Po1         99,110,120,200
Po2         99,110,120,200

Port        Vlans in spanning tree forwarding state and not pruned
Po1         99,110,120
Po2         200

ALS1# show etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator

        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 2
Number of aggregators:           2

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)          -        Fa0/1(P)    Fa0/2(P)
2      Po2(SU)          -        Fa0/3(P)    Fa0/4(P)

Device Links Table

From Device  Interface  To Device  Interface  Layer 1 and 2 Features and Protocols Used
ALS1         F0/1       DLS1       F0/1       EtherChannel Po1, 802.1Q
ALS1         F0/2       DLS1       F0/2       EtherChannel Po1, 802.1Q
ALS1         F0/3       DLS2       F0/1       EtherChannel Po2, 802.1Q
ALS1         F0/4       DLS2       F0/2       EtherChannel Po2, 802.1Q
ALS1         F0/18      PC-B       NIC        100Base-T
DLS1         F0/3       DLS2       F0/3       EtherChannel Po10, 802.1Q
DLS1         F0/4       DLS2       F0/4       EtherChannel Po10, 802.1Q
DLS1         F0/5       R1         G0/1       100 Mb/s, DLS1 F0/5 is a routed L3 port (logical)
DLS1         F0/6       SRV1       NIC        100Base-T
DLS2         F0/5       R3         G0/1       100 Mb/s, DLS2 F0/5 is a routed L3 port (logical)
DLS2         F0/18      PC-C       NIC        100Base-T
R1           S0/0/0     R2         S0/0/0     WAN link, PPP
R2           S0/0/1     R3         S0/0/1     WAN link, PPP

c. Verify that all physical links shown in the diagram are operational. Which commands did you use?
______________________________________________________________________________
______________________________________________________________________________
Answers will vary but could include: show interfaces, show ip interface brief, show
interfaces description, show cdp neighbors, show interfaces status, show vlan.

Step 3: Map the VLANs used in the lab to the devices in the diagram.
Fill in the VLAN Definition Table and label the physical topology diagram with the VLANs used for this topology.
Identify all host devices that are members of each VLAN. The first entry for VLAN 99 is filled in as an example.
VLAN Definition Table

VLAN #  Name         Description             VLAN Members
99      MANAGEMENT   Management VLAN         ALS1, DLS1, DLS2
100     SERVERS      Internal Servers        DLS1, DLS2, SRV1
110     GUEST        Guest VLAN              ALS1, DLS1, DLS2, PC-C
120     OFFICE       Office VLAN             ALS1, DLS1, DLS2, PC-B
200     VOICE        Voice VLAN              ALS1, DLS1, DLS2
666     NATIVE       IEEE 802.1Q Trunk VLAN  ALS1, DLS1, DLS2
999     PARKING_LOT  Unused Switch Ports     ALS1, DLS1, DLS2

Step 4: Analyze spanning tree for the Layer 2 switched domain.


a. Analyze the spanning-tree characteristics of the Layer 2 switched portion of the network. Which type
of spanning-tree mode is implemented?
______________________________________________________________________________
Rapid Per VLAN Spanning Tree (Rapid PVST+)
b. Which switch is the root switch for each VLAN, and what are the configured spanning-tree priorities?
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
DLS1 is the root bridge for VLANs 99, 110, and 120. For these VLANs, the DLS1 priority is 24576,
and the DLS2 priority is 28672. DLS2 is the root bridge for VLANs 100 and 200. For these VLANs,
the DLS1 priority is 28672, and the DLS2 priority is 24576.
c. What is the resulting spanning-tree topology for VLANs that have client devices connected?
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
For VLANs 99, 110, and 120, ALS1-Po1=Root/FWD, ALS1-Po2=Altn/BLK, DLS1-Po1=Desg/FWD,
DLS1-Po10=Desg/FWD, DLS2-Po2=Desg/FWD, and DLS2-Po10=Root/FWD.
For VLAN 200, ALS1-Po1=Altn/BLK, ALS1-Po2=Root/FWD, DLS1-Po1=Desg/FWD,
DLS1-Po10=Root/FWD, DLS2-Po2=Desg/FWD, and DLS2-Po10=Desg/FWD.
For VLAN 100, DLS1-Po1=Desg/FWD, DLS1-Po10=Root/FWD, DLS2-Po2=Desg/FWD, and
DLS2-Po10=Desg/FWD.
d. Which commands did you use to analyze the spanning-tree characteristics?
______________________________________________________________________________
______________________________________________________________________________
Answers will vary but could include show run and show spanning-tree vlan vlan-id.

Step 5: Diagram the spanning tree for VLAN 120.


a. Label the STP role and port status for each port channel used in the physical topology diagram
below.
VLAN 120 spanning tree for STUDENT version of lab

VLAN 120 spanning tree for INSTRUCTOR version of lab

Output for VLAN 120 on all three switches is shown as an example:

ALS1# show spanning-tree vlan 120

VLAN0120
  Spanning tree enabled protocol rstp
  Root ID    Priority    24696
             Address     001b.2b74.8d80
             Cost        12
             Port        64 (Port-channel1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32888  (priority 32768 sys-id-ext 120)
             Address     0024.50d1.9900
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/18              Desg FWD 19        128.18   P2p Edge
Po1                 Root FWD 12        128.64   P2p
Po2                 Altn BLK 12        128.72   P2p

DLS1# show spanning-tree vlan 120

VLAN0120
  Spanning tree enabled protocol rstp
  Root ID    Priority    24696
             Address     001b.2b74.8d80
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24696  (priority 24576 sys-id-ext 120)
             Address     001b.2b74.8d80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Po1                 Desg FWD 12        128.64   P2p
Po10                Desg FWD 12        128.136  P2p

DLS2# show spanning-tree vlan 120

VLAN0120
  Spanning tree enabled protocol rstp
  Root ID    Priority    24696
             Address     001b.2b74.8d80
             Cost        12
             Port        136 (Port-channel10)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    28792  (priority 28672 sys-id-ext 120)
             Address     001e.4915.0300
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Po2                 Desg FWD 12        128.72   P2p
Po10                Root FWD 12        128.136  P2p

b. If working as a team, discuss your findings with your teammates to ensure that all team members
understand the physical and data link aspects of the network design.
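
Added example (not part of the lab manual): a Python check that parses the Root ID and Bridge ID lines of the three show spanning-tree vlan 120 outputs above and compares them with the documented baseline, so that a later change of root bridge is reported as a finding. The function names and the ALS1_DRIFT sample are constructed for this example; all other values are abridged from the output on this page.

```python
import re

# Abridged from the show spanning-tree vlan 120 output on this page: only the
# Root ID / Bridge ID lines are kept, the values are unchanged.
ALS1 = """VLAN0120
  Root ID    Priority    24696
             Address     001b.2b74.8d80
  Bridge ID  Priority    32888  (priority 32768 sys-id-ext 120)
             Address     0024.50d1.9900
"""
DLS1 = """VLAN0120
  Root ID    Priority    24696
             Address     001b.2b74.8d80
             This bridge is the root
  Bridge ID  Priority    24696  (priority 24576 sys-id-ext 120)
             Address     001b.2b74.8d80
"""
DLS2 = """VLAN0120
  Root ID    Priority    24696
             Address     001b.2b74.8d80
  Bridge ID  Priority    28792  (priority 28672 sys-id-ext 120)
             Address     001e.4915.0300
"""
# Constructed for the example (not lab output): ALS1 reports a root ID that
# belongs to none of the documented switches.
ALS1_DRIFT = ALS1.replace("24696", "4216").replace("001b.2b74.8d80", "0200.0000.0001")

ID_RE = re.compile(
    r"(Root|Bridge) ID\s+Priority\s+(\d+).*?Address\s+([0-9a-f.]{14})", re.S)


def parse(text):
    """Extract the VLAN plus root and bridge IDs as (priority, mac) tuples."""
    ids = {kind: (int(prio), mac) for kind, prio, mac in ID_RE.findall(text)}
    return {
        "vlan": int(re.search(r"^VLAN(\d+)", text, re.M).group(1)),
        "root": ids["Root"],
        "bridge": ids["Bridge"],
        "claims_root": "This bridge is the root" in text,
    }


def check_baseline(outputs, expected_root):
    """Return findings for one VLAN; an empty list means the baseline holds."""
    parsed = {name: parse(text) for name, text in outputs.items()}
    findings = []
    roots = {p["root"] for p in parsed.values()}
    if len(roots) > 1:
        findings.append(f"switches report different root IDs: {sorted(roots)}")
    for name, p in sorted(parsed.items()):
        prio = p["bridge"][0]
        # With the extended system ID the priority field is a multiple of
        # 4096 plus the VLAN ID (24576 + 120 = 24696 on DLS1).
        if prio % 4096 != p["vlan"]:
            findings.append(f"{name}: priority {prio} does not embed VLAN {p['vlan']}")
        is_root = p["bridge"] == p["root"]
        if is_root != p["claims_root"]:
            findings.append(f"{name}: root claim and bridge ID disagree")
        if is_root and name != expected_root:
            findings.append(f"{name} is root, baseline expects {expected_root}")
    known = {p["bridge"] for p in parsed.values()}
    for root in sorted(roots - known):
        findings.append(f"root {root} is not one of the audited switches")
    # The lowest (priority, MAC) pair wins the election among audited switches.
    best = min(parsed, key=lambda n: parsed[n]["bridge"])
    if best != expected_root:
        findings.append(f"lowest bridge ID belongs to {best}, not {expected_root}")
    return findings


if __name__ == "__main__":
    print(check_baseline({"ALS1": ALS1, "DLS1": DLS1, "DLS2": DLS2}, "DLS1"))
    print(check_baseline({"ALS1": ALS1_DRIFT, "DLS1": DLS1, "DLS2": DLS2}, "DLS1"))
```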

Student Notes
Use this space to make any additional notes regarding the physical configuration and the commands used.
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________

Task 4: Analyze and Document the Logical Lab Topology


Step 1: Review the logical lab diagram and the subnets.
Review the IP subnets in the Subnet Table for the VLANs and WAN links that are used in the lab network.
Router interface designations from the physical topology diagram are provided in two copies of the logical
topology, one to be used for IPv4 data and one for IPv6 data.

Logical Topology for STUDENT version of lab (IPv4)



Logical Topology for STUDENT version of lab (IPv6)

Subnet Table

Description         IPv4 Subnet    IPv6 Prefix             Devices
VLANs
Management VLAN 99  10.1.99.0/24   2001:DB8:CAFE:99::/64   ALS1, DLS1, DLS2
Servers VLAN 100    10.1.100.0/24  2001:DB8:CAFE:100::/64  SRV1
Guest VLAN 110      10.1.110.0/24  2001:DB8:CAFE:110::/64  PC-C
Office VLAN 120     10.1.120.0/24  2001:DB8:CAFE:120::/64  PC-B
Management VLAN     10.1.99.0/24   2001:DB8:CAFE:200::/64  ALS1, DLS1, DLS2
WAN Links
DLS1 – R1           10.1.2.0/30    2001:DB8:CAFE:20::/64   DLS1 and R1 GE link
DLS2 – R3           10.1.2.12/30   2001:DB8:CAFE:212::/64  DLS2 and R3 GE link
R1 – R2             10.1.1.0/30    2001:DB8:CAFE:10::/64   R1 and R2 serial link
R2 – R3             10.1.1.4/30    2001:DB8:CAFE:14::/64   R2 and R3 serial link

Logical Topology for INSTRUCTOR version of lab (IPv4)



Logical Topology for INSTRUCTOR version of lab (IPv6)



Step 2: Map the subnet scheme to the logical diagram.


In the previous step, the subnets were documented in the Subnet Table. Now document the host portion
of the addresses. To document the host part, research the routing tables and interface IP addresses of all
the devices. Document the interface IPv4 and IPv6 addresses in the IP Address Table and on the
associated logical topology diagram. Use only the number of the last octet for IPv4 addresses and the last
hextet for IPv6 addresses in the respective diagrams. The device names and interfaces are listed to help
identify the IP addresses. The entry for ALS1 VLAN 99 is shown as an example. If an interface is not in
use, indicate this in the Additional Information column. Account for all physical and virtual interfaces.
IP Address Table

Device Name  Interface   IPv4 Address/Prefix  IPv6 Address/Prefix       Additional Information
ALS1         Vlan 99     10.1.99.251/24       2001:DB8:CAFE:99::A1/64   SVI
ALS1         Vlan 110    10.1.110.251/24      2001:DB8:CAFE:110::A1/64  SVI
ALS1         Vlan 120    10.1.120.251/24      2001:DB8:CAFE:120::A1/64  SVI
ALS1         Vlan 200    10.1.200.251/24      2001:DB8:CAFE:200::A1/64  SVI
DLS1         Vlan 99     10.1.99.252/24       2001:DB8:CAFE:99::D1/64   SVI
DLS1         Vlan 100    10.1.100.252/24      2001:DB8:CAFE:100::D1/64  SVI
DLS1         Vlan 110    10.1.110.252/24      2001:DB8:CAFE:110::D1/64  SVI
DLS1         Vlan 120    10.1.120.252/24      2001:DB8:CAFE:120::D1/64  SVI
DLS1         Vlan 200    10.1.200.252/24      2001:DB8:CAFE:200::D1/64  SVI
DLS1         F0/5        10.1.2.1/30          2001:DB8:CAFE:20::D1/64   Routed Port to R1
DLS2         Vlan 99     10.1.99.253/24       2001:DB8:CAFE:99::D2/64   SVI
DLS2         Vlan 100    10.1.100.253/24      2001:DB8:CAFE:100::D2/64  SVI
DLS2         Vlan 110    10.1.110.253/24      2001:DB8:CAFE:110::D2/64  SVI
DLS2         Vlan 120    10.1.120.253/24      2001:DB8:CAFE:120::D2/64  SVI
DLS2         Vlan 200    10.1.200.253/24      2001:DB8:CAFE:200::D2/64  SVI
DLS2         F0/5        10.1.2.13/30         2001:DB8:CAFE:212::D2/64  Routed Port to R3
R1           G0/0        N/A                  N/A                       Not used at this time
R1           G0/1        10.1.2.2/30          2001:DB8:CAFE:20::1/64
R1           S0/0/0      10.1.1.1/30          2001:DB8:CAFE:10::1/64
R1           S0/0/1      N/A                  N/A                       Not used at this time
R1           Loopback 0  10.1.201.1/32        2001:DB8:CAFE:201:12/64
R2           G0/0        N/A                  N/A                       Not used at this time
R2           G0/1        N/A                  N/A                       Not used at this time
R2           S0/0/0      10.1.1.2/30          2001:DB8:CAFE:10::2/64
R2           S0/0/1      10.1.1.6/30          2001:DB8:CAFE:14::2/64
R2           Loopback 0  10.1.202.1/32        2001:DB8:CAFE:202::2/64
R2           Loopback 1  2.2.2.2/8            2001:DB8:EFAC::2/48
R3           G0/0        N/A                  N/A                       Not used at this time
R3           G0/1        10.1.2.14/30         2001:DB8:CAFE:212::3/64
R3           S0/0/0      N/A                  N/A                       Not used at this time
R3           S0/0/1      10.1.1.5/30          2001:DB8:CAFE:14::3/64
R3           Loopback 0  10.1.203.1/32        2001:DB8:CAFE:203::3/64
SRV1         NIC         10.1.100.1/24        2001:DB8:CAFE:100::1/64   Static address
PC-B         NIC         Varies               Varies                    Address via DHCP
PC-C         NIC         Varies               Varies                    Address via DHCP

Step 3: Analyze and document control plane logical configuration features.


Analyze the configurations of the devices for control plane features such as routing protocols, First Hop
Redundancy Protocols (FHRPs), Dynamic Host Configuration Protocol (DHCP), and network address
translation (NAT). Review, document, and discuss the following aspects of the logical network
configuration.
a. Is dynamic or static routing being used?
______________________________________________________________________________
dynamic
______________________________________________________________________________
b. If dynamic, which routing protocol?
______________________________________________________________________________
Classic EIGRP for IPv4/IPv6 on DLS1/DLS2, Named EIGRP for IPv4/IPv6 on R1/R2/R3
c. Are FHRPs in use, such as the Hot Standby Router Protocol (HSRP), Virtual Router Redundancy
Protocol (VRRP), or Gateway Load Balancing Protocol (GLBP)? If yes, which one?
______________________________________________________________________________
yes: HSRP version 1 for IPv4 on SVIs 99, 100, 110, 120, and 200 on DLS1 and DLS2
no: FHRP for IPv6
d. What is the active router for all relevant VLANs?
______________________________________________________________________________
______________________________________________________________________________
DLS1 is the active router for VLANs 99/110/120. DLS2 is the active router for VLANs 100/200.
e. From the PC-B command prompt, issue the tracert command to router R2 Lo0 at 10.1.202.1 for
IPv4 and 2001:DB8:CAFE:202:2 for IPv6. What path did the packets take in each case?
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
IPv4: PC-B to DLS1 SVI 120 IP 10.1.120.252 (active HSRP router for VLAN 120) to R1 G0/1 IP
10.1.2.2 to R2 Lo0 IP 10.1.202.1.
C:\> tracert 10.1.202.1

Tracing route to 10.1.202.1 over a maximum of 30 hops:

1 2 ms 2 ms 1 ms 10.1.10.252
2 <1 ms <1 ms <1 ms 10.1.2.2
3 13 ms 13 ms 85 ms 10.1.202.1

Trace complete.

IPv6: PC-B to ALS1 SVI 120 IP 2001:DB8:CAFE:120::A1 to DLS1 SVI 99 IP 2001:DB8:CAFE:99::D1
to R1 G0/1 IP 2001:DB8:CAFE:20::1 to R2 Lo0 IP 2001:DB8:CAFE:202::2.
C:\> tracert 2001:db8:cafe:202::2

Tracing route to 2001:db8:cafe:202::2 over a maximum of 30 hops:

1 41 ms 2 ms 5 ms 2001:db8:cafe:120::a1
2 1 ms 1 ms 1 ms 2001:db8:cafe:99::d1
3 1 ms <1 ms <1 ms 2001:db8:cafe:20::1
4 1 ms 14 ms 1 ms 2001:db8:cafe:202::2

Trace complete.

f. Are any access lists used to filter traffic on the network? If yes, describe their function.
______________________________________________________________________________
______________________________________________________________________________
Not at this time.
g. Is DHCP in use? If yes, which DHCP server is used and for which VLANs present in the logical
topology diagram?
______________________________________________________________________________
______________________________________________________________________________
Yes. DLS1 is the IPv4 and IPv6 DHCP server for VLANs 110, 120, and 200.
h. How does ALS1 send ICMP echo requests to SRV1 in VLAN 100, when ALS1 has no VLAN 100?
______________________________________________________________________________
ALS1 has a default route pointing to SVI 99 on DLS1 since DLS1 is the active router for VLAN 99.
i. If working as a team, discuss your findings with your teammates to ensure that all team members
understand the high-level design of the network.
Notes
Use this space to make any additional notes regarding the logical configuration and the commands used.
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________

Task 5: Identify Troubleshooting and Maintenance Tools


Step 1: Analyze device configurations for troubleshooting and maintenance features.
Analyze the configurations of the devices for services that support troubleshooting and maintenance, such as
syslog, Simple Network Management Protocol (SNMP), and other network management features.

Step 2: Document the troubleshooting and maintenance features.


a. Document the troubleshooting and maintenance applications or tools in use with the network devices
in the Troubleshooting and Maintenance Tools Table. An entry for system logging is provided as an
example.

Troubleshooting and Maintenance Tools Table

Configured Feature      Devices     Target Server  Target Tool or Application
System message logging  All         SRV1           Syslog server
Configuration archive   All         SRV1           TFTP server
SNMP traps              All         SRV1           SNMP Monitor
NTP                     All         R2             NTP server
NetFlow                 R1, R2, R3  Local          Local on the router

b. If working as a team, discuss your findings with your teammates to ensure that all team members
know which maintenance and troubleshooting tools are available in the network.

Notes
Use this space to make any additional notes regarding troubleshooting and maintenance applications or tools.
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________

Task 6: Identify Implemented Security Measures


Step 1: Analyze device configurations for security-related features.
Analyze the configurations of your assigned devices for configuration options that help support a more
secure network implementation, such as password security, login authentication, secure remote
management, switch trunk and access port security, and VLANs. Record your entries in the Security
Features Table. An entry for password security is provided as an example.
Security Features Table

Security Feature Configured  Implementation Method or Commands
Password security            Enable secret, password encryption
Login authentication         AAA local database authentication
Secure remote management     SSH, IPv6 access list on ALS1 vty ports 0-4
Switch trunk port security   Switchport mode trunk, nonegotiate, unused NATIVE VLAN
                             666, VLANs allowed on trunk
Switch access port security  Switchport mode access, nonegotiate, PortFast, port security
                             on ALS1 (max three sticky MAC addresses)
Proxy ARP                    Disabled on SVIs no ip proxy-arp
VLAN security                Unused ports placed in PARKING_LOT VLAN 999; only VLANs
                             in {99,100,110,120,200} are allowed on the trunks
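
Added example (not part of the lab manual): a Python audit that checks interface blocks of a saved configuration against the trunk, access port and VLAN rows of the Security Features Table. The function names are hypothetical; the first two interface blocks are copied from the ALS1 configuration listed at the end of this lab, and the FastEthernet0/23 and FastEthernet0/24 blocks are constructed to show what drift from the baseline looks like.

```python
import re

# Criteria taken from the Security Features Table on this page.
ALLOWED_TRUNK_VLANS = {99, 100, 110, 120, 200}
NATIVE_VLAN, PARKING_VLAN = "666", "999"

# The first two blocks are copied from the ALS1 configuration in this lab.
# FastEthernet0/23 and 0/24 are constructed here to show what drift looks like.
SAMPLE = """\
interface Port-channel1
description Channel to DLS1
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
no shutdown
!
interface FastEthernet0/18
description To PC-B
switchport access vlan 120
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security mac-address sticky
spanning-tree portfast
no shutdown
!
interface FastEthernet0/23
description PARKING_LOT
switchport access vlan 120
switchport mode access
switchport nonegotiate
no shutdown
!
interface FastEthernet0/24
description Uplink
switchport trunk allowed vlan 1,99,110
switchport mode trunk
no shutdown
!
"""

def interfaces(config):
    """Yield (name, commands) per interface block, indented or not."""
    name, cmds = None, []
    for raw in config.splitlines():
        line = raw.strip()
        start = re.match(r"interface (\S+)$", line)
        if start or line == "!":
            if name:
                yield name, cmds
            name, cmds = (start.group(1) if start else None), []
        elif name and line:
            cmds.append(line)
    if name:
        yield name, cmds

def expand(vlan_list):
    """Turn '99,110-112' into {99, 110, 111, 112}."""
    vlans = set()
    for lo, hi in re.findall(r"(\d+)(?:-(\d+))?", vlan_list):
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit(config):
    """Return one finding string per deviation from the table's criteria."""
    findings = []
    for name, cmds in interfaces(config):
        def arg(prefix):
            return next((c[len(prefix):].strip() for c in cmds
                         if c.startswith(prefix + " ")), None)

        def flag(text):
            findings.append(f"{name}: {text}")

        if "switchport mode trunk" in cmds:
            if "switchport nonegotiate" not in cmds:
                flag("trunk without switchport nonegotiate")
            if arg("switchport trunk native vlan") != NATIVE_VLAN:
                flag("native VLAN is not 666")
            # A trunk with no allowed-VLAN command carries every VLAN (1-4094).
            extra = expand(arg("switchport trunk allowed vlan") or "1-4094")
            extra -= ALLOWED_TRUNK_VLANS
            if extra:
                flag(f"allows VLANs outside the documented set: {sorted(extra)[:5]}")
        elif "switchport mode access" in cmds:
            if "switchport nonegotiate" not in cmds:
                flag("access port without switchport nonegotiate")
            if arg("description") == "PARKING_LOT":
                if arg("switchport access vlan") != PARKING_VLAN:
                    flag("parked port is not in VLAN 999")
                if "shutdown" not in cmds:
                    flag("parked port is not shut down")
            elif ("switchport port-security" not in cmds
                  or arg("switchport port-security maximum") != "3"
                  or "switchport port-security mac-address sticky" not in cmds):
                flag("port security is not the documented max 3 sticky")
    return findings
```

Run on the excerpt, the audit reports the two constructed ports and also the lab's own FastEthernet0/18 block, which has no switchport nonegotiate line although the table lists nonegotiate for access ports.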

Notes
Use this space to make any additional notes regarding security measures.
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
All SVIs have proxy ARP disabled per company security policy. Traditionally, an access layer switch, like
ALS1, is configured like a PC, with a default gateway and an IP address. But recall that a company directive
was to configure access layer switches with static routing while the company transitions to multilayer switches
at the access layer. The baseline configuration on ALS1 blocks IPv6 remote access to ALS1 using an IPv6
ACL on the vty lines. As a result, ALS1 is not accessible for remote configuration if IPv4 routing is disabled.
IPv4 routing on a 2960 requires the lanbase-routing SDM template; the dual-ipv4-and-ipv6 default SDM
template supports IPv6 routing, but not IPv4 routing. If remote access to ALS1 is lost, be sure to check the
SDM template setting on ALS1.
Note: Configuration command sequences for all devices are provided at the end of the lab. These are not
outputs resulting from entering the show running-config command. Only the non-default commands
used to configure the devices are included (along with no shutdown on appropriate interfaces).

Lab Debrief Notes


Use this space to make notes regarding the key concepts learned during the lab debrief discussions with your
instructor. This may include alternate solutions, methods, and processes; this may include procedure and
communication improvements; and this may include key commands and tools.
Note: This is your primary opportunity to document a baseline of the lab network before starting the
troubleshooting exercises. During the debrief session, ask your instructor for clarification of any aspects of the
network design and configurations that are unclear.
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________

Instructor Notes: Presented here are points for the instructor to emphasize during lab debrief discussions.
Lab Design and Implementation: The focus of this lab is to allow students to familiarize themselves with the
lab environment. However, not all students have the skills to independently map and analyze the network.
Therefore, it is important that the instructor take sufficient time to walk them through the physical and logical
topologies of the lab.
Be sure to review each major section (task) of the lab with the students to ensure that they have the network
properly documented, both physically and logically.
The following details are important to point out:
• Process for loading device configuration files.
• The multiple commands that can be used to gather information; discuss how different teams used
different commands and how each of those commands revealed information about the network.
• Physical topology characteristics such as trunking protocols, WAN protocols, and EtherChannel.
• The spanning-tree topology and which switch is the root for each of the relevant VLANs.
• The use of routed ports and switch virtual interfaces (SVIs) and where they are used.
• The use of HSRP and which router performs the active role for each VLAN.
• Which routers or switches perform the role of DHCP server for which VLANs?
• Which maintenance and troubleshooting services have been implemented, such as NTP, TFTP, SNMP,
syslog, and archive?
• Point out the use of the source interface SVI VLAN 99 on switches for logging, NTP, Telnet, SSH, and
SNMP. The routers use source interface Lo0 for logging, NTP, Telnet, SSH, and SNMP.
• Use of the archive utility in the configurations, how it records versions of the running-config file, and how
the path statement works to name files as they are sent to the TFTP server.
• Which security measures have been implemented, such as passwords, login authentication, trunks, and
port security?
Test points: Point out the main tests used in trouble tickets. The major Application Layer test used is
browsing to a specific IP address. The major Network Layer tests are ping and traceroute to a specific IP
address. Make clear that browsing the Internet should be possible from all clients. Most trouble tickets involve
problems related to a lack of connectivity from one host or area of the network to another, resulting in the
introduction of problems in the devices at OSI Layers 1, 2, 3, 4, and 7.

Device Configurations
Important Instructor Note:
These are actual configuration command sequences (not running-config outputs). And no shutdown
commands are included for interfaces that should be up. Each device configuration compilation can be copied
from this lab and pasted into a text file and saved using the naming convention indicated in Task 2, Step 1 (for
example, BASE-ALS1-Cfg.txt).
Each text file can then be copied to the flash:/tshoot directory using the copy or archive tar command
with a TFTP server, a USB stick, or a flash memory card as source. This preserves the no shutdown commands
for interfaces. The file in flash can then be loaded to running-config using the procedure described in Task 2.
Caution: Pasting the configurations into running-config and then copying them to flash does not preserve the no
shutdown commands for the interfaces: the interfaces must be enabled manually in this case.
Note: These configurations include ip host name ip-addr entries for all devices. This can be helpful in
accessing devices using Telnet or SSH. The ip host entries are only provided in this BASE lab because the
device IP addresses change in subsequent labs.

Switch ALS1
!BASE ALS1 Config
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ALS1
!
logging buffered 16384
enable secret cisco
!
username cisco secret cisco
aaa new-model
!
!
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec default local
!
!
clock timezone PST -8
clock summer-time PDT recurring
system mtu routing 1500
vtp domain TSHOOT
vtp mode transparent
ip routing
!
!
no ip domain-lookup
ip domain-name tshoot.net
ip host R1 10.1.2.2 10.1.1.1 10.1.201.1
ip host R2 10.1.1.2 10.1.1.6 10.1.202.1
ip host R3 10.1.1.5 10.1.2.14 10.1.203.1
ip host ALS1 10.1.99.1
ip host DLS1 10.1.99.252 10.1.2.1
ip host DLS2 10.1.99.253 10.1.2.13
ipv6 unicast-routing
!
errdisable recovery cause psecure-violation
errdisable recovery interval 120
!
spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree extend system-id
!
vlan 99
name MANAGEMENT
!
vlan 110
name GUEST
!
vlan 120
name OFFICE
!
vlan 200
name VOICE
!
vlan 666
name NATIVE
!
vlan 999
name PARKING_LOT
!
ip telnet source-interface Vlan99
ip ssh source-interface Vlan99
!
!
interface Port-channel1
description Channel to DLS1
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
no shutdown
!
interface Port-channel2
description Channel to DLS2
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
no shutdown
!
interface FastEthernet0/1
description Channel to DLS1
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 1 mode on
no shutdown
!
interface FastEthernet0/2
description Channel to DLS1
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 1 mode on
no shutdown
!
interface FastEthernet0/3
description Channel to DLS2
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 2 mode on
no shutdown
!
interface FastEthernet0/4
description Channel to DLS2
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 2 mode on
no shutdown
!
interface FastEthernet0/5
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/6
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/7
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/8
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/9
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/10
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/11
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/12
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/13
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/14
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/15
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/16
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/17
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/18
description To PC-B
switchport access vlan 120
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security mac-address sticky
spanning-tree portfast
no shutdown
!
interface FastEthernet0/19
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/20
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/21
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/22
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/23
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/24
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/1
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/2
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan99
ip address 10.1.99.251 255.255.255.0
ipv6 address FE80::A1 link-local
ipv6 address 2001:DB8:CAFE:99::A1/64
no shutdown
!
interface Vlan110
ip address 10.1.110.251 255.255.255.0
ipv6 address FE80::A1 link-local
ipv6 address 2001:DB8:CAFE:110::A1/64
ipv6 nd prefix 2001:DB8:CAFE:110::/64 no-autoconfig
ipv6 nd managed-config-flag
no shutdown
!
interface Vlan120
ip address 10.1.120.251 255.255.255.0
ipv6 address FE80::A1 link-local
ipv6 address 2001:DB8:CAFE:120::A1/64
ipv6 nd prefix 2001:DB8:CAFE:120::/64 no-autoconfig
ipv6 nd managed-config-flag
no shutdown
!
interface Vlan200
ip address 10.1.200.251 255.255.255.0
ipv6 address FE80::A1 link-local
ipv6 address 2001:DB8:CAFE:200::A1/64
ipv6 nd prefix 2001:DB8:CAFE:200::/64 no-autoconfig
ipv6 nd managed-config-flag
no shutdown
!
crypto key gen rsa general-keys modulus 1024
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.1.99.254
logging source-interface Vlan99
logging host 10.1.100.1
ipv6 route ::/0 2001:DB8:CAFE:99::D1
!
snmp-server community cisco RO
snmp-server community san-fran RW
snmp-server trap-source Vlan99
snmp-server location TSHOOT Lab Facility
snmp-server contact support@tshoot.net
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps port-security
snmp-server enable traps vlan-membership
snmp-server host 10.1.100.1 version 2c cisco
!
!
banner motd ^*** BASE ALS1 Config ***^
!
ipv6 access-list REMOTEv6
deny ipv6 any any
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication CONSOLE
line vty 0 4
exec-timeout 0 0
ipv6 access-class REMOTEv6 in
logging synchronous
length 0
transport input telnet ssh
!
ntp source Vlan99
ntp server 10.1.202.1
!
archive
log config
logging enable
logging size 50
notify syslog contenttype plaintext
hidekeys
path tftp://10.1.100.1/$h-archive-config
file prompt quiet
!
end
!

Switch DLS1
!BASE DLS1 Config
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname DLS1
!
!
logging buffered 16384
enable secret cisco
!
username cisco secret cisco
aaa new-model
!
!
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec default local
!
!
clock timezone PST -8
clock summer-time PDT recurring
system mtu routing 1500
vtp domain TSHOOT
vtp mode transparent
ip routing
no ip domain-lookup
ip domain-name tshoot.net
ip host R1 10.1.2.2 10.1.1.1 10.1.201.1
ip host R2 10.1.1.2 10.1.1.6 10.1.202.1
ip host R3 10.1.1.5 10.1.2.14 10.1.203.1
ip host ALS1 10.1.99.251
ip host DLS1 10.1.99.252 10.1.2.1
ip host DLS2 10.1.99.253 10.1.2.13
!
ip dhcp excluded-address 10.1.120.251 10.1.120.254
ip dhcp excluded-address 10.1.200.251 10.1.200.254
ip dhcp excluded-address 10.1.110.251 10.1.110.254
!
ip dhcp pool VOICE
network 10.1.200.0 255.255.255.0
default-router 10.1.200.254
!
ip dhcp pool GUEST
network 10.1.110.0 255.255.255.0
default-router 10.1.110.254
!
ip dhcp pool OFFICE
network 10.1.120.0 255.255.255.0
default-router 10.1.120.254
!
!
ipv6 unicast-routing
ipv6 dhcp pool DHCPv6OFFICE
address prefix 2001:DB8:CAFE:120:ABCD::/80
domain-name tshoot.net
!
ipv6 dhcp pool DHCPv6VOICE
address prefix 2001:DB8:CAFE:200:ABCD::/80
domain-name tshoot.net
!
ipv6 dhcp pool DHCPv6GUEST
address prefix 2001:DB8:CAFE:110:ABCD::/80
domain-name tshoot.net
!
!
errdisable recovery cause bpduguard
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 99,110,120 priority 24576
spanning-tree vlan 100,200 priority 28672
!
!
vlan 99
name MANAGEMENT
!
vlan 100
name SERVERS
!
vlan 110
name GUEST
!
vlan 120
name OFFICE
!
vlan 200
name VOICE
!
vlan 666
name NATIVE
!
vlan 999
name PARKING_LOT
!
ip telnet source-interface Vlan99
ip ssh source-interface Vlan99
!
!
interface Port-channel1
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
no shutdown
!
interface Port-channel10
description Channel to DLS2
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
switchport mode trunk
switchport nonegotiate
no shutdown
!
interface FastEthernet0/1
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 1 mode on
no shutdown
!
interface FastEthernet0/2
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 1 mode on
no shutdown
!
interface FastEthernet0/3
description Channel to DLS2
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 10 mode on
no shutdown
!
interface FastEthernet0/4
description Channel to DLS2
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 10 mode on
no shutdown
!
interface FastEthernet0/5
description FE to R1
no switchport
ip address 10.1.2.1 255.255.255.252
speed 100
duplex full
ipv6 address FE80::D1 link-local
ipv6 address 2001:DB8:CAFE:20::D1/64
ipv6 eigrp 1
spanning-tree bpduguard enable
no shutdown
!
interface FastEthernet0/6
description FE to SRV1
switchport access vlan 100
switchport mode access
switchport nonegotiate
spanning-tree portfast
!
interface FastEthernet0/7
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/8
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/9
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/10
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/11
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/12
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/13
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/14
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/15
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/16
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/17
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/18
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/19
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/20
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/21
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/22
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/23
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/24
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/1
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/2
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan99
ip address 10.1.99.252 255.255.255.0
standby 99 ip 10.1.99.254
standby 99 priority 110
standby 99 preempt
ipv6 address FE80::D1 link-local
ipv6 address 2001:DB8:CAFE:99::D1/64
ipv6 eigrp 1
no shutdown
!
interface Vlan100
ip address 10.1.100.252 255.255.255.0
standby 100 ip 10.1.100.254
standby 100 preempt
ipv6 address FE80::D1 link-local
ipv6 address 2001:DB8:CAFE:100::D1/64
ipv6 eigrp 1
no shutdown
!
interface Vlan110
ip address 10.1.110.252 255.255.255.0
standby 110 ip 10.1.110.254
standby 110 priority 110
standby 110 preempt
ipv6 address FE80::D1 link-local
ipv6 address 2001:DB8:CAFE:110::D1/64
ipv6 nd prefix 2001:DB8:CAFE:110::/64 no-autoconfig
ipv6 nd managed-config-flag
ipv6 eigrp 1
ipv6 dhcp server DHCPv6GUEST
no shutdown
!
interface Vlan120
ip address 10.1.120.252 255.255.255.0
standby 120 ip 10.1.120.254
standby 120 priority 110
standby 120 preempt
ipv6 address FE80::D1 link-local
ipv6 address 2001:DB8:CAFE:120::D1/64
ipv6 nd prefix 2001:DB8:CAFE:120::/64 no-autoconfig
ipv6 nd managed-config-flag
ipv6 eigrp 1
ipv6 dhcp server DHCPv6OFFICE
no shutdown
!
interface Vlan200
ip address 10.1.200.252 255.255.255.0
standby 200 ip 10.1.200.254
standby 200 preempt
ipv6 address FE80::D1 link-local
ipv6 address 2001:DB8:CAFE:200::D1/64
ipv6 nd prefix 2001:DB8:CAFE:200::/64 no-autoconfig
ipv6 nd managed-config-flag
ipv6 eigrp 1
ipv6 dhcp server DHCPv6VOICE
no shutdown
!
!
router eigrp 1
network 10.1.0.0 0.0.255.255
passive-interface default
no passive-interface FastEthernet0/5
no passive-interface Vlan99
no passive-interface Vlan100
no passive-interface Vlan110
no passive-interface Vlan120
no passive-interface Vlan200
!
crypto key gen rsa general-keys modulus 1024
!
no ip http server
no ip http secure-server
!
!
logging source-interface Vlan99
logging host 10.1.100.1
ipv6 router eigrp 1
eigrp router-id 1.1.1.1
!
!
snmp-server community cisco RO
snmp-server community san-fran RW
snmp-server trap-source Vlan99
snmp-server location TSHOOT Lab Facility
snmp-server contact support@tshoot.net
snmp-server enable traps eigrp
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps port-security
snmp-server enable traps config
snmp-server enable traps hsrp
snmp-server enable traps vlan-membership
snmp-server enable traps errdisable
snmp-server host 10.1.100.1 version 2c cisco
!
!
banner motd ^*** BASE DLS1 Config ***^
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication CONSOLE
line vty 0 4
exec-timeout 0 0
logging synchronous
transport input telnet ssh
!
ntp source Vlan99
ntp server 10.1.202.1
!
archive
log config
logging enable
logging size 50
notify syslog contenttype plaintext
hidekeys
path tftp://10.1.100.1/$h-archive-config
write-memory
file prompt quiet
!
end
!

Switch DLS2
!BASE DLS2 Config
!
service timestamps debug datetime msec
service timestamps log datetime
service password-encryption
!
hostname DLS2
!
!
logging buffered 16384
enable secret cisco
!
username cisco secret cisco
aaa new-model
!
!
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec default local
!
!
clock timezone PST -8
clock summer-time PDT recurring
system mtu routing 1500
vtp domain TSHOOT
vtp mode transparent
ip routing
no ip domain-lookup
ip domain-name tshoot.net
ip host R1 10.1.2.2 10.1.1.1 10.1.201.1
ip host R2 10.1.1.2 10.1.1.6 10.1.202.1
ip host R3 10.1.1.5 10.1.2.14 10.1.203.1
ip host ALS1 10.1.99.1
ip host DLS1 10.1.99.252 10.1.2.1
ip host DLS2 10.1.99.253 10.1.2.13
!
!
ipv6 unicast-routing
!
!
errdisable recovery cause bpduguard
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 99,110,120 priority 28672
spanning-tree vlan 100,200 priority 24576
!
!
vlan 99
name MANAGEMENT
!
vlan 100
name SERVERS
!
vlan 110
name GUEST
!
vlan 120
name OFFICE
!
vlan 200
name VOICE
!
vlan 666
name NATIVE
!
vlan 999
name PARKING_LOT
!
ip telnet source-interface Vlan99
ip ssh source-interface Vlan99
!
!
interface Port-channel2
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
no shutdown
!
interface Port-channel10
description Channel to DLS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
switchport mode trunk
switchport nonegotiate
no shutdown
!
interface FastEthernet0/1
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 2 mode on
no shutdown
!
interface FastEthernet0/2
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 2 mode on
no shutdown
!
interface FastEthernet0/3
description Channel to DLS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 10 mode on
no shutdown
!
interface FastEthernet0/4
description Channel to DLS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 10 mode on
no shutdown
!
interface FastEthernet0/5
description FE to R3
no switchport
ip address 10.1.2.13 255.255.255.252
speed 100
duplex full
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:212::D2/64
ipv6 eigrp 1
spanning-tree bpduguard enable
no shutdown
!
interface FastEthernet0/6
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/7
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/8
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/9
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/10
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/11
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/12
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/13
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/14
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/15
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/16
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/17
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/18
description FE to PC-C
switchport access vlan 110
switchport mode access
switchport nonegotiate
spanning-tree portfast
no shutdown
!
interface FastEthernet0/19
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/20
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/21
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/22
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/23
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/24
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/1
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/2
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan99
ip address 10.1.99.253 255.255.255.0
standby 99 ip 10.1.99.254
standby 99 preempt
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:99::D2/64
ipv6 eigrp 1
no shutdown
!
interface Vlan100
ip address 10.1.100.253 255.255.255.0
standby 100 ip 10.1.100.254
standby 100 priority 110
standby 100 preempt
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:100::D2/64
ipv6 eigrp 1
no shutdown
!
interface Vlan110
ip address 10.1.110.253 255.255.255.0
standby 110 ip 10.1.110.254
standby 110 preempt
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:110::D2/64
ipv6 nd prefix 2001:DB8:CAFE:110::/64 no-autoconfig
ipv6 nd managed-config-flag
ipv6 eigrp 1
no shutdown
!
interface Vlan120
ip address 10.1.120.253 255.255.255.0
standby 120 ip 10.1.120.254
standby 120 preempt
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:120::D2/64
ipv6 nd prefix 2001:DB8:CAFE:120::/64 no-autoconfig
ipv6 nd managed-config-flag
ipv6 eigrp 1
no shutdown
!
interface Vlan200
ip address 10.1.200.253 255.255.255.0
standby 200 ip 10.1.200.254
standby 200 priority 110
standby 200 preempt
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:200::D2/64
ipv6 nd prefix 2001:DB8:CAFE:200::/64 no-autoconfig
ipv6 nd managed-config-flag
ipv6 eigrp 1
no shutdown
!
!
router eigrp 1
network 10.1.0.0 0.0.255.255
passive-interface default
no passive-interface FastEthernet0/5
no passive-interface Vlan99
no passive-interface Vlan100
no passive-interface Vlan110
no passive-interface Vlan120
no passive-interface Vlan200
!
crypto key gen rsa general-keys modulus 1024
!
no ip http server
no ip http secure-server
!
!
logging source-interface Vlan99
logging host 10.1.100.1
ipv6 router eigrp 1
eigrp router-id 2.2.2.2
!
!
snmp-server community cisco RO
snmp-server community san-fran RW
snmp-server trap-source Vlan99
snmp-server location TSHOOT Lab Facility
snmp-server contact support@tshoot.net
snmp-server enable traps eigrp
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps port-security
snmp-server enable traps config
snmp-server enable traps hsrp
snmp-server enable traps vlan-membership
snmp-server enable traps errdisable
snmp-server host 10.1.100.1 version 2c cisco
!
!
banner motd ^*** BASE DLS2 Config ***^
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication CONSOLE
line vty 0 4
exec-timeout 0 0
logging synchronous
transport input telnet ssh
!
ntp source Vlan99
ntp server 10.1.202.1
!
archive
log config
logging enable
logging size 50
notify syslog contenttype plaintext
hidekeys
path tftp://10.1.100.1/$h-archive-config
write-memory
file prompt quiet
!
end
!

Router R1
!BASE R1 Config
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
logging buffered 16384
enable secret cisco
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec default local
!
!
clock timezone PST -8
clock summer-time PDT recurring
!
!
no ip domain lookup
ip domain name tshoot.net
ip host R1 10.1.2.2 10.1.1.1 10.1.201.1
ip host R2 10.1.1.2 10.1.1.6 10.1.202.1
ip host R3 10.1.1.5 10.1.2.14 10.1.203.1
ip host ALS1 10.1.99.1
ip host DLS1 10.1.99.252 10.1.2.1
ip host DLS2 10.1.99.253 10.1.2.13
ip cef
ipv6 unicast-routing
ipv6 cef
!
!
username cisco secret cisco
!
!
ip telnet source-interface Loopback0
ip ssh source-interface Loopback0
!
!
interface Loopback0
ip address 10.1.201.1 255.255.255.255
ipv6 address FE80::1 link-local
ipv6 address 2001:DB8:CAFE:201::1/64
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1
description FE to DLS1
ip address 10.1.2.2 255.255.255.252
ip flow ingress
duplex full
speed 100
ipv6 address FE80::1 link-local
ipv6 address 2001:DB8:CAFE:20::1/64
no shutdown
!
interface Serial0/0/0
description WAN link to R2: 2 Mbps leased line
ip address 10.1.1.1 255.255.255.252
ip flow ingress
encapsulation ppp
ipv6 address FE80::1 link-local
ipv6 address 2001:DB8:CAFE:10::1/64
clock rate 2000000
no shutdown
!
interface Serial0/0/1
description WAN link to R3 (not used)
no ip address
shutdown
!
!
router eigrp HQ
!
address-family ipv4 unicast autonomous-system 1
!
af-interface GigabitEthernet0/0
passive-interface
exit-af-interface
!
af-interface Loopback0
passive-interface
exit-af-interface
!
topology base
exit-af-topology
network 0.0.0.0
exit-address-family
!
address-family ipv6 unicast autonomous-system 1
!
topology base
exit-af-topology
exit-address-family
!
crypto key gen rsa general-keys modulus 1024
!
ip http server
ip http secure-server
ip flow-top-talkers
top 3
sort-by bytes
cache-timeout 600000
!
!
logging source-interface Loopback0
logging host 10.1.100.1
!
!
snmp-server community cisco RO
snmp-server community san-fran RW
snmp-server trap-source Loopback0
snmp-server location TSHOOT Lab Facility
snmp-server contact support@tshoot.net
snmp-server enable traps eigrp
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps config
snmp-server enable traps cpu threshold
snmp-server host 10.1.100.1 version 2c cisco
!
!
banner motd ^*** BASE R1 Config ***^
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication CONSOLE
!
line vty 0 4
exec-timeout 0 0
logging synchronous
transport input telnet ssh
!
ntp source Loopback0
ntp update-calendar
ntp server 10.1.202.1
!
archive
log config
logging enable
logging size 50
notify syslog contenttype plaintext
hidekeys
path tftp://10.1.100.1/$h-archive-config
write-memory
file prompt quiet
!
end
!

Router R2
!BASE R2 Config
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R2
!
logging buffered 16384
enable secret cisco
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec default local
!
!
clock timezone PST -8
clock summer-time PDT recurring
!
!
no ip domain lookup
ip domain name tshoot.net
ip host R1 10.1.2.2 10.1.1.1 10.1.201.1
ip host R2 10.1.1.2 10.1.1.6 10.1.202.1
ip host R3 10.1.1.5 10.1.2.14 10.1.203.1
ip host ALS1 10.1.99.1
ip host DLS1 10.1.99.252 10.1.2.1
ip host DLS2 10.1.99.253 10.1.2.13
ip cef
ipv6 unicast-routing
ipv6 cef
!
username cisco secret cisco
!
!
ip telnet source-interface Loopback0
ip ssh source-interface Loopback0
!
!
interface Loopback0
ip address 10.1.202.1 255.255.255.255
ipv6 address FE80::2 link-local
ipv6 address 2001:DB8:CAFE:202::2/64
!
interface Loopback1
ip address 2.2.2.2 255.0.0.0
ipv6 address FE80::2 link-local
ipv6 address 2001:DB8:EFAC::2/48
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1
description optional connection for PC-C w/ static address
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0
description WAN link to R1: 2 Mbps leased line
ip address 10.1.1.2 255.255.255.252
ip flow ingress
encapsulation ppp
ipv6 address FE80::2 link-local
ipv6 address 2001:DB8:CAFE:10::2/64
no shutdown
!
interface Serial0/0/1
description WAN link to R3: 2 Mbps leased line
ip address 10.1.1.6 255.255.255.252
ip flow ingress
encapsulation ppp
ipv6 address FE80::2 link-local
ipv6 address 2001:DB8:CAFE:14::2/64
clock rate 2000000
no shutdown
!
!
router eigrp HQ
!
address-family ipv4 unicast autonomous-system 1
!
af-interface GigabitEthernet0/0
passive-interface
exit-af-interface
!
af-interface GigabitEthernet0/1
passive-interface
exit-af-interface
!
af-interface Loopback0
passive-interface
exit-af-interface
!
af-interface Loopback1
passive-interface
exit-af-interface
!
topology base
exit-af-topology
network 0.0.0.0
exit-address-family
!
address-family ipv6 unicast autonomous-system 1
!
topology base
exit-af-topology
exit-address-family
!
crypto key gen rsa general-keys modulus 1024
!
ip http server
ip http secure-server
ip flow-top-talkers
top 3
sort-by bytes
cache-timeout 600000
!
!
logging source-interface Loopback0
!
!
snmp-server community cisco RO
snmp-server community san-fran RW
snmp-server trap-source Loopback0
snmp-server location TSHOOT Lab Facility
snmp-server contact support@tshoot.net
snmp-server enable traps eigrp
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps config
snmp-server enable traps cpu threshold
snmp-server host 10.1.100.1 version 2c cisco
!
!
banner motd ^*** BASE R2 Config ***^
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication CONSOLE
!
line vty 0 4
exec-timeout 0 0
logging synchronous
transport input telnet ssh
!
ntp master 3
!
!
archive
log config
logging size 50
notify syslog contenttype plaintext
hidekeys
path tftp://10.1.100.1/$h-archive-config
write-memory
file prompt quiet
!
end
!

Router R3
!BASE R3 Config
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R3
!
!
logging buffered 16384
enable secret cisco
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec default local
!
!
clock timezone PST -8
clock summer-time PDT recurring
!
!
no ip domain lookup
ip domain name tshoot.net
ip host R1 10.1.2.2 10.1.1.1 10.1.201.1
ip host R2 10.1.1.2 10.1.1.6 10.1.202.1
ip host R3 10.1.1.5 10.1.2.14 10.1.203.1
ip host ALS1 10.1.99.1
ip host DLS1 10.1.99.252 10.1.2.1
ip host DLS2 10.1.99.253 10.1.2.13
ip cef
ipv6 unicast-routing
ipv6 cef
!
username cisco secret cisco
!
!
ip telnet source-interface Loopback0
ip ssh source-interface Loopback0
!
!
interface Loopback0
ip address 10.1.203.1 255.255.255.255
ipv6 address FE80::3 link-local
ipv6 address 2001:DB8:CAFE:203::3/64
!
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1
description FE to DLS2
ip address 10.1.2.14 255.255.255.252
ip flow ingress
duplex full
speed 100
ipv6 address FE80::3 link-local
ipv6 address 2001:DB8:CAFE:212::3/64
no shutdown
!
interface Serial0/0/0
description WAN link to R1 - (Not used)
no ip address
encapsulation ppp
shutdown
clock rate 2000000
!
interface Serial0/0/1
description WAN link to R2: 2 Mbps leased line
ip address 10.1.1.5 255.255.255.252
ip flow ingress
encapsulation ppp
ipv6 address FE80::3 link-local
ipv6 address 2001:DB8:CAFE:14::3/64
no shutdown
!
!
router eigrp HQ
!
address-family ipv4 unicast autonomous-system 1
!
af-interface GigabitEthernet0/0
passive-interface
exit-af-interface
!
af-interface Loopback0
passive-interface
exit-af-interface
!
topology base
exit-af-topology
network 0.0.0.0
exit-address-family
!
address-family ipv6 unicast autonomous-system 1
!
topology base
exit-af-topology
exit-address-family
!
crypto key gen rsa general-keys modulus 1024
!
ip http server
ip http secure-server
ip flow-top-talkers
top 3
sort-by bytes
cache-timeout 600000
!
!
logging source-interface Loopback0
logging host 10.1.100.1
!
!
snmp-server community cisco RO
snmp-server community san-fran RW
snmp-server trap-source Loopback0
snmp-server location TSHOOT Lab Facility
snmp-server contact support@tshoot.net
snmp-server enable traps eigrp
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps config
snmp-server enable traps cpu threshold
snmp-server host 10.1.100.1 version 2c cisco
!
!
banner motd ^*** BASE R3 Config ***^
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication CONSOLE
!
line vty 0 4
exec-timeout 0 0
logging synchronous
transport input telnet ssh
!
ntp source Loopback0
ntp update-calendar
ntp server 10.1.202.1
!
!
archive
log config
logging enable
logging size 50
notify syslog contenttype plaintext
hidekeys
path tftp://10.1.100.1/$h-archive-config
write-memory
file prompt quiet
!
end
!

TCL Script for testing ping connectivity to all IPv4 addresses in baseline:
tclsh
foreach i {
10.1.100.1
10.1.100.252
10.1.100.253
10.1.100.254
10.1.99.251
10.1.99.252
10.1.99.253
10.1.99.254
10.1.110.1
10.1.110.251
10.1.110.252
10.1.110.253
10.1.110.254
10.1.120.1
10.1.120.251
10.1.120.252
10.1.120.253
10.1.120.254
10.1.200.251
10.1.200.252
10.1.200.253
10.1.200.254
10.1.2.1
10.1.2.2
10.1.1.1
10.1.1.2
10.1.2.13
10.1.2.14
10.1.1.5
10.1.1.6
10.1.201.1
10.1.202.1
10.1.203.1
2.2.2.2
} { puts [exec "ping $i"] }
tclquit

To use this script, paste it into User EXEC mode on any Cisco networking device.
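
The baseline configurations above disable DNS lookups, so a name such as ALS1 resolves only through each device's static ip host table. The following added example (not part of the lab manual) cross-checks those tables against the interface addresses, using lines excerpted from the ALS1, DLS1 and DLS2 baselines on this page; the function names are this example's own.

```python
import re

# Constructed sample: lines excerpted from the ALS1, DLS1 and DLS2 baseline
# configurations on this page (the R1-R3 host entries are left out for brevity).
CONFIGS = {
    "ALS1": """
interface Vlan99
ip address 10.1.99.251 255.255.255.0
!
""",
    "DLS1": """
ip host ALS1 10.1.99.251
ip host DLS1 10.1.99.252 10.1.2.1
ip host DLS2 10.1.99.253 10.1.2.13
!
interface FastEthernet0/5
ip address 10.1.2.1 255.255.255.252
!
interface Vlan99
ip address 10.1.99.252 255.255.255.0
standby 99 ip 10.1.99.254
!
""",
    "DLS2": """
ip host ALS1 10.1.99.1
ip host DLS1 10.1.99.252 10.1.2.1
ip host DLS2 10.1.99.253 10.1.2.13
!
interface FastEthernet0/5
ip address 10.1.2.13 255.255.255.252
!
interface Vlan99
ip address 10.1.99.253 255.255.255.0
standby 99 ip 10.1.99.254
!
""",
}

IP_HOST = re.compile(r"^\s*ip host (\S+) (.+)$")
INTERFACE = re.compile(r"^\s*interface (\S+)")
IP_ADDR = re.compile(r"^\s*ip address (\d+\.\d+\.\d+\.\d+) \d+\.\d+\.\d+\.\d+")


def parse_device(config):
    """Return (host_table, interface_addresses) for one device configuration.

    host_table maps a name to the addresses listed in its 'ip host' line;
    interface_addresses maps each configured IPv4 address to its interface.
    HSRP virtual addresses ('standby ... ip') are shared, so they are not
    counted as belonging to a device.
    """
    hosts, addrs, current = {}, {}, None
    for line in config.splitlines():
        if m := INTERFACE.match(line):
            current = m.group(1)
        elif line.strip() == "!":
            current = None          # '!' closes the interface block
        elif m := IP_HOST.match(line):
            hosts[m.group(1)] = m.group(2).split()
        elif (m := IP_ADDR.match(line)) and current:
            addrs[m.group(1)] = current
    return hosts, addrs


def audit_host_tables(configs):
    """List (device, name, address, reason) for every stale 'ip host' entry."""
    parsed = {dev: parse_device(text) for dev, text in configs.items()}
    findings = []
    for dev, (hosts, _) in sorted(parsed.items()):
        for name, entries in sorted(hosts.items()):
            if name not in parsed:
                findings.append((dev, name, None, "no config loaded for this name"))
                continue
            owned = parsed[name][1]
            for addr in entries:
                if addr in owned:
                    continue
                owner = next((d for d, (_, a) in parsed.items() if addr in a), None)
                reason = (f"configured on {owner}" if owner
                          else "not configured on any loaded device")
                findings.append((dev, name, addr, reason))
    return findings


if __name__ == "__main__":
    for dev, name, addr, reason in audit_host_tables(CONFIGS):
        print(f"{dev}: ip host {name} {addr} -> {reason}")
```

On the excerpt it reports one entry: DLS2 maps ALS1 to 10.1.99.1, while the ALS1 Vlan99 interface is configured as 10.1.99.251.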

Chapter 4: Basic Switching and Routing Process and Effective IOS Troubleshooting Commands
Chapter 4 Lab 4-1, Layer 2 Issues
Instructor Version
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Physical Topology

Logical Topology

Objectives
• Load the device configuration files for each trouble ticket.
• Diagnose and resolve Layer 2 connectivity problems.
• Diagnose and resolve spanning-tree problems.
• Document the troubleshooting progress, configuration changes, and problem resolution.

Background
User computers, servers, and printers all connect to the access layer of the hierarchical model. With hundreds
or thousands of hosts attached, access devices such as Layer 2 switches are a common source of
networking issues. Physical and data-link problems at the access layer can include hardware, cabling, VLAN
assignment, spanning-tree, trunking protocol, or port security issues.
In this lab, you will troubleshoot various Layer 2 problems. For each task or trouble ticket, the scenario and
symptoms are described. While troubleshooting, you will discover the cause of the problem, correct it, and
then document the process and results.
Physical and Logical Topology Diagrams
The physical and logical topologies are provided at the beginning of the lab, including interface designations
and IPv4/IPv6 addresses, to assist the troubleshooting effort.
Note: This lab uses Cisco ISR G2 routers running Cisco IOS 15.4(3) images with IP Base and Security
packages enabled, and Cisco Catalyst 3560 and 2960 switches running Cisco IOS 15.0(2) IP Services and
LAN Base images, respectively. The 3560 and 2960 switches are configured with the SDM templates
dual-ipv4-and-ipv6 routing and lanbase-routing, respectively. Depending on the router or switch model and
Cisco IOS Software version, the commands available and output produced might vary from what is shown in
this lab. Any changes made to the baseline configurations or topology (other than errors introduced) are noted
in the trouble ticket so that you are aware of them prior to beginning the troubleshooting process.
Instructor Notes:
• The lab topology should be pre-built prior to the students starting the lab. Ensure that all switches and
routers (ALS1, DLS1, DLS2, R1, R2, and R3) have the course lab configuration files installed in flash
memory. These can be downloaded from NetSpace. The device configurations for all devices are
included at the end of this lab, either directly or by reference to the first trouble ticket. The
configuration file for ALS1 can be copied into a text file using the naming convention
Labxy-ALS1-TT-z-Cfg.txt where x is the chapter number, y is the lab number within the chapter, and z is the
uppercase letter indicating the particular trouble ticket in the lab; similarly for DLS1, DLS2, R1, R2, and
R3.
• The device configurations that contain trouble ticket errors and modifications from the baseline are
included at the end of the lab, and the errors in them are identified.
• All device configurations are provided for TT-A, including those that are the same as the baseline, as
defined in the BASE Lab. The configurations provided here are not running-config outputs.
• Device configurations can be used by instructors for cut-and-paste for TT-A and subsequent tickets—
use a terminal emulator line delay of at least 100 ms if pasting configurations directly into global
configuration mode on a device. Some systems may actually require 200 ms.
• Where a configuration is noted as being the same as a previous one, the only change is in the
MOTD, which identifies the Lab and TT. The errors in the configuration are commented and
highlighted as red text.
• Each device should have a directory named “tshoot” in flash. This directory should contain the
baseline configuration file for that device as well as configuration files for the other labs in this course.
• Instructors can use a TFTP server, a USB drive, or a flash memory card as source, and use the copy
or archive tar command to copy all course configuration files into the flash:/tshoot directory for
each device in the topology.
• For this lab and subsequent labs, the student is responsible for loading the baseline or trouble ticket
configurations as required using the procedure described in the BASE Lab.
• Set the correct time on R2, which serves as the primary NTP server for the lab network. These labs
use Pacific Time Zone, but each site should use its own time zone.
• If time is an issue, each task (trouble ticket) can be performed independently.

Required Resources
• 3 routers (Cisco IOS Release 15.4 or comparable)
• 2 multilayer switches and 1 access layer switch (Cisco IOS Release 15.0(2) or comparable with Fast
Ethernet interfaces), running SDM templates that support IPv4/IPv6 addressing/routing/ACLs
• SRV1 (PC with static IP address): Windows 7 with RADIUS, TFTP, and syslog servers, plus an SSH
client and Wireshark software
• PC-B (DHCP client): Windows 7 with SSH client and Wireshark software
• PC-C (DHCP client): Windows 7 with SSH client and Wireshark software
• Serial and Ethernet cables
Instructor Notes:
• This lab is divided into multiple tasks. Each task is associated with a trouble ticket (TT) and
introduces one or more errors on one or more devices.
• Students can work individually or as a team. The problems introduced in this lab focus on the Layer 2
switching environment.
• Suggested actions and results presented during the troubleshooting process for each TT can be
shared with the students during debrief, or copies of the instructor version of the lab can be made
available to the students to assist them in verifying their work.

Task 1: Trouble Ticket Lab 4-1 TT-A


Instructor note: This trouble ticket involves access switch ALS1 and DLS1 issues related to an incorrect
spanning-tree mode and a missing SERVERS VLAN.

Step 1: Review trouble ticket Lab 4-1 TT-A.


Late yesterday afternoon, access switch ALS1 failed, and you discovered that the power supply was not working.
A junior colleague was tasked with replacing ALS1 with a comparable switch.
When you arrived this morning, you asked him how things went. He told you that he had stayed late trying to
reconfigure ALS1, but was not entirely successful. Users on VLAN 120 have started to complain that they cannot
get access to the network server SRV1, and you are unable to use SSH to connect to ALS1 from SRV1. In
addition, syslog messages from ALS1 are not being received on SRV1.
Your task is to diagnose the issues and restore switch ALS1 as a fully functional access switch on the network.

Step 2: Load the device trouble ticket configuration files for TT-A.
Using the procedure described in the BASE Lab, verify that the lab configuration files are present in flash. Load
the configuration files indicated in the Device Configuration File Table.
Note: The following device access methods are in effect after loading the configuration files:
• Console access requires no username or password.
• SSH requires username cisco and password cisco.
• The enable password is cisco.

Device Configuration File Table

Device Name   File to Load               Notes
ALS1          Lab41-ALS1-TT-A-Cfg.txt    This file contains configuration errors
DLS1          Lab41-DLS1-TT-A-Cfg.txt    This file is the same as the baseline
DLS2          Lab41-DLS2-TT-A-Cfg.txt    This file is the same as the baseline
R1            Lab41-R1-TT-A-Cfg.txt      This file is the same as the baseline
R2            Lab41-R2-TT-A-Cfg.txt      This file is the same as the baseline
R3            Lab41-R3-TT-A-Cfg.txt      This file is the same as the baseline
SRV1          N/A                        Static IP: 10.1.100.1 and 2001:DB8:CAFE:100::1
                                         Default gateway: 10.1.100.254/24 and 2001:DB8:CAFE:100::D1/64
PC-B          N/A                        DHCP (release and renew for IPv4 and IPv6 after loading device configurations)
PC-C          N/A                        DHCP (release and renew for IPv4 and IPv6 after loading device configurations)

Instructor note: The student loads the “broken” TT configuration files for all devices even though only the
configuration(s) indicated in the Notes column contains errors.

Step 3: Configure SRV1 and start the syslog and TFTP servers.
Ensure that SRV1 has static IP addresses as indicated in the Device Configuration File Table.
Start the syslog server on SRV1, which is the syslog server for the entire network. When the network is properly
configured, all devices send syslog messages to SRV1.
Start the TFTP server on SRV1, which is the archive server for the entire network. When the network is properly
configured, all devices send archives of their running configurations to this server whenever the running-config is
copied to the startup config. Ensure that the default TFTP directory on SRV1 is set to the directory where you
want to store the archives.

Instructor note: This lab uses Tftpd32 for both TFTP and syslog. Other comparable tools can be used. To
ensure full functionality, start Tftpd32 with the option “Run as administrator.” The TSHOOT labs use
ManageEngine MibBrowser for SNMP monitoring—this software supports SNMPv3, but SNMPv2c is used in the
labs unless otherwise indicated.

Step 4: Release and renew the DHCP leases on PC-B and PC-C.
Ensure that PC-B and PC-C are configured as DHCP clients for IPv4 and IPv6.
After loading all TT-A device configuration files, issue the ipconfig /release and ipconfig /renew
commands on PC-B and PC-C.
Note: Problems introduced into the network by the trouble ticket might prevent one or both of these PCs from
acquiring an IP address. Do not assign either PC a static address.

Step 5: Outline the troubleshooting approach and validation steps.


Use this space to identify your troubleshooting approach and the key steps to verify that the problem is resolved.
Troubleshooting approaches to select from include the follow-the-path, perform-comparison, bottom-up,
top-down, divide-and-conquer, shoot-from-the-hip, and swap-components (move-the-problem) methods.
Note: In addition to a specific approach, you can use the generic troubleshooting process: defining a problem,
gathering information, analyzing the information, eliminating possible problem causes, formulating a hypothesis
about the likely cause of the problem, testing that hypothesis, and solving the problem.
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
The bottom-up or follow-the-path method can be used. Other methods are the top-down, divide-and-conquer,
perform-comparison, swap-components, and shoot-from-the-hip approaches.
Verification steps can include:
Switch ALS1 can be reached using SSH from server SRV1.
PC-B, which is connected to switch ALS1, can acquire an IP address via DHCPv4.
PC-B, which is connected to switch ALS1, can ping server SRV1.
Syslog messages from ALS1 are received on SRV1.

Step 6: Record the troubleshooting process and configuration changes.


Use this log to document your actions and results during the troubleshooting process. List the commands you
used to gather information and, as you progress, record your thoughts as to what you think the problem might be
and what actions you will take to correct the problems.

Device Actions and Results


Responses will vary but could include:


• Pings from PC-B to SRV1 at 10.1.100.1 fail.
• Pings from PC-B to its default gateway 10.1.10.254 on DLS1 fail.
• A check of PC-B verifies that it is a DHCPv4 client but has not acquired an IPv4 address from DHCPv4
server DLS1.
• Pings from ALS1 to DLS1 (10.1.100.252) and DLS2 (10.1.100.253) fail.

TT-A issue 1—An incorrect spanning-tree mode is configured on ALS1.


• The clear arp-cache and show arp commands on DLS1 and DLS2 indicate no Layer 3 connectivity
between ALS1 and DLS1 or DLS2.
• The show cdp neighbors and show interfaces status commands on DLS1 and DLS2 indicate
that the physical links to ALS1 are connected.
• The show spanning-tree command on DLS1 and DLS2 indicates that the spanning-tree mode is
rapid-PVST+ and that there is a separate instance for each VLAN.
• The show spanning-tree command on ALS1 indicates that the spanning-tree mode is Multiple
Spanning Tree (MST) and that there is only one spanning-tree instance for all VLANs. Due to the
inconsistency of spanning-tree modes between ALS1 and DLS1 and DLS2, both EtherChannel ports (Po1 and
Po2) are in a broken (BKN) state (not forwarding). This is because a successful cooperation of MST
with rapid-PVST+ has certain prerequisites that have not been met in this topology.
Action: Change the spanning-tree mode on ALS1 to rapid-PVST+ to enable the port channels to forward on a
per spanning-tree basis. Refer to TT-A debrief for more information.
Verification: Pings from PC-B to SRV1 and other locations should now be successful.

TT-A issue 2—Management VLAN 99 is missing on ALS1.


• SSH from SRV1 to switch ALS1 management address 10.1.99.251 fails.
• The show ip interface brief command on ALS1 indicates that the VLAN 99 SVI interface is
configured with the correct IP address, but the protocol is down.
• The show vlan brief command on ALS1 indicates that the management VLAN 99 definition is
missing.
Action: Add VLAN 99 with the name MANAGEMENT to switch ALS1. Refer to TT-A debrief for more
information.
Verification: Using SSH from SRV1 to ALS1 should now be successful. The logging source interface on
ALS1 was set to SVI VLAN 99, so syslog messages can now be sent to SRV1.

Step 7: Document trouble ticket debrief notes.


Use this space to make notes of the key learning points that you picked up during the discussion of this trouble
ticket with your instructor. The notes can include problems encountered, solutions applied, useful commands
employed, alternate solutions, methods, and processes, and procedure and communication improvements.
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
Trouble ticket TT-A Debrief—Instructor Notes:
TT-A Issue 1
On switch ALS1, the spanning-tree mode was set to MST, causing the uplink ports to be placed in broken
(BKN) spanning-tree state. This effectively blocks all traffic on the uplinks to switches DLS1 and DLS2. It
prevents DHCPv4 clients (PC-B, in this case) in VLAN 120 from getting their IP address information from
DHCPv4 server DLS1.
This issue can be remedied by issuing the following command on switch ALS1:
spanning-tree mode rapid-pvst
Note: If PC-B was rebooted, it might have acquired an autoconfigured IP address (169.254.x.x/16), but there
is no default gateway. It might be necessary to issue the ipconfig /release and ipconfig /renew
commands on DHCPv4 clients after the network device problems are resolved to allow PC-B to acquire an IP
address in the VLAN 120 subnet from DLS1.
TT-A Issue 2
You cannot use SSH to connect to switch ALS1 from server SRV1 (or from any other point in the network)
because VLAN 99, the management VLAN, is not present on switch ALS1. As a result, the VLAN interface on
switch ALS1 for VLAN 99 will be down. SVI VLAN 99 has been assigned a valid IP address, but this does not
affect the Layer 2 issues of the missing VLAN definition.
By issuing the following commands, the VLAN interface will become operational again, and connectivity to the
management address of switch ALS1 will be restored:
vlan 99
name MANAGEMENT

Task 2: Trouble Ticket Lab 4-1 TT-B


Instructor note: This trouble ticket involves DLS1 and DLS2 issues related to incorrect port channel trunk
encapsulation. Remind students the baseline stipulates that VLAN 100 is not allowed on the port channel trunks
which connect to the access layer.
Step 1: Review trouble ticket Lab 4-1 TT-B.
After an equipment failure, a network technician was asked to configure bundled Ethernet links between the ALS1
access switch and the two distribution layer switches in the network (DLS1 and DLS2). Shortly after the changes
were made, users on ALS1 were unable to access the Internet (simulated by Lo1 on R2). You have been asked
to look into the problem and have determined that you are able to ping the Internet from SRV1.
Your task is to diagnose the issues, allow hosts on ALS1 to connect to the Internet via DLS1 or DLS2, and verify
that the switching environment redundant paths are functional, including trunk status and spanning tree.
Note: To simulate an Internet connection, you can ping the R2 Lo1 address at 2.2.2.2. Alternately, you can use
the PC browser to connect to 2.2.2.2. You will then be prompted for a login to the router management GUI by R2.
Enter the username cisco and enable password cisco.

Step 2: Load the device trouble ticket configuration files for TT-B.
Using the procedure described in the BASE Lab, verify that the lab configuration files are present in flash. Load
the configuration files indicated in the Device Configuration File Table.
Device Configuration File Table

Device Name   File to Load               Notes
ALS1          Lab41-ALS1-TT-B-Cfg.txt    This file is the same as the baseline
DLS1          Lab41-DLS1-TT-B-Cfg.txt    This file contains configuration errors
DLS2          Lab41-DLS2-TT-B-Cfg.txt    This file contains configuration errors
R1            Lab41-R1-TT-B-Cfg.txt      This file is the same as the baseline
R2            Lab41-R2-TT-B-Cfg.txt      This file is the same as the baseline
R3            Lab41-R3-TT-B-Cfg.txt      This file is the same as the baseline
SRV1          N/A                        Static IP: 10.1.100.1 and 2001:DB8:CAFE:100::1
                                         Default gateway: 10.1.100.254/24 and 2001:DB8:CAFE:100::D1/64
PC-B          N/A                        DHCP (release and renew for IPv4 and IPv6 after loading device configurations)
PC-C          N/A                        DHCP (release and renew for IPv4 and IPv6 after loading device configurations)

Step 3: Configure SRV1 and start the syslog and TFTP servers as described in Task 1.

Step 4: Release and renew the DHCP lease for PC-B and PC-C as described in Task 1.

Step 5: Outline the troubleshooting approach and validation steps.


Use this space to identify your troubleshooting approach and the key steps to verify that the problem is resolved.
Troubleshooting approaches to select from include follow-the-path, perform-comparison, bottom-up, top-down,
divide-and-conquer, shoot-from-the-hip, and swap-components (move-the-problem) methods.
Note: In addition to a specific approach, you can use the generic troubleshooting process.
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
The bottom-up or follow-the-path method can be used. Other methods are the top-down, divide-and-conquer,
perform-comparison, swap-components, and shoot-from-the-hip approaches.
Verification steps can include:
PC-B, which is connected to switch ALS1, can acquire an IP address via DHCPv4.
PC-B, which is connected to switch ALS1, can ping and browse the Internet via IP.
Using the show cdp neighbors command on ALS1 indicates that both DLS1 and DLS2 are neighbors.
Using the show etherchannel summary command indicates that trunks to both DLS1 and DLS2 are up
and functional.
Further verification of the redundant switch paths could involve shutting down the port channel interface Po1
on DLS1 and pinging from PC-B to the Internet and then disabling the port channel interface Po2 on DLS2
and pinging from PC-B to the Internet.

Step 6: Record the troubleshooting process and configuration changes.


Use this log to document your actions and results during the troubleshooting process. List the commands you
used to gather information. As you progress, record what you think the problem might be and what actions you
will take to correct the problem.

Device Actions and Results


Answers will vary but could include:


• Pings from PC-B to R2 Lo1 (simulated Internet 2.2.2.2) fail.
• Pings from PC-B to its default gateway 10.1.10.254 on DLS1 fail.
• A check of PC-B verifies that it is a DHCPv4 client but has not acquired an IPv4 address from DHCPv4
server DLS1.
• Pings from ALS1 to DLS1 (10.1.100.252) and DLS2 (10.1.100.253) fail.

TT-B issue 1—Encapsulation is set to ISL on DLS1 port channel interface Po1.
• The clear arp-cache and show arp commands on DLS1 and DLS2 indicate no Layer 3 connectivity
between ALS1 and DLS1 or DLS2.
• The show cdp neighbors command on ALS1 indicates that DLS1 and DLS2 are no longer its
neighbors.
• The show cdp neighbors command on DLS1 indicates that DLS2 and R1 are neighbors.
• The show interfaces status command on DLS1 indicates that the physical links to ALS1 are
connected.
• The show vlan id 120 command on ALS1 and DLS1 indicates that VLAN 120 contains the correct
ports.
• The show spanning-tree vlan 120 command on ALS1 and DLS1 indicates that all port channels
are designated and forwarding.
• The show interfaces trunk command on ALS1 indicates that Po1 (to DLS1) and Po2 (to DLS2)
both use 802.1Q encapsulation and native VLAN 666.
• The show interfaces trunk command on DLS1 indicates that Po1 (to ALS1) uses Inter-Switch Link
(ISL) encapsulation, which is a mismatch with ALS1. No data frames will be transmitted.
Action: Change the encapsulation of DLS1 EtherChannel Po1 to 802.1Q (this also changes the physical
ports). Refer to TT-B debrief for more information.
Verification: PC-B should acquire an IP address from DHCPv4 server DLS1. You should now be able to
ping from PC-B to its default gateway 10.1.10.254 on DLS1. PC-B now has access to the Internet (R2
Lo1 – 2.2.2.2).

TT-B issue 2—Encapsulation is set to ISL on EtherChannel physical port interfaces.


• Next you must verify the existence of redundant paths from ALS1 to both DLS1 and DLS2.
• The show interfaces status command on DLS2 indicates that physical links to ALS1 are
suspended.
• The show cdp neighbors command on ALS1 indicates that DLS1 is now a neighbor, but DLS2 is not.
• The show spanning-tree command on DLS2 does not show Po2 (to ALS1).
• The show interfaces trunk command on DLS2 does not show Po2 (to ALS1).
• The show etherchannel summary command on ALS1 indicates Po1 (to DLS1) and Po2 (to DLS2) as
SU = Layer 2 and in use. All ports are P = bundled in the port channel.
• The show etherchannel summary command on DLS2 indicates Po2 (to ALS1) as SD = Layer 2 and
down. Ports F0/1 and F0/2 are s = suspended.
• The show running-config interface po2 command on DLS2 indicates that Po2 encapsulation is
dot1q, the native VLAN is 666, and the trunks allowed are 99, 110, 120, and 200.
• The show running-config interfaces F0/1 and F0/2 commands on DLS2 indicate that F0/1
encapsulation is ISL, the native VLAN is 666, and the trunk VLANs allowed are 99, 110, 120, and 200.
The physical port encapsulation is different than the port channel, which causes physical interfaces F0/1
and F0/2 to be suspended and the port channel interface to go down.
Action: Change the encapsulation on each physical interface to dot1q. Refer to TT-B debrief for more
information.
Verification: The show cdp neighbors command on ALS1 now indicates that both DLS1 and DLS2 are
neighbors. The show etherchannel summary command on DLS2 now indicates Po2 (to ALS1) as SU =
Layer 2 and in use. Ports F0/1 and F0/2 are P = bundled in the port channel.

Step 7: Document trouble ticket debrief notes.


Use this space to make notes of the key learning points that you picked up during the discussion of this trouble
ticket with your instructor. The notes can include problems encountered, solutions applied, useful commands
employed, alternate solutions, methods and processes, and procedure and communication improvements.
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________

Trouble Ticket TT-B Debrief—Instructor Notes


There are two separate problems with the uplinks between switch ALS1 and switches DLS1 and DLS2. The LAN
is set up using redundant connections from switch ALS1 to switches DLS1 and DLS2. Therefore, lack of
connectivity implies that there must be a problem with both redundant paths. To regain connectivity for the clients,
only one of the two issues needs to be resolved. However, to regain the redundancy that is inherent in the
physical network design, both issues must be diagnosed and resolved. Resolving one of the two problems might
restore connectivity, but leaves a hidden issue. Proper verification should uncover both issues. If the trunk
encapsulation problem is corrected on only DLS1 or DLS2, spanning tree adjusts the status of the ALS1 switch’s
Po1 and Po2 interfaces to account for the mismatch in the trunk encapsulation.
Ask the students if they found all issues and make them aware of the possibility of having hidden problems in a
redundant network. Discuss which verification techniques could be used to find these types of issues.
TT-B Issue 1
On switch DLS1, the trunk encapsulation on the EtherChannel toward access switch ALS1 has been changed to
ISL encapsulation. This causes all Layer 2 traffic on these links (including Cisco Discovery Protocol packets) to
fail. Changing parameters on the port channel automatically changes them on the physical member ports, thus
the parameter on the port channel and the individual ports remain consistent. The links stay up, and no errors
other than potential oversized frames are recorded on the interfaces because ISL on DLS1 and 802.1Q on ALS1
are both using a valid Ethernet frame format. To remedy this situation, configure the following commands on
DLS1:
interface Port-channel 1
switchport trunk encapsulation dot1q

TT-B Issue 2
On switch DLS2, trunk encapsulation on the physical ports that are members of the EtherChannel toward the
access switch has been changed to ISL encapsulation. The changing of physical port encapsulation causes an
inconsistency between the configuration on the port channel 2 interface and the physical interfaces FastEthernet
0/1 and 0/2, which are members of the EtherChannel. This, in turn, causes the interfaces FastEthernet 0/1 and
0/2 to be suspended and the port channel interface to go down. To resolve this situation and restore the
consistency between the configuration of the port channel interface and the FastEthernet interfaces, configure the
following commands:
interface range FastEthernet 0/1 - 2
switchport trunk encapsulation dot1q

If the port channel interface is still down, try shutting down the port channel interface on both ends of the link
followed by entering the command no shut on both ends of the trunk; although technically this should not be
necessary, it often achieves the desired result.

Task 3: Trouble Ticket Lab 4-1 TT-C


Instructor note: This trouble ticket involves DLS2 with issues related to VLANs allowed on the trunk between the
DLS2 switch and DLS1 and ALS1.

Step 1: Review trouble ticket Lab 4-1 TT-C.


This morning, the help desk received a call from an external consultant who needed access to the SRV1 guest
account (simulated by ping). Her PC, PC-C, was plugged into one of the outlets that is patched to the guest VLAN
on switch DLS2. However, she has not been able to get an IPv4 address and cannot get onto the network.
Your task is to diagnose and solve this problem, making sure that the consultant gets access to SRV1.

Step 2: Load the device trouble ticket configuration files for TT-C.
Using the procedure described in the BASE Lab, verify that the lab configuration files are present in flash. Load
the configuration files indicated in the Device Configuration File Table.

Device Configuration File Table

Device Name   File to Load               Notes
ALS1          Lab41-ALS1-TT-C-Cfg.txt    This file is the same as the baseline
DLS1          Lab41-DLS1-TT-C-Cfg.txt    This file is the same as the baseline
DLS2          Lab41-DLS2-TT-C-Cfg.txt    This file contains configuration errors
R1            Lab41-R1-TT-C-Cfg.txt      This file is the same as the baseline
R2            Lab41-R2-TT-C-Cfg.txt      This file is the same as the baseline
R3            Lab41-R3-TT-C-Cfg.txt      This file is the same as the baseline
SRV1          N/A                        Static IP: 10.1.100.1 and 2001:DB8:CAFE:100::1
                                         Default gateway: 10.1.100.254/24 and 2001:DB8:CAFE:100::D1/64
PC-B          N/A                        DHCP (release and renew for IPv4 and IPv6 after loading device configurations)
PC-C          N/A                        DHCP (release and renew for IPv4 and IPv6 after loading device configurations)

Step 3: Configure SRV1 and start the syslog and TFTP servers, as described in Task 1.

Step 4: Release and renew the DHCP lease for PC-B and PC-C as described in Task 1.

Step 5: Outline the troubleshooting approach and validation steps.


Use this space to identify your troubleshooting approach and the key steps to verify that the problem is resolved.
Troubleshooting approaches to select from include follow-the-path, perform-comparison, bottom-up, top-down,
divide-and-conquer, shoot-from-the-hip, and swap-components (move-the-problem) methods.
Note: In addition to a specific approach, you can use the generic troubleshooting process.
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
The bottom-up or follow-the-path method can be used. Other methods are the top-down, divide-and-conquer,
perform-comparison, swap-components, and shoot-from-the-hip approaches.
Verification steps can include:
PC-C, which is connected to switch DLS2, can acquire a VLAN 110 subnet IPv4 address via DHCPv4.
PC-C, which is connected to switch DLS2, can access SRV1 using ping.
Using the show vlan and show interfaces trunk commands indicates that VLAN 110 is defined and
allowed on both DLS2 trunks.

Step 6: Record the troubleshooting process and configuration changes.


Use this log to document your actions and results during the troubleshooting process. List the commands you
used to gather information. As you progress, record your thoughts as to what you think the problem might be and
which actions you take to correct the problem.

Device Actions and Results


Answers will vary but could include:


• Pings from PC-C on DLS2 to SRV1 fail.
• Pings from PC-C to its default (VLAN 110) gateway 10.1.110.254 fail.
• A check of PC-C verifies that it is a DHCPv4 client but has not acquired an IP address from DHCP server
DLS1.
• Pings from DLS2 (10.1.99.253) to ALS1 (10.1.99.1) and to DLS1 (10.1.99.252) are successful.
• The clear arp-cache and show arp commands on DLS2 indicate Layer 3 connectivity between
ALS1 and DLS1 or DLS2.
• The show interfaces status command on DLS2 indicates that the physical links to ALS1 and DLS1
are connected.
• The show cdp neighbors command on DLS2 indicates that ALS1, DLS2, and R3 are neighbors.
• The show vlan brief command on DLS2 indicates that VLAN 110 exists and contains the port to
which PC-C is connected (F0/18).
• The show spanning-tree vlan 110 command on DLS2 indicates that the only port that is
forwarding is F0/18. Port channel interfaces Po2 (to ALS1) and Po10 (to DLS1) are missing.
• The show interfaces trunk command on DLS2 indicates that EtherChannel trunk Po2 (to ALS1)
allows VLANs 120, 200, and 99. DLS2 Po10 (to DLS1) allows 99, 100, 120, and 200. Neither trunk allows
VLAN 110 (GUEST).
• The show running-config interface po2 and show running-config interface po10
commands on DLS2 confirm that Po2 encapsulation is dot1q and the native VLAN is 666. VLAN 110
(GUEST) is missing from the allowed VLANs on the trunks, which prevents packets from PC-C from
traversing the DLS2 to DLS1 or DLS2 to ALS1 trunks.
Action: Add VLAN 110 to EtherChannel trunks Po2 and Po10 (this also changes the physical ports). Refer to
TT-C debrief for more information.
Verification: You should now be able to ping from guest PC-C to SRV1.

Step 7: Document trouble ticket debrief notes.


Use this space to make notes of the key learning points that you picked up during the discussion of this trouble
ticket with your instructor. The notes can include problems encountered, solutions applied, useful commands
employed, alternate solutions and methods, and procedure and communication improvements.
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________

Trouble Ticket TT-C Debrief—Instructor Notes


There are two problems with the port-channel trunk configurations on DLS2. Neither trunk link allows VLAN 110
(the GUEST VLAN). To regain connectivity for the clients, only one of the two issues needs to be resolved.
However, to regain the redundancy that is inherent in the physical network design, both issues must be diagnosed
and resolved. Proper verification should uncover both issues.
Resolving one of the two problems might restore connectivity, but leaves a hidden issue. Ask the students if they
found all issues and make them aware of the possibility of having hidden problems in a redundant network.
Discuss which verification techniques could be used to find these types of issues.
TT-C Issue
The problem in this trouble ticket is caused by the omission of VLAN 110 (GUEST) from the list of allowed VLANs
on the trunks between switches DLS2 and ALS1 and between switches DLS2 and DLS1.
This issue can be remedied by issuing the following commands on DLS2:
DLS2(config)#int po2
DLS2(config-if)#switchport trunk allowed vlan add 110
DLS2(config-if)#int po10
DLS2(config-if)#switchport trunk allowed vlan add 110

After adding VLAN 110 to the list of allowed VLANs, PC-C should get an IP address from DLS1 via DHCPv4 and
ping SRV1.
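
The verification the debrief asks for, as an added example (not part of the lab manual): a Python check that replays a switch configuration and lists every logical trunk that omits a VLAN in use on an active access port, so that fixing only one trunk still leaves a finding. The DLS2 excerpt is constructed from the lab's interface names with VLAN 110 left out of the allowed lists, and the function names are illustrative.

```python
import re

ALL_VLANS = frozenset(range(1, 4095))
ALLOWED = re.compile(r"switchport trunk allowed vlan (?:(add|remove) )?(\S+)$")

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '99,110-120,200' into a set of ints."""
    if spec == "all":
        return set(ALL_VLANS)
    if spec == "none":
        return set()
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_interfaces(config):
    """Replay interface stanzas in order, so a later 'add' edits an earlier list."""
    ports, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            # A trunk with no explicit list allows every VLAN (IOS default).
            cur = ports.setdefault(line.split(None, 1)[1], {
                "mode": None, "access": 1, "allowed": set(ALL_VLANS),
                "group": None, "shutdown": False})
        elif line == "!":
            cur = None  # '!' ends the stanza
        elif cur is not None:
            m = ALLOWED.match(line)
            if m and m.group(1) == "add":
                cur["allowed"] |= expand_vlans(m.group(2))
            elif m and m.group(1) == "remove":
                cur["allowed"] -= expand_vlans(m.group(2))
            elif m:
                cur["allowed"] = expand_vlans(m.group(2))
            elif line.startswith("switchport mode "):
                cur["mode"] = line.split()[2]
            elif line.startswith("switchport access vlan "):
                cur["access"] = int(line.split()[3])
            elif line.startswith("channel-group "):
                cur["group"] = int(line.split()[1])
            elif line in ("shutdown", "no shutdown"):
                cur["shutdown"] = line == "shutdown"
    return ports

def audit(config):
    """Map each VLAN used by an active access port to the uplinks that drop it."""
    ports = parse_interfaces(config)
    in_use = {p["access"] for p in ports.values()
              if p["mode"] == "access" and not p["shutdown"]}
    findings = {}
    for vlan in sorted(in_use):
        # Bundle members are skipped: they follow their Port-channel's list.
        missing = sorted(n for n, p in ports.items()
                         if p["mode"] == "trunk" and p["group"] is None
                         and not p["shutdown"] and vlan not in p["allowed"])
        if missing:
            findings[vlan] = missing
    return findings

# Constructed DLS2 excerpt: the lab's trunk lists with VLAN 110 left out.
DLS2_FAULTED = """\
interface Port-channel2
 description Channel to ALS1
 switchport trunk allowed vlan 99,120,200
 switchport mode trunk
!
interface Port-channel10
 description Channel to DLS1
 switchport trunk allowed vlan 99,100,120,200
 switchport mode trunk
!
interface FastEthernet0/1
 switchport trunk allowed vlan 99,120,200
 switchport mode trunk
 channel-group 2 mode on
!
interface FastEthernet0/17
 switchport access vlan 999
 switchport mode access
 shutdown
!
interface FastEthernet0/18
 description FE to PC-C
 switchport access vlan 110
 switchport mode access
 no shutdown
!
"""
FIX_PO2 = "interface Port-channel2\n switchport trunk allowed vlan add 110\n!\n"
FIX_PO10 = "interface Port-channel10\n switchport trunk allowed vlan add 110\n!\n"

if __name__ == "__main__":
    print("faulted:   ", audit(DLS2_FAULTED))
    print("Po2 fixed: ", audit(DLS2_FAULTED + FIX_PO2))
    print("both fixed:", audit(DLS2_FAULTED + FIX_PO2 + FIX_PO10))
```

With only Po2 corrected the audit still reports Po10, which is the hidden redundancy fault a successful ping from PC-C would not reveal.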

Device Configurations (Instructor version)


Note: All device configurations are provided for TT-A, including those that are the same as the baseline
as defined in the BASE Lab. The configurations provided here are not running-config outputs. They can
be used for cut-and-paste for TT-A and subsequent tickets. Where a configuration is noted as being the
same as a previous one, the only change is in the MOTD, which identifies the Lab and TT. The errors in
the configuration are commented and highlighted as red text.

Trouble Ticket—TT-A Configurations


Switch ALS1
!Lab 4-1 Switch ALS1 TT-A Config
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ALS1
!
logging buffered 16384
enable secret cisco
!
username cisco secret cisco
aaa new-model
!
!
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec default local
!
!
clock timezone PST -8
clock summer-time PDT recurring
system mtu routing 1500
vtp domain TSHOOT
vtp mode transparent
ip routing
!
!
no ip domain-lookup
ip domain-name tshoot.net
ipv6 unicast-routing
!
errdisable recovery cause psecure-violation
errdisable recovery interval 120
!
spanning-tree mode mst
! Error: STP mode is set to mst, but should be rapid-pvst:
! spanning-tree mode rapid-pvst
spanning-tree portfast default
!
vlan 110
name GUEST
!
vlan 120
name OFFICE
!
! Error: Management VLAN 99 is missing:
! vlan 99
! name MANAGEMENT
!
vlan 200
name VOICE
!
vlan 666
name NATIVE
!
vlan 999
name PARKING_LOT
!
ip telnet source-interface Vlan99
ip ssh source-interface Vlan99
!
!
interface Port-channel1
description Channel to DLS1
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
no shutdown
!
interface Port-channel2
description Channel to DLS2
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
no shutdown
!
interface FastEthernet0/1
description Channel to DLS1
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 1 mode on
no shutdown
!
interface FastEthernet0/2
description Channel to DLS1
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 1 mode on
no shutdown
!
interface FastEthernet0/3
description Channel to DLS2
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
shutdown
channel-group 2 mode on
no shutdown
!
interface FastEthernet0/4
description Channel to DLS2
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
shutdown
channel-group 2 mode on
no shutdown
!
interface FastEthernet0/5
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/6
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/7
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/8
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/9
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/10
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/11
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/12
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/13
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/14
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/15
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/16
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/17
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/18
description To PC-B
switchport access vlan 120
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security mac-address sticky
spanning-tree portfast
no shutdown
!
interface FastEthernet0/19
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/20
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/21
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/22
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/23
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/24
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/1
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/2
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan99
ip address 10.1.99.251 255.255.255.0
ipv6 address FE80::A1 link-local
ipv6 address 2001:DB8:CAFE:99::A1/64
no ip proxy-arp
no shutdown
!
interface Vlan110
ip address 10.1.110.251 255.255.255.0
ipv6 address FE80::A1 link-local
ipv6 address 2001:DB8:CAFE:110::A1/64
ipv6 nd prefix 2001:DB8:CAFE:110::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
no shutdown
!
interface Vlan120
ip address 10.1.120.251 255.255.255.0
ipv6 address FE80::A1 link-local
ipv6 address 2001:DB8:CAFE:120::A1/64
ipv6 nd prefix 2001:DB8:CAFE:120::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
no shutdown
!
interface Vlan200
ip address 10.1.200.251 255.255.255.0
ipv6 address FE80::A1 link-local
ipv6 address 2001:DB8:CAFE:200::A1/64
ipv6 nd prefix 2001:DB8:CAFE:200::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
no shutdown
!
crypto key gen rsa general-keys modulus 1024
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.1.99.254
logging source-interface Vlan99
logging host 10.1.100.1
ipv6 route ::/0 2001:DB8:CAFE:99::D1
!
snmp-server community cisco RO
snmp-server community san-fran RW
snmp-server trap-source Vlan99
snmp-server location TSHOOT Lab Facility
snmp-server contact support@tshoot.net
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps port-security
snmp-server enable traps vlan-membership
snmp-server host 10.1.100.1 version 2c cisco
!
!
banner motd ^*** Lab 4-1 Switch ALS1 TT-A Config ***^
!
ipv6 access-list REMOTEv6
deny ipv6 any any
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication CONSOLE
line vty 0 4
exec-timeout 0 0
ipv6 access-class REMOTEv6 in
logging synchronous
length 0
transport input telnet ssh
!
ntp source Vlan99
ntp server 10.1.202.1
!
archive
log config
logging enable
logging size 50
notify syslog contenttype plaintext
hidekeys
path tftp://10.1.100.1/$h-archive-config
write-memory
file prompt quiet
!
end
!

Switch DLS1
!Lab 4-1 Switch DLS1 TT-A Config
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname DLS1
!
!
logging buffered 16384
enable secret cisco
!
username cisco secret cisco
aaa new-model
!
!
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec default local
!
!
clock timezone PST -8
clock summer-time PDT recurring
system mtu routing 1500
vtp domain TSHOOT
vtp mode transparent
ip routing
no ip domain-lookup
ip domain-name tshoot.net
!
ip dhcp excluded-address 10.1.120.251 10.1.120.254
ip dhcp excluded-address 10.1.200.251 10.1.200.254
ip dhcp excluded-address 10.1.110.251 10.1.110.254
!
ip dhcp pool VOICE
network 10.1.200.0 255.255.255.0
default-router 10.1.200.254
!
ip dhcp pool GUEST
network 10.1.110.0 255.255.255.0
default-router 10.1.110.254
!
ip dhcp pool OFFICE
network 10.1.120.0 255.255.255.0
default-router 10.1.120.254
!
!
ipv6 unicast-routing
ipv6 dhcp pool DHCPv6OFFICE
address prefix 2001:DB8:CAFE:120:ABCD::/80
domain-name tshoot.net
!
ipv6 dhcp pool DHCPv6VOICE
address prefix 2001:DB8:CAFE:200:ABCD::/80
domain-name tshoot.net
!
ipv6 dhcp pool DHCPv6GUEST
address prefix 2001:DB8:CAFE:110:ABCD::/80
domain-name tshoot.net
!
!
errdisable recovery cause bpduguard
!
spanning-tree mode rapid-pvst
!
spanning-tree vlan 99,110,120 priority 24576
spanning-tree vlan 100,200 priority 28672
!
!
vlan 99
name MANAGEMENT
!
vlan 100
name SERVERS
!
vlan 110
name GUEST
!
vlan 120
name OFFICE
!
vlan 200
name VOICE
!
vlan 666
name NATIVE
!
vlan 999
name PARKING_LOT
!
ip telnet source-interface Vlan99
ip ssh source-interface Vlan99
!
!
interface Port-channel1
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
no shutdown
!
interface Port-channel10
description Channel to DLS2
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
switchport mode trunk
switchport nonegotiate
no shutdown
!
interface FastEthernet0/1
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 1 mode on
no shutdown
!
interface FastEthernet0/2
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 1 mode on
no shutdown
!
interface FastEthernet0/3
description Channel to DLS2
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 10 mode on
no shutdown
!
interface FastEthernet0/4
description Channel to DLS2
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 10 mode on
no shutdown
!
interface FastEthernet0/5
description FE to R1
no switchport
ip address 10.1.2.1 255.255.255.252
speed 100
duplex full
ipv6 address FE80::D1 link-local
ipv6 address 2001:DB8:CAFE:20::D1/64
ipv6 eigrp 1
spanning-tree bpduguard enable
no shutdown
!
interface FastEthernet0/6
description FE to SRV1
switchport access vlan 100
switchport mode access
switchport nonegotiate
spanning-tree portfast
!
interface FastEthernet0/7
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/8
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/9
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/10
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/11
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/12
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/13
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/14
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/15
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/16
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/17
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/18
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/19
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/20
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/21
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/22
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/23
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/24
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/1
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/2
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan99
ip address 10.1.99.252 255.255.255.0
standby 99 ip 10.1.99.254
standby 99 priority 110
standby 99 preempt
ipv6 address FE80::D1 link-local
ipv6 address 2001:DB8:CAFE:99::D1/64
no ip proxy-arp
ipv6 eigrp 1
no shutdown
!
interface Vlan100
ip address 10.1.100.252 255.255.255.0
standby 100 ip 10.1.100.254
standby 100 preempt
ipv6 address FE80::D1 link-local
ipv6 address 2001:DB8:CAFE:100::D1/64
no ip proxy-arp
ipv6 eigrp 1
no shutdown
!
interface Vlan110
ip address 10.1.110.252 255.255.255.0
standby 110 ip 10.1.110.254
standby 110 priority 110
standby 110 preempt
ipv6 address FE80::D1 link-local
ipv6 address 2001:DB8:CAFE:110::D1/64
ipv6 nd prefix 2001:DB8:CAFE:110::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
ipv6 eigrp 1
ipv6 dhcp server DHCPv6GUEST
no shutdown
!
interface Vlan120
ip address 10.1.120.252 255.255.255.0
standby 120 ip 10.1.120.254
standby 120 priority 110
standby 120 preempt
ipv6 address FE80::D1 link-local
ipv6 address 2001:DB8:CAFE:120::D1/64
ipv6 nd prefix 2001:DB8:CAFE:120::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
ipv6 eigrp 1
ipv6 dhcp server DHCPv6OFFICE
no shutdown
!
interface Vlan200
ip address 10.1.200.252 255.255.255.0
standby 200 ip 10.1.200.254
standby 200 preempt
ipv6 address FE80::D1 link-local
ipv6 address 2001:DB8:CAFE:200::D1/64
ipv6 nd prefix 2001:DB8:CAFE:200::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
ipv6 eigrp 1
ipv6 dhcp server DHCPv6VOICE
no shutdown
!
!
router eigrp 1
network 10.1.0.0 0.0.255.255
passive-interface default
no passive-interface FastEthernet0/5
no passive-interface Vlan99
no passive-interface Vlan100
no passive-interface Vlan110
no passive-interface Vlan120
no passive-interface Vlan200
!
crypto key gen rsa general-keys modulus 1024
!
no ip http server
no ip http secure-server
!
!
logging source-interface Vlan99
logging host 10.1.100.1
ipv6 router eigrp 1
eigrp router-id 1.1.1.1
!
!
snmp-server community cisco RO
snmp-server community san-fran RW
snmp-server trap-source Vlan99
snmp-server location TSHOOT Lab Facility
snmp-server contact support@tshoot.net
snmp-server enable traps eigrp
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps port-security
snmp-server enable traps config
snmp-server enable traps hsrp
snmp-server enable traps vlan-membership
snmp-server enable traps errdisable
snmp-server host 10.1.100.1 version 2c cisco
!
!
banner motd ^*** Lab 4-1 Switch DLS1 TT-A Config ***^
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication CONSOLE
line vty 0 4
exec-timeout 0 0
logging synchronous
transport input telnet ssh
!
ntp source Vlan99
ntp server 10.1.202.1
!
archive
log config
logging enable
logging size 50
notify syslog contenttype plaintext
hidekeys
path tftp://10.1.100.1/$h-archive-config
write-memory
file prompt quiet
!
end
!

Switch DLS2
!Lab 4-1 Switch DLS2 TT-A Config
!
service timestamps debug datetime msec
service timestamps log datetime
service password-encryption
!
hostname DLS2
!
!
logging buffered 16384
enable secret cisco
!
username cisco secret cisco
aaa new-model
!
!
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec default local
!
!
clock timezone PST -8
clock summer-time PDT recurring
system mtu routing 1500
vtp domain TSHOOT
vtp mode transparent
ip routing
no ip domain-lookup
ip domain-name tshoot.net
!
!
ipv6 unicast-routing
!
!
errdisable recovery cause bpduguard
!
spanning-tree mode rapid-pvst
spanning-tree vlan 99,110,120 priority 28672
spanning-tree vlan 100,200 priority 24576
!
!
vlan 99
name MANAGEMENT
!
vlan 100
name SERVERS
!
vlan 110
name GUEST
!
vlan 120
name OFFICE
!
vlan 200
name VOICE
!
vlan 666
name NATIVE
!
vlan 999
name PARKING_LOT
!
ip telnet source-interface Vlan99
ip ssh source-interface Vlan99
!
!
interface Port-channel2
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
no shutdown
!
interface Port-channel10
description Channel to DLS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
switchport mode trunk
switchport nonegotiate
no shutdown
!
interface FastEthernet0/1
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 2 mode on
no shutdown
!
interface FastEthernet0/2
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 2 mode on
no shutdown
!
interface FastEthernet0/3
description Channel to DLS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 10 mode on
no shutdown
!
interface FastEthernet0/4
description Channel to DLS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 10 mode on
no shutdown
!
interface FastEthernet0/5
description FE to R3
no switchport
ip address 10.1.2.13 255.255.255.252
speed 100
duplex full
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:212::D2/64
ipv6 eigrp 1
spanning-tree bpduguard enable
no shutdown
!
interface FastEthernet0/6
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/7
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/8
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/9
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/10
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/11
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/12
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/13
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/14
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/15
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/16
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/17
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/18
description FE to PC-C
switchport access vlan 110
switchport mode access
switchport nonegotiate
spanning-tree portfast
no shutdown
!
interface FastEthernet0/19
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/20
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/21
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/22
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/23
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/24
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/1
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/2
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan99
ip address 10.1.99.253 255.255.255.0
standby 99 ip 10.1.99.254
standby 99 preempt
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:99::D2/64
ipv6 eigrp 1
no shutdown
!
interface Vlan100
ip address 10.1.100.253 255.255.255.0
standby 100 ip 10.1.100.254
standby 100 priority 110
standby 100 preempt
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:100::D2/64
no ip proxy-arp
ipv6 eigrp 1
no shutdown
!
interface Vlan110
ip address 10.1.110.253 255.255.255.0
standby 110 ip 10.1.110.254
standby 110 preempt
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:110::D2/64
ipv6 nd prefix 2001:DB8:CAFE:110::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
ipv6 eigrp 1
no shutdown
!
interface Vlan120
ip address 10.1.120.253 255.255.255.0
standby 120 ip 10.1.120.254
standby 120 preempt
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:120::D2/64
ipv6 nd prefix 2001:DB8:CAFE:120::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
ipv6 eigrp 1
no shutdown
!
interface Vlan200
ip address 10.1.200.253 255.255.255.0
standby 200 ip 10.1.200.254
standby 200 priority 110
standby 200 preempt
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:200::D2/64
ipv6 nd prefix 2001:DB8:CAFE:200::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
ipv6 eigrp 1
no shutdown
!
!
router eigrp 1
network 10.1.0.0 0.0.255.255
passive-interface default
no passive-interface FastEthernet0/5
no passive-interface Vlan99
no passive-interface Vlan100
no passive-interface Vlan110
no passive-interface Vlan120
no passive-interface Vlan200
!
crypto key gen rsa general-keys modulus 1024
!
no ip http server
no ip http secure-server
!
!
logging source-interface Vlan99
logging host 10.1.100.1
ipv6 router eigrp 1
eigrp router-id 2.2.2.2
!
!
snmp-server community cisco RO
snmp-server community san-fran RW
snmp-server trap-source Vlan99
snmp-server location TSHOOT Lab Facility
snmp-server contact support@tshoot.net
snmp-server enable traps eigrp
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps port-security
snmp-server enable traps config
snmp-server enable traps hsrp
snmp-server enable traps vlan-membership
snmp-server enable traps errdisable
snmp-server host 10.1.100.1 version 2c cisco
!
!
banner motd ^*** Lab 4-1 Switch DLS2 TT-A Config ***^
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication CONSOLE
line vty 0 4
exec-timeout 0 0
logging synchronous
transport input telnet ssh
!
ntp source Vlan99
ntp server 10.1.202.1
!
archive
log config
logging enable
logging size 50
notify syslog contenttype plaintext
hidekeys
path tftp://10.1.100.1/$h-archive-config
write-memory
file prompt quiet
!
end
!

Router R1
!Lab 4-1 Router R1 TT-A Config
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
logging buffered 16384
enable secret cisco
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec default local
!
!
clock timezone PST -8
clock summer-time PDT recurring
!
!
no ip domain lookup
ip domain name tshoot.net
ip cef
ipv6 unicast-routing
ipv6 cef
!
!
username cisco secret cisco
!
!
ip telnet source-interface Loopback0
ip ssh source-interface Loopback0
!
!
interface Loopback0
ip address 10.1.201.1 255.255.255.255
ipv6 address FE80::1 link-local
ipv6 address 2001:DB8:CAFE:201::1/64
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1
description GE to DLS1
ip address 10.1.2.2 255.255.255.252
ip flow ingress
duplex full
speed 100
ipv6 address FE80::1 link-local
ipv6 address 2001:DB8:CAFE:20::1/64
no shutdown
!
interface Serial0/0/0
description WAN link to R2: 2 Mbps leased line
ip address 10.1.1.1 255.255.255.252
ip flow ingress
encapsulation ppp
ipv6 address FE80::1 link-local
ipv6 address 2001:DB8:CAFE:10::1/64
clock rate 2000000
no shutdown
!
interface Serial0/0/1
description WAN link to R3 (not used)
no ip address
shutdown
!
!
router eigrp HQ
!
address-family ipv4 unicast autonomous-system 1
!
af-interface GigabitEthernet0/0
passive-interface
exit-af-interface
!
af-interface Loopback0
passive-interface
exit-af-interface
!
topology base
exit-af-topology
network 0.0.0.0
exit-address-family
!
address-family ipv6 unicast autonomous-system 1
!
topology base
exit-af-topology
exit-address-family
!
crypto key gen rsa general-keys modulus 1024
!
ip http server
ip http secure-server
ip flow-top-talkers
top 3
sort-by bytes
cache-timeout 600000
!
!
logging source-interface Loopback0
logging host 10.1.100.1
!
!
snmp-server community cisco RO
snmp-server community san-fran RW
snmp-server trap-source Loopback0
snmp-server location TSHOOT Lab Facility
snmp-server contact support@tshoot.net
snmp-server enable traps eigrp
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps config
snmp-server enable traps cpu threshold
snmp-server host 10.1.100.1 version 2c cisco
!
!
banner motd ^*** Lab 4-1 Router R1 TT-A Config ***^
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication CONSOLE
!
line vty 0 4
exec-timeout 0 0
logging synchronous
transport input telnet ssh
!
ntp source Loopback0
ntp update-calendar
ntp server 10.1.202.1
!
archive
log config
logging enable
logging size 50
notify syslog contenttype plaintext
hidekeys
path tftp://10.1.100.1/$h-archive-config
write-memory
file prompt quiet
!
end
!

Router R2
!Lab 4-1 Router R2 TT-A Config
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R2
!
logging buffered 16384
enable secret cisco
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec default local
!
!
clock timezone PST -8
clock summer-time PDT recurring
!
!
no ip domain lookup
ip domain name tshoot.net
ip cef
ipv6 unicast-routing
ipv6 cef
!
username cisco secret cisco
!
!
ip telnet source-interface Loopback0
ip ssh source-interface Loopback0
!
!
interface Loopback0
ip address 10.1.202.1 255.255.255.255
ipv6 address FE80::2 link-local
ipv6 address 2001:DB8:CAFE:202::2/64
!
interface Loopback1
ip address 2.2.2.2 255.0.0.0
ipv6 address FE80::2 link-local
ipv6 address 2001:DB8:EFAC::2/48
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1
description optional connection for PC-C w/ static address
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0
description WAN link to R1: 2 Mbps leased line
ip address 10.1.1.2 255.255.255.252
ip flow ingress
encapsulation ppp
ipv6 address FE80::2 link-local
ipv6 address 2001:DB8:CAFE:10::2/64
no shutdown
!
interface Serial0/0/1
description WAN link to R3: 2 Mbps leased line
ip address 10.1.1.6 255.255.255.252
ip flow ingress
encapsulation ppp
ipv6 address FE80::2 link-local
ipv6 address 2001:DB8:CAFE:14::2/64
clock rate 2000000
no shutdown
!
!
router eigrp HQ
!
address-family ipv4 unicast autonomous-system 1
!
af-interface GigabitEthernet0/0
passive-interface
exit-af-interface
!
af-interface GigabitEthernet0/1
passive-interface
exit-af-interface
!
af-interface Loopback0
passive-interface
exit-af-interface
!
af-interface Loopback0
passive-interface
exit-af-interface
!
topology base
exit-af-topology
network 0.0.0.0
exit-address-family
!
address-family ipv6 unicast autonomous-system 1
!
topology base
exit-af-topology
exit-address-family
!
crypto key gen rsa general-keys modulus 1024
!
ip http server
ip http secure-server
ip flow-top-talkers
top 3
sort-by bytes
cache-timeout 600000
!
!
logging source-interface Loopback0
!
!
snmp-server community cisco RO
snmp-server community san-fran RW
snmp-server trap-source Loopback0
snmp-server location TSHOOT Lab Facility
snmp-server contact support@tshoot.net
snmp-server enable traps eigrp
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps config
snmp-server enable traps cpu threshold
snmp-server host 10.1.100.1 version 2c cisco
!
!
banner motd ^*** Lab 4-1 Router R2 TT-A Config ***^
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication CONSOLE
!
line vty 0 4
exec-timeout 0 0
logging synchronous
transport input telnet ssh
!
ntp master 3
!
!
archive
log config
logging size 50
notify syslog contenttype plaintext
hidekeys
path tftp://10.1.100.1/$h-archive-config
write-memory
file prompt quiet
!
end
!

Router R3
!Lab 4-1 Router R3 TT-A Config
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R3
!
!
logging buffered 16384
enable secret cisco
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec default local
!
!
clock timezone PST -8
clock summer-time PDT recurring
!
!
no ip domain lookup
ip domain name tshoot.net
ip cef
ipv6 unicast-routing
ipv6 cef
!
username cisco secret cisco
!
!
ip telnet source-interface Loopback0
ip ssh source-interface Loopback0
!
!
interface Loopback0
ip address 10.1.203.1 255.255.255.255
ipv6 address FE80::3 link-local
ipv6 address 2001:DB8:CAFE:203::3/64
!
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1
description FE to DLS2
ip address 10.1.2.14 255.255.255.252
ip flow ingress
duplex full
speed 100
ipv6 address FE80::3 link-local
ipv6 address 2001:DB8:CAFE:212::3/64
no shutdown
!
interface Serial0/0/0
description WAN link to R1 - (Not used)
no ip address
encapsulation ppp
shutdown
clock rate 2000000
!
interface Serial0/0/1
description WAN link to R2: 2 Mbps leased line
ip address 10.1.1.5 255.255.255.252
ip flow ingress
encapsulation ppp
ipv6 address FE80::3 link-local
ipv6 address 2001:DB8:CAFE:14::3/64
no shutdown
!
!
router eigrp HQ
!
address-family ipv4 unicast autonomous-system 1
!
af-interface GigabitEthernet0/0
passive-interface
exit-af-interface
!
af-interface Loopback0
passive-interface
exit-af-interface
!
topology base
exit-af-topology
network 0.0.0.0
exit-address-family
!
address-family ipv6 unicast autonomous-system 1
!
topology base
exit-af-topology
exit-address-family
!
crypto key gen rsa general-keys modulus 1024
!
ip http server
ip http secure-server
ip flow-top-talkers
top 3
sort-by bytes
cache-timeout 600000
!
!
logging source-interface Loopback0
logging host 10.1.100.1
!
!
snmp-server community cisco RO
snmp-server community san-fran RW
snmp-server trap-source Loopback0
snmp-server location TSHOOT Lab Facility
snmp-server contact support@tshoot.net
snmp-server enable traps eigrp
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps config
snmp-server enable traps cpu threshold
snmp-server host 10.1.100.1 version 2c cisco
!
!
banner motd ^*** Lab 4-1 Router R3 TT-A Config ***^

!
line con 0
exec-timeout 0 0
logging synchronous
login authentication CONSOLE
!
line vty 0 4
exec-timeout 0 0
logging synchronous
transport input telnet ssh
!
ntp source Loopback0
ntp update-calendar
ntp server 10.1.202.1
!
!
archive
log config
logging enable
logging size 50
notify syslog contenttype plaintext
hidekeys
path tftp://10.1.100.1/$h-archive-config
write-memory
file prompt quiet
!
end
!

Trouble Ticket—TT-B Configurations


Router R1—Same as TT-A

Router R2—Same as TT-A

Router R3—Same as TT-A

Switch ALS1
!Lab 4-1 Switch ALS1 TT-B Config
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ALS1
!
logging buffered 16384
enable secret cisco
!
username cisco secret cisco
aaa new-model
!
!
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec default local
!
!
clock timezone PST -8
clock summer-time PDT recurring
system mtu routing 1500
vtp domain TSHOOT
vtp mode transparent
ip routing
!
!
no ip domain-lookup
ip domain-name tshoot.net
ipv6 unicast-routing
!
errdisable recovery cause psecure-violation
errdisable recovery interval 120
!
spanning-tree mode mst
spanning-tree portfast default
!
vlan 110
name GUEST
!
vlan 120
name OFFICE
!
vlan 200
name VOICE
!
vlan 666
name NATIVE
!
vlan 999
name PARKING_LOT
!
ip telnet source-interface Vlan99
ip ssh source-interface Vlan99
!
!
interface Port-channel1
description Channel to DLS1
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
no shutdown
!
interface Port-channel2
description Channel to DLS2
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
no shutdown
!
interface FastEthernet0/1
description Channel to DLS1
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 1 mode on
no shutdown
!
interface FastEthernet0/2
description Channel to DLS1
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 1 mode on
no shutdown
!
interface FastEthernet0/3
description Channel to DLS2
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
shutdown
channel-group 2 mode on
no shutdown
!
interface FastEthernet0/4
description Channel to DLS2
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
shutdown
channel-group 2 mode on
no shutdown
!
interface FastEthernet0/5
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/6
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/7
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/8
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/9
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/10
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/11
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/12
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/13
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/14
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/15
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/16
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/17
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/18
description To PC-B
switchport access vlan 120
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security mac-address sticky
spanning-tree portfast
no shutdown
!
interface FastEthernet0/19
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/20
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/21
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/22
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/23
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/24
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/1
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/2
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan99
ip address 10.1.99.251 255.255.255.0
ipv6 address FE80::A1 link-local
ipv6 address 2001:DB8:CAFE:99::A1/64
no ip proxy-arp
no shutdown
!
interface Vlan110
ip address 10.1.110.251 255.255.255.0
ipv6 address FE80::A1 link-local
ipv6 address 2001:DB8:CAFE:110::A1/64
ipv6 nd prefix 2001:DB8:CAFE:110::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
no shutdown
!
interface Vlan120
ip address 10.1.120.251 255.255.255.0
ipv6 address FE80::A1 link-local
ipv6 address 2001:DB8:CAFE:120::A1/64
ipv6 nd prefix 2001:DB8:CAFE:120::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
no shutdown
!
interface Vlan200
ip address 10.1.200.251 255.255.255.0
ipv6 address FE80::A1 link-local
ipv6 address 2001:DB8:CAFE:200::A1/64
ipv6 nd prefix 2001:DB8:CAFE:200::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
no shutdown
!
crypto key gen rsa general-keys modulus 1024
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.1.99.254
logging source-interface Vlan99
logging host 10.1.100.1
ipv6 route ::/0 2001:DB8:CAFE:99::D1
!
snmp-server community cisco RO
snmp-server community san-fran RW
snmp-server trap-source Vlan99
snmp-server location TSHOOT Lab Facility
snmp-server contact support@tshoot.net
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps port-security
snmp-server enable traps vlan-membership
snmp-server host 10.1.100.1 version 2c cisco
!
!
banner motd ^*** Lab 4-1 Switch ALS1 TT-B Config ***^
!
ipv6 access-list REMOTEv6
deny ipv6 any any
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication CONSOLE
line vty 0 4
exec-timeout 0 0
ipv6 access-class REMOTEv6 in
logging synchronous
length 0
transport input telnet ssh
!
ntp source Vlan99
ntp server 10.1.202.1
!
archive
log config
logging enable
logging size 50
notify syslog contenttype plaintext
hidekeys
path tftp://10.1.100.1/$h-archive-config
write-memory
file prompt quiet
!
end
!

Switch DLS1
!Lab 4-1 Switch DLS1 TT-B Config
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname DLS1
!
!
logging buffered 16384
enable secret cisco
!
username cisco secret cisco
aaa new-model
!
!
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec default local
!
!
clock timezone PST -8
clock summer-time PDT recurring
system mtu routing 1500
vtp domain TSHOOT
vtp mode transparent
ip routing
no ip domain-lookup
ip domain-name tshoot.net
!
ip dhcp excluded-address 10.1.120.251 10.1.120.254
ip dhcp excluded-address 10.1.200.251 10.1.200.254
ip dhcp excluded-address 10.1.110.251 10.1.110.254
!
ip dhcp pool VOICE
network 10.1.200.0 255.255.255.0
default-router 10.1.200.254
!
ip dhcp pool GUEST
network 10.1.110.0 255.255.255.0
default-router 10.1.110.254
!
ip dhcp pool OFFICE
network 10.1.120.0 255.255.255.0
default-router 10.1.120.254
!
!
ipv6 unicast-routing
ipv6 dhcp pool DHCPv6OFFICE
address prefix 2001:DB8:CAFE:120:ABCD::/80
domain-name tshoot.net
!
ipv6 dhcp pool DHCPv6VOICE
address prefix 2001:DB8:CAFE:200:ABCD::/80
domain-name tshoot.net
!
ipv6 dhcp pool DHCPv6GUEST
address prefix 2001:DB8:CAFE:110:ABCD::/80
domain-name tshoot.net
!
!
errdisable recovery cause bpduguard
!
spanning-tree mode rapid-pvst
!
spanning-tree vlan 99,110,120 priority 24576
spanning-tree vlan 100,200 priority 28672
!
!
vlan 99
name MANAGEMENT
!
vlan 100
name SERVERS
!
vlan 110
name GUEST
!
vlan 120
name OFFICE
!
vlan 200
name VOICE
!
vlan 666
name NATIVE
!
vlan 999
name PARKING_LOT
!
ip telnet source-interface Vlan99
ip ssh source-interface Vlan99
!
!
interface Port-channel1
description Channel to ALS1
switchport trunk encapsulation isl
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
no shutdown
!
! Error: Encapsulation is isl but should be dot1q.
! Note: Changing the encapsulation on the port channel will change it on the
! physical interfaces.
!   interface Port-channel1
!   switchport trunk encapsulation dot1q
!
interface Port-channel10
description Channel to DLS2
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
switchport mode trunk
switchport nonegotiate
no shutdown
!
interface FastEthernet0/1
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 1 mode on
no shutdown
!
interface FastEthernet0/2
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 1 mode on
no shutdown
!
interface FastEthernet0/3
description Channel to DLS2
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 10 mode on
no shutdown
!
interface FastEthernet0/4
description Channel to DLS2
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 10 mode on
no shutdown
!
interface FastEthernet0/5
description FE to R1
no switchport
ip address 10.1.2.1 255.255.255.252
speed 100
duplex full
ipv6 address FE80::D1 link-local
ipv6 address 2001:DB8:CAFE:20::D1/64
no ip proxy-arp
ipv6 eigrp 1
spanning-tree bpduguard enable
no shutdown
!
interface FastEthernet0/6
description FE to SRV1
switchport access vlan 100
switchport mode access
switchport nonegotiate
spanning-tree portfast
!
interface FastEthernet0/7
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/8
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/9
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/10
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/11
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/12
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/13
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/14
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/15
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/16
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/17
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/18
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/19
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/20
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/21
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/22
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/23
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/24
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/1
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/2
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan99
ip address 10.1.99.252 255.255.255.0
standby 99 ip 10.1.99.254
standby 99 priority 110
standby 99 preempt
ipv6 address FE80::D1 link-local
ipv6 address 2001:DB8:CAFE:99::D1/64
ipv6 eigrp 1
no shutdown
!
interface Vlan100
ip address 10.1.100.252 255.255.255.0
standby 100 ip 10.1.100.254
standby 100 preempt
ipv6 address FE80::D1 link-local
ipv6 address 2001:DB8:CAFE:100::D1/64
no ip proxy-arp
ipv6 eigrp 1
no shutdown
!
interface Vlan110
ip address 10.1.110.252 255.255.255.0
standby 110 ip 10.1.110.254
standby 110 priority 110
standby 110 preempt
ipv6 address FE80::D1 link-local
ipv6 address 2001:DB8:CAFE:110::D1/64
ipv6 nd prefix 2001:DB8:CAFE:110::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
ipv6 eigrp 1
ipv6 dhcp server DHCPv6GUEST
no shutdown
!
interface Vlan120
ip address 10.1.120.252 255.255.255.0
standby 120 ip 10.1.120.254
standby 120 priority 110
standby 120 preempt
ipv6 address FE80::D1 link-local
ipv6 address 2001:DB8:CAFE:120::D1/64
ipv6 nd prefix 2001:DB8:CAFE:120::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
ipv6 eigrp 1
ipv6 dhcp server DHCPv6OFFICE
no shutdown
!
interface Vlan200
ip address 10.1.200.252 255.255.255.0
standby 200 ip 10.1.200.254
standby 200 preempt
ipv6 address FE80::D1 link-local
ipv6 address 2001:DB8:CAFE:200::D1/64
ipv6 nd prefix 2001:DB8:CAFE:200::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
ipv6 eigrp 1
ipv6 dhcp server DHCPv6VOICE
no shutdown
!
!
router eigrp 1
network 10.1.0.0 0.0.255.255
passive-interface default
no passive-interface FastEthernet0/5
no passive-interface Vlan99
no passive-interface Vlan100
no passive-interface Vlan110
no passive-interface Vlan120
no passive-interface Vlan200
!
crypto key gen rsa general-keys modulus 1024
!
no ip http server
no ip http secure-server
!
!
logging source-interface Vlan99
logging host 10.1.100.1
ipv6 router eigrp 1
eigrp router-id 1.1.1.1
!
!
snmp-server community cisco RO
snmp-server community san-fran RW
snmp-server trap-source Vlan99
snmp-server location TSHOOT Lab Facility
snmp-server contact support@tshoot.net
snmp-server enable traps eigrp
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps port-security
snmp-server enable traps config
snmp-server enable traps hsrp
snmp-server enable traps vlan-membership
snmp-server enable traps errdisable
snmp-server host 10.1.100.1 version 2c cisco
!
!
banner motd ^*** Lab 4-1 Switch DLS1 TT-B Config ***^
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication CONSOLE
line vty 0 4
exec-timeout 0 0
logging synchronous
transport input telnet ssh
!
ntp source Vlan99
ntp server 10.1.202.1
!
archive
log config
logging enable
logging size 50
notify syslog contenttype plaintext
hidekeys
path tftp://10.1.100.1/$h-archive-config
write-memory
file prompt quiet
!
end
!

Switch DLS2
!Lab 4-1 Switch DLS2 TT-B Config
!
service timestamps debug datetime msec
service timestamps log datetime
service password-encryption
!
hostname DLS2
!
!
logging buffered 16384
enable secret cisco
!
username cisco secret cisco
aaa new-model
!
!
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec default local
!
!
clock timezone PST -8
clock summer-time PDT recurring
system mtu routing 1500
vtp domain TSHOOT
vtp mode transparent
ip routing
no ip domain-lookup
ip domain-name tshoot.net
!
!
ipv6 unicast-routing
!
!
errdisable recovery cause bpduguard
!
spanning-tree mode rapid-pvst
spanning-tree vlan 99,110,120 priority 28672
spanning-tree vlan 100,200 priority 24576
!
!
vlan 99
name MANAGEMENT
!
vlan 100
name SERVERS
!
vlan 110
name GUEST
!
vlan 120
name OFFICE
!
vlan 200
name VOICE
!
vlan 666
name NATIVE
!
vlan 999
name PARKING_LOT
!
ip telnet source-interface Vlan99
ip ssh source-interface Vlan99
!
!
interface Port-channel2
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
no shutdown
!
interface Port-channel10
description Channel to DLS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
switchport mode trunk
switchport nonegotiate
no shutdown
!
interface FastEthernet0/1
description Channel to ALS1
switchport trunk encapsulation isl
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 2 mode on
no shutdown
!
! Error: Encapsulation is set to isl on physical interfaces but port channel 2
! is set to dot1q. Change to dot1q:
!   switchport trunk encapsulation dot1q
!
interface FastEthernet0/2
description Channel to ALS1
switchport trunk encapsulation isl
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 2 mode on
no shutdown
!
! Error: Encapsulation is isl but should be dot1q:
!   switchport trunk encapsulation dot1q
!
interface FastEthernet0/3
description Channel to DLS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 10 mode on
no shutdown
!
interface FastEthernet0/4
description Channel to DLS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 10 mode on
no shutdown
!
interface FastEthernet0/5
description FE to R3
no switchport
ip address 10.1.2.13 255.255.255.252
speed 100
duplex full
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:212::D2/64
ipv6 eigrp 1
spanning-tree bpduguard enable
no shutdown
!
interface FastEthernet0/6
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/7
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/8
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/9
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/10
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/11
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/12
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/13
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/14
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/15
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/16
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/17
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/18
description FE to PC-C
switchport access vlan 110
switchport mode access
switchport nonegotiate
spanning-tree portfast
no shutdown
!
interface FastEthernet0/19
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/20
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/21
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/22
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/23
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/24
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/1
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/2
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan99
ip address 10.1.99.253 255.255.255.0
standby 99 ip 10.1.99.254
standby 99 preempt
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:99::D2/64
no ip proxy-arp
ipv6 eigrp 1
no shutdown
!
interface Vlan100
ip address 10.1.100.253 255.255.255.0
standby 100 ip 10.1.100.254
standby 100 priority 110
standby 100 preempt
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:100::D2/64
no ip proxy-arp
ipv6 eigrp 1
no shutdown
!
interface Vlan110
ip address 10.1.110.253 255.255.255.0
standby 110 ip 10.1.110.254
standby 110 preempt
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:110::D2/64
ipv6 nd prefix 2001:DB8:CAFE:110::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
ipv6 eigrp 1
no shutdown
!
interface Vlan120
ip address 10.1.120.253 255.255.255.0
standby 120 ip 10.1.120.254
standby 120 preempt
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:120::D2/64
ipv6 nd prefix 2001:DB8:CAFE:120::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
ipv6 eigrp 1
no shutdown
!
interface Vlan200
ip address 10.1.200.253 255.255.255.0
standby 200 ip 10.1.200.254
standby 200 priority 110
standby 200 preempt
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:200::D2/64
ipv6 nd prefix 2001:DB8:CAFE:200::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
ipv6 eigrp 1
no shutdown
!
!
router eigrp 1
network 10.1.0.0 0.0.255.255
passive-interface default
no passive-interface FastEthernet0/5
no passive-interface Vlan99
no passive-interface Vlan100
no passive-interface Vlan110
no passive-interface Vlan120
no passive-interface Vlan200
!
crypto key gen rsa general-keys modulus 1024
!
no ip http server
no ip http secure-server
!
!
logging source-interface Vlan99
logging host 10.1.100.1
ipv6 router eigrp 1
eigrp router-id 2.2.2.2
!
!
snmp-server community cisco RO
snmp-server community san-fran RW
snmp-server trap-source Vlan99
snmp-server location TSHOOT Lab Facility
snmp-server contact support@tshoot.net
snmp-server enable traps eigrp
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps port-security
snmp-server enable traps config
snmp-server enable traps hsrp
snmp-server enable traps vlan-membership
snmp-server enable traps errdisable
snmp-server host 10.1.100.1 version 2c cisco
!
!
banner motd ^*** Lab 4-1 Switch DLS2 TT-B Config ***^
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication CONSOLE
line vty 0 4
exec-timeout 0 0
logging synchronous
transport input telnet ssh
!
ntp source Vlan99
ntp server 10.1.202.1
!
archive
log config
logging enable
logging size 50
notify syslog contenttype plaintext
hidekeys
path tftp://10.1.100.1/$h-archive-config
write-memory
file prompt quiet
!
end
!
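
Added example, not part of the lab manual: the TT-B faults above are trunk settings that differ between a port channel and its member interfaces. This Python check parses IOS interface blocks and reports every channel-group member whose trunk encapsulation, native VLAN or allowed-VLAN list differs from its Port-channel. The sample configuration is constructed from the DLS2 TT-B listing, and the function names are assumptions of this example.

```python
import re

# Constructed sample, trimmed from the DLS2 TT-B listing (unindented, as printed).
SAMPLE_CONFIG = """\
interface Port-channel2
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
!
interface Port-channel10
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
!
interface FastEthernet0/1
switchport trunk encapsulation isl
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
channel-group 2 mode on
!
interface FastEthernet0/2
switchport trunk encapsulation isl
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
channel-group 2 mode on
!
interface FastEthernet0/3
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
channel-group 10 mode on
!
"""

# Trunk settings that must agree between a Port-channel and its members.
TRUNK_KEYS = {
    "encapsulation": re.compile(r"^switchport trunk encapsulation (\S+)$"),
    "native_vlan": re.compile(r"^switchport trunk native vlan (\d+)$"),
    "allowed_vlans": re.compile(r"^switchport trunk allowed vlan ([\d,\-]+)$"),
}
CHANNEL_GROUP = re.compile(r"^channel-group (\d+) mode \S+$")


def expand_vlans(spec):
    """Turn '99,110-112' into frozenset({99, 110, 111, 112})."""
    vlans = set()
    for part in spec.split(","):
        low, _, high = part.partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return frozenset(vlans)


def parse_interfaces(config_text):
    """Return {interface name: {setting: value}} for every interface block."""
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], {})
        elif line == "!":
            current = None  # '!' closes the block
        elif current is not None:
            match = CHANNEL_GROUP.match(line)
            if match:
                current["channel_group"] = int(match.group(1))
                continue
            for key, pattern in TRUNK_KEYS.items():
                match = pattern.match(line)
                if match:
                    value = match.group(1)
                    current[key] = expand_vlans(value) if key == "allowed_vlans" else value
    return interfaces


def find_channel_mismatches(config_text):
    """List (member, port_channel, setting, member_value, channel_value) tuples."""
    interfaces = parse_interfaces(config_text)
    findings = []
    for name, attrs in interfaces.items():
        group = attrs.get("channel_group")
        if group is None:
            continue
        po_name = f"Port-channel{group}"
        channel = interfaces.get(po_name)
        if channel is None:
            # Member references a Port-channel that has no interface block.
            findings.append((name, po_name, "port-channel", None, None))
            continue
        for key in TRUNK_KEYS:
            if attrs.get(key) != channel.get(key):
                findings.append((name, po_name, key, attrs.get(key), channel.get(key)))
    return findings


if __name__ == "__main__":
    for finding in find_channel_mismatches(SAMPLE_CONFIG):
        print(finding)
```
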

Trouble Ticket - TT-C Configurations


Switch ALS1 - Same as TT-B

Switch DLS1 - Same as TT-A

Router R1 – Same as TT-A

Router R2 – Same as TT-A

Router R3 – Same as TT-A

Switch DLS2
!Lab 4-1 Switch DLS2 TT-C Config
!
service timestamps debug datetime msec
service timestamps log datetime
service password-encryption
!
hostname DLS2
!
!
logging buffered 16384
enable secret cisco
!
username cisco secret cisco
aaa new-model
!
!
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec default local
!
!
clock timezone PST -8
clock summer-time PDT recurring
system mtu routing 1500
vtp domain TSHOOT
vtp mode transparent
ip routing
no ip domain-lookup
ip domain-name tshoot.net
!
!
ipv6 unicast-routing
!
!
errdisable recovery cause bpduguard
!
spanning-tree mode rapid-pvst
spanning-tree vlan 99,110,120 priority 28672
spanning-tree vlan 100,200 priority 24576
!
!
vlan 99
name MANAGEMENT
!
vlan 100
name SERVERS
!
vlan 110
name GUEST
!
vlan 120
name OFFICE
!
vlan 200
name VOICE
!
vlan 666
name NATIVE
!
vlan 999
name PARKING_LOT
!
ip telnet source-interface Vlan99
ip ssh source-interface Vlan99
!
!
interface Port-channel2
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,120,200
switchport mode trunk
switchport nonegotiate
no shutdown
!
interface Port-channel10
description Channel to DLS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,120,200
switchport mode trunk
switchport nonegotiate
no shutdown
!
! Error: VLAN 110 not allowed on trunks Po2 and Po10.
! Note: Adding it to the port channel will add it to the physical interfaces.
!   interface Port-channel2
!   switchport trunk allowed vlan add 110
!   interface Port-channel10
!   switchport trunk allowed vlan add 110
!
interface FastEthernet0/1
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,120,200
switchport mode trunk
switchport nonegotiate
channel-group 2 mode on
no shutdown
!
interface FastEthernet0/2
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,120,200
switchport mode trunk
switchport nonegotiate
channel-group 2 mode on
no shutdown
!
interface FastEthernet0/3
description Channel to DLS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,120,200
switchport mode trunk
switchport nonegotiate
channel-group 10 mode on
no shutdown
!
interface FastEthernet0/4
description Channel to DLS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,120,200
switchport mode trunk
switchport nonegotiate
channel-group 10 mode on
no shutdown
!
interface FastEthernet0/5
description FE to R3
no switchport
ip address 10.1.2.13 255.255.255.252
speed 100
duplex full
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:212::D2/64
ipv6 eigrp 1
spanning-tree bpduguard enable
no shutdown
!
interface FastEthernet0/6
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/7
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/8
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/9
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/10
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/11
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/12
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/13
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/14
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/15
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/16
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/17
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/18
description FE to PC-C
switchport access vlan 110
switchport mode access
switchport nonegotiate
spanning-tree portfast
no shutdown
!
interface FastEthernet0/19
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/20
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/21
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/22
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/23
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/24
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/1
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/2
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan99
ip address 10.1.99.253 255.255.255.0
standby 99 ip 10.1.99.254
standby 99 preempt
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:99::D2/64
no ip proxy-arp
ipv6 eigrp 1
no shutdown
!
interface Vlan100
ip address 10.1.100.253 255.255.255.0
standby 100 ip 10.1.100.254
standby 100 priority 110
standby 100 preempt
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:100::D2/64
no ip proxy-arp
ipv6 eigrp 1
no shutdown
!
interface Vlan110
ip address 10.1.110.253 255.255.255.0
standby 110 ip 10.1.110.254
standby 110 preempt
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:110::D2/64
ipv6 nd prefix 2001:DB8:CAFE:110::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
ipv6 eigrp 1
no shutdown
!
interface Vlan120
ip address 10.1.120.253 255.255.255.0
standby 120 ip 10.1.120.254
standby 120 preempt
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:120::D2/64
ipv6 nd prefix 2001:DB8:CAFE:120::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
ipv6 eigrp 1
no shutdown
!
interface Vlan200
ip address 10.1.200.253 255.255.255.0
standby 200 ip 10.1.200.254
standby 200 priority 110
standby 200 preempt
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:200::D2/64
ipv6 nd prefix 2001:DB8:CAFE:200::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
ipv6 eigrp 1
no shutdown
!
!
router eigrp 1
network 10.1.0.0 0.0.255.255
passive-interface default
no passive-interface FastEthernet0/5
no passive-interface Vlan99
no passive-interface Vlan100
no passive-interface Vlan110
no passive-interface Vlan120
no passive-interface Vlan200
!
crypto key gen rsa general-keys modulus 1024
!
no ip http server
no ip http secure-server
!
!
logging source-interface Vlan99
logging host 10.1.100.1
ipv6 router eigrp 1
eigrp router-id 2.2.2.2
!
!
snmp-server community cisco RO
snmp-server community san-fran RW
snmp-server trap-source Vlan99
snmp-server location TSHOOT Lab Facility
snmp-server contact support@tshoot.net
snmp-server enable traps eigrp
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps port-security
snmp-server enable traps config
snmp-server enable traps hsrp
snmp-server enable traps vlan-membership
snmp-server enable traps errdisable
snmp-server host 10.1.100.1 version 2c cisco
!
!
banner motd ^*** Lab 4-1 Switch DLS2 TT-C Config ***^
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication CONSOLE
line vty 0 4
exec-timeout 0 0
logging synchronous
transport input telnet ssh
!
ntp source Vlan99
ntp server 10.1.202.1
!
archive
log config
logging enable
logging size 50
notify syslog contenttype plaintext
hidekeys
path tftp://10.1.100.1/$h-archive-config
write-memory
file prompt quiet
!
end
!
Lab 4-2 Mixed Layer 2-3 Connectivity


Instructor Version
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Physical Topology

Logical Topology

Objectives
• Load the trouble ticket device configuration files for each trouble ticket.
• Diagnose and resolve problems related to switch virtual interfaces and multilayer switching.
• Diagnose and resolve problems related to First Hop Redundancy Protocols.
• Document troubleshooting progress, configuration changes, and problem resolution.

Background
Multilayer switches have the capability to act as routers by way of switch virtual interfaces (SVIs), routed
interfaces, and routing protocols. SVIs are Layer 3 logical interfaces representing VLANs and routed ports are
Layer 3 physical interfaces. Multilayer switches are frequently used as part of the LAN switch fabric and can
be configured with a First Hop Redundancy Protocol (FHRP). Two or more Layer 3 switches (or routers) can
provide redundant paths to the network edge for local hosts. A host is configured with a virtual default
gateway address. If one of the gateways goes down, the other can take over for the client without the client’s
knowledge. FHRPs used in CCNPv7.0 are Hot Standby Router Protocol (HSRP), Virtual Router Redundancy
Protocol (VRRP), and Gateway Load Balancing Protocol (GLBP).
In this lab, you will troubleshoot problems related to Layer 3 switching and FHRPs. For each task or trouble
ticket, the scenario and problem symptoms are described. While troubleshooting, you will discover the cause
of the problem, correct it, and then document the process and results.
Physical and Logical Topology Diagrams
The physical and logical topologies, including interface designations and IPv4/IPv6 addresses, are provided
to assist the troubleshooting effort.
Note: This lab uses Cisco ISR G2 routers running Cisco IOS 15.4(3) images with IP Base and Security
packages enabled, and Cisco Catalyst 3560 and 2960 switches running Cisco IOS 15.0(2) IP Services and
LAN Base images, respectively. The 3560 and 2960 switches are configured with the SDM templates
dual-ipv4-and-ipv6 routing and lanbase-routing, respectively. Depending on the router or switch model and
Cisco IOS Software version, the commands available and output produced might vary from what is shown in
this lab. Any changes made to the baseline configurations or topology (other than errors introduced) are noted
in the trouble ticket so that you are aware of them prior to beginning the troubleshooting process.
Instructor Notes:
• The lab topology should be pre-built prior to the students starting the lab. Ensure that all switches and
routers (ALS1, DLS1, DLS2, R1, R2, and R3) have the course lab configuration files installed in flash
memory. These can be downloaded from NetSpace. The device configurations for all devices are
included at the end of this lab, either directly or by reference to the first trouble ticket, TT-A. The
configuration file for ALS1 can be copied into a text file using the naming convention
Labxy-ALS1-TT-z-Cfg.txt where x is the chapter number, y is the lab number within the chapter, and z is the
uppercase letter indicating the particular trouble ticket in the lab; similarly for DLS1, DLS2, R1, R2, and
R3.
• The device configurations that contain trouble ticket errors and modifications from the baseline are
included at the end of the lab, and the errors in them are identified.
• All device configurations are provided for TT-A, including those that are the same as the baseline, as
introduced in the BASE Lab. The configurations provided here are not running-config outputs, but
rather sequences of commands that generate running-config files.
• Device configurations can be used by instructors for cut-and-paste for TT-A and subsequent tickets—
use a terminal emulator line delay of at least 100 ms if pasting configurations directly into global
configuration mode on a device. Some systems may actually require 200 ms.
• Where a configuration is noted as being the same as a previous one, the only change is in the
MOTD, which identifies the Lab and TT. The errors in the configurations are commented and
highlighted as red text.
• Each device should have a directory named “tshoot” in flash. This directory should contain the
baseline configuration file for that device as well as configuration files for all labs in this course.
• Instructors can use a TFTP server, a USB drive, or a flash memory card as source, and use the copy
or archive tar command to copy all course configuration files into the flash:/tshoot directory for
each device in the topology.
• For this lab and subsequent labs, the student is responsible for loading the baseline or trouble ticket
configurations using the procedure described in the BASE Lab.
• Set the correct time on R2, which serves as the primary NTP server for the lab network. These labs
use Pacific Time Zone, but each site should use its own time zone.
• If time is an issue, each task (trouble ticket) can be performed independently.

Required Resources
• 3 routers (Cisco IOS Release 15.4 or comparable)
• 2 multilayer switches and 1 access layer switch (Cisco IOS Release 15.0(2) or comparable with Fast
Ethernet interfaces)
• SRV1 (PC with static IP address): Windows 7 with RADIUS, TFTP, and syslog servers, plus an SSH
client and Wireshark software
• PC-B (DHCP client): Windows 7 with SSH client and Wireshark software
• PC-C (DHCP client): Windows 7 with SSH client and Wireshark software
• Serial and Ethernet cables, as shown in the topology
Instructor Notes:
• This lab is divided into multiple tasks. Each task is associated with a trouble ticket (TT) and
introduces one or more errors on one or more devices.
• Students can work individually or as a team. The problems introduced in this lab focus on the Layer 3
switching environment: DHCP, FHRP, addressing, SDM, and authentication.
• Suggested actions and results presented during the troubleshooting process for each TT can be
shared with the students during debrief, or copies of the instructor version of the lab can be made
available to the students to assist them in verifying their work.

Task 1: Trouble Ticket Lab 4-2 TT-A


Instructor note: This trouble ticket involves DLS1 issues related to DHCPv4 assigning an incorrect HSRP
default gateway address and a mismatch of HSRP parameters between DLS1 and DLS2.

Step 1: Review trouble ticket Lab 4-2 TT-A.


During last Friday’s maintenance window, a series of failover tests at headquarters and the branch offices were
executed. It was discovered during a reboot of switch DLS1 that connectivity between clients in OFFICE VLAN
120 and the Internet was lost. After router DLS1 came back online, the clients regained connectivity. This was not
the expected behavior, because the network provides gateway first-hop redundancy for clients in the OFFICE
VLAN to ensure correct failover during outages: If one of the HSRP switches fails, the hosts on the OFFICE VLAN
should still be able to access the Internet (by pinging R2 Lo1 2.2.2.2 during the outage).

Step 2: Load the device trouble ticket configuration files for TT-A.
Using the procedure described in the BASE Lab, verify that the lab configuration files are present in flash. Load
the proper configuration files indicated in the Device Configuration File Table.
Note: You can test the simulated Internet access by opening a browser and entering the IP address of the R2 Lo1
interface 2.2.2.2. You will be prompted for a username and password. You can gain access to the router GUI
management interface by entering username cisco and the enable password cisco.
Device Configuration File Table
Device Name   File to Load              Notes
ALS1          Lab42-ALS1-TT-A-Cfg.txt   This file is the same as the baseline
DLS1          Lab42-DLS1-TT-A-Cfg.txt   This file contains configuration errors
DLS2          Lab42-DLS2-TT-A-Cfg.txt   This file contains configuration errors
R1            Lab42-R1-TT-A-Cfg.txt     This file is the same as the baseline
R2            Lab42-R2-TT-A-Cfg.txt     This file is the same as the baseline
R3            Lab42-R3-TT-A-Cfg.txt     This file is the same as the baseline
SRV1          N/A                       Static IP: 10.1.100.1 and 2001:DB8:CAFE:100::1
                                        Default gateway: 10.1.100.254/24 and 2001:DB8:CAFE:100::D1/64
PC-B          N/A                       DHCP (release and renew for IPv4 and IPv6 after loading device configurations)
PC-C          N/A                       DHCP (release and renew for IPv4 and IPv6 after loading device configurations)

Instructor note: The student loads the “broken” TT configuration files for all devices, although only the
configurations indicated in the Notes column have errors.

Step 3: Configure SRV1 and start the syslog and TFTP servers.
a. Ensure that SRV1 has the static IP address 10.1.100.1 and default gateway 10.1.100.254.
b. Start the syslog server on SRV1, which is the syslog server for the entire network. When the network
is properly configured, all devices send syslog messages to SRV1.
c. Start the TFTP server on SRV1, which is the archive server for the entire network. When the network
is properly configured, all devices send archives of their running configurations to this server
whenever the running config is copied to the startup config. Ensure that the default TFTP directory on
SRV1 is set to the directory where you want to store the archives.
Instructor notes:
• This lab uses Tftpd32 for both TFTP and syslog—other comparable tools can be used. For SNMP
monitoring, the TSHOOT labs use ManageEngine MibBrowser.
• For the trouble ticket to “work” correctly, the next step is very important—be sure to emphasize to
students to release and renew DHCP leases on PC-B and PC-C!

Step 4: Release and renew the DHCP leases on PC-B and PC-C.
a. Ensure that PC-B and PC-C are configured as DHCP clients.
b. After loading all TT-A device configuration files, issue the ipconfig /release and
ipconfig /renew commands on PC-B and PC-C. You might need to repeat this process after the
TT problems have been resolved.
Note: Problems introduced into the network by the trouble ticket might prevent one or both of the PCs
from acquiring an IP address. Be sure to attempt to release and renew the DHCP leases on PC-B and
PC-C. Do not assign either PC a static address.

Step 5: Outline the troubleshooting approach and validation steps.


Use this space to identify your troubleshooting approach and the key steps to verify that the problem is resolved.
Troubleshooting approaches to select from include the follow-the-path, perform-comparison, bottom-up,
top-down, divide-and-conquer, shoot-from-the-hip, and swap-components (move-the-problem) methods.
Note: In addition to a specific approach, you can use the generic troubleshooting process: defining a problem,
gathering information, analyzing the information, eliminating possible problem causes, formulating a hypothesis
about the likely cause of the problem, testing that hypothesis, and solving the problem.
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________

The perform-comparison or shoot-from-the-hip method can be used. Other methods are the bottom-up,
top-down, divide-and-conquer, follow-the-path, and swap-components approaches.
Verification steps can include:
From PC-B (connected to switch ALS1), ping and browse the Internet using R2 Lo1 2.2.2.2 while DLS1 is
being rebooted.

Step 6: Record the troubleshooting process and configuration changes.


Use this log to document your actions and results during the troubleshooting process. List the commands you
used to gather information. As you progress, record your thoughts as to what you think the problem might be and
which actions you take to correct the problem.

Device Actions and Results

TT-A Issue 1—An incorrect HSRP default gateway address for VLAN 120 is assigned by DHCP server DLS1.
Responses will vary but could include:
Before rebooting the DLS1 primary HSRP router (device up and functioning):
• Pings from PC-B to the R2 simulated Internet Lo1 2.2.2.2 succeed.
• Tracert from PC-B to the R2 simulated Internet Lo1 2.2.2.2 succeeds and follows the path DLS1
(10.1.120.252) to R1 (10.1.2.2) to R2 (2.2.2.2).
When rebooting the DLS1 primary HSRP router (simulating a device failure):
Instructor note: You can also shut down the Po1 and Po10 port channel interfaces on DLS1 to simulate
device failure.
• Pings from PC-B to the real IP address of the redundant router DLS2 10.1.120.253 succeed.
• Pings from PC-B to the virtual IP address 10.1.120.254 succeed.
• Pings from PC-B to the R2 simulated Internet Lo1 2.2.2.2 fail.
• Tracert from PC-B to the R2 simulated Internet Lo1 2.2.2.2 fails at first hop DLS1.
After DLS1 comes back up:
• There might be an issue with the routing protocol, but the show ip protocols command on DLS1
and DLS2 indicates that they are using EIGRP and routing for network 10.1.0.0/16.
• Also, the show ip route command on DLS1 and DLS2 indicates that a route exists to the R2
simulated ISP address 2.2.2.2 (learned via EIGRP).
• The show ip cef 2.2.2.2 command on DLS1 indicates that the next hop is 10.1.2.2 via F0/5.
• The show standby vlan 120 command on DLS1 indicates that the virtual IP address for VLAN
120 is 10.1.120.254 and that DLS1 is the local active router. The standby router is DLS2, and its SVI
VLAN 120 real IP address is 10.1.120.253.
• The show running-config interface vlan 120 command on DLS1 indicates that the SVI
VLAN 120 real IP address is 10.1.120.252 and that the virtual address is 10.1.120.254. Both are
correct according to the network documentation.
• The ipconfig command on PC-B indicates that it is a DHCPv4 client and that it is using the real IP
address (10.1.120.252) of the primary VLAN 120 router DLS1 as its default gateway rather than the
virtual VLAN IP address (10.1.120.254). This is okay as long as DLS1 is up, but it does not provide
redundancy for VLAN 120 clients.
• A check of the network documentation indicates that DLS1 is the DHCPv4 server for the network.
• The show running-config | begin dhcp command on DLS1 indicates that the IPv4 DHCP
pool OFFICE specifies a default router of 10.1.120.252, which is the real IP address of DLS1 SVI
VLAN 120. It should specify the HSRP virtual IP address of 10.1.120.254.
Action: Change the default router for the OFFICE DHCP pool on DLS1 to 10.1.120.254. Refer to TT-A
debrief for more information. On PC-B, issue the ipconfig /release and ipconfig /renew
commands.
Verification: When DLS1 is reloaded (simulating an outage), packets are now routed through DLS2.
Also, DLS2 now changes from standby to active and allows hosts on VLAN 120 to access the Internet via
the backup.

TT-B Issue 2—HSRP VLAN 99 parameters mismatch between DLS1 and DLS2.
VLAN 120 clients can now access the Internet, but you still cannot ping from switch ALS1 to DLS2 when
DLS1 is reloaded to test the failover capability.

Responses will vary but could include:


When rebooting the DLS1 primary HSRP router (simulating a device failure):
• Pings from ALS1 to the real VLAN 99 IP address of the redundant router DLS2 10.1.99.253 succeed.
• Pings from ALS1 to the virtual VLAN 99 IP address 10.1.99.254 fail.
• When the primary router is down, if pings to the real IP address of the standby router are successful
but pings to the virtual IP address fail, there might be a problem with the FHRP.
• When pinging from switch ALS1 to DLS2, they communicate using management VLAN 99.
• The show standby vlan 99 command on DLS1 indicates that the group is 99 and that the state is
active. The group name is hsrp-Vl99-99. The virtual IP address for VLAN 99 is 10.1.99.254, and
DLS1 is the local active router. The standby router is unknown, indicating a problem with the HSRP
configuration.
• The debug standby packets command on DLS1 indicates that the DLS1 is sending HSRP “hello
out” messages from 10.1.99.252 for VLAN 99 Group 99, but no HSRP “hello in” messages are being
received from DLS2 (10.1.99.253). The reverse is true for DLS2. The routers are not exchanging
HSRP hello messages.
• The show running-config interface vlan 99 command on DLS1 confirms that the SVI 99
real IP address is 10.1.99.252, and the virtual IP address is 10.1.99.254. The group number is 99.
• The show standby vlan 99 command on DLS2 indicates that the group is 9 and that the state is
active. The group name is hsrp-Vl99-9. The virtual IP address for VLAN 99 is 10.1.99.245, and DLS2
is the local active router. The standby router is unknown, indicating a problem with the HSRP
configuration.
• The show running-config interface vlan 99 command on DLS2 confirms that the SVI
VLAN 99 real IP address is 10.1.99.253, and the virtual IP address is 10.1.99.245, which does not
match the DLS1 configuration and is incorrect according to the network documentation. The standby
group number is 9, which is also incorrect. It should be 99.
• A check of the network documentation indicates that the correct HSRP virtual IP address for VLAN 99
is 10.1.99.254.
Action: Change VLAN 99 on DLS1 to 10.1.99.254 and specify the standby group number 99, instead of
9. Refer to TT-A debrief for more information.
Verification: Now when DLS1 is reloaded (simulating an outage), ALS1 packets can still reach DLS2
using VLAN 99.

Step 7: Document trouble ticket debrief notes.


Use this space to make notes of the key learning points that you picked up during the discussion of this trouble
ticket with your instructor. The notes can include problems encountered, solutions applied, and useful commands
employed. It can also include alternate solutions, methods, and procedures and communication improvements.
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________

Trouble Ticket TT-A Debrief—Instructor Notes


TT-A Issue 1
Connectivity between clients in VLAN 120 OFFICE and the Internet is lost when switch DLS1 is rebooted.
The problem with clients in VLAN 120 is caused by using the real IP address of Layer 3 switch DLS1 as the
default gateway rather than the HSRP virtual IP address. The default gateway for clients is assigned via DHCP by
DLS1.
The ipconfig command on PC-B indicated that it is a DHCP client, and it was using the real IP address
(10.1.120.252) of the primary VLAN 120 router DLS1 as its default gateway rather than the virtual VLAN IP
address (10.1.120.254). This provides connectivity as long as DLS1 is up, but it does not provide redundancy for
VLAN 120 clients.
When DLS1 was up, the traceroute from PC-B to the R2 simulated Internet Lo1 2.2.2.2 succeeded and followed
the path DLS1 (10.1.120.252) to R1 (10.1.2.2) to R2 (2.2.2.2). A trace to a location reports the real IP address of
the hops on the path, not the virtual ones. Thus, the trace would have looked normal even though there might be
problems with HSRP. However, when DLS1 goes down, the real IP address that PC-B was using as its default
gateway is no longer available, and the traceroute fails at the first hop (DLS1).
To resolve this problem, the default gateway address that is assigned by DLS1 to VLAN 120 clients should be
changed as follows:
ip dhcp pool OFFICE
default-router 10.1.120.254

After this, the IP address on client PC-B should be released and renewed to force the client to update its default
gateway.

TT-A Issue 2
Connectivity between ALS1 and DLS2 is lost when switch DLS1 is rebooted.
The second problem is caused by mismatched HSRP parameters between Layer 3 switches DLS1 and DLS2 for
VLAN 100 MGMT. The HSRP group number and virtual IP address on DLS2 should be changed to match DLS1
as follows:
interface vlan 99
no standby 9 ip 10.1.99.245
standby 99 ip 10.1.99.254
no standby 9 preempt
standby 99 preempt

Note: Additional HSRP group number information to share with students:


A problem in the HSRP configuration can be created when one router is configured with standby z ip where z is
the group number, while another router in the same network is configured with standby ip, omitting the standby
group number. Omitting the group number causes the router to create standby group 0. This will lead to two
standby groups being created on a common network, both claiming the same virtual IP and MAC address. This
problem is common and difficult to spot.
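
Both TT-A faults and the group-number pitfall in the note above can be caught by comparing the two HSRP peers' configurations, as in this added example (it is not part of the lab manual). The configuration excerpts are constructed from the addresses and group numbers reported for this ticket, and parse and audit are hypothetical helper names.

```python
import re
from collections import defaultdict

# Constructed excerpts using the values reported for TT-A in this lab;
# they are not the full trouble-ticket configuration files.
DLS1_CFG = """\
ip dhcp pool OFFICE
 network 10.1.120.0 255.255.255.0
 default-router 10.1.120.252
!
interface Vlan99
 ip address 10.1.99.252 255.255.255.0
 standby 99 ip 10.1.99.254
 standby 99 preempt
!
interface Vlan120
 ip address 10.1.120.252 255.255.255.0
 standby 120 ip 10.1.120.254
 standby 120 preempt
"""
DLS2_CFG = """\
interface Vlan99
 ip address 10.1.99.253 255.255.255.0
 standby 9 ip 10.1.99.245
 standby 9 preempt
!
interface Vlan120
 ip address 10.1.120.253 255.255.255.0
 standby 120 ip 10.1.120.254
 standby 120 preempt
"""

IPV4 = r"\d+(?:\.\d+){3}"


def parse(cfg):
    """Return (hsrp, real_ip, pools) from running-config style text.

    hsrp:    interface -> {group number: virtual IP}
    real_ip: interface -> primary IPv4 address
    pools:   DHCP pool name -> default-router address
    """
    hsrp, real_ip, pools = defaultdict(dict), {}, {}
    kind = name = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("!"):          # separator ends the current section
            kind = name = None
            continue
        m = re.match(r"(interface|ip dhcp pool) (\S+)$", line)
        if m:
            kind, name = m.groups()
        elif kind == "interface":
            m = re.match(rf"ip address ({IPV4}) {IPV4}$", line)
            if m:
                real_ip[name] = m.group(1)
            m = re.match(rf"standby (?:(\d+) )?ip ({IPV4})$", line)
            if m:
                # "standby ip <addr>" without a number creates group 0.
                hsrp[name][int(m.group(1) or 0)] = m.group(2)
        elif kind == "ip dhcp pool":
            m = re.match(rf"default-router ({IPV4})", line)
            if m:
                pools[name] = m.group(1)
    return hsrp, real_ip, pools


def audit(configs):
    """Compare HSRP peers and DHCP pools; return a list of finding strings."""
    parsed = {dev: parse(text) for dev, text in sorted(configs.items())}
    findings = []

    # 1. Every peer must use the same group number and virtual IP per interface.
    interfaces = sorted({i for hsrp, _, _ in parsed.values() for i in hsrp})
    for ifname in interfaces:
        views = {dev: sorted(p[0].get(ifname, {}).items())
                 for dev, p in parsed.items()}
        if len({tuple(v) for v in views.values()}) > 1:
            detail = "; ".join(
                f"{dev} " + (", ".join(f"group {g} vip {ip}" for g, ip in v)
                             or "no HSRP")
                for dev, v in views.items())
            findings.append(f"HSRP mismatch on {ifname}: {detail}")

    # 2. A DHCP default-router must be an HSRP virtual IP, not a real SVI address.
    vips = {ip for hsrp, _, _ in parsed.values()
            for groups in hsrp.values() for ip in groups.values()}
    owners = {ip: f"{dev} {ifname}" for dev, (_, real, _) in parsed.items()
              for ifname, ip in real.items()}
    for dev, (_, _, pools) in parsed.items():
        for pool, gw in sorted(pools.items()):
            if gw in owners and gw not in vips:
                findings.append(f"{dev} pool {pool}: default-router {gw} is the real "
                                f"address of {owners[gw]}, not an HSRP virtual IP")
    return findings


if __name__ == "__main__":
    for finding in audit({"DLS1": DLS1_CFG, "DLS2": DLS2_CFG}):
        print(finding)
```

The parser expects running-config style interface names such as Vlan99 and only reads primary IPv4 addresses.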

Task 2: Trouble Ticket Lab 4-2 TT-B


Instructor note: This trouble ticket involves ALS1 issues related to SVI status and addressing.

Step 1: Review trouble ticket Lab 4-2 TT-B.


Upon arriving at the office this morning, you find the following ticket in the system:
Switch ALS1 has been showing CRC errors on a group of eight ports for several days. It was suspected that
hardware was the cause. During yesterday evening’s maintenance window, the switch was replaced with a similar
switch from the lab. After this replacement, clients could connect, and no errors were shown on the ports.
However, making a backup of the ALS1 configuration to server SRV1 did not work, and no syslog messages from
ALS1 are being received by SRV1. The switch is not reachable via SSH from server SRV1. There was no time for
further research yesterday so, because there is no impact to users, it was decided to leave the switch and pick up
this issue the next day.
Your task is to diagnose the issue and restore connectivity between switch ALS1 and server SRV1. After
resolving the problem, make a backup of the configuration to server SRV1.

Step 2: Load the device trouble ticket configuration files for TT-B.
Load the proper configuration files indicated in the Device Configuration File Table.
Note: The following device access methods are in effect after loading the configuration files:
• Console access requires no username or password.
• SSH requires the username admin and password cisco.
• The enable password is cisco.
Device Configuration File Table
Device Name   File to Load              Notes
ALS1          Lab42-ALS1-TT-B-Cfg.txt   This file contains configuration errors
DLS1          Lab42-DLS1-TT-B-Cfg.txt   This file is the same as the baseline
DLS2          Lab42-DLS2-TT-B-Cfg.txt   This file is the same as the baseline
R1            Lab42-R1-TT-B-Cfg.txt     This file is the same as the baseline
R2            Lab42-R2-TT-B-Cfg.txt     This file is the same as the baseline
R3            Lab42-R3-TT-B-Cfg.txt     This file is the same as the baseline
SRV1          N/A                       Static IP: 10.1.100.1 and 2001:DB8:CAFE:100::1
                                        Default gateway: 10.1.100.254/24 and 2001:DB8:CAFE:100::D1/64
PC-B          N/A                       DHCP (release and renew for IPv4 and IPv6 after loading device configurations)
PC-C          N/A                       DHCP (release and renew for IPv4 and IPv6 after loading device configurations)
Step 3: Configure SRV1 and start the syslog and TFTP servers, as described in Task 1.

Step 4: Release and renew the DHCP leases on PC-B and PC-C, as described in Task 1.

Step 5: Outline the troubleshooting approach and validation steps.


Use this space to identify your troubleshooting approach and the key steps to verify that the problem is resolved.
Troubleshooting approaches to select from include follow-the-path, perform-comparison, bottom-up, top-down,
divide-and-conquer, shoot-from-the-hip, and swap-components (move-the-problem) methods.
Note: In addition to a specific approach, you can use the generic troubleshooting process.
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
The divide-and-conquer or shoot-from-the-hip method can be used. Other methods are the bottom-up,
top-down, perform-comparison, and swap-components approaches.
Verification steps can include:
Switch ALS1 can be reached by means of SSH from server SRV1.
Syslog messages from ALS1 are being received on SRV1.
The ALS1 configuration can be copied to the TFTP server running on server SRV1.

Step 6: Record the troubleshooting process and configuration changes.


Use this log to document your actions and results during the troubleshooting process. List the commands you
used to gather information. As you progress, record your thoughts as to what you think the problem might be and
which actions you take to correct the problem.

Device Actions and Results



Responses will vary but could include:


• Pings from PC-B to SRV1 at 10.1.100.1 succeed.
• Pings from PC-B to its default gateway 10.1.120.254 on DLS1 succeed.
• Pings from PC-B to all other network devices succeed.
• Pings from ALS1 to DLS1 (10.1.x.252) and DLS2 (10.1.x.253) fail for x = 99,110,120,200.
• Using SSH from SRV1 to ALS1 (10.1.x.251) fails for x = 99,110,120,200.
• Using SSH from SRV1 to DLS1 (10.1.x.252) succeeds for x = 99,110,120,200.

TT-B Issue—ALS1 SVIs all have IP addresses of the form 10.10.x.y. In particular, ALS1 has no interfaces in
the subnet 10.1.99.0/24, so ALS1 loses its default route pointing to 10.1.99.254.
• The show spanning-tree command on ALS1, DLS1, and DLS2 indicates the correct spanning-tree
mode of RSTP and a separate instance for each VLAN.
• The show vlan brief command on ALS1 indicates that the management VLAN 99 is defined and
active.
• The show vlan id 99 command on ALS1 indicates that the management VLAN 99 is defined and
active and contains ports Po1 and Po2.
• The show ip interface brief command on ALS1 indicates that SVIs 99,110,120,200 are up/up.
• The show ip interface vlan x command on ALS1, x = 99,110,120,200, indicates that the SVI x
IPv4 address is configured as 10.10.x.251/24, which is outside the 10.1.0.0/16 network.
• Network documentation shows that, for x = 99,110,120,200, the ALS1 SVI x IPv4 address should be
10.1.x.251/24.
Action: Change the IPv4 addresses for the ALS1 SVIs to the correct ones shown in the network
documentation. Refer to TT-A debrief for more information.
Verification: SSH from SRV1 to ALS1 should now be successful. The logging source interface on ALS1 was
set to SVI 99, so syslog messages can now be sent to SRV1.

Step 7: Document trouble ticket debrief notes.


Use this space to make notes of the key learning points that you picked up during the discussion of this trouble
ticket with your instructor. The notes can include problems encountered, solutions applied, useful commands
employed, alternate solutions, methods and processes, and procedure and communication improvements.
_______________________________________________________________________________
_______________________________________________________________________________

_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
Trouble Ticket TT-B Debrief—Instructor Notes
TT-B Issue
The problem in this trouble ticket is that SVI x on ALS1 has been assigned an IPv4 address
10.10.x.251/24 that is not part of the 10.1.0.0/16 network; hence ALS1 cannot communicate with other
devices. In addition, SRV1 cannot successfully SSH or ping ALS1 at any of its SVI IPv4 addresses. A
review of network documentation shows that the ALS1 SVI x IPv4 address should be 10.1.x.251/24,
where x = 99,110,120,200.
Because users can access all network resources via ping through switch ALS1, it is not likely to be a
Layer 2 issue. ALS1 cannot communicate with SRV1 for syslog or TFTP purposes, in particular. But
SRV1 can ping all the IPv4 addresses on all the devices in the network except ALS1. This tends to point
to a configuration problem with the ALS1 SVIs.
To solve the problem, issue the following commands for x = 99,110,120,200:
ALS1(config)# interface vlan x
ALS1(config-if)# ip address 10.1.x.251 255.255.255.0
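
Added example (not part of the lab manual): the TT-B comparison against network documentation can be scripted so that the same drift is caught before it becomes a ticket. The config excerpt is constructed from the fault described above, the `ip route` line is an assumed form of the default route to 10.1.99.254, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed excerpt modelled on the TT-B fault described above; it is not
# the lab's Lab42-ALS1-TT-B-Cfg.txt file.
ALS1_TT_B = """\
interface Vlan99
 ip address 10.10.99.251 255.255.255.0
!
interface Vlan110
 ip address 10.10.110.251 255.255.255.0
!
interface Vlan120
 ip address 10.10.120.251 255.255.255.0
!
interface Vlan200
 ip address 10.10.200.251 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.1.99.254
"""

# Documented plan from the ticket: SVI x is 10.1.x.251/24.
DOCUMENTED = {
    x: ipaddress.ip_interface(f"10.1.{x}.251/24") for x in (99, 110, 120, 200)
}


def parse_svis(config):
    """Return {vlan_id: IPv4Interface} for each 'interface VlanN' with an address."""
    svis, vlan = {}, None
    for line in config.splitlines():
        m = re.match(r"interface Vlan(\d+)\s*$", line)
        if m:
            vlan = int(m.group(1))
        elif not line.startswith(" "):
            vlan = None  # any other top-level line ends the interface block
        elif vlan is not None:
            m = re.match(r"\s+ip address (\S+) (\S+)\s*$", line)
            if m:
                svis[vlan] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return svis


def parse_static_next_hops(config):
    """Return [(prefix_text, next_hop)] for 'ip route <net> <mask> <next-hop>' lines."""
    pattern = r"^ip route (\S+ \S+) (\d+\.\d+\.\d+\.\d+)\s*$"
    return [
        (m.group(1), ipaddress.ip_address(m.group(2)))
        for m in re.finditer(pattern, config, re.M)
    ]


def audit(config, documented):
    """Compare SVI addressing with the documentation and check that every
    static-route next hop sits inside a connected SVI subnet."""
    findings = []
    svis = parse_svis(config)
    for vlan, want in sorted(documented.items()):
        have = svis.get(vlan)
        if have != want:
            findings.append(f"Vlan{vlan}: configured {have}, documented {want}")
    connected = [iface.network for iface in svis.values()]
    for prefix, next_hop in parse_static_next_hops(config):
        if not any(next_hop in net for net in connected):
            findings.append(
                f"route {prefix} via {next_hop}: next hop is in no connected SVI subnet"
            )
    return findings


if __name__ == "__main__":
    for finding in audit(ALS1_TT_B, DOCUMENTED):
        print(finding)
```

The last finding is the reason ALS1 loses its default route: with no SVI in 10.1.99.0/24, the next hop 10.1.99.254 cannot be resolved.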

Task 3: Trouble Ticket Lab 4-2 TT-C


Instructor note: This trouble ticket involves remote access issues with ALS1.

Step 1: Review trouble ticket Lab 4-2 TT-C.


Mary performed a password recovery on ALS1 last night after hours so that no users would be affected. This
morning no trouble tickets were posted and apparently employees have normal network access. You went to
reconfigure a switch port on ALS1 to the OFFICE VLAN for a new cubicle, but ping, Telnet, and SSH to ALS1 via
IPv4 are failing from the ISP management station at 10.1.202.1. You can ping ALS1 interfaces using IPv6. You try
to SSH via IPv6, but you get the message % Connection refused by remote host; you then recall that
baseline policy requires ALS1 to have an IPv6 ACL applied to its vty lines to prevent IPv6 access.
You check the logs on SRV1 and notice that all network devices indicate periodic entries from this morning,
except ALS1. You can SSH into DLS1 and DLS2, which have networks in common with ALS1; thinking that it may
be easier to attempt SSH from a device on the same network as VLAN 99, you try to SSH from SVI 99 on DLS1
directly to SVI 99 on ALS1. But Mary changed the account information for remote access on ALS1! You have no
option but to console into ALS1 to troubleshoot—fortunately you still have console access. Your task is to
reestablish remote access functionality to ALS1 via IPv4 from the ISP management station and reestablish
logging to SRV1 from ALS1.

Step 2: Load the device trouble ticket configuration files for TT-C.
Load the proper configuration files indicated in the Device Configuration File Table.
Device Configuration File Table
Device Name File to Load Notes
ALS1 Lab42-ALS1-TT-C-Cfg.txt This file contains configuration errors
DLS1 Lab42-DLS1-TT-C-Cfg.txt This file is the same as the baseline

DLS2 Lab42-DLS2-TT-C-Cfg.txt This file is the same as the baseline


R1 Lab42-R1-TT-C-Cfg.txt This file is the same as the baseline
R2 Lab42-R2-TT-C-Cfg.txt This file is the same as the baseline
R3 Lab42-R3-TT-C-Cfg.txt This file is the same as the baseline
SRV1 N/A Static IP: 10.1.100.1 and 2001:DB8:CAFE:100::1
Default gateway: 10.1.100.254/24 and 2001:DB8:CAFE:100::D1/64
PC-B N/A DHCP (release and renew for IPv4 and IPv6 after loading device
configurations)
PC-C N/A DHCP (release and renew for IPv4 and IPv6 after loading device
configurations)

Step 3: Configure SRV1 and start the syslog and TFTP servers, as described in Task 1.

Step 4: Release and renew the DHCP leases on PC-B and PC-C, as described in Task 1.

Step 5: Outline the troubleshooting approach and validation steps.


Use this space to identify your troubleshooting approach and the key steps to verify that the problem is resolved.
Troubleshooting approaches to select from include follow-the-path, perform-comparison, bottom-up, top-down,
divide-and-conquer, shoot-from-the-hip, and swap-components (move-the-problem) methods.
Note: In addition to a specific approach, you can use the generic troubleshooting process.
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
The divide-and-conquer or shoot-from-the-hip method can be used. Other methods are the bottom-up, top-down,
perform-comparison, and swap-components approaches.
Verification steps can include:
• Switch ALS1 can be reached by means of SSH from the ISP management station at 10.1.202.1.
• Syslog messages from ALS1 are being received on SRV1.
• The ALS1 configuration can be copied to the TFTP server running on server SRV1.

Step 6: Record the troubleshooting process and configuration changes.


Use this log to document your actions and results during the troubleshooting process. List the commands you
used to gather information. As you progress, record your thoughts as to what you think the problem might be and
which actions you take to correct the problem.

Device Actions and Results



Responses will vary but could include:


• Console access is still working.
• The enable secret password was still cisco (Mary reset it to what it was before).
• IPv4 pings from ALS1 to all IPv4 addresses fail, except to devices associated with VLANs 99, 110, 120,
and 200.
• IPv6 pings from ALS1 to all other devices in the network succeed.
• IPv4 pings from PC-B and PC-C to all other devices in the network succeed.
• The show vlan command on all switches indicates normal output.
• The show interfaces trunk command on all switches indicates normal output.
• The show etherchannel summary command on all switches indicates normal output.
• The show ipv6 route command on ALS1 shows output consistent with the baseline.
• The show ip interface brief command on ALS1 indicates SVIs 99,110,120,200 are up/up!
• The show ip route command on ALS1 is not supported.
• The global configuration mode command ip routing is not supported on ALS1.
• The show sdm prefer command on ALS1 indicates that the dual-ipv4-and-ipv6 default template is
the current SDM template.
• The show run | include user command shows one account with username cisco, which is
consistent with the baseline configuration, so the secret must have been changed.

TT-C Issue—The SDM template is the wrong one—it is supposed to be the lanbase-routing template.
Action: Change the secret to cisco for username cisco. Save the configuration, and then change the SDM
template to lanbase-routing and reboot so that lanbase-routing becomes the current template. Enable IPv4
routing on ALS1 and configure the default route specified in the baseline, pointing to 10.1.99.254. Refer to
TT-A debrief for more information.
Verification: SSH from the ISP management station at 10.1.202.1 (simulated by Lo0 on R2 in the baseline
configuration). Check that logs for ALS1 are now being recorded on SRV1.

Step 7: Document trouble ticket debrief notes.


Use this space to make notes of the key learning points that you picked up during the discussion of this trouble
ticket with your instructor. The notes can include problems encountered, solutions applied, and useful commands
employed. It can also include alternate solutions, methods, and procedures and communication improvements.
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
Trouble Ticket TT-C Debrief—Instructor Notes
TT-C Issue
The problem in this trouble ticket is caused by an unexpected source. When Mary performed password
recovery, ALS1 had to be reloaded as part of the procedure. In the process, an SDM template was
loaded that does not support IPv4 routing.
Because the spanning-tree, VLAN, trunk, and EtherChannel configurations were still functioning as usual,
the users were unaffected by the change, so no trouble tickets were reported.
Changing the SDM template back to lanbase-routing makes it possible to enable IP routing and restore
the default route pointing to 10.1.99.254.
Once the username account cisco has the secret changed back to cisco, remote IPv4 access is
restored.

Task 4: Trouble Ticket Lab 4-2 TT-D


Instructor note: This trouble ticket involves DLS1 and DLS2 issues related to HSRP authentication, storm
control, and logging.

Step 1: Review trouble ticket Lab 4-2 TT-D.


You assigned John the task of securing the HSRP implementation with MD5 authentication on the SERVERS
VLAN. After John completes the task, initial reports are promising, but turn out to be premature. Some company
guests are complaining about intermittent server access that seems to correlate with the HSRP authentication
changes. John often performs above-and-beyond expectations, and he took it upon himself to improve LAN
security by adding configuration commands on the multilayer switches to prevent traffic storms. Your task is to
review and verify the implementation of HSRP and fix issues that remain to return the network to a stable state.

Step 2: Load the device trouble ticket configuration files for TT-D.
Load the proper configuration files indicated in the Device Configuration File Table.
Device Configuration File Table

Device Name File to Load Notes


ALS1 Lab42-ALS1-TT-D-Cfg.txt This file is the same as the baseline
DLS1 Lab42-DLS1-TT-D-Cfg.txt This file contains configuration errors
DLS2 Lab42-DLS2-TT-D-Cfg.txt This file contains configuration errors
R1 Lab42-R1-TT-D-Cfg.txt This file is the same as the baseline
R2 Lab42-R2-TT-D-Cfg.txt This file is the same as the baseline
R3 Lab42-R3-TT-D-Cfg.txt This file is the same as the baseline
SRV1 N/A Static IP: 10.1.100.1 and 2001:DB8:CAFE:100::1
Default gateway: 10.1.100.254/24 and 2001:DB8:CAFE:100::D1/64
PC-B N/A DHCP (release and renew for IPv4 and IPv6 after loading device
configurations)
PC-C N/A DHCP (release and renew for IPv4 and IPv6 after loading device
configurations)

Instructor Note: Depending on the approach students take, the resolution of TT-D may take many different
routes. You may want to direct the students to first discover the logging issues so that they are better positioned
to troubleshoot the HSRP and storm control issues. Experience shows that the issues introduced present a
variety of initial “states” to the students. To effect a more uniform response, inform students that by simply using
the “shut, no shut” command sequence on down port-channel interfaces, all LAN interfaces can be successfully
brought up prior to troubleshooting the issues specific to the ticket. In the unusual and unintended case that a
student pod presents with suspended interfaces resulting from storm control, instruct the students to reenter the
storm-control unicast level pps 15 command on the port-channel interfaces of DLS1 and DLS2 (an effective, but
admittedly unintuitive method). Otherwise, automatic addressing problems will likely result and the traffic
generation methods suggested for this ticket will not work (TTCP will send traffic over the WAN instead of the
LAN, and pinging from PC-C to SRV1 will fail because PC-C will have no IP address).

Step 3: Configure SRV1 and start the syslog and TFTP servers, as described in Task 1.
Instructor Note: You may want to hint to the students that they check that SRV1 is receiving TFTP- and
syslog-sourced messages as in the baseline.

Step 4: Release and renew the DHCP leases on PC-B and PC-C, as described in Task 1.
Instructor Note: You may want to reiterate to the students that all the EtherChannel interfaces should be up or
can be brought up without any configuration changes. This is important as it is expected that PC-B and PC-C
learn IP addresses before Step 5.

Step 5: Simulate traffic load from PC-C to SRV1.


Simulate server traffic load from company guests: Enter the user EXEC mode commands ttcp receive on
R1 and ttcp transmit 10.1.2.2 on R3. A TTCP session can be stopped by entering Ctrl+Shift+6 followed
by x. Reenter the TTCP commands on R1 and R3 as necessary throughout this ticket.
To simulate the intermittent server access experienced by company guests, enter ping -t -l 19500
10.1.100.1 on PC-C—antivirus and firewall software may need to be disabled on some PCs to permit this
command. If requests are periodically timing out, then the server access issue has not been resolved!

Step 6: Outline the troubleshooting approach and validation steps.


Use this space to identify your troubleshooting approach and the key steps to verify that the problem is resolved.
Troubleshooting approaches to select from include follow-the-path, perform-comparison, bottom-up, top-down,
divide-and-conquer, shoot-from-the-hip, and swap-components (move-the-problem) methods.
Note: In addition to a specific approach, you can use the generic troubleshooting process.

_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
The perform-comparison method or top-down method can be used. Other methods include the bottom-up,
divide-and-conquer, shoot-from-the-hip, swap-components, and follow-the-path approaches.
Verification steps can include:
• Syslog and console messages regarding HSRP problems cease.
• The show standby brief command on DLS1 and DLS2 reveals that the active and standby router roles
for each VLAN are consistent with the baseline.
• Bandwidth is restored as verified by guests no longer complaining about server access.

Step 7: Record the troubleshooting process and configuration changes.


Use this log to document your actions and results during the troubleshooting process. List the commands you
used to gather information. As you progress, record your thoughts as to what you think the problem might be and
which actions you take to correct the problem.
Note: You might need to issue the ipconfig /release and ipconfig /renew commands on DHCP clients
after the network device problems are resolved.

Device Actions and Results



Two useful commands for this ticket are described below. In this ticket the focus is on the unicast option.

Command: show storm-control [interface-id] [broadcast | multicast | unicast]
Key Information Displayed: Displays storm control suppression levels set on the specified interface
for the specified traffic type. Interfaces will appear as Forwarding or Blocking or Link Down.

Command: show logging
Key Information Displayed: Displays the state of syslog error and event logging, and whether
console logging is enabled. It also displays SNMP configuration parameters.

The order in which issues are resolved in this ticket may vary. Responses will vary but could include:
Syslog messages for DLS1 and DLS2 indicate that there is an HSRP authentication issue between them.
• The show standby vlan 100 command on DLS2 indicates that the group is 100 and the state is
active. The group name is hsrp-Vl100-100. The virtual IP address for VLAN 100 is 10.1.100.254, and
DLS2 is the local active router. This is correct according to the network documentation. The standby
router is unknown, indicating a problem with the HSRP configuration.
• The show standby vlan 100 command on DLS1 indicates that the group is 100 and the state is
active. The group name is hsrp-Vl100-100. The virtual IP address for VLAN 100 is 10.1.100.254, and
DLS1 is the local active router. DLS1 has a lower HSRP priority than DLS2 and should be the
standby for VLAN 100, not the active router. The standby router is unknown, indicating a problem with
the HSRP configuration.
• The show standby brief command on DLS1 and DLS2 indicates that the standby roles and
status for each device are correct for VLANs 99, 110, 120, and 200.
• The debug standby packets command on DLS1 and DLS2 generates no output.
• SRV1 shows no syslog messages relating to DLS1 or DLS2.
• The show logging command on DLS1 indicates that console logging is disabled and the syslog
server IPv4 address is 10.1.100.10. Similarly for DLS2.
Action: Enable console logging on DLS1 and DLS2. Change the configuration on DLS1 and DLS2 to
point to the correct IPv4 address of the syslog server: 10.1.100.1. Refer to TT-D debrief for more
information.
Verification: Console and syslog messages for DLS1 and DLS2 appear.
• The debug standby packets command on DLS1 indicates that DLS1 is sending HSRP “hello out”
messages (from 10.1.100.252) for VLAN 100 Group 100, but hello messages from DLS2 are reported
on DLS1 as “Grp 100 Auth failed for Hello pkt from 10.1.10.253, MD5 auth failed.”
• The show running-config | begin standby command on both DLS1 and DLS2 confirms that
the SVI VLAN 100 is using MD5 authentication with a keychain of TEST. VLAN 100 on both devices
appears to be configured correctly.
• The show running-config | begin key command on both DLS1 and DLS2 confirms that
keychain TEST is configured with key 1 with a key string that is password encrypted. It is not known
what the key strings are, but they are most likely not the same and this is the problem.
• A check of the network documentation indicates that the key string was not documented.

• The show key chain command on DLS2 shows that John “fat-fingered” the key and entered
cisoc.
Action: Change the keychain TEST on DLS2 to match DLS1 (cisco). Refer to TT-D debrief for more
information.
Verification: Syslog severity level 4 HSRP authentication messages should cease, and the two HSRP
devices should be able to authenticate.
• Console and syslog messages indicate a unicast storm detected on DLS1 and DLS2.
• The messages indicate that storm control is configured on some interfaces on DLS1 and DLS2. The
show running-config output on DLS1 and DLS2 shows that the two port-channel interfaces on
DLS1 and DLS2 have storm control configured (noting that when configured on an EtherChannel, the
settings propagate to the physical interfaces in the EtherChannel).
• Stopping the ping from R1 to SRV1 causes the storm control messages to cease. The complaints by
the guests accessing the servers must relate to the storm control configuration. (The HSRP
authentication issue was fixed, so it turns out the server access issues were not related to HSRP.)
• The storm control configuration was not in the baseline, so John must have added the configuration
when he configured HSRP authentication. John was not authorized to configure storm control.
Unfortunately, John did not understand the parameters for storm control, setting the unicast threshold
to 15 packets per second, which is very low compared to the maximum configurable 10,000,000,000
pps. The guest users are experiencing intermittent access to the servers because so many packets
are being dropped as a result of the storm control settings.
Action: Remove the storm control configuration. At a later date, add a proper storm control configuration.
Refer to TT-C debrief for more information.
Verification: The extended ping command on PC-C does not display any timeouts. Storm control
console and syslog messages are no longer generated.

Step 8: Document trouble ticket debrief notes.


Use this space to make notes of the key learning points that you picked up during the discussion of this trouble
ticket with your instructor. The notes can include problems encountered, solutions applied, and useful commands
employed. It can also include alternate solutions, methods, and procedures and communication improvements.
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
Trouble Ticket TT-D Debrief—Instructor Notes
TT-D Issue
More so than most trouble tickets in this course, the behavior of the affected devices is determined largely
by the order in which the issues are resolved.
You may have noticed that the DLS1 and DLS2 command sequences were slightly reordered. The port-
channel interface configurations were moved to load after all the physical interface configurations. This
was done to provide some uniformity in the way the initial states present to students. Experience shows
that the initial EtherChannel states on DLS1 and DLS2 present differently for this ticket, but that
reordering the loading of the port-channel configurations (in particular, the storm control commands)
results in more uniform results—without the reordering, and less so with the reordering, students may see
a variety of distinct initial states for the constituent physical interfaces in the EtherChannels (via show
etherchannel summary):
D—down, due to being in an err-disabled state as evidenced by the respective show
interfaces command output

s—suspended as a result of TT-B not loading as intended, and due to the storm control
configurations
P—bundled in port-channel
Console messages are fundamental to network troubleshooting. Without console messages, it is very
difficult to home in on what the issues are. You may want to give a hint to the students that buffered
logging is still enabled on DLS1 and DLS2 (page to the end of the show logging output)—students will
discover that console messaging is disabled and trap logging is misconfigured at different stages of their
troubleshooting sequence for this ticket. Some students will attempt a debug command and discover in
this way that console logging is disabled; other students will realize that the frequency of console
messaging is much less than normal and discover in this manner that console logging is disabled.
The show commands indicate an HSRP problem, but the debug commands do not help until the logging
issues are fixed. Once the logging configuration for console and syslog is returned to the baseline
settings, the debug messages indicate that there is an MD5 authentication mismatch between DLS1 and
DLS2 on VLAN 100. Human nature normally dictates that we first elect to solve issues which involve
annoying, frequent, periodic console messages, so this is likely what students will do before addressing
storm control.
Using the show key chain command is the key method for solving the HSRP authentication issue.
The output
DLS2# show key chain
Key-chain TEST:
    key 1 -- text "cisoc"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]

points directly to the solution. Once the key string on DLS2 is corrected, DLS1 transitions from Active to
Standby HSRP state for VLAN 100.

Once the logging and authentication issues are resolved, it remains to determine why the guests are
complaining about intermittent access to the server. At this point it is important that the TTCP or the
extended ping traffic generation is in effect—remind students to implement the suggested traffic
generation techniques, as necessary. Without the traffic generation, students will not see the console
messages relating to storm control. The console and syslog messages, such as
Oct 14 07:59:36.138: %STORM_CONTROL-3-FILTERED: A Unicast storm detected on Fa0/4. A packet filter action has been applied on the interface.

indicate a storm control issue. When the server traffic (simulated by TTCP and extended ping from PC-C)
is stopped, these messages stop. After removing the storm control configuration and resuming the TTCP
load, the messages do not resume and there are no longer any complaints from the guests regarding
intermittent server access.
There was no directive to implement storm control, so the configuration was not consistent with network
policy. Removing the storm control configuration completely is the best solution. Alternatively, increasing
the rising threshold to 100k pps (all ingress unicast traffic is blocked when 100k pps is exceeded) and

increasing the falling threshold to 90k pps (ingress unicast traffic is blocked until the traffic rate drops
below 90k pps; if the falling threshold is not specified, it defaults to the same value as the rising threshold)
resolves the storm control issue, as evidenced by the absence of timeouts associated with the extended
ping on PC-C.
Note: The values of the rising and falling thresholds are specific to a particular network, and are
determined by conducting a thorough baseline analysis on the network.
Note: Occasionally entering Ctrl+Shift+6 followed by x fails to stop a TTCP session; in this case you can
SSH to the transmitting router, enter show tcp brief, find the transmission control block (TCB)
address associated with the TTCP session (indicated by port 5001), and enter clear tcp tcb
address.
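
Added example (not part of the lab manual): the perform-comparison approach for TT-D expressed as a script that checks the HSRP peers' show key chain output against each other and a device config against the baseline facts stated in this ticket. The DLS1 key-chain output, the config excerpt, the port-channel numbers, and all function names are constructed or hypothetical; only the DLS2 output, the syslog addresses, and the 15 pps threshold come from the ticket.

```python
import re

BASELINE_SYSLOG = "10.1.100.1"  # SRV1, the syslog server named in the ticket

# Constructed inputs modelled on the TT-D findings; not the lab's own files.
DLS1_KEYS = '''Key-chain TEST:
    key 1 -- text "cisco"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]
'''
DLS2_KEYS = DLS1_KEYS.replace('"cisco"', '"cisoc"')  # the mistyped key

DLS_CONFIG = """\
no logging console
logging host 10.1.100.10
!
interface Port-channel1
 storm-control unicast level pps 15
!
interface Port-channel2
 storm-control unicast level pps 15
!
interface Vlan100
 standby 100 authentication md5 key-chain TEST
"""


def parse_key_chains(show_output):
    """Parse 'show key chain' output into {chain_name: {key_id: key_text}}."""
    chains, current = {}, None
    for line in show_output.splitlines():
        m = re.match(r"Key-chain (\S+):", line)
        if m:
            current = chains.setdefault(m.group(1), {})
            continue
        m = re.match(r'\s*key (\d+) -- text "(.*)"', line)
        if m and current is not None:
            current[int(m.group(1))] = m.group(2)
    return chains


def hsrp_key_chains(config):
    """Key-chain names referenced by HSRP MD5 authentication in a config."""
    pattern = r"^ standby \d+ authentication md5 key-chain (\S+)"
    return set(re.findall(pattern, config, re.M))


def compare_peers(chain_names, keys_a, keys_b):
    """Report key chains whose keys differ between peers, without echoing key text."""
    findings = []
    for name in sorted(chain_names):
        a, b = keys_a.get(name), keys_b.get(name)
        if a is None or b is None:
            findings.append(f"key chain {name}: missing on one peer")
            continue
        for key_id in sorted(set(a) | set(b)):
            if a.get(key_id) != b.get(key_id):
                findings.append(f"key chain {name} key {key_id}: key strings differ")
    return findings


def audit_baseline(config, syslog_server=BASELINE_SYSLOG):
    """Flag the logging and storm-control deviations described in TT-D."""
    findings = []
    if re.search(r"^no logging console", config, re.M):
        findings.append("console logging is disabled")
    hosts = re.findall(r"^logging (?:host )?(\d+\.\d+\.\d+\.\d+)", config, re.M)
    if syslog_server not in hosts:
        findings.append(f"syslog server {syslog_server} not configured (found {hosts})")
    iface = None
    for line in config.splitlines():
        if line.startswith("interface "):
            iface = line.split()[1]
        elif not line.startswith(" "):
            iface = None  # left the interface block
        m = re.match(r" storm-control (\w+) level (pps|bps)? ?(\S+)", line)
        if m and iface:
            unit = m.group(2) or "percent"
            findings.append(
                f"{iface}: storm-control {m.group(1)} level {m.group(3)} {unit} "
                "is not in the baseline"
            )
    return findings


if __name__ == "__main__":
    chains = hsrp_key_chains(DLS_CONFIG)
    peers = compare_peers(chains, parse_key_chains(DLS1_KEYS), parse_key_chains(DLS2_KEYS))
    for finding in peers + audit_baseline(DLS_CONFIG):
        print(finding)
```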

Device Configurations (Instructor version)


Note: All device configurations are provided for TT-A. The configs provided here are not running-config
outputs. They can be used for cut-and-paste for TT-A and subsequent tickets. Where a config is noted as
being the same as a previous one, the only change is in the MOTD, which identifies the Lab and TT. The
errors in the configuration are commented and highlighted as red text.

Trouble Ticket—TT-A Configurations


Switch ALS1
!Lab 4-2 Switch ALS1 TT-A Config
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ALS1
!
logging buffered 16384
enable secret cisco
!
username cisco secret cisco
aaa new-model
!
!
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec default local
!
!
clock timezone PST -8
clock summer-time PDT recurring
system mtu routing 1500
vtp domain TSHOOT
vtp mode transparent
ip routing
!
!
no ip domain-lookup
ip domain-name tshoot.net
ipv6 unicast-routing
!
errdisable recovery cause psecure-violation
errdisable recovery interval 120
!
spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree extend system-id
!
vlan 99
name MANAGEMENT
!
vlan 110
name GUEST
!
vlan 120
name OFFICE
!

vlan 200
name VOICE
!
vlan 666
name NATIVE
!
vlan 999
name PARKING_LOT
!
ip telnet source-interface Vlan99
ip ssh source-interface Vlan99
!
!
interface Port-channel1
description Channel to DLS1
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
no shutdown
!
interface Port-channel2
description Channel to DLS2
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
no shutdown
!
interface FastEthernet0/1
description Channel to DLS1
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 1 mode on
no shutdown
!
interface FastEthernet0/2
description Channel to DLS1
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 1 mode on
no shutdown
!
interface FastEthernet0/3
description Channel to DLS2
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 2 mode on
no shutdown
!
interface FastEthernet0/4
description Channel to DLS2
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 2 mode on
no shutdown

!
interface FastEthernet0/5
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/6
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/7
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/8
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/9
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/10
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/11
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/12
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/13
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/14
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/15
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/16
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/17
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/18
description To PC-B
switchport access vlan 120
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security mac-address sticky
spanning-tree portfast
no shutdown
!
interface FastEthernet0/19
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/20
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/21
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/22
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/23
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/24
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/1
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/2
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan99
ip address 10.1.99.251 255.255.255.0
ipv6 address FE80::A1 link-local
ipv6 address 2001:DB8:CAFE:99::A1/64
no ip proxy-arp
no shutdown
!
interface Vlan110
ip address 10.1.110.251 255.255.255.0
ipv6 address FE80::A1 link-local
ipv6 address 2001:DB8:CAFE:110::A1/64
ipv6 nd prefix 2001:DB8:CAFE:110::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
no shutdown
!
interface Vlan120
ip address 10.1.120.251 255.255.255.0
ipv6 address FE80::A1 link-local
ipv6 address 2001:DB8:CAFE:120::A1/64
ipv6 nd prefix 2001:DB8:CAFE:120::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
no shutdown
!
interface Vlan200
ip address 10.1.200.251 255.255.255.0
ipv6 address FE80::A1 link-local
ipv6 address 2001:DB8:CAFE:200::A1/64
ipv6 nd prefix 2001:DB8:CAFE:200::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
no shutdown
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.1.99.254
logging source-interface Vlan99
logging host 10.1.100.1
ipv6 route ::/0 2001:DB8:CAFE:99::D1
!
snmp-server community cisco RO
snmp-server community san-fran RW
snmp-server trap-source Vlan99
snmp-server location TSHOOT Lab Facility
snmp-server contact support@tshoot.net
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps port-security
snmp-server enable traps vlan-membership
snmp-server host 10.1.100.1 version 2c cisco
!
!
banner motd ^*** Lab 4-2 Switch ALS1 TT-A Config ***^
!
ipv6 access-list REMOTEv6
deny ipv6 any any
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication CONSOLE
line vty 0 4
exec-timeout 0 0
ipv6 access-class REMOTEv6 in
logging synchronous
length 0
transport input telnet ssh
!
ntp source Vlan99
ntp server 10.1.202.1
!
crypto key gen rsa general-keys modulus 1024
!
!
archive
log config
logging enable
logging size 50
notify syslog contenttype plaintext
hidekeys
path tftp://10.1.100.1/$h-archive-config
write-memory
file prompt quiet
!
end
!

Switch DLS1
!Lab 4-2 Switch DLS1 TT-A Config
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname DLS1
!
!
logging buffered 16384
enable secret cisco
!
username cisco secret cisco
aaa new-model
!
!
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec default local
!
!
clock timezone PST -8
clock summer-time PDT recurring
system mtu routing 1500
vtp domain TSHOOT
vtp mode transparent
ip routing
no ip domain-lookup
ip domain-name tshoot.net
!
ip dhcp excluded-address 10.1.120.251 10.1.120.254
ip dhcp excluded-address 10.1.200.251 10.1.200.254
ip dhcp excluded-address 10.1.110.251 10.1.110.254
!
ip dhcp pool VOICE
network 10.1.200.0 255.255.255.0
default-router 10.1.200.254
!
ip dhcp pool GUEST
network 10.1.110.0 255.255.255.0
default-router 10.1.110.254
!
ip dhcp pool OFFICE
network 10.1.120.0 255.255.255.0
default-router 10.1.120.252
!
! 10.1.120.254
ipv6 unicast-routing
ipv6 dhcp pool DHCPv6OFFICE
address prefix 2001:DB8:CAFE:120:ABCD::/80
domain-name tshoot.net
!
ipv6 dhcp pool DHCPv6VOICE
address prefix 2001:DB8:CAFE:200:ABCD::/80
domain-name tshoot.net
!
ipv6 dhcp pool DHCPv6GUEST
address prefix 2001:DB8:CAFE:110:ABCD::/80
domain-name tshoot.net
!
errdisable recovery cause bpduguard
errdisable recovery cause storm-control
errdisable recovery interval 60
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 99,110,120 priority 24576
spanning-tree vlan 100,200 priority 28672
!
!
vlan 99
name MANAGEMENT
!
vlan 100
name SERVERS
!
vlan 110
name GUEST
!
vlan 120
name OFFICE
!
vlan 200
name VOICE
!
vlan 666
name NATIVE
!
vlan 999
name PARKING_LOT
!
ip telnet source-interface Vlan99
ip ssh source-interface Vlan99
!
!
interface Port-channel1
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
no shutdown
!
interface Port-channel10
description Channel to DLS2
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
switchport mode trunk
switchport nonegotiate
no shutdown
!
interface FastEthernet0/1
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 1 mode on
no shutdown
!
interface FastEthernet0/2
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 1 mode on
no shutdown
!
interface FastEthernet0/3
description Channel to DLS2
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 10 mode on
no shutdown
!
interface FastEthernet0/4
description Channel to DLS2
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 10 mode on
no shutdown
!
interface FastEthernet0/5
description FE to R1
no switchport
ip address 10.1.2.1 255.255.255.252
speed 100
duplex full
ipv6 address FE80::D1 link-local
ipv6 address 2001:DB8:CAFE:20::D1/64
ipv6 eigrp 1
spanning-tree bpduguard enable
no shutdown
!
interface FastEthernet0/6
description FE to SRV1
switchport access vlan 100
switchport mode access
switchport nonegotiate
spanning-tree portfast
no shutdown
!
interface FastEthernet0/7
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/8
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/9
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/10
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/11
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/12
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/13
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/14
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/15
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/16
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/17
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/18
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/19
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/20
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/21
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/22
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/23
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/24
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/1
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/2
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan99
ip address 10.1.99.252 255.255.255.0
standby 99 ip 10.1.99.254
standby 99 priority 110
standby 99 preempt
ipv6 address FE80::D1 link-local
ipv6 address 2001:DB8:CAFE:99::D1/64
no ip proxy-arp
ipv6 eigrp 1
no shutdown
!
interface Vlan100
ip address 10.1.100.252 255.255.255.0
standby 100 ip 10.1.100.254
standby 100 preempt
ipv6 address FE80::D1 link-local
ipv6 address 2001:DB8:CAFE:100::D1/64
no ip proxy-arp
ipv6 eigrp 1
no shutdown
!
interface Vlan110
ip address 10.1.110.252 255.255.255.0
standby 110 ip 10.1.110.254
standby 110 priority 110
standby 110 preempt
ipv6 address FE80::D1 link-local
ipv6 address 2001:DB8:CAFE:110::D1/64
ipv6 nd prefix 2001:DB8:CAFE:110::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
ipv6 eigrp 1
ipv6 dhcp server DHCPv6GUEST
no shutdown
!
interface Vlan120
ip address 10.1.120.252 255.255.255.0
standby 120 ip 10.1.120.254
standby 120 priority 110
standby 120 preempt
ipv6 address FE80::D1 link-local
ipv6 address 2001:DB8:CAFE:120::D1/64
ipv6 nd prefix 2001:DB8:CAFE:120::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
ipv6 eigrp 1
ipv6 dhcp server DHCPv6OFFICE
no shutdown
!
interface Vlan200
ip address 10.1.200.252 255.255.255.0
standby 200 ip 10.1.200.254
standby 200 preempt
ipv6 address FE80::D1 link-local
ipv6 address 2001:DB8:CAFE:200::D1/64
ipv6 nd prefix 2001:DB8:CAFE:200::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
ipv6 eigrp 1
ipv6 dhcp server DHCPv6VOICE
no shutdown
!
!
router eigrp 1
network 10.1.0.0 0.0.255.255
passive-interface default
no passive-interface FastEthernet0/5
no passive-interface Vlan99
no passive-interface Vlan100
no passive-interface Vlan110
no passive-interface Vlan120
no passive-interface Vlan200
!
no ip http server
no ip http secure-server
!
!
logging source-interface Vlan99
logging host 10.1.100.1
ipv6 router eigrp 1
eigrp router-id 1.1.1.1
!
!
snmp-server community cisco RO
snmp-server community san-fran RW
snmp-server trap-source Vlan99
snmp-server location TSHOOT Lab Facility
snmp-server contact support@tshoot.net
snmp-server enable traps eigrp
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps port-security
snmp-server enable traps config
snmp-server enable traps hsrp
snmp-server enable traps vlan-membership
snmp-server enable traps errdisable
snmp-server host 10.1.100.1 version 2c cisco
!
banner motd ^*** Lab 4-2 Switch DLS1 TT-A Config ***^
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication CONSOLE
line vty 0 4
exec-timeout 0 0
logging synchronous
transport input telnet ssh
!
ntp source Vlan99
ntp server 10.1.202.1
!
crypto key gen rsa general-keys modulus 1024
!
archive
log config
logging enable
logging size 50
notify syslog contenttype plaintext
hidekeys
path tftp://10.1.100.1/$h-archive-config
write-memory
file prompt quiet
!
end
!

Switch DLS2
!Lab 4-2 Switch DLS2 TT-A Config
!
service timestamps debug datetime msec
service timestamps log datetime
service password-encryption
!
hostname DLS2
!
!
logging buffered 16384
enable secret cisco
!
username cisco secret cisco
aaa new-model
!
!
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec default local
!
!
clock timezone PST -8
clock summer-time PDT recurring
system mtu routing 1500
vtp domain TSHOOT
vtp mode transparent
ip routing
no ip domain-lookup
ip domain-name tshoot.net
!
!
ipv6 unicast-routing
!
!
errdisable recovery cause bpduguard
errdisable recovery cause storm-control
errdisable recovery interval 60
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 99,110,120 priority 28672
spanning-tree vlan 100,200 priority 24576
!
!
vlan 99
name MANAGEMENT
!
vlan 100
name SERVERS
!
vlan 110
name GUEST
!
vlan 120
name OFFICE
!
vlan 200
name VOICE
!
vlan 666
name NATIVE
!
vlan 999
name PARKING_LOT
!
ip telnet source-interface Vlan99
ip ssh source-interface Vlan99
!
!
interface Port-channel2
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
no shutdown
!
interface Port-channel10
description Channel to DLS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
switchport mode trunk
switchport nonegotiate
no shutdown
!
interface FastEthernet0/1
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 2 mode on
no shutdown
!
interface FastEthernet0/2
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 2 mode on
no shutdown
!
interface FastEthernet0/3
description Channel to DLS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 10 mode on
no shutdown
!
interface FastEthernet0/4
description Channel to DLS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 10 mode on
no shutdown
!
interface FastEthernet0/5
description FE to R3
no switchport
ip address 10.1.2.13 255.255.255.252
speed 100
duplex full
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:212::D2/64
ipv6 eigrp 1
spanning-tree bpduguard enable
no shutdown
!
interface FastEthernet0/6
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/7
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/8
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/9
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/10
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/11
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/12
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/13
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/14
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/15
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/16
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/17
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/18
description FE to PC-C
switchport access vlan 110
switchport mode access
switchport nonegotiate
spanning-tree portfast
no shutdown
!
interface FastEthernet0/19
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/20
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/21
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/22
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/23
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/24
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/1
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/2
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan99
ip address 10.1.99.253 255.255.255.0
standby 9 ip 10.1.99.245
standby 9 preempt
! standby 99 ip 10.1.99.254
! standby 99 preempt
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:99::D2/64
no ip proxy-arp
ipv6 eigrp 1
no shutdown
!
interface Vlan100
ip address 10.1.100.253 255.255.255.0
standby 100 ip 10.1.100.254
standby 100 priority 110
standby 100 preempt
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:100::D2/64
no ip proxy-arp
ipv6 eigrp 1
no shutdown
!
interface Vlan110
ip address 10.1.110.253 255.255.255.0
standby 110 ip 10.1.110.254
standby 110 preempt
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:110::D2/64
ipv6 nd prefix 2001:DB8:CAFE:110::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
ipv6 eigrp 1
no shutdown
!
interface Vlan120
ip address 10.1.120.253 255.255.255.0
standby 120 ip 10.1.120.254
standby 120 preempt
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:120::D2/64
ipv6 nd prefix 2001:DB8:CAFE:120::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
ipv6 eigrp 1
no shutdown
!
interface Vlan200
ip address 10.1.200.253 255.255.255.0
standby 200 ip 10.1.200.254
standby 200 priority 110
standby 200 preempt
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:200::D2/64
ipv6 nd prefix 2001:DB8:CAFE:200::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
ipv6 eigrp 1
no shutdown
!
!
router eigrp 1
network 10.1.0.0 0.0.255.255
passive-interface default
no passive-interface FastEthernet0/5
no passive-interface Vlan99
no passive-interface Vlan100
no passive-interface Vlan110
no passive-interface Vlan120
no passive-interface Vlan200
!
no ip http server
no ip http secure-server
!
!
logging source-interface Vlan99
logging host 10.1.100.1
ipv6 router eigrp 1
eigrp router-id 2.2.2.2
!
!
snmp-server community cisco RO
snmp-server community san-fran RW
snmp-server trap-source Vlan99
snmp-server location TSHOOT Lab Facility
snmp-server contact support@tshoot.net
snmp-server enable traps eigrp
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps port-security
snmp-server enable traps config
snmp-server enable traps hsrp
snmp-server enable traps vlan-membership
snmp-server enable traps errdisable
snmp-server host 10.1.100.1 version 2c cisco
!
!
banner motd ^*** Lab 4-2 Switch DLS2 TT-A Config ***^
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication CONSOLE
line vty 0 4
exec-timeout 0 0
logging synchronous
transport input telnet ssh
!
ntp source Vlan99
ntp server 10.1.202.1
!
crypto key gen rsa general-keys modulus 1024
!
archive
log config
logging enable
logging size 50
notify syslog contenttype plaintext
hidekeys
path tftp://10.1.100.1/$h-archive-config
write-memory
file prompt quiet
!
end
!

Router R1
!Lab 4-2 Router R1 TT-A Config
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
logging buffered 16384
enable secret cisco
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec default local
!
!
clock timezone PST -8
clock summer-time PDT recurring
!
!
no ip domain lookup
ip domain name tshoot.net
ip cef
ipv6 unicast-routing
ipv6 cef
!
!
username cisco secret cisco
!
!
ip telnet source-interface Loopback0
ip ssh source-interface Loopback0
!
!
interface Loopback0
ip address 10.1.201.1 255.255.255.255
ipv6 address FE80::1 link-local
ipv6 address 2001:DB8:CAFE:201::1/64
!
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1
description GE to DLS1
ip address 10.1.2.2 255.255.255.252
ip flow ingress
duplex full
speed 100
ipv6 address FE80::1 link-local
ipv6 address 2001:DB8:CAFE:20::1/64
no shutdown
!
interface Serial0/0/0
description WAN link to R2: 2 Mbps leased line
ip address 10.1.1.1 255.255.255.252
ip flow ingress
encapsulation ppp
ipv6 address FE80::1 link-local
ipv6 address 2001:DB8:CAFE:10::1/64
clock rate 2000000
no shutdown
!
interface Serial0/0/1
description WAN link to R3 (not used)
no ip address
shutdown
!
!
router eigrp HQ
!
address-family ipv4 unicast autonomous-system 1
!
af-interface GigabitEthernet0/0
passive-interface
exit-af-interface
!
af-interface Loopback0
passive-interface
exit-af-interface
!
topology base
exit-af-topology
network 0.0.0.0
exit-address-family
!
address-family ipv6 unicast autonomous-system 1
!
topology base
exit-af-topology
exit-address-family
!
!
crypto key gen rsa general-keys modulus 1024
!
ip http server
ip http secure-server
ip flow-top-talkers
top 3
sort-by bytes
cache-timeout 600000
!
!
logging source-interface Loopback0
logging host 10.1.100.1
!
!
snmp-server community cisco RO
snmp-server community san-fran RW
snmp-server trap-source Loopback0
snmp-server location TSHOOT Lab Facility
snmp-server contact support@tshoot.net
snmp-server enable traps eigrp
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps config
snmp-server enable traps cpu threshold
snmp-server host 10.1.100.1 version 2c cisco
!
!
banner motd ^*** Lab 4-2 Router R1 TT-A Config ***^
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication CONSOLE
!
line vty 0 4
exec-timeout 0 0
logging synchronous
transport input telnet ssh
!
ntp source Loopback0
ntp update-calendar
ntp server 10.1.202.1
!
!
archive
log config
logging enable
logging size 50
notify syslog contenttype plaintext
hidekeys
path tftp://10.1.100.1/$h-archive-config
write-memory
file prompt quiet
!
end
!

Router R2
!Lab 4-2 Router R2 TT-A Config
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R2
!
logging buffered 16384
enable secret cisco
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec default local
!
!
clock timezone PST -8
clock summer-time PDT recurring
!
!
no ip domain lookup
ip domain name tshoot.net
ip cef
ipv6 unicast-routing
ipv6 cef
!
username cisco secret cisco
!
!
ip telnet source-interface Loopback0
ip ssh source-interface Loopback0
!
!
interface Loopback0
ip address 10.1.202.1 255.255.255.255
ipv6 address FE80::2 link-local
ipv6 address 2001:DB8:CAFE:202::2/64
!
interface Loopback1
ip address 2.2.2.2 255.0.0.0
ipv6 address FE80::2 link-local
ipv6 address 2001:DB8:EFAC::2/48
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1
description optional connection for PC-C w/ static address
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0
description WAN link to R1: 2 Mbpsk leased line
ip address 10.1.1.2 255.255.255.252
ip flow ingress
encapsulation ppp
ipv6 address FE80::2 link-local
ipv6 address 2001:DB8:CAFE:10::2/64
no shutdown
!
interface Serial0/0/1
description WAN link to R3: 2 Mbps leased line
ip address 10.1.1.6 255.255.255.252
ip flow ingress
encapsulation ppp
ipv6 address FE80::2 link-local
ipv6 address 2001:DB8:CAFE:14::2/64
clock rate 2000000
no shutdown
!
!
router eigrp HQ
!
address-family ipv4 unicast autonomous-system 1
!
af-interface GigabitEthernet0/0
passive-interface
exit-af-interface
!
af-interface GigabitEthernet0/1
passive-interface
exit-af-interface
!
af-interface Loopback0
passive-interface
exit-af-interface
!
af-interface Loopback1
passive-interface
exit-af-interface
!
topology base
exit-af-topology
network 0.0.0.0
exit-address-family
!
address-family ipv6 unicast autonomous-system 1
!
topology base
exit-af-topology
exit-address-family
!
!
crypto key gen rsa general-keys modulus 1024
!
ip http server
ip http secure-server
ip flow-top-talkers
top 3
sort-by bytes
cache-timeout 600000
!
!
logging source-interface Loopback0
!
!
snmp-server community cisco RO
snmp-server community san-fran RW
snmp-server trap-source Loopback0
snmp-server location TSHOOT Lab Facility
snmp-server contact support@tshoot.net
snmp-server enable traps eigrp
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps config
snmp-server enable traps cpu threshold
snmp-server host 10.1.100.1 version 2c cisco
!
!
banner motd ^*** Lab 4-2 Router R2 TT-A Config ***^
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication CONSOLE
!
line vty 0 4
exec-timeout 0 0
logging synchronous
transport input telnet ssh
!
ntp master 3
!
!
archive
log config
logging size 50
notify syslog contenttype plaintext
hidekeys
path tftp://10.1.100.1/$h-archive-config
write-memory
file prompt quiet
!
end
!

Router R3
!Lab 4-2 Router R3 TT-A Config
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R3
!
!
logging buffered 16384
enable secret cisco
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec default local
!
!
clock timezone PST -8
clock summer-time PDT recurring
!
!
no ip domain lookup
ip domain name tshoot.net
ip cef
ipv6 unicast-routing
ipv6 cef
!
!
username cisco secret cisco
!
!
ip telnet source-interface Loopback0
ip ssh source-interface Loopback0
!
!
interface Loopback0
ip address 10.1.203.1 255.255.255.255
ipv6 address FE80::3 link-local
ipv6 address 2001:DB8:CAFE:203::3/64
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1
description FE to DLS2
ip address 10.1.2.14 255.255.255.252
ip flow ingress
duplex full
speed 100
ipv6 address FE80::3 link-local
ipv6 address 2001:DB8:CAFE:212::3/64
no shutdown
!
interface Serial0/0/0
description WAN link to R1 - (Not used)
no ip address
encapsulation ppp
shutdown
clock rate 2000000
!
interface Serial0/0/1
description WAN link to R2: 2 Mbps leased line
ip address 10.1.1.5 255.255.255.252
ip flow ingress
encapsulation ppp
ipv6 address FE80::3 link-local
ipv6 address 2001:DB8:CAFE:14::3/64
no shutdown
!
!
router eigrp HQ
!
address-family ipv4 unicast autonomous-system 1
!
af-interface GigabitEthernet0/0
passive-interface
exit-af-interface
!
af-interface Loopback0
passive-interface
exit-af-interface
!
topology base
exit-af-topology
network 0.0.0.0
exit-address-family
!
address-family ipv6 unicast autonomous-system 1
!
topology base
exit-af-topology
exit-address-family
!
!
crypto key gen rsa general-keys modulus 1024
!
ip http server
ip http secure-server
ip flow-top-talkers
top 3
sort-by bytes
cache-timeout 600000
!
!
logging source-interface Loopback0
logging host 10.1.100.1
!
!
snmp-server community cisco RO
snmp-server community san-fran RW
snmp-server trap-source Loopback0
snmp-server location TSHOOT Lab Facility
snmp-server contact support@tshoot.net
snmp-server enable traps eigrp
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps config
snmp-server enable traps cpu threshold
snmp-server host 10.1.100.1 version 2c cisco
!
!
banner motd ^*** Lab 4-2 Router R3 TT-A Config ***^
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication CONSOLE
!
line vty 0 4
exec-timeout 0 0
logging synchronous
transport input telnet ssh
!
ntp source Loopback0
ntp update-calendar
ntp server 10.1.202.1
!
archive
log config
logging enable
logging size 50
notify syslog contenttype plaintext
hidekeys
path tftp://10.1.100.1/$h-archive-config
write-memory
file prompt quiet
!
end
!

Trouble Ticket—TT-B Configurations


Router R1—Same as TT-A

Router R2—Same as TT-A

Router R3—Same as TT-A

Switch ALS1
!Lab 4-2 Switch ALS1 TT-B Config
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ALS1
!
logging buffered 16384
enable secret cisco
!
username cisco secret cisco
aaa new-model
!
!
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec default local
!
!
clock timezone PST -8
clock summer-time PDT recurring
system mtu routing 1500
vtp domain TSHOOT
vtp mode transparent
ip routing
!
!
no ip domain-lookup
ip domain-name tshoot.net
ipv6 unicast-routing
!
errdisable recovery cause psecure-violation
errdisable recovery interval 120
!
spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree extend system-id
!
vlan 99
name MANAGEMENT
!
vlan 110
name GUEST
!
vlan 120
name OFFICE
!
vlan 200
name VOICE
!
vlan 666
name NATIVE
!
vlan 999
name PARKING_LOT
!
ip telnet source-interface Vlan99
ip ssh source-interface Vlan99
!
!
interface Port-channel1
description Channel to DLS1
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
no shutdown
!
interface Port-channel2
description Channel to DLS2
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
no shutdown
!
interface FastEthernet0/1
description Channel to DLS1
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 1 mode on
no shutdown
!
interface FastEthernet0/2
description Channel to DLS1
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 1 mode on
no shutdown
!
interface FastEthernet0/3
description Channel to DLS2
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 2 mode on
no shutdown
!
interface FastEthernet0/4
description Channel to DLS2
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 2 mode on
no shutdown
!
interface FastEthernet0/5
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/6
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/7
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/8
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/9
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/10
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/11
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/12
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/13
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/14
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/15
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/16
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/17
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/18
description To PC-B
switchport access vlan 120
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security mac-address sticky
spanning-tree portfast
no shutdown
!
interface FastEthernet0/19
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/20
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/21
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/22
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/23
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/24
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/1
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/2
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan99
ip address 10.10.99.251 255.255.255.0
! Correct address: 10.1.99.251
ipv6 address FE80::A1 link-local
ipv6 address 2001:DB8:CAFE:99::A1/64
no ip proxy-arp
no shutdown
!
interface Vlan110
ip address 10.10.110.251 255.255.255.0
! Correct address: 10.1.110.251
ipv6 address FE80::A1 link-local
ipv6 address 2001:DB8:CAFE:110::A1/64
ipv6 nd prefix 2001:DB8:CAFE:110::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
no shutdown
!
interface Vlan120
ip address 10.10.120.251 255.255.255.0
! Correct address: 10.1.120.251
ipv6 address FE80::A1 link-local
ipv6 address 2001:DB8:CAFE:120::A1/64
ipv6 nd prefix 2001:DB8:CAFE:120::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
no shutdown
!
interface Vlan200
ip address 10.10.200.251 255.255.255.0
! Correct address: 10.1.200.251
ipv6 address FE80::A1 link-local
ipv6 address 2001:DB8:CAFE:200::A1/64
ipv6 nd prefix 2001:DB8:CAFE:200::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
no shutdown
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.1.99.254
logging source-interface Vlan99
logging host 10.1.100.1
ipv6 route ::/0 2001:DB8:CAFE:99::D1
!
snmp-server community cisco RO
snmp-server community san-fran RW
snmp-server trap-source Vlan99
snmp-server location TSHOOT Lab Facility
snmp-server contact support@tshoot.net
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps port-security
snmp-server enable traps vlan-membership
snmp-server host 10.1.100.1 version 2c cisco
!
!
banner motd ^*** Lab 4-2 Switch ALS1 TT-B Config ***^
!
ipv6 access-list REMOTEv6
deny ipv6 any any
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication CONSOLE
line vty 0 4
exec-timeout 0 0
ipv6 access-class REMOTEv6 in
logging synchronous
length 0
transport input telnet ssh
!
ntp source Vlan99
ntp server 10.1.202.1
!
crypto key gen rsa general-keys modulus 1024
!
!
archive
log config
logging enable
logging size 50
notify syslog contenttype plaintext
hidekeys
path tftp://10.1.100.1/$h-archive-config
write-memory
file prompt quiet
!
end
!

Switch DLS1
!Lab 4-2 Switch DLS1 TT-B Config
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname DLS1
!
!
logging buffered 16384
enable secret cisco
!
username cisco secret cisco
aaa new-model
!
!
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec default local
!
!
clock timezone PST -8
clock summer-time PDT recurring
system mtu routing 1500
vtp domain TSHOOT
vtp mode transparent
ip routing
no ip domain-lookup
ip domain-name tshoot.net
!
ip dhcp excluded-address 10.1.120.251 10.1.120.254
ip dhcp excluded-address 10.1.200.251 10.1.200.254
ip dhcp excluded-address 10.1.110.251 10.1.110.254
!
ip dhcp pool VOICE
network 10.1.200.0 255.255.255.0
default-router 10.1.200.254
!
ip dhcp pool GUEST
network 10.1.110.0 255.255.255.0
default-router 10.1.110.254
!
ip dhcp pool OFFICE
network 10.1.120.0 255.255.255.0
default-router 10.1.120.254
!
!
ipv6 unicast-routing
ipv6 dhcp pool DHCPv6OFFICE
address prefix 2001:DB8:CAFE:120:ABCD::/80
domain-name tshoot.net
!
ipv6 dhcp pool DHCPv6VOICE
address prefix 2001:DB8:CAFE:200:ABCD::/80
domain-name tshoot.net
!
ipv6 dhcp pool DHCPv6GUEST
address prefix 2001:DB8:CAFE:110:ABCD::/80
domain-name tshoot.net
!
!
errdisable recovery cause bpduguard
errdisable recovery cause storm-control
errdisable recovery interval 60
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 99,110,120 priority 24576
spanning-tree vlan 100,200 priority 28672
!
!
vlan 99
name MANAGEMENT
!
vlan 100
name SERVERS
!
vlan 110
name GUEST
!
vlan 120
name OFFICE
!
vlan 200
name VOICE
!
vlan 666
name NATIVE
!
vlan 999
name PARKING_LOT
!
ip telnet source-interface Vlan99
ip ssh source-interface Vlan99
!
!
interface Port-channel1
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
no shutdown
!
interface Port-channel10
description Channel to DLS2
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
switchport mode trunk
switchport nonegotiate
no shutdown
!
interface FastEthernet0/1
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 1 mode on
no shutdown
!
interface FastEthernet0/2
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 1 mode on
no shutdown
!
interface FastEthernet0/3
description Channel to DLS2
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 10 mode on
no shutdown
!
interface FastEthernet0/4
description Channel to DLS2
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 10 mode on
no shutdown
!
interface FastEthernet0/5
description FE to R1
no switchport
ip address 10.1.2.1 255.255.255.252
speed 100
duplex full
ipv6 address FE80::D1 link-local
ipv6 address 2001:DB8:CAFE:20::D1/64
ipv6 eigrp 1
spanning-tree bpduguard enable
no shutdown
!
interface FastEthernet0/6
description FE to SRV1
switchport access vlan 100
switchport mode access
switchport nonegotiate
spanning-tree portfast
no shutdown
!
interface FastEthernet0/7
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/8
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/9
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/10
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/11
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/12
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/13
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/14
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/15
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/16
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/17
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/18
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/19
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/20
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/21
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/22
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/23
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/24
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/1
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/2
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan99
ip address 10.1.99.252 255.255.255.0
standby 99 ip 10.1.99.254
standby 99 priority 110
standby 99 preempt
ipv6 address FE80::D1 link-local
ipv6 address 2001:DB8:CAFE:99::D1/64
no ip proxy-arp
ipv6 eigrp 1
no shutdown
!
interface Vlan100
ip address 10.1.100.252 255.255.255.0
standby 100 ip 10.1.100.254
standby 100 preempt
ipv6 address FE80::D1 link-local
ipv6 address 2001:DB8:CAFE:100::D1/64
no ip proxy-arp
ipv6 eigrp 1
no shutdown
!
interface Vlan110
ip address 10.1.110.252 255.255.255.0
standby 110 ip 10.1.110.254
standby 110 priority 110
standby 110 preempt
ipv6 address FE80::D1 link-local
ipv6 address 2001:DB8:CAFE:110::D1/64
ipv6 nd prefix 2001:DB8:CAFE:110::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
ipv6 eigrp 1
ipv6 dhcp server DHCPv6GUEST
no shutdown
!
interface Vlan120
ip address 10.1.120.252 255.255.255.0
standby 120 ip 10.1.120.254
standby 120 priority 110
standby 120 preempt
ipv6 address FE80::D1 link-local
ipv6 address 2001:DB8:CAFE:120::D1/64
ipv6 nd prefix 2001:DB8:CAFE:120::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
ipv6 eigrp 1
ipv6 dhcp server DHCPv6OFFICE
no shutdown
!
interface Vlan200
ip address 10.1.200.252 255.255.255.0
standby 200 ip 10.1.200.254
standby 200 preempt
ipv6 address FE80::D1 link-local
ipv6 address 2001:DB8:CAFE:200::D1/64
ipv6 nd prefix 2001:DB8:CAFE:200::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
ipv6 eigrp 1
ipv6 dhcp server DHCPv6VOICE
no shutdown
!
!
router eigrp 1
network 10.1.0.0 0.0.255.255
passive-interface default
no passive-interface FastEthernet0/5
no passive-interface Vlan99
no passive-interface Vlan100
no passive-interface Vlan110
no passive-interface Vlan120
no passive-interface Vlan200
!
no ip http server
no ip http secure-server
!
!
logging source-interface Vlan99
logging host 10.1.100.1
ipv6 router eigrp 1
eigrp router-id 1.1.1.1
!
!
snmp-server community cisco RO
snmp-server community san-fran RW
snmp-server trap-source Vlan99
snmp-server location TSHOOT Lab Facility
snmp-server contact support@tshoot.net
snmp-server enable traps eigrp
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps port-security
snmp-server enable traps config
snmp-server enable traps hsrp
snmp-server enable traps vlan-membership
snmp-server enable traps errdisable
snmp-server host 10.1.100.1 version 2c cisco
!
banner motd ^*** Lab 4-2 Switch DLS1 TT-B Config ***^
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication CONSOLE
line vty 0 4
exec-timeout 0 0
logging synchronous
transport input telnet ssh
!
ntp source Vlan99
ntp server 10.1.202.1
!
crypto key gen rsa general-keys modulus 1024
!
archive
log config
logging enable
logging size 50
notify syslog contenttype plaintext
hidekeys
path tftp://10.1.100.1/$h-archive-config
write-memory
file prompt quiet
!
end
!

Switch DLS2
!Lab 4-2 Switch DLS2 TT-B Config
!
service timestamps debug datetime msec
service timestamps log datetime
service password-encryption
!
hostname DLS2
!
!
logging buffered 16384
enable secret cisco
!
username cisco secret cisco
aaa new-model
!
!
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec default local
!
!
clock timezone PST -8
clock summer-time PDT recurring
system mtu routing 1500
vtp domain TSHOOT
vtp mode transparent
ip routing
no ip domain-lookup
ip domain-name tshoot.net
!
!
ipv6 unicast-routing
!
!
errdisable recovery cause bpduguard
errdisable recovery cause storm-control
errdisable recovery interval 60
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 99,110,120 priority 28672
spanning-tree vlan 100,200 priority 24576
!
!
vlan 99
name MANAGEMENT
!
vlan 100
name SERVERS
!
vlan 110
name GUEST
!
vlan 120
name OFFICE
!
vlan 200
name VOICE
!
vlan 666
name NATIVE
!
vlan 999
name PARKING_LOT
!
ip telnet source-interface Vlan99
ip ssh source-interface Vlan99
!
!
interface Port-channel2
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
no shutdown
!
interface Port-channel10
description Channel to DLS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
switchport mode trunk
switchport nonegotiate
no shutdown
!
interface FastEthernet0/1
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 2 mode on
no shutdown
!
interface FastEthernet0/2
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 2 mode on
no shutdown
!
interface FastEthernet0/3
description Channel to DLS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 10 mode on
no shutdown
!
interface FastEthernet0/4
description Channel to DLS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 10 mode on
no shutdown
!
interface FastEthernet0/5
description FE to R3
no switchport
ip address 10.1.2.13 255.255.255.252
speed 100
duplex full
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:212::D2/64
ipv6 eigrp 1
spanning-tree bpduguard enable
no shutdown
!
interface FastEthernet0/6
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/7
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/8
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/9
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/10
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/11
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/12
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/13
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/14
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/15
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/16
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/17
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/18
description FE to PC-C
switchport access vlan 110
switchport mode access
switchport nonegotiate
spanning-tree portfast
no shutdown
!
interface FastEthernet0/19
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/20
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/21
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/22
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/23
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/24
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/1
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/2
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan99
ip address 10.1.99.253 255.255.255.0
standby 99 ip 10.1.99.254
standby 99 preempt
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:99::D2/64
no ip proxy-arp
ipv6 eigrp 1
no shutdown
!
interface Vlan100
ip address 10.1.100.253 255.255.255.0
standby 100 ip 10.1.100.254
standby 100 priority 110
standby 100 preempt
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:100::D2/64
no ip proxy-arp
ipv6 eigrp 1
no shutdown
!
interface Vlan110
ip address 10.1.110.253 255.255.255.0
standby 110 ip 10.1.110.254
standby 110 preempt
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:110::D2/64
ipv6 nd prefix 2001:DB8:CAFE:110::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
ipv6 eigrp 1
no shutdown
!
interface Vlan120
ip address 10.1.120.253 255.255.255.0
standby 120 ip 10.1.120.254
standby 120 preempt
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:120::D2/64
ipv6 nd prefix 2001:DB8:CAFE:120::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
ipv6 eigrp 1
no shutdown
!
interface Vlan200
ip address 10.1.200.253 255.255.255.0
standby 200 ip 10.1.200.254
standby 200 priority 110
standby 200 preempt
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:200::D2/64
ipv6 nd prefix 2001:DB8:CAFE:200::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
ipv6 eigrp 1
no shutdown
!
!
router eigrp 1
network 10.1.0.0 0.0.255.255
passive-interface default
no passive-interface FastEthernet0/5
no passive-interface Vlan99
no passive-interface Vlan100
no passive-interface Vlan110
no passive-interface Vlan120
no passive-interface Vlan200
!
no ip http server
no ip http secure-server
!
!
logging source-interface Vlan99
logging host 10.1.100.1
ipv6 router eigrp 1
eigrp router-id 2.2.2.2
!
!
snmp-server community cisco RO
snmp-server community san-fran RW
snmp-server trap-source Vlan99
snmp-server location TSHOOT Lab Facility
snmp-server contact support@tshoot.net
snmp-server enable traps eigrp
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps port-security
snmp-server enable traps config
snmp-server enable traps hsrp
snmp-server enable traps vlan-membership
snmp-server enable traps errdisable
snmp-server host 10.1.100.1 version 2c cisco
!
!
banner motd ^*** Lab 4-2 Switch DLS2 TT-B Config ***^
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication CONSOLE
line vty 0 4
exec-timeout 0 0
logging synchronous
transport input telnet ssh
!
ntp source Vlan99
ntp server 10.1.202.1
!
crypto key gen rsa general-keys modulus 1024
!
archive
log config
logging enable
logging size 50
notify syslog contenttype plaintext
hidekeys
path tftp://10.1.100.1/$h-archive-config
write-memory
file prompt quiet
!
end
!

Trouble Ticket—TT-C Configurations


Switch DLS1—Same as TT-B

Switch DLS2—Same as TT-B

Router R1—Same as TT-A

Router R2—Same as TT-A

Router R3—Same as TT-A

Switch ALS1
!Lab 4-2 Switch ALS1 TT-C Config
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ALS1
!
logging buffered 16384
enable secret cisco
!
username cisco secret 4 1wLgDhbOLsU0GdsP0B9e5YU2KA7gxZujqOLWf0j48q6
! Change secret back to cisco.
aaa new-model
!
!
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec default local
!
!
clock timezone PST -8
clock summer-time PDT recurring
system mtu routing 1500
vtp domain TSHOOT
vtp mode transparent
ip routing
!
no ip domain-lookup
ip domain-name tshoot.net
ipv6 unicast-routing
!
errdisable recovery cause psecure-violation
errdisable recovery interval 120
!
spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree extend system-id
!
vlan 99
name MANAGEMENT
!
vlan 110
name GUEST
!
vlan 120
name OFFICE
!
vlan 200
name VOICE
!
vlan 666
name NATIVE
!
vlan 999
name PARKING_LOT
!
ip telnet source-interface Vlan99
ip ssh source-interface Vlan99
!
!
interface Port-channel1
description Channel to DLS1
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
no shutdown
!
interface Port-channel2
description Channel to DLS2
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
no shutdown
!
interface FastEthernet0/1
description Channel to DLS1
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 1 mode on
no shutdown
!
interface FastEthernet0/2
description Channel to DLS1
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 1 mode on
no shutdown
!
interface FastEthernet0/3
description Channel to DLS2
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 2 mode on
no shutdown
!
interface FastEthernet0/4
description Channel to DLS2
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 2 mode on
no shutdown
!
interface FastEthernet0/5
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/6
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/7
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/8
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/9
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/10
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/11
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/12
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/13
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/14
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/15
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/16
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/17
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/18
description To PC-B
switchport access vlan 120
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security mac-address sticky
spanning-tree portfast
no shutdown
!
interface FastEthernet0/19
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/20
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/21
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/22
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/23
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/24
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/1
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/2
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan99
ip address 10.1.99.251 255.255.255.0
ipv6 address FE80::A1 link-local
ipv6 address 2001:DB8:CAFE:99::A1/64
no ip proxy-arp
no shutdown
!
interface Vlan110
ip address 10.1.110.251 255.255.255.0
ipv6 address FE80::A1 link-local
ipv6 address 2001:DB8:CAFE:110::A1/64
ipv6 nd prefix 2001:DB8:CAFE:110::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
no shutdown
!
interface Vlan120
ip address 10.1.120.251 255.255.255.0
ipv6 address FE80::A1 link-local
ipv6 address 2001:DB8:CAFE:120::A1/64
ipv6 nd prefix 2001:DB8:CAFE:120::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
no shutdown
!
interface Vlan200
ip address 10.1.200.251 255.255.255.0
ipv6 address FE80::A1 link-local
ipv6 address 2001:DB8:CAFE:200::A1/64
ipv6 nd prefix 2001:DB8:CAFE:200::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
no shutdown
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.1.99.254
logging source-interface Vlan99
logging host 10.1.100.1
ipv6 route ::/0 2001:DB8:CAFE:99::D1
!
snmp-server community cisco RO
snmp-server community san-fran RW
snmp-server trap-source Vlan99
snmp-server location TSHOOT Lab Facility
snmp-server contact support@tshoot.net
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps port-security
snmp-server enable traps vlan-membership
snmp-server host 10.1.100.1 version 2c cisco
!
!
banner motd ^*** Lab 4-2 Switch ALS1 TT-C Config ***^
!
ipv6 access-list REMOTEv6
deny ipv6 any any
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication CONSOLE
line vty 0 4
exec-timeout 0 0
ipv6 access-class REMOTEv6 in
logging synchronous
length 0
transport input telnet ssh
!
ntp source Vlan99
ntp server 10.1.202.1
!
crypto key gen rsa general-keys modulus 1024
!
!
archive
log config
logging enable
logging size 50
notify syslog contenttype plaintext
hidekeys
path tftp://10.1.100.1/$h-archive-config
write-memory
file prompt quiet
!
end
!
! TCL script reloads switch with "dual-ipv4-and-ipv6 default template." Save config,
! change to "lanbase-routing," and reload. Enable IPv4 routing and reconfigure the
! default IPv4 route from the baseline.
tclsh
puts [open "flash:reset.tcl" w+] {
typeahead "\r"
puts [ exec "copy run start" ]
puts [ ios_config "sdm prefer dual-ipv4-and-ipv6 default" ]
typeahead "\r"
puts [ exec "reload" ]
}
tclquit
!
tclsh reset.tcl
!
Trouble Ticket—TT-D Configurations
Switch ALS1—Same as TT-A

Router R1—Same as TT-A

Router R2—Same as TT-A

Router R3—Same as TT-A

Switch DLS1
!Lab 4-2 Switch DLS1 TT-D Config
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname DLS1
!
!
logging buffered 16384
enable secret cisco
!
username cisco secret cisco
aaa new-model
!
!
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec default local
!
!
clock timezone PST -8
clock summer-time PDT recurring
system mtu routing 1500
vtp domain TSHOOT
vtp mode transparent
ip routing
no ip domain-lookup
ip domain-name tshoot.net
!
ip dhcp excluded-address 10.1.120.251 10.1.120.254
ip dhcp excluded-address 10.1.200.251 10.1.200.254
ip dhcp excluded-address 10.1.110.251 10.1.110.254
!
ip dhcp pool VOICE
network 10.1.200.0 255.255.255.0
default-router 10.1.200.254
!
ip dhcp pool GUEST
network 10.1.110.0 255.255.255.0
default-router 10.1.110.254
!
ip dhcp pool OFFICE
network 10.1.120.0 255.255.255.0
default-router 10.1.120.254
!
!
ipv6 unicast-routing
ipv6 dhcp pool DHCPv6OFFICE
address prefix 2001:DB8:CAFE:120:ABCD::/80
domain-name tshoot.net
!
ipv6 dhcp pool DHCPv6VOICE
address prefix 2001:DB8:CAFE:200:ABCD::/80
domain-name tshoot.net
!
ipv6 dhcp pool DHCPv6GUEST
address prefix 2001:DB8:CAFE:110:ABCD::/80
domain-name tshoot.net
!
key chain TEST
key 1
key-string 7 030752180500
!
errdisable recovery cause bpduguard
errdisable recovery cause storm-control
errdisable recovery interval 60
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 99,110,120 priority 24576
spanning-tree vlan 100,200 priority 28672
!
!
vlan 99
name MANAGEMENT
!
vlan 100
name SERVERS
!
vlan 110
name GUEST
!
vlan 120
name OFFICE
!
vlan 200
name VOICE
!
vlan 666
name NATIVE
!
vlan 999
name PARKING_LOT
!
ip telnet source-interface Vlan99
ip ssh source-interface Vlan99
!
!
interface Port-channel1
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
storm-control unicast level pps 15
no shutdown
! Remove all storm control configurations on DLS1 and DLS2.
interface Port-channel10
description Channel to DLS2
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
switchport mode trunk
switchport nonegotiate
storm-control unicast level pps 15
no shutdown
! Remove all storm control configurations on DLS1 and DLS2.
interface FastEthernet0/1
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 1 mode on
no shutdown
!
interface FastEthernet0/2
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 1 mode on
no shutdown
!
interface FastEthernet0/3
description Channel to DLS2
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 10 mode on
no shutdown
!
interface FastEthernet0/4
description Channel to DLS2
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 10 mode on
no shutdown
!
interface FastEthernet0/5
description FE to R1
no switchport
ip address 10.1.2.1 255.255.255.252
speed 100
duplex full
ipv6 address FE80::D1 link-local
ipv6 address 2001:DB8:CAFE:20::D1/64
ipv6 eigrp 1
spanning-tree bpduguard enable
no shutdown
!
interface FastEthernet0/6
description FE to SRV1
switchport access vlan 100
switchport mode access
switchport nonegotiate
spanning-tree portfast
no shutdown
!
interface FastEthernet0/7
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/8
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/9
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/10
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/11
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/12
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/13
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/14
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/15
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/16
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/17
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/18
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/19
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/20
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/21
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/22
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/23
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/24
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/1
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/2
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan99
ip address 10.1.99.252 255.255.255.0
standby 99 ip 10.1.99.254
standby 99 priority 110
standby 99 preempt
ipv6 address FE80::D1 link-local
ipv6 address 2001:DB8:CAFE:99::D1/64
no ip proxy-arp
ipv6 eigrp 1
no shutdown
!
interface Vlan100
ip address 10.1.100.252 255.255.255.0
standby 100 ip 10.1.100.254
standby 100 preempt
standby 100 authentication md5 key-chain TEST
ipv6 address FE80::D1 link-local
ipv6 address 2001:DB8:CAFE:100::D1/64
no ip proxy-arp
ipv6 eigrp 1
no shutdown
!
interface Vlan110
ip address 10.1.110.252 255.255.255.0
standby 110 ip 10.1.110.254
standby 110 priority 110
standby 110 preempt
ipv6 address FE80::D1 link-local
ipv6 address 2001:DB8:CAFE:110::D1/64
ipv6 nd prefix 2001:DB8:CAFE:110::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
ipv6 eigrp 1
ipv6 dhcp server DHCPv6GUEST
no shutdown
!
interface Vlan120
ip address 10.1.120.252 255.255.255.0
standby 120 ip 10.1.120.254
standby 120 priority 110
standby 120 preempt
ipv6 address FE80::D1 link-local
ipv6 address 2001:DB8:CAFE:120::D1/64
ipv6 nd prefix 2001:DB8:CAFE:120::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
ipv6 eigrp 1
ipv6 dhcp server DHCPv6OFFICE
no shutdown
!
interface Vlan200
ip address 10.1.200.252 255.255.255.0
standby 200 ip 10.1.200.254
standby 200 preempt
ipv6 address FE80::D1 link-local
ipv6 address 2001:DB8:CAFE:200::D1/64
ipv6 nd prefix 2001:DB8:CAFE:200::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
ipv6 eigrp 1
ipv6 dhcp server DHCPv6VOICE
no shutdown
!
!
router eigrp 1
network 10.1.0.0 0.0.255.255
passive-interface default
no passive-interface FastEthernet0/5
no passive-interface Vlan99
no passive-interface Vlan100
no passive-interface Vlan110
no passive-interface Vlan120
no passive-interface Vlan200
!
no ip http server
no ip http secure-server
!
!
logging source-interface Vlan99
logging host 10.1.100.10
no logging console
! Return to baseline configurations for console and syslog logging:
!   logging host 10.1.100.1
!   logging console
ipv6 router eigrp 1
eigrp router-id 1.1.1.1
!
!
snmp-server community cisco RO
snmp-server community san-fran RW
snmp-server trap-source Vlan99
snmp-server location TSHOOT Lab Facility
snmp-server contact support@tshoot.net
snmp-server enable traps eigrp
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps port-security
snmp-server enable traps config
snmp-server enable traps hsrp
snmp-server enable traps vlan-membership
snmp-server enable traps errdisable
snmp-server host 10.1.100.1 version 2c cisco
!
banner motd ^*** Lab 4-2 Switch DLS1 TT-D Config ***^
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication CONSOLE
line vty 0 4
exec-timeout 0 0
logging synchronous
transport input telnet ssh
!
ntp source Vlan99
ntp server 10.1.202.1
!
crypto key gen rsa general-keys modulus 1024
!
archive
log config
logging enable
logging size 50
notify syslog contenttype plaintext
hidekeys
path tftp://10.1.100.1/$h-archive-config
write-memory
file prompt quiet
!
end
!

Switch DLS2
!Lab 4-2 Switch DLS2 TT-D Config
!
service timestamps debug datetime msec
service timestamps log datetime
service password-encryption
!
hostname DLS2
!
!
logging buffered 16384
enable secret cisco
!
username cisco secret cisco
aaa new-model
!
!
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec default local
!
!
clock timezone PST -8
clock summer-time PDT recurring
system mtu routing 1500
vtp domain TSHOOT
vtp mode transparent
ip routing
no ip domain-lookup
ip domain-name tshoot.net
!
!
ipv6 unicast-routing
!
key chain TEST
key 1
key-string 7 00071A150B58
!
! Error: Key chain added but key-string does not match DLS1. The DLS1 key-string is
! cisco. The DLS2 key-string is cisoc.
!   key chain TEST
!   key 1
!   key-string cisco
!
errdisable recovery cause bpduguard
errdisable recovery cause storm-control
errdisable recovery interval 60
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 99,110,120 priority 28672
spanning-tree vlan 100,200 priority 24576
!
!
vlan 99
name MANAGEMENT
!
vlan 100
name SERVERS
!
vlan 110
name GUEST
!
vlan 120
name OFFICE
!
vlan 200
name VOICE
!
vlan 666
name NATIVE
!
vlan 999
name PARKING_LOT
!
ip telnet source-interface Vlan99
ip ssh source-interface Vlan99
!
!
interface Port-channel2
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
storm-control unicast level pps 15
no shutdown
! Remove all storm control configurations on DLS1 and DLS2.
interface Port-channel10
description Channel to DLS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
switchport mode trunk
switchport nonegotiate
storm-control unicast level pps 15
no shutdown
! Remove all storm control configurations on DLS1 and DLS2.
interface FastEthernet0/1
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 2 mode on
no shutdown
!
interface FastEthernet0/2
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 2 mode on
no shutdown
!
interface FastEthernet0/3
description Channel to DLS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 10 mode on
no shutdown
!
interface FastEthernet0/4
description Channel to DLS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 10 mode on
no shutdown
!
interface FastEthernet0/5
description FE to R3
no switchport
ip address 10.1.2.13 255.255.255.252
speed 100
duplex full
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:212::D2/64
ipv6 eigrp 1
spanning-tree bpduguard enable
no shutdown
!
interface FastEthernet0/6
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/7
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/8
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/9
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/10
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/11
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/12
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/13
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/14
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/15
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/16
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/17
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/18
description FE to PC-C
switchport access vlan 110
switchport mode access
switchport nonegotiate
spanning-tree portfast
no shutdown
!
interface FastEthernet0/19
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/20
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/21
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/22
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/23
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/24
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/1
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/2
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan99
ip address 10.1.99.253 255.255.255.0
standby 99 ip 10.1.99.254
standby 99 preempt
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:99::D2/64
no ip proxy-arp
ipv6 eigrp 1
no shutdown
!
interface Vlan100
ip address 10.1.100.253 255.255.255.0
standby 100 ip 10.1.100.254
standby 100 priority 110
standby 100 preempt
standby 100 authentication md5 key-chain TEST
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:100::D2/64
no ip proxy-arp
ipv6 eigrp 1
no shutdown
!
interface Vlan110
ip address 10.1.110.253 255.255.255.0
standby 110 ip 10.1.110.254
standby 110 preempt
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:110::D2/64
ipv6 nd prefix 2001:DB8:CAFE:110::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
ipv6 eigrp 1
no shutdown
!
interface Vlan120
ip address 10.1.120.253 255.255.255.0
standby 120 ip 10.1.120.254
standby 120 preempt
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:120::D2/64
ipv6 nd prefix 2001:DB8:CAFE:120::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
ipv6 eigrp 1
no shutdown
!
interface Vlan200
ip address 10.1.200.253 255.255.255.0
standby 200 ip 10.1.200.254
standby 200 priority 110
standby 200 preempt
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:200::D2/64
ipv6 nd prefix 2001:DB8:CAFE:200::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
ipv6 eigrp 1
no shutdown
!
!
router eigrp 1
network 10.1.0.0 0.0.255.255
passive-interface default
no passive-interface FastEthernet0/5
no passive-interface Vlan99
no passive-interface Vlan100
no passive-interface Vlan110
no passive-interface Vlan120
no passive-interface Vlan200
!
no ip http server
no ip http secure-server
!
!
logging source-interface Vlan99
logging host 10.1.100.10
no logging console
! Return to baseline configurations for console and syslog logging:
!   logging host 10.1.100.1
!   logging console
ipv6 router eigrp 1
eigrp router-id 2.2.2.2
!
!
snmp-server community cisco RO
snmp-server community san-fran RW
snmp-server trap-source Vlan99
snmp-server location TSHOOT Lab Facility
snmp-server contact support@tshoot.net
snmp-server enable traps eigrp
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps port-security
snmp-server enable traps config
snmp-server enable traps hsrp
snmp-server enable traps vlan-membership
snmp-server enable traps errdisable
snmp-server host 10.1.100.1 version 2c cisco
!
!
banner motd ^*** Lab 4-2 Switch DLS2 TT-D Config ***^
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication CONSOLE
line vty 0 4
exec-timeout 0 0
logging synchronous
transport input telnet ssh
!
ntp source Vlan99
ntp server 10.1.202.1
!
crypto key gen rsa general-keys modulus 1024
!
archive
log config
logging enable
logging size 50
notify syslog contenttype plaintext
hidekeys
path tftp://10.1.100.1/$h-archive-config
write-memory
file prompt quiet
!
end
!
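
The TT-D error is a mismatch between the key chain TEST key-strings on DLS1 and DLS2, which cannot be seen by comparing the two type 7 strings directly because each is encoded with its own offset. The following added example (not part of the lab manual) decodes both strings with the publicly documented type 7 table and reports the mismatch; the function names are illustrative, and the two excerpts are copied from the DLS1 and DLS2 TT-D configurations.

```python
import re

# Fixed translation table behind IOS "service password-encryption" (type 7).
# Type 7 is reversible obfuscation, not a hash: the stored string yields the key.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Key chain excerpts from the TT-D configurations of DLS1 and DLS2.
DLS1_CFG = """\
key chain TEST
key 1
key-string 7 030752180500
!
"""
DLS2_CFG = """\
key chain TEST
key 1
key-string 7 00071A150B58
!
"""


def decode_type7(encoded):
    """Decode a type 7 string: two decimal digits of table offset, then hex bytes."""
    if not re.fullmatch(r"\d{2}(?:[0-9A-Fa-f]{2})+", encoded):
        raise ValueError(f"not a type 7 string: {encoded!r}")
    offset = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ XLAT[(offset + i) % len(XLAT)] for i, b in enumerate(data))
    return plain.decode("ascii")


def key_strings(config):
    """Map (chain name, key id) to the cleartext key-string found in a config."""
    keys = {}
    chain = key_id = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"key chain (\S+)", line):
            chain, key_id = m.group(1), None
        elif chain and (m := re.fullmatch(r"key (\d+)", line)):
            key_id = int(m.group(1))
        elif chain and key_id is not None and (
            m := re.fullmatch(r"key-string(?: (\d+))? (\S+)", line)
        ):
            enc_type, value = m.groups()
            if enc_type == "7":
                keys[(chain, key_id)] = decode_type7(value)
            elif enc_type in (None, "0"):
                keys[(chain, key_id)] = value  # entered or stored in cleartext
            else:
                raise ValueError(f"unsupported key-string type {enc_type}")
        elif line == "!":
            chain = key_id = None  # end of the key chain block
    return keys


def key_mismatches(cfg_a, cfg_b):
    """Return {(chain, key id): (value in A, value in B)} for every differing key."""
    a, b = key_strings(cfg_a), key_strings(cfg_b)
    return {
        k: (a.get(k), b.get(k))
        for k in sorted(set(a) | set(b))
        if a.get(k) != b.get(k)
    }


if __name__ == "__main__":
    for (chain, key_id), (dls1, dls2) in key_mismatches(DLS1_CFG, DLS2_CFG).items():
        print(f"key chain {chain} key {key_id}: DLS1={dls1!r} DLS2={dls2!r}")
```

On the switches themselves, show key chain displays the same cleartext values.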

Chapter 5: Using Specialized Maintenance and Troubleshooting Tools
Lab 5-1 Second Base
Instructor Version
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Physical Topology

Objectives
• Establish an experimental baseline with support for IPv4 and IPv6 in first hop redundancy.
• Establish a second baseline with support for DHCP redundancy and stronger authentication, as well
as a consolidated and integrated FHRP solution for IPv4 and IPv6.

Background
Technologies are emerging and changing as rapidly as ever. Network administrators and network architects
have difficult decisions regarding the implementation of technology upgrades while maintaining security,
availability, reliability, and scalability. FHRP support for IPv6 is as important as it is for IPv4: HSRPv2 and
GLBP both support IPv6. GLBP has the advantage of built-in load balancing functionality. Finally, current
Cisco IOS releases support HMAC-SHA-256 routing protocol authentication.
Less cutting-edge, but very practical solutions are also recommended for a network upgrade. Redundant
DHCP servers improve reliability and availability for network users. MD5 authentication is supported for
routing protocols on multilayer switches, as well as for first hop redundancy protocols on distribution and core
layer devices.
To implement these technologies and solutions, two additional baselines, “Experimental BASE” and “Second
BASE,” are recommended. These baselines are developed beginning with the original baseline.
In the end, the Second BASE network baseline will be well positioned for the implementation of additional
technologies to optimize network performance. GLBP supports weighted load balancing for active forwarding
routers. Object tracking with IP SLAs extends FHRP redundancy options, compared to the more traditional
solutions involving HSRP with interface tracking. And Cisco IPv6 implementations support options to improve
performance in a redundant DHCP server environment.
For each task, the updated baseline specifications are described. Any troubleshooting that is required will
stem from issues naturally arising during the implementation of the new technologies. As always, problems
and solutions that present during network upgrades should be documented.

Physical and Logical Topology Diagrams


The new physical topology reflects a change to trunk links between the distribution and core devices. The
Experimental BASE and Second BASE logical topologies presented at the beginning of each task include
references and labeling to reflect updates with addressing, DHCP, FHRP, and protocol authentication.
The Experimental BASE logical topology describes the topology that results after completing Task 1. The
Second BASE logical topology describes the topology that results after completing Task 2.
Note: This lab uses Cisco ISR G2 routers running Cisco IOS 15.4(3) images with IP Base and Security
packages enabled, and Cisco Catalyst 3560 and 2960 switches running Cisco IOS 15.0(2) IP Services and
LAN Base images, respectively. The 3560 and 2960 switches are configured with the SDM templates
dual-ipv4-and-ipv6 routing and lanbase-routing, respectively. Depending on the router or switch model and
Cisco IOS Software version, the commands available and output produced might vary from what is shown in
this lab. Any changes made to the baseline configurations or topology (other than errors introduced) are noted
in the trouble ticket so that you are aware of them prior to beginning the troubleshooting process.
Instructor Notes:
• The lab topology should be pre-built prior to the students starting the lab. Ensure that all switches and
routers (ALS1, DLS1, DLS2, R1, R2, and R3) have the course lab configuration files installed in flash
memory. These can be downloaded from NetSpace. The device configurations for all devices are
included at the end of this lab, either directly or by reference to the first trouble ticket, TT-A. The
configuration file for ALS1 can be copied into a text file using the naming convention
Labxy-ALS1-TT-z-Cfg.txt where x is the chapter number, y is the lab number within the chapter, and z is the
uppercase letter indicating the particular trouble ticket in the lab; similarly for DLS1, DLS2, R1, R2, and
R3.
• The device configurations that contain trouble ticket errors and modifications from the baseline are
included at the end of the lab, and the errors in them are identified.
• All device configurations are provided for TT-A, including those that are the same as the baseline, as
introduced in the BASE Lab. The configurations provided here are not running-config outputs, but
rather sequences of commands that generate running-config files.
• Device configurations can be used by instructors for cut-and-paste for TT-A and subsequent tickets—
use a terminal emulator line delay of at least 100 ms if pasting configurations directly into global
configuration mode on a device. Some systems may actually require 200 ms.
• Where a configuration is noted as being the same as a previous one, the only change is in the
MOTD, which identifies the Lab and TT. The errors in the configurations are commented and
highlighted as red text.
• Each device should have a directory named “tshoot” in flash. This directory should contain the
baseline configuration file for that device as well as configuration files for all labs in this course.
• Instructors can use a TFTP server, a USB drive, or a flash memory card as source, and use the copy
or archive tar command to copy all course configuration files into the flash:/tshoot directory for
each device in the topology.
• For this lab and subsequent labs, the student is responsible for loading the baseline or trouble ticket
configurations using the procedure described in the BASE Lab.
• Set the correct time on R2, which serves as the primary NTP server for the lab network. These labs
use Pacific Time Zone, but each site should use their own time zone.
• If time is an issue, each task (trouble ticket) can be performed independently.

Required Resources
• 3 routers (Cisco IOS Release 15.4 or comparable)
• 2 multilayer switches and 1 access layer switch (Cisco IOS Release 15.0(2) or comparable with Fast
Ethernet interfaces)
• SRV1 (PC with static IP address): Windows 7 with RADIUS, TFTP, and syslog servers, plus an SSH
client, SNMP monitor, and Wireshark software
• PC-B (DHCP client): Windows 7 with SSH client and Wireshark software
• PC-C (DHCP client): Windows 7 with SSH client and Wireshark software
• Serial and Ethernet cables, as shown in the topology
Instructor Notes:
• This lab is divided into multiple tasks. Each task is associated with a trouble ticket (TT) and
introduces one or more errors on one or more devices.
• Students can work individually or as a team. No problems are intentionally introduced in this lab, but
troubleshooting is always involved when implementing new technologies, in this case HSRPv2,
GLBP, redundant DHCP servers, MD5 FHRP authentication, and HMAC-SHA-256 EIGRP
authentication.
• Suggested actions and results presented during the troubleshooting process for each TT can be
shared with the students during debrief, or copies of the instructor version of the lab can be made
available to the students to assist them in verifying their work.
Task 1: Network Baseline Upgrade Lab 5-1 TT-A


Instructor note: This task involves network baseline upgrades involving ALS1, DLS1, DLS2, R1, and R3.
Logical Topology (Experimental Base)
Step 1: Review requirements ticket Lab 5-1 TT-A.


Your company network is already running a dual stack environment, but there is no FHRP support for IPv6. The
directive to you is to implement a two-stage migration plan with several objectives. In this first stage, the
distribution-to-core layer links change to trunks, as indicated in the logical topology. HSRPv2 for IPv6 is to be
implemented at the distribution layer and GLBP for IPv4 is to be implemented at the core layer—FHRP VLAN
priorities defined by the BASE configuration are maintained. Additional IPv4 excluded addresses are necessary to
accommodate the addressing changes.
You have the following tasks:
• Remove the HSRPv1 for IPv4 configurations.
• Configure HSRPv2 on DLS1 and DLS2 for IPv6 on SVI 99, 100, 110, 120, and 200.
• Exclude additional IPv4 addresses for DHCP to accommodate the addressing changes specified in the
logical topology.
• Change the routed links between the distribution and core layers to trunk links, using the addressing
specified in the logical topology.
• Configure GLBP on R1 and R3 for IPv4 on VLANs 99, 100, 110, 120, and 200.
• Verify the DHCP, FHRP, and EIGRP functionality.

Step 2: Load the pre-upgrade configuration files for TT-A.


Using the procedure described in the BASE Lab, verify that the lab configuration files are present in flash. Load
the proper configuration files indicated in the Device Configuration File Table.
Device Configuration File Table (pre-upgrade)

Device Name   File to Load               Notes
ALS1          Lab51-ALS1-TT-A-Cfg.txt    This file is the same as the baseline
DLS1          Lab51-DLS1-TT-A-Cfg.txt    This file is the same as the baseline
DLS2          Lab51-DLS2-TT-A-Cfg.txt    This file is the same as the baseline
R1            Lab51-R1-TT-A-Cfg.txt      This file is the same as the baseline
R2            Lab51-R2-TT-A-Cfg.txt      This file is the same as the baseline
R3            Lab51-R3-TT-A-Cfg.txt      This file is the same as the baseline
SRV1          N/A                        Static IP: 10.1.100.1 and 2001:DB8:CAFE:100::1
                                         Default gateway: 10.1.100.254/24 and 2001:DB8:CAFE:100::D1/64
PC-B          N/A                        DHCPv4 and DHCPv6
PC-C          N/A                        DHCPv4 and DHCPv6

Instructor note: The student loads all the device files, which reproduce the baseline.

Step 3: Remove HSRP Version 1.


On DLS1 and DLS2, remove all configuration commands pertaining to HSRP. If any existing HSRP commands
are present when implementing HSRPv2, errors will result. To speed up the process, you can copy the SVI
portions of the show run output into Notepad, delete the interface commands unrelated to HSRP, prepend each
HSRP command with no, and paste the resulting configuration sequence back into global configuration mode; this
same Notepad text can be edited in Step 4, if desired, to speed up the configuration of HSRPv2 on the SVIs.

Step 4: Implement HSRP Version 2 for IPv6.


a. HSRPv2 is required for HSRP support of IPv6. For SVI 99, 100, 110, 120, and 200, enter the interface
configuration mode command standby version 2 to enable HSRPv2.
b. On each SVI, enter the command standby x ipv6 autoconfig where x is the VLAN number. This
command indicates that a virtual link-local IPv6 address will be generated automatically from the link-local
prefix, FE80::/64, and a modified EUI-64 format interface identifier, where the EUI-64 interface identifier is
created from the relevant HSRP virtual MAC address. For example, 0005.73A0.0063 is the virtual MAC
address for group 99 in the HSRPv2 format because 99 in hexadecimal is 63, so the virtual link-local IPv6
address is FE80::5:73FF:FEA0:63.
The remaining SVI commands are configured exactly the same as in HSRPv1. For example, for SVI 99
on DLS1:
standby 99 priority 110
standby 99 preempt

c. Verify the configuration. DLS1 output shows the HSRPv2 active routers:
DLS1# show standby brief
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Vl99 99 110 P Active local FE80::D2 FE80::5:73FF:FEA0:63
Vl100 100 100 P Standby FE80::D2 local FE80::5:73FF:FEA0:64
Vl110 110 110 P Active local FE80::D2 FE80::5:73FF:FEA0:6E
Vl120 120 110 P Active local FE80::D2 FE80::5:73FF:FEA0:78
Vl200 200 100 P Standby FE80::D2 local FE80::5:73FF:FEA0:C8

More detail is shown here for SVI 99 on DLS1:


DLS1# show standby vlan 99
Vlan99 - Group 99 (version 2)
State is Active
2 state changes, last state change 00:40:52
Link-Local Virtual IPv6 address is FE80::5:73FF:FEA0:63 (conf auto EUI64)
Active virtual MAC address is 0005.73a0.0063
Local virtual MAC address is 0005.73a0.0063 (v2 IPv6 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 1.632 secs
Preemption enabled
Active router is local
Standby router is FE80::D2, priority 100 (expires in 11.008 sec)
Priority 110 (configured 110)
Group name is "hsrp-Vl99-99" (default)

d. Change the IPv6 address on SRV1 to 2001:DB8:CAFE:100::5. Change the IPv6 default gateway on
SRV1 to the virtual IPv6 address for VLAN 100: FE80::5:73FF:FEA0:64. Verify with an IPv6 ping to
2001:DB8:EFAC::2 (Lo1 on R2) that there is connectivity to the Internet from SRV1.
e. PC-B and PC-C lose IPv4 connectivity because their respective IPv4 default gateways are still the
HSRPv1 virtual IP addresses for the associated VLANs.
f. Change the IPv6 default route on ALS1 to point to the virtual IP for VLAN 99, FE80::5:73FF:FEA0:63:
ALS1(config)# ipv6 route ::/0 VLAN99 FE80::5:73FF:FEA0:63

g. IPv6 connectivity for PC-B and PC-C should be functional (if necessary, perform a NIC reset).
h. Perform a continuous IPv6 ping from PC-B to the Internet (Lo1 on R2) and simulate a failure of the active
router:
DLS1(config)# interface range f0/1-4
DLS1(config-if-range)# shutdown

Only a few ICMP request timeouts should occur during failover to DLS2.

Step 5: Exclude DHCPv4 addresses to be configured on the G0/1 subinterfaces of R1 and R3.
G0/1 on R1 and R3 requires subinterfaces corresponding to VLANs 99, 100, 110, 120, 200, and 666 (NATIVE).
Each of the corresponding addresses ending in .1 and .3 must be excluded from use by DHCPv4 on DLS1.
Extend the set of excluded addresses on DLS1 to include the first five addresses:
ip dhcp excluded-address 10.1.110.1 10.1.110.5
ip dhcp excluded-address 10.1.120.1 10.1.120.5
ip dhcp excluded-address 10.1.200.1 10.1.200.5

The SRV1 address 10.1.100.1 and configuration references to 10.1.100.1 will soon be replaced by 10.1.100.5.

Step 6: Change the routed links to trunk links between the core and distribution layers.
a. On DLS1 and DLS2 port F0/5, enter the command switchport. The IPv4 and IPv6 configuration
commands are automatically removed. Enter the trunk commands to complete the configuration on the
multilayer switches:
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 99,100,110,120,200
switchport mode trunk
switchport nonegotiate

b. On R1 and R3 interface G0/1, remove the IPv4 and IPv6 addressing.


c. On R1 and R3, create the native VLAN subinterface. Here is the R1 configuration:
R1(config)# interface g0/1.666
R1(config-subif)# encapsulation dot1q 666 native

d. On R1 and R3, create the subinterfaces for VLANs 99, 100, 110, 120, and 200. For example, configure
R1 with a subinterface associated with VLAN 99 as follows:
R1(config)# interface g0/1.99
R1(config-subif)# encapsulation dot1q 99
R1(config-subif)# ip address 10.1.99.1 255.255.255.0
R1(config-subif)# ipv6 address fe80::1 link-local
R1(config-subif)# ipv6 address 2001:DB8:CAFE:99::1/64

Because Classic EIGRP is already configured on the distribution switch SVIs and Named EIGRP is
already configured on the core routers, the IPv4 and IPv6 EIGRP adjacencies will automatically form!
Note that there are now four EIGRP multi-access neighbors on each VLAN (99, 100, 110, 120, and 200).
The subinterface IPv4 and IPv6 addresses on DLS2 end with .3 and ::3, respectively, as seen in the
logical topologies at the beginning of Task 1 (TT-A).

Step 7: Implement GLBP for IPv4.


a. GLBP supports IPv4 and IPv6. In this, the first stage of the network baseline upgrade, GLBP will only be
used for IPv4 support. Configure GLBP for IPv4 on subinterfaces 99, 100, 110, 120, and 200 of G0/0 of
R1 and R3, with the same priorities that are used with HSRPv2 for IPv6. For example, here are the
required GLBP commands for VLAN 99
interface GigabitEthernet0/1.99
glbp 99 ip 10.1.99.254
glbp 99 priority 110
glbp 99 preempt

and the required GLBP commands for VLAN 100


interface GigabitEthernet0/1.100
glbp 100 ip 10.1.100.254
glbp 100 preempt

b. After completing the GLBP configuration, verify the AVG and AVF status. For example, the output
R1# show glbp gigabitEthernet 0/1.99 brief
Interface Grp Fwd Pri State Address Active router Standby router
Gi0/1.99 99 - 110 Active 10.1.99.254 local 10.1.99.3
Gi0/1.99 99 1 - Listen 0007.b400.6301 10.1.99.3 -
Gi0/1.99 99 2 - Active 0007.b400.6302 local -

shows that
• R1 is the AVG for VLAN 99.
• R1 is currently an AVF for the GLBP virtual MAC address 0007.b400.6302: R1 serves as the
default gateway for hosts that receive ARP replies from the AVG with virtual MAC address
0007.b400.6302—note that your output may be reversed by the nature of GLBP’s round-robin
behavior, with R1 the AVF associated with MAC address 0007.b400.6301.
• R3 (we can infer) is currently an AVF for the GLBP virtual MAC address 0007.b400.6301: R3
serves as the default gateway for hosts that receive ARP replies from the AVG with virtual MAC
address 0007.b400.6301—note that your output may be reversed by the nature of GLBP’s round-
robin behavior, with R3 the AVF associated with MAC address 0007.b400.6302.
Because weighting has not been configured, GLBP uses the default method, round-robin, resulting in one
AVF for each virtual MAC address. If weighting were configured, R1 and R3 could both be AVFs for each
virtual MAC address.
c. After releasing and renewing, the IPv4 addresses for PC-B and PC-C should now be in the new excluded
ranges for DHCPv4. Verify Internet IPv4 connectivity from PC-B and PC-C.
d. Change the IPv4 static IP address on SRV1 to 10.1.100.5/24 to remove the IP address conflict with
G0/1.100 on R1! Verify Internet IPv4 connectivity from SRV1.
e. Replace all instances of archiving, syslog, and SNMP commands containing “10.1.100.1” on all devices
with “10.1.100.5”. Restart the program(s) on SRV1 that handle archiving, syslog, and SNMP. Verify that
archiving, syslog, and SNMP are operating correctly.
f. Verify GLBP failover by performing a continuous IPv4 ping to the Internet from PC-B and SRV1 and
shutting down G0/1 on R1. Only a few ICMP echo requests should time out during failover and recovery.

Note: The configuration files to be loaded on the devices in Task 2 are obtained from the configuration files of the
devices at the end of Task 1. So one option is to continue at this point with Task 2 using the configurations
obtained by completing Task 1 (without loading the configuration files for TT-B).

Task 2: Network Baseline Upgrade Lab 5-1 TT-B


Instructor note: This task involves network baseline upgrades involving all devices.
Logical Topology (Second BASE)

Step 1: Review requirements ticket Lab 5-1 TT-B.


Some noticeable improvements in redundancy are now in place with the completion of stage one of the network
baseline upgrade (Experimental BASE). However, network technicians are reporting that some of the failover
behaviors and DHCP allocation behaviors are inconsistent. In order to provide a more reliable solution for the
employees, it is time to implement the second stage of the network baseline upgrade (Second BASE).
Both IPv4 and IPv6 FHRP redundancy will be handled by the core routers with GLBP. DLS2 will serve as a
redundant DHCP server for IPv4 and IPv6 to improve DHCP allocation performance and consistency. Route
authentication will be implemented on core and distribution devices to complete the network baseline upgrade.
And FHRP authentication for both IPv4 and IPv6 will be implemented. The new baseline will put the network in a
ready position for additional improvements, such as weighted load balancing and object tracking with IP SLAs.
Beginning with the Experimental BASE, you have the following tasks:
• Remove the HSRPv2 for IPv6 configurations.
• Configure GLBP for IPv6 on R1 and R3 for VLANs 99, 100, 110, 120, and 200.
• Verify the GLBP functionality for both IPv4 and IPv6.
• Configure DLS2 as a redundant DHCP server for IPv4 and IPv6.
• Configure MD5 route authentication for EIGRP at the distribution layer, and between the distribution and
core devices. Configure HMAC-SHA-256 authentication for EIGRP between the core devices.
• Configure GLBP MD5 authentication for IPv4 and IPv6.
• Verify GLBP and EIGRP functionality.

Step 2: Load the Experimental BASE configuration files for TT-B.


Using the procedure described in the BASE Lab, verify that the lab configuration files are present in flash. Load
the proper configuration files indicated in the Device Configuration File Table.
Device Configuration File Table (from Experimental BASE)

Device Name  File to Load              Notes
ALS1         Lab51-ALS1-TT-B-Cfg.txt   This file is the same as the Experimental BASE
DLS1         Lab51-DLS1-TT-B-Cfg.txt   This file is the same as the Experimental BASE
DLS2         Lab51-DLS2-TT-B-Cfg.txt   This file is the same as the Experimental BASE
R1           Lab51-R1-TT-B-Cfg.txt     This file is the same as the Experimental BASE
R2           Lab51-R2-TT-B-Cfg.txt     This file is the same as the Experimental BASE
R3           Lab51-R3-TT-B-Cfg.txt     This file is the same as the Experimental BASE
SRV1         N/A                       Static IP: 10.1.100.5 and 2001:DB8:CAFE:100::5
                                       Default gateway: 10.1.100.254 and FE80::5:73FF:FEA0:64
PC-B         N/A                       DHCPv4 and DHCPv6
PC-C         N/A                       DHCPv4 and DHCPv6

Instructor note: The student loads all the device files, which reproduce the Experimental BASE.

Step 3: Configure SRV1 and start the syslog and TFTP servers.
Note that the static IP address has changed for SRV1 to 10.1.100.5 because R1 G0/1.100 now has the IP
address 10.1.100.1. The IPv6 address and gateway on SRV1 are indicated in the table above; recall that the
gateway IPv6 address is the HSRPv2 virtual IPv6 address for VLAN 100.

Step 4: Remove HSRP Version 2.


On DLS1 and DLS2, remove all configuration commands pertaining to HSRP.

Step 5: Implement GLBP for IPv6.


a. GLBP is the only FHRP option that simultaneously supports IPv4 and IPv6 redundancy on the same
interface. The distribution layer devices do not support GLBP. The core routers support GLBP. Configure
GLBP for IPv6 on the subinterfaces of R1 and R3 corresponding to VLANs 99, 100, 110, 120, and 200.
The same group number cannot be used for IPv4 and IPv6: the network design prescribes adding 400 to
each VLAN number to obtain the respective GLBP group number. Use the same priorities as were
configured for GLBP for IPv4 (from Experimental BASE).
To illustrate, the IPv6 GLBP configuration for G0/1.99 on R1 introduces GLBP virtual IPv6
autoconfiguration, raises the default priority of 100 to 110, and implements preemptive AVG election:
interface GigabitEthernet0/1.99
glbp 499 ipv6 autoconfig
glbp 499 priority 110
glbp 499 preempt

The autoconfig keyword indicates that a virtual link-local IPv6 address for each AVF will be generated
automatically from the link-local prefix, FE80::/64, and a modified EUI-64 format interface identifier, where
the EUI-64 interface identifier is created from the relevant GLBP virtual MAC address. For example,
0007.B401.F302 is the virtual MAC address for AVF2 of GLBP group 499 in the GLBP format because
499 in hexadecimal is 1F3, so the virtual link-local IPv6 address for AVF2 is FE80::7:B4FF:FE01:F300.
This is the virtual IP address for all AVFs in GLBP group 499 (a GLBP group can have up to four AVFs).
For another illustration, the IPv6 GLBP configuration on G0/1.200 of R3 is consistent with that for IPv4:
interface GigabitEthernet0/1.200
glbp 600 ipv6 autoconfig
glbp 600 priority 110
glbp 600 preempt

b. Verify the IPv6 GLBP configuration. For example, since 600 in hexadecimal is 258, the output
R3# show glbp brief | include 600
Gi0/1.200 600 - 110 Active FE80::7:B4FF:FE02:5800
Gi0/1.200 600 1 - Active 0007.b402.5801 FE80::3 -
Gi0/1.200 600 2 - Listen 0007.b402.5802 local -

indicates that the virtual IP address for AVFs in VLAN 200 is FE80::7:B4FF:FE02:5800, and that R3 is the
AVG for IPv6 GLBP group 600.
c. Change the IPv6 default gateway on SRV1 to FE80::7:B4FF:FE01:F400, the GLBP virtual IPv6 address
for VLAN 100.
d. Change the default route on ALS1 to point to FE80::7:B4FF:FE01:F300, the GLBP virtual IPv6 address
for VLAN 99.
e. Release and renew the IPv4/6 configurations on PC-B and PC-C. Verify that PC-B and PC-C have full
IPv4/6 connectivity.
f. Verify that SRV1 has full IPv4/6 connectivity.
g. Test IPv4 and IPv6 failover by performing simultaneous continuous pings from two command prompts on
SRV1 to 2.2.2.2 and 2001:DB8:ECAF::2 and then shutting down interface G0/1 on R3. Failover should
result in the timeout of just a few ICMP echo requests. Upon bringing G0/1 back up, the network
reconvergence will result in more timeouts.
h. Generate a continuous ping to 2.2.2.2 from PC-B and a continuous ping from PC-C to 2001:DB8:EFAC::2
and then shut down interface G0/1 on R1. The results should be similar to those from SRV1.
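
The two address derivations described in Step 4b (HSRPv2) and Step 5a (GLBP) can be reproduced in code and used to audit statically configured gateways after the migration. This is an added example, not part of the lab manual; the function names and the device table passed to stale_gateways are hypothetical, and the expected values are the ones in the show outputs above, in which the first octet of the virtual MAC is carried into the interface identifier unchanged.

```python
import ipaddress

HSRPV2_IPV6_BASE = 0x000573A00000  # 0005.73a0.0000 + group (HSRPv2 for IPv6)
GLBP_BASE = 0x0007B4000000         # 0007.b400.0000 + (group << 8) + forwarder


def dotted(mac):
    """48-bit integer -> Cisco dotted notation, e.g. 0007.b401.f302."""
    digits = f"{mac:012x}"
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def hsrpv2_ipv6_vmac(group):
    if not 0 <= group <= 4095:
        raise ValueError("HSRPv2 group numbers are 0-4095")
    return HSRPV2_IPV6_BASE | group


def glbp_vmac(group, forwarder=0):
    """forwarder 1-4 selects an AVF; 0 gives the MAC from which the group's
    virtual link-local address is derived."""
    if not 0 <= group <= 1023:
        raise ValueError("GLBP group numbers are 0-1023")
    if not 0 <= forwarder <= 4:
        raise ValueError("a GLBP group has at most four AVFs")
    return GLBP_BASE | (group << 8) | forwarder


def link_local(mac, invert_ul=False):
    """Insert FFFE between the two halves of the MAC, under FE80::/64.

    The addresses in the lab output keep the first octet as is.
    invert_ul=True applies the universal/local bit flip of RFC 4291
    modified EUI-64 and is included only for comparison.
    """
    octets = bytearray(mac.to_bytes(6, "big"))
    if invert_ul:
        octets[0] ^= 0x02
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return str(ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + iid)).upper()


def hsrpv2_ipv6_gateway(vlan):
    """Virtual gateway when the HSRPv2 group number equals the VLAN number."""
    return link_local(hsrpv2_ipv6_vmac(vlan))


def glbp_ipv6_gateway(vlan, offset=400):
    """Virtual gateway under the lab's 'VLAN number + 400' group design."""
    return link_local(glbp_vmac(vlan + offset))


def stale_gateways(static_gateways):
    """static_gateways: {device: (vlan, configured_gateway)}.

    Returns (device, configured, expected, is_leftover_hsrp) for every device
    whose static gateway is not the GLBP virtual address of its VLAN.
    """
    findings = []
    for device, (vlan, configured) in sorted(static_gateways.items()):
        have = ipaddress.IPv6Address(configured)
        want = glbp_ipv6_gateway(vlan)
        if have != ipaddress.IPv6Address(want):
            leftover = have == ipaddress.IPv6Address(hsrpv2_ipv6_gateway(vlan))
            findings.append((device, configured, want, leftover))
    return findings


if __name__ == "__main__":
    # Constructed input: ALS1 already updated as in Step 5d, SRV1 still
    # pointing at the HSRPv2 virtual address that Step 4 of Task 2 removes.
    sample = {"ALS1": (99, "FE80::7:B4FF:FE01:F300"),
              "SRV1": (100, "FE80::5:73FF:FEA0:64")}
    for finding in stale_gateways(sample):
        print(finding)
```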

Step 6: Configure DHCP redundancy for IPv4 and IPv6.


a. Configure DLS2 as a redundant DHCP server. For the DHCPv6 configuration on DLS2, the DHCPv6
configuration on DLS1 can be copied onto DLS2. For the DHCPv4 configuration on DLS2, configure the
address space so that addresses are allocated from 10.1.x.129 through 10.1.x.250 on VLANs 110, 120,
and 200. To this end, paste the following command sequence into global configuration mode on DLS2:

ip dhcp excluded-address 10.1.120.251 10.1.120.254
ip dhcp excluded-address 10.1.200.251 10.1.200.254
ip dhcp excluded-address 10.1.110.251 10.1.110.254
ip dhcp excluded-address 10.1.110.1 10.1.110.128
ip dhcp excluded-address 10.1.120.1 10.1.120.128
ip dhcp excluded-address 10.1.200.1 10.1.200.128
!
ip dhcp pool VOICE
network 10.1.200.0 255.255.255.0
default-router 10.1.200.254
!
ip dhcp pool GUEST
network 10.1.110.0 255.255.255.0
default-router 10.1.110.254
!
ip dhcp pool OFFICE
network 10.1.120.0 255.255.255.0
default-router 10.1.120.254
!
ipv6 unicast-routing
ipv6 dhcp pool DHCPv6OFFICE
address prefix 2001:DB8:CAFE:120:ABCD::/80
domain-name tshoot.net
!
ipv6 dhcp pool DHCPv6VOICE
address prefix 2001:DB8:CAFE:200:ABCD::/80
domain-name tshoot.net
!
ipv6 dhcp pool DHCPv6GUEST
address prefix 2001:DB8:CAFE:110:ABCD::/80
domain-name tshoot.net
!
interface Vlan110
ipv6 dhcp server DHCPv6GUEST
!
interface Vlan120
ipv6 dhcp server DHCPv6OFFICE
!
interface Vlan200
ipv6 dhcp server DHCPv6VOICE

Increase the line delay in your terminal emulator to at least 100 ms before pasting this configuration into
global configuration mode on DLS2; otherwise a buffer overflow can cause some commands not to be
processed.
b. On DLS1, add the following lines:
ip dhcp excluded-address 10.1.120.129 10.1.120.250
ip dhcp excluded-address 10.1.200.129 10.1.200.250
ip dhcp excluded-address 10.1.110.129 10.1.110.250

At this point, the addresses that DLS1 can allocate are:


10.1.110.6 to 10.1.110.128
10.1.120.6 to 10.1.120.128
10.1.200.6 to 10.1.200.128

And the addresses that DLS2 can allocate are:


10.1.110.129 to 10.1.110.250
10.1.120.129 to 10.1.120.250
10.1.200.129 to 10.1.200.250

The specifications for the IPv6 Neighbor Discovery Protocol (NDP) include the duplicate address
detection feature (DAD) to ensure that hosts are assigned unique IPv6 addresses. Note that the DHCPv6
address pool for each VLAN has over a trillion addresses.
Now, DLS1 allocates addresses from the first half of the IPv4 address space in each VLAN, and DLS2
allocates addresses in the second half of the IPv4 address space in each VLAN.
This completes the implementation of redundant DHCP servers for the network.
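
A check of the split described in Step 6, as an added example that is not part of the lab manual: it computes what each server can still lease from its ip dhcp excluded-address lines and reports any address that both servers could hand out. The function names are hypothetical, and the .251 through .254 exclusions on DLS1 are assumed from the allocatable ranges the text states, since they are not printed in this step.

```python
import ipaddress

# Pool networks from the DLS2 configuration in Step 6a.
POOLS = {"GUEST": "10.1.110.0/24", "OFFICE": "10.1.120.0/24",
         "VOICE": "10.1.200.0/24"}

# DLS2 exclusions as printed in Step 6a.
DLS2 = """\
ip dhcp excluded-address 10.1.120.251 10.1.120.254
ip dhcp excluded-address 10.1.200.251 10.1.200.254
ip dhcp excluded-address 10.1.110.251 10.1.110.254
ip dhcp excluded-address 10.1.110.1 10.1.110.128
ip dhcp excluded-address 10.1.120.1 10.1.120.128
ip dhcp excluded-address 10.1.200.1 10.1.200.128
"""

# DLS1 exclusions from Step 5, plus .251-.254 (ASSUMED, see the lead-in).
DLS1_BEFORE_6B = """\
ip dhcp excluded-address 10.1.110.1 10.1.110.5
ip dhcp excluded-address 10.1.120.1 10.1.120.5
ip dhcp excluded-address 10.1.200.1 10.1.200.5
ip dhcp excluded-address 10.1.110.251 10.1.110.254
ip dhcp excluded-address 10.1.120.251 10.1.120.254
ip dhcp excluded-address 10.1.200.251 10.1.200.254
"""

# Lines added to DLS1 in Step 6b.
DLS1_STEP_6B = """\
ip dhcp excluded-address 10.1.120.129 10.1.120.250
ip dhcp excluded-address 10.1.200.129 10.1.200.250
ip dhcp excluded-address 10.1.110.129 10.1.110.250
"""


def parse_excluded(config):
    """Return [(low, high)] for every ip dhcp excluded-address line."""
    ranges = []
    for line in config.splitlines():
        words = line.split()
        if words[:3] == ["ip", "dhcp", "excluded-address"] and len(words) in (4, 5):
            low = ipaddress.IPv4Address(words[3])
            high = ipaddress.IPv4Address(words[-1])  # single-address form: high == low
            if high < low:
                raise ValueError(f"inverted range: {line!r}")
            ranges.append((low, high))
    return ranges


def leasable(network, excluded):
    """Set of host addresses in `network` that no exclusion covers."""
    return {host for host in ipaddress.ip_network(network).hosts()
            if not any(low <= host <= high for low, high in excluded)}


def as_ranges(addresses):
    """Collapse a set of addresses into sorted (first, last) string pairs."""
    ranges = []
    for addr in sorted(addresses):
        if ranges and int(addr) == int(ranges[-1][1]) + 1:
            ranges[-1][1] = addr
        else:
            ranges.append([addr, addr])
    return [(str(first), str(last)) for first, last in ranges]


def shared_leases(config_a, config_b, pools=POOLS):
    """{pool: [(first, last), ...]} of addresses both servers could lease."""
    excluded_a, excluded_b = parse_excluded(config_a), parse_excluded(config_b)
    report = {}
    for name, network in pools.items():
        both = leasable(network, excluded_a) & leasable(network, excluded_b)
        if both:
            report[name] = as_ranges(both)
    return report


if __name__ == "__main__":
    print("after Step 6b :", shared_leases(DLS1_BEFORE_6B + DLS1_STEP_6B, DLS2))
    print("Step 6b missed:", shared_leases(DLS1_BEFORE_6B, DLS2))
```

If Step 6b is skipped on DLS1, the report lists .129 through .250 in every pool as leasable by both servers, which is the overlap the extra exclusions remove.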

Step 7: Configure MD5 route authentication for EIGRP within the distribution layer and between
the distribution layer and the core layer.
a. Rotation of keys is enabled by the use of key chains. Each key is valid for the period defined by the
accept-lifetime and send-lifetime commands. Set the clock on the NTP master so that the time
is current. The setting here is just an example:
R2# clock set 09:05:00 Oct 29 2014

Create key chains on DLS1, DLS2, R1, and R3, starting in global configuration mode:
key chain morphism
key 3
key-string finite
accept-lifetime 00:00:00 Jun 1 2014 00:00:00 Sep 12 2015
send-lifetime 00:00:00 Jun 1 2014 00:00:00 Aug 12 2015
key 4
key-string smooth
accept-lifetime 00:00:00 Aug 12 2015 00:00:00 Dec 12 2016
send-lifetime 00:00:00 Sep 12 2015 00:00:00 Nov 12 2016
key 5
key-string flat
accept-lifetime 00:00:00 Nov 12 2016 00:00:00 Mar 12 2017
send-lifetime 00:00:00 Dec 12 2016 00:00:00 Feb 12 2017

The key lifetimes for the keys in the key chain overlap to avoid neighbor authentication failure during a
transition between keys.
Note: The key lifetimes on the distribution and core devices require the correct date and time for EIGRP
operation. If the current time does not fall in the range June 1, 2014 to February 12, 2017, EIGRP will not
converge—in this case, add a fixed number n as appropriate to each year appearing above (six times) so
that the resulting time ranges encompass the current time.
b. On each of SVI 99, 100, 110, 120, and 200 of DLS1 and DLS2, enter the following four commands:
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 morphism
ipv6 authentication mode eigrp 1 md5
ipv6 authentication key-chain eigrp 1 morphism

c. On R1 and R3, configure the following commands, starting from global configuration mode:
router eigrp HQ
address-family ipv4 unicast autonomous-system 1
af-interface g0/1.99
authentication key-chain morphism
authentication mode md5
exit-af-interface
af-interface g0/1.100
authentication key-chain morphism
authentication mode md5
exit-af-interface
af-interface g0/1.110
authentication key-chain morphism
authentication mode md5
exit-af-interface
af-interface g0/1.120
authentication key-chain morphism
authentication mode md5
exit-af-interface
af-interface g0/1.200
authentication key-chain morphism
authentication mode md5
exit-af-interface
exit-address-family
!
address-family ipv6 unicast autonomous-system 1
af-interface g0/1.99
authentication key-chain morphism
authentication mode md5
exit-af-interface
af-interface g0/1.100
authentication key-chain morphism
authentication mode md5
exit-af-interface
af-interface g0/1.110
authentication key-chain morphism
authentication mode md5
exit-af-interface
af-interface g0/1.120
authentication key-chain morphism
authentication mode md5
exit-af-interface
af-interface g0/1.200
authentication key-chain morphism
authentication mode md5
exit-af-interface
exit-address-family
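
The key chain from Step 7a can be checked for instants at which no key is valid, as an added example that is not part of the lab manual. It parses the chain as printed and reports, separately for accept-lifetime and send-lifetime, any interval that no key covers. The function names are hypothetical, and treating each window as start-inclusive and end-exclusive is an assumption of the example.

```python
from datetime import datetime

MONTHS = {name: n for n, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Key chain morphism, copied from Step 7a.
MORPHISM = """\
key chain morphism
key 3
key-string finite
accept-lifetime 00:00:00 Jun 1 2014 00:00:00 Sep 12 2015
send-lifetime 00:00:00 Jun 1 2014 00:00:00 Aug 12 2015
key 4
key-string smooth
accept-lifetime 00:00:00 Aug 12 2015 00:00:00 Dec 12 2016
send-lifetime 00:00:00 Sep 12 2015 00:00:00 Nov 12 2016
key 5
key-string flat
accept-lifetime 00:00:00 Nov 12 2016 00:00:00 Mar 12 2017
send-lifetime 00:00:00 Dec 12 2016 00:00:00 Feb 12 2017
"""


def _instant(words):
    """['00:00:00', 'Jun', '1', '2014'] -> datetime (locale independent)."""
    hour, minute, second = (int(part) for part in words[0].split(":"))
    return datetime(int(words[3]), MONTHS[words[1]], int(words[2]),
                    hour, minute, second)


def parse_key_chain(text):
    """Return {key_id: {"accept": (start, end), "send": (start, end)}}.

    Only the absolute start/end lifetime form used in the lab is handled.
    """
    keys, current = {}, None
    for line in text.splitlines():
        words = line.split()
        if len(words) == 2 and words[0] == "key" and words[1].isdigit():
            current = keys.setdefault(int(words[1]), {})
        elif words and words[0] in ("accept-lifetime", "send-lifetime"):
            if current is None or len(words) != 9:
                raise ValueError(f"unsupported lifetime line: {line!r}")
            kind = words[0].split("-")[0]
            current[kind] = (_instant(words[1:5]), _instant(words[5:9]))
    return keys


def coverage_gaps(keys, kind):
    """Intervals between the chain's first start and last end during which
    no key is valid for `kind` ("send" or "accept")."""
    gaps, covered_until = [], None
    for start, end in sorted(k[kind] for k in keys.values() if kind in k):
        if covered_until is not None and start > covered_until:
            gaps.append((covered_until, start))
        covered_until = end if covered_until is None else max(covered_until, end)
    return gaps


def valid_keys(keys, when, kind):
    """Key ids valid at `when`, with windows treated as [start, end)."""
    return sorted(kid for kid, k in keys.items()
                  if kind in k and k[kind][0] <= when < k[kind][1])


def send_outside_accept(keys):
    """Key ids whose send window is not contained in their accept window."""
    return sorted(
        kid for kid, k in keys.items()
        if "send" in k and "accept" in k
        and not (k["accept"][0] <= k["send"][0] and k["send"][1] <= k["accept"][1]))


if __name__ == "__main__":
    chain = parse_key_chain(MORPHISM)
    for kind in ("accept", "send"):
        for start, end in coverage_gaps(chain, kind):
            print(f"no {kind} key from {start:%Y-%m-%d} to {end:%Y-%m-%d}")
    print("send outside accept:", send_outside_accept(chain))
```

On the chain as printed, the accept windows are contiguous, while no key is valid for sending from Aug 12 to Sep 12 2015 and from Nov 12 to Dec 12 2016; the manifold key chain in Step 8 uses the same lifetimes.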

Step 8: Configure HMAC-SHA-256 route authentication for EIGRP within the core layer.
On R1, R2, and R3, configure the following commands, starting from global configuration mode:
key chain manifold
key 0
key-string riemannian
accept-lifetime 00:00:00 Jun 1 2014 00:00:00 Sep 12 2015
send-lifetime 00:00:00 Jun 1 2014 00:00:00 Aug 12 2015
key 1
key-string symplectic
accept-lifetime 00:00:00 Aug 12 2015 00:00:00 Dec 12 2016
send-lifetime 00:00:00 Sep 12 2015 00:00:00 Nov 12 2016
key 2
key-string lie-group
accept-lifetime 00:00:00 Nov 12 2016 00:00:00 Mar 12 2017
send-lifetime 00:00:00 Dec 12 2016 00:00:00 Feb 12 2017
!
router eigrp HQ
address-family ipv4 unicast autonomous-system 1
af-interface s0/0/0
authentication mode hmac-sha-256 scheme
authentication key-chain manifold
exit-af-interface
af-interface s0/0/1
authentication mode hmac-sha-256 scheme
authentication key-chain manifold
exit-af-interface
exit-address-family
address-family ipv6 unicast autonomous-system 1
af-interface s0/0/0
authentication mode hmac-sha-256 scheme
authentication key-chain manifold
exit-af-interface
af-interface s0/0/1
authentication mode hmac-sha-256 scheme
authentication key-chain manifold
exit-af-interface
exit-address-family

Note that authentication commands on the unused interfaces S0/0/1 of R1 and S0/0/0 of R3 are for future use.
This completes the configuration of EIGRP route authentication for Second BASE.

Step 9: Configure GLBP MD5 authentication for IPv4 and IPv6.


On R1 and R3, configure the following commands, starting from global configuration mode:
interface GigabitEthernet0/1.99
glbp 99 authentication md5 key-chain morphism
glbp 499 authentication md5 key-chain morphism
!
interface GigabitEthernet0/1.100
glbp 100 authentication md5 key-chain morphism
glbp 500 authentication md5 key-chain morphism
!
interface GigabitEthernet0/1.110
glbp 110 authentication md5 key-chain morphism
glbp 510 authentication md5 key-chain morphism
!
interface GigabitEthernet0/1.120
glbp 120 authentication md5 key-chain morphism
glbp 520 authentication md5 key-chain morphism
!
interface GigabitEthernet0/1.200
glbp 200 authentication md5 key-chain morphism
glbp 600 authentication md5 key-chain morphism

The same keys are used for GLBP as are used for route authentication between the distribution and core devices.

Step 10: Verify EIGRP and GLBP functionality.


a. There are many ways to verify EIGRP functionality. DLS1 has all IPv4 and IPv6 EIGRP routes:
DLS1# show ip route eigrp
<output omitted>
D 2.0.0.0/8 [90/2170144] via 10.1.100.3, 01:08:11, Vlan100
[90/2170144] via 10.1.100.1, 01:08:11, Vlan100
[90/2170144] via 10.1.99.3, 01:08:11, Vlan99
[90/2170144] via 10.1.99.1, 01:08:11, Vlan99
10.0.0.0/8 is variably subnetted, 19 subnets, 3 masks
D 10.1.1.0/30 [90/2170112] via 10.1.200.1, 01:08:11, Vlan200
[90/2170112] via 10.1.110.1, 01:08:11, Vlan110
[90/2170112] via 10.1.100.1, 01:08:11, Vlan100
[90/2170112] via 10.1.99.1, 01:08:11, Vlan99
D 10.1.1.1/32 [90/2682112] via 10.1.200.3, 01:08:09, Vlan200
[90/2682112] via 10.1.110.3, 01:08:09, Vlan110
[90/2682112] via 10.1.100.3, 01:08:09, Vlan100
[90/2682112] via 10.1.99.3, 01:08:09, Vlan99
D 10.1.1.2/32 [90/2170112] via 10.1.200.1, 01:08:11, Vlan200
[90/2170112] via 10.1.110.1, 01:08:11, Vlan110
[90/2170112] via 10.1.100.1, 01:08:11, Vlan100
[90/2170112] via 10.1.99.1, 01:08:11, Vlan99
D 10.1.1.4/30 [90/2170112] via 10.1.200.3, 01:08:09, Vlan200
[90/2170112] via 10.1.110.3, 01:08:09, Vlan110
[90/2170112] via 10.1.100.3, 01:08:09, Vlan100
[90/2170112] via 10.1.99.3, 01:08:09, Vlan99
D 10.1.1.5/32 [90/2682112] via 10.1.200.1, 01:08:11, Vlan200
[90/2682112] via 10.1.110.1, 01:08:11, Vlan110
[90/2682112] via 10.1.100.1, 01:08:11, Vlan100
[90/2682112] via 10.1.99.1, 01:08:11, Vlan99
D 10.1.1.6/32 [90/2170112] via 10.1.200.3, 01:08:09, Vlan200
[90/2170112] via 10.1.110.3, 01:08:09, Vlan110
[90/2170112] via 10.1.100.3, 01:08:09, Vlan100
[90/2170112] via 10.1.99.3, 01:08:09, Vlan99
D 10.1.201.1/32 [90/2848] via 10.1.200.1, 01:08:11, Vlan200
[90/2848] via 10.1.110.1, 01:08:11, Vlan110
[90/2848] via 10.1.100.1, 01:08:11, Vlan100
[90/2848] via 10.1.99.1, 01:08:11, Vlan99
D 10.1.202.1/32 [90/2170144] via 10.1.100.3, 01:08:11, Vlan100
[90/2170144] via 10.1.100.1, 01:08:11, Vlan100
[90/2170144] via 10.1.99.3, 01:08:11, Vlan99
[90/2170144] via 10.1.99.1, 01:08:11, Vlan99
D 10.1.203.1/32 [90/2848] via 10.1.200.3, 01:08:09, Vlan200
[90/2848] via 10.1.110.3, 01:08:09, Vlan110
[90/2848] via 10.1.100.3, 01:08:09, Vlan100
[90/2848] via 10.1.99.3, 01:08:09, Vlan99
DLS1# show ipv6 route eigrp
<output omitted>
D 2001:DB8:CAFE:10::/64 [90/2170112]
via FE80::1, Vlan99
via FE80::1, Vlan120
via FE80::1, Vlan100
via FE80::1, Vlan110
via FE80::1, Vlan200
D 2001:DB8:CAFE:14::/64 [90/2170112]
via FE80::3, Vlan99
via FE80::3, Vlan100
via FE80::3, Vlan110
via FE80::3, Vlan200
via FE80::3, Vlan120
D 2001:DB8:CAFE:201::/64 [90/2848]
via FE80::1, Vlan99
via FE80::1, Vlan120
via FE80::1, Vlan100
via FE80::1, Vlan110
via FE80::1, Vlan200
D 2001:DB8:CAFE:202::/64 [90/2170144]
via FE80::1, Vlan99
via FE80::3, Vlan99
via FE80::1, Vlan120
via FE80::1, Vlan100
via FE80::3, Vlan100
via FE80::1, Vlan110
via FE80::3, Vlan110
via FE80::1, Vlan200
via FE80::3, Vlan200
via FE80::3, Vlan120
D 2001:DB8:CAFE:203::/64 [90/2848]
via FE80::3, Vlan99
via FE80::3, Vlan100
via FE80::3, Vlan110
via FE80::3, Vlan200
via FE80::3, Vlan120
D 2001:DB8:EFAC::/48 [90/2170144]
via FE80::1, Vlan99
via FE80::3, Vlan99
via FE80::1, Vlan120
via FE80::1, Vlan100
via FE80::3, Vlan100
via FE80::1, Vlan110
via FE80::3, Vlan110
via FE80::1, Vlan200
via FE80::3, Vlan200
via FE80::3, Vlan120

b. There are many ways to verify GLBP functionality. R1 has a complete GLBP solution for IPv4 and IPv6:
R1# show glbp brief
Interface Grp Fwd Pri State Address Active router Standby router
Gi0/1.99 99 - 110 Active 10.1.99.254 local 10.1.99.3
Gi0/1.99 99 1 - Listen 0007.b400.6301 10.1.99.3 -
Gi0/1.99 99 2 - Active 0007.b400.6302 local -
Gi0/1.99 499 - 110 Active FE80::7:B4FF:FE01:F300
local FE80::3
Gi0/1.99 499 1 - Active 0007.b401.f301 local -
Gi0/1.99 499 2 - Listen 0007.b401.f302 FE80::3 -
Gi0/1.100 100 - 100 Standby 10.1.100.254 10.1.100.3 local
Gi0/1.100 100 1 - Active 0007.b400.6401 local -
Gi0/1.100 100 2 - Listen 0007.b400.6402 10.1.100.3 -
Gi0/1.100 500 - 100 Standby FE80::7:B4FF:FE01:F400
FE80::3 local
Gi0/1.100 500 1 - Listen 0007.b401.f401 FE80::3 -
Gi0/1.100 500 2 - Active 0007.b401.f402 local -
Gi0/1.110 110 - 110 Active 10.1.110.254 local 10.1.110.3
Gi0/1.110 110 1 - Listen 0007.b400.6e01 10.1.110.3 -
Gi0/1.110 110 2 - Active 0007.b400.6e02 local -
Gi0/1.110 510 - 110 Active FE80::7:B4FF:FE01:FE00
local FE80::3
Gi0/1.110 510 1 - Active 0007.b401.fe01 local -
Gi0/1.110 510 2 - Listen 0007.b401.fe02 FE80::3 -
Gi0/1.120 120 - 110 Active 10.1.120.254 local 10.1.120.3
Gi0/1.120 120 1 - Listen 0007.b400.7801 10.1.120.3 -
Gi0/1.120 120 2 - Active 0007.b400.7802 local -
Gi0/1.120 520 - 110 Active FE80::7:B4FF:FE02:800
local FE80::3
Gi0/1.120 520 1 - Active 0007.b402.0801 local -
Gi0/1.120 520 2 - Listen 0007.b402.0802 FE80::3 -
Gi0/1.200 200 - 100 Standby 10.1.200.254 10.1.200.3 local
Gi0/1.200 200 1 - Active 0007.b400.c801 local -
Gi0/1.200 200 2 - Listen 0007.b400.c802 10.1.200.3 -
Gi0/1.200 600 - 100 Standby FE80::7:B4FF:FE02:5800
FE80::3 local
Gi0/1.200 600 1 - Listen 0007.b402.5801 FE80::3 -
Gi0/1.200 600 2 - Active 0007.b402.5802 local -

This completes Task 2, creating Second BASE. This baseline will be reused in some other TSHOOT labs.

Device Configurations (Instructor version)


Note: The TT-A device configurations are exactly the same as the BASE Lab configurations. The TT-B
device configurations are exactly the final configurations from completing Task 1 (Experimental BASE).
The final configurations at the end of Task 2 (Second BASE) are included for later use and the associated
filenames are
• Second-BASE-ALS1-Cfg.txt
• Second-BASE-DLS1-Cfg.txt
• Second-BASE-DLS2-Cfg.txt
• Second-BASE-R1-Cfg.txt
• Second-BASE-R2-Cfg.txt
• Second-BASE-R3-Cfg.txt

TT-A Configurations
Switch ALS1
!Lab 5-1 Switch ALS1 TT-A Config
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ALS1
!
logging buffered 16384
enable secret cisco
!
username cisco secret cisco
aaa new-model
!
!
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec default local
!
!
clock timezone PST -8
clock summer-time PDT recurring
system mtu routing 1500
vtp domain TSHOOT
vtp mode transparent
ip routing
!
!
no ip domain-lookup
ip domain-name tshoot.net
ipv6 unicast-routing
!
errdisable recovery cause psecure-violation
errdisable recovery interval 120
!
spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree extend system-id
!
vlan 99
name MANAGEMENT
!
vlan 110
name GUEST
!
vlan 120
name OFFICE
!
vlan 200
name VOICE
!
vlan 666
name NATIVE
!
vlan 999
name PARKING_LOT
!
ip telnet source-interface Vlan99
ip ssh source-interface Vlan99
ip ssh dh min size 2048
!
!
interface Port-channel1
description Channel to DLS1
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
no shutdown
!
interface Port-channel2
description Channel to DLS2
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
no shutdown
!
interface FastEthernet0/1
description Channel to DLS1
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 1 mode on
no shutdown
!
interface FastEthernet0/2
description Channel to DLS1
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 1 mode on
no shutdown
!
interface FastEthernet0/3
description Channel to DLS2
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 2 mode on
no shutdown
!
interface FastEthernet0/4
description Channel to DLS2
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 2 mode on
no shutdown
!
interface FastEthernet0/5
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/6
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/7
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/8
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/9
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/10
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/11
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/12
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/13
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/14
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/15
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/16
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/17
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/18
description To PC-B
switchport access vlan 120
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security mac-address sticky
spanning-tree portfast
no shutdown
!
interface FastEthernet0/19
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/20
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/21
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/22
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/23
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/24
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/1
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/2
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan99
ip address 10.1.99.251 255.255.255.0
ipv6 address FE80::A1 link-local
ipv6 address 2001:DB8:CAFE:99::A1/64
no ip proxy-arp
no shutdown
!
interface Vlan110
ip address 10.1.110.251 255.255.255.0
ipv6 address FE80::A1 link-local
ipv6 address 2001:DB8:CAFE:110::A1/64
ipv6 nd prefix 2001:DB8:CAFE:110::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
no shutdown
!
interface Vlan120
ip address 10.1.120.251 255.255.255.0
ipv6 address FE80::A1 link-local
ipv6 address 2001:DB8:CAFE:120::A1/64
ipv6 nd prefix 2001:DB8:CAFE:120::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
no shutdown
!
interface Vlan200
ip address 10.1.200.251 255.255.255.0
ipv6 address FE80::A1 link-local
ipv6 address 2001:DB8:CAFE:200::A1/64
ipv6 nd prefix 2001:DB8:CAFE:200::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
no shutdown
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.1.99.254
logging source-interface Vlan99
logging host 10.1.100.1
ipv6 route ::/0 2001:DB8:CAFE:99::D1
!
snmp-server community cisco RO
snmp-server community san-fran RW
snmp-server trap-source Vlan99
snmp-server location TSHOOT Lab Facility
snmp-server contact support@tshoot.net
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps port-security
snmp-server enable traps vlan-membership
snmp-server host 10.1.100.1 version 2c cisco
!
banner motd ^*** Lab 5-1 Switch ALS1 TT-A Config ***^
!
ipv6 access-list REMOTEv6
deny ipv6 any any
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication CONSOLE
line vty 0 4
exec-timeout 0 0
ipv6 access-class REMOTEv6 in
logging synchronous
length 0
transport input telnet ssh
!
ntp source Vlan99
ntp server 10.1.202.1
!
crypto key gen rsa general-keys modulus 1024
!
!
archive
log config
logging enable
logging size 50
notify syslog contenttype plaintext
hidekeys
path tftp://10.1.100.1/$h-archive-config
write-memory
file prompt quiet
!
end
!

Switch DLS1
!Lab 5-1 Switch DLS1 TT-A Config
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname DLS1
!
!
logging buffered 16384
enable secret cisco
!
username cisco secret cisco
aaa new-model
!
!
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec default local
!
!
clock timezone PST -8
clock summer-time PDT recurring
system mtu routing 1500
vtp domain TSHOOT
vtp mode transparent
ip routing
no ip domain-lookup
ip domain-name tshoot.net
!
ip dhcp excluded-address 10.1.120.251 10.1.120.254
ip dhcp excluded-address 10.1.200.251 10.1.200.254
ip dhcp excluded-address 10.1.110.251 10.1.110.254
!
ip dhcp pool VOICE
network 10.1.200.0 255.255.255.0
default-router 10.1.200.254
!
ip dhcp pool GUEST
network 10.1.110.0 255.255.255.0
default-router 10.1.110.254
!
ip dhcp pool OFFICE
network 10.1.120.0 255.255.255.0
default-router 10.1.120.254
!
!
ipv6 unicast-routing
ipv6 dhcp pool DHCPv6OFFICE
address prefix 2001:DB8:CAFE:120:ABCD::/80
domain-name tshoot.net
!
ipv6 dhcp pool DHCPv6VOICE
address prefix 2001:DB8:CAFE:200:ABCD::/80
domain-name tshoot.net
!
ipv6 dhcp pool DHCPv6GUEST
address prefix 2001:DB8:CAFE:110:ABCD::/80
domain-name tshoot.net
!
errdisable recovery cause bpduguard
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 99,110,120 priority 24576
spanning-tree vlan 100,200 priority 28672
!
vlan 99
name MANAGEMENT
!
vlan 100
name SERVERS
!
vlan 110
name GUEST
!
vlan 120
name OFFICE
!
vlan 200
name VOICE
!
vlan 666
name NATIVE
!
vlan 999
name PARKING_LOT
!
ip telnet source-interface Vlan99
ip ssh source-interface Vlan99
ip ssh dh min size 2048
!
!
interface Port-channel1
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
no shutdown
!
interface Port-channel10
description Channel to DLS2
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
switchport mode trunk
switchport nonegotiate
no shutdown
!
interface FastEthernet0/1
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 1 mode on
no shutdown
!
interface FastEthernet0/2
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 1 mode on
no shutdown
!
interface FastEthernet0/3
description Channel to DLS2
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 10 mode on
no shutdown
!
interface FastEthernet0/4
description Channel to DLS2
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 10 mode on
no shutdown
!
interface FastEthernet0/5
description FE to R1
no switchport
ip address 10.1.2.1 255.255.255.252
speed 100
duplex full
ipv6 address FE80::D1 link-local
ipv6 address 2001:DB8:CAFE:20::D1/64
ipv6 eigrp 1
spanning-tree bpduguard enable
no shutdown
!
interface FastEthernet0/6
description FE to SRV1
switchport access vlan 100
switchport mode access
switchport nonegotiate
spanning-tree portfast
no shutdown
!
interface FastEthernet0/7
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/8
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/9
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/10
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/11
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/12
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/13
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/14
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/15
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/16
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/17
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/18
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/19
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/20
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/21
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/22
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/23
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/24
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/1
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/2
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan99
ip address 10.1.99.252 255.255.255.0
no ip proxy-arp
standby 99 ip 10.1.99.254
standby 99 priority 110
standby 99 preempt
ipv6 address FE80::D1 link-local
ipv6 address 2001:DB8:CAFE:99::D1/64
ipv6 eigrp 1
no shutdown
!
interface Vlan100
ip address 10.1.100.252 255.255.255.0
no ip proxy-arp
standby 100 ip 10.1.100.254
standby 100 preempt
ipv6 address FE80::D1 link-local
ipv6 address 2001:DB8:CAFE:100::D1/64
ipv6 eigrp 1
no shutdown
!
interface Vlan110
ip address 10.1.110.252 255.255.255.0
no ip proxy-arp
standby 110 ip 10.1.110.254
standby 110 priority 110
standby 110 preempt
ipv6 address FE80::D1 link-local
ipv6 address 2001:DB8:CAFE:110::D1/64
ipv6 nd prefix 2001:DB8:CAFE:110::/64 no-autoconfig
ipv6 nd managed-config-flag
ipv6 eigrp 1
ipv6 dhcp server DHCPv6GUEST
no shutdown
!
interface Vlan120
ip address 10.1.120.252 255.255.255.0
no ip proxy-arp
standby 120 ip 10.1.120.254
standby 120 priority 110
standby 120 preempt
ipv6 address FE80::D1 link-local
ipv6 address 2001:DB8:CAFE:120::D1/64
ipv6 nd prefix 2001:DB8:CAFE:120::/64 no-autoconfig
ipv6 nd managed-config-flag
ipv6 eigrp 1
ipv6 dhcp server DHCPv6OFFICE
no shutdown
!
interface Vlan200
ip address 10.1.200.252 255.255.255.0
no ip proxy-arp
standby 200 ip 10.1.200.254
standby 200 preempt
ipv6 address FE80::D1 link-local
ipv6 address 2001:DB8:CAFE:200::D1/64
ipv6 nd prefix 2001:DB8:CAFE:200::/64 no-autoconfig
ipv6 nd managed-config-flag
ipv6 eigrp 1
ipv6 dhcp server DHCPv6VOICE
no shutdown
!
!
router eigrp 1
network 10.1.0.0 0.0.255.255
passive-interface default
no passive-interface FastEthernet0/5
no passive-interface Vlan99
no passive-interface Vlan100
no passive-interface Vlan110
no passive-interface Vlan120
no passive-interface Vlan200
!
no ip http server
no ip http secure-server
!
!
logging source-interface Vlan99
logging host 10.1.100.1
ipv6 router eigrp 1
eigrp router-id 1.1.1.1
!
!
snmp-server community cisco RO
snmp-server community san-fran RW
snmp-server trap-source Vlan99
snmp-server location TSHOOT Lab Facility
snmp-server contact support@tshoot.net
snmp-server enable traps eigrp
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps port-security
snmp-server enable traps config
snmp-server enable traps hsrp
snmp-server enable traps vlan-membership
snmp-server enable traps errdisable
snmp-server host 10.1.100.1 version 2c cisco
!
!
banner motd ^*** Lab 5-1 Switch DLS1 TT-A Config ***^
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication CONSOLE
line vty 0 4
exec-timeout 0 0
logging synchronous
transport input telnet ssh
!
ntp source Vlan99
ntp server 10.1.202.1
!
crypto key gen rsa general-keys modulus 1024
!
archive
log config
logging enable
logging size 50
notify syslog contenttype plaintext
hidekeys
path tftp://10.1.100.1/$h-archive-config
write-memory
file prompt quiet
!
end
!

Switch DLS2
!Lab 5-1 Switch DLS2 TT-A Config
!
service timestamps debug datetime msec
service timestamps log datetime
service password-encryption
!
hostname DLS2
!
!
logging buffered 16384
enable secret cisco
!
username cisco secret cisco
aaa new-model
!
!
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec default local
!
!
clock timezone PST -8
clock summer-time PDT recurring
system mtu routing 1500
vtp domain TSHOOT
vtp mode transparent
ip routing
no ip domain-lookup
ip domain-name tshoot.net
!
!
ipv6 unicast-routing
!
errdisable recovery cause bpduguard
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 99,110,120 priority 28672
spanning-tree vlan 100,200 priority 24576
!
vlan 99
name MANAGEMENT
!
vlan 100
name SERVERS
!
vlan 110
name GUEST
!
vlan 120
name OFFICE
!
vlan 200
name VOICE
!
vlan 666
name NATIVE
!
vlan 999
name PARKING_LOT
!
ip telnet source-interface Vlan99
ip ssh source-interface Vlan99
ip ssh dh min size 2048
!
!
interface Port-channel2
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
no shutdown
!
interface Port-channel10
description Channel to DLS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
switchport mode trunk
switchport nonegotiate
no shutdown
!
interface FastEthernet0/1
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 2 mode on
no shutdown
!
interface FastEthernet0/2
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 2 mode on
no shutdown
!
interface FastEthernet0/3
description Channel to DLS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 10 mode on
no shutdown
!
interface FastEthernet0/4
description Channel to DLS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 10 mode on
no shutdown
!
interface FastEthernet0/5
description FE to R3
no switchport
ip address 10.1.2.13 255.255.255.252
speed 100
duplex full
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:212::D2/64
ipv6 eigrp 1
spanning-tree bpduguard enable
no shutdown
!
interface FastEthernet0/6
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/7
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/8
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/9
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/10
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/11
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/12
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/13
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/14
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/15
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/16
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/17
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/18
description FE to PC-C
switchport access vlan 110
switchport mode access
switchport nonegotiate
spanning-tree portfast
no shutdown
!
interface FastEthernet0/19
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/20
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/21
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/22
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/23
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/24
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/1
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/2
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan99
ip address 10.1.99.253 255.255.255.0
no ip proxy-arp
standby 99 ip 10.1.99.254
standby 99 preempt
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:99::D2/64
ipv6 eigrp 1
no shutdown
!
interface Vlan100
ip address 10.1.100.253 255.255.255.0
no ip proxy-arp
standby 100 ip 10.1.100.254
standby 100 priority 110
standby 100 preempt
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:100::D2/64
ipv6 eigrp 1
no shutdown
!
interface Vlan110
ip address 10.1.110.253 255.255.255.0
no ip proxy-arp
standby 110 ip 10.1.110.254
standby 110 preempt
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:110::D2/64
ipv6 nd prefix 2001:DB8:CAFE:110::/64 no-autoconfig
ipv6 nd managed-config-flag
ipv6 eigrp 1
no shutdown
!
interface Vlan120
ip address 10.1.120.253 255.255.255.0
no ip proxy-arp
standby 120 ip 10.1.120.254
standby 120 preempt
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:120::D2/64
ipv6 nd prefix 2001:DB8:CAFE:120::/64 no-autoconfig
ipv6 nd managed-config-flag
ipv6 eigrp 1
no shutdown
!
interface Vlan200
ip address 10.1.200.253 255.255.255.0
no ip proxy-arp
standby 200 ip 10.1.200.254
standby 200 priority 110
standby 200 preempt
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:200::D2/64
ipv6 nd prefix 2001:DB8:CAFE:200::/64 no-autoconfig
ipv6 nd managed-config-flag
ipv6 eigrp 1
no shutdown
!
!
router eigrp 1
network 10.1.0.0 0.0.255.255
passive-interface default
no passive-interface FastEthernet0/5
no passive-interface Vlan99
no passive-interface Vlan100
no passive-interface Vlan110
no passive-interface Vlan120
no passive-interface Vlan200
!
no ip http server
no ip http secure-server
!
!
logging source-interface Vlan99
logging host 10.1.100.1
ipv6 router eigrp 1
eigrp router-id 2.2.2.2
!
!
snmp-server community cisco RO
snmp-server community san-fran RW
snmp-server trap-source Vlan99
snmp-server location TSHOOT Lab Facility
snmp-server contact support@tshoot.net
snmp-server enable traps eigrp
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps port-security
snmp-server enable traps config
snmp-server enable traps hsrp
snmp-server enable traps vlan-membership
snmp-server enable traps errdisable
snmp-server host 10.1.100.1 version 2c cisco
!
!
banner motd ^*** Lab 5-1 Switch DLS2 TT-A Config ***^
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication CONSOLE
line vty 0 4
exec-timeout 0 0
logging synchronous
transport input telnet ssh
!
ntp source Vlan99
ntp server 10.1.202.1
!
crypto key gen rsa general-keys modulus 1024
!
archive
log config
logging enable
logging size 50
notify syslog contenttype plaintext
hidekeys
path tftp://10.1.100.1/$h-archive-config
write-memory
file prompt quiet
!
end
!

Router R1
!Lab 5-1 Router R1 TT-A Config
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
logging buffered 16384
enable secret cisco
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec default local
!
!
clock timezone PST -8
clock summer-time PDT recurring
!
!
no ip domain lookup
ip domain name tshoot.net
ip cef
ipv6 unicast-routing
ipv6 cef
!
username cisco secret cisco
!
!
ip telnet source-interface Loopback0
ip ssh source-interface Loopback0
ip ssh dh min size 2048
!
!
interface Loopback0
ip address 10.1.201.1 255.255.255.255
ipv6 address FE80::1 link-local
ipv6 address 2001:DB8:CAFE:201::1/64
!
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1
description FE to DLS1
ip address 10.1.2.2 255.255.255.252
ip flow ingress
duplex full
speed 100
ipv6 address FE80::1 link-local
ipv6 address 2001:DB8:CAFE:20::1/64
no shutdown
!
interface Serial0/0/0
description WAN link to R2: 2 Mbps leased line
ip address 10.1.1.1 255.255.255.252
ip flow ingress
encapsulation ppp
ipv6 address FE80::1 link-local
ipv6 address 2001:DB8:CAFE:10::1/64
clock rate 2000000
no shutdown
!
interface Serial0/0/1
description WAN link to R3 (not used)
no ip address
shutdown
!
!
router eigrp HQ
!
address-family ipv4 unicast autonomous-system 1
!
af-interface GigabitEthernet0/0
passive-interface
exit-af-interface
!
af-interface Loopback0
passive-interface
exit-af-interface
!
topology base
exit-af-topology
network 0.0.0.0
exit-address-family
!
address-family ipv6 unicast autonomous-system 1
!
topology base
exit-af-topology
exit-address-family
!
ip forward-protocol nd
!
crypto key gen rsa general-keys modulus 1024
!
ip http server
ip http secure-server
ip flow-top-talkers
top 3
sort-by bytes
cache-timeout 600000
!
!
logging source-interface Loopback0
logging host 10.1.100.1
!
!
snmp-server community cisco RO
snmp-server community san-fran RW
snmp-server trap-source Loopback0
snmp-server location TSHOOT Lab Facility
snmp-server contact support@tshoot.net
snmp-server enable traps eigrp
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps config
snmp-server enable traps cpu threshold
snmp-server host 10.1.100.1 version 2c cisco
!
!
banner motd ^*** Lab 5-1 Router R1 TT-A Config ***^
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication CONSOLE
!
line vty 0 4
exec-timeout 0 0
logging synchronous
transport input telnet ssh
!
ntp source Loopback0
ntp update-calendar
ntp server 10.1.202.1
!
!
archive
log config
logging enable
logging size 50
notify syslog contenttype plaintext
hidekeys
path tftp://10.1.100.1/$h-archive-config
write-memory
file prompt quiet
!
end
!

Router R2
!Lab 5-1 Router R2 TT-A Config
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R2
!
logging buffered 16384
enable secret cisco
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec default local
!
!
clock timezone PST -8
clock summer-time PDT recurring
!
!
no ip domain lookup
ip domain name tshoot.net
ip cef
ipv6 unicast-routing
ipv6 cef
!
username cisco secret cisco
!
!
ip telnet source-interface Loopback0
ip ssh source-interface Loopback0
ip ssh dh min size 2048
!
!
interface Loopback0
ip address 10.1.202.1 255.255.255.255
ipv6 address FE80::2 link-local
ipv6 address 2001:DB8:CAFE:202::2/64
!
interface Loopback1
ip address 2.2.2.2 255.0.0.0
ipv6 address FE80::2 link-local
ipv6 address 2001:DB8:EFAC::2/48
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1
description optional connection for PC-C w/ static address
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0
description WAN link to R1: 2 Mbps leased line
ip address 10.1.1.2 255.255.255.252
ip flow ingress
encapsulation ppp
ipv6 address FE80::2 link-local
ipv6 address 2001:DB8:CAFE:10::2/64
no shutdown
!
interface Serial0/0/1
description WAN link to R3: 2 Mbps leased line
ip address 10.1.1.6 255.255.255.252
ip flow ingress
encapsulation ppp
ipv6 address FE80::2 link-local
ipv6 address 2001:DB8:CAFE:14::2/64
clock rate 2000000
no shutdown
!
!
router eigrp HQ
!
address-family ipv4 unicast autonomous-system 1
!
af-interface GigabitEthernet0/0
passive-interface
exit-af-interface
!
af-interface GigabitEthernet0/1
passive-interface
exit-af-interface
!
af-interface Loopback0
passive-interface
exit-af-interface
!
af-interface Loopback1
passive-interface
exit-af-interface
!
topology base
exit-af-topology
network 0.0.0.0
exit-address-family
!
address-family ipv6 unicast autonomous-system 1
!
topology base
exit-af-topology
exit-address-family
!
ip forward-protocol nd
!
crypto key gen rsa general-keys modulus 1024
!
ip http server
ip http secure-server
ip flow-top-talkers
top 3
sort-by bytes
cache-timeout 600000
!
!
logging source-interface Loopback0
!
!
snmp-server community cisco RO
snmp-server community san-fran RW
snmp-server trap-source Loopback0
snmp-server location TSHOOT Lab Facility
snmp-server contact support@tshoot.net
snmp-server enable traps eigrp
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps config
snmp-server enable traps cpu threshold
snmp-server host 10.1.100.1 version 2c cisco
!
!
banner motd ^*** Lab 5-1 Router R2 TT-A Config ***^
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication CONSOLE
!
line vty 0 4
exec-timeout 0 0
logging synchronous
transport input telnet ssh
!
ntp master 3
!
!
archive
log config
logging size 50
notify syslog contenttype plaintext
hidekeys
path tftp://10.1.100.1/$h-archive-config
write-memory
file prompt quiet
!
end
!

Router R3
!Lab 5-1 Router R3 TT-A Config
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R3
!
!
logging buffered 16384
enable secret cisco
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec default local
!
!
clock timezone PST -8
clock summer-time PDT recurring
!
!
no ip domain lookup
ip domain name tshoot.net
ip cef
ipv6 unicast-routing
ipv6 cef
!
username cisco secret cisco
!
!
ip telnet source-interface Loopback0
ip ssh source-interface Loopback0
ip ssh dh min size 2048
!
!
interface Loopback0
ip address 10.1.203.1 255.255.255.255
ipv6 address FE80::3 link-local
ipv6 address 2001:DB8:CAFE:203::3/64
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1
description FE to DLS2
ip address 10.1.2.14 255.255.255.252
ip flow ingress
duplex full
speed 100
ipv6 address FE80::3 link-local
ipv6 address 2001:DB8:CAFE:212::3/64
no shutdown
!
interface Serial0/0/0
description WAN link to R1 - (Not used)
no ip address
encapsulation ppp
shutdown
clock rate 2000000
!
interface Serial0/0/1
description WAN link to R2: 2 Mbps leased line
ip address 10.1.1.5 255.255.255.252
ip flow ingress
encapsulation ppp
ipv6 address FE80::3 link-local
ipv6 address 2001:DB8:CAFE:14::3/64
no shutdown
!
!
router eigrp HQ
!
address-family ipv4 unicast autonomous-system 1
!
af-interface GigabitEthernet0/0
passive-interface
exit-af-interface
!
af-interface Loopback0
passive-interface
exit-af-interface
!
topology base
exit-af-topology
network 0.0.0.0
exit-address-family
!
address-family ipv6 unicast autonomous-system 1
!
topology base
exit-af-topology
exit-address-family
!
ip forward-protocol nd
!
!
crypto key gen rsa general-keys modulus 1024
!
ip http server
ip http secure-server
ip flow-top-talkers
top 3
sort-by bytes
cache-timeout 600000
!
!
logging source-interface Loopback0
logging host 10.1.100.1
!
!
snmp-server community cisco RO
snmp-server community san-fran RW
snmp-server trap-source Loopback0
snmp-server location TSHOOT Lab Facility
snmp-server contact support@tshoot.net
snmp-server enable traps eigrp
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps config
snmp-server enable traps cpu threshold
snmp-server host 10.1.100.1 version 2c cisco
!
!
banner motd ^*** Lab 5-1 Router R3 TT-A Config ***^
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication CONSOLE
!
line vty 0 4
exec-timeout 0 0
logging synchronous
transport input telnet ssh
!
ntp source Loopback0
ntp update-calendar
ntp server 10.1.202.1
!
archive
log config
logging enable
logging size 50
notify syslog contenttype plaintext
hidekeys
path tftp://10.1.100.1/$h-archive-config
write-memory
file prompt quiet
!
end
!

TT-B Configurations (Experimental BASE)


Router R2—Same as TT-A
Switch ALS1
!Lab 5-1 Switch ALS1 TT-B Config
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ALS1
!
logging buffered 16384
enable secret cisco
!
username cisco secret cisco
aaa new-model
!
!
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec default local
!
!
clock timezone PST -8
clock summer-time PDT recurring
system mtu routing 1500
vtp domain TSHOOT
vtp mode transparent
ip routing
!
!
no ip domain-lookup
ip domain-name tshoot.net
ipv6 unicast-routing
!
errdisable recovery cause psecure-violation
errdisable recovery interval 120
!
spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree extend system-id
!
vlan 99
name MANAGEMENT
!
vlan 110
name GUEST
!
vlan 120
name OFFICE
!
vlan 200
name VOICE
!
vlan 666
name NATIVE
!
vlan 999
name PARKING_LOT
!
ip telnet source-interface Vlan99
ip ssh source-interface Vlan99
ip ssh dh min size 2048
!
!
interface Port-channel1
description Channel to DLS1
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
no shutdown
!
interface Port-channel2
description Channel to DLS2
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
no shutdown
!
interface FastEthernet0/1
description Channel to DLS1
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 1 mode on
no shutdown
!
interface FastEthernet0/2
description Channel to DLS1
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 1 mode on
no shutdown
!
interface FastEthernet0/3
description Channel to DLS2
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 2 mode on
no shutdown
!
interface FastEthernet0/4
description Channel to DLS2
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 2 mode on
no shutdown
!
interface FastEthernet0/5
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/6
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/7
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/8
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/9
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/10
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/11
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/12
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/13
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/14
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/15
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/16
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/17
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/18
description To PC-B
switchport access vlan 120
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security mac-address sticky
spanning-tree portfast
no shutdown
!
interface FastEthernet0/19
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/20
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/21
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/22
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/23
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/24
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/1
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/2
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan99
ip address 10.1.99.251 255.255.255.0
ipv6 address FE80::A1 link-local
ipv6 address 2001:DB8:CAFE:99::A1/64
no ip proxy-arp
no shutdown
!
interface Vlan110
ip address 10.1.110.251 255.255.255.0
ipv6 address FE80::A1 link-local
ipv6 address 2001:DB8:CAFE:110::A1/64
ipv6 nd prefix 2001:DB8:CAFE:110::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
no shutdown
!
interface Vlan120
ip address 10.1.120.251 255.255.255.0
ipv6 address FE80::A1 link-local
ipv6 address 2001:DB8:CAFE:120::A1/64
ipv6 nd prefix 2001:DB8:CAFE:120::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
no shutdown
!
interface Vlan200
ip address 10.1.200.251 255.255.255.0
ipv6 address FE80::A1 link-local
ipv6 address 2001:DB8:CAFE:200::A1/64
ipv6 nd prefix 2001:DB8:CAFE:200::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
no shutdown
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.1.99.254
logging source-interface Vlan99
logging host 10.1.100.5
ipv6 route ::/0 VLAN99 FE80::5:73FF:FEA0:63
!
snmp-server community cisco RO
snmp-server community san-fran RW
snmp-server trap-source Vlan99
snmp-server location TSHOOT Lab Facility
snmp-server contact support@tshoot.net
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps port-security
snmp-server enable traps vlan-membership
snmp-server host 10.1.100.5 version 2c cisco
!
banner motd ^*** Lab 5-1 Switch ALS1 TT-B Config ***^
!
ipv6 access-list REMOTEv6
deny ipv6 any any
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication CONSOLE
line vty 0 4
exec-timeout 0 0
ipv6 access-class REMOTEv6 in
logging synchronous
length 0
transport input telnet ssh
!
ntp source Vlan99
ntp server 10.1.202.1
!
crypto key gen rsa general-keys modulus 1024
!
!
archive
log config
logging enable
logging size 50
notify syslog contenttype plaintext
hidekeys
path tftp://10.1.100.5/$h-archive-config
write-memory
file prompt quiet
!
end
!
Switch DLS1
!Lab 5-1 Switch DLS1 TT-B Config
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname DLS1
!
!
logging buffered 16384
enable secret cisco
!
username cisco secret cisco
aaa new-model
!
!
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec default local
!
!
clock timezone PST -8
clock summer-time PDT recurring
system mtu routing 1500
vtp domain TSHOOT
vtp mode transparent
ip routing
no ip domain-lookup
ip domain-name tshoot.net
!
ip dhcp excluded-address 10.1.120.251 10.1.120.254
ip dhcp excluded-address 10.1.200.251 10.1.200.254
ip dhcp excluded-address 10.1.110.251 10.1.110.254
ip dhcp excluded-address 10.1.110.1 10.1.110.5
ip dhcp excluded-address 10.1.120.1 10.1.120.5
ip dhcp excluded-address 10.1.200.1 10.1.200.5
!
ip dhcp pool VOICE
network 10.1.200.0 255.255.255.0
default-router 10.1.200.254
!
ip dhcp pool GUEST
network 10.1.110.0 255.255.255.0
default-router 10.1.110.254
!
ip dhcp pool OFFICE
network 10.1.120.0 255.255.255.0
default-router 10.1.120.254
!
!
ipv6 unicast-routing
ipv6 dhcp pool DHCPv6OFFICE
address prefix 2001:DB8:CAFE:120:ABCD::/80
domain-name tshoot.net
!
ipv6 dhcp pool DHCPv6VOICE
address prefix 2001:DB8:CAFE:200:ABCD::/80
domain-name tshoot.net
!
ipv6 dhcp pool DHCPv6GUEST
address prefix 2001:DB8:CAFE:110:ABCD::/80
domain-name tshoot.net
!
errdisable recovery cause bpduguard
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 99,110,120 priority 24576
spanning-tree vlan 100,200 priority 28672
!
vlan 99
name MANAGEMENT
!
vlan 100
name SERVERS
!
vlan 110
name GUEST
!
vlan 120
name OFFICE
!
vlan 200
name VOICE
!
vlan 666
name NATIVE
!
vlan 999
name PARKING_LOT
!
ip telnet source-interface Vlan99
ip ssh source-interface Vlan99
ip ssh dh min size 2048
!
!
interface Port-channel1
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
no shutdown
!
interface Port-channel10
description Channel to DLS2
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
switchport mode trunk
switchport nonegotiate
no shutdown
!
interface FastEthernet0/1
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 1 mode on
no shutdown
!
interface FastEthernet0/2
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 1 mode on
no shutdown
!
interface FastEthernet0/3
description Channel to DLS2
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 10 mode on
no shutdown
!
interface FastEthernet0/4
description Channel to DLS2
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 10 mode on
no shutdown
!
interface FastEthernet0/5
description FE to R1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
spanning-tree bpduguard enable
no shutdown
!
interface FastEthernet0/6
description FE to SRV1
switchport access vlan 100
switchport mode access
switchport nonegotiate
spanning-tree portfast
no shutdown
!
interface FastEthernet0/7
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/8
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/9
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/10
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/11
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/12
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/13
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/14
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/15
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/16
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/17
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/18
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/19
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/20
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/21
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/22
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/23
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/24
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/1
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/2
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan99
ip address 10.1.99.252 255.255.255.0
no ip proxy-arp
standby version 2
standby 99 ipv6 autoconfig
standby 99 priority 110
standby 99 preempt
ipv6 address FE80::D1 link-local
ipv6 address 2001:DB8:CAFE:99::D1/64
ipv6 eigrp 1
no shutdown
!
interface Vlan100
ip address 10.1.100.252 255.255.255.0
no ip proxy-arp
standby version 2
standby 100 ipv6 autoconfig
standby 100 preempt
ipv6 address FE80::D1 link-local
ipv6 address 2001:DB8:CAFE:100::D1/64
ipv6 eigrp 1
no shutdown
!
interface Vlan110
ip address 10.1.110.252 255.255.255.0
no ip proxy-arp
standby version 2
standby 110 ipv6 autoconfig
standby 110 priority 110
standby 110 preempt
ipv6 address FE80::D1 link-local
ipv6 address 2001:DB8:CAFE:110::D1/64
ipv6 nd prefix 2001:DB8:CAFE:110::/64 no-autoconfig
ipv6 nd managed-config-flag
ipv6 eigrp 1
ipv6 dhcp server DHCPv6GUEST
no shutdown
!
interface Vlan120
ip address 10.1.120.252 255.255.255.0
no ip proxy-arp
standby version 2
standby 120 ipv6 autoconfig
standby 120 priority 110
standby 120 preempt
ipv6 address FE80::D1 link-local
ipv6 address 2001:DB8:CAFE:120::D1/64
ipv6 nd prefix 2001:DB8:CAFE:120::/64 no-autoconfig
ipv6 nd managed-config-flag
ipv6 eigrp 1
ipv6 dhcp server DHCPv6OFFICE
no shutdown
!
interface Vlan200
ip address 10.1.200.252 255.255.255.0
no ip proxy-arp
standby version 2
standby 200 ipv6 autoconfig
standby 200 preempt
ipv6 address FE80::D1 link-local
ipv6 address 2001:DB8:CAFE:200::D1/64
ipv6 nd prefix 2001:DB8:CAFE:200::/64 no-autoconfig
ipv6 nd managed-config-flag
ipv6 eigrp 1
ipv6 dhcp server DHCPv6VOICE
no shutdown
!
!
router eigrp 1
network 10.1.0.0 0.0.255.255
passive-interface default
no passive-interface FastEthernet0/5
no passive-interface Vlan99
no passive-interface Vlan100
no passive-interface Vlan110
no passive-interface Vlan120
no passive-interface Vlan200
!
no ip http server
no ip http secure-server
!
!
logging source-interface Vlan99
logging host 10.1.100.5
ipv6 router eigrp 1
eigrp router-id 1.1.1.1
!
!
snmp-server community cisco RO
snmp-server community san-fran RW
snmp-server trap-source Vlan99
snmp-server location TSHOOT Lab Facility
snmp-server contact support@tshoot.net
snmp-server enable traps eigrp
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps port-security
snmp-server enable traps config
snmp-server enable traps hsrp
snmp-server enable traps vlan-membership
snmp-server enable traps errdisable
snmp-server host 10.1.100.5 version 2c cisco
!
!
banner motd ^*** Lab 5-1 Switch DLS1 TT-B Config ***^
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication CONSOLE
line vty 0 4
exec-timeout 0 0
logging synchronous
transport input telnet ssh
!
ntp source Vlan99
ntp server 10.1.202.1
!
crypto key gen rsa general-keys modulus 1024
!
archive
log config
logging enable
logging size 50
notify syslog contenttype plaintext
hidekeys
path tftp://10.1.100.5/$h-archive-config
write-memory
file prompt quiet
!
end
!
Switch DLS2
!Lab 5-1 Switch DLS2 TT-B Config
!
service timestamps debug datetime msec
service timestamps log datetime
service password-encryption
!
hostname DLS2
!
!
logging buffered 16384
enable secret cisco
!
username cisco secret cisco
aaa new-model
!
!
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec default local
!
!
clock timezone PST -8
clock summer-time PDT recurring
system mtu routing 1500
vtp domain TSHOOT
vtp mode transparent
ip routing
no ip domain-lookup
ip domain-name tshoot.net
!
!
ipv6 unicast-routing
!
errdisable recovery cause bpduguard
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 99,110,120 priority 28672
spanning-tree vlan 100,200 priority 24576
!
vlan 99
name MANAGEMENT
!
vlan 100
name SERVERS
!
vlan 110
name GUEST
!
vlan 120
name OFFICE
!
vlan 200
name VOICE
!
vlan 666
name NATIVE
!
vlan 999
name PARKING_LOT
!
ip telnet source-interface Vlan99
ip ssh source-interface Vlan99
ip ssh dh min size 2048
!
!
interface Port-channel2
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
no shutdown
!
interface Port-channel10
description Channel to DLS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
switchport mode trunk
switchport nonegotiate
no shutdown
!
interface FastEthernet0/1
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 2 mode on
no shutdown
!
interface FastEthernet0/2
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 2 mode on
no shutdown
!
interface FastEthernet0/3
description Channel to DLS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 10 mode on
no shutdown
!
interface FastEthernet0/4
description Channel to DLS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 10 mode on
no shutdown
!
interface FastEthernet0/5
description FE to R3
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
spanning-tree bpduguard enable
no shutdown
!
interface FastEthernet0/6
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/7
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/8
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/9
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/10
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/11
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/12
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/13
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/14
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/15
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/16
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/17
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/18
description FE to PC-C
switchport access vlan 110
switchport mode access
switchport nonegotiate
spanning-tree portfast
no shutdown
!
interface FastEthernet0/19
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/20
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/21
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/22
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/23
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/24
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/1
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/2
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan99
ip address 10.1.99.253 255.255.255.0
no ip proxy-arp
standby version 2
standby 99 ipv6 autoconfig
standby 99 preempt
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:99::D2/64
ipv6 eigrp 1
no shutdown
!
interface Vlan100
ip address 10.1.100.253 255.255.255.0
no ip proxy-arp
standby version 2
standby 100 ipv6 autoconfig
standby 100 priority 110
standby 100 preempt
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:100::D2/64
ipv6 eigrp 1
no shutdown
!
interface Vlan110
ip address 10.1.110.253 255.255.255.0
no ip proxy-arp
standby version 2
standby 110 ipv6 autoconfig
standby 110 preempt
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:110::D2/64
ipv6 nd prefix 2001:DB8:CAFE:110::/64 no-autoconfig
ipv6 nd managed-config-flag
ipv6 eigrp 1
no shutdown
!
interface Vlan120
ip address 10.1.120.253 255.255.255.0
no ip proxy-arp
standby version 2
standby 120 ipv6 autoconfig
standby 120 preempt
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:120::D2/64
ipv6 nd prefix 2001:DB8:CAFE:120::/64 no-autoconfig
ipv6 nd managed-config-flag
ipv6 eigrp 1
no shutdown
!
interface Vlan200
ip address 10.1.200.253 255.255.255.0
no ip proxy-arp
standby version 2
standby 200 ipv6 autoconfig
standby 200 priority 110
standby 200 preempt
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:200::D2/64
ipv6 nd prefix 2001:DB8:CAFE:200::/64 no-autoconfig
ipv6 nd managed-config-flag
ipv6 eigrp 1
no shutdown
!
!
router eigrp 1
network 10.1.0.0 0.0.255.255
passive-interface default
no passive-interface Vlan99
no passive-interface Vlan100
no passive-interface Vlan110
no passive-interface Vlan120
no passive-interface Vlan200
!
no ip http server
no ip http secure-server
!
!
logging source-interface Vlan99
logging host 10.1.100.5
ipv6 router eigrp 1
eigrp router-id 2.2.2.2
!
!
snmp-server community cisco RO
snmp-server community san-fran RW
snmp-server trap-source Vlan99
snmp-server location TSHOOT Lab Facility
snmp-server contact support@tshoot.net
snmp-server enable traps eigrp
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps port-security
snmp-server enable traps config
snmp-server enable traps hsrp
snmp-server enable traps vlan-membership
snmp-server enable traps errdisable
snmp-server host 10.1.100.5 version 2c cisco
!
!
banner motd ^*** Lab 5-1 Switch DLS2 TT-B Config ***^
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication CONSOLE
line vty 0 4
exec-timeout 0 0
logging synchronous
transport input telnet ssh
!
ntp source Vlan99
ntp server 10.1.202.1
!
crypto key gen rsa general-keys modulus 1024
!
archive
log config
logging enable
logging size 50
notify syslog contenttype plaintext
hidekeys
path tftp://10.1.100.5/$h-archive-config
write-memory
file prompt quiet
!
end
!
Router R1
!Lab 5-1 Router R1 TT-B Config
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
logging buffered 16384
enable secret cisco
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec default local
!
!
clock timezone PST -8
clock summer-time PDT recurring
!
!
no ip domain lookup
ip domain name tshoot.net
ip cef
ipv6 unicast-routing
ipv6 cef
!
username cisco secret cisco
!
!
ip telnet source-interface Loopback0
ip ssh source-interface Loopback0
ip ssh dh min size 2048
!
!
interface Loopback0
ip address 10.1.201.1 255.255.255.255
ipv6 address FE80::1 link-local
ipv6 address 2001:DB8:CAFE:201::1/64
!
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1
description FE to DLS1
no ip address
ip flow ingress
duplex full
speed 100
no shutdown
!
interface GigabitEthernet0/1.99
encapsulation dot1Q 99
ip address 10.1.99.1 255.255.255.0
glbp 99 ip 10.1.99.254
glbp 99 priority 110
glbp 99 preempt
ipv6 address FE80::1 link-local
ipv6 address 2001:DB8:CAFE:99::1/64
!
interface GigabitEthernet0/1.100
encapsulation dot1Q 100
ip address 10.1.100.1 255.255.255.0
glbp 100 ip 10.1.100.254
glbp 100 preempt
ipv6 address FE80::1 link-local
ipv6 address 2001:DB8:CAFE:100::1/64
!
interface GigabitEthernet0/1.110
encapsulation dot1Q 110
ip address 10.1.110.1 255.255.255.0
glbp 110 ip 10.1.110.254
glbp 110 priority 110
glbp 110 preempt
ipv6 address FE80::1 link-local
ipv6 address 2001:DB8:CAFE:110::1/64
!
interface GigabitEthernet0/1.120
encapsulation dot1Q 120
ip address 10.1.120.1 255.255.255.0
glbp 120 ip 10.1.120.254
glbp 120 priority 110
glbp 120 preempt
ipv6 address FE80::1 link-local
ipv6 address 2001:DB8:CAFE:120::1/64
!
interface GigabitEthernet0/1.200
encapsulation dot1Q 200
ip address 10.1.200.1 255.255.255.0
glbp 200 ip 10.1.200.254
glbp 200 preempt
ipv6 address FE80::1 link-local
ipv6 address 2001:DB8:CAFE:200::1/64
!
interface GigabitEthernet0/1.666
encapsulation dot1Q 666 native
!
interface Serial0/0/0
description WAN link to R2: 2 Mbps leased line
ip address 10.1.1.1 255.255.255.252
ip flow ingress
encapsulation ppp
ipv6 address FE80::1 link-local
ipv6 address 2001:DB8:CAFE:10::1/64
clock rate 2000000
no shutdown
!
interface Serial0/0/1
description WAN link to R3 (not used)
no ip address
shutdown
!
!
router eigrp HQ
!
address-family ipv4 unicast autonomous-system 1
!
af-interface GigabitEthernet0/0
passive-interface
exit-af-interface
!
af-interface Loopback0
passive-interface
exit-af-interface
!
topology base
exit-af-topology
network 0.0.0.0
exit-address-family
!
address-family ipv6 unicast autonomous-system 1
!
topology base
exit-af-topology
exit-address-family
!
ip forward-protocol nd
!
crypto key gen rsa general-keys modulus 1024
!
ip http server
ip http secure-server
ip flow-top-talkers
top 3
sort-by bytes
cache-timeout 600000
!
!
logging source-interface Loopback0
logging host 10.1.100.5
!
!
snmp-server community cisco RO
snmp-server community san-fran RW
snmp-server trap-source Loopback0
snmp-server location TSHOOT Lab Facility
snmp-server contact support@tshoot.net
snmp-server enable traps eigrp
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps config
snmp-server enable traps cpu threshold
snmp-server host 10.1.100.5 version 2c cisco
!
!
banner motd ^*** Lab 5-1 Router R1 TT-B Config ***^
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication CONSOLE
!
line vty 0 4
exec-timeout 0 0
logging synchronous
transport input telnet ssh
!
ntp source Loopback0
ntp update-calendar
ntp server 10.1.202.1
!
!
archive
log config
logging enable
logging size 50
notify syslog contenttype plaintext
hidekeys
path tftp://10.1.100.5/$h-archive-config
write-memory
file prompt quiet
!
end
!
Router R3
!Lab 5-1 Router R3 TT-B Config
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R3
!
!
logging buffered 16384
enable secret cisco
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec default local
!
!
clock timezone PST -8
clock summer-time PDT recurring
!
!
no ip domain lookup
ip domain name tshoot.net
ip cef
ipv6 unicast-routing
ipv6 cef
!
username cisco secret cisco
!
!
ip telnet source-interface Loopback0
ip ssh source-interface Loopback0
ip ssh dh min size 2048
!
!
interface Loopback0
ip address 10.1.203.1 255.255.255.255
ipv6 address FE80::3 link-local
ipv6 address 2001:DB8:CAFE:203::3/64
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1
description FE to DLS2
no ip address
ip flow ingress
duplex full
speed 100
no shutdown
!
interface GigabitEthernet0/1.99
encapsulation dot1Q 99
ip address 10.1.99.3 255.255.255.0
glbp 99 ip 10.1.99.254
glbp 99 preempt
ipv6 address FE80::3 link-local
ipv6 address 2001:DB8:CAFE:99::3/64
!
interface GigabitEthernet0/1.100
encapsulation dot1Q 100
ip address 10.1.100.3 255.255.255.0
glbp 100 ip 10.1.100.254
glbp 100 priority 110
glbp 100 preempt
ipv6 address FE80::3 link-local
ipv6 address 2001:DB8:CAFE:100::3/64
!
interface GigabitEthernet0/1.110
encapsulation dot1Q 110
ip address 10.1.110.3 255.255.255.0
glbp 110 ip 10.1.110.254
glbp 110 preempt
ipv6 address FE80::3 link-local
ipv6 address 2001:DB8:CAFE:110::3/64
!
interface GigabitEthernet0/1.120
encapsulation dot1Q 120
ip address 10.1.120.3 255.255.255.0
glbp 120 ip 10.1.120.254
glbp 120 preempt
ipv6 address FE80::3 link-local
ipv6 address 2001:DB8:CAFE:120::3/64
!
interface GigabitEthernet0/1.200
encapsulation dot1Q 200
ip address 10.1.200.3 255.255.255.0
glbp 200 ip 10.1.200.254
glbp 200 priority 110
glbp 200 preempt
ipv6 address FE80::3 link-local
ipv6 address 2001:DB8:CAFE:200::3/64
!
interface GigabitEthernet0/1.666
encapsulation dot1Q 666 native
!
interface Serial0/0/0
description WAN link to R1 - (Not used)
no ip address
encapsulation ppp
shutdown
clock rate 2000000
!
interface Serial0/0/1
description WAN link to R2: 2 Mbps leased line
ip address 10.1.1.5 255.255.255.252
ip flow ingress
encapsulation ppp
ipv6 address FE80::3 link-local
ipv6 address 2001:DB8:CAFE:14::3/64
no shutdown
!
!
router eigrp HQ
!
address-family ipv4 unicast autonomous-system 1
!
af-interface GigabitEthernet0/0
passive-interface
exit-af-interface
!
af-interface Loopback0
passive-interface
exit-af-interface
!
topology base
exit-af-topology
network 0.0.0.0
exit-address-family
!
address-family ipv6 unicast autonomous-system 1
!
topology base
exit-af-topology
exit-address-family
!
ip forward-protocol nd
!
!
crypto key gen rsa general-keys modulus 1024
!
ip http server
ip http secure-server
ip flow-top-talkers
top 3
sort-by bytes
cache-timeout 600000
!
!
logging source-interface Loopback0
logging host 10.1.100.5
!
!
snmp-server community cisco RO
snmp-server community san-fran RW
snmp-server trap-source Loopback0
snmp-server location TSHOOT Lab Facility
snmp-server contact support@tshoot.net
snmp-server enable traps eigrp
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps config
snmp-server enable traps cpu threshold
snmp-server host 10.1.100.5 version 2c cisco
!
!
banner motd ^*** Lab 5-1 Router R3 TT-B Config ***^
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication CONSOLE
!
line vty 0 4
exec-timeout 0 0
logging synchronous
transport input telnet ssh
!
ntp source Loopback0
ntp update-calendar
ntp server 10.1.202.1
!
archive
log config
logging enable
logging size 50
notify syslog contenttype plaintext
hidekeys
path tftp://10.1.100.5/$h-archive-config
write-memory
file prompt quiet
!
end
!

Second BASE
Instructor Note: The key lifetimes prescribed by the configurations on the distribution and core devices require
the correct date and time for EIGRP operation. If the current time does not fall in the range June 1, 2014 to
February 12, 2017, EIGRP will not converge—in this case, add a fixed number n as appropriate to each year
appearing in the key chain definitions so that the resulting time ranges encompass the current time. The
configurations below set the time and date to 9:05 on October 29, 2014.
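The window check behind this instructor note, as an added example that is not part of the lab manual: it parses the `morphism` key chain as printed in the DLS1, DLS2 and R1 configurations, reports which key IDs are valid at a given clock value, lists intervals with no valid send key, and finds the smallest year offset n for a chosen date. The function names are illustrative, and comparing lifetimes as naive timestamps in the device's configured clock is an assumption.

```python
import re
from datetime import datetime

# The "morphism" key chain as printed in the DLS1, DLS2 and R1 configurations.
KEY_CHAIN = """
key chain morphism
key 3
key-string finite
accept-lifetime 00:00:00 Jun 1 2014 00:00:00 Sep 12 2015
send-lifetime 00:00:00 Jun 1 2014 00:00:00 Aug 12 2015
key 4
key-string smooth
accept-lifetime 00:00:00 Aug 12 2015 00:00:00 Dec 12 2016
send-lifetime 00:00:00 Sep 12 2015 00:00:00 Nov 12 2016
key 5
key-string flat
accept-lifetime 00:00:00 Nov 12 2016 00:00:00 Mar 12 2017
send-lifetime 00:00:00 Dec 12 2016 00:00:00 Feb 12 2017
"""

MONTHS = {name: num for num, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
STAMP = r"(\d\d:\d\d:\d\d) (\w{3}) (\d{1,2}) (\d{4})"
LIFETIME = re.compile(rf"(accept|send)-lifetime {STAMP} {STAMP}")


def parse_ts(hms, month, day, year):
    """Convert the four fields of an IOS lifetime stamp to a datetime."""
    hour, minute, second = (int(part) for part in hms.split(":"))
    return datetime(int(year), MONTHS[month], int(day), hour, minute, second)


def parse_key_chain(text):
    """Return {key_id: {"accept": (start, end), "send": (start, end)}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key_line = re.fullmatch(r"key (\d+)", line)
        if key_line:
            current = int(key_line.group(1))
            keys[current] = {}
            continue
        lifetime = LIFETIME.fullmatch(line)
        if lifetime and current is not None:
            g = lifetime.groups()
            keys[current][g[0]] = (parse_ts(*g[1:5]), parse_ts(*g[5:9]))
    return keys


def valid_keys(keys, now, direction):
    """Key IDs whose 'send' or 'accept' lifetime contains the clock value."""
    return sorted(kid for kid, life in keys.items()
                  if direction in life
                  and life[direction][0] <= now < life[direction][1])


def coverage_gaps(keys, direction):
    """Intervals inside the chain's overall range where no key is valid."""
    spans = sorted(life[direction] for life in keys.values() if direction in life)
    gaps, covered_until = [], spans[0][1]
    for start, end in spans[1:]:
        if start > covered_until:
            gaps.append((covered_until, start))
        covered_until = max(covered_until, end)
    return gaps


def shift_years(keys, n):
    """Add n to every year in the chain, as the instructor note prescribes."""
    return {kid: {d: (s.replace(year=s.year + n), e.replace(year=e.year + n))
                  for d, (s, e) in life.items()}
            for kid, life in keys.items()}


def smallest_year_offset(keys, now, limit=50):
    """Smallest n for which a send key is valid and also accepted at 'now'.

    IOS sends with the lowest-numbered key whose send-lifetime is current,
    so that key must also be inside its accept-lifetime on the neighbor.
    """
    for n in range(limit + 1):
        shifted = shift_years(keys, n)
        send = valid_keys(shifted, now, "send")
        if send and send[0] in valid_keys(shifted, now, "accept"):
            return n
    return None


if __name__ == "__main__":
    chain = parse_key_chain(KEY_CHAIN)
    lab_clock = datetime(2014, 10, 29, 9, 5, 0)  # "do clock set" value in the configs
    print("send keys at lab clock:", valid_keys(chain, lab_clock, "send"))
    for start, end in coverage_gaps(chain, "send"):
        print("no send key from", start, "to", end)
    print("year offset for 2024-01-01:",
          smallest_year_offset(chain, datetime(2024, 1, 1)))
```

For the chain as printed, the accept windows overlap but the send windows leave two one-month intervals uncovered, so a shifted clock is worth checking with `valid_keys` rather than only against the outer date range.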

Switch ALS1 Second-BASE-ALS1-Cfg.txt


!Second BASE ALS1 Config
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ALS1
!
logging buffered 16384
enable secret cisco
!
username cisco secret cisco
aaa new-model
!
!
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec default local
!
!
clock timezone PST -8
clock summer-time PDT recurring
do clock set 09:05:00 Oct 29 2014
system mtu routing 1500
vtp domain TSHOOT
vtp mode transparent
ip routing
!
!
no ip domain-lookup
ip domain-name tshoot.net
ipv6 unicast-routing
!
errdisable recovery cause psecure-violation
errdisable recovery interval 120
!
spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree extend system-id
!
vlan 99
name MANAGEMENT
!
vlan 110
name GUEST
!
vlan 120
name OFFICE
!
vlan 200
name VOICE
!
vlan 666
name NATIVE
!
vlan 999
name PARKING_LOT
!
ip telnet source-interface Vlan99
ip ssh source-interface Vlan99
ip ssh dh min size 2048
!
!
interface Port-channel1
description Channel to DLS1
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
no shutdown
!
interface Port-channel2
description Channel to DLS2
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
no shutdown
!
interface FastEthernet0/1
description Channel to DLS1
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 1 mode on
no shutdown
!
interface FastEthernet0/2
description Channel to DLS1
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 1 mode on
no shutdown
!
interface FastEthernet0/3
description Channel to DLS2
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 2 mode on
no shutdown
!
interface FastEthernet0/4
description Channel to DLS2
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 2 mode on
no shutdown
!
interface FastEthernet0/5
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/6
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/7
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/8
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/9
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/10
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/11
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/12
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/13
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/14
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/15
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/16
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/17
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/18
description To PC-B
switchport access vlan 120
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security mac-address sticky
spanning-tree portfast
no shutdown
!
interface FastEthernet0/19
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/20
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/21
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/22
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/23
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/24
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/1
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/2
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan99
ip address 10.1.99.251 255.255.255.0
ipv6 address FE80::A1 link-local
ipv6 address 2001:DB8:CAFE:99::A1/64
no ip proxy-arp
no shutdown
!
interface Vlan110
ip address 10.1.110.251 255.255.255.0
ipv6 address FE80::A1 link-local
ipv6 address 2001:DB8:CAFE:110::A1/64
ipv6 nd prefix 2001:DB8:CAFE:110::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
no shutdown
!
interface Vlan120
ip address 10.1.120.251 255.255.255.0
ipv6 address FE80::A1 link-local
ipv6 address 2001:DB8:CAFE:120::A1/64
ipv6 nd prefix 2001:DB8:CAFE:120::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
no shutdown
!
interface Vlan200
ip address 10.1.200.251 255.255.255.0
ipv6 address FE80::A1 link-local
ipv6 address 2001:DB8:CAFE:200::A1/64
ipv6 nd prefix 2001:DB8:CAFE:200::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
no shutdown
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.1.99.254
logging source-interface Vlan99
logging host 10.1.100.5
ipv6 route ::/0 Vlan99 FE80::7:B4FF:FE01:F300
!
snmp-server community cisco RO
snmp-server community san-fran RW
snmp-server trap-source Vlan99
snmp-server location TSHOOT Lab Facility
snmp-server contact support@tshoot.net
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps port-security
snmp-server enable traps vlan-membership
snmp-server host 10.1.100.5 version 2c cisco
!

banner motd ^*** Second BASE ALS1 Config ***^


!
ipv6 access-list REMOTEv6
deny ipv6 any any
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication CONSOLE
line vty 0 4
exec-timeout 0 0
ipv6 access-class REMOTEv6 in
logging synchronous
length 0
transport input telnet ssh
!
ntp source Vlan99
ntp server 10.1.202.1
!
crypto key gen rsa general-keys modulus 1024
!
!
archive
log config
logging enable
logging size 50
notify syslog contenttype plaintext
hidekeys
path tftp://10.1.100.5/$h-archive-config
write-memory
file prompt quiet
!
end
!

Switch DLS1 Second-BASE-DLS1-Cfg.txt


!Second BASE DLS1 Config
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname DLS1
!
!
logging buffered 16384
enable secret cisco
!
username cisco secret cisco
aaa new-model
!
!
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec default local
!
!
clock timezone PST -8
clock summer-time PDT recurring
do clock set 09:05:00 Oct 29 2014
system mtu routing 1500
vtp domain TSHOOT
vtp mode transparent
ip routing
no ip domain-lookup
ip domain-name tshoot.net
!
ip dhcp excluded-address 10.1.110.1 10.1.110.5
ip dhcp excluded-address 10.1.120.1 10.1.120.5
ip dhcp excluded-address 10.1.200.1 10.1.200.5
ip dhcp excluded-address 10.1.120.129 10.1.120.254
ip dhcp excluded-address 10.1.200.129 10.1.200.254
ip dhcp excluded-address 10.1.110.129 10.1.110.254
!
ip dhcp pool VOICE
network 10.1.200.0 255.255.255.0
default-router 10.1.200.254
!
ip dhcp pool GUEST
network 10.1.110.0 255.255.255.0
default-router 10.1.110.254
!
ip dhcp pool OFFICE
network 10.1.120.0 255.255.255.0
default-router 10.1.120.254
!
!
ipv6 unicast-routing
ipv6 dhcp pool DHCPv6OFFICE
address prefix 2001:DB8:CAFE:120:ABCD::/80
domain-name tshoot.net
!
ipv6 dhcp pool DHCPv6VOICE
address prefix 2001:DB8:CAFE:200:ABCD::/80
domain-name tshoot.net
!
ipv6 dhcp pool DHCPv6GUEST
address prefix 2001:DB8:CAFE:110:ABCD::/80
domain-name tshoot.net
!
key chain morphism
key 3
key-string finite
accept-lifetime 00:00:00 Jun 1 2014 00:00:00 Sep 12 2015
send-lifetime 00:00:00 Jun 1 2014 00:00:00 Aug 12 2015
key 4
key-string smooth
accept-lifetime 00:00:00 Aug 12 2015 00:00:00 Dec 12 2016
send-lifetime 00:00:00 Sep 12 2015 00:00:00 Nov 12 2016
key 5
key-string flat
accept-lifetime 00:00:00 Nov 12 2016 00:00:00 Mar 12 2017
send-lifetime 00:00:00 Dec 12 2016 00:00:00 Feb 12 2017
!
errdisable recovery cause bpduguard
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 99,110,120 priority 24576
spanning-tree vlan 100,200 priority 28672
!
vlan 99
name MANAGEMENT
!
vlan 100
name SERVERS
!
vlan 110
name GUEST
!
vlan 120
name OFFICE
!
vlan 200
name VOICE
!
vlan 666
name NATIVE
!
vlan 999
name PARKING_LOT
!
ip telnet source-interface Vlan99
ip ssh source-interface Vlan99
ip ssh dh min size 2048
!
!
interface Port-channel1
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
no shutdown
!
interface Port-channel10
description Channel to DLS2
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
switchport mode trunk
switchport nonegotiate
no shutdown
!
interface FastEthernet0/1
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 1 mode on
no shutdown
!
interface FastEthernet0/2
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 1 mode on
no shutdown
!
interface FastEthernet0/3
description Channel to DLS2
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 10 mode on
no shutdown
!
interface FastEthernet0/4
description Channel to DLS2
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 10 mode on
no shutdown
!
interface FastEthernet0/5
description FE to R1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
spanning-tree bpduguard enable
no shutdown
!
interface FastEthernet0/6
description FE to SRV1
switchport access vlan 100
switchport mode access
switchport nonegotiate
spanning-tree portfast
no shutdown
!
interface FastEthernet0/7
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/8
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/9
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/10
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/11
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/12
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/13
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/14
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/15
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/16
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/17
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/18
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/19
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/20
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/21
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/22
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/23
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/24
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/1
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/2
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan99
ip address 10.1.99.252 255.255.255.0
no ip proxy-arp
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 morphism
ipv6 address FE80::D1 link-local
ipv6 address 2001:DB8:CAFE:99::D1/64
ipv6 eigrp 1
ipv6 authentication mode eigrp 1 md5
ipv6 authentication key-chain eigrp 1 morphism
no shutdown
!
interface Vlan100
ip address 10.1.100.252 255.255.255.0
no ip proxy-arp
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 morphism
ipv6 address FE80::D1 link-local
ipv6 address 2001:DB8:CAFE:100::D1/64
ipv6 nd prefix 2001:DB8:CAFE:100::/64 no-autoconfig
ipv6 nd managed-config-flag
ipv6 eigrp 1
ipv6 authentication mode eigrp 1 md5
ipv6 authentication key-chain eigrp 1 morphism
no shutdown
!
interface Vlan110
ip address 10.1.110.252 255.255.255.0
no ip proxy-arp
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 morphism
ipv6 address FE80::D1 link-local
ipv6 address 2001:DB8:CAFE:110::D1/64
ipv6 nd prefix 2001:DB8:CAFE:110::/64 no-autoconfig
ipv6 nd managed-config-flag
ipv6 eigrp 1
ipv6 authentication mode eigrp 1 md5
ipv6 authentication key-chain eigrp 1 morphism
ipv6 dhcp server DHCPv6GUEST
no shutdown
!
interface Vlan120
ip address 10.1.120.252 255.255.255.0
no ip proxy-arp
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 morphism
ipv6 address FE80::D1 link-local
ipv6 address 2001:DB8:CAFE:120::D1/64
ipv6 nd prefix 2001:DB8:CAFE:120::/64 no-autoconfig
ipv6 nd managed-config-flag
ipv6 eigrp 1
ipv6 authentication mode eigrp 1 md5
ipv6 authentication key-chain eigrp 1 morphism
ipv6 dhcp server DHCPv6OFFICE
no shutdown
!
interface Vlan200
ip address 10.1.200.252 255.255.255.0
no ip proxy-arp
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 morphism
ipv6 address FE80::D1 link-local
ipv6 address 2001:DB8:CAFE:200::D1/64
ipv6 nd prefix 2001:DB8:CAFE:200::/64 no-autoconfig
ipv6 nd managed-config-flag
ipv6 eigrp 1
ipv6 authentication mode eigrp 1 md5
ipv6 authentication key-chain eigrp 1 morphism
ipv6 dhcp server DHCPv6VOICE
no shutdown
!
!
router eigrp 1
network 10.1.0.0 0.0.255.255
passive-interface default
no passive-interface Vlan99
no passive-interface Vlan100
no passive-interface Vlan110
no passive-interface Vlan120
no passive-interface Vlan200
!
no ip http server
no ip http secure-server
!
!
logging source-interface Vlan99
logging host 10.1.100.5
ipv6 router eigrp 1
eigrp router-id 1.1.1.1
!
!
snmp-server community cisco RO
snmp-server community san-fran RW
snmp-server trap-source Vlan99
snmp-server location TSHOOT Lab Facility
snmp-server contact support@tshoot.net
snmp-server enable traps eigrp
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps port-security
snmp-server enable traps config
snmp-server enable traps hsrp
snmp-server enable traps vlan-membership
snmp-server enable traps errdisable
snmp-server host 10.1.100.5 version 2c cisco
!
!
banner motd ^*** Second BASE DLS1 Config ***^
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication CONSOLE
line vty 0 4
exec-timeout 0 0
logging synchronous
transport input telnet ssh
!
ntp source Vlan99
ntp server 10.1.202.1
!
crypto key gen rsa general-keys modulus 1024
!
archive
log config
logging enable
logging size 50
notify syslog contenttype plaintext
hidekeys
path tftp://10.1.100.5/$h-archive-config
write-memory
file prompt quiet
!
end
!

Switch DLS2
!Second BASE DLS2 Config
!
service timestamps debug datetime msec
service timestamps log datetime
service password-encryption
!
hostname DLS2
!
!
logging buffered 16384
enable secret cisco
!
username cisco secret cisco
aaa new-model
!
!
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec default local
!
!
clock timezone PST -8
clock summer-time PDT recurring
do clock set 09:05:00 Oct 29 2014
system mtu routing 1500
vtp domain TSHOOT
vtp mode transparent
ip routing
no ip domain-lookup
ip domain-name tshoot.net
!
!
ip dhcp excluded-address 10.1.120.251 10.1.120.254
ip dhcp excluded-address 10.1.200.251 10.1.200.254
ip dhcp excluded-address 10.1.110.251 10.1.110.254
ip dhcp excluded-address 10.1.110.1 10.1.110.128
ip dhcp excluded-address 10.1.120.1 10.1.120.128
ip dhcp excluded-address 10.1.200.1 10.1.200.128
!
ip dhcp pool VOICE
network 10.1.200.0 255.255.255.0
default-router 10.1.200.254
!
ip dhcp pool GUEST
network 10.1.110.0 255.255.255.0
default-router 10.1.110.254
!
ip dhcp pool OFFICE
network 10.1.120.0 255.255.255.0
default-router 10.1.120.254
!
!
ipv6 unicast-routing
!
ipv6 dhcp pool DHCPv6OFFICE
address prefix 2001:DB8:CAFE:120:ABCD::/80
domain-name tshoot.net
!
ipv6 dhcp pool DHCPv6VOICE
address prefix 2001:DB8:CAFE:200:ABCD::/80
domain-name tshoot.net
!
ipv6 dhcp pool DHCPv6GUEST
address prefix 2001:DB8:CAFE:110:ABCD::/80
domain-name tshoot.net
!
!
!
key chain morphism
key 3
key-string finite
accept-lifetime 00:00:00 Jun 1 2014 00:00:00 Sep 12 2015
send-lifetime 00:00:00 Jun 1 2014 00:00:00 Aug 12 2015
key 4
key-string smooth
accept-lifetime 00:00:00 Aug 12 2015 00:00:00 Dec 12 2016
send-lifetime 00:00:00 Sep 12 2015 00:00:00 Nov 12 2016
key 5
key-string flat
accept-lifetime 00:00:00 Nov 12 2016 00:00:00 Mar 12 2017
send-lifetime 00:00:00 Dec 12 2016 00:00:00 Feb 12 2017
!
!
!
errdisable recovery cause bpduguard
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 99,110,120 priority 28672
spanning-tree vlan 100,200 priority 24576
!
!
vlan 99
name MANAGEMENT
!
vlan 100
name SERVERS
!
vlan 110
name GUEST
!
vlan 120
name OFFICE
!
vlan 200
name VOICE
!
vlan 666
name NATIVE
!
vlan 999
name PARKING_LOT
!
ip telnet source-interface Vlan99
ip ssh source-interface Vlan99
ip ssh dh min size 2048
!
!
interface Port-channel2
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
no shutdown
!
interface Port-channel10
description Channel to DLS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
switchport mode trunk
switchport nonegotiate
no shutdown
!
interface FastEthernet0/1
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 2 mode on
no shutdown
!
interface FastEthernet0/2
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 2 mode on
no shutdown
!
interface FastEthernet0/3
description Channel to DLS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 10 mode on
no shutdown
!
interface FastEthernet0/4
description Channel to DLS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 10 mode on
no shutdown
!
interface FastEthernet0/5
description FE to R3
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
spanning-tree bpduguard enable
no shutdown
!
interface FastEthernet0/6
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/7
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/8
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/9
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/10
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/11
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/12
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/13
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/14
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/15
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/16
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/17
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/18
description FE to PC-C
switchport access vlan 110
switchport mode access
switchport nonegotiate
spanning-tree portfast
no shutdown
!
interface FastEthernet0/19
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/20
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/21
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/22
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/23
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/24
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/1
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/2
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan99
ip address 10.1.99.253 255.255.255.0
no ip proxy-arp
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 morphism
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:99::D2/64
ipv6 eigrp 1
ipv6 authentication mode eigrp 1 md5
ipv6 authentication key-chain eigrp 1 morphism
!
interface Vlan100
ip address 10.1.100.253 255.255.255.0
no ip proxy-arp
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 morphism
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:100::D2/64
ipv6 nd prefix 2001:DB8:CAFE:100::/64 no-autoconfig
ipv6 nd managed-config-flag
ipv6 eigrp 1
ipv6 authentication mode eigrp 1 md5
ipv6 authentication key-chain eigrp 1 morphism
!
interface Vlan110
ip address 10.1.110.253 255.255.255.0
no ip proxy-arp
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 morphism
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:110::D2/64
ipv6 nd prefix 2001:DB8:CAFE:110::/64 no-autoconfig
ipv6 nd managed-config-flag
ipv6 eigrp 1
ipv6 authentication mode eigrp 1 md5
ipv6 authentication key-chain eigrp 1 morphism
ipv6 dhcp server DHCPv6GUEST
!
interface Vlan120
ip address 10.1.120.253 255.255.255.0
no ip proxy-arp
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 morphism
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:120::D2/64
ipv6 nd prefix 2001:DB8:CAFE:120::/64 no-autoconfig
ipv6 nd managed-config-flag
ipv6 eigrp 1
ipv6 authentication mode eigrp 1 md5
ipv6 authentication key-chain eigrp 1 morphism
ipv6 dhcp server DHCPv6OFFICE
!
interface Vlan200
ip address 10.1.200.253 255.255.255.0
no ip proxy-arp
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 morphism
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:200::D2/64
ipv6 nd prefix 2001:DB8:CAFE:200::/64 no-autoconfig
ipv6 nd managed-config-flag
ipv6 eigrp 1
ipv6 authentication mode eigrp 1 md5
ipv6 authentication key-chain eigrp 1 morphism
ipv6 dhcp server DHCPv6VOICE
!
!
router eigrp 1
network 10.1.0.0 0.0.255.255
passive-interface default
no passive-interface Vlan99
no passive-interface Vlan100
no passive-interface Vlan110
no passive-interface Vlan120
no passive-interface Vlan200
!
no ip http server
no ip http secure-server
!
!
logging source-interface Vlan99
logging host 10.1.100.5
ipv6 router eigrp 1
eigrp router-id 2.2.2.2
!
!
snmp-server community cisco RO
snmp-server community san-fran RW
snmp-server trap-source Vlan99
snmp-server location TSHOOT Lab Facility
snmp-server contact support@tshoot.net
snmp-server enable traps eigrp
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps port-security
snmp-server enable traps config
snmp-server enable traps hsrp
snmp-server enable traps vlan-membership
snmp-server enable traps errdisable
snmp-server host 10.1.100.5 version 2c cisco
!
!
banner motd ^*** Second BASE DLS2 Config ***^
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication CONSOLE
line vty 0 4
exec-timeout 0 0
logging synchronous
transport input telnet ssh
!
ntp source Vlan99
ntp server 10.1.202.1
!
crypto key gen rsa general-keys modulus 1024
!
archive
log config
logging enable
logging size 50
notify syslog contenttype plaintext
hidekeys
path tftp://10.1.100.5/$h-archive-config
write-memory
file prompt quiet
!
end
!
Router R1 Second-BASE-R1-Cfg.txt
!Second BASE R1 Config
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
logging buffered 16384
enable secret cisco
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec default local
!
!
clock timezone PST -8
clock summer-time PDT recurring
do clock set 09:05:00 Oct 29 2014
!
!
no ip domain lookup
ip domain name tshoot.net
ip cef
ipv6 unicast-routing
ipv6 cef
!
key chain manifold
key 0
key-string Riemannian
accept-lifetime 00:00:00 Jun 1 2014 00:00:00 Sep 12 2015
send-lifetime 00:00:00 Jun 1 2014 00:00:00 Aug 12 2015
key 1
key-string symplectic
accept-lifetime 00:00:00 Aug 12 2015 00:00:00 Dec 12 2016
send-lifetime 00:00:00 Sep 12 2015 00:00:00 Nov 12 2016
key 2
key-string lie-group
accept-lifetime 00:00:00 Nov 12 2016 00:00:00 Mar 12 2017
send-lifetime 00:00:00 Dec 12 2016 00:00:00 Feb 12 2017
!
key chain morphism
key 3
key-string finite
accept-lifetime 00:00:00 Jun 1 2014 00:00:00 Sep 12 2015
send-lifetime 00:00:00 Jun 1 2014 00:00:00 Aug 12 2015
key 4
key-string smooth
accept-lifetime 00:00:00 Aug 12 2015 00:00:00 Dec 12 2016
send-lifetime 00:00:00 Sep 12 2015 00:00:00 Nov 12 2016
key 5
key-string flat
accept-lifetime 00:00:00 Nov 12 2016 00:00:00 Mar 12 2017
send-lifetime 00:00:00 Dec 12 2016 00:00:00 Feb 12 2017
!
username cisco secret cisco
!
!
ip telnet source-interface Loopback0
ip ssh source-interface Loopback0
ip ssh dh min size 2048
!
!
interface Loopback0
ip address 10.1.201.1 255.255.255.255
ipv6 address FE80::1 link-local
ipv6 address 2001:DB8:CAFE:201::1/64
!
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1
description FE to DLS1
no ip address
ip flow ingress
duplex full
speed 100
no shutdown
!
interface GigabitEthernet0/1.99
encapsulation dot1Q 99
ip address 10.1.99.1 255.255.255.0
glbp 99 ip 10.1.99.254
glbp 99 priority 110
glbp 99 preempt
glbp 99 authentication md5 key-chain morphism
glbp 499 ipv6 autoconfig
glbp 499 priority 110
glbp 499 preempt
glbp 499 authentication md5 key-chain morphism
ipv6 address FE80::1 link-local
ipv6 address 2001:DB8:CAFE:99::1/64
!
interface GigabitEthernet0/1.100
encapsulation dot1Q 100
ip address 10.1.100.1 255.255.255.0
glbp 100 ip 10.1.100.254
glbp 100 preempt
glbp 100 authentication md5 key-chain morphism
glbp 500 ipv6 autoconfig
glbp 500 preempt
glbp 500 authentication md5 key-chain morphism
ipv6 address FE80::1 link-local
ipv6 address 2001:DB8:CAFE:100::1/64
!
interface GigabitEthernet0/1.110
encapsulation dot1Q 110
ip address 10.1.110.1 255.255.255.0
glbp 110 ip 10.1.110.254
glbp 110 priority 110
glbp 110 preempt
glbp 110 authentication md5 key-chain morphism
glbp 510 ipv6 autoconfig
glbp 510 priority 110
glbp 510 preempt
glbp 510 authentication md5 key-chain morphism
ipv6 address FE80::1 link-local
ipv6 address 2001:DB8:CAFE:110::1/64
!
interface GigabitEthernet0/1.120
encapsulation dot1Q 120
ip address 10.1.120.1 255.255.255.0
glbp 120 ip 10.1.120.254
glbp 120 priority 110
glbp 120 preempt
glbp 120 authentication md5 key-chain morphism
glbp 520 ipv6 autoconfig
glbp 520 priority 110
glbp 520 preempt
glbp 520 authentication md5 key-chain morphism
ipv6 address FE80::1 link-local
ipv6 address 2001:DB8:CAFE:120::1/64
!
interface GigabitEthernet0/1.200
encapsulation dot1Q 200
ip address 10.1.200.1 255.255.255.0
glbp 200 ip 10.1.200.254
glbp 200 preempt
glbp 200 authentication md5 key-chain morphism
glbp 600 ipv6 autoconfig
glbp 600 preempt
glbp 600 authentication md5 key-chain morphism
ipv6 address FE80::1 link-local
ipv6 address 2001:DB8:CAFE:200::1/64
!
interface GigabitEthernet0/1.666
encapsulation dot1Q 666 native
!
interface Serial0/0/0
description WAN link to R2: 2 Mbps leased line
ip address 10.1.1.1 255.255.255.252
ip flow ingress
encapsulation ppp
ipv6 address FE80::1 link-local
ipv6 address 2001:DB8:CAFE:10::1/64
clock rate 2000000
no shutdown
!
interface Serial0/0/1
description WAN link to R3 (not used)
no ip address
shutdown
!
!
router eigrp HQ
!
address-family ipv4 unicast autonomous-system 1
!
af-interface GigabitEthernet0/0
passive-interface
exit-af-interface
!
af-interface Loopback0
passive-interface
exit-af-interface
!
af-interface GigabitEthernet0/1.99
authentication mode md5
authentication key-chain morphism
exit-af-interface
!
af-interface GigabitEthernet0/1.100
authentication mode md5
authentication key-chain morphism
exit-af-interface
!
af-interface GigabitEthernet0/1.110
authentication mode md5
authentication key-chain morphism
exit-af-interface
!
af-interface GigabitEthernet0/1.120
authentication mode md5
authentication key-chain morphism
exit-af-interface
!
af-interface GigabitEthernet0/1.200
authentication mode md5
authentication key-chain morphism
exit-af-interface
!
af-interface Serial0/0/0
authentication mode hmac-sha-256 scheme
authentication key-chain manifold
exit-af-interface
!
af-interface Serial0/0/1
authentication mode hmac-sha-256 scheme
authentication key-chain manifold
exit-af-interface
!
topology base
exit-af-topology
network 0.0.0.0
exit-address-family
!
address-family ipv6 unicast autonomous-system 1
!
af-interface GigabitEthernet0/1.99
authentication mode md5
authentication key-chain morphism
exit-af-interface
!
af-interface GigabitEthernet0/1.100
authentication mode md5
authentication key-chain morphism
exit-af-interface
!
af-interface GigabitEthernet0/1.110
authentication mode md5
authentication key-chain morphism
exit-af-interface
!
af-interface GigabitEthernet0/1.120
authentication mode md5
authentication key-chain morphism
exit-af-interface
!
af-interface GigabitEthernet0/1.200
authentication mode md5
authentication key-chain morphism
exit-af-interface
!
af-interface Serial0/0/0
authentication mode hmac-sha-256 scheme
authentication key-chain manifold
exit-af-interface
!
af-interface Serial0/0/1
authentication mode hmac-sha-256 scheme
authentication key-chain manifold
exit-af-interface
!
topology base
exit-af-topology
exit-address-family
!
ip forward-protocol nd
!
crypto key gen rsa general-keys modulus 1024
!
ip http server
ip http secure-server
ip flow-top-talkers
top 3
sort-by bytes
cache-timeout 600000
!
!
logging source-interface Loopback0
logging host 10.1.100.5
!
!
snmp-server community cisco RO
snmp-server community san-fran RW
snmp-server trap-source Loopback0
snmp-server location TSHOOT Lab Facility
snmp-server contact support@tshoot.net
snmp-server enable traps eigrp
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps config
snmp-server enable traps cpu threshold
snmp-server host 10.1.100.5 version 2c cisco
!
!
banner motd ^*** Experimental BASE R1 ***^
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication CONSOLE
!
line vty 0 4
exec-timeout 0 0
logging synchronous
transport input telnet ssh
!
ntp source Loopback0
ntp update-calendar
ntp server 10.1.202.1
!
!
archive
log config
logging enable
logging size 50
notify syslog contenttype plaintext
hidekeys
path tftp://10.1.100.5/$h-archive-config
write-memory
file prompt quiet
!
end
!
Router R2 Second-BASE-R2-Cfg.txt
!Experimental BASE R2 Config
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R2
!
logging buffered 16384
enable secret cisco
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec default local
!
!
clock timezone PST -8
clock summer-time PDT recurring
do clock set 09:05:00 Oct 29 2014
!
!
no ip domain lookup
ip domain name tshoot.net
ip cef
ipv6 unicast-routing
ipv6 cef
!
key chain manifold
key 0
key-string riemannian
accept-lifetime 00:00:00 Jun 1 2014 00:00:00 Sep 12 2015
send-lifetime 00:00:00 Jun 1 2014 00:00:00 Aug 12 2015
key 1
key-string symplectic
accept-lifetime 00:00:00 Aug 12 2015 00:00:00 Dec 12 2016
send-lifetime 00:00:00 Sep 12 2015 00:00:00 Nov 12 2016
key 2
key-string lie-group
accept-lifetime 00:00:00 Nov 12 2016 00:00:00 Mar 12 2017
send-lifetime 00:00:00 Dec 12 2016 00:00:00 Feb 12 2017
!
username cisco secret cisco
!
!
ip telnet source-interface Loopback0
ip ssh source-interface Loopback0
ip ssh dh min size 2048
!
!
interface Loopback0
ip address 10.1.202.1 255.255.255.255
ipv6 address FE80::2 link-local
ipv6 address 2001:DB8:CAFE:202::2/64
!
interface Loopback1
ip address 2.2.2.2 255.0.0.0
ipv6 address FE80::2 link-local
ipv6 address 2001:DB8:EFAC::2/48
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1
description optional connection for PC-C w/ static address
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0
description WAN link to R1: 2 Mbps leased line
ip address 10.1.1.2 255.255.255.252
ip flow ingress
encapsulation ppp
ipv6 address FE80::2 link-local
ipv6 address 2001:DB8:CAFE:10::2/64
no shutdown
!
interface Serial0/0/1
description WAN link to R3: 2 Mbps leased line
ip address 10.1.1.6 255.255.255.252
ip flow ingress
encapsulation ppp
ipv6 address FE80::2 link-local
ipv6 address 2001:DB8:CAFE:14::2/64
clock rate 2000000
no shutdown
!
!
router eigrp HQ
!
address-family ipv4 unicast autonomous-system 1
!
af-interface GigabitEthernet0/0
passive-interface
exit-af-interface
!
af-interface GigabitEthernet0/1
passive-interface
exit-af-interface
!
af-interface Loopback0
passive-interface
exit-af-interface
!
af-interface Loopback1
passive-interface
exit-af-interface
!
af-interface Serial0/0/0
authentication mode hmac-sha-256 scheme
authentication key-chain manifold
exit-af-interface
!
af-interface Serial0/0/1
authentication mode hmac-sha-256 scheme
authentication key-chain manifold
exit-af-interface
!
topology base
exit-af-topology
network 0.0.0.0
exit-address-family
!
address-family ipv6 unicast autonomous-system 1
!
af-interface Serial0/0/0
authentication mode hmac-sha-256 scheme
authentication key-chain manifold
exit-af-interface
!
af-interface Serial0/0/1
authentication mode hmac-sha-256 scheme
authentication key-chain manifold
exit-af-interface
!
topology base
exit-af-topology
exit-address-family
!
ip forward-protocol nd
!
crypto key gen rsa general-keys modulus 1024
!
ip http server
ip http secure-server
ip flow-top-talkers
top 3
sort-by bytes
cache-timeout 600000
!
!
logging source-interface Loopback0
!
!
snmp-server community cisco RO
snmp-server community san-fran RW
snmp-server trap-source Loopback0
snmp-server location TSHOOT Lab Facility
snmp-server contact support@tshoot.net
snmp-server enable traps eigrp
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps config
snmp-server enable traps cpu threshold
snmp-server host 10.1.100.5 version 2c cisco
!
!
banner motd ^*** Experimental BASE R2 Config ***^
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication CONSOLE
!
line vty 0 4
exec-timeout 0 0
logging synchronous
transport input telnet ssh
!
ntp master 3
!
!
archive
log config
logging size 50
notify syslog contenttype plaintext
hidekeys
path tftp://10.1.100.5/$h-archive-config
write-memory
file prompt quiet
!
end
!
Router R3 Second-BASE-R3-Cfg.txt
!Experimental BASE R3 Config
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R3
!
!
logging buffered 16384
enable secret cisco
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec default local
!
!
clock timezone PST -8
clock summer-time PDT recurring
do clock set 09:05:00 Oct 29 2014
!
!
no ip domain lookup
ip domain name tshoot.net
ip cef
ipv6 unicast-routing
ipv6 cef
!
key chain manifold
key 0
key-string riemannian
accept-lifetime 00:00:00 Jun 1 2014 00:00:00 Sep 12 2015
send-lifetime 00:00:00 Jun 1 2014 00:00:00 Aug 12 2015
key 1
key-string symplectic
accept-lifetime 00:00:00 Aug 12 2015 00:00:00 Dec 12 2016
send-lifetime 00:00:00 Sep 12 2015 00:00:00 Nov 12 2016
key 2
key-string lie-group
accept-lifetime 00:00:00 Nov 12 2016 00:00:00 Mar 12 2017
send-lifetime 00:00:00 Dec 12 2016 00:00:00 Feb 12 2017
!
key chain morphism
key 3
key-string finite
accept-lifetime 00:00:00 Jun 1 2014 00:00:00 Sep 12 2015
send-lifetime 00:00:00 Jun 1 2014 00:00:00 Aug 12 2015
key 4
key-string smooth
accept-lifetime 00:00:00 Aug 12 2015 00:00:00 Dec 12 2016
send-lifetime 00:00:00 Sep 12 2015 00:00:00 Nov 12 2016
key 5
key-string flat
accept-lifetime 00:00:00 Nov 12 2016 00:00:00 Mar 12 2017
send-lifetime 00:00:00 Dec 12 2016 00:00:00 Feb 12 2017
!
username cisco secret cisco
!
!
ip telnet source-interface Loopback0
ip ssh source-interface Loopback0
ip ssh dh min size 2048
!
!
interface Loopback0
ip address 10.1.203.1 255.255.255.255
ipv6 address FE80::3 link-local
ipv6 address 2001:DB8:CAFE:203::3/64
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1
description FE to DLS2
no ip address
ip flow ingress
duplex full
speed 100
no shutdown
!
interface GigabitEthernet0/1.99
encapsulation dot1Q 99
ip address 10.1.99.3 255.255.255.0
glbp 99 ip 10.1.99.254
glbp 99 preempt
glbp 99 authentication md5 key-chain morphism
glbp 499 ipv6 autoconfig
glbp 499 preempt
glbp 499 authentication md5 key-chain morphism
ipv6 address FE80::3 link-local
ipv6 address 2001:DB8:CAFE:99::3/64
!
interface GigabitEthernet0/1.100
encapsulation dot1Q 100
ip address 10.1.100.3 255.255.255.0
glbp 100 ip 10.1.100.254
glbp 100 priority 110
glbp 100 preempt
glbp 100 authentication md5 key-chain morphism
glbp 500 ipv6 autoconfig
glbp 500 priority 110
glbp 500 preempt
glbp 500 authentication md5 key-chain morphism
ipv6 address FE80::3 link-local
ipv6 address 2001:DB8:CAFE:100::3/64
!
interface GigabitEthernet0/1.110
encapsulation dot1Q 110
ip address 10.1.110.3 255.255.255.0
glbp 110 ip 10.1.110.254
glbp 110 preempt
glbp 110 authentication md5 key-chain morphism
glbp 510 ipv6 autoconfig
glbp 510 preempt
glbp 510 authentication md5 key-chain morphism
ipv6 address FE80::3 link-local
ipv6 address 2001:DB8:CAFE:110::3/64
!
interface GigabitEthernet0/1.120
encapsulation dot1Q 120
ip address 10.1.120.3 255.255.255.0
glbp 120 ip 10.1.120.254
glbp 120 preempt
glbp 120 authentication md5 key-chain morphism
glbp 520 ipv6 autoconfig
glbp 520 preempt
glbp 520 authentication md5 key-chain morphism
ipv6 address FE80::3 link-local
ipv6 address 2001:DB8:CAFE:120::3/64
!
interface GigabitEthernet0/1.200
encapsulation dot1Q 200
ip address 10.1.200.3 255.255.255.0
glbp 200 ip 10.1.200.254
glbp 200 priority 110
glbp 200 preempt
glbp 200 authentication md5 key-chain morphism
glbp 600 ipv6 autoconfig
glbp 600 priority 110
glbp 600 preempt
glbp 600 authentication md5 key-chain morphism
ipv6 address FE80::3 link-local
ipv6 address 2001:DB8:CAFE:200::3/64
!
interface GigabitEthernet0/1.666
encapsulation dot1Q 666 native
!
interface Serial0/0/0
description WAN link to R1 - (Not used)
no ip address
encapsulation ppp
shutdown
clock rate 2000000
!
interface Serial0/0/1
description WAN link to R2: 2 Mbps leased line
ip address 10.1.1.5 255.255.255.252
ip flow ingress
encapsulation ppp
ipv6 address FE80::3 link-local
ipv6 address 2001:DB8:CAFE:14::3/64
no shutdown
!
!
router eigrp HQ
!
address-family ipv4 unicast autonomous-system 1
!
af-interface GigabitEthernet0/0
passive-interface
exit-af-interface
!
af-interface Loopback0
passive-interface
exit-af-interface
!
af-interface GigabitEthernet0/1.99
authentication mode md5
authentication key-chain morphism
exit-af-interface
!
af-interface GigabitEthernet0/1.100
authentication mode md5
authentication key-chain morphism
exit-af-interface
!
af-interface GigabitEthernet0/1.110
authentication mode md5
authentication key-chain morphism
exit-af-interface
!
af-interface GigabitEthernet0/1.120
authentication mode md5
authentication key-chain morphism
exit-af-interface
!
af-interface GigabitEthernet0/1.200
authentication mode md5
authentication key-chain morphism
exit-af-interface
!
af-interface Serial0/0/0
authentication mode hmac-sha-256 scheme
authentication key-chain manifold
exit-af-interface
!
af-interface Serial0/0/1
authentication mode hmac-sha-256 scheme
authentication key-chain manifold
exit-af-interface
!
topology base
exit-af-topology
network 0.0.0.0
exit-address-family
!
address-family ipv6 unicast autonomous-system 1
!
af-interface GigabitEthernet0/1.99
authentication mode md5
authentication key-chain morphism
exit-af-interface
!
af-interface GigabitEthernet0/1.100
authentication mode md5
authentication key-chain morphism
exit-af-interface
!
af-interface GigabitEthernet0/1.110
authentication mode md5
authentication key-chain morphism
exit-af-interface
!
af-interface GigabitEthernet0/1.120
authentication mode md5
authentication key-chain morphism
exit-af-interface
!
af-interface GigabitEthernet0/1.200
authentication mode md5
authentication key-chain morphism
exit-af-interface
!
af-interface Serial0/0/0
authentication mode hmac-sha-256 scheme
authentication key-chain manifold
exit-af-interface
!
af-interface Serial0/0/1
authentication mode hmac-sha-256 scheme
authentication key-chain manifold
exit-af-interface
!
topology base
exit-af-topology
exit-address-family
!
ip forward-protocol nd
!
!
crypto key gen rsa general-keys modulus 1024
!
ip http server
ip http secure-server
ip flow-top-talkers
top 3
sort-by bytes
cache-timeout 600000
!
!
logging source-interface Loopback0
logging host 10.1.100.5
!
!
snmp-server community cisco RO
snmp-server community san-fran RW
snmp-server trap-source Loopback0
snmp-server location TSHOOT Lab Facility
snmp-server contact support@tshoot.net
snmp-server enable traps eigrp
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps config
snmp-server enable traps cpu threshold
snmp-server host 10.1.100.5 version 2c cisco
!
!
banner motd ^*** Experimental BASE R3 Config ***^
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication CONSOLE
!
line vty 0 4
exec-timeout 0 0
logging synchronous
transport input telnet ssh
!
ntp source Loopback0
ntp update-calendar
ntp server 10.1.202.1
!
archive
log config
logging enable
logging size 50
notify syslog contenttype plaintext
hidekeys
path tftp://10.1.100.5/$h-archive-config
write-memory
file prompt quiet
!
end
!
Chapter 6: Troubleshooting Case Study: SECHNIK Networking


Lab 6-1 IP Days
Instructor Version
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.
Physical Topology
Logical Topology (First Baseline)


Objectives
• Load the device configuration files for each trouble ticket.
• Diagnose and resolve problems related to IP addressing and NAT.
• Diagnose and resolve problems related to IP addressing and DHCP.
• Document the troubleshooting progress, configuration changes, and problem resolution.

Background
Network Address Translation (NAT) is routinely employed in small and large networks. NAT preserves the
public IPv4 address space and can provide a measure of security by using private addresses internally.
Network layer connectivity issues associated with NAT can include address pool definition, pool depletion,
address configuration, interface boundaries, and the type of NAT employed: static, dynamic, or Port Address
Translation (PAT).
DHCP is the most common method of assigning IP addressing information to end-user clients. Network layer
connectivity issues associated with DHCP include address pool definition, pool depletion, address and default
gateway configuration, and server accessibility. In this lab, you will troubleshoot various problems related to
NAT and DHCP.
For each task or trouble ticket, the trouble scenario and problem symptom are described. While
troubleshooting, you will discover the cause of the problem, correct it, and then document the process and
results.

NAT and DHCP Configuration


Your company has decided not to implement a hosted services data center because of cost considerations.
Because you will not be advertising a hosted services network, it was decided to discontinue the use of
Border Gateway Protocol (BGP) in favor of a simple default static configuration.
Phase 1 (TT-A and TT-B): Dynamic NAT will be used for internal IPv4 users accessing the Internet. Static
NAT will give teleworkers IPv4 access to some of the key internal servers. Your Internet service provider
(ISP) has assigned a block of public addresses using prefix 198.133.219.0/27. These addresses will be used
for dynamic NAT with the internal 10.1.0.0/16 network, as well as static NAT to specific servers. Server SRV1
will act as a test server that provides access to an internal web-based application for remote workers. Router
R1 will have a default route to the ISP (R2) and will redistribute that route into Enhanced Interior Gateway
Routing Protocol (EIGRP). The ISP will use an IPv4 static route to the NAT public address pool on R1 and an
IPv6 static route to the 2001:DB8:CAFE::/48 network.
Phase 2 (TT-C): A second DHCP server will be added in TT-C to support the branch office router R3 LAN.
Switch DLS2 will be configured to provide DHCP addresses to the R3 LAN clients. The following diagram
provides information on the NAT (Phase 1) and DHCP (Phase 2) implementation.
Instructor note: Public address blocks 198.133.219.0/24 and 209.165.200.224/27 belong to Cisco Systems,
Inc.
Physical and Logical Topology Diagrams


The physical and logical topologies for the BASE Lab (First Baseline), with EIGRP, are provided to assist the
troubleshooting effort.
Note: This lab uses Cisco ISR G2 routers running Cisco IOS 15.4(3) images with IP Base and Security
packages enabled, and Cisco Catalyst 3560 and 2960 switches running Cisco IOS 15.0(2) IP Services and
LAN Base images, respectively. The 3560 and 2960 switches are configured with the SDM templates
dual-ipv4-and-ipv6 routing and lanbase-routing, respectively. Depending on the router or switch model and
Cisco IOS Software version, the commands available and output produced might vary from what is shown in
this lab.
Note: Any changes made to the BASE Lab configurations or topology (other than errors introduced) are noted
in the trouble ticket so that you are aware of them prior to beginning the troubleshooting process.
Instructor Notes:
• The lab topology should be pre-built prior to the students starting the lab. Ensure that all switches and
routers (ALS1, DLS1, DLS2, R1, R2, and R3) have the course lab configuration files installed in flash
memory. These can be downloaded from NetSpace. The device configurations for all devices are
included at the end of this lab, either directly or by reference to the first trouble ticket, TT-A. The
configuration file for ALS1 can be copied into a text file using the naming convention
Labxy-ALS1-TT-z-Cfg.txt where x is the chapter number, y is the lab number within the chapter, and z is the
uppercase letter indicating the particular trouble ticket in the lab; similarly for DLS1, DLS2, R1, R2, and
R3.
• The device configurations that contain trouble ticket errors and modifications from the BASE Lab (at
the end of Lab 3-1) are included at the end of the lab, and the errors in them are identified.
• All device configurations are provided for TT-A, including those that are the same as the BASE Lab,
as introduced in Lab 3-1. The configurations provided here are not running-config outputs, but rather
sequences of commands that generate running-config files.
• Device configurations can be used by instructors for cut-and-paste for TT-A and subsequent tickets—
use a terminal emulator line delay of at least 100 ms if pasting configurations directly into global
configuration mode on a device. Some systems may actually require 200 ms.
• Where a configuration is noted as being the same as a previous one, the only change is in the
MOTD, which identifies the Lab and TT.
• Each device should have a directory named “tshoot” in flash. This directory should contain the
baseline configuration file for that device as well as configuration files for all labs in this course.
• Instructors can use a TFTP server, a USB drive, or a flash memory card as source, and use the copy
or archive tar command to copy all course configuration files into the flash:/tshoot directory for
each device in the topology.
• For this lab and subsequent labs, the student is responsible for loading the baseline or trouble ticket
configurations using the procedure described in the BASE Lab.
• Set the correct time on R2, which serves as the primary NTP server for the lab network. These labs
use Pacific Time Zone, but each site should use their own time zone.
• If time is an issue, each task (trouble ticket) can be performed independently.

Required Resources
• 3 routers (Cisco IOS Release 15.4 or comparable)
• 2 multilayer switches and 1 access layer switch (Cisco IOS Release 15.0(2) or comparable with Fast
Ethernet interfaces)
• SRV1 (PC with static IP address): Windows 7 with RADIUS, TFTP, and syslog servers, plus an SSH
client, SNMP monitor, and Wireshark software
• PC-B (DHCP client): Windows 7 with SSH client and Wireshark software
• PC-C (DHCP client): Windows 7 with SSH client and Wireshark software
• Serial and Ethernet cables, as shown in the topology
Instructor Notes:
• This lab is divided into multiple tasks. Each task is associated with a trouble ticket (TT) and
introduces one or more errors on one or more devices.
• Students can work individually or as a team. The problems introduced in this lab relate to NAT and
DHCP.
• Suggested actions and results presented during the troubleshooting process for each TT can be
shared with the students during debrief, or copies of the instructor version of the lab can be made
available to the students to assist them in verifying their work.
314 CCNP TSHOOT Lab Manual Version 7

Task 1: Trouble Ticket Lab 6-1 TT-A


Instructor note: This trouble ticket involves device R1 and issues related to the static and dynamic
NAT configuration between the edge router and ISP.

Step 1: Review trouble ticket Lab 6-1 TT-A.


Your colleague has configured NAT on the edge router (R1), and the external users (simulated by R2 Lo0)
can access the test server on the internal private network via IPv4. However, host PC-B on the internal
network cannot access the Internet via IPv4 (simulated by R2 Lo0). Your task is to diagnose the problem and
verify that NAT is properly configured. In addition to external users accessing SRV1, internal users must also
be able to access the Internet.

Step 2: Load the device trouble ticket configuration files for TT-A.
Using the procedure described in the BASE Lab, verify that the lab configuration files are present in flash.
Load the proper configuration files indicated in the Device Configuration File Table. The files are based on the
First Baseline.
Note: You can gain access to the router GUI management interface through a web browser—when
prompted, enter the username cisco and the enable password cisco.
Device Configuration File Table

Device Name  File to Load             Notes
ALS1         Lab61-ALS1-TT-A-Cfg.txt  This file contains configurations different than the first baseline
DLS1         Lab61-DLS1-TT-A-Cfg.txt  This file contains configurations different than the first baseline
DLS2         Lab61-DLS2-TT-A-Cfg.txt  This file contains configurations different than the first baseline
R1           Lab61-R1-TT-A-Cfg.txt    This file contains configuration errors
R2           Lab61-R2-TT-A-Cfg.txt    This file contains configurations different than the first baseline
R3           Lab61-R3-TT-A-Cfg.txt    This file contains configurations different than the first baseline
SRV1         N/A                      Static IP: 10.1.100.1 and 2001:DB8:CAFE:100::1
                                      Default gateway: 10.1.100.254/24 and 2001:DB8:CAFE:100::D1/64
PC-B         N/A                      DHCPv4 and DHCPv6
PC-C         N/A                      DHCPv4 and DHCPv6

Instructor note: The student loads the “broken” TT configuration files for all devices, although only the
configurations indicated in the Notes column have errors.

Step 3: Configure SRV1 and start the syslog and TFTP servers.

Step 4: Release and renew the DHCP leases.


a. Ensure that PC-B and PC-C are configured as DHCP clients.
b. After loading all TT-A device configuration files, issue the ipconfig /release and ipconfig
/renew commands on both PCs.
Note: This trouble ticket assumes that PC-C is in its standard location (connected to F0/18 on DLS2).

Step 5: Outline the troubleshooting approach and validation steps.


Use this space to identify your troubleshooting approach and the key steps to verify that the problem is resolved.
Troubleshooting approaches to select from include the follow-the-path, perform-comparison, bottom-up,
top-down, divide-and-conquer, shoot-from-the-hip, and swap-components (move-the-problem) methods.
Note: In addition to a specific approach, you can use the generic troubleshooting process: defining a problem,
gathering information, analyzing the information, eliminating possible problem causes, formulating a hypothesis
about the likely cause of the problem, testing that hypothesis, and solving the problem.
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
The divide-and-conquer or follow-the-path method can be used. Other problem-solving methods are the
bottom-up, top-down, perform-comparison, shoot-from-the-hip, and swap-components approaches.
Verification steps can include:
• The R1 routing table shows a default route to the ISP and advertises it into EIGRP.
• Dynamic NAT allows office LAN client PC-B to access the Internet via the ISP (simulated by Lo0 on
R2).
• Static NAT allows remote users on R2 (simulated by Lo0) to access the SRV1 server on the internal
private network.

Step 6: Record the troubleshooting process and configuration changes.


Use this log to document your actions and results during the troubleshooting process. List the commands you
used to gather information. As you progress, record your thoughts as to what you think the problem might be and
which actions you take to correct the problem.

Device Actions and Results



Instructor Note: NAT is used with IPv4. There is full IPv6 connectivity in this network. Arguably one of the big
advantages of IPv6 is that network engineers do not have to use NAT anymore! NAT makes troubleshooting
any issue significantly more complicated, because one has to always take into account the order of
operations of NAT relative to other technologies affecting IPv4 packets on their journey. Also, with IPv6,
configuration complexity is greatly reduced by avoiding NAT.
The responses will vary but could include:
• Pings from the external user (R2 Lo0 address 192.168.2.1) to the SRV1 static NAT address
198.133.219.1 succeed.
• Pings from R1 to the Internet (R2 Lo0 address 192.168.2.1) sourced by R1 G0/1 (10.1.2.2) fail.
• Pings from PC-B to the Internet (R2 Lo0 address 192.168.2.1) fail. R1 reports that “Destination host is
unreachable.”
• Pings from PC-B to its (virtual) default gateway on VLAN 120 (10.1.120.254) succeed.

TT-A Issue
The dynamic NAT statement on R1 does not specify that it applies to inside addresses. As a result, no
translation of the internal 10.1.0.0/16 addresses takes place.
• The show ip route command on R1 indicates that the default route to the ISP (R2) is present. The
show ip route command on DLS1 confirms that the default route has been received (D*EX
0.0.0.0/0 to R1 10.1.2.2).
• After test pings from R2 S0/0/0 to the SRV1 static address, the show ip nat translations
command on R1 indicates an entry for the translation.
Pro  Inside global        Inside local       Outside local        Outside global
icmp 198.133.219.1:5      10.1.100.1:5       209.165.200.226:5    209.165.200.226:5
• After test pings from PC-B (10.1.10.1) to R2 Lo0 (192.168.2.1), the show ip nat translations
command indicates that there are no dynamic translations. The debug ip nat command issued on
R1 shows no activity.
• The ping 198.133.219.1 source lo0 repeat 100 command (SRV1 public address) is
issued on R2. Back on R1, the debug output shows that static NAT is occurring normally.
Nov 18 18:15:03.798: NAT*: s=192.168.2.1, d=198.133.219.1->10.1.100.1 [1183]
Nov 18 18:15:03.802: NAT*: s=10.1.100.1->198.133.219.1, d=192.168.2.1 [3151]
• The debug ip icmp command is issued on R2, and the ping from PC-B to R2 Lo0 shows echo
replies being sent to destination 10.1.10.1 (PC-B). This confirms that there is no NAT occurring. R2
does not have a route to the 10.1.0.0/16 network.
• The show run | include ip nat command on R1 indicates that the NAT pool is defined, but
the ip nat source statement does not specify that the addresses to be translated are inside.
Action: Add the inside keyword to the configuration. See TT-A debrief for more information.
Verification:
• Pings from an external user (R2 Lo0 address 192.168.2.1) to the SRV1 static NAT address
198.133.219.1 succeed.
• Pings from PC-B to the Internet (R2 Lo0 address 192.168.2.1) succeed.
• The show ip nat translations command on R1 indicates that translations are occurring from
NTP requests (port 123) to R2 from internal devices such as DLS1 and others. These are being
translated dynamically.
Pro  Inside global          Inside local       Outside local      Outside global
udp  198.133.219.9:123      10.1.99.251:123    192.168.2.1:123    192.168.2.1:123

Step 7: Document trouble ticket debrief notes.


Use this space to make notes of the key learning points that you picked up during the discussion of this trouble
ticket with your instructor. The notes can include problems encountered, solutions applied, and useful commands
employed. It can also include alternate solutions, methods, and procedures and communication improvements.
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
Trouble Ticket TT-A debrief—Instructor Notes
The problem in this trouble ticket is that the dynamic NAT statement on R1—ip nat inside source
list 1 pool public-addrs—did not include the keyword inside. The ip nat source command is
actually used in an alternate way of configuring NAT without specifying inside and outside domains. However,
it is not used appropriately in this case, and as a result, no dynamic translation of the inside private addresses
(10.1.0.0/16) to the public pool of addresses (198.133.219.0/27) takes place. Query “Cisco NAT Virtual
Interface” on a search engine for further information regarding the ip nat source command.
When ip nat source list 1 pool public-addrs is entered, it is accepted without the inside
keyword. Omitting the inside keyword for dynamic NAT translation does not affect static NAT translation.
This is why the external user (R2 Lo0) can still access the internal server SRV1 on VLAN 100. The internal
address of SRV1 is 10.1.100.1, and the public static address is 198.133.219.1.
To correct the problem, use the following commands on router R1:
no ip nat source list 1 pool public-addrs
ip nat inside source list 1 pool public-addrs

Optional IPv6 Troubleshooting:


Not applicable! IPv6 is NAT-free!

Task 2: Trouble Ticket Lab 6-1 TT-B


Instructor note: This trouble ticket involves device R1 and issues related to the dynamic NAT pool and number
of addresses available.

Step 1: Review trouble ticket Lab 6-1 TT-B.


The NAT configuration has been corrected, and dynamic NAT is now functioning between internal hosts and
the ISP. However, some users have called the help desk stating that Internet access is inconsistent.
Sometimes it works, and other times it does not. Your task is to diagnose the problem and correct it. At a
minimum, propose a possible solution to the problem so that internal users can consistently access the
Internet.

Step 2: Load the device trouble ticket configuration files for TT-B.
Using the procedure described in the BASE Lab, verify that the lab configuration files are present in flash.
Load the proper configuration files indicated in the Device Configuration File Table. The files are based on the
First Baseline.
Device Configuration File Table

Device Name   File to Load              Notes
ALS1          Lab61-ALS1-TT-B-Cfg.txt   This file contains configurations different than the baseline
DLS1          Lab61-DLS1-TT-B-Cfg.txt   This file contains configurations different than the baseline
DLS2          Lab61-DLS2-TT-B-Cfg.txt   This file contains configurations different than the baseline
R1            Lab61-R1-TT-B-Cfg.txt     This file contains configuration errors.
R2            Lab61-R2-TT-B-Cfg.txt     This file contains configurations different than the baseline
R3            Lab61-R3-TT-B-Cfg.txt     This file contains configurations different than the baseline
SRV1          N/A                       Static IP: 10.1.100.1 and 2001:DB8:CAFE:100::1
                                        Default gateway: 10.1.100.254/24 and 2001:DB8:CAFE:100::D1/64
PC-B          N/A                       DHCPv4 and DHCPv6
PC-C          N/A                       DHCPv4 and DHCPv6

Instructor note: The student loads the “broken” TT configuration files for all devices, even though only the
configurations indicated in the Notes column contain errors.

Step 3: Configure SRV1 and start the syslog and TFTP servers.

Step 4: Release and renew the DHCP leases.


a. Ensure that PC-B and PC-C are configured as DHCP clients.
b. After loading all TT-A device configuration files, issue the ipconfig /release and ipconfig
/renew commands on both PCs.
Note: This trouble ticket assumes that PC-C is in its standard location (connected to F0/18 on DLS2).

Step 5: Outline the troubleshooting approach and validation steps.


Use this space to identify your troubleshooting approach and the key steps to verify that the problem is resolved.
Troubleshooting approaches to select from include the follow-the-path, perform-comparison, bottom-up, top-
down, divide-and-conquer, shoot-from-the-hip, and swap-components (move-the-problem) methods.
Note: In addition to a specific approach, you can use the generic troubleshooting process: defining a problem,
gathering information, analyzing the information, eliminating possible problem causes, formulating a hypothesis
about the likely cause of the problem, testing that hypothesis, and solving the problem.
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
The divide-and-conquer or follow-the-path method can be used. Other problem-solving methods are the
bottom-up, top-down, perform-comparison, shoot-from-the-hip, and swap-components approaches.
Verification steps can include:
• Dynamic NAT allows office LAN client PC-B consistent access to the Internet via the ISP (simulated
by Lo0 on R2).
• Static NAT allows remote users on R2 (simulated by Lo0) to access the SRV1 server on the internal
private network.

Step 6: Record the troubleshooting process and configuration changes.


Use this log to document your actions and results during the troubleshooting process. List the commands you
used to gather information. As you progress, record your thoughts as to what you think the problem might be and
which actions you take to correct the problem.

Device Actions and Results

Responses will vary but could include:


• Pings from an external user (R2 Lo0 address 192.168.2.1) to the SRV1 static NAT address
198.133.219.1 succeed.
• Pings from R1 to the Internet (R2 Lo0 address 192.168.2.1) sourced by R1 G0/1 (10.1.2.2) fail
occasionally.
• Pings from PC-B to the Internet (R2 Lo0 address 192.168.2.1) fail occasionally.
• Pings from PC-B to its default gateway VLAN 120 (10.1.120.254) on DLS1 succeed.

TT-B Issue
The dynamic NAT pool defined is very small and when all public addresses are taken, the next host that tries
to access the Internet fails.
• After test ping and Telnet attempts from PC-B to R2 Lo0 fail, the show ip nat translations
command on R1 indicates no entries for the translations. However, there are a number of other
entries from internal network devices accessing the R2 NTP server (port 123).
R1# show ip nat translations
Pro  Inside global          Inside local       Outside local      Outside global
---  198.133.219.13         10.1.2.2           ---                ---
udp  198.133.219.9:123      10.1.99.251:123    192.168.2.1:123    192.168.2.1:123
---  198.133.219.9          10.1.99.251        ---                ---
udp  198.133.219.11:123     10.1.99.252:123    10.1.202.1:123     10.1.202.1:123
---  198.133.219.11         10.1.99.252        ---                ---
udp  198.133.219.8:123      10.1.99.253:123    192.168.2.1:123    192.168.2.1:123
---  198.133.219.8          10.1.99.253        ---                ---
---  198.133.219.1          10.1.100.1         ---                ---
tcp  198.133.219.12:1191    10.1.110.1:1191    192.168.2.1:80     192.168.2.1:80
tcp  198.133.219.12:1192    10.1.110.1:1192    192.168.2.1:80     192.168.2.1:80
---  198.133.219.12         10.1.110.1         ---                ---
icmp 198.133.219.14:1       10.1.120.1:1       192.168.2.1:1      192.168.2.1:1
tcp  198.133.219.14:1033    10.1.120.1:1033    192.168.2.1:22     192.168.2.1:22
---  198.133.219.14         10.1.120.1         ---                ---
udp  198.133.219.10:123     10.1.203.1:123     192.168.2.1:123    192.168.2.1:123
---  198.133.219.10         10.1.203.1         ---                ---
• After test pings and Telnet attempts from PC-B to R2 Lo0 fail, the debug ip nat command on R1
indicates that translation was attempted but failed.
Oct 29 20:44:33.266: NAT: translation failed (A), dropping packet s=10.1.30.252 d=192.168.2.1
• The ping 198.133.219.1 source lo0 repeat 100 command is issued on R2. Returning to
R1 debug shows static NAT is occurring normally.
Oct 29 20:49:22.510: NAT*: s=192.168.2.1, d=198.133.219.1->10.1.100.1 [372]
Oct 29 20:49:22.514: NAT*: s=10.1.100.1->198.133.219.1, d=192.168.2.1 [733]
• Ping 192.168.2.1 (R2 Lo0) from PC-B. Debug shows no dynamic NAT is occurring.
• The debug ip icmp command entered on R1 and the ping from PC-B to R2 Lo0 shows host
unreachable messages sent back to 10.1.120.1 (PC-B) from R1. No NAT is occurring.
• After test pings and Telnet attempts from PC-B to R2 Lo0 fail, the show ip nat statistics
command on R1 indicates that the total number of addresses available in the address pool public-
addrs is only four. Four addresses have been allocated, which is 100% of the addresses available.
There are no more addresses to allocate. The pool shows multiple misses because clients are unable
to obtain a public address for translation.
pool public-addrs: netmask 255.255.255.248
start 198.133.219.3 end 198.133.219.6
type generic, total addresses 4, allocated 4 (100%), misses 12
• The clear ip nat translation * command removes all dynamic translations and leaves the
static translation to SRV1.
• A ping is issued from PC-B to the Internet (R2 Lo0 address 192.168.2.1). If the previous pings from
PC-B to the Internet failed, this one now succeeds.
Note: After clearing the dynamic translations, if a ping from PC-B is done quickly before the network
devices use up the addresses in the pool with NTP requests, a translation will be created for PC-B and
will remain in effect until it is aged out. While the translation is active, PC-B can continue to ping the
Internet.
• The show run | include ip nat (or show ip nat statistics) command on R1 indicates
that the total number of NAT addresses is only six (mask is 255.255.255.248 or /29 = 8 addresses
minus 2 = 6). The NAT pool public-addrs is assigned the starting address 198.133.219.3 and ending
address 198.133.219.6 for a total of only four potential dynamic addresses. Addresses 198.133.219.1
and 198.133.219.2 have been reserved for static assignment to servers.
Action:
Option 1: If the NAT address pool was defined incorrectly, change the address range and mask to include
the correct (larger) number of addresses.
Option 2: If the NAT address pool was defined correctly and is too small, obtain a larger address pool
from the ISP.
Option 3: Use the NAT overload feature, which maps IP addresses and port numbers, allowing a small
pool of addresses to be used for translation of many more devices. See TT-B debrief for more
information.
Verification:
• If a larger pool is defined or overload is used, pings from PC-B to the Internet (R2 Lo0 address
192.168.2.1) succeed.
• The show ip nat translations command indicates that translations from PC-B (or other
devices) resulting from ping, Telnet, SSH, or HTTP, are occurring as required.

Step 7: Document trouble ticket debrief notes.


Use this space to make notes of the key learning points that you picked up during the discussion of this trouble
ticket with your instructor. The notes can include problems encountered, solutions applied, useful commands
employed, alternate solutions and methods, and procedure and communication improvements.
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
Trouble Ticket TT-B Debrief—Instructor Notes
The problem in this trouble ticket is that the pool of public addresses available for dynamic translation is very
small. It is being consumed by network devices (DLS1, DLS2, R3, and so on) making Network Time Protocol
(NTP) requests of R2 (simulated ISP acting as the NTP server). When all public addresses are taken, the
next host that tries to ping, telnet, or browse the Internet fails. NAT debugging indicates that translation is
attempted but fails, and the packets are dropped.
Displaying NAT statistics shows that the total number of addresses available in the address pool public-
addrs is only four. When all four addresses have been allocated (100% of available), there are no more
addresses to allocate. Subsequent attempts to obtain a public address for translation result in multiple misses
being reported. If the dynamic translations are cleared, PC-B and other internal hosts can obtain an address
to access the Internet on a first-come, first-served basis, until the pool is depleted again.
A translation that is created remains in place until it is aged out. While the translation is active, the host or
network device is able to continue to access the Internet. Because network devices, such as switch DLS1,
continually request time updates from NTP server R2, the translation stays active and does not age out.
Note: Point out that the dynamic address depletion issue does not affect static translation for SRV1 because
a statically mapped public address is reserved for this server.
There are several possible solutions to the problem.
Option 1: The network administrator defined the NAT address pool incorrectly. If that is the case, you can
change the address range and mask to match the correct number of addresses assigned by the ISP.
Option 2: If the NAT address pool was defined correctly but is too small for the needs of the company, a
larger address pool can be obtained from the ISP (at some cost).
For options 1 and 2, you can correct the problem by issuing the following commands on router R1:
R1(config)#no ip nat inside source list 1 pool public-addrs
Dynamic mapping in use, do you want to delete all entries? [no]: yes
R1(config)#no ip nat pool public-addrs 198.133.219.3 198.133.219.6 netmask 255.255.255.248
R1(config)#ip nat pool public-addrs 198.133.219.5 198.133.219.30 netmask 255.255.255.224
R1(config)#ip nat inside source list 1 pool public-addrs

Note: These commands create a pool of 26 usable addresses and reserve the first four addresses for static
assignment to servers.
Option 3 (chosen): Use the NAT overload feature, which maps address and port number combinations and
allows a small pool of addresses to be used for translation of many more internal addresses. This solution
does not require purchasing additional addresses from the ISP.
For option 3, you can correct the problem by issuing the following commands on router R1:
R1(config)#no ip nat inside source list 1 pool public-addrs
Dynamic mapping in use, do you want to delete all entries? [no]: yes
R1(config)#ip nat inside source list 1 pool public-addrs overload

Note: Point out that changing NAT pools and other settings should be performed during a regular
maintenance window, if possible, to minimize disruption of service and impact on users.
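
The pool-depletion diagnosis in this debrief can be scripted against collected command output. The following is an added example, not part of the lab manual: it parses the show ip nat statistics and debug ip nat output quoted in this ticket, plus a translation table constructed to match the 198.133.219.3 to 198.133.219.6 pool range, and reports the pool state, which inside hosts hold pool addresses, and which flows were dropped. The function names and finding labels are assumptions of this example.

```python
import ipaddress
import re
from collections import defaultdict

# Pool section of "show ip nat statistics" on R1, as quoted in this ticket.
NAT_STATISTICS = """\
pool public-addrs: netmask 255.255.255.248
start 198.133.219.3 end 198.133.219.6
type generic, total addresses 4, allocated 4 (100%), misses 12
"""

# "debug ip nat" output on R1, as quoted in this ticket (line wrap kept).
NAT_DEBUG = """\
Oct 29 20:44:33.266: NAT: translation failed (A), dropping packet s=10.1.30.252
d=192.168.2.1
"""

# Constructed "show ip nat translations" sample (not lab output): three
# devices polling NTP and one web client hold all four pool addresses.
NAT_TRANSLATIONS = """\
Pro  Inside global          Inside local       Outside local      Outside global
udp  198.133.219.3:123      10.1.99.251:123    192.168.2.1:123    192.168.2.1:123
---  198.133.219.3          10.1.99.251        ---                ---
udp  198.133.219.4:123      10.1.99.252:123    192.168.2.1:123    192.168.2.1:123
---  198.133.219.4          10.1.99.252        ---                ---
udp  198.133.219.5:123      10.1.99.253:123    192.168.2.1:123    192.168.2.1:123
---  198.133.219.5          10.1.99.253        ---                ---
tcp  198.133.219.6:1191     10.1.110.1:1191    192.168.2.1:80     192.168.2.1:80
---  198.133.219.6          10.1.110.1         ---                ---
---  198.133.219.1          10.1.100.1         ---                ---
"""

POOL_RE = re.compile(
    r"pool (?P<name>\S+): netmask (?P<mask>\S+)\s+"
    r"start (?P<start>\S+) end (?P<end>\S+)\s+"
    r"type \w+, total addresses (?P<total>\d+), "
    r"allocated (?P<alloc>\d+) \(\d+%\), misses (?P<misses>\d+)"
)
DROP_RE = re.compile(
    r"NAT: translation failed \(\w\), dropping packet s=(\S+)\s+d=(\S+)"
)


def parse_pools(stats_text):
    """Return one dict per NAT pool found in 'show ip nat statistics'."""
    pools = []
    for m in POOL_RE.finditer(stats_text):
        start = ipaddress.IPv4Address(m["start"])
        subnet = ipaddress.IPv4Network(f"{start}/{m['mask']}", strict=False)
        pools.append({
            "name": m["name"],
            "start": start,
            "end": ipaddress.IPv4Address(m["end"]),
            "total": int(m["total"]),
            "allocated": int(m["alloc"]),
            "misses": int(m["misses"]),
            # Host addresses the pool's netmask would allow (8 - 2 = 6 for /29).
            "subnet_hosts": subnet.num_addresses - 2,
        })
    return pools


def pool_findings(pool):
    """Label the conditions that explain intermittent Internet access."""
    findings = []
    if pool["allocated"] >= pool["total"]:
        findings.append("exhausted")
    if pool["misses"] > 0:
        findings.append("misses")
    if pool["total"] < pool["subnet_hosts"]:
        findings.append("range-smaller-than-subnet")
    return findings


def pool_holders(translations_text, pool):
    """Map each inside host holding a pool address to the flows pinning it."""
    holders, flows = {}, defaultdict(set)
    for line in translations_text.splitlines():
        fields = line.split()
        if len(fields) != 5:          # skips the header and blank lines
            continue
        proto, inside_global, inside_local, outside_local = fields[:4]
        if proto == "---":            # simple entry: one address reserved
            addr = ipaddress.IPv4Address(inside_global)
            if pool["start"] <= addr <= pool["end"]:
                holders[inside_local] = inside_global
        else:                         # extended entry: record proto/dest port
            host = inside_local.rsplit(":", 1)[0]
            flows[host].add(f"{proto}/{outside_local.rsplit(':', 1)[1]}")
    return {h: {"global": g, "flows": sorted(flows[h])}
            for h, g in holders.items()}


def dropped_flows(debug_text):
    """Return (source, destination) pairs that NAT failed to translate."""
    return [(m[1], m[2]) for m in DROP_RE.finditer(debug_text)]


if __name__ == "__main__":
    for pool in parse_pools(NAT_STATISTICS):
        print(pool["name"], pool_findings(pool))
        for host, info in pool_holders(NAT_TRANSLATIONS, pool).items():
            print(f"  {host} holds {info['global']} via {info['flows']}")
    for src, dst in dropped_flows(NAT_DEBUG):
        print(f"dropped: {src} -> {dst}")
```

Hosts whose only flow is udp/123 are the NTP clients that keep their translations from aging out; the static SRV1 entry is ignored because 198.133.219.1 lies outside the pool range.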

Task 3: Trouble Ticket Lab 6-1 TT-C


Instructor note: This trouble ticket involves DLS2 and R3 issues related to the DHCP server address pool
definition, DHCP relay, and duplicate addressing.

Step 1: Review trouble ticket Lab 6-1 TT-C.


The company is expanding and opening a new branch office LAN that will be connected to router R3. It has
been decided that switch DLS2 will provide DHCP services to this remote office. The branch office is
represented by test host PC-C, which will be configured as a DHCP client. Your colleague says he has
configured DHCP on DLS2 with a corresponding subnet and DHCP pool. However, test client PC-C has not
been able to access server SRV1. The first address in the pool should be excluded because it is reserved for
the R3 default gateway G0/0.
Your task is to verify VLAN configuration and DHCP services and that PC-C can access internal server SRV1.

Step 2: Load the device trouble ticket configuration files for TT-C.
Using the procedure described in the BASE Lab, verify that the lab configuration files are present in flash. Load
the proper configuration files indicated in the Device Configuration File Table. The files are based on the First
Baseline.
Device Configuration File Table

Device Name   File to Load              Notes
ALS1          Lab61-ALS1-TT-C-Cfg.txt   This file contains configurations different than the baseline
DLS1          Lab61-DLS1-TT-C-Cfg.txt   This file contains configurations different than the baseline
DLS2          Lab61-DLS2-TT-C-Cfg.txt   This file contains configuration errors
R1            Lab61-R1-TT-C-Cfg.txt     This file contains configurations different than the baseline
R2            Lab61-R2-TT-C-Cfg.txt     This file contains configurations different than the baseline
R3            Lab61-R3-TT-C-Cfg.txt     This file contains configuration errors
SRV1          N/A                       Static IP: 10.1.100.1 and 2001:DB8:CAFE:100::1
                                        Default gateway: 10.1.100.254/24 and 2001:DB8:CAFE:100::D1/64
PC-B          N/A                       DHCPv4 and DHCPv6
PC-C          N/A                       DHCPv4 and DHCPv6

Step 3: Configure SRV1 and start the syslog and TFTP servers.

Step 4: Release and renew the DHCP lease on PC-C.


a. Ensure that PC-C is configured as a DHCP client.
b. Connect PC-C to R3.
c. After loading all TT-C device configuration files, issue the ipconfig /release and ipconfig
/renew commands on PC-C.

Step 5: Outline the troubleshooting approach and validation steps.


Use this space to identify your troubleshooting approach and the key steps to verify that the problem is resolved.
Troubleshooting approaches to select from include the follow-the-path, perform-comparison, bottom-up, top-
down, divide-and-conquer, shoot-from-the-hip, and swap-components (move-the-problem) methods.
Note: In addition to a specific approach, you can use the generic troubleshooting process: defining a problem,
gathering information, analyzing the information, eliminating possible problem causes, formulating a hypothesis
about the likely cause of the problem, testing that hypothesis, and solving the problem.
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
The follow-the-path or the divide-and-conquer method can be used. Other problem-solving methods are the
bottom-up, top-down, perform-comparison method, shoot-from-the-hip, and swap-components approaches.
Verification steps can include:
• PC-C receives an IP address from the DLS2 DHCP server on the 10.1.80.1/24 network.
• Pings from external PC-C to SRV1 (10.1.100.1) succeed.

Step 6: Record the troubleshooting process and configuration changes.


Use this log to document your actions and results during the troubleshooting process. List the commands you
used to gather information. As you progress, record your thoughts as to what you think the problem might be and
which actions you take to correct the problem.

Device Actions and Results



Instructor Note: The focus on this ticket is IPv4. But similar issues are introduced for IPv6. Time permitting,
students can also implement the fixes for DHCPv6.
Responses will vary but could include:
• Pings from external PC-C to SRV1 (10.1.100.1) fail.
• Pings from PC-C to its default gateway (R3 G0/0 10.1.80.1) fail.
• Pings from R3 to DLS2 F0/5 (10.1.2.13) succeed.

TT-C Issue 1
By default, router R3 does not forward DHCP (broadcast) requests from PC-C, and a helper address is not
configured on R3. As a result, PC-C cannot obtain its IP configuration from DHCP server DLS2.
• The show ip interface brief command on R3 indicates that interface G0/0 is UP/UP and is
configured with the correct IP address (10.1.80.1).
• The show ip route command on R3 indicates that network 10.1.80.0/24 is directly connected.
• The show ip protocols command on R3 indicates that network 10.1.80.0/24 is advertised under
EIGRP, as it should be.
• Interface G0/0 is configured as a passive interface in EIGRP, but this is not a problem because there
is no need to advertise this network to the branch office LAN.
• Pings from R3 to DLS2 F0/5 (10.1.2.13) succeed.
• A check of PC-C confirms that it is configured as a DHCP client, but it has a Windows “Autoconfigure”
address in the 169.254.0.0/16 range and has not received an IP address from a DHCP server.
• Issuing the ipconfig /release and ipconfig /renew commands at the PC-C command
prompt does not result in PC-C obtaining an IP address.
• The show ip dhcp bindings command on DLS2 indicates that no IP addresses are associated
with a client hardware (MAC) address.
• The show ip dhcp server statistics command on DLS2 indicates that no DHCPDISCOVER
or DHCPREQUEST messages have been received, and no DHCPOFFER messages have been
sent.
• The debug ip udp command on R3 indicates that UDP packets from the PC-C DHCP client
(source address 0.0.0.0 port 68) are being broadcast, looking for a DHCP server (destination address
255.255.255.255 port 67). These are being received by R3, but they are not being forwarded to the
DHCP server. There are no return packets from DLS2.
Oct 29 22:03:52:534: UDP: rcvd src=0.0.0.0(68), dst=255.255.255.255(67), length 308
• Routers do not forward DHCP broadcasts by default. The show ip interface G0/0 command on
R3 indicates that no helper address is configured to assist PC-C by directing broadcasts to DLS2.
Action: Configure a helper address on the R3 interface G0/0 that directs broadcasts to the DHCP server
DLS2 interface F0/5 (10.1.2.13). See the TT-C debrief for more information.
Verification:
• Issuing the ipconfig /release and ipconfig /renew commands at the PC-C command
prompt does not result in PC-C obtaining an IP address. There must be another problem.
• Pings from external PC-C to SRV1 (10.1.100.1) fail. There must be another problem.

TT-C Issue 2
DHCP server DLS2 is configured to assign IP addresses in the 10.80.1.0/24 network instead of the
10.1.80.0/24 network. This results in PC-C not obtaining an IP address from the DHCP server.
• Pings from R3 to DLS2 F0/5 (10.1.2.13) succeed.
• A check of PC-C confirms that it is configured as a DHCP client, but it has an Autoconfigure address
in the 169.254.0.0/16 range and has not received an IP address from a DHCP server.
• Issuing the ipconfig /release and ipconfig /renew commands at the PC-C command
prompt does not result in PC-C obtaining an IP address.
• The show ip dhcp pool command on DLS2 indicates that pool Branch3 is defined with 254 total
addresses, no leased addresses, and no excluded addresses.
• The debug ip dhcp server events command on DLS2 indicates that it is receiving
DHCPDISCOVER messages and is sending notification of these messages to the R3 gateway IP
address 10.1.80.1 (giaddr). The debug on DLS2 also reports that no address pool corresponds to the
R2 G0/0 IP address.
• The show run | beg dhcp pool command on DLS2 indicates that pool Branch3 is defined to
assign addresses from the 10.80.1.0/24 range, but the default router address configured is the R3
G0/0 address of 10.1.80.1. The address range for the pool is incorrect. Even if DLS2 were able to
assign PC-C an IP address from this pool, PC-C would not be able to communicate with its default
gateway because they are on different networks.
Action: Change the network statement command on DLS2 to reference the correct range of
10.1.80.0/24. See TT-C debrief for more information.
Verification:
• PC-C receives an IP address from the DLS2 DHCP server on the 10.1.80.0/24 network.
• Pings from external PC-C to SRV1 (10.1.100.1) succeed.
TT-C Issue 3
DHCP server DLS2 is configured with an excluded address range of 10.1.80.252 to 10.1.80.254. The trouble
ticket states that the default gateway on a subnet should be excluded (in this case, 10.1.80.1).
Note: This does not prevent PC-C from obtaining an IP address, but the address that it receives will be
the next one in the range (10.1.80.2). The lack of exclusion for the R3 G0/0 IP address results in a
duplicate address error being reported on DLS2.
Oct 29 22:50:08: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 10.1.80.1.

• The show ip dhcp conflict command on DLS2 indicates that the first IP address in the pool,
10.1.80.1, was already in use and was detected by ARP.
DLS2# show ip dhcp conflict
IP address        Detection method   Detection time          VRF
10.1.80.1         Ping               Oct 29 2014 03:50 PM

• Issuing the ipconfig /release and ipconfig /renew commands at the PC-C command
prompt results in PC-C obtaining IP address 10.1.80.2 because 10.1.80.1 was in use.
• After correcting the Branch3 pool address range problem, pings from PC-C to DLS2 F0/5 (10.1.2.13)
succeed.
• The show run | beg dhcp pool command on DLS2 indicates that the wrong addresses were
excluded from the pool of assignable addresses.
Action: Change the DHCP excluded address statement on DLS2 to reference the IP address of R3 G0/0
(10.1.80.1). See TT-C debrief for more information.
Verification: PC-C receives IP address 10.1.80.2 from the DLS2 DHCP server.

Step 7: Document trouble ticket debrief notes.


Use this space to make notes of the key learning points that you picked up during the discussion of this trouble
ticket with your instructor. The notes can include problems encountered, solutions applied, useful commands
employed, alternate solutions and methods, and procedure and communication improvements.
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
Trouble Ticket TT-C Debrief—Instructor Notes
This trouble ticket has three issues. The first two issues prevent the client from obtaining an IP address from
the DHCP server. The third issue has to do with excluding the proper addresses from the DHCP pool.
TT-C Issue 1
DHCP discovery messages from the DHCP client are broadcasts. By default, routers do not forward DHCP
broadcasts. As a result, PC-C in the branch office LAN connected to R3 cannot reach the DHCP server DLS2
at headquarters to obtain an IP address. Configuring a helper address on R3 assists PC-C by directing
broadcasts to DLS2. Use the following commands to configure the helper address on R3 that points to the
DLS2 Fa0/5 interface IP address.
interface GigabitEthernet0/0
 ip helper-address 10.1.2.13
This configuration allows DHCP discovery messages from PC-C to reach DLS2. However, PC-C still does not
receive its IP address.
Optional IPv6 Parallel Issue:
The DHCP relay command syntax is a bit different with IPv6. On R3:
interface GigabitEthernet0/0
 ipv6 dhcp relay destination 2001:DB8:CAFE:212::D2

With DHCPv6 there is one additional command required on the DHCP server, DLS2:
interface FastEthernet0/5
 ipv6 dhcp server DHCPv6Branch3

TT-C Issue 2
A second problem is the configuration of the DHCP pool on DLS2. DHCP server DLS2 is misconfigured to
assign IP addresses in the 10.80.1.0/24 network instead of the 10.1.80.0/24 network. This results in PC-C not
obtaining an IP address. DLS2 receives the PC-C DHCPDISCOVER messages relayed by R3 but compares
the gateway IP address of R3 (10.1.80.1) to the misconfigured address range defined in the pool
(10.80.1.0/24). They do not match, so DLS1 sends a message to R3 stating that no address pool corresponds
to the R3 G0/0 IP address. As a result, the DHCP message exchange process with PC-C terminates, and no
address is offered to PC-C.
Point out that even if DLS2 were able to assign PC-C an IP address from this pool, PC-C would not be able to
communicate with its default gateway on R3 because they are on different networks.
To correct this problem, use the following command on DLS2 to remove the incorrect network pool definition
and replace it with the correct one:
ip dhcp pool Branch3
 no network 10.80.1.0 255.255.255.0
 network 10.1.80.0 255.255.255.0
Oct 29 22:50:08: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 10.1.80.1.

Note the address conflict error on DLS2 when DLS2 tries to assign IP address 10.1.80.1 (R3 G0/0) to PC-C.
This problem is addressed in the TT-C Issue 3 section.
What would happen if the IP address of R3 G0/0 were changed to 10.80.1.1/24? PC-C would be able to obtain
an IP address but still would not be able to communicate with SRV1, because R3 does not advertise this
network under EIGRP.
Optional IPv6 Parallel Issue:
Incorrect IPv6 address pool for the R3 G0/0 IPv6 network:
ipv6 dhcp pool DHCPv6Branch3
 address prefix 2001:DB8:CAFE:800:ABCD::/80

TT-C Issue 3
The third issue is related to the DHCP addresses excluded on DLS2. Address range 10.1.80.251 to
10.1.80.254 is being excluded, but this allows DLS2 to try to assign 10.1.80.1, the first address in the range,
which belongs to R3 G0/0 and should be excluded. The trouble ticket states that the default gateway on a
subnet should be excluded (in this case, 10.1.80.1).
The improper exclusion does not prevent PC-C from obtaining an IP address. When the problem in Issue 2 is
resolved, the DHCP server selects the 10.1.80.1 address for potential assignment to PC-C, but before
sending the DHCPOFFER, it first sends a series of pings to try to verify that the address is not already in use
by some other device. In this case, it is used on R3's G0/0 interface, so the DHCP server realizes there is a
conflict. The DHCP server then selects a different address for potential assignment to PC-C, runs the same
ping tests, does not detect a conflict, and sends the DHCPOFFER to PC-C, with the offer containing this
second address.
The address PC-C receives will be the next one in the range (10.1.80.2), but 10.1.80.1 will remain in a
conflicted state.
To correct this problem, issue the following commands on DLS2:
no ip dhcp excluded-address 10.1.80.251 10.1.80.254
ip dhcp excluded-address 10.1.80.1
Note: If servers, printers, or other devices are to be assigned static addresses on this subnet, a range can be
specified to exclude these addresses.
To remove the conflicted addresses, issue this command:
clear ip dhcp conflict *
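
The check below is an added example, not part of the lab manual: it parses IOS-style DHCP server lines, reports any pool whose default gateway is not covered by ip dhcp excluded-address, and models the ping-then-offer behavior described above. The sample configs are constructed; the default-router 10.1.80.1 line and all function names are assumptions.

```python
import ipaddress
import re

# Constructed sample configs for the Branch3 pool discussed in TT-C Issue 3.
# Assumption: "default-router 10.1.80.1" (the text names 10.1.80.1, R3 G0/0,
# as the subnet's default gateway but does not show this line).
BROKEN = """\
ip dhcp excluded-address 10.1.80.251 10.1.80.254
!
ip dhcp pool Branch3
 network 10.1.80.0 255.255.255.0
 default-router 10.1.80.1
!
"""
# Same pool with the exclusion corrected as in the text.
FIXED = BROKEN.replace("10.1.80.251 10.1.80.254", "10.1.80.1")


def parse_dhcp(config):
    """Return (excluded_ranges, pools) parsed from IOS-style DHCP lines."""
    excluded, pools, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!" or not line:
            current = None  # a bare "!" ends the pool sub-mode
            continue
        m = re.fullmatch(r"ip dhcp excluded-address (\S+)(?: (\S+))?", line)
        if m:
            low = ipaddress.IPv4Address(m.group(1))
            high = ipaddress.IPv4Address(m.group(2) or m.group(1))
            excluded.append((low, high))
            continue
        m = re.fullmatch(r"ip dhcp pool (\S+)", line)
        if m:
            current = pools.setdefault(m.group(1), {"network": None, "routers": []})
            continue
        if current is None:
            continue
        m = re.fullmatch(r"network (\S+) (\S+)", line)
        if m:
            current["network"] = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}")
            continue
        m = re.fullmatch(r"default-router (.+)", line)
        if m:
            current["routers"] = [ipaddress.IPv4Address(a) for a in m.group(1).split()]
    return excluded, pools


def is_excluded(addr, excluded):
    """True if addr falls inside any excluded-address range."""
    return any(low <= addr <= high for low, high in excluded)


def unexcluded_gateways(config):
    """List (pool, gateway) pairs where the gateway is still assignable."""
    excluded, pools = parse_dhcp(config)
    findings = []
    for name, pool in pools.items():
        for gw in pool["routers"]:
            if pool["network"] and gw in pool["network"] and not is_excluded(gw, excluded):
                findings.append((name, gw))
    return findings


def first_offer(config, pool_name, in_use):
    """Model the behavior in the text: walk the pool in ascending order, skip
    excluded addresses, record a conflict for any candidate that answers the
    server's ping (is in `in_use`), and offer the first one that does not.
    Returns (offered_address_or_None, conflicts)."""
    excluded, pools = parse_dhcp(config)
    conflicts = []
    for addr in pools[pool_name]["network"].hosts():
        if is_excluded(addr, excluded):
            continue
        if addr in in_use:
            conflicts.append(addr)
            continue
        return addr, conflicts
    return None, conflicts


if __name__ == "__main__":
    r3_g0_0 = ipaddress.IPv4Address("10.1.80.1")  # address on R3 G0/0
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        offer, conflicts = first_offer(cfg, "Branch3", {r3_g0_0})
        print(label, "unexcluded gateways:", unexcluded_gateways(cfg))
        print(label, "offer:", offer, "conflicts:", conflicts)
```
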

Optional IPv6 Parallel Issue:


IPv6 Neighbor Discovery Protocol (NDP) uses Duplicate Address Detection (DAD), so defining the IPv6
address space with the pool 2001:DB8:CAFE:80:ABCD::/80 is sufficient. It is not necessary to exclude IPv6
addresses when configuring DHCPv6.

Device Configurations (Instructor version)


Note: All device configurations are provided for TT-A, including those that are the same as the baseline
as defined in the BASE Lab. The configs provided here are not running-config outputs. They can be used
for cut-and-paste for TT-A and subsequent tickets. Where a config is noted as being the same as a
previous one, the only change is in the MOTD, which identifies the Lab and TT.

Trouble Ticket—TT-A Configurations


Switch ALS1
!Lab 6-1 Switch ALS1 TT-A Config
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ALS1
!
logging buffered 16384
enable secret cisco
!
username cisco secret cisco
aaa new-model
!
!
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec default local
!
!
clock timezone PST -8
clock summer-time PDT recurring
do clock set 09:05:00 Oct 29 2014
system mtu routing 1500
vtp domain TSHOOT
vtp mode transparent
ip routing
!
!
no ip domain-lookup
ip domain-name tshoot.net
ipv6 unicast-routing
!
errdisable recovery cause psecure-violation
errdisable recovery interval 120
!
spanning-tree mode rapid-pvst
spanning-tree portfast default
!
vlan 99
name MANAGEMENT
!
vlan 110
name GUEST
!
vlan 120
name OFFICE
!
vlan 200
name VOICE
!
vlan 666
name NATIVE
!
vlan 999
name PARKING_LOT
!
ip telnet source-interface Vlan99
ip ssh source-interface Vlan99
ip ssh dh min size 2048
!
!
interface Port-channel1
description Channel to DLS1
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
no shutdown
!
interface Port-channel2
description Channel to DLS2
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
no shutdown
!
interface FastEthernet0/1
description Channel to DLS1
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 1 mode on
no shutdown
!
interface FastEthernet0/2
description Channel to DLS1
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 1 mode on
no shutdown
!
interface FastEthernet0/3
description Channel to DLS2
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 2 mode on
no shutdown
!
interface FastEthernet0/4
description Channel to DLS2
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 2 mode on
no shutdown
!
interface FastEthernet0/5
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/6
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/7
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/8
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/9
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/10
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/11
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/12
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/13
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/14
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/15
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/16
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/17
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/18
description To PC-B
switchport access vlan 120
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security mac-address sticky
spanning-tree portfast
no shutdown
!
interface FastEthernet0/19
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/20
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/21
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/22
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/23
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/24
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/1
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/2
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan99
ip address 10.1.99.251 255.255.255.0
ipv6 address FE80::A1 link-local
ipv6 address 2001:DB8:CAFE:99::A1/64
no ip proxy-arp
no shutdown
!
interface Vlan110
ip address 10.1.110.251 255.255.255.0
ipv6 address FE80::A1 link-local
ipv6 address 2001:DB8:CAFE:110::A1/64
ipv6 nd prefix 2001:DB8:CAFE:110::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
no shutdown
!
interface Vlan120
ip address 10.1.120.251 255.255.255.0
ipv6 address FE80::A1 link-local
ipv6 address 2001:DB8:CAFE:120::A1/64
ipv6 nd prefix 2001:DB8:CAFE:120::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
no shutdown
!
interface Vlan200
ip address 10.1.200.251 255.255.255.0
ipv6 address FE80::A1 link-local
ipv6 address 2001:DB8:CAFE:200::A1/64
ipv6 nd prefix 2001:DB8:CAFE:200::/64 no-autoconfig
ipv6 nd managed-config-flag
no ip proxy-arp
no shutdown
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.1.99.254
logging source-interface Vlan99
logging host 10.1.100.1
ipv6 route ::/0 2001:DB8:CAFE:99::D1
!
snmp-server community cisco RO
snmp-server community san-fran RW
snmp-server trap-source Vlan99
snmp-server location TSHOOT Lab Facility
snmp-server contact support@tshoot.net
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps port-security
snmp-server enable traps vlan-membership
snmp-server host 10.1.100.1 version 2c cisco
!
banner motd ^*** Lab 6-1 Switch ALS1 TT-A Config ***^
!
ipv6 access-list REMOTEv6
deny ipv6 any any
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication CONSOLE
line vty 0 4
exec-timeout 0 0
ipv6 access-class REMOTEv6 in
logging synchronous
length 0
transport input telnet ssh
!
ntp source Vlan99
ntp server 192.168.2.1
!
crypto key gen rsa general-keys modulus 1024
!
!
archive
log config
logging enable
logging size 50
notify syslog contenttype plaintext
hidekeys
path tftp://10.1.100.1/$h-archive-config
write-memory
file prompt quiet
!
end

Switch DLS1
!Lab 6-1 Switch DLS1 TT-A Config
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname DLS1
!
!
logging buffered 16384
enable secret cisco
!
username cisco secret cisco
aaa new-model
!
!
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec default local
!
!
clock timezone PST -8
clock summer-time PDT recurring
do clock set 09:05:00 Oct 29 2014
system mtu routing 1500
vtp domain TSHOOT
vtp mode transparent
ip routing
ipv6 unicast-routing
no ip domain-lookup
ip domain-name tshoot.net
!
ip dhcp excluded-address 10.1.110.251 10.1.110.254
ip dhcp excluded-address 10.1.120.251 10.1.120.254
ip dhcp excluded-address 10.1.200.251 10.1.200.254
!
ip dhcp pool GUEST
network 10.1.110.0 255.255.255.0
default-router 10.1.110.254
!
ip dhcp pool OFFICE
network 10.1.120.0 255.255.255.0
default-router 10.1.120.254
!
ip dhcp pool VOICE
network 10.1.200.0 255.255.255.0
default-router 10.1.200.254
!
ipv6 dhcp pool DHCPv6GUEST
address prefix 2001:DB8:CAFE:110:ABCD::/80
domain-name tshoot.net
!
ipv6 dhcp pool DHCPv6OFFICE
address prefix 2001:DB8:CAFE:120:ABCD::/80
domain-name tshoot.net
!
ipv6 dhcp pool DHCPv6VOICE
address prefix 2001:DB8:CAFE:200:ABCD::/80
domain-name tshoot.net
!
!
errdisable recovery cause bpduguard
!
spanning-tree mode rapid-pvst
spanning-tree vlan 99,110,120 priority 24576
spanning-tree vlan 100,200,300 priority 28672
!
vlan 99
name MANAGEMENT
!
vlan 100
name SERVERS
!
vlan 110
name GUEST
!
vlan 120
name OFFICE
!
vlan 200
name VOICE
!
vlan 300
name PEERING
!
vlan 666
name NATIVE
!
vlan 999
name PARKING_LOT
!
ip telnet source-interface Vlan99
ip ssh source-interface Vlan99
ip ssh dh min size 2048
!
interface Port-channel1
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
no shutdown
!
interface Port-channel10
description Channel to DLS2
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200,300
switchport mode trunk
switchport nonegotiate
no shutdown
!
interface FastEthernet0/1
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 1 mode on
no shutdown
!
interface FastEthernet0/2
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 1 mode on
no shutdown
!
interface FastEthernet0/3
description Channel to DLS2
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200,300
switchport mode trunk
switchport nonegotiate
channel-group 10 mode on
no shutdown
!
interface FastEthernet0/4
description Channel to DLS2
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200,300
switchport mode trunk
switchport nonegotiate
channel-group 10 mode on
no shutdown
!
interface FastEthernet0/5
description FE to R1
no switchport
ip address 10.1.2.1 255.255.255.252
ipv6 address FE80::D1 link-local
ipv6 address 2001:DB8:CAFE:20::D1/64
speed 100
duplex full
spanning-tree bpduguard enable
no shutdown
!
interface FastEthernet0/6
description FE to SRV1
switchport access vlan 100
switchport mode access
switchport nonegotiate
spanning-tree portfast
no shutdown
!
interface FastEthernet0/7
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/8
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/9
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/10
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/11
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/12
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/13
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/14
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/15
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/16
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/17
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/18
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/19
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/20
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/21
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/22
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/23
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/24
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/1
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/2
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan99
ip address 10.1.99.252 255.255.255.0
no ip proxy-arp
standby 99 ip 10.1.99.254
standby 99 priority 110
standby 99 preempt
ipv6 address FE80::D1 link-local
ipv6 address 2001:DB8:CAFE:99::D1/64
no shutdown
!
interface Vlan100
ip address 10.1.100.252 255.255.255.0
no ip proxy-arp
standby 100 ip 10.1.100.254
standby 100 preempt
ipv6 address FE80::D1 link-local
ipv6 address 2001:DB8:CAFE:100::D1/64
no shutdown
!
interface Vlan110
ip address 10.1.110.252 255.255.255.0
no ip proxy-arp
standby 110 ip 10.1.110.254
standby 110 priority 110
standby 110 preempt
ipv6 address FE80::D1 link-local
ipv6 address 2001:DB8:CAFE:110::D1/64
ipv6 nd prefix 2001:DB8:CAFE:110::/64 no-autoconfig
ipv6 nd managed-config-flag
ipv6 dhcp server DHCPv6GUEST
no shutdown
!
interface Vlan120
ip address 10.1.120.252 255.255.255.0
no ip proxy-arp
standby 120 ip 10.1.120.254
standby 120 priority 110
standby 120 preempt
ipv6 address FE80::D1 link-local
ipv6 address 2001:DB8:CAFE:120::D1/64
ipv6 nd prefix 2001:DB8:CAFE:120::/64 no-autoconfig
ipv6 nd managed-config-flag
ipv6 dhcp server DHCPv6OFFICE
no shutdown
!
interface Vlan200
ip address 10.1.200.252 255.255.255.0
no ip proxy-arp
standby 200 ip 10.1.200.254
standby 200 preempt
ipv6 address FE80::D1 link-local
ipv6 address 2001:DB8:CAFE:200::D1/64
ipv6 nd prefix 2001:DB8:CAFE:200::/64 no-autoconfig
ipv6 nd managed-config-flag
ipv6 dhcp server DHCPv6VOICE
no shutdown
!
interface Vlan300
ip address 10.1.30.252 255.255.255.0
no ip proxy-arp
ipv6 address FE80::D1 link-local
ipv6 address 2001:DB8:CAFE:300::D1/64
no shutdown
!
!
router eigrp HQ
!
address-family ipv4 unicast autonomous-system 1
!
topology base
exit-af-topology
network 10.1.0.0 0.0.255.255
exit-address-family
!
address-family ipv6 unicast autonomous-system 1
!
topology base
exit-af-topology
exit-address-family
!
!
no ip http server
no ip http secure-server
!
!
logging source-interface Vlan99
logging host 10.1.100.1
!
!
snmp-server community cisco RO
snmp-server community san-fran RW
snmp-server trap-source Vlan99
snmp-server location TSHOOT Lab Facility
snmp-server contact support@tshoot.net
snmp-server enable traps eigrp
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps port-security
snmp-server enable traps config
snmp-server enable traps hsrp
snmp-server enable traps vlan-membership
snmp-server enable traps errdisable
snmp-server host 10.1.100.1 version 2c cisco
!
!
banner motd ^*** Lab 6-1 Switch DLS1 TT-A Config ***^
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication CONSOLE
line vty 0 4
exec-timeout 0 0
logging synchronous
transport input telnet ssh
!
ntp source Vlan99
ntp server 10.1.202.1
!
crypto key gen rsa general-keys modulus 1024
!
archive
log config
logging enable
logging size 50
notify syslog contenttype plaintext
hidekeys
path tftp://10.1.100.1/$h-archive-config
write-memory
file prompt quiet
!
end
!

Switch DLS2
!Lab 6-1 Switch DLS2 TT-A Config
!
service timestamps debug datetime msec
service timestamps log datetime
service password-encryption
!
hostname DLS2
!
!
logging buffered 16384
enable secret cisco
!
username cisco secret cisco
aaa new-model
!
!
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec default local
!
!
clock timezone PST -8
clock summer-time PDT recurring
do clock set 09:05:00 Oct 29 2014
system mtu routing 1500
vtp domain TSHOOT
vtp mode transparent
ip routing
no ip domain-lookup
ip domain-name tshoot.net
!
!
ipv6 unicast-routing
!
!
errdisable recovery cause bpduguard
!
spanning-tree mode rapid-pvst
spanning-tree vlan 99,110,120 priority 28672
spanning-tree vlan 100,200,300 priority 24576
!
!
vlan 99
name MANAGEMENT
!
vlan 100
name SERVERS
!
vlan 110
name GUEST
!
vlan 120
name OFFICE
!
vlan 200
name VOICE
!
vlan 300
name PEERING
!
vlan 666
name NATIVE
!
vlan 999
name PARKING_LOT
!
ip telnet source-interface Vlan99
ip ssh source-interface Vlan99
ip ssh dh min size 2048
!
interface Port-channel2
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
no shutdown
!
interface Port-channel10
description Channel to DLS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200,300
switchport mode trunk
switchport nonegotiate
no shutdown
!
interface FastEthernet0/1
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 2 mode on
no shutdown
!
interface FastEthernet0/2
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 2 mode on
no shutdown
!
interface FastEthernet0/3
description Channel to DLS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200,300
switchport mode trunk
switchport nonegotiate
channel-group 10 mode on
no shutdown
!
interface FastEthernet0/4
description Channel to DLS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200,300
switchport mode trunk
switchport nonegotiate
channel-group 10 mode on
no shutdown
!
interface FastEthernet0/5
description FE to R3
no switchport
ip address 10.1.2.13 255.255.255.252
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:212::D2/64
speed 100
duplex full
spanning-tree bpduguard enable
no shutdown
!
interface FastEthernet0/6
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/7
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/8
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/9
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/10
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/11
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/12
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/13
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/14
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/15
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/16
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/17
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/18
description FE to PC-C
switchport access vlan 110
switchport mode access
switchport nonegotiate
spanning-tree portfast
no shutdown
!
interface FastEthernet0/19
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/20
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/21
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/22
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/23
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/24
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/1
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/2
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan99
ip address 10.1.99.253 255.255.255.0
no ip proxy-arp
standby 99 ip 10.1.99.254
standby 99 preempt
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:99::D2/64
no shutdown
!
interface Vlan100
ip address 10.1.100.253 255.255.255.0
no ip proxy-arp
standby 100 ip 10.1.100.254
standby 100 priority 110
standby 100 preempt
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:100::D2/64
ipv6 nd prefix 2001:DB8:CAFE:100::/64 no-autoconfig
ipv6 nd managed-config-flag
no shutdown
!
interface Vlan110
ip address 10.1.110.253 255.255.255.0
no ip proxy-arp
standby 110 ip 10.1.110.254
standby 110 preempt
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:110::D2/64
ipv6 nd prefix 2001:DB8:CAFE:110::/64 no-autoconfig
ipv6 nd managed-config-flag
no shutdown
!
interface Vlan120
ip address 10.1.120.253 255.255.255.0
no ip proxy-arp
standby 120 ip 10.1.120.254
standby 120 preempt
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:120::D2/64
ipv6 nd prefix 2001:DB8:CAFE:120::/64 no-autoconfig
ipv6 nd managed-config-flag
no shutdown
!
interface Vlan200
ip address 10.1.200.253 255.255.255.0
no ip proxy-arp
standby 200 ip 10.1.200.254
standby 200 priority 110
standby 200 preempt
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:200::D2/64
ipv6 nd prefix 2001:DB8:CAFE:200::/64 no-autoconfig
ipv6 nd managed-config-flag
no shutdown
!
interface Vlan300
ip address 10.1.30.253 255.255.255.0
no ip proxy-arp
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:300::D2/64
no shutdown
!
!
router eigrp HQ
!
address-family ipv4 unicast autonomous-system 1
!
topology base
exit-af-topology
network 10.1.0.0 0.0.255.255
exit-address-family
!
address-family ipv6 unicast autonomous-system 1
!
topology base
exit-af-topology
exit-address-family
!
!
no ip http server
no ip http secure-server
!
!
logging source-interface Vlan99
logging host 10.1.100.1
!
!
snmp-server community cisco RO
snmp-server community san-fran RW
snmp-server trap-source Vlan99
snmp-server location TSHOOT Lab Facility
snmp-server contact support@tshoot.net
snmp-server enable traps eigrp
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps port-security
snmp-server enable traps config
snmp-server enable traps hsrp
snmp-server enable traps vlan-membership
snmp-server enable traps errdisable
snmp-server host 10.1.100.1 version 2c cisco
!
!
banner motd ^*** Lab 6-1 Switch DLS2 TT-A Config ***^
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication CONSOLE
line vty 0 4
exec-timeout 0 0
logging synchronous
transport input telnet ssh
!
ntp source Vlan99
ntp server 192.168.2.1
!
crypto key gen rsa general-keys modulus 1024
!
archive
log config
logging enable
logging size 50
notify syslog contenttype plaintext
hidekeys
path tftp://10.1.100.1/$h-archive-config
write-memory
file prompt quiet
!
end
!

Router R1
!Lab 6-1 Router R1 TT-A Config
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
logging buffered 16384
enable secret cisco
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec default local
!
!
clock timezone PST -8
clock summer-time PDT recurring
do clock set 09:05:00 Oct 29 2014
!
!
no ip domain lookup
ip domain name tshoot.net
ip cef
ipv6 unicast-routing
ipv6 cef
!
username cisco secret cisco
!
!
ip telnet source-interface Loopback0
ip ssh source-interface Loopback0
ip ssh dh min size 2048
!
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
ipv6 address FE80::1 link-local
ipv6 address 2001:DB8:CAFE:201::1/64
!
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1
description FE to DLS1
ip address 10.1.2.2 255.255.255.252
ip flow ingress
ip nat inside
duplex full
speed 100
ipv6 address FE80::1 link-local
ipv6 address 2001:DB8:CAFE:20::1/64
no shutdown
!
interface Serial0/0/0
description WAN link to R2: 2 Mbps leased line
ip address 209.165.200.225 255.255.255.252
ip nat outside
ip flow ingress
encapsulation ppp
ipv6 address FE80::1 link-local
ipv6 address 2001:DB8:FEED::1/64
clock rate 2000000
no shutdown
!
interface Serial0/0/1
description WAN link to R3 (not used)
no ip address
shutdown
!
!
router eigrp HQ
!
address-family ipv4 unicast autonomous-system 1
!
af-interface default
passive-interface
exit-af-interface
!
af-interface GigabitEthernet0/1
no passive-interface
exit-af-interface
!
topology base
redistribute static
exit-af-topology
network 10.1.2.0 0.0.0.3
network 192.168.1.1 0.0.0.0
exit-address-family
!
address-family ipv6 unicast autonomous-system 1
!
af-interface default
passive-interface
exit-af-interface
!
af-interface GigabitEthernet0/1
no passive-interface
exit-af-interface
!
topology base
redistribute static 1544 2000 255 1 1500
exit-af-topology
exit-address-family
!
ip route 0.0.0.0 0.0.0.0 209.165.200.226
ipv6 route ::/0 2001:DB8:FEED::2/64
ipv6 route 2001:DB8:CAFE::/48 Null0
!
crypto key gen rsa general-keys modulus 1024
!
ip http server
ip http secure-server
ip flow-top-talkers
top 3
sort-by bytes
cache-timeout 600000
!
ip nat pool public-addrs 198.133.219.5 198.133.219.30 netmask 255.255.255.224
ip nat source list 1 pool public-addrs
ip nat inside source static 10.1.100.1 198.133.219.1
!
logging source-interface Loopback0
logging host 10.1.100.1
!
access-list 1 permit 10.1.0.0 0.0.255.255
!
snmp-server community cisco RO
snmp-server community san-fran RW
snmp-server trap-source Loopback0
snmp-server location TSHOOT Lab Facility
snmp-server contact support@tshoot.net
snmp-server enable traps eigrp
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps config
snmp-server enable traps cpu threshold
snmp-server host 10.1.100.1 version 2c cisco
!
!
banner motd ^*** Lab 6-1 Router R1 TT-A Config ***^
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication CONSOLE
!
line vty 0 4
exec-timeout 0 0
logging synchronous
transport input telnet ssh
!
ntp source Loopback0
ntp update-calendar
ntp server 192.168.2.1
!
archive
log config
logging enable
logging size 50
notify syslog contenttype plaintext
hidekeys
path tftp://10.1.100.1/$h-archive-config
write-memory
file prompt quiet
!
end
!

Router R2
!Lab 6-1 Router R2 TT-A Config
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R2
!
logging buffered 16384
enable secret cisco
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec default local
!
!
clock timezone PST -8
clock summer-time PDT recurring
do clock set 09:05:00 Oct 29 2014
!
!
no ip domain lookup
ip domain name tshoot.net
ip cef
ipv6 unicast-routing
ipv6 cef
!
!
username cisco secret cisco
!
!
ip telnet source-interface Loopback0
ip ssh source-interface Loopback0
ip ssh dh min size 2048
!
!
interface Loopback0
description Internet
ip address 192.168.2.1 255.255.255.0
ipv6 address FE80::2 link-local
ipv6 address 2001:DB8:EFAC::2/48
!
interface Loopback1
ip address 2.2.2.2 255.0.0.0
ipv6 address FE80::2 link-local
ipv6 address 2001:DB8:DEED::2/48
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1
description optional connection for PC-C w/ static address
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0
description WAN link to R1: 2 Mbps leased line
ip address 209.165.200.226 255.255.255.252
ip flow ingress
encapsulation ppp
ipv6 address FE80::2 link-local
ipv6 address 2001:DB8:FEED::2/64
no shutdown
!
interface Serial0/0/1
description WAN link to R3: 2 Mbps leased line
ip address 10.1.1.6 255.255.255.252
ip flow ingress
encapsulation ppp
ipv6 address FE80::2 link-local
ipv6 address 2001:DB8:CAFE:14::2/64
clock rate 2000000
shutdown
!
ip route 192.168.1.1 255.255.255.255 209.165.200.225
ip route 198.133.219.0 255.255.255.224 209.165.200.225
ipv6 route 2001:DB8:CAFE::/48 2001:DB8:FEED::1
!
crypto key gen rsa general-keys modulus 1024
!
ip http server
ip http secure-server
ip flow-top-talkers
top 3
sort-by bytes
cache-timeout 600000
!
!
logging source-interface Loopback0
!
!
snmp-server community cisco RO
snmp-server community san-fran RW
snmp-server trap-source Loopback0
snmp-server location TSHOOT Lab Facility
snmp-server contact support@tshoot.net
snmp-server enable traps eigrp
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps config
snmp-server enable traps cpu threshold
snmp-server host 10.1.100.1 version 2c cisco
!
!
banner motd ^*** Lab 6-1 Router R2 TT-A Config ***^
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication CONSOLE
!
line vty 0 4
exec-timeout 0 0
logging synchronous
transport input telnet ssh
!
ntp master 3
!
archive
log config
logging enable
logging size 50
notify syslog contenttype plaintext
hidekeys
path tftp://10.1.100.1/$h-archive-config
write-memory
file prompt quiet
!
end
!

Router R3
!Lab 6-1 Router R3 TT-A Config
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R3
!
!
logging buffered 16384
enable secret cisco
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec default local
!
!
clock timezone PST -8
clock summer-time PDT recurring
do clock set 09:05:00 Oct 29 2014
!
!
no ip domain lookup
ip domain name tshoot.net
ip cef
ipv6 unicast-routing
ipv6 cef
!
username cisco secret cisco
!
!
ip telnet source-interface Loopback0
ip ssh source-interface Loopback0
ip ssh dh min size 2048
!
!
interface Loopback0
ip address 10.1.203.1 255.255.255.255
ipv6 address FE80::3 link-local
ipv6 address 2001:DB8:CAFE:203::3/64
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1
description FE to DLS1
ip address 10.1.2.14 255.255.255.252
ip flow ingress
duplex full
speed 100
ipv6 address FE80::1 link-local
ipv6 address 2001:DB8:CAFE:212::3/64
no shutdown
!
interface Serial0/0/0
description WAN link to R1 - (Not used)
no ip address
encapsulation ppp
clock rate 2000000
shutdown
!
interface Serial0/0/1
description WAN link to R2: 2 Mbps leased line
ip address 10.1.1.5 255.255.255.252
ip flow ingress
encapsulation ppp
ipv6 address FE80::3 link-local
ipv6 address 2001:DB8:CAFE:14::3/64
shutdown
!
!
router eigrp HQ
!
address-family ipv4 unicast autonomous-system 1
!
af-interface default
passive-interface
exit-af-interface
!
af-interface GigabitEthernet0/1
no passive-interface
exit-af-interface
!
topology base
exit-af-topology
network 10.1.2.12 0.0.0.3
network 10.1.203.1 0.0.0.0
exit-address-family
!
address-family ipv6 unicast autonomous-system 1
!
af-interface default
passive-interface
exit-af-interface
!
af-interface GigabitEthernet0/1
no passive-interface
exit-af-interface
!
topology base
exit-af-topology
exit-address-family
!
!
crypto key gen rsa general-keys modulus 1024
!
ip http server
ip http secure-server
ip flow-top-talkers
top 3
sort-by bytes
cache-timeout 600000
!
!
logging source-interface Loopback0
logging host 10.1.100.1
!
!
snmp-server community cisco RO
snmp-server community san-fran RW
snmp-server trap-source Loopback0
snmp-server location TSHOOT Lab Facility
snmp-server contact support@tshoot.net
snmp-server enable traps eigrp
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps config
snmp-server enable traps cpu threshold
snmp-server host 10.1.100.1 version 2c cisco
!
!
banner motd ^*** Lab 6-1 Router R3 TT-A Config ***^
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication CONSOLE
!
line vty 0 4
exec-timeout 0 0
logging synchronous
transport input telnet ssh
!
ntp source Loopback0
ntp update-calendar
ntp server 192.168.2.1
!
archive
log config
logging enable
logging size 50
notify syslog contenttype plaintext
hidekeys
path tftp://10.1.100.1/$h-archive-config
write-memory
file prompt quiet
!
end
!
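
Added example, not part of the lab manual: a small Python audit that walks an IOS command listing like the ones above and reports management-plane settings that are convenient in this lab but should not be carried into a production device. The sample is an excerpt constructed from the R3 TT-A listing; the rule names, the weak-secret list and the hardened counterpart are this example's own assumptions.

```python
import re
from typing import NamedTuple

# Excerpt constructed from the Lab 6-1 R3 TT-A listing (management-plane
# commands only), in the manual's flat layout with "!" between blocks.
LAB_CONFIG = """\
enable secret cisco
!
aaa authentication login default local
aaa authentication login CONSOLE none
!
username cisco secret cisco
!
crypto key gen rsa general-keys modulus 1024
!
ip http server
ip http secure-server
!
snmp-server community cisco RO
snmp-server community san-fran RW
!
line con 0
exec-timeout 0 0
login authentication CONSOLE
!
line vty 0 4
exec-timeout 0 0
transport input telnet ssh
!
"""

# Constructed counterpart with each flagged setting tightened. The timeout
# value and the <...> placeholders are this example's choices, not the manual's.
HARDENED_CONFIG = """\
enable secret <unique-secret>
aaa authentication login default local
username netadmin secret <unique-secret>
crypto key generate rsa general-keys modulus 2048
no ip http server
snmp-server community <ro-community> RO
!
line con 0
exec-timeout 10 0
login authentication default
!
line vty 0 4
exec-timeout 10 0
transport input ssh
!
"""

WEAK_SECRETS = {"cisco", "class", "admin", "password"}  # illustrative list


class Finding(NamedTuple):
    rule: str      # rule ids are this example's own names
    where: str     # "global" or the "line ..." block the command sits in
    command: str   # the command as written in the listing


def audit(config: str) -> list:
    findings, none_lists, line_logins = [], set(), []
    where = "global"
    for raw in config.splitlines():
        cmd = raw.strip()
        if not cmd or cmd.startswith("!"):
            where = "global"             # "!" closes the current block
            continue
        if cmd.startswith("line "):
            where = cmd                  # following commands apply to this line
            continue
        words = cmd.split()
        # AAA login list whose only method is "none": no credentials are asked.
        m = re.fullmatch(r"aaa authentication login (\S+) none", cmd)
        if m:
            none_lists.add(m.group(1))
        # Secret typed in clear in the listing and trivially guessable.
        m = re.fullmatch(r"(?:enable|username (\S+)) secret (\S+)", cmd)
        if m and (m.group(2) in WEAK_SECRETS or m.group(2) == m.group(1)):
            findings.append(Finding("guessable-secret", where, cmd))
        m = re.match(r"crypto key gen\S* rsa\b.*\bmodulus (\d+)", cmd)
        if m and int(m.group(1)) < 2048:
            findings.append(Finding("short-rsa-key", where, cmd))
        if cmd == "ip http server":
            findings.append(Finding("cleartext-http", where, cmd))
        if re.fullmatch(r"snmp-server community \S+ RW\b.*", cmd, re.I):
            findings.append(Finding("snmp-rw-community", where, cmd))
        if where != "global":
            if cmd == "exec-timeout 0 0":
                findings.append(Finding("no-idle-timeout", where, cmd))
            if words[:2] == ["transport", "input"] and {"telnet", "all"} & set(words[2:]):
                findings.append(Finding("telnet-enabled", where, cmd))
            if words[:2] == ["login", "authentication"] and len(words) == 3:
                line_logins.append((where, words[2], cmd))
    # Resolve line logins last, so the AAA list may be defined anywhere.
    for block, name, cmd in line_logins:
        if name in none_lists:
            findings.append(Finding("login-without-auth", block, cmd))
    return findings
```

Only secrets that appear in clear text, as in these command listings, can be checked; hashed secrets in a running-config are skipped by the rule.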

Trouble Ticket—TT-B Configurations


Switch ALS1—Same as TT-A

Switch DLS1—Same as TT-A

Switch DLS2—Same as TT-A

Router R2—Same as TT-A

Router R3—Same as TT-A

Router R1
!Lab 6-1 Router R1 TT-B Config
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
logging buffered 16384
enable secret cisco
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec default local
!
!
clock timezone PST -8
clock summer-time PDT recurring
do clock set 09:05:00 Oct 29 2014
!
!
no ip domain lookup
ip domain name tshoot.net
ip cef
ipv6 unicast-routing
ipv6 cef
!
username cisco secret cisco
!
!
ip telnet source-interface Loopback0
ip ssh source-interface Loopback0
ip ssh dh min size 2048
!
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
ipv6 address FE80::1 link-local
ipv6 address 2001:DB8:CAFE:201::1/64
!
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1
description FE to DLS1
ip address 10.1.2.2 255.255.255.252
ip flow ingress
ip nat inside
duplex full
speed 100
ipv6 address FE80::1 link-local
ipv6 address 2001:DB8:CAFE:20::1/64
no shutdown
!
interface Serial0/0/0
description WAN link to R2: 2 Mbps leased line
ip address 209.165.200.225 255.255.255.252
ip nat outside
ip flow ingress
encapsulation ppp
ipv6 address FE80::1 link-local
ipv6 address 2001:DB8:FEED::1/64
clock rate 2000000
no shutdown
!
interface Serial0/0/1
description WAN link to R3 (not used)
no ip address
shutdown
!
!
router eigrp HQ
!
address-family ipv4 unicast autonomous-system 1
!
af-interface default
passive-interface
exit-af-interface
!
af-interface GigabitEthernet0/1
no passive-interface
exit-af-interface
!
topology base
redistribute static
exit-af-topology
network 10.1.2.0 0.0.0.3
network 192.168.1.1 0.0.0.0
exit-address-family
!
address-family ipv6 unicast autonomous-system 1
!
af-interface default
passive-interface
exit-af-interface
!
af-interface GigabitEthernet0/1
no passive-interface
exit-af-interface
!
topology base
redistribute static 1544 2000 255 1 1500
exit-af-topology
exit-address-family
!
ip route 0.0.0.0 0.0.0.0 209.165.200.226
ipv6 route ::/0 2001:DB8:FEED::2/64
ipv6 route 2001:DB8:CAFE::/48 Null0
!
crypto key gen rsa general-keys modulus 1024
!
ip http server
ip http secure-server
ip flow-top-talkers
top 3
sort-by bytes
cache-timeout 600000
!
ip nat pool public-addrs 198.133.219.3 198.133.219.6 netmask 255.255.255.248
ip nat inside source list 1 pool public-addrs
ip nat inside source static 10.1.100.1 198.133.219.1
!
logging source-interface Loopback0
logging host 10.1.100.1
!
access-list 1 permit 10.1.0.0 0.0.255.255
!
snmp-server community cisco RO
snmp-server community san-fran RW
snmp-server trap-source Loopback0
snmp-server location TSHOOT Lab Facility
snmp-server contact support@tshoot.net
snmp-server enable traps eigrp
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps config
snmp-server enable traps cpu threshold
snmp-server host 10.1.100.1 version 2c cisco
!
!
banner motd ^*** Lab 6-1 Router R1 TT-B Config ***^
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication CONSOLE
!
line vty 0 4
exec-timeout 0 0
logging synchronous
transport input telnet ssh
!
ntp source Loopback0
ntp update-calendar
ntp server 192.168.2.1
!
archive
log config
logging enable
logging size 50
notify syslog contenttype plaintext
hidekeys
path tftp://10.1.100.1/$h-archive-config
write-memory
file prompt quiet
!
end
!

Trouble Ticket—TT-C Configurations


Switch ALS1—Same as TT-A

Switch DLS1—Same as TT-A

Router R2—Same as TT-A

Switch DLS2
!Lab 6-1 Switch DLS2 TT-C Config
!
service timestamps debug datetime msec
service timestamps log datetime
service password-encryption
!
hostname DLS2
!
!
logging buffered 16384
enable secret cisco
!
username cisco secret cisco
aaa new-model
!
!
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec default local
!
!
clock timezone PST -8
clock summer-time PDT recurring
do clock set 09:05:00 Oct 29 2014
system mtu routing 1500
vtp domain TSHOOT
vtp mode transparent
ip routing
no ip domain-lookup
ip domain-name tshoot.net
!
ipv6 unicast-routing
!
ip dhcp excluded-address 10.1.80.251 10.1.80.254
!
ip dhcp pool Branch3
network 10.80.1.0 255.255.255.0
default-router 10.1.80.1
!
ipv6 dhcp pool DHCPv6Branch3
address prefix 2001:DB8:CAFE:800:ABCD::/80
domain-name tshoot.net
!
!
errdisable recovery cause bpduguard
!
spanning-tree mode rapid-pvst
spanning-tree vlan 99,110,120 priority 28672
spanning-tree vlan 100,200,300 priority 24576
!
!
vlan 99
name MANAGEMENT
!
vlan 100
name SERVERS
!
vlan 110
name GUEST
!
vlan 120
name OFFICE
!
vlan 200
name VOICE
!
vlan 300
name PEERING
!
vlan 666
name NATIVE
!
vlan 999
name PARKING_LOT
!
ip telnet source-interface Vlan99
ip ssh source-interface Vlan99
ip ssh dh min size 2048
!
interface Port-channel2
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
no shutdown
!
interface Port-channel10
description Channel to DLS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200,300
switchport mode trunk
switchport nonegotiate
no shutdown
!
interface FastEthernet0/1
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 2 mode on
no shutdown
!
interface FastEthernet0/2
description Channel to ALS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,110,120,200
switchport mode trunk
switchport nonegotiate
channel-group 2 mode on
no shutdown
!
interface FastEthernet0/3
description Channel to DLS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200,300
switchport mode trunk
switchport nonegotiate
channel-group 10 mode on
no shutdown
!
interface FastEthernet0/4
description Channel to DLS1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport trunk allowed vlan 99,100,110,120,200,300
switchport mode trunk
switchport nonegotiate
channel-group 10 mode on
no shutdown
!
interface FastEthernet0/5
description FE to R3
no switchport
ip address 10.1.2.13 255.255.255.252
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:212::D2/64
speed 100
duplex full
spanning-tree bpduguard enable
no shutdown
!
interface FastEthernet0/6
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/7
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/8
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/9
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/10
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/11
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/12
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/13
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/14
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/15
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/16
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/17
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/18
description FE to PC-C
switchport access vlan 110
switchport mode access
switchport nonegotiate
spanning-tree portfast
shutdown
!
interface FastEthernet0/19
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/20
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/21
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/22
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/23
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface FastEthernet0/24
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/1
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface GigabitEthernet0/2
description PARKING_LOT
switchport access vlan 999
switchport mode access
switchport nonegotiate
shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan99
ip address 10.1.99.253 255.255.255.0
no ip proxy-arp
standby 99 ip 10.1.99.254
standby 99 preempt
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:99::D2/64
no shutdown
!
interface Vlan100
ip address 10.1.100.253 255.255.255.0
no ip proxy-arp
standby 100 ip 10.1.100.254
standby 100 priority 110
standby 100 preempt
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:100::D2/64
ipv6 nd prefix 2001:DB8:CAFE:100::/64 no-autoconfig
ipv6 nd managed-config-flag
no shutdown
!
interface Vlan110
ip address 10.1.110.253 255.255.255.0
no ip proxy-arp
standby 110 ip 10.1.110.254
standby 110 preempt
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:110::D2/64
ipv6 nd prefix 2001:DB8:CAFE:110::/64 no-autoconfig
ipv6 nd managed-config-flag
no shutdown
!
interface Vlan120
ip address 10.1.120.253 255.255.255.0
no ip proxy-arp
standby 120 ip 10.1.120.254
standby 120 preempt
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:120::D2/64
ipv6 nd prefix 2001:DB8:CAFE:120::/64 no-autoconfig
ipv6 nd managed-config-flag
no shutdown
!
interface Vlan200
ip address 10.1.200.253 255.255.255.0
no ip proxy-arp
standby 200 ip 10.1.200.254
standby 200 priority 110
standby 200 preempt
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:200::D2/64
ipv6 nd prefix 2001:DB8:CAFE:200::/64 no-autoconfig
ipv6 nd managed-config-flag
no shutdown
!
interface Vlan300
ip address 10.1.30.253 255.255.255.0
no ip proxy-arp
ipv6 address FE80::D2 link-local
ipv6 address 2001:DB8:CAFE:300::D2/64
no shutdown
!
!
router eigrp HQ
!
address-family ipv4 unicast autonomous-system 1
!
topology base
exit-af-topology
network 10.1.0.0 0.0.255.255
exit-address-family
!
address-family ipv6 unicast autonomous-system 1
!
topology base
exit-af-topology
exit-address-family
!
!
no ip http server
no ip http secure-server
!
!
logging source-interface Vlan99
logging host 10.1.100.1
!
!
snmp-server community cisco RO
snmp-server community san-fran RW
snmp-server trap-source Vlan99
snmp-server location TSHOOT Lab Facility
snmp-server contact support@tshoot.net
snmp-server enable traps eigrp
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps port-security
snmp-server enable traps config
snmp-server enable traps hsrp
snmp-server enable traps vlan-membership
snmp-server enable traps errdisable
snmp-server host 10.1.100.1 version 2c cisco
!
!
banner motd ^*** Lab 6-1 Switch DLS2 TT-C Config ***^
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication CONSOLE
line vty 0 4
exec-timeout 0 0
logging synchronous
transport input telnet ssh
!
ntp source Vlan99
ntp server 192.168.2.1
!
crypto key gen rsa general-keys modulus 1024
!
archive
log config
logging enable
logging size 50
notify syslog contenttype plaintext
hidekeys
path tftp://10.1.100.1/$h-archive-config
write-memory
file prompt quiet
!
end
!
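
Added example, not part of the lab manual: a Python consistency check over the ip dhcp statements of a listing such as the DLS2 one above. It reports default routers and excluded ranges that fall outside the pool network, and gateway addresses that no pool covers. The excerpt is copied from the DLS2 and R3 TT-C listings; the function names, the assumption that the R3 Gi0/0 LAN is the one the Branch3 pool should serve, and the self-consistent variant are this example's own.

```python
import ipaddress

# Copied from the DLS2 TT-C listing above.
DLS2_DHCP = """\
ip dhcp excluded-address 10.1.80.251 10.1.80.254
!
ip dhcp pool Branch3
network 10.80.1.0 255.255.255.0
default-router 10.1.80.1
!
"""

# R3 Gi0/0 address from the R3 TT-C listing. Assumption: this is the LAN whose
# clients the Branch3 pool is meant to serve.
BRANCH_GATEWAYS = {"R3 Gi0/0": "10.1.80.1/24"}

# Constructed variant in which pool, router and exclusions agree.
CONSISTENT_DHCP = DLS2_DHCP.replace("network 10.80.1.0", "network 10.1.80.0")


def parse_dhcp(config):
    """Return ({pool: {"network", "routers"}}, [(low, high) excluded ranges])."""
    pools, excluded, current = {}, [], None
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):
            current = None                      # "!" closes the pool block
            continue
        if words[:3] == ["ip", "dhcp", "excluded-address"] and len(words) >= 4:
            low = ipaddress.ip_address(words[3])
            high = ipaddress.ip_address(words[4]) if len(words) > 4 else low
            excluded.append((low, high))
        elif words[:3] == ["ip", "dhcp", "pool"] and len(words) == 4:
            current = pools.setdefault(words[3], {"network": None, "routers": []})
        elif current is not None and words[0] == "network" and len(words) >= 3:
            # Accepts both "network A.B.C.D MASK" and "network A.B.C.D /LEN".
            mask = words[2].lstrip("/")
            current["network"] = ipaddress.ip_network(f"{words[1]}/{mask}", strict=False)
        elif current is not None and words[0] == "default-router":
            current["routers"] += [ipaddress.ip_address(w) for w in words[1:]]
    return pools, excluded


def check(config, gateways):
    """Return a list of human-readable inconsistencies (empty if none)."""
    pools, excluded = parse_dhcp(config)
    networks = [p["network"] for p in pools.values() if p["network"] is not None]
    problems = []
    for name, pool in pools.items():
        if pool["network"] is None:
            problems.append(f"pool {name}: no network statement")
            continue
        for router in pool["routers"]:
            if router not in pool["network"]:
                problems.append(
                    f"pool {name}: default-router {router} is outside {pool['network']}")
    for low, high in excluded:
        # An exclusion that matches no pool network never removes an address.
        if not any(low in net and high in net for net in networks):
            problems.append(f"excluded-address {low}-{high} matches no pool network")
    for label, cidr in gateways.items():
        iface = ipaddress.ip_interface(cidr)
        # The server picks the pool whose network contains the relay/gateway address.
        if not any(iface.ip in net for net in networks):
            problems.append(f"{label} ({iface.network}): no pool covers this subnet")
    return problems


if __name__ == "__main__":
    for problem in check(DLS2_DHCP, BRANCH_GATEWAYS):
        print(problem)
```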

Router R1
!Lab 6-1 Router R1 TT-C Config
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
logging buffered 16384
enable secret cisco
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec default local
!
!
clock timezone PST -8
clock summer-time PDT recurring
do clock set 09:05:00 Oct 29 2014
!
!
no ip domain lookup
ip domain name tshoot.net
ip cef
ipv6 unicast-routing
ipv6 cef
!
username cisco secret cisco
!
!
ip telnet source-interface Loopback0
ip ssh source-interface Loopback0
ip ssh dh min size 2048
!
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
ipv6 address FE80::1 link-local
ipv6 address 2001:DB8:CAFE:201::1/64
!
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1
description FE to DLS1
ip address 10.1.2.2 255.255.255.252
ip flow ingress
ip nat inside
duplex full
speed 100
ipv6 address FE80::1 link-local
ipv6 address 2001:DB8:CAFE:20::1/64
no shutdown
!
interface Serial0/0/0
description WAN link to R2: 2 Mbps leased line
ip address 209.165.200.225 255.255.255.252
ip nat outside
ip flow ingress
encapsulation ppp
ipv6 address FE80::1 link-local
ipv6 address 2001:DB8:FEED::1/64
clock rate 2000000
no shutdown
!
interface Serial0/0/1
description WAN link to R3 (not used)
no ip address
shutdown
!
!
router eigrp HQ
!
address-family ipv4 unicast autonomous-system 1
!
af-interface default
passive-interface
exit-af-interface
!
af-interface GigabitEthernet0/1
no passive-interface
exit-af-interface
!
topology base
redistribute static
exit-af-topology
network 10.1.2.0 0.0.0.3
network 192.168.1.1 0.0.0.0
exit-address-family
!
address-family ipv6 unicast autonomous-system 1
!
af-interface default
passive-interface
exit-af-interface
!
af-interface GigabitEthernet0/1
no passive-interface
exit-af-interface
!
topology base
redistribute static 1544 2000 255 1 1500
exit-af-topology
exit-address-family
!
ip route 0.0.0.0 0.0.0.0 209.165.200.226
ipv6 route ::/0 2001:DB8:FEED::2
ipv6 route 2001:DB8:CAFE::/48 Null0
!
crypto key gen rsa general-keys modulus 1024
!
ip http server
ip http secure-server
ip flow-top-talkers
top 3
sort-by bytes
cache-timeout 600000
!
ip nat pool public-addrs 198.133.219.5 198.133.219.30 netmask 255.255.255.224
ip nat inside source list 1 pool public-addrs overload
ip nat inside source static 10.1.100.1 198.133.219.1
!
logging source-interface Loopback0
logging host 10.1.100.1
!
access-list 1 permit 10.1.0.0 0.0.255.255
!
snmp-server community cisco RO
snmp-server community san-fran RW
snmp-server trap-source Loopback0
snmp-server location TSHOOT Lab Facility
snmp-server contact support@tshoot.net
snmp-server enable traps eigrp
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps config
snmp-server enable traps cpu threshold
snmp-server host 10.1.100.1 version 2c cisco
!
!
banner motd ^*** Lab 6-1 Router R1 TT-C Config ***^
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication CONSOLE
!
line vty 0 4
exec-timeout 0 0
logging synchronous
transport input telnet ssh
!
ntp source Loopback0
ntp update-calendar
ntp server 192.168.2.1
!
archive
log config
logging enable
logging size 50
notify syslog contenttype plaintext
hidekeys
path tftp://10.1.100.1/$h-archive-config
write-memory
file prompt quiet
!
end
!

Router R3
!Lab 6-1 Router R3 TT-C Config
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R3
!
!
logging buffered 16384
enable secret cisco
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec default local
!
!
clock timezone PST -8
clock summer-time PDT recurring
do clock set 09:05:00 Oct 29 2014
!
!
no ip domain lookup
ip domain name tshoot.net
ip cef
ipv6 unicast-routing
ipv6 cef
!
username cisco secret cisco
!
!
ip telnet source-interface Loopback0
ip ssh source-interface Loopback0
ip ssh dh min size 2048
!
!
interface Loopback0
ip address 10.1.203.1 255.255.255.255
ipv6 address FE80::3 link-local
ipv6 address 2001:DB8:CAFE:203::3/64
!
interface GigabitEthernet0/0
description FE to Branch Office
ip address 10.1.80.1 255.255.255.0
duplex full
speed 100
ipv6 address FE80::1 link-local
ipv6 address 2001:DB8:CAFE:80::1/64
!ipv6 nd prefix 2001:DB8:CAFE:80::/64 no-autoconfig
!ipv6 nd managed-config-flag
no shutdown
!
interface GigabitEthernet0/1
description FE to DLS1
ip address 10.1.2.14 255.255.255.252
ip flow ingress
duplex full
speed 100
ipv6 address FE80::1 link-local
ipv6 address 2001:DB8:CAFE:212::3/64
no shutdown
!
interface Serial0/0/0
description WAN link to R1 - (Not used)
no ip address
encapsulation ppp
clock rate 2000000
shutdown
!
interface Serial0/0/1
description WAN link to R2: 2 Mbps leased line
ip address 10.1.1.5 255.255.255.252
ip flow ingress
encapsulation ppp
ipv6 address FE80::3 link-local
ipv6 address 2001:DB8:CAFE:14::3/64
shutdown
!
!
router eigrp HQ
!
address-family ipv4 unicast autonomous-system 1
!
af-interface default
passive-interface
exit-af-interface
!
af-interface GigabitEthernet0/1
no passive-interface
exit-af-interface
!
topology base
exit-af-topology
network 10.1.2.12 0.0.0.3
network 10.1.80.0 0.0.0.255
network 10.1.203.1 0.0.0.0
exit-address-family
!
address-family ipv6 unicast autonomous-system 1
!
af-interface default
passive-interface
exit-af-interface
!
af-interface GigabitEthernet0/1
no passive-interface
exit-af-interface
!
topology base
exit-af-topology
exit-address-family
!
!
crypto key gen rsa general-keys modulus 1024
!
ip http server
ip http secure-server
ip flow-top-talkers
top 3
sort-by bytes
cache-timeout 600000
!
!
logging source-interface Loopback0
logging host 10.1.100.1
!
!
snmp-server community cisco RO
snmp-server community san-fran RW
snmp-server trap-source Loopback0
snmp-server location TSHOOT Lab Facility
snmp-server contact support@tshoot.net
snmp-server enable traps eigrp
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps config
snmp-server enable traps cpu threshold
snmp-server host 10.1.100.1 version 2c cisco
!
!
banner motd ^*** Lab 6-1 Router R3 TT-C Config ***^
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication CONSOLE
!
line vty 0 4
exec-timeout 0 0
logging synchronous
transport input telnet ssh
!
ntp source Loopback0
ntp update-calendar
ntp server 192.168.2.1
!
archive
log config
logging enable
logging size 50
notify syslog contenttype plaintext
hidekeys
path tftp://10.1.100.1/$h-archive-config
write-memory
file prompt quiet
!
end
!

Chapter 7: Troubleshooting Case Study: TINC Garbage Disposal

Lab 7-1 OSPF Opportunities
Instructor Version
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.
Physical Topology

Logical Topology (First Baseline)

Objectives
• Load the trouble ticket device configuration files for each trouble ticket.
• Diagnose and resolve problems related to the OSPF routing protocol.
• Diagnose and resolve problems related to route redistribution.
• Document troubleshooting progress, configuration changes, and problem resolution.

Background
In this lab, you troubleshoot various problems related to the Open Shortest Path First (OSPF) routing protocol
and route redistribution between routing protocols. For each task or trouble ticket, the trouble scenario and
problem symptom are described. While troubleshooting, you will discover the cause of the problem, correct it,
and then document the process and results.

Migrating from EIGRP to OSPF


Your company has decided to migrate from Enhanced Interior Gateway Routing Protocol (EIGRP) to OSPF as
the routing protocol. This migration will be executed in two phases.
The engineering team planned and designed the migration, but the support team must support the new
network, so they are involved in migrating the branch during Phase 2.
Phase 1—The headquarters central site campus is migrated to OSPF as well as one of the branch offices
(simulated by Lo0 on R3). EIGRP is still used on the WAN toward the R2 branch office. On router R1,
redistribution is configured between OSPF and EIGRP to ensure connectivity between headquarters and the
branch office connected to R2.
Phase 2—The R2 branch office (simulated by Lo0 on R2) is converted from EIGRP to OSPF, and all branch
offices are migrated so that OSPF is used in the entire network. Each branch site will be in a separate totally
stub area.
Today is Saturday, and the engineering team has been busy implementing OSPF and removing EIGRP at the
headquarters site. Although you have not taken part in the actual implementation, some of the senior
engineers in the support team are on standby to assist during the verification and troubleshooting phase.
Together with the engineering team, you will have to make the decision on Sunday to either accept the
implementation or, if major issues are uncovered that would threaten the stability of the network, roll back to
the original configurations.

OSPF Network Design


Phases 1 and 2 of the OSPF design are depicted in the following figures. Backbone Area 0 contains the
FastEthernet interfaces on core Layer 3 switches DLS1 and DLS2 as well as the GigabitEthernet interfaces on
routers R1 and R3. Area 0 also includes VLAN 300 and the corresponding SVI, which have been added to these
two switches so that they can form an OSPF neighbor relationship and exchange routes. The headquarters
campus access VLANs 100, 110, 120, and 200 and management VLAN 99 are in OSPF Area 1. The R2 stub
network is in Area 2, and the R3 stub network is in Area 3.

Phase 1 OSPF Network Design

Phase 2 OSPF Network Design

Test Plan
To test the branch connectivity using redistribution between EIGRP and OSPF and the eventual conversion to
only OSPF, branch routers R2 and R3 have been specifically prepared for both of these scenarios. Router R2
functions as the default gateway for the R2 LAN, while router R3 is the default gateway for the R3 LAN.
Router R2 runs EIGRP as usual. This allows testing the redistribution of EIGRP from the R2 branch office
LAN (simulated by R2 Lo0) to OSPF Area 0 and redistribution of OSPF into EIGRP using router R1 as an
Autonomous System Border Router (ASBR). Router R3 is configured to run OSPF as an Area Border Router
(ABR) between Area 0 and Area 3. The R3 branch office client is simulated by R3 Lo0.
After the completion of Phase 2, all routers except R2 should have OSPF routes. Area 2 is a totally stub area
and R2 should only have a default route to R1.
Note: Trouble ticket TT-A is related to the verification and acceptance of Phase 1 of the OSPF migration.
Trouble tickets TT-B, C, and D are related to the verification and acceptance of Phase 2 of the OSPF
migration. Any interfaces that have been shut down on routers R2 and R3 should remain shut down for the
duration of this lab exercise.

Physical and Logical Topology Diagrams


The physical and logical topologies for the BASE Lab (First Baseline), with EIGRP, are provided to assist the
troubleshooting effort.
Note: This lab uses Cisco ISR G2 routers running Cisco IOS 15.4(3) images with IP Base and Security
packages enabled, and Cisco Catalyst 3560 and 2960 switches running Cisco IOS 15.0(2) IP Services and
LAN Base images, respectively. The 3560 and 2960 switches are configured with the SDM templates
dual-ipv4-and-ipv6 routing and lanbase-routing, respectively. Depending on the router or switch model and
Cisco IOS Software version, the commands available and output produced might vary from what is shown in
this lab.
Note: Any changes made to the BASE Lab configurations or topology (other than errors introduced) are noted
in the trouble ticket so that you are aware of them prior to beginning the troubleshooting process.

Instructor Notes:
• The lab topology should be pre-built prior to the students starting the lab. Ensure that all switches and
routers (ALS1, DLS1, DLS2, R1, R2, and R3) have the course lab configuration files installed in flash
memory. These can be downloaded from NetSpace. The device configurations for all devices are
included at the end of this lab, either directly or by reference to the first trouble ticket, TT-A. The
configuration file for ALS1 can be copied into a text file using the naming convention
Labxy-ALS1-TT-z-Cfg.txt, where x is the chapter number, y is the lab number within the chapter, and z is the
uppercase letter indicating the particular trouble ticket in the lab; similarly for DLS1, DLS2, R1, R2, and
R3.
• The device configurations that contain trouble ticket errors and modifications from the BASE Lab (at
the end of Lab 3-1) are included at the end of the lab, and the errors in them are identified.
• All device configurations are provided for TT-A, including those that are the same as the BASE Lab,
as introduced in Lab 3-1. The configurations provided here are not running-config outputs, but rather
sequences of commands that generate running-config files.
• Device configurations can be used by instructors for cut-and-paste for TT-A and subsequent tickets—
use a terminal emulator line delay of at least 100 ms if pasting configurations directly into global
configuration mode on a device. Some systems may actually require 200 ms.
• Where a configuration is noted as being the same as a previous one, the only change is in the
MOTD, which identifies the Lab and TT.
• Each device should have a directory named “tshoot” in flash. This directory should contain the
baseline configuration file for that device as well as configuration files for all labs in this course.
• Instructors can use a TFTP server, a USB drive, or a flash memory card as source, and use the copy
or archive tar command to copy all course configuration files into the flash:/tshoot directory for
each device in the topology.
• For this lab and subsequent labs, the student is responsible for loading the baseline or trouble ticket
configurations using the procedure described in the BASE Lab.
• Set the correct time on R2, which serves as the primary NTP server for the lab network. These labs
use the Pacific Time Zone, but each site should use its own time zone.
• If time is an issue, each task (trouble ticket) can be performed independently.

Required Resources
• 3 routers (Cisco IOS Release 15.4 or comparable)
• 2 multilayer switches and 1 access layer switch (Cisco IOS Release 15.0(2) or comparable with Fast
Ethernet interfaces)
• SRV1 (PC with static IP address): Windows 7 with RADIUS, TFTP, and syslog servers, plus an SSH
client, SNMP monitor, and Wireshark software
• PC-B (DHCP client): Windows 7 with SSH client and Wireshark software
• PC-C (DHCP client): Windows 7 with SSH client and Wireshark software
• Serial and Ethernet cables, as shown in the topology
Instructor Notes:
• This lab is divided into multiple tasks. Each task is associated with a trouble ticket (TT) and
introduces one or more errors on one or more devices.
• Students can work individually or as a team. The problems introduced in this lab relate to OSPF and
route redistribution.
• Suggested actions and results presented during the troubleshooting process for each TT can be
shared with the students during debrief, or copies of the instructor version of the lab can be made
available to the students to assist them in verifying their work.

Task 1: Trouble Ticket Lab 7-1 TT-A


Instructor note: This trouble ticket involves device R1 and R2 issues related to OSPF and EIGRP route
redistribution.

Step 1: Review trouble ticket Lab 7-1 TT-A.


After the completion of Phase 1—implementation of OSPF in the headquarters portion of the network and the
redistribution between EIGRP and OSPF—the connectivity from the office LAN on the R2 branch router to server
SRV1 at headquarters is tested. A ping from the R2 LAN client (sourced by Lo0 on R2) to server SRV1 fails.
Your task is to diagnose this problem and, if possible, resolve it. Connectivity from the R2 LAN to server SRV1 is
mandatory to consider this phase of the migration successful.

Step 2: Load the device trouble ticket configuration files for TT-A.
Using the procedure described in the BASE Lab, verify that the lab configuration files are present in flash. Load
the proper configuration files indicated in the Device Configuration File Table. The files are based on the First
Baseline.
Note: You can gain access to the router GUI management interface through a web browser—when prompted,
enter the username cisco and the enable password cisco.
Instructor note: Although it is not considered security best practice, the lab configuration files set the VTY line
exec-timeout to 0 0 to facilitate performance of this lab.
Device Configuration File Table

Device Name | File to Load | Notes
ALS1 | Lab71-ALS1-TT-A-Cfg.txt | This file is the same as the first baseline
DLS1 | Lab71-DLS1-TT-A-Cfg.txt | This file contains configurations different than the first baseline
DLS2 | Lab71-DLS2-TT-A-Cfg.txt | This file contains configurations different than the first baseline
R1 | Lab71-R1-TT-A-Cfg.txt | This file contains configuration errors.
R2 | Lab71-R2-TT-A-Cfg.txt | This file contains configurations different than the first baseline
R3 | Lab71-R3-TT-A-Cfg.txt | This file contains configurations different than the first baseline
SRV1 | N/A | Static IP: 10.1.100.1 and 2001:DB8:CAFE:100::1; Default gateway: 10.1.100.254/24 and 2001:DB8:CAFE:100::D1/64
PC-B | N/A | DHCPv4 and DHCPv6
PC-C | N/A | DHCPv4 and DHCPv6

Instructor note: The student loads the “broken” TT configuration files for all devices, although only the
configurations indicated in the Notes column have errors.

Step 3: Configure SRV1 and start the syslog and TFTP servers.

Step 4: Release and renew the DHCP lease on PC-B.


Ensure that PC-B is configured as a DHCP client for both IPv4 and IPv6 in the OFFICE VLAN.
After loading all TT-A device configuration files, issue the ipconfig /release and ipconfig /renew
commands on PC-B.

Step 5: Outline the troubleshooting approach and validation steps.


Use this space to identify your troubleshooting approach and the key steps to verify that the problem is resolved.
Troubleshooting approaches to select from include the follow-the-path, perform-comparison, bottom-up,
top-down, divide-and-conquer, shoot-from-the-hip, and swap-components (move-the-problem) methods.
Note: In addition to a specific approach, you can use the generic troubleshooting process: defining a problem,
gathering information, analyzing the information, eliminating possible problem causes, formulating a hypothesis
about the likely cause of the problem, testing that hypothesis, and solving the problem.
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
The follow-the-path or perform-comparison approach can be used.
Verification steps can include:
• The R2 LAN client (sourced by Lo0 on R2) in the EIGRP routing domain can ping server SRV1 in the
OSPF routing domain.
• The R2 routing table shows external routes learned via R1 OSPF-to-EIGRP redistribution.
• The DLS1 routing table shows external routes learned via R1 EIGRP-to-OSPF redistribution.

Step 6: Record the troubleshooting process and configuration changes.


Use this log to document your actions and results during the troubleshooting process. List the commands you
used to gather information. As you progress, record your thoughts as to what you think the problem might be and
which actions you take to correct the problem.

Device Actions and Results



Instructor Notes:
• The focus of this ticket is IPv4, but the exact same issues are introduced for IPv6. Time permitting,
students can implement the fixes for OSPFv3 and EIGRP for IPv6.
• On R1, traditional OSPFv2 for IPv4 with process ID 1 is used for peering with DLS1.
• On R1, the address family implementation of OSPFv3 for IPv6 with process ID 2 is used for peering
with DLS1.
• Recall that IPv6 is the transport protocol for both address families when address family
implementations of OSPFv3 are configured for both IPv4 and IPv6; in this case, a neighbor must also
support the address family implementation of OSPFv3.
• Cisco 3560 switches do not support the address family implementation of OSPFv3, but they do
support the address family implementation of EIGRP for IPv4 and IPv6.
The responses will vary but could include:
• Pings from the R2 LAN client (sourced by Lo0 10.1.202.1 on R2) to server SRV1 fail.
• Pings from R2 (sourced by S0/0/0 10.1.1.2 on R2) to server SRV1 fail.
• Pings from R2 (sourced by S0/0/0 10.1.1.2 on R2) to R1 S0/0/0 (10.1.1.1) succeed.
• Pings from SRV1 to its default gateway VLAN 100 (10.1.100.254) succeed.
• Pings from SRV1 to all other network devices in the OSPF domain succeed.
• Pings from SRV1 to any R2 address (for example, 10.1.1.2) fail. DLS1 reports: “Destination host
unreachable.”

TT-A Issue 1
R1 is not sending OSPF routes into the EIGRP AS. The redistribution of OSPF routes into EIGRP fails
because no seed metric is specified for the redistribute ospf command under EIGRP.
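The check below is an added example, not part of the lab manual or its configuration files: it scans a command-sequence configuration for EIGRP redistribute statements that have neither an inline metric nor a default-metric in the same scope, the condition described in TT-A Issue 1. The EIGRP AS number 1, the network statement, and the metric values in the sample are constructed assumptions; only OSPF process ID 1 comes from the lab notes.

```python
import re

# Route sources EIGRP accepts without a seed metric (it derives one itself).
NO_SEED_NEEDED = {"connected", "static", "eigrp"}
EIGRP_START = re.compile(r"(ipv6 )?router eigrp ")
SECTION_END = re.compile(r"(ipv6 router|router|interface|line)\s|end$")

def missing_seed_metrics(config_text):
    """Return (scope, source) for each EIGRP redistribute lacking a seed metric."""
    scopes, current, router = [], None, ""
    for raw in config_text.splitlines():
        line = raw.strip()
        if EIGRP_START.match(line):
            router = line
            current = {"name": line, "default": False, "redist": []}
            scopes.append(current)
        elif current and line.startswith("address-family "):
            # Named-mode EIGRP: each address family is its own scope.
            current = {"name": f"{router} / {line}", "default": False, "redist": []}
            scopes.append(current)
        elif SECTION_END.match(line):
            current = None  # left the EIGRP section
        elif current and line.startswith("default-metric "):
            current["default"] = True
        elif current and line.startswith("redistribute "):
            words = line.split()
            # Limitation: a route-map that sets the metric is not evaluated.
            if words[1] not in NO_SEED_NEEDED and "metric" not in words:
                current["redist"].append(" ".join(words[1:3]))
    return [(s["name"], src) for s in scopes if not s["default"]
            for src in s["redist"]]

# Constructed sample, not the lab's R1 file: AS number 1 and the metric
# values (bandwidth, delay, reliability, load, MTU) are assumptions.
BROKEN = """\
router eigrp 1
 network 10.1.1.0 0.0.0.3
 redistribute ospf 1
router ospf 1
 redistribute eigrp 1 subnets
"""
FIXED = BROKEN.replace("redistribute ospf 1\n",
                       "redistribute ospf 1 metric 1544 2000 255 1 1500\n")

if __name__ == "__main__":
    print("broken:", missing_seed_metrics(BROKEN))
    print("fixed: ", missing_seed_metrics(FIXED))
```

The OSPF section in the sample is not flagged because the seed-metric requirement checked here applies to redistribution into EIGRP.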

• The show ip route 10.1.100.0 255.255.255.0 command (SRV1 subnet) on R2 (in the
EIGRP domain) indicates that the subnet is not in the routing table.
• The show ip route 10.1.100.1 255.255.255.0 command on R1 indicates that the route is
known via OSPF 1 and that it is redistributing via EIGRP, but it is not being advertised by EIGRP.
• A check of the OSPF migration plan indicates that server SRV1 is in OSPF Area 1.
• The show ip ospf bor