
TS3++ Summary


74 replies to this topic

#1 plonker


Posted 13 January 2012 - 09:52 PM

All,
These are my notes on TS3++ from the forum threads. Are there any new issues and solutions that I have missed?
  • NTP
R13 needs to sync with NTP server on R5

SUMMARY ISSUES:

- (r9/r11) blocking ACL (fix it by adding permit statement for ntp traffic)
Modify acl to allow ntp packets (udp 123)
- (r5/r13) ntp authentication (check trusted key, ntp authenticate, password mismatch)

COMMANDS:
ntp logging
sh ntp status
sh ntp ass detail
sh run | s ntp
  • ZBF
show policy-map type inspect command and want R31 to be able to telnet R30. R31 was in outside zone, R30 was in inside zone.

SUMMARY ISSUES:

- (r29) check route-map match output (should be match-any)
- (r29) check service-policy for zone-pair (should be correct configured)
- (r29) check zones on interfaces (should be correct (inbound/outbound))
zones on interface were inverted
- (r29) class-map match output (should be match-all)

- in the class-map, in the given output there was NO `match protocol icmp` ,
so in order to match that output and make that class-map work, I just removed the match protocol icmp command from that class-map and it worked.

COMMANDS:
show policy-map type inspect
show zone security
show run | s zone

( policy map match-all to match-any)
  • Frame Relay
Requires R15 to telnet to R13 and R14 loopbacks .
SUMMARY ISSUES:

- (r13/r14/r15) wrong ip address/mask (fix it according to scheme)
- (r13/r14/r15) missing static maps (add frame-relay map (BROADCAST))
frame-relay map on R15 to R13 was missing

- (r13/r14/r15) check interface status (it should be UP)
- (r13/r14/r15) wrong LMI type/missing encapsulation
R14 only had an IP so had to configure encap , no frame inver arp etc

- (r13/r14/r15) wrong ip ospf network type (it should be multipoint)
ospf broadcast was configured on R15 and R13 so that needs to be added as well on R14

- All other routers configed for P2MP and R13 is not. Remove configs from main interface and create a new P2MP, add configs.

COMMANDS:
show frame-relay route (FRSW)
show frame-relay map
show frame-relay pvc
sh ip int br
sh run | s interface
  • OSPF
Requires R20 to telnet to R28

SUMMARY ISSUES:

- (r16/r17) wrong ip ospf network type (it should be broadcast)
- (r8) missing redistribution configuration (mutual redistribution ospf/bgp only particular loopback)
- (r27) missing bgp next-hop-self statements (just add it for the neighbor R28)
- (r16/r18) authentication issue for virtual-link (virtual-link should be up (md5))
- (r16) blocking distribute-list (fix/remove it) ---- Blocking ICMP traffic

With bgp ospf redistribution restriction was "do not change area 1 ospf" requirement.
(Area 1 is between R16 and R8). Asked the proctor what this means, listed him the alternative methods and he said it is ok to make redistribution on r8 so i did that.
  • IPV6
Requires to ping from R1 to R4 loopback

SUMMARY ISSUES:
- (r3) OSPF neighborship cause blocking ACL (should add explicit rules for link-local addresses)
ACL was permitting only R1's global unicast ipv6 address.
OSPF is formed through local address. But I skipped that and added a line in that acl as
permit ipv6 any any

- (r1/r4) loopbacks not advertised into ospf (enable it for ospf process)
- (r1) wrong router-id (fix it)

permit 89 any host FF02::5
permit 89 any host FF02::6
permit 89 any host FE80::CE0B:16FF:FEC0:10
permit icmp any any
permit tcp any any eq telnet
deny ipv6 any any

COMMANDS:
ping
sh run | s interface
sh ipv6 int br
sh ipv6 ospf interface br
sh ipv6 ospf neighbor
  • HSRP
HSRP - required to match show standby on R23 and R22

SUMMARY ISSUES:

- (r22) check track status (it should be UP)
- (r21) redistribution misconfig (check metric/route-map)
- (r13) default-information-originate always / nssa default-information-originate

If the track is required to be up and it's not, make sure the tracked route is learned in R22/R23. Example would be to generate default route into OSPF NSSA area on R13 and correct the redistribution between OSPF and EIGRP in R21 (add metric values into EIGRP redistribution).

- (r13/r14) missing frame-relay map (add frame-relay map (BROADCAST))
- (r22/r23) authentication wrong (check password)
- (r22/r23) preempt/priority misconfig (fix it according to diagram)

COMMANDS:
ping
sh track (it should be UP)
sh run | s standby
show frame-relay route (FRSW)
show frame-relay map
show frame-relay pvc
sh ip int br

(Remove preempt from R23 + change priority on R22)
  • RIP

SUMMARY ISSUES:

- (r25) ppp authentication (check username and password)
The password was incorrect on the PPP link. The configuration seemed fine, normal PPP CHAP authentication from one side only; however, the password was encrypted, so I just removed it and put cisco and it worked.

- (r25/r26) rip version mismatch (should be version 2)

COMMANDS:
show ip protocols | b rip (check version)
show ip int br
ping (check directly connected)

  • MSTP

Requires tracing from R10 to R9 in one hop.
Not allowed to configure anything on Sw2 that was the restriction



SUMMARY ISSUES:

- (r9/r10) check PBR (fix route-map)
On R10, there is a route map which selects certain traffic, this is having an explicit deny. Put another route-map with the permit statement

- (sw1/sw2) check trunk settings (all vlans should be allowed)
Allow the Vlan 109 on trunk link
- (sw1/sw2) check mst configuration (should be sync)
- (sw1/sw2) check spanning-tree priority
SW1 wasn't allowed to touch! I changed the port-priority on sw2's interface which was in ALTERNATE state for the MST for which the devices were not part of.

One trunk link was not letting VLAN 109 (R9 - R10 vlan). So that link was forwarding in STP. The other link was letting vlan 109 but it was in blocking state though.
So performed spanning-tree mst 2 priority 0 on fa0/3 link on SW2.

COMMANDS:

show route-map (fix it)
show spanning-tree (on root switch should be no blocking ports)
show interface trunk
traceroute


  • BGP
Cannot modify any configs in AS 100 and AS 300. Ensure R28 can see the show output below:


R28#sh ip bgp nei 10.1.1.26 | se Prefix activity|state
Prefix activity

Prefixes Current: 3 36 (Consumes 1872 bytes)
Prefixes Total: 3 66
Implicit Withdraw: 0 15
Explicit Withdraw: 0 15
Used as bestpath: n/a 1
Used as multipath: n/a 0
Outbound Inbound
Connection state is ESTAB, I/O status: 1, unread input bytes: 0

In my case the local pref and MED were equal i think.

BGP - as stated before by others R28 needs to see R1 prefix in bgp table but prefer i think path from R287 , there is a show output that you need to match , when you do it on R28 you only see one entry and not two as required only AS 200 is allowed to be configured


SUMMARY ISSUES:

- (r7) bgp maxas-limit (remove)
- (r8) bgp default local-preference (should be the same as r7)

COMMANDS:

show run | s router bgp (check policy settings (route-map, maxas-limit, etc))
sh ip bgp | i network (r1 loopback0)



BGP (strange thing comes here... I spent around half an hour on this ticket, I am sure something wrong was happening!!)
The question was to make R28 prefer R26 as exit point; they already mention in the question that you are not allowed to change anything on
AS100 & AS300 devices.
I changed the MED values on both R7 and R8; after that R28 started preferring routes across R26 (i.e. R7),
but that was one fault; they said there are two faults.
The thing is that they want R28 to see two routes for 1.100.100.100 and prefer the one across R26,
but here is where the strange thing happened:
R7 does not see 1.100.100.100 reflected from R6. I reviewed the configuration of all AS200 devices to see why R7 does not see anything,
but I could not find why.
What was very strange, I am sure something wrong was happening: you are restricted to fixing only AS200 devices.


BGP
on R7 - there was maxas limit - remove
on R8 - match the bgp local-pref to be the same as R7 - being 200



1- Problem description:
  • R28 must see 2 paths in BGP table
  • R28 must select path through R26
  • We're not allowed to touch AS100 - 300 configuration
  • Some people mentioned MED values must not be changed
2- Identify and Isolate the problem:
  • As limited in the question, all the changes must be done in AS200(R7, R8, R6)
  • R7, R8 are RR clients to R6 --> check the neighbor relationships between them
  • R7 misconfiguration(Max aslimit)
  • If anything seems OK and still path with lower MED is preferred(Through R27), we can make AS-prepend on R8 for 1.100.100.100
  • MSDP
MSDP- Guys you need to really workout the scenario where there are 2 serial links b/w R1 and R2 one for MP-BGP and other for ipv4. R3 and R2 were the RP mentioned. I enabled Auto-RP since i wanted to save some time and not copy-pasting the RP address to all routers. Again too many config to look at including OSPF/EIGRP/BGP.


SUMMARY ISSUES:

- (r1/r3) wrong msdp peer settings (ip msdp peer 10.1.1.X connect-source loopback 0 remote-as XXX)
all configs are there. R1 and R3 should be MSDP neighbors. Wrong msdp statement on R1.

- (r9) blocking ACL (ip igmp access-group 10)
- (r6/r8/r9) missing rp configuration (ip pim rp-address)
make sure the R13 all the way through R8 has ip pim rp-address x.x.x.x configured.

- (r6/r8/r9) missing pim configuration (ip pim sparse-dense-mode)
- (r1) - mutual redistribution between bgp/ospf (into bgp for address-family ipv4 multicast)
- (R1/R3) Wrong loopbacks used for MSDP


COMMANDS:
sh ip msdp peer (should be up)
ping (MSDP peers should be reachable)

With MSDP there were two links between r1 and r2 one for unicast bgp neighborship the other for multicast bgp neighborship( address-family multicast config !). So yes there was also a address family multicast bgp neighborship used as well. Static rp was configured, however RP settings were missing on R6 and R8.
MSDP was between r2 and r3. Wrong loopbacks were used in MSDP. MSDP - R1 and R2 were the RP, lots of configurations, multicast bgp in addition to an enormous ACL denying a lot of multicast addresses. I don't know if they were even related or not, but I couldn't get both loopbacks to ping each other in the first place!! Spent a lot of time but couldn't get it to work.

Thanked by 14 Members:
mosseg , dhatrinath , kushalavaiya251 , sinkhole99 , mobayrak , pingo , asif76 , ashcisco , xilo , hanoi2010 , hasi , adecad , MUATH , aneeshiscool
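
Added example, not part of plonker's post: a small first-match ACL evaluator showing why the IPv6 ticket's ACL broke the OSPF adjacency and why the narrower ACL listed in the notes restores it without resorting to `permit ipv6 any any`. The addresses marked constructed and all function names are assumptions made for illustration.

```python
import ipaddress

def addr_ok(spec, addr):
    """'any' matches everything; otherwise spec is a host address or prefix."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def evaluate(acl, proto, src, dst, dport=None):
    """First-match evaluation of (action, proto, src, dst, dport) entries."""
    for action, p, s, d, port in acl:
        if p not in ("ipv6", proto):        # 'ipv6' matches any protocol
            continue
        if port is not None and port != dport:
            continue
        if addr_ok(s, src) and addr_ok(d, dst):
            return action
    # Implicit deny. Real IOS IPv6 ACLs also carry implicit neighbor-discovery
    # permits, which are omitted here because they never match protocol 89.
    return "deny"

R1_GLOBAL = "2001:db8:1::1"              # constructed
R1_LINK_LOCAL = "fe80::1"                # constructed
R4_LOOPBACK = "2001:db8:4::4"            # constructed
HOST_ENTRY = "fe80::ce0b:16ff:fec0:10"   # host entry listed in the post

# Faulty state described in the post: only R1's global address is permitted.
BROKEN = [("permit", "ipv6", R1_GLOBAL, "any", None)]

# The ACL lines listed in the post, in order.
FIXED = [
    ("permit", "89", "any", "ff02::5", None),   # AllSPFRouters
    ("permit", "89", "any", "ff02::6", None),   # AllDRouters
    ("permit", "89", "any", HOST_ENTRY, None),  # unicast OSPF to link-local
    ("permit", "icmp", "any", "any", None),
    ("permit", "tcp", "any", "any", 23),        # eq telnet
    ("deny", "ipv6", "any", "any", None),
]

def report(acl):
    """Verdicts for the traffic the ticket depends on, plus one control."""
    return {
        "ospf_hello": evaluate(acl, "89", R1_LINK_LOCAL, "ff02::5"),
        "ospf_unicast": evaluate(acl, "89", R1_LINK_LOCAL, HOST_ENTRY),
        "ping": evaluate(acl, "icmp", R1_GLOBAL, R4_LOOPBACK),
        "ssh": evaluate(acl, "tcp", R1_GLOBAL, R4_LOOPBACK, 22),
    }

if __name__ == "__main__":
    for name, acl in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, report(acl))
```

The broken ACL passes the ping from R1's global address yet drops every OSPF packet, because those are sourced from the link-local address; the listed ACL permits OSPF and still denies unrelated traffic such as SSH.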

#2 JamJunkie


Posted 13 January 2012 - 10:26 PM

With MSDP there were two links between r1 and r2 one for unicast bgp neighborship the other for multicast bgp neighborship( address-family multicast config !). So yes there was also a address family multicast bgp neighborship used as well. Static rp was configured, however RP settings were missing on R6 and R8.

^ Awesome, this is the new issue I was trying to affirm.  Thanks!

#3 studier


Posted 14 January 2012 - 01:24 AM

Very nicely done.   Do you have something like this for the TS4?

#4 HectorRG


Posted 14 January 2012 - 01:36 AM

Guys, those solutions were applied today and even couldn't pass; we need to work out more TS.

#5 mariodoe


Posted 14 January 2012 - 01:39 AM

good reading!

#6 JamJunkie


Posted 14 January 2012 - 01:40 AM

^ So you had the test today?

Ok so we need to confirm if the questions are the same or different.

Also were there two physical interfaces between R1 and R2 or no.

I passed TS easily (all 10 questions 1 hour 10 minutes) - but had mpls TS and not this one - next time I'll probably get this one.

Thanked by 1 Member:
daywalker

#7 plonker


Posted 14 January 2012 - 02:13 AM

HectorRG, on 14 January 2012 - 01:36 AM, said:

Guys, those solutions were applied today and even couldn't pass; we need to work out more TS.

How different were the questions you got from what I listed here? I would appreciate it if you can add additional information.

#8 HectorRG


Posted 14 January 2012 - 02:30 AM

MSDP where R3 was not enabled for ipv4 multicast on bgp
NTP: just changed access list to permit udp
OSPF: pinging from R20 to R28, there was an access list outbound in R17 blocking icmp, just added permit icmp and ping worked between r20 and r28, besides mutual redistribution on r8, and still wrong!
Zone-based firewall: there's a new access list on class map type inspect, just changed the class map to match-any and ping worked from r30 to r31, and still wrong
MSTP: just changed the blocking port to forwarding in order to let vlan 109 pass, and the traceroute was one hop

Thanked by 1 Member:
plonker

#9 plonker


Posted 14 January 2012 - 02:33 AM

JamJunkie, on 13 January 2012 - 10:26 PM, said:

With MSDP there were two links between r1 and r2 one for unicast bgp neighborship the other for multicast bgp neighborship( address-family multicast config !). So yes there was also a address family multicast bgp neighborship used as well. Static rp was configured, however RP settings were missing on R6 and R8.

^ Awesome, this is the new issue I was trying to affirm.  Thanks!

Check this one ,
https://supportforums.cisco.com/docs/DOC-4871.pdf

Thanked by 1 Member:
OscarBravo11

#10 plonker


Posted 14 January 2012 - 02:38 AM

HectorRG, on 14 January 2012 - 02:30 AM, said:

MSDP where R3 was not enabled for ipv4 multicast on bgp
NTP: just changed access list to permit udp
OSPF: pinging from R20 to R28, there was an access list outbound in R17 blocking icmp, just added permit icmp and ping worked between r20 and r28, besides mutual redistribution on r8, and still wrong!
Zone-based firewall: there's a new access list on class map type inspect, just changed the class map to match-any and ping worked from r30 to r31, and still wrong
MSTP: just changed the blocking port to forwarding in order to let vlan 109 pass, and the traceroute was one hop

Sorry you didn't pass, but looks like you got most of them right.

#11 JamJunkie


Posted 14 January 2012 - 03:31 AM

In the actual exam Cisco usually tells you how many faults there are.

The more difficult questions usually are worth 3 points and have 2 faults.

Those who are taking the exam - watch for this on the MSDP question and report on the number of faults - so we can figure out what could possibly be wrong.

Edited by JamJunkie, 14 January 2012 - 03:31 AM.


#12 HectorRG


Posted 14 January 2012 - 04:11 AM

Please guys what stuff is available for studying troubleshooting please recommend a few ones

#13 JamJunkie


Posted 14 January 2012 - 05:42 AM

^  Cisco has a trouble shooting VOD.

INE has a lot of good trouble shooting CODs.


What I did was build the topology in gn3 and reverse engineer problems into it.

- I put all the problems in, make a snapshot and then time myself while resolving it.

-  Don't use show running config

- Always ask yourself what is the most efficient procedure for solving the problem.

- master show commands and debug. also use of access-lists for verification.

- now once you solve all known tickets - put your own variations in.  you must expect that cisco will change at least some of the tickets by the time you take the test.

I'm going to build the t3 topology with end to end multicasting and MSDP, and focus on rpf check, mtrace, static mroute, multicast bgp, no ip mroute cache, etc.

You really can't afford to miss a 3 mark question in troubleshooting.





#14 Ricaphys


Posted 14 January 2012 - 09:09 AM

we need to focus on msdp question as it is 3 marks and is enough to let u down in tshoot.

Thanked by 1 Member:
gyaseries


