Johnsonrama

Pass LAB (K5) but fail TSHOOT K4 (switch)


Hi buddy, sorry about your lab, but keep going. I would like to know which lab you got after the TSHOOT session. I will be online tomorrow at the same time. Thanks, going for my lab next month.

Edited by akpaandy


Hi Guys

 

Can someone explain the below questions:

 

-R8 cannot reach IPv6 server CC1E:200:200:: 200 (loopback 200) on R4. Fix the problem so that reachability is established using any method. But do not use static route. (Do not use Dynamic routing)

-Telnet traffic from R20 to host 100.100.10.10 (Host 28’s loopback 100 not!!! R23 Okay!!!) should be translated with the Ethernet IP address of R22 as NAT source address. HTTP traffic from host 28 to host 100.100.10.10 (R23’s loopback 100) should be translated with the loopback IP address of R22 as NAT source address. Fix the problem so that it can be met.

When I put ip nat outside under the serial interface the OSPF relationship is going down

 

Thanks,

Elie

Hi Brain007,

 

For the first question you need to use something called IPv6 auto config. Search for it on the internet and you will find the solution. For the second one, the policy map that is used has two statements; remove the second statement, which is a blank statement, and everything should work just fine.

 

Regards,


Hi seyd

Thank you for your help.

Everybody is failing from troubleshooting, I don't know how to cover it 100%.
The mistake can be easy or not !!

The ICMP traffic stream from host 10.1.1.12 to host 10.1.1.8 is marked with TOS 128. Fix the problem so the stream can be marked with desired precedence critical

What is the ping command to verify that the traffic is being marked? When I put show policy-map int eth0/3, the packet is not being marked

R12#ping
Protocol [ip]:
Target IP address: 10.1.1.8
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.1.1.12
Type of service [0]: 160
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.8, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.12

Class-map: SILVER (match-all)
  0 packets, 0 bytes
  5 minute offered rate 0 bps, drop rate 0 bps
  Match: access-group 102
  Match: access-group 135
  police:
    cir 1000000 bps, bc 31250 bytes
    conformed 0 packets, 0 bytes; actions:
      transmit
    exceeded 0 packets, 0 bytes; actions:
      drop
    conformed 0 bps, exceed 0 bps
  QoS Set
    precedence 5
      Packets marked 0

Class-map: BRONZE (match-all)
  0 packets, 0 bytes
  5 minute offered rate 0 bps, drop rate 0 bps
  Match: access-group 101

The packet marked with IP precedence 5 is 0


If the access-list of the traffic marked with the TOS 128 (flash-override) is matched under the SILVER class-map, then you have a problem with the "match-all" statement, since, as I can see above, there are 2 ACLs matched under the SILVER class-map.

So the solution, if the TOS 128 traffic ACL is one of the matched ACLs under the SILVER class-map, is changing the class-map to "match-any" instead to make the marking work!

 

cheers


1. Your configuration is not completely right. match-all on the class-map of SILVER shows that the traffic must match both access-list 102 and 135 before the policy-map will mark the traffic as critical. You have to change it to match-any or completely remove access-group 135 from the class-map.

2. Your extended ping test should match service 128, not 160. The traffic is expected to come in as precedence flash-override and be remarked as critical on R9.

3. Before you can successfully test your config, you have to configure either CoPP or an access-list on R8 matching the expected traffic. After running your extended ping, you can now check your access-list to see if it matches IP precedence of 5 (critical).

Below is the expected config on R9 and TEST method

R9

class-map match-any SILVER
 match access-group 102
 match access-group 135

policy-map CPP
 class SILVER
  police cir 1000000
   conform-action transmit
   exceed-action transmit
  set precedence 5

TEST YOUR CONFIG
R8

ip access-list extended falala
 permit ip host 10.1.1.12 host 10.1.1.8 precedence critical
 permit ip any any

interface Ethernet0/1
 ip address 10.10.10.21 255.255.255.252
 ip access-group falala in

R12

R12#ping
Protocol [ip]:
Target IP address: 10.1.1.8
Repeat count [5]: 11
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.1.1.12
Type of service [0]: 128
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 11, 100-byte ICMP Echos to 10.1.1.8, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.12
!!!!!!!!!!!
Success rate is 100 percent (11/11), round-trip min/avg/max = 36/60/140 ms
R12#

RESULT

R8#sh access-lists falala
Extended IP access list falala
    10 permit ip host 10.1.1.12 host 10.1.1.8 precedence critical (33 matches)
    20 permit ip any any (50 matches)

Edited by falala
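
The reply above, modelled as an added example that is not part of the thread or of any lab material: it decodes the ToS byte into IP precedence, evaluates class SILVER under match-all and match-any, and checks line 10 of the R8 test ACL. The contents of access-lists 102 and 135 never appear in the thread and are assumed here, and the function names are hypothetical.

```python
from dataclasses import dataclass, replace

PREC_NAMES = ("routine", "priority", "immediate", "flash",
              "flash-override", "critical", "internet", "network")

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    tos: int                      # full ToS byte, as typed into extended ping

def precedence(tos):
    """IP precedence is the top three bits of the ToS byte."""
    return (tos & 0xFF) >> 5

# ASSUMED ACL contents: the thread never shows access-lists 102 and 135.
def acl_102(p):                   # assumed: the ICMP stream from the ticket
    return (p.proto, p.src, p.dst) == ("icmp", "10.1.1.12", "10.1.1.8")

def acl_135(p):                   # assumed: some unrelated TCP traffic
    return p.proto == "tcp"

def r9_policy(p, mode):
    """class SILVER: classify with match-all/match-any, then `set precedence 5`."""
    hits = [acl(p) for acl in (acl_102, acl_135)]
    matched = all(hits) if mode == "match-all" else any(hits)
    if matched:                   # rewrite only the three precedence bits
        p = replace(p, tos=(5 << 5) | (p.tos & 0x1F))
    return p, matched

def r8_acl_line_10(p):
    """permit ip host 10.1.1.12 host 10.1.1.8 precedence critical"""
    return (p.src, p.dst) == ("10.1.1.12", "10.1.1.8") and precedence(p.tos) == 5

def run_test(ping_tos, mode):
    """Return (marked on R9?, precedence name seen on R8, R8 line 10 hit?)."""
    sent = Packet("10.1.1.12", "10.1.1.8", "icmp", ping_tos)
    seen, marked = r9_policy(sent, mode)
    return marked, PREC_NAMES[precedence(seen.tos)], r8_acl_line_10(seen)

if __name__ == "__main__":
    for tos in (128, 160):
        for mode in ("match-all", "match-any"):
            print(tos, mode, run_test(tos, mode))
```

With ToS 160 the ping already leaves R12 as precedence critical, so line 10 on R8 counts hits even while the match-all class-map marks nothing; only a ToS 128 ping distinguishes the broken policy from the fixed one.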

[quote name='falala' timestamp='1305844740' post='424167']
1. Your configuration is not completely right. match-all on the class-map of SILVER shows that the traffic must match both access-list 102 and 135 before the policy-map will mark the traffic as critical. You have to change it to match-any or completely remove access-group 135 from the class-map.
2. Your extended ping test should match service 128, not 160. The traffic is expected to come in as precedence flash-override and be remarked as critical on R9.
3. Before you can successfully test your config, you have to configure either CoPP or an access-list on R8 matching the expected traffic. After running your extended ping, you can now check your access-list to see if it matches IP precedence of 5 (critical).

Below is the expected config on R9 and TEST method

R9

class-map match-any SILVER
match access-group 102
match access-group 135


policy-map CPP
class SILVER
police cir 1000000
conform-action transmit
exceed-action transmit
set precedence 5

TEST YOUR CONFIG
R8

ip access-list extended falala
permit ip host 10.1.1.12 host 10.1.1.8 precedence critical
permit ip any any

interface Ethernet0/1
ip address 10.10.10.21 255.255.255.252
ip access-group falala in


R12

R12#ping
Protocol [ip]:
Target IP address: 10.1.1.8
Repeat count [5]: 11
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.1.1.12
Type of service [0]: 128
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 11, 100-byte ICMP Echos to 10.1.1.8, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.12
!!!!!!!!!!!
Success rate is 100 percent (11/11), round-trip min/avg/max = 36/60/140 ms
R12#

RESULT

R8#sh access-lists falala
Extended IP access list falala
10 permit ip host 10.1.1.12 host 10.1.1.8 precedence critical (33 matches)
20 permit ip any any (50 matches)
[/quote]

falala nibilomakusi that's great!

For the second one, I meet the same situation "When I put ip nat outside under the serial interface the OSPF relationship is going down". And I can't find the "policy map" setting on R22 as you said.

 

Regards,

Edited by stomima

Guys,

Answering the question below:

-R8 cannot reach IPv6 server CC1E:200:200:: 200 (loopback 200) on R4. Fix the problem so that reachability is established using any method. But do not use static route.

Solution:
This loopback200 is located on R4 as mentioned in the question.

On R4, the interface connected to R2 does not have ipv6 ospf 1 area 1 enabled, so you have to add this config. You will see the OSPF neighbor come up.
On R5, the interface connected to R2 does not have ipv6 ospf 1 area 0 enabled, so you have to add this config. You will see the OSPF neighbor come up.
On R5, the interface connected to R8 does not have ipv6 ospf 1 area 0 enabled, so you have to add this config. You will see the OSPF neighbor come up with R8 and will then be able to ping from R8 to R4. Actually, the IP address should be CC1e:200:200:200::200

interface Loopback200
 no ip address
 ipv6 address CC1E:200:200:200::200/64
 ipv6 ospf 1 area 1

That will fix the problem.

[]'s

Adilson


I think whoever tells us that he got K5 and passed it is lying, because it's not coming, and also it's not right in the cert and pass CCIE lab the solutions. So can anyone confirm that, please? In the end we help each other to pass, one target.

It's working, dude.

Please, can you explain how we can resolve the NAT issue and the 2nd ticket, in which we need to establish OSPF between R22 and R23? When I applied ip nat outside on the serial interface, my interface goes down.


Some guys are not truthful...and we easily believe anything we see on this forum. Some people have like 5 IDs, ...asking questions and answering themselves.

Stop distracting people; it is better not to say anything than to tell a lie.

Some can even say K9, TS7+.....Ummmm? Some love to hear others failing. Why????


Guys, don't distract others. There is nothing more than K2+ K4 K6 and TS3++ TS4+; those are all active, K5 is pretty much dead.
