A network associate is configuring a router for the CCNA Training company to provide internet access. The ISP has provided the company six public IP addresses of 198.18.184.105 – 198.18.184.110. The company has 14 hosts that need to access the internet simultaneously. The hosts in the CCNA Training company LAN have been assigned private space addresses in the range of 192.168.100.17 – 192.168.100.30.
The task is to complete the NAT configuration using all IP addresses assigned by the ISP to provide Internet access for the hosts in the Weaver LAN. Functionality can be tested by clicking on the host provided for testing.
Configuration information
router name – Weaver
inside global addresses – 198.18.184.105 – 198.18.184.110/29
inside local addresses – 192.168.100.17 – 192.168.100.30/28
number of inside hosts – 14
The following have already been configured on the router:
- The basic router configuration
- The appropriate interfaces have been configured for NAT inside and NAT outside
- The appropriate static routes have also been configured (since the company will be a stub network, no routing protocol will be required.)
- All passwords have been temporarily set to “cisco”
The CCNA Training company has 14 hosts that need to access the internet simultaneously, but we have only 6 public IP addresses, from 198.18.184.105 to 198.18.184.110/29. Therefore we have to use NAT overload (or PAT).
Double click on the Weaver router to open it
Router>enable
Router#configure terminal
First you should change the router’s name to Weaver
Router(config)#hostname Weaver
Create a NAT pool of global addresses to be allocated with their netmask (/29 = 255.255.255.248). There were reports that the simulator in the real exam did not accept the “prefix-length” keyword, so you should use the “netmask” keyword.
Weaver(config)#ip nat pool mypool 198.18.184.105 198.18.184.110 netmask 255.255.255.248
Create a standard access control list that permits the addresses that are to be translated
Establish dynamic source translation, specifying the access list that was defined in the prior step
Weaver(config)#ip nat inside source list 1 pool mypool overload
This command translates all source addresses that pass access list 1, which means a source address from 192.168.100.17 to 192.168.100.30, into an address from the pool named mypool (the pool contains addresses from 198.18.184.105 to 198.18.184.110)
The overload keyword allows multiple IP addresses to be mapped to a single registered IP address (many-to-one) by using different ports.
The question said that appropriate interfaces have been configured for NAT inside and NAT outside statements.
This is how to configure the NAT inside and NAT outside, just for your understanding:
To configure the router (R2-RC) click on the console host icon that is connected to a router by a serial console cable (shown in the diagram as a dashed black line)
CCNA Training Company recently installed a new router in their office. Complete the network installation by performing the initial router configurations and configuring RIPV2 routing using the router command line interface (CLI) on the R2-RC.
Name of the router is R2-RC
Enable-secret password is cisco1
The password to access user EXEC mode using the console is cisco2
The password to allow telnet access to the router is cisco3
IPV4 addresses must be configured as follows:
Ethernet network 209.165.202.128/27 – router has last assignable host address in subnet
Serial network is 192.0.2.16/28 – router has last assignable host address in the subnet. Interfaces should be enabled.
Router protocol is RIP V2
Attention :
In practical examinations, please note the following, the actual information will prevail.
1. Name of the router is xxx
2. Enable-secret password is xxx
3. Password to access user EXEC mode using the console is xxx
4. The password to allow telnet access to the router is xxx
5. IP information
Note: We should use classful networks (209.165.202.0 & 192.0.2.0) when configuring RIP. If we use detailed networks (209.165.202.128 & 192.0.2.16) the router will automatically convert them into classful networks.
You have been hired by Specialty Hardware Incorporated to document the layout of the network. Complete the following tasks: Complete the network topology shown in the graphic by dragging the labels below with the appropriate router types, interface types, and IP addresses to the graphic. Find the information you need by using the router console attached to the R-CENTER router.
This is the simplest of the four lab questions you see in the real CCNA exam. First we should identify the types of these routers by using the show cdp neighbors command:
There are 3 columns we should pay more attention to:
+ Local Interface: the interface on the device on which you run the “show cdp neighbors” command. In this case it is the interface of R-CENTER router
+ Platform: the platform of neighbor device
+ Port ID: the neighbor device’s port or interface on which the CDP packets are multicast
From the exhibit, the “Local Interface”, “Platform” and “Port ID” columns, we can identify where these four routers should be placed and their corresponding associated ports
Finally, use the show running-config command to find out the ip addresses of four interfaces on R-CENTER
And we can easily assign corresponding ip addresses to four neighbor routers, which are on the same network with R-CENTER router’s interfaces
Please remember in the real CCNA Exam the routers’ types, ip addresses and interfaces may be different! So make sure you understand how it works.
After adding R3 router, no routing updates are being exchanged between R3 and the new location. All other inter connectivity and Internet access for the existing locations of the company are working properly.
The task is to identify the fault(s) and correct the router configuration to provide full connectivity between the routers.
Access to the router CLI can be gained by clicking on the appropriate host. All passwords on all routers are cisco.
We should check the configuration of the new added router first because it does not function properly while others work well. From the command line interface of R3 router, enter the show running-config command
From the output above, we know that this router was wrongly configured with an autonomous system (AS) number of 22. When the AS numbers among routers are mismatched, no adjacency is formed.
(You should check the AS numbers on other routers for sure)
To solve this problem, we simply re-configure router R3 with the following commands:
R3>enable (you have to enter cisco as its password here)
R3#configure terminal
R3(config)#no router eigrp 22
R3(config)#router eigrp 212
R3(config-router)#network 192.168.60.0
R3(config-router)#network 192.168.77.0
R3(config-router)#no auto-summary
R3(config-router)#end
R3#copy running-config startup-config
Check R1 router with the show running-config command:
Notice that it is missing a definition of the network to R3. Therefore we have to add it so that R1 can recognize the R3 router
R1>enable (you have to enter cisco as its password here)
R1#configure terminal
R1(config)#router eigrp 212
R1(config-router)#network 192.168.77.0
R1(config-router)#end
R1#copy running-config startup-config
Now the whole network will work well. You should check again with ping command from router R3 to other routers!
Modifications:
Maybe in this EIGRP Sim you will see the “passive-interface …” command somewhere in R1 configuration. If the link between R1 and the R2 (or R3, R4) routers has the “passive-interface” command then we have to remove it with the “no passive-interface …” command because it prevents EIGRP updates from being sent on that interface. But if “passive-interface” is applied to the link between R1 and the ISP router then we just leave it. Don’t use “no passive-interface s1/0” on R1 because the link between R1 & ISP doesn’t need EIGRP to run on it. A static route from R1 to ISP & the “ip default-network” command in R1 are the correct answers.
(Note: The “ip default-network” command in R1 will advertise the static route of R1 (to go to the Internet) to other routers (R2,R3,R4) so that they can access the Internet too). In the exam you will see these lines in R1 configuration:
!
ip default-network 198.0.18.0
ip route 0.0.0.0 0.0.0.0 198.0.18.5
!
This topology contains 3 routers and 1 switch. Complete the topology.
Drag the appropriate device icons to the labeled Device
Drag the appropriate connections to the locations labeled Connections.
Drag the appropriate IP addresses to the locations labeled IP address
(Hint: use the given host addresses and Main router information)
To remove a device or connection, drag it away from the topology.
Use information gathered from the Main router to complete the configuration of any additional routers. No passwords are required to access the Main router. The config terminal command has been disabled for the HQ router. The router does not require any configuration.
Configure each additional router with the following:
Configure the interfaces with the correct IP address and enable the interfaces.
Set the password to allow console access to consolepw
Set the password to allow telnet access to telnetpw
Set the password to allow privilege mode access to privpw
Note: Because routes are not being added to the configurations, you will not be able to ping through the internetwork.
All devices have cable autosensing capabilities disabled.
All hosts are PC’s
Specify appropriate devices and drag them on the “Device” boxes
For the device at the bottom-right box, we notice that it has 2 interfaces, Fa0/2 and Fa0/4; moreover, the link that connects the PC on the right with the device on the bottom-right is a straight-through link -> it is a switch
The question stated that this topology contains 3 routers and 1 switch -> two other devices are routers
Place them on appropriate locations as following:
(Host D and host E will be automatically added after placing two routers. Click on them to access neighboring routers)
Specify appropriate connections between these devices:
+ The router on the left is connected with the Main router through FastEthernet interfaces: use a crossover cable
+ The router on the right is connected with the Main router through Serial interfaces: use a serial cable
+ The router on the right and the Switch: use a straight-through cable
+ The router on the left and the computer: use a crossover cable
(To remember which type of cable you should use, follow these tips:
- To connect two serial interfaces of 2 routers we use serial cable
- To specify when we use crossover cable or straight-through cable, we should remember:
Group 1: Router, Host, Server
Group 2: Hub, Switch
One device in group 1 + One device in group 2: use straight-through cable
Two devices in the same group: use crossover cable
For example: we use straight-through cable to connect switch to router, switch to host, hub to host, hub to server… and we use crossover cable to connect switch to switch, switch to hub, router to router, host to host… )
Assign appropriate IP addresses for interfaces:
From Main router, use show running-config command:
(Notice that you may see different IP addresses in the real CCNA exam, the ones shown above are just used for demonstration)
From the output we learned that the ip address of Fa0/0 interface of the Main router is 192.168.152.177/28. This address belongs to a subnetwork which has:
And we can pick an IP address from the list that belongs to this subnetwork, 192.168.152.190, and assign it to the Fa0/0 interface of the router on the left
Use the same method for interface Serial0/0 with an ip address of 192.168.152.161
You will need Packet Tracer version 5.3 or above to open these files. It’s totally free! You can download this software but you need to register first or you can find a mirror download with google (with keyword “download packet tracer”)
Please notice that in real exam, you have to click on host (PC) to access command-line-interface of the router, not the router itself.
You work as a network technician at 9tut.com. Study the exhibit carefully. You are required to perform configurations to enable Internet access. The Router ISP has given you six public IP addresses in the 198.18.32.65 – 198.18.32.70/29 range.
9tut.com has 62 clients that need to have simultaneous internet access. These local hosts use private IP addresses in the 192.168.6.65 – 192.168.6.126/26 range.
You need to configure Router1 using the PC1 console.
You have already made basic router configuration. You have also configured the appropriate NAT interfaces; NAT inside and NAT outside respectively.
Now you are required to finish the configuration of Router1.
The company has 62 hosts that need to access the internet simultaneously but we just have 6 public IP addresses from 198.18.32.65 to 198.18.32.70/29 => we have to use NAT overload (or PAT)
Double click on PC1 to access Router1’s command line interface
Router1>enable
Router1#configure terminal
Create a NAT pool of global addresses to be allocated with their netmask (notice that /29 = 248)
Router1(config)#ip nat pool mypool 198.18.32.65 198.18.32.70 netmask 255.255.255.248
Create a standard access control list that permits the addresses that are to be translated
Establish dynamic source translation, specifying the access list that was defined in the prior step
Router1(config)#ip nat inside source list 1 pool mypool overload
This command translates all source addresses that pass access list 1, which means a source address from 192.168.6.65 to 192.168.6.126, into an address from the pool named mypool (the pool contains addresses from 198.18.32.65 to 198.18.32.70)
The overload keyword allows multiple IP addresses to be mapped to a single registered IP address (many-to-one) by using different ports.
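An added example (not part of the original walkthrough and not Cisco's code) that applies to both NAT labs on this page: it derives the standard ACL statement from the inside local range, checks the pool against its netmask, and models how overload lets many inside hosts share one global address. The PatTable class, its port-allocation order and the source port 50000 are assumptions of this simplified model.

```python
import ipaddress
from itertools import chain


def acl_permit_for_range(acl_number, first_host, last_host, prefix_len):
    """Build the standard ACL line that covers an inside local host range.

    The wildcard mask is the inverse of the subnet mask (/28 -> 0.0.0.15).
    """
    net = ipaddress.ip_network(f"{first_host}/{prefix_len}", strict=False)
    if ipaddress.ip_address(last_host) not in net:
        raise ValueError("host range does not fit in one subnet of that size")
    return f"access-list {acl_number} permit {net.network_address} {net.hostmask}"


def pool_fits_netmask(first, last, netmask):
    """True if both ends of the NAT pool are usable hosts of the same subnet."""
    net = ipaddress.ip_network(f"{first}/{netmask}", strict=False)
    usable = set(net.hosts())
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return lo <= hi and lo in usable and hi in usable


class PatTable:
    """Simplified model of 'overload': inside sockets share a global address
    and are told apart by the translated source port."""

    FIRST_DYNAMIC_PORT = 1024  # assumption of this model

    def __init__(self, pool_first, pool_last):
        lo = int(ipaddress.ip_address(pool_first))
        hi = int(ipaddress.ip_address(pool_last))
        self.pool = [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]
        self.out = {}   # (inside_ip, inside_port) -> (global_ip, global_port)
        self.back = {}  # (global_ip, global_port) -> (inside_ip, inside_port)

    def translate(self, inside_ip, inside_port):
        key = (inside_ip, inside_port)
        if key in self.out:
            return self.out[key]
        for global_ip in self.pool:
            # Keep the original source port when it is free, else take the
            # next free port; move to the next pool address only when full.
            for port in chain([inside_port], range(self.FIRST_DYNAMIC_PORT, 65536)):
                if (global_ip, port) not in self.back:
                    self.out[key] = (global_ip, port)
                    self.back[(global_ip, port)] = key
                    return self.out[key]
        raise RuntimeError("NAT pool exhausted")

    def untranslate(self, global_ip, global_port):
        """Map return traffic back to the inside socket (None if no entry)."""
        return self.back.get((global_ip, global_port))


def demo_weaver():
    """Constructed traffic: each of the 14 Weaver hosts connects from port 50000."""
    pat = PatTable("198.18.184.105", "198.18.184.110")
    hosts = [f"192.168.100.{n}" for n in range(17, 31)]
    return pat, [pat.translate(h, 50000) for h in hosts]


if __name__ == "__main__":
    print(acl_permit_for_range(1, "192.168.100.17", "192.168.100.30", 28))
    print(acl_permit_for_range(1, "192.168.6.65", "192.168.6.126", 26))
    _, mappings = demo_weaver()
    for global_ip, port in mappings:
        print(global_ip, port)
```
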
The question said that appropriate interfaces have been configured for NAT inside and NAT outside statements.
This is how to configure the NAT inside and NAT outside, just for your understanding:
For this question we only need to use the show running-config command to answer all the questions below
Router>enable
Router#show running-config
Question 1:
Which will fix the issue and allow ONLY ping to work while keeping telnet disabled?
A – Correctly assign an IP address to interface fa0/1
B – Change the ip access-group command on fa0/0 from “in” to “out”
C – Remove access-group 106 in from interface fa0/0 and add access-group 115 in.
D – Remove access-group 102 out from interface s0/0/0 and add access-group 114 in
E – Remove access-group 106 in from interface fa0/0 and add access-group 104 in
Answer: E
Explanation:
Let’s have a look at the access list 104:
The question does not ask about ftp traffic so we don’t care about the first two lines. The 3rd line denies all telnet traffic and the 4th line allows icmp traffic to be sent (ping). Remember that the access list 104 is applied on the inbound direction so the 5th line “access-list 104 deny icmp any any echo-reply” will not affect our icmp traffic because the “echo-reply” message will be sent over the outbound direction.
Question 2:
What would be the effect of issuing the command ip access-group 114 in to the fa0/0 interface?
A – Attempts to telnet to the router would fail
B – It would allow all traffic from the 10.4.4.0 network
C – IP traffic would be passed through the interface but TCP and UDP traffic would not
D – Routing protocol updates for the 10.4.4.0 network would not be accepted from the fa0/0 interface
Answer: B
Explanation:
From the output of access-list 114: access-list 114 permit ip 10.4.4.0 0.0.0.255 any we can easily understand that this access list allows all traffic (ip) from 10.4.4.0/24 network
Question 3:
What would be the effect of issuing the command access-group 115 in on the s0/0/1 interface?
A – No host could connect to Router through s0/0/1
B – Telnet and ping would work but routing updates would fail.
C – FTP, FTP-DATA, echo, and www would work but telnet would fail
D – Only traffic from the 10.4.4.0 network would pass through the interface
Answer: A
Explanation:
First let’s see what was configured on interface S0/0/1:
Recall that each interface only accepts one access-list, so when using the command “ip access-group 115 in” on the s0/0/1 interface it will overwrite the initial access-list 102. Therefore any telnet connection will be accepted (so we can eliminate answer C).
B is not correct because if telnet and ping can work then routing updates can, too.
D is not correct because access-list 115 does not mention the 10.4.4.0 network. So the most reasonable answer is A.
But this raises a question…
The wildcard mask of access-list 115, which is 255.255.255.0, means that only hosts with IP addresses in the form of x.x.x.0 will be accepted. But we all know that x.x.x.0 is likely to be a network address so the answer A: “no host could connect to Router through s0/0/1” seems right…
But what will happen if we don’t use a subnet mask of 255.255.255.0? For example we can use an ip address of 10.45.45.0 255.255.0.0, such a host with that ip address exists and we can connect to the router through that host. Now answer A seems incorrect!
A network associate is adding security to the configuration of the Corp1 router. The user on host C should be able to use a web browser to access financial information from the Finance Web Server. No other hosts from the LAN nor the Core should be able to use a web browser to access this server. Since there are multiple resources for the corporation at this location including other resources on the Finance Web Server, all other traffic should be allowed.
The task is to create and apply a numbered access-list with no more than three statements that will allow ONLY host C web access to the Finance Web Server. No other hosts will have web access to the Finance Web Server. All other traffic is permitted.
Access to the router CLI can be gained by clicking on the appropriate host.
All passwords have been temporarily set to “cisco”.
The Core connection uses an IP address of 198.18.196.65
The computers in the Hosts LAN have been assigned addresses of 192.168.33.1 – 192.168.33.254
Host A 192.168.33.1
Host B 192.168.33.2
Host C 192.168.33.3
Host D 192.168.33.4
The servers in the Server LAN have been assigned addresses of 172.22.242.17 – 172.22.242.30
The Finance Web Server is assigned an IP address of 172.22.242.23.
The Public Web Server is assigned an IP address of 172.22.242.17
Answer and Explanation
(Note: If you are not sure how to use access-list, please check out my access-list tutorial at: http://www.9tut.com/access-list-tutorial, also some modifications about the access-list have been reported so you should read the “Some modifications” section at the end of this question to understand more. You can also download this sim to practice (open with Packet Tracer) here: http://www.9tut.com/download/9tut.com_Access-list_sim2.pkt)
Corp1>enable (you may enter “cisco” as its password here)
We should create an access-list and apply it to the interface which is connected to the Server LAN because it can filter out traffic from both Sw-2 and Core networks. The Server LAN network has been assigned addresses of 172.22.242.17 – 172.22.242.30 so we can guess the interface connected to them has an IP address of 172.22.242.30 (.30 is the number shown in the figure). Use the “show running-config” command to check which interface has the IP address of 172.22.242.30.
Corp1#show running-config
We learn that interface FastEthernet0/1 is the interface connected to Server LAN network. It is the interface we will apply our access-list (for outbound direction).
Corp1#configure terminal
Our access-list needs to allow host C – 192.168.33.3 to the Finance Web Server 172.22.242.23 via web (port 80)
Deny other hosts access to the Finance Web Server via web
Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80
All other traffic is permitted
Corp1(config)#access-list 100 permit ip any any
Apply this access-list to Fa0/1 interface (outbound direction)
Corp1(config)#interface fa0/1
Corp1(config-if)#ip access-group 100 out
Notice: We have to apply the access-list to Fa0/1 interface (not Fa0/0 interface) so that the access-list can filter traffic coming from both the LAN and the Core networks. If we apply access list to the inbound interface we can only filter traffic from the LAN network.
In the real exam, just click on host C and open its web browser. In the address box type http://172.22.242.23 to check if you are allowed to access Finance Web Server or not. If your configuration is correct then you can access it.
Click on other hosts (A, B and D) and check to make sure you can’t access Finance Web Server from these hosts.
(This configuration only prevents hosts from accessing Finance Web Server via web but if this server supports other traffic – like FTP, SMTP… then other hosts can access it, too.)
Notice: In the real exam, you might be asked to allow other host (A, B or D) to access the Finance Web Server so please read the requirement carefully.
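The first-match behaviour this answer relies on, as an added example that is not part of the original walkthrough: a small evaluator for the extended ACL syntax used above, run against the lab's addresses. The host C permit statement is reconstructed from the description in the text (its command line is not printed on the page), and the function and constant names are this example's own.

```python
import ipaddress

# Addresses given in the lab.
HOST_A, HOST_B, HOST_C = "192.168.33.1", "192.168.33.2", "192.168.33.3"
CORE = "198.18.196.65"
FINANCE, PUBLIC = "172.22.242.23", "172.22.242.17"

# Statement 1 is an assumption: the text describes it (host C, web, port 80)
# but does not print the command. Statements 2 and 3 are from the page.
ACL_WEB_ONLY = [
    "access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80",
    "access-list 100 deny tcp any host 172.22.242.23 eq 80",
    "access-list 100 permit ip any any",
]

# Variant from "Some modifications": only host C may reach the server at all.
ACL_HOST_C_ONLY = [
    "access-list 100 permit ip host 192.168.33.3 host 172.22.242.23",
    "access-list 100 deny ip any host 172.22.242.23",
    "access-list 100 permit ip any any",
]


def to_int(address):
    return int(ipaddress.IPv4Address(address))


def take_addr(tokens):
    """Consume one address spec: 'any' | 'host A' | 'A WILDCARD'."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return to_int(tokens.pop(0)), 0
    return to_int(first), to_int(tokens.pop(0))


def parse_acl(lines):
    """Parse '[access-list N] permit|deny PROTO SRC DST [eq PORT]' lines."""
    rules = []
    for line in lines:
        tokens = line.split()
        if tokens[0] == "access-list":
            tokens = tokens[2:]
        action, proto = tokens.pop(0), tokens.pop(0)
        src, dst = take_addr(tokens), take_addr(tokens)
        port = int(tokens[1]) if tokens and tokens[0] == "eq" else None
        rules.append((action, proto, src, dst, port))
    return rules


def covers(spec, address):
    """Wildcard match: bits set in the wildcard are 'don't care'."""
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (to_int(address) & care) == (base & care)


def first_match(acl_lines, proto, src, dst, dport=None):
    """Return the action of the first matching statement; implicit deny last."""
    for action, r_proto, r_src, r_dst, r_port in parse_acl(acl_lines):
        if r_proto != "ip" and r_proto != proto:
            continue
        if not (covers(r_src, src) and covers(r_dst, dst)):
            continue
        if r_port is not None and r_port != dport:
            continue
        return action
    return "deny"


if __name__ == "__main__":
    probes = [  # constructed test traffic
        ("host C web", "tcp", HOST_C, FINANCE, 80),
        ("host A web", "tcp", HOST_A, FINANCE, 80),
        ("Core web", "tcp", CORE, FINANCE, 80),
        ("host A ftp", "tcp", HOST_A, FINANCE, 21),
        ("host A ping", "icmp", HOST_A, FINANCE, None),
    ]
    for name, proto, src, dst, port in probes:
        print(f"{name:12} web-only={first_match(ACL_WEB_ONLY, proto, src, dst, port):6} "
              f"host-C-only={first_match(ACL_HOST_C_ONLY, proto, src, dst, port)}")
```
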
Some modifications:
permit host B from accessing finance server
access-list 100 permit ip host 192.168.33.2 host 172.22.242.23
deny host B from accessing other servers (not the whole network)
access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15
permit everything else
permit ip any any
Only allow Host C to access the financial server
access-list 100 permit ip host 192.168.33.3 host 172.22.242.23
Not allow anyone else in any way communicate with the financial server
access-list 100 deny ip any host 172.22.242.23
Allow all other traffic
permit ip any any
- Host C should be able to use a web browser(HTTP)to access the Finance Web Server
- Other types of access from host C to the Finance Web Server should be blocked
– All access from hosts in the Core or local LAN to the Finance Web Server should be blocked
access-list 100 deny ip any host 172.22.242.23
(because the requirement says we can not use more than 3 statements so we have to use “any” here for the hosts in the Core and hosts in local LAN)
- All hosts in the Core and local LAN should be able to access the Public Web Server *
access-list 100 permit ip any host
(If the question asks this, surely it has to give you the IP of Public Web Server) but in the exam you should use “access-list 100 permit ip any any”
Host C should be able to use a web browser to access the financial web server
Other types of access from host C to the finance web server should be blocked
access-list 100 deny ip host 192.168.33.3 host 172.22.242.23
All hosts in the core and on the local LAN should be able to access the Public web server *
access-list 100 permit ip any host
(The IP of Public Web Server will surely be given in this question) but in the exam you should use “access-list 100 permit ip any any”
* There are some reports about the command of “All hosts in the core and on the local LAN should be able to access the Public web server” saying that the correct command should be “access-list 100 permit ip any any”, not “access-list 100 permit ip any host (IP of Public Web Server)”. Although I believe the second command is better but maybe you should use the first command “access-list 100 permit ip any any” instead as some reports said they got 100% when using this command (even if the question gives you the IP address of Public Web Server). It is a bug in this sim.
(Note: Don’t forget to apply this access list to the suitable interface or you will lose points
interface fa0/1
ip access-group 100 out
And in the exam, they may slightly change the requirements, for example host A, host B instead of host C… so make sure you read the requirement carefully and use the access-list correctly)
I created this sim in Packet Tracer v5.2.1 so you can practice with it. You will need new version of Packet Tracer to open it (v5.1+).
Notice: After typing the commands above, if you make a “ping” from other hosts (PC0, PC1, PC3) then PC4 (Finance Web Server) can still reply because we just filter HTTP traffic, not ICMP traffic. To generate HTTP traffic, select “Web Browser” in the “Desktop” tab of these PCs. When a web browser opens, type the IP address of Finance Web Server and you can see how traffic flows in Simulation Mode.
And notice that in the initial configuration of this sim the Core network can ping Finance Web Server. We have to create an access-list that can filter this traffic too.
This task requires you to use the CLI of Sw-AC3 to answer five multiple-choice questions. This does not require any configuration.
To answer the multiple-choice questions, click on the numbered boxes in the right panel.
There are five multiple-choice questions with this task. Be sure to answer all five questions before leaving this item.
Notice: All the images in this VTP LAB are used for demonstration only, you will see slightly different images in the real CCNA exam. You can download this sim to practice here (but notice that this sim is not perfect, only for practicing purpose): http://www.9tut.com/download/9tut.com_CCNA_vtp_sim.pka
If you are not sure about VTP, please read my VTP Tutorial
Note: In this VTP sim, you have to answer 5 questions. After answering the first question, click on the number boxes to move to other questions. If you click “Next” at the first question, you will lose points for 4 remaining questions.
Question 1
What interface did Sw-AC3 associate with source MAC address 0010.5a0c.ffba ?
a) Fa0/1
b) Fa0/3
c) Fa0/6
d) Fa0/8
e) Fa0/9
f) Fa0/12
Answer: Fa 0/8
Explanation: to find out which interface associated with a given MAC address, use the show mac-address-table command. It shows the learned MAC addresses and their associated interfaces. After entering this command, you will see a MAC address table like this:
From this table we can figure out that the MAC address 0010.5a0c.ffba is associated with interface Fa0/8.
Note: There are some reports that the “show mac-address-table” command does not exist in the exam. So in the exam, if you cannot use the “show mac-address-table” command then try using the “show mac address-table” (without “-”) instead.
Question 2
What ports on Sw-AC3 are operating as trunks (choose three)?
a) Fa0/1
b) Fa0/3
c) Fa0/4
d) Fa0/6
e) Fa0/9
f) Fa0/12
Answer: Fa0/3, Fa0/9 and Fa0/12
Explanation: Use the show interface trunk command to determine the trunking status of a link and VLAN status. This command lists port, its mode, encapsulation and whether it is trunking. The image below shows how it works:
(This image is used for demonstration only)
Question 3
What kind of router is VLAN-R1?
a) 1720
b) 1841
c) 2611
d) 2620
Answer: 2620
Explanation: VLAN-R1 is the router directly connected to Sw-Ac3 switch, so we can use the show cdp neighbors command to see:
1. Neighbor Device ID : The name of the neighbor device;
2. Local Interface : The interface on which this neighbor is heard
3. Capability: Capability of this neighboring device – R for router, S for switch, H for Host etc.
4. Platform: Which type of device the neighbor is
5. Port ID: The interface of the remote neighbor you receive CDP information
6. Holdtime: Decremental hold time in seconds
Sample output of show cdp neighbors command:
One thing to note is that “Local Intrfce” in the image above refers to the local interface on the device on which you are running the “show cdp neighbors” command
Question 4
Which switch is the root bridge for VLAN 1?
Answer: Sw-DS1
Explanation: First we use the show spanning-tree vlan 1 to view the spanning-tree information of VLAN 1
From the “Cost 19”, we learn that the root switch is directly connected to the Sw-Ac3 switch over a 100Mbps Ethernet link
Notice that if you see all of the interface roles are Desg (designated) then you can confirm Sw-Ac3 switch is the root bridge for this VLAN (VLAN 1).
If you see there is at least one Root port in the interface roles then you can confirm Sw-Ac3 is not the root bridge because root bridge does not have root port. In this case, we notice that the root port on Sw-Ac3 switch is FastEthernet0/12, so we have to figure out which switch is associated with this port -> it is the root bridge. You can verify it with the show cdp neighbors command:
The “Local Intrfce” column refers to the interface on the switch running “show cdp neighbors” command. In this case, Sw-DS1 is associated with interface FastEthernet0/12 -> Sw-DS1 is the root bridge
Question 5
What address should be configured as the default-gateway for the host connected to interface fa 0/4 of SW-Ac3?
Answer: 192.168.44.254
Explanation:
First we have to identify which VLAN interface Fa0/4 belongs to by the show vlan command
From the exhibit we know that VLAN 44 is configured on router using sub-interface Fa0/0.44 with IP address 192.168.44.254/24
Therefore the default gateway of the host should be 192.168.44.254
Question 6
From which switch did Sw-Ac3 receive VLAN information ?
Answer: Sw-AC2
Explanation: to view the VTP configuration information, use the show vtp status command
So we know Sw-Ac3 received VLAN information from 163.5.8.3 (notice: the IP address may be different). Finally we use the show cdp neighbors detail command to find out who 163.5.8.3 is:
Question 7
Refer to the exhibit, SwX was taken out of the production network for maintenance. It will be reconnected to the Fa 0/16 port of Sw-Ac3. What happens to the network when it is reconnected and a trunk exists between the two switches?
A – All VLANs except the default VLAN will be removed from all switches
B – All existing switches will have the students, admin, faculty, Servers, Management, Production, and no-where VLANs
C – The VLANs Servers, Management, Production and no-where will replace the VLANs on SwX
D – The VLANs Servers, Management, Production and no-where will be removed from existing switches
Answer and Explanation:
First we should view the VTP configuration of switch Sw-Ac3 by using the show vtp status command on Sw-Ac3
Notice that its configuration revision number is 5 and VTP Domain Name is home-office
Next, from the exhibit we know that SwX has a revision number of 6, which is greater than that of Sw-Ac3 switch, and both of them have same VTP Domain Name called “home-office”.
Therefore SwX will replace vlan information on other switches with its own information. We should check vlan information of Sw-Ac3 switch with show vlan command
So the correct answer is D – The VLANs Servers, Management, Production and no-where will be removed from existing switches
Please notice that in the real CCNA exam you may see a different configuration revision of Sw-Ac3 or of SwX. In general, the switch with the higher revision number becomes the updater, and the other switches overwrite their current databases with the new information received from the updater (provided that they are on the same domain and that switch is not in transparent mode). In particular, if the revision number of SwX is lower than that of Sw-Ac3, the answer should be “C – The VLANs Servers, Management, Production and no-where will replace the VLANs on SwX”.
Also, some recent comments have said that the new switch’s VTP Operating Mode is Server but the answer is still the same.
Note: If a switch is in client mode and has a higher Revision number, it can still update other Server switches (with lower Revision numbers).
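The revision-number rule above, written as a check to run before a switch is reconnected (an added example, not part of the original answer). The `show vtp status` excerpts are constructed, the operating modes and the split of VLAN names between the two switches are assumptions, and the logic covers only the conditions this explanation names: same domain, not transparent, higher revision wins.

```python
import re

# Constructed excerpts in the layout of `show vtp status`. The revision numbers and
# the domain name are the ones quoted in the explanation; the modes are assumed.
SW_AC3_STATUS = """\
Configuration Revision          : 5
VTP Operating Mode              : Server
VTP Domain Name                 : home-office
"""
SWX_STATUS = """\
Configuration Revision          : 6
VTP Operating Mode              : Client
VTP Domain Name                 : home-office
"""
# VLAN names come from the answer options; which switch holds which set is inferred.
SW_AC3_VLANS = {"Servers", "Management", "Production", "no-where"}
SWX_VLANS = {"students", "admin", "faculty"}

FIELDS = {
    "revision": r"Configuration Revision\s*:\s*(\d+)",
    "mode": r"VTP Operating Mode\s*:\s*(\S+)",
    "domain": r"VTP Domain Name\s*:\s*(\S*)",
}


def parse_vtp_status(text):
    """Extract revision, mode and domain from `show vtp status` text."""
    out = {}
    for key, pattern in FIELDS.items():
        m = re.search(pattern, text)
        if m is None:
            raise ValueError(f"missing field: {key}")
        out[key] = m[1]
    out["revision"] = int(out["revision"])
    out["mode"] = out["mode"].lower()
    return out


def predict_reconnect(existing, joining, existing_vlans, joining_vlans):
    """Return (winner, vlans_lost, vlans_gained) as seen from the losing side.

    winner is "joining", "existing", or None when no database is overwritten.
    """
    if existing["domain"] != joining["domain"]:
        return None, set(), set()          # different domains do not synchronise
    if "transparent" in (existing["mode"], joining["mode"]):
        return None, set(), set()          # transparent mode keeps its own database
    if joining["revision"] > existing["revision"]:
        # The reconnected switch becomes the updater, even in client mode.
        return "joining", existing_vlans - joining_vlans, joining_vlans - existing_vlans
    if joining["revision"] < existing["revision"]:
        return "existing", joining_vlans - existing_vlans, existing_vlans - joining_vlans
    return None, set(), set()              # equal revisions: nothing to update


if __name__ == "__main__":
    winner, lost, gained = predict_reconnect(
        parse_vtp_status(SW_AC3_STATUS), parse_vtp_status(SWX_STATUS),
        SW_AC3_VLANS, SWX_VLANS)
    print("updater:", winner, "| VLANs removed:", sorted(lost), "| added:", sorted(gained))
```

With the revision numbers from the exhibit (5 and 6) the result corresponds to answer D; lowering the SwX revision below 5 gives the answer C case.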
Question 8
Out of which ports will a frame be forwarded that has source mac-address 0010.5a0c.fd86 and destination mac-address 000a.8a47.e612? (Choose three)
A – Fa0/8
B – Fa0/3
C – Fa0/1
D – Fa0/12
Answer: B C D
Explanation:
First we check to see which ports the source mac-address and the destination mac-address belong to by using show mac-address-table command
We notice that the source mac-address 0010.5a0c.fd86 is listed in the table and it belongs to Vlan 33, but we can’t find the destination mac-address 000a.8a47.e612 in this table. In this case, the switch will flood the frame to all ports of Vlan 33 and to all the trunk links, except the port on which it received the frame (port Fa0/6). Therefore, from the output above, we can figure out that it will flood this frame to Fa0/1, Fa0/3 and Fa0/12.
Please notice that the “show mac-address-table” command lists only information that was learned by the switch, which means there can be other ports besides Fa0/1, Fa0/3 and Fa0/12 that belong to Vlan 33. You can use the show vlan command to see which ports belong to vlan 33
And we found other ports which belong to vlan 33, they are Fa0/2, Fa0/5 and Fa0/7. Our switch will flood the frame to these ports, too.
And we can check which trunk ports will receive this frame by the show interface trunk command
-> Port Fa0/9 will also receive this frame!
Note: Some reports said there is another version of this question. A reader on 9tut commented:
Another question on the VTP SIM was: “What will be the destination MAC address of a packet with Source IP address 192.168.44.1 and destination IP address 192.0.2.X?” (doesn’t really matter what will be the Dest. IP address, since it will be sent to the router).
The answer is simple:
Since the source IP address belongs to VLAN 44, the default gw of the sender is the Router’s Subinterface 192.168.44.254, and this is where the packet will be sent. Thus, you need to perform a ‘show cdp nei’ on the Sw-AC3 in order to find the local FastEthernet port where the router is connected. Then execute a “show mac address-table” (this command was functioning) and find the mac address associated with the previous port. This is the answer.
Question 9
If one of the hosts connected to Sw-AC3 wants to send something to the IP 190.0.2.5 (or any IP that is not on the same subnet), what will be the destination MAC address?
Answer and Explanation:
Because the destination address is not on the same subnet with the switch, it will forward the packet to its default gateway. So we have to find out who is the default gateway of this switch by using the show running-config command
From the output, we notice that its default-gateway is 192.168.1.254. In fact, we can easily guess that its default gateway should be a layer 3 device like a router; and in this case, the VLAN-R1 router. To verify our theory, use the show cdp neighbor detail command and focus on the description of VLAN-R1 router
From this output, we can confirm the switch’s default gateway is VLAN-R1 router (with the IP address of 192.168.1.254). And “the interface: FastEthernet0/3” tells us that the switch is connected to VLAN-R1 router through Fa0/3 port (Fa0/3 is the port on the switch).
Finally we just need to use the show mac-address-table command to find out which MAC address is associated with this interface
(Notice that in the real CCNA exam the MAC address or port may be different)
And we find out the corresponding MAC address is 000a.b7e9.8360. Although there are several entries for port Fa0/3 in different Vlans, they all have the same MAC address.
Refer to the topology. Your company has decided to connect the main office with three other remote branch offices using point-to-point serial links. You are required to troubleshoot and resolve OSPF neighbor adjacency issues between the main office and the routers located in the remote branch offices.
Instead of posting the output of “show run” commands we post here the commands entered on each router to reduce some useless lines. Also you can try solving questions by yourself before reading the answers.
R1
interface Loopback0
 description ***Loopback***
 ip address 192.168.1.1 255.255.255.255
 ip ospf 1 area 0
!
interface Ethernet0/0
 description **Connected to R1-LAN**
 ip address 10.10.110.1 255.255.255.0
 ip ospf 1 area 0
!
interface Ethernet0/1
 description **Connected to L2SW**
 ip address 10.10.230.1 255.255.255.0
 ip ospf hello-interval 25
 ip ospf 1 area 0
!
router ospf 1
 log-adjacency-changes

R2
!
interface Loopback0
 description **Loopback**
 ip address 192.168.2.2 255.255.255.255
 ip ospf 2 area 0
!
interface Ethernet0/0
 description **Connected to R2-LAN**
 ip address 10.10.120.1 255.255.255.0
 ip ospf 2 area 0
!
interface Ethernet0/1
 description **Connected to L2SW**
 ip address 10.10.230.2 255.255.255.0
 ip ospf 2 area 0
!
router ospf 2
 log-adjacency-changes

R3
username R6 password CISCO36
!
interface Loopback0
 description **Loopback**
 ip address 192.168.3.3 255.255.255.255
 ip ospf 3 area 0
!
interface Ethernet0/0
 description **Connected to L2SW**
 ip address 10.10.230.3 255.255.255.0
 ip ospf 3 area 0
!
interface Serial1/0
 description **Connected to R4-Branch1 office**
 ip address 10.10.240.1 255.255.255.252
 encapsulation ppp
 ip ospf 3 area 0
!
interface Serial1/1
 description **Connected to R5-Branch2 office**
 ip address 10.10.240.5 255.255.255.252
 encapsulation ppp
 ip ospf hello-interval 50
 ip ospf 3 area 0
!
interface Serial1/2
 description **Connected to R6-Branch3 office**
 ip address 10.10.240.9 255.255.255.252
 encapsulation ppp
 ip ospf 3 area 0
 ppp authentication chap
!
router ospf 3
 router-id 192.168.3.3
!

R4
!
interface Loopback0
 description **Loopback**
 ip address 192.168.4.4 255.255.255.255
 ip ospf 4 area 2
!
interface Ethernet0/0
 ip address 172.16.113.1 255.255.255.0
 ip ospf 4 area 2
!
interface Serial1/0
 description **Connected to R3-Main Branch office**
 ip address 10.10.240.2 255.255.255.252
 encapsulation ppp
 ip ospf 4 area 2
!
router ospf 4
 log-adjacency-changes

R5
!
interface Loopback0
 description **Loopback**
 ip address 192.168.5.5 255.255.255.255
 ip ospf 5 area 0
!
interface Ethernet0/0
 ip address 172.16.114.1 255.255.255.0
 ip ospf 5 area 0
!
interface Serial1/0
 description **Connected to R3-Main Branch office**
 ip address 10.10.240.6 255.255.255.252
 encapsulation ppp
 ip ospf 5 area 0
!
router ospf 5
 log-adjacency-changes

R6
username R3 password CISCO36
!
interface Loopback0
 description **Loopback**
 ip address 192.168.6.6 255.255.255.255
 ip ospf 6 area 0
!
interface Ethernet0/0
 ip address 172.16.115.1 255.255.255.0
 ip ospf 6 area 0
!
interface Serial1/0
 description **Connected to R3-Main Branch office**
 ip address 10.10.240.10 255.255.255.252
 encapsulation ppp
 ip ospf 6 area 0
 ppp authentication chap
!
router ospf 6
 router-id 192.168.3.3
!
Question 1
An OSPF neighbor adjacency is not formed between R3 in the main office and R4 in the Branch1 office. What is causing the problem?
A. There is an area ID mismatch.
B. There is a Layer 2 issue; an encapsulation mismatch on serial links.
C. There is an OSPF hello and dead interval mismatch.
D. The R3 router ID is configured on R4.
Answer: A
Explanation
We learned it is an OSPF problem so we should check the interfaces between them first. On both R3 and R4 use “show running-config” command to check their S1/0 interfaces
R3#show running-config
<<output omitted>>
!
interface Serial1/0
 description **Connected to R4-Branch1 office**
 ip address 10.10.240.1 255.255.255.252
 encapsulation ppp
 ip ospf 3 area 0
!
<<output omitted>>

R4#show running-config
<<output omitted>>
!
interface Serial1/0
 description **Connected to R3-Main Branch office**
 ip address 10.10.240.2 255.255.255.252
 encapsulation ppp
 ip ospf 4 area 2
!
<<output omitted>>
In the output above we see their Area IDs are mismatched; interface S1/0 of R3 is in area 0 (R3: ip ospf 3 area 0) while interface s1/0 of R4 is in area 2 (R4: ip ospf 4 area 2).
Question 2
An OSPF neighbor adjacency is not formed between R3 in the main office and R5 in the Branch2 office. What is causing the problem?
A. There is an area ID mismatch.
B. There is a PPP authentication issue; a password mismatch.
C. There is an OSPF hello and dead interval mismatch.
D. There is a missing network command in the OSPF process on R5.
Answer: C
Explanation
Continue checking their connected interfaces with the “show running-config” command:
R3#show running-config
<<output omitted>>
!
interface Serial1/1
 description **Connected to R5-Branch2 office**
 ip address 10.10.240.5 255.255.255.252
 encapsulation ppp
 ip ospf hello-interval 50
 ip ospf 3 area 0
!
<<output omitted>>

R5#show running-config
<<output omitted>>
!
interface Serial1/0
 description **Connected to R3-Main Branch office**
 ip address 10.10.240.6 255.255.255.252
 encapsulation ppp
 ip ospf 5 area 0
!
<<output omitted>>

The only difference we can see here is the line “ip ospf hello-interval 50” on R3. This command sets the number of seconds R3 waits before sending the next hello packet out this interface. In this case after configuring this command, R3 will send hello packets to R5 every 50 seconds. But the default value of hello-interval is 10 seconds and R5 is using it. Therefore we can think of a hello interval mismatch problem here. You can verify with the “show ip ospf interface <interface>” command on each router.

R3#sh ip ospf int s1/1
Serial1/1 is up, line protocol is up
  Internet Address 10.10.240.5/30, Area 0
  Process ID 3, Router ID 192.168.3.3, Network Type POINT_TO_POINT, Cost: 64
  Enabled by interface config, including secondary ip addresses
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 50, Dead 200, Wait 200, Retransmit 5
    oob-resync timeout 200
    Hello due in 00:00:28
  Supports Link-local Signaling (LLS)
  Index 2/2, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 0, maximum is 0
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 0, Adjacent neighbor count is 0
  Suppress hello for 0 neighbor(s)

R5#sh ip ospf int s1/0
Serial1/0 is up, line protocol is up
  Internet Address 10.10.240.6/30, Area 0
  Process ID 5, Router ID 10.10.240.6, Network Type POINT_TO_POINT, Cost: 64
  Enabled by interface config, including secondary ip addresses
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:04
  Supports Link-local Signaling (LLS)
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 0, maximum is 0
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 0, Adjacent neighbor count is 0
  Suppress hello for 0 neighbor(s)

So we can see both hello and dead interval are mismatched because the dead interval is always four times the value of the hello interval, unless you manually configure the dead interval (with the ip ospf dead-interval <seconds> command).
Question 3
R1 does not form an OSPF neighbor adjacency with R2. Which option would fix the issue?
A. R1 ethernet0/1 is shutdown. Configure no shutdown command.
B. R1 ethernet0/1 configured with a non-default OSPF hello interval of 25; configure no ip ospf hello-interval 25
C. R2 ethernet0/1 and R3 ethernet0/0 are configured with a non-default OSPF hello interval of 25; configure no ip ospf hello-interval 25
D. Enable OSPF for R1 ethernet0/1; configure ip ospf 1 area 0 command under ethernet0/1
Answer: B
Explanation
Continue checking their connected interfaces with the “show running-config” command:
R1#show running-config
<<output omitted>>
!
interface Ethernet0/1
 description **Connected to L2SW**
 ip address 10.10.230.1 255.255.255.0
 ip ospf hello-interval 25
 ip ospf 1 area 0
!
<<output omitted>>

R2#show running-config
<<output omitted>>
!
interface Ethernet0/1
 description **Connected to L2SW**
 ip address 10.10.230.2 255.255.255.0
 ip ospf 2 area 0
!
<<output omitted>>

We see the hello interval on R1 is not the same as R2 (and you can verify with the “show ip ospf interface <interface>” command) -> There is a hello and dead interval mismatch problem. We should configure “no ip ospf hello-interval 25” on R1.
Note: Maybe there are some versions of this question in the exam. For example there are some reports saying that Ethernet0/1 on R1 is shutdown (and this is the correct choice in the exam). So please be careful checking the config on the routers before choosing the correct answers.
Question 4
An OSPF neighbor adjacency is not formed between R3 in the main office and R6 in the Branch3 office. What is causing the problem?
A. There is an area ID mismatch.
B. There is a PPP authentication issue; the username is not configured on R3 and R6.
C. There is an OSPF hello and dead interval mismatch.
D. The R3 router ID is configured on R6.
Answer: D
Explanation
R3#show running-config
<<output omitted>>
username R6 password CISCO36
!
interface Serial1/2
 description **Connected to R6-Branch3 office**
 ip address 10.10.240.9 255.255.255.252
 encapsulation ppp
 ip ospf 3 area 0
 ppp authentication chap
!
<<output omitted>>
!
router ospf 3
 router-id 192.168.3.3
!
<<output omitted>>

R6#show running-config
<<output omitted>>
username R3 password CISCO36
!
interface Serial1/0
 description **Connected to R3-Main Branch office**
 ip address 10.10.240.10 255.255.255.252
 encapsulation ppp
 ip ospf 6 area 0
 ppp authentication chap
!
<<output omitted>>
!
router ospf 6
 router-id 192.168.3.3
!
<<output omitted>>
We are not sure about the configuration of ppp authentication in this case. Some reports said that only one router has the “ppp authentication chap” command but it is just a trick and is not the problem here. The real problem here is that R6 uses the same router-id as R3 (192.168.3.3), so OSPF neighborship cannot be established. In real life, such a configuration error will be shown in the command line interface (CLI). So please check carefully for this question.
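The four OSPF questions above come down to three checks per link: area ID, hello/dead timers and router ID. The following added example (not part of the original lab) runs those checks over the interface configurations listed on this page, trimmed to the relevant lines; it compares only explicitly configured router IDs and assumes the 10-second default hello interval mentioned in Question 2.

```python
import re
from ipaddress import ip_interface
from itertools import combinations

# Trimmed from the router listings on this page: only lines that affect adjacency.
CONFIGS = {
    "R1": """interface Ethernet0/1
 ip address 10.10.230.1 255.255.255.0
 ip ospf hello-interval 25
 ip ospf 1 area 0""",
    "R2": """interface Ethernet0/1
 ip address 10.10.230.2 255.255.255.0
 ip ospf 2 area 0""",
    "R3": """interface Ethernet0/0
 ip address 10.10.230.3 255.255.255.0
 ip ospf 3 area 0
interface Serial1/0
 ip address 10.10.240.1 255.255.255.252
 ip ospf 3 area 0
interface Serial1/1
 ip address 10.10.240.5 255.255.255.252
 ip ospf hello-interval 50
 ip ospf 3 area 0
interface Serial1/2
 ip address 10.10.240.9 255.255.255.252
 ip ospf 3 area 0
router ospf 3
 router-id 192.168.3.3""",
    "R4": """interface Serial1/0
 ip address 10.10.240.2 255.255.255.252
 ip ospf 4 area 2""",
    "R5": """interface Serial1/0
 ip address 10.10.240.6 255.255.255.252
 ip ospf 5 area 0""",
    "R6": """interface Serial1/0
 ip address 10.10.240.10 255.255.255.252
 ip ospf 6 area 0
router ospf 6
 router-id 192.168.3.3""",
}
DEFAULT_HELLO = 10  # seconds; assumed default, as stated in the Question 2 explanation


def parse(cfg):
    """Return (explicit router-id or None, list of interface dicts)."""
    router_id, ifaces, cur = None, [], None
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)", line):
            cur = {"name": m[1], "net": None, "area": None, "hello": None, "dead": None}
            ifaces.append(cur)
        elif line.startswith("router ospf"):
            cur = None  # left interface context
        elif m := re.match(r"router-id (\S+)", line):
            router_id = m[1]
        elif cur is not None:
            if m := re.match(r"ip address (\S+) (\S+)", line):
                cur["net"] = ip_interface(f"{m[1]}/{m[2]}").network
            elif m := re.match(r"ip ospf \d+ area (\S+)", line):
                cur["area"] = m[1]
            elif m := re.match(r"ip ospf (hello|dead)-interval (\d+)", line):
                cur[m[1]] = int(m[2])
    return router_id, ifaces


def timers(iface):
    """Effective (hello, dead): dead is four times hello unless set explicitly."""
    hello = iface["hello"] or DEFAULT_HELLO
    return hello, iface["dead"] or 4 * hello


def adjacency_problems(configs=CONFIGS):
    """Map each pair of routers sharing a subnet to a list of problem codes."""
    parsed = {name: parse(cfg) for name, cfg in configs.items()}
    report = {}
    for a, b in combinations(sorted(parsed), 2):
        (rid_a, ifs_a), (rid_b, ifs_b) = parsed[a], parsed[b]
        for ia in ifs_a:
            for ib in ifs_b:
                if ia["net"] is None or ia["net"] != ib["net"]:
                    continue
                if ia["area"] is None or ib["area"] is None:
                    continue  # OSPF not enabled on one end of the link
                problems = []
                if ia["area"] != ib["area"]:
                    problems.append("area-mismatch")
                if timers(ia) != timers(ib):
                    problems.append("hello-dead-mismatch")
                if rid_a is not None and rid_a == rid_b:
                    problems.append("duplicate-router-id")
                report[(a, b)] = problems
    return report


if __name__ == "__main__":
    for pair, problems in adjacency_problems().items():
        print(pair, problems or "ok")
```

Because R1, R2 and R3 share the 10.10.230.0/24 segment, the R1 hello interval of 25 is reported against R3 as well as R2.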
Refer to the topology. Your company has connected the routers R1, R2 and R3 with serial links. R2 and R3 are connected to the switches SW1 and SW2, respectively. SW1 and SW2 are also connected to the routers R4 and R5.
The EIGRP routing protocol is configured. You are required to troubleshoot and resolve the EIGRP issues between the various routers. Use the appropriate show commands to troubleshoot the issues.
Instead of posting the output of “show run” commands we post here the commands entered on each router to reduce some useless lines. Also you can try solving questions by yourself before reading the answers.
R1:
int lo0
 ip address 10.1.1.1 255.255.255.255
int e0/0
 ip address 192.168.16.1 255.255.255.0
int s1/1
 ip address 192.168.13.1 255.255.255.0
 bandwidth 1000
int s1/3
 ip address 192.168.12.1 255.255.255.0
!
router eigrp 1
 network 192.168.12.0
 network 192.168.13.0
 network 192.168.16.0

R2:
int lo0
 ip address 10.2.2.2 255.255.255.255
int e0/0
 ip address 192.168.123.2 255.255.255.0
int s2/1
 ip address 192.168.12.2 255.255.255.0
!
router eigrp 1
 network 10.2.2.2 0.0.0.0
 network 192.168.12.0
 network 192.168.123.0

R3:
int lo0
 ip address 10.3.3.3 255.255.255.255
int e0/0
 ip address 192.168.123.3 255.255.255.0
int s2/1
 ip address 192.168.13.3 255.255.255.0
!
router eigrp 1
 network 10.3.3.3 0.0.0.0
 network 192.168.13.0
 network 192.168.123.0

R4:
int lo0
 ip address 10.4.4.4 255.255.255.255
int lo1
 ip address 10.4.4.5 255.255.255.255
int lo2
 ip address 10.4.4.6 255.255.255.255
int e0/0
 ip address 192.168.123.4 255.255.255.0
!
router eigrp 2
 network 10.4.4.4 0.0.0.0
 network 10.4.4.5 0.0.0.0
 network 10.4.4.6 0.0.0.0
 network 192.168.123.0

R5:
int lo0
 ip address 10.5.5.5 255.255.255.255
int lo1
 ip address 10.5.5.55 255.255.255.255
int e0/0
 ip address 192.168.123.5 255.255.255.0
!
router eigrp 1
 network 10.5.5.5 0.0.0.0
 network 10.5.5.55 0.0.0.0
 network 10.10.10.0 0.0.0.255
 network 192.168.123.0

R6:
int lo0
 ip address 10.6.6.6 255.255.255.255
int e0/0
 ip address 192.168.16.6 255.255.255.0
!
router eigrp 1
 network 10.6.6.6 0.0.0.0
Note: In the exam, this sim uses IOS version 15 so “no auto-summary” is the default setting of EIGRP. You don’t have to type it.
The loopback interfaces on R4 with the IP addresses of 10.4.4.4/32, 10.4.4.5/32 and 10.4.4.6/32 are not appearing in the routing table of R5. Why are the interfaces missing?
A. The interfaces are shutdown, so they are not being advertised.
B. R4 has been incorrectly configured to be in another AS, so it does not peer with R5.
C. Automatic summarization is enabled, so only the 10.0.0.0 network is displayed.
D. The loopback addresses haven’t been advertised, and the network command is missing on R4.
Answer: B
Explanation
On R4 we see EIGRP is configured with AS 2 (router eigrp 2) while other routers are using AS 1 (router eigrp 1). Therefore R4 cannot see other routers and vice versa.
Question 2
Which path does traffic take from R1 to R5?
A. The traffic goes through R2.
B. The traffic goes through R3.
C. The traffic is equally load-balanced over R2 and R3.
D. The traffic is unequally load-balanced over R2 and R3.
Answer: A
Explanation
For this question we have to check the routing table of R1 to find out the answer. Using the “show ip route” command on R1, we will get something like this:
There are three interfaces on R5 which are Loopback0: 10.5.5.5 ; Loopback1: 10.5.5.55; Ethernet0/0: 192.168.123.5 and all of them are advertised via 192.168.12.2 so we can conclude traffic from R1 to R5 goes through R2 (192.168.12.2 is the IP address of S2/1 interface of R2).
Note: Maybe there is another version of this question in the exam in which the answer should be “The traffic is equally load-balanced over R2 and R3”. Therefore please check the “show ip route” output carefully to see if there are more than one route to the destination.
Question 3
Router R6 does not form an EIGRP neighbor relationship correctly with router R1. What is the cause for this misconfiguration?
A. The K values mismatch.
B. The AS does not match.
C. The network command is missing.
D. The passive-interface command is enabled.
Answer: C
Explanation
From the configuration of R6 we learn that R6 is missing “network 192.168.16.0” command (the network between R1 & R6) under EIGRP so EIGRP neighbor relationship will not be formed between them.
Question 4
Study the following output taken on R1:
R1#ping 10.5.5.55 source 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.5.5.55, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
. . . . .
Success rate is 0 percent (0/5)
Why are the pings failing?
A. The network statement is missing on R5.
B. The loopback interface is shut down on R5.
C. The network statement is missing on R1.
D. The IP address that is configured on the Lo1 interface on R5 is incorrect.
Answer: C
Explanation
R1 does not advertise its loopback 0 (10.1.1.1) to EIGRP therefore a ping to destination 10.5.5.55 (R5) from 10.1.1.1 will not be successful because R5 does not know how to reply to R1.
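Questions 1, 3 and 4 of this EIGRP lab all follow from two facts per router: its AS number and which interfaces its network statements cover. This added example (not part of the original lab) derives both from the configurations on this page; a network statement without a wildcard is treated as its classful network, and the helper names are this example's own.

```python
import re
from ipaddress import ip_address, ip_interface
from itertools import combinations

# Router configurations from this page (R1's "bandwidth 1000" line left out).
# Written one interface per source line; the regexes below ignore line breaks.
CONFIGS = {
    "R1": "int lo0 ip address 10.1.1.1 255.255.255.255 "
          "int e0/0 ip address 192.168.16.1 255.255.255.0 "
          "int s1/1 ip address 192.168.13.1 255.255.255.0 "
          "int s1/3 ip address 192.168.12.1 255.255.255.0 "
          "router eigrp 1 network 192.168.12.0 network 192.168.13.0 network 192.168.16.0",
    "R2": "int lo0 ip address 10.2.2.2 255.255.255.255 "
          "int e0/0 ip address 192.168.123.2 255.255.255.0 "
          "int s2/1 ip address 192.168.12.2 255.255.255.0 "
          "router eigrp 1 network 10.2.2.2 0.0.0.0 network 192.168.12.0 network 192.168.123.0",
    "R3": "int lo0 ip address 10.3.3.3 255.255.255.255 "
          "int e0/0 ip address 192.168.123.3 255.255.255.0 "
          "int s2/1 ip address 192.168.13.3 255.255.255.0 "
          "router eigrp 1 network 10.3.3.3 0.0.0.0 network 192.168.13.0 network 192.168.123.0",
    "R4": "int lo0 ip address 10.4.4.4 255.255.255.255 "
          "int lo1 ip address 10.4.4.5 255.255.255.255 "
          "int lo2 ip address 10.4.4.6 255.255.255.255 "
          "int e0/0 ip address 192.168.123.4 255.255.255.0 "
          "router eigrp 2 network 10.4.4.4 0.0.0.0 network 10.4.4.5 0.0.0.0 "
          "network 10.4.4.6 0.0.0.0 network 192.168.123.0",
    "R5": "int lo0 ip address 10.5.5.5 255.255.255.255 "
          "int lo1 ip address 10.5.5.55 255.255.255.255 "
          "int e0/0 ip address 192.168.123.5 255.255.255.0 "
          "router eigrp 1 network 10.5.5.5 0.0.0.0 network 10.5.5.55 0.0.0.0 "
          "network 10.10.10.0 0.0.0.255 network 192.168.123.0",
    "R6": "int lo0 ip address 10.6.6.6 255.255.255.255 "
          "int e0/0 ip address 192.168.16.6 255.255.255.0 "
          "router eigrp 1 network 10.6.6.6 0.0.0.0",
}


def classful_wildcard(addr):
    """Wildcard implied by a network statement that has none (class A/B/C)."""
    first = int(addr.split(".")[0])
    return "0.255.255.255" if first < 128 else "0.0.255.255" if first < 192 else "0.0.0.255"


def parse(cfg):
    """Return (AS number, {interface: IPv4Interface}, [(network, wildcard), ...])."""
    ifaces = {name: ip_interface(f"{addr}/{mask}") for name, addr, mask in
              re.findall(r"\bint\s+(\S+)\s+ip address\s+(\S+)\s+(\S+)", cfg)}
    asn = int(re.search(r"router eigrp\s+(\d+)", cfg)[1])
    nets = [(addr, wild or classful_wildcard(addr)) for addr, wild in
            re.findall(r"network\s+(\S+)(?:\s+(\d+\.\d+\.\d+\.\d+))?", cfg)]
    return asn, ifaces, nets


def covered(ip, net, wildcard):
    """True when the interface address matches the network/wildcard pair."""
    care = ~int(ip_address(wildcard)) & 0xFFFFFFFF
    return (int(ip) & care) == (int(ip_address(net)) & care)


def audit(configs=CONFIGS):
    """Return (interfaces no network statement covers, router pairs that cannot peer)."""
    routers = {name: parse(cfg) for name, cfg in configs.items()}
    silent = {}
    for name, (_, ifaces, nets) in routers.items():
        missing = sorted(n for n, i in ifaces.items()
                         if not any(covered(i.ip, a, w) for a, w in nets))
        if missing:
            silent[name] = missing
    blocked = {}
    for a, b in combinations(sorted(routers), 2):
        for na, ia in routers[a][1].items():
            for nb, ib in routers[b][1].items():
                if ia.network != ib.network:
                    continue  # not on a shared link
                if na in silent.get(a, []) or nb in silent.get(b, []):
                    blocked[(a, b)] = "network-statement-missing"
                elif routers[a][0] != routers[b][0]:
                    blocked[(a, b)] = "as-mismatch"
    return silent, blocked


if __name__ == "__main__":
    silent, blocked = audit()
    print("not covered by a network statement:", silent)
    print("cannot become neighbors:", blocked)
```

The uncovered lo0 on R1 is the Question 4 finding, the uncovered e0/0 on R6 is Question 3, and every pair involving R4 fails on the AS number as in Question 1.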
Refer to the topology below and answer the questions.
You can download this lab and practice with Packet Tracer at http://www.9tut.com/download/9tut.com_DHCP_Sim.zip (note: In this Packet Tracer file we use FastEthernet instead of Ethernet connections; and interfaces Fa1/0, Fa1/1 instead of interfaces Et0/2, Et0/3)
Question 1
Examine the DHCP configuration between R2 and R3, R2 is configured as the DHCP server and R3 as the client. What is the reason R3 is not receiving the IP address via DHCP?
A. On R3, DHCP is not enabled on the interface that is connected to R2.
B. On R3, the interface that is connected to R2 is in shutdown condition.
C. On R2, the interface that is connected to R3 is in shutdown condition.
D. On R2, the network statement in the DHCP pool configuration is incorrectly configured.
Answer: A
Explanation
First we should check which interface on R3 is connected to R2 via the “show run” command.
From the description we learn interface E0/1 is connected to R2. Use the “show ip interface brief” command to verify the IP address of this interface.
Therefore we can conclude this interface does not have any IP address and there is no configuration on this interface (except the “description Link to R2” line).
If R3 wants to receive an IP address from R2 via DHCP, interface E0/1 should be configured with the command “ip address dhcp” so the answer “DHCP is not enabled on this interface” is correct.
Question 2
R1 router clock is synchronized with ISP router. R2 is supposed to receive NTP updates from R1. But you observe that R2 clock is not synchronized with R1. What is the reason R2 is not receiving NTP updates from R1?
A. R1 router Ethernet interface that is connected to R2 is placed in shutdown condition.
B. R2 router Ethernet interface that is connected to R1 is placed in shutdown condition.
C. The NTP server command not configured on R2 router.
D. The IP address that is used in the NTP configuration on R2 router is incorrect.
Answer: D
Explanation
First we should verify that the ports connecting R1 and R2 are in “up/up” state with the “show ip interface brief” command on R1 & R2.
Note: We learn R1 & R2 connect to each other via E0/2 interface because the IP addresses of these interfaces belong to 192.168.10.0/30 subnet. Both of them are “up/up” so the link connecting between R1 & R2 is good.
Next we need to verify the ntp configuration on R2 with the “show running-config” command.
There is only one command related to NTP configuration on R2, so we need to check whether the IP address 192.168.100.1 is correct. From the “show ip interface brief” command on R1 we don’t see this IP -> This IP address is not correct. It should be 192.168.10.1 (IP address of interface E0/2 of R1), not 192.168.100.1.
Question 3
Why are applications that are installed on PCs in R2 LAN network 10.100.20.0/24 unable to communicate with Server1?
A. A standard ACL statement that is configured on R1 is blocking the traffic sourced from R2 LAN network.
B. A standard ACL statement that is configured on R1 is blocking the traffic sourced from Server1 network.
C. A standard ACL statement that is configured on R2 is blocking the traffic sourced from Server1 network.
D. A standard ACL statement that is configured on R2 is blocking the traffic sourced from R2 LAN network.
Answer: C
Explanation
We should check if we can ping from R1 to Server 1 or not:
The ping worked well so maybe R1 is good so we should check R2 first. We notice on R2 there is an access-list:
This access-list is applied to E0/2 interface with inbound direction. The purpose of this access-list is to block traffic with source IP address of 172.16.200.0/24 so it will block all traffic sent from Server 1 to us.
Question 4
Users complain that they are unable to reach internet sites. You are troubleshooting internet connectivity problem at main office. Which statement correctly identifies the problem on Router R1?
A. NAT configurations on the interfaces are incorrectly configured.
B. NAT translation statement incorrectly configured.
C. Interesting traffic for NAT ACL is incorrectly configured.
D. Only static NAT translation configured from the server, missing Dynamic NAT or Dynamic NAT overloading for internal networks.
Answer: A
Explanation
If all users cannot access internet then R1 is most likely to cause the problem so we should check it first. From the “show running-config” command we will see:
We notice that interface E0/0 (connected to ISP) has been configured as “nat inside” while interfaces E0/1 & E0/2 (connected to our company) have been configured as “nat outside”. This is not correct because “nat inside” should be configured with interfaces connected to our company while “nat outside” should be configured with interfaces connected to the internet. Therefore we can conclude the NAT configuration on these interfaces is not correct.
Refer to the topology below and answer the questions using “show” commands.
Question 1
Server1 and Server2 are unable to communicate with the rest of the network. Your initial check with system administrators shows that IP address settings are correctly configured on the server side. What could be an issue?
A. The VLAN encapsulation is misconfigured on the router subinterfaces.
B. The Router is missing subinterface configuration.
C. The Trunk is not configured on the L2SW1 switch.
D. The IP address is misconfigured on the primary router interface.
Answer: A
Explanation
Check the configuration of the interface that is connected to Server1 and Server2 on R2 with “show running-config” command.
We see that subinterface E0/1.100 has been configured with VLAN 200 (via “encapsulation dot1Q 200” command) while Server1 belongs to VLAN 100. Therefore this configuration is not correct. It should be “encapsulation dot1Q 100” instead. The same thing for interface E0/1.200, it should be “encapsulation dot1Q 200” instead.
Question 2
Users in the main office complain that they are unable to reach internet sites. You observe that internet traffic that is destined towards ISP router is not forwarded correctly on Router R1. What could be an issue?
Ping to Internet server shows the following results from R1:
R1#ping 209.165.200.225
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.200.225, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
A. The next hop router address for the default route is incorrectly configured.
B. Default route pointing to ISP router is not configured on Router R1.
C. Default route pointing to ISP router is configured with AD of 225.
D. Router R1 configured as DHCP client is not receiving default route via DHCP from ISP router.
Answer: B
Explanation
When all the users cannot reach internet sites we should check on the router connecting to the ISP to see if it has a default route pointing to the ISP or not. Use the “show ip route” command on R1:
We cannot find a default route on R1 (something like this: S* 0.0.0.0/0 [1/0] via 209.165.201.2) so maybe R1 was not configured with a default route. We can check with the “show running-config” on R1:
We need a default route (like “ip route 0.0.0.0 0.0.0.0 209.165.201.2”) but we cannot find one here, so we can conclude that R1 was not configured with a default route pointing to the ISP router.
Question 3
Examine R2 configuration, the traffic that is destined to R3 LAN network sourced from Router R2 is forwarded to R1 instead of R3. What could be an issue?
R2#traceroute 10.10.12.1 source 10.10.10.1
Type escape sequence to abort.
Tracing the route to 10.10.12.1
VRF info: (vrf in name/id, vrf out name/id)
  1 172.16.14.1 0 msec 1 msec 0 msec
  2 172.16.14.1 !H !H *
R2#
A. RIPv2 enabled on R3, but R3 LAN network that is not advertised into RIPv2 domain.
B. RIPv2 routing updates are suppressed between R2 and R3 using passive interface feature.
C. RIPv2 not enabled on R3.
D. No issue that is identified; this behavior is normal since default route propagated into RIPv2 domain by Router R1.
Answer: C
Explanation
First we should check the routing table of R2 with the “show ip route” command.
In this table we cannot find the subnet “10.10.12.0/24” (R3 LAN network) so R2 will use the default route advertised from R1 (with the command “default-information originate” on R1) to reach unknown destination, in this case subnet 10.10.12.0/24 -> R2 will send traffic to 10.10.12.0/24 to R1.
Next we need to find out why R3 did not advertise this subnet to R2. A quick check with “show running-config” on R3 shows that R3 was not configured with RIP (no “router rip” section). Therefore we can conclude RIPv2 was not enabled on R3.
Question 4
What is the correct statement below after examining the R1 routing table?
A. Traffic that is destined to 10.10.10.0/24 from R1 LAN network uses static route instead of RIPv2 because the static route AD that is configured is less than the AD of RIPv2
B. Traffic that is destined to 10.10.10.0/24 from R1 LAN network uses RIPv2 instead of static route because the static route AD that is configured is higher than the AD of RIPv2
C. Traffic that is destined to 10.10.10.0/24 from R1 LAN network uses static route instead of RIPv2 but the traffic is forwarded to the ISP instead of the internal network
D. Traffic that is destined to 10.10.10.0/24 from R1 LAN network uses RIPv2 instead of static route because the static route AD that is configured is 255
Answer: B
Explanation
Surely we have to use the “show ip route” command to check the R1 routing table.
As we see here, 10.10.10.0/24 is learned from RIP. Notice that although there is a static route on R1 to this destination (you can check with the “show running-config” on R1 to see the line “ip route 10.10.10.0 255.255.255.0 172.16.14.2 200”), this static route is not installed in the routing table because it is not the best path: the Administrative Distance (AD) of this static route is 200 while the AD of RIP is 120 -> R1 chose the path with the lowest AD, so it chose the path advertised via RIP.
Refer to the topology below and answer the following questions.
Question 1
Explanation
The Branch2 network is communicating to the Server farm, which is connected to R2, via GRE Tunnel so we should check the GRE tunnel first to see if it is in “up/up” state with the “show ip interface brief” command on the two routers.
On Branch2:
On R2:
We see interfaces Tunnel0 at two ends are “up/up” which are good so we should check for the routing part on two routers with the “show running-config” command and pay attention to the static routing of each router. On Branch2 we see:
The destination IP address for this static route is not correct. It should be 192.168.24.1 (Tunnel0’s IP address of R2), not 192.168.24.10 -> Answer C is correct.
Note: You can use the “show ip route” command to check the routing configuration on each router, but if the destination is not reachable (for example, we configure “ip route 10.10.10.0 255.255.255.0 192.168.24.10” on Branch2 but 192.168.24.10 is unknown) then the Branch2 router will not display this routing entry in its routing table.
Note: The IP address or configuration may be different in the exam.
Question 2
Explanation
First we should check Branch3 (and R1) with the “show ip interface brief” command to find any Layer1/Layer 2 issue.
We see the interfaces connecting them are in “up/down” state, which indicates a Layer 2 issue, so we should check the configuration of these interfaces carefully with the “show running-config” command and pay attention to these interfaces.
and on Branch3:
Image may be NSFW. Clik here to view.
We learn from above config is R1 is using CHAP to authenticate Branch3 router (via the “ppp authentication chap” command on R1). Branch3 router is sending CHAP hostname “Branch_3” and CHAP password “Branch3_Secret!” to R1 to be authenticated. Therefore we should check if R1 has already been configured with such username and password or not with the “show running-config” command on R1:
On R1 we see the configured username is “Branch3”, not “Branch_3” so the usernames here are mismatched and this is the problem -> Answer A is correct.
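The manual cross-check above (the name Branch3 presents versus the username entries on R1) can be scripted as a configuration audit. This is an added example, not part of the original explanation; the two excerpts are constructed from the values quoted in the text, and the interface name, the R1 password and the function names are assumptions.

```python
import re
from difflib import get_close_matches

# Constructed excerpts; only the names and the CHAP password come from the page.
R1_CFG = """\
hostname R1
username Branch3 password Branch3_Secret!
interface Serial1/0
 encapsulation ppp
 ppp authentication chap
"""
BRANCH3_CFG = """\
hostname Branch3
interface Serial1/0
 encapsulation ppp
 ppp chap hostname Branch_3
 ppp chap password Branch3_Secret!
"""

def local_users(cfg):
    """Map username -> password from global 'username NAME password SECRET' lines."""
    return dict(re.findall(r"^username (\S+) password (?:0 )?(\S+)", cfg, re.M))

def chap_identity(cfg):
    """Return (name, secret) that this router uses when it answers a CHAP challenge."""
    name = re.search(r"^\s+ppp chap hostname (\S+)", cfg, re.M)
    if name is None:  # without an override the global hostname is used
        name = re.search(r"^hostname (\S+)", cfg, re.M)
    secret = re.search(r"^\s+ppp chap password (?:0 )?(\S+)", cfg, re.M)
    return name.group(1), (secret.group(1) if secret else None)

def check_chap(authenticator_cfg, peer_cfg):
    """Compare the peer's CHAP identity with the authenticator's local user database."""
    users = local_users(authenticator_cfg)
    name, secret = chap_identity(peer_cfg)
    if name not in users:  # the match is exact and case-sensitive
        near = get_close_matches(name, list(users), n=1)
        hint = f"; closest entry is '{near[0]}'" if near else ""
        return f"FAIL: no username '{name}' on authenticator{hint}"
    # The secret never crosses the link, so both sides must hold the same value.
    if secret is not None and users[name] != secret:
        return f"FAIL: secret mismatch for '{name}'"
    return "OK"

if __name__ == "__main__":
    print(check_chap(R1_CFG, BRANCH3_CFG))
```

The result string names the offending username but never echoes the shared secret, so the output is safe to keep in audit logs.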
Question 3
Explanation
In this question we have to check each option to see if it is correct. When we check the Branch3 router we notice that the “network 192.168.10.0” command is missing under “router eigrp 100” -> Answer D is correct.
Question 4
Explanation
This question clearly stated there is a WAN connectivity issue between R1 and Branch1 so we should check both of them with the “show ip interface brief” command. On R1:
On Branch1:
We can see that although the Multilink1 interfaces are in the “up/up” state, they are not in the same subnet. According to the IP address scheme shown on the topology, we can deduce that the Multilink interface on Branch1 has been misconfigured; it should be 192.168.14.2 instead.
All routers are running IPv6 OSPF with process ID 100. The loopback0 IPv4 address is the OSPF router ID of each router.
On HQ router, a provider link is provided and you have to configure an IPv6 default route on HQ and make sure this route is advertised in IPv6 OSPF process. Also troubleshoot why HQ is not forming IPv6 OSPF neighbor with BR.
Requirements:
1. Configure IPv6 default route on HQ router with default gateway of 2001:DB8:B:B1B2::1
2. Verify by pinging provider test IPv6 address 2001:DB8:0:1111::1 after configuring default route on HQ
3. Make sure that the default route is advertised in IPv6 OSPF router HQ. This default route should be advertised only when HQ has a default route in its routing table
4. Router HQ is not forming IPv6 OSPF neighbor with BR. Troubleshoot and solve the problem
Solution
1. Configure IPv6 default route on HQ router with default gateway of 2001:DB8:B:B1B2::1:
First we have to enable IPv6 routing with the “ipv6 unicast-routing” command then we configure a default route on HQ router.
2. Verify by pinging provider test IPv6 address 2001:DB8:0:1111::1 after configuring default route on HQ:
HQ#ping ipv6 2001:DB8:0:1111::1
Issue the ping test to see if the default route works. The ping must be successful.
3. Make sure that the default route is advertised in IPv6 OSPF router HQ. This default route should be advertised only when HQ has a default route in its routing table:
The command “default-information originate” will generate a default route and send it to all other routers in the OSPF domain, provided that the local router has a default route configured.
4. Router HQ is not forming IPv6 OSPF neighbor with BR. Troubleshoot and solve the problem
Maybe interface S1/0 of HQ was not enabled with IPv6 OSPF (verify by the “show run” or “show ipv6 ospf interface” command) so we have to enable it.
HQ(config)#interface s1/0
HQ(config-if)#ipv6 ospf 100 area 0
After configuration use the “show ipv6 ospf neighbor” on HQ to see if BR is listed in the output.
We are not sure about the details but here are the faults in this sim:
– Native VLAN mismatch between SW1 & SW3
– Switchport mode mismatch: one in access mode while the other end in trunk mode -> need to change from access to trunk mode
– One port in VLAN 500 while other port in VLAN 600
Refer to the topology below. Your company asks you to identify the issues in Phase 1 EIGRP implementation. You have console access on R1, R2, R3 Branch1 and Branch2 routers. Only use show commands to troubleshoot the issues.
Question 1
Explanation
R1 routing table does not have any EIGRP learned routes so R1 or the link between R1 & R2 is the most likely problem. We should check if the IP addresses on R1 and R2 are correct or not with the “show ip interface brief” command.
Note: You should check the IP address of R2 E0/0 interface (the interface connected to R1) as well.
Question 2
Explanation
The “main office” here refers to R2 (and other routers behind it). Check Branch2 with the “show ip route” command:
We can see Branch2 only uses 192.168.12.1 (Branch 1 – the secondary path) to reach R2 and the subnets behind. Branch2 does not use the primary path (directly connected to R2) so there must be a problem with the connection between R2 and Branch2. Check Branch2 router with the “show running-config” command and we can see an access-list is blocking EIGRP packets advertised to Branch2.
Question 3
Explanation
This issue is the same as Question 2 but this time it is R3 which causes the issue. We can check R3 with the “show running-config” command.
Question 4
Explanation
In this question we should check the local routers to see if these subnets have been advertised or not as there are many issues in the path which prevent these subnets from being shown in the routing tables.
When checking Branch1 router, we notice “network 172.16.0.0” is missing under EIGRP 200 so answer D is correct.
You are tasked to configure Internet access on a router. The ISP has provided the company six public IP addresses of 198.18.184.105 – 198.18.184.110. The company has 14 hosts that need to access the internet simultaneously. The hosts in the company LAN have been assigned private space addresses in the range of 192.168.100.17 – 192.168.100.30.
The following have already been configured on the router:
– Router basic configuration
– Interfaces have been configured for NAT inside (Fa0/0) and NAT outside (s0/0)
– The appropriate static routes have also been configured
– All passwords have been temporarily set to “cisco”
Tasks:
+ Use NAT to provide Internet access to all hosts in the company LAN.
+ Name the router TUT
+ Inside global addresses: 198.18.184.105 – 198.18.184.110/29
+ Inside local addresses: 192.168.100.17 – 192.168.100.30/28
+ Number of inside hosts: 14
The CCNA Training company has 14 hosts that need to access the internet simultaneously but we just have 6 public IP addresses from 198.18.184.105 to 198.18.184.110/29. Therefore we have to use NAT overload (or PAT)
Double click on the TUT router to open it
Router>enable
Router#configure terminal
First you should change the router’s name to TUT
Router(config)#hostname TUT
Create a NAT pool of global addresses to be allocated with their netmask (/29 = 255.255.255.248). There were reports that the simulator in the real exam did not accept the “prefix-length” keyword, so you should use the “netmask” keyword.
TUT(config)#ip nat pool mypool 198.18.184.105 198.18.184.110 netmask 255.255.255.248
Create a standard access control list that permits the addresses that are to be translated
Establish dynamic source translation, specifying the access list that was defined in the prior step
TUT(config)#ip nat inside source list 1 pool mypool overload
This command translates all source addresses that pass access list 1, which means a source address from 192.168.100.17 to 192.168.100.30, into an address from the pool named mypool (the pool contains addresses from 198.18.184.105 to 198.18.184.110)
The overload keyword allows multiple IP addresses to be mapped to a single registered IP address (many-to-one) by using different ports.
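The NAT statements in this procedure follow directly from the two address ranges in the task, so they can be derived and checked programmatically. This Python script is an added example, not part of the original solution; the function names are hypothetical, and the access-list line it emits is computed from the /28 inside range because the page does not show that command.

```python
import ipaddress

def enclosing_subnet(first, last):
    """Smallest subnet whose usable host range covers first..last."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    for prefix in range(30, -1, -1):
        net = ipaddress.ip_network(f"{lo}/{prefix}", strict=False)
        if net.network_address < lo and hi < net.broadcast_address:
            return net
    raise ValueError("range does not fit in one subnet")

def count(first, last):
    """Number of addresses in the inclusive range first..last."""
    return int(ipaddress.IPv4Address(last)) - int(ipaddress.IPv4Address(first)) + 1

def nat_plan(in_first, in_last, pool_first, pool_last, acl=1, pool="mypool"):
    """Derive the NAT statements and whether PAT (overload) is required."""
    inside = enclosing_subnet(in_first, in_last)
    outside = enclosing_subnet(pool_first, pool_last)
    # More inside hosts than public addresses means ports must be shared.
    overload = count(in_first, in_last) > count(pool_first, pool_last)
    lo, hi = ipaddress.IPv4Address(in_first), ipaddress.IPv4Address(in_last)
    # Scope check: addresses the ACL matches beyond the intended hosts.
    extra = [str(a) for a in inside if not lo <= a <= hi]
    config = [
        f"ip nat pool {pool} {pool_first} {pool_last} netmask {outside.netmask}",
        f"access-list {acl} permit {inside.network_address} {inside.hostmask}",
        f"ip nat inside source list {acl} pool {pool}"
        + (" overload" if overload else ""),
    ]
    return {"config": config, "overload": overload, "acl_extra": extra}

# Address ranges taken from the task statement on this page.
PLAN = nat_plan("192.168.100.17", "192.168.100.30",
                "198.18.184.105", "198.18.184.110")

if __name__ == "__main__":
    print("\n".join(PLAN["config"]))
    print("overload needed:", PLAN["overload"])
    print("ACL also matches:", PLAN["acl_extra"])
```

The `acl_extra` list shows that the wildcard mask covers only the subnet's network and broadcast addresses in addition to the 14 hosts, so the ACL does not translate traffic from any other inside range.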
The question said that appropriate interfaces have been configured for NAT inside and NAT outside statements.
This is how to configure the NAT inside and NAT outside, just for your understanding:
TUT Company recently installed a new router in their office. Complete the network installation by performing the initial router configurations and configuring RIPv2 routing using the router command line interface (CLI) on the R2-TUT.
Name of the router is R2-TUT
Enable-secret password is cisco1
The password to access user EXEC mode using the console is cisco2
The password to allow telnet access to the router is cisco3
IPv4 addresses must be configured as follows:
Ethernet network 213.123.20.128/27 – router has last assignable host address in subnet
Serial network is 200.0.1.16/28 – router has last assignable host address in the subnet.
Interfaces should be enabled.
Router protocol is RIPv2
Note: We should use classful networks (213.123.20.0 & 200.0.1.0) when configuring RIP. If we use detailed networks (213.123.20.128 & 200.0.1.16) the router will automatically convert them into classful networks.