Qn1 - Layer 2 (2 Points) : Banco Bank Headquarter


Qn1 – Layer 2 (2 Points)

NOTE: The IOU has a bug. Delete #ip nat inside on e0/1 and e0/3 interface of R7 and R8
to get around the bug. If you don’t delete this, OSPF neighbor may not form.

Banco Bank Headquarter

PC101 should successfully access Server 1 behind SW1


PC101 cannot access R7/R8; fix the problem so that PC101 can ping R7

PC101#traceroute SERVER1

Type escape sequence to abort.


Tracing the route to SERVER1 (172.16.200.200)
VRF info: (vrf in name/id, vrf out name/id)
 1 172.16.100.1 0 msec 0 msec 0 msec
 2 172.16.1.21 1 msec 0 msec 0 msec
 3 SERVER1 (172.16.200.200) 0 msec *  1 msec
1. Ensure Directly Connected
1.1. Step 1: Server 1 and PC101 get IP Address
1. The interface E0/0 of Server 1 and of PC101 relies on DHCP to get its IP address. It needs a
client-id (01 + mac_address)
2. SW1 needs a network statement for the prefix 172.16.200.0/24 under the OSPF process, because
the DHCP server needs a route to reply to DHCP requests
Use this command to test
#ping 172.7.7.7 source vlan200

3. SW2 needs a network statement for the prefix 172.16.100.0/24 under the OSPF process, because
the DHCP server needs a route to reply to DHCP requests
Use this command to test
#ping 172.8.8.8 source vlan100
4. Are the IP address pool and gateway configurations on R7 and R8 correct?

1.2. Step 2: Gateway Device Configs


1. SW1: helper-address x.x.x.x (pointing to the loopback0 of R7) under VLAN200
2. SW2: helper-address x.x.x.x (pointing to the loopback0 of R8) under VLAN100
3. The interface E1/0 needs to be set to VLAN200 on SW1 and to VLAN100 on SW2
4. Are the IP addresses of the SVI interfaces (vlan 100 and vlan 200) correct?

1.3. Step 3: The Interfaces must be up


1. If port-security is configured, make the three mac addresses identical (on the end device, in
port security, and in the DHCP binding), and then shutdown/no shutdown the port

2. Check OSPF Neighbors


1. SW1 and SW2 need to create VLAN12
2. Interface E0/0 needs to allow VLAN12 (because of STP, only E0/0 is forwarding)
3. The Layer 3 interface needs a network statement under OSPF to build OSPF neighbors
3. Resolve Data Transfer
1. If direct connectivity is fine and the OSPF neighbors and routes are normal, but the expected
output still does not appear, the cause is most likely an ACL. Check whether an ACL is applied.

ANS Q1 – Layer 2
#   Device    Commands                  Validations
1   Check whether PC101 and Server1 are able to get IP addresses
    PC101     sh ip int brief           No IP Address
    PC101     sh run int e0/0           client-id E0/0 used for DHCP
    R8        sh run | s pool           Check the client-id and match it with the PC101 mac-address.
    SW2       sh run int e1/0           Check SW2 int e1/0 for the port-security mac-address.
                                        Fault 1 – PC101 mac-address is different from the R8 dhcp pool client-identifier and SW2 port security mac-address.
    Fix       PC101
                int e0/0
                no mac-address
                mac-address xxxx
              SW2
                int e1/0
                shutdown
                no shut
              Note: the mac-address mismatch may cause a port-security violation
              PC101
                show ip int brief /--Check if you get IP Address--/
    Server1   sh ip int brief           Check that E0/0 receives an IP address. If there is no IP address, note the mac address to compare with R7.
    SW1       sh run int vlan 200       ip helper-address 172.7.7.7 and 172.8.8.8 must be present.
    SW1       p 172.7.7.7 so vlan200    Check whether SW1 can ping R7
    Server1   ping 172.16.200.1         Ping the gateway. If it can't, follow the same troubleshooting process as for PC101.
2   Check L2 Configurations – VLAN and Switchport of SW2 and SW1
    SW1/SW2   sh vlan brief             Check if VLAN12 is present
                                        Fault 2: Missing VLAN 12 on SW1/SW2
    Fix       SW1/SW2
                vlan 12
    SW1/SW2   sh run int e1/0           Fault 3: switchport access vlan wrong on SW2
                                        Fault 4: switchport access vlan wrong on SW1
    Fix       SW1
                int e1/0
                switchport access vlan 200
              SW2
                int e1/0
                switchport access vlan 100
    SW2       sh int trunk              Fault 5 - VLAN 12 is missing from Allowed VLANs
    SW2       sh run int e0/0           There may be mst 2 port-priority 192
                                        Check other interfaces
                                        #sh run int e0/1
    SW2       sh sp mst conf            VLAN 12 may be on instance 2
    SW2       sh span mst 2             All the interfaces are in fw mode on SW2
    Fix       SW2
                int ran e0/0-3
                no switchport tr allowed vlan except 12
    SW2       sh ip int brief           May notice E0/0 down
    SW2       sh int e1/0               May notice err-disabled
    SW2       sh int st err-dis         Fault 6 – Err-Disabled Port. Need shut and no shut on e1/0
    Fix       SW2
                int E1/0
                shutdown
                no shutdown
                sh ip int brief /--Ensure the SVI and E1/0 interface up--/
              PC101
                sh ip int brief /--Check if you get IP Address--/
                ping 172.10.100.1 /--Check gateway connectivity --/
              NOTE: if you don't get an IP address, do a #shut and #no shut on the PC101 e0/0 interface

3   Check Gateway (L3) Configurations on SW1 and SW2
    SW2       sh vlan brief             e1/0 is assigned to VLAN100
    SW2       sh ip int brief           Fault 7 – Gateway IP Address must be 172.16.100.1
    Fix       SW2
                int vlan 100
                ip address 172.16.100.1 255.255.255.0
    SW2       sh run int vlan 100       The following is found
                                        #ip helper-address 172.7.7.7
                                        Fault 8 – DHCP Relay must point to R8
    Fix       SW2
                int vlan 100
                ip helper-address 172.8.8.8
                /-NOTE: You can copy and paste the config from SW1--/
              PC101
                sh ip int brief /--Check if you can get IP Address--/
    R8        sh run | s dhcp pool      It may have the DHCP pool for Server only. PC1 ip address 172.16.100.200 may be missing. Hence, we need to check the DHCP pool from R7
                                        Fault 9 – #default-router 172.16.200.1 missing on R8
    R7        sh run | s dhcp pool      You can find the PC101 ip address in R8
    Fix       R8
                ip dhcp pool HOST1
                default-router 172.16.100.1
              SW2
                ping 172.8.8.8 source vlan 100 /--Ensure ping successful--/
              PC101
                sh ip int br /--If no IP obtained, check SW2 port-security -/

4   Check OSPF Neighbor
    SW2       sh ip ospf nei            3 OSPF neighbors must be present. If OSPF between SW1 and SW2 is missing, check the ospf configuration on both SW1 and SW2.
                                        Ensure the following network statement on SW1
                                          network 172.16.1.21 0.0.0.0
                                        Ensure the following network statement on SW2
                                          network 172.16.1.22 0.0.0.0
    SW1/SW2   sh ip ospf int br         All costs may be 1. If the OSPF Nbrs value is 0, it means no prefix is advertised.
    SW1/SW2   sh run | s r o            Fault 10 - passive-interface vlan12 on SW1
    Fix       SW1
                router ospf 65100
                no passive-interface vlan12
                show ip route
                /--The 172.16.200.0/24 is no longer load balanced. Also, 172.16.100.0/24 prefix present --/
              SW2
                sh ip ospf nei /--Three neighbors should show --/
                show ip route /-- The 172.16.200.0/24 prefix goes through 172.16.1.21 --/
    SW2       sh ip route ospf          172.16.200.0/24 next hop should be Vlan12
                                        172.16.200.0/24 may exist and be load balanced. But the trunk between SW1 and SW2 should be preferred. There is some interface misconfiguration on OSPF cost
T   Testing
    PC101     ping 172.16.200.200
              traceroute 172.16.200.200
                1 172.16.100.1 /--first hop is GW --/
                2 172.16.1.21 /--second hop is VLAN 12 --/
                3 SERVER1

TS1 Q1 – L2 Fault Summary and Remediation

#   Device    Fault               Remediation
1   PC101     Mac Address         Change the mac address to match the R8 pool and SW2 E1/0
2   SW1/SW2   Missing VLAN 12     Add VLAN 12 to SW1/SW2
3   SW2       Int E1/0            Change #switchport access vlan 100
4   SW1       Int E1/0            Change #switchport access vlan 200
5   SW2       Trunk               VLAN 12 is missing from allowed VLANs on the trunk
6   SW2       Error-Disabled      Run #shut and #no shut to bring up the interface E1/0
7   SW2       VLAN100 IP          Change IP Address of VLAN100 to 172.16.100.1
8   SW2       DHCP Relay          Missing ip helper-address 172.8.8.8 under interface vlan100
9   R8        DHCP Server         Missing #dhcp-server 172.16.100.1 on R8
10  SW1       Passive Interface   Remove passive-interface from Router process 65100 on VLAN12

Concepts
• The requirement is that PC101 accesses Server1 through SW2 and SW1, as shown in the
figure below.
• SW1 and SW2 are L3 switches. SW2 is the GW for VLAN 100, where PC101 is connected.
SW1 is the GW for VLAN 101, where Server1 is connected.
• R7 and R8 are DHCP servers. R7 is the DHCP server for Server1 and R8 is the DHCP
server for PC101. Hence, we need to configure #ip helper-address on SW2 and
SW1.
• OSPF Area 0 is used for the area (SW1, SW2, R7 and R8).
• There are three mac addresses that we need to check: PC101 E0/0, SW2 E1/0 port
security, and the R8 DHCP pool client identifier. They must all match.
• PC101 may have a mac-address config on e0/0, which you can change if you find that to
be the fault. If this config doesn't exist, check the default mac address using the #sh int
e0/0 command.
• SW1 and SW2 use VLAN12 to connect. The e0/0-3 interfaces are used for trunking. VLAN12
must be allowed on that trunk.
• If VLAN12 is down, there could be two reasons:
  o You will need to add VLAN12 into the VLAN database
  o VLAN12 may not be allowed on the trunk
• When you practice BT5, you will see the ACL issue
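
The three-way mac address check described in the Concepts above, as an added example (not part of the original notes): a Python script that pulls the mac address from each of the three configs, strips the leading 01 from the DHCP client-identifier, and reports any mismatch. The function names and the sample config snippets are constructed for illustration and are not taken from the lab devices.

```python
import re

def _digits(value, expected_len):
    """Strip separators and return lowercase hex, or raise if the length is wrong."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", value).lower()
    if len(digits) != expected_len:
        raise ValueError(f"unexpected value: {value!r}")
    return digits

def _find(pattern, config):
    """Return the first captured group of pattern in config, or None."""
    match = re.search(pattern, config, re.MULTILINE)
    return match.group(1) if match else None

def check_macs(pc_cfg, sw_cfg, dhcp_cfg):
    """Compare the three MACs the notes say must match; return (macs, problems)."""
    raw = {
        "PC101 e0/0 mac-address": _find(r"^\s*mac-address\s+(\S+)", pc_cfg),
        "SW2 e1/0 port-security": _find(
            r"^\s*switchport port-security mac-address\s+([0-9A-Fa-f.]+)", sw_cfg),
        "R8 pool client-identifier": _find(r"^\s*client-identifier\s+(\S+)", dhcp_cfg),
    }
    macs, problems = {}, []
    for source, value in raw.items():
        if value is None:
            # e.g. no mac-address line on the PC: check the burned-in MAC by hand
            problems.append(f"{source}: not configured")
        elif "client-identifier" in source:
            cid = _digits(value, 14)  # client-id = 01 + 12 hex digits of MAC
            if not cid.startswith("01"):
                problems.append(f"{source}: does not start with 01")
            macs[source] = cid[2:]
        else:
            macs[source] = _digits(value, 12)
    if len(set(macs.values())) > 1:
        problems.append("MAC mismatch: " + ", ".join(f"{s}={m}" for s, m in macs.items()))
    return macs, problems

# Constructed sample configs (not from the lab): the PC MAC differs in the last byte.
PC101 = "interface Ethernet0/0\n mac-address aabb.cc00.6501\n ip address dhcp client-id Ethernet0/0\n"
SW2 = ("interface Ethernet1/0\n switchport access vlan 100\n switchport port-security\n"
       " switchport port-security mac-address aabb.cc00.6500\n")
R8 = "ip dhcp pool HOST1\n host 172.16.100.200 255.255.255.0\n client-identifier 01aa.bbcc.0065.00\n"

if __name__ == "__main__":
    for line in check_macs(PC101, SW2, R8)[1]:
        print(line)
```

A mismatch on the PC side is the condition that triggers the port-security violation and leaves the DHCP binding unmatched, so all three values need to agree before the shutdown/no shutdown on SW2 e1/0.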

Troubleshooting Tips
• If OSPF neighbors are fine, the DHCP helper address is configured on SW1/SW2, the mac
addresses on PC101, SW2 and R8 are consistent, and SW2 port e1/0 is not error-disabled,
but PC101 is still unable to receive an IP address, the problem is with the e1/0
VLAN.
• If you get the following output, it means that the traffic from SW2 is not going through
SW1. Check #passive-interface on SW1/SW2
PC101#traceroute SERVER1
Translating "SERVER1"...domain server (172.8.8.8) [OK]

Type escape sequence to abort.


Tracing the route to SERVER1 (172.16.200.200)
VRF info: (vrf in name/id, vrf out name/id)
1 172.16.100.1 1 msec 0 msec 0 msec
2 172.16.1.9 0 msec 1 msec 0 msec /--Incorrect hop. Traffic going through R7
3 172.16.1.2 0 msec 1 msec 0 msec
4 SERVER1 (172.16.200.200) 1 msec * 0 msec
