A guide for the TSHOOT Exam

For the TSHOOTv2 exam we will encounter:

+ Multiple Choice Questions

+ 12 Troubleshooting Tickets (check them at the right-side menu)
+ BGP Simlet
+ HSRP Simlet

Below is a summary of 17 Tickets you may see in the exam:

Device Error Description

1. Access port not in VLAN 10 (removed)
2. Port Channel not allowing VLAN 10
ASW1
3. Ports should be in access mode instead of trunking
4. Port security in fa1/0/1, fa1/0/2 interfaces
1. HSRP track 10 (removed)
DSW1 2. VLAN filter
3. DHCP IP Helper-address (APIPA addresses on clients)
1. Wrong IP of BGP neighbor
2. NAT Outside misconfigured
R1
3. WAN access-list statement missing
4. OSPF Authentication
R2 1. IPv6: enable OSPF
R3 1. IPv6: remove ―tunnel mode ipv6‖
1. EIGRP – wrong AS (removed)
2. Redistribute Route-map
R4
3. EIGRP Passive Interface (removed)
4. missing Redistribution from RIPng to OSPFv3

Notice that in the exam, the tickets are randomly given so the best way to troubleshooting is to
try pinging to all the devices from nearest to farthest from the client until you don‘t receive the
replies.

In each ticket you will have to answers three types of questions:

+ Which device causes problem

+ Which technology is used
+ How to fix it

One more thing to remember: you can only use ―show‖ commands to find out the problems and
you are not allowed to make any changes in the configuration. In fact, in the exam you can not
enter the global configuration mode!
Multiple Choice Questions
http://www.networktut.com/multiple-choice-questions

Question 1

Which of the following features allows a router to install a floating route in its routing table
when the GRE tunnel is disrupted?

A. tracking objects
B. IP SLA
C. ?
D. GRE keepalive

Answer: D

Explanation

GRE tunnels are designed to be completely stateless. This means that each tunnel endpoint does
not keep any information about the state or availability of the remote tunnel endpoint. A
consequence of this is that the local tunnel endpoint router does not have the ability to bring the
line protocol of the GRE Tunnel interface down if the remote end of the tunnel is unreachable.
The ability to mark an interface as down when the remote end of the link is not available is used
in order to remove any routes (specifically static routes) in the routing table that use that
interface as the outbound interface. Specifically, if the line protocol for an interface is changed
to down, then any static routes that point out that interface are removed from the routing table.
This allows for the installation of an alternate (floating) static route or for Policy Based Routing
(PBR) in order to select an alternate next-hop or interface.

Normally, a GRE Tunnel interface comes up as soon as it is configured and it stays up as long
as there is a valid tunnel source address or interface which is up. The tunnel destination IP
address must also be routable. This is true even if the other side of the tunnel has not been
configured. This means that a static route or PBR forwarding of packets via the GRE tunnel
interface remains in effect even though the GRE tunnel packets do not reach the other end of the
tunnel.

Before GRE keepalives were implemented, there were only ways to determine local issues on
the router and no way to determine problems in the intervening network. For example, the case
in which the GRE tunneled packets are successfully forwarded, but are lost before they reach
the other end of the tunnel. Such scenarios would cause data packets that go through the GRE
tunnel to be ―black holed‖, even though an alternate route that uses PBR or a floating static
route via another interface might be available. Keepalives on the GRE tunnel interface are used
in order to solve this issue in the same way as keepalives are used on physical interfaces.

Reference: https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-
gre/118370-technote-gre-00.html
Question 2

Refer to the exhibit.

access-list 101 permit 89 any any

access-list 101 permit tcp any 10.1.1.1 0.0.0.0 eq 179
access-list 101 permit tcp any eq 179 any
access-list 101 permit gre any any
access-list 101 permit tcp nse any
access-list 101 deny ospf any any
access-list 101 permit tcp 10.1.1.1 172.16.1.0 0.0.0.255 eq 22
access-list 101 permit tcp 10.1.1.1 172.16.1.0 0.0.0.255 eq telnet
access-list 101 permit tcp 10.1.1.1 172.16.1.0 0.0.0.255 eq 80
access-list 101 deny tcp 10.1.1.1 172.16.1.0 0.0.0.255 eq 2

Which two routing protocols are permitted by the ACL above? (Choose two)

A. BGP
B. OSPF
C. EIGRP
D. GRE
E. NSE (something like that)

Answer: A B

Explanation

BGP operates on TCP port 179 and the ACL statements ―access-list 101 permit tcp any 10.1.1.1
eq 179‖ and ―access-list 101 permit tcp any eq 179 any‖ allows BGP to go through.

The protocol number (not port number) of OSPF is 89 so the first ACL statement ―permit 89
any any‖ is same as ―permit ospf any any‖ -> Answer B is correct.

EIGRP runs directly over IP using IP protocol number 88 – it does not use TCP or UDP. In the
above ACL statements there is no line for EIGRP so it will be dropped by implicit ―deny all‖
statement at the end of the ACL -> Answer C is not correct.

GRE is allowed with the ―access-list 101 permit gre any any‖ statement so GRE is correct but
this question asks about ―routing protocol‖ so GRE is not a valid option.

Note: Keep in mind that there is a big difference between a port number and a protocol
number. In an ACL, the number behind the keyword ―eq‖ (equal) is a port number, not a
protocol number. For example, IP is protocol number 4, ICMP is 1, EIGRP is 88, and OSPF is
protocol number 89.

Question 3
Refer to the exhibit.

R1
int Gigabitethernet 0/2
ip address 10.10.20.2 255.255.55.0
!
int Gigabitethernet 0/3
ip address 10.10.30.2 255.255.55.0

R1#show management-interface interface G0/2

Protocol Packets processed interface Packets
http 0
https 10
SNMP 0

R1#show management-interface interface Gi0/3

interface Packets
SSH 10
hsrp 20
xxxx 30

R2#ssh -l admin 10.10.20.2

%failure

A company is implementing Management Plane Protection (MPP) on its network. Which of the
following commands allows R2 successfully connect to R1 via SSH?

A. ssh -p 22 -l admin 10.10.30.2

B. ssh -v 2 -l admin 10.10.30.2
C. ssh -p 22 -l admin 10.10.20.2
D. ssh -v 2 -l admin 10.10.20.2

Answer: B

Explanation

SSH has the following options:

R1#ssh ?
-c Select encryption algorithm
-l Log in using this user name
-m Select HMAC algorithm
-o Specify options
-p Connect to this port
-v Specify SSH Protocol Version
-vrf Specify vrf name
WORD IP address or hostname of a remote system

In this question it seems R1 does not allow SSH to interface Gi0/0 of R1 (via the line ―SSH 0‖)
so we have to SSH to interface Gi0/2 instead.

Question 4

Section 1
R1#debug ip ospf hello
…
Section 2
R1#
Debugging is
Condition 1 – username
Condition 2 – int g0/2
Section 3
R1#debug ip ospf hello
…

Which of the following commands results in the Section 2 of the output above?

A.
R#debug condition username
R#debug condition interface g0/2

B.
R# debug condition interface g0/2
R#debug condition username

C.
R(conf)# debug condition username
R(conf)#debug condition interface g0/2

D.
R(conf)#debug condition interface g0/2
R(conf)# debug condition username

Answer: A

Explanation

The ―debug condition‖ command must be issued in Privileged mode (not global configuration
mode)

Question 5
Two hosts (PC A & PC B) in the same subnet (IP addresses 10.10.10.10 & 10.10.10.30, both
/24) connected to Layer 2 switches each (using ports g0/5). The layer 2 switches connect to
other switches which connects to a Multilayer (L3) switch.

What is the reason PC A cannot reach PC B?

A. IP routing is not enabled in the L3 switch

B. Interfaces g0/5 of the switches are in different VLANs
C. PC A and PC B are in different subnets
D. Interfaces Gi0/1 and Gi0/2 are not in an Etherchannel port

Answer: B

Explanation

Suppose all the related ports are in up/up state then there are only two reasons that PCA & PCB
cannot communicate:
+ These two PCs are in different VLANs
+ The ports on L3 switch that are connected to two Layer 2 switches are routing ports (with ―no
switchport‖ command)

Question 6

Refer to the exhibit

R1#show access-list
IP access-list extended Super_User
1 permit ip host xxxx host xxxxx
2 permit ip host xxxx host xxxxx
3 permit ip host xxxx host xxxxx
4 permit ip host xxxx host xxxxx
5 permit ip host xxxx host xxxxx
6 permit ip host xxxx host xxxxx
7 permit ip host xxxx host xxxxx
8 permit ip host xxxx host xxxxx
9 permit ip host xxxx host xxxx

Which of the following commands inserts five additional lines to the ACL Entry Sequence
between lines 3 and 4 without changing the existing configuration?

A. R(conf)# ip access-list resequence Super_User 1 6

B. R(conf)# ip access-list resequence Super_User 1 5
C. R(conf-nacl)# ip access-list resequence Super_User 1 6
D. R(conf-nacl)# ip access-list resequence Super_User 1 5

Answer: A

Explanation

The command ―ip access-list resequence access-list-name starting-sequence-number

increment‖ (for example: ―Router(config)# ip access-list resequence Super_User 1 6‖) will
resequence the ―Super_User‖ ACL using the starting sequence number (1) and the increment of
sequence numbers (6). After this command the ―Super_User‖ ACL will be like this:

R1#show access-list
IP access-list extended Super_User
1 permit ip host xxxx host xxxxx
7 permit ip host xxxx host xxxxx
13 permit ip host xxxx host xxxxx
19 permit ip host xxxx host xxxxx
25 permit ip host xxxx host xxxxx
31 permit ip host xxxx host xxxxx
37 permit ip host xxxx host xxxxx
43 permit ip host xxxx host xxxxx
49 permit ip host xxxx host xxxx

-> We can insert five additional lines between two consecutive lines now.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/xe-
3s/sec-data-acl-xe-3s-book/sec-acl-seq-num.html

Question 7
An engineer performed a router upgrade. After an unexpected reboot, the router loaded with the
old IOS version instead of the new one. What is the problem?

A. The configuration register is set to 0x2103

B. The old IOS image is corrupted
C. The new IOS image is corrupted
D. The boot loader is not present

Answer: D

Question 8

An exhibit with output of BGP debug

%TCP-6-….: Active to Idle

…
%TCP-6-BADAUTH: No MD5 digest from 192.168.1.1(179) to 192.168.4.1(45577) tabled-0
%TCP-6-BADAUTH: No MD5 digest from 192.168.4.1(179) to 192.168.1.1(45577) tabled-0

Why are the two routers not forming BGP neighborship?

A. Mismatched BGP authentication

B. Mismatched BGP Autonomous System numbers
C. Mismatched Hello and Hold timer
D. Mismatched BGP peer-group

Answer: A

Question 9

An exhibit that displays the outputs of show interface tunnel0 for two routers. Tunnel 0 is
up/up on one router and up/down on the other router.
Which of the following commands can quickly show the cause of the up/down state of Tunnel0
on the second router?

A. show ip interface brief

B. sh ip protocols (or something else)
C. show ip route
D. show ip gre

Answer: C

Question 10
A hub and spoke topology consisting of some routers and switches. Host A is attached to the
spoke network and Host B is attached to the hub network. There is a set of commands beside
the topology:

Client A cannot reach client B while other Spokes can reach client B. What command in the
configuration is the cause of the problem?

A. ip nhrp network-id 12345

B. tunnel source e0/1
C. ip nhrp shortcut
D. tunnel mode gre multipoint

Answer: B

Note: Please check to see the NHRP address is wrong. Please read more about DMVPN and
NHRP at https://www.digitaltut.com/dmvpn-tutorial

Question 11 – Drag and Drop

Answer:

Match the various tunnel states to the corresponding description.

Up/up ————– tunnel is up and functional

Up/down ———- tunnel is up but not passing traffic
Administratively Down/down —— tunnel is administratively shutdown (shutdown by
configuration or an administrator)
Reset/up ———- tunnel is ….. (maybe ―misconfigured with a Next Hop Server (NHS) that is
it‘s own IP address.‖)

Explanation

Four Different Tunnel States

There are four possible states in which a GRE tunnel interface can be:
+ Up/up – This implies that the tunnel is fully functional and passes traffic. It is both
administratively up and it‘s protocol is up as well.
+ Administratively down/down – This implies that the interface has been administratively shut
down.
+ Up/down – This implies that, even though the tunnel is administratively up, something causes
the line protocol on the interface to be down.
+ Reset/down – This is usually a transient state when the tunnel is reset by software. This
usually happens when the tunnel is misconfigured with a Next Hop Server (NHS) that is it‘s
own IP address.

Reference: https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-
gre/118361-technote-gre-00.html

Question 12

Refer to the exhibit.

enable secret 8 8asdknkjajf89nklasdnflkjajnslkdf

username cisco privilleage 15 password 7 8273872397892
no aaa new-model
line vty 0 4
login local

Which reversible encryption method is used?

A. SNMP
B. Local authentication
C. Enable
D. VTY

Answer: B

============================ Tickets ===========================

Note: There are two cases for ticket 11 so please check them carefully

Ticket 1 – OSPF Authentication

1.Client is unable to ping R1‘s serial interface from the client.

Problem was disable authentication on R1, check where authentication is not given under router
ospf of R1. (use ipv4 Layer 3)

Configuration of R1:

interface Serial0/0/0
description Link to R2
ip address 10.1.1.1 255.255.255.252
ip nat inside
encapsulation frame-relay
ip ospf message-digest-key 1 md5 TSHOOT
ip ospf network point-to-point
!
router ospf 1
router-id 1.1.1.1
log-adjacency-changes
network 10.1.2.0 0.0.0.255 area 12
network 10.1.10.0 0.0.0.255 area 12
default-information originate always
!

Configuration of R2:
interface Serial0/0/0.12 point-to-point
ip address 10.1.1.2 255.255.255.252
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 TSHOOT
!

Answer: on R1 need command “ip ospf authentication message-digest‖

Ans1) R1
Ans2) IPv4 OSPF Routing
Ans3) Enable OSPF authentication on the s0/0/0 interface using the ―ip ospf authentication
message-digest‖ command.

Ticket 2 – HSRP Track (removed)

HSRP was configured on DSW1 & DSW2. DSW1 is configured to be active but it does not
become active.

Configuration of DSW1:

track 1 ip route 10.2.21.128 255.255.255.224 metric threshold

threshold metric up 1 down 2
!
track 10 ip route 10.1.21.128 255.255.255.224 metric threshold
threshold metric up 63 down 64
!

interface Vlan10
ip address 10.2.1.1 255.255.255.0
standby 10 ip 10.2.1.254
standby 10 priority 200
standby 10 preempt
standby 10 track 1 decrement 60

Answer: (use IPv4 Layer 3 Topology)

On DSW1 interface vlan 10 mode, type these commands:

no standby 10 track 1 decrement 60
standby 10 track 10 decrement 60
(ip for track command not exact for real exam)

Note: 10.1.21.129 is the IP address of a loopback interface on R4. This IP belongs to subnet
10.1.21.128/27.

Ans1) DSW1
Ans2) HSRP
Ans3) delete the command with track 1 and enter the command with track 10 (standby 10 track
10 decrement 60).

Note: For more information about IP route tracking and why the command ―threshold metric up
63 down 64″ is used here please read this tutorial: http://networktut.iptut.com/hsrp-ip-route-
tracking.

Ticket 3 – BGP Neighbor

Problem: Client 1 is able to ping 209.65.200.226 but can‘t ping the Web Server 209.65.200.241.

Configuration of R1:
router bgp 65001
no synchronization
bgp log-neighbor-changes
network 209.65.200.224 mask 255.255.255.252
neighbor 209.56.200.226 remote-as 65002
no auto-summary

check bgp neighborship. **** show ip bgp sum****

The neighbor‘s address in the neighbor command is wrong under router BGP. (use ipv4 Layer
3)

Answer: need change on router mode on R1 neighbor 209.65.200.226

Ans1) R1
Ans2) BGP
Ans3) delete the wrong neighbor statement and enter the correct neighbor address in the
neighbor command (change ―neighbor 209.56.200.226 remote-as 65002″ to ―neighbor
209.65.200.226 remote-as 65002″)

Ticket 4 – NAT ACL

Configuration of R1

!
interface Serial0/0/1
ip address 209.65.200.225 255.255.255.252
ip nat outside
!
interface Serial0/0/0
ip address 10.1.1.1 255.255.255.252
ip nat outside
ip ospf message-digest-key 1 md5 TSHOOT
ip ospf authentication message-digest

Ans1) R1
Ans2) NAT
Ans3) Under interface Serial0/0/0 delete the ip nat outside command and add the ip nat inside
command.

Ticket 5 – R1 ACL
Configuration on R1
interface Serial0/0/1
description Link to ISP
ip address 209.65.200.224 255.255.255.252
ip nat outside
ip access-group edge_security in
!
ip access-list extended edge_security
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny 127.0.0.0 0.255.255.255 any
permit ip host 209.65.200.241 any
!

Answer:

Ans1) R1
Ans2) IPv4 layer 3 security
Ans3) Under the ‗ip access-list extended edge_security‘ configuration add the ‗permit ip
209.65.200.224 0.0.0.3 any‘ command.

Note:

+ This is the only ticket the extended access-list edge_security exists. In other tickets, the
access-list 30 is applied to the inbound direction of S0/0/1 of R1.

+ Although host 209.65.200.241 is permitted to go through the access-list (permit ip host

209.65.200.241 any) but clients cannot ping the web server because R1 cannot establish BGP
session with neighbor 209.65.200.226.

Ticket 6 – VLAN filter

Client 1 is not able to ping the server. Unable to ping DSW1 or the FTP Server(Use L2
Diagram).

Vlan Access map is applied on DSW1 blocking the ip address of client 10.2.1.3

Configuration on DSW1
vlan access-map test1 10
action drop
match ip address 10
vlan access-map test1 20
action drop
match ip address 20
vlan access-map test1 30
action forward
match ip address 30
vlan access-map test1 40
action forward
!
vlan filter test1 vlan-list 10
!
access-list 10 permit 10.2.1.3
access-list 20 permit 10.2.1.4
access-list 30 permit 10.2.1.0 0.0.0.255
!
interface VLAN10
ip address 10.2.1.1 255.255.255.0

Ans1) DSW1
Ans2) VLAN ACL/Port ACL
Ans3) Under the global configuration mode enter no vlan filter test1 vlan-list 10 command.

Note: After choosing DSW1 for Ans1, next page (for Ans2) you have to scroll down to find the
VLAN ACL/Port ACL option. The scroll bar only appears in this ticket and is very difficult to
be seen. Also make sure you choose DSW1 (not ASW1) for the first question as there is also
"VLAN ACL/Port ACL" option for answer 2 if you choose ASW1 but it is wrong.
Ticket 7 – Port Security
Client 1 is unable to ping Client 2 as well as DSW1. The command ‗sh interfaces fa1/0/1′ will
show following message in the first line
‗FastEthernet1/0/1 is down, line protocol is down (err-disabled)‘

On ASW1 port-security mac 0000.0000.0001, interface in err-disable state

Configuration of ASW1
interface fa1/0/1
switchport access vlan 10
switchport mode access
switchport port-security
switchport port-security mac-address 0000.0000.0001

Answer: on ASW1 delele port-security & do on interfaces shutdown, no shutdown

Ans1) ASW1
Ans2) Port security
Ans3) In Configuration mode, using the interface range Fa1/0/1 – 2, then no switchport port-
security, followed by shutdown, no shutdown interface configuration commands.

Ticket 8 – Switchport VLAN 10 (removed)

Configuration of ASW1
interface FastEthernet1/0/1
switchport mode access
!
interface FastEthernet1/0/2
switchport mode access
!

Answer:

Ans1) ASW1
Ans2) Access Vlans
Ans3) In Configuration mode, using the ‗interface range Fastethernet 1/0/1 – 2‘, then
‗switchport access vlan 10‘ command.

Ticket 9 – Switchport trunk

Configuration of ASW1
interface PortChannel13
switchport mode trunk
switchport trunk allowed vlan 20,200
!
interface PortChannel23
switchport mode trunk
switchport trunk allowed vlan 20,200
!
interface FastEthernet1/0/1
switchport mode access
switchport access vlan 10
shutdown
!
interface FastEthernet1/0/2
switchport mode access
switchport access vlan 10

Ans1)ASW1
Ans2)Switch to switch connectivity
Ans3)Under interface Port-Channel 13, 23, add vlan 10,200 and then no shutdown interface
fa1/0/1

Ticket 10 – EIGRP AS (removed)

Client 1 is not able to ping the Webserver
DSW1 can ping fa0/1 of R4 but can‘t ping s0/0/0.34

Check ip eigrp neighbors from DSW1 you will not see R4 as neighbor.(use ipv4 Layer 3)
‗Show ip route‘ on DSW1 you will not see any 10.x.x.x network route.

On DSW1 & DWS2 the EIGRP AS number is 10 (router eigrp 10) but on R4 it is 1 (router eigrp
1)

Answer: change router AS on R4 from 1 to 10

Ans1) R4
Ans2) EIGRP
Ans3) Change EIGRP AS number from 1 to 10

Ticket 11a – Redistribution Route-map

On R4:
router eigrp 10
redistribute ospf 1 route-map OSPF->EIGRP
network 10.1.4.0 0.0.0.255
network 10.1.10.0 0.0.0.255
network 10.1.21.128 0.0.0.3
default-metric 100000 100 100 1 1500
no auto-summary
!
route-map OSPF->EIGRP deny 10
match tag 90
route-map OSPF->EIGRP deny 20
set tag 110

Ans1) R4
Ans2) IPv4 Route Redistribution
Ans3) Change the ―route-map OSPF->EIGRP deny 20‖ to ―route-map OSPF->EIGRP permit
20‖

Explanation for this ticket:

In this topology, we are doing mutual redistribution at multiple points (between OSPF and
EIGRP on R4, DSW1 & DSW2), which is a very common cause of network problems,
especially routing loops so you should use route-map to prevent redistributed routes from
redistributing again into the original domain.

In this ticket, route-map is also used for this purpose. For example, the route-map ―EIGRP-
>OSPF‖ is used to prevent any routes that have been redistributed into OSPF from redistributed
again into EIGRP domain by tagging these routes with tag 90. These routes are prevented from
redistributed again by route-map OSPF->EIGRP by denying any routes with tag 90 set.

Ticket 11b – Redistribution Route-map

On R4:
router eigrp 10
redistribute ospf 1 route-map OSPF->EIGRP
network 10.1.4.0 0.0.0.255
network 10.1.10.0 0.0.0.255
network 10.1.21.128 0.0.0.3
default-metric 100000 100 100 1 1500
no auto-summary
!

route-map OSPF_to_EIGRP deny 10

match tag 90
route-map OSPF_to_EIGRP permit 20
set tag 110

Ans1) R4
Ans2) IPv4 Route Redistribution
Ans3) Under the EIGRP process, delete the ‗redistribute ospf 1 route-map OSPF->EIGRP‘
command and enter ‗redistribute ospf 1 route-map OSPF_to_EIGRP‘ command.

Ticket 12 – IPv6 OSPF

DSW1 & R4 can‘t ping R2‘s loopback interface or s0/0/0.12 IPv6 address.
R2 is not an OSPFv3 neighbor on R3
Situation: ipv6 ospf was not enabled on R2‘s serial interface connecting to R3. (use ipv6 Layer
3)

Configuration of R2
ipv6 router ospf 6
!
interface s0/0/0.23
ipv6 address 2026::1:1/122

Configuration of R3
ipv6 router ospf 6
router-id 3.3.3.3
!
interface s0/0/0.23
ipv6 address 2026::1:2/122
ipv6 ospf 6 area 0

Answer:

In interface configuration mode of s0/0/0.23 on R2:

ipv6 ospf 6 area 12

Ans1) R2
Ans2) IPv6 OSPF Routing
Ans3) on the serial interface of R2, enter the command ipv6 ospf 6 area 0 (notice that it is ―area
0″, not ―area 12″)

Ticket 13 – DHCP Helper-address

Note: Currently the link above is not up-to-date. We will update it soon.

Configuration on DSW1:

!
interface Vlan 10
ip address 10.2.1.1 255.255.255.0
ip helper-address 10.2.21.129
!

Note: In this ticket you will find port-security configured on ASW1 but it is not the problem.

Ans1) DSW1
Ans2) IP DHCP Server (or DHCP)
Ans3) on DSW1 delete ―ip helper-address 10.2.21.129‖ and apply ―ip helper-address
10.1.21.129‖ command
Ticket 14 – EIGRP Passive Interface
the neighborship between R4 and DSW1 wasn‘t establised. Client 1 can‘t ping R4
Configuration on R4:
router eigrp 10
passive-interface default
redistribute ospf 1 route-map OSPF->EIGRP
network 10.1.4.4 0.0.0.3
network 10.1.4.8 0.0.0.3
network 10.1.21.128 0.0.0.3
default-metric 10000 100 255 1 10000
no auto-summary

Answer 1) R4
Answer 2) IPv4 EIGRP Routing
Answer 3) enter no passive interface for interfaces connected to DSW1 under EIGRP process
(or in Interface f0/1 and f0/0, something like this)

Note: There is a loopback interface on this device which has an IP address of 10.1.21.129 so we
have to include the ―network 10.1.21.128 0.0.0.3‖ command.

* Just for your information, in fact Clients 1 & 2 in this ticket CANNOT receive IP addresses
from DHCP Server because DSW1 cannot reach 10.1.21.129 (an loopback interface on R4)
because of the ―passive-interface default‖ command. But in the exam you will see that Clients 1
& 2 can still get their IP addresses! It is a bug in the exam.

Ticket 15 – IPv6 GRE Tunnel

Problem: Loopback address on R1 (2026::111:1) is not able to ping the loopback address on
DSW2 (2026::102:1).

Configuration of R3:
!
interface Tunnel34
no ip address
ipv6 address 2026::34:1/122
ipv6 enable
ipv6 ospf 6 area 34
tunnel source Serial0/0/0.34
tunnel destination 10.1.1.10
tunnel mode ipv6
!

Configuration of R4:
interface Tunnel34
no ip address
 ipv6 address 2026::34:2/122
ipv6 enable
ipv6 ospf 6 area 34
tunnel source Serial0/0/0
tunnel destination 10.1.1.9
!

Answer:
Ans1) R3
Ans2) Ipv4 and Ipv6 Interoperability
Ans3) Under the interface Tunnel34, remove ‗tunnel mode ipv6′ command

Ticket 16 – IPv6 RIPng OSPFv3

Redistribution
Problem: Loopback address on R1 (2026::111:1) is not able to ping the loopback address on
DSW2 (2026::102:1).

Configuration of R4:
ipv6 router ospf 6
log-adjacency-changes
!
ipv6 router rip RIP_ZONE
redistribute ospf 6 metric 2 include-connected
!

Answer:
Ans1) R4
Ans2) Ipv6 OSPF Routing
Ans3) Under ipv6 ospf process add the ‗redistribute rip RIP_Zone include-connected‘ command

Ticket 17 – Switchport Encapsulation

On ASW1:

interface fa1/0/1
switchport access vlan 10
switport mode trunk
switport trunk encapsulation dot1q
interface fa1/0/2
switchport access vlan 10
switport mode trunk
switport trunk encapsulation dot1q

Answer:
Ans1) ASW1
Ans2) Access VLANs
Ans3) In configuration mode, use ‗interface range fa1/0/1-2‘ then ‗switchport mode access‘,
then ‗no switchport trunk encapsulation dot1q‘