###BeginTicket7###
Ticket 7 : Port Security
Topology Overview (Actual Troubleshooting lab design is for below network design)
Client Should have IP 10.2.1.3
EIGRP 100 is running between switch DSW1 & DSW2
OSPF (Process ID 1) is running between R1, R2, R3, R4
Network of OSPF is redistributed in EIGRP
BGP 65001 is configured on R1 with Webserver cloud AS 65002
HSRP is running between DSW1 & DSW2 Switches
The company has created the test bed shown in the layer 2 and layer 3 topology exhibits.
This network consists of four routers, two layer 3 switches and two layer 2 switches.
In the IPv4 layer 3 topology, R1, R2, R3, and R4 are running OSPF with an OSPF process
number 1.
DSW1, DSW2 and R4 are running EIGRP with an AS of 10. Redistribution is enabled where
necessary.
R1 is running a BGP AS with a number of 65001. This AS has an eBGP connection to AS 65002
in the ISP’s network. Because the company’s address space is in the private range.
R1 is also providing NAT translations between the inside (10.1.0.0/16 & 10.2.0.0/16) networks and
outside (209.65.0.0/24) network.
ASW1 and ASW2 are layer 2 switches.
NTP is enabled on all devices with 209.65.200.226 serving as the master clock source.
The client workstations receive their IP address and default gateway via R4’s DHCP server.
The default gateway address of 10.2.1.254 is the IP address of HSRP group 10 which is running
on DSW1 and DSW2.
In the IPv6 layer 3 topology R1, R2, and R3 are running OSPFv3 with an OSPF process number 6.
DSW1, DSW2 and R4 are running RIPng process name RIP_ZONE.
The two IPv6 routing domains, OSPF 6 and RIPng are connected via GRE tunnel running over the
underlying IPv4 OSPF domain. Redistrution is enabled where necessary.
Recently the implementation group has been using the test bed to do a ‘proof-of-concept’ on
several implementations. This involved changing the configuration on one or more of the devices.
You will be presented with a series of trouble tickets related to issues introduced during these
configurations.
Note: Although trouble tickets have many similar fault indications, each ticket has its own issue
and solution.
Each ticket has 3 sub questions that need to be answered & topology remains same.
Question-1 Fault is found on which device,
Question-2 Fault condition is related to,
Question-3 What exact problem is seen & what needs to be done for solution
– –
Client is unable to ping IP 209.65.200.241
Solution
Steps need to follow as below:-
When we check on client 1 & Client 2 desktop we are not receiving DHCP address from R4
ipconfig —– Client will be getting 169.X.X.X
On ASW1 port Fa1/0/ 1 & Fa1/0/2 access port VLAN 10 was assigned but when we checked
interface it was showing down
Sh run ——- check for running config of int fa1/0/1 & fa1/0/2 (switchport access Vlan 10 will be
there with switch
port security command). Now check as below
Sh int fa1/0/1 & sh int fa1/0/2
– –
As seen on interface the port is in err-disable mode so need to clear port.
Change required: On ASW1, we need to remove port-security under interface fa1/0/1 & fa1/0/2.
——————————————————————————————————————————
###EndTicket7###
The implementations group has been using the test bed to do a ‘proof-of-concept’ that
requires both Client 1 and Client 2 to access the WEB Server at 209.65.200.241. After
several changes to the network addressing, routing scheme, DHCP services, NTP services,
layer 2 connectivity, FHRP services, and device security, a trouble ticket has been opened
indicating that Client 1 cannot ping the 209.65.200.241 address.
Use the supported commands to isolated the cause of this fault and answer the following
questions.
What is the solution to the fault condition?
A.
In Configuration mode, using the interface range Fa 1/0/1 – 2, then no switchport port-security
interface configuration commands. Then in exec mode clear errdisable interface fa 1/01 – 2 vlan
10 command
B.
In Configuration mode, using the interface range Fa 1/0/1 – 2, then no switchport port-security,
followed by shutdown, no shutdown interface configuration commands.
C.
In Configuration mode, using the interface range Fa 1/0/1 – 2, then no switchport port-security
interface configuration commands.
D.
In Configuration mode, using the interface range Fa 1/0/1 – 2, then no switchport port-security
interface configuration commands. Then in exec mode clear errdisable interface fa 1/0/1, then
clear errdisable interface fa 1/0/2 commands.
Explanation:
——
On ASW1, we need to remove port-security under interface fa1/0/1 & fa1/0/2.
Reference:
http://www.cisco.com/en/US/tech/ABC389/ABC621/technologies_tech_note09186a00806cd87b.shtml
==========================================================================