Lab requirements:
Set up the topology, import the pre-configuration, and troubleshoot the following errors.
1. R4 cannot learn the host entries attached to R5;
2. The EIGRP neighbor between R6 and R7 cannot start;
3. R4 cannot form OSPF neighbors with R2 and R3;
4. R7 cannot form an EIGRP neighbor with R8 or R9;
5. The host on R5 cannot ping the host on R9;
6. Ensure that packets sent from the host on R5 to the host on R9 with an IP precedence of 1 carry precedence 2 in the OSPF environment and 5 in the EIGRP environment;
7. After telnetting from R3 to R6 with username CISCO and password ADMIN, the show run and conf t commands cannot be run.
Tutorial topology:
[Figure: lab topology diagram]
Tutorial steps:
1. R4 cannot learn host entries on R5
Run show run for interface S0/1 of R4 and S0/0 of R5 respectively:
R4:
username R4 password 0 CISCOR4
interface Serial0/1
 ip address 172.16.45.1 255.255.255.252
 encapsulation ppp
 serial restart-delay 0
 ppp authentication chap
 ppp chap hostname R4
 ppp chap password 0 CISCOR4
R5:
username R5 password 0 CISCOR5
interface Serial0/0
 ip address 172.16.45.2 255.255.255.252
 encapsulation ppp
 serial restart-delay 0
 ppp authentication chap
 ppp chap hostname R5
 ppp chap password 0 CISCOR5
Both R4 and R5 are configured as PPP authentication server and PPP authentication client at the same time, so the connection cannot be established.
Solution:
Make R4 the PPP authentication server and R5 the PPP authentication client.
R4(config)# int s0/1
R4(config-if)# no ppp chap hostname R4
R4(config-if)# no ppp chap password 0 CISCOR4
R5(config)# no username R5 password CISCOR5
R5(config)# int s0/0
R5(config-if)# no ppp authentication chap
R5(config-if)# ppp chap hostname R4
R5(config-if)# ppp chap password 0 CISCOR4
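The CHAP check behind this fix, as an added example that is not part of the original post: a simplified Python model of the RFC 1994 response calculation, in which the authenticator looks up the name the peer announces among its local usernames. The class and function names are hypothetical, and the model does not reproduce the full name and password selection logic of IOS.

```python
import hashlib, hmac, os

def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    # RFC 1994: Response = MD5(Identifier || secret || Challenge)
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()

class Authenticator:
    """Side running 'ppp authentication chap': challenges the peer."""
    def __init__(self, usernames: dict):
        self.usernames = usernames      # local 'username NAME password SECRET'

    def verify(self, peer) -> bool:
        ident, challenge = 1, os.urandom(16)
        name, response = peer.respond(ident, challenge)
        secret = self.usernames.get(name)
        if secret is None:              # peer's name has no local username entry
            return False
        return hmac.compare_digest(chap_response(ident, secret, challenge), response)

class Peer:
    """Side answering with 'ppp chap hostname' / 'ppp chap password'."""
    def __init__(self, hostname: str, password: str):
        self.hostname, self.password = hostname, password

    def respond(self, ident: int, challenge: bytes):
        return self.hostname, chap_response(ident, self.password, challenge)

def before_fix() -> bool:
    # Both routers demand CHAP and both answer with their own name and password.
    r4_auth, r4_peer = Authenticator({"R4": "CISCOR4"}), Peer("R4", "CISCOR4")
    r5_auth, r5_peer = Authenticator({"R5": "CISCOR5"}), Peer("R5", "CISCOR5")
    return r4_auth.verify(r5_peer) and r5_auth.verify(r4_peer)

def after_fix() -> bool:
    # Only R4 authenticates; R5 answers as R4 / CISCOR4, which R4 has locally.
    return Authenticator({"R4": "CISCOR4"}).verify(Peer("R4", "CISCOR4"))

if __name__ == "__main__":
    print("link up before fix:", before_fix())
    print("link up after fix: ", after_fix())
```

The secret itself never crosses the link; only the MD5 digest does, which is why the name sent by the peer must select the right secret on the authenticator.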
2. The EIGRP neighbor between R6 and R7 cannot start.
Run show key chain on R6 and R7 respectively:
R6# show key chain
Key-chain sovand:
    key 1 -- text "cisco"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]
R7# show key chain
Key-chain cisco:
    key 1 -- text "cisc0"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]
The output shows that the authentication key strings on the two sides do not match ("cisco" on R6, "cisc0" on R7), so no neighbor relationship can be established.
Solution:
Set the same authentication key string on both sides.
R7(config)# key chain cisco
R7(config-keychain)# key 1
R7(config-keychain-key)# key-string cisco
R7(config-keychain-key)# end
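The comparison done by eye above can be scripted. The following is an added example, not part of the original post: a Python parser for show key chain text that compares two routers by key number and key string, since the key chain name is only locally significant. The function names are hypothetical; the sample text is the output shown above.

```python
import re

R6_OUTPUT = '''Key-chain sovand:
    key 1 -- text "cisco"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]'''
R7_OUTPUT = '''Key-chain cisco:
    key 1 -- text "cisc0"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]'''

def parse_key_chain(output: str) -> dict:
    """Parse 'show key chain' text into {chain_name: {key_id: key_string}}."""
    chains, current = {}, None
    for raw in output.splitlines():
        line = raw.strip()
        m = re.match(r'(?i)key-chain\s+(\S+?):?$', line)
        if m:
            current = chains.setdefault(m.group(1), {})
            continue
        m = re.match(r'(?i)key\s+(\d+)\s+--\s+text\s+"(.*)"$', line)
        if m and current is not None:
            current[int(m.group(1))] = m.group(2)
    return chains

def compare_keys(a: dict, b: dict) -> list:
    """Report key IDs that differ; the key strings themselves are never echoed."""
    findings = []
    for key_id in sorted(set(a) | set(b)):
        if key_id not in a or key_id not in b:
            findings.append((key_id, "missing on one side"))
        elif a[key_id] != b[key_id]:
            findings.append((key_id, "key-string mismatch"))
    return findings

def lab_findings(r6_text: str = R6_OUTPUT, r7_text: str = R7_OUTPUT) -> list:
    # Chain names differ (sovand / cisco) and that is fine; only the keys are compared.
    return compare_keys(parse_key_chain(r6_text)["sovand"],
                        parse_key_chain(r7_text)["cisco"])

if __name__ == "__main__":
    print(lab_findings())
```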
3. R4 cannot form OSPF neighbors with R2 and R3.
Run show run for interface S0/2 of FR1 and interface S0/0 of R4:
FR1:
interface Serial0/2
 no ip address
 encapsulation frame-relay
 serial restart-delay 0
 clock rate 64000
 frame-relay lmi-type cisco
 frame-relay intf-type dce
 frame-relay route 402 interface Serial0/0 204
 frame-relay route 403 interface Serial0/1 304
R4:
interface Serial0/0
 ip address 172.16.234.40 **********
 encapsulation frame-relay
 ip ospf network broadcast
 serial restart-delay 0
 no arp frame-relay
 frame-relay map ip 172.16.234.30 403 broadcast
 frame-relay map ip 172.16.234.20 402 broadcast
 no frame-relay inverse-arp
 frame-relay lmi-type ansi
R4 and FR1 use different Frame Relay LMI types (ansi on R4, cisco on FR1), so the Frame Relay connection cannot be established.
Solution:
Change the Frame Relay LMI type on R4 to cisco.
R4(config)# int s0/0
R4(config-if)# frame-relay lmi-type cisco
Check that the Frame Relay connection is established:
*Mar  1 00:28:30.635: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
FR1# show frame-relay rou
Input Intf      Input Dlci      Output Intf     Output Dlci     Status
Serial0/0       203             Serial0/1       302             active
Serial0/0       204             Serial0/2       402             active
Serial0/1       302             Serial0/0       203             active
Serial0/1       304             Serial0/2       403             active
Serial0/2       402             Serial0/0       204             active
Serial0/2       403             Serial0/1       304             active
Frame Relay is now fully established, but the OSPF neighbors still do not come up. Continue looking for the cause by debugging OSPF adjacency events on R4.
R4# debug ip ospf adj
OSPF adjacency events debugging is on
R4#
*Mar  1 01:23:31.639: OSPF: Rcv pkt from 172.16.234.30, Serial0/0, area 0.0.0.0: src not on the same network
*Mar  1 01:23:31.639: OSPF: Rcv pkt from 172.16.234.30, Serial0/0, area 0.0.0.0: src not on the same network
*Mar  1 01:23:31.639: OSPF: Rcv pkt from 172.16.234.30, Serial0/0, area 0.0.0.0: src not on the same network
The interface IP address of R4 is not in the same network segment as those of R2 and R3, so the adjacency cannot form.
Solution:
Put the interface addresses of R2, R3, and R4 in the same network segment, with the mask set to 255.255.255.192.
R2(config)# int s0/0
R2(config-if)# ip address 172.16.234.20 255.255.255.192
R3(config)# int s0/0
R3(config-if)# ip address 172.16.234.30 255.255.255.192
R4(config)# int s0/0
R4(config-if)# ip address 172.16.234.40 255.255.255.192
The adjacencies are now fully established:
R2#
*Mar  1 00:24:19.367: %OSPF-5-ADJCHG: Process 1, Nbr 172.16.234.30 on Serial0/0 from LOADING to FULL, Loading Done
*Mar  1 00:29:17.451: %OSPF-5-ADJCHG: Process 1, Nbr 172.16.234.40 on Serial0/0 from LOADING to FULL, Loading Done
R3#
*Mar  1 00:24:20.083: %OSPF-5-ADJCHG: Process 1, Nbr 172.16.234.20 on Serial0/0 from LOADING to FULL, Loading Done
*Mar  1 00:29:11.151: %OSPF-5-ADJCHG: Process 1, Nbr 172.16.234.40 on Serial0/0 from LOADING to FULL, Loading Done
R4#
*Mar  1 00:29:10.943: %OSPF-5-ADJCHG: Process 1, Nbr 172.16.234.30 on Serial0/0 from LOADING to FULL, Loading Done
*Mar  1 00:29:18.099: %OSPF-5-ADJCHG: Process 1, Nbr 172.16.234.20 on Serial0/0 from LOADING to FULL, Loading Done
4. R7 cannot form an EIGRP neighbor with R8 or R9.
Run show run int S0/0 on FR2:
interface Serial0/0
 no ip address
 encapsulation frame-relay
 serial restart-delay 0
 clock rate 64000
 frame-relay route 708 interface Serial0/1 807
 frame-relay route 709 interface Serial0/2 907
!
The S0/0 port of FR2 is not configured as DCE, so the Frame Relay connection cannot be established.
Solution:
Set S0/0 of FR2 to DCE.
FR2(config)# int s0/0
FR2(config-if)# frame-relay intf-type dce
Frame Relay is up, but the EIGRP neighbor relationship flaps:
08:39:28: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 2: Neighbor 10.2.99.1 (FastEthernet0/24) is down: retry limit exceeded
08:39:33: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 2: Neighbor 10.2.99.1 (FastEthernet0/24) is up: new adjacency
View the interface configurations of R8 and R9:
R8:
interface Serial0/0
 ip address 172.16.100.8 255.255.255.0
 encapsulation frame-relay
 serial restart-delay 0
 no arp frame-relay
 frame-relay map ip 172.16.100.7 807
 no frame-relay inverse-arp
R9:
interface Serial0/0
 ip address 172.16.100.9 255.255.255.0
 encapsulation frame-relay
 serial restart-delay 0
 no arp frame-relay
 frame-relay map ip 172.16.100.7 907
 no frame-relay inverse-arp
!
The broadcast parameter is not configured in the static Frame Relay mappings on R8 and R9, so broadcast and multicast packets, which EIGRP uses for its advertisements, cannot be sent to the other side over the PVC.
Solution:
Add the broadcast parameter to the static Frame Relay mappings.
R8(config)# int s0/0
R8(config-if)# frame-relay map ip 172.16.100.7 807 broadcast
R9(config)# int s0/0
R9(config-if)# frame-relay map ip 172.16.100.7 907 broadcast
The adjacencies are now fully established:
R7#
*Mar  1 00:41:19.659: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.100.9 (Serial0/0) is up: new adjacency
*Mar  1 00:41:19.847: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.100.8 (Serial0/0) is up: new adjacency
R8#
*Mar  1 00:41:20.799: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.100.7 (Serial0/0) is up: new adjacency
R9#
*Mar  1 00:41:20.735: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.100.7 (Serial0/0) is up: new adjacency
5. The R5 host cannot ping the host on R9.
The faults in the individual routing protocols have been cleared, but R5 still cannot ping R9, so the cause may be redistribution. Run show run | section route on R4 and R6 respectively.
R6:
router eigrp 1
 redistribute ospf 1
 network 172.16.67.6 0.0.0.0
 no auto-summary
!
router ospf 1
 log-adjacency-changes
 redistribute eigrp 1
 network 172.16.36.6 0.0.0.0 area 0
R4:
router rip
 version 2
 redistribute ospf 1
 passive-interface Serial0/0
 network 172.16.0.0
 no auto-summary
On R6, no metric is set when OSPF is redistributed into EIGRP, and the subnets parameter is missing when EIGRP is redistributed into OSPF. On R4, no hop count is set when OSPF is redistributed into RIP. Therefore, redistribution fails.
Solution:
Add the subnets parameter when redistributing EIGRP into OSPF, set a metric when redistributing OSPF into EIGRP, and set a hop count when redistributing OSPF into RIP.
R6(config)# router ospf 1
R6(config-router)# redistribute eigrp 1 subnets
R6(config)# router eigrp 1
R6(config-router)# redistribute ospf 1 metric 1000 33 255 1 1500
R4(config)# router rip
R4(config-router)# redistribute ospf 1 metric 3
After the configuration is complete, view the routing table. R5 has learned the network of R9's interface:
R5# show ip rou rip
     172.16.0.0/16 is variably subnetted, 7 subnets, 4 masks
R       172.16.234.0/26 [120/1] via 172.16.45.1, 00:00:19, Serial0/0
R       172.16.36.0/24 [120/3] via 172.16.45.1, 00:00:19, Serial0/0
R       172.16.100.0/24 [120/3] via 172.16.45.1, 00:00:19, Serial0/0
R       172.16.67.0/24 [120/3] via 172.16.45.1, 00:00:19, Serial0/0
6. Ensure the IP precedence of packets from the host on R5 to the host on R9.
Configure an inbound PBR policy on the boundary router between the routing protocols, and rewrite the IP precedence to the required value at each redistribution point.
Solution:
R4(config)# access-list 101 permit ip host 172.16.5.1 host 1.1.1.1 // create an ACL matching traffic from the R5 host to the R9 host
R4(config)# route-map sovand permit 10 // create a route map
R4(config-route-map)# match ip add 101 // match access list 101
R4(config-route-map)# set ip precedence 2 // set precedence 2 on matching packets
R4(config)# int s0/1
R4(config-if)# ip policy route-map sovand // apply PBR on the ingress interface
R6(config)# access-list 101 permit ip host 172.16.5.1 host 1.1.1.1 precedence 2
R6(config)# route-map sovand permit 10
R6(config-route-map)# match ip add 101
R6(config-route-map)# set ip precedence 5
R6(config)# int e0/0
R6(config-if)# ip policy route-map sovand
Test:
R5# ping 1.1.1.1 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.5.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 188/282/380 ms
R9(config)# access-list 101 permit ip any any precedence 5
R9# debug ip packet 101
R9#
*Mar  1 01:20:35.383: IP: tableid=0, s=1.1.1.1 (local), d=172.16.5.1 (Serial0/0), routed via FIB
*Mar  1 01:20:35.383: IP: s=1.1.1.1 (local), d=172.16.5.1 (Serial0/0), len 100, sending
*Mar  1 01:20:35.707: IP: tableid=0, s=172.16.5.1 (Serial0/0), d=1.1.1.1 (Loopback0), routed via RIB
*Mar  1 01:20:35.707: IP: s=172.16.5.1 (Serial0/0), d=1.1.1.1, len 100, rcvd 4
*Mar  1 01:20:35.711: IP: tableid=0, s=1.1.1.1 (local), d=172.16.5.1 (Serial0/0), routed via FIB
*Mar  1 01:20:35.711: IP: s=1.1.1.1 (local), d=172.16.5.1 (Serial0/0), len 100, sending
R9 successfully receives a packet with a precedence of 5, proving that the configuration is successful.
7. After telnetting from R3 to R6, the user lacks the privilege to run the commands.
show run on R6 shows that the telnet user has privilege level 0, which does not permit show run or conf t:
R3# telnet 172.16.36.6
Trying 172.16.36.6 ... Open
User Access Verification
Username: CISCO
Password:
R6# show run
      ^
% Invalid input detected at '^' marker.
Solution:
Change the user's privilege level to 15:
R6(config)# no username CISCO password 0 ADMIN
R6(config)# username CISCO privilege 15 password ADMIN
Telnet from R3 to R6 again:
R3# telnet 172.16.36.6
Trying 172.16.36.6 ... Open
User Access Verification
Username: CISCO
Password:
R6# show run
Building configuration...
R6# conf t
Enter configuration commands, one per line. End with CNTL/Z.
R6(config)#
This article is from the "Searching" blog.