ENARSI Skills Assessment – Troubleshooting (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.
Topology
Addressing Table
Device | Interface | IPv4 Address/Mask | IPv6 Address/Prefix Length | Link-Local Address |
---|---|---|---|---|
R1 | G0/0/0 | 209.165.200.1/24 | 2001:db8:200::1/64 | fe80::1:1 |
R1 | G0/0/1 | 10.165.249.1/24 | 2001:db8:249::1/64 | fe80::1:2 |
R1 | Loopback 0 | 10.0.0.1/24 | 2001:db8:10::1/64 | fe80::1:3 |
R1 | Loopback 1 | 10.165.248.1/24 | 2001:db8:248::1/64 | fe80::1:4 |
R2 | G0/0/0 | 209.165.200.2/24 | 2001:db8:200::2/64 | fe80::2:1 |
R2 | G0/0/1 | 209.165.201.2/24 | 2001:db8:201::2/64 | fe80::2:2 |
R2 | Loopback 0 | 172.16.0.1/24 | 2001:db8:172::1/64 | fe80::2:3 |
R2 | Loopback 1 | 209.165.224.1/24 | 2001:db8:224::1/64 | fe80::2:4 |
R3 | G0/0/0 | 209.165.201.1/24 | 2001:db8:201::1/64 | fe80::3:1 |
R3 | G0/0/1 | 192.168.241.1/24 | 2001:db8:241::1/64 | fe80::3:2 |
R3 | Loopback 0 | 192.168.0.1/24 | 2001:db8:192::1/64 | fe80::3:3 |
R3 | Loopback 1 | 192.168.240.1/24 | 2001:db8:240::1/64 | fe80::3:4 |
D1 | G1/0/11 | 10.165.249.2/25 | 2001:db8:249::2/64 | fe80::d1:1 |
D1 | VLAN 250 | 10.165.250.1/24 | 2001:db8:24a::1/64 | fe80::d1:2 |
D1 | VLAN 251 | 10.165.251.1/24 | 2001:db8:24b::1/64 | fe80::d1:3 |
D2 | G1/0/11 | 192.168.241.2/24 | 2001:db8:241::2/64 | fe80::d2:1 |
D2 | VLAN 242 | 192.168.242.1/24 | 2001:db8:242::1/64 | fe80::d2:2 |
D2 | VLAN 243 | 192.168.243.1/24 | 2001:db8:243::1/64 | fe80::d2:3 |
A1 | VLAN 250 | 10.165.250.2/24 | 2001:db8:24a::2/64 | fe80::a1:1 |
PC1 | NIC | DHCP | SLAAC | EUI-64/CGA |
PC2 | NIC | 10.165.251.5/24 | 2001:db8:24b::5/64 | EUI-64/CGA |
PC3 | NIC | DHCP | SLAAC | EUI-64/CGA |
PC4 | NIC | DHCP | SLAAC | EUI-64/CGA |
Objectives
Troubleshoot network issues related to the configuration and operation of routing protocols.
Background / Scenario
This is the same topology that you built in Part 1 of the ENARSI SA. In this topology, R1 and D1 are EIGRP neighbors and R3 and D2 are OSPF neighbors. R1, R2, and R3 are all speaking BGP for their respective ASNs. Switch A1 is supporting host access for a AAA server. You will be loading configurations with intentional errors onto the network. Your tasks are to FIND the error(s), document your findings and the command(s) or method(s) used to fix them, FIX the issue(s) presented here and then test the network to ensure both of the following conditions are met:
1) the complaint received in the ticket is resolved
2) full reachability is restored
Note: The routers used with CCNP hands-on labs are Cisco 4221 with Cisco IOS XE Release 16.9.4 (universalk9 image). The switches used in the labs are Cisco Catalyst 3650 with Cisco IOS XE Release 16.9.4 (universalk9 image) and Cisco Catalyst 2960 with Cisco IOS Release 15.2(2) (lanbasek9 image). Other routers, switches, and Cisco IOS versions can be used. Depending on the model and Cisco IOS version, the commands available and the output produced might vary from what is shown in the labs. Refer to the Router Interface Summary Table at the end of the lab for the correct interface identifiers.
Note: Make sure that the devices have been erased and have no startup configurations. If you are unsure, contact your instructor.
Note: The default Switch Database Manager (SDM) template on a Catalyst 2960 does not support IPv6. You must change the default SDM template to the dual-ipv4-and-ipv6 default template using the sdm prefer dual-ipv4-and-ipv6 default global configuration command. Changing the template will require a reboot.
Instructor Note: Refer to the Instructor Lab Manual for the procedures to initialize and reload devices.
Required Resources
• 3 Routers (Cisco 4221 with Cisco IOS XE Release 16.9.4 universal image or comparable)
• 2 Switches (Cisco 3650 with Cisco IOS XE Release 16.9.4 universal image or comparable)
• 1 Switch (Cisco 2960 with Cisco IOS Release 15.2(2) lanbasek9 image or comparable)
• 3 PCs (Choice of operating system with terminal emulation program installed)
• 1 PC (Choice of operating system with a server running configured RADIUS (Optional))
• Console cables to configure the Cisco IOS devices via the console ports
• Ethernet and serial cables as shown in the topology
Scenario
You had the network working to specifications and took a week off. While you were gone, a junior administrator and a security engineer were tasked to improve the network. The opposite occurred. Now you are tasked with fixing the network.
The instructions the junior administrator and security engineer were given were as follows:
- Reduce the number of TCP sessions between R1 and R3.
- Apply IPv4 and IPv6 filters to the outward-facing interfaces on R1 and R3 to ensure that inbound traffic sourced from their local networks is dropped.
- Reduce the size of the EIGRP routing table on R1.
- Reduce the number of route entries R1 is sending to R2.
- Incorporate AAA using the AAA server at 209.165.251.5 to secure remote access to all devices in the AS 10 and AS 192 networks.
They did not document things as they were supposed to, so all you have been told is things are not working as they should be. You need to fix all of this as soon as possible!
Use the commands listed below to load the configuration files for this skills assessment:
Instructor Note: Commands for uploading the configuration are provided at the end of this document.
Device | Command |
---|---|
R1 | copy flash:/enarsi/sa-tshoot-r1-config.txt run |
R2 | copy flash:/enarsi/sa-tshoot-r2-config.txt run |
R3 | copy flash:/enarsi/sa-tshoot-r3-config.txt run |
D1 | copy flash:/enarsi/sa-tshoot-d1-config.txt run |
D2 | copy flash:/enarsi/sa-tshoot-d2-config.txt run |
A1 | copy flash:/enarsi/sa-tshoot-a1-config.txt run |
• Console Passwords on all devices are cisco12345. If a username is required, use admin.
• Remote access should be available using the username raduser and password upass123.
Instructor Note: If you are using a RADIUS server, update the RADIUS username and password as necessary.
• PC2 must be configured with static addresses as shown in the topology diagram/addressing table. PC1, PC3, and PC4 will dynamically acquire IPv4 and IPv6 addresses.
• When you have fixed the ticket, change the MOTD on EACH DEVICE using the following command:
banner motd # This is $(hostname) FIXED Skills Assessment #
• Save the configuration by issuing the wri command (on each device).
• Inform your instructor that you are finished.
• After the instructor approves your solution, issue the reset.now privileged EXEC command. This script will clear your configurations and reload the devices.
Instructor Notes:
This skills assessment contains several intentional errors. The list below is mapped to the tasks given the junior administrator and security engineer:
1. Reduce the number of TCP sessions between R1 and R3.
The junior administrator did not complete the configuration: the R1 and R3 sessions peer between Loopback 0 addresses, but the ebgp-multihop command was omitted on both routers. The commands to fix this error are:
Router R1
conf t
router bgp 10
neighbor 192.168.0.1 ebgp-multihop 3
neighbor 2001:db8:192::1 ebgp-multihop 3
exit
end
Router R3
config t
router bgp 192
neighbor 10.0.0.1 ebgp-multihop 3
neighbor 2001:db8:10::1 ebgp-multihop 3
exit
end
2. Apply IPv4 and IPv6 filters to the outward-facing interfaces on R1 and R3 to ensure that inbound traffic sourced from their local networks is dropped.
R3 has the default-information originate command, but it does not seem to be working. D2 does not see the default route. R2 is sending it, as R1 has it. The issue is that the MY-X-NETWORKS filter at the G0/0/0 ingress is denying 0.0.0.0. The filters configured on R1 are correct. The commands to fix this on R3 are as follows:
config t
ip access-list standard MY-4-NETWORKS
no 30
exit
ipv6 access-list MY-6-NETWORKS
no permit ipv6 any any
exit
end
clear ip bgp * soft
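The fault above, modelled as an added example that is not part of the original lab: a Python model of how IOS evaluates a standard ACL inside a route-map deny clause, run over R3's MY-4-NETWORKS entries from this page. The offered prefix list is partly constructed, the function names are this example's own, and only the IPv4 filter is modelled.

```python
import ipaddress

# R3's standard ACL as loaded by the faulty config on this page: (seq, action, address, wildcard).
# Sequence numbers are the IOS defaults (10, 20, 30), which is why the fix is "no 30".
MY_4_NETWORKS = [
    (10, "permit", "192.168.0.0", "0.0.0.255"),
    (20, "permit", "192.168.240.0", "0.0.3.255"),
    (30, "permit", "0.0.0.0", "0.0.0.0"),
]

# Prefixes offered to R3 over BGP. The first three are R2's network statements from this page;
# the last two are constructed to exercise the filter (an AS 10 route and a spoofed local /24).
OFFERED = ["0.0.0.0/0", "172.16.0.0/24", "209.165.224.0/24", "10.0.0.0/24", "192.168.242.0/24"]


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def entry_matches(entry, network_address):
    """Wildcard match: only bits that are 0 in the wildcard must be equal."""
    _seq, _action, base, wildcard = entry
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(network_address) & care) == (_to_int(base) & care)


def acl_permits(acl, network_address):
    """First matching entry decides; no match falls to the implicit deny."""
    for entry in acl:
        if entry_matches(entry, network_address):
            return entry[1] == "permit"
    return False


def route_map_accepts(acl, prefix):
    """route-map FILTER-MY-4-NETS: deny 10 (match ip address ACL), then permit 20 (match all)."""
    network_address = str(ipaddress.ip_network(prefix).network_address)
    if acl_permits(acl, network_address):
        return False  # clause 10 matched, action deny
    return True       # clause 20 has no match statement, so it permits the rest


def accepted(acl, offered):
    return [p for p in offered if route_map_accepts(acl, p)]


def sequences_dropping(acl, prefix):
    """ACL sequence numbers responsible for a prefix being denied by clause 10."""
    network_address = str(ipaddress.ip_network(prefix).network_address)
    return [e[0] for e in acl if e[1] == "permit" and entry_matches(e, network_address)]


if __name__ == "__main__":
    fixed = [e for e in MY_4_NETWORKS if e[0] != 30]  # effect of "no 30"
    print("faulty :", accepted(MY_4_NETWORKS, OFFERED))
    print("culprit:", sequences_dropping(MY_4_NETWORKS, "0.0.0.0/0"))
    print("fixed  :", accepted(fixed, OFFERED))
```

With entry 30 present the default route never reaches R3's BGP table, so default-information originate has nothing to originate from; the spoofed 192.168.242.0/24 stays filtered before and after the fix.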
3. Reduce the size of the EIGRP routing table at R1.
The junior administrator used the wrong mask on the summary address at D1, so the networks from D1 are not all being advertised to R1. The commands to fix this on D1 are as follows:
conf t
router eigrp ENARSI-SA
address-family ipv4 unicast autonomous-system 1
af-interface g1/0/11
no summary-address 10.165.250.0 255.255.255.0
summary-address 10.165.250.0 255.255.254.0
exit-af-interface
exit-address-family
address-family ipv6 unicast autonomous-system 1
af-interface g1/0/11
no summary-address 2001:db8:240::/48
summary-address 2001:db8:240::/46
exit-af-interface
exit-address-family
end
4. Reduce the number of route entries R1 is sending to R2.
R1 is missing static routes for the summaries it is advertising into BGP; R2 and R3 only have routes to the 10.0.0.0 network in ASN 10. The commands to fix this on R1 are as follows:
conf t
ip route 10.165.248.0 255.255.252.0 null0
ipv6 route 2001:db8:248::/46 null0
end
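An added example, not part of the original lab: a Python check that reads an IOS configuration and reports BGP network statements with no exactly matching connected or static route, which is the condition IOS requires before it originates the prefix. The configuration text is an excerpt of R1's file from this page; the function and variable names are this example's own.

```python
import ipaddress
import re

# Excerpt of R1's faulty configuration from this page, reduced to the lines that matter here.
R1_CONFIG = """\
interface loopback 0
ip address 10.0.0.1 255.255.255.0
ipv6 address fe80::1:5 link-local
ipv6 address 2001:db8:10::1/64
interface loopback 1
ip address 10.165.248.1 255.255.255.0
ipv6 address 2001:db8:248::1/64
ip route 192.168.0.1 255.255.255.255 s0/1/0 209.165.202.2
ipv6 route 2001:db8:192::1/128 s0/1/0 2001:db8:202::2
router bgp 10
address-family ipv4 unicast
network 10.0.0.0 mask 255.255.255.0
network 10.165.248.0 mask 255.255.252.0
address-family ipv6 unicast
network 2001:db8:10::/64
network 2001:db8:248::/46
router eigrp ENARSI-SA
address-family ipv4 unicast autonomous-system 1
network 10.165.249.0
"""

# The instructor fix from this page.
R1_FIX = """\
ip route 10.165.248.0 255.255.252.0 null0
ipv6 route 2001:db8:248::/46 null0
"""

# Patterns that install a route locally (connected or static). Dynamically learned
# routes are not visible in a config file and are outside this check.
RIB_PATTERNS = [
    re.compile(r"ip address (\S+) (\d+\.\d+\.\d+\.\d+)$"),
    re.compile(r"ipv6 address (\S+/\d+)$"),
    re.compile(r"ip route (\S+) (\d+\.\d+\.\d+\.\d+) "),
    re.compile(r"ipv6 route (\S+/\d+) "),
]
# BGP network statements with an explicit mask or prefix length (classful form not handled).
BGP_PATTERNS = [
    re.compile(r"network (\S+) mask (\S+)$"),
    re.compile(r"network (\S+/\d+)$"),
]


def _network(match):
    # Groups are either (address, mask) or (prefix/len,); host bits are masked off.
    return ipaddress.ip_network("/".join(match.groups()), strict=False)


def parse(config):
    """Return (local routes, BGP network statements) found in flat IOS config text."""
    rib, bgp_networks, in_bgp = set(), [], False
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("router "):
            in_bgp = line.startswith("router bgp ")  # ignore EIGRP/OSPF network lines
            continue
        for pattern in RIB_PATTERNS:
            m = pattern.match(line)
            if m:
                rib.add(_network(m))
        if in_bgp:
            for pattern in BGP_PATTERNS:
                m = pattern.match(line)
                if m:
                    bgp_networks.append(_network(m))
    return rib, bgp_networks


def not_originated(config):
    """BGP network statements with no exact prefix/length match among local routes."""
    rib, bgp_networks = parse(config)
    return [str(n) for n in bgp_networks if n not in rib]


if __name__ == "__main__":
    print("before fix:", not_originated(R1_CONFIG))
    print("after fix :", not_originated(R1_CONFIG + R1_FIX))
```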
5. Incorporate AAA using the AAA server at 209.165.251.5 to secure remote access to all devices in the AS 10 and AS 192 networks.
The security engineer did this correctly.
Router Interface Summary Table
Router Model | Ethernet Interface #1 | Ethernet Interface #2 | Serial Interface #1 | Serial Interface #2 |
---|---|---|---|---|
1800 | Fast Ethernet 0/0 (F0/0) | Fast Ethernet 0/1 (F0/1) | Serial 0/0/0 (S0/0/0) | Serial 0/0/1 (S0/0/1) |
1900 | Gigabit Ethernet 0/0 (G0/0) | Gigabit Ethernet 0/1 (G0/1) | Serial 0/0/0 (S0/0/0) | Serial 0/0/1 (S0/0/1) |
2801 | Fast Ethernet 0/0 (F0/0) | Fast Ethernet 0/1 (F0/1) | Serial 0/1/0 (S0/1/0) | Serial 0/1/1 (S0/1/1) |
2811 | Fast Ethernet 0/0 (F0/0) | Fast Ethernet 0/1 (F0/1) | Serial 0/0/0 (S0/0/0) | Serial 0/0/1 (S0/0/1) |
2900 | Gigabit Ethernet 0/0 (G0/0) | Gigabit Ethernet 0/1 (G0/1) | Serial 0/0/0 (S0/0/0) | Serial 0/0/1 (S0/0/1) |
4221 | Gigabit Ethernet 0/0/0 (G0/0/0) | Gigabit Ethernet 0/0/1 (G0/0/1) | Serial 0/1/0 (S0/1/0) | Serial 0/1/1 (S0/1/1) |
4300 | Gigabit Ethernet 0/0/0 (G0/0/0) | Gigabit Ethernet 0/0/1 (G0/0/1) | Serial 0/1/0 (S0/1/0) | Serial 0/1/1 (S0/1/1) |
Note: To find out how the router is configured, look at the interfaces to identify the type of router and how many interfaces the router has. There is no way to effectively list all the combinations of configurations for each router class. This table includes identifiers for the possible combinations of Ethernet and Serial interfaces in the device. The table does not include any other type of interface, even though a specific router may contain one. An example of this might be an ISDN BRI interface. The string in parentheses is the legal abbreviation that can be used in Cisco IOS commands to represent the interface.
Uploading Configuration Files
Use the commands below to create the configuration files on the lab devices for each trouble ticket in this lab. The TCL script commands help create and copy the configurations. However, the configuration commands could also be copied and pasted directly into global config mode on each device. Simply remove the TCL script commands, enter the enable and configure t commands on the device, and copy and paste the configuration commands.
Important: The device requires a folder in flash named enarsi. Use the dir command to verify. If the folder is missing, then create it using the mkdir flash:/enarsi privileged exec command.
Reset scripts
These TCL scripts will completely clear and reload the device in preparation for the next ticket. Copy and paste the appropriate script to the appropriate device.
Router Reset Script
tclsh
puts [ open "flash:/enarsi/reset.tcl" w+ ] {
typeahead "\n"
copy running-config startup-config
typeahead "\n"
erase startup-config
puts "Reloading the router"
typeahead "\n"
reload
}
tclquit
D1/D2 (Cisco 3650) Reset Script – The default 3650 SDM template supports IPv6, so it is not set by this script.
tclsh
puts [ open "flash:/enarsi/reset.tcl" w+ ] {
typeahead "\n"
copy running-config startup-config
typeahead "\n"
erase startup-config
delete /force vlan.dat
puts "Reloading the switch"
typeahead "\n"
reload
}
tclquit
A1 (Cisco 2960 Script) – The default 2960 SDM template does not support IPv6, so this script includes that setting.
tclsh
puts [ open "flash:reset.tcl" w+ ] {
typeahead "\n"
copy running-config startup-config
typeahead "\n"
erase startup-config
delete /force vlan.dat
delete /force multiple-fs
ios_config "sdm prefer lanbase-routing"
typeahead "\n"
puts "Reloading the switch in 1 minute, type reload cancel to halt"
typeahead "\n"
reload
}
tclquit
R1 Configuration File Scripts
tclsh
puts [ open "flash:/enarsi/sa-tshoot-r1-config.txt" w+ ] {
hostname R1
no ip domain lookup
ipv6 unicast-routing
banner motd # This is R1, ENARSI SA Part 2 #
enable secret cisco12345
username admin privilege 15 algorithm-type scrypt secret cisco12345
interface g0/0/0
ip address 209.165.200.1 255.255.255.0
ipv6 address fe80::1:1 link-local
ipv6 address 2001:db8:200::1/64
no shutdown
exit
interface g0/0/1
ip address 10.165.249.1 255.255.255.0
ipv6 address fe80::1:2 link-local
ipv6 address 2001:db8:249::1/64
no shutdown
exit
interface s0/1/0
ip address 209.165.202.1 255.255.255.0
ipv6 address fe80::1:3 link-local
ipv6 address 2001:db8:202::1/64
no shutdown
exit
interface s0/1/1
ip address 209.165.203.1 255.255.255.0
ipv6 address fe80::1:4 link-local
ipv6 address 2001:db8:203::1/64
no shutdown
exit
interface loopback 0
ip address 10.0.0.1 255.255.255.0
ipv6 address fe80::1:5 link-local
ipv6 address 2001:db8:10::1/64
no shutdown
exit
interface loopback 1
ip address 10.165.248.1 255.255.255.0
ipv6 address fe80::1:6 link-local
ipv6 address 2001:db8:248::1/64
no shutdown
exit
ip route 192.168.0.1 255.255.255.255 s0/1/0 209.165.202.2
ip route 192.168.0.1 255.255.255.255 s0/1/1 209.165.203.2
ipv6 route 2001:db8:192::1/128 s0/1/0 2001:db8:202::2
ipv6 route 2001:db8:192::1/128 s0/1/1 2001:db8:203::2
ip access-list standard MY-4-NETWORKS
permit 10.0.0.0 0.0.0.255
permit 10.165.248.0 0.0.3.255
exit
route-map FILTER-MY-4-NETS deny 10
match ip address MY-4-NETWORKS
exit
route-map FILTER-MY-4-NETS permit 20
ipv6 access-list MY-6-NETWORKS
permit 2001:db8:248::/46 any
permit 2001:db8:10::/64 any
exit
route-map FILTER-MY-6-NETS deny 10
match ipv6 address MY-6-NETWORKS
exit
route-map FILTER-MY-6-NETS permit 20
router bgp 10
no bgp default ipv4-unicast
neighbor 209.165.200.2 remote-as 172
neighbor 192.168.0.1 remote-as 192
neighbor 192.168.0.1 update-source loopback 0
neighbor 2001:db8:200::2 remote-as 172
neighbor 2001:db8:192::1 remote-as 192
neighbor 2001:db8:192::1 update-source loopback 0
address-family ipv4 unicast
neighbor 209.165.200.2 activate
neighbor 192.168.0.1 activate
neighbor 192.168.0.1 route-map FILTER-MY-4-NETS in
neighbor 209.165.200.2 route-map FILTER-MY-4-NETS in
network 10.0.0.0 mask 255.255.255.0
network 10.165.248.0 mask 255.255.252.0
exit
address-family ipv6 unicast
neighbor 2001:db8:200::2 activate
neighbor 2001:db8:192::1 activate
neighbor 2001:db8:200::2 route-map FILTER-MY-6-NETS in
neighbor 2001:db8:192::1 route-map FILTER-MY-6-NETS in
network 2001:db8:10::/64
network 2001:db8:248::/46
exit
exit
router eigrp ENARSI-SA
address-family ipv4 unicast autonomous-system 1
eigrp router-id 0.4.10.1
network 10.0.0.0
network 10.165.248.0
network 10.165.249.0
topology base
redistribute bgp 10 metric 1000000 10 255 1 1500
exit
exit-address-family
address-family ipv6 unicast autonomous-system 1
eigrp router-id 0.6.10.1
topology base
redistribute bgp 10 metric 1000000 10 255 1 1500
exit
af-interface g0/0/0
shutdown
exit-af-interface
exit-address-family
exit
aaa new-model
radius server MY-RADIUS
address ipv4 10.165.251.5 auth-port 1812 acct-port 1813
key $trongPass
exit
aaa authentication login VTY-CONTROL group radius local
line con 0
logging synchronous
exec-timeout 0 0
exit
line vty 0 4
transport input telnet
exec-timeout 5 0
login authentication VTY-CONTROL
exit
alias exec reset.now tclsh flash:/enarsi/reset.tcl
end
}
tclquit
R2 Configuration File Scripts
tclsh
puts [ open "flash:/enarsi/sa-tshoot-r2-config.txt" w+ ] {
hostname R2
no ip domain lookup
ipv6 unicast-routing
banner motd # This is R2, ENARSI SA Part 2 #
enable secret cisco12345
username admin privilege 15 algorithm-type scrypt secret cisco12345
interface g0/0/0
ip address 209.165.200.2 255.255.255.0
ipv6 address fe80::2:1 link-local
ipv6 address 2001:db8:200::2/64
no shutdown
exit
interface g0/0/1
ip address 209.165.201.2 255.255.255.0
ipv6 address fe80::2:2 link-local
ipv6 address 2001:db8:201::2/64
no shutdown
exit
interface loopback 0
ip address 172.16.0.1 255.255.255.0
ipv6 address fe80::2:3 link-local
ipv6 address 2001:db8:172::1/64
no shutdown
exit
interface loopback 1
ip address 209.165.224.1 255.255.255.0
ipv6 address fe80::2:4 link-local
ipv6 address 2001:db8:224::1/64
no shutdown
exit
ip route 0.0.0.0 0.0.0.0 null0
ipv6 route ::/0 null0
router bgp 172
no bgp default ipv4-unicast
bgp router-id 4.6.172.2
neighbor 209.165.200.1 remote-as 10
neighbor 209.165.201.1 remote-as 192
neighbor 2001:db8:200::1 remote-as 10
neighbor 2001:db8:201::1 remote-as 192
address-family ipv4 unicast
neighbor 209.165.200.1 activate
neighbor 209.165.201.1 activate
network 172.16.0.0 mask 255.255.255.0
network 209.165.224.0
network 0.0.0.0 mask 0.0.0.0
exit
address-family ipv6 unicast
neighbor 2001:db8:200::1 activate
neighbor 2001:db8:201::1 activate
network 2001:db8:172::/64
network 2001:db8:224::/64
network ::/0
exit
exit
line con 0
logging synchronous
exec-timeout 0 0
exit
line vty 0 4
login local
transport input telnet
exec-timeout 5 0
exit
alias exec reset.now tclsh flash:/enarsi/reset.tcl
end
}
tclquit
R3 Configuration File Scripts
tclsh
puts [ open "flash:/enarsi/sa-tshoot-r3-config.txt" w+ ] {
hostname R3
no ip domain lookup
ipv6 unicast-routing
banner motd # This is R3, ENARSI SA Part 2 #
enable secret cisco12345
username admin privilege 15 algorithm-type scrypt secret cisco12345
interface g0/0/0
ip address 209.165.201.1 255.255.255.0
ipv6 address fe80::3:1 link-local
ipv6 address 2001:db8:201::1/64
no shutdown
exit
interface g0/0/1
ip address 192.168.241.1 255.255.255.0
ipv6 address fe80::3:2 link-local
ipv6 address 2001:db8:241::1/64
no shutdown
exit
interface s0/1/0
ip address 209.165.202.2 255.255.255.0
ipv6 address fe80::3:3 link-local
ipv6 address 2001:db8:202::2/64
no shutdown
exit
interface s0/1/1
ip address 209.165.203.2 255.255.255.0
ipv6 address fe80::3:4 link-local
ipv6 address 2001:db8:203::2/64
no shutdown
exit
interface loopback 0
ip address 192.168.0.1 255.255.255.0
ipv6 address fe80::3:5 link-local
ipv6 address 2001:db8:192::1/64
no shutdown
exit
interface loopback 1
ip address 192.168.240.1 255.255.255.0
ipv6 address fe80::3:6 link-local
ipv6 address 2001:db8:240::1/64
no shutdown
exit
ip access-list standard MY-4-NETWORKS
permit 192.168.0.0 0.0.0.255
permit 192.168.240.0 0.0.3.255
permit 0.0.0.0 0.0.0.0
exit
route-map FILTER-MY-4-NETS deny 10
match ip address MY-4-NETWORKS
exit
route-map FILTER-MY-4-NETS permit 20
ipv6 access-list MY-6-NETWORKS
permit any 2001:db8:240::/46
permit any 2001:db8:192::/64
permit any ::/0
exit
route-map FILTER-MY-6-NETS deny 10
match ipv6 address MY-6-NETWORKS
exit
route-map FILTER-MY-6-NETS permit 20
ip route 10.0.0.1 255.255.255.255 s0/1/0 209.165.202.1
ip route 10.0.0.1 255.255.255.255 s0/1/1 209.165.203.1
ipv6 route 2001:db8:10::1/128 s0/1/0 2001:db8:202::1
ipv6 route 2001:db8:10::1/128 s0/1/1 2001:db8:203::1
ip route 192.168.240.0 255.255.248.0 null0
ipv6 route 2001:db8:240::/46 null0
router bgp 192
neighbor 209.165.201.2 remote-as 172
neighbor 10.0.0.1 remote-as 10
neighbor 10.0.0.1 update-source loopback 0
neighbor 2001:db8:201::2 remote-as 172
neighbor 2001:db8:10::1 remote-as 10
neighbor 2001:db8:10::1 update-source loopback 0
address-family ipv4 unicast
neighbor 209.165.201.2 activate
neighbor 10.0.0.1 activate
neighbor 209.165.201.2 route-map FILTER-MY-4-NETS in
neighbor 10.0.0.1 route-map FILTER-MY-4-NETS in
network 192.168.240.0 mask 255.255.248.0
network 192.168.0.0
exit
address-family ipv6 unicast
neighbor 2001:db8:201::2 activate
neighbor 2001:db8:10::1 activate
neighbor 2001:db8:201::2 route-map FILTER-MY-6-NETS in
neighbor 2001:db8:10::1 route-map FILTER-MY-6-NETS in
network 2001:db8:240::/46
network 2001:db8:192::/64
exit
exit
router ospfv3 1
router-id 0.0.192.3
address-family ipv4 unicast
passive-interface default
no passive-interface g0/0/1
default-information originate
exit
address-family ipv6 unicast
passive-interface default
no passive-interface g0/0/1
default-information originate
exit
exit
interface g0/0/1
ospfv3 1 ipv4 area 0
ospfv3 1 ipv6 area 0
exit
interface loopback 0
ip ospf network point-to-point
ipv6 ospf network point-to-point
ospfv3 1 ipv4 area 0
ospfv3 1 ipv6 area 0
exit
interface loopback 1
ip ospf network point-to-point
ipv6 ospf network point-to-point
ospfv3 1 ipv4 area 0
ospfv3 1 ipv6 area 0
exit
aaa new-model
radius server MY-RADIUS
address ipv4 10.165.251.5 auth-port 1812 acct-port 1813
key $trongPass
exit
aaa authentication login VTY-CONTROL group radius local
line con 0
logging synchronous
exec-timeout 0 0
exit
line vty 0 4
transport input telnet
exec-timeout 5 0
login authentication VTY-CONTROL
exit
alias exec reset.now tclsh flash:/enarsi/reset.tcl
end
}
tclquit
D1 Configuration File Scripts
tclsh
puts [ open "flash:/enarsi/sa-tshoot-d1-config.txt" w+ ] {
hostname D1
no ip domain lookup
ip routing
ipv6 unicast-routing
banner motd # This is D1, ENARSI SA Part 2 #
enable secret cisco12345
username admin privilege 15 algorithm-type scrypt secret cisco12345
vlan 250
name Users
exit
vlan 251
name Servers
exit
interface range g1/0/1-24
switchport mode access
shutdown
interface g1/0/11
no switchport
ip address 10.165.249.2 255.255.255.0
ipv6 address fe80::d1:1 link-local
ipv6 address 2001:db8:249::2/64
no shutdown
exit
interface g1/0/23
switchport mode access
spanning-tree portfast
switchport access vlan 250
no shutdown
exit
interface vlan 250
ip address 10.165.250.1 255.255.255.0
ipv6 address fe80::d1:2 link-local
ipv6 address 2001:db8:24A::1/64
no shutdown
exit
interface vlan 251
ip address 10.165.251.1 255.255.255.0
ipv6 address fe80::d1:3 link-local
ipv6 address 2001:db8:24B::1/64
no shutdown
exit
interface range g1/0/5-6
switchport mode trunk
channel-group 1 mode active
no shutdown
exit
ip dhcp excluded-address 10.165.250.1 10.165.250.5
ip dhcp pool VLAN250DHCP
network 10.165.250.0 255.255.255.0
default-router 10.165.250.1
exit
router eigrp ENARSI-SA
address-family ipv4 unicast autonomous-system 1
eigrp router-id 0.4.10.2
network 10.165.249.0
network 10.165.250.0
network 10.165.251.0
af-interface vlan 250
passive-interface
exit
af-interface g1/0/11
summary-address 10.165.250.0 255.255.255.0
exit
af-interface vlan 251
passive-interface
exit
exit-address-family
address-family ipv6 unicast autonomous-system 1
eigrp router-id 0.6.10.2
af-interface g1/0/11
summary-address 2001:db8:240::/48
exit
af-interface vlan 250
passive-interface
exit
af-interface vlan 251
passive-interface
exit
exit-address-family
exit
aaa new-model
radius server MY-RADIUS
address ipv4 10.165.251.5 auth-port 1812 acct-port 1813
key $trongPass
exit
aaa authentication login VTY-CONTROL group radius local
line con 0
logging synchronous
exec-timeout 0 0
exit
line vty 0 4
transport input telnet
exec-timeout 5 0
login authentication VTY-CONTROL
exit
alias exec reset.now tclsh flash:/enarsi/reset.tcl
end
}
tclquit
D2 Configuration File Scripts
tclsh
puts [ open "flash:/enarsi/sa-tshoot-d2-config.txt" w+ ] {
hostname D2
no ip domain lookup
ip routing
ipv6 unicast-routing
banner motd # This is D2, ENARSI SA Part 2 #
enable secret cisco12345
username admin privilege 15 algorithm-type scrypt secret cisco12345
vlan 242
name Users
exit
interface range g1/0/1-24
switchport mode access
shutdown
interface g1/0/11
no switchport
ip address 209.165.241.2 255.255.255.0
ipv6 address fe80::d2:1 link-local
ipv6 address 2001:db8:241::2/64
no shutdown
exit
interface g1/0/23
switchport mode access
spanning-tree portfast
switchport access vlan 242
no shutdown
exit
interface g1/0/24
switchport mode access
spanning-tree portfast
switchport access vlan 243
no shutdown
exit
interface vlan 242
ip address 192.168.242.1 255.255.255.0
ipv6 address fe80::d2:2 link-local
ipv6 address 2001:db8:242::1/64
no shutdown
exit
interface vlan 243
ip address 192.168.243.1 255.255.255.0
ipv6 address fe80::d1:3 link-local
ipv6 address 2001:db8:243::1/64
no shutdown
exit
ip dhcp excluded-address 192.168.242.1 192.168.242.5
ip dhcp pool VLAN242DHCP
network 192.168.242.0 255.255.255.0
default-router 192.168.242.1
exit
ip dhcp excluded-address 192.168.243.1 192.168.243.5
ip dhcp pool VLAN243DHCP
network 192.168.243.0 255.255.255.0
default-router 192.168.243.1
exit
router ospfv3 1
router-id 0.0.192.2
address-family ipv4 unicast
passive-interface default
no passive-interface g1/0/11
exit
address-family ipv6 unicast
passive-interface default
no passive-interface g1/0/11
exit
exit
interface g1/0/11
ospfv3 1 ipv4 area 0
ospfv3 1 ipv6 area 0
exit
interface vlan 242
ospfv3 1 ipv4 area 0
ospfv3 1 ipv6 area 0
exit
interface vlan 243
ospfv3 1 ipv4 area 0
ospfv3 1 ipv6 area 0
exit
aaa new-model
radius server MY-RADIUS
address ipv4 10.165.251.5 auth-port 1812 acct-port 1813
key $trongPass
exit
aaa authentication login VTY-CONTROL group radius local
line con 0
logging synchronous
exec-timeout 0 0
exit
line vty 0 4
transport input telnet
exec-timeout 5 0
login authentication VTY-CONTROL
exit
alias exec reset.now tclsh flash:/enarsi/reset.tcl
end
}
tclquit
A1 Configuration File Scripts
tclsh
puts [ open "flash:/enarsi/sa-tshoot-a1-config.txt" w+ ] {
hostname A1
no ip domain lookup
banner motd # This is A1, ENARSI SA Part 2 #
enable secret cisco12345
username admin privilege 15 algorithm-type scrypt secret cisco12345
vlan 251
name Servers
exit
interface range f0/1-24
switchport mode access
shutdown
exit
interface f0/23
switchport mode access
switchport access vlan 250
spanning-tree portfast
no shutdown
exit
interface f0/24
switchport mode access
switchport access vlan 251
spanning-tree portfast
no shutdown
exit
interface vlan 250
ip address 10.165.250.2 255.255.255.0
ipv6 address fe80::a1:1 link-local
ipv6 address 2001:db8:24A::2/64
no shutdown
exit
ip default-gateway 10.165.250.1
interface f0/23
shutdown
exit
interface range f0/1-3
switchport mode trunk
channel-group 1 mode active
no shutdown
exit
line con 0
logging synchronous
exec-timeout 0 0
exit
aaa new-model
radius server MY-RADIUS
address ipv4 10.165.251.5 auth-port 1812 acct-port 1813
key $trongPass
exit
aaa authentication login VTY-CONTROL group radius local
line con 0
logging synchronous
exec-timeout 0 0
exit
line vty 0 4
transport input telnet
exec-timeout 5 0
login authentication VTY-CONTROL
exit
alias exec reset.now tclsh flash:/enarsi/reset.tcl
end
}
tclquit