Introduction to Cisco's New CCNP 642-832 (TSHOOT) Exam
Cisco, new CCNP, 642-832
Cisco CCNP Certification 642-832 TSHOOT Network Troubleshooting Exam: Overview
642-832 TSHOOT: Troubleshooting and Maintaining Cisco IP Networks
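Exam number: 642-832
Certification: CCNP
Duration: 120 minutes
Number of questions: 53
Passing score: 790
Exam language: English
Testing provider: Pearson VUE
Question types: multiple choice, drag and drop, lab
Technical level: Cisco senior engineer
Career track: Routing and Switching
Exam fee: USD 150 per exam, roughly RMB 1,700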
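Cisco CCNP Certification 642-832 TSHOOT Network Troubleshooting Exam: Description
642-832 TSHOOT is a qualifying exam for the Cisco Certified Network Professional (CCNP) certification. IT认证考试资源网 notes that passing 642-832 shows that a network engineer has the important networking knowledge and skills needed to plan and carry out regular maintenance on complex routed and switched enterprise networks, and to troubleshoot networks using systematic technical knowledge in line with the ITIL framework.
Cisco CCNP Certification 642-832 TSHOOT Network Troubleshooting Exam: Topics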
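Maintain and monitor network performance
Develop a plan to monitor and manage a network
Perform network monitoring using IOS tools
Perform routine checks on IOS-based devices
Isolate sub-optimal internetwork operation at the correctly defined OSI model layer
Troubleshoot multi-protocol system networks
Troubleshoot EIGRP
Troubleshoot OSPF
Troubleshoot eBGP
Troubleshoot routing redistribution solutions
Troubleshoot DHCP client and server solutions
Troubleshoot NAT
Troubleshoot first hop redundancy protocols
Troubleshoot IPv6 routing
Troubleshoot IPv6 and IPv4 interoperability
Troubleshoot switch-to-switch connectivity for VLANs
Troubleshoot VLAN-based loop prevention
Troubleshoot VLAN-based access ports
Troubleshoot private VLANs (PVLAN)
Troubleshoot port security
Troubleshoot general switch security
Troubleshoot VACLs and PACLs
Troubleshoot switch virtual interfaces (SVIs)
Troubleshoot switch supervisor redundancy
Troubleshoot switch support of advanced services (for example: wireless, voice and video)
Troubleshoot voice support solutions
Troubleshoot video support solutions
Troubleshoot Layer 3 security features
Troubleshoot issues with ACLs used to secure access to Cisco routers
Troubleshoot configuration issues related to AAA server authentication and authorization
Troubleshoot security issues related to IOS services (for example: finger, NTP, HTTP, FTP, RCP, etc.)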
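CCNP 832 exam tips:
The exam consists of multiple-choice questions, drag-and-drop questions, and lab questions.
There are usually three multiple-choice and drag-and-drop questions in total. Drag-and-drop questions are known as DD, and the troubleshooting labs are known as TT. Sometimes a multiple-choice question and a drag-and-drop question can be swapped in how they are presented, so it is best to understand what the question is actually asking.
Next, the multiple-choice questions. (The exam questions are all picked from this set, also called the question bank. Usually two are picked and the remaining one is a drag-and-drop question, although sometimes all three are multiple choice.)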
642-832 multiple-choice questions
Q1
What will be alternative for:
ip ftp username xxxxxx
ip ftp password yyyyyy
Answer:
ip http client username xxxxxx
ip http client password yyyyyy
Q2
What will happen if you configure 2 routers to be NTP servers?
Answer:
The router will choose the best reliable server and will synchronise with it.
Q3
What happens if you run the command: logging console warnings.
Answer:
Warning, Critical, Alert, Emergencies
Q4
Network Maintenance: Choose from the list 2 network maintaining types.
Answer:
Structured
Interrupt Driven
Q5
Link/Interface is up and protocol is also up But cdp neighbor not working?
Answer:
Data link layer.
Q6
access-list 199 permit tcp host 10.1.1.1 host 172.16.1.1
access-list 199 permit tcp host 172.16.1.1 host 10.1.1.1
debug ip packet 199
What would be the output shown on the console?
Answer:
Only communication between host 10.1.1.1 and host 172.16.1.1
Q7
The interface is up and protocol is up. When do you get these messages?
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/14, changed state to up
%LINKDOWN-3-SERIAL:
Answer:
the first message is a severity 3 log message
Next, the drag-and-drop questions. (The question and answer are on the left; the explanation of the answer and a way to memorize it are on the right.)
642-832 drag-and-drop question DD1:
FCAPS: the five basic functions of network management
Fault Management -- F
Configuration Management -- C
Accounting Management -- A
DD2:
FCAPS -- Fault, Configuration, Accounting, Performance, Security (ISO)
ITIL -- framework for IT prof
Cisco lifecycle -- model is often referred to as the PPDIOO model
TMN -- Telecommunications Management Network (ITU-T)
PS:
ITIL is the Information Technology Infrastructure Library.
PPDIOO:Prepare-Plan-Design-Implement-Operate-Optimize
DD3:
EEM -- CLI
SDM -- GUI
FTP -- Backup
PS:
CLI (command-line interface)
GUI (Graphical User Interface)
SDM (Security Device Manager) is a new graphical router management tool from Cisco;
EEM (Embedded Event Manager) is the embedded event manager in Cisco IOS;
===========================================
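Two drag-and-drop questions:
FCAPS -- model defined by ISO
ITIL -- framework
TMN -- ITU-T
Cisco lifecycle -- PPDIOO
There is not much to say about this drag-and-drop question.
EEM,IP,SLA -- CLI
SDM,CNA -- GUI
FTP,TFTP,SCP -- Backup
For this drag-and-drop question, memorize every item in each row of the left column; any one item from a row may be tested.
Next are the lab questions (troubleshooting: TT). After trying Cisco's demo, I found that
Cisco has really just built a few Flash simulations: they all use the same topology, which is split into three smaller topology diagrams according to the troubleshooting problem: IPv4, IPv6, and Layer 2/Layer 3.
The exam keeps asking the same thing: client1 and client2 try to reach the web server and the ping fails; what is the cause? When answering, just click the client and ping the web server. Wherever the ping stops getting through, look there and identify the faulty device.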
Cisco provides a demo that you can look at:
http://www.cisco.com/web/learning/le3/le2/le37/le10/tshoot_demo.html
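Then select troubleshooting 1, click the topology at the bottom of the page, click client1, and start troubleshooting.
In the end the fault is narrowed down as follows: pings to R1 all succeed and pings to the ISP succeed, but the web server is unreachable. As shown in the figure below:
Because the web server cannot be debugged and the ISP cannot be debugged either, the problem is 100% on R1.
Because R1's own interfaces can communicate, the problem should be a routing problem, specifically a static route problem. Then click R1, as shown in the figure below: enable, show running (to view the configuration).
Once the problem is found, answer the questions:
This indicates that your answers to all 3 questions were correct.
The steps are the same in the exam. (Note: the exam question says to modify the configuration and point out where the error is, but you will not actually be asked to change anything, because the exam questions are all multiple choice. Remember that you only need to find the fault; you do not need to fix it. The so-called lab questions are also multiple choice.)
So this exam is very simple. You can pass it in 3 days.
The commonly tested points are summarized below:
The TT question bank is as follows: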
Ticket 1
1.Client is unable to ping R1’s serial interface from the client.
The problem was disabled authentication on R1; check where authentication is not given under router ospf of R1. (Use IPv4 Layer 3.)
conf R1 was:
interface Serial0/0.12 point-to-point
 ip address 10.1.1.1 255.255.255.252
 ip nat inside
 ip ospf message-digest-key 1 md5 TSHOOT
router ospf 1
 log-adjacency-changes
 network 10.1.1.0 0.0.0.3 area 12
 default-information originate always
conf R2 was:
interface Serial0/0.12 point-to-point
 ip address 10.1.1.2 255.255.255.252
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 TSHOOT
Answer: on R1, the following command is needed in router mode:
area 12 authentication message-digest
Ans1) R1
Ans2) ipv4 OSPF
Ans3) ip ospf authentication message-digest command must be given on s0/0/0
Replace the 'Answer' with the following statement:
On R1, the command is needed in interface configuration mode of S0/0/0 (not in router mode)
Symptoms of above ticket are as below:-
1- No one is able to ping 10.1.1.1 (R1's S0/0/0 int) except R2.
2- Client 1 is able to ping up to 10.1.1.2 (R2's S0/0.12 int).
3- ‘Sh ip ospf neighbor’ command on R1 will not show any neighbor
4- ‘sh ip route ospf’ command on R1 will not show any OSPF route
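A configuration check for the fault in Ticket 1, added here as an illustration (it is not part of the original post): it flags interfaces that carry an OSPF MD5 key while MD5 authentication is enabled neither on the interface nor on the area covering it, so either fix mentioned in the ticket clears the finding. The function names are assumptions, and the sample is the R1 excerpt above trimmed to its OSPF-relevant lines.

```python
import ipaddress

# Constructed from the R1 excerpt quoted in Ticket 1 (the faulty state).
R1_FAULTY = """\
interface Serial0/0.12 point-to-point
 ip address 10.1.1.1 255.255.255.252
 ip ospf message-digest-key 1 md5 TSHOOT
router ospf 1
 network 10.1.1.0 0.0.0.3 area 12
"""


def sections(config):
    """Group an indented IOS config into {header line: [sub-commands]}."""
    out, current = {}, None
    for line in config.splitlines():
        if line.strip() in ("", "!"):
            continue
        if not line.startswith(" "):
            current = out.setdefault(line.strip(), [])
        elif current is not None:
            current.append(line.strip())
    return out


def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def md5_key_without_auth(config):
    """Interfaces with an MD5 key but no authentication enabled, either on the
    interface or on the OSPF area whose network statement covers its address."""
    cfg = sections(config)
    ospf = [c.split() for h, cmds in cfg.items() if h.startswith("router ospf") for c in cmds]
    auth_areas = {w[1] for w in ospf if w[0] == "area" and w[2:] == ["authentication", "message-digest"]}
    nets = [w for w in ospf if w[0] == "network" and len(w) == 5 and w[3] == "area"]
    findings = []
    for header, cmds in cfg.items():
        addr = next((c.split()[2] for c in cmds if c.startswith("ip address ")), None)
        has_key = any(c.startswith("ip ospf message-digest-key ") for c in cmds)
        if_auth = "ip ospf authentication message-digest" in cmds
        if not header.startswith("interface ") or addr is None or not has_key or if_auth:
            continue
        # A 1 bit in the network statement's wildcard means "don't care".
        covered = any(w[4] in auth_areas and
                      (to_int(addr) ^ to_int(w[1])) & ~to_int(w[2]) & 0xFFFFFFFF == 0
                      for w in nets)
        if not covered:
            findings.append(header.split()[1])
    return findings
```

Run against R1_FAULTY, the function returns the Serial0/0.12 subinterface; the finding disappears once authentication is enabled for area 12 or on the interface itself.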
Ticket 2
HSRP: DSW1 does not become active.
conf on DSW1:
track 1 ip route 10.28.123.123 255.255.0.0 metric threshold
 threshold metric up 1 down 2
!
track 10 ip route 11.11.11.11 255.255.255.0 metric threshold
 threshold metric up 63 down 64
interface Vlan10
 ip address 10.2.1.1 255.255.255.0
 standby 10 ip 10.2.1.254
 standby 10 priority 200
 standby 10 preempt
 standby 10 track 1 decrement 60
Answer: (use IPv4 Layer 3 Topology)
On DSW1, in interface vlan 10 mode, run:
no standby 10 track 1 decrement 60
standby 10 track 10 decrement 60
(The IP addresses in the track commands are not exactly those of the real exam.)
Ans1) DSW1
Ans2) HSRP
Ans3) delete the command with track 1 and enter the command with track 10.
Ticket 3
configuration on R1:
router bgp 65001
 no synchronization
 bgp log-neighbor-changes
 network 209.65.200.224 mask 255.255.255.252
 neighbor 209.56.200.226 remote-as 65002
 no auto-summary
Check the BGP neighborship: show ip bgp sum
The neighbor's address in the neighbor command is wrong under router BGP. (Use IPv4 Layer 3.)
Answer: in router mode on R1, the neighbor needs to be changed to 209.65.200.226
Ans1) R1
Ans2) BGP
Ans3) delete the wrong neighbor statement and enter the correct neighbor address in the neighbor command (change 209.56.200.226 to 209.65.200.226)
Correction in problem statement:-
In the above ticket, R1 and all others are able to ping 209.65.200.226, but not the Web Server. This is because R1 is directly connected to 209.65.200.226, and BGP is not required in order to ping a directly connected network. As soon as R1 knows about the 209.65.200.224 network, all other devices are also able to ping 209.65.200.226, since they come to R1 for any unknown route because of the default route propagated through R1's OSPF (using the 'default-information originate always' command). However, the Web Server is not accessible until BGP is configured properly between R1 and the ISP (209.65.200.226), because only then will R1 receive the information about the Web Server's network.
Following are the symptoms of above ticket:-
1- No one is able to ping Web Server.
2- Client 1 and all others can ping up to 209.65.200.226.
3- ‘sh ip route BGP’, you will not see any BGP route.
4- ‘sh ip bgp neighbor’ on R1, you will not see any active BGP neighbor.
Ticket 4
Client is not able to ping the web server, but the routers can ping the server. NAT problem. (use ipv4 Layer 3)
Problem: the NAT ACL on R1
Answer: add to acl 1 permit ip 10.2.1.0 0.0.0.255
Ans1) R1
Ans2) IP NAT
Ans3) under NAT access list, enter the command permit 10.2.0.0 0.0.255.255
R4, R3, R2 can ping 209.65.200.241
Ticket 5
Client is not able to ping the server. Except for R1, no one else can ping the server. (use ipv4 Layer 3)
Problem: an ACL on R1 is blocking IP
acl something like this:
deny 10.2.1.0
deny 10.1.4.0
deny 10.1.1.0
Answer: add the permit 209.65.200.241 command to R1's ACL
Ans1) R1
Ans2) IPv4 Layer3 Security
Ans3) Add permit 209.65.200.224 0.0.0.3 to R1's ACL
Even R1 would not be able to ping the web server or the ISP (209.65.200.226), since the explicit deny of this ACL will not allow a reply to come back in to R1 from outside (this ACL is applied in the 'in' direction) until a permit entry is included in the ACL. This will also cause the BGP neighbor relationship to go down.
You will see one permit entry for web server only, which is not enough. You will see the contents of this ACL as below.
ip access-list extended edge_security
 permit ip host 209.65.200.241 any
 deny ip 10.2.0.0 0.0.255.255 any
 deny ip 10.1.0.0 0.0.255.255 any
 deny ip host 127.0.0.1 any
That's why an entry of 'permit 209.65.200.224 0.0.0.3 any' is required to solve this problem. And by the way, the entries for the 10.x.x.x networks neither have any effect nor are required in this ACL; they are put there only to confuse the candidates.
R4, R3, R2 can not ping 209.65.200.226
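How the edge_security ACL quoted above is evaluated, as an added example (not part of the original post): entries are checked top to bottom, the first match wins, and a packet that matches nothing is dropped by the implicit deny at the end of the list. Only the source address is modelled because every entry uses "any" as the destination; the helper names and the labels for the inbound packets are constructed for illustration.

```python
import ipaddress

# Constructed from the edge_security ACL quoted above (applied inbound on R1,
# per the ticket); each entry is (action, source, wildcard).
EDGE_SECURITY = [
    ("permit", "209.65.200.241", "0.0.0.0"),      # permit ip host 209.65.200.241 any
    ("deny",   "10.2.0.0",       "0.0.255.255"),
    ("deny",   "10.1.0.0",       "0.0.255.255"),
    ("deny",   "127.0.0.1",      "0.0.0.0"),
]
FIX = ("permit", "209.65.200.224", "0.0.0.3")     # entry the ticket says to add


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means "don't care"."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def evaluate(acl, src):
    """Return (action, index) of the first matching entry, top to bottom.
    Index None means the packet fell through to the implicit deny."""
    for i, (action, base, wildcard) in enumerate(acl):
        if wildcard_match(src, base, wildcard):
            return action, i
    return "deny", None


def report(acl, sources):
    """Map each labelled source address to the action the ACL takes on it."""
    return {name: evaluate(acl, ip)[0] for name, ip in sources.items()}


# Source addresses of packets arriving inbound from outside R1.
INBOUND = {
    "web server reply": "209.65.200.241",
    "ISP BGP peer":     "209.65.200.226",
}

if __name__ == "__main__":
    print("before fix:", report(EDGE_SECURITY, INBOUND))
    print("after fix: ", report(EDGE_SECURITY + [FIX], INBOUND))
```

Before the fix, packets from the BGP peer 209.65.200.226 match no entry and are dropped, which is why the single permit for the web server is not enough; none of the 10.x.x.x deny entries is ever the deciding match for these sources.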
Ticket 6
Client 1 is not able to ping the server. Unable to ping DSW1(Use L2 Diagram).
Vlan Access map is applied on DSW1 blocking the ip address of client 10.2.1.3
Ans1) DSW1
Ans2) Vlan access map
Ans3) No vlan filter 10
Symptoms of this ticket.
1- Client 1 is getting the correct IP address from DHCP (i.e. 10.2.1.3)
2- But Client 1 is unable to ping DSW1.
3- Client 1 is unable to ping FTP Server (10.2.2.10)
Ticket 7
Client 1 is not able to ping the server
Situation: Unable to ping DSW1 (Use Layer 2).
On ASW1 port security mac 0000.0000.0001, interface in err-disable state
Answer: on ASW1 delete port security & do shutdown, no shutdown on the interfaces
Ans1) ASW1
Ans2) Port security
Ans3) On fa1/0/1 and fa1/0/2 do disable port security and do shut, no shut.
Symptoms for this ticket:-
1- Client 1 is getting 169.x.x.x ip address
2- Client 1 is unable to ping Client 2 as well as DSW1.
3- 'sh interfaces fa1/0/1' will show the following message in the first line
'FastEthernet1/0/1 is down, line protocol is down (err-disabled)'
4- 'sh running-config': you will see 'switchport port-security mac-address 0000.0000.0001' configured under fa1/0/1.
Ticket 8
Client 1 is not able to ping the server
Situation: Unable to ping DSW1 & in port channel configuration of ASW1 vlan 10 is not allowed. (Use L2 Diagram)
On ASW1, on interfaces fa0/1, fa0/2 switchport access vlan 1
Answer: on ASW1 change switchport access vlan 1 to switchport access vlan 10
Ans1) ASW1
Ans2) Access vlan
Ans3) give command: interface range fa1/0/1-/2 switchport access vlan 10
Kindly correct the situation in the above ticket. Because you have mentioned situation of another ticket and solution of another. The correct situation is:-
Situation: Clients are unable to ping DSW1, because their access ports aren’t configured for VLAN 10 on ASW1 (both ports are in the default VLAN1).
Symptoms:-
1- Clients are getting 169.x.x.x IP address.
2- Client 1 can ping Client 2 and vice versa.
3- 'sh running-config' command will not display 'switchport access vlan 10' under the interfaces fa1/0/1 and fa1/0/2.
Ticket 9
Can't ping the web server 209.65.200.241
Situation: Unable to ping DSW1 & in port channel configuration of ASW1 vlan 10 is not allowed. (Use L2 Diagram) Question was about EtherChannel.
Client can't obtain an IP address (169.x.x.x)
On ASW1, trunks allow vlan 20,200
Answer: on port channel 23 give switchport trunk allowed vlan 10,200
Ans1) ASW1
Ans2) Switch to switch connectivity
Ans3) on port channel 23 give switchport trunk allowed vlan 10,200
Symptoms of above ticket:-
1- Client 1 is getting 169.x.x.x ip address.
2- Client 1 can ping Client 2 and vice versa.
3- ‘sh interfaces trunk’ you will not see vlan 10 in PO13 and PO23 under allowed Vlans on trunk
Ticket 10
Client 1 is not able to ping the server
Situation: Unable to ping R4 fast ethernet port from dsw1.
Check ip eigrp neighbors from DSW1 you will not see R4 as neighbor.(use ipv4 Layer 3)
On DSW1 & DSW2 the EIGRP AS number is 10 (router eigrp 10) but on R4 it is 1 (router eigrp 1)
Answer: change the router AS on R4 from 1 to 10
Ans1) R4
Ans2) IPv4 EIGRP
Ans3) Change eigrp AS number from 1 to 10
Kindly correct the above situation as per following:-
DSW1 is still able to ping R4's Fast Ethernet interface, because this interface is directly connected to DSW1, so no matter whether EIGRP is configured correctly or not, DSW1 can ping the fa0/0 interface (10.1.4.5). However, clients and DSW1 will not be able to ping R4's S0/0/0.34 interface (10.1.1.10), because EIGRP is required to work properly to reach that side. Following are the symptoms for above ticket:-
1- Clients and DSW1 are unable to ping R4's S0/0/0.34 interface
2- Clients and DSW1 can ping up to R4's Fa0/0 interface.
3- ‘sh ip eigrp neighbor’ on DSW1 you will not see R4 as neighbor.
4- ‘sh ip route’ on DSW1 you will not see any 10.x.x.x network route.
Ticket 11
Client 1 is not able to ping the server
Situation: Unable to ping serial interface of R4 from the clients.
On R4 in router eigrp:
redistribute ospf 1 route-map EIGRP_to_OSPF
BUT route-map was named:
route-map EIGRP->OSPF
Answer: change the route-map name in router eigrp
Ans1) R4
Ans2) route redistribution
Ans3) change the name of the route-map under the router EIGRP or router OSPF process from ‘to’ to ‘->’.
Ticket 12
IPV6 loopback of R2 cannot be pinged from DSW1’s loopback.
Situation: ipv6 ospf was not enabled on R2’s serial interface connecting to R3. (use ipv6 Layer 3)
Answer:
interface configuration mode:
ipv6 ospf 6 area 12
Ans1) R2
Ans2) IPV6 ospf
Ans3) on the serial interface of R2, enter the command ipv6 ospf 6 area 0 (make sure to check the IPV6 topology before choose Answer 3 because the options look similar)
Kindly update the question statement. The above mentioned is not as per the exam. Although the problem lies in R2, they asked the question for R1.
Question: IPv6 loopback cannot ping the IPv6 loopback of DSW2.
Situation:- R2 can't establish neighborship relation with R3 because it does not have any interfaces enabled in Area 0.
Symptoms:-
1- IPv6 ping from R1 to DSW1's loopback will timeout
2- IPv6 ping from R2 to DSW1's loopback will timeout
3- You will not see R3 as neighbor on R2 by entering 'ipv6 ospf neighbor' command
4- By entering the command 'sh run' you will not see 'ipv6 ospf 6 area 0' command under the interface S0/0/0.23 on R2.
TT summary table: (in Word, use the Web Layout view to see the complete summary table)
TT problem summary
Device | Fault description | Answer description | How to tell
ASW1 | Port Security | Ans1) ASW1 | 1. ping client2 fails
ASW1 | VLAN ACCESS vlan10 | Ans1) ASW1 | 1. ping DSW1 fails; correct IP address not obtained
ASW1 | VLAN TRUNK | Ans1) ASW1 | 1. ping DSW1 fails; correct IP address not obtained
DSW1 | HSRP Track | Ans1) DSW1 | Problem: DSW1 does not become active.
DSW1 | VLAN Filter | Ans1) DSW1 | 1. client ping to DSW1 fails; IP address obtained
R4 | EIGRP AS | Ans1) R4 | 1. ping R4 serial port fails
R4 | EIGRP Redistribute | Ans1) R4 | 1. ping R4 serial port fails
R2&R3 | IP v6 | Ans1) R2 | 1. The problem is: IPV6 loopback of R2 cannot be pinged from DSW1's loopback
R1 | OSPF Authentication | Ans1) R1 | 1. ping R1 inside interface fails
R1 | BGP Neighbor | Ans1) R1 | 1. ping ISP fails
R1 | NAT ACL | Ans1) R1 | 1. ping ISP fails
R1 | R1 ACL | Ans1) R1 | 1. ping ISP fails
R3 | Tunnel misconfigured: on R3, the tunnel source is configured incorrectly | |
 | OSPF | IPv4 OSPF / the advertised 10.1.1.0 network segment |
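Finally, for everyday practice you can use PT: it can simulate 9 of the 12 troubleshooting tickets in the exam. As shown in the figure below:
I have also prepared the corresponding PKT files (that is, the troubleshooting lab environments).
There are 9 TTs here; the other 3 are not simulated: one is HSRP, one is VACL, and one is route redistribution. PT does not accept some of the commands, so these 3 are missing; I suggest simply memorizing them. As shown in the figure below: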