CCNP 832 Troubleshooting Exam Tips

 

Introduction to Cisco's new CCNP 642-832 (TSHOOT) exam

Cisco, new CCNP, 642-832

Cisco CCNP certification 642-832 TSHOOT network troubleshooting exam: overview

642-832 TSHOOT: Troubleshooting and Maintaining Cisco IP Networks

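Exam number: 642-832

Certification: CCNP

Duration: 120 minutes

Number of questions: 53

Passing score: 790

Exam language: English

Testing provider: Pearson VUE

Question types: multiple choice, drag-and-drop, lab questions

Technical level: Cisco senior engineer

Career track: Routing and Switching

Exam fee: USD 150 per exam, roughly RMB 1,700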

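Cisco CCNP certification 642-832 TSHOOT network troubleshooting exam: description

642-832 TSHOOT is a qualifying exam for the Cisco Certified Network Professional (CCNP) certification. IT认证考试资源网 (an IT certification exam resource site) notes that passing 642-832 demonstrates that a network engineer has important networking knowledge and skills, including: planning and performing regular maintenance of complex enterprise routed and switched networks, and troubleshooting networks based on systematic technical knowledge and in line with the ITIL framework.

Cisco CCNP certification 642-832 TSHOOT network troubleshooting exam: topics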

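Maintain and monitor network performance

Develop a plan to monitor and manage a network

Perform network monitoring using IOS tools

Perform routine inspection of IOS-based devices

Isolate sub-optimal internetwork operation at the correctly defined OSI model layer

Troubleshoot multi-protocol network systems

Troubleshoot EIGRP

Troubleshoot OSPF

Troubleshoot eBGP

Troubleshoot route redistribution solutions

Troubleshoot DHCP client and server solutions

Troubleshoot NAT

Troubleshoot first hop redundancy protocols

Troubleshoot IPv6 routing

Troubleshoot IPv6 and IPv4 interoperability

Troubleshoot switch-to-switch VLAN connectivity

Troubleshoot VLAN-based loop prevention

Troubleshoot VLAN-based access ports

Troubleshoot private VLANs (PVLAN)

Troubleshoot port security

Troubleshoot general switch security

Troubleshoot VACLs and PACLs

Troubleshoot switch virtual interfaces (SVIs)

Troubleshoot switch supervisor redundancy

Troubleshoot advanced services supported by switches (for example: wireless, voice and video)

Troubleshoot voice support solutions

Troubleshoot video support solutions

Troubleshoot Layer 3 security features

Troubleshoot issues with ACLs used to secure access to Cisco routers

Troubleshoot configuration issues related to AAA server authentication and authorization

Troubleshoot security issues related to IOS services (for example: finger, NTP, HTTP, FTP, RCP, etc.)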

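CCNP 832 exam question tips:

The exam consists of multiple-choice, drag-and-drop, and lab questions.

Multiple-choice and drag-and-drop questions usually total three. Drag-and-drop questions are known as DD, and the lab troubleshooting tickets are known as TT. Sometimes a multiple-choice question and a drag-and-drop question can be swapped in how they are presented, so it is best to understand what each question is actually asking.

First, prepare for the multiple-choice questions: (the exam questions are all picked from this set, also called the question bank; usually two are picked and the remaining one is a drag-and-drop question, though sometimes all three are multiple choice)

642-832 multiple-choice questions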

Q1

What will be alternative for:

ip ftp username xxxxxx

ip ftp password yyyyyy

Answer:

ip http client username xxxxxx

ip http client password yyyyyy

Q2

What will happen if you configure 2 routers to be NTP servers?

Answer:

The router will choose the best reliable server and will synchronise with it.

Q3

What happens if you run the command: logging console warnings.

Answer:

Warning, Critical, Alert, Emergencies

Q4

Network Maintenance: Choose from the list 2 network maintaining types.

Answer:

Structured

Interrupt Driven

Q5

Link/Interface is up and protocol is also up But cdp neighbor not working?

Answer:

Data link layer.

Q6

access-list 199 permit tcp host 10.1.1.1 host 172.16.1.1

access-list 199 permit tcp host 172.16.1.1 host 10.1.1.1

debug ip packet 199

What would be the output shown on the console?

Answer:

Only communication between host 10.1.1.1 and host 172.16.1.1

Q7

The interface is up and protocol is up. When do you get these messages?

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/14, changed state to up

%LINKDOWN-3-SERIAL:

Answer:

the first message is a severity 3 log message

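Next, the drag-and-drop questions: (the question and answer are on the left; the explanation and memory aid are on the right)

642-832 drag-and-drop questions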

DD1

FCAPS: the five basic functions of network management

Fault Management -- F

Configuration Management -- C

Accounting Management -- A

DD2:

FCAPS -- Fault, Configuration, Accounting, Performance, Security (ISO)

ITIL -- framework for IT prof

Cisco lifecycle -- model is often referred to as the PPDIOO model

TMN -- Telecommunications Management Network (ITU-T)

PS:

ITIL is the Information Technology Infrastructure Library.

PPDIOO:Prepare-Plan-Design-Implement-Operate-Optimize

DD3:

EEM -- CLI

SDM -- GUI

FTP -- Backup

PS

CLI (command-line interface)

GUI (Graphical User Interface)

SDM (Security Device Manager) is Cisco's new graphical router management tool;

EEM (Embedded Event Manager) is the embedded event manager in Cisco IOS;

===========================================

Two drag-and-drop questions:

FCAPS -- model defined by ISO

ITIL -- framework

TMN -- ITU-T

Cisco lifecycle -- PPDIOO

Nothing much to say about this drag-and-drop.

EEM, IP SLA -- CLI

SDM, CNA -- GUI

FTP, TFTP, SCP -- Backup

For this drag-and-drop, memorize every item in each row of the left column; any one item from a row may be tested.

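Next are the lab questions (troubleshooting: TT). After testing Cisco's demo, I found that

Cisco has simply built several Flash animations: the same topology, split into three smaller topologies according to the troubleshooting problem: IPv4, IPv6, and Layer 2/Layer 3.

In the exam the question is always the same: client1 and client2 cannot ping the web server; what is the cause? When answering, you only need to click the client and ping the web server. Wherever the ping fails, inspect that point and identify the faulty device.

Cisco provides a demo you can look at: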

http://www.cisco.com/web/learning/le3/le2/le37/le10/tshoot_demo.html

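Then select troubleshooting ticket 1, click the topology at the bottom of the page, click client1, and start troubleshooting.

In the end the fault is localized: pings to R1 succeed and the ISP is reachable, but the web server is not.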

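Because neither the web server nor the ISP can be debugged, the problem is 100% on R1.

Because R1's own interfaces can communicate, the problem should be a routing problem: a static route problem! Then click R1 and run: enable, show running (to view the configuration).

Once the problem is found, start answering the questions.

This means your answers to all 3 questions were correct.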

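The steps are the same in the exam: (Note: the exam question says to modify the configuration and point out where the error is, but in practice you will not be asked to change anything, because the exam questions are all multiple choice. Remember that you only need to find the fault; you do not need to fix it. The so-called lab questions are also multiple choice.)

So this exam is simple. You can pass it in 3 days.

The common exam points are summarized below.

The TT question bank is as follows: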

Ticket 1

1.Client is unable to ping R1’s serial interface from the client.

The problem was disabled authentication on R1; check where authentication is not given under router ospf of R1. (use IPv4 Layer 3)

conf R1 was:
interface Serial0/0.12 point-to-point
ip address 10.1.1.1 255.255.255.252
ip nat inside
ip ospf message-digest-key 1 md5 TSHOOT
router ospf 1
log-adjacency-changes
network 10.1.1.0 0.0.0.3 area 12
default-information originate always

conf R2 was:
interface Serial0/0.12 point-to-point
ip address 10.1.1.2 255.255.255.252
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 TSHOOT

Answer: on R1, need command in router mode
area 12 authentication message-digest

Ans1) R1
Ans2) ipv4 OSPF
Ans3) ip ospf authentication message-digest command must be given on s0/0/0

Replace the ‘Answer’ with following statement
On R1 need the command in interface configuration mode of S0/0/0 (not in router mode)

Symptoms of above ticket are as below:-
1- No one is able to ping 10.1.1.1 (R1’s S0/0/0 int) except R2.
2- Client 1 is able to ping up to 10.1.1.2 (R2’s S0/0.12 int).
3- ‘Sh ip ospf neighbor’ command on R1 will not show any neighbor
4- ‘sh ip route ospf’ command on R1 will not show any OSPF route
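
The mismatch in Ticket 1 can be checked mechanically. The following is an added example, not part of the original notes: it treats an interface that carries an MD5 key as authenticated only if either the interface-level command or the area-level command is also present. The function names are hypothetical, and the configs are the ticket's excerpts trimmed to the OSPF-relevant lines.

```python
import ipaddress

# Excerpts from Ticket 1, trimmed; R2's "router ospf" section is not shown on the page.
R1 = """\
interface Serial0/0.12 point-to-point
ip address 10.1.1.1 255.255.255.252
ip ospf message-digest-key 1 md5 TSHOOT
router ospf 1
network 10.1.1.0 0.0.0.3 area 12
"""
R2 = """\
interface Serial0/0.12 point-to-point
ip address 10.1.1.2 255.255.255.252
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 TSHOOT
"""
IF_AUTH = "ip ospf authentication message-digest"

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def sections(cfg):
    """Split a flat (unindented) IOS config into {section header: [lines]}."""
    out, cur = {}, None
    for line in (l.strip() for l in cfg.splitlines()):
        if line.startswith(("interface ", "router ")):
            cur = out.setdefault(line, [])
        elif line in ("", "!"):
            cur = None
        elif cur is not None:
            cur.append(line)
    return out

def ospf_md5_status(cfg):
    """Map each interface holding an MD5 key to True if authentication is enabled."""
    secs = sections(cfg)
    ospf = [l.split() for h, ls in secs.items()
            if h.startswith("router ospf") for l in ls]
    auth_areas = {t[1] for t in ospf
                  if t[0] == "area" and t[2:] == ["authentication", "message-digest"]}
    # network <address> <wildcard> area <id>
    nets = [(to_int(t[1]), to_int(t[2]), t[4]) for t in ospf if t[0] == "network"]
    status = {}
    for header, lines in secs.items():
        if not (header.startswith("interface ")
                and any(l.startswith("ip ospf message-digest-key") for l in lines)):
            continue
        addr = next((to_int(l.split()[2]) for l in lines
                     if l.startswith("ip address ")), None)
        by_area = addr is not None and any(
            (addr ^ base) & ~wild & 0xFFFFFFFF == 0 and area in auth_areas
            for base, wild, area in nets)
        status[header.split()[1]] = IF_AUTH in lines or by_area
    return status
```

Run against the ticket's R1 excerpt it reports Serial0/0.12 as having a key but no authentication enabled, while R2's interface is enabled, which is the asymmetry that keeps the adjacency from forming.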

Ticket 2

HSRP: DSW1 does not become active.

conf on DSW1:
track 1 ip route 10.28.123.123 255.255.0.0 metric threshold
threshold metric up 1 down 2
!
track 10 ip route 11.11.11.11 255.255.255.0 metric threshold
threshold metric up 63 down 64

interface Vlan10
ip address 10.2.1.1 255.255.255.0
standby 10 ip 10.2.1.254
standby 10 priority 200
standby 10 preempt
standby 10 track 1 decrement 60

Answer: (use IPv4 Layer 3 Topology)

On DSW1, in interface vlan 10 mode, run:
no standby 10 track 1 decrement 60
standby 10 track 10 decrement 60
(ip for track command not exact for real exam)

Ans1) DSW1
Ans2) HSRP
Ans3) delete the command with track 1 and enter the command with track 10.

Ticket 3

configuration on R1:
router bgp 65001
no synchronization
bgp log-neighbor-changes
network 209.65.200.224 mask 255.255.255.252
neighbor 209.56.200.226 remote-as 65002
no auto-summary

check bgp neighborship. **** show ip bgp sum****
The neighbor’s address in the neighbor command is wrong under router BGP. (use ipv4 Layer 3)

Answer: need change on router mode on R1 neighbor 209.65.200.226

Ans1) R1
Ans2) BGP
Ans3) delete the wrong neighbor statement and enter the correct neighbor address in the neighbor command (change 209.56.200.226 to 209.65.200.226)

Correction in problem statement:-
In the above ticket, R1 and all others are able to ping 209.65.200.226, but not the Web Server. This is because R1 is directly connected to 209.65.200.226, and BGP is not required in order to ping a directly connected network. As soon as R1 knows about the 209.65.200.224 network, all other devices are also able to ping 209.65.200.226, since they come to R1 for any unknown route because of the default route propagated through R1's OSPF (using the 'default-information originate always' command). However, the Web Server is not accessible until BGP is configured properly between R1 and the ISP (209.65.200.226), because only then will R1 receive the information about the Web Server's network.
Following are the symptoms of above ticket:-

1- No one is able to ping Web Server.
2- Client 1 and all others can ping up to 209.65.200.226.
3- ‘sh ip route BGP’, you will not see any BGP route.
4- ‘sh ip bgp neighbor’ on R1, you will not see any active BGP neighbor.

Ticket 4

Client is not able to ping the web server, but the routers can ping the server. NAT problem. (use ipv4 Layer 3)
problem on R1 Nat acl

Answer: add to acl 1 permit ip 10.2.1.0 0.0.0.255

Ans1) R1
Ans2) IP NAT
Ans3) under NAT access list, enter the command permit 10.2.0.0 0.0.255.255

R4, R3, R2 can ping 209.65.200.241

Ticket 5

Client is not able to ping the server. Except for R1, no one else can ping the server. (use ipv4 Layer 3)

Problem: on R1, an ACL is blocking IP
acl something like this:
deny 10.2.1.0
deny 10.1.4.0
deny 10.1.1.0

Answer: add permit 209.65.200.241 command to R1's ACL

Ans1) R1
Ans2) IPv4 Layer3 Security
Ans3) Add permit 209.65.200.224 0.0.0.3 to R1's ACL

Even R1 also would not be able to ping the web server or ISP (209.65.200.226), since the explicit deny of this ACL will not allow a reply to come back in to R1 (since this ACL is applied in the 'in' direction) from outside until a permit entry is included in the ACL. This will also cause the BGP neighbor relationship to go down.
You will see one permit entry for the web server only, which is not enough. You will see the contents of this ACL as below.

ip access-list extended edge_security
permit ip host 209.65.200.241 any
deny ip 10.2.0.0 0.0.255.255 any
deny ip 10.1.0.0 0.0.255.255 any
deny ip host 127.0.0.1 any

That's why an entry of 'permit 209.65.200.224 0.0.0.3 any' is required to solve this problem. And by the way, the entries for the 10.x.x.x networks neither have any effect nor are required in this ACL; they put these in only to confuse the candidates.

R4, R3, R2 can not ping 209.65.200.226
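
The edge_security list from Ticket 5 can be evaluated entry by entry to see where each inbound source lands. The following is an added example, not part of the original notes: a first-match evaluator with wildcard-mask matching, run over the ACL as listed and again with the missing entry appended. The function names and the three test sources are constructed for illustration, and the added entry is written with the "ip" keyword to match the extended-ACL form of the other lines.

```python
import ipaddress

# ACL contents as listed in Ticket 5; only the source field is evaluated
# because every entry uses "any" as the destination.
EDGE_SECURITY = """\
permit ip host 209.65.200.241 any
deny ip 10.2.0.0 0.0.255.255 any
deny ip 10.1.0.0 0.0.255.255 any
deny ip host 127.0.0.1 any
"""
FIX = "permit ip 209.65.200.224 0.0.0.3 any\n"   # entry the ticket says is missing

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def parse_acl(text):
    """Parse 'action ip <source> any' lines into (action, base, wildcard, line)."""
    entries = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        action, _proto, *rest = line.split()
        if rest[0] == "host":
            base, wild = to_int(rest[1]), 0
        elif rest[0] == "any":
            base, wild = 0, 0xFFFFFFFF
        else:
            base, wild = to_int(rest[0]), to_int(rest[1])
        entries.append((action, base, wild, line))
    return entries

def evaluate(entries, src):
    """First match wins; falling off the end of the list is the implicit deny."""
    addr = to_int(src)
    for action, base, wild, line in entries:
        # Wildcard bits set to 1 are ignored; every other bit must be equal.
        if (addr ^ base) & ~wild & 0xFFFFFFFF == 0:
            return action, line
    return "deny", "implicit deny"

def inbound_report(acl_text):
    """Verdict for each constructed test source arriving inbound on R1."""
    entries = parse_acl(acl_text)
    sources = ["209.65.200.241", "209.65.200.226", "10.2.1.3"]
    return {s: evaluate(entries, s) for s in sources}

if __name__ == "__main__":
    for label, acl in (("before", EDGE_SECURITY), ("after", EDGE_SECURITY + FIX)):
        for src, (action, line) in inbound_report(acl).items():
            print(f"{label:6} {src:15} {action:6} <- {line}")
```

With the ACL as listed, traffic sourced from 209.65.200.226 matches no entry and is dropped at the end of the list; with the extra entry appended it is permitted, and the verdicts for the other sources do not change.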

Ticket 6

Client 1 is not able to ping the server. Unable to ping DSW1(Use L2 Diagram).

Vlan Access map is applied on DSW1 blocking the ip address of client 10.2.1.3

Ans1) DSW1
Ans2) Vlan access map
Ans3)No vlan filter 10

Symptoms of this ticket.
1- Client 1 is getting the correct IP address from DHCP (i.e 10.2.1.3)
2- But Client 1 is unable to ping DSW1.
3- Client 1 is unable to ping FTP Server (10.2.2.10)

Ticket 7

Client 1 is not able to ping the server
Situation: Unable to ping DSW1 (Use Layer 2).
On ASW1, port security with MAC 0000.0000.0001; the interface is in err-disable state

Answer: on ASW1, delete port security and do shutdown, no shutdown on the interfaces

Ans1)ASW1
Ans2)Port security
Ans3)On fa1/0/1 and fa1/0/2 do disable port security and do shut, no shut.

Symptoms for this ticket:-

1- Client 1 is getting 169.x.x.x ip address
2- Client 1 is unable to ping Client 2 as well as DSW1.
3- 'sh interfaces fa1/0/1' will show the following message in the first line:
'FastEthernet1/0/1 is down, line protocol is down (err-disabled)'
4- 'sh running-config', you will see 'switchport port-security mac-address 0000.0000.0001' configured under fa1/0/1.

Ticket 8

Client 1 is not able to ping the server
Situation: Unable to ping DSW1 & in port channel configuration of ASW1 vlan 10 is not allowed. (Use L2 Diagram)
On ASW1, on interfaces fa0/1, fa0/2 switchport access vlan 1

Answer: on ASW1 change switchport access vlan 1 to switchport access vlan 10

Ans1)ASW1
Ans2)Access vlan
Ans3)give command: interface range fa1/0/1-/2 switchport access vlan 10

Kindly correct the situation in the above ticket. Because you have mentioned situation of another ticket and solution of another. The correct situation is:-

Situation: Clients are unable to ping DSW1, because their access ports aren’t configured for VLAN 10 on ASW1 (both ports are in the default VLAN1).

Symptoms:-
1- Clients are getting a 169.x.x.x IP address.
2- Client 1 can ping Client 2 and vice versa.
3- 'sh running-config' command will not display 'switchport access vlan 10' under the interfaces fa1/0/1 and fa1/0/2.

Ticket 9

Can't ping the web server 209.65.200.241
Situation: Unable to ping DSW1 & in port channel configuration of ASW1 vlan 10 is not allowed. (Use L2 Diagram) The question was about EtherChannel
client can't obtain an IP address (169.x.x.x)
on ASW1 trunks allow vlan 20,200

Answer: on port channel 23 give switchport trunk allowed vlan 10,200

Ans1)ASW1
Ans2)Switch to switch connectivity
Ans3)on port channel 23 give switchport trunk allowed vlan 10,200

Symptoms of above ticket:-
1- Client 1 is getting 169.x.x.x ip address.
2- Client 1 can ping Client 2 and vice versa.
3- ‘sh interfaces trunk’ you will not see vlan 10 in PO13 and PO23 under allowed Vlans on trunk

Ticket 10

Client 1 is not able to ping the server
Situation: Unable to ping R4 fast ethernet port from dsw1.

Check ip eigrp neighbors from DSW1 you will not see R4 as neighbor.(use ipv4 Layer 3)

On DSW1 & DSW2 the EIGRP AS number is 10 (router eigrp 10) but on R4 it is 1 (router eigrp 1)

Answer: change router AS on R4 from 1 to 10

Ans1) R4
Ans2) IPv4 EIGRP
Ans3) Change eigrp AS number from 1 to 10

Kindly correct the above situation as per following:-
DSW1 is still able to ping R4's Fast Ethernet interface, because this interface is directly connected to DSW1, so no matter whether EIGRP is configured correctly or not, DSW1 can ping the fa0/0 interface (10.1.4.5). However, clients and DSW1 will not be able to ping R4's S0/0/0.34 interface (10.1.1.10), because EIGRP must work properly to reach that side. Following are the symptoms for above ticket:-

1- Clients and DSW1 are unable to ping R4's S0/0/0.34 interface
2- Clients and DSW1 can ping up to R4's Fa0/0 interface.
3- ‘sh ip eigrp neighbor’ on DSW1 you will not see R4 as neighbor.
4- ‘sh ip route’ on DSW1 you will not see any 10.x.x.x network route.

Ticket 11

Client 1 is not able to ping the server
Situation: Unable to ping serial interface of R4 from the clients.

On R4 in router eigrp:
redistribute ospf 1 route-map EIGRP_to_OSPF

BUT route-map was named:
route-map EIGRP->OSPF

Answer: change the route-map name in router eigrp

Ans1) R4
Ans2) route redistribution
Ans3) change the name of the route-map under the router EIGRP or router OSPF process from 'to' to '->'.

Ticket 12

IPV6 loopback of R2 cannot be pinged from DSW1’s loopback.
Situation: ipv6 ospf was not enabled on R2’s serial interface connecting to R3. (use ipv6 Layer 3)

Answer:
interface configuration mode:
ipv6 ospf 6 area 12

Ans1) R2
Ans2) IPV6 ospf
Ans3) on the serial interface of R2, enter the command ipv6 ospf 6 area 0 (make sure to check the IPV6 topology before choose Answer 3 because the options look similar)

Kindly update the question statement. The above mentioned not as per the exam. Although the problem lies in R2 but they asked question for R1.

Question: IPv6 loopback cannot ping the IPv6 loopback of DSW2.
Situation:- R2 can’t establish neighborship relation with R3 because it does not have any interfaces enabled in Area 0.

Symptoms:-
1- IPv6 ping from R1 to DSW1's loopback will time out
2- IPv6 ping from R2 to DSW1's loopback will time out
3- You will not see R3 as neighbor on R2 by entering the 'ipv6 ospf neighbor' command
4- By entering the command 'sh run' you will not see the 'ipv6 ospf 6 area 0' command under the interface S0/0/0.23 on R2.

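TT summary in table form: (in Word, use the Web layout view to see the complete table)

TT problem summary

Device

Error description

Answer description

Basis for judgment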

ASW1

Port Security

Ans1)ASW1
Ans2)Port security
Ans3)On fa1/0/1 and fa1/0/2 do disable port security and do shut, no shut

1. ping client2 fails
2. On ASW1, 'sh interfaces fa1/0/1' shows FastEthernet1/0/1 is down, line protocol is down (err-disabled)
3. ASW1's configuration contains switchport port-security mac-address 0000.0000.0001

VLAN ACCESS vlan10

Ans1)ASW1
Ans2)Access vlan
Ans3)give command: interface range fa1/0/1-/2 switchport access vlan 10

1. ping DSW1 fails; the client did not get a correct IP address
2. The client's port is not configured with switchport access vlan 10

VLAN TRUNK

Ans1)ASW1
Ans2)Switch to switch connectivity
Ans3)on port channel 13, 23 give switchport trunk allowed vlan 10,200

1. ping DSW1 fails; the client did not get a correct IP address
2. On ASW1, 'sh interfaces trunk' does not show vlan 10 in the allowed VLANs of PO13 and PO23

DSW1

HSRP Track

Ans1) DSW1
Ans2) HSRP
Ans3) delete the command with track 1 and enter the command with track 10

Problem: DSW1 does not become active.
Then check whether DSW1 has standby 10 track 1

VLAN Filter

Ans1) DSW1
Ans2) Vlan ACL/ Port ACL
Ans3) No vlan filter 10
Note: the exam has a bug; Ans1 may need to be ASW1

1. client ping to DSW1 fails; the client did get an IP address
2. client ping to the FTP server fails
3. On DSW1 you see vlan filter test1 vlan-list 10

R4

EIGRP AS

Ans1) R4
Ans2) IPV4 EIGRP
Ans3) Change eigrp AS number from 1 to 10

1. ping to R4's serial interface fails
2. On DSW1, sh ip eigrp neighbor does not show R4
3. On DSW1, sh ip route does not show 10.*.*.*
4. Check the EIGRP configuration on R4

EIGRP Redistribute

Ans1) R4
Ans2) route redistribution
Ans3) change the name of the route-map under the router EIGRP or router OSPF process from 'to' to '->'

1. ping to R4's serial interface fails
2. On R4 you see redistribute ospf 1 route-map EIGRP_to_OSPF

R2&R3

IP v6

Ans1) R2
Ans2) IPV6 ospf
Ans3) on the serial interface of R2, enter the command ipv6 ospf 6 area 0

1. The problem is: IPV6 loopback of R2 cannot be pinged from DSW1’s loopback
2. On R2, check whether ipv6 ospf 6 area 0 is present

R1

OSPF Authentication

Ans1) R1
Ans2) ipv4 OSPF
Ans3) ip ospf authentication message-digest command must be given on s0/0/0

1. ping to R1's internal interface fails
3. R2) ip ospf authentication message digest
4. R1 does not have it

BGP Neighbor

Ans1) R1
Ans2) BGP
Ans3) delete the wrong neighbor statement and enter the correct neighbor address in the neighbor command (change 209.56.200.226 to 209.65.200.226)

1. ping ISP fails
2. On R1, look for neighbor 209.56.200.226 remote-as 65002 or network 209.56.200.0 mask 0.0.0.255

NAT ACL

Ans1) R1
Ans2) IP NAT
Ans3) under NAT access list, enter the command permit 10.2.0.0 0.0.255.255

1. ping ISP fails
2. Then check whether R1's NAT access list contains 10.2.0.0

R1 ACL

Ans1) R1
Ans2) IPv4 Layer3 Security
Ans3) Add permit 209.65.200.224 0.0.0.3 to R1's ACL

1. ping ISP fails
2. Check whether R1's extended access list is missing permit 209.65.200.224 0.0.0.3 any

R3

The TUNNEL is misconfigured: on R3, the tunnel source is configured incorrectly

OSPF

IPV4 ospf / the advertised 10.1.1.0 network

Finally, for everyday practice you can use PT: it can simulate 9 of the 12 troubleshooting tickets in the exam.

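I have also prepared the corresponding PKT files (the troubleshooting lab environment).

There are 9 TTs here and 3 that are not simulated: one is HSRP, one is VACL, and one is route redistribution. Because some commands cannot be entered in PT, these 3 are not included; I suggest simply memorizing them.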
