CCIE Lab Test Lab133
Lab8 update
IP address is 133.YY.0.0/16, where YY is your rack number.
Section 1: bridging and switching (17 points)
1. frame-relay setup: (3 points)
frame-relay with full mesh, and only the pvcs marked in the topology can be used. R5 can use two subinterfaces, one to r2 and r3, one to r4. Subinterfaces can't be used on the other routers.
Note: remember to configure no frame inverse-arp
2. cat3550 switch setup: (3 points)
VLAN_A | 2 | R2-e0 | Sw1-f0/2
VLAN_A | 2 | R3-e0 | Sw1-f0/3
VLAN_B | 5 | R5-e0 | Sw1-f0/5
VLAN_C | 6 | R6-e1 | Sw1-f0/6
VLAN_BB1 | 11 | R1-e0 | Sw1-f0/1
VLAN_BB1 | 11 | BB1-e0 | Sw1-f0/10
VLAN_BB2 | 12 | R4-e0 | Sw1-f0/4
VLAN_BB2 | 12 | BB2-e0 | Sw2-f0/10
3. trunk: (2 points) sw1-sw2, f0/23 and f0/24, trunk dot1q, negotiation is not allowed.
Sw1:
Int range f0/23 - 24
Sw trunk encapsulation dot1q
Sw mode trunk
Sw nonegotiate
4. pagp: (2 points) config sw1 and sw2 f0/23, f0/24 as one logical port. Stp must be forwarding on all of the interfaces. Vtp must continue to transit between sw1 and sw2.
Sw1 & sw2
Int range f0/23 - 24
Channel-group 1 mode desirable no-silent
5. vtp: (2 points) config sw1 vtp mode server and sw2 mode client. And the vtp domain is VTP+YY.
Sw1:
Vtp mode server
Vtp domain VTP03
Sw2:
Vtp mode client
Vtp domain VTP03
6. voice vlan: an ip phone 7960 connects to sw1 f0/7; voice is required on voice vlan 200 and data on VLAN_A. A PC connects to the phone. The phone supports 802.1Q. voice vlan 200 name VOICE.
sw1:
mls qos ! enable qos for the entire switch
vlan 200 name voice
int f0/7
mls qos trust cos ! classify ingress packets by their cos values; for untagged packets, use the port default cos value
sw voice vlan 200 ! instruct the cisco ip phone to forward all voice traffic through the specified vlan; by default, the cisco ip phone forwards voice traffic with an 802.1Q priority of 5
sw acc vlan 2
7. atm: (2 points) r6 has atm3/0 with ip address 192.4.yy.1/24. Use PPP over ATM. The other end ip address is 192.4.yy.254 with vpi 0. pvc number is 400+yy. From your routers, you can ping the interface.
R6:
Section 2: IGP (28 points) after finished, all of the interfaces will be displayed on all the routers.
1. ospf: (11 or 12 points)
a) r2/r3/r5 frame relay and isdn interface in area 0. r5 can use two subinterfaces. All other routers can’t use subinterface. Not use “ip ospf network point-to-multipoint” and “ip ospf network broadcast” on all of the routers. R2 and r3 ethernet in area 3. r5 and r6 serial link in area 5 and VLAN_C in area 6. sw1 in VLAN_A and sw2 in VLAN_C. area 6 will only have intra and internal routes and sw2 will access others network vice versa. (5 points)
Use the neighbor command on r5.
Put r2's lo0 in area 3.
On r5: area 5 virtual-link 133.3.6.6
On r6: area 5 virtual-link 133.3.5.5
r6:
router ospf 3
area 5 virtual-link 133.3.5.5
area 6 stub
sw2:
router ospf 3
network 133.3.8.8 0.0.0.0 area 6
area 6 stub
sw1:
router ospf 3
network 133.3.7.7 0.0.0.0 area 3
network 133.3.23.7 0.0.0.0 area 3
b) ospf authentication: (3 points) r2 manager worry about the security of frame-relay network between r3 and r5. hope use most available authentication method.
Configure MD5 authentication on the interfaces of r2, r3 and r5.
Int s0
Ip ospf authentication message-digest
Ip ospf message-digest-key 1 md5 cisco
c) Modify the ospf cost so that a gigabit link has a cost of 5. (3 points) The cost of the other interfaces changes proportionally.
On all ospf routers and switches:
router ospf 3
auto-cost reference-bandwidth 5000
2. rip (5 points)
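config ripv2 on r1 to bb1. r1 receives multiple routes from bb1, 199.172.z.0 (199.172.1.0-199.172.14.0). Filter so that only the even routes enter your network, and distribute these routes to the other routers through eigrp. You may advertise only 133.yy.0.0 to bb1.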
R1:
Router rip
Ver 2
Network 150.100.0.0
Redistribute eigrp 3 metric 3
Distribute-list 1 in e0
Distribute-list 2 out e0
Access-list 1 permit 199.172.0.0 0.0.254.0
Access-list 2 permit 133.3.0.0
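The inbound filter above depends on how a wildcard mask selects routes, so here is an added check (not part of the original notes) that evaluates access-list 1 against the 199.172.1.0-199.172.14.0 range from the task and also reports what else in 199.172.0.0/16 the same entry would admit. The function names are hypothetical.

```python
import ipaddress

def acl_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco standard-ACL match: bits set in the wildcard are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def permitted(routes, base, wildcard):
    """Routes from the list that the ACL entry lets through."""
    return [r for r in routes if acl_match(r, base, wildcard)]

# Routes BB1 advertises according to the task: 199.172.1.0 - 199.172.14.0
BB1_ROUTES = [f"199.172.{z}.0" for z in range(1, 15)]

def audit(base="199.172.0.0", wildcard="0.0.254.0"):
    """Return (task routes permitted, other 199.172.z.0 routes also permitted)."""
    passed = permitted(BB1_ROUTES, base, wildcard)
    extra = [f"199.172.{z}.0" for z in range(256)
             if f"199.172.{z}.0" not in BB1_ROUTES
             and acl_match(f"199.172.{z}.0", base, wildcard)]
    return passed, extra

if __name__ == "__main__":
    passed, extra = audit()
    print("permitted from BB1:", passed)
    print("also permitted if ever advertised:", len(extra), "routes")
```

Calling `audit("199.172.0.0", "0.0.14.0")` permits the same seven even routes and leaves 199.172.0.0 as the only additional match.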
3. is-is (4 points)
is-is should run on the frame relay between r4 and r5. VLAN_B, r4 and r5 with level2 net 47.0001. e0/0 on r4 is not part of
R4:
Int s0/0
Ip router
Clns router
Frame map clns 405 b
Router
Passive-interface loop0 ! loop0 needs to be redistributed into the protocol
Redistribute connect route-map
Net 47.0001.0000.0000.0004.00
Match interface e0/0
R5:
Int s0/0.2
Ip router
Clns router
Frame map clns 504 b
Router
Net 47.0001.0000.0000.0005.00
Redistribute ospf 3 metric 20
Router ospf 3
Redistribute
Redistribute connected metric 200 subnets route-map
Match int s0/0.2 e0
4. eigrp (6 points)
a) the only interfaces that send eigrp updates are the serial interfaces between r1 and r2. as number is your rack number. (2 points). r1 redistributes rip and eigrp bidirectionally. R2 redistributes eigrp and ospf bidirectionally. Loopback0 must be put into eigrp.
R1:
Router eigrp 3
No auto-summary
Redistribute rip
Default-metric 10000 100 255 1 1500
b) Add 4 loopback interfaces on r1: loop1 151.100.32.1/24; loop2 151.100.33.1/24; loop3 151.100.34.1/24; loop4 151.100.35.1/24, and summarize the four loopback interfaces into one route. A 16-bit summary is not allowed; make sure the summarized route has a metric of 100 on all ospf routers. (3 points)
r1:
int s0
ip summary-address eigrp 3 151.100.32.0 255.255.252.0
router eigrp 3
network 151.100.32.0 0.0.3.255
no auto-summary
r2:
router ospf 3
redistribute eigrp 3 subnets metric 100
router eigrp 3
redistribute ospf 3
default-metric 10000 100 255 1 1500
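c) r1 loop0 should be redistributed throughout the network by eigrp. (1 point)
There are two ways to distribute r1's loop0: advertise it with network under eigrp, or use redistribute connected. I think it should be advertised with network, followed by passive-interface loopback0 so that eigrp packets do not appear on lo0. There is also no need to redistribute it into rip, because rip learns the loopback0 route from the eigrp redistribution.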
R1:
Router eigrp 3
Network 133.3.1.0 0.0.0.255
5. atm interface (2 points)
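All routers in your network must be able to ping the atm interface 192.4.yy.1/24 and 192.4.yy.254, but you can't use any network command.
This is how I did my ATM, but it's probably wrong.
R6:
Int virtual-template 1
Ip address 192.4.3.1 255.255.255.0 ! it seems PPP encapsulation doesn't need to be written here: I didn't add it, and show on this virtual interface still reported PPP. Strangely, the interface status was down/down, yet ping worked.
Int atm3/0
Pvc 0/403
encapsulation aal5ciscoppp virtual-template 1
Protocol ip 192.4.3.1
No protocol ip inarp ! I forgot to add this line, but the task doesn't seem to specifically require it either
Router ospf 3
Redistribute connected metric 60 subnets route-map atm_to_ospf ! redistribute the ATM interface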
Route-map atm_to_ospf permit 10
Match int atm3/0
6. loopback interface (2 points)
all the loopback interfaces (except r1) should be put into a routing protocol. They must appear in the routing table.
Section 3: dial (8 points)
1. basic configuration (2 points) r5 and r3 can ping each other. Use chap authentication and interesting flow are all the ip packets. Don’t use multilink.
2. To save money, if R3 calls R5, R5 must hang up the call and call R3 back.
3. route control (3 points) when r5 and r3 frame relay down. R5 and r3 still have the full routes, even when r3’s s0 and Ethernet interface down. When it has better path to reach topology, let isdn down. Don’t use backup interface.
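Note: the isdn switch type is the one given on the rack. The phone number is the number given for the remote side to dial. SPIDs were provided in the exam; they are the same as the phone numbers.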
R5:
Isdn switch-type basic-net3
Username r3 pass cisco
Int bri 0
En ppp
Ip addr 133.3.35.5 255.255.255.252
Dialer map ip 133.3.35.6 name r3 class CALLBACK broadcast 7040703
Dialer-group 1
Ppp callback accept
Ppp authentication chap
No peer neighbor-route
Ip ospf demand-circuit
Map-class CALLBACK
dialer callback-server username
Dialer-list 1 protocol ip permit
R3:
Isdn switch-type basic-net3
Username r5 pass cisco
Int bri 0
En ppp
Ip addr 133.3.35.6 255.255.255.252
Dialer map ip 133.3.35.5 name r5 broadcast 7040703
Dialer-group 1
Ppp callback request
Ppp authentication chap
No cdp enable ! I don't think this line needs to be added; without it, ISDN still won't be brought up because of it
No peer neighbor-route
Dialer-list 1 protocol ip permit
Doing it this way only got me 67%.
Section 4: bgp (14 points)
1. ebgp (3 points) r1 connects with bb1 ip address 150.100.1.254 (as254), r4 connects with bb2 ip 150.100.2.254 (as254). Config r4 so that routes learned from as254 have a weight of 1000.
R1:
Router bgp 3
No syn ! I don't think this needs to be added
No auto-summary ! I have doubts about this one too
Bgp router-id 133.3.1.1
Neighbor 150.100.1.254 remote-as 254
R4:
Router bgp 3
No syn ! I don't think this needs to be added
No auto-summary ! I have doubts about this one too
Bgp router-id 133.3.4.4
Neighbor 150.100.2.254 remote-as 254
Neighbor 150.100.2.254 weight 1000
2. ibgp (4 points)
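For manageability, scalability and redundancy, configure the ibgp network on all ibgp routers with the least configuration. All ibgp routes should be learned from r5, and the loopback0 of r1 and r5 are added into ibgp. As long as a path exists, ibgp must not go down.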
R5:
Router bgp 3
Network 133.3.5.0 mask 255.255.255.0
Nei ipeer peer-group
Nei ipeer remote-as 3
Nei ipeer update-source loop0
Nei ipeer route-reflector-client
Nei 133.3.1.1 peer-group ipeer
Nei 133.3.4.4 peer-group ipeer
R1:
Router bgp 3
Network 133.3.1.0 mask 255.255.255.0
Nei ipeer peer-group
Nei ipeer remote-as 3
Nei ipeer update-source loop0
Nei 133.3.5.5 peer-group ipeer
R4:
Router bgp 3
Nei ipeer peer-group
Nei ipeer remote-as 3
Nei ipeer update-source loop0
Nei 133.3.5.5 peer-group ipeer
3. r4 loopback (3 points)
there is a loopback1 in r5 with ip addr 200.200.yy.yy/24. Advertise this route to the ibgp neighbors, but the ibgp neighbors must not advertise it any further outside the AS. As-path control may not be used.
R5:
Int loop1
Ip addr 200.200.3.3 255.255.255.0
Router bgp 3
Network 200.200.3.0
Nei ipeer route-map NOEXPORT out
Nei ipeer send-community
!
Route-map NOEXPORT permit 10
Match ip address prefix-list 1
Set community no-export
Route-map NOEXPORT permit 20
!
Ip prefix-list 1 seq 5 permit 200.200.3.0/24
4. R5 loopback transit control (4 points)
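Configure r1 and r4 so that traffic from as254 to r1's loopback0 chooses r1, and traffic to r5's loopback0 chooses r4. If either the r1 or the r4 link goes down, as254 can still reach both loopbacks. Advertise only these two loopback addresses to as254, even if the network is expanded in the future.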
R4:
Router bgp 3
Nei 150.100.2.254 route-map SELECT out
Access-list 1 permit 133.3.1.0
Access-list 5 permit 133.3.5.0
Route-map SELECT permit 10
Match ip address 1
Set metric 200
Route-map SELECT permit 20
Match ip address 5
Set metric 100
R1:
Router bgp 3
Nei 150.100.1.254 route-map SELECT out
Access-list 1 permit 133.3.1.0
Access-list 5 permit 133.3.5.0
Route-map SELECT permit 10
Match ip address 1
Set metric 100
Route-map SELECT permit 20
Match ip address 5
Set metric 200
Section 5: security (9 points)
1. mac security (3 points)
On sw1 f0/15, apply a mac access list that denies frames with Ethernet type 6000.
Sw1:
Mac access-list extended BLOCK_ETH6000
Deny any any etype-6000
Permit any any
Int f0/15
Sw mode access ! check whether the task says a host is connected; if it doesn't, don't add this line
Mac access-group BLOCK_ETH6000 in
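2. Configure 802.1X port authentication on sw1 f0/8 (I think it was this port) with the fewest AAA statements, using Radius; no Radius parameters were given. The port should normally be in the unauthenticated state and should authenticate when the port goes down and up.
SW1:
Aaa new-model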
Aaa authentication dot1x default group radius
Int f0/8
Dot1x port-control auto
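3. Reflexive Access Lists. Between R1 and BB1, BGP, RIP and ICMP packets must be allowed. The inside of our network can communicate with the outside using udp and tcp traffic, but the traffic must be initiated from the inside.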
R1:
Ip access-list extended outbound
Permit icmp any any
Permit udp any any reflect traffic
Permit tcp any any reflect traffic
Ip access-list extended inbound
Permit tcp any any eq bgp
Permit tcp any eq bgp any
Permit udp any eq rip any eq rip
Permit icmp any any
evaluate traffic
Not necessarily right.
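To show what the `reflect traffic` / `evaluate traffic` pair in the lists above is meant to achieve, here is an added toy model (not part of the original notes and not IOS code) of the two lists on R1's link to BB1. Entry timeouts and the fact that IOS does not reflect router-originated packets are left out; the inside host 133.3.1.10 and R1 address 150.100.1.1 are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int

BGP, RIP = 179, 520

class ReflexiveFilter:
    """Toy model of the outbound/inbound lists on R1's link to BB1."""
    def __init__(self):
        self.traffic = set()   # temporary entries of the reflexive list "traffic"

    def outbound(self, p: Pkt) -> bool:
        if p.proto == "icmp":
            return True                       # permit icmp any any
        if p.proto in ("udp", "tcp"):         # permit ... reflect traffic
            # The mirrored entry swaps source and destination address and port
            self.traffic.add((p.proto, p.dst, p.dport, p.src, p.sport))
            return True
        return False                          # implicit deny

    def inbound(self, p: Pkt) -> bool:
        if p.proto == "tcp" and BGP in (p.sport, p.dport):
            return True                       # the two "eq bgp" entries
        if p.proto == "udp" and p.sport == RIP and p.dport == RIP:
            return True                       # permit udp any eq rip any eq rip
        if p.proto == "icmp":
            return True                       # permit icmp any any
        # evaluate traffic: only returns of flows first seen going out
        return (p.proto, p.src, p.sport, p.dst, p.dport) in self.traffic

def demo():
    f = ReflexiveFilter()
    inside, outside = "133.3.1.10", "150.100.1.240"   # constructed sample hosts
    probe = Pkt("tcp", outside, 40000, inside, 23)    # unsolicited, from outside
    before = f.inbound(probe)
    f.outbound(Pkt("tcp", inside, 1025, outside, 80)) # inside opens a session
    reply = f.inbound(Pkt("tcp", outside, 80, inside, 1025))
    bgp = f.inbound(Pkt("tcp", "150.100.1.254", 179, "150.100.1.1", 11000))
    return before, reply, bgp, f.inbound(probe)

if __name__ == "__main__":
    print(demo())
```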
Section 6: ios feature (6 points)
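1. SNMP (4 points) Configure SNMP on R5. 150.100.100.100 is given as the SNMP server; for security reasons only this server is allowed to perform SNMP operations on R5. The community string is "CiscoWorks" and read-write access is required. R5 sends only BGP traps, and the management host is allowed to reboot R5. The community string must be sent along with the traps.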
R5:
Access-list 10 permit 150.100.100.100
snmp-server community CiscoWorks ro 10
snmp-server enable traps bgp
snmp-server system-shutdown
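I probably got no points on this one, so doing it this way is wrong.
2. TFTP: (2 point) Configure R5 so that it can provide the IOS image "c2600-ios-image" when the R3 IOS fails. No configuration at all is allowed on R3, including boot system and registra.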
R5:
tftp-server flash:c2600-ios-image
Not necessarily right.
Section 7: qos (7 points)
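1. Committed rate limit: computers inside the network need to run an application on a server on the BB1 side (address 150.100.1.240), using udp ports 5000~6000. Rate-limit this application: the base rate is 3Mbps, normal burst rate is 200Kbps, excess burst rate is 300Kbps. Traffic that conforms to this limit is transmitted with high priority; for traffic that does not conform, set the packet precedence to normal and forward it best-effort. For all other data, the base rate is 800K, normal burst rate is 100Kbps, normal burst rate is 150Kbps. These packets have normal precedence and must be dropped if they exceed BE.
2. RTP: Enable RTP header compression on the frame relay between R5 and R6. All VCs must have compression, but compression is enabled only when incoming packets are compressed. TCP header compression is not needed.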
3. Voice vlan: (3 points)
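On sw1 f0/7 (voice vlan), after the port receives any packet, change its COS to 1. (Note that it doesn't say whether these are voice or other data packets; my understanding is all packets.)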
SW1:
Mls qos
Int f0/7
Sw priority extend cos 1
Mls qos cos 1
Mls qos cos override
Verify with sh mls qos int f0/7.
I got no points for my QOS, so you will have to work this out yourselves.
Section 8: multicast (6 points)
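1. Use pim sparse mode on r4 e0/0 s0/0, r5 VLAN_B s0/0, r2 s0/0. On r4, use igmp to join groups 239.255.4.4, 239.255.8.8 and 239.255.12.12, but this may not be done on e0/0. Statically set the rp address to the address of r2's s0/0 interface. All three routers must be able to ping these three addresses. R2 acts as rp only for 239.255.0.0 to 239.255.255.255.
2. Now 239.255.4.4 must not use r2 as rp, but all three routers must still be able to ping the three addresses.
I got no points for my Multicast, so you will have to work this out yourselves.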
section 9: multiservice (6 points)
1. There is a number 3002 at the remote atm end, possibly connected to a fax machine, so the rate needs to be limited.
R6:
Dial-peer voice 1 pots
Destination-pattern 4030
Port 2/0/0
Dial-peer voice 2 pots
Destination-pattern 4031
Port 2/0/1
Dial-peer voice 10 voip
Destination-pattern 3002
Session target ipv4:192.1.3.254
Fax-rate 9600
2. In VOICE, the default configuration includes a background-noise elimination feature; this feature must now be removed.
Voice-port 2/0/0
No comfort-noise
Voice-port 2/0/1
No comfort-noise