Switching
Do not send DTP frames across this interface: switchport nonegotiate
Traffic for VLANs not locally assigned to a switch should not be received over any trunk links: vtp pruning
SW1 should not trunk VLANs 7, 77, and 777 with SW3 and SW4:
interface range Fa0/16,Fa0/19
Multicast address allocation:
- 224.0.0.0 to 224.0.0.255 are reserved by IANA for network protocols. For example: 224.0.0.1: all-hosts group, 224.0.0.2: all-multicast-routers group, 224.0.0.3: all-DVMRP-routers group, 224.0.0.5: all-OSPF-routers group. Multicast packets in this range are never forwarded off the local network, and the TTL of the packet is not considered.
- Addresses 239.0.0.0 to 239.255.255.255 are administratively scoped multicast addresses, reserved for private internal domains (like 192.168.x.x).
- 224.0.1.0 to 238.255.255.255 can be used on the Internet.
Interface traffic filtering:
- IP: ip access-group ACL
- IPv6: ipv6 traffic-filter ACL
Permit ICMP echo requests and replies: match echo in the in direction and echo-reply in the out direction.
Permit BGP: two entries are needed:
permit tcp any any eq bgp
permit tcp any eq bgp any
Permit DNS lookups and zone transfers: DNS needs entries for both ports (TCP and UDP):
permit tcp any any eq domain
permit udp any any eq domain
Because a reflexive ACL does not create entries for locally originated traffic, entries must be added locally so that the peer's replies to ping and telnet packets sent from this router can return:
ip access-list extended IN_ACL
permit icmp any any echo-reply
permit tcp any eq telnet any established
Hostname to IP address mapping:
- IPv4: ip host NAME IP_ADD
- IPv6: ipv6 host NAME IPv6_ADD
Rate Limiting:
Units: cir in bit/s, Bc in bytes
logging:
logging on // enables logging to all destinations
ACL log messages must include the MAC address or interface information: access-list 101 permit icmp any any log-input
R4 and R5 should include their hostname in the syslog messages. logging origin-id {hostname|ip|string}
Record keyboard input to the syslog server; if the server becomes unavailable, the router keeps up to 500 records locally:
archive
R3 should not generate a log when its interface Serial1/0 changes status, but should generate a log when a Frame Relay DLCI changes status:
interface Serial1/0
log messages should be time stamped with the current date and time, including the millisecond.
service timestamps log datetime msec
• In order to help track down this device in the future configure SW2 to notify the network management station at 187.X.3.100 whenever a new MAC address is learned in VLAN 28.
• The network management server will be expecting community-string to be CISCOTRAP.
interface FastEthernet0/24
• For further logging accuracy configure R6 to get network time from BB1.
• R6’s time zone should be set to Pacific time, and automatically adjust for daylight savings time.
• Additionally log messages sent to the syslog server should include R6’s local clock’s time to the millisecond.
service timestamps log datetime msec localtime show-timezone
A log message should only be generated once 10 access-list hits have been accumulated.
ip access-list log-update threshold 10
RMON (Remote Monitoring):
Configuration has two parts: rmon alarm and rmon event.
An rmon event generates either a log or a trap; logs go to the log server, traps go to the SNMP server.
Example:
- In order to help detect possible flood attacks in the future configure R2 to generate an SNMP trap when the interface input unicast packets (ifEntry.11.1) value rises more than 15000 per minute, and when the value falls back below 5000 per minute.
- The sampling interval should be every sixty seconds.
- When the 15000 threshold is breached an event should be generated that reads “Above 15000 for ifInUcastPkts”.
- When the value falls back to 5000 an event should be generated that reads “Below 5000 for ifInUcastPkts”.
- The server to send these SNMP traps to is 183.X.17.100.
- This server will be expecting the community string to be IETRAP.
rmon alarm 1 ifEntry.11.1 60 delta rising-threshold 15000 1 falling-threshold 5000 2
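The part of that alarm that is easy to get wrong is the hysteresis: a delta alarm fires on threshold crossings, and after a rising event no further rising event fires until the falling threshold has been crossed, so a sustained flood produces one "Above" event rather than a trap every minute. The Python model below is an added example (not from the notes) of that RFC 2819 behaviour, fed with a constructed sequence of ifInUcastPkts readings taken every 60 seconds.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class RmonAlarm:
    """Software model of 'rmon alarm N <oid> <interval> delta rising-threshold R <ev> falling-threshold F <ev>'.

    Each interval the absolute counter is read; the delta since the previous sample is
    compared with the thresholds.  Events fire on crossings only, with RFC 2819 hysteresis:
    after a rising event the alarm is re-armed for rising only once the falling
    threshold has been crossed, and vice versa.
    """
    rising: int
    falling: int
    rising_event: str
    falling_event: str
    last_sample: Optional[int] = None
    armed: str = "either"                      # 'either' at start-up, then 'rising' or 'falling'
    events: List[Tuple[int, str]] = field(default_factory=list)

    def sample(self, counter_value: int) -> Optional[str]:
        """Feed one absolute counter reading; return the event text fired, if any."""
        if self.last_sample is None:           # first sample only establishes the baseline
            self.last_sample = counter_value
            return None
        delta = counter_value - self.last_sample
        self.last_sample = counter_value
        fired = None
        if delta >= self.rising and self.armed in ("either", "rising"):
            fired = self.rising_event
            self.armed = "falling"              # no more rising events until we fall below F
        elif delta <= self.falling and self.armed in ("either", "falling"):
            fired = self.falling_event
            self.armed = "rising"
        if fired is not None:
            self.events.append((delta, fired))
        return fired


def run_samples(alarm: RmonAlarm, counter_values) -> List[Tuple[int, str]]:
    """Replay per-interval counter readings and return the (delta, event) pairs generated."""
    for value in counter_values:
        alarm.sample(value)
    return alarm.events


# Constructed ifInUcastPkts readings, one per 60-second interval.
SAMPLES = [0, 8_000, 25_000, 45_000, 49_000, 65_000, 67_000]


def lab_alarm() -> RmonAlarm:
    """The thresholds and event texts requested in the task above."""
    return RmonAlarm(15000, 5000,
                     "Above 15000 for ifInUcastPkts",
                     "Below 5000 for ifInUcastPkts")


if __name__ == "__main__":
    for delta, event in run_samples(lab_alarm(), SAMPLES):
        print(f"delta={delta:6d}  {event}")
```

Note that the 20000-packet interval in the sample produces no second trap: the alarm is still waiting for the falling threshold.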
NTP:
NTP authentication:
ntp authentication-key 1 md5 CISCO
• All devices in BGP AS 100 are physically located in Chicago, IL (CST -6), while all devices in BGP AS 200 are physically located in Reno, NV (PST -8).
• Configure these devices to reflect the appropriate time zone and daylight savings time configuration.
R1, R2, R3, SW1:
Traffic accounting:
* Filter so that packets with the translated address in question 3.1 are counted (YY.YY.4.254)
* Disable accounting for all other source addresses (i.e. only packets from the question 3.1 IP address are accounted; accounting for other source addresses is filtered out)
r6
interface Serial1/0
Your manager has expressed interest in finding out what kind of applications users in VLAN 6 are using while at the office. Configure R6 to collect information about application traffic being sent to and received from VLAN 6 and store it locally.
interface GigabitEthernet0/1
Packet compression on an interface:
HDLC: compress stac
PPP:
compress stac: Stacker is more CPU intensive but more forgiving on memory utilization.
compress predictor: Predictor is less CPU intensive but utilizes more memory.
Configure R4 and R5 to maximize efficiency on this link by guessing character streams in frames sent over the link.
interface Serial0/1
Frame Relay:
frame-relay map ip IP_addr 304 broadcast {rtp|tcp} header-compression
• Configure the Frame Relay connection between R3 and R4 to support RTP header compression.
• This compression should support up to 15 connections.
• R3 should only compress RTP headers if it is receiving RTP headers that are compressed.
• R3 should not perform RTP header compression with any other routers.
R3:
TCP header compression
• TCP traffic sent over the link between R1 and R3 should be subject to header compression.
• Allow for the maximum number of TCP sessions to be compressed over this link.
interface Serial1/0
BGP:
aggregate-address 148.1.0.0 255.255.128.0 summary-only
=======
aggregate-address 148.1.0.0 255.255.128.0 suppress-map SUPPRESS_MAP
!
route-map SUPPRESS_MAP permit 10
neighbor IBGP route-map fuck out
route-map fuck permit 100
set ip next-hop peer-address
======
neighbor IBGP next-hop-self // if the task forbids next-hop-self, the route-map method above can be used instead
neighbor 187.1.45.5 remove-private-as // strips private AS numbers when advertising routes outward
BGP COMMUNITY
Configure R6 to attach the community value 20YY:50 to all BGP prefixes that it advertises to external peers.
Ensure that the community value is propagated to all EBGP and IBGP speakers throughout your topology and to BB1 and BB2.
(Note: the requirement as recorded is incomplete; R6 had no routes being advertised out, but the method is the same; what matters is the exact requirement given at the time.)
r6
Configure your network so that if the Frame Relay circuit on R6 goes down the BGP peering session with BB1 is not declared down until a hello packet has not been heard for 30 seconds.
R6: by default, when the link goes down the BGP session is torn down immediately.
When using a route-map to add attributes to routes, remember to add an empty route-map entry at the end, so that routes without the attribute are still sent to the peer.
Configure AS 400 so that BB3 still thinks SW1 is in AS 100:
router bgp 400
Configure AS 400 so that it will not provide transit for traffic coming from AS 54 and its customers that is destined for AS 254 (AS 400 does not advertise routes originated in AS 254 to AS 54):
router bgp 400
Configure your network so these AS numbers do not leak out onto the rest of the network when AS 300 is advertising prefixes that have been originated in either AS 65001 or AS 65002.
router bgp 300
• To minimize the impact on the rest of the network configure R4 to add a penalty of 1000 to BGP prefixes each time a withdrawn message is received for them.
• R4 should stop advertising these unstable prefixes when their penalty value exceeds 3000.
• Once a stable prefix’s penalty falls below 1000 it should be reinstalled in the BGP table as an active prefix.
• Ensure that no stable prefix’s advertisement is withdrawn for more than 30 minutes.
router bgp 100 // can be set with a route-map or directly with bgp dampening; with bgp dampening alone, omitting the values uses the defaults, whereas with a route-map the defaults must be entered by hand: set dampening 15 750 2000 60
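The values the task asks for (a penalty of 1000 per withdrawal, suppression above 3000, reuse below 1000, never suppressed longer than 30 minutes) can be sanity-checked with a small simulation. This Python model is an added example, not from the notes: it implements the RFC 2439 style exponential decay with the penalty ceiling that enforces max-suppress (ceiling = reuse * 2^(max-suppress / half-life)), the constructor defaults are the IOS defaults quoted above, and the flap timings in the test are constructed.

```python
class DampenedPrefix:
    """Flap-dampening state for one BGP prefix, as IOS applies it.

    Defaults are the IOS defaults from the notes: half-life 15 min, reuse 750,
    suppress 2000, max-suppress 60 min.  The penalty decays by half every
    half-life and is capped so that a prefix can never stay suppressed longer
    than max-suppress: ceiling = reuse * 2 ** (max_suppress / half_life).
    """

    def __init__(self, half_life_min=15, reuse=750, suppress=2000,
                 max_suppress_min=60, penalty_per_flap=1000):
        self.half_life = half_life_min
        self.reuse = reuse
        self.suppress = suppress
        self.penalty_per_flap = penalty_per_flap
        self.ceiling = reuse * 2 ** (max_suppress_min / half_life_min)
        self.penalty = 0.0
        self.last_update = 0.0          # minutes
        self.suppressed = False

    def _decay_to(self, now_min: float) -> None:
        elapsed = now_min - self.last_update
        if elapsed > 0:
            self.penalty *= 0.5 ** (elapsed / self.half_life)
            self.last_update = now_min

    def withdraw(self, now_min: float) -> float:
        """A withdrawal (flap) is received at now_min; return the new penalty."""
        self._decay_to(now_min)
        self.penalty = min(self.penalty + self.penalty_per_flap, self.ceiling)
        if self.penalty > self.suppress:
            self.suppressed = True          # stop advertising the prefix
        return self.penalty

    def penalty_at(self, now_min: float) -> float:
        self._decay_to(now_min)
        return self.penalty

    def is_advertised(self, now_min: float) -> bool:
        """True if the prefix is (re)advertised at now_min."""
        self._decay_to(now_min)
        if self.suppressed and self.penalty < self.reuse:
            self.suppressed = False         # reinstalled as an active prefix
        return not self.suppressed


def lab_prefix() -> DampenedPrefix:
    """The values requested in the task above (half-life left at the 15 min default)."""
    return DampenedPrefix(half_life_min=15, reuse=1000, suppress=3000,
                          max_suppress_min=30, penalty_per_flap=1000)


if __name__ == "__main__":
    p = lab_prefix()
    for minute in range(4):                 # constructed: one withdrawal per minute
        print(f"t={minute:2d} penalty={p.withdraw(minute):7.1f} suppressed={p.suppressed}")
    for minute in (13, 23, 33):
        print(f"t={minute:2d} advertised={p.is_advertised(minute)} penalty={p.penalty:7.1f}")
```

With these values the ceiling is 1000 * 2^(30/15) = 4000, so even a prefix that flaps continuously decays back under the reuse limit within about 30 minutes of its last flap.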
• In order to more evenly distribute the traffic load configure your network so that all traffic from AS 100 destined for prefixes originated in AS 54 transits the link to BB1.
• In addition to this configure your network so that all traffic from AS 100 destined for prefixes that are from customers of AS 54 is sent out towards BB3.
• In the case that the link to BB1 is down traffic for prefixes that have been originated inside AS 54 should still be able to be rerouted to BB3.
• All of this configuration should be done on R6.
router bgp 100
 neighbor 54.1.7.254 route-map BB1 in
 neighbor 204.12.1.254 route-map BB3 in
!
ip as-path access-list 1 permit _54$
!
route-map BB1 permit 10
 match as-path 1
 set local-preference 200
!
route-map BB1 permit 20
!
route-map BB3 permit 10
 match as-path 1
!
route-map BB3 permit 20
 set local-preference 200
Network monitoring engineers in your NOC have reported that R6 is dangerously low on memory. You have determined that a large BGP table is consuming all of R6's memory. In order to reduce the amount of memory required by the BGP process configure R6 to only accept prefixes from BB1 that have been originated by themselves and their directly connected customers.
router bgp 100
 neighbor 54.1.3.254 filter-list 25 in
!
ip as-path access-list 25 permit ^54(_[0-9]+)?$
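Both of the last two tasks rest on IOS as-path regular expressions, where `_` matches the start or end of the path, a space, a comma, or an AS_SET/confederation brace or parenthesis, so `_54$` means "originated in AS 54" and `^54(_[0-9]+)?$` means "AS 54 itself or exactly one AS behind it". The Python below is an added example, not from the notes: it rewrites the IOS `_` into an equivalent Python regex, evaluates the two access-lists from the configurations above against sample paths, and reproduces the resulting local-preference and filter decisions. The AS paths in the test are constructed.

```python
import re
from typing import List

# IOS '_' matches: start of string, end of string, space, comma, or an AS_SET/confed delimiter.
_UNDERSCORE = r"(?:^|$|[ ,{}()])"


def ios_regex_to_python(pattern: str) -> str:
    """Translate an IOS as-path regex into a Python regex (only '_' needs rewriting)."""
    return pattern.replace("_", _UNDERSCORE)


def as_path_matches(pattern: str, as_path: List[int]) -> bool:
    """Evaluate 'ip as-path access-list ... permit <pattern>' against a path (leftmost = nearest AS)."""
    text = " ".join(str(asn) for asn in as_path)
    return re.search(ios_regex_to_python(pattern), text) is not None


# ip as-path access-list 1 permit _54$              -> prefixes originated in AS 54
# ip as-path access-list 25 permit ^54(_[0-9]+)?$   -> AS 54 itself or one directly attached customer
ORIGINATED_IN_54 = "_54$"
AS54_AND_DIRECT_CUSTOMERS = "^54(_[0-9]+)?$"


def local_preference(peer: str, as_path: List[int]) -> int:
    """Inbound policy from the BB1/BB3 task: AS 54 originated prefixes prefer BB1,
    AS 54 customer prefixes prefer BB3; the default local preference is 100."""
    originated_in_54 = as_path_matches(ORIGINATED_IN_54, as_path)
    if peer == "BB1":
        return 200 if originated_in_54 else 100      # route-map BB1 permit 10 / permit 20
    if peer == "BB3":
        return 100 if originated_in_54 else 200      # route-map BB3 permit 10 / permit 20
    raise ValueError(f"unknown peer {peer}")


def accept_from_bb1(as_path: List[int]) -> bool:
    """filter-list 25 in: only AS 54 and its directly connected customers are accepted."""
    return as_path_matches(AS54_AND_DIRECT_CUSTOMERS, as_path)


if __name__ == "__main__":
    for path in ([54], [54, 100], [54, 100, 200], [254, 54], [154]):
        print(path, "acl1:", as_path_matches(ORIGINATED_IN_54, path),
              "acl25:", accept_from_bb1(path))
```

The `[154]` case shows why the `_` matters: a plain `54$` would also match AS 154.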
• Configure R4 to advertise the 10.X.4.0/24 subnet into BGP.
• Ensure that the 10.X.4.0/24 prefix shows up on R1 as 10.0.0.0/8.
• Do not use the aggregate address or network command to accomplish this task.
router bgp 400 (auto-summary):
• Users throughout your network have been complaining about periodic reachability problems to networks throughout the BGP domain. After further investigation you have determined that these reachability problems only occur when R4 loses connectivity to the Frame Relay cloud. However, your NOC engineers have verified that the PPP link to R5 is working correctly.
• Configure your network to resolve these users’ connectivity problems.
R3: the intermediate router is not running BGP, so a routing black hole forms; for routes learned via EBGP, the next hop is unreachable from the intermediate router's point of view.
• In order to prevent against further fluctuations in the BGP table affecting your network configure R4 and R6 so that they will not accept more than 150000 prefixes in from AS 54.
• Additionally configure your network so that you are alerted via syslog when the amount of prefixes learned from AS 54 exceeds 135000.
router bgp 100
Configure SW3 and SW4 to become members of AS 1000+YY (i.e. 100Y); the pre-configuration did not include this, it is left for us to do.
* SW1 and SW2 are peers with both SW3 and SW4 (in other words, SW1 and SW2 act as two route reflectors (RR)).
* SW3 and SW4 do not peer with each other.
* Ensure that SW1 and SW2 recognize updates from each other as belonging to the same cluster family (SW1 and SW2 must accept each other's updates and share the same cluster ID).
Sw1
Configure R6 to advertise a BGP default route to all external neighbors if the network Y.Y.30.0/30 is in the BGP table.
(Configure R6 so that, if the BGP table contains the Y.Y.30.0/30 entry, a default route is advertised to the EBGP peer group.)
What we need is that the default route is sent whenever this route exists in the BGP table, regardless of whether it exists in the routing table. The configuration is:
router bgp 2005
 neighbor external default-originate route-map default
Router Hardening
- Drop all source routed packets: no ip source-route
- Disable CDP and proxy-arp on the Ethernet segment to BB2 (on the interface): no ip proxy-arp, no cdp enable
- Disable BOOTP server: no ip bootp server
- A banner message should be displayed to all users that telnet into the router that states: Access to this device or the attached networks is prohibited without express written permission. Violators will be shot on sight:
banner login "Access to this device or the attached networks is prohibited without express written permission. Violators will be shot on sight."
- Silently discard packets that are denied: no ip unreachables (enabled by default: when the router receives a packet whose destination it does not know, it sends ICMP Host Unreachable to the source; with it disabled, the source only sees a timeout)
OSPF
OSPF cost calculation:

The default reference bandwidth is 100M, i.e. auto-cost reference-bandwidth 100; to use 10 Gbps Ethernet interfaces, the reference-bandwidth must be raised to 10000 or more for the correct cost to be computed.
RSVP: ip rsvp bandwidth [interface-kbps [single-flow-kbps]]
Assume that each call can reserve up to 64Kbps, and that no more than 128Kbps can be reserved at any given time:
ip rsvp bandwidth 128 64
Defending against DoS attacks
TCP intercept lets the router intercept TCP SYN packets: the router acts as a proxy for the server and answers the client's request with a SYN ACK. TCP intercept has two modes, intercept mode and watch mode. In intercept mode the router actively intercepts the TCP session. In watch mode the router does not intercept the session but watches it; if the session has not been established within 30 seconds (the default), the router sends a TCP RST to the server so that the server releases the resources allocated to the session.
In order to help deal with these attacks configure R4 to send a TCP reset to the web server for any TCP sessions that fail to reach the established state after 15 seconds.
ip tcp intercept list 125 // selects which hosts are watched
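The watch-mode behaviour described above (the router lets the handshake through, remembers each SYN to a protected server, and resets the server's half-open connection when the handshake is not completed within the watch timeout) is modelled in the Python below. It is an added example, not from the notes: the flag labels, server addresses and packet timings are constructed, and the `watched_servers` set stands in for the intercept list ACL.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, int, str, int]   # (client ip, client port, server ip, server port)


@dataclass
class TcpInterceptWatch:
    """Model of 'ip tcp intercept mode watch' with 'ip tcp intercept watch-timeout <sec>'.

    The router passes the handshake through untouched and only records SYNs to servers
    selected by the intercept list.  If a connection has not completed the handshake
    within `timeout` seconds the router sends a RST to the server so it can free the
    half-open state the SYN made it allocate.
    """
    watched_servers: Set[str]                 # stands in for the intercept list ACL (assumption)
    timeout: float = 30.0                     # IOS default; the task above sets 15
    pending: Dict[Flow, float] = field(default_factory=dict)   # flow -> time the SYN was seen
    established: List[Flow] = field(default_factory=list)
    resets_sent: List[Flow] = field(default_factory=list)

    def on_segment(self, flow: Flow, flags: str, now: float) -> None:
        """flags is a constructed label: 'SYN', 'SYN-ACK', 'ACK', 'FIN' or 'RST'."""
        if flow[2] not in self.watched_servers:
            return                            # not covered by the intercept list
        if flags == "SYN":
            self.pending.setdefault(flow, now)
        elif flags == "ACK" and flow in self.pending:
            del self.pending[flow]            # client's ACK completes the handshake
            self.established.append(flow)
        elif flags in ("FIN", "RST"):
            self.pending.pop(flow, None)

    def tick(self, now: float) -> List[Flow]:
        """Expire half-open connections older than the watch timeout; return the flows reset."""
        expired = [f for f, t in self.pending.items() if now - t >= self.timeout]
        for f in expired:
            del self.pending[f]
            self.resets_sent.append(f)        # RST sent towards the server for this flow
        return expired


WEB_SERVER = "192.0.2.80"   # constructed address of the protected web server


def replay_sample() -> TcpInterceptWatch:
    """Constructed trace: two SYNs that never complete plus one legitimate handshake."""
    ti = TcpInterceptWatch(watched_servers={WEB_SERVER}, timeout=15.0)
    ti.on_segment(("203.0.113.10", 40001, WEB_SERVER, 80), "SYN", 0.0)
    ti.on_segment(("203.0.113.11", 40002, WEB_SERVER, 80), "SYN", 0.2)
    ti.on_segment(("198.51.100.7", 51000, WEB_SERVER, 80), "SYN", 0.5)
    ti.on_segment(("198.51.100.7", 51000, WEB_SERVER, 80), "ACK", 0.6)
    ti.on_segment(("198.51.100.9", 51001, "192.0.2.25", 25), "SYN", 0.7)   # server not watched
    return ti


if __name__ == "__main__":
    ti = replay_sample()
    for t in (14.0, 15.0, 15.5):
        print(f"t={t}: reset {ti.tick(t)}")
```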
Configure R4 to drop packets without a verifiable source address received on the connection to BB3.
Old command:    New command:
Unicast Reverse Path Forwarding is commonly used to prevent DoS attacks; used in an asymmetric network it may cause problems.
RackYYR1 only forwards packets to R4 whose source address is in the routing table; packets that do not conform should be logged, conforming ones should not. Only permit packets originated from genuine VLAN A IP addresses; block faked IP addresses and log them. Regular traffic should not be impacted by this configuration.
R1 should refuse all of the spoofing attack and log it.
r1(config)#ip cef
The final access-list_number in this command is optional; its meaning: when the unicast reverse-path check succeeds, the packet is always forwarded. When the check fails, whether the packet is forwarded or dropped depends on the access-list: if the access-list permits, the packet is forwarded; if it denies, the packet is dropped.
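The decision logic just described (strict check against the FIB, forward on success, consult the optional ACL only on failure, log the spoofed source) is shown as an added Python example that is not part of the notes. The FIB, the interface names and the exception ACL are constructed; the log line format is an assumption, not IOS output.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed FIB for R1: prefix -> outgoing interface (longest match wins).
FIB = {
    ipaddress.ip_network("0.0.0.0/0"):     "Serial0/0",          # default toward the WAN
    ipaddress.ip_network("10.1.1.0/24"):   "FastEthernet0/0",    # VLAN A, the genuine source subnet
    ipaddress.ip_network("150.1.0.0/16"):  "Serial0/0",
}

# Constructed optional ACL consulted only when the RPF check fails: (action, prefix).
ACL_RPF_EXCEPTIONS = [
    ("permit", ipaddress.ip_network("192.0.2.0/24")),   # e.g. a known asymmetric-routed source
    ("deny", ipaddress.ip_network("0.0.0.0/0")),
]


def lookup(fib, addr: str) -> Optional[Tuple[ipaddress.IPv4Network, str]]:
    """Longest-prefix match; returns (prefix, interface) or None."""
    ip = ipaddress.ip_address(addr)
    candidates = [(net, ifc) for net, ifc in fib.items() if ip in net]
    if not candidates:
        return None
    return max(candidates, key=lambda item: item[0].prefixlen)


def rpf_check(fib, src: str, ingress_ifc: str, mode: str = "strict") -> bool:
    """Strict: the best route to the source must point back out the ingress interface.
    Loose: any route to the source is enough (fits asymmetric topologies)."""
    route = lookup(fib, src)
    if route is None:
        return False
    if mode == "loose":
        return True
    return route[1] == ingress_ifc


def acl_decision(acl, src: str) -> Optional[str]:
    ip = ipaddress.ip_address(src)
    for action, net in acl:
        if ip in net:
            return action
    return None                                # implicit deny


def process(fib, src: str, ingress_ifc: str, acl=None) -> Tuple[str, Optional[str]]:
    """Return (action, log_line) for a packet with source `src` arriving on `ingress_ifc`,
    mirroring 'ip verify unicast reverse-path [acl]' as explained above."""
    if rpf_check(fib, src, ingress_ifc):
        return "forward", None                 # conforming traffic is not logged
    log = f"RPF check failed: src {src} on {ingress_ifc} (possible spoofing)"   # assumed format
    if acl is not None and acl_decision(acl, src) == "permit":
        return "forward", log
    return "drop", log


if __name__ == "__main__":
    for src in ("10.1.1.5", "150.1.2.2", "192.0.2.7"):
        print(src, process(FIB, src, "FastEthernet0/0", ACL_RPF_EXCEPTIONS))
```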
Managing the router over HTTP:
o Use TCP port 8080
o Only permit access from the 136.X.2.0/24 subnet
o Authenticate users using the local username WEB and the password CISCO, stored in the router's configuration
o This password should be stored as an MD5 hash.
username WEB secret CISCO // this password should be stored as an MD5 hash
Autoinstall
Configure R5 to use the 136.X.5.0/30 subnet for communication with the new router and provide it with IP address 136.X.5.2 via BOOTP:
interface Serial0/0.555 point-to-point
privilege
privilege exec level 1 debug ip rip // allows privilege level 1 to run debug ip rip; usually paired with undebug
TELNET
Command: ip tcp synwait-time wait-time
Description: wait-time is 0-300; changes the timeout of a TELNET login.
Configure R3 to display a "Host Failed" message of "Connection Unsuccessful" when a telnet session to R4's Loopback 0 interface fails.
ip host R4 150.1.4.4 // this message is generated on the side whose login failed; alternatively, refuse-message under the vty lines of the target device produces a message on the failing side
Configuring WCCP
Command:
ip wccp web-cache redirect-list 25
!
interface Ethernet0/0
 ip wccp web-cache redirect [in | out]
!
access-list 25 deny 187.1.3.50
access-list 25 permit any
Description: the redirect-list selects which addresses' HTTP requests are intercepted; the interface command intercepts HTTP requests in the inbound (in) or outbound (out) direction, i.e. the direction toward the HTTP server.
Configuring Frame Relay keepalives
Command:
interface Serial0/0.54 point-to-point
 frame-relay interface-dlci 405
  class EEK
!
map-class frame-relay EEK
 frame-relay end-to-end keepalive mode {bidirectional | request | reply | passive-reply}
 frame-relay end-to-end keepalive timer send 15
MLS
IP precedence to DSCP mapping: mls qos map ip-prec-dscp 0 0 0 0 32 40 0 0
Verify with show mls qos map ip-prec-dscp
interface FastEthernet0/2
 mls qos trust ip-precedence // trust IP precedence on the interface
Note: remember to enable mls qos
On RackYYSw1 f0/4 configure a map from CoS to round-robin queues:
Cos 6 7 map to queue 1
Cos 5 4 map to queue 2
Cos 3 2 map to queue 3
Cos 1 0 map to queue 4
RackYYSw1:
mls qos // enable QoS
int f0/4
 mls qos trust cos // trust CoS
 wrr-queue cos-map 1 6 7
 wrr-queue cos-map 2 4 5
 wrr-queue cos-map 3 2 3
 wrr-queue cos-map 4 0 1
wrr-queue min-reserve
On SW1 Fa0/1 configure:
minimum-reserve level 2 to 20 packets and assign to egress queue 1;
minimum-reserve level 3 to 40 packets and assign to egress queue 2;
minimum-reserve level 5 to 80 packets and assign to egress queue 3.
(the actual values depend on the task)
mls qos min-reserve 2 20
mls qos min-reserve 3 40
mls qos min-reserve 5 80
interface fastethernet0/1
 wrr-queue min-reserve 1 2
 wrr-queue min-reserve 2 3
 wrr-queue min-reserve 3 5
multicast
Defense against multicast DoS attacks: there is a concern that a hacker may launch a DoS attack against R5 with multicast group membership traffic.
Configure R5 so that it will accept only 100 IGMP reports at any time, but this limit does not apply to the group 224.3.3.3.
On R5's interface:
ip igmp limit 100 except 99
access-list 99 permit 224.3.3.3 // only 224.3.3.3 is exempt from the limit
Anycast RP configuration
R4 and R5:
ip multicast-routing
!
interface Loopback1
 ip address 150.1.0.255 255.255.255.255
 ip pim sparse-mode
!
interface Ethernet0/0
 ip pim sparse-mode
!
interface Ethernet0/1
 ip pim sparse-mode
!
router ospf 1
 network 150.1.0.255 0.0.0.0 area 0
R4:
ip msdp peer 150.1.5.5 connect-source Loopback0
R5:
ip msdp peer 150.1.4.4 connect-source Loopback0
When ip pim sparse-mode is used with Auto-RP, the routers that are neither the RP nor the mapping agent must join the groups 224.0.1.39 and 224.0.1.40: ip pim autorp listener
Configure all devices so that if one or both RPs fail they will not fall back to dense mode: no ip pim dm-fallback
In order to help alleviate this problem configure R2 so that it waits at least 300ms between consecutive RPF checks.
R2:
ip multicast rpf backoff 300 5000
Filtering PIM traffic: ip pim neighbor-filter ACL // the ACL matches the neighbor's interface address; no PIM adjacency is formed with that neighbor
• R1 should not allow R5 to become a PIM neighbor. However, R5 should still allow clients on VLAN 5 to receive multicast traffic for this group.
interface Serial0/0
ip address 191.1.125.1 255.255.255.0
ip pim neighbor-filter 1
!
access-list 1 deny 191.1.125.5 // address of the R5 interface connected to R1
access-list 1 permit any
R5:
interface Ethernet0/0
ip pim dense-mode
ip igmp helper-address 191.1.125.1
To limit which multicast groups clients on a segment can join, configure the router in either of two ways:
interface Ethernet0/0
 ip igmp access-group 50
!
access-list 50 permit 225.25.25.25
access-list 50 permit 226.26.26.26
or:
interface Ethernet0/0
 ip multicast boundary 50
!
access-list 50 permit 225.25.25.25
access-list 50 permit 226.26.26.26
Configure SW1 and SW2 so that hosts connected to BB1 and BB2 can only join specific multicast groups and register via IGMP with R1 and R2 respectively.
limit joins on bb1 to a range of 224.111.1.0/24
limit joins on bb2 to a range of 224.222.2.0/24
Switch configuration:
Sw1
ip igmp profile 1
 permit
 range 224.111.1.0 224.111.1.255
!
interface FastEthernet0/10
 ip igmp filter 1
Sw2
ip igmp profile 1
 permit
 range 224.222.2.0 224.222.2.255
!
interface FastEthernet0/10
 ip igmp filter 1
• Your company’s development engineers are testing a new multicast application on VLAN 3 that utilizes IGMPv2. In order to assist in their development process they have requested that you configure R3 to poll the segment for multicast group membership every 5 seconds.
• In addition to this they have requested that R3 prune a multicast group off the interface if the application has not responded within 3 seconds of receiving a host-query message from R3.
• Lastly, to prevent the new application from interfering with the normal operation of your network configure R3 so that traffic from the business critical multicast feed 226.37.1.1 cannot be sent to VLAN 3 or accepted from VLAN 3.
R3:
• For ease of management and future multicast configuration changes configure R1 to map multicast groups 239.0.0.0 – 239.255.255.255 to R3 and multicast groups 226.0.0.0 – 238.255.255.255 to R5.
• Use the minimum number of access-lists and access-list entries on R1 to accomplish this
ip pim send-rp-discovery Loopback0 scope 16
ip pim rp-announce-filter rp-list 25 group-list 26
ip pim rp-announce-filter rp-list 50 group-list 51
!
access-list 25 permit 150.1.3.3
access-list 26 permit 239.0.0.0 0.255.255.255
access-list 50 permit 150.1.5.5
access-list 51 deny 224.0.0.0 1.255.255.255
access-list 51 deny 239.0.0.0 0.255.255.255
access-list 51 permit 224.0.0.0 15.255.255.255
In order to reduce the impact of this application on your network configure SW1 so that no more than 1Mbps of multicast traffic is sent out towards R3:
interface FastEthernet0/3
Configure the network so that multicast groups which use R3 as their RP cannot build a shortest path source tree. Instead these multicast groups should always use a shared tree.
ip pim spt-threshold infinity group-list 52
This keeps all traffic on the RP tree except on interfaces directly connected to the multicast source. spt-threshold is mainly for applications that send small multicast packets at long intervals and need sparse mode; configuring the SPT threshold keeps the multicast distribution tree that has already been built.
ip pim spt-threshold 128
SNMP
Configure R2 to generate a log message whenever a device attempts to poll it using the Read-Only community string 'public':
R2:
Configure R6 to be managed via SNMP
• The first network management server’s IP address is 141.X.7.100 and second network management server’s IP address is 141.X.77.100.
• Both network management servers will be expecting the RO community string to be CISCORO, the RW community string to be CISCORW, and the community string CISCO to be used for traps.
• The first network management server will be using SNMPv1 and the second SNMP server will be using SNMPv2c.
• R6 should generate SNMP traps for changes relating to HSRP status, but these traps should only be sent to the second network management server
• Allow R6 to be reloaded via SNMP
snmp-server community CISCO_RO RO 2
snmp-server community CISCO_RW RW 2
snmp-server enable traps hsrp
snmp-server system-shutdown // to be reloaded via SNMP
snmp-server host 141.1.7.100 CISCO
snmp-server host 141.1.77.100 version 2c CISCO hsrp
!
access-list 2 permit 141.1.77.100
access-list 2 permit 141.1.7.100
IOS MENU
menu NOC title # #
menu NOC prompt #
menu NOC text 1.
menu NOC command 1.
menu NOC options 1.
menu NOC clear-screen
username NOC password 0 CISCO
username NOC autocommand menu NOC
!
menu NOC title # Menu for NOC users #
menu NOC prompt # Choose your selection: #
menu NOC text 1. Ping R5
menu NOC command 1. ping 150.1.5.5
menu NOC options 1. pause
menu NOC text 2. Traceroute to R5
menu NOC command 2. trace 150.1.5.5
menu NOC options 2. pause
menu NOC text 3. Exit
menu NOC command 3. exit
menu NOC clear-screen
!
line vty 0 4
 login local
EIGRP
Metric = [k1 * bandwidth + (k2 * bandwidth)/(256 - load) + k3 * delay] * [k5/(reliability + k4)]
By default, Metric = (10^7 / BW_kbps + DLY_usec / 10) * 256
• In order to get the maximum benefit of this granularity configure the EIGRP domain so that bandwidth, delay, and load are taken into account when computing metrics.
• Also to ensure that bandwidth is always the major factor in metric calculation, configure the EIGRP domain so that bandwidth is three times more significant than either load or delay in the calculation.
router eigrp 200 // k1=1 k2=0 k3=1 k4=0 k5=0
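The general formula and its default reduction above can be checked numerically. This Python function is an added example, not from the notes: it implements the composite metric with the K values as parameters, using the same integer truncation IOS applies, so the default-K results match `show ip eigrp topology`. The non-default K set is one reading of the task (bandwidth weighted three times load and delay) and is an assumption; K values must match on all neighbors or the adjacency will not form.

```python
from typing import Sequence, Tuple

DEFAULT_K = (1, 0, 1, 0, 0)      # k1..k5 as IOS uses them unless 'metric weights' is changed
LAB_K = (3, 1, 1, 0, 0)          # assumption: one reading of "bandwidth three times as significant"


def eigrp_metric(bandwidths_kbps: Sequence[int], delays_usec: Sequence[int],
                 load: int = 1, reliability: int = 255,
                 k: Tuple[int, int, int, int, int] = DEFAULT_K) -> int:
    """Composite metric of a path made of the given links, per the formula in the notes.

    bandwidth term = 10^7 / (lowest link bandwidth in kbps)
    delay term     = (sum of link delays in microseconds) / 10
    The [k5 / (reliability + k4)] factor is applied only when k5 != 0, and the result
    is scaled by 256.  Integer arithmetic reproduces what IOS displays.
    """
    k1, k2, k3, k4, k5 = k
    bw = 10**7 // min(bandwidths_kbps)
    dly = sum(delays_usec) // 10
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * dly
    if k5 != 0:
        metric = metric * k5 // (reliability + k4)
    return metric * 256


def describe(bandwidths_kbps, delays_usec, k=DEFAULT_K) -> str:
    return f"bw={bandwidths_kbps} dly={delays_usec} k={k} -> metric {eigrp_metric(bandwidths_kbps, delays_usec, k=k)}"


if __name__ == "__main__":
    print(describe([100_000], [100]))            # one FastEthernet hop
    print(describe([1_544], [20_000]))           # one T1 hop
    print(describe([100_000, 1_544], [100, 20_000]))   # FastEthernet then T1
    print(describe([100_000], [100], k=LAB_K))
```

Because the lowest bandwidth dominates while delays add up, the two-hop path is only slightly worse than the T1 alone; that is the "bandwidth is the major factor" property the task refers to.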
• Configure the network in such a way that EIGRP query messages are not sent to R2 in the event of a network failure anywhere in the EIGRP domain.
router eigrp 10 // by default, when an EIGRP neighbor is lost the router sends both updates and queries; if the neighbor is a stub, only updates are sent toward the stub
DNS
Ensure that if your administrators mistype a command when working on the console of the router, it does not try to resolve the mistyped command via DNS.
line con 0
TUNNEL
As an additional integrity check ensure that any corrupt packets received on the VPN interface are discarded.
tunnel checksum
Security
Until there is a patch available for the vulnerability, configure R4 to filter off all HTTP GET requests containing 'root.exe' that come from BB2.
ip cef
IP SLA
• The service level agreement (SLA) between your company and AS 54 dictates that AS 54 will guarantee 99.999% uptime and a maximum latency of 20ms on the Frame Relay link between R6 and BB1.
• In order to ensure that AS 54 is fulfilling this SLA configure R6 to poll the Loopback address 115.0.0.1 of BB1 via 1250 byte ICMP ping packets every 30 seconds.
• R6 should account for ICMP ping packets that have a delay which exceeds 25ms.
• In order to avoid this problem configure the network in such a way that users in VLAN 26 use R6 as their default gateway, but only if AS 54 is honoring the service agreement on the circuit between R6 and BB1.
• If AS 54 is in violation of this agreement users in VLAN 26 should use R2 as their default gateway.
• The network administrators have informed you that all these users have their default gateways set to 174.X.26.254.
R6:
OSPF
Always configure auto-cost reference-bandwidth 10000 in OSPF; otherwise three equal-cost load-balanced routes appear in the SW1 and SW2 routing tables.
Cisco’s OSPF implementation does not support LSA 6 (multicast OSPF). By default, every time one of these LSAs is received, a syslog message is generated. To disable this behavior issue the OSPF routing process subcommand:
router ospf 1
ignore lsa mospf
Ensure that the RIP routes redistributed on R6 are not passed from OSPF and then back into EIGRP on R3 and SW2.
R3:
To minimize WAN utilization OSPF traffic should only be sent over the Frame Relay segment during initial adjacency establishment and when changes occur in the OSPF topology.
interface Serial0/0.54 point-to-point
OSPF path selection will always choose an Intra-Area route over an Inter-Area route. Therefore when R4 goes to forward traffic to VLAN 5, which is advertised into area 0, it will choose the area 0 interface to R3 as opposed to the area 1 interface to R5. By configuring a virtual-link between R4 and R5, VLAN 5 will be advertised as an area 0 Intra-Area route directly from R5 to R4 over the PPP link.
RIP
One thing worth noting here: during the exam we cannot log into the BB to look at its routing table. Some have said to look at the RIP database instead, but I don't think that is accurate either. The best way is to use debug ip rip: the metric value displayed is BB's metric value.
r4#debug ip rip
RIP protocol debugging is on
r4#
*Mar 1 05:23:08.882: RIP: sending v2 update to 224.0.0.9 via Ethernet0 (150.100.15.1)
*Mar 1 05:23:08.886: RIP: build update entries
*Mar 1 05:23:08.890: 5.5.2.2/32 via 0.0.0.0, metric 5, tag 0
*Mar 1 05:23:08.894: 5.5.3.3/32 via 0.0.0.0, metric 5, tag 0
• The network administrator has requested that R5 and SW1 authenticate each other using the password of CISCO2005.
• For added security R5 and SW1 should rotate their keys used for this authentication. This key rotation should occur at 11:45 PM Dec 31st, 2005.
• The new key to use for authentication is CISCO2006.
• To help ensure that R5 and SW1’s key rotation does not result in a network outage allow for the both keys to be accepted 30 minutes prior to and after the scheduled key rotation time.
R5 and SW1:
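The point of the 30-minute window in that task is clock tolerance: each side sends with only one key at a time, but accepts both keys around the rotation, so peers whose clocks differ by a few minutes keep authenticating. The Python below is an added example, not from the notes, that models a key chain with separate accept and send lifetimes built from the task's values and checks whether a packet sent under one router's clock is accepted under another's; the 1993 start date and the far-future end date are placeholders for "always".

```python
from datetime import datetime, timedelta
from typing import List, NamedTuple


class Key(NamedTuple):
    key_id: int
    key_string: str
    accept_start: datetime
    accept_end: datetime
    send_start: datetime
    send_end: datetime


ALWAYS_START = datetime(1993, 1, 1)         # placeholder for an unbounded start
FAR_FUTURE = datetime(2100, 1, 1)           # placeholder for 'infinite'
ROTATION = datetime(2005, 12, 31, 23, 45)   # 11:45 PM Dec 31st, 2005
OVERLAP = timedelta(minutes=30)

# Key chain built from the task: both keys are accepted 30 min either side of the rotation,
# but each key is sent only on its own side of the rotation time.
CHAIN: List[Key] = [
    Key(1, "CISCO2005", ALWAYS_START, ROTATION + OVERLAP, ALWAYS_START, ROTATION),
    Key(2, "CISCO2006", ROTATION - OVERLAP, FAR_FUTURE, ROTATION, FAR_FUTURE),
]


def send_key(chain: List[Key], now: datetime) -> Key:
    """IOS sends with the lowest key-id whose send lifetime is valid at `now`."""
    valid = [k for k in chain if k.send_start <= now < k.send_end]
    return min(valid, key=lambda k: k.key_id)


def accepted_key_strings(chain: List[Key], now: datetime) -> List[str]:
    """All key strings a receiver accepts at `now`."""
    return [k.key_string for k in chain if k.accept_start <= now < k.accept_end]


def cross_accept(sent_at: datetime, receiver_clock: datetime) -> bool:
    """Would a packet sent at `sent_at` (sender's clock) be accepted by a peer whose clock
    reads `receiver_clock`?  Both peers run the same chain."""
    return send_key(CHAIN, sent_at).key_string in accepted_key_strings(CHAIN, receiver_clock)


if __name__ == "__main__":
    for sender, receiver in ((datetime(2005, 12, 31, 23, 50), datetime(2005, 12, 31, 23, 25)),
                             (datetime(2005, 12, 31, 23, 40), datetime(2006, 1, 1, 0, 20))):
        print(sender, "->", receiver, "accepted:", cross_accept(sender, receiver))
```

The second case in the usage block fails: a sender still on 2005 time sends key 1, but a receiver whose clock is already 35 minutes past the rotation has stopped accepting it, which is exactly the outage the overlap is meant to cover within its 30-minute bound.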
• SW3 and SW4 should use RIPv2 for reachability to the rest of the network but the rest of the network should use EIGRP for reachability to the Ethernet segment between them and their Loopback0 subnets.
• SW3 and SW4 should use EIGRP routes for reachability to subnets within the 150.X.0.0/16 network.
SW3 and SW4:
Route filtering
- Set the administrative distance of routes that should not be accepted to 255: distance 255 0.0.0.0 255.255.255.255 ACL
- offset-list ACL {in|out} NUM
- distribute-list
core-dump
• Configure R6 to send a core dump via FTP to the server 148.X.3.100.
• The file name to send is R6DUMP.txt.
• Use the username R6CORE and the password CISCO when sending this file to the FTP server.
ip ftp username R6CORE
MAC filter
• After numerous attempts to get the company's graphics department to migrate their legacy servers to IP, you have decided to configure the network to only allow IPv4 traffic and necessary layer 2 traffic to transit VLAN 56.
• Use a named ACL called IPONLY to accomplish this.
ip access-list extended IPONLY
In order to limit the number of PCs that can connect to the network through these ports configure SW1 to shut down an interface connected to the meeting room for 60 seconds if it learns more than two MAC addresses on it.
SW1:
errdisable recovery cause psecure-violation
errdisable recovery interval 60
!
interface FastEthernet0/7
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
Configure SW1 to stop this router which has the MAC address of 0030.1369.87a0 from communicating if it is connected to either interface Fa0/7 or Fa0/8.
SW1:
mac-address-table static 0030.1369.87a0 vlan 17 drop
IPv6
• Enable IPv6 on the Frame Relay segment between R1, R2, and R4 using the addresses 2001:CC1E:X:124::Y/64.
• Use link-local addresses in the format FE80::Y on these devices.
interface Serial0/0
• Configure OSPFv3 area 0 on the Frame Relay segment between R1, R2, and R4.
• Do not use the ipv6 ospf network command to accomplish this.
R1:
When redistributing between IPv6 routing protocols, each protocol must also redistribute connected (redistribute connected). R2:
ipv6 router ospf 1
redistribute connected
redistribute rip RIPng
!
ipv6 router rip RIPng
redistribute connected metric 1
redistribute ospf 1 metric 1
DHCP
Note: if the task says "disable dynamic arp learning on the interface", enter "arp authorized" on the yy.yy.55.254 interface; this command turns off dynamic MAC address learning on that interface. If the task does not say so, do not configure "arp authorized" on the interface.
• You have been informed that a DHCP server will be installed on VLAN 56 to service hosts in VLANs 5 and 56, however you don’t know what the IP address of the server will be.
• Configure R5 to forward DHCP requests received on VLAN 5 to this server that will be located in VLAN 56.
R5:
• R1 should supply hosts in VLAN 367 with IP addresses in the range of 139.Y.0.100 to 139.Y.0.200. Lab13 9.2
• The default gateway for these hosts should be R6.
• If R6 is down R3 should be the default gateway.
• Hosts in VLAN 367 should not have to re-lease an address once they have one.
• Additionally these hosts should use the domain name InternetworkExpert.com.
R1:
rate-limit
Computers inside the network run an application on a server on the BB1 side (address 150.100.1.240) using UDP ports 5000-6000. Rate-limit this application: base rate 3 Mbps, normal burst rate 200 Kbps, excess burst rate 300 Kbps. Traffic within this limit is sent with high priority; traffic that exceeds it has its packet precedence set to normal and is forwarded best-effort. All other traffic: base rate 800 Kbps, normal burst rate 100 Kbps, excess burst rate 150 Kbps, packet precedence normal, and drop if Be is exceeded. Configure this on R1 E0.
R1:
ip cef
int e0
 rate-limit output access-group 101 3000000 25000 37500 conform-action set-prec-transmit 5 exceed-action set-prec-transmit 0
 rate-limit output 800000 12500 18750 conform-action set-prec-transmit 0 exceed-action drop
access-list 101 permit udp any host 150.100.1.240 range 5000 6000
Note: the burst rate is given in Kbps, but the burst parameters are in bytes, so Normal Burst = 200000/8 = 25000.
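The unit conversion in that note, and what the bucket then does to a burst of packets, are shown in the added Python example below; it is not from the notes. `burst_bytes` is the Kbps-to-bytes conversion; `RateLimiter` is a simplified single token bucket (tokens refill at the CIR up to the normal burst, a packet may borrow up to the extended burst and is then marked exceed). Cisco CAR uses a probabilistic "compound debt" rule in the extended-burst region, so treating that region deterministically is an assumption. The packet sizes and timings are constructed.

```python
from typing import List, Tuple


def burst_bytes(rate_bps: int) -> int:
    """Convert a burst stated as a rate in bit/s (as in the task) to the bytes the
    'rate-limit' command expects: 200 kbit/s -> 25000 bytes."""
    return rate_bps // 8


class RateLimiter:
    """Simplified token-bucket model of 'rate-limit ... <cir> <normal-burst> <extended-burst>'.

    Tokens (bytes) refill at `cir` bit/s up to `normal_burst`.  A packet that fits in the
    bucket conforms.  One that does not fit may borrow up to (extended_burst - normal_burst)
    bytes, driving the bucket negative, and is marked 'exceed'; beyond that it is 'exceed'
    too, but no tokens are charged.  (Deterministic approximation of CAR: assumption.)
    """

    def __init__(self, cir_bps: int, normal_burst: int, extended_burst: int):
        self.cir = cir_bps
        self.bc = normal_burst
        self.be = extended_burst
        self.tokens = float(normal_burst)     # bucket starts full
        self.last = 0.0

    def offer(self, size_bytes: int, now: float) -> str:
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tokens = min(self.bc, self.tokens + self.cir / 8 * elapsed)
        if self.tokens >= size_bytes:
            self.tokens -= size_bytes
            return "conform"
        if self.tokens + (self.be - self.bc) >= size_bytes:
            self.tokens -= size_bytes         # borrow from the extended burst
        return "exceed"


def classify_app_traffic(packets: List[Tuple[float, int]]) -> List[str]:
    """Run the task's first rate-limit (3 Mbit/s, Bc 25000, Be 37500) over (time, size)
    packets and map each result to the configured action."""
    limiter = RateLimiter(3_000_000, burst_bytes(200_000), burst_bytes(300_000))
    actions = {"conform": "set-prec-transmit 5", "exceed": "set-prec-transmit 0"}
    return [actions[limiter.offer(size, t)] for t, size in packets]


# Constructed sample: five 10000-byte packets, four at t=0 and one 100 ms later.
SAMPLE_PACKETS = [(0.0, 10_000), (0.0, 10_000), (0.0, 10_000), (0.0, 10_000), (0.1, 10_000)]


if __name__ == "__main__":
    print("normal burst bytes:", burst_bytes(200_000), "extended:", burst_bytes(300_000))
    for pkt, action in zip(SAMPLE_PACKETS, classify_app_traffic(SAMPLE_PACKETS)):
        print(pkt, action)
```

At 3 Mbit/s the bucket regains 37500 bytes in 100 ms, which is why the fifth packet conforms again even after the burst drove the bucket negative.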
IPv6 Tunnel
Without using additional IPv6 addresses, tunnel IPv6 traffic through the IPv4 Frame Relay network.
Tunnel on R4 and R1.
Use a stable destination for the tunnel.
Run RIPng for the IPv6 addresses.
Make sure you can ping all the IPv6 addresses.
R1:
Broadcast suppression
Configure the Frame Relay interfaces of RackYYR1, RackYYR3 and RackYYR4 so that broadcast flooding can be avoided.
Use the following parameters:
Maximum transmission rate: 120 packets per second;
Maximum byte transmission rate of 260k bytes per second;
Limit the queue size to 240 packets;
r4(config)#int s0/0/0
Verification: use show interface s0/0 on R1, R3 and R4.
UDP Broadcast Management
SNMP trap IP broadcasts from BB3 should be forwarded by R6 so that the client in BB2 (150.1.2.254) receives them.
r6(config)#ip forward-protocol udp snmptrap
CBAC (Context-Based Access Control)
• the telnet session will time out in 30 min
• all telnet sessions need to be audited.
ip inspect audit-trail
dot1x
1.5 On SW1 create Guest VLAN 999; on SW3 configure port authentication on fa0/11 – 18. Ports that do not support 802.1x are placed in the Guest VLAN, and ports that fail authentication are also placed in the Guest VLAN. Same requirement as in Wudi 1, and the radius-server address and key are given.
sw1(config)#vlan 999