View full version: CCIE questions (final part)

rswzy 2007-6-21 20:40

CCIE questions (final part)

Section 5: IP FEATURE (8 points) (100%)

1. HSRP (2)
Run HSRP on the E0 interfaces of R2 and R5. Normally R5 is the ACTIVE ROUTER; when R5's S0 interface goes DOWN, R2 takes over as ACTIVE ROUTER, unless R2 is DOWN at the same time as R5 is DOWN. Between r2 and r5, use the address yy.yy.14.1.

R2
standby use-bia
standby 1 ip 1.1.14.1
standby 1 preempt
standby 1 track s0

R5
standby use-bia
standby 1 ip 1.1.14.1
standby 1 pri 105
standby 1 preempt
standby 1 track s0

2. DHCP (3)
R5 acts as the DHCP SERVER.
Requirements:
domain-name: cisco.com
Assign IP addresses to the Ethernet segment.
Dns-server: 150.100.1.50, 150.100.1.51
Never release the IP address.
Set the gateway to YY.YY.14.1

service dhcp
no ip dhcp conflict logging
ip dhcp excluded-add 1.1.14.1
ip dhcp excluded-add 1.1.14.2
ip dhcp excluded-add 1.1.14.5
ip dhcp pool abc
 network 1.1.14.0 /24
 domain-name cisco.com
 dns-server 150.100.1.50 150.100.1.51
 default-router 1.1.14.1
 lease infinite

3. NTP (3)
R4 and SW2 must synchronize with R3.
After synchronization, the stratum of R4 and SW2 is 3. (Only R4 needs to be configured.)
Use authentication.
It can synchronize only if there is a path between routers.

R3
ntp master 2
ntp source loo 0
ntp authenticate
ntp authentication-key 1 md5 cisco
ntp trusted-key 1

R4, sw2
ntp server 1.1.3.3 key 1 source loo 0
ntp authenticate
ntp authentication-key 1 md5 cisco
ntp trusted-key 1

sw2
ntp server 1.1.3.3 key 1 source loo 0
ntp authenticate
ntp authentication-key 1 md5 cisco
ntp trusted-key 1

Verification: sh ntp s, sh ntp a
Check whether the stratum (precision level) learned by R4 and SW2 is 3.
You can also set a time on R3 (sh clock, clock set),
then after a while check whether R4 and SW2 have learned it and are time-synchronized.

Section 6: MULTICAST (6 points, 3-3) (100%)

1. You use sparse-mode. Configure multicast on the e1 (to bb2), s0 of R5; s0, s1 of r3; s1, e0 of r4. Use the lo0 of r4 as the static rp. Join the e1 (to bb2) of r5 in the group 239.255.8.8. The group must be pingable from every router on which multicast is enabled.

R3
ip multicast-routing
int s0
 ip pim sparse-mode
 ip pim nbma-mode
int s0.1
 ip pim sparse-mode
 ip pim nbma-mode

int s1
 ip pim sparse-mode
 ip pim nbma-mode
ip pim rp-address 1.1.4.4

R4
ip multicast-routing
int s1
 ip pim sparse-mode
 ip pim nbma-mode
int e0
 ip pim sparse-mode
ip pim rp-address 1.1.4.4

R5
ip multicast-routing
int s0
 ip pim sparse-mode
 ip pim nbma-mode
int e0
 ip pim sparse-mode
 ip igmp join-group 239.255.8.8
ip pim rp-address 1.1.4.4

2. Configure R4 so that when there are no active group members, it leaves the group after 6 seconds.
int e0/0
 ip igmp query-max-response-time 6

Section 7: QOS (9 points) (66%)

1. wrr-queue min-reserve
On Fa0/1 of SW1, configure the following:
minimum-reserve level 2 to 20 packets and assign to egress queue 1;
minimum-reserve level 3 to 40 packets and assign to egress queue 2;
minimum-reserve level 5 to 80 packets and assign to egress queue 3.
(The actual values depend on the exam question.)

mls qos min-reserve 2 20
mls qos min-reserve 3 40
mls qos min-reserve 5 80

interface fastethernet0/1
 wrr-queue min-reserve 1 2
 wrr-queue min-reserve 2 3
 wrr-queue min-reserve 3 5

2. CLASS-BASED WFQ (3 points)
Configure r4 so that if there is congestion between 9 and 10 AM, users on VLAN_D will have 20% of the bandwidth reserved for web traffic to server 199.172.11.11 on VLAN_BB1 and 20% for telnet to all devices within your network topology. At other times no bandwidth should be reserved. Percentages are based on the available interface bandwidth.

ip cef
time-range 9-10
 periodic daily 9:00 to 10:00
access 102 permit tcp any host 199.172.11.11 eq www time-range 9-10
access 103 permit tcp any any eq telnet time-range 9-10
class-map match-all www
 match access-group 102
class-map match-all telnet
 match access-group 103
policy-map bwpercent
 class www
  bandwidth remaining percent 20 (reserved according to the bandwidth actually available on the interface)
 class telnet
  bandwidth remaining percent 20 (reserved according to the bandwidth actually available on the interface)

int s0
 service-policy output bwpercent

3. Discard Eligible (3 points)
The frame-relay between R1 and R6 is experiencing heavy congestion; this should result in OSPF lost neighbor. Configure R1 and R6 so that the Frame-Relay provider does not drop any OSPF packet during congestion.

R1:
!
frame-relay de-list 1 protocol ip list 101
!
interface Serial0.1 point-to-point (1.1.8.1/30)
 frame-relay de-group 1 106
!
access-list 101 deny ospf any any
access-list 101 permit ip any any
!

R6:
!
frame-relay de-list 1 protocol ip list 101
!
interface Serial1.1 point-to-point (1.1.8.2/30)
 frame-relay de-group 1 601
!
access-list 101 deny ospf any any
access-list 101 permit ip any any
!

Section 8: SECURITY (9 points) (0%)

1. SYN_FLOOD
Configure on R1: a PC in VLAN A is suspected of carrying out a SYN_FLOOD attack against the server 150.100.1.240 in BB1 (the actual address depends on the exam question). Configure R1 so that the router waits 20 seconds and then closes those requests that have not successfully established a connection.

ip tcp intercept list 100
ip tcp intercept mode intercept
ip tcp intercept connection-timeout 20
!
acc 100 per tcp 1.1.14.0 0.0.0.255 host 150.100.1.240

2. Dynamic access: (3 points)
Some support engineers on vlan 14 want to access your topology at some time, but they must first be authenticated by r4; then they can access it without restriction. r4 uses local authentication.
User name is ccie, password is cisco. The absolute timeout is 10 MIN; the connection is dropped after an IDLE timeout of 2 MIN. Make sure you don't influence the normal routing protocol and other question rules.

Support engineers who come in through VLAN_D must be given occasional access to the rest of your YY.YY.0.0 net. They will telnet from sw1 to R4 E0/0 and give their credentials; once this is done they will have unrestricted access to the rest of the network. Use local authentication on R4; allow unrestricted access for 10 minutes and 2 minutes idle. Make sure the existing feature of this link (connectivity, route) is not compromised. User name is ccie, password is cisco. (The task explicitly states that after configuration, telnet, ping and routing traffic must still be guaranteed, and it was confirmed that the host parameter should be added.)

R4
user ccie pass cisco
user ccie autocommand access-enable host timeout 2

acc 122 dynamic abc timeout 10 permit ip any any
acc 122 permit tcp any host 1.1.13.4 eq telnet
acc 122 permit ospf any any
acc 122 permit icmp any any
acc 122 permit tcp any eq telnet any
(This part still needs careful consideration.)

int e0
 ip access-group 122 in
line vty 0 4
 login local

/// The test has succeeded if the following results appear. Test procedure:

1. From sw1, ping any router behind R4: it fails even though a route exists.
2. From sw1, telnet to R4's e0 interface.
   Username: ccie  Password: cisco
3. From sw1, ping any router behind R4: it succeeds.
4. After 10 minutes, ping any router behind R4 from sw1: it fails again.

Conclusion:
The dynamic acl uses telnet to open a temporary channel for vlan14 users to access this rack's topology.

3. switch security (3 points)

The sw1 ports connecting r5 and r2 must allow only the physical addresses of r5 and r2.
Log when a violation occurs. The aging can survive the switch's rebooting.

VLAN_B needs tight (high) security; configure the ports in this VLAN to the physical address of the routers that are currently attached to them.
This configuration should survive the reboot of the switch.
Log violations of this policy while allowing correct traffic to proceed.

SW2:
int f0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0002.b967.4180
 switchport port-security violation restrict
!
int f0/5
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0002.c417.1951
 switchport port-security violation restrict

/// Note: the mac-address can only be bound after the port has been shut down; otherwise the port reports a duplicate address. The MAC addresses of the R2 and R5 Ethernet ports can be viewed on sw2 with the sh mac-address-table interface command, or directly on R2 and R5 with sh int. Be sure to use the restrict keyword, because this keyword accomplishes the logging task; none of the others can.

[Last edited by rswzy on 2007-6-21 21:10]
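
The lock-and-key behaviour of the R4 answer in Section 8, question 2, as an added example that is not part of the original post: a small Python model of ACL 122 showing what the host keyword and the two timeouts change. The hosts 1.1.13.10 and 1.1.13.20, the assumption that they sit on R4's e0 segment, and all class names are constructed for illustration.

```python
# Added illustration (not IOS code, not from the post): a toy evaluator for
# ACL 122 as applied inbound on R4 e0. Class and field names are hypothetical.
from dataclasses import dataclass, field
from ipaddress import ip_address

ABSOLUTE_TIMEOUT = 10 * 60  # 'acc 122 dynamic abc timeout 10' (minutes -> s)
IDLE_TIMEOUT = 2 * 60       # 'access-enable host timeout 2' (minutes -> s)
R4_E0 = ip_address("1.1.13.4")


@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "icmp", "ospf", ...
    sport: int = 0
    dport: int = 0


@dataclass
class DynamicEntry:
    src: object         # authenticated host, or None meaning "any"
    created: float
    last_hit: float


@dataclass
class LockAndKeyAcl:
    use_host: bool = True                  # was 'host' given to access-enable?
    entries: list = field(default_factory=list)

    def access_enable(self, login_src: str, now: float) -> None:
        """What the autocommand does after a successful local login."""
        src = ip_address(login_src) if self.use_host else None
        self.entries.append(DynamicEntry(src, now, now))

    def _expire(self, now: float) -> None:
        # An entry goes away at the absolute limit or after the idle limit.
        self.entries = [
            e for e in self.entries
            if now - e.created < ABSOLUTE_TIMEOUT
            and now - e.last_hit < IDLE_TIMEOUT
        ]

    def match(self, pkt: Packet, now: float):
        """Return the name of the first matching permit line, or None (deny)."""
        self._expire(now)
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        # Temporary entries are evaluated where the 'dynamic' line sits: first.
        for e in self.entries:
            if e.src is None or e.src == src:
                e.last_hit = now           # matching traffic resets idle timer
                return "dynamic abc"
        # Static lines, in the order posted.
        if pkt.proto == "tcp" and dst == R4_E0 and pkt.dport == 23:
            return "telnet to R4"
        if pkt.proto == "ospf":
            return "ospf"
        if pkt.proto == "icmp":
            return "icmp"                  # permitted with or without a login
        if pkt.proto == "tcp" and pkt.sport == 23:
            return "telnet replies"
        return None                        # implicit deny at the end


def demo():
    """Constructed hosts on the e0 segment; 1.1.3.3 is a router behind R4."""
    web = Packet("1.1.13.10", "1.1.3.3", "tcp", 40000, 80)
    other = Packet("1.1.13.20", "1.1.3.3", "tcp", 40001, 80)
    acl = LockAndKeyAcl(use_host=True)
    before = acl.match(web, now=0)                 # not yet authenticated
    acl.access_enable("1.1.13.10", now=0)          # telnet login as ccie
    after = acl.match(web, now=30)
    neighbour = acl.match(other, now=30)           # different source host
    idle_expired = acl.match(web, now=30 + IDLE_TIMEOUT)
    return before, after, neighbour, idle_expired


if __name__ == "__main__":
    print(demo())
```

With use_host=False the temporary entry is the template itself (permit ip any any), so every source on the segment passes once one user has logged in.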

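The NTP authentication from Section 5, question 3, as an added example that is not part of the original post: how the MD5 key configured on R3 and R4 is used to sign and check a reply, and why R4 ends up at stratum 3. It is a simplified model of the key checks only; the helper names are hypothetical and the packet contents are constructed.

```python
# Added illustration (not from the post): NTP symmetric-key authentication as
# set up by 'ntp authentication-key 1 md5 cisco'. Helper names are hypothetical.
import hashlib
import hmac
import struct

HEADER_LEN = 48   # fixed NTP header
MAC_LEN = 20      # 4-byte key ID + 16-byte MD5 digest


def ntp_header(stratum: int, mode: int = 4, version: int = 3) -> bytes:
    """Minimal server reply header; timestamps are left zero (constructed)."""
    li_vn_mode = (version << 3) | mode
    return struct.pack("!BBbb", li_vn_mode, stratum, 6, -20) + bytes(44)


def sign(header: bytes, key_id: int, key: bytes) -> bytes:
    """Append the MAC: key ID followed by MD5(key || header)."""
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


class Client:
    """Simplified receiver: models only the key checks, not clock selection."""

    def __init__(self, keys, trusted, authenticate=True):
        self.keys = keys                    # ntp authentication-key <id> md5 <key>
        self.trusted = trusted              # ntp trusted-key <id>
        self.authenticate = authenticate    # ntp authenticate

    def accept(self, datagram: bytes):
        """Return the stratum this client would take, or None if rejected."""
        header, mac = datagram[:HEADER_LEN], datagram[HEADER_LEN:]
        if len(header) != HEADER_LEN:
            return None
        if self.authenticate:
            if len(mac) != MAC_LEN:
                return None                      # unsigned reply
            key_id = struct.unpack("!I", mac[:4])[0]
            key = self.keys.get(key_id)
            if key is None or key_id not in self.trusted:
                return None                      # unknown or untrusted key ID
            expected = hashlib.md5(key + header).digest()
            if not hmac.compare_digest(expected, mac[4:]):
                return None                      # wrong key or altered header
        return header[1] + 1                     # one level below the server


def demo():
    # R3 is 'ntp master 2', so its replies carry stratum 2.
    r3_reply = sign(ntp_header(stratum=2), key_id=1, key=b"cisco")
    r4 = Client(keys={1: b"cisco"}, trusted={1})
    tampered = bytes([r3_reply[0], 1]) + r3_reply[2:]   # stratum byte changed
    return {
        "genuine": r4.accept(r3_reply),
        "unsigned": r4.accept(ntp_header(stratum=1)),
        "wrong_key": r4.accept(sign(ntp_header(2), 1, b"guess")),
        "untrusted_id": r4.accept(sign(ntp_header(2), 2, b"cisco")),
        "tampered": r4.accept(tampered),
    }


if __name__ == "__main__":
    print(demo())
```
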
神之一技 2007-8-23 11:11

CCIE really is very hard to measure........

xiaohe207 2007-8-28 13:41

Thanks, the content is good and worth studying

cooldean 2007-9-20 18:29

Thanks, I'll download it and take a look

renyn 2007-9-20 18:41

ddddddddddddd

flyingde 2007-9-21 13:36

Good stuff.. bookmarked

taizigzd 2007-11-14 23:42

Thanks for sharing, I'll study it!

hecheng0123 2007-11-19 17:05

ddddddddddddddddddddddddddddd

waster 2008-4-21 06:24

The security part isn't very good; I'll download it and take a look, hope it's worth it~