Posted on 2007-6-21 20:40
CCIE lab questions (final part)
Section 5: IP FEATURE (8 points) (100%)
1. HSRP (2)
Configure HSRP on the E0 interfaces of R2 and R5. Normally R5 is the ACTIVE ROUTER; when R5's S0 interface goes DOWN, R2 takes over as ACTIVE ROUTER, unless R2 is DOWN at the same time as R5. Use the address yy.yy.14.1 between R2 and R5.
R2
standby use-bia
standby 1 ip 1.1.14.1
standby 1 preempt
standby 1 track s0
R5
standby use-bia
standby 1 ip 1.1.14.1
standby 1 pri 105
standby 1 preempt
standby 1 track s0
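Added check, not part of the original post: a small Python model of the HSRP active-router election that walks through the three states the task describes and confirms that priority 105 with the default track decrement gives the required failover. It assumes the IOS defaults (priority 100, decrement 10, higher IP wins a tie) and assumes R2 and R5 use 1.1.14.2 and 1.1.14.5.

```python
# Added example (not from the original post): a model of the HSRP active-router
# election, to check that the priorities in the Section 5 task give the required
# failover. Assumed IOS defaults: priority 100, track decrement 10, and the
# higher IP wins a priority tie. Router IPs are assumed.

DEFAULT_PRIORITY = 100
DEFAULT_DECREMENT = 10


def effective_priority(router, down_links):
    """Priority after subtracting the decrement of each tracked link that is down."""
    pri = router.get("priority", DEFAULT_PRIORITY)
    for iface, dec in router.get("track", {}).items():
        if (router["name"], iface) in down_links:
            pri -= dec
    return pri


def elect_active(routers, down_links=frozenset(), down_routers=frozenset(), current=None):
    """Name of the active router. A router that is down cannot be active; a live
    current active keeps the role unless another router has 'preempt' and a
    strictly higher effective priority."""
    alive = [r for r in routers if r["name"] not in down_routers]
    if not alive:
        return None

    def rank(r):
        return (effective_priority(r, down_links),
                tuple(int(o) for o in r["ip"].split(".")))

    best = max(alive, key=rank)
    cur = next((r for r in alive if r["name"] == current), None)
    if cur is None:
        return best["name"]
    if best is not cur and best.get("preempt") and rank(best)[0] > rank(cur)[0]:
        return best["name"]
    return cur["name"]


# Constructed group matching the task: R2 at the default priority, R5 at 105,
# both preempting and tracking s0 with the default decrement.
R2 = {"name": "R2", "ip": "1.1.14.2", "preempt": True, "track": {"s0": DEFAULT_DECREMENT}}
R5 = {"name": "R5", "ip": "1.1.14.5", "priority": 105, "preempt": True,
      "track": {"s0": DEFAULT_DECREMENT}}


def failover_sequence(routers=(R2, R5)):
    """Active router in the three states the task describes, plus recovery."""
    normal = elect_active(routers)                                         # R5
    r5_s0_down = elect_active(routers, {("R5", "s0")}, current=normal)     # R2
    r5_down = elect_active(routers, down_routers={"R5"}, current=r5_s0_down)  # R2
    recovered = elect_active(routers, current=r5_down)                    # R5 preempts back
    return normal, r5_s0_down, r5_down, recovered
```

With the default decrement of 10, an R5 priority of 110 or above would never drop below R2's 100 when s0 fails, so the value 105 is what makes the tracking actually hand over the active role.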
2. DHCP (3)
R5 acts as the DHCP SERVER.
Requirements:
domain-name: cisco.com
Assign ip addresses to the Ethernet segment.
Dns-server: 150.100.1.50, 150.100.1.51
Never release ip addresses.
Specify the gateway YY.YY.14.1.
service dhcp
no ip dhcp conflict logging
ip dhcp excluded-add 1.1.14.1
ip dhcp excluded-add 1.1.14.2
ip dhcp excluded-add 1.1.14.5
ip dhcp pool abc
network 1.1.14.0 /24
domain-name cisco.com
dns-server 150.100.1.50 150.100.1.51
default-router 1.1.14.1
lease infinite
3. NTP (3)
R4 and SW2 must synchronize with R3.
After synchronization the stratum of R4 and SW2 is 3 (only R4 needs to be configured).
Use authentication.
It can be synchronized only if there is a path between the routers.
R3
ntp master 2
ntp source loo 0
ntp authenticate
ntp authentication-key 1 md5 cisco
ntp trusted-key 1
R4, sw2
ntp server 1.1.3.3 key 1 source loo 0
ntp authenticate
ntp authentication-key 1 md5 cisco
ntp trusted-key 1
Verification: sh ntp s, sh ntp a
Check whether the stratum learned by R4 and SW2 is 3.
You can also set a time on R3 (sh clock, clock set), then check after a while whether R4 and SW2 have learned it, i.e. the clocks are synchronized.
Section 6: MULTICAST (6 points, 3-3) (100%)
1. You use sparse-mode. Configure multicast on the e1 (to bb2) and s0 of R5; s0 and s1 of r3; s1 and e0 of r4. Use the lo0 of r4 as the static rp. Join the e1 (to bb2) of r5 to the group 239.255.8.8. The group must be reachable by ping from every router running multicast.
R3
ip multicast-routing
int s0
ip pim sparse-mode
ip pim nbma-mode
int s0.1
ip pim sparse-mode
ip pim nbma-mode
int s1
ip pim sparse-mode
ip pim nbma-mode
ip pim rp-address 1.1.4.4
R4
ip multicast-routing
int s1
ip pim sparse-mode
ip pim nbma-mode
int e0
ip pim sparse-mode
ip pim rp-address 1.1.4.4
R5
ip multicast-routing
int s0
ip pim sparse-mode
ip pim nbma-mode
int e0
ip pim sparse-mode
ip igmp join-group 239.255.8.8
ip pim rp-address 1.1.4.4
2. Configure R4 so that when there are no active group members, it leaves the group after 6 seconds.
int e0/0
ip igmp query-max-response-time 6
Section 7: QOS (9 points) (66%)
1. wrr-queue min-reserve
On Fa0/1 of SW1, configure:
minimum-reserve level 2 to 20 packets and assign to egress queue 1;
minimum-reserve level 3 to 40 packets and assign to egress queue 2;
minimum-reserve level 5 to 80 packets and assign to egress queue 3.
(The exact values depend on the question at exam time.)
mls qos min-reserve 2 20
mls qos min-reserve 3 40
mls qos min-reserve 5 80
interface fastethernet0/1
wrr-queue min-reserve 1 2
wrr-queue min-reserve 2 3
wrr-queue min-reserve 3 5
2. CLASS-BASED WFQ (3 points)
Configure r4 so that if there is congestion between 9 and 10 AM, users on VLAN_D will have 20% of the bandwidth reserved for web traffic to server 199.172.11.11 on VLAN_BB1 and 20% for telnet to all devices within your network topology. At other times no bandwidth should be reserved. Percentages are based on the available interface bandwidth.
ip cef
time-range 9-10
periodic daily 9:00 to 10:00
access 102 permit tcp any host 199.172.11.11 eq www time-range 9-10
access 103 permit tcp any any eq telnet time-range 9-10
class-map match-all www
match access-group 102
class-map match-all telnet
match access-group 103
policy-map bwpercent
class www
bandwidth remaining percent 20
(reserved according to the interface's actual available bandwidth)
class telnet
bandwidth remaining percent 20
(reserved according to the interface's actual available bandwidth)
int s0
service-policy output bwpercent
3. Discard Eligible (3 points)
The frame-relay link between R1 and R6 is experiencing heavy congestion; this results in OSPF losing its neighbor. Configure R1 and R6 so that the Frame-Relay provider does not drop any OSPF packet during congestion.
R1:
!
frame-relay de-list 1 protocol ip list 101
!
interface Serial0.1 point-to-point (1.1.8.1/30)
frame-relay de-group 1 106
!
access-list 101 deny ospf any any
access-list 101 permit ip any any
!
R6:
!
frame-relay de-list 1 protocol ip list 101
!
interface Serial1.1 point-to-point (1.1.8.2/30)
frame-relay de-group 1 601
!
access-list 101 deny ospf any any
access-list 101 permit ip any any
!
Section 8: SECURITY (9 points) (0%)
1. SYN_FLOOD
Configure on R1: a PC in VLAN A is suspected of launching a SYN_FLOOD attack against the server 150.100.1.240 in BB1 (check the actual exam question). Configure R1 so that the router waits 20 seconds and then drops those connection requests that have not completed the handshake.
ip tcp intercept list 100
ip tcp intercept mode intercept
ip tcp intercept connection-timeout 20
!
acc 100 per tcp 1.1.14.0 0.0.0.255 host 150.100.1.240
2. Dynamic access (3 points)
Some support engineers on vlan 14 want to access your topology at certain times, but they must first be authenticated by r4; then they can access it without restriction. r4 uses local authentication.
User name is ccie, password is cisco. The absolute timeout is 10 MIN; the connection is dropped after 2 MIN of IDLE time. Make sure you don't influence the normal routing protocol and the rules of other questions.
Support engineers who come in through VLAN_D must be given occasional access to the rest of your YY.YY.0.0 net. They will telnet from sw1 to R4 E0/0 and give their credentials; once this is done they will have unrestricted access to the rest of the network. Use local authentication on R4; allow unrestricted access for 10 minutes with a 2-minute idle timeout. Make sure the existing features of this link (connectivity, routing) are not compromised. User name is ccie, password is cisco. (The question explicitly states that after the configuration, telnet, ping and routing traffic must still work, and it was confirmed that the host parameter should be added.)
R4
user ccie pass cisco
user ccie autocommand access-enable host timeout 2
acc 122 dynamic abc timeout 10 permit ip any any
acc 122 permit tcp any host 1.1.13.4 eq telnet
acc 122 permit ospf any any
acc 122 permit icmp any any
acc 122 permit tcp any eq telnet any
(this part still needs careful consideration)
int e0
ip access-group 122 in
line vty 0 4
login local
/// The test is successful if the following results appear. Test method:
1. From sw1, ping any router behind R4: the result is that routes exist but the ping fails.
2. From sw1, telnet to R4's e0 interface; username: ccie, password: cisco.
3. From sw1, ping any router behind R4: the result is that the ping succeeds.
4. After 10 minutes, from sw1, ping any router behind R4: the ping fails again.
Conclusion:
The dynamic ACL uses telnet to open a temporary channel through which users on vlan14 can access the rack topology.
3. switch security (3 points)
The ports on sw1 connected to r5 and r2 may only allow the physical addresses of r5 and r2.
Violations must be logged. The aging must survive a reboot of the switch.
VLAN_B needs tight (high) security; configure the ports in this VLAN to the physical addresses of the routers that are currently attached to them.
This configuration should survive a reboot of the switch.
Log violations of this policy while allowing correct traffic to proceed.
SW2:
int f0/2
switchport mode access
switchport port-security
switchport port-security maximum 1
switchport port-security mac-address 0002.b967.4180
switchport port-security violation restrict
!
int f0/5
switchport mode access
switchport port-security
switchport port-security maximum 1
switchport port-security mac-address 0002.c417.1951
switchport port-security violation restrict
/// Note: the port must be shut down before the mac-address can be bound, otherwise the port reports a duplicate address. The MAC addresses of the Ethernet interfaces of R2 and R5 can be seen on sw2 with the sh mac-address-table interface command, or directly on R2 and R5 with sh int. Note the use of the restrict keyword, because this keyword is the one that fulfils the logging requirement; the others do not.
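Added illustration, not part of the original post: a Python model of the three port-security violation modes, run over a constructed frame sequence, showing that restrict is the mode that both records the violation and leaves the port forwarding for the permitted MAC. The port name and MAC are taken from the post; the log text is constructed and not real IOS syslog wording.

```python
# Added example (not from the original post): a model of the port-security
# violation modes protect / restrict / shutdown, to show which mode logs the
# violation while still letting correct traffic through. Log text is constructed.

from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    allowed: set                 # switchport port-security mac-address ...
    maximum: int = 1             # switchport port-security maximum 1
    violation: str = "restrict"  # protect | restrict | shutdown
    learned: set = field(default_factory=set)
    forwarding: bool = True      # False once the port is err-disabled
    violations: int = 0          # counter: restrict and shutdown increment it
    log: list = field(default_factory=list)

    def receive(self, src_mac):
        """Return True if a frame from src_mac is forwarded, False if dropped."""
        if not self.forwarding:
            return False
        secure = self.allowed | self.learned
        if src_mac in secure:
            return True
        if len(secure) < self.maximum:       # room left: learn it dynamically
            self.learned.add(src_mac)
            return True
        if self.violation == "shutdown":     # err-disable the port and log
            self.violations += 1
            self.forwarding = False
            self.log.append(f"{self.name}: violation by {src_mac}, port err-disabled")
        elif self.violation == "restrict":   # drop the frame, count and log it
            self.violations += 1
            self.log.append(f"{self.name}: violation by {src_mac}, frame dropped")
        return False                         # protect: dropped silently


# Constructed frame sequence: a MAC from the post, an unknown MAC, the first MAC again.
FRAMES = ["0002.b967.4180", "dead.beef.0001", "0002.b967.4180"]


def compare_modes(frames=FRAMES, allowed="0002.b967.4180"):
    """Per mode: (forwarded decision per frame, violation logged?, port still up?)."""
    out = {}
    for mode in ("protect", "restrict", "shutdown"):
        port = SecurePort("f0/2", {allowed}, violation=mode)
        forwarded = [port.receive(m) for m in frames]
        out[mode] = (forwarded, bool(port.log), port.forwarding)
    return out
```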
[ This post was last edited by rswzy on 2007-6-21 21:10 ]