[LAB Report] H3, sharing

Posted on 2017-10-11 07:04:13
First, about the new config topology. It looks a bit more like B12 Tshoot, where it has AS 65001 to 65007. However, a few more devices were still included.

Layer 2 connection:

I had to configure all the headquarters and office trunks, spanning tree config with portfast, and they asked to unshut automatically after 10 mins, which is that error disable recovery thing. I had to configure around 15 switches or more, actually. Fortunately they have configured VLANs properly on all the switches, which I cross-checked. So do not worry about VLAN configuration.

They MST and specific traffic should be following in one direction and other traffic should be going in another direction.

PPP:

They asked the same for one device which is R70 in B12 diagram.

OSPF:

They asked to configure one entire AS with P2P and DR both simultaneously and asked to match them. Basically routers were P2P and switch two VLAN they asked for DR. However, in the output both were in DR state, which I could not get. Maybe if someone knows this, let me know.

300 VLAN 2001 ------ 301 VLAN 2001: I formed OSPF so one can be DR and the other would be BDR. In the exam they mentioned both showing DR.

In another AS they asked to reduce the LSA type 1 prefixes. When I checked, ospf 1 area 0 was configured on all the interfaces. So I removed it and configured network under the OSPF. Also they mentioned Loopback and passive interface should be published separately, which means we should not remove OSPF 1 area 0 from them ... Correct me if I am wrong on this.

BGP:

They asked to configure 10 devices with IBGP and the R13 device as RR.

The next question was difficult. In traceroute they asked for load balancing from this above IBGP network for specific network 10.3.200.254. However, I got only one IP to go through it.

When I checked the IBGP I had two routes, one coming from R10 and R11 and via RR R13. The best path was R10 because of the lowest neighbor ID. I gave maximum path everywhere and tried to check. Still the path was not going as expected. It always took only one way. (If anyone knows how to do load balancing on this, let me know.)

Then they asked to summarize only in all the AS with 10.1.0.0/16 to 10.7.0.0/16 network.

I did till 10.6.0.0/16. However, 10.7.0.0 is the PPP network. From there, there was no BGP or OSPF or DMVPN. So I was a bit confused how to send the network out. Also for that network they asked for IPsec encryption. I thought initially it was using DMVPN. However, there was no tunnel pre-configuration, so we need to figure out how to publish.

They asked to publish a default route on one AS domain using OSPF.

In all the gateway routers we need to form the EBGP peer, where on some it was configured and on some it was not, including the VRF section. In the VRF there was no RD information as well.

Also in the gateway routers we need to send out only 10.1.0.0 to 10.7.0.0 including default route only.

Then in VRF we have to form an IBGP, no RR in this, and then form a VPNv4, then import and export on all the 4 routers with each other. It was R3, R5, R6, R7 in the topology.

In DMVPN the hub was travelling to the spoke without VRF, and the spoke BGP towards the internet was configured in VRF. So I had to use the tunnel vrf command on the spoke alone to make it come up. They messed up the crypto as well. The key won't be correct, so we need to correct and apply it. Then we need to form the EBGP, and there is one test from R60 which needs to go via DMVPN. That worked fine for me.

Then 3 ping tests in the 65004 network. One has to go through DMVPN and the other test should go via R41. However, it went via R40 for me. They mentioned we can change anything on 65004 and not on DC. The DC was the destination we are pinging. I increased the LP for one network to prefer DMVPN and another to prefer via R40. However, the return path was still using R40 and not R41.

Then I blocked the 10.4.0.0 network which was advertised in R40 going towards VRF towards DC. Then it automatically preferred the other path. Before this I tried with LP and MED; it did not work. (Maybe I am wrong in doing this.) We can also try checking for weight change.

There was also one test in 65004 where they asked to ping 8.8.8.8. There was no NAT question, so I was not sure where the ISP is located, because in the diagram we have around 3 ISPs, I believe.

Then I tried to finish IPv6 and time was over for me.

In IPv6 they asked to configure IBGP between R14, R15 and Sw 111 where the server 1 is connected.

they R9 was ISP which needs to be formed with EBGP with R14 and R15. R9 will advertise all routes. We need to filter and allow only the default route towards R14, R15. Then we need to aggregate the network towards R9. Similarly we need to advertise Sw111 VLAN 2001 where the Server 1 is connected. After doing this I was able to ping to R9 using Sw111 VLAN 2001. However, I was not able to ping from Server1. The PC had IPv6 address autoconfig and the ipv6 nd autoconfig default command on it. (If any command needs to be added on the PC, let me know.)

Since I did not have enough time I could not see the other topics properly, but I made a note of it. In multicast they asked to verify some RP mapping and Mroute verification, which was different. Then they asked to block an SNMP OID which causes high CPU. Snoofing attacks and IPv6 one question, and finally they asked some QoS question. The main problem is sections 4 and 5 having like 15 lines to read, so I was not able to read it completely.

This is all I know. If someone gets to know more, please post, and if someone gets to know the key, also let me know.


Posted on 2017-10-11 09:37:17
Thanks for sharing. I hope to see more, and more detailed, lab reports and solutions soon.

Posted on 2017-10-11 09:39:51
Thanks for sharing. I hope to see more, and more detailed, lab reports and solutions soon.

Posted on 2017-10-11 10:01:47
Thanks a lot

Posted on 2017-10-11 21:49:50
Thanks to the original poster for sharing!
