
[LAB Report] Latest K8 material from abroad

Posted on 2013-4-26 17:19:44
Hi,

New account but old user, for known reasons :)

Took K8 recently and failed. If you have your lab scheduled in Europe then be ready. Everyone in Brussels is getting it now.

Below is what I remember from the exam, can someone update main K8 thread with the relevant information?

I have also drawn physical, ipv6, vpnv4 and igp topologies - check out shared section.

IP addressing
Loopbacks: 10Y.X.X.X
EIGRP domain: 10.Y.XX.X
RIP domain: 10.10Y.XX.X
OSPF domain: 10.20Y.XX.X

Layer2
Block unknown unicast/multicast
3 portchannels – defined load balancing method
Enable bpdu filter on all BB links on 3 switches. Fa0/10 on sw4 was shutdown.
Vlan1 to be tagged on all switches.
STP – rpvst on all switches, with default timers. Sw1 to be root for all vlans 1-4094, sw2 to be secondary. Question indicated to make sure it always stays as root. Used priority 0
Back to back Frame Relay links – configured # frame-relay switching + interface-type dce
PPP encapsulation between R5 R3. No auth, just encapsulation ppp.
Disable DTP on all trunks
All unused ports on all switches to be assigned into vlan 999 and shutdown. Including Gig ports
Ports on sw1 (I think) connecting to routers R3 and R1 should have port-security enabled. 1 MAC address per port, dynamically learned, and it should survive reboot.

L2 security
5 users will connect to ports in vlan500. Users connected to these ports should not be able to talk to each other, just to their gateway. Also portfast to be enabled on those.
L2 ACL – reference single named ACL to block SMTP, DNS and HTTP traffic to users from and to Vlan500 on sw3

Layer3
Loopbacks were shown as belonging to OSPF, however in guidelines they said that loopbacks can be advertised into both EIGRP and OSPF (helpful with iBGP peering)
Enable OSPF 100 as per diagram
SW1 vlan 13, 16 and 68 should always be designated router.
R3 and R1 ports (connecting to SW1) – should always be in DROTHER state
Area 1 to be stub but with ability to have exterior routes redistributed into it.
SW1 to originate default route everywhere in OSPF domain

Enable EIGRP YY as per diagram
Redistribute EIGRP into OSPF and vice versa on R5 only. Make sure prefixes are still reachable when link between R5 R4 goes down.
Redistribute on Sw1 from RIP to OSPF (or both, do not remember at the moment) – question said to make sure there are no routing loops and not to use any static routes to solve them.

IPv6
Enable ipv6 OSPF and EIGRP. Redistribute between both on SW3
Create tunnel between R1 and R3 – they give you all the details for it and run EIGRP on that.

BGP
iBGP with R1 as route reflector. R1 can only start bgp session. Use md5 for each session
eBGP – enable from R4 and R5 to AS 254. Need as-path prepending on R5 and next-hop-self on both routers.

L3 MPLS
MPLS ldp to be enabled between R3, R5, R1 and R2
F0/1 on R3 is simulating connection to cust SITE1 vrf
F0/1 on R2 is simulating connection to cust SITE2 vrf
They ask you to ping and traceroute and to make sure traffic between both loopbacks goes over MPLS.
R3 connects to Sw2 int f0/4 (I think) – interface is an L3 interface
R2 connects to Sw2 int f0/2 – interface is an L2 interface.
R3 talks to R5 using rd 3:3 (pretty much exact wording)
R2 talks to R5 using rd 2:2
SW2 has got 2 loopback interfaces L71 71.71.71.71 and L72 72.72.72.72. You need to make sure there are two separate routing tables on R2 for vrf SITE1 and vrf Site2. You will need to put loopbacks and L3 uplinks into corresponding VRFs
They also want you to enable BGP as a PE-CE protocol with customer’s ASN set to BGP777
R5 is acting as a RR for VPN traffic only. They do not allow you to configure direct R2 – R3 vpnv4 neighbor. All needs to be done via R5.

Services:

NTP:
Enable NTP between R1 and R3, R5 make sure it survives reload?
GLBP – between R4 R5 on vlan 45. Assign IP to the group, configure R5 with weighting of 150 and make sure that it handles 3 responses to R4’s 1. I set R4 as 50.
They also ask you to enable Md5 password using key-string
SYSLOG
To make sure that any config changes are logged and syslog is notified. They said that local memory should not store any information. Only 10 lines to be stored and sensitive information should not be logged – hidekeys
Policy based routing
Loopback 148 – on switch 3 – 148.0.0.8/32
Loopback 148 – on R4 – 148.0.0.4/32
Make sure that traffic from L148 on Sw3 to L148 on R4, and only that traffic, is routed via vlan18. If vlan 18 is down the traffic should be dropped. Advertise both loopbacks into eigrp

EEM
They give you pattern to match and ask you to bounce interfaces in certain order.
Username authentication
2 users, admin and guest.
When admin logs in then he should go straight to enable. Guest needs to go to normal mode, the one with Router> mode.
Lines vty 0 16 should use ssh, your config should not affect console.

Multicast:
Enable industry standard method of advertising RP.
Configure Loopback1 with 200.100.100.100 on R3 and R2 and advertise these to OSPF/EIGRP
There will be senders in vlan68 and int f0/1 of R4 will join the 232.1.1.1 group.
Use sparse-mode everywhere in OSPF and EIGRP domains.
R2 and R3 should advertise Loopback 1 as RP
R2 and R3 should have MSDP enabled.
Later question asks to only allow vlan68 to register with RP – restriction on both RPs

QoS
Policy on R5 with 3 class maps. Classification based on ACLs. They tell you what naming convention to use. 1 class for SSH traffic – police based on cir,
2nd for WWW, HTTPS traffic – drop all traffic (match any)
and the last one was an ACL for icmp echo and echo reply – police based on packet rate.

L3 MPLS VPN QoS
Didn’t do this one – it was saying something about traffic leaving our core towards CE should be classified based on the last MPLS tag?? – something like that
Also something about possible need of reconfiguring class maps.
Config has some predefined MPLS class-maps and the classification is done based on qos-groups.

Hope this helps