Don't forget to share your startup-configs/solutions/etc and help each other!

Questions we know so far as of 30th of October 2017 :

Layer 2 :
- VTP turned off
- One single command to let the access ports forward immediately
- One single command to let the access ports shutdown immediately when receiving BPDU
- After 10 minutes, ports must attempt to recover after being shut down by receiving a BPDU.
- None of the switches may generate a TC (?)
- All trunks must use dot1q
- All switches must disable trunking negotiation
- LACP port channels on all locations
- Distribution switches must initiate the negotiation (po1 & po2)
- The link between SW300 and SW301 (e0/2) is trunk allowing only VLAN 3001 in MST instance 3. The two other port channels (towards SW310) are allowing the rest of the VLANs.

PPP :
- PPPoE on R70 towards SP#2

OSPF:
- All OSPF links were either P2P or LOOP (routers)
- Only VLAN interfaces were shared (switches)
- Be aware of the costs of the interfaces - they want some to be cost 10, other 100.
- OSPF in all locations should originate a default route to all internal devices regardless
- OSPF in DC1:
- Make sure that the routers do not advertise LSA1 except when the interfaces are passive
- OSPF CPU optimization

- OSPF in HQ:
- Make sure that when you do 'show ip ospf interfaces' and 'show ip ospf neighbor' you see the hostnames.

BGP part 1:

- DC1 :
- iBGP with R13 RR but with single line for all peers)
- Each peer must install 2 paths to every destination
- All sessions protected with MD5 auth.
- DC2 : iBGP with R23 RR
- Traceroute from R12 to 10.3.200.254 load-balanced.
- Global SP 1 : iBGP full mesh + vpnv4
- DC 1 to DC 2:
- There is only 1 connection R12 to R22. You must run BGP there and advertise only local aggregate prefix.

- BGP part 2:
- Every border gateway should advertise an aggregate for its site without specific routes.
- The DC1 should be the only site in the topology that should be able to originate all 7 /16 aggregates and advertise them to all locations.
- These aggregates should be advertised as soon as the eBGP peering comes up.

- Large office BGP:
- Make R41 primary path for both inbound and outbound traffic. Do not use any filtering to achieve this.
- Full mesh of iBGP between R40, R41, SW400, SW401 and R42.
- Traceroute Load balanced from Server 1 had to 100.100.100.100 (partner, 100/24).
- R42 runs OSPF 1 and iBGP with the rest of large office devices
- R42 runs also OSPF 2 area 0 with R100.
- R42 does mutual redistribution between OSPF 2 and BGP 65004.
- R42 is the only device in the whole topology to be authorized to redistribute.
- Medium office:
- Make sure that R50 is the primary path for all locations (in and out) except for the networks that are learned over the DMVPN via R51.

- Small office:
- All prefixes learned by R60 must include AS 19999 and 29999 in their AS path.
- Another version : Default route (from global bgp table) must include AS19999 in its AS path.

- Partner :
- Must receive every /16 of the topology + default (as OSPF E2).

IPv6
- Server 1 must ping 8.8.8.8 over IPv6 address.
- SW111 must be configured with iBGP to R14 and R15.
- SW111 must advertise vlan 2001
- SW111 must implement IPv6 DHCP server to offer an address to Server1
- Make sure that SW111 must have a mechanism for blocking rogue IPv6 advertisements.
- R9 is ISP which needs to form EBGP with R14 and R15.
- R9 will advertise all routes.
- Filter and allow only default route towards R14, R15.
- Aggregate summary only the internal networks towards R9.
- Server1 is configured with IPv6 address autoconfig and ipv6 nd autoconfig default command on it.

Multicast part 1:
- DC1 must have R14 and R15 with same IP address of Lo1 and must use AutoRP to advertise group-to-RP mapping
- R13 is the source, User1 behind SW110 is the receiver.

Multicast part 2:
- HQ must have R30 and R31 as anycast RP and AutoRP.
- User3 is the sender, R13 in DC1 is the receiver.
- Hostname must be seen when doing 'show ip pim rp map'.
- Output given with RP responsible of specific range of groups.

DMVPN
- R14 is HUB, R60 and R51 are spokes.
- All WAN interfaces of spokes are in vrf INTERNET.
- WAN interface of R14 is in global table.
- DMVPN phase 3.
- Run BGP on top of it.
- Make sure that the hub is AS 65001 and does not need to be configured when new spokes are connected
- Make sure that all spokes are in AS65100.
- The traffic between spokes should flow directly.

MPLS
- All to be configured from scratch.
- Traceroute from Server 1 to Partner with every hop load balanced.
- There is only 1 VRF.
- Offices must not communicate directly between each other.

VPN
- LAN to LAN (D)VTI between R24 and R71.
- IPSEC Encryption
- R70 must advertise a /16 for this site and all other locations must reach it.
- You need to be careful with the NAT! (Double NAT ?)

SERVICES
- QoS on R50.
  - 4 classes of traffic.
  - They must be marked and you have to assign bandwidth to each of them based on percentage.
- HSRPv6 on SW300 and SW301 with IPv6 route preference
- HSRPv4 on SW300 and SW301
- SW600 users must have Internet access.
  - The task says "you must use 1 static route and PBR on R60"
- R42 must implement a mechanism for IP spoofing protection, based on source ip address of OSPF updates without any ACLs or prefix lists
- Must block a SNMP OID (dot1dBridge) which causes high CPU.
- R14, R15, R24, R25, R61 must offer Internet Access to clients.

VERIFICATIONS
- 3 PING test in 65004 network.
  - One has to go through DMVPN
  - Second should go from User4 to Server 1 in DC1 using R41 in each direction.
    For this one, we can change anything on 65004 but not on DC.
  - Last one, ping 8.8.8.8 from User4.