TS1

Ticket 1 - ACL on VLAN 12
Ticket 2 - se4/0 was frame relay
Ticket 3 - R21 has bad router-id
Ticket 4 - passive interface on R1
Ticket 5 - R5 was missing RRC under the peer group, R4 was not a part of the peer group, and route-map appended to peer group for next hop
Ticket 6 - neighbor was done over the IPv6 p2p under address-family ipv4; address-family ipv6 was blank on both routers
Ticket 7 - ACL on R14 blocks most protocols for DMVPN and ISAKMP, NHRP shortcut missing from 2 spokes, and R15 had 2 ip host mappings for R28 loopback (look at the trace and see which host mapping is correct)
Ticket 8 - SW3 was not advertising LAN segment of R104 in OSPF, ip os cost needed to be added to R4 and R6
Ticket 9 - ACL on R21 blocks IP segment from R23, R24 missing ip host mapping for DNS
Ticket 10 - NAS server missing client identifier under interface, ip domain lookup missing on R23
DIAG

DHCP
Filtered with bootp to find only DISCOVER messages (think DORA for flow); console log on relay switch shows no trusted ports.
Filtered cdp to find where the trace was done.

TCL
Port is given in the possible answers (key note).
Filtered http.request.method==GET to figure out who did the HTTP request. The IP you see in the source is the victim/router accessing the hacker phishing server. Once you get that IP, all the rest will make sense. Just follow the TCP flow.
CONFIG
H2

I did not follow Spoto as you will fail miserably if you do. My advice is to read all of the section you are on before you start your configs; I was able to consolidate most of my configs.
Section 1

1.1
A table is provided for all locations in 65002; note that you need to configure the remote offices as well or your connectivity will not work!
Straightforward. Key note is the SNMP trap and syslog: there is a command under spanning tree, I think it's spanning-tree logging; the other is the snmp-server syslog or something like that.

1.2
RPVST on SW3 for all normal-range VLANs. Straightforward, no comments here.

1.3
LACP; port channels were already defined on access layer switches, so it's just to enable and assign the LACP to interfaces.

1.4
Easy peasy, no need to comment here.
Section 2 (the motherload)
Here is where you really, really need to read the fine details. Then you would know what design you need to implement. The outputs are there for a reason!!!

2.1
OSPF was already configured in 65002, but your task is to verify everything works. Note that for the remote offices I had to tear down the OSPF process on the edge routers in order to get the switches to be the DR, which was required. My little trick for AS65001 was to configure OSPF and MPLS in one go.

2.2
Default route needed in the OSPF domain; jump to DMVPN and configure stub area 51 one time to avoid double work. My trick was: everything needs to talk to R17, so as you go about configuring, ping R17 and you can forget about having to come back to double-check. Note: don't forget the ip os priority 0 for the spokes!!!

2.3
I used eigrp upgrade and the EIGRP default route-tag and route-tag notation in global. Configuring route-maps was too much work. Note that I had to set the tag in the lo52 route-map. I didn't get the correct delay in the output though.....

2.4
iBGP was already configured in 65002, as well as the eBGP neighbors. I simply redistribute OSPF to BGP and default-originate always in the OSPF process. Note that I was not asked to send a 10.0.0.0/8 prefix from the DC; I was asked to summarize their local /16 subnet and push a default to all remote peers. The traffic pattern is for the DC to route inter-office traffic via the default route from R15 and R16.
If you look at the output shown, you'll see AS path 65001 65001, which tells you that you need to do as-override in the L3VPN core.

IPv4 BGP was requested on R1 being a RR. My trick was to do ipv4, vpnv4 on R1; all remote PEs were ipv4, vpnv4, ipv4 vrf (vrf on router); configured the VRF and the import/export route targets all in one go...
2.5
Because as-override is required, I chose the BGP attribute site of origin for the blocking of redundant advertisements. It's easy to use as it appends a tag to traffic coming in; no need to set extended communities etc.

2.6
I did an aggregate summary between R18 and R57 as the policies section denied me from using route-maps, so unsuppress-map was out of the question.
2.7
I did a route-map to match tag and another with deny tag. My restrictions were ACL, prefix list and AD distance. Spoto tells you to do OSPF external distance but that breaks the rules.

2.8
I added the prefix to a prefix list and appended it to the neighbor, so my prefix list looks like:
per 10.2.100.0/24
per 10.0.0.0/8

I did BGP backdoor on R15, R16, R55, R56 for the routes. At the end of the exam, these /24 prefixes need to be seen as OSPF/EIGRP external rather than eBGP...
2.9
No comments here, it's normal OSPFv3.

2.10
No comments here, it's normal IPv6 HSRP.

2.11
Normal multicast; note: don't forget to use pim nbma for the DMVPN.
3.1
No preconfigs were given, you have to configure everything; don't forget to add the crypto profile.

3.2
Configured as part of my layer 3.

3.3
Enabled MPLS in Jacobs and did local-as on the core routers. I was debating whether to remove the bgp 65006 or local-as as the wording was confusing. They said to recover the BGP process but not touch R55, R56, R58, so I wasn't sure, but I just did local-as. I did not do as-override as there are no other offices with that AS path. Note that R58 has an EIGRP default to null0; summary metric should take care of it.

3.4
Configured as part of my layer 3.
DC imports all remote route targets, all other targets import DC alone.
Section 4

4.1
Simple ACL denying active protocols, class-map to bind the ACL, policy to action the class-map, and then attach to the control plane.

4.2
Normal DHCP snooping, no comments here.
Section 5
5.1
I only created one DHCP pool for all of VLAN 100.
No static assignments to R101.

5.2
Simple NAT overload.

5.3-4
Normal HSRP with tracking.
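The control-plane policy that 4.1 describes (ACL selects the protocols, class-map binds the ACL, policy-map applies the action, policy attached to the control plane), written out as an added example that is not from the original post. The blocked protocols, the ACL and class names and the management subnet 10.0.99.0/24 are constructed assumptions, not the exam's values.

```cisco
! Added example, not from the original post: CoPP built the way 4.1 describes.
! Blocked protocols, object names and 10.0.99.0/24 are constructed assumptions.
!
! The ACL "permit" lines select what the class matches; the drop itself happens
! in the policy-map. A "deny" line only excludes traffic from the class, so it
! is the way to exempt something (here: SSH from the management subnet).
ip access-list extended COPP-BLOCKED
 remark protocols this design does not use towards the routers
 permit tcp any any eq 23
 permit tcp any any eq 80
 permit tcp any any eq 443
 remark exempt SSH from the management subnet, match it from anywhere else
 deny   tcp 10.0.99.0 0.0.0.255 any eq 22
 permit tcp any any eq 22
!
class-map match-any COPP-BLOCKED
 match access-group name COPP-BLOCKED
!
policy-map COPP
 class COPP-BLOCKED
  drop
 class class-default
  remark-free: everything else (routing, keepalives, SSH) is only rate-limited
  police 256000 8000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
!
! Checks after applying. Counters are per class, so a "drop" counter on
! COPP-BLOCKED that stays at zero while telnet is attempted means the ACL
! did not match the traffic the way you expected.
!  show policy-map control-plane input
!  show access-lists COPP-BLOCKED
```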
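The DHCP DIAG symptom above (a relay switch whose console log shows no trusted ports, so DORA never completes) and the 4.2 snooping task, as an added example that is not from the original post. VLAN 100, the interface numbers and the rate limit are constructed assumptions.

```cisco
! Added example, not from the original post: DHCP snooping on an access
! switch that sits between clients and the relay. VLAN, interfaces and the
! rate limit are constructed assumptions.
!
! Every port is untrusted by default once snooping is enabled, so until the
! uplink is marked trusted the server-side messages (OFFER, ACK) arriving on
! it are discarded and clients never get past DISCOVER: exactly the
! "no trusted ports" picture in the console log.
ip dhcp snooping
ip dhcp snooping vlan 100
!
! Uplink towards the relay/DHCP server: must be trusted.
interface GigabitEthernet1/0/24
 description uplink to relay router
 ip dhcp snooping trust
!
! Client ports stay untrusted; rate-limit DISCOVERs to blunt pool exhaustion.
interface range GigabitEthernet1/0/1 - 23
 ip dhcp snooping limit rate 15
!
! Snooping also inserts option 82 with giaddr 0.0.0.0. A relay router that
! has not been told to accept that silently discards the packet, which looks
! the same as an untrusted port from the client's side. Either stop the
! switch from inserting it...
no ip dhcp snooping information option
! ...or accept it on the relay router instead (constructed, relay-side line):
!  ip dhcp relay information trust-all
!
! Verification: "show ip dhcp snooping" lists trusted ports and rate limits,
! "show ip dhcp snooping binding" shows leases learned from completed DORA.
```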