HCIE Lab TS_PlanB: Summary of Fault Points

The troubleshooting steps are summarized as follows:

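  1. Check the global configuration
# Show the configuration of the current view
dis th # run in the global view
# Show the device's entire current configuration
display current-configuration
  2. Check the protocol configuration (if filter rules are applied, check those rules as well)
dis cu conf stp/ospf/bgp/msdp...
dis stp instance 1 bri # STP instance
  3. Check the protocol running state
dis mux-vlan
dis eth-trunk 12
  4. Check the interface configuration
dis cu int g0/0/0...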

MSTP+Eth-Trunk+BGP ADV

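Requirements

  • In site1, CLIENT1 belongs to VLAN12 and CLIENT2 belongs to VLAN34; in MSTP, VLAN12 belongs to instance1 and VLAN34 to instance2; the primary and secondary root bridges of the two instances are on SW1 and SW2 respectively, and CLIENT1 must reach R1 over the path SW3-SW1-R1 while CLIENT2 must reach R1 over the path SW3-SW2-R1
  • In site1, all links between LSW1 and LSW2 must be bundled into an eth-trunk, and this eth-trunk must use src-dst-ip load balancing
  • R1 must reach VLAN12 over the path R1-LSW1-LSW3 and VLAN34 over the path R1-LSW2-LSW3; this may only be implemented in AS300, and make sure your solution does not affect any AS other than AS100 and AS300

Devices

  • site1: SW1/2/3
  • AS100: AR1

Suggestions

  1. First check part of the global configuration and the STP configuration on sw3, then check the configuration of the 4 interfaces
  2. Work on sw1 and sw2 at the same time: check part of the global configuration first, then the STP configuration, the interface configuration and the eth-trunk configuration, and finally the BGP configuration
  3. On AR1, check the BGP configuration first, then the interface configuration

Procedure

# Global configuration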
# sw1
dis th
stp en
stp ins 1 root pri

dis cu conf mst

dis eth-trunk 12
int Eth-Trunk 12
dis th
load-balance src-dst-ip 
dis cu int eth-t 12

dis cu conf bgp
bgp 300
dis th # the MED policy is applied to the backup route, i.e. 10.1.34.0
undo network 10.1.23.0 255.255.255.0
undo network 10.1.12.0 255.255.255.0
network 10.1.12.0 255.255.255.0   

int e0/0/21
dis th
port trunk allow vlan all  # key step for the MSTP symptom

# sw2
dis th

dis cu conf mst

dis eth-trunk 12
int Eth-Trunk 12
dis th
undo trunkport e0/0/18
undo trunkport e0/0/20
undo trunkport e0/0/21
mode lacp-static
load-balance src-dst-ip 
trunkport e0/0/18
trunkport e0/0/20 # int e0/0/19 has existing configuration, which must be removed before it can be added
int e0/0/19
dis th
port hybrid vlan 1
eth-trunk 12
dis cu int eth-t 12

dis cu conf bgp
bgp 300
dis th # the MED policy is applied to the backup route, i.e. 10.1.12.0
network 10.1.12.0 255.255.255.0 route-policy MED 
undo network 10.1.34.0 255.255.255.0
network 10.1.34.0 255.255.255.0

int e0/0/22
dis th
port trunk allow vlan all   # key step for the MSTP symptom

# sw3
dis th
stp mode mstp

dis cu conf mst
    stp region-configuration # use SW1's configuration
    region-name HCIE
    instance 1 vlan 12
    instance 2 vlan 34
    active region-configuration

int e0/0/2
dis th
port default vlan 34
undo stp ins 2 cost
int eth 0/0/21
dis th
undo stp instance 1 cost
stp instance 2 cost 3000000
port trunk allow vlan all
int eth 0/0/22
dis th
undo stp instance 2 cost
stp instance 1 cost 8000000

# AR1
dis cu conf bgp
bgp 100
dis th
ipv4-family vpn-instance 1
undo peer 10.1.100.100   # the AS number of both 10.1.100.100 and 10.1.200.200 is 300
peer 10.1.100.100 as-number 300

int g2/0/1
dis th
ip binding vpn-instance 1
ip address 10.1.100.1 255.255.255.0 
int g2/0/2
dis th
ip binding vpn-instance 1
ip address 10.1.200.1 255.255.255.0 

#-----------------------------------------------------
# Verification
# Eth-Trunk
# SW1/2
dis eth-t 12 # WorkingMode: STATIC; Hash arithmetic: According to SIP-XOR-DIP; e0/0/18, 19 and 20 all show status Select

# BGP ADV
# AR1
dis bgp vpnv4 vpn-ins 1 peer # both peers are Established
dis bgp vpnv4 vpn-ins 1 rou # 10.1.12.0 (MED 0 from 10.1.100.100) and 10.1.34.0 (MED 0 from 10.1.200.200) each appear with two load-balanced routes
tracert -vpn-instance 1 10.1.12.11 # 10.1.100.100--10.1.12.11
tracert -vpn-instance 1 10.1.34.22 # 10.1.200.200--10.1.34.22

# MSTP
# client1/2
tracert 10.1.1.1 # client1: 10.1.12.1--10.1.1.1; client2: 10.1.34.1--10.1.1.1
# SW3
dis stp bri
dis stp instance 1 bri
dis stp instance 2 bri

Mux-Vlan+MPLS-VPN+OSPF+BGP+IPv6 BGP

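Requirements

  • In site4, AR24, AR25 and AR26 are on the same network segment and all run ISIS. AR26 must form adjacencies with both AR24 and AR25, but AR24 and AR25 must not form an adjacency with each other. (AR24 and AR25 can still see each other as neighbors, but that adjacency is formed on the R24-R25-SW7 segment rather than on the R26-SW8-R24-R25 segment, which satisfies the task.) Achieve this through the Layer 2 VLAN technology on LSW8 and by eliminating the faults on the other devices. [Note] VLANs must not be deleted from or added to LSW8 during configuration
  • site1 and Site4 are two sites of the same VPN customer; currently the CLIENTs in site1 cannot communicate with the CLIENTs in site4. Resolve this problem. [Note] Do not delete existing configuration; it may be modified to fix the fault
  • All devices in AS100 run OSPF, but some devices have problems with their neighbor relationships; resolve this
  • loopback0 of AR12 in AS100 must be able to reach loopback0 of AR9 in AS200, but currently the two loopback addresses cannot reach each other; resolve this problem
  • In AS200, AR9, AR4 and AR5 each have an IPv6 customer site (simulated by loopback1); in AS100, AR2 and AR7 each have an IPv6 customer site (simulated by loopback1). All these sites must be able to reach one another, and traffic in both directions must prefer the link between AR2 and AR4; only when the primary link fails is the backup link AR2-AR5 used. Communication between these sites currently has some problems; resolve them

Devices

  • SW8 and AR26/25/24 in site4
  • AR1/2/3/6/7/8/13/12 in AS100
  • AR9 in AS200

Suggestions

  1. Get mux-vlan working in site4
  2. OSPF in AS100
  3. BGP and MPLS in AS100
  4. ISIS, BGP and MPLS in AS200
  5. The VPN between AR1 and AR23
  6. Communication between AR12 and AR9 (mainly involves route-policy)

Procedure

#-----------------------------Mux-Vlan------------------------
# Protocol running state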
# sw8
dis mux-vlan
int e0/0/1
dis th
undo port mux-vlan enable
port default vlan 1
int e0/0/2
dis th
undo port mux-vlan enable
port default vlan 1
vlan 100
dis th
undo subordinate separate
undo subordinate group 50
subordinate separate 50
q
port-group group-member e0/0/1 e0/0/2
port link access
port default vlan 50
port mux-vlan enable
q

# AR24
dis cu conf isis
int g0/0/0
dis th
isis authentication-mode md5 cipher hcie
undo mtu


# AR25
dis cu conf isis
isis 100
dis th
undo domain-authentication-mode
int g0/0/0
dis th
isis authentication-mode md5 cipher hcie

# AR26
dis cu conf isis
int g0/0/0
dis th
isis authentication-mode md5 cipher hcie
isis dis-pri  127

#-----------------------------------------------------
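# Verification
# sw8
dis mux-vlan # VLAN 100 (e0/0/3) is the principal VLAN; 50 is the separate subordinate VLAN and has two interfaces (e0/0/1 and e0/0/2)
# AR24/25/26
dis isis peer  # AR24/25/26 establish adjacencies with one another
# AR26
dis ip rou pro isis # two load-balanced routes to 10.4.128.23/24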
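
The SW8 change from `subordinate group 50` to `subordinate separate 50` is what stops AR24 and AR25 from hearing each other on this segment while both still reach AR26 on the principal port. The Python model below is an added example, not part of the original notes; the "before" state is constructed, and the port-to-router mapping is an assumption.

```python
"""Added example: MUX VLAN forwarding rules applied to the SW8 fix."""
from itertools import combinations


def role_of(vlan, mux):
    """Classify a VLAN under the MUX VLAN configuration in `mux`."""
    if vlan == mux["principal"]:
        return "principal"
    if vlan == mux.get("separate"):
        return "separate"
    if vlan in mux.get("groups", ()):
        return "group"
    return "outside"            # VLAN is not part of this MUX VLAN


def can_forward(port_a, port_b, mux, ports):
    """True if two mux-vlan-enabled access ports can exchange L2 frames."""
    va, vb = ports[port_a], ports[port_b]
    ra, rb = role_of(va, mux), role_of(vb, mux)
    if "outside" in (ra, rb):
        return False
    if "principal" in (ra, rb):
        return True             # principal ports reach every subordinate port
    if ra == rb == "group":
        return va == vb         # group ports reach only their own group
    return False                # separate ports are isolated from each other


def lan_adjacencies(mux, ports, attached):
    """Router pairs that can hear each other's IS-IS hellos on this segment."""
    return {
        frozenset((attached[a], attached[b]))
        for a, b in combinations(sorted(attached), 2)
        if can_forward(a, b, mux, ports)
    }


# Port VLANs after the fix, as shown by 'dis mux-vlan' in the notes.
PORTS = {"e0/0/1": 50, "e0/0/2": 50, "e0/0/3": 100}
# Assumption: AR26 sits on the principal port; AR24/AR25 on the other two.
ATTACHED = {"e0/0/1": "AR24", "e0/0/2": "AR25", "e0/0/3": "AR26"}

# Constructed "before" state: VLAN 50 configured as a group VLAN.
BEFORE = {"principal": 100, "groups": {50}}
# State after 'undo subordinate group 50' and 'subordinate separate 50'.
AFTER = {"principal": 100, "separate": 50}

if __name__ == "__main__":
    for label, mux in (("before", BEFORE), ("after", AFTER)):
        pairs = sorted("-".join(sorted(p)) for p in lan_adjacencies(mux, PORTS, ATTACHED))
        print(label, pairs)
```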


#-----------------------------OSPF------------------------
# AR1
dis cu conf ospf
dis cu | in ip-pre
undo ip ip-prefix 2
ip ip-prefix 2 permit 100.1.1.2 32
ip ip-prefix 2 permit 0.0.0.0 0 less-equal 32
dis cu | in ip-pre
ospf 100
dis th
a 1
undo network 100.1.16.1 0.0.0.0
a 0 
network 100.1.16.1 0.0.0.0
dis ospf peer bri # AR1 now has adjacencies with both AR6 and AR2

# AR2 (no fault here; the faults are on its neighbors)
dis cu conf ospf
dis ospf peer bri 
int g0/0/0
dis th
int g0/0/1
dis th
int g0/0/2
dis th

# AR3
dis cu conf ospf
dis ospf peer bri 
int g0/0/0
dis th
undo ospf timer dead
int g0/0/1
dis th
undo ospf timer dead
dis ospf peer bri

# AR13 (only process 100 checked; no fault)
dis cu conf ospf
dis ospf peer bri

# AR8
dis cu conf ospf
ospf 100
a 0
network 100.1.78.8 0.0.0.0
dis ospf peer bri
int g0/0/1
dis th

# AR7
dis cu conf ospf
ospf 100 router-id 100.1.1.7
return
reset ospf process
y
sys
ospf 100
dis th
a 0
undo authentication-mode
dis ospf peer bri
int g0/0/1
dis th
ospf timer hello 10
dis ospf peer bri

# AR6 (no fault)
dis cu conf ospf
dis ospf peer bri

#-----------------------------------------------------
# Verification
# AR1/2/3/13/8/7/6
dis ospf peer bri  # all directly connected routers are OSPF neighbors


#-----------------------------BGP100------------------------
# AR7 is the route reflector, so check AR7 first
# AR7
dis cu conf bgp
bgp 100
dis th
undo peer 100.1.1.12
peer 100.1.1.12 as-number 100
peer 100.1.1.12 connect-interface LoopBack0
ipv4-family unicast
dis th
peer 100.1.1.6 reflect-client
peer 100.1.1.12 reflect-client
peer 100.1.1.13 reflect-client
q
ipv6-family unicast 
network 2002:100:7:1::1 128
q
dis th
ipv4-family vpnv4
peer 100.1.1.2 reflect-client
peer 100.1.1.13 reflect-client
q
dis th
dis bgp peer # AR8/12 have problems
int g0/0/1
dis th
mpls
mpls ldp
int g2/0/0
dis th
mpls
mpls ldp
q
dis bgp peer
dis ip rou # 100.1.1.8 shows up as a direct route with next hop lo 1, which is wrong
undo mpls
y
mpls lsr-id 100.1.1.7
mpls
mpls ldp
int lo 1
undo ip addr
int g0/0/0
mpls
mpls ldp
int g0/0/1
mpls
mpls ldp
int g0/0/2
mpls
mpls ldp
int g2/0/0
mpls
mpls ldp
q
dis bgp peer # AR12 is still not working


# AR12
dis cu conf bgp
bgp 100
dis th
undo peer 100.1.1.7 connect-interface 
peer 100.1.1.7 connect-interface lo 0
ipv4-family unicast
undo reflector cluster-id 
q
dis bgp peer

#-----------------------------------------------------
# Verification
# This part is verified together with BGP200 once that is done

#-----------------------------BGP200 (and ISIS)------------------------
# AR23 test
tracert lsp -a 200.1.1.23 ip 200.1.1.4 32
tracert lsp -a 200.1.1.23 ip 200.1.1.5 32 # fails at this point, which indicates a problem on AR9

# AR9
dis cu | in mpls
dis ip int bri # 200.200.200.9 is the address of lo 1
undo mpls
mpls lsr-id 200.1.1.9
mpls
mpls ldp
q
int g0/0/0
mpls
mpls ldp
int g0/0/1
mpls
mpls ldp
int g0/0/2
mpls
mpls ldp
dis cu conf bgp  
bgp 200
dis th
undo network 200.1.1.9 255.255.255.255
ipv6-family unicast 
dis th
peer 2002:200:1:1::4 reflect-client 
peer 2002:200:1:1::5 reflect-client 

# AR4
dis cu conf isis
dis cu conf acl-basic
acl 2000
dis th
undo rule 5
rule 5 permit source 200.1.1.9 0
q
dis cu conf bgp
bgp 200
dis th
ipv4-family unicast
dis th
undo import-route isis 2000
import-route isis 200
undo network 200.1.1.4 255.255.255.255

# AR5
dis cu conf isis
dis cu conf bgp
bgp 200
dis th
ipv4-family unicast
undo network 200.1.1.5 255.255.255.255
peer 200.1.1.9 next-hop-local
q
dis th

# AR23
dis cu conf isis
isis 100
dis th
import-route bgp
dis cu conf bgp
bgp 200
dis th
ipv4-family vpn-instance 1
undo import-route isis 200
import-route isis 100
dis cu conf route-policy 
acl 2000
dis th
rule permit source 10.1.34.0 0
rule permit source 10.1.1.1 0
q
dis bgp vpnv4 all rou  # only the 10.4 routes are visible, not the 10.1 routes; go back and check whether AR2 has them
dis cu | in vpn

# AR1
dis cu | in vpn
ip vpn-instance 1
# If deleting existing configuration is allowed, add this line: undo vpn-target 200:10
vpn-target 200:100 
dis th
q
dis bgp vpnv4 all rou

# AR4
dis mpls interface
int p 5/0/0
dis th

# AR2
dis mpls interface
int p 5/0/0
dis th
mpls
# If the task does not forbid deleting existing configuration, the following is also needed
# int g2/0/0
# dis th
# undo mpls ldp

# AR23 test
tracert lsp -a 200.1.1.23 ip 200.1.1.4 32
tracert lsp -a 200.1.1.23 ip 200.1.1.5 32 


#-----------------------------BGP------------------------ 
# AR2
dis cu conf bgp
dis cu conf route-policy
route-policy AS-PATH permit node 1 
apply as-path 100 100 additive   # the original task has 100 200, in which case these routes cannot be propagated into AS200
acl 2000
dis th
rule 25 permit source 100.1.1.7 0
rule 30 permit source 100.1.225.0 0.0.0.255 # change every deny in it to permit
bgp 100
dis th  # LP sets the local preference of received routes to 200; AS-PATH adds AS-path entries to advertised routes
ipv4-family unicast
dis th
undo peer 200.100.24.4 route-policy LP export
peer 200.100.24.4 route-policy LP import
undo peer 200.100.25.5 route-policy AS-PATH import
peer 200.100.25.5 route-policy AS-PATH export
ipv6-family unicast
dis th
undo peer 2002:200:100:24::4 route-policy LP export
peer 2002:200:100:24::4 route-policy LP import
undo peer 2002:200:100:25::5 route-policy AS-PATH import
peer 2002:200:100:25::5 route-policy AS-PATH export

#-----------------------------------------------------
# Verification
# AR24/25
dis ip rou pro isis  # the 10.1.12 and 10.1.34 routes are now present
# AR26
dis ip rou pro isis # the 10.1.12, 10.1.34 and 10.1.1.1 routes are now present, each with two routes
# client12
tracert 10.1.12.11 # reachable
tracert 10.1.34.22 # reachable
# client 1
tracert 10.4.126.12 # reachable
# client 2
tracert 10.4.126.12 # reachable
# AR12
ping -a 100.1.1.12 200.1.1.9 # reachable
# AR9
ping -a 200.1.1.9 100.1.1.12 # reachable
# IPv6 BGP
# AR9/2
dis bgp ipv6 peer # both have peerings towards AR4/5
# AR7
tracert ipv6 -a 2002:100:7:1::1 2002:200:9:1::1 # (lo 1 address) hop 2 is AR4
# AR9
tracert ipv6 -a 2002:200:9:1::1 2002:100:7:1::1 # hop 1 is AR4
# AR4
int p 5/0/0
shutdown
# AR7
tracert ipv6 -a 2002:100:7:1::1 2002:200:9:1::1 # hop 2 is AR5
# AR9
tracert ipv6 -a 2002:200:9:1::1 2002:100:7:1::1 # hop 1 is AR5
# AR4
int p 5/0/0
undo shutdown
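
The AR2 fix above rests on two BGP behaviours: an eBGP receiver drops any route whose AS_PATH already contains its own AS (which is why prepending 100 200 keeps the routes out of AS200), and local preference is compared before AS_PATH length. The Python model below is an added example, not part of the original notes; it treats each AS as a single decision point, and the Route class, function names and link labels are illustrative assumptions.

```python
"""Added example: BGP loop detection and path preference for the AR2 policies."""
from dataclasses import dataclass

DEFAULT_LOCAL_PREF = 100  # BGP default local preference


@dataclass(frozen=True)
class Route:
    via: str            # eBGP link the route crossed (illustrative label)
    as_path: tuple      # leftmost AS is the most recently added
    local_pref: int = DEFAULT_LOCAL_PREF


def export_ebgp(local_as, as_path, prepend=()):
    """Sender: apply 'apply as-path ... additive', then add the local AS."""
    return (local_as,) + tuple(prepend) + tuple(as_path)


def accept_ebgp(local_as, as_path):
    """Receiver: AS_PATH loop detection drops paths containing our own AS."""
    return local_as not in as_path


def best(routes):
    """Simplified decision: highest local-pref, then shortest AS_PATH."""
    return max(routes, key=lambda r: (r.local_pref, -len(r.as_path)), default=None)


def as200_view(prepend_to_ar5, ar4_link_up=True):
    """Routes AS 200 accepts for an AS 100 prefix advertised by AR2."""
    candidates = []
    if ar4_link_up:
        candidates.append(Route("AR2-AR4", export_ebgp(100, ())))
    candidates.append(Route("AR2-AR5", export_ebgp(100, (), prepend_to_ar5)))
    return [r for r in candidates if accept_ebgp(200, r.as_path)]


def as100_view(ar4_link_up=True):
    """Routes AR2 accepts for an AS 200 prefix; policy LP sets 200 on import from AR4."""
    candidates = []
    if ar4_link_up:
        candidates.append(Route("AR2-AR4", export_ebgp(200, ()), local_pref=200))
    candidates.append(Route("AR2-AR5", export_ebgp(200, ())))
    return [r for r in candidates if accept_ebgp(100, r.as_path)]


if __name__ == "__main__":
    print("prepend 100 200:", as200_view((100, 200)))
    print("prepend 100 100:", as200_view((100, 100)))
    print("AS200 best, AR4 link down:", best(as200_view((100, 100), ar4_link_up=False)))
    print("AS100 best:", best(as100_view()))
```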


Sham-Link+VRRP+DHCP

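Requirements

  • Site2 and Site3 are two sites of the same VPN customer; the customers on AR10 and AR20 (simulated by loopback0) must be able to reach each other, resolve this problem. While the AS100 connection is healthy, packets between the two customers must traverse AS100; when AS100 has a problem, the two sites may communicate over the backup link
  • In Site2, AR10 and AR11 must provide first-hop gateway redundancy for PC4 on LSW4, with virtual gateway addresses 10.2.129.254 and 10.2.129.253; with a correct configuration, the VRRP status information after configuration is as follows: To speed up VRRP convergence, BFD is used to track the uplink state and the VRRP neighbor relationship
  • In Site2, AR10 and AR11 are DHCP servers that back each other up. CLIENT7 must be able to obtain the address 10.2.129.100 from the DHCP servers; CLIENT8 must obtain only the designated address 10.2.129.101. CLIENT8 currently sometimes fails to obtain an address; resolve this

Devices

  • AR10/11 in Site2
  • AR6/13 in AS100
  • AR20 in Site3

Suggestions

  1. VRRP
  2. DHCP
  3. Sham-Link

Procedure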

#-----------------------------VRRP------------------------
# AR10
dis vrrp bri
int g0/0/0 
dis th
vrrp vrid 1 authentication-mode md5 hcie
vrrp vrid 2 authentication-mode md5 hcie
vrrp vrid 2 virtual-ip 10.2.129.253
undo vrrp vrid 2 virtual-ip 10.2.129.251
vrrp vrid 1 preempt-mode timer delay 1
q
dis bfd session all
dis cu |  in bfd  # "session-name 2 increased 120" is missing and must be configured under the interface
undo bfd 2
bfd 2 bind peer-ip 10.2.129.11 source-ip 10.2.129.10 auto
int g0/0/0
vrrp vrid 2 track bfd-session session-name 2 increased 120
dis bfd session all

# AR11
dis vrrp bri
int g0/0/0 
dis th
vrrp vrid 1 authentication-mode md5 hcie
vrrp vrid 2 authentication-mode md5 hcie
vrrp vrid 2 preempt-mode timer delay 1
vrrp vrid 2 priority 200
dis bfd session all
dis cu |  in bfd
dis bfd session all

# AR6
dis bfd session all
dis cu |  in bfd
bfd 1 bind peer-ip 10.2.128.11 vpn-instance 2 source-ip 10.2.128.6 auto
dis bfd session all

#-----------------------------------------------------
# Verification
# AR6/10/11
dis bfd session all # both adjacent sessions are up
# AR10/11
dis vrrp # compare against the required configuration and correct any errors

#-----------------------------DHCP------------------------
# AR10
dis cu | i pool
ip pool HCIE
dis th  # copy into Notepad and edit
q
undo ip pool HCIE
y
ip pool HCIE
 gateway-list 10.2.129.254 
 network 10.2.129.0 mask 255.255.255.0 
 excluded-ip-address 10.2.129.102 10.2.129.200
 static-bind ip-address 10.2.129.101 mac-address 5489-98cf-3513
 static-bind ip-address 10.2.129.100 mac-address 5489-98cf-0549 
 dns-list 8.8.8.8 
 domain-name huawei.com
q
dhcp enable
int g0/0/0
dhcp select global

# AR11
dis cu | i pool
ip pool HCIE
dis th
q
undo ip pool HCIE
y
ip pool HCIE
 gateway-list 10.2.129.253
 network 10.2.129.0 mask 255.255.255.0 
 excluded-ip-address 10.2.129.1 10.2.129.99
 static-bind ip-address 10.2.129.101 mac-address 5489-98cf-3513
 static-bind ip-address 10.2.129.100 mac-address 5489-98cf-0549 
 dns-list 8.8.8.8 
 domain-name huawei.com
q
dhcp enable
int g0/0/0
dhcp select global

# sw4
int e0/0/1
dis th  # dhcp snooping trusted must be present
int e0/0/3
dis th # dhcp snooping trusted must be present
int e0/0/4
dis th
port hybrid untagged vlan 1
int e0/0/5
dis th
port hybrid untagged vlan 1

#-----------------------------------------------------
# Verification
# Client7/8
Basic Config -- IPv4 -- DHCP -- Apply
Command line -- ipconfig  # client 7 gets 10.2.129.100, client 8 gets 10.2.129.101


#-----------------------------Sham-Link------------------------
# The sham link is configured on AR6/13 (ASBR) in AS100
# AR6
int lo 2
dis th
ip binding vpn-instance 2
ip address 100.1.136.6 255.255.255.255
dis cu conf ospf
ospf 110
dis th
a 0
undo sham-link 100.1.136.6 100.1.136.13
a 1
sham-link 100.1.136.6 100.1.136.13
q
q
dis cu conf bgp 
bgp 100
ipv4-family vpn-instance 2 
network 100.1.136.6 255.255.255.255
dis mpls ldp int

int s3/0/0
dis th
dis ospf peer bri # process 110: 2 neighbors on the G interfaces


# AR13
int lo 2
dis th
dis cu conf ospf
ospf 110
dis th
import bgp
a 1
undo network 100.1.136.13 0.0.0.0
undo sham-link 100.1.136.13 100.1.136.100
sham-link 100.1.136.13 100.1.136.6
q
q
dis cu conf bgp 
bgp 100
ipv4-family vpn-instance 2 
undo network 100.1.136.0 255.255.255.0
network 100.1.136.13 255.255.255.255
import-route ospf 110
dis mpls ldp int # LDP is not enabled on g2/0/1
int g2/0/1
mpls ldp

# AR10
int s3/0/0
dis th
ospf network-type broadcast
dis ospf peer bri # process 110: two neighbors on the S interface, one on the G interface

# AR11
int s3/0/0
dis th
fr map ip 10.2.128.10 110 broadcast
undo ip addr
ip address 10.2.128.11 255.255.255.0
dis ospf peer bri  # process 110: two neighbors on the S interface, one on the G interface
int s3/0/1
dis th
aaa
dis th
local-user hcie password cipher hcie
int s3/0/1
dis th
dis ip int bri # s3/0/1 is UP

# AR20
int s3/0/0
dis th
ppp chap password cipher hcie
ospf cost 100
dis ip int bri # s3/0/0 is UP

#-----------------------------------------------------
# Verification
# Test whether lo 0 is reachable
# AR10
tracert -a 10.2.1.10 10.3.1.20 # 7 hops, reachable
# AR20
tracert -a 10.3.1.20 10.2.1.10 # 7 hops, reachable
# Test the backup link
# AR6
int s3/0/0
shutdown
# AR10
tracert -a 10.2.1.10 10.3.1.20 # 2 hops, reachable
# AR20
tracert -a 10.3.1.20 10.2.1.10 # 2 hops, reachable
# Link after recovery
# AR6
int s3/0/0
un shutdown
# AR10
tracert -a 10.2.1.10 10.3.1.20 # 7 hops, reachable
# AR20
tracert -a 10.3.1.20 10.2.1.10 # 7 hops, reachable

Telnet+IPv6+QoS

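Requirements

  • In Site3, AR16, AR17 and AR18 run OSPF over a Frame Relay network using the default network type. AR18 must be able to manage AR16 and AR17 remotely via telnet, but currently it cannot; resolve this so that the following items are satisfied: the telnet authentication mode on AR16 is AAA, and AR16 has two users, admin at level 15 and guest at level 1, both of which must be able to authenticate for telnet login; the authentication mode on AR17 is password; there is no requirement on the privilege level of users who telnet to AR17, but the supported commands must match the screenshot.
  • Site2 and Site3 are configured with IPv6 and run OSPFv3; the participating devices are AR10, AR11, AR18 and AR20; AR18 and AR20 are connected through a tunnel. Currently IPV6 CLIENT 13, IPV6 CLIENT 9 and IPV6 CLIENT16 cannot communicate with one another; resolve this
  • In Site3, a user on AR20 (simulated by loopback0) and a user on AR18 (simulated by loopback0) need to make voice calls using the G.711 audio codec, with each call needing 64 Kbps of bandwidth. Voice quality from AR20 to AR18 is currently not good enough, so QoS must be deployed on AR19 to guarantee the quality of service for voice traffic (no requirement for the reverse direction)

Devices

  • AR10/11 in site2
  • AR16/17/18/19/20 in site3

Suggestions

  1. Telnet
  2. IPv6
  3. Qos

Procedure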

#-----------------------------Telnet------------------------
# AR16(SPOKE)
int s3/0/0
dis th
ospf dr-priority 0
undo ospf timer hello
ospf network-type broadcast
fr map ip 10.3.129.17 608 broadcast
ping 10.3.129.17
ping 10.3.129.18
aaa 
dis th
local-user admin password cipher hcie
local-user admin privilege level 15
local-user admin service-type telnet
local-user guest password cipher hcie
q
user-interface vty 0 4
dis th
authentication-mode aaa

# AR17(SPOKE)
int s3/0/0
dis th
ospf dr-priority 0
ping 10.3.129.16
ping 10.3.129.18
user-interface vty 0 4
dis th
user privilege level 0
set authentication password cipher hcie

# AR18(HUB)
int s3/0/0
dis th
undo fr inarp
ospf dr-priority 100
ospf network-type broadcast
fr map ip 10.3.129.17 807 broadcast
ping 10.3.129.16
ping 10.3.129.17

#-----------------------------------------------------
# Verification
# AR18 (the prompt shown after entering the password; sys is not needed)
telnet 10.3.1.16
admin
hcie
sys
q
q
telnet 10.3.1.16
guest
hcie
sys  # should return an error
dis local-user
q
telnet 10.3.1.17
hcie
sys   # should return an error
q

#-----------------------------IPv6------------------------
# AR10
dis cu conf ospfv3

# AR11
dis cu conf ospfv3
a 1
undo abr-summary 2002:10:2:131::13 128
abr-summary 2002:10:2:131::13 128

# AR18
dis cu conf ospfv3
ospfv3 1
dis th
undo silent-interface Tunnel0/0/100
int tun 0/0/100
dis th
undo ipv6 address 2002:100:101::18/64
ipv6 address 2002:100:100::18/64
undo ospfv3 1 area 0.0.0.1
ospfv3 1 area 0.0.0.0
tunnel-protocol gre # the 4 lines starting here are copied directly from the last 4 lines on AR20, then the destination address is changed to 20
source LoopBack0
destination 10.3.1.20
gre key 123

# AR20
dis cu conf ospfv3
ospfv3 1
dis th
undo silent-interface Tunnel0/0/100
a 1
undo abr-summary 2002:10:3:18::18 128
abr-summary 2002:10:3:18::18 128
int tun 0/0/100
dis th
undo ipv6 address FE80::18 link-local
ipv6 address FE80::20 link-local
undo ospfv3 1 area 0.0.0.1
ospfv3 1 area 0.0.0.0

#-----------------------------------------------------
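# Verification
# AR18/20/10/11
dis ospfv3 peer # AR18/20 are neighbors in area 0; AR20/11/10 are neighbors in area 1
# client 13: change its gateway to the address of AR10's g0/0/1
ping 2002:10:3:18::16
ping 2002:10:3:209::9  # all reachable
# client 9: change its gateway to the address of AR20's g0/0/1
ping 2002:10:3:18::16
ping 2002:10:2:131::13 # all reachable
# client 16: change its gateway to the address of AR18's g0/0/0, and change the last group of its IPv6 address to 16
ping 2002:10:3:209::9
ping 2002:10:2:131::13 # all reachable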


#-----------------------------Qos------------------------
# AR19
dis cu  # then copy the configuration into Notepad to review and edit it
acl name UDP 3999  
undo rule 5
rule 1 permit udp source 10.3.1.20 0 destination 10.3.1.18 0 destination-port range 16384 32767

traffic behavior cbq
dis th
undo queue llq 
queue llq bandwidth 64

traffic behavior remark
dis th
undo remark dscp
remark dscp ef

traffic policy cbq
dis th
undo classifier match-ef
classifier match-udp behavior cbq

traffic policy remark-ef
dis th
undo classifier match-udp
classifier match-ef behavior remark

int g0/0/0  # traffic flows from AR20 to AR18 and the reverse direction has no requirement, so g0/0/0 is the inbound side and s3/0/0 the outbound side
dis th
undo traffic-policy outbound
traffic-policy remark-ef inbound 

int s3/0/0
dis th
undo traffic-policy inbound  
traffic-policy cbq outbound

#-----------------------------------------------------
# Verification
# This task can only be verified by reviewing the configuration, i.e. traffic direction, rules, etc.

NAT+msdp

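Requirements

  • site5 connects to the AS through secure access; client11 currently cannot reach the public AS100 and AS200 through gateway AR27
  • Inter-domain multicast must be deployed between AS100 and AS200; AR7 is the RP in AS100 and AR9 is the RP in AS200. There is a video server on AR22 in AS100, and a multicast receiver on AR23 in AS200 wants to join group 239.1.1.1. The customer currently cannot receive the multicast data and cannot watch the video; resolve this problem

Devices

  • AR22/7 in AS100
  • AR9 in AS200
  • AR27 in site5

Suggestions

  1. NAT
  2. msdp

Procedure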

#-----------------------------NAT------------------------
# AR27
int s3/0/0
dis th
ppp chap password cipher hcie
q
dis cu | i  route
undo ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0
ip route-static 0.0.0.0 0.0.0.0 s3/0/0
dis cu conf acl # the ACL number is 2000
dis cu conf nat  # apply the address group under the interface; the group number is 1
nat outbound 2000 address-group 1
q
dis nat out # there is one entry, for s3/0/0

# AR9
int s3/0/0
dis th
isis enable 200
ppp authentication-mode chap
aaa
dis th
local-user hcie password cipher hcie
local-user hcie service-type ppp

#-----------------------------------------------------
# Verification
ping 200.1.1.23/9/4/5
ping 100.1.1.1/2/3/6/7/8/13/21/22/12  # 1/3/6/13 are unreachable; this is related to the acl 2000 rules on AR2

#-----------------------------msdp------------------------
# AR22
int g0/0/1
dis th
undo igmp enable
undo igmp static-group 239.1.1.1
pim sm
int g0/0/0
dis th
dis ospf int  # already advertised into OSPF, and it is the DR

# AR7
dis cu conf pim
pim 
dis th
c-bsr lo 0
dis pim neighbor # neighbor AR2 is missing
int g0/0/2
dis th
pim sm
q
dis pim neighbor # all 4 neighbors are present
dis pim rp # the RP is 100.1.1.7
dis cu conf msdp
msdp
peer 200.1.1.9 password cipher hcie
dis msdp bri  # 200.1.1.9 is UP

# AR9 (AS200 specifies the RP statically)
dis cu conf pim
pim 
dis th
static-rp 200.1.1.9
dis cu conf msdp
msdp
dis th
peer 100.1.1.7 connect-interface LoopBack0
peer 100.1.1.7 password cipher hcie
dis msdp bri  # 100.1.1.7 is UP

# AR4
dis cu conf pim
pim 
dis th
static-rp 200.1.1.9
dis pim nei # AR2 is missing
int p 5/0/0
dis th
pim sm
dis pim nei # once pim sm is configured on AR2's POS interface, all neighbors are present

# AR5
dis cu conf pim

# AR23
dis cu conf pim
pim 
dis th
static-rp 200.1.1.9
dis pim nei
int g0/0/1
dis th
undo igmp static-group 239.1.1.1
pim sm
igmp enable

# AR2
int p 5/0/0
dis th
pim sm
dis pim nei # once pim sm is configured on AR4's POS interface, all neighbors are present
dis cu conf acl-basic 
acl 2000
dis th
rule 30 permit source 100.1.225.0 0.0.0.255


#-----------------------------------------------------
# Verification
# Client6: Multicast --- Join
# AR22: ping multicast 239.1.1.1
# AR9
dis msdp sa-cache # (100.1.225.254, 239.1.1.1) appears
# AR23/9/4/2/7/21/22
dis pim routing-table # (100.1.225.254, 239.1.1.1) appears on all of them