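HCIE Lab TS_PlanA

BGP, IPv6 BGP and MSDP are not tested

TS Troubleshooting PlanA

eth-trunk: sw1/2 in site1

  • In Site1, all links between LSW1 and LSW2 must be bundled into an eth-trunk, and this eth-trunk must load-balance on src-dst-ip;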
# sw1
dis eth-trunk
int eth 12
dis th
undo trunkport e0/0/18
mode lacp-static
load-balance src-dst-ip
trunkport eth 0/0/18 to 0/0/20

# sw2
dis eth-trunk
int eth 12
dis  th
load-balance src-dst-ip
trunkport eth 0/0/20

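MSTP+BGP ADV: sw1/2/3 in site1, AR1 in bgp100

  • In site1, CLIENT1 belongs to VLAN12 and CLIENT2 belongs to VLAN34; in MSTP, VLAN12 belongs to instance1 and vlan34 belongs to instance2; the primary and secondary root bridges of the two instances are on SW1 and SW2 respectively, and CLIENT1 must reach R1 via the path SW3-SW1-R1, while CLIENT2 must reach R1 via the path SW3-SW2-R1;
  • R1 reaches VLAN12 via the path R1-LSW1-LSW3 and VLAN34 via the path R1-LSW2-LSW3; this may only be implemented in AS300, and make sure your solution does not affect any AS other than AS100 and AS300;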
# sw1
dis th
int e0/0/21
dis th
port trunk all vlan all
dis cu conf mst
bgp 300
dis th
undo network 10.1.12.0 255.255.255.0
network 10.1.12.0 255.255.255.0

# sw2
dis th
stp instance 2 root primary
int e0/0/22
dis th
port trunk all vlan all
q
dis cu conf mst
    stp region-configuration # use sw1's configuration
    region-name HCIE
    instance 1 vlan 12
    instance 2 vlan 34
    active region-configuration
bgp 300
dis th
network 10.1.12.0 255.255.255.0 route-policy MED
undo network 10.1.34.0 255.255.255.0
network 10.1.34.0 255.255.255.0


# sw3
dis th
stp mode mstp
int e0/0/21
dis th
port trunk all vlan all
int e0/0/22
dis th
port trunk all vlan all
dis cu conf mst
int e0/0/1
dis th
undo stp cost 
port link-type access
port default vlan 12
int e0/0/2
dis th
port link-type access
port default vlan 12
int e0/0/3
dis th
port link-type access
port default vlan 34
int e0/0/4
dis th
port link-type access
port default vlan 34

# AR1
int g2/0/2
dis th
int g2/0/1
dis th
ip binding vpn-instance 1
bgp 100
dis th
ipv4-family vpn-instance 1
peer 10.1.100.100 as 300  # sw1
peer 10.1.200.200 as 300  # sw2
import-route direct

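mux-vlan: AR24/25/26 and sw8 in site4

  • In Site4, AR24, AR25 and AR26 are in one network segment and all run IS-IS; AR26 must be able to form neighbor relationships with both AR24 and AR25, but AR24 and AR25 must not form a neighbor relationship with each other; achieve this using Layer 2 VLAN technology on LSW8 and by fixing the fault points on the other devices. Note: during configuration you may not delete VLANs or add new VLANs on LSW8;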
# sw8
dis mux-vlan
vlan 100
undo subordinate group 30  50
subordinate separate 50
port-group group-member g0/0/1 g0/0/2
port link-type access
port default vlan 50
port mux-vlan enable
q
int g0/0/3
dis th
port default vlan 100
port mux-vlan enable

# AR24
isis 100
dis th
int g0/0/0
dis th
isis authen md5 cipher hcie

# AR25
isis 100
dis th
int g0/0/0
dis th
isis authen md5 cipher hcie

# AR26
isis 100
dis th
is-level level-2
int g0/0/0
dis th
isis authen md5 cipher hcie
isis dis-pri 127
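
The MUX VLAN reachability rule that the sw8 fix relies on, as an added example (not part of the original notes). It assumes AR24 and AR25 sit behind g0/0/1 and g0/0/2 (VLAN 50) and AR26 behind g0/0/3 (VLAN 100); the "before" state is inferred from the `undo subordinate group 30 50` line.

```python
from dataclasses import dataclass, field
from itertools import combinations
from typing import Optional

@dataclass
class MuxVlan:
    principal: int
    separate: Optional[int] = None          # at most one separate VLAN
    groups: set = field(default_factory=set)

    def role(self, vlan):
        if vlan == self.principal:
            return "principal"
        if vlan == self.separate:
            return "separate"
        if vlan in self.groups:
            return "group"
        return None

    def can_talk(self, vlan_a, vlan_b):
        """Layer 2 reachability between two ports of one MUX VLAN."""
        ra, rb = self.role(vlan_a), self.role(vlan_b)
        if ra is None or rb is None:
            return False
        if "principal" in (ra, rb):          # principal ports reach everyone
            return True
        if ra == rb == "group":              # group ports: same group only
            return vlan_a == vlan_b
        return False                         # separate ports are isolated

# Assumed port placement: router -> PVID of its sw8 access port.
PORTS = {"AR24": 50, "AR25": 50, "AR26": 100}

def adjacencies(mux, ports):
    """Router pairs that share a broadcast domain and can exchange IS-IS hellos."""
    return {(a, b) for a, b in combinations(sorted(ports), 2)
            if mux.can_talk(ports[a], ports[b])}

# Faulty state: VLAN 50 is a group VLAN, so AR24 and AR25 see each other.
BEFORE = MuxVlan(principal=100, groups={30, 50})
# Fixed state: VLAN 50 is the separate VLAN, only AR26 reaches both.
AFTER = MuxVlan(principal=100, separate=50)

if __name__ == "__main__":
    print("before:", sorted(adjacencies(BEFORE, PORTS)))
    print("after: ", sorted(adjacencies(AFTER, PORTS)))
```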

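MPLS-VPN: all devices in AS100 and AS200

  • Site1 and Site4 are two sites of the same VPN customer; the CLIENTS in site1 currently cannot communicate with the CLIENT in site4; resolve this problem. Note: do not delete existing configuration; it may be modified to resolve the problem
# AR1
dis cu conf vpn # mainly check the RD and RT values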
ip vpn-instance 1
vpn-target 200:100
dis bgp vpnv4 all rou

# AR2
dis cu conf vpn # mainly check the RD and RT values
ip vpn-instance 1
vpn-target 200:100
bgp 100
dis th
ipv4-family vpnv4
policy vpn-target
ipv4-family vpn-instance 1
peer 200.100.24.4 as 200
peer 200.100.25.5 as 200
q
q
dis bgp vpnv4 all rou

# AR4
dis cu conf vpn # mainly check the RD and RT values
ip vpn-instance 1
vpn-target 200:100
bgp 200
dis th
ipv4-family vpnv4
policy vpn-target
int g0/0/1
mpls
mpls ldp
q
dis bgp vpnv4 all rou

# AR5
dis cu conf vpn # mainly check the RD and RT values
ip vpn-instance 1
vpn-target 200:100
bgp 200
dis th
ipv4-family vpnv4
policy vpn-target

# AR9
dis cu | i mpls
undo mpls
y
mpls lsr-id 200.1.1.9
int g0/0/0
mpls
mpls ldp
int g0/0/1
mpls
mpls ldp
int g0/0/2
mpls
mpls ldp

# AR23
dis cu conf vpn # mainly check the RD and RT values
tracert lsp -a 200.1.1.23 ip 200.1.1.4 32
tracert lsp -a 200.1.1.23 ip 200.1.1.5 32
dis bgp vpnv4 all rou
isis 100
import bgp
bgp 200
dis th
dis cu conf route
acl 2000
dis th
rule permit source 10.1.34.0 0
rule permit source 10.1.1.1 0
acl 2001
dis th
rule permit
dis bgp vpnv4 all rou

# AR26
dis ip rou pro isis

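VRRP: AR10/11 in site2

  • In Site2, AR10 and AR11 must provide first-hop gateway redundancy for PC4 on LSW4, with virtual gateway addresses 10.2.129.254 and 10.2.129.253; when configured correctly, the VRRP state information after configuration is as shown below; to speed up VRRP convergence, use BFD to track the uplink state and the VRRP neighbor relationship; (the final result must match the information below)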
# AR10
int g0/0/0
dis th
vrrp vrid 1 authentication-mode md5 hcie
vrrp vrid 2 authentication-mode md5 hcie
vrrp vrid 2 virtual-ip 10.2.129.253
undo vrrp vrid 2 virtual-ip 10.2.129.251
vrrp vrid 1 preempt-mode timer delay 1
vrrp vrid 2 preempt-mode timer delay 1
vrrp6 vrid 1 virtual-ip FE80::1 link-local
vrrp6 vrid 1 virtual-ip 2002:10:2:129::254
vrrp6 vrid 1 priority 200
q
dis cu | i bfd
undo bfd 2
bfd 2 bind peer-ip 10.2.129.11 source-ip 10.2.129.10 auto
undo bfd 1
bfd 1 bind peer-ip 10.2.128.2 source-ip 10.2.128.1 auto
int g0/0/0
vrrp vrid 1 track bfd-session session-name 1 reduced 120
vrrp vrid 2 track bfd-session session-name 2 increased 120

# AR11
int g0/0/0
dis th
vrrp vrid 1 authentication-mode md5 hcie
vrrp vrid 2 authentication-mode md5 hcie
vrrp vrid 2 priority 200
vrrp vrid 2 preempt-mode timer delay 1
undo vrrp6 vrid 1
vrrp6 vrid 1 virtual-ip FE80::2 link-local
vrrp6 vrid 1 virtual-ip 2002:10:2:129::254
dis cu | i bfd
undo bfd 1
bfd 1 bind peer-ip 10.2.128.6 source-ip 10.2.128.5 auto
int g0/0/0
vrrp vrid 1 track bfd-session session-name 1 increased 120
vrrp vrid 2 track bfd-session session-name 2 reduced 120

# AR116
dis cu | i bfd

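DHCP: AR10/11 and SW4 in site2

  • In Site2, AR10 and AR11 are DHCP servers that back each other up; CLIENT7 must be able to obtain the address 10.2.129.100 from the DHCP servers; CLIENT8 must only obtain the designated address 10.2.129.101; CLIENT8 currently sometimes fails to obtain an address; resolve this;
# AR10
dis cu conf ip-pool # copy the configuration into Notepad and edit it
    1. The gateway is wrong; change it to 254
    2. The network is wrong; change it to 10.2.129.0/24
    3. The excluded addresses are missing
    4. Both MACs are wrong
undo ip pool hcie
    paste the corrected configuration back in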
dhcp enable
int g0/0/0
dhcp select global

# AR11
dis cu conf ip-pool # copy the configuration into Notepad and edit it
    1. The second MAC is wrong
undo ip pool hcie
    paste the corrected configuration back in
dhcp enable
int g0/0/0
dhcp select global

# sw4
int e0/0/1
dhcp snooping trusted
int e0/0/3
dhcp snooping trusted
int e0/0/5
undo dhcp snooping trusted
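
A check for the sw4 trust fix, as an added example (not part of the original notes): it reads a switch configuration and compares the DHCP snooping trusted ports against the ports that face the DHCP servers. The two configurations are constructed samples, and treating e0/0/1 and e0/0/3 as the AR10/AR11-facing ports is an assumption drawn from the commands above.

```python
def trusted_ports(config):
    """Return the interfaces that carry 'dhcp snooping trusted'."""
    trusted, current = set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif line == "#" or not line:        # '#' closes a VRP config block
            current = None
        elif current and line == "dhcp snooping trusted":
            trusted.add(current)
    return trusted

def audit(config, server_facing):
    """Compare trusted ports with the ports that should be trusted."""
    trusted = trusted_ports(config)
    return {
        # Trusted port not facing a server: server replies arriving on it
        # pass snooping, so a second, unintended DHCP server could answer.
        "unexpected_trusted": sorted(trusted - server_facing),
        # Server-facing port left untrusted: legitimate replies are dropped.
        "missing_trusted": sorted(server_facing - trusted),
    }

# Assumption: these two ports lead to AR10 and AR11.
SERVER_FACING = {"Ethernet0/0/1", "Ethernet0/0/3"}

# Constructed sample of a faulty sw4 configuration.
BEFORE = """
interface Ethernet0/0/1
 dhcp snooping trusted
#
interface Ethernet0/0/3
#
interface Ethernet0/0/5
 dhcp snooping trusted
#
"""

# Constructed sample of sw4 after the commands in the notes.
AFTER = """
interface Ethernet0/0/1
 dhcp snooping trusted
#
interface Ethernet0/0/3
 dhcp snooping trusted
#
interface Ethernet0/0/5
#
"""

if __name__ == "__main__":
    print("before:", audit(BEFORE, SERVER_FACING))
    print("after: ", audit(AFTER, SERVER_FACING))
```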

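sham-link: AR6/13/7/8 in AS100, AR20 in site3

  • Site2 and Site3 are two sites of the same VPN customer; currently the customers on AR10 and AR20 (simulated by loopback0) can all reach each other; resolve this problem; while AS100 connectivity is normal, packets between the two customers must pass through AS100; but when AS100 has a problem, the two sites can communicate over the backup link;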
# AR8
ospf 100
dis th
ospf 100 router-id 100.1.1.8
return
reset ospf process
ospf 100
a 0
network 100.1.78.8 0.0.0.0
authentication-mode md5 1 cipher hcie
ospf 110
dis th
a 0
undo sham-link 100.1.136.13 100.1.136.6
a 1
undo network 100.1.136.13 0.0.0.0
sham-link 100.1.136.6 100.1.136.13



# AR7
ospf 100
dis th
a 0
undo authentication-mode  
int g0/0/1
dis th
undo ospf timer hello 
bgp 100
dis th
ipv4-family vpnv4
peer 100.1.1.6 reflect-client
peer 100.1.1.13 reflect-client

# AR6
ospf 110
dis th
a 1
undo network 10.2.128.6 0.0.0.0
network 10.2.128.9 0.0.0.0
int lo 1
dis th
ip binding vpn-instance 2
ip address 100.1.136.6 255.255.255.255
bgp 100
dis th

# AR13
ospf 110
dis th
a 1
undo sham-link 100.1.136.6 100.1.136.13
sham-link 100.1.136.13 100.1.136.6
int lo 1
dis th
bgp 100
dis th
ipv4-family vpn-instance 2
network 100.1.136.13 255.255.255.255

# AR116
ospf 110
dis th

# AR10
ospf 110
dis th
a 1
network 10.2.128.1 0.0.0.0
q
tracert -a 10.2.1.10 10.3.1.20

# AR11
int s3/0/1
dis th
ospf cost 100
ospf 110
dis th
a 1
network 10.2.128.5 0.0.0.0

# AR20
int s3/0/0
dis th
ospf cost 100

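IPv6: AR10/11 in AS100, AR20/18 in site3

  • Site2 and Site3 are configured with IPv6 and run OSPFv3; the participating devices are AR10, AR11, AR18 and AR20; AR18 and AR20 are connected through a tunnel; IPV6 CLIENT 13, IPV6 CLIENT 9 and IPV6 CLIENT10 currently cannot communicate with one another; resolve this;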
# AR18
int t 0/0/100
dis th
undo ospfv3 1 area 0.0.0.1
ospfv3 1 area 0.0.0.0
ospfv3
dis th
undo silent-interface t 0/0/100

# AR20
int t 0/0/100
dis th
gre key 123
ospfv3
dis th
a 0
abr-summary 2002:10:3:209:: 64

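Telnet: AR16/17/18 in site3

  • In Site3, AR16, AR17 and AR18 run ospf over the Frame Relay network using the default network type; AR18 must be able to manage AR16 and AR17 remotely via telnet; AR18 currently cannot manage them remotely; resolve this problem so that the following table entries are satisfied; AR16 must use AAA for telnet authentication, and two users exist on AR16: the admin user at level 15 and the guest user at level 1, and both users must be able to authenticate for telnet login; AR17 must use password authentication; there is no requirement on the user level of telnet users on AR17, but the supported commands must match the screenshot.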
# AR16
aaa
dis th
local-user admin privilege level 15
local-user admin password cipher hcie
local-user guest password cipher hcie
local-user admin service-type telnet
user-interface vty 0 4
dis th
authentication-mode aaa
acl 2001
rule 5 permit source 10.3.1.18 0
int s3/0/0
dis th
ospf dr-priority 0

# AR17
user-interface vty 0 4
dis th
# user privilege level 0 # this is the default level; if the line is absent, that is correct
set authentication password cipher hcie
int s3/0/0
dis th
ospf dr-priority 0

# AR18
int s3/0/0
dis th
ospf dr-priority 255

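QoS: AR19 in site3

  • In Site3, a user on AR20 (simulated by loopback0) and a user on AR18 (simulated by loopback0) need voice communication using the G.711 audio codec, with each voice call requiring 64Kbps of bandwidth; voice quality from AR20 to AR18 is currently not good enough, and QoS must be deployed on AR19 to guarantee service quality for the voice traffic (there is no requirement for the reverse traffic);
# AR19
dis cu  # copy into Notepad and edit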

acl name UDP 3999  
dis th
rule 1 permit udp source 10.3.1.20 0 destination 10.3.1.18 0 destination-port range 16384 32767  # changed from tcp to udp

traffic behavior cbq
dis th
undo queue llq 
queue llq bandwidth 64

traffic behavior remark
dis th
undo remark dscp
remark dscp ef

int g0/0/0  # AR20 to AR18; there is no requirement for reverse traffic, so g0/0/0 is the inbound direction and s3/0/0 is the outbound direction
dis th
undo traffic-policy outbound
traffic-policy remark-ef inbound 

int s3/0/0
dis th

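NAT: AR27/9

  • Site5 connects to the AS through secure access; client11 currently cannot reach the public networks AS100 and AS200 through the gateway AR27; resolve this problem so that the following table entries are satisfied;
# AR27
dis cu | i  route
ip route-static 0.0.0.0 0.0.0.0 s3/0/0 # or point to 200.1.209.9
dis cu conf acl # the rule number is 2000
dis cu conf nat  # apply the address group under the interface; the group number is 1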
int s3/0/0
dis th
ppp chap password cipher hcie
nat outbound 2000 address-group 1
q
dis nat out # there is one entry for s3/0/0

# AR9
int s3/0/0
dis th
isis enable 200
ppp authentication-mode chap
aaa
dis th
local-user hcie password cipher hcie