CCIE SP实验:Features(特性)备战笔记
Protected-Port
命令:
Switch(config-if)# switchport protected
说明:
1,Protected port 必须同时在同一交换机配置
2,Traffic只是在两个porected ports间转发被限制(二层转发)
3,Protected port在EtherChannel中有效
Port-Blocking
命令:
Switch(config-if)# switchport block multicast
Switch(config-if)# switchport block unicast
说明:
1, 用于阻止unknown destination MAC addresses单播和组播
2, 放行广播包用于MAC地址学习
3, 可以在protected or unprotected端口上配置
FR Subinterface
1,子接口规避split horizon原则,默认为multipoint
2,Subinterface为point-to-point,不需要配置Inverse-ARP
3,Subinterface为multipoint,要么用Inverse-ARP(Dynamic),要么用FR MAP(Static)
4,如果打开static map...Inverse-ARP被Disabled.默认为Enable Inverse-ARP
OSPF安全
要求:
R1,R2和R3在同一网段,R1/R2间运行OSPF,并且并进行邻居论证,R3不能收到任何R1/R2的OPSF报文
R1/R2配置:
#interface G0/0
#ip address 150.1.12.1/2 255.255.255.0
#ip ospf network point-to-multipoint non-broadcast
#ip ospf message-digest-key 1 md5 CCIE
#router ospf 1
#network 150.1.12.1/2 0.0.0.0 area 0
#neighbour 150.1.12.1/2
说明:
OPSF的网络类型为point-to-multipoint,类似FR中的默认接口配置,可以自动选择
DR/BDR,加上non- broadcast选项,即是无broadcast报文发送,也就是无法发现邻居,在 OPSF 进程中加入neighbour,手动指定邻居,即完全达到了题目的要求!
BGP Community
命令:
#ip bgp-community new-format
即是community的格式为AA:NN,其中AA为AS号,NN为AS中要使用的community数(NN )多可能为EBGP或是客户的AS号,因此有时候也可以称为AA:ASN格式)
说明:
此命令非默认配置, 需要在所有需要配置(接受/发送new-format的community)路由器上配置,Juniper/Cisco都支持此相同的命令格式.
MPLS TTL Control
命令:
#no mpls ip propogate-ttl forwarded
默认情问下,VPN用户traceroute时,是可以看到SP Core里的所有路由器的,一旦no掉此命令,用户就只能traceroute到其网关和用户网络内的Hops.
MPLS Syslog
命令:
#mpls ip traffic-eng lsp setups
#mpls ip traffic-eng lsp teardown
#logging 150.1.1.31 (Syslog Server)
默认下Syslog不log TE LSP的状态,以上两条命令打开Syslog对 LSP的setup/teardwon进行追踪记录.
IGP Loopback0
1, OSPF中,对loopback地址的宣告总是/32主机地址, 但如果实际
配置的地址不是/32位,那么在LDP的MPLS Label分布中,是会出问题,这和LDP 分发Label的原理有关.解法办法是在Loopback接口下改变OSPF网络类型:ip ospf network point-to-point,这样,宣告出去的路由条目就是实际
配置的子网位数了.
2, 在ISIS for IP的进程中,有两种方式可以把Loopback接口加入ISIS进程,第一种是直接在接口下ip router isis,这和物理接理上的操作是一致的,另一种方法比效奇妙,即是在Router isis进程下,用命令passive-interface looback x,本意思是不在此端口发送update,换句话说,此端口已自然地被加入到ISIS进程中了.
OSPF Fast Hello Packets
此Feature适合用于LAN网段,默认情况下,在OSPF中Hello Interval:10 second, Dead Interval:40 Second.
配置Fast Hello后,Hello Interval为1 second. 命令后跟上1秒内发送的Hello包数量,即是实际的Hello Internal小于1 second. 能很大的提高OSPF领导响应速度,加快OSPF收敛. (ISIS中也有FHP的概念,
配置类似OSPF)命令如下:
#interface ethernet 1/0
#ip ospf dead-interval minimal hello-multiplier 5
LDP Message Priority
命令: mpls ldp tcp pak-priority
设置LDP message的TOS为6,提高 LDP Message,包括LDP Keepalive的优先级, 避免在网络Congestion时,LDP邻居终断.
PPPOE认证
要求:R5作为Client Request/R6 作为DSLAM Respond, MD5认证.
R5
配置:
username ccie password 0 ccie
vpdn enable
vpdn-group 1
request-dialin
protocol pppoe
!
interface F0/0
pppoe enable
pppoe-client dial-pool-number 1 -----------Dialer interface #
!
interface Dialer 1
ip address 150.1.12.1 255.255.255.0
mtu 1492
encapsulation ppp
ppp authentication chap
ppp chap hostname CCIE---------------------username is ccie,password is ccie
dialer-group 1
dialer-persistent--------------------------Not teardown until shutdown interface
R6
配置
username ccie password 0 ccie
vpdn enable
vpdn-group 1
accept-dialin
protocol pppoe
virtual-template 1
!
interface F0/0
pppoe enable
!
interface Virtual-Template 1
ip address 150.1.12.2 255.255.255.0
encapsulation ppp
ppp authentication chap
ppp chap hostname CCIE---------------------username is ccie,password is ccie
dialer-group 1
dialer-persistent
pppoe limit per-mac 1----------------------only one host per MAC
Frame-Relay Keepalive
A,LMI Keepalive
时间默认间隔为10seconds,用于维护LMI状态信息,保持端口Active,在FR Switch (DCE)和Router(DTE)间发送,是基于RFC标准,
配置于Serial接口,如果No Keepalive,将自动关掉LMI功能.
配置时建议在Router端设为快于Frame-Relay Switch两到三秒,即7 or 8秒.
配置:
#interface serial 1/0
#keepalive 8
B,FR end-to-end keepalive
属于Cisco专有Feature,源于LMI,用于在DTE间维护端到端信息,为端口状态接供参考数据.Keepalive状态为双向,有四种模式,分别为:Request Mode,Reply Mode, Bidirectional Mode and Pass-Reply.
Reqest Side和Send Side
配置时,需要注意两边模式的匹配.
配置:
R1,Keepalive请求端
router1(config) interface serial 0/0.1 point-to-point
router1(config-if) ip address 10.1.1.1 255.255.255.0
router1(config-if) frame-relay interface-dlci 16
router1(config-if) frame-relay class ccie
router1(config)# map-class frame-relay ccie
router1(config-map-class)# frame-relay end-to-end keepalive mode request(bidirectional)
router1(config-map-class)# frame-relay end-to-end keepalive timer send 5
R2,Keepalive响应端
router2(config) interface serial 1/1.1 point-to-point
router2(config-if) ip address 10.1.1.2 255.255.255.0
router2(config-if) frame-relay interface-dlci 16
router2(config-if) frame-relay class ccie
router2(config)# map-class frame-relay ccie
router2(config-map-class)# frame-relay end-to-end keepalive mode reply(bidirectional)
router1#show frame-relay end-to-end keepalive
LMI Keepalive应该为IP Service Agreement Feature--未经证实.
NTP认证
R1为NTP Client,R2为一级时钟源,采用MD5论证.
Router1
#ntp authentication-key md5 ccie
#ntp authenticate
#ntp trusted-key 1
#ntp source loopback 0
#ntp server 150.1.1.100 key 1
Router2
#ntp authentication-key 1 md5 ccie
#ntp master 1
NetFlow Log
R6把Serial0/0上收集到的Netflow数据发送到Netflow数据收集器150.1.1.100, Netflow格式为Version 5, UDP 9996.
Router6
#interface serial 0/0
#ip route-cache flow
#ip flow-export version 5
#ip flow-export destination 150.1.1.100 9996
