router isis 1234
 advertise passive-only
 passive-interface Loopback0
advertise passive-only: advertises only the prefixes of interfaces configured as passive (if you make the loopback interface passive, only the loopback's route is advertised).
Wednesday, December 4, 2019
Tuesday, December 3, 2019
CCIE LAB
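Exam content:
1. TS (Troubleshooting)
Tests the ability to resolve network faults. The exam simulates a network environment, for example a server that cannot be reached, and asks you to find and fix the problem. This module requires configuration on the devices.
2. DIAG (Diagnose)
Tests the ability to analyze network faults. This module has no device access: you are given the network requirements, the problem, the device configurations and log output, and asked to work out why the fault occurred. There are no devices to configure in this module.
3. CFG (Configuration)
Tests the ability to build a network. You are given requirements and a topology and must build the network to specification. This module requires configuration on the devices.
Score distribution and passing scores:
The CCIE LAB exam is scored out of 100 points; each module requires >= 80% to earn the CCIE certification.
TS (Troubleshooting) is worth 24 points in total; the module requires >= 20 points to pass the CCIE exam.
DIAG (Diagnose) is worth 6 points in total; the module requires >= 4 points to pass the CCIE exam.
CFG (Configuration) is worth 70 points in total; the module requires >= 56 points to pass the CCIE exam.
Exam time:
The CCIE LAB exam lasts 8 hours.
TS (Troubleshooting) may take up to 2.5 hours. You can also end the module early: if you finish in 1.5 hours, you can choose to end it and move straight to the next module.
DIAG (Diagnose) is fixed at 0.5 hours and cannot be ended early.
CFG (Configuration) gets the 8-hour total minus the time spent on TS and DIAG.
PS: TS may take up to 2.5 hours.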
Dual-exit NAT
+------+     +------+
| ISPA |     | ISPB |
+-----++     +-+----+
      |        |
     ++--------++
     |   2960   |
     +----+-----+
          |
      +---+---+
      | 4451  |
      +---+---+
          |
          |
       +--+---+
       | 3925 |
       +------+

track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
interface GigabitEthernet0/0/0
interface GigabitEthernet0/0/0.10
 encapsulation dot1Q 10
 ip address dhcp
 ip nat outside
!
interface GigabitEthernet0/0/0.20
 encapsulation dot1Q 20
 ip address dhcp
 ip nat outside
!
interface GigabitEthernet0/0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip policy route-map Lan
 load-interval 30
 negotiation auto
!
ip nat inside source route-map nat interface GigabitEthernet0/0/0.10 overload
ip nat inside source route-map nat2 interface GigabitEthernet0/0/0.20 overload
ip route 0.0.0.0 0.0.0.0 10.1.1.1 10 track 1
ip route 0.0.0.0 0.0.0.0 10.1.2.1 20 track 2
!
ip access-list extended nat
 ! please write the ACL like this: permit icmp XXX, permit tcp XXX, permit udp XXXX
 permit icmp 192.168.1.0 0.0.0.255 any
 permit tcp 192.168.1.0 0.0.0.255 any
 permit udp 192.168.1.0 0.0.0.255 any
ip access-list extended test
 permit icmp 192.168.1.0 0.0.0.255 any
 permit tcp 192.168.1.0 0.0.0.255 any
 permit udp 192.168.1.0 0.0.0.255 any
ip sla 1
 icmp-echo 10.1.1.1 source-interface GigabitEthernet0/0/0.10
 frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 10.1.2.1 source-interface GigabitEthernet0/0/0.20
 frequency 5
ip sla schedule 2 life forever start-time now
!
route-map Lan permit 10
 match ip address test
 set ip next-hop verify-availability 10.1.1.1 10 track 1
 set ip next-hop verify-availability 10.1.2.1 20 track 2
!
route-map nat2 permit 10
 match ip address nat
 match interface GigabitEthernet0/0/0.20
!
route-map nat permit 10
 match ip address nat
 match interface GigabitEthernet0/0/0.10
!
--------------------------------------------
Test:

Test with ISP A failed:

1. Check the router interfaces:

Router#show ip int b
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0/0   unassigned      YES NVRAM  up                    up
Gi0/0/0.10             unassigned      YES DHCP   up                    up      <<<<<<<<<<<<< ISP A: because of the ISP issue, no DHCP address was received.
Gi0/0/0.20             10.1.2.4        YES DHCP   up                    up      <<<<<<<<<<<<< ISP B
GigabitEthernet0/0/1   192.168.1.1     YES NVRAM  up                    up

2. Simulate a PC accessing the network:

C10-RU09-3925#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

3. Check the NAT translations:

Router#show ip nat translations
Pro  Inside global      Inside local        Outside local      Outside global
icmp 10.1.2.4:55        192.168.1.10:55     8.8.8.8:55         8.8.8.8:55
tcp  10.1.2.4:5064      192.168.1.10:33231  10.124.41.40:49    10.124.41.40:49
udp  10.1.2.4:512       192.168.1.10:123    10.64.58.51:123    10.64.58.51:123
icmp 10.1.2.4:53        192.168.1.10:53     192.168.1.1:53     192.168.1.1:53
tcp  10.1.2.4:5063      192.168.1.10:26148  10.124.41.40:49    10.124.41.40:49

4. Check the route-map:

route-map Lan, permit, sequence 10
  Match clauses:
    ip address (access-lists): test
  Set clauses:
    ip next-hop verify-availability 10.1.1.1 10 track 1  [down]   <<<<<<<<<<<<< ISP A track is down: the ISP has failed.
    ip next-hop verify-availability 10.1.2.1 20 track 2  [up]
  Policy routing matches: 29 packets, 2698 bytes   <<<<<<<<<<<<< this counter will increase
route-map nat2, permit, sequence 10
  Match clauses:
    ip address (access-lists): nat
    interface GigabitEthernet0/0/0.20
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map nat, permit, sequence 10
  Match clauses:
    ip address (access-lists): nat
    interface GigabitEthernet0/0/0.10
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes

Resume ISP A:

1. The interface connected to ISP A received an IP address. Log:

*Sep 23 12:33:33.727: %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0/0/0.10 assigned DHCP address 10.1.1.4, mask 255.255.255.0, hostname Router

2. DHCP status:

Router# show dhcp lease
Temp IP addr: 10.1.2.4  for peer on Interface: GigabitEthernet0/0/0.20
Temp  sub net mask: 255.255.255.0
   DHCP Lease server: 10.1.2.1, state: 5 Bound
   DHCP transaction id: 1BDC
   Lease: 86400 secs,  Renewal: 43200 secs,  Rebind: 75600 secs
   Next timer fires after: 11:57:32
   Retry count: 0   Client-ID: cisco-00fe.c8cd.9ef0-Gi0/0/0.20
   Client-ID hex dump: 636973636F2D303066652E633863642E
                       396566302D4769302F302F302E3230
   Hostname: Router
Temp IP addr: 10.1.1.4  for peer on Interface: GigabitEthernet0/0/0.10
Temp  sub net mask: 255.255.255.0
   DHCP Lease server: 10.1.1.1, state: 5 Bound
   DHCP transaction id: 1BE0
   Lease: 86400 secs,  Renewal: 43200 secs,  Rebind: 75600 secs
   Temp default-gateway addr: 10.3.3.1
   Next timer fires after: 11:59:56
   Retry count: 0   Client-ID: cisco-00fe.c8cd.9ef0-Gi0/0/0.10
   Client-ID hex dump: 636973636F2D303066652E633863642E
                       396566302D4769302F302F302E3130
   Hostname: Router

3. The default route changed from 10.1.2.1 to 10.1.1.1 (the default route changes only after the SLA status and track status change; the track status must be up):

Router#show ip route
<snip>
Gateway of last resort is 10.1.2.1 to network 0.0.0.0
S*    0.0.0.0/0 [20/0] via 10.1.2.1
      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks

Router#show ip route
<snip>
Gateway of last resort is 10.1.1.1 to network 0.0.0.0
S*    0.0.0.0/0 [10/0] via 10.1.1.1

Log:
*Sep 23 12:33:46.780: %TRACK-6-STATE: 1 ip sla 1 reachability Down -> Up

4. Check the NAT translations:

a) Clear the NAT records:

Router#clear ip nat translation *

b) Access the network from the client:

C10-RU09-3925#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!

c) Check the NAT records on the router:

Router#show ip nat translations
Pro  Inside global      Inside local        Outside local      Outside global
tcp  10.1.1.4:5062      192.168.1.10:42040  10.124.41.40:49    10.124.41.40:49
icmp 10.1.1.4:58        192.168.1.10:58     8.8.8.8:58         8.8.8.8:58
Total number of translations: 2

d) Route-map counters:

Router#show route-map
route-map Lan, permit, sequence 10
  Match clauses:
    ip address (access-lists): test
  Set clauses:
    ip next-hop verify-availability 10.1.1.1 10 track 1  [up]   // track 1 and track 2 are both up, but ISP A is the higher-priority Internet exit
    ip next-hop verify-availability 10.1.2.1 20 track 2  [up]
  Policy routing matches: 44 packets, 4160 bytes   // the counter increases
route-map nat2, permit, sequence 10
  Match clauses:
    ip address (access-lists): nat
    interface GigabitEthernet0/0/0.20
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map nat, permit, sequence 10
  Match clauses:
    ip address (access-lists): nat
    interface GigabitEthernet0/0/0.10
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes

Update: please write the access list like this:

ip access-list extended test
 ! Deny traffic from the LAN sources to the router's own connected address.
 ! Without this entry you cannot ping the router's connected address, for
 ! example ping 192.168.1.1 with source 192.168.1.10: the source matches the
 ! permit entries below and is sent to the NAT process, but the traffic is
 ! addressed to the router's link address, so it is dropped.
 deny icmp 192.168.1.0 0.0.0.255 host 192.168.1.1
 permit icmp 192.168.1.0 0.0.0.255 any
 permit tcp 192.168.1.0 0.0.0.255 any
 permit udp 192.168.1.0 0.0.0.255 any
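
The failover checks above, automated as an added example (not part of the original post): it reads the set clauses of `show route-map` to find the next hop that policy routing will use, then lists the NAT translations still bound to the other uplink's address, the entries that `clear ip nat translation *` removes after ISP A recovers. The sample text is copied from the output on this page; the /24 uplink subnets and the function names are assumptions.

```python
import ipaddress
import re

# Sample data copied from the router output shown on this page (ISP A down).
ROUTE_MAP_ISPA_DOWN = """\
route-map Lan, permit, sequence 10
  Set clauses:
    ip next-hop verify-availability 10.1.1.1 10 track 1  [down]
    ip next-hop verify-availability 10.1.2.1 20 track 2  [up]
"""
NAT_ISPA_DOWN = """\
Pro  Inside global   Inside local        Outside local    Outside global
icmp 10.1.2.4:55     192.168.1.10:55     8.8.8.8:55       8.8.8.8:55
tcp  10.1.2.4:5064   192.168.1.10:33231  10.124.41.40:49  10.124.41.40:49
udp  10.1.2.4:512    192.168.1.10:123    10.64.58.51:123  10.64.58.51:123
"""
# Assumption: each uplink is the /24 around its next hop
# (the DHCP log on the page shows mask 255.255.255.0).
UPLINKS = {"10.1.1.1": ipaddress.ip_network("10.1.1.0/24"),
           "10.1.2.1": ipaddress.ip_network("10.1.2.0/24")}
HOP_RE = re.compile(r"verify-availability (\S+) (\d+) track \d+\s+\[(up|down)\]")


def active_next_hop(route_map_text):
    """Lowest-sequence next hop whose track object is up, or None if all are down."""
    up = [(int(seq), hop) for hop, seq, state in HOP_RE.findall(route_map_text)
          if state == "up"]
    return min(up)[1] if up else None


def stale_translations(nat_text, next_hop):
    """Inside global addr:port of entries that are not on the active uplink's subnet."""
    stale = []
    for line in nat_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] not in ("icmp", "tcp", "udp"):
            continue  # header or summary line
        inside_global = ipaddress.ip_address(fields[1].rsplit(":", 1)[0])
        if inside_global not in UPLINKS[next_hop]:
            stale.append(fields[1])
    return stale


if __name__ == "__main__":
    hop = active_next_hop(ROUTE_MAP_ISPA_DOWN)
    print("active next hop:", hop, "stale:", stale_translations(NAT_ISPA_DOWN, hop))
    # After ISP A recovers both tracks are up, so sequence 10 (10.1.1.1) wins again.
    recovered = ROUTE_MAP_ISPA_DOWN.replace("[down]", "[up]")
    print("after recovery:", stale_translations(NAT_ISPA_DOWN, active_next_hop(recovered)))
```
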