1.1.1.1 VLAN
Create VLANs 3, 5, 18, 26, 41, 43 and 62 on switches SW1 and SW2. Create
VLAN 43 on switch SW3.
Apply VLANs to access interfaces according to the table below.
SW1 Eth0/0/21
SW1/SW2:
vlan batch 3 5 18 26 41 43 62
SW3:
vlan 43
SW1:
interface Ethernet0/0/1
port link-type access
port default vlan 3
interface Ethernet0/0/2
port link-type access
port default vlan 26
interface Ethernet0/0/4
port link-type access
port default vlan 41
interface Ethernet0/0/5
port link-type access
port default vlan 5
interface Ethernet0/0/6
port link-type access
port default vlan 26
interface Ethernet0/0/21
port link-type access
port default vlan 62
SW2:
interface Ethernet0/0/1
port link-type access
port default vlan 18
interface Ethernet0/0/3
port link-type access
port default vlan 18
interface Ethernet0/0/4
port link-type access
port default vlan 43
interface Ethernet0/0/6
port link-type access
port default vlan 62
SW3:
interface Ethernet0/0/22
port link-type access
port default vlan 43
interface Ethernet0/0/12
eth-trunk 34
interface Ethernet0/0/13
eth-trunk 34
1.1.1.3 Trunk
All links between switches SW1, SW2, SW3 and SW4 should be configured as
trunk links that allow VLANs 1 through 4094 across all trunks.
SW1:
interface Ethernet0/0/10
port link-type trunk
port trunk allow-pass vlan 2 to 4094
interface Ethernet0/0/11
port link-type trunk
port trunk allow-pass vlan 2 to 4094
SW2:
interface Ethernet0/0/14
port link-type trunk
port trunk allow-pass vlan 2 to 4094
interface Ethernet0/0/15
port link-type trunk
port trunk allow-pass vlan 2 to 4094
SW3:
interface Ethernet0/0/10
port link-type trunk
SW4:
interface Ethernet0/0/11
port link-type trunk
port trunk allow-pass vlan 2 to 4094
interface Ethernet0/0/15
port link-type trunk
port trunk allow-pass vlan 2 to 4094
interface Eth-Trunk34
port link-type trunk
port trunk allow-pass vlan 2 to 4094
1.1.1.4 GVRP
Enable GVRP on switches to enable SW3 and SW4 to learn statically configured
VLAN information from SW1 and SW2.
SW1:
gvrp
interface Ethernet0/0/10
gvrp
interface Ethernet0/0/11
gvrp
SW2:
gvrp
interface Ethernet0/0/14
gvrp
interface Ethernet0/0/15
gvrp
SW3:
gvrp
interface Ethernet0/0/10
gvrp
interface Ethernet0/0/14
gvrp
interface Eth-Trunk34
gvrp
SW4:
gvrp
interface Ethernet0/0/11
gvrp
interface Ethernet0/0/15
gvrp
interface Eth-Trunk34
gvrp
1.1.1.5 MSTP
Switches SW1, SW2, SW3 and SW4 run MSTP as follows.
VLANs 3, 5 and 18 are in instance 1 for which SW1 should be primary root and
SW2 the secondary root. VLANs 26, 41, 43 and 62 are in instance 2, for which
SW2 is the primary root and SW1 is the secondary root. The MSTP region name is
HW and revision level is 1.
Interface E0/0/20 on SW1 is directly connected to a PC. Ensure that E0/0/20 enters
the forwarding state as soon as the PC is connected and the link becomes active.
E0/0/20 should be shut down automatically after receiving BPDUs and should
recover after 50s.
SW1-SW4:
stp region-configuration
region-name HW
revision-level 1
instance 1 vlan 3 5 18
instance 2 vlan 26 41 43 62
active region-configuration
SW1:
stp instance 1 root primary
stp instance 2 root secondary
stp bpdu-protection
error-down auto-recovery cause bpdu-protection interval 50
interface Ethernet0/0/20
stp edged-port enable
SW2:
R1:
interface Serial1/0/0
link-protocol fr
undo fr inarp
fr map ip 10.1.12.2 102 broadcast
ip address 10.1.12.1 255.255.255.0
interface Serial2/0/0
link-protocol fr
undo fr inarp
fr map ip 10.1.145.4 104 broadcast
fr map ip 10.1.145.5 105 broadcast
ip address 10.1.145.1 255.255.255.0
R2:
interface Serial1/0/0
link-protocol fr
undo fr inarp
interface Serial1/0/0.1
fr dlci 201
fr map ip 10.1.12.1 201 broadcast
R3:
interface Serial1/0/0
link-protocol fr
undo fr inarp
interface Serial1/0/0.1 p2p
fr dlci 302
ip address 10.1.23.3 255.255.255.0
R4:
interface Serial1/0/0
link-protocol fr
undo fr inarp
fr map ip 10.1.145.1 401 broadcast
fr map ip 10.1.145.5 401 broadcast
ip address 10.1.145.4 255.255.255.0
R5:
interface Serial1/0/0
link-protocol fr
undo fr inarp
fr map ip 10.1.145.1 501 broadcast
fr map ip 10.1.145.4 501 broadcast
ip address 10.1.145.5 255.255.255.0
R1:
router id 10.1.1.1
interface Serial1/0/1
ip address 10.1.13.1 255.255.255.0
interface GigabitEthernet0/0/0
ip address 10.1.10.1 255.255.255.0
interface LoopBack0
ip address 10.1.1.1 255.255.255.0
R2:
router id 10.1.2.2
interface Ethernet2/0/0
ip address 10.1.26.2 255.255.255.0
interface LoopBack0
ip address 10.1.2.2 255.255.255.0
R3:
router id 10.1.3.3
interface Ethernet2/0/1
ip address 10.1.32.3 255.255.255.0
interface Serial1/0/1
ip address 10.1.13.3 255.255.255.0
interface LoopBack0
ip address 10.1.3.3 255.255.255.0
R4:
router id 10.1.4.4
interface Ethernet2/0/0
ip address 10.1.41.4 255.255.255.0
interface Ethernet2/0/1
ip address 157.68.3.4 255.255.255.0
interface Serial1/0/1
ip address 10.1.45.4 255.255.255.0
interface LoopBack0
ip address 10.1.4.4 255.255.255.0
R5:
router id 10.1.5.5
interface Ethernet2/0/0
ip address 10.1.50.5 255.255.255.0
interface Serial1/0/1
ip address 10.1.45.5 255.255.255.0
interface LoopBack0
ip address 10.1.5.5 255.255.255.0
R6:
router id 10.1.6.6
interface Ethernet2/0/1
ip address 157.68.2.6 255.255.255.0
interface Serial1/0/1
ip address 157.68.1.6 255.255.255.0
interface GigabitEthernet0/0/0
ip address 10.1.26.6 255.255.255.0
interface LoopBack0
ip address 10.1.6.6 255.255.255.0
SW1:
router id 10.1.41.11
interface Vlanif3
ip address 10.1.33.11 255.255.255.0
interface Vlanif41
ip address 10.1.41.11 255.255.255.0
interface Vlanif62
ip address 10.1.62.11 255.255.255.0
SW2:
interface Vlanif18
ip address 10.1.32.22 255.255.255.0
interface Vlanif62
ip address 10.1.62.22 255.255.255.0
49.0001 and all routers are Level 1 routers. Set the system ID to 0000.0000.000X
and the IS-IS process ID to Y.
On R6, import BB2 network segment 157.68.2.0/24 into IS-IS and set the cost of
imported routes to 200 and tag to 200.
R1:
isis 1
is-level level-1
cost-style wide
network-entity 49.0001.0000.0000.0001.00
interface Serial1/0/0
isis enable 1
interface Serial1/0/1
isis enable 1
interface LoopBack0
isis enable 1
R2:
isis 1
is-level level-1
cost-style wide
network-entity 49.0001.0000.0000.0002.00
interface Ethernet2/0/0
isis enable 1
interface Serial1/0/0.1
isis enable 1
interface Serial1/0/0.2 p2p
isis enable 1
interface LoopBack0
isis enable 1
R3:
isis 1
is-level level-1
cost-style wide
network-entity 49.0001.0000.0000.0003.00
interface Ethernet2/0/1
isis enable 1
interface Serial1/0/0.1 p2p
isis enable 1
interface Serial1/0/1
isis enable 1
interface LoopBack0
isis enable 1
R6:
isis 1
is-level level-1
cost-style wide
network-entity 49.0001.0000.0000.0006.00
interface GigabitEthernet0/0/0
isis enable 1
interface LoopBack0
isis enable 1
SW2:
isis 1
is-level level-1
cost-style wide
network-entity 49.0001.0000.0000.0022.00
interface Vlanif18
isis enable 1
Note:
This section requires the specific network segment 157.68.2.0/24 to be imported into IS-IS.
Therefore, filter routes during route import. For example, since ip-prefix matches the exact
mask length of routes, it is preferred for route operations over ACLs that only match the
address segment. Use ACLs when ip-prefix is unable to solve problems.
This section of the exam also requires tag setting for external routes imported into IS-IS.
IS-IS routes have a narrow cost style by default, but a wide cost style must be set for them to
carry the tag. Therefore, you need to change the cost style of imported routes.
R1:
isis 1
nexthop 10.1.12.2 weight 1
R2:
interface Ethernet2/0/0
isis circuit-type p2p
isis ppp-negotiation 3-way only
R3:
isis 1
nexthop 10.1.23.2 weight 1
R6:
interface GigabitEthernet0/0/0
isis circuit-type p2p
isis ppp-negotiation 3-way only
Note:
IS-IS supports two network types: broadcast networks (DIS is elected) and P2P networks
(DIS is not elected).
Broadcast is the default IS-IS network type on an Ethernet network. Change it to P2P to
prevent DIS election on the network segment.
In IS-IS, neighbor relationships are established on a P2P network in either two-way
handshake or three-way handshake mode. In the two-way handshake mode established by
default, IS-IS neighbor statuses on both ends of the link may be mismatched. This problem will
not occur in three-way handshake mode. For this part of the exam, change the handshake
mode from two-way to three-way manually.
R2:
interface Serial1/0/0.1
isis authentication-mode simple plain HuaWei
interface Serial1/0/0.2 p2p
isis authentication-mode simple plain HuaWei
R3:
interface Serial1/0/0.1 p2p
isis authentication-mode simple plain HuaWei
interface Serial2/0/0
ospf network-type broadcast
R4:
ospf 1
peer 10.1.145.1
area 0.0.0.0
network 10.1.4.4 0.0.0.0
network 10.1.145.4 0.0.0.0
R5:
ospf 1
peer 10.1.145.1
area 0.0.0.0
network 10.1.5.5 0.0.0.0
network 10.1.50.5 0.0.0.0
network 10.1.145.5 0.0.0.0
R4, R5:
interface Serial1/0/0
ospf dr-priority 0
ospf network-type broadcast
interface LoopBack0
ospf network-type broadcast
R4:
ospf 1
import-route direct route-policy Loo40
area 0.0.0.1
network 10.1.41.4 0.0.0.0
vlink-peer 10.1.41.11
area 0.0.0.2
network 10.1.45.4 0.0.0.0
area 0.0.0.4
interface LoopBack40
ip address 10.1.40.4 255.255.255.0
route-policy Loo40 permit node 10
if-match ip-prefix Loo40
#
ip ip-prefix Loo40 index 10 permit 10.1.40.0 24
SW1:
ospf 1
area 0.0.0.1
interface Vlanif62
ospf filter-lsa-out ase acl 2000
SW2:
ospf 1
area 0.0.0.1
network 10.1.62.22 0.0.0.0
Note:
1. The network segment connecting SW1 and SW2 belongs to Area 3, a non-backbone area
not directly connected to Area 0. Establish a virtual link between R4 and SW1 to connect Area
3 to Area 0.
2. The external routes to be imported when configuring an ABR in an NSSA are: routes
carried in Type 5 LSAs into other areas, and routes carried in Type 7 LSAs into the NSSA.
Specify the no-import-route parameter on the ABR if the external routes it imports are not
required learning for the NSSA. Configure the nssa no-import-route command on R4 in Area
4 as required by this section.
3. This section requires that external routes imported by R4 not be imported into Area 3.
Area 3 is a common area and so requires routes carried in Type 5 LSAs to be filtered on its
ABR. Use ACLs on the ABR to prohibit these routes from being advertised into Area 3. An
additional measure against the import of external routes to SW2 and consequently into Area 3
is to prevent such routes imported by R4 from being imported by R1 into IS-IS. However, these
external routes will not be imported to SW2 and then into Area 3, so this operation is not
required. This is because of route tag and filtering that prevent routing loops and sub-optimal
routes when two routing protocols on two devices import routes from each other. The route tag
and filtering used for OSPF and IS-IS protocols thus prevents routes imported from OSPF into
IS-IS through R1 from being imported from SW2 into OSPF.
R4:
ospf 1
area 0.0.0.2
vlink-peer 10.1.5.5
R5:
ospf 1
area 0.0.0.2
vlink-peer 10.1.4.4
After a vlink is configured, traffic is load balanced between the FR network and the PPP
link. Set the cost of the interface on the network segment 10.1.45.0 to a smaller value (the
default value is 48).
R4 and R5:
interface Serial1/0/1
ospf cost 47
The network segment 10.1.45.0 is preferred and the FR link functions as the backup.
R4:
interface Serial1/0/0
ospf authentication-mode md5 1 plain HuaWei
ospf 1
area 1
vlink-peer 10.1.41.11 md5 1 plain HuaWei
area 2
vlink-peer 10.1.5.5 md5 1 plain HuaWei
R5:
interface Serial1/0/0
ospf authentication-mode md5 1 plain HuaWei
ospf 1
area 2
vlink-peer 10.1.4.4 md5 1 plain HuaWei
SW1:
ospf 1
area 1
vlink-peer 10.1.4.4 md5 1 plain HuaWei
Note:
1. When configuring authentication in OSPF Area 0, pay attention to virtual links because
they belong to Area 0. In the exam, a virtual link must be established between R4 and SW1.
Ensure that it is established by configuring Area 0 authentication on SW1 after Area 0
authentication is configured on R4.
2.1.1.9 RIP
Run RIPv2 on R6 and ensure that only BB1-connected S1/0/1 can send and receive
packets.
On R6, configure RIP and IS-IS to import routes from each other. Configure IS-IS
to summarize imported RIP routes so that other IS-IS routers can only view the
summarized route 212.18.0.0/22.
Configure R6 to set the cost of routes imported by IS-IS to 200 and tag to 200.
Disable RIP automatic summarization and use manual summarization on R6 so that
it sends only one route 10.1.0.0/16 to BB1.
R6:
rip 1
undo summary
version 2
network 157.68.0.0
import-route isis 1
filter-policy ip-prefix to_bb1 export Serial1/0/1
interface Ethernet2/0/1
undo rip output
undo rip input
isis 1
import-route rip 1 cost 200 tag 200 level-1 route-policy from_bb1
summary 212.18.0.0 255.255.252.0 level-1 tag 200
int s1/0/1
rip summary-address 10.1.0.0 255.255.0.0 avoid-feedback
Note:
1. BB1 and BB2 connect to R6 with IP addresses from the same unsubnetted network. RIP
can only advertise routes to the unsubnetted network segment. However, this section requires
that only S1/0/1 connecting R6 to BB1 send and receive RIP packets. Therefore, configure the
interface connecting R6 to BB2 not to send or receive RIP routes to control RIP packet flow.
In RIP, the passive-interface function can only prohibit RIP from sending Update packets but
cannot prohibit RIP from receiving Update packets.
2. After RIP and IS-IS import routes from each other, IS-IS can learn four specific routes
from RIP: 212.18.0.0/24, 212.18.1.0/24, 212.18.2.0/24, and 212.18.3.0/24. This section
requires that other IS-IS routers can view only the summarized route 212.18.0.0/22. To meet
this requirement, configure route summarization when IS-IS imports RIP routes and use
ip-prefix for exact route matching to filter other imported external routes.
3. When RIP imports IS-IS routes, configure route summarization because all learned IS-IS
routes are specific routes. To filter 157.68.3.0/24, the BB3 route that does not belong to the
network segment 10.1.0.0, use ip-prefix for exact route matching so that R6 sends BB1 only
one route 10.1.0.0/16.
R1:
isis 1
import-route ospf 1 level-1 tag 122 route-policy OSPF2ISIS
summary 10.1.4.0 255.255.254.0 level-1
ospf 1
import-route isis 1 tag 1022 route-policy ISIS2OSPF
preference ase route-policy external
SW2:
isis 1
import-route ospf 1 level-1 tag 2210 route-policy OSPF2ISIS
summary 10.1.4.0 255.255.254.0 level-1
ospf 1
R3:
interface Ethernet2/0/1
isis cost 20
Note:
Routing loops and sub-optimal routes may occur when two routing protocols on two devices
import routes from each other.
After one OSPF external route is imported into IS-IS through R1, this route may be imported
into OSPF again through SW2 unless you filter it.
Multiple methods can filter these routes. For example, use ACLs or ip-prefix to match
specific routes for filtering. However, these matching policies need to be manually modified
when routes on the network change, resulting in poor scalability. As both OSPF and IS-IS
routes can carry the tag, set the tag to filter routes imported between two routing protocols.
In OSPF, the preference of internal and external routes is 10 and 150 respectively. In IS-IS,
both have a preference of 15. In this exam, after R1 imports an OSPF external route
into IS-IS, SW2 can learn this route through OSPF and IS-IS. Route selection rules dictate
that SW2 will use the route learned through IS-IS, leading to a sub-optimal route. To prevent
this, change the OSPF external route preference to a value between 10 and 15.
OSPF routes are imported on SW2 and filtered by R1, and OSPF routes are imported on R1
and filtered by SW2. There may be other methods.
Device 1 Device 2
R4 BB3
R4 R5
R5 R1
R1 R3
R1 R2
R3 SW2
R3 R2
R2 R6
R6 BB2
R1:
bgp 200
peer 10.1.2.2 as-number 200
peer 10.1.13.3 as-number 300
peer 10.1.145.5 as-number 400
ipv4-family unicast
peer 10.1.145.4 enable
peer 10.1.2.2 enable
peer 10.1.13.3 enable
R2:
bgp 200
peer 10.1.1.1 as-number 200
peer 10.1.1.1 connect-interface LoopBack0
peer 10.1.23.3 as-number 300
peer 10.1.6.6 as-number 200
peer 10.1.6.6 connect-interface LoopBack0
ipv4-family unicast
peer 10.1.1.1 enable
peer 10.1.1.1 reflect-client
peer 10.1.23.3 enable
peer 10.1.6.6 enable
peer 10.1.6.6 reflect-client
R3:
bgp 300
R4:
bgp 400
peer 10.1.5.5 as-number 400
peer 10.1.5.5 connect-interface LoopBack0
peer 157.68.3.254 as-number 33
ipv4-family unicast
peer 10.1.5.5 enable
peer 157.68.3.254 enable
R5:
bgp 400
peer 10.1.4.4 as-number 400
peer 10.1.4.4 connect-interface LoopBack0
peer 10.1.145.1 as-number 200
ipv4-family unicast
peer 10.1.145.1 enable
peer 10.1.4.4 enable
R6:
bgp 200
peer 10.1.2.2 as-number 200
peer 10.1.2.2 connect-interface LoopBack0
peer 157.68.2.254 as-number 22
peer 157.68.2.254 password simple HW
ipv4-family unicast
peer 10.1.2.2 enable
peer 157.68.2.254 enable
SW2:
bgp 300
peer 10.1.32.3 as-number 300
ipv4-family unicast
peer 10.1.32.3 enable
Note:
IP addresses of physical interfaces on routers may become invalid due to line faults. This
will interrupt BGP neighbor relationships established using these IP addresses. This problem
does not occur on loopback interfaces, especially when there are redundant routes between two
BGP routers. Therefore, the use of loopback interface addresses enhances BGP connection
reliability and is common in IBGP connections.
Note:
R4 and R5 establish the BGP connection through Loopback0 interfaces so that BGP function
is maintained when the serial link between them is interrupted.
R1 and R5 establish an EBGP connection so that the next hop of BGP routes to AS 33 that
are received by R1 from R5 is 10.1.145.5. However, these BGP routes on R5 still point to R4.
When data destined for AS 33 is sent from R1, the data will be sent to R5 using BGP routing.
After discovering that the next hop of the data in the BGP routing table does not reside on a
directly connected network segment, R5 performs recursive route query. In this case of an
interrupted serial link between R4 and R5, R5 finds the directly connected next hop
10.1.145.4. The special FR structure prevents R5 from directly sending the data to R4. R5 can
only send the data to R1 instead, causing a routing loop during data transmission between R1
and R5.
To prevent this loop and ensure normal data transmission when the serial link between R4
and R5 is interrupted, change the BGP next hop.
SW2:
bfd
bgp 300
peer 10.1.32.3 bfd min-tx-interval 300 min-rx-interval 300
peer 10.1.32.3 bfd enable
R2:
bgp 200
peer 10.1.1.1 advertise-community
R4:
bgp 400
ipv4-family unicast
aggregate 10.1.0.0 16 detail-suppressed as-set
R6:
bgp 200
aggregate 220.20.0.0 22 attribute-policy attribute origin-policy origin
peer 10.1.2.2 advertise-community
Note:
AS_Path information carried in specific routes will be lost during route summarization. To
prevent the summarized route from being sent back to the ASs that specific routes pass
through, use the as-set parameter to allow the summarized route to carry the numbers of these
ASs.
R3:
bgp 300
ipv4-family unicast
peer 10.1.32.22 route-policy DEFAULT export
peer 10.1.32.22 default-route-advertise
R2:
bgp 200
ipv4-family unicast
peer 10.1.23.3 route-policy ONLY200 export
if-match as-path-filter 1
ip as-path-filter 1 permit ^$
R3:
route-policy PRE permit node 10
apply preferred-value 10
bgp 300
peer 10.1.23.2 route-policy PRE import
4.1.1.1 PIM
Enable multicast routing on R1, R2, R4 and SW1.
Enable PIM sparse mode on FR links from R1 to R2 and from R1 to R4.
Enable PIM sparse mode on R4 E2/0/0, R1 G0/0/0, SW1 VLAN 3 and SW1
VLAN 41.
R1:
multicast routing-enable
interface Serial2/0/0
pim sm
interface Serial1/0/0
pim sm
interface GigabitEthernet0/0/0
pim sm
R2:
multicast routing-enable
interface Serial1/0/0.1 p2p
pim sm
R4:
multicast routing-enable
interface Ethernet2/0/0
pim sm
interface Serial1/0/0
pim sm
SW1:
multicast routing-enable
interface Vlanif3
pim sm
interface Vlanif41
pim sm
4.1.1.2 RP
The IP address of Loopback 0 on R1 is used as RP for the following multicast
ranges.
225.10.0.0 - 225.10.255.255
225.26.0.0 - 225.26.255.255
225.42.0.0 - 225.42.255.255
225.58.0.0 - 225.58.255.255
The IP address of Loopback 0 on R4 is used as RP for the following multicast
ranges.
226.37.0.0 - 226.37.255.255
226.45.0.0 - 226.45.255.255
227.37.0.0 - 227.37.255.255
227.45.0.0 - 227.45.255.255
Configure the minimum number of ACL rules to achieve this.
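Added example (not part of the original answer key): the "minimum number of ACL rules" requirement depends on whether each RP's four /16 ranges collapse into one address/wildcard pair with non-contiguous wildcard bits. The Python below derives that pair and proves it matches exactly the listed ranges and nothing else; it assumes the ACL accepts non-contiguous wildcard masks, and the function names are hypothetical.

```python
import ipaddress

# The two range sets from the task, written as /16 prefixes.
R1_GROUPS = ["225.10.0.0/16", "225.26.0.0/16", "225.42.0.0/16", "225.58.0.0/16"]
R4_GROUPS = ["226.37.0.0/16", "226.45.0.0/16", "227.37.0.0/16", "227.45.0.0/16"]


def single_wildcard_rule(prefixes):
    """Return (base, wildcard) if ONE rule matches exactly these prefixes.

    Returns None when a single rule would also match addresses outside
    the requested prefixes (an over-permissive ACL).
    """
    nets = [ipaddress.ip_network(p) for p in prefixes]
    bases = [int(n.network_address) for n in nets]

    # "Don't care" bits: every host bit, plus every bit on which the
    # network addresses disagree with each other.
    wildcard = 0
    for net in nets:
        wildcard |= int(net.hostmask)
    for base in bases:
        wildcard |= base ^ bases[0]

    base = bases[0] & ~wildcard & 0xFFFFFFFF

    # The rule matches 2^(number of wildcard bits) addresses. Every wanted
    # address is matched by construction, so the rule is exact only when
    # that count equals the size of the union of the wanted prefixes.
    matched = 1 << bin(wildcard).count("1")
    wanted = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    if matched != wanted:
        return None
    return str(ipaddress.IPv4Address(base)), str(ipaddress.IPv4Address(wildcard))


def rule_matches(addr, base, wildcard):
    """Evaluate one address against a base/wildcard pair as an ACL would."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a ^ b) & ~w & 0xFFFFFFFF == 0


if __name__ == "__main__":
    for name, groups in (("R1", R1_GROUPS), ("R4", R4_GROUPS)):
        print(name, single_wildcard_rule(groups))
    # Three of the four R1 ranges cannot be expressed exactly by one rule.
    print("partial set:", single_wildcard_rule(R1_GROUPS[:3]))
```

A None result means one rule would be wider than the requirement, which is the case to catch before a compact wildcard is used to scope an RP or a filter.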
4.1.1.3 IGMP
Configure R1 G0/0/0 to send IGMP General Query messages at 5 second intervals.
The maximum response time for IGMP Query messages should be 3s on R1
G0/0/0.
Use an ACL to prevent users on R1 G0/0/0 segment from joining the multicast
group 226.37.1.1.
R1:
interface GigabitEthernet0/0/0
igmp enable
igmp timer query 5
igmp max-response-time 3
v. Section 5: IPv6
R3:
ipv6
interface Serial1/0/1
ipv6 enable
ipv6 address 2001:10:1:13::3/64
interface Ethernet2/0/1
ipv6 enable
ipv6 address 2001:10:1:32::3/64
SW2:
ipv6
interface Vlanif18
ipv6 enable
ipv6 address 2001:10:1:32::22/64
5.1.1.2 RIPng
Enable RIPng on the PPP link between R1 and R3.
Enable RIPng on the Ethernet link between R3 and SW2.
R1:
ripng 1
interface Serial1/0/1
ripng 1 enable
R3:
ripng 1
interface Serial1/0/1
ripng 1 enable
interface Ethernet2/0/1
ripng 1 enable
SW2:
ripng 1
interface Vlanif18
ripng 1 enable
R1:
traffic classifier data
if-match dscp af11
traffic classifier video
if-match dscp af21
traffic classifier control
if-match dscp cs6
drop-profile data
wred dscp
dscp 10 low-limit 70 high-limit 85 discard-percentage 60
drop-profile video
wred dscp
dscp 18 low-limit 80 high-limit 95 discard-percentage 60
traffic behavior data
queue af bandwidth pct 45
drop-profile data
traffic behavior video
queue af bandwidth pct 30
drop-profile video
traffic behavior control
queue ef bandwidth pct 5
R3:
interface Serial1/0/1
qos car inbound cir 2000 cbs 376000 pbs 626000 green pass yellow discard red discard
Note:
Use different optimization policies for packets with different DSCP priorities.
Configure filtering conditions based on source and destination IP addresses and port
numbers.
7.1.1.3 uRPF
DoS attacks with forged source IP addresses occur on E2/0/1 of R3. To solve this
problem, use uRPF for IPv4 packets on E2/0/1 of R3.
Configure uRPF for IPv6 packets on R3 E2/0/1. Packets with a source address in
the FIB may be forwarded. It is not necessary for the outbound interface in the FIB
to match the inbound interface of the packets.
R3:
interface Ethernet2/0/1
urpf strict
Note:
Compared with the loose mode, the strict mode offers better defense against DoS attacks
with forged source IP addresses.
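Added example (not part of the original answer key): a small Python model of the two uRPF checks described in this section, strict for IPv4 and the loose behaviour required for IPv6. The FIB entries are constructed for illustration and are not R3's real table; the model ignores default-route handling and equal-cost paths.

```python
import ipaddress

# Constructed FIB: (prefix, outbound interface). Illustrative only.
FIB = [
    ("10.1.32.0/24", "Ethernet2/0/1"),
    ("10.1.13.0/24", "Serial1/0/1"),
    ("10.1.0.0/16", "Serial1/0/1"),
    ("2001:10:1:32::/64", "Ethernet2/0/1"),
    ("2001:10:1:13::/64", "Serial1/0/1"),
]


def lookup(fib, src):
    """Longest-prefix match on the SOURCE address; returns the outbound
    interface of the best route, or None if no route covers it."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifname in fib:
        net = ipaddress.ip_network(prefix)
        if net.version != addr.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, ifname)
    return best[1] if best else None


def urpf_permits(fib, src, in_if, mode):
    """Return True if a packet from src arriving on in_if passes uRPF.

    loose:  a route back to the source exists on any interface.
    strict: the route back to the source leaves through in_if.
    """
    if mode not in ("strict", "loose"):
        raise ValueError("mode must be 'strict' or 'loose'")
    out_if = lookup(fib, src)
    if out_if is None:
        return False          # unroutable source: dropped in both modes
    if mode == "loose":
        return True
    return out_if == in_if


if __name__ == "__main__":
    # Constructed packets, all arriving on Ethernet2/0/1.
    samples = ["10.1.32.22", "10.1.13.1", "203.0.113.9",
               "2001:10:1:32::22", "2001:10:1:13::1", "2001:db8::1"]
    for src in samples:
        strict = urpf_permits(FIB, src, "Ethernet2/0/1", "strict")
        loose = urpf_permits(FIB, src, "Ethernet2/0/1", "loose")
        print(f"{src:20} strict={strict!s:5} loose={loose}")
```

Loose mode only drops sources with no route at all, so a forged source that is routable elsewhere in the network still passes; strict mode drops it, which is the difference the note above describes.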
Section 8: IP feature
8.1 NetStream
NMS personnel require key information in packets received by G0/0/0 on R6
through NetStream. Set the packet sampling interval to 100 ms and configure
aggregation using Protocol-Port to collect exported packets. The address of the
NetStream server is 10.1.26.200 and the port number is 6000. The exported packets
must carry BGP next hop information and MPLS information.
R6:
int g0/0/0
ip netstream sampler fix-time 100 inbound
ip netstream inbound
ip netstream aggregation protocol-port
enable
export version 9
ip netstream export source 10.1.26.6
ip netstream export host 10.1.26.200 6000
Note:
1. Time-based regular sampling meets sampling requirements.
2. Exported version v9 meets the statistical requirements.