CCIE Security Lab Combat Learning


I. Source of information:

The CCIE Security Lab is now at V4, but I could not find any relevant books for it on the Internet, only ones for V3. Honestly, the translation is not very good, but I could not find the corresponding English version available for download, so I can only make do with it.

A. PDF book

http://file1.51cto.com/?mod=getCode&n=6055rB+G69I9PUJvRigTCTGq5NUL+ bjura06su1iviizjyvnnlvzbkamtqcrphrkl2r4e1bkz+evgqi+ Cplbv3afit04uskh2az3lbeskkfwhrodio4dmudgprgexrlgfczcxmxvajdhg2h++tdwmlv5sbxvwe4abuukalj0eq

B. Attached CD-ROM

Http://static.ishare.down.sina.com.cn/12842876.7z?ssig=uUI0pdcgPj&Expires=1365091200&KID=sina,ishare &ip=1364952020,218.88.5.&fn=ccie%e5%ae%89%e5%85%a8lab%e5%ae%9e%e6%88%98.7z

II. Questions or doubts:

A. Lab 1

English version of Lab 1: http://www.ciscopress.com/articles/article.asp?p=169684

1. R1 redundant management of the switch

The task requires that R4, R5 and R1 can manage the switch at 10.10.45.45, with redundancy configured so that if the link between R1 and R4 fails, R1 can still manage the switch. Looking at the R1 configuration, there is no route to the switch's management address; the switch is only configured with two default routes with different metric values, so this cannot meet the requirement of the task.

My understanding:

① Two static routes on the switch:

ip route 10.50.13.80 255.255.255.240 10.10.45.4

ip route 10.50.13.128 255.255.255.240 10.10.45.5

② Also configure two static routes on R1, with different metric values, and configure tracking:

track 1 interface Ethernet0/2 line-protocol

track 2 interface Ethernet0/3 line-protocol

ip route 10.10.45.0 255.255.255.0 10.50.13.84 track 1

ip route 10.10.45.0 255.255.255.0 10.50.13.135 track 2

2. BGP next-hop-self

① For a route learned from EBGP, if the next hop is not changed to self, the internal IBGP peers may fail to learn the external route, because the external address is normally unreachable from inside.

② next-hop-self only changes the next hop to the router's own address for routes learned from EBGP when they are advertised to an IBGP peer; it does not change the next hop of routes learned from IBGP. That is, A-B-C is the same as 1 router: A and B establish a neighbor relationship, B and C establish a neighbor relationship, and B is the route reflector; when B tells A a route learned from C, it does not change the next-hop address.

③ The following is the content from the attached CD. In the entry *>i122.122.122.0/24 10.50.13.129, this is obviously an R2 (IBGP peer) address with R1's address as the next hop, which should not be the case (is this from an earlier version of IOS?).

R5#show ip bgp
BGP table version is 255, local router ID is 5.5.5.5
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*>i16.16.16.0/24 10.50.13.129 0 3 i
*>i111.111.111.0/24 10.50.13.129 0 0 i
*>i122.122.122.0/24 10.50.13.129 0 0 i
*> 144.144.144.0/24 10.10.45.4 0 0 2 i
*>i166.166.166.0/24 10.50.13.129 0 3 i

The following is the result of my actual test (my interface addresses differ from those in the book; the last octet of each of my interface addresses is the router's number):

R5#show ip bgp
BGP table version is 7, local router ID is 5.5.5.5
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*>i16.16.16.0/24 10.50.13.131 0 0 3 i
*>i111.111.111.0/24 10.50.13.131 0 0 i
* i122.122.122.0/24 10.50.13.42 0 0 i
*> 144.144.144.0/24 10.10.45.4 0 0 2 i
*>i166.166.166.0/24 10.50.13.131 0 0 3 i

--- R5 cannot reach 10.50.13.42, because the R1 and R5 interface addresses use a 27-bit mask, which is inconsistent with the 28-bit mask of 10.50.13.42, so RIPv1 cannot advertise the route to R5.

--- This can be resolved by declaring network 10.50.13.32 mask 255.255.255.240 in BGP on R1, but this also causes R3 and R4 to learn the internal route through EBGP.

--- Another solution is to turn off BGP synchronization on R1. Because OSPF on R2 uses the default-information originate always command to generate a default route, which can be redistributed through R1 into RIPv1, R5 also gets a default route.
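The RIPv1 behaviour behind the unreachable next hop, as an added Python sketch (not from the book or its CD). It is a simplified model of the classful advertisement rule; the R1 interface address 10.50.13.131/27 toward R5 and the subnet 10.50.13.32/28 containing 10.50.13.42 are assumptions derived from the masks stated above.

```python
import ipaddress


def classful_network(addr):
    """Return the classful (major) network that contains addr."""
    first_octet = int(str(addr).split(".")[0])
    prefix = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def ripv1_advertisement(route, out_iface):
    """Model what RIPv1 sends for `route` out of `out_iface`.

    RIPv1 updates carry no subnet mask, so a subnet can only be sent
    when the receiver will infer the correct mask from its own
    interface. Returns the advertised network, or None if suppressed.
    """
    route = ipaddress.ip_network(route)
    iface = ipaddress.ip_interface(out_iface)
    route_major = classful_network(route.network_address)
    iface_major = classful_network(iface.ip)

    if route_major != iface_major:
        # Crossing a major-network boundary: only the classful summary is sent.
        return route_major
    if route.prefixlen == iface.network.prefixlen:
        # Same major network and same mask: the subnet itself is sent.
        return route
    # Same major network but a different mask: the subnet is not advertised.
    return None


if __name__ == "__main__":
    # Constructed inputs (assumed addressing, see lead-in).
    cases = [
        ("10.50.13.32/28", "10.50.13.131/27"),   # the case in the notes
        ("10.50.13.32/28", "10.50.13.131/28"),   # masks made consistent
        ("122.122.122.0/24", "10.50.13.131/27"), # different major network
    ]
    for route, iface in cases:
        print(f"{route} out {iface} -> {ripv1_advertisement(route, iface)}")
```
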
