CCIE Lab Breakdown Practice Exercises (Plannet_Practice_Labs)_.Vol_2

Updated: 2023-06-11 01:02:01


ccie, java, security, tutorials, collections, reference materials, handbooks

Contributed by cuiguohao66
IT认证部落 CCIE-LAB
CCIE Lab Practice Exam II
Advanced Practice Lab for the CCIE R&S Lab Exam
Introduction
This is an additional 4 hours of advanced material. This material will build on top of the previous CCIE Practice lab (Practice CCIE Lab Exam I). There is no need to erase any previous configuration, and the final configurations used for part 1 will be used as the starting configurations for this lab.
Network Diagrams
Practice Lab for the CCIE R&S Lab Exam Part II
The applicable network diagrams are shown below:
Diagram 1: IP Addressing/Network Topology
Study Guide From
IT认证部落 CCIE-LAB
Diagram 2: Routing Protocol Topology
Lab Configuration Tasks
Note: CCIE Lab Practice Exam I must be completed before this lab, as its final lab configurations are used as the starting point for this lab.
1.0 Switching
STEP 1 (2 points)
1. Make sure that you can adjust the configuration of the range of ports, 19 - 20, using the name "Ether".
STEP 2 (2 points)
1. Ensure that port 0/15 on CAT1 will not forward normal traffic until the device connected to it has authenticated with the RADIUS server at 140.4.55.5 using the default authentication port and the key "cisco".
STEP 3 (2 points)
1. Using an extended named access list on CAT2, block all traffic from Ethernet Type 6000 on port 0/5.
2.0 OSPF
STEP 1 (2 points)
1. Configure the link between CK6 and CK8 with Clear Text Authentication using the password "ccie".
STEP 2 (2 points)
1. Setup area 100 to use MD5 authentication with the password "cisco".
3.0 Redistribution
STEP 1 (2 points)
1. Ensure that the RIP routes are seen as a single route past CAT1. No NULL0 routes should be seen in any routing table.
4.0 BGP
STEP 1 (2 points)
1. Shut down CK6's Frame Relay interface and ensure that CAT2 can still ping the 211.1.1.1 address and that CAT1 can still ping the 199.36.36.36 address.
STEP 2 (1 point)
1. AS 100 should receive the 199.36.36.0/24 network with a metric of 1000 from CAT1 -- do not change anything on the Backbone router.
5.0 DLSW+
STEP 1 (2 points)
1. Ensure that all of the routers that CK6 may peer with know that it has no available NetBIOS. Do this without the use of an access list.
6.0 CAR
STEP 1 (4 points)
1. Apply queuing inbound on CK13's ATM 2/0 interface such that:
a. Any DNS traffic that conforms to 1 Mbps with a normal burst of 1.5 Mbps and a maximum burst of 3 Mbps should have its precedence set to "flash-override". If the traffic exceeds these settings, it should have its precedence set to "routine".
b. Any Telnet traffic that conforms to 800000 bps with a normal burst of 1.2 Mbps and a maximum burst of 1.6 Mbps should have its precedence set to "critical". If the traffic exceeds these settings, it should have its precedence set to "priority".
c. All other traffic should pass untouched.
7.0 Multicast
STEP 1 (2 points)
1. Allow Multicast traffic to traverse CK13's ATM 2/0 interface. However, ensure that the multicast address 225.13.13.13 does not go in or out of the ATM 2/0 interface.
8.0 CBWFQ
STEP 1 (4 points)
1. Translate the following Custom Queue list into a CBWFQ and apply it outbound to CK13's Serial 1/0 interface. Don't use access lists to identify the traffic.
queue-list 1 protocol ip 1 udp 53
queue-list 1 protocol ip 2 tcp 23
queue-list 1 protocol ip 3 udp 123
queue-list 1 protocol ip 4
queue-list 1 default 5
queue-list 1 queue 1 byte-count 2000
queue-list 1 queue 2 byte-count 2000
queue-list 1 queue 4 byte-count 2500
queue-list 1 queue 5 byte-count 2000
9.0 NTP
STEP 1 (3 points)
1. Configure CK6 as the NTP master.
2. Use authentication.
3. CK13 and CK8 should use CK6 as their server.
10. IOS Features
STEP 1 (2 points)
1. Configure CK5 so that each Telnet keystroke is not sent as a separate packet. Make sure that the router accumulates the keystrokes until an acknowledgement is received for the previous packet.
Lab Solution Guide
Advanced CCIE Practice Lab II Solution Guide
Solutions
Initial Configuration
The initial configurations for this advanced practice lab are the same as the final configurations for the standard lab (CCIE Lab Practice Exam I). In other words, this lab starts where the other lab finishes.
1.0 Switching
STEP 1 (2 points)
1. Make sure that you can adjust the configuration of the range of ports, 19 - 20, using the name "Ether".
We are going to create a macro for the range of interfaces 19-20 so that we can identify them with the name "Ether". Since it doesn't tell us which switch to do this on, we will do it on both CAT1 and CAT2. The command for both switches will be the same:
define interface-range Ether FastEthernet0/19 - 20
To use this interface range macro, type in:
CAT1(config)#interface range macro Ether
This will allow you to configure ports 19-20 simultaneously.
STEP 2 (2 points)
1. Ensure that port 0/15 on CAT1 will not forward normal traffic until the device connected to it has authenticated with the RADIUS server at 140.4.55.5 using the default authentication port and the key "cisco".
Here, they are looking for us to set up 802.1x port-based authentication. As soon as port 0/15 comes up, the switch will challenge the device hooked to it. If the authentication fails, no traffic will get through. If the authentication succeeds, traffic will be forwarded as normal. To set this up, we need to turn on AAA. We need to specify that we are doing dot1x authentication using a RADIUS server.
aaa new-model
aaa authentication dot1x RESTRICT group radius
Instead of naming the method RESTRICT, you could simply use the default method. We then need to turn on the authentication on the correct port. The authentication can be done only on a Layer 3 port or on a static access port. In this case, we are not given a Layer 3 address, so we must tell the port that it is strictly an access port or we will get an error when we try to apply the authentication.
interface FastEthernet0/15
switchport mode access
no ip address
dot1x port-control auto
Finally, we need to specify the RADIUS server that the switch is going to use for the actual authentication. It states that we are using the default authentication ports for the RADIUS server, so there is no need to type those in.
CAT1(config)#radius-server host 140.4.55.5 key cisco
When you look at the final configuration for this command, you will notice that it did add the default ports into the command. It also automatically added a second line telling the switch to retry 3 times when trying to reach the RADIUS server.
radius-server host 140.4.55.5 auth-port 1812 acct-port 1813 key cisco
radius-server retransmit 3
STEP 3 (2 points)
1. Using an extended named access list on CAT2, block all traffic from Ethernet Type 6000 on port 0/5.
This is an obscure question. When most people hear "extended named access lists", they think IP. In this case, to filter Ethernet Type 6000 traffic, we need to use an Extended Named MAC Access List. We are going to create the access list in global config and apply it inbound to port 0/5. Don't forget that an Extended Named MAC Access List has an implicit deny at the end, just like all other access lists.
CAT2:
mac access-list extended BLOCK
deny any any etype-6000
permit any any
interface FastEthernet0/5
mac access-group BLOCK in
2.0 OSPF
STEP 1 (2 points)
1. Configure the link between CK6 and CK8 with Clear Text Authentication using the password "ccie".
We are going to authenticate only the serial link between CK6 and CK8, not area 68, using clear text authentication. This is done with two commands on each side of the serial interface. Nothing goes under the router process.
CK6:
interface Serial0
ip ospf authentication
ip ospf authentication-key ccie
CK8:
interface Serial0
ip ospf authentication
ip ospf authentication-key ccie
STEP 2 (2 Points)
1. Setup area 100 to use MD5 authentication with the password "cisco".
Here we are going to authenticate area 100 using MD5 authentication. For area authentication, there are two steps. Under the router process, you tell it which type of authentication the area is going to use. Then, under the interfaces that are going to form a neighbor relationship with another router in the same area, you issue the key that they are going to exchange.
CK1:
router ospf 1
area 100 authentication message-digest
interface Ethernet0
ip ospf message-digest-key 1 md5 cisco
CK2:
router ospf 1
area 100 authentication message-digest
interface Ethernet0
ip ospf message-digest-key 1 md5 cisco
interface Loopback0
ip ospf message-digest-key 1 md5 cisco
CK8:
router ospf 1
area 100 authentication message-digest
interface Ethernet0
ip ospf message-digest-key 1 md5 cisco
3.0 Redistribution
STEP 1 (2 points)
1. Ensure that the RIP routes are seen as a single route past CAT1. No NULL0 routes should be seen in any routing table.
All of the RIP routes should be visible to all of the OSPF routers. Now we need to summarize these RIP routes into a single route on CAT1 to keep our routing table small. We are going to use a summary-address command under the OSPF process on CAT1. The summary-address command is used to summarize external routes that have been redistributed into OSPF. It is always done on the ASBR. When this summary-address command is issued, it will inject a NULL0 route into the routing table of CAT1. We need to remove this NULL0 route. That is done with the no discard-route external command. This command will stop external NULL0 routes from being placed into the routing table. If we did an "area X range" to summarize internal OSPF routes on an ABR, we would use the no discard-route internal command to remove the internal NULL0 route.
CAT1:
router ospf 1
no discard-route external
summary-address 192.168.0.0 255.255.252.0
4.0 BGP
STEP 1 (2 points)
1. Shut down CK6's Frame Relay interface and ensure that CAT2 can still ping the 211.1.1.1 address and that CAT1 can still ping the 199.36.36.36 address.
If we shut down CK6's Frame Relay interface, CAT2 will still be able to ping the 211.1.1.1 address. However, CAT1 will not be able to ping the 199.36.36.36 address. When CAT1 tries to ping the 199.36.36.36 address, it will first send the packet to CK8, so let's start there by looking at CK8's routing table:
170.1.0.0/24 is subnetted, 1 subnets
O E2 170.1.1.0 [110/20] via 140.4.88.35, 00:00:48, Ethernet1
140.4.0.0/16 is variably subnetted, 16 subnets, 2 masks
……
O E2 140.4.5.0/24 [110/20] via 140.4.68.6, 00:00:49, Serial0
O E2 140.4.6.0/24 [110/20] via 140.4.68.6, 00:00:49, Serial0
O 140.4.35.0/24 [110/11] via 140.4.88.35, 01:10:15, Ethernet1
O IA 140.4.36.0/24 [110/85] via 140.4.100.1, 00:00:49, Ethernet0
O E2 140.4.56.0/24 [110/20] via 140.4.68.6, 00:00:51, Serial0
O E2 140.4.65.0/24 [110/20] via 140.4.68.6, 00:00:51, Serial0
C 140.4.68.0/24 is directly connected, Serial0
C 140.4.88.0/24 is directly connected, Ethernet1
C 140.4.100.0/28 is directly connected, Ethernet0
O IA 140.4.113.0/24 [110/84] via 140.4.100.1, 00:00:51, Ethernet0
B 199.36.36.0/24 [20/0] via 140.4.6.6, 01:08:35
B 211.1.1.0/24 [200/0] via 170.1.1.254, 01:10:17
O E2 192.168.0.0/22 [110/20] via 140.4.88.35, 00:00:51, Ethernet1
B 208.0.0.0/4 [200/0] via 140.4.35.35, 01:10:17
In order for CK8 to reach the 199.36.36.0 network, it is going to send the packet to the next hop, 140.4.6.6. For CK8 to reach the 140.4.6.6 address, it is going to send the packet to CK6's Serial 0 interface, 140.4.68.6. Let's look at CK6's routing table to see what it is going to do with the packet:
170.1.0.0/24 is subnetted, 1 subnets
O E2 170.1.1.0 [110/20] via 140.4.68.8, 00:07:10, Serial0
140.4.0.0/16 is variably subnetted, 16 subnets, 2 masks
……
O IA 140.4.35.0/24 [110/75] via 140.4.68.8, 00:07:11, Serial0
O IA 140.4.36.0/24 [110/149] via 140.4.68.8, 00:07:11, Serial0
C 140.4.56.0/24 is directly connected, Ethernet0
C 140.4.65.0/24 is directly connected, BRI0
C 140.4.68.0/24 is directly connected, Serial0
O IA 140.4.88.0/24 [110/74] via 140.4.68.8, 00:07:12, Serial0
O IA 140.4.100.0/28 [110/74] via 140.4.68.8, 00:07:12, Serial0
O IA 140.4.113.0/24 [110/148] via 140.4.68.8, 00:07:12, Serial0
B 199.36.36.0/24 [200/0] via 140.4.36.36, 01:16:00
B 211.1.1.0/24 [20/0] via 140.4.8.8, 01:16:00
O E2 192.168.0.0/22 [110/20] via 140.4.68.8, 00:07:12, Serial0
B 208.0.0.0/4 [20/0] via 140.4.8.8, 01:16:00
Looking at CK6, we see that, in order for it to reach the 199.36.36.0 network, it is going to use the next hop 140.4.36.36, and for CK6 to reach 140.4.36.36 it is going to send the packet back to CK8, 140.4.68.8. There is a loop when we shut down CK6's Frame Relay interface; CK6, CK8, and CAT1 will not be able to reach the 199.36.36.36 address when CK6's Frame Relay interface is down.
To fix this problem, use Policy Routing on CK8. Instead of having CK8 send the packets destined for 199.36.36.36 to CK6, we are going to have it send them to CK1. CK1 will forward the packets to CK13, which will finally forward them to CAT2. The first thing we are going to do is to create our access list. The access list is going to permit any traffic that is destined for the 199.36.36.36 address.
CK8:
access-list 150 permit ip any host 199.36.36.36
We are then going to create the route map that will set the packets' next hop to CK1's Ethernet interface. The route map is going to match the access list that we have created and then set those packets that are destined for 199.36.36.36 to have a next hop of 140.4.100.1.
CK8:
route-map FORBGP permit 10
match ip address 150
set ip next-hop 140.4.100.1
We are going to apply this as both a Local and Interface Policy. We are going to apply it as a Local Policy so that any traffic that CK8 generates that is destined for the 199.36.36.36 address will be forwarded to CK1.
CK8:
ip local policy route-map FORBGP
We are also going to apply the policy on the Ethernet 1 interface and the Serial 0 interface. Applying it on the Ethernet 1 interface will allow us to forward any packets that come in the interface from CAT1, destined for 199.36.36.36, to CK1. Applying it to Serial 0 will allow us to forward any packets that come in the interface from CK6, destined for 199.36.36.36, to CK1.
CK8:
interface Ethernet1
ip policy route-map FORBGP
interface Serial0
ip policy route-map FORBGP
The policy routing will not change the way that our routing table looks. However, when a packet comes in Serial 0 or Ethernet 1 interface, it will be run through the policy. If it matches the policy, it will be forwarded to CK1. If it doesn't match the policy, it will be routed normally. Also, any traffic generated by CK8 will be run through the policy. If the traffic matches the policy, it will be forwarded to CK1. If it doesn't match the policy, it will be routed normally. Policy routing will override normal routing.
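The loop and the effect of the route map can be checked mechanically. The following is an added example, not part of the original lab guide: it models a subset of the CK8 and CK6 routing tables shown above, resolves recursive next hops, and traces a packet for 199.36.36.36 with and without the policy. The function names, the `OWNER` map and the `policy` parameter are assumptions made for this illustration.

```python
import ipaddress

# Subset of the routing tables shown above, with CK6's Frame Relay interface down.
# prefix -> next hop, or None when the prefix is directly connected.
TABLES = {
    "CK8": {
        "199.36.36.0/24": "140.4.6.6",    # B, next hop is not directly connected
        "140.4.6.0/24": "140.4.68.6",     # O E2 via Serial0
        "140.4.68.0/24": None,            # C Serial0
        "140.4.100.0/28": None,           # C Ethernet0
    },
    "CK6": {
        "199.36.36.0/24": "140.4.36.36",  # B, next hop is not directly connected
        "140.4.36.0/24": "140.4.68.8",    # O IA via Serial0
        "140.4.68.0/24": None,            # C Serial0
    },
}

# Router that owns each directly connected next-hop address, as stated in the text.
OWNER = {"140.4.68.6": "CK6", "140.4.68.8": "CK8", "140.4.100.1": "CK1"}


def lookup(table, dst):
    """Longest-prefix match. Returns the next hop, or None if dst is connected."""
    addr = ipaddress.ip_address(dst)
    matches = [ipaddress.ip_network(p) for p in table
               if addr in ipaddress.ip_network(p)]
    if not matches:
        raise LookupError(f"no route to {dst}")
    best = max(matches, key=lambda n: n.prefixlen)
    return table[str(best)]


def resolve(table, dst, max_depth=8):
    """Follow recursive next hops until one sits on a connected network."""
    hop = dst
    for _ in range(max_depth):
        next_hop = lookup(table, hop)
        if next_hop is None:
            return hop
        hop = next_hop
    raise RuntimeError(f"recursive lookup for {dst} did not terminate")


def trace(start, dst, policy=None, max_hops=8):
    """Return (path, looped). `policy` maps a router name to the next hop its
    route map forces for dst, overriding the routing table on that router."""
    policy = policy or {}
    path, router = [start], start
    while len(path) <= max_hops:
        hop = policy.get(router) or resolve(TABLES[router], dst)
        neighbor = OWNER[hop]
        if neighbor in path:
            return path + [neighbor], True
        path.append(neighbor)
        if neighbor not in TABLES:       # left the routers modelled here
            return path, False
        router = neighbor
    return path, True


if __name__ == "__main__":
    print(trace("CK8", "199.36.36.36"))
    print(trace("CK8", "199.36.36.36", policy={"CK8": "140.4.100.1"}))
```

The first trace shows the CK8, CK6, CK8 loop; the second shows the policy handing the packet to CK1 instead.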
STEP 2 (1 Point)
1. AS 100 should receive the 199.36.36.0/24 network with a metric of 1000 from CAT1 -- do not change anything on the Backbone router.
Here we are going to adjust the MED that Backbone 1 uses to see the 199.36.36.36 route. The MED should always be applied outbound, so there is no need to change anything on the Backbone 1 router, which you are locked out of anyway. On CAT1, we are going to create a route map that matches the single 199.36.36.0/24 network and changes its MED to 1000. It will let all other routes through untouched. We'll then apply this route map outbound to AS 100.
CAT1:
router bgp 3500
neighbor 170.1.1.254 route-map ADJUST out
ip prefix-list MED seq 5 permit 199.36.36.0/24
route-map ADJUST permit 10
match ip address prefix-list MED
set metric 1000
route-map ADJUST permit 20
5.0 DLSW+
STEP 1 (2 points)
1. Ensure that all of the routers that CK6 may peer with know that it has no available NetBIOS. Do this without the use of an access list.
Normally, we could use an access list to accomplish this. NetBIOS uses SAPs F0 and F1 (F0 is the sending SAP and F1 is the receiving SAP). The access list would be in the 200 range and would deny 0xF0F0 0x0101 while permitting all other SAPs. We would then apply this access list to all of our remote-peer statements with the lsap-output-list command. To accomplish this without using an access list, we are going to use the dlsw icannotreach command. DLSW will tell all routers that it peers up with that it can or cannot reach certain things during the capabilities exchange portion of the peering. We are going to specify that CK6 does not have the NetBIOS SAP so that none of the other routers will look to CK6 for any NetBIOS names. We specify only the sending SAP in the icannotreach statement.
CK6:
dlsw icannotreach sap F0
6.0 CAR
STEP 1 (4 points)
1. Apply queuing inbound on CK13's ATM 2/0 interface such that:
a. Any DNS traffic that conforms to 1 Mbps with a normal burst of 1.5 Mbps and a maximum burst of 3 Mbps should have its precedence set to "flash-override". If the traffic exceeds these settings, it should have its precedence set to "routine".
b. Any Telnet traffic that conforms to 800000 bps with a normal burst of 1.2 Mbps and a maximum burst of 1.6 Mbps should have its precedence set to "critical". If the traffic exceeds these settings, it should have its precedence set to "priority".
c. All other traffic should pass untouched.
Here, we are going to set the precedence values on the traffic coming in on the ATM 2/0 interface. We are going to use CAR to adjust the precedence of the inbound traffic types. We don't want to affect all inbound traffic, only DNS and Telnet. We are going to create access lists to specify those types of traffic. We are then going to set the precedence to a specific value if the traffic conforms to the bandwidth limitations, and another, lower precedence if the traffic does not conform to the bandwidth limitations. All of the precedence values are given, with their names. To enter the precedence values into the rate-limit command, we need to know their numerical values. An easy way to do this is to type in an extended access list as follows: (Don't finish it though, just use it to get the precedence values.)
CK13(config)#access-list 100 permit ip any any precedence ?
<0-7>           Precedence value
critical        Match packets with critical precedence (5)
flash           Match packets with flash precedence (3)
flash-override  Match packets with flash override precedence (4)
immediate       Match packets with immediate precedence (2)
internet        Match packets with internetwork control precedence (6)
network         Match packets with network control precedence (7)
priority        Match packets with priority precedence (1)
routine         Match packets with routine precedence (0)
The first value in the rate-limit command, the average, is in bits per second, while the normal burst and the maximum burst are in bytes per second. All of the values given to you are in bits per second so you are going to have to convert them for the burst values.
CK13:
interface ATM2/0
rate-limit input access-group 190 1000000 187500 375000 conform-action set-prec-transmit 4 exceed-action set-prec-transmit 0
rate-limit input access-group 180 800000 150000 200000 conform-action set-prec-transmit 5 exceed-action set-prec-transmit 1
access-list 180 permit tcp any any eq telnet
access-list 190 permit udp any any eq domain
7.0 Multicast
STEP 1 (2 points)
1. Allow Multicast traffic to traverse CK13's ATM 2/0 interface. However, ensure that the multicast address 225.13.13.13 does not go in or out of the ATM 2/0 interface.
To get the multicast traffic to pass across the ATM cloud, we are going to specify the PIM mode for the interface. We then want to limit which multicast groups traffic can pass across the link. We want all of the multicast traffic to go across except the 225.13.13.13 group. We are going to accomplish this with the ip multicast boundary command. We are going to create an access list that denies the specified group and permits all others, and then apply the access list to the multicast boundary so that only those groups specified in the access list are denied. The multicast boundary will stop the specified multicast groups both inbound and outbound.
CK13:
interface ATM2/0
ip pim dense-mode
ip multicast boundary 50
access-list 50 deny 225.13.13.13
access-list 50 permit any
8.0 CBWFQ
STEP 1 (4 points)
1. Translate the following Custom Queue list into a CBWFQ and apply it outbound to CK13's Serial 1/0 interface. Don't use access lists to identify the traffic.
queue-list 1 protocol ip 1 udp 53
queue-list 1 protocol ip 2 tcp 23
queue-list 1 protocol ip 3 udp 123
queue-list 1 protocol ip 4
queue-list 1 default 5
queue-list 1 queue 1 byte-count 2000
queue-list 1 queue 2 byte-count 2000
queue-list 1 queue 4 byte-count 2500
queue-list 1 queue 5 byte-count 2000
Here, we are going to translate this Custom Queue list into a CBWFQ. When doing this, there are a couple of important things to remember. It states that we cannot use access lists to accomplish this. We need to know what protocols the port numbers given to us correspond to. UDP 53 is DNS; TCP 23 is TELNET; and UDP 123 is NTP. We also need to know that the default byte-count of a queue is 1500. There is no byte-count listed for queue 3, NTP, so it will have the default byte-count of 1500. To figure out what percentage of bandwidth each of these queues is going to have for the CBWFQ, we are going to add up the total byte count of all the queues and treat that as 100% of the bandwidth. Once we have our 100%, we are going to divide the individual queues to find our percentages.
We have 2000, 2000, 1500, 2500, and 2000. Adding those together, we get 10000 as our total bandwidth. If we divide each of the queues by 10000, we will come out with:
DNS = 20% of the bandwidth
Telnet = 20% of the bandwidth
NTP = 15% of the bandwidth
IP = 25% of the bandwidth
Default = 20% of the bandwidth
We need to create a class map for each of these types of traffic except the Default. There is a built-in class for the Default traffic called "class-default". This built-in class will automatically encompass any traffic not specified in the other class maps. Also, by default, only 75% of the bandwidth can be assigned to the classes. The other 25% is reserved for the Default traffic. In this case, we want 80% available for the other classes and only 20% of the bandwidth to be available for the Default traffic, so we have two options. We can change the "max-reserved-bandwidth" on the Serial 1/0 interface to 80%. This would allow us to reserve 80% of the bandwidth for our classes and have 20% left over for the Default traffic. If we chose this way, we would not use class-default under the policy map. The other option is the one that we chose. We have changed max-reserved-bandwidth to 100% under the Serial 1/0 interface, and then specified 20% of the bandwidth for class-default. In this case, we are reserving 100% of the bandwidth in the policy map. Based on the protocols that we are matching, we will use NBAR to match protocols.
CK13:
class-map match-all TELNET
match protocol telnet
class-map match-all IP
match protocol ip
class-map match-all NTP
match protocol ntp
class-map match-all DNS
match protocol dns
policy-map CONVERT
class DNS
bandwidth percent 20
class TELNET
bandwidth percent 20
class NTP
bandwidth percent 15
class IP
bandwidth percent 25
class class-default
bandwidth percent 20
interface Serial1/0
max-reserved-bandwidth 100
service-policy output CONVERT
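The conversion above can be reproduced from the queue-list itself. The following is an added example, not part of the original lab guide: it parses the Custom Queue list from the task, applies the default byte-count of 1500 to any queue without one, derives the bandwidth percentages and renders the CBWFQ configuration with max-reserved-bandwidth 100, the option chosen above. The function names and the port-to-NBAR mapping table are assumptions made for this illustration and cover only the three ports used in this lab.

```python
# Custom Queue list exactly as given in the task.
QUEUE_LIST = """\
queue-list 1 protocol ip 1 udp 53
queue-list 1 protocol ip 2 tcp 23
queue-list 1 protocol ip 3 udp 123
queue-list 1 protocol ip 4
queue-list 1 default 5
queue-list 1 queue 1 byte-count 2000
queue-list 1 queue 2 byte-count 2000
queue-list 1 queue 4 byte-count 2500
queue-list 1 queue 5 byte-count 2000
"""

DEFAULT_BYTE_COUNT = 1500  # used for any queue with no byte-count line

# (transport, port) -> NBAR protocol keyword; assumption: only this lab's ports.
NBAR_BY_PORT = {("udp", 53): "dns", ("tcp", 23): "telnet", ("udp", 123): "ntp"}


def parse_queue_list(text):
    """Return (queues, byte_counts).
    queues: queue number -> NBAR keyword, or None for the default queue."""
    queues, byte_counts = {}, {}
    for raw in text.splitlines():
        tok = raw.split()
        if len(tok) < 4 or tok[0] != "queue-list":
            continue
        kind = tok[2]
        if kind == "protocol":            # protocol ip <queue> [tcp|udp <port>]
            queue = int(tok[4])
            if len(tok) == 5:
                queues[queue] = tok[3]    # bare "protocol ip <queue>"
            else:
                key = (tok[5], int(tok[6]))
                if key not in NBAR_BY_PORT:
                    raise ValueError(f"no NBAR keyword known for {key}")
                queues[queue] = NBAR_BY_PORT[key]
        elif kind == "default":           # default <queue>
            queues[int(tok[3])] = None
        elif kind == "queue" and tok[4] == "byte-count":
            byte_counts[int(tok[3])] = int(tok[5])
    return queues, byte_counts


def bandwidth_percentages(queues, byte_counts):
    """Class name -> whole percentage, in queue-number order."""
    sizes = {q: byte_counts.get(q, DEFAULT_BYTE_COUNT) for q in queues}
    total = sum(sizes.values())
    shares = {}
    for q in sorted(queues):
        name = "class-default" if queues[q] is None else queues[q].upper()
        pct, remainder = divmod(sizes[q] * 100, total)
        if remainder:
            raise ValueError(f"queue {q} is not a whole percentage of {total}")
        shares[name] = pct
    return shares


def render_cbwfq(shares, policy="CONVERT", interface="Serial1/0"):
    """Render class maps, the policy map and the interface lines."""
    lines = []
    for name in shares:
        if name != "class-default":       # class-default is built in
            lines += [f"class-map match-all {name}",
                      f" match protocol {name.lower()}"]
    lines.append(f"policy-map {policy}")
    # Queue order is kept so that the catch-all IP class follows DNS/TELNET/NTP.
    for name, pct in shares.items():
        lines += [f" class {name}", f"  bandwidth percent {pct}"]
    lines += [f"interface {interface}",
              " max-reserved-bandwidth 100",
              f" service-policy output {policy}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_cbwfq(bandwidth_percentages(*parse_queue_list(QUEUE_LIST))))
```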
9.0 NTP
STEP 1 (3 points)
1. Configure CK6 as the NTP master.
Whenever you run NTP, four things should be set on all routers, whether they are the Master or Clients. Those things are the time zone, summertime, and the timestamps for the logging and debug messages so they show the date and time, instead of the router's uptime. You will lose points if you do not set these four things. On the Master, you should also set the clock before doing any of the other configurations. There is no mention of what stratum the master should have, so we are just going to leave the default stratum of 8 alone. It is also recommended that you configure an interface to be the source of all of the NTP updates. This way the update source will not change, no matter which interface the NTP packets are exiting. We have chosen to use the Loopback interface since it is always active. (Note: If you set your clock before configuring your time zone and summertime, use GMT time, because the router will adjust for the time zone you enter.)
CK6:
clock set 13:34:00 20 July 2004
service timestamps debug datetime
service timestamps log datetime
clock timezone PST -8
clock summer-time PDT recurring
ntp source Loopback0
ntp master
2. Use authentication.
3. CK13 and CK8 should use CK6 as their server.
The authentication on NTP is a little different from most other things. The Master is not the one doing the authenticating. The Client is going to authenticate the Master. We are going to have CK8 and CK13 use CK6 as their Master. To accomplish this, we are going to add one line, the authentication key, to the Master. All of the other configuration will go on the Clients.
CK6:
ntp authentication-key 1 md5 cisco
CK8:
service timestamps debug datetime
service timestamps log datetime
clock timezone PST -8
clock summer-time PDT recurring
ntp authentication-key 1 md5 cisco
ntp authenticate
ntp trusted-key 1
ntp server 140.4.6.6 key 1
CK13:
service timestamps debug datetime
service timestamps log datetime
clock timezone PST -8
clock summer-time PDT recurring
ntp authentication-key 1 md5 cisco
ntp authenticate
ntp trusted-key 1
ntp server 140.4.6.6 key 1
To verify that the authentication is working, issue the show ntp associations detail command on one of the Clients.
CK8#show ntp assoc detail
140.4.6.6 configured, authenticated, our_master, sane, valid, stratum 8
ref ID 127.127.7.1, time C4A95E79.12A7C079 (14:28:25.072 PDT Wed Jul 21 2004)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.03, reach 377, sync dist 18.661
delay 35.11 msec, offset 2.4039 msec, dispersion 1.08
precision 2**19, version 3
org time C4A95EA7.628B4D20 (14:29:11.384 PDT Wed Jul 21 2004)
rcv time C4A95EA7.666CB9C4 (14:29:11.400 PDT Wed Jul 21 2004)
xmt time C4A95EA7.5D364C4D (14:29:11.364 PDT Wed Jul 21 2004)
filtdelay = 35.11 35.19 35.29 36.03 35.14 34.87 34.88 35.17
filtoffset = 2.40 1.94 1.08 0.79 0.27 0.20 0.26 0.23
filterror = 0.02 0.99 1.97 2.94 2.96 2.98 2.99 3.01
If you do not see the keyword "authenticated" in the first line of the output, authentication is not working. You will still receive the time from the NTP master; however, nothing will stop a rogue Master from sending the wrong time.
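The same check can be run over collected output from many clients. The following is an added example, not part of the original lab guide: it parses show ntp associations detail output and reports every configured association whose first line lacks the "authenticated" keyword. The function names are assumptions made for this illustration, and the second sample is constructed to show the failing case.

```python
import re

# First line of each association block:
#   <peer address> <comma-separated flags>, stratum <n>
HEADER = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(.*?),\s*stratum\s+(\d+)\s*$")
REACH = re.compile(r"\breach (\d+)")

# Leading lines of the CK8 output shown above.
PAGE_OUTPUT = """\
140.4.6.6 configured, authenticated, our_master, sane, valid, stratum 8
ref ID 127.127.7.1, time C4A95E79.12A7C079 (14:28:25.072 PDT Wed Jul 21 2004)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.03, reach 377, sync dist 18.661
"""

# Constructed sample: the same association on a client where "ntp authenticate"
# or the trusted key is missing, so the keyword does not appear.
CONSTRUCTED_OUTPUT = """\
140.4.6.6 configured, our_master, sane, valid, stratum 8
ref ID 127.127.7.1, time C4A95E79.12A7C079 (14:28:25.072 PDT Wed Jul 21 2004)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.03, reach 377, sync dist 18.661
"""


def parse_associations(output):
    """Return one dict per association: peer, flags, stratum, reach."""
    associations = []
    for line in output.splitlines():
        header = HEADER.match(line.strip())
        if header:
            flags = {flag.strip() for flag in header.group(2).split(",")}
            associations.append({
                "peer": header.group(1),
                "flags": flags,
                "stratum": int(header.group(3)),
                "reach": None,
            })
        elif associations:
            reach = REACH.search(line)
            if reach:
                # reach is an octal shift register; 377 means the last 8 polls succeeded
                associations[-1]["reach"] = int(reach.group(1), 8)
    return associations


def unauthenticated(output):
    """Return (peer, role) for configured associations that are not authenticated."""
    findings = []
    for assoc in parse_associations(output):
        flags = assoc["flags"]
        if "configured" in flags and "authenticated" not in flags:
            role = "our_master" if "our_master" in flags else "candidate"
            findings.append((assoc["peer"], role))
    return findings


if __name__ == "__main__":
    print(unauthenticated(PAGE_OUTPUT))
    print(unauthenticated(CONSTRUCTED_OUTPUT))
```

An association reported with the role our_master is the case described above: the client is synchronized to a server it has not authenticated.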
10. IOS Features
STEP 1 (2 Points)
1. Configure CK5 so that each Telnet keystroke is not sent as a separate packet. Make sure that the router accumulates the keystrokes until an acknowledgement is received for the previous packet.
By default, each keystroke in a Telnet session is sent as an individual packet. This can cause a "small packet" problem by using more bandwidth than needed. John Nagle came up with an algorithm that will send the first keystroke as an individual packet, but will buffer the following keystrokes until an acknowledgment is received. It will continue this process, buffering keystrokes, until the acknowledgement is received. This conserves bandwidth. It takes only one line to implement the Nagle algorithm.
CK5:
service nagle
Source: https://www.bwwdw.com/article/jox1.html