ccnp tshoot lab manual configuration files
A frame that belongs to the native VLAN is not tagged when it passes over the trunk.
After aggregate-address 192.168.0.0 255.255.0.0 as-set is configured, R1 can only learn 2.0 and the summary route is rejected. The reason is that 1.0 carries the no-adver community, and when the as-set keyword is added the summary route inherits that community, so the summary route also carries no-adver, this time
Exit
802.1q
13
END
Because an ARP reply can be sent directly without a preceding ARP request, an attacker can construct an ARP reply message and send it to the attack target to refresh the ARP table, achieving the same ARP spoofing purpose.
32 bits
Dhcp-snooping
4.3.1 improvements 35
* i100.0.1.0/24
Values are " i ", which is better than "?"
R4#sh ip ro 192.168.1.0
Detailed rules
Route-map test deny 10 match tag 1111
Neighbor 3.3.3.3 update-source Loopback0 neighbor 3.3.3.3 next-hop-self
Next Hop
Reviewer
15
Experimental example: Calling in the distribution list
Configuration last modified by 0.0.0.0 at 3-5-93 02:01:49
1,10,20,30
Experimental verification
1
After the MAC sublayer of A is added to the MAC address and the LENGTH field, it is sent to the data link.
BGP
Each sequence number statement in the Route-map is equivalent to each row in the access control list. Top-down processing in the order of the serial number, once the matching sequence is found, it will not continue to search.
!
Port
Static routes
In the IGP , the network command is used to determine which interfaces to send and receive routing updates, and which directly connected networks.
.*
However, we found that R4 did not pass these two routes to R5, which is the effect of the IBGP split horizon principle. According to the IBGP split horizon principle, a BGP router that learns BGP routes from its IBGP neighbors will not pass these BGP routes to other IBGP neighbors. The reason for setting this rule is that BGP loop prevention needs to resort to
The configuration of R5 is as follows:
Async Async interface
Set the outgoing interface of the data
100.0.1.0 the BGP route, preferably up to R5 .
Discard (that is , the combination of disabling, blocking, and listening in 802.1D )
Static Routing
10.1.13.1
Note that while the TC While timer is running on the port, BPDUs sent by the port will have the TC bit set, and the BPDU will also be sent out from the root port.
If the aggregate-address does not contain any keywords, the details are also passed, and the summary route is also passed.
Vlans in spanning tree forwarding state and not pruned
BVI Bridge-Group Virtual Interface
Experimental example: Called when republishing
Administrative distance problem
Trunking
* i100.0.2.0/24
R1 uses 1.1.1.1 as the update source, trying to establish a BGP connection with 2.2.2.2 , and the local IP address of R2 is 1.1.1.1 , and
LocPrf
Interface vlan 10
The configuration of R4 is as follows:
UDLD mode of operation
If the local end has this feature enabled and the next-hop device does not support CDP, the router switches to the next next-hop. If there is no further next-hop, PBR is skipped.
The mapped ethernet vlan will be blocked
Metric
Neighbor 5.5.5.5 update-source Loopback0
?
4
The route-map used by exist-map has at least the following two match statements:
Ip default-network 172.16.3.0
Represents a range. Matches only one of the characters contained in the range.
*>i
Redirection enabled
The following priorities are reduced in order: default-originate (for each neighbor configuration), default-information-originate (for each address cluster configuration), network , redistribute , aggregate-address
?
Native vlan
Ip default-network 172.16.3.0
EtherType
Internal 0 packets, 0 bytes
After SW3 receives this message, it knows that SW2 no longer has VLAN 10 users and no longer needs VLAN 10 traffic, so it prunes VLAN 10 on its own Fa0/22 port:
Passive interface
SW1(config-if)# switchport nonegotiate
Port-Security
Route metric is 0, traffic share count is 60
At this point, a policy is applied on R1 toward R4 that inserts the AS numbers 100 100 into the AS_PATH of route 10.0, and R5 prefers R3. Why does R5 select R3? The experimental results show that R5 received two routes, one from a confederation EBGP neighbor and one from an EBGP neighbor, and it finally preferred the route from the EBGP neighbor.
Basic experiment
In the BGP table, only one route is preferred, which should be R3 (because R3's Router ID 3.3.3.3 is less than R5's 5.5.5.5).
1
Route-map test permit 10 Set origin incom
Select the route with the smallest neighbor IP address (the address of the neighbor in the BGP neighbor configuration, that is, the update source IP of the neighbor).
Priority 120 (configured)
SW1(config-if)# switchport trunk allowed vlan ?
Next, ping 30.30.30.0/24 from R1 with 10 ICMP packets; the corresponding traffic can then be seen on R2:
Holddown timers are ignored in some versions of IOS , that is, they do not take effect even if they are set.
Interface s0/0
Unicast Update
100
The configuration of R2 is similar to the above. The key is to look at the configuration of R3 :
...
R5#show ip bgp 11.11.11.0
MED
Milne's packet was sent to Roo because he learned the wrong one.
Dialer Dialer interface
However, setting every inter-switch interface to DAI trust is not always free of problems; in certain circumstances it leaves a security risk. For example, in the figure above, assume switch A does not support DAI. If port 3/3 of B is configured as trusted, then PC1 can perform ARP spoofing against B and PC2, even though B runs DAI. Therefore, DAI only ensures that a terminal PC connected to a switch running DAI cannot perform illegal ARP actions.