IP Level 3 Practical Exam Question Bank
Uplink port:
interface Ethernet1/1
 description to yuanqu-3552
 port link-type trunk
 port trunk permit vlan 2000
3. Campus switch
vlan 2000
Downlink port:
interface Ethernet1/1
 description to loudao switch
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 2000
Uplink port:
interface GigabitEthernet7/1
 description to huiju switch
 duplex full
 speed 1000
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 2000
4. First-level aggregation switch
vlan 2001
acl number 4000
 rule 0 permit ingress 2000 to 3535 egress any
Downlink port:
interface GigabitEthernet2/1/2
 stp disable
 description To_yuanqu switch
 speed 1000
 duplex full
 port link-type hybrid
 port hybrid vlan 2001 untagged
 vlan filter disable (enables QinQ)
 traffic-redirect inbound link-group 4000 rule 0 system-index 41 nested-vlan 2001 (packets that match ACL 4000 rule 0, i.e. the rule for inner VLANs 2000 to 3535, are encapsulated with the outer VLAN 2001 tag)
Uplink port:
interface GigabitEthernet6/1/4
 description To_BAS
 speed 1000
 duplex full
 port link-type hybrid
 port hybrid vlan 2001 tagged
5. BAS (using the 5200G as an example)
radius-server group fzrad
 radius-server authentication 61.131.96.199 1812 weight 0
 radius-server accounting 61.131.96.199 1813 weight 0
 radius-server shared-key (RADIUS password)
 radius-server attribute translate
 radius-attribute translate NAS-Port Nas-port-QinQ send
ip pool fuzhou-1 local
 gateway 59.61.122.1 255.255.254.0
 section 0 59.61.122.2 59.61.122.254
 section 1 59.61.123.1 59.61.123.254
 dns-server 218.85.157.99
 dns-server 218.85.152.99 secondary
interface Virtual-Template1
 ppp authentication-mode auto
 ppp keepalive interval 40 retransmit 3
aaa
 authentication-scheme fzauth
 accounting-scheme fzacct
 domain fzadsl
  authentication-scheme fzauth
  accounting-scheme fzacct
  flow-statistic up
  flow-statistic down
  radius-server group fzrad
  idle-cut 60 0
  ip-pool fuzhou-1
Downlink aggregation port:
interface GigabitEthernet7/0/1.2001
 pppoe-server bind virtual-template 1 //bind the dial-up virtual template
 user-vlan 2000 qinq-vlan 2001 //match inner VLAN 2000, outer VLAN 2001
 undo shutdown
 bas
  access-type layer2-subscriber //set the type of user accessing through the BAS interface to layer-2 subscriber
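Question 19. An MPLS VPN PE router carries three VPN customers, each with a fully meshed network topology: VPN-A (rd 64000:0001, rt 64000:0001), VPN-B (rd 64000:0002, rt 64000:0002) and VPN-C (rd 64000:0002, rt 64000:0002). Originally they cannot reach one another. VPN-A must now be given access to the resources of VPN-B and VPN-C, while VPN-B and VPN-C must still be unable to reach each other. List the implementation method and the relevant commands.
Answer:
Under IP VRF VPN-A add Route-target import 64000:0002 and Route-target import 64000:0003; under IP VRF VPN-B add Route-target import 64000:0001; under IP VRF VPN-C add Route-target import 64000:0001.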
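The route-target logic behind this answer, as an added Python example that is not part of the original question bank: it computes which VRF pairs can exchange routes in both directions from their import and export route-targets, and flags any pair outside the intended policy. VPN-C is assumed to export 64000:0003, the value the answer's import commands use; the shared-RT configuration is constructed to show the failure mode an audit should catch.

```python
# Added example: route-target filtering between VRFs on one PE.
# Assumption: VPN-C's own RT is 64000:0003 (taken from the answer's imports).

def vrf(export, imports):
    """Describe one VRF by the RTs it attaches (export) and accepts (import)."""
    return {"export": set(export), "import": set(imports)}

def reachability(vrfs):
    """Return the (a, b) pairs that hold routes to each other.

    Traffic needs both directions: a must import an RT that b exports,
    and b must import an RT that a exports.
    """
    names = sorted(vrfs)
    pairs = set()
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            a_learns_b = vrfs[a]["import"] & vrfs[b]["export"]
            b_learns_a = vrfs[b]["import"] & vrfs[a]["export"]
            if a_learns_b and b_learns_a:
                pairs.add((a, b))
    return pairs

def unexpected(vrfs, allowed):
    """Pairs that are reachable but not in the intended policy (a route leak)."""
    return reachability(vrfs) - set(allowed)

# Before the change: every VRF imports only its own RT.
BEFORE = {
    "VPN-A": vrf(["64000:0001"], ["64000:0001"]),
    "VPN-B": vrf(["64000:0002"], ["64000:0002"]),
    "VPN-C": vrf(["64000:0003"], ["64000:0003"]),
}
# After the change: the extra imports listed in the answer.
AFTER = {
    "VPN-A": vrf(["64000:0001"], ["64000:0001", "64000:0002", "64000:0003"]),
    "VPN-B": vrf(["64000:0002"], ["64000:0002", "64000:0001"]),
    "VPN-C": vrf(["64000:0003"], ["64000:0003", "64000:0001"]),
}
# Constructed failure mode: two customers configured with the same RT value.
SHARED_RT = {**AFTER, "VPN-C": vrf(["64000:0002"], ["64000:0002", "64000:0001"])}

# Intended policy from the question: A reaches B and C, B and C stay isolated.
POLICY = {("VPN-A", "VPN-B"), ("VPN-A", "VPN-C")}

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER), ("shared RT", SHARED_RT)):
        print(label, sorted(reachability(cfg)), "leaks:", sorted(unexpected(cfg, POLICY)))
```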
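Question 20. On an Ethernet segment, three routers have already formed OSPF adjacencies: router A (RID = 1.1.1.1, OSPF priority 100), router B (RID = 2.2.2.2, OSPF priority 0) and router C (RID = 3.3.3.3, OSPF priority 0). Which router is the OSPF DR on this Ethernet broadcast network, and why? What is the neighbor state between each pair of the three routers?
Answer:
1. RA; the other two have priority 0
2. RA-RB FULL, RA-RC FULL, RB-RC 2WAY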
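Question 21. Describe what the anti-virus configuration on a BAS (Huawei 5200G) consists of and give the specific configuration (list at least 6 virus ports).
Answer:
1. Determine the virus ports
2. Configure the ACL
3. Configure the traffic classifier to match the corresponding ACL
4. Configure the traffic behavior, which determines whether the action for the traffic classifier is permit or deny
5. Configure the traffic policy, associating the traffic classifier with the traffic behavior
6. Configure the global traffic-policy to apply the traffic policy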
[Actual network description/configuration]
acl number 6000
1. To control propagation of the Blaster worm
 rule 5 permit tcp source any destination any destination-port eq 4444
 rule 10 permit udp source any destination any destination-port eq 69
2. To control scanning and attacks by the Blaster worm
 rule 15 permit tcp source any destination any destination-port eq 135
 rule 20 permit udp source any destination any destination-port eq 135
 rule 25 permit tcp source any destination any destination-port eq 139
 rule 30 permit udp source any destination any destination-port eq 139
 rule 35 permit tcp source any destination any destination-port eq 445
 rule 40 permit udp source any destination any destination-port eq 445
 rule 45 permit tcp source any destination any destination-port eq 593
 rule 50 permit udp source any destination any destination-port eq 593
3. To control propagation of the Slammer worm
 rule 55 permit udp source any destination any destination-port eq 1434
4. To control propagation of the Sasser worm
 rule 60 permit tcp source any destination any destination-port eq 5554
 rule 65 permit tcp source any destination any destination-port eq 9995
 rule 70 permit tcp source any destination any destination-port eq 9996
5. Other anti-virus entries
 rule 75 permit tcp source any destination any destination-port eq 1068
 rule 80 permit tcp source any destination any destination-port eq 5800
 rule 85 permit tcp source any destination any destination-port eq 5900
 rule 90 permit tcp source any destination any destination-port eq 10080
 rule 95 permit tcp source any destination any destination-port eq 3208
 rule 100 permit tcp source any destination any destination-port eq 1871
 rule 105 permit tcp source any destination any destination-port eq 4510
 rule 110 permit udp source any destination any destination-port eq 4334
 rule 115 permit tcp source any destination any destination-port eq 4331
 rule 120 permit tcp source any destination any destination-port eq 4557
 rule 125 permit udp destination-port eq netbios-ns
 rule 130 permit udp destination-port eq netbios-dgm
traffic classifier antivirus operator or
 if-match acl 6000
#
traffic behavior antivirus
 deny
#
traffic policy webandanti-in
 classifier antivirus behavior antivirus
traffic policy webandanti-out
 classifier antivirus behavior antivirus
#
traffic-policy webandanti-in inbound
traffic-policy webandanti-out outbound

