Essay 1 multicast

The multicast network uses PIM-SM to construct a multicast distribution tree, R3 is RP and group
member 1 and 2 join group G1.

1) Which multicast protocols should be deployed on the interfaces marked 1, 2 and 3 in the figure?
Only list the protocols that must be deployed and explain in detail why these Protocols need to
be deployed. (5 points)

2) RP plays very important role in the PIM-SM network. In large-scale multicast network, how to
ensure the reliability of RP and reduce the burden of RP?

Describe the solution in detail, including the reasons for choosing the solution. (5 points)

Solution-1

(1) Interfaces 1,2 and 3 need to run IGMP and PIM-SM protocols.

The reason for running IGMP is that group membership management is realized through the IGMP
protocol where the PC needs to apply for group addition through IGMP, and the router needs to use the
IGMP protocol to query and maintain IGMP table entries to determine whether there are multicast
receivers. Data is forwarded according to the situation.

The reason for running PIM-SM are:

First, in order to form PIM entries, the PIM protocol needs to be opened. When multicast data arrives,
multicast data traffic is forwarded according to the multicast forwarding entries. Secondly, there is RP in
this network, and PIM DM does not need RP. so the mode of PIM is SM. When the IGMP protocol
detects certain multicast member in certain multicast topology, it will use PIM SM to generate PIM [* G)
table entry, and continue to join to the RP direction to form shared tree RPT and guide the traffic to be
forwarded. In addition, when the group member DR forwards multicast traffic exceeding a certain
threshold, it will trigger the RPT to STP switch. The group member DR sends join message to the
multicast source, constructs (S,G) entries along the way, and then the group The broadcast traffic is
forwarded to the receiver along the new SPT.

If the PC does not support the IGMP protocol:

At this time, interfaces 1, 2, and only need to be configured with PIM SM and static grouping. The reason
for configuring PIM SM is the same as above.

Reason for configuring static group addition: pc does not support IGMP protocol. Therefore, in order to
statically generate IGMP entries, the device can maintain the entries and generate PIM entries. Finally,
the data is directed to be forwarded to the interface, so that the PC can obtain the multicast traffic.

Solution-2

The following points need to be paid attention when deploying RP in large multicast network

1) Is the multicast network single-region or multi-region: In a single-region multicast network, the

multicast source and receiver are in the same region, and only one RP can be deployed in the region. If it
is multi-area multicast network, an RP needs to be deployed in each area, and MSDP neighbors need to
be configured between RPs to advertise multicast source information to ensure that multicast source
receivers are in cross-domain groups in different areas Broadcast traffic forwarding.

2) Non-optimal path: Deploying single RP in large network cannot meet shortest path of all leaf routers
to the RP. Therefore, multiple RPs need to be deployed at different locations on the network and
configured as Anycast RP. Anycast RP device needs to configure the same RP address and announce it to
IGP to ensure that the leaf router selects the nearest RP through IGP routing, so as to solve the problem
of non-optimal path. Anycast RP neighbors advertise the multicast source information to each other to
ensure that the multicast source and receivers are registered to forward multicast traffic in different RP
scenarios.

RP reliability guarantee: By deploying multiple RP and providing the same multicast group service,
reliability and redundancy can be improved. RP configuration mode can use static or BSR dynamic
notification.

How to reduce the burden of RP: There are several ways to reduce the burden of RP?

1) Multi-static RP: The leaf routers are configured with different static RPs re the leaf routers are
manually configured to register with different RPs to reduce the burden of RPs. MOSP neighbors
need to be configured between static RPs to advertise multicast source information.
2) Anycast RP: Configure Anycast RP to realize that leaf routers register to different RPs according
to IGP routing, reducing the burden of RP.
3) Hash-mask realizes RF load sharing: Using the hash-mask advertised by the BSR can realize RP
load sharing in scenarios where multiple RPs provide the same group of servers (with the same
group mask length).

(3) Expansion Reasons for configuring MSDP:

With the increase in network size and the convenience of controlling multicast resources, the
administrator divides PIM network into multiple PIM-SM domains, domain developed to solve the
interconnection between multiple PIM-SM domains The inter-multicast solution is used to discover the
multicast source information in other PIM-SM domains. Currently, only ipv4 network deployment is
supported. The intra domain multicast routing protocol must be PIM-SM.
 Essay2 MPLS VPN

As shown in the figure below, the enterprise uses the MPLS VPN network. There are two existing
services. The video service "video" only needs to communicate between branch 2 and the headquarters.
The RT of branch 2 is deployed as shown in the figure. Please plan and design the RT values on PE1 and
PE3.

The video service "video” only needs branch 2 to communicate with the headquarters, and the voice
"voip" service needs to communicate between branches as well as between branches and headquarters.
The RT of branch 2 is deployed as shown in the figure. Please plan and design the RT values on PE1 and
PE3.

Solution-1

(1) According to the requirement of the subject, if the branches cannot communicate directly, they
must communicate through the headquarters. We can use the H-S MPLS VPN architecture
networking that is, PE1 as Hub PE, PE2 and PE3 as Spoke PE. At this time, the RT value is planned
as follows:

In PE1

VPN: Video im:100:101 ex:100:100

VPN: Voip-in im: 200:100

VPN: Voip-out ex: 200:101

In PE3:

VPN: Voip im: 200:101. ex: 200:100

(2) In addition, if the branches can communicate directly without going through the headquarters,
and the RT value of PE2 can be adjusted, we can also use the full mesh networking mode (full
mesh), that is, PE1, PE2, and PE2 are established in pairs. MP-BGP neighbors, or P1 as an RR
device, PE1, PE2, PE3, and RR establish MP-BGP neighbor. At this time, the RT value is planned
as follows:
In PE1

VPN Video im: 100101 ex: 100:100

VPN Voip im: 200:100 ex 200:101

in PE2

VPN: Video im: 100:100 9x:100:101

VPN: Voip im:200:101 ex:200:101 200-101

In PE3

VPN: Voip im:200:L01 Ex:200:100 200-101

2. Strictly follow the above RT value planning. If the users of branch 1 report that the voip business is
communicating with the headquarters business, but cannot communicate with branch 2, please analyze
the possible causes of the failure.

(1) Hub spoke networking:

Routing problem: VPNv4 neighbor failure of PE1 and PE2, IGP/BGP failure of PE2 and CE2, routing
import failure of PE2 etc.

LDP problem: the next hop of the VPNv4 route of PE1/PE3, that is the 32-bit LSP of PE2 is not
generated. LDP configuration, MPLS configuration, static LSP configuration failure, etc.

(2) Full Mesh networking (Assuming that PE1, PE2, and PE3 follows the Full Mesh networking mode)

Routing problems: VPN neighbor failures of PE1 and PE2, routing failures of PE2 and CE2, routing

import failures of PE2 etc.

LDP problem: PE3 goes to the next hop of VPNv4 route, that is, the 32-bit LSP of PE2 is not

generated, LDP configuration, MPLS configuration, static LSP configuration failure etc.
In the above figure, AR1 and AR2 are in AS100, and AR3 and AR4 are in AS200. The BGP neighbor
relationship is established as shown in the figure above.

(1) At this time, it is found that the EBGP neighbor relationship between AR2 and AR4 is not
normally established. How should troubleshoot this fault? Write out the troubleshooting steps
and process in detail.
(2) There is an external route 10.1.1.1 on the AR1 device. How can the device in A5200 access
10.1.1.1, preferably from the AR1-AR3 link? Please use multiple methods to complete the
requirements.

Solution-1

There is problem with the EBGP neighbor relationship of AR-2 and AR-4. There are many possible
reasons. You can check one by one according to the following possible reasons,

1) IGP fails
2) The protocol version is generally V4, and inconsistencies cannot be established because the
various versions of BGP will not be backward compatible.
3) The router IDs of neighbors conflict.
4) The configured neighbor’s AS number is wrong. When establishing neighbor. it will check
whether the AS number in the OPEN message is consistent.
5) Using Loopback interface to establish neighbors is not configured with peer connect-interface
command.
6) The peer ebgp-max-hop is not configured when establishing EBGP neighbors with the Loopback
port.
7) The address clusters at both ands do not match (ordinary BGP and vpnv4).
8) The authentication information is inconsistent. The peers configured for authentication under
the BGP process, and the authentication keys must be consistent in

MD5 authentication: only for TCP authentication, the authentication information is in the option
field of the TCP message.
 Keychain authentication: Authentication is performed on TCP and BGP messages. The authentication
information is placed in the option field of the TCP message and also in the BGP message.

9) The peer valid ttl-hops (GTSM) configuration is incorrect: If the GTSM function is enabled for the
directly connected EBGP peer, the fast-sensing function of the directly connected EBGP peer
interface will be invalid. Because BGP considers that the peer is not directly connected. When
the TTL value of packet sent by an LDP peer is within the range of [ 255-hops +1.255] the packet
received otherwise packet will be discarded. For example the effective TTL range of LDP packets
sent by the peer with the transmission address 2.2.2.9 on the LSR is 254-255.

Command: [HUAWEI-bgp] peer 2.2.2.9 valid-ttl-hops 2

10) The number of routes sent by the peer exceeds the value set by the peer route-limit command.
11) The peer ignore is configured on the peer, which prohibits establishing session with the peer
and clears all related routes, similar to reset bgp.
12) ACL filters the TCP port number 179.

First test the connectivity between the IP addresses of AR2 and AR4 to establish neighbors, and perform
ping test to test whether the IP addresses of the BGP neighbors established between AR2 and AR are
reachable. If they are not reachable, use the 2-point method to go down from the network layer first.
Perform troubleshooting and confirm the reachability of the interface IP address and routing. If there is
no problem with the network layer configuration, continue to troubleshoot the link layer fault, such as
whether the link layer protocol is consistent, and if it is PPP link, check whether the PPP authentication
is normal. After the link layer fault is rectified, if it still fails, the cause of the fault may be at the physical
layer. Check transmission line problems, interface physical failures, interface shutdowns, interface board
failures, transmission equipment and other problems.

If the network layer can communicate normally, you need to enter the upper layer to analyze whether
BGP TCP port 179 is disabled in the transport layer. if not, the possible cause is in the BGP protocol.
Check the BGP protocol configuration problems, such as:

a. Whether the BGP Router IDs of AR2 and AR4 conflict.

b. Whether AR2 and AR4 are configured with BGP authentication, information requirements must
be consistent.
c. AR2 and AR4 are the established EBGP neighbor relationship, whether their own AS number
and neighbor AS number are configured correctly.
d. Establishing EBGP neighbors with non-directly connected addesses (for example, using loopback
ports) requires that the loopback port addresses at both ends are reachable. Check whether the
neighbor configuration specifies EBGP TTL multi-hop and whether the update source address is
correctly configured.
e. Configure peer ignore GTSM and the address Clusters at both ends do not match.
Solution-2

1) On AR2, configure the Router-Policy for AR4 so that the MED value of the 10.1.1.1 route passed
from AR2 to AR4 is relatively large.
2) . On AR2 configure Route-Policy for AR4, so that the number of AS-Paths about 10.1.1.1 routing
that AR2 transmits to AR4 is more.
3) IF 10.1. 1.1 is imported into BGP via network, you can use the Router-policy command on AR2 to
change the origin attribute of 10.1.1.1 route to "Incomplete". if you import into BGP via import,
you need to use it on AR1 The Router-policy command changes the origin attribute of the
10.1.1.1 route to IGP. In this way. the AR1-AR3 path will be selected according to the origin
attribute I>E>?.

Use the BGP Route-Policy (routing policy tool) to complete the requirements, which can be completed
according to the BGP routing attributes.

If AR1 and AR2 are used to control the routing, the AR3 of AS200 is realized, and AR4 is preferably the
link between AR1-AR3.

1. Use the AS-path attribute to control route selection. AS-path is generally recognized attribute.
The rule for route selection through AS-path is that the shorter the AS-path, the less the number
of ASs recorded in the BGP route, the better the route. So AR1 normally advertises the AS-PATH
attribute when sanding routes of 10.1.1.1 to AR3. When AR2 sends routes to AR4, use Route-
policy to add its own AS number 100 to the front of AS- path. (Note that it is not recommended
to add EBGP It is not recommended to add other AS numbers to the neighbor's AS number to
avoid the subsequent impact of the AS-PATH anti-loop mechanism on routing transmission). In
principle, it is only necessary to ensure that the AS-PATH length transmitted from AR1 to AR3 is
less than the AS-path transmitted from AR2 to AR4. The length of the PATH can not only meet
the routing requirement, but also can control the AS-PATH length when receiving 10.1.1.1
routes on AR3 and AR4, and also can realize the routing function.
2. Use the origin attribute to control route selection. Configure the origin attribute of the 10.1.1.1
route advertised to AR3 on AR1 as "i" and configure the origin attribute of 10.1.1.1 route
advertised to AR4 as “?” on AR2. In the case of the same AS-PATH attribute, comparing the
origin attribute can also achieve access to 10.1.1.1 through the AR1-AR3 path or you can set the
origin attribute value to achieve routing requirements when AR3 and AR4 receive 10.1.1.1
routes.
3. Use the MED attribute to control route selection. MED is an optional non-transitional attribute.
When AR1 sends routes to AR3, configure MED to a smaller value by using route-policy or
modify MED to larger value when AR2 sends routes to AR4. The value of can affect the routing
of AS200 devices, and can also receive 10.1.1.1 routing in AR3 and AR4 to modify the MED
attribute to achieve path control requirements.
4. Configure the local-preference of 10.1.1.1 routing on AR3 and AR4 to influence the AS 200
device to prefer the AR1-AR3 link. Local-preference is recognized arbitrary attribute. Route
selection is based on local-preference. The, larger the value, the more preferred. The route sent
from AR1 on AR3 can be increased by using the Route-policy command to increase the value of
 the local-preference attribute or AR4 The route sent from AR2 uses the route-policy command
to reduce the value of the local priority attribute.

All the above methods can complete AR3 and AR4 access 10.1.1.1 preferably using the AR1- AR3 link.
 (1) What are the reasons for the blurring of the video between the headquarter and the branch and
the out-of-syne voice and image? (2 minutes)
(2) Now in order to ensure the communication quality between headquarter and the branch. QOS is
deployed between them, ask which device to deploy no (only need to write the device name)?
(1 point). How to deploy QOS, need to specify detailed configuration parameter information (3
points).
(3) The branch is now accessing the external, network. under normal circumstances, the bandwidth
used is 100M. When the link is congested, the bandwidth is guaranteed to be 50M. How to
implement it? (Explain the specific reasons) (4 points).

Solution

1) Due to network delay, jitter, congestion and packet loss.

2) Theoretically, the differentiated service model needs to be deployed end-to-end according to the
division of DS domains. Considering the deployment of GRE tunnels, assuming that AR2 and AR3 do not
have the ability to be managed by enterprise administrators, QoS needs to be deployed on AR1 and AR4.

On the side of the headquarters AR1 connected to the internal network interface use ACL to perform
complex flow classification technology, classify FTP, video, and voice services, and perform classification
configuration through MQC command lines, and use traffic behavior commands to transfer FTP, video,
and voice service packets Perform re-marking, configure flow policy to bind traffic classification and
traffic behavior, and apply it to the inbound direction of the internal network side interface to complete
the re-marking of service traffic. Assume that voice traffic is marked as EF, video traffic is marked as
af41, and ftp traffic is marked as af3l.

After the business packets are classified and re-marked, they will be tunnel encapsulated by the GRE
protocol, and new IP header will be generated. Because the DSCP value of the new IP header will inherit
the DSCP value of the inner IP packet by default when GRE encapsulation is performed, it can be Directly
use the DSCP value of the outer IP packet header to implement simple flow classification of service
packets, that is, after the voice traffic DSCP value remarked as EF for GRE encapsulation, the DSCP value
of the outer IP packet header is still EF.
Use the MQC flow classification command on AR1 to perform simple flow classification based on the
DSCP value of the outer IP header in the GRE packet, that is, EF is classified as voice traffic, AF41 is
classified as video traffic and AF31 is classified as FTP traffic.

Use the CBQ queue, use the classifier behavior command to allocate EF traffic to the EF queue/LLQ
queue, and configure sufficient and supervised bandwidth value. For the command, refer to queue of
bandwidth, allocate the video traffic to the AF queue, and allocate the bandwidth. FTP The traffic is
allocated to the second AF queue and the bandwidth is allocated. The other unclassified traffic is placed
in the default class and scheduled with WFQ queue. Finally, the traffic classification and traffic behavior
are associated with the flow strategy, and then applied to the physical interface on the external network
side of AR1 or the outbound direction of the GRE tunnel port. The difference is that the physical port
implements CBQ queues for both GRE traffic and non-GRE traffic. The GRE tunnel port only implements
CBO queues for GRE traffic. The key lies in the reasonableness of bandwidth parameter configuration to
ensure the effect of QOS.

Like AR4, the DSCP value of the inner IP header after de-encapsulation of the GRE packet remains
unchanged, and simple flow classification is performed based on the DSCP value. Voice traffic, video
traffic, and FTP traffic can still be classified. The AR4 intranet interface is outbound In direction, so
configure the CBQ queue to allocate the same reasonable bandwidth value as AR1

Reverse traffic can also be configured using the same. idea.

(3) Speed limit technology and CBQ, can be used in the outbound direction of the interface of the
branch router AR4 connected to the external network.

Rate limiting Configure outbound traffic shaping or traffic policing on the interface of the AR4 connected
to the external network that is, the interface view. configuration limits the maximum bandwidth to'
100M, refer to the command Qos car outbound or qos gts. Through the MQC command line of CBQ,
classify the traffic of the branch accessing the external network in the traffic classification (use ACL to
match the traffic) allocate this part of the traffic to the AF queue in the traffic behavior, and allocate
50M bandwidth for the AF queue. That is the traffic behavior is trying to queue AF bandwidth 51200,
and the minimum bandwidth used in congestion is set to 50M. The traffic classification and traffic
behavior associated in the traffic policy are applied in the outbound direction of the external network
interface.

The characteristics of the AF queue: each AF queue corresponds to type of the packet, and the user can
set the bandwidth occupied by each type of packet. When the system schedules messages out of the
queue, the massages are sent out of the queue according to the bandwidth set by the user for all types
of messages, So that fair scheduling of all types of queues can be realized. When the interface has
remaining bandwidth, the AF queue shares the remaining bandwidth according to the weight.
The above figure shows small enterprise nétwork organization. AR1 is used as an egress router to
connect to the ISP network and LSW1 is used as a DHCP server.

{1} At this time, some customers have Introspected that PC1 and PC2 could not obtain IP addresses.
What kind of reasons do you think caused this problem?

{2) After the fault is resolved by you, please analyze what attacks may exist in the above environment,
and how can you improve the security of access users?

Solution-1

{1}

1. There may be illegal DHCP Sever access, causing the PC to obtain the wrong address. The principle of
the attack: since there is no authentication mechanism between the DHCP Server and the DHCP Client. if
DHCP server is randomly added to the network, it can assign IP addresses and other network parameters
to the client (because if there are multiple DHCP Servers to The DHCP client responds to the DHCP
OFFER massage. the DHCP client generally only receives and uses the first/first received DHCP OFFER
message). If the DHCP server assigns the wrong IP address and other network parameters to the user, it
will cause great harm to the network.

How to prevent In order to attack the DHCP Server counterfeiter, you can configure the
"Trustad/Untrusted" working mode of the device interface. Set the interface directly or indirectly
connected to legitimate DHCP server as trusted excuse, and set other interfaces as untrusted interfaces.
Subsequent DHCP response massages received from the Untrusted" interface will be directly discarded,
which can effectively prevent attacks by DHCP Server counterfeiters.

2. There may be DHCP starvation attack. resulting in exhaustion of IP addresses. Principle of the attack If
large number of attackers maliciously apply for IP addresses under the access device interface, the IF
addresses in the DHCP Server will be quickly exhausted and other legitimate users will not be able to
provides IP address allocation services. On the other hand, the DHCP Server usually only confirms the
client's MAC address according to the CHADDR (Client Hardware Address) field in the DHCP Request
massage (after receiving the DHCP-REQUEST request massage sent by the DHCP client) The DHCP server
finds whether there is corresponding lease record according to the MAC address carried in the
DHCPREQUEST message. If there is, it sends DHCP-ACK message as response to notify the DHCP client
that the assigned IP address can be used. If the corresponding lease record is not found If the lease
record is recorded, the ODHCP-NAK message is sent as response) if an attacker continuously changes the
CHADDR field to apply for an IP address from. DHCP and Server, it will also cause the address pool on
the DHCP Server to be exhausted making it impossible to provide IP addresses for other normal users.

How to prevent: In order to prevent large number of DHCP users from maliciously applying for IP
addresses.

After the snooping function, you can configure the maximum number of DHCP users allowed on the
device interface to teach. When the number of users reaches this value, no user is allowed to
successfully apply for an IP address through this device or interface. The attack by changing the CHADDR
field in the DHCP Request message can enable the device to detect whether the MAC in the header of
the DHCP Request massage is consistent with the CHADDR field in the DHCP data area. Subsequent
devices will check whether the MAC address in the header of the DHCP Request massage sent is. equal
to the CHADDR value, and if they are equal, forward it or discard it.

3. There is an ARP spoofing attack, which causes large number of ARP tables to be flipped. Attack
principle: The attacker pretends to be another device to send ARP reply or gratuitous ARP, and fills the
source MAC in the ARP message with the attacker's MAC address. After the attacker receives the ARP
message it refreshes the binding of the local ARP table. Relationships, and eventually result in normal
access traffic being sent to the attacker.

How to prevent:

Switch on DAI: Use the DHCP snooping binding table to cooperate with DAI to prevent ARP spoofing
attacks.

implementation principle: Use DHCP snooping binding table (dynamic and static binding table) to defend
against man-in-the-middle attacks. When the device receives an ARP packet, jt compares the source IP,
source MAC, VLAN, and interface information corresponding to the ARP packet with the information in
the binding table. If the information matches, it means that the user who sent the ARP packet is
legitimate user. The ARP packet of this user passed. Otherwise, it is considered as an attack and the ARP
packet is discarded.

Solution-2

1) For internal employees, use AAA combined with Dot1x authentication to control the wired PC
terminal interface.

2) For dumb terminals, use AAA combined with MAC authentication for access control.
3) For external visitors, AAA combined with portal authentication can be used for access control.

4) Enable DHCP snooping on the access layer switch combined with IPSG to prevent source address
spoofing.

5) Enable port security on the access layer switch to limit the number and legitimacy of PCs connected
to the interface.
Essay6 Cutover

A company plans to purchase two Huawei equipment to replace Cisco' sold equipment, and answer
the following questions

(1) When replacing equipment. "How to ensure business stability as much as possible, please provide
solutions.

2) If two Huawei devices are to be virtualized, what are the methods and what are the points.

Solution-1

1. Analyze the current network topology. analyze the planning of the current network topology (link
type, cost, interconnection IP, interconnection interface, etc.), analyze the current network traffic model
(routing protocol, data flow characteristics, traffic model, related interface access and exit) Traffic
information collection). current network equipment configuration backup, and hardware board analysis.

2. Equipment and version risks (analysis of equipment performance and specifications, risks of version
features and countermeasures.

3. Implement risk analysis and countermeasures for major operations, verify and review cutover plans,
rollback plans, and implement cutover under the authorization of the owner.

4. Analysis of business interruption time: This cutover is completed in two times, so there will be period
of business interruption. If the cutover is successfully completed, the longest business interruption time
will not exceed xx time.

For the first cutover, if allowed, connect Huawei equipment to the existing network and direct service
traffic to Huawei equipment. if there is an accident in the cutover, the fallback mechanism will be
activated immediately, and the service interruption time will not exceed xx minutes. Time includes the
time required for normal cutover, fault judgment time, and routing protocol convergence time.

In the second cutover, another Huawei device was replaced with Cisco device, and business traffic was
shared among the two Huawei devices as required. If there is an accident. in, the cutover, the rollback
mechanism will be activated immediately. The longest service interruption time will not exceed x<
minutes. The time includes the time required for normal cutover, failure judgment time, and routing
protocol convergence time).

Attachment Preparations before the cutover operation is implemented.

1. Operation application

2. Implementation review.

3. Link and transmission

4. Hardware, software and auxiliary materials.

5. Equipment software configuration preparation.

6. New equipment power-on and function test.

7. Account number, password and remote login method.

8. Data backup and traffic collection.

9. Network closure (optional).

10 Business status.

11. Operation test.

12. Rollback Plan.

Solution-2

Two devices are virtualized. In order to be applicable to different enterprise network scenarios, the
commonly used methods are:

1. Gateway virtualization: technology VRRP, the campus network convergence layer deploys VRRP
combined with MSTP architecture.
2. System-level virtualization technology CSS, CSS2, campus network convergence layer, core layer
deployment, no VRRP architecture.
3. M-LAG a process virtualization technology is often used in data center network to realize switch
/server dual-homing access deployment.

VRRP

VRRP combines 2 or more devices to form virtual routing device and use the IP address of the virtual
routing device as the user’s default gateway to communicate with the external network. When the a
gateway device fails, the VRRP mechanism can elect a new gateway device to undertake data traffic,
thereby ensure reliable network communication.

Note:

1) When VRRP switch between main and backup it takes long time in order of seconds so we can
bind BFD technology needs to be linked to speed up the convergence speed.
2) The control plane of backup and main devices are deployed independently, which may cause
inconsistent forward and return paths of terminal routes.
3) The master device and the MSTP root bridge device must be consistent to avoid bypassing
upstream and downstream traffic, resulting in poor traffic paths.
CSS: Virtual Chassis System, generally used for modular switches (87700, $7900, $9700, 512700,
CE12800, CE16800), two physical switches are aggregated into one logical switch through CSS, providing
more slots for business access. The uplink redundant links of the original downlink switches are
interconnected through link aggregation (Eth-Trunk) and the CSS system to avoid blocking redundant
links, improve link utilization, link load sharing across devices, and improve links Bandwidth utilization
and simplified network architecture, no complicated MSTP configuration, centralized management and
maintenance Switches through CSS, reducing user deployment and maintenance costs.

Support cluster card stacking and service card stacking, as well as switch board hardware cluster CSS2,
where CSS2 provides the industry's lowest inter-frame forwarding delay. When the switches in the CSS
are started, they will start competition to form master/backup relationship. The master switch is
responsible for managing the entire cluster. There is only one master switch in the cluster. When the
master switch fails the backup switch will take over all the services of the original master switch. Thora is
only one backup switch in the CSS. The software version and configuration files of the main switch are
uniformly used in the stacking system to form unified control plane, which logical constitutes switch.

Note:

1. The use of CSS for device version update iterations and system patch upgrades must have a
corresponding cutover plan.

2. As far as possible, each member device has an uplink port connected to different member devices of
the CSS, so that. when any device fails, the upstream traffic will not be affected.

3. When devices are stacked, it is recommended that the stacking bandwidth between the two devices
be the same, otherwise the bandwidth of the stacking system is equal to the smallest stacking
bandwidth in the system.

4. When the stacking system is connected to other network devices, it is recommended to use the Eth-
Trunk interface to connect, and each member switch of the CSS can have port added to the Eth-Trunk.

5. lt is recommended to enable the local priority forwarding function, and the stacking line deployment
should consider the problem of stacking board failure.

6. When the stacking link fails, dual-master situation will occur, and dual-master detection mechanism
needs to be deployed.

M-lag: M-LAG (Multichassis Link Aggregation Group) is cross-device link aggregation group. It is
mechanism to realize cross-device link aggregation, which can realize link aggregation between multiple
devices, thereby improving link reliability. From the single- board level to the device level, dual-active
system is formed.

In order to ensure reliability, the switch needs to consider the redundancy backup of the link when
accessing the network, which can be achieved by deploying MSTP and other disruptive protocols, but
the link utilization rate is low and bandwidth resources are wasted.

In order to achieve redundant backup and improve link utilization. M-LAG is deployed between two
Huawei switches to realize dual-homing access of witches or servers. The switches form load sharing and
perform traffic forwarding together, acting as one of the devices. When failure occurs, the traffic can be
quickly switched to another device to ensure the normal operation of the business.

Note:

1. The types of the two devices that make up the M-LAG must be the same. It is recommended that the
models and versions of the two devices are the same.

2. The two devices forming M-LAG need to be configured with root bridge and bridgeID or V-STP, and
appear as one device for STP protocol calculation, otherwise there may be a loop.

3. When configuring M-LAG based on the root bridge method, the bridge IDs of the two devices that
make up the M-LAG must be configured with the same bridgeID, and the root priority is configured to be
the highest. Ensure that the two devices of the M-LAG are the root nodes. In scenarios where M-LAG is
configured in bridge mods STP multi-process is not supported.

4. Peer-link malfunctions, causing dual-master conflicts. DAD Link needs to be deployed to solve the
dual-master conflicts.
Essay7 Packet loss

(1) Users report packet loss in the network, how would you troubleshoot it? (6 points)

(2) What do you think are possible reasons for packet loss in the network? {4 points)

Solution-1

(1) Usually, the network packet loss investigation can be based on the network architecture
investigation, the seven layer-model investigations, etc. The troubleshooting steps are as follows:

1. Check whether the packet loss is caused by the user terminal problem, such as (network card, anti-
virus software, operating system. etc.}, you can directly replace it with other normal terminal
equipment, and observe whether the network packet loss problem still exists, and if it exists, Follow the
steps: If it does not exist, the investigation is complete.

2. Ping the user's gateway for long time and observe the packet loss. If there is packet loss, it is judged
that the packet loss is layer-2 packet loss, and step-3 is performed. If there is no packet loss, determine
that the packet joss is Layer-3 packet loss, and goto step 8.

3. Check whether the link flaps on the access switch. If the port through which Ping packet passes is
repeatedly Up/Down, the Ping packet will be lost. Enable debugging switch in user view: terminal
debugging, terminal monitor. If there is change in the port status, check whether the port speed
configuration and port duplex mode are correct, and whether the relevant attribute configuration of the
opposite port is consistent. You can try to plug or replace the network cable or replace the optical
module to solve the problem. If the port passed by the ping packet is normal, go to step-4.

4. Check whether the switch has Joop protocol oscillation. Check whether loop protocols such as STP are
enabled on the device. If the loop protocol oscillates, it will affect the forwarding and processing of
ICMP packets. If the relevant loop protocol is enabled on the device, check the status of the loop
protocol repeatedly during the Ping packet loss period to confirm whether there is loop protocol
oscillation. It can be combined with checking whether the port status is abnormal to determine whether
it is the oscillation caused by the loop protocol. If there is problem, observe whether the packet loss
phenomenon exists after the modification and the investigation is completed if the packet is no longer
lost. If there is still packet loss, go to step 5.

5. Check whether there is packet loss or wrong packet on the switch port. Execute the display interface
command to repeatedly check whether the port has Discard loss count or other error packet count
increases. The Discard loss count shows whether the port traffic is congested. if congestion occurs,
configure to increase the current buffer of the port and observe whether the packet loss phenomenon
still exists. If the packet loss phenomenon disappears, the troubleshooting is successful. If the packet
loss still exists or the port is not congested, go to step 6.

6. Check whether the CPU usage of the switch is high. Use the dispiay-cpu-usage command to view the
CPU usage and judge based on the displayed result. Use the display cpu-defend statistics command to
view the statistics of the packets sent to the CPU, determine whether there are too many protocol
packets that are-discarded 'because they are too late to be processed, and check whether the network is
under attack. If there is an attack, you can configure the attack source penalty or the focal-attack-
strategy blacklist for processing. After the processing is completed, observe the matter packet loss
phenomenon still exists. If it does not exist, the investigation is successful, if it still exists or the network
does not have the problem of high CPU usage, go to step-7

7. If the fault still exists, call the Huawei 400 hotline or apply to Huawei engineers for on-site Support.

8. Use the tracert command to determine the location of packet loss in the Layer-3 network in
conjunction with the port message transmission and reception, and proceed to step 9.

9. Check whether the device route is fluctuating. observe the next hop information of the route to the
destination IP, and whether the outgoing port information has changed. If it changes frequently. check
whether there are IP address conflicts, port fluctuations, and other issues. If there is problem, modify it
according to the original network plan, and observe "whether there is still packet loss in the network
after the modification. If the packet loss disappears, the investigation is successful. After the
modification, the packet loss still exists, or the route does not fluctuate, go to step 10.

10. Check whether ARP is oscillating. Observe whether ARP oscillates, including whether there are
changes in MAC, VLAN, and outgoing ports. Generally, the aging time decreases slowly from 20 minutes.
If the ARP aging time is refreshed to 20 minutes quickly, it means that the ARP is refreshed. It is
recommended to check whether there is an IP address conflict or loop. If there is problem, modify it
according to the original network plan, and observe whether there is still packet loss in the network
after the modification. If the packet loss disappears, the investigation is successful. After the
modification, the packet loss still exists, or the ARP does not oscillate, go to step 11.

11. Check whether the CPCAR of the ICMP packet is lost. Use the display cpu-defend statistics Packet-
types icmp all command to repeatedly check whether there is CPCAR packet loss and observe whether
ICMP packets are dropped (Drop). If there is drop count, the CPCAR value can be enlarged appropriately
to make the ICMP packets normal Send and receive processing. After the operation is completed,
observe whether the packet loss phenomenon still exists. If it does not exist, the investigation is
successful. If it still exists or there is no problem with CPCAR, go to step 12.

12. Check whether the CPU usage is high. Use the display cpu-usage command to view the CPU usage
and judge based on the displayed result. Use the display cpu-defend statistics command to view the
statistics of the packets sent to the CPU, determine whether there are too many protocol packets that
are discarded because they are too late to be processed, and we check whether the network is under
attack. if there is an attack, you can configure the attack source penalty or the local attack strategy
blacklist for processing. After the Processing is completed, observe whether the packet loss
phenomenon still exists. If it does not exist, the investigation is successful. If it still exists or the network
does not have the problem of high CPU usage, go to step 13.

13. If the fault still exists, call the Huawei 400 hotline or apply to Huawei engineers for on-site Support.
Essay8 FTP

1). Please discuss the working principle of FTP (6 point)

2). FTP and NAT are combined in the network. What should I pay attention to when using FTP in the
firewall scenario? (4 points)

Solution-1

1). FTP protocol has 2 working: passive mode and active mode.

The FTP protocol uses -2 channels, control channel and data channel.

The working principle of passive mode is as follows:

Control channel establishment: The client randomly generates source port N to access port 21 of the
FTP Server. After completing the TCP 3-way handshake, the server informs the client (x.x.x.x pl, p2)
where is x.x.x.x the server's own IP address, P1, P2 are random positive integers generated by the
server.

Data channel establishment: The client uses N+1 as the source port, accesses the server’s pl*256+p2
port, completes the TCP 3-way handshake of the data channel, and establishes the data channel. In this
mode, both channels are initiated by the client.

The working principle of active mode is as follows:

Control channel establishment: The client randomly generates source port to access port 21 of the FTP
server, completes the 3-way TCP handshake, and the client informs the server (x.x.x.x.pl.p2), where
X.X.X.X is the client IP address, Pi, P2 are random positive integers generated by the client.

Data channel establishment: The FTP server uses the source port 20 port to access the client's N+1 port
(N+1=p1*256+p2), completes the 3-way handshake of the data channel TCP and establishes the data
channel.

Solution-2

2). After the combination of FTP and NAT, ASPF (application layer packet filtering) and ALG {application
layer proxy gateway) functions need to be enabled on the firewall to access FTP services normally.

In the case of active mode and passive mode, if the firewall security policy only allows the traffic of the
control channel, the access of the FTP service cannot be realized normally, because the port number
negotiated by the FTP data channel is random and cannot be accurately predicted. The firewall can
dynamically release the traffic of the data channel and the ASPF function needs to be enabled, that is, by
analyzing the application layer information of the FTP control channel, predict the behavior of the data
channel Message in advance. Create Server-map table based on the IP and port in the application layer
information. After the packets generated by the subsequent data channel reach the Firewall they hit the
Server- map table entry. They are no longer restricted by the security Policy and are dynamically
released, and the session table entry is generated.

In the scenario of combining NAT, after configuring the ALG function, in active mode, the FW analyzes
the application layer information of the PORT command and converts the private network IP and private
network port carried in-the PORT command into public network address and public network port. Then
forward to the server, and create Server-map table. The server initiates data connection to the
converted public network address and public network port. After the message reaches the FW, it hits
the Server-map entry and automatically converts the destination address and port to the real private
network address, thereby releasing the data of the data channel.

In the passive mode. the FW analyzes the application layer information of the PASV Command OK
command, converts the private network IP and private network port carried in the command into public
network address and public network port, and then forwards it to the client, and creates Server-map
table. The client initiates data connection to the converted public network address and public network
port. After the message reaches the FW, it hits the Server-map entry and automatically converts the
destination address and port to the real private network address, thereby releasing the data of the data
channel.
As shown in the figure, it is an enterprise network with OSPF deployed. The network is connected to the
Internet through AR1 and AR2. AR1 AR2, AR1 AR2 and AR3 and AR4 are networked in oral format. Please
answer the following questions:

1). When the PC routing is changed, the routing table of the area where the server is located is not
affected. How to plan the area reasonably?

(Problem description 2: When the routing of the area where the PC is located is changed the routing
table of the area where the server is located is not affected, how to plan the area reasonably?

2). When the terminal accesses the external network, it mainly uses R3->R1 and R4->R2 as backup.How
to achieve this?

Solution-1

According to the subject requirements, three areas can be divided. AR1, AR2, AR3, and AR4 are
deployed in the backbone area, AR3, AR5, and AR6 are deployed in non-backbone area 1, AR4, AR7 are
deployed in non-backbone area 2, and area-2 is sat to be Totally Stub area. In this way, the area where
the server is located, that is, completely stub area 2. there will be route in this area and default route
generated by default type 3 LSA. When the route where the PC is located changes, the route in the area
where the server is located will not change.

In addition, if the area where the server is located is not deployed as fully stub area, then aggregated
routes can also bs deployed on the ABRs of area 0 and area 1. In this way, when PC routing aggregation
changes within the range, it will not affect the routing in the area where the server is located.
Solution-2

You can increase the overhead of the R2-R4 link.

In order to ensure the stability and reliability of the corporate network, you can configure dual-exit fixed
addresses by routing. Once route is lost, users can continue to access the Internet through other backup
routes. Users can increase the overhead of the R2-R4 link to create the main and backup links to ensure
that data can be switched normally and. users can Surf the Internet smoothly.

Three Expansion/Extension.

When the network administrator wants to access the external network (or the internet) the main route
is R3->R1. How to choose route?

Solution 1:

Deploy PBR on AR4, and modify the next-hop to access the external network to AR3 to implement route
selection.

Specific deployment:

Create a local PBR (acl 3000 matches the: next-hop)

Run the apply command to configure the local PBR action (apply output-interface)

Apply the IP local policy-based-route globally in the system-view.

Solution-2

Configure AR2 as STUB router. The STUB router increases the link metric in the LSA generated by the
router (65535) tell other OSPF routers not to use this router to forward data and then select routes.
Specific deployment:

In OSPF view, stub-router to choose the route.

Solution-3

Modify the link cost value between AR2-AR4 (the smaller the cost the higher the priority) is greater than
the COST of AR1-AR3, which affects route selection. Specifically modify the inbound interface ospf cost
100.
As shown in the figure, the enterprise uses an AR router as an export device The router: is configured
with NAT Outbound to provides Internet access services for private network users. At the same time,
NAT Server is configured to publish the private network Webserver to the public network to provide
services for external network users. The Operator only assigned public network IP to this unit, which
serves as the IP address of the AR outbound interface and the public network mapping address of NAT
Outbound and NAT Server.

1). At present, intranet users cannot access the Web Server through, domain name, but public network
users access normally, and intranet users access the public network normally. How can you solve this
problem? Please give specific two solutions and the application advantages of different solutions.

2). The user's web server is provided for users on the external network. At this time, the user wants to
improve the reliability of the web server as much as possible. How do you think that the network level
should meet the needs of customers?

Solution-1

1. Deploy DNS Server inside the enterprise to provide Web Server domain name resolution services for
private network users. At the same time, it is necessary to configure the public network DNS Server on
the DNS Server and enable the DNS relay function. Ensure that the domain name accessed by private
network users can continue to be forwarded to the public network DNS server for recursive query if it
does not exist on the internal DNS server.

2. if the DNS Server cannot be deployed in the enterprise, the egress router can be used as "the DNS
Server. Configure the local static domain name mapping through the "ip host domain-name 1P"
command on the AR1 egress router, configure the public network DNS Server through the "dns server
IP" command on the AR1, and use the "dns proxy enable" command to enable DNS relay Proxy function.

Ensure that the domain name accessed by private network users can continue to be forwarded to the
public network DNS Server for recursive query when there is no local static mapping on AR1.

3. Both schemes and need to add additional equipment and configuration. At the same time, it is
necessary to modify the configuration of private network users to configure DNS Server as internal DNS
Server or egress router. These schemes will increase cost and configuration workload. These problems
can be solved by configuring the DNS mapping function on AR1. DNS mapping is proprietary technology
of Huawei. Domain name resolution is achieved by analyzing DNS Request messages and then answering
DNS Reply. To enable the DNS mapping function, you must first enable the ALG DNS function. Use the
"nat alg dns enable" command to enable the DNS ALG function on the AR1, and use the "nat dns-map
domain-name IP port protocol-type" command to configure the domain name mapping.

Configuration example: "Nat dns-map www.huawei.com 192.168.0.1 80 tcp". After dns mapping is
enabled, AR1 will parse all received DNS Request massages, compare the domain name requested in the
message with the locally configured domain name mapping, and if they match, replace the DNS Server
to reply to the DNS client with DNS Reply massage, and use the configuration replies to the mapped IP
address. Otherwise check the local static DNS configuration and forward it to the public network DNS
Server if it does not match.

Solution-2

The reliability of Web Server can be improved through the following aspect.

1. Deploy multiple Web Servers at the same time to build server cluster, improve the reliability of Web
Servers, and avoid business interruptions caused by single-point deployment.

2. Deploy load balancing equipment for server clusters to achieve load-sharing of Web Server access
traffic, and at the same time, you can enable the reverse proxy function on the load balancing
equipment. By replacing the Web Server, the client access traffic is first received, and then distributed to
different Web Servers through load. Thereby reducing the access pressure of the server and avoiding
TCP semi-connection attacks and DDOS attacks.

3. Add WAF (Web Application Firewall) equipment to protect the security of Web Server and avoid SQL
injection attacks, command line injection attacks, XSS cross-site scripting attacks, Web missed scans, and
DDOS attacks against Web Server.

4. Deploy multiple egress routers for dual-home access to the Internet, and detect the network status of
the Internet in realtime through the default route single-arm BFD or default route + NQA, to achieve
rapid switching after Internet failure is detected. For the internal network, two egress routers, can be:
configured as the same VRRP group, and the Internet status can be monitored by means of single-arm
BFD or NQA track, to realize the active/standby switching of VRRP. and ensure the rapid switching of
internal network traffic.

5. Deploy Firewalls to achieve network isolation, achieve isolation of internal and external networks and
DMZ networks by dividing zones, and control traffic access between zones to improve security through
policies.
(1) In the office network, what configuration will you make for the aggregation switch and the access
switch? (6 points)

(2) In order to improve office network security what security precautions will you deploy? (4 points)

Solution-1

(1) Configuration on the access switch:

1. VLAN configuration: According to the question, there are two departments in the office network. Use
VLAN technology to divide each department into the next LAN. For example, department 1 belongs to
VLAN 10, and department belongs to VLAN 20. An additional VLAN needs to be created in this network
to manage the network, such as VLAN30. Create VLAN 10 20 30 on the access switch. The downstream
interfaces are assigned to the corresponding VLANS, respectively in ACCESS mode. The uplink interface
uses TRUNK mode, allowing access to departmental VLANs and management VLANs.

2. VLAIF creation: Since the switch needs to be operated and maintained after the device is put on the
shelf, the management VLANIF is configured on the access switch for subsequent management
connection IP, such as creating VLANIF30, configuring IP 192.162.30.2 and 192.168.30.3.

3. Routing: Configure the management route or the default route 0.0.0.0/0 on the access switch to point
to the aggregation switch, which is used for the backhaul route from the device to the workstation,
otherwise the access switch will not be able to reply to the workstation.

4. Edge port: Since the downstream interface of the access switch is used for terminal access, the edge
port is configured. Otherwise, after the terminal is connected, the port can forward data only after 30
seconds, which will affect the user experience.

5. ETH-TRUNK: Since the office network needs certain degree of redundancy and robustness, ETH-
TRUNK is used for link bundling when the access switch and the aggregation switch are interconnected,
to prevent the network from being paralyzed due to single link or interface failure.
Configuration on the aggregation switch:

1. VLAN configuration: According to the question, there are two departments in the office network, and
each department is divided into LAN using VLAN technology. For example, department 1 belongs to
VLAN 10, and department 2 belongs to VLAN 20. An additional VLAN needs to be created in this network
to manage the network, such as VLAN30_ Create VLAN16 20 30 on the aggregation switch. The
downstream interface uses TRUNK mode to release departmental VLAN and management VLAN.

2. VLANIF creation: Because departmental equipment has cross-network segment. Business mutual
access requirements, VLANIF10: 192.168.10.254 and VLANIF20: 192.168.20.254 are created on the
aggregation switch as the gateway of the access terminal. And create VLANIF30: 192.168.30.1 as the
management address on the aggregation switch.

3. Connect to the border routers: There are many solutions.

The first solution is to configure the uplink interface of the aggregation switch SW1 as Layer 3 port and
directly configure the IP to connect tothe router.

The second solution: Create an un allocated VLAN such as VLAN 40. Connect the switch uplink interface
ACCESS VLAN 40, and configure an IP address on the VLANIF 40 to connect to the router.

The third solution: Configure the uplink port of SW1 to TRUNK mode to allow departmental service
VLAN. This solution requires VLAN termination on the router, which is generally, used when the gateway
is configured on the router. It is recommended to use Plan 1 and 2.

4. Routing: Configure the default route on the aggregation switch to point to the router. After the
configuration is completed, the northbound traffic in the network will be smoothly sent to the router.

5. ETH-TRUNK: Since the office network needs a certain degree of redundancy and robustness, ETH-
TRUNK is used for link-bundling when the access switch and the aggregation switch are interconnected,
to prevent the network from being paralyzed due to single link or interface failure.

6. DHCP SERVER: Since the terminal equipment in the office network needs an address, the workload of
static address Configuration is less than that of scalability so DHCP is used to assign the addresses.
Configure the corresponding DHCP address pool on the aggregation switch and call it under the VLANIF.

Solution-2

1. DHCP snooping: Since DHCP is used for address allocation, it is necessary to prevent attackers from
illegally obtaining addresses or affecting normal users to obtain and use addresses. Therefore, configure
DHCP SNOOPING on the switch, and use the trust function and monitoring function for DHCP-related
prevention. Prevent DHCP Server counterfeit attacks, prevent non-DHCP user attacks, prevent DHCP
packet flooding attacks, prevent counterfeit DHCP packet attacks, and prevent counterfeit DHCP packet
attacks.

2. STP protection: Since STP is used on the switch for Layer-2 ring protection, root protection can be
configured to prevent unauthorized access outside the switch. Configure loop protection to prevent the
RP or AP port from failing to receive BPDUs for long time and FORWARDING to cause network loops.
Configure BPDU protection to prevent edge ports from performing STP calculations after receiving
BPDUs. Configure TC flood protection to prevent malicious attacks on switching devices by forging TC
BPDU packets.

3. ARP defense: There may be ARP flooding attacks, MISS attacks or spoofing attacks in the network For
ARP or ARP MISS attacks, the ARP packet rate limiting function, the ARP MISS rate limiting function, the
strict ARP entry learning function, and the ARP entry limiting function can be deployed. For ARP spoofing
attacks, you can configure and deploy the ARP table entry curing function, the ARP table entry strict
learning function, the getaway sending gratuitous ARP function, and the dynamic ARP detection
function.

4. Admission control: The possibility of illegal user access in the network MAC authentication, 802.1x
authentication, PORTAL authentication, RADIUS authentication or. SACG can be used.

5. Source IP protection: For IP attacks that may occur in the network, IPSG or URPF can be deployed to
protect the source IP.
Essay 12 BGP RR

Prepare to purchase 2 devices as RR devices in the network. There are the following 2 problems with RR
devices

1). For RR equipment, please state the most critical performance indicators you think and give the
reason (4 points).

2). For RR equipment, is there any requirement for the specification of the interface board? Do you
think lower specification or higher specification is required, please explain the reason (6 points).

Solution-1

(1) CPU Processing capacity.

(2) Routing table entry carrying capacity.

Reason: The RR needs to accept and transmit large number of BGP routes. Because the BGP protocol
only reflects the best routes, large number of BGP route selection calculations need to be performed,
which requires high CPU processing capabilities. The RR carries large amount of routing information. All
clients/non-clients/EBGP neighbors need to pass through the RR reflector or transmit routing
information, which requires high specifications for routing table entries.

Solution-2

According to whether the RR is responsible for forwarding service traffic, the specifications of the
interface board are selected pertinently. if the RR is responsible for both the maintenance and
transmission of BGP routes and the forwarding of service traffic, high-specification interface board
needs to be selected. If the RR only needs to be responsible for the maintenance and transmission of
BGP routes, it does not need to perform the forwarding of service packets. You can choose low-spec
interface board.
Essay13 Campus network planning
(1) In the office network, what configuration will you make for the aggregation switch and the
access switch?
(2) In order to improve office network security, what security Precautions will you deploy?
Solution (1)
1. Analysis from a cost perspective: The gateway placed at the convergence layer has lower
performance requirements for the access layer switches, which can reduce networking costs
(The access layer can only choose layer 2 switches, and the system version can be a simplified
version).
2. Analyze from the perspective of resources: Putting on the aggregation layer has advantages.
VLANs on different access switches use the same IP address segment. Avoid waste, reduce the
interconnection address segment between access and aggregation, and reduce the number of
neighbors of the routing protocol.
3. Analysis from the perspective of business migration and capacity expansion: Putting it at the
convergence layer has advantages because the-same VLANs on different accesses communicate
with each other. So the migration of physical, locations (in the casa of the relocation of the
computer room, etc.) does not require redeployment of new IP address Segments.
4. Analysis from the perspective of gateway redundancy: Convergence has advantages. It is easy
to run VRRP and other technologies between two converges to implement gateways.
For example, stacking and other technologies are needed to implement the access, which has
poor scalability.
5. Analyze from the perspective of service deployment: the deployment of convergence has
advantages. All configuration core gateways can be configured remotely. On-site engineers only
need to assign interfaces to designated VLANs. The test computer configures the designated IP
and PING the gateway. There is no need to consider routing protocol issues on site.
6. The office network is generally suitable for deployment at the convergence layer, because the
office network attaches great importance to network expansion and migration.

Solution (2)
1. The access layer device VLAN can be used independently, and the broadcast domain is
terminated by the access layer device, supporting the deployment of more broadcast domains.
2. Different network segments belonging to a switch can visit each other without going through
the aggregation switch, which improves the access efficiency.
3. Routing control is more refined and flexible, access and aggregation run three-layer router
protocol. Non-blocking link, equal-cost route
Path load sharing improves bandwidth utilization.
4. Convenient fault location.
5. The broadcast domain becomes smaller, reducing the flooding range of broadcast traffic and
reducing network performance overhead.
6. There is no need to deploy the STP protocol on a large scale, and there is no need to maintain
the MAC address information of the entire network, reducing the specifications of the two-layer
table entry, and facilitating network expansion.
Essay14 IS-IS Network cutover
(1) In the office network, what configuration will you make for the aggregation switch and the
access switch?
(2) In order to improve office network security, what security Precautions will you deploy?
Solution 1
(1) There may be several reasons why Router A cannot learn routing after running ISIS:
1. The multi-topology mode is inconsistent: the same multi-topology mode of the device
configuration (for example, the existence of Standard and IPv6 at the same time) will cause the
failure of IPv6 route selection and no routing.
2. 1S-IS neighbor establishment fails. The reasons for the failure of neighbor establishment are
as follows:
1) Level types are inconsistent (Level 2 on one side, Level 1 on the other)
2) The area ID is inconsistent (only for Level 1, Level 2 does not check the area ID)
3) Inconsistent network types
4) Configure interface authentication, the authentication type or password is inconsistent
5) Inconsistent MTU
6) System-id conflict
7 The number of Max area is inconsistent
8) Inconsistent topology types (ST on one side and MT on the other)
9) Broadcast network interconnection IP addresses are not in the same network segment.
10) Layer2 ACL filtering IS-IS Packets
3. Area authentic (level1) or Domain authentication (Level2) is configured and the authentication
type does not match or the password does not match.
4. Set the Overload bit in the LSP: Upon receiving the LSP with the Overload set, IS-IS will
Only calculate the local route of the device advertised by the LSP, but not the forwarding route
that needs to pass through the device.
5. LSP-fragmentation: if the LSP is fragmented and the 0th fragment is lost, the route cannot be
calculated. Because only 0 slices will contain LSP header information, other slices only contain
data. Therefore, it is necessary to ensure the integrity of the received LSP after LSP
fragmentation.
6. Route filtering: Use filter- policy to configure inbound route filtering, which filters the routes
advertised by IS-IS to the RIB table, causing the "display ip routing" to fail to see routes.

Solution 2
1. If Router A does not support multiple topologies, it will cause IS-IS neighbor establishment
with Router D to fail. The IIH packet sent by Route rD carries the Multi Topology TLV (299),
while the IIH packet sent by Router A does not carry it eventually, the establishment of IS-IS
neighbors between Router A and Router D failed.
2. AS shown in the topology, among the four devices, Router B only enables IPv4, while the
other devices enable both IPv4 and IPv6. According to the cost configuration given in the
topology, the optimal path from Router A to Router C is RA-->RB->RC. After RA, RB, and RC
enable IPv6 multi-topology, the default mode is Standard (standard mode), and IPv4 and IPv6
routing are calculated uniformly, and IPv4 and 1Pv6 will choose the same forwarding path.
Therefore, both the IPv4 and IPv6 routes from Router A to Router C will choose the same path
(RA--->RB--->RC), but because there is no IS-IS IPv6 neighbor established between Router A
and Router B, the route selection fails. In the and. there are only IPv4 routes OF Router C but no
IPv6 routes on Router A.
Solution: Configure the IPv6 multi-topology mode to IPv6 on Router A, Router B, and Router c.
The command is “ipv6 enable topology ipv6” After changing the multi-topology mode to IPv6,
IPv4 and IPv6 routing will be calculated separately.
Essay15 Large-scale enterprise network fallure convergence

The networking of a large enterprise network is shown in the figure:

NE40E-1belongs to AS200, and NE40-2 belongs to AS300.
The four routers in AS100 establish an IBGP neighbor relationship. AR-2 and AR-3 are BGP
route reflectors RR, which reflect routes for AR-1 and AR-4. There is no direct link between
AR-1 and AR-4, so the BGP traffic between them must be forwarded through RR.
NE40E- in AS 200 sends data to the destination NE40E-2 through the main path AR-1----AR-3--
-- AR-4. Paths AR-1---AR-2---AR-4 are alternate paths.
By adjusting the cost value of IGP, the route is optimized to the AR-1---AR-3---AR-4 path to
forward BGP traffic.
1) Now it is found that after the IGP cost adjustment is completed, the main route is not AR-1---
AR-3---AR-4, please list the possible reasons.
(2) When AR-3 fails, IS-IS quickly converges after the device restarts. AR-1 directs BGP traffic
to AR-2 for forwarding. When AR-3 finishes restarting, the BGP traffic from AR-1 to AR-4 is
temporarily interrupted, and the traffic resumes after a few minutes. Please analyze what caused
it? How to solve this problem, write the configuration command.

Solution (1)
1) A loop will be generated between AR4, AR5 and AR6
The cause of the problem: AR2 and AR3 are used as ABRs, and the 10.1.1.1 Type 1 LSA in the
AREA 0 area will be converted to Type 3 LSA and passed to AREA1. However, because AR4
and AR5 are also ABRs and have active adjacencies in the backbone area, Type 3 LSAs received
from non-backbone areas are only received without calculation, and there is no inter-domain
route to 10.1.1.1 on AR4 and AR5. After configuring virtual links on AR2 and AR4, connect the
divided backbone areas together through virtual links. AR4, AR5, and AR6 learn the intra-
domain route of 10.1.1.1 through the backbone area. After the cost of the interconnection
interface between AR2 and AR4 is modified to 1000, the forwarding path from AR4 to AR2
becomes AR4-AR5-AR3-AR2, and the intercommunication between AR4 and AR2 needs to
bypass AR5 and AR3. When AR4 accesses the 10.1.1.1 route, AR4 sends the traffic to AR5,
AR5 to AR6, and AR6 sends back to AR4, forming a forwarding loop between AR4, AR5, and
AR6.
(2) If AR2 is a Huawei device and AR4 is a Cisco device, 'there will be the following problems
when connecting.
The Cisco default virtual link is a demand circuit and the DC bit in the Option field is set in the
OSPF Hello message Used to establish the virtual link. Huawei regards the virtual link as a
point-to-point link, and the OSPF hello Message used to establish the virtual link does not set the
DC bit. Since Huawei and Cisco have different methods for establishing virtual links, the
following problems may exist.
1. Different ways of maintaining neighbor relations
Huawei maintains the virtual link neighbor relationship by periodically sending hello messages,
while Cisco will suppress the Hallo messages after establishing virtual link neighbors and stop
sending them. Eventually, the virtual link neighbors maintained by Huawei will time out and the
neighbor relationship will be disconnected.
2. Different LSA maintenance methods
Cisco will set the LSA DNA (Do not age) advertised through the virtual link to indicate that
the LSA will never age. The purpose of this is to avoid link congestion and performance
degradation of forwarding equipment caused by regular maintenance of LSA. The reason is
because the virtual link is a unicast adjacency relationship between non-directly connected
devices, and LSA transmission needs to be forwarded through an intermediate network. If there
are low-speed links or devices with poor performance in the network, sending a large number of
LSAs regularly will cause link congestion and device performance degradation.
Although this approach reduces the problem of link congestion and performance degradation of
forwarding equipment caused by regular maintenance of LSA, it will also cause
LSAs to be unable to be deleted and remain in the link state database forever, forming a zombie
LSA, occupying a large amount of memory resources. Huawei maintains virtual links through
point-to-point network types to solve the problem of zombie LSA.
OSPFv3 network planning

(1) OSPFv3 protocol runs between routers. How many LSAs are there in area 0 and area 1? How
many of each?
(2)The OSPFv3 neighbor cannot be established between AR2 and AR4. Please analyze the
reason.
(3) How to plan the network if AR2 can establish OSPEv3 neighbors with AR1 and AR3, but
cannot establish OSPFv3 neighbors between AR1 and AR3?

Solution
(1) (The method for advertising loopback port routing on R3 and R4 is not clear in the
requirements, so two methods are written in the answer. Which one is used depends on the actual
needs of the examination room)
1. R3 and R4 announce loopback routes through network
Area0 contains 3 Type 1 LSA (Router LSA), Type 2 LSA (Network LSA), 3 Type 3 LSA (Inter
Area Prefix LSA).3 Type 8 LSA {Link LSA}, 9 Type LSA (Intra Area Prefix LSA) 2 Area 1
contains 2 Type 1 LSA {Router LSA). 2 Type 3 LSA {Inter Area Prefix LSA), 2 Type 8 LSA
(link LSA) and 2 Type 9 LSA Intra Area Prefix LSA)
2. R3 and R4 announce the loopback route by redistributing the direct connection Area0 contains
3 Type 1 LSAs (Router LSA), 1 Type 2 LSA (Network LSA), 2 Type 3 LSAs (Inter
Area Prefix LSA), 1 Type 5 LSA (AS External LSA), and Type 8 LSA {Link LSA) 3, Type 9
LSA {Intra Area Prefix LSA) 1.
Area 1 contains 2 Type 1 LSA (Router LSA). 1 Type 3 LSA (Inter Area Prefix LSA), 2 Type 7
LSA {NSSA LSA), 2 Type 8 LSA {Link LSA}, and Type 9 LSA (Intra Area Prefix LSA) 2
(2)The point-to-point link connection between AR2 and AR4 in the topology may cause the
establishment of OSPFv3 neighbors for the following reasons:
1. Hello timer or Dead timer doss not match
2. Router id conflict
2. Instance ID does not match
4. Region ID does not match
5. The authentication type or authentication password does not match.
6. Network types are inconsistent (Different network types have different Hello and Dead timers.
and neighbor establishment will fail duo to the mismatch between Hallo and Dead timers. For
example, one side is P2P, the other side is NBMA)
7. The area types are inconsistent (one side is a normal area, and the other is a special area)
8. Link-Local address conflict of interconnection interface.
9. ACL filtered NDP packets (NR and NS packets).

If the OSPFv3 neighbor relationship can be established, but the neighbor relationship cannot be
connected, the reasons are as follows:
1. The MTU values of the two ends do not match (one side is in the exchange state, and the other
side is in the exchange state. Or both sides are in the start State).
2. The link state request list or link state retransmission list is not empty (stay in the loading
state).
According to the needs of the subject, it can be achieved through the following schemas.
Scenario 1: The switch is configured with MUX VLAN and the primary and secondary VLANs
are divided to achieve access isolation.
Access isolation can be achieved by configuring MUX VLAN on the switch, adding the ports
R2 connected to the switch to the primary VLAN and adding the ports R1 and R32 connected to
the switch to the isolated secondary VLAN. According to the access principle of MUX VLAN,
the ports of the isolated slave VLAN cannot communicate with each other, but can communicate
with the main VLAN. It can meet the requirement that ARI, AR3, and AR2 establish OSPFv3
neighbor relationships but not between ARI and AR3.

Option 2: Use Hybrid role port to achieve access isolation

Use Huawei's Hybrid port mode to achieve access isolation, and configure the port mode
connecting R1, R2 and R3 to Hybrid on the switch. The specific configuration method is as
follows.
1) The Port connected to R2 is configured with PVID 200 and VLAN 100 and 300 are added in
the untagged list.
2. The- port connected to R1 is configured with PVID 100, and VLAN 200 is added to the
untagged list.
3. The port connected to R3 is configured with PVID 300, and VLAN 200 is added to the
untagged list.
Through the above configuration, R2 can communicate with R1 and R3, but R1 and R3 cannot
communicate with each other. It can meet the requirement that AR1, AR3, and AR2 establish
OSPFv3 neighbor relationships, but AR1 and AR3 do not.
Solution 3: Use key-chain to achieve authentication isolation
Use the key-chain list to achieve authentication isolation, enable key-chain authentication on
AR1, AR2, and AR3, and configure the authentication keys respectively. The configuration
method is as follows:
1. R2 configures two KEYs in the key-chain, KEY1 and KEY2, assuming KEY1 = A and KEY2
=B.
2. R1 configures a KEY in the key-chain, KEY = A.
3. R3 configures a KEY in the key-chain, KEY = B.
Through the configuration, it can be seen that the key-chain of R2 contains both the keys of
R1 and R3, which can establish neighbor relationships with R2 and R3 respectively. However,
the key-chain of R2 and R3 does not contain the key of the other party. So the neighbor
relationship cannot be established. Meet the establishment needs.

Scheme 4: Utilize NMBA network type unicast to establish neighbor relationship Configure the
network types of AR1, AR2, and AR3 as NBMA. The NBMA network type cannot discover
neighbors through multicast, but can only establish neighbor unicast by configuring peers. You
can manually configure AR1 and AR3 as Peer on AR2, but only configure AR3 as
Peer on ARI and AR3. Neighbor isolation is achieved through peer configuration to meet the
needs of neighbor establishment.
Essay17 STP

(1) All switches in this topology run RSTP. Please write down the port role of each port?
(2) Assuming that the bridge priority of SW6 is the same as that of SW1, but the MAC address
of SW6 is smaller, what problems will occur in this network topology? How to prevent, please
write a plan.
Solution:
(1)
(2)
Since the priority of SW1 and SW6 are equal, and the MAC of SW6 is smaller. SW6 will be
elected as the root bridge, and the calculation of spanning tree will be performed again.
Configure root protection for the interface connecting the SW5 device and SW6
Interface gig x/x/x
STP root-protection
For a designated port with Root protection enabled, its port role can only be maintained as a
designated port. Once the designated port with Root Protection enabled receives a higher priority
RST BPDU, the port state will enter the Discarding state, and no more packets will be
forwarded. After a period of time (usually twice the Forward Delay), if the port has not received
a higher priority RST BPDU, the port will automatically return to the normal Forwarding state.
Essay18 MPLS

(I) As shown in the figure, when 4 routers use OSPF interconnection, the MPLS enterprise
network LSP tunnel is established, but it is found that the establishment of the LSP tunnel fails,
Then what are the factors that affect the establishment of the MPLS public network LSP? (Write
at least 4 points) (4 points)
(2) In the MPLS VPM network, why is the tracert command not applicable (*** will be echoed
in the middle)? (3 points)

Solution
(1)
The factors that may affect the establishment of LSP are as follows:
1. By default, only LSPs are established for non-physical interface host routing, and determine
whether the loopback interface address is 32 bits
2. Whether LDP protocol packets are filtered by ACL. TCP UDP port 646
3. Whether the transport address route established by the LDP session is reachable, and whether
the authentication configuration of the LDP session is correct.
4. LDP LSR-ID conflict
5. In the multi-area scenario, is there route summary for the routes that need to establish LSPs or
OSPF external routes?
6. Whether the triggering strategy of LSP is correct and whether LSP firing is configured.
7. Whether the interface is enabled with MPLS and LDP.
(2)
The reason that the tracert command is not applicable is related to the processing mechanism of
the TTL value of the message in the: MPLS VPN. In MPLS there are two processing
mechanisms for packet TTL, one is uniform: mode and the other is pipe mode. First, the
mechanism of MPLS's handling of TTL is as follows.
In Uniform mods, the TTL value when adding a label to a packet is to subtract one from the
TTL value of the IP packet and copy it to the TTL value of the label. When tracert detects hop by
hop it starts from ttl=1, and ttl+1 for each hop for path tacking, when a packet with a tag ttl=1 is
received, the device will generate a ttl timeout ICMP packet and reply to the source host. At this
time, if the message has one label, then the ICMP message with the ttl timeout will return the
packet to the source host by searching the local route by default At this time, if the local route
does not have the route of the source host, an echo will appear *** IF the massage has two layers
of labels, the ICMP message with TIL timeout will continue to be forwarded along the LSP of
the destination address and return to the source host. At this time, it will not be echoed as ***.
In Cross domain option B |scenario, when ASBR directly has one layer of label, there will be an
echo *** problem, and a solution to this problem is.
(1) Modify the ttl value processing mode to uniform (uniform is the default mode)
(2). Execute the mpls command to enter the MPLS view. (On the cross-domain ASBR device).
(3) Execute the command undo ttl expiration pop (use LSP to return ICMP response message)
In PIP mode, when the message is labeled, the TTL value of the label is decoupled from the
TTL of the IP massage, and a label with a fixed TTL value is added, which usually default to
255, which makes it impossible to carry out messages on the public network through tracert in
the pipe mode. The detection of the forwarding path hides the network structure of the public
network.
Essay19 Campus Gateway

(1) In the campus network, what are the advantages of deploying the gateway at the
convergence layer? (5 points) SA
(2) In the campus network, what are the advantages of deploying the gateway at the access
layer? (5 paints)

Solution
(1) The advantages of the gateway on the convergence layer:
1. Analyze from the perspective of cost putting it at the convergence layer has advantages and
lowers the performance requirements of the access equipment and reduces the cost. (Access
switches can only require Layer 2, the version can be a simplified version of LI) depending on
the number of access switches, the larger the number, the more obvious the cost advantage.
2. Analysis from the perspective of resources: it is advantageous to put on the aggregation layer.
VLANs on different access switches use the same IP address segment to avoid waste, reduce the
interconnection address segment between access and aggregation, and reduce the number of
neighbors of the routing protocol.
3. Analysis from the perspective of partial business migration and expansion: it is advantageous
to put it at the convergence layer. Because the same VLAN on different accesses is
interconnected, the migration of the physical location (in the case of the relocation of the
computer room etc.) does not need to re-deploy a new IP Address segment.
4. Analysis from the perspective of gateway redundancy: it is advantageous to put it in the
convergence, and it is easy to run VRRP and other techn0logies between the two convergences
to realize the gateway.
5. Analysis from the perspective of business deployment: Convergence has advantages. All
configuration core gateways can be configured remotely. On-site engineers only need to assign
interfaces to designated VLANs, test computer configuration designated IP, and PING gateways.
There is no need to consider routing protocols on site.
Note: Office networks are generally suitable for deployment in convergence, because office
networks focus on network expansion and migration.

(2)
The advantages of the gateway on the access layer.
1. Analyze from the perspective of isolating the broadcast domain: it is advantageous to release
access, and the broadcast domain can be divided. When problems such as ARP viruses occur in
the local area network, the affected area can be controlled.
2. Analyze from the perspective of fault location: If there is a problem in which network segment
has the advantage of access, the physical location can be found directly according to the topology
map.
3. Analyze from the perspective of routing control: Putting access has advantages and running
routing protocols between access and convergence, there are many ways to control the flow of
traffic (such as OSPF routing, internal>intermediate> outer 1> outer 2). e.g (Policy routing and
other technologies)
4. Analyze from the perspective of avoiding loops: Putting access has advantages no need to run
spanning tree or SMART-LINK technology.
5. Analyze from the perspective of line efficiency: routing protocols with advantages for access
can achieve load sharing (flow-by-flow or packet-by-packet), while the layer 2 protocol can only
achieve active and standby. Or implement load sharing among different groups. The service
exchanges between different network segments that belong to the same switch do not need to go
through the aggregation switch, so the access efficiency is improved.
6. Analysis from the perspective of risk putting access has advantages. To realize that the same
network segment must be connected to the same access switch, the physical location is isolated,
and the risk is small. Big.
Note: The production network (Confidential network) is generally suitable for deployment in
access, because the risk is small
Essay20 Multicast stream forwarding

The network is connected to the Internet, add the PIM-SM protocol is configured on the router to
provide ASM services for users in the network, so that all user hosts that join the same multicast
group can access multicast streams sent from any source to the group.
(1) After configuring the multicast network the multicast source sends multicast data and finds
that the RP does not generate entries. The DR directly connected to the source did not want the
RP (Router E) to send a registration message. How to troubleshoot the problem?
(2) After the first step of the Operation, the problem is solved, but the new problem is that after
the source: DR sends a registration message to the RP, the registration outgoing interface always
exists. How can I troubleshoot it?
(3)In order to increase the controllability of multicast, it is required that the BSR can only serve
the PIM-SM domain. How to achieve this?

Solution.
(1)
The receiver cannot receive the multicast traffic for the following reasons:
1. The IGMP version configuration error between the leaf router and the receiver: the
consistency of the IGMP version needs to be ensured between the leaf router and the receiver.
The general group query messages in the three versions of IGMP are consistent and the versions
are not distinguished. But each version has an independent group membership report. If the
version of the inquirer and the receiver are inconsistent, downgrade compatibility is required. If
the querier or receiver dos not support downgrade compatibility, there will be no IGMP Group
information on the querier.
2. The port of the leaf router connected to the receiver is not enabled with the PIM protocol:
If the port of the leaf router connected to the receiver is not enabled with the PIM protocol, the
port cannot be used as the outgoing interface (Outgoing list) of the multicast routing table,
resulting in the receiver cannot receive the multicast stream.
3. PIM neighbor establishment failed: PIM neighbor establishment failed, and the multicast
reservation table could not be created. The reasons that affect the establishment of PIM
neighbors are as follows.
1) The PIM protocol is net enabled under the interconnection interface
2) IP address conflict of interconnection interface
3) ACL filtered 224.0.0.13 multicast packets
4. RP problem: Static RP or dynamic RP can be configured in PIM-SM mode. The possible
problems are as follows
1) Static RP
1. The static RP address is incorrectly configured
2. The configured static RP address route is unreachable
3. The static RP is bound to the group filtering policy
4. The static RP address RPF check failed
2 Dynamic RP (BSR)
1. Candidate BSR is not configured or configured incorrectly.
2. Candidate RP is not configured or configured incorrectly.
3. The route to the BSR address is unreachable.
4. The BSR address RPF check failed.
5. The route of the RP address is unreachable.
6. RP address RFF check failed.
7. The candidate RP is bound to a group filtering policy.
5. RPF check failed: RPF will perform RPF check on the multicast source, BSR and RP. If the
check fails, it will affect the multicast routing table and multicast traffic. The principles of RPF
inspection are as follows.
Note: The interface used for RPF check must enable PIM protocol
1) Priority comparison Priority
1. If there are unicast routes, MBGP routes, and multicast static routes to check IP
(multicast source, BER, RP), at the same time. Compare the priorities of different
routing types, the smaller the priority, the better.
2. If the priorities are the same, multicast static> MBGP> unicast routing.
3. If there is only unicast routing, compare the mask length of the unicast routing,
the longer the better,
4. If it the mask length is the same, compare the next hop IP address of the route,
the larger the IP- address, the better.
2) The mask length is compared first
1. If there are unicast routes, MBGP routes, and multicast static routes to check IP
(multicast source, BSR, RP) at the same time. Compare the mask lengths of
different routing types. The longer the mask length, the better.
2 if the mask length is the same, compare the priorities of different routing types,
the smaller the priority, the better.
3. If the priorities are the same, choose Multicast Static> MBGP> Unicast Route.
 4 If there is only unicast routing, compare the IP address of the next hop of the
routing. The larger the IP address, the better.
6. The interface of the first-hop router connected to the multicast source is not enabled with the
PIM protocol.
7. The first-hop router is not configured with a static RP or has not received the candidate RP
information advertised by the BSR.
8. The route from the first hop router to the RP is unreachable, resulting in failure to register with
the RP.
9. The route from the RP to the multicast source is unreachable or the RPF check fails, and the
(S, G) join cannot be sent to the multicast source to establish an SPT forwarding tree.
10. There is no (*.G) table on the RP, and the RPT forwarding tree cannot be used to forward
traffic to the receiver.

(2)
If there are recipients of IGMPv1, v2, and v2 in the network at the same time in order to ensure
compatibility between protocols, multiple versions can work at the same time. The version of the
IGMP querier needs to be configured as IGMPv1, because the general group query messages of
the three versions of IGMP are the same and recipients of different versions can receive it. If the
receiver’s version is higher than the inquirer's Version, the receiver will be downgraded to the
same version as the inquirer to achieve compatibility. Therefore in order to achieve
interoperability, the IGMP version of the querier needs to be configured as the lowest version
IGMP v1.
The following is the original text of Hedex: {for reference only)
In the evolution process of the three versions the processing of protocol messages is backward
compatible. Therefore, although the format of protocol messages of each version is different,
routers running higher versions of IGMP can recognize IGMP massages of lower versions. For
example, the multicast device of the v2 version can correctly handle the joining of the v1 host
and the multicast device of the v3 version can correctly handle the joining of the v1 and v2 hosts.
When the multicast device receives an IGMP join message from a host with a lower version it
will automatically reduce the compatible version of the multicast group to the version
corresponding to the host and work on this version.
When a multicast device working in v2 or v3 receives a Report message sent by an IGMPv1
host, it will automatically set the compatibility mode of the multicast group to v1 mode. In this
case the device ignores IGMPv2 leave massages for this group. When a multicast device
working in version 3 receives a Report message of version v2, it will automatically set the
compatibility mode of the multicast group to v2 mode. In this case, the device ignores the source
list of IGMPv3 BLOCK messages, IGMPv3 TO_IN messages, and IGMPv3 TO_EX messages
that is, suppressing IGMPv3's function of selecting multicast sources. When a multicast device is
upgraded from a lower version to a higher version through manual configuration, if there are
multicast groups, these multicast groups continue to work in the compatibility mode of the lower
version until all hosts with the lower version exit the multicast group.