Router

SSH
aaa authentication login ssh local
aaa authentication enable default enable
enable password 0 123456
username admin password 0 123456
ip sshd enable
ip sshd auth-method ssh
ip sshd auth-retries 5
ip sshd timeout 60

TELNET
R1_config#aaa authentication login default local
R1_config#aaa authentication enable default enable
R1_config#enable password 0 ruijie
R1_config#line vty 0 4
R1_config_line#login authentication default
R1_config_line#password 0 cisco

Method 2, without going through AAA authentication:
R1_config#aaa authentication login default none
R1_config#aaa authentication enable default enable
R1_config#enable password 0 cisco
R1_config#line vty 0 4
R1_config_line#login authentication default

CHAP authentication (one-way authentication; the passwords on the two ends do not have to match)
R2_config#aaa authentication ppp test local
R2_config#username R2 password 0 123456
R2_config_s0/2#enc ppp
R2_config_s0/2#ppp authentication chap test
R2_config_s0/2#ppp chap hostname R1
R1_config#aaa authentication ppp test local
R1_config#username R1 password 0 123456
R1_config_s0/1#enc ppp
R1_config_s0/1#ppp authentication chap test
R1_config_s0/1#ppp chap hostname R2

PAP authentication (two-way authentication; the passwords must match)
R2_config#aaa authentication ppp test local
R2_config#username R2 password 0 123456
R2_config_s0/2#enc ppp
R2_config_s0/2#ppp authentication pap test
R2_config_s0/2#ppp pap sent-username R1 password 123456
R1_config#aaa authentication ppp test local
R1_config#username R1 password 0 123456
R1_config_s0/1#enc ppp
R1_config_s0/1#ppp authentication pap test
R1_config_s0/1#ppp pap sent-username R2 password 123456

FR
Router-A_config_s1/1#encapsulation frame-relay   ! encapsulate the link with Frame Relay
Router-A_config_s1/1#frame-relay local-dlci 17   ! set the local DLCI number
Router-A_config_s1/1#frame-relay intf-type dce   ! configure this end as the FR DCE
Router-A_config_s1/1#frame-relay map 192.168.1.2 pvc 17 broadcast   ! map the DLCI to the peer's IP

VRRP
Int g0/4
vrrp 1 associate 192.168.20.254 255.255.255.0
vrrp 1 priority 120   ! set the priority; this router is the master
vrrp 1 preempt   ! enable preemption
vrrp 1 track interface Serial0/1 30   ! track the uplink; if it goes down, the priority is lowered automatically
Int g0/6
vrrp 1 associate 192.168.20.254 255.255.255.0
vrrp 1 priority 100   ! set the priority; this router is the backup (default 100)
vrrp 1 preempt   ! enable preemption
vrrp 1 track interface Serial0/2 30   ! track the uplink; if it goes down, the priority is lowered automatically

RIP authentication (only RIPv2 supports authentication)
interface Serial0/2   ! enable authentication and set the password on the interface
ip rip authentication simple
ip rip password 123456

RIP unicast updates
router rip
nei 192.168.1.1

RIP timers
router rip
timers update 10   ! update interval
timers expire 30   ! expiry (invalid) time
timers holddown 50   ! holddown time

OSPF
router os 1
net 192.168.1.0 255.255.255.0 ar 0   ! a 32-bit mask is not allowed here

OSPF virtual link
ROUTER OS 2   ! enter the process
AR 1 VI 2.2.2.2   ! the peer's ROUTER-ID

OSPF summarization
ROUTER OS 2   ! enter the process
ar 0 range 192.168.0.0 255.255.252.0

OSPF authentication
Plain text:
ROUTER OS 2
AR 0 AUTHEN SP   ! in the process, enable authentication for the area that needs it
INT S0/1
IP OS passw 123456   ! configure the password on the interface
MD5:
router os 2
ar 0 authen me
int s0/1
ip os me 1 md5 123456

BGP
router bgp 100
no synchronization   ! with a full iBGP mesh the synchronization check must be disabled
nei 192.168.12.1 remot 200   ! establish a neighbor with a router outside the AS
nei 2.2.2.2 remot 100   ! establish a neighbor with a router inside the AS
nei 2.2.2.2 up lo0   ! use the loopback as the update source
nei 2.2.2.2 next-hop-self   ! set the next hop to this router
net 2.2.2.0   ! advertise a route that is present in the routing table

ACL
ACLs on the router take a subnet mask, not a wildcard mask!

Time-based ACL
time-range acl   ! define a time range
periodic weekdays 09:00 to 12:00
periodic weekdays 14:00 to 17:00
ip access-list extended time   ! write a time-based ACL that references the time range
deny ip 192.168.10.0 255.255.255.0 any time-range acl
permit ip any any
int g0/4   ! apply to the interface
ip access-group time in
int g0/6
ip access-group time in

Static NAT
ip route 0.0.0.0 0.0.0.0 192.168.12.2
ip nat inside source static 192.168.10.10 192.168.12.1
int g0/6
ip nat in
int s0/1
ip nat out

NAPT
ip access-list standard NAT   ! define the IP range to be translated
permit 192.168.10.0 255.255.255.0
ip nat pool NAT 192.168.23.10 192.168.23.20 255.255.255.0   ! create the pool of translated addresses
ip nat inside source list NAT pool NAT overload   ! tie the range to be translated to the pool
ip route default 192.168.23.3   ! default route whose next hop is the egress gateway's next hop
router rip   ! if a routing protocol is running, redistribute the default route into it
redistribute static
interface Serial0/1   ! apply on the inside interface
ip nat inside
interface Serial0/2   ! apply on the outside interface
ip nat outside

route-map
ip acce sta acl   ! define the traffic to match
per 192.168.20.0 255.255.255.0
route-map SHENMA 10 permit
ma ip add acl   ! reference the ACL
set ip next-hop 192.168.12.1   ! change the next hop
int g0/3
ip po route-map SHENMA   ! apply on the ingress (source) interface

DHCP
Assigning an IP to a router interface (it cannot be a serial port!)
R1
ip dhcpd enable
ip dhcpd pool 1
network 192.168.12.0 255.255.255.0
range 192.168.12.10 192.168.12.20
R2
interface GigaEthernet0/6
ip address dhcp
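The router notes above state that ACLs on the router take a subnet mask, while the switch ACL later on the sheet is written with a wildcard mask, and they show a time-based ACL. As an added example (not from the cheat sheet), the Python below models both mask semantics and the sheet's "time-range acl" / access-list "time"; the half-open time window and the implicit deny at the end are assumptions of this model, not documented device behaviour.

```python
"""Added example (not from the cheat sheet): ACL mask semantics and time-range
evaluation.  Router semantics (subnet mask) and switch semantics (wildcard)
differ bit for bit, so a wildcard typed where a subnet mask is expected changes
what the entry matches.  Time windows are treated as half-open [start, end),
which is an assumption about the device, not its documented behaviour."""
import ipaddress
from datetime import datetime


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def matches_subnet_mask(addr, network, mask):
    """Router semantics: every bit set in the mask must match."""
    return (_ip(addr) & _ip(mask)) == (_ip(network) & _ip(mask))


def matches_wildcard(addr, network, wildcard):
    """Switch (wildcard) semantics: bits set in the wildcard are don't-care."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(network) & care)


def deny_hits(src, mask_as_written):
    """Would 'deny ip 192.168.10.0 <mask_as_written> any' match src when the
    router interprets the third token as a subnet mask?"""
    return matches_subnet_mask(src, "192.168.10.0", mask_as_written)


# Constructed model of the sheet's time range "acl": Monday..Friday windows.
WEEKDAYS = {0, 1, 2, 3, 4}
TIME_RANGE_ACL = [(WEEKDAYS, "09:00", "12:00"), (WEEKDAYS, "14:00", "17:00")]


def time_range_active(when, periods=TIME_RANGE_ACL):
    hhmm = when.strftime("%H:%M")
    return any(when.weekday() in days and start <= hhmm < end
               for days, start, end in periods)


# The sheet's "ip access-list extended time", in evaluation order.
ACL_TIME = [
    {"action": "deny", "src": ("192.168.10.0", "255.255.255.0"), "time_range": "acl"},
    {"action": "permit", "src": None, "time_range": None},   # permit ip any any
]


def evaluate(src, when, acl=ACL_TIME):
    """First matching active entry wins; the list ends with an implicit deny."""
    for entry in acl:
        if entry["time_range"] is not None and not time_range_active(when):
            continue   # entry is inactive outside its time range
        if entry["src"] is None or matches_subnet_mask(src, *entry["src"]):
            return entry["action"]
    return "deny"


def evaluate_at(src, iso_timestamp, acl=ACL_TIME):
    """Convenience wrapper: timestamp as 'YYYY-MM-DDTHH:MM'."""
    return evaluate(src, datetime.fromisoformat(iso_timestamp), acl)


if __name__ == "__main__":
    print(evaluate_at("192.168.10.5", "2024-01-08T10:00"))   # Monday 10:00 -> deny
    print(evaluate_at("192.168.10.5", "2024-01-08T13:00"))   # outside the windows -> permit
    # A wildcard typed on the router: the deny no longer covers 192.168.10.5
    print(deny_hits("192.168.10.5", "0.0.0.255"))
    # ...but it does match any unrelated address ending in .0
    print(deny_hits("10.0.0.0", "0.0.0.255"))
```

Running it shows the practical consequence of the sheet's warning: with the wildcard 0.0.0.255 read as a subnet mask, the deny entry fails open for the 192.168.10.0/24 hosts it was meant to block and instead hits every address whose last octet is 0.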
Assigning IPs to PCs: the underlying network must be routed end to end! In this lab RIP runs across the whole network.
R1
ip dhcpd enable
ip dhcpd pool 2
network 192.168.1.0 255.255.255.0
range 192.168.1.10 192.168.1.20
default-router 192.168.1.1
R2
ip dhcpd enable   ! the DHCP service must be enabled here too!
interface GigaEthernet0/4
ip address 192.168.1.1 255.255.255.0
ip helper-address 192.168.12.2   ! the DHCP server's IP

VPN (GRE)
int t0
ip add 172.168.10.1 255.255.255.0   ! give T0 an IP
t so s0/2   ! source: this router's egress interface
t de 192.168.23.3   ! destination: the peer's egress interface IP; note that it must be reachable
t key 123456   ! T0 key; must match on both ends
exit
ip route 192.168.20.0 255.255.255.0 t0   ! static route to the remote network via T0
int t0
ip add 172.168.10.3 255.255.255.0
t so s0/1
t de 192.168.12.1
t key 123456
exit
ip route 192.168.10.0 255.255.255.0 t0

VPN (IPSEC)
R1
crypto ipsec transform-set SHENMA   ! define the transform set
transform-type esp-des esp-md5-hmac   ! the transform set's cipher and integrity algorithms
ip access-list extended 100   ! match the interesting traffic
permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
crypto map HAN 10 ipsec-isakmp
set peer 192.168.23.3   ! set the peer
set transform-set SHENMA   ! bind the transform set
match address 100   ! bind the interesting traffic
interface Serial0/2   ! apply on the interface
crypto map HAN
R3
crypto ipsec transform-set SHENMA   ! define the transform set
transform-type esp-des esp-md5-hmac   ! the transform set's algorithms; must match on both ends
ip access-list extended 100   ! match the interesting traffic
permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto map HAN 10 ipsec-isakmp
set peer 192.168.12.1   ! set the peer
set transform-set SHENMA   ! bind the transform set
match address 100   ! bind the interesting traffic
interface Serial0/1   ! apply on the interface
crypto map HAN

VPN (IKE)
crypto isakmp key SHENMA 192.168.23.3 255.255.255.0   ! set the pre-shared key
crypto isakmp policy 10   ! set the IKE policy
hash md5
au pre
enc des
group 1
lifetime 86400
crypto ipsec transform-set SHENMA   ! define the transform set
transform-type esp-Des esp-Md5-hmac
ip access-list extended 100   ! match the interesting traffic
permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
crypto map SHENMA 10 ipsec-isakmp   ! define the IPsec crypto map
set peer 192.168.23.3
set transform-set SHENMA
match address 100
int s0/2   ! apply on the interface
crypto map SHENMA

QoS
int g0/4
ip add 192.168.10.1 255.255.255.0
no shut
int g0/6
ip add 192.168.20.1 255.255.255.0
no shut
int s0/1
ip add 192.168.12.1 255.255.255.0
phy spe 64000
no shut
ip route 0.0.0.0 0.0.0.0 192.168.12.2
ip access-list ex 1   ! define an ACL to catch the traffic
permit ip 192.168.10.0 255.255.255.0 2.2.2.0 255.255.255.0
ip access-list ex 2
permit ip 192.168.20.0 255.255.255.0 2.2.2.0 255.255.255.0
priority 1 protocol ip high list 1   ! priority list for the IP protocol, using the addresses in ACL 1, level HIGH
priority 1 protocol ip low list 2   ! priority list for the IP protocol, using the addresses in ACL 2, level LOW
int s0/1   ! apply on the interface
priority 1

Switch

banner motd   ! system login banner

TELNET
telnet-server enable   ! enable TELNET
telnet-server max-connection 16   ! maximum number of connections

SSH
username ssh password 0 123456
ssh-server enable   ! enable SSH
ssh-server timeout 60   ! connection timeout
ssh-server max-connection 16   ! maximum number of connections
ssh-server authentication-retries 5   ! number of retries
ssh-server host-key create rsa   ! create a new host key

VRRP
1. First give every VLAN an IP address
INT VLAN 10
IP ADD 192.168.10.1 255.255.255.0
NO SHUT
2. Create a VRRP group
ROUTER VRRP 10
VIRTUAL-IP 192.168.10.254   ! the virtual IP
INT VLAN 10   ! associate the VLAN
PRIORITY 120   ! the priority (default 100)
ENABLE   ! activate

STP
SW1
spanning-tree   ! enable STP
spanning-tree mode mstp   ! switch to MSTP mode
spanning-tree mst configuration   ! configure the region
name shenma   ! region name
revision-level 3   ! revision level
instance 1 vlan 10;20   ! map VLANs to the instance
instance 2 vlan 30;40
exit
spanning-tree mst 1 priority 4096   ! instance priority; lower wins
spanning-tree mst 2 priority 8192
SW2
spanning-tree   ! enable STP
spanning-tree mode mstp   ! switch to MSTP mode
spanning-tree mst configuration   ! configure the region
name shenma   ! region name
revision-level 3   ! revision level
instance 1 vlan 10;20   ! map VLANs to the instance
instance 2 vlan 30;40
exit
spanning-tree mst 1 priority 8192   ! instance priority; lower wins
spanning-tree mst 2 priority 4096
SW21
spanning-tree   ! enable STP
spanning-tree mode mstp   ! switch to MSTP mode
spanning-tree mst configuration   ! configure the region
name shenma   ! region name
revision-level 3   ! revision level
instance 1 vlan 10;20   ! map VLANs to the instance
instance 2 vlan 30;40

AM port security
am enable
int e1/0/1
am port
am mac-ip-pool 0000.1111.2222 192.168.10.1

Port mirroring
monitor session 1 source int e1/0/1 both
monitor session 1 destination int e1/0/15

RIP
Router rip
Net 192.168.1.0/24

OSPF
Router os 1
Net 192.168.1.0 0.0.0.255 ar 0

ACL
Firewall enable
Ip access-list ex 100
Per ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

Router on a stick
R1
int g0/5
no shut
interface GigaEthernet0/5.1
encapsulation dot1Q 100
ip address 192.168.10.1 255.255.255.0
interface GigaEthernet0/5.2
encapsulation dot1Q 200
ip address 192.168.20.1 255.255.255.0
interface GigaEthernet0/5.3
encapsulation dot1Q 300
ip address 192.168.30.1 255.255.255.0
SW1
vlan 100
sw int e1/0/1-2
vlan 200
sw int e1/0/3-4
vlan 300
sw int e1/0/5-6
int e1/0/20
sw mo tr
sw tr all vlan all

Port aggregation
PORT-GROUP 1   ! create a group
INT E1/0/17-18   ! the aggregated ports must be set to TRUNK
SW MO TR
SW TR ALL VLAN ALL
PORT-GROUP 1 MO ON   ! set the aggregation mode of the ports to auto-match
EXIT
INT PORT-CHANNEL 1   ! enter the aggregated port's configuration mode; it must also be set to TRUNK
SW MO TR
SW TR ALL VLAN ALL
EXIT

DHCP
SERV DHCP   ! enable the DHCP service
IP DHCP POOL VLAN10   ! create the address pool
NETW 192.168.10.0 255.255.255.0
def 192.168.10.1
le 2
dns 8.8.8.8
ip dhcp ex 192.168.10.1 192.168.10.10   ! excluded address range

DHCP relay
serv dhcp
ip for udp boot
int vlan 10
ip he 192.168.12.2

DHCP snooping
serv dhcp   ! enable the DHCP service
ip dhcp snooping enable   ! enable DHCP snooping
ip dhcp snooping binding enable   ! enable snooping binding
int e1/0/20
ip dhcp snooping trust   ! set the port as trusted; normally the port facing the server
int e1/0/1
ip dhcp snooping binding user-control   ! have the port bind the DHCP-assigned address automatically
Manually bind MAC, VLAN, IP and port information on a port (global mode):
ip dhcp snooping binding user 00-11-22-33-44-55 address 192.168.22.22 vlan 1 int e1/0/5

IPv6

6-to-4 GRE tunnel
ipv6 unicast-routing   ! allow unicast routing
interface Tunnel0
ipv6 enable   ! enable IPv6
ipv6 address 2001:23::1/64
tunnel source 192.168.12.1   ! local interface address
tunnel destination 192.168.12.2   ! peer interface address
tunnel mode gre ip   ! set the tunnel mode to GRE
tunnel key 123456   ! tunnel key; must match on both ends
ipv6 route 3::/64 Tunnel0   ! IPv6 static route with Tunnel0 as the next hop; a default static route is not allowed

Static NAT-PT
Internet(config)#ip route 0.0.0.0 0.0.0.0 fa0/1   ! the IPv4 network must be reachable
NAT-PT(config)#ip route 0.0.0.0 0.0.0.0 fa0/1
NAT-PT(config)#ipv6 nat prefix 2001:db8:feed::/96   ! set a global NAT prefix; the prefix length must be 96
NAT-PT(config)#ipv6 nat v4v6 source 10.10.10.2 2001:db8:feed::2   ! 4-to-6 translation; every address that must be reached needs an entry; it need not be in the local subnet
NAT-PT(config)#ipv6 nat v4v6 source 192.168.1.10 2001:db8:feed::3
NAT-PT(config)#ipv6 nat v6v4 source 2001:db8:cafe:ffff::2 10.10.20.5   ! 6-to-4 translation; every address that must be reached needs an entry; it need not be in the local subnet
int g0/4   ! apply on the interfaces; both the inside and the outside interface need it
ipv6 nat
int g0/4
ipv6 nat

PAT (NAT-PT)
The IPv4 network must be reachable.
NAT-PT(config)#ipv6 nat prefix 2001:db8:feed::/96   ! set a global NAT prefix; the prefix length must be 96
NAT-PT(config)#ipv6 nat v4v6 source 10.10.10.2 2001:db8:feed::2   ! 4-to-6 translation; every address that must be reached needs an entry
NAT-PT(config)#ipv6 nat v4v6 source 192.168.1.10 2001:db8:feed::3   ! it need not be in the local subnet
NAT-PT(config)#ipv6 access-list cafe   ! match the IPv6 range to be translated
NAT-PT(config-ipv6-acl)#permit ipv6 2001:db8:cafe::/48 any
NAT-PT(config-ipv6-acl)#exit
NAT-PT(config)#ipv6 nat v6v4 pool ipv4 10.10.20.5 10.10.20.6 prefix-length 24   ! 6-to-4 NAT address pool; it does not need to be a known subnet
NAT-PT(config)#ipv6 nat v6v4 source list cafe pool ipv4 overload   ! tie the range to be translated to the pool
int g0/4
ipv6 nat
int g0/4
ipv6 nat

RIPng
ipv6 router rip 100   ! create the RIP instance globally, named 100
exit
interface GigaEthernet0/4
ipv6 enable   ! enable IPv6
ipv6 address 2001::1/64
ipv6 rip 100 enable   ! start instance 100 on the interface
Every interface that should be advertised must be configured this way.

OSPFv3
ipv6 router ospf 1   ! create OSPF globally, process 1
int g0/6
ipv6 enable
ipv6 address 2001::1/64
ipv6 ospf 1 area 0   ! advertise this interface in area 0
Every interface that should be advertised must be configured this way.
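The SSH/TELNET, PPP, RIP and OSPF authentication, and VPN (IPSEC/IKE) sections of the router and switch notes above use type-0 passwords, a "none" login method, PAP, DES, MD5 and DH group 1. As an added example (not part of the cheat sheet), this Python script scans a configuration built from those commands and reports each weak setting. The rule patterns are this example's own heuristics written against the abbreviated command forms on the page, not a vendor rule set, and the sample configuration is constructed.

```python
"""Added example (not from the cheat sheet): audit of weak management and VPN
settings in a DCN-style configuration.  The rules are this example's own
heuristics, written against the abbreviated commands used in the notes."""
import re

# Strips a CLI prompt such as "R1_config#" or "NAT-PT(config)#" from a line.
PROMPT = re.compile(r"^[\w./()-]+#\s*")

# (pattern, finding id, why a defender cares)
RULES = [
    (r"\bpassword 0 \S+", "cleartext-password",
     "type-0 password is stored in cleartext in the configuration"),
    (r"^aaa authentication login \S+ none\b", "login-no-auth",
     "method list 'none' lets anyone reach the CLI without credentials"),
    (r"^telnet-server enable\b", "telnet-enabled",
     "Telnet carries credentials in cleartext; use the SSH server instead"),
    (r"^ppp authentication pap\b", "pap",
     "PAP sends the password in cleartext on the link; CHAP keeps it off the wire"),
    (r"\b(esp-des|enc des)\b", "des",
     "single DES is obsolete; use AES"),
    (r"\b(esp-md5-hmac|hash md5)\b", "md5",
     "MD5 integrity is deprecated; use SHA-2"),
    (r"^group 1\b", "dh-group-1",
     "768-bit Diffie-Hellman group 1 is too weak; use group 14 or higher"),
    (r"authentication simple\b|^ip rip password\b|^ip os passw\b|authen sp\b",
     "routing-plaintext-auth",
     "routing-protocol authentication in plaintext mode; use the MD5/keyed form"),
]
COMPILED = [(re.compile(p, re.I), fid, why) for p, fid, why in RULES]


def audit(config_text):
    """Return (line number, finding id, normalised line) for every rule hit."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = PROMPT.sub("", raw.strip())
        if not line or line.startswith("!"):
            continue
        for rx, fid, _why in COMPILED:
            if rx.search(line):
                findings.append((lineno, fid, line))
    return findings


def summarize(findings):
    """Count findings per finding id."""
    counts = {}
    for _lineno, fid, _line in findings:
        counts[fid] = counts.get(fid, 0) + 1
    return counts


# Constructed sample assembled from commands that appear in the notes above.
SAMPLE_CONFIG = """\
aaa authentication login ssh local
aaa authentication enable default enable
enable password 0 123456
username admin password 0 123456
ip sshd enable
R1_config#aaa authentication login default none
R1_config_s0/1#ppp authentication pap test
telnet-server enable
crypto isakmp policy 10
hash md5
au pre
enc des
group 1
crypto ipsec transform-set SHENMA
transform-type esp-des esp-md5-hmac
interface Serial0/2
ip rip authentication simple
ip rip password 123456
"""

if __name__ == "__main__":
    why = {fid: w for _p, fid, w in RULES}
    for lineno, fid, line in audit(SAMPLE_CONFIG):
        print(f"line {lineno:>2}  {fid:<24} {line}")
        print(f"          {why[fid]}")
    print(summarize(audit(SAMPLE_CONFIG)))
```

Line 15 of the sample produces two findings, one for the cipher and one for the integrity algorithm; a transform set such as AES with SHA-2 and a policy with group 14 or higher produce none.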
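The DHCP snooping section in the switch notes enables snooping, marks the server-facing port as trusted, has an access port bind its DHCP-assigned address automatically, and adds one static binding. As an added example (not the switch's code), the Python below models the binding table those commands build and the forwarding decision it implies for a frame arriving on a port. The exact matching rules (VLAN, MAC, IP and port must all agree) and the handling of DHCP client messages are assumptions of this model, not documented behaviour of the device.

```python
"""Added example (not from the cheat sheet): a model of what a DHCP snooping
binding table enforces.  Simplified for this page; the match rules and the
treatment of client messages are assumptions, not the switch's implementation."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


def parse_static_binding(cmd):
    """Parse the sheet's global command
    'ip dhcp snooping binding user <mac> address <ip> vlan <vlan> int <port>'."""
    t = cmd.split()
    if t[:5] != ["ip", "dhcp", "snooping", "binding", "user"] or len(t) != 12:
        raise ValueError(f"not a static binding command: {cmd!r}")
    return Binding(mac=t[5].lower(), ip=t[7], vlan=int(t[9]), port=t[11])


class SnoopingTable:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.bindings = {}   # (vlan, mac) -> Binding

    def add(self, binding):
        self.bindings[(binding.vlan, binding.mac.lower())] = binding

    def learn_from_ack(self, client_port, vlan, client_mac, assigned_ip):
        """'binding user-control': a DHCP ACK relayed from a trusted port creates
        a dynamic binding for the client's (untrusted) port."""
        self.add(Binding(client_mac.lower(), assigned_ip, vlan, client_port))

    def check(self, port, vlan, src_mac, src_ip, dhcp_msg=None):
        """Decide whether a frame is forwarded or dropped, and why."""
        # DHCP server messages are accepted only from trusted ports; this is
        # what stops a rogue DHCP server plugged into an access port.
        if dhcp_msg in ("OFFER", "ACK") and port not in self.trusted:
            return "drop: DHCP server message on untrusted port"
        if port in self.trusted:
            return "forward"
        # Client messages must pass even without a binding, or no host could
        # ever obtain a lease (assumption of this model).
        if dhcp_msg in ("DISCOVER", "REQUEST"):
            return "forward"
        # Untrusted port: the source must match a binding for this VLAN and
        # MAC, with the same IP and the same port the lease was granted on.
        b = self.bindings.get((vlan, src_mac.lower()))
        if b is None:
            return "drop: no binding for this MAC in this VLAN"
        if b.ip != src_ip or b.port != port:
            return "drop: source does not match its binding"
        return "forward"


def build_demo_table():
    """Table configured like the sheet: e1/0/20 trusted, one static binding."""
    table = SnoopingTable(trusted_ports=["e1/0/20"])
    table.add(parse_static_binding(
        "ip dhcp snooping binding user 00-11-22-33-44-55 address 192.168.22.22 vlan 1 int e1/0/5"))
    return table


if __name__ == "__main__":
    table = build_demo_table()
    print(table.check("e1/0/5", 1, "00-11-22-33-44-55", "192.168.22.22"))
    print(table.check("e1/0/5", 1, "00-11-22-33-44-55", "192.168.22.99"))
    print(table.check("e1/0/1", 1, "aa-bb-cc-dd-ee-ff", "192.168.22.1", dhcp_msg="OFFER"))
    table.learn_from_ack("e1/0/1", 1, "aa-bb-cc-dd-ee-ff", "192.168.22.50")
    print(table.check("e1/0/1", 1, "aa-bb-cc-dd-ee-ff", "192.168.22.50"))
```

The order of the checks matters: the trusted-port test comes after the rogue-server test only because a server message on an untrusted port must be dropped regardless of any binding, while everything else on the server-facing port is passed through unchanged.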