CCNP零散知识点实验配置
CCNP路由实验---1、EIGRP的基本配置
CCNP路由实验---1、EIGRP的基本配置一、实验目的1、掌握EIGRP的基本配置。
2、掌握EIGRP的通配符掩配置方法。
3、掌握EIGRP的自动汇总特性,以及如何关闭自动汇总。
4、掌握EIGRP的手工汇总。
二、实验拓扑实验步骤:1、配置各路由器的名称、相连接口IP地址;R1(config)#int s1/1R1(config-if)#ip add 172.16.1.1 255.255.255.252R1(config-if)#no shutR1(config)#int loopback 0R1(config-if)#ip add 10.1.0.1 255.255.255.0R1(config-if)#int loopback 1R1(config-if)#ip add 10.1.1.1 255.255.255.0R1(config-if)#int loopback 2R1(config-if)#ip add 10.1.2.1 255.255.255.0R1(config-if)#int loopback 3R1(config-if)#ip add 10.1.3.1 255.255.255.0其它R2、R3类似进行配置。
配置完后用ping命令确认各路由器的直连口的互通性。
2、配置EIGRP协议,设置自治系统号为80R1:R1(config)#router eigrp 80R1(config-router)#network 172.16.0.0R2:R2(config)#router eigrp 80R2(config-router)#network 172.16.0.0R2(config-router)#network 111.111.0.0R3:R3(config)#router eigrp 80R3(config-router)#network 172.16.0.0备注:通常在路由器上配置EIGRP宣告通路网络时使用两种方法,方法1:network +主类网络号,这样可以将路由器上相关地址的接口直接加入到EIGRP 路由进程中去;方法2:使用通配符掩码进行配置,例如network X.X.X.X 0.0.0.X。
CCNA 思科配置实验
思科配置实验(适用于CCNA)1. 设置计算机ip地址设置PCA 的IP地址为:10.65.1.1 255.255.0.0 网关:10.65.1.2 设置PCB 的IP地址为:10.66.1.1 255.255.0.0 网关:10.66.1.2 设置ROA f0/0 IP 为:10.65.1.2 255.255.0.0设置ROA f0/1 IP 为:10.66.1.2 255.255.0.0设置计算机PCA的ip地址和网关的操作:[rootPCA root]# ifconfig eth0 10.65.1.1 netmask 255.255.0.0 [rootPCA root]# ifconfig[rootPCA root]# route add default gw 10.65.1.2[rootPCA root]# route设置计算机PCB的ip地址和网关的操作:[rootPCB root]# ifconfig eth0 10.66.1.1 netmask 255.255.0.0 [rootPCB root]# ifconfig[rootPCA root]# route add default gw 10.66.1.2[rootPCA root]# route2. 双击Router A,配置路由器的接口IP地址:router>enrouter#conf trouter(config)#hostname roaroa(config)int f0/0roa(config-if)#ip address 10.65.1.2 255.255.0.0roa(config-if)#no shutdown (默认是shutdown)roa(config-if)#exitroa(config)int f0/1roa(config-if)#ip address 10.66.1.2 255.255.0.0roa(config-if)#no shutroa(config)int s0/0roa(config-if)#ip address 10.67.1.2 255.255.0.0roa(config-if)#no shutroa(config-if)#clock rate 64000roa(config)int s0/1roa(config-if)#ip address 10.68.1.2 255.255.0.0roa(config-if)#no shutroa(config-if)#exitroa(config)#ip routing (默认是关闭的)3.检查网络联通情况[rootPCA root]# ping 10.65.1.2 (通) (ping自己的网关) [rootPCA root]# ping 10.66.1.2 (通) (ping f0/1) [rootPCA root]# ping 10.66.1.1 (通) (ping PCB) [rootPCA root]# ping 10.67.1.2 (不通) (端口空时down) [rootPCA root]# ping 10.68.1.2 (不通) (端口空时down)[rootPCB root]# ping 10.66.1.2 (通) (ping自己的网关) [rootPCB root]# ping 10.65.1.2 (通) (ping f0/0) [rootPCB root]# ping 10.65.1.1 (通) (ping PCA) [rootPCB root]# ping 10.67.1.2 (不通) (端口s0/0空时down) [rootPCB root]# ping 10.68.1.2 (不通) (端口s0/1空时down)roa#ping 10.65.1.1 (通) (ping PCA)roa#ping 10.65.1.2 (通) (ping f0/0)roa#ping 10.66.1.1 (通) (ping PCB)roa#ping 10.66.1.2 (通) (ping f0/1)roa#ping 10.67.1.2 (不通) (端口s0/0空时down)roa#ping 10.68.1.2 (不通) (端口s0/1空时down)下面我们做这个几个小实验:(1) 将路由器的接口f0/0关闭roa#conf troa(config)#int f0/0roa(config-if)#shutdownroa(config-if)#endroa#ping 10.65.1.2 (不通,端口down掉)roa#show int f0/0 (f0/0 is down,line proto is down) [rootPCA root]# ping 10.65.1.2 (不通)激活f0/0端口:roa(config)#int f0/0roa(config-if)#no shutroa(config-if)#endroa#ping 10.65.1.2 (通)去掉PCA与f0/0的连线roa#sh int f0/0 (f0/0 is up,line proto is down)roa#ping 10.65.1.2 (不通)roa#sh int s0/0 (s0/0 is down,line proto is down)roa#sh int s0/1 (s0/1 is down,line proto is down) serial口当没有连线时???(2) 关闭路由器的路由roa#conf troa(config)#no ip routing[rootPCA root]# ping 10.65.1.2 (通) (ping 自己的网关)[rootPCA root]# ping 10.66.1.1 (不通)(路由器不能转发了)[rootPCB root]# ping 10.66.1.2 (通) (ping 自己的网关)[rootPCB root]# ping 10.65.1.1 (不通)(路由器不能转发了)计算机可以ping与其相连的端口,但不能ping通下面的计算机,因为no ip routing后不具备转发的功能了。
CCNA实验,CCNA笔记,CCNA配置大全
CCNA实验,CCNA笔记,CCNA配置⼤全⼀ACL1,标准ACLR2(config)#access-list 1 deny 172.16.1.0 0.0.0.255 //定义ACLR2(config)#access-list 1 permit anyR2(config)#interface Serial0/0/0R2(config-if)#ip access-group 1 in //在接⼝下应⽤ ACLR2(config)#access-list 2 permit 172.16.3.1R2(config-if)#line vty 0 4R2(config-line)#access-class 2 in //在 vty 下应⽤ACLR2(config-line)#password ciscoR2(config-line)#login2,扩展ACLR1(config)#access-list 100 permit tcp 172.16.1.0 0.0.0.255 host 2.2.2.2 eq www R3(config)#access-list 101 permit ip any any R3(config)#interface g0/0R3(config-if)#ip access-group 101 inR1#show ip access-lists3,基于时间的ACLR3(config)#time-range time //定义时间范围R3(config-time-range)#periodic weekdays 8:00 to 18:00R3(config)#access-list 111 permit tcp host 172.16.3.1 host 2.2.2.2 eq telnet time-range time //在访问控制列表中调⽤ time-rangeR3(config)#access-list 111 permit tcp host 172.16.3.1 host 192.168.12.2 eq telnet time-range timeR3(config)#access-list 111 permit tcp host 172.16.3.1 host 192.168.23.2 eq telnet time-range timeR3(config)#interface g0/0R3(config-if)#ip access-group 111 in4,命名ACLR1(config)#ip access-list extended ext1R1(config-ext-nacl)#permit tcp 172.16.1.0 0.0.0.255 host 2.2.2.2 eq wwwR1(config)#interface g0/0R1(config-if)#ip access-group ext1 inR2(config)#ip access-list standard standR2(config-std-nacl)#deny 172.16.1.0 0.0.0.255R2(config-std-nacl)#permit anyR2(config)#interface Serial0/0/0R2(config-if)#ip access-group stand in⼆,密码设置可以从五个⽅⾯来给路由器设置密码。
CCNP ICW实验手册
实验一:MPLS配置实验环境:三台路由器Ethernet接口相连,接口配置如图要求:在三台路由器相连的接口分别启用MPLS,查看相应的结果,在启用前使其在OSPF下互通。
步骤一:接口配置连通性,启用OSPF路由协议R1(config-if)#int e0/1R1(config-if)#ip add 10.1.1.1 255.255.255.0R1(config-if)#no shutdownR1(config)#int e0/0R1(config-if)#ip add 20.1.1.1 255.255.255.0R1(config-if)#no shR1(config)#router ospf 100 启用路由协议,发布接口R1(config-router)#net 10.1.1.0 0.0.0.255 area 0R1(config-router)#net 20.1.1.0 0.0.0.255 area 0R2(config)#int e0/1R2(config-if)#ip add 20.1.1.2 255.255.255.0R2(config-if)#no shR2(config-if)#int e0/0R2(config-if)#ip add 30.1.1.1 255.255.255.0R2(config-if)#no shR2(config)#router ospf 100R2(config-router)#net 20.1.1.0 0.0.0.255 area 0R2(config-router)#net 30.1.1.0 0.0.0.255 area 0R3(config)#int e0/1R3(config-if)#ip add 30.1.1.2 255.255.255.0R3(config-if)#no shR3(config-if)#int e0/0R3(config-if)#ip add 40.1.1.1 255.255.255.0R3(config-if)#no shR3(config-if)#exitR3(config)#router ospf 100R3(config-router)#net 30.1.1.0 0.0.0.255 area 0R3(config-router)#net 30.1.1.0 0.0.0.255 area 0步骤二:查看路由,并测试连通性R1#show ip route →查看路由表20.0.0.0/24 is subnetted, 1 subnetsC 20.1.1.0 is directly connected, Ethernet0/040.0.0.0/24 is subnetted, 1 subnetsO 40.1.1.0 [110/30] via 20.1.1.2, 00:00:15, Ethernet0/010.0.0.0/24 is subnetted, 1 subnetsC 10.1.1.0 is directly connected, Ethernet0/130.0.0.0/24 is subnetted, 1 subnetsO 30.1.1.0 [110/20] via 20.1.1.2, 00:00:15, Ethernet0/0 R2#show ip route20.0.0.0/24 is subnetted, 1 subnetsC 20.1.1.0 is directly connected, Ethernet0/140.0.0.0/24 is subnetted, 1 subnetsO 40.1.1.0 [110/20] via 30.1.1.2, 00:00:23, Ethernet0/0 10.0.0.0/24 is subnetted, 1 subnetsO 10.1.1.0 [110/20] via 20.1.1.1, 00:00:23, Ethernet0/130.0.0.0/24 is subnetted, 1 subnetsC 30.1.1.0 is directly connected, Ethernet0/0R3#show ip route →查看路由表,都也学到相关路由20.0.0.0/24 is subnetted, 1 subnetsO 20.1.1.0 [110/20] via 30.1.1.1, 00:00:06, Ethernet0/140.0.0.0/24 is subnetted, 1 subnetsC 40.1.1.0 is directly connected, Ethernet0/010.0.0.0/24 is subnetted, 1 subnetsO 10.1.1.0 [110/30] via 30.1.1.1, 00:00:06, Ethernet0/1 30.0.0.0/24 is subnetted, 1 subnetsC 30.1.1.0 is directly connected, Ethernet0/1R1#ping 40.1.1.1 →测试连通性Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 40.1.1.1, timeout is 2 seconds:!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms R3#ping 10.1.1.1Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms 步骤三:启用相关接口的MPLS,及快速转发功能R1(config)#ip cef →启用快速转发功能R1(config)#int e0/0R1(config-if)#mpls ip →接口启用MPLSR2(config)#ip cefR2(config)#int e0/1R2(config-if)#mpls ipR2(config-if)#int e0/0R2(config-if)#mpls ipR3(config)#ip cefR3(config)#int e0/1R3(config-if)#mpls ip步骤四:查看MPLS状态R1#show mpls forwarding-table →查看MPLS转发表Local Outgoing Prefix Bytes tag Outgoing Next Hop tag tag or VC or Tunnel Id switched interface16 16 40.1.1.0/24 0 Et0/0 20.1.1.217 Pop tag 30.1.1.0/24 0 Et0/0 20.1.1.2R2#show mpls forwarding-tableLocal Outgoing Prefix Bytes tag Outgoing Next Hop tag tag or VC or Tunnel Id switched interface16 Pop tag 40.1.1.0/24 0 Et0/0 30.1.1.217 Pop tag 10.1.1.0/24 0 Et0/1 20.1.1.1R3#show mpls forwarding-tableLocal Outgoing Prefix Bytes tag Outgoing Next Hop tag tag or VC or Tunnel Id switched interface16 Pop tag 20.1.1.0/24 0 Et0/1 30.1.1.117 17 10.1.1.0/24 0 Et0/1 30.1.1.1R1#show ip cef summary 查看CEF转发汇总信息及标记信息IP CEF with switching (Table Version 16), flags=0x016 routes, 0 reresolve, 0 unresolved (0 old, 0 new), peak 016 leaves, 18 nodes, 20896 bytes, 21 inserts, 5 invalidations0 load sharing elements, 0 bytes, 0 referencesuniversal per-destination load sharing algorithm, id 86C8F0BF3(0) CEF resets, 0 revisions of existing leavesResolution Timer: Exponential (currently 1s, peak 1s)0 in-place/0 aborted modificationsrefcounts: 4877 leaf, 4864 nodeTable epoch: 0 (16 entries at this epoch)Adjacency Table has 2 adjacenciesR2#show ip cef summaryIP CEF with switching (Table Version 17), flags=0x017 routes, 0 reresolve, 0 unresolved (0 old, 0 new), peak 017 leaves, 18 nodes, 21032 bytes, 22 inserts, 5 invalidations0 load sharing elements, 0 bytes, 0 referencesuniversal per-destination load sharing algorithm, id FCD3DE863(0) CEF resets, 0 revisions of existing leavesResolution Timer: Exponential (currently 1s, peak 1s)0 in-place/0 aborted modificationsrefcounts: 4879 leaf, 4864 nodeTable epoch: 0 (17 entries at this epoch)Adjacency Table has 4 adjacenciesR3#show ip cef summaryIP CEF with switching (Table Version 16), flags=0x016 routes, 0 reresolve, 0 unresolved (0 old, 0 new), peak 016 leaves, 18 nodes, 20896 bytes, 21 inserts, 5 invalidations0 load sharing elements, 0 bytes, 0 referencesuniversal per-destination load sharing algorithm, id 86B9347C3(0) CEF resets, 0 revisions of existing leavesResolution Timer: Exponential (currently 1s, peak 1s) 0 in-place/0 aborted modificationsrefcounts: 4877 leaf, 4864 nodeTable epoch: 0 (16 entries at this epoch)Adjacency Table has 2 adjacencies注:也可用show ip cef detail这条命令来查看详细信息R1#ping 40.1.1.1 测试连通性!!!!!R3#ping 10.1.1.1!!!!!步骤五:显示当前配置信息R1#show runhostname R1ip cef!interface Ethernet0/0ip address 20.1.1.1 255.255.255.0half-duplextag-switching ip!interface Ethernet0/1ip address 10.1.1.1 255.255.255.0half-duplex!router ospf 100network 10.1.1.0 0.0.0.255 area 0network 20.1.1.0 0.0.0.255 area 0!endR2#show runhostname R2!ip cef!interface Ethernet0/0ip address 30.1.1.1 255.255.255.0 half-duplextag-switching ip!interface Ethernet0/1ip address 20.1.1.2 255.255.255.0 half-duplextag-switching ip!router ospf 100network 20.1.1.0 0.0.0.255 area 0 network 30.1.1.0 0.0.0.255 area 0 !endR3#show runhostname R3!ip cef!interface Ethernet0/0ip address 40.1.1.1 255.255.255.0 half-duplex!interface Ethernet0/1ip address 30.1.1.2 255.255.255.0 half-duplextag-switching ip!router ospf 100network 30.1.1.0 0.0.0.255 area 0 network 40.1.1.0 0.0.0.255 area 0 !end实验二:ipsec site-to-siteVPN配置环境:两台路由器串口相连,接口配置如图要求:用两个LOOP口模拟VPN感兴趣流来建立IPSEC VPN,IKE1阶段用预共享密钥,IKE2阶段哈希算法用sha,加密算法用DES.步骤一:接口基本配置,并测试连通性R1(config)#int s0R1(config-if)#ip add 10.1.1.1 255.255.255.0R1(config-if)#clock rate 64000R1(config-if)#no shR1(config)#int loop 0R1(config-if)#ip add 1.1.1.1 255.255.255.0R2(config)#int s1R2(config-if)#ip add 10.1.1.2 255.255.255.0R2(config-if)#no shR2(config)#int loop 0R2(config-if)#ip add 1.1.2.1 255.255.255.0R1#ping 10.1.1.2 →测试连通性,再做IPSEC!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 28/31/32 msR2#ping 10.1.1.1!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 32/32/32 ms配置二:配置IKE1和IKE2两个阶段,并应用到接口R1(config)#crypto isakmp policy 10 →IKE1阶段策略R1(config-isakmp)#authen pre-share →将验证修改为预共享R1(config)#crypto isakmp key cisco address 10.1.1.2 →定义预共享密钥R1(config)#crypto ipsec transform myset esp-sha-hmac esp-des→定义2阶段的转换集R1(config)#access-list 100 permit ip 1.1.1.0 0.0.0.255 1.1.2.0 0.0.0.255→定义加密感兴趣流R1(config)#crypto map mymap 10 ipsec-isakmp →定义2阶段加密图% NOTE: This new crypto map will remain disabled until a peerand a valid access list have been configured.R1(config-crypto-map)#match address 100 →将列表应用到加密图R1(config-crypto-map)#set peer 10.1.1.2 →指定对等体R1(config-crypto-map)#set transform-set myset →将转换集映射到加密图R1(config)#int s0R1(config-if)#crypto map mymap →将加密图应用到接口R1(config)#ip route 1.1.2.0 255.255.255.0 20.1.1.2→指定隧道感兴趣流的路由走向R2(config)#crypto isakmp policy 10 →R2与R1端策略要匹配R2(config-isakmp)#authentication pre-shareR2(config-isakmp)#exitR2(config)#crypto isakmp key cisco address 10.1.1.1 →密钥一致,地址相互指R2(config)#crypto ipsec transform-set myset esp-des esp-sha-hmacR2(cfg-crypto-trans)#exit →两端必须匹配,默认即为tunnel模式R2(config)#access-list 102 permit ip 1.1.2.0 0.0.0.255 1.1.1.0 0.0.0.255→感兴趣流,两端互指R2(config)#crypto map mymap 10 ipsec-isakmp →加密图% NOTE: This new crypto map will remain disabled until a peerand a valid access list have been configured.R2(config-crypto-map)#set peer 10.1.1.1 →对端的物理地址R2(config-crypto-map)#set transform-set mysetR2(config-crypto-map)#match address 102R2(config-crypto-map)#exitR2(config)#ip route 1.1.1.0 255.255.255.0 10.1.1.1 →加密图感兴趣流的路由R2(config)#int s1R2(config-if)#crypto map mymap →加密映射应用到接口下步骤三:测试流是否加密,直接用接口ping出R1#ping 1.1.2.1!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 32/33/36 msR2#ping 1.1.1.1!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 32/33/36 ms分别在R1和R2上查看两个阶段的关联R1#show crypto isakmp sa →没有任何关联dst src state conn-id slotR2#show crypto isakmp sadst src state conn-id slotR1#show crypto ipsec sa 没有任何加密包,关联也没有建立interface: Serial0Crypto map tag: mymap, local addr. 10.1.1.1local ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)remote ident (addr/mask/prot/port): (1.1.2.0/255.255.255.0/0/0)current_peer: 10.1.1.2PERMIT, flags={origin_is_acl,}#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0#pkts compressed: 0, #pkts decompressed: 0#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.1.1.2path mtu 1500, media mtu 1500current outbound spi: 0inbound esp sas:inbound ah sas:inbound pcp sas:outbound esp sas:outbound ah sas:outbound pcp sas:R2#show crypto ipsec sainterface: Serial1Crypto map tag: mymap, local addr. 10.1.1.2local ident (addr/mask/prot/port): (1.1.2.0/255.255.255.0/0/0)remote ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)current_peer: 10.1.1.1PERMIT, flags={origin_is_acl,}#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0#pkts compressed: 0, #pkts decompressed: 0#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0local crypto endpt.: 10.1.1.2, remote crypto endpt.: 10.1.1.1path mtu 1500, media mtu 1500current outbound spi: 0inbound esp sas:inbound ah sas:inbound pcp sas:outbound esp sas:outbound ah sas:outbound pcp sas:步骤四:用扩展ping来触发感兴趣流量R1#ping ipTarget IP address: 1.1.2.1Repeat count [5]: 10 →将包调为10个,否则一个ping看不到效果Extended commands [n]: ySource address or interface: 1.1.1.1Sending 10, 100-byte ICMP Echos to 1.1.2.1, timeout is 2 seconds:....!!!!!! →已经触发了感兴趣流,并且ping通Success rate is 60 percent (6/10), round-trip min/avg/max = 84/84/84 ms步骤五:再次查看两个阶段的关联,以及加密情况R1#show crypto isa sa →IKE1阶段关联已建立为快速模式dst src state conn-id slot10.1.1.2 10.1.1.1QM_IDLE 1 0R1#show crypto ipsec sa→IKE2阶段关联建立,并加密了流量,隧道也已成功建立interface: Serial0Crypto map tag: mymap, local addr. 10.1.1.1local ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)remote ident (addr/mask/prot/port): (1.1.2.0/255.255.255.0/0/0)current_peer: 10.1.1.2PERMIT, flags={origin_is_acl,}#pkts encaps: 6, #pkts encrypt: 6, #pkts digest 6#pkts decaps: 6, #pkts decrypt: 6, #pkts verify 6#pkts compressed: 0, #pkts decompressed: 0#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0 #send errors 14, #recv errors 0local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.1.1.2path mtu 1500, media mtu 1500current outbound spi: 84AEB2E6inbound esp sas:spi: 0x1E44AB1D(507816733)transform: esp-des esp-sha-hmac ,in use settings ={Tunnel, }slot: 0, conn id: 2000, flow_id: 1, crypto map: mymapsa timing: remaining key lifetime (k/sec): (4607999/3520)IV size: 8 bytesreplay detection support: Yinbound ah sas:inbound pcp sas:outbound esp sas:spi: 0x84AEB2E6(2226041574)transform: esp-des esp-sha-hmac ,in use settings ={Tunnel, }slot: 0, conn id: 2001, flow_id: 2, crypto map: mymapsa timing: remaining key lifetime (k/sec): (4607999/3520)IV size: 8 bytesreplay detection support: Youtbound ah sas:outbound pcp sas:R2#show crypto isa sadst src state conn-id slot10.1.1.2 10.1.1.1 QM_IDLE 1 0R2#show crypto ipsec sainterface: Serial1Crypto map tag: mymap, local addr. 10.1.1.2local ident (addr/mask/prot/port): (1.1.2.0/255.255.255.0/0/0)remote ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)current_peer: 10.1.1.1PERMIT, flags={origin_is_acl,}#pkts encaps: 6, #pkts encrypt: 6, #pkts digest 6#pkts decaps: 6, #pkts decrypt: 6, #pkts verify 6#pkts compressed: 0, #pkts decompressed: 0#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0local crypto endpt.: 10.1.1.2, remote crypto endpt.: 10.1.1.1path mtu 1500, media mtu 1500current outbound spi: 1E44AB1Dinbound esp sas: →进站流已经产生spi: 0x84AEB2E6(2226041574)transform: esp-des esp-sha-hmac ,in use settings ={Tunnel, }slot: 0, conn id: 2000, flow_id: 1, crypto map: mymapsa timing: remaining key lifetime (k/sec): (4607999/3502)IV size: 8 bytesreplay detection support: Yinbound ah sas:inbound pcp sas:outbound esp sas: →出站流已经产生spi: 0x1E44AB1D(507816733)transform: esp-des esp-sha-hmac ,in use settings ={Tunnel, }slot: 0, conn id: 2001, flow_id: 2, crypto map: mymapsa timing: remaining key lifetime (k/sec): (4607999/3502)IV size: 8 bytesreplay detection support: Youtbound ah sas:outbound pcp sas:配置五:查看当前的配置R1#show runhostname R1!crypto isakmp policy 10authentication pre-sharecrypto isakmp key cisco address 10.1.1.2!crypto ipsec transform-set myset esp-des esp-sha-hmac!crypto map mymap 10 ipsec-isakmpset peer 10.1.1.2set transform-set mysetmatch address 102!interface Loopback0ip address 1.1.1.1 255.255.255.0!interface Serial0ip address 10.1.1.1 255.255.255.0clockrate 64000crypto map mymap!ip route 1.1.2.0 255.255.255.0 10.1.1.2!access-list 102 permit ip 1.1.1.0 0.0.0.255 1.1.2.0 0.0.0.255 !endR2#show runhostname R2!crypto isakmp policy 10authentication pre-sharecrypto isakmp key cisco address 10.1.1.1!crypto ipsec transform-set myset esp-des esp-sha-hmac!crypto map mymap 10 ipsec-isakmpset peer 10.1.1.1set transform-set mysetmatch address 102!interface Loopback0ip address 1.1.2.1 255.255.255.0!interface Serial1ip address 10.1.1.2 255.255.255.0crypto map mymap!ip route 1.1.1.0 255.255.255.0 10.1.1.1!access-list 102 permit ip 1.1.2.0 0.0.0.255 1.1.1.0 0.0.0.255 !end实验三:GRE VPN的配置环境:三台路由器串口相连,接口配置如图要求:在R1和R3之间建立GRE隧道,地址如图步骤一:接口配置连通性,R1(config)#int s0R1(config-if)#ip add 20.1.1.1 255.255.255.0R1(config-if)#no shR1(config-if)#int lo0R1(config-if)#ip add 10.1.1.1 255.255.255.0 →虚拟私有网络R1(config)#ip route 0.0.0.0 0.0.0.0 20.1.1.2 →上互联网的缺省路由ISP(config)#int s0 →ISP路由器虚拟互联网ISP(config-if)#ip add 30.1.1.1 255.255.255.0ISP(config-if)#cl ra 64000ISP(config-if)#no shISP(config-if)#int s1ISP(config-if)#ip add 20.1.1.2 255.255.255.0ISP(config-if)#cl ra 64000ISP(config-if)#no shR3(config)#int s1R3(config-if)#ip add 30.1.1.2 255.255.255.0R3(config-if)#no shR3(config-if)#int loo 0R3(config-if)#ip add 40.1.1.1 255.255.255.0→虚拟私有网络R3(config-if)#exitR3(config)#ip route 0.0.0.0 0.0.0.0 30.1.1.2→上互联网的缺省路由步骤二:测试哪些可达,哪些不可达R3#ping 10.1.1.1 →由于ISP没有私网的路由Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:U.U.USuccess rate is 0 percent (0/5)R3#ping 20.1.1.1 →合法地址是能够通讯的Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 20.1.1.1, timeout is 2 seconds:!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 56/60/64 ms步骤三:实施GRE隧道技术R1(config)#int tunnel 0 →进入隧道接口R1(config-if)#ip add 100.1.1.1 255.255.255.0 →指定IP地址,两端要在一个网段R1(config-if)#tunnel source s0 →指定承载隧道的源和目的接口R1(config-if)#tunnel destination 30.1.1.2R1(config-if)#no shR1(config)#ip route 40.1.1.0 255.255.255.0 tunnel0 →为私有网络指路由走tunnel接口R3(config)#int tunnel 0R3(config-if)#ip add 100.1.1.2 255.255.255.0R3(config-if)#tunnel source s1 →互指源和目的R3(config-if)#tunnel destination 20.1.1.1R3(config-if)#no shR3(config-if)#exitR3(config)#ip route 10.1.1.0 255.255.255.0 tunnel 0 →指对端的私有网络步骤四:做PING测试R1#ping 40.1.1.1 →都已PING通,证明GRE隧道已建立Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 40.1.1.1, timeout is 2 seconds:!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 72/72/76 msR1#ping 10.1.1.1Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 72/72/76 ms步骤五:验证结果R1#show int tunnel 0Tunnel0 is up, line protocol is up →tunnel接口已经UPHardware is TunnelInternet address is 100.1.1.1/24R3#show int tunnel 0Tunnel0 is up, line protocol is upHardware is TunnelInternet address is 100.1.1.2/24R1#show int tunnel 0 accounting →tunnel接口的统计信息,包的统计Tunnel0Protocol Pkts In Chars In Pkts Out Chars Out IP 10 1000 10 1000R3#show int tunnel 0 accountingTunnel0Protocol Pkts In Chars In Pkts Out Chars Out IP 10 1000 10 1000步骤六:显示当前配置R1#show runhostname R1!interface Loopback0ip address 10.1.1.1 255.255.255.0!interface Tunnel0ip address 100.1.1.1 255.255.255.0tunnel source Serial0tunnel destination 30.1.1.2!interface Serial0ip address 20.1.1.1 255.255.255.0!ip route 0.0.0.0 0.0.0.0 20.1.1.2ip route 40.1.1.0 255.255.255.0 Tunnel0!EndISP#show runhostname ISP!interface Serial0ip address 30.1.1.1 255.255.255.0clockrate 64000!interface Serial1ip address 20.1.1.2 255.255.255.0clockrate 64000!endR3#show runhostname R3!interface Loopback0ip address 40.1.1.1 255.255.255.0!interface Tunnel0ip address 100.1.1.2 255.255.255.0tunnel source s1tunnel destination 20.1.1.1!interface Serial1ip address 30.1.1.2 255.255.255.0!ip route 0.0.0.0 0.0.0.0 30.1.1.2ip route 10.1.1.0 255.255.255.0 Tunnel0 !end实验四:静态VS.动态Crypto Map静态的crypto map条目的一个问题是,必须指定远程对等设备的IP地址.如果本地或者远程R动态获得它们的地址信息是,会变得非常困难.topology10.1.1.0/24-router1-172.16.171.10----172.16.171.20-router2-10.1.2.0/24Basic routeRouter1:ip route 0.0.0.0 0.0.0.0 172.16.171.20Router2:ip route 0.0.0.0 0.0.0.0 172.16.171.10IKE Phase I policyRouter1:crypto isakmp policy 1authentication per-sharedhash md5encryption 3desgroup 2crypto isakmp 6 key cisco address 172.16.171.20Router2:crypto isakmp policy 1authentication per-sharedhash md5encr 3desgroup 2crypto isakmp key cisco address 0.0.0.0 0.0.0.0IPSec Phase II policyRouter1:crypto ipsec transform-set cisco esp-des esp-sha-hmacaccess-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255Static Crypto Mapcrypto map vpn 10 ipsec-isakmpset peer 172.16.171.20set transform-set ciscomatch address list 101Router2:crypto ipsec transform-set cisco esp-des esp-sha-hmacDynamic Crypto Mapcrypto dynamic-map dynamap 10set transform-set ciscocrypto map vpn 10 ipsec-isakmp dynamic dynamapApply VPN ConfigurationRouter1:interface s0crypto map vpnRouter2:interface s0crypto map vpn实验五:IPSEC over GRE Configuration技术特点利用tunnel跑动态路由协议,ipsec over gretopology1.1.1.12.2.2.2| |Lo0 Lo0| |10.1.1.0/24-router1-172.16.171.10--------------172.16.171.20-router2-10.1.2.0 /24| || tunnel |----------------------------------------------------------Basic configurationRouter1:Interface tunnel 12ip add 192.168.100.1 255.255.255.0tunnel source 172.16.171.10tunnel dest 172.16.171.20router eigrp 100no aunet 1.1.1.0 0.0.0.255net 10.1.1.0 0.0.0.255net 192.168.100.0 0.0.0.255Router2:Interface tunnel 21ip add 192.168.100.2 255.255.255.0tunnel source 172.16.171.20tunnel dest 172.16.171.10router eigrp 100no aunet 2.2.2.0 0.0.0.255net 10.1.2.0 0.0.0.255net 192.168.100.0 0.0.0.255IKE Phase I policyRouter1:crypto isakmp policy 1authentication per-sharedhash md5encr 3desgroup 2crypto isakmp key cisco address 2.2.2.2 or 172.16.171.20Router2:crypto isakmp policy 1authentication per-sharedhash md5encr 3desgroup 2crypto isakmp key cisco address 1.1.1.1 or 172.16.171.10IPSec Phase II policyRouter1:crypto ipsec transform-set cisco esp-des esp-sha-hmacaccess-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 crypto map cisco 10 ipsec-isakmpset peer 2.2.2.2 or 172.16.171.20set transform-set ciscoset pfsmatch address 101Router2:crypto ipsec transform-set cisco esp-des esp-sha-hmacaccess-list 101 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255 crypto map cisco 10 ipsec-isakmpset peer 1.1.1.1 or 172.16.171.10set transform-set ciscoset pfsmatch address 101Apply VPN ConfigurationRouter1:interface s0crypto map ciscointerface tu 12crypto map ciscoRouter2:interface s0crypto map ciscointerface tu 21crypto map cisconote:peer 设置为 1.1.1.1 or 2.2.2.2 时封装格式如下ip – gre – ip - esp – ip – datapeer 设置为 172.16.171.10 or 172.16.171.20 时封装格式如下ip – esp – ip – data实验6:GRE over IPSEC Configuration技术特点IPsec (ESP) tunnels only IP unicast trafficGRE encap non-ip and ip multicast or broadcast packets into ip unicast packets Using a GRE tunnel inside an ipsec tunnel uses only three SA (at maximum)topology10.1.1.0/24-router1-172.16.100.1----172.16.100.2-router2-10.1.2.0/24| || tunnel |-------------------------------------192.168.100.0/24Basic configurationRouter1:Interface tunnel 12ip add 192.168.100.1 255.255.255.0tunnel source 172.16.100.1tunnel dest 172.16.100.2router eigrp 100no aunet 10.1.1.0 0.0.0.255net 192.168.100.0 0.0.0.255Router2:Interface tunnel 21ip add 192.168.100.2 255.255.255.0tunnel source 172.16.100.2tunnel dest 172.16.100.1router eigrp 100no aunet 10.1.2.0 0.0.0.255net 192.168.100.0 0.0.0.255IKE Phase I policyRouter1:crypto isakmp policy 1authentication per-sharedhash md5encr 3desgroup 2crypto isakmp key cisco address 172.16.100.2Router2:crypto isakmp policy 1authentication per-sharedhash md5encr 3desgroup 2crypto isakmp key cisco address 172.16.100.1IPSec Phase II policyRouter1:crypto ipsec transform-set cisco esp-des esp-sha-hmac mode transportaccess-list 101 permit gre any anycrypto map cisco 10 ipsec-isakmpset peer 172.16.100.2set transform-set ciscoset pfsmatch address 101Router2:crypto ipsec transform-set cisco esp-des esp-sha-hmac mode transportaccess-list 101 permit gre any anycrypto map cisco 10 ipsec-isakmpset peer 172.16.100.1set transform-set ciscoset pfsmatch address 101Apply VPN ConfigurationRouter1:interface e0/0crypto map ciscoRouter2:interface e0/0crypto map cisco实验七:Ezvpn的配置环境:路由器(cisco)r1在一个公司的总部为EZVPN的server,远程internet用户要访问总部的内网,远程用户用的是cisco的EZVPN软件。
CCNP中文实验手册
Gateway of last resort is not set
R2 的配置 R2(config)# key chain cisco Æ定义 chain 名称 R2(config-keychain)# key 1 Ækey 值编号,须一致 R2(config-keychain-key)# key-string aaa Æ定义密钥,须一致 R2(config)# interface s1 R2(config-if)# ip authentication mode eigrp 100 md5 Æ启用 eigrp 验证模式 md5 R2(config-if)# ip authentication key-chain eigrp 100 cisco Æ将 chain 应用到验证
步骤五:查看路由表
R1#show ip route Æ显示路由表,如下图显示证明验证通过 D 为 eigrp 路由 Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route
CCNA网络基础知识1——11章-配置和测试网络
CCNA⽹络基础知识1——11章-配置和测试⽹络11.3 配置Cisco设备:IOS基础配置⽂件 启动配置⽂件(即 startup-config⽂件)存储在⾮易失RAM(NVRAM) 中。
每次路由器启动或重新加载时,都会将 startup-config ⽂件加载到内存中。
该配置⽂件⼀旦加载到内存中,就被视为运⾏配置⽂件(即 running-config) 。
修改运⾏配置⽂件会⽴即影响 Cisco 设备的运⾏。
修改之后,管理员可以选择将更改保存到 startup-config ⽂件中,下次重启设备时将会使⽤修改后的配置。
如果在设备关闭前,没有把对 running-config ⽂件的更改保存到 startup-config ⽂件中,那些更改也将会丢失。
介绍 Cisco IOS 模式 主要的模式有以下⼏种: ⽤户执⾏模式 特权执⾏模式,enable,disable 全局配置模式,configure terminal 其他特定配置模式,例如,在路由模式下执⾏的命令将仅影响特定的路由过程。
常⽤热键和快捷⽅式 1. Tab Tab键⽤于补全缩写命令或参数。
2. Ctrl + R 重新显⽰命令⾏。
3. Ctrl - Z 退出配置模式并返回到特权执⾏模式。
4. 向上和向下箭头 调⽤历史命令。
5. Ctrl-Shift-6 当从CLI启动⼀个IOS进程(例如ping 或traceroute)后,该命令会运⾏到完成或被中断为⽌。
当该进程正在运⾏时,CLI⽆响应,请按Ctrl-Shift-6,再按X键。
6. Ctrl-C 终⽌命令的输出并退出配置模式。
7. 缩写命令或关键字IOS检查命令 show是基本的检查命令。
show arp, show mac-address-table show startup-config show running-config show ip interfaces show interfaces show version11.4 利⽤Cisco IOS进⾏基本配置11.4.1 命名设备 hostname no hostname11.4.2 限制设备访问:配置⼝令和标语 ⼝令有以下⼏种: 控制台⼝令 使能⼝令 使能加密⼝令VTY⼝令⼀、控制台⼝ 进⼊全局配置模式下, line console 0 password login⼆、 Enable⼝令和Enable加密⼝令 请尽可能使⽤enable secret 命令。
CCNP中文实验手册5-1:配置在多区域中配置集成IS-IS
实验5-1:配置在多区域中配置集成IS-IS【实验目的】:在本次实验中,你将配置你的机架为中间系统-中间系统路由协议。
在完成本次实验之后,你需要完成下列任务:连接其它设置使用IS-IS路由协议【实验拓扑】:注意:图中x为所在机架编号,y为路由器编号。
【实验帮助】:如果出现任何问题,可以向在值的辅导老师提出并请求提供帮助。
【命令列表】:【任务一】:在多区域中配置集成ISIS实验过程:第一步:配置ISIS在你的实验路由器上。
PxR1和PxR3应该是在区域49.00x1,PxR2和PxR4应该是在区域49.00x2。
每一个路由器分配的NET如下表所示:路由器 NET 示范(机架7)PxR1 49.00x1.yyyy.yyyy.yyyy.00 49.0071.1111.1111.1111.00PxR2 49.00x2.yyyy.yyyy.yyyy.00 49.0072.2222.2222.2222.00PxR3 49.00x1.yyyy.yyyy.yyyy.00 49.0071.3333.3333.3333.00PxR4 49.00x2.yyyy.yyyy.yyyy.00 49.0072.4444.4444.4444.00第二步:在所有的路由器激活的串口,环回接口和以及网接口,使用ip router isis命令激活IS-IS路由协议。
第三步:保持边界路由器为缺省的IS L1/L2类型,使用适当的IS-IS路由配置命令设置内部路由器仅参与IS-IS L1路由。
配置完成之后,所有区域之间的通讯都应该能到达边界路由器。
第四步:所有的路由器缺省是参与L1/L2 ISIS路由。
L1仅仅与区域匹配的路由器通讯。
因此由于PxR3和PxR4在不同的区域,他们之间不会形成邻接关系,他们仅仅与直接相连的边界路由器形成邻接。
PxR1和PxR2将形成L2通讯。
查看内部路由器上的IS-IS拓扑结构,注意这个内部路由器应该与边界路由器建立L1邻接关系。
思科基础实验(中英文对照)CCNA,CCNP实验
目录实验一路由器基本配置 (1)实验二静态路由 (3)实验三缺省路由 (5)实验四静态路由&缺省路由&CDP协议 (7)实验五三层交换机实现VLAN间通信 (9)实验六Vtp (11)实验七生成树STP (13)实验八RIP路由协议1 (17)实验九RIP路由协议2 (19)实验十OSPF单区域1 (21)实验十一OSPF单区域2 (22)实验十二OSPF单区域3 (24)实验十三EIGRP (26)实验十四ACL标准访问控制列表 (29)实验十五扩展ACL -1 (31)实验十六扩展ACL -2 (33)实验十七专家级访问控制列表 (36)实验十八动态NAT (37)实验十九NAT地址转换 (39)实验二十单臂路由 (41)实验二十一PPP chap认证 (43)实验二十二研究应用层和传输层协议 (44)实验二十三检查路由 (45)实验二十四研究ICMP 数据包 (47)实验二十五研究第2 层帧头 (49)实验二十六地址解析协议(ARP) (50)实验二十七中间设备用作终端设备 (52)实验二十八管理设备配置 (54)实验一路由器基本配置一、实验设备一台路由器,一台PC,配置线一条。
二、实验要求1.更改路由器名称为RA2.设置password为cisco1,secret为cisco2,vty为cisco3,并要求所有密码都加密。
3.关闭域名查找,命令输入同步。
4.配置以太网口的IP为202.119.249.2195.设置登陆提示信息6.对串行口进行描述(描述信息为:welcome to lixin lab)7.将上述信息保存到tftp server8.将实验过程配置写在记事本中进行粘贴。
9.配置VTY访问权限。
10.禁止路由器进行域名解析。
三、实验步骤Router>enableRouter#configure terminalRouter(config)#hostname RA 设置路由器名RA(config)#enable password cisco1 设置密码RA(config)#enable secret cisco2 设置加密密码RA (config)#no ip domain-lookup关闭域名查找(当我们打错命令时,不会去查找DNS,造成延时)RA (config)#line console 0RA (config-line)#logging synchronous命令输入达到同步(信息提示不会打断你的输入)RA (config-line)#exec-timeout 0 0 设置永久不超时RA (config-line)#exitRA(config)#line vty 0 4RA(config-line)#(enable)password cisco3 设置vty密码RA(config-line)#exitRA(config)#service password-encryption 对密码加密RA(config)#int fastEthernet 0/0RA(config-if)#ip address 202.119.249.1 255.255.255.0 对以太网口fa0/0配置IP RA(config-if)#no shutdown 开启端口RA(config-if)#exitRA(config)#banner motd & welcome welcome to ccna lab & 设置登陆提示信息RA(config)#int fa0/1RA(config-if)#description this is a fast port 描述端口信息RA(config-if)#exitRA(config)#copy running-config tftp 把信息保存到tftp实验二静态路由一、实验设备两台28系列型号路由器通过串口相连。
CCNA实验报告四
CCNA实验报告四——EIGRP路由协议配置1.实验目的1.掌握EIGRP路由协议的基本配置2.掌握EIGRP的通配符掩码配置方法3.掌握EIGRP的自动汇总特性,以及如何关闭自动汇总4.掌握EIGRP的手工汇总5.掌握通过ip default-network命令配置EIGRP默认网络2.实验内容根据拓扑进行EIGRP路由协议的基本配置,自动汇总、手工汇总以及通告默认网络同时在配置的基础上,理解掌握EIGRP路由协议。
3.实验原理EIGRP是一种距离矢量路由协议。
EIGRP使用了一种称为扩散更新算法DUAL,在多台路由器之间通过一种并行的方式执行路由的计算,从而在保持无环路的拓扑时可以随时获得较快的收敛。
EIGRP 的路由更新仍然是吧距离矢量传送给它直连的邻居。
但是这种更新并非周期性的。
是部分更新,所以比典型的距离矢量路由协议使用的带宽要少得多。
4.实验拓扑5.路由器配置1.路由器A配置2.路由器B配置3.路由器C配置6.实验总结通过这次实验我了解EIGRP协议的相关内容,以及EIGRP协议与rip协议的不同之处。
Rip协议时周期性的进行路由表的更新。
而EIGRP协议只是对路由表进行部分更新,加快了网络的收敛速度。
在要想使EIGRP协议正确执行,即两台路由器如果想通过EIGRP协议进行通信,必须具备三个条件:1.自治域系统必须一样。
2.度量标准必须一样。
3.认证方式必须一样。
并且EIGRP协议支持自动汇总和手动汇总。
如果要手动汇总,就要先通过no auto-summary关闭自动汇总。
这次实验我掌握了EIGRP协议的配置操作,以及其作用原理和范围,为以后的学习打下好的基础。
这次实验虽然学到了很多内容,但还有很多不太熟练的地方,我会多进行一些相关的配置,以提高自己的水平,争取达到熟练掌握。
ccna实验手册
东莞斯瑞教育中心CCNA实验手册V5.0CCNA实验手册实验一基础实验一、拓扑图如下:二、实验目的1、掌握CISCO设备的基础配置。
2、2台设备能够ping 通。
3、熟练使用各种show命令查看设备状态。
三、实验要求:假设公司架设了一条东莞到香港的专线,作为网络管理员的你需要完成设备的基本配置,两台设备要PING通。
四、实验步骤:1、按照拓扑图所示,搭建实验平台2、完成CISCO设备的基础配置➢基本配置包括。
➢设置主机名称和设备标识。
➢关闭设备的DNS查询功能。
➢开启光标跟随功能。
➢设置超时时间,要求HongKong超时时间是10分30秒,DongGuan永远不超时。
➢配置控制台密码,配置VTY密码,配置特权密码,启用密码加密服务。
➢完成基本和辅助配置之后,按照拓扑图配置好设备的IP地址,测试相邻设备之间能否ping通。
➢使用CDP协议查看邻居设备信息,可以对设备进行远程telnet。
➢保存配置文件后,备份IOS软件和配置文件。
3、配置如下:设备命名:Router(config)#hostname dongguanDongguan(config)#关闭DNS查询:Router(config)#no ip domain-lookup注释:IOS软件会把未知的命令当做网络上设备的主机名称,通过广播去查找这台设备,这个过程需要比较久的时间,用这个命令可以避免DNS查询过程,节省时间。
启用光标跟随:Router(config)#line console 0Router(config-line)#logging synchronous注释:IOS软件会对系统状态变化自动的跳出提示信息,这会打乱我们的命令输入会影响我们命令的输入,启动光标跟随可以解决这个问题。
设置超时时间Router(config)#line console 0Router(config-line)#exec-timeout 0(分) 0 (秒)『永不超时』注释:当我们一段时间没有对设备进行操作后,会自动跳出登录,好比windows系统在多长时间没有活动后自动锁定,需要我们重新登录。
- 1、下载文档前请自行甄别文档内容的完整性,平台不提供额外的编辑、内容补充、找答案等附加服务。
- 2、"仅部分预览"的文档,不可在线预览部分如存在完整性等问题,可反馈申请退款(可完整预览的文档不适用该条件!)。
- 3、如文档侵犯您的权益,请联系客服反馈,我们会尽快为您处理(人工客服工作时间:9:00-18:30)。
CCNP零散知识点实验1、R1(config)#do ping 2.2.2.2Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 32/54/80 ms R1(config)#R2(config)#do ping 1.1.1.1Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 20/59/96 ms R2(config)#配置R1interface FastEthernet0/0ip address 12.0.0.1 255.255.255.0no shutdowninterface FastEthernet0/1ip address 1.1.1.1 255.255.255.0no shutdownrouter eigrp 1network 1.1.1.0 0.0.0.255network 12.0.0.0 0.0.0.255no auto-summaryR2interface Loopback1ip address 2.2.2.2 255.255.255.0no shutdowninterface FastEthernet0/0ip address 12.0.0.2 255.255.255.0no shutdownrouter eigrp 1network 2.2.2.0 0.0.0.255network 12.0.0.0 0.0.0.255no auto-summary2、把R1的start文件分别用tee参数复制到主机的TFTP和FTP R1#WRBuilding configuration...[OK]Copy到主机TFTPR1#Copy到主机ftpR1(config)#ip ftp username admin R1(config)#ip ftp password adminR1#show startup-config | tee ftp://192.168.1.2/R1.cfg2、配置成tftp服务器,让R2通过tftp把R1的配置startup文件复制到自己的flash 中R1(config)#tftp-server nvram:startup-config假设TFTP服务器R2#copy tftp://12.0.0.1 flashAddress or name of remote host [12.0.0.1]?Source filename [startup-config]?Destination filename [r2-confg]?Accessing tftp://12.0.0.1/startup-config...Erase flash: before copying? [confirm]Erasing the flash filesystem will remove all files! Continue? [confirm]Erasing device... eeeeeeeeeeeeeeeeeeeee。
eeeee ...erasedErase of flash: completeLoading startup-config from 12.0.0.1 (via FastEthernet0/0): ![OK - 880 bytes]Verifying checksum... OK (0x26D)880 bytes copied in 0.604 secs (1457 bytes/sec)R2#show flash:System CompactFlash directory:File Length Name/status1 880 r2-confg[944 bytes used, 16776268 available, 16777212 total]16384K bytes of ATA System CompactFlash (Read/Write)SDM配置HTTP配置R1(config)#ip http serverR1(config)#ip http secure-server% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]R1(config)#*Mar 1 00:29:35.275: %SSH-5-ENABLED: SSH 1.99 has been enabled*Mar 1 00:29:35.467: %PKI-4-NOAUTOSAVE: Configuration was modified. Issue "write memory" to save new certificateR1(config)#username CCIE PRivilege 15 PAssword 123R1(config)#ip http authentication localSDM安装如果是HTTPS勾选HTTPS修改EIGRP变成OSPF需要查看好命令后再发送启用OSPF效果对端删除EIGRP修改为OSPFR2(config)#no router eigrp 1R2(config)#router ospf 1R2(config-router)#net 12.0.0.0 0.0.0.255 area 0R2(config-router)#exitR2*Mar 1 00:52:27.695: %OSPF-5-ADJCHG: Process 1, Nbr 12.0.0.1 on FastEthernet0/0 from LOADING to FULL, Loading DoneR1*Mar 1 00:52:45.403: %OSPF-5-ADJCHG: Process 1, Nbr 12.0.0.2 on FastEthernet0/0 from LOADING to FULL, Loading Done查看路由表R2(config)#do show ip roGateway of last resort is not set1.0.0.0/24 is subnetted, 1 subnetsO 1.1.1.0 [110/2] via 12.0.0.1, 00:00:43, FastEthernet0/012.0.0.0/24 is subnetted, 1 subnetsC 12.0.0.0 is directly connected, FastEthernet0/0R2(config)#配置archiveR1(config)#archiveR1(config-archive)#复制到本机TFTPR1(config-archive)#path tftp://192.168.1.2/R1复制到本机FTPR1(config-archive)#path ftp://192.168.1.2/R1.cfg执行动作产生R1(config-archive)#write-memoryR1(config-archive)#time-period 1 1分钟自动保存R1(config-archive)#do wrBuilding configuration...[OK]!!R1(config)#do show archiveThe next archive file will be named tftp://192.168.1.2/R1-1-2Archive # Name1 tftp://192.168.1.2/R1-1-1 <- Most Recent一分钟自动保存效果IP accounting不管源IP还是目IP,只记录出站流量,且是穿越的流量R2(config)# f0/0R2(config-if)#ip accounting效果未出现NETFLOWR2(config)#int f0/0R2(config-if)#ip flow ingressR2(config)#do show ip cache flowIP packet size distribution (5 total packets):1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480.000 .000 .000 1.00 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000512 544 576 1024 1536 2048 2560 3072 3584 4096 4608.000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000IP Flow Switching Cache, 278544 bytes1 active, 4095 inactive, 1 added3 ager polls, 0 flow alloc failuresActive flows timeout in 30 minutesInactive flows timeout in 15 secondsIP Sub Flow Cache, 25800 bytes0 active, 1024 inactive, 0 added, 0 added to flow0 alloc failures, 0 force free1 chunk, 1 chunk addedlast clearing of statistics neverProtocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec) -------- Flows /Sec /Flow /Pkt /Sec /Flow /FlowSrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts Fa0/0 12.0.0.1 Local 12.0.0.2 01 0000 0800 5R2(config)#SLAR2(config)#ip sla 1R2(config-ip-sla)#tcp-connect 12.0.0.1 23 source-ip 12.0.0.2R2(config-ip-sla-tcp)#frequency 60R2(config)#ip sla schedule 1 start-time now life foreverR1(config)#ip sla responderR2(config)#do show ip sla statisticsRound Trip Time (RTT) for Index 1Latest RTT: NoConnection/Busy/TimeoutLatest operation start time: *04:10:23.194 UTC Fri Mar 1 2002Latest operation return code: No connectionNumber of successes: 0Number of failures: 1Operation time to live: ForeverR2(config)#R1#show ip sla responderIP SLAs Responder is: EnabledNumber of control message received: 2 Number of errors: 0Recent sources:12.0.0.2 [04:12:54.214 UTC Fri Mar 1 2002]12.0.0.2 [04:11:54.266 UTC Fri Mar 1 2002]Recent error sources:R1#TrackR2(config)#Track 1 interface loopback 1 line-protocolR2(config)#ip route 1.0.0.0 255.0.0.0 12.0.0.1 track 1效果Int lo 1Sh*Mar 1 04:17:12.170: %TRACKING-5-STATE: 1 interface Lo1 line-protocol Up->DowndSNMPR1(config)#snmp-server location shanghaiR1(config)#snmp-server contact EricR1(config)#snmp-server host 192.168.1.2cisco 发送到SNMP管理器R1(config)#snmp-server community RW测试尝试修改查看完整配置:R1R1#show runBuilding configuration...Current configuration : 2857 bytes!version 12.4service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption!hostname R1!boot-start-markerboot-end-marker!!no aaa new-modelmemory-size iomem 5ip cef!!!!no ip domain lookupip auth-proxy max-nodata-conns 3ip admission max-nodata-conns 3!multilink bundle-name authenticated!!!!!!!!!!!!!!!!!!crypto pki trustpoint TP-self-signed-998521732enrollment selfsignedsubject-name cn=IOS-Self-Signed-Certificate-998521732revocation-check nonersakeypair TP-self-signed-998521732!!crypto pki certificate chain TP-self-signed-998521732certificate self-signed 0130820238 308201A1 A0030201 02020101 300D0609 2A864886 F70D0101 0405003030312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 4365727469666963 6174652D 39393835 32313733 32301E17 0D303230 33303130 30323933355A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3939 3835323137333230 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100B3371D59 5D95B930 66001A3A 73BEDAA7 69772FDF 02BE5098 053B9EF4 C1375AE154039A26 365AFE6C 82676699 FADF6783 8099A158 338458C9 BFE1CC4F 555B41C8C5F4E0F5 685F8B87 10D2C3EC 7B823EBB 3EC9B88D CDBE94E9 3FE7F6B9 7C5D2DD24D58F872 F6CE046B A1761D5B 5053982F E65B22E0 F70F3429 3FF7447E 199D32B502030100 01A36230 60300F06 03551D13 0101FF04 05300301 01FF300D 0603551D11040630 04820252 31301F06 03551D23 04183016 80146C97 BCD11C95 784961B5161D02F3 54164AAE CC78301D 0603551D 0E041604 146C97BC D11C9578 4961B5161D02F354 164AAECC 78300D06 092A8648 86F70D01 01040500 03818100 776280C1D2F57B94 2CA2903A D9CD21CC 4DF2DEEE C3DF3317 B786EBB0 51CCDADA 92802ED0BFBABFB5 628D509A FF0D9675 27B41DFF 712388BB 3EFE3827 6CED7A8A07D26B7752996559 86C80474 47BF83A5 35FA8AA8 19639462 7C58CD71 F6F555D1 098599C5AD03B1A0 002042BE 671FE413 30382BF2 325D1553 8941C62C CBE42750 quit!!archivelog confighidekeyspath ftp://192.168.1.2/R1.cfg!!!!ip ftp username adminip ftp password admin!!!!interface Loopback0ip address 1.1.1.1 255.255.255.0!interface FastEthernet0/0ip address 12.0.0.1 255.255.255.0duplex autospeed auto!interface FastEthernet0/1ip address 192.168.1.1 255.255.255.0duplex autospeed auto!router ospf 1log-adjacency-changesnetwork 1.1.1.0 0.0.0.255 area 0network 12.0.0.0 0.0.0.255 area 0network 192.168.1.0 0.0.0.255 area 0!ip forward-protocol nd!!ip http serverip http secure-server!ip sla respondersnmp-server community RW ROsnmp-server location shanghaisnmp-server contact Ericsnmp-server host 192.168.1.2 cisco!!!!!tftp-server nvram:startup-config!control-plane!!!!!!!!!!line con 0exec-timeout 0 0line aux 0line vty 0 4!!endR1#R2R2#show runBuilding configuration...Current configuration : 1372 bytes!version 12.4service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption!hostname R2!boot-start-markerboot-end-marker!enable password 123!no aaa new-modelmemory-size iomem 5ip cef!!!!no ip domain lookupip auth-proxy max-nodata-conns 3ip admission max-nodata-conns 3!multilink bundle-name authenticated !!!!!!!!!!!!!!!!!!!!!archivelog confighidekeys!!!!track 1 interface Loopback1 line-protocol!!!!interface Loopback1ip address 2.2.2.2 255.255.255.0ip accounting output-packetsshutdown!interface FastEthernet0/0ip address 12.0.0.2 255.255.255.0ip flow ingressduplex autospeed auto!interface FastEthernet0/1no ip addressshutdownduplex autospeed auto!router ospf 1log-adjacency-changesnetwork 2.2.2.0 0.0.0.255 area 0network 12.0.0.0 0.0.0.255 area 0!ip forward-protocol ndip route 1.0.0.0 255.0.0.0 12.0.0.1 track 1!!ip http serverno ip http secure-server!ip sla 1tcp-connect 12.0.0.1 23 source-ip 12.0.0.2 source-port 30181 ip sla schedule 1 life forever start-time nowaccess-list 100 permit tcp host 12.0.0.1 host 12.0.0.2 eq telnet access-list 100 permit icmp host 12.0.0.1 host 12.0.0.2!!!!!control-plane!!!!!!!!!!line con 0exec-timeout 0 0 line aux 0line vty 0 4 password 123 login!!endR2#。