CCNA Lab Guide / CCNA Lab Manual

Figure 2 shows the RJ-45 port of a 10Base-T network and Figure 3 the RJ-45 port of a 10/100Base-TX network. As connectors the two RJ-45 ports are identical, but the network circuitry behind each port is different, so they cannot be connected interchangeably.

(3) SC port. The SC port is what is usually called the fiber port; it is used for connecting optical fiber. Fiber ports are usually not directly used

(2) AUX port. The AUX port is an asynchronous port used mainly for remote configuration. It can also be used for dial-up connections, and through a transceiver it can be connected with

(3) High-speed synchronous serial port. In router WAN connections the most widely used port is the high-speed synchronous serial port (SERIAL), shown in Figure 7.
This port is mainly used for the very common DDN, Frame Relay, X.25 and PSTN (analog telephone line) connection types. Enterprise networks are also sometimes joined by leased line through WAN technologies such as DDN or X.25. These synchronous ports generally require a very high rate, because both ends of a network connected through such a port normally need to stay in real-time synchronization.

(4) Asynchronous serial port
(5) ISDN BRI port. Because ISDN offers a distinctive connection speed as an Internet access method, it has also been widely deployed. The ISDN BRI port is used to connect a router to the Internet or to another remote network over an ISDN line, and provides a data rate of 128 kbit/s. ISDN has two rate classes of port: ISDN BRI (Basic Rate Interface) and ISDN PRI (Primary Rate Interface). The ISDN BRI port uses an RJ-45 connector and is connected to the ISDN NT1 with an RJ-45-to-RJ-45 straight-through cable. The BRI shown in Figure 9 is an ISDN BRI port.
IPDATA CCNA Lab Manual (Standard Edition)

CCNA Lab Manual: Standard Lab Contents

Preface
Part 1: Device management labs
  Lab 01: Getting to know the Internetwork Operating System
  Lab 02: Router physical module configuration
  Lab 03: Basic router configuration
  Lab 04: Cisco Discovery Protocol (CDP)
  Lab 05: Managing router configuration files
  Lab 06: Router and switch password recovery
  Lab 07: Router IOS image file management
  Lab 08: Telnet login configuration
  Lab 09: Configuring devices with SDM
Part 2: Switching labs
  Lab 10: Catalyst 2900 configuration
  Lab 11: Switch port security
  Lab 12: VLAN configuration
  Lab 13: VLAN Trunking Protocol (VTP)
  Lab 14: Spanning Tree Protocol (STP)
  Lab 15: Wireless LAN configuration
Part 3: Routing protocol labs
  Lab 16: IP addressing exercises
  Lab 17: Router-on-a-stick
  Lab 18: Static and default routes
  Lab 19: Routing Information Protocol (RIP)
  Lab 20: Enhanced Interior Gateway Routing Protocol (EIGRP)
  Lab 21: Open Shortest Path First (OSPF)
Part 4: WAN labs
  Lab 22: HDLC and PPP encapsulation on serial links
  Lab 23: Frame Relay encapsulation on serial links
Part 5: Service labs
  Lab 24: IP access control lists (IP Access-List)
  Lab 25: Network Address Translation (NAT)

Part 1: Device management labs

Lab 01: Getting to know the Internetwork Operating System
Objectives: master the key points of HyperTerminal configuration; understand the IOS boot process.
VOLCANO Lab Manual v1.0

Xi'an Volcano CCNA and CCNP Lab Manual v1.0
Derek Liu, 2010-10-1
Website:
Phone: 400-715-8369
E-mail: liupeng@

This document is dedicated to everyone who loves Cisco; if you have any questions you can reach me by e-mail. It mainly contains CCNA and CCNP labs. This version contains only the basic labs, the static-routing labs and the RIP labs; the manual will be updated continuously, so watch for the latest version (currently V1.0)!

Contents
Lab manual
  Basic labs
    1. Making straight-through and crossover cables
    2. Basic router configuration
    3. Connectivity lab
  Routing labs
    Physical topology
    1. Static routing
      Lab 1: Simple static routes
      Lab 2: Static summary route
      Lab 3: Static default route
      Lab 4: Floating static route
      Lab 5: Load balancing
      Lab 6: Recursive route lookup
    2. Dynamic routing
      1. Routing Information Protocol (RIPv1 and RIPv2)
        Lab 1: Basic RIP configuration
        Lab 2: RIPv1 and discontiguous subnets
        Lab 3: RIPv2, authentication, passive interfaces
        Lab 4: RIPv2 unicast updates
        Lab 5: RIPv2 split horizon
        Lab 6: Offset-list
        Lab 7: RIP manual summarization
        Lab 8: RIP default route

Lab manual

Basic labs

1. Making straight-through and crossover cables
(1) Straight-through cable: both ends use the T568B pin-out (see the figure below). From left to right the pairs are white-orange, orange, white-green, blue, white-blue, green, white-brown, brown.
(2) Crossover cable: one end uses the T568A pin-out and the other end T568B (see the figure below).

2. Basic router configuration
Router modes and basic commands:
Router>enable                                    enter privileged EXEC mode
Router#disable                                   leave privileged EXEC mode
Router#configure terminal                        enter global configuration mode
Router(config)#enable password [password]        plaintext password for going from user mode to privileged mode
Router(config)#enable secret [password]          hashed (secret) password for going from user mode to privileged mode
Router(config)#service password-encryption       show every plaintext password in the configuration in encrypted (type 7) form
Router(config)#hostname [name]                   change the device name
Router(config)#no ip domain-lookup               disable DNS lookup of mistyped commands
Router(config)#banner motd $ [text] $            set the message-of-the-day banner shown at login
Router(config)#line console 0                    enter console line configuration mode
Router(config-line)#password [password]          password for managing the device over the console port
Router(config-line)#login                        enable login on the line; this is what makes the password just configured take effect
Note: if both enable password and enable secret are configured, the secret is the one checked. The type 7 form produced by service password-encryption is reversible, so it only protects against someone reading the configuration over your shoulder; use enable secret for the privileged-mode password.
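The difference between `service password-encryption` and `enable secret` above is the whole security story of this section, so here is an added example (not code from this manual or any of the others on this page) that decodes IOS type 7 strings and audits a running-config for them. Type 7 is a fixed-key XOR; the key and the algorithm are public, and the two encoded strings used in the test are the well-known vectors for the password "cisco". SAMPLE_CONFIG is constructed for the example and its `secret 5` hash is a placeholder.

```python
"""Cisco IOS "type 7" password obfuscation, decoded and audited.

Added example, not code from any of the lab manuals on this page. It shows why
`service password-encryption` only hides a password from someone glancing at
the screen: type 7 is a fixed-key XOR, so anyone who can read the running-config
recovers the plaintext. `enable secret` / `username ... secret` store a salted
hash instead and are not reversible. SAMPLE_CONFIG is constructed for this
example (the secret hash in it is a placeholder, not a real hash).
"""
import re
from typing import List, Tuple

# Fixed XOR key that IOS uses for type 7 (public knowledge for decades).
_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(encoded: str) -> str:
    """Recover the plaintext from a type 7 string such as '0822455D0A16'."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type 7 strings are a 2-digit seed followed by hex byte pairs")
    seed = int(encoded[:2], 10)        # first two digits: starting offset into the key
    body = bytes.fromhex(encoded[2:])  # remaining pairs: password bytes XOR key bytes
    return "".join(chr(b ^ _XLAT[(seed + i) % len(_XLAT)]) for i, b in enumerate(body))


def type7_encode(plaintext: str, seed: int = 8) -> str:
    """Produce what IOS would display; included only to show the scheme is reversible."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS uses seeds 0-15")
    out = bytes(ord(c) ^ _XLAT[(seed + i) % len(_XLAT)] for i, c in enumerate(plaintext))
    return f"{seed:02d}{out.hex().upper()}"


# Matches 'enable password 7 ...', 'username X password 7 ...' and the indented
# ' password 7 ...' under a line stanza; the prefix records which one it was.
_TYPE7_LINE = re.compile(r"^\s*(?P<prefix>.*?)\s*password 7 (?P<blob>[0-9A-Fa-f]+)\s*$")


def audit_config(running_config: str) -> List[Tuple[str, str]]:
    """Return (where, recovered plaintext) for every type 7 password in a config.

    An empty list means no reversible passwords were found. Lines that use
    'secret' (type 5/8/9 hashes) never match, which is the state to aim for.
    """
    findings = []
    for line in running_config.splitlines():
        m = _TYPE7_LINE.match(line)
        if m:
            where = m.group("prefix") or "line password"
            findings.append((where, type7_decode(m.group("blob"))))
    return findings


# Constructed running-config fragment for the example.
SAMPLE_CONFIG = """\
hostname R3
service password-encryption
enable secret 5 $1$abcd$placeholderhashvalue
enable password 7 0822455D0A16
username admin password 7 094F471A1A0A
line con 0
 password 7 0822455D0A16
 login
"""

if __name__ == "__main__":
    for where, plaintext in audit_config(SAMPLE_CONFIG):
        print(f"reversible password in '{where}': {plaintext}")
```

Run against a real running-config the audit lists every `password 7` line together with the plaintext it leaks; the fix for each finding is the corresponding `secret` form (`enable secret`, `username ... secret`) rather than a stronger type 7 password, because there is no such thing.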

CCNA Lab Manual, Openlab Xi'an branch, Shidai Education, Pan Xi

Lab 1: Logging in to a device and basic configuration
Requirement: log in to a router or switch over the console cable and perform basic configuration.
Objective: understand how to log in to a router or switch over the console cable and how to do basic configuration.

1.1 There are two ways to log in to a device:
- Over the console cable, using HyperTerminal or SecureCRT. Some computers have no COM port; a DB-9-to-USB adapter can be used instead.
- Remotely over the network, usually with Telnet or SSHv2. Remote access is not enabled by default; it has to be turned on by hand, and the device must have network connectivity.

1.2 With the console cable connected, log in with HyperTerminal or SecureCRT.
HyperTerminal: Start menu, Programs, Accessories, Communications, HyperTerminal.
1) Enter an area code (any value). 2) Click OK. 3) Select the host's COM port; a desktop usually has only COM1. With a USB adapter the COM number can change depending on which USB port is used, so choose the correct one. 4) Click "Restore Defaults" to use the default parameters, confirm, and log in. 5) The device boots.
SecureCRT over the console port: 1) Open CRT and choose "Connect in tab". 2) In the pop-up choose a new session. 3) Choose "serial". 4) Choose the correct COM port number and set the baud rate to the default 9600. 5) The session name is just a label for you. 6) Connect with the session you created.

1.3 Basic configuration
On first login, because the device has no startup-config to load (or the configuration register says not to load it), the device asks whether to enter the initial configuration dialog. This is a question-and-answer mode in which the device asks questions and the administrator answers them to set up part of the configuration. It is rarely used, since direct manual configuration is more convenient and direct, so answer NO and start configuring:
Router>                                  user EXEC mode
Router>enable                            enter privileged mode
Router#                                  privileged EXEC mode
Router#config terminal                   enter configuration mode from the terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#                          global configuration mode
Router(config)#line console 0            enter the console line
Router(config-line)#                     line configuration mode (one of the sub-modes)
Router(config-line)#logging synchronous  synchronous logging, so console messages do not interrupt what you are typing
Router(config-line)#exec-timeout 0 0     idle timeout of 0 minutes 0 seconds, i.e. never time out; no exec-timeout disables the timer as well, but when using a no form type the keyword out in full, otherwise an abbreviation may disable a different service by mistake
Router(config-line)#exit
Router(config)#no ip domain-lookup       disable DNS lookup of mistyped commands
Router(config)#hostname R3               change the default hostname to R3
R3(config)#
Note: a console session that never times out is a lab convenience only; on production devices keep a finite exec-timeout.

Basic configuration, password section
Configure the password for entering privileged mode from user mode:
R3(config)#enable ?
  password  Assign the privileged level password
  secret    Assign the privileged level secret
R3(config)#enable password cisco
R3(config)#enable secret cisco123
Note: with password the value appears in plaintext in running-config; with secret it appears as a hash; if both are configured, the secret is the one in effect. The service password-encryption command turns every password-keyword password in running-config into simple (type 7) ciphertext, which is reversible and should not be mistaken for real protection.

Configure the console password:
R3(config)#line console 0
R3(config-line)#password cisco
R3(config-line)#login
Note: because the password command is used, the value appears in running-config exactly like the enable password. Be sure to configure login; think of it as confirming that this password is used to log in.
Recommended practice:
R3(config)#username ccna privilege 15 secret cisco   define user ccna with privilege level 15 (full administrator) and password cisco, stored as a hash in running-config
R3(config)#line console 0
R3(config-line)#login local                          require the console line to authenticate against the local user database; entering login local replaces the login configured earlier

Save the configuration:
R3#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
R3#
or use write:
R3#write
Building configuration...
[OK]
R3#

Lab 2: Simple switch port security
Requirements:
1. Enable port security on the switch; when the host at the PC1 or PC2 position is replaced, the switch logically shuts down the interface.
2. When the host at the PC3 or PC4 position is replaced, the switch does not shut the interface down, but the frames are not forwarded.
Objective: understand how simple switch port security works and how to configure it.

2.1 sw1 configuration
sw1(config)#interface range fastEthernet 0/1 - 2
sw1(config-if-range)#                                    configure Fast Ethernet ports 1 and 2 at the same time
sw1(config-if-range)#switchport mode access              set the port mode to access
sw1(config-if-range)#switchport port-security            enable port security on the interface
The MAC addresses bound to a secured interface can be obtained in two ways:
1) entered by hand, in three dot-separated 16-bit hex groups (H.H.H);
2) learned by the switch from the source MAC addresses of frames received on the interface and made "sticky".
sw1(config-if-range)#switchport port-security mac-address ?
  H.H.H   48 bit mac address
  sticky  Configure dynamic secure addresses as sticky
sw1(config-if-range)#switchport port-security mac-address sticky
Configure the maximum number of addresses bound to the interface; the upper limit differs between switch models:
sw1(config-if-range)#switchport port-security maximum ?
  <1-132>  Maximum addresses
sw1(config-if-range)#switchport port-security maximum 1
Note: once the above is configured, if a source MAC address that is not bound appears on the interface, the switch logically shuts the interface down (the default violation mode, shutdown, puts the port into the err-disabled state).
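Lab 2 asks for two different reactions to a replaced host, but the page only shows the configuration for the first (the default shutdown mode). The following is an added example, not the manual's code, that models a secured access port as a small state machine so the three IOS violation modes can be compared without a switch: `shutdown` err-disables the port (requirement 1), while `restrict` and `protect` keep the port up and only drop the offending frames (requirement 2), differing in whether a log message and violation count are produced. MAC addresses and interface names are constructed; the assumed IOS command for the second requirement is `switchport port-security violation {restrict|protect}`.

```python
"""Switch port-security violation handling as a small state machine.

Added example, not the lab manual's own code. It models what the lab's
`switchport port-security` commands do on one access port so the three
violation modes (shutdown, restrict, protect) can be compared without a
switch. MAC addresses and port names below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                 # switchport port-security maximum N
    violation: str = "shutdown"      # switchport port-security violation {shutdown|restrict|protect}
    sticky: bool = True              # switchport port-security mac-address sticky
    secure_macs: Set[str] = field(default_factory=set)   # static, sticky-learned or dynamic
    err_disabled: bool = False
    violation_count: int = 0         # what `show port-security interface` would report
    log: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.violation not in ("shutdown", "restrict", "protect"):
            raise ValueError(f"unknown violation mode {self.violation!r}")

    def receive(self, src_mac: str) -> str:
        """Switch one frame from src_mac: returns 'forward' or 'drop'."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "drop"                      # link is down, nothing passes
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            # Under the limit: learn it. Sticky entries are written to the running-config;
            # plain dynamic entries are lost as soon as the port goes down.
            self.secure_macs.add(src_mac)
            self.log.append(f"{self.name}: secured {src_mac} ({'sticky' if self.sticky else 'dynamic'})")
            return "forward"
        # Unknown source with the table already full: a violation. The mode decides the reaction.
        if self.violation == "shutdown":
            self.violation_count += 1
            self.err_disabled = True
            if not self.sticky:
                self.secure_macs.clear()       # dynamic entries do not survive link-down
            self.log.append(f"%PM-4-ERR_DISABLE: psecure-violation error detected on {self.name}")
        elif self.violation == "restrict":
            self.violation_count += 1
            self.log.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: {src_mac} on {self.name}")
        # protect: dropped silently, no log line and no counter, which is what makes it hard to audit
        return "drop"

    def recover(self) -> None:
        """Operator issues shutdown / no shutdown (or errdisable recovery fires)."""
        self.err_disabled = False


def lab_scenario() -> Dict[str, object]:
    """Replay Lab 2: swap the host on a shutdown-mode port and on a protect-mode port."""
    fa0_1 = SecurePort("Fa0/1", maximum=1, violation="shutdown")   # PC1's port
    fa0_3 = SecurePort("Fa0/3", maximum=1, violation="protect")    # PC3's port
    pc1, pc3 = "0011.2233.4401", "0011.2233.4403"                   # constructed legitimate hosts
    rogue = "00aa.bbcc.dd99"                                         # constructed replacement host
    r: Dict[str, object] = {}
    r["pc1"] = fa0_1.receive(pc1)                # learned (sticky) and forwarded
    r["rogue_fa0_1"] = fa0_1.receive(rogue)      # violation: port goes err-disabled
    r["pc1_after"] = fa0_1.receive(pc1)          # even PC1 is cut off until someone recovers the port
    r["fa0_1_err_disabled"] = fa0_1.err_disabled
    r["fa0_1_violations"] = fa0_1.violation_count
    fa0_1.recover()
    r["pc1_recovered"] = fa0_1.receive(pc1)      # sticky entry survived, PC1 works again
    r["pc3"] = fa0_3.receive(pc3)
    r["rogue_fa0_3"] = fa0_3.receive(rogue)      # dropped, port stays up
    r["pc3_after"] = fa0_3.receive(pc3)          # PC3 is unaffected
    r["fa0_3_err_disabled"] = fa0_3.err_disabled
    r["fa0_3_violations"] = fa0_3.violation_count
    return r


if __name__ == "__main__":
    for key, value in lab_scenario().items():
        print(f"{key}: {value}")
```

For requirement 2, `restrict` is usually the better choice than `protect`: both keep the port up and drop the rogue's frames, but only `restrict` leaves a syslog line and a violation count behind, and a silent drop is exactly the kind of event an operator later wishes had been logged.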
CCNA Lab Manual [Beijing Yawei Education]
Lab 1: Configuring STP and VTP
Environment: three switches forming a full mesh; sw3 is a 2950, sw1 and sw2 are 2900XL.
Requirements: make sw3 the VTP server and sw1 and sw2 VTP clients, with domain name cisco and password cisco; create VLAN 10 (name aa) and VLAN 20 (name bb) on the server; make sw3 the root bridge for VLAN 1, sw1 the root bridge for VLAN 10 and sw2 the root bridge for VLAN 20.

Enable trunk ports
sw1 configuration:
sw1(config)#interface fa0/23
sw1(config-if)#switchport trunk encapsulation dot1q    set the trunk encapsulation
sw1(config-if)#switchport mode trunk                   enable trunk mode
sw1(config-if)#
sw1(config)#interface fa0/24
sw1(config-if)#switchport trunk encapsulation dot1q
sw1(config-if)#switchport mode trunk
sw3(config)#vtp domain cisco                set the domain name
Changing VTP domain name from NULL to cisco
sw3(config)#vtp password cisco              set the password
Setting device VLAN database password to cisco
sw1 configuration:
sw1#vlan database                           enter the VLAN database
sw1(vlan)#vtp client                        enable VTP client mode
Setting device to VTP CLIENT mode.
sw1(vlan)#vtp domain cisco                  join the cisco domain
Changing VTP domain name from NULL to cisco
sw1(vlan)#vtp password cisco                set the same password as on the server
Setting device VLAN database password to cisco.
sw1(vlan)#exit                              apply the configuration
In CLIENT state, no apply attempted.
Exiting....
sw2 configuration:
sw2#vlan database
sw2(vlan)#vtp client
Setting device to VTP CLIENT mode.
sw2(vlan)#vtp domain cisco
Changing VTP domain name from NULL to cisco
sw2(vlan)#vtp password cisco
Setting device VLAN database password to cisco.
sw2(vlan)#exit
sw2#
Note: a VTP client accepts any advertisement for its domain that carries a higher configuration revision number than its own, so a switch plugged in with a stale VLAN database and a high revision can overwrite the VLANs on every switch in the domain. Check the revision with show vtp status before connecting a switch, and keep the VTP password set as this lab does.

Step 2: Enable trunk ports
sw3 configuration (the 2950 supports only 802.1Q, so it has no switchport trunk encapsulation command):
sw3(config)#interface fa0/23
sw3(config-if)#switchport mode trunk
sw3(config-if)#interface fa0/24
sw3(config-if)#switchport mode trunk
CCNA Security Packet Tracer Instructor Lab Manual (v10)

CCNA Security 1.0.1
Instructor Packet Tracer Manual
This document is exclusive property of Cisco Systems, Inc. Permission is granted to print and copy this document for non-commercial distribution and exclusive use by instructors in the CCNA Security course as part of an official Cisco Networking Academy Program.

PT Activity: Configure Cisco Routers for Syslog, NTP, and SSH Operations
Instructor Version
Topology Diagram
Addressing Table

Learning Objectives
- Configure routers as NTP clients.
- Configure routers to update the hardware clock using NTP.
- Configure routers to log messages to the syslog server.
- Configure routers to timestamp log messages.
- Configure local users.
- Configure VTY lines to accept SSH connections only.
- Configure an RSA key pair on the SSH server.
- Verify SSH connectivity from a PC client and a router client.

Introduction
The network topology shows three routers. You will configure NTP and Syslog on all routers. You will configure SSH on R3.

Network Time Protocol (NTP) allows routers on the network to synchronize their time settings with an NTP server. A group of NTP clients that obtain time and date information from a single source have more consistent time settings, and the Syslog messages they generate can be analyzed more easily. This helps when troubleshooting network problems and attacks. When NTP is implemented in the network, it can be set up to synchronize to a private master clock or to a publicly available NTP server on the Internet.

The NTP Server is the master NTP server in this lab. You will configure the routers to allow the software clock to be synchronized by NTP to the time server. You will also configure the routers to periodically update the hardware clock with the time learned from NTP. Otherwise the hardware clock tends to gradually lose or gain time (drift), and the software clock and hardware clock may fall out of synchronization with each other.

The Syslog Server provides message logging in this lab. You will configure the routers to identify the remote host (Syslog server) that will receive logging messages.

You will need to configure the timestamp service for logging on the routers. Displaying the correct time and date in Syslog messages is vital when using Syslog to monitor a network. If the correct time and date of a message are not known, it can be difficult to determine what network event caused the message.

R2 is an ISP connected to two remote networks: R1 and R3. The local administrator at R3 can perform most router configuration and troubleshooting; however, since R3 is a managed router, the ISP needs access to R3 for occasional troubleshooting or updates. To provide this access securely, the administrators have agreed to use Secure Shell (SSH).

You use the CLI to configure the router to be managed securely using SSH instead of Telnet. SSH is a network protocol that establishes a secure terminal-emulation connection to a router or other networking device. SSH encrypts all information that passes over the network link and provides authentication of the remote computer. SSH is rapidly replacing Telnet as the remote login tool of choice for network professionals.

The servers have been pre-configured for NTP and Syslog services respectively. NTP will not require authentication. The routers have been pre-configured with the following:
- Enable password: ciscoenpa55
- Password for vty lines: ciscovtypa55
- Static routing

Task 1: Configure Routers as NTP Clients

Step 1. Test connectivity.
- Ping from PC-C to R3.
- Ping from R2 to R3.
- Telnet from PC-C to R3. Exit the Telnet session.
- Telnet from R2 to R3. Exit the Telnet session.

Step 2. Configure R1, R2 and R3 as NTP clients.
R1(config)# ntp server 192.168.1.5
R2(config)# ntp server 192.168.1.5
R3(config)# ntp server 192.168.1.5
Verify the client configuration using the command show ntp status.

Step 3. Configure routers to update the hardware clock.
Configure R1, R2 and R3 to periodically update the hardware clock with the time learned from NTP.
R1(config)# ntp update-calendar
R2(config)# ntp update-calendar
R3(config)# ntp update-calendar
Verify that the hardware clock was updated using the command show clock.

Step 4. Configure routers to timestamp log messages.
Configure the timestamp service for logging on the routers.
R1(config)# service timestamps log datetime msec
R2(config)# service timestamps log datetime msec
R3(config)# service timestamps log datetime msec

Task 2: Configure Routers to Log Messages to the Syslog Server

Step 1. Configure the routers to identify the remote host (Syslog server) that will receive logging messages.
R1(config)# logging host 192.168.1.6
R2(config)# logging host 192.168.1.6
R3(config)# logging host 192.168.1.6
The router console will display a message that logging has started.

Step 2. Verify the logging configuration using the command show logging.

Step 3. Examine the logs of the Syslog server.
From the Config tab of the Syslog server's dialogue box, select the Syslog services button. Observe the logging messages received from the routers.
Note: Log messages can be generated on the server by executing commands on the router. For example, entering and exiting global configuration mode will generate an informational configuration message.

Task 3: Configure R3 to Support SSH Connections

Step 1. Configure a domain name.
Configure the activity's domain name on R3.
R3(config)# ip domain-name

Step 2. Configure users for login from the SSH client on R3.
Create a user ID of SSHadmin with the highest possible privilege level and a secret password of ciscosshpa55.
R3(config)# username SSHadmin privilege 15 secret ciscosshpa55

Step 3. Configure the incoming VTY lines on R3.
Use the local user accounts for mandatory login and validation. Accept only SSH connections.
R3(config)# line vty 0 4
R3(config-line)# login local
R3(config-line)# transport input ssh

Step 4. Erase existing key pairs on R3.
Any existing RSA key pairs should be erased on the router.
R3(config)# crypto key zeroize rsa
Note: If no keys exist, you might receive this message: % No Signature RSA Keys found in configuration.

Step 5. Generate the RSA encryption key pair for R3.
The router uses the RSA key pair for authentication and encryption of transmitted SSH data. Configure the RSA keys with a modulus of 1024. In Packet Tracer the default is 512, and the range is from 360 to 2048.
R3(config)# crypto key generate rsa [Enter]
The name for the keys will be:
Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
Note: The command to generate RSA encryption key pairs for R3 in Packet Tracer differs from those used in the lab. On real IOS the modulus can be as large as 4096 bits, and a 1024-bit RSA key is too weak for production use; generate at least 2048 bits there.

Step 6. Verify the SSH configuration.
Use the show ip ssh command to see the current settings. Verify that the authentication timeout and retries are at their default values of 120 and 3.

Step 7. Configure SSH timeouts and authentication parameters.
The default SSH timeouts and authentication parameters can be altered to be more restrictive. Set the timeout to 90 seconds, the number of authentication retries to 2, and the version to 2.
R3(config)# ip ssh time-out 90
R3(config)# ip ssh authentication-retries 2
R3(config)# ip ssh version 2
Issue the show ip ssh command again to confirm that the values have been changed.

Step 8. Attempt to connect to R3 via Telnet from PC-C.
Open the Desktop of PC-C. Select the Command Prompt icon. From PC-C, enter the command to connect to R3 via Telnet.
PC> telnet 192.168.3.1
This connection should fail, since R3 has been configured to accept only SSH connections on the virtual terminal lines.

Step 9. Connect to R3 using SSH on PC-C.
Open the Desktop of PC-C. Select the Command Prompt icon. From PC-C, enter the command to connect to R3 via SSH. When prompted for the password, enter the password configured for the administrator, ciscosshpa55.
PC> ssh -l SSHadmin 192.168.3.1

Step 10. Connect to R3 using SSH on R2.
In order to troubleshoot and maintain the R3 router, the administrator at the ISP must use SSH to access the router CLI. From the CLI of R2, enter the command to connect to R3 via SSH version 2 using the SSHadmin user account. When prompted for the password, enter the password configured for the administrator: ciscosshpa55.
R2# ssh -v 2 -l SSHadmin 10.2.2.1

Step 11. Check results.
Your completion percentage should be 100%.
Click Check Results to see feedback and verification of which required components have been completed.

PT Activity: Configure AAA Authentication on Cisco Routers
Instructor Version
Topology Diagram
Addressing Table

Learning Objectives
- Configure a local user account on R1 and authenticate on the console and VTY lines using local AAA.
- Verify local AAA authentication from the R1 console and the PC-A client.
- Configure server-based AAA authentication using TACACS+.
- Verify server-based AAA authentication from the PC-B client.
- Configure server-based AAA authentication using RADIUS.
- Verify server-based AAA authentication from the PC-C client.

Introduction
The network topology shows routers R1, R2 and R3. Currently all administrative security is based on knowledge of the enable secret password. Your task is to configure and test local and server-based AAA solutions.

You will create a local user account and configure local AAA on router R1 to test the console and VTY logins.
- User account: Admin1 and password admin1pa55

You will then configure router R2 to support server-based authentication using the TACACS+ protocol. The TACACS+ server has been pre-configured with the following:
- Client: R2 using the keyword tacacspa55
- User account: Admin2 and password admin2pa55

Finally, you will configure router R3 to support server-based authentication using the RADIUS protocol.
The RADIUS server has been pre-configured with the following:
- Client: R3 using the keyword radiuspa55
- User account: Admin3 and password admin3pa55

The routers have also been pre-configured with the following:
- Enable secret password: ciscoenpa55
- RIP version 2
Note: The console and VTY lines have not been pre-configured.

Task 1: Configure Local AAA Authentication for Console Access on R1

Step 1. Test connectivity.
- Ping from PC-A to PC-B.
- Ping from PC-A to PC-C.
- Ping from PC-B to PC-C.

Step 2. Configure a local username on R1.
Configure a username of Admin1 and secret password of admin1pa55.
R1(config)# username Admin1 password admin1pa55
Note: the activity's answer uses the password keyword, which stores the password reversibly (plaintext, or type 7 if service password-encryption is on). Outside the activity use the secret keyword, as the SSH activity above does, so that only a salted hash is kept in the configuration.

Step 3. Configure local AAA authentication for console access on R1.
Enable AAA on R1 and configure AAA authentication for console login to use the local database.
R1(config)# aaa new-model
R1(config)# aaa authentication login default local
Note: as soon as aaa new-model is entered, every line that has no named list uses the default list, so create the local user before enabling AAA and keep your current console session open until you have verified a login.

Step 4. Configure the line console to use the defined AAA authentication method.
Configure the console line to use the default method list.
R1(config)# line console 0
R1(config-line)# login authentication default

Step 5. Verify the AAA authentication method.
Verify the user EXEC login using the local database.
R1(config-line)# end
%SYS-5-CONFIG_I: Configured from console by console
R1# exit
R1 con0 is now available
Press RETURN to get started.
************ AUTHORIZED ACCESS ONLY *************
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
User Access Verification
Username: Admin1
Password: admin1pa55
R1>

Task 2: Configure Local AAA Authentication for VTY Lines on R1

Step 1. Configure a named-list AAA authentication method for VTY lines on R1.
Configure a named list called TELNET-LOGIN to authenticate logins using local AAA.
R1(config)# aaa authentication login TELNET-LOGIN local

Step 2. Configure the VTY lines to use the defined AAA authentication method.
Configure the VTY lines to use the named AAA method.
R1(config)# line vty 0 4
R1(config-line)# login authentication TELNET-LOGIN
R1(config-line)# end

Step 3. Verify the AAA authentication method.
Verify the Telnet configuration. From the command prompt of PC-A, Telnet to R1.
PC> telnet 192.168.1.1
************ AUTHORIZED ACCESS ONLY *************
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
User Access Verification
Username: Admin1
Password: admin1pa55
R1>

Task 3: Configure Server-Based AAA Authentication Using TACACS+ on R2

Step 1. Configure a backup local database entry called Admin.
For backup purposes, configure a local username of Admin and secret password of adminpa55.
R2(config)# username Admin password adminpa55

Step 2. Verify the TACACS+ server configuration.
Select the TACACS+ Server. From the Config tab, click on AAA and notice that there is a Network configuration entry for R2 and a User Setup entry for Admin2.

Step 3. Configure the TACACS+ server specifics on R2.
Configure the AAA TACACS+ server IP address and secret key on R2.
R2(config)# tacacs-server host 192.168.2.2
R2(config)# tacacs-server key tacacspa55

Step 4. Configure AAA login authentication for console access on R2.
Enable AAA on R2 and configure all logins to authenticate using the AAA TACACS+ server and, if it is not available, the local database.
R2(config)# aaa new-model
R2(config)# aaa authentication login default group tacacs+ local
Note: the local method is tried only when the TACACS+ server does not answer; a login that the server explicitly rejects is not retried against the local database.

Step 5. Configure the line console to use the defined AAA authentication method.
Configure AAA authentication for console login to use the default AAA authentication method.
R2(config)# line console 0
R2(config-line)# login authentication default

Step 6. Verify the AAA authentication method.
Verify the user EXEC login using the AAA TACACS+ server.
R2(config-line)# end
%SYS-5-CONFIG_I: Configured from console by console
R2# exit
R2 con0 is now available
Press RETURN to get started.
************ AUTHORIZED ACCESS ONLY *************
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
User Access Verification
Username: Admin2
Password: admin2pa55
R2>

Task 4: Configure Server-Based AAA Authentication Using RADIUS on R3

Step 1. Configure a backup local database entry called Admin.
For backup purposes, configure a local username of Admin and secret password of adminpa55.
R3(config)# username Admin password adminpa55

Step 2. Verify the RADIUS server configuration.
Select the RADIUS Server. From the Config tab, click on AAA and notice that there is a Network configuration entry for R3 and a User Setup entry for Admin3.

Step 3. Configure the RADIUS server specifics on R3.
Configure the AAA RADIUS server IP address and secret key on R3.
R3(config)# radius-server host 192.168.3.2
R3(config)# radius-server key radiuspa55

Step 4. Configure AAA login authentication for console access on R3.
Enable AAA on R3 and configure all logins to authenticate using the AAA RADIUS server and, if it is not available, the local database.
R3(config)# aaa new-model
R3(config)# aaa authentication login default group radius local

Step 5. Configure the line console to use the defined AAA authentication method.
Configure AAA authentication for console login to use the default AAA authentication method.
R3(config)# line console 0
R3(config-line)# login authentication default

Step 6. Verify the AAA authentication method.
Verify the user EXEC login using the AAA RADIUS server.
R3(config-line)# end
%SYS-5-CONFIG_I: Configured from console by console
R3# exit
R3 con0 is now available
Press RETURN to get started.
************ AUTHORIZED ACCESS ONLY *************
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
User Access Verification
Username: Admin3
Password: admin3pa55
R3>

Step 7. Check results.
Your completion percentage should be 100%.
Click Check Results to see feedback and verification of which required components have been completed.

PT Activity: Configure IP ACLs to Mitigate Attacks
Instructor Version
Topology Diagram
Addressing Table

Objectives
- Verify connectivity among devices before firewall configuration.
- Use ACLs to ensure remote access to the routers is available only from management station PC-C.
- Configure ACLs on R1 and R3 to mitigate attacks.
- Verify ACL functionality.

Introduction
Access to routers R1, R2, and R3 should only be permitted from PC-C, the management station. PC-C is also used for connectivity testing to PC-A, a server providing DNS, SMTP, FTP, and HTTPS services.

Standard operating procedure is to apply ACLs on edge routers to mitigate common threats based on source and/or destination IP address. In this activity, you create ACLs on edge routers R1 and R3 to achieve this goal. You then verify ACL functionality from internal and external hosts.

The routers have been pre-configured with the following:
- Enable password: ciscoenpa55
- Password for console: ciscoconpa55
- Username for VTY lines: SSHadmin
- Password for VTY lines: ciscosshpa55
- IP addressing
- Static routing

Task 1: Verify Basic Network Connectivity
Verify network connectivity prior to configuring the IP ACLs.
Step 1. From the PC-C command prompt, ping the PC-A server.
Step 2. From the PC-C command prompt, SSH to the router R2 Lo0 interface. Exit the SSH session.
Step 3. From PC-C, open a web browser to the PC-A server (using the IP address) to display the web page. Close the browser on PC-C.
Step 4. From the PC-A server command prompt, ping PC-C.

Task 2: Secure Access to Routers

Step 1. Configure ACL 10 to block all remote access to the routers except from PC-C.
Use the access-list command to create a numbered IP ACL on R1, R2, and R3.
R1(config)# access-list 10 permit 192.168.3.3 0.0.0.0
R2(config)# access-list 10 permit 192.168.3.3 0.0.0.0
R3(config)# access-list 10 permit 192.168.3.3 0.0.0.0

Step 2. Apply ACL 10 to ingress traffic on the VTY lines.
Use the access-class command to apply the access list to incoming traffic on the VTY lines (enter line vty 0 4 on each router first; access-class, not ip access-group, is the command for lines).
R1(config-line)# access-class 10 in
R2(config-line)# access-class 10 in
R3(config-line)# access-class 10 in

Step 3. Verify exclusive access from management station PC-C.
SSH to 192.168.2.1 from PC-C (should be successful). SSH to 192.168.2.1 from PC-A (should fail).
PC> ssh -l SSHadmin 192.168.2.1

Task 3: Create a Numbered IP ACL 100
On R3, block all packets containing a source IP address from the following pool of addresses: 127.0.0.0/8, any RFC 1918 private address, and any IP multicast address.

Step 1. Configure ACL 100 to block all specified traffic from the outside network.
You should also block traffic sourced from your own internal address space if it is not an RFC 1918 address (in this activity, your internal address space is part of the private address space specified in RFC 1918).
Use the access-list command to create a numbered IP ACL.
R3(config)# access-list 100 deny ip 10.0.0.0 0.255.255.255 any
R3(config)# access-list 100 deny ip 172.16.0.0 0.15.255.255 any
R3(config)# access-list 100 deny ip 192.168.0.0 0.0.255.255 any
R3(config)# access-list 100 deny ip 127.0.0.0 0.255.255.255 any
R3(config)# access-list 100 deny ip 224.0.0.0 15.255.255.255 any
R3(config)# access-list 100 permit ip any any

Step 2. Apply the ACL to interface Serial 0/0/1.
Use the ip access-group command to apply the access list to incoming traffic on interface Serial 0/0/1.
R3(config)# interface s0/0/1
R3(config-if)# ip access-group 100 in

Step 3. Confirm that the specified traffic entering interface Serial 0/0/1 is dropped.
From the PC-C command prompt, ping the PC-A server. The ICMP echo replies are blocked by the ACL since they are sourced from the 192.168.0.0/16 address space.

Step 4. Remove the ACL from interface Serial 0/0/1.
Remove the ACL. Otherwise, all traffic from the outside network (being addressed with private source IP addresses) will be denied for the remainder of the PT activity.
Use the no ip access-group command to remove the access list from interface Serial 0/0/1.
R3(config)# interface s0/0/1
R3(config-if)# no ip access-group 100 in

Task 4: Create a Numbered IP ACL 110
Deny all outbound packets with a source address outside the range of internal IP addresses.

Step 1. Configure ACL 110 to permit only traffic from the inside network.
Use the access-list command to create a numbered IP ACL.
R3(config)# access-list 110 permit ip 192.168.3.0 0.0.0.255 any

Step 2. Apply the ACL to interface F0/1.
Use the ip access-group command to apply the access list to incoming traffic on interface F0/1.
R3(config)# interface fa0/1
R3(config-if)# ip access-group 110 in

Task 5: Create a Numbered IP ACL 120
Permit any outside host to access DNS, SMTP, and FTP services on server PC-A, deny any outside host access to HTTPS services on PC-A, and permit PC-C to access R1 via SSH.

Step 1. Verify that PC-C can access PC-A via HTTPS using the web browser.
Be sure to disable HTTP and enable HTTPS on server PC-A.

Step 2. Configure ACL 120 to specifically permit and deny the specified traffic.
Use the access-list command to create a numbered IP ACL.
R1(config)# access-list 120 permit udp any host 192.168.1.3 eq domain
R1(config)# access-list 120 permit tcp any host 192.168.1.3 eq smtp
R1(config)# access-list 120 permit tcp any host 192.168.1.3 eq ftp
R1(config)# access-list 120 deny tcp any host 192.168.1.3 eq 443
R1(config)# access-list 120 permit tcp host 192.168.3.3 host 10.1.1.1 eq 22

Step 3. Apply the ACL to interface S0/0/0.
Use the ip access-group command to apply the access list to incoming traffic on interface S0/0/0.
R1(config)# interface s0/0/0
R1(config-if)# ip access-group 120 in

Step 4. Verify that PC-C cannot access PC-A via HTTPS using the web browser.

Task 6: Modify an Existing ACL
Permit ICMP echo replies and destination unreachable messages from the outside network (relative to R1); deny all other incoming ICMP packets.

Step 1. Verify that PC-A cannot successfully ping the loopback interface on R2.

Step 2. Make any necessary changes to ACL 120 to permit and deny the specified traffic.
Use the access-list command to add entries to the numbered IP ACL; new entries are appended after the existing ones, so they are evaluated only for packets the five entries above did not match.
R1(config)# access-list 120 permit icmp any any echo-reply
R1(config)# access-list 120 permit icmp any any unreachable
R1(config)# access-list 120 deny icmp any any
R1(config)# access-list 120 permit ip any any
Note: the final permit ip any any replaces the implicit deny, so every inbound packet that none of the earlier entries deny (for example Telnet to R1's serial address) is now allowed; in a production ACL that last line would be an explicit deny with logging.

Step 3. Verify that PC-A can successfully ping the loopback interface on R2.

Step 4. Check results.
Your completion percentage should be 100%. Click Check Results to see feedback and verification of which required components have been completed.

PT Activity: Configuring Context-Based Access Control (CBAC)
Instructor Version
Topology Diagram
Addressing Table

Learning Objectives
- Verify connectivity among devices before firewall configuration.
- Configure an IOS firewall with CBAC on router R3.
- Verify CBAC functionality using ping, Telnet, and HTTP.

Introduction
Context-Based Access Control (CBAC) is used to create an IOS firewall. In this activity, you will create a basic CBAC configuration on edge router R3. R3 provides access to resources outside of the network for hosts on the inside network. R3 blocks external hosts from accessing internal resources. After the configuration is complete, you will verify firewall functionality from internal and external hosts.

The routers have been pre-configured with the following:
- Enable password: ciscoenpa55
- Password for console: ciscoconpa55
- Password for vty lines: ciscovtypa55
- IP addressing
- Static routing
- All switch ports are in VLAN 1 for switches S1 and S3.

Task 1: Block Traffic From Outside

Step 1. Verify basic network connectivity.
Verify network connectivity prior to configuring the IOS firewall.
- From the PC-C command prompt, ping the PC-A server.
- From the PC-C command prompt, Telnet to the router R2 S0/0/1 interface, IP address 10.2.2.2. Exit the Telnet session.
- From PC-C, open a web browser to the PC-A server to display the web page. Close the browser on PC-C.
- From the PC-A server command prompt, ping PC-C.

Step 2. Configure a named IP ACL on R3 to block all traffic originating from the outside network.
Use the ip access-list extended command to create a named IP ACL.
R3(config)# ip access-list extended OUT-IN
R3(config-ext-nacl)# deny ip any any
R3(config-ext-nacl)# exit

Step 3. Apply the ACL to interface Serial 0/0/1.
R3(config)# interface s0/0/1
R3(config-if)# ip access-group OUT-IN in

Step 4. Confirm that traffic entering interface Serial 0/0/1 is dropped.
From the PC-C command prompt, ping the PC-A server. The ICMP echo replies are blocked by the ACL.

Task 2: Create a CBAC Inspection Rule

Step 1. Create an inspection rule to inspect ICMP, Telnet, and HTTP traffic.
R3(config)# ip inspect name IN-OUT-IN icmp
R3(config)# ip inspect name IN-OUT-IN telnet
R3(config)# ip inspect name IN-OUT-IN http

Step 2. Turn on time-stamped logging and CBAC audit trail messages.
Use the ip inspect audit-trail command to turn on CBAC audit messages to provide a record of network access through the firewall, including illegitimate access attempts. Enable logging to the syslog server, 192.168.1.3, with the logging host command.
Make sure that logged messages are timestamped.R3(config)# ip inspect audit-trailR3(config)# service timestamps debug datetime msecR3(config)# logging host 192.168.1.3S tep 3.Apply the ins pection rule to egres s traffic on interface S0/0/1.R3(config-if)# ip inspect IN-OUT-IN outS tep 4.Verify that audit trail mes s ages are being logged on the s ys log s erver.•From PC-C, test connectivity to PC-A with ping, Telnet, and HTTP. Ping and HTTP should be successful. Note that PC-A will reject the Telnet session.•From PC-A, test connectivity to PC-C with ping and Telnet. All should be blocked.•Review the syslog messages on server PC-A: click the Config tab and then click the SYSLOG option.Task 3: Verify Firewall FunctionalityS tep 1.Open a T elnet s es s ion from P C-C to R2.The Telnet should succeed. While the Telnet session is active, issue the command show ip inspect sessions on R3. This command displays the existing sessions that are currently being tracked and inspected by CBAC.R3# show ip inspect sessionsEstablished SessionsSession 100424296 (192.168.3.3:1031)=>(10.1.1.2:23) telnet SIS_OPENExit the Telnet session.S tep 2.F rom P C-C, open a web brows er to the P C-A s erver web page us ing the s erver IP addres s. The HTTP session should succeed. While the HTTP session is active, issue the command show ip inspect sessions on R3.R3# show ip inspect sessionsEstablished SessionsSession 104637440 (192.168.3.3:1032)=>(192.168.1.3:http SIS_OPENNote: If the HTTP session times out before you execute the command on R3, you will have to click the Go button on PC-C to generate a session between PC-C and PC-A.Close the browser on PC-C.。
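The access-list 120 entries above (Task 5 Step 2, extended in Task 6 Step 2) are evaluated top-down: the first matching entry decides, and every IOS ACL ends with an implicit deny ip any any. The Python model below is an added example written for this page, not IOS code and not part of the Packet Tracer activity; it parses those nine access-list lines, matches addresses with wildcard masks, and reports which entry each constructed sample packet hits, including why an HTTP packet is dropped by the implicit deny until Task 6 appends permit ip any any. The ICMP type keywords are taken literally from the access-list lines, so an echo request is represented by the assumed string "echo".

```python
"""Model of first-match evaluation for a numbered extended IOS ACL.

Added example for this page: illustrative code, not IOS, not part of the
activity. The packets fed to evaluate() are constructed sample values.
"""
import ipaddress

# Port names that may follow "eq" in the activity's access-list lines.
PORT_NAMES = {"domain": 53, "smtp": 25, "ftp": 21, "www": 80, "telnet": 23}

# ACL 120 exactly as built in Task 5 Step 2 and extended in Task 6 Step 2.
ACL_120 = """
access-list 120 permit udp any host 192.168.1.3 eq domain
access-list 120 permit tcp any host 192.168.1.3 eq smtp
access-list 120 permit tcp any host 192.168.1.3 eq ftp
access-list 120 deny tcp any host 192.168.1.3 eq 443
access-list 120 permit tcp host 192.168.3.3 host 10.1.1.1 eq 22
access-list 120 permit icmp any any echo-reply
access-list 120 permit icmp any any unreachable
access-list 120 deny icmp any any
access-list 120 permit ip any any
"""


def _parse_addr(tokens, i):
    """Consume "any", "host A.B.C.D" or "A.B.C.D WILDCARD" at tokens[i].

    Returns ((network_int, wildcard_int), index_of_next_token).
    """
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, wild), i + 2


def parse_acl(text):
    """Turn "access-list N action proto src dst [eq port|icmp-type]" lines
    into an ordered list of entry dicts."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        entry = {"action": action, "proto": proto, "src": src, "dst": dst,
                 "dport": None, "icmp_type": None}
        rest = t[i:]
        if proto in ("tcp", "udp") and len(rest) >= 2 and rest[0] == "eq":
            entry["dport"] = PORT_NAMES.get(rest[1]) or int(rest[1])
        elif proto == "icmp" and rest:
            entry["icmp_type"] = rest[0]
        entries.append(entry)
    return entries


def _addr_matches(addr, spec):
    """Wildcard-mask match: a 1 bit in the wildcard means "don't care"."""
    net, wild = spec
    return (int(ipaddress.IPv4Address(addr)) | wild) == (net | wild)


def evaluate(entries, proto, src, dst, dport=None, icmp_type=None):
    """Return (action, index_of_matching_entry) for one packet.

    Index -1 means no entry matched and the implicit deny at the end of
    every IOS ACL dropped the packet.
    """
    for idx, e in enumerate(entries):
        if e["proto"] != "ip" and e["proto"] != proto:
            continue
        if not (_addr_matches(src, e["src"]) and _addr_matches(dst, e["dst"])):
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        if e["icmp_type"] is not None and e["icmp_type"] != icmp_type:
            continue
        return e["action"], idx
    return "deny", -1


if __name__ == "__main__":
    acl = parse_acl(ACL_120)
    # Constructed packets arriving inbound on R1 S0/0/0.
    print(evaluate(acl, "udp", "10.2.2.2", "192.168.1.3", dport=53))      # DNS to PC-A
    print(evaluate(acl, "tcp", "192.168.3.3", "192.168.1.3", dport=443))  # HTTPS to PC-A
    print(evaluate(acl, "icmp", "10.2.2.1", "192.168.1.3", icmp_type="echo"))
    # Same HTTP packet before and after Task 6 adds "permit ip any any".
    task5_only = parse_acl("\n".join(ACL_120.strip().splitlines()[:5]))
    print(evaluate(task5_only, "tcp", "10.2.2.2", "192.168.1.3", dport=80))
    print(evaluate(acl, "tcp", "10.2.2.2", "192.168.1.3", dport=80))
```

Because the deny for port 443 sits above the final permit ip any any, reordering those two lines would silently re-open HTTPS; when auditing an ACL, checking the position of each deny relative to broad permits is the point this model makes visible.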
CCNA (640-802) Study and Lab Guide (with 1 CD-ROM) [Paperback]
![CCNA (640-802) Study and Lab Guide (with 1 CD-ROM) [Paperback]](https://img.taocdn.com/s3/m/480ab5135f0e7cd184253625.png)
Editor's Recommendation
The CCNA (640-802) Study and Lab Guide uses theoretical explanation, video demonstrations, analysis of real exam questions and a large number of hands-on labs, with the aim of producing genuine CCNAs. The whole book closely follows the 640-802 exam syllabus and comprehensively and systematically analyses and introduces every knowledge point covered by the CCNA exam. The importance of each knowledge point in the exam is marked, and each chapter ends with an analysis of recent CCNA exam questions. The book has 22 chapters covering three major areas. LAN part: internetworking basics and network reference models, introduction to Cisco routers and switches, principles and configuration of static and dynamic routing protocols (including RIP, EIGRP and OSPF), VLANs and inter-VLAN routing, use of the CDP, VTP and STP protocols, wireless networking and IPv6, etc.; WAN part: WAN access technologies, use of PPP and Frame Relay, DHCP and NAT, etc.; network security part: introduction to network security, use of access control lists and implementing secure remote work, etc.
The CCNA (640-802) Study and Lab Guide offers readers not just a textbook but also a complete network lab environment, so that with a single computer a reader can complete, hands-on, all the router and switch lab configurations and tests covered in the book. The accompanying CD-ROM provides more than 1300 minutes of the author's own Chinese-language lecture videos and troubleshooting scenarios. Using today's two most powerful simulators to build a realistic environment, nearly a hundred labs make you a genuine CCNA.
The CCNA (640-802) Study and Lab Guide is especially suitable for readers who are eager to obtain CCNA certification and to genuinely acquire CCNA skills along with the certificate. It can also serve as a textbook for computer networking courses in colleges, making up for shortages of lab equipment and improving existing degree programmes, and for networking enthusiasts who want to apply what they learn in practice: a rare lab guide.
CCNA Cisco Configuration Lab

Cisco configuration lab (for CCNA)

1. Set the computers' IP addresses

Set PCA's IP address to 10.65.1.1 255.255.0.0, gateway 10.65.1.2
Set PCB's IP address to 10.66.1.1 255.255.0.0, gateway 10.66.1.2
Set ROA f0/0 IP to 10.65.1.2 255.255.0.0
Set ROA f0/1 IP to 10.66.1.2 255.255.0.0

Commands to set PCA's IP address and gateway:
[root@PCA root]# ifconfig eth0 10.65.1.1 netmask 255.255.0.0
[root@PCA root]# ifconfig
[root@PCA root]# route add default gw 10.65.1.2
[root@PCA root]# route

Commands to set PCB's IP address and gateway:
[root@PCB root]# ifconfig eth0 10.66.1.1 netmask 255.255.0.0
[root@PCB root]# ifconfig
[root@PCB root]# route add default gw 10.66.1.2
[root@PCB root]# route

2. Double-click Router A and configure the router's interface IP addresses:
router>en
router#conf t
router(config)#hostname roa
roa(config)#int f0/0
roa(config-if)#ip address 10.65.1.2 255.255.0.0
roa(config-if)#no shutdown (the default is shutdown)
roa(config-if)#exit
roa(config)#int f0/1
roa(config-if)#ip address 10.66.1.2 255.255.0.0
roa(config-if)#no shut
roa(config)#int s0/0
roa(config-if)#ip address 10.67.1.2 255.255.0.0
roa(config-if)#no shut
roa(config-if)#clock rate 64000
roa(config)#int s0/1
roa(config-if)#ip address 10.68.1.2 255.255.0.0
roa(config-if)#no shut
roa(config-if)#exit
roa(config)#ip routing (off by default)

3. Check network connectivity
[root@PCA root]# ping 10.65.1.2 (succeeds) (ping own gateway)
[root@PCA root]# ping 10.66.1.2 (succeeds) (ping f0/1)
[root@PCA root]# ping 10.66.1.1 (succeeds) (ping PCB)
[root@PCA root]# ping 10.67.1.2 (fails) (port is down when nothing is connected)
[root@PCA root]# ping 10.68.1.2 (fails) (port is down when nothing is connected)
[root@PCB root]# ping 10.66.1.2 (succeeds) (ping own gateway)
[root@PCB root]# ping 10.65.1.2 (succeeds) (ping f0/0)
[root@PCB root]# ping 10.65.1.1 (succeeds) (ping PCA)
[root@PCB root]# ping 10.67.1.2 (fails) (port s0/0 is down when nothing is connected)
[root@PCB root]# ping 10.68.1.2 (fails) (port s0/1 is down when nothing is connected)
roa#ping 10.65.1.1 (succeeds) (ping PCA)
roa#ping 10.65.1.2 (succeeds) (ping f0/0)
roa#ping 10.66.1.1 (succeeds) (ping PCB)
roa#ping 10.66.1.2 (succeeds) (ping f0/1)
roa#ping 10.67.1.2 (fails) (port s0/0 is down when nothing is connected)
roa#ping 10.68.1.2 (fails) (port s0/1 is down when nothing is connected)

Now let's do a few small experiments:

(1) Shut down the router's interface f0/0
roa#conf t
roa(config)#int f0/0
roa(config-if)#shutdown
roa(config-if)#end
roa#ping 10.65.1.2 (fails; the port is down)
roa#show int f0/0 (f0/0 is down, line proto is down)
[root@PCA root]# ping 10.65.1.2 (fails)

Re-enable port f0/0:
roa(config)#int f0/0
roa(config-if)#no shut
roa(config-if)#end
roa#ping 10.65.1.2 (succeeds)

Unplug the cable between PCA and f0/0
roa#sh int f0/0 (f0/0 is up, line proto is down)
roa#ping 10.65.1.2 (fails)
roa#sh int s0/0 (s0/0 is down, line proto is down)
roa#sh int s0/1 (s0/1 is down, line proto is down) (state of a serial port with no cable attached)

(2) Turn off routing on the router
roa#conf t
roa(config)#no ip routing
[root@PCA root]# ping 10.65.1.2 (succeeds) (ping own gateway)
[root@PCA root]# ping 10.66.1.1 (fails) (the router can no longer forward)
[root@PCB root]# ping 10.66.1.2 (succeeds) (ping own gateway)
[root@PCB root]# ping 10.65.1.1 (fails) (the router can no longer forward)
A computer can still ping the router port it is attached to, but it cannot reach the computer on the far side, because after no ip routing the router no longer forwards packets.
Computer Networks Lab Manual
Faculty of Information Engineering and Automation, Kunming University of Science and Technology

Lab 2: Router Configuration and Switch Configuration

1. Lab objectives
Master the functions and features of routers and how to configure their interfaces;
Master Ethernet Interface configuration on the router series;
Master point-to-point interface configuration on the router series (connect the WAN ports of two routers with a DCE cable to simulate a DDN line, using HDLC framing);
Master router point-to-point interface configuration (using PPP framing);
Master methods for checking and verifying router interface configuration;

2. Preparation before the lab
Read the textbook chapters on the network layer and routing;
Read the content and procedure of this lab;
References: CCNA Lab Guide; CCNA 2.0 Chinese-edition textbook;

3. Lab content
Ethernet Interface configuration
Point-to-point interface configuration (HDLC framing)
Point-to-point interface configuration (PPP framing)

Part 1: Ethernet Interface configuration
Ethernet Interface configuration of RouterA (a Router 2611) in the "RouterSim-CCNA2" simulator view.

Basic commands:
enable (abbreviation: en): enter privileged EXEC mode from user EXEC mode
config terminal (abbreviation: config t): enter global configuration mode from privileged EXEC mode
hostname: rename the router; followed by the router's new name
interface (abbreviation: int): enter interface configuration mode; followed by the interface identifier
ip address: configure the network address; followed by the IP address and subnet mask
no shutdown: make sure the interface is not shut down
copy running-config startup-config (abbreviation: copy run start): very important; saves the running configuration file

Procedure
Configuration of RouterA

Router Con0 is now available
Press RETURN to get started.
Router> //now in user EXEC mode
Router>enable
//enter privileged EXEC mode
Router#config t
//enter global configuration mode
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname RouterA //set the router's name
RouterA(config)#interface e0
//select the Ethernet interface and enter interface configuration mode
RouterA(config-if)#ip address 11.11.11.1 255.255.255.0 //configure the IP address
RouterA(config-if)#no shutdown
//enable the interface
%LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0, changed state to up //the line protocol on Ethernet 0 is up
%LINK-3-UPDOWN: Interface Ethernet0, changed state to up //the interface itself is also up
RouterA(config-if)#end
//leave configuration mode
%SYS-5-CONFIG_I: Configured from console by console
RouterA#show interface e0
//display the interface's information
Ethernet0 is up, line protocol is up
  Hardware is Lance, address is 0000.0c8d.5c9d (bia 0000.0c8d.5c9d)
  Internet address is 11.11.11.1/24
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec, rely 255/255, load 1/255
  Encapsulation ARPA, loopback not set, keepalive set (10 sec)
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:00:07, output hang never
  Last clearing of "show interface" counters never
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.11.11.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
RouterA#copy running-config startup-config
Building configuration...