CISCO-CCNA实验指南.doc

l Telnet和ssh登录GNS3模拟1Telnetenconf tint f0/0ip address no shutexitenable password 123456789/设置特权exec密码service password-encryption/对密码进行加密/line vty 0 4password 123456789/虚拟终端密码login/允许登录或username liaozuobiao password yufanglin/本地用户名数据库设置密码line vty 0 4login local/2、sshenconf tint f0/0ip address no shutexitusername liaozuobiao secret yufanglinhostname R1/主机名 在ios设备上标注RSA密钥对时需要hostname和domain-nameip domain-name /域名ip ssh version 2crypto key generate rsa general-keys modulus 1024 /密钥类型和长度line vty 0 4login local/本地用户名数据库transport input ssh/使用ssh作为登录程序exit调试结果：在R2这个主机上键入命令l 端口安全特性Packet tracer 模拟配置命令：enconf tint f0/1switchport mode access /定义为主机访问端口，注意在trunk、EtherChannel端口上不起作用switchport access vlan 1switchport port-security/启动端口安全特性，这步很关键， Dont forget，因为默认是禁用的switchport port-security maximum 1 /设置接口关联最大设备数switchport port-security violation shutdown /设置违反安全性规则时接口应该干什么switchport port-security mac-address sticky /设置粘性学习调试：从主机0 ping 主机1，发现能够ping通然后将f0/1断开，接至主机2（未连接），如图：主机2 ping 主机1，不能够ping通，且端口f0/1自动关闭，要恢复的话先shutdown 再no shut发现端口恢复至开启状态。当违反端口安全性时，可以在配置模式下使用以下命令重新设置接口：errdisable recovery cause psecure-vialotionl VLAN和聚合gns3模拟R3：enconf tno ip routingint f0/0ip address no shutR4：enconf tno ip routingint f0/0ip address no shutR5：enconf tno ip routingint f0/0ip address no shutR6enconf tno ip routingint f0/0ip address no shutSW1：envlan databasevtp server/vtp sever模式vtp domain VtpSev/域名vtp password liaozuobiao/密钥vtp pruning/启动修剪vlan 10/vlan 20/创建vlanexitconf tint f0/0switchport mode access/接入模式switchport access vlan 10/将端口分配给vlan10int f0/1switchport mode accessswitchport access vlan 20int range f0/11 - 15switchport mode trunk/中继模式switchport trunk allowed vlan all/允许所有vlan通过switchport trunk native vlan 1/设置本地vlan/exitint range f0/11 - 15channel-protocol pagp/pagp聚合协议channel-group 1 mode on/配置端口聚合为打开模式或（gns3不能配置）exitlacp system-priority 100/设置系统优先级int range f0/11 - 15channel-protocol lacp/lacp聚合协议channel-group 1 mode active/启动端口聚合为积极模式lacp port-priority 100/端口优先级/SW2：envlan databasevtp clientvtp password liaozuobiaoexitconf tint f0/0switchport mode accessswitchport access vlan 10int f0/1switchport mode accessswitchport access vlan 20int range f0/11 - 15switchport mode trunkswitchport trunk allowed vlan allswitchport trunk native vlan 1/exitint range f0/11 - 15channel-protocol pagpchannel-group 1 mode on或exitlacp system-priority 100int range f0/11 - 15channel-protocol lacpchannel-group 1 mode activelacp port-priority 100/l 单臂路由Packet tracer 模拟交换机:enconf tint vlan 1ip address /设置管理地址no shutexitip default-gateway /设置默认网关int f0/1switchport mode accessswitchport access vlan 2int f0/2switchport mode accessswitchport access vlan 3int f0/3switchport mode trunk/设置端口模式为vlan中继路由器:enconf tint f0/1ip address no shutint f0/1.1/配置子接口encapsulation dot1q 2/封装802.1q协议 并设置与子接口相关联的vlan号ip address 0 /设置子接口ip地址int f0/1.2encapsulation dot1q 3ip address 0 int f0/0ip address no shut调试结果：从主机0 ping 主机1发现能够ping通，再从主机2 ping ip地址即交换机的管理地址发现可以ping通 所以在交换机上可以配置 telnet 或ssh登录，主机2充当管理角色，详见telnet登录配置。下面H3C路由器部分 配置：int f0/1ip address 24int f0/1.1ip address 0 24vlan-type dot1q vid 2/封装802.1q协议 并设置与子接口相关联的vlan号l DHCPGNS3模拟配置如下：enconf tservice dhcp/启动dhcp服务器特性ip dhcp pool pool1/创建一个地址池network /24/指定要分配给客户端的IP地址范围dns-server 53/将dns服务器地址分配给客户端netbios-name-server 53/将wins服务器地址分配给客户端default-router /将默认网关分配给客户端lease 6/设置租赁期import all/将为更高级别服务器导入的dhcp选项 即将isp的dhcp服务器选项导入exitip dhcp ping timeout 600 /设置服务器测试其地址池地址是否正在使用的等待应答时间ip dhcp excluded-address /设置排除地址范围ip dhcp excluded-address 53 54int f0/0ip address no shutend调试和实验结果：xp设置为自动获取ip地址,使用ipconfig/release 然后用ipconfig/renew再用 ipconfig/all开启dns服务器（在VMware虚拟机中的Windows Server 2003系统）发现获取的dns服务器地址 能够解析可以用clear ip dhcp binding 清除已分配的客户端地址，使其可以被其他设置为自动获取ip的暂无ip地址的客户端自动获取l NAT/NAPTPacket tracer 模拟配置：enconf tip nat inside source static 54 /定义nat静态转换int f0/0ip nat inside /在连接到内部的接口上指定insideint f0/1ip nat outside /在连接到外部的接口上指定outsideexitaccess-list 1 deny 54 /配置acl访问控制列表access-list 1 permit 55 ip nat pool nat_pool1 netmask /定义地址池ip nat inside source list 1 pool nat_pool1 overload /定义napt动态转换，若是nat无需overloadint f0/0ip nat insideint f0/1ip nat outside调试：在internet上的一台主机ping 内部服务器的内部全局地址如果是ping 发现不能ping通，原因是如果不是静态NAT，外部无法主动发起对内部主机的通信主机0 ping 外部主机则能够ping 通并且可用packet tracer的功能查看转换过程：使用 show ip nat translation 查看动态条目使用show ip nat statistics 查看地址转换统计信息另外，可以用 clear ip nat translation */inside/outside清除所有动态或指定条目下面是debug调试：l HDLC/PPPHDLC为默认封装。若配置为其他协议封转后，想使用hdlc，可以用在接口配置模式encapsulation hdlc /封装hdlc高级数据链路控制协议keepalive 10 /设置轮询时间间隔ppp封装pap认证：R0: /服务端enconf thostname R0 /配置路由器名称username R1 password cisco /配置本地用户，用户名称最好为对方路由器名称int s0/0/0encapsulation ppp/封装ppp协议ppp authentication pap /ppp验证为pap协议R1: /客户端enconf thostname R1int s0/0/0encap ppp /封装ppp协议ppp pap sent-username R1 password cisco /客户端提供服务端用于验证的用户名和密码结果为：两者通过验证，可以互相ping通ppp封装chap认证：chap:R0:enconf thostname R0username R1 password cisco /对端主机名作本地用户名int s0/0/0encap pppppp authentication chap /ppp验证为chap协议R1:enconf thostname R1username R0 password cisco /对端主机名作本地用户名int s0/0/0encap pppppp authentication chap /ppp验证为chap协议调试结果：l ACL访问控制列表标准acl限制对路由器vty的访问：enconf taccess-list 1 permit access-list 1 deny 55line vty 0 4password liaozuobiaoaccess-class 1 in/标准acl应用在vty上，若是out则唯一例外地把列表源ip当作目的ip对待在主机1上telnet在主机0上telnet扩展acl控制列表：R0:enconf thostname R0access-list 100 permit tcp host host established /允许.1到.2的返回tcp流量access-list 100 permit tcp host eq wwwaccess-list 100 permit icmp 55 echo-replyaccess-list 100 deny ip any anyint f0/1ip access-group 100 inexitline vty 0 4password yufanglinR1:enconf thostname R1line vty 0 4password liaozuobiaoexitip route 验证第一条acl：第一条acl的作用是允许到的返回tcp流量（即带有标志的tcp流量）所以，从telnet 然后从返回应答给是符合的，而从 直接telnet 的流量是不符合的验证第二条acl：只允许主机1 访问web 服务器：不允许其他主机访问web服务器验证第三条acl：只允许回送应答（echo-reply）进入接口，不允许之外的icmp消息进入（例如echo回送消息）即本例中只允许服务器 ping其他主机，不允许其他主机ping 路由器上ping服务器上ping其他主机主机 上ping以上的编号acl改为命名acl：enconf tip access-list standard do_not_enterpermit deny 55line vty 0 4password liaozuobiaoaccess-class do_not_enter inR0:enconf thostname R0ip access-list extended do_not_enterpermit tcp host host establishedpermit tcp host eq wwwpermit icmp 55 echo-replydeny ip any anyexitint f0/1ip access-group do_not_enter inexitline vty 0 4password yufanglinR1:enconf thostname R1line vty 0 4password liaozuobiaoexitip route l Frame Relay配置帧中继交换机：FrSwitch:enconf tframe-relay switching /将路由器配置为帧中继交换机int s1/0encapsulation frame-relay /封装帧中继clock rate 64000 /设置串口时钟速率frame-relay lmi-type cisco /设置帧中继的lmi类型frame-relay intf-type dce/设置帧中继接口类型frame-relay route 102 int s1/1 201 /配置帧中继DLCI路由frame-relay route 103 int s1/2 301no shutint s1/1encapsulation frame-relayclock rate 64000frame-relay lmi-type ciscoframe-relay intf-type dceframe-relay route 201 int s1/0 102frame-relay route 203 int s1/2 302no shutint s1/2encapsulation frame-relayclock rate 64000frame-relay lmi-type ciscoframe-relay intf-type dceframe-relay route 301 int s1/0 103frame-relay route 302 int s1/1 203no shut将第三层地址映射到本地DLCI号动态解析：R1:R2:R3:enconf tint s1/0encap frame-relayframe-relay lmi-type cisco /设置lmi类型frame-relay inverse-arp /逆向ARPint s1/0ip add no shutip add no shutip add no shut手动解析：R1:int s1/0no frame-relay inverse-arp /关闭帧中继逆向解析frame-relay map ip 102/建立手动解析映射frame-relay map ip 103R2:int s1/0no frame-relay inverse-arpframe-relay map ip 201frame-relay map ip 203R3:int s1/0no frame-relay inverse-arpframe-relay map ip 301frame-relay map ip 302配置有子接口的帧中继：多点子接口：R0:enconf tint s0/0/0encap frame-relay ietfframe-relay lmi-type ciscono shutexitint s0/0/0.1 multipoint /多点子接口ip address frame-relay interface-dlci 102/将DLCI关联到子接口 多点子接口上可分配多个DLCIframe-relay interface-dlci 103exitrouter ripnetwork network R1:enconf tint s0/0/0encap frame-relay ietfframe-relay lmi-type ciscono shutexitint s0/0/0ip address no shutexitip route /解决水平分割问题而采用静态路由的方法router ripnetwork network R2:enconf tint s0/0/0encap frame-relay ietfframe-relay lmi-type ciscono shutexitint s0/0/0ip address no shutexitip route router ripnetwork network 主机1上ping主机2：点对点子接口：R1、R2取消静态路由，其他保持不变。使用点对点子接口从而克服了rip等路由协议的水平分割问题。点对点子接口：R0:enconf tint s0/0/0encap frame-relay ietfframe-relay lmi-type ciscono shutexitint s0/0/0.1 point-to-point/点对点子接口ip address frame-relay interface-dlci 102 /为不同的子接口分配不同的DLCI，并分配不同网段的ipint s0/0/0.2 point-to-pointip address frame-relay interface-dlci 103exitrouter ripnetwork network network R1:enconf tint s0/0/0encap frame-relay ietfframe-relay lmi-type ciscono shutexitint s0/0/0ip address no shutexitrouter ripnetwork network R2:enconf tint s0/0/0encap frame-relay ietfframe-relay lmi-type ciscono shutexitint s0/0/0ip address no shutexitrouter ripnetwork network 从主机2ping主机1发现可以ping通l ISDN/DCCboson模拟器模拟Router1:enconf tisdn switch-type basic-net3 /设置交换机类型为basic-net3int bri 0/0ip add encap pppdialer string 8281391 /设置拨号串dialer-group 1 /设置拨号组号为1，把BRI0接口与拨号列表1相关联isdn spid1/设置spid1no shutexitdialer-list 1 protocol ip permit /设置拨号列表1Router2:enconf tisdn switch-type basic-net3int bri 0/0ip add encap pppdialer string 8828316dialer-group 1isdn spid1o shutexitdialer-list 1 protocol ip permitl RIP路由协议Packet tracer模拟配置：其他ip地址配置略RTA:enconf troute rip/启动rip路由选择协议 ，rip是有类协议network /设置哪些接口参与路由选择进程network network version 2/设置版本no auto-summary /关闭路由协议自动聚合功能，不连续网段的路由汇总会出错RTB:enconf troute ripnetwork network version 2no auto-summarypassive-interface f0/0 /设置f0/0为被动接口 不发送rip协议报文，但接收RTC:enconf troute ripnetwork network version 2no auto-summarypassive-interface f0/0RTD:enconf troute ripnetwork network version 2no auto-summarypassive-interface f0/0调试结果：在PCB上ping PCDl EIGRP路由协议PC1:enconf thostname PC1no ip routingint f0/0ip address no shutexitip default-gateway PC2:enconf thostname PC2no ip routingint f0/0ip address no shutexitip default-gateway PC3:enconf thostname PC3no ip routingint f0/0ip address no shutexitip default-gateway R1:enconf thostname R1int f0/0ip address no shutint f0/1ip address no shutint f1/0ip address no shutexitrouter eigrp 100 /进入eigrp的子配置模式network /配置接口相连的网络network 55network 55key chain R1Chain /创建密钥链 指定密钥名称key 1 /指定密钥号 相邻路由器必须相同key-string 0123456789 /指定密钥字符串 相邻路由器必须相同int f0/1ip authentication mode eigrp 100 md5 /在接口上为特定AS启用MD5身份验证ip authentication key-chain eigrp 100 R1Chain /在接口上启用密钥链int f1/0ip authentication mode eigrp 100 md5ip authentication key-chain eigrp 100 R1ChainR2:enconf thostname R2int f0/0ip address no shutint f0/1ip address no shutexitrouter eigrp 100network network 55key chain R2Chainkey 1key-string 0123456789int f0/1ip authentication mode eigrp 100 md5ip authentication key-chain eigrp 100 R2ChainR3:enconf thostname R3int f1/0ip address no shutint f0/0ip address no shutexitrouter eigrp 100network network 55l OSPF路由选择协议R1:enconf thostname R1router ospf 1 /配置路由选择进程 process_ID 在不同路由器之间不需匹配area 1 authentication message-digest /配置区域级身份验证，若有接口设置，则接口设置优先network 55 area 0 /配置接口相连子网 并将接口放在相应区域network 55 area 1int s0/0/1ip ospf authentication-key 123456 /OSPF身验认证，在接口上设置ip ospf authentication /认证方式为明文认证int f0/0ip ospf message-digest-key 1 md5 liao /认证方式为MD5认证R2:enconf thostname R2router ospf 1network 55 area 0network 55 area 2int s0/0/0ip ospf authentication-key 123456ip ospf authentication message-digestR3:enconf thostname R3router ospf 1area 1 authentication message-digestnetwork 55 area 1network 55 area 1passive-interface f0/1int f0/0ip ospf message-digest-key 1 md5 liaoR4:enconf thostname R4router ospf 1network 55 area 2network 55 area 2passive-int f0/1l VPN虚拟专用网GNS3模拟首先，配置帧中继（此处略，参考帧中继Frame Relay实验）网络通后再配置VPNR1:enconf tcrypto isakmp policy 1/配置IKE策略1encryption 3des/设置加密算法为3desauthentication pre-share/IKE策略1的验证方法设为pre-sharegroup 2/1024位Diffie-Hellmanexitcrypto isakmp key test123 address /设置与共享密钥为test123crypto ipsec transform-set VPNtag ah-md5-hmac esp-des/创建交换集 设AH 和DESendconf tcrypto map VPNdemo 10 ipsec-isakmp/定义保密映射，创建保密图set peer /设置隧道对端IP地址set transform-set VPNtag/指定要使用的交换集match address 101/授权保密列表来确定受保护的流量int tunnel 0/定义隧道接口ip address /设置隧道IPtunnel source /设置隧道源地址tunnel destination /隧道目的端地址crypto map VPNdemo/应用保密图于此接口no shutexitip route /设置默认路由ip route /设置到网段的路由access-list 101 permit gre host host /定义存取列表int s1/0crypto map VPNdemo /应用保密图于此接口R2:enconf tcrypto isakmp policy 1encryption 3desauthentication pre-sharegroup 2exitcrypto isakmp key test123 address crypto ipsec transform-set VPNtag ah-md5-hmac esp-desendconf tcrypto map VPNdemo 10 ipsec-isakmpset peer set transform-set VPNtagmatch address 101int tunnel 0ip address tunnel source tunnel destination crypto map VPNdemono shutexitip route ip route access-list 101 permit gre host host int s1/0crypto map VPNdemo测试结果：2、Packet tracer 5.3模拟R1:enconf tcrypto isakmp policy 1encryption 3desauthentication pre-sharegroup 2exitcrypto isakmp key test123 address crypto ipsec transform-set VPNtag ah-md5-hmac esp-desendconf tcrypto map VPNdemo 10 ipsec-isakmpset peer set transform-set VPNtagmatch address 101int tunnel 0ip address tunnel source s0/1/0tunnel destin