神州数码路由交换配置命令(全过程).doc

路由sshaaa authentication login ssh localaaa authentication enable default enableenable password 0 123456 username admin password 0 123456 ip sshd enableip sshd auth-method sship sshd auth-retries 5ip sshd timeout 60TELNETR1_config#aaa authentication login default localR1_config#aaa authentication enable default enable R1_config#enable password 0 ruijieR1_config#line vty 0 4R1_config_line#login authentication defaultR1_config_line#password 0 cisco方法2，不需要经过3A认证R1_config#aaa authentication login default noneR1_config#aaa authentication enable default enableR1_config#enable password 0 ciscoR1_config#line vty 0 4R1_config_line#login authentication defaultCHAP认证 单向认证，密码可以不一致R2_config#aaa authentication ppp test localR2_config#username R2 password 0 123456R2_config_s0/2#enc pppR2_config_s0/2#ppp authentication chap testR2_config_s0/2#ppp chap hostname R1R1_config#aaa authentication ppp test localR1_config#username R1 password 0 123456R1_config_s0/1#enc pppR1_config_s0/1#ppp authentication chap testR1_config_s0/1#ppp chap hostname R2pap认证 双向认证，密码要求一致R2_config#aaa authentication ppp test localR2_config#username R2 password 0 123456R2_config_s0/2#enc pppR2_config_s0/2#ppp authentication pap testR2_config_s0/2#ppp pap sent-username R1 password 123456R1_config#aaa authentication ppp test localR1_config#username R1 password 0 123456R1_config_s0/1#enc pppR1_config_s0/1#ppp authentication pap testR1_config_s0/1#ppp pap sent-username R2 password 123456FRRouter-A_config_s1/1#encapsulation frame-relay ！封装帧中继协议 Router-A_config_s1/1#frame-relay local-dlci 17 ！设置本地 DLCI 号 Router-A_config_s1/1# frame-relay intf-type dce ！配置 FR的 DCE Router-A_config_s1/1# frame-relay map 192.168.1.2 pvc 17 broadcast ！配置 DLCI 与对端 IP的映射 VrrpInt g0/4vrrp 1 associate 192.168.20.254 255.255.255.0 vrrp 1 priority 120 设置优先级，为主vrrp 1 preempt 开启抢占 vrrp 1 track interface Serial0/1 30 追踪上行接口，防止上行接口DOWN了，自动降低优先级Int g0/6vrrp 1 associate 192.168.20.254 255.255.255.0 vrrp 1 priority 100 设置优先级，为备，默认为100vrrp 1 preempt 开启抢占 vrrp 1 track interface Serial0/2 30 追踪上行接口，防止上行接口DOWN了，自动降低优先级RIP 验证，只有V2支持验证interface Serial0/2 接口起验证和配密码 ip rip authentication simple ip rip password 123456RIP改单播router ripnei 192.168.1.1 RIP定时器router riptimers update 10 更新时间timers exipire 30 失效时间timers hosddown 50 抑制时间ospfrouter os 1net 192.168.1.0 255.255.255.0 ar 0 不能写32位掩码OSPF 虚链路ROUTER OS 2 进程起用AR 1 VI 2.2.2.2 对方ROUTER-IDOSPF 汇总ROUTER OS 2 进程起用ar 0 range 192.168.0.0 255.255.252.0OSPF 验证ROUTER OS 2 明文AR 0 AUTHEN SP 进程给需要验证的区域启用验证 INT S0/1IP OS passw 123456 接口配置密码密文router os 2ar 0 authen meint s0/1ip os me 1 md5 123456bgp router bgp 100 no synchronization bgp全互联必须要关闭同步检查nei 192.168.12.1 remot 200 与AS外部路由建立邻居 nei 2.2.2.2 remot 100 与AS内部路由建立邻居nei 2.2.2.2 up lo0 改更新接口为环回接口nei 2.2.2.2 next-hop-self 改下一跳为自己net 2.2.2.0 通告路由表里面有的路由ACL路由上面的ACL要写子网掩码,不能写反掩码！基于时间的ACLtime-range acl 定义一个时间范围 periodic weekdays 09:00 to 12:00 periodic weekdays 14:00 to 17:00IP accesslist extended time 写一个基于时间的acl，调用时间段 deny ip 192.168.10.0 255.255.255.0 any time-range acl permit ip any anyint g0/4 应用到接口ip access-group time inint g0/6ip access-group time in静态NATip route 0.0.0.0 0.0.0.0 192.168.12.2ip nat inside source static 192.168.10.10 192.168.12.1int g0/6ip nat inints0/1ip nat outNAPTip access-list standard NAT 定义要转换的IP网段 permit 192.168.10.0 255.255.255.0ip nat pool NAT 192.168.23.10 192.168.23.20 255.255.255.0 创建转换的IP地址池ip nat inside source list NAT pool NAT overload 关联要转换的IP网段和地址池 ip route default 192.168.23.3 写一条缺省路由，下一跳为出口网关的下一跳router rip 如果跑路由协议，要把缺省重分发到动态路由 redistribute static interface Serial0/1 运用到内网接口 ip nat inside interface Serial0/2 运用到外网接口 ip nat outsideroute-mapip acce sta acl 定义要匹配的流量per 192.168.20.0 255.255.255.0 route-map SHENMA 10 permit ma ip add acl 调用ACLset ip next-hop 192.168.12.1 改下一跳int g0/3ip po route-map SHENMA 定义到原接口DHCP给路由接口分配IP，不能是S口！R1ip dhcpd enableip dhcpd pool 1 network 192.168.12.0 255.255.255.0 range 192.168.12.10 192.168.12.20R2interface GigaEthernet0/6 ip address dhcp给PC分配IP,底层网络要起路由互通！实验全网起了RIP协议R1ip dhcpd enableip dhcpd pool 2 network 192.168.1.0 255.255.255.0 range 192.168.1.10 192.168.1.20 default-router 192.168.1.1R2ip dhcpd enable 要开启DHCP服务！interface GigaEthernet0/4 ip address 192.168.1.1 255.255.255.0 ip helper-address 192.168.12.2 设置DHCP服务器IPVPN （GRE）int t0ip add 172.168.10.1 255.255.255.0 给T0配IPt so s0/2 源，路由的出接口t de 192.168.23.3 目的，对端的出接口IP，注意，要可达t key 123456 T0口密码，两端要一致exitip route 192.168.20.0 255.255.255.0 t0 用T0口写一条要到达网段的静态路由int t0ip add 172.168.10.3 255.255.255.0t so s0/1t de 192.168.12.1t key 123456exitip route 192.168.10.0 255.255.255.0 t0VPN (IPSEC)R1crypto ipsec transform-set SHENMA 设置转换集 transform-type esp-des esp-md5-hmac 转换集的加密方式ip access-list extended 100 匹配感兴趣流 permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0crypto map HAN 10 ipsec-isakmp set peer 192.168.23.3 设置对等体 set transform-set SHENMA 关联转换集 match address 100 关联感兴趣流interface Serial0/2 进接口调用 crypto map HANR3crypto ipsec transform-set SHENMA 设置转换集 transform-type esp-des esp-md5-hmac 转换集的加密方式,两端要一致ip access-list extended 100 匹配感兴趣流 permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0crypto map HAN 10 ipsec-isakmp set peer 192.168.12.1 设置对等体 set transform-set SHENMA 关联转换集 match address 100 关联感兴趣流interface Serial0/1 进接口调用 crypto map HAN VPN (IKE)crypto isakmp key SHENMA 192.168.23.3 255.255.255.0 设置公共用密钥crypto isakmp policy 10 设置IKE策略 hash md5 au pre enc des group 1 lifetime 86400 crypto ipsec transform-set SHENMA 设置转换集transform-type esp-Des esp-Md5-hmacip access-list extended 100 匹配感兴趣流 permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0crypto map SHENMA 10 ipsec-isakmp 设置IPSEC加密映射 set peer 192.168.23.3 set transform-set SHENMA match address 100int s0/2 调用到接口crypto map SHENMAQOSint g0/4ip add 192.168.10.1 255.255.255.0no shutint g0/6ip add 192.168.20.1 255.255.255.0no shutint s0/1ip add 192.168.12.1 255.255.255.0phy spe 64000no shutip route 0.0.0.0 0.0.0.0 192.168.12.2 ip access-list ex 1 定义ACL抓取流量permit ip 192.168.10.0 255.255.255.0 2.2.2.0 255.255.255.0ip access-list ex 2permit ip 192.168.20.0 255.255.255.0 2.2.2.0 255.255.255.0priority 1 protocol ip high list 1 写一个IP协议的优先列表，调用ACL 1里面的地址，级别为HIGH priority 1 protocol ip low list 2 写一个IP协议的优先列表，调用ACL 2里面的地址，级别为LOW int s0/1 进接口调用priority 1 交换banner motd 系统登录标题telnettelnet-server enable 开启TELNETtelnet-server max-connection 16 最大连接数sshusername ssh password 0 123456 ssh-server enable 开启SSHssh-server timeout 60 连接超时时间ssh-server max-connection 16 最大连接数ssh-server authentication-retries 5 重连次数ssh-server host-key create rsa 创建新的主机密钥vrrp1，首先要给所有的VLAN配上IPINT VLAN 10IP ADD 192.168.10.1 255.255.255.0NO SHUT2，创建一个VRRP组ROUTER VRRP 10VIRTUAL-IP 192.168.10.254 给虚拟IPINT VLAN 10 关联VLANPRIORITY 120 给优先级（默认100）ENABLE 激活STPSW1spanning-tree 开启STPspanning-tree mode mstp 改为MSTP模式spanning-tree mst configurtaion 配置域name shenma 域名revision-level 3 修正级别instance 1 vlan 10;20 在实例里面关联VLANinstance2 vlan 30;40 exitspanning-tree mst 1 priority 4096 给实例配置优先级，越小的级别越高spanning-tree mst 2 priority 8192SW2spanning-tree 开启STPspanning-tree mode mstp 改为MSTP模式spanning-tree mst configurtaion 配置域name shenma 域名revision-level 3 修正级别instance 1 vlan 10;20 在实例里面关联VLANinstance2 vlan 30;40 exitspanning-tree mst 1 priority 8192 给实例配置优先级，越小的级别越高spanning-tree mst 2 priority 4096SW21spanning-tree 开启STPspanning-tree mode mstp 改为MSTP模式spanning-tree mst configurtaion 配置域name shenma 域名revision-level 3 修正级别instance 1 vlan 10;20 在实例里面关联VLANinstance2 vlan 30;40 AM端口安全am enableint e1/0/1am port am mac-ip-pool 0000.1111.2222 192.168.10.1端口镜像monitor session 1 source int e1/0/1 bothmonitor session 1 destination int e1/0/15RIPRouter rip Net 192.168.1.0/24Router os 1Net 192.168.1.0 0.0.0.255 ar 0AclFirewall enableIp access-list ex 100Perip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 单臂路由R1 int g0/5no shutinterface GigaEthernet0/5.1 encapsulation dot1Q 100 ip address 192.168.10.1 255.255.255.0interface GigaEthernet0/5.2 encapsulation dot1Q 200 ip address 192.168.20.1 255.255.255.0interface GigaEthernet0/5.3 encapsulation dot1Q 300 ip address 192.168.30.1 255.255.255.0SW1vlan 100 sw int e1/0/1-2vlan 200 sw int e1/0/3-4vlan 300 sw int e1/0/5-6int e1/0/20sw mo trsw tr all vlan all端口聚合PORT-GROUP 1 创建一个组INT E1/0/17-18 聚合端口要设置为TRUNK SW MO TR SW TR ALL VLAN ALL PORT-GROUP 1 MO ON 设置聚合端口的模式为自动匹配EXITINT PORT-CHANNAL 1 进入聚合端口配置模式，也要设置为TRUNKSW MO TR SW TR ALL VLAN ALLEXITdhcpSERV DHCP 开启DHCP服务IP DHCP POOL VLAN10 创建地址池NETW 192.168.10.0 255.255.255.0def 192.168.10.1le 2dns 8.8.8.8ip dhcp ex 192.168.10.1 192.168.10.10 排除地址范围dhcp 中继serv dhcpip for udp bootint vlan 10ip he 192.168.12.2dhcp snoopingserv dhcp 开启DHCP服务ip dhcp snooping enable 开启DHCP SNOOPING 功能ip dhcp snooping binding enable 开启 SNOOPING 绑定功能int e1/0/20 ip dhcp snooping trust 设置接口为信任接口，一般是与服务器相连的接口int e1/0/1 ip dhcp snooping binding user-control 设置端口自动绑定获取DHCP的地址设置端口手动绑定MAC,VLAN,IP,端口信息（全局模式） ip dhcp snooping binding user 00-11-22-33-44-55 address 192.168.22.22 vlan 1 int e1/0/5 ipv66 to 4greipv6 unicast-routing 允许单播路由interface Tunnel0 ipv6 enable 开启IPV6 ipv6 address 2001:23:1/64 tunnel source 192.168.12.1 本端接口地址 tunnel destination 192.168.12.2 对端接口地址 tunnel mode gre ip 隧道模式改为GRE tunnel key 123456 隧道密码，两端一致ipv6 route 3:/64 Tunnel0 写一条下一跳为TUNNEL 0的IPV6静态，不能写默认静态natInternet(config)#ip route 0.0.0.0 0.0.0.0 fa0/1 ipv4网络要可达NAT-PT(config)#ip route 0.0.0.0 0.0.0.0 fa0/1NAT-PT(config)#ipv6 nat prefix 2001:db8:feed:/96 设置一个全局NAT前缀，掩码必须96位 NAT-PT(config)#ipv6 nat v4v6 source 10.10.10.2 2001:db8:feed:2 写4 TO 6 地址转换，需要到达的地址都要写, 不需要与本地同一网段NAT-PT(config)#ipv6 nat v4v6 s