CCNA安全- snp ssh syslog 翻译.docx (page 1)
PT Activity: Configure Cisco Routers for Syslog, NTP, and SSH Operations

Addressing Table

| Device | Interface    | IP Address | Subnet Mask | Default Gateway | Switch Port |
| R1     | FA0/1        |            |             | N/A             | S1 FA0/5    |
| R1     | S0/0/0 (DCE) |            | 52          | N/A             | N/A         |
| R2     | S0/0/0       |            | 52          | N/A             | N/A         |
| R2     | S0/0/1 (DCE) |            | 52          | N/A             | N/A         |
| R3     | FA0/1        |            |             | N/A             | S3 FA0/5    |
| R3     | S0/0/        |            | 52          | N/A             | N/A         |
| PC-A   | NIC          |            |             |                 | S1 FA0/6    |
| PC-B   | NIC          |            |             |                 | S2 FA0/18   |
| PC-C   | NIC          |            |             |                 | S3 FA0/6    |

(The IP address, subnet mask and PC default gateway values are not present in this copy of the lab; only the trailing "52" of the serial-link masks survives.)

Learning Objectives

- Configure routers as NTP clients.
- Configure routers to update the hardware clock using NTP.
- Configure routers to log messages to the syslog server.
- Configure routers to timestamp log messages.
- Configure local users.
- Configure VTY lines to accept SSH connections only.
- Configure RSA key pair on SSH server.
- Verify SSH connectivity from PC client and router client.

Introduction

The network topology shows three routers. You will configure NTP and Syslog on all routers. You will configure SSH on R3.

Network Time Protocol (NTP) allows routers on the network to synchronize their time settings with an NTP server. A group of NTP clients that obtain time and date information from a single source have more consistent time settings, and the Syslog messages they generate can be analyzed more easily. This helps when troubleshooting network problems and attacks. When NTP is implemented in the network, it can be set up to synchronize to a private master clock or to a publicly available NTP server on the Internet.

The NTP Server is the master NTP server in this lab. You will configure the routers to allow the software clock to be synchronized by NTP to the time server. Also, you will configure the routers to periodically update the hardware clock with the time learned from NTP. Otherwise, the hardware clock will tend to gradually lose or gain time (drift), and the software clock and hardware clock may become out of synchronization with each other.

The Syslog Server will provide message logging in this lab. You will configure the routers to identify the remote host (Syslog server) that will receive logging messages.

You will need to configure timestamp service for logging on the routers. Displaying the correct time and date in Syslog messages is vital when using Syslog to monitor a network. If the correct time and date of a message is not known, it can be difficult to determine what network event caused the message.

R2 is an ISP connected to two remote networks: R1 and R3. The local administrator at R3 can perform most router configurations and troubleshooting; however, since R3 is a managed router, the ISP needs access to R3 for occasional troubleshooting or updates. To provide this access in a secure manner, the administrators have agreed to use Secure Shell (SSH).

You use the CLI to configure the router to be managed securely using SSH instead of Telnet. SSH is a network protocol that establishes a secure terminal emulation connection to a router or other networking device. SSH encrypts all information that passes over the network link and provides authentication of the remote computer. SSH is rapidly replacing Telnet as the remote login tool of choice for network professionals.

The servers have been pre-configured for NTP and Syslog services respectively. NTP will not require authentication.
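The point about timestamps can be checked mechanically when the logs reach the Syslog server. The following Python script is an added example, not part of the lab or of Cisco's tooling: it parses console/syslog lines in the format that IOS produces once timestamping is enabled (the `service timestamps log datetime msec` command is assumed here as the way Task 1 is completed), classifies each line by whether the router's clock was NTP-synchronized when it wrote the message (IOS prefixes the timestamp with `*` when the clock is not authoritative and with `.` when authoritative time has been lost), and picks out the configuration-change messages that entering and leaving global configuration mode generates. The sample log lines and the 192.0.2.x addresses are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of router syslog output in the format produced by
# "service timestamps log datetime msec" (addresses are documentation-range
# placeholders, not the lab's). Line 1 comes from a router whose clock has never
# synchronized to NTP, line 3 from one that has lost synchronization, and line 4
# from a router with no timestamp service at all.
SAMPLE_LOG = """\
*Mar  1 00:01:12.345: %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.10)
Oct 12 14:03:55.120: %SYS-5-CONFIG_I: Configured from console by SSHadmin on vty0 (192.0.2.10)
.Oct 12 14:10:01.004: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to down
%SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.0.2.20 started - CLI initiated
"""

# IOS marks the timestamp: "*" = clock not authoritative (never synchronized to NTP),
# "." = clock authoritative but NTP synchronization since lost, no prefix = synchronized.
_TS_RE = re.compile(
    r"^(?P<flag>[*.]?)"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{3})?)"
    r"(?: [A-Z]{3,5})?"  # optional zone name when "show-timezone" is configured
    r": (?P<body>%.*)$"
)
# %FACILITY-SEVERITY-MNEMONIC: text
_MSG_RE = re.compile(
    r"^%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)
_CLOCK_STATE = {"": "synchronized", "*": "not-authoritative", ".": "lost-sync"}


@dataclass
class SyslogEvent:
    timestamp: Optional[str]
    clock_state: str  # synchronized | not-authoritative | lost-sync | no-timestamp
    facility: str
    severity: int
    mnemonic: str
    text: str


def parse_line(line: str) -> Optional[SyslogEvent]:
    """Parse one syslog line; return None for blank or unrecognised lines."""
    line = line.strip()
    m = _TS_RE.match(line)
    if m:
        ts, state, body = m.group("ts"), _CLOCK_STATE[m.group("flag")], m.group("body")
    else:
        ts, state, body = None, "no-timestamp", line
    mm = _MSG_RE.match(body)
    if not mm:
        return None
    return SyslogEvent(ts, state, mm.group("facility"), int(mm.group("severity")),
                       mm.group("mnemonic"), mm.group("text"))


def parse_log(text: str) -> List[SyslogEvent]:
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]


def unreliable_timestamps(events: List[SyslogEvent]) -> List[SyslogEvent]:
    """Events whose time cannot be correlated with other devices: no timestamp,
    clock never synchronized, or synchronization lost."""
    return [ev for ev in events if ev.clock_state != "synchronized"]


def config_changes(events: List[SyslogEvent]) -> List[SyslogEvent]:
    """SYS-5-CONFIG_I events: the informational message that entering and
    leaving global configuration mode generates."""
    return [ev for ev in events if ev.facility == "SYS" and ev.mnemonic == "CONFIG_I"]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev in evs:
        print(f"{ev.clock_state:17} {ev.timestamp or '-':22} %{ev.facility}-{ev.severity}-{ev.mnemonic}")
    print(f"{len(unreliable_timestamps(evs))} of {len(evs)} events have unreliable timestamps")
```

Run against the sample, three of the four events are flagged: two because the router was not (or no longer) synchronized to NTP and one because no timestamp service was configured at all. Only the second line could be placed confidently on a timeline shared with the other routers, which is exactly why the lab enables NTP and timestamps on every device before looking at the Syslog server.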
The routers have been pre-configured with the following:

- Enable password: ciscoenpa55
- Password for vty lines: ciscovtypa55
- Static routing

Task 1: Configure routers as NTP Clients.

Step 1. Test Connectivity.
Ping from PC-C to R3.
Ping from R2 to R3.
Telnet from PC-C to R3.
Telnet from R2 to R3.

Step 2. Configure R1, R2 and R3 as NTP clients.
Verify client configuration using the command show ntp status.

Step 3. Configure routers to update hardware clock.
Configure R1, R2 and R3 to periodically update the hardware clock with the time learned from NTP.
Verify that the hardware clock was updated using the command show clock.

Step 4. Configure routers to timestamp log messages.

Step 5. Configure timestamp service for logging on the routers.

Task 2: Configure routers to log messages to the Syslog Server.

Step 1. Configure the routers to identify the remote host (Syslog Server) that will receive logging messages.
The router console will display a message that logging has started.

Step 2. Verify logging configuration using the command show logging.

Step 3. Examine logs of the Syslog server.
From the Config tab of the Syslog server's dialogue box, select the Syslog services button. Observe the logging messages received from the routers.
Note: Log messages can be generated on the server by executing commands on the router. For example, entering and exiting global configuration mode will generate an informational configuration message.

Task 3: Configure R3 to support SSH connections.

Step 1. Configure a domain name.
Configure a domain name on R3.

Step 2. Configure users for login from the SSH client on R3.
Create a user ID of SSHadmin with the highest possible privilege level and a secret password of ciscosshpa55.

Step 3. Configure the incoming VTY lines on R3.
Use the local user accounts for mandatory login and validation. Accept only SSH connections.

Step 4. Erase existing key pairs on R3.
Any existing RSA key pairs should be erased on the router.
Note: If no keys exist, you might receive this message: % No Signature RSA Keys found in configuration.

Step 5. Generate the RSA encryption key pair for R3.
The router uses the RSA key pair for authentication and encryption of transmitted SSH data. Configure the RSA keys with a modulus of 1024. The default is 512, and the range is from 360 to 2048.

    R3(config)# crypto key generate rsa
    The name for the keys will be: R3
    Choose the size of the key modulus in the range of 360 to 2048 for your
      General Purpose Keys. Choosing a key modulus greater than 512 may take
      a few minutes.

    How many bits in the modulus [512]: 1024
    % Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

Note: The command to generate RSA encryption key pairs for R3 in Packet Tracer differs from those used in the lab.

Step 6. Verify the SSH configuration.
Use the show ip ssh command to see the current settings. Verify that the authentication timeout and retries are at their default values of 120 and 3.

Step 7. Configure SSH timeouts and authentication parameters.
The default SSH timeouts and authentication parameters can be altered to be more restrictive. Set the timeout to 90 seconds, the number of authentication retries to 2, and the version to 2.
Issue the show ip ssh command again to confirm that the values have been changed.

Step 8. Attempt to connect to R3 via Telnet from PC-C.
Open the Desktop of PC-C. Select the Command Prompt icon. From PC-C, enter the command to connect to R3 via Telnet.

    PC> telnet

This connection should fail, since R3 has been configured to accept only SSH connections on the virtual terminal lines.

Step 9. Connect to R3 using SSH on PC-C.
Open the Desktop of PC-C. Select the Command Prompt icon. From PC-C, enter the command to connect to R3 via SSH. When prompted for the
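Whether a router really meets every requirement of Tasks 1 to 3 can be checked against its running configuration rather than by reading show output by hand. The Python auditor below is an added example, not the lab's answer key or a Cisco tool: it splits a running-config into global commands and the `line vty` sub-commands, then tests one regular expression per lab requirement. The two sample configurations are constructed for the example; the IOS commands they contain (`ntp server`, `ntp update-calendar`, `service timestamps log datetime`, `logging host`, `ip domain-name`, `username ... privilege 15 secret`, `login local`, `transport input ssh`, `ip ssh time-out`, `ip ssh authentication-retries`, `ip ssh version 2`) are the standard IOS commands for these steps but are assumed here, and the server addresses (192.0.2.x) and domain name (example.invalid) are placeholders, since this copy of the lab does not state them.

```python
import re
from typing import Dict, List, Tuple

# Constructed running-config excerpt for R3 after the lab (example input, not the
# lab's answer key). The NTP/Syslog server addresses (192.0.2.x) and the domain name
# are placeholders; the user name and secret are the ones the lab specifies.
HARDENED_R3 = """\
hostname R3
service timestamps log datetime msec
ip domain-name example.invalid
username SSHadmin privilege 15 secret ciscosshpa55
ntp server 192.0.2.5
ntp update-calendar
logging host 192.0.2.6
ip ssh time-out 90
ip ssh authentication-retries 2
ip ssh version 2
line vty 0 4
 login local
 transport input ssh
"""

# The same router as pre-configured before the lab: only the enable and vty passwords
# the lab gives, Telnet still accepted on the VTY lines, no NTP, Syslog or SSH settings.
WEAK_R3 = """\
hostname R3
enable secret ciscoenpa55
line vty 0 4
 password ciscovtypa55
 login
 transport input telnet ssh
"""

# (requirement as stated by the lab step, config section, regex one line must match)
REQUIREMENTS: List[Tuple[str, str, str]] = [
    ("NTP client configured (Task 1, Step 2)", "global", r"^ntp server \S+"),
    ("hardware clock updated from NTP (Task 1, Step 3)", "global", r"^ntp update-calendar$"),
    ("log messages timestamped (Task 1, Step 4)", "global", r"^service timestamps log datetime"),
    ("Syslog server configured (Task 2, Step 1)", "global", r"^logging (host )?\d+\.\d+\.\d+\.\d+"),
    ("domain name set (Task 3, Step 1)", "global", r"^ip domain-name \S+"),
    ("SSHadmin has privilege 15 and a secret (Task 3, Step 2)", "global",
     r"^username SSHadmin privilege 15 secret \S+"),
    ("VTY login uses local accounts (Task 3, Step 3)", "vty", r"^login local$"),
    ("VTY accepts SSH only (Task 3, Step 3)", "vty", r"^transport input ssh$"),
    ("SSH timeout is 90 s (Task 3, Step 7)", "global", r"^ip ssh time-out 90$"),
    ("SSH authentication retries is 2 (Task 3, Step 7)", "global", r"^ip ssh authentication-retries 2$"),
    ("SSH version 2 only (Task 3, Step 7)", "global", r"^ip ssh version 2$"),
]


def parse_config(text: str) -> Dict[str, List[str]]:
    """Split a running-config into top-level commands and the sub-commands of 'line vty'."""
    sections: Dict[str, List[str]] = {"global": [], "vty": []}
    current = "global"
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):            # a new top-level command
            if raw.startswith("line vty"):
                current = "vty"
            else:
                current = "global"
                sections["global"].append(raw.strip())
        elif current == "vty":                 # indented sub-command under line vty
            sections["vty"].append(raw.strip())
    return sections


def audit(config_text: str) -> List[str]:
    """Return the lab requirements the configuration fails; an empty list means compliant."""
    sections = parse_config(config_text)
    return [desc for desc, section, pattern in REQUIREMENTS
            if not any(re.match(pattern, line) for line in sections[section])]


if __name__ == "__main__":
    for name, cfg in (("pre-lab R3", WEAK_R3), ("post-lab R3", HARDENED_R3)):
        failures = audit(cfg)
        print(f"{name}: {'compliant' if not failures else str(len(failures)) + ' failure(s)'}")
        for f in failures:
            print("  -", f)
```

The pre-lab configuration fails all eleven checks, the most consequential being `transport input telnet ssh` on the VTY lines, which is why the Telnet attempt in Step 8 would still succeed before Task 3 is done. One thing the auditor cannot see is the RSA modulus from Step 5, because generated keys are not printed in the running-config text; that remains a `show ip ssh` check as in Step 6.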
