mirror of https://github.com/gnu4cn/ccna60d.git synced 2024-05-21 04:55:00 +08:00
This commit is contained in:
Peng Hailin 2022-05-26 10:54:31 +08:00
parent 92123dfe25
commit 8100bc5228
18 changed files with 1276 additions and 1226 deletions

View File

@ -210,24 +210,24 @@ FDDI 网络中会用到双环连接的环形拓扑,以提供在一个环失效
*表 1.1 -- 物理和逻辑拓扑*
<table style="width: 100%">
<tr>
<th>拓扑</th><th>物理</th><th>逻辑</th>
</tr>
<tr>
<td>总线</td><td>总线</td><td>总线</td>
</tr>
<tr>
<td>星形</td><td>星形</td><td>总线</td>
</tr>
<tr>
<td>令牌环</td><td>星形</td><td>环形</td>
</tr>
<tr>
<td>点对点</td><td>总线</td><td>总线</td>
</tr>
<tr>
<td>FDDI</td><td>环形</td><td>环形</td>
</tr>
<tr>
<th>拓扑</th><th>物理</th><th>逻辑</th>
</tr>
<tr>
<td>总线</td><td>总线</td><td>总线</td>
</tr>
<tr>
<td>星形</td><td>星形</td><td>总线</td>
</tr>
<tr>
<td>令牌环</td><td>星形</td><td>环形</td>
</tr>
<tr>
<td>点对点</td><td>总线</td><td>总线</td>
</tr>
<tr>
<td>FDDI</td><td>环形</td><td>环形</td>
</tr>
</table>
## OSI 和 TCP 模型
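Review bot: `<table style="width: 100%">` on the opening line of 表 1.1 is the only table in this file that carries an inline style attribute; 表 1.2 through 表 1.6 in the later hunks all open with a bare `<table>`. Since this commit is normalizing table markup anyway, either drop the attribute here or apply the same width to the other tables so they render the same way.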
@ -244,16 +244,30 @@ OSI 模型将所有网络功能划分为七个不同的层。该层次化模型
*表 1.2 OSI 模型*
<table>
<tr>
<th>层 #</th><th>层名</th>
</tr>
<tr><td>7</td><td>应用层Application</td></tr>
<tr><td>6</td><td>表示层, Presentation</td></tr>
<tr><td>5</td><td>会话层, Session</td></tr>
<tr><td>4</td><td>传输层, Transport</td></tr>
<tr><td>3</td><td>网络层, Network</td></tr>
<tr><td>2</td><td>数据链路层, Data Link</td></tr>
<tr><td>1</td><td>物理层, Physical</td></tr>
<tr>
<th>层 #</th><th>层名</th>
</tr>
<tr>
<td>7</td><td>应用层Application</td>
</tr>
<tr>
<td>6</td><td>表示层, Presentation</td>
</tr>
<tr>
<td>5</td><td>会话层, Session</td>
</tr>
<tr>
<td>4</td><td>传输层, Transport</td>
</tr>
<tr>
<td>3</td><td>网络层, Network</td>
</tr>
<tr>
<td>2</td><td>数据链路层, Data Link</td>
</tr>
<tr>
<td>1</td><td>物理层, Physical</td>
</tr>
</table>
"**A**ll **P**eople **S**eem **T**o **N**eed **D**ata **P**rocessing"
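Review bot: the rewritten row `<td>7</td><td>应用层Application</td>` is missing the `, ` separator that every other row in this table uses (`表示层, Presentation`, `会话层, Session`, ...). Since the line is being touched anyway, change it to `应用层, Application`.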
@ -385,31 +399,21 @@ TCP/IP 模型已由四层更新为五层,所以你会在考试中被问到有
*表 1.3 五层的 TCP 模型*
<table>
<tr>
<th>应用Application</th>
<td>仍未封装的数据,</td>
<td></td>
</tr>
<tr>
<th>传输Transport</th>
<td>将 TCP 头部添加到数据上TCP header added to the data</td>
<td><b></b>Segment</td>
</tr>
<tr>
<th>网络Network</th>
<td>IP 头部被添加上去(包括 IP 地址), IP header added(including IP address)</td>
<td><b></b>Packet</td>
</tr>
<tr>
<th>数据链路Data Link</th>
<td>添加数据链路头部(数据链路地址), Data Link header added(Data Link address)</td>
<td><b></b>Frame</td>
</tr>
<tr>
<th>物理Physical</th>
<td>转变成电信号, Turned into electrical signals</td>
<td>线路上的<b></b>Bits on the wire</td>
</tr>
<tr>
<th>应用Application</th><td>仍未封装的数据,</td><td></td>
</tr>
<tr>
<th>传输Transport</th><td>将 TCP 头部添加到数据上TCP header added to the data</td><td><b></b>Segment</td>
</tr>
<tr>
<th>网络Network</th><td>IP 头部被添加上去(包括 IP 地址), IP header added(including IP address)</td><td><b></b>Packet</td>
</tr>
<tr>
<th>数据链路Data Link</th><td>添加数据链路头部(数据链路地址), Data Link header added(Data Link address)</td><td><b></b>Frame</td>
</tr>
<tr>
<th>物理Physical</th><td>转变成电信号, Turned into electrical signals</td><td>线路上的<b></b>Bits on the wire</td>
</tr>
</table>
你可能会被问及 TCP/IP 模型与 OSI 模型的对应关系。如表 1.4 所示:
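Review bot: the reflowed rows still carry empty `<b></b>` elements in front of `Segment`, `Packet`, `Frame` and `Bits on the wire`, and the application row ends in a dangling comma (`仍未封装的数据,`) followed by an empty third cell. An empty bold element renders nothing, so either put the intended PDU term inside the tags or remove them, and either fill the third cell of the application row or drop its trailing comma. The header cells `应用Application`, `传输Transport`, `网络Network` and so on also lack the `, ` separator that the header cells in 表 1.4 use.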
@ -417,43 +421,30 @@ TCP/IP 模型已由四层更新为五层,所以你会在考试中被问到有
*表 1.4 -- TCP/IP 模型到 OSI 模型的对应关系*
<table>
<tr>
<th>层号Layer #</th>
<th>OSI 模型</th>
<th>TCP 模型</th>
</tr>
<tr>
<td>7</td>
<td>应用, Application</td>
<td rowspan="3">应用, Application</td>
</tr>
<tr>
<td>6</td>
<td>表示, Presentation</td>
</tr>
<tr>
<td>5</td>
<td>会话, Session</td>
</tr>
<tr>
<td>4</td>
<td>传输, Transport</td>
<td>主机到主机, Host to Host</td>
</tr>
<tr>
<td>3</td>
<td>网络, Network</td>
<td>网际网络, Internetwork</td>
</tr>
<tr>
<td>2</td>
<td>数据链路, Data Link</td>
<td rowspan="2">网络接口, Network Interface</td>
</tr>
<tr>
<td>1</td>
<td>物理, Physical</td>
</tr>
<tr>
<th>层号Layer #</th><th>OSI 模型</th><th>TCP 模型</th>
</tr>
<tr>
<td>7</td><td>应用, Application</td><td rowspan="3">应用, Application</td>
</tr>
<tr>
<td>6</td><td>表示, Presentation</td>
</tr>
<tr>
<td>5</td><td>会话, Session</td>
</tr>
<tr>
<td>4</td><td>传输, Transport</td><td>主机到主机, Host to Host</td>
</tr>
<tr>
<td>3</td><td>网络, Network</td><td>网际网络, Internetwork</td>
</tr>
<tr>
<td>2</td><td>数据链路, Data Link</td><td rowspan="2">网络接口, Network Interface</td>
</tr>
<tr>
<td>1</td><td>物理, Physical</td>
</tr>
</table>
思科选择了新的 TCP 模型而不再是 OSI 模型作为网络框架,但仍要求你理解 OSI 模型,所以在大纲中保留了 OSI 模型。
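Review bot: `<th>层号Layer #</th>` is the one header cell in this table without the `, ` between the Chinese and English terms, while the body cells (`应用, Application`, `主机到主机, Host to Host`, `网络接口, Network Interface`) all have it; add it while the row is being rewritten. The `rowspan` values carry over correctly: `rowspan="3"` spans layers 7 to 5 for Application and `rowspan="2"` spans layers 2 to 1 for Network Interface.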
@ -461,35 +452,24 @@ TCP/IP 模型已由四层更新为五层,所以你会在考试中被问到有
*表 1.5 新旧 TCP 模型对比*
<table>
<tr>
<th>旧 TCP 模型, Old TCP Model</th>
<th>层, Layer</th>
<th>新 TCP 模型, New TCP Model</th>
</tr>
<tr>
<td>应用, Application</td>
<td>5</td>
<td>应用, Application</td>
</tr>
<tr>
<td>传输, Transport</td>
<td>4</td>
<td>传输, Transport</td>
</tr>
<tr>
<td>互联网, Internet</td>
<td>3</td>
<td>网络, Network</td>
</tr>
<tr>
<td rowspan="2">链路/网络接口, Link/Network Interface</td>
<td>2</td>
<td>数据链路, Data Link</td>
</tr>
<tr>
<td>1</td>
<td>物理, Phycial</td>
</tr>
<tr>
<th>旧 TCP 模型, Old TCP Model</th><th>层, Layer</th><th>新 TCP 模型, New TCP Model</th>
</tr>
<tr>
<td>应用, Application</td><td>5</td><td>应用, Application</td>
</tr>
<tr>
<td>传输, Transport</td><td>4</td><td>传输, Transport</td>
</tr>
<tr>
<td>互联网, Internet</td><td>3</td><td>网络, Network</td>
</tr>
<tr>
<td rowspan="2">链路/网络接口, Link/Network Interface</td><td>2</td><td>数据链路, Data Link</td>
</tr>
<tr>
<td>1</td><td>物理, Phycial</td>
</tr>
</table>
## TCP/IP
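Review bot: the typo `Phycial` in the layer-1 cell (`<td>1</td><td>物理, Phycial</td>`) is carried over unchanged from the old version. Since this line is rewritten in the hunk, correct it to `物理, Physical` here rather than in a follow-up commit.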
@ -807,48 +787,24 @@ ANSI/TIA/EIA-568-A 标准中对以太网线的类别进行了定义,有 3 类
*表 1.6 常见以太网标准*
<table>
<tr>
<th>速率</th>
<th>名称</th>
<th>IEEE 名称</th>
<th>IEEE 标准</th>
<th>线缆类型/长度</th>
</tr>
<tr>
<td>10Mbps</td>
<td>以太网Ethernet</td>
<td>10BASE-T</td>
<td>802.3</td>
<td>铜线/100米</td>
</tr>
<tr>
<td>100Mbps</td>
<td>快速以太网FastEthernet</td>
<td>100BASE-T</td>
<td>802.3u</td>
<td>铜线/100米, Copper/100m</td>
</tr>
<tr>
<td>1000Mbps</td>
<td>千兆以太网GigabitEthernet</td>
<td>1000BASE-LX</td>
<td>802.3z</td>
<td>光纤/5000米Fibre/5000m</td>
</tr>
<tr>
<td>1000Mbps</td>
<td>千兆以太网</td>
<td>1000BASE-T</td>
<td>802.3ab</td>
<td>铜线/100米, Copper/100m</td>
</tr>
<tr>
<td>10Gbps</td>
<td>万兆以太网TenGigabitEthernet</td>
<td>10GBASE-T</td>
<td>802.3an</td>
<td>铜线/100米, Copper/100m</td>
</tr>
<tr>
<th>速率</th><th>名称</th><th>IEEE 名称</th><th>IEEE 标准</th><th>线缆类型/长度</th>
</tr>
<tr>
<td>10Mbps</td><td>以太网Ethernet</td><td>10BASE-T</td><td>802.3</td><td>铜线/100米</td>
</tr>
<tr>
<td>100Mbps</td><td>快速以太网FastEthernet</td><td>100BASE-T</td><td>802.3u</td><td>铜线/100米, Copper/100m</td>
</tr>
<tr>
<td>1000Mbps</td><td>千兆以太网GigabitEthernet</td><td>1000BASE-LX</td><td>802.3z</td><td>光纤/5000米Fibre/5000m</td>
</tr>
<tr>
<td>1000Mbps</td><td>千兆以太网</td><td>1000BASE-T</td><td>802.3ab</td><td>铜线/100米, Copper/100m</td>
</tr>
<tr>
<td>10Gbps</td><td>万兆以太网TenGigabitEthernet</td><td>10GBASE-T</td><td>802.3an</td><td>铜线/100米, Copper/100m</td>
</tr>
</table>
思科喜欢将线缆规格有关的问题偷偷摸摸地放到考试中去,**所以务必要记住这个表格**。
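Review bot: the 10BASE-T row's cable cell `铜线/100米` is the only one in this table without the English gloss; the 100BASE-T, 1000BASE-T and 10GBASE-T rows all read `铜线/100米, Copper/100m`. Add the gloss while the row is being reflowed. The `名称` column is similarly uneven: `千兆以太网GigabitEthernet` in the 1000BASE-LX row versus bare `千兆以太网` in the 1000BASE-T row.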
@ -1830,4 +1786,3 @@ My_Router(config)#router rip
My_Router(config-router)#network 10.0.0.0
My_Router(config-router)#
```

View File

@ -708,90 +708,97 @@ Fa0/2 1-99,201-4094
**实验步骤Walkthrough**
1. 你需要在每台 PC 上添加 IP 地址。可自由选择,只要求它们在同一子网上。
2. 在交换机 A 上设置主机名hostname, 创建 VLAN 2, 并将连接 PC 的那个接口放到 VLAN 2 中。如你愿意,你也可以赋予 VLAN 2 一个名称。
```console
Switch>en
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname SwitchA
SwitchA(config)#vlan 2
SwitchA(config-vlan)#name 60days
SwitchA(config-vlan)#interface FastEthernet0/1
SwitchA(config-if)#switchport mode access
SwitchA(config-if)#switchport access vlan 2
SwitchA(config-if)#^Z
SwitchA#show vlan brief
VLAN Name Status Ports
---- --------- -------------------------------
1 default active Fa0/2, Fa0/3, Fa0/4, Fa0/5,
Fa0/6, Fa0/7, Fa0/8, Fa0/9,
Fa0/10, Fa0/11, Fa0/12, Fa0/13,
Fa0/14, Fa0/15, Fa0/16, Fa0/17,
Fa0/18, Fa0/19, Fa0/20, Fa0/21,
Fa0/22, Fa0/23, Fa0/24
2 60days active Fa0/1
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
SwitchA#
```
```console
Switch>en
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname SwitchA
SwitchA(config)#vlan 2
SwitchA(config-vlan)#name 60days
SwitchA(config-vlan)#interface FastEthernet0/1
SwitchA(config-if)#switchport mode access
SwitchA(config-if)#switchport access vlan 2
SwitchA(config-if)#^Z
SwitchA#show vlan brief
VLAN Name Status Ports
---- --------- -------------------------------
1 default active Fa0/2, Fa0/3, Fa0/4, Fa0/5,
Fa0/6, Fa0/7, Fa0/8, Fa0/9,
Fa0/10, Fa0/11, Fa0/12, Fa0/13,
Fa0/14, Fa0/15, Fa0/16, Fa0/17,
Fa0/18, Fa0/19, Fa0/20, Fa0/21,
Fa0/22, Fa0/23, Fa0/24
2 60days active Fa0/1
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
SwitchA#
```
3. 将中继链路设置为中继模式。
```console
SwitchA#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SwitchA(config)#int FastEthernet0/2
SwitchA(config-if)#switchport mode trunk
SwitchA#show interface trunk
Port Mode Encapsulation Status Native vlan
Fa0/2 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/2 1-1005
```
```console
SwitchA#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SwitchA(config)#int FastEthernet0/2
SwitchA(config-if)#switchport mode trunk
SwitchA#show interface trunk
Port Mode Encapsulation Status Native vlan
Fa0/2 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/2 1-1005
```
4. 如你愿意,设置在该中继链路上仅允许 VLAN 2。
```console
SwitchA(config)#int FastEthernet0/2
SwitchA(config-if)#switchport trunk allowed vlan 2
SwitchA(config-if)#^Z
SwitchA#
%SYS-5-CONFIG_I: Configured from console by console
SwitchA#show int trunk
Port Mode Encapsulation Status Native vlan
Fa0/2 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/2 2
```
```console
SwitchA(config)#int FastEthernet0/2
SwitchA(config-if)#switchport trunk allowed vlan 2
SwitchA(config-if)#^Z
SwitchA#
%SYS-5-CONFIG_I: Configured from console by console
SwitchA#show int trunk
Port Mode Encapsulation Status Native vlan
Fa0/2 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/2 2
```
5. 此时,如你自其中一台 PC ping 往另一台,将会失败。这是因为一边是在 VLAN 1 中,另一边在 VLAN 2 中。
```console
PC>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Request timed out.
Ping statistics for 192.168.1.1:
Packets: Sent = 2, Received = 0, Lost = 2 (100% loss)
```
```console
PC>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Request timed out.
Ping statistics for 192.168.1.1:
Packets: Sent = 2, Received = 0, Lost = 2 (100% loss)
```
6. 此时在交换机 B 上配置同样的那些命令。创建 VLAN、将交换机 PC 端口放入 VLAN 2并将该接口设置为接入模式还要将中继链路设置为 “中继”。
7. 现在你就可以从一台 PC 实现跨越中继链路 ping 通另一 PC 了。
```console
PC>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=188ms TTL=128
Reply from 192.168.1.1: bytes=32 time=78ms TTL=128
Reply from 192.168.1.1: bytes=32 time=94ms TTL=128
Reply from 192.168.1.1: bytes=32 time=79ms TTL=128
Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 78ms, Maximum = 188ms, Average = 109ms
```
```console
PC>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=188ms TTL=128
Reply from 192.168.1.1: bytes=32 time=78ms TTL=128
Reply from 192.168.1.1: bytes=32 time=94ms TTL=128
Reply from 192.168.1.1: bytes=32 time=79ms TTL=128
Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 78ms, Maximum = 188ms, Average = 109ms
```
### VTP 实验
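Review bot: in step 3 the transcript jumps from `SwitchA(config-if)#switchport mode trunk` straight to `SwitchA#show interface trunk` without the `^Z` (or `end`) that step 2 shows, and step 4 then resumes at `SwitchA(config)#int FastEthernet0/2` from a privileged prompt with no `conf t` in between. A reader typing along will hit mode errors at both points; since this commit touches every line of these blocks, add the missing mode-change lines so the prompts are consistent. The step 6 text (`创建 VLAN、将交换机 PC 端口放入 VLAN 2并将该接口设置为接入模式还要将中继链路设置为 “中继”`) is also missing the commas between its clauses.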
@ -805,4 +812,3 @@ Approximate round trip times in milli-seconds:
- 在两台交换机上都配置 VTP 修剪VTP pruning
- 在两台交换机上检查(展示) VTP 配置
- 在两台交换机上配置不同的 VTP 域及口令,并重复上述过程;观察结果的不同

View File

@ -1313,124 +1313,132 @@ address 0004.c16f.8741 on port Gi0/2.
1. 使用某个启用秘密口令an enable secret password登入使用保护启用模式Protect Enable mode。通过登出特权模式Privileged mode并再度登入来进行测试。
```console
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#enable secret cisco
Router(config)#exit
Router#
%SYS-5-CONFIG_I: Configured from console by console
Router#exi
Router con0 is now available
Press RETURN to get started.
Router>en
Password:
Router#
```
```console
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#enable secret cisco
Router(config)#exit
Router#
%SYS-5-CONFIG_I: Configured from console by console
Router#exi
Router con0 is now available
Press RETURN to get started.
Router>en
Password:
Router#
```
2. 设置一个启用口令enable pasword接着加入口令加密服务service password encryption。此操作在实际路由器上很少执行因为这是不安全的做法。
```console
Router(config)#no enable secret
Router(config)#enable password cisco
Router(config)#service pass
Router(config)#service password-encryption
Router(config)#exit
Router#
%SYS-5-CONFIG_I: Configured from console by console
Router#show run
Building configuration...
Current configuration: 480 bytes
!version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
!
hostname Router
!
enable password 7 0822455D0A16
```
```console
Router(config)#no enable secret
Router(config)#enable password cisco
Router(config)#service pass
Router(config)#service password-encryption
Router(config)#exit
Router#
%SYS-5-CONFIG_I: Configured from console by console
Router#show run
Building configuration...
Current configuration: 480 bytes
!version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
!
hostname Router
!
enable password 7 0822455D0A16
```
3. 对 Telnet 线路进行保护。建立一个本地用户名及其口令,并令到用户在登入路由器时,使用此用户名和口令。
```console
Router(config)#line vty 0 ?
<1-15>
Last Line number
<cr>
Router(config)#line vty 0 15
Router(config-line)#login local
Router(config-line)#exit
Router(config)#username in60days password cisco
Router(config)#
```
之前你已经测试过 Telnet 了,但请无需担心在加入一台 PC 及 Telnet 到路由器,会受到要求用户名和口令的提示。
```console
Router(config)#line vty 0 ?
<1-15>
Last Line number
<cr>
Router(config)#line vty 0 15
Router(config-line)#login local
Router(config-line)#exit
Router(config)#username in60days password cisco
Router(config)#
```
之前你已经测试过 Telnet 了,但请无需担心在加入一台 PC 及 Telnet 到路由器,会受到要求用户名和口令的提示。
4. 用一个口令来保护控制台。只需在控制台端口上直接设置一个口令就行。
```console
Router(config)#line console 0
Router(config-line)#password cisco
```
通过将控制台线从路由器拔出,并再次插入路由器,就可以对此进行测试。同样,如有一个替代端口,也可为其设置口令进行保护。
```console
Router(config)#line console 0
Router(config-line)#password cisco
```
```console
Router(config)#line aux 0
Router(config-line)#password cisco
```
通过将控制台线从路由器拔出,并再次插入路由器,就可以对此进行测试。同样,如有一个替代端口,也可为其设置口令进行保护。
```console
Router(config)#line aux 0
Router(config-line)#password cisco
```
5. 通过仅允许 SSH 流量进入,来保护 Telnet 线路。还可以仅允许 SSH 流量发出。该命令需要一个安全镜像a security image才能工作。
```console
Router(config)#line vty 0 15
Router(config-line)#transport input ssh
Router(config-line)#transport output ssh
```
```console
Router(config)#line vty 0 15
Router(config-line)#transport input ssh
Router(config-line)#transport output ssh
```
6. 添加一个今日横幅消息a banner message of the day, MOTD。将告知路由器已结束输入的字符设为 ”X“界定符the delimiting character
```console
Router(config)#banner motd X
Enter TEXT message.
End with the character X.
Do not use this router without authorization. X
Router(config)#
Router(config)#exit
Router#
%SYS-5-CONFIG_I: Configured from console by console
Exit
Router con0 is now available
Press RETURN to get started.
Do not use this router without authorization.
Router>
```
```console
Router(config)#banner motd X
Enter TEXT message.
End with the character X.
Do not use this router without authorization. X
Router(config)#
Router(config)#exit
Router#
%SYS-5-CONFIG_I: Configured from console by console
Exit
Router con0 is now available
Press RETURN to get started.
Do not use this router without authorization.
Router>
```
7. 关闭整个路由器的思科发现协议。还可以使用命令 `no cdp enable interface`,只关闭某个接口上的思科发现协议。
```console
Router(config)#no cdp run
```
可通过在关闭思科发现协议前,连接一台交换机或路由器到该路由器,并执行 `show cdp neighbor (detail)` 命令,来测试上面的命令是否起作用。
```console
Router(config)#no cdp run
```
可通过在关闭思科发现协议前,连接一台交换机或路由器到该路由器,并执行 `show cdp neighbor (detail)` 命令,来测试上面的命令是否起作用。
8. 设置路由器将日志消息发送到网络上的某台主机。
```console
Router#conf t
Enter configuration commands, one per line.
End with CNTL/Z.
Router(config)#logging ?
A.B.C.D IP address of the logging host
buffered Set buffered logging parameters
console Set console logging parameters
host Set syslog server IP address and parameters
on Enable logging to all enabled destinations
trap Set syslog server logging level
userinfo Enable logging of user info on privileged mode enabling
Router(config)#logging 10.1.1.1
```
```console
Router#conf t
Enter configuration commands, one per line.
End with CNTL/Z.
Router(config)#logging ?
A.B.C.D IP address of the logging host
buffered Set buffered logging parameters
console Set console logging parameters
host Set syslog server IP address and parameters
on Enable logging to all enabled destinations
trap Set syslog server logging level
userinfo Enable logging of user info on privileged mode enabling
Router(config)#logging 10.1.1.1
```
### 交换机安全基础实验Basic Switch Security Lab
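Review bot: step 4 sets `password cisco` under `line console 0` and under `line aux 0` but never adds `login` to either line; IOS only prompts for a line password when `login` is configured on that line, so the unplug-and-reconnect test described in `通过将控制台线从路由器拔出...` will not actually ask for a password. Add `Router(config-line)#login` after each `password cisco` line. Related: step 5's `transport input ssh` / `transport output ssh` is shown without the prerequisites the SSH server needs (`ip domain-name` and `crypto key generate rsa`), so after this step the vty lines refuse Telnet and have no working SSH either; one sentence or the two commands would make the step reproducible. Finally, step 3's `username in60days password cisco` is stored in a form that the `service password-encryption` from step 2 only obfuscates, which the step 2 text itself calls insecure; `username in60days secret cisco` is the stronger form.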
@ -1448,111 +1456,120 @@ Router(config)#logging 10.1.1.1
2. 登入 VTY 线路并建立使用本地用户名和口令的远程登陆访问Telnet access referring to a local username and password
```console
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#line vty 0 ?
<1-15> Last Line number
<cr>
Switch(config)#line vty 0 15
Switch(config-line)#?
Switch(config-line)#login local
Switch(config-line)#exit
Switch(config)#username in60days password cisco
Switch(config)#
```
```console
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#line vty 0 ?
<1-15> Last Line number
<cr>
Switch(config)#line vty 0 15
Switch(config-line)#?
Switch(config-line)#login local
Switch(config-line)#exit
Switch(config)#username in60days password cisco
Switch(config)#
```
3. 为交换机上的 `VLAN 1` 添加一个 IP 地址(所有端口都自动在 `VLAN 1` 中)。此外, 将 `192.168.1.1` 加到 PC 的 `FastEthernet` 接口上。
```console
Switch(config)#interface vlan1
Switch(config-if)#ip address 192.168.1.2 255.255.255.0
Switch(config-if)#no shut
%LINK-5-CHANGED: Interface Vlan1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan2, changed state to up
Switch(config-if)#^Z ← press Ctrl+Z keys
Switch#
Switch#ping 192.168.1.1 ← test connection from switch to PC
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 31/31/32 ms
Switch#
```
```console
Switch(config)#interface vlan1
Switch(config-if)#ip address 192.168.1.2 255.255.255.0
Switch(config-if)#no shut
%LINK-5-CHANGED: Interface Vlan1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan2, changed state to up
Switch(config-if)#^Z ← press Ctrl+Z keys
Switch#
Switch#ping 192.168.1.1 ← test connection from switch to PC
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 31/31/32 ms
Switch#
```
4. 通过从 PC 远程登陆到交换机来测试远程登陆。
!["测试远程登陆"](images/0407.png)
!["测试远程登陆"](images/0407.png)
5. IT 经理改变主意,要仅使用 SSH 访问,那么就在 VTY 线路上修改配置。仅有那些确定的交换机型号和 IOS 版本才支持 `SSH` 命令。
```console
Switch(config)#line vty 0 15
Switch(config-line)#transport input ssh
```
```console
Switch(config)#line vty 0 15
Switch(config-line)#transport input ssh
```
6. 现在从 PC 尝试登入交换机。因为仅允许 SSH 此连接将失败。
!["Telnet 失败"](images/0409.png)
!["Telnet 失败"](images/0409.png)
7. 在交换机上为 `FastEthernet` 端口设置端口安全。如你未将端口设置为接入模式(而是动态模式或者中继模式)的话,此操作将失败。
```console
Switch(config)#interface FastEthernet0/1
Switch(config-if)#switchport port-security
Command rejected: FastEthernet0/1 is a dynamic port.
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#
```
```console
Switch(config)#interface FastEthernet0/1
Switch(config-if)#switchport port-security
Command rejected: FastEthernet0/1 is a dynamic port.
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#
```
8. 硬性设置 PC 的 MAC 地址为该端口的允许地址。在 PC 的命令行上使用命令 `ipconfig/all` 来查看其 MAC 地址。再就要检查端口安全的状态和设置了。
```console
Switch(config-if)#switchport port-security mac-address 0001.C7DD.CB18
Switch(config-if)#^Z
Switch#show port-security int FastEthernet0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0001.C7DD.CB18:1
Security Violation Count : 0
```
```console
Switch(config-if)#switchport port-security mac-address 0001.C7DD.CB18
Switch(config-if)#^Z
Switch#show port-security int FastEthernet0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0001.C7DD.CB18:1
Security Violation Count : 0
```
9. 修改 PC 的 MAC 地址,如你无法修改,可以将另一台设备插入该交换机端口。这将会令到该端口关闭,因为破坏了安全设置。下面的屏幕截图展示了 Packet Tracer 中修改 MAC 地址的地方。
!["PT 修改 MAC 地址"](images/0410.png)
!["PT 修改 MAC 地址"](images/0410.png)
10. 你将看到 FastEthernet 端口立即宕掉。
```console
Switch#
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
Switch#
%SYS-5-CONFIG_I: Configured from console by console
Switch#show port-security interface FastEthernet0/1
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0001.C7DD.CB19:1
Security Violation Count : 1
```
```console
Switch#
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
Switch#
%SYS-5-CONFIG_I: Configured from console by console
Switch#show port-security interface FastEthernet0/1
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0001.C7DD.CB19:1
Security Violation Count : 1
```
>**注意:** 请重复本实验,直到理解这些命令,并在不看上述实验步骤的情况下输入这些命令为止(本书的其它实验也要这样做)。
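Review bot: the step 3 transcript configures `interface vlan1`, but the second syslog line reads `%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan2, changed state to up`; it should say `Vlan1` to match the `%LINK-5-CHANGED: Interface Vlan1, changed state to up` line above it. In step 8 the `show port-security int FastEthernet0/1` output lists `Configured MAC Addresses : 0` immediately after `switchport port-security mac-address 0001.C7DD.CB18` was entered, while `Total MAC Addresses : 1`; a statically configured address should be reflected in the `Configured` counter, so either the command or the captured output is not from the same run and should be checked before the lines are reflowed.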

View File

@ -161,12 +161,24 @@ IP 版本 4(IPv4设计用于解决设备命名问题。IPv4 使用二进制
**表5.2 -- 十进制、十六进制和二进制位数Decimal, Hex, and Binary Digits**
<table>
<tr><th>十进制Decimal</th><td>`0`</td><td>`1`</td><td>`2`</td><td>`3`</td><td>`4`</td><td>`5`</td><td>`6`</td><td>`7`</td></tr>
<tr><th>十六进制Hex</th><td>`0`</td><td>`1`</td><td>`2`</td><td>`3`</td><td>`4`</td><td>`5`</td><td>`6`</td><td>`7`</td></tr>
<tr><th>二进制Binary</th><td>`0000`</td><td>`0001`</td><td>`0010`</td><td>`0011`</td><td>`0100`</td><td>`0101`</td><td>`0110`</td><td>`0111`</td></tr>
<tr><th>十进制Decimal</th><td>`8`</td><td>`9`</td><td>`10`</td><td>`11`</td><td>`12`</td><td>`13`</td><td>`14`</td><td>`15`</td></tr>
<tr><th>十六进制Hex</th><td>`8`</td><td>`9`</td><td>`A`</td><td>`B`</td><td>`C`</td><td>`D`</td><td>`E`</td><td>`F`</td></tr>
<tr><th>二进制Binary</th><td>`1000`</td><td>`1001`</td><td>`1010`</td><td>`1011`</td><td>`1100`</td><td>`1101`</td><td>`1110`</td><td>`1111`</td></tr>
<tr>
<th>十进制Decimal</th><td>`0`</td><td>`1`</td><td>`2`</td><td>`3`</td><td>`4`</td><td>`5`</td><td>`6`</td><td>`7`</td>
</tr>
<tr>
<th>十六进制Hex</th><td>`0`</td><td>`1`</td><td>`2`</td><td>`3`</td><td>`4`</td><td>`5`</td><td>`6`</td><td>`7`</td>
</tr>
<tr>
<th>二进制Binary</th><td>`0000`</td><td>`0001`</td><td>`0010`</td><td>`0011`</td><td>`0100`</td><td>`0101`</td><td>`0110`</td><td>`0111`</td>
</tr>
<tr>
<th>十进制Decimal</th><td>`8`</td><td>`9`</td><td>`10`</td><td>`11`</td><td>`12`</td><td>`13`</td><td>`14`</td><td>`15`</td>
</tr>
<tr>
<th>十六进制Hex</th><td>`8`</td><td>`9`</td><td>`A`</td><td>`B`</td><td>`C`</td><td>`D`</td><td>`E`</td><td>`F`</td>
</tr>
<tr>
<th>二进制Binary</th><td>`1000`</td><td>`1001`</td><td>`1010`</td><td>`1011`</td><td>`1100`</td><td>`1101`</td><td>`1110`</td><td>`1111`</td>
</tr>
</table>
将二进制转换成十六进制及十进制是相当简单的如表5.3所示。
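Review bot: the cells are written as backtick-quoted values (`<td>`0`</td>`, `<td>`0000`</td>`, ...) inside a raw `<table>` block. Markdown renderers treat the body of an HTML block as literal HTML and do not process inline code spans there, so the backticks will appear verbatim in the rendered table. Use `<code>0</code>` or drop the backticks; the same applies to 表 5.3 in the next hunk.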
@ -174,9 +186,15 @@ IP 版本 4(IPv4设计用于解决设备命名问题。IPv4 使用二进制
**表5.3 -- 二进制到十六进制、十进制的转换**
<table>
<tr><th>十进制Decimal</th><td>`13`</td><td>`6`</td><td>`2`</td><td>`12`</td></tr>
<tr><th> 十六进制, Hex</th><td>`D`</td><td>`6`</td><td>`2`</td><td>`C`</td></tr>
<tr><th> 二进制Binary</th><td>`1101`</td><td>`0110`</td><td>`0010`</td><td>`1100`</td></tr>
<tr>
<th>十进制Decimal</th><td>`13`</td><td>`6`</td><td>`2`</td><td>`12`</td>
</tr>
<tr>
<th> 十六进制, Hex</th><td>`D`</td><td>`6`</td><td>`2`</td><td>`C`</td>
</tr>
<tr>
<th> 二进制Binary</th><td>`1101`</td><td>`0110`</td><td>`0010`</td><td>`1100`</td>
</tr>
</table>
相对于二进制,十六进制对人类来讲更易于掌握,其又能够近似于二进制那样为计算机和网络设备所使用。任何的数都可由十六进制构造出来,这点跟二进制和十进制一样;如下面的例子一样,只需计算`16`的乘积。
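Review bot: the header cells `<th> 十六进制, Hex</th>` and `<th> 二进制Binary</th>` carry a stray leading space inside the tag that `<th>十进制Decimal</th>` does not, and the three headers are inconsistent about the `, ` separator (`十六进制, Hex` has it, `十进制Decimal` and `二进制Binary` do not). Since these lines are being rewritten, normalize all three.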
@ -726,67 +744,76 @@ IP 地址分配的规则有:**网络上的每个地址,都要是其主机所
1. Convert 1111 to hex and decimal
```console
Hex = F
Decimal = 15
```
```console
Hex = F
Decimal = 15
```
2. Convert 11010 to hex and decimal
```console
Hex = 1A
Decimal = 26
```
```console
Hex = 1A
Decimal = 26
```
3. Convert 10000 to hex and decimal
```console
Hex = 10
Decimal = 16
```
```console
Hex = 10
Decimal = 16
```
4. Convert 20 to binary and hex
```console
Binary = 10100
Hex = 14
```
```console
Binary = 10100
Hex = 14
```
5. Convert 32 to binary and hex
```console
Binary = 100000
Hex = 20
```
```console
Binary = 100000
Hex = 20
```
6. Convert 101 to binary and hex
```console
Binary = 1100101
Hex = 65
```
```console
Binary = 1100101
Hex = 65
```
7. Convert A6 from hex to binary and decimal
```console
Binary = 10100110
Decimal = 166
```
```console
Binary = 10100110
Decimal = 166
```
8. Convert 15 from hex to binary and decimal
```console
Binary = 10101
Decimal = 21
```
```console
Binary = 10101
Decimal = 21
```
9. Convert B5 from hex to binary and decimal
```console
Binary = 10110101
Decimal = 181
```
```console
Binary = 10110101
Decimal = 181
```
## 第五天的实验
### 路由器上的IP分址实验
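Review bot: the nine exercise prompts (`Convert 1111 to hex and decimal`, ...) are the only untranslated English lines in this chapter, and their answers are wrapped in `console` fences although they are not terminal output; translate the prompts to match the surrounding text and use a plain fence for the answers. The answer values themselves check out: 1111 = F = 15, 11010 = 1A = 26, 10000 = 10 = 16, 20 = 10100 = 0x14, 32 = 100000 = 0x20, 101 = 1100101 = 0x65, A6 = 10100110 = 166, 0x15 = 10101 = 21, B5 = 10110101 = 181.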
@ -805,62 +832,66 @@ IP 地址分配的规则有:**网络上的每个地址,都要是其主机所
1. 先是明确路由器上的串行借口编号你的路由器与上面拓扑图中的可能有所不同。同时还要明确串行链路的哪一端连接的是DCE线因为在该端是需要`clock rate`命令的。
```console
Router>en
Router#sh ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 unassigned YES unset administratively down down
FastEthernet0/1 unassigned YES unset administratively down down
Serial0/1/0 unassigned YES unset administratively down down
Vlan1 unassigned YES unset administratively down down
Router#
Router#show controllers Serial0/1/0
M1T-E3 pa: show controller:
PAS unit 0, subunit 0, f/w version 2-55, rev ID 0x2800001, version 2
idb = 0x6080D54C, ds = 0x6080F304, ssb=0x6080F4F4
Clock mux=0x30, ucmd_ctrl=0x0, port_status=0x1
line state: down
DCE cable, no clock rate
```
```console
Router>en
Router#sh ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 unassigned YES unset administratively down down
FastEthernet0/1 unassigned YES unset administratively down down
Serial0/1/0 unassigned YES unset administratively down down
Vlan1 unassigned YES unset administratively down down
Router#
Router#show controllers Serial0/1/0
M1T-E3 pa: show controller:
PAS unit 0, subunit 0, f/w version 2-55, rev ID 0x2800001, version 2
idb = 0x6080D54C, ds = 0x6080F304, ssb=0x6080F4F4
Clock mux=0x30, ucmd_ctrl=0x0, port_status=0x1
line state: down
DCE cable, no clock rate
```
2. 在一侧为路由器加上主机名及IP地址如该侧是DCE就为其加上时钟速率the clock rate
```console
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname RouterA
RouterA(config)#interface s0/1/0
RouterA(config-if)#ip add 192.168.1.1 255.255.255.0
RouterA(config-if)#clock rate 64000
RouterA(config-if)#no shut
%LINK-5-CHANGED: Interface Serial0/1/0, changed state to downRouterA(config-if)#
```
```console
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname RouterA
RouterA(config)#interface s0/1/0
RouterA(config-if)#ip add 192.168.1.1 255.255.255.0
RouterA(config-if)#clock rate 64000
RouterA(config-if)#no shut
%LINK-5-CHANGED: Interface Serial0/1/0, changed state to downRouterA(config-if)#
```
3. 为另一侧加上主机名和IP地址。同时使用`no shut`命令将该接口开启。
```console
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname RouterB
RouterB(config)#int s0/1/0
RouterB(config-if)#ip address 192.168.1.2 255.255.255.0
RouterB(config-if)#no shut
%LINK-5-CHANGED: Interface Serial0/1/0, changed state to down
RouterB(config-if)#^Z
RouterB#
%LINK-5-CHANGED: Interface Serial0/1/0, changed state to up
```
```console
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname RouterB
RouterB(config)#int s0/1/0
RouterB(config-if)#ip address 192.168.1.2 255.255.255.0
RouterB(config-if)#no shut
%LINK-5-CHANGED: Interface Serial0/1/0, changed state to down
RouterB(config-if)#^Z
RouterB#
%LINK-5-CHANGED: Interface Serial0/1/0, changed state to up
```
4. 用`ping`命令测试连接。
```console
RouterB#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 31/31/32 ms
```
```console
RouterB#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 31/31/32 ms
```
>**注意:** 如ping不工作就要反复检查确保在正确的路由器上加上了`clock rate`命令。还要确保正确插入了线缆,并使用命令 `show controllers serial x/x/x`, 这里的接口编号是你的路由器上的。
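Review bot: in the step 2 block the prompt is fused onto the syslog line: `%LINK-5-CHANGED: Interface Serial0/1/0, changed state to downRouterA(config-if)#` needs a line break before `RouterA(config-if)#`; the step 3 block shows the intended layout. The step 1 text also has the typo `串行借口编号` for `串行接口编号`.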
@ -871,4 +902,3 @@ Success rate is 100 percent (5/5), round-trip min/avg/max = 31/31/32 ms
- 十进制到二进制的转换(随机数字)
- 二进制到十进制的转换(随机数字)
- IPv4 子网划分(随机网络和场景)

View File

@ -315,118 +315,124 @@ NAT故障中十次有九次都是由于路由器管理员忘记了把`ip nat
2. 在路由器`A`上需要加入一个IP地址以模拟LAN上的一台主机。**通过一个环回接口,可以实现这个目的**。
```console
RouterA#conf t
Enter configuration commands, one per line. End with CNTL/Z.
RouterA(config)#interface Loopback0
RouterA(config-if)#ip add 10.1.1.1 255.0.0.0
RouterA(config-if)#
```
```console
RouterA#conf t
Enter configuration commands, one per line. End with CNTL/Z.
RouterA(config)#interface Loopback0
RouterA(config-if)#ip add 10.1.1.1 255.0.0.0
RouterA(config-if)#
```
3. 为进行测试,需要告诉`Router B`将发往任何网络的任何流量,都发往`Router A`。通过一条静态路由完成这个。
```console
RouterB#conf t
Enter configuration commands, one per line. End with CNTL/Z.
RouterB(config)#ip route 0.0.0.0 0.0.0.0 Serial0/1/0
RouterB(config)#
```
```console
RouterB#conf t
Enter configuration commands, one per line. End with CNTL/Z.
RouterB(config)#ip route 0.0.0.0 0.0.0.0 Serial0/1/0
RouterB(config)#
```
4. 要测试该条静态路由是否工作,通过从`Router A`上的环回接口对`Router B`进行`ping`操作。
```console
RouterA#ping
Protocol [ip]:
Target IP address: 192.168.1.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.1.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 31/31/32 ms
RouterA#
```
```console
RouterA#ping
Protocol [ip]:
Target IP address: 192.168.1.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.1.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 31/31/32 ms
RouterA#
```
5. 在`Router A`上配置一个静态NAT条目。使用NAT将地址`10.1.1.1`, 在其离开该路由器时,转换成`172.16.1.1`。同样需要告诉路由器哪个是NAT的内部接口哪个是外部接口。
```console
RouterA#conf t
Enter configuration commands, one per line. End with CNTL/Z.
RouterA(config)#int Loopback0
RouterA(config-if)#ip nat inside
RouterA(config-if)#int Serial0/1/0
RouterA(config-if)#ip nat outside
RouterA(config-if)#
RouterA(config-if)#ip nat inside source static 10.1.1.1 172.16.1.1
RouterA(config)#
```
```console
RouterA#conf t
Enter configuration commands, one per line. End with CNTL/Z.
RouterA(config)#int Loopback0
RouterA(config-if)#ip nat inside
RouterA(config-if)#int Serial0/1/0
RouterA(config-if)#ip nat outside
RouterA(config-if)#
RouterA(config-if)#ip nat inside source static 10.1.1.1 172.16.1.1
RouterA(config)#
```
6. 打开NAT调试如此就可以看到转换的进行。此时再执行另一个扩展`ping`操作(自`L0`接口的并查看NAT表。因为IOS的不同你的输出可能与我的不一样。
```console
RouterA#debug ip nat
IP NAT debugging is on
RouterA#
RouterA#ping
Protocol [ip]:
Target IP address: 192.168.1.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.1.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
NAT: s=10.1.1.1->172.16.1.1, d=192.168.1.2 [11]
!
NAT*: s=192.168.1.2, d=172.16.1.1->10.1.1.1 [11]
NAT: s=10.1.1.1->172.16.1.1, d=192.168.1.2 [12]
!
NAT*: s=192.168.1.2, d=172.16.1.1->10.1.1.1 [12]
NAT: s=10.1.1.1->172.16.1.1, d=192.168.1.2 [13]
!
NAT*: s=192.168.1.2, d=172.16.1.1->10.1.1.1 [13]
NAT: s=10.1.1.1->172.16.1.1, d=192.168.1.2 [14]
!
NAT*: s=192.168.1.2, d=172.16.1.1->10.1.1.1 [14]
NAT: s=10.1.1.1->172.16.1.1, d=192.168.1.2 [15]
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 31/46/110 ms
RouterA#
NAT*: s=192.168.1.2, d=172.16.1.1->10.1.1.1 [15]
RouterA#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 172.16.1.1:10 10.1.1.1:10 192.168.1.2:10 192.168.1.2:10
icmp 172.16.1.1:6 10.1.1.1:6 192.168.1.2:6 192.168.1.2:6
icmp 172.16.1.1:7 10.1.1.1:7 192.168.1.2:7 192.168.1.2:7
icmp 172.16.1.1:8 10.1.1.1:8 192.168.1.2:8 192.168.1.2:8
icmp 172.16.1.1:9 10.1.1.1:9 192.168.1.2:9 192.168.1.2:9
--- 172.16.1.1 10.1.1.1 --- ---
RouterA#
```
```console
RouterA#debug ip nat
IP NAT debugging is on
RouterA#
RouterA#ping
Protocol [ip]:
Target IP address: 192.168.1.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.1.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
NAT: s=10.1.1.1->172.16.1.1, d=192.168.1.2 [11]
!
NAT*: s=192.168.1.2, d=172.16.1.1->10.1.1.1 [11]
NAT: s=10.1.1.1->172.16.1.1, d=192.168.1.2 [12]
!
NAT*: s=192.168.1.2, d=172.16.1.1->10.1.1.1 [12]
NAT: s=10.1.1.1->172.16.1.1, d=192.168.1.2 [13]
!
NAT*: s=192.168.1.2, d=172.16.1.1->10.1.1.1 [13]
NAT: s=10.1.1.1->172.16.1.1, d=192.168.1.2 [14]
!
NAT*: s=192.168.1.2, d=172.16.1.1->10.1.1.1 [14]
NAT: s=10.1.1.1->172.16.1.1, d=192.168.1.2 [15]
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 31/46/110 ms
RouterA#
NAT*: s=192.168.1.2, d=172.16.1.1->10.1.1.1 [15]
RouterA#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 172.16.1.1:10 10.1.1.1:10 192.168.1.2:10 192.168.1.2:10
icmp 172.16.1.1:6 10.1.1.1:6 192.168.1.2:6 192.168.1.2:6
icmp 172.16.1.1:7 10.1.1.1:7 192.168.1.2:7 192.168.1.2:7
icmp 172.16.1.1:8 10.1.1.1:8 192.168.1.2:8 192.168.1.2:8
icmp 172.16.1.1:9 10.1.1.1:9 192.168.1.2:9 192.168.1.2:9
--- 172.16.1.1 10.1.1.1 --- ---
RouterA#
```
7. 记住路由器随后很快就会清除该NAT转换为其它IP地址使用这个/这些NAT地址而对其进行清理。
```console
NAT: expiring 172.16.1.1 (10.1.1.1) icmp 6 (6)
NAT: expiring 172.16.1.1 (10.1.1.1) icmp 7 (7)
```
```console
NAT: expiring 172.16.1.1 (10.1.1.1) icmp 6 (6)
NAT: expiring 172.16.1.1 (10.1.1.1) icmp 7 (7)
```
>译者注: 通过本实验,要注意三个问题:一是**可路由地址可以是外部接口同一网段的地址,也可以不是**;二是**NAT超时问题该参数可以设置**;三是**环回接口的使用, 常用来模拟LAN中的计算机**。
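Review bot: the prompt on the step-5 line `RouterA(config-if)#ip nat inside source static 10.1.1.1 172.16.1.1` is wrong for a global-configuration command: `ip nat inside source static` is entered at `RouterA(config)#`, which is exactly what the next prompt line shows, so either an `exit` line is missing before it or the prompt should read `RouterA(config)#`. Since this block is being re-indented anyway it is worth fixing, because a reader who types the transcript verbatim will enter the command in interface mode and get an error. Two smaller points in the same hunk: in the step-6 debug transcript `Validate reply data? [no]:Data pattern [0xABCD]:` runs two prompts onto one line (the step-4 ping shows them on separate lines), and step 7's wording "清除该NAT转换" is imprecise: the `NAT: expiring 172.16.1.1 (10.1.1.1) icmp 6 (6)` lines clear only the per-ICMP-id dynamic entries, while the static mapping row `--- 172.16.1.1 10.1.1.1 --- ---` stays in the translation table.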
@ -450,157 +456,162 @@ NAT: expiring 172.16.1.1 (10.1.1.1) icmp 7 (7)
2. 需要给`RouterA`添加两个IP地址来模拟LAN上的主机。通过两个环回接口可以达到这个目的。这两个IP地址将位处不同子网但都以`10`地址开头。
```console
RouterA#conf t
Enter configuration commands, one per line. End with CNTL/Z.
RouterA(config)#interface Loopback0
RouterA(config-if)#ip add 10.1.1.1 255.255.255.0
RouterA(config-if)#int l1 ← short for Loopback1
RouterA(config-if)#ip address 10.2.2.2 255.255.255.0
RouterA(config-if)#
```
```console
RouterA#conf t
Enter configuration commands, one per line. End with CNTL/Z.
RouterA(config)#interface Loopback0
RouterA(config-if)#ip add 10.1.1.1 255.255.255.0
RouterA(config-if)#int l1 ← short for Loopback1
RouterA(config-if)#ip address 10.2.2.2 255.255.255.0
RouterA(config-if)#
```
3. 为了进行测试,需要告诉`RouterB`将到任何网络的任何流量,都发往`RouterA`。用一条静态路由完成这点。
```console
RouterB#conf t
Enter configuration commands, one per line. End with CNTL/Z.
RouterB(config)#ip route 0.0.0.0 0.0.0.0 Serial0/1/0
RouterB(config)#
```
```console
RouterB#conf t
Enter configuration commands, one per line. End with CNTL/Z.
RouterB(config)#ip route 0.0.0.0 0.0.0.0 Serial0/1/0
RouterB(config)#
```
4. 在`RouterA`上,从环回接口向`RouterB`发出`ping`操作,以此来测试该静态路由是否工作。
```console
RouterA#ping
Protocol [ip]:
Target IP address: 192.168.1.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.1.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 31/31/32 ms
RouterA#
```
```console
RouterA#ping
Protocol [ip]:
Target IP address: 192.168.1.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.1.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 31/31/32 ms
RouterA#
```
5. 在`RouterA`上配置一个NAT地址池。在本实验中使用地址池`172.16.1.1`到`172.16.1.10`。任何以`10`开头的地址都将成为一个NAT。记住你**必须**指定NAT的内部和外部接口否则NAT就不会工作。
```console
RouterA#conf t
Enter configuration commands, one per line. End with CNTL/Z.
RouterA(config)#int l0
RouterA(config-if)#ip nat inside
RouterA(config)#int l1
RouterA(config-if)#ip nat inside
RouterA(config-if)#int Serial0/1/0
RouterA(config-if)#ip nat outside
RouterA(config-if)#exit
RouterA(config)#ip nat pool 60days 172.16.1.1 172.16.1.10 netmask 255.255.255.0
RouterA(config)#ip nat inside source list 1 pool 60days
RouterA(config)#access-list 1 permit 10.1.1.0 0.0.0.255
RouterA(config)#access-list 1 permit 10.2.1.0 0.0.0.255
RouterA(config)#
```
**命令`ip nat pool`创建出地址池。需要给地址池一个自己选择的名称。而命令`netmask`告诉路由器应用到地址池上的网络掩码**。
```console
RouterA#conf t
Enter configuration commands, one per line. End with CNTL/Z.
RouterA(config)#int l0
RouterA(config-if)#ip nat inside
RouterA(config)#int l1
RouterA(config-if)#ip nat inside
RouterA(config-if)#int Serial0/1/0
RouterA(config-if)#ip nat outside
RouterA(config-if)#exit
RouterA(config)#ip nat pool 60days 172.16.1.1 172.16.1.10 netmask 255.255.255.0
RouterA(config)#ip nat inside source list 1 pool 60days
RouterA(config)#access-list 1 permit 10.1.1.0 0.0.0.255
RouterA(config)#access-list 1 permit 10.2.1.0 0.0.0.255
RouterA(config)#
```
**命令`source list`告诉路由器查看的ACL。该条ACL告诉路由器哪些网络将与NAT地址池进行匹配和转换**。
**命令`ip nat pool`创建出地址池。需要给地址池一个自己选择的名称。而命令`netmask`告诉路由器应用到地址池上的网络掩码**
**命令`source list`告诉路由器查看的ACL。该条ACL告诉路由器哪些网络将与NAT地址池进行匹配和转换**
6. 打开NAT调试如此才可以看到转换的发生。接着执行扩展`ping`(自`L0`和`L1`发出的并查看NAT表。因为IOS平台的不同你的输出可能和下面的不一样。将会看到NAT地址池中的两个地址正在用到。
```console
RouterA#debug ip nat
RouterA#ping
Protocol [ip]:
Target IP address: 192.168.1.2
Repeat count [5]:Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.1.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
NAT: s=10.1.1.1->172.16.1.1, d=192.168.1.2 [26]
!
NAT*: s=192.168.1.2, d=172.16.1.1->10.1.1.1 [16]
NAT: s=10.1.1.1->172.16.1.1, d=192.168.1.2 [27]
!
NAT*: s=192.168.1.2, d=172.16.1.1->10.1.1.1 [17]
NAT: s=10.1.1.1->172.16.1.1, d=192.168.1.2 [28]
!
NAT*: s=192.168.1.2, d=172.16.1.1->10.1.1.1 [18]
NAT: s=10.1.1.1->172.16.1.1, d=192.168.1.2 [29]
!
NAT*: s=192.168.1.2, d=172.16.1.1->10.1.1.1 [19]
NAT: s=10.1.1.1->172.16.1.1, d=192.168.1.2 [30]
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 17/28/32 ms
RouterA#
NAT*: s=192.168.1.2, d=172.16.1.1->10.1.1.1 [20]
RouterA#ping
Protocol [ip]:
Target IP address: 192.168.1.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.2.2.2
Type of service [0]:
Set DF bit in IP header? [no]:Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
Packet sent with a source address of 10.2.2.2
NAT: s=10.2.2.2->172.16.1.2, d=192.168.1.2 [31]
!
NAT*: s=192.168.1.2, d=172.16.1.2->10.2.2.2 [21]
NAT: s=10.2.2.2->172.16.1.2, d=192.168.1.2 [32]
!
NAT*: s=192.168.1.2, d=172.16.1.2->10.2.2.2 [22]
NAT: s=10.2.2.2->172.16.1.2, d=192.168.1.2 [33]
!
NAT*: s=192.168.1.2, d=172.16.1.2->10.2.2.2 [23]
NAT: s=10.2.2.2->172.16.1.2, d=192.168.1.2 [34]
!
NAT*: s=192.168.1.2, d=172.16.1.2->10.2.2.2 [24]
NAT: s=10.2.2.2->172.16.1.2, d=192.168.1.2 [35]
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 31/31/32 ms
RouterA#
NAT*: s=192.168.1.2, d=172.16.1.2->10.2.2.2 [25]
RouterA#show ip nat trans
Pro Inside global Inside local Outside local Outside global
icmp 172.16.1.1:16 10.1.1.1:16 192.168.1.2:16 192.168.1.2:16
icmp 172.16.1.1:17 10.1.1.1:17 192.168.1.2:17 192.168.1.2:17
icmp 172.16.1.1:18 10.1.1.1:18 192.168.1.2:18 192.168.1.2:18
icmp 172.16.1.1:19 10.1.1.1:19 192.168.1.2:19 192.168.1.2:19
icmp 172.16.1.1:20 10.1.1.1:20 192.168.1.2:20 192.168.1.2:20
icmp 172.16.1.2:21 10.2.2.2:21 192.168.1.2:21 192.168.1.2:21
icmp 172.16.1.2:22 10.2.2.2:22 192.168.1.2:22 192.168.1.2:22
icmp 172.16.1.2:23 10.2.2.2:23 192.168.1.2:23 192.168.1.2:23
icmp 172.16.1.2:24 10.2.2.2:24 192.168.1.2:24 192.168.1.2:24
icmp 172.16.1.2:25 10.2.2.2:25 192.168.1.2:25 192.168.1.2:25
RouterA#
```
```console
RouterA#debug ip nat
RouterA#ping
Protocol [ip]:
Target IP address: 192.168.1.2
Repeat count [5]:Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.1.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
NAT: s=10.1.1.1->172.16.1.1, d=192.168.1.2 [26]
!
NAT*: s=192.168.1.2, d=172.16.1.1->10.1.1.1 [16]
NAT: s=10.1.1.1->172.16.1.1, d=192.168.1.2 [27]
!
NAT*: s=192.168.1.2, d=172.16.1.1->10.1.1.1 [17]
NAT: s=10.1.1.1->172.16.1.1, d=192.168.1.2 [28]
!
NAT*: s=192.168.1.2, d=172.16.1.1->10.1.1.1 [18]
NAT: s=10.1.1.1->172.16.1.1, d=192.168.1.2 [29]
!
NAT*: s=192.168.1.2, d=172.16.1.1->10.1.1.1 [19]
NAT: s=10.1.1.1->172.16.1.1, d=192.168.1.2 [30]
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 17/28/32 ms
RouterA#
NAT*: s=192.168.1.2, d=172.16.1.1->10.1.1.1 [20]
RouterA#ping
Protocol [ip]:
Target IP address: 192.168.1.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.2.2.2
Type of service [0]:
Set DF bit in IP header? [no]:Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
Packet sent with a source address of 10.2.2.2
NAT: s=10.2.2.2->172.16.1.2, d=192.168.1.2 [31]
!
NAT*: s=192.168.1.2, d=172.16.1.2->10.2.2.2 [21]
NAT: s=10.2.2.2->172.16.1.2, d=192.168.1.2 [32]
!
NAT*: s=192.168.1.2, d=172.16.1.2->10.2.2.2 [22]
NAT: s=10.2.2.2->172.16.1.2, d=192.168.1.2 [33]
!
NAT*: s=192.168.1.2, d=172.16.1.2->10.2.2.2 [23]
NAT: s=10.2.2.2->172.16.1.2, d=192.168.1.2 [34]
!
NAT*: s=192.168.1.2, d=172.16.1.2->10.2.2.2 [24]
NAT: s=10.2.2.2->172.16.1.2, d=192.168.1.2 [35]
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 31/31/32 ms
RouterA#
NAT*: s=192.168.1.2, d=172.16.1.2->10.2.2.2 [25]
RouterA#show ip nat trans
Pro Inside global Inside local Outside local Outside global
icmp 172.16.1.1:16 10.1.1.1:16 192.168.1.2:16 192.168.1.2:16
icmp 172.16.1.1:17 10.1.1.1:17 192.168.1.2:17 192.168.1.2:17
icmp 172.16.1.1:18 10.1.1.1:18 192.168.1.2:18 192.168.1.2:18
icmp 172.16.1.1:19 10.1.1.1:19 192.168.1.2:19 192.168.1.2:19
icmp 172.16.1.1:20 10.1.1.1:20 192.168.1.2:20 192.168.1.2:20
icmp 172.16.1.2:21 10.2.2.2:21 192.168.1.2:21 192.168.1.2:21
icmp 172.16.1.2:22 10.2.2.2:22 192.168.1.2:22 192.168.1.2:22
icmp 172.16.1.2:23 10.2.2.2:23 192.168.1.2:23 192.168.1.2:23
icmp 172.16.1.2:24 10.2.2.2:24 192.168.1.2:24 192.168.1.2:24
icmp 172.16.1.2:25 10.2.2.2:25 192.168.1.2:25 192.168.1.2:25
RouterA#
```
### NAT Overload实验
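Review bot: the ACL in step 5 does not match the address given to Loopback1 in step 2: `access-list 1 permit 10.2.1.0 0.0.0.255` covers 10.2.1.0/24, but `Loopback1` was configured with `ip address 10.2.2.2 255.255.255.0`, so the second extended ping (source `10.2.2.2`) would not be translated the way the step-6 debug output claims. Either the ACL line should be `access-list 1 permit 10.2.2.0 0.0.0.255` or the loopback address should change; the step-5 sentence "任何以`10`开头的地址都将成为一个NAT" also overstates what two /24 permit entries do and should be narrowed to the two subnets actually listed. The explanation paragraph calls `netmask` a command; it is a keyword of `ip nat pool` and the wording should say so. Same transcript issue as the previous hunk: `Repeat count [5]:Datagram size [100]:` and `Set DF bit in IP header? [no]:Validate reply data? [no]:` each run two prompts onto one line.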

View File

@ -966,4 +966,3 @@ FastEthernet0/0 is up, line protocol is up
- 将十进制转换成十六进制(随机数字)
- 将十六进制转换成十进制(随机数字)
- IPv6子网划分随机网络和场景

View File

@ -1,4 +1,4 @@
# 第8天 IPv4与IPv6共存的网络环境
# 第8天 IPv4 IPv6 共存的网络环境
**Integrating IPv4 and IPv6 Network Environments**

View File

@ -755,54 +755,58 @@ Extended IP access list 100 in
1. 配置上面的网络。在两台路由器上加入一条静态路由,领导到任何网络的任何流量都从串行接口发出。这么做的原因是,尽管这不是一个路由实验,仍然需要路由的流量。把`.1`地址加到路由器`A`的串行接口,`.2`地址加到路由器`B`的串行接口。
```console
RouterA(config)#ip route 0.0.0.0 0.0.0.0 s0/1/0
RouterB(config)#ip route 0.0.0.0 0.0.0.0 s0/1/0
```
```console
RouterA(config)#ip route 0.0.0.0 0.0.0.0 s0/1/0
RouterB(config)#ip route 0.0.0.0 0.0.0.0 s0/1/0
```
2. 在路由器A上配置一条标准ACL放行`192.168.1.0/10`网络。默认情况下,其它所有网络都将被阻止。
```console
RouterA(config)#access-list 1 permit 192.168.1.0 0.0.0.63
RouterA(config)#int Serial0/1/0
RouterA(config-if)#ip access-group 1 in
RouterA(config-if)#exit
RouterA(config)#exit
RouterA#
```
```console
RouterA(config)#access-list 1 permit 192.168.1.0 0.0.0.63
RouterA(config)#int Serial0/1/0
RouterA(config-if)#ip access-group 1 in
RouterA(config-if)#exit
RouterA(config)#exit
RouterA#
```
3. 从路由器`B`上测试该条ACL默认将使用`10.0.0.1`地址。
```console
RouterB#ping 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)
```
```console
RouterB#ping 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)
```
4. 以源地址`192.168.1.1`来做另一个ping测试这将没有问题。
```console
RouterB#ping
Protocol [ip]:
Target IP address: 10.0.0.1
Repeat count [5]:Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 31/31/32 ms
```
```console
RouterB#ping
Protocol [ip]:
Target IP address: 10.0.0.1
Repeat count [5]:Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 31/31/32 ms
```
### 扩展ACL实验
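Review bot: step 2's prose and its ACL disagree: the text says the ACL permits `192.168.1.0/10`, but `access-list 1 permit 192.168.1.0 0.0.0.63` uses wildcard 0.0.0.63, which is 192.168.1.0/26 (hosts .0 through .63). Since these lines are being touched anyway, the prefix in the sentence should be corrected to /26 (or the wildcard changed to whatever was intended); the step-4 test with source `192.168.1.1` succeeds under either reading, so the transcript does not need to change. In step 1, "领导到任何网络" should read "令到任何网络", as the extended-ACL lab below already does.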
@ -820,41 +824,44 @@ Success rate is 100 percent (5/5), round-trip min/avg/max = 31/31/32 ms
1. 配置上述网络。在路由器`B`上加入一条静态路由,令到前往所有网络的所有流量都从串行接口上发出。这么做是因为,尽管这不是一个路由实验,仍然需要路由流量。
```console
RouterB(config)#ip route 0.0.0.0 0.0.0.0 s0/1/0
```
```console
RouterB(config)#ip route 0.0.0.0 0.0.0.0 s0/1/0
```
2. 在路由器`A`上配置一条扩展ACL。仅允许往环回接口上发起Telnet流量。
```console
RouterA(config)#access-list 100 permit tcp any host 172.20.1.1 eq 23
RouterA(config)#int s0/1/0
RouterA(config-if)#ip access-group 100 in
RouterA(config-if)#line vty 0 15
RouterA(config-line)#password cisco
RouterA(config-line)#login
RouterA(config-line)#^Z
RouterA#
```
上面的那条ACL编号为`100`, 这就告诉路由器它是一条扩展ACL。所要允许的是TCP。该条ACL允许来自任何网络的目的地址为`172.20.1.1`的Telnet端口端口号为`23`。在执行`show run`命令时,就会看到,路由器实际上会将端口号替换为其对应的名称,就像下面演示的这样。
```console
RouterA(config)#access-list 100 permit tcp any host 172.20.1.1 eq 23
RouterA(config)#int s0/1/0
RouterA(config-if)#ip access-group 100 in
RouterA(config-if)#line vty 0 15
RouterA(config-line)#password cisco
RouterA(config-line)#login
RouterA(config-line)#^Z
RouterA#
```
```console
access-list 100 permit tcp any host 172.20.1.1 eq telnet
```
上面的那条ACL编号为`100`, 这就告诉路由器它是一条扩展ACL。所要允许的是TCP。该条ACL允许来自任何网络的目的地址为`172.20.1.1`的Telnet端口端口号为`23`。在执行`show run`命令时,就会看到,路由器实际上会将端口号替换为其对应的名称,就像下面演示的这样。
```console
access-list 100 permit tcp any host 172.20.1.1 eq telnet
```
3. 现在从路由器B上做一个Telnet测试。首先往路由器`A`的串行接口上Telnet将会被阻止。接着测试环回接口。
```console
RouterB#telnet 10.0.0.1
Trying 10.0.0.1 ...
% Connection timed out; remote host not responding
RouterB#telnet 172.20.1.1
Trying 172.20.1.1 ...Open
User Access Verification ←password wont show when you type it
Password:
RouterA> ←Hit Control+Shift+6 together and then let go and press the X key to quit.
```
```console
RouterB#telnet 10.0.0.1
Trying 10.0.0.1 ...
% Connection timed out; remote host not responding
RouterB#telnet 172.20.1.1
Trying 172.20.1.1 ...Open
User Access Verification ←password wont show when you type it
Password:
RouterA> ←Hit Control+Shift+6 together and then let go and press the X key to quit.
```
> **注意:** 我们会在其它实验中涉及ACLs但你真的需要完全地掌握这些内容。为此要尝试其它的TCP端口比如`80`、`25`等等。另外要试试那些UDP端口比如`53`。如没有将一台PC接上路由器则是无法对这些其它端口进行测试的。
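Review bot: the VTY lines in step 2 are configured with `password cisco` and `login`, and the step-3 transcript shows that credential being typed over the serial link. Because `access-list 100 permit tcp any host 172.20.1.1 eq 23` deliberately opens Telnet from `any`, the step should say that `cisco` is a lab-only placeholder and that Telnet carries the password in cleartext, so on real equipment the VTYs should be limited to SSH with `login local` and a user configured with `secret`. Also, the inline annotation `←password wont show when you type it` should read `won't`, and both arrow annotations in that block are English in an otherwise Chinese lab; translating them like the rest of the step text would be consistent.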
@ -874,67 +881,70 @@ RouterA> ←Hit Control+Shift+6 together and then let go and press the X key to
1. 配置上面的网络。在两台路由器上加入一条静态路由,领导到任何网络的任何流量都从串行接口发出。这么做的原因是,尽管这不是一个路由实验,仍然需要路由的流量。
```console
RouterA(config)#ip route 0.0.0.0 0.0.0.0 s0/1/0
RouterB(config)#ip route 0.0.0.0 0.0.0.0 s0/1/0
```
```console
RouterA(config)#ip route 0.0.0.0 0.0.0.0 s0/1/0
RouterB(config)#ip route 0.0.0.0 0.0.0.0 s0/1/0
```
2. 在路由器`B`上加入一条扩展的命名ACL。只放行主机`172.20.1.1`,阻止其它任何主机或网络。
```console
RouterB(config)#ip access-list extended blockping
RouterB(config-ext-nacl)#permit icmp host 172.20.1.1 any
RouterB(config-ext-nacl)#exit
RouterB(config)#int s0/1/0
RouterB(config-if)#ip access-group blockping in
RouterB(config-if)#
```
```console
RouterB(config)#ip access-list extended blockping
RouterB(config-ext-nacl)#permit icmp host 172.20.1.1 any
RouterB(config-ext-nacl)#exit
RouterB(config)#int s0/1/0
RouterB(config-if)#ip access-group blockping in
RouterB(config-if)#
```
3. 现在分别从路由器`A`的串行接口和换回接口发出`ping`来测试该条ACL。
```console
RouterA#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)
RouterA#ping
Protocol [ip]:
Target IP address: 192.168.1.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.20.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 172.20.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 31/34/47 ms
```
> **注意:** 你需要搞清楚各种服务以及各种服务所用到的端口。否则要配置ACL就会非常棘手。本条ACL相当简单因此可以仅用一行完成。在有着路由协议运行时需要放行它们。
```console
RouterA#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)
RouterA#ping
Protocol [ip]:
Target IP address: 192.168.1.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.20.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 172.20.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 31/34/47 ms
```
要放行RIP就要像这样指定。
> **注意:** 你需要搞清楚各种服务以及各种服务所用到的端口。否则要配置ACL就会非常棘手。本条ACL相当简单因此可以仅用一行完成。在有着路由协议运行时需要放行它们
```console
access-list 101 permit udp any any eq rip
```
要放行RIP就要像这样指定。
要放行OSPF要像这样指定。
```console
access-list 101 permit udp any any eq rip
```
```console
access-list 101 permit ospf any any
```
要放行OSPF要像这样指定。
要放行EIGRP要像这样指定。
```console
access-list 101 permit ospf any any
```
```console
access-list 101 permit eigrp any any
```
要放行EIGRP要像这样指定。
```console
access-list 101 permit eigrp any any
```
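Review bot: two typos in the step text of this hunk: step 1 has "领导到任何网络" (should be "令到任何网络", matching the previous lab), and step 3 has "换回接口" for "环回接口". On the logic: `permit icmp host 172.20.1.1 any` plus the implicit deny is what makes the plain `ping 192.168.1.1` from the serial address fail with `UUUUU`, but it also drops everything that is not ICMP from 172.20.1.1, which is the point the note makes about routing protocols. The follow-up lines `access-list 101 permit udp any any eq rip`, `access-list 101 permit ospf any any` and `access-list 101 permit eigrp any any` belong to a numbered ACL 101 that is never applied to an interface in this lab; the note should say that in this topology those permits would have to be added to the named ACL `blockping` (before its implicit deny) to have any effect.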

View File

@ -762,4 +762,3 @@ network 12.12.12.0
- 自R1向R2的环回接口进行`ping`操作,以测试连通性
- 执行一条`show ip route`命令来检查经由RIP收到了那些路由
- 执行一条`show ip protocols`命令来检查有配置了RIP且RIP在设备上是允许着的

View File

@ -170,57 +170,61 @@ Code: * - installed in RIB
**实验步骤**
1. 按照上面的拓扑图分配IP地址。`Router A`可以是`192.168.1.1/30`, `Router B`可以是`.2`。
2. 通过串行链路进行`ping`操作,以确保该链路是工作的。
3. 在`Router A`上指定一条静态路由,将到`10.1.1.0/10`网络的所有流量,从串行接口发送出去。当然要使用你自己的串行端口编号;不要只是拷贝我的配置,你的接口有不同编号!
```console
RouterA(config)#ip route 10.0.0.0 255.192.0.0 Serial0/1/0
RouterA(config)#exit
RouterA#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 18/28/32 ms
RouterA#
RouterA#show ip route
Codes: C - Connected, S - Static, I - IGRP, R - RIP, M - Mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - Candidate default, U - Per-user static route, o - ODR
P - Periodic downloaded static route
Gateway of last resort is not set
10.0.0.0/10 is subnetted, 1 subnets
S 10.0.0.0 is directly connected, Serial0/1/0
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.1.0 is directly connected, Loopback0
192.168.1.0/30 is subnetted, 1 subnets
C 192.168.1.0 is directly connected, Serial0/1/0
RouterA#
RouterA#show ip route 10.1.1.1
Routing entry for 10.0.0.0/10
Known via “static”, distance 1, metric 0 (connected)
Routing Descriptor Blocks:
* directly connected, via Serial0/1/0
Route metric is 0, traffic share count is 1
RouterA#
```
```console
RouterA(config)#ip route 10.0.0.0 255.192.0.0 Serial0/1/0
RouterA(config)#exit
RouterA#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 18/28/32 ms
RouterA#
RouterA#show ip route
Codes: C - Connected, S - Static, I - IGRP, R - RIP, M - Mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - Candidate default, U - Per-user static route, o - ODR
P - Periodic downloaded static route
Gateway of last resort is not set
10.0.0.0/10 is subnetted, 1 subnets
S 10.0.0.0 is directly connected, Serial0/1/0
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.1.0 is directly connected, Loopback0
192.168.1.0/30 is subnetted, 1 subnets
C 192.168.1.0 is directly connected, Serial0/1/0
RouterA#
RouterA#show ip route 10.1.1.1
Routing entry for 10.0.0.0/10
Known via “static”, distance 1, metric 0 (connected)
Routing Descriptor Blocks:
* directly connected, via Serial0/1/0
Route metric is 0, traffic share count is 1
RouterA#
```
4. 在`Router B`上配置一条静态路由,将到`172.16.1.0/24`网络的所有流量,发到下一跳地址`192.168.1.1`。
```console
RouterB(config)#ip route 172.16.1.0 255.255.255.0 192.168.1.1
RouterB(config)#exit
RouterB#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
RouterB#show ip route 172.16.1.1
Routing entry for 172.16.1.0/24
Known via “static”, distance 1, metric 0
Routing Descriptor Blocks:
* 192.168.1.1
Route metric is 0, traffic share count is 1
RouterB#
```
```console
RouterB(config)#ip route 172.16.1.0 255.255.255.0 192.168.1.1
RouterB(config)#exit
RouterB#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
RouterB#show ip route 172.16.1.1
Routing entry for 172.16.1.0/24
Known via “static”, distance 1, metric 0
Routing Descriptor Blocks:
* 192.168.1.1
Route metric is 0, traffic share count is 1
RouterB#
```
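Review bot: step 3 says the static route covers the "`10.1.1.0/10`网络", but `ip route 10.0.0.0 255.192.0.0 Serial0/1/0` is 10.0.0.0/10 (255.192.0.0 is a /10 mask), and the routing table confirms it with `10.0.0.0/10 is subnetted, 1 subnets` and `S 10.0.0.0 is directly connected, Serial0/1/0`; 10.1.1.0/10 is not a valid network address for that mask, so the sentence should read 10.0.0.0/10. In step 4 the `ping 172.16.1.1` transcript stops after `!!!!!` and omits the `Success rate is ...` line that every other ping in these labs shows; worth adding for consistency. The curly quotes in `Known via “static”` look like a word-processor artifact; IOS prints straight quotes in that line.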

View File

@ -86,6 +86,7 @@ DHCP服务器可被配置为在一个名为租期的特定时期赋予某台
1. **DHCP发现数据包**DHCP Discover packet当某台设备启动后同时其被配置为通过DHCP取得一个地址时就会发出一个自UDP端口`68`(UDP port `68`, `bootpc`到UDP端口`67`(UDP port `67`, `bootps`的广播数据包。该数据包将到达网络上的所有设备包括任何位处网络上的可能的DHCP服务器。
**DHCP提议数据包**DHCP Offer packet本地网络上的DHCP服务器看到由客户端发出的广播发现报文the broadcasted Discover message就用UDP源端口`bootps 67`及目的端口`bootpc 68`, 同样以广播地址的形式发回一个响应就是DHCP提议数据包。之所以同样以广播地址形式是因为客户端此时仍然没有IP地址而无法接收单播数据包。
2. **DHCP请求数据包**DHCP Request packet, 一旦客户端工作站收到由DHCP服务器做出的提议an offer made by the DHCP server它就会发出一个广播用于告知所有DHCP服务器它已接受了来自某台服务器的提议DHCP请求报文到某台特定的DHCP服务器并再度使用UDP源端口`bootpc 68`及目的端口`bootps 67`。**客户端可能会收到来自多台DHCP服务器的提议但它只需单独一个IP地址所以它必需选择一台DHCP服务器**(基于服务器标识),而选择通常都是按照"先到,先服务"原则完成的on a "first-come, first-served" basis
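Review bot: the newly inserted DHCP Offer paragraph breaks the numbering of the list: item 1 is Discover, the Offer paragraph has no number, and the following Request paragraph is still `2.`, so the four-step exchange reads as 1, (unnumbered), 2. The Offer paragraph should become `2.` and Request `3.`, with any later items renumbered accordingly. The port direction in the new paragraph is right (source `bootps 67`, destination `bootpc 68`) and mirrors the Discover line.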
@ -413,45 +414,49 @@ Router#pinging 192.168.1.2
1. 如你使用着家用电脑或笔记本电脑就将网络适配器设置为自动获取IP地址。在Packet Tracer中也可这样设置。让后使用交叉线将PC连接到路由器的以太网端口。
![网络适配器设置](images/1410.png)
![网络适配器设置](images/1410.png)
2. 将IP地址`172.16.1.1 255.255.0.0`加入到路由器接口。如忘记了这个怎么配置,就请看看前面的实验。要确保`no shut`该接口。
3. 配置DHCP地址池。接着为地址配置一个`3`天`3`小时`5`分的租期。最后将`1`到`10`的地址排除在分配给主机的地址之外。假设这些地址已为其它服务器或接口使用。
```console
Router#conf t
Router(config)#ip dhcp pool 60days
Router(dhcp-config)#network 172.16.0.0 255.255.0.0
Router1(dhcp-config)#lease 3 3 5 ← command wont work on Packet Trer
Router1(dhcp-config)#exit
Router(config)#ip dhcp excluded-address 172.16.1.1 172.16.1.10
Router(config)#
```
```console
Router#conf t
Router(config)#ip dhcp pool 60days
Router(dhcp-config)#network 172.16.0.0 255.255.0.0
Router1(dhcp-config)#lease 3 3 5 ← command wont work on Packet Trer
Router1(dhcp-config)#exit
Router(config)#ip dhcp excluded-address 172.16.1.1 172.16.1.10
Router(config)#
```
4. 执行一个`ipconfig /all`命令查看是否有IP地址分配到PC。如旧地址仍在使用就需要执行一下`ipconfig /renew`命令。
```console
PC>ipconfig /all
Physical Address................: 0001.C7DD.CB19
IP Address......................: 172.16.0.1
Subnet Mask.....................: 255.255.0.0
Default Gateway.................: 0.0.0.0
DNS Servers.....................: 0.0.0.0
```
```console
PC>ipconfig /all
Physical Address................: 0001.C7DD.CB19
IP Address......................: 172.16.0.1
Subnet Mask.....................: 255.255.0.0
Default Gateway.................: 0.0.0.0
DNS Servers.....................: 0.0.0.0
```
5. 如想要的话可回到DHCP地址池配置模式DHCP Pool Configuration mode加入一个默认网关及DNS服务器地址它们也将在主机PC上得到设置。
```console
Router(config)#ip dhcp pool 60days
Router(dhcp-config)#default-router 172.16.1.2
Router(dhcp-config)#dns-server 172.16.1.3
PC>ipconfig /renew
IP Address......................: 172.16.0.1
Subnet Mask.....................: 255.255.0.0
Default Gateway.................: 172.16.1.2
DNS Server......................: 172.16.1.3
```
```console
Router(config)#ip dhcp pool 60days
Router(dhcp-config)#default-router 172.16.1.2
Router(dhcp-config)#dns-server 172.16.1.3
PC>ipconfig /renew
IP Address......................: 172.16.0.1
Subnet Mask.....................: 255.255.0.0
Default Gateway.................: 172.16.1.2
DNS Server......................: 172.16.1.3
```
### 路由器上的DNS实验
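Review bot: the step-3 block switches hostname from `Router(dhcp-config)#` to `Router1(dhcp-config)#` for two lines and back to `Router(config)#`, so the transcript looks assembled from two devices; use one hostname. The annotation on the `lease 3 3 5` line has two typos (`wont` should be `won't`, `Packet Trer` should be `Packet Tracer`). There is also an addressing inconsistency between steps: step 2 puts `172.16.1.1` on the router interface, but step 5 sets `default-router 172.16.1.2`, so the PC is handed a gateway that is not the router it is attached to; either the default-router should be 172.16.1.1 or the text should explain that .2 is a separate gateway. Finally, step 1 has "让后" for "然后".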
@ -464,4 +469,3 @@ DNS Server......................: 172.16.1.3
接着尝试解析一些公网网站名字,比如通过`ping www.cisco.com`。
请访问[www.in60days.com](http://www.in60days.com), 观看我是怎么完成这个实验的。

View File

@ -869,4 +869,3 @@ Fa0/12 0 1 0
- 测试`show interface trunk`命令
- 测试`show VTP status`命令
- 测试`show VTP counter`命令

View File

@ -730,143 +730,149 @@ STP故障通常有以下三类STP issues usually fall within the following th
1. 设置各台交换机的主机名并将其用交叉线连接起来。此时可以检查它们之间的接口是否被设置到“trunk”中继。
```console
Switch#show interface trunk
```
```console
Switch#show interface trunk
```
2. 在将一侧设置为中继链路之前,可能看不到中继链路变成活动的。
```console
SwitchB#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SwitchB(config)#int FastEthernet0/1
SwitchB(config-if)#switchport mode trunk
SwitchB(config-if)#^Z
SwitchB#sh int trunk
Port Mode Encapsulation Status Native vlan
Fa0/1 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/1 1-1005
Port Vlans allowed and active in management domain
Fa0/1 1
```
```console
SwitchB#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SwitchB(config)#int FastEthernet0/1
SwitchB(config-if)#switchport mode trunk
SwitchB(config-if)#^Z
SwitchB#sh int trunk
Port Mode Encapsulation Status Native vlan
Fa0/1 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/1 1-1005
Port Vlans allowed and active in management domain
Fa0/1 1
```
3. 将看到另一交换机是留作自动模式的。
```console
SwitchA#show int trunk
Port Mode Encapsulation Status Native vlan
Fa0/1 auto n-802.1q trunking 1
Port Vlans allowed on trunk
Fa0/1 1-1005
Port Vlans allowed and active in management domain
Fa0/1 1
```
```console
SwitchA#show int trunk
Port Mode Encapsulation Status Native vlan
Fa0/1 auto n-802.1q trunking 1
Port Vlans allowed on trunk
Fa0/1 1-1005
Port Vlans allowed and active in management domain
Fa0/1 1
```
4. 在每台交换机上创建出两个VLANs。
```console
SwitchA#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SwitchA(config)#vlan 2
SwitchA(config-vlan)#vlan 3
SwitchA(config-vlan)#^Z
SwitchA#
%SYS-5-CONFIG_I: Configured from console by console
SwitchA#show vlan brief
VLAN Name Status Ports
---- ------------------ ------- --------------------
1 default active Fa0/2, Fa0/3, Fa0/4,
Fa0/5, Fa0/6, Fa0/7,
Fa0/8, Fa0/9, Fa0/10,
Fa0/11, Fa0/12, Fa0/13,
Fa0/14, Fa0/15, Fa0/16,
Fa0/17, Fa0/18, Fa0/19,
Fa0/20, Fa0/21, Fa0/22,
Fa0/23, Fa0/24
2 VLAN0002 active
3 VLAN0003 active
1002 fddi-default active
1003 token-ring-default active
```
同时也在交换机B上创建出VLANs拷贝上面的命令
```console
SwitchA#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SwitchA(config)#vlan 2
SwitchA(config-vlan)#vlan 3
SwitchA(config-vlan)#^Z
SwitchA#
%SYS-5-CONFIG_I: Configured from console by console
SwitchA#show vlan brief
VLAN Name Status Ports
---- ------------------ ------- --------------------
1 default active Fa0/2, Fa0/3, Fa0/4,
Fa0/5, Fa0/6, Fa0/7,
Fa0/8, Fa0/9, Fa0/10,
Fa0/11, Fa0/12, Fa0/13,
Fa0/14, Fa0/15, Fa0/16,
Fa0/17, Fa0/18, Fa0/19,
Fa0/20, Fa0/21, Fa0/22,
Fa0/23, Fa0/24
2 VLAN0002 active
3 VLAN0003 active
1002 fddi-default active
1003 token-ring-default active
```
同时也在交换机B上创建出VLANs拷贝上面的命令
5. 确定哪台交换机是VLANs 2和3的根桥。
```console
SwitchB#show spanning-tree vlan 2
VLAN0002
Spanning tree enabled protocol ieee
Root ID Priority 32770
Address 0001.972A.7A23
This bridge is the root
Hello Time 2 sec
Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32770 (priority 32768 sys-id-ext 2)
Address 0001.972A.7A23
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 20
Interface Role Sts Cost Prio.Nbr Type
--------- ---- --- ---- -------- ----
Fa0/1 Desg FWD 19 128.1 P2p
```
可以看到Switch B是根。在交换机A上完成同样的命令并对VLAN 3进行检查。优先级是32768加上VLAN编号这里就是2.最低MAC地址将确定出根桥。
```console
SwitchB#show spanning-tree vlan 2
VLAN0002
Spanning tree enabled protocol ieee
Root ID Priority 32770
Address 0001.972A.7A23
This bridge is the root
Hello Time 2 sec
Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32770 (priority 32768 sys-id-ext 2)
Address 0001.972A.7A23
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 20
Interface Role Sts Cost Prio.Nbr Type
--------- ---- --- ---- -------- ----
Fa0/1 Desg FWD 19 128.1 P2p
```
```console
SwitchB#show spanning-tree vlan 3
VLAN0003
Spanning tree enabled protocol ieee
Root ID Priority 32771
Address 0001.972A.7A23
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32771 (priority 32768 sys-id-ext 3)
Address 0001.972A.7A23
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 20
Interface Role Sts Cost Prio.Nbr Type
---------- ---- --- ---- -------- ----
Fa0/1 Desg FWD 19 128.1 P2p
```
可以看到Switch B是根。在交换机A上完成同样的命令并对VLAN 3进行检查。优先级是32768加上VLAN编号这里就是2.最低MAC地址将确定出根桥。
这里Switch A的MAC地址较高这就是为何其不会成为根桥的原因`00101123D245`
```console
SwitchB#show spanning-tree vlan 3
VLAN0003
Spanning tree enabled protocol ieee
Root ID Priority 32771
Address 0001.972A.7A23
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32771 (priority 32768 sys-id-ext 3)
Address 0001.972A.7A23
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 20
Interface Role Sts Cost Prio.Nbr Type
---------- ---- --- ---- -------- ----
Fa0/1 Desg FWD 19 128.1 P2p
```
这里Switch A的MAC地址较高这就是为何其不会成为根桥的原因`00101123D245`
6. 将另一个交换机设置为VLANs 2和3的根桥。对VLAN 2使用命令`spanning-tree vlan 2 priority 4096`以及对VLAN 3的`spanning-tree vlan 3 root primary`命令。
```console
SwitchA(config)#spanning-tree vlan 2 priority 4096
SwitchA(config)#spanning-tree vlan 3 root primary
SwitchA#show spanning-tree vlan 2
VLAN0002
Spanning tree enabled protocol ieee
Root ID Priority 4098
Address 0010.1123.D245
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 4098 (priority 4096 sys-id-ext 2)
Address 0010.1123.D245
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 20
Interface Role Sts Cost Prio.Nbr Type
--------- ---- --- ---- -------- ----
Fa0/1 Desg FWD 19 128.1 P2p
SwitchA#show spanning-tree vlan 3
VLAN0003
Spanning tree enabled protocol ieee
Root ID Priority 24579
Address 0010.1123.D245
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 24579 (priority 24576 sys-id-ext 3)
Address 0010.1123.D245
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 20
Interface Role Sts Cost Prio.Nbr Type
--------- ---- --- ---- -------- ----
Fa0/1 Desg FWD 19 128.1 P2p
SwitchA#
```
> **注意:** 尽管Switch B有较低的桥IDSwitch A还是被强制作为根桥。
```console
SwitchA(config)#spanning-tree vlan 2 priority 4096
SwitchA(config)#spanning-tree vlan 3 root primary
SwitchA#show spanning-tree vlan 2
VLAN0002
Spanning tree enabled protocol ieee
Root ID Priority 4098
Address 0010.1123.D245
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 4098 (priority 4096 sys-id-ext 2)
Address 0010.1123.D245
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 20
Interface Role Sts Cost Prio.Nbr Type
--------- ---- --- ---- -------- ----
Fa0/1 Desg FWD 19 128.1 P2p
SwitchA#show spanning-tree vlan 3
VLAN0003
Spanning tree enabled protocol ieee
Root ID Priority 24579
Address 0010.1123.D245
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 24579 (priority 24576 sys-id-ext 3)
Address 0010.1123.D245
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 20
Interface Role Sts Cost Prio.Nbr Type
--------- ---- --- ---- -------- ----
Fa0/1 Desg FWD 19 128.1 P2p
SwitchA#
```
> **注意:** 尽管Switch B有较低的桥IDSwitch A还是被强制作为根桥。
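Review bot: the sentence after the first block of step 5 (在交换机A上完成同样的命令并对VLAN 3进行检查) tells the reader to run the check on Switch A, but the VLAN 3 capture that follows carries a `SwitchB#show spanning-tree vlan 3` prompt and shows Switch B's address 0001.972A.7A23 as the root; either the prompt should read `SwitchA#` or the sentence should say the VLAN 3 check is repeated on Switch B. In the same sentence `这里就是2.` ends with an ASCII period in the middle of a Chinese sentence (should be `2。`), and the MAC quoted as `00101123D245` would be clearer in the dotted form the captures use, `0010.1123.D245`. The note after step 6 says Switch B has the lower bridge ID (较低的桥ID); after the priority change the captures show Switch A with Root ID priority 4098 against Switch B's earlier 32770, so Switch A now holds the lower bridge ID and Switch B only has the lower MAC address, which is the wording the note should use.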

View File

@ -145,22 +145,23 @@ Root bridge for: VLAN0050, VLAN0060, VLAN0070
1. 检查交换机上的生成树模式。
```console
SwitchA#show spanning-tree summary
Switch is in pvst mode
Root bridge for: VLAN0002 VLAN0003
```
```console
SwitchA#show spanning-tree summary
Switch is in pvst mode
Root bridge for: VLAN0002 VLAN0003
```
2. 将模式改为RSTP并再度检查。
```console
SwitchA(config)#spanning-tree mode rapid-pvst
SwitchA#show spanning-tree summary
Switch is in rapid-pvst mode
Root bridge for: VLAN0002 VLAN0003
```
```console
SwitchA(config)#spanning-tree mode rapid-pvst
SwitchA#show spanning-tree summary
Switch is in rapid-pvst mode
Root bridge for: VLAN0002 VLAN0003
```
3. 用RSTP模式来重复第31天的实验。
4. 你可以预先预测出那些端口将是根/指定/阻塞端口吗can you predict which ports will be Root/Designated/Blocking beforehand
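Review bot: step 4 uses `那些端口` ("those ports") where the interrogative `哪些端口` ("which ports") is meant, matching the English in the parenthesis. In step 2 the block goes from `SwitchA(config)#spanning-tree mode rapid-pvst` straight to `SwitchA#show spanning-tree summary` without the `^Z` shown in the other labs, so the reader has no cue that configuration mode was left before the show command.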

View File

@ -2649,108 +2649,113 @@ IP-EIGRP (AS 150): Topology entry for 10.3.3.0/24
### 实验步骤
1. 基于上面的拓扑配置上所有IP地址。确保可以经由串行链路`ping`通。
2. 在两台路由器上以自治系统编号30, 配置EIGRP。
```console
RouterA(config)#router eigrp 30
RouterA(config-router)#net 172.20.0.0
RouterA(config-router)#net 10.0.0.0
RouterA(config-router)#^Z
RouterA#
RouterB#conf t
Enter configuration commands, one per line.
End with CNTL/Z.
RouterB(config)#router eigrp 30
RouterB(config-router)#net 10.0.0.0
%DUAL-5-NBRCHANGE: IP-EIGRP 30: Neighbor 10.0.0.1 (Serial0/1/0) is up: new adjacency
RouterB(config-router)#net 192.168.1.0
```
```console
RouterA(config)#router eigrp 30
RouterA(config-router)#net 172.20.0.0
RouterA(config-router)#net 10.0.0.0
RouterA(config-router)#^Z
RouterA#
RouterB#conf t
Enter configuration commands, one per line.
End with CNTL/Z.
RouterB(config)#router eigrp 30
RouterB(config-router)#net 10.0.0.0
%DUAL-5-NBRCHANGE: IP-EIGRP 30: Neighbor 10.0.0.1 (Serial0/1/0) is up: new adjacency
RouterB(config-router)#net 192.168.1.0
```
3. 对两台路由器上的路由表分别进行检查。
```console
RouterA#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
D 10.0.0.0/8 is a summary, 00:01:43, Null0
C 10.0.0.0/30 is directly connected, Serial0/1/0
172.20.0.0/16 is variably subnetted, 2 subnets, 2 masks
D 172.20.0.0/16 is a summary, 00:01:43, Null0
C 172.20.1.0/24 is directly connected, Loopback0
D 192.168.1.0/24 [90/20640000] via 10.0.0.2, 00:00:49, Serial0/1/0
RouterA#
```
```console
RouterB#show ip route
...
[Truncated Output]
...
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
D 10.0.0.0/8 is a summary, 00:01:21, Null0
C 10.0.0.0/30 is directly connected, Serial0/1/0
D 172.20.0.0/16 [90/20640000] via 10.0.0.1, 00:01:27, Serial0/1/0
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
D 192.168.1.0/24 is a summary, 00:01:21, Null0
C 192.168.1.0/26 is directly connected, Loopback0
RouterB#
```
```console
RouterA#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
D 10.0.0.0/8 is a summary, 00:01:43, Null0
C 10.0.0.0/30 is directly connected, Serial0/1/0
172.20.0.0/16 is variably subnetted, 2 subnets, 2 masks
D 172.20.0.0/16 is a summary, 00:01:43, Null0
C 172.20.1.0/24 is directly connected, Loopback0
D 192.168.1.0/24 [90/20640000] via 10.0.0.2, 00:00:49, Serial0/1/0
RouterA#
```
```console
RouterB#show ip route
...
[Truncated Output]
...
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
D 10.0.0.0/8 is a summary, 00:01:21, Null0
C 10.0.0.0/30 is directly connected, Serial0/1/0
D 172.20.0.0/16 [90/20640000] via 10.0.0.1, 00:01:27, Serial0/1/0
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
D 192.168.1.0/24 is a summary, 00:01:21, Null0
C 192.168.1.0/26 is directly connected, Loopback0
RouterB#
```
4. 查明两台路由器都对各个网络进行着自动汇总。并于随后在路由器B上关闭自动汇总。
```console
RouterB#show ip protocols
Routing Protocol is “eigrp 30”
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Default networks flagged in outgoing updates
Default networks accepted from incoming updates
EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
EIGRP maximum hopcount 100
EIGRP maximum metric variance 1
Redistributing: eigrp 30
Automatic network summarization is in effect
Automatic address summarization:
192.168.1.0/24 for Serial0/1/0
Summarizing with metric 128256
10.0.0.0/8 for Loopback0
Summarizing with metric 20512000
Maximum path: 4
Routing for Networks:
10.0.0.0
192.168.1.0
Routing Information Sources:
Gateway Distance Last Update
10.0.0.1 90 496078
Distance: internal 90 external 170
RouterB(config)#router eigrp 30
RouterB(config-router)#no auto-summary
```
```console
RouterB#show ip protocols
Routing Protocol is “eigrp 30”
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Default networks flagged in outgoing updates
Default networks accepted from incoming updates
EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
EIGRP maximum hopcount 100
EIGRP maximum metric variance 1
Redistributing: eigrp 30
Automatic network summarization is in effect
Automatic address summarization:
192.168.1.0/24 for Serial0/1/0
Summarizing with metric 128256
10.0.0.0/8 for Loopback0
Summarizing with metric 20512000
Maximum path: 4
Routing for Networks:
10.0.0.0
192.168.1.0
Routing Information Sources:
Gateway Distance Last Update
10.0.0.1 90 496078
Distance: internal 90 external 170
RouterB(config)#router eigrp 30
RouterB(config-router)#no auto-summary
```
5. 对路由器A上的路由表进行检查。
```console
RouterA#show ip route
...
[Truncated Output]
...
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
D 10.0.0.0/8 is a summary, 00:00:04, Null0
C 10.0.0.0/30 is directly connected, Serial0/1/0
172.20.0.0/16 is variably subnetted, 2 subnets, 2 masks
D 172.20.0.0/16 is a summary, 00:00:04, Null0
C 172.20.1.0/24 is directly connected, Loopback0
192.168.1.0/26 is subnetted, 1 subnets
D 192.168.1.0 [90/20640000] via 10.0.0.2, 00:00:04, Serial0/1/0
RouterA#
```
```console
RouterA#show ip route
...
[Truncated Output]
...
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
D 10.0.0.0/8 is a summary, 00:00:04, Null0
C 10.0.0.0/30 is directly connected, Serial0/1/0
172.20.0.0/16 is variably subnetted, 2 subnets, 2 masks
D 172.20.0.0/16 is a summary, 00:00:04, Null0
C 172.20.1.0/24 is directly connected, Loopback0
192.168.1.0/26 is subnetted, 1 subnets
D 192.168.1.0 [90/20640000] via 10.0.0.2, 00:00:04, Serial0/1/0
RouterA#
```
请访问[www.in60days.com](http://www.in60days.com),免费观看作者完成此试验。
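Review bot: the `show ip protocols` capture in step 4 prints `Routing Protocol is “eigrp 30”` with typographic quotes, but IOS emits straight ASCII quotes (`"eigrp 30"`); the curly quotes look like word-processor substitution and should be replaced so the quoted output matches what a device prints. A smaller point: step 2 mixes a half-width comma into Chinese text (`编号30, 配置EIGRP`) where the full-width `，` is used elsewhere in the steps.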

View File

@ -251,4 +251,3 @@ EIGRP-IPv6 Protocol for AS(1)
- 使用`show ipv6 eigrp topology`命令对EIGRP的拓扑进行检查
请访问[www.in60days.com](http://www.in60days.com/)并免费观看作者如何完成的此实验。
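Review bot: the closing sentence `并免费观看作者如何完成的此实验` is ungrammatical (the `的` is misplaced); `并免费观看作者是如何完成此实验的` reads correctly and matches the phrasing used at the end of the other labs. The link target also carries a trailing slash (`http://www.in60days.com/`) while the other labs link to `http://www.in60days.com`; one form should be used throughout.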

View File

@ -1221,79 +1221,83 @@ __实验步骤__
2. 将OSPF添加到路由器`A`。将`Loopback0`上的网络放入到`Area 1`,将那个`10`网络放入到`Area 0`。
```console
RouterA(config)#router ospf 4
RouterA(config-router)#network 172.20.1.0 0.0.0.255 area 1
RouterA(config-router)#network 10.0.0.0 0.0.0.3 area 0
RouterA(config-router)#^Z
RouterA#
%SYS-5-CONFIG_I: Configured from console by console
RouterA#show ip protocols
Routing Protocol is “ospf 4”
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Router ID 172.20.1.1
Number of areas in this router is 2. 2 normal 0 stub 0 nssa
Maximum path: 4
Routing for Networks:
172.20.1.0 0.0.0.255 area 1
10.0.0.0 0.0.0.3 area 0
Routing Information Sources:
Gateway Distance Last Update
172.20.1.1 110 00:00:09
Distance: (default is 110)
```
```console
RouterA(config)#router ospf 4
RouterA(config-router)#network 172.20.1.0 0.0.0.255 area 1
RouterA(config-router)#network 10.0.0.0 0.0.0.3 area 0
RouterA(config-router)#^Z
RouterA#
%SYS-5-CONFIG_I: Configured from console by console
RouterA#show ip protocols
Routing Protocol is “ospf 4”
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Router ID 172.20.1.1
Number of areas in this router is 2. 2 normal 0 stub 0 nssa
Maximum path: 4
Routing for Networks:
172.20.1.0 0.0.0.255 area 1
10.0.0.0 0.0.0.3 area 0
Routing Information Sources:
Gateway Distance Last Update
172.20.1.1 110 00:00:09
Distance: (default is 110)
```
3. 将OSPF添加到路由器`B`。将该环回网络放入到OSPF的`Area 40`。
```console
RouterB(config)#router ospf 2
RouterB(config-router)#net 10.0.0.0 0.0.0.3 area 0
RouterB(config-router)#
00:22:35: %OSPF-5-ADJCHG: Process 2, Nbr 172.20.1.1 on Serial0/1/0 from LOADING to FULL, Loading Done
RouterB(config-router)#net 192.168.1.0 0.0.0.63 area 40
RouterB(config-router)# ^Z
RouterB#show ip protocols
Routing Protocol is “ospf 2”
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Router ID 192.168.1.1
Number of areas in this router is 2. 2 normal 0 stub 0 nssa
Maximum path: 4
Routing for Networks:
10.0.0.0 0.0.0.3 area 0
192.168.1.0 0.0.0.63 area 40
Routing Information Sources:
Gateway Distance Last Update
172.20.1.1 110 00:01:18
192.168.1.1 110 00:00:44
Distance: (default is 110)
```
```console
RouterB(config)#router ospf 2
RouterB(config-router)#net 10.0.0.0 0.0.0.3 area 0
RouterB(config-router)#
00:22:35: %OSPF-5-ADJCHG: Process 2, Nbr 172.20.1.1 on Serial0/1/0 from LOADING to FULL, Loading Done
RouterB(config-router)#net 192.168.1.0 0.0.0.63 area 40
RouterB(config-router)# ^Z
RouterB#show ip protocols
Routing Protocol is “ospf 2”
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Router ID 192.168.1.1
Number of areas in this router is 2. 2 normal 0 stub 0 nssa
Maximum path: 4
Routing for Networks:
10.0.0.0 0.0.0.3 area 0
192.168.1.0 0.0.0.63 area 40
Routing Information Sources:
Gateway Distance Last Update
172.20.1.1 110 00:01:18
192.168.1.1 110 00:00:44
Distance: (default is 110)
```
4. 对两台路由器上的路由表进行检查。查找那些OSPF通告的网络。将见到一个`IA`也就是OSPF的区域间inter-area。还将见到OSPF的`AD`也就是管理距离Administrative Distance`110`。
```console
RouterA#sh ip route
...
[Truncated Output]
10.0.0.0/30 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, Serial0/1/0
172.20.0.0/24 is subnetted, 1 subnets
C 172.20.1.0 is directly connected, Loopback0
192.168.1.0/32 is subnetted, 1 subnets
O IA 192.168.1.1 [110/65] via 10.0.0.2, 00:01:36, Serial0/1/0
RouterA#
```
```console
RouterA#sh ip route
...
[Truncated Output]
10.0.0.0/30 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, Serial0/1/0
172.20.0.0/24 is subnetted, 1 subnets
C 172.20.1.0 is directly connected, Loopback0
192.168.1.0/32 is subnetted, 1 subnets
O IA 192.168.1.1 [110/65] via 10.0.0.2, 00:01:36, Serial0/1/0
RouterA#
```
5. 在两台路由器上分别执行一些可用的OSPF命令。
```console
RouterA#sh ip ospf ?
<1-65535> Process ID numberborder-routers Border and Boundary Router Information
database Database summary
interface Interface information
neighbor Neighbor list
```
```console
RouterA#sh ip ospf ?
<1-65535> Process ID numberborder-routers Border and Boundary Router Information
database Database summary
interface Interface information
neighbor Neighbor list
```
请访问[www.in60days.com](http://www.in60days.com)并观看作者是如何完成该实验的。
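Review bot: in step 5 the `sh ip ospf ?` capture has two help entries run together on one line: `<1-65535> Process ID numberborder-routers Border and Boundary Router Information` should be split into `<1-65535>  Process ID number` and `border-routers  Border and Boundary Router Information`, each on its own line as IOS prints them. Both `show ip protocols` captures also use typographic quotes (`“ospf 4”`, `“ospf 2”`) where IOS prints straight ASCII quotes.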

View File

@ -369,16 +369,17 @@ IP数据流基于五个上至七个的一套IP数据包属性它们
1. 在那些希望对信息进行捕获并在流缓存中存储的所有接口上,使用接口配置命令`ip flow ingress`把接口配置为将数据流捕获进入NetFlow缓存。重要的是记住NetFlow仅在每个接口的基础上配置的Configure the interface to capture flows into the NetFlow cache using the `ip flow ingress` interface configuration command on all interfaces for which you want information to be captured and stored in the flow cache. It is important to remember that NetFlow is configured on a per-interface basis only
> **Dario先生的提醒**:命令`ip route-cache flow`可在物理接口及其下的所有子接口上开启NetFlow数据流the `ip route-cache flow` command will enable flows on the physical interface and all subinterfaces associated with it
> 而`ip flow ingress`命令则将开同一接口上的单个子接口、而非所有子接口上开启NetFlow数据流。这在对观看某个接口的子接口`X`、`Y`及`Z`上的数据流不感兴趣,而真正想要观看同一接口上的子接口`A`、`B`与`C`子接口上的数据流时,此命令就很好用。
> 此外在NetFlow版本5下唯一选项是使用`ip flow ingress`命令来监视上传统计数据with NetFlow v5, the only option was to monitor inbound statistics using the `ip flow ingress` command。不过随着NetFlow版本9的发布现在就了使用`ip flow egress`命令,来对离开各个接口的流量进行监控的选择了。
> **Dario先生的提醒**:命令`ip route-cache flow`可在物理接口及其下的所有子接口上开启NetFlow数据流the `ip route-cache flow` command will enable flows on the physical interface and all subinterfaces associated with it
> 而`ip flow ingress`命令则将开同一接口上的单个子接口、而非所有子接口上开启NetFlow数据流。这在对观看某个接口的子接口`X`、`Y`及`Z`上的数据流不感兴趣,而真正想要观看同一接口上的子接口`A`、`B`与`C`子接口上的数据流时,此命令就很好用。
> 此外在NetFlow版本5下唯一选项是使用`ip flow ingress`命令来监视上传统计数据with NetFlow v5, the only option was to monitor inbound statistics using the `ip flow ingress` command。不过随着NetFlow版本9的发布现在就了使用`ip flow egress`命令,来对离开各个接口的流量进行监控的选择了。
> **注意:** 从思科IOS版本`12.4(2)T`及`12.2(18)SXD`起,已将命令`ip flow ingress`替换为`ip route-cache flow`命令。而从思科IOS版本`12.2(25)S`起,命令`show running configuration` 的输出已被修改,因此命令`ip route-cache flow`命令,以及`ip flow ingress`命令,将在二者之一被配置后,出现在`show running-configuration`的输出中。
> **注意:** 从思科IOS版本`12.4(2)T`及`12.2(18)SXD`起,已将命令`ip flow ingress`替换为`ip route-cache flow`命令。而从思科IOS版本`12.2(25)S`起,命令`show running configuration` 的输出已被修改,因此命令`ip route-cache flow`命令,以及`ip flow ingress`命令,将在二者之一被配置后,出现在`show running-configuration`的输出中。
随后NetFlow信息就存储在本地路由器上同时可在本地设备上使用`show ip cache flow`查看到。
随后NetFlow信息就存储在本地路由器上同时可在本地设备上使用`show ip cache flow`查看到。
在打算将数据导出到NetFlow收集器的情况下将需要两个额外任务如下
在打算将数据导出到NetFlow收集器的情况下将需要两个额外任务如下
2. 使用全局配置命令`ip flow-export version [1 | 5 | 9]`配置思科IOS NetFlow的版本或格式。NetFlow版本`1``v1`是在首个NetFlow发布中所支持的最初格式。在用于分析导出的NetFlow数据的应用仅支持该版本时才应使用此版本。相比版本`1`,版本`5`导出更多的字段,同时也是应用最广泛的版本。而版本`9`则是最新的思科IOS NetFlow版本也是一个新的IETF标准的基础。版本`9`是一个灵活的导出格式版本。