数字校园网

访问层交换机ASwitch1

访问层交换机ASwitch1基本参数

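! ASwitch1: basic parameters (entered from global configuration mode, as the
! DSwitch1 section does with "configure terminal")
configure terminal
hostname ASwitch1
! enable secret is stored as a hash (unlike "enable password"); sample value only
enable secret secretpasswd
line vty 0 15
login
! NOTE(review): a line "password" is kept in cleartext in the running config
! unless "service password-encryption" is set; sample value only
password youguess
! idle timeout 5 min 30 s; the original typed "exce-timeout", which the CLI rejects
exec-timeout 5 30
line con 0
exec-timeout 5 30
logging synchronous
exit
! stop mistyped commands from triggering a DNS lookup at the prompt
no ip domain-lookup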


访问层交换机ASwitch1的管理ip 默认网关

只能是vlan1 即本征vlan 如:192.168.0.0/24 假设为192.168.0.5/24 网关:192.168.0.254/24
! Management SVI on VLAN 1 (the native/management VLAN per the heading), 192.168.0.5/24
interface vlan 1
ip address 192.168.0.5 255.255.255.0
no shutdown
! ASwitch1 is a layer-2 switch, so its own traffic leaves via this gateway
! (192.168.0.254 is the address of InternetRouter Fastethernet 0/0 below)
ip default-gateway 192.168.0.254

访问层交换机ASwitch1的vtp
vtp mode client

访问层交换机ASwitch1端口参数
! Fixed speed/duplex on all 24 ports; auto-negotiation is disabled, so the
! attached hosts must be set to 100/full as well
interface range Fastethernet 0/1-24
duplex full
speed 100
! NOTE(review): portfast is applied here to 0/1-24, but 0/23-24 become trunks in
! the "主干道端口" section; IOS does not honour plain portfast on a trunk port,
! so restricting this to the access range (0/1-22) would be clearer — confirm
spanning-tree portfast

访问层交换机ASwitch1的访问端口
! Access ports: 0/1-10 in VLAN 30 (cwc), 0/11-20 in VLAN 40 (xzbg); both VLANs
! are defined on the VTP server DSwitch1 and learned here through VTP
interface range Fastethernet 0/1-10
switchport mode access
switchport access vlan 30

interface range Fastethernet 0/11-20
switchport mode access
switchport access vlan 40

访问层交换机ASwitch1的主干道端口

! Uplinks to the distribution layer carry all VLANs as a trunk.
! NOTE(review): no "switchport trunk allowed vlan" is set, so every VLAN
! (including management VLAN 1) is carried; a 3550-class switch also needs
! "switchport trunk encapsulation dot1q" before this command — verify on the model used
interface range Fastethernet 0/23-24
switchport mode trunk

访问层交换机ASwitch1的其他设置
! Faster STP convergence on the access switch: uplinkfast switches to the
! backup uplink on root-port loss, backbonefast shortens recovery on indirect
! link failures (both are access-layer features; not meant for the core)
spanning-tree uplinkfast
spanning-tree backbonefast

分布层交换机DSwitch1

分布层交换机DSwitch1基本参数
! DSwitch1: basic parameters
configure terminal
hostname DSwitch1
! stored as a hash; sample value only
enable secret youguess
line con 0
logging synchronous
exec-timeout 5 30
line vty 0 15
! NOTE(review): "abc" is a sample value and is kept in cleartext unless
! "service password-encryption" is set; vty access is telnet here (no ssh)
password abc
login
exec-timeout 5 30
exit
no ip domain-lookup

分布层交换机DSwitch1的管理ip 默认网关
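! Management SVI for DSwitch1 on VLAN 1, 192.168.0.3/24
interface vlan 1
ip address 192.168.0.3 255.255.255.0
! "no switch" in the original is not an SVI command; the matching ASwitch1
! snippet uses "no shutdown", which is what brings the interface up
no shutdown
exit
! Honoured only while ip routing is off; once "ip routing" is enabled in the
! layer-3 section below, the static default route there takes over
ip default-gateway 192.168.0.254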

分布层交换机DSwitch1的vtp(共享相同vlan定义数据库的交换机构成一个vtp管理器,每一个vtp管理域都有一个共同的vtp管理域域名,不同vtp管理域的交换机之间不交换vtp通告信息)
! VTP server for domain xczz: VLANs are created here and pushed to the clients
vtp domain xczz
vtp mode server
! pruning stops broadcast/unknown traffic of a VLAN from crossing trunks
! where that VLAN has no ports
vtp pruning
! NOTE(review): no "vtp password" is set; without one any switch that joins the
! domain with a higher configuration revision can overwrite the VLAN database

分布层交换机DSwitch1上定义vlan
! VLAN database for the whole domain (defined once on the VTP server).
! The same ids are used by the access ports on ASwitch1 (30, 40), the
! server ports on DSwitch1 (100) and the SVIs in the layer-3 section
configure terminal
vlan 10
name jxl
vlan 11
name jxl2
vlan 20
name xsgy
vlan 21
name xsgy2
vlan 30
name cwc
vlan 40
name xzbg
vlan 50
name tsg
vlan 51
name tsg2
vlan 60
name sxl
vlan 70
name xsct
vlan 100
name fwqq

分布层交换机DSwitch1的端口基本参数
! Fixed 100/full on all FastEthernet ports (auto-negotiation off)
interface range Fastethernet 0/1-24
duplex full
speed 100

! 0/1-10: server ports in VLAN 100; portfast because hosts, not switches, hang here
interface range Fastethernet 0/1-10
switchport mode access
switchport access vlan 100
spanning-tree portfast

! 0/23-24 down to the access switches, Gi0/1-2 up to the core: all trunks.
! NOTE(review): a 3550-class switch needs "switchport trunk encapsulation dot1q"
! before "switchport mode trunk" — verify on the model used
interface range Fastethernet 0/23-24
switchport mode trunk
interface range gigabitethernet 0/1-2
switchport mode trunk

分布层交换机DSwitch1的3层交换机功能
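! Inter-VLAN routing on DSwitch1: one SVI per VLAN, each at .254 of its subnet,
! acting as the default gateway for the hosts in that VLAN
ip routing
interface vlan 10
ip address 192.168.1.254 255.255.255.0
no shutdown
interface vlan 11
ip address 192.168.11.254 255.255.255.0
no shutdown
interface vlan 20
ip address 192.168.2.254 255.255.255.0
no shutdown
interface vlan 21
ip address 192.168.21.254 255.255.255.0
no shutdown
interface vlan 30
ip address 192.168.3.254 255.255.255.0
no shutdown
interface vlan 40
ip address 192.168.4.254 255.255.255.0
no shutdown
interface vlan 50
ip address 192.168.5.254 255.255.255.0
no shutdown
interface vlan 51
ip address 192.168.51.254 255.255.255.0
no shutdown
interface vlan 60
ip address 192.168.6.254 255.255.255.0
no shutdown
interface vlan 70
ip address 192.168.7.254 255.255.255.0
no shutdown
interface vlan 100
ip address 192.168.100.254 255.255.255.0
no shutdown
exit
! Default route toward InternetRouter (192.168.0.254 on the VLAN 1 subnet).
! The original had a stray "0" token ("0.0.0.0 0 0.0.0.0"), which the CLI
! rejects; the form below matches the CSwitch1 section
ip route 0.0.0.0 0.0.0.0 192.168.0.254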

核心层交换机CSwitch1
! CSwitch1: basic parameters (same pattern as DSwitch1)
configure terminal
hostname CSwitch1
! stored as a hash; sample value only
enable secret youguess
line con 0
logging synchronous
exec-timeout 5 30
line vty 0 15
! NOTE(review): sample value, cleartext unless "service password-encryption" is set
password abc
login
exec-timeout 5 30
exit
no ip domain-lookup

核心层交换机CSwitch1的管理ip 默认网关
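! Management SVI for CSwitch1 on VLAN 1, 192.168.0.1/24
interface vlan 1
ip address 192.168.0.1 255.255.255.0
! "no switch" in the original is not an SVI command; as on ASwitch1,
! "no shutdown" is what brings the interface up
no shutdown
exit
! Honoured only while ip routing is off; the routing section below enables
! "ip routing" and sets a static default route instead
ip default-gateway 192.168.0.254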

核心层交换机CSwitch1的vtp(共享相同vlan定义数据库的交换机构成一个vtp管理器,每一个vtp管理域都有一个共同的vtp管理域域名,不同vtp管理域的交换机之间不交换vtp通告信息)
vtp mode client

核心层交换机CSwitch1的端口基本参数
! Slot 4 FastEthernet ports: fixed 100/full access ports in VLAN 1 with portfast.
! NOTE(review): VLAN 1 is also the management VLAN of all three switches, so
! anything plugged into these ports shares the management subnet — if they
! are user ports a dedicated VLAN would separate them; confirm the intent
interface range Fastethernet 4/1-32
duplex full
speed 100
switchport mode access

! access VLAN 1 is the IOS default; stated explicitly here
switchport access vlan 1
spanning-tree portfast

! Slot 3 ports 1-2: trunks (all VLANs carried, no allowed-vlan restriction)
interface range Fastethernet 3/1-2
switchport mode trunk

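! Logical EtherChannel interface, configured as a layer-2 (switchport) port
interface port-channel 1
switchport
! Bundle Gi2/1-2 into channel 1 with PAgP ("desirable non-silent" actively
! negotiates and expects PAgP packets from the peer). Two ports are addressed
! at once, so "interface range" is required — the original omitted "range"
interface range gigabitethernet 2/1-2
channel-group 1 mode desirable non-silent
no shutdown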


核心层交换机CSwitch1的路由功能
! Enable layer-3 forwarding on the core; with ip routing on, the earlier
! "ip default-gateway" is ignored and this static default route is used
ip routing
ip route 0.0.0.0 0.0.0.0 192.168.0.254


交换机的基本操作
! Basic switch operations. This section uses a different CLI dialect from the
! Cisco snippets above ("telnet-user", "web-user", "config") — presumably a
! DCN-style switch; verify each command against that vendor's manual
enable
config
interface vlan 1
ip address 192.168.1.1 255.255.255.0
no shutdown
! sample credentials only; telnet and plain http carry them in cleartext on the wire
telnet-user davy password Aa123456
ip http server
web-user davy password Aa123456
! NOTE(review): "Aa23456" differs from the "Aa123456" used just above — likely a typo, confirm
enable password level admin Aa23456
! Configuration backup/restore over TFTP. TFTP has no authentication or
! encryption and the saved files contain the credentials set above, so the
! TFTP host (192.168.1.2) should only be reachable from the management network
copy startup-config tftp://192.168.1.2/startup01
copy running-config tftp://192.168.1.2/running01
copy  tftp://192.168.1.2/startup01 startup-config
copy  tftp://192.168.1.2/running01 running-config

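! Miscellaneous commands (reference list, not a runnable snippet; <...> are
! placeholders, [..] optional keywords, / alternatives)
hostname <hostname>
! restart the switch
reload
! restore factory defaults (takes effect after reload)
set default
! CLI language; the original spelt "chinease" — the keyword is "chinese"
language chinese (english)
! save the running configuration
write
show arp
show flash
show running-config
show startup-config
show mac-address-table [static/aging-time/blackhole][address<mac-addr>][vlan<vlanID>][interface<interace-name>]
show interface ethernet<interface-list>
show vlan [brief/internal usage/private-vlan][id <vlanID>][name <vlan-name>][summary]
clock set <HH:MM:SS><YYYY/MM/DD>
! static host-name to address mapping
ip host <hostname><ip_addr>
no ip host <hostname><ip_addr>
! interactive initial-configuration dialog
setup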

单交换机或跨交换机设置
! Create VLAN 100 and put port e0/0/6 into it (DCN-style "switchport interface")
vlan 100
switchport interface ethernet 0/0/6

! Uplink e0/0/24 as a trunk carrying only VLAN 100.
! NOTE(review): "switchport interface mode trunk" and "trunk allow vlan" do not
! match the usual "switchport mode trunk" / "switchport trunk allowed vlan"
! forms — check against the device manual before pasting
interface ethernet 0/0/24
switchport interface mode trunk
switchport trunk allow vlan 100

堆叠交换机
! Stacking over e0/1/1 (duplex stack link); priority 80 influences master
! election. The stack settings take effect after the reload
stacking enable duplex interface Ethernet 0/1/1
stacking priority 80
reload
聚合端口
! Link aggregation: create port-group 1 and add e0/0/1-2 to it in active
! (LACP-initiating) mode
port-group 1
interface Ethernet 0/0/1-2
port-group 1 mode active
生成树协议
! Enable spanning tree globally and on ports e0/0/1 and e0/0/2 (loop protection
! on the redundant links)
spanning-tree
spanning-tree interface Ethernet 0/0/1
spanning-tree interface Ethernet 0/0/2
端口地址绑定
! Bind a MAC address statically to e0/0/10 in VLAN 1 and enable port security
! on that port, so only the bound station is accepted there; "show
! mac-address-table" confirms the static entry
mac-address static address 00-88-99-66-65-43 vlan 1 interface Ethernet 0/0/10
interface ethernet 0/0/10
switchport port-security
show mac-address-table
端口镜像与嗅探
! Port mirroring: traffic of e0/0/1 and e0/0/3 is copied to e0/0/20 for a
! sniffer. The destination port sees every frame of the mirrored ports, so
! it should be physically controlled and removed when the capture is done
monitor session 1 source interface Ethernet 0/0/1
monitor session 1 source interface Ethernet 0/0/3
monitor session 1 destination interface Ethernet 0/0/20


路由器配置

接入路由器InternetRouter基本参数
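! InternetRouter: basic parameters
config terminal
hostname InternetRouter
! stored as a hash; sample value only
enable secret youguess
line con 0
logging synchronous
! idle timeout 5 min 30 s; the original typed "exce-timeout", which the CLI rejects
exec-timeout 5 30
line vty 0 4
! NOTE(review): sample value, cleartext unless "service password-encryption" is
! set; the "保护路由自身安全" section limits which sources may reach these lines
password abc
login
exec-timeout 5 30
exit
! NOTE(review): DNS lookup stays on here, unlike "no ip domain-lookup" on the
! switches; a mistyped command then waits on a name lookup — confirm it is intended
ip domain-lookup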

接入路由器InternetRouter接口参数
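! LAN side: 192.168.0.254/24, the gateway address used by all three switches
interface Fastethernet 0/0
ip address 192.168.0.254 255.255.255.0
no shutdown
! WAN side: point-to-point link to the ISP. The original mask 255.255.255.253
! is not a valid contiguous mask; a /30 (255.255.255.252) is the usual
! point-to-point mask and is what the CLI accepts
interface serial 0/0
ip address 193.1.1.1 255.255.255.252
no shutdown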

接入路由器InternetRouter的路由功能
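! Default route toward the ISP over the serial link
ip route 0.0.0.0 0.0.0.0 serial 0/0
! Return routes for the campus VLANs, next hop DSwitch1's VLAN 1 SVI (192.168.0.3).
! 192.168.0.0/21 covers only 192.168.0.0-192.168.7.255; DSwitch1 also routes
! VLANs 11, 21 and 51 as 192.168.11.0/24, 192.168.21.0/24 and 192.168.51.0/24,
! which the original left out — their return traffic would have followed the
! default route out serial 0/0
ip route 192.168.0.0 255.255.248.0 192.168.0.3
ip route 192.168.11.0 255.255.255.0 192.168.0.3
ip route 192.168.21.0 255.255.255.0 192.168.0.3
ip route 192.168.51.0 255.255.255.0 192.168.0.3
ip route 192.168.100.0 255.255.255.0 192.168.0.3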

接入路由器InternetRouter的nat
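! Mark the campus side as NAT inside and the ISP side as NAT outside
interface Fastethernet 0/0
ip nat inside
interface serial 0/0
ip nat outside
exit
! ACL 1 selects the inside sources that are translated. The original
! "ip access-list 1 permit 192.168.0.0 0.0.0.255" is not valid numbered-ACL
! syntax and, even corrected, would only have matched the management subnet;
! 0.0.255.255 covers every 192.168.x.0/24 VLAN routed by DSwitch1
access-list 1 permit 192.168.0.0 0.0.255.255
! One-to-one static translations for three hosts in the server VLAN (vlan 100);
! a static entry takes precedence over the dynamic rule for the same inside address
ip nat inside source static 192.168.100.1 202.206.222.1
ip nat inside source static 192.168.100.2 202.206.222.2
ip nat inside source static 192.168.100.3 202.206.222.3

! Everything else matched by ACL 1 shares the serial 0/0 address (PAT, "overload")
ip nat inside source list 1 interface serial 0/0 overload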

接入路由器InternetRouter的acl
对外屏蔽SNMP
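! Entries of a numbered ACL are appended in order and the first match wins.
! The original repeated "permit ip any any" after each group, which made every
! deny after the first permit unreachable; here all denies come first and the
! list is closed by a single permit, then applied once to serial 0/0 inbound.
! "udy" in the original is a typo for udp.
access-list 101 deny udp any any eq snmp
access-list 101 deny udp any any eq snmptrap
对外屏蔽telnet
access-list 101 deny tcp any any eq telnet
对外屏蔽其他不安全协议(文件共享2049 远程执行rsh512 远程登录rlogin513 rcmd514 远程调用sunrpc111)
! rsh/rlogin/rcmd 512-514, sunrpc 111 (tcp and udp), nfs 2049.
! "range" needs two ports; a single port uses "eq"
access-list 101 deny tcp any any range 512 514
access-list 101 deny tcp any any eq 111
access-list 101 deny udp any any eq 111
access-list 101 deny tcp any any eq 2049
针对dos攻击
! ICMP ACL entries name the message type directly ("echo"), not "eq echo-request"
access-list 101 deny icmp any any echo
access-list 101 deny udp any any eq echo
access-list 101 permit ip any any
interface serial 0/0
ip access-group 101 in
! drop directed broadcasts on the LAN interface (smurf-style amplification)
interface Fastethernet 0/0
no ip directed-broadcast
保护路由自身安全
! Only the server VLAN (192.168.100.0/24) may open vty (telnet) sessions;
! ACL 2 is defined before it is referenced by access-class
access-list 2 permit 192.168.100.0 0.0.0.255
line vty 0 4
access-class 2 in
exit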

1 子网隔离 抑制广播风暴
2 维护路由表与其他路由器交换路由信息
3 数据包的差错检查和拥塞控制
4 实现对数据包的过滤记账

路由器操作步骤
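! Minimal router bring-up: hostname, one LAN interface, telnet access
enable
configure terminal
hostname RouteA
interface Fastethernet 0/1
ip address 192.168.0.139 255.255.255.0
! the original "on shutdown" is a typo; "no shutdown" enables the interface
no shutdown
! NOTE(review): "show" from configuration mode needs the "do" prefix on IOS
! 12.2+ (or run it from exec mode after "end")
show ip interface fastethernet 0/1
show ip interface brief
line vty 0 4
login
! sample value; cleartext in the config unless "service password-encryption" is set
password cisco
end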

! Connect over telnet, then set the privileged-mode password
telnet 192.168.0.139
! "enable secret" is stored as a hash and wins when both are configured;
! "enable password" is stored reversibly, so keeping only the secret is
! the common recommendation (sample values shown)
enable secret cisco
enable password cisco

! Reconnect, persist the running config (either form), and review it
telnet 192.168.0.139
copy running-config startup-config 或 write memory
show running-config

路由的基本协议
rip
igrp
eigrp
ospf
静态nat
动态nat

静态路由配置
1702-1
! 1702-1: LAN f0/0 = 192.168.10.1/24, serial s0/2 = 192.168.20.1/24 toward 2611
interface f 0/0
ip address 192.168.10.1 255.255.255.0
no shutdown
interface s 0/2
ip address 192.168.20.1 255.255.255.0
no shutdown

! Static routes to the two networks behind 2611 (192.168.20.2 is its s0/3)
ip route 192.168.30.0 255.255.255.0 192.168.20.2
ip route 192.168.40.0 255.255.255.0 192.168.20.2


2611
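! 2611: s0/3 = 192.168.20.2/24 toward 1702-1, s0/2 = 192.168.30.1/24 toward 1702-2.
! Serial clock rate: the original had "6400"; the same router's s0/3 uses
! 64000 in the nat section, so 64 kbps is assumed here — confirm
interface s 0/3
ip address 192.168.20.2 255.255.255.0
physical-layer speed 64000
no shutdown
show interface s 0/3
interface s 0/2
ip address 192.168.30.1 255.255.255.0
physical-layer speed 64000
no shutdown
show interface s 0/2

! Static routes to the LANs behind each neighbour; the original omitted the
! "route" keyword (compare the 1702-1 snippet)
ip route 192.168.10.0 255.255.255.0 192.168.20.1
ip route 192.168.40.0 255.255.255.0 192.168.30.2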

1702-2
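! 1702-2: serial s0/2 = 192.168.30.2/24 toward 2611, LAN f0/0 = 192.168.40.1/24
interface s 0/2
ip address 192.168.30.2 255.255.255.0
no shutdown
! the original "onterface" is a typo
interface f 0/0
ip address 192.168.40.1 255.255.255.0
no shutdown

! Static routes back through 2611 (192.168.30.1); the original omitted the
! "route" keyword (compare the 1702-1 snippet)
ip route 192.168.10.0 255.255.255.0 192.168.30.1
ip route 192.168.20.0 255.255.255.0 192.168.30.1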


动态路由配置
1702-1
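! 1702-1: remove the static routes, then run RIP (or OSPF) instead.
! The original wrote "no ip ..." and "route rip"; the routing-process keyword on
! this CLI is "router" (as in "router rip"/"router ospf") — confirm on the device
no ip route 192.168.30.0 255.255.255.0 192.168.20.2
no ip route 192.168.40.0 255.255.255.0 192.168.20.2
router rip
! NOTE(review): 192.168.40.0 with a /16 mask differs from the "192.168.0.0
! 255.255.0.0" used on 2611 and 1702-2; 1702-1's own networks are
! 192.168.10.0 and 192.168.20.0, so the 2611 form is probably what was meant
network 192.168.40.0 255.255.0.0

! Alternative: OSPF process 100, both interfaces in area 0
no router rip
router ospf 100
network 192.168.10.0 255.255.255.0 area 0
network 192.168.20.0 255.255.255.0 area 0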

2611
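! 2611: remove the static routes, then run RIP (or OSPF) instead.
! The original wrote "no ip ..." and "route rip"; the routing-process keyword on
! this CLI is "router" (as in "router rip"/"router ospf") — confirm on the device
no ip route 192.168.10.0 255.255.255.0 192.168.20.1
no ip route 192.168.40.0 255.255.255.0 192.168.30.2
router rip
! one summary network statement covers both serial interfaces
network 192.168.0.0 255.255.0.0

! Alternative: OSPF process 100, both serial networks in area 0
no router rip
router ospf 100
network 192.168.20.0 255.255.255.0 area 0
network 192.168.30.0 255.255.255.0 area 0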

1702-2
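! 1702-2: remove the static routes, then run RIP (or OSPF) instead.
! The original wrote "no ip ..." and "route rip"; the routing-process keyword on
! this CLI is "router" (as in "router rip"/"router ospf") — confirm on the device
no ip route 192.168.10.0 255.255.255.0 192.168.30.1
no ip route 192.168.20.0 255.255.255.0 192.168.30.1
router rip
! one summary network statement covers both interfaces
network 192.168.0.0 255.255.0.0

! Alternative: OSPF process 100, both networks in area 0
no router rip
router ospf 100
network 192.168.30.0 255.255.255.0 area 0
network 192.168.40.0 255.255.255.0 area 0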

nat功能
2611
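! 2611 (plays the ISP side): s0/3 = 211.1.1.2/24 toward 1702-1, f0/0 = 211.2.2.1/24
! where the web server 211.2.2.2 lives. The original ran address and mask
! together ("211.1.1.2.255.255.255.0"); they are separate arguments
interface s0/3
ip address 211.1.1.2 255.255.255.0
physical-layer speed 64000
no shutdown
interface f0/0
ip address 211.2.2.1 255.255.255.0
! NOTE(review): no "no shutdown" on f0/0 here, unlike s0/3 — confirm the port is up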

1702-1
! 1702-1: inside LAN 192.168.1.0/24 on f0/0, public link 211.1.1.1/24 on s0/2,
! default route toward 2611 (211.1.1.2)
interface f0/0
ip address 192.168.1.1 255.255.255.0
interface s0/2
ip address 211.1.1.1 255.255.255.0
! NOTE(review): neither interface has "no shutdown" here, unlike the static
! routing section — confirm they are already up
ip route 0.0.0.0 0.0.0.0 211.1.1.2
211.2.2.2上建网站,发现192.168.1.10的计算机可以ping通192.168.1.1,也可以ping通211.1.1.1,但是无法ping通211.1.1.2,更无法访问211.2.2.2上的网站。所以:
配置1702-1
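! NAT on 1702-1: private 192.168.1.0/24 behind f0/0 is translated to the
! s0/2 address so that it can reach 211.1.1.2 and the web site on 211.2.2.2
interface s0/2
ip nat outside
interface f0/0
! the original "ip net inside" is a typo for "ip nat inside"
ip nat inside
exit
! Named standard ACL selecting the inside hosts.
! NOTE(review): this CLI writes the mask as 255.255.255.0; a Cisco IOS router
! would expect the wildcard form 0.0.0.255 here — check the device manual
ip access-list standard natacl
permit 192.168.1.0 255.255.255.0
exit
! Dynamic translation to the s0/2 address.
! NOTE(review): Cisco IOS needs "overload" for many-to-one PAT with an
! interface address (compare the InternetRouter section); confirm whether
! this CLI implies it
ip nat inside source list natacl interface s0/2
! Port forward: tcp/80 on the public 211.1.1.1 reaches the inside server 192.168.1.10
ip nat inside source static tcp 192.168.1.10 80 211.1.1.1 80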


转载自davidlee1986.iteye.com/blog/1919393