Switch Configuration
(1) Mode switching:
switch> # user mode: only part of the device's information can be viewed
SW-3ceng>enable
SW-3ceng# # privileged mode: more can be viewed
SW-3ceng#configure terminal
SW-3ceng(config)# # global configuration mode: the device can be configured
SW-3ceng(config)#int g1/0/52
SW-3ceng(config-if)# # interface configuration mode
exit # go back one level
end # return directly to privileged mode (same as Ctrl+Z)
Commands usable in privileged mode:
show mac-address-table # view the MAC address table **
clock set 17:07:30 14 May 2019 # set the time: hours:minutes:seconds, then day month year
show ip interface brief # view the status of all interfaces **
(Note: an interface can communicate only when both Status and Protocol show "up")
show cdp neighbors # view the neighbors and local connections **
show history # view command history
show running-config # view the current configuration, which has not been saved (lost on restart; it lives only in memory)
write # save the configuration
copy running-config startup-config # save the running configuration to the startup configuration file
show startup-config # the configuration loaded automatically at every boot (survives restart; written to permanent storage)
reload # reboot
Remote management steps:
Step one: configure an IP address on the switch
SW1(config)#interface vlan 1
SW1(config-if)#ip address 192.168.1.100 255.255.255.0
SW1(config-if)#no sh
Step two: configure telnet
SW1(config)#line vty 0 4 # virtual terminal lines 0 to 4; the range sets how many remote logins are allowed at once
SW1(config-line)#password 123456 # set the remote login password
SW1(config-line)#login # enable password checking on the line
Step three: set the password for entering privileged mode
SW1(config)#enable password enable # "password" stores the password in plaintext
SW1(config)#enable secret enable2 # "secret" stores it encrypted; if both are present, the secret takes effect
Securing the console port:
SW1(config)#line console 0
SW1(config-line)#exec-timeout 0 0 # idle timeout: the first 0 is minutes, the second is seconds; 0 0 means never time out (lab environment only)
SW1(config-line)#password console # set the console login password
SW1(config-line)#logging synchronous # synchronize log output with the prompt so messages do not break up what is being typed
SW1(config-line)#login # enable password checking
SW1(config)#no ip domain-lookup # disable DNS lookups
SW1#erase startup-config # clear all saved configuration
SSH configuration
conf t
username test password password
ip domain-name www.test.com // the domain name is used when generating the key pair
crypto key generate rsa // generate an RSA public/private key pair
line vty 0 4
transport input ssh // allow only ssh on the vty lines (transport input all would also allow telnet)
login local // authenticate against the local username database
exit
ssh -l username 192.168.1.254 // from the simulated PC, connect to the device over ssh
Simple router configuration
Router(config)#int g0/0 # enter the physical interface
Router(config-if)#ip address 192.168.1.254 255.255.255.0 # configure the IP address and subnet mask
Router(config-if)#no sh # bring the interface up; all router interfaces are down by default
SSH settings on the router
Step one: specify login and activate the vty lines
R1(config)#line vty 0 4
R1(config-line)#login local
R1(config-line)#transport input all
Step two:
R1(config)#username R1 password 123456 # set the local username and password
R1(config)#ip domain-name www.R1.com # set the local domain name
R1(config)#crypto key generate rsa # generate the key pair
Step three:
R1(config)#enable password 123456 # set the password for entering privileged mode
SW2(config)#ip default-gateway 192.168.2.254 # if the switch itself must reach other networks, its default gateway must be configured
Serial port configuration on the router
interface Serial0/2/0
ip address 12.1.1.2 255.255.255.0
clock rate 1000000 # configure the clock rate, i.e. the bandwidth allocated to the client side
Binding MAC addresses:
> arp -s 157.55.85.212 00-AA-00-62-c6-09 # on the PC: add a static ARP entry
Router(config)#arp 10.0.0.95 0013.240a.b219 ARPA f0/0 # binding on the router; generally bind the MAC address of the directly connected downstream device
Switch(config)#arp 10.0.0.12 90fb.a695.4445 ARPA f0/2 # binding on the switch
Port security on a switch: enable port security on the interface
(1) enable port security on a switch interface:
int f0/1
Port security (prevents MAC address table flooding):
Switch(config)#interface f0/1 // enter interface f0/1
Switch(config-if)#switchport mode access // set the port to access mode
Switch(config-if)#switchport port-security // enable the port security mechanism
Switch(config-if)#switchport port-security maximum 1 // at most 1 MAC address may be learned
Switch(config-if)#switchport port-security violation shutdown // violation action: shutdown (the interface is disabled), protect (frames from unknown MACs are dropped and no new MACs are learned, but the port stays up), or restrict (as protect, but a log message is sent and the violation counter increases)
Switch(config-if)#switchport port-security mac-address sticky
// sticky MAC addresses: binding by hand is laborious, so learned addresses are kept automatically
show port-security // view the port security configuration
switchport port-security mac-address 00D0.9752.DB78 // bind a MAC address to the interface; if an illegal MAC appears, the interface goes straight into err-disabled state
do show int f0/1 // view the port status
errdisable recovery cause psecure-violation // after 300s the interface returns to normal (illegal traffic will still trigger the shutdown again)
errdisable recovery interval 30 // set the recovery time to 30s (without recovery, only a manual shutdown followed by no shutdown reopens the port)
show errdisable recovery // view the recovery status
show port-security // shows which interfaces have port security enabled
show port-security int f0/4 // view port security on one interface
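The following is an added example, not part of the original notes: a small Python model of the port-security behaviour described above (maximum, the shutdown/protect/restrict violation modes, sticky retention of learned MACs, errdisable recovery). The MAC addresses in run() are constructed sample values.

```python
# Added example (not from the original notes): a model of the port-security
# behaviour described above: "maximum", the violation modes shutdown / protect /
# restrict, sticky retention of learned MACs and errdisable recovery.
# The MAC addresses used by run() are constructed sample values.

class SecurePort:
    def __init__(self, maximum=1, violation="shutdown"):
        self.maximum = maximum          # switchport port-security maximum N
        self.violation = violation      # shutdown (default) | protect | restrict
        self.secure_macs = []           # bound or learned (sticky) secure MACs
        self.errdisabled = False        # True after a shutdown-mode violation
        self.violation_count = 0        # incremented by restrict and shutdown
        self.log = []                   # syslog-style messages

    def bind(self, mac):
        """switchport port-security mac-address MAC: static binding."""
        if mac not in self.secure_macs:
            self.secure_macs.append(mac)

    def frame(self, src_mac):
        """Process one ingress frame; returns 'forward', 'drop' or 'errdisable'."""
        if self.errdisabled:
            return "drop"                    # an err-disabled port passes nothing
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac) # learn it (sticky keeps it afterwards)
            return "forward"
        # maximum reached and the source is not a secure MAC: a violation
        if self.violation == "protect":
            return "drop"                    # silently dropped: no counter, no log
        self.violation_count += 1
        self.log.append("PSECURE_VIOLATION: unknown source %s" % src_mac)
        if self.violation == "restrict":
            return "drop"                    # dropped and logged, port stays up
        self.errdisabled = True              # shutdown mode: port goes err-disabled
        return "errdisable"

    def recover(self):
        """errdisable recovery (or manual shutdown / no shutdown) reopens the port;
        sticky MACs survive, so the legitimate host forwards again immediately."""
        self.errdisabled = False

def run(mode):
    """Constructed traffic: the legitimate host, an unknown MAC, then the host again."""
    port = SecurePort(maximum=1, violation=mode)
    results = [port.frame(m) for m in ("00d0.9752.db78", "aaaa.bbbb.cccc", "00d0.9752.db78")]
    return results, port

if __name__ == "__main__":
    for mode in ("shutdown", "protect", "restrict"):
        results, port = run(mode)
        print(mode, results, "violations:", port.violation_count)
```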
VLAN related commands
(1) view:
SW1(config)#do show vlan brief # view brief VLAN information
SW1(config)#no vlan 1
Default VLAN 1 may not be deleted. # VLAN 1 is the default VLAN and cannot be deleted
(2) create and delete VLANs
SW1(config)#vlan 20
SW1(config-vlan)#name xiaoshoubu
SW1(config)#no vlan 30
(3) add an interface to a VLAN
SW1(config)#int f0/1
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 20
To operate on several interfaces at once:
Switch(config)#interface range f0/1 - 10
Switch(config-if-range)#switchport access vlan 20
Trunk link
SW1(config)#int f0/5
SW1(config-if)#switchport mode trunk # make the interface a trunk
SW1(config-if)#switchport trunk allowed vlan all # allow all VLANs through the trunk
Router-on-a-stick (single-arm routing)
R1(config)#int f0/0
R1(config-if)#no sh # the physical interface must be enabled
R1(config)#int f0/0.3 # enter the subinterface
R1(config-subif)#encapsulation dot1Q 3 # set the encapsulation to 802.1Q; this subinterface corresponds to VLAN 3
R1(config-subif)#ip add 192.168.3.254 255.255.255.0 # set the subinterface IP (the VLAN's gateway)
VTP server mode:
vtp mode server / client / transparent # server mode is the switch default
vtp domain test # set the VTP domain name to test
vtp password 123 # set the password for joining the domain to 123
vtp version 2 # set the VTP version to 2
In server and client mode the VTP configuration and the VLAN information are not in show run; they are saved in flash.
Switch#delete flash:/vlan.dat
Layer 3 switch configuration:
(1) converting Layer 2 interfaces to Layer 3 interfaces:
Step 1: create the VLANs
3L-1(config)#vlan 10
3L-1(config-vlan)#vlan 30
3L-1(config-vlan)#vlan 20
3L-1(config-vlan)#int vlan 20
3L-1(config-if)#ip add 192.168.20.254 255.255.255.0
3L-1(config-if)#no sh
3L-1(config)#ip routing # enable the routing function
3L-2(config)#int f0/2
3L-2(config-if)#no switchport # convert to a Layer 3 interface that carries an IP address directly
3L-2(config-if)#ip add 192.168.40.254 255.255.255.0
3L-2(config-if)#no sh
STP commands
SW1#show spanning-tree # show the spanning tree of all VLANs
SW1#show spanning-tree detail # view the details per VLAN
If an interface is configured with PortFast, it goes to the forwarding state immediately (1-3 s).
Switch(config)#int f0/1
Switch(config-if)#switchport mode access
Switch(config-if)#spanning-tree portfast
3L-1(config)#spanning-tree vlan 10 root primary # make this switch the root bridge for VLAN 10; the priority is automatically lowered by 8192 from the base value 32768
3L-1(config)#spanning-tree vlan 20 root secondary # make this switch the secondary root bridge for VLAN 20; the priority is automatically lowered by 4096 from the base value 32768
EtherChannel
EtherChannel: bundles links to increase bandwidth, improve fault tolerance, and load-balance traffic.
SW1(config)#int range f0/1 - 2 # enter the physical interfaces
SW1(config-if-range)#channel-group 1 mode on # put the links into channel group 1; the group number must match on both sides
SW1(config-if-range)#switchport mode trunk
SW1(config-if-range)#switchport trunk allowed vlan all # set as trunk and allow all VLANs through
SW2#show etherchannel summary # view the EtherChannel result
HSRP configuration
R1: Active for VLAN 10
interface FastEthernet0/0.10 # with several VLANs, router-on-a-stick is used: one subinterface per VLAN
encapsulation dot1Q 10
ip address 192.168.10.100 255.255.255.0 # configure the subinterface IP
standby version 2 # HSRP version
standby 10 ip 192.168.10.254 # set the HSRP virtual IP (the PCs' gateway)
standby 10 priority 105 # set the priority so this router becomes Active for VLAN 10
standby 10 preempt # preemption: as soon as this router recovers it becomes Active again
standby 10 track FastEthernet0/1 # track an interface; if it goes down HSRP treats it as a failure and the HSRP state switches over
standby 10 track FastEthernet0/0
R2: Standby (backup) for VLAN 10
interface FastEthernet0/0.10
encapsulation dot1Q 10
ip address 192.168.10.200 255.255.255.0
standby version 2
standby 10 ip 192.168.10.254
standby 10 track FastEthernet0/0
standby 10 track FastEthernet0/1
show standby brief # view brief HSRP information
HSRP on Layer 3 switches
Configuring EtherChannel:
interface FastEthernet0/3
channel-group 1 mode on
switchport trunk encapsulation dot1q
switchport mode trunk
When configuring HSRP, check whether the gateway is a physical interface or an SVI; HSRP is configured on whichever interface is the gateway.
ACL
Steps for using an ACL:
Step 1: create the ACL
access-list 10 deny 192.168.1.1 0.0.0.0 // 192.168.1.1 0.0.0.0 means the single host 192.168.1.1, the same as host 192.168.1.1
access-list 10 permit host 192.168.1.2
Step two: apply it to an interface
int f0/1
ip access-group 10 in // apply the list in the inbound (in) or outbound (out) direction of the interface
Extended ACL: filters on source and destination IP, source and destination port, and protocol; numbered 100-199
access-list 100 permit tcp host 192.168.1.1 host 192.168.30.1 eq www
access-list 100 permit ip host 192.168.1.1 192.168.20.0 0.0.0.255
access-list 100 deny icmp host 192.168.1.1 host 192.168.30.1
access-list 100 permit tcp host 192.168.1.1 host 192.168.30.1 eq telnet
access-list 100 permit udp host 192.168.1.1 host 192.168.30.1 eq domain
access-list 100 permit tcp host 192.168.1.1 host 192.168.30.1 eq domain
access-list 100 permit tcp host 192.168.1.1 host 192.168.30.1 eq ftp
access-list 100 permit tcp host 192.168.1.1 host 192.168.30.1 eq 20
access-list 100 permit tcp host 192.168.1.1 host 192.168.30.1 established
access-list 100 permit tcp host 192.168.1.1 host 192.168.30.1 range 1024 65535
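The following is an added example, not part of the original notes: a Python model of how IOS evaluates the numbered ACLs above (wildcard masks, first match wins, port and established qualifiers, the implicit deny at the end). ACL_100 copies entries from the extended ACL above; the packets in the checks are constructed.

```python
# Added example (not from the original notes): a small model of how IOS evaluates
# the numbered ACLs above: wildcard-mask matching (0 bits must match, 1 bits are
# ignored, so 0.0.0.0 means "host"), first match wins, port and "established"
# qualifiers, and the implicit "deny any" at the end of every list.
import ipaddress

PORT_NAMES = {"www": 80, "telnet": 23, "domain": 53, "ftp": 21}

# entries copied from the extended ACL above (the eq telnet/ftp/20 lines are omitted for space)
ACL_100 = ["access-list 100 permit tcp host 192.168.1.1 host 192.168.30.1 eq www",
           "access-list 100 permit ip host 192.168.1.1 192.168.20.0 0.0.0.255",
           "access-list 100 deny icmp host 192.168.1.1 host 192.168.30.1",
           "access-list 100 permit udp host 192.168.1.1 host 192.168.30.1 eq domain",
           "access-list 100 permit tcp host 192.168.1.1 host 192.168.30.1 established",
           "access-list 100 permit tcp host 192.168.1.1 host 192.168.30.1 range 1024 65535"]

def wildcard_match(addr, network, wildcard):
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF        # bits that are 0 in the wildcard must match exactly
    return a & care == n & care

def parse_addr(t):
    # 'host X' | 'any' | 'X WILDCARD'; returns ((network, wildcard), remaining tokens)
    if t[0] == "host":
        return (t[1], "0.0.0.0"), t[2:]
    if t[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), t[1:]
    return (t[0], t[1]), t[2:]

def parse_ports(t):
    # optional 'eq P' or 'range LO HI'; returns ((lo, hi) or None, remaining tokens)
    if t and t[0] == "eq":
        p = PORT_NAMES.get(t[1]) or int(t[1])
        return (p, p), t[2:]
    if t and t[0] == "range":
        return (int(t[1]), int(t[2])), t[3:]
    return None, t

def parse_ace(line):
    t = line.split()
    number, action, rest = int(t[1]), t[2], t[3:]
    if number < 100:              # standard ACL (1-99): matches on source address only
        src, rest = parse_addr(rest)
        return action, "ip", src, None, ("0.0.0.0", "255.255.255.255"), None, False
    proto, rest = rest[0], rest[1:]
    src, rest = parse_addr(rest)
    sport, rest = parse_ports(rest)
    dst, rest = parse_addr(rest)
    dport, rest = parse_ports(rest)
    return action, proto, src, sport, dst, dport, "established" in rest

def port_ok(rng, port):
    return rng is None or rng[0] <= port <= rng[1]

def evaluate(acl, pkt):
    # pkt keys: proto, src, dst, optional sport/dport/ack; returns 'permit' or 'deny'
    for action, proto, src, sport, dst, dport, est in map(parse_ace, acl):
        if ((proto == "ip" or proto == pkt["proto"])
                and wildcard_match(pkt["src"], *src) and wildcard_match(pkt["dst"], *dst)
                and port_ok(sport, pkt.get("sport", 0)) and port_ok(dport, pkt.get("dport", 0))
                and (not est or pkt.get("ack", False))):  # established = ACK/RST set
            return action         # first matching entry decides
    return "deny"                 # implicit deny any at the end of every ACL
```

The same wildcard_match logic applies to the wildcard in the OSPF network statement further down.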
DHCP configuration
DHCP client and server on the same network segment: direct access
R2#show run | section dhcp
ip dhcp excluded-address 192.168.10.254 # set excluded addresses
ip dhcp pool vlan10 # create an address pool named vlan10
network 192.168.10.0 255.255.255.0 # set the client network segment (the scope)
default-router 192.168.10.254 # set the gateway handed to clients
dns-server 114.114.114.114 # set the DNS server handed to clients
DHCP commands:
ip dhcp pool vlan10
network <segment> <subnet mask>
dns-server 114.114.114.114
default-router 192.168.10.254
exit
ip dhcp excluded-address <address> # exclude an address from the pool
NAT: Network Address Translation. Its roles: translate private addresses to public addresses; hide the real internal addresses; conserve IPv4 addresses; translate between IPv4 and IPv6.
Static translation: one-to-one, one private address corresponds to one public IP address.
Step one: declare the inside and outside interfaces
int f0/0
ip nat inside
int f0/1
ip nat outside
Step two: set up the NAT
ip nat inside source static <inside private IP> <outside public IP>
Dynamic translation: many-to-many, multiple private IPs correspond to multiple public IPs
Step one: declare the inside and outside interfaces
int f0/0
ip nat inside
int f0/1
ip nat outside
Step two: define the internal network segment that may reach the Internet
access-list 10 permit 192.168.10.0 0.0.0.255
Step three: define the NAT
ip nat inside source list 10 interface f0/1 overload
4. Experimental procedure
Step one:
Divide the VLANs and configure the trunk link
int f0/1
sw mode access
sw acc vlan 10
int f0/3
sw mode trunk
sw trunk allow vlan all
Configure router-on-a-stick:
int f0/0
no sh
int f0/0.10
encapsulation dot1q 10 # set the encapsulation to dot1q; this subinterface corresponds to VLAN 10
ip address 192.168.10.254 255.255.255.0 # configure the subinterface IP
no sh
int f0/0.20
encapsulation dot1q 20
ip address 192.168.20.254 255.255.255.0
no sh
Commands to make a router simulate a PC
no ip routing # disable the routing function
int f0/0
ip address 192.168.30.30 255.255.255.0
ip default-gateway 192.168.30.254
int f0/0
ip address dhcp # obtain the interface address via DHCP
Configure DHCP
ip dhcp pool vlan10
network <segment> <subnet mask>
dns-server 114.114.114.114
default-router 192.168.10.254
exit
ip dhcp excluded-address <address> # exclude an address from the pool
DHCP relay agent
On the gateway interface corresponding to the clients:
int f0/0.10
ip helper-address 192.168.30.30
int f0/0.20
ip helper-address 192.168.30.30
Step two: configure NAT
Configure PAT:
int f0/0.10
ip nat inside
int f0/0.20
ip nat inside
int e1/0
ip nat outside
ip nat inside source list 10 interface Ethernet1/0 overload
Configure static NAT:
int f0/0.30
ip nat inside
ip nat inside source static 192.168.30.30 12.1.1.3
Step three: configure the access/trunk LAN links on the right-hand side
HSRP configuration: solves the gateway redundancy problem
R4#show run | s standby
standby 30 ip 192.168.30.254 # configure the virtual IP
standby 30 priority 105 # configure priority 105; the default is 100, and the higher value becomes Active
standby 30 preempt # preemption mode
standby 30 track 1 decrement 10 # track object 1 with decrement 10 (the default): if the tracked interface goes down, the priority is reduced by 10, e.g. from 100 to 90
standby 30 track 2 decrement 10 # track a second object
HSRP backup router configuration:
R5#show run | s standby
standby 30 ip 192.168.30.254
standby 30 track 1 decrement 10
standby 30 track 2 decrement 10
Note: watch for routing connectivity problems inside the network.
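The following is an added example, not part of the original notes: a Python model of the HSRP Active election with priority, preempt and track decrement, using the R4/R5 values above. It shows that a tracking-induced priority drop only moves the Active role when the Standby has preempt configured. The router interface IPs and tracked object numbers are assumed.

```python
# Added example (not from the original notes): a model of HSRP Active election with
# priority, preempt and "track ... decrement", using the R4/R5 values above. It shows
# that a priority drop caused by tracking only moves the Active role if the Standby
# has "preempt" configured. Router interface IPs and object numbers are assumed.

class HsrpRouter:
    def __init__(self, name, ip, priority=100, preempt=False, tracks=()):
        self.name, self.ip = name, ip
        self.base_priority = priority    # standby 30 priority N (default 100)
        self.preempt = preempt           # standby 30 preempt
        self.tracks = dict(tracks)       # {tracked object: decrement}
        self.down = set()                # tracked objects currently down
        self.alive = True                # False when the router stops sending hellos

    def priority(self):
        # every failed tracked object subtracts its decrement from the configured priority
        return self.base_priority - sum(self.tracks[o] for o in self.down)

def ip_key(ip):
    return tuple(int(x) for x in ip.split("."))

class HsrpGroup:
    def __init__(self, routers):
        self.routers = routers
        self.active = self.best()        # initial election: highest priority wins

    def best(self):
        # highest priority wins; ties are broken by the highest interface IP address
        return max((r for r in self.routers if r.alive), key=lambda r: (r.priority(), ip_key(r.ip)))

    def settle(self):
        if not self.active.alive:        # hellos from the Active stopped: Standby takes over
            self.active = self.best()
        else:
            best = self.best()           # a better router only takes over if it preempts
            if best is not self.active and best.preempt:
                self.active = best
        return self.active.name

    def track(self, router, obj, up):
        (router.down.discard if up else router.down.add)(obj)
        return self.settle()

    def power(self, router, on):
        router.alive = on
        return self.settle()

def scenario(backup_preempt):
    """Active router after each step; the R4/R5 priorities and decrements come from the notes."""
    r4 = HsrpRouter("R4", "192.168.30.1", 105, preempt=True, tracks={1: 10, 2: 10})
    r5 = HsrpRouter("R5", "192.168.30.2", 100, preempt=backup_preempt, tracks={1: 10, 2: 10})
    g = HsrpGroup([r4, r5])
    return [g.active.name,             # startup
            g.track(r4, 1, up=False),  # R4's tracked object 1 fails: 105 - 10 = 95 < 100
            g.track(r4, 1, up=True),   # object recovers: R4 is back at 105
            g.power(r4, False),        # R4 goes down entirely
            g.power(r4, True)]         # R4 returns and preempts
```

With the R5 configuration exactly as shown above (no preempt), scenario(False) shows R4 staying Active even at priority 95; adding preempt on R5 (scenario(True)) makes the tracking failover happen.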
RIP configuration
(1) Serial port simulating the public network:
int s2/0
clock rate 1000000 # a serial link has a DCE (the server/carrier side) and a DTE (the client side); the DCE's clock rate is the bandwidth allocated to the client.
ip address 12.1.1.2 255.255.255.0
no sh
(2) RIP configuration:
router rip
network 11.1.1.0
(3) Check the routing table:
show ip route
RIPv2 configuration
router rip
version 2
network 11.1.1.0
no auto-summary # turn off automatic summarization
RIPv2 authentication
enable
conf t
key chain test // define a key chain; the chain name may differ on the two ends
key 1 // define key 1 in the chain (the key ID must be the same on both ends)
key-string cisco // set the key string
int f0/1
ip rip authentication key-chain test // the interface uses the key chain test
ip rip authentication mode md5 // the interface uses md5 authentication
OSPF configuration
Basic configuration:
router ospf 110 # 110 is the OSPF process ID; it is only locally significant
network 12.1.1.0 0.0.0.255 area 0 # advertise the segment (with a wildcard mask) into area 0. Note: area 0 is a special area called the backbone; adjacencies form only between routers in the same area.
debug ip ospf adj # watch the OSPF adjacency formation process
R3#show ip ospf neighbor # the neighbor table
VPN configuration
Configuring an IPsec VPN
R1 configuration
(1) configure phase 1: the key exchange security policy
R1(config)#crypto isakmp policy 10 # phase 1 policy, number 10
R1(config-isakmp)#encryption 3des # encryption for the key exchange is 3DES
R1(config-isakmp)#authentication pre-share # authentication by pre-shared key
R1(config-isakmp)#hash md5 # the integrity check uses md5
R1(config-isakmp)#group 2 # Diffie-Hellman group 2 is used for the key exchange
R1(config-isakmp)#exit
R1(config)#crypto isakmp key 0 cisco address 34.1.1.2 # the pre-shared key is cisco; the peer's public IP is 34.1.1.2
(2) configure phase 2: the data encryption settings
R1(config)#crypto ipsec transform-set R1-R4 esp-3des esp-md5-hmac # data encryption is 3DES using the ESP protocol; data integrity uses md5
R1(cfg-crypto-trans)#mode tunnel # tunnel mode for data transmission
R1(cfg-crypto-trans)#exit
R1(config)#
(3) configure the ACL (selects the traffic to encrypt: the interesting traffic)
R1(config)#access-list 100 permit ip host 192.168.10.1 host 192.168.20.1
(4) configure the crypto map
R1(config)#crypto map Beijing-Shanghai 10 ipsec-isakmp # define a crypto map named Beijing-Shanghai, sequence number 10
R1(config-crypto-map)#match address 100 # match the interesting traffic
R1(config-crypto-map)#set peer 34.1.1.2 # the peer's public address
R1(config-crypto-map)#set transform-set R1-R4 # the transform set to use
(5) apply to the interface
R1(config)#int e1/0
R1(config-if)#crypto map Beijing-Shanghai
R4 configuration:
(1) configure phase 1: the key exchange security policy
R4(config)#crypto isakmp policy 10
R4(config-isakmp)#encryption 3des
R4(config-isakmp)#hash md5
R4(config-isakmp)#authentication pre-share
R4(config-isakmp)#group 2
R4(config-isakmp)#exit
R4(config)#crypto isakmp key 0 cisco address 12.1.1.1
(2) configure phase 2: the data encryption settings
R4(config)#crypto ipsec transform-set R4-R1 esp-3des esp-md5-hmac
R4(cfg-crypto-trans)#mode tunnel
(3) configure the ACL (selects the traffic to encrypt: the interesting traffic)
R4(config)#access-list 100 permit ip host 192.168.20.1 host 192.168.10.1
(4) configure the crypto map
R4(config)#crypto map Shanghai-Beijing 10 ipsec-isakmp
R4(config-crypto-map)#match add 100
R4(config-crypto-map)#set peer 12.1.1.1
R4(config-crypto-map)#set transform-set R4-R1
R4(config-crypto-map)#exit
(5) apply to the interface
R4(config)#int e1/1
R4(config-if)#crypto map Shanghai-Beijing
R4(config-if)#exit
Verification commands:
R2#show crypto isakmp policy # the phase 1 policy
Global IKE policy
Protection suite of priority 10
encryption algorithm: Three key triple DES
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
R2#show crypto isakmp sa # phase 1 negotiation state; ACTIVE means the negotiation succeeded
Crypto IPv4 ISAKMP SA
dst src state conn-id status
34.1.1.2 12.1.1.1 QM_IDLE 1001 ACTIVE
R2#show crypto ipsec transform-set # view the phase 2 transform sets
Transform set default: { esp-aes esp-sha-hmac } # the default transform set
will negotiate = { Transport, },
Transform set BJ-TJ: { esp-3des esp-md5-hmac } # the custom transform set
will negotiate = { Tunnel, },
R2#show crypto map # view the crypto map
R2#show crypto engine connections active # check the number of encrypted and decrypted packets