Router
Router hostname configuration
Router> enable
Router# config terminal
Router(config)# hostname Router2500
Router2500(config)# exit
Router2500#
Router clock configuration
Router# clock set hh:mm:ss date month year
or
Router# clock set hh:mm:ss month date year
Router Ethernet interface IP configuration
Router2500> enable
Router2500# config terminal
Router2500(config)# interface ethernet 0
Router2500(config-if)# ip address 192.168.0.1 255.255.255.0
Router2500(config-if)# ip address 192.168.0.2 255.255.255.0 secondary
Router2500(config-if)# no shutdown
Router2500(config-if)# end
Router2500# show interface e0 (show interface ethernet 0)
Router2500# ping 192.168.0.1
Router serial interface IP configuration
DTE serial interface command sequence:
Router2500> enable
Router2500# config terminal
Router2500(config)# interface serial 0
Router2500(config-if)# ip address 172.16.0.1 255.255.0.0
Router2500(config-if)# no shutdown
Router2500(config-if)# end
Router2500# show interface s0
Router2500# ping 172.16.0.1
DCE serial interface command sequence:
Router2500> enable
Router2500# config terminal
Router2500(config)# interface serial 0
Router2500(config-if)# ip address 172.16.0.1 255.255.0.0
Router2500(config-if)# clock rate 64000
Router2500(config-if)# no shutdown
Router2500(config-if)# end
Router2500# show interface s0
Router2500# ping 172.16.0.1
Router password settings
Setting the console access password
Router2500> enable
Router2500# config terminal
Router2500(config)# line console 0
Router2500(config-line)# login
Router2500(config-line)# password cisco
Router2500(config-line)# end
Router2500# exit
Setting the Telnet access password for remote hosts
RouterB> enable
RouterB# config terminal
RouterB(config)# line vty 0 4
RouterB(config-line)# login
RouterB(config-line)# password cisco
RouterB(config-line)# end
RouterB# exit
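Setting the privileged-mode access password
Router2500> enable
Router2500# config terminal
Router2500(config)# enable password cisco (the password is displayed in cleartext)
Router2500(config)# end
Router2500# show running-config
Router2500# config terminal
Router2500(config)# no enable password
Router2500(config)# enable secret cisco
Router2500(config)# end
Router2500# show running-config
Router2500# config terminal
Router2500(config)# no enable secret
Saving the router configuration
Store the current configuration held in RAM (the running configuration) in NVRAM so that it becomes the startup configuration for the next boot.
Router2500# copy running-config startup-config
Router2500# write memory
Router2500# show running-config (displays the current configuration)
Router2500# show startup-config (displays the startup configuration)
Clearing the contents of NVRAM
Router2500# erase startup-config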
For routes that are not directly connected, the next hop is the IP address of the adjacent router
a. 2621A Configuration
Router> en
Router# config t
Router(config)# hostname 2621A
2621A(config)# interface fa0/0
2621A(config-if)# ip address 172.16.10.1 255.255.255.0
2621A(config-if)# no shut
b. 2501A Configuration
Router> en
Router# config t
Router(config)# hostname 2501A
2501A(config)# int e0
2501A(config-if)# ip address 172.16.10.2 255.255.255.0
2501A(config-if)# no shut
2501A(config-if)# int s0
2501A(config-if)# ip address 172.16.20.1 255.255.255.0
2501A(config-if)# no shut
c. 2501B Configuration
Router> en
Router# config t
Router(config)# hostname 2501B
2501B(config)# int e0
2501B(config-if)# ip address 172.16.30.1 255.255.255.0
2501B(config-if)# no shut
2501B(config-if)# int s0
2501B(config-if)# ip address 172.16.20.2 255.255.255.0
2501B(config-if)# clock rate 64000
2501B(config-if)# no shut
2501B(config-if)# int s1
2501B(config-if)# ip address 172.16.40.1 255.255.255.0
2501B(config-if)# clock rate 64000
2501B(config-if)# no shut
d. 2501C Configuration
Router> en
Router# config t
Router(config)# hostname 2501C
2501C(config)# int e0
2501C(config-if)# ip address 172.16.50.1 255.255.255.0
2501C(config-if)# no shut
2501C(config-if)# int s0
2501C(config-if)# ip address 172.16.40.2 255.255.255.0
2501C(config-if)# no shut
Setting static routes
a. 2621A
The following networks must be configured in the routing table: 172.16.20.0 172.16.30.0 172.16.40.0 172.16.50.0
2621A(config)# ip route 172.16.20.0 255.255.255.0 172.16.10.2
2621A(config)# ip route 172.16.30.0 255.255.255.0 172.16.10.2
2621A(config)# ip route 172.16.40.0 255.255.255.0 172.16.10.2
2621A(config)# ip route 172.16.50.0 255.255.255.0 172.16.10.2
b. 2501A
The following static routes must be configured on the 2501A router: 172.16.30.0 172.16.40.0 172.16.50.0
2501A(config)# ip route 172.16.30.0 255.255.255.0 172.16.20.2
2501A(config)# ip route 172.16.40.0 255.255.255.0 172.16.20.2
2501A(config)# ip route 172.16.50.0 255.255.255.0 172.16.20.2
c. 2501B
Only two routes need to be added: 172.16.10.0 172.16.50.0.
2501B(config)# ip route 172.16.10.0 255.255.255.0 172.16.20.1
2501B(config)# ip route 172.16.50.0 255.255.255.0 172.16.40.2
d. 2501C
The routing table needs to know about networks 172.16.10.0 172.16.20.0 172.16.30.0
2501C(config)# ip route 172.16.10.0 255.255.255.0 172.16.40.1
2501C(config)# ip route 172.16.20.0 255.255.255.0 172.16.40.1
2501C(config)# ip route 172.16.30.0 255.255.255.0 172.16.40.1
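The static routes above can be checked offline by walking each router's table hop by hop. This is an added example, not part of the original page: the addresses and routes are the ones configured above, while the function names and the simple longest-prefix model are assumptions of the sketch.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Interface addresses and static routes copied from the configurations above.
IFACES = {
    "2621A": ["172.16.10.1/24"],
    "2501A": ["172.16.10.2/24", "172.16.20.1/24"],
    "2501B": ["172.16.30.1/24", "172.16.20.2/24", "172.16.40.1/24"],
    "2501C": ["172.16.50.1/24", "172.16.40.2/24"],
}
STATIC = {  # router -> {next hop: third octets of the destination /24 networks}
    "2621A": {"172.16.10.2": [20, 30, 40, 50]},
    "2501A": {"172.16.20.2": [30, 40, 50]},
    "2501B": {"172.16.20.1": [10], "172.16.40.2": [50]},
    "2501C": {"172.16.40.1": [10, 20, 30]},
}
OWNER = {ip_interface(i).ip: r for r, ifs in IFACES.items() for i in ifs}

def build_tables(static=STATIC):
    """Routing table per router: network -> next hop (None = directly connected)."""
    tables = {}
    for name, ifs in IFACES.items():
        table = {ip_interface(i).network: None for i in ifs}
        for hop, octets in static.get(name, {}).items():
            for o in octets:
                table[ip_network(f"172.16.{o}.0/24")] = ip_address(hop)
        tables[name] = table
    return tables

def trace(tables, src, dst, max_hops=8):
    """Routers a packet from src crosses to reach dst, or None if it is dropped."""
    path, dst = [src], ip_address(dst)
    while len(path) <= max_hops:                 # bound guards against loops
        table = tables[path[-1]]
        matches = [n for n in table if dst in n]
        if not matches:
            return None                          # no route on this router
        hop = table[max(matches, key=lambda n: n.prefixlen)]  # longest prefix
        if hop is None:
            return path
        if hop not in OWNER:
            return None                          # next hop is nobody's interface
        path.append(OWNER[hop])
    return None

def unreachable(tables):
    """(router, network) pairs for which the router cannot deliver a packet."""
    nets = {n for t in tables.values() for n, hop in t.items() if hop is None}
    return sorted((r, str(n)) for r in tables for n in nets
                  if trace(tables, r, n.network_address + 1) is None)
```

With the full set of routes `unreachable(build_tables())` is empty. Removing 2501B's route to 172.16.10.0 leaves 2621A able to send towards 172.16.30.0 while 2501B and 2501C can no longer send replies back to 172.16.10.0.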
RIP protocol configuration
a. 2621A
2621A# config t
2621A(config)# no ip route 172.16.20.0 255.255.255.0 172.16.10.2
2621A(config)# no ip route 172.16.30.0 255.255.255.0 172.16.10.2
2621A(config)# no ip route 172.16.40.0 255.255.255.0 172.16.10.2
2621A(config)# no ip route 172.16.50.0 255.255.255.0 172.16.10.2
2621A(config)# router rip
2621A(config-router)# network 172.16.0.0
2621A(config-router)# ^Z
2621A#
b. 2501A
2501A# config t
2501A(config)# no ip route 172.16.30.0 255.255.255.0 172.16.20.2
2501A(config)# no ip route 172.16.40.0 255.255.255.0 172.16.20.2
2501A(config)# no ip route 172.16.50.0 255.255.255.0 172.16.20.2
2501A(config)# router rip
2501A(config-router)# network 172.16.0.0
2501A(config-router)# ^Z
2501A#
c. 2501B
2501B# config t
2501B(config)# no ip route 172.16.10.0 255.255.255.0 172.16.20.1
2501B(config)# no ip route 172.16.50.0 255.255.255.0 172.16.40.2
2501B(config)# router rip
2501B(config-router)# network 172.16.0.0
2501B(config-router)# ^Z
2501B#
d. 2501C
RouterC# config t
RouterC(config)# no ip route 0.0.0.0 0.0.0.0 172.16.40.1
RouterC(config)# router rip
RouterC(config-router)# network 172.16.0.0
RouterC(config-router)# ^Z
RouterC#
IGRP protocol configuration
a. 2621A
2621A# config t
2621A(config)# router igrp 10
2621A(config-router)# network 172.16.0.0
2621A(config-router)# ^Z
2621A#
b. 2501A
2501A# config t
2501A(config)# router igrp 10
2501A(config-router)# netw 172.16.0.0
2501A(config-router)# ^Z
2501A#
c. 2501B
2501B# config t
2501B(config)# router igrp 10
2501B(config-router)# netw 172.16.0.0
2501B(config-router)# ^Z
2501B#
d. 2501C
2501C# config t
2501C(config)# router igrp 10
2501C(config-router)# netw 172.16.0.0
2501C(config-router)# ^Z
RouterC#
Purpose: deny all hosts on the 172.16.40 subnet access to the Server
Router# config t
Router(config)# access-list 10 deny 172.16.40.0 0.0.0.255
Router(config)# access-list 10 permit any
(or Router(config)# access-list 10 permit 0.0.0.0 255.255.255.255)
Router(config)# interface ethernet 0
Router(config-if)# ip access-group 10 out
Purpose: use a standard ACL to restrict Telnet access to the router to host 172.16.10.3
RouterA(config)# access-list 50 permit host 172.16.10.3
RouterA(config)# line vty 0 4
RouterA(config-line)# access-class 50 in
Purpose: on R2, use an extended ACL to block R3 from Telnet and FTP access to R1
R2# config t
R2(config)# access-list 120 deny tcp 10.2.23.0 0.0.0.255 host 10.1.12.1 eq 23
R2(config)# access-list 120 deny tcp 10.2.23.0 0.0.0.255 172.16.1.0 0.0.0.255 eq 23
R2(config)# access-list 120 deny tcp 10.2.23.0 0.0.0.255 host 10.1.12.1 eq 21
R2(config)# access-list 120 permit ip any any
R2(config)# interface serial 0
R2(config-if)# ip access-group 120 out
1) Restrict ICMP traffic from host 192.168.0.222 to network 131.107.0.0/16
RB(config)# access 101 deny icmp host 192.168.0.222 131.107.0.0 0.0.255.255
RB(config)# access 101 permit ip any any
RB(config)# int e0
RB(config-if)# ip access-group 101 in
RB(config-if)# no ip access-group 101 in
2) Restrict ICMP traffic from network 192.168.0.0/24 to all networks
RB(config)# access 102 deny icmp 192.168.0.0 0.0.0.255 any
RB(config)# access 102 permit ip any any
RB(config)# int e0
RB(config-if)# ip access-group 102 in
RB(config-if)# no ip access-group 102 in
3) Allow only host 192.168.0.99 to reach the 131.107.0.0/16 segment via Telnet
RB(config)# access 103 permit tcp host 192.168.0.99 131.107.0.0 0.0.255.255 eq 23
RB(config)# int e0
RB(config-if)# ip access-group 103 in
RB(config-if)# no ip access-group 103 in
4) Allow all other segments to access only the WWW, FTP and TELNET services of 192.168.0.0/24
RB(config)# access 104 permit tcp any 192.168.0.0 0.0.0.255 eq www
RB(config)# access 104 permit tcp any 192.168.0.0 0.0.0.255 eq ftp
RB(config)# access 104 permit tcp any 192.168.0.0 0.0.0.255 eq telnet
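The ACLs above depend on two rules: wildcard-mask matching and first-match evaluation that ends in an implicit deny. The following is an added example, not part of the original page, that evaluates ACLs 10, 120 and 103 from the page against sample packets. The parser is a simplified sketch that handles only the syntax used here, and its function names are assumptions.

```python
from ipaddress import IPv4Address

PORTS = {"ftp": 21, "telnet": 23, "www": 80}   # keywords used in ACL 104
ANY = (0, 0xFFFFFFFF)                           # wildcard of all ones matches anything

# ACL lines copied from the page ('access' written out as 'access-list').
ACL_10 = ["access-list 10 deny 172.16.40.0 0.0.0.255",
          "access-list 10 permit any"]
ACL_120 = ["access-list 120 deny tcp 10.2.23.0 0.0.0.255 host 10.1.12.1 eq 23",
           "access-list 120 deny tcp 10.2.23.0 0.0.0.255 172.16.1.0 0.0.0.255 eq 23",
           "access-list 120 deny tcp 10.2.23.0 0.0.0.255 host 10.1.12.1 eq 21",
           "access-list 120 permit ip any any"]
ACL_103 = ["access-list 103 permit tcp host 192.168.0.99 131.107.0.0 0.0.255.255 eq 23"]

def _addr(tok):
    """Consume one address spec: 'any', 'host A' or 'A WILDCARD'."""
    first = tok.pop(0)
    if first == "any":
        return ANY
    if first == "host":
        return int(IPv4Address(tok.pop(0))), 0
    return int(IPv4Address(first)), int(IPv4Address(tok.pop(0)))

def parse(line):
    tok = line.split()[2:]                      # drop 'access-list <number>'
    rule = {"action": tok.pop(0), "proto": "ip", "dst": ANY, "port": None}
    extended = tok[0] in ("ip", "tcp", "udp", "icmp")
    if extended:
        rule["proto"] = tok.pop(0)
    rule["src"] = _addr(tok)
    if extended:
        rule["dst"] = _addr(tok)
        if tok and tok[0] == "eq":
            rule["port"] = PORTS.get(tok[1]) or int(tok[1])
    return rule

def _match(spec, ip):
    base, wildcard = spec                       # a 1 bit in the wildcard means "ignore"
    return ((int(IPv4Address(ip)) ^ base) & ~wildcard & 0xFFFFFFFF) == 0

def evaluate(acl, proto, src, dst, port=None):
    """First matching line wins; if none matches, the implicit deny applies."""
    for rule in map(parse, acl):
        if (rule["proto"] in ("ip", proto) and _match(rule["src"], src)
                and _match(rule["dst"], dst) and rule["port"] in (None, port)):
            return rule["action"]
    return "deny"
```

ACL 103 has a single permit line, so while it is applied inbound on e0 every other packet, including other traffic from 192.168.0.99, falls through to the implicit deny.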
Switch
Switch hostname configuration
Switch(config)# hostname hostname
IP address configuration for a switch operating at Layer 2
In global configuration mode, run the following commands to assign an IP address to the management VLAN (VLAN 1 by default).
Switch(config)# interface vlan vlan-id
Switch(config-if)# ip address ip-address netmask
Switch(config-if)# ip default-gateway ip-address
Switch(config-if)# no shutdown
Layer 3 port configuration
Switch(config)# interface type mod/num
Switch(config-if)# no switchport
Switch(config-if)# ip address ip-address mask [secondary]
SVI port configuration
Switch(config)# interface vlan vlan-id
Switch(config-if)# ip address ip-address mask [secondary]
Switch password security configuration
Switch(config)# line con 0
Switch(config-line)# password password
Switch(config-line)# login
Switch(config-line)# line vty 0 15
Switch(config-line)# password password
Switch(config-line)# login
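The router and switch password sections above leave three things worth checking in a saved configuration: an `enable password` (shown in cleartext, unlike `enable secret`), line passwords stored in cleartext, and vty lines with no `access-class`. The following is an added example, not part of the original page, that audits a running-config for them. Both sample configurations are constructed, the hash and encrypted values are placeholders, and `audit` is a hypothetical helper name.

```python
import re

# Constructed running-config excerpt, not captured from a real device.
WEAK = """\
hostname Router2500
enable password cisco
!
line con 0
 password cisco
 login
line vty 0 4
 password cisco
 login
!
end
"""
# Constructed hardened variant. "password 7" is what service password-encryption
# writes; it is reversible obfuscation, so it only hides the value from a glance.
HARDENED = (WEAK.replace("enable password cisco", "enable secret 5 <hash-placeholder>")
                .replace(" password cisco", " password 7 <placeholder>")
                .replace("line vty 0 4\n", "line vty 0 4\n access-class 50 in\n"))

def audit(config):
    """Return findings for an IOS running-config, in the order they occur."""
    findings, line_name, block = [], None, []

    def close_block():
        if line_name is None:
            return
        if any(re.match(r"password (?!\d+ )", c) for c in block):
            findings.append(f"{line_name}: password stored in cleartext")
        if line_name.startswith("line vty") and not any(
                c.startswith("access-class ") for c in block):
            findings.append(f"{line_name}: no access-class limits remote logins")

    for raw in config.splitlines():
        if raw.startswith(" ") and line_name:
            block.append(raw.strip())      # sub-command of the current line block
            continue
        close_block()                      # any unindented line ends the block
        line_name, block = (raw.strip(), []) if raw.startswith("line ") else (None, [])
        if raw.startswith("enable password "):
            findings.append("enable password: cleartext, replace with enable secret")
    close_block()
    return findings
```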
Configuring the VTP mode
Switch(config)# vtp mode {server | client | transparent}
Switch(config)# vtp password password
Configuring the VTP version
Switch(config)# vtp version {1 | 2}
Port security configuration
Enable the protection feature on the port (interface configuration command)
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum max-address
The interface that will use port protection must be identified
Switch(config-if)# switchport port-security violation {shutdown | restrict | protect}
Viewing the MAC address table
Switch# show mac-address-table
Setting a permanent address
Switch(config)# mac-address-table permanent [MAC Address] [type slot/port]
Setting a restricted static address
Switch(config)# mac-address-table restricted static [mac address] [type slot/port] [source interface list]
Deleting table entries
Switch# clear mac-address-table [dynamic|permanent|restricted]
Identifying a port
Switch(config-if)# description description-string
Use the interface configuration command "no description" to remove a description.
Port speed
Switch(config-if)# speed {10 | 100 | auto}
Port mode
Switch(config-if)# duplex {auto | full | half}
Changing the switch forwarding type
View
Switch# show port system
Change
Switch(config)# switching-mode {fragment-free | store-and-forward}
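Network security
Step 1: Secure the system. Implement security protection for devices and/or systems, with the aim of preventing unauthorized access to the network system:
a> "Identity authentication systems", such as one-time passwords, allow access by authenticated and authorized users;
b> "Encryption" can conceal data flows;
c> "Firewalls" can permit or deny specific data flows, so that only legitimate data flows and services are allowed;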