August 31, 2010

Capturing packets with Wireshark in GNS3

GNS3 can invoke Wireshark to capture packets on a link.
Usage:
First, on one of the routers, ping the router at the other end of the link so that there is traffic flowing on it:
R4#ping 172.16.40.1 size 2000 repeat 1000
Then, in GNS3, right-click the link and choose Capture.

Next, select the source interface.

Once it is selected, you can watch Wireshark capturing the packets.
To see the most recently captured packets, use View -> Reload in Wireshark, or press Ctrl+R to refresh.

August 29, 2010

English vocabulary notes

SWITCH 642-813 chapter 2 vocabulary notes
threshold
KK [ˋθrɛʃhold], DJ [ˋθreʃhəuld]
1. doorsill; threshold [C]
propagate
KK [ˋprɑpə͵get], DJ [ˋprɔpəgeit]
1. to breed, to multiply; to propagate
assumption
KK [əˋsʌmpʃən], DJ [əˋsʌmpʃən]
1. assumption, supposition [U][C][+(that)]
explicitly
KK [ɪkˋsplɪsɪtlɪ], DJ [ikˋsplisitli]
clearly; explicitly

inspect
KK [ɪnˋspɛkt], DJ [inˋspekt]
1. to examine; to inspect
drastic
KK [ˋdræstɪk], DJ [ˋdræstik]
1. drastic, severe
simplification
KK [͵sɪmpləfəˋkeʃən], DJ [͵simplifiˋkeiʃən]
1. simplification
recursive
KK [rɪˋkɝsɪv], DJ [riˋkə:siv]
[Computing] recursive
undergo
KK [͵ʌndɚˋgo], DJ [͵ʌndəˋgəu]
1. to go through; to experience; to endure
firm
KK [fɝm], DJ [fə:m]
1. stable; secure; solid
grasp
KK [græsp], DJ [grɑ:sp]
1. to grip; to hold tightly; to clutch
complex
KK [ˋkɑmplɛks], DJ [ˋkɔmpleks]
1. complicated, intricate; hard to understand
ingress
KK [ˋɪngrɛs], DJ [ˋingres]
1. entering; entrance
flurry
KK [ˋflɝɪ], DJ [ˋflʌri]
1. gust of wind; agitation; commotion
pull off
to take off (clothing)
simultaneously
KK [saɪməlˋtenɪəslɪ], DJ [saiməlˋteiniəsli]
at the same time
portion
KK [ˋporʃən], DJ [ˋpɔ:ʃən]
1. (a) part, portion [C][(+of)]
egress
KK [ˋigrɛs], DJ [ˋi:gres]
1. going out; exit
appropriate
KK [əˋproprɪ͵et], DJ [əˋprəupriət]
suitable, proper, fitting [(+to/for)]
ternary
KK [ˋtɝnərɪ], DJ [ˋtə:nəri]
1. consisting of three; third
compile
KK [kəmˋpaɪl], DJ [kəmˋpail]
1. to compile; to edit
utilize
KK [ˋjut!͵aɪz], DJ [ˋju:tilaiz]
[formal] to make use of
specialized
KK [ˋspɛʃəl͵aɪzd], DJ [ˋspeʃəlaizd]
1. specialized; specialist
prepopulate - to fill in beforehand
consult
KK [kənˋsʌlt], DJ [kənˋsʌlt]
1. to consult with...
penalty
KK [ˋpɛn!tɪ], DJ [ˋpenəlti]
1. punishment; penalty [U][C][(+for)]
decrement
KK [ˋdɛkrɪmənt], DJ [ˋdekrimənt]
decrease, amount of decrease, rate of decrease
exception
KK [ɪkˋsɛpʃən], DJ [ikˋsepʃən]
1. exception; an exceptional person (or thing) [C][(+to...
occur
KK [əˋkɝ], DJ [əˋkə:]
1. to happen
manipulate
KK [məˋnɪpjə͵let], DJ [məˋnipjuleit]
1. to operate or handle (skilfully)
criterion
KK [kraɪˋtɪrɪən], DJ [kraiˋtiəriən]
standard, criterion, yardstick (for judging or criticizing) [C]
criteria
KK [kraɪˋtɪrɪə], DJ [kraiˋtiəriə]
(plural of criterion)
punt
KK [pʌnt], DJ [pʌnt]
flat-bottomed boat
tailored
KK [ˋtelɚd], DJ [ˋteiləd]
1. made to order; well-fitting
stale
KK [stel], DJ [steil]
1. not fresh, spoiled; stuffy
discrepancy
KK [dɪˋskrɛpənsɪ], DJ [disˋkrepənsi]
inconsistency, disagreement, difference; a point of discrepancy [U][C]...
ordinarily
KK [ˋɔrdn͵ɛrɪlɪ], DJ [ˋɔ:dn͵rili]
usually, habitually; generally; normally
duplicate
KK [ˋdjuplə͵ket], DJ [ˋdju:pli͵keit]
1. to duplicate; to copy; to photocopy
implement
KK [ˋɪmpləmənt], DJ [ˋimplimənt]
1. tool; instrument; utensil
evaluate
KK [ɪˋvæljʊ͵et], DJ [iˋvæljueit]
1. to estimate the value of...
abstract
KK [ˋæbstrækt], DJ [ˋæbstrækt]
1. abstract
pattern
KK [ˋpætɚn], DJ [ˋpætən]
1. pattern, design
relevant
KK [ˋrɛləvənt], DJ [ˋrelivənt]
1. related; pertinent; appropriate
concatenate
KK [kɑnˋkætə͵net], DJ [kɔnˋkætineit]
to link together; to join into a chain; to connect
quantity
KK [ˋkwɑntətɪ], DJ [ˋkwɔntiti]
1. quantity, amount [U]

SWITCH 642-813 chapter 3 vocabulary notes
magnitude
KK [ˋmægnə͵tjud], DJ [ˋmægnitju:d]
1. greatness, size [U]
scalability - the ability to scale
leverage
KK [ˋlɛvərɪdʒ], DJ [ˋlevəridʒ]
1. lever action; leverage; means; power; influence
migrate
KK [ˋmaɪ͵gret], DJ [ˋmaigreit]
1. to migrate; to move
predominant
KK [prɪˋdɑmənənt], DJ [priˋdɔminənt]
1. predominant; dominant [(+over)]
arrange
KK [əˋrendʒ], DJ [əˋreindʒ]
1. to put in order; to lay out; to arrange; to prepare
modular
KK [ˋmɑdʒəlɚ], DJ [ˋmɔdjulə]
1. modular
rectangular
KK [rɛkˋtæŋgjəlɚ], DJ [rekˋtæŋgjulə]
1. rectangular, oblong
proprietary
KK [prəˋpraɪə͵tɛrɪ], DJ [prəˋpraiətəri]
1. of an owner, proprietorial; privately owned, privately run; exclusive; patented
tedious
KK [ˋtidɪəs], DJ [ˋti:diəs]
long and boring; tiresome
periodically
KK [pɪrɪˋɑdɪklɪ], DJ [piəriˋɔdikli]
1. periodically
in-line
KK [ˋɪnˋlaɪn], DJ [ˋinˋlain]
[Electricity] coaxial
truncated
KK [ˋtrʌŋketɪd], DJ [ˋtrʌŋkeitid]
shortened; truncated; cut off obliquely at the top

August 28, 2010

NM-16ESW module vs. Catalyst switches

Features that the NM-16ESW module lacks compared with ordinary Catalyst switches,
i.e. features that cannot be simulated in GNS3:
Access Switch Device Manager (SDM) Template
ACL - Improved Merging Algorithm
ARP Optimization
BGP Increased Support of Numbered as-path Access Lists to 500
BGP Restart Neighbor Session After max-prefix Limit Reached
BGP Route-Map Continue Support for Outbound Policy
Clear Counters Per Port
DHCP Snooping
DHCP Snooping Counters
Diagnostics Options on Bootup
ErrDisable Reactivation Per Port
ErrDisable timeout
EtherChannel
EtherChannel - Flexible PAgP
Etherchannel Guard
Fallback Bridging
Flex Link Bi-directional Fast Convergence
Flex Link VLAN Load-Balancing
Flex Links Interface Preemption
GOLD - Generic Online Diagnostics
IEEE 802.1ab, Link Layer Discovery Protocol
IEEE 802.1s - Multiple Spanning Tree (MST) Standard Compliance
IEEE 802.1s VLAN Multiple Spanning Trees
IEEE 802.1t
IEEE 802.1W Spanning Tree Rapid Reconfiguration
IEEE 802.1x - Auth Fail Open
IEEE 802.1x - Auth Fail VLAN
IEEE 802.1x - VLAN Assignment
IEEE 802.1x - Wake on LAN Support
IEEE 802.1x Authenticator
IEEE 802.1X Multi-Domain Authentication
IEEE 802.1x RADIUS Accounting
IEEE 802.1x with Port Security
IEEE 802.3ad Link Aggregation (LACP)
IEEE 802.3af Power over Ethernet
IGMP Fast Leave
IGMP Version 1
IGRP
IP Phone Detection Enhancements
IP Phone Enhancement - PHY Loop Detection
IPSG (IP Source Guard)
Jumbo Frames
L2PT - Layer 2 Protocol Tunneling
MAC Authentication Bypass
MLD Snooping
Multicast Etherchannel Load Balancing
NAC - L2 IEEE 802.1x
NAC - L2 IP
NAC - L2 IP with Auth Fail Open
Packet-Based Storm Control
Per Port Per VLAN Policing
Port Security
Port Security on Private VLAN Ports
Private VLANs
QoS Policy Propagation via Border Gateway Protocol (QPPB)
Rapid-Per-VLAN-Spanning Tree (Rapid-PVST)
Reduced MAC Address Usage
Remote SPAN (RSPAN)
Smart Port
Spanning Tree Protocol (STP) - Loop Guard
Spanning Tree Protocol (STP) - Portfast
Spanning Tree Protocol (STP) - PortFast BPDU Filtering
Spanning Tree Protocol (STP) - Portfast Support for Trunks
Spanning Tree Protocol (STP) - Root Guard
Spanning Tree Protocol (STP) - Uplink Load Balancing
SRR (Shaped Round Robin)
Standby Supervisor Port Usage
STP Syslog Messages
Switching Database Manager (SDM)
Trunk Failover
Trusted boundary (extended trust for CDP devices)
Unicast Mac Filtering
UniDirectional Link Detection (UDLD)
VLAN Access Control List (VACL)
VLAN Aware Port Security
Weighted Tail Drop (WTD)

August 22, 2010

Exam Schedule

I bought two English textbooks at Tenlong; time to start preparing for the CCNP.
English textbooks are really expensive: NT$2,040 each.
With the discount the two books came to NT$3,672, and they threw in a VIP card.

The exam schedule I have drawn up is to pass one exam every six months:
SWITCH (642-813): planned completion 2011/2/22

ROUTE (642-902): planned completion 2011/8/22

TSHOOT (642-832): planned completion 2012/2/22

August 17, 2010

Content of the new CCNP exams

Cisco's official exam descriptions
ROUTE (Implementing Cisco IP Routing) 642-902

1. Planning Routing Services to Requirements
. Assessing Complex Enterprise Network Requirements
. Common Maintenance Process and Procedure
2. Implementing an EIGRP-based Solution
. Planning Routing Implementations with EIGRP
. Implementing and Verifying Basic EIGRP for the Enterprise LAN Architecture
. Configuring and Verifying EIGRP for the Enterprise WAN Architecture
. Implementing and Verifying EIGRP Authentication
. Advanced EIGRP Features in an Enterprise Network

3. Implementing a Scalable Multiarea Network OSPF-Based Solution
. Planning Routing Implementations with OSPF Scalable Routing Protocol
. How OSPF Packet Processes Work
. Improving Routing Performance in a Complex Enterprise Network
. Configuring and Verifying OSPF Routing
. Configuring and Verifying OSPF Summarization
. Configuring and Verifying OSPF Special Area Types
. Configuring and Verifying OSPF Authentication
4. Implementing an IPv4-based Redistribution Solution
. Assessing Network Routing Performance and Security Issues
. Operating a Network Using Multiple IP Routing Protocols
. Configuring and Verifying Route Redistribution
5. Implementing Path Control
. Assessing Path Control Network Performance Issues
6. Connection of an Enterprise Network to an ISP Network
. Planning the Enterprise-to-ISP Connection
. Considering the Advantages of Using BGP
. Comparing the Functions and Uses of EBGP and IBGP
. Configuring and Verifying Basic BGP Operations
. Using the BGP Attributes and Path Selection Process
. IPv6 and Routing for Branch Offices and Remote Workers

SWITCH (Implementing Cisco Switched Networks) 642-813

1. Analyzing Campus Network Designs
. Enterprise Campus Architecture
. Cisco Lifecycle and Network Implementation
2. Implementing VLANs in Campus Networks
. Applying Best Practices for VLAN Topologies
. Configuring Private VLANs
. Configuring Link Aggregation with EtherChannel
3. Implementing Spanning Tree
. Spanning Tree Protocol Enhancements
. Describing STP Stability Mechanisms
4. Implementing Inter-VLAN Routing
. Describing Routing Between VLANs
. Deploying Multilayer Switching with Cisco Express Forwarding
5. Implementing a Highly Available Network
. Understanding High Availability
. Implementing High Availability
6. Configuring Layer 3 High Availability
. Configuring Layer 3 Redundancy with HSRP
. Configuring Layer 3 Redundancy with VRRP and GLBP
7. Minimizing Service Loss and Data Theft in a Campus Network
. Understanding Switch Security Issues
. Protecting Against VLAN Attacks
. Protecting Against Spoofing Attacks
. Securing Network Services
8. Accommodating Voice and Video in Campus Networks
. Planning for Support of Voice in Campus Networks
. Integrating and Verifying VoIP in a Campus Infrastructure
. Working with Specialists to Accommodate Voice and Video on Campus Switches
9. Integrating Wireless LANs into Campus Networks
. Comparing WLANs with Campus Networks
. Assessing the Impact of WLANs on Campus Networks
. Preparing the Campus Infrastructure for WLANs

TSHOOT (Troubleshooting and Maintaining Cisco IP Networks) 642-832

1. Planning Maintenance for Complex Networks
. Applying Maintenance Methodologies
. Common Maintenance Process and Procedure
. Network Maintenance Tools, Applications and Resources
2. Planning Troubleshooting Processes for Complex Enterprise Networks
. Applying Troubleshooting Methodologies
. Planning and Implementing Troubleshooting Procedures
. Integrating Troubleshooting into the Network Maintenance Process
3. Maintenance and Troubleshooting Tools and Applications
. Assessing a Basic Diagnostic Toolkit Using Cisco IOS Software
. Using Specialized Maintenance and Troubleshooting Tools
4. Maintaining and Troubleshooting Campus Switching-Based Solutions
. Troubleshooting VLANs
. Troubleshooting Spanning Tree
. Troubleshooting Switched Virtual Interfaces and Inter-VLAN Routing
. Troubleshooting FHRPs
. Troubleshooting Performance Problems on Switches
5. Maintaining and Troubleshooting Routing-Based Solutions
. Troubleshooting Network Layer Connectivity
. Troubleshooting EIGRP
. Troubleshooting OSPF
. Troubleshooting Route Redistribution
. Troubleshooting BGP
. Troubleshooting Performance Problems on Routers
6. Maintaining and Troubleshooting Network Security Solutions
. Troubleshooting Security Features
. Security Features Review
7. Maintaining and Troubleshooting Integrated, Complex Enterprise Networks
. Troubleshooting Complex Environments

August 16, 2010

Frame Relay lab

R2 is configured to act as the Frame Relay switch; R1 and R3 are ordinary routers.
Frame Relay switch configuration on R2
R2#configure t
R2(config)#frame-relay switching
# enable the Frame Relay switching function
R2(config)#interface ser0/0
R2(config-if)#encapsulation frame-relay
R2(config-if)#int ser0/1
R2(config-if)#encapsulation frame-relay
R2(config-if)#int ser0/0
R2(config-if)#frame-relay intf-type dce
# make this interface the Frame Relay DCE side; this is different from the router's physical DCE interface
R2(config-if)#frame-relay route 102 interface ser0/1 201
# if a frame is received on PVC 102, send it out int s0/1 on PVC 201
R2(config-if)#clock rate 64000
# make this interface the DCE (clocking) end of the serial link; this is different from the Frame Relay DCE
R2(config-if)#no shutdown

R2(config-if)#int ser 0/1
R2(config-if)#frame-relay intf-type dce
R2(config-if)#frame-relay route 201 interface ser0/0 102
# if a frame is received on PVC 201, send it out int s0/0 on PVC 102
R2(config-if)#clock rate 64000
R2(config-if)#no shutdown
R2(config-if)#end

Frame Relay configuration on R1
R1#configure t
R1(config)#interface ser0/0
R1(config-if)#encapsulation frame-relay
R1(config-if)#no shutdown
R1(config-if)#int s0/0.102 point-to-point
R1(config-subif)#ip address 172.16.10.1 255.255.255.0
R1(config-subif)#frame-relay interface-dlci 102
R1(config-fr-dlci)#exit
R1(config-subif)#exit

Frame Relay configuration on R3
R3#configure t
R3(config)#int s0/0
R3(config-if)#encapsulation frame-relay
R3(config-if)#no shutdown
R3(config-if)#int s0/0.201 point-to-point
R3(config-subif)#ip address 172.16.10.2 255.255.255.0
R3(config-subif)#frame-relay interface-dlci 201
R3(config-fr-dlci)#end

Default route on R1
R1#configure t
R1(config)#interface fa1/0
R1(config-if)#ip address 192.168.10.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 172.16.10.2
R1(config)#end

Default route on R3
R3#configure t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#interface fa1/0
R3(config-if)#ip address 192.168.20.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#exit
R3(config)#ip route 0.0.0.0 0.0.0.0 172.16.10.1
R3(config)#end

PC settings
NAME IP/CIDR GATEWAY
PC1 192.168.10.2/24 192.168.10.1
PC2 192.168.20.2/24 192.168.20.1

Test whether the ping gets through
VPCS 1 >ping 192.168.20.2
192.168.20.2 icmp_seq=1 time=23.858 ms
192.168.20.2 icmp_seq=2 time=17.115 ms
192.168.20.2 icmp_seq=3 time=54.599 ms
192.168.20.2 icmp_seq=4 time=17.274 ms
192.168.20.2 icmp_seq=5 time=24.120 ms

VPCS 1 >trace 192.168.20.2
traceroute to 192.168.20.2, 64 hops max
1 192.168.10.1 4.266 ms 6.676 ms 4.128 ms
2 172.16.10.2 17.545 ms 12.691 ms 12.690 ms
3 192.168.20.2 18.085 ms 19.270 ms 11.842 ms

Checking the Frame Relay switch configuration
R2#show frame-relay ?
end-to-end Frame-relay end-to-end VC information
fragment show frame relay fragmentation information
ip show frame relay IP statistics
lmi show frame relay lmi statistics
map Frame-Relay map table
multilink Show Multilink Frame Relay bundle information
pvc show frame relay pvc statistics
qos-autosense show frame relay qos-autosense information
route show frame relay route
traffic Frame-Relay protocol statistics
vc-bundle FR VC-Bundle
vofr Show frame-relay VoFR statistics

R2#show frame-relay route
Input Intf Input Dlci Output Intf Output Dlci Status
Serial0/0 102 Serial0/1 201 active
Serial0/1 201 Serial0/0 102 active
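An added Python example (not part of the original lab) that parses the frame-relay route commands from the R2 configuration above into a DLCI switching table, forwards frames the way the switch does, and flags PVCs that are only routed in one direction, which is the usual reason a ping across a lab Frame Relay cloud fails. The "Status" rule in show_route is a simplification assumed for the example; on a real switch it comes from LMI.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed from the R2 transcript above (only the lines the switch table depends on)
R2_CONFIG = """
interface ser0/0
 frame-relay intf-type dce
 frame-relay route 102 interface ser0/1 201
interface ser0/1
 frame-relay intf-type dce
 frame-relay route 201 interface ser0/0 102
"""


def canonical(intf: str) -> str:
    """Expand IOS abbreviations such as 'ser0/1' or 's0/1' to 'Serial0/1'."""
    m = re.fullmatch(r"(?i)(s|ser|serial)\s*(\d+/\d+)", intf.strip())
    if not m:
        raise ValueError("unsupported interface name: %r" % intf)
    return "Serial" + m.group(2)


class FrameRelaySwitch:
    def __init__(self) -> None:
        # (input interface, input DLCI) -> (output interface, output DLCI)
        self.routes: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self.dce: Set[str] = set()      # interfaces configured with 'frame-relay intf-type dce'

    @classmethod
    def from_config(cls, text: str) -> "FrameRelaySwitch":
        sw = cls()
        current = ""
        for raw in text.splitlines():
            line = raw.strip()
            if line.startswith("interface "):
                current = canonical(line.split(None, 1)[1])
            elif line == "frame-relay intf-type dce":
                sw.dce.add(current)
            elif line.startswith("frame-relay route "):
                m = re.fullmatch(r"frame-relay route (\d+) interface (\S+) (\d+)", line)
                if not m:
                    raise ValueError("cannot parse: " + line)
                sw.routes[(current, int(m.group(1)))] = (canonical(m.group(2)), int(m.group(3)))
        return sw

    def forward(self, in_intf: str, in_dlci: int) -> Optional[Tuple[str, int]]:
        """Where a frame arriving with this DLCI is sent; None means the switch drops it."""
        return self.routes.get((canonical(in_intf), in_dlci))

    def missing_reverse_routes(self) -> List[Tuple[str, int]]:
        """Entries whose output side has no route back; traffic would flow one way only."""
        return [key for key, out in self.routes.items() if self.routes.get(out) != key]

    def show_route(self) -> List[str]:
        """Rows in the layout of 'show frame-relay route' (status rule is a simplification)."""
        lines = ["Input Intf  Input Dlci  Output Intf  Output Dlci  Status"]
        for (ii, idlci), (oi, odlci) in sorted(self.routes.items()):
            active = ii in self.dce and self.routes.get((oi, odlci)) == (ii, idlci)
            lines.append("%-11s %-11d %-12s %-12d %s" % (ii, idlci, oi, odlci,
                                                      "active" if active else "inactive"))
        return lines
```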


R2#show frame-relay lmi

LMI Statistics for interface Serial0/0 (Frame Relay DCE) LMI TYPE = CISCO
Invalid Unnumbered info 0 Invalid Prot Disc 0
Invalid dummy Call Ref 0 Invalid Msg Type 0
Invalid Status Message 0 Invalid Lock Shift 0
Invalid Information ID 0 Invalid Report IE Len 0
Invalid Report Request 0 Invalid Keep IE Len 0
Num Status Enq. Rcvd 355 Num Status msgs Sent 355
Num Update Status Sent 0 Num St Enq. Timeouts 79

LMI Statistics for interface Serial0/1 (Frame Relay DCE) LMI TYPE = CISCO
Invalid Unnumbered info 0 Invalid Prot Disc 0
Invalid dummy Call Ref 0 Invalid Msg Type 0
Invalid Status Message 0 Invalid Lock Shift 0
Invalid Information ID 0 Invalid Report IE Len 0
Invalid Report Request 0 Invalid Keep IE Len 0
Num Status Enq. Rcvd 309 Num Status msgs Sent 309
Num Update Status Sent 0 Num St Enq. Timeouts 108


August 14, 2010

NAT lab


Router_A configuration
(The ACL-related lines were highlighted in red in the original post.)
Router_A#show run
Building configuration...
Current configuration : 754 bytes
!
version 12.4
no service password-encryption
!
hostname Router_A
!
ip ssh version 1
!
interface FastEthernet0/0
ip address 61.1.1.5 255.255.255.252
ip nat outside
duplex auto
speed auto
!

interface FastEthernet0/1
ip address 10.1.4.1 255.255.255.252
ip nat inside
duplex auto
speed auto
!
interface FastEthernet1/0
no ip address
duplex auto
speed auto
shutdown
!
interface Vlan1
no ip address
shutdown
!
router rip
version 2
network 10.0.0.0
!
ip nat pool TTT 61.1.1.5 61.1.1.5 netmask 255.255.255.252
ip nat inside source list 1 pool TTT overload

ip classless
ip route 0.0.0.0 0.0.0.0 61.1.1.6
!
!
access-list 1 permit 10.1.0.0 0.0.255.255
!
line con 0
exec-timeout 0 0
logging synchronous
line vty 0 4
login
!
!
end

After pinging PC_1 from PC_0, check the NAT translation state
Router_A#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 61.1.1.5:41 10.1.8.2:41 61.1.1.10:41 61.1.1.10:41
icmp 61.1.1.5:42 10.1.8.2:42 61.1.1.10:42 61.1.1.10:42
icmp 61.1.1.5:43 10.1.8.2:43 61.1.1.10:43 61.1.1.10:43
icmp 61.1.1.5:44 10.1.8.2:44 61.1.1.10:44 61.1.1.10:44

View the NAT statistics and configuration
Router_A#show ip nat statistics
Total translations: 0 (0 static, 0 dynamic, 0 extended)
Outside Interfaces: FastEthernet0/0
Inside Interfaces: FastEthernet0/1
Hits: 42 Misses: 44
Expired translations: 44
Dynamic mappings:
-- Inside Source
access-list 1 pool TTT refCount 0
pool TTT: netmask 255.255.255.252
start 61.1.1.5 end 61.1.1.5
type generic, total addresses 1 , allocated 0 (0%), misses 0
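An added Python model (not from the original lab) of the overload/PAT behaviour behind the translation table above: access-list 1 selects the inside sources, the single pool address 61.1.1.5 is shared by every flow, and each entry is keyed by protocol and global port so replies can be mapped back to the right inside host. The port-collision rule, the hit/miss counters and the Packet/Translation classes are simplifications assumed for the example, not verified IOS behaviour.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str    # "icmp", "tcp" or "udp"
    src: str
    sport: int    # ICMP identifier for icmp, L4 source port otherwise
    dst: str
    dport: int


@dataclass(frozen=True)
class Translation:
    proto: str
    inside_local: Tuple[str, int]
    inside_global: Tuple[str, int]
    outside: Tuple[str, int]      # outside local == outside global here (no outside NAT)


class PatRouter:
    """Simplified model of 'ip nat inside source list 1 pool TTT overload'.

    Assumption (simplification, not verified IOS behaviour): the original port/ID is
    kept when it is free on the global address, otherwise the next free port above it.
    """

    def __init__(self, inside_match: str, pool_addr: str) -> None:
        self.inside_net = ipaddress.ip_network(inside_match)   # access-list 1 as a prefix
        self.pool_addr = pool_addr                             # pool TTT: start == end
        self.table: Dict[Tuple[str, int], Translation] = {}    # (proto, global port) -> entry
        self.hits = 0
        self.misses = 0

    def _allocate_port(self, proto: str, wanted: int) -> int:
        port = wanted
        while (proto, port) in self.table:
            port += 1
            if port > 65535:
                raise RuntimeError("PAT port space exhausted on " + self.pool_addr)
        return port

    def inside_to_outside(self, pkt: Packet) -> Packet:
        """Packet entering the 'ip nat inside' interface and leaving via 'ip nat outside'."""
        if ipaddress.ip_address(pkt.src) not in self.inside_net:
            return pkt                   # not permitted by the ACL: forwarded untranslated
        local, outside = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
        for tr in self.table.values():
            if (tr.proto, tr.inside_local, tr.outside) == (pkt.proto, local, outside):
                self.hits += 1           # existing entry for this flow
                break
        else:
            self.misses += 1             # new flow: create a dynamic translation
            gport = self._allocate_port(pkt.proto, pkt.sport)
            tr = Translation(pkt.proto, local, (self.pool_addr, gport), outside)
            self.table[(pkt.proto, gport)] = tr
        return Packet(pkt.proto, self.pool_addr, tr.inside_global[1], pkt.dst, pkt.dport)

    def outside_to_inside(self, pkt: Packet) -> Optional[Packet]:
        """Reply arriving on the outside interface. None: no matching entry, so there is
        no inside host to deliver it to (unsolicited inbound traffic is dropped)."""
        tr = self.table.get((pkt.proto, pkt.dport))
        if tr is None or tr.inside_global[0] != pkt.dst or tr.outside[0] != pkt.src:
            return None
        self.hits += 1
        local_addr, local_port = tr.inside_local
        return Packet(pkt.proto, pkt.src, pkt.sport, local_addr, local_port)

    def show_translations(self) -> List[str]:
        """Rows in the layout of 'show ip nat translations'."""
        lines = ["Pro  Inside global      Inside local       Outside local      Outside global"]
        for tr in self.table.values():
            ig, il, o = ("%s:%d" % x for x in (tr.inside_global, tr.inside_local, tr.outside))
            lines.append("%-5s%-19s%-19s%-19s%s" % (tr.proto, ig, il, o, o))
        return lines


# Router_A from the lab above: 'access-list 1 permit 10.1.0.0 0.0.255.255' is 10.1.0.0/16
ROUTER_A = PatRouter("10.1.0.0/16", "61.1.1.5")
```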


Routing tables on the three routers (default routes configured)
Router_A#show ip route
Gateway of last resort is 61.1.1.6 to network 0.0.0.0
10.0.0.0/30 is subnetted, 2 subnets
C 10.1.4.0 is directly connected, FastEthernet0/1
R 10.1.8.0 [120/1] via 10.1.4.2, 00:00:13, FastEthernet0/1
61.0.0.0/30 is subnetted, 1 subnets
C 61.1.1.4 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 61.1.1.6

Router_B#show ip route
61.0.0.0/30 is subnetted, 2 subnets
C 61.1.1.4 is directly connected, FastEthernet0/0
C 61.1.1.8 is directly connected, FastEthernet0/1

Router_C#show ip route
Gateway of last resort is 10.1.4.1 to network 0.0.0.0
10.0.0.0/30 is subnetted, 2 subnets
C 10.1.4.0 is directly connected, FastEthernet0/1
C 10.1.8.0 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 10.1.4.1

August 12, 2010

ACL lab


Experiment 1: standard IP access list
Only allow hosts on the 172.16.30.0 subnet into the 172.16.10.0 network
Router_A#configure t
Enter configuration commands, one per line. End with CNTL/Z.
Router_A(config)#access-list 10 permit 172.16.30.0 0.0.0.255
Router_A(config)#interface fa0/0
Router_A(config-if)#ip access-group 10 out
Router_A(config-if)#exit
Router_A(config)#exit

Router_A#show access-lists
Standard IP access list 10
permit 172.16.30.0 0.0.0.255
Router_A#show ip interface fa0/0
FastEthernet0/0 is up, line protocol is up (connected)
Internet address is 172.16.10.254/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is 10
Inbound access list is not set
Proxy ARP is enabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent

Experiment 2: extended IP access list
Block Telnet from host 172.16.10.1 (Host_A) to router Router_B (172.16.20.2),
while Host_A can still ping Router_B's IP (172.16.20.2)
Router_A#configure t
Enter configuration commands, one per line. End with CNTL/Z.
Router_A(config)#access-list 110 deny tcp host 172.16.10.1 host 172.16.20.2 eq 23
Router_A(config)#access-list 110 permit ip any any
Router_A(config)#interface fa0/0
Router_A(config-if)#ip access-group 110 in
Router_A(config-if)#exit
Router_A(config)#exit
Router_A#show access-lists
Extended IP access list 110
deny tcp host 172.16.10.1 host 172.16.20.2 eq telnet
permit ip any any

Router_A#show ip interface fa0/0
FastEthernet0/0 is up, line protocol is up (connected)
Internet address is 172.16.10.254/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is 110
Proxy ARP is enabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent

Test whether Telnet is blocked by the ACL
Host_A>telnet 172.16.20.2
Trying 172.16.20.2 ...
% Connection timed out; remote host not responding

Host_A>ping 172.16.20.2
Pinging 172.16.20.2 with 32 bytes of data:
Reply from 172.16.20.2: bytes=32 time=50ms TTL=254
Reply from 172.16.20.2: bytes=32 time=80ms TTL=254
Reply from 172.16.20.2: bytes=32 time=50ms TTL=254
Reply from 172.16.20.2: bytes=32 time=60ms TTL=254
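To make the matching in both experiments concrete, here is an added Python model (not part of the original lab) that parses the page's numbered access-list commands, applies IOS wildcard-mask matching, and evaluates packets first-match with the implicit deny at the end. The Packet and Ace classes and the PORT_NAMES table are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80}   # names IOS prints in "show access-lists"
ANY = ("0.0.0.0", "255.255.255.255")                 # "any" == network 0.0.0.0, wildcard all-ones


@dataclass(frozen=True)
class Packet:
    proto: str             # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every protocol
    src: Tuple[str, str]   # (address, wildcard mask)
    dst: Tuple[str, str]
    dport: Optional[int]   # destination port from "eq", if any


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the mask must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)


def _parse_addr(t: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' at t[i]; return (spec, next index)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2


def parse_ace(line: str) -> Tuple[int, Ace]:
    """Parse one numbered 'access-list ...' command into (list number, ACE)."""
    t = line.split()
    number, action = int(t[1]), t[2]
    if 1 <= number <= 99:                       # standard ACL: source address only
        src, _ = _parse_addr(t, 3)
        return number, Ace(action, "ip", src, ANY, None)
    proto = t[3]                                # extended ACL: proto, src, dst, optional "eq <port>"
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return number, Ace(action, proto, src, dst, dport)


class AccessList:
    def __init__(self, lines: List[str]) -> None:
        self.aces = [parse_ace(line)[1] for line in lines]

    def evaluate(self, pkt: Packet) -> str:
        """First matching ACE wins; anything unmatched hits the implicit 'deny any' at the end."""
        for ace in self.aces:
            if ace.proto != "ip" and ace.proto != pkt.proto:
                continue
            if not wildcard_match(pkt.src, *ace.src) or not wildcard_match(pkt.dst, *ace.dst):
                continue
            if ace.dport is not None and ace.dport != pkt.dport:
                continue
            return ace.action
        return "deny"


# The two lists from the experiments above, constructed from the page's commands
ACL10 = AccessList(["access-list 10 permit 172.16.30.0 0.0.0.255"])
ACL110 = AccessList([
    "access-list 110 deny tcp host 172.16.10.1 host 172.16.20.2 eq 23",
    "access-list 110 permit ip any any",
])

if __name__ == "__main__":
    print(ACL10.evaluate(Packet("icmp", "172.16.30.9", "172.16.10.1")))        # permit
    print(ACL10.evaluate(Packet("icmp", "172.16.20.9", "172.16.10.1")))        # deny (implicit)
    print(ACL110.evaluate(Packet("tcp", "172.16.10.1", "172.16.20.2", 23)))    # deny
    print(ACL110.evaluate(Packet("icmp", "172.16.10.1", "172.16.20.2")))       # permit
```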

August 8, 2010

Inter-VLAN lab 2 (router on a stick)



Router configuration
R1#config t
R1(config)#line console 0
R1(config-line)#exec-timeout 0 0
R1(config-line)#logging synchronous
R1(config-line)#exit
R1(config)#interface fa0/0
R1(config-if)#no shutdown
R1(config-if)#exit

R1(config)#interface fa0/0.10
R1(config-subif)#encapsulation dot1Q 10
R1(config-subif)#ip address 10.0.0.1 255.255.255.0
R1(config-subif)#exit
R1(config)#interface fa0/0.20
R1(config-subif)#encapsulation dot1Q 20
R1(config-subif)#ip address 20.0.0.1 255.255.255.0
R1(config-subif)#exit
R1(config)#interface fa0/0.30
R1(config-subif)#encapsulation dot1Q 30
R1(config-subif)#ip address 30.0.0.1 255.255.255.0
R1(config-subif)#exit
R1(config)#end

R1#show ip int brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 unassigned YES unset up up
FastEthernet0/0.10 10.0.0.1 YES manual up up
FastEthernet0/0.20 20.0.0.1 YES manual up up
FastEthernet0/0.30 30.0.0.1 YES manual up up
R1#wr

Important: every switch must already have VLANs 10, 20 and 30 in its VLAN database,
otherwise the trunk ports will not forward VLAN 10/20/30 frames
(a trunk port only forwards frames for VLANs that exist in its VLAN database).
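The rule in the note above (a trunk only carries VLANs present in the VLAN database) together with the dot1Q subinterfaces on R1, as an added Python example that is not part of the original lab: it builds and parses 802.1Q-tagged Ethernet frames, models a trunk port dropping frames for VLANs missing from the database, and maps a tagged frame to the R1 subinterface that would receive it. The MAC addresses, the sample payload and the native-VLAN handling are assumptions for the example.

```python
import struct
from typing import Dict, Optional, Set, Tuple

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Router-on-a-stick subinterfaces from the R1 configuration above (VID -> gateway address)
R1_SUBINTERFACES = {10: "10.0.0.1", 20: "20.0.0.1", 30: "30.0.0.1"}


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame (FCS omitted)."""
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload


def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag after the source MAC: TPID 0x8100, then TCI = PCP(3) DEI(1) VID(12)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    tci = ((pcp & 0x7) << 13) | (vid & 0xFFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_tag(frame: bytes) -> Tuple[Optional[int], int, bytes]:
    """Return (VID or None when untagged, EtherType, payload)."""
    if len(frame) < 14:
        raise ValueError("truncated frame")
    (first,) = struct.unpack("!H", frame[12:14])
    if first == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return tci & 0xFFF, ethertype, frame[18:]
    return None, first, frame[14:]


def trunk_egress(frame: bytes, vlan_db: Set[int], native_vid: int = 1) -> Optional[bytes]:
    """Model of a dot1q trunk port: a frame whose VLAN is not in the switch's VLAN
    database is dropped (None); untagged frames are treated as the native VLAN."""
    vid, _, _ = parse_tag(frame)
    if vid is None:
        vid = native_vid
    return frame if vid in vlan_db else None


def router_subinterface(frame: bytes, subifs: Dict[int, str]) -> Optional[str]:
    """Gateway address of the R1 subinterface that receives this tagged frame, if any."""
    vid, _, _ = parse_tag(frame)
    return None if vid is None else subifs.get(vid)


# Constructed sample: a broadcast from a VPCS host in VLAN 10 with a dummy 20-byte payload
SAMPLE = build_frame("ff:ff:ff:ff:ff:ff", "00:50:79:66:68:00", ETHERTYPE_IPV4, bytes(20))
```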

SW_A configuration
SW_A(config)#line console 0
SW_A(config-line)#exec-timeout 0 0
SW_A(config-line)#logging synchronous
SW_A(config-line)#exit
SW_A(config)#exit
SW_A#vlan database
SW_A(vlan)#vlan 10
VLAN 10 added:
Name: VLAN0010
SW_A(vlan)#vlan 20
VLAN 20 added:
Name: VLAN0020
SW_A(vlan)#vlan 30
VLAN 30 added:
Name: VLAN0030
SW_A(vlan)#exit
SW_A#configure t
Enter configuration commands, one per line. End with CNTL/Z.
SW_A(config)#interface fa0/0
SW_A(config-if)#switchport mode trunk
SW_A(config-if)#switchport trunk encapsulation dot1q
SW_A(config-if)#no shut
SW_A(config-if)#exit
SW_A(config)#interface fa0/10
SW_A(config-if)#switchport mode access
SW_A(config-if)#switchport access vlan 10
SW_A(config-if)#no shutdown
SW_A(config-if)#exit
SW_A(config)#interface fa0/15
SW_A(config-if)#switchport mode access
SW_A(config-if)#switchport access vlan 20
SW_A(config-if)#no shutdown
SW_A(config-if)#exit
SW_A(config)#interface range fa0/13 - 14
SW_A(config-if-range)#switchport mode trunk
SW_A(config-if-range)#switchport trunk encapsulation dot1q
SW_A(config-if-range)#no shutdown
SW_A(config-if-range)#exit
SW_A(config)#exit
SW_A#wr

SW_B configuration
SW_B#config t
SW_B(config)#line console 0
SW_B(config-line)#exec-timeout 0 0
SW_B(config-line)#logging synchronous
SW_B(config-line)#exit
SW_B(config)#exit
SW_B#vlan database
SW_B(vlan)#vlan 10
VLAN 10 added:
Name: VLAN0010
SW_B(vlan)#vlan 20
VLAN 20 added:
Name: VLAN0020
SW_B(vlan)#vlan 30
VLAN 30 added:
Name: VLAN0030
SW_B(vlan)#exit
SW_B#configure t
Enter configuration commands, one per line. End with CNTL/Z.
SW_B(config)#interface range fa0/3 - 4
SW_B(config-if-range)#switchport mode trunk
SW_B(config-if-range)#switchport trunk encapsulation dot1q
SW_B(config-if-range)#no shutdown
SW_B(config-if-range)#exit
SW_B(config)#interface range fa0/13 - 14
SW_B(config-if-range)#switchport mode trunk
SW_B(config-if-range)#switchport trunk encapsulation dot1q
SW_B(config-if-range)#no shutdown
SW_B(config-if-range)#exit
SW_B(config)#interface fa0/10
SW_B(config-if)#switchport mode access
SW_B(config-if)#switchport access vlan 10
SW_B(config-if)#no shutdown
SW_B(config-if)#exit
SW_B(config)#interface fa0/15
SW_B(config-if)#switchport mode access
SW_B(config-if)#switchport access vlan 30
SW_B(config-if)#no shutdown
SW_B(config-if)#exit
SW_B(config)#exit
SW_B#wr

SW_C configuration
SW_C#configure t
SW_C(config)#line console 0
SW_C(config-line)#exec-timeout 0 0
SW_C(config-line)#logging synchronous
SW_C(config-line)#end
SW_C#vlan database
SW_C(vlan)#vlan 10
VLAN 10 added:
Name: VLAN0010
SW_C(vlan)#vlan 20
VLAN 20 added:
Name: VLAN0020
SW_C(vlan)#vlan 30
VLAN 30 added:
Name: VLAN0030
SW_C(vlan)#exit
SW_C#configure t
SW_C(config)#interface range fa0/3 - 4
SW_C(config-if-range)#switchport mode trunk
SW_C(config-if-range)#switchport trunk encapsulation dot1q
SW_C(config-if-range)#no shutdown
SW_C(config-if-range)#exit
SW_C(config)#interface fa0/10
SW_C(config-if)#switchport mode access
SW_C(config-if)#switchport access vlan 20
SW_C(config-if)#exit
SW_C(config)#interface fa0/15
SW_C(config-if)#switchport mode access
SW_C(config-if)#switchport access vlan 30
SW_C(config-if)#no shutdown
SW_C(config-if)#exit
SW_C(config)#exit
SW_C#wr

Finally, test whether the pings get through.

August 7, 2010

Inter-VLAN lab 1


Router configuration
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#int F0/0
Router(config-if)#speed 100
Router(config-if)#duplex full
Router(config-if)#no shut
Router(config-if)#int f0/0.10
Router(config-subif)#encapsulation dot1q 10
Router(config-subif)#ip address 10.0.0.1 255.255.255.0
Router(config-if)#int F0/1
Router(config-if)#speed 100
Router(config-if)#duplex full
Router(config-if)#no shut

Router(config-if)#int f0/1.20
Router(config-subif)#encapsulation dot1q 20
Router(config-subif)#ip address 20.0.0.1 255.255.255.0
Router(config-if)#int F1/0
Router(config-if)#speed 100
Router(config-if)#duplex full
Router(config-if)#no shut
Router(config-if)#int f1/0.30
Router(config-subif)#encapsulation dot1q 30
Router(config-subif)#ip address 30.0.0.1 255.255.255.0
Router(config-if)#end
Router#copy run start

Sales_Switch configuration
Sales_Switch>en
Sales_Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Sales_Switch(config)#vlan 10
Sales_Switch(config-vlan)#name Sales
Sales_Switch(config)#int F1/0
Sales_Switch(config-if)#switchport mode access
Sales_Switch(config-if)#switchport access vlan 10
Sales_Switch(config-if)#spanning-tree portfast
Sales_Switch(config-if)#no shut
Sales_Switch(config-if)#int F1/1
Sales_Switch(config-if)#switchport mode access
Sales_Switch(config-if)#switchport access vlan 10
Sales_Switch(config-if)#spanning-tree portfast
Sales_Switch(config-if)#no shut
Sales_Switch(config-if)#int F1/15
Sales_Switch(config-if)#speed 100
Sales_Switch(config-if)#duplex full
Sales_Switch(config-if)#switchport mode trunk
Sales_Switch(config-if)#switchport trunk encapsulation dot1q
Sales_Switch(config-if)#no shut
Sales_Switch(config-if)#int vlan 1
Sales_Switch(config-if)#ip add 10.0.0.2 255.255.255.0
Sales_Switch(config-if)#exit
Sales_Switch(config)#ip default-gateway 10.0.0.1
Sales_Switch(config)#exit
Sales_Switch#copy run start

MIS_Switch configuration
MIS_Switch>en
MIS_Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
MIS_Switch(config)#vlan 20
MIS_Switch(config-vlan)#name MIS
MIS_Switch(config)#int F1/0
MIS_Switch(config-if)#switchport mode access
MIS_Switch(config-if)#switchport access vlan 20
MIS_Switch(config-if)#spanning-tree portfast
MIS_Switch(config-if)#no shut
MIS_Switch(config-if)#int F1/1
MIS_Switch(config-if)#switchport mode access
MIS_Switch(config-if)#switchport access vlan 20
MIS_Switch(config-if)#spanning-tree portfast
MIS_Switch(config-if)#no shut
MIS_Switch(config-if)#int F1/15
MIS_Switch(config-if)#speed 100
MIS_Switch(config-if)#duplex full
MIS_Switch(config-if)#switchport mode trunk
MIS_Switch(config-if)#switchport trunk encapsulation dot1q
MIS_Switch(config-if)#no shut
MIS_Switch(config-if)#int vlan 1
MIS_Switch(config-if)#ip add 20.0.0.2 255.255.255.0
MIS_Switch(config-if)#exit
MIS_Switch(config)#ip default-gateway 20.0.0.1
MIS_Switch(config)#exit
MIS_Switch#copy run start

IT_Switch configuration
IT_Switch>en
IT_Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
IT_Switch(config)#vlan 30
IT_Switch(config-vlan)#name IT
IT_Switch(config)#int F1/0
IT_Switch(config-if)#switchport mode access
IT_Switch(config-if)#switchport access vlan 30
IT_Switch(config-if)#spanning-tree portfast
IT_Switch(config-if)#no shut
IT_Switch(config-if)#int F1/1
IT_Switch(config-if)#switchport mode access
IT_Switch(config-if)#switchport access vlan 30
IT_Switch(config-if)#spanning-tree portfast
IT_Switch(config-if)#no shut
IT_Switch(config-if)#int F1/15
IT_Switch(config-if)#speed 100
IT_Switch(config-if)#duplex full
IT_Switch(config-if)#switchport mode trunk
IT_Switch(config-if)#switchport trunk encapsulation dot1q
IT_Switch(config-if)#no shut
IT_Switch(config-if)#int vlan 1
IT_Switch(config-if)#ip add 30.0.0.2 255.255.255.0
IT_Switch(config-if)#exit
IT_Switch(config)#ip default-gateway 30.0.0.1
IT_Switch(config)#exit
IT_Switch#copy run start

Test whether pings across the VLANs get through
VPCS 1 >trace 30.0.0.4
traceroute to 30.0.0.4, 64 hops max
1 10.0.0.1 14.348 ms 3.705 ms 2.266 ms
2 30.0.0.4 6.273 ms 6.307 ms 4.841 ms

VPCS 1 >ping 20.0.0.3
20.0.0.3 icmp_seq=1 time=4.440 ms
20.0.0.3 icmp_seq=2 time=5.840 ms
20.0.0.3 icmp_seq=3 time=9.301 ms
20.0.0.3 icmp_seq=4 time=3.420 ms
20.0.0.3 icmp_seq=5 time=3.991 ms

VPCS 1 >ping 20.0.0.4
20.0.0.4 icmp_seq=1 time=3.315 ms
20.0.0.4 icmp_seq=2 time=3.787 ms
20.0.0.4 icmp_seq=3 time=4.505 ms
20.0.0.4 icmp_seq=4 time=4.245 ms
20.0.0.4 icmp_seq=5 time=4.587 ms