Switch
Switch remote management
int vlanif 1
ip add 192.168.1.150 255.255.255.0
q
user vty 0 4
set auth password cipher 123
user privilege level 3
q
Telnet AAA authentication
telnet server enable \\ enable the remote management service (enabled by default)
user-interface vty 0 4 \\ enter the virtual terminal interfaces and set the number of concurrent user sessions
authentication-mode aaa \\ set the authentication mode to AAA
protocol inbound telnet
aaa \\ enable AAA authentication
local-user user1 password cipher user001 \\ create the user and set its password
local-user user1 service-type telnet \\ set the allowed remote access type to telnet
local-user user1 privilege level 15 \\ set the user's privilege level
display current-configuration
Change the switch name
sysname sw0102
View the current port's configuration
int e0/0/0
display this
View the configuration
display current-configuration
Shut down a port
int g0/0/0
shutdown
Switch MAC address table
display mac-address
Switch's own bridge MAC address
dis bridge mac-address
Switch system information
dis system-information
VLAN
vlan 10
vlan batch 10 20
Add a port to a VLAN
int e0/0/1
port link-type access
port default vlan 10
display port vlan \\ view
Create a trunk link
int e0/0/1
port link-type trunk
port trunk allow-pass vlan all
port group e0/0/0 e0/0/2
port link-type trunk
port trunk allow-pass vlan all
port trunk pvid vlan 100 \\ change the trunk's PVID
int e0/0/1
undo port trunk allow-pass vlan 2-4094
MSTP configuration
stp mode mstp \\ change the mode to MSTP
stp region-configuration
region-name hcie \\ name the region
instance 10 vlan 10
instance 20 vlan 20 \\ create instance 20 and bind VLAN 20 to it
active region-configuration \\ activate the region configuration
stp instance 10 priority 0 \\ make this switch the root for instance 10
stp instance 10 priority 4096 \\ make this switch the secondary root; the priority must be a multiple of 4096 (0, 4096, 8192, ...)
dis curr config mst
Display commands
display stp brief
dis port vlan
dis ip int b
Eth-Trunk static (manual load-balance) mode
int Eth-Trunk 1 \\ create link aggregation interface 1
mode manual load-balance \\ set the mode to static load balancing
trunkport g0/0/1 \\ add member interfaces
trunkport g0/0/2
port link-type trunk \\ set the Eth-Trunk link type to trunk
port trunk allow-pass vlan all \\ allow all VLANs on the trunk
display eth-trunk 1 \\ view
Eth-Trunk LACP mode
int eth-trunk 1
mode lacp-static
trunkport g0/0/1
trunkport g0/0/2
trunkport g0/0/3
port link trunk
port trunk allow vlan all
max active-linknumber 2 \\ set the number of active links to 2
lacp preempt enable \\ enable preemption; must be enabled on both switches
lacp priority 100 \\ change the device's LACP system priority; the lower value becomes the master device (default 32768)
display eth-trunk 1 \\ view
Set the switch's maximum number of active links to 2 (default 8)
int eth-trunk 1 \\ enter Eth-Trunk 1
max active-linknumber 2 \\ set the number of active links to 2
sys
lacp priority 100 \\ change the device's LACP system priority; the lower value becomes the master device (default 32768)
int eth-trunk 1
lacp preempt enable \\ enable preemption; must be enabled on both switches
MUX VLAN
vlan batch 100 200 300
vlan 100 \\ enter VLAN 100
mux-vlan \\ make VLAN 100 the principal VLAN
subordinate group 300 \\ make VLAN 300 a group VLAN
subordinate separate 200 \\ make VLAN 200 the separate (isolated) VLAN
int e0/0/1 \\ add the port to the VLAN
port link access
port default vlan 100
port mux-vlan enable \\ enable MUX VLAN on the port
display mux-vlan
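The three MUX VLAN roles above decide which access ports can reach each other at layer 2: principal ports reach everything, group ports reach the principal VLAN and their own group, separate ports reach only the principal VLAN. The following Python model is an added example, not part of the original notes; it encodes those rules, builds the full reachability matrix for the notes' VLANs 100/200/300, and adds a constructed second group VLAN 310 to show that two different group VLANs are isolated from each other.

```python
from dataclasses import dataclass, field
from itertools import product
from typing import Dict, Set, Tuple


@dataclass
class MuxVlan:
    principal: int                                          # 'mux-vlan' in the principal VLAN view
    group_vlans: Set[int] = field(default_factory=set)      # 'subordinate group <vlan>'
    separate_vlans: Set[int] = field(default_factory=set)   # 'subordinate separate <vlan>'


def role(cfg: MuxVlan, vlan: int) -> str:
    """Classify a VLAN by the role it has inside the MUX VLAN."""
    if vlan == cfg.principal:
        return "principal"
    if vlan in cfg.group_vlans:
        return "group"
    if vlan in cfg.separate_vlans:
        return "separate"
    raise ValueError(f"VLAN {vlan} is not part of this MUX VLAN")


def can_communicate(cfg: MuxVlan, vlan_a: int, vlan_b: int) -> bool:
    """Layer-2 reachability between two access ports, given their VLANs."""
    ra, rb = role(cfg, vlan_a), role(cfg, vlan_b)
    if "principal" in (ra, rb):
        return True                  # principal ports reach every subordinate port
    if ra == rb == "group":
        return vlan_a == vlan_b      # group ports reach only ports in the same group VLAN
    return False                     # separate ports reach nothing but the principal VLAN


def reachability_matrix(cfg: MuxVlan) -> Dict[Tuple[int, int], bool]:
    """Who can talk to whom, for every ordered pair of VLANs in the MUX VLAN."""
    vlans = sorted({cfg.principal, *cfg.group_vlans, *cfg.separate_vlans})
    return {(a, b): can_communicate(cfg, a, b) for a, b in product(vlans, repeat=2)}


# The MUX VLAN from the notes (100 principal, 300 group, 200 separate) plus a
# constructed second group VLAN 310 used only to illustrate group-to-group isolation.
OFFICE = MuxVlan(principal=100, group_vlans={300, 310}, separate_vlans={200})

if __name__ == "__main__":
    for (a, b), ok in sorted(reachability_matrix(OFFICE).items()):
        print(f"vlan {a:>3} -> vlan {b:>3}: {'reachable' if ok else 'blocked'}")
```

The matrix is a quick way to check a design before deploying it: the separate VLAN row should be all blocked except the principal column, which is exactly what makes it suitable for guest or untrusted ports.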
Port isolation group
vlan 10
port group e0/0/1 to e0/0/5
int e0/0/1
port-isolate group 1
Delete a VLANIF on a layer-3 switch
undo int vlanif100
Router
Configure an IP address on a port
int g0/0/0
ip add 192.168.10.254 24
Remote login
user-interface vty 0 4
authentication-mode password
Please configure the login password: password
Router sub-interfaces (router-on-a-stick)
int g0/0/0.10
dot1q termination vid 10
ip add 192.168.10.254 24
arp broadcast enable
int g0/0/0.20
dot1q termination vid 20
ip add 192.168.20.254 24
arp broadcast enable
View port IP addresses
display ip int brief
View the routing table
display ip routing-table
Add a static route manually
ip route-static <destination-network> <mask> <next-hop>
ip route-static 192.168.3.2 24 192.168.2.2
undo ip route-static 192.168.3.2 24 192.168.2.2 \\ delete the static route
Sub-interfaces (router-on-a-stick)
int g0/0/0.10 \\ enter the sub-interface (1-4096)
dot1q termination vid 10 \\ bind the sub-interface to VLAN 10
ip add 192.168.10.254 24
arp broadcast enable \\ enable ARP broadcast
Floating route configuration
ip route-static 0.0.0.0 0 192.168.40.1 preference 70
VRRP: load balancing and gateway redundancy
u t m
sys
int g0/0/0
ip add 192.168.1.252 24
q
int g0/0/0
vrrp vrid 1 virtual-ip 192.168.1.254
vrrp vrid 1 priority 200
display vrrp
display vrrp brief
VRRP interface tracking
u t m
sys
int g0/0/0
ip add 192.168.1.252 24
q
int g0/0/0
vrrp vrid 1 virtual-ip 192.168.1.254
vrrp vrid 1 priority 200
vrrp vrid 1 track int g0/0/1 reduced 110
VRRP plaintext (simple) authentication
int g0/0/0
vrrp vrid 1 virtual-ip 192.168.1.254
vrrp vrid 1 priority 200
vrrp vrid 1 auth simple 1234 \\ the peer must also be configured with 1234 as the password
The password can be seen in a packet capture
vrrp vrid 1 authentication-mode simple 1234 \\ full form of the command
display this \\ view the current port's configuration
VRRP MD5 (cipher) authentication
int g0/0/0
vrrp vrid 1 virtual-ip 192.168.1.254
vrrp vrid 1 priority 200
vrrp vrid 1 auth md5 1234 \\ the peer must also be configured with 1234 as the password
Unlike simple authentication, a packet capture shows only the MD5 digest, not the password itself
vrrp vrid 1 authentication-mode md5 1234
View the configuration
display current-configuration
BFD (Bidirectional Forwarding Detection)
Static BFD
bfd \\ enable BFD globally
q
bfd ac bind peer-ip 192.168.23.3
discriminator local 1
discriminator remote 3
commit
q
bfd \\ enable BFD globally
q
bfd ca bind peer-ip 192.168.12.1
discriminator local 3
discriminator remote 1
commit
q
display bfd session all
vrrp vrid 6 track bfd-session 3 increased 110 \\ link with VRRP; 3 is the local or remote discriminator
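The VRRP sections above combine a base priority with `track ... reduced` (the master lowers its priority when its uplink fails) and `track bfd-session ... increased` (the backup raises its priority when the BFD session to the master fails). The Python model below is an added example, not part of the original notes; it computes the effective priority of each router from the tracked objects that are currently down, clamps it to the configurable 1..254 range (255 is reserved for the virtual-IP owner; the clamping is an assumption about VRP behaviour), and elects the master with the RFC tie-breaker of the higher interface IP. The router names, IPs and the second router R2 are constructed for the scenario.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Track:
    """One 'vrrp vrid N track ...' entry. Both forms act when the tracked object
    goes DOWN: 'reduced' lowers the priority (interface tracking on the master),
    'increased' raises it (BFD session tracking on the backup)."""
    name: str
    mode: str      # "reduced" or "increased"
    value: int


@dataclass
class VrrpRouter:
    name: str
    ip: str                           # interface IP, used as the election tie-breaker
    priority: int = 100               # VRP default VRRP priority
    tracks: List[Track] = field(default_factory=list)


def effective_priority(router: VrrpRouter, down: Dict[str, bool]) -> int:
    """Apply every track whose object is down, then clamp to 1..254."""
    prio = router.priority
    for t in router.tracks:
        if down.get(t.name, False):
            prio += t.value if t.mode == "increased" else -t.value
    return max(1, min(254, prio))


def elect_master(routers: List[VrrpRouter], down: Dict[str, bool]) -> Tuple[str, int]:
    """Highest effective priority wins; on a tie the higher interface IP wins."""
    def key(r: VrrpRouter):
        return (effective_priority(r, down), int(ipaddress.IPv4Address(r.ip)))
    best = max(routers, key=key)
    return best.name, effective_priority(best, down)


# Constructed scenario built from the notes: R1 is the preferred gateway (priority 200)
# and tracks its uplink g0/0/1; R2 keeps the default priority and tracks BFD session 3 to R1.
R1 = VrrpRouter("R1", "192.168.1.252", 200, [Track("g0/0/1", "reduced", 110)])
R2 = VrrpRouter("R2", "192.168.1.253", tracks=[Track("bfd-session 3", "increased", 110)])
ROUTERS = [R1, R2]

if __name__ == "__main__":
    for label, down in (("all up", {}),
                        ("R1 uplink down", {"g0/0/1": True}),
                        ("BFD session to R1 down", {"bfd-session 3": True})):
        print(f"{label:>24}: master = {elect_master(ROUTERS, down)}")
```

Sizing the `reduced` value so that the master drops below the backup's priority (200 - 110 = 90 < 100 here) is what makes the failover actually happen; a reduction that leaves the master above the backup changes nothing.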
DHCP server, global address pool mode
int g0/0/0
ip add 192.168.1.254 24
q
dhcp enable
ip pool it
network 192.168.1.0 mask 24
gateway-list 192.168.1.254
dns-list 8.8.8.8
lease day 3
excluded-ip-address 192.168.1.1 192.168.1.2
int g0/0/0
dhcp select global
display ip pool name it used \\ IP addresses already allocated
DHCP relay
Relay router, configured on the gateway:
dhcp enable
int g0/0/0
dhcp select relay
dhcp relay server-ip 192.168.20.254
Basic ACL
acl 2000
rule 10 deny source 192.168.1.0 0.0.0.255
int g0/0/0
traffic-filter outbound acl 2000
Advanced ACL
acl 3000
rule 10 permit tcp source 192.168.3.1 0 destination 192.168.3.1 0 destination-port eq 80
rule 20 permit ip source 192.168.3.1 0 destination 192.168.3.0 0.0.0.255
rule 30 deny ip source 192.168.3.1 0 destination any
int g0/0/1
traffic-filter inbound acl 3000
Only allow pinging the server
acl 3000
undo rule 10 \\ delete the old rule first
rule 10 permit icmp source 192.168.3.1 0 destination 192.168.3.1 0
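The ACL rules above are evaluated in rule-number order, with `0.0.0.255` and `0` wildcards where a 1 bit means "don't care". The Python below is an added example, not part of the original notes; it implements the wildcard test and first-match evaluation and runs the notes' acl 3000 over a few constructed packets. Permitting packets that match no rule mirrors the VRP `traffic-filter` default and is stated here as an assumption to verify on your platform.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def _ip(text: str) -> int:
    """Parse dotted IPv4; the CLI shorthand '0' (single host wildcard) means 0.0.0.0."""
    return 0 if text == "0" else int(ipaddress.IPv4Address(text))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """VRP-style wildcard: 0.0.0.255 covers a /24, 0 covers exactly one host."""
    care_bits = (~_ip(wildcard)) & 0xFFFFFFFF
    return (_ip(addr) ^ _ip(base)) & care_bits == 0


@dataclass
class Rule:
    number: int
    action: str                   # "permit" or "deny"
    protocol: str                 # "ip" matches every protocol
    src: str
    src_wc: str
    dst: Optional[str] = None     # None means 'destination any'
    dst_wc: str = "0"
    dst_port: Optional[int] = None


@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int] = None


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol != "ip" and rule.protocol != pkt.protocol:
        return False
    if not wildcard_match(pkt.src, rule.src, rule.src_wc):
        return False
    if rule.dst is not None and not wildcard_match(pkt.dst, rule.dst, rule.dst_wc):
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First match in rule-number order wins; unmatched packets are permitted
    (traffic-filter default, assumed here)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, pkt):
            return rule.action, rule.number
    return "permit", None


# acl 3000 exactly as written in the notes
ACL_3000 = [
    Rule(10, "permit", "tcp", "192.168.3.1", "0", "192.168.3.1", "0", 80),
    Rule(20, "permit", "ip", "192.168.3.1", "0", "192.168.3.0", "0.0.0.255"),
    Rule(30, "deny", "ip", "192.168.3.1", "0"),          # destination any
]

if __name__ == "__main__":
    # constructed sample packets
    for pkt in (Packet("tcp", "192.168.3.1", "192.168.3.1", 80),
                Packet("icmp", "192.168.3.1", "192.168.3.77"),
                Packet("tcp", "192.168.3.1", "10.0.0.1", 443),
                Packet("tcp", "192.168.3.2", "10.0.0.1", 443)):
        print(pkt, "->", evaluate(ACL_3000, pkt))
```

Because evaluation stops at the first match, a broad `permit ip` rule placed before a narrow rule silently takes precedence; checking candidate packets against the rule list like this is a cheap way to catch that before the ACL is applied with `traffic-filter`.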
NAT-PAT
nat address-group 5 200.1.1.5 200.1.1.9
nat address-group 4 200.1.1.5 200.1.1.5 \\ only one address
acl 2000
rule 5 permit source 192.168.1.0 0.0.0.255
int g0/0/1
nat outbound 2000 address-group 5
PAT-EasyIP
acl 2000
rule 5 permit source 192.168.1.0 0.0.0.255
int g0/0/1
nat outbound 2000
Uses the outbound interface's IP 200.1.1.1 directly
Map an internal server to the external network
int g0/0/1
nat server protocol tcp global 200.1.1.8 80 inside 192.168.1.1 80
nat server protocol tcp global 200.1.1.8 21 inside 192.168.1.2 21
OSPF
u t m
sys
int g0/0/1
ip add 192.168.1.254 24
int g0/0/0
ip add 192.168.12.1 24
q
-----------default---------------
ospf
area 0
network 192.168.1.0 0.0.0.255
network 192.168.12.0 0.0.0.255
------------recommended-----------------
ospf 1 router-id 1.1.1.1
area 0
network 192.168.1.0 0.0.0.255
network 192.168.12.0 0.0.0.255
display ospf peer brief
display ip routing-table protocol ospf
display ospf brief
display ospf lsdb
Advertise static routes into OSPF
ospf 1
import-route static \\ type 5 LSAs
Advertise a default route into OSPF
ospf 1
default-route-advertise \\ type 5 LSA
OSPF route summarization
ABR (area border router)
R1----R2----R3----R4----R5----R6
abr R34area0 abs asbr
R1:
ospf 1 router-id 1.1.1.1
area 12
network 192.168.12.0 0.0.0.255
network 10.10.1.1 0.0.0.255
network 10.10.2.2 0.0.0.255
network 10.10.3.3 0.0.0.255
On the ABR (area border router):
ospf 1
area 12
abr-summary 10.10.0.0 16
ASBR (autonomous system boundary router)
R1----R2----R3----R4----R5----R6
abr R34area0 abs asbr
R6:
int loop 1
ip add 10.50.1.1 24
int loop 2
ip add 10.50.2.1 24
int loop 3
ip add 10.50.3.1 24
ospf 1
import-route direct \\ advertise the directly connected routes as external routes
ospf 1
asbr-summary 10.50.0.0 255.255.0.0
OSPF authentication
Link (interface) authentication
Plaintext (simple) authentication
R2:
int g0/0/0
ospf auth simple hcie
R3:
int g0/0/1
ospf auth simple hcie
int g0/0/0
ospf auth simple hcie
R4:
int g0/0/1
ospf auth simple hcie
MD5 (cipher) authentication
R4:
int g0/0/0
ospf auth md5 10 hcie
R5:
int g0/0/1
ospf auth md5 10 hcie
Area authentication
ospf 1
area 0
auth md5 5 123456
Link authentication takes precedence over area authentication
OSPF virtual link
R2:
ospf 1
area 34
vlink-peer 5.5.5.5
R5:
ospf 1
area 34
vlink-peer 2.2.2.2
OSPF over GRE
R2 ------- make the two tunnel endpoints reachable to each other:
int loop 0
ip add 10.10.25.2 24
q
ospf 1
area 34
network 10.10.25.0 0.0.0.255
---------- create the tunnel interface, choose the protocol (GRE), set the source IP, set the destination IP ----------
int Tunnel0/0/25
tunnel-protocol gre
source 10.10.25.2
destination 10.10.25.5
--------- assign an IP address to the tunnel interface and advertise its subnet into area 0 ----------
int Tunnel0/0/25 \\ the same tunnel interface created above
ip add 192.168.25.2 24 \\ same subnet as the R5 tunnel end (192.168.25.5)
q
ospf 1
area 0
network 192.168.25.0 0.0.0.255
R5:
int loop 0
ip add 10.10.25.5 24
q
ospf 1
area 34
network 10.10.25.0 0.0.0.255
int Tunnel0/0/25
tunnel-protocol gre
source 10.10.25.5 \\ the tunnel source takes no mask
destination 10.10.25.2
int Tunnel0/0/25 \\ the same tunnel interface created above
ip add 192.168.25.5 24
q
ospf 1
area 0
network 192.168.25.0 0.0.0.255
OSPF multi-process mutual route import
R2:
u t m
sys
int g0/0/1
ip add 192.168.12.1 24
int g0/0/0
ip add 192.168.23.2 24
q
ospf 1 router-id 2.2.2.2
area 34
net 192.168.23.0 0.0.0.255
R2:
ospf 3 router-id 2.2.2.2
area 12
network 192.168.12.0 0.0.0.255
q
ospf 1
import-route ospf 3
ospf 3
import-route ospf 1
OSPF routing table management
Change the cost: the cost (distance) to reach a subnet
R2:
int g0/0/2
ospf cost 3
OSPF route filtering with route-policy
Advertise only one of the static routes on R2
R2:
int g0/0/0
ip add 192.168.12.2 24
int g0/0/1
ip add 192.168.23.1 24
q
ip route-static 192.168.1.0 24 192.168.12.1
ip route-static 192.168.2.0 24 192.168.12.1
--------------------------------------------------
When importing, only import 192.168.2.0, not 192.168.1.0
ospf 1
import-route static route-policy yunxu20
q
route-policy yunxu20 permit node 10
if-match acl 2000
q
acl 2000
rule 10 permit source 192.168.2.0 0.0.0.255
OSPF route filtering with LSA filtering
R5:
acl 2000
rule 10 deny source 192.168.12.0 0.0.0.255
rule 20 permit source any
ospf 1
area 78
filter 2000 import
AC-AP
Step 1: plan the VLANs and IP addresses so the APs can obtain an IP address automatically and learn which device is the AC (via DHCP relay)
Step 2: import the AP MAC addresses offline on the AC, and configure the planned wireless address pools on the DHCP server
Step 3: on the AC, configure the AP addresses, SSIDs, passwords and so on, and push them to the APs
---------------------SW1-----------------------------
sys
vlan batch 200 210 10 20 30 40
port group g0/0/1 to g0/0/5
port link trunk
port trunk allow vlan all
q
int vlan200
ip add 192.168.200.254 24
int vlan88
ip add 192.168.88.254 24
q
dhcp enable
int vlan200
dhcp select relay
dhcp relay server-ip 192.168.88.1
int vlan210
ip add 192.168.210.254 24
vlan batch 10 20 30 40
int vlan10
ip add 192.168.10.254 24
dhcp select relay
dhcp relay server-ip 192.168.88.1
q
int vlan20
ip add 192.168.20.254 24
dhcp select relay
dhcp relay server-ip 192.168.88.1
q
int vlan30
ip add 192.168.30.254 24
dhcp select relay
dhcp relay server-ip 192.168.88.1
q
int vlan40
ip add 192.168.40.254 24
dhcp select relay
dhcp relay server-ip 192.168.88.1
q
-------------------SW 3 4 5 6--------------------------------------
sys
vlan batch 200 210 88
int g0/0/1
port link trunk
port trunk allow vlan all
port trunk pvid vlan 200
int g0/0/2
port link trunk
port trunk allow vlan all
---------------------SW 1-----------------------------------------------
sys
vlan batch 200 210 88
int g0/0/2
port link trunk
port trunk allow vlan all
int g0/0/3
port link acc
port def vlan 210
int g0/0/1
port link acc
port def vlan 88
-------------------DHCP------------------------------------------
DHCP:
dhcp enable
ip pool vlan200
network 192.168.200.0 mask 24
gate 192.168.200.254
exclude 192.168.200.251 192.168.200.253
option 43 sub-option 3 ascii 192.168.210.1
q
int g0/0/0
ip add 192.168.88.1 24
dhcp select global
q
ip route-static 0.0.0.0 0 192.168.88.254
-----------------------------------------
ip pool vlan10
network 192.168.10.0 mask 24
gateway-list 192.168.10.254
dns 8.8.8.8
lease day 3
exclude 192.168.10.251 192.168.10.253
q
ip pool vlan20
network 192.168.20.0 mask 24
gateway-list 192.168.20.254
dns 8.8.8.8
lease day 3
exclude 192.168.20.251 192.168.20.253
q
ip pool vlan30
network 192.168.30.0 mask 24
gateway-list 192.168.30.254
dns 8.8.8.8
lease day 3
exclude 192.168.30.251 192.168.30.253
q
ip pool vlan40
network 192.168.40.0 mask 24
gateway-list 192.168.40.254
dns 8.8.8.8
lease day 3
exclude 192.168.40.251 192.168.40.253
q
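The line `option 43 sub-option 3 ascii 192.168.210.1` in the vlan200 pool is how the APs learn the AC address: the DHCP offer carries option 43, and inside it a sub-option 3 whose value is the AC address as an ASCII string. The Python below is an added example, not part of the original notes; it produces those bytes and parses them back the way an AP would, rejecting truncated or mis-sized TLVs instead of reading past the buffer. Joining several ACs with commas is an assumption about the multi-AC form; the notes use a single address.

```python
import ipaddress
from typing import Dict, List

OPTION_43 = 43
SUBOPT_AC_ASCII = 3   # Huawei AP discovery: AC address list as an ASCII string


def encode_option43_ac(ac_addresses: List[str]) -> bytes:
    """Build the option 43 value that 'option 43 sub-option 3 ascii <ip>' sends."""
    for addr in ac_addresses:
        ipaddress.IPv4Address(addr)                  # reject anything that is not IPv4
    payload = ",".join(ac_addresses).encode("ascii")
    sub_option = bytes([SUBOPT_AC_ASCII, len(payload)]) + payload
    if len(sub_option) > 255:
        raise ValueError("option 43 payload does not fit in one DHCP option")
    return bytes([OPTION_43, len(sub_option)]) + sub_option


def parse_suboptions(option: bytes) -> Dict[int, bytes]:
    """Walk the TLV sub-options inside an option 43 value with full bounds checks."""
    if len(option) < 2 or option[0] != OPTION_43:
        raise ValueError("not a DHCP option 43")
    body = option[2:]
    if len(body) != option[1]:
        raise ValueError("option length does not match payload")
    subs: Dict[int, bytes] = {}
    i = 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated sub-option header")
        code, length = body[i], body[i + 1]
        value = body[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated sub-option value")
        subs[code] = value
        i += 2 + length
    return subs


def ac_addresses_from_option43(option: bytes) -> List[str]:
    """Return the AC addresses an AP would learn from the option, validated as IPv4."""
    subs = parse_suboptions(option)
    if SUBOPT_AC_ASCII not in subs:
        return []
    text = subs[SUBOPT_AC_ASCII].decode("ascii")
    addrs = [a.strip() for a in text.split(",") if a.strip()]
    for addr in addrs:
        ipaddress.IPv4Address(addr)
    return addrs


if __name__ == "__main__":
    encoded = encode_option43_ac(["192.168.210.1"])      # the AC from the notes
    print(encoded.hex(" "))
    print(ac_addresses_from_option43(encoded))
```

Because the AP trusts whatever AC address arrives in option 43, the DHCP server handing out the vlan200 pool is part of the wireless trust boundary; the relay on the access switches should point only at that server, as the notes do with `dhcp relay server-ip 192.168.88.1`.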
AC:
sys
vlan 210
q
int g0/0/1
port link acc
port def vlan 210
int vlan210
ip add 192.168.210.1 24
q
ip route-static 0.0.0.0 0 192.168.210.254
Remaining steps on the AC6605
capwap source int vlan210
wlan
ap-id 1 ap-mac 00e0-fcbd-4350
ap-id 2 ap-mac 00e0-fc42-7c30
ap-id 3 ap-mac 00e0-fcb8-3b40
ap-id 4 ap-mac 00e0-fc0c-70d0
regulatory-domain-profile name zhongguo
country-code CN
q
ap-group name vlan10
regulator zhongguo
y
q
ap-group name vlan20
regulator zhongguo
y
q
ap-group name vlan30
regulator zhongguo
y
q
ap-group name vlan40
regulator zhongguo
y
q
ap-id 1
ap-name vlan10
ap-group vlan10
y
q
ap-id 2
ap-name vlan20
ap-group vlan20
y
q
ap-id 3
ap-name vlan30
ap-group vlan30
y
q
ap-id 4
ap-name vlan40
ap-group vlan40
y
q
wlan
ssid-profile name vlan10
ssid vlan10
q
ssid-profile name vlan20
ssid vlan20
q
ssid-profile name vlan30
ssid vlan30
q
ssid-profile name vlan40
ssid vlan40
q
security-profile name vlan1020
security wpa2 psk pass-phrase a12345678 aes
q
security-profile name vlan3040
security wpa2 psk pass-phrase a12345678 aes
q
vlan pool vlan10
vlan 10
vlan pool vlan20
vlan 20
vlan pool vlan30
vlan 30
vlan pool vlan40
vlan 40
wlan
vap-profile name vlan10
ssid-profile vlan10
security-profile vlan1020
service-vlan vlan-pool vlan10
q
vap-profile name vlan20
ssid-profile vlan20
security-profile vlan1020
service-vlan vlan-pool vlan20
q
vap-profile name vlan30
ssid-profile vlan30
security-profile vlan3040
service-vlan vlan-pool vlan30
q
vap-profile name vlan40
ssid-profile vlan40
security-profile vlan3040
service-vlan vlan-pool vlan40
q
ap-group name vlan10
vap-profile vlan10 wlan 1 radio 0
vap-profile vlan10 wlan 1 radio 1
q
ap-group name vlan20
vap-profile vlan20 wlan 1 radio 0
vap-profile vlan20 wlan 1 radio 1
q
ap-group name vlan30
vap-profile vlan30 wlan 1 radio 0
vap-profile vlan30 wlan 1 radio 1
q
ap-group name vlan40
vap-profile vlan40 wlan 1 radio 0
vap-profile vlan40 wlan 1 radio 1
AP
dis ip int b
dis system-information
Firewall
Default password
admin
Admin@123
y
Admin@123
123..com
123..com
Manage via the web UI
u t m
sys
int g0/0/0
ip add 192.168.10.230 24
service-manage https permit
service-manage ping permit
service-manage enable
quit
web-manager timeout 1440
return
save
y