CCNA mini-lab on Syslog, NTP, and SSH Operations (from a school handout)

The Packet Tracer (PK) file used in this lab is linked below:
PK file link
Extraction code: a9ne
Topology:
[screenshot]

PS: in the Cisco exercise simulator, if a router asks for a password to enter privileged EXEC mode, as shown below:
[screenshot]
you can use the port bypass method:
[screenshot]
Enter any interface port, then in CLI mode type exit repeatedly until you reach the mode you need.
Tip: if you do not know a command's subcommands, use ? to list them.

PART1:

Step 1: Test connectivity. All devices should be able to ping all other IP addresses.
Since the task says ping all addresses, first check that every host and router IP address can be pinged.

Just use the ping command.

Step 2: Configure OSPF MD5 authentication for all the routers in area 0.
Configure OSPF MD5 authentication for all the routers in area 0.
Roughly, this enables MD5 authentication for area 0 of the OSPF process on every router.
R1 commands:

R1(config)#router ospf 1
R1(config-router)#area 0 authentication message-digest 

R2 and R3 use the same commands.

After this, the following message appears:

00:10:17: %OSPF-5-ADJCHG: Process 1, Nbr 10.2.2.2 on Serial0/0/0 from FULL to DOWN, Neighbor Down: Dead timer expired

This shows that authentication is now in force for area 0 on R1 and that the adjacency with R2 has dropped (R2 is not yet configured with a matching setting).

Step 3: Configure the MD5 key for all the routers in area 0.
Configure an MD5 key on the serial interfaces on R1, R2 and R3. Use the password MD5pa55 for key 1.

Roughly, this adds the password (key) on every router in area 0.
R1 commands:

R1(config)#interface s0/0/0
R1(config-if)#ip ospf message-digest-key 1 md5 MD5pa55

For R2 and R3 the commands differ only in the interface names.
After this configuration, the following appears:

00:20:30: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.1.1 on Serial0/0/0 from LOADING to FULL, Loading Done

The state returns to FULL, showing the adjacency has formed again.

Step 4: Verify configurations.
a. Verify the MD5 authentication configurations using the commands show ip ospf interface.
b. Verify end-to-end connectivity.

This step just checks OSPF state; in config mode, do show ip ospf interface shows it.

Complete Part 1 configuration:
R1:

router ospf 1
area 0 authentication message-digest
interface Serial0/0/0
ip ospf message-digest-key 1 md5 MD5pa55

R2:

router ospf 1
area 0 authentication message-digest
interface Serial0/0/0
ip ospf message-digest-key 1 md5 MD5pa55
interface Serial0/0/1
ip ospf message-digest-key 1 md5 MD5pa55

R3:

router ospf 1
area 0 authentication message-digest
interface Serial0/0/1
ip ospf message-digest-key 1 md5 MD5pa55
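As an added example (not from the lab handout), the digest that `area 0 authentication message-digest` together with `ip ospf message-digest-key 1 md5 MD5pa55` puts on every OSPF packet, computed as RFC 2328 Appendix D specifies, and the receiver-side check that explains the adjacency messages above: a neighbor with a different key or a different key ID fails verification and is ignored. The Hello body and router/area IDs are constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct

AUTYPE_CRYPTO = 2   # OSPF AuType 2 = cryptographic (MD5) authentication
DIGEST_LEN = 16


def md5_auth_digest(packet: bytes, key: bytes) -> bytes:
    # RFC 2328 D.4.3: MD5 over the OSPF packet followed by the key, which is
    # zero-padded (or cut) to 16 octets. IOS takes the key as the ASCII string.
    return hashlib.md5(packet + key[:16].ljust(16, b"\x00")).digest()


def ospf_packet(router_id: str, area_id: str, key_id: int, seq: int, body: bytes) -> bytes:
    """OSPFv2 header (RFC 2328 A.3.1) prepared for AuType 2: checksum stays 0 and
    the 64-bit Authentication field carries 0x0000, Key ID, Auth Data Len (16)
    and a cryptographic sequence number. Type 1 = Hello."""
    header = struct.pack("!BBH4s4sHH", 2, 1, 24 + len(body),
                         socket.inet_aton(router_id), socket.inet_aton(area_id),
                         0, AUTYPE_CRYPTO)
    header += struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    return header + body


def sign(packet: bytes, key: bytes) -> bytes:
    # Sender: the digest is appended after the packet and not counted in Length.
    return packet + md5_auth_digest(packet, key)


def verify(signed: bytes, keys: dict) -> bool:
    """Receiver: look the packet's Key ID up in the interface key table (the
    'ip ospf message-digest-key <id>' entries) and recompute the digest. Any
    mismatch means the Hello is ignored, so the adjacency never forms."""
    if len(signed) < 24 + DIGEST_LEN:
        return False
    packet, digest = signed[:-DIGEST_LEN], signed[-DIGEST_LEN:]
    autype = struct.unpack("!H", packet[14:16])[0]
    key_id = packet[18]
    if autype != AUTYPE_CRYPTO or key_id not in keys:
        return False
    return hmac.compare_digest(digest, md5_auth_digest(packet, keys[key_id]))


# Constructed Hello from R1 (router ID 192.168.1.1) keyed like the lab: key 1 = MD5pa55
HELLO = sign(ospf_packet("192.168.1.1", "0.0.0.0", 1, 1, b"\x00" * 20), b"MD5pa55")
```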

Part 2: Configure NTP
Step 1: Enable NTP authentication on PC-A.
a. On PC-A, click NTP under the Services tab to verify NTP service is enabled.
b. To configure NTP authentication, click Enable under Authentication. Use key 1 and password NTPpa55 for authentication.

First enable the NTP service on PC-A as follows:

[screenshot]
Once everything the arrows point to is done, the NTP service is enabled.

Step 2: Configure R1, R2, and R3 as NTP clients. Verify client configuration using the command show ntp status.

In config mode, do show ntp status shows the NTP status.

Step 3: Configure routers to update hardware clock.
Configure R1, R2, and R3 to periodically update the hardware clock with the time learned from NTP.
Exit global configuration and verify that the hardware clock was updated using the command show clock.
Update the router clock to match the NTP server.
R1 commands, with the intermediate checks:

R1(config)#ntp server 192.168.1.5 key 1
R1(config)#ntp u
R1(config)#ntp update-calendar 
R1(config)#do show clock
*20:37:1.868 UTC Tue Nov 5 2019
R1(config)#do show ntp status
Clock is synchronized, stratum 2, reference is 192.168.1.5
nominal freq is 250.0000 Hz, actual freq is 249.9990 Hz, precision is 2**19
reference time is E140DA5E.0000010A (20:36:46.266 UTC Tue Nov 5 2019)
clock offset is 0.00 msec, root delay is 0.00  msec
root dispersion is 0.02 msec, peer dispersion is 0.02 msec.

NTP is in effect and the router clock matches the NTP server.

Step 4: Configure NTP authentication on the routers.
Configure NTP authentication on R1, R2, and R3 using key 1 and password NTPpa55.

That is, enable NTP authentication.
R1 commands:

R1(config)# ntp authenticate
R1(config)# ntp trusted-key 1
R1(config)# ntp authentication-key 1 md5 NTPpa55

Step 5: Configure routers to timestamp log messages.
Configure timestamp service for logging on the routers.
Add timestamps to the routers' log messages. R1 command:

R1(config)#service timestamps log datetime msec

Complete Part 2 configuration:
R1, R2 and R3:

ntp authentication-key 1 md5 080F787E19185042 7
ntp authenticate
ntp trusted-key 1
ntp server 192.168.1.5 key 1
ntp update-calendar
service timestamps log datetime msec
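An added example (not from the handout) of what the NTP commands above do on the wire: `ntp server 192.168.1.5 key 1` appends a key ID and an MD5 MAC to each request, and `ntp authenticate` with `ntp trusted-key 1` makes the router use only replies whose MAC verifies under a trusted key, as RFC 5905 Appendix A describes. The packet fields are constructed; the ASCII key string is assumed to be what IOS feeds into MD5.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48     # fixed NTPv4 header (RFC 5905 section 7.3)
MAC_LEN = 4 + 16    # 32-bit key ID followed by a 16-byte MD5 digest


def ntp_md5_mac(header: bytes, key: bytes) -> bytes:
    # RFC 5905 Appendix A: with MD5 keys the digest is MD5(key || header).
    # Assumed: IOS uses the ASCII key string ('ntp authentication-key 1 md5 NTPpa55').
    return hashlib.md5(key + header).digest()


def ntp_packet(mode: int, xmt: int, key_id: int, key: bytes) -> bytes:
    """Constructed NTPv4 packet (LI=0, VN=4) with key ID and MAC appended.
    mode 3 = client request (what 'ntp server ... key 1' sends), mode 4 = server reply."""
    first = (4 << 3) | mode                                        # LI=0, VN=4, Mode
    header = struct.pack("!BBbbIII", first, 2, 6, -20, 0, 0, 0)   # stratum 2, poll 6, precision
    header += b"\x00" * 24 + struct.pack("!Q", xmt)               # ref/orig/recv = 0, transmit ts
    return header + struct.pack("!I", key_id) + ntp_md5_mac(header, key)


def accept_reply(packet: bytes, trusted: dict) -> bool:
    """The client-side checks that 'ntp authenticate' plus 'ntp trusted-key 1'
    switch on: a reply is used only if it is a server-mode packet that carries a
    MAC whose key ID is trusted and whose digest verifies under that key."""
    if len(packet) != HEADER_LEN + MAC_LEN or packet[0] & 0x07 != 4:
        return False
    header, trailer = packet[:HEADER_LEN], packet[HEADER_LEN:]
    key_id = struct.unpack("!I", trailer[:4])[0]
    if key_id not in trusted:
        return False
    return hmac.compare_digest(trailer[4:], ntp_md5_mac(header, trusted[key_id]))


TRUSTED = {1: b"NTPpa55"}   # the lab's key 1; key 2 or any other ID is not trusted
# The reference timestamp from the 'show ntp status' output above, as a 64-bit value
REFERENCE_TS = 0xE140DA5E0000010A
```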

Note: in do show running-config the key appears encrypted; this does not affect the exercise.

Part 3: Configure Routers to Log Messages to the Syslog Server
Step 1: Configure the routers to identify the remote host (Syslog Server) that will receive logging messages.
The router console will display a message that logging has started.

This tells the routers to send their log messages to the Syslog Server.
Commands for R1, R2 and R3:

logging 192.168.1.6

Step 2: Verify logging configuration.
Use the command show logging to verify logging has been enabled.

Just verification again: do show logging

Step 3: Examine logs of the Syslog Server.
From the Services tab of the Syslog Server's dialogue box, select the Syslog services button. Observe the logging messages received from the routers.
Note: Log messages can be generated on the server by executing commands on the router. For example, entering and exiting global configuration mode will generate an informational configuration message. You may need to click a different service and then click Syslog again to refresh the message display.

Now do something on a router to show that its activity reaches the Syslog Server:
On R1, type exit until you are back in privileged EXEC mode, then enter conf t again; the Syslog Server shows the following:
[screenshot]
This confirms the routers are being logged.
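An added example, not part of the handout, of what an operator does with the messages that now arrive at the Syslog Server: parse the IOS `%FACILITY-SEVERITY-MNEMONIC` format (timestamped by `service timestamps log datetime msec`) and flag the events worth attention, such as the config-mode message mentioned above and the OSPF neighbor-down message seen in Part 1. The log lines are constructed samples.

```python
import re

# Constructed lines in the format produced by 'service timestamps log datetime msec'
# (a leading '*' means the clock is not authoritative, '.' that NTP sync was lost).
SAMPLE_LOG = """\
Nov  5 20:36:46.266: %SYS-5-CONFIG_I: Configured from console by console
Nov  5 20:37:01.868: %OSPF-5-ADJCHG: Process 1, Nbr 10.2.2.2 on Serial0/0/0 from FULL to DOWN, Neighbor Down: Dead timer expired
Nov  5 20:37:40.102: %OSPF-5-ADJCHG: Process 1, Nbr 10.2.2.2 on Serial0/0/0 from LOADING to FULL, Loading Done
*Nov  5 20:38:12.500: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to down
"""

LINE_RE = re.compile(
    r"^(?P<flag>[*.]?)(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{3})?): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$")


def parse_line(line: str):
    """Return the fields of one IOS log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    rec["clock_trusted"] = rec.pop("flag") == ""   # timestamps are only reliable when NTP-synced
    return rec


def triage(log: str):
    """Pick out the events an operator watching the syslog server cares about."""
    alerts = []
    for line in log.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        code = f'{rec["facility"]}-{rec["severity"]}-{rec["mnemonic"]}'
        if rec["severity"] <= 2:
            alerts.append((code, "critical or worse: " + rec["text"]))
        elif code == "SYS-5-CONFIG_I":
            alerts.append((code, "configuration changed: " + rec["text"]))
        elif code == "OSPF-5-ADJCHG" and "to DOWN" in rec["text"]:
            alerts.append((code, "OSPF neighbor lost: " + rec["text"]))
        elif code == "LINEPROTO-5-UPDOWN" and rec["text"].endswith("to down"):
            alerts.append((code, "interface down: " + rec["text"]))
    return alerts
```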

Part 4: Configure R3 to Support SSH Connections

Step 1: Configure a domain name.
Configure a domain name of ccnasecurity.com on R3.
R3 commands:

ip domain-name ccnasecurity.com

Step 2: Configure users for login to the SSH server on R3.
Create a user ID of SSHadmin with the highest possible privilege level and a secret password of ciscosshpa55.
Commands:

username SSHadmin privilege 15 secret ciscosshpa55

Step 3: Configure the incoming vty lines on R3.
Use the local user accounts for mandatory login and validation. Accept only SSH connections.

Commands:

line vty 0 4
login local
transport input ssh

Step 4: Erase existing key pairs on R3.
Any existing RSA key pairs should be erased on the router. Note: If no keys exist, you might receive this message: % No Signature RSA Keys found in configuration.
Leaving this for now...

Step 5: Generate the RSA encryption key pair for R3.
The router uses the RSA key pair for authentication and encryption of transmitted SSH data. Configure the RSA keys with a modulus of 1024. The default is 512, and the range is from 360 to 2048.
Commands:

R3(config-line)#crypto key generate rsa
The name for the keys will be: R3.ccnasecurity.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.


How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

Step 6: Verify the SSH configuration.
Use the show ip ssh command to see the current settings. Verify that the authentication timeout and retries are at their default values of 120 and 3.
Verification again.

Step 7: Configure SSH timeouts and authentication parameters.
The default SSH timeouts and authentication parameters can be altered to be more restrictive. Set the timeout to 90 seconds, the number of authentication retries to 2, and the version to 2. Issue the show ip ssh command again to confirm that the values have been changed.

Set the SSH parameters:

ip ssh version 2
ip ssh authentication-retries 2
ip ssh time-out 90
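Steps 1 to 7 together define R3's SSH-only management baseline; as an added example (not from the handout), a small audit of a running-config against that baseline, with a weak configuration beside a hardened one. Both configs are constructed samples, not the lab's .pkt contents, and the type-5 hash is a placeholder.

```python
import re

# Constructed sample running-configs (not the lab's .pkt contents); the type-5 hash is a placeholder.
WEAK = """\
username SSHadmin privilege 15 password 0 ciscosshpa55
ip ssh version 1
line vty 0 4
 login
 transport input telnet ssh
"""
HARDENED = """\
ip domain-name ccnasecurity.com
username SSHadmin privilege 15 secret 5 $1$PLACEHOLDER$HASH
ip ssh version 2
ip ssh time-out 90
ip ssh authentication-retries 2
line vty 0 4
 login local
 transport input ssh
"""

def parse_config(cfg: str):
    """Top-level lines plus the indented sub-lines of each line/interface block."""
    top, blocks, cur = [], {}, None
    for raw in cfg.splitlines():
        if raw.startswith(" ") and cur:
            blocks[cur].append(raw.strip())
        elif raw.strip() and not raw.startswith("!"):
            top.append(raw.strip())
            cur = raw.strip() if raw.startswith(("line ", "interface ")) else None
            if cur:
                blocks[cur] = []
    return top, blocks

def audit_ssh(cfg: str) -> list:
    """Findings against the lab's SSH-only management requirements (Steps 1-7)."""
    top, blocks = parse_config(cfg)
    text = "\n".join(top)
    ssh = dict(re.findall(r"^ip ssh (\S+) (\S+)$", text, re.M))   # e.g. {'version': '2', 'time-out': '90'}
    findings = [msg for ok, msg in (
        (re.search(r"^ip domain-name \S+", text, re.M), "no ip domain-name (the RSA key pair needs one)"),
        (ssh.get("version") == "2", "ip ssh version 2 not enforced"),
        (int(ssh.get("time-out", 120)) <= 90, "ip ssh time-out above 90 s (default 120)"),
        (int(ssh.get("authentication-retries", 3)) <= 2, "authentication-retries above 2 (default 3)"),
    ) if not ok]
    for user in re.findall(r"^username (\S+) .*\bpassword\b", text, re.M):
        findings.append(f"user {user}: reversible 'password' used instead of hashed 'secret'")
    for head, subs in blocks.items():
        if head.startswith("line vty"):
            findings += [f"{head}: '{req}' missing" for req in ("login local", "transport input ssh") if req not in subs]
    return findings
```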

Step 8: Attempt to connect to R3 via Telnet from PC-C.
Open the Desktop of PC-C. Select the Command Prompt icon. From PC-C, enter the command to connect to R3 via Telnet.

PC> telnet 192.168.3.1

This connection should fail because R3 has been configured to accept only SSH connections on the virtual terminal lines.

Let's look at the effect of the SSH settings:
[screenshot]
Telnet can no longer reach 192.168.3.1.

Step 9: Connect to R3 using SSH on PC-C.
Open the Desktop of PC-C. Select the Command Prompt icon. From PC-C, enter the command to connect to R3 via SSH. When prompted for the password, enter the password configured for the administrator: ciscosshpa55.

PC> ssh -l SSHadmin 192.168.3.1

Again, the result:
[screenshot]
The login succeeded.

Step 10: Connect to R3 using SSH on R2.
To troubleshoot and maintain R3, the administrator at the ISP must use SSH to access the router CLI. From the CLI of R2, enter the command to connect to R3 via SSH version 2 using the SSHadmin user account. When prompted for the password, enter the password configured for the administrator: ciscosshpa55.

The result:
[screenshot]
The login succeeded; the lab is complete!
