###### tags: `informatics`
# Packet Tracer notes
### <mark>Switch commands</mark>
* Show (and clear) the MAC address table on a switch
```=
en //enter privileged EXEC mode
show mac-address-table //show the learned MAC-to-port entries
clear mac-address-table //clear the dynamic entries
```
* Set passwords
```=
<no secret: enable password, kept in cleartext in the config--->
enable
config t
enable password ccna123
hostname SW1-CE-1F
exit
<with secret: enable secret, stored as a hash------------------>
enable
config t
enable secret ccna456
//stored as a type 5 (MD5) hash; if both are set, enable secret takes precedence over enable password
<show---------------------------------------------------->
show run //running configuration file
```
* `enable password` shows up in cleartext in `show run`; `service password-encryption` only obfuscates it reversibly (type 7). Use `enable secret`; newer IOS can also hash it with SHA-256 or scrypt (`enable algorithm-type scrypt secret ...`).
* A router has several expansion slots, so more LANs can be added
  - A console cable (light blue, RS-232) from the router to a laptop gives local control of the router
  - A (layer-2) switch still needs a management IP if it is to be reached remotely
  - In interface names such as gi0/0, gi0/1, gi0/2 the first number is the slot (module) and the second is the port number
## <mark>Configuring a LAN on the router</mark>
* Configure the router's gigabit 0/0, 0/1, 0/2, ...
  - One module (slot) has several ports
  - First pick the slot/port, then set its IP address and mask
```=
en
config t
int gi0/1 //choose the network interface
no shut //interfaces are shut down by default (for security); they must be enabled
ip address 192.168.2.254 255.255.255.0 //the address of g0/1 is the LAN's default gateway; set the mask too
```
## <mark>Telnet (plaintext)</mark>
* ```=
config t //from privileged mode
line vty 0 15 //virtual terminals 0~15
password ccna789
login //password-only login on the vty lines
---------------------------------------
//create local users and allow remote login with them
config t
username {username} password {password} //stored in cleartext; "username {username} secret {password}" stores a hash instead
show run | include username //list the local accounts (show users only lists the sessions currently logged in)
line console 0 //enter console line mode
login local //authenticate against the local user database
exit
line vty 0 15 //enter vty mode
login local //authenticate against the local user database
exit
```
* Telnet carries the login and everything typed afterwards in cleartext, so anyone who can capture the traffic gets the password. Lab use only; prefer SSH.
## <mark>SSH</mark>
* ```=
en
config t
hostname {router_name} //the key pair is named after hostname.domain-name, so both must be set before generating it
ip domain-name {router_domain_name}
username {username} secret {password} //create a local user (secret = hashed in the config)
crypto key generate rsa //prompts for the modulus size
2048 //1024 is accepted in Packet Tracer, but 2048 is the sensible minimum today
ip ssh version 2 //SSHv1 has known weaknesses; force v2
line vty 0 15
transport input ssh //accept SSH only (no telnet) on the vty lines
login local //use the local user created above
```
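The password, telnet and SSH notes above describe settings that are either safe or not; checking a saved `show run` for them by hand is error-prone. The following script is an added example (not part of these notes and not a Cisco tool) that parses two constructed running-configs, one with the weak settings from the telnet notes and one with the hardened equivalents, and flags cleartext `enable password` and `username ... password`, vty lines that still use a shared line password or accept telnet, and a missing `ip ssh version 2`. The hostnames, usernames and hash values in the sample configs are made up.

```python
import re

# Constructed sample running-configs (not captured from a real device):
# the first mirrors the weak settings from the telnet/password notes,
# the second the hardened equivalents. The secret hashes are placeholders.
WEAK_CONFIG = """\
hostname SW1-CE-1F
enable password ccna123
username admin password ccna123
!
line vty 0 15
 password ccna789
 login
 transport input telnet
!
"""

HARDENED_CONFIG = """\
hostname SW1-CE-1F
service password-encryption
enable secret 5 $1$abcd$placeholderhashvalue000000
username admin secret 5 $1$abcd$placeholderhashvalue000000
ip domain-name lab.example
ip ssh version 2
!
line vty 0 15
 login local
 transport input ssh
!
"""


def parse_config(text):
    """Split an IOS config into global commands and the indented blocks under 'line ...'."""
    global_cmds, line_blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw.startswith("line "):
            current = raw.strip()
            line_blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            line_blocks[current].append(raw.strip())
        else:
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, line_blocks


def audit(text):
    """Return a list of findings; an empty list means none of the checked weaknesses is present."""
    global_cmds, line_blocks = parse_config(text)
    findings = []
    for cmd in global_cmds:
        if cmd.startswith("enable password "):
            findings.append("enable password: stored in cleartext, use 'enable secret'")
        if re.match(r"username \S+ password ", cmd):
            findings.append(f"{cmd.split()[1]}: local user with cleartext password, use 'username ... secret'")
    if "ip ssh version 2" not in global_cmds:
        findings.append("SSHv2 not enforced: add 'ip ssh version 2'")
    for name, cmds in line_blocks.items():
        if not name.startswith("line vty"):
            continue
        if "login" in cmds:
            findings.append(f"{name}: shared line password ('login'), use 'login local' or AAA")
        allowed = [c.split()[2:] for c in cmds if c.startswith("transport input")]
        if not allowed or any("telnet" in a or "all" in a for a in allowed):
            findings.append(f"{name}: telnet accepted, set 'transport input ssh'")
    return findings


if __name__ == "__main__":
    for finding in audit(WEAK_CONFIG):
        print("WEAK:", finding)
    print("hardened findings:", audit(HARDENED_CONFIG))
```

A vty block with no `transport input` at all is also flagged, because the IOS default on most platforms accepts telnet; the check is deliberately conservative.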
## <mark>Save changes</mark>
* Save locally
```=
en
copy run start //copy running-config to startup-config (NVRAM)
reload //restart; the router boots from startup-config
```
* Back up the router config to a server (TFTP)
```=
en
copy run startup //save running-config to startup-config
copy run tftp //copy running-config to a TFTP server
copy start tftp //copy startup-config to a TFTP server
```
* TFTP has no authentication or encryption, so the backup (including any type 7 passwords, which are trivially reversible) crosses the network in the clear; keep the TFTP server on a management network.
## <mark>Wipe the router config</mark>
* ```=
erase startup-config //delete the saved config in NVRAM (erase start also works)
reload //the running-config cannot be erased directly; reload so the router starts empty
```
## <mark>IP planning</mark>
* Subnet mask: the real size of the network
* Network settings on a host: IP address, subnet mask, default gateway
* ```=
255.255.255.? //block of 32 addresses
calc: 256-32=224
-> 255.255.255.224 / 27
11111111,11111111,11111111,11100000
usable: 30 hosts (32 minus the network address and the broadcast)
the default gateway also takes one of those 30, leaving 29 for hosts
```
* ```=
140.134.30.0/24 split into two /25:
140.134.30.0/25   mask 255.255.255.128 //128 addresses, .0~.127
140.134.30.128/25 mask 255.255.255.128 //128 addresses, .128~.255
```
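The two calculations above (a /27 block of 32 addresses with 30 usable, and a /24 split into two /25) generalise to any block size. The script below is an added example, not part of these notes, that does the arithmetic with Python's standard `ipaddress` module: the prefix for a block of N addresses, the smallest block that fits N hosts once network and broadcast are reserved, and the network/mask/broadcast/gateway of a subnet. The gateway convention (last usable address, e.g. .254 or .126) is the one these notes use, not a rule.

```python
import ipaddress
import math


def prefix_for_block(addresses):
    """Prefix length for a block of exactly `addresses` addresses (a power of two): 32 -> /27."""
    if addresses < 4 or addresses & (addresses - 1):
        raise ValueError("block size must be a power of two, at least 4")
    return 32 - int(math.log2(addresses))


def prefix_for_hosts(hosts):
    """Smallest block that still leaves room for `hosts` after network and broadcast are reserved."""
    return 32 - max(2, math.ceil(math.log2(hosts + 2)))


def describe(cidr):
    """Network, mask, broadcast and the gateway convention used in these notes (last usable address)."""
    net = ipaddress.ip_network(cidr, strict=False)
    usable = list(net.hosts())
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "prefix": net.prefixlen,
        "broadcast": str(net.broadcast_address),
        "gateway": str(usable[-1]),
        "usable_hosts": len(usable),
        "hosts_after_gateway": len(usable) - 1,
    }


def split(cidr, new_prefix):
    """Carve `cidr` into equal subnets of length `new_prefix`, e.g. a /24 into two /25."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [describe(str(sub)) for sub in net.subnets(new_prefix=new_prefix)]


if __name__ == "__main__":
    print(prefix_for_block(32), describe("192.168.2.0/27"))
    for sub in split("140.134.30.0/24", 25):
        print(sub)
```

Note the difference between "32 addresses" and "32 hosts": 32 hosts need a /26, because two of the 32 addresses in a /27 are not assignable.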
## <mark>Configuring multiple networks</mark>

* On the router: one interface per network
* ```=
en
config t
int fa0/0
no shut
ip address 140.134.30.254 255.255.255.0
exit
int fa0/1
no shut
ip address 140.134.10.126 255.255.255.128
exit
```
* ```=
loopback address: 127.0.0.0/8 (local test)
DHCP service
adding network hardware (modules)
private IP address ranges (RFC 1918): 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
```
## <mark>Routing table</mark>
* ```=
show ip route
```
## <mark>Point-to-point link settings</mark>
* R0 set to 192.168.3.1
* R1 set to 192.168.3.2
* Test from the router with `do ping` (`do` runs an EXEC command from config mode)
## <mark>Static routes</mark>

For PC0 to ping PC3, both routers need a static route: each must know the way to the other's LAN, otherwise the reply has no route back
#### ip route {destination network} {mask} {exit interface}
* R1
```=
en
conf t
ip route 172.30.0.0 255.255.0.0 fa0/1
```
* R2
```=
en
conf t
ip route 192.168.10.0 255.255.255.0 fa0/1
```
* A route with only an exit interface on an Ethernet link makes the router ARP for every destination host on that link (it depends on proxy ARP at the neighbour); a next-hop address is the usual form
## Static route: changing the path (next hop)
* conf t
```=
// delete the existing route first
// no ip route {destination network} {mask}
no ip route 192.168.2.0 255.255.255.0
// ip route {destination network} {mask} {next hop}
ip route 192.168.2.0 255.255.255.0 192.168.3.2
```


## <mark>Default route (S*)</mark>
* ```=
ip route 0.0.0.0 0.0.0.0 {next_hop_ip | exit_interface} //mask 0.0.0.0 matches everything; used only when no more specific route matches
ip route 0.0.0.0 0.0.0.0 gi0/2
```
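`show ip route` lists connected (C), static (S) and default (S*) entries, and the router picks the most specific one that matches, which is why the 0.0.0.0/0 route is used only as a last resort and why a next-hop static route must itself be resolved to an exit interface. The following is an added example, not from these notes, of that longest-prefix lookup over a constructed table modelled on the R1 of the static-route section (the prefixes and interfaces are assumptions); it also shows what `no ip route` does to the lookup result.

```python
import ipaddress

# Constructed routing table modelled on this page's R1: two connected networks,
# two static routes via the 192.168.3.2 neighbour, and a default route out gi0/2.
# Columns: code, prefix, next hop, exit interface.
ROUTES = [
    ("C",  "192.168.10.0/24", None,          "fa0/0"),
    ("C",  "192.168.3.0/30",  None,          "fa0/1"),
    ("S",  "172.30.0.0/16",   "192.168.3.2", None),
    ("S",  "192.168.2.0/24",  "192.168.3.2", None),
    ("S*", "0.0.0.0/0",       None,          "gi0/2"),
]


def build_table(routes):
    """Parse the prefixes once; the order is kept only for readability."""
    return [(code, ipaddress.ip_network(prefix), nh, iface)
            for code, prefix, nh, iface in routes]


def lookup(table, dst):
    """Longest-prefix match: the most specific entry wins, 0.0.0.0/0 only when nothing else matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for entry in table:
        net = entry[1]
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = entry
    return best


def resolve(table, dst):
    """Return (code, prefix, exit interface, next hop). A next-hop-only static route
    is resolved recursively: the exit interface comes from the route to the next hop."""
    entry = lookup(table, dst)
    if entry is None:
        return None
    code, net, nh, iface = entry
    if iface is None and nh is not None:
        via = lookup(table, nh)
        iface = via[3] if via else None
    return code, str(net), iface, nh


def remove_route(table, prefix):
    """Equivalent of 'no ip route {network} {mask}': drop the matching entry."""
    net = ipaddress.ip_network(prefix)
    return [e for e in table if e[1] != net]


if __name__ == "__main__":
    table = build_table(ROUTES)
    for dst in ("172.30.5.9", "192.168.2.7", "192.168.10.7", "8.8.8.8"):
        print(dst, "->", resolve(table, dst))
```

Once the 192.168.2.0/24 static route is removed, traffic for that LAN falls through to the default route and leaves via gi0/2, which is exactly the silent misrouting a missing static route causes in the ping test above.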


* Packet capture tools: Ethereal (the old name of Wireshark), tcpreal, Wireshark
## ==Routing protocols==
* RIPv2
* OSPFv2
#### RIPv2 (wired) (dynamic routing)


#### Both sides must enable RIPv2
* R0
```=
#R0
en
conf t
router rip
version 2
no auto-summary //advertise the real subnet masks instead of classful summaries
network 140.134.2.0 //declare which interfaces take part in RIP; network is classful, IOS stores this as network 140.134.0.0 (all 140.134.x.x interfaces)
network 140.134.4.4
network 140.134.4.8
```
* R1
```=
en
conf t
router rip
version 2
no auto-summary
network 140.134.1.0 //declare which interfaces take part in RIP
network 140.134.4.0
network 140.134.4.4
```
* R2
```=
en
conf t
router rip
version 2
no auto-summary
network 140.134.4.0 //declare which interfaces take part in RIP
network 140.134.4.8
```
#### Check what the router has learned
* ```=
show ip route //R = route learned via RIP
```
#### R2 config (adding the CHT link)
```=
#R2
en
conf t
router rip
version 2
no auto-summary
network 192.168.2.0 //declare which interfaces take part in RIP
network 140.134.4.0
network 140.134.4.8
```
Chunghwa Telecom (CHT) uses OSPF and BGP, not RIPv2
### ==Edge router==
* R2 holds the default route, to which every unknown destination is sent
* R0 and R1 need to learn that default route (via RIP)
* ```=
ip route 0.0.0.0 0.0.0.0 gi0/0
router rip
default-information originate //advertise the default route to the RIP neighbours
```
### <mark>RIPv2 vs OSPFv2</mark>
* RIPv2
  - distance vector; the metric is the hop count (maximum 15)
  - tells only its neighbours what it knows (the whole table, every 30 s)
  - uses less memory
  - copes with a changing topology, so it is used in wireless sensor networks (WSN)
  - the backbone cannot be too large
  - slow convergence time
* OSPFv2
  - link state; the cost is derived from the actual link bandwidth (it is not distance vector)
  - floods its link-state information to every router in the area
  - uses more memory (every router holds the whole topology database)
  - fast convergence; suited to fixed (wired) networks
  - not for WSN
* OSPF configuration
* ```=
en
conf t
router ospf {process-id} //locally significant; neighbours may use different numbers
//add networks to OSPF
//network {network address} {wildcard mask} area {num}
network {network address} {wildcard mask} area 0
```
* ```=
#r0
en
conf t
router ospf 10 //networks 1 and 2 join OSPF and get shared
network 172.30.1.0 0.0.0.255 area 0
network 192.168.1.0 0.0.0.3 area 0
default-information originate //advertise this router's default route; only meaningful on the edge router that actually has one
```
* ```=
#r1
en
conf t
router ospf 30 //networks 2 and 3 join OSPF and get shared
network 172.30.2.0 0.0.0.255 area 0
network 192.168.1.0 0.0.0.3 area 0
default-information originate
```
* ```=
show ip ospf neighbor //observe the neighbours
```
* ==The edge router must have a default route==
Destinations it does not know go to the default route
```=
en
conf t
ip route 0.0.0.0 0.0.0.0 {interface} // gi0/2
router ospf 30
default-information originate
--------------------------------------------------
the router at the other end also needs a default route
```
```=
e.g.
CHT
en
conf t
ip route 0.0.0.0 0.0.0.0 {interface} // gi0/0
```
### <mark>OSPF plaintext authentication</mark>
* OSPF password authentication (plaintext authentication, AuType 1): the key travels in the OSPF header in the clear, so it only guards against misconfiguration, not against anyone sniffing the link
* Both forms of OSPF authentication use a shared (symmetric) key; there is no asymmetric-key option
* Both ends of the link (both routers) must enable authentication with the same key
```=
R1
en
conf t
int gi 0/0
ip ospf authentication //enable plaintext authentication
ip ospf authentication-key {password} //the key itself, shared by both sides
```
```=
R0
en
conf t
int gi 0/0
ip ospf authentication //enable plaintext authentication
ip ospf authentication-key {password} //same key on both sides
```
* <font color=blue>Another way to configure it</font>
* Used when one OSPF process has several areas: enable authentication for the whole area, then set the key on each interface
```=
router ospf 1
area 0 authentication
network 192.168.1.0 0.0.0.255 area 0
interface GigabitEthernet0/1
ip ospf authentication
ip ospf authentication-key cisco123
```
### <mark>OSPF cryptographic (MD5) authentication</mark>
```=
R1
en
conf t
int gi 0/0
ip ospf authentication message-digest //enable MD5 authentication (AuType 2)
ip ospf message-digest-key 1 md5 {password} //key id 1 must match on both ends; the key never leaves the router, only an MD5 digest of packet+key is sent
```
* <font color=blue>Another way to configure it</font>
* Used when one OSPF process has several areas
```=
router ospf 1
area 0 authentication message-digest
network 192.168.1.0 0.0.0.255 area 0
interface GigabitEthernet0/1
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 cisco123
```
* The digest is MD5 over the packet plus the key (not an HMAC), with a sequence number against replay. Newer IOS also supports HMAC-SHA via key chains (`ip ospf authentication key-chain ...`, RFC 5709), which is preferable where available.
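To see why the two OSPF authentication modes above differ, it helps to build the packets. The script below is an added example, not from these notes and not IOS code: it constructs an OSPFv2 Hello with a made-up router id (1.1.1.1), area 0 and key `cisco123`, once with AuType 1 (the key sits in the 8-byte authentication field) and once with AuType 2, where the field carries the key id, digest length and sequence number and the digest MD5(packet || key zero-padded to 16 bytes) is appended, as RFC 2328 appendix D specifies. The receiver side recomputes the digest with its own key for that key id and rejects a stale sequence number.

```python
import hashlib
import hmac
import struct

# OSPFv2 header: version, type, packet length, router id, area id, checksum, AuType
# (16 bytes), followed by the 8-byte authentication field.
_HDR = "!BBHIIHH"


def _ip(dotted):
    return struct.unpack("!I", bytes(int(x) for x in dotted.split(".")))[0]


def _inet_checksum(data):
    """Standard ones'-complement checksum (RFC 1071); OSPF uses it only for AuType 0/1."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def hello_body():
    """Constructed Hello body: mask /24, hello 10, options E, priority 1, dead 40, no DR/BDR."""
    return struct.pack("!IHBBIII", _ip("255.255.255.0"), 10, 0x02, 1, 40, 0, 0)


def packet_plaintext(body, router_id, area_id, key):
    """AuType 1: the authentication field simply carries the key, padded to 8 bytes."""
    length = 24 + len(body)
    auth = key.encode()[:8].ljust(8, b"\x00")
    hdr = struct.pack(_HDR, 2, 1, length, _ip(router_id), _ip(area_id), 0, 1)
    csum = _inet_checksum(hdr + body)          # the checksum excludes the auth field
    hdr = struct.pack(_HDR, 2, 1, length, _ip(router_id), _ip(area_id), csum, 1)
    return hdr + auth + body


def _digest(packet, key):
    # RFC 2328 appendix D: MD5 over the packet followed by the key zero-padded to 16 bytes
    return hashlib.md5(packet + key.encode()[:16].ljust(16, b"\x00")).digest()


def packet_md5(body, router_id, area_id, key_id, seq, key):
    """AuType 2: checksum 0, auth field = (0, key id, 16, sequence); digest appended after the packet."""
    length = 24 + len(body)
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)
    hdr = struct.pack(_HDR, 2, 1, length, _ip(router_id), _ip(area_id), 0, 2)
    packet = hdr + auth + body
    return packet + _digest(packet, key)


def verify_md5(wire, key_id, key, last_seq=-1):
    """Receiver: check key id, reject a non-increasing sequence number, recompute the digest."""
    length = struct.unpack("!H", wire[2:4])[0]
    packet, digest = wire[:length], wire[length:length + 16]
    kid, seq = struct.unpack("!xxBxI", wire[16:24])
    if kid != key_id or seq <= last_seq:
        return False
    return hmac.compare_digest(digest, _digest(packet, key))


if __name__ == "__main__":
    body = hello_body()
    clear = packet_plaintext(body, "1.1.1.1", "0.0.0.0", "cisco123")
    print("key visible in plaintext packet:", b"cisco123" in clear)
    md5_pkt = packet_md5(body, "1.1.1.1", "0.0.0.0", 1, 1000, "cisco123")
    print("key visible in MD5 packet:", b"cisco123" in md5_pkt,
          "verifies:", verify_md5(md5_pkt, 1, "cisco123"))
```

Two consequences follow from the construction: a capture of AuType 1 traffic yields the key directly, and with AuType 2 an attacker who can replay an old Hello is stopped only by the sequence-number check, so a receiver that does not track `last_seq` loses that protection.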
---
### <mark>OSPF advanced</mark>
```=
#R1
router ospf 10
network 172.30.1.0 0.0.0.255 area 0
network 192.168.10.0 0.0.0.255 area 0
router-id 1.1.1.1 //a new router-id takes effect only when the process restarts: clear ip ospf process, or save and reload as here
copy run start
reload
```
```=
#R2
router ospf 20
network 172.30.2.0 0.0.0.255 area 0
network 192.168.10.0 0.0.0.255 area 0
router-id 2.2.2.2
copy run start
reload
```
```=
#R3
router ospf 30
network 192.168.10.0 0.0.0.255 area 0
network 192.168.20.0 0.0.0.3 area 1
router-id 3.3.3.3
copy run start
reload
```
```=
#R4
router ospf 40
network 172.30.1.0 0.0.0.255 area 1
network 192.168.20.0 0.0.0.3 area 1
router-id 4.4.4.4
copy run start
reload
```
<font color=blue>DR, BDR</font> => when the routers boot at about the same time, the one with the higher <font color=blue>OSPF router-id</font> becomes DR; otherwise <font color=blue>boot order</font> decides, because the election is not pre-emptive (a router that comes up later does not take over from an existing DR).
<font color=blue>Changing the OSPF priority</font> also decides who becomes DR (higher wins, 0 means never DR), but again only if the routers are (re)started together.
```=
//change the priority
en
conf t
int gi0/0
ip ospf priority 10
```
```=
show ip ospf neighbor //OSPF neighbours, and who is DR/BDR
show ip ospf int //detailed OSPF interface info (priority, timers, DR/BDR)
```
<font color=orange>Hello</font>: sent every 10 s to check the neighbour is alive
<font color=orange>Dead</font>: 40 s without a Hello and the neighbour is declared down
```=
show ip route
```
O IA: OSPF inter-area route, learned from another area via the ABR (information passed on by someone else)
### <mark>OSPF settings for a star network</mark>
* Configure OSPF on the hub (the "boss") first
* Extended topology
* R3
* R2 was configured earlier; only the area 1 settings need to be added
* From R2's point of view there are two bosses (one DR per multi-access segment)
* On a point-to-point link it does not matter who is the boss (R2, R3): OSPF elects no DR/BDR on point-to-point network types

---
### <mark>DR BDR</mark>
* DR: designated router
* BDR: backup designated router; every other router on the segment is a DROTHER

* On a multi-access segment OSPF first elects the boss (the DR)
* The DROTHERs only form full adjacencies with the DR (and BDR) and exchange link state through them, instead of with every router on the segment
---
### <mark>Star vs ring topology</mark>
* A ring is used where the terrain forces it
* A star network is easier to manage than a ring and also saves IP addresses
---
### <mark>BGP</mark>

### <mark>VLAN</mark>
* The same VLAN on different switches
* Crossing between switches is done by tagging (on the trunk) and untagging (on the access port)
* ```=
en
conf t
vlan 10
name students
vlan 20
name teachers
//switch: put the interfaces into the matching VLAN
int range fa0/1-2
switchport access vlan 10
int range fa0/3-4
switchport access vlan 20
do show vlan
//the switch-to-switch link must be changed to a trunk link
int fa0/24
switchport mode trunk
//router: one sub-interface per VLAN (router-on-a-stick)
int gi0/0
no shut //the physical interface must be up for the sub-interfaces to work
int gi0/0.10
encapsulation dot1Q 10
ip address 192.168.10.126 255.255.255.128
exit
int gi0/0.20
encapsulation dot1Q 20
ip address 192.168.10.254 255.255.255.128
exit
//(switch) check the interface
do show int fa0/24
```
* Add or remove VLANs allowed on a trunk
```=
switchport trunk allowed vlan add 10 //add to the current list
switchport trunk allowed vlan remove 10 //remove
//"switchport trunk allowed vlan 10" without add REPLACES the whole list
```
* Traffic between two VLANs must go through the router!
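The tagging and untagging that carries a VLAN across the trunk is just a 4-byte 802.1Q header inserted after the MAC addresses. The script below is an added example (not part of these notes, not switch firmware) that tags and untags a constructed Ethernet frame and models the two ends of a trunk: the sending switch tags frames of every VLAN except the native VLAN, and the receiving switch assigns untagged frames to its native VLAN. The MAC addresses and payload are made up.

```python
import struct

TPID_8021Q = 0x8100


def tag_frame(frame, vlan_id, pcp=0, dei=0):
    """Insert an 802.1Q tag after the destination/source MACs (what a trunk port does on egress)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id must be 1..4094")
    tci = (pcp << 13) | (dei << 12) | vlan_id
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def untag_frame(frame):
    """Return (vlan_id, untagged frame); vlan_id is None when the frame carries no 802.1Q tag."""
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        return None, frame
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF, frame[:12] + frame[16:]


def trunk_egress(frame, vlan_id, native_vlan=1):
    """Frames of the native VLAN leave the trunk untagged; every other VLAN is tagged."""
    return frame if vlan_id == native_vlan else tag_frame(frame, vlan_id)


def trunk_ingress(frame, native_vlan=1):
    """Tagged frames go to the VLAN in the tag; untagged frames are assigned to the native VLAN."""
    vlan_id, payload = untag_frame(frame)
    return (native_vlan if vlan_id is None else vlan_id), payload


def cross_switch(frame, access_vlan, native_vlan=1):
    """PC on an access port of SW-A -> trunk -> SW-B: the VLAN SW-B assigns, and the frame it forwards."""
    on_wire = trunk_egress(frame, access_vlan, native_vlan)
    return trunk_ingress(on_wire, native_vlan)


# Constructed frame: broadcast destination, a made-up source MAC, EtherType 0x0800, dummy payload.
SAMPLE = (bytes.fromhex("ffffffffffff") + bytes.fromhex("0200deadbeef")
          + struct.pack("!H", 0x0800) + b"payload")

if __name__ == "__main__":
    tagged = tag_frame(SAMPLE, 10)
    print(tagged[12:16].hex(), untag_frame(tagged)[0], cross_switch(SAMPLE, 10))
```

Because an untagged frame on a trunk is silently placed in the native VLAN, the native VLAN on trunks should be an otherwise unused VLAN rather than VLAN 1 carrying user traffic.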
### <mark>VLAN settings on a Layer-3 switch</mark>
* Create the VLANs
```=
//VLANs on multilayer switch 0
vlan 10
name students
exit
vlan 20
name teachers
exit
//VLANs on multilayer switch 1 (same ids and names)
vlan 10
name students
exit
vlan 20
name teachers
exit
```
* On both switches, assign the interfaces to their VLANs
```=
int range fa0/1-2
switchport mode access
switchport access vlan 10
exit
int range fa0/11-12
switchport mode access
switchport access vlan 20
exit
```
* Trunk link between the two L3 switches
```=
int fa 0/24
switchport trunk encapsulation dot1q //an L3 switch needs the encapsulation set before mode trunk
switchport mode trunk
switchport trunk allowed vlan 10,20 //limit the trunk to the VLANs that have to cross it
exit
```
* Enable L3 routing
```=
ip routing
```
* Make one of the switches the gateway (one SVI per VLAN)
```=
L3-Switch1(config)# interface vlan 10
L3-Switch1(config-if)# ip address 192.168.10.126 255.255.255.128
L3-Switch1(config-if)# no shutdown
L3-Switch1(config-if)# exit
L3-Switch1(config)# interface vlan 20
L3-Switch1(config-if)# ip address 192.168.20.254 255.255.255.128
L3-Switch1(config-if)# no shutdown
L3-Switch1(config-if)# exit
```
### <mark>Choosing the root bridge</mark>
* Two methods: priority, primary
* Lower priority number = higher precedence (the value must be a multiple of 4096; default 32768)
* Every VLAN has its own spanning tree, so a root switch is chosen per VLAN
* Become root by lowering the priority
* ```=
//SW1F
spanning-tree vlan 1 priority 4096
```
* Become root with the primary macro
* ```=
//SW1F
spanning-tree vlan 1 root primary //sets the priority low enough to win (24576, or lower if the current root is already below that)
```
* Backup: make a second switch the runner-up
* ```=
//SW2F
conf t
spanning-tree vlan 1 root secondary //sets priority 28672
```
### <mark>Keeping a switch port out of spanning tree</mark>
* BPDU guard: if a BPDU arrives on the port (someone plugged in a switch, or is sending crafted BPDUs to take over the root role), the port is put into err-disabled instead of joining the tree
* ```=
//SW3F
conf t
int fa0/3
spanning-tree bpduguard enable
```
### <mark>Configuring EtherChannel</mark>
* Two physical ports bundled into one logical port
* ```=
//sample
//must be configured on both sides
//int {interface}
//channel-group {num} mode active //active = LACP; the far side can be active or passive
//SW1F
conf t
int fa0/2
channel-group 1 mode active
int fa0/3
channel-group 1 mode active
//SW2F
conf t
int fa0/1
channel-group 1 mode active
int fa0/3
channel-group 1 mode active
//check the logical port
show etherchannel summary
show ip int brief
```
### <mark>Turning the EtherChannel into a trunk link</mark>
* Lets the VLANs cross it
* ```=
//SW1
show etherchannel summary //confirm the group and find its port-channel number first
int po2
switchport mode trunk
show int trunk
```
* ```=
//SW0
show etherchannel summary //find the group
int {po?}
switchport mode trunk
show int trunk
```
### Configuring NAT
* ```=
//mark gi0/0 as inside and gi0/1 as outside
//Router
int gi0/0
ip nat inside
int gi0/1
ip nat outside
```
* Static one-to-one NAT (servers)
* ```=
ip nat inside source static 192.168.10.1 200.200.200.1
ip nat inside source static 192.168.10.2 200.200.200.2
show ip nat translations
```
* Many-to-one: define a pool > define an access-list > let the access-list use the pool
* ```=
//dynamic NAT, many-to-one (or many-to-many), for the other PCs
//ip nat pool {name} {first public IP} {last public IP} netmask {mask}
//pool with only 2 public IPs for now
ip nat pool R0NAT 200.200.200.3 200.200.200.4 netmask 255.255.255.0
//the access-list selects which inside addresses get translated; overload = PAT, many inside hosts share one public IP via port numbers
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 deny any //implicit anyway; a host the ACL does not permit is sent out untranslated
ip nat inside source list 1 pool R0NAT overload
```
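The three NAT forms above (static one-to-one, a pool without overload, and overload/PAT) behave differently when the second host, or the reply packet, shows up. The model below is an added example, not from these notes and not how IOS is implemented internally: it reproduces the lookup order (static entry first, then the access-list, then the pool) for the page's addresses, hands out one public address per host when overload is off and shares the first pool address through port numbers when it is on, and maps replies back. Port allocation from 1024 upwards is a simplification (IOS tries to keep the original source port first).

```python
import ipaddress
import itertools


def acl_permit(network, wildcard):
    """Model of 'access-list N permit {network} {wildcard}': predicate on an inside address."""
    net_int = int(ipaddress.ip_address(network))
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF   # wildcard 0 bits must match
    return lambda ip: (int(ipaddress.ip_address(ip)) ^ net_int) & care == 0


class InsideSourceNat:
    """Minimal model of IOS 'ip nat inside source': static 1:1 entries first, then a pool,
    either one global address per inside host (dynamic NAT) or shared via ports (overload/PAT)."""

    def __init__(self, pool, permit, overload):
        self.pool = list(pool)
        self.permit = permit              # ACL predicate for inside local addresses
        self.overload = overload
        self.static = {}                  # inside local -> inside global
        self.dynamic = {}                 # inside local -> inside global (no overload)
        self.pat = {}                     # (inside local, port) -> (inside global, port)
        self.reverse = {}                 # (inside global, port) -> (inside local, port)
        self.next_port = itertools.count(1024)   # simplification: sequential port allocation

    def add_static(self, inside_local, inside_global):
        self.static[inside_local] = inside_global

    def translate(self, src_ip, src_port):
        """Outbound packet: return (inside global ip, port), or None when no translation applies."""
        if src_ip in self.static:
            return self.static[src_ip], src_port
        if not self.permit(src_ip):
            return None                              # ACL does not match: packet is not translated
        if self.overload:
            key = (src_ip, src_port)
            if key not in self.pat:
                mapping = (self.pool[0], next(self.next_port))
                self.pat[key] = mapping
                self.reverse[mapping] = key
            return self.pat[key]
        if src_ip not in self.dynamic:
            free = [g for g in self.pool if g not in self.dynamic.values()]
            if not free:
                return None                          # pool exhausted: packet dropped
            self.dynamic[src_ip] = free[0]
        return self.dynamic[src_ip], src_port

    def untranslate(self, dst_ip, dst_port):
        """Inbound reply: map the inside global (ip, port) back to the inside host."""
        for local, glob in self.static.items():
            if glob == dst_ip:
                return local, dst_port
        if (dst_ip, dst_port) in self.reverse:
            return self.reverse[(dst_ip, dst_port)]
        for local, glob in self.dynamic.items():
            if glob == dst_ip:
                return local, dst_port
        return None


if __name__ == "__main__":
    nat = InsideSourceNat(["200.200.200.3", "200.200.200.4"],
                          acl_permit("192.168.10.0", "0.0.0.255"), overload=True)
    nat.add_static("192.168.10.1", "200.200.200.1")
    for host, port in (("192.168.10.1", 443), ("192.168.10.50", 40000),
                       ("192.168.10.51", 40000), ("192.168.20.9", 1000)):
        print(host, port, "->", nat.translate(host, port))
```

With overload off, the two-address pool serves exactly two inside hosts and the third gets nothing, which is the symptom to look for when "only some PCs can reach the outside" in the lab.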
### <mark>AAA server</mark>
1. Enable AAA
* ```=
aaa new-model //from now on every line uses AAA method lists; have a local user ready (step 2) or a remote session can lock itself out
```
2. Set a local account, and optionally the AAA server(s) to authenticate against
```=
//local
username ccna123 password ccna123
//enable password
enable password ccna456
//tacacs+ server
tacacs-server host {host-ip} key {password}
//radius server
radius-server host {host-ip} key {password}
```
3. Define a server group (for redundancy)
```=
aaa group server tacacs+ myauthservers
server {server-ip1}
server {server-ip2}
```
4. Add the authentication sources (the ones set in step 2) > define the authentication method list
* ```=
// aaa authentication login {default | list-name} {methods tried in order: enable, local, group radius, group tacacs+, line, none ...}
aaa authentication login default group radius local none
```
default: the list named default is applied to every line automatically
group radius: the RADIUS server group
none: no authentication at all. The next method is tried only when the previous one errors (RADIUS unreachable, username not in the local database), so with this list an unknown username gets in without a password as soon as RADIUS is down. Lab only; never leave none at the end of a list in production.
5. Set which method list each line uses for login
```=
line console 0 //login authentication is a line command (for the enable prompt use aaa authentication enable default ...)
login authentication default
line vty 0 15
login authentication default
```

---

---