WordPress.com



SW-R_ConfCommands

SW-R INITIAL CONFIGURATIONS PART 1

SwitchRouter(config)#hostname SwR
SwitchRouter(config)#no ip domain-lookup *
SwR(config)#enable secret class
SwR(config)#banner motd #SwR Initial Config#
SwR(config)#service password-encryption
SwR(config)#line console 0
SwR(config-line)#password cisco
SwR(config-line)#login
SwR(config-line)#exit
SwR(config)#line vty 0 4
SwR(config-line)#password v123
SwR(config-line)#login
SwR(config-line)#exit
R(config)#line aux 0                      (the aux line exists only on the router)
R(config-line)#password auxpass
R(config-line)#login
R(config-line)#exit
SwR(config)#interface g0/0
SwR(config-if)#description LAN to HR
SwR(config-if)#exit
SwR#clock set 11:00:00 28 april 2013
R(config)#security passwords min-length 8 **   (only on the router)
SwR(config)#no logging console ***
SwR(config)#line console 0
SwR(config-line)#exec-timeout 0 15 ****
SwR(config-line)#no logging synchronous *****
SwR(config)#do show running-config | section eigrp ******
SwR(config)#login block-for 120 attempts 3 within 60 *******

* Disables DNS lookups.
** Password policy; used to define a password policy, e.g. a minimum of 8 characters.
*** Disables the log messages that appear on the console screen (you may not want log messages landing on the console). When you use this command, combine it with the login on-success command running on the router, connect over telnet and check that no log line lands on the console.
**** After 0 minutes 15 seconds the session times out and drops back to console mode. If you enter 0 0 it never times out.
***** Disables console interrupts; you keep typing. If we say logging synchronous, it causes trouble while typing commands. Switch to privileged mode with Ctrl+Z to see the effect of the console messages.
****** Displays a filtered section instead of the whole configuration.
******* When three failed login attempts are made within 60 seconds, login attempts are blocked for 120 seconds.

SW-R INITIAL CONFIGURATIONS PART 2

SwR#show aliases *
SwR(config)#alias exec sr show running-config **
SwR(config)#do sr
SwR(config)#exit
SwR#sr

* Displays the default command abbreviations (aliases). We can also add our own custom aliases.
** In config mode the alias command is used to add an abbreviation; here sr was defined as the abbreviation for show running-config. Note that you can only try alias on a real device or in GNS3.

SW-R HELP

TAB is used to complete a command, ? for help. With ? we can learn how to complete a command or which parameter to use.

SwR(config)#service password-encryption ?
<cr> *

* If no parameter remains, <cr> (carriage return) appears on the next line.

ROUTER IP-HELPER

R(config)#ip helper-address 192.168.2.254 *

* 192.168.2.254 is the DHCP server address. Don't forget to define two pools on the DHCP server.

SW DUPLEX-SPEED-MDIX

SwR(config)#interface fastEthernet 0/1
SwR(config-if)#duplex full *
SwR(config-if)#speed 100 **
SwR(config-if)#mdix auto ***

* The duplex default is auto.
** The speed default is auto.
*** To verify duplex and speed: show interfaces fastEthernet 0/1. To verify mdix: show controllers fa 0/1 phy | include Auto-MDIX. PT does not support this command, though.

L3 MULTILAYER SWITCH

CORE(config)#interface fastEthernet 0/1
CORE(config-if)#no switchport
CORE(config-if)#ip add 192.168.1.1 255.255.255.0
CORE(config-if)#exit
CORE(config)#ip routing *

* Up to this line you can ping the switch interface from PC1 and you can ping 10.0.0.1 (the server-side interface), but you cannot ping a host on an external network. IP routing is off by default; you need to enable it.

SW DHCP SNOOPING (mitigation)
(see DHCP SPOOFING (mitigation) at the end of this page)

SW NTP

FR HUB ROUTER CONF (London)

London_HQ(config)#int s0/0/0
London_HQ(config-if)#no shutdown
London_HQ(config-if)#encapsulation frame-relay
London_HQ(config-if)#frame-relay lmi-type q933a *
London_HQ(config)#int s0/0/0.100 point-to-point
London_HQ(config-subif)#frame-relay interface-dlci 100
London_HQ(config-subif)#ip address 192.168.10.1 255.255.255.252

FR SPOKE ROUTERS CONF (Warsaw & Munich & Paris)

WMP(config)#int s0/0/0
WMP(config-if)#no shutdown
WMP(config-if)#encapsulation frame-relay ietf **
WMP(config-if)#frame-relay interface-dlci 700
WMP(config-if)#ip add 192.168.10.10 255.255.255.252

EIGRP CONF (London & Warsaw & Munich & Paris)

LWMP(config)#router eigrp 100
LWMP(config-router)#network 192.168.10.0 ***
LWMP(config-router)#no auto-summary

* lmi-type: ansi, cisco, q933a.
** Manually configured to use IETF encapsulation.
*** When configuring EIGRP, if you enter network 192.168.0.0 thinking "it will advertise everything starting with 192.168 anyway", the adjacency will not form. If you do not enter a mask it takes the default /24, i.e. 192.168.0.0/24, which means there is no match.

OSPF CONF (Munich_B1 & Munich_B2)

Munich_B1(config)#router ospf 1
Munich_B1(config-router)#network 192.168.30.0 0.0.0.3 area 0

PPP and CHAP CONF (Munich_B1 & Munich_B2)

Router(config)#hostname Munich_B1
Munich_B1(config)#username Munich_B2 password cisco
Munich_B1&2(config)#int s0/0/1
Munich_B1&2(config-if)#encapsulation ppp
Munich_B1&2(config-if)#ppp authentication chap

PPP and PAP CONF

Router(config)#hostname Munich_B1
Munich_B1(config)#username Munich_B2 password cisco
Munich_B1(config)#int s0/0/1
Munich_B1(config-if)#ppp pap sent-username Munich_B1 password cisco
Munich_B1&2(config)#int s0/0/1
Munich_B1&2(config-if)#encapsulation ppp
Munich_B1&2(config-if)#ppp authentication pap

REDISTRIBUTION OF EIGRP 100 SUBNETS INTO OSPF 1

Munich_B1(config)#router ospf 1
Munich_B1(config-router)#redistribute eigrp 100 subnets

DEFAULT ROUTE CONF

Munich_B1(config)#ip route 0.0.0.0 0.0.0.0 s0/0/0

ADVERTISE DEFAULT ROUTE WITH EIGRP

Munich_B1(config)#router eigrp 100
Munich_B1(config-router)#redistribute static *

ADVERTISE DEFAULT ROUTE WITH OSPF

Munich_B1(config)#router ospf 1
Munich_B1(config-router)#default-information originate **

* A default route distributed by EIGRP shows up on the other routers as an external route with a prefix like D*EX and AD [170/…] …
** A default route distributed by OSPF shows up on the other routers as an external route with a prefix like O*E2 0.0.0.0/0 [110/…] …

STATIC ROUTE CONF

London_HQ(config)#ip route 192.168.30.0 255.255.255.0 s0/0/0.200

VTP CONF

Server mode:
Core_Switch(config)#vtp mode server
Core_Switch(config)#vtp domain CATC
Core_Switch(config)#vtp password LISBON

Client mode:
Distribution_Switch1(config)#vtp mode client
Distribution_Switch1(config)#vtp domain CATC
Distribution_Switch1(config)#vtp password LISBON

TRUNK CONF

Core_Switch(config)#interface range fa 0/1-5
Core_Switch(config-if-range)#switchport mode trunk
Core_Switch(config-if-range)#switchport nonegotiate *

NATIVE VLAN CONF ON TRUNK LINKS

Core_Switch(config)#interface range fa 0/1-5
Core_Switch(config-if-range)#switchport trunk native vlan 99

ACCESS CONF

Switch_Floor4(config)#interface range fa 0/1-4
Switch_Floor4(config-if-range)#switchport mode access

* Because DTP frames are no longer allowed through, switchport modes are assigned manually: access or trunk.

ADDING A VLAN

Core_Switch(config)#vlan 10
Core_Switch(config-vlan)#name ENGINEERING

ASSIGNING A VLAN

Switch_Floor1(config)#interface range fa 0/1-5
Switch_Floor1(config-if-range)#switchport mode access
Switch_Floor1(config-if-range)#switchport access vlan 10

VOICE PORTS CONF

Switch_Floor1(config)#interface range fa 0/16-20
Switch_Floor1(config-if-range)#switchport mode access
Switch_Floor1(config-if-range)#switchport voice vlan 20

DATA AND VOICE CAN SHARE THE SAME SWITCH PORT

Switch_Floor1(config-if-range)#switchport mode access
Switch_Floor1(config-if-range)#switchport access vlan 10
Switch_Floor1(config-if-range)#switchport voice vlan 20

SWITCHPORT SECURITY CONF

Switch_Floor1(config)#interface range fa 0/1-5
Switch_Floor1(config-if-range)#switchport mode access
Switch_Floor1(config-if-range)#switchport port-security
Switch_Floor1(config-if-range)#switchport port-security maximum 1 *
Switch_Floor1(config-if-range)#switchport port-security mac-address sticky
Switch_Floor1(config-if-range)#switchport port-security violation shutdown **

* The maximum 1 line need not be entered; the default is 1.
** The violation shutdown line need not be entered; the default is shutdown.

INTER-VLAN CONF

Paris(config)#int fa0/0
Paris(config-if)#no sh
Paris(config-if)#int fa0/0.10
Paris(config-subif)#encapsulation dot1Q 10
Paris(config-subif)#ip add 192.168.10.33 255.255.255.224

INTER-VLAN CONF FOR THE NATIVE VLAN

Paris(config-subif)#int fa0/0.99
Paris(config-subif)#encapsulation dot1Q 99 native
Paris(config-subif)#ip add 192.168.10.161 255.255.255.224

STP CONF

Distribution_Switch1(config)#spanning-tree vlan 1,10,20,30,99 priority 4096
Distribution_Switch1(config)#spanning-tree vlan 40 priority 8192

or:

Distribution_Switch1(config)#spanning-tree vlan 1,10,20,30,99 root primary
Distribution_Switch1(config)#spanning-tree vlan 40 root secondary

ENABLE RSTP CONF

Distribution_Switch1(config)#spanning-tree mode rapid-pvst

DHCPv4 CONF

Paris(config)#ip dhcp pool ENGINEERING
Paris(dhcp-config)#network 192.168.10.32 255.255.255.224
Paris(dhcp-config)#default-router 192.168.10.33
Paris(dhcp-config)#dns-server 192.168.20.101
Paris(dhcp-config)#exit
Paris(config)#ip dhcp excluded-address 192.168.10.33 192.168.10.142

STATIC & DYNAMIC NAT

Static:
London_HQ(config)#ip nat inside source static 192.168.20.110 200.200.200.246

Dynamic, method 1:
London_HQ(config)#ip nat pool BMWPool 200.200.200.241 200.200.200.245 netmask 255.255.255.248
London_HQ(config)#access-list 1 permit 192.168.0.0 0.0.255.255
London_HQ(config)#ip nat inside source list 1 pool BMWPool overload

Dynamic, method 2:
London_HQ(config)#access-list 1 permit 192.168.0.0 0.0.255.255
London_HQ(config)#ip nat inside source list 1 interface s0/0/1 overload

NAT CONF ON THE INTERFACES

Physical interfaces:
London_HQ(config)#int s0/0/0
London_HQ(config-if)#ip nat inside
London_HQ(config-if)#int s0/0/1
London_HQ(config-if)#ip nat outside

Subinterfaces:
London_HQ(config-if)#int s0/0/0.100
London_HQ(config-subif)#ip nat inside
London_HQ(config-subif)#int s0/0/0.200
London_HQ(config-subif)#ip nat inside
London_HQ(config-subif)#int s0/0/0.300
London_HQ(config-subif)#ip nat inside
London_HQ(config-subif)#int s0/0/1
London_HQ(config-if)#ip nat outside

EIGRP DETAILS CONF

EIGRP routing conf:
HQ(config)#router eigrp 100
HQ(config-router)#network 10.0.0.0 *
HQ(config-router)#no auto-summary
HQ(config-router)#redistribute static
HQ(config-router)#passive-interface f0/0
HQ(config-router)#eigrp stub **

EIGRP summarization:
HQ(config)#int s0/0/0
HQ(config-if)#ip summary-address eigrp 100 10.10.10.0 255.255.255.128

* Instructions: AS 100, and do not use a wildcard mask.
** In hub-and-spoke networks this configures the router as the hub (named stub here). Its parameters: connected, receive-only, redistributed, static, summary. When used without parameters, connected and summary are enabled by default. Connected means "advertise the connected routes": for example, if there is C 10.10.10.0/24, it is advertised as 10.10.10.0 and not as 10.0.0.0, even if auto-summary is enabled in the EIGRP configuration. Summary means the route manually summarized on the interface is advertised: if there is a summary route such as D 10.0.0.0/14 null, it will be advertised too. Another property of a stub router is that the neighbouring router never sends a query to the stub router.

OSPF DETAILS CONF

OSPF routing conf:
HQ(config)#router ospf 1
HQ(config-router)#network 172.16.100.96 0.0.0.15 area 0
HQ(config-router)#network 172.16.100.120 0.0.0.3 area 0
HQ(config-router)#network 172.16.100.124 0.0.0.3 area 0
HQ(config-router)#default-information originate
HQ(config-router)#passive-interface f0/0

OSPF PACKET AUTHENTICATION (MD5)

OSPF authentication conf:
HQ(config)#router ospf 1
HQ(config-router)#area 0 authentication message-digest

INTERFACE CONF FOR AUTHENTICATION

HQ: s0/0/0, s0/1/0; R1: s0/0/0, fa0/1; R2: s0/0/0, fa0/1

HQ(config)#int s0/0/0
HQ(config-if)#ip ospf message-digest-key 5 md5 itasecret

OSPF PRIORITY CONF

HQ(config)#int fa0/0
HQ(config-if)#ip ospf priority 255
HQ(config-if)#^Z
HQ#clear ip ospf process
Reset ALL OSPF processes? [no]: yes

Note: if the priority value is 0, the router does not take part in the election. The router with the highest priority is elected DR; the next highest is elected DROther.

BANDWIDTH CONF

HQ(config)#int s0/1/0
HQ(config-if)#bandwidth 384

ACL CONF

Instruction 1: Filter inbound traffic from the Internet. Configure and apply a single ACL numbered 100 on the correct router that will implement the following policy in order: allow only HTTP access to the Inside Web Server at its public address 128.107.0.10; allow all established TCP connections; allow all ICMP replies and unreachable messages.

HQ(config)#access-list 100 permit tcp any host 128.107.0.10 eq 80
HQ(config)#access-list 100 permit tcp any any established
HQ(config)#access-list 100 permit icmp any any echo-reply
HQ(config)#access-list 100 permit icmp any any unreachable
HQ(config)#int s0/0/1
HQ(config-if)#ip access-group 100 in

Instruction 2: Filter traffic from the R2 LAN. Configure and apply on the router a single ACL numbered 115 that will limit network traffic and implement the following policy: hosts from the LAN connected to the Fa0/0 interface of R2 are blocked from accessing hosts on the R1 R&D LAN; all other traffic is allowed anywhere.

HQ(config)#access-list 115 deny ip 172.16.100.0 0.0.0.63 172.16.100.64 0.0.0.31
HQ(config)#access-list 115 permit ip any any
HQ(config)#int fa0/0
HQ(config-if)#ip access-group 115 in

Instruction 3: Configure and apply an access control list with the case-sensitive name NO_WEB based on the following security policy: VLAN 20 is only allowed web access beyond BR2; all other VLAN 20 access beyond BR2 is denied; all other traffic is allowed.

BR2(config)#ip access-list extended NO_WEB
BR2(config-ext-nacl)#permit tcp 172.16.1.192 0.0.0.31 any eq 80
BR2(config-ext-nacl)#deny ip 172.16.1.192 0.0.0.31 any
BR2(config-ext-nacl)#permit ip any any
BR2(config-ext-nacl)#exit
BR2(config)#int fa0/1
BR2(config-if)#ip access-group NO_WEB out
BR2(config)#int s0/0/0.101
BR2(config-subif)#ip access-group NO_WEB out

Instruction 4: Because ISP represents connectivity to the Internet, configure a named ACL called "FIREWALL" in the following order: allow inbound HTTP requests to the server; allow only established TCP sessions from ISP and any source beyond ISP; allow only inbound ping replies from ISP and any source beyond ISP; explicitly block all other inbound access from ISP and any source beyond ISP.

HQ(config)#ip access-list extended FIREWALL
HQ(config-ext-nacl)#permit tcp any host 209.165.200.246 eq 80
HQ(config-ext-nacl)#permit tcp any any established
HQ(config-ext-nacl)#permit icmp any any echo-reply
HQ(config-ext-nacl)#deny ip any any
HQ(config-ext-nacl)#exit
HQ(config)#int s0/1/0
HQ(config-if)#ip access-group FIREWALL in

PASSWORD RECOVERY CONF

Press Ctrl+C or Ctrl+Break while the router is initializing to open the rommon 1 > prompt.

rommon 1 > confreg 0x2142
rommon 2 > reset
Router>
Router>en
Router#copy startup-config running-config *
Destination filename [running-config]?
HQ#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
HQ(config)#enable secret newPass
HQ(config)#config-register 0x2102
HQ(config)#do wri

* This is the most important step: load the saved configuration. Do not accidentally copy the running configuration over the saved configuration; if you do that, go throw yourself into the sea.

SW REMOTE MANAGEMENT CONF

S2(config)#interface vlan 1
S2(config-if)#ip address 10.10.10.98 255.255.255.240
S2(config-if)#no shutdown
S2(config-if)#exit
S2(config)#ip default-gateway 10.10.10.97

Note: once the enable and vty passwords are set, remote access can be verified. Remember that when you ping, the echo-reply will fail twice and then succeed. Don't assume it isn't working!!!

ACL CONF

Instruction 5: The task is to create and apply a numbered access list with no more than three statements that will allow ONLY host C web access * to the Finance Web Server. No other hosts will have web access to the Finance Web Server. All other traffic is permitted.

Corp1#show ip interface brief
Interface        IP-Address       OK? Method Status  Protocol
FastEthernet0/0  192.168.33.254   YES manual up      up
FastEthernet0/1  172.22.242.30    YES manual up      up
Serial0/0        198.18.196.65    YES manual up      up

Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80
Corp1(config)#access-list 100 permit ip any any
Corp1(config)#interface fa0/1
Corp1(config-if)#ip access-group 100 out
Corp1(config-if)#end
Corp1#copy running-config startup-config

* The phrase "...ONLY host C web access" in the question is very important: it points to TCP 80.

Instruction 6: The task is to create and apply a numbered access list with no more than three statements that will allow ONLY host B access * to the Finance Web Server. Deny host B from accessing the other servers. All other traffic is permitted.

Corp1(config)#access-list 100 permit ip host 192.168.33.2 host 172.22.242.23
Corp1(config)#access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15 **
Corp1(config)#access-list 100 permit ip any any
Corp1(config)#interface fa0/1
Corp1(config-if)#ip access-group 100 out
Corp1(config-if)#end
Corp1#copy running-config startup-config

* The phrase "...ONLY host B access" in the question is very important: it points to ip.
** The servers' network address, usable IP range and mask are as follows: 172.16.242.16/28, 255.255.255.240.

Instruction 7: The task is to create and apply a numbered access list with no more than three statements that will allow ONLY host C web access to the Finance Web Server. Host C should also be denied access to any other services of the Finance Web Server. No other hosts will access the Finance Web Server. All other traffic is permitted.

Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Corp1(config)#access-list 100 deny ip any host 172.22.242.23
Corp1(config)#access-list 100 permit ip any any
Corp1(config)#interface fa0/1
Corp1(config-if)#ip access-group 100 out
Corp1(config-if)#end
Corp1#copy running-config startup-config

Instruction 8: The task is to create and apply a numbered access list with no more than three statements so that ONLY host D is able to use a web browser (HTTP) to access the Finance Web Server. Other types of access from host D to the Finance Web Server should be blocked. All access from hosts in the Core or local LAN to the Finance Web Server should be blocked. All hosts in the Core and local LAN should be able to access the Public Web Server.

Corp1(config)#access-list 100 permit tcp host 192.168.33.4 host 172.22.242.23 eq 80
Corp1(config)#access-list 100 deny ip any host 172.22.242.23
Corp1(config)#access-list 100 permit ip any any
Corp1(config)#interface fa0/1
Corp1(config-if)#ip access-group 100 out
Corp1(config-if)#end
Corp1#copy running-config startup-config

EIGRP CONF

R1: Fa0/0 192.168.77.33, S1/0 198.0.18.6, S0/1 192.168.60.25, S0/0 192.168.36.13
R2: Fa0/0 192.168.60.97, Fa0/1 192.168.60.113, S0/0 192.168.36.14
R3: Fa0/0 192.168.77.34, Fa0/1 192.168.60.65, Fa1/0 192.168.60.81
R4: Fa0/0 192.168.60.129, Fa0/1 192.168.60.145, S0/1 192.168.60.26

R3#configure terminal
R3(config)#no router eigrp 22
R3(config)#router eigrp 212
R3(config-router)#network 192.168.60.0
R3(config-router)#network 192.168.77.0
R3(config-router)#no auto-summary
R3(config-router)#end
R3#copy running-config startup-config

R1(config)#router eigrp 212
R1(config-router)#network 192.168.77.0
R1(config-router)#end
R1#copy running-config startup-config

If the "passive interface" is applied to the link between R1 and the ISP router like this:

R1:
!
router eigrp 212
 passive-interface s1/0
!

then we just leave it.
Don't use "no passive-interface s1/0" on R1, because the link between R1 and the ISP doesn't need EIGRP to run on it. A static route from R1 to the ISP and the "ip default-network" command on R1 are correct, so that all the routers (R1, R2, R3, R4) can access the Internet. (Note: the "ip default-network" command on R1 advertises R1's static route to the Internet to the other routers (R2, R3, R4) so that they can access the Internet too.) In the exam you will see these lines in the R1 configuration:

!
ip default-network 198.0.18.0
ip route 0.0.0.0 0.0.0.0 198.0.18.5
!

If you want to learn more about the "ip default-network" command please read:

CONF ON SW1

Switch(config)#hostname SW1
SW1(config)#int vlan 1
SW1(config-if)#ip add 192.168.1.254 255.255.255.0
SW1(config-if)#no sh
SW1(config-if)#exit
SW1(config)#enable secret class
SW1(config)#line vty 0 4
SW1(config-line)#password qwerty
SW1(config-line)#login
SW1(config-line)#exit
SW1(config)#ip default-gateway 192.168.1.1
SW1(config)#do wri
Building configuration...

When testing:
PC>telnet 192.168.1.254
Trying 192.168.1.254 ...Open
User Access Verification
Password:

SSH ON R1

Router(config)#hostname R1
R1(config)#ip domain-name *
R1(config)#crypto key generate rsa **
The name for the keys will be: R1.
How many bits in the modulus [512]: 1024
R1(config)#username admin privilege 15 password 123 ***
R1(config)#line vty 0 15
R1(config-line)#login local
R1(config-line)#transport input ssh
R1(config-line)#exit
R1(config)#ip ssh version 2
R1(config)#do wri
Building configuration...

When testing:
PC>ssh -l admin 192.168.2.1
Open
Password:

* The ip domain-name command is important: the RSA key pair name is now combined with the device name and becomes R1.
** After pressing Enter, the key size in bits is entered. The default is 512 bits; up to 2048 bits is supported.
*** The added admin user is assigned privilege level 15, the highest. If the default privilege level is to be used, the user can also be configured as follows:
R1(config)#username admin password 123

IPv6 CONF

R1(config)#int g0/0
R1(config-if)#ipv6 address 2001:DB8:1:1::1/64
or
R1(config-if)#ipv6 address 2001:DB8:1:1::/64 eui-64
R1(config-if)#ipv6 address FE80::1 link-local *
R1(config)#ipv6 unicast-routing **

* The link-local address was configured statically; the link-local address FE80::1 will be configured as the GW on the host devices.
** Required for the router to route IPv6 to a directly connected external network or to a remote network.
Note: it is possible to enable the link-local address with ipv6 enable without assigning a global IPv6 address; it can be seen with show ipv6 interface brief. But once you assign a global address it is already enabled, so there is no need to say ipv6 enable.

CONSOLE INTERRUPT CONF

R1(config)#line console 0
R1(config-line)#no logging synchronous *
R1(config-line)#exec-timeout 2 30 **
R1(config-line)#exec-timeout 0 0 ***

* Used to prevent console interrupt messages.
** Exec timeout interval of 2 minutes 30 seconds.
*** An exec timeout interval of 0 0 means no timeout, i.e. the session never drops out of exec mode.

EIGRP LOAD BALANCE CONF

Router(config-router)#maximum-paths value

EIGRP FOR IPv6 CONF

R1(config)#int g0/0
R1(config-if)#ipv6 address FE80::1 link-local *
R1(config-if)#int s0/0/0
R1(config-if)#ipv6 address FE80::1 link-local
R1(config-if)#int s0/0/1
R1(config-if)#ipv6 address FE80::1 link-local
R1(config)#ipv6 router eigrp 2
%IPv6 routing not enabled **
R1(config)#ipv6 unicast-routing
R1(config)#ipv6 router eigrp 2
R1(config-rtr)#eigrp router-id 1.0.0.0
R1(config-rtr)#no shutdown ***
R1(config-rtr)#passive-interface g0/0
R1(config)#int g0/0
R1(config-if)#ipv6 eigrp 2
R1(config-if)#int s0/0/0
R1(config-if)#ipv6 eigrp 2
R1(config-if)#int s0/0/1
R1(config-if)#ipv6 eigrp 2

PASSIVE INTERFACE FOR IPv6 CONF

R2(config)#ipv6 router eigrp 2
R2(config-rtr)#passive-interface s0/1/0
R2(config-rtr)#no auto-summary ****

MANUAL SUMMARY CONF

R3(config)#int s0/0/0
R3(config-if)#ipv6 summary-address eigrp 2 2001:DB8:CAFE::/48
R3(config)#int s0/0/1
R3(config-if)#ipv6 summary-address eigrp 2 2001:DB8:CAFE::/48

EIGRP FOR IPv6 DEFAULT ROUTE AND PROPAGATION CONF

R2(config)#ipv6 route ::/0 s0/1/0
R2(config)#ipv6 router eigrp 2
R2(config-rtr)#redistribute static *****

* R2 uses the static link-local address FE80::2 on all of its interfaces, and R3 uses the static link-local address FE80::3 on all of its interfaces, and
** If the command is tried before IPv6 routing is enabled, it returns an error.
*** EIGRP for IPv6 is shut down by default; it must be enabled with no shutdown.
**** Such a command is not used in EIGRP for IPv6, because EIGRP for IPv6 does not support automatic summarization, because IPv6 has no notion of classful networks. So how is summarization done? Statically on the interfaces, as above.
***** The default route shows up with the EX prefix and AD [170/…].

EIGRP KEY-CHAIN

DHCPv6 PRELIMINARY INFO

Is ipv6 unicast-routing required? Why?

R1(config)#interface GigabitEthernet0/0
R1(config-if)#no sh
R1(config-if)#ipv6 enable
R1(config-if)#do show ipv6 interface gi0/0 *
  Joined group address(es):
    FF02::1:FF3B:5001
----
R1(config)#ipv6 unicast-routing
R1(config)#do show ipv6 interface gi0/0 **
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF3B:5001

* How should the output above be read? When only IPv6 is enabled on an interface (ipv6 enable), only the multicast address FF02::1 appears.
** When the ipv6 unicast-routing command is added to the configuration, the multicast address FF02::2 also appears on the interface. From this we can conclude: whichever method is used (SLAAC, stateless DHCPv6, stateful DHCPv6), since RS uses FF02::1 and RA uses FF02::2, the ipv6 unicast-routing command is mandatory. In short, a server needs this line to be able to send RAs.

SLAAC – STATELESS AUTO CONFIGURATION (Client PC0 - Server R1)

--- *
R1(config)#interface GigabitEthernet0/0
R1(config-if)#ipv6 address 2001:1111:1111::1/64
R1(config-if)#ipv6 enable
R1(config-if)#no sh
R1(config-if)#do sh ipv6 inter brie
GigabitEthernet0/0         [up/up]
    FE80::207:ECFF:FE3B:5001
    2001:1111:1111::1
--- **
R1(config)#ipv6 unicast-routing
R1(config)#interface GigabitEthernet0/0
R1(config-if)#ipv6 address 2001:1111:1111::1/64
R1(config-if)#ipv6 enable
R1(config-if)#no sh
R1(config-if)#do sh ipv6 inter brie
GigabitEthernet0/0         [up/up]
    FE80::207:ECFF:FE3B:5001
    2001:1111:1111::1

* When PC0 is configured as a DHCPv6 client by selecting Auto-Config, it discovers via NDP with source IP FE80::2E0:F9FF:FE78:3412 (PC0's link-local) and destination IP FF02::2 (the multicast address representing all IPv6 routers on the link). But since the ipv6 unicast-routing command was not entered on R1, the router cannot send an RA message.
** The critical line for the SLAAC configuration is added (ipv6 unicast-routing). A server needs this line to be able to send RAs.
*** At the end of the configuration, the PC obtained a global IP using the prefix of the global unicast address assigned to the g0/0 interface.

SLAAC – STATELESS AUTO CONFIGURATION (Server R1 - Client R2)

R1(config)#ipv6 unicast-routing
R1(config)#interface GigabitEthernet0/1
R1(config-if)#ipv6 address 2001:1212:1212::1/64
R1(config-if)#ipv6 enable
R1(config-if)#no sh

R2(config)#interface GigabitEthernet0/1
R2(config-if)#no sh
R2(config-if)#ipv6 enable
R2(config-if)#ipv6 address autoconfig *

* In the SLAAC method the default flags (M:0, O:0) are used. It tells the client to use only this RA.

STATELESS DHCPv6 – SLAAC AND DHCPv6 (Client PC0 - Server R1)

R1(config)#ipv6 unicast-routing
R1(config)#ipv6 dhcp pool STATELESS_IPV6
R1(config-dhcpv6)#dns-server 2001:1111:1111::1010
R1(config-dhcpv6)#domain-name
R1(config-dhcpv6)#exit
R1(config)#interface GigabitEthernet0/0
R1(config-if)#no sh
R1(config-if)#ipv6 address 2001:1111:1111::1/64
R1(config-if)#ipv6 dhcp server STATELESS_IPV6
R1(config-if)#ipv6 nd other-config-flag
R1(config-if)#ipv6 enable

* When the DHCPv6 client is enabled, a SOLICIT message is sent to the DHCPv6 server at FF02::1:2.
** In the stateless DHCPv6 method the default flags are (M:0, O:1). It tells the client to use this RA and a DHCPv6 server (the RA for addressing information, DHCPv6 for other information such as DNS and domain). SLAAC and DHCPv6 must be used together.
*** My expectation was this: it would get a global IP using the g0/0 prefix because SLAAC is configured, and it would also get the DNS and domain name because stateless DHCPv6 is configured. Result: the client PC got a link-local IP (the reason is entirely PT), and it got the DNS from R1 again.

STATELESS DHCPv6 – SLAAC AND DHCPv6 (Server R1 - Client R2)

R1(config)#ipv6 unicast-routing
R1(config)#ipv6 dhcp pool STATELESS_IPV6
R1(config-dhcpv6)#dns-server 2001:1111:1111::1010
R1(config-dhcpv6)#domain-name
R1(config-dhcpv6)#exit
R1(config)#interface GigabitEthernet0/1
R1(config-if)#no sh
R1(config-if)#ipv6 address 2001:1212:1212::1/64
R1(config-if)#ipv6 dhcp server STATELESS_IPV6
R1(config-if)#ipv6 nd other-config-flag
R1(config-if)#ipv6 enable

R2(config)#interface GigabitEthernet0/1
R2(config-if)#no sh
R2(config-if)#ipv6 enable
R2(config-if)#ipv6 address autoconfig

STATEFUL DHCPv6 – DHCPv6 ONLY (Client PC0 - Server R1)

R1(config)#ipv6 unicast-routing
R1(config)#ipv6 dhcp pool STATEFUL_IPV6
! stateful pool: it hands out addresses from the prefix, unlike the stateless pool above
R1(config-dhcpv6)#address prefix 2001:1111:1111::/64 lifetime infinite infinite
R1(config-dhcpv6)#dns-server 2001:1111:1111::1010
R1(config-dhcpv6)#domain-name
R1(config-dhcpv6)#exit
R1(config)#interface GigabitEthernet0/0
R1(config-if)#no sh
R1(config-if)#ipv6 address 2001:1111:1111::1/64
R1(config-if)#ipv6 dhcp server STATEFUL_IPV6
R1(config-if)#ipv6 nd managed-config-flag
R1(config-if)#ipv6 enable

* In the stateful DHCPv6 method the default flags are (M:1, O:0). It tells the client to use a DHCPv6 server.
** My expectation was this: it would get a global IP using the g0/0 prefix, and it would get the DNS and domain name information from DHCPv6. Result: the client PC got a link-local IP (the reason is entirely PT), and it got the DNS from R1 again.

STATEFUL DHCPv6 – DHCPv6 ONLY (Server R1 - Client R2)

R1(config)#ipv6 unicast-routing
R1(config)#ipv6 dhcp pool STATEFUL_IPV6
R1(config-dhcpv6)#address prefix 2001:1212:1212::/64 lifetime infinite infinite
R1(config-dhcpv6)#dns-server 2001:1111:1111::1010
R1(config-dhcpv6)#domain-name
R1(config-dhcpv6)#exit
R1(config)#interface GigabitEthernet0/1
R1(config-if)#no sh
R1(config-if)#ipv6 address 2001:1212:1212::1/64
R1(config-if)#ipv6 dhcp server STATEFUL_IPV6
R1(config-if)#ipv6 nd managed-config-flag
R1(config-if)#ipv6 enable

R2(config)#interface GigabitEthernet0/1
R2(config-if)#no sh
R2(config-if)#ipv6 enable
R2(config-if)#ipv6 address dhcp *

* After this it says there is a missing command ???

DHCP SPOOFING (mitigation)

S1, enable snooping and trusted port:
ip dhcp snooping *
ip dhcp snooping vlan 1 **
interface range fa0/1-2
 ip dhcp snooping trust ***

S2, enable snooping and trusted port:
ip dhcp snooping
ip dhcp snooping vlan 1
interface range fa0/1
 ip dhcp snooping trust

S2, enable rate limit on the untrusted port:
interface fa0/3
 ip dhcp snooping limit rate 5 ****

Commands used for verification:
show ip dhcp snooping
show ip dhcp snooping binding

* ip dhcp snooping enables snooping in global config mode. A very important detail: once this is enabled, all ports default to untrusted.
** ip dhcp snooping vlan 1: we also need to enable it for our VLAN 1. It is enabled for whichever VLAN our DHCP server is in (VLAN 1 in our example). Combinations such as 10,20,15-18 are also valid.
*** ip dhcp snooping trust makes the port a trusted port.
**** ip dhcp snooping limit rate 5: untrusted ports are limited to 5 pps, i.e. 5 packets per second, which limits DoS attacks.
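The ACL instructions above all depend on the same two rules: a wildcard bit set to 1 means "don't care", and the first matching entry wins, with an implicit deny if nothing matches. The following is an added worked example (not from the cheat sheet); it parses IOS extended ACL entries, evaluates constructed packets against the page's NO_WEB and FIREWALL lists, and the Packet fields and sample addresses are assumptions for the demonstration.

```python
"""Evaluate Cisco IOS extended ACL entries against sample packets.
Added example, not from the original cheat sheet: models wildcard-mask
matching and first-match / implicit-deny semantics of IOS ACLs."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:                          # constructed model of one IPv4 packet
    proto: str                         # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    established: bool = False          # TCP ACK or RST set, which "established" tests
    icmp_type: Optional[str] = None    # "echo-reply", "unreachable", ...


def _parse_addr(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD) -> (addr, wildcard, rest)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0, tokens[2:]
    return (int(ipaddress.IPv4Address(tokens[0])),
            int(ipaddress.IPv4Address(tokens[1])), tokens[2:])


def parse_ace(line: str) -> dict:
    """Parse one entry such as 'permit tcp 172.16.1.192 0.0.0.31 any eq 80'.
    A router prompt before '#' and a leading 'access-list N' are tolerated."""
    tokens = line.split("#")[-1].split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]
    ace = {"action": tokens[0], "proto": tokens[1],
           "dport": None, "established": False, "icmp_type": None}
    rest = tokens[2:]
    ace["src"], ace["swild"], rest = _parse_addr(rest)
    ace["dst"], ace["dwild"], rest = _parse_addr(rest)
    while rest:
        tok = rest.pop(0)
        if tok == "eq":
            ace["dport"] = int(rest.pop(0))
        elif tok == "established":
            ace["established"] = True
        else:
            ace["icmp_type"] = tok     # echo-reply, unreachable, ...
    return ace


def _wild_match(addr: int, net: int, wild: int) -> bool:
    # a set wildcard bit means "don't care"; every other bit must be equal
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (net & care)


def ace_matches(ace: dict, pkt: Packet) -> bool:
    if ace["proto"] not in ("ip", pkt.proto):
        return False
    if not _wild_match(int(ipaddress.IPv4Address(pkt.src)), ace["src"], ace["swild"]):
        return False
    if not _wild_match(int(ipaddress.IPv4Address(pkt.dst)), ace["dst"], ace["dwild"]):
        return False
    if ace["dport"] is not None and pkt.dport != ace["dport"]:
        return False
    if ace["established"] and not pkt.established:
        return False
    if ace["icmp_type"] is not None and pkt.icmp_type != ace["icmp_type"]:
        return False
    return True


def evaluate(acl_lines, pkt: Packet) -> str:
    """First matching entry wins; no match hits the implicit deny at the end."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"


# The page's NO_WEB list (Instruction 3) and FIREWALL list (Instruction 4).
NO_WEB = ["permit tcp 172.16.1.192 0.0.0.31 any eq 80",
          "deny ip 172.16.1.192 0.0.0.31 any",
          "permit ip any any"]
FIREWALL = ["permit tcp any host 209.165.200.246 eq 80",
            "permit tcp any any established",
            "permit icmp any any echo-reply",
            "deny ip any any"]

if __name__ == "__main__":
    # constructed samples: a VLAN 20 host browsing, then the same host using SSH
    for pkt in (Packet("tcp", "172.16.1.200", "203.0.113.9", dport=80),
                Packet("tcp", "172.16.1.200", "203.0.113.9", dport=22)):
        print(pkt.dport, evaluate(NO_WEB, pkt))
```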
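The IPv6, SLAAC and DHCPv6 sections above show addresses such as FE80::207:ECFF:FE3B:5001 and the joined group FF02::1:FF3B:5001 without saying how they are derived. The following is an added worked example (not from the cheat sheet) that computes the modified EUI-64 interface ID, the link-local and prefix-based addresses, the solicited-node multicast group, and how a client reads the RA M/O flags the page lists; the MAC 00:07:EC:3B:50:01 is an assumption inferred from the link-local address shown for R1's g0/0.

```python
"""IPv6 address derivations behind the EUI-64, SLAAC and DHCPv6 sections.
Added example, not from the original page."""
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64: split the 48-bit MAC, insert FFFE, flip the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    iid = octets[:3] + b"\xff\xfe" + octets[3:]
    iid = bytes([iid[0] ^ 0x02]) + iid[1:]      # invert the universal/local bit
    return int.from_bytes(iid, "big")


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """What 'ipv6 address <prefix>/64 eui-64', or SLAAC from an RA carrying
    that prefix, produces for the interface."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """The FE80::/64 address 'ipv6 enable' derives when no static link-local is set."""
    return eui64_address("FE80::/64", mac)


def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """FF02::1:FFxx:xxxx with the low 24 bits of the unicast address; this is the
    group listed under 'Joined group address(es)' and the target of NS/DAD."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("FF02::1:FF00:0")) | low24)


def ra_flags_method(managed: bool, other: bool) -> str:
    """How a client interprets the RA flags set by 'ipv6 nd managed-config-flag'
    (M) and 'ipv6 nd other-config-flag' (O); both default to 0."""
    if managed:
        return "stateful DHCPv6"        # address and options from the DHCPv6 server
    if other:
        return "stateless DHCPv6"       # address via SLAAC, DNS/domain via DHCPv6
    return "SLAAC"                      # everything from the RA


if __name__ == "__main__":
    mac = "00:07:EC:3B:50:01"           # assumed MAC behind FE80::207:ECFF:FE3B:5001
    ll = link_local_address(mac)
    print(ll, eui64_address("2001:DB8:1:1::/64", mac), solicited_node(str(ll)))
    print(ra_flags_method(False, True))
```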
