
PPP

HDLC - The default encapsulation type on point-to-point connections, dedicated links, and circuit-switched connections when the link uses two Cisco devices. HDLC is now the basis for synchronous PPP used by many servers to connect to a WAN, most commonly the Internet.

PPP - Provides router-to-router and host-to-network connections over synchronous and asynchronous circuits. PPP works with several network layer protocols, such as IP and Internetwork Packet Exchange (IPX). PPP also has built-in security mechanisms such as PAP and CHAP. Most of this chapter deals with PPP.

Configuring HDLC Encapsulation
Router(config-if)#encapsulation hdlc
Use this command on both ends of the serial link.

Configuring PPP Encapsulation
Router(config-if)#encapsulation ppp
Use this command on both ends of the serial link.

Configuring PPP with Authentication
Authentication - Peer routers exchange authentication messages. Two authentication choices are Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP). Authentication is explained in the next section.

Password Authentication Protocol (PAP) provides a simple method for a remote node to establish its identity using a two-way handshake. PAP is not interactive. When the ppp authentication pap command is used, the username and password are sent as one LCP data package, rather than the server sending a login prompt and waiting for a response. The figure shows that after PPP completes the link establishment phase, the remote node repeatedly sends a username-password pair across the link until the sending node acknowledges it or terminates the connection.
Configuring PAP Authentication
R1(config)#username R2 password cisco123
R1(config)#interface s0/0/0
R1(config-if)#encapsulation ppp
R1(config-if)#ppp authentication pap
R1(config-if)#ppp pap sent-username R1 password cisco123

Challenge Handshake Authentication Protocol (CHAP)
Once authentication is established with PAP, it essentially stops working. This leaves the network vulnerable to attack. Unlike PAP, which only authenticates once, CHAP conducts periodic challenges to make sure that the remote node still has a valid password value. The password value is variable and changes unpredictably while the link exists. After the PPP link establishment phase is complete, the local router sends a challenge message to the remote node.

Configuring CHAP Authentication
R3(config)#username R2 password cisco123
R3(config)#interface s0/0/1
R3(config-if)#encapsulation ppp
R3(config-if)#ppp authentication chap
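The difference between the two handshakes, as an added example that is not from these notes or from Cisco: a PAP request carries the password itself, while a CHAP response is the RFC 1994 digest MD5(identifier || secret || challenge), which the authenticator recomputes with the secret it stored through the username command. The identifier values, the constructed challenge bytes and the simplified packet layouts are assumptions; the secret cisco123 is the one used in the configs above.

```python
import hashlib
import hmac
import os

# Secret configured on both routers with "username <peer> password cisco123" (from the notes).
SHARED_SECRET = b"cisco123"


def pap_authenticate_request(username: str, password: str) -> bytes:
    """PAP: the peer sends username and password as-is in one packet (layout simplified).
    Anyone who captures this frame sees the password."""
    return username.encode() + b"\x00" + password.encode()


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP Response value per RFC 1994: MD5(Identifier || secret || Challenge).
    The secret itself never crosses the link; only this 16-byte digest does."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def authenticator_check(identifier: int, challenge: bytes, response: bytes) -> bool:
    """The local router recomputes the digest with its stored secret and compares."""
    expected = chap_response(identifier, SHARED_SECRET, challenge)
    return hmac.compare_digest(expected, response)


def chap_round(identifier: int, challenge: bytes, peer_secret: bytes):
    """One challenge/response round: returns (bytes on the wire, authenticator verdict)."""
    on_wire = chap_response(identifier, peer_secret, challenge)
    return on_wire, authenticator_check(identifier, challenge, on_wire)


def secret_visible_on_wire(wire: bytes) -> bool:
    return SHARED_SECRET in wire


if __name__ == "__main__":
    pap = pap_authenticate_request("R2", "cisco123")
    print("PAP frame exposes the secret:", secret_visible_on_wire(pap))
    c1, c2 = os.urandom(16), os.urandom(16)          # two periodic challenges
    r1, ok1 = chap_round(1, c1, SHARED_SECRET)
    r2, ok2 = chap_round(2, c2, SHARED_SECRET)
    print("CHAP rounds pass:", ok1 and ok2, "| responses differ:", r1 != r2)
    print("CHAP wire exposes the secret:", secret_visible_on_wire(r1))
    print("Wrong secret rejected:", not chap_round(3, c1, b"wrongpass")[1])
```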

FRAME RELAY

Router R1 configuration
R1(config)#int fa 0/1
R1(config-if)#ip add 192.168.10.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#int se 0/0/0
R1(config-if)#ip add 10.1.1.1 255.255.255.0
R1(config-if)#exit
R1(config)#router rip
R1(config-router)#version 2
R1(config-router)#net 10.0.0.0
R1(config-router)#net 192.168.10.0
R1(config-router)#no auto-summary
R1(config-router)#exit
R1(config)#interface serial0/0/0
R1(config-if)#encapsulation frame-relay
R1(config-if)#frame-relay map ip 10.10.10.2 102 broadcast
R1(config-if)#frame-relay map ip 10.10.10.3 103 broadcast
R1(config-if)#no shutdown

Router R2 configuration
R2(config)#int se 0/0/1
R2(config-if)#ip add 209.165.200.225 255.255.255.224
R2(config-if)#no sh
R2(config-if)#int se 0/0/0
R2(config-if)#ip add 10.1.1.2 255.255.255.0
R2(config-if)#exit
R2(config)#ip route 0.0.0.0 0.0.0.0 se 0/0/1
R2(config)#router rip
R2(config-router)#version 2
R2(config-router)#net 10.0.0.0
R2(config-router)#default-information originate
R2(config-router)#no auto-summary
R2(config-router)#exit
R2(config)#interface serial0/0/0
R2(config-if)#encapsulation frame-relay
R2(config-if)#frame-relay map ip 10.10.10.1 201 broadcast
R2(config-if)#frame-relay map ip 10.10.10.3 203 broadcast
R2(config-if)#no shutdown

Router R3 configuration
R3(config)#int fa 0/0
R3(config-if)#ip add 192.168.30.1 255.255.255.0
R3(config-if)#no sh
R3(config-if)#int se 0/0/0
R3(config-if)#ip add 10.1.1.3 255.255.255.0
R3(config-if)#exit
R3(config)#router rip
R3(config-router)#version 2
R3(config-router)#net 10.0.0.0
R3(config-router)#net 192.168.30.0
R3(config-router)#no auto-summary
R3(config-router)#exit
R3(config)#interface serial0/0/0
R3(config-if)#encapsulation frame-relay
R3(config-if)#frame-relay map ip 10.10.10.1 301 broadcast
R3(config-if)#frame-relay map ip 10.10.10.2 302 broadcast
R3(config-if)#no shutdown

Router ISP configuration
ISP(config)#int fa 0/0
ISP(config-if)#ip add 209.165.200.1 255.255.255.224
ISP(config-if)#no sh
ISP(config-if)#int se 0/0/1
ISP(config-if)#ip add 209.165.200.226 255.255.255.224
ISP(config-if)#clock rate 64000
ISP(config-if)#exit
ISP(config)#ip route 10.10.10.0 255.255.255.0 Serial0/0/1
ISP(config)#ip route 192.168.30.0 255.255.255.0 Serial0/0/1
ISP(config)#ip route 192.168.10.0 255.255.255.0 Serial0/0/1

Cloud configuration
Step 1: Open the Config tab.
Step 2: Select Serial1 from the menu bar on the left side.
Step 3: Configure LMI as Cisco or ANSI.
Step 4: Enter the DLCI and Name, then click Add.
Step 5: Select Frame Relay from the left side, configure the mapping, then click Add.

We can also use a router as the Frame Relay switch; the commands to configure it are:
FR-Switch(config)#frame-relay switching
FR-Switch(config)#interface serial 0/0/0
FR-Switch(config-if)#clock rate 64000
FR-Switch(config-if)#encapsulation frame-relay
FR-Switch(config-if)#frame-relay intf-type dce
FR-Switch(config-if)#frame-relay route 102 interface serial 0/0/1 201
FR-Switch(config-if)#frame-relay route 103 interface serial 0/1/0 301
FR-Switch(config-if)#no shutdown
This has to be done for every serial port.

If the cloud is configured with LMI type ANSI, then the serial port of R1, R2 and R3 also needs the following command:
R1(config)#interface s0/0/0
R1(config-if)#frame-relay lmi-type ansi

ACL
Standard ACL Command Syntax
access-list (number) - Number of an ACL. This is a decimal number from 1 to 99.
deny - Denies access if the conditions are matched.
permit - Permits access if the conditions are matched.

Wildcard Masking
The numbers 1 and 0 in the mask identify how to treat the corresponding IP address bits. However, they are used for different purposes and follow different rules. Wildcard masks use binary 1s and 0s to filter individual or groups of IP addresses to permit or deny access to resources based on an IP address. By carefully setting wildcard masks, you can permit or deny a single or several IP addresses.

Wildcard masks use the following rules to match binary 1s and 0s:
Wildcard mask bit 0 - Match the corresponding bit value in the address
Wildcard mask bit 1 - Ignore the corresponding bit value in the address

In the first example, the wildcard mask stipulates that every bit in the IP 192.168.1.1 must match exactly. The wildcard mask is equivalent to the subnet mask 255.255.255.255.

In the second example, the wildcard mask stipulates that anything will match. The wildcard mask is equivalent to the subnet mask 0.0.0.0.

In the third example, the wildcard mask stipulates that it will match any host within the 192.168.1.0 /24 network. The wildcard mask is equivalent to the subnet mask 255.255.255.0.

In the fourth example, the first two octets and the first four bits of the third octet must match exactly. The last four bits of the third octet and the last octet can be any valid number. This results in a mask that checks for 192.168.16.0 to 192.168.31.0.

Configuring Standard ACLs
The full syntax of the standard ACL command is as follows:
Router(config)#access-list [access-list-number] {deny | permit | remark} source [source-wildcard]
Router(config)#access-list [access-list-number] {permit | deny} any

Applying Standard ACLs on Interfaces
Router(config-if)#ip access-group {access-list-number (1-99)} {in | out}

Creating Standard Named ACLs
Router(config)#ip access-list standard {name}
Router(config-std-nacl)#{permit | deny | remark} {source [source-wildcard]}
Router(config-std-nacl)#{permit | deny} any

Now apply the Standard Named ACL on Interfaces
Router(config-if)#ip access-group {access-list-name} {in | out}

Monitoring and Verifying ACLs
Router#show access-lists {access-list-number | name}

Configuring Extended ACLs
Router(config)#access-list [access-list-no. (100-199)] {deny | permit} [protocol] {source} {source-wildcard} [any] [operator] [port]
Router(config)#access-list [access-list-no. (100-199)] {deny | permit} any any

Protocol: Name or number of an Internet protocol. Common keywords include icmp, ip, tcp, or udp. To match any Internet protocol (including ICMP, TCP, and UDP) use the ip keyword.
Operator: Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).
Port: The decimal number or name of a TCP or UDP port.

Applying Extended ACLs on Interfaces
Router(config-if)#ip access-group [access-list-no. (100-199)] [in | out]

Creating Extended Named ACLs
Router(config)#ip access-list extended {name}
Router(config-ext-nacl)#{deny | permit} [protocol] {source} {source-wildcard} [any] [operator] [port]

Now apply the Extended Named ACL on Interfaces
Router(config-if)#ip access-group {access-list-name} {in | out}
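The wildcard-mask rules and the top-down, first-match evaluation of a standard ACL (with the implicit deny at the end), as an added example that is not from these notes or from IOS. It converts a subnet mask to its wildcard, tests a source against the four mask examples above, reports the address range a reference/wildcard pair covers (the fourth example ends at host 192.168.31.255), and evaluates a constructed three-entry standard ACL; the ACL entries are assumptions.

```python
import ipaddress

MAX32 = 0xFFFFFFFF


def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_from_mask(subnet_mask: str) -> str:
    """A wildcard mask is the bitwise inverse of the subnet mask: 255.255.255.0 -> 0.0.0.255."""
    return str(ipaddress.IPv4Address(ip_int(subnet_mask) ^ MAX32))


def wildcard_match(address: str, reference: str, wildcard: str) -> bool:
    """Wildcard bit 0: the address bit must equal the reference bit; bit 1: the bit is ignored."""
    care = ip_int(wildcard) ^ MAX32          # bits we must compare
    return (ip_int(address) & care) == (ip_int(reference) & care)


def wildcard_range(reference: str, wildcard: str):
    """First and last address a reference/wildcard pair can match (fourth example: 192.168.16.0 .. 192.168.31.255)."""
    w = ip_int(wildcard)
    first = ip_int(reference) & (w ^ MAX32)
    last = ip_int(reference) | w
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(last))


# Constructed standard ACL: (action, source, source-wildcard), listed in the order entered.
ACL_10 = [
    ("deny",   "192.168.16.0", "0.0.15.255"),   # fourth example: 192.168.16.0/20
    ("permit", "192.168.1.1",  "0.0.0.0"),      # first example: one host
    ("permit", "192.168.1.0",  "0.0.0.255"),    # third example: the /24
]


def evaluate_standard_acl(acl, source: str) -> str:
    """Entries are tested top-down; the first match decides; no match hits the implicit deny any."""
    for action, reference, wildcard in acl:
        if wildcard_match(source, reference, wildcard):
            return action
    return "deny"  # implicit "deny any" at the end of every ACL


if __name__ == "__main__":
    print(wildcard_from_mask("255.255.255.0"), wildcard_from_mask("255.255.255.255"))
    print(wildcard_range("192.168.16.0", "0.0.15.255"))
    for src in ("192.168.1.1", "192.168.1.200", "192.168.20.5", "10.0.0.1"):
        print(src, "->", evaluate_standard_acl(ACL_10, src))
```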

DHCP
Configure Server0 as DHCP Server
From the Config tab, select DHCP and configure DHCP.

Configure R1 router as DHCP Server
R1(config)#ip dhcp excluded-address 172.16.20.1
R1(config)#ip dhcp pool R1LAN
R1(dhcp-config)#network 172.16.20.0 255.255.255.0
R1(dhcp-config)#default-router 172.16.20.1

Now configure R2 router so that Fa0/1 can get the 172.16.20.0/24 network and Fa0/0 can get the 172.16.10.0/24 network (ip helper-address forwards the clients' DHCP broadcasts to the given server address):
R2(config)#int fa 0/1
R2(config-if)#ip helper-address 123.123.123.2
R2(config-if)#int fa 0/0
R2(config-if)#ip helper-address 192.168.10.100

NAT
Static NAT
Step 1: Establish static translation between an inside local address and an inside global address.
Router(config)#ip nat inside source static local-ip global-ip
Step 2: Specify the inside interface.
Router(config)#interface type number
Step 3: Mark the interface as connected to the inside.
Router(config-if)#ip nat inside
Step 4: Exit interface configuration mode.
Router(config-if)#exit
Step 5: Specify the outside interface.
Router(config)#interface type number
Step 6: Mark the interface as connected to the outside.
Router(config-if)#ip nat outside

Note: Enter the global command no ip nat inside source static to remove the static source translation. Enter the interface command. The CLI prompt will change from (config)# to (config-if)#.

Configuring Dynamic NAT
Step 1: Define a pool of global addresses to be allocated as needed.
Router(config)#ip nat pool name start-ip end-ip netmask netmask
Step 2: Define a standard access list permitting those addresses that are to be translated.
Router(config)#access-list access-list-number permit source [source-wildcard]
Step 3: Establish dynamic source translation, specifying the access list defined in the prior step.
Router(config)#ip nat inside source list access-list-number pool name
Step 4: Specify the inside interface.
Router(config)#interface type number
Step 5: Mark the interface as connected to the inside.
Router(config-if)#ip nat inside
Step 6: Specify the outside interface.
Router(config)#interface type number
Step 7: Mark the interface as connected to the outside.
Router(config-if)#ip nat outside

Notes: Enter the global command no ip nat pool name to remove the pool of global addresses. Enter the global command no access-list access-list-number to remove the access list. Enter the global command no ip nat inside source to remove the dynamic source translation. Enter the interface command. The CLI prompt will change from (config)# to (config-if)#.

Configuring NAT Overload for a Single Public IP Address
Step 1: Define a standard access list permitting those addresses that are to be translated.
Router(config)#access-list acl-number permit source [source-wildcard]
Step 2: Establish dynamic source translation, specifying the access list defined in the prior step.
Router(config)#ip nat inside source list acl-number interface interface overload
Step 3: Specify the inside interface.
Router(config)#interface type number
Router(config-if)#ip nat inside
Step 4: Specify the outside interface.
Router(config-if)#interface type number
Router(config-if)#ip nat outside

Notes: Enter the global command no access-list access-list-number to remove the access list. Enter the interface command. The CLI prompt will change from (config)# to (config-if)#.

Configuring NAT Overload for a Pool of Public IP Addresses
Step 1: Define a standard access list permitting those addresses that are to be translated.
Router(config)#access-list acl-number permit source [source-wildcard]
Step 2: Specify the global address, as a pool, to be used for overloading.
Router(config)#ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
Step 3: Establish overload translation.
Router(config)#ip nat inside source list acl-number pool name overload
Step 4: Specify the inside interface.
Router(config)#interface type number
Router(config-if)#ip nat inside
Step 5: Specify the outside interface.
Router(config-if)#interface type number
Router(config-if)#ip nat outside

Notes: Enter the global command no access-list access-list-number to remove the access list. Enter the interface command. The CLI prompt will change from (config)# to (config-if)#.
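How the three pieces of an overload (PAT) configuration work together at packet level, as an added example that is not from these notes or from IOS: the access list decides which inside sources are translated, the pool supplies the inside global address(es), and the overload keyword lets many inside hosts share one global address by giving each flow its own port. Return traffic is forwarded only when it matches an existing translation, which is why hosts behind the NAT are not reachable unsolicited. The inside network, the pool address 209.165.200.225 (R2's serial address in the Frame Relay section) and the port-allocation scheme are assumptions.

```python
import ipaddress
from itertools import count


class PatTranslator:
    """Models 'ip nat inside source list <acl> pool <name> overload' for a small pool."""

    def __init__(self, permitted_inside, global_ips, first_port=1024):
        # The standard ACL, simplified to prefixes (constructed example).
        self.permitted = [ipaddress.ip_network(n) for n in permitted_inside]
        self.pool = [str(ipaddress.ip_address(g)) for g in global_ips]   # the NAT pool
        self.ports = count(first_port)          # next free global port (assumed scheme)
        self.table = {}                          # (inside local ip, port) -> (inside global ip, port)
        self.reverse = {}                        # (inside global ip, port) -> (inside local ip, port)

    def outbound(self, src_ip, src_port):
        """Inside -> outside: translate if the ACL permits the source; otherwise return None
        (the packet is forwarded untranslated, exactly as IOS does for a non-matching ACL)."""
        src = ipaddress.ip_address(src_ip)
        if not any(src in net for net in self.permitted):
            return None
        key = (str(src), src_port)
        if key not in self.table:
            port = next(self.ports)
            # overload: the pool address is shared; the port distinguishes inside hosts.
            mapping = (self.pool[len(self.table) % len(self.pool)], port)
            self.table[key] = mapping
            self.reverse[mapping] = key
        return self.table[key]

    def inbound(self, dst_ip, dst_port):
        """Outside -> inside: only packets matching an existing translation are forwarded."""
        return self.reverse.get((str(ipaddress.ip_address(dst_ip)), dst_port))


if __name__ == "__main__":
    nat = PatTranslator(["192.168.10.0/24"], ["209.165.200.225"])
    print(nat.outbound("192.168.10.5", 40000))    # first flow gets port 1024
    print(nat.outbound("192.168.10.6", 40000))    # same global IP, next port
    print(nat.outbound("10.1.1.1", 5000))         # not permitted by the ACL -> None
    print(nat.inbound("209.165.200.225", 1025))   # return traffic maps back to .6
    print(nat.inbound("209.165.200.225", 9999))   # unsolicited -> None (dropped)
```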