Network Management Review – Chapter 1-6

Chapter 2 Basic Configuration of Router

Overview

1. How to Access a Router

  • (1) Using HyperTerminal through the console port
  • (2) Managing the router via Telnet (the method used in the lab)
  • (3) Managing the router via the web management page
  • (4) Managing the router via SNMP (see Chapter 11)

2. IP Static Routing

// Add a static route
Ruijie(config)#ip route network-number network-mask { ip-address | interface-id [ ip-address ] } [ distance ] [ enabled | disabled | permanent | weight | tag ]
// Delete a static route
Ruijie(config)#no ip route network-number network-mask { ip-address | interface-id [ ip-address ] } [ distance ]

RIP

1. RIP Overview

  • (1) RIP is a distance-vector routing protocol.
  • (2) Advertised routes with hop counts greater than 15 are unreachable (so RIP is only suitable for small networks).
  • (3) Routing information is exchanged in UDP packets, using UDP port 520.
  • (4) Versions: RIPv1 and RIPv2.

2. RIP Configuration

  • (1) Creating the RIP routing process
Router(config)# router rip
  • (2) Associating networks
Router(config-router)# network network-number
  • (3) Defining the RIP version
Router(config-router)# version {1 | 2}
  • (4) Configuring route summary
  • Automatic RIP route summary: subnet routes are automatically summarized into a classful network route when they cross the border of the classful network. By default, RIPv2 performs automatic summary.
Router(config-router)# no auto-summary
  • (5) Configuring RIP timers (clock adjustment)
Router(config-router)# timers basic 30 180 120
  • (6) Configuring split horizon
Router(config-if)# no ip split-horizon
  • (7) RIP passive interface
  • A passive interface only learns RIP routes; it does not advertise them.
Router(config-router)# passive-interface {default | interface-type interface-num}
  • (8) RIP unicast update
  • Used when RIP routing information must be transmitted over a non-broadcast network, or when an interface must be stopped from broadcasting routing update packets.
Router(config-router)# neighbor ip-address

3. Configuring RIP Authentication

Ruijie(config-if)# ip rip authentication mode {text | md5}
Ruijie(config-if)# ip rip authentication text-password password-string
Ruijie(config-if)# ip rip authentication key-chain key-chain-name

OSPF

1. Introduction to OSPF protocol

  • (1) Open Shortest Path First (OSPF) is a link-state routing protocol.
  • (2) OSPF message encapsulation
    • An OSPF message is encapsulated in an IP packet. In the IP header, the protocol field is set to 89 and the destination address is one of two multicast addresses: 224.0.0.5 or 224.0.0.6.
    • If the OSPF packet is encapsulated in an Ethernet frame, the destination MAC address is also a multicast address: 01-00-5E-00-00-05 or 01-00-5E-00-00-06.
  • (3) OSPF's major advantages over RIP are its fast convergence and its scalability to much larger network implementations.
  • (4) OSPF uses Dijkstra's shortest path first (SPF) algorithm to build an SPF tree.
  • (5) OSPF has a default administrative distance of 110.
  • (6) OSPF routing areas: an OSPF routing domain can be divided into several areas, which are connected via a backbone area. Every non-backbone area must be directly connected to the backbone area.
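
The encapsulation rules above (protocol 89, the two multicast groups, and the 01-00-5E multicast MACs) can be checked mechanically. The following is an added example, not code from the notes: it derives the Ethernet multicast MAC from an IPv4 group address (RFC 1112 mapping) and inspects a constructed Ethernet+IPv4 header to decide whether a frame is OSPF and whether its destination MAC agrees with its group. The source MAC and IP in the sample frame are placeholders.

```python
import struct
import ipaddress

# Encapsulation values from the notes: IP protocol 89 and the two OSPF multicast groups.
OSPF_PROTO = 89
OSPF_GROUPS = {"224.0.0.5", "224.0.0.6"}   # AllSPFRouters, AllDRouters


def ipv4_multicast_mac(group: str) -> str:
    """Map an IPv4 multicast group to its Ethernet MAC (RFC 1112 mapping):
    the 01-00-5E prefix followed by the low 23 bits of the group address."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not a multicast address")
    low23 = int(addr) & 0x7FFFFF
    octets = (0x01, 0x00, 0x5E, low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)
    return "-".join(f"{o:02X}" for o in octets)


def build_frame(dst_mac: str, dst_ip: str, proto: int) -> bytes:
    """Build a constructed Ethernet + IPv4 header with no payload (sample input,
    not a capture). Source MAC and source IP are placeholders."""
    eth = bytes(int(x, 16) for x in dst_mac.split("-"))          # destination MAC
    eth += bytes.fromhex("001122334455") + b"\x08\x00"            # source MAC, EtherType IPv4
    src = ipaddress.IPv4Address("10.0.0.1").packed
    dst = ipaddress.IPv4Address(dst_ip).packed
    # version/IHL, DSCP CS6, total length, id, flags/frag, TTL 1 (link-local),
    # protocol, checksum (left 0, not verified here), src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0xC0, 20, 0, 0, 1, proto, 0, src, dst)
    return eth + ip


def check_ospf_frame(frame: bytes) -> dict:
    """Parse the Ethernet/IP headers and report whether the frame is OSPF by the
    notes' definition and whether its multicast MAC agrees with its IP group."""
    if len(frame) < 34:
        raise ValueError("frame too short for Ethernet + IPv4 headers")
    dst_mac = "-".join(f"{b:02X}" for b in frame[0:6])
    ethertype = struct.unpack("!H", frame[12:14])[0]
    ip = frame[14:]
    proto = ip[9]
    dst_ip = str(ipaddress.IPv4Address(ip[16:20]))
    result = {"dst_mac": dst_mac, "proto": proto, "dst_ip": dst_ip,
              "is_ospf": False, "mac_matches_group": False}
    if ethertype == 0x0800 and proto == OSPF_PROTO and dst_ip in OSPF_GROUPS:
        result["is_ospf"] = True
        # A mismatch means the frame was not addressed to the group's real MAC.
        result["mac_matches_group"] = (dst_mac == ipv4_multicast_mac(dst_ip))
    return result


if __name__ == "__main__":
    sample = build_frame("01-00-5E-00-00-05", "224.0.0.5", OSPF_PROTO)
    print(check_ospf_frame(sample))
```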

2. OSPF Configuration Task List

  • (1) Creating an OSPF routing process (mandatory)
Ruijie(config)# router ospf [process-id [vrf vrf-name]]
Ruijie(config-router)# network address wildcard-mask area area-id
Ruijie(config-router)# router-id ip-address
  • (2) Using the loopback address as the router ID
Ruijie(config)# interface loopback 1
Ruijie(config-if)# ip address ip-address mask
  • (3) Configuring the OSPF area parameters
//Set plain-text authentication as the authentication mode for the area
Ruijie(config-router)# area area-id authentication
//Set MD5 authentication as the authentication mode for the area
Ruijie(config-router)# area area-id authentication message-digest
//Set the area as a stub area; with no-summary, the ABR between areas also stops sending summary LSAs into the stub area
Ruijie(config-router)# area area-id stub [no-summary]
//Configure the cost of the default route sent to the stub area
Ruijie(config-router)# area area-id default-cost cost
  • (4) Configuring route summary between OSPF areas
//Configure route summary when routes are redistributed into OSPF
Ruijie(config-router)# area area-id range ip-address mask [advertise | not-advertise] [cost cost]
//Configure external route summary
Ruijie(config-router)# summary-address ip-address mask [not-advertise | tag tag-id]
  • (5) Configuring OSPF to accommodate different physical networks
  • To configure the network type, execute the following command in interface configuration mode:
//Configure the OSPF network type.
Ruijie(config-if)# ip ospf network {broadcast | non-broadcast | point-to-point | point-to-multipoint [non-broadcast]}
  • (6) Configuring OSPF interface parameters
//Enter the interface configuration mode.
Ruijie(config)# interface interface-id
//(Optional) Define the interface cost
Ruijie(config-if)# ip ospf cost cost-value
//(Optional) Set the Hello packet send interval, which must be the same on all nodes of the entire network.
Ruijie(config-if)# ip ospf hello-interval seconds
//(Optional) Set the dead interval for the adjacent router, which must be the same on all nodes of the entire network.
Ruijie(config-if)# ip ospf dead-interval seconds
//(Optional) Set the interface priority, used to elect the Designated Router (DR) and Backup Designated Router (BDR).
Ruijie(config-if)# ip ospf priority number

VRRP

1. VRRP Overview

  • (1) VRRP background
    • Virtual Router Redundancy Protocol (VRRP): multiple devices within a VRRP group are mapped to one virtual device, so that when the active device is faulty another member takes over (the other members act as standbys).
    • VRRP ensures that one and only one device sends packets on behalf of the virtual device at any one time, while hosts send their packets to the virtual device (only one real physical device in the group is forwarding at that moment).
    • The device that forwards packets is elected as the master device; the others are in the backup role.
  • (2) VRRP working principles
    • VRRP uses a preempt method to select the master device.
    • First condition: the highest priority.
    • Second condition: the larger (numerically) IP address.
    • The master device sends a VRRP multicast advertisement packet to the backup devices at periodic intervals (to signal that the master is working normally).
    • If a backup device within the group does not receive the advertisement from the master for a long time, it switches itself to the Master state. If more than one device within the group can become Master, the preempt process above is repeated.
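
The election and failover behaviour just described, as an added example that is not part of the notes: a small discrete-time model of one VRRP group in which the master advertises each tick, backups time out and re-run the priority/IP election, and a recovered device preempts. Router names, addresses and priorities are constructed; the master-down timer formula (3 x advertisement interval plus a priority-based skew) is taken from RFC 3768 and is an assumption beyond what the notes state.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class VrrpRouter:
    name: str
    ip: str                 # interface address: the notes' second condition (tie-breaker)
    priority: int           # the notes' first condition
    state: str = "Backup"
    last_adv: float = 0.0   # time the last master advertisement was received


def elect_master(routers):
    """The preempt election from the notes: highest priority wins; on a tie,
    the numerically larger IP address wins."""
    return max(routers, key=lambda r: (r.priority, int(ipaddress.IPv4Address(r.ip))))


def master_down_interval(advertise_interval: float, priority: int) -> float:
    """How long a backup waits without advertisements before taking over.
    Assumption beyond the notes: RFC 3768's 3 * interval + skew, where
    skew = (256 - priority) / 256, so higher-priority backups time out first."""
    return 3 * advertise_interval + (256 - priority) / 256.0


class VrrpGroup:
    """Discrete-time model of one VRRP group (constructed, not vendor code)."""

    def __init__(self, routers, advertise_interval=1.0):
        self.routers = routers
        self.adv = advertise_interval
        self.alive = {r.name: True for r in routers}
        self._set_master(elect_master(routers))

    def _set_master(self, winner):
        for r in self.routers:
            r.state = "Master" if r is winner else "Backup"

    def master(self):
        names = [r.name for r in self.routers if r.state == "Master"]
        return names[0] if names else None

    def fail(self, name):
        self.alive[name] = False          # the device stops sending advertisements

    def recover(self, name, preempt=True):
        """A failed device comes back. With preempt (the notes' method) it retakes
        the master role if it would win the election; otherwise it stays backup."""
        self.alive[name] = True
        r = next(x for x in self.routers if x.name == name)
        live = [x for x in self.routers if self.alive[x.name]]
        if preempt and elect_master(live) is r:
            self._set_master(r)
        else:
            r.state = "Backup"

    def tick(self, now: float):
        """Advance time to `now` (seconds). Returns the name the group currently
        treats as master (a dead master is only replaced once backups time out)."""
        live_master = [r for r in self.routers if r.state == "Master" and self.alive[r.name]]
        if live_master:
            for r in self.routers:            # the advertisement reaches every backup
                if r.state == "Backup":
                    r.last_adv = now
            return self.master()
        # No advertisement: backups whose master-down timer expired are candidates.
        candidates = [r for r in self.routers
                      if self.alive[r.name] and r.state == "Backup"
                      and now - r.last_adv > master_down_interval(self.adv, r.priority)]
        if candidates:
            self._set_master(elect_master(candidates))   # repeat the preempt process
        return self.master()
```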

2. VRRP Configuration Task List

  • (1) Enabling the VRRP backup function (required)
//Enable VRRP.
Ruijie(config-if)# vrrp group ip ip-address [secondary]
//Disable VRRP.
Ruijie(config-if)# no vrrp group ip ip-address [secondary]
  • (2) Setting the authentication string of the VRRP backup group (optional)
//Set the VRRP authentication string.
Ruijie(config-if)# vrrp group authentication string
//Remove the configuration.
Ruijie(config-if)# no vrrp group authentication string
  • (3) Setting the advertisement (broadcast) interval of the VRRP backup group (optional)
//Set the master device's VRRP advertisement interval.
Ruijie(config-if)# vrrp group timers advertise interval
//Restore the default value.
Ruijie(config-if)# no vrrp group timers advertise interval
  • (4) Setting the preemption mode of a device in the VRRP backup group (optional)
//Set the preemptive mode for the VRRP group
Ruijie(config-if)# vrrp group preempt [delay seconds]
//Set the non-preemptive mode for the VRRP group
Ruijie(config-if)# no vrrp group preempt
  • (5) Setting the device priority in the VRRP backup group (optional)
//Set the priority in the VRRP backup group.
Ruijie(config-if)# vrrp group priority level
//Restore the default VRRP priority.
Ruijie(config-if)# no vrrp group priority level
  • (6) Setting the interface to be monitored by the VRRP backup group (optional)
//Set the interface to be monitored by the VRRP backup group.
Ruijie(config-if)# vrrp group track interface-type number [interface-priority]
//Remove the monitored-interface setting.
Ruijie(config-if)# no vrrp group track interface-type number
  • (7) Setting the VRRP advertisement timer learning function (optional)
//Set the timer learning function
Ruijie(config-if)# vrrp group timers learn
//Cancel the timer learning function
Ruijie(config-if)# no vrrp group timers learn
  • (8) Setting the description string of a device in the VRRP backup group (optional)
//Set the description string of the VRRP group
Ruijie(config-if)# vrrp group description text
//Remove the description string of the VRRP group.
Ruijie(config-if)# no vrrp group description

3. VRRP Monitoring and Maintenance

//Check the current VRRP status.
Ruijie# show vrrp [brief | group]
//Show the VRRP status of the specified network interface.
Ruijie# show vrrp interface type number [brief]

Chapter 3 Switching Technology

VLAN

1. VLAN Overview

  • The division of VLANs is not restricted by the physical locations of network ports. Unicast, broadcast and multicast frames at Layer 2 are forwarded and distributed within a VLAN and are not allowed to go directly to other VLANs.

2. Types of VLANs

  • (1)Data VLAN
  • (2)Default VLAN
  • (3)Native VLAN

3. VLAN Trunks

  • Ethernet trunks carry the traffic of multiple VLANs over a single link. A VLAN trunk allows you to extend VLANs across an entire network. A VLAN trunk does not belong to a specific VLAN.

4. Overview of Switch Interface Types

  • (1) L2 interfaces: switch ports, L2 aggregate ports (AP)
  • (2) L3 interfaces: SVI (switch virtual interface), routed ports, L3 aggregate ports

5. Types of Switch Ports

  • (1) Access ports
  • (2) Trunk ports

6. Configuration of VLANs and Trunks

  • (1) Add a VLAN
Switch(config)# vlan vlan-id
Switch(config-vlan)# name vlan-name
  • (2) Delete a VLAN
Switch(config)# no vlan vlan-id
  • (3) Assign a switch port
Switch(config)# interface interface-id
Switch(config)# interface range port-range
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan vlan-id
  • (4) Configure an 802.1Q trunk
Switch(config)# interface interface-id
Switch(config-if)# switchport mode trunk
  • (5) Specify the default (native) VLAN of the trunk port
Switch(config-if)# switchport trunk native vlan vlan-id
  • (6) Define the trunk port VLAN permission list (which VLANs are allowed and blocked)
Switch(config-if)# switchport trunk allowed vlan {all | [add | remove | except] vlan-list}

7. Configuring Inter-VLAN Communication

  • (1) Router-on-a-stick: using IEEE 802.1Q, enable a sub-interface on the router in trunk mode so that the VLANs can communicate through it.
Router(config)# interface interface-id
Router(config-if)# no ip address
Router(config-if)# exit
Router(config)# interface fastethernet slot-number/interface-number.subinterface-number
Router(config-subif)# encapsulation dot1Q vlan-id
Router(config-subif)# ip address ip-address mask
  • (2) Configure inter-VLAN routing using a Layer 3 switch
Switch(config)# interface vlan vlan-id
Switch(config-if)# ip address ip-address mask

8. PVLAN

  • A private VLAN divides the Layer 2 broadcast domain of a VLAN into several sub-domains.
  • Each sub-domain consists of a private VLAN pair: a primary VLAN and a secondary VLAN. Secondary VLANs are further divided into isolated VLANs and community VLANs.
  • Isolated VLAN: Layer 2 communication is not possible between ports in the same isolated VLAN. There is only one isolated VLAN in a private VLAN domain.
  • Community VLAN: the ports in the same community VLAN can communicate at Layer 2, but not with ports in other community VLANs. A private VLAN domain can have more than one community VLAN.
  • Promiscuous port: a port in the primary VLAN; it can communicate with any port.
  • Promiscuous trunk port: can be a member port of multiple ordinary VLANs and private VLANs, and can communicate with any port in the same VLAN.
  • Isolated port: a port in the isolated VLAN; it can only communicate with the promiscuous port.
  • Isolated trunk port: can be a member port of multiple ordinary VLANs and PVLANs.
    • In the isolated VLAN, it can only communicate with the promiscuous port of that isolated VLAN;
    • in the community VLAN, it can communicate with the community ports in the same community VLAN and the promiscuous port;
    • in the ordinary VLAN, it follows the 802.1Q rules.
  • Community port: a port in the community VLAN; it can communicate with other community ports in the same community VLAN as well as the promiscuous port in the primary VLAN.
  • (1) Configuring a VLAN as a private VLAN
//Enter the VLAN configuration mode.
Router(config)# vlan vid
//Configure a private VLAN.
Router(config-vlan)# private-vlan {community | isolated | primary}
//Remove the configured private VLAN.
Router(config-vlan)# no private-vlan {community | isolated | primary}
//Show private VLANs
Router# show vlan private-vlan [type]
  • (2) Associating the secondary VLANs with the primary VLAN
//Enter the primary VLAN configuration mode.
Router(config)# vlan p_vid
//Associate the secondary VLANs.
Router(config-vlan)# private-vlan association {svlist | add svlist | remove svlist}
//Remove the association with all the secondary VLANs.
Router(config-vlan)# no private-vlan association
  • (3) Mapping secondary VLANs to the Layer 3 interface of the primary VLAN
//Enter the interface configuration mode of the primary VLAN.
Router(config)# interface vlan p_vid
//Map the secondary VLANs to the Layer 3 SVI of the primary VLAN.
Router(config-if)# private-vlan mapping {svlist | add svlist | remove svlist}
  • (4) Configuring a Layer 2 interface as a host port of a private VLAN
//Configure the interface as a host interface of the private VLAN.
Router(config-if)# switchport mode private-vlan host
//Remove the configuration.
Router(config-if)# no switchport mode
//Exit the interface mode.
Router(config-if)# end
//Associate the Layer 2 interface with the private VLAN (p_vid: primary VLAN ID; s_vid: secondary VLAN ID).
Router(config-if)# switchport private-vlan host-association p_vid s_vid
//Remove the association.
Router(config-if)# no switchport private-vlan host-association
  • (5) Configuring a Layer 2 interface as an isolated PVLAN trunk port
//Configure the trunk mode.
Router(config-if)# switchport mode trunk
//Associate the Layer 2 port with the private VLAN (p_vid: primary VLAN ID; s_vid: secondary VLAN ID).
Router(config-if)# switchport private-vlan association trunk p_vid s_vid
//Remove the configuration.
Router(config-if)# no switchport private-vlan association trunk p_vid s_vid
  • (6) Configuring a Layer 2 interface as the promiscuous port of a private VLAN
//Configure the interface as the promiscuous port of the private VLAN.
Router(config-if)# switchport mode private-vlan promiscuous
//Remove the configuration.
Router(config-if)# no switchport mode
//Map the secondary VLANs to the promiscuous port.
Router(config-if)# switchport private-vlan mapping p_vid {svlist | add svlist | remove svlist}

WLAN

1. Wireless Network Overview

  • A wireless network is a type of computer network in which communication or data exchange among the devices on the network is carried out without cables.

2. Wireless Technologies / Standards

  • Internationally, the three key organizations influencing WLAN standards are the ITU-R, the IEEE and the Wi-Fi Alliance.

3. Configuring a Fat AP

  • (1) Configuring the WLAN
// Enter WLAN configuration mode.
Ruijie(config)# dot11 wlan 1
// Configure the SSID.
Ruijie(dot11-wlan-config)# ssid fat_ap
// Configure the WLAN VLAN ID.
Ruijie(dot11-wlan-config)# vlan 1
// Broadcast the configured SSID.
Ruijie(dot11-wlan-config)# broadcast-ssid
  • (2) Configuring wireless parameters
// Enter Dot11radio interface configuration mode.
Ruijie(config)# interface Dot11radio 1/0
// Configure the radio channel.
Ruijie(config-if-Dot11radio 1/0)# channel 11
// Configure the RF mode of the radio
Ruijie(config-if-Dot11radio 1/0)# radio-type 802.11b
// Set the country code.
Ruijie(config-if-Dot11radio 1/0)# country-code CNI
// Set the channel width to 40 MHz.
Ruijie(config-if-Dot11radio 1/0)# chan-width 40

4. Wireless LAN Security

  • (1) WLAN link authentication
    • Open system authentication
    • Shared key authentication
  • (2) Access authentication
    • PSK access authentication (the method we commonly use)
    • 802.1X access authentication (authenticates against an authentication server)
  • (3) Wireless encryption
    • WEP (Wired Equivalent Privacy)
    • TKIP (Temporal Key Integrity Protocol) encryption
    • AES (Advanced Encryption Standard) CCMP encryption
  • (4) Configuring WLAN security
// Configure the security policy of WLAN 1
Ruijie(config)# wlansec 1
// Configure the link authentication method; here open system authentication is used
Ruijie(wlansec)# security static-wep-key authentication open
// Configure the security mode: enable WPA security mode
Ruijie(wlansec)# security wpa enable
// Or, enable RSN (WPA2) security mode
Ruijie(wlansec)# security rsn enable
// Enable the AES-CCMP encryption mode
Ruijie(wlansec)# security wpa ciphers aes enable
// Or WPA-TKIP
Ruijie(wlansec)# security wpa ciphers tkip enable
// Configure the authentication (AKM) mode of WPA/RSN: enable PSK authentication
Ruijie(wlansec)# security wpa akm psk enable
// Set the PSK to 12345.
Ruijie(wlansec)# security wpa akm psk set-key ascii 12345

Chapter 4 Enterprise Campus Security

ACL

1. Types of Basic ACLs

  • (1) Standard ACLs: standard ACLs let you permit or deny traffic based on the source IP address.
  • (2) Extended ACLs: extended ACLs filter IP packets based on several attributes (IP addresses, protocol type, ports).

2. Configuring a Basic ACL in Global Configuration Mode

//Define an access list
Ruijie(config)# access-list id {deny | permit} {src src-wildcard | host src | any | interface idx} [time-range tm-rng-name]
//Select the interface to which the access list is to be applied.
Ruijie(config)# interface interface
//Apply the access list to the specific interface.
Ruijie(config-if)# ip access-group id { in | out }  

3. Entering Criteria Statements

  • You must have at least one permit statement in an ACL, or all traffic is blocked (the default-deny principle).

4. Where to Place ACLs

  • Every ACL should be placed where it has the greatest impact on efficiency. The basic rules are:
  • (1) Locate extended ACLs as close as possible to the source of the traffic to be denied. This way, undesirable traffic is filtered without crossing the network infrastructure.
  • (2) Because standard ACLs do not specify destination addresses, place them as close to the destination as possible.
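
The standard ACL semantics covered in this section (source/wildcard matching, `host` and `any` shorthands, first-match evaluation, and the implicit deny that blocks everything when no permit is present) can be reproduced offline. The following is an added example, not configuration or code from the notes: it parses `access-list` lines of the form shown above, evaluates a source address against them, and flags the two mistakes a reviewer looks for. The ACL entries and addresses are constructed; the ACL number 12 and `host 192.168.1.2` mirror the VTY `access-class` example later in this chapter.

```python
import ipaddress
from dataclasses import dataclass

ANY_WILDCARD = "255.255.255.255"   # `any`: every bit is "don't care"
HOST_WILDCARD = "0.0.0.0"          # `host A`: every bit must match


@dataclass(frozen=True)
class AclEntry:
    action: str        # "permit" or "deny"
    source: str        # dotted address from `access-list id {deny|permit} src src-wildcard`
    wildcard: str      # wildcard mask: 0 bits must match, 1 bits are ignored


def parse_acl_line(line: str) -> AclEntry:
    """Parse one basic ACL line in the form used in the notes:
    access-list <id> {permit|deny} {A wildcard | host A | any}."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"not a basic ACL line: {line!r}")
    action, rest = tok[2], tok[3:]
    if rest[0] == "any":
        return AclEntry(action, "0.0.0.0", ANY_WILDCARD)
    if rest[0] == "host":
        return AclEntry(action, rest[1], HOST_WILDCARD)
    return AclEntry(action, rest[0], rest[1])


def matches(entry: AclEntry, src_ip: str) -> bool:
    """Wildcard match: compare only the bits that are 0 in the wildcard."""
    s = int(ipaddress.IPv4Address(src_ip))
    base = int(ipaddress.IPv4Address(entry.source))
    care = ~int(ipaddress.IPv4Address(entry.wildcard)) & 0xFFFFFFFF
    return (s & care) == (base & care)


def evaluate(acl, src_ip: str) -> str:
    """First-match evaluation with the implicit deny at the end of every ACL."""
    for entry in acl:
        if matches(entry, src_ip):
            return entry.action
    return "deny"      # no entry matched: the implicit deny applies


def lint_acl(acl):
    """Reviewer checks: an ACL with no permit blocks all traffic, and an `any`
    entry shadows every entry written after it."""
    warnings = []
    if not any(e.action == "permit" for e in acl):
        warnings.append("no permit statement: all traffic is blocked")
    for i, e in enumerate(acl):
        if e.wildcard == ANY_WILDCARD and i < len(acl) - 1:
            warnings.append(f"entry {i + 1} matches any source; later entries are never evaluated")
            break
    return warnings


# Constructed sample ACL: one management host allowed, the rest of its subnet
# denied, and a whole private block allowed.
ACL_12 = [parse_acl_line(l) for l in (
    "access-list 12 permit host 192.168.1.2",
    "access-list 12 deny 192.168.1.0 0.0.0.255",
    "access-list 12 permit 10.0.0.0 0.255.255.255",
)]

if __name__ == "__main__":
    for ip in ("192.168.1.2", "192.168.1.50", "10.20.30.40", "172.16.0.1"):
        print(ip, "->", evaluate(ACL_12, ip))
```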

Switch Security Issues

1. Port Security

  • The port security function allows packets to enter a switch port based on the source MAC address, the source MAC+IP address, or the source IP address.
  • (1) Configuration of secure ports and violation handling modes
Ruijie(config)# interface gigabitethernet 0/3
Ruijie(config-if)# switchport mode access
Ruijie(config-if)# switchport port-security
Ruijie(config-if)# switchport port-security maximum 8
Ruijie(config-if)# switchport port-security violation protect
//Convert the dynamically learned secure addresses into statically configured ones
Ruijie(config-if)# switchport port-security mac-address sticky
  • (2) Configuration of secure addresses on the secure port
//In global configuration mode, manually configure a secure address on the port.
Ruijie(config)# switchport port-security interface interface-id mac-address mac-address vlan [vlan_id]
//In interface configuration mode, add secure addresses for secure ports with the following command:
Ruijie(config-if)# switchport port-security [mac-address mac-address] vlan [vlan_id]
//In interface configuration mode, manually configure a sticky secure address on the port.
Ruijie(config-if)# switchport port-security [mac-address sticky mac-address] vlan [vlan_id]
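
How the `maximum`, `violation` and `sticky` settings above interact on a live port, as an added model that is not vendor code from the notes: each incoming source MAC is either already secure, learned into a free slot, or treated as a violation. Only the `protect` mode appears in the notes; `restrict` and `shutdown` are the other two standard modes and are included here as an assumption. MAC addresses are constructed.

```python
from collections import Counter


class SecurePort:
    """Model of one secure switch port: `switchport port-security maximum N`,
    `violation {protect|restrict|shutdown}` and `mac-address sticky`."""

    def __init__(self, maximum=8, violation="protect", sticky=False, static=()):
        if violation not in ("protect", "restrict", "shutdown"):
            raise ValueError(f"unknown violation mode: {violation}")
        self.maximum = maximum
        self.violation = violation
        self.sticky = sticky
        # secure address table: mac -> how it got there (static, sticky or dynamic)
        self.secure = {m.lower(): "static" for m in static}
        self.err_disabled = False
        self.violations = Counter()       # per offending MAC, what `restrict` would count

    def ingress(self, src_mac: str) -> str:
        """What the port does with a frame from src_mac: forward, drop or err-disable."""
        mac = src_mac.lower()
        if self.err_disabled:
            return "drop"                 # port stays down until an admin re-enables it
        if mac in self.secure:
            return "forward"
        if len(self.secure) < self.maximum:
            self.secure[mac] = "sticky" if self.sticky else "dynamic"
            return "forward"
        # Table is full and the source is unknown: a violation.
        self.violations[mac] += 1
        if self.violation == "shutdown":
            self.err_disabled = True      # whole port goes err-disabled (assumed mode)
            return "err-disable"
        # protect: silently dropped; restrict: dropped and counted (assumed mode)
        return "drop"

    def sticky_config(self):
        """Config lines the sticky feature would write for the learned addresses."""
        return [f"switchport port-security mac-address sticky {m}"
                for m, how in self.secure.items() if how == "sticky"]


if __name__ == "__main__":
    port = SecurePort(maximum=2, violation="protect", sticky=True)
    for mac in ("00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"):
        print(mac, "->", port.ingress(mac))
    print("\n".join(port.sticky_config()))
```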

2. ARP-CHECK

  • Use the following commands to configure ARP-CHECK in privileged mode:
//Enter the interface configuration mode.
Ruijie(config)# interface interface-id
//Enable ARP check.
Ruijie(config-if)# arp-check
//Disable ARP check.
Ruijie(config-if)# no arp-check
//Restore the default configuration: enabled.
Ruijie(config-if)# arp-check auto

3. DoS Protection Configuration

//Enable Land attack protection
Ruijie(config)# ip deny land
//Enable invalid TCP packet attack protection
Ruijie(config)# ip deny invalid-tcp
//Enable self-consumption packet attack protection
Ruijie(config)# ip deny invalid-l4port

Router Security Issues

1. Securing Remote Administrative Access to Routers

  • (1) Preventing logins on unused lines
R1(config)#line aux 0
R1(config-line)#no password
R1(config-line)#login
%Login disable on line 65, until 'password' is set
R1(config-line)#exit
R1(config)#
  • (2) Controlling incoming VTY access
R1(config)#line vty 0 4
R1(config-line)#no transport input
R1(config-line)#transport input telnet ssh
R1(config-line)#exit
  • (3) Additional VTY security configuration
R1(config)#line vty 0 4
R1(config-line)#exec-timeout 3
R1(config-line)#exit
R1(config)#service tcp-keepalives-in
  • (4) Ensuring at least one VTY line is available to the administrator
R1(config)#line vty 0 4
R1(config-line)#login
R1(config-line)#password cisco123
R1(config-line)#access-class 12 in
R1(config-line)#exit
R1(config)#access-list 12 permit host 192.168.1.2
  • (5) Implementing SSH to secure remote administrative access
//Step 1: Set the router hostname
R2(config)#hostname R2
//Step 2: Set the domain name
R2(config)#ip domain-name cisco.com
//Step 3: Generate the asymmetric (RSA) key pair
R2(config)#crypto key generate rsa
//Step 4: Configure local authentication and the VTY lines
R2(config)#username student secret cisco
R2(config)#line vty 0 4
R2(config-line)#transport input ssh
R2(config-line)#login local
R2(config-line)#exit
//Step 5: Configure SSH timeouts (optional)
R2(config)#ip ssh time-out 15
R2(config)#ip ssh authentication-retries 2

Chapter 5 NAT

1. NAT Types

  • (1) Dynamic NAT uses a pool of public addresses and assigns them on a first-come, first-served basis. When a host with a private IP address requests access to the Internet, dynamic NAT chooses an IP address from the pool that is not already in use by another host.
  • (2) Static NAT uses a one-to-one mapping of local and global addresses, and these mappings remain constant. Static NAT is particularly useful for web servers or hosts that must be accessible from the Internet.

2. NAT Overload

  • NAT overloading (sometimes called Port Address Translation or PAT) maps multiple private IP addresses to a single public IP address or a few addresses.

3. Configuring Dynamic NAT

Router(config)#ip nat pool pool-name start-ip end-ip {netmask netmask|prefix-length prefix-length}
Router(config)#access-list acl-number permit source [source-wildcard]
Router(config)#ip nat inside source list acl-number pool pool-name
Router(config)#interface type number
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#interface type number
Router(config-if)#ip nat outside
Router(config-if)#exit

4. Configuring Static NAT

Router(config)#ip nat inside source static local-ip global-ip
Router(config)#interface type number
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#interface type number
Router(config-if)#ip nat outside
Router(config-if)#exit

5. Configuring NAT Overload

  • (1) Configuring NAT overload for a single public IP address
Router(config)#access-list acl-number permit source [source-wildcard]
Router(config)#ip nat inside source list acl-number interface interface-name overload
Router(config)#interface type number
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#interface type number
Router(config-if)#ip nat outside
Router(config-if)#exit
  • (2) Configuring NAT overload for a pool of public IP addresses
Router(config)#access-list acl-number permit source [source-wildcard]
Router(config)#ip nat pool pool-name start-ip end-ip {netmask netmask|prefix-length prefix-length}
Router(config)#ip nat inside source list acl-number pool pool-name overload
Router(config)#interface type number
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#interface type number
Router(config-if)#ip nat outside
Router(config-if)#exit
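
What the `overload` keyword configured above makes the router do at run time, as an added model that is not vendor code from the notes: many inside addresses permitted by the ACL share one inside-global address, each flow is told apart by its translated source port, and inbound packets are only accepted when they match an existing translation. The addresses, ports and the ACL predicate are constructed.

```python
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatOverload:
    """PAT as described above: many inside (private) addresses share one
    inside-global address, distinguished by the translated source port."""

    def __init__(self, public_ip: str, inside_acl, port_range=(1024, 65535)):
        self.public_ip = public_ip
        # inside_acl stands in for the ACL named in `ip nat inside source list`
        self.inside_acl = inside_acl
        self.table = {}      # (proto, local_ip, local_port) -> global_port
        self.reverse = {}    # (proto, global_port) -> (local_ip, local_port)
        self.next_port = itertools.count(port_range[0])
        self.max_port = port_range[1]

    def _alloc_port(self, proto: str) -> int:
        for p in self.next_port:
            if p > self.max_port:
                raise RuntimeError("PAT port pool exhausted")
            if (proto, p) not in self.reverse:
                return p

    def outbound(self, f: Flow) -> Flow:
        """Inside -> outside. Sources not permitted by the ACL are forwarded untranslated."""
        if not self.inside_acl(f.src_ip):
            return f
        key = (f.proto, f.src_ip, f.src_port)
        gport = self.table.get(key)
        if gport is None:
            # Keep the original source port when it is free; otherwise take the next unused one.
            if (f.proto, f.src_port) not in self.reverse:
                gport = f.src_port
            else:
                gport = self._alloc_port(f.proto)
            self.table[key] = gport
            self.reverse[(f.proto, gport)] = (f.src_ip, f.src_port)
        return Flow(self.public_ip, gport, f.dst_ip, f.dst_port, f.proto)

    def inbound(self, f: Flow):
        """Outside -> inside. Only packets matching an existing translation pass;
        unsolicited packets to the public address have no entry and are dropped (None)."""
        entry = self.reverse.get((f.proto, f.dst_port))
        if f.dst_ip != self.public_ip or entry is None:
            return None
        local_ip, local_port = entry
        return Flow(f.src_ip, f.src_port, local_ip, local_port, f.proto)


if __name__ == "__main__":
    # Constructed: 203.0.113.1 is the single public address, 192.168.1.0/24 the inside ACL.
    nat = NatOverload("203.0.113.1", lambda ip: ip.startswith("192.168.1."))
    print(nat.outbound(Flow("192.168.1.10", 40000, "198.51.100.5", 80)))
    print(nat.outbound(Flow("192.168.1.11", 40000, "198.51.100.5", 80)))
    print(nat.inbound(Flow("198.51.100.5", 80, "203.0.113.1", 1024)))
```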

Chapter 6 WAN

1. PPP Protocol Configuration

R3(config)#interface serial 0/0
//Enabling PPP on an Interface
R3(config-if)#encapsulation ppp
//Compression (affects system performance)
R3(config-if)#compress [predictor | stac]
//Link quality monitoring: incoming and outgoing directions
R3(config-if)#ppp quality 80
//Load balancing across links
R3(config-if)#ppp multilink

2. MPLS Configuration

//Enable MPLS forwarding globally
//After MPLS forwarding is enabled, the device forwards packets according to their labels first
Ruijie(config)# mpls ip
//Enable LDP globally
//Enables LDP for a VRF instance and enters LDP configuration mode.
Ruijie(config)# mpls router ldp [vrf-name]
//Configure the LDP router ID
Ruijie(config-mpls-router)# ldp router-id interface loopback id
//Enable label switching on an interface
//Enables MPLS forwarding on an interface.
Ruijie(config-if-type ID)# label-switching
//Enable LDP on an interface
//Enables LDP on an interface.
Ruijie(config-if-type ID)# mpls ip