Permission is granted to print and copy this document for non-commercial distribution and exclusive use by instructors in the CCNA Exploration: Accessing the WAN course as part of an official Cisco Networking Academy Program.
Addressing Table

IP Address       Subnet Mask        Default Gateway
N/A              N/A                N/A
192.168.10.1     255.255.255.0      N/A
10.12.12.1       255.255.255.0      N/A
10.13.13.1       255.255.255.0      N/A
10.1.1.1         255.255.255.252    N/A
N/A              N/A                N/A
10.12.12.2       255.255.255.0      N/A
192.168.20.1     255.255.255.0      N/A
10.1.1.2         255.255.255.252    N/A
10.2.2.1         255.255.255.252    N/A
N/A              N/A                N/A
All contents are Copyright 19922009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Interface and device entries from the same table: Fa0/1.13, Fa0/1.30, S0/0/1, S1, S2, S3, PC1, PC3, VLAN10, VLAN20, VLAN30, NIC, NIC
Learning Objectives

To complete this lab:
- Cable a network according to the topology diagram.
- Erase the startup configuration and reload a router to the default state.
- Perform basic configuration tasks on a router.
- Configure and activate interfaces.
- Configure Spanning Tree Protocol.
- Configure VTP servers and clients.
- Configure VLANs on the switches.
- Configure RIP routing on all routers.
- Configure OSPF routing on all routers.
- Configure EIGRP routing on all routers.
Scenario

In this lab you will review basic routing and switching concepts. Try to do as much as possible on your own, and refer to the earlier material when you cannot proceed.

Note: configuring three separate routing protocols (RIP, OSPF and EIGRP) to route the same network is not a recommended practice and should not be done in a production network. It is done here so that you can review the major routing protocols before moving on, and so that the effect of administrative distance is clearly visible: when more than one protocol offers a route to the same prefix, the router installs the one from the source with the lowest administrative distance (EIGRP 90, OSPF 110, RIP 120).
- Configure the privileged EXEC password as class.
- Configure the following message-of-the-day banner: "Unauthorized access strictly prohibited and prosecuted to the full extent of the law".
- Configure a password for console connections.
- Configure synchronous logging.
- Configure a password for vty connections.
- Save the running configuration to NVRAM.
Step 2: Test connectivity by pinging every address in the Addressing Table.

Step 3: Verify the routing table.
Addressing Table

Device   Interface   IP Address         Subnet Mask        Default Gateway
R1       Fa0/1       192.168.10.1       255.255.255.0      N/A
R1       S0/0/0      10.1.1.1           255.255.255.252    N/A
R2       Lo0         209.165.200.225    255.255.255.224    N/A
R2       S0/0/0      10.1.1.2           255.255.255.252    N/A
R2       S0/0/1      10.2.2.1           255.255.255.252    N/A
R3       Fa0/1       192.168.30.1       255.255.255.0      N/A
R3       S0/0/1      10.2.2.2           255.255.255.252    N/A
PC1      NIC         192.168.10.10      255.255.255.0      192.168.10.1
PC3      NIC         192.168.30.10      255.255.255.0      192.168.30.1
Learning Objectives

Upon completion of this lab, you will be able to:
- Cable a network according to the topology diagram.
- Erase the startup configuration and reload a router to the default state.
- Perform basic configuration tasks on a router.
- Configure and activate interfaces.
- Configure OSPF routing on all routers.
- Configure PPP encapsulation on all serial interfaces.
- Learn about the debug ppp negotiation and debug ppp packet commands.
- Learn how to change the encapsulation on the serial interfaces from PPP to HDLC.
- Intentionally break and restore PPP encapsulation.
- Configure PPP PAP and CHAP authentication.
- Intentionally break and restore PPP PAP and CHAP authentication.
Scenario

In this lab you will learn how to configure PPP encapsulation on serial links using the network shown in the topology diagram. You will also learn how to restore serial links to their default HDLC encapsulation. Pay special attention to the router output when you intentionally break PPP encapsulation; this will help you in the troubleshooting lab associated with this chapter. Finally, you will configure PPP PAP and PPP CHAP authentication.
Step 2: Verify that you have full network connectivity.

Use the show ip route and ping commands to verify connectivity.

R1#show ip route
<output omitted>
O    192.168.30.0/24 [110/1563] via 10.1.1.2, 00:33:56, Serial0/0/0
C    192.168.10.0/24 is directly connected, FastEthernet0/1
     209.165.200.0/27 is subnetted, 1 subnets
O       209.165.200.225 [110/782] via 10.1.1.2, 00:33:56, Serial0/0/0
     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
O       10.2.2.0/30 [110/1562] via 10.1.1.2, 00:33:56, Serial0/0/0
C       10.1.1.0/30 is directly connected, Serial0/0/0

R1#ping 192.168.30.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/32/32 ms
R1#

R2#show ip route
<output omitted>
O    192.168.30.0/24 [110/782] via 10.2.2.2, 00:33:04, Serial0/0/1
O    192.168.10.0/24 [110/782] via 10.1.1.1, 00:33:04, Serial0/0/0
     209.165.200.0/27 is subnetted, 1 subnets
C       209.165.200.224 is directly connected, Loopback0
     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C       10.2.2.0/30 is directly connected, Serial0/0/1
C       10.1.1.0/30 is directly connected, Serial0/0/0

R2#ping 192.168.30.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/16/16 ms
R2#ping 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/16/16 ms
R2#

R3#show ip route
<output omitted>
C    192.168.30.0/24 is directly connected, FastEthernet0/1
O    192.168.10.0/24 [110/1563] via 10.2.2.1, 00:32:01, Serial0/0/1
     209.165.200.0/27 is subnetted, 1 subnets
O       209.165.200.225 [110/782] via 10.2.2.1, 00:32:01, Serial0/0/1
     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C       10.2.2.0/30 is directly connected, Serial0/0/1
O       10.1.1.0/30 [110/1562] via 10.2.2.1, 00:32:01, Serial0/0/1

R3#ping 209.165.200.225
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.200.225, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/16/16 ms
R3#ping 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/32/32 ms
R3#
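As an added example (not part of the Cisco lab), the following Python parses route entries like the ones above and models the two decisions a routing table reflects: which candidate is installed when several sources offer the same prefix (lowest administrative distance, then metric, which is the point the review lab makes by running RIP, OSPF and EIGRP together) and which installed route forwards a packet (longest prefix match). Only R1's OSPF output is taken from the lab; the RIP and EIGRP lines in EXTRA_CANDIDATES are constructed for illustration, and the function and class names are chosen here.

```python
"""Parse 'show ip route' entries and model the two decisions behind them:
which candidate gets installed for a prefix (lowest administrative distance,
then metric) and which installed route forwards a packet (longest prefix match).

Added example, not Cisco code.  The RIP and EIGRP lines in EXTRA_CANDIDATES
are constructed for illustration; only the OSPF output comes from the lab.
"""
import re
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

# Default administrative distances IOS assigns to the route sources seen in these labs.
ADMIN_DISTANCE = {"C": 0, "S": 1, "D": 90, "O": 110, "R": 120}

PARENT_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)/(\d+) is (?:variably )?subnetted")
LEARNED_RE = re.compile(
    r"^([A-Z])\s+(\d+\.\d+\.\d+\.\d+)(?:/(\d+))?\s+\[(\d+)/(\d+)\] via (\d+\.\d+\.\d+\.\d+),.*?,\s*(\S+)$"
)
CONNECTED_RE = re.compile(
    r"^([A-Z])\s+(\d+\.\d+\.\d+\.\d+)(?:/(\d+))?\s+is directly connected,\s*(\S+)$"
)


@dataclass(frozen=True)
class Route:
    code: str
    network: IPv4Network
    ad: int
    metric: int
    via: Optional[IPv4Address]
    interface: str


def parse_show_ip_route(text: str) -> List[Route]:
    """Handle single-letter codes, child entries that inherit the mask of their
    'is subnetted' parent, and directly connected entries.  Prompts, the code
    legend and '<output omitted>' lines do not match and are skipped."""
    routes: List[Route] = []
    parent_len = 32  # used when a child entry shows no prefix length of its own
    for raw in text.splitlines():
        line = raw.strip()
        m = PARENT_RE.match(line)
        if m:
            parent_len = int(m.group(2))
            continue
        m = LEARNED_RE.match(line)
        if m:
            code, addr, plen, ad, metric, via, iface = m.groups()
            net = ip_network(f"{addr}/{plen or parent_len}", strict=False)
            routes.append(Route(code, net, int(ad), int(metric), ip_address(via), iface))
            continue
        m = CONNECTED_RE.match(line)
        if m:
            code, addr, plen, iface = m.groups()
            net = ip_network(f"{addr}/{plen or parent_len}", strict=False)
            routes.append(Route(code, net, ADMIN_DISTANCE[code], 0, None, iface))
    return routes


def select_best(candidates: List[Route]) -> Dict[IPv4Network, Route]:
    """Install one route per prefix: lowest AD wins, metric breaks ties.
    This is why EIGRP (90) displaces OSPF (110), which displaces RIP (120)."""
    best: Dict[IPv4Network, Route] = {}
    for r in candidates:
        cur = best.get(r.network)
        if cur is None or (r.ad, r.metric) < (cur.ad, cur.metric):
            best[r.network] = r
    return best


def lookup(table: Dict[IPv4Network, Route], destination: str) -> Optional[Route]:
    """Forwarding decision: the most specific installed prefix containing the address."""
    dst = ip_address(destination)
    matches = [r for net, r in table.items() if dst in net]
    return max(matches, key=lambda r: r.network.prefixlen, default=None)


# R1's OSPF-only table, as shown in the lab.
R1_OSPF_OUTPUT = """\
R1#show ip route
<output omitted>
O    192.168.30.0/24 [110/1563] via 10.1.1.2, 00:33:56, Serial0/0/0
C    192.168.10.0/24 is directly connected, FastEthernet0/1
     209.165.200.0/27 is subnetted, 1 subnets
O       209.165.200.225 [110/782] via 10.1.1.2, 00:33:56, Serial0/0/0
     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
O       10.2.2.0/30 [110/1562] via 10.1.1.2, 00:33:56, Serial0/0/0
C       10.1.1.0/30 is directly connected, Serial0/0/0
"""

# Constructed: what R1 would also hear for 192.168.30.0/24 if RIP and EIGRP
# were running alongside OSPF, as in the review lab.  Not from the lab output.
EXTRA_CANDIDATES = """\
R    192.168.30.0/24 [120/2] via 10.1.1.2, 00:00:12, Serial0/0/0
D    192.168.30.0/24 [90/2681856] via 10.1.1.2, 00:01:40, Serial0/0/0
"""

if __name__ == "__main__":
    table = select_best(parse_show_ip_route(R1_OSPF_OUTPUT + EXTRA_CANDIDATES))
    for net, r in sorted(table.items(), key=lambda kv: str(kv[0])):
        print(f"{r.code} {net} AD={r.ad} metric={r.metric} via {r.via} {r.interface}")
    print("192.168.30.10 ->", lookup(table, "192.168.30.10"))
```

With the three candidates for 192.168.30.0/24 fed in, select_best keeps the EIGRP route even though its metric number is far larger than RIP's: administrative distance is compared first and metrics are only comparable within one protocol. The parser deliberately covers only the single-letter codes that appear in these labs (C, S, D, O, R); inter-area or external codes such as O IA or D EX would need an extended pattern.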
R3#show interface serial 0/0/1
Serial0/0/1 is up, line protocol is up
  Hardware is GT96K Serial
  Internet address is 10.2.2.2/30
  MTU 1500 bytes, BW 128 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation HDLC, loopback not set
<output omitted>

Step 2: Use debug commands on R1 and R2 to see the effects of configuring PPP.

R1#debug ppp negotiation
PPP protocol negotiation debugging is on
R1#debug ppp packet
PPP packet display debugging is on
R1#

R2#debug ppp negotiation
PPP protocol negotiation debugging is on
R2#debug ppp packet
PPP packet display debugging is on
R2#

Step 3: Change the encapsulation of the serial interfaces from HDLC to PPP.

Change the encapsulation type on the link between R1 and R2 and observe the effects. If you begin to receive too much debug data, use the undebug all command to turn it off.

R1(config)#interface serial 0/0/0
R1(config-if)#encapsulation ppp
R1(config-if)#
*Aug 17 19:02:53.412: %OSPF-5-ADJCHG: Process 1, Nbr 209.165.200.225 on Serial0/0/0 from FULL to DOWN, Neighbor Down: Interface down or detached
R1(config-if)#
*Aug 17 19:02:53.416: Se0/0/0 PPP: Phase is DOWN, Setup
*Aug 17 19:02:53.416: Se0/0/0 PPP: Using default call direction
*Aug 17 19:02:53.416: Se0/0/0 PPP: Treating connection as a dedicated line
*Aug 17 19:02:53.416: Se0/0/0 PPP: Session handle[E4000001] Session id[0]
*Aug 17 19:02:53.416: Se0/0/0 PPP: Phase is ESTABLISHING, Active Open
*Aug 17 19:02:53.424: Se0/0/0 LCP: O CONFREQ [Closed] id 1 len 10
*Aug 17 19:02:53.424: Se0/0/0 LCP:    MagicNumber 0x63B994DE (0x050663B994DE)
R1(config-if)#
*Aug 17 19:02:55.412: Se0/0/0 PPP: Outbound cdp packet dropped
*Aug 17 19:02:55.432: Se0/0/0 LCP: TIMEout: State REQsent
*Aug 17 19:02:55.432: Se0/0/0 LCP: O CONFREQ [REQsent] id 2 len 10
*Aug 17 19:02:55.432: Se0/0/0 LCP:    MagicNumber 0x63B994DE (0x050663B994DE)
*Aug 17 19:02:56.024: Se0/0/0 PPP: I pkt type 0x008F, datagramsize 24 link[illegal]
*Aug 17 19:02:56.024: Se0/0/0 UNKNOWN(0x008F): Non-NCP packet, discarding
R1(config-if)#
*Aug 17 19:02:57.252: Se0/0/0 PPP: I pkt type 0x000F, datagramsize 84 link[illegal]
*Aug 17 19:02:57.252: Se0/0/0 UNKNOWN(0x000F): Non-NCP packet, discarding
*Aug 17 19:02:57.448: Se0/0/0 LCP: TIMEout: State REQsent
*Aug 17 19:02:57.448: Se0/0/0 LCP: O CONFREQ [REQsent] id 3 len 10
*Aug 17 19:02:57.448: Se0/0/0 LCP:    MagicNumber 0x63B994DE (0x050663B994DE)
R1(config-if)#
*Aug 17 19:02:58.412: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to down

R2(config)#interface serial 0/0/0
R2(config-if)#encapsulation ppp
R2(config-if)#
*Aug 17 19:06:48.848: Se0/0/0 PPP: Phase is DOWN, Setup
*Aug 17 19:06:48.848: Se0/0/0 PPP: Using default call direction
*Aug 17 19:06:48.848: Se0/0/0 PPP: Treating connection as a dedicated line
*Aug 17 19:06:48.848: Se0/0/0 PPP: Session handle[C6000001] Session id[0]
*Aug 17 19:06:48.848: Se0/0/0 PPP: Phase is ESTABLISHING, Active Open
*Aug 17 19:06:48.856: Se0/0/0 LCP: O CONFREQ [Closed] id 1 len 10
*Aug 17 19:06:48.856: Se0/0/0 LCP:    MagicNumber 0x63BD388C (0x050663BD388C)
*Aug 17 19:06:48.860: Se0/0/0 PPP: I pkt type 0xC021, datagramsize 14 link[ppp]
*Aug 17 19:06:48.860: Se0/0/0 LCP: I CONFACK [REQsent] id 1 len 10
R2(config-if)#
*Aug 17 19:06:48.860: Se0/0/0 LCP:    MagicNumber 0x63BD388C (0x050663BD388C)
R2(config-if)#
*Aug 17 19:06:50.864: Se0/0/0 LCP: TIMEout: State ACKrcvd
*Aug 17 19:06:50.864: Se0/0/0 LCP: O CONFREQ [ACKrcvd] id 2 len 10
*Aug 17 19:06:50.864: Se0/0/0 LCP:    MagicNumber 0x63BD388C (0x050663BD388C)
*Aug 17 19:06:50.868: Se0/0/0 PPP: I pkt type 0xC021, datagramsize 14 link[ppp]
*Aug 17 19:06:50.868: Se0/0/0 LCP: I CONFREQ [REQsent] id 61 len 10
*Aug 17 19:06:50.868: Se0/0/0 LCP:    MagicNumber 0x63BDB9A8 (0x050663BDB9A8)
*Aug 17 19:06:50.868: Se0/0/0 LCP: O CONFACK [REQsent] id 61 len 10
*Aug 17 19:06:50.868: Se0/0/0 LCP:    MagicNumber 0x63BDB9A8 (0x050663BDB9A8)
*Aug 17 19:06:50.868: Se0/0/0 PPP: I pkt type 0xC021, datagramsize 14 link[ppp]
*Aug 17 19:06:50.868: Se0/0/0 LCP: I CONFACK [ACKsent] id 2 len 10
*Aug 17 19:06:50.868: Se0/0/0 LCP:    MagicNumber 0x63BD388C (0x050663BD388C)
*Aug 17 19:06:50.868: Se0/0/0 LCP: State is Open
*Aug 17 19:06:50.872: Se0/0/0 PPP: Phase is FORWARDING, Attempting Forward
*Aug 17 19:06:50.872: Se0/0/0 PPP: Phase is ESTABLISHING, Finish LCP
*Aug 17 19:06:50.872: Se0/0/0 PPP: Phase is UP
*Aug 17 19:06:50.872: Se0/0/0 IPCP: O CONFREQ [Closed] id 1 len 10
*Aug 17 19:06:50.872: Se0/0/0 IPCP:    Address 10.1.1.2 (0x03060A010102)
*Aug 17 19:06:50.872: Se0/0/0 CDPCP: O CONFREQ [Closed] id 1 len 4
*Aug 17 19:06:50.872: Se0/0/0 PPP: Process pending ncp packets
*Aug 17 19:06:50.876: Se0/0/0 PPP: I pkt type 0x8021, datagramsize 14 link[ip]
*Aug 17 19:06:50.876: Se0/0/0 IPCP: I CONFREQ [REQsent] id 1 len 10
*Aug 17 19:06:50.876: Se0/0/0 IPCP:    Address 10.1.1.1 (0x03060A010101)
*Aug 17 19:06:50.876: Se0/0/0 PPP: I pkt type 0x8207, datagramsize 8 link[cdp]
*Aug 17 19:06:50.876: Se0/0/0 IPCP: O CONFACK [REQsent] id 1 len 10
*Aug 17 19:06:50.876: Se0/0/0 IPCP:    Address 10.1.1.1 (0x03060A010101)
*Aug 17 19:06:50.876: Se0/0/0 CDPCP: I CONFREQ [REQsent] id 1 len 4
*Aug 17 19:06:50.876: Se0/0/0 CDPCP: O CONFACK [REQsent] id 1 len 4
*Aug 17 19:06:50.876: Se0/0/0 PPP: I pkt type 0x8021, datagramsize 14 link[ip]
*Aug 17 19:06:50.876: Se0/0/0 IPCP: I CONFACK [ACKsent] id 1 len 10
*Aug 17 19:06:50.876: Se0/0/0 IPCP:    Address 10.1.1.2 (0x03060A010102)
*Aug 17 19:06:50.876: Se0/0/0 IPCP: State is Open
*Aug 17 19:06:50.876: Se0/0/0 PPP: I pkt type 0x8207, datagramsize 8 link[cdp]
*Aug 17 19:06:50.876: Se0/0/0 IPCP: Install route to 10.1.1.1
*Aug 17 19:06:50.880: Se0/0/0 CDPCP: I CONFACK [ACKsent] id 1 len 4
*Aug 17 19:06:50.880: Se0/0/0 CDPCP: State is Open
*Aug 17 19:06:50.880: Se0/0/0 PPP: O pkt type 0x0021, datagramsize 80
*Aug 17 19:06:50.880: Se0/0/0 IPCP: Add link info for cef entry 10.1.1.1
*Aug 17 19:06:50.884: Se0/0/0 PPP: I pkt type 0x0021, datagramsize 80 link[ip]
*Aug 17 19:06:51.848: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to up
R2(config-if)#
*Aug 17 19:06:51.888: Se0/0/0 LCP-FS: I ECHOREQ [Open] id 1 len 12 magic 0x63BDB9A8
*Aug 17 19:06:51.888: Se0/0/0 LCP-FS: O ECHOREP [Open] id 1 len 12 magic 0x63BD388C
<output omitted>
*Aug 17 19:07:00.936: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.10.1 on Serial0/0/0 from LOADING to FULL, Loading Done

What happens when one end of the serial link is encapsulated with PPP and the other end is encapsulated with HDLC?
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
What steps does PPP go through when the other end of the serial link on R2 is configured with PPP encapsulation?
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________

What happens when PPP encapsulation is configured on each end of the serial link?
_____________________________________________________________________
_____________________________________________________________________

Step 4: Turn off debugging.

Turn off debugging if you have not already used the undebug all command.

R1#undebug all
Port Statistics for unclassified packets is not turned on.
All possible debugging has been turned off
R1#

R2#undebug all
Port Statistics for unclassified packets is not turned on.
All possible debugging has been turned off
R2#

Step 5: Change the encapsulation from HDLC to PPP on both ends of the serial link between R2 and R3.

R2(config)#interface serial0/0/1
R2(config-if)#encapsulation ppp
R2(config-if)#
*Aug 17 20:02:08.080: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.30.1 on Serial0/0/1 from FULL to DOWN, Neighbor Down: Interface down or detached
R2(config-if)#
*Aug 17 20:02:13.080: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to down
R2(config-if)#
*Aug 17 20:02:58.564: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to up
R2(config-if)#
*Aug 17 20:03:03.644: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.30.1 on Serial0/0/1 from LOADING to FULL, Loading Done
R2(config-if)#
*Aug 17 20:03:46.988: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to down

R3(config)#interface serial 0/0/1
R3(config-if)#encapsulation ppp
R3(config-if)#
*Aug 17 20:04:27.152: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to up
*Aug 17 20:04:30.952: %OSPF-5-ADJCHG: Process 1, Nbr 209.165.200.225 on Serial0/0/1 from LOADING to FULL, Loading Done

When is the line protocol on the serial link brought up and the OSPF adjacency restored?
_____________________________________________________________________
_____________________________________________________________________

Step 6: Verify that PPP is now the encapsulation on the serial interfaces.

R1#show interface serial0/0/0
Serial0/0/0 is up, line protocol is up
  Hardware is GT96K Serial
  Internet address is 10.1.1.1/30
  MTU 1500 bytes, BW 128 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Open
  Open: CDPCP, IPCP, loopback not set
<output omitted>

R2#show interface serial 0/0/0
Serial0/0/0 is up, line protocol is up
  Hardware is GT96K Serial
  Internet address is 10.1.1.2/30
  MTU 1500 bytes, BW 128 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Open
  Open: CDPCP, IPCP, loopback not set
<output omitted>

R2#show interface serial 0/0/1
Serial0/0/1 is up, line protocol is up
  Hardware is GT96K Serial
  Internet address is 10.2.2.1/30
  MTU 1500 bytes, BW 128 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Open
  Open: CDPCP, IPCP, loopback not set
<output omitted>

R3#show interface serial 0/0/1
Serial0/0/1 is up, line protocol is up
  Hardware is GT96K Serial
  Internet address is 10.2.2.2/30
  MTU 1500 bytes, BW 128 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Open
  Open: CDPCP, IPCP, loopback not set
<output omitted>
Why do both serial interfaces go down, come back up, and then go down again?
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________

Can you think of another way to change the encapsulation of a serial interface from PPP back to the default HDLC encapsulation, other than using the encapsulation hdlc command? (Hint: it has to do with the no command.)
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
Step 2: Restore PPP encapsulation on both serial interfaces of R2.

R2(config)#interface s0/0/0
R2(config-if)#encapsulation ppp
*Aug 17 20:53:06.612: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to up
R2(config-if)#interface s0/0/1
*Aug 17 20:53:10.856: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.10.1 on Serial0/0/0 from LOADING to FULL, Loading Done
R2(config-if)#encapsulation ppp
*Aug 17 20:53:23.332: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to up
R2(config-if)#
*Aug 17 20:53:24.916: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.30.1 on Serial0/0/1 from LOADING to FULL, Loading Done
R2(config-if)#
*Aug 22 18:58:58.423: %OSPF-5-ADJCHG: Process 1, Nbr 209.165.200.225 on Serial0/0/0 from FULL to DOWN, Neighbor Down: Interface down or detached
R1(config-if)#ppp pap sent-username R2 password cisco

What happens when PPP PAP authentication is configured on only one end of the serial link?
_____________________________________________________________________
_____________________________________________________________________

R2(config)#username R2 password cisco
R2(config)#interface Serial0/0/0
R2(config-if)#ppp authentication pap
R2(config-if)#ppp pap sent-username R1 password cisco
R2(config-if)#
*Aug 23 16:30:33.771: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to up
R2(config-if)#
*Aug 23 16:30:40.815: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.10.1 on Serial0/0/0 from LOADING to FULL, Loading Done
R2(config-if)#

What happens when PPP PAP authentication is configured on both ends of the serial link?
_____________________________________________________________________
_____________________________________________________________________

Step 2: Configure PPP CHAP authentication on the serial link between R2 and R3.

With PAP authentication the password crosses the link in cleartext, so anyone who can capture traffic on the link reads it directly. That is better than no authentication at all, but it is far preferable not to send the password at all. CHAP never transmits the password: the authenticator sends a random challenge, the peer answers with an MD5 hash of the packet identifier, the shared secret and the challenge, and the authenticator compares that against its own computation. Because every challenge is different, a captured response cannot be replayed. Both routers still need the same cleartext shared secret, which is why the lab stores it with username ... password rather than username ... secret (a hashed secret cannot be used to compute the CHAP response).

R2(config)#username R3 password cisco
R2(config)#int s0/0/1
R2(config-if)#ppp authentication chap
R2(config-if)#
*Aug 23 18:06:00.935: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to down
R2(config-if)#
*Aug 23 18:06:01.947: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.30.1 on Serial0/0/1 from FULL to DOWN, Neighbor Down: Interface down or detached
R2(config-if)#

R3(config)#username R2 password cisco
*Aug 23 18:07:13.074: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to up
R3(config)#int s0/0/1
R3(config-if)#
*Aug 23 18:07:22.174: %OSPF-5-ADJCHG: Process 1, Nbr 209.165.200.225 on Serial0/0/1 from LOADING to FULL, Loading Done
R3(config-if)#ppp authentication chap
R3(config-if)#

Notice that the line protocol on interface serial 0/0/1 changes state to UP even before the interface is configured for CHAP authentication. Can you guess why this happens?
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________

Step 3: Review the debug output.

To understand the CHAP process, view the output of the debug ppp authentication command on R2 and R3. Then shut down interface serial 0/0/1 on R2 and issue the no shutdown command on interface serial 0/0/1 on R2.

R2#debug ppp authentication
PPP authentication debugging is on
R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#int s0/0/1
R2(config-if)#shutdown
R2(config-if)#
*Aug 23 18:19:21.059: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.30.1 on Serial0/0/1 from FULL to DOWN, Neighbor Down: Interface down or detached
R2(config-if)#
*Aug 23 18:19:23.059: %LINK-5-CHANGED: Interface Serial0/0/1, changed state to administratively down
*Aug 23 18:19:24.059: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to down
R2(config-if)#no shutdown
*Aug 23 18:19:55.059: Se0/0/1 PPP: Using default call direction
*Aug 23 18:19:55.059: Se0/0/1 PPP: Treating connection as a dedicated line
*Aug 23 18:19:55.059: Se0/0/1 PPP: Session handle[5B000005] Session id[49]
*Aug 23 18:19:55.059: Se0/0/1 PPP: Authorization required
*Aug 23 18:19:55.063: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to up
*Aug 23 18:19:55.063: Se0/0/1 CHAP: O CHALLENGE id 48 len 23 from "R2"
*Aug 23 18:19:55.067: Se0/0/1 CHAP: I CHALLENGE id 2 len 23 from "R3"
*Aug 23 18:19:55.067: Se0/0/1 CHAP: Using hostname from unknown source
*Aug 23 18:19:55.067: Se0/0/1 CHAP: Using password from AAA
*Aug 23 18:19:55.067: Se0/0/1 CHAP: O RESPONSE id 2 len 23 from "R2"
*Aug 23 18:19:55.071: Se0/0/1 CHAP: I RESPONSE id 48 len 23 from "R3"
*Aug 23 18:19:55.071: Se0/0/1 PPP: Sent CHAP LOGIN Request
*Aug 23 18:19:55.071: Se0/0/1 PPP: Received LOGIN Response PASS
*Aug 23 18:19:55.071: Se0/0/1 PPP: Sent LCP AUTHOR Request
*Aug 23 18:19:55.075: Se0/0/1 PPP: Sent IPCP AUTHOR Request
*Aug 23 18:19:55.075: Se0/0/1 LCP: Received AAA AUTHOR Response PASS
*Aug 23 18:19:55.075: Se0/0/1 IPCP: Received AAA AUTHOR Response PASS
*Aug 23 18:19:55.075: Se0/0/1 CHAP: O SUCCESS id 48 len 4
*Aug 23 18:19:55.075: Se0/0/1 CHAP: I SUCCESS id 2 len 4
*Aug 23 18:19:55.075: Se0/0/1 PPP: Sent CDPCP AUTHOR Request
*Aug 23 18:19:55.075: Se0/0/1 CDPCP: Received AAA AUTHOR Response PASS
*Aug 23 18:19:55.079: Se0/0/1 PPP: Sent IPCP AUTHOR Request
*Aug 23 18:19:56.075: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to up
R2(config-if)#
*Aug 23 18:20:05.135: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.30.1 on Serial0/0/1 from LOADING to FULL, Loading Done

R3#debug ppp authentication
PPP authentication debugging is on
R3#
*Aug 23 18:19:04.494: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to down
R3#
*Aug 23 18:19:04.494: %OSPF-5-ADJCHG: Process 1, Nbr 209.165.200.225 on Serial0/0/1 from FULL to DOWN, Neighbor Down: Interface down or detached
*Aug 23 18:19:05.494: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to down
R3#
*Aug 23 18:19:36.494: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to up
*Aug 23 18:19:36.494: Se0/0/1 PPP: Using default call direction
*Aug 23 18:19:36.494: Se0/0/1 PPP: Treating connection as a dedicated line
*Aug 23 18:19:36.494: Se0/0/1 PPP: Session handle[3C000034] Session id[52]
*Aug 23 18:19:36.494: Se0/0/1 PPP: Authorization required
*Aug 23 18:19:36.498: Se0/0/1 CHAP: O CHALLENGE id 2 len 23 from "R3"
*Aug 23 18:19:36.502: Se0/0/1 CHAP: I CHALLENGE id 48 len 23 from "R2"
*Aug 23 18:19:36.502: Se0/0/1 CHAP: Using hostname from unknown source
*Aug 23 18:19:36.506: Se0/0/1 CHAP: Using password from AAA
*Aug 23 18:19:36.506: Se0/0/1 CHAP: O RESPONSE id 48 len 23 from "R3"
*Aug 23 18:19:36.506: Se0/0/1 CHAP: I RESPONSE id 2 len 23 from "R2"
R3#
*Aug 23 18:19:36.506: Se0/0/1 PPP: Sent CHAP LOGIN Request
*Aug 23 18:19:36.506: Se0/0/1 PPP: Received LOGIN Response PASS
*Aug 23 18:19:36.510: Se0/0/1 PPP: Sent LCP AUTHOR Request
*Aug 23 18:19:36.510: Se0/0/1 PPP: Sent IPCP AUTHOR Request
*Aug 23 18:19:36.510: Se0/0/1 LCP: Received AAA AUTHOR Response PASS
*Aug 23 18:19:36.510: Se0/0/1 IPCP: Received AAA AUTHOR Response PASS
*Aug 23 18:19:36.510: Se0/0/1 CHAP: O SUCCESS id 2 len 4
*Aug 23 18:19:36.510: Se0/0/1 CHAP: I SUCCESS id 48 len 4
*Aug 23 18:19:36.514: Se0/0/1 PPP: Sent CDPCP AUTHOR Request
*Aug 23 18:19:36.514: Se0/0/1 PPP: Sent IPCP AUTHOR Request
*Aug 23 18:19:36.514: Se0/0/1 CDPCP: Received AAA AUTHOR Response PASS
R3#
*Aug 23 18:19:37.510: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to up
R3#
*Aug 23 18:19:46.570: %OSPF-5-ADJCHG: Process 1, Nbr 209.165.200.225 on Serial0/0/1 from LOADING to FULL, Loading Done
R3#
*Aug 24 15:54:17.215: %SYS-5-CONFIG_I: Configured from console by console
R3#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
R3#reload

After the reload, what is the status of the line protocol on serial 0/0/1?
_____________________________________________________________________
_____________________________________________________________________

Step 4: Restore PPP CHAP authentication by changing the password on R3.

R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#username R2 password cisco
R3(config)#
*Aug 24 16:11:10.679: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to up
R3(config)#
*Aug 24 16:11:19.739: %OSPF-5-ADJCHG: Process 1, Nbr 209.165.200.225 on Serial0/0/1 from LOADING to FULL, Loading Done
R3(config)#
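Added example, not Cisco code: a small Python model of the CHAP exchange that the debug output above shows between R2 and R3 (each side challenges the other, so authentication is mutual), of the failure that Step 4 repairs (the shared secret for the peer changed on one router only), and of the PAP request for contrast. Router, mutual_chap and pap_authenticate_request are names chosen for this example; the usernames dictionary stands in for the routers' username <peer> password <secret> entries. The response computation follows RFC 1994 (MD5 over identifier, secret and challenge) and the PAP packet layout follows RFC 1334.

```python
"""CHAP (RFC 1994) and PAP (RFC 1334) as negotiated over a PPP link.

Added example modelled on the R2 <-> R3 exchange in the lab; not Cisco code.
Router, mutual_chap and pap_authenticate_request are names chosen here.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Response = Tuple[int, bytes, str]  # (Identifier, Response Value, Name)


def chap_md5_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994, section 4.1: MD5(Identifier || shared secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def pap_authenticate_request(identifier: int, peer_id: str, password: str) -> bytes:
    """RFC 1334 Authenticate-Request: Code 1, Identifier, Length,
    Peer-ID-Length, Peer-ID, Passwd-Length, Password.  Nothing is hashed,
    so the password is readable by anyone who captures the frame."""
    pid, pwd = peer_id.encode(), password.encode()
    body = bytes([len(pid)]) + pid + bytes([len(pwd)]) + pwd
    return bytes([1, identifier & 0xFF]) + (4 + len(body)).to_bytes(2, "big") + body


@dataclass
class Router:
    hostname: str
    # Stand-in for the 'username <peer> password <secret>' table.  CHAP needs
    # the cleartext secret on both ends, which is why hashed 'secret' entries
    # cannot be used for it.
    usernames: Dict[str, str]
    next_id: int = 1

    def challenge(self) -> Tuple[int, bytes, str]:
        """O CHALLENGE: a fresh Identifier, 16 unpredictable bytes, our Name."""
        ident = self.next_id
        self.next_id = (self.next_id % 255) + 1
        return ident, os.urandom(16), self.hostname

    def respond(self, ident: int, value: bytes, challenger: str) -> Optional[Response]:
        """O RESPONSE: hash the challenge with the secret we hold for the challenger
        ('Using password from AAA' in the debug output)."""
        secret = self.usernames.get(challenger)
        if secret is None:
            return None
        return ident, chap_md5_response(ident, secret.encode(), value), self.hostname

    def verify(self, ident: int, value: bytes, response: Optional[Response]) -> bool:
        """Decide SUCCESS or FAILURE for a peer's response to our own challenge."""
        if response is None or response[0] != ident:
            return False
        secret = self.usernames.get(response[2])  # look up the Name the peer sent
        if secret is None:
            return False
        expected = chap_md5_response(ident, secret.encode(), value)
        return hmac.compare_digest(expected, response[1])  # constant-time compare


def mutual_chap(a: Router, b: Router) -> Tuple[bool, bool]:
    """Both ends challenge each other, as R2 and R3 do on Serial0/0/1.
    Returns (a accepts b, b accepts a); the link comes up only if both are True."""
    id_a, val_a, name_a = a.challenge()
    id_b, val_b, name_b = b.challenge()
    resp_from_b = b.respond(id_a, val_a, name_a)
    resp_from_a = a.respond(id_b, val_b, name_b)
    return a.verify(id_a, val_a, resp_from_b), b.verify(id_b, val_b, resp_from_a)


if __name__ == "__main__":
    r2 = Router("R2", {"R3": "cisco"})
    r3 = Router("R3", {"R2": "cisco"})
    print("matching secrets     :", mutual_chap(r2, r3))
    # The break that Step 4 repairs: the secret for R2 was changed on R3 only.
    r3_changed = Router("R3", {"R2": "class"})
    print("secret changed on R3 :", mutual_chap(r2, r3_changed))
    pap = pap_authenticate_request(1, "R1", "cisco")
    print("PAP request carries the password in clear:", b"cisco" in pap)
```

Two consequences of the model matter outside the lab. CHAP keeps the secret off the wire and a fresh random challenge defeats replay, but an attacker who captures one challenge/response pair can run offline guesses against the MD5 computation, so a secret like cisco falls immediately; use a long random shared secret. And because both ends must compute the same MD5, the secret has to be stored in recoverable form in the configuration, so the configuration file and its backups need the same protection as the secret itself.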
 clockrate 64000
 ppp authentication pap
 ppp pap sent-username R2 password 0 cisco
 no shutdown
!
router ospf 1
 network 10.1.1.0 0.0.0.3 area 0
 network 192.168.10.0 0.0.0.255 area 0
!
banner motd ^CUnauthorized access strictly prohibited and prosecuted to the full extent of the law^C
!
line con 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
line aux 0
line vty 0 4
 password cisco
 login
!
end

R2#show run
!<output omitted>
!
hostname R2
!
enable secret class
!
no ip domain lookup
!
username R3 password 0 cisco
username R2 password 0 cisco
!
interface Loopback0
 ip address 209.165.200.225 255.255.255.224
!
interface Serial0/0/0
 ip address 10.1.1.2 255.255.255.252
 encapsulation ppp
 ppp authentication pap
 ppp pap sent-username R1 password 0 cisco
 no shutdown
!
interface Serial0/0/1
 ip address 10.2.2.1 255.255.255.252
 encapsulation ppp
 clockrate 64000
 ppp authentication chap
 no shutdown
!
router ospf 1
 network 10.1.1.0 0.0.0.3 area 0
 network 10.2.2.0 0.0.0.3 area 0
 network 209.165.200.224 0.0.0.31 area 0
!
banner motd ^CUnauthorized access strictly prohibited and prosecuted to the full extent of the law^C
!
line con 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
line aux 0
line vty 0 4
 password cisco
 login
!
end

R3#show run
!<output omitted>
!
hostname R3
!
enable secret class
!
no ip domain lookup
!
username R2 password 0 cisco
!
interface FastEthernet0/1
 ip address 192.168.30.1 255.255.255.0
 no shutdown
!
interface Serial0/0/1
 ip address 10.2.2.2 255.255.255.252
 encapsulation ppp
 ppp authentication chap
 no shutdown
!
router ospf 1
 network 10.2.2.0 0.0.0.3 area 0
 network 192.168.30.0 0.0.0.255 area 0
!
banner motd ^CUnauthorized access strictly prohibited and prosecuted to the full extent of the law^C
!
line con 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
line aux 0
line vty 0 4
 password cisco
 login
!
end

A note on these configurations: every username and line password appears as password 0 cisco, and type 0 means the string is stored in cleartext in the running and startup configuration; only enable secret is stored as a hash. CHAP needs the cleartext shared secret on both routers, so it cannot be stored with username ... secret, which makes the configuration itself the thing to protect: anyone who can run show run or read a configuration backup holds the PAP/CHAP secret. In a production network use a long random shared secret that differs from the console and vty passwords, enable service password-encryption so the secret is at least obscured in listings (type 7 is reversible, so this is obfuscation rather than protection), and restrict who can read configurations and backups.
Addressing Table

IP Address         Subnet Mask        Default Gateway
10.0.0.1           255.255.255.128    N/A
172.16.0.1         255.255.255.252    N/A
172.16.0.9         255.255.255.252    N/A
209.165.200.161    255.255.255.224    N/A
172.16.0.2         255.255.255.252    N/A
172.16.0.5         255.255.255.252    N/A
10.0.0.129         255.255.255.128    N/A
Learning objectives

To complete this lab:
- Cable a network according to the topology diagram.
- Erase the startup configuration and reload the router to its default state.
- Perform basic configuration tasks on a router.
- Configure and activate interfaces.
- Configure OSPF routing on all routers.
- Configure PPP encapsulation on all serial interfaces.
- Change the encapsulation on the serial interfaces from PPP to HDLC.
- Intentionally break and restore PPP CHAP encapsulation.
- Configure PPP CHAP authentication.
- Intentionally break and restore PPP CHAP authentication.
Scenario

In this lab, you will learn how to configure PPP encapsulation on serial links using the network shown in the topology diagram. You will also configure PPP CHAP authentication. If you need assistance, refer to the basic PPP configuration lab, but try to do it on your own first.
IP address        Subnet mask        Default gateway
10.0.0.1          255.255.255.128    N/A
172.16.0.1        255.255.255.252    N/A
172.16.0.9        255.255.255.252    N/A
209.165.200.161   255.255.255.224    N/A
172.16.0.2        255.255.255.252    N/A
172.16.0.5        255.255.255.252    N/A
Learning objectives

To complete this lab:
- Cable a network according to the topology diagram.
- Erase the startup configuration and reload the router to its default state.
- Load the routers with scripts.
- Find and correct all network errors.
- Document the corrected network.
Scenario

The routers in your company were configured by an inexperienced network engineer. Several errors in the configuration have resulted in connectivity problems. Your boss has asked you to troubleshoot, correct the configuration errors, and document your work. Using your knowledge of PPP and standard testing methods, find and correct the errors. Make sure that all serial links use PPP CHAP authentication and that all networks are reachable.
 ip address 172.16.0.1 255.255.255.248
 no fair-queue
 clockrate 64000
!
interface Serial0/0/1
 ip address 172.16.0.9 255.255.255.252
 encapsulation ppp
 ppp authentication pap
!
router ospf 1
 log-adjacency-changes
 network 10.0.0.0 0.0.0.127 area 0
 network 172.16.0.4 0.0.0.3 area 0
 network 172.16.0.8 0.0.0.3 area 0
!
ip classless
!
ip http server
!
control-plane
!
banner motd ^CUnauthorized access strictly prohibited and prosecuted to the full extent of the law^C
!
line con 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
line aux 0
line vty 0 4
 password cisco
 login
!
end

R2

enable
configure terminal
!
hostname R2
!
enable secret class
!
no ip domain lookup
!
username R1 password 0 cisco
username R3 password 0 class
!
interface Loopback0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 209.165.200.161 255.255.255.224
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 172.16.0.2 255.255.255.252
 encapsulation ppp
 no fair-queue
 ppp authentication chap
!
interface Serial0/0/1
 ip address 172.16.0.5 255.255.255.252
!
router ospf 1
 log-adjacency-changes
 network 172.16.0.0 0.0.0.3 area 0
 network 172.16.0.4 0.0.0.3 area 0
 network 209.165.200.128 0.0.0.31 area 0
!
ip classless
!
ip http server
!
control-plane
!
banner motd ^CUnauthorized access strictly prohibited and prosecuted to the full extent of the law^C
!
line con 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
line aux 0
line vty 0 4
 password cisco
 login
!
end

R3

enable
configure terminal
!
hostname R3
!
enable secret class
!
no ip domain lookup
!
username R1 password 0 cisco
username R3 password 0 ciscco
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.0.0.129 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 172.16.0.10 255.255.255.252
 no fair-queue
 clockrate 64000
!
interface Serial0/0/1
 encapsulation ppp
 ppp authentication pap
!
router ospf 1
 log-adjacency-changes
 network 10.0.0.128 0.0.0.127 area 0
 network 192.16.0.4 0.0.0.3 area 0
 network 192.16.0.8 0.0.0.3 area 0
!
ip classless
!
ip http server
!
control-plane
!
banner motd ^CUnauthorized access strictly prohibited and prosecuted to the full extent of the law^C
!
line con 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
line aux 0
line vty 0 4
 password cisco
 login
!
end
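The scripts above carry the planted errors that the next task asks you to find, and the checks a reviewer applies to them (both ends on PPP, both ends on CHAP, a username entry for the peer with the same secret on both sides) are mechanical enough to script. The following Python audit is an added example, not part of the Cisco lab: the three router scripts embedded in it are constructed to mirror the lab's error pattern (a PAP link, a serial interface left on the default encapsulation, a CHAP secret that differs between the two ends) rather than being the lab's exact files, links are paired by their /30 network, and the finding codes are my own naming.

```python
"""Audit PPP CHAP consistency across Cisco IOS router scripts (added example,
not part of the Cisco lab). The scripts are constructed to mirror the lab's
planted-error pattern: a PAP link, a serial interface left on the default
encapsulation, and a CHAP secret that differs between the two ends."""
import ipaddress
import re
from collections import defaultdict

CONFIGS = {
    "R1": """\
username R2 password 0 cisco
username R3 password 0 cisco
interface Serial0/0/0
 ip address 172.16.0.1 255.255.255.252
 encapsulation ppp
 ppp authentication chap
interface Serial0/0/1
 ip address 172.16.0.9 255.255.255.252
 encapsulation ppp
 ppp authentication pap
""",
    "R2": """\
username R1 password 0 cisco
username R3 password 0 class
interface Serial0/0/0
 ip address 172.16.0.2 255.255.255.252
 encapsulation ppp
 ppp authentication chap
interface Serial0/0/1
 ip address 172.16.0.5 255.255.255.252
""",
    "R3": """\
username R1 password 0 cisco
username R2 password 0 ciscco
interface Serial0/0/0
 ip address 172.16.0.10 255.255.255.252
interface Serial0/0/1
 ip address 172.16.0.6 255.255.255.252
 encapsulation ppp
 ppp authentication chap
""",
}


def parse_config(text):
    """Reduce a flat IOS script to the fields the audit needs."""
    cfg = {"users": {}, "ifaces": {}, "pw_encryption": False}
    cur = None  # interface block currently open, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            cfg["ifaces"][cur] = {"ip": None, "encap": None, "auth": None}
        elif m := re.match(r"username (\S+) password(?: \d)? (\S+)$", line):
            cfg["users"][m.group(1)], cur = m.group(2), None  # global command ends the block
        elif line == "service password-encryption":
            cfg["pw_encryption"], cur = True, None
        elif cur and (m := re.match(r"ip address (\S+) (\S+)$", line)):
            cfg["ifaces"][cur]["ip"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif cur and line.startswith("encapsulation "):
            cfg["ifaces"][cur]["encap"] = line.split()[1]
        elif cur and line.startswith("ppp authentication "):
            cfg["ifaces"][cur]["auth"] = line.split()[2]
    return cfg


def audit(configs):
    """Return (router, interface, code, detail) findings for every serial link."""
    parsed = {name: parse_config(text) for name, text in configs.items()}
    findings, links = [], defaultdict(list)  # links: /30 network -> [(router, ifname, data)]
    for router, cfg in parsed.items():
        if cfg["users"] and not cfg["pw_encryption"]:
            # Secrets are stored as typed; type 7 is reversible anyway, so treat the config as sensitive.
            findings.append((router, None, "CLEARTEXT_SECRETS", "no service password-encryption"))
        for name, data in cfg["ifaces"].items():
            if name.startswith("Serial") and data["ip"] is None:
                findings.append((router, name, "NO_IP", "serial interface has no ip address"))
            elif name.startswith("Serial"):
                links[data["ip"].network].append((router, name, data))
    for net, ends in sorted(links.items(), key=lambda kv: kv[0]):
        if len(ends) != 2:  # a lone end means the peer's address or mask is wrong
            findings.extend((r, n, "NO_PEER", f"no peer found on {net}") for r, n, _ in ends)
            continue
        (ra, ia, da), (rb, ib, db) = ends
        for router, name, data, peer in ((ra, ia, da, rb), (rb, ib, db, ra)):
            if data["encap"] != "ppp":
                findings.append((router, name, "NOT_PPP", f"encapsulation is {data['encap'] or 'hdlc (default)'}"))
            if data["auth"] != "chap":
                findings.append((router, name, "NOT_CHAP", f"ppp authentication is {data['auth'] or 'none'}"))
            if peer not in parsed[router]["users"]:
                findings.append((router, name, "NO_USERNAME", f"no 'username {peer}' entry for the CHAP peer"))
        # CHAP: each side must hold the same secret under the other side's hostname.
        for_b, for_a = parsed[ra]["users"].get(rb), parsed[rb]["users"].get(ra)
        if for_b and for_a and for_b != for_a:
            findings.append((ra, ia, "SECRET_MISMATCH", f"{ra} holds '{for_b}' for {rb}, {rb} holds '{for_a}' for {ra}"))
    return findings


if __name__ == "__main__":
    for router, iface, code, detail in audit(CONFIGS):
        print(f"{router:3} {iface or '-':12} {code:17} {detail}")
```

Run it as a script to print one line per finding. The R1-R2 link, which is configured correctly on both ends, produces nothing; the R1-R3 link reports the PAP side and the end left on HDLC, and the R2-R3 link reports the secret mismatch. The cleartext-secret finding fires for every router because none of the scripts enable service password-encryption; it is there to remind you that CHAP secrets live in the running-config and that the type 7 encoding that command applies is only obfuscation.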
Task 2: Find and correct all network errors

Task 3: Document the corrected network
Now that you have corrected all the errors and tested connectivity across the network, document the final configuration of each device.
Task 4: Clean up
Erase the configurations and reload the routers. Disconnect and store the cabling. For PCs that are normally connected to other networks (such as the school LAN or the Internet), reconnect the appropriate cabling and restore the TCP/IP settings.
Interface   IP address        Subnet mask        Default gateway
Fa0/0       192.168.10.1      255.255.255.0      N/A
S0/0/1      10.1.1.1          255.255.255.252    N/A
S0/0/1      10.1.1.2          255.255.255.252    N/A
Lo 0        209.165.200.225   255.255.255.224    N/A
VLAN1       192.168.10.2      255.255.255.0      192.168.10.1
NIC         192.168.10.10     255.255.255.0      192.168.10.1
Learning objectives

After completing this lab, you will be able to:
- Cable a network according to the topology diagram.
- Erase the startup configuration and reload the router to its default state.
CCNA Exploration Accessing the WAN: Frame Relay. Lab 3.5.1: Basic Frame Relay
- Perform basic configuration tasks on a router.
- Configure and activate interfaces.
- Configure EIGRP routing on all routers.
- Configure Frame Relay encapsulation on all serial interfaces.
- Configure a router as a Frame Relay switch.
- Understand the output of the show frame-relay commands.
- Learn the effects of the debug frame-relay lmi command.
- Intentionally break and restore a Frame Relay link.
- Change the Frame Relay encapsulation type from the Cisco default to IETF.
- Change the Frame Relay LMI type from Cisco to ANSI.
- Configure a Frame Relay subinterface.
Scenario

In this lab, you will learn how to configure Frame Relay encapsulation on serial links using the network shown in the topology diagram. You will also learn how to configure a router as a Frame Relay switch. Both Cisco standards and open standards apply to Frame Relay, and you will learn both. Pay special attention to the part of the lab in which you intentionally break the Frame Relay configuration; it will help you in the troubleshooting lab associated with this chapter.
Basic configurations for all routers

enable
configure terminal
hostname [R1, R2, FR-Switch]
no ip domain-lookup
enable secret class
banner motd ^CUnauthorized access strictly prohibited, violators will be prosecuted to the full extent of the law^C
!
!
!
line console 0
 logging synchronous
 password cisco
 login
!
line vty 0 4
 password cisco
 login
end
copy running-config startup-config
Basic configurations for switch

enable
configure terminal
hostname [S1]
no ip domain-lookup
enable secret class
banner motd ^CUnauthorized access strictly prohibited, violators will be prosecuted to the full extent of the law^C
!
!
!
line console 0
 logging synchronous
 password cisco
 login
!
line vty 0 15
 password cisco
 login
end
copy running-config startup-config
R1

interface serial 0/0/1
 ip address 10.1.1.1 255.255.255.252
 shutdown
 !The serial interfaces must stay shut down until the
 !Frame Relay switch has been configured
interface fastethernet 0/0
 ip address 192.168.10.1 255.255.255.0
 no shutdown
router eigrp 1
 no auto-summary
 network 10.0.0.0
 network 192.168.10.0
!

R2

interface serial 0/0/1
 ip address 10.1.1.2 255.255.255.252
 shutdown
 !The serial interfaces must stay shut down until the
 !Frame Relay switch has been configured
interface loopback 0
 ip address 209.165.200.225 255.255.255.224
router eigrp 1
 no auto-summary
 network 10.0.0.0
 network 209.165.200.0
!
What is a PVC and how is it used?
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________

Step 1: Configure FR Switch as a Frame Relay switch and create a PVC between R1 and R2.

This command enables Frame Relay switching globally on the router, allowing it to forward frames based on the incoming DLCI rather than on the IP address:

FR-Switch(config)#frame-relay switching

Change the interface encapsulation type to Frame Relay. Like HDLC or PPP, Frame Relay is a data link layer protocol that specifies the framing of Layer 2 traffic.

FR-Switch(config)#interface serial 0/0/0
FR-Switch(config-if)#clock rate 64000
FR-Switch(config-if)#encapsulation frame-relay

Changing the interface type to DCE tells the router to send LMI keepalives and allows Frame Relay route statements to be applied. You cannot configure PVCs with the frame-relay route command between two Frame Relay DTE interfaces.

FR-Switch(config-if)#frame-relay intf-type dce

Note: the Frame Relay interface type does not have to match the underlying physical interface type. A physical DTE serial interface can act as a Frame Relay DCE interface, and a physical DCE interface can act as a logical Frame Relay DTE interface.

Configure the router to forward traffic arriving on interface serial 0/0/0 with DLCI 102 out of serial 0/0/1 with an outgoing DLCI of 201.

FR-Switch(config-if)#frame-relay route 102 interface serial 0/0/1 201
FR-Switch(config-if)#no shutdown

This configuration creates two PVCs: one from R1 to R2 (DLCI 102) and one from R2 to R1 (DLCI 201). You can verify the configuration with the show frame-relay pvc command.
FR-Switch(config-if)#interface serial 0/0/1
FR-Switch(config-if)#clock rate 64000
FR-Switch(config-if)#encapsulation frame-relay
FR-Switch(config-if)#frame-relay intf-type dce
FR-Switch(config-if)#frame-relay route 201 interface serial 0/0/0 102
FR-Switch(config-if)#no shutdown

FR-Switch#show frame-relay pvc

PVC Statistics for interface Serial0/0/0 (Frame Relay DCE)

              Active     Inactive      Deleted       Static
  Local          0            0            0            0
  Switched       0            1            0            0
  Unused         0            0            0            0

DLCI = 102, DLCI USAGE = SWITCHED, PVC STATUS = INACTIVE, INTERFACE = Serial0/0/0
  input pkts 0             output pkts 0            in bytes 0
  out bytes 0              dropped pkts 0           in pkts dropped 0
  out pkts dropped 0                out bytes dropped 0
  in FECN pkts 0           in BECN pkts 0           out FECN pkts 0
  out BECN pkts 0          in DE pkts 0             out DE pkts 0
  out bcast pkts 0         out bcast bytes 0
  30 second input rate 0 bits/sec, 0 packets/sec
  30 second output rate 0 bits/sec, 0 packets/sec
  switched pkts 0
  Detailed packet drop counters:
  no out intf 0            out intf down 0          no out PVC 0
  in PVC down 0            out PVC down 0           pkt too big 0
  shaping Q full 0         pkt above DE 0           policing drop 0
  pvc create time 00:03:33, last time pvc status changed 00:00:19

PVC Statistics for interface Serial0/0/1 (Frame Relay DCE)

              Active     Inactive      Deleted       Static
  Local          0            0            0            0
  Switched       0            1            0            0
  Unused         0            0            0            0
DLCI = 201, DLCI USAGE = SWITCHED, PVC STATUS = INACTIVE, INTERFACE = Serial0/0/1
  input pkts 0             output pkts 0            in bytes 0
  out bytes 0              dropped pkts 0           in pkts dropped 0
  out pkts dropped 0                out bytes dropped 0
  in FECN pkts 0           in BECN pkts 0           out FECN pkts 0
  out BECN pkts 0          in DE pkts 0             out DE pkts 0
  out bcast pkts 0         out bcast bytes 0
  30 second input rate 0 bits/sec, 0 packets/sec
  30 second output rate 0 bits/sec, 0 packets/sec
  switched pkts 0
  Detailed packet drop counters:
  no out intf 0            out intf down 0          no out PVC 0
  in PVC down 0            out PVC down 0           pkt too big 0
  shaping Q full 0         pkt above DE 0           policing drop 0
  pvc create time 00:02:02, last time pvc status changed 00:00:18

Note the 1 in the Inactive column. The PVC that was created has neither of its endpoints configured yet. The Frame Relay switch knows this and has marked the PVC as Inactive.

Issue the show frame-relay route command. It shows the existing Frame Relay route, its interfaces, DLCIs, and status. This is the Layer 2 route that Frame Relay traffic follows across the network; do not confuse it with Layer 3 IP routing.

FR-Switch#show frame-relay route
Input Intf      Input Dlci      Output Intf     Output Dlci     Status
Serial0/0/0     102             Serial0/0/1     201             inactive
Serial0/0/1     201             Serial0/0/0     102             inactive
Step 2: Configure R1 for Frame Relay.

Inverse ARP allows the remote ends of a Frame Relay link to discover each other dynamically and provides a dynamic method of mapping IP addresses to DLCIs. Although useful, Inverse ARP is not always reliable. The recommended practice is to map IP addresses to DLCIs statically and to disable Inverse ARP.

R1(config)#interface serial 0/0/1
R1(config-if)#encapsulation frame-relay
R1(config-if)#no frame-relay inverse-arp

Why would you want to map an IP address to a DLCI?
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________

The frame-relay map command statically maps an IP address to a DLCI. Besides mapping IP to a DLCI, Cisco IOS software allows several other Layer 3 protocol addresses to be mapped. The broadcast keyword in the following command sends any multicast or broadcast traffic destined for this link over the DLCI. Most routing protocols require the broadcast keyword to work correctly over Frame Relay. You can use the broadcast keyword on several DLCIs on the same interface; the traffic is replicated to all of those PVCs.

R1(config-if)#frame-relay map ip 10.1.1.2 102 broadcast

For the router to be able to ping its own interface, a second map must be created that maps the DLCI to the local interface.

R1(config-if)#frame-relay map ip 10.1.1.1 102

Is the DLCI mapped to the local IP address or to the IP address at the other end of the PVC?
_____________________________________________________________________________

R1(config-if)#no shutdown

Why is the no shutdown command used after the no frame-relay inverse-arp command?
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________

Step 3: Configure R2 for Frame Relay.

R2(config)#interface serial 0/0/1
R2(config-if)#encapsulation frame-relay
R2(config-if)#no frame-relay inverse-arp
R2(config-if)#frame-relay map ip 10.1.1.1 201 broadcast

For the router to be able to ping its own interface, a second map must be created that maps the DLCI to the local interface.

R2(config-if)#frame-relay map ip 10.1.1.2 201
R2(config-if)#no shutdown

At this point you receive messages indicating that the interfaces have come up and that the EIGRP neighbor adjacency has been established.

R1#*Sep 9 17:05:08.771: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.1.2 (Serial0/0/1) is up: new adjacency
R2#*Sep 9 17:05:47.691: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.1.1 (Serial0/0/1) is up: new adjacency

The show ip route command shows the complete routing tables.

R1:
R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.10.0/24 is directly connected, FastEthernet0/0
D    209.165.200.0/24 [90/20640000] via 10.1.1.2, 00:00:07, Serial0/0/1
     10.0.0.0/30 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, Serial0/0/1

R2:
R2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

D    192.168.10.0/24 [90/20514560] via 10.1.1.1, 00:26:03, Serial0/0/1
     209.165.200.0/27 is subnetted, 1 subnets
C       209.165.200.224 is directly connected, Loopback0
     10.0.0.0/30 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, Serial0/0/1
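Steps 1 to 3 above build one PVC out of three pieces that must agree with each other: the frame-relay route pair on the switch, the frame-relay map on each DTE, and the broadcast keyword that carries the EIGRP hellos (Task 5 below shows what happens when that keyword is missing). The following Python checker is an added example, not part of the Cisco lab; it cross-checks those pieces. The configs embedded in it are constructed to mirror the lab topology (R1 s0/0/1 cabled to FR-Switch s0/0/0, R2 s0/0/1 to FR-Switch s0/0/1), the ATTACHMENTS table standing in for the topology diagram, and the finding codes are my own naming. Treating any router process as proof that multicast hellos will cross the link is an assumption made to keep the parser short.

```python
"""Cross-check a Frame Relay switch's PVC routes against the DTEs' static maps
(added example, not part of the Cisco lab). The configs are constructed to
mirror the lab topology: R1 s0/0/1 is cabled to FR-Switch s0/0/0 and
R2 s0/0/1 to FR-Switch s0/0/1; finding codes are my own naming."""
import re

FR_SWITCH = """\
interface serial 0/0/0
 frame-relay intf-type dce
 frame-relay route 102 interface serial 0/0/1 201
interface serial 0/0/1
 frame-relay intf-type dce
 frame-relay route 201 interface serial 0/0/0 102
"""
R1 = """\
interface serial 0/0/1
 ip address 10.1.1.1 255.255.255.252
 encapsulation frame-relay
 frame-relay map ip 10.1.1.2 102 broadcast
 frame-relay map ip 10.1.1.1 102
router eigrp 1
 network 10.0.0.0
"""
R2 = """\
interface serial 0/0/1
 ip address 10.1.1.2 255.255.255.252
 encapsulation frame-relay
 frame-relay map ip 10.1.1.1 201 broadcast
 frame-relay map ip 10.1.1.2 201
router eigrp 1
 network 10.0.0.0
"""
# Task 5 state: the remote map re-added without the broadcast keyword.
R1_NO_BROADCAST = R1.replace("102 broadcast", "102")
# Hypothetical slip: R2 points its peer map at R1's DLCI instead of its own.
R2_WRONG_DLCI = R2.replace("ip 10.1.1.1 201 broadcast", "ip 10.1.1.1 102 broadcast")
# Which DTE interface is cabled to which switch port (taken from the topology diagram).
ATTACHMENTS = {("R1", "serial 0/0/1"): "serial 0/0/0", ("R2", "serial 0/0/1"): "serial 0/0/1"}


def _norm(name):
    """Fold 'serial 0/0/1' and 'Serial0/0/1' into one spelling."""
    return name.replace(" ", "").lower()


def parse_switch(text):
    """{(in_port, in_dlci): (out_port, out_dlci)} from frame-relay route lines."""
    routes, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            cur = _norm(line[len("interface "):])
        elif cur and (m := re.match(r"frame-relay route (\d+) interface (.+?) (\d+)$", line)):
            routes[(cur, int(m.group(1)))] = (_norm(m.group(2)), int(m.group(3)))
    return routes


def parse_dte(text):
    """({iface: {"ip", "maps": [(ip, dlci, broadcast)]}}, runs_routing_protocol)."""
    ifaces, cur, routing = {}, None, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            cur = _norm(line[len("interface "):])
            ifaces[cur] = {"ip": None, "maps": []}
        elif line.startswith("router "):
            # Assumption: any routing process on the box sends multicast hellos over the PVC.
            cur, routing = None, True
        elif cur and (m := re.match(r"ip address (\S+) \S+$", line)):
            ifaces[cur]["ip"] = m.group(1)
        elif cur and (m := re.match(r"frame-relay map ip (\S+) (\d+)( broadcast)?$", line)):
            ifaces[cur]["maps"].append((m.group(1), int(m.group(2)), m.group(3) is not None))
    return ifaces, routing


def audit_frame_relay(switch_text, dte_texts, attachments):
    """Return (router, interface, code, detail) findings; an empty list means consistent."""
    findings, routes = [], parse_switch(switch_text)
    for (in_port, in_dlci), (out_port, out_dlci) in routes.items():
        # The lab configures both directions explicitly; flag any one-way entry.
        if routes.get((out_port, out_dlci)) != (in_port, in_dlci):
            findings.append(("FR-Switch", in_port, "ROUTE_ONE_WAY", f"DLCI {in_dlci} has no return route"))
    attach = {(r, _norm(i)): _norm(p) for (r, i), p in attachments.items()}
    port_owner = {p: key for key, p in attach.items()}
    dtes = {r: parse_dte(t) for r, t in dte_texts.items()}
    for router, (ifaces, routing) in dtes.items():
        for iface, data in ifaces.items():
            port = attach.get((router, iface))
            if port is None:
                continue  # not attached to the Frame Relay switch
            for ip, dlci, bcast in data["maps"]:
                if ip == data["ip"]:
                    continue  # local-address map used so the router can ping itself
                hop = routes.get((port, dlci))
                if hop is None:
                    findings.append((router, iface, "DLCI_NOT_SWITCHED", f"switch has no route for DLCI {dlci} on {port}"))
                    continue
                peer = port_owner.get(hop[0])
                peer_ip = dtes[peer[0]][0][peer[1]]["ip"] if peer else None
                if peer_ip != ip:
                    findings.append((router, iface, "MAP_WRONG_PEER", f"DLCI {dlci} ends at {peer_ip}, map says {ip}"))
                if routing and not bcast:
                    findings.append((router, iface, "MAP_NO_BROADCAST", f"routing hellos will not cross DLCI {dlci}"))
    return findings


if __name__ == "__main__":
    for label, r1, r2 in (("good", R1, R2), ("no broadcast", R1_NO_BROADCAST, R2), ("wrong dlci", R1, R2_WRONG_DLCI)):
        print(label, audit_frame_relay(FR_SWITCH, {"R1": r1, "R2": r2}, ATTACHMENTS))
```

The checker follows each DTE map through the switch: the map's DLCI is looked up on the switch port the router is cabled to, the route's output port is resolved back to the router on the far end, and that router's interface address is compared with the address in the map. The local-address map from Step 2 is skipped on purpose, since it exists only so the router can ping its own interface and carries no hellos. The "no broadcast" variant reproduces the Task 5 condition in which pings succeed but the adjacency never stabilises.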
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/29/32 ms

R2#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/29/32 ms

Step 2: Obtain PVC information.

The show frame-relay pvc command displays information about all PVCs configured on the router. The output also includes the associated DLCI.

R1:
R1#show frame-relay pvc

PVC Statistics for interface Serial0/0/1 (Frame Relay DTE)

              Active     Inactive      Deleted       Static
  Local          1            0            0            0
  Switched       0            0            0            0
  Unused         0            0            0            0
DLCI = 102, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0/0/1
  input pkts 5             output pkts 5            in bytes 520
  out bytes 520            dropped pkts 0           in pkts dropped 0
  out pkts dropped 0                out bytes dropped 0
  in FECN pkts 0           in BECN pkts 0           out FECN pkts 0
  out BECN pkts 0          in DE pkts 0             out DE pkts 0
  out bcast pkts 0         out bcast bytes 0
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
  pvc create time 10:26:41, last time pvc status changed 00:01:04
R2:
R2#show frame-relay pvc

PVC Statistics for interface Serial0/0/1 (Frame Relay DTE)

              Active     Inactive      Deleted       Static
  Local          1            0            0            0
  Switched       0            0            0            0
  Unused         0            0            0            0

DLCI = 201, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0/0/1
  input pkts 5             output pkts 5            in bytes 520
  out bytes 520            dropped pkts 0           in pkts dropped 0
  out pkts dropped 0                out bytes dropped 0
  in FECN pkts 0           in BECN pkts 0           out FECN pkts 0
  out BECN pkts 0          in DE pkts 0             out DE pkts 0
  out bcast pkts 0         out bcast bytes 0
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
  pvc create time 10:25:31, last time pvc status changed 00:00:00

FR Switch:
FR-Switch#show frame-relay pvc

PVC Statistics for interface Serial0/0/0 (Frame Relay DCE)

              Active     Inactive      Deleted       Static
  Local          0            0            0            0
  Switched       1            0            0            0
  Unused         0            0            0            0

DLCI = 102, DLCI USAGE = SWITCHED, PVC STATUS = ACTIVE, INTERFACE = Serial0/0/0
  input pkts 0             output pkts 0            in bytes 0
  out bytes 0              dropped pkts 0           in pkts dropped 0
  out pkts dropped 0                out bytes dropped 0
  in FECN pkts 0           in BECN pkts 0           out FECN pkts 0
  out BECN pkts 0          in DE pkts 0             out DE pkts 0
  out bcast pkts 0         out bcast bytes 0
  30 second input rate 0 bits/sec, 0 packets/sec
  30 second output rate 0 bits/sec, 0 packets/sec
  switched pkts 0
  Detailed packet drop counters:
  no out intf 0            out intf down 0          no out PVC 0
  in PVC down 0            out PVC down 0           pkt too big 0
  shaping Q full 0         pkt above DE 0           policing drop 0
  pvc create time 10:28:31, last time pvc status changed 00:03:57
PVC Statistics for interface Serial0/0/1 (Frame Relay DCE)

              Active     Inactive      Deleted       Static
  Local          0            0            0            0
  Switched       1            0            0            0
  Unused         0            0            0            0

DLCI = 201, DLCI USAGE = SWITCHED, PVC STATUS = ACTIVE, INTERFACE = Serial0/0/1
  input pkts 0             output pkts 0            in bytes 0
  out bytes 0              dropped pkts 0           in pkts dropped 0
  out pkts dropped 0                out bytes dropped 0
  in FECN pkts 0           in BECN pkts 0           out FECN pkts 0
  out BECN pkts 0          in DE pkts 0             out DE pkts 0
  out bcast pkts 0         out bcast bytes 0
  30 second input rate 0 bits/sec, 0 packets/sec
  30 second output rate 0 bits/sec, 0 packets/sec
  switched pkts 0
  Detailed packet drop counters:
  no out intf 0            out intf down 0          no out PVC 0
  in PVC down 0            out PVC down 0           pkt too big 0
  shaping Q full 0         pkt above DE 0           policing drop 0
  pvc create time 10:27:00, last time pvc status changed 00:04:03

Step 3: Verify Frame Relay mappings.

The show frame-relay map command displays information about the static and dynamic mappings of Layer 3 addresses to DLCIs. Because Inverse ARP has been disabled, only static maps are present.

R1:
R1#show frame-relay map
Serial0/0/1 (up): ip 10.1.1.2 dlci 102(0x66,0x1860), static,
              broadcast,
              CISCO, status defined, active

R2:
R2#show frame-relay map
Serial0/0/1 (up): ip 10.1.1.1 dlci 201(0xC9,0x3090), static,
              broadcast,
              CISCO, status defined, active

FR Switch:
Because FR Switch operates as a Layer 2 device, there is no need to map Layer 3 addresses to Layer 2 DLCIs.
Step 4: Debug the Frame Relay LMI.

What is the purpose of the LMI in a Frame Relay network?
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________

What are the three different LMI types?
_____________________________________________________________________________

On which DLCI does the Cisco LMI operate?
_____________________________________________________________________________

Run the debug frame-relay lmi command. The output provides detailed information about all LMI data. Because keepalives are sent every 10 seconds, you may have to wait a moment before any output appears. The debug output shows two LMI packets: the first outgoing, the second incoming.

R1#debug frame-relay lmi
Frame Relay LMI debugging is on
Displaying all Frame Relay LMI data
R1#
*Aug 24 06:19:15.920: Serial0/0/1(out): StEnq, myseq 196, yourseen 195, DTE up
*Aug 24 06:19:15.920: datagramstart = 0xE73F24F4, datagramsize = 13
*Aug 24 06:19:15.920: FR encap = 0xFCF10309
*Aug 24 06:19:15.920: 00 75 01 01 00 03 02 C4 C3
*Aug 24 06:19:15.920:
*Aug 24 06:19:15.924: Serial0/0/1(in): Status, myseq 196, pak size 21
*Aug 24 06:19:15.924: RT IE 1, length 1, type 0
*Aug 24 06:19:15.924: KA IE 3, length 2, yourseq 196, myseq 196
*Aug 24 06:19:15.924: PVC IE 0x7 , length 0x6 , dlci 102, status 0x2 , bw 0
R1#undebug all
Port Statistics for unclassified packets is not turned on.
All possible debugging has been turned off

Note that the output shows an outgoing LMI packet with sequence number 196. The last LMI message received from the FR Switch had sequence number 195.
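The Status Enquiry in the debug output above can be decoded byte by byte, which is a useful check when reading captures of a link that is stuck in "DTE down". The following Python decoder is an added example, not from the Cisco lab: it takes the FR encap word (0xFCF10309) and the nine data bytes printed above and recovers the DLCI (1023, the Cisco LMI DLCI), the unnumbered-information control byte, the NLPID, the message type, the report type, and the two keepalive sequence numbers that the debug line summarises as myseq and yourseen. The dictionary field names, the truncated-IE check and the pvc_status_flags helper (which decodes the status 0x2 byte of the PVC IE in the incoming Status message) are my own additions.

```python
"""Decode a Cisco LMI Status Enquiry as printed by 'debug frame-relay lmi'
(added example, not from the Cisco lab). SAMPLE_ENCAP and SAMPLE_BODY are the
values shown in the debug output; field names are my own."""

SAMPLE_ENCAP = 0xFCF10309                     # "FR encap = 0xFCF10309"
SAMPLE_BODY = "00 75 01 01 00 03 02 C4 C3"    # the 9 data bytes (datagramsize 13 = 4 + 9)

MSG_TYPES = {0x75: "STATUS ENQUIRY", 0x7D: "STATUS"}
REPORT_TYPES = {0: "full status", 1: "link integrity verification only", 2: "single PVC async status"}
IE_NAMES = {0x01: "report type", 0x03: "keepalive", 0x07: "pvc status"}
LMI_DLCI = {1023: "cisco", 0: "ansi/q933a"}   # LMI rides on DLCI 1023 (Cisco) or 0 (ANSI, Q.933A)


def q922_dlci(b0, b1):
    """10-bit DLCI from the two-byte Q.922 address: bits 7..2 of byte 0 give the
    high six bits, bits 7..4 of byte 1 the low four (bit 0 of byte 1 is the EA bit)."""
    return ((b0 >> 2) << 4) | (b1 >> 4)


def parse_ies(data):
    """Split a type-length-value run into (id, value) pairs; refuse truncated IEs."""
    ies, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("dangling IE header")
        ie_id, ie_len = data[i], data[i + 1]
        value = data[i + 2:i + 2 + ie_len]
        if len(value) != ie_len:
            raise ValueError(f"IE 0x{ie_id:02X} claims {ie_len} bytes, {len(value)} present")
        ies.append((ie_id, value))
        i += 2 + ie_len
    return ies


def decode_lmi(encap, body_hex):
    """Decode one Cisco LMI message from its 4-byte encap word and its data bytes."""
    e = encap.to_bytes(4, "big")
    body = bytes.fromhex(body_hex)
    if len(body) < 2:
        raise ValueError("body too short for call reference and message type")
    out = {
        "dlci": q922_dlci(e[0], e[1]),
        "control": e[2],            # 0x03 = unnumbered information
        "nlpid": e[3],              # 0x09 on Cisco LMI, 0x08 (Q.933) on ANSI/Q933A
        "call_ref": body[0],        # dummy call reference, always 0 for LMI
        "msg_type": MSG_TYPES.get(body[1], f"unknown 0x{body[1]:02X}"),
        "ies": [],
    }
    out["lmi_type"] = LMI_DLCI.get(out["dlci"], "unknown")
    for ie_id, value in parse_ies(body[2:]):
        out["ies"].append((IE_NAMES.get(ie_id, f"ie 0x{ie_id:02X}"), value.hex()))
        if ie_id == 0x01 and len(value) == 1:
            out["report_type"] = REPORT_TYPES.get(value[0], f"unknown {value[0]}")
        elif ie_id == 0x03 and len(value) == 2:
            # first byte: sender's current sequence ("myseq"); second: last one it saw ("yourseen")
            out["send_seq"], out["recv_seq"] = value[0], value[1]
    return out


def is_well_formed(body_hex):
    """True when every IE in the body is complete; a sanity check on captured bytes."""
    try:
        parse_ies(bytes.fromhex(body_hex)[2:])
        return True
    except ValueError:
        return False


def pvc_status_flags(status):
    """Decode the 'status 0x..' byte of a PVC status IE into flag names."""
    flags = []
    if status & 0x08:
        flags.append("new")
    if status & 0x04:
        flags.append("deleted")
    if status & 0x02:
        flags.append("active")
    return flags or ["inactive"]


if __name__ == "__main__":
    d = decode_lmi(SAMPLE_ENCAP, SAMPLE_BODY)
    print(f"DLCI {d['dlci']} ({d['lmi_type']}), {d['msg_type']}, {d['report_type']}, "
          f"myseq {d['send_seq']}, yourseen {d['recv_seq']}")
    print("PVC status 0x2 =", pvc_status_flags(0x2))
```

Reading the nine bytes with the decoder: 00 is the call reference, 75 the Status Enquiry message type, 01 01 00 a report-type IE asking for a full status report, and 03 02 C4 C3 the keepalive IE carrying send sequence 196 and last-received sequence 195, exactly the myseq and yourseen values on the debug line. The incoming Status message in the same output answers with yourseq 196, which is how each side verifies that the other is still listening; a receiver that keeps reporting a stale yourseen is the symptom behind the "DTE down" state that the LMI-type exercise later in this lab produces.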
*Aug 24 06:19:15.920: Serial0/0/1(out): StEnq, myseq 196, yourseen 195, DTE up

This line indicates an incoming LMI message from the FR Switch to R1 with sequence number 196.

*Aug 24 06:19:15.924: PVC IE 0x7 , length 0x6 , dlci 102, status 0x2 , bw 0

Task 5: Troubleshoot Frame Relay.
Several tools are available for troubleshooting Frame Relay connectivity problems. To learn how to troubleshoot, you will break the Frame Relay connection established earlier and then re-establish it.

Step 1: Remove the frame map from R1.

R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#interface serial0/0/1
R1(config-if)#encapsulation frame-relay
R1(config-if)#no frame-relay map ip 10.1.1.2 102 broadcast

Now that you have removed the frame map statement from R1, try to ping router R1 from router R2. You will get no response.

R2#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

You should also see console messages reporting the EIGRP adjacency going down and coming back up.

R1(config-if)#*Sep 9 17:28:36.579: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.1.2 (Serial0/0/1) is down: Interface Goodbye received
R1(config-if)#*Sep 9 17:29:32.583: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.1.2 (Serial0/0/1) is up: new adjacency
R1(config-if)#*Sep 9 17:32:37.095: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.1.2 (Serial0/0/1) is down: retry limit exceeded
R2#*Sep 9 17:29:15.359: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.1.1 (Serial0/0/1) is down: holding time expired

Issue the debug ip icmp command on R1:

R1#debug ip icmp
ICMP packet debugging is on
Now ping the serial interface of R1 again. The following debug messages are displayed on R1:

R2#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R1#*Sep 9 17:42:13.415: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.2
R1#*Sep 9 17:42:15.411: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.2
R1#*Sep 9 17:42:17.411: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.2
R1#*Sep 9 17:42:19.411: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.2
R1#*Sep 9 17:42:21.411: ICMP: echo reply sent, src 10.1.1.1, dst 10.1.1.2

As these debug messages show, the ICMP packets from R2 are reaching R1.

Why does the ping fail?
_____________________________________________________________________________
_____________________________________________________________________________

Issuing the show frame-relay map command returns a blank line.

R1#show frame-relay map
R1#

Turn off all debugging with the undebug all command and reapply the frame-relay map ip command, this time without the broadcast keyword.

R1#undebug all
Port Statistics for unclassified packets is not turned on.
All possible debugging has been turned off
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#interface serial0/0/1
R1(config-if)#encapsulation frame-relay
R1(config-if)#frame-relay map ip 10.1.1.2 102

R2#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/41/44 ms

Note that even though the pings succeed, the EIGRP adjacency keeps flapping (going up and down).
R1(config-if)#*Sep 9 17:47:58.375: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.1.2 (Serial0/0/1) is up: new adjacency
R1(config-if)#*Sep 9 17:51:02.887: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.1.2 (Serial0/0/1) is down: retry limit exceeded
R1(config-if)#*Sep 9 17:51:33.175: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.1.2 (Serial0/0/1) is up: new adjacency
R1(config-if)#*Sep 9 17:54:37.687: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.1.2 (Serial0/0/1) is down: retry limit exceeded

Why does the EIGRP adjacency keep dropping?
_____________________________________________________________________________
_____________________________________________________________________________

Replace the Frame Relay map statement, this time including the broadcast keyword. Verify that the full routing table is restored and that you have complete end-to-end connectivity.

R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#interface serial0/0/1
R1(config-if)#encapsulation frame-relay
R1(config-if)#frame-relay map ip 10.1.1.2 102 broadcast

R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.10.0/24 is directly connected, FastEthernet0/0
     209.165.200.0/27 is subnetted, 1 subnets
D       209.165.200.224 [90/20640000] via 10.1.1.2, 00:00:05, Serial0/0/1
     10.0.0.0/30 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, Serial0/0/1
Step 2: Change the Frame Relay encapsulation type.

Cisco IOS software supports two Frame Relay encapsulation types: the default Cisco encapsulation and IETF encapsulation. Change the Frame Relay encapsulation on serial0/0/1 of R2 to IETF.

R2(config-if)#encapsulation frame-relay ietf

Notice that the interface does not go down. This may surprise you. Cisco routers can correctly interpret Frame Relay frames that use either the default Cisco Frame Relay encapsulation or the IETF Frame Relay encapsulation. If the network consists entirely of Cisco routers, it makes no difference whether the default Cisco encapsulation or IETF is used, because Cisco routers understand both types of incoming frames. If, however, you have routers from different vendors using Frame Relay, the IETF standard must be used. The encapsulation frame-relay ietf command forces the Cisco router to encapsulate its outgoing
All contents are Copyright 19922009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Pgina 15 de 25
CCNA Exploration Acessando a WAN: Frame Relay Laboratrio 3.5.1: Frame Relay bsico
sada utilizando o padro IETF. Esse padro pode ser compreendido corretamente pelo roteador de outro fornecedor. R2#show interface serial 0/0/1 Serial0/0/1 is up, line protocol is up
Hardware is GT96K Serial
Internet address is 10.1.1.2/30 MTU 1500 bytes, BW 128 Kbit, DLY 20000 usec,
Encapsulation FRAME-RELAY IETF, loopback not set <sada do comando omitida> FR-Switch#show int s0/0/0 Serial0/0/0 is up, line protocol is up
Hardware is GT96K Serial
MTU 1500 bytes, BW 128 Kbit, DLY 20000 usec, Encapsulation FRAME-RELAY, loopback not set
Note the difference in output between the two show interface commands. Also note that the EIGRP adjacency is still up. Even though they are using different encapsulation types, FR Switch and R2 are still passing traffic.

Change the encapsulation type back to the default:

R2(config-if)#encapsulation frame-relay

Step 4: Change the LMI type.

On R2, change the LMI type to ANSI.

R2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#interface serial 0/0/1
R2(config-if)#encapsulation frame-relay
R2(config-if)#frame-relay lmi-type ansi
R2(config-if)#^Z
R2#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
*Sep 9 18:41:08.351: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to down
*Sep 9 18:41:08.351: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.1.1 (Serial0/0/1) is down: interface down

R2#show interface serial 0/0/1
Serial0/0/1 is up, line protocol is down

R2#show frame-relay lmi

LMI Statistics for interface Serial0/0/1 (Frame Relay DTE) LMI TYPE = ANSI
  Invalid Unnumbered info 0             Invalid Prot Disc 0
  Invalid dummy Call Ref 0              Invalid Msg Type 0
  Invalid Status Message 0              Invalid Lock Shift 0
  Invalid Information ID 0              Invalid Report IE Len 0
  Invalid Report Request 0              Invalid Keep IE Len 0
  Num Status Enq. Sent 1391             Num Status msgs Rcvd 1382
  Num Update Status Rcvd 0              Num Status Timeouts 10
  Last Full Status Req 00:00:27         Last Full Status Rcvd 00:00:27
If you keep issuing the show frame-relay lmi command, you will see the highlighted timeouts increasing. After 60 seconds the interface changes its state to Up Down, because R2 and FR Switch have stopped exchanging keepalives or any other link status information.

Issue the debug frame-relay lmi command. Notice that the LMI packets are no longer shown in pairs. While every outgoing LMI message is logged, no incoming message is shown. This is because R2 is expecting ANSI LMI, while FR Switch is sending Cisco LMI.

R2#debug frame-relay lmi
DTE down
*Aug 25 04:34:25.774: datagramstart = 0xE73F2634, datagramsize = 14
*Aug 25 04:34:25.774: FR encap = 0x00010308
*Aug 25 04:34:25.774: 00 75 95 01 01 00 03 02 14 00
*Aug 25 04:34:25.774:

Leave debugging on and restore the LMI type to Cisco on R2.

R2(config-if)#frame-relay lmi-type cisco
*Aug 25 04:42:45.774: Serial0/0/1(out): StEnq, myseq 2, yourseen 1, DTE down
*Aug 25 04:42:45.774: datagramstart = 0xE7000D54, datagramsize = 13
*Aug 25 04:42:45.774: FR encap = 0xFCF10309
*Aug 25 04:42:45.774: 00 75 01 01 01 03 02 02 01
*Aug 25 04:42:45.774:
*Aug 25 04:42:45.778: Serial0/0/1(in): Status, myseq 2, pak size 21
*Aug 25 04:42:45.778: RT IE 1, length 1, type 0
*Aug 25 04:42:45.778: KA IE 3, length 2, yourseq 2 , myseq 2
*Aug 25 04:42:45.778: PVC IE 0x7 , length 0x6 , dlci 201, status 0x2 , bw 0
*Aug 25 04:42:55.774: Serial0/0/1(out): StEnq, myseq 3, yourseen 2, DTE up
*Aug 25 04:42:55.774: datagramstart = 0xE7001614, datagramsize = 13
*Aug 25 04:42:55.774: FR encap = 0xFCF10309
*Aug 25 04:42:55.774: 00 75 01 01 01 03 02 03 02
*Aug 25 04:42:55.774:
*Aug 25 04:42:55.778: Serial0/0/1(in): Status, myseq 3, pak size 21
*Aug 25 04:42:55.778: RT IE 1, length 1, type 0
*Aug 25 04:42:55.778: KA IE 3, length 2, yourseq 1 , myseq 3
*Aug 25 04:42:55.778: PVC IE 0x7 , length 0x6 , dlci 201, status 0x2 , bw 0
*Aug 25 04:42:56.774: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to up

As you can see, the LMI sequence number was reset to 1, and R2 began to understand the LMI messages arriving from FR Switch. After LMI messages were exchanged between FR Switch and R2, the interface changed its state to Up.
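The two status-enquiry frames in the debug output above (the "FR encap" word followed by the hex dump) decoded field by field. This is an added example, not code from the Cisco lab; the byte layout comes from the LMI specifications (Q.933 Annex A, ANSI T1.617 Annex D and the Cisco LMI), the two sample frames are the ones printed above, and `lmi_mismatch` is a helper written for this illustration. It shows concretely why R2's ANSI frames (DLCI 0, protocol discriminator 0x08, locking shift 0x95) and the switch's Cisco LMI frames (DLCI 1023, discriminator 0x09) are unintelligible to each other, which is the mismatch the rising Num Status Timeouts counter and the line-protocol drop reflect.

```python
"""Decode the raw LMI frames that `debug frame-relay lmi` prints.

Added example; this is not code from the Cisco lab. Each sample is the
"FR encap" word followed by the hex dump exactly as the debug output on
this page shows it. Field meanings follow Q.933 Annex A, ANSI T1.617
Annex D and the Cisco LMI; the IE names mirror the debug output (RT, KA).
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Captured on this page: R2 sending ANSI LMI while the switch spoke Cisco LMI.
ANSI_STENQ = bytes.fromhex("00010308" "00759501010003021400")
# Captured on this page: R1's Cisco LMI status enquiry (myseq 136, yourseen 135).
CISCO_STENQ = bytes.fromhex("FCF10309" "00750101000302" "8887")

MESSAGE_TYPES = {0x75: "STATUS ENQUIRY", 0x7D: "STATUS"}
REPORT_TYPES = {0: "full status", 1: "link integrity verification only",
                2: "single PVC asynchronous status"}


@dataclass
class LmiFrame:
    dlci: int                        # 1023 for Cisco LMI, 0 for ANSI / Q.933 Annex A
    protocol_discriminator: int      # 0x09 Cisco, 0x08 Q.933
    lmi_type: str                    # "cisco", "ansi", "q933a" or "unknown"
    message_type: str
    report_type: Optional[str] = None
    myseq: Optional[int] = None      # sender's current sequence number
    yourseen: Optional[int] = None   # last sequence number the sender received
    other_ies: List[Tuple[int, bytes]] = field(default_factory=list)


def decode_lmi(frame: bytes) -> LmiFrame:
    if len(frame) < 6:
        raise ValueError("frame too short for an LMI message")
    # Q.922 address: DLCI high 6 bits in byte 0 (>> 2), low 4 bits in byte 1 (>> 4).
    dlci = ((frame[0] >> 2) << 4) | (frame[1] >> 4)
    if frame[2] != 0x03:
        raise ValueError("control field is not UI (0x03)")
    pd = frame[3]
    # frame[4] is the dummy call reference; frame[5] is the message type.
    msg = MESSAGE_TYPES.get(frame[5], f"0x{frame[5]:02x}")
    out = LmiFrame(dlci, pd, "unknown", msg)

    saw_locking_shift = False
    i = 6
    while i < len(frame):
        ie = frame[i]
        if ie == 0x95:                # ANSI locking shift to codeset 5; no length byte
            saw_locking_shift = True
            i += 1
            continue
        if i + 1 >= len(frame):
            raise ValueError(f"truncated IE 0x{ie:02x} at offset {i}")
        length = frame[i + 1]
        body = frame[i + 2:i + 2 + length]
        if len(body) != length:
            raise ValueError(f"IE 0x{ie:02x} claims {length} bytes, only {len(body)} present")
        if ie in (0x01, 0x51) and length == 1:      # report type (codeset 5 / Annex A id)
            out.report_type = REPORT_TYPES.get(body[0], f"type {body[0]}")
        elif ie in (0x03, 0x53) and length == 2:    # keepalive / link integrity sequence
            out.myseq, out.yourseen = body[0], body[1]
        else:                                       # PVC status and anything else: keep raw
            out.other_ies.append((ie, bytes(body)))
        i += 2 + length

    if dlci == 1023 and pd == 0x09:
        out.lmi_type = "cisco"
    elif dlci == 0 and pd == 0x08:
        out.lmi_type = "ansi" if saw_locking_shift else "q933a"
    return out


def lmi_mismatch(configured: str, frame: bytes) -> bool:
    """True when a frame seen on the wire is not the LMI dialect this DTE is
    configured for: the situation the lab creates with lmi-type ansi, after
    which the keepalive exchange stops and the line protocol goes down."""
    return decode_lmi(frame).lmi_type != configured


if __name__ == "__main__":
    for name, raw in (("ANSI", ANSI_STENQ), ("Cisco", CISCO_STENQ)):
        print(name, decode_lmi(raw))
```

To apply it to your own debug output, join the "FR encap" word and the hex dump line into one byte string, as the two constants do; the keepalive numbers the decoder returns should match the myseq/yourseen values IOS prints on the StEnq line.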
R1:

R1#show frame-relay pvc

PVC Statistics for interface Serial0/0/1 (Frame Relay DTE)

            Local   Switched   Unused
  Active      2        0         0
  Inactive    0        0         0
  Deleted     0        0         0
  Static      0        0         0

DLCI = 102, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0/0/1

  input pkts 319            output pkts 279          in bytes 20665
  out bytes 16665           dropped pkts 0           in pkts dropped 0
  out pkts dropped 0                out bytes dropped 0
  in FECN pkts 0            in BECN pkts 0           out FECN pkts 0
  out BECN pkts 0           in DE pkts 0             out DE pkts 0
  out bcast pkts 193        out bcast bytes 12352
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
  pvc create time 04:43:35, last time pvc status changed 01:16:05

DLCI = 112, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0/0/1.112

  input pkts 15             output pkts 211          in bytes 2600
  out bytes 17624           dropped pkts 0           in pkts dropped 0
  out pkts dropped 0                out bytes dropped 0
  in FECN pkts 0            in BECN pkts 0           out FECN pkts 0
  out BECN pkts 0           in DE pkts 0             out DE pkts 0
  out bcast pkts 200        out bcast bytes 16520
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
  pvc create time 00:19:16, last time pvc status changed 00:18:56

R2:

R2#show frame-relay pvc

PVC Statistics for interface Serial0/0/1 (Frame Relay DTE)

            Local   Switched   Unused
  Active      2        0         0
  Inactive    0        0         0
  Deleted     0        0         0
  Static      0        0         0

DLCI = 201, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0/0/1

  input pkts 331            output pkts 374          in bytes 19928
  out bytes 24098           dropped pkts 0           in pkts dropped 0
  out pkts dropped 0                out bytes dropped 0
  in FECN pkts 0            in BECN pkts 0           out FECN pkts 0
  out BECN pkts 0           in DE pkts 0             out DE pkts 0
  out bcast pkts 331        out bcast bytes 21184
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
  pvc create time 05:22:55, last time pvc status changed 01:16:36
DLCI = 212, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0/0/1.212

  input pkts 217            output pkts 16           in bytes 18008
  out bytes 2912            dropped pkts 0           in pkts dropped 0
  out pkts dropped 0                out bytes dropped 0
  in FECN pkts 0            in BECN pkts 0           out FECN pkts 0
  out BECN pkts 0           in DE pkts 0             out DE pkts 0
  out bcast pkts 6          out bcast bytes 1872
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
  pvc create time 00:19:37, last time pvc status changed 00:18:57

FR Switch:

FR-Switch#show frame-relay pvc

PVC Statistics for interface Serial0/0/0 (Frame Relay DCE)

            Local   Switched   Unused
  Active      0        2         0
  Inactive    0        0         0
  Deleted     0        0         0
  Static      0        0         0

DLCI = 102, DLCI USAGE = SWITCHED, PVC STATUS = ACTIVE, INTERFACE = Serial0/0/0

  input pkts 335            output pkts 376          in bytes 20184
  out bytes 24226           dropped pkts 2           in pkts dropped 2
  out pkts dropped 0                out bytes dropped 0
  in FECN pkts 0            in BECN pkts 0           out FECN pkts 0
  out BECN pkts 0           in DE pkts 0             out DE pkts 0
  out bcast pkts 0          out bcast bytes 0
  30 second input rate 0 bits/sec, 0 packets/sec
  30 second output rate 0 bits/sec, 0 packets/sec
  switched pkts 333
  Detailed packet drop counters:
  no out intf 0             out intf down 0          no out PVC 0
  in PVC down 0             out PVC down 2           pkt too big 0
  shaping Q full 0          pkt above DE 0           policing drop 0
  pvc create time 05:23:43, last time pvc status changed 01:18:32

DLCI = 112, DLCI USAGE = SWITCHED, PVC STATUS = ACTIVE, INTERFACE = Serial0/0/0

  input pkts 242            output pkts 18           in bytes 20104
  out bytes 3536            dropped pkts 0           in pkts dropped 0
  out pkts dropped 0                out bytes dropped 0
  in FECN pkts 0            in BECN pkts 0           out FECN pkts 0
  out BECN pkts 0           in DE pkts 0             out DE pkts 0
  out bcast pkts 0          out bcast bytes 0
  30 second input rate 0 bits/sec, 0 packets/sec
  30 second output rate 0 bits/sec, 0 packets/sec
  switched pkts 242
  Detailed packet drop counters:
  no out intf 0             out intf down 0          no out PVC 0
  in PVC down 0             out PVC down 0           pkt too big 0
  shaping Q full 0          pkt above DE 0           policing drop 0
  pvc create time 00:21:41, last time pvc status changed 00:21:22

PVC Statistics for interface Serial0/0/1 (Frame Relay DCE)

            Local   Switched   Unused
  Active      0        2         0
  Inactive    0        0         0
  Deleted     0        0         0
  Static      0        0         0

DLCI = 201, DLCI USAGE = SWITCHED, PVC STATUS = ACTIVE, INTERFACE = Serial0/0/1

  input pkts 376            output pkts 333          in bytes 24226
  out bytes 20056           dropped pkts 0           in pkts dropped 0
  out pkts dropped 0                out bytes dropped 0
  in FECN pkts 0            in BECN pkts 0           out FECN pkts 0
  out BECN pkts 0           in DE pkts 0             out DE pkts 0
  out bcast pkts 0          out bcast bytes 0
  30 second input rate 0 bits/sec, 0 packets/sec
  30 second output rate 0 bits/sec, 0 packets/sec
  switched pkts 376
  Detailed packet drop counters:
  no out intf 0             out intf down 0          no out PVC 0
  in PVC down 0             out PVC down 0           pkt too big 0
  shaping Q full 0          pkt above DE 0           policing drop 0
  pvc create time 05:23:14, last time pvc status changed 01:39:39

DLCI = 212, DLCI USAGE = SWITCHED, PVC STATUS = ACTIVE, INTERFACE = Serial0/0/1

  input pkts 18             output pkts 243          in bytes 3536
  out bytes 20168           dropped pkts 0           in pkts dropped 0
  out pkts dropped 0                out bytes dropped 0
  in FECN pkts 0            in BECN pkts 0           out FECN pkts 0
  out BECN pkts 0           in DE pkts 0             out DE pkts 0
  out bcast pkts 0          out bcast bytes 0
  30 second input rate 0 bits/sec, 0 packets/sec
  30 second output rate 0 bits/sec, 0 packets/sec
  switched pkts 18
  Detailed packet drop counters:
  no out intf 0             out intf down 0          no out PVC 0
  in PVC down 0             out PVC down 0           pkt too big 0
  shaping Q full 0          pkt above DE 0           policing drop 0
  pvc create time 00:21:36, last time pvc status changed 00:21:20

R1:

R1#show frame-relay map
Serial0/0/1 (up): ip 10.1.1.2 dlci 102(0x66,0x1860), static,
              broadcast,
              CISCO, status defined, active
Serial0/0/1.112 (up): point-to-point dlci, dlci 112(0x70,0x1C00), broadcast
          status defined, active
R2:

R2#show frame-relay map
Serial0/0/1 (up): ip 10.1.1.1 dlci 201(0xC9,0x3090), static,
              broadcast,
              CISCO, status defined, active
Serial0/0/1.212 (up): point-to-point dlci, dlci 212(0xD4,0x3440), broadcast
          status defined, active

FR Switch:

FR-Switch#show frame-relay route
Input Intf      Input Dlci      Output Intf     Output Dlci     Status
Serial0/0/0     102             Serial0/0/1     201             active
Serial0/0/0     112             Serial0/0/1     212             active
Serial0/0/1     201             Serial0/0/0     102             active
Serial0/0/1     212             Serial0/0/0     112             active
Now debug the Frame Relay LMI.

R1#debug frame-relay lmi
*Aug 25 05:58:50.902: Serial0/0/1(out): StEnq, myseq 136, yourseen 135, DTE up
*Aug 25 05:58:50.902: datagramstart = 0xE7000354, datagramsize = 13
*Aug 25 05:58:50.902: FR encap = 0xFCF10309
*Aug 25 05:58:50.902: 00 75 01 01 00 03 02 88 87
*Aug 25 05:58:50.902:
*Aug 25 05:58:50.906: Serial0/0/1(in): Status, myseq 136, pak size 29
*Aug 25 05:58:50.906: RT IE 1, length 1, type 0
*Aug 25 05:58:50.906: KA IE 3, length 2, yourseq 136, myseq 136
*Aug 25 05:58:50.906: PVC IE 0x7 , length 0x6 , dlci 102, status 0x2 , bw 0
*Aug 25 05:58:50.906: PVC IE 0x7 , length 0x6 , dlci 112, status 0x2 , bw 0
Notice that two DLCIs are listed in the LMI message from FR Switch to R1.

R2#debug frame-relay lmi
*Aug 25 06:08:35.774: Serial0/0/1(out): StEnq, myseq 7, yourseen 4, DTE up
*Aug 25 06:08:35.774: datagramstart = 0xE73F28B4, datagramsize = 13
*Aug 25 06:08:35.774: FR encap = 0xFCF10309
*Aug 25 06:08:35.774: 00 75 01 01 00 03 02 07 04
*Aug 25 06:08:35.774:
*Aug 25 06:08:35.778: Serial0/0/1(in): Status, myseq 7, pak size 29
*Aug 25 06:08:35.778: RT IE 1, length 1, type 0
*Aug 25 06:08:35.778: KA IE 3, length 2, yourseq 5 , myseq 7
*Aug 25 06:08:35.778: PVC IE 0x7 , length 0x6 , dlci 201, status 0x2 , bw 0
*Aug 25 06:08:35.778: PVC IE 0x7 , length 0x6 , dlci 212, status 0x2 , bw 0
Final configurations

R1#show run
<output omitted>
!
hostname R1
enable secret class
no ip domain lookup
!
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 no shutdown
!
interface Serial0/0/1
 ip address 10.1.1.1 255.255.255.252
 encapsulation frame-relay
 frame-relay map ip 10.1.1.2 102 broadcast
 no frame-relay inverse-arp
 no shutdown
!
interface Serial0/0/1.112 point-to-point
 ip address 10.1.1.5 255.255.255.252
 frame-relay interface-dlci 112
!
router eigrp 1
 network 10.0.0.0
 network 192.168.10.0
 no auto-summary
!
banner motd ^CUnauthorized access prohibited, violators will be prosecuted to the full extent of the law.^C
!
line con 0
 password cisco
 logging synchronous
 login
line aux 0
line vty 0 4
 login
 password cisco
!
end

R2#show run
<output omitted>
!
hostname R2
!
enable secret class
!
no ip domain lookup
!
interface Loopback0
 ip address 209.165.200.225 255.255.255.224
!
interface Serial0/0/1
 ip address 10.1.1.2 255.255.255.252
 encapsulation frame-relay
 frame-relay map ip 10.1.1.1 201 broadcast
 no frame-relay inverse-arp
 frame-relay lmi-type cisco
 no shutdown
!
interface Serial0/0/1.212 point-to-point
 ip address 10.1.1.6 255.255.255.252
 frame-relay interface-dlci 212
!
router eigrp 1
 network 10.0.0.0
 network 209.165.200.0
 no auto-summary
!
line con 0
 password cisco
 logging synchronous
 login
line aux 0
line vty 0 4
 password cisco
 login
!
end

FR-Switch#show run
<output omitted>
!
hostname FR-Switch
!
enable secret class
!
no ip domain lookup
frame-relay switching
!
interface Serial0/0/0
 no ip address
 encapsulation frame-relay
 clockrate 64000
 frame-relay intf-type dce
 frame-relay route 102 interface Serial0/0/1 201
 frame-relay route 112 interface Serial0/0/1 212
 no shutdown
!
interface Serial0/0/1
 no ip address
 encapsulation frame-relay
 clock rate 64000
 frame-relay intf-type dce
 frame-relay route 201 interface Serial0/0/0 102
 frame-relay route 212 interface Serial0/0/0 112
 no shutdown
!
line con 0
 password cisco
 login
line aux 0
line vty 0 4
 password cisco
 login
!
end
Addressing table

Device   Interface   IP address     Subnet mask       Default gateway
R1       Fa0/1       172.16.1.254   255.255.255.0     N/A
R1       S0/0/0      10.1.2.1       255.255.255.252   N/A
R2       Fa0/1       172.16.2.254   255.255.255.0     N/A
R2       S0/0/1      10.1.2.2       255.255.255.252   N/A
PC1      NIC         172.16.1.1     255.255.255.0     172.16.1.254
PC3      NIC         172.16.2.1     255.255.255.0     172.16.2.254
Learning objectives

After completing this lab, you will be able to:
- Cable a network according to the topology diagram.
- Erase the startup configuration and reload a router to the default state.
- Perform basic configuration tasks on a router.
- Configure and activate interfaces.
- Configure EIGRP routing on all routers.
- Configure Frame Relay encapsulation on all serial interfaces.
- Configure a Frame Relay PVC.
- Intentionally break and restore a Frame Relay PVC.
- Configure Frame Relay subinterfaces.
- Intentionally break and restore the PVC.

Scenario

In this lab, you configure Frame Relay using the network shown in the topology diagram. If you need assistance, refer to the Basic Frame Relay lab. However, try to do as much as you can on your own.
Addressing table

Device   Interface   IP address       Subnet mask       Default gateway
R1       Lo0         172.18.11.254    255.255.255.0     N/A
R1       S0/0/0      172.18.221.1     255.255.255.252   N/A
R2       Lo0         172.18.111.254   255.255.255.0     N/A
R2       S0/0/1      172.18.221.2     255.255.255.252   N/A

Learning objectives

Practice Frame Relay troubleshooting skills.
Scenario

In this lab, you practice troubleshooting a misconfigured Frame Relay environment. Load, or have your instructor load, the configurations below onto your routers. Locate and repair all errors in the configurations and establish end-to-end connectivity. Your final configuration should match the topology diagram and the addressing table. All passwords are set to cisco, except the enable secret password, which is set to class.
!
router eigrp 1
 network 172.18.221.0
 network 172.18.11.0
 no auto-summary
!
line con 0
 password cisco
 logging synchronous
line aux 0
line vty 0 4
 password cisco
 login
!
end

Router 2

!
hostname R2
!
enable secret class
!
no ip domain lookup
!
interface Loopback0
 ip address 172.18.111.254 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
 no fair-queue
!
interface Serial0/0/1
 ip address 172.18.221.2 255.255.255.252
 encapsulation frame-relay
 frame-relay map ip 172.18.221.1 181
 no frame-relay inverse-arp
 frame-relay lmi-type ansi
!
router eigrp 1
 network 172.18.221.0
 network 172.18.111.0
 no auto-summary
!
line con 0
 password cisco
 logging synchronous
line aux 0
line vty 0 4
 login
!
end

FR-Switch

!
hostname FR-Switch
!
enable secret class
!
no ip domain lookup
frame-relay switching
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 encapsulation frame-relay
 no fair-queue
 clockrate 125000
 frame-relay intf-type dce
 frame-relay route 182 interface Serial0/0/1 181
 no shutdown
!
interface Serial0/0/1
 no ip address
 clockrate 125000
 encapsulation frame-relay
 frame-relay intf-type dce
 no shutdown
!
!
line con 0
 password cisco
 logging synchronous
line aux 0
line vty 0 4
 password cisco
 login
!
end

Task 2: Troubleshoot the Frame Relay connection between R1 and R2.

Task 3: Document the router configurations

On each router, issue the show run command and capture the configurations.

Task 4: Clean up

Erase the configurations and reload the routers. Disconnect and store the cabling. For PC hosts that are normally connected to other networks (such as the school LAN or the Internet), reconnect the appropriate cabling and restore the TCP/IP settings.
Addressing table

Device   Interface   IP address        Subnet mask       Default gateway
R1       Fa0/1       192.168.10.1      255.255.255.0     N/A
R1       S0/0/0      10.1.1.1          255.255.255.252   N/A
R2       Fa0/1       192.168.20.1      255.255.255.0     N/A
R2       S0/0/0      10.1.1.2          255.255.255.252   N/A
R2       S0/0/1      10.2.2.1          255.255.255.252   N/A
R2       Lo0         209.165.200.225   255.255.255.224   N/A
R3       Fa0/1       192.168.30.1      255.255.255.0     N/A
R3       S0/0/1      10.2.2.2          255.255.255.252   N/A
S1       VLAN10      192.168.10.2      255.255.255.0     N/A
S3       VLAN20      192.168.30.2      255.255.255.0     N/A
Learning objectives

After completing this lab, you will be able to:
- Cable a network according to the topology diagram.
- Erase the startup configuration and reload a router to the default state.
- Perform basic configuration tasks on a router.
- Configure basic router security.
- Disable unused Cisco services and interfaces.
- Protect enterprise networks from basic external and internal attacks.
- Understand and manage Cisco IOS configuration files and the Cisco file system.
- Configure and use Cisco SDM (Security Device Manager) and SDM Express to configure basic router security.
- Configure VLANs on the switches.

Scenario

In this lab, you learn to configure basic network security using the network shown in the topology diagram. You learn how to configure router security in three different ways: using the CLI, the auto-secure feature, and Cisco SDM. You also learn how to manage Cisco IOS software.
Create a loopback interface on R2 to simulate the connection to the Internet. Configure a TFTP server on PC2. If you need to download TFTP server software, one option is: http://tftpd32.jounin.net/

Step 2: Configure the Ethernet interfaces.

Configure the Ethernet interfaces of PC1, PC3 and the TFTP server with the IP addresses and default gateways from the addressing table at the beginning of the lab.

Step 3: Test the PC configuration by pinging the default gateway from each PC and from the TFTP server.
R1(config-lin)#line vty 0 4
R1(config-lin)#login authentication LOCAL_AUTH

What do you notice that is not secure about the following section of the running configuration?

R1#show run
<output omitted>
!
enable secret 5 $1$.DB7$DunHvguQH0EvLqzQCqzfr1
!
aaa new-model
!
aaa authentication login LOCAL_AUTH local
!
username ccna password 0 ciscoccna
!
<output omitted>
!
banner motd ^CUnauthorized access strictly prohibited, violators will be prosecuted to the full extent of the law^C
!
line con 0
 login authentication LOCAL_AUTH
line aux 0
line vty 0 4
 login authentication LOCAL_AUTH
!

__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________

To apply simple encryption to the passwords, enter the following command in global configuration mode:

R1(config)#service password-encryption

Verify this with the show run command.

R1#show run
service password-encryption
!
enable secret 5 $1$.DB7$DunHvguQH0EvLqzQCqzfr1
!
aaa new-model
!
aaa authentication login LOCAL_AUTH local
!
username ccna password 7 0822455D0A1606141C0A
<output omitted>
!
banner motd ^CUnauthorized access strictly prohibited, violators will be prosecuted to the full extent of the law^C
!
line con 0
 login authentication LOCAL_AUTH
line aux 0
line vty 0 4
 login authentication LOCAL_AUTH
!

Step 2: Secure the console and VTY lines.

The router can log out an idle line after a set period. If a network engineer has logged in to a network device and is suddenly called away, this command automatically logs the user out after the specified period. The following commands cause the line to log out after 5 minutes.

R1(config)#line console 0
R1(config-lin)#exec-timeout 5 0
R1(config-lin)#line vty 0 4
R1(config-lin)#exec-timeout 5 0

The following command prevents brute-force login attempts. The router blocks login attempts for 5 minutes if two login attempts fail within 2 minutes. It is set deliberately low for this lab. An additional measure is to log every time this happens.

R1(config)#login block-for 300 attempt 2 within 120
R1(config)#security authentication failure rate 2 log

To verify this, try to telnet from R2 to R1 with an incorrect username and password.

On R2:

R2#telnet 10.1.1.1
Trying 10.1.1.1 ... Open
Unauthorized access strictly prohibited, violators will be prosecuted to the full extent of the law

User Access Verification

Username: cisco
Password:
% Authentication Failed

User Access Verification

Username: cisco
Password:
% Authentication Failed

[Connection to 10.1.1.1 closed by foreign host]
R2#telnet 10.1.1.1
Trying 10.1.1.1 ...
% Connection refused by remote host
On R1:

*Sep 10 12:40:11.211: %SEC_LOGIN-5-QUIET_MODE_OFF: Quiet Mode is OFF, because block period timed out at 12:40:11 UTC Mon Sep 10 2007
R3(config-keychain)#key 1
R3(config-keychain-key)#key-string cisco

To use the key, every interface that participates in RIP updates must be configured. These are the same interfaces that were enabled earlier with the no passive-interface command.

R1

R1(config)#int s0/0/0
R1(config-if)#ip rip authentication mode md5
R1(config-if)#ip rip authentication key-chain RIP_KEY

At this point, R1 stops receiving RIP updates from R2, because R2 has not yet been configured to use a key for routing updates. You can see this on R1 with the show ip route command by confirming that no routes from R2 appear in the routing table. Clear the IP routes with clear ip route * or wait for the routes to time out.

R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 1 subnets, 1 masks
C       10.1.1.0/24 is directly connected, Serial0/0/0
C    192.168.10.0 is directly connected, Serial0/0/0

Configure R2 and R3 to use routing authentication. Remember that every active interface must be configured.

R2

R2(config)#int s0/0/0
R2(config-if)#ip rip authentication mode md5
R2(config-if)#ip rip authentication key-chain RIP_KEY
R2(config)#int s0/0/1
R2(config-if)#ip rip authentication mode md5
R2(config-if)#ip rip authentication key-chain RIP_KEY

R3

R3(config)#int s0/0/1
R3(config-if)#ip rip authentication mode md5
R3(config-if)#ip rip authentication key-chain RIP_KEY

Step 3: Verify that RIP routing still works.

After all three routers have been configured to use routing authentication, the routing tables should repopulate with all RIP routes. R1 should now have all routes via RIP. Confirm this with the show ip route command.

R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

R    192.168.30.0/24 [120/2] via 10.1.1.2, 00:00:16, Serial0/0/0
C    192.168.10.0/24 is directly connected, FastEthernet0/1
R    192.168.20.0/24 [120/1] via 10.1.1.2, 00:00:13, Serial0/0/0
     10.0.0.0/8 is variably subnetted, 2 subnets, 1 masks
R       10.2.2.0/24 [120/1] via 10.1.0.2, 00:00:16, Serial0/0/0
C       10.1.1.0/24 is directly connected, Serial0/0/0
Task 5: Logging Activity with Simple Network Management Protocol (SNMP)

Step 1: Configure SNMP logging to the syslog server.

SNMP logging can be useful for monitoring network activity. The captured information can be sent to a syslog server on the network, where it can be analyzed and archived. You should be careful when configuring logging (syslog) on the router. When choosing the designated logging host, remember that the logging host should be connected to a trusted or protected network, or to an isolated and dedicated router interface.

In this lab, you configure PC1 as the syslog server for R1. Use the logging command to choose the IP address of the device to which SNMP messages are sent. In this example, the IP address of PC1 is used.

R1(config)#logging 192.168.10.10

Note: PC1 must have syslog software installed and running if you want to view the syslog messages.

In the next step you set the severity level of the messages to be sent to the syslog server.

Step 2: Configure the SNMP severity level.

The level of SNMP messages can be adjusted to let the administrator determine which kinds of messages are sent to the syslog device. Routers support different levels of logging. The eight levels range from 0 (emergencies), indicating that the system is unstable, to 7 (debugging), which sends messages that include router information. To configure the severity levels, you use the keyword associated with the level, as shown in the table.

Severity level   Keyword         Description
0                emergencies     System unusable
1                alerts          Immediate action required
2                critical        Critical conditions
3                errors          Error conditions
4                warnings        Warning conditions
5                notifications   Normal but significant condition
6                informational
7                debugging

The logging trap command sets the severity level. The severity level includes the specified level and everything below it (in severity). Set R1 to level 4 to capture messages with severity levels 4, 3, 2 and 1.

R1(config)#logging trap warnings

What is the danger of setting the severity level too high or too low?
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________

Note: if you have syslog software installed on PC1, generate messages and look for them in the syslog software.
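The effect of the trap level on the messages this lab has already produced, as an added example (not code from the Cisco lab). IOS carries the severity of each message in its %FACILITY-SEVERITY-MNEMONIC tag; the filter below forwards that severity and everything numerically lower, which is what the text describes. The first three sample lines are taken from this lab's own output; the last two are constructed in the same format (the %SEC_LOGIN-4 and %SEC_LOGIN-1 tags are standard IOS login-security messages, their body text here is invented). With logging trap warnings, the three level-5 events (the flapping EIGRP adjacency, the line-protocol drop and the end of the login quiet period) never reach the collector, while the start of the lockout does: that asymmetry is the concrete form of the "too high" half of the question above.

```python
"""Apply an IOS `logging trap <keyword>` filter to sample router messages.

Added example; not code from the Cisco lab. IOS puts the severity of every
message in its %FACILITY-SEVERITY-MNEMONIC tag, and `logging trap` forwards
that severity and everything more severe (numerically lower) to the syslog
host. The first three sample lines come from this lab's output; the last two
are constructed in the same format to show lower-numbered levels.
"""
import re
from typing import List, Optional, Tuple

SEVERITY_KEYWORDS = {  # the table on this page
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

SAMPLE_LOG = [
    # from this lab
    "*Sep 9 17:51:02.887: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.1.2 (Serial0/0/1) is down: retry limit exceeded",
    "*Sep 9 18:41:08.351: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to down",
    "*Sep 10 12:40:11.211: %SEC_LOGIN-5-QUIET_MODE_OFF: Quiet Mode is OFF, because block period timed out at 12:40:11 UTC Mon Sep 10 2007",
    # constructed (body text invented) to show a level-4 and a level-1 message
    "*Sep 10 12:35:09.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 10.1.1.2] [localport: 23] [Reason: Login Authentication Failed]",
    "*Sep 10 12:35:11.211: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: cisco] [Source: 10.1.1.2] [localport: 23]",
]

TAG_RE = re.compile(r"%([A-Z0-9_]+)-(\d)-([A-Z0-9_]+)")


def parse_tag(line: str) -> Optional[Tuple[str, int, str]]:
    """Return (facility, severity, mnemonic), or None for a line without a tag."""
    m = TAG_RE.search(line)
    if not m:
        return None
    return m.group(1), int(m.group(2)), m.group(3)


def forwarded(lines: List[str], trap_keyword: str) -> List[str]:
    """The lines a router configured with `logging trap <trap_keyword>` sends on."""
    limit = SEVERITY_KEYWORDS[trap_keyword]
    kept = []
    for line in lines:
        tag = parse_tag(line)
        if tag is not None and tag[1] <= limit:
            kept.append(line)
    return kept


def dropped_mnemonics(lines: List[str], trap_keyword: str) -> List[str]:
    """Mnemonics of tagged lines the trap level would keep off the syslog host."""
    sent = set(forwarded(lines, trap_keyword))
    return [parse_tag(l)[2] for l in lines if parse_tag(l) and l not in sent]


if __name__ == "__main__":
    for keyword in ("warnings", "notifications"):
        print(keyword, "forwards", len(forwarded(SAMPLE_LOG, keyword)), "of", len(SAMPLE_LOG))
        print("  dropped:", dropped_mnemonics(SAMPLE_LOG, keyword))
```

Raising the level to notifications makes the adjacency flaps visible to the collector; going all the way to debugging forwards every debug line as well, which on a busy link is the "too low" half of the question.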
Serial0/0/1        unassigned      YES unset
Step 2: Disable unused global services.
Many services are not needed on most modern networks. Leaving unused services enabled keeps ports open that can be used to compromise a network. Disable all of these services on R1.
R1(config)#no service pad
R1(config)#no service finger
R1(config)#no service udp-small-server
R1(config)#no service tcp-small-server
R1(config)#no ip bootp server
R1(config)#no ip http server
R1(config)#no ip finger
R1(config)#no ip source-route
R1(config)#no ip gratuitous-arps
R1(config)#no cdp run
Step 3: Disable unused interface services.
These commands are entered at the interface level and must be applied to every interface on R1.
R1(config-if)#no ip redirects
R1(config-if)#no ip proxy-arp
R1(config-if)#no ip unreachables
R1(config-if)#no ip directed-broadcast
R1(config-if)#no ip mask-reply
R1(config-if)#no mop enabled
Step 4: Use AutoSecure to secure a Cisco router.
With a single command in CLI mode, the AutoSecure feature lets you disable common IP services that can be exploited for network attacks and enable IP services and features that can help defend a network under attack. AutoSecure simplifies the security configuration of a router and hardens the router configuration. Using AutoSecure, you can apply the same security features you have just applied (except the RIP protection) to a router much more quickly. Since you have already secured R1, use the auto secure command on R3.
R3#auto secure
--- AutoSecure Configuration ---
*** AutoSecure configuration enhances the security of the router, but it will not make it absolutely resistant to all security attacks ***
AutoSecure will modify the configuration of your device. All configuration changes will be shown. For a detailed explanation of how the configuration changes enhance security and any possible side effects, please refer to Cisco.com for Autosecure documentation.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.
Gathering information about the router for AutoSecure
Is this router connected to internet? [no]: yes
Enter the number of interfaces facing the internet [1]: 1

Interface          IP-Address      OK? Method Status   Protocol
FastEthernet0/0    unassigned      YES unset  down     down
FastEthernet0/1    192.168.30.1    YES manual up       up
Serial0/0/0        unassigned      YES manual down     down
Serial0/0/1        10.2.2.2        YES manual up       up

Enter the interface name that is facing the internet: Serial0/0/1

Securing Management plane services...
Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol
Disabling the bootp server
Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp
Enable secret is either not configured or
Is the same as enable password
Enter the new enable password: ciscoccna
Confirm the enable password: ciscoccna
Enter the new enable password: ccnacisco
Confirm the enable password: ccnacisco
Configuration of local user database
Enter the username: ccna
Enter the password: ciscoccna
Confirm the password: ciscoccna
Configuring AAA local authentication
Configuring Console, Aux and VTY lines for local authentication, exec-timeout, and transport
Securing device against Login Attacks
Configure the following parameters
Blocking Period when Login Attack detected: 300
Maximum Login failures with the device: 5
Maximum time period for crossing the failed login attempts: 120
Configure SSH server? Yes
Enter domain-name: cisco.com
Configuring interface specific AutoSecure services
Disabling the following ip services on all interfaces:
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
Disabling mop on Ethernet interfaces
Securing Forwarding plane services...
Enabling CEF (This might impact the memory requirements for your platform)
Enabling unicast rpf on all interfaces connected to internet
Configure CBAC firewall feature: no
Tcp intercept feature is used prevent tcp syn attack
On the servers in the network. Create autosec_tcp_intercept_list
To form the list of servers to which the tcp traffic is to be observed
Enable TCP intercept feature: yes
This is the configuration generated:
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
no ip identd
security passwords min-length 6
security authentication failure rate 10 log
enable password 7 070C285F4D061A061913
username ccna password 7 045802150C2E4F4D0718
aaa new-model
aaa authentication login local_auth local
line con 0
 login authentication local_auth
 exec-timeout 5 0
 transport output telnet
line aux 0
 login authentication local_auth
 exec-timeout 10 0
 transport output telnet
line vty 0 4
 login authentication local_auth
 transport input telnet
line tty 1
 login authentication local_auth
 exec-timeout 15 0
line tty 192
 login authentication local_auth
 exec-timeout 15 0
login block-for 300 attempts 5 within 120
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
logging facility local2
logging trap debugging
service sequence-numbers
logging console critical
logging buffered
interface FastEthernet0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
interface FastEthernet0/1
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
interface Serial0/0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
interface Serial0/0/1
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
interface Serial0/1/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
interface Serial0/1/1
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
ip cef
access-list 100 permit udp any any eq bootpc
interface Serial0/0/1
 ip verify unicast source reachable-via rx allow-default 100
ip tcp intercept list autosec_tcp_intercept_list
ip tcp intercept drop-mode random
ip tcp intercept watch-timeout 15
ip tcp intercept connection-timeout 3600
ip tcp intercept max-incomplete low 450
ip tcp intercept max-incomplete high 550
!
end
Apply this configuration to running-config? [yes]:yes
The name for the keys will be: R3.cisco.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
R3#
000045: *Nov 16 15:39:10.991 UTC: %AUTOSEC-1-MODIFIED: AutoSecure configuration has been Modified on this device
As you can see, the AutoSecure feature is much faster than line-by-line configuration. However, there are advantages to doing it manually, as you will see in the troubleshooting lab. When using AutoSecure, you may disable a service that you need. Before using AutoSecure, always be careful and think about which services are required.
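The checks from the logging step and from Steps 2 to 4 can be applied to a saved running-config. The following Python script is an added example and not part of the Cisco lab: its sample configuration is constructed (it mirrors the R3 AutoSecure output above), and the service keywords are the ones the lab itself uses.

```python
"""Audit an IOS running-config against this lab's hardening steps.
Added example, not Cisco's code; the sample config below is constructed.
"""
import re

# Global services the lab disables with "no ..." in Step 2 (the running-config
# shows the full keyword udp-small-servers even when typed abbreviated).
GLOBAL_SERVICES = ["service pad", "service finger", "service udp-small-servers",
                   "service tcp-small-servers", "ip bootp server", "ip http server",
                   "ip finger", "ip source-route", "ip gratuitous-arps", "cdp run"]

# Interface-level services the lab disables on every interface in Step 3.
INTERFACE_SERVICES = ["ip redirects", "ip proxy-arp", "ip unreachables",
                      "ip directed-broadcast", "ip mask-reply", "mop enabled"]

# Syslog severity keywords indexed by level, as in the lab's table.
SEVERITY = ["emergencies", "alerts", "critical", "errors",
            "warnings", "notifications", "informational", "debugging"]
TARGET_TRAP_LEVEL = SEVERITY.index("warnings")  # the lab sets "logging trap warnings"

# Constructed sample: R3 after AutoSecure, one serial interface only partly hardened.
SAMPLE_CONFIG = """\
no service pad
no service finger
no service udp-small-servers
no service tcp-small-servers
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
no cdp run
!
logging 192.168.10.10
logging trap debugging
!
interface FastEthernet0/1
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
!
interface Serial0/0/1
 no ip redirects
 no ip unreachables
 no ip proxy-arp
"""


def split_sections(config):
    """Return (global_lines, {interface: [sub-lines]}) from running-config text."""
    global_lines, interfaces, current = [], {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            current = None  # a "!" separator closes the current interface block
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())  # indented: part of the block
        else:
            current = None
            global_lines.append(line.rstrip())
    return global_lines, interfaces


def trap_level(global_lines):
    """Level from 'logging trap <keyword|0-7>', or None when not configured."""
    for line in global_lines:
        m = re.match(r"logging trap (\S+)$", line)
        if m:
            word = m.group(1)
            return int(word) if word.isdigit() else SEVERITY.index(word)
    return None


def audit(config):
    """List gaps between the config and the lab's Step 2/3 and logging settings."""
    global_lines, interfaces = split_sections(config)
    findings = []
    for svc in GLOBAL_SERVICES:  # defaults vary by IOS release: require the explicit "no"
        if "no " + svc not in global_lines:
            findings.append(f"global: '{svc}' not explicitly disabled")
    for name, lines in interfaces.items():
        for svc in INTERFACE_SERVICES:
            if svc == "mop enabled" and "ethernet" not in name.lower():
                continue  # MOP exists only on Ethernet interfaces; AutoSecure skips it too
            if "no " + svc not in lines:
                findings.append(f"{name}: '{svc}' not explicitly disabled")
    if not any(re.match(r"logging \d+\.\d+\.\d+\.\d+$", l) for l in global_lines):
        findings.append("logging: no syslog host configured")
    level = trap_level(global_lines)
    if level is None:
        findings.append("logging trap: not configured")
    elif level > TARGET_TRAP_LEVEL:
        findings.append(f"logging trap: {SEVERITY[level]} ({level}) is noisier than the lab's warnings (4)")
    return findings
```

Running audit(SAMPLE_CONFIG) reports the two services missing on Serial0/0/1 and the debugging trap level that AutoSecure leaves behind; paste the output of show running-config into SAMPLE_CONFIG to audit a real router.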
8679424 bytes available (23252992 bytes used)
Just by looking at this list, we can already determine the following:
- The image is for an 1841 router (c1841-ipbase-mz.124-1c.bin).
- The router is using the IP base image (c1841-ipbase-mz.124-1c.bin).
- The Cisco IOS version is 12.4(1c) (c1841-ipbase-mz.124-1c.bin).
- SDM is installed on the device (sdmconfig-18xx.cfg, sdm.tar).
You can use the dir all command to show all of the files on the router.
R1#dir all
Directory of archive:/
No files in directory
No space information available
Directory of system:/
    3  dr-x           0
    1  -rw-         979
    2  dr-x           0
No space information available
Directory of nvram:/
  189  -rw-         979                    <no date>  startup-config
  190  ----           5                    <no date>  private-config
  191  -rw-         979                    <no date>  underlying-config
    1  -rw-           0                    <no date>  ifIndex-table
196600 bytes total (194540 bytes free)
Directory of flash:/
    1  -rw-    13937472   May 05 2007 20:08:50 +00:00  c1841-ipbase-mz.124-1c.bin
    2  -rw-        1821   May 05 2007 20:25:00 +00:00  sdmconfig-18xx.cfg
    3  -rw-     4734464   May 05 2007 20:25:38 +00:00  sdm.tar
    4  -rw-      833024   May 05 2007 20:26:02 +00:00  es.tar
    5  -rw-     1052160   May 05 2007 20:26:30 +00:00  common.tar
    6  -rw-        1038   May 05 2007 20:26:56 +00:00  home.shtml
    7  -rw-      102400   May 05 2007 20:27:20 +00:00  home.tar
    8  -rw-      491213   May 05 2007 20:27:50 +00:00  128MB.sdf
    9  -rw-      398305   May 05 2007 20:29:08 +00:00  sslclient-win-1.1.0.154.pkg
   10  -rw-     1684577   May 05 2007 20:28:32 +00:00  securedesktop-ios-3.1.1.27-k9.pkg
31932416 bytes total (8679424 bytes free)
Step 2: Transfer files with TFTP.
TFTP is used when archiving and upgrading the Cisco IOS software on a device. In this lab, however, we do not use real Cisco IOS files, because any mistake made while typing the commands could delete the Cisco IOS image from the device. At the end of this section there is an example of what a TFTP transfer of Cisco IOS should look like.
Why is it important to have an up-to-date version of the Cisco IOS software?
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
During file transfers via TFTP, it is important to make sure that the TFTP server and the router can communicate. One way to test this is to ping between the devices. To begin the Cisco IOS software transfer, create a file on the TFTP server named test in the TFTP root folder. Each TFTP program differs in where files are stored. Consult the TFTP server's help file to determine the root folder. On R1, retrieve the file and save it to flash memory.
R1#copy tftp flash
Address or name of remote host []? 192.168.20.254 (IP address of the TFTP server)
Source filename []? test (name of the file created and saved on the TFTP server)
Destination filename [test]? test-server (an arbitrary name for the file when saved on the router)
Accessing tftp://192.168.20.254/test...
Loading test from 192.168.20.254 (via FastEthernet0/1): !
[OK - 1192 bytes]
1192 bytes copied in 0.424 secs (2811 bytes/sec)
Verify that the file exists in flash memory with the show flash command.
R1#show flash
-#- --length-- -----date/time------ path
1     13937472 May 05 2007 21:13:20 +00:00 c1841-ipbase-mz.124-1c.bin
2         1821 May 05 2007 21:29:36 +00:00 sdmconfig-18xx.cfg
3      4734464 May 05 2007 21:30:14 +00:00 sdm.tar
4       833024 May 05 2007 21:30:42 +00:00 es.tar
5      1052160 May 05 2007 21:31:10 +00:00 common.tar
6         1038 May 05 2007 21:31:36 +00:00 home.shtml
7       102400 May 05 2007 21:32:02 +00:00 home.tar
8       491213 May 05 2007 21:32:30 +00:00 128MB.sdf
9      1684577 May 05 2007 21:33:16 +00:00 securedesktop-ios-3.1.1.27-k9.pkg
10      398305 May 05 2007 21:33:50 +00:00 sslclient-win-1.1.0.154.pkg
11        1192 Sep 12 2007 07:38:18 +00:00 test-server
8675328 bytes available (23257088 bytes used)
Routers can also act as TFTP servers. This can be useful if there is a device that needs an image and you have one that is already running that image. We will make R2 a TFTP server for R1. Remember that these Cisco IOS images are specific to router platforms and memory requirements. Use caution when transferring a Cisco IOS image from one router to another. The command syntax is:
tftp-server nvram:[filename1 [alias filename2]]
The command below configures R2 as a TFTP server. R2 serves its startup configuration file to devices that request it via TFTP (we are using the startup configuration for simplicity and convenience). The alias keyword lets devices request the file using the alias test rather than the full filename.
R2(config)#tftp-server nvram:startup-config alias test
Now we can request the file from R2 using R1.
R1#copy tftp flash
Address or name of remote host []? 10.1.1.2
Source filename []? test
Destination filename []? test-router
Accessing tftp://10.1.1.2/test...
Loading test from 10.1.1.2 (via Serial0/0/0): !
[OK - 1192 bytes]
1192 bytes copied in 0.452 secs (2637 bytes/sec)
Again, verify that the test file was copied successfully with the show flash command.
R1#show flash
-#- --length-- -----date/time------ path
1     13937472 May 05 2007 21:13:20 +00:00 c1841-ipbase-mz.124-1c.bin
2         1821 May 05 2007 21:29:36 +00:00 sdmconfig-18xx.cfg
3      4734464 May 05 2007 21:30:14 +00:00 sdm.tar
4       833024 May 05 2007 21:30:42 +00:00 es.tar
5      1052160 May 05 2007 21:31:10 +00:00 common.tar
6         1038 May 05 2007 21:31:36 +00:00 home.shtml
7       102400 May 05 2007 21:32:02 +00:00 home.tar
8       491213 May 05 2007 21:32:30 +00:00 128MB.sdf
9      1684577 May 05 2007 21:33:16 +00:00 securedesktop-ios-3.1.1.27-k9.pkg
10      398305 May 05 2007 21:33:50 +00:00 sslclient-win-1.1.0.154.pkg
11        1192 Sep 12 2007 07:38:18 +00:00 test-server
12        1192 Sep 12 2007 07:51:04 +00:00 test-router
8671232 bytes available (23261184 bytes used)
Since you do not want unused files taking up valuable memory space, delete them from R1's flash memory now. Be very careful when doing this! Accidentally erasing flash means having to reinstall the router's entire IOS image. If the router prompts you with erase flash, something is very wrong. It is rare that you would want to erase all of flash. The only legitimate time this happens is when you are upgrading the IOS to a larger IOS image. If you see the erase flash prompt as in this example, STOP IMMEDIATELY. Do NOT press Enter. Ask your instructor for help IMMEDIATELY.
Erase flash: ?[confirm] no
R1#delete flash:test-server
Delete filename [test-server]?
Delete flash:test-server? [confirm]
R1#delete flash:test-router
Delete filename [test-router]?
Delete flash:test-router? [confirm]
Verify that the files were deleted by issuing the show flash command.
R1#show flash
-#- --length-- -----date/time------ path
1     13937472 May 05 2007 21:13:20 +00:00 c1841-ipbase-mz.124-1c.bin
2         1821 May 05 2007 21:29:36 +00:00 sdmconfig-18xx.cfg
3      4734464 May 05 2007 21:30:14 +00:00 sdm.tar
4       833024 May 05 2007 21:30:42 +00:00 es.tar
5      1052160 May 05 2007 21:31:10 +00:00 common.tar
6         1038 May 05 2007 21:31:36 +00:00 home.shtml
7       102400 May 05 2007 21:32:02 +00:00 home.tar
8       491213 May 05 2007 21:32:30 +00:00 128MB.sdf
9      1684577 May 05 2007 21:33:16 +00:00 securedesktop-ios-3.1.1.27-k9.pkg
10      398305 May 05 2007 21:33:50 +00:00 sslclient-win-1.1.0.154.pkg
8679424 bytes available (23252992 bytes used)
This is an example of a TFTP transfer of a Cisco IOS image file. Do NOT carry it out on the routers. Just read it.
R1#copy tftp flash
Address or name of remote host []? 10.1.1.2
Source filename []? c1841-ipbase-mz.124-1c.bin
Destination filename []? flash:c1841-ipbase-mz.124-1c.bin
Accessing tftp://10.1.1.2/c1841-ipbase-mz.124-1c.bin...
Loading c1841-ipbase-mz.124-1c.bin from 10.1.1.2 (via Serial0/0/0): !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
<command output omitted>
!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 13937472 bytes]
13937472 bytes copied in 1113.948 secs (12512 bytes/sec)
Step 3: Recover a password using ROMmon.
If for some reason you can no longer access a device because you do not know, have lost, or have forgotten a password, you can still gain access by changing the configuration register. The configuration register tells the router which configuration to load at boot. In the configuration register, you can instruct the router to boot from a blank configuration that is not protected by a password.
The first step in changing the configuration register is to display the current setting with the show version command. These steps are carried out on R3.
R3#show version
Cisco IOS Software, 1841 Software (C1841-IPBASE-M), Version 12.4(1c), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Tue 25-Oct-05 17:10 by evmiller
ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
R3 uptime is 25 minutes
System returned to ROM by reload at 08:56:50 UTC Wed Sep 12 2007
System image file is "flash:c1841-ipbase-mz.124-1c.bin"
Cisco 1841 (revision 7.0) with 114688K/16384K bytes of memory.
Processor board ID FTX1118X0BN
2 FastEthernet interfaces
2 Low-speed serial(sync/async) interfaces
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
31360K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102
Next, reload the router and send a break during boot. The Break key differs from computer to computer. It is usually in the upper-right corner of the keyboard. A break makes the device enter a mode called ROMmon. This mode does not require the device to have access to a Cisco IOS image file.
Note: HyperTerminal requires a Ctrl-Break sequence. For other terminal emulation software, check the default Break key sequence combinations.
R3#reload
Proceed with reload? [confirm]
*Sep 12 08:27:28.670: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload command.
System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2006 by cisco Systems, Inc.
PLD version 0x10
GIO ASIC version 0x127
c1841 platform with 131072 Kbytes of main memory
Main memory is configured to 64 bit mode with parity disabled
Readonly ROMMON initialized
rommon 1 >
Change the configuration register to a value that loads the router's initial configuration. That configuration has no password configured but still supports Cisco IOS commands. Change the configuration register value to 0x2142.
rommon 1 > confreg 0x2142
Now that it has been changed, we can boot the device with the reset command.
rommon 2 > reset
program load complete, entry point: 0x8000f000, size: 0xcb80
program load complete, entry point: 0x8000f000, size: 0xcb80
program load complete, entry point: 0x8000f000, size: 0xd4a9a0
Self decompressing the image : ########################################################### ############################################################################# # [OK]
<command output omitted>
--- System Configuration Dialog ---
Would you like to enter the initial configuration dialog? [yes/no]: no
Press RETURN to get started!
Step 4: Restore the router.
Now we copy the startup configuration to the running configuration, restore the configuration, and change the configuration register back to the default (0x2102). To copy the startup configuration from NVRAM to running memory, enter copy startup-config running-config. Be careful! Do NOT enter copy running-config startup-config, or you will erase the startup configuration.
Router#copy startup-config running-config
Destination filename [running-config]? {enter}
2261 bytes copied in 0.576 secs (3925 bytes/sec)
R3#show running-config
<command output omitted>
enable secret 5 $1$31P/$cyPgoxc0R9y93Ps/N3/kg.
!
<command output omitted>
!
key chain RIP_KEY
 key 1
  key-string 7 01100F175804
username ccna password 7 094F471A1A0A1411050D
!
interface FastEthernet0/1
 ip address 192.168.30.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip directed-broadcast
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/1
 ip address 10.2.2.2 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip directed-broadcast
 shutdown
 ip rip authentication mode md5
 ip rip authentication key-chain RIP_KEY
!
<command output omitted>
!
line con 0
 exec-timeout 5 0
 logging synchronous
 login authentication
 transport output telnet
line aux 0
 exec-timeout 15 0
 logging synchronous
 login authentication local_auth
 transport output telnet
line vty 0 4
 exec-timeout 15 0
 logging synchronous
 login authentication local_auth
 transport input telnet
!
end
In this configuration, the shutdown command appears on every interface because all of them are currently disabled. More importantly, you can now see the passwords (enable password, enable secret, VTY and console passwords) in either encrypted or unencrypted form. You can reuse unencrypted passwords. You must change encrypted passwords to a new password.
R3#configure terminal
Enter configuration commands, one per line.
R3(config)#enable secret ciscoccna
R3(config)#username ccna password ciscoccna
R3(config)#interface FastEthernet0/1
R3(config-if)#no shutdown
R3(config-if)#interface Serial0/0/1
R3(config-if)#no shutdown
You can issue a show ip interface brief command to confirm that the interface configuration is correct. Every interface you want to use must show as up.
R3#show ip interface brief
Interface          IP-Address      OK? Method Status                Protocol
FastEthernet0/0    unassigned      YES NVRAM  administratively down down
FastEthernet0/1    192.168.30.1    YES NVRAM  up                    up
Serial0/0/1        unassigned      YES NVRAM  administratively down down
Serial0/0/0        10.2.2.2        YES NVRAM  up                    up
Enter config-register configuration-register-value. The variable configuration-register-value is the value recorded in Step 3, or 0x2102. Save the running configuration.
R3(config)#config-register 0x2102
R3(config)#end
R3#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
What are the disadvantages of password recovery?
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
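A check that belongs after Steps 3 and 4: decode the configuration register from show version output and flag a router left with the 0x2142 "ignore NVRAM" bit set after recovery. This Python snippet is an added example and not part of the Cisco lab; the show version fragments it parses are constructed, and the "(will be ... at next reload)" form is what IOS prints after config-register has been changed but the router has not yet been reloaded.

```python
"""Decode the configuration register reported by 'show version'.
Added example, not Cisco's code; the show version fragments are constructed.
"""
import re

# Bit meanings of the 16-bit configuration register (documented values).
BOOT_FIELD = 0x000F      # bits 0-3: boot field
IGNORE_NVRAM = 0x0040    # bit 6: ignore startup-config in NVRAM (0x2142 sets it)
BREAK_DISABLED = 0x0100  # bit 8: ignore the Break key once IOS is running
DEFAULT_REGISTER = 0x2102

# Constructed fragments: the default, the value set in ROMmon during recovery,
# and the form IOS prints after 'config-register 0x2102' but before the reload.
SHOW_VERSION_DEFAULT = "Configuration register is 0x2102"
SHOW_VERSION_RECOVERY = "Configuration register is 0x2142"
SHOW_VERSION_PENDING = "Configuration register is 0x2142 (will be 0x2102 at next reload)"

REGISTER_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]{1,4})"
    r"(?: \(will be (0x[0-9A-Fa-f]{1,4}) at next reload\))?")


def parse_register(show_version):
    """Return (current, pending); pending is None when no reload is pending."""
    m = REGISTER_RE.search(show_version)
    if not m:
        return None, None
    pending = int(m.group(2), 16) if m.group(2) else None
    return int(m.group(1), 16), pending


def decode(value):
    """Explain the register bits that matter for the password recovery steps."""
    boot = value & BOOT_FIELD
    if boot == 0x0:
        boot_text = "stay in ROMmon"
    elif boot == 0x1:
        boot_text = "boot the first image in flash"
    else:
        boot_text = "boot per the boot system commands in startup-config"
    return {
        "boot": boot_text,
        "ignore_startup_config": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
    }


def audit_register(show_version):
    """Findings for the value that will be in effect at the next reload."""
    current, pending = parse_register(show_version)
    if current is None:
        return ["no 'Configuration register' line found"]
    effective = current if pending is None else pending
    info = decode(effective)
    findings = []
    if info["ignore_startup_config"]:
        findings.append(f"{effective:#06x}: startup-config will be ignored at the next "
                        f"reload; set config-register {DEFAULT_REGISTER:#06x} and save")
    if not info["break_disabled"]:
        findings.append(f"{effective:#06x}: Break is honoured after boot, so a "
                        "console user can drop the router into ROMmon")
    return findings
```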
If it is NOT installed on the router, SDM must be installed before you can continue. Ask your instructor for instructions.
Step 1: Connect to R2 using the TFTP server.
Create a username and password on R2.
R2(config)#username ccna password ciscoccna
Enable the secure HTTP server on R2 and connect to R2 using a browser on the TFTP server.
R2(config)#ip http secure-server
% Generating 1024 bit RSA Keys, Keys Will be non-exportable...[OK]
R2(config)#
*Nov 16 16:01:07.763: %SSH-5-ENABLED: SSH 1.99 has been enabled
*Nov 16 16:01:08.731: %PKI-4-NOAUTOSAVE: Configuration was modified. Issue "write memory" to save new certificate
R2(config)#end
R2#copy run start
On the TFTP server, open a browser and navigate to https://192.168.20.1/. Log in with the username and password configured earlier:
username: ccna
password: ciscoccna
Select Cisco Router and Security Device Manager.
Open Internet Explorer and enter the IP address of R2 in the address bar. A new window opens. Make sure that all popup blockers are disabled in the browser. Also make sure that Java is installed and up to date.
Step 2: Navigate to the Security Audit feature.
Click the Configure button in the upper-left corner of the window.
It gives a brief explanation of what the Security Audit feature does. Click Next to open the Security audit interface configuration window.
An interface should be classified as external (untrusted) if you cannot be sure of the legitimacy of the traffic arriving on it. In this example, FastEthernet0/1 and Serial0/1/0 are untrusted because Serial0/1/0 faces the Internet and FastEthernet0/1 faces the access portion of the network, where illegitimate traffic can be generated. After selecting the external and internal interfaces, click Next. A new window opens indicating that SDM is performing a security audit.
As you can see, the default configuration is not secure. Click the Close button to continue.
Step 4: Apply the settings to the router.
Click the Fix All button to make all of the suggested security changes. Then click the Next button.
Enter a banner message to be used as the router's message of the day and click Next.
Next, set the severity level of the logging traps that the router should send to the syslog server. The severity level is set to debugging for this scenario. Click Next to display a summary of the changes to be made to the router.
Addressing table
Device        Interface   IP address        Subnet mask       Default gateway
R1            Fa0/1       192.168.10.1      255.255.255.0     N/A
              S0/0/1      10.1.1.1          255.255.255.252   N/A
R2            Fa0/1       192.168.20.1      255.255.255.0     N/A
              S0/0/1      10.2.2.1          255.255.255.252   N/A
              Lo0         209.165.200.225   255.255.255.224   N/A
R3            Fa0/1       192.168.30.1      255.255.255.0     N/A
              S0/0/1      10.2.2.2          255.255.255.252   N/A
              S0/0/0      10.1.1.2          255.255.255.252   N/A
              VLAN10      192.168.10.2      255.255.255.0     N/A
              VLAN30      192.168.30.2      255.255.255.0     N/A
PC1           NIC         192.168.10.10     255.255.255.0     192.168.10.1
PC3           NIC         192.168.30.10     255.255.255.0     192.168.30.1
TFTP server   NIC         192.168.20.254    255.255.255.0     192.168.20.1
Learning objectives
After completing this lab, you will be able to:
- Cable a network according to the topology diagram.
- Erase the startup configuration and reload the router to the default state.
- Perform basic configuration tasks on a router.
- Configure and activate interfaces.
- Configure basic router security.
- Disable unused Cisco services and interfaces.
- Protect enterprise networks from basic external and internal attacks.
- Understand and manage Cisco IOS configuration files and the Cisco file system.
- Set up and use Cisco SDM (Security Device Manager) to configure basic router security.
Scenario
In this lab, you will configure security using the network shown in the topology diagram. If you need assistance, refer to the basic security lab; however, try to do as much as you can on your own. For this lab, do not use password or login protection on any console line, because that can cause accidental lockout. You should still secure the console line by other means. Use ciscoccna for all passwords in this lab.
Step 2: Configure the Ethernet interfaces.
Configure the Ethernet interfaces of PC1, PC3 and the TFTP server with the IP addresses and gateways from the addressing table at the beginning of the lab.
Step 3: Test the PC configuration by pinging the default gateway from every PC and from the TFTP server.
Addressing table
Device        Interface   IP address        Subnet mask       Default gateway
R1            Fa0/1       192.168.10.1      255.255.255.0     N/A
              S0/0/1      10.1.1.1          255.255.255.252   N/A
R2            Fa0/1       192.168.20.1      255.255.255.0     N/A
              S0/0/1      10.2.2.1          255.255.255.252   N/A
              Lo0         209.165.200.225   255.255.255.224   N/A
R3            Fa0/1       192.168.30.1      255.255.255.0     N/A
              S0/0/1      10.2.2.2          255.255.255.252   N/A
              S0/0/0      10.1.1.2          255.255.255.252   N/A
              VLAN10      192.168.10.2      255.255.255.0     N/A
              VLAN30      192.168.30.2      255.255.255.0     N/A
PC1           NIC         192.168.10.10     255.255.255.0     192.168.10.1
PC3           NIC         192.168.30.10     255.255.255.0     192.168.30.1
TFTP server   NIC         192.168.20.254    255.255.255.0     192.168.20.1
Learning objectives
After completing this lab, you will be able to:
- Cable a network according to the topology diagram.
- Erase the startup configuration and restore the default state on all routers.
- Load the routers with the supplied scripts.
- Find and correct all network errors.
- Document the corrected network.
Scenario
Your company has recently hired a new network engineer who has created some security problems on the network through misconfigurations and omissions. Your boss has asked you to correct the errors the new engineer made while configuring the routers. While correcting the problems, make sure that all devices are secure but still accessible to administrators, and that all networks are reachable. All routers must be accessible with SDM from PC1. Verify that a device is secure by using tools such as Telnet and ping. Unauthorized use of these tools must be blocked; authorized use, on the other hand, must be allowed. For this lab, do not use login or password protection on any console line, to prevent accidental lockout. Use ciscoccna for all passwords in this scenario.
no ip gratuitous-arps
ip cef
!
no ip dhcp use vrf connected
!
no ip bootp server
!
key chain RIP_KEY
 key 1
  key-string cisco
username ccna password ciscoccna
!
interface FastEthernet0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 duplex auto
 speed auto
 no shutdown
!
!
interface Serial0/0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no shutdown
 no fair-queue
 clockrate 125000
!
interface Serial0/0/1
 ip address 10.1.1.1 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip rip authentication mode md5
 ip rip authentication key-chain RIP_KEY
 no shutdown
!
interface Serial0/1/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no shutdown
 clockrate 2000000
All contents are Copyright 19922009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Pgina 3 de 9
! interface Serial0/1/1 no ip address no ip redirects no ip unreachables no ip proxy-arp no shutdown ! router rip version 2 passive-interface default no passive-interface Serial0/0/0 network 10.0.0.0 network 192.168.10.0 no auto-summary ! ip classless ! no ip http server ! logging 192.168.10.150 no cdp run ! line con 0 exec-timeout 5 0 logging synchronous transport output telnet line aux 0 exec-timeout 15 0 logging synchronous login authentication LOCAL_AUTH transport output telnet line vty 0 4 exec-timeout 5 0 logging synchronous login authentication LOCAL_AUTH transport input telnet ! end R2: no service pad service timestamps debug datetime msec service timestamps log datetime msec ! hostname R2 ! security authentication failure rate 10 log security passwords min-length 6 enable secret ciscoccna ! aaa new-model ! aaa authentication login local_auth local ! aaa session-id common
All contents are Copyright 19922009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Pgina 4 de 9
! resource policy ! mmi polling-interval 60 no mmi auto-configure no mmi pvc mmi snmp-timeout 180 no ip source-route no ip gratuitous-arps ip cef ! no ip dhcp use vrf connected ! no ip bootp server ! ! username ccna password ciscoccna ! interface Loopback0 ip address 209.165.200.225 255.255.255.224 ! interface FastEthernet0/0 no ip address no ip redirects no ip unreachables no ip proxy-arp no ip directed-broadcast shutdown duplex auto speed auto ! interface FastEthernet0/1 ip address 192.168.20.1 255.255.255.0 no ip redirects no ip unreachables no ip proxy-arp no ip directed-broadcast duplex auto speed auto no shutdown ! interface Serial0/0/0 no ip address no ip redirects no ip unreachables no ip proxy-arp no ip directed-broadcast shutdown no fair-queue ! interface Serial0/0/1 ip address 10.2.2.1 255.255.255.252 no ip redirects no ip unreachables no ip proxy-arp no ip directed-broadcast
All contents are Copyright 19922009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Pgina 5 de 9
ip rip authentication mode md5 ip rip authentication key-chain RIP_KEY clockrate 128000 no shutdown ! interface Serial0/1/0 no ip address no ip redirects no ip unreachables no ip proxy-arp no ip directed-broadcast shutdown ! interface Serial0/1/1 no ip address no ip redirects no ip unreachables no ip proxy-arp no ip directed-broadcast shutdown clockrate 2000000 ! router rip version 2 no passive-interface Serial0/0/1 network 10.0.0.0 network 192.168.20.0 network 209.165.200.224 no auto-summary ! ip classless ! no ip http server ! logging trap debugging logging 192.168.10.150 ! line con 0 exec-timeout 5 0 logging synchronous transport output telnet line aux 0 exec-timeout 15 0 logging synchronous login authentication LOCAL_AUTH transport output telnet line vty 0 4 exec-timeout 0 0 logging synchronous login authentication LOCAL_AUTH transport input telnet ! end R3: no service pad
All contents are Copyright 19922009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Pgina 6 de 9
service timestamps debug datetime msec service timestamps log datetime msec service password-encryption ! hostname R3 ! boot-start-marker boot-end-marker ! security authentication failure rate 10 log security passwords min-length 6 enable secret ciscoccna ! aaa new-model ! aaa authentication login local_auth local ! aaa session-id common ! resource policy ! mmi polling-interval 60 no mmi auto-configure no mmi pvc mmi snmp-timeout 180 ip subnet-zero no ip source-route no ip gratuitous-arps ip cef ! ! no ip dhcp use vrf connected ! no ip bootp server ! key chain RIP_KEY key 1 key-string Cisco ! interface FastEthernet0/0 no ip address no ip redirects no ip proxy-arp no ip directed-broadcast duplex auto speed auto shutdown ! interface FastEthernet0/1 ip address 192.168.30.1 255.255.255.0 no ip redirects no ip unreachables no ip proxy-arp no ip directed-broadcast no shutdown duplex auto
All contents are Copyright 19922009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Pgina 7 de 9
speed auto ! interface Serial0/0/0 ip address 10.1.1.2 255.255.255.252 no ip redirects no ip unreachables no ip proxy-arp no ip directed-broadcast clockrate 125000 ! interface Serial0/0/1 ip address 10.2.2.2 255.255.255.252 no ip redirects no ip unreachables no ip proxy-arp no ip directed-broadcast ! router rip version 2 passive-interface default no passive-interface Serial0/0/0 no passive-interface Serial0/0/1 network 10.0.0.0 network 192.168.30.0 no auto-summary ! ip classless ! ip http server ! logging trap debugging logging 192.168.10.150 no cdp run ! control-plane ! line con 0 exec-timeout 5 0 logging synchronous transport output telnet line aux 0 exec-timeout 15 0 logging synchronous login authentication LOCAL_AUTH transport output telnet line vty 0 4 exec-timeout 15 0 logging synchronous login authentication LOCAL_AUTH transport input telnet ! end
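Hunting the planted errors by eye works for three routers; for more it pays to check scripts mechanically. The following added example (not part of the lab) parses IOS scripts and flags the patterns present in the three scripts above: an AAA method list referenced on a line under a different name from the one it was defined with (IOS list names are case-sensitive), a VTY line with exec-timeout 0 0, ip http server left enabled, an addressed interface never brought up, a RIP interface that references a key chain the router does not define, an authenticated interface left passive by passive-interface default, a key chain defined but applied nowhere, and key strings that differ between routers. The sample inputs are hand-made excerpts of the R1, R2 and R3 scripts, not the full scripts; the AAA check only runs on a script that contains aaa new-model, because R1's global section is not on the page.

```python
import re

SECTION_START = re.compile(r"^(interface|line|router|key chain) ")


def parse_sections(config):
    """Split an IOS config into [(header, [lines])]; '!' or a new header ends a section."""
    sections, header, body = [], "global", []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!" or SECTION_START.match(line):
            sections.append((header, body))
            header, body = ("global", []) if line == "!" else (line, [])
        elif line:
            body.append(line)
    sections.append((header, body))
    return sections


def key_strings(config):
    """{chain name: key-string} for one script, so key strings can be compared across routers."""
    return {h.split()[-1]: next((l.split(None, 1)[1] for l in b if l.startswith("key-string ")), None)
            for h, b in parse_sections(config) if h.startswith("key chain ")}


def audit_router(config):
    """Findings for one router's script, one string per problem."""
    findings, secs = [], parse_sections(config)
    glob = [l for h, b in secs if h == "global" for l in b]
    aaa_lists = {l.split()[3] for l in glob if l.startswith("aaa authentication login ")}
    chains, used, rip_auth_ifaces = set(key_strings(config)), set(), []
    if "ip http server" in glob:
        findings.append("ip http server: plaintext HTTP management left enabled")
    for h, b in secs:
        if h.startswith("line ") and "aaa new-model" in glob:   # AAA list names are case-sensitive
            for l in b:
                if l.startswith("login authentication ") and l.split()[2] not in aaa_lists:
                    findings.append(f"{h}: AAA list {l.split()[2]!r} is not defined")
                if l == "exec-timeout 0 0":
                    findings.append(f"{h}: exec-timeout 0 0 means idle sessions never expire")
        elif h.startswith("interface "):
            iface = h.split()[1]
            if any(l.startswith("ip address ") for l in b) and "no shutdown" not in b:
                findings.append(f"{iface}: addressed but never brought up (no 'no shutdown')")
            for l in b:
                if l.startswith("ip rip authentication key-chain "):
                    chain = l.split()[-1]
                    used.add(chain)
                    rip_auth_ifaces.append(iface)
                    if chain not in chains:
                        findings.append(f"{iface}: key chain {chain!r} referenced but not defined")
        elif h == "router rip" and "passive-interface default" in b:
            active = {l.split()[-1] for l in b if l.startswith("no passive-interface ")}
            findings += [f"router rip: {i} carries RIP authentication but is passive"
                         for i in rip_auth_ifaces if i not in active]
    findings += [f"key chain {c!r} is defined but applied to no interface" for c in chains - used]
    return findings


def audit_network(configs):
    """Per-router findings plus the cross-router check: one key string per chain name."""
    report = {name: audit_router(cfg) for name, cfg in configs.items()}
    strings = {}
    for name, cfg in configs.items():
        for chain, ks in key_strings(cfg).items():
            strings.setdefault(chain, {})[name] = ks
    for chain, per_router in strings.items():
        if len(set(per_router.values())) > 1:
            report.setdefault("network", []).append(f"key chain {chain!r} differs across routers: {per_router}")
    return report


# Hand-made excerpts of the three scripts above (constructed for this demo, not the full scripts).
R1 = """key chain RIP_KEY
 key 1
  key-string cisco
interface Serial0/0/1
 ip address 10.1.1.1 255.255.255.252
 ip rip authentication key-chain RIP_KEY
 no shutdown
router rip
 passive-interface default
 no passive-interface Serial0/0/0"""
R2 = """aaa new-model
aaa authentication login local_auth local
interface Serial0/0/1
 ip address 10.2.2.1 255.255.255.252
 ip rip authentication key-chain RIP_KEY
 no shutdown
line vty 0 4
 exec-timeout 0 0
 login authentication LOCAL_AUTH"""
R3 = """key chain RIP_KEY
 key 1
  key-string Cisco
interface Serial0/0/0
 ip address 10.1.1.2 255.255.255.252
!
ip http server"""

if __name__ == "__main__":
    for router, found in audit_network({"R1": R1, "R2": R2, "R3": R3}).items():
        print(router, *found, sep="\n  ")
```

Run against the full scripts, the same checks also catch R3's authenticated-neighbour problem from the other side: R1 sends MD5-authenticated RIP on S0/0/1 while R3's S0/0/0 carries no authentication at all, which the cross-router report exposes as a chain that R3 defines but never applies.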
CCNA Exploration Accessing the WAN: ACLs, Lab 5.5.1: Basic Access Control Lists

Addressing table (rows recoverable on this page)

Device  Interface  IP address       Subnet mask      Default gateway
R1      Fa0/0      192.168.10.1     255.255.255.0    N/A
R1      Fa0/1      192.168.11.1     255.255.255.0    N/A
R1      S0/0/0     10.1.1.1         255.255.255.252  N/A
R2      Fa0/1      192.168.20.1     255.255.255.0    N/A
R2      S0/0/0     10.1.1.2         255.255.255.252  N/A
R2      S0/0/1     10.2.2.1         255.255.255.252  N/A
R2      Lo0        209.165.200.225  255.255.255.224  N/A
R3      Fa0/1      192.168.30.1     255.255.255.0    N/A
R3      S0/0/1     10.2.2.2         255.255.255.252  N/A
S1      Vlan1      192.168.10.2     255.255.255.0    192.168.10.1
(The remaining rows of the table, two further switch Vlan1 interfaces and four PC network adapters, are not present on this page.)
Learning objectives
After completing this lab, you will be able to:
Create named standard and named extended ACLs.
Apply named standard and named extended ACLs.
Test named standard and named extended ACLs.
Troubleshoot named standard and named extended ACLs.
Scenario
In this lab you will learn how to configure basic network security using access control lists. You will apply both standard and extended ACLs.
Configure a loopback interface on R2 to simulate the ISP. Configure IP addresses for the VLAN 1 interface on each switch. Configure each switch with the appropriate default gateway. Verify full IP connectivity using the ping command.
Extended ping from R1 sourced from its Fa0/1 address 192.168.11.1 (the first prompts of the sequence are not shown):

Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.11.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.11.1
U.U.U
Success rate is 0 percent (0/5)

You should see the following message on the R3 console:

*Sep 4 03:22:58.935: %SEC-6-IPACCESSLOGNP: list STND-1 denied 0 0.0.0.0 -> 192.168.11.1, 1 packet

In privileged EXEC mode on R3, issue the show access-lists command. You should see output similar to the following. Each line of an ACL has an associated counter that shows how many packets matched that entry.

Standard IP access list STND-1
    10 deny   192.168.11.0, wildcard bits 0.0.0.255 log (5 matches)
    20 permit any (25 matches)

The purpose of this ACL was to block hosts from the 192.168.11.0/24 network. Any other host, such as those on the 192.168.10.0/24 network, must still be allowed to reach the networks on R3. Run further tests between PC1 and PC3 to make sure that this traffic is not blocked. You can also use an extended ping from the Fa0/0 interface on R1 to the Fa0/1 interface on R3.

R1#ping ip
Target IP address: 192.168.30.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.10.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/43/44 ms
An additional policy for this network states that only devices on the 192.168.10.0/24 LAN are allowed to reach internal networks. Computers on this LAN are not permitted to access the Internet, so their access to the IP address 209.165.200.225 must be blocked. Because this requirement has to be enforced on both source and destination, an extended ACL is required.

In this task you configure an extended ACL on R1 that prevents traffic originating from any device on the 192.168.10.0/24 network from reaching the host 209.165.200.225 (the simulated ISP). The ACL is applied outbound on R1's Serial 0/0/0 interface. A common best practice for extended ACLs is to place them as close to the source as possible. Before you begin, verify that you can ping 209.165.200.225 from PC1.

Step 1: Configure a named extended ACL.
In global configuration mode, create a named extended ACL called EXTEND-1.

R1(config)#ip access-list extended EXTEND-1

Notice that the router prompt changes to show that you are now in extended ACL configuration mode. At this prompt, add the statement needed to block traffic from the 192.168.10.0/24 network to the host. Use the host keyword when defining the destination.

R1(config-ext-nacl)#deny ip 192.168.10.0 0.0.0.255 host 209.165.200.225

Remember that the implicit "deny all" blocks every other packet unless a permit statement follows. Add a permit statement so that other traffic is not blocked.

R1(config-ext-nacl)#permit ip any any

Step 2: Apply the ACL.
With standard ACLs, the best practice is to place the ACL as close to the destination as possible. Extended ACLs are usually placed close to the source. EXTEND-1 is placed on the serial interface and filters outbound traffic.

R1(config)#interface serial 0/0/0
R1(config-if)#ip access-group EXTEND-1 out
R1(config-if)#end
R1#copy run start

Step 3: Test the ACL.
From PC1, ping the loopback interface on R2. These pings should fail, because all traffic from the 192.168.10.0/24 network is filtered when the destination is 209.165.200.225. If the destination is any other address, the pings should succeed. Confirm this by pinging R3 from a device on the 192.168.10.0/24 network.

Note: the extended ping feature on R1 cannot be used to test this ACL. Traffic that originates inside R1 is never checked against an ACL applied outbound on R1's own serial interface; only transit traffic is. You can verify this further by issuing show ip access-list on R1 after the ping:

R1#show ip access-list
Extended IP access list EXTEND-1
    10 deny ip 192.168.10.0 0.0.0.255 host 209.165.200.225 (4 matches)
    20 permit ip any any
In this task you configure a standard ACL that allows hosts from two networks to reach the VTY lines. All other hosts are denied. First verify that you can telnet to R2 from both R1 and R3.

Step 1: Configure the ACL.
Configure a named standard ACL on R2 that permits traffic from 10.2.2.0/30 and from 192.168.30.0/24. Deny all other traffic. Name the ACL TASK-5.

R2(config)#ip access-list standard TASK-5
R2(config-std-nacl)#permit 10.2.2.0 0.0.0.3
R2(config-std-nacl)#permit 192.168.30.0 0.0.0.255

Step 2: Apply the ACL.
Enter line configuration mode for VTY lines 0 to 4.

R2(config)#line vty 0 4

Use the access-class command to apply the ACL to the vty lines in the inbound direction. Note that this differs from the command used to apply ACLs to interfaces.

R2(config-line)#access-class TASK-5 in
R2(config-line)#end
R2#copy run start

Step 3: Test the ACL.
Telnet from R1 to R2. R1 has no IP address in the ranges listed in the permit statements of TASK-5, so the connection attempt should fail.

R1# telnet 10.1.1.2
Trying 10.1.1.2 ...
% Connection refused by remote host

From R3, telnet to R2. You are prompted for the VTY line password.

R3# telnet 10.1.1.2
Trying 10.1.1.2 ... Open

Unauthorized access strictly prohibited, violators will be prosecuted to the full extent of the law.

User Access Verification

Password:

Why do connection attempts from other networks fail even though those networks are not specifically listed in the ACL?
_________________________________________________________________________________
_________________________________________________________________________________
Step 1: Remove ACL STND-1 from S0/0/1.
In an earlier task you created and applied a named standard ACL on R3. Use the show running-config command to display the ACL and its placement. You should see that an ACL named STND-1 was configured and applied inbound on Serial 0/0/1. Recall that this ACL was created to stop all traffic with a source address in the 192.168.11.0/24 network from reaching the LAN on R3.

To remove the ACL, enter interface configuration mode for Serial 0/0/1 on R3 and use the no ip access-group STND-1 in command.

R3(config)#interface serial 0/0/1
R3(config-if)#no ip access-group STND-1 in

Use show running-config to confirm that the ACL has been removed from Serial 0/0/1.

Step 2: Apply ACL STND-1 on S0/0/1 outbound.
To see how much the direction of ACL filtering matters, reapply STND-1 to Serial 0/0/1, this time filtering outbound instead of inbound traffic. Remember to use the out keyword.

R3(config)#interface serial 0/0/1
R3(config-if)#ip access-group STND-1 out

Step 3: Test the ACL.
Test the ACL by pinging from PC2 to PC3, or use an extended ping on R1. Notice that this time the ping succeeds and the counter of the deny entry is not incremented: the outbound ACL never sees the echo request, which enters through S0/0/1 and leaves through Fa0/1; it only sees the echo reply, whose source address is on 192.168.30.0/24 and is permitted. Confirm this by issuing show ip access-list on R3.

Step 4: Restore the original ACL configuration.
Remove the ACL from the outbound direction and reapply it inbound.

R3(config)#interface serial 0/0/1
R3(config-if)#no ip access-group STND-1 out
R3(config-if)#ip access-group STND-1 in

Step 5: Apply TASK-5 to R2's Serial 0/0/0 interface inbound.

R2(config)#interface serial 0/0/0
R2(config-if)#ip access-group TASK-5 in

Step 6: Test the ACL.
Try to communicate with any device connected to R2 or R3 from R1 or from the networks connected to R1. Notice that all communication is blocked, yet the ACL counters are not incremented. This is the implicit "deny all" at the end of every ACL: it matches everything the explicit entries did not, and it has no counter. That deny blocks all traffic entering Serial 0/0/0 from any source other than R3, including R1's OSPF hellos, so R1 is effectively removed from the routing table. You should see messages similar to the following on the consoles of R1 and R2 (be patient, since it takes a while for the OSPF neighbor relationship to go down):

*Sep 4 09:51:21.757: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.11.1 on Serial0/0/0 from FULL to DOWN, Neighbor Down: Dead timer expired

When you receive this message, issue show ip route on R1 and R2 to see which routes were removed from the routing table. Remove ACL TASK-5 from the interface and save the configurations.

R2(config)#interface serial 0/0/0
hostname R2
!
enable secret class
!
no ip domain lookup
!
interface Loopback0
 ip address 209.165.200.225 255.255.255.224
!
interface FastEthernet0/1
 ip address 192.168.20.1 255.255.255.0
 no shutdown
!
interface Serial0/0/0
 ip address 10.1.1.2 255.255.255.252
 no shutdown
!
interface Serial0/0/1
 ip address 10.2.2.1 255.255.255.252
 clockrate 125000
 no shutdown
!
router ospf 1
 no auto-cost
 network 10.1.1.0 0.0.0.3 area 0
 network 10.2.2.0 0.0.0.3 area 0
 network 192.168.20.0 0.0.0.255 area 0
 network 209.165.200.224 0.0.0.31 area 0
!
ip access-list standard TASK-5
 permit 10.2.2.0 0.0.0.3
 permit 192.168.30.0 0.0.0.255
!
banner motd ^Unauthorized access strictly prohibited, violators will be prosecuted to the full extent of the law.^
!
line con 0
 password cisco
 logging synchronous
 login
!
line vty 0 4
 access-class TASK-5 in
 password cisco
 login
!

Router 3
hostname R3
!
enable secret class
!
no ip domain lookup
!
interface FastEthernet0/1
 ip address 192.168.30.1 255.255.255.0
 no shutdown
!
interface Serial0/0/1
 ip address 10.2.2.2 255.255.255.252
 ip access-group STND-1 in
 no shutdown
!
router ospf 1
 network 10.2.2.0 0.0.0.3 area 0
 network 192.168.30.0 0.0.0.255 area 0
!
ip access-list standard STND-1
 deny 192.168.11.0 0.0.0.255 log
 permit any
!
banner motd ^Unauthorized access strictly prohibited, violators will be prosecuted to the full extent of the law.^
!
line con 0
 password cisco
 logging synchronous
 login
!
line vty 0 4
 password cisco
 login
!
end
Task 8: Clean up
Erase the configurations and reload the routers. Disconnect and store the cabling. For PCs that are normally connected to other networks (such as the school LAN or the Internet), reconnect the appropriate cabling and restore the TCP/IP settings.
CCNA Exploration Accessing the WAN: ACLs, Lab 5.5.2: Advanced Access Control Lists

Addressing table

Device  Interface  IP address    Subnet mask    Default gateway
R1      S0/0/0     10.1.0.1      255.255.255.0  N/A
R1      Fa0/1      10.1.1.254    255.255.255.0  N/A
R2      S0/0/0     10.1.0.2      255.255.255.0  N/A
R2      S0/0/1     10.3.0.1      255.255.255.0  N/A
R2      Lo0        10.13.205.1   255.255.0.0    N/A
R3      S0/0/1     10.3.0.2      255.255.255.0  N/A
R3      Fa0/1      10.3.1.254    255.255.255.0  N/A
PC1     NIC        10.1.1.1      255.255.255.0  10.1.1.254
PC3     NIC        10.3.1.1      255.255.255.0  10.3.1.254
Learning objectives
After completing this lab, you will be able to:
Create named standard and named extended ACLs.
Apply named standard and named extended ACLs.
Test named standard and named extended ACLs.
Troubleshoot named standard and named extended ACLs.
Note: this may require several access lists. Verify the configuration and document the testing procedure.

Why is the order of the access-list statements so important?
__________________________________________________________________________________
__________________________________________________________________________________
Addressing table

Device  Interface  IP address    Subnet mask    Default gateway
R1      S0/0/0     10.1.0.1      255.255.255.0  N/A
R1      Fa0/1      10.1.1.254    255.255.255.0  N/A
R2      S0/0/0     10.1.0.2      255.255.255.0  N/A
R2      S0/0/1     10.3.0.5      255.255.255.0  N/A
R2      Lo0        10.13.205.1   255.255.0.0    N/A
R3      S0/0/1     10.3.0.6      255.255.255.0  N/A
R3      Fa0/1      10.3.1.254    255.255.255.0  N/A
PC1     NIC        10.1.1.1      255.255.255.0  10.1.1.254
PC3     NIC        10.3.1.1      255.255.255.0  10.3.1.254
Learning objectives
After completing this lab, you will be able to:
Cable a network according to the topology diagram.
Erase the startup configuration and reload the routers to their default state.
Load the routers with the scripts.
Find and correct all network errors.
Document the corrected network.
Scenario
You work for a regional service provider whose customers have recently suffered several security breaches. Some security policies were implemented that did not meet the customers' specific needs. Your department has been asked to examine the configuration, run tests, and change the configuration as needed to secure the customer routers. Make sure the final configurations implement the following security policies:

Customers R1 and R3 require that only the local PCs can reach the VTY lines. Log every attempt by any other device to reach the VTY lines.
The R1 and R3 local networks must not be allowed to send or receive traffic to or from each other. All other traffic between R1 and R3 must be permitted.
A minimum number of ACL statements must be used, applied inbound on the serial interfaces of R2.
OSPF is used to distribute routing information.
All passwords except the enable secret are set to cisco. The enable secret password is set to class.
Task 4: Clean up
Erase the configurations and reload the routers. Disconnect and store the cabling. For PCs that are normally connected to other networks (such as the school LAN or the Internet), reconnect the appropriate cabling and restore the TCP/IP settings.
Addressing table

Device  Interface  IP address       Subnet mask
R1      S0/0/0     10.1.1.1         255.255.255.252
R1      Fa0/0      192.168.10.1     255.255.255.0
R1      Fa0/1      192.168.11.1     255.255.255.0
R2      S0/0/0     10.1.1.2         255.255.255.252
R2      S0/0/1     209.165.200.225  255.255.255.252
R2      Fa0/0      192.168.20.1     255.255.255.0
ISP     S0/0/1     209.165.200.226  255.255.255.252
Learning objectives
After completing this lab, you will be able to:
Prepare the network.
Perform basic router configurations.
Configure a Cisco IOS DHCP server.
Configure static and default routing.
Configure static NAT.
Configure dynamic NAT using a pool of addresses.
Scenario
In this lab you will configure the DHCP and NAT IP services. One router is the DHCP server; the other router forwards DHCP requests to that server. You will also configure static and dynamic NAT, including NAT overload. When the configurations are complete, verify connectivity between the inside and outside addresses.

Note: instead of attaching a server to R2, you can configure a loopback interface on R2 with the IP address 192.168.20.254/24. If you do so, you do not need to configure the Fast Ethernet interface.
Task 3: Configure PC1 and PC2 to receive an IP address through DHCP
On a Windows PC, go to Start -> Control Panel -> Network Connections -> Local Area Connection. Right-click Local Area Connection and select Properties.
Scroll down and highlight Internet Protocol (TCP/IP). Click the Properties button.
Once this has been done on PC1 and PC2, they are ready to receive an IP address from a DHCP server.
What are the results of the test? ____________________________________
Why are these the results? _________________________________________

Step 4: Configure a helper address.
Network services such as DHCP rely on broadcasts to work, and routers do not forward broadcasts. When the device providing such a service is on a different subnet from its clients, it cannot receive the clients' broadcast packets. Because the DHCP server and the DHCP clients are not on the same subnet, configure R1 to forward DHCP broadcasts to R2, the DHCP server, using the ip helper-address interface configuration command. Note that ip helper-address must be configured on every interface that receives client requests.

R1(config)#interface fa0/0
R1(config-if)#ip helper-address 10.1.1.2
R1(config)#interface fa0/1
R1(config-if)#ip helper-address 10.1.1.2

Step 5: Release and renew the IP addresses on PC1 and PC2.
Depending on whether the PCs were used in a different lab or connected to the Internet, they may already have learned an IP address automatically from a different DHCP server. Clear that address with the ipconfig /release and ipconfig /renew commands.
Step 6: Verify the DHCP configuration.
You can verify the DHCP server configuration in several ways. Issue the ipconfig command on PC1 and PC2 to confirm that they have now received an IP address dynamically. You can then issue commands on the router for more information. The show ip dhcp binding command lists every DHCP address currently assigned. For example, the output below shows that the IP address 192.168.10.11 was assigned to the client whose client identifier is 0063.6973.636f.2d30.3031.632e.3537.6563.2e30.3634.302d.566c.31 (the Client-ID/Hardware address column spans several lines; this is a Cisco-style client identifier rather than a bare MAC address) and that the lease expires on September 14, 2007 at 7:33 PM.

R1#show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address        Client-ID/              Lease expiration        Type
                  Hardware address/
                  User name
192.168.10.11     0063.6973.636f.2d30.    Sep 14 2007 07:33 PM    Automatic
                  3031.632e.3537.6563.
                  2e30.3634.302d.566c.
                  31

The show ip dhcp pool command shows information about every DHCP pool currently configured on the router. In this output the pool R1Fa0 is configured, one address has been leased from it, and the next client to request an address will receive 192.168.10.12.

R2#show ip dhcp pool

Pool R1Fa0 :
 Utilization mark (high/low)    : 100 / 0
 Subnet size (first/next)       : 0 / 0
 Total addresses                : 254
 Leased addresses               : 1
 Pending event                  : none
 1 subnet is currently in the pool :
 Current index        IP address range                    Leased addresses
 192.168.10.12        192.168.10.1     - 192.168.10.254    1

The debug ip dhcp server events command can be extremely useful when troubleshooting DHCP leases with a Cisco IOS DHCP server. Below is the debug output on R1 after a host connects. Note the ASSIGNMENT lines, where DHCP informs the client of its address 192.168.10.12 and mask 255.255.255.0.

*Sep 13 21:04:18.072: DHCPD: Sending notification of DISCOVER:
*Sep 13 21:04:18.072: DHCPD: htype 1 chaddr 001c.57ec.0640
*Sep 13 21:04:18.072: DHCPD: remote id 020a0000c0a80b01010000000000
*Sep 13 21:04:18.072: DHCPD: circuit id 00000000
*Sep 13 21:04:18.072: DHCPD: Seeing if there is an internally specified pool class:
*Sep 13 21:04:18.072: DHCPD: htype 1 chaddr 001c.57ec.0640
*Sep 13 21:04:18.072: DHCPD: remote id 020a0000c0a80b01010000000000
*Sep 13 21:04:18.072: DHCPD: circuit id 00000000
*Sep 13 21:04:18.072: DHCPD: there is no address pool for 192.168.11.1.
*Sep 13 21:04:18.072: DHCPD: Sending notification of DISCOVER:
R1#
*Sep 13 21:04:18.072: DHCPD: htype 1 chaddr 001c.57ec.0640
*Sep 13 21:04:18.072: DHCPD: remote id 020a0000c0a80a01000000000000
*Sep 13 21:04:18.072: DHCPD: circuit id 00000000
*Sep 13 21:04:18.072: DHCPD: Seeing if there is an internally specified pool class:
*Sep 13 21:04:18.072: DHCPD: htype 1 chaddr 001c.57ec.0640
*Sep 13 21:04:18.072: DHCPD: remote id 020a0000c0a80a01000000000000
*Sep 13 21:04:18.072: DHCPD: circuit id 00000000
R1#
*Sep 13 21:04:20.072: DHCPD: Adding binding to radix tree (192.168.10.12)
*Sep 13 21:04:20.072: DHCPD: Adding binding to hash tree
*Sep 13 21:04:20.072: DHCPD: assigned IP address 192.168.10.12 to client 0063.6973.636f.2d30.3031.632e.3537.6563.2e30.3634.302d.566c.31.
*Sep 13 21:04:20.072: DHCPD: Sending notification of ASSIGNMENT:
*Sep 13 21:04:20.072: DHCPD: address 192.168.10.12 mask 255.255.255.0
*Sep 13 21:04:20.072: DHCPD: htype 1 chaddr 001c.57ec.0640
*Sep 13 21:04:20.072: DHCPD: lease time remaining (secs) = 86400
*Sep 13 21:04:20.076: DHCPD: Sending notification of ASSIGNMENT:
*Sep 13 21:04:20.076: DHCPD: address 192.168.10.12 mask 255.255.255.0
R1#
*Sep 13 21:04:20.076: DHCPD: htype 1 chaddr 001c.57ec.0640
*Sep 13 21:04:20.076:
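The line "there is no address pool for 192.168.11.1" in the debug above is the server's pool lookup failing for a relayed request. With ip helper-address, the relay turns the client's broadcast into a unicast to 10.1.1.2 and fills the giaddr field with the address of the interface the broadcast arrived on; the server then chooses the pool whose subnet contains giaddr and hands out the next free address from it. The following added example (not lab code) models that selection and allocation, which is what produced 192.168.10.11 and 192.168.10.12 above. The pool R1Fa0 with 192.168.10.1 through .10 excluded, and the absence of any pool for 192.168.11.0/24, are assumptions made for the demo; the DhcpServer class is this example's own.

```python
from ipaddress import IPv4Address, IPv4Network


class DhcpServer:
    def __init__(self):
        self.pools = {}            # name -> {"net", "excluded", "bindings": {address: client-id}}

    def add_pool(self, name, network, excluded=()):
        """'ip dhcp pool NAME' with 'network' and 'ip dhcp excluded-address' entries."""
        self.pools[name] = {"net": IPv4Network(network),
                            "excluded": {IPv4Address(a) for a in excluded}, "bindings": {}}

    def select_pool(self, giaddr):
        """Relayed request: the pool whose subnet contains giaddr, or None (the debug's
        'no address pool for ...'). giaddr 0.0.0.0 would mean a directly connected client."""
        gi = IPv4Address(giaddr)
        return next((n for n, p in self.pools.items() if gi in p["net"]), None)

    def discover(self, client_id, giaddr):
        """Return (pool, offered address): (None, None) when no pool covers giaddr,
        (pool, None) when the pool is exhausted. A known client gets its existing lease back."""
        name = self.select_pool(giaddr)
        if name is None:
            return None, None
        pool = self.pools[name]
        for addr, cid in pool["bindings"].items():
            if cid == client_id:
                return name, addr
        for addr in pool["net"].hosts():                      # lowest free, non-excluded host
            if addr not in pool["excluded"] and addr not in pool["bindings"]:
                pool["bindings"][addr] = client_id
                return name, addr
        return name, None

    def show_binding(self):
        """One line per lease, in the spirit of 'show ip dhcp binding'."""
        return [f"{addr}  {cid}  Automatic"
                for p in self.pools.values() for addr, cid in p["bindings"].items()]


def lab_server():
    """R2 as assumed for this demo: only pool R1Fa0, with .1-.10 reserved for infrastructure."""
    srv = DhcpServer()
    srv.add_pool("R1Fa0", "192.168.10.0/24", excluded=[f"192.168.10.{i}" for i in range(1, 11)])
    return srv


if __name__ == "__main__":
    srv = lab_server()
    print(srv.discover("0063.6973.636f.2d30", "192.168.10.1"))   # ('R1Fa0', IPv4Address('192.168.10.11'))
    print(srv.discover("001c.57ec.0640", "192.168.10.1"))        # ('R1Fa0', IPv4Address('192.168.10.12'))
    print(srv.discover("001c.57ec.0640", "192.168.11.1"))        # (None, None): nothing covers 192.168.11.0/24
```

Because pool selection keys on giaddr, a helper address on Fa0/1 only works once the server also has a pool whose network contains 192.168.11.1; the relay alone does not make the server answer.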
Etapa 1: Definir um conjunto de endereos globais. Crie um conjunto de endereos para os quais os endereos de origem correspondentes so traduzidos. O comando a seguir cria um conjunto chamado MY-NAT-POOL que traduz endereos comparados em um endereo IP disponvel no intervalo 209.165.200.241 a 209.165.200.246. R2(config)#ip nat pool MY-NAT-POOL 209.165.200.241 209.165.200.246 netmask 255.255.255.248 Etapa 2: Criar uma lista de controle de acesso estendida para identificar quais endereos so traduzidos. R2(config)#ip access-list extended NAT R2(config-ext-nacl)#permit ip 192.168.10.0 0.0.0.255 any R2(config-ext-nacl)#permit ip 192.168.11.0 0.0.0.255 any Etapa 3: Estabelecer traduo da origem dinmica, vinculando o conjunto lista de controle de acesso. Um roteador pode ter mais de um conjunto NAT e mais de uma ACL. O comando a seguir informa ao roteador qual conjunto de endereos ele dever usar para traduzir os hosts permitidos pela ACL. R2(config)#ip nat inside source list NAT pool MY-NAT-POOL Etapa 4: Especificar interfaces NAT internas e externas. Voc j especificou as interfaces interna e externa para sua configurao de NAT esttico. Agora adicione a interface serial vinculada a R1 como uma interface interior. R2(config)#interface serial 0/0/0 R2(config-if)#ip nat inside Etapa 5: Verificar a configurao. Ping ISP entre PC1 ou a interface Fast Ethernet em R1 usando ping estendido. Em seguida, use os comandos show ip nat translations e show ip nat statistics no R2 para verificar o NAT. R2#show ip nat translations Pro Inside global Inside local icmp 209.165.200.241:4 192.168.10.1:4 --- 209.165.200.241 192.168.10.1 --- 209.165.200.254 192.168.20.254 Outside local 209.165.200.226:4 ----Outside global 209.165.200.226:4 -----
R2#show ip nat statistics
Total active translations: 2 (1 static, 1 dynamic; 0 extended)
Outside interfaces:
  Serial0/0/1
Inside interfaces:
  Serial0/0/0, Loopback0
Hits: 23  Misses: 3
CEF Translated packets: 18, CEF Punted packets: 0
Expired translations: 3
Dynamic mappings:
-- Inside Source
[Id: 1] access-list NAT pool MY-NAT-POOL refcount 1
 pool MY-NAT-POOL: netmask 255.255.255.248
        start 209.165.200.241 end 209.165.200.246
        type generic, total addresses 6, allocated 1 (16%), misses 0
Queued Packets: 0
To identify and troubleshoot problems with NAT, you can use the debug ip nat command. Enable NAT debugging and repeat the ping from PC1.

R2#debug ip nat
IP NAT debugging is on
R2#
*Sep 13 21:15:02.215: NAT*: s=192.168.10.11->209.165.200.241, d=209.165.200.226 [25]
*Sep 13 21:15:02.231: NAT*: s=209.165.200.226, d=209.165.200.241->192.168.10.11 [25]
*Sep 13 21:15:02.247: NAT*: s=192.168.10.11->209.165.200.241, d=209.165.200.226 [26]
*Sep 13 21:15:02.263: NAT*: s=209.165.200.226, d=209.165.200.241->192.168.10.11 [26]
*Sep 13 21:15:02.275: NAT*: s=192.168.10.11->209.165.200.241, d=209.165.200.226 [27]
*Sep 13 21:15:02.291: NAT*: s=209.165.200.226, d=209.165.200.241->192.168.10.11 [27]
*Sep 13 21:15:02.307: NAT*: s=192.168.10.11->209.165.200.241, d=209.165.200.226 [28]
*Sep 13 21:15:02.323: NAT*: s=209.165.200.226, d=209.165.200.241->192.168.10.11 [28]
*Sep 13 21:15:02.335: NAT*: s=192.168.10.11->209.165.200.241, d=209.165.200.226 [29]
*Sep 13 21:15:02.351: NAT*: s=209.165.200.226, d=209.165.200.241->192.168.10.11 [29]
R2#
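The debug output is easier to use once it is turned back into the translation table it describes. The following Python script is an added example, not part of the original lab: it parses debug ip nat lines of the form shown above, rebuilds the inside-local to inside-global mapping, and lists packet IDs whose outbound translation never saw a matching return packet, which is the first thing to look at when a ping through NAT times out. The sample lines are a constructed copy of the lab's output with one extra outbound packet (id 28) that has no reply, added to show the failure case; parse_line, translation_table and unanswered are names chosen here.

```python
import re
from collections import defaultdict

# Constructed sample: debug ip nat lines as printed by R2, with the last
# outbound packet (id 28) deliberately left without its return packet.
DEBUG_LINES = """\
*Sep 13 21:15:02.215: NAT*: s=192.168.10.11->209.165.200.241, d=209.165.200.226 [25]
*Sep 13 21:15:02.231: NAT*: s=209.165.200.226, d=209.165.200.241->192.168.10.11 [25]
*Sep 13 21:15:02.247: NAT*: s=192.168.10.11->209.165.200.241, d=209.165.200.226 [26]
*Sep 13 21:15:02.263: NAT*: s=209.165.200.226, d=209.165.200.241->192.168.10.11 [26]
*Sep 13 21:15:02.275: NAT*: s=192.168.10.11->209.165.200.241, d=209.165.200.226 [27]
*Sep 13 21:15:02.291: NAT*: s=209.165.200.226, d=209.165.200.241->192.168.10.11 [27]
*Sep 13 21:15:02.307: NAT*: s=192.168.10.11->209.165.200.241, d=209.165.200.226 [28]
""".splitlines()

# 'NAT:' is process-switched, 'NAT*:' is fast/CEF-switched; both carry the same fields.
LINE_RE = re.compile(
    r"NAT\*?: s=(?P<src>[\d.]+)(?:->(?P<src_x>[\d.]+))?, "
    r"d=(?P<dst>[\d.]+)(?:->(?P<dst_x>[\d.]+))? \[(?P<id>\d+)\]"
)


def parse_line(line):
    """Return (direction, inside_local, inside_global, outside, packet_id) or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    pkt_id = int(g["id"])
    if g["src_x"]:
        # Source rewritten: packet travelling inside -> outside
        return ("out", g["src"], g["src_x"], g["dst"], pkt_id)
    if g["dst_x"]:
        # Destination rewritten: return packet travelling outside -> inside
        return ("in", g["dst_x"], g["dst"], g["src"], pkt_id)
    return None


def translation_table(lines):
    """Rebuild the inside-local -> {inside-global} mapping seen in the debug output."""
    table = {}
    for line in lines:
        rec = parse_line(line)
        if rec:
            _, local, glob, _, _ = rec
            table.setdefault(local, set()).add(glob)
    return table


def unanswered(lines):
    """Packet IDs with an outbound translation but no return packet (sorted)."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec:
            seen[rec[4]].add(rec[0])
    return sorted(pkt_id for pkt_id, dirs in seen.items() if dirs == {"out"})


if __name__ == "__main__":
    print(translation_table(DEBUG_LINES))
    print("unanswered ids:", unanswered(DEBUG_LINES))
```

An empty translation table means the packets never matched the NAT ACL or inside/outside interfaces; a non-empty table with unanswered IDs points at the return path (ISP routing to the pool, or an outside ACL) rather than at NAT itself.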
Step 3: Verify the configuration.
Ping ISP from PC1, or from the Fast Ethernet interface on R1 using extended ping. Then use the show ip nat translations and show ip nat statistics commands on R2 to verify NAT.

R2#show ip nat translations
Pro  Inside global          Inside local         Outside local          Outside global
icmp 209.165.200.225:6     192.168.10.11:6      209.165.200.226:6      209.165.200.226:6
---  209.165.200.254        192.168.20.254       ---                    ---

R2#show ip nat statistics
Total active translations: 2 (1 static, 1 dynamic; 1 extended)
Outside interfaces:
  Serial0/0/1
Inside interfaces:
  Serial0/0/0, Loopback0
Hits: 48  Misses: 6
CEF Translated packets: 46, CEF Punted packets: 0
Expired translations: 5
Dynamic mappings:
-- Inside Source
[Id: 2] access-list NAT interface Serial0/0/1 refcount 1
Queued Packets: 0

Note: in the previous task, you could have added the overload keyword to the ip nat inside source list NAT pool MY-NAT-POOL command to allow more than six simultaneous users.
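To see why that note matters, the following Python model, an added example that is not from the lab, simulates the ip nat inside source list NAT pool MY-NAT-POOL mapping with and without overload: the ACL match (192.168.10.0/24 and 192.168.11.0/24 permitted, everything else left untranslated), one-to-one allocation from the six-address pool, and port-level multiplexing on a single pool address once overload is set. It assumes that rewritten ports are handed out from 1024 and that overload uses the first pool address; real IOS port selection differs in detail. The traffic (seven LAN hosts all pinging with ICMP id 4, plus R1's serial address 10.1.1.1) is constructed.

```python
import ipaddress
from itertools import count

# 'ip access-list extended NAT' from the lab: two permits, implicit deny for the rest.
NAT_ACL = [ipaddress.ip_network("192.168.10.0/24"),
           ipaddress.ip_network("192.168.11.0/24")]

# MY-NAT-POOL 209.165.200.241 - 209.165.200.246: six inside-global addresses.
POOL = [str(ipaddress.ip_address("209.165.200.241") + i) for i in range(6)]


def acl_permits(src_ip):
    """True when the packet's source matches a permit entry of the NAT ACL."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in NAT_ACL)


class DynamicNat:
    """Model of 'ip nat inside source list NAT pool MY-NAT-POOL [overload]' on R2."""

    def __init__(self, pool, overload=False):
        self.pool = list(pool)
        self.overload = overload
        self.addr_map = {}            # inside local -> inside global (one address per host)
        self.pat_map = {}             # (inside global, port) -> (inside local, port)
        self.next_port = count(1024)  # assumption: rewritten ports are handed out from 1024

    def translate(self, src_ip, src_port):
        """('translated', global_ip, port) | ('untranslated', ip, port) | ('dropped', None, None)."""
        if not acl_permits(src_ip):
            # Not matched by the ACL: the packet leaves R2 with its real source address.
            return ("untranslated", src_ip, src_port)
        if self.overload:
            return self._pat(src_ip, src_port)
        if src_ip not in self.addr_map:
            used = set(self.addr_map.values())
            free = [a for a in self.pool if a not in used]
            if not free:
                # Pool exhausted: IOS drops the packet and counts a miss.
                return ("dropped", None, None)
            self.addr_map[src_ip] = free[0]
        return ("translated", self.addr_map[src_ip], src_port)

    def _pat(self, src_ip, src_port):
        """Port Address Translation: every inside host shares one global address."""
        global_ip = self.pool[0]      # assumption: overload uses the first pool address
        for (g_ip, g_port), owner in self.pat_map.items():
            if owner == (src_ip, src_port):
                return ("translated", g_ip, g_port)   # existing entry reused
        g_port = src_port             # original port kept when nobody else holds it
        while (global_ip, g_port) in self.pat_map:
            g_port = next(self.next_port)             # collision: pick a fresh port
        self.pat_map[(global_ip, g_port)] = (src_ip, src_port)
        return ("translated", global_ip, g_port)


def simulate(overload, flows):
    """Run (source ip, source port) pairs through a fresh NAT; return one result per flow."""
    nat = DynamicNat(POOL, overload=overload)
    return [nat.translate(ip, port) for ip, port in flows]


# Constructed traffic: seven LAN hosts each pinging with ICMP id 4, plus R1's
# serial address 10.1.1.1, which the NAT ACL does not match.
FLOWS = [(f"192.168.10.{h}", 4) for h in range(11, 18)] + [("10.1.1.1", 4)]

if __name__ == "__main__":
    for overload in (False, True):
        print(f"overload={overload}")
        for flow, result in zip(FLOWS, simulate(overload, FLOWS)):
            print(f"  {flow[0]}:{flow[1]} -> {result}")
```

Without overload the seventh host is dropped once the six pool addresses are allocated, which is what the misses counter in show ip nat statistics records; with overload all seven share 209.165.200.241 and the colliding ICMP ids are rewritten, so the only practical limit is the port space.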
!
router ospf 1
 network 10.1.1.0 0.0.0.3 area 0
 network 192.168.10.0 0.0.0.255 area 0
 network 192.168.11.0 0.0.0.255 area 0
!
banner motd ^C
***********************************
!!!AUTHORIZED ACCESS ONLY!!!
***********************************
^C
!
line con 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
line aux 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
line vty 0 4
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
!
end

R2#show run
!
hostname R2
!
enable secret class
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.10.1 192.168.10.10
ip dhcp excluded-address 192.168.11.1 192.168.11.10
!
ip dhcp pool R1Fa0
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 192.168.11.5
!
ip dhcp pool R1Fa1
 network 192.168.11.0 255.255.255.0
 dns-server 192.168.11.5
 default-router 192.168.11.1
!
no ip domain lookup
!
interface Loopback0
 ip address 192.168.20.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Serial0/0/0
 ip address 10.1.1.2 255.255.255.252
 ip nat inside
 ip virtual-reassembly
!
interface Serial0/0/1
 ip address 209.165.200.225 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 clock rate 125000
!
router ospf 1
 network 10.1.1.0 0.0.0.3 area 0
 network 192.168.20.0 0.0.0.255 area 0
 default-information originate
!
ip route 0.0.0.0 0.0.0.0 209.165.200.226
!
no ip http server
no ip http secure-server
ip nat inside source list NAT interface Serial0/0/1 overload
ip nat inside source static 192.168.20.254 209.165.200.254
!
ip access-list extended NAT
 permit ip 192.168.10.0 0.0.0.255 any
 permit ip 192.168.11.0 0.0.0.255 any
!
banner motd ^C
***********************************
!!!AUTHORIZED ACCESS ONLY!!!
***********************************
^C
!
line con 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
line aux 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
line vty 0 4
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
!
end
ISP#show run
<output omitted>
!
hostname ISP
!
enable secret class
!
no ip domain lookup
!
interface Serial0/0/1
 ip address 209.165.200.226 255.255.255.252
 no shutdown
!
ip route 209.165.200.240 255.255.255.240 Serial0/0/1
!
banner motd ^C
***********************************
!!!AUTHORIZED ACCESS ONLY!!!
***********************************
^C
!
line con 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
line aux 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
line vty 0 4
 password cisco
 logging synchronous
 login
!
end
Addressing Table

Device  Interface  IP Address      Subnet Mask
R1      S0/0/0     172.16.0.1      255.255.255.252
R1      Fa0/0      172.16.10.1     255.255.255.0
R1      Fa0/1      172.16.11.1     255.255.255.0
R2      S0/0/0     172.16.0.2      255.255.255.252
R2      S0/0/1     209.165.201.1   255.255.255.252
R2      Fa0/0      172.16.20.1     255.255.255.0
ISP     S0/0/1     209.165.201.2   255.255.255.252
Learning Objectives

After completing this lab, you will be able to:
Prepare the network.
Perform basic router configurations.
Configure a Cisco IOS DHCP server.
Configure static and default routing.
Configure static NAT.
Scenario

In this lab, configure IP addressing services using the network shown in the topology diagram. If you need assistance, refer to the Basic DHCP and NAT Configuration lab. However, try to do as much as possible on your own.
Note: instead of attaching a server to R2, you can configure a loopback interface on R2 with the IP address 172.16.20.254/24. If you do, you will not need to configure the Fast Ethernet interface.
Step 3: Configure a helper address.
Configure helper addresses so that broadcasts from DHCP clients are forwarded to the DHCP server.
Step 4: Verify the DHCP configuration.

Task 8: Clean Up

Erase the configurations and reload the routers. Disconnect and store the cabling. For PC hosts that are normally connected to other networks (such as the school LAN or the Internet), reconnect the appropriate cabling and restore the TCP/IP settings.
Addressing Table

Device  Interface  IP Address      Subnet Mask
R1      S0/0/0     172.16.0.1      255.255.255.252
R1      Fa0/0      172.16.10.1     255.255.255.0
R1      Fa0/1      172.16.11.1     255.255.255.0
R2      S0/0/0     172.16.0.2      255.255.255.252
R2      S0/0/1     209.165.201.1   255.255.255.252
R2      Fa0/0      172.16.20.1     255.255.255.0
ISP     S0/0/1     209.165.201.2   255.255.255.252

Learning Objectives

After completing this lab, you will be able to:
Prepare the network.
Load the routers with scripts.
Find and correct all network errors.
Document the corrected network.
Scenario

The routers R1 and R2 at your company were configured by an inexperienced network engineer. Several errors in the configuration have resulted in connectivity problems. Your boss has asked you to troubleshoot and correct the configuration errors and to document your work. Using your knowledge of DHCP, NAT and standard testing methods, find and correct the errors. Make sure that all clients have full connectivity. The ISP has been configured correctly. Ensure that the network supports the following:
1. Router R2 must act as the DHCP server for the 172.16.10.0/24 and 172.16.11.0/24 networks connected to R1.
2. All PCs connected to R1 must receive an IP address in the correct network via DHCP.
3. Traffic from the R1 LANs that enters R2 on the Serial 0/0/0 interface and leaves R2 on the Serial 0/0/1 interface must receive NAT translation using a pool of addresses provided by the ISP.
4. The internal server must be reachable from outside the networks using the IP address 209.165.201.30 and from inside the networks using the address 172.16.20.254.
!
line con 0
 password cisco
 logging synchronous
 login
line vty 0 4
 password cisco
 logging synchronous
 login
!
end

R2
hostname R2
!
enable secret class
!
ip dhcp excluded-address 172.16.10.1 172.16.10.3
ip dhcp excluded-address 172.16.11.1 172.16.11.3
!
ip dhcp pool R1_LAN10
 network 172.16.10.0 255.255.255.0
 dns-server 172.16.20.254
!
ip dhcp pool R1_LAN11
 network 172.16.11.0 255.255.255.0
 dns-server 172.16.20.254
!
no ip domain lookup
!
interface FastEthernet0/0
 ip address 172.16.20.1 255.255.255.0
 ip nat inside
 no shutdown
!
interface Serial0/0/0
 ip address 172.16.0.2 255.255.255.252
 no shutdown
!
interface Serial0/0/1
 ip address 209.165.201.1 255.255.255.252
 ip nat outside
 clock rate 125000
 no shutdown
!
router rip
 version 2
 network 172.16.0.0
 default-information originate
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 209.165.201.2
!
ip nat pool NAT_POOL 209.165.201.9 209.165.201.14 netmask 255.255.255.248
ip nat inside source list NAT_ACL pool NATPOOL overload
!
ip access-list standard NAT_ACL
 permit 172.16.10.0 0.0.0.255
!
banner motd $AUTHORIZED ACCESS ONLY$
!
line con 0
 password cisco
 logging synchronous
 login
line vty 0 4
 password cisco
 logging synchronous
 login
!
end

ISP
hostname ISP
!
enable secret class
!
interface Serial0/0/1
 ip address 209.165.201.2 255.255.255.252
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 Serial0/0/1
!
banner motd $AUTHORIZED ACCESS ONLY$
!
line con 0
 password cisco
 logging synchronous
 login
line vty 0 4
 password cisco
 logging synchronous
 login
!
end
Test pings from ISP and R1 should not receive NAT translation, as shown by show ip nat translations or debug ip nat on R2.

Task 4: Clean Up

Erase the configurations and reload the routers. Disconnect and store the cabling. For PC hosts that are normally connected to other networks (such as the school LAN or the Internet), reconnect the appropriate cabling and restore the TCP/IP settings.
Learning Objectives

Build a network
Test a network
Break a network
Troubleshoot
Gather symptoms
Correct the problem
Document the problem and the solution

Scenario

In this activity, you and another student will build the network shown in the topology diagram. You will configure NAT, DHCP and OSPF and then verify connectivity. Once the network is fully working, one student will introduce several errors. The other student will then use troubleshooting techniques to isolate and resolve the problem. The students then swap roles and repeat the process. This activity can be done on real equipment or with Packet Tracer.
Task 9: Clean Up

Erase the configurations and reload the routers. Disconnect and store the cabling. For PC hosts that are normally connected to other networks (such as the school LAN or the Internet), reconnect the appropriate cabling and restore the TCP/IP settings.
Addressing Table

Device  Interface   IP Address        Subnet Mask       Default Gateway
R1      Fa0/0       192.168.10.1      255.255.255.0     N/A
R1      Fa0/1       192.168.11.1      255.255.255.0     N/A
R1      S0/0/0      10.1.1.1          255.255.255.252   N/A
R1      S0/0/1      10.3.3.1          255.255.255.252   N/A
R2      Fa0/1       192.168.20.1      255.255.255.0     N/A
R2      S0/0/0      10.1.1.2          255.255.255.252   N/A
R2      S0/0/1      10.2.2.1          255.255.255.252   N/A
R2      Lo0         209.165.200.225   255.255.255.224   209.165.200.226
R3      Fa0/1       N/A               N/A               N/A
R3      Fa0/1.11    192.168.11.3      255.255.255.0     N/A
R3      Fa0/1.30    192.168.30.1      255.255.255.0     N/A
R3      S0/0/0      10.3.3.2          255.255.255.252   N/A
R3      S0/0/1      10.2.2.2          255.255.255.252   N/A
S1      VLAN10      DHCP              255.255.255.0     N/A
S2      VLAN11      192.168.11.2      255.255.255.0     N/A
Learning Objectives

After completing this lab, you will be able to:
Cable a network according to the topology diagram
Erase the startup configuration and reload a router to the default state
Load the routers and switches with the supplied scripts
Find and correct all network errors
Document the corrected network

Scenario

You have been asked to correct the configuration errors in the company network. For this lab, do not use login or password protection on any console line, to prevent accidental lockout. Use ciscoccna for all passwords in this scenario.
Note: because this lab is cumulative, you will use all the knowledge and troubleshooting techniques you have acquired from the previous material to complete this lab successfully.

Requirements

S2 is the spanning tree root for VLAN 11, and S3 is the spanning tree root for VLAN 30.
S3 is a VTP server with S2 as a client.
The serial link between R1 and R2 is Frame Relay. Make sure that all routers can ping their Frame Relay interfaces.
The serial link between R2 and R3 uses HDLC encapsulation.
The serial link between R1 and R3 uses PPP.
The serial link between R1 and R3 is authenticated using CHAP.
R2 must have secure login procedures, because it is the Internet edge router.
All vty lines, except those belonging to R2, only allow connections from the subnets shown in the topology diagram, excluding the public address.
Hint:
R2# telnet 10.1.1.1 /source-interface loopback 0
Trying 10.1.1.1 ...
% Connection refused by remote host
Source IP address spoofing must be prevented on all links that do not connect to other routers.
The routing protocols must be secured. All RIP routers must use MD5 authentication.
R3 must not be able to telnet to R2 through the directly connected serial link.
R3 has access to VLANs 11 and 30 through the Fast Ethernet 0/0 port.
The TFTP server must not receive any traffic whose source address is outside its subnet. All devices have access to the TFTP server.
All devices on the 192.168.10.0 subnet must be able to obtain their IP addresses from DHCP on R1. This includes S1.
R1 must be accessible via SDM.
All addresses shown in the diagram must be reachable from every device.
 frame-relay map ip 10.1.1.2 201 broadcast
 no frame-relay inverse-arp
 no shutdown
!
interface Serial0/0/1
 ip address 10.3.3.1 255.255.255.252
 ip rip authentication mode md5
 ip rip authentication key-chain RIP_KEY
 encapsulation ppp
 ppp authentication chap
 no shutdown
!
router rip
 version 2
 passive-interface default
 network 192.168.10.0
 network 192.168.11.0
 no auto-summary
!
ip classless
!
no ip http server
!
ip access-list standard Anti-spoofing
 permit 192.168.10.0 0.0.0.255
 deny any
ip access-list standard VTY
 permit 10.0.0.0 0.255.255.255
 permit 192.168.10.0 0.0.0.255
 permit 192.168.11.0 0.0.0.255
 permit 192.168.20.0 0.0.0.255
 permit 192.168.30.0 0.0.0.255
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 access-class VTY in
 login local
!
end

!-----------------------------------------
! R2
!-----------------------------------------
no service password-encryption
!
hostname R2
!
security passwords min-length 6
enable secret ciscoccna
!
aaa new-model
!
aaa authentication login LOCAL_AUTH local
aaa session-id common
!
ip cef
!
no ip domain lookup
!
key chain RIP_KEY
 key 1
  key-string cisco
username ccna password 0 ciscoccna
!
interface Loopback0
 description Simulated ISP Connection
 ip address 209.165.200.245 255.255.255.224
!
interface FastEthernet0/0
 ip address 192.168.20.1 255.255.255.0
 ip access-group TFTP out
 ip access-group Anti-spoofing in
 ip nat outside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 10.1.1.2 255.255.255.0
 ip nat inside
 encapsulation frame-relay
 no keepalive
 frame-relay map ip 10.1.1.1 201 broadcast
 no frame-relay inverse-arp
!
interface Serial0/0/1
 ip address 10.2.2.1 255.255.255.0
 ip access-group R3-telnet in
 ip nat inside
 ip rip authentication mode md5
 ip rip authentication key-chain RIP_KEY
 clockrate 128000
!
router rip
 version 2
 passive-interface default
 no passive-interface Serial0/0/0
 no passive-interface Serial0/0/1
 network 10.0.0.0
 network 192.168.20.0
 default-information originate
 no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 209.165.200.226
!
no ip http server
ip nat inside source list NAT interface FastEthernet0/0 overload
!
ip access-list standard Anti-spoofing
 permit 192.168.20.0 0.0.0.255
 deny any
ip access-list standard NAT
 permit 10.0.0.0 0.255.255.255
 permit 192.168.0.0 0.0.255.255
!
ip access-list extended R3-telnet
 deny tcp host 10.2.2.2 host 10.2.2.1 eq telnet
 deny tcp host 10.3.3.2 host 10.2.2.1 eq telnet
 deny tcp host 192.168.11.3 host 10.2.2.1 eq telnet
 deny tcp host 192.168.30.1 host 10.2.2.1 eq telnet
 permit ip any any
!
ip access-list standard TFTP
 permit 192.168.20.0 0.0.0.255
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
 exec-timeout 15 0
 logging synchronous
 login authentication local_auth
 transport output telnet
line vty 0 4
 exec-timeout 15 0
 logging synchronous
 login authentication local_auth
 transport input telnet
!
end

!-----------------------------------------
! R3
!-----------------------------------------
no service password-encryption
!
hostname R3
!
security passwords min-length 6
enable secret ciscoccna
!
no aaa new-model
!
ip cef
!
no ip domain lookup
!
key chain RIP_KEY
 key 1
  key-string cisco
username R1 password 0 ciscoccna
username ccna password 0 ciscoccna
!
interface FastEthernet0/1
 no shutdown
!
interface FastEthernet0/1.11
 encapsulation dot1Q 11
 ip address 192.168.11.3 255.255.255.0
 no snmp trap link-status
!
interface FastEthernet0/1.30
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
 ip access-group Anti-spoofing in
 no snmp trap link-status
!
interface Serial0/0/0
 ip address 10.3.3.2 255.255.255.252
 encapsulation ppp
 clockrate 125000
 ppp authentication chap
!
interface Serial0/0/1
 ip address 10.2.2.2 255.255.255.252
!
router rip
 version 2
 passive-interface default
 no passive-interface FastEthernet0/0.11
 no passive-interface FastEthernet0/0.30
 no passive-interface Serial0/0/0
 no passive-interface Serial0/0/1
 network 10.0.0.0
 network 192.168.11.0
 network 192.168.30.0
 no auto-summary
!
ip classless
!
ip http server
!
ip access-list standard Anti-spoofing
 permit 192.168.30.0 0.0.0.255
 deny any
ip access-list standard VTY
 permit 10.0.0.0 0.255.255.255
 permit 192.168.10.0 0.0.0.255
 permit 192.168.11.0 0.0.0.255
 permit 192.168.20.0 0.0.0.255
 permit 192.168.30.0 0.0.0.255
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
 exec-timeout 15 0
 logging synchronous
line vty 0 4
 access-class VTY in
 exec-timeout 15 0
 logging synchronous
 login local
!
end

!----------------------------------------
! S1
!----------------------------------------
no service password-encryption
!
hostname S1
!
security passwords min-length 6
enable secret ciscoccna
!
no aaa new-model
vtp domain CCNA_Troubleshooting
vtp mode transparent
vtp password ciscoccna
ip subnet-zero
!
no ip domain-lookup
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 10
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 10
 switchport mode access
!
interface range FastEthernet0/3-24
!
interface GigabitEthernet0/1
 shutdown
!
interface GigabitEthernet0/2
 shutdown
!
interface Vlan1
 no ip address
 no ip route-cache
!
interface Vlan10
 ip address dhcp
 no ip route-cache
!
ip default-gateway 192.168.10.1
ip http server
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line vty 0 4
 password ciscoccna
 login
line vty 5 15
 no login
!
end

!----------------------------------------
! S2
!----------------------------------------
no service password-encryption
!
hostname S2
!
security passwords min-length 6
enable secret ciscoccna
!
no aaa new-model
vtp domain CCNA_Troubleshooting
vtp mode transparent
vtp password ciscoccna
ip subnet-zero
!
no ip domain-lookup
!
no file verify auto
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 11 priority 24576
spanning-tree vlan 30 priority 28672
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
 switchport access vlan 11
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 11
 switchport mode access
!
interface FastEthernet0/3
 switchport trunk native vlan 99
 switchport trunk allowed vlan 11,30
 switchport mode trunk
!
interface FastEthernet0/4
 switchport trunk native vlan 99
 switchport trunk allowed vlan 11,30
 switchport mode trunk
!
interface range FastEthernet0/5-24
 shutdown
!
interface GigabitEthernet0/1
 shutdown
!
interface GigabitEthernet0/2
 shutdown
!
interface Vlan1
 no ip address
 no ip route-cache
!
interface Vlan11
 ip address 192.168.11.2 255.255.255.0
 no ip route-cache
!
ip http server
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line vty 0 4
 password ciscoccna
 login
line vty 5 15
 no login
!
end

!----------------------------------------
! S3
!----------------------------------------
no service password-encryption
!
hostname S3
!
security passwords min-length 6
enable secret ciscoccna
!
no aaa new-model
vtp domain CCNA_troubleshooting
vtp mode server
vtp password ciscoccna
ip subnet-zero
!
no ip domain-lookup
!
no file verify auto
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 11 priority 28672
spanning-tree vlan 30 priority 24576
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
 switchport trunk allowed vlan 30
 switchport mode trunk
!
interface FastEthernet0/2
 switchport access vlan 30
 switchport mode access
!
interface FastEthernet0/3
 switchport trunk native vlan 99
 switchport trunk allowed vlan 11,30
 switchport mode trunk
!
interface FastEthernet0/4
 switchport trunk native vlan 99
 switchport trunk allowed vlan 11,30
 switchport mode trunk
!
interface range FastEthernet0/5-24
 shutdown
!
interface GigabitEthernet0/1
 shutdown
!
interface GigabitEthernet0/2
 shutdown
!
interface Vlan1
 no ip address
 no ip route-cache
!
interface Vlan30
 ip address 192.168.30.2 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.30.1
ip http server
!
control-plane
!
line con 0
 exec-timeout 5 0
 logging synchronous
line vty 0 4
 password ciscoccna
 login
line vty 5 15
 no login
!
end
Task 2: Find and correct all network errors
Task 3: Verify that the requirements have been fully met
Task 4: Document the corrected network
Task 5: Clean Up

Erase the configurations and reload the routers. Disconnect and store the cabling. For PCs that are normally connected to other networks (such as the school LAN or the Internet), reconnect the appropriate cabling and restore the TCP/IP settings.
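Three of the requirements for this lab (anti-spoofing on the edge links, vty access restricted to the internal subnets, and R3 blocked from telnetting to R2 over the directly connected serial link) are implemented entirely with the standard and extended ACLs in the R1, R2 and R3 scripts above. The following Python evaluator is an added example, not part of the lab: it parses IOS ACL syntax as it appears in those scripts (any, host, address plus wildcard mask, eq telnet) and applies first-match semantics with the implicit deny at the end of every list. The ACL texts are copied from the scripts; R3_TELNET_NO_PERMIT is the same list with the trailing permit ip any any removed, the check a practitioner wants to make because without it the list bound inbound on R2's Serial0/0/1 drops every packet from R3, not just telnet. Acl, evaluate and the helper names are chosen here.

```python
import ipaddress

PORTS = {"telnet": 23, "ssh": 22, "tftp": 69, "www": 80}   # IOS port keywords used here


def _ip(s):
    return int(ipaddress.ip_address(s))


def _is_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def _parse_addr(tokens, i):
    """Parse an IOS address spec at tokens[i]; return ((address, wildcard), next index)."""
    t = tokens[i]
    if t == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    if i + 1 < len(tokens) and _is_ip(tokens[i + 1]):
        return (_ip(t), _ip(tokens[i + 1])), i + 2      # address + wildcard mask
    return (_ip(t), 0), i + 1                           # bare address = single host


def _matches(spec, ip):
    """Wildcard match: bits set in the wildcard are 'don't care'."""
    addr, wild = spec
    return ((_ip(ip) ^ addr) & (~wild & 0xFFFFFFFF)) == 0


class Acl:
    """A named IOS ACL with first-match evaluation and the implicit deny at the end."""

    def __init__(self, text):
        lines = [l.strip() for l in text.strip().splitlines() if l.strip()]
        _, _, self.kind, self.name = lines[0].split()[:4]   # ip access-list <kind> <name>
        self.entries = [self._parse(l) for l in lines[1:]]

    def _parse(self, line):
        t = line.split()
        permit = t[0] == "permit"
        if self.kind == "standard":                 # standard ACLs match source only
            src, _ = _parse_addr(t, 1)
            return permit, "ip", src, (0, 0xFFFFFFFF), None
        proto = t[1]
        src, i = _parse_addr(t, 2)
        dst, i = _parse_addr(t, i)
        dport = None
        if i + 1 < len(t) and t[i] == "eq":
            dport = PORTS.get(t[i + 1]) or int(t[i + 1])
        return permit, proto, src, dst, dport

    def evaluate(self, src, dst="0.0.0.0", proto="ip", dport=None):
        """True if the packet is permitted, False if denied (explicitly or implicitly)."""
        for permit, p, s, d, port in self.entries:
            if p != "ip" and p != proto:
                continue
            if not _matches(s, src) or not _matches(d, dst):
                continue
            if port is not None and port != dport:
                continue
            return permit
        return False   # implicit deny


# ACL texts copied from the lab scripts (R3-telnet and Anti-spoofing from R2, VTY from R1).
R3_TELNET = """\
ip access-list extended R3-telnet
 deny tcp host 10.2.2.2 host 10.2.2.1 eq telnet
 deny tcp host 10.3.3.2 host 10.2.2.1 eq telnet
 deny tcp host 192.168.11.3 host 10.2.2.1 eq telnet
 deny tcp host 192.168.30.1 host 10.2.2.1 eq telnet
 permit ip any any"""

# Same list without the final permit: the implicit deny then drops everything.
R3_TELNET_NO_PERMIT = R3_TELNET.rs

Ihave omitted nothing here; the constant continues on the next line.
```

(Continued below; the two statements are split only by the page width.)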
All contents are Copyright 19922009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Pgina 12 de 12
Tabela de endereamento
Dispositivo Interface Fa0/0 Fa0/1 S0/0/0 S0/0/1 Fa0/1 S0/0/0 S0/0/1 Lo0 Fa0/1 Fa0/1.11 Fa0/1.30 S0/0/0 S0/0/1 VLAN10 VLAN11 VLAN30 Placa de rede Endereo IP 192.168.10.1 192.168.11.1 10.1.1.1 10.3.3.1 192.168.20.1 10.1.1.2 10.2.2.1 209.165.200.225 N/A 192.168.11.3 192.168.30.1 10.3.3.2 10.2.2.2 DHCP 192.168.11.2 192.168.30.2 DHCP Mscara de sub-rede 255.255.255.0 255.255.255.0 255.255.255.252 255.255.255.252 255.255.255.0 255.255.255.252 255.255.255.252 255.255.255.224 N/A 255.255.255.0 255.255.255.0 255.255.255.252 255.255.255.252 255.255.255.0 255.255.255.0 Gateway padro N/A N/A N/A N/A N/A N/A N/A 209.165.200.226 N/A N/A N/A N/A N/A N/A N/A N/A
R1
R2
R3
S1 S2 S3 PC1
All contents are Copyright 19922009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Pgina 1 de 12
Objetivos de aprendizagem
Aps concluir este laboratrio, voc ser capaz de: Cabo de rede de acordo com o diagrama de topologia Apagar a configurao de inicializao e recarregar o estado padro de um roteador Carregar os roteadores e os switches com scripts fornecidos Localizar e corrigir todos os erros de rede Documentar a rede corrigida
Cenrio
Para este laboratrio, no use a proteo por login ou senha em nenhuma linha de console para impedir o bloqueio acidental. Use ciscoccna para todas as senhas deste laboratrio. Nota: como este laboratrio cumulativo, voc utilizar todo o conhecimento e as tcnicas de identificao e soluo de problemas aprendidas no material anterior para concluir este laboratrio com xito.
Requisitos
S2 a raiz de spanning tree para VLAN 11, e S3 a raiz de spanning tree para VLAN 30. S3 um servidor VTP com S2 como um cliente. O link serial entre R1 e R2 Frame Relay. O link serial entre R2 e R3 usa encapsulamento HDLC. O link serial entre R1 e R3 autenticado com o uso de CHAP. R2 deve ter procedimentos de login seguros por ser o roteador de extremidade da Internet. Todas as linhas vty, exceto as pertencentes a R2, s permitem conexes das sub-redes mostradas no diagrama de topologia, excluindo-se o endereo pblico. O spoofing do endereo IP de origem deve ser impedido em todos os links que no se conectam a outros roteadores. Os protocolos de roteamento devem ser usados com segurana. O EIGRP usado neste cenrio. R3 no deve ser capaz de executar telnet para R2 pelo link serial conectado diretamente. R3 tem acesso a VLANs 11 e 30 via porta Fast Ethernet 0/1. O servidor TFTP no deve obter nenhum trfego que possua endereo de origem fora da sub-rede. Todos os dispositivos tm acesso ao servidor TFTP. Todos os dispositivos na sub-rede 192.168.10.0 devem ser capazes de obter os endereos IP de DHCP em R1. Isso inclui o S1. Todos os endereos mostrados no diagrama devem ser alcanveis em todos os dispositivos.
All contents are Copyright 19922009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Pgina 2 de 12
All contents are Copyright 19922009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Pgina 3 de 12
ppp authentication chap no shutdown ! ! router eigrp 10 passive-interface default no passive-interface FastEthernet0/0 no passive-interface FastEthernet0/1 no passive-interface Serial0/0/0 no passive-interface Serial0/0/1 network 10.1.1.0 0.0.0.255 network 10.2.2.0 0.0.0.255 network 192.168.10.0 0.0.0.255 network 192.168.11.0 0.0.0.255 no auto-summary ! ip route 0.0.0.0 0.0.0.0 10.1.1.2 ! ip http server ! ip access-list standard Anti-spoofing permit 192.168.10.0 0.0.0.255 deny any ip access-list standard VTY permit 10.0.0.0 0.255.255.255 permit 192.168.10.0 0.0.0.255 permit 192.168.11.0 0.0.0.255 permit 192.168.20.0 0.0.0.255 permit 192.168.30.0 0.0.0.255 ! line con 0 exec-timeout 5 0 logging synchronous line aux 0 line vty 0 4 access-class VTY in login local ! end !-----------------------------------------! R2 !-----------------------------------------no service password-encryption ! hostname R2 ! security passwords min-length 6 enable secret ciscoccna ! aaa new-model ! aaa authentication login local_auth local aaa session-id common ! ip cef
All contents are Copyright 19922009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Pgina 4 de 12
! no ip domain lookup ! username ccna password 0 ciscoccna ! interface Loopback0 ip address 209.165.200.225 255.255.255.224 ip access-group private in ! interface FastEthernet0/1 ip address 192.168.20.1 255.255.255.0 ip access-group TFTP out ip access-group Anti-spoofing in ip nat outside no shutdown ! ! interface Serial0/0/0 ip address 10.1.1.2 255.255.255.252 ip nat inside encapsulation frame-relay no keepalive frame-relay map ip 10.1.1.1 201 broadcast frame-relay map ip 10.1.1.2 201 no frame-relay inverse-arp no shutdown ! interface Serial0/0/1 ip address 10.2.2.1 255.255.255.252 ip nat inside clockrate 128000 no shutdown ! ! router eigrp 100 passive-interface default no passive-interface FastEthernet0/1 no passive-interface Serial0/0/0 no passive-interface Serial0/0/1 no passive interface lo0 network 10.1.1.0 0.0.0.3 network 10.2.2.0 0.0.0.3 network 192.168.20.0 0.0.0.255 network 209.165.200.0 0.0.0.7 no auto-summary ! ip route 0.0.0.0 0.0.0.0 209.165.200.226 ! no ip http server ip nat inside source list NAT interface FastEthernet0/0 overload ! ip access-list standard Anti-spoofing permit 192.168.20.0 0.0.0.255 deny any ip access-list standard NAT
All contents are Copyright 19922009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Pgina 5 de 12
permit 10.0.0.0 0.255.255.255 permit 192.168.0.0 0.0.255.255 ip access-list standard private deny 127.0.0.1 deny 10.0.0.0 0.255.255.255 deny 172.16.0.0 0.15.255.255 deny 192.168.0.0 0.0.255.255 permit any ! ip access-list extended R3-telnet deny tcp host 10.2.2.2 host 10.2.2.1 eq telnet deny tcp host 10.3.3.2 host 10.2.2.1 eq telnet deny tcp host 192.168.11.3 host 10.2.2.1 eq telnet deny tcp host 192.168.30.1 host 10.2.2.1 eq telnet ! ip access-list standard TFTP permit 192.168.20.0 0.0.0.255 ! control-plane ! line con 0 exec-timeout 5 0 logging synchronous line aux 0 exec-timeout 15 0 logging synchronous login authentication local_auth transport output telnet line vty 0 4 exec-timeout 15 0 logging synchronous login authentication local_auth transport input telnet ! end !-----------------------------------------! R3 !-----------------------------------------no service password-encryption ! hostname R3 ! security passwords min-length 6 ! no aaa new-model ! ip cef ! no ip domain lookup ! username R1 password ciscoccna username ccna password ciscoccna ! interface FastEthernet0/1
 no shutdown
!
interface FastEthernet0/1.11
 encapsulation dot1Q 11
 ip address 192.168.11.3 255.255.255.0
 no snmp trap link-status
!
interface FastEthernet0/1.30
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
 ip access-group Anti-Spoofin in
 no shutdown
!
!
interface Serial0/0/0
 ip address 10.3.3.2 255.255.255.252
 encapsulation ppp
 ppp authentication pap
!
interface Serial0/0/1
 ip address 10.2.2.2 255.255.255.252
 no shutdown
!
router eigrp 10
 network 10.3.3.0 0.0.0.3
 network 10.2.2.0 0.0.0.3
 network 192.168.11.0 0.0.0.255
 network 192.168.30.0 0.0.0.255
 no auto-summary
!
ip classless
!
ip http server
!
ip access-list standard Anti-spoofing
 permit 192.168.30.0 0.0.0.255
 deny any
ip access-list standard VTY
 permit 10.0.0.0 0.255.255.255
 permit 192.168.10.0 0.0.0.255
 permit 192.168.11.0 0.0.0.255
 permit 192.168.20.0 0.0.0.255
 permit 192.168.30.0 0.0.0.255
!
!
line con 0
 exec-timeout 5 0
 logging synchronous
line aux 0
 exec-timeout 15 0
 logging synchronous
line vty 0 4
 access-class VTY out
 exec-timeout 15 0
 logging synchronous
 login local
!
end

!----------------------------------------
! S1
!----------------------------------------
no service password-encryption
!
hostname S1
!
security passwords min-length 6
enable secret ciscoccna
!
no aaa new-model
vtp domain CCNA_Troubleshooting
vtp mode transparent
vtp password ciscoccna
ip subnet-zero
!
no ip domain-lookup
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 10
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 10
 switchport mode access
!
interface range FastEthernet0/3-24
!
interface GigabitEthernet0/1
 shutdown
!
interface GigabitEthernet0/2
 shutdown
!
interface Vlan1
 no ip address
 no ip route-cache
!
interface Vlan10
 ip address dhcp
 no ip route-cache
!
ip default-gateway 192.168.10.1
ip http server
!
line con 0
 exec-timeout 5 0
 logging synchronous
line vty 0 4
 password ciscoccna
 login
line vty 5 15
 no login
!
end

!----------------------------------------
! S2
!----------------------------------------
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname S2
!
security passwords min-length 6
enable secret ciscoccna
!
no aaa new-model
vtp domain CCNA_Troubleshooting
vtp mode Client
vtp password ciscoccna
ip subnet-zero
!
no ip domain-lookup
!
no file verify auto
!
spanning-tree mode mst
spanning-tree extend system-id
spanning-tree vlan 30 priority 4096
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
 switchport access vlan 11
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 11
 switchport mode access
!
interface FastEthernet0/3
 switchport trunk allowed vlan 11,30
 switchport mode trunk
!
interface FastEthernet0/4
 switchport trunk allowed vlan 11,30
 switchport mode trunk
!
interface range FastEthernet0/5-24
 shutdown
!
interface GigabitEthernet0/1
 shutdown
!
interface GigabitEthernet0/2
 shutdown
!
interface Vlan1
 no ip address
 no ip route-cache
!
interface Vlan11
 ip address 192.168.11.2 255.255.255.0
 no ip route-cache
!
ip http server
!
control-plane
!
line con 0
 exec-timeout 5 0
 logging synchronous
line vty 0 4
 password ciscoccna
 login
line vty 5 15
 no login
!
end

!----------------------------------------
! S3
!----------------------------------------
no service password-encryption
!
hostname S3
!
security passwords min-length 6
enable secret ciscoccna
!
no aaa new-model
vtp domain CCNA_Troubleshooting
vtp mode Server
vtp password ciscoccna
ip subnet-zero
!
no ip domain-lookup
!
no file verify auto
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 11 priority 4096
vlan internal allocation policy ascending
!
Vlan 11,30
!
interface FastEthernet0/1
 switchport trunk allowed vlan 11,30
 switchport mode trunk
!
interface FastEthernet0/2
 switchport access vlan 30
 switchport mode access
!
interface FastEthernet0/3
 switchport trunk allowed vlan 11,30
 switchport mode trunk
!
interface FastEthernet0/4
 switchport trunk allowed vlan 11,30
 switchport mode trunk
!
interface range FastEthernet0/5-24
 shutdown
!
interface GigabitEthernet0/1
 shutdown
!
interface GigabitEthernet0/2
 shutdown
!
interface Vlan1
 no ip address
 no ip route-cache
!
interface Vlan30
 ip address 192.168.30.2 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.30.1
ip http server
!
line con 0
 exec-timeout 5 0
 logging synchronous
line vty 0 4
 password ciscoccna
 login
line vty 5 15
 no login
!
end
Task 2: Find and correct all network errors

Task 3: Verify that the requirements have been fully met

Task 4: Document the corrected network

Task 5: Clean up

Erase the configurations and reload the routers. Disconnect and store the cabling. For PC hosts that are normally connected to other networks (such as the school LAN or the Internet), reconnect the appropriate cabling and restore the TCP/IP settings.
Addressing Table

Device  Interface   IP Address        Subnet Mask       Default Gateway
R1      Fa0/0       192.168.10.1      255.255.255.0     N/A
R1      Fa0/1       192.168.11.1      255.255.255.0     N/A
R1      S0/0/0      10.1.1.1          255.255.255.252   N/A
R1      S0/0/1      10.3.3.1          255.255.255.252   N/A
R2      Fa0/1       192.168.20.1      255.255.255.0     N/A
R2      S0/0/0      10.1.1.2          255.255.255.252   N/A
R2      S0/0/1      10.2.2.1          255.255.255.252   N/A
R2      Lo0         209.165.200.225   255.255.255.224   209.165.200.226
R3      Fa0/1       N/A               N/A               N/A
R3      Fa0/1.11    192.168.11.3      255.255.255.0     N/A
R3      Fa0/1.30    192.168.30.1      255.255.255.0     N/A
R3      S0/0/0      10.3.3.2          255.255.255.252   N/A
R3      S0/0/1      10.2.2.2          255.255.255.252   N/A
S1      VLAN10      DHCP              255.255.255.0     N/A
S2      VLAN11      192.168.11.2      255.255.255.0     N/A
S3      VLAN30      192.168.30.2      255.255.255.0     N/A
PC1     NIC         192.168.10.10     255.255.255.0     192.168.10.1
Learning Objectives

Upon completion of this lab, you will be able to:
- Cable a network according to the topology diagram.
- Erase the startup configuration and reload a router to the default state.
- Load the routers and switches with the supplied scripts.
- Find and correct all network errors.
- Document the corrected network.
Scenario

For this lab, do not use login or password protection on any console line, so that you cannot lock yourself out by accident. Use ciscoccna for every password in this scenario.

Note: because this lab is cumulative, you will use all of the knowledge and troubleshooting techniques acquired in the previous material to complete it successfully.
Requirements

- S2 is the spanning-tree root for VLAN 11, and S3 is the spanning-tree root for VLAN 30.
- S3 is a VTP server with S2 as a client.
- The serial link between R1 and R2 is Frame Relay.
- The serial link between R2 and R3 uses HDLC encapsulation.
- The serial link between R1 and R3 is authenticated using CHAP.
- R2 must have secure login procedures, because it is the Internet edge router.
- All vty lines, except those belonging to R2, allow connections only from the subnets shown in the topology diagram, excluding the public address.
- Source IP address spoofing must be prevented on every link that does not connect to another router.
- Routing protocols must be used securely. OSPF is used in this scenario.
- R3 must not be able to telnet to R2 over the directly connected serial link.
- R3 has access to VLANs 11 and 30 via its Fast Ethernet 0/1 port.
- The TFTP server must not receive any traffic whose source address is outside its subnet. All devices have access to the TFTP server.
- All devices on the 192.168.10.0 subnet must be able to obtain their IP addresses from DHCP on R1. This includes S1.
- All addresses shown in the diagram must be reachable from every device.
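Most of the requirements above are statements about what a `show running-config` must and must not contain, which makes them checkable by machine before anyone touches a console. The script below is an added example, not part of the Cisco lab: it parses IOS configuration text into sections and reports violations of the vty-filtering, anti-spoofing, password-storage and OSPF-authentication requirements. `SAMPLE_CONFIG` is constructed here from the lab's R3 script with several of its planted errors kept (the misspelled `Anti-Spoofin` ACL name, `access-class VTY out`, `no login` on `line vty 5 15`, no OSPF authentication). The R2 exemption from vty filtering and the HDLC, CHAP and Frame Relay requirements are not modelled.

```python
"""Offline audit of IOS 'show running-config' text against this lab's security
requirements. Added example, not part of the Cisco lab. SAMPLE_CONFIG is
constructed from the lab's R3 script with several of its planted errors kept."""
import ipaddress
import re
from typing import Dict, List, Tuple

SAMPLE_CONFIG = """\
no service password-encryption
username ccna password ciscoccna
interface FastEthernet0/1.11
 ip address 192.168.11.3 255.255.255.0
interface FastEthernet0/1.30
 ip address 192.168.30.1 255.255.255.0
 ip access-group Anti-Spoofin in
router ospf 1
 network 192.168.30.0 0.0.0.255 area 0
ip access-list standard Anti-spoofing
 permit 192.168.30.0 0.0.0.255
 deny any
ip access-list standard VTY
 permit 10.0.0.0 0.255.255.255
line vty 0 4
 access-class VTY out
 login local
line vty 5 15
 no login
"""

def parse_sections(config: str) -> List[Tuple[str, List[str]]]:
    """Group by indentation: a non-indented line opens a section, indented lines
    are its sub-commands; blank lines and '!' separators are dropped."""
    sections: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" ") and sections:
            sections[-1][1].append(line.strip())
        else:
            sections.append((line, []))
    return sections

def acl_permits(entries: List[str], subnet: ipaddress.IPv4Network) -> bool:
    """True if a standard-ACL entry ('permit any' / 'permit A [wildcard]') covers the subnet."""
    for entry in entries:
        m = re.match(r"permit\s+(\S+)(?:\s+(\S+))?$", entry)
        if not m:
            continue
        if m.group(1) == "any":
            return True
        # IOS wildcard == hostmask; absent or 0.0.0.0 means a single host (/32)
        mask = "32" if m.group(2) in (None, "0.0.0.0") else m.group(2)
        if subnet.subnet_of(ipaddress.IPv4Network(f"{m.group(1)}/{mask}", strict=False)):
            return True
    return False

def audit(config: str) -> List[str]:
    """One finding per requirement violation found in the config text."""
    sections = parse_sections(config)
    top = [hdr for hdr, _ in sections]
    acls: Dict[str, List[str]] = {m.group(1): kids for hdr, kids in sections
                                  for m in [re.match(r"ip access-list (?:standard|extended) (\S+)$", hdr)] if m}
    findings: List[str] = []
    for hdr, kids in sections:
        if hdr.startswith("line vty"):
            # Management plane: authenticated login plus an inbound access-class.
            if "no login" in kids:
                findings.append(f"{hdr}: 'no login' gives an unauthenticated EXEC shell")
            classes = [k.split() for k in kids if k.startswith("access-class ")]
            if not classes:
                findings.append(f"{hdr}: no access-class; reachable from any source")
            for parts in classes:
                direction = parts[2] if len(parts) > 2 else "in"
                if direction != "in":
                    findings.append(f"{hdr}: access-class {parts[1]} applied '{direction}'; only 'in' filters incoming sessions")
        elif hdr.startswith("interface ") and not hdr.startswith(("interface Serial", "interface Loopback")):
            # Data plane: LAN (sub)interfaces need an inbound ACL permitting only their own subnet.
            addr = next((k for k in kids if re.match(r"ip address \d", k)), None)
            if addr is None:
                continue
            name = hdr.split(None, 1)[1]
            subnet = ipaddress.IPv4Network("/".join(addr.split()[2:4]), strict=False)
            inbound = [k.split()[2] for k in kids if re.match(r"ip access-group \S+ in$", k)]
            if not inbound:
                findings.append(f"{name}: no inbound ACL; spoofed sources on {subnet} are not blocked")
            for acl in inbound:
                if acl not in acls:
                    findings.append(f"{name}: inbound ACL '{acl}' is undefined (ACL names are case-sensitive)")
                elif not acl_permits(acls[acl], subnet):
                    findings.append(f"{name}: ACL '{acl}' does not permit its own subnet {subnet}")
    # Credentials: clear-text username passwords while the encryption service is disabled.
    plaintext = [h for h in top if re.match(r"username \S+ password ", h)]
    if "no service password-encryption" in top and plaintext:
        findings.append(f"service password-encryption is off; {len(plaintext)} clear-text password(s)")
    # Control plane: OSPF should authenticate neighbors (MD5 per area or per interface).
    if any(h.startswith("router ospf") for h in top) and not any(
            (k.startswith("area ") and "authentication" in k) or (k.startswith("ip ospf") and "message-digest" in k)
            for h, kids in sections if h.startswith(("router ospf", "interface ")) for k in kids):
        findings.append("router ospf: no neighbor authentication; a rogue neighbor can inject routes")
    return findings
```

Call `audit()` on captured `show running-config` text; an empty list means nothing was found. The `in`/`out` distinction on `access-class` is the point of the vty check: `out` filters telnet sessions the router itself originates from a vty, not the ones arriving at it, so a line with only `access-class VTY out` is still reachable from anywhere.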
 ip address 10.3.3.1 255.255.255.252
 encapsulation ppp
 ppp authentication chap
 no shutdown
!
interface Serial0/1/0
 no ip address
 shutdown
 clockrate 2000000
!
interface Serial0/1/1
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 passive-interface FastEthernet0/0
 network 10.1.1.0 0.0.0.255 area 0
 network 10.2.2.0 0.0.0.255 area 0
 network 192.168.10.0 0.0.0.255 area 0
 network 192.168.11.0 0.0.0.255 area 0
!
ip http server
!
ip access-list standard Anti-spoofing
 permit 192.168.10.0 0.0.0.255
 deny any
ip access-list standard VTY
 permit 10.0.0.0 0.255.255.255
 permit 192.168.10.0 0.0.0.255
 permit 192.168.11.0 0.0.0.255
 permit 192.168.20.0 0.0.0.255
 permit 192.168.30.0 0.0.0.255
!
line con 0
 exec-timeout 5 0
 logging synchronous
line aux 0
line vty 0 4
 access-class VTY in
 login local
!
end

!-----------------------------------------
! R2
!-----------------------------------------
no service password-encryption
!
hostname R2
!
security passwords min-length 6
enable secret ciscoccna
!
aaa new-model
!
aaa authentication login local_auth local
aaa session-id common
!
ip cef
!
no ip domain lookup
!
username ccna password 0 ciscoccna
!
interface Loopback0
 ip address 209.165.200.245 255.255.255.224
 ip access-group private in
!
interface FastEthernet0/1
 ip address 192.168.20.1 255.255.255.0
 ip access-group TFTP out
 ip access-group Anti-spoofing in
 ip nat inside
 duplex auto
 speed auto
!
!
interface Serial0/0/0
 ip address 10.1.1.2 255.255.255.252
 ip nat outside
 encapsulation frame-relay
 no keepalive
 frame-relay map ip 10.1.1.1 201 broadcast
 frame-relay map ip 10.1.1.2 201
 no frame-relay inverse-arp
!
interface Serial0/0/1
 ip address 10.2.2.1 255.255.255.252
 ip access-group R3-telnet in
 ip nat outside
!
!
router ospf 1
 passive-interface FastEthernet0/1
 network 10.1.1.0 0.0.0.3 area 0
 network 10.2.2.0 0.0.0.3 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 209.165.200.226
!
no ip http server
ip nat inside source list nat interface FastEthernet0/0
!
ip access-list standard Anti-spoofing
 permit 192.168.20.0 0.0.0.255
 deny any
ip access-list standard NAT
 permit 10.0.0.0 0.255.255.255
 permit 192.168.0.0 0.0.255.255
ip access-list standard private
 deny 127.0.0.1
 deny 10.0.0.0 0.255.255.255
 deny 172.0.0.0 0.31.255.255
 deny 192.168.0.0 0.0.255.255
 permit any
!
ip access-list extended R3-telnet
 deny tcp host 10.2.2.2 host 10.2.2.1 eq telnet
 deny tcp host 10.3.3.2 host 10.2.2.1 eq telnet
 deny tcp host 192.168.11.3 host 10.2.2.1 eq telnet
 deny tcp host 192.168.30.1 host 10.2.2.1 eq telnet
 permit ip any any
!
ip access-list standard TFTP
 permit 192.168.20.0 0.0.0.255
!
line con 0
 exec-timeout 5 0
 logging synchronous
line aux 0
 exec-timeout 15 0
 logging synchronous
 login authentication local_auth
 transport output telnet
line vty 0 4
 exec-timeout 15 0
 logging synchronous
 login authentication local_auth
 transport input telnet
!
end

!-----------------------------------------
! R3
!-----------------------------------------
no service password-encryption
!
hostname R3
!
security passwords min-length 6
enable secret ciscoccna
!
no aaa new-model
!
ip cef
!
no ip domain lookup
!
username R1 password ciscoccna
username ccna password ciscoccna
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 no shutdown
!
interface FastEthernet0/1.11
 encapsulation dot1Q 12
 ip address 192.168.11.3 255.255.255.0
 no snmp trap link-status
!
interface FastEthernet0/1.30
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
 ip access-group Anti-spoofing in
!
!
interface Serial0/0/0
 ip address 10.3.3.2 255.255.255.252
 encapsulation ppp
 clockrate 125000
 ppp authentication chap
 no shutdown
!
interface Serial0/0/1
 ip address 10.2.2.2 255.255.255.252
 encapsulation lapb
 no shutdown
!
router ospf 1
 passive-interface FastEthernet0/1.30
 network 10.2.2.0 0.0.0.3 area 1
 network 10.3.3.0 0.0.0.3 area 1
 network 192.168.11.0 0.0.0.255 area 1
 network 192.168.30.0 0.0.0.255 area 1
!
ip classless
!
ip http server
!
ip access-list standard Anti-spoofing
 permit 192.168.30.0 0.0.0.255
 deny any
ip access-list standard VTY
 permit 10.0.0.0 0.255.255.255
 permit 192.168.10.0 0.0.0.255
 permit 192.168.11.0 0.0.0.255
 permit 192.168.20.0 0.0.0.255
 permit 192.168.30.0 0.0.0.255
!
line con 0
 exec-timeout 5 0
 logging synchronous
line aux 0
 exec-timeout 15 0
 logging synchronous
line vty 0 4
 access-class VTY in
 exec-timeout 15 0
 logging synchronous
 login local
!
end

!----------------------------------------
! S1
!----------------------------------------
no service password-encryption
!
hostname S1
!
security passwords min-length 6
enable secret ciscoccna
!
no aaa new-model
vtp domain CCNA_Troubleshooting
vtp mode transparent
vtp password ciscoccna
ip subnet-zero
!
no ip domain-lookup
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 10
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 10
 switchport mode access
!
interface range FastEthernet0/3-24
!
interface GigabitEthernet0/1
 shutdown
!
interface GigabitEthernet0/2
 shutdown
!
interface Vlan1
 no ip address
 no ip route-cache
!
interface Vlan10
 ip address dhcp
 no ip route-cache
!
ip default-gateway 192.168.10.1
ip http server
!
line con 0
 exec-timeout 5 0
 logging synchronous
line vty 0 4
 password ciscoccna
 login
line vty 5 15
 no login
!
end

!----------------------------------------
! S2
!----------------------------------------
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname S2
!
security passwords min-length 6
enable secret ciscoccna
!
no aaa new-model
vtp domain CCNA_Troubleshooting
vtp mode client
vtp password ciscoccna
ip subnet-zero
!
no ip domain-lookup
!
no file verify auto
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 11 priority 24576
spanning-tree vlan 30 priority 28672
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
 switchport access vlan 11
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 11
 switchport mode access
!
interface FastEthernet0/3
 switchport trunk allowed vlan 11,30
 switchport mode trunk
!
interface FastEthernet0/4
 switchport trunk allowed vlan 11,30
 switchport mode trunk
!
interface range FastEthernet0/5-24
 shutdown
!
interface GigabitEthernet0/1
 shutdown
!
interface GigabitEthernet0/2
 shutdown
!
interface Vlan1
 no ip address
 no ip route-cache
!
interface Vlan11
 ip address 192.168.11.2 255.255.255.0
 no ip route-cache
!
ip http server
!
line con 0
 exec-timeout 5 0
 logging synchronous
line vty 0 4
 password ciscoccna
 login
line vty 5 15
 no login
!
end

!----------------------------------------
! S3
!----------------------------------------
no service password-encryption
!
hostname S3
!
security passwords min-length 6
enable secret ciscoccna
!
no aaa new-model
vtp domain CCNA_Troubleshooting
vtp mode Server
vtp password ciscoccna
ip subnet-zero
!
no ip domain-lookup
!
no file verify auto
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 11 priority 28672
spanning-tree vlan 30 priority 24576
!
vlan internal allocation policy ascending
!
vlan 30
!
interface FastEthernet0/1
 switchport trunk allowed vlan 11
 switchport mode trunk
!
interface FastEthernet0/2
 switchport access vlan 30
 switchport mode access
!
interface FastEthernet0/3
 switchport trunk native vlan 99
 switchport trunk allowed vlan 11,30
 switchport mode trunk
!
interface FastEthernet0/4
 switchport trunk native vlan 99
 switchport trunk allowed vlan 11,30
 switchport mode trunk
!
interface range FastEthernet0/5-24
 shutdown
!
interface GigabitEthernet0/1
 shutdown
!
interface GigabitEthernet0/2
 shutdown
!
interface Vlan1
 no ip address
 no ip route-cache
!
interface Vlan30
 ip address 192.168.30.2 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.30.1
ip http server
!
line con 0
 exec-timeout 5 0
 logging synchronous
line vty 0 4
 password ciscoccna
 login
line vty 5 15
 no login
!
end
Task 2: Find and correct all network errors

Task 3: Verify that the requirements have been fully met

Because time constraints prevent troubleshooting a problem in every topic, only a certain number of topics have problems. However, to reinforce and strengthen troubleshooting skills, you should verify that each requirement is met. To do this, present evidence for each requirement (for example, the output of a show or debug command).
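Task 3 asks for evidence per requirement. For the Layer 2 requirements (S2 is root for VLAN 11, S3 is root for VLAN 30, R3 reaches VLANs 11 and 30 over Fa0/1) that evidence comes from `show running-config`, `show spanning-tree` and `show interfaces trunk` on each switch. The script below is an added example, not part of the Cisco lab: it reads the running-config text of both switches and checks the two ends of each trunk against each other, plus who wins the root election per VLAN from the configured priorities. `S2_CONFIG` and `S3_CONFIG` are constructed from the trunk and spanning-tree lines of the lab's S2 and S3 scripts; the S2-to-S3 cabling in `LINKS` is an assumption, since the topology diagram is not reproduced on this page. On this input it flags the native VLAN 99 that S3 sets on Fa0/3 and Fa0/4 while S2 leaves the default 1, and the trunk on S3 Fa0/1 that carries VLAN 11 only.

```python
"""Cross-check two switch scripts for trunk and spanning-tree consistency.
Added example, not part of the Cisco lab. S2_CONFIG and S3_CONFIG are
constructed from the trunk and spanning-tree lines of the lab's S2 and S3
scripts; the cabling in LINKS (S2 Fa0/3 <-> S3 Fa0/3, S2 Fa0/4 <-> S3 Fa0/4)
is an assumption, since the topology diagram is not reproduced on this page."""
import re
from typing import Dict, List, Optional, Set, Tuple

S2_CONFIG = """\
spanning-tree mode rapid-pvst
spanning-tree vlan 11 priority 24576
spanning-tree vlan 30 priority 28672
interface FastEthernet0/3
 switchport trunk allowed vlan 11,30
 switchport mode trunk
interface FastEthernet0/4
 switchport trunk allowed vlan 11,30
 switchport mode trunk
"""
S3_CONFIG = """\
spanning-tree mode rapid-pvst
spanning-tree vlan 11 priority 28672
spanning-tree vlan 30 priority 24576
interface FastEthernet0/1
 switchport trunk allowed vlan 11
 switchport mode trunk
interface FastEthernet0/3
 switchport trunk native vlan 99
 switchport trunk allowed vlan 11,30
 switchport mode trunk
interface FastEthernet0/4
 switchport trunk native vlan 99
 switchport trunk allowed vlan 11,30
 switchport mode trunk
"""
CONFIGS = {"S2": S2_CONFIG, "S3": S3_CONFIG}
LINKS = [("FastEthernet0/3", "FastEthernet0/3"), ("FastEthernet0/4", "FastEthernet0/4")]  # assumed S2<->S3 cabling
Trunk = Tuple[int, Optional[Set[int]]]  # (native VLAN, allowed VLANs; None means all)

def expand_vlans(spec: str) -> Set[int]:
    """IOS VLAN list syntax: '11,30' -> {11, 30}, '1-3,30' -> {1, 2, 3, 30}."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def trunk_ports(config: str) -> Dict[str, Trunk]:
    """Every 'switchport mode trunk' interface with its native and allowed VLANs;
    IOS defaults apply when a line is absent (native VLAN 1, all VLANs allowed)."""
    ports: Dict[str, Trunk] = {}
    for block in re.split(r"(?m)^interface ", config)[1:]:
        name, *body = (ln.strip() for ln in block.splitlines())
        if "switchport mode trunk" not in body:
            continue
        native, allowed = 1, None
        for line in body:
            m = re.match(r"switchport trunk (native|allowed) vlan (\S+)$", line)
            if m and m.group(1) == "native":
                native = int(m.group(2))
            elif m:
                allowed = expand_vlans(m.group(2))
        ports[name] = (native, allowed)
    return ports

def check_links(a: Dict[str, Trunk], b: Dict[str, Trunk], links: List[Tuple[str, str]]) -> List[str]:
    """Compare both ends of each trunk link; every disagreement is a finding."""
    findings: List[str] = []
    for pa, pb in links:
        if pa not in a or pb not in b:
            findings.append(f"{pa}<->{pb}: not a trunk on both ends")
            continue
        (na, va), (nb, vb) = a[pa], b[pb]
        if na != nb:  # untagged frames would be delivered into a different VLAN on each side
            findings.append(f"{pa}<->{pb}: native VLAN mismatch {na} vs {nb}")
        if va != vb:
            findings.append(f"{pa}<->{pb}: allowed VLANs differ {sorted(va or ())} vs {sorted(vb or ())}")
    return findings

def missing_vlans(port: Trunk, required: Set[int]) -> Set[int]:
    """VLANs a trunk must carry but does not (empty when all VLANs are allowed)."""
    _native, allowed = port
    return set() if allowed is None else required - allowed

def stp_priorities(config: str) -> Dict[int, int]:
    """Configured per-VLAN bridge priority; VLANs not listed keep the default 32768."""
    pri: Dict[int, int] = {}
    for m in re.finditer(r"^spanning-tree vlan (\S+) priority (\d+)", config, re.M):
        for vlan in expand_vlans(m.group(1)):
            pri[vlan] = int(m.group(2))
    return pri

def root_for(vlan: int, configs: Dict[str, str]) -> Optional[str]:
    """Switch that wins the root election for a VLAN on priority alone (lower wins).
    A tie is decided by the lowest bridge MAC, which a config cannot show, so None."""
    ranked = sorted((stp_priorities(c).get(vlan, 32768), name) for name, c in configs.items())
    if len(ranked) > 1 and ranked[0][0] == ranked[1][0]:
        return None
    return ranked[0][1]
```

`check_links(trunk_ports(S2_CONFIG), trunk_ports(S3_CONFIG), LINKS)` is the evidence for the trunk requirements, `missing_vlans(trunk_ports(S3_CONFIG)["FastEthernet0/1"], {11, 30})` for R3's access to both VLANs, and `root_for(11, CONFIGS)` / `root_for(30, CONFIGS)` for the two root-bridge requirements; `show spanning-tree` on the live switches should agree with the last two.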