ccna_part2

CCNA Ti liu dnh cho hc vin

VSIC Education Corporation Trang 128

BI 20: CU HNH OSPF GIA WINDOWS SERVER 2003 V ROUTER

1. Gii thiu :

Trong bi lab ny chng ta s kho st cu hnh OSPF gia mt my Server s dng Windows 2003 v router.

PC c th c s dng lm Router, ng thi c th tch hp vo h thng router v nh tuyn thng qua giao thc chun OSPF.

2. M t bi lab v hnh :

hnh bi lab nh hnh v, chng ta s cu hnh loopback 0 cho cc router. a ch IP ca cc interface c ghi trn hnh. Lu , khi cu hnh IP cho server, chng ta khng cu hnh default gateway.

Server hot ng ging nh Router, n s trao i cc thng tin nh tuyn thng qua giao thc OSPF v c th bit c cc mng 10.0.0.0, 12.0.0.0 u xa. 3. Cu hnh cho cc router :

Chng ta cu hnh cho cho cc router nh sau : Vsic1#sh run Building configuration... Current configuration : 592 bytes version 12.1 hostname Vsic1 interface Loopback0 ip address 10.0.0.1 255.255.0.0 interface Serial0



ip address 192.168.1.1 255.255.255.0 router ospf 1 log-adjacency-changes network 10.0.0.0 0.0.255.255 area 0 network 192.168.1.0 0.0.0.255 area 0

end

Vsic2#sh run Building configuration...

Current configuration : 712 bytes version 12.1 hostname Vsic2 interface Loopback0 ip address 11.1.0.1 255.0.0.0 interface Ethernet0 ip address 15.1.0.1 255.0.0.0 interface Serial0 ip address 192.168.1.2 255.255.255.0 no fair-queue clockrate 64000 interface Serial1 ip address 170.1.0.1 255.255.0.0 router ospf 1 log-adjacency-changes network 11.1.0.0 0.255.255.255 area 0 network 15.0.0.0 0.255.255.255 area 0 network 170.1.0.0 0.0.255.255 area 0 network 192.168.1.0 0.0.0.255 area 0 end Vsic3#sh run Building configuration... Current configuration : 608 bytes version 12.1 hostname Vsic3 interface Loopback0 ip address 12.1.0.1 255.255.255.252 interface Serial0 ip address 170.1.0.2 255.255.0.0 clockrate 64000 router ospf 1 log-adjacency-changes network 12.1.0.0 0.0.0.3 area 0 network 170.1.0.0 0.0.255.255 area 0 end

4. Cu hnh cho server :



Chng ta vo Start Program Administrative Tools Routing And Remote Access. Sau chn PC chng ta mun cu hnh ri nhp chut phi chn Configure and Enable Routing and Remote Access.

Ri nhn Next chn Custom Configuration Next chn Lan routing Next Finish Yes. Click vo IP routing, bn ca s bn phi chng ta nhp chut phi vo General ri chn New Routing Protocol

Chn Open Shortest Path Frist (OSPF) OK Nhp chut phi vo OSPF (trong IP routing) chn New Interface. Trong ca s hin ra chn Local Area Connection OK Trong ca s hin ra, nh du chn Enable OSPF for this address, trong phn Network Type, ta chn mc Broadcast. Sau nhn OK.



Chng ta c th set cost cho route ny bng cch nhp gi tr vp Cost, v u tin cho router bng cch nhp gi tr vo Router priority. Router no c u tin cao nht s l designated router. Nhp chut phi vo OSPF chn Properties. Trong ca s hin ra chn Enable antonomous system boundary router.



Click vo tab Areas, chn 0.0.0.0 nhn Edit

Trong ca s va hin ra, b Enable plaintext password OK



Chng ta nhn chut phi vo OSPF chn Show Link-state Database. Trong ca s hin ra chng ta s tht c cc mng ca router Vsic1, Vsic2, Vsic3.

By gi chng ta s ping ti cc mng ca ba router kim tra.



Chng ta ping thnh cng mng 10.0.0.0 ca Vsic1, cc bn tip tc ping ti cc mng khc kim tra v chc chn s thnh cng. Nh vy ton mng lin lc c vi nhau. Vic chy OSPF gia Winserver 2003 v router thnh cng. 5. T thc hnh s dng Dynagen :

i vi bi thc hnh ny, ta c th s dng my tnh hin hnh chy h iu hnh 2003 hay c th s dng my o.

Trc tin ta kim tra vic ci t admin tool Routing v Remote Access trong Win 2003. Sau tin hnh Bridge card mng ca my s dng vi Router VSIC2.



Chy file lab20ospfs.net thc hnh v chnh a ch card mng ph hp vi PC win

2003 # Simple lab [localhost] [[3640]] image = \Program Files\Dynamips\images\C3640_IS_MZ122_3.BIN # On Linux / Unix use forward slashes: # image = /opt/7200-images/c7200-jk9o3s-mz.124-7a.image ram=96 [[ROUTER VSIC1]] model=3640 s1/0 = VSIC2 s1/0 [[router VSIC2]] s1/1 = VSIC3 s1/1 F0/0 = NIO_gen_eth:\Device\NPF_{3E56FAD7-7D96-4763-AD9E-6232CA66410B} thay i a ch mng dng ny

model=3640 [[ROUTER VSIC3]] model=3640 # No need to specify an adapter here, it is taken care of # by the interface specification under Router VSIC1

Chng ta bt u thc hnh, ta hy th thm 1 giao thc c trong admin tool Routing v Remote Access l RIP.



Phn 4 : ACCESS LIST v NAT BI 21: STANDAR ACCESS LIST

1. Gii thiu: -Mt trong nhng cng c rt quan trng trong Cisco Router c dng trong lnh vc security l Access List. y l mt tnh nng gip bn c th cu hnh trc tip trn Router to ra mt danh sch cc a ch m bn c th cho php hay ngn cn vic truy cp vo mt a ch no .

-Access List c 2 loi l Standard Access List v Extended Access List. -Standard Access List: y l loi danh sch truy cp m khi cho php hay ngn cn vic truy cp,Router ch kim tra mt yu t duy nht l a ch ngun(Source Address) -Extended Access List: y l loi danh sch truy cp m rng hn so vi loi Stanhdar,cc yu t v a ch ngun, a ch ch,giao thc,port..s c kim tra trc khi Router cho php vic truy nhp hay ngn cn. 2. M t bi lab v hnh :

-Bi Lab ny gip bn thc hin vic cu hnh Standard Access List cho Cisco Router vi mc ch ngn khng cho host truy cp n router VSIC2.

3. Cu hnh router :

Router Vsic1

Vsic1#show run



Building configuration... Current configuration: ! version 12.0 service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname Vsic1 ! ip subnet-zero ! process-max-time 200 ! interface Ethernet0 ip address 11.0.0.1 255.255.255.0 no ip directed-broadcast ! interface Serial0 ip address 192.168.1.1 255.255.255.0 no ip directed-broadcast ! interface Serial1 no ip address no ip directed-broadcast shutdown ! ip classless no ip http server ! line con 0 transport input none line 1 8 line aux 0 line vty 0 4 ! end

Router Vsic2 Vsic2#show run Building configuration... Current configuration: ! version 12.1 service timestamps debug uptime



service timestamps log uptime no service password-encryption ! hostname Vsic2 ! ip subnet-zero ! interface Ethernet0 no ip address shutdown ! interface Serial0 ip address 192.168.1.2 255.255.255.0 clockrate 56000 ! interface Serial1 no ip address shutdown ! ip classless no ip http server ! line con 0 transport input none line 1 8 line aux 0 line vty 0 4 ! end Host: IP Address:11.0.0.2 Subnet mask:255.255.255.0 Gateway:11.0.0.1

-Bn thc hin vic nh tuyn cho cc Router nh sau(Dng giao thc RIP): Vsic1(config)#router rip Vsic1(config-router)#net 192.168.1.0 Vsic1(config-router)#net 11.0.0.0 Vsic2(config)#router rip Vsic2(config-router)#net 192.168.1.0 Vsic2(config-router)#net 10.0.0.0

-Bn thc hin kim tra qu trnh nh tuyn:

Vsic2#ping 192.168.1.1



Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 32/34/36 ms Vsic2#ping 11.0.0.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 11.0.0.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 32/34/36 ms Vsic2#ping 11.0.0.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 11.0.0.2, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 32/34/40 ms

-Sau qu trnh nh tuyn,kim tra chc chn rng mng c thng,bn thc hin vic to Access List Standar ngn khng cho Router Vsic 2 ping vo Host.

-V khi lu thng,gi tin mun n c a ch ca Host bt but phi i qua Router Vsic1.

-Bn thc hin to Access List trn Router Vsic 1 nh sau:

Vsic1#conf t Enter configuration commands, one per line. End with CNTL/Z. Vsic1(config)#access-list 1 deny 11.0.0.2 0.0.0.0 //t chi s truy nhp ca a ch 11.0.0.2//

-Lc ny bn thc hin lnh Ping t Host n VSIC2



-Bn thy lnh Ping thc hin vn thnh cng, l do l bn cha m ch Access list trn interface ethernet0 ca router Vsic1 Vsic1(config)#int e0 Vsic1(config-if)#ip access-group 1 in //ngn cn ng vo ca serial 0 theo access group 1// -Sau khi apply access list vo interface ethernet 0, ta ping t PC1 n VSIC2.

By gi ta i a ch ca PC thnh 11.0.0.3, v th ping li 1 ln na.



-Bn thy lnh Ping vn khng thnh cng, l do l khi khng tm thy a ch source

(a ch l) trong danh sch Access list, router s mc nh thc hin Deny any,v vy bn phi thay i mc nh ny. Sau y l lnh debug ip packet ti VSIC1 khi thc hin lnh ping trn.

Vsic1(config)#access-list 1 permit any

-Lc ny bn thc hin li lnh Ping t PC1 n VSIC2



-Bn thy lnh Ping thnh cng, n y bn cu hnh xong Standard Access List. 4. T cu hnh bng Dynagen: Click file lab21acls.net v cu hnh theo s sau:

Thay v apply ACL ti interface Fa0/0 theo chiu in, ta c th hin i vi interface s1/0 theo chiu out. Ta cu hnh tng t v test theo hng dn ca bi trn.



BI 22: EXTENDED ACCESS LIST 1. Gii thiu :

- bi trc bn thc hin vic cu hnh Standard Access List, bi Lab ny bn s tip tc tm hiu su hn v Extended Access List. y l m rng ca Standard Access List, trong qu trnh kim tra, Router s kim tra cc yu t v a ch ngun, ch,giao thc v port 2. M t bi lab v hnh :

-Mc ch ca bi Lab:Bn thc hin cu hnh Extended Access List sao cho Host1 khng th Telnet vo Router Vsic 2 nhng vn c th duyt web qua Router Vsic2

Bn thc hin hnh nh sau:

Bn thc hin vic cu hnh cho Router v Host nh hnh trn: 3. Cu hnh router :

Host1: IP Address:11.0.0.2 Subnet mask:255.255.255.0 Gateway:11.0.0.1



Host2: IP Address:10.0.0.2 Subnet mask:255.255.255.0 Gateway:10.0.0.1 Router Vsic1: vsic1#show run Building configuration... Current configuration: ! version 12.0 service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname vsic1 ! ip subnet-zero ! process-max-time 200 ! interface Ethernet0 ip address 11.0.0.1 255.255.255.0 no ip directed-broadcast ! interface Serial0 ip address 192.168.1.1 255.255.255.0 no ip directed-broadcast ! interface Serial1 no ip address no ip directed-broadcast shutdown ! line con 0 transport input none line 1 8 line aux 0 line vty 0 4 ! end Router Vsic2



Building configuration... Current configuration: ! version 12.1 service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname vsic2 ! enable secret 5 $1$V7En$XlyfRt14RWv2KPO9goxVt. //mt khu secret l Router// ! ip subnet-zero ! interface Ethernet0 ip address 10.0.0.1 255.255.255.0 ! interface Serial0 ip address 192.168.1.2 255.255.255.0 no fair-queue clockrate 56000 ! interface Serial1 no ip address shutdown ! ip classless no ip http server ! line con 0 transport input none line 1 8 line aux 0 line vty 0 4 password cisco login ! end

-Bn thc hin vic nh tuyn(s dng Rip) vsic1(config)#router rip vsic1(config-router)#net 11.0.0.0 vsic1(config-router)#net 192.168.1.0



vsic2(config)#router rip vsic2(config-router)#net 10.0.0.0 vsic2(config-router)#net 192.168.1.0

-Bn thc hin lnh Ping kim tra qu trnh nh tuyn.Sau khi chc chn rng qu trnh nh tuyn thnh cng.

-Ti Router Vsic2 bn thc hin cu lnh:

vsic2(config)#ip http server //Cu lnh ny dng gi mt http server trn Router// -Lc ny Router s ng vai tr nh mt Web Server -Sau khi qu trnh nh tuyn thnh cng,bn thc hin cc bc Telnet v duyt

Web t Host 1 vo Router Vsic2. -Ch : thnh cng vic Telnet bn phi Login cho ng line vty v t mt

khu cho ng ny( y l Cisco) Telnet:

Duyt web



Bn nhp vo User Name v Password User name:Vsic2 Password:Router

-Cc bc trn thnh cng,bn thc hin vic cu hnh Access list vsic2#conf t Enter configuration commands, one per line. End with CNTL/Z. vsic2(config)#access-list 101 deny tcp 11.0.0.2 0.0.0.0 192.168.1.2 0.0.0.0 eq telnet

vsic2(config)#int s0 vsic2(config-if)#ip access-group 101 in

-Bn thc hin li vic Telnet nh trn,bn nhn thy qu trnh Telnet khng thnh cng nhng bc duyt Web ca bn cng khng thnh cng.

-Theo yu cu bn ch ngn cm Telnet nhng cho php qu trnh duyt Web

Telnet



Duyt Web

- thnh cng bc duyt Web,bn thc hin cu lnh thay i vic Deny any mc nh ca Access List.

vsic2(config)#access-list 101 permit ip any any -Bn ch rng cc cu lnh trong Access List extended khng ging nh trong Access List Standard v trong Access List Extended,Router s kim tra c a ch ngun,ch,giao thc v port..Permit ip any any c ngha l cho php tt c cc a ch ngun v ch khc(khng tm thy trong danh sch Access List) chy trn nn giao thc IP i qua.

Lc ny bn thc hin li qu trnh duyt web



Bn nhp vo User Name v Password User name:Vsic2 Password:Router

-n y bn thnh cng vic cu hnh cho Extended Access List,bn thc hin c yu cu to Access List cho Router vi mc ch ngn cm vic Telnet vo Router v cho php qu trnh duyt Web vo Router.Bn cng c th m rng thm hnh vi nhiu Router thc tp vic cu hnh Access List cho Router vi nhng yu cu bo mt khc nhau.

4. T Thc hnh bng Dynagen: S dng file lab22acle.net thc hnh. S v cch cu hnh tng t nh trn.



BI 23: TN CNG ROUTER BNG FLOOD

1. M t bi lab v cu hnh :

hnh bi lab trn hnh trn, chng ta s bt http server trn router Vsic2 v Deny Service ny bng DoS trn S0 ca router Vsic2 a ch l 192.168.1.2, ta cu hnh access-list 101 p vo interface S0, ni dung ca access-list 101 ny l cm tt c cc gi i vo interface ny (s dng Defense). 2. Cu hnh ca Router :

Cu hnh ca cc router : Vsic1#show run Building configuration... Current configuration : 559 bytes version 12.1 hostname Vsic1 interface Ethernet0 ip address 10.1.0.1 255.255.255.0 interface Serial0 ip address 192.168.1.1 255.255.255.0 no fair-queue clockrate 64000 router rip network 10.0.0.0 network 192.168.1.0 end Vsic2#show run Building configuration... Current configuration : 616 bytes version 12.1 hostname Vsic2 interface Loopback0



ip address 11.1.0.1 255.255.255.0 interface Serial0 ip address 192.168.1.2 255.255.255.0 router rip network 11.0.0.0 network 192.168.1.0 ip http server access-list 101 deny tcp any 10.1.0.0 0.0.0.255 access-list 101 permit ip any any end Chng ta bt http server trn router Vsic2 bng cch : Vsic2(config)#ip http server

3. Thc thi DoS :

Sau khi cu hnh xong, ta chy th Web Service trn router 2501 bng vo Internet explorer browser, v nhp vo khung Address : http://192.168.3.1/ v chc chn Service ny ang chy.

By gi, chng ta vo command prompt khi ng chng trnh bonk (http://www.packetstorm.net/)

Chng trnh ny s gi packet lin tc n a ch m chng ta nhp vo (Interface S0 ca Vsic2). Lc ny to router Vsic2 chng ta cu hnh access-list l deny tt c cc gi n a ch 192.168.1.2 (interface S0 ca Vsic2). Chng ta c th xem qu trnh u tin l khi mi bt u gi gi t phn mm file chy bonk, nhng gi t phn mm ny gi b deny : (s dng cu lnh debug ip packet detail hin th thng tin v cc gi trn Vsic2)

01:35:27: IP: s=192.168.1.2 (local), d=58.78.126.160, len 56, unroutable 01:35:28: IP: s=234.163.97.104 (Serial0), d=192.168.1.2, len 56, access denied 01:35:28: IP: s=90.18.161.21 (Serial0), d=192.168.1.2, len 56, access denied 01:35:28: IP: s=192.168.1.2 (local), d=90.18.161.21, len 56, unroutable 01:35:29: IP: s=212.188.230.189 (Serial0), d=192.168.1.2, len 56, access denied



01:35:29: IP: s=95.72.43.45 (Serial0), d=192.168.1.2, len 56, access denied 01:35:29: IP: s=192.168.1.2 (local), d=95.72.43.45, len 56, unroutable 01:35:30: IP: s=137.183.32.171 (Serial0), d=192.168.1.2, len 56, access denied 01:35:30: IP: s=34.183.126.195 (Serial0), d=192.168.1.2, len 56, access denied

Tuy nhin trong qu trnh deny router Vsic2 phi a gi vo d liu ca mnh

phn tch. Trong khi file chy bonk gi gi mt cch lin tc, nn cha y 2 pht sau th interface serial 0 ca Vsic2 b down v service http ca n v vy cng s b down lun. Chng ta khng th duyt web lc ny.

01:35:31: IP: s=192.168.1.2 (local), d=190.191.154.23, len 56, unroutable 01:35:32: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down 01:35:32: IP: s=68.190.155.4 (Serial0), d=192.168.1.2, len 56, access denied 01:35:32: IP: s=192.168.1.2 (local), d=68.190.155.4, len 56, unroutable.

Sau khi down mt thi gian, router s t ng up interface S0 ln li. Nu khng cn

ghn na th s hot ng bnh thng. 01:35:52: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up



BI 24: CU HNH NAT STATIC 1. Gii thiu :

Nat (Network Address Translation) l mt giao thc dng cung cp s chuyn i IP trong 1 min a ra mt mi trng khc thng qua mt IP c ng k chuyn i thng tin gia 2 mi trng (either Local or Global) .

u im ca NAT( Network Nat Translation ) l chuyn i cc IP adress ring trong mng n IP adress inside c Cung cp khi ng k .

Cc loi a ch : Inside Local : l cc a ch bn trong mng ni b ( gateway) Inside Global :l cc a ch ngoi cng GATEWAY , l a ch Nat c

ng k. Trong bi nay l :172.17.0.1/24 Outside Global : l cc h thng mng bn ngoi cc mi trng

Cch thc chuyn i mt IP public v mt IP private s khng c hiu qu khi chng ta trin khai rng cho tt c cc host trong mng, bi v khi lm nh vy ta s khng c a ch cung cp. Nat tnh thng c p dng khi ta s dng a ch public lm WebServer hay FTP Server,v.v.


Cc PC ni vi router bng cp cho, hai router ni vi nhau bng cp serial. a ch IP ca cc interface v PC c cho trn hnh v Trong bi lab ny, router Vsic2 c cu hnh nh mt ISP, router Vsic1 c cu hnh nh mt gateway 3. Cu hnh :

Chng ta cu hnh cho cc router nh sau : Router#conf t Vsic2(config)#enable password cisco Route r(config)#hostname Vsic2 Vsic2(config)#interface serial 0 Vsic2(config-if)#ip address 192.168.0.1 255.255.255.0 Vsic2(config-if)# no shut Vsic2(config-if)#clock rate 64000 Vsic2(config)#interface ethernet 0 Vsic2(config-if)#ip address 10.1.0.1 255.255.0.0 Vsic2(config-if)#no shut Vsic1(config)#interface serial 0 Vsic1(config-if)#ip address 192.168.0.2 255.255.255.0



Vsic1(config)#ip nat outside cu hnh interface S0 l interface outside Vsic1(config)#interface ethernet 0 Vsic1(config-if)#ip address 11.1.0.1 255.255.0.0 Vsic1(config-if)#no shut Vsic1(config-if)#ip nat intside Cu hnh interface E0 l interface inside

Chng ta tin hnh cu hnh Static NAT cho Vsic1 bng cu lnh : Vsic1(config)#ip nat inside source static 10.1.0.2 172.17.0.1 Cu lnh trn c ngha l : cc gi tin xut pht t PC2 khi qua router( vo t interface

E0) Vsic1 ra ngoi( ra khi interface S0) s c i a ch IP source t 11.1.0.2 thnh a ch 172.17.0.1 (y l a ch c ng k vi ISP)

Chng ta tin hnh t Static Route cho 2 Router Vsic2 v Vsic1. Vsic1(config)#ip route 0.0.0.0 0.0.0.0 192.168.0.1 Vsic2(config)#ip route 172.17.0.0 255.255.0.0 192.168.0.2 a ch 172.17.0.1 l Address c ng k. Trn thc t ISP ch route xung user

bng a ch ng k ny. kim tra vic NAT ca router Vsic1 nh th no chng ta s dng cu lnh sau: Vsic1#sh ip nat translation Pro Inside global Inside local Outside local Outside global --- 172.17.0.1 11.1.0.2 --- --- kim tra router Vsic1 chuyn i a ch nh th no chng ta s dng cu lnh

debug ip nat trn router Vsic1 v v ping t PC1 n PC2( hay interface loopback gi lp).



Ta c th s dng lnh ping t Router Vsic2 vo bn trong Server( a ch 172.17.0.1)

ca chng ta,

Nh vy bn ngoi mun tng tc c vi Server bn trong phi truy cp vo

a ch IP l 172.17.0.1.

4. T thc hnh bng Dynagen : Ta s dng file lab24nats.net thc hnh. Ta thc hnh tng t nh trn vi s

nh sau :



Bt thm debug ip packet VSIC2 xem packet t PC1 ti VSIC2.



BI 25:CU HNH NAT OVERLOAD 1. Gii thiu :

NAT (Network Address Translation) dng chuyn i cc private address thnh a ch public address. Cc gi tin t mng ni b ca user gi ra ngoi, khi n router bin a ch IP source s c chuyn i thnh a ch public m user ng k vi ISP. iu ny cho php cc gi tin t mng ni b c th c gi ra mng ngoi (Internet).

NAT c cc loi : NAT static, NAT pool, NAT overload. NAT static cho php chuyn i mt a ch ni b thnh mt a ch public. NAT pool cho php chuyn i cc a ch ni b thnh mt trong dy a ch public. NAT overload cho php chuyn i cc a ch ni b thnh mt a ch public Trong k thut NAT overload, router s s dng thm cc port cho cc a ch khi chuyn

i. 2. Cc cu lnh s dng trong bi lab :

ip nat {inside | outside} Cu hnh interface l inside hay outside

ip nat inside source {list {accesslistnumber | name} pool name [overload] | static localip globalip} Cho php chuyn a ch ni b thnh a ch public

ip nat pool name startip endip {netmask | prefixlength prefixlength} [type rotary] To NAT pool

show ip nat translations Xem cc thng tin v NAT

debug ip nat Xem hot ng ca NAT


hnh bi lab nh hnh trn. Router Vsic1 c cu hnh inteface loopback 0, loopback

1, loopback 2. Router Vsic2 c cu hnh interface loopback 0. Hai router c ni vi nhau bng cp Serial. Ta gi lp 3 lp mng lo0, lo1, lo2 l nhng mng bn trong, khi cc traffic bn trong mng ny i ra ngoi ( ra khi S0) s c chuyn i a ch.

4. Cu hnh router :



Hai router c cu hnh cc interface nh sau : Vsic1#sh run Building configuration... Current configuration : 630 bytes hostname Vsic1 interface Loopback0 ip address 10.1.0.1 255.255.0.0 interface Loopback1 ip address 11.1.0.1 255.255.0.0 interface Loopback2 ip address 12.1.0.1 255.255.0.0 interface Serial0 ip address 192.168.1.1 255.255.255.0 end Vsic2#sh run Building configuration... Current configuration : 644 bytes hostname Vsic2 interface Loopback0 ip address 13.1.0.1 255.255.0.0 interface Serial0 ip address 192.168.1.2 255.255.255.0 no fair-queue clockrate 64000 end

Chng ta cu hnh NAT trn router Vsic1 theo cc bc sau : Bc 1 : Cu hnh cc interface inside v outside

Trong bi lab ny, chng ta cu hnh cho cc interface loopback ca Vsic1 l inside cn interface serial 0 l out side.

Vsic1(config)#in lo0 Vsic1(config-if)#ip nat inside Vsic1(config)#in lo1 Vsic1(config-if)#ip nat inside Vsic1(config-if)#in lo2 Vsic1(config-if)#ip nat inside Vsic1(config-if)#in s0 Vsic1(config-if)#ip nat outside Vsic1(config-if)#exit

Bc 2 : To access list cho php mng no c NAT.

Chng ta cu hnh cho php mng 10.1.0.0/16 v mng 11.1.0.0/16 c cho php, cm mng 12.1.0.0/16

Vsic1(config)# access-list 1 deny 12.1.0.0 0.0.255.255 Vsic1(config)#access-list 1 permit any



Bc 3 : To NAT pool cho router Vsic1 Cu hnh NAT pool tn Vsic1 c a ch t 172.1.1.1/24 n 172.1.1.5/24 Vsic1(config)#ip nat pool Vsic1 172.1.1.1 172.1.1.5 netmask 255.255.255.0

Bc 4 : Cu hnh NAT cho router Vsic1(config)#ip nat inside source list 1 pool Vsic1 overload Cu lnh trn cu hnh overload cho NAT pool

Bc 5 : nh tuyn cho router Vsic1(config)#ip route 13.1.0.0 255.255.0.0 192.168.1.2 Vsic2(config)#ip route 172.1.1.0 255.255.255.0 192.168.1.1 Lu : i vi router Vsic2, nu ta nh tuyn theo dng : Vsic2(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.1

th chng ta c th ping thy c cc mng trong router Vsic1 (10.1.0.0/16, 11.1.0.0/16). Nhng thc t, ISP ch nh tuyn xung cho user bng a ch m user ng k (Inside global address).

Bc 6 : Kim tra hot ng ca NAT

Chng ta s kim tra NAT bng cu lnh debug ip nat Vsic1#debug ip nat

IP NAT debugging is on Sau khi bt debug NAT, chng ta s ping n loopback0 ca Vsic2 t loopback0 ca Vsic1. Ta gi lp traffic t host 10.1.0.1 n mng 13.1.0.1. Lc ny khi traffic ca 10.1.0.1 qua S0 s chuyn i a ch.

Vsic1#ping Protocol [ip]: Target IP address: 13.1.0.1 Repeat count [5]: Datagram size [100]: Timeout in seconds [2]: Extended commands [n]: y Source address or interface: 10.1.0.1 Type of service [0]: Set DF bit in IP header? [no]: Validate reply data? [no]: Data pattern [0xABCD]: Loose, Strict, Record, Timestamp, Verbose[none]: Sweep range of sizes [n]: Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 13.1.0.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 40/40/44 ms Vsic1# 00:31:12: NAT: s=10.1.0.1->172.1.1.1, d=13.1.0.1 [190] 00:31:12: NAT*: s=13.1.0.1, d=172.1.1.1->10.1.0.1 [190] 00:31:12: NAT: s=10.1.0.1->172.1.1.1, d=13.1.0.1 [191] 00:31:12: NAT*: s=13.1.0.1, d=172.1.1.1->10.1.0.1 [191]



00:31:12: NAT: s=10.1.0.1->172.1.1.1, d=13.1.0.1 [192] 00:31:12: NAT*: s=13.1.0.1, d=172.1.1.1->10.1.0.1 [192] 00:31:12: NAT: s=10.1.0.1->172.1.1.1, d=13.1.0.1 [193] 00:31:12: NAT*: s=13.1.0.1, d=172.1.1.1->10.1.0.1 [193] 00:31:12: NAT: s=10.1.0.1->172.1.1.1, d=13.1.0.1 [194] 00:31:12: NAT*: s=13.1.0.1, d=172.1.1.1->10.1.0.1 [194]

T kt qu trn ta thy c, cc gi tin t mng 10.1.0.1 c i source IP thnh 171.1.1.1. S dng cu lnh show ip nat translations xem cc thng v NAT

Vsic1#sh ip nat translations Pro Inside global Inside local Outside local Outside global icmp 172.1.1.1:2459 10.1.0.1:2459 13.1.0.1:2459 13.1.0.1:2459 icmp 172.1.1.1:2460 10.1.0.1:2460 13.1.0.1:2460 13.1.0.1:2460 icmp 172.1.1.1:2461 10.1.0.1:2461 13.1.0.1:2461 13.1.0.1:2461 icmp 172.1.1.1:2462 10.1.0.1:2462 13.1.0.1:2462 13.1.0.1:2462 icmp 172.1.1.1:2463 10.1.0.1:2463 13.1.0.1:2463 13.1.0.1:2463

Cc s c in m l port NAT s dng cho a ch 10.1.0.1. Lp li cc bc trn kim tra NAT cho loopback 1, loopback 2 ca router Vsic1

Vsic1#ping Protocol [ip]: Target IP address: 13.1.0.1 Repeat count [5]: Datagram size [100]: Timeout in seconds [2]: Extended commands [n]: y Source address or interface: 11.1.0.1 Type of service [0]: Set DF bit in IP header? [no]: Validate reply data? [no]: Data pattern [0xABCD]: Loose, Strict, Record, Timestamp, Verbose[none]: Sweep range of sizes [n]: Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 13.1.0.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 40/40/44 ms Vsic1# 00:33:16: NAT: s=11.1.0.1->172.1.1.1, d=13.1.0.1 [210] 00:33:16: NAT*: s=13.1.0.1, d=172.1.1.1->11.1.0.1 [210] 00:33:16: NAT: s=11.1.0.1->172.1.1.1, d=13.1.0.1 [211] 00:33:16: NAT*: s=13.1.0.1, d=172.1.1.1->11.1.0.1 [211] 00:33:16: NAT: s=11.1.0.1->172.1.1.1, d=13.1.0.1 [212] 00:33:16: NAT*: s=13.1.0.1, d=172.1.1.1->11.1.0.1 [212] 00:33:17: NAT: s=11.1.0.1->172.1.1.1, d=13.1.0.1 [213] 00:33:17: NAT*: s=13.1.0.1, d=172.1.1.1->11.1.0.1 [213] 00:33:17: NAT: s=11.1.0.1->172.1.1.1, d=13.1.0.1 [214] 00:33:17: NAT*: s=13.1.0.1, d=172.1.1.1->11.1.0.1 [214]



Vsic1#sh ip nat translations Pro Inside global Inside local Outside local Outside global icmp 172.1.1.1:6407 11.1.0.1:6407 13.1.0.1:6407 13.1.0.1:6407 icmp 172.1.1.1:6408 11.1.0.1:6408 13.1.0.1:6408 13.1.0.1:6408 icmp 172.1.1.1:6409 11.1.0.1:6409 13.1.0.1:6409 13.1.0.1:6409 icmp 172.1.1.1:6410 11.1.0.1:6410 13.1.0.1:6410 13.1.0.1:6410 icmp 172.1.1.1:6411 11.1.0.1:6411 13.1.0.1:6411 13.1.0.1:6411

Vsic1#ping Protocol [ip]: Target IP address: 13.1.0.1 Repeat count [5]: Datagram size [100]: Timeout in seconds [2]: Extended commands [n]: y Source address or interface: 12.1.0.1 Type of service [0]: Set DF bit in IP header? [no]: Validate reply data? [no]: Data pattern [0xABCD]: Loose, Strict, Record, Timestamp, Verbose[none]: Sweep range of sizes [n]: Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 13.1.0.1, timeout is 2 seconds: ..

Success rate is 0 percent (0/5) i vi 12.1.0.1, chng ta khng ping ra ngoi c v mng 12.1.0.0/16 b cm trong access list 1. ng router Vsic2, chng ta ping xung cc loopback ca router Vsic1

Vsic2#ping 10.1.0.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.1.0.1, timeout is 2 seconds:

..... Success rate is 0 percent (0/5) Vsic2#ping 11.1.0.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 11.1.0.1, timeout is 2 seconds: ..... Success rate is 0 percent (0/5) Vsic2#ping 12.1.0.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 12.1.0.1, timeout is 2 seconds: ..... Success rate is 0 percent (0/5) Nhn xt : tt c u khng thnh cng Nguyn nhn l router Vsic2 khng c route

no n cc loopback ca router Vsic1. Trong thc t, ta cng c kt qu tng t do ISP ch



nh tuyn xung a ch m user ng k, cn cc a ch mng bn trong ca user th khng c ISP nh tuyn. 5. T thc hnh bng Dynagen:

Ta click vo file lab25nato.net thc hnh tng t nh bi trn. Tuy nhin ta c thay mng gi lp lo0 bng mt mng LAN.

Ta s dng PC ping ra ngoi v bt debug theo di trn router, ta s thy s chuyn i a ch xy ra ti router.

Hc vin trong bi t thc hnh nn kt hp gia static NAT v dynamip NAT. Ta c c th gi s trng hp l trong mng c 1 Web Server, v Web Server c NAT static khi i ra ngoi v ngc li. Cn li nhng PC khc trong mng s dng NAT overload ra Internet.

thc hin thnh cng c bi ny, ta test bng cch PC bn trong c th ping ra ngoi v ngoi c th truy cp Web Server bn trong.



Phn 5 : WAN BI 26: CU HNH PPP PAP V CHAP

1. Gii thiu :

PPP (Point-to-Point Protocol) l giao thc ng gi c s dng thc hin kt ni trong mng WAN. PPP bao gm LCP (Link Control Protocol) v NCP (Network Control Protocol). LCP c dng thit lp kt ni point-to-point, NCP dng cu hnh cho cc giao thc lp mng khc nhau.

PPP c th c cu hnh trn cc interface vt l sau : Asynchronous serial : cng serial bt ng b Synchronous serial : cng serial ng b High-Speed Serial Interface (HSSI) : cng serial tc cao Integrated Services Digital Network (ISDN) Qu trnh to session ca PPP gm ba giai on (phase): Link-establishment phase Authentication phase (ty chn) Network layer protocol phase Ty chn xc nhn (authentication) gip cho vic qun l mng d dng hn. PPP s

dng hai cch xc nhn l PAP (Password Authentication Protocol) v CHAP (Challenge Handshake Authentication Protocol).

PAP l dng xc nhn two-way handshake. Sau khi to lin kt node u xa s gi usename v password lp i lp li cho n khi nhn c thng bo chp nhn hoc t chi. Password trong PAP c gi i dng clear text (khng m ha).

CHAP l dng xc nhn three-way handshake. Sau khi to lin kt, router s gi thng ip challenge cho router u xa. Router u xa s gi li mt gi tr c tnh ton da trn password v thng ip challenge cho router. Khi nhn c gi tr ny, router s kim tra li xem c ging vi gi tr ca n tnh hay khng. Nu ng, th router xem gi xc nhn ng v kt ni c thit lp; ngc li, kt ni s b ngt ngay lp tc. 2. Cc cu lnh s dng trong bi lab :

username name password password Cu hnh tn v password cho CHAP v PAP. Tn v password ny phi ging vi router u xa.

encapsulation ppp Cu hnh cho interface s dng giao thc PPP

ppp authentication (chap chap pap pap chap pap) Cu hnh cho interface s dng PAP, CHAP, hoc c hai. Trong trng hp c hai c s dng, giao thc u tin c s dng trong qu trnh xc nhn; nu nh giao thc u b t chi hoc router u xa yu cu dng giao thc th hai th giao thc th hai c dng.

ppp pap sent-username username password password Cu hnh username v password cho PAP

debug ppp authentication Xem trnh t xc nhn ca PAP v CHAP




hnh bi lab nh hnh v. Hai router c t tn l Vsic, Vsic2 v c ni vi nhau bng cp serial. a ch IP ca cc interface nh hnh trn.

4. Cu hnh router :

a) Bc 1 : t tn v a ch cho cc interface Vsic1#sh run Building configuration... Current configuration : 497 bytes version 12.1 hostname Vsic1 enable password cisco interface Serial0 ip address 192.168.1.1 255.255.255.0 clockrate 64000 end Vsic2#sh run Building configuration... Current configuration : 423 bytes version 12.1 hostname Vsic2 enable password cisco interface Serial0 ip address 192.168.1.2 255.255.255.0 end

Chng ta s kim tra trng thi ca cc cng bng cu lnh show ip interface brief Vsic2#sh ip interface brief

Interface IP-Address OK? Method Status Protocol Ethernet0 unassigned YES unset administratively down down Serial0 192.168.1.2 YES manual up up Serial1 unassigned YES unset administratively down down

Cng serial ca router Vsic2 up. Lm tng t kim tra trng thi cc cng ca

router Vsic1. Chng ta s dng cu lnh show interfaces serial bit c cc thng s ca

interface serial cc router Vsic2#sh interfaces serial 0



Serial0 is up, line protocol is up Hardware is HD64570 Internet address is 192.168.1.2/24 MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation HDLC, loopback not set Keepalive set (10 sec) Last input 00:00:02, output 00:00:01, output hang never Last clearing of "show interface" counters never Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: weighted fair Output queue: 0/1000/64/0 (size/max total/threshold/drops) Conversations 0/1/256 (active/max active/max total) Reserved Conversations 0/0 (allocated/max allocated) 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 0 bits/sec, 0 packets/sec 15 packets input, 846 bytes, 0 no buffer Received 15 broadcasts, 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 19 packets output, 1708 bytes, 0 underruns 0 output errors, 0 collisions, 2 interface resets 0 output buffer failures, 0 output buffers swapped out 0 carrier transitions DCD=up DSR=up DTR=up RTS=up CTS=up Vsic1#sh int s 0 Serial0 is up, line protocol is up Hardware is HD64570 Internet address is 192.168.1.1/24 MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation HDLC, loopback not set Keepalive set (10 sec) Last input 00:00:00, output 00:00:00, output hang never Last clearing of "show interface" counters 00:11:35 Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue :0/40 (size/max) 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 0 bits/sec, 0 packets/sec 21 packets input, 2010 bytes, 0 no buffer Received 21 broadcasts, 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 23 packets output, 1280 bytes, 0 underruns 0 output errors, 0 collisions, 4 interface resets 0 output buffer failures, 0 output buffers swapped out 7 carrier transitions DCD=up DSR=up DTR=up RTS=up CTS=up



C hai cng serial ca hai router u s dng giao thc ng gi l HDLC v trng thi ca c hai u l up

b) Bc 2 : Cu hnh PPP PAP, CHAP Cu hnh PPP PAP

ng router Vsic1, chng ta s cu hnh PPP cho interface serial 0 bng cu lnh encapsulation ppp Vsic1(config)#in s0 Vsic1(config-if)#encapsulation ppp Kim tra trng thi interface serial 0 ca router Vsic1

Vsic1#sh ip int brie Interface IP-Address OK? Method Status Protocol Ethernet0 unassigned YES unset administratively down down Serial0 192.168.1.1 YES manual up down Serial1 unassigned YES unset administratively down down Vsic1#sh int s 0 Serial0 is up, line protocol is down Hardware is HD64570 Internet address is 192.168.1.1/24 MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation PPP, loopback not set Keepalive set (10 sec) LCP REQsent Closed: IPCP, CDPCP Last input 00:00:08, output 00:00:01, output hang never Last clearing of "show interface" counters 00:00:15 Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue :0/40 (size/max) 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 0 bits/sec, 0 packets/sec 1 packets input, 22 bytes, 0 no buffer Received 0 broadcasts, 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 7 packets output, 98 bytes, 0 underruns 0 output errors, 0 collisions, 0 interface resets 0 output buffer failures, 0 output buffers swapped out 0 carrier transitions DCD=up DSR=up DTR=up RTS=up CTS=up

Nhn xt : interface serial 0 ca router Vsic1 b down, ng ngha vi interface serial 0 ca router Vsic2 cng b down. Nguyn nhn l hai interface ny s dng giao thc ng gi khc nhau. (Interface serial 0 ca router Vsic1 s dng PPP cn Vsic2 s dng HDLC). V vy chng ta phi cu hnh cho interface serial 0 ca router Vsic2 cng s dng giao thc PPP. Vsic2(config)#in s0



Vsic2(config-if)#encapsulation ppp By gi chng ta s kim tra trng thi ca cc interface

Vsic2#sh int s0 Serial0 is up, line protocol is up Hardware is HD64570 Internet address is 192.168.1.2/24 MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation PPP, loopback not set Keepalive set (10 sec) LCP Open Open: IPCP, CDPCP Last input 00:00:01, output 00:00:01, output hang never Last clearing of "show interface" counters 00:00:18 Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: weighted fair Output queue: 0/1000/64/0 (size/max total/threshold/drops) Conversations 0/1/256 (active/max active/max total) Reserved Conversations 0/0 (allocated/max allocated) 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 0 bits/sec, 0 packets/sec 15 packets input, 1004 bytes, 0 no buffer Received 0 broadcasts, 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 13 packets output, 976 bytes, 0 underruns 0 output errors, 0 collisions, 0 interface resets 0 output buffer failures, 0 output buffers swapped out 0 carrier transitions DCD=up DSR=up DTR=up RTS=up CTS=up C hai interface ca hai router up tr li. Do c hai c cu hnh s dng cng

giao thc ng gi l PPP. Trc khi cu hnh PAP cho hai interface chng ta s dng cu lnh debug ppp authentication xem trnh t trao i thng tin ca PAP. Vsic2#debug ppp authentication

PPP authentication debugging is on Chng ta s cu hnh PAP cho c hai interface serial 0 nh sau : Vsic1(config)#username Vsic2 password cisco Vsic1(config)#in s0 Vsic1(config-if)#ppp authentication pap Vsic1(config-if)#ppp pap sent-username Vsic1 password cisco Vsic2(config)#username Vsic1 password cisco Vsic2(config)#in s0 Vsic2(config-if)#ppp authentication pap Vsic2(config-if)#ppp pap sent-username Vsic2 password cisco Lu :

Trong cu lnh username name password password , name v password phi trng vi name v password ca router u xa.



Cn trong cu lnh ppp pap sent-username name password password , name v password l ca chnh router chng ta cu hnh

Sau khi chng ta cu hnh PAP xong trn route Vsic2, th mn hnh s xut hin trnh t ca PAP

00:09:49: Se0 PPP: Phase is AUTHENTICATING, by both 00:09:49: Se0 PAP: O AUTH-REQ id 1 len 18 from "Vsic2" 00:09:49: Se0 PAP: I AUTH-REQ id 1 len 18 from "Vsic1" 00:09:49: Se0 PAP: Authenticating peer Vsic1 00:09:49: Se0 PAP: O AUTH-ACK id 1 len 5 00:09:49: Se0 PAP: I AUTH-ACK id 1 len 5 00:09:50: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up

ngha ca cc thng bo :

Dng thng bo 1 : PPP thc hin xc nhn hai chiu Dng thng bo 2 : Vsic2 gi yu cu xc nhn Dng thng bo 3 : Nhn yu cu xc nhn t Vsic1 Dng thng bo 4 : Nhn xc nhn ca Vsic1 Dng thng bo 5 : Gi xc nhn ng n Vsic1 Dng thng bo 6 : Nhn xc nhn ng t Vsic1

Dng thng bo 7 : Trng thi ca interface c chuyn sang UP Nh vy hai interface ca router Vsic1 v Vsic2 up. Chng ta ng router Vsic2 ping interface serial 0 ca router Vsic1 kim tra. Vsic2#ping 192.168.1.1

Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 14.1.0.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 32/44/60 ms

Cu hnh PPP CHAP

Trc khi cu hnh PPP CHAP cho hai interface chng ta g b PAP c hai router Vsic1(config)#in s0 Vsic1(config-if)#no ppp authentication pap Vsic1(config-if)#no ppp pap sent-username Vsic1 password cisco Vsic2(config)#in s0 Vsic2(config-if)#no ppp authentication pap Vsic2(config-if)#no ppp pap sent-username Vsic2 password cisco By gi chng ta s cu hnh CHAP bng cu lnh ppp authentication chap Vsic1(config)#in s0

Vsic1(config-if)#ppp authentication chap

Vsic2(config)#in s0 Vsic2(config-if)#ppp authentication chap

Lu : khi cu hnh PPP CHAP chng ta vn phi cu hnh cho interface serial s dng giao thc ng gi PPP bng cu lnh encapsulation ppp v cng phi s dng cu lnh



username name password password cu hnh name v password cho giao thc CHAP thc hin xc nhn. y, chng ta khng thc hin li cc cu lnh v bc cu hnh PAP chng ta thc hin ri. Do chng ta s dng cu lnh debug ppp authentication router Vsic2, nn khi cu hnh CHAP xong hai router th mn hnh s hin thng bo nh sau : (console c ni vi router Vsic2) 00:15:08: Se0 CHAP: O CHALLENGE id 1 len 28 from "Vsic2" 00:15:08: Se0 CHAP: I CHALLENGE id 2 len 28 from "Vsic1" 00:15:08: Se0 CHAP: O RESPONSE id 2 len 28 from "Vsic2" 00:15:08: Se0 CHAP: I RESPONSE id 1 len 28 from "Vsic1" 00:15:08: Se0 CHAP: O SUCCESS id 1 len 4 00:15:08: Se0 CHAP: I SUCCESS id 2 len 4 00:15:09: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up ngha ca cc cu thng bo :

Dng thng bo 1 : Vsic2 gi thng bo challenge n router Vsic1 Dng thng bo 2 : Vsic2 nhn thng bo challenge t router Vsic1 Dng thng bo 3 : Vsic2 gi response n router Vsic1 Dng thng bo 4 : Vsic2 nhn response t router Vsic1 Dng thng bo 5 : Vsic2 gi xc nhn thnh cng n Vsic1 Dng thng bo 6 : Vsic2 nhn xc nhn thnh cng t Vsic1 Dng thng bo 7 : Trng thi ca interface serial c chuyn sang UP

Hai interface serial ca router Vsic1 v Vsic2 UP, chng ta ng router Vsic2 ping n interface serial 0 ca router Vsic1 kim tra

Vsic2#ping 192.168.1.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 14.1.0.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 32/44/60 ms

Nu nh name v password trong cu lnh username name password password khng ng th trng thi ca interface s b down. Do qu trnh xc nhn gia hai interface s s dng name v password ny. Nu nh khng khp th kt ni s b hy 5. T thc hnh bng Dynagen:

y l s n gin, hc vin ch cn chy file lab26ppp.net thc hnh bi trn.



BI 27:CU HNH ISDN BASIC 1. Gii thiu :

ISDN (Integrated Services Digital Network) l mt cng ngh truyn dn tc cao v quay s c s dng rng ri .H thng mng ny c to ra cach y 20 nm v c ng dng rng ri ti U.S.A u nm 1990.

ISDN l mng phc v cho vic truyn dn d liu s mt mng ISDN BRI t tiu chun c th t ti tc 128Kbps.

D liu c up ln sau mi 10 giy mng ISDN cho php truyn dn cc tn hiu s,cc knh s ng thi trn dy in thoi analog thng thng v u bn kia c gii m qua modem hay cc thit b khc . 2. M t bi lab v hnh :

Trong bi ny chng ta s s dng mt thit b m phng ISDN. Chng ta s ni hai

router vo thit b bng cp thng. 3. Cu hnh :

a. Cu hnh cho router Vsic2: Router#conf t Enter configuration commands, one per line. End with CNTL/Z. Router(config)#hostname Vsic2 Vsic2(config)#isdn switch-type basic-ni cu hnh loi ISDN switch Vsic2(config)#dialer-list 1 protocol ip permit Vsic2(config)#username Vsic1 password cisco Vsic2(config)#interface bri 0 Vsic2(config-if)#encapsulation ppp cu hnh giao thc ng gi l PPP Vsic2(config-if)#ip address 200.10.1.2 255.255.255.0 Vsic2(config-if)#isdn spid1 21 21 S SPID number 21 phone numbers 21 Vsic2(config-if)#dialer-group 1 Vsic2(config-if)#dialer map ip 200.10.1.1 name Vsic1 broadcast 11 cu hnh s ca router u xa Ahena2 thc hin cuc gi Vsic2(config-if)#ppp authentication chap cu hnh PPP CHAP Vsic2(config-if)#no shut Vsic2(config-if)#

b. Cu hnh cho router Vsic1 : Router(config)#hostname Vsic1 Vsic1(config)#isdn switch-type basic-ni



Vsic1(config)#dialer-list 1 protocol ip permit Vsic1(config)#username Vsic2 password cisco Vsic1(config)#interface bri 0 Vsic1(config-if)#encapsulation ppp Vsic1(config-if)# Vsic1(config-if)#ip address 200.10.1.1 255.255.255.0 Vsic1(config-if)#isdn spid1 11 11 Vsic1(config-if)#dialer-group 1 Vsic1(config-if)#dialer map ip 200.10.1.2 name Vsic2 broadcast 21 Vsic1(config-if)#ppp authentication chap Vsic1(config-if)#no shut Sau khi cu hnh xong chng ta kim tra li bng cch : Vsic2#sh run Building configuration... Current configuration : 726 bytes ! version 12.1 ! hostname Vsic2 ! username Vsic1 password 0 cisco ! ip subnet-zero ! isdn switch-type basic-ni ! interface BRI0 ip address 200.10.1.2 255.255.255.0 encapsulation ppp dialer map ip 200.10.1.1 name Vsic1 broadcast 11 dialer-group 1 isdn switch-type basic-ni isdn spid1 21 ppp authentication chap ! dialer-list 1 protocol ip permit end Vsic2#sh interfaces bri 0 BRI0 is up, line protocol is up (spoofing) Hardware is BRI Internet address is 200.10.1.2/24 MTU 1500 bytes, BW 64 Kbit, DLY 20000 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation PPP, loopback not set Last input never, output 00:00:22, output hang never Last clearing of "show interface" counters 00:18:04



Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: weighted fair Output queue: 0/1000/64/0 (size/max total/threshold/drops) Conversations 0/1/16 (active/max active/max total) Reserved Conversations 0/0 (allocated/max allocated) 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 0 bits/sec, 0 packets/sec 0 packets input, 0 bytes, 0 no buffer Received 0 broadcasts, 0 runts, 0 giants, 0 throttles 1 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 1 abort 10 packets output, 80 bytes, 0 underruns 0 output errors, 0 collisions, 2 interface resets 0 output buffer failures, 0 output buffers swapped out 111 carrier transitions Chng ta kim tra trng thi kt ni ca lin kt ISDN bng cu lnh sau : Vsic1#sh isdn status Global ISDN Switchtype = basic-net3 ISDN BRI0 interface dsl 0, interface ISDN Switchtype = basic-net3 Layer 1 Status: ACTIVE Layer 2 Status: TEI = 64, Ces = 1, SAPI = 0, State = MULTIPLE_FRAME_ESTABLISHED Layer 3 Status: 0 Active Layer 3 Call(s) Active dsl 0 CCBs = 0 The Free Channel Mask: 0x80000003 Number of L2 Discards = 0, L2 Session ID = 13 Total Allocated ISDN CCBs = 0 Vsic2#sh isdn status Global ISDN Switchtype = basic-net3 ISDN BRI0 interface dsl 0, interface ISDN Switchtype = basic-net3 Layer 1 Status: ACTIVE Layer 2 Status: TEI = 67, Ces = 1, SAPI = 0, State = MULTIPLE_FRAME_ESTABLISHED Layer 3 Status: 0 Active Layer 3 Call(s) Active dsl 0 CCBs = 0 The Free Channel Mask: 0x80000003 Number of L2 Discards = 0, L2 Session ID = 3 Total Allocated ISDN CCBs = 0 Nu cu hnh ng th trng thi ca Layer 1 l ACTIVE v Layer 2 l MULTIPLE_FRAME_ESTABLISHED



ng router Vsic2, chng ta ping a ch 200.10.1.1 kim tra kt ni : Vsic2#ping 200.10.1.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 200.10.1.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 36/36/36 ms Nhn xt : ping thnh cng v router Vsic2 thc hin kt ni vi router Vsic1 s dng interface dialer 0

Vsic2#sh interfaces bri 0 BRI0 is up, line protocol is up (spoofing) Hardware is BRI Internet address is 200.10.1.2/24 MTU 1500 bytes, BW 64 Kbit, DLY 20000 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation PPP, loopback not set Last input 00:00:05, output 00:00:05, output hang never Last clearing of "show interface" counters 00:09:45 Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: weighted fair Output queue: 0/1000/64/0 (size/max total/threshold/drops) Conversations 0/1/16 (active/max active/max total) Reserved Conversations 0/0 (allocated/max allocated) 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 0 bits/sec, 0 packets/sec 103 packets input, 1111 bytes, 0 no buffer Received 0 broadcasts, 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 70 packets output, 309 bytes, 0 underruns 0 output errors, 0 collisions, 4 interface resets 0 output buffer failures, 0 output buffers swapped out 5 carrier transitions

Lnh show dialer dng ch trng thi knh B s ngt, st gim (drop) sau 120 giy inactive. Trng thi giao tip BRI ca router Athen2 c xc nh vi trng thi ca router Athnena1.Cng giao tip BRI0 c ch dn n knh D ca mng trong trang thi ny l UP/UP (spoofing state) chng t rng knh D hot ng Vsic2#sh dialer BRI0 - dialer type = ISDN Dial String Successes Failures Last DNIS Last status 11 1 0 01:31:13 successful 0 incoming call(s) have been screened. 0 incoming call(s) rejected for callback. BRI0:1 - dialer type = ISDN Idle timer (120 secs), Fast idle timer (20 secs)



Wait for carrier (30 secs), Re-enable (15 secs) Dialer state is idle BRI0:2 - dialer type = ISDN Idle timer (120 secs), Fast idle timer (20 secs) Wait for carrier (30 secs), Re-enable (15 secs) Dialer state is idle Vsic1#show dialer BRI0 - dialer type = ISDN Dial String Successes Failures Last DNIS Last status 21 0 1 00:01:43 failed 0 incoming call(s) have been screened. 0 incoming call(s) rejected for callback. BRI0:1 - dialer type = ISDN Idle timer (120 secs), Fast idle timer (20 secs) Wait for carrier (30 secs), Re-enable (15 secs) Dialer state is idle BRI0:2 - dialer type = ISDN Idle timer (120 secs), Fast idle timer (20 secs) Wait for carrier (30 secs), Re-enable (15 secs) Dialer state is idle By gi nu nh i s s SPID hay l s Phone numbers th trng thi s thay i, h thng ng nhin l s khng th kt ni c.

Vsic2(config)#interface bri0 Vsic2(config-if)#no isdn spid1 21 21 Vsic2(config-if)#isdn spid1 14 14 Vsic2(config-if)#no shut Vsic2(config-if)# 02:16:31: %ISDN-6-LAYER2DOWN: Layer 2 for Interface BRI0, TEI 70 changed to down Vsic2(config-if)#dialer idle-timeout 20 cu hnh thi gian idle-timeout l 20s Vsic2(config-if)#no shut Vsic2(config-if)#^Z Vsic2#

Vsic1#ping 200.10.1.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 200.10.1.2, timeout is 2 seconds: ..... Success rate is 0 percent (0/5) 4. Cch t thc hnh bng Boson Netsim :



M chng trnh Boson Netsim bt u thc hnh. Ta vo FileLoad NetmapChn file lab27ISDN.top. S ging nh s thc hnh trn, spid1 vn l 11 v 22.. Ta ch rng trong trng trnh simulation Boson Netsim khc 1 cht so vi cu hnh thc t, chng ta phi thm dial string v trong lnh isdn spid1 ch cn ch s spid1 l , khng cn phi ch ra s in thoi trong lnh ny. Sau y l cu hnh trn Router VSIC1 vo VSIC2 ca Boson Netsim, khi cu hnh xong ta test bng lnh ping gia 2 u router VSIC1 v VSIC2.



BI 28: CU HNH ISDN DDR 1. Gii thiu :

ISDN (Integrated Services Digital Network) l mng s tch hp a dch v, cung cp cho chng ta nhiu loi hnh dch v s khc nhau, bao gm : data v thoi. ISDN cho php truyn cc knh s ng thi trn dy in thoi thng thng.

K thut dial-on-demand routing (DDR) c pht trin bi Cisco cho php chng ta s dng ng dy in thoi to thnh mt mng WAN. DDR cho php router thc hin kt ni khi c traffic c gi v ngt kt ni khi khng cn n. iu ny gip chng ta tit kim c chi ph rt nhiu.

Trong k thut DDR, ch khi gp interesting traffic router mi thc hin kt ni, ngoi ra th khng. iu ny gip chng ta qun l c mng tt hn.

Ngoi ra, DDR s dng idle timeout xc nh thi gian router ngt kt ni nu nh khng c interesting traffic no c gi.

2. Cc cu lnh s dng trong bi lab :

isdn switch-type switch-type Cu hnh loi ca ISDN switch

isdn spid1 spidnumber [ldn] Cu hnh s SPID v ldn

dialer-list dialer-group-num protocol protocol-name {permit | deny | list access-list-number} To dialer list nh ngha intersting traffic cho router.

dialer-group group-number Nhng dialer list vo mt interface

dialer idle-timeout seconds Cu hnh thi gian idle-timeout

dialer poolmember number To dialer pool

dialer pool number Nhng mt dialer interface vo dialer pool

dialer remotename username Cu hnh tn ca router u xa

dialer string dialstring Cu hnh s quay kt ni vi router u xa




Trong bi Lab ny chng ta s dng hai router c cng BRI v thit b m phng mi trng ISDN. Cp ni t cng BRI ca router n thit b m phng mi trng BRI l cp thng. Chng ta khi to Loopback 0, Loopback 1, Loopback 2 c hai router. a ch cc cng c ch thch ngay trn hnh. Password ca c hai router l : cisco 4. Mc tiu bi lab :

Cu hnh kt ni gia hai router thng qua mi trng ISDN trong ch d Dial-on-demand routing (DDR) s dng interface dialer. 5. Cu hnh router :

Bc 1: cu hnh tn router, cc interface loopback v m ng telnet hai router

VSIC1#sh run Current configuration : 1301 bytes version 12.1 hostname VSIC1 enable password cisco interface Loopback0 ip address 10.1.0.1 255.255.255.0 interface Loopback1 ip address 11.1.0.1 255.255.255.0 interface Loopback2 ip address 12.1.0.1 255.255.255.0 line con 0 line aux 0 line vty 0 4 password cisco login end VSIC2#sh run Current configuration : 1204 bytes version 12.1 hostname VSIC2 enable password cisco interface Loopback0 ip address 13.1.0.1 255.255.255.0 interface Loopback1 ip address 14.1.0.1 255.255.255.0 interface Loopback2 ip address 15.1.0.1 255.255.255.0 line con 0 line aux 0 line vty 0 4 password cisco login end



Bc 2: Cu hnh loi ISDN Switch s dng v s SPID v ldn.

S SPID v ldn c cung cp bi nh cung cp dch v ISDN. VSIC1#conf t VSIC1(config)#isdn switch-type basic-net3 Cu hnh loi ISDN witch VSIC1(config)# in bri0 VSIC1(config-if)#isdn spid1 21 21 Cu hnh s SPID v ldn VSIC2#conf t VSIC2(config)#isdn switch-type basic-net3 VSIC2(config)# in bri0 VSIC2(config-if)#isdn spid1 11 11

Bc 3 : nh tuyn cho cc router

y chng ta dng Static route nh tuyn cho cc router ch khng dng cc giao thc nh tuyn ng nh RIP, IGRP L do ta phi dng static route se c gii thch mc Nguyn nhn khng nn dng cc giao thc nh tuyn ng trong cu hnh ISDN DDR

VSIC1#conf t VSIC1(config)#ip route 13.1.0.0 255.255.255.0 192.168.0.2 VSIC1(config)#ip route 14.1.0.0 255.255.255.0 192.168.0.2 VSIC1(config)#ip route 15.1.0.0 255.255.255.0 192.168.0.2

VSIC2#conf t VSIC2(config)#ip route 10.1.0.0 255.255.255.0 192.168.0.1 VSIC2(config)#ip route 11.1.0.0 255.255.255.0 192.168.0.1 VSIC2(config)#ip route 12.1.0.0 255.255.255.0 192.168.0.1

Bc 4 : Cu hnh interesting traffic

Router ch thc hin kt ni khi v ch khi gp cc interesting traffic; ngoi ra, router s khng kt ni. Interesting traffic c nh ngha cho router bng : loi traffic, ngun hoc ch n ca mt gi tin. (thng qua access list). Interesting traffic c cu hnh bng cu lnh dialer-list. Trong bi ny, i vi router VSIC1, chng ta cu hnh interesting traffic l tt c cc traffic khc traffic telnet n mng 14.1.0.0/24. Chng ta dng Extended access list cu hnh.

VSIC1#conf t VSIC1(config)#access-list 101 deny tcp any 14.1.0.0 0.0.0.255 eq telnet VSIC1(config)#access-list 101 permit ip any any VSIC1(config)#dialer-list 1 protocol ip list 1

i vi router VSIC2, cu hnh cc traffic ca mng 13.1.0.0/24 v 14.1.0.0/24 l interesting traffic. Chng ta dng Standard access list cu hnh.

VSIC2#conf t VSIC2(config)#access-list 1 permit 13.1.0.0 0.0.0.255 VSIC2(config)#access-list 1 permit 14.1.0.0 0.0.0.255 VSIC2(config)#dialer-list 1 protocol ip list 1

Bc 5 : Cu hnh interface dialer cho router



Trong bi chng ta s dng PPP thay cho HDLC v PPP c tnh bo mt cao. Mc nh ca router Cisco s dng HDLC.

VSIC1(config)#username VSIC2 password cisco VSIC1(config-if)#in bri0 VSIC1(config-if)#encapsulation ppp VSIC1(config-if)#ppp authentication chap VSIC1(config-if)#dialer pool-member 1 Cu hnh interface BRI0 thuc dialer pool 1 VSIC1(config-if)#no shut VSIC1(config-if)#exit VSIC1(config)#in dialer 1 VSIC1(config-if)# ip address 192.168.0.1 255.255.255.0 VSIC1(config-if)#encapsulation ppp VSIC1(config-if)#ppp authentication chap VSIC1(config-if)#dialer remote-name VSIC2 Cu hnh tn router kt ni VSIC1(config-if)#dialer string 11 Cu hnh s gi cho router VSIC1(config-if)#dialer pool 1 Cu hnh interface dialer 1 thuc pool 1 VSIC1(config-if)#dialer idle-timeout 180 Router s ngt kt ni nu nh khng c traffic no truyn trong khong thi gian cu hnh VSIC1(config-if)#dialer-group 1 S dng dialer list 1 cho interface ny VSIC1(config-if)#no shut VSIC1(config-if)#exit

Cu hnh tng t cho router VSIC2

VSIC2(config)#username VSIC1 password cisco VSIC2(config-if)#in bri0 VSIC2(config-if)#encapsulation ppp VSIC2(config-if)#ppp authentication chap VSIC2(config-if)#dialer pool-member 1 VSIC2(config-if)#no shut VSIC2(config-if)#exit VSIC2(config)#in dialer 0 VSIC2(config-if)# ip address 192.168.0.2 255.255.255.0 VSIC2(config-if)#encapsulation ppp VSIC2(config-if)#ppp authentication chap VSIC2(config-if)#dialer remote-name VSIC1 VSIC2(config-if)#dialer string 21 VSIC2(config-if)#dialer pool 1 VSIC2(config-if)#dialer idle-timeout 180 VSIC2(config-if)#dialer-group 1 VSIC2(config-if)#no shut VSIC2(config-if)#exit

6. Kim tra kt qu :

Kim tra trng thi kt ni ca interface BRI0 VSIC1#sh isdn status



Global ISDN Switchtype = basic-net3 ISDN BRI0 interface dsl 0, interface ISDN Switchtype = basic-net3 Layer 1 Status: ACTIVE Layer 2 Status: TEI = 64, Ces = 1, SAPI = 0, State = MULTIPLE_FRAME_ESTABLISHED Layer 3 Status: 1 Active Layer 3 Call(s) CCB:callid=8004, sapi=0, ces=1, B-chan=1, calltype=DATA Active dsl 0 CCBs = 1 The Free Channel Mask: 0x80000002 Number of L2 Discards = 0, L2 Session ID = 0 Total Allocated ISDN CCBs = 1

Nu cu hnh ng th trng thi ca Layer 1 l ACTIVE v Layer 2 l MULTIPLE_FRAME_ESTABLISHED.

Kim tra cc interesting traffic. ng router VSIC2, chng ta ping t interface loopback 1 (14.1.0.1) n interface loopback 2 (12.1.0.1) ca router VSIC1 VSIC2#ping

Protocol [ip]: Target IP address: 12.1.0.1 Repeat count [5]: Datagram size [100]: Timeout in seconds [2]: Extended commands [n]: y Source address or interface: 14.1.0.1 Type of service [0]: Set DF bit in IP header? [no]: Validate reply data? [no]: Data pattern [0xABCD]: Loose, Strict, Record, Timestamp, Verbose[none]: Sweep range of sizes [n]:

Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 12.1.0.1, timeout is 2 seconds:

00:30:15: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up 00:30:15: %DIALER-6-BIND: Interface BR0:1 bound to profile Di0.!!!! Success rate is 80 percent (4/5), round-trip min/avg/max = 32/35/36 ms 00:30:16: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1,

changed state to up 00:30:21: %ISDN-6-CONNECT: Interface BRI0:1 is now connected to 21

VSIC1 Nhn xt : ping thnh cng v router VSIC2 thc hin kt ni vi router VSIC1 s dng interface dialer 0



Chng ta dng cu lnh show isdn active xem nhng thng tin v cuc kt ni hin hnh VSIC2#sh isdn active ISDN ACTIVE Call Type

Calling Number

Called Number

Remote Name

Seconds Used

Seconds Left

Seconds Idle

Charges Units/currency

Out 21 VSIC1 14 167 12 0 Cn 167 giy na th router s ngt kt ni nu nh khng c interesting traffic no gi qua ng kt ni. Chng ta ch khong 180 giy na kim tra vic router ngt kt ni t ng (Lu : khng ping bt c mng no!) Sau 180 giy chng ta s c kt qu nh sau : VSIC2#

00:33:16: %DIALER-6-UNBIND: Interface BR0:1 unbound from profile Di0 00:33:16: %ISDN-6-DISCONNECT: Interface BRI0:1 disconnected from 21 VSIC1, call lasted 181 seconds 00:33:17: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down 00:33:18: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed state to down

Router ngt t ng ngt kt ni khi khng c interesting traffic no c gi qua ng truyn. Lm li cc bc trn kim tra cc interesting traffic cn li ca router VSIC2. VSIC2#ping

Protocol [ip]: Target IP address: 10.1.0.1 Repeat count [5]: Datagram size [100]: Timeout in seconds [2]: Extended commands [n]: y Source address or interface: 13.1.0.1 Type of service [0]: Set DF bit in IP header? [no]: Validate reply data? [no]: Data pattern [0xABCD]: Loose, Strict, Record, Timestamp, Verbose[none]: Sweep range of sizes [n]:

Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 12.1.0.1, timeout is 2 seconds: 00:30:15: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up 00:30:15: %DIALER-6-BIND: Interface BR0:1 bound to profile Di0.!!!! Success rate is 80 percent (4/5), round-trip min/avg/max = 32/35/36 ms 00:30:16: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed

state to up 00:30:21: %ISDN-6-CONNECT: Interface BRI0:1 is now connected to 21 VSIC1

v sau 180 giy, ta c :



VSIC2# 00:33:16: %DIALER-6-UNBIND: Interface BR0:1 unbound from profile Di0 00:33:16: %ISDN-6-DISCONNECT: Interface BRI0:1 disconnected from 21 VSIC1, call lasted 181 seconds 00:33:17: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down 00:33:18: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed state to down

Khi ta thc hin ping mt mng no ca router VSIC1 t interface loopback 2 (15.1.0.1) th router s khng kt ni. Do cc gi tin t mng 15.1.0.0/24 khng phi l interesting traffic. VSIC2#ping

Protocol [ip]: Target IP address: 11.1.0.1 Repeat count [5]: Datagram size [100]: Timeout in seconds [2]: Extended commands [n]: y Source address or interface: 15.1.0.1 Type of service [0]: Set DF bit in IP header? [no]: Validate reply data? [no]: Data pattern [0xABCD]: Loose, Strict, Record, Timestamp, Verbose[none]: Sweep range of sizes [n]: Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 11.1.0.1, timeout is 2 seconds: ..... Success rate is 0 percent (0/5) VSIC2#sh isdn active

ISDN ACTIVE Call Type

Calling Number

Called Number

Remote Name

Seconds Used

Seconds Left

Seconds Idle


By gi chng ta se kim tra interesting traffic ca router VSIC1. ng router VSIC1, chng ta ping n 14.1.0.1 t mt interface loopback bt k.

VSIC1#ping Protocol [ip]: Target IP address: 14.1.0.1 Repeat count [5]: Datagram size [100]: Timeout in seconds [2]: Extended commands [n]: y Source address or interface: 10.1.0.1 Type of service [0]: Set DF bit in IP header? [no]:



Validate reply data? [no]: Data pattern [0xABCD]: Loose, Strict, Record, Timestamp, Verbose[none]: Sweep range of sizes [n]: Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 14.1.0.1, timeout is 2 seconds: 00:38:30: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up 00:38:30: %DIALER-6-BIND: Interface BR0:1 bound to profile Di1.!!!! Success rate is 80 percent (4/5), round-trip min/avg/max = 32/34/36 ms VSIC1# 00:38:31: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1,

changed state to up VSIC1# 00:38:36: %ISDN-6-CONNECT: Interface BRI0:1 is now connected to 11 VSIC2

Nhn xt : router thc hin kt ni vi router VSIC2, v gi tin c truyn i. Ch sau 180 giy router t ng ngt kt ni. Sau chng ta thc hin telnet n 14.1.0.1.

VSIC1#telnet 14.1.0.1 Trying 14.1.0.1 ... % Connection timed out; remote host not responding

Nhn xt : chng ta khng th telnet c. Nguyn nhn l do chng ta cm telnet n mng 14.1.0.0 t bt k mt mng no(access-list 101 deny tcp any 14.1.0.0 0.0.0.255 eq telnet). Do , traffic telnet n 14.1.0.1 khng phi l interesting traffic nn router khng thc hin kt ni.

Chng ta telnet n 13.1.0.1 : VSIC1#telnet 13.1.0.1 Trying 13.1.0.1 ... 00:42:30: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up 00:42:30: %DIALER-6-BIND: Interface BR0:1 bound to profile Di1 open 00:42:31: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed

state to up 00:42:36: %ISDN-6-CONNECT: Interface BRI0:1 is now connected to 11 VSIC2 User Access Verification Password: cisco Chng ta nhp password l cisco telnet vo VSIC2 VSIC2>

Nhn xt : router thc hin kt ni. Do chng ta telnet vo mng 13.1.0.0/24 ch khng phi mng 14.1.0.0. y l mt interesting traffic.

7. Nguyn nhn khng nn dng cc giao thc nh tuyn ng trong cu hnh ISDN

DDR thy c nguyn nhn chng ta s cu hnh giao thc RIP trn c 2 router thay cho

static route.



Chng ta xa NVRAM, reload c hai route trc khi cu hnh li cc router nh sau :

VSIC1#sh run Building configuration... Current configuration : 1205 bytes version 12.1 no service single-slot-reload-enable service timestamps debug uptime service timestamps log uptime no service password-encryption hostname VSIC1 enable password cisco username VSIC2 password cisco isdn switch-type basic-net3 interface Loopback0 ip address 10.1.0.1 255.255.255.0 interface Loopback1 ip address 11.1.0.1 255.255.255.0 interface Loopback2 ip address 12.1.0.1 255.255.255.0 interface BRI0 no ip address encapsulation ppp dialer pool-member 1 isdn switch-type basic-net3 isdn spid1 21 21 ppp authentication chap interface Dialer1 ip address 192.168.0.1 255.255.255.0 encapsulation ppp dialer pool 1 dialer remote-name VSIC2 dialer idle-timeout 180 dialer string 11 dialer-group 1 ppp authentication chap



access-list 1 permit any dialer-list 1 protocol ip list 1 router rip network 10.0.0.0 network 11.0.0.0 network 12.0.0.0 network 192.168.0.0 line con 0 line aux 0 line vty 0 4 password cisco login end VSIC2#sh run Building configuration... Current configuration : 1150 bytes version 12.1 hostname VSIC2 enable password cisco username VSIC1 password cisco isdn switch-type basic-net3 interface Loopback0 ip address 13.1.0.1 255.255.255.0 interface Loopback1 ip address 14.1.0.1 255.255.255.0 interface Loopback2 ip address 15.1.0.1 255.255.255.0 interface BRI0 no ip address encapsulation ppp dialer pool-member 1 isdn switch-type basic-net3 isdn spid1 11 11 ppp authentication chap interface Dialer0 ip address 192.168.0.2 255.255.255.0 encapsulation ppp dialer pool 1 dialer remote-name VSIC1 dialer idle-timeout 180 dialer string 21 dialer-group 1 ppp authentication chap



access-list 1 permit any dialer-list 1 protocol ip list 1 router rip network 13.0.0.0 network 14.0.0.0 network 15.0.0.0 network 192.168.0.0 line con 0 line aux 0 line vty 0 4 password cisco login end S dng cu lnh show ip route kim tra li bng nh tuyn ca cc router : VSIC2#sh ip Gateway of last resort is not set R 10.0.0.0/8 [120/1] via 192.168.0.1, 00:00:03, Dialer0 R 11.0.0.0/8 [120/1] via 192.168.0.1, 00:00:03, Dialer0 192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks C 192.168.0.0/24 is directly connected, Dialer0 C 192.168.0.1/32 is directly connected, Dialer0 R 12.0.0.0/8 [120/1] via 192.168.0.1, 00:00:03, Dialer0 13.0.0.0/24 is subnetted, 1 subnets C 13.1.0.0 is directly connected, Loopback0 14.0.0.0/24 is subnetted, 1 subnets C 14.1.0.0 is directly connected, Loopback1 15.0.0.0/24 is subnetted, 1 subnets C 15.1.0.0 is directly connected, Loopback2

Kim tra li kt ni hin hnh bng lnh show isdn active (lc ny hai router kt

ni vi nhau, do ta cu hnh tt c cc gi tin u l interesting traffic : access-list 1 permit any nn khi RIP gi cc gi routing update th router t ng kt ni).

VSIC1#sh isdn active ISDN ACTIVE Call Type

Calling Number

Called Number

RemoteName

SecondsUsed

SecondsLeft

Seconds Idle

ChargesUnits/currency

Out 11 VSIC2 350 152 27 0

C sau khong 30 giy chng ta lp li cu lnh show isdn active kim tra thi gian cn li router ngt kt ni (Lu : khng truyn bt k mt traffic no qua li gia hai router ta c c kt qu chnh xc)

VSIC1#sh isdn active ISDN ACTIVE Call Calling Called Remote Seconds Seconds Seconds Charges



Type Number Number Name Used Left Idle Units/currency Out 11 VSIC2 359 171 8 0


Calling Number

Called Number

Remote Name

SecondsUsed

SecondsLeft

SecondsIdle


Out 11 VSIC2 375 154 25 0


Calling Number

Called Number

Remote Name

Seconds Used

Seconds Left

Seconds Idle


Out 11 VSIC2 377 179 0 0 Nhn xt : thi gian cn li router t ng ngt kt ni (idle-timeout) khng bao gi xung c 0. Do giao thc RIP c 30 giy gi update mt ln. Tng t cho cc giao thc nh tuyn ng khc. Trong trng hp thi gian idle-timeout nh hn 30 giy th router s ng ngt kt ni lin tc. V vy chng ta khng nn s dng nh tuyn ng trong cu hnh ISDN DDR. S dng static route s cho hiu qu cao hn.



BI 29: CU HNH FRAME RELAY CN BN

1. Gii thiu :

Frame Relay l k thut m rng ca k thut ISDN. Frame relay s dng k thut chuyn mch gi thit lp mt mng WAN. Frame Relay to ra nhng ng kt ni o ni cc mng LAN li vi nhau to thnh mt mng WAN. Mng Frame Relay s dng cc switch kt ni cc mng li vi nhau. K thut Frame Relay c s dng rng ri ngy nay, do c gi thnh r hn rt nhiu so vi leased line.

Frame Relay hot ng lp Data link trong OSI v s dng giao thc LAPF (Link Access Procedure for Frame Relay). Frame Relay s dng cc frame chuyn d liu qua li gia cc thit b u cui ca user (DTE) thng qua cc thit b DCE ca mng Frame Relay.

ng kt ni gia hai DTE thng qua mng Frame Relay c gi l mt mch o (VC : Virtual Circuit). Cc VC c thit lp bng cch gi cc thng ip bo hiu (signaling message) n mng; c gi l switched virtual circuits (SVCs). Nhng ngy nay, ngi ta thng s dng permanent virtual circuits (PVCs) to kt ni. PVC l cc ng kt ni c cu hnh trc bi cc Frame Relay Switch v cc thng tin chuyn mch ca gi c lu trong switch.

Trong Frame Relay, nu mt frame b li th s b hy ngay m khng c mt thng bo no.

Cc router ni vi mng Frame Relay c th c nhiu ng kt ni o n nhiu mng khc nhau. Do , Frame Relay gip chng ta tit kim rt nhiu v khng cn cc mng phi lin kt trc tip vi nhau.

Cc ng kt ni o (VC) c cc DLCI (Data Link Channel Identifier) ca ring n. DLCI c cha trong cc frame khi n c chuyn i trong mng Frame Relay.

Trong Frame Relay, ngi ta thng s dng mng hnh sao kt ni cc mng LAN vi nhau hnh thnh mt mng WAN (c gi l hub and spoke topology)

trong hnh ny, mng trung tm c gi l hub, cc mng remote1, remote2, remote3, remote4 v remote5 c gi l spoke. Mi spoke ni vi hub bng mt ng kt ni o (VC). Trong hnh trn nu ta mun cc spoke c th lin lc c vi nhau th ch cn to



ra cc VC gia cc spoke vi nhau. hnh ny gip ta to ra mt mng WAN c gi thnh r hn rt nhiu so vi s dng leased line, do cc mng ch cn mt ng ni vi mng Frame Relay.

Frame Relay s dng split horizon chng lp. Split horizon khng cho php routing update tr ngc v interface gi. V trong frame relay, chng ta c th to nhiu ng PVC trn mt interface vt l, do s b lp nu khng c split horizon. Trong mng WAN s dng leased line, cc DTE c ni trc tip vi nhau nhng trong mng s dng Frame Relay, cc DTE c ni vi nhau thng qua mt mng Frame Relay gm nhiu Switch. Do chng ta phi map a ch lp mng Frame Relay vi a ch IP ca DTE u xa. Chng ta c th map bng cch s dng cc cu lnh. Nhng vic ny c th c thc hin t ng bng LMI v Inverse ARP. LMI (Local Management Interface) c trao i gia DTE v DCE (Frame Relay switch), c dng kim tra hot ng v thng bo tnh trng ca VC, iu khin lung, v cung cp s DLCI cho DTE. LMI c nhiu loi l : cisco (chun ring ca Cisco), ansi (theo chun ANSI Annex D) v q933a (theo chun ITU q933 Annex A). Khi router mi c ni vi mng Frame Relay, router s gi LMI n mng hi tnh trng. Sau mng s gi li router mt thng ip LMI vi cc thng s ca ng VC c cu hnh. Khi router mun map mt VC vi a ch lp mng, router s gi thng ip Inverse ARP bao gm a ch lp mng (IP) ca router trn ng VC n vi DTE u xa. DTE u xa s gi li mt Inverse ARP bao gm a ch lp mng ca n, t router map a ch ny vi s DLCI ca VC. 2. Cc cu lnh s dng trong bi lab :

encapsulation framerelay [cisco | ietf] Cu hnh giao thc ng gi Frame Relay cho interface. Router h tr hai loi ng gi Frame Relay l Cisco v ietf.

framerelay intftype [dce | dte | nni] Cu hnh cho loi Frame Relay switch cho interface. S dng cho router ng vai tr l mt frame relay switch.

framerelay lmitype {ansi | cisco | q933a} Cu hnh loi LMI s dng cho router

framerelay route indlci outinterface outdlci To PVC gia cc interface trn router ng vai tr l mt frame relay switch

framerelay switching Cu hnh cho router hot ng nh mt frame relay switch

show framerelay pvc [type number [dlci]] Xem thng s ca cc ng PVC c cu hnh trm router

show framerelay route Xem tnh trng cng nh thng s c cu hnh cho cc ng PVC. Cu lnh ny c s dng cho router ng vai tr l frame relay switch

show framerelay map Xem cc thng s v map gia DLCI u gn vi IP u xa

show framerelay lmi [type number] Xem cc thng s ca LMI gia router vi Frame relay switch.




hnh bi lab nh hnh trn. Router FrameSwitch c cu hnh l mt frame relay switch. Hai u cp serial ni vi router FrameSwitch l DCE. Router VSIC1 v VSIC2 s dng giao thc RIP. 4. Cu hnh router :

Chng ta cu hnh cho cc interface ca router VSIC1 v VSIC2 nh sau :

VSIC1#sh run Building configuration... Current configuration : 599 bytes version 12.1 hostname VSIC1 interface Loopback0 ip address 10.1.0.1 255.255.255.0 interface Serial0 ip address 192.168.1.1 255.255.255.0 router rip network 10.0.0.0 network 192.168.1.0 end VSIC2#sh run Building configuration... Current configuration : 601 bytes version 12.1 hostname VSIC2 interface Loopback0 ip address 11.1.0.1 255.255.255.0 interface Serial0 ip address 192.168.1.2 255.255.255.0 router rip



network 11.0.0.0 network 192.168.1.0 end

Chng ta tin hnh cu hnh frame realy cho hai router VSIC1 v VSIC2 VSIC1(config)#in s0 VSIC1(config-if)#encapsulation frame-relay S dng giao thc ng gi Frame Relay cho interface S0 VSIC1(config-if)#frame-relay lmi-type ansi Cu hnh kiu ca LMI l ANSI VSIC2(config)#in s0 VSIC2(config-if)#encapsulation frame-relay VSIC2(config-if)#frame-relay lmi-type ansi Sau khi cu hnh frame relay cho router VSIC1 v VSIC2, chng ta s cu hnh cho router FrameSwitch tr thnh mt frame relay switch nh sau : FrameSwitch(config)#frame-relay switching Cu hnh cho router tr thnh mt Frame Relay Switch FrameSwitch(config)#in s0 FrameSwitch(config-if)#encapsulation frame-relay FrameSwitch(config-if)#frame-relay lmi-type ansi FrameSwitch(config-if)#frame-relay intf-type dce Cu hnh interface serial 0 l Frame Relay DCE FrameSwitch(config-if)#clock rate 64000 Cung cp xung clock 64000 bps cho DTE FrameSwitch(config-if)#frame-relay route 102 interface s1 201

FrameSwitch(config-if)#no shut FrameSwitch(config)#in s1

FrameSwitch(config-if)#encapsulation frame-relay FrameSwitch(config-if)#frame-relay lmi-type ansi FrameSwitch(config-if)#frame-relay intf-type dce FrameSwitch(config-if)#clock rate 64000 FrameSwitch(config-if)#frame-relay route 201 interface s0 102

FrameSwitch(config-if)#no shut Cu lnh frame-relay route 102 interface s1 201 c ngha : bt k mt frame relay traffic no c DLCI l 102 n interface serial 0 ca router s c gi ra interface serial 1 vi DLCI l 201. Tng t cho cu lnh frame-relay route 201 interface s0 102 : bt k frame relay traffic no c DCLI l 201 n interface serial 1 s c gi ra serial 0 vi DLCI l 102. Hai cu lnh trn c s dng to ra mt PVC gia S0 v S1. kim tra xem router FrameSwitch c hot ng nh mt frame relay switch hay cha chng ta s dng cu lnh show frame-relay pvc

FrameSwitch#sh frame-relay pvc PVC Statistics for interface Serial0 (Frame Relay DCE) Active Inactive Deleted Static Local 0 0 0 0 Switched 1 0 0 0 Unused 0 0 0 0



DLCI = 102, DLCI USAGE = SWITCHED, PVC STATUS = ACTIVE, INTERFACE = Serial0 input pkts 3 output pkts 3 in bytes 186 out bytes 166 dropped pkts 1 in FECN pkts 0 in BECN pkts 0 out FECN pkts 0 out BECN pkts 0 in DE pkts 0 out DE pkts 0 out bcast pkts 0 out bcast bytes 0 Num Pkts Switched 3 pvc create time 00:01:04, last time pvc status changed 00:00:40 PVC Statistics for interface Serial1 (Frame Relay DCE) Active Inactive Deleted Static Local 0 0 0 0 Switched 1 0 0 0 Unused 0 0 0 0 DLCI = 201, DLCI USAGE = SWITCHED, PVC STATUS = ACTIVE, INTERFACE = Serial1 input pkts 4 output pkts 3 in bytes 200 out bytes 186 dropped pkts 0 in FECN pkts 0 in BECN pkts 0 out FECN pkts 0 out BECN pkts 0 in DE pkts 0 out DE pkts 0 out bcast pkts 0 out bcast bytes 0 Num Pkts Switched 3 pvc create time 00:00:45, last time pvc status changed 00:00:43

DLCI USAGE ch cho ta bit hai interface S0, S1 hot ng ch frame relay switch v ACTIVE. ng thi thng bo ca cu lnh cn cho ta bit c s gi c chuyn mch qua interface (Num Pkts Switched 3).

Nh vy, t kt qu trn ta bit c rng router FrameSwitch ang hot ng nh mt Frame Relay Switch. Chng ta s kim tra tnh trng ca LMI gia router FrameSwitch v hai router VSIC1, VSIC2 bng cu lnh show frame lmi

FrameSwitch#show frame lmi LMI Statistics for interface Serial0 (Frame Relay DCE) LMI TYPE = ANSI Invalid Unnumbered info 0 Invalid Prot Disc 0 Invalid dummy Call Ref 0 Invalid Msg Type 0 Invalid Status Message 0 Invalid Lock Shift 0 Invalid Information ID 0 Invalid Report IE Len 0 Invalid Report Request 0 Invalid Keep IE Len 0 Num Status Enq. Rcvd 20 Num Status msgs Sent 20 Num Update Status Sent 0 Num St Enq. Timeouts 0 LMI Statistics for interface Serial1 (Frame Relay DCE) LMI TYPE = ANSI Invalid Unnumbered info 0 Invalid Prot Disc 0 Invalid dummy Call Ref 0 Invalid Msg Type 0



Invalid Status Message 0 Invalid Lock Shift 0 Invalid Information ID 0 Invalid Report IE Len 0 Invalid Report Request 0 Invalid Keep IE Len 0 Num Status Enq. Rcvd 16 Num Status msgs Sent 16 Num Update Status Sent 0 Num St Enq. Timeouts 0

Cu lnh cho ta bit c thng tin ca tt c cc interface ca router hot ng ch Frame relay. ( y l interface S0 v S1)

By gi chng ta s kim tra cc frame relay route trn router Frameswitch bng cu lnh show frame route

FrameSwitch#sh frame-relay route Input Intf Input Dlci Output Intf Output Dlci Status Serial0 102 Serial1 201 active Serial1 201 Serial0 102 active Kt qu cu lnh cho chng ta bit rng traffic n interface serial 0 vi DLCI 102s c chuyn mch qua serial 1 vi DLCI 201; ngc li, traffic n serial 1 vi DLCI 201 s c chuyn mch qua serial 0 vi DLCI 102. ng thi cu lnh cng ch ra l c hai DLCI u hot ng. Chuyn sang router VSIC1, chng ta s kim tra xem DLCI 102 trn interface serial 0 c hot ng hay cha bng cch : VSIC1#sh frame-relay pvc PVC Statistics for interface Serial0 (Frame Relay DTE) Active Inactive Deleted Static Local 1 0 0 0 Switched 0 0 0 0 Unused 0 0 0 0 DLCI = 102, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0 input pkts 8 output pkts 7 in bytes 646 out bytes 570 dropped pkts 0 in FECN pkts 0 in BECN pkts 0 out FECN pkts 0 out BECN pkts 0 in DE pkts 0 out DE pkts 0 out bcast pkts 7 out bcast bytes 570 pvc create time 00:02:58, last time pvc status changed 00:02:38

Nhn xt : Interface serial 0 ca router VSIC1 hot ng nh mt frame relay DTE, v DLCI 102 hot ng.

Mc nh Cisco s dng Inverse ARP map a ch IP u xa ca PVC vi DLCI ca interface u gn. Do chng ta khng cn phi thc hin thm bc ny. kim tra vic ny chng ta s dng cu lnh show frame-relay map VSIC1#sh frame-relay map

Serial0 (up): ip 192.168.1.2 dlci 102(0xC9,0x3090), dynamic, broadcast, status defined, active



Kt qu cu lnh cho ta bit, DLCI 102 hot ng trn interface serial 0 v c map vi a ch IP 102.168.1.2 ca interface serial 0 VSIC2, v vic map ny l t ng. Lp li cc bc tng t kim tra cho router VSIC2

VSIC2#sh frame-relay pvc PVC Statistics for interface Serial0 (Frame Relay DTE) Active Inactive Deleted Static Local 1 0 0 0 Switched 0 0 0 0 Unused 0 0 0 0 DLCI = 201, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0 input pkts 10 output pkts 11 in bytes 858 out bytes 934 dropped pkts 0 in FECN pkts 0 in BECN pkts 0 out FECN pkts 0 out BECN pkts 0 in DE pkts 0 out DE pkts 0 out bcast pkts 11 out bcast bytes 934 pvc create time 00:04:05, last time pvc status changed 00:04:05 VSIC2#sh frame-relay map

Serial0 (up): ip 192.168.1.1 dlci 201(0xC9,0x3090), dynamic, broadcast,, status defined, active

Nhn xt : DLCI 201 hot ng trn interface serial 0 ca VSIC2 v c map vi a ch IP 192.168.1.1

By gi chng ta s kim tra cc mng c th lin lc c vi nhau cha bng cch ln lt ng hai router v ping n cc interface loopback ca router u xa. VSIC1#ping 11.1.0.1

Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 11.1.0.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 60/60/60 ms VSIC2#ping 10.1.0.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.1.0.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 60/60/64 ms

Nh vy, cc mng c th lin lc c vi nhau. V router FrameSwitch thc hin tt chc nng frame relay switch. 5. T thc hnh bng Dynagen:

Chy file lab29frcb.net thc hnh vi s sau:

ccna_part2

Documents