1
Configuring Network Settings
Working at a Small-to-Medium Business or ISP, Chapter 5
2
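Objectives
Perform the initial configuration of a router.
Use Cisco SDM to configure a Cisco ISR for LAN connectivity, Internet connectivity, and NAT.
Use the Cisco IOS CLI of the Cisco IOS software to configure a Cisco router for LAN connectivity, Internet connectivity, and NAT.
Configure a WAN connection between the customer premises and the ISP.
Describe, install, and configure a stand-alone LAN switch.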
3
Contents
5.1 Initial ISR Router Configuration
5.2 Configuring an ISR with SDM
5.3 Configuring a Router Using IOS CLI
5.4 Initial Cisco 2960 Switch Configuration
5.5 Connecting the CPE to the ISP
4
5.1 Initial ISR Router Configuration
5
5.1.1 Integrated Services Router (ISR)
The Cisco Integrated Services Router (ISR) is one of the most popular series of networking devices designed to support growing business needs. The ISR combines features such as routing and switching functions, security, voice, LAN and WAN connectivity into a single device. This makes the ISR ideal for small to medium-sized businesses and for ISP managed customers.
6
5.1.1 Integrated Services Router (ISR)
System power LED (SYS-PWR); system activity LED (SYS ACT)
7
5.1.1 Integrated Services Router (ISR)
High-speed WAN Interface Card (HWIC) Slots: Compact Flash Module: Single Slot USB Port: Fast Ethernet Ports: Console Port: Four Port Ethernet Switch:
8
5.1.1 Integrated Services Router (ISR)
The Cisco Internetwork Operating System (IOS) software provides features that enable a Cisco device to send and receive network traffic using a wired or wireless network. IOS software is offered to customers in modules called images. These images support various features for businesses of every size.
The entry-level Cisco IOS software image is called the IP Base image. The Cisco IOS IP Base software supports small to medium-sized businesses and supports routing between networks. Other Cisco IOS software images add services to the IP Base image. For example, to use advanced security features, install the Advanced Security image. This gives the added functionality necessary to configure advanced security capabilities, private networking and firewalls.
There are many different IOS images available, as well as different versions of each image. These images are designed to operate on specific models of routers, switches and ISRs. It is important to know what image and version is loaded on a device before beginning the configuration process.
9
5.1.2 Physical Setup of the ISR
A new Cisco 1841 ISR ships with the following items:
One RJ45-to-DB9 console cable
One DB-9-to-DB-25 modem adapter
One power cord
Product registration card (also called the Cisco.com card)
Regulatory compliance and safety information for Cisco 1841 routers
Router and Security Device Manager (SDM) Quick Start Guide
Cisco 1800 Series Integrated Services Router (Modular) Quick Start Guide
10
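Physical Setup of the ISR
Installing a new Cisco 1841 ISR requires special tools and equipment, which most ISPs and technician workshops have available. Depending on the model of the device and any optional equipment ordered, some additional special equipment may also be required.
In general, the tools needed to install a new device include:
A PC with a terminal emulation program (such as HyperTerminal)
Cable ties and a No. 2 Phillips screwdriver
Cables for the WAN interfaces, LAN interfaces, and USB interfaces
Also required are the equipment and devices needed to connect to WAN and broadband communication services, such as a hub or modem.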
11
5.1.2 Physical Setup of the ISR
Before beginning any equipment installation, be sure to read the Quick Start guide and other documentation that is included with the device. The documentation contains important safety and procedural information to prevent accidental damage to the equipment during installation.
Follow these steps to perform a power up procedure on an 1841 ISR:
1. Securely mount and ground the device chassis, or case.
2. Seat the external compact flash card.
3. Connect the power cable.
4. Configure terminal emulating software on the PC and connect the PC to the console port.
5. Turn on the router.
6. Observe the start-up messages on the PC to check for any errors.
At this point, the device is ready to be configured to participate in the network.
Lab: Powering Up an Integrated Service Router.pdf
12
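5.1.3 In-band and Out-of-band Router Configuration
There are two ways to connect a PC to a network device in order to perform configuration and monitoring tasks: in-band management and out-of-band management.
Out-of-band Management
Out-of-band management requires a computer to be connected directly to the console port or auxiliary port (AUX) of the network device being configured. This type of connection does not require the local network connections on the device to be active. Technicians use out-of-band management to perform the initial configuration of a network device, because a device can join the network only after it has been properly configured. Out-of-band management is also an option when network connectivity is not working correctly and the device cannot be reached over the network. Performing out-of-band management tasks requires a terminal emulation client installed on the PC.
In-band Management
In-band management monitors a network device and makes configuration changes to it over a network connection. For a computer to connect to the device and perform in-band management tasks, the device must be connected to the network through at least one operational network interface. Two TCP/IP protocols can be used to access a Cisco device for in-band management: Telnet and HTTP. They use a Telnet client program and a web browser, respectively, to monitor the network device or change its configuration.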
13
5.1.4 Cisco IOS Programs
The Cisco IOS command line interface (CLI) is a text-based program that enables the entering and executing of Cisco IOS commands to configure, monitor, and maintain Cisco devices. Use CLI commands to alter the configuration of the device and to display the current status of processes on the router. For experienced users, the CLI offers many time-saving features for creating both simple and complex configurations. Almost all Cisco networking devices use a similar CLI.
When the router has completed the power-on sequence and the Router> prompt appears, the CLI can be used to enter Cisco IOS commands. Technicians familiar with the commands and operation of the CLI find it easy to monitor and configure a variety of different networking devices. The Cisco CLI can be used with either in-band or out-of-band management tasks. The CLI has an extensive help system that assists in setting up and monitoring devices.
14
5.1.4 Cisco IOS Programs
In addition to the Cisco IOS CLI, other tools are available to assist in configuring a Cisco router or ISR. Cisco Router and Security Device Manager (SDM) is a graphical user interface (GUI) device management tool. Unlike the CLI, SDM can be used only for in-band management tasks.
SDM Express simplifies initial router configuration. It uses a step-by-step approach to create a basic router configuration quickly and easily. Use the full SDM package to perform more advanced configurations such as:
Configure additional LAN and WAN connections
Create firewalls
Configure VPN connections
Perform security tasks
SDM supports a wide range of Cisco IOS software releases and is available free of charge on many Cisco routers. SDM is pre-installed on the flash memory of the Cisco 1800 Series ISR. If the router comes with SDM installed, Cisco recommends that SDM is used to perform the initial router configuration. This is done by contacting the router via a preset network port on the router.
15
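5.1.4 Cisco IOS Programs
Not all Cisco devices support SDM. In addition, SDM does not support some of the commands that the CLI provides. After SDM has been used for the initial configuration, it is sometimes still necessary to use the CLI to complete the configuration. Supporting Cisco devices therefore requires proficiency in both methods.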
16
5.1.4 Cisco IOS Programs
Determine when to use CLI or SDM
17
5.1.5 Setting Up Configuration Files
Running Configuration File
The term running configuration refers to the current configuration running on the device. It contains the commands used to determine how the device operates on the network. The running configuration is stored within the device working memory. The device working memory is a type of random access memory (RAM) that does not keep information when the power is turned off. The running configuration is lost each time the device is shut down unless the running configuration is saved to the startup configuration file.
Startup Configuration File
The startup configuration file is the saved configuration file that sets the configuration properties of the device each time the device is powered on. This file is stored in nonvolatile random access memory (NVRAM). NVRAM is used to store files that will be saved, even if power to the device is turned off.
When a Cisco router is first powered on, it loads the IOS to working memory. Next, the startup configuration file is copied from NVRAM to RAM. This becomes the initial running configuration. Changes to the running configuration are not automatically saved to the startup configuration file. It is necessary to manually copy the running configuration to the startup configuration file if changes are to be saved when the device is powered off.
Cisco CLI uses the command copy running-config startup-config to save the router's running configuration to the startup configuration. The Cisco SDM has an option that can be set to save the router running configuration to the startup configuration each time a command is completed.
PT: View the Router Configurations.pka
18
5.1.6 Documenting the Router Configuration
In a business, there can be hundreds of employees using software programs that rely on constant network connectivity. Planning the router installation and upgrade is a critical step in minimizing interruptions to employees. Planning enables exploration of options on paper, when it is easy and inexpensive to correct errors.
Technical staff from an ISP usually meet with business customers to plan how to upgrade the routers. Depending on the size of the project, there might be many planning sessions. During those planning sessions, the technician determines:
The configuration of the router to meet customer needs
Software programs that rely on the network that may be affected by the upgrade
The technician works with the client's IT personnel to decide which router configuration to use and to develop the procedure that verifies the router configuration. From this information, a written specification is created. The technician uses this specification to create the configuration checklist.
19
5.1.6 Documenting the Router Configuration
A configuration checklist is a useful tool for ensuring that everything is configured correctly on new router installations. Technicians also use the checklist when troubleshooting previously configured routers.
The configuration checklist provides a list of the most commonly configured components. It typically includes an explanation of each component and its configuration settings. There are many different formats for configuration checklists, including some that are quite complex. ISPs should ensure that support technicians have, and know how to use, router configuration checklists.
20
5.2 Configuring an ISR with SDM
21
5.2.1 Configuring an ISR with SDM
Cisco SDM Express is a tool bundled within the Cisco Router and Security Device Manager that makes it easy to create a basic router configuration. To start using SDM Express, connect a PC network interface card to an Ethernet port on the router or ISR being configured.
SDM Express uses eight configuration steps to assist in creating a basic router configuration: Overview, Basic Configuration, LAN IP Address, DHCP, Internet (WAN), Firewall, Security Settings, and Summary.
The SDM Express windows provide step-by-step guidance to create the initial configuration of the router. After the initial configuration is completed, the router is available on the LAN. The router can also have a WAN connection, a firewall and up to 30 security enhancements configured.
22
5.2.1 Configuring an ISR with SDM
When a new device is added to a network, it is essential to make sure that the device works correctly. The addition of one poorly configured device can cause an entire network to fail.
23
5.2.2 SDM Express
Basic Configuration
The Basic Configuration screen is used to:
Name the router that is being configured
Enter the domain name for the organization
Control access to SDM Express, Cisco Router and Security Device Manager, and the command-line interface (CLI)
The following information must be entered when using the Basic Configuration Wizard:
Host Name: The name of the router.
Domain Name: The domain name for the organization. (An example of a domain name is cisco.com, but domain names can end with a different suffix, such as .org or .net.)
SDM Username and Password: The username and password used to access SDM Express to configure and monitor the router (password must be at least 6 characters long).
Enable Secret Password: The password that controls user access to the router, which affects the ability to make configuration changes using the CLI through Telnet or the console ports (password must be at least 6 characters long).
24
5.2.2 SDM Express
LAN IP Address
To configure the router interface to participate on the connected local network, enter the LAN configuration settings.
IP Address field: The IP address for the LAN interface in dotted-decimal format. The address can be a private IP address if the device is installed in a network that uses Network Address Translation (NAT) or Port Address Translation (PAT). Note: Write down this address. When the router is restarted, this address is the one used to run SDM Express, not the address that was provided in the Quick Start Guide.
Subnet Mask field: The subnet mask for the network. Identifies the network portion of the IP
Subnet Bits field: Number of bits used to define the network portion of the IP. Can be used instead of the subnet mask.
Wireless Parameters fields: Used to specify the SSID of the wireless network. They appear if the router has a wireless interface and Yes was clicked in the Wireless Interface Configuration window.
25
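5.2.2 SDM Express
DHCP
Dynamic Host Configuration Protocol (DHCP) is a simple way to assign IP addresses to host devices. DHCP dynamically allocates an IP address to a network host when the host is powered on, and reclaims the address when the host is powered off. In this way, addresses can be reused when hosts no longer need them. Using SDM Express, the router can be configured as a DHCP server to assign addresses to devices, such as PCs, on the internal local network.
To configure the device for DHCP, enter the following information:
Enable DHCP server on the LAN interface check box: When this box is checked, the router assigns private IP addresses to devices on the LAN. IP addresses are leased to hosts for one day.
Starting IP Address field: The lowest address in the IP address range. By default it is derived from the IP address and subnet mask entered for the LAN interface. The address can be changed if needed, but it must be in the same network (subnet) as the configured LAN interface.
Ending IP Address field: The highest valid address in the IP address range. By default it is derived from the IP address and subnet mask specified for the LAN interface. The address can be changed to reduce the size of the pool. It must be in the same network as the IP address in the Starting IP Address field.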
26
5.2.2 SDM Express
Next, configure the additional DHCP parameters.
Domain Name field: The domain name of the organization. The name is given to hosts as part of the DHCP configuration.
Primary Domain Name Server field: The IP address of the primary DNS server. Used to resolve URLs and names on the network.
Secondary Domain Name Server field: The IP address of a secondary DNS server, if available. Used if the primary DNS server does not respond.
Use these DNS values for DHCP clients check box: When this box is checked, the DHCP server assigns the configured DNS settings to DHCP clients. This option is available if a DHCP server has been enabled on the LAN interface.
27
SDM Express
28
5.2.3 Configuring a Serial WAN Connection
5.2.3.1 Configuring an Internet (WAN) Connection
Routers can also be connected via a serial connection, which connects networks that are separated by large geographic distances. These WAN network interconnections require that the serial connection be made through a telecommunications service provider, or TSP.
Serial connections are usually lower-speed links compared to Ethernet links, and require additional configuration. Be sure to determine the type of connection and protocol encapsulation required prior to setting up the connection.
Serial Encapsulation
The protocol encapsulation must be the same at both ends of a serial connection. Some encapsulation types require authentication parameters, like username and password, to be configured. Encapsulation types include:
High-Level Data Link Control (HDLC)
Frame Relay
Point-to-Point Protocol (PPP)
29
5.2.3 Configuring a Serial WAN Connection
Address Type List
Depending on the type of encapsulation selected, different methods are available to obtain an IP address for the serial interface.
Static IP Address: Available with Frame Relay, PPP, and HDLC encapsulation types. Enter the IP address and subnet mask to configure a static IP address.
IP Unnumbered: Sets the serial interface address to match the IP address of one of the router's other functional interfaces.
IP Negotiated: The router obtains an IP address automatically through PPP. Select Easy IP (IP Negotiated).
Lab: configuring Dynamic NAT with SDM.pdf
Lab: Configuring an ISR with SDM Express.pdf
30
5.2.4 Cisco SDM and SDM Express
Either Cisco SDM Express or Cisco SDM can be used to configure a router. SDM supports many of the same features that SDM Express supports; however, SDM has a more advanced GUI, with more configuration options available. For this reason, once a basic configuration of the router has been created using SDM Express, many users switch to using SDM.
31
5.2.5 Configuring Dynamic NAT Using Cisco SDM
Use the Cisco SDM Basic NAT Wizard to configure NAT on a router. The type of NAT that is configured by default is dynamic NAT. Dynamic NAT enables the hosts on the internal local network to share the registered IP address assigned to the WAN interface. In this manner, hosts with internal private addresses can have access to the Internet.
Only the hosts with the internal address ranges specified in the SDM configuration are translated. It is important to verify that all address ranges that need access to the Internet are included.
Steps for configuring NAT include:
1. Enable NAT Configuration Using SDM
2. Navigate Through the NAT Wizard
3. Select the Interface and Set IP Ranges
4. Review Configuration
Lab: Configuring Dynamic NAT with SDM.pdf
32
5.3 Configuring a Router Using IOS CLI
33
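5.3.1 Command Line Interface and Modes
Using the Cisco IOS CLI to configure and monitor a device is quite different from using SDM. The CLI does not provide step-by-step configuration guidance, so it requires more careful planning and deeper expertise.
CLI Command Modes
The Cisco IOS supports two levels of access to the command line interface: user EXEC level and privileged EXEC level.
When a router or other IOS device is powered on, the access level defaults to user level. The device is then said to be in user EXEC mode. User mode is indicated by the command line prompt Router>. Commands that can be executed in user EXEC mode are limited to those that obtain information about how the device is operating, and ping or traceroute for troubleshooting.
Entering commands that can alter the operation of the device requires privileged level access. Enter enable at the command prompt and press Enter to reach privileged EXEC mode. The command line prompt changes to reflect the mode change. The prompt for privileged mode is Router#. To disable privileged mode and return the device to user mode, enter disable or exit at the command prompt.
Both user EXEC mode and privileged EXEC mode can be protected with a password, or with a username and password combination.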
34
5.3.1 Command Line Interface and Modes
Configuring a Cisco IOS device begins with entering the privileged EXEC mode. The privileged mode grants access to the various configuration modes used to set up the device. To obtain access to the configuration commands, first enter the mode that allows access to these commands. In most cases, commands will be entered into the running configuration file from the terminal. To access these commands, the user must enter global configuration mode.
To enter global configuration mode, type the command: configure terminal or config t.
Global configuration mode is indicated by the command line prompt Router(config)#. Remember that any commands entered in this mode will take effect immediately and can alter the operation of the device.
E-Lab: Command Line Interface and Modes-ELAB.txt
E-Lab: Entering Command Modes.mht
35
5.3.2 Using the Cisco IOS CLI
The Cisco IOS CLI is full of features that help in recalling commands needed to configure a device. These features are one reason why network technicians prefer to use the Cisco IOS CLI to configure routers.
The context-sensitive help feature is especially useful when configuring a device. Entering help or the ? at the command prompt displays a brief description of the help system:
Router# help
Context-sensitive help can provide suggestions for completing a command. If the first few characters of a command are known, but the exact command is not, enter as much of the command as possible, followed by a ? (for example, con?). Note that there is no space between the command characters and the ?.
Additionally, request help at any point to determine additional parameters that complete a command. Do this by entering part of the command, followed by a space, and then the ? (for example, conf ?). For example, entering the command configure at the command prompt followed by a space and a question mark produces a list of possible variations of the configure command. Choose one of these variations to complete the command string. The appearance of <cr> indicates that the command is now complete. Press the Enter key to enter the command.
If a ? is entered and nothing matches, the help list will be empty. This indicates that the command string is not a supported command.
36
5.3.2 Using the Cisco IOS CLI
Users will sometimes make a mistake when typing a command. The CLI provides output indicating an unrecognized or incomplete command. The % symbol marks error messages. For example, if the command interface is entered with no other parameters, the output shows that it is an incomplete command (% Incomplete command.). Use the ? to see additional parameters.
If an incorrect command is entered, the error message reads: %Invalid input detected.
It is sometimes hard to see the mistake within an incorrectly entered command. Fortunately, the CLI provides error isolation in the form of an error indicator, a caret symbol (^). The ^ symbol appears at the point in the command string where there is an incorrect or unrecognized character. This enables the user to return to the point where the error was made and use the help function to determine the correct command to use.
37
5.3.2 Using the Cisco IOS CLI
Another feature of the Cisco IOS CLI is the ability to recall previously typed commands. This feature is particularly useful for recalling long or complex commands or entries.
The command history is enabled by default and the system records ten command lines in the history buffer. To change the number of command lines the system records during a terminal session, use the terminal history size or the history size command. The maximum number of commands is 256.
To recall the most recent command in the history buffer, press Ctrl-P or the Up Arrow key. Repeat this process to recall successively older commands. To return to a more recent command in the history buffer, press Ctrl-N or the Down Arrow key. Repeat this process to recall successively more recent commands.
Command Shortcuts
The CLI recognizes partially typed commands based on their first unique character. For example, type int instead of interface. Press the Tab key, and the CLI will automatically complete the command entry. The Tab key simply acknowledges visually that the router has understood the specific command that was intended.
On most computers, additional select and copy functions are available. A previous command string may be copied and then pasted or inserted as the current command entry.
38
5.3.2 Using the Cisco IOS CLI
PT 5.3.2.5: Exploring the Cisco IOS CLI.pka
5.3.2.4 Exploring the Cisco IOS CLI
39
5.3.3 Using show Commands
The Cisco IOS CLI enables a user to display relevant information about the configuration and operation of the device. To obtain this information, show commands are used.
The Cisco IOS CLI show commands are used extensively by network technicians. These commands are used to view configuration files, the status of the device interfaces and processes, and to verify the device operational status. Show commands are available whether the device is configured using the CLI or the SDM configuration tool.
The status of nearly every process or function of the router can be displayed using a show command. Commonly used show commands include:
show running-config
show interfaces
show arp
show ip route
show users
show version
E-Lab: Using Show Commmands-ELAB.txt
E-Lab: Viewing Router Interface Information.mht
PT: Using the Cisco IOS show Commands.pka
40
5.3.4 Basic Configuration
The startup configuration file is stored on the device in NVRAM. This file is loaded into working memory and begins operation when the device is powered on. To view the contents of the startup configuration file, use the command:
Router# show startup-config
The running configuration is the set of commands that is currently active in the device RAM. When the device is powered on, the running configuration is identical to the stored startup configuration. To view the current running configuration, use the command:
Router# show running-config
Remember, if the CLI is used to alter the running configuration, it must be copied to the startup configuration file, or the changes will be lost when the device is powered off. To copy the changes made to the running configuration back to the stored startup configuration file, use the command:
Router# copy run start
or write.
Warning: a spelling mistake when typing startup-config in the copy command can cause the IOS on the router to be lost (if the system prompts are ignored and Enter is pressed repeatedly). Always use the Tab key to complete this command so that it is not misspelled. Some devices support the write command.
41
5.3.4 Basic Configuration
The initial configuration of an IOS device involves configuring a device name and then the passwords that are used to control access to the various functions of the device.
A device should be given a unique name as one of the first configuration tasks. This task is accomplished in global configuration mode with the following command:
Router(config)#hostname [name]
When the Enter key is pressed, the prompt changes from the default host name, which is Router, to the newly configured host name.
Once a hostname is configured on a device, the next configuration step should be configuring passwords to prevent access to the device by unauthorized individuals.
The enable password and enable secret commands are used to restrict access to the privileged EXEC mode, preventing unauthorized users from making configuration changes to the router. The following commands are used to set the passwords:
Router(config)#enable password [password]
Router(config)#enable secret [password]
The difference between the enable password and the enable secret is that the enable password is not encrypted by default. If the enable password is set, followed by the enable secret, the enable secret will override the enable password.
42
5.3.4 Basic Configuration
There are multiple ways to access a device to perform configuration tasks. One of these ways is to use a PC attached to the console port on the device. This type of connection is frequently used for initial device configuration.
To set the password for console connection access, first enter the global configuration mode. Once there, use the following command:
This will prevent unauthorized users from accessing user mode from the console port.
Once the device is connected to the network, it can be accessed over the network connection. When the device is accessed through the network, it is considered a virtual terminal connection. The password must be configured on the virtual port.
To verify that the passwords are set correctly, use the show running-config command. These passwords are stored in the running configuration in clear text. It is possible to set encryption on all passwords stored within the router, so that they are not easily seen by unauthorized individuals. The command service password-encryption ensures that passwords (console, vty and enable password) are encrypted.
PT: Perform an Initial Router Configuration-78% error password,secret password.pka
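One way to check the password settings described above against a saved copy of show running-config output, as an added Python example that is not part of the original course material. The two sample configurations, the finding codes and the function names are constructed for illustration, and treating `login local` lines as covered by username and password is an assumption.

```python
import re

# Constructed sample running-config (not taken from the original page).
WEAK_CONFIG = """\
hostname Branch1
no service password-encryption
enable password class123
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
!
line con 0
 password console123
 login
line vty 0 4
 login
!
end
"""

# The same constructed device after hardening; secret values are placeholders.
HARDENED_CONFIG = """\
hostname Branch1
service password-encryption
enable secret 5 PLACEHOLDER-HASH
!
line con 0
 password 7 PLACEHOLDER
 login
line vty 0 4
 password 7 PLACEHOLDER
 login
!
end
"""

EXPLANATIONS = {
    "ENABLE_SECRET_MISSING": "privileged EXEC is not protected by enable secret",
    "ENABLE_PASSWORD_PRESENT": "enable password is not encrypted by default",
    "PASSWORD_ENCRYPTION_OFF": "service password-encryption is not enabled",
    "CLEARTEXT_LINE_PASSWORD": "line password is stored in clear text",
    "NO_LINE_PASSWORD": "console or virtual terminal line has no password",
}


def parse_blocks(config_text):
    """Split a config into top-level commands and their indented sub-commands."""
    global_lines, blocks, current = [], {}, None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            current = None          # "!" separates sections in IOS output
            continue
        if line[0].isspace():
            if current is not None:
                blocks[current].append(line.strip())
        else:
            global_lines.append(line)
            current = line
            blocks[current] = []
    return global_lines, blocks


def audit_passwords(config_text):
    """Return finding codes for the password settings covered in section 5.3.4."""
    findings = []
    global_lines, blocks = parse_blocks(config_text)
    if not any(l.startswith("enable secret ") for l in global_lines):
        findings.append("ENABLE_SECRET_MISSING")
    if any(l.startswith("enable password ") for l in global_lines):
        findings.append("ENABLE_PASSWORD_PRESENT")
    if "service password-encryption" not in global_lines:
        findings.append("PASSWORD_ENCRYPTION_OFF")
    for header, subs in blocks.items():
        if not re.match(r"line (con|vty) ", header):
            continue
        passwords = [s for s in subs if s.startswith("password ")]
        # Assumption: "login local" means the line uses username and password.
        if not passwords and "login local" not in subs:
            findings.append(f"NO_LINE_PASSWORD:{header}")
        for entry in passwords:
            # A non-zero type number after "password" marks an encrypted value.
            if not re.match(r"password [1-9]\d* ", entry):
                findings.append(f"CLEARTEXT_LINE_PASSWORD:{header}")
    return findings


if __name__ == "__main__":
    for finding in audit_passwords(WEAK_CONFIG):
        print(f"{finding}: {EXPLANATIONS[finding.split(':')[0]]}")
```
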
43
5.3.5 Configuring an Interface
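For a router to forward traffic between networks, its interfaces must be configured so that the router participates in each network to which data is to be forwarded. A router interface connects to a network and has an IP address and subnet mask that correspond to the connected network.
There are many different types of interfaces; serial and Ethernet interfaces are the two most common. Local network connections use Ethernet interfaces.
WAN connections require a serial connection provided by an ISP. Unlike Ethernet interfaces, serial interfaces use a clock signal to control the timing of the communication, which is called the clock rate. In most environments, data communications equipment (DCE) devices such as a modem or CSU/DSU provide the clock rate. By default, Cisco routers are DTE devices, or data terminal equipment, which means the router accepts the clock rate from the DCE device.
If necessary, a router can also be configured as a DCE device. If the router is to be connected as the DCE device, a clock rate must be set on the router interface to control the timing of the DCE/DTE connection.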
44
5.3.5 Configuring an Interface
To configure any interface on the router, it is necessary to be in the global configuration mode. Configuring an Ethernet interface is very similar to configuring a serial interface. One of the main differences is that a serial interface must have a clock rate set if it is acting as a DCE device.
The steps to configure an interface include:
1. Specify the type of interface and the interface port number
2. Specify a description of the interface
3. Configure the interface IP address and subnet mask
4. Set the clock rate, if configuring a serial interface as a DCE
5. Enable the interface (no shutdown)
Once an interface is enabled, it may be necessary to turn off an interface for maintenance or troubleshooting. In this case, use the shutdown command.
On serial links that are directly interconnected (as in a lab), one end must act as the DCE and provide the clock signal. The clock is enabled and its speed is set with the clock rate command. The available clock rates (in bits per second) include: 1200, 2400, 9600, 19200, 38400, 56000, 64000, 72000, 125000, 148000, 500000, 800000, , , and . Some of these bit rates are not supported on certain serial interfaces, depending on the capability of the particular interface. The commands used to set the clock rate and enable the serial interface are shown above.
E-Lab: Configuring an Interface-ELAB
PT: Configure Serial and Ethernet Interfaces.pka
Lab: Configuring Basic Router Setting with IOS CLI.pdf
45
5.3.6 Configuring a Default Route
A router forwards packets from one network to another based on the destination IP address specified in the packet. It examines the routing table to determine where to forward the packet to reach the destination network. If the router does not have a route to a specific network in its routing table, a default route can be configured to tell the router how to forward the packet. The default route is used by the router only if the router does not know where to send a packet.
Usually the default route points to the next hop router on the path to the Internet. The information needed to configure the default route is the IP address of the next hop router, or the interface that the router uses to forward traffic with an unknown destination network.
To configure the default route on a Cisco ISR, you must be in global configuration mode:
Router(config)#ip route 0.0.0.0 0.0.0.0 <Next Hop IP Address>
or
Router(config)#ip route 0.0.0.0 0.0.0.0 <interface> <port number>
ip route fastethernet 0/
PT: Configure a Default Route.pka
46
5.3.7 Configuring DHCP Services
It is possible to configure a router with the Cisco IOS CLI to function as a DHCP server. Using a router configured with DHCP simplifies the management of IP addresses on a network; the administrator only needs to update a single, central router when IP configuration parameters change. Configuring DHCP on a router using the CLI is a little more complex than configuring it using SDM, because global configuration mode must first be activated.
There are eight basic steps to configuring DHCP using the CLI:
1. Create a DHCP address pool
2. Specify the subnet
3. Set the excluded IP addresses
4. Specify the domain name
5. Set the IP address of the DNS server
6. Set the default router
7. Set the lease duration
8. Verify the configuration
Packet Tracer activity: Configuring a Cisco Router as a DHCP Server.pka
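The eight steps above, worked through as an added example that is not part of the original slides. The pool name, domain name and all addresses are constructed for illustration.

```cisco
! Constructed example: LAN-POOL, example.com and the 192.168.1.0/24 addresses are illustrative.
Router>enable
Router#configure terminal
! 1. Create the DHCP address pool (enters DHCP pool configuration mode)
Router(config)#ip dhcp pool LAN-POOL
! 2. Specify the subnet that the pool serves
Router(dhcp-config)#network 192.168.1.0 255.255.255.0
Router(dhcp-config)#exit
! 3. Exclude statically assigned addresses (router, servers, switch management).
!    This is a global configuration command, not a pool command.
Router(config)#ip dhcp excluded-address 192.168.1.1 192.168.1.19
Router(config)#ip dhcp pool LAN-POOL
! 4. Domain name handed to clients
Router(dhcp-config)#domain-name example.com
! 5. DNS server handed to clients
Router(dhcp-config)#dns-server 192.168.1.10
! 6. Default router (the LAN interface address of this router)
Router(dhcp-config)#default-router 192.168.1.1
! 7. Lease duration in days
Router(dhcp-config)#lease 7
Router(dhcp-config)#end
! 8. Verify: pool ranges, addresses handed out, and any detected conflicts
Router#show ip dhcp pool
Router#show ip dhcp binding
Router#show ip dhcp conflict
Router#copy running-config startup-config
```

Leases that appear in show ip dhcp binding for MAC addresses nobody recognizes are worth following up, since the binding table doubles as a simple inventory of what has joined the LAN.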
47
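5.3.8 Configuring Static NAT Using the Cisco IOS CLI
The purpose of NAT on a network is to let hosts with internal private addresses communicate on the Internet. When configuring NAT, at least one interface must be configured as the inside interface, which means that it connects to the internal private network. Another interface, usually the external interface used to reach the Internet, must be configured as the outside interface. When devices on the internal network communicate outward through the outside interface, their addresses are translated to one or more registered IP addresses.
Sometimes a server on the internal network must be reachable from the Internet. This requires that the server have a specific registered address that external users can identify. One way to provide an Internet-accessible address for an internal server is to configure a static NAT translation. Static NAT ensures that the address assigned to a host on the internal network is always translated to the same registered IP address.
Packet Tracer activity: Configure Static NAT on a Cisco Router.pka
Lab: 5.3.8 Configuring NAT and DHCP with IOS CLI.pdf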
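An added example, not part of the original slides, that ties together the inside and outside interface roles, the static translation described above, and the default route from 5.3.6. The interface numbers and all addresses are constructed (private and documentation ranges).

```cisco
! Constructed example: 192.168.1.0/24 is the inside LAN, 198.51.100.0/30 is the
! link to the ISP, and 203.0.113.10 stands in for the server's registered address.
Router#configure terminal
! Inside interface: connects to the internal private network
Router(config)#interface fastethernet 0/0
Router(config-if)#description LAN - inside private network
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#no shutdown
Router(config-if)#exit
! Outside interface: faces the ISP and the Internet
Router(config)#interface serial 0/0/0
Router(config-if)#description WAN link to ISP - outside
Router(config-if)#ip address 198.51.100.2 255.255.255.252
Router(config-if)#ip nat outside
Router(config-if)#no shutdown
Router(config-if)#exit
! Static NAT: the internal server always maps to the same registered address.
! A one-to-one mapping makes every port on the server reachable from outside.
Router(config)#ip nat inside source static 192.168.1.10 203.0.113.10
! Narrower alternative that publishes a single service only (use instead of the line above):
!   ip nat inside source static tcp 192.168.1.10 443 203.0.113.10 443
! Default route: anything without a more specific route goes to the ISP next hop
Router(config)#ip route 0.0.0.0 0.0.0.0 198.51.100.1
Router(config)#end
! Verify the translation table and the gateway of last resort
Router#show ip nat translations
Router#show ip nat statistics
Router#show ip route
Router#copy running-config startup-config
```

The static entry appears in show ip nat translations even before any traffic flows, which makes it a quick check of exactly which inside hosts are published to the Internet.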
48
5.3.9 Backing Up a Cisco Router Configuration to a TFTP Server
Once a router is configured, the running configuration should be saved to the startup configuration file. It is also a good idea to save the configuration file in another location, such as a network server. If the NVRAM fails or becomes corrupt and the router cannot load the startup configuration file, another copy is available.
Configuration files can be saved to a network server using the TFTP protocol. The TFTP-enabled server must be accessible to the router via a network connection. Once the running configuration is saved to the startup configuration file, save the startup configuration to the TFTP server:
1. Enter the copy startup-config tftp command.
2. Enter the IP address of the host where the configuration file will be stored.
3. Enter the name to assign to the configuration file or accept the default.
4. Answer yes to confirm each choice.
A current copy of the running configuration can also be stored on a TFTP server using the copy running-config tftp command.
Restore
To restore the backup configuration file, be sure the router has at least one interface configured and can access the TFTP server over the network.
1. Enter the copy tftp running-config command.
2. Enter the IP address of the remote host where the TFTP server is located.
3. Enter the name of the configuration file or accept the default name.
4. Confirm the configuration filename and the TFTP server address.
The configuration file saved on the TFTP server is restored into memory and takes effect immediately. However, it cannot override the shutdown state of the interfaces.
Packet Tracer activity: Backing Up a Cisco Router Configuration to a TFTP Server.pka (instructor note: the activity scores 100% even if copy sta tftp is not run; it can still be used)
49
5.4 Initial Cisco 2960 Switch Configuration
50
5.4.1 Standalone Switches
As customer networks grow, it is often necessary to add larger, more capable switches to support additional users. A switch is a device that directs a stream of messages coming in one port out of another port, based on the destination MAC address within the frame. A switch cannot route traffic between two different local networks. In the context of the OSI model, a switch performs the Layer 2 function, known as the data link layer.
There are several models of Ethernet switches available, depending on user requirements. The Cisco Catalyst 2960 Series Ethernet switch is designed for medium-sized and branch office networks. This type of switch is a fixed-configuration, standalone device that does not use modules or flash card slots. The physical configuration cannot change. For this reason, the switch must be purchased with the physical configuration in mind. These switches are designed to provide 10/100 Fast Ethernet and 10/100/1000 Gigabit Ethernet connectivity to desktop computers.
The 2960 series Ethernet switches use Cisco IOS software and can be configured using the GUI-based Cisco Network Assistant or through the CLI.
51
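5.4.1 Standalone Switches
Status LEDs
SYST LED: shows whether the system is receiving power and functioning properly.
Green: the system is operating normally.
Amber: the system is receiving power but is not functioning properly.
RPS LED: the redundant power system (RPS) LED shows the RPS status.
Green: the RPS is connected and can provide backup power when needed.
Blinking green: the RPS is connected but is unavailable because it is providing power to another device.
Amber: the RPS is in standby mode or has a fault.
Blinking amber: the internal power supply in the switch has failed, and the RPS is providing power to the switch.
Mode button and port status LEDs: the port LEDs display information about the switch and about the individual ports.
Mode button: the Mode button is used to select the port mode: status mode, duplex mode, or speed mode. To select or change a mode, press the Mode button until the desired mode is highlighted. The meaning of the LEDs depends on the port mode setting.
Port Status, or STAT (the default port mode), LED:
Off: no link, or the port was administratively shut down.
Green: a link is present.
Blinking green: the port is sending or receiving data.
Alternating green and amber: link fault. Error frames may be affecting connectivity, or excessive collisions, CRC errors, or frame alignment and length errors were detected.
Amber: the port is blocked by Spanning Tree Protocol (STP) and is not forwarding data.
Blinking amber: the port is blocked by STP and is sending or receiving data.
Duplex LED: the duplex mode of the port (DUPLX), either full duplex or half duplex.
Off: the port is operating in half-duplex mode.
Green: the port is operating in full-duplex mode.
Speed LED: speed (SPEED) mode shows the operating speed of the 10/100 ports, the 10/100/1000 ports and the SFP module ports.
For 10/100/1000 ports:
Off: the port is operating at 10 Mbps.
Green: the port is operating at 100 Mbps.
Blinking green: the port is operating at 1000 Mbps.
For SFP module ports:
Off: the port is operating at 10 Mbps.
Blinking green: the port is operating at 1000 Mbps.
10/100 and 10/100/1000 ports: 10/100 Ethernet ports can be set to support speeds of 10 or 100 Mbps. 10/100/1000 ports operate at 10, 100, or 1000 Mbps.
SFP ports: Gigabit-capable Ethernet SFP ports support fiber and copper transceiver modules. Fiber transceivers support fiber-optic cable. Copper transceivers support Category 5 cable with RJ-45 connectors. Because the fiber and copper transceivers plug into the Gigabit Ethernet SFP ports, they can easily be replaced in the field if they are damaged.
Console port: connects the switch to a PC with an RJ-45-to-DB-9 cable. Used for out-of-band management tasks.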
52
5.4.1 Standalone Switches
Each switch port can operate in either half-duplex or full-duplex mode. When a port is in half-duplex mode, at any given time it can either send or receive data, but not both. When a port is in full-duplex mode, it can send and receive data simultaneously, doubling the throughput.
Both the port and the connected device must be set to the same duplex mode. If they are not the same, this creates a duplex mismatch, which can lead to excessive collisions and degraded communication.
Switch ports can have the speed and duplex set manually or can use autonegotiation. Autonegotiation occurs when the port auto-detects the speed and duplex of the device that is connected to the port. Autonegotiation is enabled by default on many Cisco switches. For autonegotiation to be successful, both connected devices must support it.
If the switch is in autonegotiation mode and the connected device does not support it, the switch will:
Use the speed of the other device (10, 100, 1000)
Default to half-duplex mode
This can create issues if the non-autonegotiating device is set to full-duplex mode, because the switch defaults to half duplex. If the connected device does not autonegotiate, manually configure the duplex settings on the switch to match the duplex settings on the connected device. The speed parameter can adjust itself even if the connected port does not autonegotiate.
53
5.4.1 Standalone Switches
The Cisco Catalyst 2960 switch is supported by Cisco IOS switch software. The Cisco Catalyst 2960 switch IOS image choices are similar to the software images available on the Cisco 1841 ISR router. The IP Base software image is supplied with the Cisco Catalyst 2960 switch and provides the switch with basic switching capabilities. Other Cisco IOS software images add services to the IP Base image.
54
5.4.2 Powering Up the Cisco 2960 Switch
Powering up a Cisco 2960 switch is similar to powering up a Cisco 1841 ISR. The three basic steps for powering up a switch are:
1. Check the components
2. Connect the cables to the switch
3. Power on the switch
Once the switch is on, the power-on self-test (POST) begins. During POST, the LEDs blink while a series of tests determine that the switch is functioning properly. POST has completed when the SYST LED rapidly blinks green. If the switch fails POST, the SYST LED turns amber. When a switch fails POST, it is necessary to return the switch for repairs. Once all startup procedures are finished, the Cisco 2960 switch is ready to configure.
Lab: Powering Up a Cisco Catalyst 2960 Switch.pdf
55
5.4.3 Initial Switch Configuration
There are multiple options available to configure and manage a Cisco LAN switch. These options include:
Cisco IOS Command Line Interface (CLI)
Cisco Network Assistant
Cisco Device Manager
CiscoView Management Software
SNMP Network Management Products
Some of these options use IP connectivity or a web browser to connect to the switch, which requires an IP address. Unlike router interfaces, switch ports are not assigned IP addresses. In order to use an IP-based management product or a Telnet session to manage a Cisco switch, it is necessary to configure a management IP address on the switch.
Once the management IP address is assigned, these tools can use that IP address to access the switch. Until this address is assigned, it is necessary to connect directly to the console port and use a terminal emulation program to perform configuration tasks.
56
5.4.3 Initial Switch Configuration
To manage the switch from the local network segment, the management interface must be "enabled". To manage the switch from other network segments (the corresponding passwords must also be set).
The Cisco Catalyst 2960 switch comes preconfigured and only needs to be assigned basic security information before being connected to the network. The commands to configure the hostname and passwords on the switch are the same commands used to configure the ISR. In order to use an IP-based management product or Telnet with a Cisco switch, configure a management IP address.
There is one virtual local network, VLAN 1, preconfigured in the switch to provide access to management functions. To configure the IP address assigned to the management interface on VLAN 1, enter global configuration mode.
Switch>enable
Switch#configure terminal
Next, enter the interface configuration mode for VLAN 1.
Switch(config)#interface vlan 1
Set the IP address, subnet mask and default gateway for the management interface. The IP address must be valid for the local network where the switch is installed.
Switch(config-if)#ip address
Switch(config-if)#exit
Switch(config)#ip default-gateway
Switch(config)#end
Save the configuration by using the copy running-config startup-config command.
E-Lab: Intial Switch Configuration-ELAB
Packet Tracer activity: Perform an Initial Switch Configuration.pka
57
5.4.4 Connecting the LAN Switch to the Router
Connect the Switch to the Network
To connect the switch to a router, use a straight-through cable. LED lights on the switch and router indicate that the connection is successful. Once the switch and router are connected, determine whether the two devices are able to exchange messages.
1. Check the IP address configuration. Use the show running-config command to verify that the IP address of the management interface on the switch VLAN 1 and the IP address of the directly connected router interface are on the same local network.
2. Use the ping command to test the connection. From the command line interface on the switch, ping the IP address of the directly connected router interface. Repeat the process from the command line interface on the router by pinging the management interface IP address assigned to the switch VLAN 1.
If the ping is not successful, verify the connections and configurations again. Check that all cables are correct and that connections are seated.
After the switch and router are successfully communicating, connect the individual PCs to the switch using straight-through cables.
Access layer switch ports are accessible through the structured cabling at wall outlets. This is a potential entry point to the network for unauthorized users. Switches provide a feature called port security, which makes it possible to limit the number of addresses that can be learned on an interface. If the number of MAC addresses per port is limited to 1, the first address dynamically learned by the switch becomes the secure address.
Packet Tracer activity: Configuring and Connecting the Switch to the LAN.pka
Lab: COnfiguring the Cisco 2960 Switch.pdf
58
5.4.4 Connecting the LAN Switch to the Router
CDP
Cisco Discovery Protocol (CDP) is an information-gathering tool used on a switch, ISR or router to share information with other directly connected Cisco devices. By default, CDP begins running when the device boots up. It then sends periodic messages, known as CDP advertisements, onto its directly connected networks.
CDP operates at Layer 2 only and can be used on many different types of local networks, including Ethernet and serial networks. Because it is a Layer 2 protocol, it can be used to determine the status of a directly connected link when no IP address has been configured, or if the IP address is incorrect.
Two Cisco devices that are directly connected on the same local network are referred to as neighbors. The concept of neighbor devices is important to understand when interpreting the output of CDP commands.
Information gathered by CDP includes:
Device identifiers - configured host name
Address list - Layer 3 address, if configured
Port identifier - directly connected port, for example: serial 0/0/0
Capabilities list - function or functions provided by the device
Platform - hardware platform of the device, for example Cisco 1841
The outputs from the show cdp neighbors and show cdp neighbors detail commands display the information that a Cisco device collects from its directly connected neighbors. CDP can display the Layer 3 IP addresses of neighboring devices.
Viewing CDP information does not require the user to log in to the remote devices. Because CDP collects and displays a lot of information about directly connected neighbors, without requiring a login to those neighbors, it is usually disabled in production networks.
Packet Tracer activity: Mapping a Network using CDP.pka
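An added example, not part of the original slides, covering the two hardening points in 5.4.4: port security limited to one MAC address on a wall-outlet port, and CDP turned off where neighbors should learn nothing about the switch. The interface number is constructed; the sticky and violation settings are choices made for this example.

```cisco
! Constructed example: FastEthernet 0/5 stands in for a port cabled to a wall outlet.
Switch>enable
Switch#configure terminal
Switch(config)#interface fastethernet 0/5
Switch(config-if)#description User wall outlet
! Port security cannot be enabled on a dynamic port, so fix the port as an access port first
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
! Limit the port to a single MAC address: the first one learned becomes the secure address
Switch(config-if)#switchport port-security maximum 1
! Optional: write the learned address into the running configuration so it can be saved
Switch(config-if)#switchport port-security mac-address sticky
! A frame from any other source MAC puts the port into the err-disabled state (the default action)
Switch(config-if)#switchport port-security violation shutdown
! Stop sending CDP advertisements out of this user-facing port
Switch(config-if)#no cdp enable
Switch(config-if)#exit
! Alternative: disable CDP on the whole device instead of per interface
!   Switch(config)#no cdp run
Switch(config)#end
! Verify the secure address, the violation counter and the port state
Switch#show port-security interface fastethernet 0/5
Switch#show port-security address
Switch#show interfaces status err-disabled
! Confirm which neighbors are still visible through CDP on the remaining ports
Switch#show cdp neighbors
Switch#copy running-config startup-config
! Recovery after a violation: remove the offending device, then on the interface
! enter shutdown followed by no shutdown.
```

A rising violation count on a port that normally serves one PC is a useful signal that someone has plugged a different device, or a small switch or hub, into that outlet.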
59
5.5 Connecting the CPE to the ISP
60
5.5.1 Installing the CPE
One of the main responsibilities of an on-site network technician is to install and upgrade equipment located at the customer's home or business. Network devices installed at the customer location are called customer premise equipment (CPE).
Before any equipment is installed at the customer site, the devices are configured and tested at the ISP site. Anything that is not functioning as expected can be replaced or fixed immediately. The network technician makes sure the router is fully configured and that the router configuration is verified. The router is then repackaged for shipment or delivery to the customer.
Once the router is known to be configured correctly, all network cables, power cables, management cables, manufacturer documentation, manufacturer software, configuration documentation and the special tools needed for router installation are assembled. An inventory checklist is used to verify that all equipment needed to install the router is present. Usually the network technician signs the checklist, indicating that everything has been verified. The signed and dated inventory checklist is included with the router when it is packaged for shipping to the customer premise.
The installation of a new router can be disruptive for a business. Many businesses rely on the Internet for their business correspondence and often have e-commerce services that must be accessed during the day. It may be impossible to install or upgrade network equipment during normal business hours. If the installation of the new equipment will cause the network to be down, the network technician, the ISP salesperson and a representative of the company prepare a router installation plan. This plan ensures that the customer experiences a minimum of disruption in service while the new equipment is installed.
The on-site network technician installs the router at the customer premise, following the router installation plan. This often means the router must be installed after normal working hours or on the weekend. The router installation plan identifies who the customer contact is and what the arrangements are for after-hours access.
When installing customer equipment, it is important to complete the job in a professional manner. This means that all network cables are labeled and fastened together or run through proper cable management equipment. Excess lengths of cable should be coiled and secured out of the way. Update the documentation to include the current configuration of the router, and update the network diagrams to show the location of the equipment and cables that are installed.
After the router is successfully installed and tested, the network technician completes the installation checklist. The completed checklist is verified by the customer representative. The verification of the router installation often involves demonstrating that the router is correctly configured and that services that depend on the router also work.
When the customer representative is satisfied that the router has been correctly installed and is operational, they sign and date the checklist. Sometimes there is a formal acceptance document in addition to the checklist. This procedure is often called the sign-off phase. It is critical that the customer representative signs off on the job, because then the ISP can bill the customer for the work.
61
5.5.1 Installing the CPE
5.5.1.4 Installation Documentation
When customer equipment is configured and installed on the customer premise, it is important to document the entire process. Documentation includes all aspects of how the equipment is configured, diagrams of how the equipment is installed, and checklists to validate the correct installation. If a new configuration is needed, compare the documentation with the previous router configuration to determine if and how the new configuration has changed. Start documenting the work during the installation of the router. All cables and equipment should be correctly labeled and indicated on a diagram to simplify future identification. Follow an installation and verification checklist when installing a router. This checklist will list the tasks needed to be completed at the customer's premises. An installation and verification checklist helps a network technician avoid errors and ensures that the installation is done efficiently and correctly. Leave a copy of the final documentation with the customer.
62
5.5.1 Installing the CPE
Professional Image
Many IT jobs require site visits to customer premises on a regular basis to install and troubleshoot equipment. In the eyes of the customer, the network technician is a professional who has the responsibility to support their network. A professional knows how to make the customer feel at ease and confident in the technician's skills. There are things network technicians can do to ensure that they represent their organization in the most professional manner possible.
Dress for Success
On the first visit to a customer location, it is important for the technician to make a good first impression. The way technicians are dressed and their personal grooming are the first things the customer notices. If the technician makes a bad first impression, it may be difficult to change that impression and gain the customer's confidence. Many employers provide a uniform or have a dress code for their on-site technicians.
Language and Attitude
Remember that the network technician is at the customer location to provide a service. The language and attitude of the technician reflect on the organization that the technician represents. A customer may be anxious or concerned about how the new equipment will operate. When speaking with a customer, be polite and respectful, and answer all customer questions. If additional information is required, be sure to write down the customer inquiry and follow up on it as soon as possible.
63
5.5.2 Workplace Safety
It is important to minimize the risk of injury when installing network equipment by following good safety practices. Many employers offer safety training as part of their employee services.
Ladders
Use ladders to reach high locations for installation of networking cable or to install wireless access points in places that are difficult to reach. To reduce the risk of falling off the ladder or dropping equipment while climbing, work with a partner whenever possible.
High or Dangerous Locations
Sometimes network equipment and cables must be installed in high and dangerous places, such as on the side of a building, on rooftops, or in an internal structure that is not accessible by a ladder. These sorts of installations must be done very carefully. Using a safety harness reduces the risk of falling.
Electrical Equipment
If there is a risk of damaging or coming in contact with any electrical lines when mounting hardware, contact the customer's electrician to ensure the risk of electrical shock is reduced. Coming in contact with electrical equipment during the installation may result in serious personal injury.
Awkward Spaces
Network equipment is often installed in narrow and awkward spaces. Ensure that the work area is properly lighted. Determine the best way to lift and install equipment to minimize the risks.
Heavy Equipment
Networking devices can be large and heavy. Plan to have the correct equipment and trained personnel when heavy equipment needs to be installed at a customer's site.
64
5.5.3 Connecting Customers over a WAN
New equipment at the customer site must be connected back to the ISP to provide Internet services. When customer equipment is upgraded, it is sometimes necessary to also upgrade the type of connectivity provided by the ISP.
Wide Area Networks
When a company or organization has locations that are separated by large geographical distances, it may be necessary to use a telecommunications service provider (TSP) to interconnect the LANs at the different locations. Telecommunications service providers operate large regional networks that can span long distances. Traditionally, TSPs transported voice and data communications on separate networks. Increasingly, these providers are offering converged information network services to their subscribers.
Individual organizations usually lease connections through the telecommunications service provider network. These networks that connect LANs in geographically separated locations are referred to as Wide Area Networks (WANs). Although the organization maintains all of the policies and administration of the LANs at both ends of the connection, the policies within the communications service provider network are controlled by the ISP.
WAN connections come in a variety of types. They vary in the type of connector used, in bandwidth and in cost. As small businesses grow, they begin to require the increased bandwidth offered by some of the more expensive WAN connections. An ISP sells these various types of WAN connections to its clients. One of the jobs at an ISP or medium-sized business is to assess the needs for a WAN connection.
65
5.5.3 Connecting Customers over a WAN
There are three types of serial WAN connections.
Point-to-Point
A point-to-point WAN connection is a predefined communications path from the customer premises through a telecommunications service provider (TSP) network. Point-to-point lines are usually leased from a TSP. These lines are often called leased lines. Point-to-point connections are typically the most expensive of the WAN connection types and are priced based on the bandwidth required and the distance between the two connected points.
Circuit Switched
A circuit switched connection functions similarly to the way a phone call is made over a telephone network. When making a phone call to a friend, the caller picks up the phone, opens the circuit, and dials the number. The caller hangs up the phone when finished and closes the circuit. An example of a circuit switched WAN connection is an ISDN or dial-up connection.
Packet Switched
In a packet switched WAN connection, networks have connections into the TSP switched network. Many customers share this TSP network. Instead of the circuit being physically reserved from source to destination, as in a circuit switched network, each customer has their own virtual circuit. A virtual circuit is a logical path between the sender and receiver, not a physical path. An example of a packet switched network is Frame Relay.
66
5.5.4 Choosing a WAN Connection
There are many options when choosing a WAN for a business. The choice made is largely dependent on the bandwidth and cost of the WAN connection. Smaller businesses are not able to afford some of the more expensive WAN connection options, such as SONET or ATM WAN connections. They usually install the less expensive DSL, cable, and T1 connections. Availability of the higher bandwidth WAN connections can be limited in geographically isolated locations. If the offices supported are close to an urban center, then there are more WAN choices.
Another factor that affects the decision on which WAN to choose is how the business plans to use the new WAN connection. If the business provides services over the Internet, it may require higher upstream bandwidth than a business that uses services hosted by ISPs on the Internet. For example, if a business hosts a Web server for an e-commerce business, the business needs enough upstream bandwidth to accommodate the number of external customers that visit its site. On the other hand, if the business has its e-commerce site managed by an ISP, then it does not require as much upstream bandwidth.
For some businesses, the ability to get a service level agreement (SLA) attached to their WAN connection also affects their decision. Less expensive WAN connections like dialup, DSL, and cable connections typically do not come with an SLA, whereas more expensive connections do.
67
5.5.4 Choosing a WAN Connection
There are many things to consider when planning a WAN upgrade. The ISP initiates the process by analyzing the customer needs and reviewing the available options. A proposal is then generated for the customer.
Existing Infrastructure
Included in the proposal is an explanation of the existing infrastructure. This explanation is necessary because it helps the customer understand how the existing WAN connection provides services to their home or business.
Customer Requirements
This section of the proposal describes why a WAN upgrade is necessary for the business. It outlines where the current WAN connection does not meet the customer needs. It also includes a list of requirements that the new WAN connection must meet to satisfy the current and future customer requirements.
WAN Options
A list of all of the available WAN choices, with the corresponding bandwidth, cost, and other features that are applicable to the business, is included in the proposal. The recommended choice is indicated, along with possible other options.
Present the Plan
When the WAN upgrade proposal is completed, expect to present it to the business decision makers. They review the document and consider the options. Once they have made their decision, work with them to develop a schedule and coordinate the WAN upgrade process.
Lab: Planning a WAN Upgrade.pdf
68
5.5.5 Configuring a Cisco Router Using SSH
Connecting to a Device at the Customer Site
After a new network device is installed at the customer premise, it must be monitored from the remote ISP location. There are also times when minor configuration changes need to be made without a technician physically being at the customer site.
A Telnet client can be used over an IP network connection to connect to a device in-band for the purpose of monitoring and administering it. Telnet is not a secure protocol, however. Telnet sends all the information between the PC and the device in clear text. This means that the username and password used to authenticate to the device can easily be discovered. To protect the device being administered over the network, a different and more secure terminal emulation protocol should be used.
Secure Shell (SSH) is a protocol that functions similarly to Telnet. SSH protects all authentication information and transmitted data using encryption. SSH allows safe access to a remote device over an insecure network, such as the Internet.
There are two versions of the SSH service; which one is supported depends on the IOS image loaded on the device. There are many different SSH client software packages for PCs to choose from. When choosing an SSH client, make sure it supports the SSH version configured on the device.
Lab: Configuring a Remote Router Using SSH.pdf
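An added example, not part of the original slides, of replacing Telnet with SSH on the vty lines so that credentials and session data no longer cross the network in clear text. The hostname, domain name, user name, management range and timer values are constructed, and an IOS image with cryptographic (SSH) support is assumed.

```cisco
! Constructed example: CPE-R1, example.com, ispadmin and 198.51.100.0/24 are illustrative.
Router>enable
Router#configure terminal
! The RSA key pair is named after hostname + domain name, so set both first
Router(config)#hostname CPE-R1
CPE-R1(config)#ip domain-name example.com
! Generate the host key; SSH version 2 needs a modulus of at least 768 bits
CPE-R1(config)#crypto key generate rsa general-keys modulus 2048
! Refuse the older SSH version 1
CPE-R1(config)#ip ssh version 2
CPE-R1(config)#ip ssh time-out 60
CPE-R1(config)#ip ssh authentication-retries 3
! Local account stored as a hash (secret) rather than a reversible password
CPE-R1(config)#username ispadmin privilege 15 secret <strong-passphrase>
! Only the ISP management network may open remote sessions (constructed range)
CPE-R1(config)#access-list 10 permit 198.51.100.0 0.0.0.255
CPE-R1(config)#line vty 0 4
! Weak setting this replaces: transport input telnet
CPE-R1(config-line)#transport input ssh
CPE-R1(config-line)#login local
CPE-R1(config-line)#access-class 10 in
! Drop idle sessions after 5 minutes
CPE-R1(config-line)#exec-timeout 5 0
CPE-R1(config-line)#end
! Verify: SSH version and settings, then the sessions currently open
CPE-R1#show ip ssh
CPE-R1#show ssh
CPE-R1#copy running-config startup-config
```

After the change, a Telnet attempt to the router should be refused while an SSH version 2 client from the permitted range connects, and show ip ssh should report version 2.0.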
69
5.5.6 Configuring the WAN Connection
When a WAN connection is configured, the configuration approach depends on the type of WAN connection required. Some WAN connections support Ethernet interfaces. Other WAN connections support serial interfaces.
Leased line WAN connections typically use a serial connection and require a Channel Service Unit/Data Service Unit (CSU/DSU) to attach to the ISP's network. The ISP equipment needs to be configured so it can communicate through the CSU/DSU to the customer's premises.
For a serial connection, it is important to have a preconfigured clock rate that is the same on both ends of the connection. The clock rate is set by the DCE device, which is typically the CSU/DSU. The Data Terminal Equipment (DTE) device, typically the router, accepts the clock rate set by the DCE.
Cisco's default serial encapsulation is HDLC. It can be changed to PPP, which provides a more flexible encapsulation and supports authentication by the remote device.
Packet Tracer activity: Configure a Serial Connection between a Customer Network and an ISP.pka (instructor note: the activity scores 100% without configuring the encapsulation, but ping then fails)
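An added example, not part of the original slides, that follows the serial interface steps from 5.3 and the clock rate and PPP points above on a two-router lab link, where the ISP router takes the DCE role that a CSU/DSU would normally play. The hostnames, addresses and the choice of CHAP as the PPP authentication method are assumptions of this example.

```cisco
! Constructed example: lab back-to-back serial link, 198.51.100.0/30.
! --- ISP router: DCE end of the cable, so it supplies the clock ---
Router(config)#hostname ISP
! CHAP: the user name is the hostname of the peer; the secret must match on both ends
ISP(config)#username CUSTOMER password <shared-secret>
ISP(config)#interface serial 0/0/0
ISP(config-if)#description Link to CUSTOMER (DCE end)
ISP(config-if)#ip address 198.51.100.1 255.255.255.252
ISP(config-if)#clock rate 64000
! Replace the default HDLC encapsulation and require the peer to authenticate
ISP(config-if)#encapsulation ppp
ISP(config-if)#ppp authentication chap
ISP(config-if)#no shutdown
ISP(config-if)#end

! --- Customer router: DTE end, accepts the clock set by the DCE ---
Router(config)#hostname CUSTOMER
CUSTOMER(config)#username ISP password <shared-secret>
CUSTOMER(config)#interface serial 0/0/0
CUSTOMER(config-if)#description Link to ISP (DTE end)
CUSTOMER(config-if)#ip address 198.51.100.2 255.255.255.252
CUSTOMER(config-if)#encapsulation ppp
CUSTOMER(config-if)#ppp authentication chap
CUSTOMER(config-if)#no shutdown
CUSTOMER(config-if)#end

! --- Verify from either router ---
! Which end of the cable is attached (DCE or DTE) and the clock rate in use
CUSTOMER#show controllers serial 0/0/0
! Encapsulation should read PPP with LCP open; a mismatch leaves line protocol down
CUSTOMER#show interfaces serial 0/0/0
CUSTOMER#show ip interface brief
CUSTOMER#ping 198.51.100.1
```

If one end is left on HDLC, or the CHAP secrets differ, the interface shows up with line protocol down and the ping fails, which is the symptom to check for before looking at routing.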
70
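Summary
1. Key components of the Cisco 1841 ISR include: HWIC slots, the CompactFlash module, the USB port, two 10/100 Fast Ethernet ports, the console and auxiliary ports, the SYS PWR LED, and the Cisco IOS software image. There are two ways to connect a PC to a network device to perform configuration and monitoring tasks: in-band management and out-of-band management.
2. Cisco Router and Security Device Manager (SDM) is a graphical user interface (GUI) tool that can be used to configure, monitor and maintain Cisco devices. Cisco SDM is recommended for configuring a new Cisco ISR. The Cisco IOS command line interface (CLI) is a text-based program that lets users configure, monitor and maintain Cisco devices by entering and executing Cisco IOS commands. The Cisco IOS CLI is used for advanced configuration of Cisco devices and to configure older devices that do not support SDM. The configuration checklist job aid is an important tool that helps ensure the customer gets the configuration they want.
3. SDM Express is a tool bundled with Cisco Router and Security Device Manager that simplifies the creation of a basic router configuration. The SDM GUI is more powerful and supports more configuration options. Both SDM and SDM Express use GUI-based configuration wizards to simplify the configuration of Cisco devices. The features that can be configured with these two tools include: basic configuration, LAN IP configuration, DHCP, WAN IP configuration, and NAT.
4. The CLI does not provide step-by-step configuration instructions, so this method requires more careful planning and deeper expertise. Configuring a router with the Cisco IOS CLI uses three modes: privileged EXEC, global configuration, and interface configuration. Context-sensitive help offers suggestions on how to complete a command and how to use additional command parameters.
5. show commands are the basic tools for verifying router configuration and troubleshooting configuration problems. The startup configuration file is stored in NVRAM and is loaded into working memory so that the device can begin operating. The running configuration is the set of commands currently active in the device's RAM. The CLI can be used to configure the router name, passwords, serial and Ethernet interfaces, and DHCP and NAT.
6. Key components of the Cisco Catalyst 2960 series switch include: 24 10/100 Ethernet ports, port status LEDs, the Mode button, the console port, dual-purpose 10/100/1000 or SFP ports, and the Cisco IOS LAN-based software image. The 2960 supports port autonegotiation of duplex mode and speed.
7. Once an IP address is configured on VLAN 1, the switch can be managed remotely using SSH or other TCP/IP applications, such as network management software. The basic switch configuration includes the switch name and the encrypted passwords used to access the switch and the Cisco CLI configuration commands.
8. Network devices installed at the customer location are called customer premise equipment (CPE). When installing customer equipment at the customer site, the whole process must be fully documented, including how the equipment is configured, diagrams of how the equipment is installed, and checklists to validate the installation. When working at the customer site, always follow the workplace culture and the workplace safety requirements.
9. A WAN connection is a type of network connection that can carry network signals over long distances. There are three types of serial WAN connections: point-to-point, circuit switched, and packet switched. Choosing a suitable WAN requires careful planning and consideration. Cisco devices support remote configuration over a WAN connection using Telnet or SSH. SSH is recommended. Some WAN connections support Ethernet interfaces. Other WAN connections support serial interfaces.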