CCNA 4 Practical Exam Notes, by Adam Andersen, TEC CISCO
Contents

PPP with Authentication
Configure PPP PAP / CHAP Authentication
Multi link
Debug serial / PPP
Configure Static/Dynamic NAT
Debug NAT
Configuring GRE
Configuring GRE IPSec
Debug
Configure Frame-Relay
NTP / Timestamp / debugging / SNMP
NTP client
Debugging level
SNMP accesslist
Debug NTP / Time / logging / SNMP / NetFlow

PPP with Authentication

R3(config)# interface serial 0/0/0
R3(config-if)# encapsulation ppp
R3(config-if)# compress [ predictor | stac ]

Configure PPP PAP / CHAP Authentication

R1(config)# username R3 secret class
R1(config)# interface s0/0/0
R1(config-if)# ppp authentication pap
R1(config-if)# ppp pap sent-username R1 password cisco

CHAP

Router(config)# hostname ISP
ISP(config)# username R3 secret cisco
ISP(config)# interface s0/0/0
ISP(config-if)# ppp authentication chap

R3(config)# username ISP secret cisco
R3(config)# interface serial0/1/0
R3(config-if)# ppp authentication chap

Multi link

interface multilink

Debug serial / PPP

show interfaces serial
show controllers
show controllers cbus
show controllers serial
debug ppp authentication

Configure Static/Dynamic NAT

Static

R1(config)# ip nat inside source static 172.16.16.1 64.100.50.1

On the interface with the private IP:
R1(config-if)# ip nat inside

On the interface with the public IP:
R1(config-if)# ip nat outside

Dynamic

R2(config)# ip nat pool dynamic 209.165.76.196 209.165.76.199 netmask 255.255.255.252
R2(config)# access-list 1 permit 172.16.0.0 0.0.255.255
R2(config)# ip nat inside source list 1 pool dynamic

On the interface with the private IP (inside NAT):
R1(config-if)# ip nat inside

On the interface with the public IP (outside NAT):
R1(config-if)# ip nat outside

PAT

R2(config)# ip nat pool R2POOL 209.165.202.129 209.165.202.129 netmask 255.255.255.252
R2(config)# ip access-list standard R2NAT
R2(config)# ip nat inside source list R2NAT pool R2POOL overload

Debug NAT

show running-config
show ip nat translations
show ip nat statistics
show ip nat translation timeout
clear ip nat translation

Configuring GRE

RA(config)# interface tunnel 0
RA(config-if)# ip address 10.10.10.1 255.255.255.252
RA(config-if)# tunnel source serial 0/0/0
RA(config-if)# tunnel destination 209.165.122.2
RA(config-if)# tunnel mode gre ip

Static tunnel route to private IP

RA(config)# ip route 192.168.2.0 255.255.255.0 10.10.10.2
RB(config)# ip route 192.168.1.0 255.255.255.0 10.10.10.1

Configuring GRE IPSec

R1(config)# license boot module c2900 technology-package securityk9

Configure ACL 101 to identify the traffic from the LAN on R1 to the LAN on R2 and R3 as interesting. This interesting traffic will trigger the IPsec VPN to be implemented whenever there is traffic between the R1 LAN and the R2 and R3 LANs. All other traffic sourced from the LANs will not be encrypted. Remember that because of the implicit deny any, there is no need to add a deny statement to the list.

R1(config)# access-list 101 permit ip 10.0.0.0 0.255.255.255 172.16.0.0 0.0.3.255

Configure the ISAKMP Phase 1

Configure the crypto ISAKMP policy 101 properties on R1 along with the shared crypto key cisco. Default values do not have to be configured, so only the encryption, key exchange method, and DH method must be configured.

R1(config)# crypto isakmp policy 101
R1(config-isakmp)# encryption aes
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 5
R1(config-isakmp)# exit

Generate isakmp keys for each peer of

R1(config)# crypto isakmp key cisco address 64.100.13.2
R1(config)# crypto isakmp key cisco address 64.102.46.2

Configure the ISAKMP Phase 2 properties

Create the transform-set VPN-SET to use esp-aes and esp-sha-hmac. Then create the crypto map VPN-MAP that binds all of the Phase 2 parameters together. Use sequence number 101 and identify it as an ipsec-isakmp map.

R1(config)# crypto ipsec transform-set R1_Set esp-aes esp-sha-hmac
R1(config)# crypto map R1_Map 101 ipsec-isakmp
R1(config-crypto-map)# set peer 64.100.13.2
R1(config-crypto-map)# set peer 64.102.46.2
R1(config-crypto-map)# set transform-set R1_Set
R1(config-crypto-map)# match address 101
R1(config-crypto-map)# exit

Configure the crypto map on the outgoing interface.

Finally, bind the R1_Map crypto map to the outgoing Serial 0/0/0 interface. Note: This is not graded.

R1(config)# interface S0/0/0
R1(config-if)# crypto map R1_Map

Debug

show version
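
The interesting-traffic decision described for ACL 101 in the GRE IPSec notes, as an added example that is not part of the original notes: it applies the wildcard-mask match and the implicit deny to a few flows, showing which ones the crypto map would protect. The helper names and the sample flows are assumptions constructed for illustration.

```python
import ipaddress

def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC SRC_WILDCARD DST DST_WILDCARD'."""
    tok = line.split()
    if len(tok) != 8 or tok[0] != "access-list" or tok[3] != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")
    if tok[2] not in ("permit", "deny"):
        raise ValueError(f"unknown action: {tok[2]!r}")
    return {"action": tok[2],
            "src": (_to_int(tok[4]), _to_int(tok[5])),
            "dst": (_to_int(tok[6]), _to_int(tok[7]))}

def wildcard_match(addr, base, wildcard):
    """Wildcard bits set to 1 are ignored; every other bit must equal the base."""
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (base & care)

def is_interesting(aces, src, dst):
    """First matching entry decides; no match falls through to the implicit deny."""
    s, d = _to_int(src), _to_int(dst)
    for ace in aces:
        if wildcard_match(s, *ace["src"]) and wildcard_match(d, *ace["dst"]):
            return ace["action"] == "permit"
    return False

# The single ACL 101 entry from the notes above.
ACL_101 = [parse_ace(
    "access-list 101 permit ip 10.0.0.0 0.255.255.255 172.16.0.0 0.0.3.255")]

# Constructed sample flows (source, destination), not taken from the lab.
FLOWS = [
    ("10.1.1.10", "172.16.0.5"),     # inside both ranges
    ("10.200.0.1", "172.16.3.254"),  # last address covered by 0.0.3.255
    ("10.1.1.10", "172.16.4.1"),     # just outside 172.16.0.0 - 172.16.3.255
    ("192.168.1.5", "172.16.1.1"),   # source is not in 10.0.0.0/8
    ("10.1.1.10", "198.51.100.7"),   # destination is not a remote LAN
]

def classify(flows, aces=ACL_101):
    """Map each flow to 'encrypt' (interesting) or 'cleartext' (implicit deny)."""
    return {f: ("encrypt" if is_interesting(aces, *f) else "cleartext") for f in flows}

if __name__ == "__main__":
    for (src, dst), verdict in classify(FLOWS).items():
        print(f"{src:>12} -> {dst:<14} {verdict}")
```

The third flow is the case to check when reviewing a crypto ACL: a destination one subnet past the wildcard range is forwarded without encryption rather than dropped.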

Configure Frame-Relay

Encapsulation

R1(config)# interface s0/0/0
R1(config-if)# encapsulation frame-relay

Map IP with DLCI

R1(config)# interface s0/0/0
R1(config-if)# frame-relay map ip 10.1.1.2 102 broadcast
R1(config-if)# frame-relay map ip 10.1.1.3 103 broadcast

Set LMI type

R1(config-if)# frame-relay lmi-type ansi

NTP / Timestamp / debugging / SNMP

clock set

NTP server

ntp master 1

NTP client

ntp server [ntp master ip]
ntp update-calendar

Timestamp

R1(config)# service timestamps log datetime msec

Debugging level

R1(config)# logging trap debugging

Syslog

R1(config)# logging 192.168.1.3

SNMP accesslist

R1(config)# ip access-list standard SNMP-ACCESS

SNMP

R1(config-std-nacl)# snmp-server community SA-LAB ro SNMP-ACCESS
R1(config)# snmp-server host 192.168.11.3 version 2c SA-LAB
R1(config)# snmp-server enable traps

R2(config-if)# ip flow ingress
R2(config-if)# ip flow egress
R2(config)# ip flow-export destination 192.168.22.3 9996
R2(config)# ip flow-export version 9

Debug NTP / Time / logging / SNMP / NetFlow

show clock
show ntp associations
show logging
show snmp
show snmp community
show ip cache flow
show ip flow interface