CCNA Study & Labs [Complete]

I kept updating this until I finished studying for the CCNA. The document was created on 17-09-15, and every update bumps the document timestamp so it stays pinned. It mainly records Cisco IOS operations and commands related to the CCNA. (I am not a network engineering major, so some of the views here may not be entirely accurate.) Main references for the labs: the CCNA Study Guide (7th edition) and the 乾颐堂 CCNA 3.0 videos.

The lab environment

Ah, I nearly lost my mind over this lab environment. Last night I spent several hours alone in the lab messing around before I finally got GNS3 working (come on, couldn't you ship an all-in-one environment??). Then I got bogged down by the stupid Cisco IOU license. Why can't the license file just be packaged together with GNS3, damn it. In the end I found a generator written in Python on GitHub, which finally solved the problem.

Addendum from the future: I have no idea why I was so dense back then... this is not troublesome at all...

Then I finally got it configured. This thing eats far too much CPU and memory. I had only placed three devices, without even a topology, and just booting them pushed the VM's CPU to 100%. A terrible learning experience (/smirk). [Even so, I ended up sticking with GNS3... no more fiddling.]

First steps in IOS

IOS seems to always be reached remotely over telnet. I don't understand why I land in privileged mode every time I log in. Privileged mode is a bit like sudo: its prompt is the hash sign **#**, whereas the ordinary (user) mode prompt is the right angle bracket **>**. The commands to enter and leave privileged mode are enable and disable. Let's start by changing the time and time zone.

Time and time zone

Branch>
Branch>enable
Password:
Branch#show clock
16:00:51.683 UTC Fri Nov 21 1997

The time is completely wrong. Let's fix the time zone first, because even if you set the time correctly, a wrong time zone means the time will shift again once you adjust the zone.

First, enter configuration terminal mode:

Branch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Branch(config)#clock timezone BJS +8
Nov 21 16:03:33.660: %SYS-6-CLOCKUPDATE: System clock has been updated from 16:03:33 UTC Fri Nov 21 1997 to 00:03:33 BJS Sat Nov 22 1997, configured from console by console.
Branch(config)#end
Nov 21 16:03:57.150: %SYS-5-CONFIG_I: Configured from console by console
Branch#show clock
00:04:03.333 BJS Sat Nov 22 1997

OK, now let's adjust the time:

Branch#clock set 13:28:00 15 Sep 2017
Sep 15 05:28:00.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 00:04:52 BJS Sat Nov 22 1997 to 13:28:00 BJS Fri Sep 15 2017, configured from console by console.
Branch#show clock
13:28:06.507 BJS Fri Sep 15 2017

That completes the time zone and clock setup.

The first ping

Lab topology: (two Layer 3 routers, connected to each other via their Ethernet0/1 interfaces)

[Figure: ping1]

The job is simple: bring up the interface, set an IP, ping!

First, open HQ's terminal:

HQ#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
HQ(config)#interface e0/1
HQ(config-if)#no shutdown
*Sep 15 05:39:15.873: %LINK-3-UPDOWN: Interface Ethernet0/1, changed state to up
*Sep 15 05:39:16.877: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/1, changed state to up
HQ(config-if)#ip address 192.168.1.2 255.255.255.0
HQ(config-if)#end
*Sep 15 05:39:32.875: %SYS-5-CONFIG_I: Configured from console by console

Note the difference between end and exit here: exit can be understood as going back up one level, whereas end leaves configuration mode altogether.

Next, go to Branch's terminal and run the same commands, but set the IP to 192.168.1.1:

Branch(config-if)#ip address 192.168.1.1 255.255.255.0

That's it. Let's ping:

Branch#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 5/5/6 ms

On the HQ side:

HQ#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/6 ms

Here ! means reachable and . means unreachable.

A bonus here, changing the hostname:

6
HQ#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
HQ(config)#hostname HQ
HQ(config)#hostname Test
Test(config)#hostname HQ
HQ(config)#

Also, setting a password:

HQ#configure terminal
HQ(config)#enable password justin
HQ(config)#end
*Sep 15 09:42:58.855: %SYS-5-CONFIG_I: Configured from console by console
HQ#disable
HQ>enable
Password: # wrong password
Password: # wrong again
Password:
HQ#

Setting an encrypted password:

On older devices this option may not be available. password sets a plaintext password, while the encrypted one is secret. It is set as follows:

HQ#conf ter
Enter configuration commands, one per line. End with CNTL/Z.
HQ(config)#enable password justin
HQ(config)#enable secret justin
The enable secret you have chosen is the same as your enable password.
This is not recommended. Re-enter the enable secret.

HQ(config)#enable secret bieber
HQ(config)#

Configuring virtual terminal lines for remote management

We configure the Branch side and then connect from HQ (they can already ping each other):

Branch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Branch(config)#line vty 4
Branch(config-line)#password justin
Branch(config-line)#transport input all
Branch(config-line)#end
Branch#
Sep 15 10:28:11.083: %SYS-5-CONFIG_I: Configured from console by console

Then switch to the HQ side:

HQ#telnet 192.168.1.1
Trying 192.168.1.1 ... Open

User Access Verification

Password:
Branch>
Branch>show tcp brief
TCB Local Address Foreign Address (state)
F5D0FE10 192.168.1.1.23 192.168.1.2.50223 ESTAB

Saving before ending the lab

Normally the running configuration lives in RAM, so to keep the current running configuration for next time it has to be saved. Saved where? To non-volatile memory (NVRAM).

You can use show XX-config to inspect each configuration:

HQ#show running-config
HQ#show startup-config

If you want to save, you can simply run write, or use copy to copy running-config to startup-config.

HQ#show clock
*18:38:16.862 BJS Fri Sep 15 2017
HQ#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
HQ(config)#end
HQ#
*Sep 15 10:38:36.749: %SYS-5-CONFIG_I: Configured from console by console
HQ#show running-config
Building configuration...

Current configuration : 1991 bytes
!
! Last configuration change at 18:38:36 BJS Fri Sep 15 2017
!
HQ#show startup-config
Using 1991 out of 32768 bytes
!
! Last configuration change at 18:37:44 BJS Fri Sep 15 2017
!
HQ#write
Building configuration...
[OK]
HQ#show startup-config
Using 1991 out of 32768 bytes
!
! Last configuration change at 18:38:36 BJS Fri Sep 15 2017
!

The lab time is 18:38. We forced a change to the running-config and its timestamp reads 18:38, fine, but at this point our startup-config is stale (18:37). After running the write command, the startup-config timestamp has been updated.

In fact, we can also use copy to do a directional copy:

HQ#copy running-config startup-config

To erase all configuration files:

HQ#write erase
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]
Erase of nvram: complete
*Sep 15 10:52:17.132: %SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram
HQ#show startup-config
startup-config is not present

Then, the command to reboot the device:

HQ#reload
Proceed with reload? [confirm]

*Sep 15 10:53:59.786: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload Command.
unix_reload()

If you have not saved at this point:

Branch#reload

System configuration has been modified. Save? [yes/no]:

This prompt is simply asking whether you want to save. Up to you.

IOS's interrupt key is odd: the escape sequence is CTRL+SHIFT+6, while CTRL+C returns to privileged mode.

Miscellaneous

Setting a banner

HQ#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
HQ(config)#banner motd X This is my HQ router! X # first method
HQ(config)#banner motd X # second method
Enter TEXT message. End with the character 'X'.
This is my HQ router!
X
HQ(config)#end
HQ#
*Sep 17 02:22:51.397: %SYS-5-CONFIG_I: Configured from console by console
HQ#logout
# when connecting again:
HQ con0 is now available

Press RETURN to get started.

This is my HQ router!

HQ#

History

HQ#show history
ping 192.168.1.1
ping 192.168.1.2
ping 192.168.1.3
show history
HQ#terminal history size 100

Terminal length

HQ#terminal length ?
<0-512> Number of lines on screen (0 for no pausing)

Pipes

HQ#show history | include show # lines containing show
show history
show history
show history
show history | include show
HQ#show history | section conf # everything related to conf
configure
configure
configure terminal
configure ter
show history | section conf

Password encryption

What does this mean? Didn't we just use secret? Take a look:

HQ#show run
...(omitted)
enable secret 5 $1$l86G$JudkPOGyI5PrPlv0/3zeI1
enable password justin
...(omitted)
line vty 0
password justin
login

Apart from the secret we set, which is encrypted, everything else is in plaintext. That is far too dangerous. In fact a single command takes care of this:

HQ#conf ter
Enter configuration commands, one per line. End with CNTL/Z.
HQ(config)#service password-encryption
HQ(config)#end
HQ#show run
...
enable secret 5 $1$l86G$JudkPOGyI5PrPlv0/3zeI1
enable password 7 0501131C354540
...
line vty 0
password 7 0705345F5A0017
login
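As a check on what service password-encryption actually buys you, here is an added Python example (my own, not code from the original notes or from Cisco). It scans the show run output quoted above and classifies each stored credential: type 5 is a salted one-way hash, but type 7 is a fixed-key XOR that IOS has used since the 1990s, so the "encrypted" type 7 strings above still yield the original password. The only assumptions are the constant key string and the constructed sample config; a config audit should treat every type 7 or plaintext entry as a finding and replace it with enable secret or a login method that does not store line passwords.

```python
"""Audit an IOS configuration for how its passwords are stored.

Added example, not part of the original notes. The sample config is
constructed from the show run output on this page; TYPE7_KEY is the
fixed constant that service password-encryption uses.
"""

# The key every IOS device uses for type-7 "encryption" (publicly documented).
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Constructed sample: the relevant lines from the show run output above.
SAMPLE_CONFIG = """\
enable secret 5 $1$l86G$JudkPOGyI5PrPlv0/3zeI1
enable password 7 0501131C354540
line vty 0
 password 7 0705345F5A0017
 login
"""

# Storage types and how an auditor should treat them.
HASHED_TYPES = {"5", "8", "9"}     # MD5-crypt, PBKDF2-SHA256, scrypt: one-way
REVERSIBLE_TYPES = {"7"}          # XOR with TYPE7_KEY: trivially reversible
PLAINTEXT_TYPES = {"0"}           # "password 0 x" is explicit plaintext


def decode_type7(encoded: str) -> str:
    """Undo type-7 obfuscation: 2-digit key offset, then XOR per hex byte."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("malformed type-7 string")
    offset = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                  for i, b in enumerate(body))
    return plain.decode("ascii")


def audit_config(config: str) -> list:
    """Return (line_no, classification, recovered_value) for each credential.

    recovered_value is None for one-way hashes, the recovered plaintext for
    type 7, and the literal password for plaintext entries.
    """
    findings = []
    for line_no, line in enumerate(config.splitlines(), start=1):
        tokens = line.split()
        try:
            idx = next(i for i, t in enumerate(tokens) if t in ("password", "secret"))
        except StopIteration:
            continue
        rest = tokens[idx + 1:]
        if not rest:
            continue
        known_types = HASHED_TYPES | REVERSIBLE_TYPES | PLAINTEXT_TYPES
        if len(rest) >= 2 and rest[0] in known_types:
            ptype, value = rest[0], rest[1]
        else:
            ptype, value = "0", rest[0]    # no type digit: stored as plaintext
        if ptype in HASHED_TYPES:
            findings.append((line_no, "hashed", None))
        elif ptype in REVERSIBLE_TYPES:
            findings.append((line_no, "reversible", decode_type7(value)))
        else:
            findings.append((line_no, "plaintext", value))
    return findings


if __name__ == "__main__":
    for line_no, kind, value in audit_config(SAMPLE_CONFIG):
        print(f"line {line_no}: {kind}" + (f" ({value})" if value else ""))
```

Running it on the sample reports line 1 as hashed and lines 2 and 4 as reversible, both recovering "justin": the command hides the password from a casual glance at the screen, nothing more.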

LAN

Viewing the MAC table (switches only; that is, Layer 2 devices, and only Layer 2 devices have this MAC table):

Switch#show mac address-table
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----

So how is the MAC address table built? By default through automatic learning (dynamic: when the switch forwards or floods an Ethernet frame, it takes the MAC address from the source field and associates it with the ingress port); entries can also be added statically.
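To make the learning rule concrete, here is an added Python model of a switch (my own example, not code from the original notes): each received frame teaches the switch where its source MAC lives, and the destination MAC then decides between forwarding to one port, flooding to all others, or filtering. The port names and MAC addresses are constructed to mirror the two-entry table that the bonus section below shows after the ping test.

```python
"""Simulate dynamic MAC learning on a switch.

Added example, not part of the original notes. The port names and MAC
addresses are constructed to mirror the two-entry table shown on this
page (Branch on Et0/0, PC1 on Et0/1).
"""
from dataclasses import dataclass, field

BROADCAST = "ffff.ffff.ffff"


@dataclass
class Frame:
    src: str   # source MAC, Cisco dotted notation
    dst: str   # destination MAC


@dataclass
class Switch:
    ports: list
    table: dict = field(default_factory=dict)   # MAC -> (port, "DYNAMIC"|"STATIC")

    def add_static(self, mac: str, port: str) -> None:
        """A static entry is configured by hand and never overwritten by learning."""
        self.table[mac.lower()] = (port, "STATIC")

    def receive(self, in_port: str, frame: Frame) -> list:
        """Learn the frame's source, then decide where to send it.

        Returns the egress ports: one port for a known unicast destination,
        every other port for a broadcast or unknown unicast, and nothing
        when the destination is known to sit on the ingress port.
        """
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port}")
        src, dst = frame.src.lower(), frame.dst.lower()
        # Learning: associate the source MAC with the ingress port.
        if self.table.get(src, (None, "DYNAMIC"))[1] == "DYNAMIC":
            self.table[src] = (in_port, "DYNAMIC")
        if dst == BROADCAST or dst not in self.table:
            return self._flood(in_port)
        out_port = self.table[dst][0]
        return [] if out_port == in_port else [out_port]

    def _flood(self, in_port: str) -> list:
        return [p for p in self.ports if p != in_port]

    def show_mac_address_table(self) -> list:
        """Rows (port, mac, type) in the order show mac address-table lists them."""
        return sorted((port, mac, kind) for mac, (port, kind) in self.table.items())


def demo() -> Switch:
    """Replay the lab's ping: Branch ARPs (broadcast), PC1 replies (unicast)."""
    sw = Switch(ports=["Et0/0", "Et0/1", "Et0/2", "Et0/3"])
    branch, pc1 = "aabb.cc00.0100", "aabb.cc00.0410"
    sw.receive("Et0/0", Frame(src=branch, dst=BROADCAST))   # ARP request floods
    sw.receive("Et0/1", Frame(src=pc1, dst=branch))         # reply goes only to Et0/0
    return sw


if __name__ == "__main__":
    for row in demo().show_mac_address_table():
        print(*row)
```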

Managing a switch remotely from a router and a host

Lab topology:

[Figure: topology]

Note: in this lab PC1 and Branch are actually the same kind of device (this does not affect the lab, since both are data terminal equipment while the switch is data communication equipment), but on PC1 we disabled routing, whereas Branch has routing enabled.

PC1(config)#no ip routing
PC1(config)#

Also, enable routing on the switch:

SW1(config)#ip routing 

Now let's set up the environment:

Router:

Branch#conf terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Branch(config)#interface e0/0
Branch(config-if)#no shu
*Sep 16 07:50:30.459: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
*Sep 16 07:50:31.468: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to up
Branch(config-if)#ip address 10.1.10.254 255.255.255.0
Branch(config-if)#end
Branch#
*Sep 16 07:50:55.772: %SYS-5-CONFIG_I: Configured from console by console

Host:

PC1#conf ter
Enter configuration commands, one per line. End with CNTL/Z.
PC1(config)#interface e0/1
PC1(config-if)#no shu
*Sep 16 07:51:38.765: %LINK-3-UPDOWN: Interface Ethernet0/1, changed state to up
*Sep 16 07:51:39.774: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/1, changed state to up
PC1(config-if)#ip address 10.1.10.100 255.255.255.0
PC1(config-if)#exi
PC1(config)#ip default-gateway 10.1.10.254

Switch:

# First, check the MAC address table; the bonus at the end will come back to it
SW1#show mac address-table
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
SW1#conf ter
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#interface vlan 1
SW1(config-if)#no shut
SW1(config-if)#ip address
*Sep 16 07:57:12.448: %LINK-3-UPDOWN: Interface Vlan1, changed state to up
*Sep 16 07:57:13.450: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
SW1(config-if)#ip address 10.1.10.99 255.255.255.0
SW1(config-if)#exi
SW1(config)#ip default-gateway 10.1.10.254
SW1(config)#end
SW1#
*Sep 16 07:57:50.319: %SYS-5-CONFIG_I: Configured from console by console

Ping test:

SW1#ping 10.1.10.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.10.254, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 5/5/6 ms
SW1#ping 10.1.10.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.10.100, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 2/4/5 ms

Success. Next, telnet in remotely:

Host:

PC1#telnet 10.1.10.99
Trying 10.1.10.99 ... Open


Password required, but none set

[Connection to 10.1.10.99 closed by foreign host]

Something went wrong. It turns out the vty password had not been set:

SW1#conf ter
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#line vty 0 4
SW1(config-line)#password justin
SW1(config-line)#end
SW1#
*Sep 16 08:04:17.977: %SYS-5-CONFIG_I: Configured from console by console

Try again:

PC1#telnet 10.1.10.99
Trying 10.1.10.99 ... Open

User Access Verification

Password:
SW1>

Remote management from the router works as well. Lab complete.

Bonus:

SW1#show mac address-table 
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
1 aabb.cc00.0100 DYNAMIC Et0/0
1 aabb.cc00.0410 DYNAMIC Et0/1
Total Mac Addresses for this criterion: 2

These entries were learned while we were running the ping tests.

Also, when you log in to a device remotely to manage it, you may notice that your remote session shows no log output, while the device actually being operated displays it on its own console. That's not great, because logs give us a lot of useful information. How do we enable it?

SW1#conf ter
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#end

On the other side:

*Sep 17 03:58:42.057: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.10.254)

Now we enable it:

SW1#terminal monitor 
SW1#conf ter
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#end
SW1#
*Sep 17 03:59:31.949: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.10.254)

Subnets and simple static routes

Lab topology:

[Figure: subnet2]

As before, start by configuring IP addresses and interfaces:

HQ:

HQ#conf ter
Enter configuration commands, one per line. End with CNTL/Z.
HQ(config)#inte e0/1
HQ(config-if)#no shut
*Sep 17 03:17:47.514: %LINK-3-UPDOWN: Interface Ethernet0/1, changed state to up
*Sep 17 03:17:48.519: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/1, changed state to up
HQ(config-if)#ip address 192.168.1.1 255.255.255.0
HQ(config-if)#exi
HQ(config)#inter e0/0
HQ(config-if)#no shut
*Sep 17 03:18:13.821: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
*Sep 17 03:18:14.827: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to up
HQ(config-if)#ip address 10.1.10.23 255.255.255.240
HQ(config-if)#end
HQ#
*Sep 17 03:19:13.905: %SYS-5-CONFIG_I: Configured from console by console

Branch:

Branch#conf ter
Enter configuration commands, one per line. End with CNTL/Z.
Branch(config)#inter e0/1
Branch(config-if)#no shut
Branch(config-if)#ip address 192.1
*Sep 17 03:20:51.347: %LINK-3-UPDOWN: Interface Ethernet0/1, changed state to up
*Sep 17 03:20:52.349: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/1, changed state to up
Branch(config-if)#ip address 192.168.1.2 255.255.255.252
Branch(config-if)#exi
Branch(config)#inter e0/0
Branch(config-if)#ip address 172.16.1.100 255.255.255.248
Branch(config-if)#end
Branch#
*Sep 17 03:22:30.740: %SYS-5-CONFIG_I: Configured from console by console

Before the ping test, let's look at both routing tables:

HQ:

HQ#show ip rou
...(omitted)
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.1.10.16/28 is directly connected, Ethernet0/0
L 10.1.10.23/32 is directly connected, Ethernet0/0
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, Ethernet0/1
L 192.168.1.1/32 is directly connected, Ethernet0/1

Branch:

Branch#show ip rou
...(omitted)
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.1.96/29 is directly connected, Ethernet0/0
L 172.16.1.100/32 is directly connected, Ethernet0/0
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/30 is directly connected, Ethernet0/1
L 192.168.1.2/32 is directly connected, Ethernet0/1

So, here's the question: can the two routers communicate directly right now?

Let's test it:

HQ#ping 192.168.1.2 source e0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/5 m

On the other side:

Branch#ping 192.168.1.1 source e0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/5 ms

Even though their subnet masks differ there is no problem, but the two e0/0 interfaces (which are what we actually need) cannot communicate. To make them communicate we can manually add a static route:

HQ:

HQ(config)#ip route 172.16.1.96 255.255.255.248 e0/1 
HQ(config)#end
HQ#
*Sep 17 03:33:43.157: %SYS-5-CONFIG_I: Configured from console by console
HQ#ping 172.16.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.100, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 6/6/6 ms

Branch:

Branch(config)#ip route 10.1.10.16 255.255.255.240 e0/1
Branch(config)#end
Branch#
*Sep 17 03:36:40.131: %SYS-5-CONFIG_I: Configured from console by console
Branch#ping 10.1.10.23
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.10.23, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 5/6/8 ms

Now let's look at their routes again:

HQ#show ip route 
...(omitted)
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.1.10.16/28 is directly connected, Ethernet0/0
L 10.1.10.23/32 is directly connected, Ethernet0/0
172.16.0.0/29 is subnetted, 1 subnets
S 172.16.1.96 is directly connected, Ethernet0/1
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, Ethernet0/1
L 192.168.1.1/32 is directly connected, Ethernet0/1

The S indicates that the route is a static route.

You can also ask for them directly:

Branch#show ip route static 
...(omitted)
10.0.0.0/28 is subnetted, 1 subnets
S 10.1.10.16 is directly connected, Ethernet0/1

Lab complete.

Bonus material:

Packets and fragmentation

The default MTU is 1500; we can get the value by inspecting the interface:

HQ#show inter e0/1
Ethernet0/1 is up, line protocol is up
Hardware is AmdP2, address is aabb.cc00.0110 (bia aabb.cc00.0110)
Internet address is 192.168.1.1/24
MTU 1500 bytes, BW 10000 Kbit/sec, DLY 1000 usec,
...(omitted)

Our Branch is the same:

Branch#show inter e0/1
Ethernet0/1 is up, line protocol is up
Hardware is AmdP2, address is aabb.cc00.0310 (bia aabb.cc00.0310)
Internet address is 192.168.1.2/24
MTU 1500 bytes, BW 10000 Kbit/sec, DLY 1000 usec,
...(omitted)

Next, the familiar ping:

Branch#ping 192.168.1.1 df-bit 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with the DF bit set
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/6 ms

A qualifier was added here, df-bit, and in the command output we can see the text DF. What is that? DF means Don't Fragment, i.e. do not split the packet. The result above tells us nothing, because the packet sent is only 100 bytes. Now let's send packets larger than 1500:

Branch#ping 192.168.1.1 df-bit size 1501
Type escape sequence to abort.
Sending 5, 1501-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with the DF bit set
.....
Success rate is 0 percent (0/5)

It no longer gets through. Remove the DF flag:

Branch#ping 192.168.1.1 size 1501       
Type escape sequence to abort.
Sending 5, 1501-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/6 ms

Sent successfully.
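What the router did with the 1501-byte echo in the two runs above, as an added Python model (my own example, not code from the original notes): a datagram that fits the egress MTU is sent whole; one that does not fit is dropped when DF is set, which is the "....." run, and otherwise split into fragments whose payloads (except the last) are multiples of 8 bytes, since the IP offset field counts 8-byte units. It assumes a minimal 20-byte IP header with no options; the sizes are the ones used on this page.

```python
"""Model MTU handling for the ping size / df-bit experiment above.

Added example, not part of the original notes. The numbers are the ones
from the page (MTU 1500, 100- and 1501-byte echoes); the IP header is
assumed to be the minimal 20 bytes with no options.
"""
IP_HEADER = 20


def fragment(total_length: int, mtu: int, df: bool) -> list:
    """Return the IP fragments a router emits for one datagram.

    Each fragment is (offset_bytes, fragment_total_length, more_fragments).
    A datagram that fits the MTU is sent as-is. One that does not fit is
    dropped when DF is set (the sender gets ICMP 'fragmentation needed';
    ping prints '.'), otherwise split so that every fragment's payload
    except the last is a multiple of 8 bytes.
    """
    if total_length < IP_HEADER or mtu < IP_HEADER + 8:
        raise ValueError("invalid datagram length or MTU")
    if total_length <= mtu:
        return [(0, total_length, False)]
    if df:
        return []                                   # dropped: needs fragmentation
    payload = total_length - IP_HEADER
    per_fragment = (mtu - IP_HEADER) // 8 * 8       # largest 8-byte multiple that fits
    fragments, offset = [], 0
    while offset < payload:
        size = min(per_fragment, payload - offset)
        more = offset + size < payload
        fragments.append((offset, IP_HEADER + size, more))
        offset += size
    return fragments


def reassemble_length(fragments: list) -> int:
    """Length of the original datagram implied by a complete, in-order fragment set."""
    if not fragments or fragments[-1][2]:
        raise ValueError("incomplete fragment set")
    expected = 0
    for offset, length, _ in fragments:
        if offset != expected:
            raise ValueError("gap or overlap in fragments")
        expected += length - IP_HEADER
    return IP_HEADER + expected


def echo_outcome(size: int, mtu: int, df: bool) -> str:
    """What one ping echo prints: '!' if the datagram could leave, '.' if dropped."""
    return "!" if fragment(size, mtu, df) else "."


if __name__ == "__main__":
    print("df-bit size 1501:", echo_outcome(1501, 1500, df=True) * 5)
    print("size 1501:       ", echo_outcome(1501, 1500, df=False) * 5)
    print(fragment(1501, 1500, df=False))
```

For 1501 bytes over a 1500-byte MTU the model yields a 1500-byte first fragment (20-byte header plus 1480 bytes of payload) followed by a 21-byte second fragment carrying the single remaining byte, which is why the un-flagged run succeeds while the DF run fails.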

I'm hooked; one more small experiment with subnet broadcast:

HQ#ping 192.168.1.255
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.255, timeout is 2 seconds:

Reply to request 0 from 192.168.1.2, 6 ms
Reply to request 1 from 192.168.1.2, 5 ms
Reply to request 2 from 192.168.1.2, 5 ms
Reply to request 3 from 192.168.1.2, 5 ms

Heh, we got replies from Branch. Now try it from Branch's side:

Branch#ping 192.168.1.155
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.155, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Huh? Nobody answers? Remember that we deliberately gave them different subnet masks above, so Branch's broadcast address should be:

Branch#ping 192.168.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:

Reply to request 0 from 192.168.1.1, 4 ms
Reply to request 1 from 192.168.1.1, 5 ms
Reply to request 2 from 192.168.1.1, 4 ms

That works.
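The subnet arithmetic behind both the static routes and the broadcast pings above, as an added Python example (my own, not code from the original notes): it derives the "C" network that IOS installs for each interface, builds the matching ip route line, and classifies a destination the way a host on that link would see it. With HQ on 192.168.1.1/24 and Branch on 192.168.1.2/30, 192.168.1.255 is HQ's subnet broadcast, 192.168.1.3 is Branch's, and 192.168.1.155 is off-link for Branch, which is why nobody answered it. Only the addresses and masks configured on this page are used.

```python
"""Work out the subnet facts behind the static-route and broadcast pings above.

Added example, not part of the original notes. Addresses and masks are the
ones configured on HQ and Branch in this lab; nothing else is assumed.
"""
import ipaddress

# Interfaces as configured on the page.
HQ_E00, HQ_E01 = "10.1.10.23/28", "192.168.1.1/24"
BRANCH_E00, BRANCH_E01 = "172.16.1.100/29", "192.168.1.2/30"


def connected_route(address_with_mask: str) -> str:
    """The 'C' route IOS installs for an interface: its network in CIDR form."""
    return str(ipaddress.ip_interface(address_with_mask).network)


def static_route_for(remote_address_with_mask: str, exit_interface: str) -> str:
    """The interface-only ip route command that reaches a remote interface's subnet."""
    net = ipaddress.ip_interface(remote_address_with_mask).network
    return f"ip route {net.network_address} {net.netmask} {exit_interface}"


def classify_destination(dst: str, address_with_mask: str) -> str:
    """How a host on this interface sees a destination address."""
    iface = ipaddress.ip_interface(address_with_mask)
    dst_ip = ipaddress.ip_address(dst)
    if dst_ip == iface.ip:
        return "self"
    if dst_ip == iface.network.broadcast_address:
        return "subnet-broadcast"
    if dst_ip in iface.network:
        return "on-link host"
    return "off-link"


def mask_mismatch(a: str, b: str) -> bool:
    """True when two addresses that share a link disagree about the subnet."""
    return ipaddress.ip_interface(a).network != ipaddress.ip_interface(b).network


if __name__ == "__main__":
    for name, addr in [("HQ e0/0", HQ_E00), ("HQ e0/1", HQ_E01),
                       ("Branch e0/0", BRANCH_E00), ("Branch e0/1", BRANCH_E01)]:
        print(f"{name}: C {connected_route(addr)}")
    print(static_route_for(BRANCH_E00, "e0/1"))
    print(static_route_for(HQ_E00, "e0/1"))
    for dst in ("192.168.1.255", "192.168.1.3", "192.168.1.155"):
        print(dst, "from Branch:", classify_destination(dst, BRANCH_E01))
```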

ARP lab

Same lab topology as above:

[Figure: subnet2]

The routing configuration stays unchanged; now let's experiment again. First, I tampered with something on HQ; I won't say what just yet. Let's run the ping test again:

HQ#ping 172.16.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.100, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/4/5 ms

It gets through. Now the ping test from Branch:

Branch#ping 10.1.10.16
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.10.16, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

It fails, yet HQ->Branch works. Let's look at Branch's ARP table:

Branch#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.1.10.16 0 Incomplete ARPA
Internet 172.16.1.100 - aabb.cc00.0300 ARPA Ethernet0/0
Internet 192.168.1.1 1 aabb.cc00.0110 ARPA Ethernet0/1
Internet 192.168.1.2 - aabb.cc00.0310 ARPA Ethernet0/1

We all know ARP's job is to map between MAC and IP addresses, especially on the directly connected routes in this lab. We clearly configured a static route, yet still cannot ping 10.1.10.16. The cause lies on the HQ side:

HQ#sh ip interface e0/1
Ethernet0/1 is up, line protocol is up
Internet address is 192.168.1.1/24
...(omitted)
Proxy ARP is disabled

Proxy ARP was disabled! That is why Branch could not obtain a MAC address: our HQ would not tell it. This shows that routing really has two parts: decision and execution. Having a path is not enough; there also has to be action.

Re-enable proxy ARP on interface e0/1 and Branch can communicate again.

HQ#conf ter
Enter configuration commands, one per line. End with CNTL/Z.
HQ(config)#inter e0/1
HQ(config-if)#ip proxy-arp
HQ(config-if)#end

Branch:

Branch#ping 10.1.10.16
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.10.16, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 5/5/5 ms

Note: the first packet will never get through. Also, if you want to reproduce the Incomplete MAC entry, remember to clear Branch's ARP cache first.

Likewise, if you disable HQ's proxy ARP again now, the ping test still succeeds. That is because Branch has the ARP entry cached (and the aging time of this cache is very long).

This lab also shows that a static route specified only by its outgoing interface has drawbacks; the better approach is to specify the next hop, like this:

Branch(config)#no ip route 10.1.10.16 255.255.255.240

Remove the route first; the ping now fails.

Then rewrite the route, this time in next-hop form:

Branch(config)#ip route 10.1.10.16 255.255.255.240 192.168.1.1

Disable HQ's proxy ARP and clear the local ARP cache:

HQ#conf ter
Enter configuration commands, one per line. End with CNTL/Z.
HQ(config)#inter e0/1
HQ(config-if)#no ip proxy-arp
HQ(config-if)#end
HQ#
*Sep 17 08:38:08.122: %SYS-5-CONFIG_I: Configured from console by console

Branch:

Branch#clear ip arp 10.1.10.16
Branch#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 172.16.1.100 - aabb.cc00.0300 ARPA Ethernet0/0
Internet 192.168.1.1 23 aabb.cc00.0110 ARPA Ethernet0/1
Internet 192.168.1.2 - aabb.cc00.0310 ARPA Ethernet0/1

The exciting moment:

Branch#ping 10.1.10.16
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.10.16, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/5 ms

Super smooth.

Branch#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 172.16.1.100 - aabb.cc00.0300 ARPA Ethernet0/0
Internet 192.168.1.1 0 aabb.cc00.0110 ARPA Ethernet0/1
Internet 192.168.1.2 - aabb.cc00.0310 ARPA Ethernet0/1

The ARP entry for the destination is gone too, so another benefit of this approach is that it saves resources.

Also, to be safe, you can actually specify both the interface and the next hop. The final configuration is:

Branch(config)#ip route 10.1.10.16 255.255.255.240 e0/1 192.168.1.1
Branch(config)#do sh ip rou
...(omitted)
10.0.0.0/28 is subnetted, 1 subnets
S 10.1.10.16 [1/0] via 192.168.1.1, Ethernet0/1
...(omitted)

Don't forget to delete the previous route first.
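The dependency this lab exposes, modelled as an added Python example (my own, not code from the original notes): with an interface-only static route the router must ARP for the final destination itself, so it only succeeds if a neighbour with proxy ARP enabled answers for that address; with a next-hop route it ARPs for the next hop, which always answers for its own address, and the cache never holds an entry for 10.1.10.16. The MACs and addresses follow this page's sh arp output; the shared link is a constructed in-memory segment, and only the routing and ARP decisions are modelled, not the dropped first packet.

```python
"""Model why an interface-only static route depends on the neighbour's
proxy ARP while a next-hop route does not.

Added example, not part of the original notes. Routers, MACs and addresses
follow this page's sh arp output; the shared link is a constructed
in-memory segment, and only the routing/ARP decision is modelled.
"""
import ipaddress

INCOMPLETE = "Incomplete"


class Router:
    def __init__(self, name, mac, link_address, proxy_arp=False, other_connected=()):
        self.name = name
        self.mac = mac
        self.link_if = ipaddress.ip_interface(link_address)
        self.proxy_arp = proxy_arp
        # Other directly connected networks (e.g. HQ's e0/0, 10.1.10.16/28).
        self.connected = [ipaddress.ip_network(n) for n in other_connected]
        self.routes = []      # (network, next_hop_or_None)
        self.arp = {}         # target ip -> mac, or INCOMPLETE
        self.neighbours = []  # routers on the same link

    def add_route(self, prefix, next_hop=None):
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def remove_route(self, prefix):
        net = ipaddress.ip_network(prefix)
        self.routes = [r for r in self.routes if r[0] != net]

    def can_reach(self, ip):
        ip = ipaddress.ip_address(ip)
        return (ip in self.link_if.network
                or any(ip in n for n in self.connected)
                or any(ip in n for n, _ in self.routes))

    def answer_arp(self, target):
        """Reply for our own address, or for any reachable address if proxy ARP is on."""
        target = ipaddress.ip_address(target)
        if target == self.link_if.ip:
            return self.mac
        if self.proxy_arp and self.can_reach(target):
            return self.mac
        return None

    def arp_target_for(self, dst):
        """Which address must be resolved on the link to forward towards dst."""
        ip = ipaddress.ip_address(dst)
        if ip in self.link_if.network:
            return dst                                  # directly connected
        matching = [r for r in self.routes if ip in r[0]]
        if not matching:
            raise LookupError(f"{self.name}: no route to {dst}")
        _, next_hop = max(matching, key=lambda r: r[0].prefixlen)
        return next_hop if next_hop else dst            # interface-only: ARP for dst itself

    def resolve(self, dst):
        """ARP for the right target and cache the answer as sh arp would show it."""
        target = self.arp_target_for(dst)
        cached = self.arp.get(target)
        if cached and cached != INCOMPLETE:
            return cached                               # served from the ARP cache
        for nb in self.neighbours:
            mac = nb.answer_arp(target)
            if mac:
                self.arp[target] = mac
                return mac
        self.arp[target] = INCOMPLETE
        return None


def build_lab():
    """Branch and HQ on the 192.168.1.0 link, HQ owning 10.1.10.16/28 behind it."""
    branch = Router("Branch", "aabb.cc00.0310", "192.168.1.2/30")
    hq = Router("HQ", "aabb.cc00.0110", "192.168.1.1/24", other_connected=["10.1.10.16/28"])
    branch.neighbours.append(hq)
    hq.neighbours.append(branch)
    return branch, hq


if __name__ == "__main__":
    branch, hq = build_lab()
    branch.add_route("10.1.10.16/28")                   # interface-only route
    print("proxy ARP off:", branch.resolve("10.1.10.16"), branch.arp)
    hq.proxy_arp = True
    print("proxy ARP on: ", branch.resolve("10.1.10.16"), branch.arp)
```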

Static routes & floating routes

Default route lab:

Lab topology:

[Figure: route1]

The router configuration is omitted; it is basically the same as in the previous labs.

Now we write a specific route (i.e. a non-default route) on HQ.

HQ(config)#ip route 10.1.10.0 255.255.255.0 e0/1 192.168.1.1

Check it:

HQ#sh ip rou
...(omitted)
10.0.0.0/24 is subnetted, 1 subnets
S 10.1.10.0 [1/0] via 192.168.1.1, Ethernet0/1

Next, give Branch a default route. A default route is simply 0.0.0.0/0.

Branch#conf ter
Enter configuration commands, one per line. End with CNTL/Z.
Branch(config)#ip route 0.0.0.0 0.0.0.0 e0/1
%Default route without gateway, if not a point-to-point interface, may impact performance
Branch(config)#no ip route 0.0.0.0 0.0.0.0 e0/1
Branch(config)#ip route 0.0.0.0 0.0.0.0 e0/1 192.168.1.2

The first configuration above produced a warning: if you are not on a point-to-point network, this may affect performance.

Of course, not every packet can leave through a single exit, or our Branch would be worked to death.

So the best approach is to specify both the next hop and the outgoing interface.

Configuration done; now let's look at the routing table:

Branch#sh ip ro
S* 0.0.0.0/0 [1/0] via 192.168.1.2, Ethernet0/1
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

What is this S*? It is called a candidate default route.

From this lab we move on to the floating-route lab:

Static default routes and routing load balancing

Lab topology:

[Figure: route4]

(Oh man, drawing the diagram was exhausting.)

First configure everything as shown in the lab topology.

I'm getting more and more fluent at configuring, haha.

You can refer to the configuration below, though of course I suggest doing it yourself~

PC1 [simulated by a router]:

PC1#conf ter
Enter configuration commands, one per line. End with CNTL/Z.
PC1(config)#inter e0/1
PC1(config-if)#no sh
PC1(config-if)#ip addr 10.1.
*Sep 17 13:33:43.877: %LINK-3-UPDOWN: Interface Ethernet0/1, changed state to up
*Sep 17 13:33:44.882: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/1, changed state to up
PC1(config-if)#ip addr 10.1.10.100 255.255.255.0
PC1(config-if)#exi
PC1(config)#ip default-gateway 10.1.10.254
PC1(config)#no ip routing
PC1(config)#end
PC1#
*Sep 17 13:34:18.742: %SYS-5-CONFIG_I: Configured from console by console

Branch:

Branch#conf ter
Enter configuration commands, one per line. End with CNTL/Z.
Branch(config)#inter e0/0
Branch(config-if)#no sh
Branch(config-if)#ip address
*Sep 17 13:36:02.132: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
*Sep 17 13:36:03.139: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to up
Branch(config-if)#ip address 10.1.10.254 255.255.255.0
Branch(config-if)#exi
Branch(config)#inte e0/1
Branch(config-if)#no sh
Branch(config-if)#ip addre 1
*Sep 17 13:36:24.959: %LINK-3-UPDOWN: Interface Ethernet0/1, changed state to up
*Sep 17 13:36:25.965: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/1, changed state to up
Branch(config-if)#ip addre 192.168.1.1 255.255.255.0
Branch(config-if)#exi
Branch(config)#ip route 0.0.0.0 0.0.0.0 e0/1 192.168.1.2
Branch(config)#end
Branch#
*Sep 17 13:36:36.208: %SYS-5-CONFIG_I: Configured from console by console

HQ:

HQ#conf ter
Enter configuration commands, one per line. End with CNTL/Z.
HQ(config)#inte e0/1
HQ(config-if)#no sh
HQ(config-if)#ip addr 192.168.1
*Sep 17 13:37:21.008: %LINK-3-UPDOWN: Interface Ethernet0/1, changed state to up
*Sep 17 13:37:22.013: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/1, changed state to up
HQ(config-if)#ip addr 192.168.1.2 255.255.255.0
HQ(config-if)#exi
HQ(config)#inte e0/0
HQ(config-if)#no sh
HQ(config-if)#ip addr
*Sep 17 13:37:33.536: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
*Sep 17 13:37:34.537: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to up
HQ(config-if)#ip addr 172.16.1.1 255.255.255.0
HQ(config-if)#exi
HQ(config)#ip route 0.0.0.0 0.0.0.0 e0/1 192.168.1.1
HQ(config)#end
*Sep 17 13:37:53.594: %SYS-5-CONFIG_I: Configured from console by console

Server [simulated by a router]:

Server#conf ter
Enter configuration commands, one per line. End with CNTL/Z.
Server(config)#inte e0/0
Server(config-if)#no sh
Server(config-if)#ip address 172.1
*Sep 17 13:38:18.541: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
*Sep 17 13:38:19.547: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to up
Server(config-if)#ip address 172.16.1.2 255.255.255.0
Server(config-if)#exi
Server(config)#no ip routing
Server(config)#ip default-gateway 172.16.1.1
Server(config)#end
Server#
*Sep 17 13:38:54.270: %SYS-5-CONFIG_I: Configured from console by console

Ping test:

PC1 -> Server:

PC1#ping 172.16.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms

Server -> PC1:

Server#ping 10.1.10.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.10.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

OK, they can communicate.

Continuing from above, let's implement load balancing in the routing table. Now we add a serial line between Branch and HQ, so it becomes this:

[Figure: route6]

Start configuring the serial interfaces between Branch and HQ:

HQ#conf ter
Enter configuration commands, one per line. End with CNTL/Z.
HQ(config)#inter s2/0
HQ(config-if)#no sh
HQ(config-if)#ip address 200.
*Sep 17 14:14:05.632: %LINK-3-UPDOWN: Interface Serial2/0, changed state to up
*Sep 17 14:14:06.633: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to up
HQ(config-if)#ip address 200.202.100.2 255.255.255.0
HQ(config-if)#end
HQ#ping
*Sep 17 14:14:15.225: %SYS-5-CONFIG_I: Configured from console by console
HQ#ping 200.202.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.202.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/9/10 ms

Branch is done the same way.

Branch#conf ter 
Enter configuration commands, one per line. End with CNTL/Z.
Branch(config)#ip route 0.0.0.0 0.0.0.0 s2/0
Branch(config)#end
Branch#
*Sep 17 14:15:14.748: %SYS-5-CONFIG_I: Configured from console by console

No warning this time, see? Look at the routing table and you will see two next hops. This is routing-table load balancing.

Also, if you check the ARP table, you will find that a serial line has no ARP entries.

Floating static route lab

A floating route is really about administrative distance (or call it priority). If we raise the distance of the serial-interface route we just set up, we get a floating route, i.e. that entry becomes the backup.

Branch#conf ter
Enter configuration commands, one per line. End with CNTL/Z.
Branch(config)#ip route 0.0.0.0 0.0.0.0 s2/0 10
Branch(config)#end
Branch#sh i
*Sep 17 14:23:15.496: %SYS-5-CONFIG_I: Configured from console by console
Branch#sh ip rou
S* 0.0.0.0/0 [1/0] via 192.168.1.2, Ethernet0/1
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.1.10.0/24 is directly connected, Ethernet0/0
L 10.1.10.254/32 is directly connected, Ethernet0/0
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, Ethernet0/1
L 192.168.1.1/32 is directly connected, Ethernet0/1
200.202.100.0/24 is variably subnetted, 2 subnets, 2 masks
C 200.202.100.0/24 is directly connected, Serial2/0
L 200.202.100.1/32 is directly connected, Serial2/0
Branch#

See, the earlier default route no longer shows up. Let's test it:

First add the route on HQ:

HQ#conf ter
Enter configuration commands, one per line. End with CNTL/Z.
HQ(config)#ip route 10.1.10.0 255.255.255.0 s2/0
HQ(config)#end
HQ#
*Sep 17 14:25:26.060: %SYS-5-CONFIG_I: Configured from console by console

Next, shut down the interface:

Branch#conf ter
Enter configuration commands, one per line. End with CNTL/Z.
Branch(config)#inte e0/1
Branch(config-if)#sh
Branch(config-if)#end
Branch#
*Sep 17 14:26:19.050: %SYS-5-CONFIG_I: Configured from console by console
Branch#
*Sep 17 14:26:20.541: %LINK-5-CHANGED: Interface Ethernet0/1, changed state to administratively down
*Sep 17 14:26:21.545: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/1, changed state to down

Same on HQ: (a note here: the video I watched said that if you shut down the interface on one end, the interface on the other end drops automatically, but the simulator does not seem to do this)

HQ#conf te
Enter configuration commands, one per line. End with CNTL/Z.
HQ(config)#inte e0/1
HQ(config-if)#sh
HQ(config-if)#end
HQ#
*Sep 17 14:26:45.056: %SYS-5-CONFIG_I: Configured from console by console
HQ#
HQ#
*Sep 17 14:26:46.287: %LINK-5-CHANGED: Interface Ethernet0/1, changed state to administratively down
*Sep 17 14:26:47.292: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/1, changed state to down

Now ping Server from PC1 again:

PC1#ping 172.16.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 9/9/10 ms

Server can also communicate normally with PC1.

Looking at the routing table now, you can see the s2/0 entry.

Floating route lab complete.

Bonus:

If you run a large number of pings at this point, the drop in speed is obvious.

PC1#ping 172.16.1.2 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/1/6 ms
-------divider: before / after shutting down the interface-----------
PC1#ping 172.16.1.2 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 6/9/12 ms

Routing rules

Longest prefix match

What is the longest-match rule? It simply means that the more specific route is preferred. We reuse the topology of the previous lab:

[Figure: route6]

Before the lab, I re-enabled the interfaces I shut down earlier and changed HQ's serial route into a backup route with administrative distance 10. So the routes on Branch and HQ are now as follows:

Branch#sh run | s rou
ip route 0.0.0.0 0.0.0.0 Ethernet0/1 192.168.1.2
ip route 0.0.0.0 0.0.0.0 Serial2/0 10

HQ:

HQ#sh run | s rou
ip route 0.0.0.0 0.0.0.0 Ethernet0/1 192.168.1.1
ip route 0.0.0.0 0.0.0.0 Serial2/0 10

Now adjust Branch's routes by adding a more specific route that leads to a black hole:

Branch(config)#ip route 172.16.1.0 255.255.255.0 null0

Then try to reach the server from PC1:

PC1#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)

Destination unreachable.

Next, add an even more specific, correct route on Branch:

Branch(config)#ip route 172.16.1.1 255.255.255.255 e0/1 192.168.1.2
Branch#sh ip rou sta
S* 0.0.0.0/0 is directly connected, Ethernet0/1
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
S 172.16.1.0/24 is directly connected, Null0
S 172.16.1.1/32 [1/0] via 192.168.1.2, Ethernet0/1

Try again:

PC1#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms

It works. This is the longest-match rule.
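The two selection rules exercised by the floating-route lab and by this longest-match lab, combined in one added Python example (my own, not code from the original notes): administrative distance decides which candidate for a given prefix is installed (and a static route is withdrawn when its interface is down, which is what lets the AD 10 serial route float in), while longest prefix match decides which installed route a destination follows. The candidate routes are the ones configured on Branch above; the interface up/down sets are constructed to replay both scenarios.

```python
"""Route selection as the labs above exercise it: administrative distance
picks which static route for a prefix is installed, and longest prefix
match picks which installed route a packet follows.

Added example, not part of the original notes. The candidate routes are
those configured on Branch in the floating-route and longest-match labs;
the interface up/down sets are constructed to replay both scenarios.
"""
import ipaddress

# (prefix, next_hop or None, outgoing interface, administrative distance)
BRANCH_STATICS = [
    ("0.0.0.0/0", "192.168.1.2", "Ethernet0/1", 1),
    ("0.0.0.0/0", None, "Serial2/0", 10),          # floating backup
    ("172.16.1.0/24", None, "Null0", 1),            # black-hole route
    ("172.16.1.1/32", "192.168.1.2", "Ethernet0/1", 1),
]


def build_rib(candidates, up_interfaces):
    """Install one route per prefix: the lowest-AD candidate whose interface is up.

    A static route is withdrawn when its outgoing interface goes down, which
    is what lets the AD-10 serial route 'float' into the table.
    """
    rib = {}
    for prefix, next_hop, iface, ad in candidates:
        if iface not in up_interfaces:
            continue
        net = ipaddress.ip_network(prefix)
        current = rib.get(net)
        if current is None or ad < current[2]:
            rib[net] = (next_hop, iface, ad)
    return rib


def lookup(rib, destination):
    """Longest prefix match; returns (prefix, next_hop, interface) or None."""
    dst = ipaddress.ip_address(destination)
    matches = [net for net in rib if dst in net]
    if not matches:
        return None
    best = max(matches, key=lambda n: n.prefixlen)
    next_hop, iface, _ = rib[best]
    return (str(best), next_hop, iface)


def show_ip_route_static(rib):
    """Lines roughly as sh ip route static prints them, ordered by prefix."""
    lines = []
    for net in sorted(rib, key=lambda n: (n.network_address, n.prefixlen)):
        next_hop, iface, ad = rib[net]
        via = (f"[{ad}/0] via {next_hop}, {iface}" if next_hop
               else f"is directly connected, {iface}")
        lines.append(f"S{'*' if net.prefixlen == 0 else ''} {net} {via}")
    return lines


if __name__ == "__main__":
    rib = build_rib(BRANCH_STATICS, {"Ethernet0/1", "Serial2/0", "Null0"})
    print("\n".join(show_ip_route_static(rib)))
    for dst in ("172.16.1.1", "172.16.1.2", "8.8.8.8"):
        print(dst, "->", lookup(rib, dst))
    rib_down = build_rib(BRANCH_STATICS, {"Serial2/0", "Null0"})   # e0/1 shut down
    print("e0/1 down, 8.8.8.8 ->", lookup(rib_down, "8.8.8.8"))
```

With every interface up, 172.16.1.1 follows the /32 (the successful ping), 172.16.1.2 falls into the /24 black hole, and anything else takes the AD 1 default; shut Ethernet0/1 and both routes via it disappear, so the default now points at Serial2/0 and even 172.16.1.1 lands in Null0.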

VLAN technology

Lab 1: simple VLAN configuration, a first attempt at VLAN assignment

Lab topology:
[Figure: vlan1]

After the configuration is done, let's look at SW1's current VLAN information:

SW1#sh vlan 

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Et0/0, Et0/1, Et0/2, Et0/3
Et1/0, Et1/1, Et1/2, Et1/3
Et2/0, Et2/1, Et2/2, Et2/3
Et3/0, Et3/1, Et3/2, Et3/3

This is the default configuration: every port belongs to VLAN 1. Now let's try creating two VLANs:

SW1(config)#vlan 10
SW1(config-vlan)#name 507a
SW1(config-vlan)#vlan 20
SW1(config-vlan)#name 507b

Then assign the VLANs (in fact, assign the ports to the VLANs):

SW1#conf ter
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#interface range e0/0 -1
SW1(config-if-range)#switchport mode access
SW1(config-if-range)#switchport access vlan 10

Look at the information for VLAN 10:

SW1#sh vlan id 10

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
10 507a active Et0/0, Et0/1
....(omitted)

Test whether packets get through:

PC1#ping 10.1.10.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.10.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/6 ms

Experiment 2: access-mode VLANs, VLAN division between switches

The switches used here are all Layer 3 switches. We continue with the topology above, slightly upgraded:
vlan2

PC2's configuration is omitted because it is almost identical to PC1's.

First we configure the VLAN 20 port mode on SW1:

SW1#conf ter
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#int e0/2
SW1(config-if)#switchport mo acc
SW1(config-if)#switchport acc vlan 20
SW1(config-if)#end
SW1#
*Sep 18 12:45:36.057: %SYS-5-CONFIG_I: Configured from console by console

Then go into SW2 and make the corresponding configuration:

SW2(config)#vlan 10
SW2(config-vlan)#name 507a
SW2(config-vlan)#
*Sep 18 12:52:06.159: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on Ethernet0/2 (1), with SW1 Ethernet0/2 (20).
SW2(config-vlan)#vlan 20
SW2(config-vlan)#name 507b

At this point SW2 starts reporting an error; in fact SW1 reports one too. It says the native VLAN does not match, meaning that SW1 has been configured as access but SW2 has not.

So let's configure it right away:

SW2#conf ter
Enter configuration commands, one per line. End with CNTL/Z.
SW2(config)#int e0/2
SW2(config-if)#switchport mo acc
SW2(config-if)#switchport acc vlan 20
SW2(config-if)#end

And don't forget, PC2 also has to be put into VLAN 20: [I was being silly here; range could have been used directly.]

SW2(config)#int e0/1
SW2(config-if)#swi
SW2(config-if)#switchport mode acc
SW2(config-if)#switchport acc vlan 20
SW2(config-if)#end

Next we bring up the VLAN 20 interface on SW1 and configure the IP that will act as the gateway:

SW1(config)#int vlan 20
SW1(config-if)#no sh
SW1(config-if)#
*Sep 18 13:02:23.072: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan20, changed state to down
SW1(config-if)#ip add
*Sep 18 13:02:25.643: %LINK-3-UPDOWN: Interface Vlan20, changed state to up
*Sep 18 13:02:26.650: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan20, changed state to up
SW1(config-if)#ip addr 10.1.20.254 255.255.255.0

Then we test connectivity:

PC2#ping 10.1.20.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.20.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/6 ms

Looks fine to me.

The third experiment: implementing a trunk VLAN. First add a cable on e0/3:
vlan3

Now start configuring the trunk on SW1:

Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#int range e0/2 -3
SW1(config-if-range)#switch
SW1(config-if-range)#switchport mode trunk
Command rejected: An interface whose trunk encapsulation is "Auto" can not be configured to "trunk" mode.
% Range command terminated because it failed on Ethernet0/2

An error appeared. The reason is that our e0/2 port was configured as access and ended up in auto negotiation, so we now need to specify the encapsulation manually; after that there is no error.

SW1(config-if-range)#switchport trunk encapsulation dot1q 
SW1(config-if-range)#switchport mode tru

The same for SW2. Once the configuration is done, let's check the trunk status:

SW2#sh int tru

Port Mode Encapsulation Status Native vlan
Et0/2 on 802.1q trunking 1
Et0/3 on 802.1q trunking 1

Both ends must have the same configuration.

Now, can PC2 still ping the gateway?

PC2#ping 10.1.20.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.20.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

No problem. After the trunk strips the encapsulation, the frame ends up with the same header as an ordinary Ethernet II frame. (I feel this isn't quite right; for now I'm only doing configuration experiments, and the next packet-capture experiment will tell.)

The reason no VLAN ID was tagged is that the frame passed through the native VLAN.

Untagged frames that are received can by default only be forwarded into the native VLAN.

Intermission

The simple command-usage notes below follow chapters 6 and 7 of the CCNA study guide. Some of them were already recorded in the initial IOS section, so they are not repeated here.

There is no experiment topology, just a single standalone router/switch.

Showing the version, hostname, banner, passwords, and interface descriptions were all covered already, so they are skipped.

SSH setup:

Router#conf ter
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname router
router(config)#ip domain-name yaoxuannn.com
router(config)#username router password justin13wyx
router(config)#crypto key generate rsa general-keys modulus 2048
The name for the keys will be: router.yaoxuannn.com

% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 2 seconds)

router(config)#
*Sep 19 05:01:11.887: %SSH-5-ENABLED: SSH 1.99 has been enabled
router(config)#line vty 0 4
router(config-line)#transport input ssh telnet

As a result, I never managed to log in successfully. The connection to the host was made, but it was always rejected as a wrong password. (So annoying

do:

This is a bit like the ! command in vim and the like.

IOU1#sh ip int b   
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 unassigned YES NVRAM administratively down down
Ethernet0/1 192.168.1.2 YES manual up up
Ethernet0/2 unassigned YES NVRAM administratively down down
Ethernet0/3 unassigned YES NVRAM administratively down down
Ethernet1/0 unassigned YES NVRAM administratively down down
Ethernet1/1 unassigned YES NVRAM administratively down down
Ethernet1/2 unassigned YES NVRAM administratively down down
Ethernet1/3 unassigned YES NVRAM administratively down down
Serial2/0 unassigned YES NVRAM administratively down down
Serial2/1 unassigned YES NVRAM administratively down down
Serial2/2 unassigned YES NVRAM administratively down down

IOU1#conf ter
Enter configuration commands, one per line. End with CNTL/Z.
IOU1(config)#sh ip int b
^
% Invalid input detected at '^' marker.

IOU1(config)#do sh ip int b
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 unassigned YES NVRAM administratively down down
Ethernet0/1 192.168.1.2 YES manual up up
Ethernet0/2 unassigned YES NVRAM administratively down down
Ethernet0/3 unassigned YES NVRAM administratively down down
Ethernet1/0 unassigned YES NVRAM administratively down down
Ethernet1/1 unassigned YES NVRAM administratively down down
Ethernet1/2 unassigned YES NVRAM administratively down down
Ethernet1/3 unassigned YES NVRAM administratively down down
Serial2/0 unassigned YES NVRAM administratively down down
Serial2/1 unassigned YES NVRAM administratively down down
Serial2/2 unassigned YES NVRAM administratively down down

View the current sessions:

Router#sh users
Line User Host(s) Idle Location
* 0 con 0 idle 00:00:00
2 vty 0 idle 00:00:10 192.168.1.2

Interface User Mode Idle Peer Address

Strangely, I clearly connected to the remote device with telnet, but the command below seems to do nothing at all. Odd; is it because of the emulator, or did I do something wrong?

IOU1#telnet 192.168.1.1
Trying 192.168.1.1 ... Open

User Access Verification

Password:
Router>sh sess
% No connections open

Magic.

Didn't expect it to end so soon. Had I known, I wouldn't have made this a heading. (Hands-on stuff like this really is a pain to learn from a book)

VLAN-self

Earlier I never quite figured out what trunk, native VLAN, and access actually are. So… I designed an experiment myself to understand them thoroughly! (So now I understand a lot, more or less got it hhh)

The experiment topology is as follows:

vlan5

Now let's do the configuration, mainly: initial setup of PC{1,2,3,4} (bring up the port, disable routing, set the IP); on SW{1,2}, the access settings toward the hosts, VLAN creation and assignment, and the configuration between the switches (*).

The host setup is omitted; below is SW1's configuration:

SW1#conf ter
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#vlan 10
SW1(config-vlan)#name 507a
SW1(config-vlan)#vlan 20
SW1(config-vlan)#name 507b
SW1(config-vlan)#int e0/1
SW1(config-if)#sw mo acc
SW1(config-if)#sw acc vlan 10
SW1(config-if)#int e0/2
SW1(config-if)#sw mo acc
SW1(config-if)#sw acc vlan 20
SW1(config-if)#end
SW1#
*Sep 19 15:08:02.531: %SYS-5-CONFIG_I: Configured from console by console
SW1#

SW2's configuration is almost identical to SW1's, so it is omitted as well.

SW1#conf ter
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#int e0/0
SW1(config-if)#sw tr en do
SW1(config-if)#sw mo tru
SW1(config-if)#end

Same as above for SW2. Now run the ping test:

PC1#ping 192.168.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

The current state is that PC1 can only ping PC3, and PC2 can only ping PC4. The reason is simple: the VLAN IDs have to match~.

Now the interesting part: how could PC2 communicate with PC3, and PC1 with PC4?

The usual methods obviously won't work. This kind of cross-ID communication can be regarded as a VLAN hopping attack. The method is actually simple: set SW1's native VLAN to the VLAN you want to talk from on SW1's side, and set SW2's native VLAN to the VLAN you want to reach on SW2's side.

Without worrying about the consequences for now, let's configure it and try

PC1#ping 192.168.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Of course it doesn't get through~

SW1(config)#int e0/0
SW1(config-if)#sw tr na
SW1(config-if)#sw tr native vlan 10
SW1(config-if)#end

The other side:

SW2(config)#int e0/0
SW2(config-if)#sw tr
*Sep 19 15:21:23.782: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on Ethernet0/0 (1), with SW1 Ethernet0/0 (10).
SW2(config-if)#sw tr na vlan 20
SW2(config-if)#end

Right after configuring SW1 you will see an error, the native VLAN mismatch error; ignore it.

This error will keep following you, but:

PC1#ping 192.168.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.4, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms

Hahaha, it actually works! Amazing!

Unfortunately, though:

PC1#ping 192.168.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Huh?? Why can't it ping something in its own VLAN? Actually, PC1 can reach PC3; the ping fails only because the reply frame PC3 returns carries VLAN ID 10, and SW1's frame filtering sends it to PC2, which then discards it. This can be analysed with a packet capture. (Note: the precondition for this situation is that PC1 has an ARP cache entry for PC3.)

Appendix: packet capture screenshots:
vlan5_1

And in the returned frame:
vlan5_2

no VLAN ID tag was inserted at all.

Addendum: the native VLAN can in fact be tagged too, using the following command:

SW1(config)#vlan dot1q tag native 
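
The native-VLAN behaviour described in the trunk experiment and in the VLAN-self experiment above, as an added example that is not code from the original notes: it models the two-switch trunk (untagged egress for the native VLAN, untagged ingress landing in the receiver's native VLAN, and what `vlan dot1q tag native` changes), plus the check behind the CDP native VLAN mismatch message. Host-to-VLAN assignments follow the experiment; the rest is constructed.

```python
"""How an 802.1Q trunk maps frames to VLANs at each end.

Added example; not code from the original notes. It models the two-switch
trunk of the VLAN-self experiment: an access port places a frame in its VLAN;
on trunk egress the frame is tagged unless its VLAN is the port's native VLAN
(then it goes untagged) or 'vlan dot1q tag native' is set; an untagged frame
arriving on a trunk is placed in the receiver's native VLAN.
"""
from dataclasses import dataclass


@dataclass
class Switch:
    name: str
    access: dict                 # host -> VLAN of the access port it sits on
    native_vlan: int = 1         # 'switchport trunk native vlan N'
    tag_native: bool = False     # 'vlan dot1q tag native'

    def trunk_egress(self, vlan):
        """Tag written on the frame when it leaves the trunk; None = untagged."""
        if vlan == self.native_vlan and not self.tag_native:
            return None
        return vlan

    def trunk_ingress(self, tag):
        """VLAN a frame received on the trunk is assigned to."""
        return self.native_vlan if tag is None else tag

    def hosts_in(self, vlan):
        return sorted(h for h, v in self.access.items() if v == vlan)


def send(src_sw, src_host, dst_sw):
    """Flood a frame from src_host across the trunk; return the hosts on the
    far switch that receive it and the tag seen on the wire."""
    vlan = src_sw.access[src_host]
    tag = src_sw.trunk_egress(vlan)
    return dst_sw.hosts_in(dst_sw.trunk_ingress(tag)), tag


def native_mismatch(a, b):
    """The condition %CDP-4-NATIVE_VLAN_MISMATCH warns about: the two ends of
    one trunk treat untagged frames as different VLANs."""
    return a.native_vlan != b.native_vlan


def lab(native1=1, native2=1, tag_native=False):
    """Constructed copy of the experiment: PC1/PC3 in VLAN 10, PC2/PC4 in 20."""
    sw1 = Switch("SW1", {"PC1": 10, "PC2": 20}, native1, tag_native)
    sw2 = Switch("SW2", {"PC3": 10, "PC4": 20}, native2, tag_native)
    return sw1, sw2


if __name__ == "__main__":
    sw1, sw2 = lab()
    print("default natives, PC1 ->", send(sw1, "PC1", sw2))
    sw1, sw2 = lab(native1=10, native2=20)
    print("mismatch:", native_mismatch(sw1, sw2))
    print("SW1 native 10 / SW2 native 20, PC1 ->", send(sw1, "PC1", sw2))
    print("reply from PC4 ->", send(sw2, "PC4", sw1))
    print("frame from PC3 ->", send(sw2, "PC3", sw1))
    sw1, sw2 = lab(native1=10, native2=20, tag_native=True)
    print("tag native on both, PC1 ->", send(sw1, "PC1", sw2))
```

With mismatched natives the model reproduces the ping results above: PC1's frames reach PC4 untagged, while frames from PC3 come back tagged 10; tagging the native VLAN on both switches makes every frame carry its VLAN ID again, so the cross-VLAN path disappears.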

STP spanning tree

Simply put, the spanning tree protocol is the 802.1D protocol family, developed to avoid what Layer 2 loops cause: broadcast storms, duplicate frame copies, and MAC table instability.

(Spanning tree is so annoying…

I can't really come up with an experiment for it either, ugh. Here's just a topology for you:
stp1

Here SW1 and SW2 form a loop.

Guess: if I ping PC2 from PC1 now, will it get through?

Practice is the best teacher; let's try

PC1#ping 192.168.1.200            
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.200, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/6 ms

No problem! Is that what you expected?

Hahaha, are you thinking that even though it works, it's really inefficient? Let's try again:

PC1#ping 192.168.1.200 repeat 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 192.168.1.200, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (1000/1000), round-trip min/avg/max = 1/2/21 ms

Average 2 ms; it wasn't slowed down at all. Amazing, right? That is the power of spanning tree. Let's take a look:

SW1#sh spanning-tree vlan 10

VLAN0010
Spanning tree enabled protocol rstp
Root ID Priority 10
Address aabb.cc00.0200
Cost 100
Port 2 (Ethernet0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32778 (priority 32768 sys-id-ext 10)
Address aabb.cc00.0100
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0 Desg FWD 100 128.1 Shr
Et0/1 Root FWD 100 128.2 Shr
Et0/2 Altn BLK 100 128.3 Shr

See? The spanning tree mechanism put interface e0/2 into the blocking state, which is why no loop formed! So is the interface unusable now? Of course not; a look at the interface makes it clear:

SW1#sh ip int b
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 unassigned YES unset up up
Ethernet0/1 unassigned YES unset up up
Ethernet0/2 unassigned YES unset up up

It is in the up state.

So this is a logical block, and it only applies to the VLAN 10 instance.

Now let's force this port open and see what happens:

SW1(config-if)#spanning-tree bpdufilter enable

Check again after a short while:

SW1#sh spanning-tree vlan 10

VLAN0010
Spanning tree enabled protocol rstp
Root ID Priority 10
Address aabb.cc00.0200
Cost 100
Port 2 (Ethernet0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32778 (priority 32768 sys-id-ext 10)
Address aabb.cc00.0100
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0 Desg FWD 100 128.1 Shr
Et0/1 Root FWD 100 128.2 Shr
Et0/2 Desg LRN 100 128.3 Shr

The interface has entered the LRN state, meaning it is learning. (Before LRN there is also a LIS state; if you are quick enough you might catch it

Then all three ports are in the forwarding state:

SW1#sh spanning-tree vlan 10

VLAN0010
Spanning tree enabled protocol rstp
Root ID Priority 10
Address aabb.cc00.0200
Cost 100
Port 2 (Ethernet0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32778 (priority 32768 sys-id-ext 10)
Address aabb.cc00.0100
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0 Desg FWD 100 128.1 Shr
Et0/1 Root FWD 100 128.2 Shr
Et0/2 Desg FWD 100 128.3 Shr

Ping again: (for the effect of the experiment, clear the ARP cache first)

PC1#ping 192.168.1.200 repeat 100
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 192.168.1.200, timeout is 2 seconds:
..............!.......................................................
...................
Success rate is 1 percent (1/89), round-trip min/avg/max = 99/99/99 ms

If you look at the switch CPU now, you will find it is being hammered. And by this point, typing commands isn't that smooth anymore either.

stp2

If this were real hardware, the consequences could be worse than you imagine.

Change it back quickly.

SW1(config-if)#spanning-tree bpdufilter disable

Spanning tree tuning and implementation

stp1

Still the same topology. First we switch the root bridge, which is done by adjusting the priority.

SW1#sh spanning-tree vlan 10

VLAN0010
Spanning tree enabled protocol rstp
Root ID Priority 32778
Address aabb.cc00.0100
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32778 (priority 32768 sys-id-ext 10)
Address aabb.cc00.0100
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0 Desg FWD 100 128.1 Shr
Et0/1 Desg FWD 100 128.2 Shr
Et0/2 Desg FWD 100 128.3 Shr

Clearly the current root bridge is SW1. Now we move it to SW2:

SW2(config)#spanning-tree vlan 10 priority 0
SW2#sh spanning-tree vlan 10

VLAN0010
Spanning tree enabled protocol rstp
Root ID Priority 10
Address aabb.cc00.0200
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 10 (priority 4096 sys-id-ext 10)
Address aabb.cc00.0200
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0 Desg FWD 100 128.1 Shr
Et0/1 Desg FWD 100 128.2 Shr
Et0/2 Desg FWD 100 128.3 Shr

Simple, right? Adjust the priority sensibly to optimise the root's position. When the formerly BLK port became FWD, it also went through the LIS and LRN stages.
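
The election the two `show spanning-tree vlan 10` outputs above illustrate, as an added example that is not code from the original notes: the bridge ID is the configured priority plus the VLAN (sys-id-ext) and the MAC, the lowest ID is root, and on the non-root switch the two parallel links to the root are separated by the sender's port ID. MACs, port IDs and the cost of 100 come from the outputs; only switch-to-switch links are modelled.

```python
"""Root bridge election and root-port choice for one VLAN (PVST/RSTP style).

Added example; not code from the original notes. Bridge priority is shown the
way IOS prints it (configured priority + sys-id-ext, i.e. the VLAN number),
the lowest bridge ID becomes root, and a non-root switch picks its root port
by (path cost, sender bridge ID, sender port ID, own port ID).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Bridge:
    name: str
    mac: str
    priority: int = 32768      # 'spanning-tree vlan N priority X', X % 4096 == 0

    def bridge_id(self, vlan):
        """(priority + sys-id-ext, MAC): the 'Priority 32778' of the output."""
        if self.priority % 4096 or not 0 <= self.priority <= 61440:
            raise ValueError("priority must be a multiple of 4096 in 0..61440")
        return (self.priority + vlan, self.mac)


@dataclass(frozen=True)
class Link:
    local_port: str
    local_port_id: str         # "128.2" = port priority 128, port number 2
    remote: Bridge
    remote_port_id: str
    cost: int = 100            # 10 Mbit/s shared Ethernet, as in the lab


def _pid(s):
    prio, num = s.split(".")
    return (int(prio), int(num))


def elect_root(bridges, vlan):
    return min(bridges, key=lambda b: b.bridge_id(vlan))


def port_roles(me, links, bridges, vlan):
    """Return {port: role} for switch 'me'. With two links to the same root,
    cost and sender bridge ID tie, so the sender's port ID decides, which is
    why Et0/1 (facing 128.2) is Root and Et0/2 (facing 128.3) is Altn above."""
    root = elect_root(bridges, vlan)
    if me == root:
        return {l.local_port: "Desg" for l in links}
    to_root = [l for l in links if l.remote == root]
    best = min(to_root, key=lambda l: (l.cost, l.remote.bridge_id(vlan),
                                       _pid(l.remote_port_id),
                                       _pid(l.local_port_id)))
    roles = {}
    for l in links:
        if l is best:
            roles[l.local_port] = "Root"
        elif l.remote == root:
            roles[l.local_port] = "Altn"     # redundant path to root: blocked
        else:
            roles[l.local_port] = "Desg"
    return roles


def lab(sw2_priority=32768):
    """SW1 and SW2 of the STP section, MACs taken from the outputs; the two
    parallel links are seen from SW1's side."""
    sw1 = Bridge("SW1", "aabb.cc00.0100")
    sw2 = Bridge("SW2", "aabb.cc00.0200", sw2_priority)
    sw1_links = [Link("Et0/1", "128.2", sw2, "128.2"),
                 Link("Et0/2", "128.3", sw2, "128.3")]
    return sw1, sw2, sw1_links


if __name__ == "__main__":
    for prio in (32768, 0):
        sw1, sw2, links = lab(prio)
        print("SW2 priority", prio, "root:", elect_root([sw1, sw2], 10).name,
              "SW1 roles:", port_roles(sw1, links, [sw1, sw2], 10))
```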

Next, let's look at how the trunk controls VLANs. Honestly, I think this experiment should have been done back when VLANs were discussed:

SW1#sh spanning-tree vlan 10

VLAN0010
Spanning tree enabled protocol rstp
Root ID Priority 10
Address aabb.cc00.0200
Cost 100
Port 2 (Ethernet0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32778 (priority 32768 sys-id-ext 10)
Address aabb.cc00.0100
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0 Desg FWD 100 128.1 Shr
Et0/1 Root FWD 100 128.2 Shr
Et0/2 Altn BLK 100 128.3 Shr

Clearly SW1's e0/2 port is currently blocked. What happens if we no longer allow frames with VLAN ID 10 through e0/2?

SW1(config-if)#sw tr allowed vlan remove 10
SW1#sh spanning-tree vlan 10

VLAN0010
Spanning tree enabled protocol rstp
Root ID Priority 10
Address aabb.cc00.0200
Cost 100
Port 2 (Ethernet0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32778 (priority 32768 sys-id-ext 10)
Address aabb.cc00.0100
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0 Desg FWD 100 128.1 Shr
Et0/1 Root FWD 100 128.2 Shr

It's gone, and the earlier potential loop has gone with it; that is, logically the VLAN 10 spanning tree no longer needs to block it. With this kind of configuration you can achieve load sharing across links.

Next, another super useful Layer 2 switching command. For this small experiment you'll want to be quick (use separate tabs, which makes observing the result easier). First, the experiment result:

PC1#ping 192.168.1.200 r 1000000
Type escape sequence to abort.
Sending 1000000, 100-byte ICMP Echos to 192.168.1.200, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!...................!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.....!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

What is this meant to show? First we start a bulk ping, then shut down SW1's e0/1 interface, producing the first interruption. I reopened the interface immediately after shutting it, but clearly it took about 30 s before packets flowed again. Then I shut SW1's e0/1 again, producing the second interruption. This time, unlike the first:

SW1(config-if)#spanning-tree portfast 
%Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc... to this
interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION

%Portfast has been configured on Ethernet0/0 but will only
have effect when the interface is in a non-trunking mode.

Then I reopened the port, and unlike the first time, communication resumed immediately.

This is portfast: the option makes spanning tree skip the 30 s of LIS-LRN-FWD and go straight into the FWD state.

If configuring it interface by interface is too tedious, you can also configure it globally:

SW1(config)#spanning-tree portfast normal default 

That's all.

But isn't portfast a little unsafe? Imagine a situation like this:

stp3

(Of course it doesn't have to be a hacker; if some network administrator carelessly plugs a switch in at this spot there is also a risk of bringing the network down.) At this point we need the switch to be able to recognise and protect itself, which is BPDU guard: if a BPDU is received, the interface is shut down. (The experiment isn't easy to set up, don't feel like doing it

(Did it anyway) Let's add this option on SW1's e0/1 port:

SW1(config)#int e0/1
SW1(config-if)#span bpdug enab
SW1(config-if)#end
SW1#
*Sep 20 12:29:53.672: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Et0/1 with BPDU Guard enabled. Disabling port.
*Sep 20 12:29:53.672: %PM-4-ERR_DISABLE: bpduguard error detected on Et0/1, putting Et0/1 in err-disable state
SW1#
*Sep 20 12:29:54.248: %SYS-5-CONFIG_I: Configured from console by console
*Sep 20 12:29:54.683: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/1, changed state to down
SW1#
*Sep 20 12:29:55.684: %LINK-3-UPDOWN: Interface Ethernet0/1, changed state to down

It was shut down immediately. Now look at the port:

SW1#sh int e0/1
Ethernet0/1 is down, line protocol is down (err-disabled)

The err-disable here can be recovered automatically, at a configurable interval:

SW1(config)#errdisable recovery cause bpduguard 
SW1(config)#errdisable recovery interval 30

This says: recover from err-disabled caused by bpduguard, and the second line says recover every 30 s. (In my own experiment, though, it did nothing whatsoever. Update one minute later: only after you disable the guard on that interface do you see the auto-recovery log)

This command can also be set globally, but only in combination with portfast.
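
The log lines the switches printed in the VLAN and BPDU guard experiments above are exactly what a monitoring rule should key on. As an added example that is not code from the original notes, the parser below turns constructed copies of those lines (native VLAN mismatch, BPDU received on a guarded port, err-disable, link down) into findings.

```python
"""Spotting native-VLAN mismatch, BPDU guard and err-disable events in IOS logs.

Added example; not code from the original notes. It parses the kinds of syslog
lines that appear in the experiments above (%CDP-4-NATIVE_VLAN_MISMATCH,
%SPANTREE-2-BLOCK_BPDUGUARD, %PM-4-ERR_DISABLE, %LINK-3-UPDOWN) and turns them
into the findings a monitoring rule would raise. SAMPLE_LOG is a constructed
copy of lines shown in the text.
"""
import re

SAMPLE_LOG = """\
*Sep 19 15:21:23.782: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on Ethernet0/0 (1), with SW1 Ethernet0/0 (10).
*Sep 20 12:29:53.672: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Et0/1 with BPDU Guard enabled. Disabling port.
*Sep 20 12:29:53.672: %PM-4-ERR_DISABLE: bpduguard error detected on Et0/1, putting Et0/1 in err-disable state
*Sep 20 12:29:54.248: %SYS-5-CONFIG_I: Configured from console by console
*Sep 20 12:29:55.684: %LINK-3-UPDOWN: Interface Ethernet0/1, changed state to down
"""

# "*Sep 20 12:29:53.672: %FACILITY-SEVERITY-MNEMONIC: message text"
LINE_RE = re.compile(
    r"^\*?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d+): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<msg>.*)$")
MISMATCH_RE = re.compile(r"discovered on (\S+) \((\d+)\), with (\S+) (\S+) \((\d+)\)")
BPDUGUARD_RE = re.compile(r"Received BPDU on port (\S+) with BPDU Guard enabled")
ERRDIS_RE = re.compile(r"^(\w+) error detected on (\S+), putting")
UPDOWN_RE = re.compile(r"Interface (\S+), changed state to (up|down)")


def parse_line(line):
    """Split one IOS syslog line into its fields, or return None for other text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    return rec


def classify(rec):
    """Map a parsed record to a finding dict, or None if it is not of interest."""
    mn, msg = rec["mnemonic"], rec["msg"]
    if mn == "NATIVE_VLAN_MISMATCH":
        port, lv, nb, nb_port, nv = MISMATCH_RE.search(msg).groups()
        return {"type": "native_vlan_mismatch", "port": port, "local_vlan": int(lv),
                "neighbor": nb, "neighbor_port": nb_port, "neighbor_vlan": int(nv),
                "note": "untagged frames cross VLANs on this trunk; align native VLANs"}
    if mn == "BLOCK_BPDUGUARD":
        port = BPDUGUARD_RE.search(msg).group(1)
        return {"type": "bpdu_on_edge_port", "port": port,
                "note": "a switch or bridge is speaking STP on a host port"}
    if mn == "ERR_DISABLE":
        cause, port = ERRDIS_RE.search(msg).groups()
        return {"type": "err_disabled", "port": port, "cause": cause}
    if mn == "UPDOWN" and rec["facility"] == "LINK":
        port, state = UPDOWN_RE.search(msg).groups()
        return {"type": "link_" + state, "port": port}
    return None


def analyse(log_text, max_severity=4):
    """Return findings for every line at or above the given severity
    (IOS severities run 0 = emergency .. 7 = debug; 5 is informational)."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["severity"] > max_severity:
            continue
        f = classify(rec)
        if f is not None:
            f["ts"] = rec["ts"]
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f)
```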

Building an EtherChannel

Experiment topology:
channel1

No different from the topology above, but this time it brings together a lot of what has been covered. Notice the small circle between e0/1 and e0/2. As said before, e0/1 and e0/2 would form a loop, so spanning tree blocks one of the ports. But if we could treat these two links as a single spanning tree port, we would not only increase bandwidth but also add redundancy. That technique is EtherChannel.

First look at the current interface and spanning tree status:

SW2#sh run int e0/0
Building configuration...

Current configuration : 109 bytes
!
interface Ethernet0/0
switchport access vlan 10
switchport mode access
spanning-tree portfast edge
spanning-tree bpduguard enable
end

SW2#sh run int e0/1
Building configuration...

Current configuration : 90 bytes
!
interface Ethernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
end

SW2#sh run int e0/2
Building configuration...

Current configuration : 90 bytes
!
interface Ethernet0/2
switchport trunk encapsulation dot1q
switchport mode trunk
end

On the SW1 side:

SW1#sh run int e0/0         
Building configuration...

Current configuration : 109 bytes
!
interface Ethernet0/0
switchport access vlan 10
switchport mode access
spanning-tree portfast edge
spanning-tree bpduguard enable
end

SW1#sh run int e0/1
Building configuration...

Current configuration : 90 bytes
!
interface Ethernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
end

SW1#sh run int e0/2
Building configuration...

Current configuration : 90 bytes
!
interface Ethernet0/2
switchport trunk encapsulation dot1q
switchport mode trunk
end

And the current spanning tree:

SW1#sh span vlan 10

VLAN0010
Spanning tree enabled protocol rstp
Root ID Priority 32778
Address aabb.cc00.0300
Cost 100
Port 2 (Ethernet0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32778 (priority 32768 sys-id-ext 10)
Address aabb.cc00.0500
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0 Desg FWD 100 128.1 Shr Edge
Et0/1 Root FWD 100 128.2 Shr
Et0/2 Altn BLK 100 128.3 Shr

SW2, which is the root bridge:

SW2#sh span vlan 10

VLAN0010
Spanning tree enabled protocol rstp
Root ID Priority 32778
Address aabb.cc00.0300
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32778 (priority 32768 sys-id-ext 10)
Address aabb.cc00.0300
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0 Desg FWD 100 128.1 Shr Edge
Et0/1 Desg FWD 100 128.2 Shr
Et0/2 Desg FWD 100 128.3 Shr

Now we bundle e0/1 and e0/2:

SW1(config-if-range)#channel-group 1 mode active 
Creating a port-channel interface Port-channel 1

SW1(config-if-range)#
*Sep 21 04:00:19.927: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/1, changed state to down
*Sep 21 04:00:19.927: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/2, changed state to down
SW1(config-if-range)#
*Sep 21 04:00:21.192: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/2, changed state to up
*Sep 21 04:00:21.192: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/1, changed state to up
SW1(config-if-range)#
*Sep 21 04:00:27.353: %EC-5-L3DONTBNDL2: Et0/1 suspended: LACP currently not enabled on the remote port.
*Sep 21 04:00:27.374: %EC-5-L3DONTBNDL2: Et0/2 suspended: LACP currently not enabled on the remote port.
SW1(config-if-range)#

The ports first went down, then came back up, and then the message arrived that LACP is not enabled on the remote port. Perform exactly the same operation on SW2 (SW2 has more than one option here: active or passive).

When that is done, look at the result:

SW1#sh etherchannel summary 
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use N - not in use, no aggregation
f - failed to allocate aggregator

M - not in use, minimum links not met
m - not in use, port not aggregated due to minimum links not met
u - unsuitable for bundling
w - waiting to be aggregated
d - default port

A - formed by Auto LAG


Number of channel-groups in use: 1
Number of aggregators: 1

Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
1 Po1(SU) LACP Et0/1(P) Et0/2(P)

U means it is in use.

So what does the spanning tree look like now? Curious, right? Let's see:

SW2#sh span vlan 10

VLAN0010
Spanning tree enabled protocol rstp
Root ID Priority 32778
Address aabb.cc00.0300
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32778 (priority 32768 sys-id-ext 10)
Address aabb.cc00.0300
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0 Desg FWD 100 128.1 Shr Edge
Po1 Desg FWD 56 128.65 Shr

The formerly FWD e0/1 and BLK e0/2 ports have now merged into a single FWD Po1; note that the Nbr changed too.

SW2#sh int Po1
Port-channel1 is up, line protocol is up (connected)
Hardware is EtherChannel, address is aabb.cc00.0310 (bia aabb.cc00.0310)
MTU 1500 bytes, BW 20000 Kbit/sec, DLY 1000 usec,
...(omitted)

The bandwidth is twice the original!

VTP: VLAN Trunking Protocol

Before the experiment, a few words about VTP. Simply put, it exists to synchronise VLAN configuration information; you can also think of it as one switch doing the deployment for everyone. VTP has 3 versions, which are mutually incompatible, so to use VTP you must make sure the version number is the same across the switches.

Beyond that, the following must also hold: the switches share the same VTP management domain name, there is at least one VTP server, the VTP passwords are the same, and it only works over trunks. Easy enough to understand

Worth noting: VTP is not based on a C/S architecture, which means a VTP domain can contain several servers.

Experiment topology:

vtp2

SW3 and SW4 are powered off for now.

Now let's look at the current VTP status on SW:

SW#sh vtp status
VTP Version capable : 1 to 3
VTP version running : 1
VTP Domain Name :
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : aabb.cc80.0200
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 0.0.0.0 (no valid interface found)

Feature VLAN:
--------------
VTP Operating Mode : Server
Maximum VLANs supported locally : 1005
Number of existing VLANs : 5
Configuration Revision : 0
MD5 digest : 0x57 0xCD 0x40 0x65 0x63 0x59 0x47 0xBD
0x56 0x9D 0x4A 0x3E 0xA5 0x69 0x35 0xBC

The things to watch are the version (1), the mode (Server, which is the default), the existing VLANs, and the configuration revision (the revision is a bit like a program's version number: every VLAN modification, deletion, or addition increments it by one)

SW1 is also a VTP server; skipped.

Now we do the following on SW:

SW(config)#vtp domain jky   
Changing VTP domain name from NULL to jky
SW(config)#vtp version 2

It says the VTP domain name went from nothing to jky. Now look at the vtp status on SW1 or SW2 and you will find:

SW1#sh vtp status
VTP Version capable : 1 to 3
VTP version running : 2
VTP Domain Name : jky
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : aabb.cc80.0100
Configuration last modified by 0.0.0.0 at 9-21-17 05:23:53
Local updater ID is 0.0.0.0 (no valid interface found)

Feature VLAN:
--------------
VTP Operating Mode : Server
Maximum VLANs supported locally : 1005
Number of existing VLANs : 5
Configuration Revision : 1
MD5 digest : 0x7C 0x50 0x18 0xD1 0xBF 0x8C 0xF3 0x39
0x58 0xC0 0x7B 0x6E 0xDD 0x66 0xFF 0x90

The version became 2, the domain name became jky too, and the Conf Revision I mentioned earlier was automatically incremented by one.

Now we try to set the same VTP password on SW and SW1:

SW(config)#vtp password jky507
Setting device VTP password to jky507

Start configuring VLANs on SW:

SW(config)#vlan 10
SW(config-vlan)#name 507a
SW(config-vlan)#vlan 20
SW(config-vlan)#name 507b
SW(config-vlan)#vlan 30,40,50
SW(config-vlan)#end

Let's see whether SW1 was updated and synchronised:

SW1#sh vlan b

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Et0/1, Et0/2, Et0/3, Et1/0
Et1/1, Et1/2, Et1/3, Et2/0
Et2/1, Et2/2, Et2/3, Et3/0
Et3/1, Et3/2, Et3/3
10 507a active
20 507b active
30 VLAN0030 active
40 VLAN0040 active
50 VLAN0050 active
1002 fddi-default act/unsup
1003 trcrf-default act/unsup
1004 fddinet-default act/unsup
1005 trbrf-default act/unsup

See, SW1's VLANs stayed consistent with SW's! And SW2, which has no password set, obviously didn't get synchronised.

SW2#sh vlan b 

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Et0/0, Et0/2, Et0/3, Et1/0
Et1/1, Et1/2, Et1/3, Et2/0
Et2/1, Et2/2, Et2/3, Et3/0
Et3/1, Et3/2, Et3/3
1002 fddi-default act/unsup
1003 trcrf-default act/unsup
1004 fddinet-default act/unsup
1005 trbrf-default act/unsup

Now, guess: if I set SW2's VTP password now, will it get synchronised?

SW2(config)#vtp pas jky507
Setting device VTP password to jky507
SW2(config)#end
SW2#sh vlan
*Sep 21 05:31:32.763: %SYS-5-CONFIG_I: Configured from console by console
SW2#sh vlan b

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Et0/0, Et0/2, Et0/3, Et1/0
Et1/1, Et1/2, Et1/3, Et2/0
Et2/1, Et2/2, Et2/3, Et3/0
Et3/1, Et3/2, Et3/3
1002 fddi-default act/unsup
1003 trcrf-default act/unsup
1004 fddinet-default act/unsup
1005 trbrf-default act/unsup
SW2#sh vtp status
VTP Version capable : 1 to 3
VTP version running : 2
VTP Domain Name : jky
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : aabb.cc80.0500
Configuration last modified by 0.0.0.0 at 9-21-17 05:23:53
Local updater ID is 0.0.0.0 (no valid interface found)

Feature VLAN:
--------------
VTP Operating Mode : Server
Maximum VLANs supported locally : 1005
Number of existing VLANs : 5
Configuration Revision : 1
MD5 digest : 0xF4 0xD1 0xC8 0xA8 0xAB 0xFF 0x33 0x7E
0x84 0xCC 0xD5 0x91 0xA7 0x16 0x8D 0xBC

Huh? By rights SW2's environment should now be the same as SW1's, so why didn't it work? Here we hit a big, big IOS pitfall: the trigger for VTP is an operation on VLANs; if there is none, sorry, it won't synchronise. So we can try some VLAN operation to trigger it, for example:

SW(config)#vlan 99
SW(config-vlan)#no vlan 99
SW(config)#

If you check SW2's VLAN configuration now, it is already consistent with SW and SW1.
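
The synchronisation rules this section walks through, including the pitfall just shown (SW2 gets nothing after setting the password until a VLAN change bumps the revision), as an added example that is not code from the original notes. It also covers the client restriction and the relaying seen later with SW3 and SW4; the SW1-SW3-SW4 chain and the digest construction are assumptions of the example.

```python
"""VTP advertisement rules, including the 'no sync until a VLAN change' pitfall.

Added example; not code from the original notes. A server advertises only when
its configuration revision changes (a VLAN add/change/delete); a receiver
applies an advertisement only if the domain and version match, the password
matches and the revision is higher than its own; clients and servers relay what
they accept, transparent switches relay without applying. The MD5 over domain,
password, revision and VLAN list stands in for the digest shown by 'show vtp
status' and is a simplification; domain-name and version propagation are not
modelled.
"""
import hashlib


def digest(domain, password, revision, vlans):
    data = f"{domain}|{password}|{revision}|{sorted(vlans.items())}".encode()
    return hashlib.md5(data).hexdigest()


class VtpSwitch:
    def __init__(self, name, mode="server", domain="", password="", version=1):
        self.name, self.mode = name, mode
        self.domain, self.password, self.version = domain, password, version
        self.revision = 0
        self.vlans = {1: "default"}
        self.neighbors = []          # switches reached over a trunk

    def link(self, other):
        self.neighbors.append(other)
        other.neighbors.append(self)

    def _changed(self):
        """A VLAN change on a server bumps the revision and advertises; a
        transparent switch keeps the change to itself."""
        if self.mode == "server":
            self.revision += 1
            self.advertise()

    def _check_writable(self):
        if self.mode == "client":
            raise PermissionError(
                "VTP VLAN configuration not allowed when device is in CLIENT mode.")

    def add_vlan(self, vid, name=None):
        self._check_writable()
        self.vlans[vid] = name or f"VLAN{vid:04d}"
        self._changed()

    def remove_vlan(self, vid):
        self._check_writable()
        del self.vlans[vid]
        self._changed()

    def advertise(self, adv=None, from_sw=None):
        if adv is None:
            adv = {"domain": self.domain, "version": self.version,
                   "revision": self.revision, "vlans": dict(self.vlans),
                   "digest": digest(self.domain, self.password,
                                    self.revision, self.vlans)}
        for n in self.neighbors:
            if n is not from_sw:
                n.receive(adv, self)

    def receive(self, adv, from_sw):
        if self.mode == "transparent":      # relay only (tree topology assumed)
            self.advertise(adv, from_sw)
            return
        if adv["domain"] != self.domain or adv["version"] != self.version:
            return
        if adv["digest"] != digest(adv["domain"], self.password,
                                   adv["revision"], adv["vlans"]):
            return                          # password mismatch: ignored
        if adv["revision"] <= self.revision:
            return                          # nothing newer: ignored, not relayed
        self.vlans = dict(adv["vlans"])
        self.revision = adv["revision"]
        self.advertise(adv, from_sw)        # accepted, so pass it on


def vlan_change_allowed(sw):
    try:
        sw._check_writable()
        return True
    except PermissionError:
        return False


def lab():
    """SW, SW1 and SW2 as in the text: SW2 has the domain but no password yet."""
    sw = VtpSwitch("SW", domain="jky", password="jky507", version=2)
    sw1 = VtpSwitch("SW1", domain="jky", password="jky507", version=2)
    sw2 = VtpSwitch("SW2", domain="jky", version=2)
    sw.link(sw1)
    sw.link(sw2)
    sw.add_vlan(10, "507a")
    sw.add_vlan(20, "507b")
    for vid in (30, 40, 50):
        sw.add_vlan(vid)
    return sw, sw1, sw2


if __name__ == "__main__":
    sw, sw1, sw2 = lab()
    print("SW2 before password:", sorted(sw2.vlans))
    sw2.password = "jky507"
    print("SW2 after password, no trigger:", sorted(sw2.vlans))
    sw.add_vlan(99)
    sw.remove_vlan(99)
    print("SW2 after vlan 99 / no vlan 99:", sorted(sw2.vlans), "rev", sw2.revision)
```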

OK, time to power on SW3 and SW4.

Don't forget to enable the trunk first:

SW3(config)#int e0/0
SW3(config-if)#sw tr en do
SW3(config-if)#sw mo tr
SW3(config-if)#end

Then we try client mode.

SW3(config)#vtp mode client
Setting device to VTP Client mode for VLANS.
SW3(config)#do sh vtp status
VTP Version capable : 1 to 3
VTP version running : 1
VTP Domain Name :
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : aabb.cc80.0300
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00

Feature VLAN:
--------------
VTP Operating Mode : Client
Maximum VLANs supported locally : 1005
Number of existing VLANs : 5
Configuration Revision : 0
MD5 digest : 0x57 0xCD 0x40 0x65 0x63 0x59 0x47 0xBD
0x56 0x9D 0x4A 0x3E 0xA5 0x69 0x35 0xBC

Don't rush to test yet; as we said, VTP synchronisation has many conditions.

SW3(config)#vtp password jky507
Setting device VTP password to jky507
SW3(config)#vtp version 2
Cannot modify version in VTP client mode unless the system is in VTP version 3
SW3(config)#vtp domain jky
Changing VTP domain name from NULL to jky

In Client mode you cannot change the version, and likewise, if you try to change the VLAN configuration:

SW3(config)#vlan 10
VTP VLAN configuration not allowed when device is in CLIENT mode.

it is not allowed.

Next we shut down the interfaces between SW4 and SW.

Finally, don't forget:

SW4(config)#vtp password jky507
Setting device VTP password to jky507
SW4(config)#vtp domain jky
Changing VTP domain name from NULL to jky
SW4(config)#vtp mode client
Setting device to VTP Client mode for VLANS.
SW4(config)#^Z

OK, let's test the client's forwarding and relaying:

This time we deliberately make the change on SW1

SW1(config)#vlan 50
SW1(config-vlan)#name 508
SW1(config-vlan)#^Z

Let's see how SW4 is doing:

SW4#sh vlan b

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Et0/1, Et0/2, Et0/3, Et1/0
Et1/1, Et1/2, Et1/3, Et2/0
Et2/1, Et2/2, Et2/3, Et3/0
Et3/1, Et3/2, Et3/3
10 507a active
20 507b active
30 506 active
40 505 active
50 508 active
1002 fddi-default act/unsup
1003 trcrf-default act/unsup
1004 fddinet-default act/unsup
1005 trbrf-default act/unsup

Updated. This update clearly reached SW4 by SW3 forwarding it. In fact it is not only Clients that forward: since this change was made on SW1, it also proves that a Server can forward as well, and synchronise at the same time.

Besides these two modes there is also transparent mode, which is like autonomy: changes are allowed but cannot be published. This mode is actually more reliable than Server and Client; as for why, think about it yourself. So transparent mode is generally recommended.

HSRP mini experiment

This experiment is very simple and so is the topology; it is just to get a feel for virtual IPs.

hcrp

The simplest connection. No more talk, straight to configuration.

HQ(config)#int e0/0
HQ(config-if)#standby 1 ip 192.168.1.254
HQ(config-if)#^Z
...(omitted)
*Sep 21 06:53:11.122: %HSRP-5-STATECHANGE: Ethernet0/0 Grp 1 state Standby -> Active

The output shows that group 1 on e0/0 has become Active.

Now configure Branch the same way.

Branch(config)#int e0/0
Branch(config-if)#standby 1 ip 192.168.1.254
Branch(config-if)#^Z
Branch#
*Sep 21 06:54:43.377: %SYS-5-CONFIG_I: Configured from console by console
Branch#
*Sep 21 06:55:06.347: %HSRP-5-STATECHANGE: Ethernet0/0 Grp 1 state Speak -> Standby

Branch is now effectively a hot-standby router. Let's look at the standby status:

Branch#sh standby b
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Et0/0 1 100 Standby 192.168.1.20 local 192.168.1.254

It shows the local device in Standby state; checking on HQ shows the two roles reversed. So if I want Branch to become Active, is there a way?

Which router is Active is decided by the Pri value above, the priority: the higher, the more preferred.

Branch(config-if)#standby 1 priority 125
Branch(config-if)#^Z

After a long while you expect some message to appear, but nothing does.

Check the status:

Branch#sh standby b
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Et0/0 1 125 Standby 192.168.1.20 local 192.168.1.254

The priority changed, but the state did not switch.

At this point Branch needs to actively claim the role, which requires one more attribute:

Branch(config-if)#standby 1 preempt 
Branch(config-if)#^Z
Branch#
*Sep 21 07:01:11.706: %HSRP-5-STATECHANGE: Ethernet0/0 Grp 1 state Standby -> Active

Meanwhile, HQ also logs:

HQ#
*Sep 21 07:01:11.707: %HSRP-5-STATECHANGE: Ethernet0/0 Grp 1 state Active -> Speak
HQ#
*Sep 21 07:01:22.034: %HSRP-5-STATECHANGE: Ethernet0/0 Grp 1 state Speak -> Standby

Finally let's ping the virtual IP:

HQ#ping 192.168.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.254, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/3/6 ms

The first packet was lost to the ARP request. That completes the virtual IP lab.
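As an added example (not code from the original post), here is a small Python model of the HSRP election the lab just walked through: HQ becomes Active first, raising Branch's priority to 125 changes nothing, and only enabling preempt on Branch moves the Active role. The router names, priorities and HQ's address 192.168.1.20 come from the lab; Branch's address 192.168.1.10 is an assumption, and the Speak/Listen transitions are collapsed into a simple Standby/Listen state.

```python
"""Minimal model of HSRP active/standby election (added example, not the
page's own code).  Rule modelled: highest priority wins, ties go to the higher
interface IP, but an incumbent Active router is only displaced by a router
that is configured to preempt."""

from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass
class HsrpRouter:
    name: str
    ip: str
    priority: int = 100      # IOS default
    preempt: bool = False    # IOS default: no preempt
    state: str = "Init"

    def key(self):
        # HSRP compares priority first, then the interface IP as tie-breaker
        return (self.priority, int(IPv4Address(self.ip)))


class HsrpGroup:
    """One HSRP group on one segment (e.g. 'standby 1 ip 192.168.1.254')."""

    def __init__(self, virtual_ip):
        self.virtual_ip = virtual_ip
        self.routers = []

    def active(self):
        return next((r for r in self.routers if r.state == "Active"), None)

    def join(self, router):
        """Router comes up in the group ('standby 1 ip ...' on its interface)."""
        self.routers.append(router)
        self._elect()

    def set_priority(self, router, priority):
        router.priority = priority           # 'standby 1 priority N'
        self._elect()

    def set_preempt(self, router, preempt=True):
        router.preempt = preempt             # 'standby 1 preempt'
        self._elect()

    def _elect(self):
        current = self.active()
        best = max(self.routers, key=HsrpRouter.key)
        if current is None:
            new_active = best                # nobody active: best key wins
        elif best is not current and best.preempt:
            new_active = best                # preempting router takes over
        else:
            new_active = current             # incumbent keeps the role
        standby = max((r for r in self.routers if r is not new_active),
                      key=HsrpRouter.key, default=None)
        for r in self.routers:
            r.state = ("Active" if r is new_active
                       else "Standby" if r is standby else "Listen")
        return new_active


def run_lab():
    """Replay the page's steps; returns the Active router after each step."""
    grp = HsrpGroup("192.168.1.254")
    hq = HsrpRouter("HQ", "192.168.1.20")          # address from 'sh standby b'
    branch = HsrpRouter("Branch", "192.168.1.10")  # assumption: not on the page
    grp.join(hq)
    grp.join(branch)
    step1 = grp.active().name      # HQ: came up first, equal priority
    grp.set_priority(branch, 125)
    step2 = grp.active().name      # still HQ: Branch does not preempt
    grp.set_preempt(branch)
    step3 = grp.active().name      # Branch takes over
    return [step1, step2, step3]


if __name__ == "__main__":
    print(run_lab())
```

The same rule explains why a router with a higher priority that boots later never takes over silently: without preempt, the Active role only moves when the incumbent fails.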

Inter-VLAN routing

Lab topology:

vlan6_new

Looks familiar? Emmm... yes, that's the one.

First configure the basic settings as before. The problem now is that we want PC1 and PC2 to communicate. Earlier we mentioned that changing the native VLAN so that frames carry no VLAN ID would work, but that is clearly a bad approach; now we let PC1 and PC2 communicate through router-on-a-stick.

First confirm that every device except Branch is already configured. Now configure Branch:

Branch#conf ter
Enter configuration commands, one per line. End with CNTL/Z.
Branch(config)#int e0/0.10
Branch(config-subif)#en
Branch(config-subif)#encapsulation do
Branch(config-subif)#encapsulation dot1Q 10
Branch(config-subif)#ip addr 10.1.10.254 255.255.255.0
Branch(config-subif)#exi
Branch(config)#int e0/0.20
Branch(config-subif)#en do 20
Branch(config-subif)#ip addr 10.1.20.254 255.255.255.0
Branch(config-subif)#exi
Branch(config)#int e0/0
Branch(config-if)#no sh
Branch(config-if)#^Z
Branch#
*Sep 21 08:47:44.945: %SYS-5-CONFIG_I: Configured from console by console
Branch#
*Sep 21 08:47:46.257: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
*Sep 21 08:47:47.266: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to up

Good, now test. The exciting moment has arrived:

PC2#ping 10.1.10.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.10.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Excellent:

PC1#ping 10.1.20.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.20.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

If PC1 and PC2 cannot communicate, check:

  • spanning tree for the corresponding VLANs on SW1 and SW2; SW1 has two spanning-tree instances, for VLAN 10 and VLAN 20
  • whether the trunk configuration is complete (two switch trunks in total, plus two dot1q-encapsulated subinterfaces on the router)
  • whether the VLAN assignment is complete.

SVI (Switch Virtual Interface)

Lab topology:

svi

The key point of this lab is Layer 3 switching on SW.

We configure three VLANs, 10, 20 and 30, assigned in access mode to PC1, PC2 and the router Branch respectively. Then configure the routing table on SW with a default route pointing at VLAN 30. It's best to enable the Layer 3 switching (routing) function manually.

To tell you from the heart, I did not get this lab to work. Although I troubleshot for a long time and am sure nothing is wrong, I just cannot get PC1 and Branch to communicate.

In this lab SW has a default route, I confirmed SW can reach every node, and I am sure I entered the ip routing command on SW, but it just doesn't forward! Why? I'm pasting SW's configuration here; if you can spot the problem, please let me know : )

SW2:

SW#sh ip rout
S* 0.0.0.0/0 [1/0] via 192.168.3.254, Vlan30
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, Vlan10
L 192.168.1.100/32 is directly connected, Vlan10
192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.2.0/24 is directly connected, Vlan20
L 192.168.2.100/32 is directly connected, Vlan20
192.168.3.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.3.0/24 is directly connected, Vlan30
L 192.168.3.100/32 is directly connected, Vlan30

SW#sh run int e0/1
Building configuration...

Current configuration : 80 bytes
!
interface Ethernet0/1
switchport access vlan 10
switchport mode access
end

SW#sh spanning-tree vlan 10

VLAN0010
Spanning tree enabled protocol rstp
Root ID Priority 32778
Address aabb.cc00.0100
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32778 (priority 32768 sys-id-ext 10)
Address aabb.cc00.0100
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/1 Desg FWD 100 128.2 Shr Edge

interface Vlan1
no ip address
shutdown
!
interface Vlan10
ip address 192.168.1.100 255.255.255.0
!
interface Vlan20
ip address 192.168.2.100 255.255.255.0
!
interface Vlan30
ip address 192.168.3.100 255.255.255.0
!
ip forward-protocol nd

DHCP implementation

First, our lab topology:

dhcp4

Almost the same as when we set up router-on-a-stick. First remove the IP addresses from PC1 and PC2, then set them to obtain an address via DHCP. The configuration:

PC1(config)#int e0/1
PC1(config-if)#no ip addr # remove the static IP address
PC1(config-if)#ip addr dhcp # obtain an address dynamically via DHCP

Next we turn the router into a DHCP server:

Branch(config)#ip dhcp pool VLAN10
Branch(dhcp-config)#network 10.1.10.0 255.255.255.0
Branch(dhcp-config)#default-router 10.1.10.254
Branch(dhcp-config)#dns-server 114.114.114.114 223.5.5.5
Branch(dhcp-config)#domain-name yaoxuannn.com
Branch(dhcp-config)#exi
Branch(config)#ip dhcp pool VLAN20
Branch(dhcp-config)#network 10.1.20.0 255.255.255.0
Branch(dhcp-config)#default-router 10.1.20.254
Branch(dhcp-config)#dns-server 223.5.5.5 114.114.114.114
Branch(dhcp-config)#domain-name yaoxuannn.com
Branch(dhcp-config)#exi
Branch(config)#ip dhcp excluded-address ?
A.B.C.D Low IP address
vrf VRF name for excluded address range

Branch(config)#ip dhcp excluded-address 10.1.10.250 10.1.10.254
Branch(config)#ip dhcp excluded-address 10.1.20.250 10.1.20.254

At this point PC1 and PC2 receive a message:

PC2#
*Sep 21 11:31:17.361: %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet0/1 assigned DHCP address 10.1.20.1, mask 255.255.255.0, hostname PC2

Simple, right?

Interestingly, DHCP itself is quite fun. Let's capture some packets.

dhcp2

These are the packets sent when the IP is released.

And notice:

dhcp3

Did you notice that all of the packets are broadcasts? Haha, probably not what you expected.

Also, if an IP address conflict occurs, the network administrator has to clear it manually. The commands are:

Branch#sh ip dhcp conflict 
IP address Detection method Detection time VRF
Branch#clear ip dhcp conflict ?
* Clear all address conflicts
A.B.C.D Clear a specific conflict
vrf DHCP vrf conflicts

You can also view the current allocation state of the pools:

Branch#sh ip dhcp pool

Pool VLAN10 :
Utilization mark (high/low) : 100 / 0
Subnet size (first/next) : 0 / 0
Total addresses : 254
Leased addresses : 1
Pending event : none
1 subnet is currently in the pool :
Current index IP address range Leased addresses
10.1.10.2 10.1.10.1 - 10.1.10.254 1

Pool VLAN20 :
Utilization mark (high/low) : 100 / 0
Subnet size (first/next) : 0 / 0
Total addresses : 254
Leased addresses : 1
Pending event : none
1 subnet is currently in the pool :
10.1.20.2 10.1.20.1 - 10.1.20.254 1

If you want to know which client each address went to, look here:

Branch#sh ip dhcp binding
Bindings from all pools not associated with VRF:
IP address Client-ID/ Lease expiration Type
Hardware address/
User name
10.1.10.1 0063.6973.636f.2d61. Sep 23 2017 01:40 AM Automatic
6162.622e.6363.3030.
2e30.3531.302d.4574.
302f.31
10.1.20.1 0063.6973.636f.2d61. Sep 23 2017 01:40 AM Automatic
6162.622e.6363.3030.
2e30.3431.302d.4574.
302f.31
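Added example, not the page's own code: a Python parser for the `show ip dhcp binding` output above (the sample text is reconstructed from the page's two bindings). It shows that the wrapped Client-ID hex is a type-0 identifier carrying the ASCII string cisco-<MAC>-<interface>, so each lease can be tied back to a specific device and port, which is exactly what you want when an unexpected host shows up on a segment.

```python
"""Decode the Client-ID column of 'show ip dhcp binding' (added example, not
the page's own code).  IOS prints the client identifier as dotted hex groups
wrapped across several lines.  An IOS client sends a type 0x00 identifier
followed by the ASCII string 'cisco-<MAC>-<interface>'."""

import re

# Constructed from the two bindings shown on the page.
SAMPLE_BINDING_OUTPUT = """\
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
10.1.10.1           0063.6973.636f.2d61.    Sep 23 2017 01:40 AM    Automatic
                    6162.622e.6363.3030.
                    2e30.3531.302d.4574.
                    302f.31
10.1.20.1           0063.6973.636f.2d61.    Sep 23 2017 01:40 AM    Automatic
                    6162.622e.6363.3030.
                    2e30.3431.302d.4574.
                    302f.31
"""

# First line of a binding: IP, start of the hex client-id, lease text, type.
BINDING_RE = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F.]+)\s+(.*?)\s+(\S+)\s*$")
# Continuation lines: indented dotted hex only.
HEX_CONT_RE = re.compile(
    r"^\s+([0-9a-fA-F]{2,4}(?:\.[0-9a-fA-F]{2,4})*\.?)\s*$")


def decode_client_id(dotted_hex):
    """Interpret a DHCP client identifier (option 61): first byte is the type."""
    raw = bytes.fromhex(dotted_hex.replace(".", ""))
    if not raw:
        return {"type": None, "value": ""}
    cid_type, payload = raw[0], raw[1:]
    if cid_type == 0x00:
        # type 0: opaque identifier; IOS clients use 'cisco-<mac>-<ifname>'
        return {"type": 0, "value": payload.decode("ascii", errors="replace")}
    if cid_type == 0x01 and len(payload) == 6:
        # type 1: Ethernet hardware address
        return {"type": 1, "value": ":".join(f"{b:02x}" for b in payload)}
    return {"type": cid_type, "value": payload.hex()}


def parse_bindings(text):
    """Return one dict per lease with the client-id reassembled and decoded."""
    bindings = []
    for line in text.splitlines():
        m = BINDING_RE.match(line)
        if m:
            bindings.append({"ip": m.group(1), "client_id_hex": m.group(2),
                             "lease": m.group(3), "type": m.group(4)})
            continue
        m = HEX_CONT_RE.match(line)
        if m and bindings:
            bindings[-1]["client_id_hex"] += m.group(1)
    for b in bindings:
        b["client_id"] = decode_client_id(b["client_id_hex"])
    return bindings


if __name__ == "__main__":
    for b in parse_bindings(SAMPLE_BINDING_OUTPUT):
        print(b["ip"], b["client_id"]["value"], b["lease"])
```

Decoded, the two leases read cisco-aabb.cc00.0510-Et0/1 and cisco-aabb.cc00.0410-Et0/1, i.e. the MAC and interface of PC1 and PC2; the same decoder handles the type-1 (MAC address) identifiers that most non-IOS clients send.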

Next, let's talk about DHCP relay.

It is used when the DHCP server and the client are not in the same network. A broadcast cannot cross networks to reach the DHCP server, so we have the broadcast re-encapsulated as unicast.

dhcp relay

Now we make CMCC the DHCP server; the router Branch has two dot1q-encapsulated subinterfaces, for VLAN 10 where PC1 sits and VLAN 20 where PC2 sits.

Straight to the router configuration:

Branch(config)#int e0/0   
Branch(config-if)#no sh
Branch(config-if)#int e0/0.10
Branch(config-subif)#encapsulation dot1q 10
Branch(config-subif)#ip addr 192.168.1.100 255.255.255.0
Branch(config-subif)#ip helper-address 172.16.1.100
Branch(config-subif)#exi

The helper-address is what re-encapsulates the broadcast as unicast and sends it on.

PC1 receives the DHCP assignment message:

*Sep 22 02:40:14.398: %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet0/1 assigned DHCP address 192.168.1.1, mask 255.255.255.0, hostname PC1

Likewise, do the same for PC2 and the router's other subinterface.
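Added example, not the page's own code: a Python model of the relay behaviour described in the last few paragraphs. The relay address 192.168.1.100 and helper 172.16.1.100 are taken from the configuration above; the server's pools (192.168.1.0/24 and 192.168.2.0/24) and the client MAC are constructed. What it demonstrates is that the server chooses a pool from giaddr, so the server needs a pool for the relay interface's subnet, and that without a helper-address the broadcast is simply dropped at the router.

```python
"""Model of what 'ip helper-address' does for DHCP (added example, not the
page's own code).  The client's DISCOVER is a broadcast with giaddr 0.0.0.0;
the relay rewrites giaddr to the address of the interface the broadcast
arrived on and forwards the message as unicast to the helper address.  The
server selects a pool from giaddr and replies to the relay, which hands the
OFFER back onto the client's segment."""

from ipaddress import ip_address, ip_network

BROADCAST = "255.255.255.255"


class DhcpServer:
    """Server with one pool per subnet ('ip dhcp pool' + 'network')."""

    def __init__(self, address, pools):
        self.address = address
        self.pools = {ip_network(p["network"]): p for p in pools}
        self.next_host = {net: 1 for net in self.pools}

    def handle(self, msg):
        # Pool selection key: giaddr when relayed, else the receiving interface.
        relayed = msg["giaddr"] != "0.0.0.0"
        selector = ip_address(msg["giaddr"] if relayed else msg["received_on"])
        for net, pool in self.pools.items():
            if selector in net:
                offer_ip = str(net.network_address + self.next_host[net])
                self.next_host[net] += 1
                return {"op": "OFFER", "yiaddr": offer_ip,
                        "router": pool["default_router"],
                        "giaddr": msg["giaddr"], "chaddr": msg["chaddr"],
                        # replies go back to the relay, not to the client
                        "dst": msg["giaddr"] if relayed else BROADCAST}
        return None  # no pool covering that subnet: request is ignored


class RelayInterface:
    """One routed (sub)interface; helper is the 'ip helper-address' target."""

    def __init__(self, ip, helper=None):
        self.ip = ip
        self.helper = helper

    def receive_broadcast(self, msg, server):
        # Routers do not forward broadcasts; without a helper-address the
        # DISCOVER dies here and the client never gets an address.
        if msg["dst"] != BROADCAST or self.helper is None:
            return None
        relayed = dict(msg, src=self.ip, dst=self.helper,
                       giaddr=self.ip if msg["giaddr"] == "0.0.0.0" else msg["giaddr"])
        reply = server.handle(dict(relayed, received_on=server.address))
        if reply is None:
            return None
        # The OFFER arrived unicast at giaddr; deliver it onto the client segment.
        return dict(reply, src=self.ip, dst=BROADCAST)


def run_client(relay, server, chaddr="aabb.cc00.0510"):
    """Simulate one client DISCOVER on the relay's segment; returns the OFFER."""
    discover = {"op": "DISCOVER", "src": "0.0.0.0", "dst": BROADCAST,
                "giaddr": "0.0.0.0", "chaddr": chaddr}
    return relay.receive_broadcast(discover, server)


if __name__ == "__main__":
    cmcc = DhcpServer("172.16.1.100", [
        {"network": "192.168.1.0/24", "default_router": "192.168.1.100"},  # VLAN10
        {"network": "192.168.2.0/24", "default_router": "192.168.2.100"},  # VLAN20 (constructed)
    ])
    vlan10 = RelayInterface("192.168.1.100", helper="172.16.1.100")  # Branch e0/0.10
    print(run_client(vlan10, cmcc))
```

With the page's addresses the first offer is 192.168.1.1, matching the ADDRESS_ASSIGN message PC1 logged. Because giaddr drives pool selection, a relay interface whose subnet has no pool on the server gets no reply at all, which is the first thing to check when relayed clients time out.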

BGP

BGP, the Border Gateway Protocol, is used for automatic unicast routing between neighbours in different ASes. Let's simulate it with a tiny lab:

bgp2

We now have two ASes. To let PC1 in AS 100 talk to PC2 in AS 200, we first have PC1 and PC2 obtain addresses via DHCP, then verify connectivity between Branch and HQ:

Branch#sh ip dhcp pool Branch

Pool Branch :
Utilization mark (high/low) : 100 / 0
Subnet size (first/next) : 0 / 0
Total addresses : 254
Leased addresses : 1
Pending event : none
1 subnet is currently in the pool :
Current index IP address range Leased addresses
192.168.1.2 192.168.1.1 - 192.168.1.254 1
----------------------
HQ#sh ip dhcp pool HQ

Pool HQ :
Utilization mark (high/low) : 100 / 0
Subnet size (first/next) : 0 / 0
Total addresses : 254
Leased addresses : 1
Pending event : none
1 subnet is currently in the pool :
Current index IP address range Leased addresses
192.168.2.2 192.168.2.1 - 192.168.2.254 1

As usual, try a ping:

Branch#ping 172.16.2.100     
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/6 ms

OK, let's set up BGP, like this:

Branch(config)#router bgp 100
Branch(config-router)#neighbor 172.16.2.100 remote-as 200
Branch(config-router)#end
Branch#
*Sep 22 11:57:34.347: %SYS-5-CONFIG_I: Configured from console by console

Configure the other side the same way; after a short while the BGP neighbour-up message appears:

Branch#
*Sep 22 11:58:12.494: %BGP-5-ADJCHANGE: neighbor 172.16.2.100 Up

The exciting moment: I! Want! To! Communicate!

PC1#ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.100, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Heh, it failed. Why? Because we haven't advertised any routes into BGP yet.

Now try:

Branch(config)#router bgp 100
Branch(config-router)#network 192.168.1.0 mask 255.255.255.0
Branch(config-router)#network 172.16.0.0 mask 255.255.0.0
Branch(config-router)#^Z

Then the other side:

HQ(config)#router bgp 200
HQ(config-router)#network 192.168.2.0 mask 255.255.255.0
HQ(config-router)#network 172.16.0.0 mask 255.255.0.0
HQ(config-router)#^Z

Try again now, and they can communicate:

PC1#ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/5 ms

Suggestion: check the routing table often before, during and after advertising, and also use:

Branch#sh ip bgp
BGP table version is 6, local router ID is 192.168.1.100
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

Network Next Hop Metric LocPrf Weight Path
* 172.16.0.0 172.16.2.100 0 0 200 i
*> 0.0.0.0 0 32768 i
*> 192.168.1.0 0.0.0.0 0 32768 i
*> 192.168.2.0 172.16.2.100 0 0 200 i

You will notice a lot, and understand BGP advertisement better.

OSPF

odpf

Don't feel like typing.

Once the basic configuration is done, we go straight to the OSPF setup:

Branch#conf ter
Enter configuration commands, one per line. End with CNTL/Z.
Branch(config)#router ospf 1
Branch(config-router)#router-id 1.1.1.1
Branch(config-router)#exi
Branch(config)#int e0/0
Branch(config-if)#ip ospf 1 area 0
Branch(config-if)#exi
Branch(config)#int e0/1
Branch(config-if)#ip ospf 1 area 0
Branch(config-if)#end

Do the same on the other side; the OSPF process ID may differ between the two routers, but the router-id must of course be different.

Then we receive a notification, and the OSPF neighbour can now be seen:

Branch#
*Sep 22 13:30:02.975: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on Ethernet0/0 from LOADING to FULL, Loading Done
Branch#sh ip ospf nei

Neighbor ID Pri State Dead Time Address Interface
2.2.2.2 1 FULL/BDR 00:00:35 172.16.1.2 Ethernet0/0

Done, that's all it takes. Much easier than BGP!

PC1#ping 192.168.2.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/6 ms

But we're not finished. You'll notice something odd:

Branch#sh ip ospf nei

Neighbor ID Pri State Dead Time Address Interface
2.2.2.2 1 FULL/DR 00:00:37 172.16.1.2 Ethernet0/0
Branch#sh ip ospf nei

Neighbor ID Pri State Dead Time Address Interface
2.2.2.2 1 FULL/DR 00:00:34 172.16.1.2 Ethernet0/0
Branch#sh ip ospf nei

Neighbor ID Pri State Dead Time Address Interface
2.2.2.2 1 FULL/DR 00:00:33 172.16.1.2 Ethernet0/0

The dead time keeps decreasing, but you also notice that whenever it reaches 30 it jumps back up.

Here's the thing: the dead time counts down from the moment a Hello is received, and if no Hello arrives it keeps decreasing until it reaches 0. So I shut down OSPF on the Branch side; HQ then stops receiving Hellos and its timer keeps falling:

HQ#sh ip ospf nei

Neighbor ID Pri State Dead Time Address Interface
1.1.1.1 1 FULL/BDR 00:00:00 172.16.1.1 Ethernet0/0
HQ#sh ip ospf nei
HQ#
*Sep 22 14:10:11.105: %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.1 on Ethernet0/0 from FULL to DOWN, Neighbor Down: Dead timer expired

When the timer reaches 0, the neighbour is removed.

Now about the Hello message: by default it is sent every 10 s. How do we change the Hello interval?

Branch(config)#int e0/0
Branch(config-if)#ip ospf hello-interval 15

After a while you notice: hey, why was my neighbour removed again?

Branch(config-if)#
*Sep 22 14:16:46.466: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on Ethernet0/0 from FULL to DOWN, Neighbor Down: Dead timer expired

The Hello interval must match on both ends, so if you change one side you must change the other too.

HQ(config)#int e0/0
HQ(config-if)#ip ospf hello-interval 15
HQ(config-if)#end
*Sep 22 14:18:07.735: %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.1 on Ethernet0/0 from LOADING to FULL, Loading Done
HQ#sh ip ospf nei

Neighbor ID Pri State Dead Time Address Interface
1.1.1.1 1 FULL/BDR 00:00:58 172.16.1.1 Ethernet0/0

That's it. (The default dead interval is 4 times the Hello interval, but it can also be set explicitly; likewise it must match on both ends.)

There is one very important thing not mentioned yet: the area. It governs neighbour discovery and adjacency formation, and it must match too.
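Added example, not the page's own code: a Python model of the neighbour dead timer and of the Hello-interval mismatch seen above. It assumes the IOS defaults the page shows (Hello 10 s, dead 40 s, area 0) and the router IDs 1.1.1.1 and 2.2.2.2; time is advanced in one-second ticks.

```python
"""Model of the OSPF neighbour dead timer (added example, not the page's own
code).  A received Hello resets the neighbour's dead timer only if its area,
HelloInterval and RouterDeadInterval match the receiving interface (RFC 2328
header check and section 10.5); otherwise the Hello is discarded, the timer
keeps counting down and the neighbour is declared down at zero, which is the
'Dead timer expired' message on the page."""

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class OspfInterface:
    router_id: str
    area: int = 0
    hello: int = 10                    # IOS default on Ethernet
    dead: Optional[int] = None         # defaults to 4 x hello
    neighbors: dict = field(default_factory=dict)   # router_id -> seconds left
    events: list = field(default_factory=list)

    def __post_init__(self):
        if self.dead is None:
            self.dead = 4 * self.hello

    def hello_packet(self):
        return {"rid": self.router_id, "area": self.area,
                "hello": self.hello, "dead": self.dead}

    def receive_hello(self, pkt):
        """Accept the Hello only if area and both timers match ours."""
        if (pkt["area"], pkt["hello"], pkt["dead"]) != (self.area, self.hello, self.dead):
            self.events.append(f"ignored Hello from {pkt['rid']} (mismatch)")
            return False
        if pkt["rid"] not in self.neighbors:
            self.events.append(f"neighbor {pkt['rid']} up")
        self.neighbors[pkt["rid"]] = self.dead      # reset to the full dead interval
        return True

    def tick(self, seconds=1):
        for rid in list(self.neighbors):
            self.neighbors[rid] -= seconds
            if self.neighbors[rid] <= 0:
                del self.neighbors[rid]
                self.events.append(f"neighbor {rid} down: dead timer expired")


def simulate(local, peer, seconds, peer_stops_at=None):
    """Advance time; peer sends a Hello every peer.hello seconds until
    peer_stops_at.  Returns the dead time seen on local just before each
    peer Hello, plus local's event log."""
    samples = []
    for t in range(1, seconds + 1):
        local.tick(1)
        if t % peer.hello == 0 and (peer_stops_at is None or t < peer_stops_at):
            samples.append(local.neighbors.get(peer.router_id))
            local.receive_hello(peer.hello_packet())
    return samples, local.events


def run_dead_timer_countdown():
    """Default timers on both sides: the lowest value ever seen is 30,
    i.e. dead minus hello, exactly as observed in 'sh ip ospf nei'."""
    branch, hq = OspfInterface("1.1.1.1"), OspfInterface("2.2.2.2")
    samples, _ = simulate(branch, hq, 40)
    return samples


def run_peer_removed():
    """Peer stops sending at t=30 (OSPF removed on Branch): HQ drops the
    neighbour one full dead interval after the last Hello."""
    hq, branch = OspfInterface("2.2.2.2"), OspfInterface("1.1.1.1")
    _, events = simulate(hq, branch, 120, peer_stops_at=30)
    return "1.1.1.1" in hq.neighbors, events[-1]


def run_hello_mismatch():
    """'ip ospf hello-interval 15' on Branch only: HQ's 10 s Hellos are now
    ignored, so Branch's timer for 2.2.2.2 runs out."""
    branch, hq = OspfInterface("1.1.1.1"), OspfInterface("2.2.2.2")
    simulate(branch, hq, 20)
    formed = "2.2.2.2" in branch.neighbors
    branch.hello, branch.dead = 15, 60
    simulate(branch, hq, 60)
    return formed, "2.2.2.2" in branch.neighbors, branch.events


if __name__ == "__main__":
    print(run_dead_timer_countdown(), run_peer_removed(), run_hello_mismatch()[:2])
```

The mismatch case is the one worth remembering when troubleshooting: the adjacency does not fail because of a timeout in the usual sense, but because every Hello from the peer is rejected up front, so the timer is never refreshed.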

RIP

We've reached RIP, so this article is finally almost finished, so happy. So many labs. Although I feel none of it is very interesting... (OK, honestly I think I took a wrong turn; playing with this stuff is simply a waste of my time. I'd better get back to my Linux operations work... I'm not going into this field anyway... but since I've written this much, I might as well finish the article properly. After the RIP lab only the VPN implementation and ACLs remain. Once those are done, I'll continue updating the Linux articles!)

OK, as usual, here is our lab topology:

rip

It is actually the same diagram as for OSPF above; this time I use RIP instead of OSPF for routing. Like this:
Branch:

Branch(config)#router rip
Branch(config-router)#version 2
Branch(config-router)#no auto-summary
Branch(config-router)#passive-interface default
Branch(config-router)#network 172.16.1.0
Branch(config-router)#network 192.168.1.0
Branch(config-router)#neighbor 172.16.1.2
Branch(config-router)#^Z

HQ:

HQ(config)#router rip
HQ(config-router)#version 2
HQ(config-router)#no auto-summary
HQ(config-router)#passive-interface default
HQ(config-router)#netwo 192.168.2.0
HQ(config-router)#netwo 172.16.1.0
HQ(config-router)#nei 172.16.1.1
HQ(config-router)#end

That's it; this is the classic RIP configuration.

PC1#ping 192.168.2.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/6 ms

We said RIPv1 and v2 are incompatible, but it's more fun to mess with it, so now change one side to version 1:

HQ(config)#router rip
HQ(config-router)#version 1
HQ(config-router)#no passive-interface default

Adjust the interfaces on the other side too:

Branch(config)#router rip
Branch(config-router)#no passive-interface default

Now look at the routing protocol information on both sides:

Branch#sh ip protocols 
...(omitted)
Routing Protocol is "rip"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Sending updates every 30 seconds, next due in 3 seconds
Invalid after 180 seconds, hold down 180, flushed after 240
Redistributing: rip
Neighbor(s):
172.16.1.2
Default version control: send version 2, receive version 2
Interface Send Recv Triggered RIP Key-chain
Ethernet0/0 2 2
Ethernet0/1 2 2
..(omitted)

As you can see, Branch receives version 2 and sends version 2. You can guess that HQ only receives and sends version 1 packets, so the two cannot establish a relationship. But we can use a command to make a given interface send and receive packets of specific versions, which resolves the compatibility problem.

Branch(config)#int r e0/0 -1
Branch(config-if-range)#ip rip send version 1 2
Branch(config-if-range)#ip rip re version 1 2

It actually works now, because one side can use both versions.

In this lab we disabled auto-summary; that summarisation is the route summarisation we talked about.

PAP authentication

The lab topology is extremely simple:

ppp

It's really just to demonstrate PPP.

On the HQ side:

HQ#conf ter
Enter configuration commands, one per line. End with CNTL/Z.
HQ(config)#int s2/0
HQ(config-if)#no sh
HQ(config-if)#ip addr 202.10.100.10 255.255.255.0
HQ(config-if)#encapsulation ppp
HQ(config-if)#
*Sep 23 05:45:18.209: %LINK-3-UPDOWN: Interface Serial2/0, changed state to up
HQ(config-if)#ppp authentication pap
HQ(config-if)#exi
HQ(config)#username justin password justin
HQ(config)#service password-encryption
HQ(config)#end

Then the other end:

Branch(config)#in s2/0
Branch(config-if)#no sh
Branch(config-if)#ip addr 202.102
*Sep 23 05:47:05.729: %LINK-3-UPDOWN: Interface Serial2/0, changed state to up
*Sep 23 05:47:06.729: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to up
Branch(config-if)#ip addr 202.10.100.20 255.255.255.0
Branch(config-if)#en
Branch(config-if)#encapsulation ppp
*Sep 23 05:47:23.553: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to down
Branch(config-if)#ppp pap sent-username justin password justi
# here I deliberately typed a wrong password
Branch(config-if)#ppp pap sent-username justin password justin
Branch(config-if)#
*Sep 23 05:48:32.410: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to up
Branch(config-if)#end
Branch#
*Sep 23 05:48:48.907: %SYS-5-CONFIG_I: Configured from console by console
Branch#

I enabled debugging on the other end, so after receiving the wrong password it logged:

*Sep 23 05:48:30.334: Se2/0 PPP: Using default call direction
*Sep 23 05:48:30.334: Se2/0 PPP: Treating connection as a dedicated line
*Sep 23 05:48:30.334: Se2/0 PPP: Session handle[3400000F] Session id[15]
*Sep 23 05:48:30.354: Se2/0 PAP: I AUTH-REQ id 1 len 17 from "justin"
*Sep 23 05:48:30.354: Se2/0 PAP: Authenticating peer justin
*Sep 23 05:48:30.354: Se2/0 PPP: Sent PAP LOGIN Request
*Sep 23 05:48:30.354: Se2/0 PPP: Received LOGIN Response FAIL
*Sep 23 05:48:30.354: Se2/0 PAP: O AUTH-NAK id 1 len 26 msg is "Authentication failed"

Once the password is correct, both sides show the interface up, and:

*Sep 23 05:48:32.386: Se2/0 PPP: Using default call direction
*Sep 23 05:48:32.386: Se2/0 PPP: Treating connection as a dedicated line
*Sep 23 05:48:32.386: Se2/0 PPP: Session handle[39000010] Session id[16]
*Sep 23 05:48:32.402: Se2/0 PAP: I AUTH-REQ id 1 len 18 from "justin"
*Sep 23 05:48:32.402: Se2/0 PAP: Authenticating peer justin
*Sep 23 05:48:32.403: Se2/0 PPP: Sent PAP LOGIN Request
*Sep 23 05:48:32.403: Se2/0 PPP: Received LOGIN Response PASS
*Sep 23 05:48:32.409: Se2/0 PAP: O AUTH-ACK id 1 len 5

CHAP

First a one-way authentication; very simple:

chap1

Router1(config)#int s2/0
Router1(config-if)#no sh
Router1(config-if)#ip add
*Sep 23 06:07:37.658: %LINK-3-UPDOWN: Interface Serial2/0, changed state to up
*Sep 23 06:07:38.666: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to up
Router1(config-if)#ip addr 202.10.100.10 255.255.255.0
Router1(config-if)#encapsulation ppp
Router1(config-if)#ppp authn
*Sep 23 06:07:56.329: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to down
Router1(config-if)#ppp authen chap
Router1(config-if)#exi
Router1(config)#username justin password justin
Router1(config)#service password-encryption
Router1(config)#end

Again I had debug on at this point, so you can see it.

While we were configuring Router2, Router1 kept sending challenges:

*Sep 23 06:11:13.788: Se2/0 PPP: Using default call direction
*Sep 23 06:11:13.788: Se2/0 PPP: Treating connection as a dedicated line
*Sep 23 06:11:13.788: Se2/0 PPP: Session handle[72000027] Session id[39]
*Sep 23 06:11:13.822: Se2/0 CHAP: O CHALLENGE id 1 len 28 from "Router1"

Then once we set the correct hostname and password:

*Sep 23 06:14:23.736: Se2/0 PPP: Using default call direction
*Sep 23 06:14:23.736: Se2/0 PPP: Treating connection as a dedicated line
*Sep 23 06:14:23.736: Se2/0 PPP: Session handle[BE000047] Session id[70]
*Sep 23 06:14:23.773: Se2/0 CHAP: O CHALLENGE id 1 len 28 from "Router1"
*Sep 23 06:14:23.784: Se2/0 CHAP: I RESPONSE id 1 len 27 from "justin"
*Sep 23 06:14:23.784: Se2/0 PPP: Sent CHAP LOGIN Request
*Sep 23 06:14:23.784: Se2/0 PPP: Received LOGIN Response PASS
*Sep 23 06:14:23.790: Se2/0 CHAP: O SUCCESS id 1 len 4
Router1#
*Sep 23 06:14:23.790: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to up

That is one-way authentication; very simple.

Now let's see what two-way authentication looks like.

It's really the same: give Router2 a username and password as well. But something strange happens: even though we configured Router1 correctly too (sending hostname and password), we get this:

Router1(config-if)#
*Sep 23 06:18:58.433: Se2/0 AUTH: Timeout 8
*Sep 23 06:18:58.433: Se2/0 CHAP: O CHALLENGE id 9 len 27 from "justin"
*Sep 23 06:18:58.450: Se2/0 CHAP: I CHALLENGE id 9 len 27 from "justin"
*Sep 23 06:18:58.450: Se2/0 CHAP: Ignoring Challenge with local name

On the other side:

Router2(config-if)#
*Sep 23 06:19:08.457: Se2/0 AUTH: Timeout 9
*Sep 23 06:19:08.457: Se2/0 CHAP: O CHALLENGE id 10 len 27 from "justin"
*Sep 23 06:19:08.457: Se2/0 CHAP: I CHALLENGE id 10 len 27 from "justin"
*Sep 23 06:19:08.457: Se2/0 CHAP: Ignoring Challenge with local name

Both sides keep timing out; strange. Let's verify the configuration (to see the passwords, service password-encryption is temporarily removed):

Router1#sh run int s2/0
Building configuration...

Current configuration : 197 bytes
!
interface Serial2/0
ip address 202.10.100.10 255.255.255.0
encapsulation ppp
ppp authentication chap
ppp chap hostname justin
ppp chap password 0 justin
serial restart-delay 0
end
---------
Router2#sh run int s2/0
Building configuration...

Current configuration : 197 bytes
!
interface Serial2/0
ip address 202.10.100.20 255.255.255.0
encapsulation ppp
ppp authentication chap
ppp chap hostname justin
ppp chap password 0 justin
serial restart-delay 0
end

Strange, the configuration checks out. Could it be that the usernames must not be the same?

Router2(config)#username bieber password justin

Then:

Router1(config-if)#ppp chap hostname bieber

Suddenly:

*Sep 23 06:28:19.557: Se2/0 CHAP: O CHALLENGE id 9 len 27 from "justin"
*Sep 23 06:28:19.558: Se2/0 CHAP: I CHALLENGE id 9 len 27 from "bieber"
*Sep 23 06:28:19.558: Se2/0 PPP: Sent CHAP SENDAUTH Request
*Sep 23 06:28:19.558: Se2/0 PPP: Received SENDAUTH Response PASS
*Sep 23 06:28:19.558: Se2/0 CHAP: Using hostname from interface CHAP
*Sep 23 06:28:19.558: Se2/0 CHAP: Using password from AAA
*Sep 23 06:28:19.558: Se2/0 CHAP: O RESPONSE id 9 len 27 from "justin"
*Sep 23 06:28:19.564: Se2/0 CHAP: I RESPONSE id 9 len 27 from "bieber"
*Sep 23 06:28:19.564: Se2/0 PPP: Sent CHAP LOGIN Request
*Sep 23 06:28:19.564: Se2/0 PPP: Received LOGIN Response PASS
*Sep 23 06:28:19.570: Se2/0 CHAP: O SUCCESS id 9 len 4
*Sep 23 06:28:19.575: Se2/0 CHAP: I SUCCESS id 9 len 4
Router2#
*Sep 23 06:28:19.576: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to up

Without even entering a password again, the interface came up.
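Added example, not the page's own code: a Python model of the CHAP exchange from RFC 1994 that reproduces the two-way case above. The names Router1/Router2, "justin" and "bieber" and the secrets come from the lab; the challenge values are random. It shows why the identical-hostname setup stalled: the debug line "Ignoring Challenge with local name" means a router drops any challenge that carries its own CHAP hostname, so two routers both calling themselves "justin" never answer each other. It also shows the property that makes CHAP preferable to the PAP lab before it: only an MD5 hash of (id, secret, challenge) crosses the link, whereas PAP's Authenticate-Request carries the password itself.

```python
"""Model of PPP CHAP (RFC 1994) with the IOS 'local name' rule seen on the
page (added example, not the page's own code).  MD5 here is the algorithm the
RFC specifies (CHAP is a legacy protocol); the secret never leaves the peer."""

import hashlib
import hmac
import os


def chap_response(ident, secret, challenge):
    """RFC 1994 4.1: Value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


class ChapPeer:
    def __init__(self, hostname, secret, users):
        self.hostname = hostname   # 'ppp chap hostname' (defaults to device hostname)
        self.secret = secret       # 'ppp chap password', used when answering
        self.users = users         # local 'username X password Y' database
        self.log = []

    def challenge(self, ident):
        chal = {"id": ident, "value": os.urandom(16), "name": self.hostname}
        self.log.append(f'O CHALLENGE id {ident} from "{self.hostname}"')
        return chal

    def respond(self, pkt):
        if pkt["name"] == self.hostname:
            # IOS: "Ignoring Challenge with local name" (treated as a loop)
            self.log.append(f'I CHALLENGE id {pkt["id"]} from "{pkt["name"]}": ignored')
            return None
        self.log.append(f'I CHALLENGE id {pkt["id"]} from "{pkt["name"]}"')
        return {"id": pkt["id"], "name": self.hostname,
                "value": chap_response(pkt["id"], self.secret, pkt["value"])}

    def verify(self, chal, resp):
        # Look the peer's name up locally and recompute the expected hash.
        secret = self.users.get(resp["name"])
        ok = (secret is not None and resp["id"] == chal["id"] and
              hmac.compare_digest(resp["value"],
                                  chap_response(chal["id"], secret, chal["value"])))
        self.log.append(f'O {"SUCCESS" if ok else "FAILURE"} id {chal["id"]}')
        return ok


def two_way_auth(a, b, ident=1):
    """'ppp authentication chap' on both ends: each side challenges the other.
    Returns (a authenticated b, b authenticated a)."""
    chal_a, chal_b = a.challenge(ident), b.challenge(ident)
    resp_b, resp_a = b.respond(chal_a), a.respond(chal_b)
    a_ok = resp_b is not None and a.verify(chal_a, resp_b)
    b_ok = resp_a is not None and b.verify(chal_b, resp_a)
    return a_ok, b_ok


def page_scenarios():
    # 1. Both routers send hostname "justin": every challenge is ignored.
    r1 = ChapPeer("justin", "justin", {"justin": "justin"})
    r2 = ChapPeer("justin", "justin", {"justin": "justin"})
    same_name = two_way_auth(r1, r2)
    # 2. Router1 sends "bieber", Router2 knows user bieber: both directions pass.
    r1 = ChapPeer("bieber", "justin", {"justin": "justin"})
    r2 = ChapPeer("justin", "justin", {"justin": "justin", "bieber": "justin"})
    distinct = two_way_auth(r1, r2)
    # 3. Wrong secret on Router1: Router2 rejects it instead of ignoring it.
    r3 = ChapPeer("bieber", "wrong", {"justin": "justin"})
    r4 = ChapPeer("justin", "justin", {"bieber": "justin"})
    wrong = two_way_auth(r3, r4)
    return same_name, distinct, wrong


if __name__ == "__main__":
    print(page_scenarios())
```

The third scenario is the one the two-way lab never reached: with distinct names and a wrong password the responder logs FAILURE rather than silently timing out, which is the difference between a misconfiguration and the name-collision loop.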