CONFIGURE LABSW FINAL1
1, BASIC CONFIGURE HOSTNAME, IP ADDRESS ACCORDING TO THE DIAGRAM
# AC1: Hostname, Etherchannel, Trunk, Native Vlan 100
# AC1 SPEED UP
# STEP 1: HOSTNAME AC1
enable
configure terminal
! Base settings for AC1.
! Lab shortcut ("speed up"): the console and vty 0-4 lines below start at
! privilege 15 with the login check turned off, so any session on them is
! fully privileged without a password. Keep this to an isolated lab; on a
! reachable network require authentication on the lines (for example
! "login local" with a "username ... secret" entry) and limit vty access.
hostname AC1
no ip domain-lookup
line console 0
 logging synchronous
 no exec-timeout
 privilege level 15
 no login
line vty 0 4
 privilege level 15
 no login
end
write memory
====================================================
# STEP 1: HOSTNAME DS1
enable
configure terminal
! Base settings for DS1. Lab shortcut: console and vty lines run at
! privilege 15 with no login check and no console idle timeout.
! Not suitable for any device that is reachable outside the lab.
hostname DS1
no ip domain-lookup
line console 0
 logging synchronous
 no exec-timeout
 privilege level 15
 no login
line vty 0 4
 privilege level 15
 no login
end
write memory
===================================================
# STEP 1: HOSTNAME DS2
enable
configure terminal
! Base settings for DS2. Lab shortcut: console and vty lines run at
! privilege 15 with no login check and no console idle timeout.
! Not suitable for any device that is reachable outside the lab.
hostname DS2
no ip domain-lookup
line console 0
 logging synchronous
 no exec-timeout
 privilege level 15
 no login
line vty 0 4
 privilege level 15
 no login
end
write memory
====================================================
# STEP 1: HOSTNAME CS1
enable
configure terminal
! Base settings for CS1. Lab shortcut: console and vty lines run at
! privilege 15 with no login check and no console idle timeout.
! Not suitable for any device that is reachable outside the lab.
hostname CS1
no ip domain-lookup
line console 0
 logging synchronous
 no exec-timeout
 privilege level 15
 no login
line vty 0 4
 privilege level 15
 no login
end
write memory
====================================================
# STEP 1: HOSTNAME CS2
enable
configure terminal
! Base settings for CS2. Lab shortcut: console and vty lines run at
! privilege 15 with no login check and no console idle timeout.
! Not suitable for any device that is reachable outside the lab.
hostname CS2
no ip domain-lookup
line console 0
 logging synchronous
 no exec-timeout
 privilege level 15
 no login
line vty 0 4
 privilege level 15
 no login
end
write memory
====================================================
# STEP 1: HOSTNAME SWSERVER
enable
configure terminal
! Base settings for SWSERVER. Lab shortcut: console and vty lines run at
! privilege 15 with no login check and no console idle timeout.
! Not suitable for any device that is reachable outside the lab.
hostname SWSERVER
no ip domain-lookup
line console 0
 logging synchronous
 no exec-timeout
 privilege level 15
 no login
line vty 0 4
 privilege level 15
 no login
end
write memory
====================================================
# STEP 1: HOSTNAME GW1
enable
configure terminal
! Base settings for GW1. Lab shortcut: console and vty lines run at
! privilege 15 with no login check and no console idle timeout.
! This router's f0/0 is addressed by DHCP from the outside segment elsewhere
! on this page, so the open vty lines would also answer on that side unless
! filtered. Require line authentication before connecting it to a real uplink.
hostname GW1
no ip domain-lookup
line console 0
 logging synchronous
 no exec-timeout
 privilege level 15
 no login
line vty 0 4
 privilege level 15
 no login
end
write memory
====================================================
# STEP 1: HOSTNAME GW2
enable
configure terminal
! Base settings for GW2. Lab shortcut: console and vty lines run at
! privilege 15 with no login check and no console idle timeout.
! This router's f0/0 is addressed by DHCP from the outside segment elsewhere
! on this page, so the open vty lines would also answer on that side unless
! filtered. Require line authentication before connecting it to a real uplink.
hostname GW2
no ip domain-lookup
line console 0
 logging synchronous
 no exec-timeout
 privilege level 15
 no login
line vty 0 4
 privilege level 15
 no login
end
write memory
====================================================
# CS1: CONFIGURE IP ADDRESS
configure terminal
! CS1 routed (layer-3) ports, one /24 per link. Peer addresses named in the
! comments are the ones configured on the other devices on this page.
! f0/12: link to DS2 (192.168.40.2)
interface f0/12
 no switchport
 ip address 192.168.40.1 255.255.255.0
 no shutdown
! f0/13: link to GW1 (10.10.10.2)
interface f0/13
 no switchport
 ip address 10.10.10.1 255.255.255.0
 no shutdown
! f0/14: shared 192.168.100.0/24 segment (CS2 is .2)
interface f0/14
 no switchport
 ip address 192.168.100.1 255.255.255.0
 no shutdown
! f0/15: link to DS1 (192.168.10.2)
interface f0/15
 no switchport
 ip address 192.168.10.1 255.255.255.0
 no shutdown
end
write memory
=====================================================
# CS2: CONFIGURE IP ADDRESS
configure terminal
! CS2 routed (layer-3) ports, one /24 per link. Peer addresses named in the
! comments are the ones configured on the other devices on this page.
! f0/12: link to DS1 (192.168.50.2)
interface f0/12
 no switchport
 ip address 192.168.50.1 255.255.255.0
 no shutdown
! f0/13: link to GW2 (20.20.20.2).
! 20.20.20.0/24 is publicly routable space, not RFC 1918. It works behind
! NAT in a lab, but real Internet hosts in that range become unreachable
! from this network.
interface f0/13
 no switchport
 ip address 20.20.20.1 255.255.255.0
 no shutdown
! f0/14: shared 192.168.100.0/24 segment (CS1 is .1)
interface f0/14
 no switchport
 ip address 192.168.100.2 255.255.255.0
 no shutdown
! f0/15: link to DS2 (192.168.20.2)
interface f0/15
 no switchport
 ip address 192.168.20.1 255.255.255.0
 no shutdown
end
write memory
=====================================================
# GW1: CONFIGURE IP ADDRESS
configure terminal
! GW1 addressing.
! f0/0: outside interface, address leased by DHCP from the upstream network.
interface f0/0
 ip address dhcp
 no shutdown
! f0/1: inside link to CS1 (10.10.10.1 on this page).
interface f0/1
 ip address 10.10.10.2 255.255.255.0
 no shutdown
end
write memory
====================================================
# GW2: CONFIGURE IP ADDRESS
configure terminal
! GW2 addressing.
! f0/0: outside interface, address leased by DHCP from the upstream network.
interface f0/0
 ip address dhcp
 no shutdown
! f0/1: inside link to CS2 (20.20.20.1 on this page). 20.20.20.0/24 is
! publicly routable space rather than RFC 1918; acceptable only as a lab value.
interface f0/1
 ip address 20.20.20.2 255.255.255.0
 no shutdown
end
write memory
====================================================
2, DS1; DS2; AC1 CONFIGURE ETHERCHANNEL; TRUNK; NATIVE VLAN 100; VTP; STP
# STEP 2: IP ADDRESS; ETHERCHANNEL; TRUNK; NATIVE VLAN 100
# DS1: IP address; Etherchannel, Trunk, Native Vlan 100
configure terminal
! DS1 routed uplinks. Peers as addressed elsewhere on this page:
! f0/13 -> DS2 (192.168.30.2), f0/12 -> CS1 (192.168.10.1),
! f0/11 -> CS2 (192.168.50.1).
interface f0/13
 no switchport
 ip address 192.168.30.1 255.255.255.0
 no shutdown
interface f0/12
 no switchport
 ip address 192.168.10.2 255.255.255.0
 no shutdown
interface f0/11
 no switchport
 ip address 192.168.50.2 255.255.255.0
 no shutdown
! Static EtherChannel ("mode on"): nothing is negotiated, so both ends must
! be bundled by hand and a one-sided or mis-cabled bundle is not detected
! by LACP/PAgP.
interface range f0/14 - 15
 channel-group 1 mode on
! 802.1Q trunk on the bundle. Native VLAN 100 is also removed from the
! allowed list, so untagged user frames on the trunk are not carried into
! any VLAN. "switchport mode trunk" alone leaves DTP running; adding
! "switchport nonegotiate" would turn it off.
interface port-channel 1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 100
 switchport trunk allowed vlan except 100
end
write memory
====================================================
# DS2: IP address; Etherchannel, Trunk, Native Vlan 100
configure terminal
! DS2 routed uplinks. Peers as addressed elsewhere on this page:
! f0/14 -> DS1 (192.168.30.1), f0/15 -> CS2 (192.168.20.1),
! f0/11 -> CS1 (192.168.40.1).
interface f0/14
 no switchport
 ip address 192.168.30.2 255.255.255.0
 no shutdown
interface f0/15
 no switchport
 ip address 192.168.20.2 255.255.255.0
 no shutdown
interface f0/11
 no switchport
 ip address 192.168.40.2 255.255.255.0
 no shutdown
! Static EtherChannel ("mode on"): no LACP/PAgP negotiation, so the far end
! must be configured to match by hand.
interface range f0/12 - 13
 channel-group 2 mode on
! 802.1Q trunk on the bundle; native VLAN 100 is kept off the allowed list
! so untagged user frames are not carried into any VLAN.
interface port-channel 2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 100
 switchport trunk allowed vlan except 100
end
write memory
====================================================
# AC1: IP address; Etherchannel, Trunk, Native Vlan 100
configure terminal
! AC1 uplink bundles. Port-channel 1 (f0/14-15) and port-channel 2
! (f0/12-13) presumably face DS1 and DS2, which build bundles with the same
! numbers on this page; confirm against the diagram.
! Both bundles are static ("mode on"), so nothing verifies that the far end
! is bundled the same way.
interface range f0/14 - 15
 channel-group 1 mode on
! Trunk settings must match the far end: dot1q, native VLAN 100, and
! VLAN 100 excluded from the allowed list.
interface port-channel 1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 100
 switchport trunk allowed vlan except 100
interface range f0/12 - 13
 channel-group 2 mode on
interface port-channel 2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 100
 switchport trunk allowed vlan except 100
end
write memory
====================================================
# Testing Etherchannel, Trunk
# show interface trunk
# show etherchannel summary
=====================================================
# STEP 3: CONFIGURE VTP; VLAN
# DS1: VTPserver, Vlan
! DS1 as VTP server for domain "newstar", creating VLANs 10/20/30/40 through
! the legacy "vlan database" EXEC mode (changes apply on "exit").
! NOTE(review): the VTP password is the same string as the domain name, so
! it is easy to guess. The password is what stops another switch from
! updating this domain's VLAN database; use a distinct secret outside a lab.
vlan database
vtp domain newstar
vtp password newstar
vtp server
vlan 10
vlan 20
vlan 30
vlan 40
exit
! Store the VLAN/VTP database in NVRAM as vlan.dat.
config terminal
vtp file nvram:vlan.dat
end
wr
=================================================
# DS2: VTPserver, Vlan
! DS2 as a second VTP server for domain "newstar", with the same VLANs
! 10/20/30/40, through the legacy "vlan database" EXEC mode.
! NOTE(review): the VTP password equals the domain name; treat it as a lab
! placeholder and use a distinct secret on a real network.
vlan database
vtp domain newstar
vtp password newstar
vtp server
vlan 10
vlan 20
vlan 30
vlan 40
exit
! Store the VLAN/VTP database in NVRAM as vlan.dat.
config terminal
vtp file nvram:vlan.dat
end
wr
=================================================
# AC1: VTP Client
! AC1 as VTP client in domain "newstar": it defines no VLANs itself and
! takes them from the servers in the domain.
! NOTE(review): the VTP password equals the domain name; lab placeholder only.
vlan database
vtp domain newstar
vtp password newstar
vtp client
exit
! Store the VLAN/VTP database in NVRAM as vlan.dat.
config terminal
vtp file nvram:vlan.dat
end
wr
=================================================
# AC1: Switchport access vlan
configure terminal
! AC1 user ports: three ports per VLAN, each forced to access mode.
interface range f0/0 - 2
 switchport mode access
 switchport access vlan 10
interface range f0/3 - 5
 switchport mode access
 switchport access vlan 20
interface range f0/6 - 8
 switchport mode access
 switchport access vlan 30
interface range f0/9 - 11
 switchport mode access
 switchport access vlan 40
! PortFast skips the listening/learning delay on all twelve user ports.
! PortFast alone does not stop a port from taking part in spanning tree if
! a switch is plugged in; pairing it with "spanning-tree bpduguard enable"
! on these ports is the usual safeguard.
interface range f0/0 - 11
 spanning-tree portfast
 no shutdown
end
write memory
==============================================
# STEP 4: CONFIGURE STP
# DS1: STP is Root
configure terminal
! DS1 is made the preferred spanning-tree root bridge for every user VLAN
! (10, 20, 30 and 40).
spanning-tree vlan 10 root primary
spanning-tree vlan 20 root primary
spanning-tree vlan 30 root primary
spanning-tree vlan 40 root primary
end
write memory
===============================================
# DS2: STP is Secondary
configure terminal
! DS2 is the backup spanning-tree root for VLANs 10, 20, 30 and 40; it
! takes over as root only if the primary root is lost.
spanning-tree vlan 10 root secondary
spanning-tree vlan 20 root secondary
spanning-tree vlan 30 root secondary
spanning-tree vlan 40 root secondary
end
write memory
===============================================
# STEP 5: CONFIGURE HSRP; IP ADDRESS VLAN
# DS1: HSRP
configure terminal
! DS1 SVIs: .1 in each user VLAN, sharing HSRP virtual gateway .254
! (HSRP group number = VLAN number).
! The groups carry no authentication, so HSRP hellos from any device in the
! VLAN are accepted; "standby <group> authentication md5 key-string <key>"
! on both routers closes that gap.
interface vlan 10
 ip address 172.16.10.1 255.255.255.0
 standby 10 ip 172.16.10.254
 no shutdown
interface vlan 20
 ip address 172.16.20.1 255.255.255.0
 standby 20 ip 172.16.20.254
 no shutdown
interface vlan 30
 ip address 172.16.30.1 255.255.255.0
 standby 30 ip 172.16.30.254
 no shutdown
interface vlan 40
 ip address 172.16.40.1 255.255.255.0
 standby 40 ip 172.16.40.254
 no shutdown
end
write memory
===================================================
# DS2: HSRP
configure terminal
! DS2 SVIs: .2 in each user VLAN, sharing HSRP virtual gateway .254
! (HSRP group number = VLAN number). The virtual IPs must match the ones
! set on the HSRP peer. No HSRP authentication is configured here.
interface vlan 10
 ip address 172.16.10.2 255.255.255.0
 standby 10 ip 172.16.10.254
 no shutdown
interface vlan 20
 ip address 172.16.20.2 255.255.255.0
 standby 20 ip 172.16.20.254
 no shutdown
interface vlan 30
 ip address 172.16.30.2 255.255.255.0
 standby 30 ip 172.16.30.254
 no shutdown
interface vlan 40
 ip address 172.16.40.2 255.255.255.0
 standby 40 ip 172.16.40.254
 no shutdown
end
write memory
===================================================
# STEP 6: DS1 IS ACTIVE VLAN 10; 20; DS2 IS ACTIVE 30; 40
# DS1: is active for Vlan 10;20
configure terminal
! DS1 becomes HSRP active for VLANs 10 and 20: priority 110 beats the
! default of 100, and preempt lets it take the role back after recovering.
! With preempt on and no HSRP authentication, the active role goes to
! whichever sender advertises the highest priority, so add authentication
! to these groups on a real network.
interface vlan 10
 standby 10 preempt
 standby 10 priority 110
interface vlan 20
 standby 20 preempt
 standby 20 priority 110
end
write memory
===================================================
# DS2: is active for Vlan 30;40
configure terminal
! DS2 becomes HSRP active for VLANs 30 and 40 (priority 110 with preempt).
! Note: the STP step on this page makes DS1 root primary for VLANs 30 and
! 40 as well, so for these two VLANs the layer-2 root and the HSRP active
! gateway are different switches.
interface vlan 30
 standby 30 preempt
 standby 30 priority 110
interface vlan 40
 standby 40 preempt
 standby 40 priority 110
end
write memory
===================================================
# Testing HSRP
# show standby brief
===================================================
# STEP 7: CS1; CS2 CONFIGURE HSRP
# CS1: HSRP
configure terminal
! CS1 joins HSRP group 1 on the 192.168.100.0/24 segment with virtual
! gateway 192.168.100.254. No priority, preempt or authentication is set,
! so defaults apply.
interface f0/14
 standby 1 ip 192.168.100.254
end
write memory
===================================================
# CS2: HSRP
configure terminal
! CS2 joins the same HSRP group 1 and virtual gateway 192.168.100.254 as
! CS1. No priority, preempt or authentication is set, so defaults apply.
interface f0/14
 standby 1 ip 192.168.100.254
end
write memory
===================================================
# Testing HSRP
# show standby brief
===================================================
3, ROUTING WITH OSPF TO GUARANTEE NETWORK CONVERGENCE
# STEP 8: CS1;CS2; DS1;DS2;GW1;GW2 CONFIGURE ROUTING
# CS1: ROUTING WITH OSPF
configure terminal
! CS1: OSPF process 1, every connected /24 placed in backbone area 0.
! No OSPF authentication and no passive interfaces are configured, so hellos
! are sent and adjacencies accepted on all four segments, including the
! shared 192.168.100.0/24 segment.
router ospf 1
 network 10.10.10.0 0.0.0.255 area 0
 network 192.168.10.0 0.0.0.255 area 0
 network 192.168.40.0 0.0.0.255 area 0
 network 192.168.100.0 0.0.0.255 area 0
end
write memory
===================================================
# CS2: ROUTING WITH OSPF
configure terminal
! CS2: OSPF process 1, every connected /24 placed in backbone area 0.
! No OSPF authentication and no passive interfaces are configured, so hellos
! are sent and adjacencies accepted on all four segments.
router ospf 1
 network 20.20.20.0 0.0.0.255 area 0
 network 192.168.20.0 0.0.0.255 area 0
 network 192.168.50.0 0.0.0.255 area 0
 network 192.168.100.0 0.0.0.255 area 0
end
write memory
===================================================
# DS1: ROUTING WITH OSPF
configure terminal
! DS1: OSPF process 1, area 0.
router ospf 1
 ! Routed uplinks to CS1, CS2 and DS2.
 network 192.168.10.0 0.0.0.255 area 0
 network 192.168.50.0 0.0.0.255 area 0
 network 192.168.30.0 0.0.0.255 area 0
 ! User VLAN subnets (SVIs). Until these interfaces are made passive,
 ! OSPF hellos are also sent toward end hosts in VLANs 10-40.
 network 172.16.10.0 0.0.0.255 area 0
 network 172.16.20.0 0.0.0.255 area 0
 network 172.16.30.0 0.0.0.255 area 0
 network 172.16.40.0 0.0.0.255 area 0
end
write memory
===================================================
# DS2: ROUTING WITH OSPF
configure terminal
! DS2: OSPF process 1, area 0.
router ospf 1
 ! Routed uplinks to CS2, CS1 and DS1.
 network 192.168.20.0 0.0.0.255 area 0
 network 192.168.40.0 0.0.0.255 area 0
 network 192.168.30.0 0.0.0.255 area 0
 ! User VLAN subnets (SVIs). Until these interfaces are made passive,
 ! OSPF hellos are also sent toward end hosts in VLANs 10-40.
 network 172.16.10.0 0.0.0.255 area 0
 network 172.16.20.0 0.0.0.255 area 0
 network 172.16.30.0 0.0.0.255 area 0
 network 172.16.40.0 0.0.0.255 area 0
end
write memory
===================================================
# GW1: ROUTING WITH OSPF
configure terminal
! GW1: OSPF runs only on the inside link 10.10.10.0/24. The outside
! interface f0/0 matches no network statement, so no OSPF is spoken upstream.
router ospf 1
 network 10.10.10.0 0.0.0.255 area 0
end
write memory
====================================================
# GW2: ROUTING WITH OSPF
configure terminal
! GW2: OSPF runs only on the inside link 20.20.20.0/24. The outside
! interface f0/0 matches no network statement, so no OSPF is spoken upstream.
router ospf 1
 network 20.20.20.0 0.0.0.255 area 0
end
write memory
====================================================
# Testing ROUTING
# show ip route
===================================================
# STEP 9: CONFIGURE GW1; GW2 SO THAT ALL PCS CAN REACH THE INTERNET
# GW1: PAT TO GO TO INTERNET
configure terminal
! GW1 PAT (NAT overload): inside sources are translated to the address of
! the outside interface f0/0.
interface f0/0
 ip nat outside
interface f0/1
 ip nat inside
! ACL 1 selects which inside sources get translated. "permit any" matches
! every source address; listing only the internal prefixes used in this lab
! would keep unexpected sources from being translated.
access-list 1 permit any
ip nat inside source list 1 interface f0/0 overload
end
write memory
====================================================
# GW2: PAT TO GO TO INTERNET
configure terminal
! GW2 PAT (NAT overload): inside sources are translated to the address of
! the outside interface f0/0.
interface f0/0
 ip nat outside
interface f0/1
 ip nat inside
! ACL 1 selects which inside sources get translated. "permit any" matches
! every source address; a list of the lab's internal prefixes is tighter.
access-list 1 permit any
ip nat inside source list 1 interface f0/0 overload
end
write memory
====================================================
# STEP 10: CONFIGURE GW1; GW2 TO ADVERTISE A DEFAULT ROUTE
# GW1: ADVERTISE DEFAULT ROUTE
configure terminal
! GW1 injects a default route into OSPF. Without the "always" keyword the
! route is advertised only while GW1 itself holds a default route,
! presumably the one learned by DHCP on f0/0.
router ospf 1
 default-information originate
end
write memory
=====================================================
# GW2: ADVERTISE DEFAULT ROUTE
configure terminal
! GW2 injects a default route into OSPF. Without the "always" keyword the
! route is advertised only while GW2 itself holds a default route,
! presumably the one learned by DHCP on f0/0.
router ospf 1
 default-information originate
end
write memory
======================================================
# STEP 11: DS1; DS2 CONFIGURE PASSIVE-INTERFACE
# DS1: PASSIVE-INTERFACE
configure terminal
! DS1: make every OSPF interface passive, then re-enable only the three
! routed uplinks (f0/11, f0/12, f0/13). The user-VLAN SVIs stay advertised
! but no longer send hellos, so nothing on an access VLAN can form an
! adjacency with DS1.
router ospf 1
 passive-interface default
 no passive-interface f0/11
 no passive-interface f0/12
 no passive-interface f0/13
end
write memory
=====================================================
# DS2: PASSIVE-INTERFACE
configure terminal
! DS2: make every OSPF interface passive, then re-enable only the three
! routed uplinks (f0/11, f0/14, f0/15). The user-VLAN SVIs stay advertised
! but no longer send hellos, so nothing on an access VLAN can form an
! adjacency with DS2.
router ospf 1
 passive-interface default
 no passive-interface f0/11
 no passive-interface f0/14
 no passive-interface f0/15
end
write memory
====================================================
# STEP 12: DS1; DS2 CONFIGURE IP HELPER-ADDRESS
# DS1: ip helper-address
configure terminal
! DS1 relays client DHCP broadcasts from each user VLAN to the DHCP server
! at 192.168.100.253.
! By default "ip helper-address" relays several other UDP broadcast
! services besides DHCP; "no ip forward-protocol udp <port>" can trim the
! ones that are not needed.
interface vlan 10
 ip helper-address 192.168.100.253
interface vlan 20
 ip helper-address 192.168.100.253
interface vlan 30
 ip helper-address 192.168.100.253
interface vlan 40
 ip helper-address 192.168.100.253
end
write memory
====================================================
# DS2: ip helper-address
configure terminal
! DS2 relays client DHCP broadcasts from each user VLAN to the DHCP server
! at 192.168.100.253. Both distribution switches relay, so a client is
! served whichever switch receives its broadcast.
interface vlan 10
 ip helper-address 192.168.100.253
interface vlan 20
 ip helper-address 192.168.100.253
interface vlan 30
 ip helper-address 192.168.100.253
interface vlan 40
 ip helper-address 192.168.100.253
end
write memory
====================================================
# STEP 13: CONFIGURE DHCP SERVER ON 2K3
# DHCP server 2k3
Create Scope Vlan10 (create pool)
Ip address range: 172.16.10.50-172.16.10.100
Default gateway: 172.16.10.254
DNS servers: 8.8.8.8
Create Scope Vlan20 (create pool)
Ip address range: 172.16.20.50-172.16.20.100
Default gateway: 172.16.20.254
DNS servers: 8.8.8.8
Create Scope Vlan30 (create pool)
Ip address range: 172.16.30.50-172.16.30.100
Default gateway: 172.16.30.254
DNS servers: 8.8.8.8
Create Scope Vlan40 (create pool)
Ip address range: 172.16.40.50-172.16.40.100
Default gateway: 172.16.40.254
DNS servers: 8.8.8.8
====================================================
CONFIGURE DOT1X (Enable AAA; configure RADIUS server;enable 802.1x globally; configure interface for 802.1x; define local user authentication)
1, BASIC CONFIGURE HOSTNAME
# SW1 SPEED UP
# STEP 1: HOSTNAME SW1
enable
configure terminal
! Base settings for SW1 (the 802.1X authenticator in this lab).
! Lab shortcut: console and vty lines run at privilege 15 with no login
! check and no console idle timeout. On a switch that enforces port access
! control this leaves its own management plane open; require line
! authentication outside an isolated lab.
hostname SW1
no ip domain-lookup
line console 0
 logging synchronous
 no exec-timeout
 privilege level 15
 no login
line vty 0 4
 privilege level 15
 no login
end
write memory
=============================================
# STEP 2: ASSIGN IP ADDRESS FOR INTERFACE VLAN1; USERNAME, PASSWORD
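config terminal
! Local account. "123" is a lab placeholder, and the "password" form is not
! stored as a one-way hash; outside a lab use "username ... secret" with a
! strong value.
username admin password 123
! Management SVI: the address the switch uses as RADIUS client
! (192.168.100.1, as entered for the AAA client on the ACS side of this page).
interface vlan 1
ip address 192.168.100.1 255.255.255.0
! The VLAN 1 SVI is administratively down in a default Catalyst
! configuration, and the other SVIs on this page are brought up explicitly.
! Without this the switch has no reachable address for talking to RADIUS.
no shutdown
end
wr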
==============================================
# STEP 3: (Enable AAA; configure RADIUS server;enable 802.1x globally; configure interface for 802.1x; define local user authentication)
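config terminal
! Turn on the AAA model; line logins now follow AAA method lists.
aaa new-model
! RADIUS server (the CiscoSecure ACS at 192.168.100.253 on this page).
! "123456" is a lab shared secret and must match the key entered for this
! client on the server; use a long random key anywhere else.
radius-server host 192.168.100.253 key 123456
! Keyword spelled out in full ("default", not "defaul") so that this is
! unambiguously the default 802.1X method list that the ports use.
aaa authentication dot1x default group radius
! Accept network authorization data returned by RADIUS, presumably the
! per-group VLAN assignment, given the ACS groups Vlan 10-40 on this page.
aaa authorization network default group radius
! Enable 802.1X globally.
dot1x system-auth-control
! Access ports f0/1-23 stay unauthorized until the attached client
! authenticates. Ports outside this range are not covered by 802.1X.
interface range f0/1 - 23
switchport mode access
dot1x port-control auto
end
wr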
=========================================================================
# STEP 4: CONFIGURE VLAN
configure terminal
! Create VLANs 10, 20, 30 and 40 locally on SW1; these match the ACS group
! names (Vlan 10 - Vlan 40) used on this page.
vlan 10,20,30,40
end
write memory
======================================================
# CONFIGURE CISCOSECURE ACS
# Configure AAA Server
# AAA Server Name: Server; # AAA Server IP Address: 192.168.100.253
# Configure AAA Client Hostname
# AAA Client Hostname: client; # AAA Client IP Address: 192.168.100.1
# Create UserSetup: u1; u2; u3; u4. pass: 12345678
# Create GroupSetup: Vlan 10; Vlan 20; Vlan 30; Vlan 40 -> Edit Settings
===============================================================
# STEP 5: Test
# test aaa group radius server 192.168.100.253 u1 12345678 legacy
===========================================
====================THE END================