Digital China (DCN) Router and Switch Configuration Commands (Complete)


Routers
ssh
aaa authentication login ssh local
aaa authentication enable default enable
enable password 0 123456
username admin password 0 123456
ip sshd enable
ip sshd auth-method ssh
ip sshd auth-retries 5
ip sshd timeout 60
TELNET
R1_config#aaa authentication login default local
R1_config#aaa authentication enable default enable
R1_config#enable password 0 ruijie
R1_config#line vty 0 4
R1_config_line#login authentication default
R1_config_line#password 0 cisco
Method 2: no AAA authentication required
R1_config#aaa authentication login default none
R1_config#aaa authentication enable default enable
R1_config#enable password 0 cisco
R1_config#line vty 0 4
R1_config_line#login authentication default
CHAP authentication: one-way authentication, the passwords may differ
R2_config#aaa authentication ppp test local
R2_config#username R2 password 0 123456
R2_config_s0/2#enc ppp
R2_config_s0/2#ppp authentication chap test
R2_config_s0/2#ppp chap hostname R1
R1_config#aaa authentication ppp test local
R1_config#username R1 password 0 123456
R1_config_s0/1#enc ppp
R1_config_s0/1#ppp authentication chap test
R1_config_s0/1#ppp chap hostname R2
PAP authentication: two-way authentication, the passwords must match
R2_config#aaa authentication ppp test local
R2_config#username R2 password 0 123456
R2_config_s0/2#enc ppp
R2_config_s0/2#ppp authentication pap test
R2_config_s0/2#ppp pap sent-username R1 password 123456
R1_config#aaa authentication ppp test local
R1_config#username R1 password 0 123456
R1_config_s0/1#enc ppp
R1_config_s0/1#ppp authentication pap test
R1_config_s0/1#ppp pap sent-username R2 password 123456
FR
Router-A_config_s1/1#encapsulation frame-relay ! Encapsulate with Frame Relay
Router-A_config_s1/1#frame-relay local-dlci 17 ! Set the local DLCI number
Router-A_config_s1/1#frame-relay intf-type dce ! Configure the interface as the FR DCE
Router-A_config_s1/1#frame-relay map 192.168.1.2 pvc 17 broadcast ! Map the DLCI to the peer IP
Vrrp
Int g0/4
vrrp 1 associate 192.168.20.254 255.255.255.0
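vrrp 1 priority 120 ! Set the priority; this router is the master
vrrp 1 preempt ! Enable preemption
vrrp 1 track interface Serial0/1 30 ! Track the uplink interface; if the uplink goes DOWN, the priority is lowered automatically
Int g0/6
vrrp 1 associate 192.168.20.254 255.255.255.0
vrrp 1 priority 100 ! Set the priority; this router is the backup (the default is 100)
vrrp 1 preempt ! Enable preemption
vrrp 1 track interface Serial0/2 30 ! Track the uplink interface; if the uplink goes DOWN, the priority is lowered automatically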
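RIP authentication (only V2 supports authentication)
interface Serial0/2 ! Enable authentication and set the password on the interface
ip rip authentication simple
ip rip password 123456
RIP changed to unicast
router rip
nei 192.168.1.1
RIP timers
router rip
timers update 10 ! Update interval
timers expire 30 ! Expiry time
timers holddown 50 ! Holddown time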
ospf
router os 1
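net 192.168.1.0 255.255.255.0 ar 0 ! A 32-bit mask cannot be used
OSPF virtual link
ROUTER OS 2 ! Enable under the process
AR 1 VI 2.2.2.2 ! The peer's ROUTER-ID
OSPF summarization
ROUTER OS 2 ! Enable under the process
ar 0 range 192.168.0.0 255.255.252.0
OSPF authentication
Plaintext
ROUTER OS 2
AR 0 AUTHEN SP ! Under the process, enable authentication for each area that requires it
INT S0/1
IP OS passw 123456 ! Set the password on the interface
Ciphertext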
router os 2
ar 0 authen me
int s0/1
ip os me 1 md5 123456
bgp
router bgp 100
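no synchronization ! With a BGP full mesh, the synchronization check must be turned off
nei 192.168.12.1 remot 200 ! Establish a neighbor with a router outside the AS
nei 2.2.2.2 remot 100 ! Establish a neighbor with a router inside the AS
nei 2.2.2.2 up lo0 ! Change the update source to the loopback interface
nei 2.2.2.2 next-hop-self ! Set the next hop to self
net 2.2.2.0 ! Advertise a route that is present in the routing table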
ACL
On routers, ACLs must be written with subnet masks, not wildcard masks!
Time-based ACL
time-range acl ! Define a time range
periodic weekdays 09:00 to 12:00
periodic weekdays 14:00 to 17:00
IP access-list extended time ! Write a time-based ACL that references the time range
deny ip 192.168.10.0 255.255.255.0 any time-range acl
permit ip any any
int g0/4 ! Apply to the interface
ip access-group time in
int g0/6
ip access-group time in
Static NAT
ip route 0.0.0.0 0.0.0.0 192.168.12.2
ip nat inside source static 192.168.10.10 192.168.12.1
int g0/6
ip nat in
int s0/1
ip nat out
NAPT
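ip access-list standard NAT ! Define the IP range to translate
permit 192.168.10.0 255.255.255.0
ip nat pool NAT 192.168.23.10 192.168.23.20 255.255.255.0 ! Create the translation address pool
ip nat inside source list NAT pool NAT overload ! Bind the range to translate to the address pool
ip route default 192.168.23.3 ! Default route; the next hop is the egress gateway's next hop
router rip ! If a routing protocol is running, redistribute the default route into it
redistribute static
interface Serial0/1 ! Apply to the inside interface
ip nat inside
interface Serial0/2 ! Apply to the outside interface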
ip nat outside
route-map
ip acce sta acl ! Define the traffic to match
per 192.168.20.0 255.255.255.0
route-map SHENMA 10 permit
ma ip add acl ! Reference the ACL
set ip next-hop 192.168.12.1 ! Change the next hop
int g0/3
ip po route-map SHENMA ! Apply on the source interface
DHCP
Assigning an IP to a router interface; it cannot be a serial (S) interface!
R1
ip dhcpd enable
ip dhcpd pool 1
network 192.168.12.0 255.255.255.0
range 192.168.12.10 192.168.12.20
R2
interface GigaEthernet0/6
ip address dhcp
Assigning IPs to PCs; the underlying network must have routing reachability!
In this lab, RIP runs across the whole network
R1
ip dhcpd enable
ip dhcpd pool 2
network 192.168.1.0 255.255.255.0
range 192.168.1.10 192.168.1.20
default-router 192.168.1.1
R2
ip dhcpd enable ! The DHCP service must be enabled!
interface GigaEthernet0/4
ip address 192.168.1.1 255.255.255.0
ip helper-address 192.168.12.2 ! Set the DHCP server IP
VPN (GRE)
int t0
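ip add 172.168.10.1 255.255.255.0 ! Assign an IP to T0
t so s0/2 ! Source: the router's outgoing interface
t de 192.168.23.3 ! Destination: the peer's outgoing-interface IP; note that it must be reachable
t key 123456 ! T0 key; must match on both ends
exit
ip route 192.168.20.0 255.255.255.0 t0 ! Static route to the destination network via T0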
int t0
ip add 172.168.10.3 255.255.255.0
t so s0/1
t de 192.168.12.1
t key 123456
exit
ip route 192.168.10.0 255.255.255.0 t0
VPN (IPSEC)
R1
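crypto ipsec transform-set SHENMA ! Define the transform set
transform-type esp-des esp-md5-hmac ! Encryption method of the transform set
ip access-list extended 100 ! Match the interesting traffic
permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
crypto map HAN 10 ipsec-isakmp
set peer 192.168.23.3 ! Set the peer
set transform-set SHENMA ! Bind the transform set
match address 100 ! Bind the interesting traffic
interface Serial0/2 ! Enter the interface and apply the map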
crypto map HAN
R3
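crypto ipsec transform-set SHENMA ! Define the transform set
transform-type esp-des esp-md5-hmac ! Encryption method of the transform set; must match on both ends
ip access-list extended 100 ! Match the interesting traffic
permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto map HAN 10 ipsec-isakmp
set peer 192.168.12.1 ! Set the peer
set transform-set SHENMA ! Bind the transform set
match address 100 ! Bind the interesting traffic
interface Serial0/1 ! Enter the interface and apply the map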
crypto map HAN
VPN (IKE)
crypto isakmp key SHENMA 192.168.23.3 255.255.255.0 ! Set the shared key
crypto isakmp policy 10 ! Define the IKE policy
hash md5
au pre
enc des
group 1
lifetime 86400
crypto ipsec transform-set SHENMA ! Define the transform set
transform-type esp-des esp-md5-hmac
ip access-list extended 100 ! Match the interesting traffic
permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
crypto map SHENMA 10 ipsec-isakmp ! Define the IPsec crypto map
set peer 192.168.23.3
set transform-set SHENMA
match address 100
int s0/2 ! Apply to the interface
crypto map SHENMA
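Added example (not part of the original document): a small Python check that scans configuration lines written the way this page writes them and flags cleartext type-0 passwords, the "none" login method, Telnet, and the DES, MD5 and Diffie-Hellman group 1 choices used in the VPN sections. The rule list, the function name and the sample text are constructed for illustration.

```python
import re

# Rules are written against the command forms this page uses, including its
# abbreviations ("enc des"). Each finding states a standard fact about the setting.
RULES = [
    (re.compile(r"\bpassword 0 \S+", re.I),
     "type-0 password: secret is stored in cleartext in the config"),
    (re.compile(r"^aaa authentication login \S+ none\b", re.I),
     "login method list 'none': no authentication at login"),
    (re.compile(r"^telnet-server enable\b", re.I),
     "Telnet management: credentials cross the network in cleartext"),
    (re.compile(r"\besp-des\b|^enc\S* des\b", re.I),
     "DES encryption: 56-bit key"),
    (re.compile(r"\besp-md5-hmac\b|^hash md5\b", re.I),
     "MD5-based integrity/hash"),
    (re.compile(r"^group 1\b", re.I),
     "Diffie-Hellman group 1: 768-bit modulus"),
]

PROMPT = re.compile(r"^\S+#\s*")  # strips prompts such as "R1_config#"


def audit(config_text):
    """Return (line_number, finding, command) for every rule hit."""
    findings = []
    for number, raw in enumerate(config_text.splitlines(), start=1):
        command = PROMPT.sub("", raw.strip())
        for pattern, finding in RULES:
            if pattern.search(command):
                findings.append((number, finding, command))
    return findings


# Constructed sample assembled from command forms shown on this page.
SAMPLE = """\
R1_config#aaa authentication login default none
enable password 0 123456
telnet-server enable
crypto isakmp policy 10
hash md5
au pre
enc des
group 1
transform-type esp-des esp-md5-hmac
R2_config_s0/2#enc ppp
ssh-server enable
"""

if __name__ == "__main__":
    for number, finding, command in audit(SAMPLE):
        print(f"line {number}: {finding}: {command}")
```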
QOS
int g0/4
ip add 192.168.10.1 255.255.255.0
no shut
ip add 192.168.20.1 255.255.255.0
no shut
int s0/1
ip add 192.168.12.1 255.255.255.0
phy spe 64000
no shut
ip route 0.0.0.0 0.0.0.0 192.168.12.2
ip access-list ex 1 ! Define an ACL to capture the traffic
permit ip 192.168.10.0 255.255.255.0 2.2.2.0 255.255.255.0
ip access-list ex 2
permit ip 192.168.20.0 255.255.255.0 2.2.2.0 255.255.255.0
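priority 1 protocol ip high list 1 ! Priority list for the IP protocol that references the addresses in ACL 1, at level HIGH
priority 1 protocol ip low list 2 ! Priority list for the IP protocol that references the addresses in ACL 2, at level LOW
int s0/1 ! Enter the interface and apply the list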
priority 1
Switches
banner motd ! System login banner
telnet
telnet-server enable ! Enable TELNET
telnet-server max-connection 16 ! Maximum number of connections
ssh
username ssh password 0 123456
ssh-server enable ! Enable SSH
ssh-server timeout 60 ! Connection timeout
ssh-server max-connection 16 ! Maximum number of connections
ssh-server authentication-retries 5 ! Number of retries
ssh-server host-key create rsa ! Create a new host key
1. First, assign an IP to every VLAN
INT VLAN 10
IP ADD 192.168.10.1 255.255.255.0
NO SHUT
2. Create a VRRP group
ROUTER VRRP 10
VIRTUAL-IP 192.168.10.254 ! Set the virtual IP
INT VLAN 10 ! Associate the VLAN
PRIORITY 120 ! Set the priority (default 100)
ENABLE ! Activate
STP
SW1
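spanning-tree ! Enable STP
spanning-tree mode mstp ! Change to MSTP mode
spanning-tree mst configuration ! Configure the region
name shenma ! Region name
revision-level 3 ! Revision level
instance 1 vlan 10;20 ! Map VLANs to the instance
instance 2 vlan 30;40
exit
spanning-tree mst 1 priority 4096 ! Set the instance priority; the lower the value, the higher the priority
spanning-tree mst 2 priority 8192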
SW2
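spanning-tree ! Enable STP
spanning-tree mode mstp ! Change to MSTP mode
spanning-tree mst configuration ! Configure the region
name shenma ! Region name
revision-level 3 ! Revision level
instance 1 vlan 10;20 ! Map VLANs to the instance
instance 2 vlan 30;40
exit
spanning-tree mst 1 priority 8192 ! Set the instance priority; the lower the value, the higher the priority
spanning-tree mst 2 priority 4096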
SW21
spanning-tree ! Enable STP
spanning-tree mode mstp ! Change to MSTP mode
spanning-tree mst configuration ! Configure the region
name shenma ! Region name
revision-level 3 ! Revision level
instance 1 vlan 10;20 ! Map VLANs to the instance
instance 2 vlan 30;40
AM port security
am enable
int e1/0/1
am port
am mac-ip-pool 0000.1111.2222 192.168.10.1
Port mirroring
monitor session 1 source int e1/0/1 both
monitor session 1 destination int e1/0/15
RIP
Router rip
Net 192.168.1.0/24
Router os 1
Net 192.168.1.0 0.0.0.255 ar 0
Acl
Firewall enable
Ip access-list ex 100
Per ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
Router-on-a-stick
R1
int g0/5
no shut
interface GigaEthernet0/5.1
encapsulation dot1Q 100
ip address 192.168.10.1 255.255.255.0
interface GigaEthernet0/5.2
encapsulation dot1Q 200
ip address 192.168.20.1 255.255.255.0
interface GigaEthernet0/5.3
encapsulation dot1Q 300
ip address 192.168.30.1 255.255.255.0
SW1
vlan 100
sw int e1/0/1-2
vlan 200
sw int e1/0/3-4
vlan 300
sw int e1/0/5-6
int e1/0/20
sw mo tr
sw tr all vlan all
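Port aggregation
PORT-GROUP 1 ! Create a group
INT E1/0/17-18 ! The ports being aggregated must be set to TRUNK
SW MO TR
SW TR ALL VLAN ALL
PORT-GROUP 1 MO ON ! Set the aggregation mode of the ports to automatic matching
EXIT
INT PORT-CHANNEL 1 ! Enter port-channel configuration mode; it must also be set to TRUNK
SW MO TR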
SW TR ALL VLAN ALL
EXIT
dhcp
SERV DHCP ! Enable the DHCP service
IP DHCP POOL VLAN10 ! Create the address pool
NETW 192.168.10.0 255.255.255.0
def 192.168.10.1
le 2
dns 8.8.8.8
ip dhcp ex 192.168.10.1 192.168.10.10 ! Excluded address range
dhcp relay
serv dhcp
ip for udp boot
int vlan 10
ip he 192.168.12.2
dhcp snooping
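serv dhcp ! Enable the DHCP service
ip dhcp snooping enable ! Enable DHCP SNOOPING
ip dhcp snooping binding enable ! Enable the SNOOPING binding function
int e1/0/20
ip dhcp snooping trust ! Mark the interface as trusted; usually the interface connected to the server
int e1/0/1
ip dhcp snooping binding user-control ! Have the port automatically bind addresses obtained through DHCP
Manually bind MAC, VLAN, IP and port information (global mode)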
ip dhcp snooping binding user 00-11-22-33-44-55 address 192.168.22.22 vlan 1 int e1/0/5
ipv6
6 to 4
gre
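ipv6 unicast-routing ! Allow unicast routing
interface Tunnel0
ipv6 enable ! Enable IPv6
ipv6 address 2001:23::1/64
tunnel source 192.168.12.1 ! Local interface address
tunnel destination 192.168.12.2 ! Peer interface address
tunnel mode gre ip ! Change the tunnel mode to GRE
tunnel key 123456 ! Tunnel key; must match on both ends
ipv6 route 3::/64 Tunnel0 ! IPv6 static route with TUNNEL 0 as the next hop; a default route cannot be used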
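Static NAT
Internet(config)#ip route 0.0.0.0 0.0.0.0 fa0/1 ! The IPv4 network must be reachable
NAT-PT(config)#ip route 0.0.0.0 0.0.0.0 fa0/1
NAT-PT(config)#ipv6 nat prefix 2001:db8:feed::/96 ! Set a global NAT prefix; the prefix length must be 96 bits
NAT-PT(config)#ipv6 nat v4v6 source 10.10.10.2 2001:db8:feed::2 ! IPv4-to-IPv6 address translation; every address that must be reached needs an entry, and it need not be on the same subnet as the local device
NAT-PT(config)#ipv6 nat v4v6 source 192.168.1.10 2001:db8:feed::3
NAT-PT(config)#ipv6 nat v6v4 source 2001:db8:cafe:ffff::2 10.10.20.5 ! IPv6-to-IPv4 address translation; every address that must be reached needs an entry, and it need not be on the same subnet as the local device
int g0/4 ! Apply to the interfaces; both the inbound and outbound interfaces need it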
ipv6 nat
int g0/4
ipv6 nat
pat
The IPv4 network must be reachable
NAT-PT(config)#ipv6 nat prefix 2001:db8:feed::/96 ! Set a global NAT prefix; the prefix length must be 96 bits
NAT-PT(config)#ipv6 nat v4v6 source 10.10.10.2 2001:db8:feed::2 ! IPv4-to-IPv6 address translation; every address that must be reached needs an entry
NAT-PT(config)#ipv6 nat v4v6 source 192.168.1.10 2001:db8:feed::3 ! It need not be on the same subnet as the local device
NAT-PT(config)#ipv6 access-list cafe ! Match the IPv6 range to be translated
NAT-PT(config-ipv6-acl)#permit ipv6 2001:db8:cafe::/48 any
NAT-PT(config-ipv6-acl)#exit
NAT-PT(config)#ipv6 nat v6v4 pool ipv4 10.10.20.5 10.10.20.6 prefix-length 24 ! Create an IPv6-to-IPv4 NAT address pool; it does not need to be a known subnet
NAT-PT(config)#ipv6 nat v6v4 source list cafe pool ipv4 overload ! Bind the range to translate to the address pool
int g0/4
ipv6 nat
int g0/4
ipv6 nat
ripng
ipv6 router rip 100 ! Create a RIP instance globally, named 100
exit
interface GigaEthernet0/4
ipv6 enable ! Enable IPv6
ipv6 address 2001::1/64
ipv6 rip 100 enable ! Start instance 100 on the interface
Configure this on every interface that should be advertised
ospfv3
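ipv6 router ospf 1 ! Create OSPF globally, with process ID 1
int g0/6
ipv6 enable
ipv6 address 2001::1/64
ipv6 ospf 1 area 0 ! Advertise this interface in area 0; configure this on every interface that should be advertised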
