Solving WorldSkills network-configuration tasks in the SiSA competence. Part 2 - Basic Setup

We continue the walkthrough of the network-configuration tasks from the WorldSkills championship in the SiSA competence.

The article covers the following tasks:

  1. On ALL devices, create virtual interfaces, subinterfaces and loopback interfaces. Assign IP addresses according to the topology.
    • Enable SLAAC for issuing IPv6 addresses in the MNG network on the RTR1 router interface;
    • On the virtual interfaces in VLAN 100 (MNG) on switches SW1, SW2 and SW3, enable IPv6 autoconfiguration mode;
    • On ALL devices (except PC1 and WEB), manually assign link-local addresses;
    • On ALL switches, shut down ALL ports not used in the task and move them to VLAN 99;
    • On SW1, enable a 1-minute lockout if the password is entered incorrectly twice within 30 seconds;
  2. All devices must be manageable via SSH version 2.


The physical-layer (L1) network topology is shown in the following diagram:

[Diagram: L1 topology]

The data-link-layer (L2) network topology is shown in the following diagram:

[Diagram: L2 topology]

The network-layer (L3) network topology is shown in the following diagram:

[Diagram: L3 topology]

Preliminary setup

Before carrying out the tasks above, it is worth configuring switching on SW1-SW3, since that makes it easier to verify the settings later. Switching will be covered in detail in the next article; for now only the commands are given.

The first step is to create VLANs 99, 100 and 300 on all switches:

SW1(config)#vlan 99
SW1(config-vlan)#exit
SW1(config)#vlan 100
SW1(config-vlan)#exit
SW1(config)#vlan 300
SW1(config-vlan)#exit

The next step is to move interface g0/1 on SW1 into VLAN 300:

SW1(config)#interface gigabitEthernet 0/1
SW1(config-if)#switchport mode access 
SW1(config-if)#switchport access vlan 300
SW1(config-if)#exit

Interfaces f0/1-2 and f0/5-6, which face the other switches, should be put into trunk mode:

SW1(config)#interface range fastEthernet 0/1-2, fastEthernet 0/5-6
SW1(config-if-range)#switchport trunk encapsulation dot1q
SW1(config-if-range)#switchport mode trunk 
SW1(config-if-range)#exit

On switch SW2, interfaces f0/1-4 will be in trunk mode:

SW2(config)#interface range fastEthernet 0/1-4
SW2(config-if-range)#switchport trunk encapsulation dot1q
SW2(config-if-range)#switchport mode trunk 
SW2(config-if-range)#exit

On switch SW3, interfaces f0/3-6 and g0/1 will be in trunk mode:

SW3(config)#interface range fastEthernet 0/3-6, gigabitEthernet 0/1
SW3(config-if-range)#switchport trunk encapsulation dot1q
SW3(config-if-range)#switchport mode trunk 
SW3(config-if-range)#exit

At this point the switching configuration allows tagged frames to be exchanged between the devices, which is needed to complete the tasks.

1. Create virtual interfaces, subinterfaces and loopback interfaces on ALL devices. Assign IP addresses according to the topology.

We start with router BR1. According to the L3 topology, a loopback interface numbered 101 is needed here:

// Create the loopback
BR1(config)#interface loopback 101
// Assign the IPv4 address
BR1(config-if)#ip address 2.2.2.2 255.255.255.255
// Enable IPv6 on the interface
BR1(config-if)#ipv6 enable
// Assign the IPv6 address
BR1(config-if)#ipv6 address 2001:B:A::1/64
// Leave interface configuration mode
BR1(config-if)#exit
BR1(config)#

To check the state of the newly created interface, use the command show ipv6 interface brief:

BR1#show ipv6 interface brief 
...
Loopback101                [up/up]
    FE80::2D0:97FF:FE94:5022	//link-local address
    2001:B:A::1			//IPv6 address
...
BR1#

Here you can see that the loopback is up. Below it there are two IPv6 addresses, although only one command was used to assign an IPv6 address. FE80::2D0:97FF:FE94:5022 is the link-local address, which IOS assigns automatically when IPv6 is enabled on the interface with ipv6 enable; it is derived from the interface's MAC address using the modified EUI-64 scheme.

To check the IPv4 address, use the analogous command:

BR1#show ip interface brief 
...
Loopback101        2.2.2.2      YES manual up        up 
...
BR1#

For BR1, interface g0/0 should be configured right away; here only an IPv6 address is needed:

// Enter interface configuration mode
BR1(config)#interface gigabitEthernet 0/0
// Bring the interface up
BR1(config-if)#no shutdown
BR1(config-if)#ipv6 enable 
BR1(config-if)#ipv6 address 2001:B:C::1/64
BR1(config-if)#exit
BR1(config)#

You can check the settings with the same command, show ipv6 interface brief:

BR1#show ipv6 interface brief 
GigabitEthernet0/0         [up/up]
    FE80::290:CFF:FE9D:4624	//link-local address
    2001:B:C::1			//IPv6 address
...
Loopback101                [up/up]
    FE80::2D0:97FF:FE94:5022	//link-local address
    2001:B:A::1			//IPv6 address

Next comes the ISP router. According to the task, loopback 0 is configured here, but it is also convenient to configure interface g0/0 now, which should have the address 30.30.30.1, because nothing more will be said about configuring these interfaces in the later tasks. First, loopback 0:

ISP(config)#interface loopback 0
ISP(config-if)#ip address 8.8.8.8 255.255.255.255
ISP(config-if)#ipv6 enable 
ISP(config-if)#ipv6 address 2001:A:C::1/64
ISP(config-if)#exit
ISP(config)#

With show ipv6 interface brief you can verify that the interface is configured correctly. Then interface g0/0 is configured:

ISP(config)#interface gigabitEthernet 0/0
ISP(config-if)#no shutdown 
ISP(config-if)#ip address 30.30.30.1 255.255.255.252
ISP(config-if)#exit
ISP(config)#

Next, router RTR1. Here, too, a loopback is needed, number 100:

RTR1(config)#interface loopback 100
RTR1(config-if)#ip address 1.1.1.1 255.255.255.255
RTR1(config-if)#ipv6 enable 
RTR1(config-if)#ipv6 address 2001:A:B::1/64
RTR1(config-if)#exit
RTR1(config)#

RTR1 also needs two virtual subinterfaces, for VLANs 100 and 300. This is done as follows.

First, bring up the physical interface g0/1 with the no shutdown command:

RTR1(config)#interface gigabitEthernet 0/1
RTR1(config-if)#no shutdown
RTR1(config-if)#exit 

Then subinterfaces 100 and 300 are created and configured:

// Create subinterface 100 and enter its configuration
RTR1(config)#interface gigabitEthernet 0/1.100
// Set dot1q encapsulation with VLAN number 100
RTR1(config-subif)#encapsulation dot1Q 100
RTR1(config-subif)#ipv6 enable 
RTR1(config-subif)#ipv6 address 2001:100::1/64
RTR1(config-subif)#exit
// Create subinterface 300 and enter its configuration
RTR1(config)#interface gigabitEthernet 0/1.300
// Set dot1q encapsulation with VLAN number 300
RTR1(config-subif)#encapsulation dot1Q 300
RTR1(config-subif)#ipv6 enable 
RTR1(config-subif)#ipv6 address 2001:300::2/64
RTR1(config-subif)#exit

The subinterface number may differ from the number of the VLAN it serves, but for convenience it is best to make them match. What must match is the VLAN number given in the encapsulation command on the subinterface: after the command encapsulation dot1Q 300, the subinterface will only pass frames tagged with VLAN 300.

The last step of this task is router RTR2. The link between SW1 and RTR2 must be in access mode: the switch forwards to RTR2 only frames belonging to VLAN 300, as specified in the task on the L2 topology. Therefore on RTR2 only the physical interface is configured, without creating subinterfaces:

RTR2(config)#interface gigabitEthernet 0/1
RTR2(config-if)#no shutdown 
RTR2(config-if)#ipv6 enable
RTR2(config-if)#ipv6 address 2001:300::3/64
RTR2(config-if)#exit
RTR2(config)#

Then interface g0/0 is configured:

RTR2(config)#interface gigabitEthernet 0/0
RTR2(config-if)#no shutdown 
RTR2(config-if)#ip address 30.30.30.2 255.255.255.252
RTR2(config-if)#exit
RTR2(config)#

This completes the configuration of the router interfaces for the current task. The remaining interfaces will be configured while completing the following tasks.

a. Enable SLAAC for issuing IPv6 addresses in the MNG network on the RTR1 router interface
Router Advertisements, and with them SLAAC, are on by default in IOS for every interface that has a global IPv6 address, so the only thing left to do is enable IPv6 routing. This is done with the following command in global configuration mode:

RTR1(config)#ipv6 unicast-routing

Without this command the device behaves as an IPv6 host: it neither forwards IPv6 packets nor sends Router Advertisements. With it, the router starts advertising the /64 prefix configured on each interface, so hosts on the MNG network can build their own addresses, and the remaining IPv6 router functions (routing protocols and so on) become available.

b. On the virtual interfaces in VLAN 100 (MNG) on switches SW1, SW2 and SW3, enable IPv6 autoconfiguration mode
The L3 topology shows that the switches are connected to VLAN 100. This means that a virtual interface must be created on each switch and configured to obtain an IPv6 address automatically. The previous setup was done precisely so that the switches receive addresses from RTR1. The task is completed with the following sequence of commands, which is the same for all three switches:

// Create the virtual interface
SW1(config)#interface vlan 100
SW1(config-if)#ipv6 enable
// Obtain an IPv6 address automatically (SLAAC)
SW1(config-if)#ipv6 address autoconfig
SW1(config-if)#exit

Everything can be checked with the same command, show ipv6 interface brief:

SW1#show ipv6 interface brief
...
Vlan100                [up/up]
    FE80::A8BB:CCFF:FE80:C000		// link-local address
    2001:100::A8BB:CCFF:FE80:C000	// IPv6 address obtained via SLAAC

In addition to the link-local address, an IPv6 address obtained from RTR1 has appeared. The task is complete; the same commands must be entered on the other switches.

c. On ALL devices (except PC1 and WEB), manually assign link-local addresses
Thirty-character IPv6 addresses are inconvenient for administrators, so the link-local address can be changed manually, shortening it to the minimum. The task says nothing about which address to choose, so the choice is free.

For example, on switch SW1 set the link-local address fe80::10. This is done with the following command from the configuration mode of the chosen interface:

// Enter the virtual interface vlan 100
SW1(config)#interface vlan 100
// Set the link-local address manually
SW1(config-if)#ipv6 address fe80::10 link-local
SW1(config-if)#exit

Now the output looks much better:

SW1#show ipv6 interface brief
...
Vlan100                [up/up]
    FE80::10		//link-local address
    2001:100::10	//IPv6 address

Besides the link-local address, the address obtained via SLAAC has also changed, because IOS builds the autoconfigured address from the advertised prefix and the interface identifier of the link-local address.
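The address arithmetic behind the outputs above, as an added example that is not part of the original article: the Python below derives a modified EUI-64 link-local address from a MAC and combines a /64 prefix with an interface identifier the way ipv6 address autoconfig does, both for the EUI-64 case (the long 2001:100::A8BB:... address) and for the manual link-local case (2001:100::10). The MAC addresses used in the demonstration are reconstructed from the FE80 addresses shown in the outputs by reversing EUI-64; the page never shows them, so they are assumptions, not captured data.

```python
"""Modified EUI-64 link-local and SLAAC address derivation.

Added example, not from the article.  The MACs in the demo are inferred from
the FE80:: addresses printed by `show ipv6 interface brief` in the article
(EUI-64 is reversible), not taken from the devices themselves.
"""
import ipaddress

IID_MASK = (1 << 64) - 1


def eui64_iid(mac: str) -> int:
    """Return the 64-bit modified EUI-64 interface identifier of a MAC.

    Insert FF:FE between the OUI and the NIC-specific part, then flip the
    universal/local bit (bit 1 of the first octet, value 0x02).
    Accepts Cisco (aabb.cc80.c000), colon and dash notations.
    """
    hexdigits = mac.replace(":", "").replace("-", "").replace(".", "")
    octets = bytes.fromhex(hexdigits)
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """fe80::/64 plus the EUI-64 IID: the address `ipv6 enable` assigns."""
    return ipaddress.IPv6Address((0xFE80 << 112) | eui64_iid(mac))


def iid_of(addr: str) -> int:
    """Low 64 bits of an IPv6 address, i.e. its interface identifier."""
    return int(ipaddress.IPv6Address(addr)) & IID_MASK


def slaac_address(prefix: str, iid: int) -> ipaddress.IPv6Address:
    """Combine an advertised /64 prefix with an IID, as autoconfig does."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix in the Router Advertisement")
    return ipaddress.IPv6Address(int(net.network_address) | (iid & IID_MASK))


def slaac_address_for_mac(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """SLAAC address of a host that still uses its EUI-64 link-local IID."""
    return slaac_address(prefix, eui64_iid(mac))


def slaac_from_link_local(prefix: str, link_local: str) -> ipaddress.IPv6Address:
    """IOS reuses the link-local IID, so a manual fe80::10 yields <prefix>::10."""
    return slaac_address(prefix, iid_of(link_local))


if __name__ == "__main__":
    # Assumed MAC of SW1's Vlan100 (reconstructed from FE80::A8BB:CCFF:FE80:C000).
    sw1_mac = "aabb.cc80.c000"
    print(link_local_from_mac(sw1_mac))                          # fe80::a8bb:ccff:fe80:c000
    print(slaac_address_for_mac("2001:100::/64", sw1_mac))       # 2001:100::a8bb:ccff:fe80:c000
    print(slaac_from_link_local("2001:100::/64", "fe80::10"))    # 2001:100::10
```

Feed it the MAC from show interfaces on your own device and you get exactly the FE80:: address that show ipv6 interface brief prints. Because the interface identifier is copied verbatim into the global address, an EUI-64 address publishes the interface MAC, and with it the hardware vendor, to everyone who sees it; that is one reason stable opaque identifiers (RFC 7217) or short manually chosen link-local addresses, as in this section, are preferable on a management network.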

On switch SW1 a link-local address had to be set on only one interface. On router RTR1 there is more to do: the link-local address must be set on both subinterfaces and on the loopback, and in later tasks a tunnel 100 interface will appear as well.

To avoid typing the same command repeatedly, you can set a single link-local address on all interfaces at once, using the range keyword followed by a list of the interfaces:

// Configure several interfaces at once
RTR1(config)#interface range gigabitEthernet 0/1.100, gigabitEthernet 0/1.300, loopback 100
// Set the link-local address manually
RTR1(config-if-range)#ipv6 address fe80::1 link-local
RTR1(config-if-range)#exit

When checking the interfaces you will see that the link-local address has changed on all the selected interfaces:

RTR1#show ipv6 interface brief
GigabitEthernet0/1.100		[up/up]
    FE80::1
    2001:100::1
GigabitEthernet0/1.300		[up/up]
    FE80::1
    2001:300::2
Loopback100            		[up/up]
    FE80::1
    2001:A:B::1

All other devices are configured the same way.

d. On ALL switches, shut down ALL ports not used in the task and move them to VLAN 99
The idea is the same as before: select several interfaces with the range command, then enter the commands that move them into the desired VLAN and shut them down. For example, on switch SW1, according to the L1 topology, the ports to be disabled are f0/3-4, f0/7-8, f0/11-24 and g0/2. For this example the configuration looks like this:

// Select all unused ports
SW1(config)#interface range fastEthernet 0/3-4, fastEthernet 0/7-8, fastEthernet 0/11-24, gigabitEthernet 0/2
// Put the interfaces into access mode
SW1(config-if-range)#switchport mode access 
// Move the interfaces into VLAN 99
SW1(config-if-range)#switchport access vlan 99
// Shut the interfaces down
SW1(config-if-range)#shutdown
SW1(config-if-range)#exit

When checking with the familiar command, note that every unused port must show the status administratively down, which indicates that the port has been disabled:

SW1#show ip interface brief
Interface          IP-Address   OK? Method   Status                  Protocol
...
FastEthernet0/3    unassigned   YES unset    administratively down   down

To see which VLAN a port belongs to, use another command:

SW1#show vlan brief
...
99   VLAN0099     active    Fa0/3, Fa0/4, Fa0/7, Fa0/8
                            Fa0/11, Fa0/12, Fa0/13, Fa0/14
                            Fa0/15, Fa0/16, Fa0/17, Fa0/18
                            Fa0/19, Fa0/20, Fa0/21, Fa0/22
                            Fa0/23, Fa0/24, Gig0/2
...                          

All the unused interfaces should be listed here. Note that an interface can only be a member of a VLAN that exists in the VLAN database: a switch in VTP server or transparent mode will create the VLAN on the fly when you assign it with switchport access vlan, but relying on that is untidy and fails on a VTP client, which is why all the VLANs needed for the task were created explicitly in the preliminary setup.

e. On SW1, enable a 1-minute lockout if the password is entered incorrectly twice within 30 seconds.
This is done with the following command in global configuration mode:

// Lock out for 60 s; attempts: 2; window: 30 s
SW1(config)#login block-for 60 attempts 2 within 30

These settings can be checked as follows:

SW1#show login
...
   If more than 2 login failures occur in 30 seconds or less,
     logins will be disabled for 60 seconds.
...

This states explicitly that after two failed attempts within 30 seconds or less, logins will be disabled for 60 seconds. During that quiet period the switch rejects every login attempt, from any source; if the administrators' hosts must keep access even while an attacker is hammering the device, exempt them with login quiet-mode access-class and a matching ACL.

2. All devices must be manageable via SSH version 2

To access the devices via SSH version 2, the equipment must first be prepared, so for illustration the configuration is shown starting from factory settings.

The SSH version is changed as follows:

// Set SSH to version 2
Router(config)#ip ssh version 2
Please create RSA keys (of at least 768 bits size) to enable SSH v2.
Router(config)#

The system asks you to create RSA keys, without which SSH version 2 cannot run. Following the system's hint, the RSA keys can be generated with the following command:

// Generate the RSA keys
Router(config)#crypto key generate rsa
% Please define a hostname other than Router.
Router(config)#

The system refuses to run the command because the hostname has not been changed. After changing the hostname, the key generation command must be entered again:

Router(config)#hostname R1
R1(config)#crypto key generate rsa 
% Please define a domain-name first.
R1(config)#

Now the system does not allow creating RSA keys because the domain name is missing. Once the domain name is set, the RSA keys can be generated. IOS insists on at least 768 bits for SSH version 2 to work, but that is only the floor: 1024-bit RSA is no longer considered adequate, so outside a competition use a modulus of at least 2048 bits. The task sets no size, and the example below uses 1024:

R1(config)#ip domain-name wsrvuz19.ru
R1(config)#crypto key generate rsa
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

So, for SSHv2 to work it is necessary to:

  1. Change the hostname;
  2. Set the domain name;
  3. Generate RSA keys.

The previous article showed how to change the hostname and domain name on all devices, so to continue configuring the current devices only the RSA keys need to be generated:

RTR1(config)#crypto key generate rsa
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

SSH version 2 is now running, but the devices are not fully configured yet. The last step is to configure the virtual terminal (vty) lines so that they accept SSH only and Telnet is no longer available:

// Enter configuration of the virtual terminal lines
RTR1(config)#line vty 0 4
// Allow remote connections over SSH only
RTR1(config-line)#transport input ssh
RTR1(config-line)#exit

In the previous article, AAA was configured: authentication on the vty lines uses the local user database, and after authenticating the user immediately lands in privileged mode. The simplest test of SSH is to connect to the device itself. RTR1 has a loopback with the IP address 1.1.1.1, so you can try connecting to that address:

// Connect over SSH
RTR1(config)#do ssh -l wsrvuz19 1.1.1.1
Password: 
RTR1#

After the -l switch comes the username, then the password is entered. After authentication the user goes straight into privileged mode, which means SSH is configured correctly.
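The checks from tasks 1d, 1e and 2 can be automated against a saved running-config instead of eyeballing show output per switch. The Python below is an added example, not part of the article or the competition materials. It parses a small IOS configuration constructed for the purpose (the hostname, domain, VLAN and line numbers mirror this article; the three deliberate mistakes in it do not) and reports every unused port that is not shut down or not parked in VLAN 99, a missing or too lenient login block-for, a missing ip ssh version 2, and any vty line that accepts a transport other than SSH. RSA key length does not appear in the running-config (check it with show crypto key mypubkey rsa), so it is out of scope here; the set of ports the topology uses is an input the auditor has to supply.

```python
"""Audit a Cisco IOS running-config for the hardening items of this article.

Added example, not from the article.  SAMPLE_CONFIG is constructed in the
style of SW1 from the article and deliberately contains three mistakes.
"""
import re

SAMPLE_CONFIG = """\
hostname SW1
ip domain-name wsrvuz19.ru
ip ssh version 2
login block-for 60 attempts 2 within 30
!
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 99
 shutdown
!
interface FastEthernet0/4
 switchport mode access
 switchport access vlan 99
!
interface GigabitEthernet0/2
 shutdown
!
interface Vlan100
 ipv6 address FE80::10 link-local
 ipv6 address autoconfig
!
line vty 0 4
 transport input ssh
line vty 5 15
 transport input all
!
"""

# Ports the L1 topology actually uses on this switch (constructed for the example).
USED_PORTS = {"FastEthernet0/1"}


def parse_blocks(config):
    """Split an IOS config into (global lines, {section header: body lines}).

    A section starts at an unindented 'interface ...' or 'line ...' line and
    collects the indented lines after it; a '!' separator ends the section.
    """
    global_lines, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
        elif raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
        elif raw.startswith(("interface ", "line ")):
            current = raw.strip()
            sections.setdefault(current, [])
        else:
            current = None
            global_lines.append(raw.strip())
    return global_lines, sections


def audit(config, used_ports):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    global_lines, sections = parse_blocks(config)

    # Task 1d: every physical port not used by the task is shut down and in VLAN 99.
    for header, body in sections.items():
        if not header.startswith("interface "):
            continue
        name = header.split(" ", 1)[1]
        if name in used_ports or not name.startswith(("FastEthernet", "GigabitEthernet")):
            continue  # used port, or a logical interface (Vlan, Loopback)
        if "shutdown" not in body:
            findings.append(f"{name}: unused port is not shut down")
        if "switchport access vlan 99" not in body:
            findings.append(f"{name}: unused port is not parked in VLAN 99")

    # Task 1e: lockout of at least 60 s after at most 2 failures within a 30 s window.
    lock = [l for l in global_lines if l.startswith("login block-for ")]
    if not lock:
        findings.append("no login block-for configured")
    else:
        seconds, attempts, within = map(int, re.findall(r"\d+", lock[0]))
        if seconds < 60 or attempts > 2 or within < 30:
            findings.append(f"login block-for too lenient: {lock[0]}")

    # Task 2: SSHv2 only (no SSHv1 fallback) and SSH as the sole transport on every vty line.
    if "ip ssh version 2" not in global_lines:
        findings.append("ip ssh version 2 not set (SSHv1 fallback allowed)")
    for header, body in sections.items():
        if header.startswith("line vty"):
            transports = [l for l in body if l.startswith("transport input")]
            if transports != ["transport input ssh"]:
                findings.append(f"{header}: allows transports other than SSH ({transports or ['default']})")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, USED_PORTS):
        print(finding)
```

On the constructed config this reports FastEthernet0/4 (in VLAN 99 but still up), GigabitEthernet0/2 (shut down but left in VLAN 1) and line vty 5 15 (transport input all, so Telnet is still reachable on the lines the article's line vty 0 4 did not touch). The last finding is the one most often missed by hand: securing only vty 0 4 leaves the higher-numbered lines with their defaults.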

source: www.habr.com
