Solving the WorldSkills Network module tasks in the "SiSA" competency. Part 2 - Basic Configuration

We continue our walkthrough of the tasks in the Network module of the WorldSkills championship in the "Network and System Administration" competency.

This article covers the following tasks:

  1. On ALL devices, create virtual interfaces, subinterfaces and loopback interfaces. Assign IP addresses according to the topology.
    • Enable the SLAAC mechanism for issuing IPv6 addresses in the MNG network on the RTR1 router interface;
    • On the virtual interfaces in VLAN 100 (MNG) on switches SW1, SW2, SW3, enable IPv6 autoconfiguration mode;
    • On ALL devices (except PC1 and WEB), manually assign link-local addresses;
    • On ALL switches, disable ALL ports not used in the task and move them to VLAN 99;
    • On switch SW1, enable a 1-minute lockout if the password is entered incorrectly twice within 30 seconds;
  2. All devices must be manageable over SSH version 2.


The network topology at the physical layer is shown in the following diagram:

The network topology at the data link layer is shown in the following diagram:

The network topology at the network layer is shown in the following diagram:

Preliminary configuration

Before carrying out the tasks above, it is worth setting up basic switching on switches SW1-SW3, since this will make it much easier to check their settings later. Switching configuration will be described in detail in the next article; for now only the settings themselves are given.

The first step is to create VLANs 99, 100 and 300 on all switches:

SW1(config)#vlan 99
SW1(config-vlan)#exit
SW1(config)#vlan 100
SW1(config-vlan)#exit
SW1(config)#vlan 300
SW1(config-vlan)#exit

The next step is to move interface g0/1 on SW1 into VLAN 300:

SW1(config)#interface gigabitEthernet 0/1
SW1(config-if)#switchport mode access 
SW1(config-if)#switchport access vlan 300
SW1(config-if)#exit

Interfaces f0/1-2 and f0/5-6, which face the other switches, must be switched to trunk mode:

SW1(config)#interface range fastEthernet 0/1-2, fastEthernet 0/5-6
SW1(config-if-range)#switchport trunk encapsulation dot1q
SW1(config-if-range)#switchport mode trunk 
SW1(config-if-range)#exit

On switch SW2, interfaces f0/1-4 will be in trunk mode:

SW2(config)#interface range fastEthernet 0/1-4
SW2(config-if-range)#switchport trunk encapsulation dot1q
SW2(config-if-range)#switchport mode trunk 
SW2(config-if-range)#exit

On switch SW3, interfaces f0/3-6 and g0/1 will be in trunk mode:

SW3(config)#interface range fastEthernet 0/3-6, gigabitEthernet 0/1
SW3(config-if-range)#switchport trunk encapsulation dot1q
SW3(config-if-range)#switchport mode trunk 
SW3(config-if-range)#exit

At this stage the switch settings allow tagged packets to be exchanged, which is required to complete the tasks.

1. On ALL devices, create virtual interfaces, subinterfaces and loopback interfaces. Assign IP addresses according to the topology.

Router BR1 is configured first. According to the L3 topology, a loop-type interface, also known as a loopback, with number 101 has to be configured here:

// Create the loopback
BR1(config)#interface loopback 101
// Assign the IPv4 address
BR1(config-if)#ip address 2.2.2.2 255.255.255.255
// Enable IPv6 on the interface
BR1(config-if)#ipv6 enable
// Assign the IPv6 address
BR1(config-if)#ipv6 address 2001:B:A::1/64
// Leave interface configuration mode
BR1(config-if)#exit
BR1(config)#

To check the state of the created interface, use the command show ipv6 interface brief:

BR1#show ipv6 interface brief 
...
Loopback101                [up/up]
    FE80::2D0:97FF:FE94:5022    // link-local address
    2001:B:A::1                 // IPv6 address
...
BR1#

Here you can see that the loopback is active; its state is UP. Looking below it, you can see two IPv6 addresses, although only one command was used to set an IPv6 address. The point is that FE80::2D0:97FF:FE94:5022 is a link-local address, which is assigned when IPv6 is enabled on the interface with the ipv6 enable command.

To view the IPv4 address, use the analogous command:

BR1#show ip interface brief 
...
Loopback101        2.2.2.2      YES manual up        up 
...
BR1#

On BR1 the g0/0 interface should be configured right away as well; here only an IPv6 address needs to be set:

// Enter interface configuration mode
BR1(config)#interface gigabitEthernet 0/0
// Enable the interface
BR1(config-if)#no shutdown
BR1(config-if)#ipv6 enable 
BR1(config-if)#ipv6 address 2001:B:C::1/64
BR1(config-if)#exit
BR1(config)#

You can check the settings with the same show ipv6 interface brief command:

BR1#show ipv6 interface brief 
GigabitEthernet0/0         [up/up]
    FE80::290:CFF:FE9D:4624     // link-local address
    2001:B:C::1                 // IPv6 address
...
Loopback101                [up/up]
    FE80::2D0:97FF:FE94:5022    // link-local address
    2001:B:A::1                 // IPv6 address

Next, the ISP router is configured. According to the task, loopback number 0 is configured here, but in addition it is better to configure the g0/0 interface, which should have the address 30.30.30.1, because the subsequent tasks say nothing about configuring these interfaces. First, loopback number 0 is configured:

ISP(config)#interface loopback 0
ISP(config-if)#ip address 8.8.8.8 255.255.255.255
ISP(config-if)#ipv6 enable 
ISP(config-if)#ipv6 address 2001:A:C::1/64
ISP(config-if)#exit
ISP(config)#

With the show ipv6 interface brief command you can verify that the interface settings are correct. Then the g0/0 interface is configured:

ISP(config)#interface gigabitEthernet 0/0
ISP(config-if)#no shutdown 
ISP(config-if)#ip address 30.30.30.1 255.255.255.252
ISP(config-if)#exit
ISP(config)#

Next, router RTR1 is configured. Here too a loopback, number 100, has to be created:

RTR1(config)#interface loopback 100
RTR1(config-if)#ip address 1.1.1.1 255.255.255.255
RTR1(config-if)#ipv6 enable 
RTR1(config-if)#ipv6 address 2001:A:B::1/64
RTR1(config-if)#exit
RTR1(config)#

RTR1 also needs 2 virtual subinterfaces for VLANs 100 and 300. This can be done as follows.

First, enable the physical interface g0/1 with the no shutdown command:

RTR1(config)#interface gigabitEthernet 0/1
RTR1(config-if)#no shutdown
RTR1(config-if)#exit 

Then the subinterfaces numbered 100 and 300 are created and configured:

// Create subinterface number 100 and enter its configuration
RTR1(config)#interface gigabitEthernet 0/1.100
// Set dot1q encapsulation with VLAN number 100
RTR1(config-subif)#encapsulation dot1Q 100
RTR1(config-subif)#ipv6 enable 
RTR1(config-subif)#ipv6 address 2001:100::1/64
RTR1(config-subif)#exit
// Create subinterface number 300 and enter its configuration
RTR1(config)#interface gigabitEthernet 0/1.300
// Set dot1q encapsulation with VLAN number 300
RTR1(config-subif)#encapsulation dot1Q 300
RTR1(config-subif)#ipv6 enable 
RTR1(config-subif)#ipv6 address 2001:300::2/64
RTR1(config-subif)#exit

The subinterface number may differ from the number of the VLAN it serves, but for convenience it is better to use a subinterface number that matches the VLAN number. When setting the encapsulation type on a subinterface, you must specify the number that matches the VLAN number. So after the command encapsulation dot1Q 300 the subinterface will pass only packets of VLAN 300.

The last step in this task is router RTR2. The link between SW1 and RTR2 must be in access mode; the switch interface will pass to RTR2 only packets intended for VLAN 300, as stated in the task on the L2 topology. Therefore only the physical interface is configured on RTR2, without creating subinterfaces:

RTR2(config)#interface gigabitEthernet 0/1
RTR2(config-if)#no shutdown 
RTR2(config-if)#ipv6 enable
RTR2(config-if)#ipv6 address 2001:300::3/64
RTR2(config-if)#exit
RTR2(config)#

Then the g0/0 interface is configured:

RTR2(config)#interface gigabitEthernet 0/0
RTR2(config-if)#no shutdown 
RTR2(config-if)#ip address 30.30.30.2 255.255.255.252
RTR2(config-if)#exit
RTR2(config)#

This completes the configuration of the router interfaces for the current task. The remaining interfaces will be configured as the following tasks are completed.

a. Enable the SLAAC mechanism for issuing IPv6 addresses in the MNG network on the RTR1 router interface
SLAAC is enabled by default. The only thing you need to do is enable IPv6 routing. This is done with the following command:

RTR1(config-subif)#ipv6 unicast-routing

Without this command the device acts as a host. In other words, thanks to the command above it becomes possible to use additional IPv6 functions, including issuing IPv6 addresses, configuring routing, and so on.

b. On the virtual interfaces in VLAN 100 (MNG) on switches SW1, SW2, SW3, enable IPv6 autoconfiguration mode
The L3 topology shows that the switches are connected to VLAN 100. This means virtual interfaces have to be created on the switches and only then set to obtain IPv6 addresses automatically. The preliminary configuration was done precisely so that the switches could obtain automatic addresses from RTR1. This task can be completed with the following list of commands, which suits all three switches:

// Create the virtual interface
SW1(config)#interface vlan 100
SW1(config-if)#ipv6 enable
// Obtain the IPv6 address automatically
SW1(config-if)#ipv6 address autoconfig
SW1(config-if)#exit

You can check everything with the same show ipv6 interface brief command:

SW1#show ipv6 interface brief
...
Vlan100                [up/up]
    FE80::A8BB:CCFF:FE80:C000           // link-local address
    2001:100::A8BB:CCFF:FE80:C000       // obtained IPv6 address

In addition to the link-local address, an IPv6 address obtained from RTR1 has appeared. The task is completed successfully, and the same commands must be entered on the remaining switches.

c. On ALL devices (except PC1 and WEB), manually assign link-local addresses
Thirty-character IPv6 addresses are no pleasure for administrators, so the link-local address can be changed manually, shortening it to a minimal value. The tasks say nothing about which addresses to choose, so the choice here is free.

For example, on switch SW1 the link-local address fe80::10 has to be set. This is done with the following command from the configuration mode of the selected interface:

// Enter the virtual interface vlan 100
SW1(config)#interface vlan 100
// Manually set the link-local address
SW1(config-if)#ipv6 address fe80::10 link-local
SW1(config-if)#exit

Now the addressing looks much more attractive:

SW1#show ipv6 interface brief
...
Vlan100                [up/up]
    FE80::10        // link-local address
    2001:100::10    // IPv6 address

Besides the link-local address, the obtained IPv6 address has also changed, since the address is issued on the basis of the link-local address.
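The addresses in the outputs above can be reproduced by hand, as an added example that is not part of the original article. It assumes the automatically generated interface identifier follows the modified EUI-64 rule of RFC 4291, and that, as the SW1 output shows, the SLAAC address reuses the interface identifier of the link-local address. The MAC address aabb.cc80.c000 is inferred from the SW1 output, and all function names are illustrative.

```python
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) for a 48-bit MAC."""
    raw = bytes.fromhex(mac.replace(".", "").replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    eui = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])  # insert FFFE in the middle
    eui[0] ^= 0x02                                    # flip the universal/local bit
    return int.from_bytes(eui, "big")


def interface_id(address: str) -> int:
    """Low 64 bits (the interface identifier) of an IPv6 address."""
    return int(ipaddress.IPv6Address(address)) & ((1 << 64) - 1)


def with_prefix(prefix: str, iid: int) -> str:
    """Combine a /64 prefix with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def mac_from_address(address: str):
    """Recover the MAC behind an EUI-64 based address, or None if it is not EUI-64."""
    iid = interface_id(address).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in raw)


if __name__ == "__main__":
    iid = eui64_interface_id("aabb.cc80.c000")    # MAC inferred from the SW1 output
    print(with_prefix("fe80::/64", iid))          # automatic link-local on Vlan100
    print(with_prefix("2001:100::/64", iid))      # SLAAC address before the change
    # After "ipv6 address fe80::10 link-local" the interface identifier is ::10.
    print(with_prefix("2001:100::/64", interface_id("fe80::10")))
    print(mac_from_address("FE80::2D0:97FF:FE94:5022"))  # BR1 Loopback101
    print(mac_from_address("fe80::10"))           # manual address hides the MAC
```

An automatically generated address carries the hardware address of the interface in readable form, while a manually assigned link-local address such as fe80::10 does not.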

On switch SW1 only one link-local address had to be set, on a single interface. Router RTR1 needs more configuration: the link-local address has to be set on two subinterfaces and on the loopback, and in later configuration the tunnel 100 interface will also appear.

To avoid typing the commands repeatedly, you can set the same link-local address on all interfaces at once. This is done with the range keyword followed by a list of all the interfaces:

// Enter configuration of several interfaces
RTR1(config)#interface range gigabitEthernet 0/1.100, gigabitEthernet 0/1.300, loopback 100
// Manually set the link-local address
RTR1(config-if-range)#ipv6 address fe80::1 link-local
RTR1(config-if-range)#exit

When you look at the interfaces, you will see that the link-local addresses have changed on all the selected interfaces:

RTR1#show ipv6 interface brief
gigabitEthernet 0/1.100		[up/up]
    FE80::1
    2001:100::1
gigabitEthernet 0/1.300		[up/up]
    FE80::1
    2001:300::2
Loopback100            		[up/up]
    FE80::1
    2001:A:B::1

All other devices are configured in the same way.

d. On ALL switches, disable ALL ports not used in the task and move them to VLAN 99
The basic idea is the same way of selecting several interfaces to configure with the range command; after that you only need to enter the commands that move them to the required VLAN and then shut the interfaces down. For example, on switch SW1, according to the L1 topology, ports f0/3-4, f0/7-8, f0/11-24 and g0/2 will be disabled. For this example the configuration is as follows:

// Select all unused ports
SW1(config)#interface range fastEthernet 0/3-4, fastEthernet 0/7-8, fastEthernet 0/11-24, gigabitEthernet 0/2
// Set access mode on the interfaces
SW1(config-if-range)#switchport mode access 
// Move the interfaces to VLAN 99
SW1(config-if-range)#switchport access vlan 99
// Shut the interfaces down
SW1(config-if-range)#shutdown
SW1(config-if-range)#exit

When checking the settings with the already familiar command, note that all unused ports must have the status administratively down, which indicates that the port is disabled:

SW1#show ip interface brief
Interface          IP-Address   OK? Method   Status                  Protocol
...
fastEthernet 0/3   unassigned   YES unset    administratively down   down

To see which VLAN a port is in, you can use another command:

SW1#show vlan
...
99   VLAN0099     active    Fa0/3, Fa0/4, Fa0/7, Fa0/8
                            Fa0/11, Fa0/12, Fa0/13, Fa0/14
                            Fa0/15, Fa0/16, Fa0/17, Fa0/18
                            Fa0/19, Fa0/20, Fa0/21, Fa0/22
                            Fa0/23, Fa0/24, Gig0/2
...

All unused interfaces should be listed here. Note that an interface cannot be moved to a VLAN if that VLAN has not been created. That is why all the VLANs needed for the work were created in the preliminary configuration.

e. On switch SW1, enable a 1-minute lockout if the password is entered incorrectly twice within 30 seconds.
This is done with the following command:

// Lockout for 60 s; attempts: 2; within: 30 s
SW1(config)#login block-for 60 attempts 2 within 30

You can also check these settings as follows:

SW1#show login
...
   If more than 2 login failures occur in 30 seconds or less,
     logins will be disabled for 60 seconds.
...

This states clearly that after two failed attempts within 30 seconds or less, the ability to log in is blocked for 60 seconds.

2. All devices must be manageable over SSH version 2

For devices to be reachable over SSH version 2, the equipment must first be configured, so for illustration we will first configure a device with factory settings.

You can change the SSH version as follows:

// Set the SSH version to 2
Router(config)#ip ssh version 2
Please create RSA keys (of at least 768 bits size) to enable SSH v2.
Router(config)#

The system asks you to create RSA keys for SSH version 2 to work. Following the advice of the clever system, you can create RSA keys with the following command:

// Create the RSA keys
Router(config)#crypto key generate rsa
% Please define a hostname other than Router.
Router(config)#

The system does not allow the command to run because the hostname has not been changed. After changing the hostname, the key generation command has to be entered again:

Router(config)#hostname R1
R1(config)#crypto key generate rsa 
% Please define a domain-name first.
R1(config)#

Now the system does not let you create RSA keys because there is no domain name. Once the domain name is set, the RSA keys can be created. RSA keys must be at least 768 bits long for SSH version 2 to work:

R1(config)#ip domain-name wsrvuz19.ru
R1(config)#crypto key generate rsa
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

As a result, for SSHv2 to work you need to:

  1. Change the hostname;
  2. Change the domain name;
  3. Generate RSA keys.

The previous article showed how to change the hostname and domain name on all devices, so while continuing to configure the current devices you only need to generate the RSA keys:

RTR1(config)#crypto key generate rsa
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

SSH version 2 is active, but the devices are not yet fully configured. The final step is to configure the virtual consoles:

// Enter configuration of the virtual consoles
RTR1(config)#line vty 0 4
// Allow remote connections over SSH only
RTR1(config-line)#transport input ssh
RTR1(config-line)#exit

In the previous article the AAA model was configured: authentication on the virtual consoles was set to use the local database, and after authentication the user had to land directly in privileged mode. The simplest check that SSH works is to try connecting to your own device. RTR1 has a loopback with the IP address 1.1.1.1; you can try connecting to that address:

// Connect over SSH
RTR1(config)#do ssh -l wsrvuz19 1.1.1.1
Password: 
RTR1#

After the -l switch, enter the login of an existing user, and then the password. After authentication the user goes straight into privileged mode, which means SSH is configured correctly.
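The settings from tasks d, e and 2 can be checked in one pass over a saved running-config instead of reading several show outputs. This is an added example, not part of the original article: the sample configuration is constructed, and the function names and the used_ports parameter are illustrative assumptions.

```python
import re

# Constructed running-config excerpt for SW1 (sample input, not from the article).
SAMPLE = """\
hostname SW1
ip ssh version 2
login block-for 60 attempts 2 within 30
!
interface FastEthernet0/1
 switchport mode trunk
!
interface FastEthernet0/3
 switchport access vlan 99
 switchport mode access
 shutdown
!
interface FastEthernet0/4
 switchport access vlan 99
 switchport mode access
!
line vty 0 4
 transport input ssh
line vty 5 15
 transport input telnet ssh
"""

def parse(config):
    """Return {top-level line: [indented child lines]} in config order."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = line.strip()
            blocks[current] = []
    return blocks

def audit(config, used_ports):
    """List deviations from tasks d, e and 2; used_ports are the ports left in service."""
    blocks, findings = parse(config), []
    for required in ("ip ssh version 2", "login block-for 60 attempts 2 within 30"):
        if required not in blocks:
            findings.append(f"global: missing '{required}'")
    for head, body in blocks.items():
        port = re.fullmatch(r"interface ((?:Fast|Gigabit)Ethernet\S+)", head)
        if port and port.group(1) not in used_ports:
            if "switchport access vlan 99" not in body:
                findings.append(f"{port.group(1)}: unused port not in VLAN 99")
            if "shutdown" not in body:
                findings.append(f"{port.group(1)}: unused port not shut down")
        if head.startswith("line vty") and "transport input ssh" not in body:
            findings.append(f"{head}: remote access not limited to SSH")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, used_ports={"FastEthernet0/1"})))
```

On the sample it reports FastEthernet0/4, which sits in VLAN 99 but was never shut down, and the second vty range, which still accepts Telnet because only lines 0 4 were restricted.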

Source: www.habr.com
