
92 Nguyễn Đình Chiểu, Đa Kao, Quận 1, TP HCM; 2 Bis Đinh Tiên Hoàng, P. Đa Kao, Quận 1, TP HCM. Hotline: 090 78 79 477. Website: www.athena.edu.vn

Lab: IOS recovery with Xmodem and TFTPDNLD


When the router's operating system has to be upgraded or restored and no IOS image is left on the router at all, two methods are available: Xmodem and TFTPDNLD. We work through the lab topologies below.

I. Xmodem

(Topology: PC connected to the router through the console port.)

Instructor: Lê Đình Nhân. Email: nhanld@athenvn.com

Xmodem is normally used to restore the operating system on a router that has none left and can only boot into rommon. It is also the method to use when there is no TFTP server and no network connection at all, so that the only link is the PC's cable to the router's console port. Its drawback is time: by default HyperTerminal (or any other terminal program) talks to the console at 9600 bps, and at that rate loading an image takes very long. We therefore raise the console speed to 115200 bps. Enter rommon with Ctrl+Break while the router boots and change the console baud rate with confreg:

    rommon 1 > confreg

    Configuration Summary
    enabled are:
    break/abort has effect
    console baud: 9600
    boot: the ROM Monitor

    do you wish to change the configuration? y/n [n]: y
    enable "diagnostic mode"? y/n [n]:
    enable "use net in IP bcast address"? y/n [n]:
    enable "load rom after netboot fails"? y/n [n]:
    enable "use all zero broadcast"? y/n [n]:
    disable "break/abort has effect"? y/n [n]:
    enable "ignore system config info"? y/n [n]:
    change console baud rate? y/n [n]: y
    enter rate: 0 = 9600, 1 = 4800, 2 = 1200, 3 = 2400
    4 = 19200, 5 = 38400, 6 = 57600, 7 = 115200 [0]: 7
    change the boot characteristics? y/n [n]:

    Configuration Summary
    enabled are:
    break/abort has effect
    console baud: 115200
    boot: the ROM Monitor

    do you wish to change the configuration? y/n [n]:

    You must reset or power cycle for new config to take effect.
    rommon 2 > reset

The same result is obtained faster by changing the configuration register from its normal value 0x2102 to 0x3822:

    rommon 1 > confreg 0x3822

After the reset HyperTerminal no longer talks to the router: it is still running at 9600 bps while the router now uses 115200 bps. Reopen HyperTerminal with its speed set to 115200 bps, then start loading the image with the xmodem command (-c selects CRC-16 instead of the simple checksum):

    rommon 1 > xmodem -?
    xmodem: illegal option -- ?
    usage: xmodem [-cyrx] <destination filename>
    -c  CRC-16
    -y  ymodem-batch protocol
    -r  copy image to dram for launch
    -x  do not launch on download completion
    rommon 2 > xmodem -c c1600-is-mz.122-10a.bin
    Do not start the sending program yet...
    File size                 Checksum   File name
    9939820 bytes (0x97ab6c)  0x4991     c2600-ismz.122-7a.bin

(The listing shows a different image name than the command above it.) In HyperTerminal start the transfer with Transfer / Send File, select the image to load and Xmodem as the protocol. Check beforehand that the image fits in the router's flash and is built for this router model. See Figures 1, 2 and 3 below.

Figure 1.


Figure 2.


Figure 3.

After the transfer completes, check the router's flash and set the configuration register back to 0x2102:

    rommon 9 > dir flash:
    File size                 Checksum   File name
    3686656 bytes (0x384100)  0x1a5e     c1600-sy-mz.12116.bin
    rommon 10 > confreg 0x2102
    You must reset or power cycle for new config to take effect.
    rommon 11 > reset

    System Bootstrap, Version 12.0(19981130:173850) [rameshs-120t_lava 114], DEVELOPMENT SOFTWARE
    Copyright (c) 1994-1998 by cisco Systems, Inc.
    Simm with parity detected, ignoring onboard DRAM
    C1600 platform with 16384 Kbytes of main memory
    program load complete, entry point: 0x4020060, size: 0x15568c
    %SYS-6-BOOT_MESSAGES: Messages above this line are from the boot loader.
    program load complete, entry point: 0x2005000, size: 0x3840e0
    Self decompressing the image : ########################################################

0x2102 also returns the console to 9600 bps, so set HyperTerminal back to 9600 after the reset. The CRC-16 used by xmodem -c only catches transmission errors; once IOS is running, compare the image with the hash published by Cisco using verify /md5 flash:<image-name> <expected-md5>.


II. TFTPDNLD

- When a network connection is available, recover the IOS with TFTPDNLD: its transfer speed is far better than Xmodem's.
- A PC acting as the TFTP server is needed.
- Connect as in the diagram below and enter the commands below to set the parameters the router needs to reach the PC.

(Topology: the PC is connected to the router's console port (link 1) and, as the TFTP server, to Fa0/0 (link 2).)

    rommon 17 > ?
    rommon 18 > set
    rommon 19 > IP_ADDRESS=192.168.1.1
    rommon 20 > IP_SUBNET_MASK=255.255.255.0
    rommon 21 > DEFAULT_GATEWAY=192.168.1.2
    rommon 22 > TFTP_SERVER=192.168.1.2
    rommon 23 > TFTP_FILE=c2600-advsecurityk9-mz.124-8d.bin
    rommon 24 > tftpdnld

    IP_ADDRESS: 192.168.1.1
    IP_SUBNET_MASK: 255.255.255.0
    DEFAULT_GATEWAY: 192.168.1.2
    TFTP_SERVER: 192.168.1.2
    TFTP_FILE: c2600-is-mz.113-2.0.3.Q

    Invoke this command for disaster recovery only.
    WARNING: all existing data in all partitions on flash will be lost!
    Do you wish to continue? y/n: [n]: y

? lists the rommon commands, set on its own lists the current environment variables, and each VAR=value line sets one. Start the TFTP server program on the PC and watch the transfer:

    Receiving c2600-is-mz.113-2.0.3.Q from 171.69.1.129 !!!!!.!!!!!!!!!!!!!!!!!!!.!!
    File reception completed.
    Copying file c2600-is-mz.113-2.0.3.Q to flash.
    Erasing flash at 0x607c0000
    program flash location 0x60440000
    rommon 22 >

Each ! is a block received and each . a block that timed out and was retried. (The server address and file name in this output differ from the variables set above.) Two points to keep in mind: tftpdnld erases every flash partition before writing, and TFTP has no authentication or integrity protection, so run the transfer over a direct cable or an isolated segment, and after the router boots compare the image with the published hash using verify /md5 flash:<image-name> <expected-md5>. If the configuration register was changed to keep the router in rommon, set it back to 0x2102 and reset, as in the Xmodem procedure.
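The tftpdnld exchange above is plain TFTP (UDP port 69, RFC 1350): no authentication and no integrity protection beyond a 16-bit block number, so anything that answers the router's read request can hand it an image. The Python script below, an added example that is not part of the original lab, is a minimal read-only TFTP server that only serves files whose SHA-256 matches a pinned value. The file name c2600-sample.bin, the sample image bytes and the hash allowlist are constructed for the example; the listening address 192.168.1.2 is the TFTP_SERVER value from the lab.

```python
"""Minimal read-only TFTP server (RFC 1350) that only hands out images whose
SHA-256 is pinned. Added example for this lab, not code from the original page;
the sample image and the allowlist are constructed."""
import hashlib
import os
import socket
import struct

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK_SIZE = 512

# Constructed stand-in for an IOS image (1283 bytes, so three DATA blocks).
SAMPLE_IMAGE = bytes(range(256)) * 5 + b"END"
# Allowlist: file name -> SHA-256. In practice paste the hash from the vendor's
# download page; here it is computed from the constructed sample.
ALLOWED = {"c2600-sample.bin": hashlib.sha256(SAMPLE_IMAGE).hexdigest()}


def parse_request(pkt):
    """(filename, mode) from an RRQ/WRQ packet, or None for any other packet."""
    if len(pkt) < 4 or struct.unpack("!H", pkt[:2])[0] not in (RRQ, WRQ):
        return None
    fields = pkt[2:].split(b"\x00")
    if len(fields) < 2:
        return None
    return fields[0].decode("ascii", "replace"), fields[1].decode("ascii", "replace").lower()


def build_data(block, payload):
    return struct.pack("!HH", DATA, block & 0xFFFF) + payload


def build_error(code, msg):
    return struct.pack("!HH", ERROR, code) + msg.encode("ascii") + b"\x00"


def parse_ack(pkt):
    """Block number acknowledged, or None if this is not an ACK."""
    if len(pkt) != 4 or struct.unpack("!H", pkt[:2])[0] != ACK:
        return None
    return struct.unpack("!H", pkt[2:])[0]


def image_allowed(name, data, allowlist):
    """TFTP authenticates nothing, so the server refuses anything not pinned."""
    want = allowlist.get(name)
    return want is not None and hashlib.sha256(data).hexdigest() == want


def data_blocks(image):
    """Yield (block number, payload); a final block shorter than 512 bytes
    (possibly empty) tells the client the transfer is complete."""
    n = 1
    for off in range(0, len(image), BLOCK_SIZE):
        yield n, image[off:off + BLOCK_SIZE]
        n += 1
    if len(image) % BLOCK_SIZE == 0:
        yield n, b""


def serve_one(sock, root, allowlist):
    """Serve a single RRQ arriving on the bound port-69 socket, lock-step."""
    pkt, peer = sock.recvfrom(1024)
    req = parse_request(pkt)
    if req is None or struct.unpack("!H", pkt[:2])[0] != RRQ:
        sock.sendto(build_error(4, "read requests only"), peer)
        return False
    name, mode = req
    name = os.path.basename(name)          # no path traversal out of root
    path = os.path.join(root, name)
    if mode != "octet" or not os.path.isfile(path):
        sock.sendto(build_error(1, "file not found or not octet mode"), peer)
        return False
    with open(path, "rb") as f:
        image = f.read()
    if not image_allowed(name, image, allowlist):
        sock.sendto(build_error(2, "image not on allowlist"), peer)
        return False
    xfer = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    xfer.bind((sock.getsockname()[0], 0))  # fresh transfer ID, as RFC 1350 requires
    xfer.settimeout(3)
    try:
        for block, payload in data_blocks(image):
            for _ in range(5):              # retransmit until the router ACKs
                xfer.sendto(build_data(block, payload), peer)
                try:
                    ack, _ = xfer.recvfrom(1024)
                except socket.timeout:
                    continue
                if parse_ack(ack) == (block & 0xFFFF):
                    break
            else:
                return False
        return True
    finally:
        xfer.close()


if __name__ == "__main__":
    # Assumed: images in ./images; binding port 69 needs root.
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("192.168.1.2", 69))
    while True:
        serve_one(s, "images", ALLOWED)
```

Put the image in ./images and run the script as root on the PC at 192.168.1.2 before entering tftpdnld on the router; a request for a file that is missing from ALLOWED, or whose bytes no longer match the pinned hash, is answered with a TFTP error and nothing is sent.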

Lab: SSH


(Topology: PC on 192.168.1.0/24 to R1 Fa0/0; R1 S2/0 to R2 S2/0 over 12.0.0.0/30 (R1 = .1, R2 = .2); Lo0 on R1 = 10.0.0.1/24, Lo0 on R2 = 20.0.0.1/24.)

In the previous lab we configured the router remotely over telnet, but telnet has no security: everything, including the login, is sent in cleartext. To raise the security level we replace telnet with SSH.

Steps in this lab:
- Assign IP addresses to the router interfaces and configure static routes on Router 1 and Router 2.
- Ping to test every segment of the topology.
- Configure SSH on Router 1 and Router 2.
- Capture the traffic exchanged on the link.

1. IP addressing and static routing

a. Router 1

    Router>enable
    Router#configure terminal
    Router(config)#interface serial 2/0
    Router(config-if)#ip address 12.0.0.1 255.255.255.252
    Router(config-if)#no shutdown
    Router(config-if)#exit
    Router(config)#interface fastethernet 0/0
    Router(config-if)#ip address 192.168.1.1 255.255.255.0
    Router(config-if)#no shutdown
    Router(config-if)#exit
    Router(config)#interface loopback 0
    Router(config-if)#ip address 10.0.0.1 255.255.255.0


    Router(config-if)#exit
    Router(config)#ip route 0.0.0.0 0.0.0.0 12.0.0.2

b. Router 2

    Router>enable
    Router#configure terminal
    Router(config)#interface serial 2/0
    Router(config-if)#ip address 12.0.0.2 255.255.255.252
    Router(config-if)#no shutdown
    Router(config-if)#clock rate 64000
    Router(config-if)#exit
    Router(config)#interface loopback 0
    Router(config-if)#ip address 20.0.0.1 255.255.255.0
    Router(config-if)#exit
    Router(config)#ip route 192.168.1.0 255.255.255.0 12.0.0.1
    Router(config)#ip route 10.0.0.0 255.255.255.0 12.0.0.1

(clock rate is needed only on Router 2, the DCE end of the serial link.)

2. Verification
- From Router 1, ping each IP address of Router 2.
- On the PC, run ipconfig, then ping every interface of Router 1 and Router 2.


3. Configuring SSH on Router 1 and Router 2

SSH needs the following pieces in place:
- a hostname
- a domain name
- an RSA key pair, whose name is built from the hostname and domain name
- a username and password for logging in to the router
- a few SSH parameters
- SSH on the vty lines

On Router 1 enter:

    Router(config)#hostname R1
    R1(config)#ip domain name abc.com
    R1(config)#crypto key generate rsa general-keys modulus 1024

    The name for the keys will be: R1.abc.com
    % The key modulus size is 1024 bits
    % Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
    *June 24 19:25:30.035: %SSH-5-ENABLED: SSH 1.99 has been enabled
    R1(config)# ip ssh time-out 60
    R1(config)# ip ssh authentication-retries 2
    R1(config)# ip ssh version 2
    R1(config)# username cisco password cisco
    R1(config)# line vty 0 4
    R1(config-line)# login local
    R1(config-line)# transport input ssh
    R1(config-line)# exit

"SSH 1.99" in the log message means the server accepts both SSHv1 and SSHv2 until ip ssh version 2 restricts it to version 2, which is why that command matters. username cisco password cisco stores the password reversibly (type 0, or type 7 once service password-encryption is on); username cisco secret cisco keeps only a hash and should be preferred. A 1024-bit modulus is enough for the lab; use 2048 bits or more in production.

Router 2 is configured the same way:

    Router(config)#hostname R2
    R2(config)#ip domain name bcd.com
    R2(config)#crypto key generate rsa general-keys modulus 1024
    The name for the keys will be: R2.bcd.com
    % The key modulus size is 1024 bits
    % Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
    *June 24 19:25:30.035: %SSH-5-ENABLED: SSH 1.99 has been enabled
    R2(config)# ip ssh time-out 60
    R2(config)# ip ssh authentication-retries 2
    R2(config)# ip ssh version 2
    R2(config)# username cisco123 password cisco123
    R2(config)# line vty 0 4
    R2(config-line)# login local
    R2(config-line)# transport input ssh
    R2(config-line)# exit

From the PC, open an SSH connection to Router 1 with PuTTY.

PuTTY now asks us to accept the router's RSA host key before the SSH session is established. Accepting it blindly is what makes a first connection open to a man-in-the-middle, so compare the fingerprint PuTTY shows with the key on the router (show crypto key mypubkey rsa) before clicking Yes.


Enter the username and password created on Router 1 to log in to Router 1.

From Router 1's command line, open an SSH session to Router 2 with:

    R1#ssh -v 2 -l cisco123 -p 22 12.0.0.2
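The host key PuTTY asks us to accept on the first connection (and the one the ssh command from R1 trusts when it first reaches 12.0.0.2) should be checked against the router rather than accepted blindly, because anyone on the path can present his own key on that first connection. IOS prints the public key as DER hex under "Key Data" in show crypto key mypubkey rsa. The Python below, an added example that is not from the original lab, parses that hex, rebuilds the ssh-rsa wire format and returns the SHA256 and MD5 fingerprints that PuTTY and OpenSSH display. The RSA key in the block is constructed for the example and is not any router's key; the small DER encoder is there only to build that sample.

```python
"""Host-key fingerprint from the DER public key IOS prints under 'Key Data'
in 'show crypto key mypubkey rsa'. Added example, not from the original lab;
the demo key is constructed, not a real router key."""
import base64
import hashlib

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1


def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der_tlv(tag, value):
    return bytes([tag]) + der_len(len(value)) + value


def der_uint(n):
    b = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:                     # keep the INTEGER positive
        b = b"\x00" + b
    return der_tlv(0x02, b)


def spki_from_rsa(n, e):
    """SubjectPublicKeyInfo, the structure IOS dumps as 'Key Data' (used here
    only to build the constructed sample)."""
    rsa_key = der_tlv(0x30, der_uint(n) + der_uint(e))
    alg = der_tlv(0x30, RSA_OID + b"\x05\x00")
    return der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + rsa_key))


def read_tlv(buf, pos=0):
    """(tag, value, position after this element) for the TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def rsa_from_spki(spki):
    """Parse the DER key data into (n, e)."""
    _, outer, _ = read_tlv(spki)
    tag, alg, pos = read_tlv(outer)
    assert tag == 0x30 and alg.startswith(RSA_OID), "not an RSA key"
    tag, bitstr, _ = read_tlv(outer, pos)
    assert tag == 0x03
    _, rsa_key, _ = read_tlv(bitstr[1:])      # skip the unused-bits byte
    tag_n, n_bytes, pos = read_tlv(rsa_key)
    tag_e, e_bytes, _ = read_tlv(rsa_key, pos)
    assert tag_n == 0x02 and tag_e == 0x02
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def ssh_mpint(n):
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return len(b).to_bytes(4, "big") + b


def ssh_rsa_blob(n, e):
    """Wire format of an ssh-rsa public key: string 'ssh-rsa', mpint e, mpint n.
    This blob, not the DER, is what SSH clients hash for the fingerprint."""
    name = b"ssh-rsa"
    return len(name).to_bytes(4, "big") + name + ssh_mpint(e) + ssh_mpint(n)


def fingerprints(blob):
    sha = base64.b64encode(hashlib.sha256(blob).digest()).rstrip(b"=").decode()
    md5 = hashlib.md5(blob).hexdigest()
    return "SHA256:" + sha, ":".join(md5[i:i + 2] for i in range(0, 32, 2))


def fingerprint_from_key_data(hex_dump):
    """hex_dump: the hex words from 'show crypto key mypubkey rsa' (whitespace ok)."""
    n, e = rsa_from_spki(bytes.fromhex("".join(hex_dump.split())))
    return fingerprints(ssh_rsa_blob(n, e))


# Constructed demo key (NOT a real router key): 512-bit modulus, e = 65537.
DEMO_N = (1 << 511) | 0x2F3B9E17D5
DEMO_E = 65537
DEMO_KEY_DATA = spki_from_rsa(DEMO_N, DEMO_E).hex()

if __name__ == "__main__":
    sha256_fp, md5_fp = fingerprint_from_key_data(DEMO_KEY_DATA)
    print("SHA256 fingerprint (OpenSSH, PuTTY):", sha256_fp)
    print("MD5 fingerprint (older clients):   ", md5_fp)
```

Paste the router's own Key Data hex into fingerprint_from_key_data and compare the output with the fingerprint in PuTTY's warning dialog; only if they match does accepting the key mean you are talking to R1 rather than to something in between.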


To check the protection SSH provides, capture the traffic exchanged with the routers. The first capture is the traffic from the PC to Router 1: only the version banners and the key exchange are readable, while the login and every command are encrypted.


Lab: Accessing the router through SDM

Cisco devices are usually configured from the CLI, but Cisco also supports configuration from a graphical interface. The GUI product for router configuration is the Security Device Manager (SDM). SDM is a web-based application built on Java. It comes pre-installed in flash on some router families, and the administrator configures the router from a web browser using SSL and Java. SDM uses SSL for the administrator's configuration session and SSH to interact with the router and return results to the administrator's web interface. Not every router model is supported; check www.cisco.com/go/sdm to see whether yours is. If the router does not have SDM in flash, it can be installed there; this needs IOS 12.2 or later and 5 to 8 MB of free flash. The lab uses the following topology:


(Topology: PC to Router 1 Fa0/0 over 192.168.1.0/24.)

Steps in this lab:
- Basic configuration
- SDM configuration on the router
- Install SDM on the PC
- Connect from the PC to the router

1. Basic configuration

Before logging in through SDM, the router needs the following basic configuration:

    Router> enable
    Router# configure terminal
    Router(config)# interface fastethernet 0/0
    Router(config-if)# ip address 192.168.1.1 255.255.255.0
    Router(config-if)# no shutdown
    Router(config-if)# exit

Then assign an IP address to the PC.


Next, check the IP address that was configured and ping from the PC to the router.


2. SDM configuration on the router

The commands follow this template:

    Router(config)# hostname router_name
    Router(config)# ip domain-name domain_name
    Router(config)# ip http server
    Router(config)# ip http secure-server
    Router(config)# ip http authentication local
    Router(config)# username username privilege 15 secret 0 password
    Router(config)# ip http timeout-policy idle seconds life seconds requests number
    Router(config)# line vty 0 15
    Router(config-line)# privilege level 15
    Router(config-line)# login local
    Router(config-line)# transport input ssh
    Router(config-line)# exit

SDM uses SSL to send the configuration and SSH to return results to the administrator's interface. Both SSL and SSH require an RSA key pair, and generating one requires a hostname and an IP domain name. The key does not have to be generated manually here: the first time we log in through SDM, the router generates it, and the same key pair serves both SSL and SSH. Because SDM is web-based, ip http server and ip http secure-server enable the web server and SSL on the router. ip http authentication local makes the web server authenticate against the local user database. The account used to log in must have privilege 15. ip http timeout-policy is optional, but it is worth setting to control how long an SDM connection is kept.

idle is the number of seconds a web connection is kept open with no data sent or received; the default is 180. life is the number of seconds the web server keeps the connection open from the moment it was created; the default is 180 and it can be raised up to 86400. requests limits the number of concurrent connections to the router; the default is 1. Finally, the vty lines are set to SSH, which SDM uses to interact with the router. The login account must have privilege 15, and since authentication is against the local database we use login local.

    Router>enable
    Router#configure terminal
    Router(config)#hostname R1
    R1(config)#ip domain name abc.com
    R1(config)# ip http server
    R1(config)# ip http secure-server
    R1(config)# username cisco privilege 15 password cisco
    R1(config)# line vty 0 4
    R1(config-line)# login local
    R1(config-line)# transport input ssh
    R1(config-line)# end

Two differences from the template are worth noting: this configuration uses password cisco (a reversible type 0/7 password) where the template used secret, and it omits ip http authentication local, without which the IOS web server defaults to authenticating with the enable password.

3. Accessing the router through SDM

The router can be reached over http or https. SDM can be installed on the PC or on the router; here we install it on the PC only. Run setup.exe from SDM.zip.
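The settings that the SSH lab (step 3 of that lab) and the SDM configuration above leave in a saved configuration can be audited mechanically. The Python script below, an added example that is not part of the original lab, checks the vty transport and login method, ip ssh version 2, reversible username passwords and plain ip http server, and decodes type 7 strings to show why password (as in username cisco password cisco) must be secret: type 7 is obfuscation, not a hash. The running-config sample is constructed from the lab commands; ip ssh version 2 is deliberately left out of it so that the corresponding finding shows.

```python
"""Management-plane audit of an IOS configuration: SSH-only vty, SSHv2,
hashed credentials, no plain HTTP. Added example, not code from the original
page; SAMPLE_CONFIG is constructed from the lab's own commands."""
import re

# Cisco type 7 translation key (public since the 1990s).
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(s):
    """Reverse a 'password 7' string: two-digit seed, then hex of plain XOR key."""
    seed = int(s[:2])
    data = bytes.fromhex(s[2:])
    return "".join(chr(b ^ ord(XLAT[(seed + i) % len(XLAT)])) for i, b in enumerate(data))


def encode_type7(plain, seed=8):
    """What 'service password-encryption' produces (used here to show symmetry)."""
    body = "".join("%02X" % (ord(c) ^ ord(XLAT[(seed + i) % len(XLAT)]))
                   for i, c in enumerate(plain))
    return "%02d" % seed + body


def sections(config):
    """Split a running-config into (header line, [indented child lines])."""
    out, cur = [], None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and cur is not None:
            cur[1].append(raw.strip())
        else:
            cur = (raw.strip(), [])
            out.append(cur)
    return out


def audit(config):
    findings = []
    secs = sections(config)
    top = [h for h, _ in secs]
    # SSH lab: vty lines must accept SSH only and authenticate a named user
    for header, body in secs:
        if header.startswith("line vty"):
            ti = [l for l in body if l.startswith("transport input")]
            if not ti or any(re.search(r"\b(telnet|all)\b", l) for l in ti):
                findings.append("%s: telnet still accepted (set 'transport input ssh')" % header)
            if "login local" not in body and not any(l.startswith("login authentication") for l in body):
                findings.append("%s: no 'login local' / AAA login" % header)
    if "ip ssh version 2" not in top:
        findings.append("ip ssh version 2 not set (server reports 1.99 and still accepts SSHv1)")
    # credentials: 'password' (type 0 or 7) is reversible, 'secret' is hashed
    for line in top:
        m = re.match(r"username (\S+) (?:privilege \d+ )?password (?:(\d) )?(\S+)", line)
        if m:
            user, typ, val = m.groups()
            shown = decode_type7(val) if typ == "7" else val
            findings.append("username %s uses a reversible password (%r); use 'secret'" % (user, shown))
    # SDM lab: plain HTTP exposes the same credentials telnet would
    if "ip http server" in top:
        findings.append("ip http server enabled: remove it and keep only 'ip http secure-server'")
    if "ip http secure-server" in top and "ip http authentication local" not in top:
        findings.append("ip http authentication not 'local': IOS falls back to the enable password")
    return findings


# Constructed sample: R1 after the SSH and SDM labs, with the type 7 form the
# username line takes once 'service password-encryption' is on.
SAMPLE_CONFIG = """\
hostname R1
ip domain name abc.com
ip ssh time-out 60
ip ssh authentication-retries 2
ip http server
ip http secure-server
username cisco privilege 15 password 7 0822455D0A16
!
line vty 0 4
 login local
 transport input ssh
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

Feed it the output of show running-config; an empty list means the vty lines, SSH version, credential storage and HTTP server match what the two labs aim for. The decoded type 7 value in the output is the practical argument for secret: anyone who can read the config (backups, TFTP copies, show running-config over the shoulder) recovers the password instantly.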


Click Next to continue.


Select I accept the terms of the license agreement and click Next.


Several options are offered: This computer installs SDM on the PC only; Cisco Router installs it on the router, which then needs 5 to 8 MB of free flash; the last option installs on both. We choose This computer and follow the rest of the wizard.

Choose a destination folder or keep the default path, then click Next to continue.


Click Install to start the installation, then Finish.


After the installation a Cisco SDM icon appears on the desktop. We now connect to the router through SDM over http as follows.


a. SDM-HTTP

Open Cisco SDM and enter the router's IP address. Pop-up blocking must be disabled in the web browser. A login form appears; enter the privilege 15 username and password.

The browser returns the Cisco Router and Security Device Manager screen.


The router now asks us to create a new username and password to replace the ones that were entered on the router from the console.


Click OK and reconnect to the router from the PC through Cisco SDM, this time logging in with the new username and password.


Login through SDM is now complete, and the router configuration interface appears as below.

A capture of this connection shows that it runs over http on port 80, which gives the router's management traffic no protection at all: the credentials and every configuration change cross the network in cleartext.


b. SDM-HTTPS

A router managed over http is trivially sniffed, so we switch SDM to SSL. First the browser has to see the certificate generated by the router's IOS. Enter https://192.168.1.1 in the browser; it warns that there is a problem with the certificate, but to reach the router we have to accept it. The certificate is self-signed by the router rather than issued by a CA the browser trusts, which is why the warning appears.


Accept the certificate to establish the SSL connection: click Or you can add an exception, then Add exception to store the certificate in the browser. We can check that the certificate was generated by the router's IOS. This is the same trust-on-first-use decision as the SSH host key earlier: compare the certificate shown by the browser with the router's own (show crypto pki certificates) before adding the exception.


Click Get Certificate.


Click Confirm Security Exception. The router returns the login screen; enter the configured username and password.


SDM can now connect to the router over SSL. Select The device has https enabled and want to use it.


Accept the certificate once more, then repeat the SDM login and create a new username and password as shown below.


Log on to the router with the new username and password.


A capture of the traffic between the router and the PC now shows SSL instead of plain http.


Lab: IPsec site-to-site VPN



Pre-shared key

Configuring a site-to-site VPN with a pre-shared key takes these steps:
1. Prepare for the IPsec and pre-shared key configuration.
2. Configure IKE (Internet Key Exchange).
3. Configure IPsec.
4. Verify the configuration.

I. Things to check first
- Check that the links are configured and up.
- Check that the access lists permit IPsec traffic.
- Check that the router allows crypto processing.
- Decide which interface the crypto map will be applied to.
- Decide which crypto policy will be applied.

II. IKE configuration

IKE mode config lets the router push an IPsec policy to remote users: once it is set up, clients connecting to the router obtain an IP address and network settings as with DHCP. That address is the inner address used when packets are encapsulated in IPsec, and it is also what is matched against the IPsec policy. (Mode config is a remote-access feature; the site-to-site lab below does not use it.) Configuring IKE with a pre-shared key has four steps:

- enable ISAKMP
- create an IKE policy
- configure the IKE identity and the pre-shared key
- verify IKE operation

a. Enabling ISAKMP

Use crypto isakmp enable in global configuration mode.

b. Creating the IKE policy

After enabling ISAKMP, decide which policy will be applied. The choices to make are:
- The priority number of the policy. The lower the number, the higher the priority, which matters when several IKE policies are configured.
- The encryption algorithm. The default is DES; 3DES can be chosen instead.
- The hash algorithm. The default is SHA; MD5 can be chosen instead.
- The authentication method. Here we use pre-shared keys.
- The Diffie-Hellman group. The default is group 1 (768 bit); group 2 (1024 bit) can be chosen instead.
- The lifetime of the Internet Key Exchange security association.

(DES, 3DES, MD5 and DH groups 1 and 2 are deprecated on current IOS releases, where AES, SHA-2 and group 14 or higher should be used; the lab keeps the older options to match the output shown below.)

The corresponding commands:
- Create the policy with crypto isakmp policy priority in global configuration mode.
- Set the encryption algorithm with encryption {des | 3des}

- Set the hash algorithm with hash {sha | md5}
- Set the authentication method with authentication {rsa-sig | rsa-encr | pre-share}
- Set the Diffie-Hellman group with group {1 | 2}
- Set the lifetime with lifetime seconds

c. IKE identity and pre-shared key

After the IKE policy, the next step is the IKE identity and the pre-shared key for the devices. By default the router identifies itself to its peers by IP address; this can be switched to the hostname with:

    crypto isakmp identity {address | hostname}

The pre-shared key must be configured, and it must be identical on both peers, because IKE peers authenticate each other by building and exchanging hashes that include the pre-shared key; the receiving peer recomputes the hash with the same algorithm and the same key. The command is:

    crypto isakmp key keystring {address peer-address | hostname peer-hostname}

The peer-address must be the address the peer actually sends from (its interface address); otherwise the router finds no key for that peer and IKE fails. Use a long random keystring outside the lab.

The lab topology:

(Topology: R1 S0 172.18.124.1/24 and R2 S0 172.18.124.2/24 connected across the Internet; R1 E0 10.10.10.1/24; R2 E0 10.10.20.1/24.)

Before configuring Internet Key Exchange, assign addresses to the router interfaces:

    R1#configure terminal
    R1(config)#int s 1/0
    R1(config-if)#ip add 172.18.124.1 255.255.255.0
    R1(config-if)#no shutdown
    R1(config-if)#clock rate 64000
    R1(config-if)#exit
    R1(config)#int fastethernet 0/0
    R1(config-if)#ip add 10.10.10.1 255.255.255.0
    R1(config-if)#no shutdown
    R1(config-if)#no keepalive
    R1(config-if)#exit

    R2#configure terminal
    R2(config)#int s 1/0
    R2(config-if)#ip add 172.18.124.2 255.255.255.0
    R2(config-if)#no shutdown
    R2(config-if)#clock rate 64000
    R2(config-if)#exit
    R2(config)#int fastethernet 0/0
    R2(config-if)#ip add 10.10.20.1 255.255.255.0
    R2(config-if)#no shutdown
    R2(config-if)#no keepalive
    R2(config-if)#exit

(The serial addresses are the 172.18.124.x ones from the diagram and from the crypto isakmp key statements below; the original text had 172.18.214.x here, which would leave each router without a key for its peer.)

Configure Internet Key Exchange on Router 1 and Router 2:

    R1#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    R1(config)#crypto isakmp enable
    R1(config)#crypto isakmp policy 2
    R1(config-isakmp)#encryption 3des
    R1(config-isakmp)#hash md5
    R1(config-isakmp)#authentication pre-share
    R1(config-isakmp)#exit
    R1(config)#crypto isakmp key cisco address 172.18.124.2
    R1(config)#^Z
    R1#

    R2#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    R2(config)#crypto isakmp enable
    R2(config)#crypto isakmp policy 2
    R2(config-isakmp)#encryption 3des
    R2(config-isakmp)#hash md5
    R2(config-isakmp)#authentication pre-share
    R2(config-isakmp)#exit

    R2(config)#crypto isakmp key cisco address 172.18.124.1
    R2(config)#^Z
    R2#

The ISAKMP policy is now configured. Review it with show crypto isakmp policy:

    R1#show crypto isakmp policy
    Protection suite of priority 2
            encryption algorithm:   3DES--Triple Data Encryption Standard (168 bit keys)
            hash algorithm:         Message Digest 5
            authentication method:  Pre-Shared Key
            Diffie-Hellman group:   #1 (768 bit)
            lifetime:               86400 seconds, no volume limit
    Default protection suite
            encryption algorithm:   DES--Data Encryption Standard (56 bit keys)
            hash algorithm:         Secure Hash Standard
            authentication method:  Rivest-Shamir-Adleman Signature
            Diffie-Hellman group:   #1 (768 bit)
            lifetime:               86400 seconds, no volume limit
    R1#

    R2#show crypto isakmp policy
    Protection suite of priority 2
            encryption algorithm:   3DES--Triple Data Encryption Standard
            hash algorithm:         Message Digest 5
            authentication method:  Pre-Shared Key
            Diffie-Hellman group:   #1 (768 bit)
            lifetime:               86400 seconds, no volume limit
    Default protection suite
            encryption algorithm:   DES--Data Encryption Standard
            hash algorithm:         Secure Hash Standard
            authentication method:  Rivest-Shamir-Adleman Signature
            Diffie-Hellman group:   #1 (768 bit)
            lifetime:               86400 seconds, no volume limit
    R2#

The default suite (priority 65535) is always listed; it uses RSA signatures, so it cannot authenticate these two peers, which only share a pre-shared key. The policy 2 entries must therefore match on both routers.

IKE authentication as configured here authenticates devices, not users. Extended Authentication (XAuth) adds user authentication through AAA after the devices have authenticated each other. On a router that also terminates XAuth-enabled remote-access clients, a site-to-site peer's key is marked no-xauth so that the router does not prompt that peer for a username and password:

    R1(config)#crypto isakmp key cisco address 172.18.124.2 no-xauth

III. IPsec configuration

As with the pre-shared key, it helps to know the number of steps in advance. There are five:
- create a transform set
- set the IPsec SA lifetime
- create the access list that defines which traffic is encrypted
- create the crypto map
- apply the crypto map to an interface

1. Creating the transform set

A transform set defines how the traffic is protected; it combines payload authentication, payload encryption and the IPsec mode. As with authentication, the transform sets on the two peers must be compatible: the name is only locally significant, but the transforms themselves have to match. The command is:

    crypto ipsec transform-set transform-set-name {[transform1] [transform2] [transform3]}

- transform-set-name: the name of the set
- transform1: ah-md5-hmac or ah-sha-hmac
- transform2: esp-des, esp-3des or esp-null
- transform3: esp-md5-hmac or esp-sha-hmac

IPsec uses tunnel mode by default; transport mode can be selected with:

    mode {tunnel | transport}

2. Lifetime cho IPSec SA Ta xt thi gian lifetime cho IPSec nhm mc ch xc nhn xem IPSec SA s c hiu lc trong khong thi gian l bao lu cho n khi n cn c thng lng li xin li. y bn c th cu hnh bng hai cch: mt l trong global mode v hai l trong crypto map. Khi cu hnh lifetime th ta xc nh hai thng s l: second v kilobytes. Thng s second dng xc nh thi gian sng cho IPSec SA trc khi n b ht hn.Mc nh thi gian sng l 3600 second. Thng s kilobyte xc nh kch thc gi tin. Mc nh kch thc gi tin 4608000 kilobyte. Hai cu lnh nh sau.

Ging Vin: L nh Nhn Email: nhanld@athenvn.com

92 Nguyn nh Chiu, DaKao, Qun 1, Tp HCM 2 Bis inh Tin Hong P.a Kao Qun 1 TPHCM Hotline: 090 78 79 477 Website: www.athena.edu.vn

crypto ipsec security-association lifetime seconds seconds
crypto ipsec security-association lifetime kilobytes kilobytes

3. Creating the Access list
After configuring the transform set and the lifetime, the next step is to configure the access list that protects the IPSec data flow. To configure an extended access list for IPSec we need to define the following:
- Select the outbound traffic to be protected.
- Process inbound traffic to select IPSec traffic.
- Process inbound traffic to filter the traffic that must be protected.
In addition, when negotiating during IKE processing, the access list determines when IPSec SA requests are accepted.

4. Creating the Crypto map
An IPSec SA is established only through the crypto map command. The crypto map command links one or more entries together, and each entry is represented by an IPSec SA. Each crypto map entry defines the following:
- Which traffic is to be protected.
- To which remote peer the protected traffic flows.
- Which transform is used to protect the traffic.
- Whether the IPSec SA is established through IKE or manually.
In addition, other variables are used to describe and set the lifetime for the crypto map.

All entries in a crypto map are tied together by the name of the crypto map. Each entry can be only one of the following types:
- cisco: in this entry type, Cisco Encryption Technology is used instead of IPSec.
- ipsec-manual: in this entry type, IKE is not used to establish the IPSec SA.
- ipsec-isakmp: IKE is used to establish the IPSec SA.
Here we only discuss using IKE to establish IPSec. The command is:
crypto map map-name seq-num ipsec-isakmp
map-name: the name used for the crypto map.
seq-num: the sequence number of the entry within the crypto map (1 to 65535); lower numbers have higher priority.
After entering the command above, we are in crypto map configuration mode. Here we define the following variables:
- match address {access-list-number | name}: specifies which access list is applied.
- set peer {peer-address | hostname-peer}: specifies the IPSec peer.
- set transform-set transform-set-name [transform-set-name2...transform-set-name6]: specifies the transform set used for IPSec.
5. Applying the Crypto map
After creating the IPSec tunnel, the next step is to apply it to a specific interface. To apply it, enter interface mode and use the command:
crypto map map-name


For redundancy purposes, you can apply a crypto map to an interface. By default:
- Each interface has its own SA database.
- The IP address of the local interface is used as the local address for IPSec traffic.
If you want to use one crypto map on multiple interfaces, you must identify that interface. It works as follows: the interfaces share one IPSec SA database established at a given time, and traffic shared across all of those interfaces uses the same crypto map. The IP address of the defined interface is used in this case as the local IP address: it is used for IPSec traffic both originating from and destined to every interface that shares the same crypto map set.
crypto map map-name local-address local-id
To define the interface, use the command above in global mode, where map-name is the name of the crypto map and local-id is the IP address of the interface being defined.

Configure the IPSec transform set named test and the crypto map named test1 as follows:
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#crypto ipsec transform-set test esp-des
R1(cfg-crypto-trans)#exit
R1(config)#access-list 100 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
R1(config)#crypto map test1 100 ipsec-isakmp
R1(config-crypto-map)#match address 100
R1(config-crypto-map)#set transform-set test
R1(config-crypto-map)#set peer 172.18.124.2
R1(config-crypto-map)#exit
R1(config)#interface s0/0
R1(config-if)#crypto map test1
R1(config-if)#^Z
R1#

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#crypto ipsec transform-set test esp-des
R2(cfg-crypto-trans)#exit
R2(config)#access-list 100 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
R2(config)#crypto map test1 100 ipsec-isakmp
R2(config-crypto-map)#match address 100
R2(config-crypto-map)#set transform-set test
R2(config-crypto-map)#set peer 172.18.124.1
R2(config-crypto-map)#exit
R2(config)#interface s1/0
R2(config-if)#crypto map test1
R2(config-if)#^Z
R2#
In addition, if we want to perform user authentication with XAuth, we must specify which users and groups are authorized. In that case we use AAA to perform this process and use the crypto map to apply the AAA configuration we created.
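The peer-consistency rules in this section (identical transform sets, a matching crypto map entry on each side, and a crypto access list that mirrors the peer's) can be checked before the tunnel is brought up. The script below is an added example, not part of the lab: it parses the R1 and R2 snippets above (embedded as constructed strings) with a hypothetical checker and reports each mismatch; on the lab configuration it reports that R2's access list 100 repeats R1's source and destination instead of mirroring them.

```python
import re

# Constructed from the R1 and R2 lab configurations above; the checker itself is a hypothetical add-on.
R1_CFG = """
crypto ipsec transform-set test esp-des
access-list 100 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
crypto map test1 100 ipsec-isakmp
 match address 100
 set transform-set test
 set peer 172.18.124.2
"""
R2_CFG = """
crypto ipsec transform-set test esp-des
access-list 100 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
crypto map test1 100 ipsec-isakmp
 match address 100
 set transform-set test
 set peer 172.18.124.1
"""

TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$", re.M)
ACL_RE = re.compile(r"^access-list (\d+) permit ip (\S+ \S+) (\S+ \S+)$", re.M)
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp\n((?: .+\n)+)", re.M)

def parse(cfg):
    """Pull transform sets, crypto ACLs and crypto-map entries out of one router config."""
    ts = {name: tuple(body.split()) for name, body in TS_RE.findall(cfg)}
    acls = {num: (src, dst) for num, src, dst in ACL_RE.findall(cfg)}
    maps = {}
    for name, seq, body in MAP_RE.findall(cfg):
        # each sub-command is "<keyword(s)> <value>"; keep keyword -> value
        maps[(name, seq)] = dict(ln.strip().rsplit(" ", 1) for ln in body.strip().splitlines())
    return {"ts": ts, "acls": acls, "maps": maps}

def check_peers(cfg_a, cfg_b):
    """Return the mismatches that would stop negotiation between two peers; [] means consistent."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems = []
    for key, ea in a["maps"].items():
        eb = b["maps"].get(key, {})  # a missing entry on peer B shows up as failed checks below
        # the transforms must be identical on both sides
        if a["ts"].get(ea.get("set transform-set")) != b["ts"].get(eb.get("set transform-set")):
            problems.append(f"crypto map {key}: transform sets differ")
        acl_a = a["acls"].get(ea.get("match address"))
        acl_b = b["acls"].get(eb.get("match address"))
        # peer B's crypto ACL must be the mirror image (source/destination swapped) of peer A's
        if acl_a is None or acl_b is None or acl_b != (acl_a[1], acl_a[0]):
            problems.append(f"crypto map {key}: access list is not the mirror image of peer A's")
    return problems
```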

IV. Verifying and validating IPSec operation
- The show crypto isakmp sa command shows all active SAs on the device.
R1#show crypto isakmp sa
dst             src             state          conn-id    slot
172.18.124.2    172.18.124.1    QM_IDLE             82       0
- To view the transform set configuration, use the command show crypto ipsec transform-set

R1#show crypto ipsec transform-set
Transform set test: { esp-des }
   will negotiate = { Tunnel, },
- To check that an IPSec SA is active, use the command show crypto ipsec sa
R1#show crypto ipsec sa
interface: Serial0/0
    Crypto map tag: test1, local addr. 10.1.1.1
   local ident (addr/mask/prot/port): (10.1.1.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.1.1.2/255.255.255.255/0/0)
   current_peer: 10.1.1.2
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify 10
    #send errors 10, #recv errors 0
     local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.1.1.2
     path mtu 1500, media mtu 1500
     current outbound spi: 20890A6F
     inbound esp sas:
      spi: 0x257A1039(628756537)
        transform: esp-des ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 26, crypto map: test1
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
     outbound esp sas:
      spi: 0x20890A6F(545852015)
        transform: esp-des ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 27, crypto map: test1
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y
     outbound ah sas:
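The counters and SA timers in this output are what an operator reads after bringing the tunnel up. The script below is an added example, not part of the lab: it parses a constructed excerpt of the show crypto ipsec sa output above with a hypothetical parser and reports send errors, one-way traffic, and SAs close to rekeying (the 90 seconds remaining above is far below the 3600-second default lifetime).

```python
import re

# Constructed excerpt of the "show crypto ipsec sa" output shown above (hypothetical parser).
SHOW_SA = """\
interface: Serial0/0
    Crypto map tag: test1, local addr. 10.1.1.1
   current_peer: 10.1.1.2
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify 10
    #send errors 10, #recv errors 0
     inbound esp sas:
      spi: 0x257A1039(628756537)
        sa timing: remaining key lifetime (k/sec): (4607999/90)
     inbound ah sas:
     outbound esp sas:
      spi: 0x20890A6F(545852015)
        sa timing: remaining key lifetime (k/sec): (4607999/90)
     outbound ah sas:
"""

COUNTER_RE = re.compile(r"#(pkts \w+|send errors|recv errors):? (\d+)")
# one ESP SA block: direction, SPI, then the remaining (kilobytes/seconds) pair
SA_RE = re.compile(r"(inbound|outbound) esp sas:\s+spi: (0x[0-9A-Fa-f]+)\(\d+\).*?\((\d+)/(\d+)\)", re.S)

def parse_show_sa(text):
    """Return (counters, sa_list) extracted from show crypto ipsec sa output."""
    counters = {name: int(val) for name, val in COUNTER_RE.findall(text)}
    sas = [{"dir": d, "spi": spi, "kb_left": int(kb), "sec_left": int(sec)}
           for d, spi, kb, sec in SA_RE.findall(text)]
    return counters, sas

def assess(text, min_seconds=120):
    """Findings an operator would act on: send errors, one-way traffic, SAs about to rekey."""
    counters, sas = parse_show_sa(text)
    findings = []
    if counters.get("send errors", 0):
        findings.append(f"{counters['send errors']} send errors: outbound packets were not protected")
    if counters.get("pkts encaps", 0) and not counters.get("pkts decaps", 0):
        findings.append("traffic is sent but none returns: check the peer's crypto ACL and routing")
    for sa in sas:
        if sa["sec_left"] < min_seconds:
            findings.append(f"{sa['dir']} SA {sa['spi']} rekeys in {sa['sec_left']}s")
    return findings
```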
