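CCNP 813 AAA Lab
Requirements:
There are two switches: ASW1 at the access layer and DSW1 at the distribution layer.
- Enable RADIUS authentication close to the end devices, that is, enable RADIUS on ASW1. The RADIUS server is 172.120.39.46, RADIUS key: rad123
- Restrict VLAN 20: the IP address must be within 172.120.40.0/24, otherwise the packet is dropped. The filter is applied close to the server side.
AAA configuration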
ASW1(config)#aaa new-model
ASW1(config)#aaa authentication login default line none
ASW1(config)#aaa authentication dot1x default group radius
ASW1(config)#radius-server host 172.120.39.46 key rad123
ASW1(config)#dot1x system-auth-control
ASW1(config)#interface fastethernet 0/1
ASW1(config-if)#switchport mode access
ASW1(config-if)#dot1x port-control auto
ASW1(config-if)#end
ASW1#copy running-config startup-config
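A check for the 802.1X settings configured above, added here as an example and not part of the original lab answer: it scans a running-config excerpt for the global commands and lists access ports that lack dot1x port-control auto. The sample config is constructed; FastEthernet0/2 is a hypothetical port added to show a finding.

```python
import re

# Constructed running-config excerpt: Fa0/1 follows the lab answer above,
# Fa0/2 is a hypothetical access port that was left without 802.1X.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default line none
aaa authentication dot1x default group radius
radius-server host 172.120.39.46 key rad123
dot1x system-auth-control
!
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
!
interface FastEthernet0/2
 switchport mode access
!
"""

def audit_dot1x(config):
    """Return a list of findings for the 802.1X settings used in this lab."""
    findings = []
    # Global commands are the lines that are not indented.
    top = [l.strip() for l in config.splitlines() if l and not l.startswith(" ")]
    for required in ("aaa new-model",
                     "aaa authentication dot1x default group radius",
                     "dot1x system-auth-control"):
        if required not in top:
            findings.append(f"missing global command: {required}")
    if not any(l.startswith("radius-server host ") for l in top):
        findings.append("no RADIUS server defined")
    # Split the config into interface stanzas and inspect each access port.
    for name, body in re.findall(r"^interface (\S+)\n((?: .*\n)*)", config, re.M):
        lines = [l.strip() for l in body.splitlines()]
        if "switchport mode access" in lines and "dot1x port-control auto" not in lines:
            findings.append(f"{name}: access port without dot1x port-control auto")
    return findings

if __name__ == "__main__":
    for finding in audit_dot1x(SAMPLE_CONFIG):
        print(finding)
```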
Address filtering within the VLAN
DSW1(config)#ip access-list standard 10
DSW1(config-std-nacl)#permit 172.120.40.0 0.0.0.255
DSW1(config-std-nacl)#exit
DSW1(config)#vlan access-map MYACCMAP 10
DSW1(config-access-map)#match ip address 10
DSW1(config-access-map)#action forward
DSW1(config-access-map)#exit
DSW1(config)#vlan access-map MYACCMAP 20
DSW1(config-access-map)#action drop
DSW1(config-access-map)#exit
DSW1(config)#vlan filter MYACCMAP vlan-list 20
DSW1(config)#end
DSW1#copy running-config startup-config
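How the access map above treats a packet, modelled in Python as an added example (not part of the original lab answer): sequence 10 forwards sources that ACL 10 permits, and sequence 20, which has no match clause, drops everything else. The function names and sample addresses are constructed for illustration.

```python
import ipaddress

# Constructed from the DSW1 configuration on this page.
ACLS = {"10": [("permit", "172.120.40.0", "0.0.0.255")]}
ACCESS_MAP = [  # (sequence, matched ACL or None, action)
    (10, "10", "forward"),
    (20, None, "drop"),
]

def wildcard_match(src, base, wildcard):
    """Cisco wildcard match: bits set to 1 in the wildcard are ignored."""
    s = int(ipaddress.IPv4Address(src))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (s & care) == (b & care)

def acl_permits(acl_name, src):
    """First matching entry wins; a standard ACL ends with an implicit deny."""
    for action, base, wildcard in ACLS[acl_name]:
        if wildcard_match(src, base, wildcard):
            return action == "permit"
    return False

def vacl_action(src, access_map=ACCESS_MAP):
    """Walk the access map in sequence order; the first sequence that matches decides."""
    for _seq, acl, action in sorted(access_map, key=lambda e: e[0]):
        # A sequence without a match clause matches every packet.
        if acl is None or acl_permits(acl, src):
            return action
    # An IP packet that matches no sequence of a map containing an IP
    # match clause is dropped by default.
    return "drop"

if __name__ == "__main__":
    # Constructed source addresses: two inside 172.120.40.0/24, two outside.
    for src in ("172.120.40.25", "172.120.40.255", "172.120.41.25", "10.0.0.1"):
        print(src, vacl_action(src))
```

Because a standard ACL matches only the source address, the filter checks where a packet in VLAN 20 claims to come from, not where it is going.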
Frame Relay lab in GNS3
FR
FR#conf t
Enter configuration commands, one per line. End with CNTL/Z.
FR(config)#frame-relay switching
FR(config)#int s1/0
FR(config-if)#clock rate 64000
FR(config-if)#encapsulation frame-relay
FR(config-if)#no frame-relay inverse-arp
FR(config-if)#no arp frame-relay
FR(config-if)#frame-relay intf-type dce
FR(config-if)#frame-relay route 102 interface s1/1 201
FR(config-if)#frame-relay route 103 interface s1/2 301
FR(config-if)#frame-relay route 104 interface s1/3 401
FR(config-if)#no shutdown
FR(config-if)#exit
FR(config)#int s1/1
FR(config-if)#clock rate 64000
FR(config-if)#encapsulation frame-relay
FR(config-if)#no frame-relay inverse-arp
FR(config-if)#no arp frame-relay
FR(config-if)#frame-relay intf-type dce
FR(config-if)#frame-relay route 201 interface s1/0 102
FR(config-if)#no shutdown
FR(config-if)#exit
FR(config)#int s1/2
FR(config-if)#clock rate 64000
FR(config-if)#encapsulation frame-relay
FR(config-if)#no frame-relay inverse-arp
FR(config-if)#no arp frame-relay
FR(config-if)#frame-relay intf-type dce
FR(config-if)#frame-relay route 301 interface s1/0 103
FR(config-if)#no shutdown
FR(config-if)#exit
FR(config)#int s1/3
FR(config-if)#clock rate 64000
FR(config-if)#encapsulation frame-relay
FR(config-if)#no frame-relay inverse-arp
FR(config-if)#no arp frame-relay
FR(config-if)#frame-relay intf-type dce
FR(config-if)#frame-relay route 401 interface s1/0 104
FR(config-if)#no shut
FR(config-if)#exit
You can display the Frame Relay route table to check the mappings:
FR#show frame-relay route
Input Intf      Input Dlci      Output Intf     Output Dlci     Status
Serial1/0       102             Serial1/1       201             inactive
Serial1/0       103             Serial1/2       301             inactive
Serial1/0       104             Serial1/3       401             inactive
Serial1/1       201             Serial1/0       102             inactive
Serial1/2       301             Serial1/0       103             inactive
Serial1/3       401             Serial1/0       104             inactive
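A consistency check over this output, added here as an example and not part of the original lab: each frame-relay route statement needs a mirror-image statement on the other interface, so the script parses the table, reports any PVC without a return route, and lists PVCs whose status is not active. The function names are constructed for illustration.

```python
# Output of "show frame-relay route" on FR, copied from the lab above.
SHOW_OUTPUT = """\
Input Intf Input Dlci Output Intf Output Dlci Status
Serial1/0 102 Serial1/1 201 inactive
Serial1/0 103 Serial1/2 301 inactive
Serial1/0 104 Serial1/3 401 inactive
Serial1/1 201 Serial1/0 102 inactive
Serial1/2 301 Serial1/0 103 inactive
Serial1/3 401 Serial1/0 104 inactive
"""

def parse_routes(text):
    """Map (input interface, input DLCI) -> (output interface, output DLCI, status)."""
    routes = {}
    for line in text.splitlines():
        f = line.split()
        # Data rows have exactly five fields with numeric DLCIs; the header does not.
        if len(f) == 5 and f[1].isdigit() and f[3].isdigit():
            routes[(f[0], int(f[1]))] = (f[2], int(f[3]), f[4])
    return routes

def check_pvcs(routes):
    """Report one-way PVCs and PVCs whose status is not active."""
    problems = []
    for (in_if, in_dlci), (out_if, out_dlci, status) in routes.items():
        pvc = f"{in_if} DLCI {in_dlci} -> {out_if} DLCI {out_dlci}"
        back = routes.get((out_if, out_dlci))
        if back is None or back[:2] != (in_if, in_dlci):
            problems.append(f"{pvc}: no return route")
        if status != "active":
            problems.append(f"{pvc}: status {status}")
    return problems

if __name__ == "__main__":
    for problem in check_pvcs(parse_routes(SHOW_OUTPUT)):
        print(problem)
```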
R1
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#int s1/0
R1(config-if)#encapsulation frame-relay
R1(config-if)#no frame-relay inverse-arp
R1(config-if)#no arp frame-relay
R1(config-if)#no shutdown
R1(config-if)#int s1/0.1 point-to-point
R1(config-subif)#ip address 12.12.12.12 255.255.255.0
R1(config-subif)#frame-relay interface-dlci 102
R1(config-fr-dlci)#exit
R1(config-subif)#exit
R1(config)#int s1/0.2 multipoint
R1(config-subif)#ip address 192.168.0.1 255.255.255.0
R1(config-subif)#frame-relay map ip 192.168.0.3 103 broadcast
R1(config-subif)#frame-relay map ip 192.168.0.4 104 broadcast
R1(config-subif)#end
R2 can be configured in two ways
Option 1: configure directly on the physical interface
R2(config)#int s1/0
R2(config-if)#encapsulation frame-relay
R2(config-if)#ip address 12.12.12.21 255.255.255.0
R2(config-if)#no frame-relay inverse-arp
R2(config-if)#no arp frame-relay
R2(config-if)#frame-relay map ip 12.12.12.12 201 # Only frame-relay map can be used here; frame-relay interface-dlci cannot be used.
R2(config-if)#no shutdown
R2(config-if)#end
Option 2: configure on a subinterface
R2(config-if)#int s1/0.1 multipoint # Either point-to-point or multipoint can be specified here, depending on actual needs
R2(config-subif)#ip address 12.12.12.21 255.255.255.0
R2(config-subif)#frame-relay interface-dlci 201 # frame-relay map can also be used here
R2(config-fr-dlci)#exit
R2(config-subif)#exit
R3 and R4 are configured in the same way as R2
R3
R3(config)#int s1/0
R3(config-if)#encapsulation frame-relay
R3(config-if)#no frame-relay inverse-arp
R3(config-if)#no arp frame-relay
R3(config-if)#ip address 192.168.0.3 255.255.255.0
R3(config-if)#frame-relay map ip 192.168.0.1 301 broadcast
R3(config-if)#no shutdown
R3(config-if)#end
R4
R4(config)#int s1/0
R4(config-if)#encapsulation frame-relay
R4(config-if)#no frame-relay inverse-arp
R4(config-if)#no arp frame-relay
R4(config-if)#ip address 192.168.0.4 255.255.255.0
R4(config-if)#frame-relay map ip 192.168.0.1 401 broadcast
R4(config-if)#no sh
R4(config-if)#end