一.HSRP
1.启用HSRP功能,并配置虚拟IP地址
Switch(config-if)#standby group-unmber ip ip-address
Switch(config-if)#standby 1 ip 192.168.1.82.配置本路由器的HSRP优先级(主路由配置)
Switch(config-if)#standby group-unmber priority priority
Switch(config-if)#standby 1 priority 1013.配置HSRP抢占
Switch(config-if)#standby group-unmber preempt
Switch(config-if)#standby 1 preempt4.配置接口跟踪(主路由配置)
Switch(config-if)#standby group-unmber track interface-type/number
Switch(config-if)#standby 1 track FastEthernet0/0二.ACL
1.配置标准ACL
Router(config)#access-list access-list-number {remark |permit|deny} source source-wildcard
Router(config)#access-list 1 deny host 192.168.1.2Router(config)#access-list 1 permit any2.配置命名ACL
Router(config)#ip access-list [ standsrd | extended ] access-list_name
Router(config-ext-nacl)#deny [ tcp | udp | ip ] host ip-address host ip-address eq [ ftp | telnet ]
Router(config-ext-nacl)# permit ip any any
Router(config)#ip access-list extended telnetRouter(config)#ip access-list extended telnetRouter(config-ext-nacl)#deny tcp host 192.168.1.2 host 2.2.2.2 eq telnetRouter(config-ext-nacl)#deny tcp host 192.168.1.2 host 192.168.12.2 eq telnetRouter(config-ext-nacl)#permit ip any anyRouter(config)#ip access-list extended ftpRouter(config-ext-nacl)#deny tcp host 192.168.2.2 host 192.168.4.2 eq ftpRouter(config-ext-nacl)#permit ip any any3.接口应用ACL表
Router(config-if)#ip access-group access-list-number {in|out}
Router(config-if)#ip access-group 1 outRouter(config-if)#ip access-group 1 in三.DHCP
1.创建DHCP地址池
Router(config-if)#ip dhcp pool pool_name
Router(config)#service dhcp //开启DHCP服务Router(config-if)#ip dhcp pool cisco2.配置DHCP服务器要分配的网络和掩码
Router(dhcp-config)#network network-number mask
Router(dhcp-config)#network 192.168.1.0 255.255.255.03.配置分配给客户端的默认网关
Router(dhcp-config)#default-router address
Router(dhcp-config)#default-router 192.168.1.14.配置分配给客户端的DNS服务器
Router(dhcp-config)#dns-server address
Router(dhcp-config)#dns-server 192.168.2.25.指定DHCP排除的地址
Router(config)#ip dhcp excluded-address address
Router(config)#ip dhcp excluded-address 192.168.1.1Router(config)#ip dhcp excluded-address 192.168.2.16.配置DHCP中继地址
Router(config)#ip helper-address address
Router(config)#ip helper-address 192.168.12.2四.二层安全
1.配置接口为访问模式和开启端口安全
Switch(config-if)#switch mode access
Switch(config-if)#switch port-security
Switch(config-if)#switchport mode accessSwitch(config-if)#switchport port-security2.配置交换机端口下的MAC条目最大数量
Switch(config-if)#switch port-security maximum maximum
Switch(config-if)#switchport port-security maximum 23.配置交换机端口自动粘滞终端设备的MAC地址
Switch(config-if)#switch port-security mac-address sticky
Switch(config-if)#switchport port-security mac-address sticky4.配置交换机端口安全惩罚模式
Switch(config-if)#switch port-security violation {protect|shutdown|restrict}
Switch(config-if)#switchport port-security violation restrict!!!附加:
①启用DHCP监听功能、可信端口和请求速率限制
Switch(config)#ip dhcp snooping
Switch(config-if)#ip dhcp snooping trust
Switch(config-if)#ip dhcp snooping limit rate rate
Switch(config)#ip dhcp snoopingSwitch(config)#int f0/1Switch(config-if)#ip dhcp snooping trustSwitch(config-if)#ip dhcp snooping limit rate 20②设置接口为trunk、不协商模式和请求速率限制
Switch(config-if)#switchport mode trunk
Switch(config-if)#switchport nonegotiate
Switch(config-if)#switchport mode trunkSwitch(config-if)#switchport nonegotiate③开启全局端口加速
Switch(config)#spanning-tree portfast default
Switch(config)#spanning-tree portfast default④启用BPDU过滤功能
Switch(config-if)#spanning-tree bpduguard enable
Switch(config-if)#spanning-tree bpduguard enable五.重分发
1.RIP重分发进OSPF
Router(config-route)#redistribute rip metric metric-value subnets
Router(config)#router ospf 100Router(config-route)#redistribute rip metric 30 subnets2.OSPF重分发进RIP
Router(config-route)#redistribute ospf process-id metric metric-value
Router(config)#router ripRouter(config-route)#redistribute ospf 100 metric 13.OSPF重分发进EIGRP
Router(config-route) #redistribute ospf process-id metric [100000 100 255 1 1500]
一种协议重分布进 EIGRP,初始 Metric 值无限大,这样的路由不会被传递,所以会看不到 OSPF 重分布进 EIGRP 的路由。需要手工指定 Metric 解决。
Router(config)#router eigrp 100Router(config-route)#redistribute ospf 100 metric 100000 100 255 1 1500 //带宽、延迟、可靠性、负载、MTU4.EIGRP重分发进OSPF
Router(config-route)#redistribute eigrp process-id metric metric-value subnets
Router(config)#router ospf 100Router(config-route)#redistribute eigrp 100 metric 10 subnets六.路由策略
1.将所有接口配置为被动接口,并手动激活特定接口
Router(config-router)#passivve-interface default
Router(config-router)#no passivve-interface type-name
Router(config-router)#passivve-interface defaultRouter(config-router)#no passive-interface FastEthernet0/0Router(config-router)#no passive-interface FastEthernet0/12.配置管理距离
Router(config-router)#distance ad-number address wildcard-mask
Router(config)#router ospf 1Router(config-router)#distance 130 3.3.3.3 0.0.0.0Router(config)#router ripRouter(config-router)#distance 105 192.168.34.4 0.0.0.0七.PAT
1.通过ACL抓取网段
Router(config)#access-list access-list-number permit address wildcard-mask
Router(config)#access-list 1 permit 192.168.1.0 0.0.0.2552.将ACL指定的内部局部地址与指定的NAT地址池进行关联,完成动态NAT配置,并配置端口NAT的过载
Router(config)#ip nat inside source list access-list-number interface type-name overload
Router(config)#ip nat inside source list 1 interface FastEthernet0/1 overload3.配置NAT外部接口和内部接口
Router(config-if)#ip nat {inside|outside}
Router(config)#int f0/0Router(config-if)#ip nat insideRouter(config)#int f0/1Router(config-if)#ip nat outside八.IPV6
1.配置IPV6地址
Router(config)#ipv6 unicast-routing //开启IPV6单播路由功能
Router(config-if)#ipv6 address ipv6-address/mask
Router(config-if)#ipv6 address 2001::1/642.开启IPV6单播路由功能并配置静态路由
Router(config)#ipv6 unicast-routing
Router(config)#ipv6 route ipv6-target-address/mask interface-type/number ipv6-address
Router(config)#ipv6 unicast-routing //配置ipv6协议之前一定要先开启该功能Router(config)#ipv6 route 2002::/64 FastEthernet0/0 2012::23.配置RIP
Router(config)#ipv6 router rip tag //启用RIPng进程
Router(config-if)#ipv6 rip tag enable //在接口上激活RIPng
Router(config)#ipv6 router rip ciscoRouter(config)#int l 0Router(config-if)#ipv6 rip cisco enableRouter(config)#int f0/0Router(config-if)#ipv6 rip cisco enable4.配置OSPFv3
Router(config)#ipv6 router ospf process-id //启动OSPFv3路由进程
Router(config-rtr)#router-id a.b.c.d //配置路由器ID
Router(config-if)#ipv6 ospf process-id area area-id //激活参与OSPFv3的接口
Router(config)#ipv6 router ospf 110Router(config-rtr)#router-id 3.3.3.3Router(config)#int l 0Router(config-if)#ipv6 ospf 110 area 0Router(config)#int f0/0Router(config-if)#ipv6 ospf 110 area 05.配置EIGRP
Router(config)#ipv6 router eigrp process-id //启动EIGRP路由进程
Router(config-rtr)#no shutdown //一定要开启!
Router(config-rtr)#eigrp router-id a.b.c.d /配置路由器ID
Router(config-if)#ipv6 eigrp process-id //激活参与EIGRP的接口
Router(config)#ipv6 router eigrp 90Router(config-rtr)#router-id 5.5.5.5Router(config-rtr)#no shutdownRouter(config)#int l 0Router(config-if)#ipv6 eigrp 90Router(config)#int f0/0Router(config-if)#ipv6 eigrp 90九.IPV6隧道
Router(config)#ipv6 unicast-routing //开启IPV6单播路由功能
Router(config)#interface Tunnel 0 //进入Tunnel进行端口配置
Router(config-if)#ipv6 enable //如果没有给IPV6地址则开启此功能自动获取IPV6地址
Router(config-if)#tunnel mode ipv6ip //配置tunnel为IPV6IP
Router(config-if)#tunnel source interface-type //配置隧道的出接口
Router(config-if)#tunnel destination ip-address //配置隧道目的IP地址
Router(config)#interface Tunnel 0Router(config-if)ipv6 enableRouter(config-if)tunnel mode ipv6ipRouter(config-if)tunnel source FastEthernet0/1Router(config-if)tunnel destination 192.168.23.3十.VPN
Router(config)#ipv6 unicast-routing //开启IPV6单播路由功能
Router(config)#interface Tunnel 0 //进入Tunnel进行端口配置
Router(config-if)#ip address ip-address //配置接口的IP地址
Router(config-if)#tunnel mode gre ip //配置tunnel为gre ip
Router(config-if)#tunnel source interface-type //配置隧道的出接口
Router(config-if)#tunnel destination ip-address //配置隧道目的IP地址
Router(config)#interface Tunnel 0Router(config-if)ip address 192.168.3.1 255.255.255.0Router(config-if)tunnel mode gre ipRouter(config-if)tunnel source f0/1Router(config-if)tunnel destination 100.100.24.4
