网络设计与管理实践

DHCP和网络地址转换

首都师范大学信息工程学院liuyu@mail.cnu.edu.cn

DHCP服务配置 # ip dhcp pool global（配置一个根地址池， global是地址池的名称，你可以采用有意义的字符串来表示）

#network 192.168.0.0 255.255.0.0（动态分配的地址段）

#domain-name ghq.com（为客户机配置域后缀） #dns-server 192.168.1.1（为客户机配置 DNS服务器） #netbios-name-server 192.168.1.1（为客户机配置 wins #netbios-node-type h-node（为客户机配置 h节点模式）

#lease 30 （地址租用期为 30天）

#next-server 192.168.1.248 （配置 PXE引导 TFTP服务位置）

DHCP排除地址 IP地址 192.168.1.1至 192.168.1.5不能用于动态分配   ip dhcp excluded-address 192.168.1.1 192.16

8.1.5取消地址冲突记录日志 

no ip dhcp conflict logging

网络地址转换

网络地址转换 NAT

Inside addressing

Outside addressing

Interface Configuration

ip nat { inside | outside }

标记接口是内部还是外部

Defining a pool

ip nat pool <name> <start-ip> <end-ip> { netmask <netmask> | prefix-length <prefix-length> } [ type { rotary } ]

定一个地址池

Defining ACLs

access-list 1 permit 192.168.1.0 0.0.0.255 access-list 1 permit 192.168.2.0 0.0.0.255

Enabling translation of inside source addresses ip nat inside source list <acl> pool <name>

[overload]

ip nat inside source static <local-ip><global-ip>

Enabling translation of inside destination addresses ip nat inside destination list <acl> pool <na

me>

ip nat inside destination static <global-ip> <local-ip>

Enabling translation of outside source addresses ip nat outside source list <acl> pool <nam

e>

ip nat outside source static <global-ip> <local-ip> }

Configuring translation timeouts

ip nat translation timeout <seconds>

ip nat translation udp-timeout <seconds> ip nat translation dns-timeout <seconds> ip nat translation tcp-timeout <seconds> ip nat translation finrst-timeout <seconds>

CONFIGURATION EXAMPLES

translates between inside hosts addressed from either the 192.168.1.0 or 192.168.2.0 nets to the globally-unique 171.69.233.208/28 network.

内部  192.168.1.0或者 192.168.2.0外部 171.69.233.208/28

CONFIGURATION EXAMPLES ip nat pool net-20 171.69.233.208 171.69.233.223 netmask 255.255.255.

240 ip nat inside source list 1 pool net-20 ! interface Ethernet0 ip address 171.69.232.182 255.255.255.240 ip nat outside ! interface Ethernet1 ip address 192.168.1.94 255.255.255.0 ip nat inside ! access-list 1 permit 192.168.1.0 0.0.0.255 access-list 1 permit 192.168.2.0 0.0.0.255

CONFIGURATION EXAMPLES

translates between inside hosts addressed from the 9.114.11.0 net to the globally unique 171.69.233.208/28 network.

Packets from outside hosts addressed from 9.114.11.0 net (the "true" 9.114.11.0 net) are translated to appear to be from net 10.0.1.0/24.

CONFIGURATION EXAMPLES ip nat pool net-20 171.69.233.208 171.69.233.223 netmask <netmask> 255.2

55.255.240 ip nat pool net-10 10.0.1.0 10.0.1.255 netmask <netmask> 255.255.255.0 ip nat inside source list 1 pool net-20 ip nat outside source list 1 pool net-10 ! interface Ethernet0 ip address 171.69.232.182 255.255.255.240 ip nat outside ! interface Ethernet1 ip address 9.114.11.39 255.255.255.0 ip nat inside ! access-list 1 permit 9.114.11.0 0.0.0.255

More flexible pool configuration

ip nat pool <name> { netmask <mask> | prefix-length <length> } [ type { rotary } ]

Router(config)#ip nat pool fred prefix-length 24 Router(config-ipnat-pool)#address 171.69.233.

225 171.69.233.226 Router(config-ipnat-pool)#address 171.69.233.

228 171.69.233.238

Translating to interface's address ip nat inside source list <number> interfac

e <interface> overload

ip nat inside source list 1 interface Serial0 overload

Static translations with ports

ip nat inside source static { tcp | udp } <localaddr> <localport> <globaladdr> <globalport>

ip nat inside source static tcp 192.168.10.1 25 171.69.232.209 25

SSH

配置 hostname和 ip domain-name Router#configure terminal Router(config)#hostname HOSTNAMEHOSTNA(config)#ip domain-name ie.cnu.edu.

cn

SSH

配置登录用户名和密码（以本地认证为例）  (config)#username test password 0 test

配置 SSH服务  crypto key generate rsa hoose the size of the key modulus in the range of 360 to 20

48 for your General Purpose Keys. Choosing a key modulus greater t

han 512 may take a few minutes. How many bits in the modulus [512]: Generating 512 bit RSA keys ...[OK]

SSH

c2621XM-B#sh ip ssh SSH Enabled - version 1.5 Authentication timeout: 120 secs; Authenti

cation retries: 3

停止 SSH服务  crypto key zeroize rsa

SSH

设置 SSH参数 ip ssh {[time-out seconds]} | [authentication-re

tries interger]}