Lab 2 requirements
Description
2.1) Connectivity: the model consists of 6 routers and one Frame Relay switch.
The routers are named R1, R2, R3, R4, R5, R6 as in the diagram.
+ R1, R2 and R3 are connected by Frame Relay with two PVCs: one between R1 and R2 and one between R1 and R3.
+ R1 connects to the physical host through a loopback network adapter, and R6 connects to a VMware virtual machine.
2.2) Routing protocols: + R1, R2, R3 run IS-IS + R3, R4 run RIPng (IPv6)
Requirements
3.1) Generate and capture traffic passing through interface S0/0 of R4 and show it in full in a NetFlow screenshot, with the complete IP addresses of the traffic:
HTTP, HTTPS, TELNET, SSH, NTP, Netmeeting, FTP, TFTP, DNS, SIP, H323, Kerberos, SQL, SNMP, RADIUS, TACACS, SMTP, SNMP Trap, RTP & RTCP, SCCP, RSVP, POP, DHCP
3.2) Use the Cisco Tool – Config Download utility to extract the configurations of all routers in the model, including the Frame Relay switch, and include them in the submission so the setup can be reviewed and troubleshot.
3.3) Use show ip route to display the routing table of every router and copy it into the submission.
3.4) Use Wireshark to capture the traffic listed in 3.1 on the loopback interface of the physical host.
3.5) Host C2 must be able to reach the Internet.
3.6) Capture a trap sent to a mobile phone when the configuration of R3 changes.
3.7) Show traffic priority from high to low in the DSCP field for the following traffic, in this order: RTP, Netmeeting, TELNET, SSH.
3.8) Configure RTP to receive 25% of total bandwidth, Netmeeting 15%, and the remaining 60% for other protocols.
Carrying out the lab requirements
R1 configuration
!* Downloaded 05/04/2012 2:18:40 AM by SolarWinds Config Transfer Engine Version 5.5.0
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
boot-start-marker
boot-end-marker
!
aaa authentication login default group tacacs+
aaa authorization exec default group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
aaa session-id common
memory-size iomem 5
ip cef
!
Class-maps (listed here in summary): telnet matches access-group 102, netmeeting matches access-group 101, ssh matches access-group 103 and rtp matches access-group 100. Each class is keyed to one of the numbered access-lists further down, so classification is only as accurate as those access-list entries.
Policy-map LLQ-OUT-2: class rtp gets priority 25% of bandwidth, class netmeeting priority 15%, and class-default uses fair-queue. Policy-map Marking-IN-1 sets DSCP cs6 on rtp, cs5 on netmeeting and cs3 on ssh (the telnet class is not mentioned in this router's listing).
!
interface Loopback0
 no ip address
!
interface FastEthernet0/0
 bandwidth 50
 ip address 20.0.0.151 255.0.0.0
 duplex auto
 speed auto
 priority-group 1
 service-policy input Marking-IN-1
 ip rsvp bandwidth
!
interface Serial0/0
 no ip address
 ip virtual-reassembly
 encapsulation frame-relay
 priority-group 1
 clock rate 2000000
 ip rsvp bandwidth
!
interface Serial0/0.34 point-to-point
 ip address 200.0.0.151 255.255.255.0
 ip router isis
 frame-relay interface-dlci 34
 service-policy input Marking-IN-1
 ip rsvp bandwidth
!
interface Serial0/0.56 point-to-point
 bandwidth 50
 ip address 201.0.0.151 255.255.255.0
 ip router isis
 ip nat inside
 ip virtual-reassembly
 frame-relay interface-dlci 56
 service-policy input Marking-IN-1
 ip rsvp bandwidth
!
interface Serial0/0.65 point-to-point
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/1
 ip address dhcp
 ip helper-address 202.0.0.152
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Serial0/1
 no ip address
 shutdown
 clock rate 2000000
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/1 overload
ip rsvp sender 10.0.0.152 20.0.0.152 TCP 0 0 20.0.0.152 FastEthernet0/0 10 5
!
Access-lists (listed here in summary): access-list 1 permits any source and is the match list for the NAT overload rule above; access-list 100 permits UDP port 3230 (class rtp); access-list 101 permits TCP port 3389 (class netmeeting); access-list 102 permits TCP port 23 (class telnet); and TCP port 22 is permitted for class ssh (access-list 103). SNMP is configured with community string "private" and read-write (RW) access.
!
tacacs-server host 10.0.0.152
tacacs-server key 123456
!
telephony-service
 max-ephones 2
 max-dn 2
 ip source-address 20.0.0.151 port 2000
 max-conferences 8 gain -6
 transfer-system full-consult
!
ephone-dn 1
 number 1111
 name MayThat
!
ephone-dn 2
 number 2222
 name MayAo
!
ephone 1
 mac-address 0200.4C4F.4F50
 type CIPC
 button 1:1
!
ephone 2
 mac-address 000C.2930.C089
 type CIPC
 button 1:2
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
R2 configuration
!* Downloaded 05/04/2012 2:19:07 AM by SolarWinds Config Transfer Engine Version 5.5.0
! No configuration change since last restart
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
boot-start-marker
boot-end-marker
!
aaa authentication login default group radius none
!
aaa session-id common
memory-size iomem 5
ip cef
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
 clock rate 2000000
!
interface Serial0/0.43 point-to-point
 ip address 200.0.0.152 255.255.255.0
 ip router isis
 frame-relay interface-dlci 43
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 no ip address
 shutdown
 clock rate 2000000
!
no ip http server
no ip http secure-server
!
snmp-server community private RW
!
radius-server host 10.0.0.152 auth-port 1645 acct-port 1646
radius-server key 123456
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
!
ntp clock-period 17179853
ntp server 203.0.0.152
R3 configuration
!* Downloaded 05/04/2012 2:19:55 AM by SolarWinds Config Transfer Engine Version 5.5.0
! No configuration change since last restart
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
no service dhcp
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
clock timezone HaNoi 7
ip cef
!
Class-maps (listed here in summary): telnet matches access-group 102, netmeeting matches access-group 101, ssh matches access-group 103 and rtp matches access-group 100.
Policy-map LLQ-OUT-2: class rtp gets priority 25% of bandwidth, class netmeeting priority 15%, and class-default uses fair-queue. Policy-map Marking-IN-1 sets DSCP cs6 on rtp, cs5 on netmeeting, cs4 on telnet and cs3 on ssh.
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
 priority-group 1
 clock rate 2000000
 service-policy input Marking-IN-1
 ip rsvp bandwidth
!
interface Serial0/0.65 point-to-point
 ip address 201.0.0.152 255.255.255.0
 ip router isis
 ip virtual-reassembly
 frame-relay interface-dlci 65
 ip rsvp bandwidth
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 ip address 202.0.0.151 255.255.255.0
 ip virtual-reassembly
 encapsulation ppp
 ipv6 address 151::1/64
 ipv6 enable
 ipv6 rip RIPng enable
 priority-group 1
 clock rate 2000000
 service-policy input Marking-IN-1
 ip rsvp bandwidth
!
router isis
 net 00.0001.3333.3333.3333.00
 redistribute rip
 !
 address-family ipv6
  redistribute rip RIPng metric 0
 exit-address-family
!
router rip
 redistribute isis level-1-2 metric 1
 passive-interface Serial0/0
 network 201.0.0.0
 network 202.0.0.0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Serial0/0.65
!
ip http server
no ip http secure-server
!
Access-lists, SNMP and RIPng (listed here in summary, with the commands as quoted): access-list 100 permit tcp any any eq 3230 and access-list 100 permit udp any any eq 3230 feed the rtp class; snmp-server community private RW gives read-write access with community "private"; SNMP traps are enabled for link status, system events and configuration changes (the configuration-change trap is what requirement 3.6 relies on); snmp-server host 10.0.0.152 public sends those traps to 10.0.0.152 with community "public"; and ipv6 router rip RIPng is configured with maximum-paths 1.
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 password 123
 login
!
ntp clock-period 17179974
ntp server 203.0.0.152
R4 configuration
!* Downloaded 05/04/2012 2:19:33 AM by SolarWinds Config Transfer Engine Version 5.5.0
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
ip cef
!
no ip dhcp use vrf connected
!
ip dhcp pool net205.0.0.0
 network 205.0.0.0 255.255.255.0
!
ip flow-cache timeout active 1
no ip domain lookup
ip domain name vuvanmanh.com
!
Class-maps (listed here in summary): telnet matches access-group 102, netmeeting matches access-group 101, ssh matches access-group 103 and rtp matches access-group 100.
Policy-map LLQ-OUT-2: class rtp gets priority 25% of bandwidth, class netmeeting priority 15%, and class-default uses fair-queue. Policy-map Marking-IN-1 sets DSCP cs6 on rtp, cs5 on netmeeting, cs4 on telnet and cs3 on ssh.
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 ipv6 address 152::1/64
 ipv6 enable
 ipv6 rip RIPng enable
 priority-group 1
 clock rate 2000000
 service-policy input Marking-IN-1
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 ip address 203.0.0.151 255.255.255.0
 priority-group 1
 clock rate 2000000
 service-policy input Marking-IN-1
!
interface Serial0/2
 ip address 204.0.0.151 255.255.255.0
 ip virtual-reassembly
 priority-group 1
 clock rate 2000000
 service-policy input Marking-IN-1
!
interface Serial0/3
 no ip address
 shutdown
 clock rate 2000000
!
router ospf 1
 log-adjacency-changes
 redistribute static metric 10 subnets
 redistribute rip metric 10 subnets
 network 203.0.0.0 0.0.0.255 area 0
!
router rip
 redistribute static metric 10
 redistribute ospf 1 metric 10
 network 202.0.0.0
 network 204.0.0.0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 10.0.0.0 255.0.0.0 Serial0/2
!
ip flow-export source Serial0/0
ip flow-export version 5
ip flow-export destination 10.0.0.152 9996
!
no ip http server
no ip http secure-server
!
Access-lists, SNMP and RIPng (listed here in summary): access-list 100 permits TCP and UDP port 3230 (class rtp); access-list 101 permits TCP port 3389 (class netmeeting); access-list 102 permits TCP port 23 (class telnet); access-list 103 permits TCP port 22 (class ssh). SNMP is configured with the read-write community "private" and snmp-server ifindex persist, so interface indexes stay stable across reloads for the NetFlow collector. ipv6 router rip RIPng enables IPv6 RIPng routing.
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 no login
 transport input none
R5 configuration
!* Downloaded 05/04/2012 2:20:14 AM by SolarWinds Config Transfer Engine Version 5.5.0
! No configuration change since last restart
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
clock timezone GMT 7
ip cef
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 203.0.0.152 255.255.255.0
 clock rate 2000000
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 no ip address
 shutdown
 clock rate 2000000
!
router ospf 1
 log-adjacency-changes
 network 203.0.0.0 0.0.0.255 area 0
!
no ip http server
no ip http secure-server
!
snmp-server community private RW
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 login
R6 configuration
!* Downloaded 05/04/2012 2:20:33 AM by SolarWinds Config Transfer Engine Version 5.5.0
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
ip cef
!
crypto pki trustpoint TP-self-signed-998521732
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-998521732
 revocation-check none
 rsakeypair TP-self-signed-998521732
!
crypto pki certificate chain TP-self-signed-998521732
 certificate self-signed 01
  CB3FB529 CCDB6801 A42DBA34 BDDE4161 B677898E 4CC40FBC 87FC77AE 16D4A6D2
  EFA4F8DA 50486B7E 2522301D 0603551D 0E041604 1469B7A1 C6C4D1ED 10CFD5EF
  80991E7F DC25A40F E2A116D2 41C082FC F8789B54 D3D206ED 689E4EA5 D04EC5A3
  B9B8776B C1241F54 E2BD869B FD9451FC 87C2CFD3 4DC6277E FA1398E7 BE431897
  B67D5848 BFC9E29C 733FB64B CEB75CD8 EB5466B9 30D2BB12 A63F01A5
  quit
username manh privilege 15 password 0 123
!
Class-maps (listed here in summary): telnet matches access-group 102, netmeeting matches access-group 101, ssh matches access-group 103 and rtp matches access-group 100.
!
policy-map Marking-IN-1
 class rtp
  set dscp cs6
 class netmeeting
  set dscp cs5
 class telnet
  set dscp cs4
 class ssh
  set dscp cs3
!
interface FastEthernet0/0
 ip address 10.0.0.151 255.0.0.0
 ip virtual-reassembly
 duplex auto
 speed auto
 priority-group 1
 service-policy input Marking-IN-1
!
interface Serial0/0
 ip address 204.0.0.152 255.255.255.0
 ip virtual-reassembly
 priority-group 1
 clock rate 2000000
 service-policy input Marking-IN-1
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 no ip address
 shutdown
 clock rate 2000000
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
ip http server
ip http secure-server
!
Access-lists and SNMP (listed here in summary): TCP and UDP port 3230 are permitted for class rtp; TCP port 3389 for class netmeeting; TCP port 23 for class telnet; TCP port 22 for class ssh. SNMP is configured with community string "private" and read-write access.
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 login local
 transport input telnet ssh
Frame Relay switch configuration
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
ip cef
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
 clock rate 2000000
 frame-relay intf-type dce
 frame-relay route 34 interface Serial0/1 43
 frame-relay route 56 interface Serial0/2 65
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 no ip address
 encapsulation frame-relay
 clock rate 2000000
 frame-relay intf-type dce
 frame-relay route 43 interface Serial0/0 34
!
interface Serial0/2
 no ip address
 encapsulation frame-relay
 clock rate 2000000
 frame-relay intf-type dce
 frame-relay route 65 interface Serial0/0 56
!
interface Serial0/3
 no ip address
 shutdown
 clock rate 2000000
!
no ip http server
no ip http secure-server
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
Screenshots of the packets captured in Wireshark
Connecting the server to the Internet through the topology
To give the server Internet access through the lab topology, use Windows Internet Connection Sharing (ICS). On the host's Loopback 2 adapter, either set it to obtain an address automatically or enter 192.168.137.1 with subnet mask 255.255.255.0 manually; this is the address Windows assigns itself when ICS is enabled.
On the physical NIC or Wi-Fi adapter, share the Internet connection with the Loopback 2 adapter.
On R1, FastEthernet0/1 is connected to the Loopback 2 adapter and configured with ip address dhcp; once F0/1 obtains an address from Windows, R1 has a path to the Internet.
R1 performs NAT overload for that path (ip nat inside source list 1 interface FastEthernet0/1 overload), with F0/1 as the outside interface and the Frame Relay subinterfaces toward the server side (S0/0.56 and S0/0.65) as inside interfaces; access-list 1 permits any source, so everything arriving on an inside interface is translated. R3, R4 and R6 carry a default route toward R1 (R3 via S0/0.65, R4 and R6 via S0/0), so traffic from the rest of the topology is forwarded to R1 and translated to its 192.168.137.x address before reaching the Internet.
On the server, add a DNS server (8.8.8.8) so names resolve and Internet sites can be reached.
Screenshot: the server running tracert 8.8.8.8 and browsing www.google.com.vn
Sending traps to a mobile phone
Use PRTG Network Monitor to monitor R3 over SNMP so the device's operating state is tracked. To react to incidents faster, subscribe to an SMS messaging service and configure PRTG to send an alert by text message when R3 changes or has a problem. Besides PRTG, ActiveXperts Monitor can also monitor the network and send SMS automatically. The configuration-change trap itself is enabled on R3 (traps for link status, system events and configuration changes, sent to snmp-server host 10.0.0.152 with community "public"); the screenshots below show the PRTG ping and HTTP sensors alarming for R3.
Screenshot: the PRTG dashboard when R3 cannot be pinged or reached over HTTP
Screenshot: the text message received from PRTG when R3 has a problem.
Traffic priority shown from high to low in the DSCP field, in the order:
RTP cs6, Netmeeting cs5, Telnet cs4, SSH cs3.
In 6-bit DSCP values this is 48 > 40 > 32 > 24, which matches the order required in 3.7. These markings are applied inbound by Marking-IN-1 (service-policy input Marking-IN-1 on each listed interface). Note that LLQ-OUT-2, the policy-map that carries the 25% and 15% priority allocations of requirement 3.8, is defined on R1, R3 and R4 but is not attached to any interface with service-policy output in the listings above, so those allocations are not enforced on any link as configured.
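Requirement 3.1 asks for the flows through R4's S0/0 to be shown with full IP addresses, and 3.7 asks for the DSCP order to be visible. R4 exports NetFlow version 5 to 10.0.0.152 on UDP 9996 (ip flow-export version 5), and each v5 flow record carries source and destination address, ports, protocol and the IP ToS byte, whose top six bits are the DSCP that Marking-IN-1 set. The following decoder is an added example for this page, not part of the lab or of any NetFlow collector; the header and record layout it uses is the fixed 24-byte header plus 48-byte record of NetFlow v5, and the datagram it parses is constructed here (one flow per class of Marking-IN-1 plus an unmarked DNS flow, using addresses from the lab), not a real capture.

```python
"""Decode NetFlow v5 export datagrams and read each flow's DSCP (added example)."""
import socket
import struct
from typing import Dict, List

# NetFlow v5 header: version, count, sys_uptime, unix_secs, unix_nsecs,
# flow_sequence, engine_type, engine_id, sampling_interval (24 bytes)
HEADER = struct.Struct("!HHIIIIBBH")
# NetFlow v5 record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets,
# first, last, srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as,
# src_mask, dst_mask, pad2 (48 bytes)
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

PROTO = {6: "tcp", 17: "udp"}
# Classification used by the lab's access-lists 100-103: (protocol, port) -> class-map name
LAB_CLASSES = {("udp", 3230): "rtp", ("tcp", 3389): "netmeeting",
               ("tcp", 23): "telnet", ("tcp", 22): "ssh"}
# DSCP class selectors set by Marking-IN-1, as 6-bit DSCP values
CS = {"cs6": 48, "cs5": 40, "cs4": 32, "cs3": 24}


def build_record(src: str, dst: str, proto: int, sport: int, dport: int, dscp: int) -> bytes:
    """One v5 flow record; the ToS byte carries DSCP in its top six bits."""
    return RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), socket.inet_aton("0.0.0.0"),
                       1, 2, 10, 1200, 1000, 2000, sport, dport,
                       0, 0x18 if proto == 6 else 0, proto, dscp << 2, 0, 0, 8, 8, 0)


def build_datagram(records: List[bytes]) -> bytes:
    header = HEADER.pack(5, len(records), 123456, 1336000000, 0, 1, 0, 0, 0)
    return header + b"".join(records)


# Constructed sample export (not a capture): 20.0.0.152 is on the host side, 10.0.0.152 is the server
DATAGRAM = build_datagram([
    build_record("20.0.0.152", "10.0.0.152", 17, 3230, 3230, CS["cs6"]),  # RTP
    build_record("20.0.0.152", "10.0.0.152", 6, 49152, 3389, CS["cs5"]),  # Netmeeting
    build_record("20.0.0.152", "203.0.0.152", 6, 49153, 23, CS["cs4"]),   # Telnet
    build_record("10.0.0.152", "20.0.0.151", 6, 49154, 22, CS["cs3"]),    # SSH
    build_record("20.0.0.152", "8.8.8.8", 17, 49155, 53, 0),              # DNS, unmarked
])


def classify(proto: str, sport: int, dport: int) -> str:
    """Map a flow to the lab class-map it would hit, by either port."""
    for port in (dport, sport):
        name = LAB_CLASSES.get((proto, port))
        if name:
            return name
    return "other"


def parse_netflow_v5(data: bytes) -> List[Dict]:
    if len(data) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, *_ = HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError(f"unexpected NetFlow version {version}")
    # count comes from the sender: check it against the real length before trusting it
    if len(data) != HEADER.size + count * RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        r = RECORD.unpack_from(data, HEADER.size + i * RECORD.size)
        proto = PROTO.get(r[13], str(r[13]))
        flows.append({
            "src": socket.inet_ntoa(r[0]), "dst": socket.inet_ntoa(r[1]),
            "proto": proto, "sport": r[9], "dport": r[10],
            "packets": r[5], "bytes": r[6],
            "dscp": r[14] >> 2,  # ToS byte >> 2 is the 6-bit DSCP
            "cls": classify(proto, r[9], r[10]),
        })
    return flows


def dscp_order(flows: List[Dict]) -> List[str]:
    """Lab classes present in the export, ordered by descending DSCP."""
    best: Dict[str, int] = {}
    for f in flows:
        if f["cls"] != "other":
            best[f["cls"]] = max(best.get(f["cls"], 0), f["dscp"])
    return sorted(best, key=best.__getitem__, reverse=True)


if __name__ == "__main__":
    flows = parse_netflow_v5(DATAGRAM)
    for f in flows:
        print(f"{f['src']:>12} -> {f['dst']:<12} {f['proto']}/{f['dport']:<5} dscp={f['dscp']:2} {f['cls']}")
    print("priority order:", dscp_order(flows))
```

To run it against the lab's real export, bind a UDP socket on 10.0.0.152:9996 and pass each received datagram to parse_netflow_v5; the length check matters there because the count field is taken from the packet and a short or padded datagram would otherwise be mis-parsed. The same DSCP values can be confirmed in Wireshark with the display filter ip.dsfield.dscp == 48 for the RTP flows.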