

Re: Cisco IOS Cookbook (condensed Chinese edition)
Posted by: 网站管理员 (site administrator)
Chapter 11: Queuing and Congestion

11.1. Fast Switching and CEF

Problem: Configure the router to use the most efficient packet-switching method

Solution

Fast switching is enabled by default

Router#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#interface FastEthernet0/0

Router(config-if)#ip route-cache

Router(config-if)#exit

Router(config)#end

Router#

If policy routing is used, the following command is needed

Router#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#interface FastEthernet0/0

Router(config-if)#ip route-cache policy

Router(config-if)#exit

Router(config)#end

Router#

CEF is not enabled by default; enable it globally and on the interface

Router#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#ip cef

Router(config)#interface FastEthernet0/0

Router(config-if)#ip route-cache cef

Router(config-if)#exit

Router(config)#end

Router#

Discussion: Besides the policy keyword above, the following keyword allows packets to be fast-switched back out the same physical interface they arrived on

Router(config)#interface Serial0/0

Router(config-if)#ip route-cache same-interface

Verify with the following commands: show cef interface, show cef drop, show cef not-cef-switched and show ip cef

11.2. Setting the DSCP or TOS Bits

Problem: Have the router mark the DSCP or TOS bits of specific packets

Solution

Router#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#access-list 101 permit tcp any eq ftp any

Router(config)#access-list 101 permit tcp any any eq ftp

Router(config)#access-list 102 permit tcp any eq ftp-data any

Router(config)#access-list 102 permit tcp any any eq ftp-data

Router(config)#class-map match-all ser00-ftpcontrol

Router(config-cmap)#description branch ftp control traffic

Router(config-cmap)#match input-interface serial0/0

Router(config-cmap)#match access-group 101

Router(config-cmap)#exit

Router(config)#class-map match-all ser00-ftpdata

Router(config-cmap)#description branch ftp data traffic

Router(config-cmap)#match input-interface serial0/0

Router(config-cmap)#match access-group 102

Router(config-cmap)#exit

Router(config)#policy-map serialftppolicy

Router(config-pmap)#description branch ftp traffic policy

Router(config-pmap)#class ser00-ftpcontrol

Router(config-pmap-c)#set ip precedence immediate

Router(config-pmap-c)#exit

Router(config-pmap)#class ser00-ftpdata

Router(config-pmap-c)#set ip precedence priority

Router(config-pmap-c)#exit

Router(config-pmap)#exit

Router(config)#interface serial0/0

Router(config-if)#ip route-cache policy

Router(config-if)#service-policy input serialftppolicy

Router(config-if)#exit

Router(config)#end

Router#

Discussion: First use a class-map to define the traffic of interest, then use a policy-map to mark the TOS bits

11.3. Using Priority Queuing

Problem: Use strict priority queuing to ensure high-priority traffic is always processed first

Solution

Router#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#access-list 101 permit ip any any precedence 5 tos 12

Router(config)#access-list 102 permit ip any any precedence 4

Router(config)#access-list 103 permit ip any any precedence 3

Router(config)#priority-list 1 protocol ip high list 101

Router(config)#priority-list 1 protocol ip medium list 102

Router(config)#priority-list 1 protocol ip normal list 103

Router(config)#priority-list 1 default low

Router(config)#interface Ethernet0

Router(config-if)#priority-group 1

Router(config-if)#exit

Router(config)#end

Router#

Discussion: Pure priority queuing can let high-priority traffic consume all of the bandwidth. precedence 5 tos 12 is equivalent to dscp ef. By default, unmatched packets go into the normal priority queue; this example explicitly places them in the low queue. The show interface command shows the default size of each queue (20 packets for high, 40 for medium, increasing from there)

Output queue (queue priority: size/max/drops):

high: 0/20/0, medium: 0/40/0, normal 0/60/0, low 0/80/0

These sizes can be changed with the Router(config)#priority-list 1 queue-limit 10 15 25 35 command. LLQ or CBWFQ is recommended instead of pure priority queuing

11.4. Using Custom Queuing

Problem: Share bandwidth among custom queues according to the IP precedence of the traffic

Solution

Router#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#access-list 103 permit ip any any precedence 5

Router(config)#access-list 104 permit ip any any precedence 4

Router(config)#access-list 105 permit ip any any precedence 3

Router(config)#access-list 106 permit ip any any precedence 2

Router(config)#access-list 107 permit ip any any precedence 1

Router(config)#queue-list 1 protocol ip 3 list 103

Router(config)#queue-list 1 protocol ip 4 list 104

Router(config)#queue-list 1 protocol ip 5 list 105

Router(config)#queue-list 1 queue 5 byte-count 3000 limit 55

Router(config)#queue-list 1 protocol ip 6 list 106

Router(config)#queue-list 1 protocol ip 7 list 107

Router(config)#queue-list 1 default 8

Router(config)#interface HSSI0/0

Router(config-if)#custom-queue-list 1

Router(config-if)#exit

Router(config)#end

Router#

Discussion: Configuring custom queuing creates 16 user queues and 1 system queue.

Queuing strategy: custom-list 1

Output queues: (queue #: size/max/drops)

0: 0/20/0 1: 0/20/0 2: 0/20/0 3: 0/20/0 4: 0/20/0

5: 0/55/3 6: 5/20/0 7: 0/20/0 8: 0/20/0 9: 0/20/0

10: 0/20/0 11: 0/20/0 12: 0/20/0 13: 0/20/0 14: 0/20/0

15: 0/20/0 16: 0/20/0

By default, custom queuing does not assign unclassified traffic to any queue, so a default queue must be configured. By default each queue is serviced for 1500 bytes per pass and can hold at most 20 packets; this can be changed with the queue-list 1 queue 5 byte-count 3000 limit 55 command.

Note that this queuing method is byte-based rather than packet-based, so flows with small packets send relatively more packets per pass, but overall the traffic is evened out. This is also a fairly old approach; CBWFQ is recommended

11.5. Mixing Custom Queuing and Priority Queuing

Problem: Process high-priority traffic first while lower-priority traffic shares the bandwidth

Solution

Router#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#access-list 101 permit ip any any precedence 7

Router(config)#access-list 102 permit ip any any precedence 6

Router(config)#access-list 103 permit ip any any precedence 5

Router(config)#access-list 104 permit ip any any precedence 4

Router(config)#access-list 105 permit ip any any precedence 3

Router(config)#access-list 106 permit ip any any precedence 2

Router(config)#access-list 107 permit ip any any precedence 1

Router(config)#queue-list 1 protocol ip 1 list 101

Router(config)#queue-list 1 protocol ip 2 list 102

Router(config)#queue-list 1 protocol ip 3 list 103

Router(config)#queue-list 1 protocol ip 4 list 104

Router(config)#queue-list 1 protocol ip 5 list 105

Router(config)#queue-list 1 protocol ip 6 list 106

Router(config)#queue-list 1 protocol ip 7 list 107

Router(config)#queue-list 1 lowest-custom 4

Router(config)#interface HSSI0/0

Router(config-if)#custom-queue-list 1

Router(config-if)#exit

Router(config)#end

Router#

Discussion: Compared with 11.4 there is one extra command, queue-list 1 lowest-custom 4, which makes queues 1, 2 and 3 priority queues

11.6. Using Weighted Fair Queuing

Problem: Forward packets according to their TOS/DSCP bits

Solution

By default WFQ is enabled automatically on interfaces slower than 2 Mbps

Router#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#interface Serial0/0

Router(config-if)#fair-queue 64 512 10

Router(config-if)#exit

Router(config)#end

Router#

Discussion: WFQ still works without TOS/DSCP marking. The command takes three parameters: the first is the congestive discard threshold; once a queue exceeds 64 packets, further packets are dropped. The second is the number of dynamic queues, a multiple of 16; increase it if the interface carries many flows. The third is the number of queues reserved for RSVP, which defaults to 0.

11.7. Using Class-Based Weighted Fair Queuing

Problem: Configure class-based weighted fair queuing on an interface

Solution

Router#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#class-map highprec

Router(config-cmap)#description Highest priority Prec=5

Router(config-cmap)#match ip precedence 5

Router(config-cmap)#exit

Router(config)#class-map medhiprec

Router(config-cmap)#description Medium-high priority Prec=4

Router(config-cmap)#match ip precedence 4

Router(config-cmap)#exit

Router(config)#class-map medloprec

Router(config-cmap)#description Medium-low priority Prec=2,3

Router(config-cmap)#match ip precedence 2 3

Router(config-cmap)#exit

Router(config)#policy-map cbwfqpolicy

Router(config-pmap)#class highprec

Router(config-pmap-c)#bandwidth percent 25

Router(config-pmap-c)#exit

Router(config-pmap)#class medhiprec

Router(config-pmap-c)#bandwidth percent 25

Router(config-pmap-c)#exit

Router(config-pmap)#class medloprec

Router(config-pmap-c)#bandwidth percent 25

Router(config-pmap-c)#exit

Router(config-pmap)#class class-default

Router(config-pmap-c)#fair-queue 512

Router(config-pmap-c)#queue-limit 96

Router(config-pmap-c)#exit

Router(config-pmap)#exit

Router(config)#interface serial0/1

Router(config-if)#service-policy output cbwfqpolicy

Router(config-if)#exit

Router(config)#end

Router#

Discussion

11.8. Using NBAR

Problem: Use NBAR (Network Based Application Recognition) to identify and classify traffic at the application layer

Solution

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#ip cef

Router1(config)#class-map INTERACTIVE

Router1(config-cmap)#match protocol citrix

Router1(config-cmap)#match protocol telnet

Router1(config-cmap)#exit

Router1(config)#policy-map QoSPolicy

Router1(config-pmap)#class INTERACTIVE

Router1(config-pmap-c)#bandwidth percent 50

Router1(config-pmap-c)#set dscp ef

Router1(config-pmap-c)#exit

Router1(config-pmap)#class class-default

Router1(config-pmap-c)#bandwidth percent 20

Router1(config-pmap-c)#random-detect dscp-based

Router1(config-pmap-c)#exit

Router1(config-pmap)#exit

Router1(config)#interface FastEthernet0/0

Router1(config-if)#service-policy input QoSPolicy

Router1(config-if)#exit

Router1(config)#end

Router1#

Cisco provides PDLMs (Packet Description Language Modules) for download to enable additional NBAR classifications

Router1#show flash



System flash directory:

File Length Name/status

1 23169076 c2600-ipvoice-mz.124-10.bin

2 3100 bittorrent.pdlm

[23172304 bytes used, 9857836 available, 33030140 total]

32768K bytes of processor board System flash (Read/Write)



Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#ip nbar pdlm flash://bittorrent.pdlm

Router1(config)#class-map BITTORRENT

Router1(config-cmap)#match protocol bittorrent

Router1(config-cmap)#exit

Router1(config)#end

Router1#

NBAR can also be used to automatically discover and count the protocols on the network

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#interface FastEthernet0/0

Router1(config-if)#ip nbar protocol-discovery

Router1(config-if)#exit

Router1(config)#end

Router1#

Discussion: NBAR increases CPU utilization. Router1#show ip nbar protocol-discovery top-n 5 displays the traffic statistics for each protocol NBAR has recognized

11.9. Using WRED to Control Congestion

Problem

Solution

Router#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#class-map Prec5

Router(config-cmap)#description Critical

Router(config-cmap)#match ip precedence 5

Router(config-cmap)#exit

Router(config)#policy-map cb_wred

Router(config-pmap)#class Prec5

Router(config-pmap-c)#random-detect dscp-based

Router(config-pmap-c)#exit

Router(config-pmap)#class class-default

Router(config-pmap-c)#fair-queue 512

Router(config-pmap-c)#queue-limit 96

Router(config-pmap-c)#random-detect dscp-based

Router(config-pmap-c)#exit

Router(config-pmap)#exit

Router(config)#interface HSSI0/1

Router(config-if)#service-policy output cb_wred

Router(config-if)#exit

Router(config)#end

Router#



Discussion

11.10. Using RSVP

Problem: Enable RSVP on the network

Solution

Router#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#access-list 15 permit ip 192.168.1.0 0.0.0.255

Router(config)#interface FastEthernet0/0

Router(config-if)#ip rsvp bandwidth 128 56

Router(config-if)#ip rsvp neighbor 15

Router(config-if)#exit

Router(config)#end

Router#



Discussion: Before configuring RSVP, the interface must be configured with WFQ, CBWFQ, or WRED

11.11. Manual RSVP Reservations

Problem

Solution

The sender host (192.168.100.202) is attached to R1

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#interface FastEthernet0/0

Router1(config-if)#ip address 192.168.100.21 255.255.255.0

Router1(config-if)#ip rsvp bandwidth 128 56

Router1(config-if)#exit

Router1(config)#interface Serial0/0

Router1(config-if)#no ip address

Router1(config-if)#encapsulation frame-relay

Router1(config-if)#fair-queue 64 256 37

Router1(config-if)#ip rsvp bandwidth

Router1(config-if)#exit

Router1(config)#interface Serial0/0.1 point-to-point

Router1(config-subif)#ip address 192.168.55.9 255.255.255.252

Router1(config-subif)#frame-relay interface-dlci 904

Router1(config-fr-dlci)#ip rsvp bandwidth 128 56

Router1(config-subif)#exit

Router1(config)#ip rsvp sender 192.168.9.100 192.168.100.202 UDP 1300 1300 192.168.100.202 FastEthernet0/0 55 1

Router1(config)#end

Router1#

The receiver host (192.168.9.100) is attached to R4

Router4#configure terminal

Router4(config)#interface Ethernet0/0

Router4(config-if)#ip address 192.168.9.3 255.255.255.0

Router4(config-if)#ip rsvp bandwidth 128 56

Router4(config-if)#exit

Router4(config)#interface Serial0/0

Router4(config-if)#no ip address

Router4(config-if)#encapsulation frame-relay

Router4(config-if)#fair-queue 64 256 37

Router4(config-if)#ip rsvp bandwidth

Router4(config-if)#exit

Router4(config)#interface Serial0/0.1 point-to-point

Router4(config-subif)#ip address 192.168.56.5 255.255.255.252

Router4(config-subif)#frame-relay interface-dlci 107

Router4(config-fr-dlci)#ip rsvp bandwidth 128 56

Router4(config-subif)#exit

Router4(config)#ip rsvp reservation 192.168.9.100 192.168.100.202 UDP 1300 1300 192.168.9.100 Ethernet0/0 FF RATE 55 1

Router4(config)#end

Router4#

Discussion

11.12. Aggregating RSVP Reservations

Problem: Aggregate multiple RSVP reservations so that the core network does not have to track every individual flow

Solution

Router2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router2(config)#interface FastEthernet0/0

Router2(config-if)#ip address 192.168.101.1 255.255.255.0

Router2(config-if)#ip rsvp bandwidth 128 56

Router2(config-if)#ip rsvp data-packet classification none

Router2(config-if)#ip rsvp resource-provider none

Router2(config-if)#exit

Router2(config)#interface Serial0/0.1 point-to-point

Router2(config-subif)#ip address 192.168.55.10 255.255.255.252

Router2(config-subif)#frame-relay interface-dlci 409

Router2(config-fr-dlci)#ip rsvp bandwidth 128 56

Router2(config-subif)#ip rsvp data-packet classification none

Router2(config-subif)#ip rsvp resource-provider none

Router2(config-subif)#exit

Router2(config)#end

Router2#



Discussion: RSVP does not scale well, so the core network still uses traditional DSCP marking. IOS 12.2(2)T introduced a new way to address this: core routers are configured with RSVP so that they support RSVP requests, but they do not use the RSVP information when queuing

11.13. Using Generic Traffic Shaping

Problem

Solution

Discussion

11.14. Using Frame-Relay Traffic Shaping

Problem

Solution

Discussion

11.15. Using Committed Access Rate

Problem

Solution

Discussion

11.16. Implementing Standards-Based Per-Hop Behavior (PHB)

Problem: Configure standards-based PHBs according to the DSCP bits

Solution

Router#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#class-map EF

Router(config-cmap)#description Real-time application traffic

Router(config-cmap)#match ip precedence 5

Router(config-cmap)#exit

Router(config)#class-map AF1x

Router(config-cmap)#description Priority Class 1

Router(config-cmap)#match ip precedence 1

Router(config-cmap)#exit

Router(config)#class-map AF2x

Router(config-cmap)#description Priority Class 2

Router(config-cmap)#match ip precedence 2

Router(config-cmap)#exit

Router(config)#class-map AF3x

Router(config-cmap)#description Priority Class 3

Router(config-cmap)#match ip precedence 3

Router(config-cmap)#exit

Router(config)#class-map AF4x

Router(config-cmap)#description Priority Class 4

Router(config-cmap)#match ip precedence 4

Router(config-cmap)#exit

Router(config)#policy-map cbwfq_pq

Router(config-pmap)#class EF

Router(config-pmap-c)#priority 58 800

Router(config-pmap-c)#exit

Router(config-pmap)#class AF1x

Router(config-pmap-c)#bandwidth percent 15

Router(config-pmap-c)#random-detect dscp-based

Router(config-pmap-c)#exit

Router(config-pmap)#class AF2x

Router(config-pmap-c)#bandwidth percent 15

Router(config-pmap-c)#random-detect dscp-based

Router(config-pmap-c)#exit

Router(config-pmap)#class AF3x

Router(config-pmap-c)#bandwidth percent 15

Router(config-pmap-c)#random-detect dscp-based

Router(config-pmap-c)#exit

Router(config-pmap)#class AF4x

Router(config-pmap-c)#bandwidth percent 15

Router(config-pmap-c)#random-detect dscp-based

Router(config-pmap-c)#exit

Router(config-pmap)#class class-default

Router(config-pmap-c)#fair-queue 512

Router(config-pmap-c)#queue-limit 96

Router(config-pmap-c)#exit

Router(config-pmap)#exit

Router(config)#interface HSSI0/1

Router(config-if)#service-policy output cbwfq_pq

Router(config-if)#exit

Router(config)#end

Router#

Discussion

11.17. AutoQoS

Problem: Have the router automatically generate a QoS policy configuration for VoIP or general data traffic

Solution

The first is for VoIP traffic

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#ip cef

Router1(config)#interface Serial0/0

Router1(config-if)#no ip address

Router1(config-if)#encapsulation frame-relay

Router1(config-if)#exit

Router1(config)#interface Serial0/0.1 point-to-point

Router1(config-subif)#ip address 192.168.55.9 255.255.255.252

Router1(config-subif)#frame-relay interface-dlci 904

Router1(config-fr-dlci)#auto qos voip

%Creating new map-class.

Router1(config-fr-dlci)#exit

Router1(config-subif)#exit

Router1(config)#end

Router1#

*Mar 1 01:32:55.031: %RMON-5-FALLINGTRAP: Falling trap is generated because the value of cbQosCMDropBitRate.1169.1171 has fallen below the falling-threshold value 0

Router1#

For general IP traffic, the first step is collecting the traffic pattern

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#ip cef

Router1(config)#interface Serial0/0

Router1(config-if)#no ip address

Router1(config-if)#encapsulation frame-relay

Router1(config-if)#exit

Router1(config)#interface Serial0/0.1 point-to-point

Router1(config-subif)#ip address 192.168.55.9 255.255.255.252

Router1(config-subif)#frame-relay interface-dlci 904

Router1(config-fr-dlci)#auto discovery qos

Router1(config-fr-dlci)#exit

Router1(config-subif)#exit

Router1(config)#end

Router1#

The second step is generating the policy

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#interface Serial0/0.1 point-to-point

Router1(config-subif)#frame-relay interface-dlci 904

Router1(config-fr-dlci)#auto qos

%Creating new map-class.

Router1(config-fr-dlci)#no auto discovery qos

Router1(config-fr-dlci)#exit

Router1(config-subif)#exit

Router1(config)#end

Router1#

Discussion: AutoQoS is useful, but it has the following limitations: it only works on point-to-point links; it cannot be used together with frame maps or virtual templates; it cannot be used on SVCs; both ends must be configured at the same time; all service policies and access-groups must be removed, even those used on other interfaces; and CEF must be enabled. AutoQoS for VoIP was introduced in 12.2(15)T; it generates the configuration through a macro, which can be viewed with show auto qos. AutoQoS for general IP traffic was introduced in 12.3(7)T; it automatically classifies traffic into ten classes. Apply auto qos first, then remove the original discovery with no. Note that if you later decide to stop using AutoQoS, you can issue no auto qos, but much of the generated configuration cannot be removed automatically, so remember to save the earlier show auto qos output. AutoQoS is not a cure-all; use it with care

11.18. Viewing Queue Parameters

Problem: View the queue configuration of the current interface

Solution

Router#show queue FastEthernet0/0

Router#show queueing

Discussion: When priority queuing or custom queuing is configured, the show queue command produces no corresponding output

2007/3/5 22:19
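The post states in 11.3 that "precedence 5 tos 12" is the same marking as "dscp ef", and in 11.16 matches whole AF classes with "match ip precedence N". The following Python helper, added here as an example and not part of the original post, does the bit arithmetic behind both claims: it builds the IPv4 TOS byte from the IOS ACL keywords, converts it to a DSCP, and lists which named code points (RFC 2474 class selectors, RFC 2597 AF, RFC 3246 EF) a precedence match captures. The function names and the sample IPv4 header are constructed for this example.

```python
"""DSCP / IP precedence / TOS arithmetic for the markings used in chapter 11.

Added example (not from the original post). Mapping from IOS ACL keywords:
the IPv4 TOS byte is 3 precedence bits, 4 TOS bits (delay, throughput,
reliability, cost) and 1 must-be-zero bit; DSCP is the top 6 bits of it.
"""

# Named DiffServ code points: default, CS1-CS7, AF11-AF43, EF.
DSCP_NAMES = {0: "default", 46: "ef"}
DSCP_NAMES.update({8 * cs: f"cs{cs}" for cs in range(1, 8)})
DSCP_NAMES.update({8 * cls + 2 * drop: f"af{cls}{drop}"
                   for cls in range(1, 5) for drop in range(1, 4)})


def tos_byte_from_acl(precedence, tos):
    """Build the TOS byte selected by 'precedence P tos T' in an IOS ACL."""
    if not 0 <= precedence <= 7 or not 0 <= tos <= 15:
        raise ValueError("precedence is 0-7, tos is 0-15")
    return (precedence << 5) | (tos << 1)


def dscp_from_tos_byte(tos_byte):
    """DSCP is the upper six bits of the TOS byte."""
    return tos_byte >> 2


def precedence_of_dscp(dscp):
    """IP precedence is the upper three bits of the DSCP."""
    return dscp >> 3


def dscp_name(dscp):
    return DSCP_NAMES.get(dscp, f"dscp{dscp}")


def acl_precedence_tos_equals_dscp(precedence, tos, dscp):
    """True if 'precedence P tos T' selects exactly the packets marked 'dscp D'."""
    return dscp_from_tos_byte(tos_byte_from_acl(precedence, tos)) == dscp


def dscps_matched_by_precedence(precedence):
    """Every named DSCP that 'match ip precedence N' also selects."""
    return sorted(d for d in DSCP_NAMES if precedence_of_dscp(d) == precedence)


def classify_packet(ipv4_header):
    """Read the TOS byte (offset 1) of a raw IPv4 header; return
    (precedence, dscp, name)."""
    dscp = dscp_from_tos_byte(ipv4_header[1])
    return precedence_of_dscp(dscp), dscp, dscp_name(dscp)


# Constructed sample: minimal IPv4 header whose TOS byte is 0xB8 (EF).
SAMPLE_HEADER = bytes([0x45, 0xB8]) + bytes(18)

if __name__ == "__main__":
    print(hex(tos_byte_from_acl(5, 12)), dscp_name(dscp_from_tos_byte(0xB8)))
    for prec in range(1, 6):
        print(prec, [dscp_name(d) for d in dscps_matched_by_precedence(prec)])
    print(classify_packet(SAMPLE_HEADER))
```

Running it shows that precedence 5 with TOS 12 gives TOS byte 0xB8, DSCP 46 (EF), and that "match ip precedence 1" in 11.16 catches CS1 and AF11, AF12, AF13 together, which is why one precedence match per class is enough for an AFxy class in that recipe.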
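The discussion of 11.4 says custom queuing serves each queue for a byte-count per pass (1500 bytes by default, 3000 for queue 5 in the example), holds at most 20 packets per queue, and that because the quantum is in bytes a queue of small packets sends more packets yet gets a fair share of bytes. The Python model below, an added example and not the post's own code, simulates that round robin to show how byte-count and limit translate into bandwidth share and tail drops. It assumes whole packets are dequeued until the byte-count is met or exceeded; the queue numbers, packet sizes and queue depths are constructed.

```python
"""Model of the custom-queuing round robin described in recipe 11.4.

Added example, not from the original post. Assumption: on each pass a queue
dequeues whole packets until its byte-count is met or exceeded; a queue that
is full when a packet arrives tail-drops it (the 'drops' field of
'size/max/drops' in show interface).
"""
from collections import deque

DEFAULT_BYTE_COUNT = 1500   # bytes serviced per pass, as stated in 11.4
DEFAULT_LIMIT = 20          # packets a queue can hold, as stated in 11.4


class CustomQueue:
    def __init__(self, number, byte_count=DEFAULT_BYTE_COUNT, limit=DEFAULT_LIMIT):
        self.number = number
        self.byte_count = byte_count
        self.limit = limit
        self.packets = deque()
        self.drops = 0

    def enqueue(self, size):
        """Queue one packet of 'size' bytes; tail-drop if the queue is full."""
        if len(self.packets) >= self.limit:
            self.drops += 1
            return False
        self.packets.append(size)
        return True

    def service(self):
        """One pass: send whole packets until byte_count is met or exceeded."""
        sent = 0
        while self.packets and sent < self.byte_count:
            sent += self.packets.popleft()
        return sent


def run_passes(queues, passes):
    """Round-robin the queues; return bytes sent per queue number."""
    sent = {q.number: 0 for q in queues}
    for _ in range(passes):
        for q in queues:
            sent[q.number] += q.service()
    return sent


def bandwidth_share(sent):
    """Fraction of the bytes sent that each queue obtained."""
    total = sum(sent.values())
    return {n: round(b / total, 3) for n, b in sent.items()} if total else {}


def demo():
    # Constructed scenario: queue 3 carries 1500-byte packets, queue 4 carries
    # 64-byte packets with its limit raised to 40, queue 5 is configured as in
    # the post ('byte-count 3000 limit 55').
    q3 = CustomQueue(3)
    q4 = CustomQueue(4, limit=40)
    q5 = CustomQueue(5, byte_count=3000, limit=55)
    for _ in range(20):
        q3.enqueue(1500)
    for _ in range(60):          # 40 fit, 20 are tail-dropped
        q4.enqueue(64)
    for _ in range(55):
        q5.enqueue(1500)
    sent = run_passes([q3, q4, q5], passes=1)
    drops = {q.number: q.drops for q in (q3, q4, q5)}
    return sent, drops


if __name__ == "__main__":
    sent, drops = demo()
    print("bytes per pass:", sent)      # queue 4 sends 24 small packets, 1536 bytes
    print("share:", bandwidth_share(sent))
    print("drops:", drops)
```

In one pass queue 3 sends a single 1500-byte packet, queue 4 sends 24 packets of 64 bytes (1536 bytes, since the pass only stops once the count is exceeded), and queue 5 sends two packets for 3000 bytes: roughly a 1:1:2 split, which is the "byte-based, evened out overall" behaviour the post describes. The drop counter on queue 4 is what the "limit" keyword controls.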
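Recipes 11.3 and 11.4 quote the "size/max/drops" counters that show interface prints for priority and custom queues, and 11.3 warns that strict priority can starve lower queues. The parser below, added here as an example and not code from the original post, reads both output formats quoted in the post and flags queues that are dropping or close to their limit, which is the routine check after deploying one of these queuing policies. The regular expression, the function names and the alert threshold are this example's own assumptions; the sample text reuses the counter lines the post shows.

```python
"""Parse show interface queue counters (priority and custom queuing) and
flag queues that drop or are nearly full.

Added example, not from the original post. Assumes the two output formats
quoted in the post: 'name: size/max/drops' (priority queuing, the colon is
absent for some names) and 'N: size/max/drops' (custom queuing).
"""
import re

# Sample output: counter lines as quoted in the post, leading text constructed.
SAMPLE_PQ = """Output queue (queue priority: size/max/drops):
high: 0/20/0, medium: 0/40/0, normal 0/60/0, low 0/80/0"""

SAMPLE_CQ = """Queuing strategy: custom-list 1
Output queues: (queue #: size/max/drops)
0: 0/20/0 1: 0/20/0 2: 0/20/0 3: 0/20/0 4: 0/20/0
5: 0/55/3 6: 5/20/0 7: 0/20/0 8: 0/20/0 9: 0/20/0
10: 0/20/0 11: 0/20/0 12: 0/20/0 13: 0/20/0 14: 0/20/0
15: 0/20/0 16: 0/20/0"""

# queue name (word or number), optional colon, then size/max/drops
QUEUE_RE = re.compile(r"\b(\w+):?\s+(\d+)/(\d+)/(\d+)")


def parse_queue_counters(text):
    """Return {queue_name: (size, max, drops)} in output order."""
    return {m.group(1): tuple(int(g) for g in m.group(2, 3, 4))
            for m in QUEUE_RE.finditer(text)}


def queue_alerts(counters, fill_ratio=0.75):
    """List (queue, reason, value) for queues with drops or whose current
    depth is at or above fill_ratio of their limit."""
    alerts = []
    for name, (size, limit, drops) in counters.items():
        if drops > 0:
            alerts.append((name, "drops", drops))
        if limit and size / limit >= fill_ratio:
            alerts.append((name, "depth", size))
    return alerts


def starved_low_queues(counters):
    """For priority queuing: lower queues dropping while 'high' is not is the
    signature of the starvation the post warns about."""
    order = ["high", "medium", "normal", "low"]
    present = [q for q in order if q in counters]
    if not present or counters[present[0]][2] > 0:
        return []
    return [q for q in present[1:] if counters[q][2] > 0]


if __name__ == "__main__":
    for sample in (SAMPLE_PQ, SAMPLE_CQ):
        counters = parse_queue_counters(sample)
        print(len(counters), "queues; alerts:", queue_alerts(counters))
    print(starved_low_queues({"high": (0, 20, 0), "normal": (60, 60, 41)}))
```

On the custom-queue sample the parser finds all 17 queues and reports queue 5 with 3 drops; lowering the depth threshold also surfaces queue 6, which has 5 of 20 slots in use. Feeding this a periodic capture of show interface gives an early signal that a byte-count or limit needs adjusting before users notice.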


Re: Cisco IOS Cookbook (condensed Chinese edition)
Posted by: 网站管理员 (site administrator)
Chapter 12: Tunnels and VPNs


12.1. Creating a Tunnel

Problem: Carry IP traffic across the network through a tunnel

Solution

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#interface Tunnel1

Router1(config-if)#ip address 192.168.35.6 255.255.255.252

Router1(config-if)#tunnel source 172.25.1.5

Router1(config-if)#tunnel destination 172.25.1.7

Router1(config-if)#exit

Router1(config)#end

Router1#

Router5#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router5(config)#interface Tunnel3

Router5(config-if)#ip address 192.168.35.5 255.255.255.252

Router5(config-if)#tunnel source 172.25.1.7

Router5(config-if)#tunnel destination 172.25.1.5

Router5(config-if)#exit

Router5(config)#end

Router5#

Discussion: In the tunnel configuration, tunnel source Ethernet0 can also be used to bind the tunnel to an interface. The resulting virtual tunnel interface normally stays UP even when the far end is down. 12.2(8)T introduced the keepalive parameter to monitor the tunnel state: keepalive 3 2 sends a keepalive every 3 seconds, and if two are missed the interface is considered down. For packet integrity or to prevent out-of-order packets, tunnel checksum and tunnel sequence-datagrams can be configured, but note that GRE is not TCP: dropped packets are not retransmitted. The default tunnel mode is GRE; it can be changed with the tunnel mode ipip command. Because GRE encapsulates IP packets, MTU problems are unavoidable. For TCP connections ip tcp path-mtu-discovery can be used, but for non-TCP traffic over GRE, tunnel path-mtu-discovery is needed. Since 12.2(13)T, tunnel path-mtu-discovery min-mtu 500 defines a minimum MTU for safety

12.2. Tunneling Other Protocols over IP

Problem: Carry other protocols, such as IPX, across an IP network through a tunnel

Solution

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#ipx routing AAAA.BBBB.0001

Router1(config)#interface Tunnel1

Router1(config-if)#ipx network AAA

Router1(config-if)#tunnel source 172.25.1.5

Router1(config-if)#tunnel destination 172.25.1.7

Router1(config-if)#exit

Router1(config)#end

Router1#

Router5#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router5(config)#ipx routing AAAA.BBBB.0002

Router5(config)#interface Tunnel3

Router5(config-if)#ipx network AAA

Router5(config-if)#tunnel source 172.25.1.7

Router5(config-if)#tunnel destination 172.25.1.5

Router5(config-if)#exit

Router5(config)#end

Router5#

Discussion: Note that among the tunnel modes, only GRE supports IPX. Several different protocols can also be configured on the tunnel interface at the same time, so that multiple protocols are encapsulated in the one tunnel

Router1(config)#interface Tunnel1

Router1(config-if)#ip address 192.168.35.6 255.255.255.252

Router1(config-if)#ipx network AAA

Router1(config-if)#tunnel source 172.25.1.5

Router1(config-if)#tunnel destination 172.25.1.7

Router1(config-if)#exit

Router1(config)#end

Router1#

12.3. Tunnels and Dynamic Routing Protocols

Problem: Run a routing protocol through a tunnel

Solution

To make sure the route to the tunnel destination does not go through the tunnel interface itself, the first method is a static route

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#interface Tunnel1

Router1(config-if)#ip address 192.168.35.6 255.255.255.252

Router1(config-if)#tunnel source 172.25.1.5

Router1(config-if)#tunnel destination 172.22.1.2

Router1(config-if)#exit

Router1(config)#ip route 172.22.1.2 255.255.255.255 172.25.1.1

Router1(config)#router eigrp 55

Router1(config-router)#network 192.168.35.0

Router1(config-router)#exit

Router1(config)#end

Router1#

The second method runs a separate routing protocol on the tunnel interface, so that its address is excluded from the routing protocol of the underlying network

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#interface Tunnel1

Router1(config-if)#ip address 192.168.35.6 255.255.255.252

Router1(config-if)#tunnel source 172.25.1.5

Router1(config-if)#tunnel destination 172.22.1.2

Router1(config-if)#exit

Router1(config)#router eigrp 55

Router1(config-router)#network 172.22.0.0

Router1(config-router)#network 172.25.0.0

Router1(config-router)#exit

Router1(config)#router rip

Router1(config-router)#network 192.168.35.0

Router1(config-router)#exit

Router1(config)#end

Router1#

The third method is route filtering

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#interface Tunnel1

Router1(config-if)#ip address 192.168.35.6 255.255.255.252

Router1(config-if)#tunnel source 172.25.1.5

Router1(config-if)#tunnel destination 172.22.1.2

Router1(config-if)#exit

Router1(config)#ip prefix-list TUNNELROUTES seq 10 permit 192.168.0.0/16 ge 17

Router1(config)#router eigrp 55

Router1(config-router)#network 172.22.0.0

Router1(config-router)#network 172.25.0.0

Router1(config-router)#network 192.168.35.0

Router1(config-router)#distribute-list prefix TUNNELROUTES out Tunnel1

Router1(config-router)#exit

Router1(config)#end

Router1#



Discussion: The first two methods are simple but offer poor redundancy and scalability; the third is recommended

12.4. Viewing Tunnel Status

Problem: View the status of a tunnel

Solution

Router1#show interface Tunnel5

Router1#ping 192.168.66.6

Router1#ping 172.22.1.4



Discussion

12.5. Creating an Encrypted Router-to-Router VPN in a GRE Tunnel

Problem: Create an encrypted VPN between routers connected over the Internet, using pre-shared keys

Solution

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#crypto isakmp policy 10

Router1(config-isakmp)#encr aes 256

Router1(config-isakmp)#authentication pre-share

Router1(config-isakmp)#group 2

Router1(config-isakmp)#exit

Router1(config)#crypto isakmp key TUNNELKEY01 address 172.16.2.1 no-xauth

Router1(config)#crypto ipsec transform-set TUNNEL-TRANSFORM ah-sha-hmac esp-aes 256

Router1(cfg-crypto-trans)#mode transport

Router1(cfg-crypto-trans)#exit

Router1(config)#crypto map TUNNELMAP 10 ipsec-isakmp

% NOTE: This new crypto map will remain disabled until a peer

and a valid access list have been configured.

Router1(config-crypto-map)#set peer 172.16.2.1

Router1(config-crypto-map)#set transform-set TUNNEL-TRANSFORM

Router1(config-crypto-map)#match address 102

Router1(config-crypto-map)#exit

Router1(config)#access-list 102 permit gre host 172.16.1.1 host 172.16.2.1

Router1(config)#interface Tunnel1

Router1(config-if)#ip address 192.168.1.1 255.255.255.252

Router1(config-if)#tunnel source 172.16.1.1

Router1(config-if)#tunnel destination 172.16.2.1

Router1(config-if)#exit

Router1(config)#interface FastEthernet0/0

Router1(config-if)#ip address 172.16.1.1 255.255.255.0

Router1(config-if)#ip access-group 101 in

Router1(config-if)#crypto map TUNNELMAP

Router1(config-if)#exit

Router1(config)#access-list 101 permit gre host 172.16.2.1 host 172.16.1.1

Router1(config)#access-list 101 permit esp host 172.16.2.1 host 172.16.1.1

Router1(config)#access-list 101 permit udp host 172.16.2.1 host 172.16.1.1 eq isakmp

Router1(config)#access-list 101 permit ahp host 172.16.2.1 host 172.16.1.1

Router1(config)#access-list 101 deny ip any any log

Router1(config)#interface Loopback0

Router1(config-if)#ip address 192.168.16.1 255.255.255.0

Router1(config-if)#exit

Router1(config)#ip route 0.0.0.0 0.0.0.0 172.16.1.2

Router1(config)#ip route 192.168.15.0 255.255.255.0 192.168.1.2

Router1(config)#end

Router1#

Router2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router2(config)#crypto isakmp policy 10

Router2(config-isakmp)#encr aes 256

Router2(config-isakmp)#authentication pre-share

Router2(config-isakmp)#group 2

Router2(config-isakmp)#exit

Router2(config)#crypto isakmp key TUNNELKEY01 address 172.16.1.1

Router2(config)#crypto ipsec transform-set TUNNEL-TRANSFORM ah-sha-hmac esp-aes 256

Router2(cfg-crypto-trans)#mode transport

Router2(cfg-crypto-trans)#exit

Router2(config)#crypto map TUNNELMAP 10 ipsec-isakmp

% NOTE: This new crypto map will remain disabled until a peer

and a valid access list have been configured.

Router2(config-crypto-map)#set peer 172.16.1.1

Router2(config-crypto-map)#set transform-set TUNNEL-TRANSFORM

Router2(config-crypto-map)#match address 102

Router2(config-crypto-map)#exit

Router2(config)#access-list 102 permit gre host 172.16.2.1 host 172.16.1.1

Router2(config)#interface Tunnel1

Router2(config-if)#ip address 192.168.1.2 255.255.255.252

Router2(config-if)#tunnel source 172.16.2.1

Router2(config-if)#tunnel destination 172.16.1.1

Router2(config-if)#exit

Router2(config)#interface FastEthernet0/0

Router2(config-if)#ip address 172.16.2.1 255.255.255.0

Router2(config-if)#ip access-group 101 in

Router2(config-if)#crypto map TUNNELMAP

Router2(config-if)#exit

Router2(config)#access-list 101 permit gre host 172.16.1.1 host 172.16.2.1

Router2(config)#access-list 101 permit esp host 172.16.1.1 host 172.16.2.1

Router2(config)#access-list 101 permit udp host 172.16.1.1 host 172.16.2.1 eq isakmp

Router2(config)#access-list 101 permit ahp host 172.16.1.1 host 172.16.2.1

Router2(config)#access-list 101 deny ip any any log

Router2(config)#interface Loopback0

Router2(config-if)#ip address 192.168.15.1 255.255.255.0

Router2(config-if)#exit

Router2(config)#ip route 0.0.0.0 0.0.0.0 172.16.2.2

Router2(config)#ip route 192.168.16.0 255.255.255.0 192.168.1.1

Router2(config)#end

Router2#



Discussion: The first step is to use ISAKMP to create a suitable key-exchange policy. When the two sides negotiate SA parameters, they start from the policy with the lowest priority value; use show crypto isakmp policy to view the current policies. Then define the initial key with crypto isakmp key, which can be based on an IP address or a hostname; if it is hostname-based, the peer must be configured with crypto isakmp identity hostname. Verify with show crypto isakmp key. show crypto isakmp sa shows the state of the negotiated ISAKMP SA, and the final IPsec SA is viewed with show crypto ipsec sa. The next step is to define the IPsec transform set, which defines how matching packets are processed, and to set the IPsec mode: tunnel mode is the default, and transport mode is used for GRE. A GRE tunnel is simpler and more flexible than a traditional IPsec tunnel; for example, it can carry dynamic routing protocols. Finally, the crypto map command ties everything together. Note that the crypto map is applied to the interface that receives the GRE packets, not to the tunnel interface.

show crypto engine connections active displays the current connections

12.6. Creating an Encrypted VPN Between the LAN Interfaces of Two Routers

Problem: Create an encrypted VPN, using pre-shared keys, between two LAN interfaces connected over the Internet

Solution

R1

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#crypto isakmp policy 10

Router1(config-isakmp)#encr aes 256

Router1(config-isakmp)#authentication pre-share

Router1(config-isakmp)#group 2

Router1(config-isakmp)#exit

Router1(config)#crypto isakmp key TUNNELKEY01 address 172.16.2.1 no-xauth

Router1(config)#crypto ipsec transform-set LAN2LAN-TRANSFORM ah-sha-hmac esp-aes 256

Router1(cfg-crypto-trans)#exit

Router1(config)#access-list 102 permit gre host 172.16.1.1 host 172.16.2.1

Router1(config)#crypto map LAN2LANMAP 10 ipsec-isakmp

% NOTE: This new crypto map will remain disabled until a peer

and a valid access list have been configured.

Router1(config-crypto-map)#set peer 172.16.2.1

Router1(config-crypto-map)#set transform-set LAN2LAN-TRANSFORM

Router1(config-crypto-map)#match address 103

Router1(config-crypto-map)#exit

Router1(config)#access-list 103 permit ip 192.168.16.0 0.0.0.255 192.168.15.0 0.0.0.255

Router1(config)#interface FastEthernet0/1

Router1(config-if)#ip address 192.168.16.1 255.255.255.0

Router1(config-if)#exit

Router1(config)#interface FastEthernet0/0

Router1(config-if)#ip address 172.16.1.1 255.255.255.0

Router1(config-if)#ip access-group 101 in

Router1(config-if)#crypto map LAN2LANMAP

Router1(config-if)#exit

Router1(config)#ip route 0.0.0.0 0.0.0.0 172.16.1.2

Router1(config)#access-list 101 permit esp host 172.16.2.1 host 172.16.1.1

Router1(config)#access-list 101 permit udp host 172.16.2.1 host 172.16.1.1 eq isakmp

Router1(config)#access-list 101 permit ahp host 172.16.2.1 host 172.16.1.1

Router1(config)#access-list 101 deny ip any any log

Router1(config)#end

Router1#

R2

Router2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router2(config)#crypto isakmp policy 10

Router2(config-isakmp)#encr aes 256

Router2(config-isakmp)#authentication pre-share

Router2(config-isakmp)#group 2

Router2(config-isakmp)#exit

Router2(config)#crypto isakmp key TUNNELKEY01 address 172.16.1.1

Router2(config)#crypto ipsec transform-set LAN2LAN-TRANSFORM ah-sha-hmac esp-aes 256

Router2(cfg-crypto-trans)#exit

Router2(config)#crypto map LAN2LANMAP 10 ipsec-isakmp

% NOTE: This new crypto map will remain disabled until a peer

and a valid access list have been configured.

Router2(config-crypto-map)#set peer 172.16.1.1

Router2(config-crypto-map)#set transform-set LAN2LAN-TRANSFORM

Router2(config-crypto-map)#match address 103

Router2(config-crypto-map)#exit

Router2(config)#access-list 103 permit ip 192.168.15.0 0.0.0.255 192.168.16.0 0.0.0.255



Router2(config)#interface FastEthernet0/1

Router2(config-if)#description Internal LAN

Router2(config-if)#ip address 192.168.15.1 255.255.255.0

Router2(config-if)#exit

Router2(config)#interface FastEthernet0/0

Router2(config-if)#description Connection to Internet

Router2(config-if)#ip address 172.16.2.1 255.255.255.0

Router2(config-if)#crypto map LAN2LANMAP

Router2(config-if)#exit

Router2(config)#ip route 0.0.0.0 0.0.0.0 172.16.2.2

Router2(config)#access-list 101 permit esp host 172.16.1.1 host 172.16.2.1

Router2(config)#access-list 101 permit udp host 172.16.1.1 host 172.16.2.1 eq isakmp

Router2(config)#access-list 101 permit ahp host 172.16.1.1 host 172.16.2.1

Router2(config)#access-list 101 deny ip any any log

Router2(config)#end

Router2#



Discussion: The difference from the previous section is that 12.5 builds a routable encrypted VPN. There, mode transport was configured, while here the default IPsec tunnel mode is used. In the ACLs, the former permits GRE packets, while here it is the packets between the internal LAN interfaces, so here the two sites are bridged and in the former they are routed. We usually prefer the routed approach

12.7. Generating RSA Keys

Problem: Generate RSA keys to share for encryption or authentication

Solution

First generate R1's own public key

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#crypto key generate rsa

The name for the keys will be: Router1.oreilly.com

Choose the size of the key modulus in the range of 360 to 2048 for your

General Purpose Keys. Choosing a key modulus greater than 512 may take

a few minutes.



How many bits in the modulus [512]: 1024

Generating RSA keys ...

[OK]



Router1(config)#end

Router1#show crypto key mypubkey rsa

% Key pair was generated at: 01:19:45 EST Mar 1 2003

Key name: Router1.oreilly.com

Usage: General Purpose Key

Key Data:

30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00E68338

D561B2D1 7B8B75D6 7B34F6AF 1710B00B 5B6E9E8D D7183BE6 F08A6342 054EADFC

B764DF9C 4592B891 522727F2 14233B47 8F757134 24F03DB3 833C5988 312B11E9

FB6E0E20 4579C0A4 F2062353 4F1C8CE4 410EE57B 9FCEE784 DA7E3852 408E9742

2584DF56 67293F3F F76B6A96 C4D518FB 1A0114BF E2449838 BE5794E2 37020301 0001

% Key pair was generated at: 01:19:52 EST Mar 1 2003

Key name: Router1.oreilly.com.server

Usage: Encryption Key

Key Data:

307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00BD928A BD5637E6

2265621C 3AC57138 911CA27D 11F40AA1 E657EA26 6EBF654C 952A3319 D421A33C

E2ECA87E CD7E050C 8A8FE64D B73954EA BF2ED639 BC6A8F74 5B9550EA 4119E796

A97430E2 4B1BF7D3 ED1469FF AEA83690 A0FEA871 BBFBE8AD 19020301 0001

Router1#

Then copy and paste it into the peer router

Router2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router2(config)#crypto key pubkey-chain rsa

Router2(config-pubkey-chain)#addressed-key 192.168.99.1

Router2(config-pubkey-key)#address 192.168.99.1

Router2(config-pubkey-key)#key-string

Enter a public key as a hexidecimal number ....



Router2(config-pubkey)#30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00E68338

Router2(config-pubkey)#D561B2D1 7B8B75D6 7B34F6AF 1710B00B 5B6E9E8D D7183BE6 F08A6342 054EADFC

Router2(config-pubkey)#B764DF9C 4592B891 522727F2 14233B47 8F757134 24F03DB3 833C5988 312B11E9

Router2(config-pubkey)#FB6E0E20 4579C0A4 F2062353 4F1C8CE4 410EE57B 9FCEE784 DA7E3852 408E9742

Router2(config-pubkey)#2584DF56 67293F3F F76B6A96 C4D518FB 1A0114BF E2449838 BE5794E2 37020301 0001

Router2(config-pubkey)#quit

Router2(config-pubkey-key)#exit

Router2(config-pubkey-chain)#exit

Router2(config)#end

Router2#show crypto key pubkey-chain rsa address 192.168.99.1

Key address: 192.168.99.1

Usage: General Purpose Key

Source: Manually entered

Data:

30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00E68338

D561B2D1 7B8B75D6 7B34F6AF 1710B00B 5B6E9E8D D7183BE6 F08A6342 054EADFC

B764DF9C 4592B891 522727F2 14233B47 8F757134 24F03DB3 833C5988 312B11E9

FB6E0E20 4579C0A4 F2062353 4F1C8CE4 410EE57B 9FCEE784 DA7E3852 408E9742

2584DF56 67293F3F F76B6A96 C4D518FB 1A0114BF E2449838 BE5794E2 37020301 0001





Router2#

Note: Because the key includes the router's hostname and domain name, these must be configured first

Router1(config)#hostname Router1

Router1(config)#ip domain-name oreilly.com

If the configuration above is changed, the key becomes invalid. Use the command crypto key zeroize rsa to delete the current key.

12.8. Creating a router-to-router VPN with RSA keys

Problem: Create an encrypted VPN using RSA keys

Solution

R1

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#crypto key pubkey-chain rsa

Router1(config-pubkey-chain)#addressed-key 172.16.2.1

Router1(config-pubkey-key)#address 172.16.2.1

Router1(config-pubkey-key)#key-string

Enter a public key as a hexidecimal number ....

Router1(config-pubkey)#30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00EB0AB2

Router1(config-pubkey)#EA33B519 0CD95EFF EDFD4723 BED73640 97981CC0 1FC83FBF 5C6DF97C 8CB8CE0A

Router1(config-pubkey)#C5FE959D 1E055002 83B92EF4 35B69545 C3217E5F E0C32A73 44FD2373 15979E77

Router1(config-pubkey)#75598BE0 B4A4E7B2 3C318C2D 3BF3B192 8B71D8C9 A1E0F929 0E84BDAD EC909833

Router1(config-pubkey)#BC425170 400BD26A 319E632F 4E9649F5 BA7ADA40 5A94B09C 05F8414E 33020301 0001

Router1(config-pubkey)#quit

Router1(config-pubkey-key)#exit

Router1(config-pubkey-chain)#exit



Router1(config)#crypto isakmp policy 100

Router1(config-isakmp)#encryption aes 256

Router1(config-isakmp)#authentication rsa-encr

Router1(config-isakmp)#group 2

Router1(config-isakmp)#exit

Router1(config)#crypto ipsec transform-set TUNNEL-TRANSFORM ah-sha-hmac esp-aes 256

Router1(cfg-crypto-trans)#mode transport

Router1(cfg-crypto-trans)#exit

Router1(config)#crypto map TUNNEL-RSA 10 ipsec-isakmp

% NOTE: This new crypto map will remain disabled until a peer

and a valid access list have been configured.

Router1(config-crypto-map)#set peer 172.16.2.1

Router1(config-crypto-map)#set transform-set TUNNEL-TRANSFORM

Router1(config-crypto-map)#match address 102

Router1(config-crypto-map)#exit

Router1(config)#access-list 102 permit gre host 172.16.1.1 host 172.16.2.1

Router1(config)#interface Tunnel1

Router1(config-if)#ip address 192.168.1.1 255.255.255.252

Router1(config-if)#tunnel source 172.16.1.1

Router1(config-if)#tunnel destination 172.16.2.1

Router1(config-if)#exit

Router1(config)#interface FastEthernet0/0

Router1(config-if)#ip address 172.16.1.1 255.255.255.0

Router1(config-if)#ip access-group 101 in

Router1(config-if)#crypto map TUNNEL-RSA

Router1(config-if)#exit

Router1(config)#access-list 101 permit gre host 172.16.2.1 host 172.16.1.1

Router1(config)#access-list 101 permit esp host 172.16.2.1 host 172.16.1.1

Router1(config)#access-list 101 permit udp host 172.16.2.1 host 172.16.1.1 eq isakmp

Router1(config)#access-list 101 permit ahp host 172.16.2.1 host 172.16.1.1

Router1(config)#access-list 101 deny ip any any log

Router1(config)#end

Router1#

R2

Router2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router2(config)#crypto key pubkey-chain rsa

Router2(config-pubkey-chain)#addressed-key 172.16.1.1

Router2(config-pubkey-key)#address 172.16.1.1

Router2(config-pubkey-key)#key-string

Enter a public key as a hexidecimal number ....



Router2(config-pubkey)#30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00A0830E

Router2(config-pubkey)#01E4B6E1 08823E41 8A98A7F4 DB0E6277 1E7AA500 F7B620CA 49BCBEBA B0A0455A

Router2(config-pubkey)#114BA6B9 5ADE0D2E 7DC3EFC1 D7D07015 01C83E08 7305ED3C 71F04B44 31A1C574

Router2(config-pubkey)#C0E6ACA2 C191DB07 3D347F88 2D2884BF 99C2AF80 45BC1BE9 6D2BF684 B60C04E6

Router2(config-pubkey)#0F3D5C09 7C26694F 8FB75F90 2FA1DF46 94401D54 82ACA366 E621DD04 4B020301 0001

Router2(config-pubkey)#quit

Router2(config-pubkey-key)#exit

Router2(config-pubkey-chain)#exit

Router2(config)#crypto isakmp policy 100

Router2(config-isakmp)#encryption aes 256

Router2(config-isakmp)#authentication rsa-encr

Router2(config-isakmp)#group 2

Router2(config-isakmp)#exit

Router2(config)#crypto ipsec transform-set TUNNEL-TRANSFORM ah-sha-hmac esp-aes 256

Router2(cfg-crypto-trans)#mode transport

Router2(cfg-crypto-trans)#exit

Router2(config)#crypto map TUNNEL-RSA 10 ipsec-isakmp

Router2(config-crypto-map)#set peer 172.16.1.1

Router2(config-crypto-map)#set transform-set TUNNEL-TRANSFORM

Router2(config-crypto-map)#match address 102

Router2(config-crypto-map)#exit

Router2(config)#access-list 102 permit gre host 172.16.2.1 host 172.16.1.1

Router2(config)#interface Tunnel1

Router2(config-if)#ip address 192.168.1.2 255.255.255.252

Router2(config-if)#tunnel source 172.16.2.1

Router2(config-if)#tunnel destination 172.16.1.1

Router2(config-if)#exit

Router2(config)#interface FastEthernet0/0

Router2(config-if)#ip address 172.16.2.1 255.255.255.0

Router2(config-if)#ip access-group 101 in

Router2(config-if)#crypto map TUNNEL-RSA

Router2(config-if)#exit

Router2(config)#access-list 101 permit gre host 172.16.1.1 host 172.16.2.1

Router2(config)#access-list 101 permit esp host 172.16.1.1 host 172.16.2.1

Router2(config)#access-list 101 permit udp host 172.16.1.1 host 172.16.2.1 eq isakmp

Router2(config)#access-list 101 permit ahp host 172.16.1.1 host 172.16.2.1

Router2(config)#access-list 101 deny ip any any log

Router2(config)#end

Router2#

Note: Similar to 12.3 and 12.6

12.9. Creating a host-to-router VPN

Problem: VPN connections from remote hosts to the router

Solution

Only the router configuration is shown; the client software configuration on the host is not.

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#aaa new-model

Router1(config)#aaa authentication login default group tacacs+

Router1(config)#aaa authentication enable default group tacacs+

Router1(config)#tacacs-server host 172.25.1.1

Router1(config)#tacacs-server key NEOSHI

Router1(config)#crypto isakmp policy 10

Router1(config-isakmp)#encryption 3des

Router1(config-isakmp)#authentication pre-share

Router1(config-isakmp)#group 2

Router1(config-isakmp)#exit

Router1(config)#crypto ipsec transform-set VPN-TRANSFORMS ah-sha-hmac esp-sha-hmac esp-3des

Router1(cfg-crypto-trans)#mode tunnel

Router1(cfg-crypto-trans)#exit

Router1(config)#crypto dynamic-map VPN-USER-MAP 50

Router1(config-crypto-map)#description A dynamic crypto map for VPN users

Router1(config-crypto-map)#match address 115

Router1(config-crypto-map)#set transform-set VPN-TRANSFORMS

Router1(config-crypto-map)#exit

Router1(config)#access-list 115 deny any 224.0.0.0 35.255.255.255

Router1(config)#access-list 115 deny any 172.25.1.255 0.0.0.0

Router1(config)#access-list 115 permit any any

Router1(config)#crypto map CRYPTOMAP 10 ipsec-isakmp dynamic VPN-USER-MAP

Router1(config)#interface FastEthernet0/1

Router1(config-if)#ip address 172.25.1.5 255.255.255.0

Router1(config-if)#crypto map CRYPTOMAP

Router1(config-if)#exit

Router1(config)#exit

Router1#

Note: Because hosts may connect from any address, dynamic crypto maps are used here

12.10. Creating an SSL VPN

Problem: Create an SSL VPN using the router's WebVPN service

Solution

Core#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Core(config)#hostname Core

Core(config)#ip domain-name oreilly.com

Core(config)#aaa new-model

Core(config)#aaa authentication login local_auth local

Core(config)#username ijbrown secret ianspassword

Core(config)#username kdooley secret kevinspassword

Core(config)#crypto pki trustpoint WEBVPN

Core(ca-trustpoint)#enrollment selfsigned

Core(ca-trustpoint)#rsakeypair WEBVPN 1024

Core(ca-trustpoint)#subject-name CN=WEBVPN OU=cookbooks O=oreilly

Core(ca-trustpoint)#exit

Core(config)#crypto pki enroll WEBVPN

The router has already generated a Self Signed Certificate for

trustpoint TP-self-signed-3299111097.

If you continue the existing trustpoint and Self Signed Certificate

will be deleted.



Do you want to continue generating a new Self Signed Certificate? [yes/no]:yes

% Include the router serial number in the subject name? [yes/no]: no

% Include an IP address in the subject name? [no]: no

Generate Self Signed Router Certificate? [yes/no]: yes



Router Self Signed Certificate successfully created



Core(config)#interface Loopback0

Core(config-if)#ip address 172.25.100.2 255.255.255.255

Core(config-if)#exit

Core(config)#webvpn enable gateway-addr 172.25.100.2

Core(config)#webvpn

Core(config-webvpn)#ssl trustpoint WEBVPN

Core(config-webvpn)#ssl encryption 3des-sha1

Core(config-webvpn)#title "Cisco Cookbook WebVPN Portal"

Core(config-webvpn)#url-list COOKBOOKURLS

Core(config-webvpn-url)#heading "Cookbook URLs"

Core(config-webvpn-url)#url-text "Cisco Cookbook" url-value "http://www.oreilly.com/catalog/ciscockbk/"

Core(config-webvpn-url)#url-text "Perl Cookbook" url-value "http://www.oreilly.com/catalog/perlckbk2/"

Core(config-webvpn-url)#heading "Cisco URLs"

Core(config-webvpn-url)#url-text "The Books" url-value "http://www.oreilly.com/pub/topic/cisco"

Core(config-webvpn-url)#exit

Core(config-webvpn)#port-forward list SERVERLOGIN local-port 20003 remote-server 172.25.1.1 remote-port 23

Core(config-webvpn)#exit

Core(config)#end

Core#

Note: 12.3(14)T introduced the WebVPN service, but only on specific platforms; it supports only SSLv3, not TLS, and does not support the Cisco SSL VPN client software. A word on the final port-forward configuration: once a user is connected to WebVPN, a telnet to local port 20003 is forwarded to port 23 on 172.25.1.1.

12.11. Viewing IPsec status

Problem: View VPN status

Solution

Show ISAKMP security associations.

Router1#show crypto isakmp sa

IPSec security associations

Router1#show crypto ipsec sa

View active IPsec connections

Router1#show crypto engine connections active

View dropped packets

Router1#show crypto engine connections dropped-packet

View the configured IPsec crypto maps

Router1#show crypto map

For dynamic crypto maps

Router1#show crypto dynamic-map

2007/3/5 22:21
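As an added check for recipe 12.7 (not code from the original post or from IOS), this Python parses the hex blob that show crypto key mypubkey rsa prints, confirms the modulus size and public exponent, and derives a fingerprint so the key pasted into the peer's pubkey-chain can be compared with the one the owner displayed. The key bytes are the ones in the transcript above; the small DER parser and the fingerprint helper are my own.

```python
"""Parse the hex public-key blob printed by IOS and fingerprint it for comparison.

The blob is a DER SubjectPublicKeyInfo (rsaEncryption + PKCS#1 RSAPublicKey), which
is all this minimal parser understands.
"""
import hashlib
import re

# Key data exactly as printed by Router1 in recipe 12.7 (hex words, any whitespace).
ROUTER1_MYPUBKEY = """
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00E68338
D561B2D1 7B8B75D6 7B34F6AF 1710B00B 5B6E9E8D D7183BE6 F08A6342 054EADFC
B764DF9C 4592B891 522727F2 14233B47 8F757134 24F03DB3 833C5988 312B11E9
FB6E0E20 4579C0A4 F2062353 4F1C8CE4 410EE57B 9FCEE784 DA7E3852 408E9742
2584DF56 67293F3F F76B6A96 C4D518FB 1A0114BF E2449838 BE5794E2 37020301 0001
"""

RSA_ENCRYPTION_OID = bytes.fromhex("2A864886F70D010101")   # 1.2.840.113549.1.1.1


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def parse_ios_rsa_pubkey(hex_text: str) -> dict:
    """Return modulus size, public exponent and a SHA-256 fingerprint of the DER blob."""
    der = bytes.fromhex(re.sub(r"\s+", "", hex_text))
    tag, spki, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SubjectPublicKeyInfo SEQUENCE")
    tag, alg, pos = _read_tlv(spki, 0)       # AlgorithmIdentifier SEQUENCE
    oid_tag, oid, _ = _read_tlv(alg, 0)
    if oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _read_tlv(spki, pos)    # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("malformed BIT STRING")
    _, rsa_pub, _ = _read_tlv(bitstr, 1)     # skip the unused-bits byte
    _, n_bytes, pos = _read_tlv(rsa_pub, 0)  # INTEGER modulus (leading 0x00 keeps it positive)
    _, e_bytes, _ = _read_tlv(rsa_pub, pos)  # INTEGER publicExponent
    n = int.from_bytes(n_bytes, "big")
    e = int.from_bytes(e_bytes, "big")
    return {
        "modulus_bits": n.bit_length(),
        "exponent": e,
        "modulus_odd": n % 2 == 1,
        "fingerprint_sha256": hashlib.sha256(der).hexdigest(),
    }


def pasted_key_matches(shown_hex: str, pasted_hex: str) -> bool:
    """True when the key pasted on the peer is byte-for-byte the key the owner displayed."""
    return (parse_ios_rsa_pubkey(shown_hex)["fingerprint_sha256"]
            == parse_ios_rsa_pubkey(pasted_hex)["fingerprint_sha256"])


if __name__ == "__main__":
    info = parse_ios_rsa_pubkey(ROUTER1_MYPUBKEY)
    print(f"RSA-{info['modulus_bits']} e={info['exponent']} "
          f"sha256={info['fingerprint_sha256']}")
```

Run it against the output of show crypto key pubkey-chain rsa on the peer; a single mistyped hex word changes the fingerprint.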


Re: Cisco IOS Cookbook (Chinese condensed edition)
Posted by: site administrator (registered member, 56 posts)
Chapter 13: Dial Backup

13.1. Automatic dial backup

Problem: Automatically dial a backup link when the WAN link fails

Solution

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#interface BRI0/0

Router1(config-if)#ip address 10.1.99.55 255.255.255.0

Router1(config-if)#encapsulation ppp

Router1(config-if)#dialer idle-timeout 300

Router1(config-if)#dialer map ip 10.1.99.1 name dialhost broadcast 95551212

Router1(config-if)#dialer load-threshold 50 either

Router1(config-if)#dialer-group 1

Router1(config-if)#isdn switch-type basic-ni

Router1(config-if)#isdn spid1 800555123400 5551234

Router1(config-if)#isdn spid2 800555123500 5551235

Router1(config-if)#ppp authentication chap

Router1(config-if)#ppp multilink

Router1(config-if)#exit

Router1(config)#username dialhost password dialpassword

Router1(config)#ip route 0.0.0.0 0.0.0.0 10.1.99.1 180

Router1(config)#dialer-list 1 protocol ip list 101

Router1(config)#access-list 101 deny eigrp any any

Router1(config)#access-list 101 permit ip any any

Router1(config)#router eigrp 55

Router1(config-router)#network 10.0.0.0

Router1(config-router)#end

Router1#

Note: isdn switch-type defines the type of ISDN switch at the far end; in China basic-net3 is used. Use Router1#show isdn status to view the current status

Router1#show isdn status

Global ISDN Switchtype = basic-ni

ISDN BRI1/0 interface

dsl 8, interface ISDN Switchtype = basic-ni

Layer 1 Status:

ACTIVE

Layer 2 Status:

TEI = 85, Ces = 1, SAPI = 0, State = MULTIPLE_FRAME_ESTABLISHED

TEI = 86, Ces = 2, SAPI = 0, State = MULTIPLE_FRAME_ESTABLISHED

TEI 85, ces = 1, state = 8(established)

spid1 configured, spid1 sent, spid1 valid

TEI 86, ces = 2, state = 8(established)

spid2 configured, spid2 sent, spid2 valid

Layer 3 Status:

0 Active Layer 3 Call(s)

Activated dsl 8 CCBs = 0

The Free Channel Mask: 0x80000003

Total Allocated ISDN CCBs = 2

Router1#

Note that once interesting traffic has triggered the call and the link is up, all data can pass, not only the interesting traffic

13.2. Using dialer interfaces

Problem: Bundle multiple physical interfaces into one dialer interface

Solution

Bundling two ISDN BRI interfaces

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#interface BRI0/0

Router1(config-if)#encapsulation ppp

Router1(config-if)#dialer pool-member 1

Router1(config-if)#isdn switch-type basic-ni

Router1(config-if)#isdn spid1 800555123400 5551234

Router1(config-if)#isdn spid2 800555123500 5551235

Router1(config-if)#ppp authentication chap

Router1(config-if)#exit

Router1(config)#interface BRI0/1

Router1(config-if)#encapsulation ppp

Router1(config-if)#dialer pool-member 1

Router1(config-if)#isdn switch-type basic-ni

Router1(config-if)#isdn spid1 800555123600 5551236

Router1(config-if)#isdn spid2 800555123700 5551237

Router1(config-if)#ppp authentication chap

Router1(config-if)#exit

Router1(config)#interface Dialer1

Router1(config-if)#ip address 10.1.99.55 255.255.255.0

Router1(config-if)#encapsulation ppp

Router1(config-if)#dialer remote-name dialhost

Router1(config-if)#dialer pool 1

Router1(config-if)#dialer idle-timeout 300

Router1(config-if)#dialer string 95551212

Router1(config-if)#dialer load-threshold 50 either

Router1(config-if)#dialer-group 1

Router1(config-if)#ppp authentication chap

Router1(config-if)#ppp multilink

Router1(config-if)#exit

Router1(config)#username dialhost password dialpassword

Router1(config)#ip route 0.0.0.0 0.0.0.0 10.1.99.1 180

Router1(config)#dialer-list 1 protocol ip list 101

Router1(config)#access-list 101 deny eigrp any any

Router1(config)#access-list 101 permit ip any any

Router1(config)#router eigrp 55

Router1(config-router)#network 10.0.0.0

Router1(config-router)#end

Router1#

Host side

dialhost#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

dialhost(config)#username Router1 password dialpassword

dialhost(config)#controller T1 0

dialhost(config-controller)#framing esf

dialhost(config-controller)#clock source line primary

dialhost(config-controller)#linecode b8zs

dialhost(config-controller)#pri-group timeslots 1-24

dialhost(config-controller)#exit

dialhost(config)#interface Serial0:23

dialhost(config-if)#encapsulation ppp

dialhost(config-if)#dialer rotary-group 1

dialhost(config-if)#dialer-group 1

dialhost(config-if)#isdn switch-type primary-dms100

dialhost(config-if)#isdn not-end-to-end 56

dialhost(config-if)#exit

dialhost(config)#interface Dialer1

dialhost(config-if)#ip address 10.1.99.1 255.255.255.0

dialhost(config-if)#encapsulation ppp

dialhost(config-if)#dialer in-band

dialhost(config-if)#dialer idle-timeout 300

dialhost(config-if)#dialer-group 1

dialhost(config-if)#no peer default ip address

dialhost(config-if)#ppp authentication chap

dialhost(config-if)#ppp multilink

dialhost(config-if)#exit

dialhost(config)#access-list 101 deny eigrp any any

dialhost(config)#access-list 101 permit ip any any

dialhost(config)#dialer-list 1 protocol ip list 101

dialhost(config)#router eigrp 55

dialhost(config-router)#network 10.0.0.0

dialhost(config-router)#exit

dialhost(config)#end

dialhost#

Note: This recipe achieves the same result as 13.1 and the configuration is largely the same; the difference is that no dialer map command is used and no IP address is configured on the physical interfaces. The relevant configuration is all on the logical dialer interface Dialer1. The server side uses a PRI

13.3. Using an asynchronous modem on the AUX port

Problem: Connect an asynchronous modem to the router's AUX port and use it for dial backup

Solution

Router2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router2(config)#interface Async65

Router2(config-if)#encapsulation ppp

Router2(config-if)#dialer in-band

Router2(config-if)#dialer pool-member 1

Router2(config-if)#ppp authentication chap

Router2(config-if)#async default routing

Router2(config-if)#exit

Router2(config)#interface Dialer1

Router2(config-if)#ip address 10.1.99.56 255.255.255.0

Router2(config-if)#encapsulation ppp

Router2(config-if)#dialer remote-name dialhost

Router2(config-if)#dialer pool 1

Router2(config-if)#dialer idle-timeout 300

Router2(config-if)#dialer string 95551212

Router2(config-if)#dialer-group 1

Router2(config-if)#ppp authentication chap

Router2(config-if)#exit

Router2(config)#line aux 0

Router2(config-line)#modem inout

Router2(config-line)#transport input all

Router2(config-line)#no exec

Router2(config-line)#speed 115200

Router2(config-line)#exit

Router2(config)#username dialhost password dialpassword

Router2(config)#ip route 0.0.0.0 0.0.0.0 10.1.99.1 180

Router2(config)#dialer-list 1 protocol ip list 101

Router2(config)#access-list 101 deny eigrp any any

Router2(config)#access-list 101 permit ip any any

Router2(config)#router eigrp 55

Router2(config-router)#network 10.0.0.0

Router2(config-router)#exit

Router2(config)#end

Router2#

Note: First use show line to find the line number of the AUX port, which here is interface Async65, then configure it with the dialer-interface method described earlier. One extra command is async default routing, because by default routing protocols are disabled on asynchronous interfaces. When configuring the AUX port, be sure to use no exec first to avoid the problem of the modem not responding; it is also advisable to adjust the speed, otherwise it defaults to 9.6 Kbps.

13.4. Using backup interfaces

Problem: Dial when the physical WAN interface goes down

Solution

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#interface Serial0/0

Router1(config-if)#backup delay 0 300

Router1(config-if)#backup interface BRI0/0

Router1(config-if)#encapsulation frame-relay

Router1(config-if)#down-when-looped

Router1(config-if)#exit

Router1(config)#interface Serial0/0.1 point-to-point

Router1(config-subif)#ip address 10.1.1.10 255.255.255.252

Router1(config-subif)#frame-relay interface-dlci 50

Router1(config-subif)#exit

Router1(config)#interface BRI0/0

Router1(config-if)#ip address 10.1.99.55 255.255.255.0

Router1(config-if)#encapsulation ppp

Router1(config-if)#dialer idle-timeout 300

Router1(config-if)#dialer map ip 10.1.99.1 name dialhost broadcast 95551212

Router1(config-if)#dialer load-threshold 50 either

Router1(config-if)#dialer-group 1

Router1(config-if)#isdn switch-type basic-ni

Router1(config-if)#isdn spid1 800555123400 5551234

Router1(config-if)#isdn spid2 800555123500 5551235

Router1(config-if)#ppp authentication chap

Router1(config-if)#ppp multilink

Router1(config-if)#exit

Router1(config)#dialer-list 1 protocol ip permit

Router1(config)#end

Router1#

Note: The backup interface configuration must go on the physical interface, not on the subinterface. This method is generally not recommended for backup, because many WAN link problems do not show up as the physical interface going down, and under normal conditions it keeps the backup interface in a disabled state, so a fresh call is needed and commands such as show isdn status cannot be used to check its status.

13.5. Using Dialer Watch

Problem: Use Cisco's Dialer Watch feature to trigger dial backup

Solution

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#interface BRI0/0

Router1(config-if)#ip address 10.1.99.55 255.255.255.0

Router1(config-if)#encapsulation ppp

Router1(config-if)#dialer map ip 10.1.1.0 name dialhost broadcast 95551212

Router1(config-if)#dialer map ip 10.2.0.0 name dialhost broadcast 95551212

Router1(config-if)#dialer map ip 10.1.99.1 name dialhost broadcast 95551212

Router1(config-if)#dialer load-threshold 50 either

Router1(config-if)#dialer watch-group 1

Router1(config-if)#dialer-group 1

Router1(config-if)#isdn switch-type basic-ni

Router1(config-if)#isdn spid1 800555123400 5551234

Router1(config-if)#isdn spid2 800555123500 5551235

Router1(config-if)#ppp authentication chap

Router1(config-if)#ppp multilink

Router1(config-if)#exit

Router1(config)#router eigrp 55

Router1(config-router)#network 10.0.0.0

Router1(config-router)#exit

Router1(config)#username dialhost password cisco

Router1(config)#access-list 101 deny eigrp any any

Router1(config)#access-list 101 permit ip any any

Router1(config)#dialer-list 1 protocol ip list 101

Router1(config)#dialer watch-list 1 ip 10.2.0.0 255.255.0.0

Router1(config)#dialer watch-list 1 ip 10.1.1.0 255.255.255.0

Router1(config)#dialer watch-list 1 delay route-check initial 300

Router1(config)#dialer watch-list 1 delay disconnect 15

Router1(config)#end

Router1#

Note: Dialer Watch decides whether to trigger a call by tracking whether specific route prefixes exist in the routing table. Note in particular that the example watches two prefixes, and a call is triggered only when both prefixes have disappeared. The floating static route method of 13.1 is still the recommended way to do dial backup

13.6. Using Virtual Templates

Problem: Configure dial backup using Virtual Templates

Solution

dialhost#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

dialhost(config)#username Router1 password dialpassword

dialhost(config)#interface BRI0/0

dialhost(config-if)#no ip address

dialhost(config-if)#encapsulation ppp

dialhost(config-if)#dialer pool-member 1

dialhost(config-if)#isdn switch-type basic-ni

dialhost(config-if)#isdn point-to-point-setup

dialhost(config-if)#isdn spid1 800555123400 5551234

dialhost(config-if)#isdn spid2 800555123500 5551235

dialhost(config-if)#ppp authentication chap

dialhost(config-if)#ppp multilink

dialhost(config-if)#exit

dialhost(config)#interface Dialer1

dialhost(config-if)#no ip address

dialhost(config-if)#encapsulation ppp

dialhost(config-if)#dialer idle-timeout 300

dialhost(config-if)#dialer-group 1

dialhost(config-if)#no peer default ip address

dialhost(config-if)#ppp authentication chap

dialhost(config-if)#ppp multilink

dialhost(config-if)#exit

dialhost(config)#access-list 101 deny eigrp any any

dialhost(config)#access-list 101 permit ip any any

dialhost(config)#dialer-list 1 protocol ip list 101

dialhost(config)#router eigrp 55

dialhost(config-router)#network 10.0.0.0

dialhost(config-router)#exit

dialhost(config)#interface Loopback1

dialhost(config-if)#ip address 10.1.99.1 255.255.255.0

dialhost(config-if)#exit

dialhost(config)#interface Virtual-Template1

dialhost(config-if)#ip unnumbered Loopback1

dialhost(config-if)#encapsulation ppp

dialhost(config-if)#ppp authentication chap

dialhost(config-if)#ppp multilink

dialhost(config-if)#ppp multilink load-threshold 50 either

dialhost(config-if)#exit

dialhost(config)#virtual-profile virtual-template 1

dialhost(config)#end

dialhost#

Note: Generally used on the central dial server. Similar to 13.2, but no IP address is configured on the Dialer interface either; it is configured on the Virtual Template instead

13.7. Ensuring the backup link disconnects properly

Problem: Ensure the backup link disconnects properly once the primary link is restored

Solution

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#interface Serial0/0.1 point-to-point

Router1(config-subif)#bandwidth 56

Router1(config-subif)#exit

Router1(config)#interface BRI0/0

Router1(config-if)#bandwidth 54

Router1(config-if)#end

Router1#

Note: Configuring the bandwidth adjusts the metrics of the primary and backup interfaces so that the backup interface is not chosen during route computation

13.8. Viewing dial backup status

Problem: View dial backup status

Solution

Router1#show dialer

Router1#show backup

Router1#show isdn status

Router1#show isdn active

Router1#show isdn history



Note: The interesting information in show dialer is Dial reason: ip (s=10.1.99.55, d=224.0.0.10), which identifies what traffic triggered the call

13.9. Troubleshooting dial backup

Problem: Find the cause of dial backup failures

Solution

Router1#debug ppp authentication

Router1#debug dialer

2007/3/5 22:22
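As an added model of the two trigger rules in this chapter (not code from the post or from IOS), this Python simulates the interesting-traffic dialer-list of 13.1 with ACL 101 and its idle timer, and the dialer watch-list rule of 13.5 under which every watched prefix must be gone before a call is placed. The packets and routing tables are constructed; the idle-timer behaviour (only interesting traffic resets it) is IOS behaviour I am stating from experience, not something the post spells out.

```python
"""Simulate IOS dial-on-demand triggers: dialer-list interesting traffic and dialer watch."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str   # "eigrp", "tcp", "udp", "icmp", ...
    src: str
    dst: str


# ACL 101 as configured in 13.1, 13.2 and 13.5: (action, protocol, source, destination).
ACL_101 = [
    ("deny", "eigrp", "any", "any"),
    ("permit", "ip", "any", "any"),
]


def _addr_in(spec: str, addr: str) -> bool:
    """'any' or a CIDR prefix, matched against one address."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def is_interesting(pkt: Packet, acl=ACL_101) -> bool:
    """dialer-list 1 protocol ip list 101: first matching entry wins, implicit deny at the end."""
    for action, proto, src, dst in acl:
        if proto != "ip" and proto != pkt.proto:
            continue
        if _addr_in(src, pkt.src) and _addr_in(dst, pkt.dst):
            return action == "permit"
    return False


@dataclass
class DialerState:
    link_up: bool = False
    idle_seconds: int = 0
    dial_count: int = 0


def handle_packet(state: DialerState, pkt: Packet, acl=ACL_101) -> bool:
    """Return True when the packet is forwarded over the backup link.

    Interesting traffic brings the link up and resets the idle timer. Once the
    link is up every packet is forwarded (the point made after 13.1), but only
    interesting traffic keeps the link from idling out, so EIGRP hellos alone
    neither dial nor hold the call.
    """
    interesting = is_interesting(pkt, acl)
    if not state.link_up:
        if not interesting:
            return False              # nothing to trigger a call; packet dropped
        state.link_up = True
        state.dial_count += 1
    if interesting:
        state.idle_seconds = 0
    return True


def tick(state: DialerState, seconds: int, idle_timeout: int = 300) -> None:
    """Advance the idle timer (dialer idle-timeout 300); drop the call when it expires."""
    if state.link_up:
        state.idle_seconds += seconds
        if state.idle_seconds >= idle_timeout:
            state.link_up = False
            state.idle_seconds = 0


def watch_should_dial(routing_table, watch_list) -> bool:
    """dialer watch-list 1: a call is placed only when every watched prefix is
    absent from the routing table (exact prefix match, as the 13.5 note warns)."""
    present = {ipaddress.ip_network(p) for p in routing_table}
    return all(ipaddress.ip_network(w) not in present for w in watch_list)
```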


Re: Cisco IOS Cookbook (Chinese condensed edition)
Posted by: site administrator (registered member, 56 posts)
Chapter 14: NTP and Time

14.1. Timestamps in router logs

Problem: Show the time in the router's log and debug messages

Solution

Router#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#service timestamps log datetime localtime

Router(config)#service timestamps debug datetime localtime

Router(config)#end

Router#



Note: You can also append parameters such as show-timezone and msec to the command so that the timestamps include the time zone and millisecond precision

14.2. Setting the time

Problem: Set the router's time

Solution

Internal clock

Router#clock set 14:27:22 January 29 2006

Router#

High-end routers keep the time in a battery-backed calendar

Router#calendar set 14:34:39 January 29 2006

Router#

Note: Without battery backup the time setting is lost when the router reboots. show calendar displays the current calendar time and can also be used to verify whether there is battery backup. When the internal clock and the calendar disagree, use clock update-calendar or clock read-calendar to synchronize one from the other

14.3. Setting the time zone

Problem: Set the router's time zone

Solution

Router#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#clock timezone EST -5

Router(config)#end

Router#

Note: By default the router uses UTC, formerly known as GMT

14.4. Daylight saving time adjustment

Problem: Have the router adjust its clock for daylight saving time automatically

Solution

Router#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#clock summer-time EDT date 26 oct 2003 02:00 6 apr 2003 02:00

or

Router(config)#clock summer-time AEDT recurring last sun oct 02:00 last sun mar 02:00

Router(config)#end

Router#



Note: There is no daylight saving time by default; after enabling it, use show clock detail to verify

14.5. Clock synchronization (NTP)

Problem: Have the router synchronize its time from the network automatically

Solution

Router#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#clock timezone EST -5

Router(config)#clock summer-time EDT recurring

Router(config)#ntp server 172.25.1.1

Router(config)#end

Router#

For routers that do not support NTP, use SNTP

Router#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#clock timezone EST -5

Router(config)#clock summer-time EDT recurring

Router(config)#sntp server 172.25.1.1

Router(config)#end

Router#

Note: Use ntp source loopback0 or ntp server 10.1.1.1 source Serial 0/0 to specify the source address NTP sends from. Because NTP synchronizes the internal clock, configure ntp update-calendar so that the calendar clock is synchronized as well

14.6. Configuring NTP redundancy

Problem: Configure multiple NTP servers for redundancy

Solution

Router#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#clock timezone EST -5

Router(config)#clock summer-time EDT recurring

Router(config)#ntp server 172.25.1.1

Router(config)#ntp server 10.121.33.231

Router(config)#ntp peer 192.168.12.12

Router(config)#end

Router#

Note: None

14.7. Making the router the network's NTP server

Problem: Make the router the network's NTP server, the master clock source for the network

Solution

Router#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#clock timezone EST -5

Router(config)#clock summer-time EDT recurring

Router(config)#clock calendar-valid

Router(config)#ntp master 8

Router(config)#end

Router#

Note: ntp master 8 here makes the router stratum 8; avoid configuring it as stratum 1

14.8. Adjusting the NTP synchronization interval

Problem: Adjust how often the router sends NTP packets to verify synchronization

Solution

NTP does not allow the polling frequency to be changed manually, but its built-in algorithm adjusts it automatically

Note: It starts with a 64-second interval; if the network is stable enough the interval increases gradually, up to 1024 seconds, as in the following example

Router>show ntp associations

address ref clock st when poll reach delay offset disp

*~172.25.1.1 130.207.244.240 2 440 1024 377 1.6 -3.23 5.6

+~172.25.1.3 204.152.184.72 2 829 1024 377 1.7 8.06 0.9

* master (synced), # master (unsynced), + selected, - candidate, ~ configured

Router>



14.9. NTP periodic broadcast updates

Problem: Operate in broadcast mode so that clients need not poll periodically

Solution

Server side

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#clock timezone EST -5

Router1(config)#clock summer-time EDT recurring

Router1(config)#ntp server 172.25.1.1

Router1(config)#ntp server 172.25.1.2

Router1(config)#interface FastEthernet0/0

Router1(config-if)#ntp broadcast

Router1(config-if)#end

Router1#

Client side

Router2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router2(config)#clock timezone EST -5

Router2(config)#clock summer-time EDT recurring

Router2(config)#ntp broadcastdelay 4

Router2(config)#interface Ethernet0

Router2(config-if)#ntp broadcast client

Router2(config-if)#end

Router2#

Note: In broadcast mode the time packets flow in one direction only, and broadcastdelay is used to control the interval. Broadcast mode does not prevent the client from also operating in client/server mode

14.10. NTP periodic multicast updates

Problem: Operate in multicast mode so that clients need not poll periodically

Solution

Server side

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#clock timezone EST -5

Router1(config)#clock summer-time EDT recurring

Router1(config)#ntp server 172.25.1.1

Router1(config)#ntp server 172.25.1.3

Router1(config)#interface FastEthernet 0/0

Router1(config-if)#ntp multicast 224.0.1.1 ttl 1

Router1(config-if)#end

Router1#

Client side

Router2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router2(config)#clock timezone EST -5

Router2(config)#clock summer-time EDT recurring

Router2(config)#ntp server 172.25.1.1

Router2(config)#ntp server 172.25.1.3

Router2(config)#interface FastEthernet 0/0

Router2(config-if)#ntp multicast client 224.0.1.1

Router2(config-if)#end

Router2#

Note: The advantages of multicast over broadcast need no explanation. In addition, when this mode starts the client first sends some unicast packets to measure the delay so that the time is more accurate. Be aware that not all devices support this multicast mode

14.11. Enabling NTP per interface

Problem: The router is configured as an NTP server, but NTP service must be disabled on certain interfaces

Solution

Router#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#interface Serial0/1

Router(config-if)#ntp disable

Router(config-if)#end

Router#

or

Router#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#access-list 107 deny udp any eq 123 any eq 123

Router(config)#access-list 107 permit ip any any

Router(config)#interface Serial0/1

Router(config-if)#ip access-group 107 in

Router(config-if)#end

Router#



Note: The access-list approach is stricter; the first method only blocks the corresponding associations but does not block NTP packets

14.12. NTP authentication

Problem: Authenticate NTP packets for security

Solution

Server side

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#ntp authentication-key 2 md5 neoshi

Router1(config)#ntp authenticate

Router1(config)#ntp trusted-key 2

Router1(config)#end

Router1#

Client side

Router2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router2(config)#ntp authentication-key 2 md5 neoshi

Router2(config)#ntp authenticate

Router2(config)#ntp trusted-key 2

Router2(config)#ntp server 172.25.1.5 key 2

Router2(config)#end

Router2#

Note: For broadcast or multicast mode the key is configured with ntp broadcast key 2 and ntp multicast key 2

14.13. Limiting the number of NTP peers

Problem: Limit the number of NTP peers the router accepts

Solution

Router#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#ntp max-associations 30

Router(config)#end

Router#

Note: None

14.14. Restricting peers

Problem: Control the NTP service at a finer granularity

Solution

Router#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#access-list 88 permit host 172.25.1.1

Router(config)#access-list 88 permit host 10.1.1.1

Router(config)#access-list 99 permit 172.25.0.0 0.0.255.255

Router(config)#access-list 99 permit 10.2.0.0 0.0.255.255

Router(config)#clock timezone EST -5

Router(config)#clock summer-time EDT recurring

Router(config)#ntp server 172.25.1.1 version 3

Router(config)#ntp server 10.1.1.1 version 3

Router(config)#ntp access-group peer 88

Router(config)#ntp access-group serve-only 99

Router(config)#end

Router#



Note: The router allows its internal clock to synchronize only from the two servers defined in ACL 88, and only clients in the two subnets defined in ACL 99 may request time from this device

14.15. Setting the clock period

Problem: You want to adjust the automatically generated ntp clock-period xxxxxx value

Solution

The router automatically generates a clock period after a reboot to speed up resynchronization; deleting or modifying it is not recommended

Router#show running-config | include clock-period

ntp clock-period 17180200

Router#

Note: None

14.16. Checking NTP status

Problem: View the current NTP status

Solution

Router>show clock detail

Router>show ntp status

Router>show ntp associations

Router>show ntp associations detail



Note: Router>show clock detail

.15:54:33.079 EST Sun Jan 29 2006

Time source is NTP

The leading . in this output means the clock is not synchronized

14.17. Troubleshooting NTP

Problem: Resolve NTP problems

Solution

NTP is very stable; when it fails, the problem is most likely connectivity

Router#debug ntp packets

Note: Router#debug ntp packet

NTP packets debugging is on

.Mar 21 02:39:18: NTP: xmit packet to 172.25.1.5:

.Mar 21 02:39:18: leap 3, mode 3, version 3, stratum 0, ppoll 64

.Mar 21 02:39:18: rtdel 28C7 (159.286), rtdsp 2444 (141.663), refid AC190101

.Mar 21 02:39:18: ref C043C43F.47A9CD5C (21:30:23.279 EST Wed Mar 20 2003)

.Mar 21 02:39:18: org 00000000.00000000 (19:00:00.000 EST Thu Dec 31 1899)

.Mar 21 02:39:18: rec 00000000.00000000 (19:00:00.000 EST Thu Dec 31 1899)

.Mar 21 02:39:18: xmt C043C656.4DFC7394 (21:39:18.304 EST Wed Mar 20 2003)

.Mar 21 02:39:25: NTP: rcv packet from 172.25.1.5 to 172.16.2.2 on Fa0/0.1:

.Mar 21 02:39:25: leap 3, mode 3, version 3, stratum 0, ppoll 64

.Mar 21 02:39:25: rtdel 286E (157.928), rtdsp 0EC6 (57.709), refid AC190101

.Mar 21 02:39:25: ref C043C4D7.1D633CDE (21:32:55.114 EST Wed Mar 20 2003)

.Mar 21 02:39:25: org 00000000.00000000 (19:00:00.000 EST Thu Dec 31 1899)

.Mar 21 02:39:25: rec 00000000.00000000 (19:00:00.000 EST Thu Dec 31 1899)

.Mar 21 02:39:25: xmt C043C65D.1D0A6CBC (21:39:25.113 EST Wed Mar 20 2003)

.Mar 21 02:39:25: inp C043C65D.1296E3C7 (21:39:25.072 EST Wed Mar 20 2003)

上面是一个debug的输出,从中看到了来自server的数据包显示为stratum 0,代表服务器没有同步,既然上游服务器没有同步,本地服务器就更不能同步了
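The decoder below is an added example (not IOS code and not part of the original post). It parses the debug lines above and turns the raw fields into what a troubleshooter looks for: the leap indicator and stratum that mark an unsynchronised peer, root delay and dispersion in milliseconds, and the 64-bit NTP timestamps as UTC (the hex values above decode to 02:30:23.279 UTC, which is the 21:30:23.279 EST printed). The function and field names are this example's own.

```python
"""Decode `debug ntp packets` output (added example; not IOS code or the original post's).
The sample lines are the ones printed above. A peer whose packets carry leap indicator 3
and stratum 0 has no time source itself, so nothing downstream can synchronise to it."""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)
MODES = {1: "symmetric active", 2: "symmetric passive", 3: "client", 4: "server", 5: "broadcast"}


def ntp_timestamp(hexts: str) -> Optional[datetime]:
    """'C043C43F.47A9CD5C' = seconds.fraction since 1900 in hex -> UTC; all zeros means unset."""
    secs, frac = (int(part, 16) for part in hexts.split("."))
    if secs == 0 and frac == 0:
        return None
    return NTP_EPOCH + timedelta(seconds=secs, microseconds=round(frac * 1e6 / 2 ** 32))


def fixed_16_16_ms(hexval: str) -> float:
    """Root delay (rtdel) and dispersion (rtdsp) are 16.16 fixed-point seconds; IOS prints ms."""
    return int(hexval, 16) / 65536 * 1000


_LINE = re.compile(r"^(?P<dot>\.?)(?P<when>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d): (?P<body>.*)$")
_HDR = re.compile(r"^NTP: (?P<dir>xmit|rcv) packet (?:to|from) (?P<peer>\S+?)"
                  r"(?: to (?P<local>\S+))?(?: on (?P<ifc>\S+))?:$")
_FIELD = re.compile(r"\b([a-z]+) ([0-9A-Fa-f]+(?:\.[0-9A-Fa-f]+)?)\b")
_DECIMAL = {"leap", "mode", "version", "stratum", "ppoll"}
_TIMES = {"ref", "org", "rec", "xmt", "inp"}


def parse_ntp_debug(lines: List[str]) -> List[Dict]:
    """Group the debug lines into packets and convert each field to a usable value."""
    packets: List[Dict] = []
    for raw in lines:
        m = _LINE.match(raw.strip())
        if not m:
            continue                                   # e.g. "NTP packets debugging is on"
        body = m.group("body")
        hdr = _HDR.match(body)
        if hdr:
            packets.append({"direction": hdr.group("dir"), "peer": hdr.group("peer"),
                            "local": hdr.group("local"), "interface": hdr.group("ifc"),
                            # a "." in front of the timestamp: this router's own clock is unsynced
                            "router_clock_unsynced": m.group("dot") == ".",
                            "fields": {}})
            continue
        if not packets:
            continue
        fields = packets[-1]["fields"]
        for key, val in _FIELD.findall(body):
            if key in _DECIMAL:
                fields[key] = int(val)
            elif key in _TIMES:
                fields[key] = ntp_timestamp(val)
            elif key in ("rtdel", "rtdsp"):
                fields[key + "_ms"] = fixed_16_16_ms(val)
            elif key == "refid":
                # For a server at stratum 2 or above the refid is its upstream server's IPv4 address.
                fields["refid"] = ".".join(str(int(val[i:i + 2], 16)) for i in range(0, 8, 2))
    return packets


def assess(pkt: Dict) -> List[str]:
    """Reasons this packet cannot deliver usable time; an empty list means none were found."""
    f, problems = pkt["fields"], []
    if f.get("leap") == 3:
        problems.append("leap indicator 3: sender's clock is not synchronised")
    if f.get("stratum") == 0:
        problems.append("stratum 0: sender has no reference clock or upstream server")
    if pkt["direction"] == "rcv" and f.get("mode") == 3:
        problems.append("received a client-mode (3) packet, not a server (4) reply")
    return problems


# The debug lines from the output above.
SAMPLE_DEBUG = [
    "NTP packets debugging is on",
    ".Mar 21 02:39:18: NTP: xmit packet to 172.25.1.5:",
    ".Mar 21 02:39:18: leap 3, mode 3, version 3, stratum 0, ppoll 64",
    ".Mar 21 02:39:18: rtdel 28C7 (159.286), rtdsp 2444 (141.663), refid AC190101",
    ".Mar 21 02:39:18: ref C043C43F.47A9CD5C (21:30:23.279 EST Wed Mar 20 2003)",
    ".Mar 21 02:39:18: org 00000000.00000000 (19:00:00.000 EST Thu Dec 31 1899)",
    ".Mar 21 02:39:18: rec 00000000.00000000 (19:00:00.000 EST Thu Dec 31 1899)",
    ".Mar 21 02:39:18: xmt C043C656.4DFC7394 (21:39:18.304 EST Wed Mar 20 2003)",
    ".Mar 21 02:39:25: NTP: rcv packet from 172.25.1.5 to 172.16.2.2 on Fa0/0.1:",
    ".Mar 21 02:39:25: leap 3, mode 3, version 3, stratum 0, ppoll 64",
    ".Mar 21 02:39:25: rtdel 286E (157.928), rtdsp 0EC6 (57.709), refid AC190101",
    ".Mar 21 02:39:25: ref C043C4D7.1D633CDE (21:32:55.114 EST Wed Mar 20 2003)",
    ".Mar 21 02:39:25: org 00000000.00000000 (19:00:00.000 EST Thu Dec 31 1899)",
    ".Mar 21 02:39:25: rec 00000000.00000000 (19:00:00.000 EST Thu Dec 31 1899)",
    ".Mar 21 02:39:25: xmt C043C65D.1D0A6CBC (21:39:25.113 EST Wed Mar 20 2003)",
    ".Mar 21 02:39:25: inp C043C65D.1296E3C7 (21:39:25.072 EST Wed Mar 20 2003)",
]

if __name__ == "__main__":
    for p in parse_ntp_debug(SAMPLE_DEBUG):
        print(p["direction"], p["peer"], MODES.get(p["fields"].get("mode")), assess(p))
```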

14.18. NTP logging

Problem: log important NTP events.

Solution:

Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#ntp logging
Router2(config)#end
Router2#

Note: this command appeared in 12.3(7)T. A sample log:

Router2#show logging | include NTP
000019: Jan 29 10:57:52.633 EST: %NTP-5-PEERSYNC: NTP synced to peer 172.25.1.5
000020: Jan 29 10:57:52.637 EST: %NTP-6-PEERREACH: Peer 172.25.1.5 is reachable
000024: Jan 29 11:01:20.653 EST: %NTP-4-PEERUNREACH: Peer 172.25.1.5 is unreachable
000026: Jan 29 11:15:11.985 EST: %NTP-4-UNSYNC: NTP sync is lost

14.19. Extended Daylight Saving Time

Note: to save energy the US changed its daylight saving rules starting in 2007; omitted here.

NTP server configuration

Note: host configuration is omitted for now.

2007/3/5 22:23


Reply: Cisco IOS Cookbook Chinese condensed edition (posted by a new member)

This is really long; it takes time to memorise and to get fluent at the operations. PS: where I am, CCNA training alone costs 2000 RMB, which is pure robbery.

2007/3/11 23:40


Reply: Cisco IOS Cookbook Chinese condensed edition (posted by a new member)

ding

2007/3/13 2:16


Reply: Cisco IOS Cookbook Chinese condensed edition (posted by a new member)

Why not turn this into a proper document?

2007/3/16 4:29


Reply: Cisco IOS Cookbook Chinese condensed edition (posted by the site administrator)

Cisco IOS Cookbook Chinese condensed edition, Chapter 16: Router Interfaces

16.1. Viewing interface status

Problem: view the current status of the router's interfaces.

Solution:

Router1#show interfaces
Router1#show interfaces FastEthernet0/1
Router1#show ip interface brief
Router1#show ip interface FastEthernet0/1

Note: the show interfaces output contains a great deal of information; several Chinese documents online explain each field in detail, so it is not translated here. The txload and rxload measurements are averaged over a 5-minute period by default; load-interval 60 changes this to 60 seconds. The value must be a multiple of 30 seconds, with a maximum of 10 minutes. One more hidden command:

Router1#show interfaces FastEthernet0/1 stats
FastEthernet0/1
       Switching path    Pkts In   Chars In   Pkts Out  Chars Out
            Processor     294567   18704930     239526   22219870
          Route cache       7758     681257      48303    6129834
                Total     302325   19386187     287829   28349704

Processor is process switching; Route cache is fast switching.

16.2. Configuring a serial interface

Problem: configure a serial interface for a WAN connection.

Solution:

Router3#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router3(config)#interface Serial1
Router3(config-if)#description WAN Connection to Chicago
Router3(config-if)#ip address 192.168.99.5 255.255.255.252
Router3(config-if)#encapsulation hdlc
Router3(config-if)#clock rate 56000
Router3(config-if)#no shutdown
Router3(config-if)#exit
Router3(config)#end
Router3#

Note: clock rate is required on the DCE side; if it is configured on the DTE the router ignores it. Use show controller serial to determine which cable type is attached. By default the router assumes a serial port has 1.544 Mbps of bandwidth, which may not be the case; for accurate routing-protocol metric calculation set it manually with the bandwidth command. Note that bandwidth is given in kilobits per second, while clock rate is in bits per second.

16.3. Using the built-in T1 CSU/DSU

Problem: configure a WAN connection using the built-in T1 CSU/DSU.

Solution:

Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#interface Serial0/1
Router1(config-if)#ip address 192.168.99.9 255.255.255.252
Router1(config-if)#no shutdown
Router1(config-if)#service-module t1 timeslots 1-12
Router1(config-if)#exit
Router1(config)#end
Router1#

Note: each channel uses 64 Kbps by default; if the circuit is 56k, append speed 56 to the service-module command above. There are many other parameters, all of which must match the far end:

Router1(config-if)#service-module t1 linecode ami
Router1(config-if)#service-module t1 data-coding inverted
Router1(config-if)#service-module t1 framing sf
Router1(config-if)#service-module t1 fdl ansi
Router1(config-if)#service-module t1 fdl att
Router1(config-if)#service-module t1 remote-alarm-enable

Usually the carrier provides clocking; in a lab network, to make the router act as the DCE, configure service-module t1 clock source internal so that it supplies the clock.

16.4. Using the built-in ISDN PRI module

Problem: configure the built-in ISDN PRI module.

Solution:

Router8#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router8(config)#isdn switch-type primary-dms100
Router8(config)#controller T1 0
Router8(config-controlle)#framing esf
Router8(config-controlle)#clock source line primary
Router8(config-controlle)#linecode b8zs
Router8(config-controlle)#pri-group timeslots 1-24
Router8(config-controlle)#exit
Router8(config)#end
Router8#

Note: none.

16.5. Using the built-in 56 Kbps CSU/DSU

Problem: configure the built-in 56 Kbps CSU/DSU.

Solution:

Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#interface Serial0/1
Router2(config-if)#ip address 192.168.99.25 255.255.255.252
Router2(config-if)#no shutdown
Router2(config-if)#service-module 56k clock rate 9.6
Router2(config-if)#exit
Router2(config)#end
Router2#

Note: I have never seen this kind of module and am a bit lost, so I will skip it for now.

16.6. Configuring an asynchronous serial interface

Problem: configure a synchronous/asynchronous serial interface to work in asynchronous mode.

Solution:

Router3#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router3(config)#interface Serial1/7
Router3(config-if)#physical-layer async
Router3(config-if)#encapsulation ppp
Router3(config-if)#exit
Router3(config)#line 40
Router3(config-line)#speed 115200
Router3(config-line)#exit
Router3(config)#end
Router3#

Note: after configuring physical-layer async, look up the line number:

Router3#show line
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
     0 CTY              -    -      -    -    -      0       0     0/0      -
    40 TTY   9600/9600  -    -      -    -    -      0       0     0/0    Se1/7
    65 AUX   2400/2400  F    -      -    -    -      0       0     0/0      -

Se1/7 is line 40, and its speed has dropped to 9600, so the speed command is needed to change it.

16.7. Configuring ATM subinterfaces

Problem: interconnect over PVC-based ATM links.

Solution:

The old method:

Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#interface ATM0/0
Router2(config-if)#no ip address
Router2(config-if)#exit
Router2(config)#interface ATM0/0.1 point-to-point
Router2(config-subif)#description PVC to New York
Router2(config-subif)#ip address 192.168.250.146 255.255.255.252
Router2(config-subif)#atm pvc 1 0 60 aal5snap 10000 5000 3 oam 5
Router2(config-subif)#exit
Router2(config)#end
Router2#

From 11.3 onward, a Cisco feature periodically sends ATM OAM cells to test the VC:

Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#interface ATM0/0
Router2(config-if)#no ip address
Router2(config-if)#exit
Router2(config)#interface ATM0/0.1 point-to-point
Router2(config-subif)#description PVC to New York
Router2(config-subif)#ip address 192.168.250.146 255.255.255.252
Router2(config-subif)#pvc 0/60
Router2(config-if-atm-vc)#vbr-nrt 10000 5000 30
Router2(config-if-atm-vc)#oam-pvc manage 5
Router2(config-if-atm-vc)#exit
Router2(config)#end
Router2#

Note: verify the first method with show atm pvc 0/60:

Router2#show atm pvc 0/60
ATM0/0.1: VCD: 1, VPI: 0, VCI: 60, etype:0x0, AAL5 - LLC/SNAP, Flags: 0x830
PeakRate: 10000, Average Rate: 5000, Burst Cells: 96, VCmode: 0xE000
OAM frequency: 5 second(s), InARP frequency: 15 minute(s)
InPkts: 1292959637, OutPkts: 3327374998, InBytes: 2196038015, OutBytes: 813592646
InPRoc: 19959239, OutPRoc: 24660, Broadcasts: 19481389
InFast: 1212924649, OutFast: 3297025318, InAS: 60075750, OutAS: 10843631
OAM F5 cells sent: 6804133, OAM cells received: 6740056
Status: ACTIVE

The VCD is locally significant only; the VPI and VCI must match the far end. The recommended encapsulation is AAL5SNAP; change it to AAL5CISCOPPP if PPP support is needed.

The new method no longer configures a VCD, and if 3 OAM cells go unanswered the interface is marked down. From 12.2(4)T, snmp-server enable traps atm pvc extension oam failure loopback was added to raise SNMP alerts for this.

16.8. Setting payload scrambling

Problem:

Solution:

Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#interface ATM0/0
Router2(config-if)#atm ds3-scramble (atm e3-scramble)
Router2(config-if)#exit
Router2(config)#end
Router2#

Router4#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router4(config)#interface ATM0/0
Router4(config-if)#atm scrambling cell-payload
Router4(config-if)#exit
Router4(config)#end
Router4#

Note: omitted for now.

16.9. Classical IP over ATM

Problem: configure the router to support SVCs and Classical IP over ATM.

Solution:

First, the ATMARP server:

Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#interface ATM1/0
Router1(config-if)#no ip address
Router1(config-if)#atm ilmi-keepalive
Router1(config-if)#pvc 0/5 qsaal
Router1(config-if-atm-vc)#exit
Router1(config-if)#pvc 0/16 ilmi
Router1(config-if-atm-vc)#exit
Router1(config-if)#exit
Router1(config)#interface ATM1/0.1 multipoint
Router1(config-subif)#ip address 192.168.123.1 255.255.255.0
Router1(config-subif)#atm esi-address A000C0A87B01.01
Router1(config-subif)#atm arp-server self
Router1(config-subif)#exit
Router1(config)#end
Router1#

Then the other clients:

Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#interface ATM1/0
Router2(config-if)#no ip address
Router2(config-if)#atm ilmi-keepalive
Router2(config-if)#pvc 0/5 qsaal
Router2(config-if-atm-vc)#exit
Router2(config-if)#pvc 0/16 ilmi
Router2(config-if-atm-vc)#exit
Router2(config-if)#exit
Router2(config)#interface ATM1/0.1 multipoint
Router2(config-subif)#ip address 192.168.123.2 255.255.255.0
Router2(config-subif)#atm esi-address A000C0A87B02.01
Router2(config-subif)#atm arp-server nsap 47.00918100000000e014cd0001.A000C0A87B01.01
Router2(config-subif)#exit
Router2(config)#end
Router2#

Note: besides ATM SVCs as shown above, Local Area Network Emulation (LANE) and Multiple Protocols over ATM (MPOA) are also supported; all of them rely on the Quasi Signaling Application Adaptation Layer (QSAAL) protocol and the Interim Local Management Interface (ILMI). When configuring the ARP server address on the clients, remember to include the NSAP prefix; the server's ESI address alone is not enough.

16.10. Configuring Ethernet interface characteristics

Problem: configure the speed, duplex and other characteristics of an Ethernet interface.

Solution:

Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#interface FastEthernet0/0
Router1(config-if)#media-type 100BaseX
Router1(config-if)#duplex full
Router1(config-if)#speed 100
Router1(config-if)#mac-address 0AAA.ABCD.0101
Router1(config-if)#arp timeout 60
Router1(config-if)#keepalive 5
Router1(config-if)#exit
Router1(config)#end
Router1#

Note: none.

16.11. Configuring Token Ring interface characteristics

Problem: configure a Token Ring interface.

Solution:

Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#interface TokenRing0
Router2(config-if)#ring-speed 4
Router8(config-if)#full-duplex
Router2(config-if)#mac-address 0006.1111.aaaa
Router2(config-if)#exit
Router2(config)#end
Router2#

Note: not every Token Ring module supports full duplex.

16.12. Configuring VLAN trunks with ISL

Problem: configure VLAN trunks using the ISL protocol.

Solution:

Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#interface FastEthernet0/0
Router1(config-if)#no ip address
Router1(config-if)#speed 100
Router1(config-if)#full-duplex
Router1(config-if)#exit
Router1(config)#interface FastEthernet0/0.1
Router1(config-subif)#encapsulation isl 1
Router1(config-subif)#ip address 172.25.1.5 255.255.255.0
Router1(config-subif)#exit
Router1(config)#interface FastEthernet0/0.2
Router1(config-subif)#encapsulation isl 2
Router1(config-subif)#ip address 172.16.2.1 255.255.255.0
Router1(config-subif)#exit
Router1(config)#interface FastEthernet0/0.3
Router1(config-subif)#encapsulation isl 574
Router1(config-subif)#ip address 10.22.1.2 255.255.255.0
Router1(config-subif)#exit
Router1(config)#end
Router1#

Note: this is what is usually called router-on-a-stick. ISL is Cisco proprietary.

Router1#show interfaces FastEthernet0/0.3
Encapsulation ISL Virtual LAN, Color 574.

From 12.2(4)T onward the following was added:

Router1(config)#interface FastEthernet0/0.1
Router1(config-if)#ip unnumbered Loopback0

16.13. Configuring VLAN trunks with 802.1Q

Problem: configure VLAN trunks using the 802.1Q protocol.

Solution:

Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#interface FastEthernet1/0
Router2(config-if)#no ip address
Router2(config-if)#speed 100
Router2(config-if)#full-duplex
Router2(config-if)#exit
Router2(config)#interface FastEthernet1/0.1
Router2(config-subif)#encapsulation dot1Q 1 native
Router2(config-subif)#ip address 172.25.1.47 255.255.255.0
Router2(config-subif)#exit
Router2(config)#interface FastEthernet1/0.2
Router2(config-subif)#encapsulation dot1Q 2
Router2(config-subif)#ip address 172.25.22.4 255.255.255.0
Router2(config-subif)#exit
Router2(config)#interface FastEthernet1/0.3
Router2(config-subif)#encapsulation dot1Q 548
Router2(config-subif)#ip address 172.20.1.1 255.255.255.0
Router2(config-subif)#exit
Router2(config)#end
Router2#

Note: the point to watch is the native VLAN. The default is VLAN 1, but it can be set to another VLAN; the router's native VLAN must match the switch's.

16.14. LPD printer support

Problem: attach a printer to the router's asynchronous serial port.

Solution:

Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#printer rtlpr1 line 161
Router1(config)#end
Router1#

Note: first you need a host that supports the Berkeley Unix LPD print program, with its /etc/printcap configured to forward print jobs to the router. The printer must support a serial connection. Finally, find the AUX port's line number with show line (161 in the example above). The following configuration is also recommended:

Router1(config)#line aux 0
Router1(config-line)#no exec
Router1(config-line)#no login
Router1(config-line)#no password
Router1(config-line)#transport input none
Router1(config-line)#speed 115200
Router1(config-line)#exit

Router1#show printer
Printer  Line  Rotary  Errors  Connections  Datafiles  Controlfiles  Bytes
rtlpr1   161   0       0       0            0          0             0
Router1#

2007/3/21 7:31


Reply: Cisco IOS Cookbook Chinese condensed edition (posted by the site administrator)

Cisco IOS Cookbook Chinese condensed edition, Chapter 17: SNMP

17.1. Configuring SNMP

Problem: enable basic SNMP service on the router.

Solution:

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#snmp-server community ORARO ro
Router(config)#snmp-server community ORARW rw
Router(config)#end
Router#

From 12.0 onward an alternative configuration style is available:

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#snmp-server group COOKRO v1
Router(config)#snmp-server user TESTRO1 COOKRO v1
Router(config)#snmp-server group BOOKRO v2c
Router(config)#snmp-server user TESTRO2 BOOKRO v2c
Router(config)#end

Note: this enables only the basic SNMP service, which answers SNMP GET and SET requests and does not send SNMP traps or informs. Because SNMP v1 and v2c both transmit the community string in cleartext, the security restrictions in the later recipes are needed. show snmp group can be used to verify.

17.2. Retrieving router information with SNMP tools

Note: snmpget, snmpwalk and snmpset can query the MIB directly; a graphical tool such as SolarWinds is recommended. Omitted for now.

Cisco MIB information: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.

17.3. Configuring important router information for SNMP access

Problem: make information such as the router's location and serial number available over SNMP.

Solution:

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#snmp-server contact Ian Brown 416-555-2943
Router(config)#snmp-server location 999 Queen St. W., Toronto, Ont.
Router(config)#snmp-server chassis-id JAX123456789
Router(config)#end
Router#

Note: none.

17.4. Collecting information from many routers with SNMP

Note: this uses a Perl script for bulk operations; omitted for now.

17.5. Restricting SNMP access with access lists

Problem: use access lists to improve the security of SNMP access.

Solution:

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 99 permit 172.25.1.0 0.0.0.255
Router(config)#access-list 99 permit host 10.1.1.1
Router(config)#access-list 99 deny any
Router(config)#snmp-server community ORARO ro 99
Router(config)#access-list 98 permit 172.25.1.0 0.0.0.255
Router(config)#snmp-server community ORARW rw 98
Router(config)#end
Router#

The SNMP group method:

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 99 permit 172.25.1.0 0.0.0.255
Router(config)#access-list 99 permit host 10.1.1.1
Router(config)#access-list 99 deny any
Router(config)#snmp-server group COOKRO v1 access 99
Router(config)#snmp-server user TESTRO1 COOKRO v1
Router(config)#end
Router#

From 12.3(2)T onward named access lists are supported:

Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#ip access-list standard SNMPACL
Router2(config-std-nacl)#permit 172.25.1.0 0.0.0.255
Router2(config-std-nacl)#permit host 10.1.1.1
Router2(config-std-nacl)#deny any
Router2(config-std-nacl)#snmp-server community ORARO1 ro SNMPACL
Router2(config)#end
Router2#

Note: none.

17.6. Logging unauthorized SNMP attempts

Problem: record unauthorized SNMP attempts in the log.

Solution:

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 99 permit 172.25.1.0 0.0.0.255
Router(config)#access-list 99 permit host 10.1.1.1
Router(config)#access-list 99 deny any log
Router(config)#snmp-server community ORARO ro 99
Router(config)#snmp-server community ORARW rw 99
Router(config)#end
Router#

Note:

Router#show access-list 99
Standard IP access list 99
permit 10.1.1.1 (1293 matches)
permit 172.25.1.0, wildcard bits 0.0.0.255 (630 matches)
deny any log (17 matches)

Router#show logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Console logging: disabled
Monitor logging: level debugging, 26 messages logged
Logging to: vty2(0)
Buffer logging: level debugging, 49 messages logged
Trap logging: level informational, 53 message lines logged
Logging to 172.25.1.1, 53 message lines logged
Logging to 172.25.1.3, 53 message lines logged

Log Buffer (4096 bytes):
Apr 15 22:33:21: %SEC-6-IPACCESSLOGS: list 99 denied 192.168.22.13 1 packet
Apr 15 22:39:18: %SEC-6-IPACCESSLOGS: list 99 denied 10.121.212.11 3 packets
Router#
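The standard-ACL semantics that 14.14 (ntp access-group), 17.5 (snmp-server community ... 99) and 17.6 (deny any log) all depend on are modelled below: wildcard masks, first match wins, and the implicit deny that is never logged. This is an added example, not IOS code or the original post's; the ACL text is the page's own, and the source addresses tested are constructed.

```python
"""Standard IP access-list evaluation as IOS applies it to `ntp access-group` (14.14),
`snmp-server community ... <acl>` (17.5) and `deny any log` (17.6).
Added example, not IOS code; the ACL entries are the page's own, test addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    action: str        # "permit" or "deny"
    address: int       # IPv4 address as an integer
    wildcard: int      # wildcard mask: a 1 bit means "don't care" (the inverse of a netmask)
    log: bool = False  # `log` keyword: a match produces %SEC-6-IPACCESSLOGS

    def matches(self, src: int) -> bool:
        # Every bit that is NOT wildcarded must equal the entry's address bit.
        care = ~self.wildcard & 0xFFFFFFFF
        return (src & care) == (self.address & care)


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_entry(line: str) -> AclEntry:
    """Accepts `access-list 99 permit 172.25.1.0 0.0.0.255`, `permit host 10.1.1.1`,
    `deny any log` and the bare-address form `permit 172.25.1.1` (same as host)."""
    toks = line.split()
    if toks[:1] == ["access-list"]:
        toks = toks[2:]                        # drop "access-list <number>"
    action, rest = toks[0], toks[1:]
    if action not in ("permit", "deny") or not rest:
        raise ValueError(f"not a standard ACL entry: {line!r}")
    if rest[0] == "host":
        address, wildcard, rest = _ip(rest[1]), 0, rest[2:]
    elif rest[0] == "any":
        address, wildcard, rest = 0, 0xFFFFFFFF, rest[1:]
    else:
        address, wildcard, rest = _ip(rest[0]), 0, rest[1:]
        if rest and rest[0] != "log":
            wildcard, rest = _ip(rest[0]), rest[1:]
    return AclEntry(action, address, wildcard, log=(rest[:1] == ["log"]))


class StandardAcl:
    """Entries are tested top-down and the first match decides. Anything unmatched hits
    the implicit `deny any`, which is never logged; that is why 17.6 ends the list with
    an explicit `deny any log`."""

    def __init__(self, lines: List[str]):
        self.entries = [parse_entry(l) for l in lines if l.strip()]

    def evaluate(self, src: str) -> Tuple[str, Optional[AclEntry]]:
        addr = _ip(src)
        for entry in self.entries:
            if entry.matches(addr):
                return entry.action, entry
        return "deny", None                     # implicit deny


# The page's own lists.
NTP_PEER_ACL = StandardAcl(["access-list 88 permit host 172.25.1.1",
                            "access-list 88 permit host 10.1.1.1"])
NTP_SERVE_ONLY_ACL = StandardAcl(["access-list 99 permit 172.25.0.0 0.0.255.255",
                                  "access-list 99 permit 10.2.0.0 0.0.255.255"])
SNMP_RO_ACL = StandardAcl(["access-list 99 permit 172.25.1.0 0.0.0.255",
                           "access-list 99 permit host 10.1.1.1",
                           "access-list 99 deny any log"])


def snmp_request_allowed(src: str) -> Tuple[bool, bool]:
    """(accepted, logged) for a request against community ORARO with ACL 99 from 17.6."""
    action, entry = SNMP_RO_ACL.evaluate(src)
    return action == "permit", entry is not None and entry.log


if __name__ == "__main__":
    for src in ("172.25.1.77", "10.1.1.1", "10.1.1.2", "192.168.22.13"):
        print(src, snmp_request_allowed(src))
```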

17.7. Restricting MIB access

Problem: restrict which MIBs can be accessed over SNMP.

Solution:

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 99 permit 172.25.1.0 0.0.0.255
Router(config)#access-list 99 deny any log
Router(config)#snmp-server view ORAVIEW mib-2 included
Router(config)#snmp-server view ORAVIEW at excluded
Router(config)#snmp-server view ORAVIEW cisco included
Router(config)#snmp-server community ORARO view ORAVIEW ro 99
Router(config)#snmp-server view RESTRICTED lsystem.55 included
Router(config)#snmp-server community ORARW view RESTRICTED rw 99
Router(config)#end
Router#

The SNMP group method:

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#snmp-server view ORAVIEW mib-2 included
Router(config)#snmp-server view ORAVIEW at excluded
Router(config)#snmp-server view ORAVIEW cisco included
Router(config)#snmp-server group TEST v1 read ORAVIEW
Router(config)#snmp-server user ORARO TEST v1
Router(config)#snmp-server view RESTRICTED lsystem.55 included
Router(config)#snmp-server group TEST2 v1 write RESTRICTED
Router(config)#snmp-server user ORARW TEST2 v1
Router(config)#end
Router#

Note:

Router#show snmp view
ORAVIEW mib-2 - included nonvolatile active
ORAVIEW at - excluded nonvolatile active
ORAVIEW cisco - included nonvolatile active
v1default internet - included volatile active
v1default internet.6.3.15 - excluded volatile active
v1default internet.6.3.16 - excluded volatile active
v1default internet.6.3.18 - excluded volatile active
RESTRICTED cisco - included nonvolatile active
RESTRICTED lsystem.55 - included nonvolatile active
Router#

17.8. Modifying the running configuration with SNMP

Problem: download or upload the router's configuration file using SNMP.

Solution: a FreeBSD host with NET-SNMP installed is used as the example.

First enable SNMP on the router:

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#snmp-server community ORARW rw
Router(config)#end

Download the configuration:

Freebsd% touch /tftpboot/router.cfg
Freebsd% chmod 666 /tftpboot/router.cfg
Freebsd% snmpset -v1 -c ORARW Router .1.3.6.1.4.1.9.2.1.55.172.25.1.1 s router.cfg
enterprises.9.2.1.55.172.25.1.1 = "router.cfg"
Freebsd%

Edit the configuration, then upload and save it:

Freebsd% echo "no ip source-route" > /tftpboot/new.cfg
Freebsd% echo "end" >> /tftpboot/new.cfg
Freebsd% chmod 666 /tftpboot/new.cfg
Freebsd% snmpset -v1 -c ORARW Router .1.3.6.1.4.1.9.2.1.53.172.25.1.1 s new.cfg
enterprises.9.2.1.53.172.25.1.1 = "new.cfg"
Freebsd% snmpset -v1 -c ORARW Router .1.3.6.1.4.1.9.2.1.54.0 i 1
enterprises.9.2.1.54.0 = 1
Freebsd%

Note: .1.3.6.1.4.1.9.2.1.55 is the OID in the Cisco MIB that makes the router send its current configuration file, and 172.25.1.1 is the TFTP server address. When editing the configuration file remember to finish it with the end command; the OID for uploading is .1.3.6.1.4.1.9.2.1.53. The last snmpset saves the uploaded configuration. All of this can also be done with SolarWinds.

17.9. Upgrading IOS with SNMP

Problem: upgrade the router's IOS remotely via SNMP.

Solution:

First the router configuration:

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#snmp-server community ORARW rw
Router(config)#end

Download the current IOS:

Freebsd% touch /tftpboot/c2600-jk9o3s-mz.122-7a.bin
Freebsd% chmod 666 /tftpboot/c2600-jk9o3s-mz.122-7a.bin
Freebsd% snmpset -v1 -c ORARW Router .1.3.6.1.4.1.9.2.10.9.172.25.1.1 s c2600-jk9o3s-mz.122-7a.bin
enterprises.9.2.10.9.172.25.1.1 = "c2600-jk9o3s-mz.122-7a.bin"
Freebsd%

Upgrade the IOS:

Freebsd% chmod 666 /tftpboot/c2600-jk9o3s-mz.122-7a.bin
Freebsd% snmpset -v1 -c ORARW Router .1.3.6.1.4.1.9.2.10.6.0 i 1
enterprises.9.2.10.6.0 = 1
Freebsd% snmpset -v1 -c ORARW Router .1.3.6.1.4.1.9.2.10.12.172.25.1.1 s c2600-jk9o3s-mz.122-7a.bin
enterprises.9.2.10.12.172.25.1.1 = "c2600-jk9o3s-mz.122-7a.bin"
Freebsd%

Note: Router in the example is the router's hostname; an IP address works as well. .1.3.6.1.4.1.9.2.10.9 is the corresponding OID. When upgrading, the first step erases the flash and the second uploads the IOS image. This can be scripted for centralized IOS management.

17.10. Making bulk configuration changes with SNMP

Note: this uses a Perl script for bulk operations; omitted for now.

17.11. Preventing unauthorized configuration changes

Problem: allow only specific devices to send and receive configuration via SNMP and TFTP.

Solution:

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 92 permit 172.25.1.1
Router(config)#access-list 92 deny any log
Router(config)#snmp-server tftp-server-list 92
Router(config)#snmp-server community ORARW rw
Router(config)#end
Router#

From 12.3(2)T onward named access lists are supported:

Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#ip access-list standard TFTPACL
Router2(config-std-nacl)#permit 172.25.1.1
Router2(config-std-nacl)#deny any log
Router2(config-std-nacl)#exit
Router2(config)#snmp-server tftp-server-list TFTPACL
Router2(config)#snmp-server community ORARW rw
Router2(config)#end
Router2#

Note: this restricts only TFTP sessions initiated via SNMP; other file transfers are unaffected. Also, the access list is global and cannot be tied to a particular community string.

17.12. Keeping interface table names persistent

Problem: make SNMP use the same interface index even after a reboot.

Solution:

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#snmp-server ifindex persist
Router(config)#end
Router#

It can also be set per interface:

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface Serial0/0
Router(config-if)#snmp ifindex persist
Router(config-if)#exit
Router(config)#end
Router#

Note: many engineers do not realise that the internal SNMP interface index can change, which makes their queries return the wrong interface. In the example below, FastEthernet1/0 has ifIndex 5:

Freebsd% snmpwalk -v1 -c ORARO Router ifDescr
interfaces.ifTable.ifEntry.ifDescr.1 = "BRI0/0"
interfaces.ifTable.ifEntry.ifDescr.2 = "Ethernet0/0"
interfaces.ifTable.ifEntry.ifDescr.3 = "BRI0/0:1"
interfaces.ifTable.ifEntry.ifDescr.4 = "BRI0/0:2"
interfaces.ifTable.ifEntry.ifDescr.5 = "FastEthernet1/0"
interfaces.ifTable.ifEntry.ifDescr.6 = "Null0"
interfaces.ifTable.ifEntry.ifDescr.7 = "Loopback0"

After a reboot the same query shows it as 2:

Freebsd% snmpwalk -v1 -c ORARO Router ifDescr
interfaces.ifTable.ifEntry.ifDescr.1 = "Ethernet0/0"
interfaces.ifTable.ifEntry.ifDescr.2 = "FastEthernet1/0"
interfaces.ifTable.ifEntry.ifDescr.3 = "Null0"
interfaces.ifTable.ifEntry.ifDescr.4 = "Loopback0"

This makes life difficult for network management.

17.13. Enabling SNMP traps and informs

Problem: configure the router to generate traps or informs for specific events.

Solution:

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#snmp-server enable traps
Router(config)#snmp-server host 172.25.1.1 ORATRAP config entity envmon hsrp
Router(config)#snmp-server host nms.oreilly.com ORATRAP bgp snmp envmon
Router(config)#end
Router#

From SNMP v2c onward the router supports SNMP informs:

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#snmp-server enable informs
Router(config)#snmp-server host 172.25.1.1 informs version 2c ORATRAP snmp envmon
Router(config)#end
Router#

Note: traps are sent by the router on its own initiative, not in response to an SNMP request. snmp-server enable traps envmon sends only a specific kind of trap, and different traps can be sent to different NMS hosts.

17.14. Sending syslog messages as SNMP traps

Problem: encapsulate syslog messages in SNMP traps or informs.

Solution:

Traps:

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#logging history informational
Router(config)#snmp-server enable traps syslog
Router(config)#snmp-server host 172.25.1.1 ORATRAP syslog
Router(config)#end
Router#

Informs:

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#logging history informational
Router(config)#snmp-server enable informs
Router(config)#snmp-server host 172.25.1.1 informs version 2c ORATRAP syslog
Router(config)#end
Router#

Note:

Router#clear counters
Clear "show interface" counters on all interfaces [confirm]
Router#
May 28 10:07:04: %CLEAR-5-COUNTERS: Clear counter on all interfaces by ijbrown on vty0 (172.25.1.1)

The syslog message above becomes the following SNMP message:

Freebsd% tail snmptrapd.log
May 28 10:07:04 freebsd snmptrapd[77759]: 172.25.25.1: Enterprise Specific Trap (1) Uptime: 18 days, 22:35:26.99, enterprises.9.9.41.1.2.3.1.2.118 = "CLEAR", enterprises.9.9.41.1.2.3.1.3.118 = 6, enterprises.9.9.41.1.2.3.1.4.118 = "COUNTERS", enterprises.9.9.41.1.2.3.1.5.118 = "Clear counter on all interfaces by ijbrown on vty0 (172.25.1.1)", enterprises.9.9.41.1.2.3.1.6.118 = Timeticks: (163652698) 18 days, 22:35:26.98
Freebsd%

17.15. Setting the SNMP packet size

Problem: change the default SNMP packet size.

Solution:

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#snmp-server packetsize 1480
Router(config)#end
Router#

Note: the default is 1500 bytes.

17.16. Setting the SNMP queue size

Problem: increase the size of the SNMP trap queue.

Solution:

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#snmp-server queue-length 25
Router(config)#snmp-server inform pending 40
Router(config)#end
Router#

Note: the default trap queue holds 10 trap messages, and the inform queue 25. show snmp displays the queue configuration and the number of dropped traps.

17.17. Setting the SNMP timeout

Problem: adjust the SNMP trap timeout.

Solution:

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#snmp-server trap-timeout 60
Router(config)#snmp-server inform timeout 120
Router(config)#end
Router#

Note: strictly speaking, this is the time to wait before retransmitting.

17.18. Disabling link up/down traps on an interface

Problem: ignore link-state alerts from a particular interface.

Solution:

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface Serial0/0
Router(config-if)#no snmp trap link-status
Router(config-if)#exit
Router(config)#end
Router#

Note: for example, on certain dial interfaces.

17.19. Setting the source address of SNMP traps

Problem: set the source address used for SNMP trap messages.

Solution:

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#snmp-server host 172.25.1.1 ORATRAP
Router(config)#snmp-server trap-source loopback0
Router(config)#end
Router#

Note: none.

17.20. Using RMON to send traps

Problem: send a trap when CPU utilisation exceeds a threshold, or on other important events.

Solution:

CPU above a given threshold:

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#rmon event 1 log trap ORATRAP description "CPU on Router has exceeded threshold" owner ijbrown
Router(config)#rmon event 2 log description "CPU on Router has normalized" owner ijbrown
Router(config)#rmon alarm 1 lsystem.57.0 60 absolute rising-threshold 70 1 falling-threshold 40 2 owner ijbrown
Router(config)#end
Router#

Memory utilisation beyond a given threshold:

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#rmon event 4 log trap ORATRAP description "Low memory condition on Router" owner ijbrown
Router(config)#rmon event 5 log trap ORATRAP description "Low Memory condition cleared on Router" owner ijbrown
Router(config)#rmon alarm 3 lsystem.8.0 60 absolute rising-threshold 1500000 5 falling-threshold 1000000 4 owner ijbrown
Router(config)#end
Router#

Link utilisation above a fixed threshold:

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#rmon event 6 log trap ORATRAP description "Bandwidth utilization has exceeded threshold on Router interface Serial 0/0" owner ijbrown
Router(config)#rmon event 7 log trap ORATRAP description "Bandwidth utilization has normalized on Router interface Serial 0/0" owner ijbrown
Router(config)#! Configure inbound alarm on Serial0/0 (ifNumber 3)
Router(config)#rmon alarm 4 lifEntry.6.3 300 absolute rising-threshold 1000000 6 falling-threshold 800000 7 owner ijbrown
Router(config)#! Configure outbound alarm on Serial0/0 (ifNumber 3)
Router(config)#rmon alarm 5 lifEntry.8.3 300 absolute rising-threshold 1000000 6 falling-threshold 800000 7 owner ijbrown
Router(config)#end
Router#

Note: the router has this inexpensive monitoring scheme built in.

Router>show rmon events
Event 1 is active, owned by ijbrown
Description is CPU on Router has exceeded threshold
Event firing causes log and trap to community ORATRAP, last fired 00:00:00
Event 2 is active, owned by ijbrown
Description is CPU on Router has normalized
Event firing causes log, last fired 2w2d
Current log entries:
index time description
1 2w2d CPU on Router has normalized
Router>
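The rising/falling threshold pairs above follow the RMON alarm state machine of RFC 2819, which is why an event fires once when a threshold is crossed and not on every sample that stays above it. The model below is an added example, not IOS code or the original post's; the alarms and events are the page's own, while the sample values fed to them are constructed.

```python
"""The RFC 2819 alarm/event state machine behind
`rmon alarm N <oid> <interval> absolute|delta rising-threshold X <ev> falling-threshold Y <ev>`.
Added example, not IOS code; the alarms and events are the page's own, the polled values are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class RmonEvent:
    index: int
    description: str
    trap_community: Optional[str] = None      # None: `log` only, like event 2 on the page


@dataclass
class RmonAlarm:
    index: int
    variable: str              # sampled OID, e.g. lsystem.57.0 (avgBusy1) or lsystem.8.0 (freeMem)
    sample_type: str           # "absolute" or "delta"
    rising_threshold: int
    rising_event: Optional[int]
    falling_threshold: int
    falling_event: Optional[int]
    _prev_raw: Optional[int] = field(default=None, init=False, repr=False)
    _last_event: Optional[str] = field(default=None, init=False, repr=False)

    def sample(self, raw: int) -> Optional[int]:
        """Feed one poll of the variable; return the index of the event fired, or None."""
        if self.sample_type == "delta":
            if self._prev_raw is None:         # delta mode needs two polls before it can compare
                self._prev_raw = raw
                return None
            value, self._prev_raw = raw - self._prev_raw, raw
        else:
            value = raw
        # Hysteresis (RFC 2819 alarmRisingThreshold / alarmFallingThreshold): after a rising
        # event no further rising event fires until a falling event has been generated, and
        # vice versa. With the default alarmStartupAlarm the very first sample may fire either.
        if value >= self.rising_threshold and self._last_event != "rising":
            self._last_event = "rising"
            return self.rising_event
        if value <= self.falling_threshold and self._last_event != "falling":
            self._last_event = "falling"
            return self.falling_event
        return None


def run(alarm: RmonAlarm, events: List[RmonEvent], samples: List[int]) -> List[Tuple[int, str]]:
    """Replay a series of polls; return (sample, event description) for every event fired."""
    by_index: Dict[int, RmonEvent] = {e.index: e for e in events}
    fired: List[Tuple[int, str]] = []
    for s in samples:
        idx = alarm.sample(s)
        if idx is not None:
            fired.append((s, by_index[idx].description))
    return fired


CPU_EVENTS = [RmonEvent(1, "CPU on Router has exceeded threshold", "ORATRAP"),
              RmonEvent(2, "CPU on Router has normalized")]
MEM_EVENTS = [RmonEvent(4, "Low memory condition on Router", "ORATRAP"),
              RmonEvent(5, "Low Memory condition cleared on Router", "ORATRAP")]


def cpu_alarm() -> RmonAlarm:
    # rmon alarm 1 lsystem.57.0 60 absolute rising-threshold 70 1 falling-threshold 40 2
    return RmonAlarm(1, "lsystem.57.0", "absolute", 70, 1, 40, 2)


def memory_alarm() -> RmonAlarm:
    # rmon alarm 3 lsystem.8.0 60 absolute rising-threshold 1500000 5 falling-threshold 1000000 4
    # Free memory: the *falling* crossing is the problem (event 4); rising is the clear (event 5).
    return RmonAlarm(3, "lsystem.8.0", "absolute", 1500000, 5, 1000000, 4)


if __name__ == "__main__":
    # Constructed one-minute CPU readings: 75 fires once, 80 does not, 35 clears, 72 fires again.
    print(run(cpu_alarm(), CPU_EVENTS, [50, 75, 80, 50, 35, 72]))
    print(run(memory_alarm(), MEM_EVENTS, [1200000, 900000, 950000, 1300000, 1600000]))
```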

17.21. Enabling SNMPv3

Problem: enable SNMPv3 for better security.

Solution:

(noAuthNoPriv):

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#snmp-server view TESTV3 mib-2 include
Router(config)#snmp-server group NOTSAFE v3 noauth read TESTV3
Router(config)#snmp-server user WEAK NOTSAFE v3
Router(config)#end
Router#

(authNoPriv):

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#snmp-server view TESTV3 mib-2 include
Router(config)#snmp-server group ORAROV3 v3 auth read TESTV3
Router(config)#snmp-server user cking ORAROV3 v3 auth md5 daytona19y
Router(config)#end
Router#

(authPriv):

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#snmp-server view TESTV3 mib-2 include
Router(config)#snmp-server group ORAROV3 v3 auth read TESTV3
Router(config)#snmp-server user bpugsley ORAROV3 v3 auth md5 hockeyrules priv des56 shortguy
Router(config)#end
Router#

Note: the biggest advantage of v3 is the added security; the example shows the three security levels to choose from.

17.22. Stronger SNMPv3 encryption

Problem: strengthen the encryption used by SNMPv3.

Solution: from 12.4(2)T onward stronger encryption methods are available:

Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#snmp-server user wbrejniak ORAROV3 v3 auth md5 authpass priv 3des privpass
Router1(config)#end
Router1#

or:

Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#snmp-server user wbrejniak ORAROV3 v3 auth md5 authpass priv aes 128 privpass
Router1(config)#end
Router1#

Note: none.
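What the snmp-server user commands in 17.21 and 17.22 actually store on the router is not the password but keys derived from it under RFC 3414: the password is hashed into Ku and then localized with the engine ID into Kul. The code below is an added example (not IOS or net-snmp code, not the original post's) that carries out both steps for the three security levels on the page. The passwords are the page's own; the engine IDs are RFC 3414's test value and one constructed one (on a real router, show snmp engineID displays the actual value).

```python
"""RFC 3414 password-to-key and key localization, as performed for
`snmp-server user <name> <group> v3 auth md5|sha <pass> [priv des56|aes 128 <pass>]`.
Added example, not IOS or net-snmp code. Passwords are the page's own; the engine IDs are
RFC 3414's test vector value and a constructed one."""
import hashlib
from typing import Dict, Optional

ONE_MEGABYTE = 1048576          # RFC 3414 A.2: the password is repeated out to this many bytes


def password_to_key(password: str, algorithm: str) -> bytes:
    """Ku = H(password repeated to 1,048,576 bytes). algorithm: "md5" (auth md5) or "sha1" (auth sha)."""
    pw = password.encode("utf-8")
    if not pw:
        raise ValueError("empty password")
    expanded = (pw * (ONE_MEGABYTE // len(pw) + 1))[:ONE_MEGABYTE]
    return hashlib.new(algorithm, expanded).digest()


def localize_key(ku: bytes, engine_id: bytes, algorithm: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the key the agent stores, usable only on that engine."""
    return hashlib.new(algorithm, ku + engine_id + ku).digest()


def usm_user_keys(level: str, engine_id: bytes, auth_alg: str = "md5",
                  auth_pass: Optional[str] = None, priv_alg: Optional[str] = None,
                  priv_pass: Optional[str] = None) -> Dict[str, Optional[bytes]]:
    """Keys an agent holds for one user at one of 17.21's security levels.
    noAuthNoPriv (group NOTSAFE / user WEAK): nothing is derived, so any sender that names the
    user is accepted and the exchange is readable on the wire."""
    keys: Dict[str, Optional[bytes]] = {"auth": None, "priv": None}
    if level == "noAuthNoPriv":
        return keys
    if auth_pass is None:
        raise ValueError(f"{level} requires an authentication password")
    keys["auth"] = localize_key(password_to_key(auth_pass, auth_alg), engine_id, auth_alg)
    if level == "authPriv":
        if priv_pass is None:
            raise ValueError("authPriv requires a privacy password")
        # The privacy password goes through the same two steps with the *auth* hash (RFC 3414, RFC 3826).
        kul = localize_key(password_to_key(priv_pass, auth_alg), engine_id, auth_alg)
        if priv_alg == "des56":
            keys["priv"] = kul[:8]      # RFC 3414 8.1.1.1: first 8 octets are the DES key, next 8 the pre-IV
        elif priv_alg == "aes128":
            keys["priv"] = kul[:16]     # RFC 3826 3.1.2.1: first 128 bits
        else:
            raise ValueError(f"unsupported privacy algorithm {priv_alg!r}")
    return keys


RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")     # RFC 3414 A.3 test vector engine
OTHER_ENGINE_ID = bytes.fromhex("800000090300001122334455")       # constructed, enterprise-9 format


def page_users(engine_id: bytes) -> Dict[str, Dict[str, Optional[bytes]]]:
    """The three users configured in 17.21, as the agent would store them for `engine_id`."""
    return {
        "WEAK": usm_user_keys("noAuthNoPriv", engine_id),
        "cking": usm_user_keys("authNoPriv", engine_id, "md5", "daytona19y"),
        "bpugsley": usm_user_keys("authPriv", engine_id, "md5", "hockeyrules", "des56", "shortguy"),
    }


if __name__ == "__main__":
    for name, keys in page_users(RFC3414_ENGINE_ID).items():
        print(name, {k: (v.hex() if v else None) for k, v in keys.items()})
```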

17.23. Using SAA

Problem: configure the router to poll another device automatically and collect performance statistics.

Solution:

Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#rtr responder
Router1(config)#rtr 10
Router1(config-rtr)#type echo protocol ipIcmpEcho 10.1.2.3
Router1(config-rtr)#tag ECHO_TEST
Router1(config-rtr)#threshold 1000
Router1(config-rtr)#frequency 300
Router1(config-rtr)#exit
Router1(config)#rtr schedule 10 life 2147483647 start-time now
Router1(config)#rtr 20
Router1(config-rtr)#type jitter dest-ipaddr 10.1.2.3 dest-port 99 num-packets 100
Router1(config-rtr)#tag JITTER_TEST
Router1(config-rtr)#frequency 300
Router1(config-rtr)#exit
Router1(config)#rtr schedule 20 life 100000 start-time now ageout 3600
Router1(config)#exit
Router1#

The target router, which responds to the SAA tests:

Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#rtr responder
Router2(config)#exit
Router2#

Note: none.

2007/3/21 7:35


Reply: Cisco IOS Cookbook Chinese condensed edition (posted by the site administrator)

Cisco IOS Cookbook Chinese condensed edition, Chapter 18: Logging

18.1. 启用本地路由器日志

提问 实现路由器自身保存日志记录,而不仅仅是显示在终端上

回答

Router#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#logging buffered informational

Router(config)#end

Router#

注释 缺省日志记录为debugging级别,例子中为informational忽略掉了debug消息。禁用使用下面命令

Router#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#no logging buffered

Router(config)#end

Router#



18.2. 设定日志记录大小

提问 改变路由器保存日志记录的大小

回答

Router#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#logging buffered 16000

Router(config)#end

Router#

Note: Be aware that changing the buffer size clears the existing log records.

18.3. Clearing the router's log

Question: Clear the router's log records

Answer

Router#clear logging

Clear logging buffer [confirm]<enter>

Router#

Note: none

18.4. Displaying log messages on the screen

Question: Display log messages in real time on the terminal screen

Answer

Enable

Router#terminal monitor

Router#

Disable

Router#terminal no monitor

Router#

Note: By default, log messages are shown only on the console; to see them in a VTY session you must use the command above

18.5. Using a remote log server

Question: Send log messages to a remote log server

Answer

Router#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#logging 172.25.1.1

Router(config)#end

Router#

From 12.2(15)T onward, the following command form can also be used

Router2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router2(config)#logging host 172.25.1.1

Router2(config)#end

Router2#

Note: 12.2(15)T added a feature that includes the router's hostname in the records it sends. The following is the original log record

Jul 15 20:35:07 172.25.1.100: Jul 15 20:35:07.499 EDT: %SYS-5-CONFIG_I: Configured from console by ijbrown on vty0 (172.25.1.1)

The following is the record with the feature enabled

Jul 15 20:37:05 172.25.1.100: Router2: Jul 15 20:37:05.173 EDT: %SYS-5-CONFIG_I: Configured from console by ijbrown on vty0 (172.25.1.1)

Configuration:

Router2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router2(config)#logging origin-id hostname

Router2(config)#end

Router2#

18.6. Enabling the syslog service on a Unix server

Question: Configure a Unix server to receive syslog records

Answer

Usually all that is needed is the following line in /etc/syslog.conf

local7.info /var/log/rtrlog

Note: By default the router uses the local7 logging facility

18.7. Changing the default log facility

Question: Change the default log facility

Answer

Router#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#logging host 172.25.1.1

Router(config)#logging facility local6

Router(config)#end

Router#

Note: none

18.8. Limiting which log messages are sent to the server

Question: Limit the log messages sent to the server to particular severity levels

Answer

Router#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#logging host 172.25.1.1

Router(config)#logging trap notifications

Router(config)#end

Router#

Note: none

18.9. Setting the source address of syslog messages

Question: Make the router use a specific source address for its syslog messages

Answer

Router#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#logging host 172.25.1.1

Router(config)#logging source-interface Loopback0

Router(config)#end

Router#

Note: With this, if address-to-name translation is set up on the log server, the effect shown below can be obtained

Apr 2 20:27:01 172.25.2.6 94: %SYS-5-CONFIG_I: Configured from on vty0

Apr 2 20:27:48 Boston 95: %SYS-5-CONFIG_I: Configured from on vty0

18.10. Logging router records to different files

Note: omitted

18.11. Maintaining log records on the server

Note: uses scripts to archive log records automatically and so on; omitted

18.12. Testing the log server configuration

Note: uses a script to test whether the log server configuration is correct; omitted

18.13. Preventing common messages from being logged

Question: Suppress common messages such as interface state changes from the log

Answer

Router#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#interface Serial0/0

Router(config-if)#no logging event link-status

Router(config-if)#no logging event dlci-status-change

Router(config-if)#no logging event subif-link-status

Router(config-if)#exit

Router(config)#end

Router#

Note: omitted

18.14. Rate-limiting log messages

Question: Limit the volume of log traffic sent to the server

Answer

Router#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#logging host 172.25.1.1

Router(config)#logging rate-limit 30 except warnings

Router(config)#end

Router#

Limiting the number of log messages sent to the console

Router#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#logging rate-limit console 25 except warnings

Router(config)#end

Router#

Note: none

18.15. Enabling log message counting

Question: Count the types and number of router log messages

Answer

Router2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router2(config)#logging count

Router2(config)#end

Router2#

Note

Router2#show logging count
Facility       Message Name                    Sev  Occur  Last Time
==================================================================================
NTP            PEERREACH                         6      3  Jul 13 20:31:34.441
NTP            PEERSYNC                          5      1  Jul 13 20:23:03.571
NTP            PEERUNREACH                       4      3  Jul 13 20:22:00.435
NTP            RESTART                           6      1  Jan 31 14:13:33.769
-------------  -------------------------------  ----------------------------------
NTP            TOTAL                                    8



18.16. Generating log records in XML format

Question: Send logs in XML format

Answer

Router2# configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router2(config)#logging console xml

Router2(config)#logging monitor xml

Router2(config)#logging buffered xml

Router2(config)#logging host 172.25.1.1 xml

Router2(config)#end

Router2#

Note: This feature was introduced in 12.2(15)T and makes post-processing easier

18.17. Modifying log records

Question: Modify certain attributes of system log messages

Answer

First write the TCL script (here delcounters.tcl, which drops all log messages carrying the mnemonic COUNTERS)

# delcounters.tcl This script deletes all log messages that
# have the mnemonic "COUNTERS".
if { [string compare -nocase COUNTERS $::mnemonic ] == 0 } {
    return ""
} else {
    return $::orig_msg
}

Then reference the script

Router2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router2(config)#logging filter tftp://172.25.1.1/delcounters.tcl

Router2(config)#logging host 172.25.1.1 filtered

Router2(config)#end

Router2#

Note: The Embedded Syslog Manager (ESM), introduced in 12.3(2)T, provides a programmatic interface that gives full control over filtering and modifying log messages, driven mainly by TCL scripts.

2007/3/21 7:37
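As an added example (not code from the Cisco IOS Cookbook or from this post), the following Python parses syslog lines on the receiving server in the shapes shown under 18.5 and 18.9 above: with and without the hostname inserted by `logging origin-id hostname`, and with the sequence number some routers prepend. It also applies the `logging trap <level>` threshold of 18.8 on the receiving side, which is useful when you want to confirm what a given trap level will let through before changing the router. The four sample lines are the ones quoted on the page; the record field names and the helpers parse_line and passes_trap_level are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# IOS severity names -> numeric level, the scale `logging trap <level>` uses.
SEVERITY_LEVELS = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Server prefix (receive timestamp, the source the server saw), then the
# optional router-side fields: origin-id hostname, sequence number, device
# timestamp, and finally the %FACILITY-SEVERITY-MNEMONIC: tag and the text.
_LINE = re.compile(
    r"^(?P<recv_ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<source>\S+?):? "
    r"(?:(?P<origin>[A-Za-z][\w.-]*): )?"
    r"(?:(?P<seq>\d+): )?"
    r"(?:(?P<dev_ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d+)?"
    r"(?: [A-Z]{3,4})?): )?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)

# The four lines quoted on the page under 18.5 and 18.9.
SAMPLE_LINES = [
    "Jul 15 20:35:07 172.25.1.100: Jul 15 20:35:07.499 EDT: %SYS-5-CONFIG_I: "
    "Configured from console by ijbrown on vty0 (172.25.1.1)",
    "Jul 15 20:37:05 172.25.1.100: Router2: Jul 15 20:37:05.173 EDT: "
    "%SYS-5-CONFIG_I: Configured from console by ijbrown on vty0 (172.25.1.1)",
    "Apr 2 20:27:01 172.25.2.6 94: %SYS-5-CONFIG_I: Configured from on vty0",
    "Apr 2 20:27:48 Boston 95: %SYS-5-CONFIG_I: Configured from on vty0",
]


@dataclass
class SyslogRecord:
    recv_ts: str            # timestamp stamped by the receiving server
    source: str             # address or name the server attributed the packet to
    origin: Optional[str]   # hostname inserted by `logging origin-id hostname`
    seq: Optional[int]      # sequence number, when the router prepends one
    dev_ts: Optional[str]   # the router's own timestamp, when present
    facility: str
    severity: int
    mnemonic: str
    text: str

    @property
    def device(self) -> str:
        """Identifier to attribute the event to: the origin-id wins when present,
        because the source address may be translated or may change with
        `logging source-interface`; otherwise fall back to what the server saw."""
        return self.origin or self.source


def parse_line(line: str) -> Optional[SyslogRecord]:
    """Parse one received line; return None for lines not in IOS format."""
    m = _LINE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    g = m.groupdict()
    return SyslogRecord(
        recv_ts=g["recv_ts"], source=g["source"], origin=g["origin"],
        seq=int(g["seq"]) if g["seq"] is not None else None, dev_ts=g["dev_ts"],
        facility=g["facility"], severity=int(g["severity"]),
        mnemonic=g["mnemonic"], text=g["text"],
    )


def passes_trap_level(rec: SyslogRecord, level: str) -> bool:
    """Apply the `logging trap <level>` rule: keep messages at the named
    severity or more severe (numerically lower level)."""
    return rec.severity <= SEVERITY_LEVELS[level]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_line(line)
        print(f"{rec.device:<14} {rec.facility}-{rec.severity}-{rec.mnemonic} "
              f"seq={rec.seq} dev_ts={rec.dev_ts} "
              f"notifications={passes_trap_level(rec, 'notifications')}")
```

Running it shows why origin-id matters for attribution: the first line can only be tied to 172.25.1.100, while the second carries Router2 regardless of what address the server saw the packet from.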
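An added example, not the book's or Cisco's code: a small Python model of the `logging rate-limit 30 except warnings` behaviour from 18.14, where at most 30 messages pass per second and messages at severity warnings or more severe bypass the limit, so a burst of low-priority messages cannot crowd out the ones an operator needs to see. The burst it feeds through is constructed for this example, and the class and function names are this example's own.

```python
from typing import Iterable, List, Optional, Tuple

# IOS severity numbers: 0 = emergencies ... 4 = warnings ... 7 = debugging.
WARNINGS = 4


class LogRateLimiter:
    """Per-second message budget with an optional severity exemption.

    Models `logging rate-limit <n> except <level>`: at most `per_second`
    messages pass in any one-second window; messages at `except_level` or
    more severe (a numerically lower level) bypass the limit entirely.
    """

    def __init__(self, per_second: int, except_level: Optional[int] = None):
        self.per_second = per_second
        self.except_level = except_level
        self._window: Optional[int] = None   # whole second currently counted
        self._sent = 0
        self.dropped = 0

    def allow(self, timestamp: float, severity: int) -> bool:
        """Return True if a message of this severity may be sent now."""
        if self.except_level is not None and severity <= self.except_level:
            return True                      # exempt: never rate-limited
        second = int(timestamp)
        if second != self._window:           # a new one-second window
            self._window, self._sent = second, 0
        if self._sent < self.per_second:
            self._sent += 1
            return True
        self.dropped += 1
        return False


def make_burst() -> List[Tuple[float, int]]:
    """Constructed traffic: 50 informational messages and 5 warnings inside
    one second, then 10 informational messages in the following second."""
    burst = [(100.0 + i / 100, 6) for i in range(50)]
    burst += [(100.5, WARNINGS)] * 5
    burst += [(101.0 + i / 100, 6) for i in range(10)]
    return burst


def run_burst(limiter: LogRateLimiter,
              burst: Iterable[Tuple[float, int]]) -> Tuple[int, int]:
    """Feed (timestamp, severity) events through the limiter; return
    (allowed, dropped) counts."""
    allowed = total = 0
    for ts, sev in burst:
        total += 1
        if limiter.allow(ts, sev):
            allowed += 1
    return allowed, total - allowed


if __name__ == "__main__":
    print("except warnings:", run_burst(LogRateLimiter(30, WARNINGS), make_burst()))
    print("no exemption:   ", run_burst(LogRateLimiter(30), make_burst()))
```

With the exemption, the 5 warnings always get through and only the surplus informational messages in the first second are dropped; without it, the warnings arrive after the budget is spent and are lost with the rest.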
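As an added example, not the book's code, here is the filtering logic of delcounters.tcl from 18.17 written in Python and chained the way ESM applies `logging filter` scripts (an empty return drops the message), combined with a per-facility and per-mnemonic count in the style of `show logging count` from 18.15. The sample messages are constructed for this example: the NTP mnemonics mirror the counts in the table under 18.15, and the CLEAR-5-COUNTERS messages are the kind the script discards. The function names are this example's own.

```python
import re
from collections import Counter
from typing import Callable, Dict, Iterable, List, Tuple

# The %FACILITY-SEVERITY-MNEMONIC: tag that every IOS message carries.
TAG = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):")

# Constructed sample messages (router-side text, before any server prefix).
SAMPLE_MESSAGES = [
    "Jan 31 14:13:33.769: %NTP-6-RESTART: NTP process starts",
    "Jul 13 20:21:00.111: %NTP-4-PEERUNREACH: Peer 172.25.1.1 is unreachable",
    "Jul 13 20:21:30.222: %NTP-4-PEERUNREACH: Peer 172.25.1.1 is unreachable",
    "Jul 13 20:22:00.435: %NTP-4-PEERUNREACH: Peer 172.25.1.1 is unreachable",
    "Jul 13 20:23:03.571: %NTP-5-PEERSYNC: NTP synced to peer 172.25.1.1",
    "Jul 13 20:25:00.123: %CLEAR-5-COUNTERS: Clear counter on all interfaces by admin on vty0",
    "Jul 13 20:29:34.441: %NTP-6-PEERREACH: Peer 172.25.1.1 is reachable",
    "Jul 13 20:30:34.441: %NTP-6-PEERREACH: Peer 172.25.1.1 is reachable",
    "Jul 13 20:31:00.123: %CLEAR-5-COUNTERS: Clear counter on all interfaces by admin on vty0",
    "Jul 13 20:31:34.441: %NTP-6-PEERREACH: Peer 172.25.1.1 is reachable",
]

Filter = Callable[[str], str]
# (facility, mnemonic) -> (severity, occurrences, timestamp of last occurrence)
Stats = Dict[Tuple[str, str], Tuple[int, int, str]]


def delete_counters(msg: str) -> str:
    """Same rule as delcounters.tcl: drop the message (return "") when its
    mnemonic is COUNTERS, case-insensitively; otherwise pass it unchanged."""
    m = TAG.search(msg)
    if m and m["mnemonic"].upper() == "COUNTERS":
        return ""
    return msg


def apply_filters(messages: Iterable[str], filters: List[Filter]) -> List[str]:
    """Run each message through the filter chain in order, as ESM does: a
    filter returning "" drops the message and ends the chain for it; any
    other return value becomes the input of the next filter."""
    kept = []
    for msg in messages:
        for flt in filters:
            msg = flt(msg)
            if msg == "":
                break
        if msg:
            kept.append(msg)
    return kept


def count_messages(messages: Iterable[str]) -> Stats:
    """Tally messages per (facility, mnemonic), keeping the severity and the
    timestamp of the most recent occurrence, like `show logging count`."""
    stats: Stats = {}
    for msg in messages:
        m = TAG.search(msg)
        if not m:
            continue                      # not an IOS-tagged message
        key = (m["facility"], m["mnemonic"])
        last = msg[: m.start()].rstrip(": ").strip()   # leading device timestamp
        sev, n, _ = stats.get(key, (int(m["severity"]), 0, ""))
        stats[key] = (sev, n + 1, last)
    return stats


def facility_totals(stats: Stats) -> Counter:
    """Per-facility totals, the TOTAL rows of `show logging count`."""
    totals: Counter = Counter()
    for (facility, _), (_, n, _) in stats.items():
        totals[facility] += n
    return totals


def render_count_table(stats: Stats) -> str:
    """Render the tally in the column layout of `show logging count`."""
    lines = [f"{'Facility':<10}{'Message Name':<16}{'Sev':>4}{'Occur':>7}  Last Time"]
    for (fac, mnem), (sev, n, last) in sorted(stats.items()):
        lines.append(f"{fac:<10}{mnem:<16}{sev:>4}{n:>7}  {last}")
    for fac, n in sorted(facility_totals(stats).items()):
        lines.append(f"{fac:<10}{'TOTAL':<16}{'':>4}{n:>7}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_count_table(count_messages(apply_filters(SAMPLE_MESSAGES, [delete_counters]))))
```

Counting after filtering, as above, reproduces the NTP rows of the page's table; counting the raw messages instead also shows the two CLEAR-5-COUNTERS messages, which is a quick way to check what a filter script is actually removing before pointing `logging filter` at it.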
Copyright © 2001-2010 安信网络. All Rights Reserved
京ICP备05056747号