Reply: Cisco IOS Cookbook, Chinese condensed edition
Site administrator
Cisco IOS Cookbook, Chinese condensed edition: Chapter 19, Access Lists


19.1. Filtering by source or destination address

Problem: block packets coming from, or going to, a particular address

Solution

Use a standard access list to block packets from a specific source address:

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#access-list 50 deny host 10.2.2.2

Router1(config)#access-list 50 permit any

Router1(config)#interface Serial0/1

Router1(config-if)#ip access-group 50 in

Router1(config-if)#exit

Router1(config)#end

Router1#

Use an extended access list to block packets from a specific source address to a specific destination address:

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#access-list 150 deny ip host 10.2.2.2 host 172.25.25.1

Router1(config)#access-list 150 permit ip any any

Router1(config)#interface Serial0/1

Router1(config-if)#ip access-group 150 in

Router1(config-if)#exit

Router1(config)#end

Router1#

Discussion

19.2. Adding comments to an ACL

Problem: add comments to an access list so that it is easier to read

Solution

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#access-list 50 remark Authorizing thy trespass with compare

Router1(config)#access-list 50 deny host 10.2.2.2

Router1(config)#access-list 50 permit 10.2.2.0 0.0.0.255

Router1(config)#access-list 50 permit any

Router1(config)#end

Router1#

Or:

Router2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router2(config)#ip access-list standard TESTACL

Router2(config-std-nacl)#remark Authorizing thy trespass with compare

Router2(config-std-nacl)#deny host 10.2.2.2

Router2(config-std-nacl)#permit 10.2.2.0 0.0.0.255

Router2(config-std-nacl)#permit any

Router2(config-std-nacl)#end

Router2#

Discussion: the remarks are not visible in the output of the show access-list command.

19.3. Filtering by application

Problem: filter traffic according to the application

Solution

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#access-list 151 permit tcp any any eq www

Router1(config)#access-list 151 deny tcp any any gt 1023

Router1(config)#access-list 151 permit icmp any any

Router1(config)#access-list 151 permit udp any any eq ntp

Router1(config)#access-list 151 deny ip any any

Router1(config)#interface Serial0/1

Router1(config-if)#ip access-group 151 in

Router1(config-if)#exit

Router1(config)#end

Router1#

Discussion: none

19.4. Filtering on TCP header flags

Problem: filter on the flag bits in the TCP header

Solution

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#access-list 161 deny tcp any any ack fin psh rst syn urg

Router1(config)#access-list 161 deny tcp any any rst syn

Router1(config)#access-list 161 deny tcp any any rst syn fin

Router1(config)#access-list 161 deny tcp any any rst syn fin ack

Router1(config)#access-list 161 deny tcp any any syn fin

Router1(config)#access-list 161 deny tcp any any syn fin ack

Router1(config)#end

Router1#

Starting with 12.3(4)T a new command format is available:

Router2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router2(config)#ip access-list extended TCPFLAGFILTER

Router2(config-ext-nacl)#deny tcp any any match-all +ack +fin +psh +rst +syn +urg

Router2(config-ext-nacl)#deny tcp any any match-all +rst +syn

Router2(config-ext-nacl)#deny tcp any any match-all +rst +syn +fin

Router2(config-ext-nacl)#deny tcp any any match-all +rst +syn +fin +ack

Router2(config-ext-nacl)#deny tcp any any match-all +syn +fin

Router2(config-ext-nacl)#deny tcp any any match-all +syn +fin +ack

Router2(config-ext-nacl)#end

Router2#

Discussion: the TCP header has six flag bits: ACK, SYN, FIN, RST, PSH and URG. The new command format introduces the two keywords match-all and match-any. match-any behaves like the traditional form: it only cares that the listed flags are set, regardless of how the other flags are set; match-all requires every listed flag condition to be met.

19.5. Restricting the direction of TCP sessions

Problem: filter TCP sessions so that only clients can initiate the application

Solution

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#access-list 148 permit tcp any eq telnet any established

Router1(config)#access-list 148 deny ip any any

Router1(config)#interface FastEthernet0/0

Router1(config-if)#ip access-group 148 in

Router1(config-if)#exit

Router1(config)#end

Router1#

Discussion

19.6. Filtering applications that use multiple ports

Problem: filter applications that open several ports

Solution

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#access-list 152 permit tcp any any eq ftp

Router1(config)#access-list 152 permit tcp any any eq ftp-data established

Router1(config)#interface FastEthernet0/0

Router1(config-if)#ip access-group 152 in

Router1(config-if)#exit

Router1(config)#end

Router1#

Discussion: for other multiport applications the following forms can be used:

Router1(config)#access-list 154 permit udp any any range 6000 6063

Router1(config)#access-list 155 deny udp any any gt 1023

Router1(config)#access-list 156 permit udp any any lt 1024

Router1(config)#access-list 157 permit udp any any neq 666

19.7. Filtering on DSCP and TOS

Problem: filter according to the IP quality-of-service information

Solution

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#access-list 162 permit ip any any dscp af11

Router1(config)#end

Or:

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#access-list 162 permit ip any any tos max-reliability

Router1(config)#end



Discussion

19.8. Logging when an access list is triggered

Problem: log information about the packets that trigger an access list

Solution

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#access-list 150 permit ip any any log

Router1(config)#interface Serial0/1

Router1(config-if)#ip access-group 150 in

Router1(config-if)#exit

Router1(config)#end

Router1#

For more detailed information:

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#access-list 150 permit tcp any any log-input

Router1(config)#access-list 150 permit ip any any

Router1(config)#interface Serial0/1

Router1(config-if)#ip access-group 150 in

Router1(config-if)#exit

Router1(config)#end

Router1#

Discussion: log messages from the first example:

Feb 6 13:01:19: %SEC-6-IPACCESSLOGRP: list 150 permitted ospf 10.1.1.1 -> 224.0.0.5, 9 packets

Feb 6 13:01:19: %SEC-6-IPACCESSLOGDP: list 150 permitted icmp 10.1.1.1 -> 10.1.1.2 (0/0), 4 packets

Log messages from the second example:

Feb 6 14:56:34: %SEC-6-IPACCESSLOGP: list 150 permitted tcp 172.25.1.1(0) (FastEthernet0/0.1 0010.4b09.5700) -> 172.25.25.1(0), 1 packet

Note that the log-input keyword applies only to extended access lists.

19.9. Logging TCP sessions

Problem: count the number of TCP sessions

Solution

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#access-list 122 permit tcp any any eq telnet established

Router1(config)#access-list 122 permit tcp any any eq telnet

Router1(config)#access-list 122 permit ip any any

Router1(config)#interface Serial0/0

Router1(config-if)#ip access-group 122 in

Router1(config-if)#exit

Router1(config)#end

Router1#

Or:

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#access-list 121 permit tcp any any eq telnet syn

Router1(config)#access-list 121 permit tcp any any eq telnet

Router1(config)#access-list 121 permit ip any any

Router1(config)#interface Serial0/0

Router1(config-if)#ip access-group 121 in

Router1(config-if)#exit

Router1(config)#end

Router1#

Discussion: for the first example:

Router1#show access-list 122

Extended IP access list 122

permit tcp any any eq telnet established (3843 matches)

permit tcp any any eq telnet (6 matches)

permit ip any any (31937 matches)

Router1#

The output shows that a total of six Telnet sessions passed through the interface, carrying 3,843 + 6 = 3,849 Telnet packets.

19.10. Analyzing ACL log entries

Discussion: the original uses a script to analyze the generated ACL logs; omitted here for now.

19.11. Using named and reflexive access lists

Problem: use a reflexive access list inside a named access list

Solution

A basic named access list is similar to a numbered access list:

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#ip access-list standard STANDARD-ACL

Router1(config-std-nacl)#remark This is a standard ACL

Router1(config-std-nacl)#permit any log

Router1(config-std-nacl)#exit

Router1(config)#ip access-list extended EXTENDED-ACL

Router1(config-ext-nacl)#remark This is an extended ACL

Router1(config-ext-nacl)#deny tcp any any eq www

Router1(config-ext-nacl)#permit ip any any log

Router1(config-ext-nacl)#exit

Router1(config)#interface Serial0/1

Router1(config-if)#ip access-group STANDARD-ACL in

Router1(config-if)#exit

Router1(config)#end

Router1#

The following embeds a reflexive access list to allow ping in one direction only:

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#ip access-list extended PING-OUT

Router1(config-ext-nacl)#permit icmp any any reflect ICMP-REFLECT timeout 15

Router1(config-ext-nacl)#permit ip any any

Router1(config-ext-nacl)#exit

Router1(config)#ip access-list extended PING-IN

Router1(config-ext-nacl)#evaluate ICMP-REFLECT

Router1(config-ext-nacl)#deny icmp any any log

Router1(config-ext-nacl)#permit ip any any

Router1(config-ext-nacl)#exit

Router1(config)#interface Serial0/1

Router1(config-if)#ip access-group PING-OUT out

Router1(config-if)#ip access-group PING-IN in

Router1(config-if)#end

Router1#

Discussion: in this example the reflexive access list controls the returning ICMP responses.


19.12. Handling passive-mode FTP

Problem: handle passive-mode FTP

Solution

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#access-list 144 permit tcp any gt 1023 any eq ftp

Router1(config)#access-list 144 permit tcp any gt 1023 any gt 1023

Router1(config)#access-list 144 deny ip any any

Router1(config)#interface Serial0/0.1

Router1(config-subif)#ip access-group 144 in

Router1(config-subif)#exit

Router1(config)#end

Router1#

Discussion: in passive-mode FTP the client opens a second connection to the server on a port above 1024, so all ports above 1024 must be opened for such sessions. The configuration in the example solves the problem but reduces security; later chapters describe a more effective way of handling this.

19.13. Using time-based access lists

Problem: control an application according to the time of day

Solution

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#time-range NOSURF

Router1(config-time-range)# periodic weekdays 9:00 to 17:00

Router1(config-time-range)#exit

Router1(config)#ip access-list extended NOSURFING

Router1(config-ext-nacl)# deny tcp any any eq www time-range NOSURF

Router1(config-ext-nacl)# permit ip any any

Router1(config-ext-nacl)#exit

Router1(config)#interface FastEthernet0/1

Router1(config-if)#ip access-group NOSURFING in

Router1(config-if)#end

Router1#

Discussion: a time range may contain several periodic statements.

19.14. Filtering on non-contiguous ports

Problem: configure an efficient filter for non-contiguous ports

Solution

Router2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router2(config)#ip access-list extended OREILLY

Router2(config-ext-nacl)#permit tcp any host 172.25.100.100 eq 80 23 25 110 514 21

Router2(config-ext-nacl)#end

Router2#

Discussion: contiguous ports are normally filtered with a command such as permit tcp any any range 20 25, whereas non-contiguous ports used to require several commands of the form permit tcp any host 172.25.100.100 eq 80. Since 12.3(7)T the form shown in the example can be used to simplify this.

19.15. Editing access lists

Problem: edit an access list in place

Solution

Insert an entry into an existing access list:

Router2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router2(config)#ip access-list extended OREILLY

Router2(config-ext-nacl)#12 permit tcp any host 172.25.100.100 eq 20

Router2(config-ext-nacl)#end

Router2#

Resequence the entries of the access list:

Router2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router2(config)#ip access-list resequence OREILLY 10 10

Router2(config)#end

Router2#

Delete a specific access list entry:

Router2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router2(config)#ip access-list extended OREILLY

Router2(config-ext-nacl)#no 60

Router2(config-ext-nacl)#end

Router2#

Discussion: since 12.3(2)T the router supports sequence numbers on access list entries, in steps of 10 by default, which makes editing an access list convenient:

Router2#show ip access-lists OREILLY

Extended IP access list OREILLY

10 permit tcp any host 172.25.100.100 eq www

20 permit tcp any host 172.25.100.100 eq telnet

30 permit tcp any host 172.25.100.100 eq smtp

40 permit tcp any host 172.25.100.100 eq pop3

50 permit tcp any host 172.25.100.100 eq cmd



19.16. Filtering IPv6

Problem: filter IPv6 packets

Solution

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#ipv6 access-list EXAMPLES

Router1(config-ipv6-acl)#permit ipv6 AAAA:5::/64 any

Router1(config-ipv6-acl)#permit ipv6 host AAAA:5::FE:1 any

Router1(config-ipv6-acl)#permit tcp any any eq telnet established

Router1(config-ipv6-acl)#deny tcp any any eq telnet syn

Router1(config-ipv6-acl)#sequence 55 permit udp any any eq snmp

Router1(config-ipv6-acl)#remark this is a comment

Router1(config-ipv6-acl)#sequence 66 remark this comment has a sequence number

Router1(config-ipv6-acl)#permit icmp any any reflect ICMP-REFLECT

Router1(config-ipv6-acl)#deny ipv6 any host AAAA:6::1 log

Router1(config-ipv6-acl)#deny ipv6 any any log-input

Router1(config-ipv6-acl)#exit

Router1(config)#interface FastEthernet0/0

Router1(config-if)#ipv6 traffic-filter EXAMPLES in

Router1(config-if)#exit

Router1(config)#end

Router1#

Discussion: IPv6 filtering can only use named access lists, and therefore inherits all the advantages of named access lists.

2007/3/21 7:39
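The recipes in the post above all rely on two rules that the configurations only show implicitly: entries are evaluated top to bottom and the first match wins, and an access list ends with an implicit deny ip any any. The following is an added example, not code from the Cisco IOS Cookbook or from this post: a small Python model of that evaluation covering only the keywords used above (wildcard masks, host/any, eq/neq/gt/lt/range, established), so that lists 50, 151 and 148 can be exercised on constructed packets offline. The Packet and Entry classes are hypothetical; IOS is not involved.

```python
"""Toy model of IOS access-list evaluation (added example, not IOS code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # 'any' is 0.0.0.0 with an all-ones wildcard


def host(addr: str) -> Tuple[str, str]:
    """'host A' is A with a 0.0.0.0 wildcard."""
    return (addr, "0.0.0.0")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def port_match(port: int, op: Optional[str], args: Tuple[int, ...]) -> bool:
    """Port operators; 'eq' may carry several ports (the 12.3(7)T syntax of 19.14)."""
    if op is None:
        return True
    if op == "eq":
        return port in args
    if op == "neq":
        return port not in args
    if op == "gt":
        return port > args[0]
    if op == "lt":
        return port < args[0]
    if op == "range":
        return args[0] <= port <= args[1]
    raise ValueError(op)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"                 # ip | tcp | udp | icmp
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()    # TCP flag names, e.g. {"syn"} or {"syn", "ack"}


@dataclass
class Entry:
    action: str                       # permit | deny
    proto: str = "ip"
    src: Tuple[str, str] = ANY
    dst: Tuple[str, str] = ANY
    sport: Tuple[Optional[str], Tuple[int, ...]] = (None, ())
    dport: Tuple[Optional[str], Tuple[int, ...]] = (None, ())
    established: bool = False         # TCP only: ACK or RST bit set

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not (wildcard_match(p.src, *self.src) and wildcard_match(p.dst, *self.dst)):
            return False
        if self.proto in ("tcp", "udp"):
            if not (port_match(p.sport, *self.sport) and port_match(p.dport, *self.dport)):
                return False
        if self.established and not (p.flags & {"ack", "rst"}):
            return False
        return True


def evaluate(acl: List[Entry], p: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry wins; falling off the end is the implicit deny (index None)."""
    for i, e in enumerate(acl):
        if e.matches(p):
            return e.action, i
    return "deny", None


# access-list 50 from recipe 19.2: deny one host, permit the rest of its /24, permit any
ACL50 = [
    Entry("deny", src=host("10.2.2.2")),
    Entry("permit", src=("10.2.2.0", "0.0.0.255")),
    Entry("permit"),
]

# access-list 151 from recipe 19.3
ACL151 = [
    Entry("permit", "tcp", dport=("eq", (80,))),
    Entry("deny", "tcp", dport=("gt", (1023,))),
    Entry("permit", "icmp"),
    Entry("permit", "udp", dport=("eq", (123,))),
    Entry("deny", "ip"),
]

# access-list 148 from recipe 19.5: only replies from telnet servers get in
ACL148 = [
    Entry("permit", "tcp", sport=("eq", (23,)), established=True),
    Entry("deny", "ip"),
]

# constructed one-line list (not on the page) to show the implicit deny
ACL_IMPLICIT = [Entry("permit", "udp", dport=("eq", (123,)))]

if __name__ == "__main__":
    for name, acl, pkt in [
        ("50", ACL50, Packet("10.2.2.2", "172.25.25.1")),
        ("151", ACL151, Packet("10.1.1.1", "10.2.2.2", "tcp", 40000, 8080)),
        ("148", ACL148, Packet("10.2.2.2", "10.1.1.1", "tcp", 23, 40000, frozenset({"syn", "ack"}))),
        ("implicit", ACL_IMPLICIT, Packet("10.1.1.1", "10.2.2.2", "tcp", 40000, 23)),
    ]:
        print(f"list {name}: {pkt} -> {evaluate(acl, pkt)}")
```

The established check in list 148 is worth noting: it only tests the ACK/RST bits, so a crafted segment with source port 23 and ACK set passes the first entry even though no session exists; that is the limitation the reflexive access list of 19.11 addresses.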

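Recipe 19.4 shows the same six deny entries in the legacy keyword form and in the 12.3(4)T match-all form, and its discussion states that the legacy form behaves like match-any. The following added example, not from the Cookbook or this post, turns the three matching rules into plain functions so the difference can be checked on concrete flag combinations. The entry lists are the page's list 161 / TCPFLAGFILTER; the helper functions are hypothetical.

```python
"""TCP flag matching: legacy keywords vs match-any vs match-all (added example)."""
from typing import Callable, FrozenSet, List, Optional, Tuple

# bit positions in the TCP flags byte (RFC 793 order, low bit first)
FLAG_BITS = {"fin": 0, "syn": 1, "rst": 2, "psh": 3, "ack": 4, "urg": 5}


def flags_from_byte(b: int) -> FrozenSet[str]:
    """Decode the six classic flags from the TCP header flags byte."""
    return frozenset(name for name, bit in FLAG_BITS.items() if b & (1 << bit))


def legacy_match(flags: FrozenSet[str], keywords: str) -> bool:
    """Pre-12.3(4)T form, e.g. 'rst syn': the entry matches when ANY listed
    flag is set; there is no way to require a flag to be clear."""
    return any(k in flags for k in keywords.split())


def parse_spec(spec: str) -> List[Tuple[str, bool]]:
    """'+rst +syn -ack' -> [('rst', True), ('syn', True), ('ack', False)]"""
    out = []
    for tok in spec.split():
        if tok[0] not in "+-" or tok[1:] not in FLAG_BITS:
            raise ValueError(f"bad flag token {tok!r}")
        out.append((tok[1:], tok[0] == "+"))
    return out


def match_any(flags: FrozenSet[str], spec: str) -> bool:
    """match-any: at least one listed condition (set or clear) holds."""
    return any((f in flags) == want for f, want in parse_spec(spec))


def match_all(flags: FrozenSet[str], spec: str) -> bool:
    """match-all: every listed condition holds; flags not listed are ignored."""
    return all((f in flags) == want for f, want in parse_spec(spec))


def established(flags: FrozenSet[str]) -> bool:
    """'established' (recipes 19.5, 19.6, 19.9) is simply 'ACK or RST set'."""
    return bool(flags & {"ack", "rst"})


# The deny entries of access-list 161 and TCPFLAGFILTER from recipe 19.4
LEGACY_161 = ["ack fin psh rst syn urg", "rst syn", "rst syn fin",
              "rst syn fin ack", "syn fin", "syn fin ack"]
MATCH_ALL_161 = ["+ack +fin +psh +rst +syn +urg", "+rst +syn", "+rst +syn +fin",
                 "+rst +syn +fin +ack", "+syn +fin", "+syn +fin +ack"]


def first_deny(flags: FrozenSet[str], entries: List[str],
               matcher: Callable[[FrozenSet[str], str], bool]) -> Optional[int]:
    """Index of the first deny entry that matches, or None if the packet falls through."""
    for i, spec in enumerate(entries):
        if matcher(flags, spec):
            return i
    return None


if __name__ == "__main__":
    samples = {
        "normal SYN": frozenset({"syn"}),
        "SYN+FIN": frozenset({"syn", "fin"}),
        "all six set": flags_from_byte(0x3F),
    }
    for label, fl in samples.items():
        print(f"{label:12} legacy->{first_deny(fl, LEGACY_161, legacy_match)}"
              f"  match-all->{first_deny(fl, MATCH_ALL_161, match_all)}")
```

Run the block and the first line makes the point: a plain SYN, the first packet of every legitimate handshake, is caught by entry 0 of the legacy list (any of its six flags set), whereas the match-all list lets it through and only denies the abnormal combinations it names.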

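Recipe 19.8 shows the three message shapes that log and log-input produce, and 19.10 notes that the original book analyzes them with a script that is omitted here. The following added example, not from the Cookbook or this post, is a parser for those %SEC-6-IPACCESSLOG* messages with a per-flow summary and a denied-by-source count. The first three sample lines are the ones printed above; the remaining lines are constructed for the demonstration, and the regular expression is written against those shapes only.

```python
"""Parse and summarize IOS %SEC-6-IPACCESSLOG* messages (added example)."""
import re
from collections import Counter
from typing import Iterable, Optional

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>\w+): list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))?"
    # log-input adds '(ingress-interface source-mac)' after the source
    r"(?: \((?P<ifname>\S+) (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\))?"
    r" -> (?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?"
    # ICMP messages carry '(type/code)' after the destination
    r"(?: \((?P<icmp>\d+/\d+)\))?, (?P<count>\d+) packets?"
)

# First three lines are from the page; the rest are constructed sample data.
SAMPLE_LOG = """\
Feb 6 13:01:19: %SEC-6-IPACCESSLOGRP: list 150 permitted ospf 10.1.1.1 -> 224.0.0.5, 9 packets
Feb 6 13:01:19: %SEC-6-IPACCESSLOGDP: list 150 permitted icmp 10.1.1.1 -> 10.1.1.2 (0/0), 4 packets
Feb 6 14:56:34: %SEC-6-IPACCESSLOGP: list 150 permitted tcp 172.25.1.1(0) (FastEthernet0/0.1 0010.4b09.5700) -> 172.25.25.1(0), 1 packet
Feb 6 14:57:10: %SEC-6-IPACCESSLOGP: list 151 denied tcp 10.9.9.9(40211) -> 172.25.25.1(4444), 3 packets
Feb 6 14:57:12: %SEC-6-IPACCESSLOGP: list 151 denied tcp 10.9.9.9(40212) -> 172.25.25.1(4445), 5 packets
Feb 6 14:58:00: %SEC-6-IPACCESSLOGNP: list 151 denied 47 10.8.8.8 -> 172.25.25.1, 2 packets
Feb 6 14:58:01: %SYS-5-CONFIG_I: Configured from console by vty0
"""


def parse_line(line: str) -> Optional[dict]:
    """Return the message fields as a dict, or None for non-ACL log lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("sport", "dport", "count"):
        d[k] = int(d[k]) if d[k] is not None else None
    return d


def summarize(lines: Iterable[str]) -> Counter:
    """Packets per (list, action, protocol, source, destination)."""
    totals: Counter = Counter()
    for ln in lines:
        r = parse_line(ln)
        if r:
            totals[(r["acl"], r["action"], r["proto"], r["src"], r["dst"])] += r["count"]
    return totals


def denied_by_source(lines: Iterable[str]) -> Counter:
    """Denied packets per source address, the usual first question after a scan."""
    c: Counter = Counter()
    for ln in lines:
        r = parse_line(ln)
        if r and r["action"] == "denied":
            c[r["src"]] += r["count"]
    return c


if __name__ == "__main__":
    for flow, n in summarize(SAMPLE_LOG.splitlines()).most_common():
        print(n, *flow)
    print("denied by source:", denied_by_source(SAMPLE_LOG.splitlines()))
```

The packet counts are what the router reports per logging interval, not per packet, so the sums are only as precise as the router's log rate limiting allows; the discussion of 19.8 applies.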
Reply: Cisco IOS Cookbook, Chinese condensed edition
Site administrator
Cisco IOS Cookbook, Chinese condensed edition: Chapter 20, DHCP


20.1. Using the ip helper-address command

Problem: configure the router to forward DHCP requests

Solution

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#interface Ethernet0

Router1(config-if)#ip helper-address 172.25.1.1

Router1(config-if)#ip helper-address 172.25.10.7

Router1(config-if)#exit

Router1(config)#end

Router1#

Discussion: the ip helper-address command turns the router into a DHCP relay, forwarding the clients' DHCP requests to the configured helper addresses.

20.2. Limiting the impact of the ip helper-address command

Problem: after configuring ip helper-address, link utilization or DHCP server load has increased

Solution

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#no ip forward-protocol udp tftp

Router1(config)#no ip forward-protocol udp nameserver

Router1(config)#no ip forward-protocol udp domain

Router1(config)#no ip forward-protocol udp time

Router1(config)#no ip forward-protocol udp netbios-ns

Router1(config)#no ip forward-protocol udp netbios-dgm

Router1(config)#no ip forward-protocol udp tacacs

Router1(config)#end

Router1#

Discussion: by default the IP helper function forwards many kinds of UDP broadcast, not only DHCP, and it cannot forward different broadcasts to different servers.

20.3. Configuring a router IP address dynamically with DHCP

Problem: configure the router to obtain an IP address dynamically

Solution

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#interface FastEthernet0/1

Router1(config-if)#ip address dhcp

Router1(config-if)#end

Router1#

Interface FastEthernet0/1 assigned DHCP address 172.25.1.57, mask 255.255.255.0

Router1#

Discussion: before 12.2(8)T this command applied only to Ethernet interfaces. From 12.3(8)T on, the DHCP options requested can be controlled; the example below configures the client not to request DNS servers:

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#interface FastEthernet0/1

Router1(config-if)#no ip dhcp client request dns-nameserver

Router1(config-if)#end

In addition, the default route obtained via DHCP has an administrative distance of 254:

S* 0.0.0.0/0 [254/0] via 172.25.1.1

From 12.3(4)T on, the address obtained can be released and renewed:

Router1#release dhcp FastEthernet0/1

Router1#renew dhcp FastEthernet0/1

20.4. Assigning client IP addresses dynamically with DHCP

Problem: configure the router as a DHCP server

Solution

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#service dhcp

Router1(config)#ip dhcp pool 172.25.1.0/24

Router1(dhcp-config)#network 172.25.1.0 255.255.255.0

Router1(dhcp-config)#default-router 172.25.1.1

Router1(dhcp-config)#exit

Router1(config)#ip dhcp excluded-address 172.25.1.1 172.25.1.50

Router1(config)#ip dhcp excluded-address 172.25.1.200 172.25.1.255

Router1(config)#end

Router1#

Discussion: note that the excluded-address command must be configured to exclude certain addresses, to prevent address conflicts.

20.5. Configuring DHCP options

Problem: hand out additional DHCP configuration options to clients

Solution

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#ip dhcp pool ORAserver

Router1(dhcp-config)#host 172.25.1.34 255.255.255.0

Router1(dhcp-config)#client-name bigserver

Router1(dhcp-config)#default-router 172.25.1.1 172.25.1.3

Router1(dhcp-config)#domain-name oreilly.com

Router1(dhcp-config)#dns-server 172.25.1.1 10.1.2.3

Router1(dhcp-config)#netbios-name-server 172.25.1.1

Router1(dhcp-config)#netbios-node-type h-node

Router1(dhcp-config)#option 66 ip 10.1.1.1

Router1(dhcp-config)#option 33 ip 192.0.2.1 172.25.1.3

Router1(dhcp-config)#option 31 hex 01

Router1(dhcp-config)#lease 2

Router1(dhcp-config)#exit

Router1(config)#end

Router1#

Discussion: option 66 defines the TFTP server; option 33 defines static routes; option 31 tells the client to use IRDP.

20.6. Configuring DHCP lease times

Problem: change the default DHCP lease time

Solution

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#ip dhcp pool 172.25.2.0/24

Router1(dhcp-config)#lease 2 12 30

Router1(dhcp-config)#exit

Router1(config)#end

Router1#

Discussion: the default lease is one day; the arguments are days, hours and minutes.

20.7. Assigning static IP addresses

Problem: always assign the same IP address to a particular device

Solution

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#ip dhcp pool IAN

Router1(dhcp-config)#host 172.25.1.33 255.255.255.0

Router1(dhcp-config)#client-identifier 0100.0103.85e9.87

Router1(dhcp-config)#client-name win2k

Router1(dhcp-config)#default-router 172.25.1.1

Router1(dhcp-config)#domain-name oreilly.com

Router1(dhcp-config)#dns-server 172.25.1.1

Router1(dhcp-config)#exit

Router1(config)#end

Router1#

Discussion: here an IP address is bound to a MAC address. The value after client-identifier is the MAC address, but with 0100 prepended, which makes it longer than a plain MAC address; the 01 denotes Ethernet. For the values of other media types see the Number Hardware Type section of RFC 3232.

Router1#show ip dhcp binding

IP address Hardware address Lease expiration Type

172.25.1.33 0100.0103.85e9.87 Infinite Manual

172.25.1.52 0100.50da.2a5e.a2 Apr 11 2006 09:00 PM Automatic

172.25.1.53 0100.0103.ea1b.ed Apr 11 2006 08:58 PM Automatic



20.8. Configuring a DHCP database agent

Problem: back up the current DHCP database on another device

Solution

FTP:

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#ip dhcp database ftp://dhcp:bindsave@172.25.1.1/dhcp-leases

Router1(config)#end

Router1#

TFTP:

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#ip dhcp database tftp://172.25.1.1/dhcp-leases

Router1(config)#end

Router1#

RCP:

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#ip dhcp database rcp://dhcp@172.25.1.1/dhcp-leases

Router1(config)#end

Router1#

Discussion: the DHCP database is normally kept in memory and is lost on reboot; backing it up with one of the methods above prevents that loss. Verify with the following command:

Router1#show ip dhcp database

URL : ftp://dhcp:bindsave@172.25.1.1/dhcp-leases

Read : Never

Written : Apr 09 2006 10:24 PM

Status : Last write succeeded. Agent information is up-to-date.

Delay : 300 seconds

Timeout : 300 seconds

Failures : 1

Successes: 30

20.9. Configuring multiple DHCP servers on one subnet

Problem: configure several DHCP servers on the same subnet for availability

Solution

Router1:

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#ip dhcp pool 172.22.1.0/24

Router1(dhcp-config)#network 172.22.1.0 255.255.255.0

Router1(dhcp-config)#default-router 172.22.1.1

Router1(dhcp-config)#domain-name oreilly.com

Router1(dhcp-config)#dns-server 172.25.1.1 10.1.2.3

Router1(dhcp-config)#exit

Router1(config)#ip dhcp excluded-address 172.22.1.1 172.22.1.49

Router1(config)#ip dhcp excluded-address 172.22.1.150 172.22.1.254

Router1(config)#ip dhcp database ftp://dhcp:bindsave@172.25.1.1/dhcp-leases-rtr1

Router1(config)#end

Router1#

Router2:

Router2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router2(config)#ip dhcp pool 172.22.1.0/24

Router2(dhcp-config)#network 172.22.1.0 255.255.255.0

Router2(dhcp-config)#default-router 172.22.1.1

Router2(dhcp-config)#domain-name oreilly.com

Router2(dhcp-config)#dns-server 172.25.1.1 10.1.2.3

Router2(dhcp-config)#exit

Router2(config)#ip dhcp excluded-address 172.22.1.1 172.22.1.149

Router2(config)#ip dhcp database ftp://dhcp:bindsave@172.25.1.1/dhcp-leases-rtr2

Router2(config)#end

Router2#

Discussion: make sure the configured address pools do not overlap: Router1 hands out 172.22.1.50 through 172.22.1.149, and Router2 hands out 172.22.1.150 through 172.22.1.254.

20.10. DHCP static mappings

Problem: assign IP addresses statically from a text file

Solution

First create the text file on the TFTP server:

Freebsd% cat /tftpboot/dhcp.static

*time* Aug 17 2006 03:52 PM

*version* 2

!IP address Type Hardware address Lease expiration

10.1.1.16 /24 id 0100.104b.33da.74 Infinite

10.1.1.17 /24 id 0100.0dbc.eff6.38 Infinite

10.1.1.18 /24 id 0100.0a5e.4001.27 Infinite

10.1.1.19 /24 id 0100.0331.327e.41 Infinite

10.1.1.20 /24 id 0100.0d60.b21a.4c Infinite

*end*

Freebsd%

Router configuration:

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#ip dhcp pool OREILLY

Router1(dhcp-config)#origin file tftp://172.25.1.1/dhcp.static

Router1(dhcp-config)#default-router 10.1.1.1

Router1(dhcp-config)#dns-server 172.25.1.1 172.25.1.3

Router1(dhcp-config)#domain-name oreilly.com

Router1(dhcp-config)#lease 3

Router1(dhcp-config)#end

Router1#



Discussion: the static assignment of 20.7 needs a dedicated DHCP pool for each host, which does not scale. From 12.3(11)T on, a text file can be used for the assignments, but it must follow the exact format shown. For changes to the file to take effect, stop the DHCP service with no service dhcp and re-enable it with service dhcp.

20.11. Secured DHCP IP address assignment

Problem: synchronize ARP and DHCP bindings to prevent IP address spoofing

Solution

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#ip dhcp pool OREILLY

Router1(dhcp-config)#update arp

Router1(dhcp-config)#end

Router1#

Discussion: from 12.2(15)T Cisco introduced DHCP secured IP address assignment. With this feature enabled, a secure ARP entry is added for each DHCP binding, which prevents the entry from being modified; even the clear arp-cache command will not remove it.

20.12. Displaying DHCP status

Problem: display the status of the DHCP server

Solution

Show the bindings and their lease times:

Router1#show ip dhcp binding

Show address conflicts:

Router1#show ip dhcp conflict

Show the database status:

Router1#show ip dhcp database

Show global DHCP statistics:

Router1#show ip dhcp server statistics

Discussion

Router1#show ip dhcp server statistics

Memory usage 17996

Address pools 4

Database agents 1

Automatic bindings 2

Manual bindings 1

Expired bindings 3

Malformed messages 0



Message Received

BOOTREQUEST 0

DHCPDISCOVER 63

DHCPREQUEST 203

DHCPDECLINE 1

DHCPRELEASE 27

DHCPINFORM 19



Message Sent

BOOTREPLY 0

DHCPOFFER 63

DHCPACK 139

DHCPNAK 2

Router1#

20.13. Troubleshooting DHCP

Problem: troubleshoot DHCP problems

Solution

Router1#debug ip dhcp server events

Router1#debug ip dhcp server packet

Discussion: none

2007/3/21 7:41
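Two binding formats appear in the post above: the client-identifier of 20.7, which is the client's MAC address with the hardware-type byte 01 prepended and regrouped into IOS dotted-hex, and the origin file of 20.10, which must carry the *time*, *version* and *end* lines exactly. The following added example, not from the Cookbook or this post, converts between MAC addresses and client-identifiers and renders and parses the static-mapping file, so that a mapping file can be generated from an inventory and checked before it is put on the TFTP server. The MAC values are those shown on the page; the Binding class and the two file helpers are hypothetical, not IOS code.

```python
"""DHCP client-identifier and static-mapping file helpers (added example)."""
import re
from typing import List, NamedTuple

ETHERNET = 0x01    # ARP hardware type for 10Mb Ethernet: the '01' in '0100.xxxx.xxxx.xx'


def client_identifier(mac: str, hw_type: int = ETHERNET) -> str:
    """'00:01:03:85:e9:87' -> '0100.0103.85e9.87' (IOS dotted-hex, 16-bit groups)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    raw = f"{hw_type:02x}" + digits                     # 7 bytes = 14 hex digits
    return ".".join(raw[i:i + 4] for i in range(0, len(raw), 4))


def mac_from_identifier(cid: str) -> str:
    """Inverse: '0100.104b.33da.74' -> '00:10:4b:33:da:74', checking the type byte."""
    raw = cid.replace(".", "").lower()
    if len(raw) != 14 or not re.fullmatch(r"[0-9a-f]+", raw):
        raise ValueError(f"bad client-identifier: {cid!r}")
    if int(raw[:2], 16) != ETHERNET:
        raise ValueError(f"hardware type {raw[:2]} is not Ethernet")
    body = raw[2:]
    return ":".join(body[i:i + 2] for i in range(0, 12, 2))


class Binding(NamedTuple):
    ip: str
    prefix: int
    cid: str
    lease: str = "Infinite"


def render_static_file(bindings: List[Binding], stamp: str) -> str:
    """Write the 'origin file' format of recipe 20.10; header and *end* are mandatory."""
    lines = [f"*time* {stamp}", "*version* 2",
             "!IP address    Type    Hardware address    Lease expiration"]
    lines += [f"{b.ip} /{b.prefix} id {b.cid} {b.lease}" for b in bindings]
    lines.append("*end*")
    return "\n".join(lines) + "\n"


ENTRY_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+/(\d+)\s+id\s+([0-9a-f.]+)\s+(\S.*)$")


def parse_static_file(text: str) -> List[Binding]:
    """Read the same format back; *time*/*version* and '!' comment lines are skipped,
    every identifier is validated, and data after *end* is rejected."""
    out: List[Binding] = []
    seen_end = False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("*", "!")):
            seen_end = seen_end or line == "*end*"
            continue
        if seen_end:
            raise ValueError("data after *end*")
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unparsable line: {line!r}")
        ip, prefix, cid, lease = m.groups()
        mac_from_identifier(cid)             # raises on a bad type byte or length
        out.append(Binding(ip, int(prefix), cid, lease.strip()))
    return out


# The file shown in recipe 20.10
PAGE_FILE = """\
*time* Aug 17 2006 03:52 PM
*version* 2
!IP address Type Hardware address Lease expiration
10.1.1.16 /24 id 0100.104b.33da.74 Infinite
10.1.1.17 /24 id 0100.0dbc.eff6.38 Infinite
10.1.1.18 /24 id 0100.0a5e.4001.27 Infinite
10.1.1.19 /24 id 0100.0331.327e.41 Infinite
10.1.1.20 /24 id 0100.0d60.b21a.4c Infinite
*end*
"""

if __name__ == "__main__":
    for b in parse_static_file(PAGE_FILE):
        print(b.ip, mac_from_identifier(b.cid))
    print(render_static_file([Binding("10.1.1.21", 24, client_identifier("00:0d:60:b2:1a:4d"))],
                             "Aug 17 2006 03:52 PM"))
```

Because the router only re-reads the file after no service dhcp / service dhcp, validating it offline first avoids taking the DHCP service down for a typo.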


Reply: Cisco IOS Cookbook, Chinese condensed edition
Site administrator
Cisco IOS Cookbook, Chinese condensed edition: Chapter 21, NAT

21.1. Configuring basic NAT

Problem: enable basic NAT on the router

回答

Router#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#access-list 15 permit 192.168.0.0 0.0.255.255

Router(config)#ip nat inside source list 15 interface FastEthernet0/0 overload

Router(config)#interface FastEthernet0/2

Router(config-if)#ip address 192.168.1.1 255.255.255.0

Router(config-if)#ip nat inside

Router(config-if)#exit

Router(config)#interface FastEthernet0/1

Router(config-if)#ip address 192.168.2.1 255.255.255.0

Router(config-if)#ip nat inside

Router(config-if)#exit

Router(config)#interface Ethernet0/0

Router(config-if)#ip address 172.16.1.5 255.255.255.252

Router(config-if)#ip nat outside

Router(config-if)#exit

Router(config)#end

Router#

Discussion: the configuration in the example rewrites addresses in 192.168.0.0/16 to 172.16.1.5 when they access the outside network; this is basic address translation.

21.2. Allocating outside addresses dynamically

Problem: allocate addresses dynamically from a particular address pool

Solution

Router#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#access-list 15 permit 192.168.0.0 0.0.255.255

Router(config)#ip nat pool NATPOOL 172.16.1.100 172.16.1.150 netmask 255.255.255.0

Router(config)#ip nat inside source list 15 pool NATPOOL

Router(config)#interface FastEthernet 0/0

Router(config-if)#ip address 192.168.1.1 255.255.255.0

Router(config-if)#ip nat inside

Router(config-if)#exit

Router(config)#interface FastEthernet 0/1

Router(config-if)#ip address 192.168.2.1 255.255.255.0

Router(config-if)#ip nat inside

Router(config-if)#exit

Router(config)#interface Ethernet1/0

Router(config-if)#ip address 172.16.1.2 255.255.255.0

Router(config-if)#ip nat outside

Router(config-if)#exit

Router(config)#end

Router#

Discussion: ip nat inside source list 15 pool NATPOOL defines the pool of addresses that traffic is translated to. If the pool runs out of addresses, new translations fail; with the overload keyword added, addresses are reused starting from the first address of the pool. The pool does not have to be in the same subnet as the outside interface, as long as the corresponding route exists.

21.3. Assigning outside addresses statically

Problem: translate particular inside addresses to particular outside addresses

Solution

Router#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#ip nat inside source static 192.168.1.15 172.16.1.10

Router(config)#ip nat inside source static 192.168.1.16 172.16.1.11

Router(config)#interface FastEthernet 0/0

Router(config-if)#ip address 192.168.1.1 255.255.255.0

Router(config-if)#ip nat inside

Router(config-if)#exit

Router(config)#interface FastEthernet 0/1

Router(config-if)#ip address 192.168.2.1 255.255.255.0

Router(config-if)#ip nat inside

Router(config-if)#exit

Router(config)#interface Ethernet1/0

Router(config-if)#ip address 172.16.1.2 255.255.255.0

Router(config-if)#ip nat outside

Router(config-if)#exit

Router(config)#end

Router#

Discussion: static address translation.

21.4. Combining static and dynamic translation

Problem: combine static and dynamic address translation

Solution

Router#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#access-list 15 deny 192.168.1.15 0.0.0.0

Router(config)#access-list 15 deny 192.168.1.16 0.0.0.0

Router(config)#access-list 15 permit 192.168.0.0 0.0.255.255

Router(config)#ip nat inside source static 192.168.1.15 172.16.1.10

Router(config)#ip nat inside source static 192.168.1.16 172.16.1.11

Router(config)#ip nat pool NATPOOL 172.16.1.100 172.16.1.150 netmask 255.255.255.0

Router(config)#ip nat inside source list 15 pool NATPOOL overload

Router(config)#interface FastEthernet0/0

Router(config-if)#ip address 192.168.1.1 255.255.255.0

Router(config-if)#ip nat inside

Router(config-if)#exit

Router(config)#interface FastEthernet0/1

Router(config-if)#ip address 192.168.2.1 255.255.255.0

Router(config-if)#ip nat inside

Router(config-if)#exit

Router(config)#interface Ethernet0/0

Router(config-if)#ip address 172.16.1.2 255.255.255.0

Router(config-if)#ip nat outside

Router(config-if)#exit

Router(config)#end

Router#

Discussion: the access list here excludes the inside addresses that are translated statically. This step is not strictly necessary, because static translations take precedence over dynamic ones, but the outside addresses used by the static translations must be excluded from the dynamic pool.

21.5. Controlling translation rules with route maps

Problem: use route maps for finer control of address translation

Solution

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#interface FastEthernet0/0

Router(config-if)#ip address 172.16.1.5 255.255.255.252

Router(config-if)#ip nat outside

Router(config-if)#exit

Router(config)#interface FastEthernet0/1

Router(config-if)#ip address 172.16.2.5 255.255.255.252

Router(config-if)#ip nat outside

Router(config-if)#exit

Router(config)#interface FastEthernet0/2

Router(config-if)#ip address 192.168.1.1 255.255.255.0

Router(config-if)#ip nat inside

Router(config-if)#exit

Router(config)#ip nat inside source route-map ISP-1 interface FastEthernet0/0 overload

Router(config)#ip nat inside source route-map ISP-2 interface FastEthernet0/1 overload

Router(config)#route-map ISP-1 permit 10

Router(config-route-map)#match interface FastEthernet0/0

Router(config-route-map)#exit

Router(config)#route-map ISP-2 permit 10

Router(config-route-map)#match interface FastEthernet0/1

Router(config-route-map)#exit

Router(config)#end

Router#

Discussion: this applies when there are several outside interfaces.

21.6. Translating in both directions at once

Problem: translate inside and outside addresses at the same time

Solution

Router#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#access-list 15 deny 192.168.1.15

Router(config)#access-list 15 permit 192.168.0.0 0.0.255.255

Router(config)#access-list 16 deny 172.16.5.25

Router(config)#access-list 16 permit 172.16.0.0 0.0.255.255

Router(config)#ip nat pool NATPOOL 172.16.1.100 172.16.1.150 netmask 255.255.255.0

Router(config)#ip nat pool INBOUNDNAT 192.168.15.100 192.168.15.200 netmask 255.255.255.0

Router(config)#ip nat inside source list 15 pool NATPOOL overload

Router(config)#ip nat inside source list 16 pool INBOUNDNAT overload

Router(config)#ip nat inside source static 192.168.1.15 172.16.1.10

Router(config)#ip nat outside source static 172.16.5.25 192.168.15.5

Router(config)#ip route 192.168.15.0 255.255.255.0 Ethernet0/0

Router(config)#interface FastEthernet 0/0

Router(config-if)#ip address 192.168.1.1 255.255.255.0

Router(config-if)#ip nat inside

Router(config-if)#exit

Router(config)#interface FastEthernet 0/1

Router(config-if)#ip address 192.168.2.1 255.255.255.0

Router(config-if)#ip nat inside

Router(config-if)#interface Ethernet0/0

Router(config-if)#ip address 172.16.1.2 255.255.255.0

Router(config-if)#ip nat outside

Router(config-if)#exit

Router(config)#end

Router#

Discussion: none yet

21.7. Rewriting a network prefix

Problem: simply change the prefix of a network

Solution

Router#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#ip nat outside source static network 172.16.0.0 172.17.0.0 /16 no-alias

Router(config)#ip route 172.16.0.0 255.255.0.0 Ethernet1/0

Router(config)#ip route 172.17.0.0 255.255.0.0 Ethernet1/0

Router(config)#interface FastEthernet 0/0

Router(config-if)#ip address 10.1.1.1 255.255.255.0

Router(config-if)#ip nat inside

Router(config-if)#exit

Router(config)#interface Ethernet1/0

Router(config-if)#ip address 172.16.1.6 255.255.255.252

Router(config-if)#ip nat outside

Router(config-if)#exit

Router(config)#end

Router#

Discussion: this applies when two networks need to reach each other but their address ranges overlap.

21.8. Load sharing across servers with NAT

Problem: have several servers share one IP address so that the application load is distributed

Solution

Router#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#interface FastEthernet0/0

Router(config-if)#ip address 192.168.1.1 255.255.255.0

Router(config-if)#ip nat inside

Router(config-if)#exit

Router(config)#interface FastEthernet0/1

Router(config-if)#ip address 192.168.2.1 255.255.255.0

Router(config-if)#ip nat outside

Router(config-if)#exit

Router(config)#ip nat pool WEBSERVERS 192.168.1.101 192.168.1.105 netmask 255.255.255.0 type rotary

Router(config)#access-list 20 permit host 192.168.1.100

Router(config)#ip nat inside destination list 20 pool WEBSERVERS

Router(config)#end

Router#

Discussion: the differences here are the rotary keyword and the use of destination instead of source in the translation rule. This is, of course, the poor man's load-balancing solution.

21.9. Stateful NAT failover

Problem: deploy NAT in a high-availability network, so that if one device fails the other takes over the NAT function

Solution

RouterA

Router-A#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router-A(config)#access-list 11 permit any

Router-A(config)#ip nat pool NATPOOL 172.17.100.100 172.17.100.150 netmask 255.255.255.0

Router-A(config)#ip nat inside source list 11 pool NATPOOL mapping-id 1

Router-A(config)#interface FastEthernet0/0

Router-A(config-if)#ip address 192.168.1.3 255.255.255.0

Router-A(config-if)#ip nat inside

Router-A(config-if)#standby 1 ip 192.168.1.1

Router-A(config-if)#standby 1 preempt

Router-A(config-if)#standby 1 name SNATGROUP

Router-A(config-if)#exit

Router-A(config)#interface Serial0/0

Router-A(config-if)#ip address 172.17.55.2 255.255.255.252

Router-A(config-if)#ip nat outside

Router-A(config-if)#exit

Router-A(config)#ip nat Stateful id 1

Router-A(config-ipnat-snat)#redundancy SNATGROUP

Router(config-ipnat-snat-red)#mapping-id 1

Router(config-ipnat-snat-red)#exit

Router-A(config)#end

Router-A#

RouterB

Router-B#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router-B(config)#access-list 11 permit any

Router-B(config)#ip nat pool NATPOOL 172.17.100.100 172.17.100.150 netmask 255.255.255.0

Router-B(config)#ip nat inside source list 11 pool NATPOOL mapping-id 1

Router-B(config)#interface FastEthernet0/0

Router-B(config-if)#ip address 192.168.1.2 255.255.255.0

Router-B(config-if)#ip nat inside

Router-B(config-if)#standby 1 ip 192.168.1.1

Router-B(config-if)#standby 1 priority 90

Router-B(config-if)#standby 1 preempt

Router-B(config-if)#standby 1 name SNATGROUP

Router-B(config-if)#exit

Router-B(config)#interface Serial0/0

Router-B(config-if)#ip address 172.17.55.6 255.255.255.252

Router-B(config-if)#ip nat outside

Router-B(config-if)#exit

Router-B(config)#ip nat Stateful id 1

Router-B(config-ipnat-snat)#redundancy SNATGROUP

Router(config-ipnat-snat-red)#mapping-id 1

Router(config-ipnat-snat-red)#exit

Router-B(config)#end

Router-B#

Discussion: HSRP alone solves the availability problem but does not synchronize the NAT translation table. From 12.2(13)T Cisco introduced Stateful NAT (SNAT), which keeps the translation tables of the two devices in sync. The key command is ip nat Stateful; note that Stateful is written with a capital S here and that it is case sensitive. SNAT only works together with HSRP, not with VRRP or GLBP. Several HSRP groups can also be used to balance the load.

21.10. Adjusting NAT timeouts

Problem: adjust the timeouts of entries in the NAT translation table

Solution

Router#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#ip nat translation tcp-timeout 500

Router(config)#ip nat translation udp-timeout 30

Router(config)#ip nat translation dns-timeout 30

Router(config)#ip nat translation icmp-timeout 30

Router(config)#ip nat translation finrst-timeout 30

Router(config)#ip nat translation syn-timeout 30

Router(config)#end

Router#

The maximum number of entries in the translation table can also be limited

Router#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#ip nat translation max-entries 1000

Router(config)#end

Router#

Note: The defaults are 24 hours for TCP, 5 minutes for UDP, and 1 minute for DNS

21.11. Changing the FTP TCP port

Problem: The FTP server uses a non-standard port

Solution

Router#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#access-list 19 permit 192.168.55.5

Router(config)#ip nat service list 19 ftp tcp port 8021

Router(config)#ip nat service list 19 ftp tcp port 21

Router(config)#end

Router#

Note: From 12.2(4)T on, Cisco provides the no-payload keyword to prevent NAT from rewriting address information carried inside the packet payload

Router#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#interface FastEthernet0/0

Router(config-if)#ip address 172.16.1.5 255.255.255.252

Router(config-if)#ip nat outside

Router(config-if)#exit

Router(config)#interface FastEthernet0/1

Router(config-if)#ip address 192.168.1.1 255.255.255.0

Router(config-if)#ip nat inside

Router(config-if)#exit

Router(config)#ip nat inside source static 192.168.1.10 172.16.1.5 no-payload

Router(config)#end

Router#

21.12. Checking NAT status

Problem: View current NAT information

Solution

Router#show ip nat translation

Router#clear ip nat translation *

Router#clear ip nat translation inside 172.18.3.2

Router#clear ip nat translation outside 192.168.1.10

Router#show ip nat statistics

Router#clear ip nat statistics

Note: Router#show ip nat translation

Pro Inside global Inside local Outside local Outside global

"Inside global" is the translated address of the inside device, "Inside local" is the inside device's real address, "Outside local" is the translated address of the outside device, and "Outside global" is the outside device's real address; global addresses are the ones used on the outside, local addresses the ones used on the inside.
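To make the four columns concrete, here is an added example (not code from the Cisco IOS Cookbook or from this post) that parses `show ip nat translation` output into records and flags inside hosts that should not be behind the NAT at all. The sample output is constructed to match the column layout described above, including a protocol-less static entry shown as `---`; the inside prefix passed to `unexpected_inside_hosts` is an assumption for the demo.

```python
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the layout of `show ip nat translation`; not captured
# from a real router. "---" marks a field that a static entry does not have.
SAMPLE_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
--- 172.16.1.5         192.168.1.10       ---                ---
tcp 172.16.1.5:1024    192.168.1.10:1024  172.18.3.2:80      172.18.3.2:80
udp 172.17.100.101:53  192.168.1.20:4321  10.8.8.8:53        10.8.8.8:53
icmp 172.17.100.102:512 192.168.1.21:512  172.18.3.2:512     172.18.3.2:512
"""


@dataclass(frozen=True)
class NatEntry:
    proto: Optional[str]           # None for a protocol-less static mapping
    inside_global: str             # inside host as seen from the outside
    inside_local: str              # inside host's real address
    outside_local: Optional[str]   # outside host as seen from the inside
    outside_global: Optional[str]  # outside host's real address


def _field(token: str) -> Optional[str]:
    """Map the "---" placeholder to None, keep everything else as-is."""
    return None if token == "---" else token


def host_of(endpoint: Optional[str]) -> Optional[str]:
    """Drop the :port suffix of an address:port endpoint (static entries
    carry a bare address, which is returned unchanged)."""
    return None if endpoint is None else endpoint.rsplit(":", 1)[0]


def parse_nat_translations(text: str) -> list[NatEntry]:
    """Turn the five-column table into NatEntry records, skipping the header."""
    entries: list[NatEntry] = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) != 5 or tokens[0] == "Pro":
            continue  # header line, blank line, or not a table row
        entries.append(NatEntry(_field(tokens[0]), tokens[1], tokens[2],
                                _field(tokens[3]), _field(tokens[4])))
    return entries


def translations_per_inside_host(entries: list[NatEntry]) -> dict[str, int]:
    """How many table entries each inside (real) host currently holds."""
    return dict(Counter(host_of(e.inside_local) for e in entries))


def unexpected_inside_hosts(entries: list[NatEntry], inside_prefix: str) -> set[str]:
    """Inside-local hosts that fall outside the prefix expected behind this NAT;
    any hit is worth a closer look (or a targeted clear ip nat translation)."""
    net = ipaddress.ip_network(inside_prefix)
    return {h for h in (host_of(e.inside_local) for e in entries)
            if ipaddress.ip_address(h) not in net}


if __name__ == "__main__":
    rows = parse_nat_translations(SAMPLE_OUTPUT)
    print(translations_per_inside_host(rows))
    # Assumed inside prefix for the demo; 192.168.1.0/28 deliberately excludes
    # .20 and .21 so that the check has something to report.
    print(unexpected_inside_hosts(rows, "192.168.1.0/28"))
```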

21.13. NAT troubleshooting

Problem: Troubleshoot NAT

Solution

Router#debug ip nat

Router#debug ip nat detailed

Router#debug ip nat 15

Router#debug ip nat 15 detailed



Note: none

2007/3/21 7:43
Cisco IOS Cookbook, condensed Chinese edition, Chapter 22: First-Hop Redundancy Protocols


22.1. Configuring basic HSRP

Problem: When the active router goes down, the standby router takes over its IP address and MAC address

Solution

Router1:

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#interface FastEthernet 0/1

Router1(config-if)#ip address 172.22.1.3 255.255.255.0

Router1(config-if)#standby 1 ip 172.22.1.1

Router1(config-if)#standby 1 priority 120

Router1(config-if)#exit

Router1(config)#end

Router1#

Router2:

Router2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router2(config)#interface FastEthernet 1/0

Router2(config-if)#ip address 172.22.1.2 255.255.255.0

Router2(config-if)#standby 1 ip 172.22.1.1

Router2(config-if)#standby 1 priority 110

Router2(config-if)#exit

Router2(config)#end

Router2#

Note: Because the virtual MAC address HSRP generates is tied to the group number, the same switch may receive the same MAC address from more than one place; in that case use the command standby 1 mac-address 0000.0c07.ad01 to assign a MAC address manually

22.2. Using HSRP preemption

Problem: Force a particular router to remain the active router in the group once it has booted

Solution

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#interface FastEthernet 0/1

Router1(config-if)#standby 1 ip 172.22.1.1

Router1(config-if)#standby 1 priority 120

Router1(config-if)#standby 1 preempt

Router1(config-if)#exit

Router1(config)#end

Router1#

Router2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router2(config)#interface FastEthernet 1/0

Router2(config-if)#standby 1 ip 172.22.1.1

Router2(config-if)#standby 1 priority 110

Router2(config-if)#standby 1 preempt

Router2(config-if)#exit

Router2(config)#end

Router2#

Note: Normally preemption happens as soon as the LAN interface comes up, when the network may not yet have converged, so it is advisable to configure a preempt delay so that the router waits a while after booting before preempting: standby 1 preempt delay 60

22.3. Configuring HSRP interface tracking

Problem: Fail over to the standby router when the active router's uplink interface goes down

Solution

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#interface FastEthernet0/1

Router1(config-if)#standby 1 ip 172.22.1.1

Router1(config-if)#standby 1 priority 120

Router1(config-if)#standby 1 preempt

Router1(config-if)#standby 1 track Serial0/0 20

Router1(config-if)#exit

Router1(config)#end

Router1#

From 12.2(15)T on, more kinds of tracked objects are available

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#track 11 interface Serial1/1 ip routing

Router1(config-track)#exit

Router1(config)#interface FastEthernet0/0

Router1(config-if)#standby 1 ip 172.22.1.1

Router1(config-if)#standby 1 priority 120

Router1(config-if)#standby 1 preempt

Router1(config-if)#standby 1 track 11 decrement 50

Router1(config-if)#end

Router1#

Note: Router1#show track

Track 11

Interface Serial1/1 ip routing

IP routing is Down (hw admin-down, ip disabled)

1 change, last change 00:12:48

Tracked by:

HSRP FastEthernet0/0 1

22.4. HSRP load balancing

Problem: Load-balance traffic across two or more HSRP routers

Solution

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#interface FastEthernet0/1

Router1(config-if)#ip address 172.22.1.3 255.255.255.0

Router1(config-if)#standby 1 ip 172.22.1.1

Router1(config-if)#standby 1 priority 120

Router1(config-if)#standby 1 preempt

Router1(config-if)#standby 2 ip 172.22.1.2

Router1(config-if)#standby 2 priority 110

Router1(config-if)#standby 2 preempt

Router1(config-if)#exit

Router1(config)#end

Router1#

Router2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router2(config)#interface FastEthernet1/0

Router2(config-if)#ip address 172.22.1.4 255.255.255.0

Router2(config-if)#standby 1 ip 172.22.1.1

Router2(config-if)#standby 1 priority 110

Router2(config-if)#standby 1 preempt

Router2(config-if)#standby 2 ip 172.22.1.2

Router2(config-if)#standby 2 priority 120

Router2(config-if)#standby 2 preempt

Router2(config-if)#exit

Router2(config)#end

Router2#

Note: Because there are now two gateways, the end devices must be configured with their respective default gateways separately.

22.5. ICMP redirects with HSRP

Problem: Enable ICMP redirects in HSRP

Solution

Router2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router2(config)#interface FastEthernet 1/0

Router2(config-if)#no ip redirects

Router2(config-if)#standby redirects disable

Router2(config-if)#exit

Router2(config)#end

Router2#

Note:

22.6. Adjusting HSRP timers

Problem: Adjust how long it takes the standby router to take over from the active router

Solution

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#interface FastEthernet0/1

Router1(config-if)#standby 1 ip 172.22.1.1

Router1(config-if)#standby 1 priority 120

Router1(config-if)#standby 1 preempt

Router1(config-if)#standby 1 timers 1 3

Router1(config-if)#exit

Router1(config)#end

Router1#

Note: The default hello interval is 3 seconds and takeover happens after 10 seconds; if the timers are changed on the active router, every router in the group must be set to the same values. The timers can go down to milliseconds: Router1(config-if)#standby 1 timers msec 100 msec 300

22.7. Using HSRP on Token Ring networks

Problem: Configure HSRP on a Token Ring network

Solution

If only IP is in use, configure it as in the previous examples; if other protocols are present, and especially if source-route bridging is used, use the configuration below

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#interface Tokenring0

Router1(config-if)#ip address 172.22.1.3 255.255.255.0

Router1(config-if)#standby ip 172.22.1.1

Router1(config-if)#standby use-bia

Router1(config-if)#standby priority 120

Router1(config-if)#standby preempt

Router1(config-if)#exit

Router1(config)#end

Router1#

Router2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router2(config)#interface Tokenring0

Router2(config-if)#ip address 172.22.1.2 255.255.255.0

Router2(config-if)#standby ip 172.22.1.1

Router2(config-if)#standby use-bia

Router2(config-if)#standby priority 110

Router2(config-if)#standby preempt

Router2(config-if)#exit

Router2(config)#end

Router2#

Note: Token Ring networks make use of the device's MAC address, so HSRP's virtual MAC would cause problems; the configuration therefore uses the burned-in address (BIA) instead of the virtual MAC to avoid them

22.8. Configuring SNMP support for HSRP

Problem: Enable HSRP SNMP traps

Solution

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#snmp-server enable traps hsrp

Router1(config)#snmp-server host 172.25.1.1 ORATRAP

Router1(config)#end

Router1#

Note: none

22.9. Improving HSRP security

Problem: Make HSRP more secure

Solution

All devices in the group use the same configuration

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#interface FastEthernet 0/1

Router1(config-if)#standby 1 ip 172.22.1.1

Router1(config-if)#standby 1 priority 120

Router1(config-if)#standby 1 authentication NEOSHI

Router1(config-if)#exit

Router1(config)#end

Router1#

From 12.3(2)T on, MD5-protected passwords are supported

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#interface FastEthernet0/1

Router1(config-if)#standby 1 ip 10.1.1.1

Router1(config-if)#standby 1 priority 200

Router1(config-if)#standby 1 authentication md5 key-string OREILLY

Router1(config-if)#end

Router1#

To prevent any other router from becoming active, give this router a high priority

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#interface FastEthernet 0/1

Router1(config-if)#standby 1 ip 172.22.1.1

Router1(config-if)#standby 1 priority 255

Router1(config-if)#exit

Router1(config)#end

Router1#

Note: none

22.10. Displaying HSRP status information

Problem: Display HSRP status information

Solution

Router2#show standby

Router2#show standby FastEthernet 1/0

Router2#show standby brief

Note:

22.11. HSRP troubleshooting

Problem: Troubleshoot HSRP

Solution

Router2#debug standby errors

Router2#debug standby events

Router2#debug standby packets

Router2#debug standby terse

Note:

22.12. Enabling HSRP version 2

Problem: Deploy HSRPv2

Solution

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#interface FastEthernet0/1

Router1(config-if)#standby version 2

Router1(config-if)#standby 4095 ip 10.1.1.1

Router1(config-if)#standby 4095 timers msec 15 msec 50

Router1(config-if)#standby 4095 priority 200

Router1(config-if)#standby 4095 preempt

Router1(config-if)#end

Router1#

Router2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router2(config)#interface FastEthernet0/0

Router2(config-if)#standby version 2

Router2(config-if)#standby 4095 ip 10.1.1.1

Router2(config-if)#standby 4095 timers msec 15 msec 50

Router2(config-if)#standby 4095 priority 150

Router2(config-if)#standby 4095 preempt

Router2(config-if)#end

Router2#

Note: HSRPv2 is supported from 12.3(4)T on; its main change is the larger group range, from 256 groups in v1 to 4095 now. It uses different MAC and multicast addresses, so the two versions cannot be mixed

22.13. VRRP

Problem: Enable VRRP on a Cisco router

Solution

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#interface FastEthernet0/1

Router1(config-if)#ip address 10.1.1.2 255.255.255.0

Router1(config-if)#vrrp 1 ip 10.1.1.1

Router1(config-if)#vrrp 1 preempt

Router1(config-if)#vrrp 1 priority 200

Router1(config-if)#end

Router1#

Router2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router2(config)#interface FastEthernet0/0

Router2(config-if)#ip address 10.1.1.3 255.255.255.0

Router2(config-if)#vrrp 1 ip 10.1.1.1

Router2(config-if)#vrrp 1 preempt

Router2(config-if)#vrrp 1 priority 150

Router2(config-if)#end

Router2#



Note: Be aware that the authentication configuration may cause problems when Cisco and non-Cisco devices are mixed. For the timers only the hello interval can be configured; it can be set on the master router, and the backup routers can learn it automatically with the vrrp 1 timers learn command. A description can be added to the configuration, and tracking is also supported

22.14. GLBP

Problem: Configure GLBP for automatic traffic load sharing

Solution

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#interface FastEthernet0/0

Router1(config-if)#ip address 172.22.1.3 255.255.255.0

Router1(config-if)#glbp 1 ip 172.22.1.1

Router1(config-if)#exit

Router1(config)#end

Router1#

Router2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router2(config)#interface FastEthernet0/0

Router2(config-if)#ip address 172.22.1.2 255.255.255.0

Router2(config-if)#glbp 1 ip 172.22.1.1

Router2(config-if)#exit

Router2(config)#end

Router2#

Note: GLBP achieves automatic load sharing by having the group members answer in round-robin fashion with their virtual MAC addresses; other sharing methods, such as weighting, can also be used. This balances traffic without configuring multiple HSRP groups, and all devices use the same gateway address.

2007/3/21 7:45
23.1. Configuring multicast with PIM-DM

Problem: Configure basic multicast on a router

Solution

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#ip multicast-routing

Router1(config)#interface FastEthernet0/0

Router1(config-if)#ip address 192.168.1.1 255.255.255.0

Router1(config-if)#ip pim dense-mode

Router1(config-if)#exit

Router1(config)#interface Serial1/0

Router1(config-if)#ip address 192.168.2.5 255.255.255.252

Router1(config-if)#ip pim dense-mode

Router1(config-if)#end

Router1#

Router2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router2(config)#ip multicast-routing

Router2(config)#interface FastEthernet0/0

Router2(config-if)#ip address 192.168.3.1 255.255.255.0

Router2(config-if)#ip pim dense-mode

Router2(config-if)#exit

Router2(config)#interface Serial1/0

Router2(config-if)#ip address 192.168.2.6 255.255.255.252

Router2(config-if)#ip pim dense-mode

Router2(config-if)#end

Router2#

Note: Dense mode suits situations where the multicast senders and receivers are close together, with few senders but a large number of receivers.

23.2. Configuring multicast routing with PIM-SM and BSR

Problem: Configure sparse-mode multicast routing, using BSR to distribute RP information

Solution

Ordinary routers participating in multicast

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#ip multicast-routing

Router1(config)#ip pim rp-address 192.168.15.5

Router1(config)#interface FastEthernet0/0

Router1(config-if)#ip address 192.168.1.1 255.255.255.0

Router1(config-if)#ip pim sparse-mode

Router1(config-if)#interface Serial1/0

Router1(config-if)#ip address 192.168.2.5 255.255.255.252

Router1(config-if)#ip pim sparse-mode

Router1(config-if)#end

Router1#

RP candidate and BSR candidate router

Router-RP1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router-RP1(config)#ip multicast-routing

Router-RP1(config)#interface Loopback0

Router-RP1(config-if)#ip address 192.168.12.1 255.255.255.255

Router-RP1(config-if)# ip pim sparse-mode

Router-RP1(config-if)#exit

Router-RP1(config)#interface FastEthernet0/0

Router-RP1(config-if)#ip address 192.168.1.1 255.255.255.0

Router-RP1(config-if)#ip pim sparse-mode

Router-RP1(config-if)#exit

Router-RP1(config)#interface Serial1/0

Router-RP1(config-if)#ip address 192.168.2.5 255.255.255.252

Router-RP1(config-if)#ip pim sparse-mode

Router-RP1(config-if)#exit

Router-RP1(config)#ip pim rp-address 192.168.12.1 15

Router-RP1(config)#ip pim rp-candidate loopback0 group-list 15

Router-RP1(config)#ip pim bsr-candidate loopback0 1

Router-RP1(config)#access-list 15 permit 239.5.5.0 0.0.0.255

Router-RP1(config)#access-list 15 deny any

Router-RP1(config)#end

Router-RP1#

Note: Sparse mode requires a Rendezvous Point (RP) to serve as the root of the multicast Shortest Path Trees (SPT). There are two ways to tell routers about the RP: static assignment, as Router1 does with ip pim rp-address 192.168.15.5, or dynamic RP discovery, which itself comes in two forms, Cisco's proprietary Auto-RP and the Bootstrap Router used in this example. On Router-RP1, ip pim rp-candidate first announces the router as a possible RP, and ip pim bsr-candidate then makes it the Bootstrap Router (BSR); the BSR's job is to distribute information about all possible RPs in the network. It is also advisable to configure ip pim rp-address 192.168.12.1 15, especially on IOS 12.3 and later. BSR mode requires PIM-SM v2 support.

23.3. Configuring multicast routing with PIM-SM and Auto-RP

Problem: Configure sparse-mode multicast routing, using Auto-RP to distribute RP information

Solution

Ordinary routers participating in multicast

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#ip multicast-routing

Router1(config)#ip pim rp-address 192.168.15.5

Router1(config)#interface FastEthernet0/0

Router1(config-if)#ip address 192.168.1.1 255.255.255.0

Router1(config-if)#ip pim sparse-dense-mode

Router1(config-if)#exit

Router1(config)#interface Serial1/0

Router1(config-if)#ip address 192.168.2.5 255.255.255.252

Router1(config-if)#ip pim sparse-dense-mode

Router1(config-if)#end

Router1#

Candidate RP router

Router-RP1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router-RP1(config)#ip multicast-routing

Router-RP1(config)#interface Loopback0

Router-RP1(config-if)#ip address 192.168.12.1 255.255.255.255

Router-RP1(config-if)#ip pim sparse-dense-mode

Router-RP1(config-if)#exit

Router-RP1(config)#interface FastEthernet0/0

Router-RP1(config-if)#ip address 192.168.1.1 255.255.255.0

Router-RP1(config-if)#ip pim sparse-dense-mode

Router-RP1(config-if)#exit

Router-RP1(config)#interface Serial1/0

Router-RP1(config-if)#ip address 192.168.2.5 255.255.255.252

Router-RP1(config-if)#ip pim sparse-dense-mode

Router-RP1(config-if)#exit

Router-RP1(config)#ip pim send-rp-announce loopback0 scope 16 group-list 15

Router-RP1(config)#ip pim send-rp-discovery scope 16

Router-RP1(config)#access-list 15 permit 239.5.5.0 0.0.0.255

Router-RP1(config)#access-list 15 deny any

Router-RP1(config)#end

Router-RP1#

Note: With Auto-RP, sparse-dense-mode is added, and the two reserved multicast addresses 224.0.1.39 and 224.0.1.40 are used

23.4. Filtering PIM neighbors

Problem: Prevent a router from accepting PIM packets from other devices

Solution

Configure R1 to filter R2

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#ip multicast-routing

Router1(config)#interface FastEthernet0/0

Router1(config-if)#ip address 192.168.1.1 255.255.255.0

Router1(config-if)#ip pim sparse-mode

Router1(config-if)#ip pim neighbor-filter 18

Router1(config-if)#exit

Router1(config)#access-list 18 deny any

Router1(config)#end

Router1#

Router2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router2(config)#ip multicast-routing

Router2(config)#interface FastEthernet0/0

Router2(config-if)#ip address 192.168.1.2 255.255.255.0

Router2(config-if)#ip pim dense-mode

Router2(config-if)#ip igmp helper-address 192.168.1.1

Router2(config-if)#end

Router2#

Note: Besides providing security, filtering PIM neighbors also makes multicast stub routing possible

23.5. Supporting low-rate multicast applications

Problem: Configure support for applications that send multicast packets infrequently

Solution

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#ip multicast-routing

Router1(config)#ip pim spt-threshold 10 group-list 15

Router1(config)#access-list 15 permit 239.5.5.55

Router1(config)#access-list 15 deny any

Router1(config)#interface FastEthernet0/0

Router1(config-if)#ip address 192.168.1.1 255.255.255.0

Router1(config-if)#ip pim sparse-dense-mode

Router1(config-if)#exit

Router1(config)#interface Serial1/0

Router1(config-if)#ip address 192.168.2.5 255.255.255.252

Router1(config-if)#ip pim sparse-mode

Router1(config-if)#end

Router1#

Note: Applications that send small multicast packets at long intervals need sparse mode, with the SPT threshold configured so that the multicast path that has been built is retained

23.6. Using multicast on Frame Relay or ATM networks

Problem: Use PIM-SM on an NBMA network

Solution

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#ip multicast-routing

Router1(config)#interface Serial0/0

Router1(config-if)#encapsulation frame-relay

Router1(config-if)#ip pim sparse-mode

Router1(config-if)#ip pim nbma-mode

Router1(config-if)#end

Router1#

Note: On an ordinary NBMA network the NBMA interface cannot tell apart multicast requests coming from the different downstream interfaces; the ip pim nbma-mode command makes the router handle each neighbor's multicast requests individually

23.7. Configuring CGMP

Problem: Configure CGMP communication between a router and a Catalyst switch

Solution

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#ip multicast-routing

Router1(config)#interface FastEthernet0/0

Router1(config-if)#ip pim sparse-dense-mode

Router1(config-if)#ip cgmp

Router1(config-if)#end

Router1#

Note: The command that enables CGMP differs between switches, and not all switches support CGMP

23.8. Using IGMP version 3

Problem: Configure IGMPv3

Solution

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#ip multicast-routing

Router1(config)#ip pim ssm default

Router1(config)#interface FastEthernet0/0

Router1(config-if)#ip pim sparse-dense-mode

Router1(config-if)#ip igmp version 3

Router1(config-if)#end

Router1#

To use the Source-Specific Multicast (SSM) feature when the end devices do not support v3, Cisco's IGMP v3lite can be used

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#ip multicast-routing

Router1(config)#ip pim ssm default

Router1(config)#interface FastEthernet0/0

Router1(config-if)#ip pim sparse-dense-mode

Router1(config-if)#ip igmp v3lite

Router1(config-if)#end

Router1#

Note: The most useful feature of v3 is SSM, which lets a receiver specify not only the multicast group it wants but also the source

23.9. Static multicast routes and group membership

Problem: Use static entries in place of dynamic multicast routes and group membership

Solution

Static multicast route:

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#ip multicast-routing

Router1(config)#ip mroute 192.168.15.0 255.255.255.0 192.168.98.6

Router1(config)#interface Tunnel0

Router1(config-if)#ip address 192.168.98.5 255.255.255.252

Router1(config-if)#ip pim sparse-dense-mode

Router1(config-if)#tunnel mode gre ip

Router1(config-if)#end

Router1#

Static group membership

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#ip multicast-routing

Router1(config)#interface FastEthernet0/0

Router1(config-if)#ip pim sparse-dense-mode

Router1(config-if)#ip igmp join-group 239.5.5.55

Router1(config-if)#end

Router1#

Note: 12.3(2)T introduced the similar ip igmp join-group command, whose advantage is that it uses fast switching to handle the multicast packets

23.10. Enabling MOSPF for multicast routing

Problem: Use MOSPF to distribute multicast routing tables

Solution: Cisco does not support MOSPF

23.11. Enabling DVMRP for multicast routing

Problem: Configure DVMRP to support multicast routing

Solution

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#ip multicast-routing

Router1(config)#interface FastEthernet0/0

Router1(config-if)#ip pim sparse-dense-mode

Router1(config-if)#ip dvmrp unicast-routing

Router1(config-if)#ip dvmrp summary-address 192.168.0.0 255.255.0.0

Router1(config-if)#end

Router1#

Note: Cisco's DVMRP support is not complete either; it mostly serves as a gateway between DVMRP and PIM. DVMRP is rarely deployed in today's networks, and PIM is recommended. PIM uses the unicast routing table, whereas DVMRP maintains its own multicast routing table and exchanges neighbor information on the multicast address 224.0.0.4

23.12. DVMRP tunnels

Problem: Build a DVMRP tunnel across a network that does not support multicast

Solution

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#ip multicast-routing

Router1(config)#interface Tunnel0

Router1(config-if)#ip unnumbered FastEthernet0/0

Router1(config-if)#ip pim sparse-dense-mode

Router1(config-if)#ip dvmrp unicast-routing

Router1(config-if)#tunnel source FastEthernet0/0

Router1(config-if)#tunnel destination 192.168.99.15

Router1(config-if)#tunnel mode dvmrp

Router1(config-if)#exit

Router1(config)#interface FastEthernet0/0

Router1(config-if)#ip address 192.168.1.1 255.255.255.0

Router1(config-if)#ip pim sparse-dense-mode

Router1(config-if)#end

Router1#

Note: A DVMRP tunnel is built between a Cisco router and a legacy device that supports DVMRP; it is not supported between two Cisco devices. The tunnel can only encapsulate multicast packets, and PIM must be enabled on both the tunnel interface and the source interface.

23.13. Configuring Bidirectional PIM

Problem: Configure the network to support bidirectional PIM

Solution

RP router

Router-RP1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router-RP1(config)#ip multicast-routing

Router-RP1(config)#ip pim bidir-enable

Router-RP1(config)#ip pim rp-address 192.168.12.1 bidir

Router-RP1(config)#ip pim rp-candidate Loopback0 group-list 15 bidir

Router-RP1(config)#ip pim bsr-candidate Loopback0 1

Router-RP1(config)#access-list 15 permit 239.5.5.0 0.0.0.255

Router-RP1(config)#access-list 15 deny any

Router-RP1(config)#interface Loopback0

Router-RP1(config-if)#ip address 192.168.12.1 255.255.255.255

Router-RP1(config-if)# ip pim sparse-mode

Router-RP1(config-if)#exit

Router-RP1(config)#interface FastEthernet0/0

Router-RP1(config-if)#ip address 192.168.1.1 255.255.255.0

Router-RP1(config-if)#ip pim sparse-mode

Router-RP1(config-if)#exit

Router-RP1(config)#interface Serial1/0

Router-RP1(config-if)#ip address 192.168.2.5 255.255.255.252

Router-RP1(config-if)#ip pim sparse-mode

Router-RP1(config-if)#exit

Router-RP1(config)#end

Router-RP1#

Other routers

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#ip multicast-routing

Router1(config)#ip pim bidir-enable

Router1(config)#ip pim rp-address 192.168.12.1 bidir

Router1(config)#interface FastEthernet0/0

Router1(config-if)#ip address 192.168.1.2 255.255.255.0

Router1(config-if)#ip pim sparse-mode

Router1(config-if)#interface Serial1/0

Router1(config-if)#ip address 192.168.3.5 255.255.255.252

Router1(config-if)#ip pim sparse-mode

Router1(config-if)#end

Router1#

Note: Bidirectional PIM resembles PIM-SM but differs slightly in mechanism; to deploy it, every router in the network must be configured to support it, and all must run IOS 12.2 or later

23.14. Using TTL to limit multicast scope

Problem: Ensure multicast stays within a specific part of the network

Solution

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#ip multicast-routing

Router1(config)#interface FastEthernet0/0

Router1(config-if)#ip multicast ttl-threshold 16

Router1(config-if)#end

Router1#

Note: This configuration depends largely on how the multicast server sets the TTL; conventionally a TTL of 1 is local, 16 departmental, 64 enterprise, and 128 Internet. Unlike unicast, a packet dropped because its TTL expired does not produce an ICMP TTL-exceeded message

23.15. Using Administratively Scoped Addressing to limit multicast scope

Problem: Use the administratively scoped addresses defined in RFC 2365 to control multicast distribution

Solution

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#ip multicast-routing

Router1(config)#access-list 15 deny 239.255.0.0 0.0.255.255

Router1(config)#access-list 15 permit any

Router1(config)#interface FastEthernet0/0

Router1(config-if)#ip multicast boundary 15

Router1(config-if)#end

Router1#

Note: Because TTL-based control depends more on the multicast application, the control method above is used instead: it applies to the multicast addresses 239.0.0.0 through 239.255.255.255, with different applications and scopes using different address ranges, and control is applied per range. Unlike a simple filter list on the interface, this command also controls PIM messages, thereby preventing joins to the multicast tree

23.16. Using MBGP to exchange multicast routing information

Problem: Use MBGP to exchange multicast routing information between two networks

Solution

First enable multicast routing on the ASBR and filter local multicast

Router-ASBR1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router-ASBR1(config)#ip multicast-routing

Router-ASBR1(config)#access-list 15 deny 239.0.0.0 0.255.255.255

Router-ASBR1(config)#access-list 15 deny 224.0.1.39

Router-ASBR1(config)#access-list 15 deny 224.0.1.40

Router-ASBR1(config)#access-list 15 permit any

Router-ASBR1(config)#interface Serial0/0

Router-ASBR1(config-if)#ip multicast boundary 15

Router-ASBR1(config-if)#ip multicast ttl-threshold 64

Router-ASBR1(config-if)#ip pim dense-mode

Router-ASBR1(config-if)#end

Router-ASBR1#

Then configure MBGP

Router-ASBR1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router-ASBR1(config)#router bgp 65530

Router-ASBR1(config-router)#network 10.0.0.0 mask 255.0.0.0

Router-ASBR1(config-router)#neighbor 10.15.32.1 remote-as 65531

Router-ASBR1(config-router)#address-family ipv4 multicast

Router-ASBR1(config-router-af)#neighbor 10.15.32.1 activate

Router-ASBR1(config-router-af)#end

Router-ASBR1#

Note: Unlike PIM, MBGP is not a multicast routing protocol; it only carries routing information, which is why the configuration still includes PIM
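The boundary lists in 23.15 and 23.16 both rely on Cisco wildcard-mask matching, where a 1 bit in the mask means "don't care" and a bare address means an exact host match. The following added example (not code from the Cisco IOS Cookbook or this post) reproduces that first-match evaluation, including the implicit deny at the end, so the effect of an `ip multicast boundary` ACL on a given group can be checked offline; it also rejects a malformed mask rather than guessing at it.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str      # "permit" or "deny"
    network: int     # matched address as a 32-bit integer
    wildcard: int    # Cisco wildcard mask: a 1 bit means "don't care"


# The boundary lists exactly as recipes 23.15 and 23.16 configure them.
BOUNDARY_ACL_23_15 = [
    "access-list 15 deny 239.255.0.0 0.0.255.255",
    "access-list 15 permit any",
]
BOUNDARY_ACL_23_16 = [
    "access-list 15 deny 239.0.0.0 0.255.255.255",
    "access-list 15 deny 224.0.1.39",
    "access-list 15 deny 224.0.1.40",
    "access-list 15 permit any",
]


def _to_int(dotted: str) -> int:
    """Parse a dotted quad; a malformed value (for example a five-octet
    wildcard) raises ValueError instead of being silently accepted."""
    return int(ipaddress.IPv4Address(dotted))


def parse_acl(lines: list[str]) -> list[AclEntry]:
    """Parse numbered standard-ACL lines of the form
    access-list <n> permit|deny (any | <addr> [<wildcard>])."""
    entries: list[AclEntry] = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            raise ValueError(f"not a standard ACL line: {line!r}")
        action = tokens[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in: {line!r}")
        if tokens[3] == "any":
            entries.append(AclEntry(action, 0, 0xFFFFFFFF))
            continue
        network = _to_int(tokens[3])
        # A bare address without a wildcard is a host match (wildcard 0.0.0.0).
        wildcard = _to_int(tokens[4]) if len(tokens) > 4 else 0
        entries.append(AclEntry(action, network, wildcard))
    return entries


def acl_action(entries: list[AclEntry], addr: str) -> str:
    """First-match evaluation with IOS's implicit `deny any` at the end."""
    a = _to_int(addr)
    for e in entries:
        care = ~e.wildcard & 0xFFFFFFFF  # the bits that must match exactly
        if (a & care) == (e.network & care):
            return e.action
    return "deny"


def boundary_decisions(acl_lines: list[str], groups: list[str]) -> dict[str, str]:
    """For `ip multicast boundary <acl>`: permitted groups may cross the
    interface, denied groups are stopped (data and PIM joins alike)."""
    entries = parse_acl(acl_lines)
    return {g: ("forwarded" if acl_action(entries, g) == "permit" else "blocked")
            for g in groups}


if __name__ == "__main__":
    sample_groups = ["239.5.5.55", "224.0.1.39", "224.0.1.41", "233.1.1.1"]
    for group, verdict in boundary_decisions(BOUNDARY_ACL_23_16, sample_groups).items():
        print(f"{group:>12}: {verdict}")
```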

23.17. Using MSDP to discover external sources

Problem: Use MSDP to discover multicast sources in another autonomous system

Solution

Router-ASBR1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router-ASBR1(config)#ip multicast-routing

Router-ASBR1(config)#interface Loopback0

Router-ASBR1(config-if)#ip address 192.168.12.1 255.255.255.255

Router-ASBR1(config-if)# ip pim sparse-mode

Router-ASBR1(config-if)#interface FastEthernet0/0

Router-ASBR1(config-if)#ip address 192.168.1.1 255.255.255.0

Router-ASBR1(config-if)#ip pim sparse-mode

Router-ASBR1(config-if)#exit

Router-ASBR1(config)#interface Serial1/0

Router-ASBR1(config-if)#ip address 192.168.2.5 255.255.255.252

Router-ASBR1(config-if)#ip multicast boundary 15

Router-ASBR1(config-if)#ip multicast ttl-threshold 64

Router-ASBR1(config-if)#ip pim sparse-mode

Router-ASBR1(config-if)#exit

Router-ASBR1(config)#ip pim rp-candidate loopback0

Router-ASBR1(config)#ip pim bsr-candidate loopback0 1

Router-ASBR1(config)#router bgp 65530

Router-ASBR1(config-router)#network 10.0.0.0 mask 255.0.0.0

Router-ASBR1(config-router)#neighbor 192.168.2.6 remote-as 65531

Router-ASBR1(config-router)#address-family ipv4 multicast

Router-ASBR1(config-router-af)#neighbor 192.168.2.6 activate

Router-ASBR1(config-router-af)#exit

Router-ASBR1(config-router)#exit

Router-ASBR1(config)#ip msdp peer 192.168.2.6

Router-ASBR1(config)#ip msdp sa-request 192.168.2.6

Router-ASBR1(config)#access-list 15 deny 239.0.0.0 0.255.255.255

Router-ASBR1(config)#access-list 15 deny 224.0.1.39

Router-ASBR1(config)#access-list 15 deny 224.0.1.40

Router-ASBR1(config)#access-list 15 permit any

Router-ASBR1(config)#end

Router-ASBR1#

Note: The main point here is configuring the SA peer so that new sources are announced

23.18. Configuring Anycast RP

Problem: Configure two or more RPs so that routers automatically choose the nearest one

Solution

Configuration of the first RP

Router-RP1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router-RP1(config)#ip multicast-routing

Router-RP1(config)#interface Loopback0

Router-RP1(config-if)# ip address 10.4.4.4 255.255.255.255

Router-RP1(config-if)#exit

Router-RP1(config)#interface Loopback1

Router-RP1(config-if)# ip address 192.168.99.1 255.255.255.255

Router-RP1(config-if)# ip pim sparse-dense-mode

Router-RP1(config-if)#exit

Router-RP1(config)#ip pim send-rp-announce Loopback1 scope 16 group-list 22

Router-RP1(config)#ip pim send-rp-discovery Loopback1 scope 16

Router-RP1(config)#ip msdp peer 10.5.5.5 connect-source Loopback0

Router-RP1(config)#access-list 22 permit 239.0.0.0 0.255.255.255

Router-RP1(config)#end

Router-RP1#

Configuration of the second RP

Router-RP2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router-RP2(config)#ip multicast-routing

Router-RP2(config)#interface Loopback0

Router-RP2(config-if)# ip address 10.5.5.5 255.255.255.255

Router-RP2(config-if)#exit

Router-RP2(config)#interface Loopback1

Router-RP2(config-if)# ip address 192.168.99.1 255.255.255.255

Router-RP2(config-if)# ip pim sparse-dense-mode

Router-RP2(config-if)#exit

Router-RP2(config)#ip pim send-rp-announce Loopback1 scope 16 group-list 22

Router-RP2(config)#ip pim send-rp-discovery Loopback1 scope 16

Router-RP2(config)#ip msdp peer 10.4.4.4 connect-source Loopback0

Router-RP2(config)#access-list 22 permit 239.0.0.0 0.255.255.255

Router-RP2(config)#end

Router-RP2#

Note: A weakness of PIM-SM is that a multicast group can have only one RP, so redundancy is lacking. Anycast RP configures the same anycast address on each RP and relies on the unicast routing protocol to reach the nearest RP; MSDP between the RPs keeps the multicast source information in sync

23.19. Converting broadcast to multicast

Problem: Carry a broadcast-based application across the network as multicast packets

Solution

First-hop router

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#ip multicast-routing

Router1(config)#access-list 115 permit udp any any eq 3535

Router1(config)#access-list 115 deny udp any any

Router1(config)#interface FastEthernet0/0

Router1(config-if)#ip directed-broadcast

Router1(config-if)#ip multicast helper-map broadcast 239.3.5.35 115

Router1(config-if)#ip pim sparse-dense-mode

Router1(config-if)#exit

Router1(config)#ip forward-protocol udp 3535

Router1(config)#end

Router1#

Last-hop router

Router2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router2(config)#ip multicast-routing

Router2(config)#access-list 115 permit udp any any eq 3535

Router2(config)#access-list 115 deny udp any any

Router2(config)#interface Ethernet0

Router2(config-if)#ip address 192.168.9.1 255.255.255.0

Router2(config-if)#ip directed-broadcast

Router2(config-if)#ip multicast helper-map 239.3.5.35 192.168.9.255 115

Router2(config-if)#ip pim sparse-dense-mode

Router2(config-if)#ip igmp join-group 239.3.5.35

Router2(config-if)#exit

Router2(config)#ip forward-protocol udp 3535

Router2(config)#end

Router2#

Note: The IP Multicast Helper feature lets the router perform this conversion, but the conversion is CPU-intensive and only a stopgap

23.20. Displaying multicast status information

Problem: Display multicast status information

Solution

Router#show ip mroute

Router#show ip mroute count

Router#show ip mroute active

Router#show ip igmp groups

Router#show ip igmp interface

Router#show ip pim neighbor

Router#show ip pim interface

Router#show ip pim rp

Router#show ip msdp count

Router#show ip msdp peer 192.168.201.15

Router#show ip msdp summary

Router#show ip rpf 192.168.3.2

Router#mstat 192.168.3.2 239.5.5.55

Note: none

23.21. Multicast routing troubleshooting

Problem: Troubleshoot multicast routing

Solution

Router#debug ip mrouting

Router#debug ip mpacket 239.5.5.55

Router#debug ip igmp

Note: none

2007/3/22 2:48
24.1. Local Area Mobility

Problem: Configure Local Area Mobility so that devices can roam across the network

Solution

Home router (HomeRouter)

RouterHome#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

RouterHome(config)#interface FastEthernet0/0

RouterHome(config-if)#ip address 192.168.10.1 255.255.255.0

RouterHome(config-if)#ip proxy-arp

RouterHome(config-if)#ip mobile arp

RouterHome(config-if)#exit

RouterHome(config)#router eigrp 99

RouterHome(config-router)#network 192.168.10.0

RouterHome(config-router)#default-metric 10000 10 255 1 1500

RouterHome(config-router)#redistribute mobile

RouterHome(config-router)#no auto-summary

RouterHome(config-router)#exit

RouterHome(config)#end

RouterHome#

Foreign router (ForeignRouter):

RouterForeign#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

RouterForeign(config)#interface FastEthernet0/0

RouterForeign(config-if)#ip address 192.168.110.1 255.255.255.0

RouterForeign(config-if)#ip proxy-arp

RouterForeign(config-if)#ip mobile arp

RouterForeign(config-if)#exit

RouterForeign(config)#router eigrp 99

RouterForeign(config-router)#network 192.168.100.0

RouterForeign(config-router)#default-metric 10000 10 255 1 1500

RouterForeign(config-router)#redistribute mobile

RouterForeign(config-router)#no auto-summary

RouterForeign(config-router)#exit

RouterForeign(config)#end

RouterForeign#

Discussion: Local Area Mobility is a simple form of mobile IP that Cisco implements with Proxy ARP; it is meant only as a temporary substitute where there is no DHCP. Once the foreign router has discovered the visiting device through ARP, it creates a host route in its routing table, and that host route is then learned by the home router through the routing protocol. For example, the foreign router's ARP and routing tables:

RouterForeign#show ip arp FastEthernet0/0

Protocol Address Age (min) Hardware Addr Type Interface

Internet 192.168.110.1 - 000e.d7d6.1060 ARPA FastEthernet0/0

Internet 192.168.10.109 1 00b0.64ab.0580 ARPA FastEthernet0/0

Internet 192.168.110.9 21 0000.0c75.c684 ARPA FastEthernet0/0

RouterForeign#

RouterForeign#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route



Gateway of last resort is not set



C 192.168.110.0/24 is directly connected, FastEthernet0/0

192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks

M 192.168.10.109/32 [3/1] via 192.168.10.109, 00:17:59, FastEthernet0/0

D 192.168.10.0/24 [90/2172416] via 192.168.55.11, 00:29:43, Serial0/0

C 192.168.55.0/24 is directly connected, Serial0/0

RouterForeign#

The home router learns it through EIGRP:

RouterHome#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route



Gateway of last resort is not set



D 192.168.110.0/24 [90/2172416] via 192.168.55.12, 00:31:43, Serial0/0

192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks

D EX 192.168.10.109/32 [170/2172416] via 192.168.55.12, 00:18:19, Serial0/0

C 192.168.10.0/24 is directly connected, FastEthernet0/0

C 192.168.55.0/24 is directly connected, Serial0/0

RouterHome#

24.2. Home Agent configuration

Problem: Configure the router as a home agent for mobile nodes

Solution

RouterHome#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

RouterHome(config)#interface Loopback0

RouterHome(config-if)#ip address 192.168.9.1 255.255.255.255

RouterHome(config-if)#exit

RouterHome(config)#router mobile

RouterHome(config-router)#exit

RouterHome(config)#router eigrp 99

RouterHome(config-router)#redistribute mobile

RouterHome(config-router)#network 192.168.9.0

RouterHome(config-router)#network 192.168.10.0

RouterHome(config-router)#default-metric 10000 10 255 1 1500

RouterHome(config-router)#no auto-summary

RouterHome(config-router)#exit

RouterHome(config)#ip mobile home-agent address 192.168.9.1

RouterHome(config)#ip mobile virtual-network 192.168.10.0 255.255.255.0

RouterHome(config)#ip mobile host 192.168.10.1 192.168.10.254 virtual-network 192.168.10.0 255.255.255.0

RouterHome(config)#ip mobile secure host 192.168.10.110 spi 100 key ascii neoshi

RouterHome(config)#ip mobile secure host 192.168.10.111 spi 100 key ascii neoshi

RouterHome(config)#ip mobile secure host 192.168.10.112 spi 100 key ascii neoshi

RouterHome(config)#ip mobile secure host 192.168.10.113 spi 100 key ascii neoshi

RouterHome(config)#ip mobile secure host 192.168.10.114 spi 100 key ascii neoshi

RouterHome(config)#ip mobile secure host 192.168.10.115 spi 100 key ascii neoshi

RouterHome(config)#end

RouterHome#

Discussion: Configuring the home agent is the first step in configuring Mobile IP: first the basic Mobile IP configuration, then the Home Agent's IP address and the address range of the mobile nodes, and finally authentication for the individual mobile nodes. AAA can also be used for the authentication to improve scalability:

RouterHome(config)#aaa new-model

RouterHome(config)#aaa authorization ipmobile default group tacacs+

RouterHome(config)#ip mobile secure mn-aaa spi 200 algorithm md5

Note that Mobile IP tunnels use IP protocol number 55.

24.3. Foreign Agent configuration

Problem: Configure the router as a foreign agent for mobile nodes

Solution

RouterForeign#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

RouterForeign(config)#router mobile

RouterForeign(config-router)#exit

RouterForeign(config)#router eigrp 99

RouterForeign(config-router)#network 192.168.110.0

RouterForeign(config-router)#no auto-summary

RouterForeign(config-router)#exit

RouterForeign(config)#interface Ethernet0/0

RouterForeign(config-if)#ip address 192.168.110.1 255.255.255.0

RouterForeign(config-if)#ip irdp

RouterForeign(config-if)#ip mobile foreign-service

RouterForeign(config-if)#exit

RouterForeign(config)#ip mobile foreign-agent care-of Ethernet0/0

RouterForeign(config)#end

RouterForeign#

Discussion: The second step of the Mobile IP configuration is the foreign agent. Its initial configuration is basically the same as the home agent's; IRDP is then enabled on the interface, since mobile nodes use IRDP to discover the foreign agent's address; then the home agent is enabled; and finally the care-of address is configured, which is used to build the tunnel to the home agent address. Interestingly, neither the home agent nor the foreign agent configuration defines the address of the other end, because the mobile node announces it.

In addition, for extra security, authentication between the home agent and the foreign agent can be configured:

RouterHome(config)#ip mobile secure foreign-agent 192.168.110.1 spi 100 key ascii neoshi

RouterForeign(config)#ip mobile secure home-agent 192.168.9.1 spi 100 key ascii neoshi

24.4. Configuring a router as a mobile node

Problem: Configure a router to act as a mobile node

Solution

RouterMobile#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

RouterMobile(config)#router mobile

RouterMobile(config-router)#exit

RouterMobile(config)#ip mobile secure home-agent 192.168.9.1 spi 100 key ascii neoshi

RouterMobile(config)#ip mobile router

RouterMobile(mobile-router)#address 192.168.10.112 255.255.255.0

RouterMobile(mobile-router)#home-agent 192.168.9.1

RouterMobile(mobile-router)#exit

RouterMobile(config)#interface FastEthernet0/0

RouterMobile(config-if)#ip address 192.168.10.112 255.255.255.0

RouterMobile(config-if)#ip irdp

RouterMobile(config-if)#ip mobile router-service roam

RouterMobile(config-if)#ip mobile router-service solicit

RouterMobile(config-if)#exit

RouterMobile(config)#end

RouterMobile#

Discussion: Since 12.2(4)T, a router can be configured as a mobile node.

24.5. Reverse-Tunnel Forwarding

Problem: Force all packets to be forwarded through the tunnel, to get around the anti-spoofing access lists defined in the network

Solution

RouterMobile#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

RouterMobile(config)#ip mobile router

RouterMobile(mobile-router)#reverse-tunnel

RouterMobile(mobile-router)#exit

RouterMobile(config)#end

RouterMobile#

Discussion: When packets returning from the mobile node reach the foreign agent, they may be forwarded by normal local routing rather than through the tunnel back to the home agent, which may violate the foreign agent's security policy. This feature is therefore enabled to force return traffic through the tunnel as well; note that the feature has to be negotiated. Verification:

RouterForeign#show ip mobile tunnel

Mobile Tunnels:



Tunnel0:

src 192.168.110.1, dest 192.168.9.1

encap IP/IP, mode reverse-allowed, tunnel-users 1

IP MTU 1480 bytes

Path MTU Discovery, mtu: 0, ager: 10 mins, expires: never

outbound interface Serial0/0

FA created, fast switching enabled, ICMP unreachable enabled

105 packets input, 8462 bytes, 0 drops

0 packets output, 0 bytes

RouterForeign#

24.6. Configuring HSRP support on home agents for redundancy

Problem: Add redundancy by configuring multiple home agents

Solution

RouterHome1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

RouterHome1(config)#interface FastEthernet0/0

RouterHome1(config-if)#ip address 192.168.9.2 255.255.255.0

RouterHome1(config-if)#standby 1 ip 192.168.9.1

RouterHome1(config-if)#standby 1 name HA-GROUP

RouterHome1(config-if)#exit

RouterHome1(config)#router mobile

RouterHome1(config-router)#exit

RouterHome1(config)#router eigrp 99

RouterHome1(config-router)#redistribute mobile

RouterHome1(config-router)#network 192.168.9.0

RouterHome1(config-router)#network 192.168.10.0

RouterHome1(config-router)#default-metric 10000 10 255 1 1500

RouterHome1(config-router)#no auto-summary

RouterHome1(config-router)#exit

RouterHome1(config)#ip mobile home-agent address 192.168.9.1

RouterHome1(config)#ip mobile home-agent redundancy HA-GROUP virtual-network

RouterHome1(config)#ip mobile virtual-network 192.168.10.0 255.255.255.0

RouterHome1(config)#ip mobile host 192.168.10.1 192.168.10.254 virtual-network 192.168.10.0 255.255.255.0

RouterHome1(config)#ip mobile secure home-agent 192.168.9.3 spi 100 key ascii cisco

RouterHome1(config)#ip mobile secure host 192.168.10.110 spi 100 key ascii cookbook

RouterHome1(config)#ip mobile secure host 192.168.10.111 spi 100 key ascii cookbook

RouterHome1(config)#ip mobile secure host 192.168.10.112 spi 100 key ascii cookbook

RouterHome1(config)#ip mobile secure host 192.168.10.113 spi 100 key ascii cookbook

RouterHome1(config)#ip mobile secure host 192.168.10.114 spi 100 key ascii cookbook

RouterHome1(config)#ip mobile secure host 192.168.10.115 spi 100 key ascii cookbook

RouterHome1(config)#end

RouterHome1#

RouterHome2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

RouterHome2(config)#interface FastEthernet0/0

RouterHome2(config-if)#ip address 192.168.9.3 255.255.255.0

RouterHome2(config-if)#standby 1 ip 192.168.9.1

RouterHome2(config-if)#standby 1 name HA-GROUP

RouterHome2(config-if)#exit

RouterHome2(config)#router mobile

RouterHome2(config-router)#exit

RouterHome2(config)#router eigrp 99

RouterHome2(config-router)#redistribute mobile

RouterHome2(config-router)#network 192.168.9.0

RouterHome2(config-router)#network 192.168.10.0

RouterHome2(config-router)#default-metric 10000 10 255 1 1500

RouterHome2(config-router)#no auto-summary

RouterHome2(config-router)#exit

RouterHome2(config)#ip mobile home-agent address 192.168.9.1

RouterHome2(config)#ip mobile home-agent redundancy HA-GROUP virtual-network

RouterHome2(config)#ip mobile virtual-network 192.168.10.0 255.255.255.0

RouterHome2(config)#ip mobile host 192.168.10.1 192.168.10.254 virtual-network 192.168.10.0 255.255.255.0

RouterHome2(config)#ip mobile secure home-agent 192.168.9.2 spi 100 key ascii cisco

RouterHome2(config)#ip mobile secure host 192.168.10.110 spi 100 key ascii cookbook

RouterHome2(config)#ip mobile secure host 192.168.10.111 spi 100 key ascii cookbook

RouterHome2(config)#ip mobile secure host 192.168.10.112 spi 100 key ascii cookbook

RouterHome2(config)#ip mobile secure host 192.168.10.113 spi 100 key ascii cookbook

RouterHome2(config)#ip mobile secure host 192.168.10.114 spi 100 key ascii cookbook

RouterHome2(config)#ip mobile secure host 192.168.10.115 spi 100 key ascii cookbook

RouterHome2(config)#end

RouterHome2#

Discussion: The HSRP virtual address is used as the home agent address to provide redundancy. The extra command ip mobile home-agent redundancy HA-GROUP virtual-network associates the corresponding HSRP group, and authentication between the two home agents must be configured so that they can synchronize their information: ip mobile secure home-agent 192.168.9.3 spi 100 key ascii cisco

2007/4/3 3:29
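An added worked example, written for this page and not part of the original post or of any Cisco tool: a small Python parser for the two show ip route outputs in recipe 24.1 that flags the host routes Local Area Mobility creates. On the foreign router the visiting host shows up as an M /32 whose next hop is the host itself, on a segment whose connected subnet does not contain it; on the home router the same host appears as a D EX /32 inside its own connected subnet but pointing out a different interface. The sample tables are copied from the recipe with the column padding IOS normally prints restored. Because mobile ARP injects a host route for any device that answers ARP with a foreign address, listing these routes is the check an operator wants before trusting redistribute mobile.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the route lines of the two "show ip route" outputs
# shown in recipe 24.1 (foreign router first, then home router), with the
# column padding IOS normally prints restored.
FOREIGN_ROUTES = """\
C    192.168.110.0/24 is directly connected, FastEthernet0/0
     192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
M       192.168.10.109/32 [3/1] via 192.168.10.109, 00:17:59, FastEthernet0/0
D       192.168.10.0/24 [90/2172416] via 192.168.55.11, 00:29:43, Serial0/0
C    192.168.55.0/24 is directly connected, Serial0/0
"""

HOME_ROUTES = """\
D    192.168.110.0/24 [90/2172416] via 192.168.55.12, 00:31:43, Serial0/0
     192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
D EX    192.168.10.109/32 [170/2172416] via 192.168.55.12, 00:18:19, Serial0/0
C       192.168.10.0/24 is directly connected, FastEthernet0/0
C    192.168.55.0/24 is directly connected, Serial0/0
"""


@dataclass
class Route:
    code: str                                  # "C", "M", "D", "D EX", ...
    prefix: ipaddress.IPv4Network
    ad: Optional[int]                          # administrative distance
    metric: Optional[int]
    next_hop: Optional[ipaddress.IPv4Address]  # None for connected routes
    interface: str


# One IOS route line: code, prefix, then either "[AD/metric] via nh, age,"
# or "is directly connected,", followed by the outgoing interface.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z](?: [A-Z0-9]{1,2})?)\s+"
    r"(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nh>\d+\.\d+\.\d+\.\d+),\s+\S+,\s+"
    r"|is directly connected,\s+)"
    r"(?P<intf>\S+)\s*$"
)


def parse_routes(text: str) -> List[Route]:
    """Parse route lines; headers and 'variably subnetted' lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        routes.append(Route(
            code=m.group("code"),
            prefix=ipaddress.IPv4Network(m.group("prefix")),
            ad=int(m.group("ad")) if m.group("ad") else None,
            metric=int(m.group("metric")) if m.group("metric") else None,
            next_hop=ipaddress.IPv4Address(m.group("nh")) if m.group("nh") else None,
            interface=m.group("intf"),
        ))
    return routes


def _connected(routes: List[Route]) -> List[Tuple[ipaddress.IPv4Network, str]]:
    return [(r.prefix, r.interface) for r in routes if r.code == "C"]


def visiting_hosts(routes: List[Route]) -> List[Route]:
    """Hosts that mobile ARP accepted on a foreign segment: a /32 whose next
    hop is the host itself, reachable out an interface whose connected
    subnet does not contain it (the 'M' route on the foreign router)."""
    found = []
    for r in routes:
        if r.prefix.prefixlen != 32 or r.next_hop != r.prefix.network_address:
            continue
        local = [net for net, intf in _connected(routes) if intf == r.interface]
        if not any(r.prefix.network_address in net for net in local):
            found.append(r)
    return found


def roamed_hosts(routes: List[Route]) -> List[Route]:
    """Hosts that have left one of our own subnets: a /32 inside a connected
    network but pointing out a different interface (the 'D EX' route the
    home router learns after 'redistribute mobile')."""
    found = []
    for r in routes:
        if r.prefix.prefixlen != 32:
            continue
        for net, intf in _connected(routes):
            if r.prefix.network_address in net and intf != r.interface:
                found.append(r)
                break
    return found


if __name__ == "__main__":
    for name, text in (("foreign", FOREIGN_ROUTES), ("home", HOME_ROUTES)):
        rt = parse_routes(text)
        print(name, "visiting:", [str(r.prefix) for r in visiting_hosts(rt)],
              "roamed:", [str(r.prefix) for r in roamed_hosts(rt)])
```

Run against the recipe's tables, the foreign router reports 192.168.10.109/32 as a visiting host (M, [3/1]) and the home router reports the same prefix as roamed away (D EX, [170/2172416] via Serial0/0); the two views together confirm the host route propagated exactly as the discussion describes.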


25.1. Automatic configuration of interface IPv6 addresses

Problem: Enable IPv6 on an interface and generate its IPv6 address automatically

Solution

One method is autoconfig:

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#ipv6 unicast-routing

Router1(config)#interface FastEthernet0/0

Router1(config-if)#ipv6 address autoconfig

Router1(config-if)#end

Router1#

The other is EUI-64, which generates the host part of the IPv6 address and combines it with the configured network part:

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#ipv6 unicast-routing

Router1(config)#interface FastEthernet0/0

Router1(config-if)#ipv6 address AAAA::/64 eui-64

Router1(config-if)#end

Router1#

Discussion: The ipv6 unicast-routing command starts the routing protocols. Even without it you can configure v6 addresses, use v6 commands such as ping, and even configure static routes to connect the network, but configuring it is still recommended. With autoconfig, a link-local address with the FE80::/10 prefix is generated automatically, and DHCP is also queried to obtain an address. With EUI-64, a Global Unicast address with the AAAA::/64 prefix is generated from the MAC address.

25.2. Manual configuration of interface IPv6 addresses

Problem: Manually configure an IPv6 address on an interface

Solution

Configuring a unicast address:

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#ipv6 unicast-routing

Router1(config)#interface FastEthernet0/0

Router1(config-if)#ipv6 address AAAA::1/64

Router1(config-if)#exit

Router1(config)#end

Router1#

Configuring an anycast address:

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#ipv6 unicast-routing

Router1(config)#interface FastEthernet0/0

Router1(config-if)#ipv6 address AAFF::1/64 anycast

Router1(config-if)#exit

Router1(config)#end

Router1#

Configuring a link-local address:

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#ipv6 unicast-routing

Router1(config)#interface FastEthernet0/0

Router1(config-if)#ipv6 address FE80::1 link-local

Router1(config-if)#exit

Router1(config)#end

Router1#

Discussion: Once a unicast address is configured, a link-local address is generated automatically by the EUI-64 method. Anycast played a big role when the root DNS servers were under attack. Look at the output of this command:

Router1#show ipv6 interface FastEthernet0/0

FastEthernet0/0 is up, line protocol is up

IPv6 is enabled, link-local address is FE80::20E:84FF:FE24:4E70

Global unicast address(es):

AAAA::1, subnet is AAAA::/64

AAFF::1, subnet is AAFF::/64 [ANY]

Joined group address(es):

FF02::1

FF02::2

FF02::1:FF00:1

FF02::1:FF24:4E70

MTU is 1500 bytes

ICMP error messages limited to one every 100 milliseconds

ICMP redirects are enabled

ND DAD is enabled, number of DAD attempts: 1

ND reachable time is 30000 milliseconds

ND advertised reachable time is 0 milliseconds

ND advertised retransmit interval is 0 milliseconds

ND router advertisements are sent every 200 seconds

ND router advertisements live for 1800 seconds

Hosts use stateless autoconfig for addresses.

Router1#

25.3. Configuring IPv6 DHCP service

Problem: Enable the DHCP server feature on the router to provide IPv6 addresses

Solution

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#ipv6 dhcp database flash:/DHCPv6-db

Router1(config)#ipv6 local pool VLAN10-pool AAAA:1::/48 64

Router1(config)#ipv6 local pool VLAN11-pool AAAA:11::/48 64

Router1(config)#ipv6 dhcp pool DHCPv6POOL

Router1(config-dhcp)#prefix-delegation AAAA:1::23F6:33BA/64 00030001000E84244E70

Router1(config-dhcp)#prefix-delegation pool VLAN10-pool

Router1(config-dhcp)#dns-server AAAA:1::19

Router1(config-dhcp)#domain-name oreilly.com

Router1(config-dhcp)#exit

Router1(config)#interface FastEthernet0/0

Router1(config-if)#ipv6 address AAAA:1::1/64

Router1(config-if)#ipv6 address FE80::1 link-local

Router1(config-if)#ipv6 nd managed-config-flag

Router1(config-if)#ipv6 nd other-config-flag

Router1(config-if)#ipv6 dhcp server DHCPv6POOL rapid-commit preference 1 allow-hint

Router1(config-if)#exit

Router1(config)#end

Router1#

Discussion: This feature is limited to high-end routers.

Router1#show ipv6 dhcp pool DHCPv6POOL

DHCPv6 pool: DHCPv6POOL

Static bindings:

Binding for client 00030001000E84244E70

IA PD: IA ID not specified

Prefix: AAAA:1::23F6:33BA/64

preferred lifetime 604800, valid lifetime 2592000

Prefix pool: VLAN10-pool

preferred lifetime 604800, valid lifetime 2592000

DNS server: AAAA:1::19

Domain name: oreilly.com

Active clients: 0

Router1#

25.4. Configuring the IPv6 version of RIP

Problem: Configure RIP to support IPv6 routing

Solution

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#ipv6 unicast-routing

Router1(config)#ipv6 router rip RIP_PROC

Router1(config-rtr)#exit

Router1(config)#interface FastEthernet0/0

Router1(config-if)#ipv6 address AAAA:5:1/64

Router1(config-if)#ipv6 rip RIP_PROC enable

Router1(config-if)#exit

Router1(config)#interface Serial0/0

Router1(config-if)#ipv6 address AAAA:1:2/64

Router1(config-if)#ipv6 rip RIP_PROC enable

Router1(config-if)#frame-relay map ipv6 AAAA:1:3 206 broadcast

Router1(config-if)#exit

Router1(config)#end

Router1#

Discussion: The difference in the IPv6 version of RIP is that no network command is needed, and the next-hop addresses seen in the routing table are all link-local addresses:

Router1#show ipv6 route rip

IPv6 Routing Table - 9 entries

Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP

U - Per-user Static route

I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary

O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2

ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2

R AAAA:2::/64 [120/2]

via FE80::2E0:1EFF:FE7F:9E41, FastEthernet0/0

R AAAA:95::/64 [120/2]

via FE80::2E0:1EFF:FE7F:9E41, FastEthernet0/0

R AAAA:99::/64 [120/2]

via FE80::20E:D7FF:FED6:1060, FastEthernet0/0

Router1#

Another useful command:

Router1#show ipv6 rip next-hops

RIP process "RIP_PROC", Next Hops

FE80::2E0:1EFF:FE7F:9E41/FastEthernet0/0 [2 paths]

FE80::20E:D7FF:FED6:1060/FastEthernet0/0 [7 paths]

FE80::200:CFF:FE75:C684/FastEthernet0/0 [2 paths]

FE80::2E0:1EFF:FE7F:9E41/Serial0/0 [2 paths]

Router1#

25.5. Changing RIP's default parameters

Problem: Change RIP parameters such as timers and administrative distance

Solution

Changing the timers:

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#ipv6 unicast-routing

Router1(config)#ipv6 router rip RIP_PROC

Router1(config-rtr)#timers 15 60 5 120

Router1(config-rtr)#exit

Router1(config)#end

Router1#

Changing the administrative distance:

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#ipv6 unicast-routing

Router1(config)#ipv6 router rip RIP_PROC

Router1(config-rtr)#distance 100

Router1(config-rtr)#exit

Router1(config)#end

Router1#

Disabling split horizon:

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#ipv6 unicast-routing

Router1(config)#ipv6 router rip RIP_PROC

Router1(config-rtr)#no split-horizon

Router1(config-rtr)#exit

Router1(config)#end

Router1#

Discussion: Cisco does not provide the IPv6 version with the same set of tunable parameters as the v4 version.

Router1#show ipv6 rip

RIP process "RIP_PROC", port 521, multicast-group FF02::9, pid 125

Administrative distance is 120. Maximum paths is 16

Updates every 15 seconds, expire after 60

Holddown lasts 5 seconds, garbage collect after 120

Split horizon is on; poison reverse is off

Default routes are not generated

Periodic updates 755, trigger updates 3

Interfaces:

FastEthernet0/0

Loopback0

Redistribution:

None

Router1#

25.6. Filtering IPv6 routes and changing metrics in RIP

Problem: Post-process the routing table produced by RIP

Solution

Address summarization:

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#interface FastEthernet0/0

Router1(config-if)#ipv6 rip RIP_PROC summary-address AAAA:99::8:0/109

Router1(config-if)#exit

Router1(config)#end

Router1#

Advertising a default route:

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#interface FastEthernet0/0

Router1(config-if)#ipv6 rip RIP_PROC default-information originate

Router1(config-if)#exit

Router1(config)#end

Router1#

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#interface FastEthernet0/0

Router1(config-if)#ipv6 rip RIP_PROC default-information only

Router1(config-if)#exit

Router1(config)#end

Router1#

Route filtering:

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#ipv6 prefix-list BLOCK_2E6 seq 5 deny AAAA:2E6::/64 le 128

Router1(config)#ipv6 prefix-list BLOCK_2E6 seq 10 permit ::/0 le 128

Router1(config)#ipv6 prefix-list ALLOW_2222 seq 5 permit AAAA:2222::/64 le 128

Router1(config)#ipv6 prefix-list ALLOW_2222 seq 10 deny ::/0 le 128

Router1(config)#ipv6 router rip RIP_PROC

Router1(config-rtr)#distribute-list prefix-list BLOCK_2E6 in FastEthernet0/0

Router1(config-rtr)#distribute-list prefix-list ALLOW_2222 out FastEthernet0/0

Router1(config-rtr)#exit

Router1(config)#end

Router1#

Changing the metric:

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#interface Serial0/0

Router1(config-if)#ipv6 rip RIP_PROC metric-offset 5

Router1(config-if)#exit

Router1(config)#end

Router1#

Discussion: The basic configuration method is the same as for IPv4. For route filtering, v6 only accepts a prefix list in the distribute-list configuration; an access list cannot be given as the parameter.

25.7. Configuring the IPv6 version of OSPF

Problem: Configure OSPFv3 to support IPv6

Solution

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#ip cef

Router1(config)#ipv6 cef

Router1(config)#ipv6 unicast-routing

Router1(config)#ipv6 router ospf 1

Router1(config-rtr)#router-id 1.0.0.1

Router1(config-rtr)#area 0 range AAAA:5::/64

Router1(config-rtr)#exit

Router1(config)#interface FastEthernet0/0

Router1(config-if)#ipv6 address AAAA:5::1/64

Router1(config-if)#ipv6 ospf 1 area 0

Router1(config-if)#exit

Router1(config)#end

Router1#

Discussion: There is an interesting router ID issue here. Under v4 the router ID is chosen automatically from an IP address, but in a pure v6 environment there is no v4 address, so the router ID must be configured explicitly, otherwise OSPF does not run properly.

25.8. Filtering IPv6 routes and changing metrics in OSPF

Problem: Post-process the routing table produced by OSPF

Solution

Changing the default cost:

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#ipv6 router ospf 1

Router1(config-rtr)#auto-cost reference-bandwidth 1000

%OSPFv3: Reference bandwidth is change.

Please ensure reference bandwidth is consistent across all routers.

Router1(config-rtr)#exit

Router1(config)#end

Router1#

Changing the cost of a specific link:

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z

Router1(config)#interface FastEthernet0/0

Router1(config-if)#ipv6 ospf cost 500

Router1(config)#end

Router1#

Route filtering:

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#ipv6 prefix-list BLOCK_99_E seq 5 deny AAAA:99::E:0/112

Router1(config)#ipv6 prefix-list BLOCK_99_E seq 10 permit ::/0 le 128

Router1(config)#ipv6 router ospf 1

Router1(config-rtr)#distribute-list prefix-list BLOCK_99_E in

Router1(config-rtr)#exit

Router1(config)#end

Router1#

Discussion: Similar to the v4 configuration.

25.9. Route redistribution

Problem: Redistribute between different routing protocols

Solution

Redistributing OSPF into RIP:

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#ipv6 router rip RIP_PROC

Router1(config-rtr)#redistribute ospf 1 metric 5

Router1(config-rtr)#exit

Router1(config)#end

Router1#

Redistributing RIP into OSPF:

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#ipv6 router ospf 1

Router1(config-rtr)#redistribute rip RIP_PROC

Router1(config-rtr)#exit

Router1(config)#end

Router1#

Advertising a default route in OSPF:

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#ipv6 router ospf 1

Router1(config-rtr)#default-information originate always

Router1(config-rtr)#exit

Router1(config)#end

Router1#

Discussion: Advanced methods such as route maps can also be used.

25.10. Configuring MBGP

Problem: Use MBGP to carry IPv6 routing information between different autonomous systems

Solution

Pure v6 environment:

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#router bgp 65520

Router1(config-router)#no bgp default ipv4-unicast

Router1(config-router)#neighbor AAAA:5::2 remote-as 65522

Router1(config-router)#neighbor AAAA:5::AA9 remote-as 65521

Router1(config-router)#address-family ipv6

Router1(config-router-af)#neighbor AAAA:5::2 activate

Router1(config-router-af)#neighbor AAAA:5::AA9 activate

Router1(config-router-af)#network AAAA:2222::2/64

Router1(config-router-af)#no synchronization

Router1(config-router-af)#exit-address-family

Router1(config-router)#exit

Router1(config)#end

Router1#

Mixed v4 and v6 environment:

Router9#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router9(config)#router bgp 65521

Router9(config-router)#no bgp default ipv4-unicast

Router9(config-router)#neighbor AAAA:5::1 remote-as 65520

Router9(config-router)#neighbor 192.168.1.103 remote-as 65525

Router9(config-router)#address-family ipv4

Router9(config-router-af)#redistribute connected

Router9(config-router-af)#neighbor 192.168.1.103 activate

Router9(config-router-af)#no auto-summary

Router9(config-router-af)#no synchronization

Router9(config-router-af)#exit-address-family

Router9(config-router)#address-family ipv6

Router9(config-router-af)#neighbor AAAA:5::1 activate

Router9(config-router-af)#network AAAA:FE::1/64

Router9(config-router-af)#network AAAA:BBBB::1/64

Router9(config-router-af)#no synchronization

Router9(config-router-af)#exit-address-family

Router9(config-router)#exit

Router9(config)#end

Router9#

Discussion: The biggest difference from the v4 configuration is the added no bgp default ipv4-unicast command, because by default BGP only advertises v4 prefixes to neighbors. Neighbor state is checked with show bgp summary, whereas for pure v4 neighbors the command is show ip bgp summary.

25.11. Carrying IPv6 traffic over an existing IPv4 network

Problem: Interconnect two IPv6 networks over an existing IPv4 network

Solution

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#interface Loopback1

Router1(config-if)#ip address 10.15.1.11 255.255.255.255

Router1(config-if)#exit

Router1(config)#interface Tunnel1

Router1(config-if)#ipv6 address BBBB:1::1/126

Router1(config-if)#ipv6 rip RIP_PROC enable

Router1(config-if)#tunnel source 10.15.1.11

Router1(config-if)#tunnel destination 172.16.11.9

Router1(config-if)#exit

Router1(config)#end

Router1#

Router9#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router9(config)#interface Loopback1

Router9(config-if)#ip address 172.16.11.9 255.255.255.255

Router9(config-if)#exit

Router9(config)#interface Tunnel1

Router9(config-if)#ipv6 address BBBB:1::2/126

Router9(config-if)#ipv6 rip RIP_PROC enable

Router9(config-if)#tunnel source 172.16.11.9

Router9(config-if)#tunnel destination 10.15.1.11

Router9(config-if)#exit

Router9(config)#end

Router9#

Discussion: This GRE tunnel configuration is much simpler than the earlier examples and has far fewer problems, because the protocol types before and after encapsulation differ.

25.12. Translating between IPv6 and IPv4

Problem: Configure the router as a gateway between IPv4 and IPv6 networks

Solution

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#ipv6 access-list ALLOWED-NAT-DEVS

Router1(config-ipv6-acl)# permit ipv6 any any

Router1(config-ipv6-acl)#exit

Router1(config)#ipv6 nat prefix ::FFFF:0.0.0.0/96 v4-mapped ALLOWED-NAT-DEVS

Router1(config)#ipv6 nat v6v4 source AAAA:5::AA9 192.168.56.100

Router1(config)#interface FastEthernet0/0

Router1(config-if)#no ip address

Router1(config-if)#ipv6 address AAAA:5::2012/64

Router1(config-if)#ipv6 nat

Router1(config-if)#exit

Router1(config)#interface Serial0/0

Router1(config-if)#ip address 192.168.55.12 255.255.255.0

Router1(config-if)#ipv6 nat

Router1(config-if)#exit

Router1(config)#end

Router1#

Discussion: Since 12.2(13)T a router can act as a protocol translator between v6 and v4. For v6 hosts reaching v4 addresses, the "IPv4-Mapped IPv6 Address" form can be used, translating a.b.c.d into ::FFFF:A.B.C.D; for v4 hosts reaching v6 addresses, only static mapping (ipv6 nat v6v4) is available. This kind of address translation does not configure inside or outside interfaces.

2007/4/3 3:30
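An added example in Python, not from the cookbook and not Cisco code, that reproduces the address derivations behind recipes 25.1, 25.2 and 25.12: the modified EUI-64 interface ID, the resulting link-local and AAAA::/64 addresses, the solicited-node multicast groups listed under "Joined group address(es)" in the show ipv6 interface output, the reverse mapping from such an address back to the MAC, and the ::FFFF:a.b.c.d form used by ipv6 nat v4-mapped. The only input assumed is the MAC 000e.8424.4e70, which is recovered from the link-local address FE80::20E:84FF:FE24:4E70 in that output. It also shows why the output lists FF02::1:FF00:1 only once: AAAA::1 and AAFF::1 share the same low 24 bits.

```python
import ipaddress
from typing import Optional


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, appendix A): split the
    48-bit MAC in two, insert FF:FE in the middle and flip the universal/local
    bit (0x02) of the first octet. Accepts 000e.8424.4e70, 00:0e:84:24:4e:70
    or 00-0e-84-24-4e-70."""
    digits = mac.lower().replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError("MAC address must contain 12 hex digits")
    m = bytes.fromhex(digits)
    iid = bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:6]
    return int.from_bytes(iid, "big")


def address_from_prefix(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """What 'ipv6 address <prefix>/64 eui-64' produces: network bits from the
    prefix, interface ID from the MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing requires a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def link_local(mac: str) -> ipaddress.IPv6Address:
    """The FE80::/64 address IOS derives on its own once IPv6 is enabled."""
    return address_from_prefix("FE80::/64", mac)


def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """Solicited-node multicast group FF02::1:FFxx:xxxx (RFC 4291 2.7.1),
    built from the low 24 bits of the unicast address. Every unicast address
    on the interface joins its group, which is what the 'Joined group
    address(es)' list in show ipv6 interface reflects."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("FF02::1:FF00:0")) | low24)


def mac_from_eui64(addr: str) -> Optional[str]:
    """Reverse the derivation; returns None when the FF:FE marker is absent.
    That this works for any EUI-64 address is the privacy cost of the scheme:
    the hardware address travels with the host across every prefix it uses."""
    iid = (int(ipaddress.IPv6Address(addr)) & 0xFFFFFFFFFFFFFFFF).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    m = (bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]).hex()
    return f"{m[0:4]}.{m[4:8]}.{m[8:12]}"


def v4_mapped(v4: str) -> ipaddress.IPv6Address:
    """::FFFF:a.b.c.d, the form that 'ipv6 nat prefix ::FFFF:0.0.0.0/96
    v4-mapped' lets v6 hosts use to reach a v4 destination (recipe 25.12)."""
    return ipaddress.IPv6Address((0xFFFF << 32) | int(ipaddress.IPv4Address(v4)))


if __name__ == "__main__":
    # Assumed input: MAC recovered from the link-local address in recipe 25.2.
    mac = "000e.8424.4e70"
    print("link-local:", link_local(mac))
    print("AAAA::/64 eui-64:", address_from_prefix("AAAA::/64", mac))
    for a in ("AAAA::1", "AAFF::1", str(link_local(mac))):
        print("solicited-node of", a, "->", solicited_node(a))
    print("v4-mapped 192.168.56.100:", v4_mapped("192.168.56.100"))
```

The three solicited-node results are exactly the FF02::1:FF... groups in the recipe 25.2 output, and mac_from_eui64 on the link-local address gives back 000e.8424.4e70, the same MAC that appears inside the DHCPv6 client DUID 00030001000E84244E70 in recipe 25.3.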


Chapter 26. MPLS

26.1. Configuring a basic MPLS P router

Problem: Configure a P router in the MPLS core network

Solution

Router-P1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router-P1(config)#ip cef

Router-P1(config)#mpls ip

Router-P1(config)#interface FastEthernet0/0

Router-P1(config-if)#description connection to Router-PE2

Router-P1(config-if)#ip address 10.1.2.11 255.255.255.0

Router-P1(config-if)#mpls ip

Router-P1(config-if)#exit

Router-P1(config)#interface Serial0/0

Router-P1(config-if)#description connection to Router-PE1

Router-P1(config-if)#ip address 10.1.1.14 255.255.255.252

Router-P1(config-if)#mpls ip

Router-P1(config-if)#exit

Router-P1(config)#interface Serial0/1

Router-P1(config-if)#description connection to Router-PE3

Router-P1(config-if)#ip address 10.1.1.10 255.255.255.252

Router-P1(config-if)#mpls ip

Router-P1(config-if)#exit

Router-P1(config)#interface Loopback0

Router-P1(config-if)#ip address 10.0.0.11 255.255.255.255

Router-P1(config-if)#exit

Router-P1(config)#router ospf 99

Router-P1(config-router)#router-id 10.0.0.11

Router-P1(config-router)#network 10.0.0.0 0.255.255.255 area 0

Router-P1(config-router)#exit

Router-P1(config)#end

Router-P1#

Discussion: For a P router it is just a matter of enabling CEF and enabling MPLS on the interfaces. The tag-switching ip and mpls ip commands are essentially equivalent, and explicitly configuring LDP or TDP is not necessary; the router adapts automatically. There are three verification commands:

Router-P1#show mpls interfaces

Interface IP Tunnel Operational

FastEthernet0/0 Yes (tdp) No Yes

Serial0/0 Yes (tdp) No Yes

Serial0/1 Yes (tdp) No Yes

Router-P1#show mpls ldp neighbor

Peer TDP Ident: 10.0.0.2:0; Local TDP Ident 10.0.0.11:0

TCP connection: 10.0.0.2.711 - 10.0.0.11.28185

State: Oper; PIEs sent/rcvd: 0/82; Downstream

Up time: 01:04:45

TDP discovery sources:

Serial0/0, Src IP addr: 10.1.1.13

Addresses bound to peer TDP Ident:

10.0.0.2 10.1.1.2 10.1.1.13

Router-P1#show mpls forwarding-table

Local Outgoing Prefix Bytes tag Outgoing Next Hop

tag tag or VC or Tunnel Id switched interface

16 Pop tag 10.0.0.2/32 7697 Se0/0 point2point

17 Pop tag 10.1.1.0/30 0 Se0/0 point2point

18 Pop tag 10.0.0.3/32 6685 Se0/1 point2point

26.2. Configuring a basic MPLS PE router

Problem: Configure the provider edge routers of the MPLS network to interconnect customer networks

Solution

Configuring the three PE routers:

Router-PE1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router-PE1(config)#ip cef

Router-PE1(config)#mpls ip

Router-PE1(config)#interface Serial0/0

Router-PE1(config-if)#description Connection to Router-P1

Router-PE1(config-if)#ip address 10.1.1.13 255.255.255.252

Router-PE1(config-if)#mpls ip

Router-PE1(config-if)#exit

Router-PE1(config)#interface Loopback0

Router-PE1(config-if)#ip address 10.0.0.2 255.255.255.255

Router-PE1(config-if)#exit

Router-PE1(config)#router ospf 99

Router-PE1(config-router)#router-id 10.0.0.2

Router-PE1(config-router)#network 10.0.0.0 0.255.255.255 area 0

Router-PE1(config-router)#exit

Router-PE1(config)#ip vrf NetworkA

Router-PE1(config-vrf)#rd 100:1

Router-PE1(config-vrf)#route-target export 100:1

Router-PE1(config-vrf)#route-target import 100:1

Router-PE1(config-vrf)#exit

Router-PE1(config)#ip vrf NetworkB

Router-PE1(config-vrf)#rd 100:2

Router-PE1(config-vrf)#route-target export 100:2

Router-PE1(config-vrf)#route-target import 100:2

Router-PE1(config-vrf)#exit

Router-PE1(config)#interface Ethernet0/0

Router-PE1(config-if)#description connection to customer A, site 1

Router-PE1(config-if)#ip vrf forwarding NetworkA

Router-PE1(config-if)#ip address 192.168.1.1 255.255.255.0

Router-PE1(config-if)#exit

Router-PE1(config)#interface Ethernet0/1

Router-PE1(config-if)#description connection to customer B, site 1

Router-PE1(config-if)#ip vrf forwarding NetworkB

Router-PE1(config-if)#ip address 192.168.11.1 255.255.255.0

Router-PE1(config-if)#exit

Router-PE1(config)#router bgp 100

Router-PE1(config-router)#bgp log-neighbor-changes

Router-PE1(config-router)#neighbor 10.0.0.3 remote-as 100

Router-PE1(config-router)#neighbor 10.0.0.3 update-source Loopback0

Router-PE1(config-router)#neighbor 10.0.0.4 remote-as 100

Router-PE1(config-router)#neighbor 10.0.0.4 update-source Loopback0

Router-PE1(config-router)#address-family ipv4 vrf NetworkA

Router-PE1(config-router-af)#no auto-summary

Router-PE1(config-router-af)#no synchronization

Router-PE1(config-router-af)#redistribute connected

Router-PE1(config-router-af)#exit-address-family

Router-PE1(config-router)#adress-family ipv4 vrf NetworkB

Router-PE1(config-router-af)#no auto-summary

Router-PE1(config-router-af)#no synchronization

Router-PE1(config-router-af)#redistribute connected

Router-PE1(config-router-af)#exit-address-family

Router-PE1(config-router)#address-family vpnv4

Router-PE1(config-router-af)#neighbor 10.0.0.3 activate

Router-PE1(config-router-af)#neighbor 10.0.0.3 send-community extended

Router-PE1(config-router-af)#neighbor 10.0.0.4 activate

Router-PE1(config-router-af)#neighbor 10.0.0.4 send-community extended

Router-PE1(config-router-af)#exit-address-family

Router-PE1(config-router)#exit

Router-PE1(config)#end

Router-PE1#

Router-PE2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router-PE2(config)#ip cef

Router-PE2(config)#mpls ip

Router-PE2(config)#interface FastEthernet0/0

Router-PE2(config-if)#no ip address

Router-PE2(config-if)#exit

Router-PE2(config)#interface FastEthernet0/0.1

Router-PE2(config-if)#description Connection to Router-P1

Router-PE2(config-if)#encapsulation dot1Q 10

Router-PE2(config-if)#ip address 10.1.2.4 255.255.255.0

Router-PE2(config-if)#mpls ip

Router-PE2(config-if)#exit

Router-PE2(config)#interface Loopback0

Router-PE2(config-if)#ip address 10.0.0.3 255.255.255.255

Router-PE2(config-if)#exit

Router-PE2(config)#router ospf 99

Router-PE2(config-router)#router-id 10.0.0.3

Router-PE2(config-router)#network 10.0.0.0 0.255.255.255 area 0

Router-PE2(config-router)#exit

Router-PE2(config)#ip vrf NetworkA

Router-PE2(config-vrf)#rd 100:1

Router-PE2(config-vrf)#route-target export 100:1

Router-PE2(config-vrf)#route-target import 100:1

Router-PE2(config-vrf)#exit

Router-PE2(config)#ip vrf NetworkB

Router-PE2(config-vrf)#rd 100:2

Router-PE2(config-vrf)#route-target export 100:2

Router-PE2(config-vrf)#route-target import 100:2

Router-PE2(config-vrf)#exit

Router-PE2(config)#interface FastEthernet0/0.2

Router-PE2(config-if)#description Connection to customer A, site 2

Router-PE2(config-if)#encapsulation dot1Q 102

Router-PE2(config-if)#ip vrf forwarding NetworkA

Router-PE2(config-if)#ip address 192.168.3.1 255.255.255.0

Router-PE2(config-if)#exit

Router-PE2(config)#router bgp 100

Router-PE2(config-router)#bgp log-neighbor-changes

Router-PE2(config-router)#neighbor 10.0.0.2 remote-as 100

Router-PE2(config-router)#neighbor 10.0.0.2 update-source Loopback0

Router-PE2(config-router)#neighbor 10.0.0.3 remote-as 100

Router-PE2(config-router)#neighbor 10.0.0.3 update-source Loopback0

Router-PE2(config-router)#address-family ipv4 vrf NetworkA

Router-PE2(config-router-af)#no auto-summary

Router-PE2(config-router-af)#no synchronization

Router-PE2(config-router-af)#redistribute connected

Router-PE2(config-router-af)#exit-address-family

Router-PE2(config-router)#address-family vpnv4

Router-PE2(config-router-af)#neighbor 10.0.0.2 activate

Router-PE2(config-router-af)#neighbor 10.0.0.2 send-community extended

Router-PE2(config-router-af)#neighbor 10.0.0.3 activate

Router-PE2(config-router-af)#neighbor 10.0.0.3 send-community extended

Router-PE2(config-router-af)#exit-address-family

Router-PE2(config-router)#exit

Router-PE2(config)#end

Router-PE2#

Router-PE3#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router-PE3(config)#ip cef

Router-PE3(config)#mpls ip

Router-PE3(config)#interface Serial0/0

Router-PE3(config-if)#description Connection to Router-P1

Router-PE3(config-if)#ip address 10.1.1.9 255.255.255.252

Router-PE3(config-if)#mpls ip

Router-PE3(config-if)#exit

Router-PE3(config)#interface Loopback0

Router-PE3(config-if)#ip address 10.0.0.3 255.255.255.255

Router-PE3(config-if)#exit

Router-PE3(config)#router ospf 99

Router-PE3(config-router)#router-id 10.0.0.3

Router-PE3(config-router)#network 10.0.0.0 0.255.255.255 area 0

Router-PE3(config-router)#exit

Router-PE3(config)#ip vrf NetworkA

Router-PE3(config-vrf)#rd 100:1

Router-PE3(config-vrf)#route-target export 100:1

Router-PE3(config-vrf)#route-target import 100:1

Router-PE3(config-vrf)#exit

Router-PE3(config)#ip vrf NetworkB

Router-PE3(config-vrf)#rd 100:2

Router-PE3(config-vrf)#route-target export 100:2

Router-PE3(config-vrf)#route-target import 100:2

Router-PE3(config-vrf)#exit

Router-PE3(config)#interface Ethernet0/0

Router-PE3(config-if)#description connection to customer A, site 3

Router-PE3(config-if)#ip vrf forwarding NetworkA

Router-PE3(config-if)#ip address 192.168.2.1 255.255.255.0

Router-PE3(config-if)#exit

Router-PE3(config)#interface Ethernet0/1

Router-PE3(config-if)#description connection to customer B, site 2

Router-PE3(config-if)#ip vrf forwarding NetworkB

Router-PE3(config-if)#ip address 192.168.10.1 255.255.255.0

Router-PE3(config-if)#exit

Router-PE3(config)#router bgp 100

Router-PE3(config-router)#bgp log-neighbor-changes

Router-PE3(config-router)#neighbor 10.0.0.2 remote-as 100

Router-PE3(config-router)#neighbor 10.0.0.2 update-source Loopback0

Router-PE3(config-router)#neighbor 10.0.0.4 remote-as 100

Router-PE3(config-router)#neighbor 10.0.0.4 update-source Loopback0

Router-PE3(config-router)#address-family ipv4 vrf NetworkA

Router-PE3(config-router-af)#no auto-summary

Router-PE3(config-router-af)#no synchronization

Router-PE3(config-router-af)#redistribute connected

Router-PE3(config-router-af)#exit-address-family

Router-PE3(config-router)#address-family ipv4 vrf NetworkB

Router-PE3(config-router-af)#no auto-summary

Router-PE3(config-router-af)#no synchronization

Router-PE3(config-router-af)#redistribute connected

Router-PE3(config-router-af)#exit-address-family

Router-PE3(config-router)#address-family vpnv4

Router-PE3(config-router-af)#neighbor 10.0.0.2 activate

Router-PE3(config-router-af)#neighbor 10.0.0.2 send-community extended

Router-PE3(config-router-af)#neighbor 10.0.0.4 activate

Router-PE3(config-router-af)#neighbor 10.0.0.4 send-community extended

Router-PE3(config-router-af)#exit-address-family

Router-PE3(config-router)#exit

Router-PE3(config)#end

Router-PE3#

Note: A PE router first gets the same basic MPLS configuration as a P router, then a VRF for each of the two customer networks. The rd is the distinguisher MP-BGP attaches when advertising this VRF's routes, and the route target tells MP-BGP which rd shares routes with it. When binding an interface to a VRF, enter the ip vrf forwarding command first and then the IP address; verify with show ip vrf. Then comes the MP-BGP configuration. The biggest difference from ordinary BGP configuration is that send-community extended is mandatory, because VRF membership is carried in that extended community. Two verification commands: show ip route vrf NetworkA and ping vrf NetworkA 192.168.2.9 source 192.168.1.1
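The requirements in the note above can be checked mechanically. The Python script below is an added example (not from the book): it parses an IOS running-config and reports a VRF without rd or route-targets, an interface bound to an undefined VRF, a vpnv4 neighbor activated without send-community extended, and a VRF with no ipv4 vrf address family under BGP. SAMPLE_CONFIG is constructed and seeded with such mistakes.

```python
"""Audit an IOS PE running-config against the MPLS VPN rules in the note
above.  Added example, not the book's code; SAMPLE_CONFIG is constructed
and seeded with mistakes so that every check has something to report."""
import re

SAMPLE_CONFIG = """\
ip vrf NetworkA
 rd 100:1
 route-target export 100:1
 route-target import 100:1
!
ip vrf NetworkB
 rd 100:2
 route-target export 100:2
!
interface Ethernet0/0
 ip vrf forwarding NetworkA
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1
 ip vrf forwarding NetworkC
 ip address 192.168.9.1 255.255.255.0
!
router bgp 100
 neighbor 10.0.0.3 remote-as 100
 neighbor 10.0.0.4 remote-as 100
 address-family vpnv4
  neighbor 10.0.0.3 activate
  neighbor 10.0.0.3 send-community extended
  neighbor 10.0.0.4 activate
 exit-address-family
 address-family ipv4 vrf NetworkA
  redistribute connected
 exit-address-family
!
"""


def parse_sections(text):
    """Split an IOS config into (header, body) blocks: a block starts at a
    non-indented line and holds the indented lines that follow it."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw.startswith(" "):
            sections.append((line, []))
        elif sections:
            sections[-1][1].append(line)
    return sections


def audit_pe_config(text):
    """Return a sorted list of findings; an empty list means every check passed."""
    findings, sections = [], parse_sections(text)
    # ip vrf blocks: rd plus import and export route-targets are mandatory
    vrfs = {h.split()[2]: b for h, b in sections if re.match(r"ip vrf \S+$", h)}
    for name, body in vrfs.items():
        if not any(l.startswith("rd ") for l in body):
            findings.append(f"vrf {name}: missing rd")
        for way in ("export", "import"):
            if not any(l.startswith(f"route-target {way} ") for l in body):
                findings.append(f"vrf {name}: missing route-target {way}")
    # interfaces may only be bound to VRFs that exist
    for header, body in sections:
        if not header.startswith("interface "):
            continue
        for l in body:
            m = re.match(r"ip vrf forwarding (\S+)$", l)
            if m and m.group(1) not in vrfs:
                findings.append(f"{header}: vrf {m.group(1)} is not defined")
    # MP-BGP: activated vpnv4 peers need send-community extended, and every
    # VRF needs its own ipv4 vrf address family
    bgp = next((b for h, b in sections if h.startswith("router bgp ")), None)
    if bgp is None:
        return sorted(findings + ["router bgp: not configured"])
    activated, extcomm, vrf_afs, af = set(), set(), set(), None
    for l in bgp:
        words = l.split()
        if l.startswith("address-family "):
            af = " ".join(words[1:])
            if af.startswith("ipv4 vrf "):
                vrf_afs.add(words[3])
        elif l == "exit-address-family":
            af = None
        elif af == "vpnv4" and l.startswith("neighbor "):
            peer, rest = words[1], " ".join(words[2:])
            if rest == "activate":
                activated.add(peer)
            elif rest == "send-community extended":
                extcomm.add(peer)
    for peer in activated - extcomm:
        findings.append(f"vpnv4 neighbor {peer}: missing send-community extended")
    for name in vrfs:
        if name not in vrf_afs:
            findings.append(f"vrf {name}: no address-family ipv4 vrf under router bgp")
    return sorted(findings)
```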

26.3. Configuring a basic MPLS CE router

Problem: Configure the edge router of a customer network

Solution

Router-CE-A1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router-CE-A1(config)#interface FastEthernet0/0.1

Router-CE-A1(config-if)#encapsulation dot1Q 101

Router-CE-A1(config-if)#ip address 192.168.1.5 255.255.255.0

Router-CE-A1(config-if)#exit

Router-CE-A1(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.1

Router-CE-A1(config)# exit

Router-CE-A1#

Note: The CE router needs no special configuration, only a route into the MPLS network. A static route is used here, but any dynamic routing protocol would do as well, so that the two different sites can exchange their routing tables.

26.4. Configuring MPLS over an ATM network

Problem: Configure MPLS running over an ATM network

Solution

Depending on the capabilities of the ATM switch there are roughly two configurations. In the first, the switch does not take part in MPLS and only performs basic cell relay:

Router-PE1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router-PE1(config)#ip cef

Router-PE1(config)#mpls ip

Router-PE1(config)#interface ATM1/0

Router-PE1(config-if)#no ip address

Router-PE1(config-if)#exit

Router-PE1(config)#interface ATM1/0.1 mpls

Router-PE1(config-if)#ip address 10.1.1.2 255.255.255.252

Router-PE1(config-if)#mpls ip

Router-PE1(config-if)#exit

Router-PE1(config)#end

Router-PE1#

Router-PE3#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router-PE3(config)#ip cef

Router-PE3(config)#mpls ip

Router-PE3(config)#interface ATM1/0

Router-PE3(config-if)#no ip address

Router-PE3(config-if)#exit

Router-PE3(config)#interface ATM1/0.1 mpls

Router-PE3(config-if)#ip address 10.1.1.1 255.255.255.252

Router-PE3(config-if)#mpls ip

Router-PE3(config-if)#exit

Router-PE3(config)#end

Router-PE3#

The ATM switch needs two PVCs: one for the control VC and one for the data VC:

Switch-P2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Switch-P2(config)#interface ATM0/1/2

Switch-P2(config-if)#no ip address

Switch-P2(config-if)#exit

Switch-P2(config)#interface ATM0/1/3

Switch-P2(config-if)#no ip address

Switch-P2(config-if)#atm pvc 0 32 interface ATM0/1/2 0 32

Switch-P2(config-if)#atm pvc 1 33 interface ATM0/1/2 1 33

Switch-P2(config-if)#exit

Switch-P2(config)#end

Switch-P2#

In the second, a newer ATM switch can take part in MPLS packet forwarding much like a P router:

Router-PE1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router-PE1(config)#ip cef

Router-PE1(config)#mpls ip

Router-PE1(config)#interface ATM1/0

Router-PE1(config-if)#no ip address

Router-PE1(config-if)#exit

Router-PE1(config)#interface ATM1/0.1 mpls

Router-PE1(config-if)#ip address 10.1.1.2 255.255.255.252

Router-PE1(config-if)#mpls ip

Router-PE1(config-if)#exit

Router-PE1(config)#end

Router-PE1#

Router-PE3#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router-PE3(config)#ip cef

Router-PE3(config)#mpls ip

Router-PE3(config)#interface ATM1/0

Router-PE3(config-if)#no ip address

Router-PE3(config-if)#exit

Router-PE3(config)#interface ATM1/0.1 mpls

Router-PE3(config-if)#ip address 10.1.1.6 255.255.255.252

Router-PE3(config-if)#mpls ip

Router-PE3(config-if)#exit

Router-PE3(config)#end

Router-PE3#

Switch-P2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Switch-P2(config)#ip cef

Switch-P2(config)#mpls ip

Switch-P2(config)#interface ATM0/1/2

Switch-P2(config-if)#ip address 10.1.1.5 255.255.255.252

Switch-P2(config-if)#mpls ip

Switch-P2(config-if)#exit

Switch-P2(config)#interface ATM0/1/3

Switch-P2(config-if)#ip address 10.1.1.1 255.255.255.252

Switch-P2(config-if)#mpls ip

Switch-P2(config-if)#exit

Switch-P2(config)#interface Loopback0

Switch-P2(config-if)#ip address 10.0.0.1 255.255.255.255

Switch-P2(config-if)#exit

Switch-P2(config)#router ospf 99

Switch-P2(config-router)#router-id 10.0.0.1

Switch-P2(config-router)#network 10.0.0.0 0.255.255.255 area 0

Switch-P2(config-router)#exit

Switch-P2(config)#end

Switch-P2#

Note: The configuration shown here is incomplete; only the ATM-related parts are given. The first approach scales poorly because of the per-VC configuration, whereas the second participates in the IGP and therefore scales better.

26.5. Running RIP between PE and CE

Problem: Enable RIP routing between the PE and CE routers

Solution

Router-CE-A2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router-CE-A2(config)#router rip

Router-CE-A2(config-router)#version 2

Router-CE-A2(config-router)#network 10.0.0.0

Router-CE-A2(config-router)#network 192.168.3.0

Router-CE-A2(config-router)#end

Router-CE-A2#

Router-PE2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router-PE2(config)#router rip

Router-PE2(config-router)#version 2

Router-PE2(config-router)#address-family ipv4 vrf NetworkA

Router-PE2(config-router-af)#version 2

Router-PE2(config-router-af)#redistribute bgp 100 metric 4

Router-PE2(config-router-af)#network 192.168.3.0

Router-PE2(config-router-af)#exit-address-family

Router-PE2(config-router)#exit

Router-PE2(config)#router bgp 100

Router-PE2(config-router)#address-family ipv4 vrf NetworkA

Router-PE2(config-router-af)#redistribute rip metric 4

Router-PE2(config-router-af)#end

Router-PE2#

Note: RIP is not enabled globally here but only under the specific VRF, via address-family ipv4 vrf NetworkA; redistribution between RIP and MP-BGP must also be configured. Unlike conventional redistribution, routes redistributed into the IGP are not marked as external routes.

26.6. Running OSPF between PE and CE

Problem: Enable OSPF routing between the PE and CE routers

Solution

The CE routers at the two different sites:

Router-CE-A1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router-CE-A1(config)#router ospf 55

Router-CE-A1(config-router)#network 192.168.1.0 0.0.0.255 area 0

Router-CE-A1(config-router)#network 192.168.5.0 0.0.0.255 area 0

Router-CE-A1(config-router)#end

Router-CE-A1#

Router-CE-A2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router-CE-A2(config)#router ospf 55

Router-CE-A2(config-router)#network 192.168.3.0 0.0.0.255 area 0

Router-CE-A2(config-router)#end

Router-CE-A2#

The PE routers for the two corresponding sites:

Router-PE1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router-PE1(config)#router ospf 155 vrf NetworkA

Router-PE1(config-router)#redistribute bgp 100 subnets

Router-PE1(config-router)#network 192.168.1.0 0.0.0.255 area 0

Router-PE1(config-router)#exit

Router-PE1(config)#router bgp 100

Router-PE1(config-router)#address-family ipv4 vrf NetworkA

Router-PE1(config-router-af)#redistribute ospf 155

Router-PE1(config-router-af)#exit-address-family

Router-PE1(config-router)#end

Router-PE1#

Router-PE2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router-PE2(config)#router ospf 155 vrf NetworkA

Router-PE2(config-router)#redistribute bgp 100 subnets

Router-PE2(config-router)#network 192.168.3.0 0.0.0.255 area 0

Router-PE2(config-router)#exit

Router-PE2(config)#router bgp 100

Router-PE2(config-router)#address-family ipv4 vrf NetworkA

Router-PE2(config-router-af)#redistribute ospf 155

Router-PE2(config-router-af)#exit-address-family

Router-PE2(config-router)#end

Router-PE2#

Note: Only the routing-related configuration is shown; the rest is omitted. Since IOS 12.2(8)T the sham-link feature, which works like a virtual link, changes the OSPF route entries from inter-area routes into intra-area routes:

Router-PE1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router-PE1(config)#interface Loopback155

Router-PE1(config-if)#ip vrf forwarding NetworkA

Router-PE1(config-if)#ip address 192.168.155.1 255.255.255.255

Router-PE1(config-if)#exit

Router-PE1(config)#router ospf 155 vrf NetworkA

Router-PE1(config-router)#area 0 sham-link 192.168.155.1 192.168.155.2 cost 10

Router-PE1(config-router)#redistribute bgp 100 subnets

Router-PE1(config-router)#network 192.168.1.0 0.0.0.255 area 0

Router-PE1(config-router)#end

Router-PE1#

Router-PE2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router-PE2(config)#interface Loopback155

Router-PE2(config-if)#ip vrf forwarding NetworkA

Router-PE2(config-if)#ip address 192.168.155.2 255.255.255.255

Router-PE2(config-if)#exit

Router-PE2(config)#router ospf 155 vrf NetworkA

Router-PE2(config-router)#area 0 sham-link 192.168.155.2 192.168.155.1 cost 10

Router-PE2(config-router)#redistribute bgp 100 subnets

Router-PE2(config-router)#network 192.168.3.0 0.0.0.255 area 0

Router-PE2(config-router)#end

Router-PE2#

26.7. Running EIGRP between PE and CE

Problem: Enable EIGRP routing between the PE and CE routers

Solution

Router-CE-A1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router-CE-A1(config)#router eigrp 156

Router-CE-A1(config-router)#network 192.168.1.0

Router-CE-A1(config-router)#network 192.168.5.0

Router-CE-A1(config-router)#no auto-summary

Router-CE-A1(config-router)#end

Router-CE-A1#

Router-CE-A2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router-CE-A2(config)#router eigrp 156

Router-CE-A2(config-router)#network 10.0.0.0

Router-CE-A2(config-router)#network 192.168.3.0

Router-CE-A2(config-router)#no auto-summary

Router-CE-A2(config-router)#end

Router-CE-A2#

Router-PE1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router-PE1(config)#router eigrp 1001

Router-PE1(config-router)#no auto-summary

Router-PE1(config-router)#address-family ipv4 vrf NetworkA

Router-PE1(config-router-af)#redistribute bgp 100 metric 10000 10 255 1 1500

Router-PE1(config-router-af)#network 192.168.1.0

Router-PE1(config-router-af)#no auto-summary

Router-PE1(config-router-af)#autonomous-system 156

Router-PE1(config-router-af)#exit-address-family

Router-PE1(config-router)#exit

Router-PE1(config)#router bgp 100

Router-PE1(config-router)#address-family ipv4 vrf NetworkA

Router-PE1(config-router-af)#redistribute eigrp 156

Router-PE1(config-router-af)#exit-address-family

Router-PE1(config-router)#exit

Router-PE1(config)#end

Router-PE1#

Router-PE2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router-PE2(config)#router eigrp 1001

Router-PE2(config-router)#no auto-summary

Router-PE2(config-router)#address-family ipv4 vrf NetworkA

Router-PE2(config-router-af)#redistribute bgp 100 metric 10000 10 255 1 1500

Router-PE2(config-router-af)#network 192.168.3.0

Router-PE2(config-router-af)#no auto-summary

Router-PE2(config-router-af)#autonomous-system 156

Router-PE2(config-router-af)#exit-address-family

Router-PE2(config-router)#end

Router-PE2#

Note: The autonomous-system configured under the VRF address family and the AS named in the corresponding redistribute command must match between PE and CE; the PE therefore carries two EIGRP AS numbers here.

26.8. Running BGP between PE and CE

Problem: Enable BGP routing between the PE and CE routers

Solution

Router-CE-A1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router-CE-A1(config)#router bgp 65535

Router-CE-A1(config-router)#neighbor 192.168.1.1 remote-as 100

Router-CE-A1(config-router)#redistribute ospf 155

Router-CE-A1(config-router)#no synchronization

Router-CE-A1(config-router)#no auto-summary

Router-CE-A1(config-router)#exit

Router-CE-A1(config)#router ospf 155

Router-CE-A1(config-router)#redistribute bgp 65535 subnets

Router-CE-A1(config-router)#network 192.168.5.0 0.0.0.255 area 0

Router-CE-A1(config-router)#end

Router-CE-A1#

Router-CE-A2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router-CE-A2(config)#router bgp 65534

Router-CE-A2(config-router)#neighbor 192.168.3.1 remote-as 100

Router-CE-A2(config-router)#network 10.8.8.0 mask 255.255.255.0

Router-CE-A2(config-router)#network 192.168.3.0

Router-CE-A2(config-router)#no synchronization

Router-CE-A2(config-router)#no auto-summary

Router-CE-A2(config-router)#end

Router-CE-A2#

Router-PE1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router-PE1(config)#router bgp 100

Router-PE1(config-router)#address-family ipv4 vrf NetworkA

Router-PE1(config-router-af)#neighbor 192.168.1.5 remote-as 65535

Router-PE1(config-router-af)#neighbor 192.168.1.5 activate

Router-PE1(config-router-af)#end

Router-PE1#

Router-PE2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router-PE2(config)#router bgp 100

Router-PE2(config-router)#address-family ipv4 vrf NetworkA

Router-PE2(config-router-af)#neighbor 192.168.3.8 remote-as 65534

Router-PE2(config-router-af)#neighbor 192.168.3.8 activate

Router-PE2(config-router-af)#end

Router-PE2#

Note: This is still not the full configuration. With BGP no redistribution needs to be configured, but few service providers support BGP peering with customer networks.

26.9. QoS over MPLS

Problem: Configure QoS support over MPLS

Solution

Router-PE1#configure terminal

Router-PE1(config)#class-map match-any med-priority

Router-PE1(config-cmap)#match precedence 1

Router-PE1(config-cmap)#match precedence 2

Router-PE1(config-cmap)#exit

Router-PE1(config)#class-map match-any high-priority

Router-PE1(config-cmap)#match precedence 3

Router-PE1(config-cmap)#match precedence 4

Router-PE1(config-cmap)#match precedence 5

Router-PE1(config-cmap)#exit

Router-PE1(config)#class-map match-any realtime-priority

Router-PE1(config-cmap)#match precedence 6

Router-PE1(config-cmap)#match dscp ef

Router-PE1(config-cmap)#exit

Router-PE1(config)#policy-map MPLS-priority

Router-PE1(config-pmap)#class realtime-priority

Router-PE1(config-pmap-c)#priority percent 10

Router-PE1(config-pmap-c)#set mpls experimental topmost 3

Router-PE1(config-pmap-c)#exit

Router-PE1(config-pmap)#class high-priority

Router-PE1(config-pmap-c)#bandwidth percent 10

Router-PE1(config-pmap-c)#queue-limit 20

Router-PE1(config-pmap-c)#set mpls experimental topmost 2

Router-PE1(config-pmap-c)#exit

Router-PE1(config-pmap)#class med-priority

Router-PE1(config-pmap-c)#bandwidth percent 15

Router-PE1(config-pmap-c)#queue-limit 50

Router-PE1(config-pmap-c)#set mpls experimental topmost 1

Router-PE1(config-pmap-c)#exit

Router-PE1(config-pmap)#class class-default

Router-PE1(config-pmap-c)#bandwidth percent 40

Router-PE1(config-pmap-c)#random-detect

Router-PE1(config-pmap-c)#set mpls experimental topmost 0

Router-PE1(config-pmap-c)#exit

Router-PE1(config-pmap)#exit

Router-PE1(config)#interface Serial0/0

Router-PE1(config-if)#service-policy output MPLS-priority

Router-PE1(config-if)#exit

Router-PE1(config)#end

Router-PE1#

Router-P1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router-P1(config)#class-map match-any med-priority

Router-P1(config-cmap)#match mpls experimental topmost 1

Router-P1(config-cmap)#exit

Router-P1(config)#class-map match-any high-priority

Router-P1(config-cmap)#match mpls experimental topmost 2

Router-P1(config-cmap)#exit

Router-P1(config)#class-map match-any realtime-priority

Router-P1(config-cmap)#match mpls experimental topmost 3

Router-P1(config-cmap)#exit

Router-P1(config)#policy-map MPLS-priority

Router-P1(config-pmap)#class realtime-priority

Router-P1(config-pmap-c)#priority percent 10

Router-P1(config-pmap-c)#exit

Router-P1(config-pmap)#class high-priority

Router-P1(config-pmap-c)#bandwidth percent 10

Router-P1(config-pmap-c)#queue-limit 20

Router-P1(config-pmap-c)#exit

Router-P1(config-pmap)#class med-priority

Router-P1(config-pmap-c)#bandwidth percent 15

Router-P1(config-pmap-c)#queue-limit 50

Router-P1(config-pmap-c)#exit

Router-P1(config-pmap)#class class-default

Router-P1(config-pmap-c)#bandwidth percent 40

Router-P1(config-pmap-c)#random-detect

Router-P1(config-pmap-c)#exit

Router-P1(config-pmap)#exit

Router-P1(config)#interface FastEthernet0/0

Router-P1(config-if)#service-policy output MPLS-priority

Router-P1(config-if)#exit

Router-P1(config)#end

Router-P1#

Note: Simply put, the PE translates between the DSCP or IP precedence bits of the customer's packets and the MPLS EXP bits; EXP currently supports only four packet classes. A very useful verification command:

Router-P1#show policy interface FastEthernet0/0

FastEthernet0/0



Service-policy output: MPLS-priority



Class-map: realtime-priority (match-any)

0 packets, 0 bytes

5 minute offered rate 0 bps, drop rate 0 bps

Match: mpls experimental topmost 3

0 packets, 0 bytes

5 minute rate 0 bps

Queueing

Strict Priority

Output Queue: Conversation 264

Bandwidth 10 (%)

Bandwidth 10000 (kbps) Burst 250000 (Bytes)

(pkts matched/bytes matched) 0/0

(total drops/bytes drops) 0/0
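To see which EXP value the Router-PE1 policy-map above assigns for a given customer DSCP, here is an added Python example (not the book's code) that walks the classes in policy-map order, as IOS does. PE_QOS_CONFIG is a constructed copy of the page's class-maps and policy-map, and DSCP_NAMES is a small lookup assumed for the example.

```python
"""Work out which EXP value the Router-PE1 policy-map above stamps on a
customer packet for a given DSCP, walking the classes in policy-map order
as IOS does.  Added example, not the book's code: PE_QOS_CONFIG is a
constructed copy of the page's class-maps and policy-map, and only the
match/set forms used there are parsed."""
import re

PE_QOS_CONFIG = """\
class-map match-any med-priority
 match precedence 1
 match precedence 2
class-map match-any high-priority
 match precedence 3
 match precedence 4
 match precedence 5
class-map match-any realtime-priority
 match precedence 6
 match dscp ef
policy-map MPLS-priority
 class realtime-priority
  priority percent 10
  set mpls experimental topmost 3
 class high-priority
  bandwidth percent 10
  set mpls experimental topmost 2
 class med-priority
  bandwidth percent 15
  set mpls experimental topmost 1
 class class-default
  bandwidth percent 40
  set mpls experimental topmost 0
"""

DSCP_NAMES = {"ef": 46, "cs6": 48, "cs7": 56}  # the few names this example resolves


def parse_qos(config):
    """Return (class_maps, policy): class name -> list of ('precedence', n) or
    ('dscp', n) matches, and the ordered list of (class name, exp) to set."""
    class_maps, policy, current = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("class-map "):
            current = class_maps.setdefault(line.split()[-1], [])
        elif line.startswith("policy-map "):
            current = None          # class statements from here on belong to the policy
        elif line.startswith("match precedence ") and current is not None:
            current.append(("precedence", int(line.split()[-1])))
        elif line.startswith("match dscp ") and current is not None:
            name = line.split()[-1]
            current.append(("dscp", int(name) if name.isdigit() else DSCP_NAMES[name]))
        elif re.match(r"class \S+$", line):
            policy.append([line.split()[1], None])
        elif line.startswith("set mpls experimental topmost ") and policy:
            policy[-1][1] = int(line.split()[-1])
    return class_maps, [tuple(p) for p in policy]


def exp_for_dscp(dscp, class_maps, policy):
    """Return (class name, exp) for a packet carrying DSCP 0-63; the IP
    precedence IOS matches on is the top three bits of the DSCP field."""
    precedence = dscp >> 3
    for name, exp in policy:
        if name == "class-default":
            return name, exp
        for kind, value in class_maps.get(name, []):
            if value == (precedence if kind == "precedence" else dscp):
                return name, exp
    return "class-default", None    # no explicit class-default: nothing is set


def exp_table(config):
    """Map every DSCP value to the EXP the policy would set (None = not set)."""
    class_maps, policy = parse_qos(config)
    return {d: exp_for_dscp(d, class_maps, policy)[1] for d in range(64)}
```

Run against the page's policy, the table shows that precedence 7 traffic (DSCP 56-63) is caught by class-default and marked EXP 0, because none of the three classes matches it.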

26.10. Autoroute and MPLS traffic engineering

Problem: Use the autoroute feature to maintain traffic-engineering paths in the MPLS network automatically

Solution

Router-PE1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router-PE1(config)#mpls traffic-eng tunnels

Router-PE1(config)#interface Loopback0

Router-PE1(config-if)#ip address 10.0.0.2 255.255.255.255

Router-PE1(config-if)#exit

Router-PE1(config)#interface Tunnel11

Router-PE1(config-if)#ip unnumbered Loopback0

Router-PE1(config-if)#tunnel destination 10.0.0.3

Router-PE1(config-if)#tunnel mode mpls traffic-eng

Router-PE1(config-if)#tunnel mpls traffic-eng autoroute announce

Router-PE1(config-if)#tunnel mpls traffic-eng priority 7 7

Router-PE1(config-if)#tunnel mpls traffic-eng bandwidth 256

Router-PE1(config-if)#tunnel mpls traffic-eng path-option 1 explicit name def-PE3

Router-PE1(config-if)#exit

Router-PE1(config)#interface Tunnel12

Router-PE1(config-if)#ip unnumbered Loopback0

Router-PE1(config-if)#tunnel destination 10.0.0.3

Router-PE1(config-if)#tunnel mode mpls traffic-eng

Router-PE1(config-if)#tunnel mpls traffic-eng autoroute announce

Router-PE1(config-if)#tunnel mpls traffic-eng priority 7 7

Router-PE1(config-if)#tunnel mpls traffic-eng bandwidth 256

Router-PE1(config-if)#tunnel mpls traffic-eng path-option 1 explicit name hi-PE3

Router-PE1(config-if)#exit

Router-PE1(config)#interface Serial0/0

Router-PE1(config-if)#ip address 10.1.1.13 255.255.255.252

Router-PE1(config-if)#mpls traffic-eng tunnels

Router-PE1(config-if)#tag-switching ip

Router-PE1(config-if)#ip rsvp bandwidth 512

Router-PE1(config-if)#exit

Router-PE1(config)#interface ATM1/0.1 tag-switching

Router-PE1(config-subif)#ip address 10.1.1.2 255.255.255.252

Router-PE1(config-subif)#mpls traffic-eng tunnels

Router-PE1(config-subif)#tag-switching ip

Router-PE1(config-subif)#ip rsvp bandwidth 4000

Router-PE1(config-subif)#exit

Router-PE1(config)#router ospf 99

Router-PE1(config-router)#router-id 10.0.0.2

Router-PE1(config-router)#log-adjacency-changes

Router-PE1(config-router)#network 10.0.0.0 0.255.255.255 area 0

Router-PE1(config-router)#mpls traffic-eng router-id Loopback0

Router-PE1(config-router)#mpls traffic-eng area 0

Router-PE1(config-router)#exit

Router-PE1(config)#ip explicit-path name def-PE3 enable

Router-PE1(cfg-ip-expl-path)#next-address 10.1.1.14

Explicit Path name def-PE3:

1: next-address 10.1.1.14

Router-PE1(cfg-ip-expl-path)#next-address 10.1.1.9

Explicit Path name def-PE3:

1: next-address 10.1.1.14

2: next-address 10.1.1.9

Router-PE1(cfg-ip-expl-path)#exit

Router-PE1(config)#ip explicit-path name hi-PE3 enable

Router-PE1(cfg-ip-expl-path)#next-address 10.1.1.1

Explicit Path name hi-PE3:

1: next-address 10.1.1.1

Router-PE1(cfg-ip-expl-path)#next-address 10.1.1.6

Explicit Path name hi-PE3:

1: next-address 10.1.1.1

2: next-address 10.1.1.6

Router-PE1(cfg-ip-expl-path)#exit

Router-PE1(config)#end

Router-PE1#

Router-PE3#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router-PE3(config)#mpls traffic-eng tunnels

Router-PE3(config)#interface Loopback0

Router-PE3(config-if)#ip address 10.0.0.3 255.255.255.255

Router-PE3(config-if)#exit

Router-PE3(config)#interface Tunnel11

Router-PE3(config-if)#ip unnumbered Loopback0

Router-PE3(config-if)#tunnel destination 10.0.0.2

Router-PE3(config-if)#tunnel mode mpls traffic-eng

Router-PE3(config-if)#tunnel mpls traffic-eng autoroute announce

Router-PE3(config-if)#tunnel mpls traffic-eng priority 7 7

Router-PE3(config-if)#tunnel mpls traffic-eng bandwidth 256

Router-PE3(config-if)#tunnel mpls traffic-eng path-option 1 explicit name def-PE1

Router-PE3(config-if)#exit

Router-PE3(config)#interface Tunnel12

Router-PE3(config-if)#ip unnumbered Loopback0

Router-PE3(config-if)#tunnel destination 10.0.0.2

Router-PE3(config-if)#tunnel mode mpls traffic-eng

Router-PE3(config-if)#tunnel mpls traffic-eng autoroute announce

Router-PE3(config-if)#tunnel mpls traffic-eng priority 7 7

Router-PE3(config-if)#tunnel mpls traffic-eng bandwidth 256

Router-PE3(config-if)#tunnel mpls traffic-eng path-option 1 explicit name hi-PE1

Router-PE3(config-if)#exit

Router-PE3(config)#interface Serial0/0

Router-PE3(config-if)#ip address 10.1.1.9 255.255.255.252

Router-PE3(config-if)#mpls traffic-eng tunnels

Router-PE3(config-if)#tag-switching ip

Router-PE3(config-if)#ip rsvp bandwidth 512

Router-PE3(config-if)#exit

Router-PE3(config)#interface ATM1/0.1 tag-switching

Router-PE3(config-subif)#ip address 10.1.1.6 255.255.255.252

Router-PE3(config-subif)#mpls traffic-eng tunnels

Router-PE3(config-subif)#tag-switching ip

Router-PE3(config-subif)#ip rsvp bandwidth 4000

Router-PE3(config-subif)#exit

Router-PE3(config)#router ospf 99

Router-PE3(config-router)#router-id 10.0.0.3

Router-PE3(config-router)#log-adjacency-changes

Router-PE3(config-router)#network 10.0.0.0 0.255.255.255 area 0

Router-PE3(config-router)#mpls traffic-eng router-id Loopback0

Router-PE3(config-router)#mpls traffic-eng area 0

Router-PE3(config-router)#exit

Router-PE3(config)#ip explicit-path name def-PE1 enable

Router-PE3(cfg-ip-expl-path)#next-address 10.1.1.10

Explicit Path name def-PE1:

1: next-address 10.1.1.10

Router-PE3(cfg-ip-expl-path)#next-address 10.1.1.13

Explicit Path name def-PE1:

1: next-address 10.1.1.10

2: next-address 10.1.1.13

Router-PE3(cfg-ip-expl-path)#exit

Router-PE3(config)#ip explicit-path name hi-PE1 enable

Router-PE3(cfg-ip-expl-path)#next-address 10.1.1.5

Explicit Path name hi-PE1:

1: next-address 10.1.1.5

Router-PE3(cfg-ip-expl-path)#next-address 10.1.1.2

Explicit Path name hi-PE1:

1: next-address 10.1.1.5

2: next-address 10.1.1.2

Router-PE3(cfg-ip-expl-path)#exit

Router-PE3(config)#end

Router-PE3#

Router-P1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router-P1(config)#mpls traffic-eng tunnels

Router-P1(config)#interface Loopback0

Router-P1(config-if)#ip address 10.0.0.11 255.255.255.255

Router-P1(config-if)#exit

Router-P1(config)#interface Serial0/0

Router-P1(config-if)#ip address 10.1.1.14 255.255.255.252

Router-P1(config-if)#tag-switching ip

Router-P1(config-if)#mpls traffic-eng tunnels

Router-P1(config-if)#ip rsvp bandwidth 512

Router-P1(config-if)#exit

Router-P1(config)#interface Serial0/1

Router-P1(config-if)#ip address 10.1.1.10 255.255.255.252

Router-P1(config-if)#tag-switching ip

Router-P1(config-if)#mpls traffic-eng tunnels

Router-P1(config-if)#ip rsvp bandwidth 512

Router-P1(config-if)#exit

Router-P1(config)#router ospf 99

Router-P1(config-router)#router-id 10.0.0.11

Router-P1(config-router)#log-adjacency-changes

Router-P1(config-router)#network 10.0.0.0 0.255.255.255 area 0

Router-P1(config-router)#mpls traffic-eng router-id Loopback0

Router-P1(config-router)#mpls traffic-eng area 0

Router-P1(config-router)#exit

Router-P1(config)#end

Router-P1#

Note: Very complicated, I still haven't quite understood it

26.11. Multicast over MPLS

Problem: Configure MPLS network support for customer multicast

Solution

Router-C-An#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router-C-An(config)#ip multicast-routing

Router-C-An(config)#interface FastEthernet0/0

Router-C-An(config-if)#ip address 192.168.5.12 255.255.255.0

Router-C-An(config-if)#ip pim sparse-dense-mode

Router-C-An(config-if)#exit

Router-C-An(config)#end

Router-C-An#

Router-CE-A1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router-CE-A1(config)#ip multicast-routing

Router-CE-A1(config)#interface FastEthernet0/0.1

Router-CE-A1(config-subif)#encapsulation dot1Q 101

Router-CE-A1(config-subif)#ip address 192.168.1.5 255.255.255.0

Router-CE-A1(config-subif)#ip pim sparse-dense-mode

Router-CE-A1(config-subif)#exit

Router-CE-A1(config)#interface FastEthernet0/0.2

Router-CE-A1(config-subif)#encapsulation dot1Q 111

Router-CE-A1(config-subif)#ip address 192.168.5.1 255.255.255.0

Router-CE-A1(config-subif)#ip pim sparse-dense-mode

Router-CE-A1(config-subif)#exit

Router-CE-A1(config)#end

Router-CE-A1#

Router-CE-A2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router-CE-A2(config)#ip multicast-routing

Router-CE-A2(config)#interface Loopback0

Router-CE-A2(config-if)#ip address 10.8.8.8 255.255.255.255

Router-CE-A2(config-if)#ip pim sparse-dense-mode

Router-CE-A2(config-if)#ip igmp join-group 239.1.1.1

Router-CE-A2(config-if)#exit

Router-CE-A2(config)#interface Ethernet0

Router-CE-A2(config-if)#ip address 192.168.3.8 255.255.255.0

Router-CE-A2(config-if)#ip pim sparse-dense-mode

Router-CE-A2(config-if)#exit

Router-CE-A2(config)#end

Router-CE-A2#

Router-PE1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router-PE1(config)#ip multicast-routing

Router-PE1(config)#interface Loopback0

Router-PE1(config-if)#ip address 10.0.0.2 255.255.255.255

Router-PE1(config-if)#ip pim sparse-dense-mode

Router-PE1(config-if)#exit

Router-PE1(config)#interface Serial0/0

Router-PE1(config-if)#ip address 10.1.1.13 255.255.255.252

Router-PE1(config-if)#ip pim sparse-dense-mode

Router-PE1(config-if)#tag-switching ip

Router-PE1(config-if)#exit

Router-PE1(config)#ip multicast-routing vrf NetworkA

Router-PE1(config)#ip vrf NetworkA

Router-PE1(config-vrf)#rd 100:1

Router-PE1(config-vrf)#route-target export 100:1

Router-PE1(config-vrf)#route-target import 100:1

Router-PE1(config-vrf)#mdt default 239.100.100.1

Router-PE1(config-vrf)#exit

Router-PE1(config)#interface Loopback155

Router-PE1(config-if)#ip vrf forwarding NetworkA

Router-PE1(config-if)#ip address 192.168.155.1 255.255.255.255

Router-PE1(config-if)#ip pim sparse-dense-mode

Router-PE1(config-if)#exit

Router-PE1(config)#interface Ethernet0/0

Router-PE1(config-if)#description connection to customer A, site 1

Router-PE1(config-if)#ip vrf forwarding NetworkA

Router-PE1(config-if)#ip address 192.168.1.1 255.255.255.0

Router-PE1(config-if)#ip pim sparse-dense-mode

Router-PE1(config-if)#exit

Router-PE1(config)#ip pim vrf NetworkA send-rp-announce Loopback155 scope 15

Router-PE1(config)#ip pim vrf NetworkA send-rp-discovery Loopback155 scope 15

Router-PE1(config)#end

Router-PE1#

Router-PE2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router-PE2(config)#ip multicast-routing

Router-PE2(config)#interface Loopback0

Router-PE2(config-if)#ip address 10.0.0.4 255.255.255.255

Router-PE2(config-if)#ip pim sparse-dense-mode

Router-PE2(config-if)#exit

Router-PE2(config)#interface FastEthernet0/0.1

Router-PE2(config-subif)#encapsulation dot1Q 10

Router-PE2(config-subif)#ip address 10.1.2.4 255.255.255.0

Router-PE2(config-subif)#ip pim sparse-dense-mode

Router-PE2(config-subif)#tag-switching ip

Router-PE2(config-subif)#exit

Router-PE2(config)#ip multicast-routing vrf NetworkA

Router-PE2(config)#ip vrf NetworkA

Router-PE2(config-vrf)#rd 100:1

Router-PE2(config-vrf)#route-target export 100:1

Router-PE2(config-vrf)#route-target import 100:1

Router-PE2(config-vrf)#mdt default 239.100.100.1

Router-PE2(config-vrf)#exit

Router-PE2(config)#interface Loopback155

Router-PE2(config-if)#ip vrf forwarding NetworkA

Router-PE2(config-if)#ip address 192.168.155.2 255.255.255.255

Router-PE2(config-if)#ip pim sparse-dense-mode

Router-PE2(config-if)#exit

Router-PE2(config)#interface FastEthernet0/0.2

Router-PE2(config-subif)#encapsulation dot1Q 102

Router-PE2(config-subif)#ip vrf forwarding NetworkA

Router-PE2(config-subif)#ip address 192.168.3.1 255.255.255.0

Router-PE2(config-subif)#ip pim sparse-dense-mode

Router-PE2(config-subif)#exit

Router-PE2(config)#end

Router-PE2#

Router-P1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router-P1(config)#ip multicast-routing

Router-P1(config)#interface FastEthernet0/0

Router-P1(config-if)#ip address 10.1.2.11 255.255.255.0

Router-P1(config-if)#ip pim sparse-dense-mode

Router-P1(config-if)#tag-switching ip

Router-P1(config-if)#exit

Router-P1(config)#interface Serial0/0

Router-P1(config-if)#ip address 10.1.1.14 255.255.255.252

Router-P1(config-if)#ip pim sparse-dense-mode

Router-P1(config-if)#tag-switching ip

Router-P1(config-if)#exit

Router-P1(config)#interface Serial0/1

Router-P1(config-if)#ip address 10.1.1.10 255.255.255.252

Router-P1(config-if)#ip pim sparse-dense-mode

Router-P1(config-if)#tag-switching ip

Router-P1(config-if)#exit

Router-P1(config)#end

Router-P1#

Notes: none

26.12. What the provider cannot do, I can

Question: Use other means to implement features the carrier cannot provide

Answer

Router-CE-A1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router-CE-A1(config)#ip multicast-routing

Router-CE-A1(config)#interface FastEthernet0/0.1

Router-CE-A1(config-if)#encapsulation dot1Q 101

Router-CE-A1(config-if)#ip address 192.168.1.5 255.255.255.0

Router-CE-A1(config-if)#exit

Router-CE-A1(config)#interface Loopback1

Router-CE-A1(config-if)#ip address 192.168.101.1 255.255.255.255

Router-CE-A1(config-if)#exit

Router-CE-A1(config)#interface Tunnel1

Router-CE-A1(config-if)#ip address 192.168.152.1 255.255.255.252

Router-CE-A1(config-if)#tunnel source 192.168.101.1

Router-CE-A1(config-if)#tunnel destination 192.168.101.2

Router-CE-A1(config-if)#ip pim sparse-dense-mode

Router-CE-A1(config-if)#exit

Router-CE-A1(config)#router bgp 65535

Router-CE-A1(config-router)#neighbor 192.168.1.1 remote-as 100

Router-CE-A1(config-router)#network 192.168.1.0

Router-CE-A1(config-router)#network 192.168.101.1 mask 255.255.255.255

Router-CE-A1(config-router)#no synchronization

Router-CE-A1(config-router)#no auto-summary

Router-CE-A1(config-router)#exit

Router-CE-A1(config)#router ospf 155

Router-CE-A1(config-router)#network 192.168.5.0 0.0.0.255 area 0

Router-CE-A1(config-router)#network 192.168.152.0 0.0.0.255 area 0

Router-CE-A1(config-router)#exit

Router-CE-A1(config)#end

Router-CE-A1#

Router-CE-A2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router-CE-A2(config)#ip multicast-routing

Router-CE-A2(config)#interface Ethernet0

Router-CE-A2(config-if)#ip address 192.168.3.8 255.255.255.0

Router-CE-A2(config-if)#exit

Router-CE-A2(config)#interface Loopback1

Router-CE-A2(config-if)#ip address 192.168.101.2 255.255.255.255

Router-CE-A2(config-if)#exit

Router-CE-A2(config)#interface Tunnel1

Router-CE-A2(config-if)#ip address 192.168.152.2 255.255.255.252

Router-CE-A2(config-if)#tunnel source 192.168.101.2

Router-CE-A2(config-if)#tunnel destination 192.168.101.1

Router-CE-A2(config-if)#ip pim sparse-dense-mode

Router-CE-A2(config-if)#exit

Router-CE-A2(config)#router bgp 65534

Router-CE-A2(config-router)#neighbor 192.168.3.1 remote-as 100

Router-CE-A2(config-router)#network 192.168.3.0

Router-CE-A2(config-router)#network 192.168.101.2 mask 255.255.255.0

Router-CE-A2(config-router)#no synchronization

Router-CE-A2(config-router)#no auto-summary

Router-CE-A2(config-router)#exit

Router-CE-A2(config)#router ospf 155

Router-CE-A2(config-router)#network 10.8.8.0 0.0.0.255 area 0

Router-CE-A2(config-router)#network 192.168.152.0 0.0.0.255 area 0

Router-CE-A2(config-router)#exit

Router-CE-A2(config)#end

Router-CE-A2#

Notes: This is only the CE configuration; for the PE configuration see 26.8. Here OSPF and multicast are carried across a network in which the provider supports only BGP interconnection.

2007/4/10 5:54


Reply: Cisco IOS Cookbook (Chinese condensed edition)
Website administrator
Chapter 27: Security (end)

27.1. Using AutoSecure

Question: A foolproof way to harden your router

Answer

Router2#auto secure

--- AutoSecure Configuration ---



*** AutoSecure configuration enhances the security of

the router, but it will not make it absolutely resistant

to all security attacks ***



AutoSecure will modify the configuration of your device.

All configuration changes will be shown. For a detailed

explanation of how the configuration changes enhance security

and any possible side effects, please refer to Cisco.com for

Autosecure documentation.

At any prompt you may enter '?' for help.

Use ctrl-c to abort this session at any prompt.



Gathering information about the router for AutoSecure



Is this router connected to internet? [no]:

<Removed for brevity>

Notes: Starting with 12.3(1), the router gained the autosecure feature, which hardens the router automatically by asking a series of questions; below is an example of the generated configuration

Router2#show auto secure config

no service finger

no service pad

no service udp-small-servers

no service tcp-small-servers

service password-encryption

service tcp-keepalives-in

service tcp-keepalives-out

no cdp run

no ip bootp server

no ip http server

no ip finger

no ip source-route

no ip gratuitous-arps

no snmp-server community public

no snmp-server community private

banner ^C Test ^C

security passwords min-length 6

security authentication failure rate 10 log

enable password 7 00071A1507545B54

aaa new-model

aaa authentication login local_auth local

line con 0

login authentication local_auth

exec-timeout 5 0

transport output telnet

line aux 0

login authentication local_auth

exec-timeout 10 0

transport output telnet

line vty 0 6

login authentication local_auth

transport input telnet

login block-for 5 attempts 5 within 6



crypto key generate rsa general-keys modulus 1024

ip ssh time-out 60

ip ssh authentication-retries 2

line vty 0 6

transport input ssh telnet

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

logging facility local2

logging trap debugging

service sequence-numbers

logging console critical

logging buffered

interface FastEthernet0/0

no ip redirects

no ip proxy-arp

no ip unreachables

no ip directed-broadcast

no ip mask-reply

!

interface Serial0/0

no ip redirects

no ip proxy-arp

no ip unreachables

no ip directed-broadcast

no ip mask-reply

!

ip cef

Router2#



27.2. Using Context-Based Access Lists

Question: Configure firewall-like advanced filtering on the router

Answer

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#access-list 166 deny ip any any

Router1(config)#access-list 167 permit tcp any any eq telnet

Router1(config)#ip inspect name Telnet tcp

Router1(config)#interface Serial0/1

Router1(config-if)#ip access-group 166 in

Router1(config-if)#ip access-group 167 out

Router1(config-if)#ip inspect Telnet out

Router1(config-if)#exit

Router1(config)#end

Router1#

Notes: This feature requires an IOS image with the IOS Firewall feature set. CBAC provides firewall-like stateful inspection and dynamically generates access list entries to permit the return traffic; in the example above, the returning telnet packets are allowed through

Router1#show ip inspect sessions

Established Sessions

Session 821061C0 (172.25.1.1:1379)=>(10.2.2.2:23) tcp SIS_OPEN

Router1#

The passive FTP access problem mentioned earlier can also be solved securely with this method

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#access-list 155 permit tcp any any eq ftp

Router1(config)#access-list 155 deny ip any any

Router1(config)#ip inspect name TEST ftp

Router1(config)#interface Serial0/0

Router1(config-subif)#ip access-group 155 in

Router1(config-subif)#ip inspect TEST in

Router1(config-subif)#exit

Router1(config)#end

Router1#

Router1#show ip access-list 155

Extended IP access list 155

permit tcp host 172.20.1.2 eq 11252 host 172.25.1.3 eq 49155 (1415 matches)

permit tcp any any eq ftp (151 matches)

deny ip any any (3829 matches)

Router1#

Timers for the different session types can also be configured

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#ip inspect tcp idle-time 1800

Router1(config)#ip inspect udp idle-time 20

Router1(config)#ip inspect tcp finwait-time 1

Router1(config)#ip inspect tcp synwait-time 15

Router1(config)#end

Router1#

Use the show ip inspect config command to display the current CBAC configuration

Logging support was also added: ip inspect name Telnet tcp audit-trail on

27.3. Transparent IOS firewall

Question: Configure the router as a Layer 2 firewall

Answer

First configure Integrated Routing and Bridging (IRB) support

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#bridge 1 protocol ieee

Router1(config)#interface FastEthernet0/0

Router1(config-if)#bridge-group 1

Router1(config-if)#interface FastEthernet0/1

Router1(config-if)#bridge-group 1

Router1(config-if)#exit

Router1(config)#bridge irb

Router1(config)#bridge 1 route ip

Router1(config)#interface BVI1

Router1(config-if)#ip address 172.25.1.101 255.255.255.0

Router1(config-if)#no shutdown

Router1(config-if)#end

Router1#

Then configure the firewall inspection rules and the ACLs

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#ip inspect name OREILLY tcp

Router1(config)#interface FastEthernet0/0

Router1(config-if)#ip inspect OREILLY in

Router1(config-if)#exit

Router1(config)#access-list 111 deny tcp any host 172.25.1.102 eq 23

Router1(config)#access-list 111 permit ip any any

Router1(config)#access-list 112 deny ip any any

Router1(config)#interface FastEthernet0/0

Router1(config-if)#ip access-group 111 in

Router1(config-if)#interface FastEthernet0/1

Router1(config-if)#ip access-group 112 in

Router1(config-if)#end

Router1#

Notes: Starting with 12.3(7)T, this Layer 2 (transparent) firewall is supported; it is transparent to the network, requires no addressing changes, and filters using CBAC

27.4. Preventing denial-of-service attacks

Question: Defend against denial-of-service attacks by limiting half-open connections

Answer

Router1#configure terminal

Router1(config)#access-list 109 permit ip any host 192.168.99.2

Router1(config)#ip tcp intercept list 109

Router1(config)#ip tcp intercept max-incomplete high 10

Router1(config)#ip tcp intercept one-minute high 15

Router1(config)#ip tcp intercept max-incomplete low 5

Router1(config)#ip tcp intercept one-minute low 10

Router1(config)#end

Router1#

Notes: Besides the configuration above, the drop mode and other parameters can also be controlled

Router1(config)#ip tcp intercept drop-mode random

Router1(config)#ip tcp intercept watch-timeout 15

Router1(config)#ip tcp intercept mode watch

A useful statistics command

Router1#show tcp intercept statistics

Intercepting new connections using access-list 109

9 incomplete, 1 established connections (total 10)

8 connection requests per minute

Router1#

27.5. Inspecting applications on non-standard ports

Question: Inspect applications on non-standard ports

Answer

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#ip port-map http port tcp 8000

Router1(config)#end

Router1#

Notes: PAM can also be applied to specific addresses

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#access-list 22 permit host 10.1.2.14

Router1(config)#ip port-map http port 8080 list 22

Router1(config)#end

Router1#

Router1#show ip port-map http

Default mapping: http tcp port 80 system defined

Default mapping: http tcp port 8000 user defined

Host specific: http tcp port 8080 in list 22 user defined

27.6. Intrusion detection and prevention

Question: Use the built-in intrusion detection software to defend against attacks

Answer

Before 12.3(8)T it was called IDS

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#access-list 21 deny 192.168.100.205

Router1(config)#access-list 21 permit any

Router1(config)#ip audit notify log

Router1(config)#ip audit info action alarm drop reset

Router1(config)#ip audit attack action alarm drop reset

Router1(config)#ip audit smtp spam 10

Router1(config)#ip audit signature 1107 disable

Router1(config)#ip audit signature 2004 disable

Router1(config)#ip audit name COOKBOOK info list 21 action alarm drop reset

Router1(config)#ip audit name COOKBOOK attack list 21 action alarm drop reset

Router1(config)#interface FastEthernet0/0

Router1(config-if)#ip audit COOKBOOK in

Router1(config-if)#exit

Router1(config)#end

Router1#

From then on it is called IPS

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#access-list 21 deny 192.168.100.205

Router1(config)#access-list 21 permit any

Router1(config)#ip ips name NEOSHI list 21

Router1(config)#ip ips signature 4050 disable

Router1(config)#ip ips fail closed

Router1(config)#interface FastEthernet0/0

Router1(config-if)#ip ips NEOSHI in

Router1(config-if)#exit

Router1(config)#end

Router1#

Notes:

Router1#show ip ips statistics

Signature statistics [process switch:fast switch]

signature 4050:0 packets checked: [0:85]

Interfaces configured for ips 1

Session creations since subsystem startup or last reset 0

Current session counts (estab/half-open/terminating) [0:0:0]

Maxever session counts (estab/half-open/terminating) [0:0:0]

Last session created never

Last statistic reset never

27.7. Login password retry lockout

Question: Prevent brute-force guessing of login passwords

Answer

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#username kwiley password test123

Router1(config)#aaa new-model

Router1(config)#aaa authentication login local_auth local

Router1(config)#aaa local authentication attempts max-fail 6

Router1(config)#line vty 0 4

Router1(config-line)#login authentication local_auth

Router1(config-line)#end

Router1#

Notes: Starting with 12.3(14)T, the number of login password attempts can be limited. To clear the lockout use Router1#clear aaa local user lockout username kwiley. Of course, be aware that an attacker could use this mechanism to deliberately lock out legitimate usernames

27.8. Authentication Proxy

Question: Per-user authentication and authorization for access control

Answer

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#aaa new-model

Router1(config)#aaa authorization auth-proxy default local

Router1(config)#ip auth-proxy auth-proxy-banner http

Router1(config)#ip auth-proxy name HTTPPROXY http

Router1(config)#ip admission auth-proxy-banner http

Router1(config)#interface FastEthernet0/0

Router1(config-if)#ip auth-proxy HTTPPROXY

Router1(config-if)#ip http server

Router1(config)#ip http authentication local

Router1(config)#end

Router1#

Notes: The authentication proxy intercepts the user's access request; the user can then enter credentials from anywhere and gain access. To view the current authentication cache:

Router1#show ip auth-proxy cache

Authentication Proxy Cache

Client Name ijbrown, Client IP 172.25.1.52, Port 4224, timeout 60, Time Remaining 53, state ESTAB

2007/4/10 5:56
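The hardening lines in the 27.1 output can be turned into a configuration audit. This is an added example (Python, not from the book or from Cisco): it parses a running-config, checks it against the AutoSecure baseline shown above, and flags vty lines that still permit telnet; SAMPLE_CONFIG is constructed. One caveat: settings that IOS omits from the running-config because they are defaults on your release will also show up as findings.

```python
"""Audit an IOS running-config against the recipe 27.1 'show auto secure config' baseline.
Added example, not from the book or Cisco; SAMPLE_CONFIG below is constructed."""
REQUIRED_GLOBAL = [
    "no service finger", "no service pad", "no service udp-small-servers",
    "no service tcp-small-servers", "service password-encryption",
    "service tcp-keepalives-in", "service tcp-keepalives-out", "no cdp run",
    "no ip bootp server", "no ip http server", "no ip source-route",
    "no ip gratuitous-arps"]
REQUIRED_PER_INTERFACE = [  # the 27.1 output applies these under every interface
    "no ip redirects", "no ip proxy-arp", "no ip unreachables",
    "no ip directed-broadcast", "no ip mask-reply"]

def parse_config(config):
    """Return (set of top-level lines, {block header: [indented child lines]})."""
    top, blocks, children = set(), {}, []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue                                # blank line or '!' separator
        if raw.startswith(" "):
            children.append(raw.strip())            # IOS indents block children
        else:
            top.add(raw.strip())
            children = blocks.setdefault(raw.strip(), [])
    return top, blocks

def audit(config):
    """List deviations. Caveat: defaults IOS omits from running-config show up too."""
    top, blocks = parse_config(config)
    findings = [f"global: missing '{c}'" for c in REQUIRED_GLOBAL if c not in top]
    for header, lines in blocks.items():
        if header.startswith("interface "):
            findings += [f"{header}: missing '{c}'"
                         for c in REQUIRED_PER_INTERFACE if c not in lines]
        elif header.startswith("line vty"):
            transport = [l for l in lines if l.startswith("transport input")]
            # Stricter than the 27.1 output, which still lists telnet beside ssh.
            if not transport or "telnet" in transport[-1].split():
                findings.append(f"{header}: telnet allowed by 'transport input'")
    return findings

SAMPLE_CONFIG = """\
service password-encryption
no service pad
interface Serial0/0
 no ip proxy-arp
!
line vty 0 4
 transport input ssh telnet
"""
```

Running audit(SAMPLE_CONFIG) reports the ten missing global commands, the four ICMP/ARP lines missing under Serial0/0, and the telnet transport on the vty lines.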


Reply: Cisco IOS Cookbook (Chinese condensed edition)
New member
Thanks to the OP for sharing!

2008/12/13 21:57

Copyright © 2001-2010 安信网络. All Rights Reserved
京ICP备05056747号