Analysis of the causes and consequences of this DNS outage incident, and why Baofeng (暴风影音) / DNSPod ended up at the centre of it.
How to respond, and what F5's solution is.
Category Archives: Project Cases
Configuring multicast (minimal configuration)
Over the next couple of days the group is running a nationwide multicast relay of an important video event and I have to support it from my side, so I set up multicast. Summary:
1. Make sure every network device along the path supports multicast (for the access-layer switches it is enough to enable IGMP snooping).
2. Enable Auto-RP and candidate BSR on the RP device so that the other devices do not need a statically configured RP address.
My test environment:
Beijing user (test PC running a multicast sender) —-BJ_CISCO2960——BJ_CISCO2851 ——-leased line———XA_cisco7206——XA_CISCO4507——unmanaged switch——Xi'an user (PC running a multicast receiver)
1. Configure multicast on the Beijing 2851
Globally: ip multicast-routing
On every interface that needs it:
ip pim sparse-mode
ip pim send-rp-announce 10.7.30.2 scope 16    (the IP here is the RP address; a loopback address is recommended. 16 is the TTL scope, the number of hops the announcements may cross; set it according to your situation)
ip pim send-rp-discovery scope 16
ip pim bsr-candidate GigabitEthernet0/0 0    (before this line was configured, the receiving side could never reach the source side and the RP address had to be configured statically on every other device; once it was added, the other devices connected correctly without any static RP)
Other intermediate devices:
Globally: ip multicast-routing
On the relevant interfaces: ip pim sparse-mode
Layer-3 switches:
Globally: ip multicast-routing
On the relevant VLAN interfaces: ip pim sparse-mode
Access-layer switches:
ip igmp snooping
Verification commands:
sh ip pim neighbor
sh ip pim rp
sh ip mroute    (pay particular attention to the (S,G) entries: check whether the test source is present and what its outgoing and incoming interfaces are)
Cisco4507#sh ip pim rp
Group: 224.44.44.44, RP: 10.7.30.2, v2, uptime 00:26:20, expires 00:02:39
Group: 239.255.255.250, RP: 10.7.30.2, v2, uptime 00:26:20, expires 00:02:39
Group: 224.55.55.55, RP: 10.7.30.2, v2, uptime 00:26:20, expires 00:02:39
Multicast test tool download: http://www.mvn.cn/download-info.htm
[Repost] RTR/SLA in a multi-ISP environment – updated: after a failover, the original line is now restored automatically once it recovers

As shown in the figure above, this is a project of a friend of mine: the core router is a 7206, connected to three PIX 535s that peer with China Mobile, China Telecom and China Netcom (CNC) respectively. The customer requires path optimization and automatic failover. I built the topology above to simulate the real environment; between R7 and R4/R5/R6 a switch is placed to simulate the Ethernet termination introduced by the fibre media converters. The approach: write specific static routes for the Telecom network, default to Mobile, and use RTR/SLA to check reachability. For IP planning, 172.16.xy.0/30 is used for each Rx–Ry link, with 172.16.xy.1 on the router whose digit is the smaller of x and y; e.g. on the R3–R6 link, R3 has 172.16.36.1/30 and R6 has 172.16.36.2/30. In addition:
172.16.14.0/30 —- simulates the Mobile network
172.16.25.0/30 —- simulates the Telecom network
172.16.36.0/30 —- simulates the Netcom network
———— In the real deployment the Mobile address ranges are unknown, so specific routes are written for Telecom and Netcom and the default route points to Mobile. Below is an explanation of the key steps:
Configuration on R4, R5, R6 (R4 as the example)
1. Configure NAT and routing
ip route 0.0.0.0 0.0.0.0 172.16.14.1    ——— points to the Mobile-side IP
ip route 10.0.0.0 255.0.0.0 172.16.47.2    ——— return route; traffic is bidirectional
int s1/0
ip nat out
int e0/0
ip nat in
access-list 1 permit 10.0.0.0 0.255.255.255
ip nat inside source list 1 inter s1/0 overload
2. Configure the ACL ————————- why is this needed? It is required in the real deployment too; can you guess?
no access-list 100
access-list 100 deny icmp any host 172.16.25.1 log
access-list 100 deny icmp any host 172.16.36.1 log    — the log keyword is not needed; it is only here to observe the lab behaviour
access-list 100 permit icmp any any
int e0/0
ip access-group 100 in
Configuration on R7
1. Configure the SLA
ip sla monitor 1    ——– create a monitor that probes the Mobile-side IP
type echo protocol ipIcmpEcho 172.16.14.1 source-interface Loopback0    — probe with ICMP, i.e. send ICMP echo packets to test reachability of the far end; source-interface sets the source IP of the probes
timeout 999    —- 999 ms; must not exceed the frequency value
frequency 1    ——– 1 s, i.e. one probe per second
exit    ———- same below
ip sla monitor 2    ——– create a monitor that probes the Telecom-side IP
type echo protocol ipIcmpEcho 172.16.25.1 source-interface Loopback0
timeout 999
frequency 1
exit
ip sla monitor 3    ——– create a monitor that probes the Netcom-side IP
type echo protocol ipIcmpEcho 172.16.36.1 source-interface Loopback0
timeout 999
frequency 1
exit
ip sla monitor schedule 1 life forever start-time now
ip sla monitor schedule 2 life forever start-time now
ip sla monitor schedule 3 life forever start-time now    ——– schedule the SLA monitors: life forever, start time now; self-explanatory.
2. Define the track objects
track 111 rtr 1 reachability
track 222 rtr 2 reachability
track 333 rtr 3 reachability
3. Write the routes
ip route 0.0.0.0 0.0.0.0 172.16.47.1 name to_cmobile track 111———————————①
ip route 0.0.0.0 0.0.0.0 172.16.57.1 22 name to_telecom track 222—————————–②
ip route 0.0.0.0 0.0.0.0 172.16.67.1 33 name to_cnc track 333———————————-③
ip route 172.16.25.0 255.255.255.252 172.16.57.1 name to_telecom track 222—————④
ip route 172.16.36.0 255.255.255.252 172.16.67.1 name to_cnc track 333——————–⑤
The routes are the key part: how well they are written decides whether RTR/SLA actually does its job. Detailed comments on the five routes:
Route ①: the primary default route. Under normal conditions everything except the specific Telecom and Netcom routes goes over the Mobile line. Its AD is the default 1, and the state of track 111 decides whether it is installed in the routing table, i.e. it is in the 7206's table while the Mobile-side IP is reachable.
Route ②: the default route toward Telecom, AD 22. When the Mobile link fails, track 111 times out and route ① disappears; route ② then appears in the 7206's table, keeping the network up with no routing black hole.
Route ③: same as route ②, except that the AD is 33.
Route ④: this one really stands for a whole batch of static routes; the summarized CHINANET routes come to roughly 250, and the track state decides whether that batch is present in the 7206's table.
Route ⑤: same as route ④, representing about 160 Netcom routes.
4. The logical deadlock of RTR probing across a layer-3 hop
Because in this case the RTR monitor's target is already across a layer-3 hop, there is a logical deadlock. Take R7–SW–R4–R1 as the example: R7 probes, across R4, the port on R1 that connects to R4. When that port is detected down, the related routes disappear as planned, but a problem appears when the Mobile line comes back:
On one hand: leaving RTR/SLA aside, R7 itself needs a route toward the Mobile-side interconnect port, either static or dynamic; here it is the default route. Without that default route the monitored interconnect port cannot be reached.
On the other hand: after the Mobile line goes down, track 111 keeps working: it keeps sending ICMP echo probes, sourced from R7's L0 IP, toward the monitored interconnect port, and as long as the result is a timeout the router will not put the default route via R4 back into the routing table. OK, there is the deadlock: the router cannot move the traffic back after the physical line recovers.
5. A hidden Cisco command: RTR RESET
Here is a hidden command related to RTR: RTR RESET (in config mode). It resets the SLA/RTR feature and removes the SLA configuration from the configuration file. After using it, the routes recovered and traffic gradually moved back.
6. Restoring the configuration after RESET
Well... nothing much to say here. The simplest way is config mem in privileged mode, which writes the configuration in memory back into the configuration file in NVRAM. Everything is back to normal.
Solution to the deadlock:
Solution to this deadlock: in the original configuration, the ICMP echo request packets reached the probed destination IP via the default route or the few routes to the simulated ISP segments. On a reminder from 鸟人小灰狼, dedicated routes to the probed destination IPs are added, without tracking (there is indeed no need to track them). That way, once a line recovers, the deadlock no longer prevents the probes from reaching their destination. The configuration is just the following three routes:
ip route 172.16.14.1 255.255.255.255 172.16.47.1 name rtr-cnc
ip route 172.16.25.1 255.255.255.255 172.16.57.1 name rtr-cm
ip route 172.16.36.1 255.255.255.255 172.16.67.1 name rtr-telecom
7. What are those ACLs on R4, R5, R6 for?
The ISPs are interconnected; if these ACLs did not deny the relevant ICMP packets, the network would flap endlessly.
Again take R4 as the example. Suppose the Mobile line is down: the original default route disappears and the AD-22 static route toward Telecom appears in the routing table. Now the ICMP echo from SLA monitor 1 goes out via that default route, crosses the ISP boundary and reaches the Mobile-side IP, so track 111 reports OK to the router, and the AD-1 default route replaces the AD-22 one in the table. Then, once routing has converged and the CEF table has been rewritten, the ICMP echo from SLA monitor 1 times out again, because the Mobile line coming in is in fact still down... and so the network starts flapping, harder than Ximen Qing and Pan Jinlian's wooden bed.
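The three behaviours described in points 3, 4 and 7 above (tracked floating defaults, the probe deadlock on recovery, and the cross-ISP flapping) can be reproduced with a small simulation of R7's routing table. This is an added example written for this page, not the author's configuration or any IOS code; it assumes a simplified model in which each ISP edge router (R4/R5/R6) is reached over its own segment, the three ISPs are interconnected, and the edge routers' ACL 100 drops ICMP aimed at another ISP's probe address. The route objects, track ids and addresses mirror routes ①..⑤ and the three rtr-* host routes from the post.

```python
import ipaddress

# Constructed model of the post's topology: R7 reaches three ISP edge routers
# (R4 Mobile "cm", R5 Telecom "tel", R6 Netcom "cnc") over separate segments
# and probes the far-end IP of each ISP link. This is a simulation written for
# this page, not behaviour captured from a device.
PROBE_TARGET = {"cm": "172.16.14.1", "tel": "172.16.25.1", "cnc": "172.16.36.1"}
TRACK_OF = {111: "cm", 222: "tel", 333: "cnc"}
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


class Route:
    def __init__(self, prefix, egress, ad=1, track=None):
        self.net = ipaddress.ip_network(prefix)
        self.egress = egress  # ISP whose edge router is the next hop
        self.ad = ad          # administrative distance
        self.track = track    # track id gating installation; None = untracked


# Routes ①..⑤ from the post (floating defaults with AD 22 and 33)
TRACKED_ROUTES = [
    Route("0.0.0.0/0", "cm", 1, 111),
    Route("0.0.0.0/0", "tel", 22, 222),
    Route("0.0.0.0/0", "cnc", 33, 333),
    Route("172.16.25.0/30", "tel", 1, 222),
    Route("172.16.36.0/30", "cnc", 1, 333),
]
# The three untracked host routes to the probe targets added by the fix
PROBE_HOST_ROUTES = [
    Route("172.16.14.1/32", "cm"),
    Route("172.16.25.1/32", "tel"),
    Route("172.16.36.1/32", "cnc"),
]


class R7:
    def __init__(self, routes, edge_acl):
        self.routes = routes
        self.edge_acl = edge_acl  # do R4/R5/R6 drop ICMP aimed at another ISP's probe IP?
        self.links = {isp: True for isp in PROBE_TARGET}  # R7 <-> edge router segments
        self.tracks = {t: True for t in TRACK_OF}

    def rib(self):
        """Per prefix, install the lowest-AD candidate whose track object is up."""
        best = {}
        for r in self.routes:
            if r.track is not None and not self.tracks[r.track]:
                continue
            if r.net not in best or r.ad < best[r.net].ad:
                best[r.net] = r
        return best

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        hits = [r for r in self.rib().values() if addr in r.net]
        return max(hits, key=lambda r: r.net.prefixlen).egress if hits else None

    def probe(self, isp):
        """One ICMP echo toward the ISP's far-end IP; True if a reply comes back."""
        egress = self.lookup(PROBE_TARGET[isp])
        if egress is None or not self.links[egress]:
            return False
        if egress == isp:
            return True
        # The probe left through another ISP's edge router. The ISPs interconnect,
        # so it reaches the target unless that edge router's ACL drops it.
        return not self.edge_acl

    def step(self):
        """One SLA cycle: probe on the current table, then update every track."""
        results = {t: self.probe(isp) for t, isp in TRACK_OF.items()}
        self.tracks.update(results)
        return self.default_egress()

    def default_egress(self):
        r = self.rib().get(DEFAULT)
        return r.egress if r else None


def run(routes, edge_acl, link_events, cycles=6):
    """link_events: {cycle: (isp, up)}. Returns the default route's egress per cycle."""
    r7 = R7(routes, edge_acl)
    trace = []
    for i in range(cycles):
        if i in link_events:
            isp, up = link_events[i]
            r7.links[isp] = up
        trace.append(r7.step())
    return trace


def deadlock_trace():
    # Tracked routes only, ACLs present: Mobile fails at cycle 1, returns at cycle 3
    return run(TRACKED_ROUTES, True, {1: ("cm", False), 3: ("cm", True)})


def fixed_trace():
    # Same events, with the untracked host routes for the probe targets added
    return run(TRACKED_ROUTES + PROBE_HOST_ROUTES, True, {1: ("cm", False), 3: ("cm", True)})


def flapping_trace():
    # No ACL on the edge routers: the Mobile probe leaks out across Telecom
    return run(TRACKED_ROUTES, False, {1: ("cm", False)})


if __name__ == "__main__":
    print("deadlock :", deadlock_trace())   # stays on tel after cm recovers
    print("fixed    :", fixed_trace())      # returns to cm once the link is back
    print("flapping :", flapping_trace())   # alternates cm/tel every cycle
```

Each probe is routed with the table as it stood before that cycle's track updates, which is what makes the flapping case alternate on every cycle: the leaked probe re-installs the AD-1 default, the next probe then follows it onto the dead segment and withdraws it again.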
Appendix: configurations
R1(config-if)#do sh ru
Building configuration…
Current configuration : 1063 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
no ip domain lookup
!
!
!
!
!
interface Loopback0
ip address 11.11.11.1 255.255.255.255
!
interface Serial1/0
ip address 172.16.14.1 255.255.255.252
serial restart-delay 0
no fair-queue
!
interface Serial1/1
ip address 172.16.12.1 255.255.255.252
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
router ospf 100
log-adjacency-changes
network 11.11.11.1 0.0.0.0 area 0
network 172.16.12.0 0.0.0.3 area 0
network 172.16.14.0 0.0.0.3 area 0
!
ip http server
ip classless
!
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
login
!
!
!
end
===================================================
R2#do sh run
^
% Invalid input detected at ’^' marker.
R2#sh run
Building configuration…
Current configuration : 1078 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
no ip domain lookup
!
!
!
!
!
interface Loopback0
ip address 22.22.22.1 255.255.255.255
!
interface Serial1/0
ip address 172.16.12.2 255.255.255.252
serial restart-delay 0
no fair-queue
!
interface Serial1/1
ip address 172.16.23.1 255.255.255.252
serial restart-delay 0
!
interface Serial1/2
ip address 172.16.25.1 255.255.255.252
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
router ospf 100
log-adjacency-changes
network 22.22.22.1 0.0.0.0 area 0
network 172.16.12.0 0.0.0.3 area 0
network 172.16.23.0 0.0.0.3 area 0
network 172.16.25.0 0.0.0.3 area 0
!
ip http server
ip classless
!
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
login
!
!
!
end
=========================================================
r3#sh run
Building configuration…
Current configuration : 1063 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
no ip domain lookup
!
!
!
!
!
interface Loopback0
ip address 33.33.33.1 255.255.255.255
!
interface Serial1/0
ip address 172.16.23.2 255.255.255.252
serial restart-delay 0
no fair-queue
!
interface Serial1/1
ip address 172.16.36.1 255.255.255.252
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
router ospf 100
log-adjacency-changes
network 33.33.33.1 0.0.0.0 area 0
network 172.16.23.0 0.0.0.3 area 0
network 172.16.36.0 0.0.0.3 area 0
!
ip http server
ip classless
!
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
login
!
!
!
end
===========================================================
R4(config-if)#do sh run
Building configuration…
Current configuration : 1360 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
no ip domain lookup
!
!
!
!
!
interface Loopback0
ip address 44.44.44.1 255.255.255.255
!
interface Ethernet0/0
ip address 172.16.47.1 255.255.255.252
ip access-group 100 in
ip nat inside
full-duplex
!
interface Ethernet0/1
no ip address
shutdown
half-duplex
!
interface Ethernet0/2
no ip address
shutdown
half-duplex
!
interface Ethernet0/3
no ip address
shutdown
half-duplex
!
interface Serial1/0
ip address 172.16.14.2 255.255.255.252
ip nat outside
serial restart-delay 0
no fair-queue
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
ip nat inside source list 1 interface Serial1/0 overload
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.14.1
ip route 10.0.0.0 255.0.0.0 172.16.47.2
!
!
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 100 deny icmp any host 172.16.25.1 log
access-list 100 deny icmp any host 172.16.36.1 log
access-list 100 permit icmp any any
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
login
!
!
!
end
===========================================================
R5(config-if)#do sh run
Building configuration…
Current configuration : 1385 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R5
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
no ip domain lookup
!
!
!
!
!
interface Loopback0
ip address 55.55.55.1 255.255.255.255
!
interface Ethernet0/0
ip address 172.16.57.1 255.255.255.252
ip access-group 100 in
ip access-group 100 out
ip nat inside
full-duplex
!
interface Ethernet0/1
no ip address
shutdown
half-duplex
!
interface Ethernet0/2
no ip address
shutdown
half-duplex
!
interface Ethernet0/3
no ip address
shutdown
half-duplex
!
interface Serial1/0
no ip address
shutdown
serial restart-delay 0
no fair-queue
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
ip address 172.16.25.2 255.255.255.252
ip nat outside
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
ip nat inside source list 1 interface Serial1/2 overload
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.25.1
ip route 10.0.0.0 255.0.0.0 172.16.57.2
!
!
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 100 deny icmp any host 172.16.14.1 log
access-list 100 deny icmp any host 172.16.36.1 log
access-list 100 permit icmp any any
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
login
!
!
!
end
===================================================================
R6(config-if)#do sh run
Building configuration…
Current configuration : 1396 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R6
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
no ip domain lookup
!
!
!
!
!
interface Loopback0
ip address 66.66.66.1 255.255.255.255
!
interface Ethernet0/0
ip address 172.16.67.1 255.255.255.252
ip access-group 100 in
ip nat inside
full-duplex
!
interface Ethernet0/1
no ip address
shutdown
half-duplex
!
interface Ethernet0/2
no ip address
shutdown
half-duplex
!
interface Ethernet0/3
no ip address
shutdown
half-duplex
!
interface Serial1/0
no ip address
ip nat outside
shutdown
serial restart-delay 0
no fair-queue
!
interface Serial1/1
ip address 172.16.36.2 255.255.255.252
ip nat outside
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
ip nat inside source list 1 interface Serial1/1 overload
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.36.1
ip route 10.0.0.0 255.0.0.0 172.16.67.2
!
!
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 100 deny icmp host 10.0.0.1 host 172.16.14.1 log
access-list 100 deny icmp host 10.0.0.1 host 172.16.25.1 log
access-list 100 permit icmp any any
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
login
!
!
!
end
=======================================================================
R7#sh run
Building configuration…
Current configuration : 1752 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R7
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
!
!
ip sla monitor 1
type echo protocol ipIcmpEcho 172.16.14.1 source-interface Loopback0
timeout 999
frequency 1
ip sla monitor schedule 1 life forever start-time now
ip sla monitor 2
type echo protocol ipIcmpEcho 172.16.25.1 source-interface Loopback0
timeout 999
frequency 1
ip sla monitor schedule 2 life forever start-time now
ip sla monitor 3
type echo protocol ipIcmpEcho 172.16.36.1 source-interface Loopback0
timeout 999
frequency 1
ip sla monitor schedule 3 life forever start-time now
!
!
track 111 rtr 1 reachability
!
track 222 rtr 2 reachability
!
track 333 rtr 3 reachability
!
!
!
!
!
interface Loopback0
ip address 10.0.0.1 255.255.255.0
!
interface Ethernet0/0
ip address 172.16.47.2 255.255.255.252
full-duplex
!
interface Ethernet0/1
ip address 172.16.57.2 255.255.255.252
full-duplex
!
interface Ethernet0/2
ip address 172.16.67.2 255.255.255.252
full-duplex
!
interface Ethernet0/3
no ip address
shutdown
half-duplex
!
ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 172.16.47.1 name to_cmobile track 111
ip route 0.0.0.0 0.0.0.0 172.16.57.1 22 name to_telecom track 222
ip route 172.16.25.0 255.255.255.252 172.16.57.1 name to_telecom track 222
ip route 0.0.0.0 0.0.0.0 172.16.67.1 33 name to_cnc track 333
ip route 172.16.36.0 255.255.255.252 172.16.67.1 name to_cnc track 333
ip route 172.16.14.1 255.255.255.255 172.16.47.1 name rtr-cnc
ip route 172.16.25.1 255.255.255.255 172.16.57.1 name rtr-cm
ip route 172.16.36.1 255.255.255.255 172.16.67.1 name rtr-telecom
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
login
!
!
end
[Original] Configuring a VPN server for Cisco VPN Client 4.01 with extended authentication (XAUTH)
For the configuration without extended authentication see: www.mycisco.cn/post/170.html
PC (10.0.0.1, gateway 10.0.0.254) —————– (e0/0: 10.0.0.254) ROUTER3620 (lo0: 172.16.0.1)
IOS version: c3620-ik9o3s7-mz.123-21.bin
Building configuration…
Current configuration : 1853 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname vpnserver
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login xauthen local
!Extended authentication via AAA; there is no AAA server, so only the local database is used
aaa authorization network groupauthor local
!Use AAA to look up the group policy; here the local database is used. This local group policy is optional: in the crypto map below the local group name can be referenced instead
aaa session-id common
ip subnet-zero
!
!
ip cef
!
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
username lin password 0 cisco
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
!Specify the group policy attributes and enter group configuration mode; these settings are pushed to the client
crypto isakmp client configuration group clientgroup
key cisco123
!If the client identifies itself with a preshared key, this KEY is mandatory; it may differ from the extended-authentication password
dns 61.148.1.8
wins 61.148.1.7
pool ippool
!Reference the local address pool; different group policies can use different local pools; the name must match the pool configured globally.
!
!
!Configure the IPsec transform set
crypto ipsec transform-set ipsectrans esp-3des esp-md5-hmac
!
!Configure the dynamic map template and reference the transform set; since the peer's IP address and the interesting traffic to match are unknown, a dynamic crypto map is used.
crypto dynamic-map dynamicmap 1
set transform-set ipsectrans
!
!
!Now apply the group configuration mode and extended authentication to the actual crypto map.
!
crypto map actmap client authentication list xauthen
!If extended authentication is not used, the line above can be omitted.
!The next line enables the IKE group-policy lookup; the name after "list" decides whether AAA or the local group policy is queried!
crypto map actmap isakmp authorization list groupauthor
!This uses the extended (AAA) group policy. Without it, use the following line instead to reference the locally hand-configured client group. The authorization line cannot be omitted, otherwise IKE negotiation does not get through. !crypto map actmap isakmp authorization list clientgroup
crypto map actmap client configuration address respond
!The line above makes the VPN server respond to address requests initiated by the client; the initiate keyword can also be used to push the address proactively (suits 1.x client software), and both may be used together.
crypto map actmap 1 ipsec-isakmp dynamic dynamicmap
!Use IKE to negotiate IPsec, tied to the dynamic map template.
!
!
!
interface Loopback0
ip address 172.16.0.1 255.255.0.0
!
interface Ethernet0/0
ip address 10.0.0.254 255.0.0.0
full-duplex
crypto map actmap
!
interface Ethernet0/1
no ip address
shutdown
half-duplex
!
interface Ethernet0/2
no ip address
shutdown
half-duplex
!
interface Ethernet0/3
no ip address
shutdown
half-duplex
!
interface Serial1/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
ip local pool ippool 192.168.10.1 192.168.10.254
!Local address pool; multiple pool statements can be configured.
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0/0
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
end
Client software configuration:
Create a new connection; the thing to note is that the password entered when creating it must be the one corresponding to the client group, here cisco123.
Then connect; during the connection an extra prompt asks for a username and password. Enter the AAA credentials, here lin / cisco.
[Original] Configuring a VPN server for Cisco VPN Client 4.01
Topology:
PC (10.0.0.1, gateway 10.0.0.254) —————– (e0/0: 10.0.0.254) ROUTER3620 (lo0: 172.16.0.1)
IOS version: c3620-ik9o3s7-mz.123-21.bin
Main configuration steps:
1. Configure the IKE policy
2. Configure the client parameters for the IKE phase (group configuration mode)
2.1 Address pool
2.2 KEY (used by the client to identify its group)
2.3 Other optional settings
3. Configure the IPsec transform set, to be referenced by the dynamic map template
4. Configure the dynamic map template, referencing the transform set from step 3
5. Configure the actual crypto map
5.1 Set the IKE group-policy lookup name in the crypto map (referencing the IKE client group above)
5.2 Configure client address response in the crypto map
5.3 Reference the dynamic template in the crypto map
6. Configure the local address pool
7. Configure the relevant routes
8. Apply the crypto map to the interface
vpnserver#sh run
Building configuration…
Current configuration : 1663 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname vpnserver
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
ip cef
!
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!Configure the phase-1 negotiation policy (IKE policy)
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
!Configure the IKE client configuration group; clientgroup is an arbitrary name
crypto isakmp client configuration group clientgroup
key cisco123    #password used by the client software
dns 61.148.1.8    #DNS for the client, optional
wins 61.148.1.7    #WINS for the client, optional
pool ippool    #note that the address pool must also be referenced here
!
!
!Configure the IPsec transform set, referenced by the dynamic map template below
crypto ipsec transform-set ipsectrans esp-3des esp-md5-hmac
!
!Configure the dynamic map template and reference the IPsec transform set
crypto dynamic-map dynamicmap 1
set transform-set ipsectrans
!
!
!Configure the real crypto map, tie in the IKE authorization list and respond to client address requests
crypto map actmap isakmp authorization list clientgroup
crypto map actmap client configuration address respond
!Reference the dynamic map template
crypto map actmap 1 ipsec-isakmp dynamic dynamicmap
!
!
!
interface Loopback0
ip address 172.16.0.1 255.255.0.0
!
interface Ethernet0/0
ip address 10.0.0.254 255.0.0.0
full-duplex
!Apply to the interface
crypto map actmap
!
interface Ethernet0/1
no ip address
shutdown
half-duplex
!
interface Ethernet0/2
no ip address
shutdown
half-duplex
!
interface Ethernet0/3
no ip address
shutdown
half-duplex
!
interface Serial1/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
!Configure the local address pool
ip local pool ippool 192.168.10.1 192.168.10.254
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0/0
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
end
Verification:
vpnserver#sh crypto ipsec sa
interface: Ethernet0/0
Crypto map tag: actmap, local addr. 10.0.0.254
protected vrf:
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.13/255.255.255.255/0/0)
current_peer: 10.0.0.100:500
PERMIT, flags={}
#pkts encaps: 57, #pkts encrypt: 57, #pkts digest 57
#pkts decaps: 288, #pkts decrypt: 288, #pkts verify 288
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.0.0.254, remote crypto endpt.: 10.0.0.100
path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
current outbound spi: DC3CB5CD
inbound esp sas:
spi: 0x71F177C4(1911650244)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2000, flow_id: 1, crypto map: actmap
sa timing: remaining key lifetime (k/sec): (4468647/2307)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xDC3CB5CD(3694966221)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2001, flow_id: 2, crypto map: actmap
sa timing: remaining key lifetime (k/sec): (4468684/2305)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
vpnserver#sh crypto isakmp sa
dst src state conn-id slot
10.0.0.254 10.0.0.100 QM_IDLE 2 0
Note: connected successfully with VPN Client 4.01. Be aware, though: because the router runs in the dynamips emulator bridged to this PC's NIC, the client on this PC can connect but data is only sent and never received; connecting from another PC works fine. Also, the PC must have the router's IP set as its gateway, otherwise the connection fails (the client reports that it failed to load the gateway)
(Testing split tunnel did not succeed; not sure whether it is an ACL problem or an emulator problem
[Original] EIGRP basic lab
[Original] How to explain the various ip unnumbered + RIP cases??
How do RIPv1's send/receive rules explain the routing-table results of all the experiments below?
Topology: (lo0)R1(S1/1)—————-(S1/0)R2
Same major network, both subnetted, same subnet mask length
R1
interface Loopback0
ip address 172.16.1.1 255.255.255.0
interface Serial1/1
ip unnumbered Loopback0
serial restart-delay 0
router rip
network 172.16.0.0
R2
interface Loopback0
ip address 172.16.2.2 255.255.255.0
interface Serial1/0
ip unnumbered Loopback0
serial restart-delay 0
router rip
network 172.16.0.0
Result:
R1:Gateway of last resort is not set
172.16.0.0/24 is subnetted, 3 subnets
R 172.16.0.0 [120/1] via 172.16.2.2, 00:00:07, Serial1/1
C 172.16.1.0 is directly connected, Loopback0
R 172.16.2.0 [120/1] via 172.16.2.2, 00:00:07, Serial1/1
R2:Gateway of last resort is not set
172.16.0.0/24 is subnetted, 3 subnets
R 172.16.0.0 [120/1] via 172.16.1.1, 00:00:07, Serial1/0
R 172.16.1.0 [120/1] via 172.16.1.1, 00:00:07, Serial1/0
C 172.16.2.0 is directly connected, Loopback0
They can ping each other.
Same major network, both subnetted, different subnet mask lengths
R1: configuration unchanged; R2's Lo0 address changed to ip add 172.16.65.2 255.255.192.0
Result:
R1: Gateway of last resort is not set
172.16.0.0/24 is subnetted, 3 subnets
R 172.16.0.0 [120/1] via 172.16.65.2, 00:00:02, Serial1/1
C 172.16.1.0 is directly connected, Loopback0
R 172.16.64.0 [120/1] via 172.16.65.2, 00:00:02, Serial1/1
R2:Gateway of last resort is not set
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
R 172.16.0.0/18 [120/1] via 172.16.1.1, 00:00:05, Serial1/0
R 172.16.1.0/32 [120/1] via 172.16.1.1, 00:00:05, Serial1/0
C 172.16.64.0/18 is directly connected, Loopback0
I can't figure out why the routing tables above come out this way~~~~~
R1 pinging 172.16.65.2 fails, and R2 pinging 172.16.1.1 also fails.
Why it fails: R1's three subnets are all /24, so there is no network entry that matches 172.16.65.2.
When R2 pings 172.16.1.1, 172.16.0.0/18 matches, but once the packet reaches R1, R1 cannot return it, so that fails too.
Same major network, neither subnetted
R1
interface Loopback0
ip address 172.16.1.1 255.255.0.0
interface Serial1/1
ip unnumbered Loopback0
serial restart-delay 0
router rip
network 172.16.0.0
R2
interface Loopback0
ip address 172.16.2.2 255.255.0.0
interface Serial1/0
ip unnumbered Loopback0
serial restart-delay 0
router rip
network 172.16.0.0
Result:
Both sides have only the directly connected major network and no other routes, so obviously they cannot ping each other. (This does not meet the requirement either: the two routers' interfaces are in the same network segment.)
C 172.16.0.0/16 is directly connected, Loopback0
Summary: within the same major network, the subnet masks must be identical for RIP/IGRP to work properly.
Different major networks, both subnetted, same subnet mask length
R1
interface Loopback0
ip address 172.16.1.1 255.255.255.0
interface Serial1/1
ip unnumbered Loopback0
serial restart-delay 0
router rip
network 172.16.0.0
R2
interface Loopback0
ip address 182.16.2.2 255.255.255.0
interface Serial1/0
ip unnumbered Loopback0
serial restart-delay 0
router rip
network 182.16.0.0
Result:
R1:Gateway of last resort is not set
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.1.0 is directly connected, Loopback0
182.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
R 182.16.2.0/32 [120/1] via 182.16.2.2, 00:00:19, Serial1/1
R 182.16.0.0/16 [120/1] via 182.16.2.2, 00:00:19, Serial1/1
R2:Gateway of last resort is not set
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
R 172.16.0.0/16 [120/1] via 172.16.1.1, 00:00:16, Serial1/0
R 172.16.1.0/32 [120/1] via 172.16.1.1, 00:00:16, Serial1/0
182.16.0.0/24 is subnetted, 1 subnets
C 182.16.2.0 is directly connected, Loopback0
They can ping each other; each side marks the other's subnet as a /32 host route, and starting with version 11.0(2) a major-network entry is automatically generated for the other side.
Different major networks, both subnetted, different subnet mask lengths
R1
interface Loopback0
ip address 172.16.1.1 255.255.255.0
interface Serial1/1
ip unnumbered Loopback0
serial restart-delay 0
router rip
network 172.16.0.0
R2
interface Loopback0
ip address 182.16.2.130 255.255.255.128
interface Serial1/0
ip unnumbered Loopback0
serial restart-delay 0
router rip
network 182.16.0.0
Result:
R1:
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.1.0 is directly connected, Loopback0
182.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
R 182.16.2.128/32 [120/1] via 182.16.2.130, 00:00:12, Serial1/1
R 182.16.0.0/16 [120/1] via 182.16.2.130, 00:00:12, Serial1/1
R2:Gateway of last resort is not set
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
R 172.16.0.0/16 [120/1] via 172.16.1.1, 00:00:21, Serial1/0
R 172.16.1.0/32 [120/1] via 172.16.1.1, 00:00:21, Serial1/0
182.16.0.0/25 is subnetted, 1 subnets
C 182.16.2.128 is directly connected, Loopback0
They can ping each other; each side marks the other's subnet as a /32 host route, and starting with version 11.0(2) a major-network entry is automatically generated for the other side.
Different major networks, neither subnetted
R1
interface Loopback0
ip address 172.16.1.1 255.255.0.0
interface Serial1/1
ip unnumbered Loopback0
serial restart-delay 0
router rip
network 172.16.0.0
R2
interface Loopback0
ip address 182.16.2.2 255.255.0.0
interface Serial1/0
ip unnumbered Loopback0
serial restart-delay 0
router rip
network 182.16.0.0
Result:
R1:Gateway of last resort is not set
C 172.16.0.0/16 is directly connected, Loopback0
R 182.16.0.0/16 [120/1] via 182.16.2.2, 00:00:08, Serial1/1
R2:Gateway of last resort is not set
R 172.16.0.0/16 [120/1] via 172.16.1.1, 00:00:23, Serial1/0
C 182.16.0.0/16 is directly connected, Loopback0
They can ping each other; starting with version 11.0(2) a major-network entry is automatically generated for the other side.
Summary: with different major networks, RIP/IGRP works no matter what.
How do RIPv1's send/receive rules explain the routing-table results of all the experiments above?
http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094e8d.shtml
http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a00801ec9e0.shtml
[Original] DHCP principles and lab
DHCP supports three IP address allocation mechanisms:
1. Automatic allocation: DHCP assigns a permanent IP address to the client.
2. Dynamic allocation: DHCP assigns an IP address to the client for a limited time (or until the client explicitly relinquishes it).
3. Manual allocation: the administrator assigns the IP address to the client and DHCP simply delivers the assigned address to the client.
The DHCP frame format is based on BOOTP, which ensures compatibility with BOOTP.
Cisco IOS fully supports DHCP, including managed allocation and address acquisition; if one DHCP server cannot satisfy the current request, it can forward the request to another DHCP server.
DHCP exchange
DHCPDISCOVER broadcast
Client ———————————————-> Server
DHCPOFFER unicast
Client <———————————————- Server
DHCPREQUEST broadcast
Client ———————————————-> Server
DHCPACK unicast
Client <———————————————- Server
First the client sends a DHCP discover broadcast; every DHCP server receives this request, and each replies with an OFFER unicast that carries the concrete configuration parameters.
The client picks the first OFFER it receives and sends a request broadcast. This broadcast is received by all the DHCP servers that just sent an OFFER, so the servers that were not chosen can withdraw their OFFER.
The chosen DHCP server returns an ACK unicast confirming the OFFER.
Also: if the parameters in the OFFER from the DHCP server are wrong, the client sends a DHCPDECLINE broadcast to the DHCP server.
If an error occurs during negotiation, or the client does not respond to the server for too long, the server sends a DHCPNAK broadcast indicating that the OFFER just made has not been assigned.
How DHCP chooses the right address for a client:
1. If the client is not directly connected (the giaddr field in the DHCP discover broadcast is non-zero), the DHCP server picks the address pool that contains the subnet of the address in that field.
2. If the client is directly connected, the pool containing the subnet of the interface on which the DHCP discover broadcast was received is chosen, i.e. the pool in the same subnet as the receiving interface. If the interface has secondary IP addresses, they are used only when the pool of the primary IP is exhausted.
DHCP relay agent
A host acts as a proxy, forwarding DHCP client requests from one physical network to a DHCP server that is not directly connected, and forwarding the replies back to the client; the process is transparent to the client.
The DHCP database is organized as a tree
The root is a network
A branch is a subnet
A leaf is the IP bound to a client
Each level inherits the parameters of the level above, so parameters such as the domain name should be configured at a high level, such as the network or subnetwork.
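The DISCOVER/OFFER exchange and the two pool-selection rules above (giaddr for relayed clients; the receiving interface's primary subnet, with a secondary-subnet fallback, for directly connected ones) can be exercised with a small BOOTP-framed DHCP builder and parser. This is an added example written for this page, not Cisco IOS code or the lab the post refers to; the packets and pools are constructed, and only the message-type option (53) is carried in the options field.

```python
import struct
import ipaddress

# Wire format shared with BOOTP: 236-byte fixed header, then the DHCP magic
# cookie and TLV options (RFC 2131). The packets and pools below are
# constructed for this page, not captured traffic.
HDR_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
DHCP_MAGIC = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST",
             4: "DHCPDECLINE", 5: "DHCPACK", 6: "DHCPNAK"}


def build_dhcp(msg_type, xid, chaddr, giaddr="0.0.0.0", yiaddr="0.0.0.0"):
    """Build a minimal DHCP message: op is BOOTREQUEST (1) for client
    messages and BOOTREPLY (2) for server messages."""
    op = 1 if msg_type in (1, 3, 4) else 2
    hdr = struct.pack(HDR_FMT, op, 1, 6, 0, xid, 0, 0,
                      b"\0" * 4,                              # ciaddr
                      ipaddress.ip_address(yiaddr).packed,    # yiaddr: offered address
                      b"\0" * 4,                              # siaddr
                      ipaddress.ip_address(giaddr).packed,    # giaddr: relay agent address
                      chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + DHCP_MAGIC + bytes([53, 1, msg_type, 255])  # option 53, then end


def parse_dhcp(pkt):
    """Parse the fixed header and the options; reject anything without the cookie."""
    if len(pkt) < 240 or pkt[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message: BOOTP magic cookie missing")
    f = struct.unpack(HDR_FMT, pkt[:236])
    msg = {"op": f[0], "xid": f[4],
           "ciaddr": str(ipaddress.ip_address(f[7])),
           "yiaddr": str(ipaddress.ip_address(f[8])),
           "giaddr": str(ipaddress.ip_address(f[10])),
           "chaddr": f[11][:f[2]].hex(":"),   # hlen bytes of the hardware address
           "options": {}}
    i = 240
    while i < len(pkt) and pkt[i] != 255:   # 255 = end option
        if pkt[i] == 0:                      # 0 = pad, no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        msg["options"][code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    msg["type"] = MSG_TYPES.get(msg["options"].get(53, b"\0")[0], "unknown")
    return msg


def select_pool(msg, pools, rx_primary, rx_secondaries=()):
    """Server-side pool selection as described in the text: a relayed request
    (giaddr != 0) uses the pool containing giaddr; a directly connected client
    uses the receiving interface's primary subnet, and a secondary subnet only
    when the primary pool is exhausted."""
    giaddr = ipaddress.ip_address(msg["giaddr"])
    if int(giaddr) != 0:
        candidates = [giaddr]
    else:
        candidates = [ipaddress.ip_address(a) for a in (rx_primary, *rx_secondaries)]
    for addr in candidates:
        for net, free in pools.items():
            if addr in net and free:
                return net
    return None


def offer(discover, pools, rx_primary, rx_secondaries=()):
    """Server side of DISCOVER -> OFFER: pick a pool and lease its first free address."""
    req = parse_dhcp(discover)
    if req["type"] != "DHCPDISCOVER":
        raise ValueError("expected DHCPDISCOVER, got " + req["type"])
    net = select_pool(req, pools, rx_primary, rx_secondaries)
    if net is None:
        return None
    lease = pools[net].pop(0)
    chaddr = bytes.fromhex(req["chaddr"].replace(":", ""))
    # The OFFER echoes xid and giaddr so the relay can return it to the client
    return build_dhcp(2, req["xid"], chaddr, giaddr=req["giaddr"], yiaddr=lease)


def sample_pools():
    # Constructed pools: one healthy, one exhausted, one only reachable via a relay
    return {ipaddress.ip_network("10.1.0.0/24"): ["10.1.0.10", "10.1.0.11"],
            ipaddress.ip_network("10.2.0.0/24"): [],
            ipaddress.ip_network("10.3.0.0/24"): ["10.3.0.50"]}


if __name__ == "__main__":
    pools = sample_pools()
    mac = bytes.fromhex("001122334455")
    relayed = build_dhcp(1, 0x1234, mac, giaddr="10.3.0.1")
    print(parse_dhcp(offer(relayed, pools, "10.1.0.1"))["yiaddr"])                 # 10.3.0.50
    direct = build_dhcp(1, 0x5678, mac)
    print(parse_dhcp(offer(direct, pools, "10.2.0.1", ["10.1.0.1"]))["yiaddr"])   # 10.1.0.10
```

The second call shows the secondary-address rule: the request arrives on an interface whose primary subnet 10.2.0.0/24 has no free addresses, so the server falls through to the secondary subnet's pool.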
Lab content:
[Ah, the site is finally back up; original] BGP lab 1 – understanding basic BGP properties
Repost: a company's actual Internet edge router configuration, QoS + NAT + some ACLs
Current configuration : 3568 bytes
!
!
version 12.2
service timestamps debug datetime
service timestamps log datetime
service password-encryption
!
hostname xxxxxx
!
enable secret 5 $1$uJPt$/Uh
!
clock timezone China 8
ip subnet-zero
no ip source-route
ip cef
!
!
ip name-server x.x.x.x
ip name-server x.x.x.x
!
no ip bootp server
!
class-map match-any premium_class
description For premium
match protocol fasttrack
match protocol http
match protocol icmp
match protocol napster
match protocol netshow
match protocol pcanywhere
match protocol realaudio
match protocol streamwork
match protocol vdolive
match protocol cuseeme
match protocol telnet
match protocol secure-http
match access-group 110
match ip precedence 5
match ip precedence 4
match ip precedence 3
class-map match-any normal_calss
description For normal
match protocol ftp
match protocol imap
match protocol pop3
match protocol secure-ftp
match protocol secure-imap
match protocol secure-pop3
match protocol smtp
match access-group 120
match ip precedence 2
match ip precedence 1
!
!
policy-map qos_policy_map
class premium_class
bandwidth percent 50
random-detect
random-detect exponential-weighting-constant 4
police cir 2000000 bc 10000 be 10000
conform-action transmit
exceed-action transmit
class normal_calss
bandwidth percent 25
random-detect
random-detect exponential-weighting-constant 4
police cir 2000000 bc 2000 be 2000
conform-action transmit
exceed-action drop
!
!
!
!
interface FastEthernet0/0
ip address 192.168.0.1 255.255.255.0
ip address 192.168.1.1 255.255.255.0 secondary
ip access-group 130 in
ip verify unicast reverse-path
ip nat inside
ip route-cache same-interface
ip route-cache policy
ip policy route-map qos
duplex auto
speed auto
no cdp enable
!
interface Serial0/0
bandwidth 2048
ip address x.x.x.x 255.255.255.252
ip verify unicast reverse-path
no ip proxy-arp
ip nat outside
rate-limit input 2000000 20000 20000 conform-action transmit exceed-action drop
ip route-cache policy
service-policy output qos_policy_map
no cdp enable
!
ip nat inside source list 10 interface Serial0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route 192.168.0.0 255.255.255.0 192.168.1.1
ip route 192.168.1.0 255.255.255.0 192.168.0.1
no ip http server
no ip pim bidir-enable
!
!
access-list 10 remark NAT
access-list 10 permit 192.168.0.0 0.0.0.255
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 110 remark normal
access-list 110 permit ip 192.168.0.0 0.0.0.255 any
access-list 120 remark premium
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
access-list 130 remark anti BT and anti-virus
access-list 130 deny tcp any any range 6881 6890 time-range work
access-list 130 deny tcp any range 6881 6890 any time-range work
access-list 130 deny tcp any any range 6969 6979 time-range work
access-list 130 deny tcp any range 6969 6979 any time-range work
access-list 130 deny tcp any any range 7000 7100 time-range work
access-list 130 deny tcp any range 7000 7100 any time-range work
access-list 130 deny tcp any any range 9995 9996
access-list 130 deny tcp any range 9995 9996 any
access-list 130 deny tcp any any eq 5554
access-list 130 deny tcp any eq 5554 any
access-list 130 permit ip any any
no cdp run
route-map qos permit 10
match ip address 110
set ip precedence priority
!
route-map qos permit 20
match ip address 120
set ip precedence critical
!
banner motd ^CUnauthorized access will be Prosecuted!!!^C
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
password 7 121A0C0411045D5D7C
login
!
time-range work
periodic weekdays 8:30 to 18:00
!
!
end
My company has two internal segments: 192.168.0.0/24 and 192.168.1.0/24.
192.168.0.0/24 is the low-priority segment and 192.168.1.0/24 the high-priority segment.
In the class-maps, premium_class covers the high-priority segment 192.168.1.0/24 and uses NBAR to match latency-sensitive applications such as napster, netshow, pcanywhere, realaudio, streamwork, vdolive, cuseeme, telnet and HTTP. normal_class covers the low-priority segment 192.168.0.0/24 and uses NBAR to match applications that are not latency-sensitive, such as ftp, pop3 and smtp.
In the policy-map, different policies are applied per class, e.g. CBWFQ and WRED. Because our Internet bandwidth is 2M, the WRED exponential weighting constant is set to 4, with a minimum threshold of 5, a maximum threshold of 17 and a mark probability denominator of 1.
In the route-map (PBR), ACL 110 and ACL 120 are matched to set different IP precedence values.
(Reposter's note: this probably cannot be called PBR yet; no policy routing is involved, the route-map is just used to set ip precedence)
On the F0/0 Ethernet interface an inbound policy, ACL 130, is added to block BT downloads during working hours 8:30 to 18:00 and to block the Sasser worm's ports.
On the S0/0 serial interface an input CAR policy is applied to shape the traffic entering S0/0.
mycisco.cn:
The overall effect looks pretty good
