Chapter 16. Router Interfaces
16.1. Viewing interface status
Problem: View the current status of the router's interfaces.
Solution:
Router1# show interfaces
Router1# show interfaces FastEthernet0/1
Router1# show ip interface brief
Router1# show ip interface FastEthernet0/1
Notes: The output of the show interfaces command contains a great deal of information; several Chinese documents online explain each field in detail, so the field meanings are not translated here. The txload and rxload values are measured over a 5-minute period by default; load-interval 60 changes this to 60 seconds. The value must be a multiple of 30 and at most 10 minutes. One more hidden command:
Router1# show interfaces FastEthernet0/1 stats
FastEthernet0/1
Switching path    Pkts In   Chars In   Pkts Out  Chars Out
Processor          294567   18704930     239526   22219870
Route cache          7758     681257      48303    6129834
Total              302325   19386187     287829   28349704
"Processor" is process switching; "Route cache" is fast switching.
16.2. Configuring a serial interface
Problem: Configure a serial interface for a WAN connection.
Solution:
Router3# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router3(config)# interface Serial1
Router3(config-if)# description WAN Connection to Chicago
Router3(config-if)# ip address 192.168.99.5 255.255.255.252
Router3(config-if)# encapsulation hdlc
Router3(config-if)# clock rate 56000
Router3(config-if)# no shutdown
Router3(config-if)# exit
Router3(config)# end
Router3#
Notes: The clock rate must be configured on the DCE side; if clock rate is configured on a DTE, the router ignores it. Use the show controller serial command to determine which type of cable is connected. By default the router assumes a serial interface has 1.544 Mbps of bandwidth, which may not be the real value; for routing protocols to compute accurate metrics, set it manually with the bandwidth command. Note that bandwidth is given in kilobits per second, whereas clock rate is in bits per second.
16.3. Using a built-in T1 CSU/DSU
Problem: Configure a WAN connection using a built-in T1 CSU/DSU.
Solution:
Router1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# interface Serial0/1
Router1(config-if)# ip address 192.168.99.9 255.255.255.252
Router1(config-if)# no shutdown
Router1(config-if)# service-module t1 timeslots 1-12
Router1(config-if)# exit
Router1(config)# end
Router1#
Notes: By default each channel uses 64 Kbps; if the circuit is 56k, append speed 56 to the service-module command above. There are many other parameters, and they must match the far end:
Router1(config-if)# service-module t1 linecode ami
Router1(config-if)# service-module t1 data-coding inverted
Router1(config-if)# service-module t1 framing sf
Router1(config-if)# service-module t1 fdl ansi
Router1(config-if)# service-module t1 fdl att
Router1(config-if)# service-module t1 remote-alarm-enable
The carrier normally provides the clock; in a lab network, to make the router the DCE, configure service-module t1 clock source internal so that it supplies the clock.
16.4. Using a built-in ISDN PRI module
Problem: Configure a built-in ISDN PRI module.
Solution:
Router8# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router8(config)# isdn switch-type primary-dms100
Router8(config)# controller T1 0
Router8(config-controller)# framing esf
Router8(config-controller)# clock source line primary
Router8(config-controller)# linecode b8zs
Router8(config-controller)# pri-group timeslots 1-24
Router8(config-controller)# exit
Router8(config)# end
Router8#
Notes: None.
16.5. Using a built-in 56 Kbps CSU/DSU
Problem: Configure a built-in 56 Kbps CSU/DSU.
Solution:
Router2# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)# interface Serial0/1
Router2(config-if)# ip address 192.168.99.25 255.255.255.252
Router2(config-if)# no shutdown
Router2(config-if)# service-module 56k clock rate 9.6
Router2(config-if)# exit
Router2(config)# end
Router2#
Notes: I have never seen this kind of module and am a little confused by it, so I am skipping it for now.
16.6. Configuring an asynchronous serial interface
Problem: Configure a synchronous/asynchronous serial interface to operate in asynchronous mode.
Solution:
Router3# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router3(config)# interface Serial1/7
Router3(config-if)# physical-layer async
Router3(config-if)# encapsulation ppp
Router3(config-if)# exit
Router3(config)# line 40
Router3(config-line)# speed 115200
Router3(config-line)# exit
Router3(config)# end
Router3#
Notes: After configuring physical-layer async, look up the line number:
Router3# show line
Tty Typ  Tx/Rx     A Modem Roty AccO AccI Uses Noise Overruns Int
  0 CTY            -  -    -    -    -    0    0    0/0      -
 40 TTY 9600/9600  -  -    -    -    -    0    0    0/0      Se1/7
 65 AUX 2400/2400  F  -    -    -    -    0    0    0/0      -
Se1/7 is line 40, and its speed has dropped to 9600, so use the speed command to change it.
16.7. Configuring ATM subinterfaces
Problem: Interconnect over PVC-based ATM links.
Solution:
Old method:
Router2# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)# interface ATM0/0
Router2(config-if)# no ip address
Router2(config-if)# exit
Router2(config)# interface ATM0/0.1 point-to-point
Router2(config-subif)# description PVC to New York
Router2(config-subif)# ip address 192.168.250.146 255.255.255.252
Router2(config-subif)# atm pvc 1 0 60 aal5snap 10000 5000 3 oam 5
Router2(config-subif)# exit
Router2(config)# end
Router2#
From 11.3 onward, the Cisco feature that periodically sends ATM OAM cells to test the VC can be used:
Router2# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)# interface ATM0/0
Router2(config-if)# no ip address
Router2(config-if)# exit
Router2(config)# interface ATM0/0.1 point-to-point
Router2(config-subif)# description PVC to New York
Router2(config-subif)# ip address 192.168.250.146 255.255.255.252
Router2(config-subif)# pvc 0/60
Router2(config-if-atm-vc)# vbr-nrt 10000 5000 30
Router2(config-if-atm-vc)# oam-pvc manage 5
Router2(config-if-atm-vc)# exit
Router2(config)# end
Router2#
Notes: Verifying the first method:
Router2# show atm pvc 0/60
ATM0/0.1: VCD: 1, VPI: 0, VCI: 60, etype:0x0, AAL5 - LLC/SNAP, Flags: 0x830
PeakRate: 10000, Average Rate: 5000, Burst Cells: 96, VCmode: 0xE000
OAM frequency: 5 second(s), InARP frequency: 15 minute(s)
InPkts: 1292959637, OutPkts: 3327374998, InBytes: 2196038015, OutBytes: 813592646
InPRoc: 19959239, OutPRoc: 24660, Broadcasts: 19481389
InFast: 1212924649, OutFast: 3297025318, InAS: 60075750, OutAS: 10843631
OAM F5 cells sent: 6804133, OAM cells received: 6740056
Status: ACTIVE
The VCD is only locally significant; the VPI and VCI must match the far end. The recommended encapsulation is AAL5SNAP; change it to AAL5CISCOPPP if PPP support is needed.
The new method no longer configures a VCD, and if 3 OAM cells are not received the interface is marked down. From 12.2(4)T onward the following command was also introduced to support SNMP alarms:
Router2(config)# snmp-server enable traps atm pvc extension oam failure loopback
16.8. Setting payload scrambling
Problem:
Solution:
Router2# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)# interface ATM0/0
Router2(config-if)# atm ds3-scramble
(or atm e3-scramble)
Router2(config-if)# exit
Router2(config)# end
Router2#
Router4# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router4(config)# interface ATM0/0
Router4(config-if)# atm scrambling cell-payload
Router4(config-if)# exit
Router4(config)# end
Router4#
Notes: Skipped for now.
16.9. Classical IP over ATM
Problem: Configure the router to support SVCs and Classical IP over ATM.
Solution:
First, the ATM ARP server:
Router1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# interface ATM1/0
Router1(config-if)# no ip address
Router1(config-if)# atm ilmi-keepalive
Router1(config-if)# pvc 0/5 qsaal
Router1(config-if-atm-vc)# exit
Router1(config-if)# pvc 0/16 ilmi
Router1(config-if-atm-vc)# exit
Router1(config-if)# exit
Router1(config)# interface ATM1/0.1 multipoint
Router1(config-subif)# ip address 192.168.123.1 255.255.255.0
Router1(config-subif)# atm esi-address A000C0A87B01.01
Router1(config-subif)# atm arp-server self
Router1(config-subif)# exit
Router1(config)# end
Router1#
The other clients:
Router2# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)# interface ATM1/0
Router2(config-if)# no ip address
Router2(config-if)# atm ilmi-keepalive
Router2(config-if)# pvc 0/5 qsaal
Router2(config-if-atm-vc)# exit
Router2(config-if)# pvc 0/16 ilmi
Router2(config-if-atm-vc)# exit
Router2(config-if)# exit
Router2(config)# interface ATM1/0.1 multipoint
Router2(config-subif)# ip address 192.168.123.2 255.255.255.0
Router2(config-subif)# atm esi-address A000C0A87B02.01
Router2(config-subif)# atm arp-server nsap 47.00918100000000e014cd0001.A000C0A87B01.01
Router2(config-subif)# exit
Router2(config)# end
Router2#
Notes: Besides the ATM SVC approach above, Local Area Network Emulation (LANE) and Multiple Protocols over ATM (MPOA) are also supported; all of them involve the Quasi Signaling Application Adaptation Layer (QSAAL) protocol and the Interim Local Management Interface (ILMI). When configuring the ARP server address on a client, remember to include the prefix; it is not just the server's ESI address.
16.10. Configuring Ethernet interface characteristics
Problem: Configure the speed, duplex and other characteristics of an Ethernet interface.
Solution:
Router1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# interface FastEthernet0/0
Router1(config-if)# media-type 100BaseX
Router1(config-if)# duplex full
Router1(config-if)# speed 100
Router1(config-if)# mac-address 0AAA.ABCD.0101
Router1(config-if)# arp timeout 60
Router1(config-if)# keepalive 5
Router1(config-if)# exit
Router1(config)# end
Router1#
Notes: None.
16.11. Configuring Token Ring interface characteristics
Problem: Configure a Token Ring interface.
Solution:
Router2# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)# interface TokenRing0
Router2(config-if)# ring-speed 4
Router2(config-if)# full-duplex
Router2(config-if)# mac-address 0006.1111.aaaa
Router2(config-if)# exit
Router2(config)# end
Router2#
Notes: Not all Token Ring modules support full duplex.
16.12. Configuring VLAN trunks with ISL
Problem: Configure VLAN trunks using the ISL protocol.
Solution:
Router1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# interface FastEthernet0/0
Router1(config-if)# no ip address
Router1(config-if)# speed 100
Router1(config-if)# full-duplex
Router1(config-if)# exit
Router1(config)# interface FastEthernet0/0.1
Router1(config-subif)# encapsulation isl 1
Router1(config-subif)# ip address 172.25.1.5 255.255.255.0
Router1(config-subif)# exit
Router1(config)# interface FastEthernet0/0.2
Router1(config-subif)# encapsulation isl 2
Router1(config-subif)# ip address 172.16.2.1 255.255.255.0
Router1(config-subif)# exit
Router1(config)# interface FastEthernet0/0.3
Router1(config-subif)# encapsulation isl 574
Router1(config-subif)# ip address 10.22.1.2 255.255.255.0
Router1(config-subif)# exit
Router1(config)# end
Router1#
Notes: This is what is commonly called router-on-a-stick; ISL is Cisco proprietary.
Router1# show interfaces FastEthernet0/0.3
Encapsulation ISL Virtual LAN, Color 574.
From 12.2(4)T onward the following was added:
Router1(config)# interface FastEthernet0/0.1
Router1(config-if)# ip unnumbered Loopback0
16.13. Configuring VLAN trunks with 802.1Q
Problem: Configure VLAN trunks using the 802.1Q protocol.
Solution:
Router2# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)# interface FastEthernet1/0
Router2(config-if)# no ip address
Router2(config-if)# speed 100
Router2(config-if)# full-duplex
Router2(config-if)# exit
Router2(config)# interface FastEthernet1/0.1
Router2(config-subif)# encapsulation dot1Q 1 native
Router2(config-subif)# ip address 172.25.1.47 255.255.255.0
Router2(config-subif)# exit
Router2(config)# interface FastEthernet1/0.2
Router2(config-subif)# encapsulation dot1Q 2
Router2(config-subif)# ip address 172.25.22.4 255.255.255.0
Router2(config-subif)# exit
Router2(config)# interface FastEthernet1/0.3
Router2(config-subif)# encapsulation dot1Q 548
Router2(config-subif)# ip address 172.20.1.1 255.255.255.0
Router2(config-subif)# exit
Router2(config)# end
Router2#
Notes: The thing to watch here is the native VLAN. The default is VLAN 1, but it can be set to another VLAN; make sure the router's native VLAN matches the switch's.
16.14. LPD printer support
Problem: Attach a printer to one of the router's asynchronous serial ports.
Solution:
Router1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# printer rtlpr1 line 161
Router1(config)# end
Router1#
Notes: First you need a host that supports the Berkeley Unix LPD print program, and you configure its /etc/printcap to redirect print jobs to the router. The printer must support a serial connection. Finally, use show line to find the line number of the AUX port, which is 161 in the example above. The following line configuration is also recommended:
Router1(config)# line aux 0
Router1(config-line)# no exec
Router1(config-line)# no login
Router1(config-line)# no password
Router1(config-line)# transport input none
Router1(config-line)# speed 115200
Router1(config-line)# exit
Router1# show printer
Printer  Line  Rotary  Errors  Connections  Datafiles  Controlfiles  Bytes
rtlpr1   161   0       0       0            0          0             0
Router1#
Chapter 17. SNMP
17.1. Configuring SNMP
Problem: Enable basic SNMP service on the router.
Solution:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# snmp-server community ORARO ro
Router(config)# snmp-server community ORARW rw
Router(config)# end
Router#
From 12.0 onward another configuration method is available:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# snmp-server group COOKRO v1
Router(config)# snmp-server user TESTRO1 COOKRO v1
Router(config)# snmp-server group BOOKRO v2c
Router(config)# snmp-server user TESTRO2 BOOKRO v2c
Router(config)# end
Notes: Note that this enables only the basic SNMP service: the router will answer SNMP GET and SET requests but will not send SNMP traps or informs. Because SNMP v1 and v2c transmit the community string in cleartext, the security restrictions covered in the following recipes are needed.
show snmp group can be used to verify the configuration.
17.2. Retrieving router information with SNMP tools
Notes: The MIB can be queried directly with the snmpget, snmpwalk and snmpset commands; a graphical tool such as Solarwinds is recommended. Skipped for now.
Cisco MIB information:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
17.3. Configuring important router information for SNMP access
Problem: Make important information such as the router's location and serial number available via SNMP.
Solution:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# snmp-server contact Ian Brown 416-555-2943
Router(config)# snmp-server location 999 Queen St. W., Toronto, Ont.
Router(config)# snmp-server chassis-id JAX123456789
Router(config)# end
Router#
Notes: None.
17.4. Retrieving information from many routers with SNMP
Notes: Uses a Perl script for bulk operations; skipped for now.
17.5. Restricting SNMP access with access lists
Problem: Use access lists to improve the security of SNMP access.
Solution:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# access-list 99 permit 172.25.1.0 0.0.0.255
Router(config)# access-list 99 permit host 10.1.1.1
Router(config)# access-list 99 deny any
Router(config)# snmp-server community ORARO ro 99
Router(config)# access-list 98 permit 172.25.1.0 0.0.0.255
Router(config)# snmp-server community ORARW rw 98
Router(config)# end
Router#
Using SNMP groups:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# access-list 99 permit 172.25.1.0 0.0.0.255
Router(config)# access-list 99 permit host 10.1.1.1
Router(config)# access-list 99 deny any
Router(config)# snmp-server group COOKRO v1 access 99
Router(config)# snmp-server user TESTRO1 COOKRO v1
Router(config)# end
Router#
From 12.3(2)T onward, named access lists are supported:
Router2# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)# ip access-list standard SNMPACL
Router2(config-std-nacl)# permit 172.25.1.0 0.0.0.255
Router2(config-std-nacl)# permit host 10.1.1.1
Router2(config-std-nacl)# deny any
Router2(config-std-nacl)# snmp-server community ORARO1 ro SNMPACL
Router2(config)# end
Router2#
Notes: None.
17.6. Logging unauthorized SNMP attempts
Problem: Log unauthorized SNMP access attempts.
Solution:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# access-list 99 permit 172.25.1.0 0.0.0.255
Router(config)# access-list 99 permit host 10.1.1.1
Router(config)# access-list 99 deny any log
Router(config)# snmp-server community ORARO ro 99
Router(config)# snmp-server community ORARW rw 99
Router(config)# end
Router#
Notes: The match counter on the deny entry and the logged messages show which sources were refused:
Router# show access-list 99
Standard IP access list 99
permit 10.1.1.1 (1293 matches)
permit 172.25.1.0, wildcard bits 0.0.0.255 (630 matches)
deny any log (17 matches)
Router# show logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Console logging: disabled
Monitor logging: level debugging, 26 messages logged
Logging to: vty2(0)
Buffer logging: level debugging, 49 messages logged
Trap logging: level informational, 53 message lines logged
Logging to 172.25.1.1, 53 message lines logged
Logging to 172.25.1.3, 53 message lines logged
Log Buffer (4096 bytes):
Apr 15 22:33:21: %SEC-6-IPACCESSLOGS: list 99 denied 192.168.22.13 1 packet
Apr 15 22:39:18: %SEC-6-IPACCESSLOGS: list 99 denied 10.121.212.11 3 packets
Router#
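As an added example (not part of the original cookbook or of this translation's own material), the following Python script parses the %SEC-6-IPACCESSLOGS messages that the deny any log entry produces and totals the denied packets per source, so a log buffer dump or a syslog server file can be reviewed for unauthorized SNMP sources. The log lines it processes are constructed here, not captured from a device.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Body of the %SEC-6-IPACCESSLOGS message that "deny any log" on a standard IP
# access list produces (see the "show logging" output above). Only the body is
# matched because the timestamp prefix differs between the router's own log
# buffer and the line a syslog server writes (chapter 18 shows both forms).
ACL_DENY_RE = re.compile(
    r"%SEC-6-IPACCESSLOGS: list (?P<acl>\S+) denied "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<count>\d+) packets?"
)

# Constructed sample log (not captured from a device): the two recipe lines,
# an unrelated message, a second summary for the same source and one line in
# the syslog-server format with "logging origin-id hostname" enabled.
SAMPLE_LOG = """\
Apr 15 22:33:21: %SEC-6-IPACCESSLOGS: list 99 denied 192.168.22.13 1 packet
Apr 15 22:39:18: %SEC-6-IPACCESSLOGS: list 99 denied 10.121.212.11 3 packets
Apr 15 22:41:02: %SYS-5-CONFIG_I: Configured from console by ijbrown on vty0 (172.25.1.1)
Apr 15 22:44:18: %SEC-6-IPACCESSLOGS: list 99 denied 10.121.212.11 5 packets
Jul 15 20:37:05 172.25.1.100: Router2: Jul 15 20:37:05.173 EDT: %SEC-6-IPACCESSLOGS: list 99 denied 192.168.22.13 2 packets
"""


def summarize_acl_denials(lines: Iterable[str]) -> Dict[Tuple[str, str], int]:
    """Total denied packets per (access list, source address).

    IOS logs the first denied packet immediately and then a summary of the
    packets seen in each following 5-minute window, so the per-line count is
    a window total, not one packet per line.
    """
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    for line in lines:
        m = ACL_DENY_RE.search(line)
        if m:
            totals[(m["acl"], m["src"])] += int(m["count"])
    return dict(totals)


def sources_over_threshold(totals: Dict[Tuple[str, str], int], acl: str,
                           min_packets: int) -> List[Tuple[str, int]]:
    """Sources refused by `acl` with at least `min_packets`, busiest first."""
    hits = [(src, n) for (a, src), n in totals.items()
            if a == acl and n >= min_packets]
    return sorted(hits, key=lambda item: (-item[1], item[0]))


def report(log_text: str = SAMPLE_LOG, acl: str = "99",
           min_packets: int = 1) -> List[Tuple[str, int]]:
    """Parse a log blob and rank the sources denied by the given list."""
    totals = summarize_acl_denials(log_text.splitlines())
    return sources_over_threshold(totals, acl, min_packets)


if __name__ == "__main__":
    for src, n in report():
        print(f"list 99 denied {src}: {n} packet(s)")
```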
17.7. Restricting MIB access
Problem: Restrict which MIBs can be accessed via SNMP.
Solution:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# access-list 99 permit 172.25.1.0 0.0.0.255
Router(config)# access-list 99 deny any log
Router(config)# snmp-server view ORAVIEW mib-2 included
Router(config)# snmp-server view ORAVIEW at excluded
Router(config)# snmp-server view ORAVIEW cisco included
Router(config)# snmp-server community ORARO view ORAVIEW ro 99
Router(config)# snmp-server view RESTRICTED lsystem.55 included
Router(config)# snmp-server community ORARW view RESTRICTED rw 99
Router(config)# end
Router#
Using SNMP groups:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# snmp-server view ORAVIEW mib-2 included
Router(config)# snmp-server view ORAVIEW at excluded
Router(config)# snmp-server view ORAVIEW cisco included
Router(config)# snmp-server group TEST v1 read ORAVIEW
Router(config)# snmp-server user ORARO TEST v1
Router(config)# snmp-server view RESTRICTED lsystem.55 included
Router(config)# snmp-server group TEST2 v1 write RESTRICTED
Router(config)# snmp-server user ORARW TEST2 v1
Router(config)# end
Router#
Notes: Verifying the views:
Router# show snmp view
ORAVIEW mib-2 - included nonvolatile active
ORAVIEW at - excluded nonvolatile active
ORAVIEW cisco - included nonvolatile active
v1default internet - included volatile active
v1default internet.6.3.15 - excluded volatile active
v1default internet.6.3.16 - excluded volatile active
v1default internet.6.3.18 - excluded volatile active
RESTRICTED cisco - included nonvolatile active
RESTRICTED lsystem.55 - included nonvolatile active
Router#
17.8. Modifying the running configuration via SNMP
Problem: Use SNMP to download or upload the router's configuration file.
Solution:
The example uses a FreeBSD host with NET-SNMP installed.
First enable SNMP on the router:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# snmp-server community ORARW rw
Router(config)# end
Download the configuration:
Freebsd% touch /tftpboot/router.cfg
Freebsd% chmod 666 /tftpboot/router.cfg
Freebsd% snmpset -v1 -c ORARW Router .1.3.6.1.4.1.9.2.1.55.172.25.1.1 s router.cfg
enterprises.9.2.1.55.172.25.1.1 = "router.cfg"
Freebsd%
After editing the configuration, upload and save it:
Freebsd% echo "no ip source-route" > /tftpboot/new.cfg
Freebsd% echo "end" >> /tftpboot/new.cfg
Freebsd% chmod 666 /tftpboot/new.cfg
Freebsd% snmpset -v1 -c ORARW Router .1.3.6.1.4.1.9.2.1.53.172.25.1.1 s new.cfg
enterprises.9.2.1.53.172.25.1.1 = "new.cfg"
Freebsd% snmpset -v1 -c ORARW Router .1.3.6.1.4.1.9.2.1.54.0 i 1
enterprises.9.2.1.54.0 = 1
Freebsd%
Notes: .1.3.6.1.4.1.9.2.1.55 is the OID in the Cisco MIB that makes the router send its current configuration; 172.25.1.1 is the TFTP server address. When modifying the configuration file, be sure to finish it with the end command; note that the OID used for uploading is .1.3.6.1.4.1.9.2.1.53. The final snmpset command saves the uploaded configuration. All of the above can of course also be done with Solarwinds software.
17.9. Upgrading IOS via SNMP
Problem: Upgrade the router's IOS remotely via SNMP.
Solution:
First configure the router:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# snmp-server community ORARW rw
Router(config)# end
Download the current IOS:
Freebsd% touch /tftpboot/c2600-jk9o3s-mz.122-7a.bin
Freebsd% chmod 666 /tftpboot/c2600-jk9o3s-mz.122-7a.bin
Freebsd% snmpset -v1 -c ORARW Router .1.3.6.1.4.1.9.2.10.9.172.25.1.1 s c2600-jk9o3s-mz.122-7a.bin
enterprises.9.2.10.9.172.25.1.1 = "c2600-jk9o3s-mz.122-7a.bin"
Freebsd%
Upgrade the IOS:
Freebsd% chmod 666 /tftpboot/c2600-jk9o3s-mz.122-7a.bin
Freebsd% snmpset -v1 -c ORARW Router .1.3.6.1.4.1.9.2.10.6.0 i 1
enterprises.9.2.10.6.0 = 1
Freebsd% snmpset -v1 -c ORARW Router .1.3.6.1.4.1.9.2.10.12.172.25.1.1 s c2600-jk9o3s-mz.122-7a.bin
enterprises.9.2.10.12.172.25.1.1 = "c2600-jk9o3s-mz.122-7a.bin"
Freebsd%
Notes: Router in the example is the router's hostname; an IP address can be used instead. .1.3.6.1.4.1.9.2.10.9 is the corresponding OID. When upgrading the IOS, the first step erases the flash and the second uploads the new IOS. This can be scripted for centralized IOS management.
17.10. Making bulk configuration changes with SNMP
Notes: Uses a Perl script for bulk operations; skipped for now.
17.11. Preventing unauthorized configuration changes
Problem: Allow only specific devices to send and receive configuration information via SNMP and TFTP.
Solution:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# access-list 92 permit 172.25.1.1
Router(config)# access-list 92 deny any log
Router(config)# snmp-server tftp-server-list 92
Router(config)# snmp-server community ORARW rw
Router(config)# end
Router#
From 12.3(2)T onward, named access lists are supported:
Router2# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)# ip access-list standard TFTPACL
Router2(config-std-nacl)# permit 172.25.1.1
Router2(config-std-nacl)# deny any log
Router2(config-std-nacl)# exit
Router2(config)# snmp-server tftp-server-list TFTPACL
Router2(config)# snmp-server community ORARW rw
Router2(config)# end
Router2#
Notes: Note that this restricts only the TFTP sessions initiated through SNMP; other file transfers are unaffected. Also, this access list is global and cannot be applied to a specific community string.
17.12. Keeping interface index values persistent
Problem: Ensure that SNMP uses the same interface index values even after a reload.
Solution:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# snmp-server ifindex persist
Router(config)# end
Router#
It can also be done per interface:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface Serial0/0
Router(config-if)# snmp ifindex persist
Router(config-if)# exit
Router(config)# end
Router#
Notes: Many engineers do not realize that the router's internal SNMP interface index can change, which leads to wrong results when polling. In the example below, FastEthernet1/0 has ifIndex 5:
Freebsd% snmpwalk -v1 -c ORARO Router ifDescr
interfaces.ifTable.ifEntry.ifDescr.1 = "BRI0/0"
interfaces.ifTable.ifEntry.ifDescr.2 = "Ethernet0/0"
interfaces.ifTable.ifEntry.ifDescr.3 = "BRI0/0:1"
interfaces.ifTable.ifEntry.ifDescr.4 = "BRI0/0:2"
interfaces.ifTable.ifEntry.ifDescr.5 = "FastEthernet1/0"
interfaces.ifTable.ifEntry.ifDescr.6 = "Null0"
interfaces.ifTable.ifEntry.ifDescr.7 = "Loopback0"
After a reload, the same query shows that it has become 2:
Freebsd% snmpwalk -v1 -c ORARO Router ifDescr
interfaces.ifTable.ifEntry.ifDescr.1 = "Ethernet0/0"
interfaces.ifTable.ifEntry.ifDescr.2 = "FastEthernet1/0"
interfaces.ifTable.ifEntry.ifDescr.3 = "Null0"
interfaces.ifTable.ifEntry.ifDescr.4 = "Loopback0"
This makes life difficult for network management.
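Added example, not from the cookbook: a Python script that parses the two ifDescr walks above, lists every ifIndex whose meaning changed after the reload, and re-resolves the interfaces a poller monitors by name, which is the workaround when ifindex persistence cannot be enabled. The walk text is copied from the recipe; the list of monitored interfaces is made up.

```python
import re
from typing import Dict, List, Optional, Tuple

# One line of "snmpwalk ... ifDescr" output, e.g.
#   interfaces.ifTable.ifEntry.ifDescr.5 = "FastEthernet1/0"
IFDESCR_RE = re.compile(r'ifDescr\.(?P<ifindex>\d+)\s*=\s*"(?P<descr>[^"]*)"')

# The two walks from the recipe above: before and after the reload.
WALK_BEFORE = """\
interfaces.ifTable.ifEntry.ifDescr.1 = "BRI0/0"
interfaces.ifTable.ifEntry.ifDescr.2 = "Ethernet0/0"
interfaces.ifTable.ifEntry.ifDescr.3 = "BRI0/0:1"
interfaces.ifTable.ifEntry.ifDescr.4 = "BRI0/0:2"
interfaces.ifTable.ifEntry.ifDescr.5 = "FastEthernet1/0"
interfaces.ifTable.ifEntry.ifDescr.6 = "Null0"
interfaces.ifTable.ifEntry.ifDescr.7 = "Loopback0"
"""
WALK_AFTER = """\
interfaces.ifTable.ifEntry.ifDescr.1 = "Ethernet0/0"
interfaces.ifTable.ifEntry.ifDescr.2 = "FastEthernet1/0"
interfaces.ifTable.ifEntry.ifDescr.3 = "Null0"
interfaces.ifTable.ifEntry.ifDescr.4 = "Loopback0"
"""

# Constructed list of the interfaces a hypothetical poller graphs.
MONITORED = ["FastEthernet1/0", "Loopback0", "BRI0/0"]


def parse_ifdescr_walk(text: str) -> Dict[int, str]:
    """Map ifIndex -> ifDescr from the text of an ifDescr walk."""
    return {int(m["ifindex"]): m["descr"] for m in IFDESCR_RE.finditer(text)}


def ifindex_shifts(before: Dict[int, str],
                   after: Dict[int, str]) -> List[Tuple[int, str, Optional[str]]]:
    """ifIndex values that now name a different interface (None = gone).

    A poller that cached ifIndex 5 for FastEthernet1/0 before the reload
    reads nothing at .5 afterwards, and one that cached .2 for Ethernet0/0
    is now silently charting FastEthernet1/0. Every tuple returned here is
    a graph that went wrong without any error being raised.
    """
    return [(idx, descr, after.get(idx))
            for idx, descr in sorted(before.items())
            if after.get(idx) != descr]


def rekey_by_descr(monitored: List[str],
                   after: Dict[int, str]) -> Dict[str, Optional[int]]:
    """Resolve monitored interface names to the ifIndex values valid now.

    Keying the poller on ifDescr and re-walking after each reload is the
    fallback when "snmp-server ifindex persist" is not available.
    """
    by_descr = {descr: idx for idx, descr in after.items()}
    return {name: by_descr.get(name) for name in monitored}


if __name__ == "__main__":
    before = parse_ifdescr_walk(WALK_BEFORE)
    after = parse_ifdescr_walk(WALK_AFTER)
    for idx, old, new in ifindex_shifts(before, after):
        print(f"ifIndex {idx}: {old!r} -> {new!r}")
    print("current indexes:", rekey_by_descr(MONITORED, after))
```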
17.13. Enabling SNMP traps and informs
Problem: Configure the router to generate traps or informs for specific events.
Solution:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# snmp-server enable traps
Router(config)# snmp-server host 172.25.1.1 ORATRAP config entity envmon hsrp
Router(config)# snmp-server host nms.oreilly.com ORATRAP bgp snmp envmon
Router(config)# end
Router#
From SNMP v2c onward the router supports SNMP informs:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# snmp-server enable informs
Router(config)# snmp-server host 172.25.1.1 informs version 2c ORATRAP snmp envmon
Router(config)# end
Router#
Notes: These traps are sent proactively by the router; they are not responses to SNMP requests. A command such as snmp-server enable traps envmon sends only specific traps, and different traps can be sent to different NMS hosts.
17.14. Sending syslog messages as SNMP traps
Problem: Encapsulate syslog messages in SNMP traps or informs.
Solution:
Traps:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# logging history informational
Router(config)# snmp-server enable traps syslog
Router(config)# snmp-server host 172.25.1.1 ORATRAP syslog
Router(config)# end
Router#
Informs:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# logging history informational
Router(config)# snmp-server enable informs
Router(config)# snmp-server host 172.25.1.1 informs version 2c ORATRAP syslog
Router(config)# end
Router#
Notes:
Router# clear counters
Clear "show interface" counters on all interfaces [confirm]
Router#
May 28 10:07:04: %CLEAR-5-COUNTERS: Clear counter on all interfaces by ijbrown on vty0 (172.25.1.1)
The syslog message above becomes the following SNMP message:
Freebsd% tail snmptrapd.log
May 28 10:07:04 freebsd snmptrapd[77759]: 172.25.25.1: Enterprise Specific Trap (1) Uptime: 18 days, 22:35:26.99, enterprises.9.9.41.1.2.3.1.2.118 = "CLEAR", enterprises.9.9.41.1.2.3.1.3.118 = 6, enterprises.9.9.41.1.2.3.1.4.118 = "COUNTERS", enterprises.9.9.41.1.2.3.1.5.118 = "Clear counter on all interfaces by ijbrown on vty0 (172.25.1.1)", enterprises.9.9.41.1.2.3.1.6.118 = Timeticks: (163652698) 18 days, 22:35:26.98
Freebsd%
17.15. Setting the SNMP packet size
Problem: Change the default SNMP packet size.
Solution:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# snmp-server packetsize 1480
Router(config)# end
Router#
Notes: The default is 1500 bytes.
17.16. Setting the SNMP queue size
Problem: Increase the size of the SNMP trap queue.
Solution:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# snmp-server queue-length 25
Router(config)# snmp-server inform pending 40
Router(config)# end
Router#
Notes: By default the trap queue holds 10 trap messages and the inform queue holds 25. show snmp displays the queue configuration and the number of dropped traps.
17.17. Setting the SNMP timeout
Problem: Adjust the SNMP trap timeout.
Solution:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# snmp-server trap-timeout 60
Router(config)# snmp-server inform timeout 120
Router(config)# end
Router#
Notes: Strictly speaking, this is the retransmission wait time.
17.18. Disabling link up/down traps on an interface
Problem: Ignore link-state alarms from a specific interface.
Solution:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface Serial0/0
Router(config-if)# no snmp trap link-status
Router(config-if)# exit
Router(config)# end
Router#
Notes: For example, on certain dial-up interfaces.
17.19. Setting the source address of SNMP traps
Problem: Set the source address of SNMP trap messages.
Solution:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# snmp-server host 172.25.1.1 ORATRAP
Router(config)# snmp-server trap-source loopback0
Router(config)# end
Router#
Notes: None.
17.20. Sending traps with RMON
Problem: Send a trap when CPU utilization exceeds a threshold, or on other important events.
Solution:
CPU utilization exceeds a threshold:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# rmon event 1 log trap ORATRAP description "CPU on Router has exceeded threshold" owner ijbrown
Router(config)# rmon event 2 log description "CPU on Router has normalized" owner ijbrown
Router(config)# rmon alarm 1 lsystem.57.0 60 absolute rising-threshold 70 1 falling-threshold 40 2 owner ijbrown
Router(config)# end
Router#
Memory utilization exceeds a threshold:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# rmon event 4 log trap ORATRAP description "Low memory condition on Router" owner ijbrown
Router(config)# rmon event 5 log trap ORATRAP description "Low Memory condition cleared on Router" owner ijbrown
Router(config)# rmon alarm 3 lsystem.8.0 60 absolute rising-threshold 1500000 5 falling-threshold 1000000 4 owner ijbrown
Router(config)# end
Router#
Link utilization exceeds a threshold:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# rmon event 6 log trap ORATRAP description "Bandwidth utilization has exceeded threshold on Router interface Serial 0/0" owner ijbrown
Router(config)# rmon event 7 log trap ORATRAP description "Bandwidth utilization has normalized on Router interface Serial 0/0" owner ijbrown
Router(config)# ! Configure inbound alarm on Serial0/0 (ifNumber 3)
Router(config)# rmon alarm 4 lifEntry.6.3 300 absolute rising-threshold 1000000 6 falling-threshold 800000 7 owner ijbrown
Router(config)# ! Configure outbound alarm on Serial0/0 (ifNumber 3)
Router(config)# rmon alarm 5 lifEntry.8.3 300 absolute rising-threshold 1000000 6 falling-threshold 800000 7 owner ijbrown
Router(config)# end
Router#
Notes: The router has this inexpensive monitoring built in:
Router> show rmon events
Event 1 is active, owned by ijbrown
Description is CPU on Router has exceeded threshold
Event firing causes log and trap to community ORATRAP, last fired 00:00:00
Event 2 is active, owned by ijbrown
Description is CPU on Router has normalized
Event firing causes log, last fired 2w2d
Current log entries:
index time description
1 2w2d CPU on Router has normalized
Router>
17.21. Enabling SNMPv3
Problem: Enable SNMPv3 for security.
Solution:
(noAuthNoPriv):
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# snmp-server view TESTV3 mib-2 include
Router(config)# snmp-server group NOTSAFE v3 noauth read TESTV3
Router(config)# snmp-server user WEAK NOTSAFE v3
Router(config)# end
Router#
(authNoPriv):
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# snmp-server view TESTV3 mib-2 include
Router(config)# snmp-server group ORAROV3 v3 auth read TESTV3
Router(config)# snmp-server user cking ORAROV3 v3 auth md5 daytona19y
Router(config)# end
Router#
(authPriv):
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# snmp-server view TESTV3 mib-2 include
Router(config)# snmp-server group ORAROV3 v3 auth read TESTV3
Router(config)# snmp-server user bpugsley ORAROV3 v3 auth md5 hockeyrules priv des56 shortguy
Router(config)# end
Router#
Notes: The biggest advantage of v3 is the added security; the example shows the three security levels to choose from.
17.22. Stronger SNMPv3 encryption
Problem: Strengthen the v3 encryption.
Solution:
From 12.4(2)T onward stronger encryption methods are available:
Router1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# snmp-server user wbrejniak ORAROV3 v3 auth md5 authpass priv 3des privpass
Router1(config)# end
Router1#
or:
Router1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# snmp-server user wbrejniak ORAROV3 v3 auth md5 authpass priv aes 128 privpass
Router1(config)# end
Router1#
Notes: None.
17.23. Using SAA
Problem: Configure the router to poll another device automatically to gather performance statistics.
Solution:
Router1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# rtr responder
Router1(config)# rtr 10
Router1(config-rtr)# type echo protocol ipIcmpEcho 10.1.2.3
Router1(config-rtr)# tag ECHO_TEST
Router1(config-rtr)# threshold 1000
Router1(config-rtr)# frequency 300
Router1(config-rtr)# exit
Router1(config)# rtr schedule 10 life 2147483647 start-time now
Router1(config)# rtr 20
Router1(config-rtr)# type jitter dest-ipaddr 10.1.2.3 dest-port 99 num-packets 100
Router1(config-rtr)# tag JITTER_TEST
Router1(config-rtr)# frequency 300
Router1(config-rtr)# exit
Router1(config)# rtr schedule 20 life 100000 start-time now ageout 3600
Router1(config)# exit
Router1#
The target router, which responds to the SAA tests:
Router2# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)# rtr responder
Router2(config)# exit
Router2#
Notes: None.
Chapter 18. Logging
18.1. Enabling local router logging
Problem: Have the router keep its own log records rather than only displaying them on the terminal.
Solution:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# logging buffered informational
Router(config)# end
Router#
Notes: The default logging level is debugging; the example uses informational, which drops debug messages. To disable buffered logging, use the following commands:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# no logging buffered
Router(config)# end
Router#
18.2. Setting the log buffer size
Problem: Change the size of the router's log buffer.
Solution:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# logging buffered 16000
Router(config)# end
Router#
Notes: Note that changing the size clears the existing log records.
18.3. Clearing the router's log
Problem: Clear the router's log records.
Solution:
Router# clear logging
Clear logging buffer [confirm]
Router#
Notes: None.
18.4. Displaying log messages on the screen
Problem: Display log messages in real time on the terminal.
Solution:
Enable:
Router# terminal monitor
Router#
Disable:
Router# terminal no monitor
Router#
Notes: By default log messages are displayed only on the console; to see them in a VTY session you must use the command above.
18.5. Using a remote log server
Problem: Send log messages to a remote log server.
Solution:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# logging 172.25.1.1
Router(config)# end
Router#
From 12.2(15)T onward the following command form can also be used:
Router2# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)# logging host 172.25.1.1
Router2(config)# end
Router2#
Notes: 12.2(15)T added a feature that includes the hostname in the messages sent to the server. This is the original log record:
Jul 15 20:35:07 172.25.1.100: Jul 15 20:35:07.499 EDT: %SYS-5-CONFIG_I: Configured from console by ijbrown on vty0 (172.25.1.1)
And this is the record with the feature enabled:
Jul 15 20:37:05 172.25.1.100: Router2: Jul 15 20:37:05.173 EDT: %SYS-5-CONFIG_I: Configured from console by ijbrown on vty0 (172.25.1.1)
Configuration:
Router2# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)# logging origin-id hostname
Router2(config)# end
Router2#
18.6. Enabling the syslog service on a Unix server
Problem: Configure a Unix server to receive syslog records.
Solution:
Usually all that is needed is the following line in /etc/syslog.conf:
local7.info /var/log/rtrlog
Notes: By default the router uses the local7 logging facility.
18.7. Changing the default log facility
Problem: Change the default log facility.
Solution:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# logging host 172.25.1.1
Router(config)# logging facility local6
Router(config)# end
Router#
Notes: None.
18.8. Restricting which log messages are sent to the server
Problem: Send only log messages of specific severity levels to the server.
Solution:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# logging host 172.25.1.1
Router(config)# logging trap notifications
Router(config)# end
Router#
Notes: None.
18.9. Setting the source address of syslog messages
Problem: Have the router's syslog messages use a specific source address.
Solution:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# logging host 172.25.1.1
Router(config)# logging source-interface Loopback0
Router(config)# end
Router#
Notes: If the log server then translates the source address to a name, the result looks like this:
Apr 2 20:27:01 172.25.2.6 94: %SYS-5-CONFIG_I: Configured from on vty0
Apr 2 20:27:48 Boston 95: %SYS-5-CONFIG_I: Configured from on vty0
18.10. Logging router messages to different files
Notes: Skipped.
18.11. Maintaining log records on the server
Notes: Uses scripts to archive log records automatically; skipped.
18.12. Testing the log server configuration
Notes: Uses a script to test whether the log server is configured correctly; skipped.
18.13. Preventing common messages from being logged
Problem: Suppress common messages, such as interface state changes, from the log.
Solution:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface Serial0/0
Router(config-if)# no logging event link-status
Router(config-if)# no logging event dlci-status-change
Router(config-if)# no logging event subif-link-status
Router(config-if)# exit
Router(config)# end
Router#
Notes: Skipped.
18.14. 日志记录的流量控制
提问 限制发送到服务器的日志流量
回答
Router#
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#
logging host
172.25.1.1
Router(config)#
logging rate-limit
30 except warnings
Router(config)#
end
Router#
To limit the number of messages logged to the console:
Router#
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#
logging rate-limit console 25 except warnings
Router(config)#
end
Router#
Discussion: None
18.15. Enabling Logging Counts
Problem: Count the types and numbers of router log messages
Solution
Router2#
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#
logging count
Router2(config)#
end
Router2#
Discussion
Router2#
show logging count
Facility Message Name Sev Occur Last Time
==================================================================================
NTP PEERREACH 6 3 Jul 13 20:31:34.441
NTP PEERSYNC 5 1 Jul 13 20:23:03.571
NTP PEERUNREACH 4 3 Jul 13 20:22:00.435
NTP RESTART 6 1 Jan 31 14:13:33.769
------------- ------------------------------- ----------------------------------
NTP TOTAL 8
18.16. Generating Log Messages in XML Format
Problem: Send log messages in XML format
Solution
Router2#
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#
logging console xml
Router2(config)#
logging monitor xml
Router2(config)#
logging buffered xml
Router2(config)#
logging host 172.25.1.1 xml
Router2(config)#
end
Router2#
Discussion: This feature was introduced in 12.2(15)T; it makes post-processing easier.
18.17. Modifying Log Messages
Problem: Modify some attributes of system log messages
Solution
First write a Tcl script (delcounters.tcl filters out log messages whose mnemonic is COUNTERS):
# delcounters.tcl This script deletes all log messages that
# have the mnemonic "COUNTERS".
# ESM passes the message mnemonic in $::mnemonic and the original
# message text in $::orig_msg; returning "" drops the message.
if { [string compare -nocase COUNTERS $::mnemonic ] == 0 } {
return ""
} else {
return $::orig_msg
}
Then reference the script:
Router2#
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#
logging filter tftp://172.25.1.1/delcounters.tcl
Router2(config)#
logging host 172.25.1.1 filtered
Router2(config)#
end
Router2#
Discussion: The Embedded Syslog Manager (ESM), introduced in 12.3(2)T, provides a programmatic interface for full control over log messages, including filtering and modification, driven mainly by Tcl scripts.
Chapter 19. Access Lists
19.1. Filtering by Source or Destination Address
Problem: Block packets coming from or going to a particular address
Solution
Use a standard access list to block packets from a particular source address:
Router1#
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#
access-list 50 deny host 10.2.2.2
Router1(config)#
access-list 50 permit any
Router1(config)#
interface Serial0/1
Router1(config-if)#
ip access-group 50 in
Router1(config-if)#
exit
Router1(config)#
end
Router1#
Use an extended access list to block packets from a particular source address to a particular destination address:
Router1#
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#
access-list 150 deny ip host 10.2.2.2 host 172.25.25.1
Router1(config)#
access-list 150 permit ip any any
Router1(config)#
interface Serial0/1
Router1(config-if)#
ip access-group 150 in
Router1(config-if)#
exit
Router1(config)#
end
Router1#
Discussion
19.2. Adding Comments to an ACL
Problem: Add comments to an access list to make it easier to read
Solution
Router1#
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#
access-list 50 remark Authorizing thy trespass with compare
Router1(config)#
access-list 50 deny host 10.2.2.2
Router1(config)#
access-list 50 permit 10.2.2.0 0.0.0.255
Router1(config)#
access-list 50 permit any
Router1(config)#
end
Router1#
Or:
Router2#
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#
ip access-list standard TESTACL
Router2(config-std-nacl)#
remark Authorizing thy trespass with compare
Router2(config-std-nacl)#
deny host 10.2.2.2
Router2(config-std-nacl)#
permit 10.2.2.0 0.0.0.255
Router2(config-std-nacl)#
permit any
Router2(config-std-nacl)#
end
Router2#
Discussion: The remarks are not shown in the output of show access-list.
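The matching rules behind recipes 19.1 and 19.2 (wildcard masks, first match wins, implicit deny at the end, remarks ignored) are easy to get wrong when reading a long list by eye. The following is an added example, not code from the book: a small evaluator for standard access lists in Python. The function names and the variant list without a final permit any are this example's own.

```python
import ipaddress
from typing import List, Optional, Tuple

# Added example: a minimal evaluator for IOS standard access lists (permit/deny
# by source address) using wildcard masks and first-match semantics.  Function
# names and the sample lists are this example's own choices.

def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def parse_standard_acl(lines: List[str]) -> Tuple[Optional[str], List[Tuple[str, int, int]]]:
    """Parse 'access-list N permit|deny <host A | A WILDCARD | any>' lines.

    Returns (list_number, entries); each entry is (action, base, wildcard) as ints.
    Remarks are skipped because, as the recipe notes, they do not affect matching.
    """
    number = None
    entries: List[Tuple[str, int, int]] = []
    for raw in lines:
        parts = raw.split()
        if len(parts) < 3 or parts[0] != "access-list":
            continue
        number = parts[1]
        if parts[2] == "remark":
            continue
        action, spec = parts[2], parts[3:]
        if spec[0] == "any":
            base, wildcard = 0, 0xFFFFFFFF
        elif spec[0] == "host":
            base, wildcard = _to_int(spec[1]), 0
        elif len(spec) == 1:          # bare address: IOS treats it as a host entry
            base, wildcard = _to_int(spec[0]), 0
        else:
            base, wildcard = _to_int(spec[0]), _to_int(spec[1])
        entries.append((action, base, wildcard))
    return number, entries

def matches(addr: str, base: int, wildcard: int) -> bool:
    # A wildcard bit of 1 means "don't care"; only the zero bits must agree.
    return (_to_int(addr) ^ base) & ~wildcard & 0xFFFFFFFF == 0

def evaluate(entries: List[Tuple[str, int, int]], addr: str) -> Tuple[str, Optional[int]]:
    """First matching entry decides; an implicit 'deny' ends every IOS ACL.

    Returns (action, index_of_matching_entry); the index is None for the
    implicit deny.
    """
    for i, (action, base, wildcard) in enumerate(entries):
        if matches(addr, base, wildcard):
            return action, i
    return "deny", None

# The access list from recipe 19.2, with the remark kept to show it is ignored.
ACL_50 = [
    "access-list 50 remark Authorizing thy trespass with compare",
    "access-list 50 deny host 10.2.2.2",
    "access-list 50 permit 10.2.2.0 0.0.0.255",
    "access-list 50 permit any",
]

# Constructed variant without the final 'permit any', to show the implicit deny.
ACL_NO_PERMIT_ANY = ACL_50[:3]

if __name__ == "__main__":
    _, entries = parse_standard_acl(ACL_50)
    for ip in ("10.2.2.2", "10.2.2.7", "192.0.2.1"):
        print(ip, evaluate(entries, ip))
```

Running the block prints the decision and the entry index for three constructed source addresses; the same evaluator applied to ACL_NO_PERMIT_ANY shows 192.0.2.1 being dropped by the implicit deny rather than by any visible line.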
19.3. Filtering by Application
Problem: Filter traffic according to the application
Solution
Router1#
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#
access-list 151 permit tcp any any eq www
Router1(config)#
access-list 151 deny tcp any any gt 1023
Router1(config)#
access-list 151 permit icmp any any
Router1(config)#
access-list 151 permit udp any any eq ntp
Router1(config)#
access-list 151 deny ip any any
Router1(config)#
interface Serial0/1
Router1(config-if)#
ip access-group 151 in
Router1(config-if)#
exit
Router1(config)#
end
Router1#
Discussion: None
19.4. Filtering by TCP Header Flags
Problem: Filter based on the flag bits in the TCP header
Solution
Router1#
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#
access-list 161 deny tcp any any ack fin psh rst syn urg
Router1(config)#
access-list 161 deny tcp any any rst syn
Router1(config)#
access-list 161 deny tcp any any rst syn fin
Router1(config)#
access-list 161 deny tcp any any rst syn fin ack
Router1(config)#
access-list 161 deny tcp any any syn fin
Router1(config)#
access-list 161 deny tcp any any syn fin ack
Router1(config)#
end
Router1#
Starting with 12.3(4)T, a new command syntax is available:
Router2#
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#
ip access-list extended TCPFLAGFILTER
Router2(config-ext-nacl)#
deny tcp any any match-all +ack +fin +psh +rst +syn +urg
Router2(config-ext-nacl)#
deny tcp any any match-all +rst +syn
Router2(config-ext-nacl)#
deny tcp any any match-all +rst +syn +fin
Router2(config-ext-nacl)#
deny tcp any any match-all +rst +syn +fin +ack
Router2(config-ext-nacl)#
deny tcp any any match-all +syn +fin
Router2(config-ext-nacl)#
deny tcp any any match-all +syn +fin +ack
Router2(config-ext-nacl)#
end
Router2#
Discussion: The TCP header has six flag bits: ACK, SYN, FIN, RST, PSH and URG. The new syntax introduces the keywords match-all and match-any. match-any behaves like the traditional filter: it checks only that the listed flag bits are set, regardless of the other flag bits; match-all requires the packet to satisfy every listed flag setting.
19.5. Restricting the Direction of TCP Sessions
Problem: Filter TCP sessions so that only the client side can initiate the application
Solution
Router1#
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#
access-list 148 permit tcp any eq telnet any established
Router1(config)#
access-list 148 deny ip any any
Router1(config)#
interface FastEthernet0/0
Router1(config-if)#
ip access-group 148 in
Router1(config-if)#
exit
Router1(config)#
end
Router1#
Discussion
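The difference between match-any and match-all in recipe 19.4, and what the established keyword of recipe 19.5 actually tests, is clearer when the conditions are evaluated against concrete segments. The following is an added example in Python, not code from the book; the segment names and helper functions are this example's own, and established is modelled as "ACK or RST set", which is how IOS defines it.

```python
from typing import Dict, Iterable, Tuple

# Added example (not from the book): evaluates the flag conditions of an IOS
# extended ACL entry against a TCP segment, for both the match-any and
# match-all keywords of recipe 19.4 and the 'established' keyword of 19.5.

TCP_FLAGS = ("ack", "fin", "psh", "rst", "syn", "urg")

def parse_conditions(spec: str) -> Dict[str, bool]:
    """'+syn +fin -ack' -> {'syn': True, 'fin': True, 'ack': False}.

    A '+' flag must be set, a '-' flag must be clear.  The traditional syntax
    ('syn fin') carries no sign and means the same as '+'.
    """
    conditions: Dict[str, bool] = {}
    for token in spec.split():
        want = not token.startswith("-")
        name = token.lstrip("+-").lower()
        if name not in TCP_FLAGS:
            raise ValueError(f"unknown TCP flag {token!r}")
        conditions[name] = want
    return conditions

def flags_match(segment: Iterable[str], spec: str, mode: str = "match-any") -> bool:
    """Return True when the segment's set flags satisfy the entry.

    match-any: at least one listed condition holds (the traditional behaviour).
    match-all: every listed condition holds; unlisted flags are not examined.
    """
    present = {f.lower() for f in segment}
    results = [(name in present) == want
               for name, want in parse_conditions(spec).items()]
    if mode == "match-all":
        return all(results)
    if mode == "match-any":
        return any(results)
    raise ValueError(f"unknown mode {mode!r}")

def established(segment: Iterable[str]) -> bool:
    """IOS 'established' matches segments with ACK or RST set, i.e. anything
    except the initial SYN that opens a connection."""
    present = {f.lower() for f in segment}
    return bool(present & {"ack", "rst"})

# Constructed segments: a handshake SYN, the SYN/ACK reply, a data segment,
# and the illegal SYN+FIN combination that recipe 19.4 denies.
SEGMENTS = {
    "syn":     ("syn",),
    "syn-ack": ("syn", "ack"),
    "data":    ("ack", "psh"),
    "syn-fin": ("syn", "fin"),
}

def classify(name: str) -> Tuple[bool, bool, bool]:
    """(match-all +syn +fin, match-any +syn +fin, established) for one segment."""
    seg = SEGMENTS[name]
    return (flags_match(seg, "+syn +fin", "match-all"),
            flags_match(seg, "+syn +fin", "match-any"),
            established(seg))

if __name__ == "__main__":
    for name in SEGMENTS:
        all_, any_, est = classify(name)
        print(f"{name:8} match-all={all_!s:5} match-any={any_!s:5} established={est}")
```

The output shows why the entry deny tcp any any syn fin in the old syntax is broader than it looks: a plain SYN already satisfies it under match-any semantics, while match-all +syn +fin hits only the malformed segment.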
19.6. Filtering Multiport Applications
Problem: Filter applications that use multiple ports
Solution
Router1#
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#
access-list 152 permit tcp any any eq ftp
Router1(config)#
access-list 152 permit tcp any any eq ftp-data established
Router1(config)#
interface FastEthernet0/0
Router1(config-if)#
ip access-group 152 in
Router1(config-if)#
exit
Router1(config)#
end
Router1#
Discussion: For other multiport applications, the following forms can be used:
Router1(config)#
access-list 154 permit udp any any range 6000 6063
Router1(config)#
access-list 155 deny udp any any gt 1023
Router1(config)#
access-list 156 permit udp any any lt 1024
Router1(config)#
access-list 157 permit udp any any neq 666
19.7. Filtering by DSCP and TOS
Problem: Filter based on IP quality-of-service information
Solution
Router1#
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#
access-list 162 permit ip any any dscp af11
Router1(config)#
end
Or:
Router1#
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#
access-list 162 permit ip any any tos max-reliability
Router1(config)#
end
Discussion
19.8. Logging When an Access List Is Used
Problem: Log information about packets that match an access list
Solution
Router1#
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#
access-list 150 permit ip any any log
Router1(config)#
interface Serial0/1
Router1(config-if)#
ip access-group 150 in
Router1(config-if)#
exit
Router1(config)#
end
Router1#
For more detailed information:
Router1#
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#
access-list 150 permit tcp any any log-input
Router1(config)#
access-list 150 permit ip any any
Router1(config)#
interface Serial0/1
Router1(config-if)#
ip access-group 150 in
Router1(config-if)#
exit
Router1(config)#
end
Router1#
Discussion: Log messages from the first example:
Feb 6 13:01:19: %SEC-6-IPACCESSLOGRP: list 150 permitted ospf 10.1.1.1 -> 224.0.0.5, 9 packets
Feb 6 13:01:19: %SEC-6-IPACCESSLOGDP: list 150 permitted icmp 10.1.1.1 -> 10.1.1.2 (0/0), 4 packets
Log messages from the second example:
Feb 6 14:56:34: %SEC-6-IPACCESSLOGP: list 150 permitted tcp 172.25.1.1(0) (FastEthernet0/0.1 0010.4b09.5700) -> 172.25.25.1(0), 1 packet
Note that the log-input keyword applies only to extended access lists.
19.9. Logging TCP Sessions
Problem: Count TCP sessions
Solution
Router1#
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#
access-list 122 permit tcp any any eq telnet established
Router1(config)#
access-list 122 permit tcp any any eq telnet
Router1(config)#
access-list 122 permit ip any any
Router1(config)#
interface Serial0/0
Router1(config-if)#
ip access-group 122 in
Router1(config-if)#
exit
Router1(config)#
end
Router1#
Or:
Router1#
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#
access-list 121 permit tcp any any eq telnet syn
Router1(config)#
access-list 121 permit tcp any any eq telnet
Router1(config)#
access-list 121 permit ip any any
Router1(config)#
interface Serial0/0
Router1(config-if)#
ip access-group 121 in
Router1(config-if)#
exit
Router1(config)#
end
Router1#
Discussion: For the first example:
Router1#
show access-list 122
Extended IP access list 122
permit tcp any any eq telnet established (3843 matches)
permit tcp any any eq telnet (6 matches)
permit ip any any (31937 matches)
Router1#
The output shows that six Telnet sessions passed through the interface, carrying 3,843 + 6 = 3,849 Telnet packets in total.
19.10. Analyzing ACL Log Entries
Discussion: Uses a script to analyze the ACL log entries produced; omitted for now
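Recipe 19.8 shows what the %SEC-6-IPACCESSLOG* messages look like and recipe 19.10 leaves their analysis to a script that is not reproduced here. The following is an added example, not the book's script: a Python parser for those messages that decodes the IOS tag, the list number, action, protocol, addresses, optional ports, the interface and MAC added by log-input, and the packet count, and then totals packets per list, action and protocol. The regular expressions and field names are this example's own; the sample contains the three lines from recipe 19.8 plus one constructed denied line and one unrelated message.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Added example (not from the book): parse the %SEC-6-IPACCESSLOG* messages that
# 'log' and 'log-input' produce (recipe 19.8) and summarise them per list and
# action, the kind of analysis recipe 19.10 leaves to a script.  Field names
# are this example's own choice.

# IOS message tag: %FACILITY-SEVERITY-MNEMONIC:
TAG_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+):")

# Body of IPACCESSLOGP / IPACCESSLOGDP / IPACCESSLOGRP style messages.
# Optional parts: (port) after each address, the (interface mac) of log-input,
# and the (type/code) of ICMP messages.
BODY_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)(?:\((?P<sport>\d+)\))?"
    r"(?: \((?P<ingress>\S+) (?P<mac>[0-9a-f.]+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<icmp_type>\d+)/(?P<icmp_code>\d+)\))?, (?P<count>\d+) packets?"
)

def parse_acl_log(line: str) -> Optional[Dict[str, object]]:
    """Return the decoded fields of one ACL log line, or None if it is not one."""
    tag = TAG_RE.search(line)
    if not tag or not tag.group("mnemonic").startswith("IPACCESSLOG"):
        return None
    body = BODY_RE.search(line, tag.end())
    if not body:
        return None
    fields: Dict[str, object] = body.groupdict()
    fields["severity"] = int(tag.group("severity"))
    fields["mnemonic"] = tag.group("mnemonic")
    fields["count"] = int(body.group("count"))
    return fields

def summarise(lines: List[str]) -> Counter:
    """Packets per (acl, action, proto), summed over all matching lines."""
    totals: Counter = Counter()
    for line in lines:
        f = parse_acl_log(line)
        if f:
            totals[(f["acl"], f["action"], f["proto"])] += f["count"]
    return totals

# The three lines shown in recipe 19.8, one constructed 'denied' line, and one
# unrelated message that the parser must ignore.
SAMPLE = [
    "Feb 6 13:01:19: %SEC-6-IPACCESSLOGRP: list 150 permitted ospf 10.1.1.1 -> 224.0.0.5, 9 packets",
    "Feb 6 13:01:19: %SEC-6-IPACCESSLOGDP: list 150 permitted icmp 10.1.1.1 -> 10.1.1.2 (0/0), 4 packets",
    "Feb 6 14:56:34: %SEC-6-IPACCESSLOGP: list 150 permitted tcp 172.25.1.1(0) (FastEthernet0/0.1 0010.4b09.5700) -> 172.25.25.1(0), 1 packet",
    "Feb 6 15:02:10: %SEC-6-IPACCESSLOGP: list 150 denied tcp 10.2.2.2(1025) -> 172.25.25.1(23), 3 packets",  # constructed
    "Feb 6 15:02:11: %SYS-5-CONFIG_I: Configured from console by vty0",  # not an ACL message
]

if __name__ == "__main__":
    for key, n in sorted(summarise(SAMPLE).items()):
        print(key, n)
```

Because the router reports the first packet immediately and then aggregates later ones into periodic counts, the packet totals are only as accurate as the counts in the messages; the parser therefore sums the count field rather than counting lines.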
19.11. Using Named and Reflexive Access Lists
Problem: Use a reflexive access list inside a named access list
Solution
A basic named access list is similar to a numbered access list:
Router1#
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#
ip access-list standard STANDARD-ACL
Router1(config-std-nacl)#
remark This is a standard ACL
Router1(config-std-nacl)#
permit any log
Router1(config-std-nacl)#
exit
Router1(config)#
ip access-list extended EXTENDED-ACL
Router1(config-ext-nacl)#
remark This is an extended ACL
Router1(config-ext-nacl)#
deny tcp any any eq www
Router1(config-ext-nacl)#
permit ip any any log
Router1(config-ext-nacl)#
exit
Router1(config)#
interface Serial0/1
Router1(config-if)#
ip access-group STANDARD-ACL in
Router1(config-if)#
exit
Router1(config)#
end
Router1#
The following embeds a reflexive access list to allow ping in one direction only:
Router1#
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#
ip access-list extended PING-OUT
Router1(config-ext-nacl)#
permit icmp any any reflect ICMP-REFLECT timeout 15
Router1(config-ext-nacl)#
permit ip any any
Router1(config-ext-nacl)#
exit
Router1(config)#
ip access-list extended PING-IN
Router1(config-ext-nacl)#
evaluate ICMP-REFLECT
Router1(config-ext-nacl)#
deny icmp any any log
Router1(config-ext-nacl)#
permit ip any any
Router1(config-ext-nacl)#
exit
Router1(config)#
interface Serial0/1
Router1(config-if)#
ip access-group PING-OUT out
Router1(config-if)#
ip access-group PING-IN in
Router1(config-if)#
end
Router1#
Discussion: In this example, the reflexive access list controls the returning ICMP responses.
19.12. Dealing with Passive Mode FTP
Problem: Handle passive mode FTP
Solution
Router1#
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#
access-list 144 permit tcp any gt 1023 any eq ftp
Router1(config)#
access-list 144 permit tcp any gt 1023 any gt 1023
Router1(config)#
access-list 144 deny ip any any
Router1(config)#
interface Serial0/0.1
Router1(config-subif)#
ip access-group 144 in
Router1(config-subif)#
exit
Router1(config)#
end
Router1#
Discussion: In passive mode FTP, the client opens a second connection to the server on a port above 1024, so such sessions require opening all ports above 1024. The configuration in the example solves the problem but reduces security; a later chapter describes a more effective approach.
19.13. Using Time-Based Access Lists
Problem: Control an application based on the time of day
Solution
Router1#
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#
time-range NOSURF
Router1(config-time-range)#
periodic weekdays 9:00 to 17:00
Router1(config-time-range)#
exit
Router1(config)#
ip access-list extended NOSURFING
Router1(config-ext-nacl)#
deny tcp any any eq www time-range NOSURF
Router1(config-ext-nacl)#
permit ip any any
Router1(config-ext-nacl)#
exit
Router1(config)#
interface FastEthernet0/1
Router1(config-if)#
ip access-group NOSURFING in
Router1(config-if)#
end
Router1#
Discussion: A time range may contain several periodic statements.
19.14. Filtering on Noncontiguous Ports
Problem: Configure an efficient filter for noncontiguous ports
Solution
Router2#
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#
ip access-list extended OREILLY
Router2(config-ext-nacl)#
permit tcp any host 172.25.100.100 eq 80 23 25 110 514 21
Router2(config-ext-nacl)#
end
Router2#
Discussion: A contiguous range of ports can be filtered with a command such as permit tcp any any range 20 25, whereas noncontiguous ports used to require several commands like permit tcp any host 172.25.100.100 eq 80. Since 12.3(7)T the form shown in the example can be used instead.
19.15. Editing Access Lists
Problem: Edit an access list in place
Solution
Insert an entry into an existing access list:
Router2#
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#
ip access-list extended OREILLY
Router2(config-ext-nacl)#
12 permit tcp any host 172.25.100.100 eq 20
Router2(config-ext-nacl)#
end
Router2#
Resequence the access list entries:
Router2#
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#
ip access-list resequence OREILLY 10 10
Router2(config)#
end
Router2#
Delete a particular access list entry:
Router2#
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#
ip access-list extended OREILLY
Router2(config-ext-nacl)#
no 60
Router2(config-ext-nacl)#
end
Router2#
Discussion: Since 12.3(2)T the router supports sequence numbers on access list entries, incrementing by 10 by default, which makes editing access lists convenient:
Router2#
show ip access-lists OREILLY
Extended IP access list OREILLY
10 permit tcp any host 172.25.100.100 eq www
20 permit tcp any host 172.25.100.100 eq telnet
30 permit tcp any host 172.25.100.100 eq smtp
40 permit tcp any host 172.25.100.100 eq pop3
50 permit tcp any host 172.25.100.100 eq cmd
19.16. Filtering IPv6
Problem: Filter IPv6 packets
Solution
Router1#
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#
ipv6 access-list EXAMPLES
Router1(config-ipv6-acl)#
permit ipv6 AAAA:5::/64 any
Router1(config-ipv6-acl)#
permit ipv6 host AAAA:5::FE:1 any
Router1(config-ipv6-acl)#
permit tcp any any eq telnet established
Router1(config-ipv6-acl)#
deny tcp any any eq telnet syn
Router1(config-ipv6-acl)#
sequence 55 permit udp any any eq snmp
Router1(config-ipv6-acl)#
remark this is a comment
Router1(config-ipv6-acl)#
sequence 66 remark this comment has a sequence number
Router1(config-ipv6-acl)#
permit icmp any any reflect ICMP-REFLECT
Router1(config-ipv6-acl)#
deny ipv6 any host AAAA:6::1 log
Router1(config-ipv6-acl)#
deny ipv6 any any log-input
Router1(config-ipv6-acl)#
exit
Router1(config)#
interface FastEthernet0/0
Router1(config-if)#
ipv6 traffic-filter EXAMPLES in
Router1(config-if)#
exit
Router1(config)#
end
Router1#
Discussion: IPv6 filtering uses named access lists only, and so inherits all the advantages of named access lists.
Chapter 20. DHCP
20.1. Using IP Helper Addresses
Problem: Configure the router to forward DHCP requests
Solution
Router1#
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#
interface Ethernet0
Router1(config-if)#
ip helper-address 172.25.1.1
Router1(config-if)#
ip helper-address 172.25.10.7
Router1(config-if)#
exit
Router1(config)#
end
Router1#
Discussion: The ip helper-address command turns the router into a DHCP relay agent that forwards client DHCP requests to the configured helper addresses.
20.2. Limiting the Impact of IP Helper Addresses
Problem: After configuring ip helper-address, link utilization or DHCP server load has increased
Solution
Router1#
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#
no ip forward-protocol udp tftp
Router1(config)#
no ip forward-protocol udp nameserver
Router1(config)#
no ip forward-protocol udp domain
Router1(config)#
no ip forward-protocol udp time
Router1(config)#
no ip forward-protocol udp netbios-ns
Router1(config)#
no ip forward-protocol udp netbios-dgm
Router1(config)#
no ip forward-protocol udp tacacs
Router1(config)#
end
Router1#
Discussion: By default the helper address forwards many kinds of UDP broadcasts, not just DHCP, and it cannot forward different broadcasts to different servers.
20.3. Using DHCP to Dynamically Configure Router IP Addresses
Problem: Configure the router to obtain an IP address dynamically
Solution
Router1#
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#
interface FastEthernet0/1
Router1(config-if)#
ip address dhcp
Router1(config-if)#
end
Router1#
Interface FastEthernet0/1 assigned DHCP address 172.25.1.57, mask 255.255.255.0
Router1#
Discussion: Before 12.2(8)T this command worked only on Ethernet interfaces. Since 12.3(8)T the DHCP options requested can be controlled; the following example does not request DNS servers:
Router1#
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#
interface FastEthernet0/1
Router1(config-if)#
no ip dhcp client request dns-nameserver
Router1(config-if)#
end
The default route learned via DHCP has an administrative distance of 254:
S* 0.0.0.0/0 [254/0] via 172.25.1.1
Since 12.3(4)T the learned address can be released and renewed:
Router1#
release dhcp FastEthernet0/1
Router1#
renew dhcp FastEthernet0/1
20.4. Dynamically Allocating Client IP Addresses via DHCP
Problem: Configure the router as a DHCP server
Solution
Router1#
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#
service dhcp
Router1(config)#
ip dhcp pool 172.25.1.0/24
Router1(dhcp-config)#
network 172.25.1.0 255.255.255.0
Router1(dhcp-config)#
default-router 172.25.1.1
Router1(dhcp-config)#
exit
Router1(config)#
ip dhcp excluded-address 172.25.1.1 172.25.1.50
Router1(config)#
ip dhcp excluded-address 172.25.1.200 172.25.1.255
Router1(config)#
end
Router1#
Discussion: Note that ip dhcp excluded-address must be used to exclude certain addresses from the pool, preventing address conflicts.
20.5. Configuring DHCP Options
Problem: Provide additional DHCP configuration options to clients
Solution
Router1#
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#
ip dhcp pool ORAserver
Router1(dhcp-config)#
host 172.25.1.34 255.255.255.0
Router1(dhcp-config)#
client-name bigserver
Router1(dhcp-config)#
default-router 172.25.1.1 172.25.1.3
Router1(dhcp-config)#
domain-name oreilly.com
Router1(dhcp-config)#
dns-server 172.25.1.1 10.1.2.3
Router1(dhcp-config)#
netbios-name-server 172.25.1.1
Router1(dhcp-config)#
netbios-node-type h-node
Router1(dhcp-config)#
option 66 ip 10.1.1.1
Router1(dhcp-config)#
option 33 ip 192.0.2.1 172.25.1.3
Router1(dhcp-config)#
option 31 hex 01
Router1(dhcp-config)#
lease 2
Router1(dhcp-config)#
exit
Router1(config)#
end
Router1#
Discussion: Option 66 defines the TFTP server; option 33 defines static routes; option 31 tells the client to use IRDP.
20.6. Configuring DHCP Lease Duration
Problem: Change the default DHCP lease duration
Solution
Router1#
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#
ip dhcp pool 172.25.2.0/24
Router1(dhcp-config)#
lease 2 12 30
Router1(dhcp-config)#
exit
Router1(config)#
end
Router1#
Discussion: The default lease is one day; the arguments are days, hours and minutes.
20.7. Allocating Static IP Addresses
Problem: Always assign a particular IP address to a particular device
Solution
Router1#
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#
ip dhcp pool IAN
Router1(dhcp-config)#
host 172.25.1.33 255.255.255.0
Router1(dhcp-config)#
client-identifier 0100.0103.85e9.87
Router1(dhcp-config)#
client-name win2k
Router1(dhcp-config)#
default-router 172.25.1.1
Router1(dhcp-config)#
domain-name oreilly.com
Router1(dhcp-config)#
dns-server 172.25.1.1
Router1(dhcp-config)#
exit
Router1(config)#
end
Router1#
Discussion: This binds an IP address to a MAC address. The value after client-identifier is the MAC address with 0100 prepended, which denotes Ethernet; for other media types see the hardware type numbers referenced in RFC 3232.
Router1#
show ip dhcp binding
IP address Hardware address Lease expiration Type
172.25.1.33 0100.0103.85e9.87 Infinite Manual
172.25.1.52 0100.50da.2a5e.a2 Apr 11 2006 09:00 PM Automatic
172.25.1.53 0100.0103.ea1b.ed Apr 11 2006 08:58 PM Automatic
20.8. Configuring a DHCP Database Client
Problem: Back up the current DHCP database on another device
Solution
Using FTP:
Router1#
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#
ip dhcp database ftp://dhcp:[email protected]/dhcp-leases
Router1(config)#
end
Router1#
Using TFTP:
Router1#
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#
ip dhcp database tftp://172.25.1.1/dhcp-leases
Router1(config)#
end
Router1#
Using RCP:
Router1#
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#
ip dhcp database rcp://[email protected]/dhcp-leases
Router1(config)#
end
Router1#
Discussion: Normally the DHCP database is kept in memory and is lost on reboot; backing it up as above prevents that loss. Verify with the following command:
Router1#
show ip dhcp database
URL : ftp://dhcp:[email protected]/dhcp-leases
Read : Never
Written : Apr 09 2006 10:24 PM
Status : Last write succeeded. Agent information is up-to-date.
Delay : 300 seconds
Timeout : 300 seconds
Failures : 1
Successes: 30
20.9. Configuring Multiple DHCP Servers on the Same Subnet
Problem: Configure multiple DHCP servers on the same subnet for higher availability
Solution
Router1:
Router1#
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#
ip dhcp pool 172.22.1.0/24
Router1(dhcp-config)#
network 172.22.1.0 255.255.255.0
Router1(dhcp-config)#
default-router 172.22.1.1
Router1(dhcp-config)#
domain-name oreilly.com
Router1(dhcp-config)#
dns-server 172.25.1.1 10.1.2.3
Router1(dhcp-config)#
exit
Router1(config)#
ip dhcp excluded-address 172.22.1.1 172.22.1.49
Router1(config)#
ip dhcp excluded-address 172.22.1.150 172.22.1.254
Router1(config)#
ip dhcp database ftp://dhcp:[email protected]/dhcp-leases-rtr1
Router1(config)#
end
Router1#
Router2:
Router2#
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#
ip dhcp pool 172.22.1.0/24
Router2(dhcp-config)#
network 172.22.1.0 255.255.255.0
Router2(dhcp-config)#
default-router 172.22.1.1
Router2(dhcp-config)#
domain-name oreilly.com
Router2(dhcp-config)#
dns-server 172.25.1.1 10.1.2.3
Router2(dhcp-config)#
exit
Router2(config)#
ip dhcp excluded-address 172.22.1.1 172.22.1.149
Router2(config)#
ip dhcp database ftp://dhcp:[email protected]/dhcp-leases-rtr2
Router2(config)#
end
Router2#
Discussion: Make sure the configured address ranges do not overlap: Router1 allocates 172.25.1.50 through 172.25.1.149, and Router2 allocates 172.25.1.150 through 172.25.1.254.
20.10. DHCP Static Mapping
Problem: Assign IP addresses statically from a text file
Solution
First create the text file on the TFTP server:
Freebsd%
cat /tftpboot/dhcp.static
*time* Aug 17 2006 03:52 PM
*version* 2
!IP address Type Hardware address Lease expiration
10.1.1.16 /24 id 0100.104b.33da.74 Infinite
10.1.1.17 /24 id 0100.0dbc.eff6.38 Infinite
10.1.1.18 /24 id 0100.0a5e.4001.27 Infinite
10.1.1.19 /24 id 0100.0331.327e.41 Infinite
10.1.1.20 /24 id 0100.0d60.b21a.4c Infinite
*end*
Freebsd%
Router configuration:
Router1#
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#
ip dhcp pool OREILLY
Router1(dhcp-config)#
origin file tftp://172.25.1.1/dhcp.static
Router1(dhcp-config)#
default-router 10.1.1.1
Router1(dhcp-config)#
dns-server 172.25.1.1 172.25.1.3
Router1(dhcp-config)#
domain-name oreilly.com
Router1(dhcp-config)#
lease 3
Router1(dhcp-config)#
end
Router1#
Discussion: The static allocation in 20.7 needs a dedicated DHCP pool per host, which does not scale well. Since 12.3(11)T a text file in a specific format can be used for the assignments. For changes to the file to take effect, DHCP must first be stopped with no service dhcp and then re-enabled with service dhcp.
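Recipe 20.7 explains that the client-identifier is the MAC address with a hardware type byte prepended, and recipe 20.10 shows the file format the router reads. As an added example, not code from the book, the following Python converts between a MAC address and that identifier in both directions and renders a dhcp.static file from a constructed host list. The function names are this example's own; the header lines and the id/Infinite layout are copied from the recipe's file, and only the Ethernet hardware type (01) is used because that is the one the recipe names.

```python
from typing import Iterable, List, Tuple

# Added example (not from the book): converts between a MAC address and the IOS
# DHCP client-identifier of recipe 20.7, and writes the static-mapping file of
# recipe 20.10 from a list of (ip, prefix_length, mac) tuples.  The hardware
# type prefix follows the recipe: 01 for Ethernet.

ETHERNET_HW_TYPE = 0x01

def client_identifier(mac: str, hw_type: int = ETHERNET_HW_TYPE) -> str:
    """'00:01:03:85:e9:87' -> '0100.0103.85e9.87' (hw type byte + 6 MAC bytes)."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    raw = f"{hw_type:02x}" + digits                  # 14 hex digits
    # IOS prints the identifier in dotted groups of four hex digits, so the
    # last group holds the remaining two digits.
    return ".".join(raw[i:i + 4] for i in range(0, 14, 4))

def mac_from_identifier(ident: str) -> Tuple[int, str]:
    """Inverse: '0100.0103.85e9.87' -> (1, '00:01:03:85:e9:87')."""
    raw = ident.replace(".", "").lower()
    if len(raw) != 14:
        raise ValueError(f"unexpected client-identifier length: {ident!r}")
    hw_type = int(raw[:2], 16)
    mac = ":".join(raw[i:i + 2] for i in range(2, 14, 2))
    return hw_type, mac

def build_static_file(entries: Iterable[Tuple[str, int, str]], timestamp: str) -> str:
    """Render the dhcp.static format shown in recipe 20.10.

    entries: (ip_address, prefix_length, mac).  The header, comment line and
    *end* marker follow the recipe's file; the timestamp is supplied by the caller.
    """
    lines: List[str] = [f"*time* {timestamp}", "*version* 2",
                        "!IP address Type Hardware address Lease expiration"]
    for ip, prefix, mac in entries:
        lines.append(f"{ip} /{prefix} id {client_identifier(mac)} Infinite")
    lines.append("*end*")
    return "\n".join(lines) + "\n"

# Constructed host list; the MACs reproduce the first two identifiers in the recipe.
HOSTS = [
    ("10.1.1.16", 24, "00:10:4b:33:da:74"),
    ("10.1.1.17", 24, "00:0d:bc:ef:f6:38"),
]

if __name__ == "__main__":
    print(build_static_file(HOSTS, "Aug 17 2006 03:52 PM"), end="")
```

Generating the file from an inventory rather than by hand avoids the most common mistake with this recipe, which is omitting the hardware type byte and producing a 12-digit identifier that never matches a client.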
20.11. Secure DHCP IP Address Assignment
Problem: Synchronize ARP and DHCP address bindings to prevent IP address spoofing
Solution
Router1#
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#
ip dhcp pool OREILLY
Router1(dhcp-config)#
update arp
Router1(dhcp-config)#
end
Router1#
Discussion: Starting with 12.2(15)T Cisco introduced DHCP secured IP address assignment. With this feature enabled, a secure ARP entry is added for each DHCP binding, which prevents the entry from being modified; the entry is not removed even by clear arp-cache.
20.12. Showing DHCP Status
Problem: Show the status of the DHCP server
Solution
Show bindings and their lease times:
Router1#
show ip dhcp binding
Show address conflicts:
Router1#
show ip dhcp conflict
Show database status:
Router1#
show ip dhcp database
Show global DHCP server statistics:
Router1#
show ip dhcp server statistics
Discussion
Router1#
show ip dhcp server statistics
Memory usage 17996
Address pools 4
Database agents 1
Automatic bindings 2
Manual bindings 1
Expired bindings 3
Malformed messages 0
Message Received
BOOTREQUEST 0
DHCPDISCOVER 63
DHCPREQUEST 203
DHCPDECLINE 1
DHCPRELEASE 27
DHCPINFORM 19
Message Sent
BOOTREPLY 0
DHCPOFFER 63
DHCPACK 139
DHCPNAK 2
Router1#
20.13. Troubleshooting DHCP
Problem: Troubleshoot DHCP problems
Solution
Router1#
debug ip dhcp server events
Router1#
debug ip dhcp server packet
Discussion: None
Chapter 21. NAT
21.1. Configuring Basic NAT
Problem: Enable basic NAT on the router
Solution
Router#
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#
access-list 15 permit 192.168.0.0 0.0.255.255
Router(config)#
ip nat inside source list 15 interface FastEthernet0/0 overload
Router(config)#
interface FastEthernet0/2
Router(config-if)#
ip address 192.168.1.1 255.255.255.0
Router(config-if)#
ip nat inside
Router(config-if)#
exit
Router(config)#
interface FastEthernet0/1
Router(config-if)#
ip address 192.168.2.1 255.255.255.0
Router(config-if)#
ip nat inside
Router(config-if)#
exit
Router(config)#
interface Ethernet0/0
Router(config-if)#
ip address 172.16.1.5 255.255.255.252
Router(config-if)#
ip nat outside
Router(config-if)#
exit
Router(config)#
end
Router#
Discussion: The configuration in the example rewrites traffic from 192.168.0.0/16 to the outside network so that it appears to come from 172.16.1.5, which is the basic address translation function.
21.2. Allocating External Addresses Dynamically
Problem: Allocate addresses dynamically from a particular address pool
Solution
Router#
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#
access-list 15 permit 192.168.0.0 0.0.255.255
Router(config)#
ip nat pool NATPOOL 172.16.1.100 172.16.1.150 netmask 255.255.255.0
Router(config)#
ip nat inside source list 15 pool NATPOOL
Router(config)#
interface FastEthernet 0/0
Router(config-if)#
ip address 192.168.1.1 255.255.255.0
Router(config-if)#
ip nat inside
Router(config-if)#
exit
Router(config)#
interface FastEthernet 0/1
Router(config-if)#
ip address 192.168.2.1 255.255.255.0
Router(config-if)#
ip nat inside
Router(config-if)#
exit
Router(config)#
interface Ethernet1/0
Router(config-if)#
ip address 172.16.1.2 255.255.255.0
Router(config-if)#
ip nat outside
Router(config-if)#
exit
Router(config)#
end
Router#
Discussion: ip nat inside source list 15 pool NATPOOL defines the pool of addresses used for outgoing translation. If the pool runs out of addresses, new translations fail; with the overload keyword, addresses are reused starting from the first address in the pool. The pool does not have to be in the same subnet as the outside interface, as long as there is a route for it.
21.3. Allocating External Addresses Statically
Problem: Translate particular inside addresses to particular outside addresses
Solution
Router#
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#
ip nat inside source static 192.168.1.15 172.16.1.10
Router(config)#
ip nat inside source static 192.168.1.16 172.16.1.11
Router(config)#
interface FastEthernet 0/0
Router(config-if)#
ip address 192.168.1.1 255.255.255.0
Router(config-if)#
ip nat inside
Router(config-if)#
exit
Router(config)#
interface FastEthernet 0/1
Router(config-if)#
ip address 192.168.2.1 255.255.255.0
Router(config-if)#
ip nat inside
Router(config-if)#
exit
Router(config)#
interface Ethernet1/0
Router(config-if)#
ip address 172.16.1.2 255.255.255.0
Router(config-if)#
ip nat outside
Router(config-if)#
exit
Router(config)#
end
Router#
Discussion: Static address translation.
21.4. Combining Static and Dynamic Translation
Problem: Combine static and dynamic address translation
Solution
Router#
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#
access-list 15 deny 192.168.1.15 0.0.0.0
Router(config)#
access-list 15 deny 192.168.1.16 0.0.0.0
Router(config)#
access-list 15 permit 192.168.0.0 0.0.255.255
Router(config)#
ip nat inside source static 192.168.1.15 172.16.1.10
Router(config)#
ip nat inside source static 192.168.1.16 172.16.1.11
Router(config)#
ip nat pool NATPOOL 172.16.1.100 172.16.1.150 netmask 255.255.255.0
Router(config)#
ip nat inside source list 15 pool NATPOOL overload
Router(config)#
interface FastEthernet0/0
Router(config-if)#
ip address 192.168.1.1 255.255.255.0
Router(config-if)#
ip nat inside
Router(config-if)#
exit
Router(config)#
interface FastEthernet0/1
Router(config-if)#
ip address 192.168.2.1 255.255.255.0
Router(config-if)#
ip nat inside
Router(config-if)#
exit
Router(config)#
interface Ethernet0/0
Router(config-if)#
ip address 172.16.1.2 255.255.255.0
Router(config-if)#
ip nat outside
Router(config-if)#
exit
Router(config)#
end
Router#
Discussion: The access list here excludes the inside addresses that are translated statically. This step is not strictly necessary, because static translations take precedence over dynamic ones, but the outside addresses used by the static translations must be kept out of the dynamic pool.
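The rules stated in the discussions of recipes 21.2 through 21.4 (static entries win, a pool without overload runs dry, overload reuses the first address with distinct ports, and static outside addresses must stay out of the pool) can be checked against a small model. The following is an added example in Python, not code from the book or from IOS: the class name, the use of a prefix in place of the access list, the deliberately tiny two-address pool, and the port allocation order are all this example's own assumptions.

```python
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# Added example (not from the book): a model of 'ip nat inside source'
# behaviour as described in recipes 21.2 to 21.4.  Static entries take
# precedence, dynamic entries draw from a pool, and the pool either runs
# out (no overload) or is reused with distinct ports (overload).

class InsideSourceNat:
    def __init__(self, pool_start: str, pool_end: str, eligible: str, overload: bool) -> None:
        first = ipaddress.IPv4Address(pool_start)
        last = ipaddress.IPv4Address(pool_end)
        self.pool = [str(first + i) for i in range(int(last) - int(first) + 1)]
        self.eligible = ipaddress.IPv4Network(eligible)  # stands in for the 'list 15' ACL
        self.overload = overload
        self.static: Dict[str, str] = {}                 # inside -> outside
        self.dynamic: Dict[str, str] = {}                # inside -> outside
        self.used_ports: Set[Tuple[str, int]] = set()    # (outside, port) in use under overload
        self.next_port = 1024                            # assumed PAT port allocator

    def add_static(self, inside: str, outside: str) -> None:
        # The recipe's caveat: static outside addresses must be excluded from the pool.
        if outside in self.pool:
            raise ValueError(f"{outside} must be excluded from the dynamic pool")
        self.static[inside] = outside

    def translate(self, inside: str, port: int) -> Optional[Tuple[str, int]]:
        """(outside_ip, outside_port) for a new flow; None when translation fails."""
        if inside in self.static:                        # static wins, ACL not consulted
            return self.static[inside], port
        if ipaddress.IPv4Address(inside) not in self.eligible:
            return inside, port                          # not selected: forwarded untranslated
        outside = self.dynamic.get(inside)
        if outside is None:
            if self.overload:
                outside = self.pool[0]                   # overload reuses the first address
            elif len(self.dynamic) < len(self.pool):
                outside = self.pool[len(self.dynamic)]   # next unused pool address
            else:
                return None                              # pool exhausted: translation fails
            self.dynamic[inside] = outside
        if not self.overload:
            return outside, port
        # PAT: keep the source port when it is free, otherwise take the next unused one.
        out_port = port
        while (outside, out_port) in self.used_ports:
            out_port = self.next_port
            self.next_port += 1
        self.used_ports.add((outside, out_port))
        return outside, out_port

def demo(overload: bool) -> List[Optional[Tuple[str, int]]]:
    """Constructed scenario: one static host, three pool users, one host outside the list."""
    nat = InsideSourceNat("172.16.1.100", "172.16.1.101", "192.168.0.0/16", overload)
    nat.add_static("192.168.1.15", "172.16.1.10")
    flows = [("192.168.1.15", 40000), ("192.168.1.20", 40000),
             ("192.168.2.21", 40000), ("192.168.2.22", 40002), ("10.9.9.9", 53)]
    return [nat.translate(ip, port) for ip, port in flows]

if __name__ == "__main__":
    print("no overload:", demo(False))
    print("overload:   ", demo(True))
```

With a two-address pool the third dynamic host gets None without overload, which is the "new translations fail" case; with overload all three share 172.16.1.100 and the second host is moved to a different port because 40000 is already taken on that address.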
21.5. Using Route Maps to Control Translation
Problem: Use route maps for better static address translation
Solution
Router1#
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#
interface FastEthernet0/0
Router(config-if)#
ip address 172.16.1.5 255.255.255.252
Router(config-if)#
ip nat outside
Router(config-if)#
exit
Router(config)#
interface FastEthernet0/1
Router(config-if)#
ip address 172.16.2.5 255.255.255.252
Router(config-if)#
ip nat outside
Router(config-if)#
exit
Router(config)#
interface FastEthernet0/2
Router(config-if)#
ip address 192.168.1.1 255.255.255.0
Router(config-if)#
ip nat inside
Router(config-if)#
exit
Router(config)#
ip nat inside source route-map ISP-1 interface FastEthernet0/0 overload
Router(config)#
ip nat inside source route-map ISP-2 interface FastEthernet0/1 overload
Router(config)#
route-map ISP-1 permit 10
Router(config-route-map)#
match interface FastEthernet0/0
Router(config-route-map)#
exit
Router(config)#
route-map ISP-2 permit 10
Router(config-route-map)#
match interface FastEthernet0/1
Router(config-route-map)#
exit
Router(config)#
end
Router#
Discussion: This applies when there are multiple outside interfaces.
21.6. Translating in Both Directions Simultaneously
Problem: Translate both inside and outside addresses
Solution
Router#
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#
access-list 15 deny 192.168.1.15
Router(config)#
access-list 15 permit 192.168.0.0 0.0.255.255
Router(config)#
access-list 16 deny 172.16.5.25
Router(config)#
access-list 16 permit 172.16.0.0 0.0.255.255
Router(config)#
ip nat pool NATPOOL 172.16.1.100 172.16.1.150 netmask 255.255.255.0
Router(config)#
ip nat pool INBOUNDNAT 192.168.15.100 192.168.15.200 netmask 255.255.255.0
Router(config)#
ip nat inside source list 15 pool NATPOOL overload
Router(config)#
ip nat inside source list 16 pool INBOUNDNAT overload
Router(config)#
ip nat inside source static 192.168.1.15 172.16.1.10
Router(config)#
ip nat outside source static 172.16.5.25 192.168.15.5
Router(config)#
ip route 192.168.15.0 255.255.255.0 Ethernet0/0
Router(config)#
interface FastEthernet 0/0
Router(config-if)#
ip address 192.168.1.1 255.255.255.0
Router(config-if)#
ip nat inside
Router(config-if)#
exit
Router(config)#
interface FastEthernet 0/1
Router(config-if)#
ip address 192.168.2.1 255.255.255.0
Router(config-if)#
ip nat inside
Router(config-if)#
interface Ethernet0/0
Router(config-if)#
ip address 172.16.1.2 255.255.255.0
Router(config-if)#
ip nat outside
Router(config-if)#
exit
Router(config)#
end
Router#
Discussion: None for now.
21.7. Rewriting Network Prefixes
Problem: Simply change the prefix of a network
Solution
Router#
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#
ip nat outside source static network 172.16.0.0 172.17.0.0 /16 no-alias
Router(config)#
ip route 172.16.0.0 255.255.0.0 Ethernet1/0
Router(config)#
ip route 172.17.0.0 255.255.0.0 Ethernet1/0
Router(config)#
interface FastEthernet 0/0
Router(config-if)#
ip address 10.1.1.1 255.255.255.0
Router(config-if)#
ip nat inside
Router(config-if)#
exit
Router(config)#
interface Ethernet1/0
Router(config-if)#
ip address 172.16.1.6 255.255.255.252
Router(config-if)#
ip nat outside
Router(config-if)#
exit
Router(config)#
end
Router#
Discussion: This applies when two networks with conflicting address ranges need to communicate.
21.8. Using NAT for Server Load Balancing
Problem: Share one IP address across several servers to balance application load
Solution
Router#
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#
interface FastEthernet0/0
Router(config-if)#
ip address 192.168.1.1 255.255.255.0
Router(config-if)#
ip nat inside
Router(config-if)#
exit
Router(config)#
interface FastEthernet0/1
Router(config-if)#
ip address 192.168.2.1 255.255.255.0
Router(config-if)#
ip nat outside
Router(config-if)#
exit
Router(config)#
ip nat pool WEBSERVERS 192.168.1.101 192.168.1.105 netmask 255.255.255.0 type rotary
Router(config)#
access-list 20 permit host 192.168.1.100
Router(config)#
ip nat inside destination list 20 pool WEBSERVERS
Router(config)#
end
Router#
Discussion: The differences here are the rotary keyword on the pool and the use of destination rather than source in the translation rule. This is, of course, a poor man's load balancing solution.
21.9. Stateful NAT Failover
Problem: Deploy NAT in a high-availability network so that if one device fails the other takes over NAT
Solution
RouterA
Router-A#
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router-A(config)#
access-list 11 permit any
Router-A(config)#
ip nat pool NATPOOL 172.17.100.100 172.17.100.150 netmask 255.255.255.0
Router-A(config)#
ip nat inside source list 11 pool NATPOOL mapping-id 1
Router-A(config)#
interface FastEthernet0/0
Router-A(config-if)#
ip address 192.168.1.3 255.255.255.0
Router-A(config-if)#
ip nat inside
Router-A(config-if)#
standby 1 ip 192.168.1.1
Router-A(config-if)#
standby 1 preempt
Router-A(config-if)#
standby 1 name SNATGROUP
Router-A(config-if)#
exit
Router-A(config)#
interface Serial0/0
Router-A(config-if)#
ip address 172.17.55.2 255.255.255.252
Router-A(config-if)#
ip nat outside
Router-A(config-if)#
exit
Router-A(config)#
ip nat Stateful id 1
Router-A(config-ipnat-snat)#
redundancy SNATGROUP
Router(config-ipnat-snat-red)#
mapping-id 1
Router(config-ipnat-snat-red)#
exit
Router-A(config)#
end
Router-A#
RouterB
Router-B#
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router-B(config)#
access-list 11 permit any
Router-B(config)#
ip nat pool NATPOOL 172.17.100.100 172.17.100.150 netmask 255.255.255.0
Router-B(config)#
ip nat inside source list 11 pool NATPOOL mapping-id 1
Router-B(config)#
interface FastEthernet0/0
Router-B(config-if)#
ip address 192.168.1.2 255.255.255.0
Router-B(config-if)#
ip nat inside
Router-B(config-if)#
standby 1 ip 192.168.1.1
Router-B(config-if)#
standby 1 priority 90
Router-B(config-if)#
standby 1 preempt
Router-B(config-if)#
standby 1 name SNATGROUP
Router-B(config-if)#
exit
Router-B(config)#
interface Serial0/0
Router-B(config-if)#
ip address 172.17.55.6 255.255.255.252
Router-B(config-if)#
ip nat outside
Router-B(config-if)#
exit
Router-B(config)#
ip nat Stateful id 1
Router-B(config-ipnat-snat)#
redundancy SNATGROUP
Router(config-ipnat-snat-red)#
mapping-id 1
Router(config-ipnat-snat-red)#
exit
Router-B(config)#
end
Router-B#
注释 虽然说通过使用HSRP可以解决可用性的问题,但是不能同步NAT翻译表,从12.2(13)T以后思科引入了基于状态的NAT(SNAT),这样可以保持两台设备的翻译表同步,其关键命令为
ip nat Stateful 要注意的是这里的Stateful是大写开头的,这里是区分大小写的。另外SNAT只和HSRP连用,不能跟VRRP或者GLBP一起作用。同时也可以使用多组HSRP的形式来保持负载均衡。
21.10. Adjusting NAT timeouts
Problem: Adjust how long entries stay in the NAT translation table.
Solution:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# ip nat translation tcp-timeout 500
Router(config)# ip nat translation udp-timeout 30
Router(config)# ip nat translation dns-timeout 30
Router(config)# ip nat translation icmp-timeout 30
Router(config)# ip nat translation finrst-timeout 30
Router(config)# ip nat translation syn-timeout 30
Router(config)# end
Router#
You can also cap the number of entries in the translation table:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# ip nat translation max-entries 1000
Router(config)# end
Router#
Discussion: All timeouts are in seconds. The defaults are 24 hours for established TCP sessions, 5 minutes for UDP and 1 minute for DNS; ICMP, FIN/RST-closed and half-open SYN entries also default to 1 minute. Shortening the UDP and SYN timeouts and capping max-entries limits how much of the table a single scanning or flooding inside host can consume; once the table is full, no other inside host can open a new translation, so an exhausted table is a denial of service for the whole site.
21.11. Translating FTP on a non-standard port
Problem: An FTP server listens on a port other than 21 and its control channel must still be handled by NAT.
Solution:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# access-list 19 permit 192.168.55.5
Router(config)# ip nat service list 19 ftp tcp port 8021
Router(config)# ip nat service list 19 ftp tcp port 21
Router(config)# end
Router#
Discussion: NAT's FTP application layer gateway rewrites the addresses and ports carried inside PORT and PASV commands, but it only recognises the control channel on TCP port 21 unless told otherwise. The ip nat service command lists the additional ports, for the servers matched by access list 19, that carry FTP. Since 12.2(4)T there is also a no-payload keyword that does the opposite: it translates the IP header only and leaves addresses embedded in the packet payload untouched, which is what you want when an application carries addresses that must not be rewritten.
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface FastEthernet0/0
Router(config-if)# ip address 172.16.1.5 255.255.255.252
Router(config-if)# ip nat outside
Router(config-if)# exit
Router(config)# interface FastEthernet0/1
Router(config-if)# ip address 192.168.1.1 255.255.255.0
Router(config-if)# ip nat inside
Router(config-if)# exit
Router(config)# ip nat inside source static 192.168.1.10 172.16.1.5 no-payload
Router(config)# end
Router#
21.12. Checking NAT status
Problem: Display the current NAT information.
Solution:
Router# show ip nat translation
Router# clear ip nat translation *
Router# clear ip nat translation inside 172.18.3.2
Router# clear ip nat translation outside 192.168.1.10
Router# show ip nat statistics
Router# clear ip nat statistics
Discussion:
Router# show ip nat translation
Pro Inside global      Inside local       Outside local      Outside global
"Inside global" is the translated address of an inside host as it appears on the outside network; "Inside local" is that host's real address. "Outside local" is the address of an outside host as it appears on the inside network; "Outside global" is the outside host's real address. In short, global addresses are the ones seen on the outside, local addresses the ones seen on the inside. Be aware that clear ip nat translation * drops every active session through the router, not just stale entries, so prefer the inside or outside form to remove a single host's entries.
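The column layout above is easy to parse, and the translation table is a useful place to spot an inside host that is scanning or flooding through the NAT. The following is an added example, not code from the original page: it parses constructed show ip nat translation output laid out as in the recipe, counts dynamic translations per inside host and flags hosts that talk to more distinct outside addresses than a (hypothetical) threshold. The sample lines, the threshold and the function names are assumptions made for this example.

```python
"""Parse 'show ip nat translation' output and flag inside hosts that own an
unusually large share of the translation table.

Added example, not from the original page. The sample output below is
constructed to match the column layout the recipe shows; the threshold and
the function names are assumptions made for this example."""
from collections import Counter, defaultdict

# Constructed sample output (not a real capture). 192.168.1.20 is spraying
# UDP at many destinations, which is what a scanner or a DNS-flooding host
# looks like from the NAT's point of view.
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 172.16.1.5:1024    192.168.1.10:1024  10.1.1.1:80        10.1.1.1:80
tcp 172.16.1.5:1025    192.168.1.10:1025  10.1.1.2:443       10.1.1.2:443
udp 172.16.1.5:2000    192.168.1.20:2000  10.2.0.1:53        10.2.0.1:53
udp 172.16.1.5:2001    192.168.1.20:2001  10.2.0.2:53        10.2.0.2:53
udp 172.16.1.5:2002    192.168.1.20:2002  10.2.0.3:53        10.2.0.3:53
udp 172.16.1.5:2003    192.168.1.20:2003  10.2.0.4:53        10.2.0.4:53
--- 172.16.1.6         192.168.1.30       ---                ---
"""


def _split_addr(token):
    """'ip:port' -> (ip, port); a bare ip -> (ip, None); '---' -> None."""
    if token == "---":
        return None
    ip, _, port = token.partition(":")
    return (ip, int(port) if port else None)


def parse_translations(text):
    """Return one dict per translation line.

    Keys: proto (None for a static mapping, shown as '---'), inside_global,
    inside_local, outside_local, outside_global, each as (ip, port) or None."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] == "Pro":
            continue  # header, blank line, or a layout we do not model
        proto, ig, il, ol, og = fields
        entries.append({
            "proto": None if proto == "---" else proto,
            "inside_global": _split_addr(ig),
            "inside_local": _split_addr(il),
            "outside_local": _split_addr(ol),
            "outside_global": _split_addr(og),
        })
    return entries


def translations_per_inside_host(entries):
    """Count dynamic translations owned by each inside local address."""
    counts = Counter()
    for e in entries:
        if e["proto"] is not None:  # skip static mappings
            counts[e["inside_local"][0]] += 1
    return counts


def suspicious_hosts(entries, max_destinations=3):
    """Inside hosts talking to more than max_destinations distinct outside
    addresses. The threshold is deliberately low so the constructed sample
    trips it; tune it against normal traffic on a real network."""
    dests = defaultdict(set)
    for e in entries:
        if e["proto"] is not None and e["outside_global"] is not None:
            dests[e["inside_local"][0]].add(e["outside_global"][0])
    return sorted(h for h, d in dests.items() if len(d) > max_destinations)


if __name__ == "__main__":
    entries = parse_translations(SAMPLE)
    print(translations_per_inside_host(entries))
    print("suspicious:", suspicious_hosts(entries))
```

Feed it the real command output (for example from a scheduled SSH collection) and compare the per-host counts against the max-entries limit from recipe 21.10 to see how close a single host is to exhausting the table.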
21.13. Debugging NAT
Problem: Troubleshoot NAT.
Solution:
Router# debug ip nat
Router# debug ip nat detailed
Router# debug ip nat 15
Router# debug ip nat 15 detailed
Discussion: The numeric argument is a standard access list that restricts the debug output to matching addresses. On a busy router always use one: unfiltered debug ip nat logs every translated packet and can starve the CPU.
Chapter 22. First-hop redundancy protocols
22.1. Configuring basic HSRP
Problem: When the active router fails, a standby router should take over its IP address and MAC address.
Solution:
Router1:
Router1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# interface FastEthernet0/1
Router1(config-if)# ip address 172.22.1.3 255.255.255.0
Router1(config-if)# standby 1 ip 172.22.1.1
Router1(config-if)# standby 1 priority 120
Router1(config-if)# exit
Router1(config)# end
Router1#
Router2:
Router2# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)# interface FastEthernet1/0
Router2(config-if)# ip address 172.22.1.2 255.255.255.0
Router2(config-if)# standby 1 ip 172.22.1.1
Router2(config-if)# standby 1 priority 110
Router2(config-if)# exit
Router2(config)# end
Router2#
Discussion: The HSRP virtual MAC address is derived from the group number, not from the router: for HSRP version 1 it is 0000.0c07.acXX, where XX is the group number in hex. If the same group number is used on several VLANs or segments behind one switch, the switch sees the same MAC address on several ports. Either use a different group number per segment or assign the virtual MAC by hand with standby 1 mac-address 0000.0c07.ad01.
22.2. Using HSRP preemption
Problem: Force a particular router to become the active router of the group whenever it is up.
Solution:
Router1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# interface FastEthernet0/1
Router1(config-if)# standby 1 ip 172.22.1.1
Router1(config-if)# standby 1 priority 120
Router1(config-if)# standby 1 preempt
Router1(config-if)# exit
Router1(config)# end
Router1#
Router2# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)# interface FastEthernet1/0
Router2(config-if)# standby 1 ip 172.22.1.1
Router2(config-if)# standby 1 priority 110
Router2(config-if)# standby 1 preempt
Router2(config-if)# exit
Router2(config)# end
Router2#
Discussion: Without preempt, a router that comes back up stays in standby until the current active router fails, whatever its priority. Preemption normally happens as soon as the LAN interface comes up, which can be before the router's routing protocols have converged, so the newly active gateway would black-hole traffic for a while. It is therefore advisable to configure a preempt delay so the router waits after booting before taking over, for example standby 1 preempt delay 60.
22.3. Making HSRP track an interface
Problem: Fail over to the standby router when the active router's uplink goes down.
Solution:
Router1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# interface FastEthernet0/1
Router1(config-if)# standby 1 ip 172.22.1.1
Router1(config-if)# standby 1 priority 120
Router1(config-if)# standby 1 preempt
Router1(config-if)# standby 1 track Serial0/0 20
Router1(config-if)# exit
Router1(config)# end
Router1#
Since 12.2(15)T, enhanced object tracking allows more kinds of objects to be tracked:
Router1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# track 11 interface Serial1/1 ip routing
Router1(config-track)# exit
Router1(config)# interface FastEthernet0/0
Router1(config-if)# standby 1 ip 172.22.1.1
Router1(config-if)# standby 1 priority 120
Router1(config-if)# standby 1 preempt
Router1(config-if)# standby 1 track 11 decrement 50
Router1(config-if)# end
Router1#
Discussion: When the tracked interface goes down, the router's priority is reduced by the decrement (20 in the first example, 50 in the second). The standby router takes over only if the reduced priority falls below its own and it has preempt configured, so pick the decrement such that 120 minus the decrement is lower than the other router's priority; otherwise tracking has no visible effect. The tracked object's state can be checked with show track:
Router1# show track
Track 11
  Interface Serial1/1 ip routing
  IP routing is Down (hw admin-down, ip disabled)
    1 change, last change 00:12:48
  Tracked by:
    HSRP FastEthernet0/0 1
22.4. Load balancing with HSRP
Problem: Share traffic across two or more HSRP routers.
Solution:
Router1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# interface FastEthernet0/1
Router1(config-if)# ip address 172.22.1.3 255.255.255.0
Router1(config-if)# standby 1 ip 172.22.1.1
Router1(config-if)# standby 1 priority 120
Router1(config-if)# standby 1 preempt
Router1(config-if)# standby 2 ip 172.22.1.2
Router1(config-if)# standby 2 priority 110
Router1(config-if)# standby 2 preempt
Router1(config-if)# exit
Router1(config)# end
Router1#
Router2# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)# interface FastEthernet1/0
Router2(config-if)# ip address 172.22.1.4 255.255.255.0
Router2(config-if)# standby 1 ip 172.22.1.1
Router2(config-if)# standby 1 priority 110
Router2(config-if)# standby 1 preempt
Router2(config-if)# standby 2 ip 172.22.1.2
Router2(config-if)# standby 2 priority 120
Router2(config-if)# standby 2 preempt
Router2(config-if)# exit
Router2(config)# end
Router2#
Discussion: Two HSRP groups give two virtual gateway addresses, with each router active for one group and standby for the other. Because there are two gateways, the end hosts have to be split between them by hand (for example, half of the hosts or one DHCP scope pointing at 172.22.1.1 and the other at 172.22.1.2). If one router fails, the other becomes active for both groups and carries all traffic.
22.5. ICMP redirects with HSRP
Problem: Control how routers running HSRP send ICMP redirects.
Solution:
Router2# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)# interface FastEthernet 1/0
Router2(config-if)# no ip redirects
Router2(config-if)# standby redirects disable
Router2(config-if)# exit
Router2(config)# end
Router2#
Discussion: A plain ICMP redirect points a host at a router's real interface address. That defeats HSRP: if that router then fails, the host keeps using the dead address until its redirect entry expires. HSRP-aware redirects (enabled by default on IOS releases that support them) rewrite redirects so that they point at a virtual address instead; standby redirects disable turns that behaviour off, and no ip redirects stops the interface from sending redirects at all. Disabling redirects entirely is the simplest and safest choice on a shared segment: hosts keep sending everything to the virtual gateway, which is exactly what failover relies on.
22.6. Adjusting HSRP timers
Problem: Change how long it takes the standby router to take over from the active router.
Solution:
Router1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# interface FastEthernet0/1
Router1(config-if)# standby 1 ip 172.22.1.1
Router1(config-if)# standby 1 priority 120
Router1(config-if)# standby 1 preempt
Router1(config-if)# standby 1 timers 1 3
Router1(config-if)# exit
Router1(config)# end
Router1#
Discussion: The default hello interval is 3 seconds and the default hold time is 10 seconds; the standby router takes over once it has not heard a hello for the hold time. With timers 1 3, failover takes about 3 seconds. Although the other routers in the group learn the timers from the active router's hellos, configure the same values on every router in the group so that behaviour does not change depending on which router is active. Timers can go down to milliseconds, for example standby 1 timers msec 100 msec 300; very aggressive timers can cause spurious failovers when a router is under heavy CPU load.
22.7. Using HSRP on Token Ring
Problem: Configure HSRP on a Token Ring network.
Solution:
If only IP is in use, configure HSRP as in the earlier examples. If other protocols are present, and in particular if source-route bridging is in use, configure it as follows:
Router1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# interface Tokenring0
Router1(config-if)# ip address 172.22.1.3 255.255.255.0
Router1(config-if)# standby ip 172.22.1.1
Router1(config-if)# standby use-bia
Router1(config-if)# standby priority 120
Router1(config-if)# standby preempt
Router1(config-if)# exit
Router1(config)# end
Router1#
Router2# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)# interface Tokenring0
Router2(config-if)# ip address 172.22.1.2 255.255.255.0
Router2(config-if)# standby ip 172.22.1.1
Router2(config-if)# standby use-bia
Router2(config-if)# standby priority 110
Router2(config-if)# standby preempt
Router2(config-if)# exit
Router2(config)# end
Router2#
Discussion: Token Ring bridging keeps track of station MAC addresses, so a virtual MAC address that moves from one router to another causes problems. standby use-bia makes HSRP use the interface's burned-in address (BIA) instead of the virtual MAC. The virtual IP address still moves on failover but the MAC address does not, so the newly active router sends gratuitous ARPs to make hosts update their ARP caches. The commands here omit the group number, which means HSRP group 0.
22.8. Enabling SNMP support for HSRP
Problem: Send SNMP traps for HSRP state changes.
Solution:
Router1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# snmp-server enable traps hsrp
Router1(config)# snmp-server host 172.25.1.1 ORATRAP
Router1(config)# end
Router1#
Discussion: 172.25.1.1 is the trap receiver and ORATRAP the community string; both are example values. A trap on every active/standby transition is a cheap way to notice both failovers and unexpected takeovers, since a rogue device winning the election shows up as a state change on the legitimate routers. The community string travels in the clear with SNMP v1 and v2c, so use a dedicated string for traps and restrict the receiver address.
22.9. Making HSRP more secure
Problem: Improve the security of HSRP.
Solution:
Use the same settings on every router in the group:
Router1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# interface FastEthernet0/1
Router1(config-if)# standby 1 ip 172.22.1.1
Router1(config-if)# standby 1 priority 120
Router1(config-if)# standby 1 authentication NEOSHI
Router1(config-if)# exit
Router1(config)# end
Router1#
Since 12.3(2)T, MD5 authentication is supported:
Router1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# interface FastEthernet0/1
Router1(config-if)# standby 1 ip 10.1.1.1
Router1(config-if)# standby 1 priority 200
Router1(config-if)# standby 1 authentication md5 key-string OREILLY
Router1(config-if)# end
Router1#
To stop any other router from becoming active, give this router the highest possible priority:
Router1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# interface FastEthernet0/1
Router1(config-if)# standby 1 ip 172.22.1.1
Router1(config-if)# standby 1 priority 255
Router1(config-if)# exit
Router1(config)# end
Router1#
Discussion: Plain-text authentication only prevents accidental mixing of groups: the string is carried in the clear in every hello packet and anyone on the segment can read it. MD5 authentication adds a keyed hash over the packet, so a device that does not know the key cannot inject a hello that the routers accept. Priority 255 on its own is not protection either, because a rogue device can also claim 255, at which point the tie is broken by the highest IP address. Combine MD5 authentication with switch-side filtering so that HSRP packets are accepted only from the ports the real routers are attached to.
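To make the discussion concrete, here is an added example that is not code from the original page: it builds and parses HSRP version 1 packets (the 20-byte RFC 2281 format carried in UDP port 1985 to 224.0.2 group 224.0.0.2), shows that the plain-text authentication field is readable by anyone on the segment, and audits constructed hello/coup packets against the settings from recipe 22.1 and 22.9. Only the plain-text field is modelled; Cisco's MD5 authentication is carried in an extension TLV that this example does not parse. The packets, the expected-group policy and the function names are assumptions made for illustration.

```python
"""Build and parse HSRP version 1 packets (RFC 2281) and flag hellos that a
rogue device on the segment might send.

Added example, not code from the original page. Only the plain-text
authentication field is modelled; Cisco's MD5 authentication is carried in
an extension TLV that this example does not parse. Packets and the
"expected" group settings below are constructed for illustration."""
import struct
import ipaddress

HSRP_FMT = "!BBBBBBBB8s4s"  # version, opcode, state, hello, hold, priority, group, reserved, auth, vip
OPCODES = {0: "hello", 1: "coup", 2: "resign"}
STATES = {0: "initial", 1: "learn", 2: "listen", 4: "speak",
          8: "standby", 16: "active"}


def build_hsrp(opcode, state, priority, group, vip, auth=b"cisco",
               hello=3, hold=10):
    """Serialise an HSRP v1 packet. auth is the 8-byte plain-text field;
    the IOS default string is 'cisco', NUL-padded."""
    auth = auth.ljust(8, b"\x00")[:8]
    return struct.pack(HSRP_FMT, 0, opcode, state, hello, hold, priority,
                       group, 0, auth, ipaddress.IPv4Address(vip).packed)


def parse_hsrp(data):
    """Decode the fixed header into a dict; raises ValueError on junk."""
    if len(data) < struct.calcsize(HSRP_FMT):
        raise ValueError("short HSRP packet")
    (ver, op, st, hello, hold, prio, group, _res, auth,
     vip) = struct.unpack(HSRP_FMT, data[:20])
    if ver != 0:
        raise ValueError("not HSRP version 1")
    return {"opcode": OPCODES.get(op, op), "state": STATES.get(st, st),
            "hello": hello, "hold": hold, "priority": prio, "group": group,
            "auth": auth.rstrip(b"\x00"),
            "vip": str(ipaddress.IPv4Address(vip))}


def virtual_mac(group):
    """HSRP v1 virtual MAC for a group: 0000.0c07.acXX."""
    return "0000.0c07.ac%02x" % group


def audit(packet, src_ip, expected):
    """Return the reasons this packet is suspicious given what we expect for
    the group: the known router addresses, the shared authentication string
    and the highest priority a legitimate router is configured with."""
    p = parse_hsrp(packet)
    reasons = []
    if p["group"] != expected["group"] or p["vip"] != expected["vip"]:
        return reasons  # a different group; out of scope for this policy
    if src_ip not in expected["routers"]:
        reasons.append("packet from unknown router %s" % src_ip)
    if p["auth"] != expected["auth"]:
        reasons.append("authentication string mismatch")
    if p["opcode"] == "coup" or p["priority"] > expected["max_priority"]:
        reasons.append("claims priority %d (coup=%s) above any legitimate router"
                       % (p["priority"], p["opcode"] == "coup"))
    return reasons


# Constructed policy matching recipes 22.1 and 22.9 (hypothetical values).
EXPECTED = {"group": 1, "vip": "172.22.1.1", "auth": b"NEOSHI",
            "routers": {"172.22.1.2", "172.22.1.3"}, "max_priority": 120}

# Constructed traffic: the legitimate active router's hello, then a rogue
# host on the segment using the default 'cisco' string and priority 255.
LEGIT = build_hsrp(0, 16, 120, 1, "172.22.1.1", b"NEOSHI")
ROGUE = build_hsrp(1, 4, 255, 1, "172.22.1.1", b"cisco")

if __name__ == "__main__":
    print(parse_hsrp(LEGIT), audit(LEGIT, "172.22.1.3", EXPECTED))
    print(parse_hsrp(ROGUE), audit(ROGUE, "172.22.1.77", EXPECTED))
```

Pointing the audit at UDP/1985 payloads captured on the gateway VLAN gives a simple detector for HSRP takeover attempts; the authentication check only has meaning for plain-text groups, which is itself the argument for moving to MD5.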
22.10. Displaying HSRP status
Problem: Show HSRP status information.
Solution:
Router2# show standby
Router2# show standby FastEthernet 1/0
Router2# show standby brief
Discussion: show standby brief prints one line per group with its state, priority, preemption setting and the active and standby addresses, which is the quickest way to confirm which router is active and whether an unexpected device has won the election.
22.11. Debugging HSRP
Problem: Troubleshoot HSRP.
Solution:
Router2# debug standby errors
Router2# debug standby events
Router2# debug standby packets
Router2# debug standby terse
Discussion: debug standby packets prints every hello, which is a lot of output on a router with many groups or millisecond timers; debug standby terse shows only state changes and errors and is the safer first choice.
22.12. Enabling HSRP version 2
Problem: Deploy HSRPv2.
Solution:
Router1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# interface FastEthernet0/1
Router1(config-if)# standby version 2
Router1(config-if)# standby 4095 ip 10.1.1.1
Router1(config-if)# standby 4095 timers msec 15 msec 50
Router1(config-if)# standby 4095 priority 200
Router1(config-if)# standby 4095 preempt
Router1(config-if)# end
Router1#
Router2# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)# interface FastEthernet0/0
Router2(config-if)# standby version 2
Router2(config-if)# standby 4095 ip 10.1.1.1
Router2(config-if)# standby 4095 timers msec 15 msec 50
Router2(config-if)# standby 4095 priority 150
Router2(config-if)# standby 4095 preempt
Router2(config-if)# end
Router2#
Discussion: HSRPv2 is supported since 12.3(4)T. Its main change is the group range, 0 to 4095 instead of 0 to 255 in version 1. It also uses a different virtual MAC range (0000.0c9f.fXXX) and a different multicast address (224.0.0.102 instead of 224.0.0.2), so version 1 and version 2 routers cannot be mixed in the same group; switch all routers on a segment together.
22.13. VRRP
Problem: Run VRRP on Cisco routers.
Solution:
Router1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# interface FastEthernet0/1
Router1(config-if)# ip address 10.1.1.2 255.255.255.0
Router1(config-if)# vrrp 1 ip 10.1.1.1
Router1(config-if)# vrrp 1 preempt
Router1(config-if)# vrrp 1 priority 200
Router1(config-if)# end
Router1#
Router2# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)# interface FastEthernet0/0
Router2(config-if)# ip address 10.1.1.3 255.255.255.0
Router2(config-if)# vrrp 1 ip 10.1.1.1
Router2(config-if)# vrrp 1 preempt
Router2(config-if)# vrrp 1 priority 150
Router2(config-if)# end
Router2#
Discussion: VRRP is the standards-based alternative to HSRP, which matters when Cisco and non-Cisco routers share a segment; authentication is the area where interoperability problems are most likely, so test it before relying on it. Only the advertisement interval is configurable, on the master; backup routers can learn it with vrrp 1 timers learn. A description can be attached to the group, and object tracking is supported as with HSRP.
22.14. GLBP
Problem: Configure GLBP to share traffic across gateways automatically.
Solution:
Router1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# interface FastEthernet0/0
Router1(config-if)# ip address 172.22.1.3 255.255.255.0
Router1(config-if)# glbp 1 ip 172.22.1.1
Router1(config-if)# exit
Router1(config)# end
Router1#
Router2# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)# interface FastEthernet0/0
Router2(config-if)# ip address 172.22.1.2 255.255.255.0
Router2(config-if)# glbp 1 ip 172.22.1.1
Router2(config-if)# exit
Router2(config)# end
Router2#
Discussion: GLBP uses one virtual IP address but several virtual MAC addresses, one per forwarding router. The router elected as the active virtual gateway answers ARP requests for the virtual IP with the virtual MACs of the group members in round-robin order by default, so hosts spread across the routers without the multiple-group trick of recipe 22.4 and with a single gateway address on every host. Other load-balancing methods, such as weighted or host-dependent, are available.
Chapter 23. IP multicast
23.1. Configuring multicast with PIM-DM
Problem: Configure basic multicast routing on a router.
Solution:
Router1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# ip multicast-routing
Router1(config)# interface FastEthernet0/0
Router1(config-if)# ip address 192.168.1.1 255.255.255.0
Router1(config-if)# ip pim dense-mode
Router1(config-if)# exit
Router1(config)# interface Serial1/0
Router1(config-if)# ip address 192.168.2.5 255.255.255.252
Router1(config-if)# ip pim dense-mode
Router1(config-if)# end
Router1#
Router2# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)# ip multicast-routing
Router2(config)# interface FastEthernet0/0
Router2(config-if)# ip address 192.168.3.1 255.255.255.0
Router2(config-if)# ip pim dense-mode
Router2(config-if)# exit
Router2(config)# interface Serial1/0
Router2(config-if)# ip address 192.168.2.6 255.255.255.252
Router2(config-if)# ip pim dense-mode
Router2(config-if)# end
Router2#
Discussion: Dense mode floods every group out of every PIM interface and then prunes the branches that have no receivers, repeating the flood-and-prune cycle periodically. It suits networks where sources and receivers are close together and receivers are densely distributed: few senders, many receivers. It is a poor fit for large networks or sparsely populated groups, since every router carries state and periodic traffic for every group whether or not it has receivers.
23.2. Configuring multicast routing with PIM-SM and BSR
Problem: Configure sparse-mode multicast routing, using the Bootstrap Router mechanism to distribute RP information.
Solution:
On an ordinary router participating in multicast:
Router1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# ip multicast-routing
Router1(config)# ip pim rp-address 192.168.15.5
Router1(config)# interface FastEthernet0/0
Router1(config-if)# ip address 192.168.1.1 255.255.255.0
Router1(config-if)# ip pim sparse-mode
Router1(config-if)# interface Serial1/0
Router1(config-if)# ip address 192.168.2.5 255.255.255.252
Router1(config-if)# ip pim sparse-mode
Router1(config-if)# end
Router1#
On the RP candidate and BSR candidate router:
Router-RP1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router-RP1(config)# ip multicast-routing
Router-RP1(config)# interface Loopback0
Router-RP1(config-if)# ip address 192.168.12.1 255.255.255.255
Router-RP1(config-if)# ip pim sparse-mode
Router-RP1(config-if)# exit
Router-RP1(config)# interface FastEthernet0/0
Router-RP1(config-if)# ip address 192.168.1.1 255.255.255.0
Router-RP1(config-if)# ip pim sparse-mode
Router-RP1(config-if)# exit
Router-RP1(config)# interface Serial1/0
Router-RP1(config-if)# ip address 192.168.2.5 255.255.255.252
Router-RP1(config-if)# ip pim sparse-mode
Router-RP1(config-if)# exit
Router-RP1(config)# ip pim rp-address 192.168.12.1 15
Router-RP1(config)# ip pim rp-candidate loopback0 group-list 15
Router-RP1(config)# ip pim bsr-candidate loopback0 1
Router-RP1(config)# access-list 15 permit 239.5.5.0 0.0.0.255
Router-RP1(config)# access-list 15 deny any
Router-RP1(config)# end
Router-RP1#
Discussion: Sparse mode needs a Rendezvous Point (RP) to act as the root of the shared tree; receivers join towards the RP, and a router later switches to the source's shortest path tree (SPT) if the rate warrants it. Routers can learn the RP in two ways. The first is a static entry, as on Router1 with ip pim rp-address 192.168.15.5. The second is dynamic discovery, for which there are again two mechanisms: the Cisco-proprietary Auto-RP (recipe 23.3) and the standard Bootstrap Router mechanism used here. On Router-RP1, ip pim rp-candidate advertises the router as a possible RP for the groups in access list 15, and ip pim bsr-candidate makes it a Bootstrap Router candidate; the BSR's job is to distribute the set of candidate RPs to every router in the domain. It is also advisable to configure ip pim rp-address 192.168.12.1 15 on the RP itself, particularly on IOS 12.3 and later. BSR requires PIM version 2. Using a loopback address for the RP keeps the RP reachable whichever physical interface fails.
23.3. Configuring multicast routing with PIM-SM and Auto-RP
Problem: Configure sparse-mode multicast routing, using Auto-RP to distribute RP information.
Solution:
On an ordinary router participating in multicast:
Router1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# ip multicast-routing
Router1(config)# ip pim rp-address 192.168.15.5
Router1(config)# interface FastEthernet0/0
Router1(config-if)# ip address 192.168.1.1 255.255.255.0
Router1(config-if)# ip pim sparse-dense-mode
Router1(config-if)# exit
Router1(config)# interface Serial1/0
Router1(config-if)# ip address 192.168.2.5 255.255.255.252
Router1(config-if)# ip pim sparse-dense-mode
Router1(config-if)# end
Router1#
On the candidate RP router:
Router-RP1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router-RP1(config)# ip multicast-routing
Router-RP1(config)# interface Loopback0
Router-RP1(config-if)# ip address 192.168.12.1 255.255.255.255
Router-RP1(config-if)# ip pim sparse-dense-mode
Router-RP1(config-if)# exit
Router-RP1(config)# interface FastEthernet0/0
Router-RP1(config-if)# ip address 192.168.1.1 255.255.255.0
Router-RP1(config-if)# ip pim sparse-dense-mode
Router-RP1(config-if)# exit
Router-RP1(config)# interface Serial1/0
Router-RP1(config-if)# ip address 192.168.2.5 255.255.255.252
Router-RP1(config-if)# ip pim sparse-dense-mode
Router-RP1(config-if)# exit
Router-RP1(config)# ip pim send-rp-announce loopback0 scope 16 group-list 15
Router-RP1(config)# ip pim send-rp-discovery scope 16
Router-RP1(config)# access-list 15 permit 239.5.5.0 0.0.0.255
Router-RP1(config)# access-list 15 deny any
Router-RP1(config)# end
Router-RP1#
Discussion: Auto-RP is Cisco proprietary. The candidate RP announces itself on 224.0.1.39 (send-rp-announce), and the mapping agent chooses the RP for each group range and distributes the result on 224.0.1.40 (send-rp-discovery); here the same router plays both roles. Those two groups have to be forwarded before any router knows an RP, which is why the interfaces use sparse-dense-mode: they run dense mode for groups that have no RP and sparse mode for the rest. The scope value is the TTL placed on the announcements and bounds how far they travel. Note that sparse-dense-mode also means any group without an RP falls back to dense-mode flooding, so combine it with the boundary filtering of recipe 23.15 at the edge of the domain.
23.4. Filtering PIM neighbors
Problem: Stop a router from accepting PIM packets from other devices.
Solution:
On Router1, filter PIM from Router2:
Router1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# ip multicast-routing
Router1(config)# interface FastEthernet0/0
Router1(config-if)# ip address 192.168.1.1 255.255.255.0
Router1(config-if)# ip pim sparse-mode
Router1(config-if)# ip pim neighbor-filter 18
Router1(config-if)# exit
Router1(config)# access-list 18 deny any
Router1(config)# end
Router1#
Router2# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)# ip multicast-routing
Router2(config)# interface FastEthernet0/0
Router2(config-if)# ip address 192.168.1.2 255.255.255.0
Router2(config-if)# ip pim dense-mode
Router2(config-if)# ip igmp helper-address 192.168.1.1
Router2(config-if)# end
Router2#
Discussion: ip pim neighbor-filter 18 with a deny-any list means Router1 forms no PIM adjacency on that interface, so nothing on that segment can inject PIM joins, prunes or asserts. Besides security, this is how multicast stub routing is built: Router2 runs no real PIM relationship with the core and instead forwards the IGMP reports from its hosts to Router1 with ip igmp helper-address, and Router1 joins the groups on the stub's behalf. The filter only controls PIM; it does not stop a host on the segment from sending multicast data.
23.5. Supporting low-rate multicast applications
Problem: Configure the network for applications that send multicast packets infrequently.
Solution:
Router1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# ip multicast-routing
Router1(config)# ip pim spt-threshold 10 group-list 15
Router1(config)# access-list 15 permit 239.5.5.55
Router1(config)# access-list 15 deny any
Router1(config)# interface FastEthernet0/0
Router1(config-if)# ip address 192.168.1.1 255.255.255.0
Router1(config-if)# ip pim sparse-dense-mode
Router1(config-if)# exit
Router1(config)# interface Serial1/0
Router1(config-if)# ip address 192.168.2.5 255.255.255.252
Router1(config-if)# ip pim sparse-mode
Router1(config-if)# end
Router1#
Discussion: Applications that send small packets at long intervals should use sparse mode, so that the network does not periodically flood and prune for a group that is almost always idle. By default a last-hop router switches from the shared tree to the source tree as soon as it receives the first packet; ip pim spt-threshold 10 group-list 15 makes it stay on the shared tree for group 239.5.5.55 until the rate exceeds 10 kbps, so the (S,G) state is not created and torn down for every isolated packet. ip pim spt-threshold infinity keeps the listed groups on the shared tree permanently.
23.6. Using multicast over Frame Relay or ATM
Problem: Run PIM-SM over an NBMA network.
Solution:
Router1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# ip multicast-routing
Router1(config)# interface Serial0/0
Router1(config-if)# encapsulation frame-relay
Router1(config-if)# ip pim sparse-mode
Router1(config-if)# ip pim nbma-mode
Router1(config-if)# end
Router1#
Discussion: On a multipoint NBMA interface the router normally treats all the remote sites behind the interface as a single outgoing branch, so a join from one remote router causes traffic to be replicated to every PVC, and a prune from one of them would prune them all. ip pim nbma-mode makes the router keep join and prune state per neighbor, so data is sent only over the PVCs that lead to neighbors which actually joined. It applies to sparse mode only.
23.7. Configuring CGMP
Problem: Configure the router to communicate with Catalyst switches using CGMP.
Solution:
Router1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# ip multicast-routing
Router1(config)# interface FastEthernet0/0
Router1(config-if)# ip pim sparse-dense-mode
Router1(config-if)# ip cgmp
Router1(config-if)# end
Router1#
Discussion: CGMP lets the router tell a Catalyst switch which ports have members of a group, so that the switch does not flood multicast to every port. The command to enable CGMP varies between switch models and not all switches support it; on switches that support IGMP snooping, that is the usual replacement.
23.8. Using IGMP version 3
Problem: Configure IGMPv3.
Solution:
Router1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# ip multicast-routing
Router1(config)# ip pim ssm default
Router1(config)# interface FastEthernet0/0
Router1(config-if)# ip pim sparse-dense-mode
Router1(config-if)# ip igmp version 3
Router1(config-if)# end
Router1#
If you want Source-Specific Multicast (SSM) but the end hosts do not support IGMPv3, Cisco's IGMP v3lite can be used instead:
Router1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# ip multicast-routing
Router1(config)# ip pim ssm default
Router1(config)# interface FastEthernet0/0
Router1(config-if)# ip pim sparse-dense-mode
Router1(config-if)# ip igmp v3lite
Router1(config-if)# end
Router1#
Discussion: The most useful IGMPv3 feature is SSM: a host can ask not just for a group but for a group from a specific source, and the router builds a source tree directly without an RP. ip pim ssm default enables SSM for the default SSM range 232.0.0.0/8. Because receivers name the source explicitly, an unrelated sender cannot inject traffic into an SSM channel simply by transmitting to the group, which removes a whole class of multicast abuse that any-source multicast allows.
23.9. Static multicast routes and group membership
Problem: Replace dynamic multicast routing and group membership with static entries.
Solution:
Static multicast route:
Router1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# ip multicast-routing
Router1(config)# ip mroute 192.168.15.0 255.255.255.0 192.168.98.6
Router1(config)# interface Tunnel0
Router1(config-if)# ip address 192.168.98.5 255.255.255.252
Router1(config-if)# ip pim sparse-dense-mode
Router1(config-if)# tunnel mode gre ip
Router1(config-if)# end
Router1#
Static group membership:
Router1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# ip multicast-routing
Router1(config)# interface FastEthernet0/0
Router1(config-if)# ip pim sparse-dense-mode
Router1(config-if)# ip igmp join-group 239.5.5.55
Router1(config-if)# end
Router1#
Discussion: A static mroute does not forward anything by itself; it overrides the RPF check, telling the router that multicast from sources in 192.168.15.0/24 is expected to arrive via 192.168.98.6, here the far end of the GRE tunnel, even though the unicast routing table points elsewhere. ip igmp join-group makes the router itself a member of the group, so it always pulls the traffic for that interface; the packets are process-switched. Since 12.3(2)T the similar ip igmp static-group command forwards the group out of the interface without the router joining it, and is fast-switched, so it is the better choice when the goal is simply to keep the group flowing to a segment.
23.10. Multicast routing with MOSPF
Problem: Use MOSPF to distribute multicast routes.
Solution: Cisco does not support MOSPF.
23.11. Multicast routing with DVMRP
Problem: Configure DVMRP for multicast routing.
Solution:
Router1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# ip multicast-routing
Router1(config)# interface FastEthernet0/0
Router1(config-if)# ip pim sparse-dense-mode
Router1(config-if)# ip dvmrp unicast-routing
Router1(config-if)# ip dvmrp summary-address 192.168.0.0 255.255.0.0
Router1(config-if)# end
Router1#
Discussion: Cisco's DVMRP support is not complete; it exists mainly to let a PIM network interoperate with a DVMRP neighbor, and DVMRP deployments are now rare. PIM is the recommended protocol: it uses the unicast routing table for its RPF checks, whereas DVMRP maintains its own multicast routing table, exchanged with neighbors on 224.0.0.4. ip dvmrp unicast-routing makes the router advertise its unicast routes to the DVMRP neighbor, and the summary-address line limits what is advertised.
23.12. DVMRP tunnels
Problem: Build a DVMRP tunnel across a network that does not carry multicast.
Solution:
Router1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# ip multicast-routing
Router1(config)# interface Tunnel0
Router1(config-if)# ip unnumbered FastEthernet0/0
Router1(config-if)# ip pim sparse-dense-mode
Router1(config-if)# ip dvmrp unicast-routing
Router1(config-if)# tunnel source FastEthernet0/0
Router1(config-if)# tunnel destination 192.168.99.15
Router1(config-if)# tunnel mode dvmrp
Router1(config-if)# exit
Router1(config)# interface FastEthernet0/0
Router1(config-if)# ip address 192.168.1.1 255.255.255.0
Router1(config-if)# ip pim sparse-dense-mode
Router1(config-if)# end
Router1#
Discussion: A DVMRP tunnel connects a Cisco router to a traditional DVMRP device such as an mrouted host; it is not supported between two Cisco routers, which should use a GRE tunnel instead (recipe 23.9). The tunnel carries multicast only, and PIM must be enabled on both the tunnel interface and the interface used as the tunnel source.
23.13. Configuring Bidirectional PIM
Problem: Configure the network for bidirectional PIM.
Solution:
On the RP router:
Router-RP1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router-RP1(config)# ip multicast-routing
Router-RP1(config)# ip pim bidir-enable
Router-RP1(config)# ip pim rp-address 192.168.12.1 bidir
Router-RP1(config)# ip pim rp-candidate Loopback0 group-list 15 bidir
Router-RP1(config)# ip pim bsr-candidate Loopback0 1
Router-RP1(config)# access-list 15 permit 239.5.5.0 0.0.0.255
Router-RP1(config)# access-list 15 deny any
Router-RP1(config)# interface Loopback0
Router-RP1(config-if)# ip address 192.168.12.1 255.255.255.255
Router-RP1(config-if)# ip pim sparse-mode
Router-RP1(config-if)# exit
Router-RP1(config)# interface FastEthernet0/0
Router-RP1(config-if)# ip address 192.168.1.1 255.255.255.0
Router-RP1(config-if)# ip pim sparse-mode
Router-RP1(config-if)# exit
Router-RP1(config)# interface Serial1/0
Router-RP1(config-if)# ip address 192.168.2.5 255.255.255.252
Router-RP1(config-if)# ip pim sparse-mode
Router-RP1(config-if)# exit
Router-RP1(config)# end
Router-RP1#
On the other routers:
Router1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# ip multicast-routing
Router1(config)# ip pim bidir-enable
Router1(config)# ip pim rp-address 192.168.12.1 bidir
Router1(config)# interface FastEthernet0/0
Router1(config-if)# ip address 192.168.1.2 255.255.255.0
Router1(config-if)# ip pim sparse-mode
Router1(config-if)# interface Serial1/0
Router1(config-if)# ip address 192.168.3.5 255.255.255.252
Router1(config-if)# ip pim sparse-mode
Router1(config-if)# end
Router1#
Discussion: Bidirectional PIM resembles PIM-SM but works differently underneath: all traffic for a group flows up and down a single shared tree rooted at the RP, with no source trees and no (S,G) state, which is what makes it scale for many-to-many applications with large numbers of sources. Every router in the domain must have bidir enabled and agree on which groups are bidirectional, and every router needs an IOS release of 12.2 or later.
23.14. Controlling multicast scope with TTL
Problem: Keep multicast traffic within a defined part of the network.
Solution:
Router1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# ip multicast-routing
Router1(config)# interface FastEthernet0/0
Router1(config-if)# ip multicast ttl-threshold 16
Router1(config-if)# end
Router1#
Discussion: This only works if the multicast applications set their TTL according to an agreed convention; the common one is 1 for the local segment, 16 for a department, 64 for the enterprise and 128 for the Internet. A packet whose TTL does not clear the interface's threshold is dropped there. Unlike unicast, an expired multicast packet does not trigger an ICMP time-exceeded message, so traceroute-style tools give no indication of where it was dropped.
23.15. Controlling multicast scope with administratively scoped addresses
Problem: Use the administratively scoped addresses defined in RFC 2365 to control where multicast is distributed.
Solution:
Router1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# ip multicast-routing
Router1(config)# access-list 15 deny 239.255.0.0 0.0.255.255
Router1(config)# access-list 15 permit any
Router1(config)# interface FastEthernet0/0
Router1(config-if)# ip multicast boundary 15
Router1(config-if)# end
Router1#
Discussion: Because TTL scoping depends on the applications behaving, this method is preferred. RFC 2365 reserves 239.0.0.0 to 239.255.255.255 for administratively scoped use; assign a different range to each scope (site, region, organisation) and filter on the range at the scope's edge. ip multicast boundary is not the same as an ordinary packet filter on the interface: it blocks the listed groups' data in both directions and also the PIM join and prune messages for them, so routers on the far side can never become part of the tree for a scoped group. Add the Auto-RP groups 224.0.1.39 and 224.0.1.40 to the list at the edge of a domain (as recipe 23.16 does) so that RP mapping information is not leaked to or learned from a neighboring domain.
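To show what the boundary list in recipes 23.15 and 23.16 actually admits, and why this filtering has to happen at Layer 3 rather than in a switch, here is an added example that is not code from the original page. It evaluates a numbered standard access list with Cisco wildcard masks against group addresses (the implicit deny at the end included), and maps IPv4 groups to their Ethernet MAC address to show that 32 different groups, such as 224.1.1.1 and the scoped group 239.129.1.1, share one MAC. The ACL parser handles only the permit/deny forms used in these recipes, with contiguous wildcard masks; the access lists embedded below are copied from recipes 23.15 and 23.16, and the function names are assumptions.

```python
"""Multicast scoping checks: which groups an 'ip multicast boundary' access
list blocks, and why Layer 2 cannot do that job (the IP-to-MAC mapping).

Added example; not code from the original page. The ACL evaluator models
only numbered standard lists of the form the recipes use (permit/deny with
an address and an optional contiguous wildcard mask, 'host', or 'any')."""
import ipaddress

# Access lists copied from recipes 23.15 and 23.16.
BOUNDARY_15 = [
    "access-list 15 deny 239.255.0.0 0.0.255.255",
    "access-list 15 permit any",
]
ASBR_15 = [
    "access-list 15 deny 239.0.0.0 0.255.255.255",
    "access-list 15 deny 224.0.1.39",
    "access-list 15 deny 224.0.1.40",
    "access-list 15 permit any",
]


def wildcard_to_network(addr, wildcard="0.0.0.0"):
    """Cisco wildcard mask -> ipaddress network. The wildcard is inverted
    into a netmask first; passing 0.0.0.0 straight to ipaddress would be
    read as a /0 netmask rather than a /32 hostmask."""
    wc = int(ipaddress.IPv4Address(wildcard))
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ wc)
    return ipaddress.ip_network((addr, str(netmask)), strict=False)


def parse_standard_acl(lines):
    """'access-list N permit|deny addr [wildcard]' -> [(action, network)]."""
    rules = []
    for line in lines:
        parts = line.split()
        action, target = parts[2], parts[3]
        if target == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif target == "host":
            net = wildcard_to_network(parts[4])
        else:
            net = wildcard_to_network(target, parts[4] if len(parts) > 4 else "0.0.0.0")
        rules.append((action, net))
    return rules


def acl_permits(rules, group):
    """First matching rule wins; an IOS ACL ends with an implicit deny."""
    ip = ipaddress.IPv4Address(group)
    for action, net in rules:
        if ip in net:
            return action == "permit"
    return False


def multicast_mac(group):
    """Ethernet MAC for an IPv4 group: 01:00:5e plus the low 23 bits."""
    b = ipaddress.IPv4Address(group).packed
    return "01:00:5e:%02x:%02x:%02x" % (b[1] & 0x7F, b[2], b[3])


def groups_sharing_mac(group):
    """All 32 IPv4 groups that map to the same MAC as 'group': the top
    five bits after the 1110 prefix are lost in the mapping."""
    low23 = int(ipaddress.IPv4Address(group)) & 0x007FFFFF
    return [str(ipaddress.IPv4Address(0xE0000000 | (i << 23) | low23))
            for i in range(32)]


if __name__ == "__main__":
    site = parse_standard_acl(BOUNDARY_15)
    edge = parse_standard_acl(ASBR_15)
    for g in ("239.255.1.1", "239.5.5.55", "224.0.1.39", "232.1.1.1"):
        print(g, "site:", acl_permits(site, g), "edge:", acl_permits(edge, g))
    print(multicast_mac("224.1.1.1"), groups_sharing_mac("224.1.1.1"))
```

The MAC collision is the reason a switch's IGMP snooping or a static MAC filter cannot enforce a 239/8 scope: a port that must receive 224.1.1.1 necessarily receives 239.129.1.1 as well, so the boundary has to be applied on the router.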
23.16. Exchanging multicast routing information with MBGP
Problem: Use MBGP to exchange multicast routing information between two networks.
Solution:
First enable multicast routing on the ASBR and filter the locally scoped groups at the border:
Router-ASBR1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router-ASBR1(config)# ip multicast-routing
Router-ASBR1(config)# access-list 15 deny 239.0.0.0 0.255.255.255
Router-ASBR1(config)# access-list 15 deny 224.0.1.39
Router-ASBR1(config)# access-list 15 deny 224.0.1.40
Router-ASBR1(config)# access-list 15 permit any
Router-ASBR1(config)# interface Serial0/0
Router-ASBR1(config-if)# ip multicast boundary 15
Router-ASBR1(config-if)# ip multicast ttl-threshold 64
Router-ASBR1(config-if)# ip pim dense-mode
Router-ASBR1(config-if)# end
Router-ASBR1#
Then configure MBGP:
Router-ASBR1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router-ASBR1(config)# router bgp 65530
Router-ASBR1(config-router)# network 10.0.0.0 mask 255.0.0.0
Router-ASBR1(config-router)# neighbor 10.15.32.1 remote-as 65531
Router-ASBR1(config-router)# address-family ipv4 multicast
Router-ASBR1(config-router-af)# neighbor 10.15.32.1 activate
Router-ASBR1(config-router-af)# end
Router-ASBR1#
Discussion: MBGP is not a multicast routing protocol in the way PIM is. It only carries a separate set of prefixes, the ipv4 multicast address family, that PIM uses for its RPF checks, so that the path multicast takes between the two domains can differ from the unicast path. PIM still has to run on the inter-domain link, which is why the interface configuration carries PIM as well. The boundary list stops the administratively scoped range and the Auto-RP groups from crossing the border in either direction.
23.17. Discovering external sources with MSDP
Problem: Use MSDP to learn about multicast sources in another autonomous system.
Solution:
Router-ASBR1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router-ASBR1(config)# ip multicast-routing
Router-ASBR1(config)# interface Loopback0
Router-ASBR1(config-if)# ip address 192.168.12.1 255.255.255.255
Router-ASBR1(config-if)# ip pim sparse-mode
Router-ASBR1(config-if)# interface FastEthernet0/0
Router-ASBR1(config-if)# ip address 192.168.1.1 255.255.255.0
Router-ASBR1(config-if)# ip pim sparse-mode
Router-ASBR1(config-if)# exit
Router-ASBR1(config)# interface Serial1/0
Router-ASBR1(config-if)# ip address 192.168.2.5 255.255.255.252
Router-ASBR1(config-if)# ip multicast boundary 15
Router-ASBR1(config-if)# ip multicast ttl-threshold 64
Router-ASBR1(config-if)# ip pim sparse-mode
Router-ASBR1(config-if)# exit
Router-ASBR1(config)# ip pim rp-candidate loopback0
Router-ASBR1(config)# ip pim bsr-candidate loopback0 1
Router-ASBR1(config)# router bgp 65530
Router-ASBR1(config-router)# network 10.0.0.0 mask 255.0.0.0
Router-ASBR1(config-router)# neighbor 192.168.2.6 remote-as 65531
Router-ASBR1(config-router)# address-family ipv4 multicast
Router-ASBR1(config-router-af)# neighbor 192.168.2.6 activate
Router-ASBR1(config-router-af)# exit
Router-ASBR1(config-router)# exit
Router-ASBR1(config)# ip msdp peer 192.168.2.6
Router-ASBR1(config)# ip msdp sa-request 192.168.2.6
Router-ASBR1(config)# access-list 15 deny 239.0.0.0 0.255.255.255
Router-ASBR1(config)# access-list 15 deny 224.0.1.39
Router-ASBR1(config)# access-list 15 deny 224.0.1.40
Router-ASBR1(config)# access-list 15 permit any
Router-ASBR1(config)# end
Router-ASBR1#
Discussion: Each PIM-SM domain has its own RP, and an RP only knows about sources inside its own domain. ip msdp peer sets up an MSDP session with the RP of the neighboring domain; when a source starts sending there, the peer sends a Source-Active message, and this RP can then join towards the source on behalf of local receivers. ip msdp sa-request makes this router ask the peer for its cached Source-Active entries as soon as a receiver joins a group, instead of waiting for the next periodic SA. MSDP peers accept SA messages from any source the peer chooses to advertise, so in production filter what is accepted with ip msdp sa-filter in and keep the scoped range and Auto-RP groups out with the boundary list shown.
23.18. Configuring Anycast RP
Problem: Configure two or more RPs so that routers automatically use the nearest one.
Solution:
First RP:
Router-RP1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router-RP1(config)# ip multicast-routing
Router-RP1(config)# interface Loopback0
Router-RP1(config-if)# ip address 10.4.4.4 255.255.255.255
Router-RP1(config-if)# exit
Router-RP1(config)# interface Loopback1
Router-RP1(config-if)# ip address 192.168.99.1 255.255.255.255
Router-RP1(config-if)# ip pim sparse-dense-mode
Router-RP1(config-if)# exit
Router-RP1(config)# ip pim send-rp-announce Loopback1 scope 16 group-list 22
Router-RP1(config)# ip pim send-rp-discovery Loopback1 scope 16
Router-RP1(config)# ip msdp peer 10.5.5.5 connect-source Loopback0
Router-RP1(config)# access-list 22 permit 239.0.0.0 0.255.255.255
Router-RP1(config)# end
Router-RP1#
Second RP:
Router-RP2# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router-RP2(config)# ip multicast-routing
Router-RP2(config)# interface Loopback0
Router-RP2(config-if)# ip address 10.5.5.5 255.255.255.255
Router-RP2(config-if)# exit
Router-RP2(config)# interface Loopback1
Router-RP2(config-if)# ip address 192.168.99.1 255.255.255.255
Router-RP2(config-if)# ip pim sparse-dense-mode
Router-RP2(config-if)# exit
Router-RP2(config)# ip pim send-rp-announce Loopback1 scope 16 group-list 22
Router-RP2(config)# ip pim send-rp-discovery Loopback1 scope 16
Router-RP2(config)# ip msdp peer 10.4.4.4 connect-source Loopback0
Router-RP2(config)# access-list 22 permit 239.0.0.0 0.255.255.255
Router-RP2(config)# end
Router-RP2#
Discussion: A weakness of PIM-SM is that a group has exactly one RP, so the RP is a single point of failure. With Anycast RP, every RP advertises the same address (192.168.99.1 on Loopback1 here) into the unicast routing protocol, so each router joins towards whichever RP is closest, and if one RP fails the routing protocol converges on the other. Because each RP only sees the sources that registered with it, the RPs are peered with MSDP over their unique Loopback0 addresses so that source information is shared between them. The original access-list 22 lines had an extra octet in the wildcard mask; the correct form is 0.255.255.255.
23.19. Converting broadcasts to multicast
Problem: Carry a broadcast-based application across the network as multicast.
Solution:
First-hop router:
Router1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# ip multicast-routing
Router1(config)# access-list 115 permit udp any any eq 3535
Router1(config)# access-list 115 deny udp any any
Router1(config)# interface FastEthernet0/0
Router1(config-if)# ip directed-broadcast
Router1(config-if)# ip multicast helper-map broadcast 239.3.5.35 115
Router1(config-if)# ip pim sparse-dense-mode
Router1(config-if)# exit
Router1(config)# ip forward-protocol udp 3535
Router1(config)# end
Router1#
Last-hop router:
Router2# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)# ip multicast-routing
Router2(config)# access-list 115 permit udp any any eq 3535
Router2(config)# access-list 115 deny udp any any
Router2(config)# interface Ethernet0
Router2(config-if)# ip address 192.168.9.1 255.255.255.0
Router2(config-if)# ip directed-broadcast
Router2(config-if)# ip multicast helper-map 239.3.5.35 192.168.9.255 115
Router2(config-if)# ip pim sparse-dense-mode
Router2(config-if)# ip igmp join-group 239.3.5.35
Router2(config-if)# exit
Router2(config)# ip forward-protocol udp 3535
Router2(config)# end
Router2#
Discussion: The IP multicast helper feature converts the broadcasts to UDP port 3535 into multicast group 239.3.5.35 on the first hop and back into a directed broadcast to 192.168.9.255 on the last hop; ip forward-protocol udp 3535 is what makes the router handle that port at all. The original listing used an invalid extended access-list syntax and placed ip pim and ip igmp join-group in global configuration; both are interface commands, and the lines above are corrected accordingly. The conversion is process-switched and therefore CPU intensive, so treat it as a stop-gap until the application is changed to use multicast natively. ip directed-broadcast is disabled by default because of its use in amplification attacks; it accepts an access-list argument, so restrict it to the application's traffic rather than leaving it open on the segment.
23.20. Displaying multicast status
Problem: Show multicast status information.
Solution:
Router# show ip mroute
Router# show ip mroute count
Router# show ip mroute active
Router# show ip igmp groups
Router# show ip igmp interface
Router# show ip pim neighbor
Router# show ip pim interface
Router# show ip pim rp
Router# show ip msdp count
Router# show ip msdp peer 192.168.201.15
Router# show ip msdp summary
Router# show ip rpf 192.168.3.2
Router# mstat 192.168.3.2 239.5.5.55
Discussion: show ip rpf is the first thing to check when a group is not flowing, since most multicast failures are RPF failures: it shows which interface the router expects traffic from the given source to arrive on, and why. show ip pim neighbor lists the PIM adjacencies on each interface and should be compared against the devices that are supposed to be there, as an unexpected neighbor can inject joins and prunes (see recipe 23.4).
23.21. Debugging multicast routing
Problem: Troubleshoot multicast routing.
Solution:
Router# debug ip mrouting
Router# debug ip mpacket 239.5.5.55
Router# debug ip igmp