Cisco howto: Difference between revisions

From Xinux Wiki

(25 intermediate revisions by another user not shown)
Line 1: Line 1:
==Unprivileged Mode==

===Showing the available commands===

 cisco2600>?
 Exec commands:
   clear            Reset functions
   disable          Turn off privileged commands
   disconnect       Disconnect an existing network connection
   enable           Turn on privileged commands
   exit             Exit from the EXEC

(New revision, added lines: the page body is replaced by links to subpages)
+ =Cisco Router Basics=
+ *[[Cisco Router Grundlagen]]
+ =Setting up an SSH Server=
+ *[[CISCO SSH Server]]
+ =Access Lists=
+ *[[CISCO Accesslisten]]
+ =NAT=
+ *[[CISCO NAT]]
+ =Logging=
+ *[[CISCO Logging]]
+ =IPSEC Site to Site VPN=
 
 
===Showing the subcommands of show===

 cisco2600>show ?
   backup         Backup status
   c2600          Show c2600 information
   cca            CCA information
   cdapi          CDAPI information
   cef            Cisco Express Forwarding
   class-map      Show QoS Class Map
   clock          Display the system clock
   compress       Show compression statistics
   connection     Show Connection
 
===Showing the version===

 cisco2600>show version
 Cisco Internetwork Operating System Software
 IOS (tm) C2600 Software (C2600-D-M), Version 12.0(7)T3,  RELEASE SOFTWARE (fc1)
 TAC Support: http://www.cisco.com/tac
 Copyright (c) 1986-2003 by cisco Systems, Inc.
 Compiled Fri 04-Jul-03 05:02 by dchih
 Image text-base: 0x80008088, data-base: 0x808D2AD0
 
 ROM: System Bootstrap, Version 12.2(6r),  RELEASE SOFTWARE (fc1)
 
 cisco2600 uptime is 24 minutes
 System returned to ROM by power-on
 System image file is "flash:c2600-d-mz.120-7.T3.bin"
 
 cisco 2610 (MPC860) processor (revision 0x00) with 26624K/6144K bytes of memory.
 Processor board ID JAD062603WX (2830545266)
 M860 processor: part number 0, mask 49
 Bridging software.
 X.25 software, Version 3.0.0.
 1 Ethernet/IEEE 802.3 interface(s)
 1 Serial network interface(s)
 32K bytes of non-volatile configuration memory.
 8192K bytes of processor board System flash (Read/Write)
 
==Enable Mode==

===Switching to enable mode===

 cisco2600>enable
 Password: (typed blind, the password is not echoed)
 cisco2600#
 
==Backing up and restoring the configuration==

===Backing up the old configuration===

 cisco2600# copy flash:c2600-d-mz.120-7.T3.bin tftp:
 Address or name of remote host []? 192.168.240.1
 Destination filename [c2600-d-mz.120-7.T3.bin]? cisco2600/c2600-flash (subdirectory with read and write permissions)

Note that this command copies the IOS image from flash, not the configuration; the running configuration itself is saved with copy running-config tftp:.

===Restoring the old configuration===

 cisco2600# copy tftp: running-config
 Address or name of remote host []? 192.168.240.1
 Source filename []? cisco2600/c2600-flash
 Destination filename [running-config]?
 
 
 
==Configuration Mode==

===Switching to configuration mode===

 cisco2600#configure terminal
 Enter configuration commands, one per line.  End with CNTL/Z.
 cisco2600(config)#
 
==Basic Configuration==

===Setting the hostname===

 cisco2600#configure terminal
 cisco2600(config)#hostname unkerich
 unkerich(config)#exit
 unkerich#

===Setting the domain name===

 unkerich#configure terminal
 unkerich(config)#ip domain-name schluries.int
 unkerich(config)#exit
 unkerich#
 
===Setting the interface parameters (100basetx, 100basefull)===

 unkerich#configure terminal
 unkerich(config)#interface ethernet 0/0
 unkerich(config-if)#ip address 192.168.250.97 255.255.240.0
 unkerich(config-if)#interface ethernet 1/0
 unkerich(config-if)#ip address 172.22.2.1 255.255.255.0
 unkerich(config-if)#exit

===Activating the interfaces===

 unkerich#configure terminal
 unkerich(config)#interface ethernet 0/0
 unkerich(config-if)#no shutdown
 unkerich(config-if)#interface ethernet 1/0
 unkerich(config-if)#no shutdown
 unkerich(config-if)#exit
 unkerich(config)#
 
===Showing the status of an interface===

 unkerich#show interfaces ethernet 1/0
 Ethernet1/0 is up, line protocol is up
   Hardware is AmdP2, address is 000a.4142.abd0 (bia 000a.4142.abd0)
   Internet address is 172.22.2.1/24
   MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
       reliability 255/255, txload 1/255, rxload 1/255
   Encapsulation ARPA, loopback not set
   Keepalive set (10 sec)
   ARP type: ARPA, ARP Timeout 04:00:00
   Last input never, output 00:00:09, output hang never
   Last clearing of "show interface" counters never
   Queueing strategy: fifo
   Output queue 0/40, 0 drops; input queue 0/75, 0 drops
   5 minute input rate 0 bits/sec, 0 packets/sec
   5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
     19 packets output, 2766 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
 unkerich#
 
===Setting static routes (the trailing value is the administrative distance; always set it to 1)===

 unkerich(config)#ip route 0.0.0.0 0.0.0.0 192.168.240.100 1
 
==Miscellaneous IP commands==

===Setting the domain name===

 unkerich(config)#ip domain-name alpha.quadrant

===Setting the name server===

 unkerich(config)#ip name-server 192.168.240.21

===Assigning an IP address to a hostname===

 unkerich(config)#ip host my-laptop 192.168.250.2

===Allowing the use of classless networks===

 unkerich(config)#ip classless

===Allowing the classless subnet number 0===

 unkerich(config)#ip subnet-zero
 
===Setting the Telnet password===

 unkerich#configure terminal
 unkerich(config)#line vty 0 4
 unkerich(config-line)#password suxer
 unkerich(config-line)#exit
 unkerich(config)#exit
 unkerich#
 
===Setting the enable password===

If no enable password has been set yet, assign one with

 enable password (stored unencrypted)

or

 enable secret (stored encrypted as a hash; prefer this form)
==Setting up an SSH Server==

===Enabling AAA===

 aaa new-model

===Generating and starting the RSA key===

 unkerich#configure terminal
 unkerich(config)#crypto key generate rsa
 The name for the keys will be: unkerich.schluries.int
 Choose the size of the key modulus in the range of 360 to 2048 for your
 General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
 
 How many bits in the modulus [512]: ''1024''
   % Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
 
 unkerich(config)#
 *Mar  1 01:22:47.054: %SSH-5-ENABLED: SSH 1.99 has been enabled
 unkerich(config)#exit
 unkerich#

"SSH 1.99" in the log message means the server accepts clients of both SSH protocol version 1 and version 2.

===Setting the SSH timeout===

 unkerich(config)#ip ssh time-out 120

===Creating a user===

 unkerich(config)#username admin password oimel

===Deleting the RSA key===

 unkerich(config)#crypto key zeroize rsa
==Misc==

===System warm start===

 unkerich#write memory
 Building configuration...
 [OK]
 unkerich#

Note that write memory only saves the running configuration to NVRAM; it does not restart the router (that is done with the reload command).
 
===Setting the time===

 unkerich#clock set 14:11:40 18 MAY 2009

===Setting the default summer time===

 unkerich(config)#clock summer-time MEST recurring last Sunday March 2:00 last Sunday October 3:00 60

===Setting the time zone===

 unkerich(config)#clock timezone MEZ 1

===Showing the time (detailed)===

 unkerich#show clock detail
 16:20:41.014 MEST Mon May 18 2009
 Time source is user configuration
 Summer time starts 02:00:00 MET Sun Mar 29 2009
 Summer time ends 03:00:00 MEST Sun Oct 25 2009
 
 
===Setting the NTP server===

 unkerich(config)#ntp server 195.145.119.188 source ethernet 0/0
 
==Access Lists==

'''Every access list ends with an implicit deny'''

===Standard lists, numbered 1 to 99===

'''Only the source address is checked'''

 unkerich#configure terminal
 unkerich(config)#access-list 1 permit 172.21.1.1
 unkerich(config)#access-list 1 deny  172.21.1.0 0.0.0.255
 unkerich(config)#exit
 unkerich#

===Extended lists, numbered 100 to 199===

 unkerich#configure terminal
 unkerich(config)#access-list 100 permit tcp any host 192.168.240.100 eq www
 unkerich(config)#access-list 100 permit tcp any 192.168.240.0  0.0.16.255 eq 22
 unkerich(config)#exit
 unkerich#

===Named standard access lists===

 unkerich#configure terminal
 unkerich(config)#ip access-list standard sorry-acl
 unkerich(config-std-nacl)#permit 192.168.24.1
 unkerich(config-std-nacl)#deny 192.168.24.0 0.0.0.255
 unkerich(config-std-nacl)#exit
 unkerich(config)#exit
 unkerich#

===Named extended access lists===

 unkerich#configure terminal
 unkerich(config)#ip access-list extended schade-acl
 unkerich(config-ext-nacl)#permit tcp any host 192.168.240.21 eq 53
 unkerich(config-ext-nacl)#permit udp any host 192.168.240.21 eq 53
 unkerich(config-ext-nacl)#exit
 unkerich(config)#exit
 unkerich#
 
===Applying the access lists===

 unkerich#configure terminal
 unkerich(config)#interface ethernet 1/0   (example interface; pick the one the list should filter)
 unkerich(config-if)#ip access-group 1 out
 unkerich(config-if)#ip access-group 100 out
 unkerich(config-if)#ip access-group sorry-acl out
 unkerich(config-if)#ip access-group schade-acl out
 unkerich(config-if)#exit
 unkerich(config)#

Only one access list can be bound per interface and direction, so each ip access-group ... out above replaces the one before it; in practice you apply just one of them.
 
===Showing the access lists===

 unkerich#show ip access-lists
 Standard IP access list 1
     permit 172.21.1.1
     deny  172.21.1.0, wildcard bits 0.0.0.255
 Standard IP access list sorry-acl
     permit 192.168.24.1
     deny  192.168.24.0, wildcard bits 0.0.0.255
 Extended IP access list 100
     permit tcp any host 192.168.240.100 eq www
     permit tcp any 192.168.224.0 0.0.16.255 eq 22
 Extended IP access list schade-acl
     permit tcp any host 192.168.240.21 eq domain
     permit udp any host 192.168.240.21 eq domain

 unkerich#show access-lists
   Standard IP access list 1
       permit 172.21.1.1
       deny  172.21.1.0, wildcard bits 0.0.0.255
   Standard IP access list sorry-acl
       permit 192.168.24.1
       deny  192.168.24.0, wildcard bits 0.0.0.255
   Extended IP access list 100
       permit tcp any host 192.168.240.100 eq www
       permit tcp any 192.168.224.0 0.0.16.255 eq 22
   Extended IP access list schade-acl
       permit tcp any host 192.168.240.21 eq domain
       permit udp any host 192.168.240.21 eq domain
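As an added example (not from the wiki page), the Python below models how IOS evaluates the lists configured above: first match wins, anything unmatched hits the implicit deny, and the wildcard-mask comparison explains why the second entry of list 100, entered as 192.168.240.0 0.0.16.255, is shown by IOS as 192.168.224.0 0.0.16.255. The packets are constructed sample input.

```python
# Added example, not part of the wiki page: a model of Cisco IOS access-list
# evaluation using the lists from this page and constructed sample packets.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # 'any': every bit is a don't-care bit


def host(addr: str) -> Tuple[str, str]:
    """'host X' is X with wildcard 0.0.0.0, i.e. every bit must match."""
    return (addr, "0.0.0.0")


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bits set to 1 are ignored; only the 0 bits are compared."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


def normalize(base: str, wildcard: str) -> str:
    """IOS stores an entry with its don't-care bits cleared, which is why
    '192.168.240.0 0.0.16.255' is listed back as '192.168.224.0 0.0.16.255'."""
    return str(ipaddress.IPv4Address(_ip(base) & ~_ip(wildcard) & 0xFFFFFFFF))


@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    proto: str = "ip"                # "ip" matches every protocol (standard lists)
    src: Tuple[str, str] = ANY
    dst: Tuple[str, str] = ANY       # standard lists never look at this
    dport: Optional[int] = None      # None: any destination port


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """The first matching entry decides; no match means the implicit deny."""
    for e in acl:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (wildcard_match(pkt.src, *e.src) and wildcard_match(pkt.dst, *e.dst)):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action
    return "deny"   # implicit deny at the end of every access list


# The numbered lists from this page (www = tcp/80).
ACL_1 = [Entry("permit", src=host("172.21.1.1")),
         Entry("deny", src=("172.21.1.0", "0.0.0.255"))]
ACL_100 = [Entry("permit", "tcp", ANY, host("192.168.240.100"), 80),
           Entry("permit", "tcp", ANY, ("192.168.240.0", "0.0.16.255"), 22)]
```

With wildcard 0.0.16.255 only bit 4 of the third octet is ignored, so list 100 permits SSH to 192.168.224.x and 192.168.240.x but not to 192.168.225.x; a /20 would need 0.0.15.255.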
 
 
 
==NAT==

===Defining the NAT inside and outside interfaces===

 unkerich#configure terminal
 unkerich(config)#interface ethernet 0/0
 unkerich(config-if)#ip nat outside
 unkerich(config-if)#exit
 unkerich(config)#interface ethernet 1/0
 unkerich(config-if)#ip nat inside
 unkerich(config-if)#exit
 unkerich(config)#exit
 unkerich#

===Defining the NAT pool (here the outside IP is overloaded)===

 unkerich#configure terminal
 unkerich(config)#ip nat pool unkerich-pool 192.168.249.62 192.168.249.62 prefix-length 24
 unkerich(config)#exit
 unkerich#

===Assigning the NAT ACL to the NAT pool===

 unkerich#configure terminal
 unkerich(config)#ip nat inside source list 130 pool unkerich-pool overload
 unkerich(config)#exit
 unkerich#

===Defining the NAT pool and assigning the NAT ACL via the outside interface (alternative)===

 unkerich#configure terminal
 unkerich(config)#ip nat inside source list 130 interface Ethernet0/0 overload
 unkerich(config)#exit
 unkerich#

===Defining the NAT ACL===

 unkerich#configure terminal
 unkerich(config)#access-list 7 permit 172.22.2.0 0.0.0.255
 unkerich(config)#exit
 unkerich#

The list number in ip nat inside source list must match the access list that selects the inside addresses; above, the source commands refer to list 130 while the access list is created as number 7, so one of the two numbers has to be adjusted.

===Showing active NAT translations===

 unkerich#show ip nat translations
 Pro Inside global        Inside local          Outside local        Outside global
 tcp 192.168.250.97:35798  172.22.2.2:35798      192.168.250.1:22      192.168.250.1:22
 tcp 192.168.250.97:48960  172.22.2.2:48960      192.168.250.1:22      192.168.250.1:22
 tcp 192.168.250.97:48961  172.22.2.2:48961      192.168.250.1:22      192.168.250.1:22
 tcp 192.168.250.97:48962  172.22.2.2:48962      192.168.250.1:22      192.168.250.1:22
 tcp 192.168.250.97:48963  172.22.2.2:48963      192.168.250.1:22      192.168.250.1:22
 tcp 192.168.250.97:48964  172.22.2.2:48964      192.168.250.1:22      192.168.250.1:22

===Clearing active NAT translations===

 unkerich#clear ip nat translations *

===Static inside NAT (port forwarding)===

 unkerich#configure terminal
 unkerich(config)#ip nat inside source static tcp 172.22.2.2 22 192.168.250.97 22 extendable
 unkerich(config)#exit
 unkerich#
 
==IPSEC Site to Site VPN==

*[[CISCO IPSEC Site to Site VPN]]

(New revision, added lines)
+ *[[CISCO IPSEC Site to Site VPN]]
+ =Cisco Configuration Professional=
+ *[[Cisco Configuration Professional]]
+ =Diagnostics=
+ *[[Cisco Router Diagnose]]
+ =Setting up DHCP=
+ *[[Cisco DHCP SERVER]]
+ =Cisco 1800 pppoe (only for 1811/12?)=
+ *[[Cisco Router PPPOE]]
+ =Hot Standby Router Protocol (HSRP)=
+ *[[Hot Standby Router Protocol (HSRP)]]
+ =Policy-Based Routing=
+ *[[Cisco Policy-Based Routing]]
+ =Misc=
+ *[[Cisco Router Misc]]
+ =Debug=
+ *[[Cisco Debug]]
+ =OSPF=
+ *[[Cisco OSPF]]

==Diagnostics==

===Simple ping===

 unkerich#ping arilon
 Type escape sequence to abort.
 Sending 5, 100-byte ICMP Echos to 192.168.240.1, timeout is 2 seconds:
 !!!!!
 Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
 
 
===Extended ping===

 unkerich#ping
 Protocol [ip]:
 Target IP address: 192.168.240.100
 Repeat count [5]:
 Datagram size [100]:
 Timeout in seconds [2]:
 Extended commands [n]: y
 Source address or interface: 172.22.2.1
 Type of service [0]:
 Set DF bit in IP header? [no]:
 Validate reply data? [no]:
 Data pattern [0xABCD]:
 Loose, Strict, Record, Timestamp, Verbose[none]:
 Sweep range of sizes [n]:
 Type escape sequence to abort.
 Sending 5, 100-byte ICMP Echos to 192.168.240.100, timeout is 2 seconds:
 !!!!!
 Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/8 ms
 
===Traceroute===

 unkerich#traceroute www.1fck.de
 Translating "www.1fck.de"...domain server (192.168.240.21) [OK]
 
 Type escape sequence to abort.
 Tracing the route to www.1fck.de (78.46.48.17)
 
   1 zonk.alpha.quadrant (192.168.254.17) 0 msec 0 msec 4 msec
   2 83-169-166-158-isp.superkabel.de (83.169.166.158) 8 msec 4 msec 8 msec
   3 83-169-176-158-isp.superkabel.de (83.169.176.158) 12 msec 12 msec 16 msec
   4 83-169-183-102-isp.superkabel.de (83.169.183.102) 16 msec 12 msec 12 msec
   5 83-169-128-86-isp.superkabel.de (83.169.128.86) 12 msec 16 msec 17 msec
   6 83-169-128-89-isp.superkabel.de (83.169.128.89) 16 msec 12 msec 12 msec
   7 decix-gw.hetzner.de (80.81.192.164) 16 msec 16 msec 20 msec
   8 hos-bb1.juniper1.rz8.hetzner.de (213.239.240.240) 20 msec 20 msec 20 msec
   9 gi.4.1.rs3k7.rz8.hetzner.de (213.239.242.41) 20 msec 16 msec 16 msec
   10 www.1fck.de (78.46.48.17) 16 msec 16 msec 16 msec
 
==Debugging==

===ICMP===

 unkerich#debug ip icmp
 ICMP packet debugging is on
 unkerich#terminal monitor
 unkerich#
 6d02h: ICMP: echo reply sent, src 172.22.2.1, dst 172.22.2.2
 6d02h: ICMP: echo reply sent, src 172.22.2.1, dst 172.22.2.2
 6d02h: ICMP: echo reply sent, src 172.22.2.1, dst 172.22.2.2
 6d02h: ICMP: echo reply sent, src 172.22.2.1, dst 172.22.2.2
 6d02h: ICMP: echo reply sent, src 172.22.2.1, dst 172.22.2.2
 6d02h: ICMP: echo reply sent, src 172.22.2.1, dst 172.22.2.2
 6d02h: ICMP: echo reply sent, src 172.22.2.1, dst 172.22.2.2
 6d02h: ICMP: echo reply sent, src 172.22.2.1, dst 172.22.2.2
 unkerich# no debug all

===Dialer===

 unkerich#debug dialer packets
 Dial on demand packets debugging is on
 
==Misc==

===Activating the web server===

 unkerich#configure terminal
 unkerich(config)#ip http server
 unkerich(config)#exit
 unkerich#

This enables the plain-HTTP management interface; where a web interface is needed at all, ip http secure-server is the HTTPS variant.

===Setting up DHCP===

 unkerich#configure terminal
 unkerich(config)#ip dhcp excluded-address 172.22.2.1 172.22.2.10
 unkerich(config)#ip dhcp pool my-dhcppool
 unkerich(dhcp-config)#network 172.22.2.0 255.255.255.0
 unkerich(dhcp-config)#dns-server 192.168.240.21
 unkerich(dhcp-config)#default-router 172.22.2.1
 unkerich(dhcp-config)#exit
 unkerich(config)#exit
 unkerich#
 
==Cisco 1800 pppoe (only for 1811/12?)==

===Configuring the Virtual Private Dialup Network group number===

Enable VPDN:
 Router(config)# vpdn enable
Create a VPDN group and associate it with a user-defined or VPDN profile:
 Router(config)# vpdn-group 1
Create a request-dialin subgroup, which sets the dial direction and initiates the tunnel:
 Router(config-vpdn)# request-dialin
Specify the IP address to which requests are tunnelled:
 Router(config-vpdn-req-in)# initiate-to ip 192.168.1.1
Specify the kind of session the subgroup may establish:
 Router(config-vpdn-req-in)# protocol pppoe

===Configuring the Fast Ethernet WAN interface===

WAN interface:
 Router(config)#interface fastethernet 0
Configure the PPPoE client:
 Router(config-if)# pppoe-client dial-pool-number 1
Activate the interface:
 Router(config-if)# no shutdown

===Configuring the dialer interface===

Create the dialer interface:
 Router(config)# interface dialer 0
 Router(config-if)# ip address negotiated
 Router(config-if)# ip mtu 1492
 Router(config-if)# encapsulation ppp
 Router(config-if)# ppp authentication chap
 Router(config-if)# dialer pool 1
 Router(config-if)# dialer group 1
 Router(config-if)# exit
 Router(config)# dialer-list 1 protocol ip permit
 Router(config)# ip route 10.10.25.2 0.255.255.255 dialer 0

===Configuring NAT===

 Router(config)# ip nat pool pool1 192.168.1.0 192.168.2.0 netmask 0.0.0.255

 Router(config)# ip nat inside source list 1 interface dialer 0 overload

or

 Router(config)# ip nat inside source list acl1 pool pool1

 Router(config)# interface vlan 1
 Router(config-if)# ip nat inside
 Router(config-if)# no shutdown
 Router(config-if)# exit
 Router(config)#interface fastethernet 0
 Router(config-if)# ip nat outside
 Router(config-if)# no shutdown
 Router(config-if)# exit
 Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255
  
==Links==

[http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094498.shtml IPsec from Cisco Router to Cisco PIX VPN]

(New revision, added lines: the heading becomes a top-level section, the link is kept)
+ =Links=

Current revision as of 4 November 2021, 14:58