Cisco howto
Revision as of 22 January 2016, 11:40 by Thomas (→IPSEC site-to-site VPN)
Unprivileged mode (user EXEC)
Listing the available commands
cisco2600>?
Exec commands:
  clear        Reset functions
  disable      Turn off privileged commands
  disconnect   Disconnect an existing network connection
  enable       Turn on privileged commands
  exit         Exit from the EXEC
Listing the subcommands of show
cisco2600>show ?
  backup        Backup status
  c2600         Show c2600 information
  cca           CCA information
  cdapi         CDAPI information
  cef           Cisco Express Forwarding
  class-map     Show QoS Class Map
  clock         Display the system clock
  compress      Show compression statistics
  connection    Show Connection
Showing the IOS version
cisco2600>show version
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-D-M), Version 12.0(7)T3, RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Fri 04-Jul-03 05:02 by dchih
Image text-base: 0x80008088, data-base: 0x808D2AD0

ROM: System Bootstrap, Version 12.2(6r), RELEASE SOFTWARE (fc1)

cisco2600 uptime is 24 minutes
System returned to ROM by power-on
System image file is "flash:c2600-d-mz.120-7.T3.bin"

cisco 2610 (MPC860) processor (revision 0x00) with 26624K/6144K bytes of memory.
Processor board ID JAD062603WX (2830545266)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
1 Ethernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
32K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)
Enable mode (privileged EXEC)
Switching to enable mode
cisco2600>enable
Password: (typed blind, nothing is echoed)
cisco2600#
Backing up and restoring the configuration
Backing up the old configuration (note that the command shown copies the IOS image from flash to a TFTP server; for the configuration itself, use running-config or startup-config as the source)
cisco2600#copy flash:c2600-d-mz.120-7.T3.bin tftp:
Address or name of remote host []? 192.168.240.1
Destination filename [c2600-d-mz.120-7.T3.bin]? cisco2600/c2600-flash
(a subdirectory on the TFTP server with read and write permissions)
Restoring the old configuration
cisco2600#copy tftp: running-config
Address or name of remote host []? 192.168.240.1
Source filename []? cisco2600/c2600-flash
Destination filename [running-config]?
Configuration mode
Switching to configuration mode
cisco2600#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
cisco2600(config)#
Basic configuration
Setting the hostname
cisco2600#configure terminal
cisco2600(config)#hostname unkerich
unkerich(config)#exit
unkerich#
Setting the domain name
unkerich#configure terminal
unkerich(config)#ip domain-name schluries.int
unkerich(config)#exit
unkerich#
Setting the interface parameters (100basetx, 100basefull)
unkerich#configure terminal
unkerich(config)#interface ethernet 0/0
unkerich(config-if)#ip address 192.168.250.97 255.255.240.0
unkerich(config-if)#interface ethernet 1/0
unkerich(config-if)#ip address 172.22.2.1 255.255.255.0
unkerich(config-if)#exit
Enabling the interfaces
unkerich#configure terminal
unkerich(config)#interface ethernet 0/0
unkerich(config-if)#no shutdown
unkerich(config-if)#interface ethernet 1/0
unkerich(config-if)#no shutdown
unkerich(config-if)#exit
unkerich(config)#
Showing the status of an interface
unkerich#show interfaces ethernet 1/0
Ethernet1/0 is up, line protocol is up
Hardware is AmdP2, address is 000a.4142.abd0 (bia 000a.4142.abd0)
Internet address is 172.22.2.1/24
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output 00:00:09, output hang never
Last clearing of "show interface" counters never
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 0/75, 0 drops
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 input packets with dribble condition detected
19 packets output, 2766 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
unkerich#
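Parsing this output by hand is error-prone when polling several routers; the script below is an added example (not from the original howto) that extracts the link state, addresses and error counters from text in the shape of the show interfaces output above and flags what an operator would want to see. The sample text is constructed for the example.

```python
import re

# Constructed sample in the shape of the "show interfaces ethernet 1/0" output above
# (not captured from a real device).
SAMPLE_SHOW_INTERFACES = """\
Ethernet1/0 is up, line protocol is up
  Hardware is AmdP2, address is 000a.4142.abd0 (bia 000a.4142.abd0)
  Internet address is 172.22.2.1/24
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
     0 packets input, 0 bytes, 0 no buffer
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     19 packets output, 2766 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
"""
COUNTERS = ["packets input", "packets output", "input errors", "CRC",
            "output errors", "collisions", "interface resets"]

def parse_show_interfaces(text):
    # Pull link state, addresses and the error counters out of one interface's output.
    info = {}
    m = re.search(r"^(\S+) is (.+?), line protocol is (\S+)", text, re.M)
    info["name"], info["admin"], info["protocol"] = m.groups()  # admin may be "administratively down"
    m = re.search(r"Hardware is .*?, address is ([0-9a-f.]+)", text)
    info["mac"] = m.group(1) if m else None
    m = re.search(r"Internet address is (\S+)", text)
    info["ip"] = m.group(1) if m else None  # absent on ports without an IP address
    for c in COUNTERS:
        m = re.search(r"(\d+) " + re.escape(c) + r"\b", text)
        info[c] = int(m.group(1)) if m else None
    return info

def interface_findings(info):
    # Conditions an operator would want flagged when polling interfaces.
    findings = []
    if info["admin"] != "up" or info["protocol"] != "up":
        findings.append(f"{info['name']}: {info['admin']} / line protocol {info['protocol']}")
    if info["input errors"] or info["CRC"]:
        findings.append(f"{info['name']}: input/CRC errors, check cabling and duplex")
    if info["interface resets"]:
        findings.append(f"{info['name']}: {info['interface resets']} interface reset(s)")
    return findings
```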
Setting static routes (always set the last value, the administrative distance, to 1)
unkerich(config)#ip route 0.0.0.0 0.0.0.0 192.168.240.100 1
Miscellaneous IP commands
Setting the domain name
unkerich(config)#ip domain-name alpha.quadrant
Setting the name server
unkerich(config)#ip name-server 192.168.240.21
Assigning an IP address to a hostname
unkerich(config)#ip host my-laptop 192.168.250.2
Allowing the use of classless networks
unkerich(config)#ip classless
Allowing the classless subnet with number 0 (subnet zero)
unkerich(config)#ip subnet-zero
Setting the Telnet password
unkerich#configure terminal
unkerich(config)#line vty 0 4
unkerich(config-line)#password suxer
unkerich(config-line)#exit
unkerich(config)#exit
unkerich#
Setting the enable password
If no enable password has been set yet, assign one with
enable password (stored unencrypted)
or
enable secret (stored encrypted, as a hash)
Setting up an SSH server
Enabling AAA
unkerich(config)#aaa new-model
Generating the RSA key, which starts the SSH server
unkerich#configure terminal
unkerich(config)#crypto key generate rsa
The name for the keys will be: unkerich.schluries.int
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
unkerich(config)#
*Mar 1 01:22:47.054: %SSH-5-ENABLED: SSH 1.99 has been enabled
unkerich(config)#exit
unkerich#
Setting the SSH timeout
unkerich(config)#ip ssh time-out 120
Creating a user
unkerich(config)#username admin password oimel
Deleting the RSA key
unkerich(config)#crypto key zeroize rsa
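The Telnet, enable-password and SSH sections above show a shared vty password, a reversible enable password, a user created with password rather than secret, and SSH enabled without restricting the vty lines to it. The script below is an added example (not part of the original howto) that audits a saved running-config for exactly those points; both sample configs are constructed, and REPLACE-ME is a placeholder to be set on the device.

```python
import re

# Constructed sample configs modelled on this howto's commands (not from a real device).
WEAK_CONFIG = """\
enable password suxer
username admin password oimel
line vty 0 4
 password suxer
 login
 transport input telnet ssh
"""
# Hardened counterpart; REPLACE-ME is a placeholder, set real secrets on the device.
HARDENED_CONFIG = """\
enable secret REPLACE-ME
username admin secret REPLACE-ME
line vty 0 4
 login local
 transport input ssh
"""

def parse_sections(config):
    # Split an IOS config into top-level lines and their indented sub-blocks.
    top, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            blocks[current] = []
    return top, blocks

def audit_config(config):
    # Return one finding per remote-access weakness in the config text.
    top, blocks = parse_sections(config)
    findings = []
    if any(l.startswith("enable password ") for l in top):
        findings.append("'enable password' is stored reversibly; use 'enable secret'")
    for l in top:
        m = re.match(r"username (\S+) password ", l)
        if m:
            findings.append(f"user {m.group(1)}: reversible 'password'; use 'username ... secret'")
    for name, body in blocks.items():
        if not name.startswith("line vty"):
            continue
        ti = [b for b in body if b.startswith("transport input")]
        if not ti or ti[-1].split()[2:] != ["ssh"]:  # default or mixed transports admit Telnet
            findings.append(f"{name}: Telnet accepted; set 'transport input ssh'")
    return findings
```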
Misc
Writing the configuration to NVRAM (write memory; a warm restart, as the original heading called it, is the reload command instead)
unkerich#write memory
Building configuration...
[OK]
unkerich#
Setting the time
unkerich#clock set 14:11:40 18 MAY 2009
Setting the default summer time (daylight saving) rule
unkerich(config)#clock summer-time MEST recurring last Sunday March 2:00 last Sunday October 3:00 60
Setting the time zone
unkerich(config)#clock timezone MEZ 1
Showing the time (detailed)
unkerich#show clock detail
16:20:41.014 MEST Mon May 18 2009
Time source is user configuration
Summer time starts 02:00:00 MET Sun Mar 29 2009
Summer time ends 03:00:00 MEST Sun Oct 25 2009
Setting the NTP server
unkerich(config)#ntp server 195.145.119.188 source ethernet 0/0
Access lists
NAT
Logging
IPSEC site-to-site VPN
Diagnostics
Ping, simple
unkerich#ping arilon
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.240.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Ping, extended
unkerich#ping
Protocol [ip]:
Target IP address: 192.168.240.100
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.22.2.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.240.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/8 ms
Traceroute
unkerich#traceroute www.1fck.de
Translating "www.1fck.de"...domain server (192.168.240.21) [OK]
Type escape sequence to abort.
Tracing the route to www.1fck.de (78.46.48.17)
  1 zonk.alpha.quadrant (192.168.254.17) 0 msec 0 msec 4 msec
  2 83-169-166-158-isp.superkabel.de (83.169.166.158) 8 msec 4 msec 8 msec
  3 83-169-176-158-isp.superkabel.de (83.169.176.158) 12 msec 12 msec 16 msec
  4 83-169-183-102-isp.superkabel.de (83.169.183.102) 16 msec 12 msec 12 msec
  5 83-169-128-86-isp.superkabel.de (83.169.128.86) 12 msec 16 msec 17 msec
  6 83-169-128-89-isp.superkabel.de (83.169.128.89) 16 msec 12 msec 12 msec
  7 decix-gw.hetzner.de (80.81.192.164) 16 msec 16 msec 20 msec
  8 hos-bb1.juniper1.rz8.hetzner.de (213.239.240.240) 20 msec 20 msec 20 msec
  9 gi.4.1.rs3k7.rz8.hetzner.de (213.239.242.41) 20 msec 16 msec 16 msec
 10 www.1fck.de (78.46.48.17) 16 msec 16 msec 16 msec
Debugging
ICMP
unkerich#debug ip icmp
ICMP packet debugging is on
unkerich#terminal monitor
unkerich#
6d02h: ICMP: echo reply sent, src 172.22.2.1, dst 172.22.2.2
6d02h: ICMP: echo reply sent, src 172.22.2.1, dst 172.22.2.2
6d02h: ICMP: echo reply sent, src 172.22.2.1, dst 172.22.2.2
6d02h: ICMP: echo reply sent, src 172.22.2.1, dst 172.22.2.2
6d02h: ICMP: echo reply sent, src 172.22.2.1, dst 172.22.2.2
6d02h: ICMP: echo reply sent, src 172.22.2.1, dst 172.22.2.2
6d02h: ICMP: echo reply sent, src 172.22.2.1, dst 172.22.2.2
6d02h: ICMP: echo reply sent, src 172.22.2.1, dst 172.22.2.2
unkerich#no debug all
Dialer
unkerich#debug dialer packets
Dial on demand packets debugging is on
Misc
Enabling the web server
unkerich#configure terminal
unkerich(config)#ip http server
unkerich(config)#exit
unkerich#
Setting up DHCP
Cisco 1800 PPPoE (only for the 1811/12?)
Configuring the Virtual Private Dialup Network group number
Enabling VPDN
Router(config)# vpdn enable
Creates a VPDN group and associates it with a user-defined or VPDN profile
Router(config)# vpdn-group 1
Creates a request-dialin subgroup, which specifies the dial direction and initiates the tunnel
Router(config-vpdn)# request-dialin
Specifies the IP address to which requests are tunnelled
Router(config-vpdn-req-in)# initiate-to ip 192.168.1.1
Specifies the type of session the subgroup can establish
Router(config-vpdn-req-in)# protocol pppoe
Configuring the Fast Ethernet WAN interface
WAN interface
Router(config)#interface fastethernet 0
Configures the PPPoE client
Router(config-if)# pppoe-client dial-pool-number 1
Enables the interface
Router(config-if)# no shutdown
Configuring the dialer interface
Creates the dialer interface
Router(config)# interface dialer 0
Router(config-if)# ip address negotiated
Router(config-if)# ip mtu 1492
Router(config-if)# encapsulation ppp
Router(config-if)# ppp authentication chap
Router(config-if)# dialer pool 1
Router(config-if)# dialer-group 1
Router(config-if)# exit
Router(config)# dialer-list 1 protocol ip permit
! ip route takes a network address and a subnet mask; the original line read
! "ip route 10.10.25.2 0.255.255.255 dialer 0", i.e. a host address with a wildcard mask
Router(config)# ip route 10.0.0.0 255.0.0.0 dialer 0
Configuring NAT
! netmask must be a subnet mask (the original line had the wildcard 0.0.0.255);
! the start and end address of the pool must also lie in one subnet of that mask
Router(config)# ip nat pool pool1 192.168.1.0 192.168.2.0 netmask 255.255.255.0
Router(config)# ip nat inside source list 1 interface dialer 0 overload
or
Router(config)# ip nat inside source list acl1 pool pool1
Router(config)# interface vlan 1
Router(config-if)# ip nat inside
Router(config-if)# no shutdown
Router(config-if)# exit
Router(config)# interface fastethernet 0
Router(config-if)# ip nat outside
Router(config-if)# no shutdown
Router(config-if)# exit
Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255