Router Configuration Basics and CSTNET


Router Configuration Basics and an Introduction to the CSTNET Network
陈江宁, Technical Department, China Science and Technology Network (CSTNET)

Contents
- Router configuration
  - Router fundamentals
  - Monitoring and troubleshooting
  - Basic testing methods
  - Accessing and backing up the device configuration
  - Router boot sequence and password recovery
  - Securing the Internet connection
- CSTNET
  - Structure of CSTNET
  - CSTNET network equipment
  - Domestic and international links
  - Network management

Router Fundamentals
Topics: ways to reach the configuration from outside, router modes, configuration modes and methods.

Configuration access paths
A router can be configured through several paths: the console port, the auxiliary port, the virtual terminals (vty 0-4) reached over the network, a network management station, or a TFTP server that supplies a configuration file.

Router modes
- User EXEC mode (prompt Router>): the default state after logging in; only a limited set of commands is available.
- Privileged EXEC mode (prompt Router#): full examine, configure and debug rights; entered with enable.
- Setup mode: an interactive dialog that builds a basic configuration; entered automatically by a router fresh from the factory or one whose startup-config has been erased, or manually with the setup command.
- Global configuration mode (prompt Router(config)#): entered from privileged EXEC with configure terminal.
- Other configuration modes (prompt Router(config-mode)#): entered from global configuration mode with the corresponding command.
- RXBOOT (ROM monitor) mode: entered by pressing Ctrl+Break within 60 seconds of power-on; used when the router cannot boot normally.
Mode transitions: user EXEC -> (enable) -> privileged EXEC -> (configure terminal) -> global configuration -> other configuration modes; exit steps back one level at a time.

Configuration mode prompts
  Interface      Router(config-if)#
  Subinterface   Router(config-subif)#
  Controller     Router(config-controller)#
  Map-list       Router(config-map-list)#
  Map-class      Router(config-map-class)#
  Line           Router(config-line)#
  Router         Router(config-router)#
  IPX-router     Router(config-ipx-router)#
  Route-map      Router(config-route-map)#

Basic router setup
1. Configure the hostname.
2. Set the passwords on the router.
3. Configure IP addresses on the interfaces.
4. Configure a routing protocol.
5. Configure the serial interface parameters.
6. Activate the interfaces and check network connectivity.
7. Create an IP host table.
8. Configure no ip domain-lookup.
9. Use CDP to see the network devices attached to the router.
10. Display the IP routing table and check connectivity; every other router in the network should answer ping.
11. Check the routing table and verify the protocol configuration with show ip protocols.
12. Diagnose the network with debug commands to capture routing-update information.
13. View the Cisco IOS version and router type with show version.
14. Save the router configuration.

Router identification
Router name:
  Router(config)# hostname Tokyo
  Tokyo#
Login banner:
  Tokyo(config)# banner motd C
  Welcome to router Tokyo
  Accounting Department
  3rd Floor
  C
Interface description:
  Tokyo(config)# interface e 0
  Tokyo(config-if)# description Engineering LAN, Bldg. 18

Passwords
Console password:
  Router(config)# line console 0
  Router(config-line)# exec-timeout 15 0
  Router(config-line)# login
  Router(config-line)# password cisco
Virtual terminal password:
  Router(config)# line vty 0 4
  Router(config-line)# login
  Router(config-line)# password cisco
Enable password:
  Router(config)# enable secret san-fran
Password encryption:
  Router(config)# service password-encryption
  (set passwords here)
  Router(config)# no service password-encryption
Note that service password-encryption only obscures line and enable passwords with the reversible type 7 encoding; enable secret stores a one-way hash and is the one to rely on.

Addresses and masks
Configure an IP address on an interface:
  Router(config-if)# ip address ip-address subnet-mask
Allow the all-zeros subnet and classless forwarding:
  Router(config)# ip subnet-zero
  Router(config)# ip classless

Static ARP entries
  Router(config)# arp ip-address hardware-address type [alias]
ARP encapsulation types: arpa (IEEE 802.3 Ethernet, the default); probe (the HP Probe protocol on IEEE 802.3 networks); snap (ARP packets conforming to RFC 1042, for FDDI and Token Ring).

DNS (host name to IP address resolution)
  Router(config)# ip name-server server-address1 [server-address2 ... server-address6]
  Router(config)# ip domain-name name
  Router(config)# ip domain-lookup

Boot system list
The system image can be loaded from flash, from a network server, or from ROM (on the Cisco 7500, from boot flash):
  Router(config)# boot system flash: rsp-IOS
  Router(config)# boot system flash slot0: rsp-IOS
  Router(config)# boot system flash slot1: rsp-IOS
  Router(config)# boot system ftp rsp-IOS 10.6.1.11
  Router(config)# boot system rom
  Router(config)# config-register 0x010F
  Router# write
  Router# reload

Static routes
Define a path to an IP destination network or subnet:
  Router(config)# ip route network mask {address | interface} [distance]
Example: Cisco A's serial link (its own address 172.16.2.2) sits on 172.16.2.0; network 172.16.1.0/24 hangs off Cisco B's Ethernet 0, and Cisco B's serial address is 172.16.2.1. On Cisco A:
  ip route 172.16.1.0 255.255.255.0 172.16.2.1

Changing the configuration
1. Make changes in the configuration modes.
2. Examine the result: Router# show running-config
3. Not the intended result? Modify the existing configuration:
  Router(config)# no ...
  Router# config mem
  Router# copy tftp running-config
  Router# erase startup-config
  Router# reload
4. Intended result? Save the changes to the backup and check the backup file:
  Router# copy running-config startup-config
  Router# copy running-config tftp
  Router# show startup-config

Monitoring and Troubleshooting

show version
  RouterA# show version
  Cisco Internetwork Operating System Software
  IOS (tm) 2500 Software (C2500-JS40-L), Version 11.2(5), RELEASE SOFTWARE (fc1)
  Copyright (c) 1986-1997 by cisco Systems, Inc.
  Compiled Tue 01-Apr-97 09:12 by ckralik
  Image text-base: 0x0303F9A8, data-base: 0x00001000
  ROM: System Bootstrap, Version 5.2(8a), RELEASE SOFTWARE
  ROM: 3000 Bootstrap Software (IGS-RXBOOT), Version 10.2(8a), RELEASE SOFTWARE (fc1)
  RouterA uptime is 1 day, 5 hours, 50 minutes
  System restarted by reload

  System image file is "flash:c2500-js40-l.112-5.bin", booted via flash
  --More--

show running-config and show startup-config
  Router# show running-config
  Building configuration...
  Current configuration:
  !
  version 11.2
  !
  --More--

  Router# show startup-config
  Using 1108 out of 130048 bytes
  !
  version 11.2
  !
  hostname router
  --More--
With Release 10.3 and earlier use write terminal instead of show running-config, and show config instead of show startup-config.

show interface serial
  Router# show interface serial 1
  Serial1 is up, line protocol is up
    Hardware is cxBus Serial
    Description: 56Kb Line San Jose - MP
    ...
The first half of the status line reports the physical layer (carrier detect), the second half the data-link layer (keepalives):
  Serial1 is up, line protocol is up                          operational
  Serial1 is up, line protocol is down                        connection problem (keepalives not being exchanged)
  Serial1 is down, line protocol is down                      interface problem (no carrier)
  Serial1 is administratively down, line protocol is down     disabled with shutdown
Clear the show interface counters with:
  Router# clear counters

Full output:
  Router# show interface serial 1
  Serial1 is up, line protocol is up
    Hardware is cxBus Serial
    Description: 56Kb Line San Jose - MP
    Internet address is 150.136.190.203, subnet mask is 255.255.255.0
    MTU 1500 bytes, BW 56 Kbit, DLY 20000 usec, rely 255/255, load 1/255
    Encapsulation HDLC, loopback not set, keepalive set (10 sec)
    Last input 0:00:07, output 0:00:00, output hang never
    Last clearing of "show interface" counters 2w4d
    Output queue 0/40, 0 drops; input queue 0/75, 0 drops
    Five minute input rate 0 bits/sec, 0 packets/sec
    Five minute output rate 0 bits/sec, 0 packets/sec
       16263 packets input, 1347238 bytes, 0 no buffer
       Received 13983 broadcasts, 0 runts, 0 giants
       2 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 2 abort
       0 input packets with dribble condition detected
       22146 packets output, 2383680 bytes, 0 underruns
       0 output errors, 0 collisions, 2 interface resets, 0 restarts
       1 carrier transitions

show ip route (list the IP routing table)
  Router# show ip route
  Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
         D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
         E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
         i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
  Gateway of last resort is not set
       144.253.0.0 is subnetted (mask is 255.255.255.0), 1 subnets
  C       144.253.100.0 is directly connected, Ethernet1
  R    133.3.0.0 (next hop not shown on the slide)
  R    153.50.0.0 [120/1] via 183.8.128.12, 00:00:09, Ethernet0
       183.8.0.0 is subnetted (mask is 255.255.255.128), 4 subnets
  R       183.8.0.128 [120/1] via 183.8.128.130, 00:00:17, Serial0
                      [120/1] via 183.8.64.130, 00:00:17, Serial1
  C       183.8.128.0 is directly connected, Ethernet0
  C       183.8.64.128 is directly connected, Serial1
  C       183.8.128.128 is directly connected, Serial0
  R    192.3.63.0 (rest of line not shown on the slide)

show ip protocols
  Router# show ip protocols
  Routing Protocol is "igrp 300"
    Sending updates every 90 seconds, next due in 55 seconds
    Invalid after 270 seconds, hold down 280, flushed after 630
    Outgoing update filter list for all interfaces is not set
    Incoming update filter list for all interfaces is not set
    Default networks flagged in outgoing updates
    Default networks accepted from incoming updates
    IGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
    IGRP maximum hopcount 100
    IGRP maximum metric variance 1
    Redistributing: igrp 300
    Routing for Networks:
      183.8.0.0
      144.253.0.0
    Routing Information Sources:
      Gateway         Distance   Last Update
      144.253.100.1        100   0:00:52
      183.8.128.12         100   0:00:43
      183.8.64.130         100   0:01:02
    Distance: (default is 100)
  --More--

Router status commands, by the component they report on
  RAM (Internetwork Operating System, programs, tables and buffers, active configuration):
    Router# show version
    Router# show processes cpu
    Router# show protocols
    Router# show memory
    Router# show stacks
    Router# show buffers
    Router# show running-config   (write terminal on older releases)
  NVRAM (backup configuration file):
    Router# show startup-config   (show config on older releases)
  Flash (operating system images):
    Router# show flash
  Interfaces:
    Router# show interfaces

Showing CDP neighbors
  RouterA# show cdp neighbors
  Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge,
                    S - Switch, H - Host, I - IGMP
  Device ID            Local Intrfce  Holdtme  Capability  Platform  Port ID
  RouterB              Ser 0          151      R           2522      Ser 1
  SwitchA0050BD855780  Eth 0          165      T S         1900      2

  RouterA# show cdp neighbors detail
  -------------------------
  Device ID: RouterB
  Entry address(es):
    IP address: 198.121.200.1
    Novell address: 1002.0000.0c01.1111
  Platform: cisco 2522,  Capabilities: Router
  Interface: Serial1,  Port ID (outgoing port): Serial0
  Holdtime : 149 sec

show cdp entry
  RouterA# sh cdp entry *
  -------------------------
  Device ID: RouterB
  Entry address(es):
    IP address: 10.1.1.2
  Platform: cisco 2522,  Capabilities: Router
  Interface: Serial0,  Port ID (outgoing port): Serial1
  Holdtime : 168 sec
  Version :
  Cisco Internetwork Operating System Software
  IOS (tm) 2500 Software (C2500-JS-L), Version 12.0(3), RELEASE SOFTWARE (fc1)
  Copyright (c) 1986-1999 by cisco Systems, Inc.
  Compiled Mon 08-Feb-99 18:18 by phanguye
Topology of the CDP examples: SwitchB, RouterA, RouterB and SwitchA in a row, with the serial link between RouterA (S0) and RouterB (S1); addresses shown on the slide are 10.3.3.2, 10.3.3.1, 10.1.1.1, 10.1.1.2, 10.2.2.1 and 10.2.2.2.

Telnet operations
  Initiate a session      Denver# telnet paris
  End a session           Paris# exit
  Suspend a session       escape sequence (Ctrl-Shift-6, then x) returns to Denver
  Resume a session        press Enter at the Denver prompt
  Disconnect a session    Denver# disconnect paris
  Display sessions:
    Denver# show sessions
    Conn Host    Address          Idle  Conn Name
       1 Paris   131.108.100.152     0  Paris
    *  2 Tokyo   127.102.57.63       0  Tokyo

Understanding Cisco error messages
System error message format:
  %FACILITY-SUBFACILITY-SEVERITY-MNEMONIC: Message text
- Facility: the source the message concerns; a protocol, a hardware device, or a system software module.
- Subfacility: present only for Channel Interface Processor (CIP) cards.
- Severity: a number from 0 to 7; the lower the number, the more serious the condition.
- Mnemonic: a unique code that identifies the message and usually hints at the type of error.
- Message text: a short description, including the router hardware and software involved.
Note: not every message reports a fault; some report status information.

Event logging
- logging trap level: the severity level of messages sent to the syslog server (that level and all more severe ones).
- logging source-interface type number: stamp syslog packets with that interface's IP address regardless of the interface they leave through.
- logging on (with logging host-address naming the host, 131.108.1.8 in the figure): send messages to the syslog server.
- service timestamps log|debug datetime msec localtime show-timezone: add timestamps to log messages.
Logging destinations (figure): the console (default); a Telnet terminal (terminal monitor); a UNIX host running a syslog server (logging 131.108.1.8, logging on); the internal buffer (logging buffered, no logging buffered, viewed with show logging). Both debug output and system error messages are delivered this way.

Basic Testing Methods

Testing overview, by OSI layer
  7 Application  }
  6 Presentation }  telnet
  5 Session      }
  4 Transport
  3 Network         ping, trace, show ip route
  2 Data link    }  show interface
  1 Physical     }
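The message format and the logging trap semantics above, as an added Python example that is not from the slides: it parses IOS system messages (the optional timestamp from service timestamps, then %FACILITY-[SUBFACILITY-]SEVERITY-MNEMONIC: text), applies a logging trap style severity filter, and extracts denied connections from %SEC-6-IPACCESSLOGP messages. The log lines are constructed for this example; such ACL messages only exist when the access-list entry carries the log keyword.

```python
"""Parse Cisco IOS system messages and emulate the 'logging trap <level>' filter.

Added example (not from the slides). Message format: %FACILITY-[SUBFACILITY-]SEVERITY-MNEMONIC: text,
optionally preceded by a sequence number and a 'service timestamps' timestamp.
The sample log lines below are constructed for this example.
"""
import re

# Severity keywords as used by 'logging trap <level>' and 'logging buffered <level>'.
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors", "warnings",
                  "notifications", "informational", "debugging"]

MSG_RE = re.compile(
    r"(?:^|\s)%(?P<facility>[A-Z0-9_]+)"
    r"(?:-(?P<subfacility>[A-Z0-9_]+))?"
    r"-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)

# Text of %SEC-6-IPACCESSLOGP, logged for TCP/UDP hits on an ACE that carries the 'log' keyword.
ACL_LOG_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample: one config change, one ACL deny, an interface flap and a debug-level message.
SAMPLE_LOG = """\
*Mar  1 00:02:11.901: %SYS-5-CONFIG_I: Configured from console by vty0 (172.16.41.3)
*Mar  1 00:02:30.105: %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.9.9.9(51234) -> 172.16.41.143(4444), 1 packet
*Mar  1 00:02:31.220: %LINK-3-UPDOWN: Interface Serial1, changed state to down
*Mar  1 00:02:31.221: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1, changed state to down
*Mar  1 00:02:40.002: %SYS-7-USERLOG_DEBUG: Message from tty66(user id: student): test
"""


def parse_ios_message(line):
    """Split one log line into its fields, or return None if it is not an IOS system message."""
    m = MSG_RE.search(line)
    if not m:
        return None
    msg = m.groupdict()
    msg["severity"] = int(msg["severity"])
    msg["severity_name"] = SEVERITY_NAMES[msg["severity"]]
    msg["prefix"] = line[:m.start()].strip().rstrip(":")  # timestamp / sequence number, if present
    return msg


def trap_filter(lines, level):
    """Emulate 'logging trap <level>': keep messages at that severity or more severe (numerically lower)."""
    if isinstance(level, str):
        level = SEVERITY_NAMES.index(level)
    return [msg for msg in map(parse_ios_message, lines) if msg and msg["severity"] <= level]


def acl_denies(lines):
    """Extract denied connections from IPACCESSLOGP messages (only ACEs with 'log' produce them)."""
    hits = []
    for msg in filter(None, map(parse_ios_message, lines)):
        if msg["mnemonic"] == "IPACCESSLOGP":
            m = ACL_LOG_RE.search(msg["text"])
            if m and m.group("action") == "denied":
                hits.append(m.groupdict())
    return hits
```

With logging trap notifications the syslog host receives the three messages of severity 5 or lower and never sees the ACL deny at severity 6, which is why a border router whose ACL hits matter should trap at informational.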

Verifying address configuration
Each host runs the TCP/IP stack (Application, Transport, Internet, Network Interface, Hardware). telnet exercises the whole stack end to end at the application layer; ping (ICMP echo request / echo reply) tests the Internet (network) layer; trace tests the path hop by hop.

Testing network connectivity with ping
Can packets of the various protocols be routed correctly?
  Router# ping 172.16.101.1
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 172.16.101.1, timeout is 2 seconds:
  .!!!!
  Success rate is 80 percent, round-trip min/avg/max = 6/6/6 ms
Ping result characters:
  !   reply received
  .   request timed out
  U   destination unreachable
  P   protocol unreachable
  N   network unreachable
  I   ping interrupted (for example, Ctrl-Shift-6 X)
  ?   unknown packet type

Extended ping (ping supports several protocols)
  Router# ping
  Protocol [ip]:
  Target IP address: 192.168.101.162
  Repeat count [5]:
  Datagram size [100]:
  Timeout in seconds [2]:
  Extended commands [n]: y
  Source address:
  Type of service [0]:
  Set DF bit in IP header? [no]: yes
  Data pattern [0xABCD]:
  Loose, Strict, Record, Timestamp, Verbose[none]:
  Sweep range of sizes [n]:
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 192.168.101.162, timeout is 2 seconds:
  !!!!!
  Success rate is 100 percent (5/5), round-trip min/avg/max = 24/26/28 ms
  Router#

Using trace
Which path do datagrams take? Topology: York, London (172.16.12.3), Paris (172.16.16.2), Rome (172.16.33.5).
  York# trace ROME
  Type escape sequence to abort.
  Tracing the route to ROME (172.16.33.5)
    1 LONDON (172.16.12.3) 1000 msec 8 msec 4 msec
    2 PARIS (172.16.16.2) 8 msec 8 msec 8 msec
    3 ROME (172.16.33.5) 8 msec 8 msec 4 msec
  York#
Each hop is reported by the address of the interface the probe arrived on:
  Router# trace aba.nyc.mil
  Type escape sequence to abort.
  Tracing the route to aba.nyc.mil (26.0.0.73)
    1 (172.16.1.6) 1000 msec 8 msec 4 msec
    2 barrnet- (172.16.16.2) 8 msec 8 msec 8 msec
    3 external-a-gateway.stanford.edu (192.42.110.225) 8 msec 4 msec 4 msec
    4 (131.119.254.6) 8 msec 8 msec 8 msec
    5 (131.119.3.8) 12 msec 12 msec 8 msec
    6 moffett-fld-mb.in.mil (192.52.195.1) 216 msec 120 msec 132 msec
    7 aba.nyc.mil (26.0.0.73) 412 msec * 664 msec
(Host names for hops 1, 4 and 5 are missing on the slide and hop 2 is truncated.)
Trace result characters:
  H   host unreachable
  P   protocol unreachable
  N   network unreachable
  U   port unreachable
  *   probe timed out
  ?   unknown packet type

Testing the application layer with telnet
Can you log in to the remote router? (Paris telnets to York.)

Device Images, Configuration Access and Backup

Loading the configuration file from NVRAM
At boot, IOS loads and executes the configuration stored in NVRAM into RAM; if NVRAM holds no configuration, the router enters setup mode (the setup utility on the console). show startup-config displays the saved (NVRAM) configuration and show running-config the current (RAM) one; sample output is shown under Monitoring and Troubleshooting above.

Saving and moving configuration files
  copy running-config startup-config   (same as write)
  copy startup-config running-config   (merge)
  copy startup-config tftp
  copy tftp startup-config
  copy running-config tftp
  copy tftp running-config             (merge)
  configure terminal                   (merge)
Anything copied into running-config is mer merged with, not substituted for, the current configuration.
  Access_Server# copy ?
    flash           Copy from system flash
    flh-log         Copy FLH log file to server
    mop             Copy from a MOP server
    rcp             Copy from an rcp server
    running-config  Copy from current system configuration
    startup-config  Copy from startup configuration
    tftp            Copy from a TFTP server
  Access_Server# copy startup-config ?
    rcp             Copy to an rcp server
    running-config  Update (merge with) current system configuration
    tftp            Copy to a TFTP server
  Access_Server# copy startup-config tftp
  Remote host []? 172.18.7.114
  Name of configuration file to write [access_server-confg]?
  Write file access_server-confg on host 172.18.7.114? [confirm]
  Writing access_server-confg !! [OK]
A configuration backup holds every password on the router (type 7 strings at best), and TFTP carries it without authentication or encryption, so restrict the TFTP server to the management network.

Backing up IOS images
Check access to the network server, then verify that flash has room for the image:
  wg_ro_a# show flash
  System flash directory:
  File  Length    Name/status
    1   10084696  c2500-js-l_120-3.bin
  [10084760 bytes used, 6692456 available, 16777216 total]
  16384K bytes of processor board System flash (Read ONLY)
Create an image backup (back up the current files before updating flash):
  Access_Server# copy flash tftp
  System flash directory:
  File  Length   Name/status
    1   3988176  /igs-im-l_111-22.bin
  [3988240 bytes used, 4400368 available, 8388608 total]
  Address or name of remote host [255.255.255.255]? 172.18.7.114
  Source filename []? /igs-im-l_111-22.bin
  Destination filename [/igs-im-l_111-22.bin]?
  Verifying checksum for '/igs-im-l_111-22.bin' (file # 1)... OK
  Copy '/igs-im-l_111-22.bin' from Flash to server as '/igs-im-l_111-22.bin'? [yes/no] yes
  !!!!!
  Upload to server done
  Flash copy took 00:00:53 [hh:mm:ss]
Restore an image from the backup (flash is erased before the new image is loaded; note the message if the image already exists):
  wg_ro_a# copy tftp flash
  Address or name of remote host [10.1.1.1]?
  Source filename []? c2500-js-l_120-3.bin
  Destination filename [c2500-js-l_120-3.bin]?
  Accessing tftp://10.1.1.1/c2500-js-l_120-3.bin...
  Erase flash: before copying? [confirm]
  Erasing the flash filesystem will remove all files! Continue? [confirm]
  Erasing device... eeeee (output omitted) ...erased
  Erase of flash: complete
  Loading c2500-js-l_120-3.bin from 10.1.1.1 (via Ethernet0): !!!!! (output omitted)
  [OK - 10084696/20168704 bytes]
  Verifying checksum... OK (0x9AA0)
  10084696 bytes copied in 309.108 secs (32636 bytes/sec)
  wg_ro_a#

Router Boot Sequence and Password Recovery

Boot sequence overview
The router reports its progress on the console while it checks the hardware, locates and loads the Cisco IOS software image, and locates and loads the configuration:
  1. The bootstrap program is loaded from ROM into RAM.
  2. The operating system is located and loaded from flash, from a TFTP server, or from ROM.
  3. The configuration file is located and loaded from NVRAM or a TFTP server; if none is found, the router enters setup mode on the console.

Configuration register
Bits 3, 2, 1 and 0 (the boot field) select the boot option; check the current value with show version.
  Boot field   Meaning
  0x0          ROM monitor mode (boot manually with the b command)
  0x1          Boot automatically from ROM (an IOS subset)
  0x2 - 0xF    Examine NVRAM for boot system commands (0x2 is the default on routers with flash)
  Router# configure terminal
  Router(config)# config-register 0x2102
  Ctrl-Z
  Router# reload
The default 0x2102 is 0010 0001 0000 0010 in binary, counting bit 0 from the right and bit 15 on the left. Bits 3-0: 0000 boots the ROM monitor, 0001 the mini IOS, anything else boots normally. Bit 6 makes the router ignore the configuration file in NVRAM; setting it gives 0x2142.

Recovering a lost password (example)
1. Restart the router and press Ctrl+Break within 60 seconds, then press Enter.
2. At the > prompt of the ROM monitor type o/r 0x2142 (on platforms with the newer ROM monitor the equivalent is confreg 0x2142).
3. Type i to reinitialise the router.
4. When the setup dialog appears, answer no so that no configuration is created; the router comes up at the Router(boot) prompt with the saved configuration ignored.
5. Set a new enable secret, restore the register, save, and reload:
  Router(boot)> enable
  Router(boot)# config terminal
  Router(boot)(config)# enable secret <the password you choose>
  Router(boot)(config)# config-register 0x2102
  Router(boot)(config)# Ctrl+Z
  Router(boot)# write
  Router(boot)# reload
Before step 5 restore the saved configuration with copy startup-config running-config; otherwise the write in the last step replaces it with the nearly empty running configuration. Note what this procedure implies: anyone with console access and the ability to reboot the router can take full control of it, so console ports and the equipment room need physical protection, and IOS releases that support it offer no service password-recovery to disable the bypass.
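The register arithmetic behind the recovery procedure above, as an added Python example (not from the slides): it decodes a configuration register into the fields the boot sequence reads and produces the value the o/r 0x2142 step sets and the value config-register 0x2102 restores. Bit meanings are the documented ones for the classic register layout; the function names are this example's own.

```python
"""Decode a Cisco IOS configuration register and show what the password-recovery step changes.

Added example (not from the slides); the bit meanings are the documented ones for the classic
register layout: bits 3-0 boot field, bit 6 ignore NVRAM, bit 8 Break disabled, bit 13 boot the
ROM image if a network boot fails.
"""

IGNORE_NVRAM = 0x0040          # bit 6: skip startup-config at boot (the 0x2142 of the recovery procedure)
BREAK_DISABLED = 0x0100        # bit 8: Break is ignored once the first 60 seconds of boot have passed
ROM_ON_NETBOOT_FAIL = 0x2000   # bit 13: fall back to the ROM image if a network boot fails


def decode_config_register(value):
    """Return the fields the boot sequence reads from a 16-bit register value."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("config-register is a 16-bit value")
    boot_field = value & 0xF
    if boot_field == 0x0:
        boot = "ROM monitor; boot manually with the 'b' command"
    elif boot_field == 0x1:
        boot = "boot the IOS subset (boot helper) from ROM"
    else:
        boot = "use the boot system commands in NVRAM (0x2 is the default when the router has flash)"
    return {
        "value": "0x%04X" % value,
        "boot_field": boot_field,
        "boot": boot,
        "ignore_nvram_config": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
        "rom_on_netboot_failure": bool(value & ROM_ON_NETBOOT_FAIL),
    }


def recovery_register(current):
    """Value to set from the ROM monitor (o/r 0x2142 on the slide): the same register with bit 6 raised."""
    return current | IGNORE_NVRAM


def restore_register(recovery_value):
    """Value to set back with 'config-register' once the new enable secret has been saved."""
    return recovery_value & ~IGNORE_NVRAM & 0xFFFF


def describe_boot(value):
    """One-line summary an operator can compare with the last line of 'show version'."""
    d = decode_config_register(value)
    notes = []
    if d["ignore_nvram_config"]:
        notes.append("startup-config IGNORED: passwords bypassed, router boots unconfigured")
    if not d["break_disabled"]:
        notes.append("Break honoured after boot: a console user can drop to the ROM monitor at any time")
    suffix = "; " + "; ".join(notes) if notes else ""
    return "%s: boot field 0x%X (%s)%s" % (d["value"], d["boot_field"], d["boot"], suffix)
```

describe_boot(0x2142) is the state the router is in between steps 3 and 5 of the procedure; leaving it there, or leaving bit 8 clear, turns every console session into a potential takeover.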

Securing the Management Interfaces
Topics: fine-tuning line parameters; privilege levels for restricted access to network devices; restricting Telnet access; controlling HTTP access to the router; network infrastructure security.

Tips for secure passwords
- Configure passwords immediately after the initial installation.
- Make sure the privileged-level password differs from the user-level password.
- Mix character classes so that password-cracking attempts are hard to carry out.
- Do not keep passwords where they are easy to find.
- Do not use passwords that are easy to guess.
- Change passwords regularly.
- Never use "cisco" or an obvious variation of it as a Cisco router password in production.

Securing console access, the privileged-mode password, and password encryption
  Router(config)# line console 0
  Router(config-line)# login
  Router(config-line)# password cisco
  Router(config)# enable secret [level level] {password | encryption-type encrypted-password}
  Router(config)# service password-encryption
Setting a line timeout:
  Router(config)# line console 0
  Router(config-line)# exec-timeout 2 30
Other line types that can be tuned the same way:
  Router(config)# line ?
    <0-N>    First line number
    aux      Auxiliary line
    console  Primary terminal line
    tty      Terminal controller
    vty      Virtual terminal

Privilege levels
- Level 1 is predefined as user-mode access.
- Levels 2 to 14 are customisable user-mode privilege levels.
- Level 15 is predefined as privileged-mode access, the same level the enable command grants.
  Router(config)# privilege mode level level command
  Router(config)# privilege mode reset command
  mode: the configuration mode the command belongs to (exec, configure, line, interface, or any other router configuration mode)
  level level: the privilege level, 0 to 15, to associate with the command
  command: the command associated with that privilege level
  reset command: restore the command's default privilege level
By adjusting users' privilege levels you can hand out finer-grained rights, for example (IOS router):
  privilege configure level 3 username
  privilege exec level 3 copy run start
  privilege exec level 3 ping
  privilege exec level 3 show run
  privilege exec level 3 show
  enable secret level 3 cisco

Telnet access
- The Telnet ports on a router are the virtual terminal (vty) lines.
- An enable password must be configured before a Telnet user can obtain enable access.
- Restrict Telnet access with the access-class and access-list commands.
- Restrict the connection types the vty lines accept with transport input.
- Turn off features such as ip alias and CDP (no cdp enable) to reduce the ways the vty ports can be attacked.
Restricting Telnet to specific IP addresses: define a standard access list containing the permitted addresses, then apply it to the vty lines with access-class.
  RSM143(config)# access-list 1 permit 172.16.41.3
  RSM143(config)# line vty 0 4
  RSM143(config-line)# access-class 1 in
Host 172.16.41.3 may Telnet to 172.16.41.143; every other source is refused by the implicit deny at the end of the list.

Controlling HTTP access
  RSM143(config)# access-list 1 permit 172.16.41.3
  RSM143(config)# ip http server
  RSM143(config)# ip http access-class 1
  RSM143(config)# ip http authentication local
  RSM143(config)# username student password cisco
- HTTP access is disabled by default.
- An access list names the addresses allowed to reach TCP port 80 on the router.
- HTTP uses the same password mechanisms as console and vty access; the username and password travel in clear text, so leave the server disabled unless it is needed.
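What service password-encryption on the password slides earlier and on the management-interface slides above actually protects, shown by an added Python example that is not from the slides: IOS type 7 strings are an XOR against a fixed key with a two-digit seed, so anyone who can read the configuration (a TFTP backup, a show running-config over a shoulder) recovers the line, username and enable passwords; only enable secret stores a one-way hash. The sample configuration is constructed for this example and its enable secret 5 line carries a placeholder, not a real digest.

```python
"""Cisco IOS type 7 ('service password-encryption') is reversible; this decodes and encodes it.

Added example, not code from the slides. The sample configuration is constructed for this example;
the 'enable secret 5' line carries a placeholder, not a real MD5 digest.
"""
import re

# Fixed key IOS XORs against; the two leading decimal digits of a type 7 string are the start offset.
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

# Credential lines IOS writes with type 7 when service password-encryption is on.
TYPE7_LINE = re.compile(
    r"^\s*(?P<what>enable password|password|username \S+ password) 7 (?P<enc>[0-9A-Fa-f]+)\s*$"
)

SAMPLE_CONFIG = """\
!
service password-encryption
hostname Tokyo
enable secret 5 $1$abcd$placeholder.not.a.real.hash
enable password 7 094F471A1A0A
username student password 7 1511021F0725
line vty 0 4
 password 7 094F471A1A0A
 login
"""


def type7_decrypt(enc):
    """Recover the plaintext: seed = first two digits, then one hex byte per character."""
    if len(enc) < 4 or len(enc) % 2:
        raise ValueError("malformed type 7 string: %r" % enc)
    seed = int(enc[:2], 10)
    chars = []
    for n, pos in enumerate(range(2, len(enc), 2)):
        key = ord(XLAT[(seed + n) % len(XLAT)])
        chars.append(chr(int(enc[pos:pos + 2], 16) ^ key))
    return "".join(chars)


def type7_encrypt(plain, seed=9):
    """Produce what IOS would store; IOS picks the seed (0-15) at random, so output differs per save."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    out = ["%02d" % seed]
    for n, ch in enumerate(plain):
        key = ord(XLAT[(seed + n) % len(XLAT)])
        out.append("%02X" % (ord(ch) ^ key))
    return "".join(out)


def audit_type7(config_text):
    """List (config line, recovered plaintext) for every type 7 credential; type 5 secrets are skipped."""
    findings = []
    for line in config_text.splitlines():
        m = TYPE7_LINE.match(line)
        if m:
            findings.append((line.strip(), type7_decrypt(m.group("enc"))))
    return findings
```

Both 094F471A1A0A and 1511021F0725 decode to cisco, which is the slide's own example password under two different seeds; the audit function reports every such line in a saved configuration while leaving the enable secret alone, because a type 5 hash cannot be reversed this way.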

Securing the Internet Connection
Topics: controlling TCP/IP services; DoS attack protection; logging events on the border router.

Controlling TCP/IP services
Global commands that control the TCP/IP services the router offers:
  no service tcp-small-servers    Stop serving the low-numbered TCP services (Echo, Discard, Chargen, Daytime) to network hosts.
  no service udp-small-servers    The same for the UDP small servers (Discard, Chargen, Daytime).
  no service finger               Do not answer finger requests, which let remote users list who is logged in.
  no ip domain-lookup             On the border router, disable DNS host-name-to-address resolution.
  no ip tcp selective-ack         Disable TCP selective acknowledgement; costs some performance but improves resistance to DoS attacks.
  no ip tcp path-mtu-discovery    Disable path MTU discovery for new TCP connections the router itself originates; enabling it increases exposure to DoS attacks (a global command, although the slide lists it with the interface commands).
  no cdp run                      Disable the Cisco Discovery Protocol globally.
  no ip rsh-enable                Do not let remote users execute commands on the router with rsh.
Interface commands that control TCP/IP services:
  no ip proxy-arp                 Disable proxy ARP on the interface.
  no ip redirects                 Stop IOS from sending ICMP redirects when it forwards a packet back out the interface it arrived on; this limits what a port scan learns from the router.
  no ip unreachables              Do not generate ICMP unreachable messages on the interface.
  no cdp enable                   Disable CDP on the interface.
  no ip directed-broadcast        Turn off IP directed broadcasts so the router cannot act as a broadcast amplifier in a distributed DoS attack; this is the default in current IOS.

Routing security: use static routes where possible; control route advertisements; authenticate routing updates.
Access control: inbound packet filtering; outbound packet filtering.

DoS attack protection
Keep your network devices from taking part in a DDoS attack:
- Filter all inbound traffic with access lists and drop packets whose source is private or reserved address space.
- Filter all outbound traffic so that your network cannot be used to spoof source IP addresses.
- Use committed access rate (CAR) to rate-limit ICMP packet storms.
- Rate-limit SYN packets.
- Use the ip verify unicast reverse-path interface command (unicast RPF, which requires CEF).
- Manage addresses with NAT and PAT.

Configuration against distributed DoS attacks: rate-limiting ICMP
  Router(config)# access-list 105 permit icmp any any echo-reply
  Router(config)# interface serial 0
  Router(config-if)# rate-limit output access-group 105 1540000 512000 786000 conform-action transmit exceed-action drop
First, classify the traffic with an access list that defines the ICMP flow. Second, make sure CEF is enabled on the interface before configuring CAR. CAR then holds the matched flow to the configured bandwidth (1,540,000 bps here, with normal and excess burst sizes of 512,000 and 786,000 bytes).

Configuration against distributed DoS attacks: rate-limiting SYN packets
First, measure the normal SYN traffic with show interfaces rate-limit to establish a baseline rate for the interface. Second, keep the SYN rate limit as low as practical.
  Router(config)# access-list 150 deny tcp any host eq www established
  Router(config)# access-list 150 permit tcp any host eq www
  Router(config)# interface serial 0
  Router(config-if)# rate-limit output access-group 150 1540000 512000 786000 conform-action transmit exceed-action drop
(The slide drops the server address after host. Established segments are excluded by a deny placed first so that only new connections, that is SYNs, are subject to the limiter.) Third, enable logging on the border devices to help trace a DDoS attack.

Router access lists against worms
1. Block Nachi worm scanning:
  access-list 110 deny icmp any any echo
2. Block Blaster worm propagation:
  access-list 110 deny tcp any any eq 4444
  access-list 110 deny udp any any eq 69
3. Block Blaster worm scanning and exploitation (RPC and SMB ports):
  access-list 110 deny tcp any any eq 135
  access-list 110 deny udp any any eq 135
  access-list 110 deny tcp any any eq 139
  access-list 110 deny udp any any eq 139
  access-list 110 deny tcp any any eq 445
  access-list 110 deny udp any any eq 445
  access-list 110 deny tcp any any eq 593
  access-list 110 deny udp any any eq 593
4. Block Slammer worm propagation:
  access-list 110 deny udp any any eq 1434
  access-list 110 permit ip any any
5. Close off spoofed sources (loopback and private address space):
  access-list 101 deny ip 127.0.0.0 0.255.255.255 any
  access-list 101 deny ip 172.16.0.0 0.15.255.255 any
  access-list 101 deny ip 192.168.0.0 0.0.255.255 any
The slide gives the wildcard for 172.16.0.0 as 0.240.255.255; that matches 172.0.0.0, 172.32.0.0, 172.48.0.0 and so on rather than 172.16.0.0/12, and the correct wildcard is 0.15.255.255. List 101 as shown also omits 10.0.0.0/8 and ends without a permit, so the implicit deny would drop all remaining traffic; a permit statement must follow the deny entries.

Introduction to CSTNET
Topics: the structure of CSTNET; CSTNET network equipment; domestic and international links; network management.

Development of CSTNET
CSTNET was the first network in China to achieve full-function interconnection with the Internet. It went through three stages: NCFC, CASNET and CSTNET.
- NCFC: the education and research demonstration network of the Zhongguancun area.
- CASNET: the network of the Chinese Academy of Sciences; access types: fibre, satellite, DDN, microwave, ISDN, HDSL.
- CSTNET: a nationwide science and technology network built on NCFC and CASNET that connects research institutions outside the Academy across the country.
CSTNET is deployed nationwide (network structure diagram).

Network equipment
- Cisco high-end routers: Cisco 12000, Cisco 7500, Cisco 7600
- Cisco low-end routers: Cisco 3600, Cisco 2600
- Cisco layer-3 switches: Catalyst 6500, Catalyst 4500, Catalyst 3500

Domestic links
  CERNET (China Education and Research Network)   1G
  ChinaNet (China Telecom)                         1G
  China 169 (China Netcom)                         1G
  BJNAP (Beijing Internet exchange)                1G
International links (Beijing)
  SPRINT1 - USA         155M
  SPRINT2 - USA         155M
  Khabarovsk - Russia   155M
International links (Hong Kong)
  ASNet TW Region - TW   1G     2005-01
  HK-IX - HK             1G     2005-04
  Chicago-W - USA        155M   2005-01
  APAN-JP OTC - JP       1G     2004-12
  Mega-i Adv. HK         1G     2005-03
  Google Corp.           1G     2005-03
  Korea KISTI            10G    2005-07

GLORIAD
- The first high-speed ring network in the northern hemisphere, created jointly by China, Russia and the USA.
- Development goal: 10G bandwidth around the whole ring.
- Serves research institutions, providing an unobstructed network for sharing and moving very large research datasets (high-energy physics, biology, astronomy and others).
- Aim: to become a base platform for the world's research networks.
Diagram: domestic and international link connections (155M line shown).

Network management
- Line quality monitoring
- Network traffic monitoring
- Device performance monitoring
- Router log monitoring
- Protocol analysis of traffic
- Security management (TACACS authentication); AAA: Authentication, Authorization, Accounting

Thank you!

