Information about IOS for those who know the password
Feature sets for version 11.1(12)
I consider only the low-end series (Cisco 2500, AS5100); not a word about ATM, nor about IBM protocols. (Memory requirements are given for a Cisco 2500 running from flash.) (RMON alarms and events are implemented even in feature sets that have no RMON.)
- igs-i-l (4 MB flash, 4 MB DRAM): IP
- igs-im-l (4 MB flash, 4 MB DRAM): IP/RMON
- igs-ir-l (8/4): IP/IBM Base
- igs-imr-l (8/4): IP/IBM/RMON
- igs-in-l (8/4): IP/IPX
- igs-imn-l (8/4): IP/IPX/RMON
- igs-inr-l (8/4): IP/IPX/IBM Base
- igs-imnr-l (8/4): IP/IPX/IBM/RMON
- igs-ainr-l (8/8): IP/IPX/IBM/APPN
- igs-d-l (8/4): Desktop (AppleTalk and DECnet IV start at this level)
- igs-dr-l (8/4): Desktop/IBM Base
- igs-j-l (8/6): Enterprise (ES-IS and IS-IS, DECnet V, Apollo Domain, VINES, ISO, XNS, Kerberos for login, protocol translation and Xremote start at this level)
- igs-jm-l (8/6): Enterprise/RMON
- igs-aj-l (16/8): Enterprise/APPN
- CFRAD (4/4) (Cisco Frame Relay Access Device)
- igs-p-l (4/4): Remote Access Server (none of the IBM and other non-standard stuff, but everything needed for normal operation; no RMON, ISDN, OSPF, EGP or bridging, but there is protocol translation, TN3270, Xremote, PAD, LAT, NetBEUI over PPP and modem autoconfiguration)
- igs-g-l (4/2): ISDN
- LAN FRAD (4/4)
- OSPF LAN FRAD (4/4)
Bugs in version 11.1 (only those that interest me)
11.1(12)
- if connection accounting is enabled but exec accounting is not, the Cisco reloads on the user's second connection
- interrupt-level IP fragmentation is not supported
- the DHCP proxy client does not process DHCP packets from a server whose DHCP option equals zero
- the RADIUS CLASS attribute gets corrupted, which prevents using the MERIT server
- aaa accounting system start-stop tacacs+ does not always send the "system restarted" message (the routing table has not had time to settle); use: ip host-routing
- show accounting can cause a reload
- a problem when there is no connectivity to the RADIUS server (it does not prompt for the enable password)
- problems encrypting long (more than 11 characters) administrator passwords: they may be truncated to 11 characters
- snmp-server trap-source works incorrectly
- the pool manager sometimes eats I/O memory
- a crash on the command no boot system flash (enter the full file name)
- enabling STAC compression on an async line can hang the Cisco
- you cannot use ping with a 2048-byte packet
- disconnecting the 10Base2 cable does not bring the interface down
- a tunnel does not work if bandwidth is greater than 2048
- an ICMP redirect is not sent if the incoming packet is an ECHO-REPLY
- BGP with an extended ACL and a default-originate route-map crashes
- under some conditions a static route whose next hop is reachable via another static route is not installed in the table
- trace to the router's own IP address does not work
- TCP header compression does not work on outgoing PPP lines
- reliable PPP mode does not work on async lines
- TCP header compression is incompatible with multilink TCP, and no warning about this is given
11.1(11)
- exec-timeout kills even an active telnet (either go back to 11.1(10) or set it to 0)
- BGP and OSPF are unstable
- ip igmp query-interval 0 hangs the system
- low-speed sync/async ports cannot handle packets larger than 1500 (set the MTU below 1498 on both ends)
11.1(10)
- the modem reset script is not executed if the PPP session ended normally
- tacacs+ causes a memory leak (since version 11.0(10))
- a Bus Error sometimes occurs
- telnet sometimes freezes for 20 seconds; press any key
- show ip bgp inconsistent-as sometimes reloads the box
- an extended ACL sometimes lets fragments through if logging is enabled
- on no shutdown for a group-async the box sometimes reloads
- if PPP is present, a Bus error sometimes occurs
I do not cover older releases, but their number is impressive.
Feature sets for version 11.0(16) (I only have 11.0(14))
Only the Cisco 2500 is considered (everything is very similar to 11.1; memory requirements are given for a Cisco 2500 running from flash):
- IP (4 MB flash/2 MB DRAM)
- IP/IBM Base (8/4)
- IP/IPX (4/4)
- IP/IPX/IBM Base (8/4)
- IP/IPX/IBM APPN (8/8)
- Desktop (8/4)
- Desktop/IBM Base (8/4)
- Enterprise (8/6)
- Enterprise/APPN (8/8)
- CFRAD (4/2)
- ISDN (4/2)
- LAN FRAD (8/4)
- Remote Access Server (4/4)
Bugs in version 11.0 (only those that interest me)
11.0(16):
- service password-encryption truncates passwords to 11 characters
- if a serial interface is put into loopback by a hardware signal, you must issue no loopback to get it out of that state
11.0(14):
- a Cisco 2511 sometimes reloads with the message sched-3-pagezero: low memory
- enabling TACACS+ causes a memory leak (appeared in version 11.0(10))
- a bus error sometimes occurs
- OSPF sometimes causes a crash
- an extended ACL sometimes lets fragments through if logging is enabled
- if PPP is present, a Bus error sometimes occurs
- the async controller sometimes hangs together with 4 modems
11.0(13):
- when you ping a synchronous DDR link with HDLC compression configured, the router resets
- reload every 3 weeks if SPX is in use
- a non-TCP reverse connection can crash the router (started in 11.0(11.1))
11.0(12):
- packets to TACACS+ may be delayed by 9 seconds if DNS is not configured on the router (either issue no ip domain-lookup, or add the TACACS+ server's IP address to the local host table)
- if a task took less time than was needed to reach TACACS+, the stop record is lost
- if an alias expands to a string longer than 256, the box crashes
11.0(11) and earlier:
- service compress-config can hang
- using DNS to look up an alias crashes the box
- do not issue ip address on an interface attached to PPP
- PAP does not work with TACACS+
- on a Cisco 2511, 4 ports sometimes change DSR at once on a single event
- encapsulation ppp (or async mode dedicated) causes a pause of indefinite length if issued for a group
- under heavy load a Cisco 2509-2511 can hang or bus error
- sometimes after copy tftp running the hardware synchronization drops
- if autoselect is used in combination with TACACS+, the routing table will contain routes for the default IP address even if TACACS+ changed that address
- an extended ACL using destination UDP addresses works incorrectly
Feature sets for version 11.2(7a) (I only have 11.2(05))
For version 11.2 three branches are maintained in parallel: 11.2 (the most stable, bug fixes only), 11.2 P (bug fixes and new hardware), 11.2 F (bug fixes, new hardware and cross-platform compatibility).
Memory requirements (for version 11.2 on a Cisco 2500):
- Enterprise and above: 8 MB flash, 6 MB DRAM
- everything below: 8 MB flash, 4 MB DRAM. I consider only the low-end series (Cisco 1000, 1600, 2500, 4000, AS5100, AS5200); not a word about ATM, nor about IBM protocols.
For file names see http://www.cisco.com/univercd/data/doc/software/11_2/relnotes/rn112.htm
Image Name Mapping from Release 11.1 to Release 11.2

Feature set            11.1 image       11.2 image
Cisco 1005
                       c1005-bnxy-mz    c1005-bny-mz
                       c1005-bxy-mz     c1005-by-mz
                       c1005-nxy-mz     c1005-ny-mz
                       c1005-xy-mz      c1005-y-mz
                       c1005-xy2-mz     c1005-y2-mz
Cisco 2500 Series
IP/IPX/IBM/APPN        igs-ainr-l       c2500-ainr-l
Enterprise/APPN        igs-aj-l         c2500-ajs-l
                       igs-c-l          c2500-c-l
Desktop                igs-d-l          c2500-d-l
Desktop/IBM Base       igs-dr-l         c2500-ds-l
                       igs-f-l          c2500-f-l
                       igs-fin-l        c2500-fin-l
ISDN                   igs-g-l          c2500-g-l
IP                     igs-i-l          c2500-i-l
IP/RMON                igs-im-l         c2500-is-l
IP/IPX/RMON            igs-imn-l        c2500-ds-l
IP/IPX/IBM/RMON        igs-imnr-l       c2500-ds-l
IP/IBM/RMON            igs-imr-l        c2500-is-l
IP/IPX                 igs-in-l         c2500-d-l
IP/IBM Base            igs-ir-l         c2500-is-l
IP/IPX/IBM base        igs-inr-l        c2500-ds-l
Enterprise/RMON        igs-jm-l         c2500-js-l
Enterprise             igs-j-l          c2500-j-l
Cisco AS5200
                       as5200-iz-l      c5200-is-l
                       as5200-dz-l      c5200-ds-l
                       as5200-jmz-l     c5200-js-l
Cisco 4000 Series
                       xx-ainr-mz       c4000-ainr-mz
                       xx-aj-mz         c4000-ajs-mz
                       xx-d-mz          c4000-d-mz
                       xx-dr-mz         c4000-ds-mz
                       xx-i-mz          c4000-is-mz
                       xx-in-mz         c4000-d-mz
                       xx-inr-mz        c4000-ds-mz
                       xx-ir-mz         c4000-is-mz
                       xx-j-mz          c4000-j-mz
Cisco 4500 Series
                       c4500-aj-mz      c4500-ajs-mz
                       c4500-dr-mz      c4500-ds-mz
                       c4500-ir-mz      c4500-is-mz
                       c4500-in-mz      c4500-d-mz
                       c4500-inr-mz     c4500-ds-mz
Cisco 7000 Series
                       gs7-aj-mz        c7000-aj-mz
                       gs7-ajv-mz       c7000-ajv-mz
                       gs7-jv-mz        c7000-jv-mz
                       gs7-j-mz         c7000-j-mz
Cisco 7200 Series
                       c7200-aj-mz      c7200-ajs-mz
                       c7200-dr-mz      c7200-ds-mz
                       c7200-j-mz       c7200-js-mz
Cisco 7500 Series and Cisco 7000 with RSP7000
                       rsp-aj-mz        rsp-ajsv-mz
                       rsp-j-mz         rsp-jsv-mz
                       rsp-ajv-mz       rsp-ajsv-mz
                       rsp-jv-mz        rsp-jsv-mz
Each feature set can come in 4 variants: basic, extended (PLUS), 40-bit encryption, 56-bit encryption (not every package and variant is available on every platform):
- c2500-i- IP: concurrent routing and bridging, GRE, integrated routing and bridging (from 11.2), IP, LAN extension host, multiring, transparent and translational bridging, VLAN (ISL and IEEE 802.10: only Cisco 4500, from 11.2, and the Plus variant), Combinet Packet Protocol (CPP, from 11.2), Dialer Profiles (from 11.2), Frame Relay, Frame Relay traffic shaping (from 11.2), half-bridge/half-router (from 11.2), HDLC, PPP, SMDS, switched 56, X.25, bandwidth on demand, custom queueing priorities, dial backup, dial-on-demand, header, link and payload(?) compression, snapshot routing, weighted fair queueing, BGP, BGP4 (from 11.2), EGP, IGRP, Enhanced IGRP, EIGRP optimization (from 11.2), named IP ACLs (from 11.2), Network Address Translation (from 11.2 and Plus), NHRP, on-demand routing (from 11.2), OSPF, OSPF Not-So-Stubby Areas (from 11.2), OSPF on-demand circuit (RFC 1793, from 11.2), PIM (protocol independent multicast), policy-based routing, RIP, RIP2 (from 11.1), generic traffic shaping (from 11.2), Random Early Detection (RED, from 11.2), Resource Reservation Protocol (RSVP, from 11.2), AutoInstall, modem autoconfiguration (from 11.1), HTTP server (from 11.2), RMON events and alarms (from 11.1), full RMON (2500 only, from 11.2 and Plus), SNMP, telnet, access lists, extended access lists, Lock and Key (from 11.2), MAC security for hubs (from 11.2), MD5 routing authentication, network-layer encryption (encrypt variant only), RADIUS (from 11.1), TACACS+, asynchronous master interfaces, PPP, SLIP, CPPP, CSLIP, DHCP, IP pooling, rlogin, telnet, X.25 PAD
- c2500- IP/IPX (this feature set does not exist for 11.2): adds IPX, IPXWAN 2.0, ISDN, IPX RIP, NLSP, IPXCP
- c2500- Desktop (IP/IPX/AppleTalk/DEC): adds AppleTalk 1 and 2, DECnet IV, Virtual Private Dial-Up Network (from 11.2), AURP, RTMP, SMRP, ARAP 1.0/2.0, ATCP, MacIP
- c2500- Enterprise: adds Apollo Domain, Banyan VINES, DECnet V, OSI, XNS, Frame Relay SVC (from 11.2), multichassis multilink PPP (MPP, from 11.2), ES-IS, IS-IS, SRTP, Kerberos login (from 11.1), Kerberos V client support (from 11.2), protocol translation (LAT, telnet, PPP, rlogin, X.25, TN3270), IPX and ARAP on virtual async interfaces, NASI (from 11.1), NetBEUI over PPP (from 11.1), LAT, TN3270, Xremote
- c2500- Enterprise and APPN
- c2500- IP/IPX/IBM and APPN
- c2500- Desktop/IBM and APPN
For Cisco 1000 and 1600 (11.1 and 11.2 only):
- IP
- IP/IPX
- IP/AppleTalk
- IP/IPX/AppleTalk
For Cisco 1005:
- IP/OSPF/PIM
- IP/Async
- IP/IPX/Async
Additionally for Cisco 2500 and AS5100:
- c2500- CFRAD
- c2500- LAN FRAD
- c2500- ISDN
- c2500-p- Remote Access Server (2509-2512 and AS5100): AppleTalk 1 and 2 (from 11.2), DECnet IV (11.0 only), GRE, integrated routing and bridging (from 11.2), IP, multiring, IPX, source-route bridging (from 11.2), transparent bridging (from 11.2), transparent and translational bridging, CPP (from 11.2), dialer profiles (from 11.2), Frame Relay, Frame Relay traffic shaping (from 11.2), half-bridge/half-router (from 11.2), HDLC, IPXWAN 2.0, multichassis multilink PPP (MPP, from 11.2), PPP, switched 56, Virtual Private Dial-Up Network (from 11.2), X.25, bandwidth on demand, custom queueing priorities, dial backup, dial-on-demand, header, link and payload(?) compression, snapshot routing, weighted fair queueing, BGP (11.0 only), no BGP4 at all, EGP (11.0 only), EIGRP, EIGRP optimization (from 11.2), IGRP, NHRP (11.0 only), on-demand routing (from 11.2), OSPF (11.0 only), PIM, policy-based routing, RIP, RIP2 (from 11.1), AURP, IPX RIP, RTMP, generic traffic shaping (from 11.2), AutoInstall, modem autoconfiguration (from 11.1), HTTP server (from 11.2), RMON events and alarms (from 11.1), SNMP, telnet, access lists, extended access lists, Lock and Key (from 11.1), MD5 routing authentication, RADIUS (from 11.1), TACACS+, protocol translation (LAT, telnet, PPP, rlogin, X.25, TN3270), ARAP 1.0/2.0, asynchronous master interfaces, PPP, SLIP, CPPP, CSLIP, ATCP, DHCP, IP pooling, IPX and ARAP on virtual async interfaces, IPXCP, MacIP, NASI (from 11.1), NetBEUI over PPP (from 11.1), login, telnet, X.25 PAD, LAT, TN3270, Xremote
Bugs in version 11.2 (only those that affect me).
11.2(7):
- sometimes a reload on show accounting
- control characters are stored incorrectly in a chat-script
- with ip identd on and tacacs+ configured, a reload happens if:
  - an external DNS is used
  - the TACACS+ server is down
  - the user went through enable
  - and issued telnet
- when formatting flash of types A6, A7, AA it is not recognized (Intel 28F004S5/08S5/16S5)
- removing ip default-network does not remove the gateway entry
- a Cisco 2511 may report that it is out of memory after a week of operation
11.2(6):
- don't do copy tftp flash between two Ciscos
- with dialer dtr the box does not raise the DTR signal
- the async controller sometimes hangs
- on low-speed ports you must set the MTU below 1498
- a malformed LCP NAK packet crashes the box
11.2(5):
- telnet can hang for 20 seconds
- an extended ACL sometimes lets fragments through if logging is set
11.2(4) and below:
- enabling TACACS+ slowly leaks memory (since 11.0(10))
- you cannot clear a telnet session with a non-empty input buffer
- sometimes a group of 4 serial ports hangs
- a memory leak after 29 hours of operation
- quickly finished tasks do not get into the tacacs+ accounting log
- non-TCP reverse connections can crash the box
- packets to TACACS+ may be delayed by 9 seconds if DNS is not configured on the router (either issue no ip domain-lookup, or add the TACACS+ server's IP address to the local host table)
Differences between versions (X.25, DECnet, AppleTalk, VINES, IBM, ATM not described)
New in version 11.0 (from 11.0(11) on only bugs are fixed):
- improvements in IP address pool handling - 11.0(3)
- Multilink PPP for PPP
- simultaneous use of flash from different manufacturers - 11.0(3) - requires boot loader 10.2(7a)
- PPP callback - 11.0(3)
- a lot of what was new in the initial release is not described
New in version 11.1 (from 11.1(6) on only bugs are fixed):
- NHRP for IPX
- fast installation of static routes (for backup);
- fast-switched GRE (generic routing encapsulation);
- RIPv2 (subnet masks, authentication, multicast, external route tags);
- redistribution from EIGRP into NLSP (IPX);
- input access lists for IPX;
- per-host route balancing for IPX;
- NLSP aggregation (IPX);
- IPX encapsulation in FDDI;
- header compression for IPX (30 bytes);
- VLAN routing;
- asynchronous ISDN (V.120);
- NetBEUI over PPP (NBFCP);
- modem autoconfiguration;
- NASI - dial-out service for IPX networks;
- ident (RFC 1413);
- RADIUS;
- Lock and Key - from 11.1(1) - dynamic generation of ACLs depending on the user name.
New in version 11.2:
- on-demand routing (ODR) - less load; no routing protocol needs to be configured on the "stub" router;
- OSPF on demand (RFC 1793) - allows OSPF over ISDN, X.25 SVC and modem lines;
- OSPF Not-So-Stubby Areas (NSSA) - allows "stub" routers to import the external routing table partially (for example, only the default);
- BGP4 soft configuration - allows configuring BGP4 without resetting the cache;
- BGP4 multipath support - load balancing across multiple exterior BGP peers;
- BGP4 prefix filtering with inbound route maps - lets you set the aggregation level of external routing tables;
- Network Address Translation (NAT) - lets hosts and subnets with local IP addresses connect to the Internet;
- named IP ACLs;
- integrated routing and bridging (IRB) - lets a VLAN extend across interfaces (IP, IPX, AppleTalk, transparent bridging only, not for X.25 and ISDN, not for Cisco 7000, cannot run in parallel with concurrent routing and bridging);
- show SAP by name (IPX);
- logging of IPX ACL violations;
- protocol and port names in IPX ACLs;
- configuration via the HTTP server (11.1(5));
- ClickStart - quick configuration of the Cisco 1000;
- RSVP (resource reservation protocol) - real-time multimedia applications;
- RED (Random Early Detection) - helps avoid network congestion (tells TCP applications to slow down);
- generic traffic shaping - helps avoid network congestion (at layer 2) by holding back response packets;
- router authentication;
- network-layer encryption;
- EIGRP optimization;
- Frame Relay SVC;
- traffic shaping over Frame Relay;
- NetFlow switching (only Cisco 7000 and 7500 with a Route Switch Processor) - speeds up ACL application and statistics collection;
- MMP (multichassis multilink PPP) - spreading PPP across channels on different boxes (within a single box this existed before);
- TACACS+ single connection (one TCP connection for everything);
- SENDAUTH in TACACS+ (improved security);
- VPDN - Virtual Private Dial-Up Network - based on the PPP name, a tunnel is built to the user's home network, independent of the physical nature of the connection and secure;
- Dialer profiles;
- CPP - Combinet's own protocol - compression and load distribution across several ISDN links;
- half-bridge/half-router for CPP and PPP - lets cheap bridges be attached to the network core.
You must order the product whose number ends with an equals sign.
IOS can be ordered in three forms:
- DOS diskette (EPROM, Flash);
- CD-ROM
- download from a TFTP server (only for devices with flash memory).
The product number is determined as follows:
- starts with SF and does NOT end with an equals sign - initial load at the factory
- starts with SF and ends with an equals sign - upgrade for Cisco 1003, 1004, 1005 for loading into flash
- starts with CD and ends with an equals sign - upgrade for a device that currently holds only the IP feature set;
- starts with SW and does NOT end with an equals sign - for loading into a new system;
- starts with SW and ends with an equals sign - upgrade for a system previously shipped on ROM or diskette;
- starts with FR - a usage license;
- starts with SWR and ends with an equals sign - spare software shipped on ROM for the Cisco 7000.
Delivery is in the form of feature packs: a CD-ROM with one or more IOS images and an installation program for MS Windows 95, installation instructions (including using TFTP instead of the installation program), the license, and a CD-ROM with documentation.
Our routers run IOS version 11.1(12) on the internal ones and 11.2(5) on the external one, although 11.2(7a) was already released on 18-jul-97; the internal ones don't have enough flash for version 11.2.
Take the box out, connect a terminal (or a PC with TELEMATE) to the console port (or to the auxiliary port of a previously configured Cisco and log in by reverse telnet), attach all the cables we need (synchronous, Ethernet, modems), power it up and start configuring. On first power-up IOS tries to download a configuration from the WAN; you can wait a few minutes to let it realize there is nothing at the other end, or temporarily disconnect the synchronous cable. Having failed, IOS offers to run the setup command; agree! In that case IOS asks you a few questions and configures itself.
Configuration is done in the following ways:
- command interface: telnet router-name, then at the router-name> prompt
- from a terminal: conf term
- NVRAM: conf memory
- from the network: conf network
- via WWW (from versions 11.0(6), 11.1(5); not all features): ip http server
- ClickStart (standard configurations).
General information about the command language:
- help: at any moment you can type "?" and the box will print a list of commands or operands;
- any keyword or name can be abbreviated to the shortest unambiguous form;
- if the terminal is configured properly, the command line can be edited as in emacs or bash;
- almost any command can be prefixed with no.
Privilege levels: 16 privilege levels are provided, from 0 to 15. Without additional configuration, level 0 is the user level: only "safe" commands are available. Level 15 is the supervisor level: all commands are available. Switching between levels is done with the command:
enable [level-number]
Any command can be moved to a level other than its standard one; any user can be assigned a specific level that is set when that user logs in to the box; in this way users' rights can be fine-tuned (only the help is hard to use then :(
Command language modes:
- user mode
- privileged mode:
  - top level
  - global configuration mode:
    - the top level of configuration itself
    - interface configuration
      - subinterface configuration (serial in Frame Relay mode)
    - controller configuration (T1)
    - hub configuration (Cisco 2500, Ethernet)
    - map list configuration (ATM and Frame Relay)
    - map class configuration (Quality of Service over Switched Virtual Circuit: ATM, Frame Relay or dialer)
    - line configuration
    - router configuration (bgp, egp, igrp, eigrp, is-is, iso-igrp, mobile, OSPF, RIP, static)
    - IPX router configuration
    - route-map configuration
    - key chain configuration with its submodes (RIP authentication)
    - response time reporter configuration
    - LANE database configuration (ATM)
    - APPN command mode with its submodes (Advanced Peer-to-Peer Networking, second-generation SNA)
    - IBM channel attach command mode with its submodes (Cisco 7000 with CIP)
    - TN3270 server command mode
    - access list configuration (for named IP ACLs)
    - hex input mode (entering the public key for encryption)
    - crypto map configuration
- ROM monitor (press break during the first 60 seconds of boot; it has help too).
Command line editing
Comments start with an exclamation mark but are not saved in NVRAM.
Set the command history size: terminal history size size
Previous/next command: Ctrl-P/Ctrl-N or up/down arrow
Enable/disable editing: [no] terminal editing
Character forward/back: Ctrl-F/Ctrl-B or right/left arrow
To the start/end of the line: Ctrl-A/Ctrl-E
Word forward/back: Esc F/Esc B
Command completion: Tab or Ctrl-I
Recall from the buffer/recall the next one: Ctrl-Y/Esc Y
Delete the character left of the cursor/under the cursor: Delete/Ctrl-D
Delete all characters to the start/end of the line: Ctrl-U/Ctrl-K
Delete the word left/right of the cursor: Ctrl-W/Esc D
Redraw the line: Ctrl-L/Ctrl-R
Transpose characters: Ctrl-T
Escape a character: Ctrl-V or Esc Q
Working with flash memory (IOS lives in it and runs from it) and NVRAM (the configuration)
THREE programs live on the box: the ROM monitor (the boot loader and debugger, dumb beyond belief; you land in it if the configuration register is set accordingly, or if you pressed BREAK during boot and that is not disabled); the system in ROM (a cut-down and very old IOS, 9.1, used if no more suitable one could be found in flash or over the network, or on a manual boot from the ROM monitor); and the system in flash, the version you installed yourself.
The manual warns that on a Sun the TFTP server must be configured to generate and verify UDP checksums (I did nothing). Everywhere, rcp (rsh) can be used instead of TFTP, but I'm too lazy to keep track of security in that case.
To see what is in there: show flash all
  System flash directory:
  File  Length   Name/status
          addr      fcksum  ccksum
    1   3243752  igs-i-l.110-1
          0x40      0xB5C4  0xB5C4
  [3243816 bytes used, 950488 available, 4194304 total]
  4096K bytes of processor board System flash (Read ONLY)
       Chip   Bank   Code   Size     Name
         1      1    89A2   1024KB   INTEL 28F008SA
         2      1    89A2   1024KB   INTEL 28F008SA
         3      1    89A2   1024KB   INTEL 28F008SA
         4      1    89A2   1024KB   INTEL 28F008SA
  Executing current image from System flash
You can have two files in flash only if there are two memory banks (I don't have that) and you perform a special procedure (IOS has to relocate addresses, since it runs from flash!). The letter l in the file name means exactly that the addresses can be relocated.
To see how many times things were written there: show flash err (in my opinion it shows nonsense).
Copy from flash to tftp: copy flash tftp, after which you are asked for the server name, the source file name and the destination file name (the file must already exist with permissions 666).
Copy the configuration to tftp: copy startup-config/running-config tftp
Load the configuration from tftp: copy tftp startup-config/running-config (in my opinion, if you load the running configuration, it is merged rather than copied).
Copy from tftp to flash (if there is enough memory!!!): copy tftp flash
Obviously, if IOS runs from flash, you should not load new flash contents while IOS is running; you have to boot from ROM (either by pressing Break during boot, or by issuing no boot system flash). Like hell! In reality nothing is as in the book. You must issue copy tftp flash right from IOS (since the bootstrap has no such command at all); the flash load helper is started, which asks all the necessary questions, then restarts the box from ROM, erases flash, and copies the file from tftp (log in only from the console, otherwise you won't see anything and won't learn about errors ;). After that you need to save the configuration (copy run start). It would still be interesting to know how to get out of the situation if something went wrong. By the way, it is recommended to save the configuration somewhere on tftp before changing flash. P.S. it could still have been done by booting from ROM (not the ROM monitor but the ROM IOS) by setting the low 4 bits of the configuration register to 0-0-0-1.
Copy the running configuration to the startup configuration: copy run start
Copy the startup configuration to the running one: copy start run
Show the state: show version
Verify the checksum: verify flash
Configuration file compression works only on Cisco 3xxx and Cisco 7xxx.
Re-execute the configuration file: configure memory
Erase the configuration: erase startup
Show the running/startup configuration: show run/start
Only parameters that differ from the defaults are written to NVRAM.
Configuration register: 16 bits. Changed with the command: config-register.
The low 4 bits (3, 2, 1 and 0) form the boot field:
- 0-0-0-0 boot the ROM monitor instead of IOS
- 0-0-0-1 boot the boot ROM image
- between 0-0-1-0 and 1-1-1-1: boot whatever is specified by the boot system command (if nothing is specified, boot a file from a network server with a default name derived from the register value). Several boot system commands can be given. Just don't specify a file name in boot system flash (there is exactly one file anyway, and after flashing a new IOS version the loader would stubbornly look for the old file).
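To decode a register value the way the boot field is described above, here is an added example (mine, not from these notes or from Cisco); beyond the boot field it also reads bit 6 (ignore NVRAM), bit 8 (console BREAK disabled) and bit 13 (fall back to ROM), which are the standard IOS meanings and are not mentioned in the notes.

```python
# Added example: decode a 16-bit IOS configuration register.
#   bits 0-3   boot field, as described in the notes above
#   bit 6      0x0040  ignore the NVRAM configuration at boot
#   bit 8      0x0100  console BREAK disabled (cannot drop to the ROM monitor)
#   bit 13     0x2000  boot the ROM image if a network boot fails
# All other bits are ignored here.

IGNORE_NVRAM = 0x0040
BREAK_DISABLED = 0x0100
ROM_FALLBACK = 0x2000


def parse_register(text):
    """Accept the value as IOS prints or takes it ('0x2102' or '2102')."""
    text = text.strip().lower()
    if text.startswith("0x"):
        text = text[2:]
    value = int(text, 16)
    if not 0 <= value <= 0xFFFF:
        raise ValueError("configuration register is 16 bits wide")
    return value


def decode_register(value):
    boot_field = value & 0xF
    if boot_field == 0:
        boot = "ROM monitor"
    elif boot_field == 1:
        boot = "boot ROM image (cut-down IOS in ROM)"
    else:
        # With no 'boot system' commands IOS net-boots a file whose default
        # name is derived from the boot field value: cisco<n>-<processor>.
        boot = "boot system commands (default net image cisco%d-<processor>)" % boot_field
    return {
        "boot_field": boot_field,
        "boot": boot,
        "ignore_nvram": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
        "rom_fallback": bool(value & ROM_FALLBACK),
    }


def register_findings(value):
    """What an administrator wants flagged before leaving a box in a rack."""
    d = decode_register(value)
    findings = []
    if d["boot_field"] == 0:
        findings.append("boot field 0: the router will stop in the ROM monitor, not run IOS")
    if d["ignore_nvram"]:
        findings.append("bit 6 set: NVRAM configuration is ignored at boot "
                        "(usually left over from a password-recovery session)")
    if not d["break_disabled"]:
        findings.append("bit 8 clear: BREAK on the console during boot drops to the "
                        "ROM monitor, so console access bypasses the saved configuration")
    return findings


if __name__ == "__main__":
    for text in ("0x2102", "0x2142", "0x0"):
        v = parse_register(text)
        print(text, decode_register(v), register_findings(v))
```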
Network configuration file (default file name: network-config):
boot network [tftp] file-name [ip-address]
service config
Host configuration file (default file name: network-config):
boot host [tftp] file-name [ip-address]
service config
Reload:
- plain reload: reload
- reload at a specific time: reload at hh:mm [month day] [reason]
- reload after a specified interval: reload in [hh:]mm [reason]
- cancel a pending reload: reload cancel
Automated configuration
ClickStart: configuring Cisco 1003, 1004 and 1005 via WWW (single-port ISDN, Frame Relay and async routers).
AutoInstall: you power on a new router and it looks for a previously configured router (Ethernet, FDDI, HDLC, Frame Relay); it requires so much preparation that it is easier to do everything by hand (unless you have to install a hundred boxes).
Setup: interactive parameter entry. Requires a console terminal connection (I use the AUX port of a neighbouring box).
There is also streamlined setup (when an RXBOOT ROM is installed and insurmountable problems arise): it asks the minimum number of questions needed to find a boot image and a configuration file.
CHasy
(sbrasyvayutsya dazhe pri
perezagruzke na 1 marta 1993 goda)
are stored in UTC (Coordinated Universal Time) format, which is the same thing as GMT.
The protocols used are NTP (receive and transmit; enabled by default; the time survives a reboot and a power-off of a couple of minutes) and SNTP on the Cisco 1000 series (receive only; disabled by default).
- view:
show clock [detail]
- set manually:
clock set hh:mm:ss day month year
- NTP authentication:
  - ntp authenticate - enable it
  - ntp authentication-key number md5 value - set the key value
  - ntp trusted-key key-number - whoever knows this key may synchronize us
- define peers:
ntp peer ip-address [version number] [key key-number] [source interface] [prefer]
- define a server:
ntp server ip-address [version number] [key key-number] [source interface] [prefer]
- broadcast transmission:
ntp broadcast [version version]
- receive broadcasts:
ntp broadcast client
- set the assumed delay for broadcast reception:
ntp broadcastdelay microseconds
- access control (the ACL number is defined with the basic access-list command) (by default everything is permitted, even synchronization with unknown systems! - to do):
ntp access-group query-only/serve-only/serve/peer ACL-number
- disable the NTP service on a given interface:
ntp disable
- if the Cisco has several IP addresses, the source IP address used in NTP packets can be set:
ntp source interface
- declare the Cisco an authoritative time source even if it is not synchronized with the outside world:
ntp master [stratum]
- set the size of the hardware tick (theoretically 250 Hz) in units of 2^-32:
ntp clock-period units
- maximum number of NTP peers (to do!):
ntp max-associations number
- view the status:
show ntp status
- view the list of peers:
show ntp associations [detail]
- where SNTP will request NTP packets from:
sntp server address [version version]
- SNTP will take NTP packets from broadcast streams:
sntp broadcast client
- view the SNTP state (Cisco 100x):
show sntp
- set the time zone - why only a whole number of hours?:
clock timezone name(MSK) offset(3)
- set summer time by rule (last Sun Mar 2:00 last Sun Sep 2:00):
clock summer-time name(MSD) recurring first/last/start-week-number day-of-week month hh:mm first/last/end-week-number day-of-week month hh:mm [offset-in-minutes]
- set summer time with explicit dates:
clock summer-time name date start-month day year hh:mm end-month day year hh:mm [offset-in-minutes]
- the Cisco 4500 and Cisco 7000 have a battery-backed calendar.
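As an added example (not from the original notes or from Cisco), the Python below resolves a recurring summer-time rule of the form used in these notes, "clock summer-time MSD recurring last Sun Mar 2:00 last Sun Oct 2:00", to concrete transition dates for a given year; it assumes the English day and month abbreviations that IOS accepts and handles the first/last/N-th week forms of the rule.

```python
from datetime import date, datetime, time, timedelta

WEEKDAYS = {"Mon": 0, "Tue": 1, "Wed": 2, "Thu": 3, "Fri": 4, "Sat": 5, "Sun": 6}
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

def nth_weekday(year, month, week, weekday):
    """Date of the 'first', 'last' or N-th (1-5) occurrence of a weekday in a month."""
    if week == "last":
        # walk back from the last day of the month (day before the 1st of next month)
        d = date(year + (month == 12), month % 12 + 1, 1) - timedelta(days=1)
        while d.weekday() != weekday:
            d -= timedelta(days=1)
        return d
    n = 1 if week == "first" else int(week)
    d = date(year, month, 1)
    while d.weekday() != weekday:
        d += timedelta(days=1)
    return d + timedelta(weeks=n - 1)

def summer_time_transitions(command, year):
    """Resolve a 'clock summer-time NAME recurring ...' line for one year.
    Returns (start, end, offset_minutes); start and end are naive local datetimes."""
    p = command.split()
    if p[:2] != ["clock", "summer-time"] or p[3] != "recurring":
        raise ValueError("only the recurring form is handled here")

    def resolve(week, day, month, hhmm):
        h, m = map(int, hhmm.split(":"))
        return datetime.combine(
            nth_weekday(year, MONTHS[month], week, WEEKDAYS[day]), time(h, m))

    start, end = resolve(*p[4:8]), resolve(*p[8:12])
    offset = int(p[12]) if len(p) > 12 else 60   # IOS default offset: 60 minutes
    return start, end, offset
```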
Running a TFTP server on the Cisco:
- serve the contents of flash (what is stored there is not necessarily IOS):
tftp-server flash filename [alias alias] [acl]
- serve the contents of ROM (can be done at the same time as flash):
tftp-server rom filename [alias alias] [acl]
Running a RARP server on the Cisco (to actually use it, a pile of extra conditions has to be met: provide UDP broadcast forwarding - ip forward-protocol udp 111; fill the ARP table with the clients' MAC addresses; ip helper-address address-of-the-real-server. The problems are said to come from the unfinished rpc.bootparamd in SunOS; judging by our printer, that is indeed the case):
cat(config-if)>ip rarp-server ip-address-of-the-real-server
rcp and rsh service:
- defining the user database (I don't know what the catch is, but I had to set both the local and the remote name to my own):
ip rcmd remote-host local-username ip-address/host remote-username [enable [level]]
- starting the rcp server (and what could it be used for?):
ip rcmd rcp-enable
- starting the rsh server (need to get rid of expect when collecting statistics):
ip rcmd rsh-enable
HTTP server (when logging in, give the Cisco's name as the username and the enable password as the password) - of no use whatsoever:
ip http server
ip http port 80
prompt string - change the standard prompt
hostname name - the router's name
alias EXEC-level alias-name command-text - create command aliases (shortcuts)
show aliases [EXEC-level] - view the list of aliases
load-interval seconds - length of the interval over which the average load is computed
Commands common to all interfaces
description text-string
hold-queue length in/out - set the buffer size
bandwidth kilobits - used, for example, to tune TCP parameters
delay tenths-of-milliseconds - information for some routing protocols (or tens of microseconds)
keepalive seconds - how often to send packets to check that the line is alive (the interface is considered down if no reply arrives within 3 intervals)
mtu bytes
Serial asynchronous
async: 8 of them on a Cisco 2509, 16 on a Cisco 2511; the AUX port can also be used, but I VERY much advise against it (defective hardware implementation: speed 38400, everything done in software, including synchronization).
The physical line itself has to be configured separately with the line command.
Entering interface configuration mode:
interface async port-number
Encapsulation: two methods are supported, SLIP and PPP. We will forget about SLIP right away.
Mode: interactive or dedicated; in the latter case EXEC is not started, so the address and other parameters cannot be changed:
async mode interactive/dedicated
Allow dynamic routing protocols:
async dynamic routing
Group configuration (so many error warnings that it is better not to touch it)
- defining the group:
interface group-async unit-number
common commands
member number individual-command
group-range low-number high-number - building of the configuration starts right here
Hub (2505, 2507, 2516)
hub ethernet number port
no shutdown
auto-polarity
link-test
source-address [MAC-address] - pass only packets from this MAC address
Loopback (allows a BGP session to be kept up even if the other interfaces go down)
interface loopback number
Null (allows everything unwanted to be routed to /dev/null)
interface null 0
Synchronous serial interface (serial)
interface serial number
encapsulation atm-dxi/hdlc/frame-relay/ppp/sdlc-primary/sdlc-secondary/smds/stun/x25 - HDLC by default (there is error detection, but no retransmission of incorrectly transmitted data)
compress stac - turn it off if CPU load exceeds 65%
pulse-time seconds - how long a pause to make when the carrier drops
Tunnel (encapsulating packets of one protocol inside packets of another)
What it is for:
- a multiprotocol LAN over a single-protocol backbone
- getting around protocols that limit the number of intermediate hops
- virtual private networks over a WAN
Components:
- the passenger protocol
- the carrier protocol
- the encapsulation protocol (usually GRE; the others only in exceptional cases)
Warnings:
- high CPU load
- possible security breach
- increased delay
- multiple tunnels can flood the channel with routing information
- a routing protocol may prefer the tunnel as the supposedly shortest route
- recursive routes may appear
interface tunnel number
here the protocols allowed to be tunneled should be described
tunnel source ip-address-or-interface
tunnel destination ip-address-or-interface
tunnel mode aurp/cayman/dvmrp/eon/gre ip/nos - selects the encapsulation protocol
tunnel checksum - all bad packets will be discarded (some protocols require this)
tunnel key number - must be identical at both ends (weak protection)
tunnel sequence-datagrams - discard packets that arrive out of order (some protocols require this)
Management and monitoring
show async status
show interface async number
show compress
show controller controller-name
show interface accounting
show interface type number
clear counters type number
show protocols
show version
clear interface type number
clear line number
shutdown
no shutdown
down-when-looped - consider the interface down if loopback is enabled on it (needed for backup)
Dynamic allocation of IP addresses from a local pool, keeping them assigned to users
ip address-pool local
ip local pool default start-ip-address end-ip-address
interface Group-Async1
ip unnumbered Ethernet0
ip tcp header-compression passive
encapsulation ppp
bandwidth 112
delay 20000
keepalive 10
async mode interactive
no cdp enable
here I also used to say: peer default ip address pool, but it has gone somewhere (it is the default, I suppose)
group-range 1 16
if someone's address has to be set explicitly, say:
member number peer default ip address IP-address
it did not work in version 11.0(1); in version 11.1(12) it seems to work
Configuring the Cisco as a simple terminal server
An example configuration with comments.
service tcp-small-servers # lets the Cisco answer all sorts of small requests like echo, chargen etc.
hostname cat2511-wb # the Cisco's name; shown in the prompt and, probably, somewhere else
clock timezone MSK 3 # time zone
clock summer-time MSD recurring last Sun Mar 2:00 last Sun Oct 2:00 # summer time
enable secret # encrypted superuser password
enable password # not used if the encrypted one exists
ip subnet-zero # have not looked into it
ip tcp synwait-time 120 # what is this for
ip tcp path-mtu-discovery # automatic adjustment to the MTU size
ip accounting-threshold 256 # have not looked into it
ip accounting-list 194.84.39.0 0.0.0.255 # have not looked into it
interface Ethernet0 # start configuring the Ethernet port
ip address 194.84.39.24 255.255.255.224 # IP address and mask of the Ethernet port (the Cisco's main address)
ip address 194.87.163.24 255.255.255.224 secondary # if we have two blocks of IP addresses (which we had while moving from one ISP to another)
exit # leave Ethernet configuration
interface Serial0 # start configuring the synchronous serial port
no ip address # we don't have one
shutdown # -//-
exit # leave port configuration
interface Serial1 # start configuring the synchronous serial port
no ip address # we don't have one
shutdown # -//-
exit # leave port configuration
ip domain-name deol.ru. # our domain name
ip name-server 194.84.39.28 # DNS server address (there can be up to 6 of them)
ip route 0.0.0.0 0.0.0.0 194.84.39.26 # default route (everything that is not on our ports is passed to a "smarter" Cisco)
snmp-server community public RO # allow SNMP management (read only)
line con 0 # start configuring the console port
exec-timeout 0 0 # disable the timeout
exit # leave port configuration
line 1 16 # start configuring the asynchronous serial ports
exec-timeout 0 0 # disable the timeout
modem InOut # handle the modem signals
autocommand telnet 194.84.39.28 # on entering the line the Cisco forcibly issues the telnet... command, which keeps the user from doing anything else (unless, of course, you know how to get out of it)
transport input none # does not allow dialing out from our modems (by entering the line via reverse telnet)
transport preferred none # just in case
escape-character NONE # does not allow leaving telnet
stopbits 1
rxspeed 115200 # speed between the modem and the Cisco
txspeed 115200 # speed between the Cisco and the modem
flowcontrol hardware
exit # leave port configuration
line aux 0 # configuring the auxiliary asynchronous serial port
transport input all # maybe another Cisco's console will be connected here
exit # leave port configuration
line vty 0 4 # configuring the virtual terminals (we land on them when we telnet into the Cisco)
exec-timeout 0 0 # disable the timeout
password # the line password; unfortunately, not encrypted
login # the Cisco will ask for the password on entering this line (in this case via telnet)
exit # leave port configuration
Configuring an external access server (tacacs+)
An access server (tacacs+) is a program that runs on a UNIX computer and answers the Cisco's questions of the kind: does such a user exist, what rights does he have; it also keeps a log of visits. For configuring the server see the separate chapter; the Cisco is configured like this:
aaa new-model # we will use tacacs+, not the old variants
aaa authentication login default tacacs+ enable # by default, check every login on a line with the tacacs+ server, and if it does not respond, ask for the superuser password
aaa authentication ppp default if-needed none # when PPP starts, check the user if he has not been checked before (maybe this can be turned off by now?)
aaa authorization exec tacacs+ if-authenticated # check the right to start EXEC (that is what the Cisco calls the shell) with the tacacs+ server, and if it is unavailable, grant permission if the user's identity has been verified - only thanks to this line does the tacacs+ server return the autocommand (in our case telnet or ppp)
aaa authorization commands 1 tacacs+ if-authenticated # check the right to execute level 1 (unprivileged) commands with the tacacs+ server, and if it is unavailable, grant permission if the user's identity has been verified
aaa authorization commands 15 tacacs+ if-authenticated # check the right to execute level 15 (privileged) commands with the tacacs+ server, and if it is unavailable, grant permission if the user's identity has been verified
aaa authorization network tacacs+ if-authenticated # check rights when someone comes in to us over the network, using the tacacs+ server, and if it is unavailable, grant permission if the user's identity has been verified
aaa accounting network stop-only tacacs+ # send an accounting record to the tacacs+ server when a network event ends (the end of a PPP session, for example)
aaa accounting connection stop-only tacacs+ # send an accounting record to the tacacs+ server when a telnet session ends
aaa accounting system stop-only tacacs+ # send an accounting record to the tacacs+ server when a system event ends (a reboot, for example)
The command aaa authentication local-override should also work (provided, of course, that a user is first created on the Cisco with username admin privilege 15 password ), which allows the local user database to be used; but such users turn out to have no rights at all (they cannot even start EXEC :( Excellent! I use this to bar the user bbs from logging in to the Cisco with the fast modems, without having to deal with the tacacs+ server.
tacacs-server host 194.84.39.28 # address of the computer running the tacacs+ server
tacacs-server host 194.84.39.27 # address of the computer running the backup tacacs+ server (in reality it is not running, but it can be started when needed)
tacacs-server key # the key used to encrypt the messages between the Cisco and the tacacs+ server
Configuring PPP access
Configuring the default route