Created 2000-2001: Christian Hascoët (CCR)
ARS 00/01
Outline
The main commands for configuring a Cisco router:
    Interface commands
    Filtering
    Global commands
    Routing commands (see the corresponding course)
    Line commands (console, vty)
Configuration: overview
Global commands:
    Services, DNS, NTP, IOS, logging, statistics, customization ...
Interface Type N:
    Configuration of the interface
Routing: protocol, static routes
Filtering: security, routing, access to the router
Line commands: console, vty 0 4
Line X:
    Configuration of line X
...
Initialization
Router boot:
    --- System Configuration Dialog ---
    At any point you may enter a question mark '?' for help.
    Use ctrl-c to abort configuration dialog at any prompt.
    Default settings are in square brackets '[ ]'.

    Would you like to enter the initial configuration dialog? [yes]:
    First, would you like to see the current interface summary? [yes]: n
    Configuring global parameters:
      Enter host name [Router]:
    Would you like to terminate autoinstall? [yes]: yes
Interface configuration
The interface configuration is where addressing is mainly specified, but also filtering, the encapsulation type and queue management.
Example: GRE tunnel between two Cisco routers
    interface tunnel X
     description Tunnel GRE vers cisco distant
     ip unnumbered Type N
     bandwidth 256
     tunnel source <an IP address of the router *>
     tunnel destination <remote router>
[Figure: network IP1 (with subnet(s) of IP1) and network IP2 joined by a tunnel across the Internet]
Access lists
Everything that is not explicitly permitted is denied.
An access list can be used to filter:
    packets in transit through the router (filtering at the interface level)
    routing information (coming to or leaving the router)
    access to the router ...
Access-list numbering (excerpt of the access-list ? help):
    <1000-1099>  IPX SAP access list
    <1100-1199>  Extended 48-bit MAC address access list
    <1200-1299>  IPX summary address access list
Well-known ports (in /etc/services format):
    domain  53/tcp
    domain  53/udp
    tftp    69/udp
    finger  79/tcp
    http    80/tcp  www
    ...
Standard IP access list
1 ≤ N ≤ 99 (source address only)
    Router(config)# access-list 1 permit | deny ?
      A.B.C.D  Address to match
      W.X.Y.Z  Wildcard bits
      any
      host
Example:
    access-list 1 permit 172.16.250.0 0.0.0.255   (hosts 0-255)
    access-list 1 permit 192.168.5.16 0.0.0.15    (hosts 16-31)
    access-list 1 deny any                        (added implicitly)
Extended IP access list
100 ≤ N ≤ 199
source and destination (+ source and/or destination port)
    Router(config)# access-list 100 permit ?
      ip           Any Internet Protocol
      tcp          Transmission Control Protocol
      udp          User Datagram Protocol
      icmp         Internet Control Message Protocol
      <0-255>      An IP protocol number
      gre, ipinip  Cisco tunnel or IP-in-IP
      igmp         Internet Gateway Message Protocol
Extended IP access list: IP
    Router(config)# access-list 100 permit ip any any ?
      log   Log matches against this entry
      tos   Match packets with given TOS value
      <cr>
Extended IP access list: TCP (port operators and options)
    eq           Match only packets on a given port number
    neq          Match only packets not on a given port number
    lt           Match only packets with a lower port number
    gt           Match only packets with a greater port number
    range        Match only packets in the range of port numbers
    established  Match established connections
    precedence   Match packets with given precedence value
    tos          Match packets with given TOS value
    log          Log matches against this entry
    <cr>
Extended IP access list: ICMP message types (excerpt)
    echo, echo-reply, host-redirect, host-unknown, host-unreachable,
    mask-reply, mask-request, source-quench, time-exceeded, traceroute, ...
Filtering: application
For an interface:
    interface Type N
[Figure: router with interface Type N; the access list is applied to the interface in the IN or the OUT direction]
Filtering: examples
    access-list 100 permit tcp any any established
    access-list 100 deny ip 172.25.0.0 0.0.255.255 any log        (spoofing)
    access-list 100 deny ip any 0.0.0.0 255.255.255.0 log          (broadcast)
    access-list 100 deny tcp any any range 161 162 log             (snmp)
    access-list 100 permit ip any host 172.25.1.215                (DMZ)
    access-list 100 permit tcp any host 172.25.240.4 eq smtp       (Mail)
    access-list 100 deny tcp any any range 0 37 log
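To check how the standard list 1 and the extended list 100 above actually behave, here is an added Python evaluator written for this page; it is not IOS code and not part of the original course. It re-implements the rules stated on the slides (first match wins, implicit deny at the end, wildcard bits set to 1 are ignored, `established` matches TCP segments carrying ACK or RST). The lists are the slides' own; the packets it evaluates are constructed, and the port-name table is limited to the names that appear on these slides.

```python
"""Cisco-style IP access-list evaluator (added example, not IOS code).
Rules as on the slides: first matching entry wins, an implicit "deny any"
closes every list, wildcard bits set to 1 are "don't care", and
"established" matches TCP segments carrying ACK or RST."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # "any": address 0.0.0.0, wildcard all ones
PORT_OPS = ("eq", "neq", "lt", "gt", "range")
PORT_NAMES = {"smtp": 25, "domain": 53, "tftp": 69, "finger": 79, "www": 80}  # names on the slides

# The slides' own lists (the parenthesised comments dropped).
ACL_1 = ["access-list 1 permit 172.16.250.0 0.0.0.255",
         "access-list 1 permit 192.168.5.16 0.0.0.15"]
ACL_100 = ["access-list 100 permit tcp any any established",
           "access-list 100 deny ip 172.25.0.0 0.0.255.255 any log",
           "access-list 100 deny ip any 0.0.0.0 255.255.255.0 log",
           "access-list 100 deny tcp any any range 161 162 log",
           "access-list 100 permit ip any host 172.25.1.215",
           "access-list 100 permit tcp any host 172.25.240.4 eq smtp",
           "access-list 100 deny tcp any any range 0 37 log"]

@dataclass
class Packet:                       # constructed packets, not captured traffic
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags, e.g. frozenset({"SYN"})

@dataclass
class Entry:
    text: str
    action: str
    proto: str                      # "ip" matches every IP protocol
    src: Tuple[str, str]            # (address, wildcard)
    dst: Tuple[str, str]
    sport: Optional[tuple] = None   # (operator, [ports]) or None
    dport: Optional[tuple] = None
    established: bool = False

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Compare only the bits where the wildcard is 0 (0.0.0.15 spans 16 addresses)."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def port_match(spec, port: int) -> bool:
    if spec is None:
        return True
    op, p = spec
    return {"eq": port == p[0], "neq": port != p[0], "lt": port < p[0],
            "gt": port > p[0], "range": p[0] <= port <= p[-1]}[op]

def _addr(tok):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' from the token list."""
    if tok[0] == "any":
        return ANY, tok[1:]
    if tok[0] == "host":
        return (tok[1], "0.0.0.0"), tok[2:]
    return (tok[0], tok[1]), tok[2:]

def _port(tok):
    """Consume an optional port operator and its one or two operands."""
    if not tok or tok[0] not in PORT_OPS:
        return None, tok
    n = 2 if tok[0] == "range" else 1
    ports = [PORT_NAMES[t] if t in PORT_NAMES else int(t) for t in tok[1:1 + n]]
    return (tok[0], ports), tok[1 + n:]

def parse_entry(line: str) -> Entry:
    tok = line.split()
    number, action, tok = int(tok[1]), tok[2], tok[3:]
    if number <= 99:                # standard list (1-99): source address only
        src, tok = _addr(tok)
        return Entry(line, action, "ip", src, ANY)
    proto, tok = tok[0], tok[1:]
    src, tok = _addr(tok)
    sport, tok = _port(tok)
    dst, tok = _addr(tok)
    dport, tok = _port(tok)
    return Entry(line, action, proto, src, dst, sport, dport, "established" in tok)

def matches(e: Entry, pkt: Packet) -> bool:
    if e.proto not in ("ip", pkt.proto):
        return False
    if not (wildcard_match(pkt.src, *e.src) and wildcard_match(pkt.dst, *e.dst)):
        return False
    if (e.sport or e.dport) and pkt.proto not in ("tcp", "udp"):
        return False
    if not (port_match(e.sport, pkt.sport) and port_match(e.dport, pkt.dport)):
        return False
    return not e.established or (pkt.proto == "tcp" and bool(pkt.flags & {"ACK", "RST"}))

def evaluate(acl: List[str], pkt: Packet) -> Tuple[str, str]:
    """Return (action, matching entry text); the implicit deny closes every list."""
    for e in map(parse_entry, acl):
        if matches(e, pkt):
            return e.action, e.text
    return "deny", "implicit deny"
```

`evaluate(ACL_100, Packet("tcp", "1.2.3.4", "172.25.1.1", 4000, 161, frozenset({"SYN"})))` returns the SNMP deny, while the same packet with ACK set is accepted by the first entry: `established` lets return traffic through, but it is a stateless check on TCP flags, not a connection table, so the order of the entries decides what it lets past the later denies.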
Filtering: display
    show access-list 100
    Extended IP access list 100
        deny ip 10.0.0.0 0.255.255.255 any log (973 matches)
        deny ip 172.16.0.0 0.15.255.255 any log (2695 matches)
        deny ip 192.168.0.0 0.0.255.255 any log (952 matches)
        permit ip any any (234454800 matches)
    sh access-list 1
    Standard IP access list 1
        deny   0.0.0.0
        deny   10.0.0.0, wildcard bits 0.255.255.255
        deny   172.16.0.0, wildcard bits 0.15.255.255
        deny   192.168.0.0, wildcard bits 0.0.255.255
        permit any
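Added example, not from the course: a small Python parser for the `show access-list` output above, turning the per-entry hit counters into numbers that can be trended, for instance to confirm that the anti-spoofing denies keep firing or to see which entries grew between two runs. The sample text is the slide's output re-typed; the second snapshot used in the test is constructed by bumping one counter.

```python
"""Parse 'show access-list' output into per-entry hit counters (added example, not IOS code)."""
import re
from typing import Dict, List, Tuple

# The slide's output, re-typed; counters are the slide's figures.
SHOW_OUTPUT = """\
Extended IP access list 100
    deny ip 10.0.0.0 0.255.255.255 any log (973 matches)
    deny ip 172.16.0.0 0.15.255.255 any log (2695 matches)
    deny ip 192.168.0.0 0.0.255.255 any log (952 matches)
    permit ip any any (234454800 matches)
Standard IP access list 1
    deny   0.0.0.0
    deny   10.0.0.0, wildcard bits 0.255.255.255
    deny   172.16.0.0, wildcard bits 0.15.255.255
    deny   192.168.0.0, wildcard bits 0.0.255.255
    permit any
"""

HEADER = re.compile(r"^(Standard|Extended) IP access list (\d+)\s*$")
# Entry lines are indented; the "(N matches)" suffix is absent when the counter is zero.
ENTRY = re.compile(r"^\s+(permit|deny)\s+(.*?)(?:\s+\((\d+) matches\))?\s*$")


def parse_show_access_list(text: str) -> Dict[str, List[dict]]:
    """Map list number -> entries [{action, rule, matches}] in list order."""
    lists, entries = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries = lists.setdefault(m.group(2), [])
            continue
        m = ENTRY.match(line)
        if m and entries is not None:
            entries.append({"action": m.group(1), "rule": m.group(2).strip(),
                            "matches": int(m.group(3) or 0)})
    return lists


def deny_hits(lists: Dict[str, List[dict]], number: str) -> int:
    """Total packets dropped by one list: a single figure to trend over time."""
    return sum(e["matches"] for e in lists[number] if e["action"] == "deny")


def counter_deltas(before, after, number: str) -> List[Tuple[str, int]]:
    """Entries whose counters grew between two snapshots of the same list."""
    return [(a["rule"], a["matches"] - b["matches"])
            for b, a in zip(before[number], after[number]) if a["matches"] > b["matches"]]
```

Standard-list entries on the slide carry no counter at all, so they parse as zero hits; an entry that never accumulates hits is worth a second look, either because nothing reaches it or because the list is not applied where one thinks it is.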
Line commands (vty)
    line vty 0 4
     access-class 98 in
     exec-timeout 0 0
     login
     password XXXX
     history size 30
     transport input telnet
     transport output telnet
IOS management
    copy flash tftp   : back up the IOS image to a tftp server
    copy tftp flash   : load an IOS image from a tftp server
    Flash: bootflash, slot0 or slot1 (PCMCIA)
    format
    delete            : delete a file from the flash
    squeeze "flash:"  : remove the deleted files (reclaim space)
    dir [device:]     : list the files of a flash device
    pwd, cd
    erase device: | startup-config
    show bootflash:
    -#- ED --type-- --crc--- -seek-- nlen -length- -----date/time------ name
    1   .. image    E87BFDE9 3121C8  25   2957640  Mar 13 2000 10:35   c7200-boot-mz_120-9S.bin
NTP server
    ntp broadcast
Display: time
    show clock
    show ntp status
    Clock is synchronized, stratum 2, reference is 134.157.254.135
    nominal freq is 250.0000 Hz, actual freq is 249.9978 Hz, precision is 2**19
    reference time is BC7E39B7.1F66A438 (18:21:59.122 MET Sat Mar 18 2000)
    clock offset is 0.80 msec, root delay is 2.76 msec
    root dispersion is 6.30 msec, peer dispersion is 1.31 msec
Global IP commands
    ip source-route                   : (default) accept packets carrying source routing
    ip subnet-zero                    : allow the use of the first subnet (subnet zero)
    ip host toto @IP-toto             : (like /etc/hosts)
    ip name-server @IP-DNS-1 @IP-DNS-2 ...
    ip domain-name                    : to complete names (1)
    ip domain-list                    : to complete names (2)
    ip accounting-threshold Threshold : number of entries in the table
    ip accounting-list @IP Mask       : restrict accounting to these addresses
Enabling accounting:
    ip accounting (interface command)
    ip accounting access-violations
Accounting display
    Cisco# show ip accounting [access-violations]
      Source          Destination      Packets   Bytes   ACL
      172.16.0.109    134.157.81.155         7   10500   100
      172.16.0.112    134.157.81.141         7   10500   100
      192.168.15.1    134.157.95.8          10     400   100
      192.168.16.2    134.157.95.10         10     400   100
Cleared with:
    clear ip accounting
Logging commands
    Router(config)# logging ?
      A.B.C.D           IP address of the logging host
      facility          Facility parameter for syslog messages
      buffered          Set buffered logging parameters
      console           Set console logging level
      monitor           Set terminal line (monitor) logging level
      trap              Set syslog server logging level
      source-interface  Specify interface for source address in logging transactions
Logging levels (the same list applies to the console, monitor, trap and buffered settings):
      alerts            Immediate action needed            (severity=1)
      critical          Critical conditions                (severity=2)
      debugging         Debugging messages                 (severity=7)
      emergencies       System is unusable                 (severity=0)
      errors            Error conditions                   (severity=3)
      informational     Informational messages             (severity=6)
      notifications     Normal but significant conditions  (severity=5)
      warnings          Warning conditions                 (severity=4)
Example of a log file on the syslog server: /reseau/syslog/gatorbox.log
Routing commands
Example with RIP:
    router rip
     version 2
     network 172.16.0.0
     passive-interface ethernet 1
     distribute-list 1 in ethernet 1
     distribute-list 2 in ethernet 0
Routing / Filtering
Another efficient way of filtering:
    ip route @IP_network Network_mask Destination
    ip route 10.0.0.0 255.0.0.0 Null0
    ip route 172.16.0.0 255.240.0.0 Null0
    ip route 192.168.0.0 255.255.0.0 Null0
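Added example, not the course's code: a longest-prefix lookup in Python over the slide's three Null0 routes plus a constructed default route (the next hop 134.157.254.1 is a placeholder assumption). It shows what routing-based filtering covers and what it does not: the Null0 routes drop traffic sent *to* the private ranges, a more specific route still wins over them, and a packet coming *from* a private source address toward a routable destination is forwarded normally, which is why the anti-spoofing access lists on the earlier slides remain necessary.

```python
"""Longest-prefix lookup showing what a static route to Null0 filters (added example, not IOS code).
The three Null0 routes are the slide's; the default route and its next hop are a constructed placeholder."""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]

SLIDE_ROUTES = [
    ("0.0.0.0", "0.0.0.0", "134.157.254.1"),   # constructed default route (assumption)
    ("10.0.0.0", "255.0.0.0", "Null0"),        # slide: private ranges black-holed
    ("172.16.0.0", "255.240.0.0", "Null0"),
    ("192.168.0.0", "255.255.0.0", "Null0"),
]


def build_table(routes) -> List[Route]:
    """'ip route NETWORK MASK NEXTHOP' triples as (network, next hop) pairs."""
    return [(ipaddress.IPv4Network(f"{net}/{mask}"), nh) for net, mask, nh in routes]


def lookup(table: List[Route], dst: str) -> Optional[str]:
    """Most specific matching prefix wins; None means no route at all."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for net, nh in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None


def forwarded(table: List[Route], src: str, dst: str) -> bool:
    """Routing decides on the destination only: a Null0 route stops packets *to* the
    private ranges, but a packet *from* 10.x toward a routable destination is still
    forwarded; only an access list on the interface catches the forged source."""
    nh = lookup(table, dst)
    return nh is not None and nh != "Null0"
```

Adding a more specific route such as `ip route 10.1.0.0 255.255.0.0 <next hop>` reopens that /16 while the rest of 10/8 stays black-holed, so Null0 routes and the routing table have to be reviewed together.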
Transparent proxy
Router RO:
    set ip next-hop @IP_Transparent-Proxy
    access-list X deny ip host @IP-cache_www1 any
    access-list X deny ip host @IP-cache_www2 any
    ! The other hosts
[Figure: routers RO and RD; site (Site1, network A) connected to the Internet through a tunnel]
Executable commands
    ping, traceroute (with the option of specifying the source address for tests)
    who
Management
By a management station:
    snmp-server community public RO 99
    access-list 99 permit @IP
Debug mode
    Via the console (monitor)
    Via telnet (terminal monitor displays the debug output)
    debug ? (the list is very long)
Example: debug ip rip
    RIP: received update from 134.157.254.249 on Ethernet0
         134.157.24.0 in 1 hops
    RIP: sending update to 134.157.254.255 via Ethernet0 (134.157.254.205)
         subnet 134.157.133.128, metric 1
         subnet 134.157.133.0, metric 1
    undebug all (u all)
    All possible debugging has been turned off