
21/04/2017 Astuces Cisco - Réseaux et Sécurité


Astuces Cisco
By Fred, Saturday 14 July 2007. Permalink - Cisco

cisco

Here are a few tips to apply on your Cisco routers:

Synchronize the console
How to bring an interface up when nothing is plugged in
Configure banners
Use aliases
Modify several interfaces at once
Clear the routing table
Set the source address of a service
Protect access to a device with an access list
Change the log level
NTP configuration with daylight saving time
Enable debug over SSH
Enable SSH
Reboot a module on a C6500
Check the power consumption of a C6500
Adjust the interface load calculation interval
Filter the show process cpu output
Clear an interface's configuration
Change the SSH key of a device
Display logs with the current date
Find out the number of available and used MAC addresses
Disable the "more" prompt

Synchronize the console
Two small reminders for working comfortably on the console of Cisco equipment:

logging synchronous: this directive synchronizes terminal output with the command line. For example, if you are in the middle of typing a command and the router prints a message to the terminal, your partially typed text is redisplayed after the message instead of being cut in two by it.
exec-timeout 0 0: this disables the command-line idle timeout. This can be useful in a test lab. Do not do it on production equipment: a console session that never expires stays logged in for whoever walks up to the terminal later, so keep a timeout there (the default is 10 minutes).

In practice:

Router(config)# line console 0
Router(config-line)# logging synchronous
Router(config-line)# exec-timeout 0 0

How to bring an interface up when nothing is plugged in:
In this first example the interface is physically up but its line protocol is down: the protocol state depends on keepalives, and with nothing connected they fail.

Router(config)# interface ethernet 0
Router(config-if)# ip address 10.0.0.1 255.255.255.0
Router(config-if)# no shutdown
Router# show ip interface brief
Interface     IP-Address    OK? Method Status   Protocol
Ethernet0     10.0.0.1      YES manual up       down

With the no keepalive command the line protocol no longer depends on keepalives and the interface comes up:

Router(config)# interface ethernet 0
Router(config-if)# ip address 10.0.0.1 255.255.255.0
Router(config-if)# no shutdown
Router(config-if)# no keepalive
Router# show ip interface brief
Interface     IP-Address    OK? Method Status   Protocol
Ethernet0     10.0.0.1      YES manual up       up

This only works on interfaces whose physical state is not driven by link detection (the old Ethernet/AUI and serial interfaces); a FastEthernet or GigabitEthernet port with no link stays down whatever you set. Treat it as a lab trick: a loopback interface is the normal way to get an address that is always up, and no keepalive on a production link hides real failures, since the interface stays up/up and routes keep pointing at a dead link.

http://www.nemako.net/dc2/?post/2007/05/30/AstucesCisco
Configure banners

Banner before login

Router(config)# banner login #
My banner....
....
#

Banner after login

Router(config)# banner exec #
My banner....
....
#

Note that the # characters delimit the text to enter; any other delimiter character can be used, as long as it does not occur inside the banner text itself (the first occurrence ends the banner). The login banner is shown to unauthenticated users, so keep it to a notice of authorized use and do not put the device's role, model or IOS version in it.

Use aliases
These very handy aliases are configured in configuration mode. An example:

R1(config)# alias exec sib show ip int brief
R1(config)# alias exec sir show ip route

To list the aliases:

R1# show alias
Exec mode aliases:
  h                     help
  lo                    logout
  p                     ping
  r                     resume
  s                     show
  u                     undebug
  un                    undebug
  w                     where
  sib                   show ip int brief
  sir                   show ip route

To delete an alias:

R1(config)# no alias exec sib

Modify several interfaces at once
After the interface keyword you can use range.

Switch(config)# interface range fastethernet 0/1 - 20
Switch(config-if-range)# speed 100
Switch(config-if-range)# duplex full

Several ranges can also be given at once:

Switch(config)# interface range fastethernet 0/1 - 4 , fastethernet 0/10 - 15

This command can be used with vlan, port-channel, fastethernet and gigabitethernet interfaces.

Clear the routing table

R1# clear ip route *

This removes every dynamically learned route and forces the routing protocols to repopulate the table, so expect a short loss of reachability; on a production router clear the single prefix you are troubleshooting (clear ip route with a network and mask) rather than the whole table.

Set the source address of a service
When the router opens an SSH or telnet session, or simply queries its TACACS+ server, it uses by default the IP address of its outgoing interface. You can specify manually which interface's address to use (provided that interface is up) for each service:

R1(config)# ip ssh source-interface gigabitEthernet 0/1
R1(config)# ip telnet source-interface loopback 0
R1(config)# ip tftp source-interface loopback 2
R1(config)# ip tacacs source-interface tunnel 0
R1(config)# logging source-interface loopback 0

To remove this setting:

R1(config)# no ip ssh source-interface

A loopback is the best choice: it is always up, so the source address does not change when a physical link fails, and the TACACS+ and syslog servers (and the firewalls in front of them) can then be restricted to one known address per device.

Protect access to a device with an access list
You can define the list of addresses allowed to administer a device. In the following example, only hosts on the networks 10.12.0.0/24 and 10.13.0.0/24 may administer my router over SSH.

ip access-list extended MGT-SSH
 permit tcp 10.12.0.0 0.0.0.255 gt 1023 host 0.0.0.0 eq 22
 permit tcp 10.13.0.0 0.0.0.255 gt 1023 host 0.0.0.0 eq 22
 deny ip any any log
!
line vty 0 4
 access-class MGT-SSH in
 transport input ssh

Two things to check. The access-class must be applied to every vty line the platform has: many have line vty 0 15, and lines 5 to 15 left without it stay reachable (see show line). The destination is written as host 0.0.0.0 because, when an access-class is checked on the vty lines, the destination seen by the ACL is 0.0.0.0 on these IOS releases (the denied-connection log further down shows exactly that: -> 0.0.0.0(22)); any also matches and is the safer spelling if you are unsure how your release behaves. The deny ... log entry is what produces those log messages.
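To see how the lines of MGT-SSH are evaluated, here is an added example (not from the original post) that reproduces the IOS matching rules in Python: a wildcard mask is the bitwise inverse of a netmask and its 1 bits mean "ignore this bit", entries are tried in order and the first match wins, and every ACL ends with an implicit deny. The ACL entries mirror the list above; the test addresses are constructed for the example and nothing is queried from a device.

```python
import ipaddress


def prefix_to_wildcard(prefix):
    """Turn a CIDR prefix into the (network, wildcard) pair an IOS ACL line expects.
    The wildcard is the bitwise inverse of the netmask: 0.0.0.255 for a /24."""
    net = ipaddress.IPv4Network(prefix, strict=False)
    return str(net.network_address), str(net.hostmask)


def wildcard_match(addr, network, wildcard):
    """True if addr matches network/wildcard the way an IOS ACL line does:
    only the bits that are 0 in the wildcard are compared."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


# (action, source network, source wildcard, source port must be greater than, destination port)
# A None port means "any". This is the MGT-SSH list from the post.
MGT_SSH = [
    ("permit", "10.12.0.0", "0.0.0.255", 1023, 22),
    ("permit", "10.13.0.0", "0.0.0.255", 1023, 22),
    ("deny", "0.0.0.0", "255.255.255.255", None, None),  # deny ip any any log
]


def evaluate(acl, src_ip, src_port, dst_port):
    """Return the action of the first matching entry; an IOS ACL ends with an implicit deny."""
    for action, network, wildcard, src_gt, dport in acl:
        if not wildcard_match(src_ip, network, wildcard):
            continue
        if src_gt is not None and not src_port > src_gt:
            continue
        if dport is not None and dport != dst_port:
            continue
        return action
    return "deny"


if __name__ == "__main__":
    # Constructed connection attempts: an allowed admin host, a host from the wrong
    # network, the right host on telnet, and the right host with a low source port.
    for ip, sport, dport in [("10.12.0.45", 40000, 22), ("10.14.0.45", 40000, 22),
                             ("10.12.0.45", 40000, 23), ("10.12.0.45", 500, 22)]:
        print(f"{ip}:{sport} -> port {dport}: {evaluate(MGT_SSH, ip, sport, dport)}")
```

The wildcard arithmetic is the part people get wrong by hand: prefix_to_wildcard("192.168.10.0/23") gives 0.0.1.255, not 0.0.0.255, and a wildcard with stray 1 bits silently widens the permit.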

Change the log level
To view a device's logs:

Routeur1# sh logging
Syslog logging: enabled (12 messages dropped, 6 messages rate-limited,
                0 flushes, 0 overruns, xml disabled, filtering disabled)
    Console logging: level debugging, 1191740 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging: level warnings, 1 messages logged, xml disabled,
                    filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
...
Log Buffer (4096 bytes):

.Aug 12 14:24:22.476: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up

The log messages generated by an access list have severity informational (6), so the warnings level (4) configured for the buffer will not let us see them: a logging target only keeps messages whose severity number is at or below its configured level.

To change the log level:

Routeur1(config)# logging buffered informational

We now have the ACL logs:

Routeur1# sh logging
...
    Buffer logging: level informational, 2 messages logged, xml disabled,
                    filtering disabled
...
Log Buffer (4096 bytes):

.Aug 12 15:39:15.443: %SEC-6-IPACCESSLOGP: list MGT-SSH denied tcp 10.118.14.51(32853) -> 0.0.0.0(22), 1 packet
Routeur1#

The buffer here is only 4096 bytes, which informational messages fill in minutes; logging buffered also takes a size argument, and the ACL denies are worth forwarding to a syslog server (logging host) so that they survive a reload and can be searched.
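The severity rule that decides what lands in the buffer, and a way to use the ACL log lines once they are visible, as an added example that is not part of the original post: the digit in %FACILITY-N-MNEMONIC is the message's severity, a logging target keeps the messages whose digit is at or below its level, and the IPACCESSLOGP lines can be summed per source address to see who is knocking on port 22. The log lines are constructed for the example (the first two are the ones shown above); IOS reports further packets of an already logged flow as "N packets", which the parser adds up.

```python
import re
from collections import Counter

# IOS severity names in numeric order: "logging buffered warnings" keeps 0..4.
SEVERITY_LEVELS = ["emergencies", "alerts", "critical", "errors",
                   "warnings", "notifications", "informational", "debugging"]

# %LINK-3-UPDOWN:  ->  facility LINK, severity 3, mnemonic UPDOWN
MSG_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+):")

# %SEC-6-IPACCESSLOGP: list MGT-SSH denied tcp 10.118.14.51(32853) -> 0.0.0.0(22), 1 packet
ACL_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)

# Constructed sample buffer; the first two lines are the ones shown on the page.
SAMPLE_LOG = [
    ".Aug 12 14:24:22.476: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up",
    ".Aug 12 15:39:15.443: %SEC-6-IPACCESSLOGP: list MGT-SSH denied tcp 10.118.14.51(32853) -> 0.0.0.0(22), 1 packet",
    ".Aug 12 15:44:16.102: %SEC-6-IPACCESSLOGP: list MGT-SSH denied tcp 10.118.14.51(32853) -> 0.0.0.0(22), 4 packets",
    ".Aug 12 15:45:02.512: %SEC-6-IPACCESSLOGP: list MGT-SSH denied tcp 192.0.2.77(51002) -> 0.0.0.0(22), 1 packet",
    ".Aug 12 15:46:10.009: %SYS-5-CONFIG_I: Configured from console by console",
]


def severity_of(line):
    """Severity number (0-7) taken from the %FACILITY-N-MNEMONIC tag, or None."""
    m = MSG_RE.search(line)
    return int(m.group("sev")) if m else None


def kept_at(lines, level_name):
    """The lines a logging target configured at level_name would keep."""
    level = SEVERITY_LEVELS.index(level_name)
    return [line for line in lines
            if severity_of(line) is not None and severity_of(line) <= level]


def denied_sources(lines, acl, dport=22):
    """Packets denied by `acl` towards dport, summed per source address."""
    counts = Counter()
    for line in lines:
        m = ACL_RE.search(line)
        if (m and m.group("acl") == acl and m.group("action") == "denied"
                and int(m.group("dport")) == dport):
            counts[m.group("src")] += int(m.group("count"))
    return dict(counts)


if __name__ == "__main__":
    print(len(kept_at(SAMPLE_LOG, "warnings")), "line(s) kept at level warnings")
    print(len(kept_at(SAMPLE_LOG, "informational")), "line(s) kept at level informational")
    print("denied SSH attempts per source:", denied_sources(SAMPLE_LOG, "MGT-SSH"))
```

Run against the sample, only the %LINK-3 line survives at level warnings, all five survive at informational, and the per-source count shows 10.118.14.51 behind five denied packets. On a real buffer the interesting signal is a source that is not one of your management networks, or a count that keeps growing between two show logging runs.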

NTP configuration with daylight saving time

Routeur2(config)# ntp server 192.168.1.2 prefer
Routeur2(config)# ntp server 192.168.1.3
Routeur2(config)# clock timezone CET 1
Routeur2(config)# clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00

The two clock commands only change how the time is displayed; NTP itself runs on UTC. These servers are configured without authentication, so anyone able to spoof them can shift the clock, and with it every timestamp in your logs; for production, enable NTP authentication (ntp authenticate with a trusted key, and the key id on each ntp server line).

Debug
View the debug commands currently active:

R1# sh debugging
IP routing:
  BGP debugging is on for all address families
  OSPF events debugging is on
IP multicast:
  PIM debugging is on

Turn off all debug commands:

R1# u all
All possible debugging has been turned off

(u is the built-in alias for undebug, as the show alias listing above shows.)

Enable debug over SSH
Command to get debug output, which is normally only delivered to the console, in an SSH session:

R1# terminal monitor

Enable/disable debug on the console
Disable debug messages on the console:

R1(config)# no logging console

Enable:

R1(config)# logging console

The console port is slow and console logging is serviced by the router's CPU, so a chatty debug with console logging on can make the device unresponsive; the 1191740 console messages in the show logging output above give an idea of that cost. Keep the buffer or a syslog server as the primary destination.

Enable SSH

Router01(config)# ip ssh version 2
Please create RSA keys to enable SSH.

Generate the RSA key

Router01(config)# crypto key generate rsa
The name for the keys will be: C3845.intranet.nemako.net
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

Enable SSH

Router01(config)# ip ssh version 2

Force SSH on the vty lines

Router01(config)# line vty 0 4
Router01(config-line)# transport input ssh

The key name is hostname.domain-name, so hostname and ip domain-name must be set before the key can be generated. The 512-bit default and the 1024 bits chosen here date from 2007; use 2048 bits at least (crypto key generate rsa modulus 2048; current releases go up to 4096). ip ssh version 2 refuses SSH version 1 clients, and transport input ssh removes telnet from the vty lines, which is the point of the exercise: the cleartext protocol must not stay available next to SSH.

Change the SSH key of a device
Look at the keys present:

C3750# sh crypto key mypubkey rsa
% Key pair was generated at: 14:28:12 UTC Aug 9 2006
Key name: C3750.intranet
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
  12345678 90123456 4886F70D 01010105 00034B00 30480241 00E344FA 6AC1EA9A
  1C6B0C36 DAD96A2B 93ADBDCB 12345678 90123456 C2C9A198 CDFG0000 B409EC84
  B6B365EF AAAAAAAA 12345678 90123456 FADAEF65 CCB1D2D7 15020301 0001
% Key pair was generated at: 09:22:32 UTC Jan 15 2008
Key name: C3750.intranet.server
 Usage: Encryption Key
 Key is not exportable.
 Key Data:
  12345678 90123456 4886F70D 01010105 00036B00 30680261 00BCC9B6 CD1D4A0B
  9CB0C35B 37508A38 6D9D1E44 12345678 90123456 A9C80947 1092B1CD 450D4BCD
  B8342222 1C3CC7DB 12345678 90123456 84B63952 51BD946A CDFG0000 4667895A
  9D2DB0D9 00000000 27E2F343 7D1D3B34 99AAE391 F6C4BDD9 35020301 0001

(The key data is printed partially masked here.) The DER lengths are still readable and show why these keys deserve replacing: in the first key the modulus INTEGER (02 41 00 ...) is 64 bytes, a 512-bit key, and in the second (02 61 00 ...) it is 96 bytes, 768 bits.

Delete these keys:

C3750# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
C3750(config)# crypto key zeroize rsa C3750.intranet.server
% Keys to be removed are named 'C3750.intranet.server'.
% All router certs issued using these keys will also be removed.
Do you really want to remove these keys? [yes/no]: yes
C3750(config)# crypto key zeroize rsa C3750.intranet
% Keys to be removed are named 'C3750.intranet'.
% All router certs issued using these keys will also be removed.
Do you really want to remove these keys? [yes/no]: yes

Now simply generate a new key:

C3750(config)# crypto key generate rsa
The name for the keys will be: C3750.intranet
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys ...[OK]

C3750(config)#

Do this from the console, or at least not over the SSH session the old key protects: once the keys are zeroized the SSH server stops accepting connections until the new pair exists, and every client that has the old host key in its known_hosts will (rightly) warn about the changed key afterwards.
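To read the key size off the show crypto key mypubkey rsa output instead of guessing from the generation date, here is an added example (not from the original post) that walks the DER lengths in the Key Data: after the rsaEncryption OID and its NULL parameters come a BIT STRING, the RSAPublicKey SEQUENCE and the modulus INTEGER, whose length gives the key size. Only tags and lengths are decoded, so the masked groups in the output above (12345678 90123456, CDFG0000) do not get in the way. The two KEY_* constants are the page's own Key Data; the parser is generic and handles the long-form lengths a 2048-bit key needs.

```python
import re

# End of the rsaEncryption OID (1.2.840.113549.1.1.1) followed by its NULL
# parameters, as found in the DER SubjectPublicKeyInfo that IOS prints as Key Data.
RSA_OID_TAIL = "86F70D0101010500"

# Key Data copied from the page's show crypto key mypubkey rsa output
# (some groups are masked there; only the DER lengths are needed below).
KEY_GENERAL = """
  12345678 90123456 4886F70D 01010105 00034B00 30480241 00E344FA 6AC1EA9A
  1C6B0C36 DAD96A2B 93ADBDCB 12345678 90123456 C2C9A198 CDFG0000 B409EC84
  B6B365EF AAAAAAAA 12345678 90123456 FADAEF65 CCB1D2D7 15020301 0001
"""
KEY_SERVER = """
  12345678 90123456 4886F70D 01010105 00036B00 30680261 00BCC9B6 CD1D4A0B
  9CB0C35B 37508A38 6D9D1E44 12345678 90123456 A9C80947 1092B1CD 450D4BCD
  B8342222 1C3CC7DB 12345678 90123456 84B63952 51BD946A CDFG0000 4667895A
  9D2DB0D9 00000000 27E2F343 7D1D3B34 99AAE391 F6C4BDD9 35020301 0001
"""


def der_length(data, pos):
    """DER length at data[pos]: short form (< 0x80) or long form (0x8N then N bytes).
    Returns (length, index of the first content byte)."""
    first = data[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def expect_tag(data, pos, tag, name):
    """Check the tag byte at data[pos] and return (length, content index) of that element."""
    if data[pos] != tag:
        raise ValueError(f"expected {name} (0x{tag:02X}) at byte {pos}, got 0x{data[pos]:02X}")
    return der_length(data, pos + 1)


def rsa_modulus_bits(key_data):
    """Size in bits of the RSA modulus inside an IOS 'Key Data' dump."""
    hexstr = re.sub(r"\s+", "", key_data).upper()
    start = hexstr.find(RSA_OID_TAIL)
    if start < 0:
        raise ValueError("rsaEncryption OID not found in key data")
    # Decode only up to the first non-hex character (masked output), two digits per byte.
    valid = re.match(r"[0-9A-F]*", hexstr[start + len(RSA_OID_TAIL):]).group(0)
    data = bytes.fromhex(valid[: len(valid) // 2 * 2])
    _, pos = expect_tag(data, 0, 0x03, "BIT STRING")
    pos += 1                                  # unused-bits byte (0x00) of the BIT STRING
    _, pos = expect_tag(data, pos, 0x30, "RSAPublicKey SEQUENCE")
    mod_len, pos = expect_tag(data, pos, 0x02, "modulus INTEGER")
    if data[pos] == 0x00:                     # leading 0x00 keeps the INTEGER positive; not modulus bits
        mod_len -= 1
    return mod_len * 8


if __name__ == "__main__":
    for name, key in (("C3750.intranet", KEY_GENERAL), ("C3750.intranet.server", KEY_SERVER)):
        bits = rsa_modulus_bits(key)
        print(f"{name}: {bits}-bit RSA{'' if bits >= 2048 else '  <- replace'}")
```

The same function works on the full, unmasked output of any IOS device, which makes it easy to inventory host keys under 2048 bits across a fleet from saved show command output.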

Reboot a module on a C6500

C651301# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
C651301(config)# power cycle module 4
% This command is being deprecated.
% Please use exec level command:
%    hw-module module <mod#> reset
Proceed with reload of module? [confirm] confirm

Source: French Cisco Users Group (http://www.fcug.fr/catalyst6500rebooterunmodule)

Check the power consumption of a C6500

C651301# show power | in (used|total|availa)
system power total =     5771.64 Watts (137.42 Amps @ 42V)
system power used =      2287.74 Watts ( 54.47 Amps @ 42V)
system power available = 3483.90 Watts ( 82.95 Amps @ 42V)

Adjust the interface bandwidth calculation interval
When you use the show interface command to look at the bandwidth used on an interface, the figure is averaged over the last 5 minutes. The value can be changed to anything between 30 and 600 seconds.

C38452(config)# int tun 0
C38452(config-if)# ?
...
  load-interval   Specify interval for load calculation for an interface
C38452(config-if)# load-interval ?
  <30-600>  Load interval delay in seconds

Here is an interface with the default setting:

C38452# sh int gi0/0
GigabitEthernet0/0 is up, line protocol is up
...
  5 minute input rate 2140000 bits/sec, 579 packets/sec
  5 minute output rate 6217000 bits/sec, 769 packets/sec

Configure a 30-second interval:

C38452(config)# int tun 0
C38452(config-if)# load-interval 30
C38452# sh int tun 0
Tunnel0 is up, line protocol is up
...
  30 second input rate 1461000 bits/sec, 388 packets/sec
  30 second output rate 892000 bits/sec, 368 packets/sec

A short load interval makes a traffic spike (a scan, a flood) visible in show interface much sooner, at the cost of a noisier figure.

Filter the show process cpu output
The show processes cpu command is fairly unreadable without filtering:

C3825# sh processes cpu
CPU utilization for five seconds: 1%/1%; one minute: 10%; five minutes: 5%
 PID Runtime(ms)     Invoked      uSecs   5Sec   1Min   5Min TTY Process
   1           8         255         31  0.00%  0.00%  0.00%   0 Chunk Manager
   2        1084     2024779          0  0.00%  0.00%  0.00%   0 Load Meter
   3     1138252    31651957         35  0.00%  0.03%  0.02%   0 OSPF-1 Hello
   4           0           1          0  0.00%  0.00%  0.00%   0 EDDRI_MAIN
   5     4209864     1034803       4068  0.00%  0.03%  0.02%   0 Check heaps
   6        2448        3992        613  0.00%  0.00%  0.00%   0 Pool Manager
   7           0           2          0  0.00%  0.00%  0.00%   0 Timers
   8           0      168733          0  0.00%  0.00%  0.00%   0 IPC Dynamic Cach
   9           0           1          0  0.00%  0.00%  0.00%   0 IPC Zone Manager
  10          48    10123865          0  0.00%  0.00%  0.00%   0 IPC Periodic Tim
  11          52    10123865          0  0.00%  0.00%  0.00%   0 IPC Deferred Por
  12           0           1          0  0.00%  0.00%  0.00%   0 IPC Seat Manager
  13           0           1          0  0.00%  0.00%  0.00%   0 IPC BackPressure
  14           0           1          0  0.00%  0.00%  0.00%   0 OIR Handler
  15           0           1          0  0.00%  0.00%  0.00%   0 Crash writer
  16         892     2024778          0  0.00%  0.01%  0.00%   0 Environmental mo
  17         200      170244          1  0.00%  0.00%  0.00%   0 ARP Input
  18           0           2          0  0.00%  0.00%  0.00%   0 ATM Idle Timer
  19           0           2          0  0.00%  0.00%  0.00%   0 AAA high-capacit
  20           0           1          0  0.00%  0.00%  0.00%   0 AAA_SERVER_DEADT
  21           0           1          0  0.00%  0.00%  0.00%   0 Policy Manager
...

So here is a simple way to see the main processes your device is running (the three 0.00% columns are separated by two spaces in the real output, and the filter string has to match that spacing):

C3825# sh processes cpu | excl 0.00%  0.00%  0.00%
CPU utilization for five seconds: 3%/2%; one minute: 8%; five minutes: 5%
 PID Runtime(ms)     Invoked      uSecs   5Sec   1Min   5Min TTY Process
   2        1084     2024782          0  0.00%  0.01%  0.00%   0 Load Meter
   3     1138256    31651995         35  0.00%  0.03%  0.02%   0 OSPF-1 Hello
   5     4209888     1034807       4068  0.24%  0.04%  0.02%   0 Check heaps
  16         892     2024781          0  0.00%  0.01%  0.00%   0 Environmental mo
  37     8160276     7377317       1106  0.24%  0.13%  0.12%   0 Net Background
  47     2034740      170147      11958  0.00%  0.02%  0.00%   0 Per-minute Jobs
  76         220         502        438  0.08%  0.01%  0.00% 706 SSH Process
  99     1512248    20737241         72  0.00%  0.01%  0.00%   0 IP Input
 159         960    10123618         40  0.00%  0.02%  0.00%   0 RBSCP Background
 265        3092    10216394          0  0.00%  0.02%  0.05%   0 NTP

Newer releases also have show processes cpu sorted, which puts the busiest processes first; a process you do not recognize at the top of that list, or a sudden jump in IP Input (traffic punted to the CPU), is worth a look.

Clear an interface's configuration
Here is my interface's initial configuration

C2950# sh run int Fa1/0/35
Building configuration...

Current configuration : 230 bytes
!
interface FastEthernet1/0/35
 switchport access vlan 7
 switchport mode access
 speed 100
 duplex full
 no mdix auto
 no cdp enable
 spanning-tree portfast
 spanning-tree bpduguard enable
 service-policy input POLICY_PHONE
end

And here is how to erase the whole configuration in a single command:

C2950# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
C2950(config)# default interface FastEthernet1/0/35
Interface FastEthernet1/0/35 set to default configuration

The result:

C2950# sh run int Fa1/0/35
Building configuration...

Current configuration : 36 bytes
!
interface FastEthernet1/0/35
end

Note that this also removes the hardening the port had (bpduguard, no cdp enable, the access VLAN): a defaulted port is back in VLAN 1 with the default switchport mode, so reapply the port template before plugging anything into it.

Display logs with the current date
When logs are displayed, the timestamp can be either the device's uptime or its clock time.

Real date

R0(config)# service timestamps log datetime

Result

R0# sh logging
...
Apr 14 20:51:44: %SYS-5-CONFIG_I: Configured from console by console

Uptime

R0(config)# service timestamps log uptime

Result

R0# sh logging
...
00:59:15: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down

For logs that have to be correlated across devices or sent to a collector, datetime with the msec localtime show-timezone options (and an NTP-synchronized clock, see above) is the useful form; uptime timestamps cannot be compared between devices.

Find out the number of available and used MAC addresses

SW015# sh mac address-table count
Mac Entries for all vlans:
Dynamic Unicast Address Count:                  383
Static Unicast Address (User-defined) Count:    8
Static Unicast Address (System-defined) Count:  1
Total Unicast MAC Addresses In Use:             392
Total Unicast MAC Addresses Available:          32768
Multicast MAC Address Count:                    108
Total Multicast MAC Addresses Available:        16384

A dynamic count that suddenly climbs towards the available total is the signature of MAC flooding (the switch then floods unicast traffic like a hub); port-security limits on access ports prevent it.

Disable the "more" prompt
You can disable the "more" prompt that appears on long outputs (show run for example). Use the exec command terminal length 0 for the current session, or set it permanently on the lines:

line console 0
 length 0
line vty 0 4
 length 0
