Cisco IOS Cookbook, condensed Chinese edition (Chapters 11-14)

Chapter 11. Queuing and Congestion
11.1.  Fast Switching and CEF
Problem: Configure the router to use the most efficient packet switching method available
Solution
Fast switching is enabled by default:
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#interface FastEthernet0/0
Router(config-if)#ip route-cache
Router(config-if)#exit
Router(config)#end
Router#
If policy routing is applied to the interface, the following command lets policy-routed packets be fast switched as well:
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#interface FastEthernet0/0
Router(config-if)#ip route-cache policy
Router(config-if)#exit
Router(config)#end
Router#
CEF is not enabled by default on every platform; it is enabled globally and then on each interface:
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#ip cef
Router(config)#interface FastEthernet0/0
Router(config-if)#ip route-cache cef
Router(config-if)#exit
Router(config)#end
Router#
Discussion: Besides the policy keyword shown above, the following option allows fast switching of packets that leave through the same physical interface they arrived on, which would otherwise be process switched (typical of hub-and-spoke Frame Relay interfaces):
Router(config)#interface Serial0/0
Router(config-if)#ip route-cache same-interface
Verify with show cef interface, show cef drop, show cef not-cef-switched and show ip cef. The last two are worth watching: packets that CEF cannot switch are punted to the CPU, and a flood of such packets (IP options, fragments, packets addressed to the router itself, TTL expiry) is a common way for hostile traffic to exhaust a router's processor even when its links are far from saturated.
11.2.  Setting the DSCP or TOS Bits
Problem: Mark the DSCP or TOS (precedence) bits of selected packets on the router
Solution
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#access-list 101 permit tcp any eq ftp any
Router(config)#access-list 101 permit tcp any any eq ftp
Router(config)#access-list 102 permit tcp any eq ftp-data any
Router(config)#access-list 102 permit tcp any any eq ftp-data
Router(config)#class-map match-all ser00-ftpcontrol
Router(config-cmap)#description branch ftp control traffic
Router(config-cmap)#match input-interface serial0/0
Router(config-cmap)#match access-group 101
Router(config-cmap)#exit
Router(config)#class-map match-all ser00-ftpdata
Router(config-cmap)#description branch ftp data traffic
Router(config-cmap)#match input-interface serial0/0
Router(config-cmap)#match access-group 102
Router(config-cmap)#exit
Router(config)#policy-map serialftppolicy
Router(config-pmap)#description branch ftp traffic policy
Router(config-pmap)#class ser00-ftpcontrol
Router(config-pmap-c)#set ip precedence immediate
Router(config-pmap-c)#exit
Router(config-pmap)#class ser00-ftpdata
Router(config-pmap-c)#set ip precedence priority
Router(config-pmap-c)#exit
Router(config-pmap)#exit
Router(config)#interface serial0/0
Router(config-if)#ip route-cache policy
Router(config-if)#service-policy input serialftppolicy
Router(config-if)#exit
Router(config)#end
Router#
Discussion: The class-maps select the traffic of interest (here FTP control and FTP data arriving on serial0/0) and the policy-map marks it: set ip precedence immediate writes precedence 2 and set ip precedence priority writes precedence 1 (the keywords routine, priority, immediate, flash, flash-override, critical, internet and network stand for 0 through 7). Because the policy is applied inbound on the interface where the traffic enters, the router overwrites whatever marking the sender put in the packet. That is the right place to do it: markings received across a trust boundary should be reset rather than honored, otherwise any host can promote its own traffic into the high-priority queues simply by setting the bits itself.
11.3.  Using Priority Queuing
Problem: Use strict priority queuing so that high-priority traffic is always served before anything else
Solution
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#access-list 101 permit ip any any precedence 5 tos 12
Router(config)#access-list 102 permit ip any any precedence 4
Router(config)#access-list 103 permit ip any any precedence 3
Router(config)#priority-list 1 protocol ip high list 101
Router(config)#priority-list 1 protocol ip medium list 102
Router(config)#priority-list 1 protocol ip normal list 103
Router(config)#priority-list 1 default low
Router(config)#interface Ethernet0
Router(config-if)#priority-group 1
Router(config-if)#exit
Router(config)#end
Router#
Discussion: Plain priority queuing can starve the lower queues completely: as long as the high queue holds packets nothing else is sent, so any source able to set precedence 5 on its own packets can monopolize the link unless you remark or police at the edge. The precedence 5 tos 12 match in access list 101 is the same TOS byte as DSCP EF (0xB8: precedence 5 in the top three bits, TOS bits 1100, which reads as 46 when the top six bits are taken as a DSCP). By default unmatched packets go to the normal queue; here the default is explicitly set to low. show interface reports the size of each queue; the defaults are 20 packets for high, 40 for medium, 60 for normal and 80 for low:
Output queue (queue priority: size/max/drops):
     high: 0/20/0, medium: 0/40/0, normal 0/60/0, low 0/80/0
These limits can be changed with priority-list 1 queue-limit 10 15 25 35. LLQ or CBWFQ (11.7 and 11.16) are recommended instead of plain priority queuing.
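As an added example, not from the book: the bit arithmetic that connects the three notations used in 11.2 and 11.3 (IOS precedence keywords, ACL precedence/tos pairs, and DSCP names), in Python. It is what makes precedence 5 tos 12 the same thing as dscp ef, and it goes slightly beyond the recipes by naming every standard CS and AF code point. The function names are my own.

```python
# Added example: TOS/DSCP arithmetic behind the ACL and class-map syntax in 11.2 and 11.3.
# The IPv4 TOS byte is laid out as PPP TTTT x: three IP precedence bits, four TOS bits
# (delay, throughput, reliability, cost) and one unused bit. DSCP is the top six bits.
# Names and numbers follow RFC 2474/2597/3246 and the IOS precedence keywords.

IOS_PRECEDENCE = ["routine", "priority", "immediate", "flash", "flash-override",
                  "critical", "internet", "network"]          # keywords for precedence 0..7

DSCP_NAMES = {0: "default", 46: "ef"}
for _cs in range(1, 8):                                       # class selectors CS1..CS7
    DSCP_NAMES[_cs << 3] = f"cs{_cs}"
for _cls in range(1, 5):                                      # assured forwarding AF11..AF43
    for _drop in range(1, 4):
        DSCP_NAMES[(_cls << 3) | (_drop << 1)] = f"af{_cls}{_drop}"


def tos_byte(precedence, tos=0):
    """TOS byte for an ACL-style 'precedence P tos T' pair (P 0-7, T 0-15)."""
    if not 0 <= precedence <= 7 or not 0 <= tos <= 15:
        raise ValueError("precedence must be 0-7 and tos 0-15")
    return (precedence << 5) | (tos << 1)


def split_tos(byte_value):
    """Inverse of tos_byte: (precedence, tos nibble) from a TOS byte."""
    return byte_value >> 5, (byte_value >> 1) & 0xF


def dscp_of(byte_value):
    """DSCP is the top six bits of the TOS byte (the low two are ECN)."""
    return byte_value >> 2


def dscp_name(dscp):
    """Symbolic DSCP name (ef, af11, cs3, ...), or the number if it has no name."""
    return DSCP_NAMES.get(dscp, str(dscp))


def precedence_number(keyword):
    """Number behind a 'set ip precedence <keyword>' keyword, e.g. immediate -> 2."""
    return IOS_PRECEDENCE.index(keyword)


def equivalent_dscp(precedence, tos):
    """Name of the DSCP that an ACL 'precedence P tos T' match corresponds to."""
    return dscp_name(dscp_of(tos_byte(precedence, tos)))
```

equivalent_dscp(5, 12) returns "ef", and split_tos(34 << 2) shows that AF41 lands in precedence 4 with TOS nibble 4, which is why a class-map matching precedence 4 catches all of AF41, AF42 and AF43 together.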
11.4.  Using Custom Queuing
Problem: Share the bandwidth among queues according to the IP precedence of the traffic
Solution
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#access-list 103 permit ip any any precedence 5
Router(config)#access-list 104 permit ip any any precedence 4
Router(config)#access-list 105 permit ip any any precedence 3
Router(config)#access-list 106 permit ip any any precedence 2
Router(config)#access-list 107 permit ip any any precedence 1
Router(config)#queue-list 1 protocol ip 3 list 103
Router(config)#queue-list 1 protocol ip 4 list 104
Router(config)#queue-list 1 protocol ip 5 list 105
Router(config)#queue-list 1 queue 5 byte-count 3000 limit 55
Router(config)#queue-list 1 protocol ip 6 list 106
Router(config)#queue-list 1 protocol ip 7 list 107
Router(config)#queue-list 1 default 8
Router(config)#interface HSSI0/0
Router(config-if)#custom-queue-list 1
Router(config-if)#exit
Router(config)#end
Router#
Discussion: Custom queuing provides 16 user queues plus queue 0, a system queue reserved for keepalives, routing updates and other router-originated control traffic. The output of show interface looks like this:
Queuing strategy: custom-list 1
  Output queues: (queue #: size/max/drops)
     0: 0/20/0 1: 0/20/0 2: 0/20/0 3: 0/20/0 4: 0/20/0
     5: 0/55/3 6: 5/20/0 7: 0/20/0 8: 0/20/0 9: 0/20/0
     10: 0/20/0 11: 0/20/0 12: 0/20/0 13: 0/20/0 14: 0/20/0
     15: 0/20/0 16: 0/20/0
Custom queuing does not assign unclassified traffic to any queue on its own, so a default queue must be configured (queue-list 1 default 8 above). By default each queue may send 1500 bytes per pass and holds at most 20 packets; both can be changed, as with queue-list 1 queue 5 byte-count 3000 limit 55 above (queue 5 shows 0/55/3 in the output).
Note that the byte-count is applied to whole packets: the router keeps sending packets from a queue until the bytes sent in that pass reach or exceed the byte-count, so a queue carrying small packets can overshoot its byte-count on every pass, and a queue whose packets are larger than its byte-count always sends a full packet. The long-run shares are therefore only approximately proportional to the configured byte-counts. Custom queuing is an older mechanism; CBWFQ (11.7) is recommended instead.
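As an added example (not IOS code, and the packet sizes are constructed): a short simulation of the custom queuing scheduler that shows the whole-packet rounding described above. Two queues with the same byte-count but different packet sizes do not share the link equally.

```python
# Added example: a simulation of the custom queuing scheduler, to show how the byte-count
# behaves with whole packets. Not IOS code; the packet sizes are constructed sample data.
from collections import deque


def custom_queue_pass(queues, byte_counts, default_byte_count=1500):
    """One round-robin pass over the custom queues.

    queues:      dict queue number -> deque of packet sizes (bytes) waiting in that queue
    byte_counts: dict queue number -> byte-count from 'queue-list N queue Q byte-count B'
    Returns the bytes transmitted from each queue. As in IOS, a queue keeps sending whole
    packets until the bytes sent in this pass reach or exceed its byte-count, so the last
    packet may overshoot the threshold by up to one packet.
    """
    sent = {}
    for q in sorted(queues):
        limit = byte_counts.get(q, default_byte_count)
        total = 0
        waiting = queues[q]
        while waiting and total < limit:
            total += waiting.popleft()
        sent[q] = total
    return sent


def bandwidth_share(queues, byte_counts, passes):
    """Run several passes with every queue kept busy; return each queue's share of the link (0..1)."""
    totals = {q: 0 for q in queues}
    for _ in range(passes):
        for q, nbytes in custom_queue_pass(queues, byte_counts).items():
            totals[q] += nbytes
    grand_total = sum(totals.values())
    return {q: totals[q] / grand_total for q in totals}


def saturated_queue(packet_size, packets=1000):
    """A queue that never runs dry during the simulation: 'packets' packets of one size."""
    return deque([packet_size] * packets)


def demo():
    """Two queues with equal byte-counts but different packet sizes do not get equal shares."""
    equal_counts = {1: 1500, 2: 1500}
    queues = {1: saturated_queue(1000), 2: saturated_queue(1500)}
    return bandwidth_share(queues, equal_counts, passes=10)
```

demo() gives queue 1 (1000-byte packets) four sevenths of the link and queue 2 (1500-byte packets) three sevenths, although both have byte-count 1500: queue 1 sends two packets (2000 bytes) per pass because the first packet leaves it under the threshold. Setting both byte-counts to a common multiple of the packet sizes, 3000 here, restores a 50/50 split.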
11.5.  Mixing Custom Queuing and Priority Queuing
Problem: Serve high-priority traffic strictly first while the lower-priority traffic shares the remaining bandwidth
Solution
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#access-list 101 permit ip any any precedence 7
Router(config)#access-list 102 permit ip any any precedence 6
Router(config)#access-list 103 permit ip any any precedence 5
Router(config)#access-list 104 permit ip any any precedence 4
Router(config)#access-list 105 permit ip any any precedence 3
Router(config)#access-list 106 permit ip any any precedence 2
Router(config)#access-list 107 permit ip any any precedence 1
Router(config)#queue-list 1 protocol ip 1 list 101
Router(config)#queue-list 1 protocol ip 2 list 102
Router(config)#queue-list 1 protocol ip 3 list 103
Router(config)#queue-list 1 protocol ip 4 list 104
Router(config)#queue-list 1 protocol ip 5 list 105
Router(config)#queue-list 1 protocol ip 6 list 106
Router(config)#queue-list 1 protocol ip 7 list 107
Router(config)#queue-list 1 lowest-custom 4
Router(config)#interface HSSI0/0
Router(config-if)#custom-queue-list 1
Router(config-if)#exit
Router(config)#end
Router#
Discussion: Compared with 11.4, the only addition is queue-list 1 lowest-custom 4: queues numbered below 4 (1, 2 and 3) become strict priority queues that are always emptied first, in order, while queues 4 and above remain custom queues that share the leftover bandwidth by byte-count. The starvation caveat from 11.3 applies to the three priority queues.
11.6.  Using Weighted Fair Queuing
Problem: Give each flow a fair share of the bandwidth, weighted by its IP precedence
Solution
WFQ is enabled by default on serial interfaces at E1 speed (2.048 Mbps) or below:
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#interface Serial0/0
Router(config-if)#fair-queue 64 512 10
Router(config-if)#exit
Router(config)#end
Router#
Discussion: WFQ works even when the traffic carries no TOS/DSCP marking: it separates conversations (flows) and schedules them fairly, giving flows with higher IP precedence a larger weight. The three arguments of fair-queue are the congestive discard threshold (64 here: once a conversation holds more than 64 packets, further packets for it are dropped), the number of dynamic conversation queues (a power of two between 16 and 4096; raise it on interfaces carrying many flows) and the number of queues reserved for RSVP (default 0).
11.7.  Using Class-Based Weighted Fair Queuing
Problem: Configure class-based weighted fair queuing on an interface
Solution
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#class-map highprec
Router(config-cmap)#description Highest priority Prec=5
Router(config-cmap)#match ip precedence 5
Router(config-cmap)#exit
Router(config)#class-map medhiprec
Router(config-cmap)#description Medium-high priority Prec=4
Router(config-cmap)#match ip precedence 4
Router(config-cmap)#exit
Router(config)#class-map medloprec
Router(config-cmap)#description Medium-low priority Prec=2,3
Router(config-cmap)#match ip precedence 2 3
Router(config-cmap)#exit
Router(config)#policy-map cbwfqpolicy
Router(config-pmap)#class highprec
Router(config-pmap-c)#bandwidth percent 25
Router(config-pmap-c)#exit
Router(config-pmap)#class medhiprec
Router(config-pmap-c)#bandwidth percent 25
Router(config-pmap-c)#exit
Router(config-pmap)#class medloprec
Router(config-pmap-c)#bandwidth percent 25
Router(config-pmap-c)#exit
Router(config-pmap)#class class-default
Router(config-pmap-c)#fair-queue 512
Router(config-pmap-c)#queue-limit 96
Router(config-pmap-c)#exit
Router(config-pmap)#exit
Router(config)#interface serial0/1
Router(config-if)#service-policy output cbwfqpolicy
Router(config-if)#exit
Router(config)#end
Router#
Discussion: Each class with a bandwidth statement is guaranteed its share during congestion. The shares are percentages of the interface bandwidth and by default may not add up to more than 75% (the max-reserved-bandwidth limit), so three classes at 25% is the most this policy can reserve. Everything else falls into class-default, which gets flow-based fair queuing with 512 conversation queues and a 96-packet queue limit. CBWFQ guarantees bandwidth, not latency; for a strict low-latency class use the priority command as in 11.16.
11.8.  Using NBAR
Problem: Use NBAR (Network Based Application Recognition) to identify and classify traffic by application
Solution
Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#ip cef
Router1(config)#class-map INTERACTIVE
Router1(config-cmap)#match protocol citrix
Router1(config-cmap)#match protocol telnet
Router1(config-cmap)#exit
Router1(config)#policy-map QoSPolicy
Router1(config-pmap)#class INTERACTIVE
Router1(config-pmap-c)#bandwidth percent 50
Router1(config-pmap-c)#set dscp ef
Router1(config-pmap-c)#exit
Router1(config-pmap)#class class-default
Router1(config-pmap-c)#bandwidth percent 20
Router1(config-pmap-c)#random-detect dscp-based
Router1(config-pmap-c)#exit
Router1(config-pmap)#exit
Router1(config)#interface FastEthernet0/0
Router1(config-if)#service-policy output QoSPolicy
Router1(config-if)#exit
Router1(config)#end
Router1#
Cisco publishes additional PDLMs (Packet Description Language Modules) for download; loading one teaches NBAR a new protocol:
Router1#show flash

System flash directory:
File  Length   Name/status
  1   23169076  c2600-ipvoice-mz.124-10.bin
  2   3100     bittorrent.pdlm
[23172304 bytes used, 9857836 available, 33030140 total]
32768K bytes of processor board System flash (Read/Write)

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#ip nbar pdlm flash://bittorrent.pdlm
Router1(config)#class-map BITTORRENT
Router1(config-cmap)#match protocol bittorrent
Router1(config-cmap)#exit
Router1(config)#end
Router1#
NBAR can also simply discover and count the protocols seen on an interface:
Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ip nbar protocol-discovery
Router1(config-if)#exit
Router1(config)#end
Router1#
Discussion: NBAR inspects packet payloads and raises CPU utilization, more so with many protocol matches, so check show processes cpu after enabling it. show ip nbar protocol-discovery top-n 5 lists the most active protocols NBAR has recognized on the interface. Note that bandwidth and random-detect are queuing actions that IOS accepts only in a policy applied with service-policy output; a policy applied on input can only mark (set) or police. Because NBAR identifies applications by payload rather than by port number, the same class-map technique is also how unwanted traffic (peer-to-peer, applications tunneled over port 80) gets found and policed, not only how wanted traffic gets prioritized.
11.9.  Using WRED to Avoid Congestion
Problem: Drop packets selectively before a queue fills, so that TCP senders slow down gradually instead of all backing off at once when the queue tail-drops
Solution
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#class-map Prec5
Router(config-cmap)#description Critical
Router(config-cmap)#match ip precedence 5
Router(config-cmap)#exit
Router(config)#policy-map cb_wred
Router(config-pmap)#class Prec5
Router(config-pmap-c)#random-detect dscp-based
Router(config-pmap-c)#exit
Router(config-pmap)#class class-default
Router(config-pmap-c)#fair-queue 512
Router(config-pmap-c)#queue-limit 96
Router(config-pmap-c)#random-detect dscp-based
Router(config-pmap-c)#exit
Router(config-pmap)#exit
Router(config)#interface HSSI0/1
Router(config-if)#service-policy output cb_wred
Router(config-if)#exit
Router(config)#end
Router#

Discussion: WRED starts discarding a random sample of packets once the average queue depth crosses a minimum threshold and discards more aggressively as it approaches the maximum, so TCP flows back off one at a time rather than in lockstep. It only helps adaptive (TCP) traffic: UDP senders do not react to loss, so UDP-heavy classes should be policed rather than left to WRED. random-detect dscp-based uses per-DSCP thresholds so that, for example, AF13 is dropped before AF11 within the same class; the default is precedence-based. Combining it with fair-queue in class-default, as above, is the usual arrangement.
11.10.  Using RSVP
Problem: Enable RSVP on the network
Solution
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#access-list 15 permit 192.168.1.0 0.0.0.255
Router(config)#interface FastEthernet0/0
Router(config-if)#ip rsvp bandwidth 128 56
Router(config-if)#ip rsvp neighbor 15
Router(config-if)#exit
Router(config)#end
Router#

Discussion: ip rsvp bandwidth 128 56 allows at most 128 kbps in total to be reserved on the interface and at most 56 kbps for any one flow (with no arguments, 75% of the interface bandwidth is reservable). ip rsvp neighbor 15 accepts RSVP messages only from neighbors permitted by access list 15; since every accepted reservation takes bandwidth away from everyone else, keep that restriction on any interface facing hosts you do not control. RSVP needs a queuing mechanism that can honor the reservations, so the interface must already be running WFQ, CBWFQ or WRED.
11.11.  Manual RSVP Reservations
Problem: Create RSVP sender and receiver state on the routers themselves, on behalf of hosts that cannot signal RSVP
Solution
The sender host (192.168.100.202) is attached to Router1:
Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ip address 192.168.100.21 255.255.255.0
Router1(config-if)#ip rsvp bandwidth 128 56
Router1(config-if)#exit
Router1(config)#interface Serial0/0
Router1(config-if)#no ip address
Router1(config-if)#encapsulation frame-relay
Router1(config-if)#fair-queue 64 256 37
Router1(config-if)#ip rsvp bandwidth
Router1(config-if)#exit
Router1(config)#interface Serial0/0.1 point-to-point
Router1(config-subif)#ip address 192.168.55.9 255.255.255.252
Router1(config-subif)#frame-relay interface-dlci 904
Router1(config-fr-dlci)#ip rsvp bandwidth 128 56
Router1(config-subif)#exit
Router1(config)#ip rsvp sender 192.168.9.100 192.168.100.202 UDP 1300 1300 192.168.100.202 FastEthernet0/0 55 1
Router1(config)#end
Router1#
The receiver host (192.168.9.100) is attached to Router4:
Router4# configure terminal
Router4(config)#interface Ethernet0/0
Router4(config-if)#ip address 192.168.9.3 255.255.255.0
Router4(config-if)#ip rsvp bandwidth 128 56
Router4(config-if)#exit
Router4(config)#interface Serial0/0
Router4(config-if)#no ip address
Router4(config-if)#encapsulation frame-relay
Router4(config-if)#fair-queue 64 256 37
Router4(config-if)#ip rsvp bandwidth
Router4(config-if)#exit
Router4(config)#interface Serial0/0.1 point-to-point
Router4(config-subif)#ip address 192.168.56.5 255.255.255.252
Router4(config-subif)#frame-relay interface-dlci 107
Router4(config-fr-dlci)#ip rsvp bandwidth 128 56
Router4(config-subif)#exit
Router4(config)#ip rsvp reservation 192.168.9.100 192.168.100.202 UDP 1300 1300 192.168.9.100 Ethernet0/0 FF RATE 55 1
Router4(config)#end
Router4#
Discussion: ip rsvp sender on Router1 originates RSVP PATH messages as if they came from the sender 192.168.100.202: the session is 192.168.9.100, UDP destination port 1300 from source port 1300, the previous hop is 192.168.100.202 on FastEthernet0/0, and the request is for 55 kbps with a 1 KB burst. ip rsvp reservation on Router4 answers with RESV messages as if from the receiver 192.168.9.100; FF selects a fixed-filter reservation (a separate reservation for this one sender; the alternatives are SE, shared explicit, and WF, wildcard filter) and RATE requests guaranteed-rate service (LOAD would request controlled load). Check the result with show ip rsvp sender, show ip rsvp reservation and show ip rsvp installed.
11.12.  Aggregating RSVP Reservations
Problem: Let RSVP requests pass through the core without the core routers tracking or queuing every individual flow
Solution
Router2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router2(config)#interface FastEthernet0/0
Router2(config-if)#ip address 192.168.101.1 255.255.255.0
Router2(config-if)#ip rsvp bandwidth 128 56
Router2(config-if)#ip rsvp data-packet classification none
Router2(config-if)#ip rsvp resource-provider none
Router2(config-if)#exit
Router2(config)#interface Serial0/0.1 point-to-point
Router2(config-subif)#ip address 192.168.55.10 255.255.255.252
Router2(config-subif)#frame-relay interface-dlci 409
Router2(config-fr-dlci)#ip rsvp bandwidth 128 56
Router2(config-subif)#ip rsvp data-packet classification none
Router2(config-subif)#ip rsvp resource-provider none
Router2(config-subif)#exit
Router2(config)#end
Router2#

Discussion: RSVP does not scale well, because every router on the path keeps per-flow state; in the core, DSCP-based classification remains the usual approach. Starting in IOS 12.2(2)T a core router can still process RSVP signalling, so admission control works end to end, without classifying or queuing the data packets per flow: ip rsvp data-packet classification none turns off per-flow classification of the data, and ip rsvp resource-provider none stops RSVP from claiming a WFQ conversation for each reservation, leaving the data packets to the interface's ordinary DiffServ policy.
11.13.  Using Generic Traffic Shaping
Problem
Solution
Discussion
11.14.  Using Frame-Relay Traffic Shaping
Problem
Solution
Discussion
11.15.  Using Committed Access Rate
Problem
Solution
Discussion
11.16.  Implementing Standards-Based Per-Hop Behaviors (PHB)
Problem: Configure the DiffServ per-hop behaviors (EF and AF) defined in the standards, selected by the DSCP/precedence of the traffic
Solution
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#class-map EF
Router(config-cmap)#description Real-time application traffic
Router(config-cmap)#match ip precedence 5
Router(config-cmap)#exit
Router(config)#class-map AF1x
Router(config-cmap)#description Priority Class 1
Router(config-cmap)#match ip precedence 1
Router(config-cmap)#exit
Router(config)#class-map AF2x
Router(config-cmap)#description Priority Class 2
Router(config-cmap)#match ip precedence 2
Router(config-cmap)#exit
Router(config)#class-map AF3x
Router(config-cmap)#description Priority Class 3
Router(config-cmap)#match ip precedence 3
Router(config-cmap)#exit
Router(config)#class-map AF4x
Router(config-cmap)#description Priority Class 4
Router(config-cmap)#match ip precedence 4
Router(config-cmap)#exit
Router(config)#policy-map cbwfq_pq
Router(config-pmap)#class EF
Router(config-pmap-c)#priority 58 800
Router(config-pmap-c)#exit
Router(config-pmap)#class AF1x
Router(config-pmap-c)#bandwidth percent 15
Router(config-pmap-c)#random-detect dscp-based
Router(config-pmap-c)#exit
Router(config-pmap)#class AF2x
Router(config-pmap-c)#bandwidth percent 15
Router(config-pmap-c)#random-detect dscp-based
Router(config-pmap-c)#exit
Router(config-pmap)#class AF3x
Router(config-pmap-c)#bandwidth percent 15
Router(config-pmap-c)#random-detect dscp-based
Router(config-pmap-c)#exit
Router(config-pmap)#class AF4x
Router(config-pmap-c)#bandwidth percent 15
Router(config-pmap-c)#random-detect dscp-based
Router(config-pmap-c)#exit
Router(config-pmap)#class class-default
Router(config-pmap-c)#fair-queue 512
Router(config-pmap-c)#queue-limit 96
Router(config-pmap-c)#exit
Router(config-pmap)#exit
Router(config)#interface HSSI0/1
Router(config-if)#service-policy output cbwfq_pq
Router(config-if)#exit
Router(config)#end
Router#
Discussion: The EF class (RFC 3246, Expedited Forwarding, DSCP 46) is served by the priority command, which makes it a strict low-latency queue but also polices it to 58 kbps (with an 800-byte burst) during congestion, so a flood of EF-marked traffic cannot starve the other classes the way it would under plain priority queuing. The four AF classes (RFC 2597, Assured Forwarding) each get a bandwidth guarantee plus DSCP-based WRED, so that within a class the packets carrying a higher drop precedence (AFx3, then AFx2) are discarded before AFx1. class-default keeps flow-based fair queuing. The class-maps match on precedence, which is the top three bits of the DSCP, so AF1x catches AF11, AF12 and AF13 together; match ip dscp af11 af12 af13 would be the exact equivalent.
11.17.  AutoQoS
Problem: Have the router generate a QoS policy automatically, either for VoIP or for general IP traffic
Solution
For VoIP traffic:
Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#ip cef
Router1(config)#interface Serial0/0
Router1(config-if)#no ip address
Router1(config-if)#encapsulation frame-relay
Router1(config-if)#exit
Router1(config)#interface Serial0/0.1 point-to-point
Router1(config-subif)#ip address 192.168.55.9 255.255.255.252
Router1(config-subif)#frame-relay interface-dlci 904
Router1(config-fr-dlci)#auto qos voip
%Creating new map-class.
Router1(config-fr-dlci)#exit
Router1(config-subif)#exit
Router1(config)#end
Router1#
*Mar  1 01:32:55.031: %RMON-5-FALLINGTRAP: Falling trap is generated because the value of cbQosCMDropBitRate.1169.1171 has fallen below the falling-threshold value 0
Router1#
For general IP traffic, the first step is to collect a profile of the traffic on the link:
Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#ip cef
Router1(config)#interface Serial0/0
Router1(config-if)#no ip address
Router1(config-if)#encapsulation frame-relay
Router1(config-if)#exit
Router1(config)#interface Serial0/0.1 point-to-point
Router1(config-subif)#ip address 192.168.55.9 255.255.255.252
Router1(config-subif)#frame-relay interface-dlci 904
Router1(config-fr-dlci)#auto discovery qos
Router1(config-fr-dlci)#exit
Router1(config-subif)#exit
Router1(config)#end
Router1#
The second step generates the policy from what was discovered:
Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#interface Serial0/0.1 point-to-point
Router1(config-subif)#frame-relay interface-dlci 904
Router1(config-fr-dlci)#auto qos
%Creating new map-class.
Router1(config-fr-dlci)#no auto discovery qos
Router1(config-fr-dlci)#exit
Router1(config-subif)#exit
Router1(config)#end
Router1#
Discussion: AutoQoS is convenient but comes with restrictions: it works only on point-to-point links (for Frame Relay, on point-to-point subinterfaces), cannot be combined with frame-relay map statements or virtual templates, does not work on SVCs, must be configured at both ends of the link, requires that no service-policy or access-group be attached to the interface already, and requires CEF. AutoQoS for VoIP appeared in 12.2(15)T; it is a macro that expands into ordinary class-map, policy-map and map-class configuration, which you can inspect with show auto qos. AutoQoS for general IP traffic appeared in 12.3(7)T; it runs the discovery phase for a while and then sorts the traffic into ten classes. Apply auto qos first and only then remove the discovery with no auto discovery qos, as shown. If you later want to get rid of AutoQoS, no auto qos does not clean up everything the macro generated, so save the output of show auto qos (or the whole configuration) before you start. AutoQoS is not a cure-all: use it with care and review what it produced.
11.18.  Viewing Queue Parameters
Problem: Display the queuing configuration and state of an interface
Solution
Router#show queue FastEthernet0/0
Router#show queueing
Discussion: show queue lists the active conversations on an interface running WFQ or CBWFQ; it produces no output for interfaces running priority queuing or custom queuing. For those use show queueing (or show queueing priority and show queueing custom) together with show interface.

Chapter 12. Tunnels and VPNs

12.1.  Creating a Tunnel
Problem: Carry IP traffic between two points across a network through a tunn
Solution
Router1# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)# interface Tunnel1
Router1(config-if)# ip address 192.168.35.6 255.255.255.252
Router1(config-if)# tunnel source 172.25.1.5
Router1(config-if)# tunnel destination 172.25.1.7
Router1(config-if)# exit
Router1(config)# end
Router1#
Router5# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router5(config)# interface Tunnel3
Router5(config-if)# ip address 192.168.35.5 255.255.255.252
Router5(config-if)# tunnel source 172.25.1.7
Router5(config-if)# tunnel destination 172.25.1.5
Router5(config-if)# exit
Router5(config)# end
Router5#
Discussion: The tunnel source can also be given as an interface name, as in tunnel source Ethernet0, which binds the tunnel to whatever address that interface has. A tunnel interface normally stays up/up even when the far end is unreachable or powered off, because nothing checks the other side. Since 12.2(8)T a GRE tunnel supports keepalives: keepalive 3 2 sends one keepalive every 3 seconds and declares the tunnel down after 2 in a row go unanswered, which lets routing protocols fail over instead of blackholing traffic.
For integrity checking and reordering protection you can add tunnel checksum and tunnel sequence-datagrams, but GRE is not TCP: a packet that fails the checksum or arrives out of sequence is dropped and never retransmitted. Neither option authenticates anything; anyone who can spoof the tunnel source address can inject packets into a plain GRE tunnel, so use IPsec (12.5) wherever that matters. The default mode is GRE; tunnel mode ipip switches to IP-in-IP encapsulation.
Because GRE wraps the original packet in a new 20-byte IP header plus a 4-byte GRE header, the effective MTU drops to 1476 on a 1500-byte link, and lower still when the checksum, key or sequence options are in use. For TCP sessions the router itself originates, ip tcp path-mtu-discovery helps; for the tunnel use tunnel path-mtu-discovery, which lets the router learn the path MTU from ICMP Fragmentation Needed messages. Since 12.2(13)T, tunnel path-mtu-discovery min-mtu 500 puts a floor under that value, so forged or bogus ICMP messages cannot drive the tunnel MTU down to a uselessly small size.
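As an added example (Python written for this page, not code from the book or from IOS): a minimal GRE encapsulator and parser that shows what the checksum and sequence options add to each packet, the MTU arithmetic behind the 1476-byte default, and what the min-mtu floor does with a reported path MTU. The sample payload is constructed and the function names are my own.

```python
# Added example: a minimal GRE (RFC 2784/2890) encapsulator and parser, to show what
# 'tunnel checksum' and 'tunnel sequence-datagrams' actually add to each packet and why
# neither is a security feature. Not IOS code; the sample payload is constructed.
import struct

GRE_FLAG_CHECKSUM = 0x8000   # C bit: checksum + reserved word present  (tunnel checksum)
GRE_FLAG_KEY = 0x2000        # K bit: 32-bit key present                  (tunnel key)
GRE_FLAG_SEQ = 0x1000        # S bit: 32-bit sequence number present      (tunnel sequence-datagrams)
GRE_VERSION_MASK = 0x0007
ETHERTYPE_IPV4 = 0x0800
IPV4_HEADER_LEN = 20


def inet_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (odd length padded with a zero byte)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_header_len(checksum=False, key=False, seq=False):
    return 4 + 4 * bool(checksum) + 4 * bool(key) + 4 * bool(seq)


def tunnel_mtu(physical_mtu=1500, checksum=False, key=False, seq=False):
    """Largest inner packet that fits without fragmenting: IOS shows 1476 for plain GRE on Ethernet."""
    return physical_mtu - IPV4_HEADER_LEN - gre_header_len(checksum, key, seq)


def build_gre(payload, proto=ETHERTYPE_IPV4, checksum=False, key=None, seq=None):
    """Encapsulate payload in a GRE header carrying the requested optional fields."""
    flags = 0
    options = b""
    if key is not None:
        flags |= GRE_FLAG_KEY
        options += struct.pack("!I", key)
    if seq is not None:
        flags |= GRE_FLAG_SEQ
        options += struct.pack("!I", seq)
    if not checksum:
        return struct.pack("!HH", flags, proto) + options + payload
    flags |= GRE_FLAG_CHECKSUM
    # the checksum covers the GRE header (checksum field zeroed) and the payload
    packet = struct.pack("!HHHH", flags, proto, 0, 0) + options + payload
    csum = inet_checksum(packet)
    return struct.pack("!HHHH", flags, proto, csum, 0) + options + payload


def parse_gre(packet):
    """Decode a GRE packet: proto, key, seq, checksum_ok (None if no checksum) and payload."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", packet[:4])
    if flags & GRE_VERSION_MASK:
        raise ValueError("only GRE version 0 is supported")
    has_csum, has_key, has_seq = flags & GRE_FLAG_CHECKSUM, flags & GRE_FLAG_KEY, flags & GRE_FLAG_SEQ
    if len(packet) < gre_header_len(has_csum, has_key, has_seq):
        raise ValueError("truncated GRE options")
    pos = 4
    result = {"proto": proto, "key": None, "seq": None, "checksum_ok": None}
    if has_csum:
        pos += 4
    if has_key:
        result["key"] = struct.unpack("!I", packet[pos:pos + 4])[0]
        pos += 4
    if has_seq:
        result["seq"] = struct.unpack("!I", packet[pos:pos + 4])[0]
        pos += 4
    if has_csum:
        # with a correct checksum the one's-complement sum of the whole packet is 0xFFFF, so ~sum == 0
        result["checksum_ok"] = inet_checksum(packet) == 0
    result["payload"] = packet[pos:]
    return result


def apply_pmtud(current_mtu, icmp_next_hop_mtu, min_mtu=500):
    """What 'tunnel path-mtu-discovery min-mtu 500' does with an ICMP Fragmentation Needed report:
    lower the tunnel MTU to the reported value, but never below the configured floor."""
    return max(min(current_mtu, icmp_next_hop_mtu), min_mtu)
```

The checksum catches corruption, and a flipped payload byte is reported as checksum_ok False, but it is trivially recomputed by anyone who forges a packet, which is why it is not an authentication mechanism. apply_pmtud(1476, 300) returns 500 rather than 300: a spoofed ICMP message cannot push the tunnel below the floor.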
12.2.  Tunneling Other Protocols over IP
Problem: Carry a non-IP protocol, such as IPX, across an IP network through a tunnel
Solution
Router1# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)# ipx routing AAAA.BBBB.0001
Router1(config)# interface Tunnel1
Router1(config-if)# ipx network AAA
Router1(config-if)# tunnel source 172.25.1.5
Router1(config-if)# tunnel destination 172.25.1.7
Router1(config-if)# exit
Router1(config)# end
Router1#
Router5# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router5(config)# ipx routing AAAA.BBBB.0002
Router5(config)# interface Tunnel3
Router5(config-if)# ipx network AAA
Router5(config-if)# tunnel source 172.25.1.7
Router5(config-if)# tunnel destination 172.25.1.5
Router5(config-if)# exit
Router5(config)# end
Router5#
Discussion: Only GRE mode carries IPX; tunnel mode ipip can encapsulate IP only. Several protocols can be configured on one tunnel interface, so a single GRE tunnel carries IP and IPX at the same time:
Router1(config)# interface Tunnel1
Router1(config-if)# ip address 192.168.35.6 255.255.255.252
Router1(config-if)# ipx network AAA
Router1(config-if)# tunnel source 172.25.1.5
Router1(config-if)# tunnel destination 172.25.1.7
Router1(config-if)# exit
Router1(config)# end
Router1#
12.3.  Tunnels and Dynamic Routing Protocols
Problem: Run a routing protocol through a tunnel
Solution
The problem to solve is recursive routing: if the route to the tunnel destination is learned through the tunnel itself, the router shuts the tunnel down, the route disappears, the tunnel comes back up, and the cycle repeats. The first way to prevent it is a static route to the tunnel destination via the physical next hop:
Router1# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)# interface Tunnel1
Router1(config-if)# ip address 192.168.35.6 255.255.255.252
Router1(config-if)# tunnel source 172.25.1.5
Router1(config-if)# tunnel destination 172.22.1.2
Router1(config-if)# exit
Router1(config)# ip route 172.22.1.2 255.255.255.255 172.25.1.1
Router1(config)# router eigrp 55
Router1(config-router)# network 192.168.35.0
Router1(config-router)# exit
Router1(config)# end
Router1#
The second way is to run a separate routing protocol on the tunnel interface, so that the tunnel endpoint addresses are never advertised through the tunnel:
Router1# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)# interface Tunnel1
Router1(config-if)# ip address 192.168.35.6 255.255.255.252
Router1(config-if)# tunnel source 172.25.1.5
Router1(config-if)# tunnel destination 172.22.1.2
Router1(config-if)# exit
Router1(config)# router eigrp 55
Router1(config-router)# network 172.22.0.0
Router1(config-router)# network 172.25.0.0
Router1(config-router)# exit
Router1(config)# router rip
Router1(config-router)# network 192.168.35.0
Router1(config-router)# exit
Router1(config)# end
Router1#
The third way is route filtering, advertising through the tunnel only the networks that belong behind it:
Router1# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)# interface Tunnel1
Router1(config-if)# ip address 192.168.35.6 255.255.255.252
Router1(config-if)# tunnel source 172.25.1.5
Router1(config-if)# tunnel destination 172.22.1.2
Router1(config-if)# exit
Router1(config)# ip prefix-list TUNNELROUTES seq 10 permit 192.168.0.0/16 ge 17
Router1(config)# router eigrp 55
Router1(config-router)# network 172.22.0.0
Router1(config-router)# network 172.25.0.0
Router1(config-router)# network 192.168.35.0
Router1(config-router)# distribute-list prefix TUNNELROUTES out Tunnel1
Router1(config-router)# exit
Router1(config)# end
Router1#

Discussion: The first two methods are simple but offer poor redundancy and scalability; the third is recommended. The prefix list permits only routes inside 192.168.0.0/16 with a length of /17 or longer, so the transport networks 172.22.0.0 and 172.25.0.0, which contain the tunnel endpoints, are never advertised out Tunnel1 and the peer can never learn the tunnel destination through the tunnel.
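As an added example (Python written for this page, not IOS code): the two checks behind this recipe, a longest-prefix-match lookup that detects when the route to the tunnel destination would itself point into the tunnel, and an evaluator for the TUNNELROUTES prefix list showing which routes the distribute-list lets out of Tunnel1. The routing tables are constructed to match the addresses used in the recipe.

```python
# Added example: recursive-routing detection and IOS prefix-list evaluation for the tunnel
# filter in 12.3. Not IOS code; the routing tables are constructed to match the recipe.
import ipaddress


def longest_match(routes, destination):
    """Longest-prefix match. routes is a list of (prefix, outgoing interface)."""
    dest = ipaddress.ip_address(destination)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def tunnel_is_recursive(routes, tunnel_iface, tunnel_destination):
    """True when the best route to the tunnel destination points into the tunnel itself.
    IOS detects this, logs %TUN-5-RECURDOWN and shuts the tunnel; once the route is gone the
    tunnel comes back, the route is relearned, and the cycle starts over."""
    match = longest_match(routes, tunnel_destination)
    return match is not None and match[1] == tunnel_iface


def prefix_list_permits(entries, prefix):
    """Evaluate an IOS prefix list: entries are (action, prefix, ge, le) in sequence order,
    the first match wins and the list ends with an implicit deny."""
    route = ipaddress.ip_network(prefix)
    for action, base_prefix, ge, le in entries:
        base = ipaddress.ip_network(base_prefix)
        low = ge if ge is not None else base.prefixlen
        if le is not None:
            high = le
        elif ge is not None:
            high = route.max_prefixlen
        else:
            high = base.prefixlen                      # no ge/le: exact length only
        same_bits = route.prefixlen >= base.prefixlen and route.network_address in base
        if same_bits and low <= route.prefixlen <= high:
            return action == "permit"
    return False


def advertised_out(routes, entries):
    """Prefixes that 'distribute-list prefix ... out' with these entries would let through."""
    return [prefix for prefix, _ in routes if prefix_list_permits(entries, prefix)]


# ip prefix-list TUNNELROUTES seq 10 permit 192.168.0.0/16 ge 17
TUNNELROUTES = [("permit", "192.168.0.0/16", 17, None)]

# Constructed: Router1's table once EIGRP has learned 172.22.0.0/16 from the peer over the tunnel.
ROUTES_WITH_LEAK = [
    ("0.0.0.0/0", "FastEthernet0/0"),
    ("172.25.0.0/16", "FastEthernet0/0"),
    ("192.168.35.0/30", "Tunnel1"),
    ("172.22.0.0/16", "Tunnel1"),
]
# The same table after the first method's static route to the tunnel destination.
ROUTES_WITH_STATIC = ROUTES_WITH_LEAK + [("172.22.1.2/32", "FastEthernet0/0")]
```

tunnel_is_recursive(ROUTES_WITH_LEAK, "Tunnel1", "172.22.1.2") is True and becomes False once the /32 static route is present; advertised_out(ROUTES_WITH_LEAK, TUNNELROUTES) contains only 192.168.35.0/30, so with the filter in place the peer can never be sent the 172.22.0.0 or 172.25.0.0 routes in the first place.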
12.4.  Viewing Tunnel Status
Problem: Check the state of a tunnel
Solution
Router1# show interface Tunnel5
Router1# ping 192.168.66.6
Router1# ping 172.22.1.4

Discussion: show interface shows the tunnel's encapsulation, source and destination, MTU and keepalive settings and its line protocol state; remember that without keepalives a tunnel reports up/up even when the far end is unreachable. Ping the peer's tunnel interface address to test the tunnel itself, then ping the peer's physical tunnel destination address to confirm the underlying path. If the second works and the first does not, the fault is in the tunnel configuration, not in the network between the routers.
12.5.  Creating an Encrypted Router-to-Router VPN over a GRE Tunnel
Problem: Create an encrypted VPN between two routers connected across the Internet, authenticated with a pre-shared key
Solution
Router1# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)# crypto isakmp policy 10
Router1(config-isakmp)# encr aes 256
Router1(config-isakmp)# authentication pre-share
Router1(config-isakmp)# group 2
Router1(config-isakmp)# exit
Router1(config)# crypto isakmp key TUNNELKEY01 address 172.16.2.1 no-xauth
Router1(config)# crypto ipsec transform-set TUNNEL-TRANSFORM ah-sha-hmac esp-aes 256
Router1(cfg-crypto-trans)# mode transport
Router1(cfg-crypto-trans)# exit
Router1(config)# crypto map TUNNELMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
    and a valid access list have been configured.
Router1(config-crypto-map)# set peer 172.16.2.1
Router1(config-crypto-map)# set transform-set TUNNEL-TRANSFORM
Router1(config-crypto-map)# match address 102
Router1(config-crypto-map)# exit
Router1(config)# access-list 102 permit gre host 172.16.1.1 host 172.16.2.1
Router1(config)# interface Tunnel1
Router1(config-if)# ip address 192.168.1.1 255.255.255.252
Router1(config-if)# tunnel source 172.16.1.1
Router1(config-if)# tunnel destination 172.16.2.1
Router1(config-if)# exit
Router1(config)# interface FastEthernet0/0
Router1(config-if)# ip address 172.16.1.1 255.255.255.0
Router1(config-if)# ip access-group 101 in
Router1(config-if)# crypto map TUNNELMAP
Router1(config-if)# exit
Router1(config)# access-list 101 permit gre host 172.16.2.1 host 172.16.1.1
Router1(config)# access-list 101 permit esp host 172.16.2.1 host 172.16.1.1
Router1(config)# access-list 101 permit udp host 172.16.2.1 host 172.16.1.1 eq isakmp
Router1(config)# access-list 101 permit ahp host 172.16.2.1 host 172.16.1.1
Router1(config)# access-list 101 deny ip any any log
Router1(config)# interface Loopback0
Router1(config-if)# ip address 192.168.16.1 255.255.255.0
Router1(config-if)# exit
Router1(config)# ip route 0.0.0.0 0.0.0.0 172.16.1.2
Router1(config)# ip route 192.168.15.0 255.255.255.0 192.168.1.2
Router1(config)# end
Router1#
Router2# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router2(config)# crypto isakmp policy 10
Router2(config-isakmp)# encr aes 256
Router2(config-isakmp)# authentication pre-share
Router2(config-isakmp)# group 2
Router2(config-isakmp)# exit
Router2(config)# crypto isakmp key TUNNELKEY01 address 172.16.1.1
Router2(config)# crypto ipsec transform-set TUNNEL-TRANSFORM ah-sha-hmac esp-aes 256
Router2(cfg-crypto-trans)# mode transport
Router2(cfg-crypto-trans)# exit
Router2(config)# crypto map TUNNELMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
    and a valid access list have been configured.
Router2(config-crypto-map)# set peer 172.16.1.1
Router2(config-crypto-map)# set transform-set TUNNEL-TRANSFORM
Router2(config-crypto-map)# match address 102
Router2(config-crypto-map)# exit
Router2(config)# access-list 102 permit gre host 172.16.2.1 host 172.16.1.1
Router2(config)# interface Tunnel1
Router2(config-if)# ip address 192.168.1.2 255.255.255.252
Router2(config-if)# tunnel source 172.16.2.1
Router2(config-if)# tunnel destination 172.16.1.1
Router2(config-if)# exit
Router2(config)# interface FastEthernet0/0
Router2(config-if)# ip address 172.16.2.1 255.255.255.0
Router2(config-if)# ip access-group 101 in
Router2(config-if)# crypto map TUNNELMAP
Router2(config-if)# exit
Router2(config)# access-list 101 permit gre host 172.16.1.1 host 172.16.2.1
Router2(config)# access-list 101 permit esp host 172.16.1.1 host 172.16.2.1
Router2(config)# access-list 101 permit udp host 172.16.1.1 host 172.16.2.1 eq isakmp
Router2(config)# access-list 101 permit ahp host 172.16.1.1 host 172.16.2.1
Router2(config)# access-list 101 deny ip any any log
Router2(config)# interface Loopback0
Router2(config-if)# ip address 192.168.15.1 255.255.255.0
Router2(config-if)# exit
Router2(config)# ip route 0.0.0.0 0.0.0.0 172.16.2.2
Router2(config)# ip route 192.168.16.0 255.255.255.0 192.168.1.1
Router2(config)# end
Router2#

Discussion: The first step defines an ISAKMP (IKE phase 1) policy. When the peers negotiate, their policies are compared in order of priority number, lowest number first, until one matches on both sides; show crypto isakmp policy lists them. Next comes the pre-shared key, crypto isakmp key, which can be tied to the peer's IP address or to its hostname; for hostnames the peer must also be configured with crypto isakmp identity hostname. show crypto isakmp key lists the keys, show crypto isakmp sa shows the phase 1 security associations and show crypto ipsec sa the resulting IPsec (phase 2) security associations. The transform set defines how matching packets are protected, here AH with SHA-1 HMAC plus ESP with AES-256, in transport mode. Tunnel mode is the default, but for GRE transport mode is enough, since GRE already supplies the outer IP header, and it saves 20 bytes per packet. A GRE-over-IPsec tunnel is simpler and more flexible than a plain IPsec tunnel because it has a routable interface and can carry dynamic routing protocols and non-IP traffic. The crypto map ties together the peer, the transform set and the access list describing the traffic to protect (the GRE packets between the two public addresses); it must be applied to the physical interface that sends and receives the GRE packets, not to the tunnel interface.
Access list 101 on the outside interface admits only the peer's GRE, ESP, AH and ISAKMP (UDP 500) packets and logs everything else. If either router ends up behind NAT, IKE switches to NAT traversal on UDP 4500, which this list does not permit. Two of the choices shown are dated: Diffie-Hellman group 2 (1024-bit) and a short static pre-shared key are weaker than current practice, so prefer group 14 or higher and a long random key, or RSA keys (12.7 and 12.8), where the IOS version allows.
show crypto engine connections active shows the current encrypted connections.
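As an added example, not code from the book or from IOS: a small evaluator for IOS extended access lists, loaded with Router1's access-list 101 from this recipe and run against constructed sample packets. It shows what the list admits (the peer's GRE, ESP, AH and IKE on UDP 500) and what it silently drops, including IKE NAT traversal on UDP 4500, the usual surprise when one end sits behind NAT. Only the address forms and keywords used in these recipes are parsed; the function names are my own.

```python
# Added example: an evaluator for the extended access list that guards the outside interface
# in 12.5, so the rules can be checked against sample packets offline. Not IOS code; the ACL
# text is Router1's access-list 101 from the page and the test packets are constructed.
import ipaddress

# IOS port keywords used in these recipes; numeric ports are accepted as well.
PORT_KEYWORDS = {"isakmp": 500, "non500-isakmp": 4500, "ftp": 21, "ftp-data": 20, "telnet": 23}
PROTOCOL_ALIASES = {"ahp": "ah"}        # IOS writes AH as 'ahp' in access lists

ROUTER1_ACL_101 = """
access-list 101 permit gre host 172.16.2.1 host 172.16.1.1
access-list 101 permit esp host 172.16.2.1 host 172.16.1.1
access-list 101 permit udp host 172.16.2.1 host 172.16.1.1 eq isakmp
access-list 101 permit ahp host 172.16.2.1 host 172.16.1.1
access-list 101 deny ip any any log
"""


def _parse_address(tokens, i):
    """Parse 'any' | 'host A' | 'A wildcard' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    address, wildcard = tokens[i], tokens[i + 1]
    mask = (~int(ipaddress.ip_address(wildcard))) & 0xFFFFFFFF     # wildcard is an inverted mask
    return ipaddress.ip_network(f"{address}/{ipaddress.ip_address(mask)}", strict=False), i + 2


def _parse_port(tokens, i):
    """Optional 'eq <port>' at tokens[i]; return (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        word = tokens[i + 1]
        return (PORT_KEYWORDS[word] if word in PORT_KEYWORDS else int(word)), i + 2
    return None, i


def parse_extended_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [log]' lines into rules."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        permit = t[2] == "permit"
        proto = PROTOCOL_ALIASES.get(t[3], t[3])
        src, i = _parse_address(t, 4)
        sport, i = _parse_port(t, i)
        dst, i = _parse_address(t, i)
        dport, i = _parse_port(t, i)
        rules.append({"permit": permit, "proto": proto, "src": src, "sport": sport,
                      "dst": dst, "dport": dport, "log": "log" in t[i:]})
    return rules


def acl_permits(rules, proto, src, dst, sport=None, dport=None):
    """First-match evaluation; a packet matching no line hits the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["proto"] not in ("ip", proto):
            continue
        if s not in r["src"] or d not in r["dst"]:
            continue
        if r["sport"] is not None and r["sport"] != sport:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["permit"]
    return False
```

Run against the recipe's list, ESP from 172.16.2.1 is permitted, UDP 500 from the peer is permitted, UDP 4500 from the same peer is denied, and ESP from any other address is denied. Add access-list 101 permit udp host 172.16.2.1 host 172.16.1.1 eq non500-isakmp if NAT traversal is ever needed.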
12.6.  Creating an Encrypted VPN Between the LAN Interfaces of Two Routers
Problem: Create an encrypted VPN across the Internet between the LAN networks of two routers, using a pre-shared key and no GRE tunnel
Solution
Router1:
Router1# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)# crypto isakmp policy 10
Router1(config-isakmp)# encr aes 256
Router1(config-isakmp)# authentication pre-share
Router1(config-isakmp)# group 2
Router1(config-isakmp)# exit
Router1(config)# crypto isakmp key TUNNELKEY01 address 172.16.2.1 no-xauth
Router1(config)# crypto ipsec transform-set LAN2LAN-TRANSFORM ah-sha-hmac esp-aes 256
Router1(cfg-crypto-trans)# exit
Router1(config)# crypto map LAN2LANMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
    and a valid access list have been configured.
Router1(config-crypto-map)# set peer 172.16.2.1
Router1(config-crypto-map)# set transform-set LAN2LAN-TRANSFORM
Router1(config-crypto-map)# match address 103
Router1(config-crypto-map)# exit
Router1(config)# access-list 103 permit ip 192.168.16.0 0.0.0.255 192.168.15.0 0.0.0.255
Router1(config)# interface FastEthernet0/1
Router1(config-if)# ip address 192.168.16.1 255.255.255.0
Router1(config-if)# exit
Router1(config)# interface FastEthernet0/0
Router1(config-if)# ip address 172.16.1.1 255.255.255.0
Router1(config-if)# ip access-group 101 in
Router1(config-if)# crypto map LAN2LANMAP
Router1(config-if)# exit
Router1(config)# ip route 0.0.0.0 0.0.0.0 172.16.1.2
Router1(config)# access-list 101 permit esp host 172.16.2.1 host 172.16.1.1
Router1(config)# access-list 101 permit udp host 172.16.2.1 host 172.16.1.1 eq isakmp
Router1(config)# access-list 101 permit ahp host 172.16.2.1 host 172.16.1.1
Router1(config)# access-list 101 deny ip any any log
Router1(config)# end
Router1#
Router2:
Router2# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router2(config)# crypto isakmp policy 10
Router2(config-isakmp)# encr aes 256
Router2(config-isakmp)# authentication pre-share
Router2(config-isakmp)# group 2
Router2(config-isakmp)# exit
Router2(config)# crypto isakmp key TUNNELKEY01 address 172.16.1.1
Router2(config)# crypto ipsec transform-set LAN2LAN-TRANSFORM ah-sha-hmac esp-aes 256
Router2(cfg-crypto-trans)# exit
Router2(config)# crypto map LAN2LANMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
    and a valid access list have been configured.
Router2(config-crypto-map)# set peer 172.16.1.1
Router2(config-crypto-map)# set transform-set LAN2LAN-TRANSFORM
Router2(config-crypto-map)# match address 103
Router2(config-crypto-map)# exit
Router2(config)# access-list 103 permit ip 192.168.15.0 0.0.0.255 192.168.16.0 0.0.0.255

Router2(config)# interface FastEthernet0/1
Router2(config-if)# description Internal LAN
Router2(config-if)# ip address 192.168.15.1 255.255.255.0
Router2(config-if)# exit
Router2(config)# interface FastEthernet0/0
Router2(config-if)# description Connection to Internet
Router2(config-if)# ip address 172.16.2.1 255.255.255.0
Router2(config-if)# ip access-group 101 in
Router2(config-if)# crypto map LAN2LANMAP
Router2(config-if)# exit
Router2(config)# ip route 0.0.0.0 0.0.0.0 172.16.2.2
Router2(config)# access-list 101 permit esp host 172.16.1.1 host 172.16.2.1
Router2(config)# access-list 101 permit udp host 172.16.1.1 host 172.16.2.1 eq isakmp
Router2(config)# access-list 101 permit ahp host 172.16.1.1 host 172.16.2.1
Router2(config)# access-list 101 deny ip any any log
Router2(config)# end
Router2#

Discussion: The difference from 12.5 is that 12.5 builds a routable tunnel and then encrypts it, whereas here there is no tunnel interface at all. The transform set therefore uses IPsec's default tunnel mode instead of mode transport, and the crypto access list (103) selects the traffic to protect by its inner addresses, the two LAN networks, rather than GRE packets between the router addresses. Traffic that matches the crypto ACL is encrypted to the peer; everything else leaves in the clear, so that ACL is effectively the VPN's policy and should be written as narrowly as possible. Because there is no tunnel interface, no dynamic routing runs across the VPN, and the remote LAN is reached through the default route with the crypto map intercepting the packets on the way out; the routed GRE approach of 12.5 is usually preferable for that reason. Access list 101 on the outside interface is the same as in 12.5 minus the GRE entry and must be applied with ip access-group 101 in on both routers.
12.7.  Generating RSA Keys
Problem: Generate an RSA key pair on the router for use in encryption or authentication
Solution
First generate the key pair on Router1 and display its public key:
Router1# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)# crypto key generate rsa
The name for the keys will be: Router1.oreilly.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024
Generating RSA keys ...
[OK]

Router1(config)# end
Router1# show crypto key mypubkey rsa
% Key pair was generated at: 01:19:45 EST Mar 1 2003
Key name: Router1.oreilly.com
Usage: General Purpose Key
Key Data:
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00E68338
  D561B2D1 7B8B75D6 7B34F6AF 1710B00B 5B6E9E8D D7183BE6 F08A6342 054EADFC
  B764DF9C 4592B891 522727F2 14233B47 8F757134 24F03DB3 833C5988 312B11E9
  FB6E0E20 4579C0A4 F2062353 4F1C8CE4 410EE57B 9FCEE784 DA7E3852 408E9742
  2584DF56 67293F3F F76B6A96 C4D518FB 1A0114BF E2449838 BE5794E2 37020301 0001
% Key pair was generated at: 01:19:52 EST Mar 1 2003
Key name: Router1.oreilly.com.server
Usage: Encryption Key
Key Data:
  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00BD928A BD5637E6
  2265621C 3AC57138 911CA27D 11F40AA1 E657EA26 6EBF654C 952A3319 D421A33C
  E2ECA87E CD7E050C 8A8FE64D B73954EA BF2ED639 BC6A8F74 5B9550EA 4119E796
  A97430E2 4B1BF7D3 ED1469FF AEA83690 A0FEA871 BBFBE8AD 19020301 0001
Router1#
Then copy and paste the public key into the peer router's configuration:
Router2# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router2(config)# crypto key pubkey-chain rsa
Router2(config-pubkey-chain)# addressed-key 192.168.99.1
Router2(config-pubkey-key)# address 192.168.99.1
Router2(config-pubkey-key)# key-string
Enter a public key as a hexidecimal number ....

Router2(config-pubkey)# 30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00E68338
Router2(config-pubkey)# D561B2D1 7B8B75D6 7B34F6AF 1710B00B 5B6E9E8D D7183BE6 F08A6342 054EADFC
Router2(config-pubkey)# B764DF9C 4592B891 522727F2 14233B47 8F757134 24F03DB3 833C5988 312B11E9
Router2(config-pubkey)# FB6E0E20 4579C0A4 F2062353 4F1C8CE4 410EE57B 9FCEE784 DA7E3852 408E9742
Router2(config-pubkey)# 2584DF56 67293F3F F76B6A96 C4D518FB 1A0114BF E2449838 BE5794E2 37020301 0001
Router2(config-pubkey)# quit
Router2(config-pubkey-key)# exit
Router2(config-pubkey-chain)# exit
Router2(config)# end
Router2# show crypto key pubkey-chain rsa address 192.168.99.1
Key address: 192.168.99.1     
Usage: General Purpose Key
Source: Manually entered
Data:
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00E68338
  D561B2D1 7B8B75D6 7B34F6AF 1710B00B 5B6E9E8D D7183BE6 F08A6342 054EADFC
  B764DF9C 4592B891 522727F2 14233B47 8F757134 24F03DB3 833C5988 312B11E9
  FB6E0E20 4579C0A4 F2062353 4F1C8CE4 410EE57B 9FCEE784 DA7E3852 408E9742
  2584DF56 67293F3F F76B6A96 C4D518FB 1A0114BF E2449838 BE5794E2 37020301 0001


Router2#
Discussion: Because the key name includes the router hostname and domain name, these must be configured first:
Router1(config)# hostname Router1
Router1(config)# ip domain-name oreilly.com
If either of these is changed afterwards, the key becomes invalid. Use crypto key zeroize rsa to delete the current keys.
12.8.  Creating a Router-to-Router VPN with RSA Keys
Problem: Create an encrypted VPN using RSA keys
Solution
R1
Router1# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
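The hex blobs printed by show crypto key mypubkey rsa are the DER encoding of an RSA SubjectPublicKeyInfo. As an added example (not from the cookbook), this Python parses them with the standard library only, reports modulus size and a SHA-256 fingerprint, and checks that what was pasted into Router2 is byte for byte the key Router1 generated. The key data is copied from the output above; the function and constant names are this example's own.

```python
"""Parse and compare the RSA public keys that IOS prints with
`show crypto key mypubkey rsa` (DER SubjectPublicKeyInfo, RFC 5280).
Added example, standard library only; key blobs copied from recipe 12.7."""
import hashlib
import re

# Router1's general-purpose key, as shown by `show crypto key mypubkey rsa`
ROUTER1_GENERAL_KEY = """
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00E68338
D561B2D1 7B8B75D6 7B34F6AF 1710B00B 5B6E9E8D D7183BE6 F08A6342 054EADFC
B764DF9C 4592B891 522727F2 14233B47 8F757134 24F03DB3 833C5988 312B11E9
FB6E0E20 4579C0A4 F2062353 4F1C8CE4 410EE57B 9FCEE784 DA7E3852 408E9742
2584DF56 67293F3F F76B6A96 C4D518FB 1A0114BF E2449838 BE5794E2 37020301 0001
"""

# The same key as it was typed into Router2, IOS prompts included
ROUTER2_PASTED_KEY = """
Router2(config-pubkey)# 30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00E68338
Router2(config-pubkey)# D561B2D1 7B8B75D6 7B34F6AF 1710B00B 5B6E9E8D D7183BE6 F08A6342 054EADFC
Router2(config-pubkey)# B764DF9C 4592B891 522727F2 14233B47 8F757134 24F03DB3 833C5988 312B11E9
Router2(config-pubkey)# FB6E0E20 4579C0A4 F2062353 4F1C8CE4 410EE57B 9FCEE784 DA7E3852 408E9742
Router2(config-pubkey)# 2584DF56 67293F3F F76B6A96 C4D518FB 1A0114BF E2449838 BE5794E2 37020301 0001
"""

# Router1's second key (Usage: Encryption Key)
ROUTER1_ENCRYPTION_KEY = """
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00BD928A BD5637E6
2265621C 3AC57138 911CA27D 11F40AA1 E657EA26 6EBF654C 952A3319 D421A33C
E2ECA87E CD7E050C 8A8FE64D B73954EA BF2ED639 BC6A8F74 5B9550EA 4119E796
A97430E2 4B1BF7D3 ED1469FF AEA83690 A0FEA871 BBFBE8AD 19020301 0001
"""

RSA_ENCRYPTION_OID = bytes.fromhex("2A864886F70D010101")  # 1.2.840.113549.1.1.1


def ios_hex_to_der(text: str) -> bytes:
    """Strip IOS prompts and whitespace from a pasted key and decode the hex."""
    lines = [re.sub(r"^.*#\s*", "", line) for line in text.strip().splitlines()]
    return bytes.fromhex("".join(lines).replace(" ", ""))


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        num_bytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + num_bytes], "big")
        pos += num_bytes
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_public_key(der: bytes):
    """Return (modulus, public exponent) from a DER SubjectPublicKeyInfo."""
    tag, spki, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag, alg_id, pos = _read_tlv(spki, 0)            # AlgorithmIdentifier
    oid_tag, oid, _ = _read_tlv(alg_id, 0)
    if oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bit_string, _ = _read_tlv(spki, pos)        # subjectPublicKey BIT STRING
    if tag != 0x03 or bit_string[0] != 0:            # first byte = unused bits
        raise ValueError("unexpected BIT STRING")
    _, rsa_key, _ = _read_tlv(bit_string[1:], 0)     # RSAPublicKey SEQUENCE
    _, n_bytes, pos = _read_tlv(rsa_key, 0)          # INTEGER modulus
    _, e_bytes, _ = _read_tlv(rsa_key, pos)          # INTEGER publicExponent
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def key_summary(text: str) -> dict:
    """Modulus size in bits, exponent and SHA-256 fingerprint of a pasted key."""
    der = ios_hex_to_der(text)
    n, e = parse_rsa_public_key(der)
    return {"bits": n.bit_length(), "exponent": e,
            "sha256": hashlib.sha256(der).hexdigest()}


def keys_match(text_a: str, text_b: str) -> bool:
    """True if two pasted blobs decode to the identical public key."""
    return ios_hex_to_der(text_a) == ios_hex_to_der(text_b)


if __name__ == "__main__":
    for name, blob in [("general", ROUTER1_GENERAL_KEY),
                       ("encryption", ROUTER1_ENCRYPTION_KEY)]:
        print(name, key_summary(blob))
    print("Router2 copy matches Router1:",
          keys_match(ROUTER1_GENERAL_KEY, ROUTER2_PASTED_KEY))
```

Comparing the fingerprint on both ends before bringing up the tunnel catches a mis-pasted line, which IOS cannot detect for you.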
Router1(config)# crypto key pubkey-chain rsa
Router1(config-pubkey-chain)# addressed-key 172.16.2.1
Router1(config-pubkey-key)# address 172.16.2.1
Router1(config-pubkey-key)# key-string
Enter a public key as a hexidecimal number ....
Router1(config-pubkey)# 30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00EB0AB2
Router1(config-pubkey)# EA33B519 0CD95EFF EDFD4723 BED73640 97981CC0 1FC83FBF 5C6DF97C 8CB8CE0A
Router1(config-pubkey)# C5FE959D 1E055002 83B92EF4 35B69545 C3217E5F E0C32A73 44FD2373 15979E77
Router1(config-pubkey)# 75598BE0 B4A4E7B2 3C318C2D 3BF3B192 8B71D8C9 A1E0F929 0E84BDAD EC909833
Router1(config-pubkey)# BC425170 400BD26A 319E632F 4E9649F5 BA7ADA40 5A94B09C 05F8414E 33020301 0001
Router1(config-pubkey)# quit
Router1(config-pubkey-key)# exit
Router1(config-pubkey-chain)# exit

Router1(config)# crypto isakmp policy 100
Router1(config-isakmp)# encryption aes 256
Router1(config-isakmp)# authentication rsa-encr
Router1(config-isakmp)# group 2
Router1(config-isakmp)# exit
Router1(config)# crypto ipsec transform-set TUNNEL-TRANSFORM ah-sha-hmac esp-aes 256
Router1(cfg-crypto-trans)# mode transport
Router1(cfg-crypto-trans)# exit
Router1(config)# crypto map TUNNEL-RSA 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
    and a valid access list have been configured.
Router1(config-crypto-map)# set peer 172.16.2.1
Router1(config-crypto-map)# set transform-set TUNNEL-TRANSFORM
Router1(config-crypto-map)# match address 102
Router1(config-crypto-map)# exit
Router1(config)# access-list 102 permit gre host 172.16.1.1 host 172.16.2.1
Router1(config)# interface Tunnel1
Router1(config-if)# ip address 192.168.1.1 255.255.255.252
Router1(config-if)# tunnel source 172.16.1.1
Router1(config-if)# tunnel destination 172.16.2.1
Router1(config-if)# exit
Router1(config)# interface FastEthernet0/0
Router1(config-if)# ip address 172.16.1.1 255.255.255.0
Router1(config-if)# ip access-group 101 in
Router1(config-if)# crypto map TUNNEL-RSA
Router1(config-if)# exit
Router1(config)# access-list 101 permit gre host 172.16.2.1 host 172.16.1.1
Router1(config)# access-list 101 permit esp host 172.16.2.1 host 172.16.1.1
Router1(config)# access-list 101 permit udp host 172.16.2.1 host 172.16.1.1 eq isakmp
Router1(config)# access-list 101 permit ahp host 172.16.2.1 host 172.16.1.1
Router1(config)# access-list 101 deny ip any any log
Router1(config)# end
Router1#
R2
Router2# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router2(config)# crypto key pubkey-chain rsa
Router2(config-pubkey-chain)# addressed-key 172.16.1.1
Router2(config-pubkey-key)# address 172.16.1.1
Router2(config-pubkey-key)# key-string
Enter a public key as a hexidecimal number ....

Router2(config-pubkey)# 30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00A0830E
Router2(config-pubkey)# 01E4B6E1 08823E41 8A98A7F4 DB0E6277 1E7AA500 F7B620CA 49BCBEBA B0A0455A
Router2(config-pubkey)# 114BA6B9 5ADE0D2E 7DC3EFC1 D7D07015 01C83E08 7305ED3C 71F04B44 31A1C574
Router2(config-pubkey)# C0E6ACA2 C191DB07 3D347F88 2D2884BF 99C2AF80 45BC1BE9 6D2BF684 B60C04E6
Router2(config-pubkey)# 0F3D5C09 7C26694F 8FB75F90 2FA1DF46 94401D54 82ACA366 E621DD04 4B020301 0001
Router2(config-pubkey)# quit
Router2(config-pubkey-key)# exit
Router2(config-pubkey-chain)# exit
Router2(config)# crypto isakmp policy 100
Router2(config-isakmp)# encryption aes 256
Router2(config-isakmp)# authentication rsa-encr
Router2(config-isakmp)# group 2
Router2(config-isakmp)# exit
Router2(config)# crypto ipsec transform-set TUNNEL-TRANSFORM ah-sha-hmac esp-aes 256
Router2(cfg-crypto-trans)# mode transport
Router2(cfg-crypto-trans)# exit
Router2(config)# crypto map TUNNEL-RSA 10 ipsec-isakmp
Router2(config-crypto-map)# set peer 172.16.1.1
Router2(config-crypto-map)# set transform-set TUNNEL-TRANSFORM
Router2(config-crypto-map)# match address 102
Router2(config-crypto-map)# exit
Router2(config)# access-list 102 permit gre host 172.16.2.1 host 172.16.1.1
Router2(config)# interface Tunnel1
Router2(config-if)# ip address 192.168.1.2 255.255.255.252
Router2(config-if)# tunnel source 172.16.2.1
Router2(config-if)# tunnel destination 172.16.1.1
Router2(config-if)# exit
Router2(config)# interface FastEthernet0/0
Router2(config-if)# ip address 172.16.2.1 255.255.255.0
Router2(config-if)# ip access-group 101 in
Router2(config-if)# crypto map TUNNEL-RSA
Router2(config-if)# exit
Router2(config)# access-list 101 permit gre host 172.16.1.1 host 172.16.2.1
Router2(config)# access-list 101 permit esp host 172.16.1.1 host 172.16.2.1
Router2(config)# access-list 101 permit udp host 172.16.1.1 host 172.16.2.1 eq isakmp
Router2(config)# access-list 101 permit ahp host 172.16.1.1 host 172.16.2.1
Router2(config)# access-list 101 deny ip any any log
Router2(config)# end
Router2#
Discussion: Similar to 12.3 and 12.6
12.9.  Creating a Host-to-Router VPN
Problem: VPN connections from remote hosts to the router
Solution
Only the router configuration is shown; the client software configuration on the host is not
Router1# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)# aaa new-model
Router1(config)# aaa authentication login default group tacacs+
Router1(config)# aaa authentication enable default group tacacs+
Router1(config)# tacacs-server host 172.25.1.1
Router1(config)# tacacs-server key NEOSHI
Router1(config)# crypto isakmp policy 10
Router1(config-isakmp)# encryption 3des
Router1(config-isakmp)# authentication pre-share
Router1(config-isakmp)# group 2
Router1(config-isakmp)# exit
Router1(config)# crypto ipsec transform-set VPN-TRANSFORMS ah-sha-hmac esp-sha-hmac esp-3des
Router1(cfg-crypto-trans)# mode tunnel
Router1(cfg-crypto-trans)# exit
Router1(config)# crypto dynamic-map VPN-USER-MAP 50                  
Router1(config-crypto-map)# description A dynamic crypto map for VPN users
Router1(config-crypto-map)# match address 115                            
Router1(config-crypto-map)# set transform-set VPN-TRANSFORMS              
Router1(config-crypto-map)# exit
Router1(config)# access-list 115 deny ip any 224.0.0.0 35.255.255.255
Router1(config)# access-list 115 deny ip any 172.25.1.255 0.0.0.0
Router1(config)# access-list 115 permit ip any any
Router1(config)# crypto map CRYPTOMAP 10 ipsec-isakmp dynamic VPN-USER-MAP
Router1(config)# interface FastEthernet0/1
Router1(config-if)# ip address 172.25.1.5 255.255.255.0
Router1(config-if)# crypto map CRYPTOMAP
Router1(config-if)# exit
Router1(config)# exit
Router1#
Discussion: Because hosts may connect from any address, dynamic crypto maps are used here
12.10.  Creating an SSL VPN
Problem: Use the router's WebVPN service to create an SSL VPN
Solution
Core# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Core(config)# hostname Core
Core(config)# ip domain-name oreilly.com
Core(config)# aaa new-model
Core(config)# aaa authentication login local_auth local
Core(config)# username ijbrown secret ianspassword
Core(config)# username kdooley secret kevinspassword
Core(config)# crypto pki trustpoint WEBVPN
Core(ca-trustpoint)# enrollment selfsigned
Core(ca-trustpoint)# rsakeypair WEBVPN 1024
Core(ca-trustpoint)# subject-name CN=WEBVPN OU=cookbooks O=oreilly
Core(ca-trustpoint)# exit
Core(config)# crypto pki enroll WEBVPN
The router has already generated a Self Signed Certificate for
trustpoint TP-self-signed-3299111097.
If you continue the existing trustpoint and Self Signed Certificate
will be deleted.

Do you want to continue generating a new Self Signed Certificate? [yes/no]: yes
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Generate Self Signed Router Certificate? [yes/no]: yes

Router Self Signed Certificate successfully created

Core(config)# interface Loopback0
Core(config-if)# ip address 172.25.100.2 255.255.255.255
Core(config-if)# exit
Core(config)# webvpn enable gateway-addr 172.25.100.2
Core(config)# webvpn
Core(config-webvpn)# ssl trustpoint WEBVPN
Core(config-webvpn)# ssl encryption 3des-sha1
Core(config-webvpn)# title "Cisco Cookbook WebVPN Portal"
Core(config-webvpn)# url-list COOKBOOKURLS
Core(config-webvpn-url)# heading "Cookbook URLs"
Core(config-webvpn-url)# url-text "Cisco Cookbook" url-value "http://www.oreilly.com/catalog/ciscockbk/"
Core(config-webvpn-url)# url-text "Perl Cookbook" url-value "http://www.oreilly.com/catalog/perlckbk2/"
Core(config-webvpn-url)# heading "Cisco URLs"
Core(config-webvpn-url)# url-text "The Books" url-value "http://www.oreilly.com/pub/topic/cisco"
Core(config-webvpn-url)# exit
Core(config-webvpn)# port-forward list SERVERLOGIN local-port 20003 remote-server 172.25.1.1 remote-port 23
Core(config-webvpn)# exit
Core(config)# end
Core#
Discussion: WebVPN was introduced in 12.3(14)T, but only on certain platforms; it supports only SSLv3, not TLS, and does not support the Cisco SSL VPN client software. On the port-forward configuration at the end: once a user is connected to the WebVPN, a telnet to local port 20003 is forwarded to port 23 on 172.25.1.1
12.11.  Checking IPsec Protocol Status
Problem: Check VPN status
Solution
Display ISAKMP security associations:
Router1# show crypto isakmp sa
Display IPsec security associations:
Router1# show crypto ipsec sa
Display active IPsec connections:
Router1# show crypto engine connections active
Display dropped packets:
Router1# show crypto engine connections dropped-packet
Display the configured IPsec crypto maps:
Router1# show crypto map
For dynamic crypto maps:
Router1# show crypto dynamic-map

Chapter 13: Dial Backup
Problem: Automatically dial a backup link when the WAN link goes down
Solution
Router1# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)# interface BRI0/0
Router1(config-if)# ip address 10.1.99.55 255.255.255.0
Router1(config-if)# encapsulation ppp
Router1(config-if)# dialer idle-timeout 300
Router1(config-if)# dialer map ip 10.1.99.1 name dialhost broadcast 95551212
Router1(config-if)# dialer load-threshold 50 either
Router1(config-if)# dialer-group 1
Router1(config-if)# isdn switch-type basic-ni
Router1(config-if)# isdn spid1 800555123400 5551234
Router1(config-if)# isdn spid2 800555123500 5551235
Router1(config-if)# ppp authentication chap
Router1(config-if)# ppp multilink
Router1(config-if)# exit
Router1(config)# username dialhost password dialpassword
Router1(config)# ip route 0.0.0.0 0.0.0.0 10.1.99.1 180
Router1(config)# dialer-list 1 protocol ip list 101
Router1(config)# access-list 101 deny eigrp any any
Router1(config)# access-list 101 permit ip any any
Router1(config)# router eigrp 55
Router1(config-router)# network 10.0.0.0
Router1(config-router)# end
Router1#
Discussion: isdn switch-type defines the type of ISDN switch on the provider side; in China basic-net3 is used. Check the current state with Router1# show isdn status
Router1# show isdn status
Global ISDN Switchtype = basic-ni
ISDN BRI1/0 interface
    dsl 8, interface ISDN Switchtype = basic-ni
    Layer 1 Status:
    ACTIVE
    Layer 2 Status:
    TEI = 85, Ces = 1, SAPI = 0, State = MULTIPLE_FRAME_ESTABLISHED
    TEI = 86, Ces = 2, SAPI = 0, State = MULTIPLE_FRAME_ESTABLISHED
    TEI 85, ces = 1, state = 8(established)
        spid1 configured, spid1 sent, spid1 valid
    TEI 86, ces = 2, state = 8(established)
        spid2 configured, spid2 sent, spid2 valid
    Layer 3 Status:
    0 Active Layer 3 Call(s)
    Activated dsl 8 CCBs = 0
    The Free Channel Mask:  0x80000003
Total Allocated ISDN CCBs = 2
Router1#
Note that interesting traffic is only what triggers the call; once the link is up, all data can pass over it, not just the interesting traffic
13.2.  Using Dialer Interfaces
Problem: Bundle multiple physical interfaces into one dialer interface
Solution
Bundling two ISDN BRI interfaces
Router1# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)# interface BRI0/0
Router1(config-if)# encapsulation ppp
Router1(config-if)# dialer pool-member 1
Router1(config-if)# isdn switch-type basic-ni
Router1(config-if)# isdn spid1 800555123400 5551234
Router1(config-if)# isdn spid2 800555123500 5551235
Router1(config-if)# ppp authentication chap
Router1(config-if)# exit
Router1(config)# interface BRI0/1
Router1(config-if)# encapsulation ppp
Router1(config-if)# dialer pool-member 1
Router1(config-if)# isdn switch-type basic-ni
Router1(config-if)# isdn spid1 800555123600 5551236
Router1(config-if)# isdn spid2 800555123700 5551237
Router1(config-if)# ppp authentication chap
Router1(config-if)# exit
Router1(config)# interface Dialer1
Router1(config-if)# ip address 10.1.99.55 255.255.255.0
Router1(config-if)# encapsulation ppp
Router1(config-if)# dialer remote-name dialhost
Router1(config-if)# dialer pool 1
Router1(config-if)# dialer idle-timeout 300
Router1(config-if)# dialer string 95551212
Router1(config-if)# dialer load-threshold 50 either
Router1(config-if)# dialer-group 1
Router1(config-if)# ppp authentication chap
Router1(config-if)# ppp multilink
Router1(config-if)# exit
Router1(config)# username dialhost password dialpassword
Router1(config)# ip route 0.0.0.0 0.0.0.0 10.1.99.1 180
Router1(config)# dialer-list 1 protocol ip list 101
Router1(config)# access-list 101 deny eigrp any any
Router1(config)# access-list 101 permit ip any any
Router1(config)# router eigrp 55
Router1(config-router)# network 10.0.0.0
Router1(config-router)# end
Router1#
Dial host side
dialhost# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
dialhost(config)# username Router1 password dialpassword
dialhost(config)# controller T1 0
dialhost(config-controller)# framing esf
dialhost(config-controller)# clock source line primary
dialhost(config-controller)# linecode b8zs
dialhost(config-controller)# pri-group timeslots 1-24
dialhost(config-controller)# exit
dialhost(config)# interface Serial0:23
dialhost(config-if)# encapsulation ppp
dialhost(config-if)# dialer rotary-group 1
dialhost(config-if)# dialer-group 1
dialhost(config-if)# isdn switch-type primary-dms100
dialhost(config-if)# isdn not-end-to-end 56
dialhost(config-if)# exit
dialhost(config)# interface Dialer1
dialhost(config-if)# ip address 10.1.99.1 255.255.255.0
dialhost(config-if)# encapsulation ppp
dialhost(config-if)# dialer in-band
dialhost(config-if)# dialer idle-timeout 300
dialhost(config-if)# dialer-group 1
dialhost(config-if)# no peer default ip address
dialhost(config-if)# ppp authentication chap
dialhost(config-if)# ppp multilink
dialhost(config-if)# exit
dialhost(config)# access-list 101 deny eigrp any any
dialhost(config)# access-list 101 permit ip any any
dialhost(config)# dialer-list 1 protocol ip list 101
dialhost(config)# router eigrp 55
dialhost(config-router)# network 10.0.0.0
dialhost(config-router)# exit
dialhost(config)# end
dialhost#
Discussion: This recipe achieves the same result as 13.1 and the configuration is mostly the same. The difference is that the dialer map command is not used and no IP address is configured on the physical interfaces; the related configuration lives on the logical dialer interface Dialer1. The server side uses a PRI
13.3.  Using an Asynchronous Modem on the AUX Port
Problem: Connect an asynchronous modem to the router's AUX port and use it for dial backup
Solution
Router2# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router2(config)# interface Async65
Router2(config-if)# encapsulation ppp
Router2(config-if)# dialer in-band
Router2(config-if)# dialer pool-member 1
Router2(config-if)# ppp authentication chap
Router2(config-if)# async default routing
Router2(config-if)# exit
Router2(config)# interface Dialer1
Router2(config-if)# ip address 10.1.99.56 255.255.255.0
Router2(config-if)# encapsulation ppp
Router2(config-if)# dialer remote-name dialhost
Router2(config-if)# dialer pool 1
Router2(config-if)# dialer idle-timeout 300
Router2(config-if)# dialer string 95551212
Router2(config-if)# dialer-group 1
Router2(config-if)# ppp authentication chap
Router2(config-if)# exit
Router2(config)# line aux 0
Router2(config-line)# modem inout
Router2(config-line)# transport input all
Router2(config-line)# no exec
Router2(config-line)# speed 115200
Router2(config-line)# exit
Router2(config)# username dialhost password dialpassword
Router2(config)# ip route 0.0.0.0 0.0.0.0 10.1.99.1 180
Router2(config)# dialer-list 1 protocol ip list 101
Router2(config)# access-list 101 deny eigrp any any
Router2(config)# access-list 101 permit ip any any
Router2(config)# router eigrp 55
Router2(config-router)# network 10.0.0.0
Router2(config-router)# exit
Router2(config)# end
Router2#
Discussion: First use show line to find the line number of the AUX port, which gives the matching async interface, here interface Async65, then configure it with the dialer interface method shown earlier. One extra command is async default routing, because routing protocols are disabled on asynchronous interfaces by default. When configuring the AUX line, be sure to use no exec to avoid the modem failing to respond, and adjust the speed as well, otherwise it defaults to 9.6 Kbps.
13.4.  Using a Backup Interface
Problem: Dial when the physical WAN interface goes down
Solution
Router1# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)# interface Serial0/0
Router1(config-if)# backup delay 0 300
Router1(config-if)# backup interface BRI0/0
Router1(config-if)# encapsulation frame-relay
Router1(config-if)# down-when-looped
Router1(config-if)# exit
Router1(config)# interface Serial0/0.1 point-to-point
Router1(config-subif)# ip address 10.1.1.10 255.255.255.252
Router1(config-subif)# frame-relay interface-dlci 50   
Router1(config-subif)# exit
Router1(config)# interface BRI0/0
Router1(config-if)# ip address 10.1.99.55 255.255.255.0
Router1(config-if)# encapsulation ppp
Router1(config-if)# dialer idle-timeout 300
Router1(config-if)# dialer map ip 10.1.99.1 name dialhost broadcast 95551212
Router1(config-if)# dialer load-threshold 50 either
Router1(config-if)# dialer-group 1
Router1(config-if)# isdn switch-type basic-ni
Router1(config-if)# isdn spid1 800555123400 5551234
Router1(config-if)# isdn spid2 800555123500 5551235
Router1(config-if)# ppp authentication chap
Router1(config-if)# ppp multilink
Router1(config-if)# exit
Router1(config)# dialer-list 1 protocol ip permit
Router1(config)# end
Router1#
Discussion: The backup interface configuration must be placed on the physical interface, not on a subinterface. This method is generally not recommended for backup: many WAN link problems do not show up as the physical interface going down, and under normal conditions the backup interface is held in a disabled standby state, so it has to redial when needed and cannot be inspected with commands such as show isdn status.
13.5.  Using Dialer Watch
Problem: Use Cisco's Dialer Watch feature to trigger dial backup
Solution
Router1# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)# interface BRI0/0
Router1(config-if)# ip address 10.1.99.55 255.255.255.0
Router1(config-if)# encapsulation ppp
Router1(config-if)# dialer map ip 10.1.1.0 name dialhost broadcast 95551212
Router1(config-if)# dialer map ip 10.2.0.0 name dialhost broadcast 95551212
Router1(config-if)# dialer map ip 10.1.99.1 name dialhost broadcast 95551212
Router1(config-if)# dialer load-threshold 50 either
Router1(config-if)# dialer watch-group 1
Router1(config-if)# dialer-group 1
Router1(config-if)# isdn switch-type basic-ni
Router1(config-if)# isdn spid1 800555123400 5551234
Router1(config-if)# isdn spid2 800555123500 5551235
Router1(config-if)# ppp authentication chap
Router1(config-if)# ppp multilink
Router1(config-if)# exit
Router1(config)# router eigrp 55
Router1(config-router)# network 10.0.0.0
Router1(config-router)# exit
Router1(config)# username dialhost password cisco
Router1(config)# access-list 101 deny eigrp any any
Router1(config)# access-list 101 permit ip any any
Router1(config)# dialer-list 1 protocol ip list 101
Router1(config)# dialer watch-list 1 ip 10.2.0.0 255.255.0.0
Router1(config)# dialer watch-list 1 ip 10.1.1.0 255.255.255.0
Router1(config)# dialer watch-list 1 delay route-check initial 300
Router1(config)# dialer watch-list 1 delay disconnect 15
Router1(config)# end
Router1#
Discussion: Dialer Watch decides whether to trigger a call by tracking whether specific route prefixes are present in the routing table. Note in particular that this example watches two prefixes, and the call is triggered only when both prefixes disappear. The floating static route approach of 13.1 is still the recommended way to do dial backup
13.6.  Using Virtual Templates
Problem: Configure dial backup using virtual templates
Solution
dialhost# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
dialhost(config)# username Router1 password dialpassword
dialhost(config)# interface BRI0/0
dialhost(config-if)# no ip address
dialhost(config-if)# encapsulation ppp
dialhost(config-if)# dialer pool-member 1
dialhost(config-if)# isdn switch-type basic-ni
dialhost(config-if)# isdn point-to-point-setup
dialhost(config-if)# isdn spid1 800555123400 5551234
dialhost(config-if)# isdn spid2 800555123500 5551235
dialhost(config-if)# ppp authentication chap
dialhost(config-if)# ppp multilink
dialhost(config-if)# exit
dialhost(config)# interface Dialer1
dialhost(config-if)# no ip address
dialhost(config-if)# encapsulation ppp
dialhost(config-if)# dialer idle-timeout 300
dialhost(config-if)# dialer-group 1
dialhost(config-if)# no peer default ip address
dialhost(config-if)# ppp authentication chap
dialhost(config-if)# ppp multilink
dialhost(config-if)# exit
dialhost(config)# access-list 101 deny   eigrp any any
dialhost(config)# access-list 101 permit ip any any
dialhost(config)# dialer-list 1 protocol ip list 101
dialhost(config)# router eigrp 55
dialhost(config-router)# network 10.0.0.0
dialhost(config-router)# exit
dialhost(config)# interface Loopback1
dialhost(config-if)# ip address 10.1.99.1 255.255.255.0
dialhost(config-if)# exit
dialhost(config)# interface Virtual-Template1
dialhost(config-if)# ip unnumbered Loopback1
dialhost(config-if)# encapsulation ppp
dialhost(config-if)# ppp authentication chap
dialhost(config-if)# ppp multilink
dialhost(config-if)# ppp multilink load-threshold 50 either
dialhost(config-if)# exit
dialhost(config)# virtual-profile virtual-template 1
dialhost(config)# end
dialhost#
Discussion: This is generally used on a central dial server. It is similar to 13.2, but no IP address is configured on the Dialer interface either; the address is configured on the Virtual Template instead
13.7.  Ensuring Proper Disconnection
Problem: Ensure the backup link disconnects properly once the primary link is restored
Solution
Router1# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)# interface Serial0/0.1 point-to-point
Router1(config-subif)# bandwidth 56
Router1(config-subif)# exit
Router1(config)# interface BRI0/0
Router1(config-if)# bandwidth 54
Router1(config-if)# end
Router1#
Discussion: Configuring the bandwidth adjusts the metric of the primary and backup interfaces so that the routing protocol does not select the backup interface in its calculations
13.8.  Checking Dial Backup Status
Problem: Check the dial backup status
Solution
Router1# show dialer
Router1# show backup
Router1# show isdn status
Router1# show isdn active
Router1# show isdn history

Discussion: The most interesting piece of information in show dialer is Dial reason: ip (s=10.1.99.55, d=224.0.0.10), which identifies what traffic triggered the call
13.9.  Troubleshooting Dial Backup
Problem: Find out why dial backup failed
Solution
Router1# debug ppp authentication
Router1# debug dialer

Chapter 14: NTP and Time
14.1.  Timestamping Router Logs
Problem: Display the time in the router's log and debug messages
Solution
Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# service timestamps log datetime localtime
Router(config)# service timestamps debug datetime localtime
Router(config)# end
Router#

Discussion: You can also add the show-timezone and msec keywords to these commands so that timestamps include the time zone and millisecond precision
14.2.  Setting the Time
Problem: Set the router's time
Solution
Internal clock
Router# clock set 14:27:22 January 29 2006
Router#
High-end routers keep time with a battery-backed calendar
Router# calendar set 14:34:39 January 29 2006
Router#
Discussion: Without a battery-backed calendar, the time is lost when the router reboots. show calendar displays the current calendar time and can also be used to verify whether the router has a battery-backed calendar. When the internal clock and the calendar disagree, use clock update-calendar or clock read-calendar to synchronize one to the other
14.3.  Setting the Time Zone
Problem: Set the router's time zone
Solution
Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# clock timezone EST -5
Router(config)# end
Router#
Discussion: By default the router uses UTC, formerly known as GMT
14.4.  Adjusting for Daylight Saving Time
Problem: Have the router adjust its clock for daylight saving time automatically
Solution
Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# clock summer-time EDT date 26 oct 2003 02:00 6 apr 2003 02:00
or
Router(config)# clock summer-time AEDT recurring last sun oct 02:00 last sun mar 02:00
Router(config)# end
Router#

Discussion: There is no daylight saving adjustment by default; once enabled, verify it with show clock detail
14.5.  Synchronizing the Clock (NTP)
Problem: Have the router synchronize its time over the network automatically
Solution
Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# clock timezone EST -5
Router(config)# clock summer-time EDT recurring
Router(config)# ntp server 172.25.1.1
Router(config)# end
Router#
For routers that do not support NTP, use SNTP
Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# clock timezone EST -5
Router(config)# clock summer-time EDT recurring
Router(config)# sntp server 172.25.1.1
Router(config)# end
Router#
Discussion: Use ntp source loopback0, or ntp server 10.1.1.1 source Serial 0/0, to specify the source address NTP sends from. Because NTP synchronizes the internal clock, configure ntp update-calendar so that the calendar clock is synchronized as well
14.6.  Configuring NTP Redundancy
Problem: Configure multiple NTP servers for redundancy
Solution
Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# clock timezone EST -5
Router(config)# clock summer-time EDT recurring
Router(config)# ntp server 172.25.1.1
Router(config)# ntp server 10.121.33.231
Router(config)# ntp peer 192.168.12.12
Router(config)# end
Router#
Discussion: None
14.7.  Making the Router an NTP Server for the Network
Problem: Make the router the network's NTP server and master clock source
Solution
Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# clock timezone EST -5
Router(config)# clock summer-time EDT recurring
Router(config)# clock calendar-valid
Router(config)# ntp master 8
Router(config)# end
Router#
Discussion: ntp master 8 makes the router a stratum 8 server; avoid configuring it as stratum 1
14.8.  Adjusting the NTP Synchronization Period
Problem: Adjust how often the router sends NTP packets to verify synchronization
Solution
NTP does not allow the synchronization frequency to be set manually, but its built-in algorithm adjusts it automatically
Discussion: The period starts at 64 seconds; if the network is stable enough it grows gradually, up to a maximum of 1024 seconds, as in the example below
Router> show ntp associations
      address         ref clock     st  when  poll reach  delay  offset    disp
*~172.25.1.1       130.207.244.240   2   440  1024  377     1.6   -3.23     5.6
+~172.25.1.3       204.152.184.72    2   829  1024  377     1.7    8.06     0.9
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
Router>

14.9.  Using Periodic NTP Broadcasts to Keep Time Updated
Problem: Work in broadcast mode, without periodic polling
Solution
Server side
Router1# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)# clock timezone EST -5
Router1(config)# clock summer-time EDT recurring
Router1(config)# ntp server 172.25.1.1
Router1(config)# ntp server 172.25.1.2
Router1(config)# interface FastEthernet0/0
Router1(config-if)# ntp broadcast
Router1(config-if)# end
Router1#
Client side
Router2# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router2(config)# clock timezone EST -5
Router2(config)# clock summer-time EDT recurring
Router2(config)# ntp broadcastdelay 4
Router2(config)# interface Ethernet0
Router2(config-if)# ntp broadcast client
Router2(config-if)# end
Router2#
Discussion: In broadcast mode the time packets flow in one direction only, with ntp broadcastdelay configured on the client. Broadcast mode does not prevent the client from also working in server/client mode
14.10.  Using Periodic NTP Multicasts to Keep Time Updated
Problem: Work in multicast mode, without periodic polling
Solution
Server side
Router1# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)# clock timezone EST -5
Router1(config)# clock summer-time EDT recurring
Router1(config)# ntp server 172.25.1.1
Router1(config)# ntp server 172.25.1.3
Router1(config)# interface FastEthernet 0/0
Router1(config-if)# ntp multicast 224.0.1.1 ttl 1
Router1(config-if)# end
Router1#
Client side
Router1# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)# clock timezone EST -5
Router1(config)# clock summer-time EDT recurring
Router1(config)# ntp server 172.25.1.1
Router1(config)# ntp server 172.25.1.3
Router1(config)# interface FastEthernet 0/0
Router1(config-if)# ntp multicast client 224.0.1.1
Router1(config-if)# end
Router1#
Discussion: The advantages of multicast over broadcast need no elaboration. In this mode the client initially sends some unicast packets to measure the delay, which makes the time more accurate. Note that not all devices support this multicast mode
14.11.  Enabling NTP per Interface
Problem: The router is configured as an NTP server, but NTP service must be blocked on certain interfaces
Solution
Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# interface Serial0/1
Router(config-if)# ntp disable
Router(config-if)# end
Router#
or
Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# access-list 107 deny udp any eq 123 any eq 123
Router(config)# access-list 107 permit ip any any
Router(config)# interface Serial0/1
Router(config-if)# ip access-group 107 in
Router(config-if)# end
Router#

Discussion: The access list approach is stricter: the first method only blocks the corresponding associations, it does not stop NTP packets
14.12.  NTP Authentication
Problem: Authenticate NTP packets for security
Solution
Server side
Router1# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)# ntp authentication-key 2 md5 neoshi
Router1(config)# ntp authenticate
Router1(config)# ntp trusted-key 2
Router1(config)# end
Router1#
Client side
Router2# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router2(config)# ntp authentication-key 2 md5 neoshi
Router2(config)# ntp authenticate
Router2(config)# ntp trusted-key 2
Router2(config)# ntp server 172.25.1.5 key 2
Router2(config)# end
Router2#
Discussion: For broadcast or multicast mode the key is configured with ntp broadcast key 2 and ntp multicast key 2
14.13.  Limiting the Number of NTP Peers
Problem: Limit the number of NTP peers the router will accept
Solution
Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# ntp max-associations 30
Router(config)# end
Router#
Discussion: None
14.14.  Restricting Peers
Problem: Finer-grained control over the NTP service
Solution
Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# access-list 88 permit host 172.25.1.1
Router(config)# access-list 88 permit host 10.1.1.1
Router(config)# access-list 99 permit 172.25.0.0 0.0.255.255
Router(config)# access-list 99 permit 10.2.0.0 0.0.255.255
Router(config)# clock timezone EST -5
Router(config)# clock summer-time EDT recurring
Router(config)# ntp server 172.25.1.1 version 3
Router(config)# ntp server 10.1.1.1 version 3
Router(config)# ntp access-group peer 88
Router(config)# ntp access-group serve-only 99
Router(config)# end
Router#

Discussion: The router allows its internal clock to synchronize only from the two servers defined in ACL 88, and only clients in the two subnets defined in ACL 99 may request time from this device
14.15.  Setting the Clock Period
Problem: You want to adjust the automatically generated ntp clock-period xxxxxx value
Solution
After a reboot the router automatically generates a clock period to speed up resynchronization; deleting or modifying it is not recommended
Router# show running-config | include clock-period
ntp clock-period 17180200
Router#
Discussion: None
14.16.  Checking NTP Status
Problem: View the current NTP status
Solution
Router> show clock detail
Router> show ntp status
Router> show ntp associations
Router> show ntp associations detail

Discussion:
Router> show clock detail
.15:54:33.079 EST Sun Jan 29 2006
Time source is NTP
The leading . in this output means the clock is not synchronized
14.17.  Troubleshooting NTP
Problem: Resolve NTP problems
Solution
NTP is very stable; when something goes wrong it is most likely a connectivity problem
Router# debug ntp packets
Discussion:
Router# debug ntp packet
NTP packets debugging is on
.Mar 21 02:39:18: NTP: xmit packet to 172.25.1.5:
.Mar 21 02:39:18:  leap 3, mode 3, version 3, stratum 0, ppoll 64
.Mar 21 02:39:18:  rtdel 28C7 (159.286), rtdsp 2444 (141.663), refid AC190101
.Mar 21 02:39:18:  ref C043C43F.47A9CD5C (21:30:23.279 EST Wed Mar 20 2003)
.Mar 21 02:39:18:  org 00000000.00000000 (19:00:00.000 EST Thu Dec 31 1899)
.Mar 21 02:39:18:  rec 00000000.00000000 (19:00:00.000 EST Thu Dec 31 1899)
.Mar 21 02:39:18:  xmt C043C656.4DFC7394 (21:39:18.304 EST Wed Mar 20 2003)
.Mar 21 02:39:25: NTP: rcv packet from 172.25.1.5 to 172.16.2.2 on Fa0/0.1:
.Mar 21 02:39:25:  leap 3, mode 3, version 3, stratum 0, ppoll 64
.Mar 21 02:39:25:  rtdel 286E (157.928), rtdsp 0EC6 (57.709), refid AC190101
.Mar 21 02:39:25:  ref C043C4D7.1D633CDE (21:32:55.114 EST Wed Mar 20 2003)
.Mar 21 02:39:25:  org 00000000.00000000 (19:00:00.000 EST Thu Dec 31 1899)
.Mar 21 02:39:25:  rec 00000000.00000000 (19:00:00.000 EST Thu Dec 31 1899)
.Mar 21 02:39:25:  xmt C043C65D.1D0A6CBC (21:39:25.113 EST Wed Mar 20 2003)
.Mar 21 02:39:25:  inp C043C65D.1296E3C7 (21:39:25.072 EST Wed Mar 20 2003)
In the debug output above, the packet received from the server shows stratum 0, meaning the server itself is not synchronized; if the upstream server is not synchronized, the local router cannot synchronize either
14.18.  NTP Logging
Problem: Log important NTP events
Solution
Router2# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router2(config)# ntp logging
Router2(config)# end
Router2#
Discussion: This command was introduced in 12.3(7)T. A sample log follows
Router2# show logging | include NTP
000019: Jan 29 10:57:52.633 EST: %NTP-5-PEERSYNC: NTP synced to peer 172.25.1.5
000020: Jan 29 10:57:52.637 EST: %NTP-6-PEERREACH: Peer 172.25.1.5 is reachable
000024: Jan 29 11:01:20.653 EST: %NTP-4-PEERUNREACH: Peer 172.25.1.5 is unreachable
000026: Jan 29 11:15:11.985 EST: %NTP-4-UNSYNC: NTP sync is lost
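As an added example (not from the cookbook), this Python parses the debug ntp packet output of 14.17 and the %NTP syslog lines of 14.18 and flags the conditions the text describes: a received packet with stratum 0 or leap 3 (upstream server not synchronized) and NTP syslog events at warning severity or worse. The sample lines are copied from the output above; function and constant names are this example's own.

```python
"""Check NTP health from IOS `debug ntp packet` output and %NTP syslog lines.
Added example (not from the cookbook); sample lines copied from 14.17/14.18."""
import re
from dataclasses import dataclass

DEBUG_LINES = """\
.Mar 21 02:39:18: NTP: xmit packet to 172.25.1.5:
.Mar 21 02:39:18:  leap 3, mode 3, version 3, stratum 0, ppoll 64
.Mar 21 02:39:18:  rtdel 28C7 (159.286), rtdsp 2444 (141.663), refid AC190101
.Mar 21 02:39:25: NTP: rcv packet from 172.25.1.5 to 172.16.2.2 on Fa0/0.1:
.Mar 21 02:39:25:  leap 3, mode 3, version 3, stratum 0, ppoll 64
.Mar 21 02:39:25:  rtdel 286E (157.928), rtdsp 0EC6 (57.709), refid AC190101
""".splitlines()

SYSLOG_LINES = """\
000019: Jan 29 10:57:52.633 EST: %NTP-5-PEERSYNC: NTP synced to peer 172.25.1.5
000020: Jan 29 10:57:52.637 EST: %NTP-6-PEERREACH: Peer 172.25.1.5 is reachable
000024: Jan 29 11:01:20.653 EST: %NTP-4-PEERUNREACH: Peer 172.25.1.5 is unreachable
000026: Jan 29 11:15:11.985 EST: %NTP-4-UNSYNC: NTP sync is lost
""".splitlines()

HDR_RE = re.compile(r"NTP: (xmit|rcv) packet (?:to|from) (\d+\.\d+\.\d+\.\d+)")
FIELDS_RE = re.compile(
    r"leap (\d+), mode (\d+), version (\d+), stratum (\d+), ppoll (\d+)")
SYSLOG_RE = re.compile(r"%NTP-(\d)-([A-Z]+): (.*)$")


@dataclass
class NtpPacket:
    direction: str   # "xmit" (sent by this router) or "rcv" (received)
    peer: str
    leap: int = 0
    mode: int = 0
    version: int = 0
    stratum: int = 0
    ppoll: int = 0

    @property
    def unsynchronized(self) -> bool:
        # RFC 5905: leap 3 = clock unsynchronized, stratum 0 = unspecified/invalid
        return self.leap == 3 or self.stratum == 0


def parse_debug(lines):
    """Group the header line and its following field line into NtpPacket objects."""
    packets, current = [], None
    for line in lines:
        m = HDR_RE.search(line)
        if m:
            current = NtpPacket(direction=m.group(1), peer=m.group(2))
            packets.append(current)
            continue
        m = FIELDS_RE.search(line)
        if m and current is not None:
            (current.leap, current.mode, current.version,
             current.stratum, current.ppoll) = map(int, m.groups())
    return packets


def debug_findings(lines):
    """Flag received packets from a server that is itself not synchronized.
    Our own xmit packets showing stratum 0 are expected while we are unsynced,
    so only the rcv direction is reported."""
    return [f"rcv from {p.peer}: leap {p.leap}, stratum {p.stratum} "
            f"(server not synchronized, local sync impossible)"
            for p in parse_debug(lines)
            if p.direction == "rcv" and p.unsynchronized]


def syslog_findings(lines):
    """Return (severity, mnemonic, text) for NTP events at severity 4 or worse."""
    events = []
    for line in lines:
        m = SYSLOG_RE.search(line)
        if m and int(m.group(1)) <= 4:   # IOS severity 4 = warning
            events.append((int(m.group(1)), m.group(2), m.group(3)))
    return events


if __name__ == "__main__":
    for finding in debug_findings(DEBUG_LINES):
        print("DEBUG:", finding)
    for sev, mnemonic, text in syslog_findings(SYSLOG_LINES):
        print(f"SYSLOG sev {sev} {mnemonic}: {text}")
```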

14.19.  Extended Daylight Saving Time
Discussion: Starting in 2007 the US changed its daylight saving rules to save energy; omitted here
14.20.  NTP Server Configuration
Discussion: The host-side configuration is omitted for now
 
 