Cisco Tips
By Fred, Saturday 14 July 2007. Permalink. Category: Cisco
Here are a few tips to apply on your Cisco routers:
Synchronize the console
Bring an interface up when it is not connected
Configure banners
Use aliases
Modify several interfaces at once
Clear the routing table
Set the source address of a service
Protect access to a device with an access-list
Change the log level
NTP configuration for daylight saving time
Enable debug over SSH
Enable SSH
Reboot a module on a C6500
Check the power consumption of a C6500
Adjust the interface load calculation interval
Filter the output of show process cpu
Clear an interface's configuration
Change a device's SSH key
Display logs with the current date
Find out the number of MAC addresses available and in use
Disable the "more" prompt
Synchronize the console
Here are two small reminders for using the console properly on Cisco hardware:
logging synchronous: this directive synchronizes terminal output with the command line. For example, if you are typing a command and the router prints a message to the terminal, the text you were typing is redisplayed afterwards.
exec-timeout 0 0: this disables the command-line timeout. This can be useful in a test lab.
In practice:
Router(config)#line console 0
Router(config-line)#logging synchronous
Router(config-line)#exec-timeout 0 0
How to bring an interface up when it is not connected:
In this first example, we see that the interface is down:
Router(config)#interface ethernet0
Router(config-if)#ip address 10.0.0.1 255.255.255.0
Router(config-if)#no shutdown
Router#show ip interface brief
Interface    IP-Address    OK? Method Status                Protocol
Ethernet0    10.0.0.1      YES manual administratively down down
Using the no keepalive command:
Router(config)#interface ethernet0
Router(config-if)#ip address 10.0.0.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#no keepalive
Router#show ip interface brief
Interface    IP-Address    OK? Method Status                Protocol
Ethernet0    10.0.0.1      YES manual up                    up
http://www.nemako.net/dc2/?post/2007/05/30/AstucesCisco 1/7
21/04/2017 Astuces Cisco - Réseaux et Sécurité
Configure banners
Banner before login
Router(config)#banner login #
My banner....
....
#
Banner after login
Router(config)#banner exec #
My banner....
....
#
Note that the # characters delimit the input area; any other delimiter can be used.
Use aliases
These very handy aliases are configured in configuration mode. Here is an example:
R1(config)#alias exec sib show ip int brief
R1(config)#alias exec sir show ip route
To view the aliases:
R1#show alias
Exec mode aliases:
  h    help
  lo   logout
  p    ping
  r    resume
  s    show
  u    undebug
  un   undebug
  w    where
  sib  show ip int brief
  sir  show ip route
To delete an alias:
R1(config)#no alias exec sib
Modify several interfaces at once
After the interface command, you can use range.
Switch(config)#interface range fastethernet 0/1-20
Switch(config-if-range)#speed 100
Switch(config-if-range)#duplex full
You can also define several ranges:
Switch(config)#interface range fastethernet 0/1-4, fastethernet 0/10-15
This command can be used with vlan, port-channel, fastethernet and gigabitethernet interfaces.
Clear the routing table
R1#clear ip route *
Set the source address of a service
When you open an ssh or telnet session, or simply when a router queries its TACACS server, it uses by default the IP address of its outgoing interface. You can manually specify which interface's address to use (provided that interface is up) for each service:
R1(config)#ip ssh source-interface gigabitEthernet 0/1
R1(config)#ip telnet source-interface loopback 0
R1(config)#ip tftp source-interface loopback 2
R1(config)#ip tacacs source-interface tunnel 0
R1(config)#logging source-interface loopback 0
To remove this source address:
R1(config)#no ip ssh source-interface
Protect access to a device with an access-list
It is possible to define a list of addresses that are allowed to administer a device. In the following example, only hosts on the networks 10.12.0.0/24 and 10.13.0.0/24 can administer my router over SSH.
ip access-list extended MGT-SSH
 permit tcp 10.12.0.0 0.0.0.255 gt 1023 host 0.0.0.0 eq 22
 permit tcp 10.13.0.0 0.0.0.255 gt 1023 host 0.0.0.0 eq 22
 deny ip any any log
!
line vty 0 4
 access-class MGT-SSH in
 transport input ssh
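As an added example (not code from the original post), here is a small Python evaluator for this kind of extended access-list: it parses the wildcard-mask entries, applies them first-match-wins with the implicit deny, and renders the %SEC-6-IPACCESSLOGP line in the form the log-level section of this post shows for a denied connection. The SSH attempts it evaluates are constructed samples; the destination 0.0.0.0 is used because that is how the post's own log line reports the vty side.

```python
import ipaddress
# Constructed sample: the MGT-SSH access-list from the post, one entry per line.
ACL_TEXT = """\
permit tcp 10.12.0.0 0.0.0.255 gt 1023 host 0.0.0.0 eq 22
permit tcp 10.13.0.0 0.0.0.255 gt 1023 host 0.0.0.0 eq 22
deny ip any any log"""

def wildcard_to_net(addr, wildcard):
    """IOS wildcard masks are inverted netmasks: 10.12.0.0 0.0.0.255 -> 10.12.0.0/24."""
    netmask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF)
    return ipaddress.IPv4Network((addr, str(netmask)), strict=False)

def parse_entry(line):
    """One ACE -> (action, log?, checks); each check is a predicate over a packet dict."""
    tok = line.split()
    action, proto, rest = tok[0], tok[1], tok[2:]
    checks = [] if proto == "ip" else [lambda pkt: pkt["proto"] == proto]
    for side in ("src", "dst"):          # address spec, then an optional port operator
        if rest[0] == "any":
            rest = rest[1:]
        else:                            # "host A" or "A WILDCARD"
            net = (ipaddress.IPv4Network(rest[1] + "/32") if rest[0] == "host"
                   else wildcard_to_net(rest[0], rest[1]))
            rest = rest[2:]
            checks.append(lambda pkt, s=side, n=net: ipaddress.IPv4Address(pkt[s]) in n)
        if rest and rest[0] in ("eq", "gt", "lt"):
            op, port, rest = rest[0], int(rest[1]), rest[2:]
            checks.append(lambda pkt, k=side + "_port", o=op, p=port:
                          {"eq": pkt[k] == p, "gt": pkt[k] > p, "lt": pkt[k] < p}[o])
    return action, "log" in rest, checks

def evaluate(acl, pkt):
    """First matching entry wins, as on IOS; anything unmatched hits the implicit deny."""
    for action, log, checks in acl:
        if all(check(pkt) for check in checks):
            return action, log
    return "deny", False

def log_line(pkt, action):
    """Render the %SEC-6-IPACCESSLOGP message in the form shown in the post (no timestamp)."""
    verb = {"permit": "permitted", "deny": "denied"}[action]
    return (f"%SEC-6-IPACCESSLOGP: list MGT-SSH {verb} {pkt['proto']} "
            f"{pkt['src']}({pkt['src_port']}) -> {pkt['dst']}({pkt['dst_port']}), 1 packet")

ACL = [parse_entry(line) for line in ACL_TEXT.splitlines()]
def check_ssh_source(src, sport=32853):
    """Evaluate one constructed SSH attempt; dst 0.0.0.0 mirrors the post's log line."""
    pkt = {"proto": "tcp", "src": src, "src_port": sport, "dst": "0.0.0.0", "dst_port": 22}
    action, log = evaluate(ACL, pkt)
    return action, (log_line(pkt, action) if log else None)
```

Only the final deny entry carries the log keyword, so permitted management sessions leave no %SEC-6-IPACCESSLOGP trace in the buffer while every rejected one does.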
Change the log level
To view a device's logs:
Routeur1#sh logging
Syslog logging: enabled (12 messages dropped, 6 messages rate-limited,
0 flushes, 0 overruns, xml disabled, filtering disabled)
Console logging: level debugging, 1191740 messages logged, xml disabled,
filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: level warnings, 1 messages logged, xml disabled,
filtering disabled
Logging Exception size (4096 bytes)
Count and timestamp logging messages: disabled
...
Log Buffer (4096 bytes):
.Aug 12 14:24:22.476: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
Logs generated by an access-list are at the informational level, so the warnings level configured for the buffer will not let us see them.
To change the log level:
Routeur1(config)#logging buffered informational
We now have our ACL logs:
Routeur1#sh logging
...
Buffer logging: level informational, 2 messages logged, xml disabled,
filtering disabled
...
Log Buffer (4096 bytes):
.Aug 12 15:39:15.443: %SEC-6-IPACCESSLOGP: list MGT-SSH denied tcp 10.118.14.51(32853) -> 0.0.0.0(22), 1 packet
Routeur1#
NTP configuration for daylight saving time
Routeur2(config)#ntp server 192.168.1.2 prefer
Routeur2(config)#ntp server 192.168.1.3
Routeur2(config)#clock timezone CET 1
Routeur2(config)#clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
Debug
View the currently active debug commands:
R1#sh debugging
IP routing:
  BGP debugging is on for all address families
  OSPF events debugging is on
IP multicast:
  PIM debugging is on
Disable all debug commands:
R1#u all
All possible debugging has been turned off
Enable debug over SSH
Command to make debug output, normally only available on the console, visible in an SSH session:
R1#terminal monitor
Enable/disable debug on the console
Disable debug messages on the console
R1(config)#no logging console
Enable them again
R1(config)#logging console
Enable SSH
Router01(config)#ip ssh version 2
Please create RSA keys to enable SSH.
Generate the RSA key
Router01(config)#crypto key generate rsa
The name for the keys will be: C3845.intranet.nemako.net
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
Enable SSH
Router01(config)#ip ssh version 2
Force SSH on the vty lines
Router01(config)#line vty 0 4
Router01(config-line)#transport input ssh
Change a device's SSH key
Look at the existing keys:
C3750#sh crypto key mypubkey rsa
% Key pair was generated at: 14:28:12 UTC Aug 9 2006
Key name: C3750.intranet
Usage: General Purpose Key
Key is not exportable.
Key Data:
12345678 90123456 4886F70D 01010105 00034B00 30480241 00E344FA 6AC1EA9A
1C6B0C36 DAD96A2B 93ADBDCB 12345678 90123456 C2C9A198 CDFG0000 B409EC84
B6B365EF AAAAAAAA 12345678 90123456 FADAEF65 CCB1D2D7 15020301 0001
% Key pair was generated at: 09:22:32 UTC Jan 15 2008
Key name: C3750.intranet.server
Usage: Encryption Key
Key is not exportable.
Key Data:
12345678 90123456 4886F70D 01010105 00036B00 30680261 00BCC9B6 CD1D4A0B
9CB0C35B 37508A38 6D9D1E44 12345678 90123456 A9C80947 1092B1CD 450D4BCD
B8342222 1C3CC7DB 12345678 90123456 84B63952 51BD946A CDFG0000 4667895A
9D2DB0D9 00000000 27E2F343 7D1D3B34 99AAE391 F6C4BDD9 35020301 0001
Delete these keys:
C3750#conf t
Enter configuration commands, one per line. End with CNTL/Z.
C3750(config)#crypto key zeroize rsa C3750.intranet.server
% Keys to be removed are named 'C3750.intranet.server'.
% All router certs issued using these keys will also be removed.
Do you really want to remove these keys? [yes/no]: yes
C3750(config)#crypto key zeroize rsa C3750.intranet
% Keys to be removed are named 'C3750.intranet'.
% All router certs issued using these keys will also be removed.
Do you really want to remove these keys? [yes/no]: yes
Now just generate a new key:
C3750(config)#crypto key generate rsa
The name for the keys will be: C3750.intranet
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys...[OK]
C3750(config)#
Reboot a module on a C6500
C6513-01#conf t
Enter configuration commands, one per line. End with CNTL/Z.
C6513-01(config)#power cycle module 4
% This command is being deprecated.
% Please use exec level command:
% hw-module module <mod#> reset
Proceed with reload of module? [confirm] confirm
Source: French Cisco Users Group (http://www.fcug.fr/catalyst6500rebooterunmodule)
Check the power consumption of a C6500
C6513-01#show power | in (used|total|availa)
system power total = 5771.64 Watts (137.42 Amps @ 42V)
system power used = 2287.74 Watts (54.47 Amps @ 42V)
system power available = 3483.90 Watts (82.95 Amps @ 42V)
Adjust the interface bandwidth calculation interval
When you use the show interface command to view the bandwidth used on an interface, the value is computed over the last 5 minutes. This interval can be changed to anything between 30 and 600 seconds.
C3845-2(config)#int tun0
C3845-2(config-if)#?
...
  load-interval  Specify interval for load calculation for an interface
C3845-2(config-if)#load-interval ?
  <30-600>  Load interval delay in seconds
Here is an interface with the default configuration:
C3845-2#sh int gi0/0
GigabitEthernet0/0 is up, line protocol is up
...
  5 minute input rate 2140000 bits/sec, 579 packets/sec
  5 minute output rate 6217000 bits/sec, 769 packets/sec
Configure the interval to 30 seconds:
C3845-2(config)#int tun0
C3845-2(config-if)#load-interval 30
C3845-2#sh int tun0
Tunnel0 is up, line protocol is up
...
  30 second input rate 1461000 bits/sec, 388 packets/sec
  30 second output rate 892000 bits/sec, 368 packets/sec
Filter the output of show process cpu
The show process cpu command is fairly unreadable without filtering:
C3825#sh processes cpu
CPU utilization for five seconds: 1%/1%; one minute: 10%; five minutes: 5%
 PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
   1           8       255     31  0.00%  0.00%  0.00%   0 Chunk Manager
   2        1084   2024779      0  0.00%  0.00%  0.00%   0 Load Meter
   3     1138252  31651957     35  0.00%  0.03%  0.02%   0 OSPF-1 Hello
   4           0         1      0  0.00%  0.00%  0.00%   0 EDDRI_MAIN
   5     4209864   1034803   4068  0.00%  0.03%  0.02%   0 Check heaps
   6        2448      3992    613  0.00%  0.00%  0.00%   0 Pool Manager
   7           0         2      0  0.00%  0.00%  0.00%   0 Timers
   8           0   1687330      0  0.00%  0.00%  0.00%   0 IPC Dynamic Cach
   9           0         1      0  0.00%  0.00%  0.00%   0 IPC Zone Manager
  10         481   1238650      0  0.00%  0.00%  0.00%   0 IPC Periodic Tim
  11         521   1238650      0  0.00%  0.00%  0.00%   0 IPC Deferred Por
  12           0         1      0  0.00%  0.00%  0.00%   0 IPC Seat Manager
  13           0         1      0  0.00%  0.00%  0.00%   0 IPC BackPressure
  14           0         1      0  0.00%  0.00%  0.00%   0 OIR Handler
  15           0         1      0  0.00%  0.00%  0.00%   0 Crash writer
  16         892   2024778      0  0.00%  0.01%  0.00%   0 Environmental mo
  17         200    170244      1  0.00%  0.00%  0.00%   0 ARP Input
  18           0         2      0  0.00%  0.00%  0.00%   0 ATM Idle Timer
  19           0         2      0  0.00%  0.00%  0.00%   0 AAA high-capacit
  20           0         1      0  0.00%  0.00%  0.00%   0 AAA_SERVER_DEADT
  21           0         1      0  0.00%  0.00%  0.00%   0 Policy Manager
...
So here is a simple way to see the main processes in use on your device: exclude every row whose three load columns are all zero.
C3825#sh processes cpu | excl 0.00% 0.00% 0.00%
CPU utilization for five seconds: 3%/2%; one minute: 8%; five minutes: 5%
 PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
   2        1084   2024782      0  0.00%  0.01%  0.00%   0 Load Meter
   3     1138256  31651995     35  0.00%  0.03%  0.02%   0 OSPF-1 Hello
   5     4209888   1034807   4068  0.24%  0.04%  0.02%   0 Check heaps
  16         892   2024781      0  0.00%  0.01%  0.00%   0 Environmental mo
  37     8160276   7377317   1106  0.24%  0.13%  0.12%   0 Net Background
  47     2034740    170147  11958  0.00%  0.02%  0.00%   0 Per-minute Jobs
  76         220       502    438  0.08%  0.01%  0.00% 706 SSH Process
  99     1512248  20737241     72  0.00%  0.01%  0.00%   0 IP Input
 159         960 101236184      0  0.00%  0.02%  0.00%   0 RBSCP Background
 265        3092  10216394      0  0.00%  0.02%  0.05%   0 NTP
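As an added example (not from the original post), the same filtering done in Python so it can be applied to saved output: parse_processes() reads rows in the layout above and busy_processes() drops the all-idle rows exactly as the exclude filter does, then ranks the rest by a chosen column so the heaviest process comes first. The sample rows are constructed from the post's listing.

```python
import re

# Constructed sample: a handful of rows in the "show processes cpu" layout shown in the post.
SAMPLE = """\
CPU utilization for five seconds: 3%/2%; one minute: 8%; five minutes: 5%
 PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
   1           8       255     31  0.00%  0.00%  0.00%   0 Chunk Manager
   5     4209888   1034807   4068  0.24%  0.04%  0.02%   0 Check heaps
  37     8160276   7377317   1106  0.24%  0.13%  0.12%   0 Net Background
  76         220       502    438  0.08%  0.01%  0.00% 706 SSH Process
 265        3092  10216394      0  0.00%  0.02%  0.05%   0 NTP"""

# PID, Runtime, Invoked, uSecs, three percentages, TTY, then the process name.
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%\s+(\d+)\s+(.+?)\s*$")

def parse_processes(text):
    """Return one dict per process row; the banner and header lines simply do not match."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            pid, runtime, invoked, usecs, s5, m1, m5, tty, name = m.groups()
            rows.append({"pid": int(pid), "runtime_ms": int(runtime), "invoked": int(invoked),
                         "usecs": int(usecs), "5sec": float(s5), "1min": float(m1),
                         "5min": float(m5), "tty": int(tty), "process": name})
    return rows

def busy_processes(text, key="5min"):
    """The post's `| exclude 0.00% 0.00% 0.00%` trick done in code: drop rows that are idle
    in all three columns, then rank the rest so the heaviest process comes first."""
    rows = [r for r in parse_processes(text) if r["5sec"] or r["1min"] or r["5min"]]
    return sorted(rows, key=lambda r: r[key], reverse=True)
```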
Clear an interface's configuration
Here is the initial configuration of my interface:
C2950#sh run int Fa1/0/35
Building configuration...
Current configuration : 230 bytes
!
interface FastEthernet1/0/35
 switchport access vlan 7
 switchport mode access
 speed 100
 duplex full
 no mdix auto
 no cdp enable
 spanning-tree portfast
 spanning-tree bpduguard enable
 service-policy input POLICY_PHONE
end
And here is how to clear the whole configuration with a single command:
C2950#conf t
Enter configuration commands, one per line. End with CNTL/Z.
C2950(config)#default interface FastEthernet1/0/35
Interface FastEthernet1/0/35 set to default configuration
The result:
C2950#sh run int Fa1/0/35
Building configuration...
Current configuration : 36 bytes
!
interface FastEthernet1/0/35
end
Display logs with the current date
When displaying logs, the timestamp can be based either on the uptime or on the device's clock.
Real date
R0(config)#service timestamps log datetime
Result
R0#sh logging
...
Apr 14 20:51:44: %SYS-5-CONFIG_I: Configured from console by console
Uptime
R0(config)#service timestamps log uptime
Result
R0#sh logging
...
00:59:15: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
Find out the number of MAC addresses available and in use
SW01-5#sh mac address-table count
MAC Entries for all vlans:
Dynamic Unicast Address Count: 383
Static Unicast Address (User-defined) Count: 8
Static Unicast Address (System-defined) Count: 1
Total Unicast MAC Addresses In Use: 392
Total Unicast MAC Addresses Available: 32768
Multicast MAC Address Count: 108
Total Multicast MAC Addresses Available: 16384
Disable the "more" prompt
It is possible to disable the "more" prompt that appears on long outputs (show run, for example). Use the exec command terminal length 0, or set it permanently on the lines:
line console
 length 0
line vty 0 4
 length 0