Cisco 1812 configuration notes

A record of the commands I use most often.
1. Console login
2. Create an admin user
3. Configure an interface IP
4. Configure Telnet & SSH login
5. Configure NTP
6. Configure the default route
7. Configure DHCP
8. Configure NAT
9. Configure a route map
10. Configure a GRE tunnel
11. Configure NetFlow
12. Configure PPPoE
13. Update the firmware
14. Configure logging
15. Save the configuration & restore factory defaults & restore a saved configuration
16. Forgotten password
17. Download IOS in ROMMON mode
18. Show the device serial number
19. Add AAA configuration
20. Cisco password cracker
21. Scheduled configuration backup

1. Console login
Setting        Value
Speed          9600
Data bits      8
Parity         None
Stop bits      1
Flow control   None
2. Create an admin user
Obfuscate passwords stored in the configuration
Router(config)#service password-encryption
Create a user
Router(config)#username fred privilege 7 password 123456
Set the enable password
Router(config)#enable password 654321
Note: when creating accounts, use secret rather than password; it is considerably safer. service password-encryption only applies the reversible type 7 encoding to password lines, so anyone who can read the config can recover the plaintext in seconds (see section 20). username ... secret and enable secret store a salted MD5 hash (type 5) instead, which cannot be turned back into the password.
3. Configure an interface IP
Router(config)#interface f1
Set the IP address
Router(config-if)#ip address 192.168.0.1 255.255.255.0
4. Configure Telnet & SSH login
Telnet is enabled by default and SSH is not. Before the vty lines are exposed to the network they need a login method and an access restriction.
Configure the ACL (the wildcard 0.0.255.255 admits all of 192.168.0.0/16; if only the 192.168.0.0/24 management subnet should get in, use 0.0.0.255)
Router(config)#access-list 99 permit 192.168.0.0 0.0.255.255
Router(config)#access-list 99 deny   any
Configure login on the vty lines & a 30-minute idle timeout
Router(config)#line vty 0 4
Router(config-line)#exec-timeout 30
Router(config-line)#login local
Router(config-line)#access-class 99 in
Enable SSH
The domain name must be set before SSH can be enabled, because the RSA key pair is named after hostname.domain
Router(config)#ip domain-name abc.com
Generate the key pair (choose 2048 bits; the 512-bit default is far too weak)
Router(config)#crypto key generate rsa
The name for the keys will be: Router.abc.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.
How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]
Check the SSH service
Router#show ip ssh
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
"version 1.99" means the router still accepts SSHv1 clients alongside SSHv2. Once an SSHv2 client is confirmed to work, restrict the router to version 2 (ip ssh version 2) and turn Telnet off on the vty lines (transport input ssh) so that login passwords no longer cross the network in cleartext.
Show which accounts are logged in remotely
Router#show users
  Line       User       Host(s)       Idle       Location
*  7 vty 1     admin      idle          00:00:00
                                         60-248-7-247.HINET-IP.hinet.net
  Interface    User               Mode         Idle     Peer Address
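The checks in sections 2 and 4 can be run mechanically against a saved configuration. The Python script below is an added example, not from these notes: it flags reversible passwords, missing access-class and exec-timeout, vty lines that still accept Telnet, an SSH service that still negotiates version 1, and management ACLs that are broader than a /24. The two config excerpts in it are constructed (one with the page's original commands plus an unhardened second vty range, one after the fixes), and the hash values in them are placeholders.

```python
"""Audit an IOS configuration for the weak login settings sections 2 and 4
warn about. Added example, not from the original notes. The config text
below is constructed to mirror the page's commands; nothing is read from
a live router."""
import ipaddress
import re

# Constructed sample: the page's own commands plus a second vty range that
# was never hardened (a common oversight on routers with more than 5 vtys).
SAMPLE_CONFIG = """\
service password-encryption
username fred privilege 7 password 7 0822455D0A16
enable password 654321
ip domain-name abc.com
access-list 99 permit 192.168.0.0 0.0.255.255
access-list 99 deny   any
line vty 0 4
 exec-timeout 30
 login local
 access-class 99 in
line vty 5 15
 login local
"""

# Same device after applying the page's advice (hash values are placeholders).
HARDENED_CONFIG = """\
username fred privilege 15 secret 5 $1$abcd$placeholderhash
enable secret 5 $1$abcd$placeholderhash
ip domain-name abc.com
ip ssh version 2
access-list 99 permit 192.168.0.0 0.0.0.255
access-list 99 deny any
line vty 0 4
 exec-timeout 30
 login local
 access-class 99 in
 transport input ssh
"""


def split_config(config):
    """Return (top-level lines, {block header: [indented lines]})."""
    top, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            blocks[current] = []
    return top, blocks


def audit(config):
    """Return a list of (severity, message) findings; empty when nothing is wrong."""
    findings = []
    top, blocks = split_config(config)

    for line in top:
        if re.match(r"username \S+ .*\bpassword\b", line):
            findings.append(("HIGH", f"reversible user password: {line!r}; use 'username ... secret'"))
        if line.startswith("enable password"):
            findings.append(("HIGH", "'enable password' is reversible; use 'enable secret'"))
        if re.match(r"access-list \d+ permit any$", line):
            findings.append(("HIGH", f"{line!r} allows management from anywhere"))
        m = re.match(r"access-list \d+ permit (\S+) (\S+)$", line)
        if m and m.group(1) != "host":
            try:
                hosts = int(ipaddress.IPv4Address(m.group(2))) + 1  # wildcard -> address count
            except ValueError:
                hosts = 0
            if hosts > 256:
                findings.append(("INFO", f"{line!r} covers {hosts} addresses; confirm the management range"))

    if "ip ssh version 2" not in top:
        findings.append(("MEDIUM", "SSHv1 still negotiable (version 1.99); set 'ip ssh version 2'"))

    for header, body in blocks.items():
        if not header.startswith("line vty"):
            continue
        if not any(item.startswith("access-class") for item in body):
            findings.append(("HIGH", f"{header}: no access-class, reachable from any source"))
        if not any(item.startswith("transport input ssh") for item in body):
            findings.append(("MEDIUM", f"{header}: Telnet still accepted; set 'transport input ssh'"))
        if not any(item.startswith("exec-timeout") for item in body):
            findings.append(("LOW", f"{header}: no exec-timeout, idle sessions never close"))
    return findings


if __name__ == "__main__":
    for severity, msg in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {msg}")
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

Run it against the output of show running-config saved to a file; the second vty range in the sample is there to make the point that hardening line vty 0 4 alone leaves any additional vty lines wide open.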

5. Configure NTP
Set the time zone to UTC+8

Router(config)#clock timezone gmt 8

Set the NTP server

Router(config)#ntp server time.stdtime.gov.tw

Stamp log entries with local time (accurate, consistent timestamps are what make this router's logs usable alongside those of other devices)

Router(config)#service timestamps log datetime localtime

6. Configure the default route

Router(config)#ip route 0.0.0.0 0.0.0.0 211.75.186.254
7. Configure DHCP
Exclude addresses from the DHCP range
Router(config)#ip dhcp excluded-address 192.168.0.1 192.168.0.100

Set the network and mask to hand out, the default gateway and the DNS servers

Router(config)#ip dhcp pool dhcp-srv
Router(dhcp-config)#network 192.168.0.0 255.255.255.0
Router(dhcp-config)#default-router 192.168.0.1
Router(dhcp-config)#dns-server 168.95.1.1 8.8.8.8

Show the current leases

Router#show ip dhcp binding

8. Configure NAT

Interface   NAT role
F0          NAT inside
F1          NAT outside

Mark the interfaces (F1, facing the WAN, is marked ip nat outside in the same way)
Router(config)#interface f0
Router(config-if)#ip nat inside

Define the internal networks to translate

Router(config)#ip access-list extended LocalUser
Router(config-ext-nacl)#permit ip 192.168.0.0 0.0.0.255 any

Configure overload (PAT) NAT

Router(config)#ip nat inside source list LocalUser interface FastEthernet1 overload
Configure static NAT 
Router(config)#ip nat inside source static tcp 192.168.10.99 3389 60.25.12.10 3389 extendable
This publishes RDP on the public address to the whole Internet. Limit it with an inbound ACL on the outside interface that permits only the expected source addresses, or reach the host over a VPN instead.
Show the NAT table
Router#show ip nat translations
9. Configure a route map
Create the ACL (the source & destination match object)
Router(config)#ip access-list extended lan2wan2
Router(config-ext-nacl)#permit ip 192.168.1.129 0.0.0.0 any
Configure the route map
Router(config)#route-map wan2 
Router(config-route-map)#match ip address lan2wan2
Router(config-route-map)#set ip next-hop 192.168.1.253
Apply it to the interface on which the traffic arrives
Router(config)#int f0/0
Router(config-if)#ip policy route-map wan2
Check that it takes effect (the ACL match counter should increase for matching traffic)
Router#sh ip access-lists lan2wan2
Router#sh route-map
10. Configure a GRE tunnel
Create the tunnel interface and set its IP address
Router(config)#interface Tunnel1
Router(config-if)#ip address 172.16.101.1 255.255.255.252

Specify our own WAN IP & the peer's WAN IP

Router(config-if)#tunnel source 211.75.186.11
Router(config-if)#tunnel destination 61.220.71.88

The router at the other end gets the mirror-image configuration.

Note: GRE only encapsulates; it neither encrypts nor authenticates the traffic. Anything sent through this tunnel across the Internet is readable and forgeable on the path unless the tunnel is protected with IPsec.

Check that the tunnel is up
Router#show interface tunnel 1
Ping the tunnel interface IP at the far end
Router#ping 172.16.101.2
11. Configure NetFlow
Set the export version
Router(config)#ip flow-export version 5
Set the source interface
Router(config)#ip flow-export source Vlan1
Set the collector (destination) address and UDP port
Router(config)#ip flow-export destination 33.22.1.89 9996
Enable flow accounting on the interface whose traffic should be captured
Router(config)#int tu 200
Router(config-if)#ip route-cache flow
Router(config-if)#ip flow ingress
Router(config-if)#ip flow egress
Exports are plain, unauthenticated UDP; the collector should accept datagrams only from the router's export source address.
Check that traffic is being recorded
Router#sh ip cache flow
IP packet size distribution (8889 total packets):
 1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
 .000 .475 .178 .014 .055 .006 .009 .001 .000 .001 .000 .000 .000 .000 .013

 512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
 .002 .000 .000 .028 .210 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes
 22 active, 4074 inactive, 1936 added
 35366 ager polls, 0 flow alloc failures
 Active flows timeout in 30 minutes
 Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 34056 bytes
 22 active, 1002 inactive, 1936 added, 1936 added to flow
 0 alloc failures, 0 force free
 1 chunk, 1 chunk added
 last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-WWW             36      0.0        33   793      0.0       0.8       2.2
TCP-SMTP             2      0.0      1104   831      0.0      16.4       1.1
...remaining output omitted...
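What the collector at 33.22.1.89:9996 receives is a stream of NetFlow v5 datagrams: a 24-byte header followed by up to 30 fixed-size 48-byte records. The Python below is an added example, not from the page or from any collector product: it packs a constructed three-flow datagram (the addresses are illustrative; 198.51.100.7 is a documentation address standing in for a scanner), parses it back with the v5 field layout, rejects malformed input, and picks out SYN-only flows aimed at the RDP port that the static NAT in section 8 publishes.

```python
"""Decode NetFlow v5 export datagrams of the kind 'ip flow-export version 5'
sends to the collector on UDP 9996. Added example, not code from the page;
the datagram is constructed in build_sample() rather than captured, and the
addresses in it are illustrative."""
import socket
import struct

# v5 header (24 bytes): version, count, sys_uptime, unix_secs, unix_nsecs,
# flow_sequence, engine_type, engine_id, sampling_interval
HEADER_FMT = ">HHIIIIBBH"
# v5 record (48 bytes): srcaddr, dstaddr, nexthop, input, output, dPkts,
# dOctets, first, last, srcport, dstport, pad1, tcp_flags, prot, tos,
# src_as, dst_as, src_mask, dst_mask, pad2
RECORD_FMT = ">4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)
RECORD_LEN = struct.calcsize(RECORD_FMT)
TCP, UDP, SYN = 6, 17, 0x02


def parse_v5(datagram):
    """Return (header dict, list of flow dicts). Raises ValueError on bad input,
    which a collector must tolerate because anyone can send UDP to port 9996."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a v5 header")
    version, count, uptime, secs, nsecs, seq, etype, eid, sampling = struct.unpack(
        HEADER_FMT, datagram[:HEADER_LEN])
    if version != 5:
        raise ValueError(f"unexpected NetFlow version {version}")
    if count > 30 or len(datagram) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count does not match datagram length")
    header = {"version": version, "count": count, "sys_uptime_ms": uptime,
              "unix_secs": secs, "flow_sequence": seq,
              "engine": (etype, eid), "sampling": sampling}
    flows = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        r = struct.unpack(RECORD_FMT, datagram[off:off + RECORD_LEN])
        flows.append({
            "src": socket.inet_ntoa(r[0]), "dst": socket.inet_ntoa(r[1]),
            "nexthop": socket.inet_ntoa(r[2]), "in_if": r[3], "out_if": r[4],
            "packets": r[5], "bytes": r[6], "first_ms": r[7], "last_ms": r[8],
            "sport": r[9], "dport": r[10], "tcp_flags": r[12], "proto": r[13],
        })
    return header, flows


def syn_only_to_port(flows, port):
    """TCP flows to `port` whose only observed flag is SYN: unanswered probes,
    e.g. scans against the RDP port published by the static NAT in section 8."""
    return [f for f in flows if f["proto"] == TCP and f["dport"] == port
            and f["tcp_flags"] == SYN]


def _record(src, dst, sport, dport, proto, flags, pkts, octets):
    """Pack one constructed v5 record (interfaces, AS numbers and masks are fixed)."""
    return struct.pack(RECORD_FMT, socket.inet_aton(src), socket.inet_aton(dst),
                       socket.inet_aton("0.0.0.0"), 1, 2, pkts, octets,
                       1000, 2000, sport, dport, 0, flags, proto, 0, 0, 0, 24, 24, 0)


def build_sample():
    """Constructed export datagram with three flows (not captured traffic)."""
    records = [
        _record("192.168.0.50", "203.0.113.10", 51000, 443, TCP, 0x1b, 33, 26169),
        _record("192.168.0.51", "168.95.1.1", 40000, 53, UDP, 0x00, 1, 72),
        _record("198.51.100.7", "192.168.10.99", 61000, 3389, TCP, SYN, 1, 60),
    ]
    header = struct.pack(HEADER_FMT, 5, len(records), 3600000, 1256349476, 0, 1936, 0, 0, 0)
    return header + b"".join(records)


if __name__ == "__main__":
    hdr, flows = parse_v5(build_sample())
    print(f"seq {hdr['flow_sequence']}: {hdr['count']} flows")
    for f in syn_only_to_port(flows, 3389):
        print(f"SYN-only probe {f['src']}:{f['sport']} -> {f['dst']}:{f['dport']}")
```

To use it on live exports, bind a UDP socket to 9996, check the sender address before calling parse_v5 on each datagram, and watch flow_sequence for gaps, which indicate lost exports.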
12. Configure PPPoE
Configure the dialer interface
Router#config t
Router(config)#interface Dialer1
Router(config-if)#encapsulation ppp
Router(config-if)#ip tcp adjust-mss 1400
Router(config-if)#dialer pool 1
Router(config-if)#dialer-group 1
Router(config-if)#ppp pap sent-username [email protected] password 0 111111
(password 0 stores the PAP password in cleartext; with service password-encryption it only becomes type 7, which is reversible, so treat the saved config as sensitive)

Attach port F0 to the carrier's modem

Router(config)#interface f0
Router(config-if)#no ip address
Router(config-if)#pppoe enable group global
Router(config-if)#pppoe-client dial-pool-number 1

13. Update the firmware

Back up the current image first
Router#dir flash:
1  -rw-    23602616  Oct 24 2009 01:57:56 +00:00  c181x-advipservicesk9-mz.124-2.T1.bin
2  -rw-        3423  Oct 24 2009 01:58:56 +00:00  cpconfig-1811-1812.cfg
3  -rw-     2324992  Oct 24 2009 01:59:10 +00:00  cpexpress.tar
4  -rw-        1038  Oct 24 2009 01:59:20 +00:00  home.shtml
5  -rw-      115712  Oct 24 2009 01:59:28 +00:00  home.tar
Router#copy flash tftp:
Source filename []? c181x-advipservicesk9-mz.124-2.T1.bin
Address or name of remote host []? 192.168.0.101
Destination filename [c181x-advipservicesk9-mz.124-2.T1.bin]?
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
17672216 bytes copied in 112.648 secs (156880 bytes/sec)

Upload the new image

Router#copy tftp flash:
Address or name of remote host []? 192.168.0.101
Source filename []? c181x-adventerprisek9-mz.124-6.T7.bin
Destination filename [c181x-adventerprisek9-mz.124-6.T7.bin]? 
Accessing tftp://192.168.0.101/c181x-adventerprisek9-mz.124-6.T7.bin...
Loading c181x-adventerprisek9-mz.124-6.T7.bin from 192.168.0.101 (via FastEthernet1): !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 17672216 bytes]
17672216 bytes copied in 118.824 secs (148726 bytes/sec)

Verify the image checksum

Compare the value printed below with the MD5 published on Cisco's download page for exactly that image file. If they differ the image was corrupted in transfer (TFTP has no integrity check) or tampered with; do not boot it.

Router#verify /md5 flash:c181x-advipservicesk9-mz.124-24.T.bin
............................................................................................................................................................
...............................................................................................................................................Done!
verify /md5 (flash:c181x-advipservicesk9-mz.124-24.T.bin) = 61703494ab2c450746da721a583f739b

Delete the old image

Better done only after the new image has booted successfully: while the old image is still in flash, a bad upload can be recovered by booting it instead of going through ROMMON (section 17).

Router#delete flash:c181x-adventerprisek9-mz.124-2.T6.bin

Reload and confirm the new version is running

Router#reload
Router#show version

14. Configure logging
Set the log buffer size to 1 MB

Router(config)#logging buffered 1024000

The buffer is lost on every reload and can be cleared by anyone with enable access, so for incident investigation also send the logs to a syslog server (logging host).


15. Save the configuration & restore factory defaults & restore a saved configuration
Save the configuration

Router#copy running-config startup-config
Router#copy running-config flash:

Restore factory defaults

Router#erase startup-config
Router#reload

Restore a saved configuration (the copy written to flash: above)

Router#copy flash:running-config running-config

16. Forgotten password

Enter ROMMON mode: press Ctrl+Break (Pause) as the router boots 

monitor: command "boot" aborted due to user interrupt

rommon 1 >

Set the configuration register to 0x2142 so that the NVRAM configuration is ignored at boot

rommon 1 > confreg 0x2142 
You must reset or power cycle for new config to take effect
rommon 1 > reset 

Boot output omitted....

Enter privileged mode and load the saved configuration back

Router>en
Router#copy startup-config runn
Destination filename [running-config]? 
1379 bytes copied in 0.496 secs (2780 bytes/sec)

Re-create the account and password

Router#config t
Router(config)#username fred privilege 15 password 123456

Restore the configuration register

Router(config)#config-reg 0x2102

Write the configuration back to the startup config (NVRAM)

Router#copy run startup-config

Reboot

Router#reload

Note: this procedure works for anyone with a console cable and a few minutes alone with the router, which is why physical access to it has to be controlled. It can be disabled with no service password-recovery, at the cost of having to wipe the configuration entirely if the password is ever really lost.

17. Download IOS in ROMMON mode

Set the network variables, then run tftpdnld
rommon 1 > IP_ADDRESS=192.168.1.129
rommon 2 > IP_SUBNET_MASK=255.255.255.0
rommon 3 > DEFAULT_GATEWAY=192.168.1.1
rommon 4 > TFTP_SERVER=192.168.1.100
rommon 5 > TFTP_FILE=c1841-adventerprisek9-mz.151-4.M4.bin
rommon 6 > tftpdnld
 IP_ADDRESS: 192.168.1.129
 IP_SUBNET_MASK: 255.255.255.0
 DEFAULT_GATEWAY: 192.168.1.1
 TFTP_SERVER: 192.168.1.100
 TFTP_FILE: c1841-adventerprisek9-mz.151-4.M4.bin

 Invoke this command for disaster recovery only.
 WARNING: all existing data in all partitions on flash will be lost!
 Do you wish to continue? y/n: [n]: y

As the prompt warns, tftpdnld erases flash before writing the new image. Once the router has booted, verify the image's MD5 against the value from Cisco's download page as in section 13.

18. Show the device serial number

Router#sh inventory
NAME: "chassis", DESCR: "1812-J chassis"
PID: CISCO1812-J/K9 , VID: V02 , SN: FHK101951Z9

19. Add AAA configuration

Router(config)#aaa new-model
Router(config)#aaa authentication login Test local group radius
Router(config)#aaa authorization exec Test local group radius
Router(config)#aaa session-id common
Router(config)#aaa authorization console
Router(config)#radius-server host 192.168.100.100
Router(config)#radius-server key password
Router(config)#line con 0
Router(config-line)#authorization exec Test
Router(config-line)#login authentication Test
Router(config)#line vty 0 4
Router(config-line)#authorization exec Test
Router(config-line)#login authentication Test

Notes: the methods in a list are tried in order, so here the local user database is consulted before RADIUS; keep a local account so that login still works when the RADIUS server is unreachable. radius-server key password uses the literal string "password" as the shared secret; replace it with a long random value, since it is all that protects the RADIUS exchange. aaa authorization console extends exec authorization to the console line, so confirm from a second session that the console still gets a working method list before logging out.

20. Cisco password cracker
http://www.ifm.net.nz/cookbooks/passwordcracker.html
This tool recovers the plaintext of type 7 strings (the "password 7 ..." lines that service password-encryption produces) instantly, which is why section 2 recommends secret instead.
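The scheme that cracker reverses is simple enough to carry in a few lines. The Python below is an added example (not the linked tool's code) of the well-known type 7 encoding: a two-digit decimal offset into a fixed key string, then each password byte XORed with successive key bytes and written as hex. It decodes and encodes, and scans a config for every recoverable value while leaving type 5 secrets alone. The config excerpt in it is constructed; the hash on the secret line is a placeholder.

```python
"""Decode and encode Cisco type 7 strings, the "service password-encryption"
format that the linked cracker page reverses. Added example implementing the
well-known fixed-key XOR scheme; it is not code from that page, and the
config excerpt below is constructed."""
import re

# Fixed key string built into IOS; a type 7 value is a two-digit decimal
# offset into this key followed by the XOR of each password byte with the
# key byte at offset+i, written as uppercase hex.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded):
    """Return the plaintext for a type 7 string, or raise ValueError."""
    if not re.fullmatch(r"[0-9]{2}(?:[0-9A-Fa-f]{2})+", encoded):
        raise ValueError(f"not a type 7 string: {encoded!r}")
    offset = int(encoded[:2])
    if offset > 15:
        raise ValueError("offset out of range")  # IOS only uses 0..15
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, b in enumerate(body))
    return plain.decode("ascii")


def type7_encode(plain, offset=8):
    """Inverse of type7_decode (XOR is symmetric); offset picks the key start."""
    data = plain.encode("ascii")
    body = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return f"{offset:02d}{body.hex().upper()}"


def recover_type7(config):
    """Return [(config line, plaintext)] for every 'password 7'/'key 7' value.
    Type 5 secrets (salted MD5) are left alone: they cannot be reversed this way."""
    found = []
    for line in config.splitlines():
        m = re.search(r"\b(?:password|key) 7 ([0-9A-Fa-f]+)\b", line)
        if m:
            found.append((line.strip(), type7_decode(m.group(1))))
    return found


# Constructed excerpt of a config saved after 'service password-encryption'.
SAMPLE_CONFIG = """\
username fred privilege 7 password 7 0822455D0A16
enable secret 5 $1$abcd$placeholderhash
radius-server key 7 03550958525A77
"""

if __name__ == "__main__":
    for line, plain in recover_type7(SAMPLE_CONFIG):
        print(f"{line}  ->  {plain!r}")
```

Note that the RADIUS shared secret from section 19 is stored in exactly this format, so anyone who obtains a config backup (section 21) also obtains it.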

21. Scheduled configuration backup

Router(config)#kron policy-list Backup
Router(config-kron-policy)#cli show startup-config | redirect tftp://10.10.10.1/router.cfg

Run the backup every Sunday at 23:00

 Router(config)#kron occurrence SaveConfigSchedule at 23:00  sun recurring
 Router(config-kron-occurrence)#policy-list Backup

Verify the schedule

Router#show kron schedule

TFTP has no authentication or encryption, and the backup contains every type 7 password, SNMP community and key in the config. Keep the TFTP server on a management network only the router can reach, restrict who can read the files, and check that the server actually received a copy after the first scheduled run.
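Backups are only useful if someone looks at them. The Python below is an added example, not from the page, that diffs two snapshots of the kind the kron job writes and reports the changes that touch logins, ACLs, AAA or the vty lines, ignoring the timestamp comment IOS rewrites on every save. Both snapshots are constructed and the hash values in them are placeholders.

```python
"""Diff two configuration backups of the kind the kron job above writes and
flag changes that touch authentication, access control or remote management.
Added example, not code from the page; both snapshots below are constructed."""
import difflib
import re

# Config lines whose appearance or disappearance deserves a look.
SENSITIVE = re.compile(
    r"^\s*(username |enable (secret|password)|aaa |radius-server|tacacs-server|"
    r"access-list |ip access-list |access-class |transport input |snmp-server |"
    r"ip http |line vty |ip nat inside source static )")

# Lines IOS rewrites on every save; not worth alerting on.
VOLATILE = ("! Last configuration change", "! NVRAM config last updated", "ntp clock-period")


def _lines(text):
    return [line.rstrip() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith(VOLATILE)]


def config_diff(old, new):
    """Return (removed, added) config lines between two snapshots."""
    a, b = _lines(old), _lines(new)
    removed, added = [], []
    for tag, i1, i2, j1, j2 in difflib.SequenceMatcher(a=a, b=b, autojunk=False).get_opcodes():
        if tag in ("replace", "delete"):
            removed.extend(a[i1:i2])
        if tag in ("replace", "insert"):
            added.extend(b[j1:j2])
    return removed, added


def sensitive_changes(old, new):
    """Subset of config_diff that matches SENSITIVE, as ('-'|'+', line) pairs."""
    removed, added = config_diff(old, new)
    return ([("-", line) for line in removed if SENSITIVE.match(line)]
            + [("+", line) for line in added if SENSITIVE.match(line)])


# Constructed snapshots: a week apart, one harmless edit and two that are not.
OLD_BACKUP = """\
! Last configuration change at 23:00:01 UTC Sun Oct 18 2009
username fred privilege 15 secret 5 $1$abcd$placeholderhash
interface FastEthernet0
 description LAN
line vty 0 4
 exec-timeout 30
 login local
 access-class 99 in
 transport input ssh
"""

NEW_BACKUP = """\
! Last configuration change at 23:00:01 UTC Sun Oct 25 2009
username fred privilege 15 secret 5 $1$abcd$placeholderhash
username svc privilege 15 secret 5 $1$efgh$placeholderhash
interface FastEthernet0
 description LAN (office)
line vty 0 4
 exec-timeout 30
 login local
 transport input ssh
"""

if __name__ == "__main__":
    for sign, line in sensitive_changes(OLD_BACKUP, NEW_BACKUP):
        print(sign, line)
```

In the sample the new privilege-15 account and the vanished access-class are reported while the interface description change is not; run it against consecutive router.cfg files on the TFTP server and page on any non-empty result.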

Reference:
http://www.cisco.com/c/en/us/td/docs/routers/access/1800/1801/software/configuration/guide/scg.pdf
