路由器配置基礎(chǔ)及科技網(wǎng)

網(wǎng)絡(luò)介紹

中國(guó)科技網(wǎng)技術(shù)部陳江寧內(nèi)容介紹路由器配置介紹路由器基礎(chǔ)知識(shí)介紹監(jiān)控與故障診斷基本測(cè)試方法設(shè)備配置存取及其備份路由器啟動(dòng)順序及密碼恢復(fù)保護(hù)Internet連接安全中國(guó)科技網(wǎng)介紹中國(guó)科技網(wǎng)的結(jié)構(gòu)簡(jiǎn)介中國(guó)科技網(wǎng)網(wǎng)絡(luò)設(shè)備簡(jiǎn)介國(guó)內(nèi)外出口簡(jiǎn)介網(wǎng)絡(luò)管理簡(jiǎn)介路由器基礎(chǔ)知識(shí)介紹外部配置的途徑可以通過(guò)各種途徑進(jìn)行配置ConsolePortNetworkManagementStationvty0-4VirtualTerminalsInterfacesAuxiliaryPortTRouter>UserEXECMode只限于路由器的某一些有限的權(quán)限登錄到機(jī)器的缺省狀態(tài)Router#PrivilegedEXECMode有檢查，配置，調(diào)試等所有權(quán)限通過(guò)enable可進(jìn)入此狀態(tài)SetupMode初始配置狀態(tài)以對(duì)話的方式來(lái)創(chuàng)建一個(gè)基本配置才出廠的機(jī)器或刪了startup-config的機(jī)器開(kāi)機(jī)后自動(dòng)進(jìn)入或手動(dòng)用setup命令進(jìn)入Router(config)#GlobalConfigurationMode全局配置狀態(tài)在特權(quán)執(zhí)行態(tài)輸入configterminalOtherConfigurationModesRouter(config-mode)#開(kāi)機(jī)后60秒內(nèi)按ctrl+break鍵則進(jìn)入該態(tài)在機(jī)器不能正常自動(dòng)引導(dǎo)時(shí)進(jìn)行RXBOOTModeRouter模式其他的配置狀態(tài)在特權(quán)執(zhí)行狀態(tài)輸入相應(yīng)的命令時(shí)進(jìn)入.Router(config)#Router>Router#Other

Configuration

ModesExit<Ctrl><z>路由器配置模式綜述UserEXECmodePrivilegedEXECmodeGlobalconfigurationmodeInterfaceSubinterfaceControllerMap-listMap-classLineRouterIPX-routerRoute-mapConfigurationModeRouter(config-if)#Router(config-subif)#Router(config-controller)#Router(config-map-list)#Router(config-map-class)#Router(config-line)#Router(config-router)#Router(config-ipx-router)#Router(config-route-map)#Prompt基本的路由器設(shè)置(續(xù)）步驟十：顯示路由器上的IP路由表，檢查網(wǎng)絡(luò)的連通性，應(yīng)確認(rèn)能夠成功的ping通網(wǎng)絡(luò)中其他的路由器；步驟十一：檢查路由器的路由表，并通過(guò)“showipprotocols”檢查路由器的協(xié)議配置；步驟十二：診斷網(wǎng)絡(luò)利用debug等命令來(lái)捕獲路由更新信息；步驟十三：利用showversion查看CiscoIOS版本和路由器的類型；步驟十四：保存路由器的配置；配置路由器的標(biāo)示RouterNameRouter(config)#hostnameTokyoTokyo#LoginBannerTokyo(config)#bannermotd^C

WelcometorouterTokyo AccountingDepartment 3rdFloor^C#InterfaceDescriptionTokyo(config)#interfacee0Tokyo(config-if)#descriptionEngineeringLAN,Bldg.18為路由器及其端口配置標(biāo)示信息配置密碼Router(config)#lineconsole0Router(config-line)#exec-timeout150Router(config-line)#loginRouter(config-line)#passwordciscoConsolePasswordVirtualTerminalPasswordRouter(config)#linevty04Router(config-line)#loginRouter(config-line)#passwordciscoEnablePasswordRouter(config)#enablesecretsan-franPerformPasswordEncryptionRouter(config)#servicepassword-encryption

(setpasswordshere)Router(config)#noservicepassword-encryption定義靜態(tài)ARP緩存Arpip-addresshardware-addresstype[alias]ARP封裝類型Arparpa：IEEE802.3Ethernet（缺省值）Arpprobe：IEEE802.3網(wǎng)絡(luò)的HP-Probe協(xié)議Arpsnap：支持RFC1402的FDDI和令牌環(huán)網(wǎng)絡(luò)的arp報(bào)文提供有主機(jī)名到IP地址的解析Router(config)#使用DNS服務(wù)ipname-serverserver-address1

[[server-address2]...

server-address6]ipdomain-nameipdomain-lookupBOOTSYSTEM列表從flash啟動(dòng)系統(tǒng)從網(wǎng)絡(luò)服務(wù)器啟動(dòng)系統(tǒng)從ROM啟動(dòng)系統(tǒng)(Cisco7500上BOOTFLASH）Router（config）＃bootsystemflash:rsp-IOSRouter（config）＃bootsystemflashslot0:rsp-IOSRouter（config）＃config-register0x010FRouter（config）＃bootsystemromRouter（config）＃bootsystem1Router（config）＃bootsystemflashslot1:rsp-IOSRouter＃wrRouter＃reload舉例:靜態(tài)路由iprouteCiscoA

CiscoBE0S0S1S2S0Makechangesinconfigurationmodes修改配置Examineresults檢查結(jié)果Router#showrunning-configIntendedresults?No修改現(xiàn)有配置Router(config)#no....Router#configmemRouter#copytRouter#erasestartup-configRouter#reloadYesSavechangestobackup保存配置Router#copyrunning-configstartup-configRouter#copyrunning-configtftpExaminebackupfile檢查備份配置Router#showstartup-config配置修改后的保存監(jiān)控與故障診斷

Router#showrunning-configBuildingconfiguration...

Currentconfiguration:

!

version11.2! --More--Router#showstartup-configUsing1108outof130048bytes

!

version11.2

!

hostnamerouter

--More--showrunning-config命令

showstartup-config命令UsewriteterminalwithRelease10.3andearlierUseshowconfigwithRelease10.3andearlierRouter#showinterfaceserial1Serial1isup,lineprotocolisupHardwareiscxBusSerialDescription:56KbLineSanJose-MP::::::::::::::::::::Operational..................ConnectionProblem...InterfaceProblem........Disabled......................Serial1isup,lineprotocolisupSerial1isup,lineprotocolisdownSerial1isdown,lineprotocolisdownSerial1isadministrativelydown,lineprotocolisdown激活信號(hào)Keepalives載波信號(hào)CarrierDetectshowinterface

serial清除showinterface中的計(jì)數(shù)器Router#clearcountersRouter#showinterfaceserial1Serial1isup,lineprotocolisupHardwareiscxBusSerialDescription:56KbLineSanJose-MPInternetaddressis03,subnetmaskisMTU1500bytes,BW56Kbit,DLY20000usec,rely255/255,load1/255EncapsulationHDLC,loopbacknotset,keepaliveset(10sec)Lastinput0:00:07,output0:00:00,outputhangneverLastclearingof"showinterface"counters2w4dOutputqueue0/40,0drops;inputqueue0/75,0dropsFiveminuteinputrate0bits/sec,0packets/secFiveminuteoutputrate0bits/sec,0packets/sec16263packetsinput,1347238bytes,0nobufferReceived13983broadcasts,0runts,0giants2inputerrors,0CRC,0frame,0overrun,0ignored,2abort0inputpacketswithdribbleconditiondetected22146packetsoutput,2383680bytes,0underruns0outputerrors,0collisions,2interfaceresets,0restarts1carriertransitionsRouter>showipprotocolRoutingProtocolis"igrp300"

Sendingupdatesevery90seconds,nextduein55seconds

Invalidafter270seconds,holddown280,flushedafter630

Outgoingupdatefilterlistforallinterfacesisnotset

Incomingupdatefilterlistforallinterfacesisnotset

Defaultnetworksflaggedinoutgoingupdates

Defaultnetworksacceptedfromincomingupdates

IGRPmetricweightK1=1,K2=0,K3=1,K4=0,K5=0

IGRPmaximumhopcount100

IGRPmaximummetricvariance1

Redistributing:igrp300

RoutingforNetworks:

RoutingInformationSources:

GatewayDistanceLastUpdate

1000:00:52

21000:00:43

301000:01:02

Distance:(defaultis100)--More--showipprotocol命令RAMInternetworkOperatingSystemProgramsTables

and

BuffersActiveConfigurationFileBackupConfigurationFileOperating

SystemsInterfacesRouter狀態(tài)檢查命令Router#showversionFlashRouter#showprocessesCPURouter#showprotocolsRouter#showmemRouter#showstacksRouter#showbuffersRouter#showflashRouter#showrunning-configRouter#writetermRouter#showstartup-configRouter#showconfigNVRAMRouter#showinterfacestelnet操作InitiateasessionDenver>telnetparisEndasessionParis>exitSuspendasessionEscapesequenceParis><Cntl><Shift><6>

<x>Denver>ResumeasessionDenver><Return>DisconnectasessionDenver>disconnectparisDisplaysessionsDenver#showsessionsConn Host Address Idle ConnName1 Paris 52 0 Paris2 Tokyo 3 0 Tokyo*TokyoParisDenver理解cisco錯(cuò)誤消息系統(tǒng)錯(cuò)誤消息格式：％Facility–subfacility–Severity–Mnemonic:MessageTextFacility指出錯(cuò)誤消息涉及的設(shè)備名。該值可以是協(xié)議、硬件設(shè)備或者系統(tǒng)軟件模塊；Subfacility它僅與通道接口處理器（CIP）卡有關(guān)；Sererity它是一個(gè)范圍在0到7之間的數(shù)字。數(shù)字的值越小，嚴(yán)重程度越高；Mnemonic唯一標(biāo)識(shí)錯(cuò)誤信息的單值代碼，該代碼通?？梢园凳惧e(cuò)誤的類型；MessageText它是錯(cuò)誤信息的簡(jiǎn)短描述，其中包括涉及的路由器硬件和軟件信息；注：并不是所有的消息都涉及到故障或者問(wèn)題的狀況，某些消息顯示的是狀態(tài)方面的信息信息記錄指定記錄到系統(tǒng)日志服務(wù)器中消息的調(diào)試級(jí)別，命令：loggingtraplevel指定系統(tǒng)日志數(shù)據(jù)包含有特定接口的ip地址，而不管數(shù)據(jù)包通過(guò)哪個(gè)接口流出路由器，命令：loggingsource-interfacetypenumber將消息記錄到系統(tǒng)日志服務(wù)器主機(jī)，命令：loggingon啟用在日志消息中加入時(shí)戳功能，命令：servicetimestamps{log|debug}datetime[msec][localtime][show-timezone]事件日志記錄步驟：信息記錄ConsoleTerminalUNIXHost(Running

Syslog

Server)Buffers(default)Telnet

TerminalnologgingbufferedterminalmonitorloggingonloggingshowloggingloggingbufferedDebugOutputandSystemErrorMessages基本測(cè)試方法測(cè)試綜述ApplicationPresentationSessionTransportNetworkDataLinkPhysical7654321telnetpingtraceshowiprouteshowinterface驗(yàn)證地址的配置ApplicationTransportInternetNetworkInterfaceHardwareApplicationTransportInternetNetworkInterfaceHardwareTelnetTelnettelnetICMPpingtracetracetrace使用ping命令測(cè)試各種協(xié)議的報(bào)文能夠被正確的路由嗎?EchoRequestEchoReplyNetworkLayer測(cè)試網(wǎng)絡(luò)的連接狀況Router>pingTypeescapesequencetoabort.Sending5,100-byteICMPEchosto,

timeoutis2seconds:.!!!!Successrateis80percent,round-tripmin/avg/max=

6/6/6msRouter>Ping! 響應(yīng)成功接收 . 請(qǐng)求超時(shí)U 目的不可達(dá) P 協(xié)議不可達(dá)N網(wǎng)絡(luò)不可達(dá)I ping被中斷(forexample,Ctrl-Shift-6X)?? 不可知報(bào)文類型Router#ping

Protocol[ip]:

TargetIPaddress:62

Repeatcount[5]:

Datagramsize[100]:

Timeoutinseconds[2]:

Extendedcommands[n]:y

Sourceaddress:

Typeofservice[0]:

SetDFbitinIPheader?[no]:yes

Datapattern[0xABCD]:

Loose,Strict,Record,Timestamp,Verbose[none]:

Sweeprangeofsizes[n]:

Typeescapesequencetoabort.

Sending5,100-byteICMPEchosto62,timeoutis2seconds:

!!!!!

Successrateis100percent(5/5),round-tripmin/avg/max=24/26/28ms

Router#Ping命令支持多協(xié)議Ping(擴(kuò)展)使用trace命令數(shù)據(jù)報(bào)文傳輸時(shí)經(jīng)過(guò)那條路徑?RomeYorkLondonParisNetworkLayerYork#traceROMETypeescapetoabort.TracingtheroutetoROME() 1LONDON()1000msec8msec4msec 2PARIS()8msec8msec8msec 3ROME()8msec8msec4msec

York#通過(guò)端口地址表示數(shù)據(jù)到達(dá)的地點(diǎn)Router#traceTypeescapesequencetoabort.Tracingtherouteto(3)

1 ()1000msec8msec4msec 2 ()8msec8msec8msec 3 (25)8msec4msec4msec 4 ()8msec8msec8msec 5 ()12msec12msec8msec 6 ()216msec120msec132msec 7 (3)412msec*664msecIPTraceH— 主機(jī)不可達(dá)P— 協(xié)議不可達(dá)N— 網(wǎng)絡(luò)不可達(dá)U— 端口不可達(dá)*— 報(bào)文超時(shí)?_報(bào)文類型不能識(shí)別測(cè)試ApplicationLayer使用telnet你能登陸遠(yuǎn)程的路由器嗎?ParisTelnetYorkParis>Application設(shè)備代碼、配置存取及其備份從NVRAM中加載配置文件ConsoleIOSSetuputilityshowstartup-configshowrunning-configLoadandexecuteconfigfromNVRAMIfnoconfiginNVRAM,entersetupmodeConfigConfigRAMNVRAMRouter#showrunning-configBuildingconfiguration...

Currentconfiguration:

!

version11.2! --More--Router#showstartup-configUsing1108outof130048bytes

!

version11.2

!

hostnamerouter

--More--showrunning-config命令

showstartup-config命令Displaycurrentandsavedconfiguration保存配置文件ConfigConfigRAMNVRAMNVRAMcopyrunningstartup=writecopystartuprunning(merge)保存配置文件ConfigConfigConsoleRAMNVRAMNVRAMTerminalTcopyrunningstartupcopystartuprunning(merge)Tcopystarttftpcopytcopyruntftpcopyt(merge)configterm(merge)Copystartuptftp

Access_Server#copy?

flashCopyfromsystemflashflh-logCopyFLHlogservermopCopyfromaMOPserverrcpCopyfromanrcpserverrunning-configCopyfromcurrentsystemconfigurationstartup-configCopyfromstartupconfigurationtftpCopyfromaT

Access_Server#copystartup-config?rcpCopytoanrcpserver

running-configUpdate(mergewith)currentsystemconfiguration

tftpCopytoaTAccess_Server#copystartup-configtftpRemotehost[]?14Nameofconfigurationwrite[access_server-confg]?Writeonhost14?[confirm]Writingaccess_server-confg!![OK]備份IOSImagesNetworkserverFLASHRouterc2500-js-l_120-3.binNetwork

server備份IOSImagesCheckaccesstotheserverRouterNetwork

serverwg_ro_a#showflashSystemflashdirectory:FileLengthName/status110084696c2500-js-l_120-3.bin[10084760bytesused,6692456available,16777216total]16384KbytesofprocessorboardSystemflash(ReadONLY)查看IOSImagesVerifyFlashmemoryhasroomfortheIOSimage創(chuàng)建Image備份BackupcurrentfilespriortoupdatingFlashNetworkserverFLASHcopyflashtftp創(chuàng)建Image備份(續(xù))Access_Server#copyflashtftpSystemflashdirectory:FileLengthName/status13988176/igs-im-l_111-22.bin[3988240bytesused,4400368available,8388608total]Addressornameofremotehost[55]?14Source?/igs-im-l_111-22.binDestination[/igs-im-l_111-22.bin]?Verifyingchecksumfor'/igs-im-l_111-22.bin'(file#1)...OKCopy'/igs-im-l_111-22.bin'fromFlashtoserveras'/igs-im-l_111-22.bin'?[yes/no]yes!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!UploadtoserverdoneFlashcopytook00:00:53[hh:mm:ss]wg_ro_a#copytAddressornameofremotehost[]?Source[]?c2500-js-l_120-3.binDestination[c2500-js-l_120-3.bin]?Accessingt...Eraseflash:beforecopying?[confirm]Erasingtheflashwillremoveallfiles!Continue?[confirm]Erasingdevice...eeeee(outputomitted)...erasedEraseofflash:completeLoadingc2500-js-l_120-3.binfrom(viaEthernet0):!!!!!!!!!!!!!!!!!!!!(outputomitted)[OK-10084696/20168704bytes]Verifyingchecksum...OK(0x9AA0)10084696bytescopiedin309.108secs(32636bytes/sec)wg_ro_a#恢復(fù)Image備份EraseFlashoccursbeforeloadingnewimageNotemessagethatimagealreadyexistsNetworkserverFLASH系統(tǒng)啟動(dòng)綜述系統(tǒng)啟動(dòng)的順序通過(guò)終端不斷反饋啟動(dòng)的信息核查硬件查找并載入CiscoIOS

softwareimage查找并調(diào)用路由器的配置信息啟動(dòng)的順序RAMROMBootstrapLoadBootstrapTFlashROMCiscoInternetworkOperatingSystemLocateandLoadOperatingSystemConsoleTNVRAMConfigurationFileLocateandLoadConfigurationFileorEnterSetupModeConfigurationregisterbits3,2,1,and0setbootoptionCheckconfigurationregistervaluewithshowversion配置注冊(cè)號(hào)ConfigurationRegisterBootFieldValue0x00x2to0xF0x1MeaningUseROMmonitormode(Manuallybootusingtheb

command)ExamineNVRAMforbootsystemcommands(0x2defaultifrouterhasFlash)AutomaticallybootfromROM(ProvidesIOSsubset)Router#configureterminalRouter(config)#config-register0x2102[Ctrl-Z]Router#reload

默認(rèn)0x2102，即：0010000100000010從右開(kāi)始數(shù)，為第0位…..第15位第0-3位：0000-ROMMON，0001-MinIOS其它正常啟動(dòng)第6位：即0x2142，忽略配置文件注冊(cè)號(hào)RecoveringaLostPassword(例)重新啟動(dòng)路由器,在60秒內(nèi)按ctrl+break鍵,后按回車;在>下鍵入o/r0x2142在>下鍵入i;在進(jìn)入setup模式后,不進(jìn)行配置(鍵入no),進(jìn)入Router(boot)>狀態(tài);Router(boot)>enableRouter(boot)#configterminalRouter(boot)(config)#enablesecret你所配置的口令Router(boot)(config)#config-register0x2102Router(boot)(config)#^+ZRouter(boot)#writeRouter(boot)#reload保護(hù)管理接口的安全細(xì)調(diào)線路參數(shù)特權(quán)級(jí)允許對(duì)網(wǎng)絡(luò)設(shè)備進(jìn)行受限制的訪問(wèn)限制Telnet的訪問(wèn)控制對(duì)路由器的http訪問(wèn)網(wǎng)絡(luò)基礎(chǔ)設(shè)施的安全主要內(nèi)容保護(hù)管理接口的安全初始安裝之后立即配置口令確保特權(quán)級(jí)口令與用戶級(jí)口令不同在口令中使用混合字符以使口令破解企圖難于成功不要將口令保存在易發(fā)現(xiàn)的地方不要使用易被猜出來(lái)的口令經(jīng)常更換口令不要在生產(chǎn)環(huán)境中使用“cisco”或其他明顯的衍生詞作為cisco路由器的口令設(shè)置安全口令的技巧保護(hù)管理接口的安全保護(hù)控制臺(tái)（console）端口訪問(wèn)安全特權(quán)模式口令口令加密Router(config)#lineconsole0Router(config-line)#loginRouter(config-line)#passwordciscoRouter(config)#enablesecret[levellevel]{password|[encryption-type]encrypted-password}Router(config)#servicepassword-encryptionRouter(config)#lineconsole0設(shè)置線路超時(shí)值Router(config－line)#exec-timeout230可調(diào)節(jié)的其他線路類型Router(config)#line？<0-70>FisrtlinenumberauxAuxiliarylineconsolePrimaryterminallinettyTerminalcontrollervtyVirtualterminal細(xì)調(diào)線路參數(shù)

級(jí)別1被預(yù)先定義為啟用用戶模式訪問(wèn)特權(quán)級(jí)別2到14時(shí)可以定制的用戶模式特權(quán)級(jí)別級(jí)別15被預(yù)先定義為啟用特權(quán)模式訪問(wèn)級(jí)別，與“enable”命令所允許的訪問(wèn)級(jí)別相同Priviledge

mode{level

levelcommand|reset

command}Mode：指定配置模式，包括可執(zhí)行（exec）、配置（configure）、線路（line）、接口（interface）模式以及所有其他路由器配置模式level

level：

設(shè)置一個(gè)從0到15的特權(quán)級(jí)別與指定的命令向關(guān)聯(lián)Command：指定上述特權(quán)級(jí)別與其之關(guān)聯(lián)的命令reset

command：重置所指定命令的特權(quán)級(jí)別設(shè)置多個(gè)特權(quán)級(jí)別特權(quán)級(jí)別通過(guò)修改用戶的特權(quán)級(jí)別，你可以為用戶分配更細(xì)微的權(quán)限IOS路由器privilegeconfigurelevel3usernameprivilegeexeclevel3copyrunstartprivilegeexeclevel3pingprivilegeexeclevel3showrunprivilegeexeclevel3showenablesecretlevel3ciscoTelnet端口在路由器上被稱為虛擬終端端口（vty）必須配置一個(gè)啟用口令在路由器上才能通過(guò)telnet獲得啟用訪問(wèn)權(quán)采用“access-class”和“access-list”命令限制telnet訪問(wèn)限制由“transportinput”命令允許連接到路由器上的連接類型關(guān)閉入“ipalias”、“nocdpenable”等命令，以防止通過(guò)vty端口對(duì)路由器的攻擊－限制來(lái)自特定IP地址的telnet訪問(wèn)－定義一個(gè)包含所允許IP地址的標(biāo)準(zhǔn)訪問(wèn)控制列表－通過(guò)“access-class”命令將訪問(wèn)控制列表施加到vty線路上去控制Telnet訪問(wèn)

VirtualPorts(vty0through4)控制虛擬終端的訪問(wèn)RSM143(config)#access-list1permitRSM143(config)#linevty04RSM143(config-line)#access-class1inTelnet4343控制HTTP訪問(wèn)RSM143(config)#access-list1permitRSM143(config)#iphttpserverRSM143(config)#iphttpaccess-class1RSM143(config)#iphttpauthenticationlocalRSM143(config)#usernamestudentpasswordcisco43HTTP管理站點(diǎn)缺省情況下HTTP訪問(wèn)時(shí)關(guān)閉的；配置一個(gè)訪問(wèn)控制列表指定訪問(wèn)路由器上的tcp端口80的地址；HTTP使用與控制臺(tái)和vty訪問(wèn)相似的口令安全機(jī)制；控制TCP/IP服務(wù)訪問(wèn)控制DoS攻擊防護(hù)記錄（logging）邊界路由器事件保護(hù)Internet連接安全主要內(nèi)容控制TCP/IP服務(wù)控制路由器所提供TCP/IP服務(wù)的命令Noservicetcp-small-servers禁止對(duì)網(wǎng)絡(luò)主機(jī)的一些低端口tcp服務(wù)進(jìn)行訪問(wèn)，包括Discard、Charagen、Daytime端口Noserviceudp-small-serversNoservicefinger禁止路由器處理finger協(xié)議請(qǐng)求，阻止遠(yuǎn)程用戶查詢Noipdomain-lookup在邊界路由器上禁止基于IPDNS的主機(jī)名對(duì)地址的轉(zhuǎn)換禁止對(duì)網(wǎng)絡(luò)主機(jī)的一些低端口udp服務(wù)進(jìn)行訪問(wèn)，包括Discard、Charagen、Daytime端口Noiptcpselective-ack禁止TCP選擇性應(yīng)答，對(duì)性能有所影響，但是增加了抵御DoS攻擊的能力Nocdprun全局性禁止Cisco發(fā)現(xiàn)協(xié)議Noiprsh-enable將路由器配置成不允許遠(yuǎn)端用戶用rsh在路由器上執(zhí)行命令控制TCP/IP服務(wù)在接口模式下控制TCP/IP服務(wù)的命令Noipproxy-arp在接口上禁止代理arpNoipredirectsNoiptcppath-mtu-discovery在接口上禁止所有從路由器自身發(fā)起的新TCP連接的MTU發(fā)現(xiàn)。啟用MTU發(fā)現(xiàn)會(huì)增加遭受DOS攻擊的可能性Noipunreachable在接口上禁止產(chǎn)生icmp不可到達(dá)信息禁止ciscoios軟件在被要求經(jīng)與數(shù)據(jù)包接受端口相同的端口上重發(fā)該數(shù)據(jù)包發(fā)送重定向消息。這可以限制在端口上掃描情況下路由器的反饋信息Nocdpenable在接口上禁止cdpNoipdirected-broadcast關(guān)閉ip定向廣播，防止路由器在分布式DoS攻擊中變?yōu)閺V播放大器。缺省命令路由安全靜態(tài)路由控制路由通告路由認(rèn)證控制訪問(wèn)進(jìn)入數(shù)據(jù)包過(guò)濾外出數(shù)據(jù)包過(guò)濾DoS攻擊防護(hù)防止DDos攻擊防止網(wǎng)絡(luò)設(shè)備成為DDos攻擊的參與者采用訪問(wèn)控制列表對(duì)所有的入流量進(jìn)行過(guò)濾，濾除源地址為私有和保留地址的數(shù)據(jù)包過(guò)濾所有的外出流量，以防止源ip地址欺騙采用承諾訪問(wèn)速率(committedaccessrate,CAR)對(duì)icmp數(shù)據(jù)包風(fēng)暴進(jìn)行限速對(duì)SYN包進(jìn)行速率限制使用ipverifyunicastreverse-path網(wǎng)絡(luò)接口命令用NAT和PAT管理地址防范分布式D.O.S攻擊的配置對(duì)ICMP報(bào)文設(shè)置流率限制Router(config)#interfaceserial0Router(config-if)#rate-limitoutputaccess-group1051540000512000786000conform-actiontransmitexceed-actiondropRouter(config)#access-list105permiticmpanyanyecho-reply首先，利用訪問(wèn)控制對(duì)數(shù)據(jù)包進(jìn)行分類，定義出icmp數(shù)據(jù)流再次，CAR有選擇的將數(shù)據(jù)流量限制在指定的帶寬之內(nèi)其次，確定在配置CAR之前，接口上的CEF功能已經(jīng)打開(kāi)防范分布式D.O.S攻擊的配置為SYN報(bào)文設(shè)置流率限制Router#showinterfacesrate-limit首先，測(cè)量正常的SYN流量，幫助建立接口上正常流量速率的基準(zhǔn)其次，我們應(yīng)盡量將SYN的速率限制得盡可能低Router(config)#interfaceserial0Router(config-if)#rate-limitoutputaccess-group1501540000512000786000conform-actiontransmitexceed-actiondropRouter(config)#access-list150permittcpanyhosteqwwwRouter(config)#access-list150permittcpanyhosteqestablished再次，啟用邊界設(shè)備的日志功能，以幫助追蹤DDoS攻擊路由器防止病毒的安全配置

1、用于控制Nachi蠕蟲(chóng)的掃描

access-list110denyicmpanyanyecho

2、用于控制Blaster蠕蟲(chóng)的傳播

access-list110denytcpanyanyeq4444

access-list110denyudpanyanyeq69

3、用于控制Blaster蠕蟲(chóng)的掃描和攻擊

access-list110denytcpanyanyeq135

access-list110denyudpanyanyeq135

access-list110denytcpanyanyeq139

access-list110denyudpanyanyeq139

access-list110denytcpanyanyeq445

access-list110denyudpanyanyeq445

access-list110denytcpanyanyeq593

access-list110denyudpanyanyeq593

4、用于控制Slammer蠕蟲(chóng)的傳播

access-list110denyudpanyanyeq1434access-list110permitipanyany

5、關(guān)閉可能存在的漏洞

access-list101denyip55any

access-list101denyip55any

access-list101denyip55any

中國(guó)科技網(wǎng)介紹中國(guó)科技網(wǎng)的結(jié)構(gòu)簡(jiǎn)介中國(guó)科技網(wǎng)網(wǎng)絡(luò)設(shè)備簡(jiǎn)介國(guó)內(nèi)外出口簡(jiǎn)介網(wǎng)絡(luò)管理簡(jiǎn)介中國(guó)科技網(wǎng)發(fā)展簡(jiǎn)介CSTNET是中國(guó)最早實(shí)現(xiàn)與Internet全功能互聯(lián)的網(wǎng)絡(luò)，經(jīng)歷了三個(gè)不同的發(fā)展階段：NCFC——CASNET——CSTNETNCFC：中關(guān)村地區(qū)教育與科研示范網(wǎng)絡(luò)CASNET：中國(guó)科學(xué)院網(wǎng)接入類型：*光纖*衛(wèi)星*DDN*微波*ISDN*HDSLCSTNET：以NCFC及CASNET為基礎(chǔ)，連接中科院以外的一批中國(guó)科技單位而構(gòu)成的全國(guó)性科技網(wǎng)絡(luò)——中國(guó)科技網(wǎng)遍布全國(guó)的網(wǎng)絡(luò)部署網(wǎng)絡(luò)結(jié)構(gòu)示意圖Cisco高端路由器

Cisco12000Cisco7500Cisco7600Cisco低端路由器Cisco3600Cisco2600思科三層交換機(jī)Catalyst6500Catalyst4500Catalyst3500國(guó)內(nèi)出口介紹國(guó)內(nèi)出口Cernet---中國(guó)教育網(wǎng)1GChinaNet---中國(guó)電信1GChina169---中國(guó)網(wǎng)通1GBJNAP----北京交換中心1G國(guó)際出口介紹（北京）SPRINT1---USA155MSPRINT2---USA155MKhabarobsk----Russian155M國(guó)際出口介紹（香港）ASNet

TW

Region

----TW1G2005-01HK-IX

---HK

1G2005-04Chicago-W---USA155M2005-01APAN-JP

OTC

---JP1G2004-12Mega-iAdv.—HK1G2005-03Google

Corp.—google

1G2005-03Korea—KISTI10G2005-07GLORIAD簡(jiǎn)介北半球第一條高速環(huán)網(wǎng)中俄美三方共同合作創(chuàng)建發(fā)展目標(biāo)----全環(huán)鏈路帶寬達(dá)到10G服務(wù)科研機(jī)構(gòu)，為海量科研數(shù)據(jù)的共享和傳輸提供暢通的網(wǎng)絡(luò)環(huán)境（高能物理，生物學(xué)，天體科學(xué)等）服務(wù)目標(biāo)——成為世界科研網(wǎng)絡(luò)的基礎(chǔ)平臺(tái)國(guó)內(nèi)外出口連接示意圖155M線路質(zhì)量監(jiān)控網(wǎng)絡(luò)流量監(jiān)控網(wǎng)絡(luò)設(shè)備性能監(jiān)控路由器日志監(jiān)控流量的協(xié)議分析安全管理（TACACS認(rèn)證）AAA認(rèn)證：*Authorization*Authentication*Accounting

謝謝大家！A2D5H8KbNfQiUlXo#s%v(y0B3F6I9LdOgRjVmYq!t&w-z1C4G7JbMePhTkWnZr$u(x+A2E5H8KcNfRiUlXp#s%v)y0C3F6IaLdOgSjVmYq!t*w-z1D4G7JbMeQhTkWYq!t*w-A1D4G8JbMeQhTlWoZr%u(x+B2E6H9KcOfRiUmXp!s&v)z0C3F7IaMdPgSkVnYq$t*x-A1D5G8JbNeQiTlWo#r%u(y+B2E6H9LcOfRjUmXp!s&w)z0C4F7IaMdPhSkVnZq$t*x-A2D5G8KbNeQiTlXo#r%v(y+B3E6I9LcOgRjUmYp!t&w)z1C4F7JaMdPhSkWnZq$u*x-A2D5H8KbNfQiTlXo#s%v(y0B3E6I9LdOgRjVmYp!t&w-z1C4G7JaMePhTkWnZr$u*x+A2E5H8KcNfQiUlXo#s%v)y0B3F6I9LdOgSjVmYq!t&w-z1D4G7JbMePhTkWoZr$u(x+A2E5H9KcNfRiUlXp#s&v)y0C3F6IaLdPgSjVnYq!t*w-A1D4G8JbMeQhTkWoZr%u(x+B2E5H9KcOfRiUmXp#s&v)z0C3F7ePhTkWoZr$u(x+A2E5H9KcNfRiUlXp#s&v)y0C3F6IaLdOgSjVnYq!t*w-z1D4G8JbMeQhTkWoZr%u(x+B2E5H9KcOfRiUmXp#s&v)z0C3F7IaLdPgSkVnYq8KcNfQiUlXo#s%v)y0B3F6I9LdOgSjVmYq!t&w-z1D4G7JbMePhTkWoZr$u(x+A2E5H9KcNfRiUlXp#s&v)y0C3F6IaLdPgSjVnYq!t*w-A1D4G8JbMeQhTkWoZr%u(x+B2E5H9KcOfRiUmXp#*x-A2D5H8KbNfQiTlXo#s%v(y0B3E6I9LdOgRjVmYp!t&w-z1C4G7JaMePhTkWnZr$u*x+A2E5H8KcNfQiUlXo#s%v)y0B3F6I9LdOgSjVmYq!t&w-z1D4G7JbMePhTkWoZr$u(x+A2E5H9KcNfRiUlXp#s&v)y0C3F6IaLdPgSjVnYq!t*w-A1D4G8JbMeQhTkWoZr%u(x+B2E5H9KcOfRiUmXp#s&v)z0C3F7IaLdPgSkVnYq$t*w-A1D5G8JbNeQhTlWo#r%u(y+B2E6H9LcOfRjUmXp!s&v)z0C4F7IaMdPgSkVnZq$t*x-A1D5G8KbNeQiTlWo#r%v(y+B3E6H9LcOgRjUmYp!s&w)z1C4F7JaMdPhSkWnZq$u*x-A2D5G8KbNfQiTlXo#r%v(y0B3E6I9LcOgRjVmYp!t&w)z1C4G7JaMePhSkWnZr$u*x+A2D5H8KcNfQiUlXo#s%v)y0F7JaMdPhSkVnZq$u*x-A2D5G8KbNfQiTlXo#r%v(y0B3E6I9LcOgRjVmYp!t&w)z1C4G7JaMePhSkWnZr$u*x+A2D5H8KcNfQiUlXo#s%v(y0B3F6I9LdOgRjVmYq!t&w-z1C4G7JbMePhTkWnZr$u(x+A2E5H8KcNfRiUlXp#s%v)y0C3F6IaLdOgSjVnYq!t*w-z1D4G8JbMeQhTkWoZr$u(x+B2E5H9KcNfRiUmXp#s&v)y0C3F7IaLdPgSjVnYq$t*w-A1D4G8JbNeQhTlWoZr%u(y+B2E6H9KcOfRjUmXp!s&v)z0C3F7IaMdPgSkVnYq$t*x-A1D5G8JbNeQiTlWo#r%u(y+B3E6H9LcOfRjUmYp!s&w)z0C4F7JaMdPhSkVnZq$u*x-A2D5G8KbNeQiTlXo#r%v(y+B3E6I9LcOgRjUmYp!t&w)z1C4F7JaMePWo#r%u(y+B3E6H9LcOfRjUmYp!s&w)z0C4F7JaMdPhSkVnZq$t*x-A2D5G8KbNeQiTlXo#r%v(y+B3E6I9LcOgRjUmYp!t&w)z1C4F7JaMePhSkWnZq$u*x+A2D5H8KbNfQiUlXo#s%v(y0B3E6I9LdOgRjVmYp!t&w-z1C4G7JaMePhTkWnZr$u*x+A2E5H8KcNfQiUlXp#s%v)y0B3F6IaLdOgSjVmYq!t*w-z1D4G7JbMeQhTkWoZr$u(x+A2E5H9KcNfRiUlXp#s&v)y0C3F6IaLdPgSjVnYq!t*w-A1D4G8JbMeQhTlWoZr%u(x+B2E6H9KcOfRiUmXp!s&v)z0C3F7IaLdPgSkVnYq$t*w-A1D5G8JbNeQhTlWo#r%u(y+B2E6H9LcOfRjUmXp!s&w)z0C4F7IaMdPhSkVnZq$t*x-A2D5G8KbNeQiTlWo#r%v(y+B3E6H9LcOgRjUmYp!s&w)z1C4F7JaMdPhSkWnZq$y+B2E6H9L6H9LcOfRjUmXp!s&w)z0C4F7IaMdPhSkVnZq$t*x-A2D5G8KbNeQiTlXo#r%v(y+B3E6I9LcOgRjUmYp!s&w)z1C4F7JaMdPhSkWnZq$u*x-A2D5H8KbNfQiTlXo#s%v(y0B3E6I9LdOgRjVmYp!t&w-z1C4G7JaMePhTkWnZr$u*x+A2D5H8KcNfQiUlXo#s%v)y0B3F6I9LdOgSjVmYq!t&w-z1D4G7JbMePhTkWoZr$u(x+A2E5H9KcNfRiUlXp#s&v)C4G