Notes: configuring HSRP, IP SLA, some security hardening, views and SNMP
The show run for this lab is not very complete
Lab tasks:
1. Configure PAT: use S0/0 (10.140.2.x) as the outside interface
2. HSRP: configure multiple HSRP groups for load balancing and redundancy
★ Virtual router IP 192.168.101.254, active on RO_B
★ Virtual router IP 192.168.101.253, active on RO_A
★ When the Internet link goes down, HSRP tracking must adjust the priority
3. When the route to the ISP fails, tracking must also adjust the priority
4. Create user user_lv2 at privilege level 2
Create user user_lv3 at privilege level 3
Privilege level 2
★ may only set interface IP addresses and enable/disable (shutdown / no shutdown) interfaces
★ may run show run
Privilege level 3
★ may configure router eigrp (may enter network statements)
★ may configure ACLs
5. Create user user_v1 with view LINE_VIEW
Create user user_v2 with view INTERFACE_VIEW
Commands available in LINE_VIEW:
★ may only create standard named ACLs
★ may apply an ACL to a line
★ may set exec-timeout
INTERFACE_VIEW
★ set IP addresses and enable/disable interfaces
★ apply an ACL to an interface
6. Change syslog to TCP port 1400
The show run is as follows:
Building configuration...
Current configuration : 3730 bytes
!
version 12.4
Basic settings (security and so on)
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption  obfuscates every plaintext password in the config as type 7; this is a reversible encoding, not real encryption, and only protects against casual viewing
!
hostname RO_B
boot-start-marker
boot-end-marker
!
security passwords min-length 10  every password set from now on must be at least 10 characters long (passwords already configured are not re-checked)
logging buffered 4096 debugging
size of the local log buffer (4096 bytes); messages at severity debugging (level 7) and more severe, i.e. every severity, are kept
enable password 7 01100F175804575D72181B
the enable password is stored as type 7, which is reversible; enable secret (a one-way hash, like the secret 5 used for user cater below) is the safe form
!
aaa new-model  enable AAA
aaa authentication login CONSOLE none  defines a method list named CONSOLE that skips authentication on console login; it only takes effect once applied to line con 0 with login authentication CONSOLE, which this capture does not show
!
aaa session-id common
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip sla monitor 100
type echo protocol ipIcmpEcho 168.95.1.1
timeout 2000
frequency 3
Defines IP SLA operation 100 (Cisco IP Service Level Agreement):
an ICMP echo to 168.95.1.1 every 3 seconds, counted as failed if no reply arrives within 2000 ms
ip sla monitor schedule 100 life forever start-time now
Schedules the operation: SLA 100 starts now and runs indefinitely (until the router reloads)
login block-for 60 attempts 3 within 30
3 failed logins within 30 seconds put the router into quiet mode for 60 seconds
login delay 5
enforces a 5-second delay between successive login attempts
login quiet-mode access-class 2
during quiet mode only hosts permitted by ACL 2 may still attempt to log in; every other source is refused (the 5-second delay still applies to them)
login on-failure log
logs every failed login attempt (one syslog message per failure)
!
!
!
User accounts
username cookling password 7 05080F1C22431F5B4A5142
username cater secret 5 $1$nLil$lNmm70tLNtKmqPM.owKK9/
username user_lv2 privilege 2 password 7 045802150C2E1D1C5A4D50
user_lv2 is limited to privilege level 2
username user_lv3 privilege 3 password 7 070C285F4D06485744465E
user_lv3 is limited to privilege level 3
username user_v1 view LINEVIEW password 7 01100F175804575D72181B
user_v1 is bound to the view LINEVIEW (the task calls it LINE_VIEW); its type-7 string is identical to the enable password above, and since type 7 is deterministic for a given offset the two are the same password
username user_v2 view INTERFACE_VIEW
user_v2 is bound to the view INTERFACE_VIEW; no password appears on this line in the capture
!
!
track 10 rtr 100  track object 10 follows IP SLA operation 100 (up while the echo succeeds, down when it fails)
!
!
Interfaces
interface Loopback1
ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface Serial0/0
ip address 10.140.2.2 255.255.255.0
ip nat outside
ip virtual-reassembly
!
interface FastEthernet0/1
ip address 192.168.101.252 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
standby 1 ip 192.168.101.254
standby 1 preempt
standby 1 track Serial0/0 20
HSRP group 1, gateway 192.168.101.254, at the default priority of 100
preempt is enabled, and if the line protocol of Serial0/0 goes down the priority drops by 20 so the peer can take over
only the interface state is tracked here; tying the priority to the ISP-path probe as task 3 asks would also need standby 1 track 10 decrement 20, which this capture does not include
standby 2 ip 192.168.101.253
standby 2 priority 90
standby 2 preempt
HSRP group 2, gateway 192.168.101.253, with the priority lowered to 90 (default 100) and preempt enabled
so RO_A stays active for this group while RO_B is active for group 1, splitting the load across both routers
!
interface Serial0/1
ip address 10.100.1.2 255.255.255.0
!
Routing
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.140.2.1 track 10
the default route is installed only while track object 10 (the IP SLA 100 echo) is up; when the probe fails the route is withdrawn even though Serial0/0 itself stays up
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface Serial0/0 overload  PAT: sources matched by ACL 1 are translated to the Serial0/0 address
!
Syslog, ACLs and SNMP
logging trap debugging  send messages of severity debugging (level 7) and more severe, i.e. everything, to the syslog host
logging source-interface Loopback1  source the messages from Loopback1 (2.2.2.2) so the collector sees one stable address
logging host 192.168.101.105 transport tcp port 1400
deliver syslog to the server 192.168.101.105 over TCP port 1400 instead of the default UDP 514
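The collector side of the syslog and login-block settings, as an added Python example that is not from the original lab or from Cisco: it frames the TCP stream sent by logging host ... transport tcp port 1400 (assumed to be newline-delimited, one message per line), parses the IOS header, and replays the LOGIN_FAILED messages produced by login on-failure log against the login block-for 60 attempts 3 within 30 rule, so the collector can tell when the router should have entered quiet mode. The sample messages are constructed and only modelled on IOS %SEC_LOGIN output; the timestamp handling assumes all messages fall on one day.

```python
# Added example (not from the original lab notes): the collector side of
# `logging host 192.168.101.105 transport tcp port 1400` plus `login on-failure log`.
# It frames the TCP stream (assumed newline-delimited, one message per line), parses
# the <PRI> and %FACILITY-SEVERITY-MNEMONIC header IOS prepends, and replays
# LOGIN_FAILED events against the same threshold the router enforces with
# `login block-for 60 attempts 3 within 30`.  Sample lines are constructed, modelled
# on IOS %SEC_LOGIN messages, not captured from a real device.
import re
from typing import Iterator, Optional

_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<seq>\d*):?\s*"
    r"(?:(?P<ts>\*?[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d(?:\.\d+)?)(?:\s+[A-Z]+)?:\s*)?"
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+):\s*(?P<text>.*)$"
)
_FIELD = re.compile(r"\[([^\]:]+):\s*([^\]]*)\]")   # the [key: value] pairs in the text


class TcpSyslogFramer:
    """Accumulate TCP stream bytes and yield each complete message (one per line)."""

    def __init__(self) -> None:
        self._buf = b""

    def feed(self, chunk: bytes) -> Iterator[str]:
        self._buf += chunk
        while (nl := self._buf.find(b"\n")) >= 0:
            line, self._buf = self._buf[:nl].rstrip(b"\r"), self._buf[nl + 1:]
            if line:
                yield line.decode("utf-8", errors="replace")


def _clock_seconds(ts: str) -> float:
    """Seconds since midnight from the HH:MM:SS.mmm part of an IOS timestamp
    (enough for a same-day replay; a real collector would keep the date too)."""
    h, m, s = ts.split()[-1].split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_ios_syslog(line: str) -> Optional[dict]:
    """Split one IOS syslog line into facility, severity, timestamp, mnemonic and fields."""
    m = _HEADER.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    return {
        "facility": pri >> 3,          # IOS defaults to local7 (23)
        "severity": pri & 7,
        "seq": int(m["seq"]) if m["seq"] else None,
        "time": _clock_seconds(m["ts"]) if m["ts"] else None,
        "fac": m["fac"],
        "mnemonic": m["mnem"],
        "fields": {k.strip(): v.strip() for k, v in _FIELD.findall(m["text"])},
        "text": m["text"],
    }


def login_blocks(events: list, attempts: int = 3, within: float = 30.0, block_for: float = 60.0) -> list:
    """Replay LOGIN_FAILED events in time order and return the quiet periods the
    router's `login block-for` rule would open.  The count is router-wide (not per
    source), as on IOS, and failures inside an open quiet period are not counted."""
    failed = sorted((e for e in events if e["mnemonic"] == "LOGIN_FAILED" and e["time"] is not None),
                    key=lambda e: e["time"])
    window, blocks, quiet_until = [], [], None
    for ev in failed:
        t = ev["time"]
        if quiet_until is not None and t < quiet_until:
            continue
        window = [w for w in window if t - w["time"] <= within] + [ev]
        if len(window) >= attempts:
            quiet_until = t + block_for
            blocks.append({"start": t, "end": quiet_until,
                           "sources": sorted({w["fields"].get("Source", "?") for w in window})})
            window = []
    return blocks


def analyse_stream(chunks) -> dict:
    """Frame, parse and evaluate a sequence of TCP payload chunks."""
    framer, events = TcpSyslogFramer(), []
    for chunk in chunks:
        for line in framer.feed(chunk):
            ev = parse_ios_syslog(line)
            if ev:
                events.append(ev)
    return {"events": events, "blocks": login_blocks(events)}


def _msg(pri: int, clock: str, body: str) -> bytes:
    """Build one constructed wire-format line in the shape IOS sends."""
    return f"<{pri}>: *Mar  1 {clock}: {body}\r\n".encode()


_FAIL = ("%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: {u}] [Source: {s}] "
         "[localport: 23] [Reason: Login Authentication Failed]")
# Constructed sample: two sources hammering telnet, the router's own quiet-mode
# notification, then a successful login from a host that ACL 2 exempts.
SAMPLE_STREAM = b"".join([
    _msg(188, "00:05:31.123", _FAIL.format(u="admin", s="192.168.101.50")),
    _msg(188, "00:05:40.500", _FAIL.format(u="admin", s="192.168.101.50")),
    _msg(188, "00:06:02.010", _FAIL.format(u="root", s="10.140.2.9")),
    _msg(188, "00:06:05.300", _FAIL.format(u="admin", s="192.168.101.50")),
    _msg(185, "00:06:05.300", "%SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, "
                              "[user: admin] [Source: 192.168.101.50] [localport: 23] "
                              "[Reason: Login Authentication Failed] [ACL: 2]"),
    _msg(189, "00:06:20.000", "%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: cater] "
                              "[Source: 192.168.101.100] [localport: 23]"),
])

if __name__ == "__main__":
    # feed odd-sized chunks to show message boundaries do not depend on TCP segmentation
    result = analyse_stream(SAMPLE_STREAM[i:i + 97] for i in range(0, len(SAMPLE_STREAM), 97))
    for ev in result["events"]:
        print(ev["severity"], ev["mnemonic"], ev["fields"].get("Source"))
    for b in result["blocks"]:
        print(f"quiet mode expected from t={b['start']:.1f}s to t={b['end']:.1f}s, sources {b['sources']}")
```

The first failure falls out of the 30-second window before the fourth arrives, so the replay opens quiet mode only at the fourth failure, the same moment the constructed QUIET_MODE_ON message carries; a collector that disagrees with the router on this point is usually looking at clock skew or a lost TCP segment, which is why the framer is fed the raw stream rather than pre-split lines.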
access-list 1 permit 192.168.101.0 0.0.0.255
ACL 1: the inside network translated by PAT
access-list 2 permit 192.168.101.100 0.0.0.1
ACL 2: matches 192.168.101.100 and 192.168.101.101 (wildcard 0.0.0.1), the hosts exempt from login quiet mode
snmp-server group SNMP_AP v3 priv match exact ✔
SNMPv3 group SNMP_AP at the authPriv security level (the strongest: authentication plus encryption)
snmp-server user FB-DIGI-C777 SNMP_AP v3 auth sha cisco1234 priv des56 cisco1234 ✔
user FB-DIGI-C777 (the PC name) in group SNMP_AP,
SHA authentication passphrase cisco1234 and DES56 privacy passphrase cisco1234; DES is weak and reusing one passphrase for both roles is poor practice, prefer AES and two distinct passphrases
snmp-server community cisco RO
community cisco with RO (read-only) / RW (read-write) access; leaving a v1/v2c community in place with no access-list undoes most of the v3 hardening, since anyone who can reach the router can read it with that string
snmp-server host 192.168.101.105 version 3 priv FB-DIGI-C777 ✔
send SNMPv3 notifications at authPriv to host 192.168.101.105 as user FB-DIGI-C777 (the remaining options are not explained here)
snmp-server host 192.168.101.105 cisco
send v1 notifications to 192.168.101.105 with community cisco
Note: the lines marked ✔ are the v3 configuration
!
control-plane
!
Multiple privilege levels
privilege ipenacl level 3 deny
privilege ipenacl level 3 permit
privilege router level 3 network
privilege interface level 2 shutdown
privilege interface level 3 ip access-group
privilege interface level 2 ip address
privilege interface level 3 ip
privilege configure all level 3 access-list
privilege configure level 3 ip access-list extended
privilege configure level 3 ip access-list
privilege configure level 3 router
privilege configure level 2 interface
privilege configure level 3 ip
privilege configure all level 2 do
privilege exec level 2 configure terminal
privilege exec level 2 configure
privilege exec level 2 show running-config
privilege exec level 2 show
entries with level 2 belong to privilege level 2, entries with level 3 to privilege level 3; a higher level also inherits everything granted to the lower ones
the bare parent keywords (privilege interface level 3 ip, privilege configure level 3 ip, privilege exec level 2 show) are added by IOS itself when a sub-command is reassigned to a lower level
privilege configure all level 2 do lets a level-2 user run exec commands from configuration mode with do, and show running-config at level 2 displays only the parts of the config that level is allowed to configure
Note: no further explanation here, it is as the task states; look up the details yourself
!
line con 0
logging synchronous
line aux 0
line vty 0 3
line vty 4
Views
parser view LINEVIEW
secret 5 $1$Qz4T$oYJ1EXuyuhAz/NO0l2cpp/
commands line include exec-timeout
commands line include access-class
commands configure include line
commands configure include ip access-list extended
commands configure include ip access-list
commands configure include ip
commands exec include configure terminal
commands exec include configure
!
parser view INTERFACE_VIEW
secret 5 $1$rKPL$Kj9RMyAt3/mHvx3gBX8fj1
commands interface include shutdown
commands interface include ip access-group
commands interface include ip
commands configure include interface
commands exec include configure terminal
commands exec include configure
LINEVIEW grants the line sub-mode commands exec-timeout and access-class plus the configure-mode entry points needed to reach them; as captured it includes ip access-list extended, whereas the task asks for standard named ACLs only
INTERFACE_VIEW grants shutdown and ip access-group under interface; the ip address sub-command the task requires does not appear explicitly in this capture
Note: again no further explanation, it is as the task states; look up the details yourself
!
end
Note: some of this was found online; refer to it…