

Sergey Bogomolov
The original of this document lives on Sergey Bogomolov's page, where it is
constantly corrected and extended. Better go there.
http://www.bog.pp.ru/work/cisco_ios.html
http://www.bog.pp.ru./work/ios_lab.html


  • glossary of terms
  • glossary of Cisco terms
  • version matrix
  • security
  • local documentation for IOS 11.0 on CD-ROM
  • IOS 11.0 on CD-ROM at www.cisco.com
  • IOS 11.1 on CD-ROM at www.cisco.com
  • IOS 11.2 on CD-ROM at www.cisco.com
  • information about IOS on the Cisco server
  • software news
  • general product description - differences between feature sets and versions
  • differences between feature sets for the various models and resource requirements (memory/flash) for versions 11.1 and 11.2
  • information about IOS for those who know the password

    I only consider the junior series (Cisco 2500, AS5100); not a word about ATM, and none about IBM protocols either. Memory requirements are given for the Cisco 2500 running from flash. RMON alarms and events are implemented even in feature sets that have no RMON:

    1. igs-i-l (4 FLASH, 4 DRAM): IP
    2. igs-im-l (4 FLASH, 4 DRAM): IP/RMON
    3. igs-ir-l (8/4): IP/IBM Base
    4. igs-imr-l (8/4): IP/IBM/RMON
    5. igs-in-l (8/4): IP/IPX
    6. igs-imn-l (8/4): IP/IPX/RMON
    7. igs-inr-l (8/4): IP/IPX/IBM Base
    8. igs-imnr-l (8/4): IP/IPX/IBM/RMON
    9. igs-ainr-l (8/8): IP/IPX/IBM/APPN
    10. igs-d-l (8/4): Desktop (AppleTalk and DECnet IV start at this level)
    11. igs-dr-l (8/4): Desktop/IBM Base
    12. igs-j-l (8/6): Enterprise (ES-IS and IS-IS, DECnet V, Apollo Domain, VINES, ISO, XNS, Kerberos for login, protocol translation and Xremote start at this level)
    13. igs-jm-l (8/6): Enterprise/RMON
    14. igs-aj-l (16/8): Enterprise/APPN
    15. CFRAD (4/4) (Cisco Frame Relay Access Device)
    16. igs-p-l (4/4): Remote Access Server (none of the IBM and other non-standard stuff, but everything needed for normal operation; no RMON, ISDN, OSPF, EGP or bridging, but it does have protocol translation, TN3270, Xremote, PAD, LAT, NetBEUI over PPP, automatic modem configuration)
    17. igs-g-l (4/2): ISDN
    18. LAN FRAD (4/4)
    19. OSPF LAN FRAD (4/4)

    11.1(12)

    11.1(11)

    11.1(10)

    I don't consider older modifications, but their number is impressive.

    Feature sets for version 11.0(16) (I only have 11.0(14))

    Only the Cisco 2500 is considered (everything is very similar to 11.1; memory requirements are given for the Cisco 2500 running from flash):

    1. IP(4 MB Flash/2 DRAM)
    2. IP/IBM Base(8/4)
    3. IP/IPX(4/4)
    4. IP/IPX/IBM Base(8/4)
    5. IP/IPX/IBM APPN(8/8)
    6. Desktop(8/4)
    7. Desktop/IBM Base(8/4)
    8. Enterprise(8/6)
    9. Enterprise/APPN(8/8)
    10. CFRAD(4/2)
    11. ISDN(4/2)
    12. LAN FRAD(8/4)
    13. Remote Access Server(4/4)

    11.0(16):

    11.0(14):

    11.0(13):

    11.0(12):

    11.0(11) and earlier:

    Feature sets for version 11.2(7a) (I only have 11.2(05))

    For version 11.2 three branches are maintained in parallel: 11.2 (the most stable, bug fixes only), 11.2 P (bug fixes and new hardware), 11.2 F (bug fixes, new hardware and cross-platform compatibility).

    Memory requirements (for version 11.2, Cisco 2500):

    For file names see http://www.cisco.com/univercd/data/doc/software/11_2/relnotes/rn112.htm

    Image Name Mapping from Release 11.1 to Release 11.2
    (feature set where given; image name in Release 11.1 or earlier -> image name in Release 11.2)

    Cisco 1005
      c1005-bnxy-mz -> c1005-bny-mz
      c1005-bxy-mz  -> c1005-by-mz
      c1005-nxy-mz  -> c1005-ny-mz
      c1005-xy-mz   -> c1005-y-mz
      c1005-xy2-mz  -> c1005-y2-mz

    Cisco 2500 Series
      IP/IPX/IBM/APPN   igs-ainr-l -> c2500-ainr-l
      Enterprise/APPN   igs-aj-l   -> c2500-ajs-l
                        igs-c-l    -> c2500-c-l
      Desktop           igs-d-l    -> c2500-d-l
      Desktop/IBM Base  igs-dr-l   -> c2500-ds-l
                        igs-f-l    -> c2500-f-l
                        igs-fin-l  -> c2500-fin-l
      ISDN              igs-g-l    -> c2500-g-l
      IP                igs-i-l    -> c2500-i-l
      IP/RMON           igs-im-l   -> c2500-is-l
      IP/IPX/RMON       igs-imn-l  -> c2500-ds-l
      IP/IPX/IBM/RMON   igs-imnr-l -> c2500-ds-l
      IP/IBM/RMON       igs-imr-l  -> c2500-is-l
      IP/IPX            igs-in-l   -> c2500-d-l
      IP/IBM Base       igs-ir-l   -> c2500-is-l
      IP/IPX/IBM Base   igs-inr-l  -> c2500-ds-l
      Enterprise/RMON   igs-jm-l   -> c2500-js-l
      Enterprise        igs-j-l    -> c2500-j-l

    Cisco AS5200
      as5200-iz-l  -> c5200-is-l
      as5200-dz-l  -> c5200-ds-l
      as5200-jmz-l -> c5200-js-l

    Cisco 4000 Series
      xx-ainr-mz -> c4000-ainr-mz
      xx-aj-mz   -> c4000-ajs-mz
      xx-d-mz    -> c4000-d-mz
      xx-dr-mz   -> c4000-ds-mz
      xx-i-mz    -> c4000-is-mz
      xx-in-mz   -> c4000-d-mz
      xx-inr-mz  -> c4000-ds-mz
      xx-ir-mz   -> c4000-is-mz
      xx-j-mz    -> c4000-j-mz

    Cisco 4500 Series
      c4500-aj-mz  -> c4500-ajs-mz
      c4500-dr-mz  -> c4500-ds-mz
      c4500-ir-mz  -> c4500-is-mz
      c4500-in-mz  -> c4500-d-mz
      c4500-inr-mz -> c4500-ds-mz

    Cisco 7000 Series
      gs7-aj-mz  -> c7000-aj-mz
      gs7-ajv-mz -> c7000-ajv-mz
      gs7-jv-mz  -> c7000-jv-mz
      gs7-j-mz   -> c7000-j-mz

    Cisco 7200 Series
      c7200-aj-mz -> c7200-ajs-mz
      c7200-dr-mz -> c7200-ds-mz
      c7200-j-mz  -> c7200-js-mz

    Cisco 7500 Series and Cisco 7000 with RSP7000
      rsp-aj-mz  -> rsp-ajsv-mz
      rsp-j-mz   -> rsp-jsv-mz
      rsp-ajv-mz -> rsp-ajsv-mz
      rsp-jv-mz  -> rsp-jsv-mz

    Each set can come in 4 modifications: basic, extended (PLUS), 40-bit encryption, 56-bit encryption (not every package and modification is available on every platform):

    1. c2500-i- IP: concurrent routing and bridging, GRE, integrated routing and bridging (from 11.2), IP, LAN extension host, multiring, transparent and translational bridging, VLAN (ISL and IEEE 802.10 - Cisco 4500 only, from 11.2 and the Plus modification), Combinet Packet Protocol (CPP - from 11.2), Dialer Profiles (from 11.2), Frame Relay, Frame Relay traffic shaping (from 11.2), half-bridge/half-router (from 11.2), HDLC, PPP, SMDS, switched 56, X.25, bandwidth on demand, configurable queue priorities, dial backup, dial-on-demand, header, link and payroll(?) compression, snapshot routing, weighted fair queuing, BGP, BGP4 (from 11.2), EGP, IGRP, enhanced IGRP, EIGRP optimization (from 11.2), named IP ACLs (from 11.2), network address translation (from 11.2 and Plus), NHRP, on-demand routing (from 11.2), OSPF, OSPF Not-So-Stubby Areas (from 11.2), OSPF on-demand circuit (RFC 1793 - from 11.2), PIM (protocol independent multicast), policy based routing, RIP, RIP2 (from 11.1), generic traffic shaping (from 11.2), Random Early Detection (RED - from 11.2), resource reservation protocol (RSVP - from 11.2), AutoInstall, automatic modem configuration (from 11.1), HTTP server (from 11.2), RMON events and alarms (from 11.1), full RMON (2500 only, from 11.2 and Plus), SNMP, telnet, access lists, extended access lists, Lock and Key (from 11.2), MAC security for hubs (from 11.2), MD5 routing authentication, network-layer encryption (encrypt modification only), RADIUS (from 11.1), TACACS+, asynchronous master interfaces, PPP, SLIP, CPPP, CSLIP, DHCP, IP pooling, rlogin, telnet, X.25 PAD
    2. c2500- IP/IPX (this set is absent in 11.2): adds IPX, IPXWAN 2.0, ISDN, IPX RIP, NLSP, IPXCP
    3. c2500- Desktop (IP/IPX/AppleTalk/DEC): adds AppleTalk 1 and 2, DECnet IV, Virtual Private Dial-Up Network (from 11.2), AURP, RTMP, SMRP, ARAP 1.0/2.0, ATCP, MacIP
    4. c2500- Enterprise: adds Apollo Domain, Banyan VINES, DECnet V, OSI, XNS, Frame Relay SVC (from 11.2), multichassis multilink PPP (MPP - from 11.2), ES-IS, IS-IS, SRTP, Kerberos login (from 11.1), Kerberos V client support (from 11.2), protocol translation (LAT, telnet, PPP, rlogin, X.25, TN3270), IPX and ARAP on virtual asynchronous interfaces, NASI (from 11.1), NetBEUI over PPP (from 11.1), LAT, TN3270, Xremote
    5. c2500- Enterprise and APPN
    6. c2500- IP/IPX/IBM and APPN
    7. c2500- Desktop/IBM and APPN

    For Cisco 1000 and 1600 (11.1 and 11.2 only):

    1. IP
    2. IP/IPX
    3. IP/AppleTalk
    4. IP/IPX/AppleTalk

    For Cisco 1005:

    1. IP/OSPF/PIM
    2. IP/Async
    3. IP/IPX/Async

    For Cisco 2500 and AS5100 additionally:

    1. c2500- CFRAD
    2. c2500- LAN FRAD
    3. c2500- ISDN
    4. c2500-p- Remote Access Server (2509-2512 and AS5100): AppleTalk 1 and 2 (from 11.2), DECnet IV (11.0 only), GRE, integrated routing and bridging (from 11.2), IP, multiring, IPX, source-route bridging (from 11.2), transparent bridging (from 11.2), transparent and translational bridging, CPP (from 11.2), dialer profiles (from 11.2), Frame Relay, Frame Relay traffic shaping (from 11.2), half-bridge/half-router (from 11.2), HDLC, IPXWAN 2.0, multichassis multilink PPP (MPP - from 11.2), PPP, switched 56, Virtual Private Dial-Up Network (from 11.2), X.25, bandwidth on demand, configurable queue priorities, dial backup, dial-on-demand, header, link and payroll(?) compression, snapshot routing, weighted fair queuing, BGP (11.0 only), no BGP4 at all, EGP (11.0 only), EIGRP, EIGRP optimization (from 11.2), IGRP, NHRP (11.0 only), on-demand routing (from 11.2), OSPF (11.0 only), PIM, policy based routing, RIP, RIP2 (from 11.1), AURP, IPX RIP, RTMP, generic traffic shaping (from 11.2), AutoInstall, automatic modem configuration (from 11.1), HTTP server (from 11.2), RMON events and alarms (from 11.1), SNMP, telnet, access lists, extended access lists, Lock and Key (from 11.1), MD5 routing authentication, RADIUS (from 11.1), TACACS+, protocol translation (LAT, telnet, PPP, rlogin, X.25, TN3270), ARAP 1.0/2.0, asynchronous master interfaces, PPP, SLIP, CPPP, CSLIP, ATCP, DHCP, IP pooling, IPX and ARAP on virtual asynchronous interfaces, IPXCP, MacIP, NASI (from 11.1), NetBEUI over PPP (from 11.1), rlogin, telnet, X.25 PAD, LAT, TN3270, Xremote

    11.2(7):

    11.2(6):

    11.2(5):

    11.2(4) and below:

    New in version 11.0 (starting from 11.0(11) only bug fixes):

    New in version 11.1 (starting from 11.1(6) only bug fixes):

    New in version 11.2:

    You need to order the product whose number ends with an equals sign.

    IOS can be ordered in three forms:

    1. DOS floppy (EPROM, Flash);
    2. CD-ROM;
    3. download from a TFTP server (only for devices with flash memory).

    The product number is determined as follows:

    Delivery is in the form of feature packs: a CD-ROM with one or more IOS images and an installer for MS Windows 95, installation instructions (including how to use TFTP instead of the installer), a license, and a CD-ROM with documentation.

         Our routers run IOS version 11.1(12) on the internal ones and 11.2(5) on the external one, although 11.2(7a) was already released on 18-jul-97 - the internal ones don't have enough flash for version 11.2.

         Unpack the box, connect a terminal (or a PC running TELEMATE) to the console port (or to the auxiliary port of a previously configured router and log in by reverse telnet), attach all the cables we need (synchronous, Ethernet, modems), switch on the power and start configuring. On first power-up IOS tries to fetch a configuration from the network - you can wait a few minutes to let it realize there is nothing at the other end, or temporarily unplug the synchronous cable. Having failed, IOS offers to run the setup command - say yes! In that case IOS asks you a few questions and configures itself.

    Configuration is done in the following ways:

    1. command-line interface:
      telnet router-name
      router-name>
      • from the terminal: conf term
      • from NVRAM: conf memory
      • from the network: conf network
    2. via WWW (starting from versions 11.0(6), 11.1(5); not all features): ip http server
    3. ClickStart (standard configurations).

       General information about the command language:

    1. help - at any moment you can type "?" - the router answers with a list of commands or operands;
    2. any keyword or name can be abbreviated to the shortest unambiguous form;
    3. if the terminal is set up properly, the command line can be edited as in emacs or bash;
    4. almost any command can be prefixed with the word no.

       Privilege levels: 16 privilege levels are provided - 0 to 15. Without additional tuning, level 0 is the user level: only "safe" commands are available. Level 15 is the supervisor level: all commands are available. Switch between levels with the command:
       enable [level-number]
    Any command can be moved to a level other than its default; any user can be assigned a specific level that is set when that user logs in to the router; this way user rights can be fine-tuned (only help is hard to use then :(

    Command language modes:

    1. User mode
    2. Privileged mode:
      1. top level
      2. global configuration mode
        1. the top level of configuration itself
        2. interface configuration
          1. interface configuration
          2. subinterface configuration (serial in Frame Relay mode)
        3. controller configuration (T1)
        4. hub configuration (Cisco 2500 - Ethernet)
        5. map list configuration (ATM and Frame Relay)
        6. map class configuration (Quality of Service over Switched Virtual Circuit - ATM, Frame Relay or dialer)
        7. line configuration
        8. router configuration (bgp, egp, igrp, eigrp, is-is, iso-igrp, mobile, OSPF, RIP, static)
        9. IPX router configuration
        10. route map configuration
        11. key chain configuration with its submodes (RIP authentication)
        12. response time reporter configuration
        13. LANE database configuration (ATM)
        14. APPN command mode with its submodes (Advanced Peer-to-Peer Networking - the second generation of SNA)
        15. IBM channel attach command mode with its submodes (Cisco 7000 with CIP)
        16. TN3270 server command mode
        17. access list configuration (for named IP ACLs)
        18. hex input mode (entering a public key for encryption)
        19. crypto map configuration
      3. ROM monitor (press break within the first 60 seconds of boot; it also has help).

    Comments start with an exclamation mark but are not saved in NVRAM.

    Set the command history size: terminal history size size

    Previous/next command: Ctrl-P/Ctrl-N or up/down arrow

    Enable/disable editing:
    [no] terminal editing

    character forward/back: Ctrl-F/Ctrl-B or right/left arrow

    to the start/end of the line: Ctrl-A/Ctrl-E

    word forward/back: Esc F/Esc B

    complete a command: Tab or Ctrl-I

    recall from the buffer/recall the next one: Ctrl-Y/Esc Y

    delete the character left of the cursor/under the cursor: Delete/Ctrl-D

    delete everything to the start/end of the line: Ctrl-U/Ctrl-K

    delete the word left/right of the cursor: Ctrl-W/Esc D

    redraw the line: Ctrl-L/Ctrl-R

    transpose characters: Ctrl-T

    escape a character: Ctrl-V or Esc Q

    Working with flash memory (IOS lives there and runs from there) and NVRAM (configuration)

    THREE programs run on the router: the ROM monitor (the bootloader and debugger - dumb beyond belief - you land in it if the configuration register is set accordingly, or if you pressed BREAK during boot and that is not disabled); the system in ROM (a cut-down and very old IOS - 9.1 - used if nothing more suitable could be found in flash or over the network, or on manual boot from the ROM monitor); and the system in flash - the version you installed yourself.

    The manual warns that on a Sun the TFTP server must be configured to generate and verify UDP checksums (I did nothing about it). Everywhere, rcp (rsh) can be used instead of TFTP, but I'm too lazy to keep an eye on security in that case.

    See what's in there: show flash all

    System flash directory:
    File  Length   Name/status
            addr      fcksum  ccksum
      1   3243752  igs-i-l.110-1
            0x40      0xB5C4  0xB5C4
    [3243816 bytes used, 950488 available, 4194304 total]
    4096K bytes of processor board System flash (Read ONLY)
    
       Chip    Bank    Code      Size      Name
        1      1       89A2      1024KB    INTEL 28F008SA
        2      1       89A2      1024KB    INTEL 28F008SA
        3      1       89A2      1024KB    INTEL 28F008SA
        4      1       89A2      1024KB    INTEL 28F008SA
    Executing current image from System flash
    
    

    You can have two files in flash only if there are two memory banks (I don't have them) and you perform a special procedure (IOS has to relocate its addresses - it runs from flash, after all!). The letter l in the file name means exactly that the addresses are relocatable.

    See how many times something was written there: show flash err (in my opinion it shows nonsense).

    Copy from flash to tftp: copy flash tftp, after which you are asked for the server name, the source file name and the destination file name (the file must already exist with mode 666).

    Copy the configuration to tftp: copy startup-config/running-config tftp

    Load a configuration from tftp: copy tftp startup-config/running-config (in my opinion, if you load into the running configuration it is merged, not copied).

    Copy from tftp to flash (if there is enough memory!!!): copy tftp flash

    Obviously, if IOS runs from flash you shouldn't load new flash contents while IOS is running; you have to boot from ROM (either by pressing Break during boot or by issuing no boot system flash).

    Like hell! In reality it's not as in the book. You have to issue copy tftp flash right from IOS (the bootstrap has no such command at all); the flash load helper is started, asks all the necessary questions, then restarts the router from ROM, erases flash and copies the file from tftp (do this only from the console - otherwise you see nothing and learn nothing about errors ;). After that save the configuration (copy run start). It would still be interesting to know how to get out of the situation if something went wrong. By the way, it is recommended to save the configuration somewhere on tftp before changing flash. p.s. it could have been done after all by booting from ROM (not the ROM monitor, the ROM IOS), by setting the low 4 bits of the configuration register to 0-0-0-1.

    Copy the running configuration to the startup configuration: copy run start

    Copy the startup configuration to the running configuration: copy start run

    Show status: show version

    Verify the checksum: verify flash

    Configuration file compression works only on Cisco 3xxx and Cisco 7xxx.

    Re-execute the configuration file: configure memory

    Erase the configuration: erase startup

    Show the running/startup configuration: show run/start

    Only parameters that differ from the defaults are written to NVRAM.

    Configuration register: 16 bits. Changed with the command config-register. The low 4 bits (3, 2, 1 and 0) form the boot field:

    Network configuration file (default file name: network-config):
    boot network [tftp] file-name [ip-address]
    service config

    Host configuration file (default file name: network-config):
    boot host [tftp] file-name [ip-address]
    service config

    Reboot:

    ClickStart: configuring the Cisco 1003, 1004 and 1005 via WWW (single-port ISDN, Frame Relay and asynchronous routers).

    AutoInstall: you switch on a new router and it looks for a previously configured router (Ethernet, FDDI, HDLC, Frame Relay) - it needs so much preliminary preparation that it's easier to do everything by hand (unless you have to install a hundred routers).

    Setup: interactive parameter setup. Requires a console terminal to be connected (I use the AUX port of the neighbouring router).

    There is also streamlined setup (if an RXBOOT ROM is installed) - and insurmountable problems arise: it asks the minimum of questions needed to find the boot image and the configuration file.

    The clock (reset to 1 March 1993 even on a reboot) is kept in UTC (Coordinated Universal Time) - the same as GMT. The protocols used are NTP (receive and send - enabled by default - the time survives a reboot and a power-off of a couple of minutes) and SNTP on the 1000 series (receive only - disabled by default).

    Run a TFTP server on the router:

    Run a RARP server on the router (to really use it you have to meet a heap of extra conditions - provide UDP broadcast forwarding with ip forward-protocol udp 111, fill the ARP table with the clients' MAC addresses, ip helper-address address-of-the-real-server - they say the problems come from the half-finished rpc.bootparamd in SunOS - judging by our printer that's how it is):
    cat(config-if)>ip rarp-server ip-address-of-the-real-server

    rcp and rsh service:

    HTTP server (when logging in you give the router's name as the user name and the supervisor password as the password) - no use at all:
    ip http server
    ip http port 80

    prompt string - change the standard prompt
    hostname name - the router's name
    alias EXEC-level alias-name command-text - create command aliases
    show aliases [EXEC-level] - list the aliases
    load-interval seconds - length of the interval over which the average load is computed

    common commands for all interfaces

    description text-string
    hold-queue length in/out - set the buffer size
    bandwidth kilobits - used, for example, for tuning TCP parameters
    delay tenths-of-milliseconds - information for some routing protocols (or tens of microseconds)
    keepalive seconds - how often to send packets to check that the line is alive (the interface is considered down if no reply arrives within 3 intervals)
    mtu bytes

    asynchronous serial

    async: 8 of them on the Cisco 2509, 16 on the Cisco 2511; the AUX port can also be used, but I VERY much advise against it (defective hardware implementation: 38400 speed, everything done in software - including synchronization).

    The physical line itself has to be configured separately with the line command.

    Enter interface configuration mode:
    interface async port-number

    Encapsulation: two encapsulation methods are supported - SLIP and PPP. We'll forget about SLIP right away.

    Mode: interactive or dedicated: in the latter case EXEC is not started, so the address and other parameters cannot be changed:
    async mode interactive/dedicated

    Allow dynamic routing protocols:
    async dynamic routing

    Group configuration (so many error warnings that it's better not to touch it)

    1. group definition:
      interface group-async unit-number
      common commands
      member number individual-command
      group-range low-number high-number - building of the configuration starts right here

    hub (2505, 2507, 2516)

    hub ethernet number port
    no shutdown

    auto-polarity
    link-test
    source-address [MAC-address]
    - pass only packets from this MAC address

    loopback (lets a BGP session survive even if other interfaces go down)

    interface loopback number

    null (lets you route everything unwanted to /dev/null)

    interface null 0

    synchronous serial interface (serial)

    interface serial number
    encapsulation atm-dxi/hdlc/frame-relay/ppp/sdlc-primary/sdlc-secondary/smds/stun/x25 - the default is HDLC (there is error detection, but no retransmission of corrupted data)
    compress stac - switch it off if CPU load exceeds 65%
    pulse-time seconds - how long a pause to make when carrier is lost

    tunnel (encapsulating packets of one protocol inside packets of another)

    What it is for:

    1. a multiprotocol LAN over a single-protocol backbone
    2. getting around protocols that limit the number of intermediate hops
    3. virtual private networks over a WAN

    Components:

    1. passenger protocol
    2. carrier protocol
    3. encapsulation protocol (usually GRE, the others in exceptional cases)

    Warnings:

    1. heavy CPU load
    2. possible breach of security
    3. increased delay
    4. multiple tunnels can flood the link with routing information
    5. the routing protocol may prefer the tunnel as the supposedly shortest route
    6. recursive routes can appear

    interface tunnel number
    here you have to describe which protocols are allowed to be tunnelled
    tunnel source ip-address-or-interface
    tunnel destination ip-address-or-interface
    tunnel mode aurp/cayman/dvmrp/eon/gre ip/nos - selects the encapsulation protocol
    tunnel checksum - all bad packets will be dropped (some protocols require this)
    tunnel key number - must be the same at both ends (weak protection)
    tunnel sequence-datagrams - drop packets that arrive out of order (some protocols require this)

    management and monitoring

    show async status
    show interface async number
    show compress
    show controller controller-name
    show interface accounting
    show interface type number
    clear counters type number
    show protocols
    show version
    clear interface type number
    clear line number
    shutdown
    no shutdown

    down-when-looped - consider the interface down if loopback is enabled on it (needed for backup)

    ip address-pool local
    ip local pool default start-ip-address end-ip-address
    interface Group-Async1
    ip unnumbered Ethernet0
    ip tcp header-compression passive
    encapsulation ppp
    bandwidth 112
    delay 20000
    keepalive 10
    async mode interactive
    no cdp enable
    here I also used to say: peer default ip address pool, but it went away somewhere (it's the default, I suppose)
    group-range 1 16

    if someone's address has to be set explicitly, say:
    member number peer default ip address IP-address

    it didn't work in version 11.0(1); in version 11.1(12) it seems to work

         Example configuration with comments.

       service tcp-small-servers # lets the router answer all sorts of small requests like echo, chargen etc.
       hostname cat2511-wb # the router's name, shown in the prompt and, probably, somewhere else
       clock timezone MSK 3 # time zone
       clock summer-time MSD recurring last Sun Mar 2:00 last Sun Oct 2:00 # daylight saving time
       enable secret # encrypted superuser password
       enable password # not used if the encrypted one exists
       ip subnet-zero # didn't look into it
       ip tcp synwait-time 120 # what is this for
       ip tcp path-mtu-discovery # automatic adjustment to the MTU size
       ip accounting-threshold 256 # didn't look into it
       ip accounting-list 194.84.39.0 0.0.0.255 # didn't look into it
       interface Ethernet0 # start configuring the Ethernet port
       ip address 194.84.39.24 255.255.255.224 # IP address and mask of the Ethernet port (the router's main address)
       ip address 194.87.163.24 255.255.255.224 secondary # if we have two blocks of IP addresses (which we had while moving from one ISP to another)
       exit # leave Ethernet configuration
       interface Serial0 # start configuring the synchronous serial port
       no ip address # we don't have one
       shutdown # -//-
       exit # leave port configuration
       interface Serial1 # start configuring the synchronous serial port
       no ip address # we don't have one
       shutdown # -//-
       exit # leave port configuration
       ip domain-name deol.ru. # our domain name
       ip name-server 194.84.39.28 # DNS server address (up to 6 of them)
       ip route 0.0.0.0 0.0.0.0 194.84.39.26 # default route (everything not on our ports is passed to a "smarter" router)
       snmp-server community public RO # allow SNMP management (read-only)
       line con 0 # start configuring the console port
       exec-timeout 0 0 # disable the timeout
       exit # leave port configuration
       line 1 16 # start configuring the asynchronous serial ports
       exec-timeout 0 0 # disable the timeout
       modem InOut # handle modem signals
       autocommand telnet 194.84.39.28 # on entering the line the router forcibly issues the telnet... command, which stops the user from doing anything else (unless, of course, you know how to get out of it)
       transport input none # doesn't allow dialling out from our modems (by entering the line via reverse telnet)
       transport preferred none # just in case
       escape-character NONE # doesn't allow leaving telnet
       stopbits 1
       rxspeed 115200 # speed between modem and router
       txspeed 115200 # speed between router and modem
       flowcontrol hardware
       exit # leave port configuration
       line aux 0 # configuring the auxiliary asynchronous serial port
       transport input all # maybe another router's console will be connected here
       exit # leave port configuration
       line vty 0 4 # configuring the virtual terminals (that's where we land when we telnet to the router)
       exec-timeout 0 0 # disable the timeout
       password # line password; unfortunately, not encrypted
       login # the router will ask for the password on entering this line (in this case by telnet)
       exit # leave port configuration
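The comments on the example above single out several weak settings (tcp-small-servers, an enable password kept beside the enable secret, the public SNMP community, a clear-text vty password, exec-timeout 0 0, transport input all on aux). The following added Python auditor is not part of the original page: it parses a constructed, condensed copy of that config (placeholder secrets, show running-config indentation assumed) and flags exactly those settings, beside a hardened variant that passes clean.

```python
"""Audit an IOS running-config for the weak settings discussed above.
Assumes 'show running-config' layout: sub-commands indented one space under
'interface'/'line'/'router' headers, '!' comments, optional 'exit'.
Both sample configs are constructed for this example; secrets are placeholders."""
import re

SECTION_RE = re.compile(r"^(interface|line|router)\b")

# Constructed: the essentials of the example config above, weak settings kept.
WEAK_CONFIG = """\
service tcp-small-servers
hostname cat2511-wb
enable secret 5 $1$PLACEHOLDER-HASH
enable password PLACEHOLDER
ip http server
interface Ethernet0
 ip address 194.84.39.24 255.255.255.224
snmp-server community public RO
line con 0
 exec-timeout 0 0
line 1 16
 exec-timeout 0 0
 transport input none
line aux 0
 transport input all
line vty 0 4
 exec-timeout 0 0
 password PLACEHOLDER
 login
"""

# Constructed: the same router with every finding below fixed.
HARDENED_CONFIG = """\
no service tcp-small-servers
service password-encryption
hostname cat2511-wb
enable secret 5 $1$PLACEHOLDER-HASH
aaa new-model
snmp-server community PLACEHOLDER-COMMUNITY RO
line con 0
 exec-timeout 10 0
line aux 0
 transport input none
line vty 0 4
 exec-timeout 10 0
 password 7 PLACEHOLDER-TYPE7
 login
"""


def parse_config(text):
    """Split a config into top-level commands and per-section sub-commands."""
    top, sections, current = [], {}, None
    for raw in text.splitlines():
        cmd = raw.strip()
        if not cmd or cmd.startswith("!"):
            continue
        if raw[0].isspace():          # indented: belongs to the open section
            if current is not None:
                sections[current].append(cmd)
        elif cmd == "exit":
            current = None
        elif SECTION_RE.match(cmd):
            current = cmd
            sections.setdefault(current, [])
        else:
            current = None
            top.append(cmd)
    return top, sections


def audit(text):
    """Return (severity, message) findings; an empty list means nothing flagged."""
    top, sections = parse_config(text)
    present = set(top)
    findings = []
    if "service tcp-small-servers" in present:
        findings.append(("medium", "service tcp-small-servers: echo/chargen/discard listeners exposed"))
    if not any(c.startswith("enable secret") for c in top):
        findings.append(("high", "no 'enable secret': privileged password is not stored as a hash"))
    if any(c.startswith("enable password") for c in top):
        findings.append(("low", "'enable password' set: a reversible copy of the privileged password remains"))
    if "ip http server" in present:
        findings.append(("medium", "ip http server: web access authenticated by hostname + enable password"))
    for cmd in top:
        m = re.match(r"snmp-server community (\S+) (RO|RW)", cmd)
        if m and m.group(1).lower() in {"public", "private"}:
            sev = "high" if m.group(2) == "RW" else "medium"
            findings.append((sev, f"snmp-server community '{m.group(1)}' ({m.group(2)}) is a well-known default"))
    if "aaa new-model" not in present:
        findings.append(("info", "no 'aaa new-model': per-line passwords instead of TACACS+ authentication"))
    for header, cmds in sections.items():
        if not header.startswith("line"):
            continue
        for c in cmds:                # 'password 7 ...' is the encrypted form
            parts = c.split()
            if parts[0] == "password" and len(parts) > 1 and parts[1] != "7":
                findings.append(("medium", f"{header}: line password stored in the clear"))
        if "exec-timeout 0 0" in cmds:
            findings.append(("low", f"{header}: exec-timeout 0 0 disables the idle timeout"))
        if "transport input all" in cmds:
            findings.append(("low", f"{header}: transport input all accepts every inbound protocol"))
    return findings
```

Running audit(WEAK_CONFIG) yields ten findings, one per weak line; audit(HARDENED_CONFIG) yields none.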

         The access server (tacacs+) is a program that runs on a UNIX machine and answers the router's questions such as: does this user exist, what rights does he have; it also keeps a log of visits. How to configure the server is in a separate chapter; the router is configured like this:
       aaa new-model # we'll use tacacs+, not the old variants
       aaa authentication login default tacacs+ enable # by default check every login to a line with the tacacs+ server, and if it doesn't respond, ask for the superuser password
       aaa authentication ppp default if-needed none # when PPP starts, check the user if he hasn't been checked before (maybe this can already be switched off?)
       aaa authorization exec tacacs+ if-authenticated # check the right to start EXEC (that's what the router calls the shell) with the tacacs+ server, and if it isn't there, grant it if the user's identity has been verified - only thanks to this line does the tacacs+ server return the autocommand (telnet or ppp in our case)
       aaa authorization commands 1 tacacs+ if-authenticated # check the right to execute level 1 (unprivileged) commands with the tacacs+ server, and if it isn't there, grant it if the user's identity has been verified
       aaa authorization commands 15 tacacs+ if-authenticated # check the right to execute level 15 (privileged) commands with the tacacs+ server, and if it isn't there, grant it if the user's identity has been verified
       aaa authorization network tacacs+ if-authenticated # check the rights when someone comes to us over the network, with the tacacs+ server, and if it isn't there, grant them if the user's identity has been verified
       aaa accounting network stop-only tacacs+ # send an accounting record to the tacacs+ server when a network event ends (for example, the end of a PPP session)
       aaa accounting connection stop-only tacacs+ # send an accounting record to the tacacs+ server when a telnet session ends
       aaa accounting system stop-only tacacs+ # send an accounting record to the tacacs+ server when a system event ends (for example, a reboot)
       the command aaa authentication local-override should also work (if, of course, you first create a user on the router with username admin privilege 15 password ), which lets you use the local user database, but such users end up with no rights at all (they can't even start EXEC :( Excellent! I use this to deny the user bbs access to the router with the fast modems without fiddling with the tacacs+ server.
       tacacs-server host 194.84.39.28 # address of the machine running the tacacs+ server
       tacacs-server host 194.84.39.27 # address of the machine running the backup tacacs+ server (in reality it's not running, but can be started if needed)
       tacacs-server key # the key used to encrypt messages between the router and the tacacs+ server
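The comments above say the enable password is asked for only when the tacacs+ server does not respond, and that if-authenticated applies only when the server is absent. The following added Python example (not part of the original page; the TACACS+ server is a constructed stand-in and all passwords are placeholders) walks the method lists the way IOS does, distinguishing a server that rejects the user from one that does not answer.

```python
"""Simulate how IOS walks the AAA method lists configured above:
'aaa authentication login default tacacs+ enable' and
'aaa authorization exec tacacs+ if-authenticated'.
The next method is consulted only when the current one returns ERROR (no
server answered); an explicit FAIL from a method ends the list with a deny."""
from enum import Enum


class Result(Enum):
    PASS = "pass"    # method accepted the request
    FAIL = "fail"    # method rejected the request: stop here, deny
    ERROR = "error"  # method could not answer (server unreachable): try next


def make_tacacs(users, available=True):
    """Return a stand-in TACACS+ authenticator (constructed for this example)."""
    def authenticate(user, password):
        if not available:
            return Result.ERROR
        return Result.PASS if users.get(user) == password else Result.FAIL
    return authenticate


def login(methods, user, password, tacacs, enable_secret):
    """Evaluate an 'aaa authentication login' list; returns (Result, method used)."""
    for method in methods:
        if method == "tacacs+":
            result = tacacs(user, password)
        elif method == "enable":          # only the enable password is checked
            result = Result.PASS if password == enable_secret else Result.FAIL
        elif method == "none":
            result = Result.PASS
        else:
            raise ValueError(f"unknown method {method!r}")
        if result is not Result.ERROR:
            return result, method
    return Result.FAIL, None              # every method errored: deny


def authorize(methods, authenticated, tacacs_answer):
    """Evaluate an 'aaa authorization' list such as ['tacacs+', 'if-authenticated'].
    tacacs_answer is the Result the stand-in server gives for this request."""
    for method in methods:
        if method == "tacacs+":
            result = tacacs_answer
        elif method == "if-authenticated":
            result = Result.PASS if authenticated else Result.FAIL
        elif method == "none":
            result = Result.PASS
        else:
            raise ValueError(f"unknown method {method!r}")
        if result is not Result.ERROR:
            return result, method
    return Result.FAIL, None


if __name__ == "__main__":
    up = make_tacacs({"alice": "pw-placeholder"})
    down = make_tacacs({"alice": "pw-placeholder"}, available=False)
    methods = ["tacacs+", "enable"]
    print(login(methods, "alice", "pw-placeholder", up, "enable-placeholder"))
    print(login(methods, "alice", "enable-placeholder", up, "enable-placeholder"))
    print(login(methods, "alice", "enable-placeholder", down, "enable-placeholder"))
```

The second call shows the point of the page's comment: with the server up, typing the enable password at a login prompt is simply a rejected TACACS+ login, not a fallback.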


    Last-modified: Mon, 16 Apr 2001 15:07:36 GMT