Configuration and IOS Management Commands
The Role of a Router
As a network grows it is divided into smaller networks. Each divided network is called a subnet, and the device that connects subnets is a router. The most important job of a router is to gather routing information about destinations, select the best path to each destination, and forward packets along it.
Routers exchange routing tables with the routers they are connected to. Routes to networks directly attached to a router are known without any routing-table exchange. Information about networks that are not directly attached is learned by exchanging routing tables with other routers, or by an administrator adding routes manually.
Routing
When a packet arrives at a router, the router analyzes it to find the destination network. If the path to the destination network is in its routing table, the router sends the packet out of the interface that leads there.
A packet whose destination has no route in the routing table is dropped. If the router has a default route, the packet is forwarded there instead.
Connecting to the Cisco Router Console
1. Connect the console cable to the console port on the back of the router (an RJ-45 port).
2. Connect the other end of the console cable to the serial port (COM1, COM2) of a terminal, usually a notebook or PC.
3. Configure the COM port: baud rate 9,600, data bits 8, parity none, stop bits 2.
4. Start terminal-emulator software such as HyperTerminal on the PC or notebook.
5. Power on the router.
6. The boot screen appears. When booting has finished, press the Enter key.
Setup Mode
When no configuration file exists, setup mode starts automatically and allows interactive configuration of the router. It can also be entered with the setup command.

Router#setup                                          <= Only basic configuration is possible in Setup Mode.
Continue with configuration dialog? [yes/no]: y
Enter host name [Router]: Router01
Enter enable secret [<Use current secret>]: sk        <= Used instead of the enable password.
Enter enable password [password]: telecom             <= Meaningless when an enable secret is set.
Enter virtual terminal password [password]: password  <= The password for Telnet and similar access.
Configure SNMP Network Management? [yes]: y
    Community string [public]: public2
Configure IP? [yes]: y
    Configure IGRP routing? [yes]: n
    Configure RIP routing? [no]: y
Configuring interface Ethernet0:
    Is this interface in use? [yes]: y
    Configure IP on this interface? [yes]: y
    IP address for this interface [128.1.51.254]: 128.1.51.254
    Number of bits in subnet field [0]: 8
    Class B network is 128.1.0.0, 8 subnet bits; mask is /24
Configuring interface Serial0:
    Is this interface in use? [no]: n
Configuring interface Serial1:
    Is this interface in use? [no]: n
Use this configuration? [yes/no]: y                   <= The configuration is saved to RAM and NVRAM at the same time.
Building configuration...
[OK]
Use the enabled mode 'configure' command to modify this configuration.
CLI (Command-Line Interface)
Router>enable
Router#disable
Router>logout
- Use the disable command to leave Privileged Mode.
- To leave Privileged Mode and log out in one step, use logout or exit.
Router Modes
Exec Mode: the mode in which commands can be entered.
User Exec Mode: non-destructive commands, basic tests and system information are available. The prompt is >.
Privileged Exec Mode: configure and debug commands can be used. The prompt is #. Enter it with the enable command and leave it with the disable command.
Global Configuration Mode
The mode for configuring settings that apply to the router as a whole. Enter it with the config term command; the prompt becomes (config)#. Leave it with exit or Ctrl+Z. In nested modes, exit goes up one level, while Ctrl+Z leaves configuration mode entirely in one step.
The config Command
Router#config ?
  memory             Configure from NV memory
  network            Configure from a TFTP network host
  overwrite-network  Overwrite NV memory from TFTP network host
  terminal           Configure from the terminal
  <cr>
Interface Mode
RouterA#config term
Enter configuration commands, one per line.  End with CNTL/Z.
RouterA(config)#interface ?
  Async             Async interface
  BVI               Bridge-Group Virtual Interface
  Dialer            Dialer interface
  Ethernet          IEEE 802.3
  Group-Async       Async Group interface
  Lex               Lex interface
  Loopback          Loopback interface
  Null              Null interface
  Serial            Serial
  Tunnel            Tunnel interface
  Virtual-Template  Virtual Template interface
RouterA(config)#interface ethernet 0
RouterA(config-if)#ip address 192.168.0.254 255.255.255.0
Subinterface Mode
Router#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#int s 0.?
  <0-4294967295>  Serial interface number
Router(config)#int s 0.1
Router(config-subif)#ip address 192.168.1.254 255.255.255.0
Line Mode
RouterA#config term
Enter configuration commands, one per line.  End with CNTL/Z.
RouterA(config)#line ?
  <0-6>    First Line number
  aux      Auxiliary line
  console  Primary terminal line
  vty      Virtual terminal
RouterA(config)#line con
RouterA(config)#line console 0
RouterA(config-line)#login
RouterA(config-line)#password passwd1
Router Mode
RouterA#config t
Enter configuration commands, one per line.  End with CNTL/Z.
RouterA(config)#router rip
RouterA(config-router)#network 192.168.0.0
RouterA(config-router)#
Editing and Help Features
RouterA#?
Exec commands:
  <1-99>           Session number to resume
  access-enable    Create a temporary Access-List entry
  access-template  Create a temporary Access-List entry
  bfe              For manual emergency modes setting
  clear            Reset functions
  clock            Manage the system clock
  configure        Enter configuration mode
  connect          Open a terminal connection
  copy             Copy configuration or image data
  debug            Debugging functions (see also 'undebug')
  disable          Turn off privileged commands
  disconnect       Disconnect an existing network connection
  enable           Turn on privileged commands
  erase            Erase flash or configuration memory
  exit             Exit from the EXEC
  help             Description of the interactive help system
  lock             Lock the terminal
  login            Log in as a particular user
  logout           Exit from the EXEC
RouterA#show clock detail
19:58:05.431 UTC Tue Dec 19 2000
Time source is user configuration
RouterA#clock ?
  set  Set the time and date
RouterA#clock
RouterA#clock set ?
  hh:mm:ss  Current Time
RouterA#clock set 20:00:00 ?
  <1-31>  Day of the month
  MONTH   Month of the year
RouterA#clock set 20:00:00 19 ?
  MONTH  Month of the year
RouterA#clock set 20:00:00 19 nov ?
  <1993-2035>  Year
RouterA#clock set 20:00:00 19 nov 2000
RouterA#show clock detail
20:00:09.183 UTC Sun Nov 19 2000
Time source is user configuration
Auto Completion
Type part of a command and press the Tab key.
Messages
RouterA#clock set 20:00:00
% Incomplete command.
RouterA(config)#show version
                  ^
% Invalid input detected at '^' marker.
RouterA#sh te
% Ambiguous command: "sh te"
RouterA#sh te?
tech-support  terminal
RouterA#sh history
  clock set 19:56:00 19 dec 2000
  sh clock
  show clock detail
  clock set 20:00:00 19 nov 2000
  show clock detail
  clock set 20:00:00
  show k
  config term
  sh te
  sh history
RouterA#sh terminal
Line 2, Location: "", Type: "ANSI"
Length: 27 lines, Width: 80 columns
Baud rate (TX/RX) is 9600/9600
Status: Ready, Active, No Exit Banner
Capabilities: none
Modem state: Ready
Special Chars: Escape  Hold  Stop  Start  Disconnect  Activation
                ^^x    none  -     -      none
Timeouts:      Idle EXEC    Idle Session   Modem Answer  Session   Dispatch
               00:10:00        never         none     not set
                            Idle Session Disconnect Warning
                              never
Modem type is unknown.
Session limit is not set.
Time since activation: never
Editing is enabled.
History is enabled, history size is 10.
Full user help is disabled
Allowed transports are pad v120 telnet rlogin mop.  Preferred is telnet.
No output characters are padded
No special data dispatching characters
RouterA#terminal history size 25
RouterA#sh terminal
…
History is enabled, history size is 25.
…
Gathering Basic Routing Information
RouterA#sh version
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-D-L), Version 11.2(3)P, SHARED PLATFORM, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1996 by cisco Systems, Inc.
Compiled Tue 31-Dec-96 17:11 by tamb
Image text-base: 0x0302A498, data-base: 0x00001000

ROM: System Bootstrap, Version 11.0(10c), SOFTWARE
ROM: 3000 Bootstrap Software (IGS-BOOT-R), Version 11.0(10c), RELEASE SOFTWARE (fc1)

RouterA uptime is 1 hour, 0 minutes
System restarted by power-on at 19:17:08 UTC Sun Nov 19 2000
System image file is "flash:80135003.bin", booted via flash

cisco 2500 (68030) processor (revision N) with 2048K/2048K bytes of memory.
Processor board ID 06164964, with hardware revision 00000000
Bridging software.
X.25 software, Version 2.0, NET2, BFE and GOSIP compliant.
1 Ethernet/IEEE 802.3 interface(s)
2 Serial network interface(s)
32K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read ONLY)
Configuration register is 0x2102
Setting the Passwords
Enable Secret & Enable Password
RouterA#config t
Enter configuration commands, one per line.  End with CNTL/Z.
RouterA(config)#enable secret wsyang
RouterA(config)#enable password wsyang
The enable password you have chosen is the same as your enable secret.
This is not recommended.  Re-enter the enable password.
Auxiliary Password
RouterA#config t
RouterA#config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
RouterA(config)#line aux
RouterA(config)#line aux ?
  <0-0>  First Line number
RouterA(config)#line aux 0
RouterA(config-line)#login
RouterA(config-line)#password wsyang
Console Password
RouterA#config t
Enter configuration commands, one per line.  End with CNTL/Z.
RouterA(config)#line console ?
  <0-0>  First Line number
RouterA(config)#line console 0
RouterA(config-line)#login
RouterA(config-line)#password wsyang
Other Console Port Commands
RouterA#config term
Enter configuration commands, one per line.  End with CNTL/Z.
RouterA(config)#line console 0
RouterA(config-line)#logging synchronous
(logging synchronous: stops console messages from overwriting command-line input)

RouterA#config t
Enter configuration commands, one per line.  End with CNTL/Z.
RouterA(config)#line console 0
RouterA(config-line)#exec-timeout 0 0
(exec-timeout 0 0: removes the console timeout)
Telnet Password / Timeout
RouterA#config t
Enter configuration commands, one per line.  End with CNTL/Z.
RouterA(config)#line vty ?
  <0-4>  First Line number
RouterA(config)#line vty 0 4
RouterA(config-line)#login
RouterA(config-line)#password wsyang

RouterA#config term
Enter configuration commands, one per line.  End with CNTL/Z.
RouterA(config)#line vty 0 4
RouterA(config-line)#no login
- With no login, users log in without a password.

Router#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#line vty 0 4
Router(config-line)#exec-timeout 0 0
(exec-timeout 0 0: removes the Telnet timeout)
Password Encryption
RouterA#config t
Enter configuration commands, one per line.  End with CNTL/Z.
RouterA(config)#service password-encryption
(This obscures the line and enable passwords that would otherwise appear in clear text in the configuration display; the enable secret is stored as a hash regardless of this setting.)
Banners
1. Type banner motd # and press Enter.
2. Type the message.
3. Type # and press Enter.
4. The banner is displayed when logging in to the router.
RouterA(config)#banner ?
  LINE      c banner-text c, where 'c' is a delimiting character
  exec      Set EXEC process creation banner
  incoming  Set incoming terminal line banner
  login     Set login banner
  motd      Set Message of the Day banner
Router(config)#banner motd #
Enter TEXT message.  End with the character '#'.
Accounting Department
#
Configuring an IP Address on an Interface, Bringing It Up and Shutting It Down
RouterA#config term
Enter configuration commands, one per line.  End with CNTL/Z.
RouterA(config)#int serial 1
RouterA(config-if)#ip address 192.168.5.1 255.255.255.0
RouterA(config-if)#no shutdown
RouterA(config-if)#shutdown
Secondary IP Address on an Interface
RouterA#config term
Enter configuration commands, one per line.  End with CNTL/Z.
RouterA(config)#int ethernet 0
RouterA(config-if)#ip address 192.168.10.1 255.255.255.0 secondary
Configuring a Serial Line
1. Specify the clock speed only when the interface is used as DCE. The default is the clock speed of a T1 line.
2. Specify the bandwidth in kilobits. The default is the bandwidth of a T1 line (1544 K). It can be checked with the show controller s 0 command.
Router#config term
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#int s 0
Router(config-if)#bandwidth 128
Router(config-if)#^Z
Router#sh int s 0
Serial0 is down, line protocol is down
  Hardware is HD64570
  MTU 1500 bytes, BW 56 Kbit, DLY 20000 usec, rely 255/255, load 1/255
  Encapsulation HDLC, loopback not set, keepalive set (10 sec)
Router#sh controller s 0          (shows the hardware settings of the interface)
HD unit 0, idb = 0x906F8, driver structure at 0x94338
buffer size 1524  HD unit 0, No cable, clockrate 56000
cpb = 0x11, eda = 0x4940, cda = 0x4800
RX ring with 16 entries at 0x114800
Configuring as DCE
RouterA#config term
Enter configuration commands, one per line.  End with CNTL/Z.
RouterA(config)#int s 1
RouterA(config-if)#clock rate 64000
RouterA#sh controllers s
RouterA#sh controllers s 1
HD unit 1, idb = 0xA0A6C, driver structure at 0xA46B0
buffer size 1524  HD unit 1, No cable, clockrate 64000
cpb = 0x22, eda = 0x3140, cda = 0x3000
RX ring with 16 entries at 0x223000
Setting the Router Name
RouterA#config term
Enter configuration commands, one per line.  End with CNTL/Z.
RouterA(config)#hostname Seoul
Interface Descriptions
Router(config)#interface ethernet 0
Router(config-if)#description Engineering LAN, Bldg. 18
- The description can be checked with the show running-config and show interfaces commands.
Viewing and Saving Configurations
Seoul#show running-config
Seoul#show startup-config
Seoul#copy running-config startup-config
Verifying the Configuration
Show Interface: shows the hardware address, logical address, encapsulation method and statistics on collisions.
Seoul#sh int e 0
Ethernet0 is up, line protocol is up
  Hardware is Lance, address is 00e0.1ea9.4f8c (bia 00e0.1ea9.4f8c)
  Internet address is 192.168.0.254/24
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec, rely 255/255, load 1/255
  Encapsulation ARPA, loopback not set, keepalive set (10 sec)
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 1/75, 0 drops
Clearing Counters: clears the statistics of an interface
Seoul#clear counters ?
  Ethernet  IEEE 802.3
  Null      Null interface
  Serial    Serial
  <cr>
Seoul#clear counters s 0
Clear "show interface" counters on this interface [confirm]
Show Controllers: shows the physical interface and the type of serial cable
Seoul#sh controllers s 0
HD unit 0, idb = 0x9923C, driver structure at 0x9CE80
buffer size 1524  HD unit 0, V.35 DTE cable
The configuration is verified with ping, trace (traceroute) and telnet. ping and trace also have an extended form.
Seoul#ping
Protocol [ip]:
Target IP address: 192.168.0.1
Repeat count [5]: 3
Datagram size [100]: 36
Timeout in seconds [2]: 1
Extended commands [n]: y
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 3, 36-byte ICMP Echos to 192.168.0.1, timeout is 1 seconds:
!!!
Success rate is 100 percent (3/3), round-trip min/avg/max = 1/3/4 ms
Components of a Cisco Router
IOS (Internetworking Operating System): the router's operating system.
ROM (Read Only Memory): holds the power-on diagnostics and the bootstrap program. The Cisco 2500, 4000 and 4500 also hold a subset of IOS (small IOS) in ROM, which is used only during maintenance or emergencies. The Cisco 7000 and 7500 hold IOS itself in ROM, so IOS can be replaced by swapping the ROM chip.
Flash Memory (Erasable Programmable Read-Only Memory): the Cisco 2500 series holds IOS in flash memory, so IOS can be updated.
NVRAM (Non-Volatile RAM): holds the router's configuration file.
RAM (Random Access Memory)
- Main memory: holds the running IOS, the router's running configuration and the ARP cache.
- Shared memory: used as a buffer for temporarily storing packets.
Interface: the Ethernet and serial ports that connect networks; each must be assigned one IP address. Depending on the router, Ethernet, Token Ring, FDDI, serial, ISDN BRI, ATM and other interfaces are provided.
Console Port: connects to a terminal with a console cable so that the router can be configured.
Auxiliary Port: can substitute for the console port; a remote user can configure the router through a modem connection, and it can also serve as a router backup line over an analog circuit.
Router Status
(Figure from the slide: the show command that reports each part of the router.)
RAM
  - Internetwork Operating System: show version
  - Programs: show processes
  - Dynamic configuration information: show running-config
  - Routing tables and buffers: show ip route, show mem
NVRAM
  - Backup (startup) configuration file: show startup-config
Flash
  - Operating system image: show flash
Interfaces: show interfaces
Others: #show buffer (displays buffer status), #show arp (displays the ARP cache)
Router Boot Sequence
1. The router performs a POST. The POST tests the hardware to verify that all components of the device are operational and present. For example, the POST checks for the different interfaces on the router. The POST is stored in and run from ROM.
2. The bootstrap looks for and loads the Cisco IOS software. The bootstrap is a program in ROM that is used to execute programs. The bootstrap program is responsible for finding where each IOS program is located and then loading the file. By default, the IOS software is loaded from flash memory in all Cisco routers.
3. The IOS software looks for a valid configuration file stored in NVRAM. This file is called startup-config and is only there if an administrator copies the running-config file into NVRAM.
Router#sh version
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-I-M), Version 12.0(3)T3, RELEASE SOFTWARE (fc1)
[output cut]
Configuration register is 0x2102
Recovering the Enable Security Password on Cisco 2500 and 4000 Routers
- Run show version (this also works in user mode) and note the line "Configuration register is 0x2102".
- Power the router down and then on again.
- Send the break command (Ctrl+Break).
- At the > prompt, enter o/r 0x2142. (0x2142 makes the router ignore the NVRAM configuration and boot from flash memory.)
- Enter i (initialize: the router reboots).
- Initial configuration dialog? No
- Enter enable; the # prompt is reached directly. Then run copy startup-config running-config.
- Change the password and save it.
Router02#config term
Router02(config)#enable secret korea
Router02#copy running startup

Router02#config term
Router02(config)#config-register 0x2102
Router02#reload
Save? Yes
reload? <Enter>
- Check the register value with show version.
Verifying Flash Memory
RouterB#sh flash
System flash directory:
File  Length   Name/status
  1   9524828  c2500-js-l.113-9.T
[9524892 bytes used, 7252324 available, 16777216 total]
16384K bytes of processor board System flash (Read ONLY)
Backing Up the Cisco IOS
Router#copy flash tftp
System flash directory:
File  Length   Name/status
  1   8121000  c2500-js-l.112-18.bin
[8121064 bytes used, 8656152 available, 16777216 total]
Address or name of remote host [255.255.255.255]? 192.168.0.120
Source file name? c2500-js-l.112-18.bin
Destination file name [c2500-js-l.112-18.bin]? (press enter)
Verifying checksum for 'c2500-js-l.112-18.bin' (file #1)... OK
Copy '/c2500-js-l.112-18' from Flash to server as '/c2500-js-l.112-18'? [yes/no] y
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[output cut]
Upload to server done
Flash copy took 00:02:30 [hh:mm:ss]
Restoring or Upgrading the Cisco Router IOS
Router#copy tftp flash
**** NOTICE ****
Flash load helper v1.0
This process will accept the copy options and then terminate
the current system image to use the ROM based image for the copy.
Routing functionality will not be available during that time.
If you are logged in via telnet, this connection will terminate.
Users with console access can see the results of the copy operation.
---- ******** ----
- Verifying the Current Configuration
Seoul#sh running-config
- Verifying the Stored Configuration
Seoul#sh startup-config
- Copying the Current Configuration to NVRAM
Router#copy run start
- Copying the Configuration to a TFTP Host
RouterB#copy running-config tftp
- Restoring the Cisco Router Configuration
RouterB#copy tftp running-config
- Erasing the Configuration
RouterB#erase startup-config
Initializing the Router
Router01#erase startup-config
Building configuration...
[OK]
Router01#reload
Proceed with reload? [confirm] y
%SYS-5-RELOAD: Reload requested
System Bootstrap, Version 5.2(8a), RELEASE SOFTWARE
Copyright (c) 1986-1995 by cisco Systems
2500 processor with 1024 Kbytes of main memory
CDP (Cisco Discovery Protocol)
A protocol that lets a Cisco router see information about the Cisco routers directly connected to it. It operates at the data link layer; at the physical layer it supports LAN and WAN (Frame Relay, SMDS, ATM) media. It works regardless of the upper-layer protocol (IP, IPX, AppleTalk), and also between Cisco routers, switches and access servers.
RouterB#sh cdp
Global CDP information:
        Sending CDP packets every 60 seconds
        Sending a holdtime value of 180 seconds
RouterB#config term
Enter configuration commands, one per line.  End with CNTL/Z.
RouterB(config)#cdp timer 120          (update interval)
RouterB(config)#cdp holdtime 240       (how long a received CDP packet is retained)
The parameters can be adjusted with commands such as these.
router#config term
router(config)#no cdp run              <= Disables CDP globally.
router#config term
router(config)#int e 0
router(config-if)#no cdp enable        <= Disables CDP on an individual interface.
RouterB#sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
RouterA          Ser 0             121        R           2500      Ser 0
RouterB#sh cdp neighbors detail
-------------------------
Device ID: RouterA
Entry address(es):
  IP address: 192.168.1.254
Platform: cisco 2500,  Capabilities: Router
Interface: Serial0,  Port ID (outgoing port): Serial0
Holdtime : 149 sec

Version :
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-D-L), Version 11.2(3)P, SHARED PLATFORM, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1996 by cisco Systems, Inc.
Compiled Tue 31-Dec-96 17:11 by tamb

RouterB#sh cdp entry *
-------------------------
Device ID: RouterA
Entry address(es):
  IP address: 192.168.1.254
Platform: cisco 2500,  Capabilities: Router
Interface: Serial0,  Port ID (outgoing port): Serial0
Holdtime : 168 sec

Version :
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-D-L), Version 11.2(3)P, SHARED PLATFORM, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1996 by cisco Systems, Inc.
Compiled Tue 31-Dec-96 17:11 by tamb
- The show cdp traffic command shows CDP traffic, such as the number of CDP packets sent and received.
RouterB#sh cdp traffic
CDP counters :
        Packets output: 281, Input: 255
        Hdr syntax: 0, Chksum error: 0, Encaps failed: 0
        No memory: 0, Invalid packet: 0, Fragmented: 0
- The show cdp interface command shows the CDP status of each router interface.
RouterB#sh cdp interface
Ethernet0 is up, line protocol is up
  Encapsulation ARPA
  Sending CDP packets every 120 seconds
  Holdtime is 240 seconds
Serial0 is up, line protocol is up
  Encapsulation PPP
  Sending CDP packets every 120 seconds
  Holdtime is 240 seconds
Serial1 is administratively down, line protocol is down
  Encapsulation HDLC
  Sending CDP packets every 120 seconds
  Holdtime is 240 seconds
Using Telnet
2501B#config t
Enter configuration commands, one per line.  End with CNTL/Z.
2501B(config)#line vty 0 4
2501B(config-line)#login
2501B(config-line)#password todd
Telnetting into Multiple Devices Simultaneously
After telnetting to another router, press Ctrl+Shift+6 followed by X to return to the previous router. Pressing Enter twice switches back to the Telnet session.
Checking Telnet Connections
Todd2509#sh sessions
Conn Host             Address          Byte  Idle Conn Name
   1 172.16.10.2      172.16.10.2         0     0 172.16.10.2
*  2 192.168.0.148    192.168.0.148       0     0 192.168.0.148
Shows this router's connections to remote devices. The * marks the most recent connection.
Todd2509#disconnect 1
Closing connection to 172.16.10.2 [confirm]
Checking Telnet Users
2501B#sh users
    Line     User      Host(s)      Idle Location
*   0 con 0            idle            0
    1 aux 0            idle            0
    2 vty 0            idle            0 172.16.10.1
Shows other devices' connections to this router. The * marks the terminal of the current session.
Closing Telnet Sessions
2501B#clear line 2
[confirm]
[OK]
2501B#sh users
    Line     User      Host(s)      Idle Location
*   0 con 0            idle            0
    1 aux 0            idle            1
Building a Host Table
RouterA#config term
Enter configuration commands, one per line.  End with CNTL/Z.
RouterA(config)#ip host routerB 192.168.1.253
RouterA(config)#ip host Linux 211.168.27.41
RouterA(config)#^Z
RouterA#sh hosts
Default domain is not set
Name/address lookup uses domain service
Name servers are 255.255.255.255

Host        Flags      Age Type   Address(es)
routerB     (perm, OK)  0  IP     192.168.1.253
Linux       (perm, OK)  0  IP     211.168.27.41
Using DNS to Resolve Names
RouterA#config term
Enter configuration commands, one per line.  End with CNTL/Z.
RouterA(config)#ip domain-lookup
RouterA(config)#ip name-server 211.168.27.41
RouterA(config)#ip domain-name sktelecom.com
RouterA#sh hosts
Default domain is sktelecom.com
Name/address lookup uses domain service
Name servers are 211.168.27.41

Host        Flags      Age Type   Address(es)
routerB     (perm, OK)  0  IP     192.168.1.253
Linux       (perm, OK)  0  IP     211.168.27.41
Access Lists
Access lists filter IP traffic. There are standard IP access lists and extended IP access lists.
Standard IP Access List
Controls access based only on the source IP address. Uses access-list numbers 1-99.
Extended IP Access List
Controls access using the source IP address and port together with the destination IP address and port. Uses access-list numbers 100-199.
RouterA(config)#access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
<1000-1099> IPX SAP access list
<1100-1199> Extended 48-bit MAC address access list
<1200-1299> IPX summary address access list
<200-299> Protocol type-code access list
<300-399> DECnet access list
<600-699> Appletalk access list
<700-799> 48-bit MAC address access list
<800-899> IPX standard access list
<900-999> IPX extended access list
Once an access list is configured (whether its entries are permit or deny), every packet that matches no entry is implicitly denied, so depending on the situation a "permit 0.0.0.0 255.255.255.255" (= permit any) entry must be added.
in / out
in: used when the packet flow enters the router through the interface.
out: used when the packet flow leaves the router through the interface.
- any = 0.0.0.0 255.255.255.255
- If the wildcard mask is omitted, it means 0.0.0.0.
- 131.104.7.11 0.0.0.0 = host 131.104.7.11
Extended Access List Example (1)
(Figure from the slide: router A with networks 128.88.3.0/24 and 128.88.1.0/24 behind it, host X at 128.88.1.2 on 128.88.1.0/24, and the outside reached through e1 in the first case and through s0 in the second.)
• When the outside should only be able to send mail to X:
!routerA
access-list 100 permit tcp any 128.88.1.0 0.0.0.255 established
access-list 100 permit tcp any host 128.88.1.2 eq smtp
interface ethernet 1
ip access-group 100 in
• When the outside should only be able to send mail to X, and nslookup and ping to 128.88.0.0/16 should also be allowed:
!routerA
access-list 100 permit tcp any 128.88.0.0 0.0.255.255 established
access-list 100 permit tcp any host 128.88.1.2 eq smtp
access-list 100 permit udp any any eq domain
access-list 100 permit tcp any any eq domain
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
interface serial 0
ip access-group 100 in
Extended Access List Example (2)
(Figure from the slide: the Internet connects through e0 to network 203.252.1.0, which contains an important DB system at 203.252.1.201 and a host at 203.252.1.202 that is the domain name server, Internet mail server and web server.)
• From the outside, only nslookup, Internet mail and web service to 203.252.1.202 can be reached.
• However, all systems on 203.252.1.0/24 can use every service on the outside.
• Resulting configuration:
!router
access-list 101 permit tcp any 203.252.1.0 0.0.0.255 established
access-list 101 permit tcp any host 203.252.1.202 eq smtp
access-list 101 permit tcp any host 203.252.1.202 eq www
access-list 101 permit udp any host 203.252.1.202 eq domain
access-list 101 permit tcp any host 203.252.1.202 eq domain
access-list 101 permit udp any 203.252.1.0 0.0.0.255 gt 1023
interface ethernet 0
ip access-group 101 out
IP Extended Access List Commands (2)
• Extended access list for the TCP protocol:
router(config)# access-list access-list-number {permit|deny}
    tcp {source wildcard | any}
    [operator source-port | source-port]
    {destination wildcard | any}
    [operator destination-port | destination-port]
    [established]
• Control is possible by TCP port number or by keyword.
• Support for "established" is the distinctive feature.
- Established: matches TCP segments in which the ACK or RST bit is set to 1, that is, segments that are replies to a request for data. A TCP segment with only the SYN bit set to 1 (a new connection attempt) is rejected.
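The matching described in the established rule above and in example (1), as an added Python model (not part of the original page and not IOS code): it implements Cisco wildcard matching, top-to-bottom first-match evaluation, the implicit deny, and the ACK/RST meaning of established, then runs constructed packets through the page's serial 0 list. The outside host address 203.0.113.5 and the sample packets are assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    """Constructed test packet (not from the page)."""
    proto: str                # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0            # TCP/UDP source port, 0 for icmp
    dport: int = 0            # TCP/UDP destination port, 0 for icmp
    ack_or_rst: bool = False  # TCP ACK or RST bit set: what "established" matches
    icmp_type: str = ""       # "echo", "echo-reply", ... for icmp

PORT_NAMES = {"smtp": 25, "domain": 53, "www": 80}   # keywords used in the page's examples

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care', a 0 bit must match exactly."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def parse_addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (base, wildcard, remaining tokens)."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]

def parse_port(tokens):
    """Consume an optional 'eq|gt|lt PORT'; return (predicate on a port, remaining tokens)."""
    if tokens and tokens[0] in ("eq", "gt", "lt"):
        op, value = tokens[0], PORT_NAMES.get(tokens[1]) or int(tokens[1])
        return (lambda p: {"eq": p == value, "gt": p > value, "lt": p < value}[op]), tokens[2:]
    return (lambda p: True), tokens

def parse_entry(line: str) -> dict:
    """Parse 'access-list N permit|deny PROTO SRC [op port] DST [op port] [established|icmp-type]'."""
    t = line.split()
    src, swc, rest = parse_addr(t[4:])
    sport_ok, rest = parse_port(rest)
    dst, dwc, rest = parse_addr(rest)
    dport_ok, rest = parse_port(rest)
    return dict(action=t[2], proto=t[3], src=src, swc=swc, dst=dst, dwc=dwc,
                sport_ok=sport_ok, dport_ok=dport_ok, flag=rest[0] if rest else "")

def matches(e: dict, p: Packet) -> bool:
    if e["proto"] != p.proto:
        return False
    if not (wildcard_match(p.src, e["src"], e["swc"]) and wildcard_match(p.dst, e["dst"], e["dwc"])):
        return False
    if not (e["sport_ok"](p.sport) and e["dport_ok"](p.dport)):
        return False
    if e["flag"] == "established" and not p.ack_or_rst:
        return False                    # a bare SYN (new connection) never matches "established"
    if p.proto == "icmp" and e["flag"] and e["flag"] != p.icmp_type:
        return False
    return True

def evaluate(acl: list, packet: Packet) -> str:
    """Entries are tried top to bottom; the first match wins and anything unmatched is denied."""
    for entry in (parse_entry(line) for line in acl):
        if matches(entry, packet):
            return entry["action"]
    return "deny"                       # the implicit deny at the end of every access list

# ACL 100 exactly as applied inbound on serial 0 in the page's example (1)
ACL_100 = [
    "access-list 100 permit tcp any 128.88.0.0 0.0.255.255 established",
    "access-list 100 permit tcp any host 128.88.1.2 eq smtp",
    "access-list 100 permit udp any any eq domain",
    "access-list 100 permit tcp any any eq domain",
    "access-list 100 permit icmp any any echo",
    "access-list 100 permit icmp any any echo-reply",
]

def demo() -> dict:
    """Verdicts for constructed packets arriving from an assumed outside host on serial 0."""
    o = "203.0.113.5"
    return {
        "smtp_to_X":       evaluate(ACL_100, Packet("tcp", o, "128.88.1.2", 40000, 25)),
        "smtp_to_other":   evaluate(ACL_100, Packet("tcp", o, "128.88.1.3", 40000, 25)),
        "reply_to_inside": evaluate(ACL_100, Packet("tcp", o, "128.88.3.7", 80, 51000, ack_or_rst=True)),
        "syn_to_inside":   evaluate(ACL_100, Packet("tcp", o, "128.88.3.7", 40001, 23)),
        "dns_query":       evaluate(ACL_100, Packet("udp", o, "128.88.1.9", 53000, 53)),
        "ping":            evaluate(ACL_100, Packet("icmp", o, "128.88.1.9", icmp_type="echo")),
        "icmp_redirect":   evaluate(ACL_100, Packet("icmp", o, "128.88.1.9", icmp_type="redirect")),
    }
```

The same evaluate() accepts the page's ACL 101 lines as well, since gt and the www keyword are handled.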
Restricting Virtual Terminal Access
Router(config)#access-list 50 permit 192.89.55.0 0.0.0.255
Router(config)#line vty 0 4
Router(config-line)#access-class 50 in
- It is best to apply standard access lists close to the destination and extended access lists close to the source.
Monitoring IP Access Lists
show access-list Displays all access lists and their parameters configured on the router. This command does not show you which interface the list is set on.
show access-list 110 Shows only the parameters for the access list 110. This command does not show you the interface the list is set on.
show ip access-list Shows only the IP access lists configured on the router.
show ip interface Shows which interfaces have access lists set.
show running-config Shows the access lists and which interfaces have access lists set.
Routers and Broadcasts
Broadcast addresses include the limited broadcast (255.255.255.255), the local subnet broadcast and the remote subnet broadcast. With a router's default settings, only remote subnet broadcasts are forwarded to the network in question.
If a helper address is configured, limited broadcasts and local subnet broadcasts can also be forwarded.
Limited broadcasts (255.255.255.255) normally occur in restricted situations such as DHCP, where the host does not yet have an IP address configured.
When ip helper-address is configured, only eight default UDP ports are enabled automatically:
TFTP (69), DNS (53), Time (37), NetBIOS Name Service (137), NetBIOS Datagram Service (138), BootP/DHCP Server (67), BootP/DHCP Client (68), TACACS (49)
Ports that are not default UDP ports must be enabled individually, and any default UDP port that should not be forwarded is disabled individually. The (no) ip forward-protocol udp command is used for both.
Helper-Address
interface e 0
 ip address 144.253.1.1 255.255.255.0
 ip helper-address 144.253.2.2           (Broadcast => Unicast)
(Broadcasts arriving on e0 are sent as unicast to 144.253.2.2.)

interface e 0
 ip address 144.253.1.1 255.255.255.0
 ip helper-address 144.253.2.2
ip forward-protocol udp 3000             (global configuration command, not an interface command)
no ip forward-protocol udp 69

interface e 0
 ip address 144.253.1.1 255.255.255.0
 ip helper-address 144.253.2.255         (Broadcast => Broadcast)
(Broadcasts arriving on e0 are sent as a directed broadcast to 144.253.2.255.)
(Figure from the slide: host A on network 144.253.1.0 attached to router interface e0 (144.253.1.1); the server 144.253.2.2 on network 144.253.2.0 attached to e1.)
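The helper-address forwarding decision described above, as an added Python model (not part of the original page and not IOS code): it applies the page's second configuration to e0 and decides, for constructed UDP datagrams, which broadcasts are relayed to the helper. The model assumes the default UDP port list from the page and, for simplicity, accepts the global ip forward-protocol lines on the interface object.

```python
from dataclasses import dataclass, field

# The eight UDP ports IOS forwards automatically once ip helper-address is configured
DEFAULT_FORWARD_PORTS = frozenset({69, 53, 37, 137, 138, 67, 68, 49})

@dataclass
class HelperInterface:
    """Forwarding state of one interface (constructed model, not IOS code)."""
    address: str
    subnet_broadcast: str
    helpers: list = field(default_factory=list)
    forward_ports: set = field(default_factory=lambda: set(DEFAULT_FORWARD_PORTS))

    def apply(self, line: str) -> None:
        """Apply one configuration line written in the page's syntax."""
        t = line.split()
        if t[:2] == ["ip", "helper-address"]:
            self.helpers.append(t[2])
        elif t[:3] == ["ip", "forward-protocol", "udp"]:
            self.forward_ports.add(int(t[3]))        # enable a non-default port
        elif t[:4] == ["no", "ip", "forward-protocol", "udp"]:
            self.forward_ports.discard(int(t[4]))    # disable one of the default ports
        else:
            raise ValueError(f"unsupported line: {line}")

    def forward(self, dst_ip: str, dst_port: int) -> list:
        """Addresses a UDP datagram arriving here is relayed to ([] means not relayed)."""
        if dst_ip not in ("255.255.255.255", self.subnet_broadcast):
            return []        # unicast: routed normally, the helper is not involved
        if not self.helpers or dst_port not in self.forward_ports:
            return []        # no helper, or port not enabled: the broadcast stays local
        return list(self.helpers)

def build_e0() -> HelperInterface:
    """e0 configured as in the page's second helper-address example."""
    e0 = HelperInterface("144.253.1.1", "144.253.1.255")
    for line in ["ip helper-address 144.253.2.2",
                 "ip forward-protocol udp 3000",
                 "no ip forward-protocol udp 69"]:
        e0.apply(line)
    return e0

def demo() -> dict:
    """Constructed datagrams arriving on e0 (all destinations/ports are sample values)."""
    e0 = build_e0()
    return {
        "dhcp_discover": e0.forward("255.255.255.255", 67),   # default port: relayed
        "custom_3000":   e0.forward("144.253.1.255", 3000),   # enabled explicitly: relayed
        "tftp":          e0.forward("255.255.255.255", 69),   # default port disabled: not relayed
        "netbios_ns":    e0.forward("255.255.255.255", 137),  # default port: relayed
        "unicast_dns":   e0.forward("144.253.2.2", 53),       # unicast: helper not involved
    }
```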