
Cisco Router Configuration - Allan Leinwand, Bruce Pinsky


An IPX SAP filter is applied on the FastEthernet segment. The complete configuration of the SF-Core-1 router is as follows:

version 12.1
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname SF-Core-1
!
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authorization exec group tacacs+ if-authenticated
aaa authorization network group radius if-authenticated
aaa accounting exec stop-only group tacacs+
enable secret 5 $2$5toY$IJQPTVD4.aEDLwZSnPrvX.
!
ip tcp intercept mode watch
ip tcp intercept list 120
ip tcp intercept watch-timeout 15
ip domain-list zipnet.com
ip domain-list zipnet.net
ip domain-name zipnet.com
ip name-server 131.108.110.34
ip name-server 131.108.110.35
appletalk routing eigrp 25000
appletalk route-redistribution
ipx routing 0000.0e0d.1eb0
!
clock timezone PST -8
clock summer-time PDT recurring
!
interface Loopback1
 description SF-Core-1 router loopback
 ip address 131.108.254.3 255.255.255.255
!
interface FastEthernet0/0
 description San Francisco FastEthernet backbone LAN
 ip address 131.108.20.3 255.255.252.0
 appletalk cable-range 1-10
 appletalk zone SF Zone
 ipx network 10
 standby ip 131.108.20.5
 standby preempt
 ipx router-sap-filter 1001
!
interface Serial1/0
 description HDLC leased line on circuit 456WS34209 to San-Jose
 ip address 131.108.240.1 255.255.255.252
 appletalk cable-range 901-901
 appletalk zone WAN Zone
 appletalk protocol eigrp
 no appletalk protocol rtmp
 ipx network 901
!
interface Serial1/1
 description HDLC leased line on circuit 789WS34256 to IS2-B
 ip address 192.7.2.2 255.255.255.252
 ip access-group 101 in
!
interface Serial1/2
 no ip address
 shutdown
!
interface Serial1/3
 no ip address
 shutdown
!
router eigrp 25000
 redistribute static
 redistribute bgp 25000
 network 131.108.0.0
 distribute-list 1300 out
 no auto-summary
!
router bgp 25000
 no synchronization
 network 131.108.0.0
 neighbor 192.7.2.1 remote-as 1
 neighbor 192.7.2.1 description Internet Connection to ISP-B
 neighbor 192.7.2.1 distribute-list ISP-routes in
 neighbor 192.7.2.1 distribute-list ZIP-routes out
 remote-as 25000
 description IBGP to Seoul-1
 update-source Loopback 0
!
ip classless
ip default-network 131.119.0.0
ip default-network 140.222.0.0
ip route 131.108.232.0 255.255.255.0 FastEthernet0/0
ip route 131.108.0.0 255.255.0.0 Null0
logging 131.108.110.33
logging trap debugging
logging console emergencies
ip access-list standard ZIP-routes
 permit 131.108.0.0
ip access-list standard ISP-routes
 deny host 0.0.0.0
 deny 127.0.0.0 0.255.255.255
 deny 10.0.0.0 0.255.255.255
 deny 172.16.0.0 0.15.255.255
 deny 192.168.0.0 0.0.255.255
 deny 192.0.2.0 0.0.0.255
 deny 128.0.0.0 0.0.255.255
 deny 191.255.0.0 0.0.255.
 deny 192.0.0.0 0.0.0.255
 deny 223.255.255.0 0.0.0.255
 deny 224.0.0.0 31.255.255.255
 permit any
access-list 1 permit 131.108.0.0 0.0.255.255
access-list 2 permit host 131.108.20.45
access-list 101 remark Permits NTP DNS WWW and SMTP
access-list 101 deny tcp host 192.7.2.2 host 192.7.2.2 log
access-list 101 deny ip 131.108.0.0 0.0.255.255 any log
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip host 192.7.2.1 host 192.7.2.2
access-list 101 deny ip any host 192.7.2.2
access-list 101 permit udp any host 131.108.101.99 eq domain
access-list 101 permit udp host 15.255.160.64 host 131.108.254.3 eq ntp
access-list 101 permit udp host 128.4.1.1 host 131.108.254.3 eq ntp
access-list 101 permit udp host 16.1.0.4 host 131.108.254.3 eq ntp
access-list 101 permit udp host 204.123.2.5 host 131.108.254.3 eq ntp
access-list 101 permit tcp host 192.52.71.4 host 131.108.101.34 eq domain
access-list 101 permit tcp host 192.52.71.4 host 131.108.101.35 eq domain
access-list 101 permit tcp any host 131.108.101.34 eq smtp
access-list 101 permit tcp any host 131.108.101.35 eq smtp
access-list 101 permit tcp any host 131.108.101.100 eq www
access-list 101 permit tcp any host 131.108.101.100 eq ftp
access-list 101 permit tcp any host 131.108.101.100 eq ftp-data
access-list 101 permit tcp any gt 1023 host 131.108.101.100 gt 1023
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any port-unreachable
access-list 101 permit tcp any any established
access-list 101 permit tcp any any eq 22
access-list 101 deny tcp any any eq ident
access-list 101 deny ip any any log
access-list 120 permit ip any 131.108.0.0 0.0.255.255
access-list 1001 permit aa.0005.0112.0474
access-list 1001 deny -1
access-list 1300 permit 131.108.0.0 0.0.255.255
access-list 1300 permit 131.119.0.0
access-list 1300 permit 140.222.0.0
!
ipx router eigrp 25000
 network 10
 network 901
!
tacacs-server host 131.108.110.33
tacacs-server key ZIPSecure
radius-server host 131.108.110.33
radius-server key Radius4Me
snmp-server community Zipnet RO 2
snmp-server community ZIPprivate RW 2
snmp-server host 131.108.20.45 Zipnet snmp frame-relay config
snmp-server location 22 Cable Car Drive, San Francisco, CA, USA
snmp-server contact Allan Leinwand, allan@telegis.net
!
line con 0
 password 7 095B59
line aux 0
line vty 0 4
 password 7 095B59
 access-class 1 in
!
ntp update-calendar
ntp server 192.216.191.10
ntp server 129.189.134.11
!
end
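
Access list 101 in the listing above is applied inbound on the ISP-facing interface (ip access-group 101 in) and, like every IOS access list, is evaluated top-down with the first matching entry deciding. The Python code below is an added example, not from the book: it runs a subset of that list against constructed packets to show the anti-spoofing entries taking precedence over the later permits; the function names, the reduced rule set and the sample packets are assumptions made for this illustration.

```python
import ipaddress

# A subset of the listing's access-list 101, kept in listing order because
# IOS stops at the first matching entry.
ACL_101 = """\
access-list 101 deny ip 131.108.0.0 0.0.255.255 any log
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip host 192.7.2.1 host 192.7.2.2
access-list 101 deny ip any host 192.7.2.2
access-list 101 permit tcp any host 131.108.101.100 eq www
access-list 101 deny ip any any log
"""
PORTS = {"www": 80}  # only the port keyword used in the subset above

def addr_spec(tok):
    """Consume one address spec and return (base, wildcard) as integers."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.IPv4Address(tok.pop(0))), 0
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tok.pop(0)))

def parse(text):
    """Turn access-list lines into (action, proto, src, dst, port, line) tuples."""
    rules = []
    for line in text.splitlines():
        tok = line.split()[2:]  # drop "access-list 101"
        action, proto = tok.pop(0), tok.pop(0)
        src, dst = addr_spec(tok), addr_spec(tok)
        port = PORTS[tok[1]] if tok[:1] == ["eq"] else None
        rules.append((action, proto, src, dst, port, line))
    return rules

def hit(spec, ip):
    base, wild = spec
    # Wildcard bits set to 1 are ignored; every other bit must equal the base.
    return ((int(ipaddress.IPv4Address(ip)) ^ base) & ~wild & 0xFFFFFFFF) == 0

def evaluate(rules, proto, src, dst, dport=None):
    """Return (action, matching line) for the first entry that matches."""
    for action, rproto, rsrc, rdst, rport, line in rules:
        if rproto in ("ip", proto) and hit(rsrc, src) and hit(rdst, dst) \
                and rport in (None, dport):
            return action, line
    return "deny", "implicit deny"

if __name__ == "__main__":
    rules = parse(ACL_101)
    # Constructed packets arriving on the ISP-facing interface.
    for pkt in [("tcp", "198.51.100.7", "131.108.101.100", 80),  # outside client
                ("tcp", "131.108.5.5", "131.108.101.100", 80),   # spoofed inside source
                ("tcp", "172.20.1.1", "131.108.101.100", 80),    # RFC 1918 source
                ("tcp", "198.51.100.7", "192.7.2.2", 23),        # router's own address
                ("tcp", "192.7.2.1", "192.7.2.2", 179)]:         # ISP peer
        print(pkt, "->", evaluate(rules, *pkt))
```

The spoofed and RFC 1918 sources are dropped by the first entries even though a later entry permits www to the same server, which is why the source-address denies sit at the top of the list.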

The SF-Core-2 Router

The SF-Core-2 device in the ZIP company network is a Cisco 7505 router. Its configuration has the following features.

The San Francisco backbone LAN segment is connected to the Fast Ethernet interface.

A serial HDLC link runs to the router in San Jose.

Routers SF-Core-1 and SF-Core-2 form an HSRP group.

In EIGRP routing, redistribution of static routes is used to generate default routes.

An IPX SAP filter is applied on the FastEthernet segment.

The complete configuration of the SF-Core-2 router is as follows:

version 12.1
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname SF-Core-2
!
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authorization exec group tacacs+ if-authenticated
aaa authorization network group radius if-authenticated
aaa accounting exec stop-only group tacacs+
enable secret 5 $2$5toY$IJQPTVD4.aEDLwZSnPrvX.
!
ip domain-list zipnet.com
ip domain-list zipnet.net
ip domain-name zipnet.com
ip name-server 131.108.110.34
ip name-server 131.108.110.35
appletalk routing eigrp 25000
appletalk route-redistribution
ipx routing 0000.c0c.010b
!
clock timezone PST -8
clock summer-time PDT recurring
!
interface Loopback1
 description SF-Core-2 router loopback
 ip address 131.108.254.4 255.255.255.255
!
interface FastEthernet0/0
 description San Francisco FastEthernet backbone LAN
 ip address 131.108.20.4 255.255.252.0
 appletalk cable-range 1-10
 appletalk zone SF Zone
 ipx network 10
 standby ip 131.108.20.5
 standby preempt
 ipx router-sap-filter 1001
!
interface Serial1/0
 description HDLC leased line on circuit WSZ02980189 to Seoul-2
 ip address 131.108.240.5 255.255.255.252
 appletalk cable-range 902-902
 appletalk zone WAN Zone
 appletalk protocol eigrp
 no appletalk protocol rtmp
 ipx network 902
!
interface Serial1/1
 no ip address
 shutdown
!
interface Serial1/2
 no ip address
 shutdown
!
interface Serial1/3
 no ip address
 shutdown
!
router eigrp 25000
 redistribute static
 network 131.108.0.0
 no auto-summary
!
ip classless
ip route 131.108.0.0 255.255.0.0 Null0
logging 131.108.110.33
logging trap debugging
logging console emergencies
access-list 1 permit 131.108.0.0 0.0.255.255
access-list 2 permit host 131.108.20.45
access-list 1001 permit aa.0005.0112.0474
access-list 1001 deny -1
!
ipx router eigrp 25000
 network 10
 network 902
!
tacacs-server host 131.108.110.33
tacacs-server key ZIPSecure
radius-server host 131.108.110.33
radius-server key Radius4Me
snmp-server community Zipnet RO 2
snmp-server community ZIPprivate RW 2
snmp-server host 131.108.20.45 Zipnet snmp frame-relay config
snmp-server location 22 Cable Car Drive, San Francisco, CA, USA
snmp-server contact Allan Leinwand, allan@telegis.net
!
line con 0
 password 7 095B59
line aux 0
line vty 0 4
 password 7 095B59
 access-class 1 in
!
ntp update-calendar
ntp server 192.216.191.10
ntp server 129.189.134.11
!
end

The San Jose Router

The ZIP company network device in San Jose is a Cisco 3640 router. Its configuration has the following features.

The San Jose LAN segment is connected to a Token Ring interface with a bandwidth of 16 Mbytes.

A serial HDLC link runs to the SF-Core-1 router.

A serial HDLC link runs to the Seoul-1 router.

An access list is used to permit AppleTalk traffic to the public part of the engineering division's zone.

To advertise access to the engineering division's public IPX server, an outbound IPX SAP filter is applied on the serial links.

The complete configuration of the San Jose router is as follows:

version 12.1
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname San-Jose
!
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authorization exec group tacacs+ if-authenticated
aaa authorization network group radius if-authenticated
aaa accounting exec stop-only group tacacs+
enable secret 5 $2$5toY$IJQPTVD4.aEDLwZSnPrvX.
!
ip domain-list zipnet.com
ip domain-list zipnet.net
ip domain-name zipnet.com
ip name-server 131.108.110.34
ip name-server 131.108.110.35
appletalk routing eigrp 25000
appletalk route-redistribution
ipx routing 0000.c10e.100d
!
clock timezone PST -8
clock summer-time PDT recurring
!
interface Loopback1
 description San-Jose router loopback
 ip address 131.108.254.4 255.255.255.255
!
interface TokenRing0/0
 no ip address
 shutdown
!
interface Serial0/0
 description HDLC leased line on circuit BCS20198ASL to SF-Core-1
 ip address 131.108.240.2 255.255.255.252
 appletalk cable-range 901-901
 appletalk zone WAN Zone
 appletalk protocol eigrp
 no appletalk protocol rtmp
 ipx network 901
 ipx output-sap-filter 1000
 appletalk access-group 601
!
interface Serial0/1
 no ip address
 shutdown
!
interface TokenRing1/0
 description San Jose LAN Segment
 ip address 131.108.100.1 255.255.255.128
 ip helper-address 131.108.21.70
 ring-speed 16
 early-token-release
 ntp broadcast
 appletalk cable-range 1001-1010
 appletalk zone Engineering
 ipx network 1010
!
interface Serial1/0
 description HDLC leased line on circuit BCS1014343-9901 to Seoul-1
 ip address 131.108.241.2 255.255.255.252
 appletalk cable-range 1901-1901
 appletalk zone WAN Zone
 appletalk protocol eigrp
 no appletalk protocol rtmp
 ipx network 1901
 ipx output-sap-filter 1000
 appletalk access-group 601
!
interface Serial1/1
 no ip address
 shutdown
!
router eigrp 25000
 network 131.108.0.0
 no auto-summary
!
ip classless
logging 131.108.110.33
logging trap debugging
logging console emergencies
access-list 1 permit 131.108.0.0 0.0.255.255
access-list 2 permit host 131.108.20.45
access-list 601 permit nbp 1 object Engineering Public
access-list 601 permit nbp 1 type AFPServer
access-list 601 permit nbp 1 zone San Jose Zone
access-list 601 deny other-nbps
access-list 1000 permit 10.0000.0000.a0b0
access-list 1000 deny -1
!
ipx router eigrp 25000
 network 901
 network 1010
 network 1901
!
tacacs-server host 131.108.110.33
tacacs-server key ZIPSecure
radius-server host 131.108.110.33
radius-server key Radius4Me
snmp-server community Zipnet RO 2
snmp-server community ZIPprivate RW 2
snmp-server host 131.108.20.45 Zipnet snmp frame-relay config
snmp-server location 20 Market Street, San Jose, CA, USA
snmp-server contact Allan Leinwand, allan@telegis.net
!
line con 0
 password 7 095B59
line aux 0
line vty 0 4
 password 7 095B59
 access-class 1 in
!
ntp update-calendar
ntp server 192.216.191.10
ntp server 129.189.134.11
!
end

The Seoul-1 Router

The Seoul-1 device in the ZIP company network is a Cisco 4700 router. Its configuration has the following features.

The Seoul LAN segment is connected to the Ethernet interface. HSRP groups provide redundancy on this segment.

The router in Singapore and the router in Kuala Lumpur are connected through a point-to-point Frame Relay interface.

The complete configuration of the Seoul-1 router is as follows:

version 12.1
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname Seoul-1
!
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authorization exec group tacacs+ if-authenticated
aaa authorization network group radius if-authenticated
aaa accounting exec stop-only group tacacs+
enable secret 5 $2$5toY$IJQPTVD4.aEDLwZSnPrvX.
!
ip tcp intercept mode watch
ip tcp intercept list 120
ip tcp intercept watch-timeout 15
ip domain-list zipnet.com
ip domain-list zipnet.net
ip domain-name zipnet.com
ip name-server 131.108.110.34
ip name-server 131.108.110.35
appletalk routing eigrp 25000
appletalk route-redistribution
ipx routing 0000.0011.bceb
!
clock timezone KST +9
!
interface Loopback1
 description Seoul-1 router loopback
 ip address 131.108.254.6 255.255.255.255
!
interface Ethernet0
 description Seoul LAN Segment
 ip address 131.108.3.1 255.255.255.128
 ip helper-address 131.108.21.70
 no ip redirects
 media-type 10BaseT
 ntp broadcast
 appletalk cable-range 2001-2010
 appletalk zone Asia Distribution
 ipx network 2010
 standby 1 ip 131.108.3.3
 standby 1 priority 100
 standby 1 track Serial1
 standby 1 preempt
 standby 2 ip 131.108.3.4
 standby 2 priority 95
 standby 2 preempt
!
interface Serial0
 description IETF frame relay PVCs on circuit S123789y
 no ip address
 encapsulation frame-relay ietf
 bandwidth 256
 frame-relay lmi-type ansi
!
interface Serial0.16 point-to-point
 description FR PVC 16 to Kuala-Lumpur
 ip address 131.108.242.1 255.255.255.252
 bandwidth 128
 frame-relay interface-dlci 16
 appletalk cable-range 2901-2901
 appletalk zone WAN Zone
 appletalk protocol eigrp
 no appletalk protocol rtmp
 ipx network 2901
!
interface Serial0.17 point-to-point
 description FR PVC 17 to Singapore
 ip address 131.108.242.5 255.255.255.252
 bandwidth 128
 frame-relay interface-dlci 17
 appletalk cable-range 2902-2902
 appletalk zone WAN Zone
 appletalk protocol eigrp
 no appletalk protocol rtmp
 ipx network 2902
!
interface Serial1
 description HDLC leased line on circuit MC23-01-KL889 to San Jose
 ip address 131.108.241.2 255.255.255.252
 appletalk cable-range 1901-1901
 appletalk zone WAN Zone
 appletalk protocol eigrp
 no appletalk protocol rtmp
 ipx network 1901
!
interface Serial2
 description HDLC leased line on circuit ZW2390-1-H to ISP-A
 ip address 211.21.2.2 255.255.255.252
 ip access-group 101 in
!
interface Serial3
 no ip address
 shutdown
!
router eigrp 25000
 redistribute bgp 25000
 network 131.108.0.0
 distribute-list 1300 out
 no auto-summary
!
router bgp 25000
 no synchronization
 network 131.108.0.0
 neighbor 211.21.2.1 remote-as 701
 neighbor 211.21.2.1 description Internet Connection to ISP-A
 neighbor 211.21.2.1 distribute-list ISP-routes in
 neighbor 211.21.2.1 distribute-list ZIP-routes out
 neighbor 131.108.254.3 remote-as 25000
 neighbor 131.108.254.3 description IBGP to SF-Core-1
 neighbor 131.108.254.3 update-source Loopback 0
!
ip classless
logging 131.108.110.33
logging trap debugging
logging console emergencies
ip access-list standard ZIP-routes
 permit 131.108.0.0
ip access-list standard ISP-routes
 deny host 0.0.0.0
 deny 127.0.0.0 0.255.255.255
 deny 10.0.0.0 0.255.255.255
 deny 172.16.0.0 0.15.255.255
 deny 192.168.0.0 0.0.255.255
 deny 192.0.2.0 0.0.0.255
 deny 128.0.0.0 0.0.255.255
 deny 191.255.0.0 0.0.255.
 deny 192.0.0.0 0.0.0.255
 deny 223.255.255.0 0.0.0.255
 deny 224.0.0.0 31.255.255.255
 permit any
access-list 1 permit 131.108.0.0 0.0.255.255
access-list 2 permit host 131.108.20.45
access-list 101 remark Permits NTP DNS WWW and SMTP
access-list 101 deny tcp host 192.7.2.2 host 192.7.2.2 log
access-list 101 deny ip 131.108.0.0 0.0.255.255 any log
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip host 192.7.2.1 host 192.7.2.2
access-list 101 deny ip any host 192.7.2.2
access-list 101 permit udp any host 131.108.101.99 eq domain
access-list 101 permit udp host 15.255.160.64 host 131.108.254.3 eq ntp
access-list 101 permit udp host 128.4.1.1 host 131.108.254.3 eq ntp
access-list 101 permit udp host 16.1.0.4 host 131.108.254.3 eq ntp
access-list 101 permit udp host 204.123.2.5 host 131.108.254.3 eq ntp
access-list 101 permit tcp host 192.52.71.4 host 131.108.101.34 eq domain
access-list 101 permit tcp host 192.52.71.4 host 131.108.101.35 eq domain
access-list 101 permit tcp any host 131.108.101.34 eq smtp
access-list 101 permit tcp any host 131.108.101.35 eq smtp
access-list 101 permit tcp any host 131.108.101.100 eq www
access-list 101 permit tcp any host 131.108.101.100 eq ftp
access-list 101 permit tcp any host 131.108.101.100 eq ftp-data
access-list 101 permit tcp any gt 1023 host 131.108.101.100 gt 1023
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any port-unreachable
access-list 101 permit tcp any any established
access-list 101 permit tcp any any eq 22
access-list 101 deny tcp any any eq ident
access-list 101 deny ip any any log
access-list 120 permit ip any 131.108.0.0 0.0.255.255
access-list 1300 permit 131.108.0.0 0.0.255.255
access-list 1300 permit 131.119.0.0
access-list 1300 permit 140.222.0.0
!
ipx router eigrp 25000
 network 1901
 network 2010
 network 2901
!
tacacs-server host 131.108.110.33
tacacs-server key ZIPSecure
radius-server host 131.108.110.33
radius-server key Radius4Me
snmp-server community Zipnet RO 2
snmp-server community ZIPprivate RW 2
snmp-server host 131.108.20.45 Zipnet snmp frame-relay config
snmp-server location 251 Second Street, Seoul, Korea
snmp-server contact Allan Leinwand, allan@telegis.net
!
line con 0
 password 7 095B59
line aux 0
line vty 0 4
 password 7 095B59
 access-class 1 in
!
ntp update-calendar
ntp server 192.216.191.10
ntp server 129.189.134.11
!
end

The Seoul-2 Router

The Seoul-2 device in the ZIP company network is a Cisco 4700 router. Its configuration has the following characteristics.

The Seoul LAN segment is connected to the Ethernet interface. HSRP groups provide redundancy on this segment.

A serial HDLC link runs to the SF-Core-2 router.

The complete configuration of the Seoul-2 router is as follows:

version 12.1
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname Seoul-2
