April 2011

Category:

This post sets up file transfer with SCP. IOS can also act as an FTP server with the ftp-server command, but SCP is used here instead. SCP is one of SSH's functions and transfers files over the encrypted SSH channel, so it is safer than FTP.

SCP requires SSH, so SSH is enabled first.

R1(config)#ip domain-name example.com
R1(config)#crypto key generate rsa modulus 1024

F0/0 connects to R2 (12.12.12.2), and F0/1 connects to a Linux server on the LAN.

R1(config)#do sh ip int b
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            12.12.12.1      YES manual up                    up
FastEthernet0/1            192.168.0.100   YES manual up                    up

First, enable AAA for authentication.

R1(config)#aaa new-model

Enable AAA authentication login and authorization exec. Local authentication is used here.

R1(config)#aaa authentication login default local
R1(config)#aaa authorization exec default local

Create the user used for authentication; both the username and password are cisco. Privilege 15 must be assigned: with a lower privilege level, saving the file fails with an error.

R1(config)#username cisco privilege 15 secret cisco

Finally, enable SCP with ip scp server enable. Once SSH is enabled, SCP can be used.

R1(config)# ip scp server enable

Enable debugging to confirm the connection.

R1#debug ip scp
Incoming SCP debugging is on

First, transfer the file scp-test.txt from the Linux host to R1. Here it is saved to the router's flash, and the destination file name (from_linux) is specified as well.

$ cat scp-test.txt
File from Linux to IOS.
$ scp scp-test.txt cisco@192.168.0.100:flash:from_linux
The authenticity of host '192.168.0.100 (192.168.0.100)' can't be established.
RSA key fingerprint is 1d:a4:f5:d8:f8:88:6c:03:41:2c:b7:e2:d7:da:d1:51.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.100' (RSA) to the list of known hosts.
Password: (enter the password)
scp-test.txt                                  100%   24     0.0KB/s   00:00

Below is the debug output on R1, followed by the transferred file displayed with the more command.

R1#
Apr 25 07:53:26.823: SCP: [22 -> 192.168.0.180:34063] send <OK>
Apr 25 07:53:26.843: SCP: [22 <- 192.168.0.180:34063] recv C0644 24 scp-test.txt
Apr 25 07:53:26.855: SCP: [22 -> 192.168.0.180:34063] send <OK>
Apr 25 07:53:26.875: SCP: [22 <- 192.168.0.180:34063] recv 24 bytes
Apr 25 07:53:27.071: SCP: [22 <- 192.168.0.180:34063] recv <OK>
Apr 25 07:53:27.075: SCP: [22 -> 192.168.0.180:34063] send <OK>
Apr 25 07:53:27.079: SCP: [22 <- 192.168.0.180:34063] recv <EOF>
R1#
R1#dir flash:
Directory of flash:/

   12  -rw-          24  Apr 25 2011 16:53:27 +09:00  from_linux

16777212 bytes total (16499660 bytes free)
R1#more flash:from_linux
File from Linux to IOS.

To use SCP from IOS, use the copy command. Here R2's running-config is copied to R1.

R2#copy running-config scp://cisco@12.12.12.1/
Address or name of remote host [12.12.12.1]?
Destination username [cisco]?
Destination filename [r2-confg]?
Writing r2-confg
Password:
(enter the password)
!
1289 bytes copied in 14.320 secs (90 bytes/sec)

The file has been transferred.

R1#dir flash:
Directory of flash:/
(output omitted)
   15  -rw-        1289  Apr 25 2011 17:00:09 +09:00  r2-confg
(output omitted)
R1#more flash:r2-confg
!
! Last configuration change at 15:13:53 JST Mon Apr 25 2011
!
version 12.4
(output omitted)

ANAι츫ؤμ̿

Category:

ANAει츫ؤ˹ԤޤֶǸԵ礭ƥӥåꤷޤJALԤäƤߤ

Boeing 777-300


Boeing 747-400

Boeing 767-300

Boeing 767-300

Boeing 767-300

Category:

SSH configuration for routers now seems to appear even on the CCNA. On Linux and similar systems telnet is disabled by default, so...

Check the basic SSH configuration. In the initial state SSH is disabled.

R1#sh ip ssh
SSH Disabled - version 1.99
%Please create RSA keys (of atleast 768 bits size) to enable SSH v2.
Authentication timeout: 120 secs; Authentication retries: 3

To use SSH, generate an RSA key.

R1(config)#crypto key generate rsa modulus 1024
% Please define a domain-name first.

As the output shows, a domain name must be defined first.

R1(config)#ip domain-name example.com
R1(config)#crypto key generate rsa modulus 1024
The name for the keys will be: R1.example.com

% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

SSH connections are now possible.

R1(config)#
Apr 20 05:52:11.391: %SSH-5-ENABLED: SSH 1.99 has been enabled

R1(config)#do sh ip ssh
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3

Create the user that will connect.

R1(config)#username cisco secret cisco

Enable local authentication on the vty lines.

R1(config)#line vty 0 15
R1(config-line)#login local
R1#debug ip ssh client
SSH Client debugging is on

Here we log in over SSH from the neighbouring R2 (12.12.12.2) to R1 (12.12.12.1). No particular configuration is needed on R2; a Windows client or similar could also be used.

With the IOS ssh command, the user name is given with the -l option.

R2#ssh -l cisco 12.12.12.1

Password: (enter the password)

R1>

At this point R1 shows the following log.

R1#
Apr 20 06:26:07.135: SSH0: sent protocol version id SSH-1.99-Cisco-1.25
Apr 20 06:26:07.147: SSH0: protocol version id is - SSH-1.99-Cisco-1.25

Leaving it like this is not desirable from a security standpoint, so first configure an access list. Here only connections from 12.12.12.0/24 are accepted.

R1(config)#access-list 1 per 12.12.12.0 0.0.0.255
R1(config)#line
R1(config)#line vty 0 15
R1(config-line)#access-class 1 in
R1(config-line)#do sh ip acce 1
Standard IP access list 1
    10 permit 12.12.12.0, wildcard bits 0.0.0.255 (2 matches)

At this point TELNET is still enabled, so enabling SSH is meaningless as it stands. To allow connections over SSH only, use the transport input command.

R1(config)#line vty 0 15
R1(config-line)#transport input ssh

R2 can no longer use TELNET.

R2#telnet 12.12.12.1
Trying 12.12.12.1 ...
% Connection refused by remote host

By default both SSH version 1 and version 2 are enabled. There is no reason to use the old version 1, so it is disabled. The -v option of the ssh command selects the version.

R2#ssh -l cisco -v 1 12.12.12.1

Below is R1's log when the connection was made with version 1.

Apr 20 06:35:27.827: SSH0: sent protocol version id SSH-1.99-Cisco-1.25
Apr 20 06:35:27.831: SSH0: protocol version id is - SSH-1.5-Cisco-1.25

Change R1 to accept version 2 only.

R1(config)#do sh ip ssh
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3
R1(config)#ip ssh version ?
  <1-2>  Protocol version

R1(config)#ip ssh version 2
R1(config)#do sh ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3

R2 can no longer connect with version 1, and the log looks like this.

R2#ssh -l cisco -v 1 12.12.12.1

[Connection to 12.12.12.1 aborted: error status 0]

R1(config)#
Apr 20 06:38:33.671: SSH0: Session terminated normally
Apr 20 06:38:35.567: SSH0: sent protocol version id SSH-2.0-Cisco-1.25
Apr 20 06:38:35.579: SSH0: receive failure - status 0x07
Apr 20 06:38:35.683: SSH0: Session disconnected - error 0x07

To log SSH session events, enable ip ssh logging events.

R1(config)# ip ssh logging events
R1(config)#
Apr 20 06:46:32.455: SSH0: sent protocol version id SSH-2.0-Cisco-1.25
Apr 20 06:46:32.463: SSH0: protocol version id is - SSH-1.99-Cisco-1.25
Apr 20 06:46:32.567: %SSH-5-SSH2_SESSION: SSH2 Session request from 12.12.12.2 (tty = 0) using crypto cipher 'aes128-cbc', hmac 'hmac-sha1' Succeeded
Apr 20 06:46:33.739: %SSH-5-SSH2_USERAUTH: User 'cisco' authentication for SSH2 Session from 12.12.12.2 (tty = 0) using crypto cipher 'aes128-cbc', hmac 'hmac-sha1' Succeeded
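The version-negotiation and %SSH-5 event lines above are what an operator would watch for SSHv1 clients and for sessions still negotiating older algorithms. The following is an added example (not code from the original post) that parses such lines: the sample log is constructed from the lines shown above plus one hypothetical "Failed" user-auth line to exercise that branch, and the set of algorithms treated as legacy (CBC ciphers, SHA-1/MD5 HMACs) is this example's own assumption.

```python
import re

# Constructed sample: the debug and %SSH-5 lines from this post, plus one
# hypothetical failed authentication (the last line) that is not from the post.
SAMPLE_LOG = """\
Apr 20 06:26:07.135: SSH0: sent protocol version id SSH-1.99-Cisco-1.25
Apr 20 06:26:07.147: SSH0: protocol version id is - SSH-1.99-Cisco-1.25
Apr 20 06:35:27.831: SSH0: protocol version id is - SSH-1.5-Cisco-1.25
Apr 20 06:46:32.567: %SSH-5-SSH2_SESSION: SSH2 Session request from 12.12.12.2 (tty = 0) using crypto cipher 'aes128-cbc', hmac 'hmac-sha1' Succeeded
Apr 20 06:46:33.739: %SSH-5-SSH2_USERAUTH: User 'cisco' authentication for SSH2 Session from 12.12.12.2 (tty = 0) using crypto cipher 'aes128-cbc', hmac 'hmac-sha1' Succeeded
Apr 20 06:47:10.001: %SSH-5-SSH2_USERAUTH: User 'cisco' authentication for SSH2 Session from 12.12.12.9 (tty = 0) using crypto cipher 'aes128-cbc', hmac 'hmac-sha1' Failed
"""

# The peer's protocol identification string as echoed by "debug ip ssh".
PEER_VERSION_RE = re.compile(r"protocol version id is - SSH-(\d+\.\d+)")
# Session and user-auth events produced by "ip ssh logging events".
SESSION_RE = re.compile(
    r"%SSH-5-SSH2_SESSION: SSH2 Session request from (\S+) .*?"
    r"crypto cipher '([^']+)', hmac '([^']+)' (Succeeded|Failed)")
USERAUTH_RE = re.compile(
    r"%SSH-5-SSH2_USERAUTH: User '([^']+)' authentication for SSH2 Session "
    r"from (\S+) .*?(Succeeded|Failed)")

# Assumed policy for this example: CBC-mode and legacy ciphers, and SHA-1/MD5
# HMACs, are reported so the operator can tighten "ip ssh server algorithm".
LEGACY_CIPHER_MARKERS = ("-cbc", "3des", "arcfour")
LEGACY_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1", "hmac-sha1-96"}


def audit_ssh_log(text):
    """Scan IOS SSH log text and return a report of noteworthy events.

    v1_peers: peers that identified as SSH-1.x (SSH-1.99 means "both" and is
    accepted); legacy_algorithms: sessions negotiated with a legacy cipher or
    MAC; auth_failures: failed user authentications (line, user, peer).
    """
    report = {"v1_peers": [], "legacy_algorithms": [],
              "auth_failures": [], "sessions": 0}
    for lineno, line in enumerate(text.splitlines(), 1):
        m = PEER_VERSION_RE.search(line)
        if m:
            if float(m.group(1)) < 1.99:
                report["v1_peers"].append((lineno, "SSH-" + m.group(1)))
            continue
        m = SESSION_RE.search(line)
        if m:
            peer, cipher, mac, _result = m.groups()
            report["sessions"] += 1
            if any(k in cipher for k in LEGACY_CIPHER_MARKERS) or mac in LEGACY_MACS:
                report["legacy_algorithms"].append((lineno, peer, cipher, mac))
            continue
        m = USERAUTH_RE.search(line)
        if m and m.group(3) == "Failed":
            report["auth_failures"].append((lineno, m.group(1), m.group(2)))
    return report


if __name__ == "__main__":
    for key, value in audit_ssh_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Once `ip ssh version 2` is set, the v1_peers list should stay empty; a non-empty legacy_algorithms list is the cue to restrict the cipher and MAC lists on the router, and repeated entries in auth_failures from one peer are worth correlating with the vty access-class.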

HTTP server on IOS

Category:

Configure the HTTP server on IOS. A client (Windows 7) browser connects to 192.168.0.100, which is configured on R1's F0/1.

R1#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/1            192.168.0.100   YES manual up                    up

By default the HTTP server is disabled.

R1#show ip http server status
HTTP server status: Disabled
HTTP server port: 80
HTTP server authentication method: enable
HTTP server access class: 0
HTTP server base path:
HTTP server help root:
(output omitted)

The ip http server command enables it.

R1(config)#ip http server
R1(config)#do sh ip http server status
HTTP server status: Enabled
(output omitted)

Now connect from the browser to http://192.168.0.100/. A prompt asking for user authentication appears. Note that the realm is shown as level_15_access.


You can log in with an empty user name and the enable password as the password.


Using the "Monitor the router" link on that page, IOS commands can be executed from the browser.


As it stands there is no access restriction, which is not a desirable state. As below, an access-list restricts access to 192.168.0.0/24 only.

R1(config)#access-list 1 permit 192.168.0.0 0.0.0.255
R1(config)#ip http access-class 1
R1(config)#do sh ip http server status | i class
HTTP server access class: 1

Next, check authentication with a user name. First create user cisco with password cisco. When privilege is not specified like this, the privilege level is 1.

R1(config)#username cisco secret cisco
R1(config)#do sh run | i username
username cisco secret 5 $1$wLzt$1ERo8cQ7l4xSpjzVTJoMv1

To enable user authentication, run ip http authentication local.

R1(config)#ip http authentication local
R1(config)#do sh ip http server status | i method
HTTP server authentication method: local

With debugging enabled in this state, check what happens when logging in.

R1#debug ip http authentication
HTTP Server Authentication debugging is on

Because the user is not at level 15, which is required, the login fails and the following is shown.

Apr 11 06:37:46.139: HTTP: Authentication failed for level 15

Now change user cisco's privilege to 15.

R1(config)#username cisco privilege 15
R1(config)#do sh run | i username
username cisco privilege 15 secret 5 $1$wLzt$1ERo8cQ7l4xSpjzVTJoMv1

Login now succeeds.

Apr 11 06:40:20.423: HTTP: Priv level granted 15

When the HTTP server's base path is set, files in that location can be displayed directly in the browser.

R1(config)#ip http path flash:
R1(config)#do sh ip http server status | i path
HTTP server base path: flash:

Command output can be saved directly to a specified location with redirect.

R1#show ip http server statistics | redirect flash:http.txt

The above file can be viewed at http://192.168.0.100/http.txt. This shows the router can be used as a simple web server.

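The SSH and HTTP posts above each arrive at the same hardening set: access-class on the vty lines and on the HTTP server, transport input ssh, ip ssh version 2, and local (rather than enable-password) HTTP authentication. The following is an added example (not code from the original posts) that audits a saved running-config for exactly those settings. The two configs are constructed for the example, the hardened one uses a placeholder secret, and the rules only encode what the posts themselves configure.

```python
def _top_level(config_text):
    """Top-level (unindented, non-comment) config lines."""
    return [l.rstrip() for l in config_text.splitlines()
            if l and not l.startswith((" ", "!"))]


def parse_vty_blocks(config_text):
    """Return [(header, [sub-commands])] for each 'line vty' block."""
    blocks, current = [], None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
            continue
        current = None
        if raw.startswith("line vty"):
            current = (raw.strip(), [])
            blocks.append(current)
    return blocks


def audit_config(config_text):
    """Return (scope, finding) tuples for settings the posts above harden."""
    top = _top_level(config_text)
    has = lambda prefix: any(l.startswith(prefix) for l in top)
    findings = []

    if "ip http server" in top:
        if not has("ip http access-class"):
            findings.append(("http", "no ip http access-class: reachable from any source"))
        if not has("ip http authentication"):
            findings.append(("http", "default authentication: enable password with no user name"))

    if "ip ssh version 2" not in top:
        findings.append(("ssh", "ip ssh version 2 not set: SSH version 1 still accepted"))

    # The SCP post enables AAA authorization before ip scp server enable.
    if "ip scp server enable" in top and not has("aaa authorization exec"):
        findings.append(("scp", "ip scp server enable without aaa authorization exec"))

    for header, sub in parse_vty_blocks(config_text):
        transport = next((l for l in sub if l.startswith("transport input")), None)
        if transport != "transport input ssh":
            findings.append((header, f"transport input is '{transport}', not ssh only"))
        if not any(l.startswith("access-class") and l.endswith(" in") for l in sub):
            findings.append((header, "no inbound access-class"))
        if "login local" not in sub and "aaa new-model" not in top:
            findings.append((header, "no login local and AAA not enabled"))
    return findings


# Constructed sample: the state right after "ip http server" and SSH were
# first enabled in the posts above.
WEAK_CONFIG = """\
hostname R1
ip domain-name example.com
ip http server
line vty 0 15
 login local
 transport input telnet ssh
"""

# Constructed sample: the end state of the posts (secret is a placeholder).
HARDENED_CONFIG = """\
hostname R1
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username cisco privilege 15 secret PLACEHOLDER
ip ssh version 2
ip scp server enable
ip http server
ip http access-class 1
ip http authentication local
access-list 1 permit 192.168.0.0 0.0.0.255
line vty 0 15
 access-class 1 in
 transport input ssh
"""

if __name__ == "__main__":
    for scope, msg in audit_config(WEAK_CONFIG):
        print(f"[{scope}] {msg}")
```

Run it against the output of `show running-config` captured to a file; an empty result means every setting the posts configure is present.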

Category:

Check RIP authentication. R2 and R3 are connected directly with a serial cable (23.23.23.0/24).

R2(config)#do sh ip int b
Interface                  IP-Address      OK? Method Status                Protocol
Serial1/2                  23.23.23.2      YES manual up                    up
Loopback0                  17.17.2.2       YES NVRAM  up                    up

R3(config)#do sh ip int b
Interface                  IP-Address      OK? Method Status                Protocol
Serial1/3                  23.23.23.3      YES manual up                    up
Loopback0                  17.17.3.3       YES NVRAM  up                    up

R2(config)#do pin 23.23.23.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.23.23.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/26/72 ms

First configure RIP without authentication. Since the CCIE (R&S) uses only RIP version 2, version 2 is a required command.

R2(config)#router rip
R2(config-router)#version 2
R2(config-router)#no auto-summary
R2(config-router)#network 23.23.23.2
R2(config-router)#network 17.17.2.2

As with OSPF, the interface IP address can be entered as-is, but here it is automatically converted to the classful network address.

R2(config-router)#do sh run | s rip
router rip
version 2
network 17.0.0.0
network 23.0.0.0
no auto-summary

To verify RIP, use "show ip protocols" and "show ip rip database".

"show ip protocols" confirms that version 2 is in use and that the configured networks are active.

R2#show ip protocols
Routing Protocol is "rip"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Sending updates every 30 seconds, next due in 10 seconds
  Invalid after 180 seconds, hold down 180, flushed after 240
  Redistributing: rip
  Default version control: send version 2, receive version 2
    Interface             Send  Recv  Triggered RIP  Key-chain
    Serial1/2             2     2
    Loopback0             2     2
  Automatic network summarization is not in effect
  Maximum path: 4
  Routing for Networks:
    17.0.0.0
    23.0.0.0
  Routing Information Sources:
    Gateway         Distance      Last Update
  Distance: (default is 120)

"show ip rip database" currently shows only the router's own networks.

R2#show ip rip database
17.0.0.0/8    auto-summary
17.17.2.0/24    directly connected, Loopback0
23.0.0.0/8    auto-summary
23.23.23.0/24    directly connected, Serial1/2

Enable debugging and enter the same commands on R3. After a moment the update from R2 can be seen.

R3#debug ip rip
R3(config-router)#do sh run | s rip
router rip
version 2
network 17.0.0.0
network 23.0.0.0
no auto-summary

Apr  4 07:02:06.631: RIP: received v2 update from 23.23.23.2 on Serial1/3
Apr  4 07:02:06.635:      17.17.2.0/24 via 0.0.0.0 in 1 hops

Checking on R2, the Routing Information Sources now shows R3's IP address.

R2#show ip protocols | begin Sources
  Routing Information Sources:
    Gateway         Distance      Last Update
    23.23.23.3           120      00:00:23
  Distance: (default is 120)

R3's Lo0 network address has also been added.

R2#show ip rip database
17.0.0.0/8    auto-summary
17.17.2.0/24    directly connected, Loopback0
17.17.3.0/24
    [1] via 23.23.23.3, 00:00:12, Serial1/2
23.0.0.0/8    auto-summary
23.23.23.0/24    directly connected, Serial1/2

Next, create a key chain for authentication. Here the key chain name is "RIP", the key number is "1", and the key string is "CISCO". Create the same on R3. Note that a trailing space at the end of the key string causes an authentication error.

R2(config)#key chain RIP
R2(config-keychain)#key 1
R2(config-keychain-key)#key-string CISCO
R2(config-keychain-key)#do sh key chain
Key-chain RIP:
    key 1 -- text "CISCO"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]

First try enabling authentication in text mode. Since text mode is the default, the result is the same without "ip rip authentication mode text".

R2(config-keychain-key)#int s1/2
R2(config-if)#ip rip authentication key-chain RIP

R2(config-if)#do sh ip prot | b Interface
    Interface             Send  Recv  Triggered RIP  Key-chain
    Serial1/2             2     2                    RIP
    Loopback0             2     2

At this point R3 shows the following.

Apr  4 07:30:40.923: RIP: ignored v2 packet from 23.23.23.2 (invalid authentication)

Enable authentication on R3 as well. Because it is text mode, the key string "CISCO" appears in clear text.

R3(config-router)#int s1/3
R3(config-if)#ip rip authentication key-chain RIP

Apr  4 07:32:04.659: RIP: received packet with text authentication CISCO
Apr  4 07:32:04.659: RIP: ignored v2 packet from 23.23.23.2 (invalid authentication)

Change to MD5 mode, which is the preferable authentication.

R2(config)#int s1/2
R2(config-if)#ip rip authentication mode md5

R3(config)#int s1/3
R3(config-if)#ip rip authentication mode md5

This shows that MD5 is now in use. In RIP, the debug command can be used in this way to check the authentication status.

Apr  4 07:52:35.035: RIP: received packet with MD5 authentication
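The difference the debug lines show (the key string "CISCO" visible in text mode, only a digest in MD5 mode) comes from the RIPv2 packet layout. The following is an added example (not code from the original post) that builds both forms in Python following RFC 1723 (simple password) and RFC 2082 (keyed MD5), then verifies the MD5 trailer, including the trailing-space mistake the post warns about. Field sizes follow the RFCs; whether an IOS peer would accept these exact bytes is not asserted here, and the sample route is constructed.

```python
import hashlib
import hmac
import socket
import struct

# RIPv2 response header: command=2 (response), version=2, must-be-zero.
RIP_HEADER = struct.pack("!BBH", 2, 2, 0)
TRAILER_HEADER = struct.pack("!HH", 0xFFFF, 1)   # RFC 2082 authentication trailer


def route_entry(prefix, mask, metric, next_hop="0.0.0.0", tag=0):
    """One 20-byte RIPv2 route entry (AFI 2 = IP)."""
    return struct.pack("!HH4s4s4sI", 2, tag, socket.inet_aton(prefix),
                       socket.inet_aton(mask), socket.inet_aton(next_hop), metric)


def build_text_auth(password, routes):
    """Simple-password authentication: the key travels in clear text."""
    auth = struct.pack("!HH16s", 0xFFFF, 2, password.encode("ascii"))
    return RIP_HEADER + auth + b"".join(routes)


def _md5_over(body, trailer_header, key):
    # RFC 2082: MD5 over the packet with the 16-byte key (zero padded) in
    # place of the digest; the digest then replaces the key on the wire.
    key_bytes = key.encode("ascii")
    if len(key_bytes) > 16:
        raise ValueError("RFC 2082 keys are at most 16 bytes")
    return hashlib.md5(body + trailer_header + key_bytes.ljust(16, b"\x00")).digest()


def build_md5_auth(key, key_id, seq, routes):
    """Keyed-MD5 authentication: the key never appears on the wire."""
    trailer_offset = 4 + 20 + 20 * len(routes)   # header + auth entry + routes
    auth = struct.pack("!HHHBBI8x", 0xFFFF, 3, trailer_offset, key_id, 16, seq)
    body = RIP_HEADER + auth + b"".join(routes)
    return body + TRAILER_HEADER + _md5_over(body, TRAILER_HEADER, key)


def auth_type(packet):
    afi, atype = struct.unpack("!HH", packet[4:8])
    if afi != 0xFFFF:
        return "none"
    return {2: "text", 3: "md5"}.get(atype, "unknown")


def exposed_password(packet):
    """What a passive observer learns from a text-mode packet."""
    if auth_type(packet) != "text":
        return None
    return packet[8:24].rstrip(b"\x00").decode("ascii")


def verify_md5_auth(packet, key):
    """Receiver-side check: recompute the digest with the local key."""
    if auth_type(packet) != "md5":
        return False
    trailer_offset = struct.unpack("!H", packet[8:10])[0]
    body, trailer = packet[:trailer_offset], packet[trailer_offset:]
    if len(trailer) != 20 or trailer[:4] != TRAILER_HEADER:
        return False
    return hmac.compare_digest(_md5_over(body, trailer[:4], key), trailer[4:])


if __name__ == "__main__":
    routes = [route_entry("17.17.2.0", "255.255.255.0", 1)]   # constructed sample
    print("text mode exposes:", exposed_password(build_text_auth("CISCO", routes)))
    pkt = build_md5_auth("CISCO", 1, 1, routes)
    print("md5 mode verifies:", verify_md5_auth(pkt, "CISCO"),
          "| with trailing space:", verify_md5_auth(pkt, "CISCO "))
```

The verify function is what the receiving router effectively does before logging "received packet with MD5 authentication"; a key with a stray trailing space, a different key id's string, or a modified metric all change the digest, which is why the post's "invalid authentication" message appears for mismatched key strings.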

