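September 2011

Category:

To record the commands that have been executed, use archive. When working with multiple routers, it can become unclear which command was typed on which router. Enabling this in advance makes it possible to check the commands afterwards.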

R1(config)#archive
R1(config-archive)#log ?
  config  Logging changes to the running configuration

R1(config-archive)#log config
R1(config-archive-log-cfg)#?
commands for controlling config logging:
  default   Set a command to its defaults
  exit      Exit from the log config submode
  hidekeys  suppress output (e.g. passwords) when displaying logged commands
  logging   Modify config logging parameters
  no        Negate a command or set its defaults
  notify    Send logged commands to target applications
  record    What to record in the config logger

R1(config-archive-log-cfg)#logging enable

Run a few commands, then display the archive.

R1(config)#int s1/0
R1(config-if)#no sh
R1#show archive log config all
idx   sess           user@line      Logged command
    1     1        console@console  |  logging enable
    2     3        console@console  |interface Serial1/0
    3     3        console@console  | no shutdown

Logging in from R2 via TELNET and doing the same thing produces the following output.

R1#show archive log config all
    7     0   unknown user@vty0     |!exec: enable
    8     4   unknown user@vty0     |interface Serial1/0
    9     4   unknown user@vty0     | shutdown

When the user cisco is used on R1, the output is as follows.

R1(config-line)#do sh arc log con all
   15     0          cisco@vty0     |!exec: enable
   16     6          cisco@vty0     |interface Serial1/0
   17     6          cisco@vty0     | no shutdown

With these settings hidekeys is enabled, and you can see that the password is masked in the record.

R1(config)#do sh run | b archive
archive
log config
  logging enable
  hidekeys

R1(config)#do sh arc log con all
   31     5        console@console  |username ccie secret *****

When hidekeys is disabled, the password is displayed as-is.

R1(config-archive-log-cfg)#no hidekeys
R1(config-archive-log-cfg)#username ccde sec ccde
R1(config)#do sh arc log con all
   36     9        console@console  |  username ccde secret ccde

You can also display the entries for a specified user only.

R1#show archive log config user cisco 0
idx   sess           user@line      Logged command
   15     0          cisco@vty0     |!exec: enable
   16     6          cisco@vty0     |interface Serial1/0
   17     6          cisco@vty0     | no shutdown
   24     0          cisco@vty0     |!exec: enable

To send the logged commands straight to syslog, use the notify command.

R1(config-archive-log-cfg)#notify syslog
%PARSER-5-CFGLOG_LOGGEDCMD: User:cisco  logged command:no shutdown
%PARSER-5-CFGLOG_LOGGEDCMD: User:cisco  logged command:shutdown

statistics displays statistical information.

R1#show archive log config statistics
Config Log Session Info:
        Number of sessions being tracked: 1
        Memory being held: 3914 bytes
        Total memory allocated for session tracking: 15639 bytes
        Total memory freed from session tracking: 11725 bytes

Config Log log-queue Info:
        Number of entries in the log-queue: 40
        Memory being held by the log-queue: 10956 bytes
        Total memory allocated for log entries: 10956 bytes
        Total memory freed from log entries: 0 bytes
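
An added example, not part of the original post: a Python sketch that parses show archive log config all output like the listings above, groups the logged commands by user, and reports rows with no attributable user and rows whose secret was recorded unmasked (hidekeys off). The sample rows are copied from the transcripts above; the function names are this example's own.

```python
import re
from collections import defaultdict

# One row: idx, sess, user@line, then '|' and the logged command.
# The user part may contain a space ("unknown user@vty0").
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(.+?)@(\S+)\s*\|(.*)$")
# A secret/password keyword followed by its value.
KEY = re.compile(r"\b(?:secret|password)\s+(\S+)")

# Rows copied from the transcripts on this page.
SAMPLE = """\
idx   sess           user@line      Logged command
    1     1        console@console  |  logging enable
    7     0   unknown user@vty0     |!exec: enable
    8     4   unknown user@vty0     |interface Serial1/0
    9     4   unknown user@vty0     | shutdown
   16     6          cisco@vty0     |interface Serial1/0
   17     6          cisco@vty0     | no shutdown
   31     5        console@console  |username ccie secret *****
   36     9        console@console  |  username ccde secret ccde
"""

def parse_archive_log(text):
    """Return one dict per logged command; the header and other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            idx, sess, user, tty, cmd = m.groups()
            rows.append({"idx": int(idx), "sess": int(sess), "user": user.strip(),
                         "line": tty, "cmd": cmd.strip()})
    return rows

def audit(rows):
    """Group indexes by user; list unattributed rows and unmasked secrets."""
    by_user = defaultdict(list)
    unattributed, unmasked = [], []
    for r in rows:
        by_user[r["user"]].append(r["idx"])
        if r["user"] == "unknown user":        # vty login without a username
            unattributed.append(r["idx"])
        m = KEY.search(r["cmd"])
        if m and set(m.group(1)) != {"*"}:     # with hidekeys the value is *****
            unmasked.append(r["idx"])
    return dict(by_user), unattributed, unmasked

if __name__ == "__main__":
    print(audit(parse_archive_log(SAMPLE)))
```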

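Category:

This time we look at dynamic access lists. The configuration itself is not very complicated, but unless you understand it well before configuring it, it gets confusing.

R1 is directly connected to R2, and R2 is directly connected to R3.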

R1(config)#do sh ip int b
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            12.12.12.1      YES manual up                    up
Loopback0                  17.17.1.1       YES NVRAM  up                    up

R2(config)#do sh ip int b
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            12.12.12.2      YES manual up                    up
Serial1/2                  23.23.23.2      YES manual up                    up
Loopback0                  17.17.2.2       YES NVRAM  up                    up

R3(config)#do sh ip int b
Interface                  IP-Address      OK? Method Status                Protocol
Serial1/3                  23.23.23.3      YES manual up                    up
Loopback0                  17.17.3.3       YES NVRAM  up                    up

EIGRP is enabled on all interfaces of all three routers.

R1(config)#do sh ip rou ei
     17.0.0.0/24 is subnetted, 3 subnets
D       17.17.2.0 [90/156160] via 12.12.12.2, 00:02:30, FastEthernet0/0
D       17.17.3.0 [90/2300416] via 12.12.12.2, 00:02:19, FastEthernet0/0
     23.0.0.0/24 is subnetted, 1 subnets
D       23.23.23.0 [90/2172416] via 12.12.12.2, 00:02:30, FastEthernet0/0

The TELNET connection from R1 to R3 will be made using a dynamic access list. First, set up TELNET with username cisco and password cisco.

R3(config)#username cisco password cisco
R3(config)#line vty 0 4
R3(config-line)#login local

Verify the connection from R1.

R1(config)#do telnet 17.17.3.3
Trying 17.17.3.3 ... Open
(omitted)
Username: cisco
Password:
R3>

Configure the access list on R2. First, create the list DYNAMIC_LIST, which passes only EIGRP and denies everything else.

R2(config)#ip access-list extended DYNAMIC_LIST
R2(config-ext-nacl)#10 permit eigrp any any
R2(config-ext-nacl)#100 deny ip any any
R2(config-ext-nacl)#do sh ip acce
Extended IP access list DYNAMIC_LIST
    10 permit eigrp any any
    100 deny ip any any

Apply it to F0/0, which connects directly to R1.

R2(config-ext-nacl)#int f0/0
R2(config-if)#ip access-group DYNAMIC_LIST in
R2(config-if)#do sh ip int f0/0 | i Inbound
  Inbound  access list is DYNAMIC_LIST

At this point, naturally, TELNET is denied.

R1(config)#do telnet 17.17.3.3
Trying 17.17.3.3 ...
% Destination unreachable; gateway or host down

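Now we configure the dynamic access list. The flow here is that TELNET to R3 is permitted after a TELNET to R2.

Permit TELNET to R2 with username ccie and password ccie.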

R2(config-if)#username ccie pass ccie
R2(config)#line vty 0 4
R2(config-line)#login local
R2(config-line)#ip access-list extended DYNAMIC_LIST
R2(config-ext-nacl)#20 permit tcp any host 17.17.2.2 eq telnet
R2(config-ext-nacl)#do sh ip acce
Extended IP access list DYNAMIC_LIST
    10 permit eigrp any any (267 matches)
    20 permit tcp any host 17.17.2.2 eq telnet
    100 deny ip any any (3 matches)

Confirm that R1 can connect.

R1(config)#do telnet 17.17.2.2
Trying 17.17.2.2 ... Open
(omitted)
R2>

Create the dynamic access list entry, giving it the name TELNET.

R2(config-line)#ip access-list extended DYNAMIC_LIST
R2(config-ext-nacl)#30 dynamic TELNET permit tcp any host 17.17.3.3 eq telnet
R2(config-ext-nacl)#do sh ip acce
Extended IP access list DYNAMIC_LIST
    10 permit eigrp any any (2955 matches)
    20 permit tcp any host 17.17.2.2 eq telnet (285 matches)
    30 Dynamic TELNET permit tcp any host 17.17.3.3 eq telnet
    100 deny ip any any (3 matches)

To activate TELNET, configure the autocommand command on line vty.

R2(config)#line vty 0 4
R2(config-line)#autocommand access-enable host timeout 10

Connect from R1 to R2 via TELNET. After logging in, you are logged out automatically.

R1(config)#do telnet 17.17.2.2
Trying 17.17.2.2 ... Open
(omitted)
Password:
[Connection to 17.17.2.2 closed by foreign host]

Checking the access list on R2 confirms that TELNET from R1 to R3 is now enabled.

R2(config-ext-nacl)#do sh ip acce
Extended IP access list DYNAMIC_LIST
    10 permit eigrp any any (2991 matches)
    20 permit tcp any host 17.17.2.2 eq telnet (351 matches)
    30 Dynamic TELNET permit tcp any host 17.17.3.3 eq telnet
       permit tcp host 12.12.12.1 host 17.17.3.3 eq telnet
    100 deny ip any any (3 matches)

In this state, confirm that a TELNET connection from R1 to R3 is possible.

R1(config)#do telnet 17.17.3.3
Trying 17.17.3.3 ... Open
(omitted)
Password:
R3>
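
An added example, not from the original post: a simplified Python model of the DYNAMIC_LIST behaviour walked through above. It assumes first-match evaluation, that access-enable host opens the dynamic entry only for the authenticating source address, and that timeout 10 is an idle timeout in minutes; the class, the function names and the host 12.12.12.99 are this example's own.

```python
from dataclasses import dataclass, field

TELNET = 23
R2_LOOPBACK, R3_LOOPBACK = "17.17.2.2", "17.17.3.3"   # addresses from the page

@dataclass
class DynamicList:
    """Simplified model of R2's DYNAMIC_LIST as configured above (first match wins)."""
    idle_timeout: float = 10 * 60               # 'timeout 10' on access-enable, in seconds
    temp: dict = field(default_factory=dict)    # source IP -> time of last permitted packet

    def access_enable_host(self, src, now):
        """Successful vty login on R2: autocommand opens an entry for this source only."""
        self.temp[src] = now

    def check(self, src, dst, proto, dport, now):
        if proto == "eigrp":                                        # seq 10
            return "permit"
        if (proto, dst, dport) == ("tcp", R2_LOOPBACK, TELNET):     # seq 20
            return "permit"
        if (proto, dst, dport) == ("tcp", R3_LOOPBACK, TELNET):     # seq 30 Dynamic TELNET
            last = self.temp.get(src)
            if last is not None and now - last <= self.idle_timeout:
                self.temp[src] = now            # matching traffic resets the idle timer
                return "permit"
            self.temp.pop(src, None)            # entry expired or never created
        return "deny"                                               # seq 100

def walkthrough():
    """Replay the page's sequence from R1 (12.12.12.1); 12.12.12.99 is a constructed host."""
    acl, r1, other = DynamicList(), "12.12.12.1", "12.12.12.99"
    results = [acl.check(r1, R3_LOOPBACK, "tcp", TELNET, now=0)]          # before login
    acl.access_enable_host(r1, now=10)                                    # telnet to R2, log in
    results.append(acl.check(r1, R3_LOOPBACK, "tcp", TELNET, now=20))     # R1 -> R3
    results.append(acl.check(other, R3_LOOPBACK, "tcp", TELNET, now=20))  # unauthenticated source
    results.append(acl.check(r1, R3_LOOPBACK, "tcp", TELNET, now=621))    # idle for over 10 minutes
    return results

if __name__ == "__main__":
    print(walkthrough())
```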

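Category:

Here are some tips for working with logs in IOS.

When log messages appear while you are typing a command, the screen becomes hard to read.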

R1(config)#do deb ip icmp
ICMP packet debugging is on
R1(config)#do pin 17.17.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 17.17.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/12 ms
R1(config)#
ICMP: echo reply sent, src 17.17.1.1, dst 17.17.1.1
(omitted)
ICMP: echo reply rcvd, src 17.17.1.1, dst 17.17.1.1  <- input position

With the logging synchronous command configured, the input stays at its current position even when interrupting output is displayed.

R1(config)#line console 0
R1(config-line)#logging synchronous

R1(config-line)#do pin 17.17.1.1
(omitted)
ICMP: echo reply rcvd, src 17.17.1.1, dst 17.17.1.1
R1(config-line)#  <- input position

You can scroll back up to follow the displayed logs, but saving them with the logging buffered command makes them easier to check.

R1(config)#logging buffered
R1(config)#do pin 17.17.1.1
(omitted)
R1(config)#do sh logging
(omitted)
Log Buffer (4096 bytes):

ICMP: echo reply sent, src 17.17.1.1, dst 17.17.1.1
ICMP: echo reply rcvd, src 17.17.1.1, dst 17.17.1.1

To give log messages sequence numbers, use the service sequence-numbers command.

R1(config)#service sequence-numbers
R1(config)#do pin 17.17.1.1
(omitted)
000221: ICMP: echo reply sent, src 17.17.1.1, dst 17.17.1.1
000222: ICMP: echo reply rcvd, src 17.17.1.1, dst 17.17.1.1

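With the settings so far, debug output is shown without a time, but the service timestamps command lets you display the time along with it. If the clock has not been set, the timestamps will not be correct.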

R1(config)#service timestamps debug datetime ?
  localtime      Use local time zone for timestamps
  msec           Include milliseconds in timestamp
  show-timezone  Add time zone information to timestamp
  year           Include year in timestamp
  <cr>

R1(config)#service timestamps debug datetime localtime
R1(config)#service timestamps log datetime localtime
R1(config)#do pin 17.17.1.1
(omitted)
Sep 13 15:21:08: ICMP: echo reply sent, src 17.17.1.1, dst 17.17.1.1
Sep 13 15:21:08: ICMP: echo reply rcvd, src 17.17.1.1, dst 17.17.1.1
R1(config)#do sh clock
15:22:50.971 JST Tue Sep 13 2011

Category:

This time we look at how to use "log" in access lists. R1 and R2 are connected via F0/0, and EIGRP is configured.

R1(config)#do sh ip int b
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            12.12.12.1      YES manual up                    up
Loopback0                  17.17.1.1       YES NVRAM  up                    up

R2(config)#do sh ip int b
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            12.12.12.2      YES manual up                    up
Loopback0                  17.17.2.2       YES NVRAM  up                    up

R1(config)#do sh ip ei 100 int
IP-EIGRP interfaces for process 100

                        Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Fa0/0              1        0/0        12       0/1           50           0
Lo0                0        0/0         0       0/1            0           0

R1(config)#do sh ip rou ei
     17.0.0.0/24 is subnetted, 2 subnets
D       17.17.2.0 [90/156160] via 12.12.12.2, 00:08:57, FastEthernet0/0

R1(config)#do pin 17.17.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 17.17.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/8/12 ms

Create an access list that lets ping through. EIGRP is permitted as well.

R2(config)#ip access-list extended LIST1
R2(config-ext-nacl)#10 permit icmp an an
R2(config-ext-nacl)#100 per eigrp an an
R2(config-ext-nacl)#do sh ip acce
Extended IP access list LIST1
    10 permit icmp any any
    100 permit eigrp any any

Apply it to F0/0 and run the ping command.

R2(config-ext-nacl)#int f0/0
R2(config-if)#ip access-group LIST1 in
R2(config-if)#do sh ip int f0/0 | i LIST1
  Inbound  access list is LIST1

After that, run ping from R1.

R1(config)#do pin 17.17.2.2
(omitted)
!!!!!

Checking the access list on R2 shows "15 matches", which tells us it was applied.

R2(config)#do sh ip acce
Extended IP access list LIST1
    10 permit icmp any any (15 matches)
    100 permit eigrp any any (6 matches)

Add "log" to the ICMP line.

R2(config)#ip access-list extended LIST1
R2(config-ext-nacl)#no 10 per icmp an an
R2(config-ext-nacl)#10 per icm an an log
R2(config-ext-nacl)#do sh ip acce
Extended IP access list LIST1
    10 permit icmp any any log
(omitted)

Running ping from R1 makes R2 display a log message like the following.

Sep  5 06:12:46.347: %SEC-6-IPACCESSLOGDP: list LIST1 permitted icmp 12.12.12.1 -> 17.17.2.2 (0/0), 5 packets

Change "log" to "log-input".

R2(config-ext-nacl)#no 10
R2(config-ext-nacl)#10 permit icmp an an log-input

Running ping from R1 makes R2 display a log message like the following. Unlike "log", the MAC address is also shown.

Sep  5 06:14:30.551: %SEC-6-IPACCESSLOGDP: list LIST1 permitted icmp 12.12.12.1 (FastEthernet0/0 c200.163f.0000) -> 17.17.2.2 (0/0), 5 packets
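
An added example, not from the original post: a Python parser for the %SEC-6-IPACCESSLOGDP messages shown above, covering both the log and the log-input form, plus a check of the logged MAC address against an expected-neighbor table. The third sample line and the EXPECTED_MAC table are constructed for illustration; the function names are this example's own.

```python
import re

ACL_LOG = re.compile(
    r"%SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)(?: \((?P<ifname>\S+) (?P<mac>[0-9a-f.]+)\))? -> "
    r"(?P<dst>[\d.]+) \((?P<type>\d+)/(?P<code>\d+)\), (?P<count>\d+) packets?"
)

# The first two lines are the page's own output; the third is constructed.
SAMPLE = [
    "Sep  5 06:12:46.347: %SEC-6-IPACCESSLOGDP: list LIST1 permitted icmp "
    "12.12.12.1 -> 17.17.2.2 (0/0), 5 packets",
    "Sep  5 06:14:30.551: %SEC-6-IPACCESSLOGDP: list LIST1 permitted icmp "
    "12.12.12.1 (FastEthernet0/0 c200.163f.0000) -> 17.17.2.2 (0/0), 5 packets",
    "Sep  5 06:15:02.113: %SEC-6-IPACCESSLOGDP: list LIST1 permitted icmp "
    "12.12.12.1 (FastEthernet0/0 c200.aaaa.0000) -> 17.17.2.2 (0/0), 1 packet",
]

# Constructed inventory: the MAC address each neighbor IP is expected to use.
EXPECTED_MAC = {"12.12.12.1": "c200.163f.0000"}

def parse_acl_log(line):
    """Return the message fields as a dict, or None if the line is not an ACL log."""
    m = ACL_LOG.search(line)
    if m is None:
        return None
    event = m.groupdict()          # ifname and mac are None for plain "log"
    for key in ("type", "code", "count"):
        event[key] = int(event[key])
    return event

def mac_mismatches(lines, expected):
    """Return ([(src, ifname, mac), ...], n) where n counts entries without a MAC."""
    mismatches, unverifiable = [], 0
    for line in lines:
        event = parse_acl_log(line)
        if event is None:
            continue
        if event["mac"] is None:   # logged with "log": no layer-2 data to compare
            unverifiable += 1
        elif expected.get(event["src"]) not in (None, event["mac"]):
            mismatches.append((event["src"], event["ifname"], event["mac"]))
    return mismatches, unverifiable

if __name__ == "__main__":
    print(mac_mismatches(SAMPLE, EXPECTED_MAC))
```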
