Router and Switch Configuration Walkthrough

1. Router configuration walkthrough
1.1 Device naming and remote management
1.2 User privilege authorization
1.3 Device interconnection
1.4 Routing
1.5 NTP and other device settings
1.6 Network management (SNMP)
1.7 NAT configuration
1.8 Security hardening
1.9 VPN tunnels
1.10 VoIP system
1.1 Device naming and remote management
version 12.4
hostname <device-hostname>
boot-start-marker
boot-end-marker
enable secret 5 $1$HzVg$efnlkSsNkxwtZPlDJZ4.R.
enable password 7 050C1E1C2D4857294056454A
line vty 0 4
 privilege level 15
 password 7 00030B15085F122656721E16
 authorization commands 2 vty
 authorization commands 7 vty
 authorization commands 15 vty
 authorization exec vty
 accounting commands 2 vty
 accounting commands 7 vty
 accounting commands 15 vty
 login authentication vty
 length 0
 transport input telnet ssh
 transport output telnet ssh
line vty 5 988
1.2 User privilege authorization
username gxsldy privilege 15 secret 5 $1$OCdZ$Jt6HFkW23G2CqFj68waEp/
username gxsldyjt privilege 3 secret 5 $1$VOs/$NnR9de78X53Pu.hCjQBUP/
username txsldy privilege 15 secret 5 $1$kZcT$RtRzOthMUpmByrxbelmVa/
username huangns privilege 3 secret 5 $1$sxOC$obZ/6WNpIQ1mETTMmT4j41
username txvpn privilege 0 secret 5 $1$12Q9$nJpjeIETtyX4UeYGvMZy70
privilege exec level 2 show logging
privilege exec level 7 show interfaces
privilege exec level 2 show startup-config
privilege exec level 2 show
aaa authentication login vpnauth local
aaa authentication login vty local
aaa authorization console
aaa authorization exec vty local
aaa authorization commands 2 vty none
aaa authorization commands 7 vty none
aaa authorization commands 15 vty none
aaa authorization network vpnauthor local
1.3 Device interconnection
interface Loopback0
 ip address 10.250.200.82 255.255.255.255
interface FastEthernet0/0
 description CONNECT TO Internet
 ip address 218.21.71.4 255.255.255.0
interface FastEthernet0/1
 description CONNECT TO C3560 F0/24
 bandwidth 100000
 ip address 10.200.82.254 255.255.255.248
1.4 Routing
router ospf 1
 log-adjacency-changes
 redistribute static subnets route-map VPNtoospf
 network 10.82.200.0 0.0.0.255 area 0
 network 10.200.82.254 0.0.0.0 area 0
 network 10.200.200.0 0.0.0.255 area 0
 network 10.250.200.82 0.0.0.0 area 0
ip route 0.0.0.0 0.0.0.0 218.21.71.1
ip route 10.68.0.0 255.255.0.0 10.82.200.253
ip route 10.82.63.0 255.255.255.0 Null0 tag 10
ip route 192.168.1.0 255.255.255.0 10.82.200.253
1.5 NTP and other device settings
System logging:
logging message-counter syslog
logging buffered 409600
logging console critical
logging trap debugging
logging source-interface Loopback0
logging 10.250.100.1
Domain name resolution:
no ip bootp server
no ip domain lookup
ip domain name https://www.wendangku.net/doc/558092002.html,
no ipv6 cef
multilink bundle-name authenticated
NTP:
scheduler allocate 30000 1000
ntp server 10.250.200.254
clock timezone BJ 8
1.6 Network management (SNMP)
snmp-server community gxsldyro RO
snmp-server community gxsldyrw RW
snmp-server trap-source Loopback0
snmp-server host 10.250.100.1 version 2c gxsldyro
1.7 NAT configuration
Translation list (which traffic is eligible for NAT):
ip access-list extended natlist
 deny ip 10.82.0.0 0.0.255.255 10.82.95.0 0.0.0.255
 deny ip 10.82.0.0 0.0.255.255 10.82.63.0 0.0.0.255
 permit ip host 10.82.5.1 any
 permit ip host 10.82.8.1 any
 permit ip host 10.82.6.1 any
 permit ip 10.82.81.0 0.0.0.255 any
 permit ip 10.82.3.0 0.0.0.255 any
 permit ip 10.68.0.0 0.0.255.255 any
 permit ip 10.82.35.0 0.0.0.255 any
 permit ip 10.82.1.0 0.0.0.15 any
 permit ip 10.82.34.0 0.0.0.255 any
 permit ip host 10.82.7.188 any
 permit ip host 10.82.1.15 any
 permit ip 192.168.1.0 0.0.0.15 any
 permit ip 10.82.192.0 0.0.0.255 any
Translation rules:
ip nat translation max-entries all-host 250
ip nat inside source list natlist interface FastEthernet0/0 overload
ip nat inside source static tcp 10.82.1.15 80 218.21.71.4 80 extendable
ip nat inside source static tcp 10.82.8.1 80 218.21.71.4 81 extendable
ip nat inside source static udp 10.82.8.1 161 218.21.71.4 161 extendable
ip nat inside source static tcp 10.82.8.1 3306 218.21.71.4 3306 extendable
ip nat inside source static tcp 10.82.1.15 3389 218.21.71.4 3389 extendable
ip nat inside source static tcp 192.168.1.10 8000 218.21.71.4 8000 extendable
ip nat inside source static tcp 10.82.8.1 8022 218.21.71.4 8022 extendable
ip nat inside source static tcp 10.82.8.1 8088 218.21.71.4 8088 extendable
ip nat inside source static tcp 192.168.1.10 8100 218.21.71.4 8100 extendable
ip nat inside source static tcp 10.82.1.5 9000 218.21.71.4 9000 extendable
ip nat inside source static tcp 10.82.1.5 9100 218.21.71.4 9100 extendable
ip nat inside source static tcp 10.82.1.5 9200 218.21.71.4 9200 extendable
1.8 Security hardening
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
Disable web management of the device:
no ip http server
no ip http secure-server
security authentication failure rate 3 log
security passwords min-length 6
interface FastEthernet0/0
 description CONNECT TO Internet
 ip address 218.21.71.4 255.255.255.0
 ip verify unicast reverse-path
 no ip redirects
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 snmp trap ip verify drop-rate
 no mop enabled
 crypto map vpnmap
 service-policy output voipaudiopolice
interface FastEthernet0/1
 description CONNECT TO C3560 F0/24
 bandwidth 100000
 ip address 10.200.82.254 255.255.255.248
 ip verify unicast reverse-path
 no ip redirects
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 snmp trap ip verify drop-rate
 no mop enabled
 service-policy output voipaudiopolice
Login warning banner:
banner motd ^C
Authorized access only
This system is the property of GXSLDY Enterprise.
Disconnect IMMEDIATELY as you are not an authorized user!
Contact sldyjsb@https://www.wendangku.net/doc/558092002.html, 137********.^C
1.9 VPN tunnels
VPN tunnel setup, phase 1 (IKE):
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key gxsldy:teamu:ice-cream address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
crypto isakmp nat keepalive 10
!
crypto isakmp client configuration group vpn@txsldy
 key remote@txsldy
 dns 10.0.1.8
 wins 10.0.1.7
 pool powervpnpool
 acl 110
 save-password
 netmask 255.255.255.0
VPN tunnel setup, phase 1 (continued):
crypto isakmp profile ezvpn
 match identity group vpn@txsldy
 client authentication list vpnauth
 isakmp authorization list vpnauthor
 client configuration address respond
 keepalive 10 retry 2
!
crypto ipsec transform-set ezvpnset esp-3des esp-sha-hmac
 mode transport
crypto ipsec transform-set sldyset esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile sldypro
 set transform-set sldyset
!
crypto dynamic-map testmap 10
 set transform-set ezvpnset
 set isakmp-profile ezvpn
 reverse-route
!
crypto map vpnmap 10 ipsec-isakmp dynamic testmap
Building the VPN tunnel (phase 2):
interface Tunnel11
 bandwidth 1000
 ip address 10.200.200.82 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication sldy@
 ip nhrp map 10.200.200.1 116.10.195.205
 ip nhrp map multicast 116.10.195.205
 ip nhrp network-id 10
 ip nhrp nhs 10.200.200.1
 ip tcp adjust-mss 1360
 ip ospf network broadcast
 ip ospf priority 0
 cdp enable
 tunnel source FastEthernet0/0
 tunnel destination 116.10.195.205
 tunnel key 5551302
 tunnel protection ipsec profile sldypro
Building the VPN tunnel (phase 2), continued:
ip local pool powervpnpool 10.82.63.10 10.82.63.250
VPN tunnel resource access policy:
access-list 110 permit ip 10.82.0.0 0.0.255.255 10.82.63.0 0.0.0.255
access-list 110 permit ip 192.168.0.0 0.0.255.255 10.82.63.0 0.0.0.255
access-list 110 permit ip host 10.0.2.10 10.82.63.0 0.0.0.255
access-list 110 permit ip 10.200.200.0 0.0.0.255 10.82.63.0 0.0.0.255
access-list 110 permit ip host 10.0.2.2 10.82.63.0 0.0.0.255
access-list 110 permit ip 10.82.63.0 0.0.0.255 10.82.0.0 0.0.255.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
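The remote-management (1.1), SNMP (1.6), hardening (1.8) and IKE (1.9) settings shown above are the ones a reviewer checks mechanically when auditing a device: Telnet still allowed on the vty lines, a reversible type 7 enable password next to the type 5 secret, a read-write SNMP community, SNMPv2c traps, a short minimum password length, a pre-shared key bound to 0.0.0.0 0.0.0.0 (any peer), and 3DES / DH group 2 in the IKE policy. The following Python script is an added example, not part of the original document or of any vendor tool: it parses a running-config in IOS's indented style and reports those settings. The sample config, the check names and the 8-character minimum-length threshold are this example's own assumptions.

```python
"""Added example (not from the original document): audit a Cisco IOS
running-config for the weak remote-management, SNMP, hardening and IKE
settings discussed in sections 1.1, 1.6, 1.8 and 1.9.
Check names and thresholds are this example's own assumptions."""
import re
from typing import Iterator, List, Tuple

# Constructed sample config; every value is a placeholder, not a real device.
SAMPLE_CONFIG = """\
version 12.4
hostname EXAMPLE-RTR
enable secret 5 $1$xxxx$placeholderhash
enable password 7 00112233445566
security passwords min-length 6
no ip http server
ip http secure-server
snmp-server community public RW
snmp-server community readonly RO
snmp-server host 10.0.0.1 version 2c readonly
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key example-psk address 0.0.0.0 0.0.0.0
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""

Finding = Tuple[str, str]  # (check id, evidence line)


def parse_sections(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (parent, line) pairs; IOS marks sub-mode lines with a leading space."""
    parent = ""
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            yield parent, raw.strip()
        else:
            parent = raw.strip()
            yield "", parent


def audit_config(text: str) -> List[Finding]:
    findings: List[Finding] = []
    lines = list(parse_sections(text))
    global_cmds = {line for parent, line in lines if parent == ""}

    if "service password-encryption" not in global_cmds:
        findings.append(("no-service-password-encryption", "(absent)"))
    for parent, line in lines:
        # Type 7 "encryption" is reversible; only the type 5 enable secret is hashed.
        if parent == "" and line.startswith("enable password"):
            findings.append(("enable-password-type7", line))
        # Telnet carries the login in cleartext; only ssh should remain.
        if parent.startswith("line vty") and line.startswith("transport input") \
                and "telnet" in line.split():
            findings.append(("telnet-on-" + parent.replace(" ", "-"), line))
        m = re.match(r"snmp-server community (\S+) (RO|RW)$", line)
        if m and m.group(2) == "RW":
            findings.append(("snmp-rw-community", line))
        if line.startswith("snmp-server host") and "version 2c" in line:
            findings.append(("snmp-v2c-trap-host", line))
        m = re.match(r"security passwords min-length (\d+)", line)
        if m and int(m.group(1)) < 8:  # 8 is this example's threshold
            findings.append(("short-min-password-length", line))
        # A PSK bound to 0.0.0.0 0.0.0.0 is accepted from any peer address.
        if re.match(r"crypto isakmp key \S+ address 0\.0\.0\.0 0\.0\.0\.0$", line):
            findings.append(("wildcard-psk", line))
        if parent.startswith("crypto isakmp policy") and line in ("encr 3des", "group 2"):
            findings.append(("weak-ike-" + line.split()[1], line))
        if parent == "" and line == "ip http server":
            findings.append(("http-server-enabled", line))
    return findings


def finding_ids(text: str) -> List[str]:
    """Sorted, de-duplicated check ids; handy for comparing two configs."""
    return sorted({check for check, _ in audit_config(text)})


if __name__ == "__main__":
    for check, evidence in audit_config(SAMPLE_CONFIG):
        print(f"{check:32} {evidence}")
```

Feed the script the text of `show running-config` to audit a real device; it only reports the offending lines and decodes nothing. Missing global commands (here `service password-encryption`) are reported with the evidence `(absent)`, since the weakness is the line that is not there.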
1.10 VoIP system
Define the local gateway:
interface Loopback0
 ip address 10.250.200.82 255.255.255.255
 h323-gateway voip interface
 h323-gateway voip id https://www.wendangku.net/doc/558092002.html, ipaddr 10.250.200.254 1719
 h323-gateway voip h323-id txsldy
 h323-gateway voip tech-prefix 1#
 h323-gateway voip bind srcaddr 10.250.200.82
gateway
 timer receive-rtp 1200
Voice application template:
application
 service load sldy-ivr
  param aa-pilot 8226316
  paramspace chinese index 1
  paramspace chinese language ch
  paramspace chinese location flash:
  param operator 986
  paramspace chinese prefix ch
 !
 service sldy-ivr flash:its-CISCO.2.0.1.0.tcl
  param operator 986
  paramspace chinese language ch
  paramspace chinese index 1
  paramspace chinese location flash:
  paramspace chinese prefix ch
  param aa-pilot .
Define call rules (dial peers):
dial-peer voice 1 voip
 destination-pattern 077........
 session target ras
 codec g711ulaw
 ip qos dscp cs5 media
 ip qos dscp cs5 signaling
dial-peer voice 2 pots
 preference 1
 service sldy-ivr
 destination-pattern 0774T
 incoming called-number .
 port 0/0/0
Voice interface port:
voice-port 0/0/0
 supervisory disconnect dualtone mid-call
 input gain -6
 output attenuation -6
 no vad
 cptone CN
 timeouts interdigit 5
 timeouts call-disconnect 1
 timeouts ringing 5
 timeouts wait-release 1
 caller-id enable
2. Switch configuration walkthrough
2.1 Device naming and remote management
version 12.2
hostname xxx
line vty 0 4
 privilege level 15
 password 7 1515131F082E32047160677A
 authorization commands 2 vty
 authorization commands 7 vty
 authorization commands 15 vty
 authorization exec vty
 accounting commands 2 vty
 accounting commands 7 vty
 accounting commands 15 vty
 login authentication vty
 length 0
line vty 5 15
2.2 User privilege authorization
username gxsldy privilege 15 secret 5 $1$Czeu$FMJhUnvTdzRsdhMJT5JnH.
username txsldy privilege 15 secret 5 $1$9tjG$K8FWvW1v3F8qpU/UsQfJZ.
username huangns privilege 3 secret 5 $1$dSVZ$uQFtTgynlP34b50Fospwh0
privilege exec level 2 show logging
privilege exec level 7 show interfaces
privilege exec level 2 show startup-config
privilege exec level 2 show
aaa authentication login vpnauth local
aaa authentication login vty local
aaa authorization console
aaa authorization exec vty local
aaa authorization commands 2 vty none
aaa authorization commands 7 vty none
aaa authorization commands 15 vty none
aaa authorization network vpnauthor local
2.3 Device interconnection
interface FastEthernet0/23
 no switchport
 bandwidth 10000
 ip address 10.202.82.2 255.255.255.252
 ip access-group protect_local in
 speed 10
 srr-queue bandwidth share 5 20 10 5
 srr-queue bandwidth shape 0 0 0 30
 srr-queue bandwidth limit 40
 priority-queue out
interface FastEthernet0/24
 no switchport
 ip address 10.200.82.253 255.255.255.248
 mls qos trust dscp
Floor-switch interconnection:
interface FastEthernet0/20
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 200
 switchport mode trunk
2.4 Routing
ip routing
router ospf 1
 log-adjacency-changes
 area 82 range 10.82.0.0 255.255.0.0
 redistribute static subnets route-map VPNtoospf
 network 10.82.0.0 0.0.127.255 area 82
 network 10.82.128.0 0.0.63.255 area 82
 network 10.82.200.0 0.0.0.255 area 0
 network 10.200.82.253 0.0.0.0 area 0
 network 10.202.82.0 0.0.0.3 area 0
 network 10.250.202.82 0.0.0.0 area 0
ip route 0.0.0.0 0.0.0.0 10.200.82.254
2.5 NTP and other device settings
System logging:
logging message-counter syslog
logging buffered 409600
logging console critical
logging trap debugging
logging source-interface Loopback0
logging 10.250.100.1
Domain name resolution:
no ip bootp server
no ip domain lookup
ip domain name https://www.wendangku.net/doc/558092002.html,
no ipv6 cef
NTP:
scheduler allocate 30000 1000
ntp server 10.250.200.254
clock timezone BJ 8
2.6 Network management (SNMP)
snmp-server community gxsldyro RO
snmp-server community gxsldyrw RW
snmp-server trap-source Loopback0
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps cluster
snmp-server enable traps entity
snmp-server enable traps cpu threshold
snmp-server enable traps power-ethernet group 1
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps flash insertion removal
snmp-server enable traps port-security
2.7 VLAN creation
VTP mode:
vtp mode transparent
Create VLANs:
vlan 2-8,33-34,36,42,64,81-85,91-93,100-128,192,200,220
VLAN management interface (SVI):
interface Vlan2
 ip address 10.82.2.254 255.255.255.0
 no shutdown
Apply to a port:
interface FastEthernet0/3
 switchport access vlan 5
 switchport mode access
 spanning-tree portfast
2.8 Security hardening
See section 1.8.
2.9 QoS policy
1. Identify traffic types:
access-list 120 permit ip 10.82.5.0 0.0.0.255 any
access-list 130 permit ip 10.82.6.0 0.0.0.255 any
access-list 140 permit ip 10.82.1.0 0.0.0.255 any
access-list 140 permit ip 10.82.3.0 0.0.0.255 any
access-list 140 permit ip 10.82.0.0 0.0.255.255 192.168.8.0 0.0.0.255
access-list 140 permit ip 10.200.0.0 0.0.255.255 10.200.0.0 0.0.255.255
access-list 140 permit ip 10.202.0.0 0.0.255.255 10.202.0.0 0.0.255.255
access-list 140 permit ip 10.250.0.0 0.0.255.255 10.250.0.0 0.0.255.255
2. Classify based on traffic type:
class-map match-all video-map
 match access-group 130
class-map match-all voip-map
 match access-group 120
class-map match-all critical-map
 match access-group 140
policy-map inbound
 class voip-map
  set dscp ef
 class video-map
  set dscp cs4
 class critical-map
  set dscp cs3
 class class-default
  set dscp default
mls qos srr-queue output dscp-map queue 1 threshold 2 40 46
mls qos srr-queue output dscp-map queue 2 threshold 2 32
mls qos srr-queue output dscp-map queue 3 threshold 2 24
mls qos srr-queue output dscp-map queue 4 threshold 1 0 8
mls qos
3. Define the policy for each service class and apply it to the ports:
interface FastEthernet0/23
 no switchport
 bandwidth 10000
 ip address 10.202.82.2 255.255.255.252
 ip access-group protect_local in
 speed 10
 srr-queue bandwidth share 5 20 10 5
 srr-queue bandwidth shape 0 0 0 30
 srr-queue bandwidth limit 40
 priority-queue out
interface FastEthernet0/22
 service-policy input inbound
2.10 Server ACL protection policy
Define the ACL protecting the marketing system:
ip access-list extended protect_sale
 permit ip 10.82.34.0 0.0.0.255 host 10.82.1.1
 permit ip 10.82.36.0 0.0.0.255 host 10.82.1.1
 permit ip 10.82.42.0 0.0.0.255 host 10.82.1.1
 permit ip 10.82.64.0 0.0.0.255 host 10.82.1.1
 permit ip 10.82.33.0 0.0.0.255 host 10.82.1.1
 permit ip 10.68.0.0 0.0.255.255 host 10.82.1.1
 permit ip 192.168.0.0 0.0.255.255 host 10.82.1.1
 permit ip 10.82.34.0 0.0.0.255 host 10.82.1.15
 permit ip 10.82.36.0 0.0.0.255 host 10.82.1.15
 permit ip 10.82.42.0 0.0.0.255 host 10.82.1.15
 permit ip 10.82.64.0 0.0.0.255 host 10.82.1.15
 permit ip 10.82.33.0 0.0.0.255 host 10.82.1.15
 permit ip 10.68.0.0 0.0.255.255 host 10.82.1.15
 permit ip 192.168.0.0 0.0.255.255 host 10.82.1.15
 permit ip 10.0.3.0 0.0.0.255 10.82.1.0 0.0.0.255
 permit ip 192.168.8.0 0.0.0.255 10.82.1.0 0.0.0.255
 deny ip any any
Apply it to the corresponding VLAN:
interface Vlan100
 ip access-group protect_sale out
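The NAT list in 1.7, the class-maps in 2.9 and the server ACL in 2.10 all rely on the same IOS access-list semantics: entries are tested in order, the first match decides, a wildcard bit of 1 means "don't care", and an entry that matches nothing falls through to the implicit deny at the end of the list (which is why the order of the `deny` entries at the top of `natlist` matters, and why `deny ip any any` in `protect_sale` only makes the implicit deny visible). The following Python program is an added example, not part of the original document or of any Cisco software: it evaluates IP-only extended ACL entries with that logic and then applies a policy-map style DSCP marking on top. The ACL contents are shortened copies of the entries shown in those sections, the sample addresses are constructed, and the helper names (`acl_decision`, `mark_dscp`) are this example's own.

```python
"""Added example (not from the original document): evaluate Cisco-style
extended ACLs with wildcard masks (first match wins, implicit deny at the
end) and apply a policy-map marking on top.  ACL contents are shortened
from sections 1.7, 2.9 and 2.10; helper names are this example's own."""
import ipaddress
from typing import List, Tuple

DSCP = {"ef": 46, "cs4": 32, "cs3": 24, "default": 0}  # standard DSCP code points


def _to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def parse_operand(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Return (address, wildcard, next index) for 'any', 'host X' or 'X WILDCARD'."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _to_int(tokens[i + 1]), 0, i + 2
    return _to_int(tokens[i]), _to_int(tokens[i + 1]), i + 2


def parse_ace(line: str) -> Tuple[str, int, int, int, int]:
    """Parse one 'permit|deny ip SRC DST' entry (IP-only entries, as on this page)."""
    t = line.split()
    action = t[0]
    src, src_wc, i = parse_operand(t, 2)
    dst, dst_wc, _ = parse_operand(t, i)
    return action, src, src_wc, dst, dst_wc


def wildcard_match(addr: int, base: int, wildcard: int) -> bool:
    # Wildcard bit 1 = "don't care"; only the 0 bits must equal the base address.
    return ((addr ^ base) & (~wildcard & 0xFFFFFFFF)) == 0


def acl_decision(acl: List[str], src_ip: str, dst_ip: str) -> str:
    """First matching entry decides; with no match, IOS applies the implicit deny."""
    s, d = _to_int(src_ip), _to_int(dst_ip)
    for line in acl:
        action, src, src_wc, dst, dst_wc = parse_ace(line)
        if wildcard_match(s, src, src_wc) and wildcard_match(d, dst, dst_wc):
            return action
    return "deny"


# Constructed from section 1.7: VPN-bound traffic is excluded from NAT first.
NATLIST = [
    "deny ip 10.82.0.0 0.0.255.255 10.82.63.0 0.0.0.255",
    "permit ip host 10.82.5.1 any",
    "permit ip 10.82.81.0 0.0.0.255 any",
]

# Constructed from section 2.10: only listed subnets reach the marketing servers.
PROTECT_SALE = [
    "permit ip 10.82.34.0 0.0.0.255 host 10.82.1.1",
    "permit ip 10.68.0.0 0.0.255.255 host 10.82.1.15",
    "deny ip any any",
]

# Constructed from section 2.9: class-maps reference ACLs, the policy-map sets DSCP.
QOS_POLICY = [  # (class name, matching ACL, dscp to set); list order is evaluation order
    ("voip-map", ["permit ip 10.82.5.0 0.0.0.255 any"], "ef"),
    ("video-map", ["permit ip 10.82.6.0 0.0.0.255 any"], "cs4"),
    ("critical-map", ["permit ip 10.82.1.0 0.0.0.255 any",
                      "permit ip 10.200.0.0 0.0.255.255 10.200.0.0 0.0.255.255"], "cs3"),
]


def mark_dscp(src_ip: str, dst_ip: str) -> Tuple[str, int]:
    """Return (class, dscp) the policy-map would apply; class-default sets 0."""
    for name, acl, dscp in QOS_POLICY:
        if acl_decision(acl, src_ip, dst_ip) == "permit":
            return name, DSCP[dscp]
    return "class-default", DSCP["default"]


if __name__ == "__main__":
    print(acl_decision(NATLIST, "10.82.5.1", "10.82.63.20"))      # deny: VPN pool, no NAT
    print(acl_decision(NATLIST, "10.82.5.1", "203.0.113.9"))      # permit: gets NAT
    print(acl_decision(NATLIST, "10.82.9.9", "203.0.113.9"))      # deny: implicit deny
    print(acl_decision(PROTECT_SALE, "10.82.99.7", "10.82.1.1"))  # deny
    print(mark_dscp("10.82.5.20", "10.200.200.1"))                # ('voip-map', 46)
```

Two things the run makes visible that the raw config does not: a host that is allowed by `natlist` still has its VPN-pool traffic excluded because the `deny` entry sits first, and a source missing from `protect_sale` is dropped even without the explicit `deny ip any any`. The same evaluator is reused for the class-maps, which is exactly how `match access-group` works on the switch.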