ASA842 dual-ISP access

[figure: asa-2isp]

R1

int e0/0
   no sh
   ip addr 1.1.1.1 255.255.255.0
   

int e0/1
   no sh
   ip addr 1.1.2.1 255.255.255.0

router ospf 1
   network 1.1.1.0 0.0.0.255 area 1
   network 1.1.2.0 0.0.0.255 area 1

R2

int e0/0
   no sh
   ip addr 3.3.1.1 255.255.255.0
   

int e0/1
   no sh
   ip addr 3.3.2.1 255.255.255.0

router ospf 1
   network 3.3.1.0 0.0.0.255 area 1
   network 3.3.2.0 0.0.0.255 area 1

.ASA
1)ASA System
# changeto system
ASA# conf t
ASA(config)#

admin-context admin
  context admin
  config-url admin.cfg

context ctx1
  allocate-interface GigabitEthernet0
  allocate-interface GigabitEthernet2
  config-url ctx1.cfg

context ctx2
  allocate-interface GigabitEthernet1
  allocate-interface GigabitEthernet4
  config-url ctx2.cfg

2)context ctx1
# changeto context ctx1
ASA/ctx1(config)# 

hostname ctx1

interface GigabitEthernet0
 no sh
 nameif outside
 security-level 0
 ip address 1.1.2.2 255.255.255.0

interface GigabitEthernet2
 no sh
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0

object network obj_inside_subnet
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface

route outside 0.0.0.0 0.0.0.0 1.1.2.1 1

class-map icmp-class
   match default-inspection-traffic

policy-map icmp_policy
   class icmp-class
      inspect icmp

service-policy icmp_policy interface outside

!permit ping in (permits every ICMP type from any outside source; narrow this in production)
access-list acl_outside_icmp extended permit icmp any any
access-group acl_outside_icmp in interface outside

!access-list acl_inside_icmp extended permit icmp any any
!access-group acl_outside_icmp out interface outside
!access-group acl_inside_icmp in interface inside
!access-group acl_inside_icmp out interface inside

3)context ctx2
# changeto context ctx2
ASA/ctx2(config)# 

hostname ctx2

interface GigabitEthernet4
 no sh
 nameif inside
 security-level 100
 ip address 192.168.3.1 255.255.255.0

interface GigabitEthernet1
 no sh
 nameif outside
 security-level 0
 ip address 3.3.2.2 255.255.255.0

object network obj_inside_subnet
 subnet 192.168.3.0 255.255.255.0
 nat (inside,outside) dynamic interface

route outside 0.0.0.0 0.0.0.0 3.3.2.1 1

class-map icmp-class
   match default-inspection-traffic

policy-map icmp_policy
   class icmp-class
      inspect icmp

service-policy icmp_policy interface outside

!permit ping in (permits every ICMP type from any outside source; narrow this in production)
access-list acl_outside_icmp extended permit icmp any any
access-group acl_outside_icmp in interface outside

!access-list acl_inside_icmp extended permit icmp any any
!access-group acl_outside_icmp out interface outside
!access-group acl_inside_icmp in interface inside
!access-group acl_inside_icmp out interface inside
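As an added example (not part of the original notes), a small Python check for the multi-context layout above: it parses the system context's allocate-interface lines, normalises the abbreviated spellings (g0 versus GigabitEthernet0), and flags any interface a context configures without an allocation, plus any context that lacks a default route. The sample configs are constructed from the notes, with one deliberate mismatch added to ctx2.

```python
import re
# Constructed sample: the allocate-interface lines of the system context from the notes above
SYSTEM_CFG = """\
context ctx1
  allocate-interface g0
  allocate-interface g2
context ctx2
  allocate-interface GigabitEthernet1
  allocate-interface GigabitEthernet4
"""
# Constructed sample: the relevant lines of each context config; ctx2 deliberately
# configures GigabitEthernet3 (never allocated) and has no default route
CONTEXT_CFGS = {
    "ctx1": "interface GigabitEthernet0\n nameif outside\n"
            "interface GigabitEthernet2\n nameif inside\n"
            "route outside 0.0.0.0 0.0.0.0 1.1.2.1 1\n",
    "ctx2": "interface GigabitEthernet4\n nameif inside\n"
            "interface GigabitEthernet1\n nameif outside\n"
            "interface GigabitEthernet3\n nameif dmz\n",
}

def canon(name):
    """Normalise ASA GigabitEthernet spellings (g0, gi0, GigabitEthernet0) to one form."""
    m = re.fullmatch(r"(?i)g(?:i(?:gabitethernet)?)?(\d+(?:/\d+)*)", name.strip())
    return f"GigabitEthernet{m.group(1)}" if m else name.strip()

def parse_allocations(system_cfg):
    """Return {context: set of canonical interface names} from the system context."""
    alloc, current = {}, None
    for line in system_cfg.splitlines():
        if m := re.match(r"^context (\S+)", line):
            current = m.group(1)
            alloc[current] = set()
        elif current and (m := re.match(r"^\s*allocate-interface (\S+)", line)):
            alloc[current].add(canon(m.group(1)))
    return alloc

def audit(system_cfg, context_cfgs):
    """List interfaces a context uses without an allocation, and contexts lacking a default route."""
    alloc = parse_allocations(system_cfg)
    findings = []
    for ctx, cfg in context_cfgs.items():
        used = {canon(m.group(1)) for m in re.finditer(r"^interface (\S+)", cfg, re.M)}
        for intf in sorted(used - alloc.get(ctx, set())):
            findings.append(f"{ctx}: interface {intf} configured but not allocated")
        if not re.search(r"^route \S+ 0\.0\.0\.0 0\.0\.0\.0 ", cfg, re.M):
            findings.append(f"{ctx}: no default route")
    return findings
```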

ESXi: adding a network serial port to a virtual machine

To check whether it is configured correctly and whether the connection works, the VM must be powered on first; while the VM is powered off, this telnet connection never succeeds.

 

1. First enable SSH on the ESXi host (not sure whether it works without this):

 

2. Enable the network serial port:

 

3. Configure the VM as shown in the red circle:

Tested and working on ESXi 5.5.

Cisco router command summary

.hostname
hostname a.com

.enable password
enable password cisco
enable secret cisco

.console
line console 0
    login
    password cisco
    !set the clock rate (DCE end of a serial interface only)
    clock rate 64000

.telnet
line vty 0 4
    login 
    password cisco

.interface
ip address 192.168.1.1 255.255.255.0
ip address 192.168.1.2 255.255.255.0 secondary

.rip
router rip
    version 2
    network 1.0.0.0
    no auto-summary

.ospf
router ospf 1
   network 1.1.1.0 0.0.0.255 area 1 
   network 1.1.2.0 0.0.0.255 area 1
ip ospf authentication-key cisco
ip ospf message-digest-key 1 md5 cisco

.eigrp
 router eigrp 1
    network 1.1.1.0 0.0.0.255
    network 1.1.2.0 0.0.0.255
    auto-summary

.bgp
 router bgp 1
    no synchronization
    bgp log-neighbor-changes
    network 1.1.1.0 mask 255.255.255.0
    network 1.1.2.0 mask 255.255.255.0
    no auto-summary

.subinterface
int g0/0.1
   ip address 192.168.2.1 255.255.255.0
   encapsulation dot1q|isl vlanid

.erase configuration
erase startup-config

.access-list
ip access-list standard|extended name
access-list 1-99 permit <source-net-id> <wildcard-mask>
access-list 1-99 deny <host-ip> <wildcard-mask>
ip access-group 1-99  in|out
ip access-group name in|out
access-list 100-199 permit|deny ip|tcp|icmp|ospf|eigrp|gre|igrp|ipinip|nos|udp sourceip|wild [eq|lt|gt port] destinationip|wild [eq|lt|gt port][established] [precedence<0-7>] [tos<0-15> ]

.nat
ip nat inside
ip nat outside

ip nat inside source static <inside-ip> <outside-ip>
access-list 1 permit 192.168.100.0 0.0.0.255

ip nat pool <name> <start-ip> <end-ip> netmask <subnet-mask>
ip nat inside destination list 1 pool name
ip nat inside source list 2 interface s0/0 overload
access-list 1 permit <virtual-host-ip>
ip nat pool <name> <start-ip> <end-ip> prefix-length 24 type rotary
ip nat inside destination list 1 pool name
 
.PPP authentication
username <RouterB> password <word>
int s0 
ppp authentication {chap|pap} 

.Cisco 2600 router password recovery
Reboot the router and press Ctrl+Break during boot so the router enters ROM monitor mode.
At the prompt, enter the command that changes the configuration register, then restart the router:
rommon 1 > confreg 0x2142
rommon 2 > reset

Change the password and restore the configuration register:

router(config)# enable secret <new-password>
router(config)# config-register 0x2102
router# copy running-config startup-config
 
 

cisco switch spanning tree

.spanning-tree
!enable STP for the listed VLANs
spanning-tree vlan <vlan-list>

!make this switch the root bridge
spanning-tree vlan <vlan-list> root primary

!make this switch the backup root bridge
spanning-tree vlan <vlan-list> root secondary

!set the bridge priority
spanning-tree vlan <vlan-list> priority <0-65535>

!set the port cost (interface command, used on trunk ports)
spanning-tree vlan <vlan-list> cost <0-2000000>

!set the port priority (interface command)
spanning-tree vlan <vlan-list> port-priority <0-255>

!enable PortFast on an access port
spanning-tree portfast

!enable UplinkFast
spanning-tree uplinkfast

!set the hello time
spanning-tree vlan <vlan-list> hello-time <1-10>

!set the forward delay
spanning-tree vlan <vlan-list> forward-time <4-30>

!set the max age
spanning-tree vlan <vlan-list> max-age <6-40>

show spanning-tree summary
show spanning-tree vlan <vlan-id> detail
show spanning-tree interface <int-id> detail

///////////////////////////////////////////

SW3560# show spanning-tree 
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0060.5C53.9949
             Cost        19
             Port        3(FastEthernet0/3)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     00D0.FF47.7555
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/2            Desg FWD 19        128.2    P2p
Fa0/3            Root FWD 19        128.3    P2p
Fa0/4            Desg FWD 19        128.4    P2p

VLAN0100
  Spanning tree enabled protocol ieee
  Root ID    Priority    32868
             Address     00D0.FF47.7555
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32868  (priority 32768 sys-id-ext 100)
             Address     00D0.FF47.7555
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/2            Desg FWD 19        128.2    P2p

SW1# sh spanning-tree 
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0060.5C53.9949
             Cost        38
             Port        1(FastEthernet0/1)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     00E0.A34D.6BA3
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Root FWD 19        128.1    P2p

VLAN0100
  Spanning tree enabled protocol ieee
  Root ID    Priority    32868
             Address     00D0.FF47.7555
             Cost        19
             Port        1(FastEthernet0/1)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32868  (priority 32768 sys-id-ext 100)
             Address     00E0.A34D.6BA3
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Root FWD 19        128.1    P2p
Fa0/2            Desg FWD 19        128.2    P2p
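As an added example (not part of the original notes), a Python parser for the show spanning-tree output above: it extracts, per VLAN, the elected root bridge, this switch's bridge ID and the root port, then compares each root against the MAC an operator expects. An unexpected root is the first sign of a mis-set priority or of an unauthorised switch claiming root, so this is the check to run after the priority changes listed above. The sample is trimmed from the SW3560 output.

```python
import re
# Constructed sample, trimmed from the SW3560 "show spanning-tree" output in the notes above
SHOW_STP = """\
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0060.5C53.9949
             Cost        19
             Port        3(FastEthernet0/3)

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     00D0.FF47.7555

VLAN0100
  Spanning tree enabled protocol ieee
  Root ID    Priority    32868
             Address     00D0.FF47.7555
             This bridge is the root

  Bridge ID  Priority    32868  (priority 32768 sys-id-ext 100)
             Address     00D0.FF47.7555
"""

def parse_show_spanning_tree(text):
    """Return {vlan: {"root": mac, "bridge": mac, "is_root": bool, "root_port": name|None}}."""
    result = {}
    for block in re.split(r"^(?=VLAN\d+)", text, flags=re.M):   # one block per VLAN
        m = re.match(r"VLAN(\d+)", block)
        if not m:
            continue
        addrs = re.findall(r"Address\s+([0-9A-Fa-f.]+)", block)  # first = Root ID, second = Bridge ID
        port = re.search(r"Port\s+\d+\((\S+)\)", block)           # absent when this bridge is root
        result[int(m.group(1))] = {
            "root": addrs[0].lower(),
            "bridge": addrs[1].lower() if len(addrs) > 1 else None,
            "is_root": "This bridge is the root" in block,
            "root_port": port.group(1) if port else None,
        }
    return result

def check_expected_roots(parsed, expected):
    """Flag VLANs whose elected root differs from the MAC we expect (expected = {vlan: mac})."""
    return [
        f"VLAN{vlan}: root is {info['root']}, expected {expected[vlan].lower()}"
        for vlan, info in parsed.items()
        if vlan in expected and info["root"] != expected[vlan].lower()
    ]
```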
 

Cisco switch command summary

.hostname
hostname SW1

.enable password
enable password cisco
enable secret cisco

.telnet
int vlan1
   ip address 192.168.1.254 255.255.255.0
ip default-gateway 192.168.1.1

line vty 0 4
   login
   password cisco

.console
 line console 0
    login
    password cisco

.interface
 int f0/1
   duplex full
   speed 100
   description xxx
   no shutdown

.vlan
 vlan 100 
    name vlan100

 int f0/10
    switchport mode access
    switchport access vlan 100

.trunk
!configure the port as a trunk
int f0/10
   switchport mode trunk

!set the trunk encapsulation protocol
   switchport trunk encapsulation dot1q

!disable trunking
   no switchport mode    (or: switchport mode access)

!add VLANs to the trunk's allowed list
   switchport trunk allowed vlan add 1,2

!remove VLANs from the trunk's allowed list
   switchport trunk allowed vlan remove 1,2

!remove VLANs from the trunk's pruning-eligible list
   switchport trunk pruning vlan remove 1,2

.port channel
int range f0/1 - 2
   channel-group 1 mode on
   port-channel load-balance {dst-mac|src-mac}

show etherchannel 1 summary
show etherchannel load-balance

.vtp
vtp mode server
   vtp domain a.com
   vtp version 2
   vtp password cisco
   vtp pruning

vtp mode client
   vtp domain a.com
   vtp version 2
   vtp password cisco
   vtp pruning

.spanning-tree
(same commands as in the Cisco switch spanning tree section above)


.view flash
dir flash:

.cdp
show cdp 
show cdp traffic
show cdp neighbors

show interface f0/1 switchport

.2950 password recovery
1) Unplug the switch's power cable.
2) Hold down the Mode button and plug the power cable back in.
3) Release the Mode button when the screen shows: flash_init  load_helper  boot  switch:
4) At the switch: prompt:
    a) run the flash_init command, then view the files in flash
    b) rename config.text to config.old:
       rename flash:config.text flash:config.old
5) Run the boot command to start the switch.
   When the switch asks whether to enter the configuration dialog, answer no.
   Enter privileged mode and view the flash files:
    switch# show flash:
   Rename config.old back to config.text:
       rename flash:config.old flash:config.text
   Copy config.text into the system running-config:
       copy flash:config.text system:running-config

Layer-3 switch uplink to a router

.R0
interface GigabitEthernet0/0
 no shutdown
 ip address 1.1.1.1 255.255.255.0

ip route 192.168.100.0 255.255.255.0 1.1.1.2  
 

.SW3560

ip routing

interface FastEthernet0/1
 no switchport
 ip address 1.1.1.2 255.255.255.0

interface FastEthernet0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk

vtp mode server
   vtp domain a.com
   vtp password cisco

vlan 100
   name vlan100

ip dhcp pool pool-dhcp-vlan-100
 network 192.168.100.0 255.255.255.0
 default-router 192.168.100.1
 dns-server 8.8.8.8

interface Vlan100
 mac-address 00d0.ff47.7501
 ip address 192.168.100.1 255.255.255.0

ip route 0.0.0.0 0.0.0.0 1.1.1.1 
 

.SW1
interface FastEthernet0/1
 switchport mode trunk

vtp mode client
   vtp domain a.com
   vtp password cisco

interface FastEthernet0/2
 switchport access vlan 100
 switchport mode access

.PC0
 IP 192.168.100.2 obtained automatically via DHCP

 C:\>ping 1.1.1.1

Pinging 1.1.1.1 with 32 bytes of data:

Reply from 1.1.1.1: bytes=32 time<1ms TTL=254
Reply from 1.1.1.1: bytes=32 time<1ms TTL=254

Port mirroring (SPAN)

1. In global configuration mode:
dh(config)# monitor session 1 source interface fastethernet0/24 {rx|tx|both}

dh(config)# monitor session 1 source vlan 1 - 3 rx

Configure the port or VLAN to be monitored: a port source can mirror ingress, egress or both directions, whereas a VLAN source can only mirror ingress packets.

2. In global configuration mode:
Sw(config)# monitor session 1 destination interface fastethernet0/23

Configure the port that the monitoring host connects to (the destination port).
Note: one monitor session is one mirroring instance; its source interfaces may belong to different VLANs, and a single monitor session can mirror several ports at once.

Note: on our 3550, Fa0/24 is currently the interface connected to the firewall and Fa0/23 the interface connected to the IDS host.
 

cisco 3550 arp

clear  arp-cache

arp 192.168.100.22  000a.eb22.c1b5

sh ip accounting output-packets

sh mac-address-table address 00e0.9102.afd0

Show the MAC addresses learned on port F0/20
sh mac-address-table int f0/20

sh cdp entry *
sh cdp neighbors

dir flash:

vlan database
   vtp domain  a.com
   vtp server
   vtp password cisco

vlan database
   vtp domain a.com
   vtp client
   vtp password cisco