Cisco Device NetFlow Configuration: Key Points and Examples


Cisco Device NetFlow Configuration Guide
2013.08.09

1. NetFlow configuration key points

1.1. NetFlow only takes effect when ip cef is enabled, and the ip flow ingress command must also be enabled on the interface.
Before IOS 12.2 the command was ip route-cache flow.

1.2. On some Cisco devices, ip route-cache flow and ip flow ingress under an interface are essentially the same command.

1.3. ip cef affects ACLs on the interface: the first few packets are not subject to the ACL rules.

1.4. View the features ip flow supports
router2811#show ip flow ?
export Display export statistics
interface Display flow configuration on Interfaces
top-talkers Display top talkers
router2811#show ip flow export ?
sctp Display SCTP export statistics
template Display export template statistics
verbose Display verbose export statistics
| Output modifiers

router2811#show ip flow inter ?
| Output modifiers

router2811#show ip flow top-talkers ?
Display aggregated top talkers:
<1-100> Number of aggregated top talkers to show

Display unaggregated top flows:
verbose Display extra information about unaggregated top flows
| Output modifiers

router2811#

router3745# show ip flow export ?
template Display export template statistics
| Output modifiers

router3745# show ip flow top-talkers ?
verbose Display extra information
| Output modifiers

router3745#

1.5. View ip flow export status
router2811#show ip flow export
Flow export v5 is enabled for main cache
Export source and destination details :
VRF ID : Default
Source(1) 10.117.3.5 (FastEthernet0/1)
Destination(1) 10.119.159.38 (9090)
Version 5 flow records
782 flows exported in 32 udp datagrams
0 flows failed due to lack of export packet
0 export packets were sent up to process level
0 export packets were dropped due to no fib
0 export packets were dropped due to adjacency issues
0 export packets were dropped due to fragmentation failures
0 export packets were dropped due to encapsulation fixup failures
router2811#show ip flow export verbose
Flow export v5 is enabled for main cache
Export source and destination details :
VRF ID : Default
Source(1) 10.117.3.5 (FastEthernet0/1)
Destination(1) 10.119.159.38 (9090)
Version 5 flow records
786 flows exported in 32 udp datagrams
0 flows failed due to lack of export packet
0 export packets were sent up to process level
0 export packets were dropped due to no fib
0 export packets were dropped due to adjacency issues
0 export packets were dropped due to fragmentation failures
0 export packets were dropped due to encapsulation fixup failures
router2811#

router3745#show ip flow export
Flow export v5 is enabled for main cache
Exporting flows to 172.16.100.8 (2055)
Exporting using source interface FastEthernet0/1
Version 5 flow records, peer-as
2203147 flows exported in 134556 udp datagrams
0 flows failed due to lack of export packet
0 export packets were sent up to process level
0 export packets were dropped due to no fib
0 export packets were dropped due to adjacency issues
0 export packets were dropped due to fragmentation failures
0 export packets were dropped due to encapsulation fixup failures
router3745#
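
Both routers above export "Version 5 flow records" over UDP, which carries no authentication or delivery guarantee, so the collector has to validate what arrives. The following is an added example, not part of the original document: a collector-side decoder for the NetFlow v5 datagram layout that rejects malformed datagrams, decodes the sampling field in the header, and uses flow_sequence to count lost flows. The sample datagram is constructed; its addresses reuse ones that appear in this document.

```python
import socket
import struct

HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBBxx")  # 48-byte v5 flow record
MAX_RECORDS = 30                                     # v5 limit per datagram
FIELDS = ("src", "dst", "nexthop", "input_if", "output_if", "pkts", "octets",
          "first", "last", "sport", "dport", "tcp_flags", "proto", "tos",
          "src_as", "dst_as", "src_mask", "dst_mask")


def parse_v5(datagram):
    """Validate and decode one export datagram into (header, records)."""
    if len(datagram) < HEADER.size:
        raise ValueError("shorter than a v5 header")
    (version, count, uptime, secs, _nsecs, seq,
     _engine_type, engine_id, sampling) = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"unexpected export version {version}")
    if not 1 <= count <= MAX_RECORDS:
        raise ValueError(f"implausible record count {count}")
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("length does not match record count")
    header = {
        "count": count, "sys_uptime_ms": uptime, "unix_secs": secs,
        "flow_sequence": seq, "engine_id": engine_id,
        "sampling_mode": sampling >> 14,          # top 2 bits
        "sampling_interval": sampling & 0x3FFF,   # low 14 bits, 0 = unsampled
    }
    records = []
    for i in range(count):
        values = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        rec = dict(zip(FIELDS, values))
        for key in ("src", "dst", "nexthop"):
            rec[key] = socket.inet_ntoa(rec[key])
        # Sampled export reports only the sampled packets; scale to estimate.
        rec["est_pkts"] = rec["pkts"] * max(header["sampling_interval"], 1)
        records.append(rec)
    return header, records


class SequenceTracker:
    """flow_sequence counts flows exported so far, so a gap means lost flows."""

    def __init__(self):
        self.expected = None

    def missed(self, header):
        seq, lost = header["flow_sequence"], 0
        if self.expected is not None:
            lost = (seq - self.expected) % 2**32
        self.expected = (seq + header["count"]) % 2**32
        return lost


def build_sample(seq=782, sampling=(2 << 14) | 100):
    """Constructed datagram with two records (not captured traffic)."""
    def record(src, dst, sport, dport, proto, pkts, octets):
        return RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst),
                           socket.inet_aton("10.117.3.250"), 2, 3, pkts, octets,
                           1000, 2000, sport, dport, 0, proto, 0, 0, 0, 0, 0)
    body = (record("10.117.181.8", "10.117.3.81", 1051, 161, 17, 23, 1656)
            + record("223.186.27.38", "123.234.195.132", 0, 0, 1, 2, 122))
    return HEADER.pack(5, 2, 123456, 1376000000, 0, seq, 0, 0, sampling) + body


if __name__ == "__main__":
    hdr, recs = parse_v5(build_sample())
    print(hdr)
    for r in recs:
        print(r["src"], "->", r["dst"], "proto", r["proto"], "est_pkts", r["est_pkts"])
```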

1.5. View the interfaces on which ip flow collects
router2811#show ip flow interface
FastEthernet0/0
ip route-cache flow
ip flow ingress
FastEthernet0/1
ip route-cache flow
ip flow ingress
router2811#

router3745#show ip flow interface
FastEthernet0/0
ip route-cache flow
ip flow ingress
FastEthernet0/1
ip route-cache flow
ip flow ingress
router3745#

1.6. View the ip flow cache
router2811#show ip cache flow
IP packet size distribution (169104 total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.000 .873 .116 .006 .001 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .000 .000 .002 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes
130 active, 3966 inactive, 11952 added
244407 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 34056 bytes
129 active, 895 inactive, 1145 added, 1145 added to flow
0 alloc failures, 0 force free
1 chunk, 0 chunks added
last clearing of statistics 00:23:43
Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow
TCP-Telnet 21 0.0 162 40 2.4 37.7 11.5
TCP-X 19 0.0 11 40 0.1 0.0 14.5
TCP-other 750 0.5 22 87 11.8 6.7 14.9
UDP-DNS 1 0.0 1 61 0.0 0.0 15.0
UDP-NTP 3 0.0 1 76 0.0 0.0 15.2
UDP-other 225 0.1 608 65 96.3 23.1 15.4
ICMP 10833 7.6 2 66 18.0 1.5 15.4
IP-other 3 0.0 1 109 0.0 0.0 15.6
Total: 11855 8.3 15 67 128.8 2.3 15.4

SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Fa0/0 223.186.27.38 Se0/3/0 123.234.195.132 01 0000 0000 2
Fa0/1 10.117.3.1 Null 224.0.0.5 59 0000 0000 158
Fa0/0 223.186.59.78 Se0/3/0 123.234.195.132 01 0000 0000 2
Fa0/1 10.117.181.8 Se0/3/0 10.117.3.81 11 041B 00A1 23
Fa0/0 10.117.3.245 Null 224.0.0.5 59 0000 0000 174
Fa0/1 10.117.3.2 Null 224.0.0.5 59 0000 0000 172
Fa0/0 223.186.8.197 Se0/3/0 123.234.195.132 01 0000 0000 2
Fa0/0 223.186.200.71 Se0/3/0 123.234.195.132 01 0000 0000 2
Fa0/0 223.186.232.42 Se0/3/0 123.234.195.132 01 0000 0000 2
Fa0/1 10.17.181.8 Local 10.117.3.5 11 041B 00A1 5
Fa0/0 223.186.152.8 Se0/3/0 123.234.195.132 01 0000 0000 2
Fa0/0 223.186.89.157 Se0/3/0 123.234.195.132 01 0000 0000 2
Fa0/0 223.186.89.198 Se0/3/0 123.234.195.132 01 0000 0000 2
Fa0/0 223.186.41.194 Se0/3/0 123.234.195.132 01 0000 0000 2
Fa0/0 222.11.227.58 Se0/3/0 123.234.195.132 01 0000 0301 3
Fa0/0 223.186.85.55 Se0/3/0 123.234.195.132 01 0000 0000 2
Fa0/0 223.186.213.73 Se0/3/0 123.234.195.132 01 0000 0000 2
Fa0/0 123.70.237.81 Se0/3/0 123.234.195.143 06 C263 1398 418
Fa0/0 223.186.69.6 Se0/3/0 123.234.195.132 01 0000 0000 2
Fa0/0 223.186.5.110 Se0/3/0 123.234.195.132 01 0000 0000 2
Fa0/0 223.186.53.117 Se0/3/0 123.234.195.132 01 0000 0000 2
Fa0/0 223.186.197.32 Se0/3/0 123.234.195.132 01 0000 0000 2
Fa0/0 223.186.138.210 Se0/3/0 123.234.195.132 01 0000 0000 2
router2811#show ip cache verbose flow
IP packet size distribution (174410 total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.000 .875 .114 .006 .001 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .000 .000 .002 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes
134 active, 3962 inactive, 12500 added
256287 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 34056 bytes
133 active, 891 inactive, 1693 added, 1693 added to flow
0 alloc failures, 0 force free
1 chunk, 0 chunks added
last clearing of statistics 00:24:59
Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow
TCP-Telnet 22 0.0 157 40 2.3 37.2 11.7
TCP-X 19 0.0 11 40 0.1 0.0 14.5
TCP-other 799 0.5 21 87 11.3 6.4 14.9
UDP-DNS 1 0.0 1 61 0.0 0.0 15.0
UDP-NTP 4 0.0 1 76 0.0 0.0 15.2
UDP-other 234 0.1 585 65 91.9 22.4 15.4
ICMP 11315 7.5 2 65 17.9 1.5 15.4
IP-other 5 0.0 1 99 0.0 0.0 15.6
Total: 12399 8.3 14 67 123.6 2.3 15.4

SrcIf SrcIPaddress DstIf DstIPaddress Pr TOS Flgs Pkts
Port Msk AS Port Msk AS NextHop B/Pk Active
Fa0/0 223.186.139.111 Se0/3/0 123.234.195.132 01 00 10 2
0000 /0 0 0000 /0 0 10.117.3.250 61 0.7

Fa0/1 10.117.3.1 Null 224.0.0.5 59 00 10 166
0000 /0 0 0000 /0 0 0.0.0.0 72 1649.9

Fa0/1 10.117.3.1 Null 224.0.0.6 59 00 10 2
0000 /0 0 0000 /0 0 0.0.0.0 102 0.0

Fa0/0 223.186.155.45 Se0/3/0 123.234.195.132 01 00 10 2
0000 /0 0 0000 /0 0 10.117.3.250 61 0.6

Fa0/0 223.186.91.109 Se0/3/0 123.234.195.132 01 00 10 2
0000 /0 0 0000 /0 0 10.117.3.250 61 0.6

Fa0/1 10.17.181.8 Se0/3/0 10.117.3.81 11 00 10 62
041B /0 0 00A1 /0 0 10.117.3.250 72 78.3

Fa0/0 223.186.104.218 Se0/3/0 123.234.195.132 01 00 10 2
0000 /0 0 0000 /0 0 10.117.3.250 61 0.6

Fa0/0 223.186.104.204 Se0/3/0 123.234.195.132 01 00 10 2
router2811#

router3745#show ip cache flow
IP packet size distribution (23308970 total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.000 .405 .240 .044 .009 .016 .005 .005 .015 .001 .024 .001 .001 .005 .001

512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.002 .002 .007 .035 .173 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes
10 active, 4086 inactive, 2213925 added
32394495 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 21640 bytes
10 active, 1014 inactive, 2213925 added, 2213925 added to flow
0 alloc failures, 0 force free
1 chunk, 81 chunks added
last clearing of statistics 2w3d
Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow
TCP-Telnet 21588 0.0 12 58 0.1 2.7 9.1
TCP-FTP 222 0.0 1 44 0.0 0.4 14.5
TCP-FTPD 2 0.0 1 40 0.0 0.0 15.8
TCP-WWW 523362 0.3 9 587 3.3 3.5 6.9
TCP-SMTP 280 0.0 1 45 0.0 0.5 14.5
TCP-X 42547 0.0 1 40 0.0 0.1 14.5
TCP-BGP 12 0.0 1 56 0.0 0.0 15.5
TCP-NNTP 18 0.0 1 50 0.0 0.0 14.8
TCP-Frag 4 0.0 1 60 0.0 0.0 15.5
TCP-other 987984 0.6 13 346 9.1 2.4 6.3
UDP-DNS 112462 0.0 1 70 0.0 0.2 15.9
UDP-NTP 512 0.0 1 66 0.0 0.0 15.4
UDP-TFTP 6 0.0 18 272 0.0 0.0 15.4
UDP-other 490326 0.3 8 115 2.7 11.1 15.5
ICMP 18704 0.0 1 71 0.0 0.8 15.4
IPv6INIP 5131 0.0 6 398 0.0 4.3 15.4
Total: 2203160 1.4 10 352 15.6 4.4 9.3

SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Fa0/1 0.0.0.0 Null 255.255.255.255 11 0044 0043 243
Fa0/0 222.186.57.197 Fa0/1 172.16.63.246 06 1770 0D3D 1
Fa0/0 222.186.57.197 Fa0/1 172.16.63.247 06 1770 0D3D 1
Fa0/1 128.129.17.225 Fa0/0 128.255.255.255 11 8021 22B9 335
Fa0/1 172.16.178.108 Fa0/0 172.16.255.255 11 008A 008A 1
Fa0/0 180.149.153.11 Fa0/1 172.16.63.247 06 0050 920E 1
Fa0/1 172.16.100.9 Fa0/0 180.149.153.11 06 920F 0050 6
Fa0/0 192.168.22.170 Fa0/0 192.168.22.255 11 0089 0089 2927
Fa0/1 195.216.201.31 Fa0/0 195.216.201.255 11 008A 008A 1
Fa0/1 172.16.100.9 Local 172.16.100.254 06 C775 0017 60
router3745#show ip cache flow ?
aggregation Aggregation cache
| Output modifiers


router3745#show ip cache flow agg
router3745#show ip cache flow aggregation ?
as AS aggregation cache
as-tos AS TOS aggregation cache
bgp-nexthop-tos BGP nexthop TOS aggregation cache
destination-prefix Destination Prefix aggregation cache
destination-prefix-tos Destination Prefix TOS aggregation cache
prefix Source/Destination Prefix aggregation cache
prefix-port Source/Destination Prefix port aggregation cache
prefix-tos Source/Destination Prefix TOS aggregation cache
protocol-port Protocol and port aggregation cache
protocol-port-tos Protocol, port, TOS aggregation cache
source-prefix Source Prefix aggregation cache
source-prefix-tos Source Prefix TOS aggregation cache

router3745#show ip cache flow aggregation as
router3745#
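
The per-flow lines of show ip cache flow print the protocol and ports in hexadecimal, which makes them hard to read during triage. The following is an added example, not part of the original document: it parses the non-verbose flow lines, decodes the Pr, SrcP and DstP columns (for ICMP, NetFlow stores type and code in the destination port field), and ranks destinations by the number of distinct sources sending to them. The sample lines are copied from the router2811 output above; the K/M suffix handling for abbreviated packet counts is an assumption about how large values are printed.

```python
import re
from collections import defaultdict

# Flow lines copied from the router2811 "show ip cache flow" output above.
SAMPLE = """\
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Fa0/0 223.186.27.38 Se0/3/0 123.234.195.132 01 0000 0000 2
Fa0/1 10.117.3.1 Null 224.0.0.5 59 0000 0000 158
Fa0/0 223.186.59.78 Se0/3/0 123.234.195.132 01 0000 0000 2
Fa0/1 10.117.181.8 Se0/3/0 10.117.3.81 11 041B 00A1 23
Fa0/0 222.11.227.58 Se0/3/0 123.234.195.132 01 0000 0301 3
Fa0/0 123.70.237.81 Se0/3/0 123.234.195.143 06 C263 1398 418
Fa0/0 223.186.69.6 Se0/3/0 123.234.195.132 01 0000 0000 2
"""

# IP protocol numbers seen in the output above (the Pr column is hex).
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 89: "ospf"}
SCALE = {"K": 1000, "M": 1000000}   # assumed abbreviations for large counts

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
FLOW_RE = re.compile(
    rf"^(\S+)\s+({IPV4})\s+(\S+)\s+({IPV4})\s+"
    r"([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{4})\s+([0-9A-Fa-f]{4})\s+(\d+[KM]?)\s*$"
)


def parse_flows(text):
    """Return one dict per flow line; headers, prompts and statistics are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        src_if, src, dst_if, dst, pr, sp, dp, pkts = m.groups()
        proto = int(pr, 16)
        flow = {
            "src_if": src_if, "src": src, "dst_if": dst_if, "dst": dst,
            "proto": PROTO_NAMES.get(proto, str(proto)),
            "pkts": int(pkts.rstrip("KM")) * SCALE.get(pkts[-1], 1),
        }
        if proto == 1:
            # ICMP has no ports: high byte of DstP = type, low byte = code.
            value = int(dp, 16)
            flow["icmp_type"], flow["icmp_code"] = value >> 8, value & 0xFF
        else:
            flow["sport"], flow["dport"] = int(sp, 16), int(dp, 16)
        flows.append(flow)
    return flows


def fan_in(flows):
    """Rank destinations by distinct sources; rows are (dst, sources, packets)."""
    sources, packets = defaultdict(set), defaultdict(int)
    for f in flows:
        sources[f["dst"]].add(f["src"])
        packets[f["dst"]] += f["pkts"]
    rows = [(dst, len(srcs), packets[dst]) for dst, srcs in sources.items()]
    return sorted(rows, key=lambda r: (-r[1], -r[2], r[0]))


if __name__ == "__main__":
    for dst, n_src, pkts in fan_in(parse_flows(SAMPLE)):
        print(f"{dst:<16} sources={n_src:<3} packets={pkts}")
```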

1.7. Check whether Full Flow is in effect; note the route-cache line
router2811#show ip inter fa0/0
FastEthernet0/0 is up, line protocol is up
Internet address is 10.117.3.246/30
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.5 224.0.0.6
Outgoing access list is not set
Inbound access list is DenyVirus
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are never sent
ICMP unreachables are never sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF, Full Flow
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
Input features: Ingress-NetFlow, Access List, CAR, MCI Check
Output features: CAR, Post-Ingress-NetFlow
Post encapsulation features: CAR
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
router2811#show ip inter fa0/1
FastEthernet0/1 is up, line protocol is up
Internet address is 10.117.3.5/27
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.5 224.0.0.6
Outgoing access list is not set
Inbound access list is DenyVirus
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF, Full Flow
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
Input features: Ingress-NetFlow, Access List, MCI Check
Output features: Post-Ingress-NetFlow
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
router2811#show ip inter se0/3/0
Serial0/3/0 is up, line protocol is up
Internet address is 10.117.3.249/30
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.5
Outgoing access list is not set
Inbound access list is DenyVirus
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are never sent
ICMP unreachables are never sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is enabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
Input features: Access List, MCI Check
Output features: Post-Ingress-NetFlow
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
router2811#

router3745#show ip inter
FastEthernet0/0 is up, line protocol is up
Internet address is 172.16.63.247/24
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are never sent
ICMP unreachables are never sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is enabled
IP CEF switching is enabled
IP CEF Flow Fast switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, Flow cache, CEF, Full Flow, Subint Flow
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is enabled, interface in domain outside
BGP Policy Mapping is disabled
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
FastEthernet0/1 is up, line protocol is up
Internet address is 172.16.100.254/24
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are never sent
ICMP unreachables are never sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is enabled
IP CEF switching is enabled
IP CEF Flow Fast switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, Flow cache, CEF, Full Flow, Subint Flow
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is enabled, interface in domain inside
BGP Policy Mapping is disabled
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
NVI0 is up, line protocol is up
Interface is unnumbered. Using address of NVI0 (0.0.0.0)
Broadcast address is 255.255.255.255
MTU is 1514 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is disabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is disabled
IP Null turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
router3745#

1.8. Change Full Flow to sampled flow
router2811(config)# ip cef
router2811(config)# flow-sampler-map my-map
router2811(config-sampler)# mode random one-out-of 100
router2811(config-sampler)# interface ethernet 0/0
router2811(config-if)# no ip route-cache flow
router2811(config-if)# ip route-cache cef
router2811(config-if)# flow-sampler my-map
router2811#sh ip inter fa0/0
FastEthernet0/0 is up, line protocol is up
Internet address is 10.117.3.246/30
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.5 224.0.0.6
Outgoing access list is not set
Inbound access list is 101
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are never sent
ICMP unreachables are never sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
Input features: Ingress-NetFlow, Access List, CAR, MCI Check
Output features: CAR, Post-Ingress-NetFlow
Post encapsulation features: CAR
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
router2811#

3. A Cisco 2811 configuration example
router2811#sh ver
Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 15.1(1)XB, RELEASE SOFTWARE (fc1)
Technical Support: /techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Mon 21-Dec-09 01:14 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T11, RELEASE SOFTWARE (fc1)

router2811 uptime is 1 year, 39 weeks, 6 days, 4 hours, 2 minutes
System returned to ROM by power-on
System restarted at 11:57:40 HKT Fri Sep 21 2012
System image file is "flash:c2800nm-adventerprisek9-mz.151-1.XB.bin"

This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use.
Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws.
By using this product you agree to comply with applicable laws and regulations.
If you are unable to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at: /wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to export@.

Cisco 2811 (revision 53.51) with 512000K/12288K bytes of memory.
Processor board ID FGL151412FL
2 FastEthernet interfaces
2 Serial(sync/async) interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
191K bytes of non-volatile configuration memory.
126000K bytes of ATA CompactFlash (Read/Write)

License Info:

License UDI:
-------------------------------------------------
Device# PID SN
-------------------------------------------------
*0 CISCO2811 FGL151412FL

Configuration register is 0x2102

router2811#sh run

Building configuration...

Current configuration : 4595 bytes
!
! Last configuration change at 15:28:23 HKT Wed Aug 14 2013
! NVRAM config last updated at 15:26:59 HKT Wed Aug 14 2013
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router2811
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
no logging console
no logging monitor
enable secret 5 $1$DNiI$0FqEe6na0KhRRhhCNyRvd0
!
no aaa new-model
!
clock timezone HKT 8
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
no ip domain lookup
ipv6 unicast-routing
ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
flow-sampler-map 10
mode random one-out-of 10
vpdn enable
!
vpdn-group l2tpd
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 8
lcp renegotiation always
no l2tp tunnel authentication
l2tp tunnel timeout no-session 15
!
vpdn-group pptpd
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 3
lcp renegotiation always
l2tp tunnel timeout no-session 15
!
!
!
!
!
!
!
!
voice-card 0
!
!
!
!
!
license udi pid CISCO2811 sn FGL151412FL
username cisco privilege 15 password 0 cisco
!
redundancy
!
!
crypto ikev2 diagnose error 50
!
!
ip finger
!
class-map match-all fordcme
match access-group name fordcme
!
!
policy-map HK-TK
class fordcme
priority percent 30
policy-map fordcme
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
bandwidth 4096
ip address 10.117.3.246 255.255.255.252
ip access-group DenyVirus in
no ip redirects
no ip unreachables
ip flow ingress
rate-limit input 512000 1500 2000 conform-action transmit exceed-action drop
rate-limit output 512000 1500 2000 conform-action transmit exceed-action drop
duplex auto
speed auto
fair-queue
no mop enabled
!
interface FastEthernet0/1
ip address 10.117.3.5 255.255.255.224
ip access-group DenyVirus in
ip flow ingress
duplex auto
speed auto
!
interface Serial0/3/0
bandwidth 5000
ip address 10.117.3.249 255.255.255.252
ip access-group DenyVirus in
no ip redirects
no ip unreachables
no keepalive
hold-queue 4096 out
!
interface Serial0/3/1
no ip address
shutdown
!
interface Virtual-Template3
ip unnumbered FastEthernet0/1
no logging event link-status
peer default ip address pool pptpd
compress mppc
ppp authentication ms-chap-v2 ms-chap chap pap
ppp multilink
!
interface Virtual-Template8
ip unnumbered FastEthernet0/1
no logging event link-status
peer default ip address pool l2tpd
compress mppc
ppp authentication ms-chap-v2 ms-chap chap pap
ppp multilink
!
router ospf 1
log-adjacency-changes
network 10.117.3.0 0.0.0.255 area 0
!
ip local pool pptpd 10.117.3.21 10.117.3.25
ip local pool l2tpd 10.117.3.26 10.117.3.30
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip flow-export source FastEthernet0/1
ip flow-export version 5
ip flow-export destination 10.119.159.38 9090
!
ip route 0.0.0.0 0.0.0.0 10.117.3.245
ip route 10.0.0.0 255.0.0.0 10.117.3.2
ip route 10.117.3.80 255.255.255.248 10.117.3.250
ip route 10.117.3.96 255.255.255.248 10.117.3.250
!
ip access-list extended DenyVirus
deny udp any any eq netbios-ns
deny udp any any eq netbios-dgm
deny udp any any eq 1434
deny udp any eq netbios-ns any
deny udp any eq netbios-dgm any
deny udp any eq 1434 any
deny tcp any any eq 135
deny tcp any any eq 139
deny tcp any any eq 445
deny tcp any eq 135 any
deny tcp any eq 139 any
deny tcp any eq 445 any
permit ospf any any
permit icmp any any
permit gre any any
permit tcp any any
permit udp any any
permit ip any any
ip access-list extended fordcme
permit ip host 10.117.3.37 host 10.117.3.83
!
no logging trap
!
!
!
!
snmp-server community public RO
snmp-server ifindex persist
snmp-server trap-source FastEthernet0/1
snmp-server location HK
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
!
control-plane
!
!
!
!
!
!
!
!
line con 0
password cisco
login
line aux 0
password cisco
login
line vty 0 4
password cisco
login
transport input all
!
scheduler allocate 20000 1000
ntp server 10.30.1.105
end

router2811#

3. A Cisco 3745 configuration example
router3745# sh ver
Cisco IOS Software, 3700 Software (C3745-ADVSECURITYK9-M), Version 12.4(25d), RELEASE SOFTWARE (fc1)
Technical Support: /techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Wed 18-Aug-10 08:18 by prod_rel_team

ROM: System Bootstrap, Version 12.3(6r) [cmong 6r], RELEASE SOFTWARE (fc1)

router3745 uptime is 10 weeks, 5 days, 2 hours, 6 minutes
System returned to ROM by reload at 00:05:50 UTC Fri Mar 1 2002
System restarted at 14:14:15 Shanghai Sat Feb 24 2013
System image file is "flash:/c3745-advsecurityk9-mz.124-25d.bin"

This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use.
Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws.
By using this product you agree to comply with applicable laws and regulations.
If you are unable to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at: /wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to export@.

Cisco 3745 (R7000) processor (revision 2.0) with 243712K/18432K bytes of memory.
Processor board ID FTX1108A1AM
R7000 CPU at 350MHz, Implementation 39, Rev 3.3, 256KB L2, 2048KB L3 Cache
2 FastEthernet interfaces
DRAM configuration is 64 bits wide with parity disabled.
151K bytes of NVRAM.
31360K bytes of ATA System CompactFlash (Read/Write)

Configuration register is 0x2102

router3745#sh run
Building configuration...

Current configuration : 2582 bytes
!
! Last configuration change at 16:23:29 Shanghai Fri May 10 2013 by cisco
! NVRAM config last updated at 16:39:59 Shanghai Fri May 10 2013 by cisco
!
version 12.4
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname router3745
!
boot-start-marker
boot system flash:/c3745-advsecurityk9-mz.124-25d.bin
boot-end-marker
!
logging buffered 4194304 debugging
no logging console
no logging monitor
!
no aaa new-model
clock timezone Shanghai 8
clock save interval 8
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
no ip domain lookup
!
!
!
!
username cisco privilege 15 secret 5 $1$wJN1$ufsPnRdNErXx1HGtK0kHi1
!
!
!
!
!
!
interface FastEthernet0/0
description Internet
ip address 172.16.63.247 255.255.255.0
no ip redirects
no ip unreachables
ip flow ingress
ip nat outside
ip virtual-reassembly max-fragments 64 max-reassemblies 64
ip route-cache flow
duplex auto
speed auto
!
interface FastEthernet0/1
description UNIV
ip address 172.16.100.254 255.255.255.0
no ip redirects
no ip unreachables
ip flow ingress
ip nat inside
ip virtual-reassembly max-fragments 64 max-reassemblies 64
ip route-cache flow
duplex auto
speed auto
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.16.63.1
ip flow-export source FastEthernet0/1
ip flow-export version 5 peer-as
ip flow-export destination 172.16.100.8 2055
!
no ip http server
no ip http secure-server
ip nat inside source list 101 interface FastEthernet0/0 overload
ip nat inside source static 172.16.100.2 interface FastEthernet0/0
ip nat inside source static tcp 172.16.100.10 22 172.16.63.245 22 extendable
ip nat inside source static tcp 172.16.100.10 80 172.16.63.245 80 extendable
ip nat inside source static tcp 172.16.100.9 7900 172.16.63.245 7900 extendable
ip nat inside source static tcp 172.16.100.8 13579 172.16.63.245 13579 extendable
ip nat inside source static tcp 172.16.100.7 22228 172.16.63.245 22228 extendable
ip nat inside source static tcp 172.16.100.7 22229 172.16.63.245 22229 extendable
ip nat inside source static 172.16.100.5 172.16.63.246 extendable
!
no logging trap
access-list 2 permit 172.16.100.2
access-list 101 permit ip 172.16.100.0 0.0.0.255 any
snmp-server community public RO
no cdp run
!
!
control-plane
!
!
!
line con 0
login local
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet
line vty 5 15
privilege level 15
login local
transport input telnet
!
!
end

router3745#exit
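
Section 1.1 states that NetFlow needs ip cef plus a per-interface flow command, and in the 2811 configuration above Serial0/3/0 carries no flow command while flow-sampler-map 10 is defined but never applied. The following is an added example, not part of the original document: a check that reads a running-config and reports, per interface, whether flows are collected in full, sampled, or not at all, together with the export settings. The sample configuration is a constructed excerpt reduced from the router2811 configuration above; the function name and report format are hypothetical.

```python
import re

# Constructed excerpt, reduced from the router2811 running-config above.
SAMPLE_CONFIG = """\
ip cef
!
flow-sampler-map 10
 mode random one-out-of 10
!
interface FastEthernet0/0
 ip address 10.117.3.246 255.255.255.252
 ip flow ingress
!
interface FastEthernet0/1
 ip address 10.117.3.5 255.255.255.224
 ip flow ingress
!
interface Serial0/3/0
 ip address 10.117.3.249 255.255.255.252
!
interface Serial0/3/1
 no ip address
 shutdown
!
ip flow-export source FastEthernet0/1
ip flow-export version 5
ip flow-export destination 10.119.159.38 9090
"""

FULL_FLOW = {"ip flow ingress", "ip flow egress", "ip route-cache flow"}


def audit_netflow(config):
    """Summarise NetFlow coverage; works on indented or flattened configs."""
    cef, version, source, dests, maps = False, None, None, [], []
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!" or not line:
            current = None                 # "!" closes an interface block
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line)
        elif line == "ip cef" or line.startswith("ip cef "):
            cef = True
        elif m := re.fullmatch(r"flow-sampler-map (\S+)", line):
            maps.append(m.group(1))
        elif m := re.fullmatch(r"ip flow-export version (\d+)(?: .*)?", line):
            version = int(m.group(1))
        elif m := re.fullmatch(r"ip flow-export source (\S+)", line):
            source = m.group(1)
        elif m := re.fullmatch(r"ip flow-export destination (\S+) (\d+)(?: .*)?", line):
            dests.append((m.group(1), int(m.group(2))))

    modes, used_maps = {}, set()
    for name, lines in interfaces.items():
        if "shutdown" in lines or "no ip address" in lines:
            continue                       # not forwarding IP traffic
        samplers = [l.split()[1] for l in lines if l.startswith("flow-sampler ")]
        used_maps.update(samplers)
        if FULL_FLOW & set(lines):
            modes[name] = "full"
        elif samplers:
            modes[name] = "sampled:" + samplers[0]
        else:
            modes[name] = "none"

    findings = []
    collecting = [n for n, mode in modes.items() if mode != "none"]
    if collecting and not cef:
        findings.append("ip cef is not enabled, so NetFlow will not take effect")
    if collecting and not dests:
        findings.append("flows are cached but no ip flow-export destination is set")
    for name in maps:
        if name not in used_maps:
            findings.append(f"flow-sampler-map {name} is defined but not applied")
    for name, mode in modes.items():
        if mode == "none":
            findings.append(f"{name}: no NetFlow collection on this interface")
    return {"cef": cef, "version": version, "source": source,
            "destinations": dests, "interfaces": modes, "findings": findings}


if __name__ == "__main__":
    report = audit_netflow(SAMPLE_CONFIG)
    print(report["interfaces"])
    print("\n".join(report["findings"]))
```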
