NEC IX2015 configuration essentials and sample configuration


Notes on the main commands

Setting the time

Router(config)# timezone 9 
Router(config)# ntp retry 3 
Router(config)# ntp interval 3600 
Router(config)# clock 16 01 0 3 1 2010 
Router(config)# show clock 
Sunday, 3 January 2010 16:01:28 +09 00

Hostname setting (optional)

Router(config)# hostname cu 
cu(config)#

Saving the configuration

Router(config)# write memory 
Building configuration… 
% Warning: do NOT enter CNTL/Z while saving to avoid config corruption. 
Router(config)#

Checking interface status

Router(config)# show interfaces FastEthernet0/0.0 
Interface FastEthernet0/0.0 is administratively down 
  Fundamental MTU is 1500 octets 
  Current bandwidth 100M b/s, QoS is disabled 
  Datalink header cache type is none: 0/0 (standby/dynamic) 
  SNMP MIB-2: 
    ifIndex is 518 
  Logical INTERFACE: 
    Elapsed time after clear counters 0:11:00 
    0 packets input, 0 bytes, 0 errors 
      0 unicasts, 0 non-unicasts, 1 unknown protos 
      0 drops, 0 misc errors 
    0 output requests, 0 bytes, 0 errors 
      0 unicasts, 0 non-unicasts 
      0 overflows, 0 neighbor unreachable, 0 misc errors 
    1 link-up detected, 0 link-down detected 
  Encapsulation ETHERNET: 
    State is initialized 
  FastEthernet status: 
    Physical address is 00:30:13:36:ce:03 
    Port status is up 
    Full-duplex, 100M b/s, 100BaseTX 
    Promiscuous mode is disabled 
    Statistics: 
      Rx errors: 
        0 alignment errors, 0 CRC errors 
        0 long frames, 0 short frames, 0 overflows 
      Tx errors: 
        0 single collisions, 0 multiple collisions 
        0 excessive collisions, 0 late collisions 
        0 deferred transmissions, 0 carrier sense errors 
        0 underflows 
Router(config)#
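As an added example (not from the original post), here is a small Python parser for the `show interfaces` output above. It extracts the administrative state, the physical port status and every counter, keyed by the section it appears in, and then flags what a monitoring script would want to see: in the sample, the interface being administratively down while the port is physically up, and the non-zero "unknown protos" count. The sample text is a copy of the output shown above; the section names ("input", "output", "rx", "tx", "link") and the list of error words are the example's own choices.

```python
import re

# Constructed sample: the "show interfaces FastEthernet0/0.0" output from the
# page, embedded here so the parser runs offline.
SAMPLE_OUTPUT = """\
Interface FastEthernet0/0.0 is administratively down
  Fundamental MTU is 1500 octets
  Current bandwidth 100M b/s, QoS is disabled
  Datalink header cache type is none: 0/0 (standby/dynamic)
  SNMP MIB-2:
    ifIndex is 518
  Logical INTERFACE:
    Elapsed time after clear counters 0:11:00
    0 packets input, 0 bytes, 0 errors
      0 unicasts, 0 non-unicasts, 1 unknown protos
      0 drops, 0 misc errors
    0 output requests, 0 bytes, 0 errors
      0 unicasts, 0 non-unicasts
      0 overflows, 0 neighbor unreachable, 0 misc errors
    1 link-up detected, 0 link-down detected
  Encapsulation ETHERNET:
    State is initialized
  FastEthernet status:
    Physical address is 00:30:13:36:ce:03
    Port status is up
    Full-duplex, 100M b/s, 100BaseTX
    Promiscuous mode is disabled
    Statistics:
      Rx errors:
        0 alignment errors, 0 CRC errors
        0 long frames, 0 short frames, 0 overflows
      Tx errors:
        0 single collisions, 0 multiple collisions
        0 excessive collisions, 0 late collisions
        0 deferred transmissions, 0 carrier sense errors
        0 underflows
"""

# "<number> <counter name>" pairs, separated by commas or ending the line.
_COUNTER_RE = re.compile(r"(\d+)\s+([A-Za-z][A-Za-z -]*?)\s*(?:,|$)")

# Counter names that should normally stay at zero on a healthy link.
_ERROR_WORDS = ("error", "drop", "unknown", "collision", "overflow", "underflow",
                "unreachable", "alignment", "frames", "link-down")


def parse_show_interfaces(text):
    """Return {'name', 'admin_state', 'port_status', 'counters': {section.name: int}}."""
    parsed = {"counters": {}}
    section = "general"  # section prefix disambiguates e.g. input vs output 'errors'
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Interface (\S+) is (.+)$", line)
        if m:
            parsed["name"], parsed["admin_state"] = m.group(1), m.group(2)
            continue
        m = re.match(r"Port status is (\S+)$", line)
        if m:
            parsed["port_status"] = m.group(1)
            continue
        if re.match(r"\d+ packets input", line):
            section = "input"
        elif re.match(r"\d+ output requests", line):
            section = "output"
        elif re.match(r"\d+ link-up detected", line):
            section = "link"
        elif line == "Rx errors:":
            section = "rx"
        elif line == "Tx errors:":
            section = "tx"
        for value, name in _COUNTER_RE.findall(line):
            key = f"{section}.{name.strip().lower().replace(' ', '_')}"
            parsed["counters"][key] = int(value)
    return parsed


def find_anomalies(parsed):
    """List the conditions an operator would want to look at."""
    findings = []
    if parsed.get("admin_state") == "administratively down" and parsed.get("port_status") == "up":
        findings.append("interface is administratively down although the port is physically up")
    for key, value in sorted(parsed["counters"].items()):
        if value and any(word in key for word in _ERROR_WORDS):
            findings.append(f"{key} = {value}")
    return findings


if __name__ == "__main__":
    result = parse_show_interfaces(SAMPLE_OUTPUT)
    print(result["name"], result["admin_state"], "/ port", result["port_status"])
    for finding in find_anomalies(result):
        print("  !", finding)
```

Feeding the script the output of a scheduled `show interfaces` and diffing the flagged counters over time is enough to catch a flapping link or a duplex mismatch long before users report it.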

Static IP on FE0/0

Router(config)# interface FastEthernet0/0.0 
Router(config-FastEthernet0/0.0)# ip address 192.168.0.1/24 
Router(config-FastEthernet0/0.0)# ipv6 address autoconfig 
Router(config-FastEthernet0/0.0)# no shutdown 
Router(config-FastEthernet0/0.0)# show ip address

DHCP on FE0/1

Router(config)# interface FastEthernet0/1.0 
Router(config-FastEthernet0/1.0)# ip address dhcp 
Router(config-FastEthernet0/1.0)# ipv6 address autoconfig 
Router(config-FastEthernet0/1.0)# no shutdown 
Router(config-FastEthernet0/1.0)# show ip address 
Router(config-FastEthernet0/1.0)# ip nat enable

NAT settings

Router(config)# interface FastEthernet0/1.0 
Router(config-FastEthernet0/1.0)# ip nat translation timeout 3600 
Router(config-FastEthernet0/1.0)# ip nat dynamic list lan pool abc 
Router(config-FastEthernet0/1.0)# ip nat enable

Telnet server

Router(config)# ip access-list lan permit ip src 192.168.0.0/24 dest any 
Router(config)# telnet-server ip access-list lan 
Router(config)# telnet-server ip enable

Default route setting

Router(config)# ip route default FastEthernet0/1.0 dhcp

NTP server settings

Router(config)# ntp server 133.27.4.121 
Router(config)# ntp server 210.173.160.27 
Router(config)# ntp ip enable

DHCP server settings

Router(config)# ip dhcp profile lan 
Router(config-dhcp-lan)# assignable-range 192.168.0.100 192.168.0.254 
Router(config-dhcp-lan)# subnet-mask 255.255.255.0 
Router(config-dhcp-lan)# dns-server 192.168.0.1 
Router(config-dhcp-lan)# exit 
Router(config)# ip dhcp enable 
Router(config)# interface FastEthernet0/0.0 
Router(config-FastEthernet0/0.0)# ip dhcp binding lan 
Router(config-FastEthernet0/0.0)# exit

DNS proxy settings

Router(config)# dns cache enable 
Router(config)# proxy-dns ip enable 
Router(config)# proxy-dns ipv6 enable

Enabling the UFS cache

The UFS cache (Unified Forwarding Service Cache) is a fast-forwarding cache mechanism that takes effect when services such as filtering, NAT/NAPT and IPsec are in use; it is a feature specific to the IX1000/2000/3000 series. The UFS cache improves scalability for multi-stage filter configurations, multiple IPsec configurations and the like. From Ver. 4.2 it can be configured separately for IPv4 and IPv6. From Ver. 4.3 it is also applied to policy routing, and from Ver. 7.3 to QoS and dynamic filters as well.

Router(config)# ip ufs-cache enable

Filtering settings

ip access-list strict-block deny tcp src any sport any dest any dport eq 137 
ip access-list strict-block deny udp src any sport any dest any dport eq 137 
ip access-list strict-block deny udp src any sport any dest any dport eq 138 
ip access-list strict-block deny tcp src any sport any dest any dport eq 139 
ip access-list strict-block deny tcp src any sport any dest any dport eq 445 
ip access-list strict-block deny udp src any sport any dest any dport eq 445
ip access-list weak-block deny tcp src any sport any dest any dport eq 1 
ip access-list weak-block deny udp src any sport any dest any dport eq 1 
ip access-list weak-block deny tcp src any sport any dest any dport eq 11 
ip access-list weak-block deny udp src any sport any dest any dport eq 11 
ip access-list weak-block deny tcp src any sport any dest any dport eq 15 
ip access-list weak-block deny udp src any sport any dest any dport eq 15 
ip access-list weak-block deny tcp src any sport any dest any dport eq 70 
ip access-list weak-block deny udp src any sport any dest any dport eq 70 
ip access-list weak-block deny tcp src any sport any dest any dport eq 79 
ip access-list weak-block deny udp src any sport any dest any dport eq 79 
ip access-list weak-block deny tcp src any sport any dest any dport eq 87 
ip access-list weak-block deny udp src any sport any dest any dport eq 87 
ip access-list weak-block deny tcp src any sport any dest any dport eq 95 
ip access-list weak-block deny udp src any sport any dest any dport eq 95 
ip access-list weak-block deny tcp src any sport any dest any dport eq 111 
ip access-list weak-block deny udp src any sport any dest any dport eq 111 
ip access-list weak-block deny tcp src any sport any dest any dport eq 135 
ip access-list weak-block deny udp src any sport any dest any dport eq 135 
ip access-list weak-block deny tcp src any sport any dest any dport eq 144 
ip access-list weak-block deny udp src any sport any dest any dport eq 144 
ip access-list weak-block deny tcp src any sport any dest any dport eq 161 
ip access-list weak-block deny udp src any sport any dest any dport eq 161 
ip access-list weak-block deny tcp src any sport any dest any dport eq 162 
ip access-list weak-block deny udp src any sport any dest any dport eq 162 
ip access-list weak-block deny tcp src any sport any dest any dport eq 177 
ip access-list weak-block deny udp src any sport any dest any dport eq 177 
ip access-list weak-block deny tcp src any sport any dest any dport eq 220 
ip access-list weak-block deny udp src any sport any dest any dport eq 220 
ip access-list weak-block deny tcp src any sport any dest any dport eq 445 
ip access-list weak-block deny udp src any sport any dest any dport eq 445 
ip access-list weak-block deny tcp src any sport any dest any dport eq 512 
ip access-list weak-block deny udp src any sport any dest any dport eq 512 
ip access-list weak-block deny tcp src any sport any dest any dport eq 513 
ip access-list weak-block deny udp src any sport any dest any dport eq 513 
ip access-list weak-block deny tcp src any sport any dest any dport eq 514 
ip access-list weak-block deny udp src any sport any dest any dport eq 514 
ip access-list weak-block deny tcp src any sport any dest any dport eq 515 
ip access-list weak-block deny udp src any sport any dest any dport eq 515 
ip access-list weak-block deny tcp src any sport any dest any dport eq 517 
ip access-list weak-block deny udp src any sport any dest any dport eq 517 
ip access-list weak-block deny tcp src any sport any dest any dport eq 518 
ip access-list weak-block deny udp src any sport any dest any dport eq 518 
ip access-list weak-block deny tcp src any sport any dest any dport eq 520 
ip access-list weak-block deny udp src any sport any dest any dport eq 520 
ip access-list weak-block deny tcp src any sport any dest any dport eq 540 
ip access-list weak-block deny udp src any sport any dest any dport eq 540 
ip access-list weak-block deny tcp src any sport any dest any dport eq 1025 
ip access-list weak-block deny udp src any sport any dest any dport eq 1025 
ip access-list weak-block deny tcp src any sport any dest any dport eq 2000 
ip access-list weak-block deny udp src any sport any dest any dport eq 2000 
ip access-list weak-block deny tcp src any sport any dest any dport eq 2049 
ip access-list weak-block deny udp src any sport any dest any dport eq 2049 
ip access-list weak-block deny tcp src any sport any dest any dport eq 2766 
ip access-list weak-block deny udp src any sport any dest any dport eq 2766 
ip access-list weak-block deny tcp src any sport any dest any dport range 6000 6063 
ip access-list weak-block deny udp src any sport any dest any dport range 6000 6063 
ip access-list weak-block deny tcp src any sport any dest any dport eq 12345 
ip access-list weak-block deny udp src any sport any dest any dport eq 12345
ip access-list specialuse deny ip src 0.0.0.0/8 dest any 
ip access-list specialuse deny ip src 10.0.0.0/8 dest any 
ip access-list specialuse deny ip src 172.16.0.0/12 dest any 
ip access-list specialuse deny ip src 192.168.0.0/16 dest any 
ip access-list specialuse deny ip src 127.0.0.0/8 dest any 
ip access-list specialuse deny ip src 169.254.0.0/16 dest any 
ip access-list specialuse deny ip src 192.0.2.0/24 dest any 
ip access-list specialuse deny ip src 224.0.0.0/3 dest any 
ip access-list specialuse deny ip src 198.18.0.0/15 dest any 
ip access-list mynetwork permit ip src 192.168.0.0/24 dest any 
ip access-list all-pass permit ip src any dest any 
ip filter forced-reassembly
interface FastEthernet0/1.0 
ip filter all-pass 65000 in 
ip filter all-pass 65000 out 
ip filter mynetwork 50 out 
ip filter strict-block 1 in 
ip filter strict-block 1 out 
ip filter weak-block 100 in 
ip filter weak-block 100 out 
ip filter specialuse 101 in 
ip filter specialuse 101 out
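An added example, not part of the original post or of NEC's software: a Python simulator for the filter chain above. It parses the access lists and the per-interface `ip filter` bindings and reports which list decides the verdict for a given packet. The model is the example's own, not documented IX behaviour: lists are walked in ascending priority number, the first matching entry wins, and a packet matched by no entry is dropped (which is why the page binds all-pass at 65000); NAT processing order and source ports are not modelled, and the embedded lists are a trimmed excerpt of the page's. Run against that excerpt it shows the ordering effect worth knowing about: on the out direction mynetwork (50) permits LAN-sourced traffic before weak-block (100) is consulted, so under this model weak-block only acts on inbound traffic and on outbound traffic from other source addresses.

```python
import ipaddress

# Constructed excerpt of the page's access lists and of the FastEthernet0/1.0
# filter bindings, trimmed to a few representative entries.
ACCESS_LISTS = """\
ip access-list strict-block deny tcp src any sport any dest any dport eq 445
ip access-list strict-block deny udp src any sport any dest any dport eq 137
ip access-list weak-block deny tcp src any sport any dest any dport eq 135
ip access-list weak-block deny udp src any sport any dest any dport eq 161
ip access-list weak-block deny tcp src any sport any dest any dport range 6000 6063
ip access-list specialuse deny ip src 10.0.0.0/8 dest any
ip access-list specialuse deny ip src 192.168.0.0/16 dest any
ip access-list mynetwork permit ip src 192.168.0.0/24 dest any
ip access-list all-pass permit ip src any dest any
"""

INTERFACE_FILTERS = """\
ip filter all-pass 65000 in
ip filter all-pass 65000 out
ip filter mynetwork 50 out
ip filter strict-block 1 in
ip filter strict-block 1 out
ip filter weak-block 100 in
ip filter weak-block 100 out
ip filter specialuse 101 in
ip filter specialuse 101 out
"""


def parse_access_lists(text):
    """Parse 'ip access-list NAME ACTION PROTO src S [sport P] dest D [dport eq N | range A B]'."""
    lists = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[:2] != ["ip", "access-list"]:
            continue
        name = tok[2]
        entry = {"action": tok[3], "proto": tok[4], "src": "any", "dst": "any", "dport": None}
        i = 5
        while i < len(tok):
            if tok[i] == "src":
                entry["src"], i = tok[i + 1], i + 2
            elif tok[i] == "dest":
                entry["dst"], i = tok[i + 1], i + 2
            elif tok[i] == "sport":  # the page only uses 'sport any'; not matched here
                i += 2
            elif tok[i] == "dport" and tok[i + 1] == "eq":
                port = int(tok[i + 2])
                entry["dport"], i = (port, port), i + 3
            elif tok[i] == "dport" and tok[i + 1] == "range":
                entry["dport"], i = (int(tok[i + 2]), int(tok[i + 3])), i + 4
            else:
                i += 1
        lists.setdefault(name, []).append(entry)
    return lists


def parse_interface_filters(text):
    """Return {'in': [(prio, list_name), ...], 'out': [...]} sorted by priority number."""
    bindings = {"in": [], "out": []}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) == 5 and tok[:2] == ["ip", "filter"]:
            bindings[tok[4]].append((int(tok[3]), tok[2]))
    return {direction: sorted(b) for direction, b in bindings.items()}


def _addr_matches(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _entry_matches(entry, pkt):
    if entry["proto"] != "ip" and entry["proto"] != pkt["proto"]:
        return False
    if not (_addr_matches(entry["src"], pkt["src"]) and _addr_matches(entry["dst"], pkt["dst"])):
        return False
    if entry["dport"] is not None:
        lo, hi = entry["dport"]
        port = pkt.get("dport")
        if port is None or not lo <= port <= hi:
            return False
    return True


def evaluate(lists, bindings, direction, pkt):
    """Return (verdict, deciding_list). Assumed semantics: lists are walked in
    ascending priority number, first match wins, no match means drop."""
    for _prio, name in bindings[direction]:
        for entry in lists.get(name, []):
            if _entry_matches(entry, pkt):
                return entry["action"], name
    return "deny", None


if __name__ == "__main__":
    lists = parse_access_lists(ACCESS_LISTS)
    bindings = parse_interface_filters(INTERFACE_FILTERS)
    for direction, pkt in [
        ("out", {"proto": "tcp", "src": "192.168.0.10", "dst": "203.0.113.5", "dport": 445}),
        ("out", {"proto": "tcp", "src": "192.168.0.10", "dst": "203.0.113.5", "dport": 135}),
        ("in", {"proto": "tcp", "src": "10.1.2.3", "dst": "192.168.0.1", "dport": 80}),
        ("in", {"proto": "udp", "src": "203.0.113.9", "dst": "192.168.0.1", "dport": 161}),
        ("in", {"proto": "icmp", "src": "203.0.113.9", "dst": "192.168.0.1"}),
    ]:
        print(direction, pkt, "->", evaluate(lists, bindings, direction, pkt))
```

The sample packets are constructed; the two outbound ones differ only in destination port, and the second shows mynetwork, not weak-block, making the decision. Paste the full access lists from the page into `ACCESS_LISTS` to check a planned change against the whole chain before committing it with `write memory`.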

Restarting

# Load the startup config and clear DRAM 
restart
# Reload the program, load the startup config and clear DRAM 
reload

Something odd
Even though ip filter is denying the traffic, NAT table entries still get created. I wondered whether the packets were actually passing through the filter, but they are being dropped properly. A mystery.

Where it falls short
The WAN-side interface gets its IP from the ISP via DHCP, but the lease is 6 hours.
Every 6 hours the interface releases its IP and goes down once, so the whole NAPT table is cleared as well. The IP that gets reassigned is the same one, which makes this very inconvenient.


Excellent stability
It has been in operation for a month and has been running without a single reboot.

Change history
2010/2/23: Removed the DHCP filters.
The removed lines are below.

ip access-list weak-block deny tcp src any sport any dest any dport eq 67
ip access-list weak-block deny udp src any sport any dest any dport eq 67
ip access-list weak-block deny tcp src any sport any dest any dport eq 68
ip access-list weak-block deny udp src any sport any dest any dport eq 68

Addendum 2018/9/21

This article gets quite a bit of traffic, but these days the IX2015 is underpowered spec-wise, so using an RTX1200 is the better option.

Addendum 2022/2/8

NEC does still make successor models in a small way, so if you like NEC, go with one of these. Personally I recommend YAMAHA.

NEC BE117769 5-year free warranty VPN-capable high-speed access router UNIVERGE IX2106
NEC VPN-capable high-speed access router
