Cisco configuration review memo

# Show one neighbor in detail (session state, capabilities, prefix counters)
show ip bgp neighbors <peer-ip>

# Reject a default route from a peer
# A prefix-list ends with an implicit deny, so on its own this blocks every prefix. Add a trailing permit entry (or merge it into the list that permits the rest) before applying it with "neighbor ... prefix-list ... in".
ip prefix-list DEFAULT-ROUTE-v4 seq 5 deny 0.0.0.0/0
ipv6 prefix-list DEFAULT-ROUTE-v6 seq 5 deny ::/0

# Re-run inbound policy for this peer without tearing the session down (needs route-refresh support on the peer, or "soft-reconfiguration inbound" configured locally)
clear ip bgp <peer-ip> soft in

# Check BGP session state for all peers (the State/PfxRcd column must show a prefix count, not a state name)
show ip bgp summary
show bgp ipv6 unicast summary

# Show only the BGP section of the running config
show running-config | section router bgp

# Show BGP neighbors per address family
show bgp ipv6 unicast neighbors <peer-ipv6>
show bgp ipv4 unicast neighbors <peer-ipv4>

# Interface status and addresses
show ip interface brief

# Show the routes advertised to a peer
show bgp ipv6 unicast neighbors <peer-ipv6> advertised-routes
show bgp ipv4 unicast neighbors <peer-ipv4> advertised-routes

router bgp 65000
 no bgp enforce-first-as  # stop rejecting paths whose first AS is not the peer's AS (on by default; see the IX note below)
 neighbor <peer-ipv4> default-originate  # advertise a default route to this peer

Cisco router not receiving the IX routing table

While helping someone configure a Cisco router I hit a snag: after digging through the docs for ages I found that the ASR has bgp enforce-first-as enabled by default, so every prefix whose first AS is not the peer AS ends up under Local Policy Denied Prefixes.

router bgp 65536
 no bgp enforce-first-as

IX route servers are transparent: they do not prepend their own AS when re-advertising member routes, so the first AS in every AS_PATH is a member's rather than the route server's, and with enforce-first-as on the router rejects the whole table.

I had also tried ChatGPT for an answer; it did mention the key point that the IX filters its own AS out of the as-path, but it never offered the correct fix and instead kept sending me to look for problems in the route-map rules and to reconfigure the BGP session.

Cisco ASR software upgrade memo

Prepare a USB stick formatted as FAT32.

Copy the .bin image, the .pkg file and the license file onto the device. Check the image's hash against the value published on the Cisco download page before pointing the boot variable at it.

enable
cd usb0:
dir
copy usb0:/XXXXX.SPA.bin bootflash:
copy usb0:/XXXXX.SPA.pkg bootflash:
copy usb0:/license.txt flash:
license smart reservation install file flash:license.txt
upgrade rom-monitor filename bootflash:XXXXX.SPA.pkg all
configure terminal
 no boot system flash bootflash:OLD_XXXXX.SPA.bin
 boot system flash bootflash:XXXXX.SPA.bin
 platform hardware throughput level 3500000
 do wr
 do show bootvar
end
reload

(upgrade rom-monitor is a privileged EXEC command, so it runs before configure terminal; the boot system and throughput lines are config mode; confirm that show bootvar lists the new image before the reload.)

Smart licensing: 16.9 through the latest 17.x releases
Traditional licensing: 16.9 and earlier

Newer releases use Smart Licensing, so the old license files no longer work and the newly issued authorization data has to be installed (the license smart reservation install step above).

Cisco configuration memo

Show BGP communities in ASN:value form instead of the raw decimal the default prints; the decimal form is too easy to forget.

ip bgp-community new-format

Configure SSH public-key login (no password)

Reformat the key

IOS does not take the single long base64 line of an OpenSSH public key; fold it to 72 characters per line:

fold -b -w 72 ~/.ssh/id_rsa.pub

Copy the base64 body between the leading ssh-rsa and the trailing comment; that is what gets pasted under key-string.

Configure the device

hostname Router-R1
crypto key generate rsa modulus 2048
ip ssh version 2
!
line vty 0 4
 transport input ssh
 login local
!
! Only disable password and keyboard-interactive authentication after a key login
! has been verified from a second session; otherwise you lock yourself out.
no ip ssh server authenticate user password
no ip ssh server authenticate user keyboard
!

Import the key

Router-R1(config)#ip ssh pubkey-chain
Router-R1(conf-ssh-pubkey)#username <username>
Router-R1(conf-ssh-pubkey-user)#key-string
Router-R1(conf-ssh-pubkey-data)#<paste the folded key lines>
Router-R1(conf-ssh-pubkey-data)#exit
Router-R1(conf-ssh-pubkey-user)#exit
Router-R1(conf-ssh-pubkey)#exit
Router-R1(config)# do wr

Check the result

Router-R1#show running-config | begin pubkey
ip ssh pubkey-chain
  username <username>
   key-hash ssh-rsa 8FB4F858DD7E5AFB372780EC653DB371
  quit

The router does not store the key itself, only its MD5 hash (the key-hash line), which is what shows up in the config.

Apart from bringing up new devices these steps are rarely used and easy to forget, so this is just a reminder.
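As an added example (not from this memo or the networklessons article it cites), a POSIX shell script for the workstation side of the steps above: it pulls the base64 body out of an OpenSSH public key file, folds it to 72 bytes per line the way the fold command does, wraps it in the ip ssh pubkey-chain stanza for pasting, and prints the key's MD5 fingerprint in the form IOS shows after key-hash ssh-rsa (32 uppercase hex digits, no colons) so the imported key can be checked against show running-config. It assumes a single-line OpenSSH key file ("<type> <base64> [comment]"); the function names and the refusal of anything other than ssh-rsa are this script's own choices, not IOS behaviour.

```shell
#!/bin/sh
# Added example, not part of the original memo. Workstation-side preparation of an
# OpenSSH public key for "ip ssh pubkey-chain" on IOS.
# Assumes a single-line OpenSSH key file: "<type> <base64> [comment]".

# Key type of the first line, e.g. "ssh-rsa".
ios_key_type() {
    awk 'NR == 1 { print $1 }' "$1"
}

# The base64 body only (no type, no comment), folded to 72 bytes per line,
# ready to paste under key-string. Same fold the memo uses, applied to field 2.
ios_key_string() {
    awk 'NR == 1 { print $2 }' "$1" | fold -b -w 72
}

# The key's MD5 fingerprint in the form IOS prints after "key-hash ssh-rsa":
# 32 uppercase hex digits without colons. Compare with
# "show running-config | begin pubkey". Needs ssh-keygen; prints nothing without it.
ios_key_hash() {
    command -v ssh-keygen >/dev/null 2>&1 || return 0
    ssh-keygen -l -E md5 -f "$1" | awk '{ print $2 }' | sed 's/^MD5://; s/://g' | tr 'a-f' 'A-F'
}

# Full pubkey-chain stanza for one user. Refusing non-RSA keys is this script's
# own policy (hypothetical), chosen because the memo's router uses an RSA key.
ios_pubkey_stanza() {
    user=$1
    pub=$2
    ktype=$(ios_key_type "$pub")
    if [ "$ktype" != "ssh-rsa" ]; then
        printf 'refusing %s: expected ssh-rsa, got %s\n' "$pub" "$ktype" >&2
        return 1
    fi
    printf 'ip ssh pubkey-chain\n'
    printf ' username %s\n' "$user"
    printf '  key-string\n'
    ios_key_string "$pub"
    printf '  exit\n'
    printf ' exit\n'
    printf 'exit\n'
}

# Usage:
#   ios_pubkey_stanza admin ~/.ssh/id_rsa.pub   # paste the output in config mode
#   ios_key_hash ~/.ssh/id_rsa.pub              # compare with the key-hash line
```

Paste the stanza in config mode, then compare the output of ios_key_hash with the key-hash line the router shows; a mismatch means a line was mangled while pasting.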

 

Restrict vty login to an allow-listed source range (10.11.80.0/23 below)

ip access-list extended ssh-permit
 permit ip 10.11.80.0 0.0.1.255 any
!
line vty 0 4 
 access-class ssh-permit in

Configure Telnet (credentials travel in cleartext; keep it only where SSH is not possible, and behind the same access-class)

line vty 5 15
 access-class ssh-permit in
 login local
 transport input telnet

 

Source: https://networklessons.com/uncategorized/ssh-public-key-authentication-cisco-ios