Connect to a Cisco router and configure the device. Cisco routers and switches run IOS; you connect a PC to the console port and operate IOS to apply the configuration.
Environment
- Router
  - Cisco 892J
- Console (Rollover) cable
  - Cisco genuine
  - RS-232C interface
- USB serial conversion cable
  - Used because the PC has no RS-232C serial port
  - ainex ADV-119
    - USB 2.0/1.1 compliant
    - Device side: D-Sub 9-pin male
    - PC side: USB 2.0 Standard-A male
    - Supported OS: Windows Vista/7/8/8.1 (32/64-bit)
  - If you are on a Mac, something like the UGREEN USB serial conversion cable RS232 USB 9pin may be a better choice.
Procedure
Console connection
- To configure a Cisco router or Catalyst switch, connect it to the PC with a Console (Rollover) cable and configure it from a terminal (iTerm, Tera Term, etc.).
- Once you have connected via console and set an IP address on the router, it can be reached remotely over that IP address.
PC[USB] -> [USB]USB serial conversion cable [RS-232C] -> [RS-232C]Console (Rollover) cable -> [Console port]Cisco router, Catalyst switch
- After connecting the cables as above, power on the router.
- From the PC terminal, check which interface the cable is attached to.

```
$ ls -l /dev/tty.*
crw-rw-rw-  1 root  wheel   18,   0 May  4 19:36 /dev/tty.Bluetooth-Incoming-Port
crw-rw-rw-  1 root  wheel   18,   2 May  8 14:30 /dev/tty.usbserial-1420

# connect router
$ screen /dev/tty.usbserial-1420
```

`usbserial-1420` is the interface.
- The initial boot log was as follows:
```
Press RET
Line protocol on Interface Vlan1, changed state to down
*May  8 04:56:17.815: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet8, changed state to down
*May  8 04:56:17.815: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to down
*May  8 04:56:18.815: %LINK-3-UPDOWN: Interface FastEthernet8, changed state to down
*May  8 04:56:18.815: %LINK-3-UPDOWN: Interface GigabitEthernet0, changed state to down
*May  8 06:25:49.211: %LINK-5-CHANGED: Interface BRI0, changed state to administratively down
*May  8 06:25:51.159: %LINK-5-CHANGED: Interface FastEthernet8, changed state to administratively down
*May  8 06:25:51.159: %LINK-5-CHANGED: Interface GigabitEthernet0, changed state to administratively down
*May  8 06:25:56.215: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C890 Software (C890-UNIVERSALK9-M), Version 15.1(3)T1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Sun 27-Mar-11 12:57 by prod_rel_team
*May  8 06:25:56.215: %SNMP-5-COLDSTART: SNMP agent on host Router is undergoing a cold start
*May  8 06:25:56.235: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
*May  8 06:25:56.235: %CRYPTO-6-GDOI_ON_OFF: GDOI is OFF
*May  8 06:25:58.895: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to down
*May  8 06:25:58.911: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1, changed state to down
*May  8 06:25:58.923: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2, changed state to down
*May  8 06:25:58.935: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet3, changed state to down
*May  8 06:25:58.947: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet4, changed state to down
*May  8 06:25:58.955: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet5, changed state to down
*May  8 06:25:58.963: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet6, changed state to down
*May  8 06:25:58.971: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet7, changed state to down
Router>    # user exec mode.
```
Setting the host name

```
# Promote to privileged mode (> to #).
Router>enable
# Change to setting mode.
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#
# Set hostname.
Router(config)#hostname rt-cisco-892-001
rt-cisco-892-001(config)#
# end returns to the privileged exec mode.
# exit returns to the previous layer.
end
# Check configurations (hostname).
rt-cisco-892-001#show running-config
Building configuration...

Current configuration : 1181 bytes
!
! Last configuration change at 17:11:19 UTC Fri May 8 2020
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname rt-cisco-892-001
!
boot-start-marker
boot config flash:892config.txt
boot-end-marker
!
no aaa new-model
!
crypto pki token default removal timeout 0
!
```
Setting an IP address on a router interface
- To communicate from the PC to the router over IP, set an IP address on one of the router's interfaces.
- Set GigabitEthernet0 to IP address 192.168.10.1, subnet mask 255.255.255.0.
- First check the link status of GigabitEthernet0 (whether the interface is usable).
The output shows Status: administratively down, Protocol: down. The interface is unusable in this state, so it needs to be configured.
```
# Check interface link status.
rt-cisco-892-001#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
BRI0                       unassigned      YES unset  administratively down down
BRI0:1                     unassigned      YES unset  administratively down down
BRI0:2                     unassigned      YES unset  administratively down down
FastEthernet0              unassigned      YES unset  down                  down
FastEthernet1              unassigned      YES unset  down                  down
FastEthernet2              unassigned      YES unset  down                  down
FastEthernet3              unassigned      YES unset  down                  down
FastEthernet4              unassigned      YES unset  down                  down
FastEthernet5              unassigned      YES unset  down                  down
FastEthernet6              unassigned      YES unset  down                  down
FastEthernet7              unassigned      YES unset  down                  down
FastEthernet8              unassigned      YES unset  administratively down down
GigabitEthernet0           unassigned      YES unset  administratively down down    # down status.
Vlan1                      unassigned      YES unset  down                  down
rt-cisco-892-001#show running-config interface gigabitEthernet0
Building configuration...

Current configuration : 84 bytes
!
interface GigabitEthernet0
 no ip address
 shutdown        # port closed.
 duplex auto
 speed auto
end
rt-cisco-892-001>enable
rt-cisco-892-001#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
# Set interface configuration mode.
rt-cisco-892-001(config)#interface gigabitethernet0
# Set IP Address.
rt-cisco-892-001(config-if)#ip address 192.168.10.1 255.255.255.0
rt-cisco-892-001(config-if)#no shutdown
rt-cisco-892-001(config-if)#end
rt-cisco-892-001#
*May  8 18:26:49.192: %SYS-5-CONFIG_I: Configured from console by console
*May  8 18:26:49.452: %LINK-3-UPDOWN: Interface GigabitEthernet0, changed state to up
*May  8 18:26:50.452: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up
*May  8 18:26:51.784: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to down
*May  8 18:26:52.784: %LINK-3-UPDOWN: Interface GigabitEthernet0, changed state to down
# Set `no shutdown`, so changed from `administratively down down` to `down down`.
# ※ If you connect a lan cable, it will be `up` status.
rt-cisco-892-001#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0           192.168.10.1    YES manual down                  down
Vlan1                      unassigned      YES unset  down                  down
# Check GigabitEthernet0 interface settings.
rt-cisco-892-001#show running-config interface gigabitethernet0
Building configuration...

Current configuration : 98 bytes
!
interface GigabitEthernet0
 ip address 192.168.10.1 255.255.255.0
 duplex auto
 speed auto
end
```
| IP interface status | description |
|---|---|
| administratively down/down | The interface is closed: `shutdown` is configured. |
| down/down | The interface is open (`no shutdown`) but the link is down: no cable is connected between the two devices. |
| up/up | The interface is open and a cable is connected. |
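Reading this output programmatically is easy to get wrong because Status can be two words ("administratively down"). The following is an added example, not part of the original post: it parses `show ip interface brief` by splitting each row from the right, maps each Status/Protocol pair to the meaning in the table above, and flags interfaces that carry an address but are not up/up. The sample output is constructed from the rows shown on this page.

```python
# Constructed sample in the shape of `show ip interface brief`, trimmed to the
# interfaces discussed on this page.
SAMPLE_BRIEF = """\
Interface                  IP-Address      OK? Method Status                Protocol
BRI0                       unassigned      YES unset  administratively down down
FastEthernet0              unassigned      YES unset  down                  down
GigabitEthernet0           192.168.10.1    YES manual up                    up
Vlan1                      unassigned      YES unset  down                  down
"""

# Meaning of each Status/Protocol pair, following the table above.
STATE_MEANING = {
    ("administratively down", "down"): "shutdown configured on the interface",
    ("down", "down"): "no shutdown, but no link (cable not connected on both ends)",
    ("up", "up"): "link up and line protocol up",
}

def parse_ip_interface_brief(text):
    """Return one dict per interface row.

    Status may be two words, so the row is split from the right: the last
    field is Protocol and everything after the Method column is Status.
    """
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] == "Interface":   # skip header/blank lines
            continue
        name, ip, ok, method = fields[:4]
        protocol = fields[-1]
        status = " ".join(fields[4:-1])
        rows.append({"interface": name, "ip": ip, "ok": ok, "method": method,
                     "status": status, "protocol": protocol})
    return rows

def describe(rows):
    """Map each interface name to the meaning of its state pair."""
    return {r["interface"]: STATE_MEANING.get((r["status"], r["protocol"]), "other")
            for r in rows}

def addressed_but_down(rows):
    """Interfaces with an IP address that are not up/up: check these before
    assuming the router is reachable for remote management."""
    return [r["interface"] for r in rows
            if r["ip"] != "unassigned" and (r["status"], r["protocol"]) != ("up", "up")]
```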
Connecting the LAN cable and checking connectivity
Connect the PC to the WAN GE0 port (GigabitEthernet0) with a LAN cable.

```
rt-cisco-892-001#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0           192.168.10.1    YES manual up                    up
```
`up up` shows that the link is up.
Set the IP address on the PC side (Debian in this case).

```
$ sudo vi /etc/NetworkManager/NetworkManager.conf   # `managed=false` to `true`
```
Under Settings > Network > Wired > IPv4, configure the following:
- IPv4 Method: Manual
- Addresses
  - Address: 192.168.10.100
  - Netmask: 255.255.255.0
  - Gateway: 192.168.10.1

```
$ service network-manager restart
```
Ping the PC from the router and confirm that it succeeds.

```
rt-cisco-892-001#ping 192.168.10.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.100, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
```
Configuring Telnet
- Telnet uses VTY (Virtual Teletype: not one of the physical LAN ports visible on the Cisco router, but a virtual port configured in IOS).
- Here VTY ports 0 to 4 are configured (so that 5 ports, i.e. 5 sessions, are available).
First check the default settings.

```
rt-cisco-892-001#show running-config
line vty 0 4
 login                # password setting required for telnet.
 transport input all
```
Configure telnet, then confirm with `show running-config` that the settings have been applied.

```
rt-cisco-892-001#configure terminal
rt-cisco-892-001(config)#line vty 0 4       # changed line configuration mode.
rt-cisco-892-001(config-line)#password <password>
rt-cisco-892-001(config-line)#transport input telnet
rt-cisco-892-001(config-line)#end
# Confirm the settings are reflected.
rt-cisco-892-001#show running-config
line vty 0 4
 password <password>
 login
 transport input telnet
```
Check from the PC that telnet works.

```
$ telnet 192.168.10.1
Connected to 192.168.10.1.

User Access Verification

Password:    # Enter the previously set password.
```
On the router reached over telnet, trying to enter privileged mode fails because no enable password has been set.

```
rt-cisco-892-001>enable
% No password set
rt-cisco-892-001>
```

In that case the router logs the following:

```
*May 10 12:46:17.865: %SYS-5-PRIV_AUTH_FAIL: Authentication to privilege level 15 failed by vty0 (192.168.10.100)
```
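That `%SYS-5-PRIV_AUTH_FAIL` message names the VTY line and the source address, which is exactly what a defender wants to count. The following is an added example, not part of the original post: a small parser for IOS console/syslog lines that extracts the source of each failed privilege escalation, counts failures per address, and lists `CONFIG_I` events so configuration changes are visible too. The sample log lines are constructed (timestamps and the second address are made up) and the alert threshold is an assumed value.

```python
import re
from collections import Counter

# Constructed sample in the format the router prints to the console, modelled on
# the messages shown on this page; the second source address is made up.
SAMPLE_LOG = """\
*May 10 12:46:17.865: %SYS-5-PRIV_AUTH_FAIL: Authentication to privilege level 15 failed by vty0 (192.168.10.100)
*May 10 12:46:25.101: %SYS-5-PRIV_AUTH_FAIL: Authentication to privilege level 15 failed by vty0 (192.168.10.100)
*May 10 12:46:31.440: %SYS-5-PRIV_AUTH_FAIL: Authentication to privilege level 15 failed by vty1 (192.168.10.50)
*May 10 12:47:02.012: %SYS-5-CONFIG_I: Configured from console by console
*May 10 12:47:10.777: %SYS-5-PRIV_AUTH_FAIL: Authentication to privilege level 15 failed by vty0 (192.168.10.100)
"""

# IOS messages look like "%FACILITY-SEVERITY-MNEMONIC: text" (severity 0..7).
MSG_RE = re.compile(
    r"^\*?(?P<ts>\w{3}\s+\d+\s+[\d:.]+): %(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-"
    r"(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$")
PRIV_FAIL_RE = re.compile(
    r"Authentication to privilege level (?P<level>\d+) failed by (?P<line>\S+) \((?P<src>[\d.]+)\)")

def parse_log(text):
    """Parse IOS console/syslog lines into dicts; lines that do not match are skipped."""
    events = []
    for raw in text.splitlines():
        m = MSG_RE.match(raw.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["severity"] = int(ev["severity"])
        if ev["mnemonic"] == "PRIV_AUTH_FAIL":
            detail = PRIV_FAIL_RE.search(ev["text"])
            if detail:
                ev.update(detail.groupdict())   # adds level, line (vty0), src
        events.append(ev)
    return events

def failed_enable_by_source(events):
    """Count failed `enable` attempts per remote source address."""
    return Counter(ev["src"] for ev in events
                   if ev["mnemonic"] == "PRIV_AUTH_FAIL" and "src" in ev)

def sources_over_threshold(events, limit=3):
    """Sources with at least `limit` failed privilege escalations (assumed threshold).
    A mistyped password looks the same as guessing, so confirm who owns the address."""
    return sorted(src for src, n in failed_enable_by_source(events).items() if n >= limit)

def config_changes(events):
    """CONFIG_I messages record that the running-config was changed and over which line."""
    return [ev["text"] for ev in events if ev["mnemonic"] == "CONFIG_I"]
```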
Enable the privileged-mode password on the router, confirm with `show running-config` that the setting has been applied, and confirm from the PC that you can now enter privileged mode.

```
rt-cisco-892-001#configure terminal
rt-cisco-892-001(config)#enable password <password>
rt-cisco-892-001(config)#end
```
Configuring ssh
- ssh also uses VTY (Virtual Teletype, the virtual ports configured in the Cisco router's IOS).
- To ssh into a Cisco router, configure either password authentication or public-key authentication.
- The Cisco IOS image must be a k9 (crypto) image for ssh to be supported.
- Take care not to lock yourself out by mishandling the aaa new-model command.
- Cisco routers implement both ssh server and ssh client functions, but the following must be configured before use:
  - Set the host name and domain name
  - Generate the key used for ssh authentication
    - Generating it enables ssh automatically
  - Create an ssh login user
- Since telnet is not secure, configure the lines to allow ssh only.
Check the default settings.

```
# Before ssh setting
Router>show ssh
%No SSHv2 server connections running.
%No SSHv1 server connections running.
Router>show ip ssh
SSH Disabled - version 1.99
%Please create RSA keys to enable SSH (and of atleast 768 bits for SSH v2).
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): NONE
```
ssh password authentication settings
- Password authentication is configured here.
- When logging in to a VTY (Virtual Teletype) port over ssh, change the configuration so that the ssh user name and password are used instead of the password set on the VTY line.

```
# Set ssh user name and password.
rt-cisco-892-001>enable
Password:
rt-cisco-892-001#configure terminal
rt-cisco-892-001(config)#username <ssh username> password <ssh password>
# Set local authentication for line VTY.
# Create 5 VTY port.
rt-cisco-892-001(config)#line vty 0 4
rt-cisco-892-001(config-line)#login local
# Set domain name
rt-cisco-892-001(config)#ip domain-name rtp.halu.dev
# Generate ssh key with 2048 bit RSA modulus.
rt-cisco-892-001(config)#crypto key generate rsa
How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 13 seconds)
```
Allowing ssh connections only
Since telnet is not secure, allow ssh only.

```
rt-cisco-892-001#show running-config
line vty 0 4
 password <password>
 login local
 transport input telnet
rt-cisco-892-001(config)#line vty 0 4
rt-cisco-892-001(config-line)#transport input ssh
rt-cisco-892-001(config-line)#end
```
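The running-config snippets in the telnet and ssh sections above are the place to check that the hardening actually took. The following is an added example, not the original post's code: it parses an IOS running-config into global lines and indented sections and reports the settings this page changes (clear-text password storage, no `enable secret`, VTY lines that still accept telnet or lack `login local`). Both sample configs are constructed; `enable secret` and `username ... secret` are standard IOS forms that store a hash and are not used on this page, and the `<...>` placeholders stand for real values.

```python
# Constructed samples of a running-config before and after the changes made in
# the telnet/ssh sections; <...> placeholders stand for real values.
WEAK_CONFIG = "\n".join([
    "no service password-encryption", "!",
    "enable password <password>", "!",
    "line vty 0 4", " password <password>", " login", " transport input telnet", "!", "end"])
HARDENED_CONFIG = "\n".join([
    "service password-encryption", "!",
    "enable secret <enable secret>", "!",          # hashed form; assumed, not used on this page
    "username admin secret <ssh secret>", "!",
    "ip domain-name rtp.halu.dev", "!",
    "line vty 0 4", " login local", " transport input ssh", "!", "end"])

def parse_running_config(text):
    """Split an IOS running-config into (global_lines, {section header: body lines}).
    Section bodies are indented by one space; a line starting with '!' ends a section."""
    globals_, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
        elif raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
            globals_.append(current)
    return globals_, sections

def audit_management_plane(text):
    """Findings for the settings this page touches: clear-text password storage,
    missing 'enable secret', and VTY lines that still accept telnet or skip 'login local'."""
    globals_, sections = parse_running_config(text)
    findings = []
    if "no service password-encryption" in globals_:
        findings.append("passwords in the running-config are stored in clear text")
    if not any(g.startswith("enable secret") for g in globals_):
        findings.append("no 'enable secret' set (an 'enable password' alone is not hashed)")
    for header, body in sections.items():
        if not header.startswith("line vty"):
            continue
        allowed = {t for b in body if b.startswith("transport input") for t in b.split()[2:]}
        if not allowed or allowed & {"telnet", "all"}:
            shown = " ".join(sorted(allowed)) or "not set"
            findings.append(f"{header}: transport input is {shown}; restrict to 'transport input ssh'")
        if "login local" not in body:
            findings.append(f"{header}: 'login local' not set, so per-user accounts are not enforced")
    return findings
```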
Saving the configuration
Save the settings made above.

```
rt-cisco-892-001#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
```