phanx
powered by Technology
-
CS-MARS 6.x.x (6.0.2) 虚拟机的安装
========phanx.com=========
Author: phanx
Updated: 2009-2-13
=========================网上关于CS-MARS 4.x.x的虚拟机安装的文章已经很多了,对于6.x.x来讲,其实大体一致。但是有些和4.x.x不一样的地方,这里特别讲一下。
在4.x.x版本的安装文章中提到,当MARS的Recovery CD完成安装后,在MARS第一次启动的时侯,按住SHIFT键等待lilo停留在lilo boot:状态,然后输入linux rw init=/bin/bash进入系统的shell。
但是在6.x.x版本的安装中,我发现无法按住SHIFT键停在lilo boot状态(其实lilo只要按住SHIFT或者CTRL或者ALT任意一个键都会停住),后来发现可以通过边按SHIFT边乱敲字母键的方式停在lilo boot:状态,但是只要不敲键,很快就会进入正常启动过程。于是我很快的输入了linux rw init=/bin/bash,但是发现还是进入MARS的shell(pnsh)。
后来找了点资料,发现6.x.x在这里有点不同。需要用linux的CD来启动进入rescue状态。我用的是Redhat Linux Enterprise Server Advanced 5的CD1来启动的。 CD启动后按F5再输入linux rescue进入拯救模式。
Linux会问你,是否自动查找硬盘上的linux。选择Continue,然后就会找到MARS上的Linux了,并且会自动帮你挂载在/mnt/sysimage下面。
然后就可以进入做license了。
cd /mnt/sysimage/opt/janus/release/bin
mv pnlicense pnlicense.org
echo “/bin/echo d84f7ceaf50f9c45683e2efb77752d4f:License verified:4:0:0:4″ > pnlicense
chmod +x pnlicense好了,到这里我们的MARS的license就有了,把光盘拿出来,退出rescure模式的shell,就会重新启动。然后进行MARS的第一次启动,然后开始prepare Oracle(相当慢),完成后就可以进入MARS的shell了。
然后第一次Web登录MARS会让你输入License,OK,前面我们都弄了,所以这里随便输入任意数字填满输入框就行了,全1都可以。然后就可以随便用了。
到这里基本就OK了,但是有的人并不满足,比如我,想用root?OK,有办法。
但是必需要在前面rescue模式下多做些东西。
首先要修改/mnt/sysimage/etc/passwd里面的内容
把pnadmin:x:500:500::/opt/janus/release/bin:/opt/janus/release/bin/pnsh
改为pnadmin:x:500:500::/opt/janus/release/bin:/bin/bash
这个意思是让pnadmin用户不用MARS的shell而使用系统的bash。然后,修改/mnt/sysimage/etc/passwd的内容增加一行
pnadmin ALL=(ALL) NOPASSWD: ALL
这个意思是让pnadmin用户可以使用sudo命令来进行命令执行,并且执行sudo的时侯不询问密码。BTW:别说你不会用vi….好了,保存好,其余和前面一样,退出rescue的shell。开始第一次启动MARS的系统,然后开始prepare Oracle(相当慢),完成后就可以进入系统的bash了。
这个时侯用命令
sudo su
就可以不要口令直接变成root用户了。
然后马上修改root的口令
passwd
输入一个口令。
最后再修改/etc/passwd里面的内容
把pnadmin:x:500:500::/opt/janus/release/bin:/bin/bash
改为pnadmin:x:500:500::/opt/janus/release/bin:/opt/janus/release/bin/pnsh
让pnadmin用户还原为MARS的shell而不使用系统的bash。好了,退出root用户。回到pnadmin用户,起用:/opt/janus/release/bin/pnsh到MARS的shell,这个时候我们就可以使用隐藏命令expert来进入root用户了,口令就是你刚才为root用户设置的口令。 OK,大功告成,enjoy it~
重要提示:
前面提到的这些步骤,一定要在刚刚用Recovery CD恢复后进行。因为一旦让MARS的系统引导,准备好Oracle进入MARS系统后,再用linux rescue就不行了,linux会告诉你找不到硬盘上的系统,无法挂载。这个问题是老外讲的,我也发现了。
还有,在rescue的时侯如果没有自动挂载好,你可以试试
mkdir /mnt/opt
mount /dev/md2 /mnt/opt -
NAT/PAT中对于FTP的处理,以及PAT后的非标准21 FTP端口设置
========phanx.com=========
Author: phanx
Updated: 2009-1-24
=========================这里先要对FTP的两种模式说一下:引用一张Cisco上面的图:
FTP分为两种模式: 主动Active 被动 Passive主动模式下是使用21作为控制, 20作为数据口。首先是客户端通过大于1023的端口发起到服务器21端口的控制连接,信息交换完成后。服务器从20端口发起连接到客户端提供的接收端口。这是传统意义上的FTP行为。被动模式是使用21作为控制,然后服务器自动选择一个大于1023的端口作为数据。首先是客户端通过大于1023的端口发起到服务器21端口的控制连接,信息交换完成后。服务器告诉客户端一个大于1023的端口作为数据口,然后客户端再以另外一个大于1023的端口发起连接到服务器提供的数据端口进行数据传输。目前大多数服务器都支持这种模式,而且大部分客户端都默认采用被动模式和服务器进行传输。好了,当我们在内网有两台服务器FTP SEVER1和FTP SERVER2都需要被外网访问的时侯,我们会分别为这两个服务器做映射出去。假定FTP SERVE1(10.0.0.100)占用公网IP(x.x.x.x)的21端口,FTP SERVER2(10.0.0.200)占用公网IP(x.x.x.x)的2211端口。那么我们就会这么写:ip nat inside source static tcp 10.0.0.100 21 x.x.x.x 21 extendableip nat inside source static tcp 10.0.0.200 21 x.x.x.x 2211 extendable这样做了以后,我们会发现FTP SERVER1是正常的,而FTP SERVER2却不正常,表现为登录以后无法列出目录:以下为FTP 客户端的LOG:
[xx:xx:03] PASV
[xx:xx:03] 227 Entering Passive Mode (10,0,0,200,6,32)
[xx:xx:24] Data Socket Error: Connection timed out
[xx:xx:24] List Complete: 0 bytes in 21.44 (1.00 KBps)
这是为什么呢?答案就是在被动模式下,FTP SEVER告诉客户端的数据端口,无法被访问。为什么 FTP SERVER1又可以呢?因为FTP SERVER1在对外映射的时侯采用了21端口,IOS会自动识别这个端口是FTP控制口,从而去检查里面FTP数据控制数据发现服务器告诉客户端的这个用于传送数据的端口,然后自动的添加一条映射。phanx# sh ip nat tr | in 10.0.0.100:
tcp x.x.x.x:21 10.0.0.100:21 y.y.y.y:1585 y.y.y.y:1585
tcp x.x.x.x:21 10.0.0.100:21 — —
tcp x.x.x.x:1812 10.0.0.20:1812 y.y.y.y:1594 y.y.y.y:1594而FTP SERVER2映射的端口2211无法自动被识别成FTP端口,所以IOS不会自动的为它建立数据端口的映射。解决的办法就是用 ip nat service 来指定这个端口。access-list 10 permit 10.0.0.200ip nat service 10 ftp tcp port 21注意,这里的tcp port 21是指的 10.0.0.200的FTP端口21而不是 x.x.x.x的2211。如果FTP SERVER2用的FTP端口是其他的,那么就写对应的端口号。这样做了以后,我们的FTP SERVER2就可以以 x.x.x.x:2211 的方式被公网访问了。说道这里,问题已经解决了。但是,有人可能会提出来,既然FTP SERVER1用被动很正常,x.x.x.x:20端口并没有使用,那为什么不用把FTP SERVER2主动模式来映射呢?比如这样做:ip nat inside source static tcp 10.0.0.200 20 x.x.x.x 20 extendableip nat inside source static tcp 10.0.0.200 21 x.x.x.x 2211 extendableOK. 这样做其实对于一部分情况是没有问题的。例如客户机的地址是公网地址,或者说能被FTP SERVER2所访问的地址。但是如果客户机也是通过NAT/PAT上网的呢?假设客户端地址是192.168.1.111我们将看到这样的情况:
[00:14:10] PORT 192,168,1,111,6,179
[00:14:10] 200 PORT Command successful.
[00:14:10] REST 2028256
[00:14:10] 350 Restarting at 2028256. Send STORE or RETRIEVE.
[00:14:10] RETR fool.exe
[00:14:10] 150 Opening BINARY mode data connection for fool.exe (924668 Bytes).
[00:14:11] 425 Cannot open data connection.
[00:14:11] Transfer Failed!
因为是主动模式,是服务器主动送数据给客户机。那客户机通过控制信息就需要告诉服务器往哪里送,但是FTP客户端并不知道自己的公网地址和端口,并且客户机也没有能力去自己的NAT/PAT网关上去开放一个端口让服务器来送数据。所以它是以自己的实际地址去告诉服务器的。对于服务器而言,这个地址是无法被访问到的,所以这个办法也有行不通的地方。当然,如果FTP客户端支持uPNP能识别到翻译后的公网地址,NAT/PAT网关也有uPNP的能力的话,主动模式的这个问题应该就能解决。BTW:主动模式的FTP又被称为 "firewall UNfriendly",什么原因? 好好理解哦~PIX/ASA上面的配置方法见:PIX/ASA 7.x: Enable FTP/TFTP Services Configuration Example
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807ee585.shtml
-
TCP Intercept防止TCP SynFlood DoS
========phanx.com=========
Author: phanx
Updated: 2008-12-18
=========================今天居然有人SynFlood我的Web Server,无聊的人还真多。。。偶然跑到Router上检查,居然发现有大量的NAT条目,一看端口很规律,都是去往Web Server的80的,而且源地址是同一个,源端口依次递增。估计是TCP SynFlood了,不过幸好还不是超多。于是使用2800自带的防止SynFlood DoS的功能TCP Intercept。配置简单,立马见效,5 seconds 不Established,就向Server发送TCP RST了 。ip tcp intercept list TCPINTERCEPT
ip tcp intercept connection-timeout 300ip tcp intercept watch-timeout 5
ip tcp intercept mode watchip access-list extended TCPINTERCEPT
permit tcp any host 188.8.8.8 eq 80phanx_Router#sh tcp intercept con
Incomplete:
Client Server State Create Timeout Mode
221.201.145.24:51247 188.8.8.8:80 SYNSENT 00:00:04 00:00:00 W
221.201.145.24:51246 188.8.8.8:80 SYNSENT 00:00:04 00:00:00 W
221.201.145.24:51245 188.8.8.8:80 SYNSENT 00:00:04 00:00:00 W
221.201.145.24:51251 188.8.8.8:80 SYNSENT 00:00:03 00:00:01 W
221.201.145.24:51250 188.8.8.8:80 SYNSENT 00:00:04 00:00:00 W
221.201.145.24:51249 188.8.8.8:80 SYNSENT 00:00:04 00:00:00 W
221.201.145.24:51248 188.8.8.8:80 SYNSENT 00:00:04 00:00:00 W
Established:phanx_Router#sh tcp intercept st
Watching new connections using access-list TCPINTERCEPT
11 incomplete, 0 established connections (total 11)
55 connection requests per minute还好还好,不是动真格的。。。
以下是NAT记录。phanx_Router#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 218.104.217.135:80 188.8.8.8:80 60.240.247.48:1055 60.240.247.48:1055
tcp 218.104.217.135:80 188.8.8.8:80 60.240.247.48:1060 60.240.247.48:1060
tcp 218.104.217.135:80 188.8.8.8:80 60.240.247.48:1061 60.240.247.48:1061
tcp 218.104.217.135:80 188.8.8.8:80 60.240.247.48:1094 60.240.247.48:1094
tcp 218.104.217.135:80 188.8.8.8:80 60.240.247.48:1116 60.240.247.48:1116
。。。tcp 218.104.217.135:80 188.8.8.8:80 60.240.247.48:3688 60.240.247.48:3688
tcp 218.104.217.135:80 188.8.8.8:80 60.240.247.48:3689 60.240.247.48:3689
tcp 218.104.217.135:80 188.8.8.8:80 60.240.247.48:3690 60.240.247.48:3690
。。。tcp 218.104.217.135:80 188.8.8.8:80 60.240.247.48:4887 60.240.247.48:4887
tcp 218.104.217.135:80 188.8.8.8:80 60.240.247.48:4993 60.240.247.48:4993
Pro Inside global Inside local Outside local Outside global
tcp 218.104.217.135:80 188.8.8.8:80 94.240.224.240:59779 94.240.224.240:59779
tcp 218.104.217.135:80 188.8.8.8:80 94.240.224.240:60091 94.240.224.240:60091
tcp 218.104.217.135:80 188.8.8.8:80 94.240.224.240:62937 94.240.224.240:62937
tcp 218.104.217.135:80 188.8.8.8:80 94.240.224.240:64645 94.240.224.240:64645
tcp 218.104.217.135:80 188.8.8.8:80 94.240.224.240:65373 94.240.224.240:65373
tcp 218.104.217.135:80 188.8.8.8:80 121.229.68.69:1134 121.229.68.69:1134
tcp 218.104.217.135:80 188.8.8.8:80 123.115.1.69:7744 123.115.1.69:7744
tcp 218.104.217.135:80 188.8.8.8:80 123.115.1.69:8241 123.115.1.69:8241
tcp 218.104.217.135:80 188.8.8.8:80 221.201.145.24:18860 221.201.145.24:18860
tcp 218.104.217.135:80 188.8.8.8:80 221.201.145.24:18999 221.201.145.24:18999
。。。。。。tcp 218.104.217.135:80 188.8.8.8:80 221.201.145.24:40572 221.201.145.24:40572
tcp 218.104.217.135:80 188.8.8.8:80 221.201.145.24:40573 221.201.145.24:40573
tcp 218.104.217.135:80 188.8.8.8:80 221.201.145.24:40574 221.201.145.24:40574
tcp 218.104.217.135:80 188.8.8.8:80 221.201.145.24:40575 221.201.145.24:40575
tcp 218.104.217.135:80 188.8.8.8:80 221.201.145.24:40576 221.201.145.24:40576
tcp 218.104.217.135:80 188.8.8.8:80 — — -
7600 SPA-IPSEC-2G和SPA-5xGE-V2配合之小问题
========phanx.com=========
Author: phanx
Updated: 2008-11-132009-03-08
=========================某用户需要用SPA-IPSEC-2G在7600上实现到n多节点的IPSec Site-to-Site VPN, 由于7600引擎上的以太口做子接口配合IPSEC SPA不支持CBWFQ,故又弄了块SPA-5xGE-V2.说起SPA-5xGE-V2这卡也怪,在6500机框上要用7600-SIP-600来装,在7600上就非得用7600-SIP-400来装. 当然SPA-IPSEC-2G只能装在7600-SSC-400 上
弄得之复杂.SPA-IPSEC-2G是采用的Vlan Connect方式,即一个在传统直连链路上将IPSEC加速模块嵌入进去.以前是用一个以太口的子接口连接对方.现在则将以太口子接口上的地址移到inside interface vlan上. 然后再用 outside vlan或者一个子接口去连接对方,最后通过connect方式将inside vlan和outside vlan/sub-interface桥接起来.
以前是 sub-interface ——> 对端 或者 interface vlan & switchport trunk ——-> 对端
interface Vlan2
ip address 1.1.1.1 255.255.255.252
interface G1/1
switchport trunk encapsulation dot1q
switchport mode trunk
或者
interface G4/0/0.2
encapsulation dot1q 2
ip address 1.1.1.1 255.255.255.252
现在是 interface Vlan.inside —[connect engine]— [SPA-IPSEC-2G] — [connect vlan.inside] — vlan outside in switchoport trunk ——>对端
或者是 interface Vlan.inside —[connect engine]— [SPA-IPSEC-2G] — [connect vlan.inside] — sub-interface.outside ——>对端
interface Vlan102
ip address 1.1.1.1 255.255.255.252
crypto engine slot 2/0
interface Vlan2
crypto connect vlan 102
interface G1/1
switchport trunk encapsulation dot1q
switchport mode trunk或者
interface Vlan102
ip address 1.1.1.1 255.255.255.252
crypto engine slot 2/0
interface G4/0/0.2
encapsulation dot1q 2
crypto connect vlan 102配置方式就说到这里. Guide上写的很明确,but 遇到一个Bug..
CSCsg49757 Bug Details
Combining Gig-Sub-intf & crypto connect & vlan with crypto engine Symptom:Unable to get the VPN configuration working with a GigabitEthernet SPA module. In addition, clear text connectivity outside the 7600/6500 does not workConditions: This problem only occurs if sub-interfaces are used on the GigabiotEthernet SPA module
Workaround:
Configure ‘cdp enable’ on the sub-interface
什么意思呢,简单说就是用子接口方式做就ping不通对端,IPSec也不行…. 解决方法是在子接口下多配一个 cdp enable…. //寒…
仿佛SPA的GE卡默认就没有开起cdp. 查了Bug Toolkit,发现还没有版本修复这个BUG的(到12.2(33)SRC1为止). 就用Workaround凑合吧.
又遇到另外一个不知道是不是Bug的问题. 由于对端节点较多,所以子接口数目较多, 别人贴配置的时候一不留神把某几个子接口的配置多贴了一次.
贴完发现crypto connect语句重复的地方有提示 xxxx already connect to vlan xxx, 然后发现重复的子接口下的OSPF neighber就起不来了.ping也能ping通对端,就是OSPF无法建立邻接关系. Debug看本端有OSPF的Hello出去,但是在对端Debug却没有收到. 无奈之下,no掉子接口下crypto connect语句重新配上,好了.
依此办法对其他贴重复的子端口重配crypto connect语句, OSPF Neighbor就全部正常了.
看来SIP/SPA的bug还真不少….!
再补充一个SPA-IPSEC-2G的BUG,在Catalyst 6500 Series Switches Release Notes for Cisco IOS Release 12.2(33)SXH and Later Releases中提到:Note
SPA-IPSEC-2G does not support TACACS+ authentication for IPsec. (CSCee33200)也就是说用SPA-IPSEC-2G来做Remote Access VPN的时侯没法用TACACS来做XAuth。我同事就很走运的遇到这个BUG了。
-
2950/2960 Port Manager Internal Software Error
========phanx.com=========
Author: phanx
Updated: 2008-11-13
=========================一台2950出现大量的Port Manager Internal Software Error. LOG如下:CST: %PM-3-INTERNALERROR: Port Manager Internal Software Error (vlanid >=0 && vlanid
< PM_MAX_VLANS: ../switch/pm/pm_vlan.c: 564: pm_vlan_get_vlan_data)-Traceback= 5B7438 60A1E0 617A48 B36EB8 B3A5BC AE7380 AE840C BDD138 BD470C
*Mar 1 08:06:02.052 CST: %PM-3-INTERNALERROR: Port Manager Internal Software Error (vlanid >=0 && vlanid < PM_MAX_VLANS: ../switch/pm/pm_vlan.c: 609: pm_vlan_get_vlan_data)
-Traceback= 5B7438 60A1E0 617A48 B36EB8 B3A5BC AE7380 AE840C BDD138 BD470C
*Mar 1 08:06:04.048 CST: %PM-3-INTERNALERROR: Port Manager Internal Software Error (vlanid >=0 && vlanid < PM_MAX_VLANS: ../switch/pm/pm_vlan.c: 609: pm_vlan_get_vlan_data)
-Traceback= 5B7438 60A1E0 617A48 B36EB8 B3A5BC AE7380 AE840C BDD138 BD470C
*Mar 1 08:06:04.048 CST: %PM-3-INTERNALERROR: Port Manager Internal Software Error (vlanid >=0 && vlanid < PM_MAX_VLANS: ../switch/pm/pm_vlan.c: 609: pm_vlan_get_vlan_data)
-Traceback= 5B7438 60A1E0 617A48 B36EB8 B3A5BC AE7380 AE840C BDD138 BD470C
*Mar 1 08:06:06.053 CST: %PM-3-INTERNALERROR: Port Manager Internal Software Error (vlanid >=0 && vlanid < PM_MAX_VLANS: ../switch/pm/pm_vlan.c: 609: pm_vlan_get_vlan_data)
-Traceback= 5B7438 60A1E0 617A48 B36EB8 B3A5BC AE7380 AE840C BDD138 BD470C
*Mar 1 08:06:06.053 CST: %PM-3-INTERNALERROR: Port Manager Internal Software Error (vlanid >=0 && vlanid < PM_MAX_VLANS: ../switch/pm/pm_vlan.c: 609: pm_vlan_get_vlan_data)开始以为是软件BUG,遂即升级到最新的12.1(22)EA12,故障依旧.后来,更换成一台2960,仍然报错.检查STP.2960#sh spanning-treeVLAN0001
Spanning tree enabled protocol rstp
Root ID Priority 49152
Address 00b0.8e21.9400
Cost 3004
Port 49 (GigabitEthernet0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 secBridge ID Priority 49153 (priority 49152 sys-id-ext 1)
Address 0021.1c7a.8380
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
UplinkFast enabled but inactive in rapid-pvst modeInterface Role Sts Cost Prio.Nbr Type
—————- —- — ——— ——– ——————————–
Fa0/23 Desg FWD 3019 128.23 P2p
Fa0/47 Desg BKN*3019 128.47 P2p *PVID_Inc
Fa0/48 Desg BKN*3019 128.48 P2p *PVID_Inc
Gi0/1 Root FWD 3004 128.49 P2p Peer(STP)Fa0/47和Fa0/48连接的是同一台设备2811的HWIC-4ESW模块的Fa0/0/0和Fa0/0/1端口.我检查了2811上的配置,发现用户将vlan 99上的STP关闭了.询问原因是2811上的vlan99和其他H3C的设备连接时,运行生成树会有一些问题,所以将其关闭.经过测试,发现打开2811上的vlan99的生成树则2950上不会出现报错,所以恢复2811上的生成树就可以解决这个问题,但是又会造成H3C设备的问题.由于*PVID_Inc是说两边STP的Vlan数目不一致,导致端口的Vlan1被Block,鉴于用户没有使用vlan1,所以我采用了在2950上Fa0/47和Fa0/48上将vlan1从trunk中remove后,设备不再报错.另外说一下,发现HWIC-4ESW模块上的口子无法做Port Channel……. 囧rz -
Cisco VPN Client Automatic Initiation 自动重连
========phanx.com=========
Author: phanx
Updated: 2007-7-11
=========================默认情况下,Cisco VPN Client软件在断线以后无法自动重连。某个地方,却需要自动重连功能.search了一番guide.找到如下解决办法:通过修改vpnclient.ini,可以实现断线后自动重连。vpnclient.ini在[Main]段上添加三句AutoInitiationEnable=1 // 允许自动发起连接
AutoInitiationRetryInterval=1 // 自动发起连接重试间隔时间(单位分钟)
AutoInitiationList=XXXXX // 自动连接配置段名称XXXXX为自动连接的字段名
然后在[XXXXX]字段下写四句[XXXXX]
Network=15.66.13.0 // 实际地址段
Subnet=255.255.255.252 // 实际掩码
ConnectionEntry=ATM1 // 需要连接的项目,对应VPN Client中建立的连接项目
Connect=1 // 允许自动连接修改后,VPN GUI界面在Options下也会多出一项Automatic VPN Initiation… -
创建在Cisco路由器上可以show run的只读用户
========phanx.com=========
Author: phanx
Updated: 2005-11-01
=========================某客户要求实施用户分级,有点特殊的就是需要分为特权用户和只读用户.
特权用户可以查看,修改配置,只读用户只能查看,不能修改配置.开始使用cisco的权限分级 level 1 和 level 15 来作,
然后给level 1 用户 授予 show run的权限
privilege exec level 1 show running-config表面上看是达到了要求,但是. 当 level 1 用户使用show run 的时候
命令可以被执行,但是显示出来得确实一个空得配置.
Cisco有一篇文档描述了这个问题
IOS Privilege Levels Cannot See Complete Running Configuration
www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml所以,为了解决这个问题,我们要从另外一个角度来做.要完成这个功能,我们需要通过CiscoACS来配合,而不仅仅是本地AAA认证.大概思路就是特权用户就和平常得特权用户一样, level 15的用户.
而对于只读用户,我们也给level 15得权限,但是要禁止它执行configure命令.下面是具体的配置方法:在需要进行认证的路由器上做如下配置:
aaa authentication login default group tacacs+ local none
aaa authentication login no_tacacs local
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id commonip tacacs source-interface Loopback0
tacacs-server host x.x.x.x
tacacs-server directed-request
tacacs-server key keytoacs建议再加入一个用户
username admin privilege 15 password passwordforadmin
以备ACS服务器无法访问时候用来进行本地认证需要在ACS上做一下配置:
1. 添加 超级用户的 group
在 Group Setup 中找到一个未用的组,例如 Group 8, 选 Edit Setting
在TACACS+ Settings 中,选中Shell (exec) 和Privilege level 并将Privilege level 设为15
Shell Command Authorization Set
选 Per Group Command Authorization Unmatched Cisco IOS commands — Permit
Unlisted arguments — Permit
然后选 Sumit + Restart2.添加只读用户Group
在Group Setup中选中一个未用的组,例如group 9 选 Edit Setting。
其余操作同添加超级用户一致。
最后一个Shell Command Authorization Set
选 Per Group Command Authorization Unmatched Cisco IOS commands — Permit
然后勾上 Command 选项,输入 configure,Arguments里面填入
deny terminal ,然后Unlisted arguments – Deny。点击Submit+Restart
然后添加用户,超级用户划入 group 8, 只读用户划入 group 9。就是在User Setup的Group to which the user is assigned中选取相应的group就行了。 -
Cisco PIX /ASA 防火墙密码恢复
========phanx.com=========
Author: phanx
Updated: 2006-9-12007-6-1
=========================
PIX 的密码恢复和路由器/交换机稍有不同,需要用密码恢复文件来进行恢复.密码恢复文件有这些:np70.bin (7.0 release)np63.bin (6.3 release)np62.bin (6.2 release)np61.bin (6.1 release)np60.bin (6.0 release)np53.bin (5.3 release)np52.bin (5.2 release)np51.bin (5.1 release)np50.bin (5.0 release)np44.bin (4.4 release)nppix.bin (4.3 and earlier releases)PIX较老型号带有软驱,新一点的没有了.
这里讲的是无软驱型号的恢复过程.启动的时候按 ESC 或者 BREAK ,进入 Rom Moniter状态.
然后输入interface X - X代表端口号
address x.x.x.x – x.x.x.x 代表PIX地址
server x.x.x.y – x.x.x.y 代表TFTP Server地址
file npXY.bin – XY代表版本号
tftpCISCO SYSTEMS PIX FIREWALL
Embedded BIOS Version 4.3.207 01/02/02 16:12:22.73
Compiled by morlee
32 MB RAMPCI Device Table.
Bus Dev Func VendID DevID Class Irq
00 00 00 8086 7192 Host Bridge
00 07 00 8086 7110 ISA Bridge
00 07 01 8086 7111 IDE Controller
00 07 02 8086 7112 Serial Bus 9
00 07 03 8086 7113 PCI Bridge
00 0D 00 8086 1209 Ethernet 11
00 0E 00 8086 1209 Ethernet 10Cisco Secure PIX Firewall BIOS (4.2) #0: Mon Dec 31 08:34:35 PST 2001
Platform PIX-506E
System Flash=E28F640J3 @ 0xfff00000Use BREAK or ESC to interrupt flash boot.
Use SPACE to begin flash boot immediately.
Flash boot interrupted.
0: i8255X @ PCI(bus:0 dev:14 irq:10)
1: i8255X @ PCI(bus:0 dev:13 irq:11)Ethernet auto negotiation timed out.
Ethernet port 1 could not be initialized.
Use ? for help.
monitor> ?
? this help message
address [addr] set IP address of the PIX interface on which
the TFTP server resides
file [name] set boot file name
gateway [addr] set IP gateway
help this help message
interface [num] select TFTP interface
ping <addr> send ICMP echo
reload halt and reload system
server [addr] set server IP address
tftp TFTP download
timeout TFTP timeout
trace toggle packet tracingmonitor> interface 0
0: i8255X @ PCI(bus:0 dev:14 irq:10)
1: i8255X @ PCI(bus:0 dev:13 irq:11)
~两个端口 0 和 1Using 0: i82557 @ PCI(bus:0 dev:14 irq:10), MAC: 000d.bc7e.d97a
monitor>address 1.1.1.2
address 1.1.1.2
monitor> file np62.bin
file np62.bin
~~~~~~~~PIX 6.2 版本的monitor> ping 1.1.1.1
Sending 5, 100-byte 0x9e5e ICMP Echoes to 1.1.1.1, timeout is 4 seconds:
!!!!!
Success rate is 100 percent (5/5)
monitor> server 1.1.1.1
server 1.1.1.1
monitor> tftp
tftp np62.bin@1.1.1.1……………………………………………………………………………………………………………………………….
Received 73728 bytesCisco Secure PIX Firewall password tool (3.0) #0: Wed Mar 27 11:02:16 PST 2002
System Flash=E28F640J3 @ 0xfff00000
BIOS Flash=am29f400b @ 0xd8000Do you wish to erase the passwords? [yn] y
The following lines will be removed from the configuration:
enable password mLbCjoY6Ql1vh0o4 encrypted
passwd i/Y4R6kWHD6hjJ/v encryptedDo you want to remove the commands listed above from the configuration? [yn] y
Passwords and aaa commands have been erased.Rebooting..
CISCO SYSTEMS PIX FIREWALL
Embedded BIOS Version 4.3.207 01/02/02 16:12:22.73
Compiled by morlee
32 MB RAMPCI Device Table.
Bus Dev Func VendID DevID Class Irq
00 00 00 8086 7192 Host Bridge
00 07 00 8086 7110 ISA Bridge
00 07 01 8086 7111 IDE Controller
00 07 02 8086 7112 Serial Bus 9
00 07 03 8086 7113 PCI Bridge
00 0D 00 8086 1209 Ethernet 11
00 0E 00 8086 1209 Ethernet 10Cisco Secure PIX Firewall BIOS (4.2) #0: Mon Dec 31 08:34:35 PST 2001
Platform PIX-506E
System Flash=E28F640J3 @ 0xfff00000Use BREAK or ESC to interrupt flash boot.
Use SPACE to begin flash boot immediately.
Reading 1536512 bytes of image from flash.
##################################################################################
32MB RAM
System Flash=E28F640J3 @ 0xfff00000
BIOS Flash=am29f400b @ 0xd8000
mcwa i82559 Ethernet at irq 11 MAC: 000d.bc7e.d97b
mcwa i82559 Ethernet at irq 10 MAC: 000d.bc7e.d97a———————————————————————–
|| ||
|| ||
|||| ||||
..:||||||:..:||||||:..
c i s c o S y s t e m s
Private Internet eXchange
———————————————————————–
Cisco PIX FirewallCisco PIX Firewall Version 6.2(2)
~~~~~~ PIX 6.2
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES: Disabled
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Limited
IKE peers: Unlimited****************************** Warning *******************************
Compliance with U.S. Export Laws and Regulations – Encryption.
This product performs encryption and is regulated for export
by the U.S. Government.
This product is not authorized for use by persons located
outside the United States and Canada that do not have prior
approval from Cisco Systems, Inc. or the U.S. Government.
This product may not be exported outside the U.S. and Canada
either by physical or electronic means without PRIOR approval
of Cisco Systems, Inc. or the U.S. Government.
Persons outside the U.S. and Canada may not re-export, resell
or transfer this product by either physical or electronic means
without prior approval of Cisco Systems, Inc. or the U.S.
Government.
******************************* Warning *******************************Copyright (c) 1996-2002 by Cisco Systems, Inc.Restricted Rights LegendUse, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software – Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706.
Cryptochecksum(changed): f72dbc0b 3560939d 6544ff4a 70d7e598
Type help or ‘?’ for a list of available commands.
pixfirewall> en
Password:
pixfirewall#更详细的文档,请参考Cisco文档:Password Recovery and AAA Configuration Recovery Procedure for the PIX
而ASA的密码恢复过程就更加像路由器了.
同样,启动后按ESC进入Rommon,输入 confreg命令.
rommon #1> confreg
然后更改:
Current Configuration Register: 0x00000011
Configuration Summary:
boot TFTP image, boot default image from Flash on netboot failure
Do you wish to change this configuration? y/n [n]: y
hostname> enable
hostname# copy startup-config running-config hostname# configure terminal hostname(config)# password password hostname(config)# enable password password hostname(config)# username name password password 再把configuration register 改回来.
hostname(config)# config-register value 然后存盘.
hostname(config)# copy running-config startup-config
请参考cisco文档:
Performing Password Recovery for the ASA 5500 Series Adaptive Security Appliance http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/trouble.html#wp1058131
-
RR环境下的iBGP等价负载均衡路径问题
========phanx.com=========
Author: phanx
Updated: 2007-5-12
=========================这两天被某同事骚扰,协助解决一个RR环境下 iBGP 等价负载均衡的问题.今天查查文档,用DynaGen做了试验,明白了其中缘由.拓扑如图所示.R1和R3都为AS100里面的RR(路由反射体),分别属于cluster 0.0.0.1和0.0.0.3.R2和R4都是R1和R3的RR客户(Route-reflector-client).R1,R2,R3,R4之间均为相同类型和带宽的链路. R4下有一个100.0.0.0/24的网段.问题是,按照理解,R2到达R4的100.0.0.0/24应该存在两条等价路径. ( R2–> R1 –> R4 和 R2–> R3 –> R4 )但是,通过show ip bgp 100.0.0.0 和 show ip route 100.0.0.0 都只看到了一条路径.R2#sh ip bgp 100.0.0.0
BGP routing table entry for 100.0.0.0/24, version 5
Paths: (2 available, best #2, table Default-IP-Routing-Table)
Multipath: iBGP
Not advertised to any peer
Local
4.4.4.4 (metric 20) from 1.1.1.1 (1.1.1.1)
Origin IGP, metric 0, localpref 100, valid, internal, best
Originator: 4.4.4.4, Cluster list: 0.0.0.1
Local
4.4.4.4 (metric 20) from 3.3.3.3 (3.3.3.3)
Origin IGP, metric 0, localpref 100, valid, internal
Originator: 4.4.4.4, Cluster list: 0.0.0.3R2#sh ip route 100.0.0.0
Routing entry for 100.0.0.0/24
Known via "bgp 100", distance 200, metric 0, type internal
Last update from 4.4.4.4 00:16:11 ago
Routing Descriptor Blocks:
* 4.4.4.4, from 1.1.1.1, 00:16:11 ago
Route metric is 0, traffic share count is 1
AS Hops 0如果大家了解BGP,就应该知道,BGP有一系列选择最佳路径的规则,而且默认只使用一条路径.在这个问题里面, R2上是配置了 bgp maximum-path ibgp 2的,所以只要两条路径的是等价的,那么就应该可行.那么为什么会只有一条呢?其实,我们都被误导了. 要明白这个问题,首先要理解RR.RR是route reflector 路由反射体,用来减少iBGP中iBGP Peer的连接数的.在iBGP中,RR只是负责将iBGP Peer通告的路由"反射"给其它的iBGP Peer.也就是说并不是RR接收iBGP Peer的通告后再通告给别的iBGP Peer,通告的源是iBGP Peer而不是RR.再来看看刚才的show ip bgp输出:R2#sh ip bgp 100.0.0.0
BGP routing table entry for 100.0.0.0/24, version 5
Paths: (2 available, best #2, table Default-IP-Routing-Table)
Multipath: iBGP
Not advertised to any peer
Local
4.4.4.4 (metric 20) from 1.1.1.1 (1.1.1.1)
Origin IGP, metric 0, localpref 100, valid, internal, best
Originator: 4.4.4.4, Cluster list: 0.0.0.1
Local
4.4.4.4 (metric 20) from 3.3.3.3 (3.3.3.3)
Origin IGP, metric 0, localpref 100, valid, internal
Originator: 4.4.4.4, Cluster list: 0.0.0.3这两个条目实际上反映的是同样一条路由,即要到达100.0.0.0/24, 下一条地址是4.4.4.4这从show ip route的输出也得到了验证.R2#sh ip route 100.0.0.0
Routing entry for 100.0.0.0/24
Known via "bgp 100", distance 200, metric 0, type internal
Last update from 4.4.4.4 00:16:11 ago
Routing Descriptor Blocks:
* 4.4.4.4, from 1.1.1.1, 00:16:11 ago
Route metric is 0, traffic share count is 1
AS Hops 0那么到底到100.0.0.0/24有几条路呢?答案是: 两条.因为从R2到4.4.4.4的话不是直接可达,还需要进行路由的递归查找. 即查找到达4.4.4.4的下一条地址是哪里.那么,因为R2到R4存在两条同类型同带宽的链路,所以,就会有两条到达4.4.4.4的路径.R2#sh ip route 4.4.4.4
Routing entry for 4.4.4.4/32
Known via "isis", distance 115, metric 20, type level-2
Redistributing via isis
Last update from 10.0.0.17 on FastEthernet0/1, 00:02:03 ago
Routing Descriptor Blocks:
10.0.0.17, from 4.4.4.4, via FastEthernet0/1
Route metric is 20, traffic share count is 1
* 10.0.0.1, from 4.4.4.4, via FastEthernet0/0
Route metric is 20, traffic share count is 1这样,到100.0.0.0/24同样也就得到了两条路径.实际上,这个负载均衡是通过IGP来实现的. 因为对于iBGP来说只能看到一条路径.在Cisco IOS实现中,在建立FIB的时候会自动对100.0.0.0/24做递归得到两条路径.R2#sh ip cef
Prefix Next Hop Interface
100.0.0.0/24 10.0.0.17 FastEthernet0/1
10.0.0.1 FastEthernet0/0R2#sh ip cef 100.0.0.0
100.0.0.0/24, version 24, epoch 0, per-destination sharing
0 packets, 0 bytes
via 4.4.4.4, 0 dependencies, recursive
next hop 10.0.0.1, FastEthernet0/0 via 4.4.4.4/32
valid adjacency
Recursive load sharing using 4.4.4.4/32.顺便再说一下.在这个问题中, 同事另外的问题就是为什么一定是1.1.1.1反射过来的路由成为最佳路径.那是因为在BGP Best Path Algorithm 中, 最后要比较通告的iBGP Peer的地址大小,小的优先.在这个RR的环境下,R2的Peer是R1和R3, 路由通告被RR反射过,上面就会携带RR的信息.也就是show ip bgp 100.0.0.0中的from 1.1.1.1 (1.1.1.1)和from 3.3.3.3 (3.3.3.3)括号外面的为建立iBGP Peer的地址, 括号里面为iBGP的router-id.这样一比,自然1.1.1.1小, 所以也就成为了best path.这个问题最后给我的启示就是,看问题不要被表面现象迷惑了. 要看到本质. -
3750升级IOS后CPU利用率高,并且出现Traceback报错
去年记录的一个故障:========phanx.com=========
Author: phanx
Updated: 2006-5-10
=========================将3750/3750G从12.1升级IOS到 12.2(25)SEE.升级完成后发现3750的CPU利用率在80%左右,较高。并发现大量的报告错误信息如下:*Mar 1 08:02:04.722: %PLATFORM_UCAST-3-ADJ: Invalid OCE type 33 for fib x.x.x.x/32 Tbl:0
-Traceback= 250D6C 9E1364 9F054C 9F2624 9E5470 9D437C 9D48A4 A566C8 A1D858 A31454 A20ACC A28360 A28470 A764D8 A77A4C AEBD80更换其它12.2系列IOS为后故障依旧.后经过配置比较发现故障设备有一句 ip cef accounting per-prefix,去掉后一切恢复正常.暂时在Cisco 没有查到相关的说明和文档.
最新评论