Sunday, October 25, 2015

Common SMC 8126L2 commands

●Set clock synchronisation (SNTP) and the time zone
Vty-0#configure
Vty-0(config)#clock timezone Taiwan hours 8 minute 0 after-UTC => set the time zone; the timezone name (Taiwan here) is free text
Vty-0(config)#exit

Vty-0#configure
Vty-0(config)#sntp server 118.163.81.61 => set the SNTP server IP; up to 3 servers, separated by spaces
Vty-0(config)#sntp poll 60 => set the polling interval; the default is 16 seconds, 60 seconds here, valid range 16-16384 seconds
Vty-0(config)#sntp client  => make the switch an SNTP client
Vty-0(config)#exit
Vty-0#show sntp
Current Time:  Oct 25 19:47:34 2015
Poll Interval: 60
Current  Mode: unicast
SNTP Status:   Enabled
SNTP Server:    118.163.81.61 0.0.0.0  0.0.0.0
Current Server: 118.163.81.61

Vty-0#show calendar => show the date and time
 19:45:54 October 25 2015
Vty-0#


●Show the MAC addresses learned on a port (port 24 in this example); handy for checking remotely whether anything is alive behind that port
Vty-0#show mac-address-table interface ethernet 1/24
 Interface MAC Address       VLAN Type
 --------- ----------------- ---- -----------------
  Eth 1/24 00-02-5B-XX-05-62    1 Learned
  Eth 1/24 00-08-22-XX-40-2F    1 Learned
  Eth 1/24 00-08-22-XX-0E-EE    1 Learned
  Eth 1/24 00-08-22-XX-31-0A    1 Learned

●Check the status of VLAN ID 1 and VLAN ID 11
Vty-0#show vlan id 1
Default VLAN ID : 1

VLAN ID:               1
Type:                  Static
Name:                  DefaultVlan
Status:                Active
Ports/Port Channels:   Eth1/21(S) Eth1/23(S) Eth1/24(S)

Vty-0#show vlan id 11
Default VLAN ID : 1

VLAN ID:               11
Type:                  Static
Name:
Status:                Active
Ports/Port Channels:   Eth1/ 1(S) Eth1/ 2(S) Eth1/ 3(S) Eth1/ 4(S) Eth1/21(S)
                       Eth1/23(S) Eth1/24(S)

●Save the configuration
Vty-0#copy running-config startup-config
Startup configuration file name [startup1.cfg]: press Enter
Write to FLASH Programming.
Write to FLASH finish.
Success.

●Upload the configuration file to a TFTP server
Vty-0#copy file tftp
Choose file type:
 1. config:  2. opcode: <1-2>: 1
Source file name: startup1.cfg
TFTP server IP address: the TFTP server's IP
Destination file name: a name of your choice for the config file on the TFTP server, e.g. smc8126l2.cfg
Success.

●Update the firmware
Vty-0#copy tftp file
TFTP server IP address: enter the TFTP server's IP
Choose file type:
 1. config:  2. opcode: <1-2>: 2
Source file name: SMC8126L2_V1.4.6.1.bix
Destination file name: SMC8126L2_V1.4.6.1.bix
Write to FLASH Programming.
Write to FLASH finish.
Success.
Vty-0#configure
Vty-0(config)#boot system  opcode:SMC8126L2_V1.4.6.1.bix
Success.
Vty-0(config)#exit
Vty-0#reload
System will be restarted. Continue ?y
Session is waiting for rebooting..........................................


DHCP snooping and IP Source Guard

###############################################

※ For the concept of DHCP snooping, see the article 「防堵私自架設DHCP伺服器」 (blocking rogue DHCP servers).
For the IP source guard concept discussed below, see 「建構自我防禦不可不知-以交換器為基礎之安全防護觀念」 (switch-based security fundamentals).
###############################################

For a network administrator, an unauthorised router placed on the LAN with its DHCP server enabled is a nightmare: PCs on the LAN lease bogus or wrong IP, gateway and DNS settings, and users start reporting that the network is down or misbehaving. Most current Layer 2 switches have a built-in DHCP snooping feature. The port facing the legitimate, secure DHCP server is bound as trusted; on every other port (untrusted), the two message types that only a DHCP server sends, DHCPOFFER and DHCPACK, are dropped, so they can only enter through a trusted interface. That removes the worry that a privately installed DHCP server will disrupt normal operation of the internal network.
#############################################################
Commands to enable DHCP snooping on the SMC 8126L2

ip dhcp snooping vlan 1
ip dhcp snooping vlan 2
ip dhcp snooping -- the global on/off switch
The uplink port, or the port the DHCP server is connected to, must be set to TRUST:
SW#1(config)#interface ethernet 1/24  - connected to DHCP Server01
SW#1(config-if)#ip dhcp snooping trust
To turn DHCP snooping off again, enter no ip dhcp snooping

###############################################
Example:
If the switch carries VLAN IDs 11, 22, 33 and 44, and the DHCP server is connected to port 24,
the steps to enable DHCP snooping are as follows:
Vty-0#configure
Vty-0(config)#ip dhcp snooping vlan 11 => enable ip dhcp snooping on VLAN ID 11
Vty-0(config)#ip dhcp snooping vlan 22
Vty-0(config)#ip dhcp snooping vlan 33
Vty-0(config)#ip dhcp snooping vlan 44
At this point every interface is untrusted, so if someone sets up a DHCP server, its DHCPOFFER and DHCPACK messages are blocked.
At least one interface, the one the DHCP server is behind, must be made trusted.
## In this example port 24 is the trusted interface
Vty-0(config)#interface ethernet 1/24
Vty-0(config-if)#ip dhcp snooping trust
Vty-0(config)#exit
Vty-0#show ip dhcp snooping => show DHCP snooping information
Global DHCP Snooping status: disable
DHCP Snooping Information Option Status: disable
DHCP Snooping Information Policy: replace
DHCP Snooping is configured on the following VLANs:
   1,   11,   22,   33,   44,   55,   66,   77,   88,   99,  101,
Verify Source Mac-Address: enable
Interface           Trusted
----------          ----------
Eth 1/1             No
Eth 1/2             No
Eth 1/3             No
Eth 1/4             No
Eth 1/5             No
........
........
Eth 1/23            No
Eth 1/24            Yes
Eth 1/25            No
Eth 1/26            No



If Global DHCP Snooping status above shows disable, the global DHCP snooping switch still has to be turned on.
Once it is on, the switch records the IPs that DHCP hands out to clients in a table (the DHCP snooping binding table). When IP Source Guard is used later, the switch checks whether a client's IP and MAC address are in this table before letting its traffic through; if they are not, the traffic is dropped. This prevents unauthorised users from getting online by configuring an IP manually.

First set Global DHCP Snooping status to Enabled:

Vty-0#configure
Vty-0(config)#ip dhcp snooping
press Enter
Vty-0(config)#exit
Vty-0#show ip dhcp snooping
Check that the following lines now appear:
Global DHCP Snooping status: enabled
DHCP Snooping Information Option Status: enabled


Vty-0#show ip dhcp snooping binding  => show whether DHCP snooping is learning and recording the IP-to-MAC mappings handed out by DHCP

MAC Address       IP Address      Lease(sec) Type                 VLAN Interface
----------------- --------------- ---------- -------------------- ---- ---------
00-xx-xx-xx-a5-59 172.20.x.1--         86330 dhcp-snooping          77 Eth 1/18
00-xx-xx-xx-c3-63 172.20.x.1--         86360 dhcp-snooping          77 Eth 1/13

With snooping enabled, turning on IP source guard later restricts users to the IP handed out by the DHCP server; a manually configured IP will not get through. If a host really needs a static IP, its IP and MAC must be added to the binding table by hand.
Once IP source guard is enabled, each port has a limited number of binding entries (5-16, depending on the switch vendor and model). If another switch with many users hangs off the port, it is better not to enable IP source guard on that port, or the users behind it may fail to get an IP.

Steps to enable ip source-guard (taking port 20 as the example)

SW1(config)#interface ethernet 1/1-20
SW1(config-if)#ip source-guard sip-mac (both the IP and the MAC must be present in the binding table and match)
SW1(config-if)#exit

Add a binding for MAC 11-11-11-11-11-11 with IP 172.20.1.99 so that this static IP is accepted on port 2:

Vty-0(config)#ip source-guard binding 11-11-11-11-11-11 vlan 11 172.20.1.99  interface ethernet 1/2
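As an added example (not from the original post), the Python below is a pre-check for the per-port limit and static-IP caveat described above: it parses the "show mac-address-table interface ..." and "show ip dhcp snooping binding" outputs shown earlier and lists the MACs learned on a port that have no snooping binding, i.e. the hosts that "ip source-guard sip-mac" would start dropping. The sample outputs and MACs are constructed, and the per-port limit of 5 entries is an assumed parameter.

```python
"""Pre-check before enabling 'ip source-guard sip-mac' on a switch port.
Added example, not from the original post: parses the two outputs shown
above and lists MACs learned on a port that have no DHCP snooping binding;
those hosts (static IPs, or hosts behind a downstream switch) would be
dropped once source guard is on.  Samples are constructed, MACs made up."""
import re

MAC_TABLE = """\
 Interface MAC Address       VLAN Type
 --------- ----------------- ---- -----------------
  Eth 1/18 00-02-5B-11-05-62   77 Learned
  Eth 1/18 00-08-22-22-40-2F   77 Learned
  Eth 1/13 00-08-22-33-0E-EE   77 Learned
"""

BINDING_TABLE = """\
MAC Address       IP Address      Lease(sec) Type                 VLAN Interface
----------------- --------------- ---------- -------------------- ---- ---------
00-02-5B-11-05-62 172.20.1.10          86330 dhcp-snooping          77 Eth 1/18
00-08-22-33-0E-EE 172.20.1.11          86360 dhcp-snooping          77 Eth 1/13
"""

MAC_ADDR = r"([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})"
MAC_RE = re.compile(r"^\s*(Eth \d+/\d+)\s+" + MAC_ADDR + r"\s+(\d+)\s+(\S+)")
BIND_RE = re.compile(r"^" + MAC_ADDR + r"\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(Eth \d+/\d+)")

def parse_mac_table(text):
    """Rows of (interface, MAC, VLAN) from 'show mac-address-table' output."""
    return [(m.group(1), m.group(2).upper(), int(m.group(3)))
            for m in (MAC_RE.match(line) for line in text.splitlines()) if m]

def parse_binding_table(text):
    """(interface, MAC, VLAN) -> leased IP from 'show ip dhcp snooping binding'."""
    table = {}
    for m in (BIND_RE.match(line) for line in text.splitlines()):
        if m:
            mac, ip, _lease, _type, vlan, intf = m.groups()
            table[(intf, mac.upper(), int(vlan))] = ip
    return table

def unbound_hosts(mac_text, binding_text, interface):
    """MACs learned on `interface` with no matching (port, MAC, VLAN) binding."""
    bindings = parse_binding_table(binding_text)
    return [(mac, vlan) for intf, mac, vlan in parse_mac_table(mac_text)
            if intf == interface and (intf, mac, vlan) not in bindings]

def source_guard_preview(mac_text, binding_text, interface, max_bindings=5):
    """What enabling sip-mac source guard on `interface` would do.  max_bindings is
    an assumed per-port entry limit (the page says 5-16 depending on the switch)."""
    learned = [r for r in parse_mac_table(mac_text) if r[0] == interface]
    blocked = unbound_hosts(mac_text, binding_text, interface)
    return {"learned": len(learned), "would_block": blocked,
            "over_port_limit": len(learned) > max_bindings}
```

Any MAC listed under "would_block" needs a manual "ip source-guard binding" entry (as in the command above) before source guard is enabled on that port.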



###################################################################
A Linux DHCP server combined with the switch's DHCP Option 82 feature can control which DHCP IP a client gets. For example, the IP or address range a user receives can depend on which switch port the user connects through; within the same subnet, port 1 can be given one IP and port 2 another. The DHCP server's log also shows which device (MAC address) connected from which port and which VLAN, which makes this a very useful tool for managing the internal network. A sample of the log file is shown in the figure below:


##################################################
Linux DHCP Server dhcpd.conf

###################################################
#
# Sample configuration file for ISC dhcpd for Debian
#
# Attention: If /etc/ltsp/dhcpd.conf exists, that will be used as
# configuration file instead of this file.
#
#

# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;

# option definitions common to all supported networks...
option domain-name "example.org";
#option domain-name-servers ns1.example.org, ns2.example.org;

default-lease-time 600;
max-lease-time 7200;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.

#subnet 10.152.187.0 netmask 255.255.255.0 {
#}

# This is a very basic subnet declaration.

#subnet 10.254.239.0 netmask 255.255.255.224 {
#  range 10.254.239.10 10.254.239.20;
#  option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
#}

# This declaration allows BOOTP clients to get dynamic addresses,
# which we don't really recommend.

#subnet 10.254.239.32 netmask 255.255.255.224 {
#  range dynamic-bootp 10.254.239.40 10.254.239.60;
#  option broadcast-address 10.254.239.31;
#  option routers rtr-239-32-1.example.org;
#}

# A slightly different configuration for an internal subnet.
#subnet 10.5.5.0 netmask 255.255.255.224 {
#  range 10.5.5.26 10.5.5.30;
#  option domain-name-servers ns1.internal.example.org;
#  option domain-name "internal.example.org";
#  option routers 10.5.5.1;
#  option broadcast-address 10.5.5.31;
#  default-lease-time 600;
#  max-lease-time 7200;
#}

# Hosts which require special configuration options can be listed in
# host statements.   If no address is specified, the address will be
# allocated dynamically (if possible), but the host-specific information
# will still come from the host declaration.

#host passacaglia {
#  hardware ethernet 0:0:c0:5d:bd:95;
#  filename "vmunix.passacaglia";
#  server-name "toccata.fugue.com";
#}

# Fixed IP addresses can also be specified for hosts.   These addresses
# should not also be listed as being available for dynamic assignment.
# Hosts for which fixed IP addresses have been specified can boot using
# BOOTP or DHCP.   Hosts for which no fixed address is specified can only
# be booted with DHCP, unless there is an address range on the subnet
# to which a BOOTP client is connected which has the dynamic-bootp flag
# set.
#host fantasia {
#  hardware ethernet 08:00:07:26:c0:a5;
#  fixed-address fantasia.fugue.com;
#}

# You can declare a class of clients and then do address allocation
# based on that.   The example below shows a case where all clients
# in a certain class get addresses on the 10.17.224/24 subnet, and all
# other clients get addresses on the 10.0.29/24 subnet.

#class "foo" {
#  match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
#}

#shared-network 224-29 {
#  subnet 10.17.224.0 netmask 255.255.255.0 {
#    option routers rtr-224.example.org;
#  }
#  subnet 10.0.29.0 netmask 255.255.255.0 {
#    option routers rtr-29.example.org;
#  }
#  pool {
#    allow members of "foo";
#    range 10.17.224.10 10.17.224.250;
#  }
#  pool {
#    deny members of "foo";
#    range 10.0.29.10 10.0.29.230;
#  }
#}
class "by-oui-mac" {
  # substring(hardware,0,4) = htype byte + first 3 bytes (OUI) of the client MAC,
  # printed without zero padding, so 01:20:6a:8a compares as "1:20:6a:8a"
  match if (binary-to-ascii (16,8,":",substring(hardware, 0, 4)) = "1:20:6a:8a")
    or (binary-to-ascii (16,8,":",substring(hardware, 0, 4)) = "1:0:3:6b")
    or (binary-to-ascii (16,8,":",substring(hardware, 0, 4)) = "1:0:7:eb");
  log (info, (binary-to-ascii (16,8,":",substring(hardware, 0, 4))));
}

class "other" {
  match if not (binary-to-ascii (16,8,":",substring(hardware, 0, 4)) = "1:20:6a:8a")
    and not (binary-to-ascii (16,8,":",substring(hardware, 0, 4)) = "1:0:3:6b")
    and not (binary-to-ascii (16,8,":",substring(hardware, 0, 4)) = "1:0:7:eb");
  log (info, concat("other-mac",(binary-to-ascii (16,8,":",substring(hardware, 0, 4)))));
}

# Requests that carry no Option 82 remote-id (not relayed by an Option 82 switch)
class "No_AID" {
  match if not exists agent.remote-id;
}

# Client behind switch 70:72:cf:95:aa:5c (remote-id bytes 2-7), on port 1/5
# (last two bytes of the circuit-id: module/port)
class "fixed6" {
  match if binary-to-ascii(16, 8, ":", substring(option agent.remote-id, 2, 6)) = "70:72:cf:95:aa:5c"
    and binary-to-ascii (10, 8, "/", suffix ( option agent.circuit-id, 2)) = "1/5";
}

class "fixed7" {
  match if binary-to-ascii(16, 8, ":", substring(option agent.remote-id, 2, 6)) = "70:72:cf:95:aa:5c"
    and binary-to-ascii (10, 8, "/", suffix ( option agent.circuit-id, 2)) = "1/6";
}

# Port 1/4 on any switch
class "port4" {
  match if binary-to-ascii (10, 8, "/", suffix ( option agent.circuit-id, 2)) = "1/4";
}

# Test01
subnet 192.168.2.0 netmask 255.255.255.0 {
  pool {
    range 192.168.2.6;
    allow members of "fixed6";
  }

  pool {
    range 192.168.2.7;
    allow members of "fixed7";
  }

  pool {
    range 192.168.2.4;
    allow members of "port4";
  }

  pool {
    range 192.168.2.210 192.168.2.220;
    option routers 192.168.2.2;
    allow members of "by-oui-mac";
  }

  pool {
    range 192.168.2.141 192.168.2.150;
    allow members of "No_AID";
    # MyNotebook
    host E10089 {
      hardware ethernet 20:6A:99:6F:2C:70;
      fixed-address 192.168.2.33;
    }
  }
}

# Log where each lease came from, using the Option 82 fields inserted by the switch
if exists agent.circuit-id
{
  log (info, concat("Lease for ",
                binary-to-ascii (10, 8, ".", leased-address),
                " is connected to interface ",
                binary-to-ascii (10, 8, "/",
                suffix ( option agent.circuit-id, 2)),
                " (add 1 to port number!), VLAN ",
                binary-to-ascii (10, 16, "",
                substring( option agent.circuit-id, 2, 2)),
                " on switch ",
                binary-to-ascii(16, 8, ":",
                substring( option agent.remote-id, 2, 6))));
  log (info, concat("Lease for ",
                binary-to-ascii (10, 8, ".", leased-address),
                " raw option-82 info is CID: ",
                binary-to-ascii (10, 8, ".", option agent.circuit-id),
                " AID: ",
                binary-to-ascii(16, 8, ".", option agent.remote-id)));
}
else { log (info, "client is neither known nor has an agent-id"); }

###############################################
Notes:
substring(option agent.circuit-id,2,2) means offset 2, length 2; this expression extracts the VLAN ID field of Option 82.
binary-to-ascii(10,16,"",substring(option agent.circuit-id,2,2)): 10 means decimal, 16 means 16-bit units; the result is the VLAN ID from Option 82 converted to decimal.
Source: 「Linux平臺上支持Option82的DHCP服務器配置」
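As an added example (not from the original post or from ISC dhcpd), the Python below re-implements the binary-to-ascii(), substring() and suffix() semantics used in the dhcpd.conf above and applies them to constructed Option 82 bytes, so you can see which strings a given circuit-id, remote-id and hardware field produce for the class "match if" rules and for the lease log line. It assumes the sub-option layout the config relies on (circuit-id: sub-type, length, 2-byte VLAN, module, port; remote-id: sub-type, length, 6-byte switch MAC) and that binary-to-ascii prints units without zero padding, which the "1:0:3:6b" strings in the config show.

```python
"""Decode DHCP Option 82 sub-options the way the dhcpd.conf expressions above do.
Added example (not from the original post or ISC dhcpd): re-implements the
binary-to-ascii(), substring() and suffix() semantics so you can see which string
a circuit-id / remote-id / hardware field is compared against in a class rule.
All byte strings used here are constructed samples, not captured traffic."""

def binary_to_ascii(base, width, sep, data):
    """dhcpd's binary-to-ascii: width-bit units printed in base 8/10/16 with no
    zero padding (hence "1:0:3:6b", not "01:00:03:6b"); a trailing partial unit is dropped."""
    nbytes = width // 8
    fmt = {8: "o", 10: "d", 16: "x"}[base]
    units = [int.from_bytes(data[i:i + nbytes], "big")
             for i in range(0, len(data) - len(data) % nbytes, nbytes)]
    return sep.join(format(u, fmt) for u in units)

def substring(data, offset, length):
    return data[offset:offset + length]

def suffix(data, length):
    """Last `length` bytes, or all of data if it is shorter (dhcpd semantics)."""
    return data[-length:] if length < len(data) else data

def circuit_id_fields(circuit_id):
    """(VLAN as decimal string, 'module/port') for a circuit-id laid out as
    sub-type, length, VLAN (2 bytes), module (1), port (1), as the config assumes."""
    vlan = binary_to_ascii(10, 16, "", substring(circuit_id, 2, 2))
    port = binary_to_ascii(10, 8, "/", suffix(circuit_id, 2))
    return vlan, port

def remote_id_mac(remote_id):
    """Switch MAC from a remote-id laid out as sub-type, length, 6-byte MAC."""
    return binary_to_ascii(16, 8, ":", substring(remote_id, 2, 6))

def matched_classes(hardware, circuit_id, remote_id):
    """Names of the page's classes whose 'match if' this client satisfies
    (hardware = htype byte + chaddr; pass None for an absent sub-option)."""
    oui_key = binary_to_ascii(16, 8, ":", substring(hardware, 0, 4))
    classes = ["by-oui-mac" if oui_key in ("1:20:6a:8a", "1:0:3:6b", "1:0:7:eb")
               else "other"]
    if remote_id is None:
        classes.append("No_AID")
    if circuit_id is not None:
        port = circuit_id_fields(circuit_id)[1]
        switch = remote_id_mac(remote_id) if remote_id is not None else None
        if switch == "70:72:cf:95:aa:5c" and port in ("1/5", "1/6"):
            classes.append("fixed6" if port == "1/5" else "fixed7")
        if port == "1/4":
            classes.append("port4")
    return classes

def lease_log_line(leased_ip, circuit_id, remote_id):
    """The 'Lease for ... on switch ...' message logged by the page's if-block."""
    vlan, port = circuit_id_fields(circuit_id)
    return ("Lease for %s is connected to interface %s (add 1 to port number!), "
            "VLAN %s on switch %s" % (binary_to_ascii(10, 8, ".", leased_ip),
                                      port, vlan, remote_id_mac(remote_id)))
```

Feed it the CID/AID bytes from the "raw option-82 info" log line of a real lease to confirm the exact strings your switch produces before writing a class rule for them.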




##################################################
References:

  1. DHCP snooping的觀念與運作方式及 IP source guard的設定
  2. 防堵私自架設DHCP伺服器
  3. Linux DHCP Option 82 設定
  4. How to configure Option 82 aware DHCP Server(Zyxel)
  5. Static Addressing Within a DHCP Structure
  6. ISC DHCP and option 82
  7. How to use DHCP option 82 on ECS4110-28T for assign different DHCP IP pools to clients?(Edge-Core KW)
  8. Sample configuration file for ISC dhcpd using Option 82
  9. DHCP Option 82, Cisco switches and routers and the ISC DHCP server
  10. Use DHCP Snooping, Option 82  and Filtering on AT-8800, AT-8600, AT-8700XL
  11. Linux平臺上支持Option82的DHCP服務器配置
  12. 測試DHCP Option82 設定了好久的dhcpd.conf
  13. Understand DHCP relay option 82 Agent Circuit ID (Zyxel KW)
  14. Rogue DHCP (wikipedia)
  15. ISC-DHCP-Server的文件
  16. 瞭解DHCP Snooping,IPsource Guard的好文章



Monday, October 12, 2015

The SNMP card and Shutdown Agent for a DELTA (台達電) UPS

Environment:
A Delta UPS with an SNMP card installed, so the UPS can be managed and monitored over the network (and also via RS232).
Host A (OS: Windows),
Host B (OS: Linux),
Host C (OS: VMware),
Host C-1 (guest OS on host C, Windows),
Host C-2 (guest OS on host C, Linux),
Host C-3 (guest OS on host C, running vMA)

1. After the SNMP card is installed in the UPS and configured, the card's IP can be opened in a browser to monitor and manage the UPS.


2. When mains power fails, how does the UPS tell the hosts below it to shut down automatically? Go to 【網路】-【SNMP Trap】 (Network - SNMP Trap) and add the IP of each host to be notified (the target IP in the figure below), e.g. host A, host B and host C, so that the UPS's SNMP card knows which hosts to notify when mains power fails.



3. After the steps above, each target host must have Shutdown Agent 2012 installed (download from http://59.125.232.140/ups/tc/index.aspx). Read the vendor's Chinese manual first for installation and operation; the Shutdown Agent build must match the operating system.
For Windows (including Windows Server) install the 32-bit or 64-bit build as appropriate (ShutdownAgent 2012 v02.00.04a 32-bit or ShutdownAgent 2012 v02.00.04a 64-bit).

After installation, open host A's IP in a browser, locally or remotely (default account admin, password password), switch the interface language to Traditional Chinese at the top right, go to 【設備】-【設定】 (Device - Settings), and under 【來源IP地址】 (Source IP address) add the IP of the UPS's SNMP card as a 【Trap來源IP】 (trap source IP). Then set the 【作業系統關機延遲時間】 (OS shutdown delay) for 【輸入電源中斷】 (input power failure). The default is 300 seconds (5 minutes), meaning the host shuts down 5 minutes after receiving the mains-failure signal from the UPS; in this example it was changed to 120 seconds.




4. Once installed, it can be tested without pulling the UPS's power plug: in the SNMP card's management interface, under 【控制】 (Control), click 【輸入電源中斷測試】 (input power failure test). The SNMP card simulates a mains failure and sends an SNMP trap to the clients.


5. If all is well, the client hosts receive the SNMP trap from the SNMP card; on host A (Windows) a broadcast message window pops up locally warning of 「輸入電源中斷」 (input power failure, i.e. mains lost), with a shutdown countdown at the bottom right.

6. If host A is opened in a browser instead, the shutdown countdown message below appears.


7. The Linux shutdown agent comes as ShutdownAgent 2012 v03.00.03a 32-bit and ShutdownAgent 2012 v03.00.03a 64-bit. After installation, connect to host B with a browser and configure it the same way as above (enter the SNMP trap target host on the SNMP card's management side, and the trap source IP in the Linux host's Shutdown Agent). When the UPS sends the test power-failure signal, the Linux host shows the received broadcast message locally.

When the countdown ends, the operating system shuts down automatically.

Note: to test only whether the signal arrives, without actually shutting down, remember to click 【輸入電源恢復測試】 (input power restore test) under 【控制】 (Control) in the SNMP management interface.

To use Shutdown Agent with an ESXi server so that ESXi shuts down automatically on mains failure, two things are needed: vMA installed on ESXi, and Shutdown Agent for Linux x64 installed on the vMA, followed by the command vifp addserver <ESXi IP>. In addition, the ESXi server must be a paid (licensed) edition, not the free one; otherwise vMA shows the message below and the host still cannot be shut down automatically.





Test results so far: APC UPSs have the best support, and the most related documentation can be found online (mostly in English), but having a single UPS cover NAS + ESXi + guest OS is difficult. Synology NAS support (see http://portable.easylife.tw/4399) works best when the UPS has a USB port connected directly to the NAS. Sending the UPS shutdown signal via the SNMP card, with the Delta UPS tested here, the NAS receives the power-failure message but does not shut itself down. For ESXi to shut itself down, after much reading and testing it turned out that almost everything supports only the paid edition of ESXi; on the free edition the shutdown command fails. The usual approach is to install vMA first and then install the UPS vendor's software on the vMA to send the shutdown command to the ESXi server. Guest OS support, on the other hand, is no problem.