Cisco MARS 55 disk usage

Default disk usage of a fresh MARS install on the stock 500GB disk:
[pnadmin]$ diskusage
Filesystem            Size  Used Avail Use% Mounted on
/dev/hda2             857M  543M  271M  67% /
/dev/hda1             125M   16M  103M  14% /boot
none                  2.0G     0  2.0G   0% /dev/shm
/dev/sda5             9.9G  1.2G  8.3G  12% /opt
/dev/sda6              20G  71M   19G   1% /log
/dev/sda7              74G   41M   71G  1% /pnarchive
/dev/sda8             9.9G   30M  9.4G   1% /tmp
/dev/sda9             9.9G  1.8G  7.6G  19% /u01
/dev/sda11            312G  13G  284G  5% /u02
/dev/sda10            9.9G  8.1G  1.3G  87% /u03

After upgrading to a 1TB disk and running MARS for a long time, disk usage has more or less stabilized:
[pnadmin]$ diskusage
Filesystem            Size  Used Avail Use% Mounted on
/dev/hda2             857M  538M  276M  67% /
/dev/hda1             125M   16M  103M  14% /boot
none                  2.0G     0  2.0G   0% /dev/shm
/dev/sda5             9.9G  1.3G  8.2G  14% /opt
/dev/sda6              20G  179M   19G   1% /log
/dev/sda7              74G   13G   58G  18% /pnarchive
/dev/sda8             9.9G   90M  9.3G   1% /tmp
/dev/sda9             9.9G  2.4G  7.0G  26% /u01
/dev/sda11            770G  171G  561G  24% /u02
/dev/sda10            9.9G  8.1G  1.3G  87% /u03
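As an added example that is not part of the original post, this Python script parses the two diskusage snapshots above, computes how much each MARS partition grew between them, and flags any mount above a usage threshold (the tmpfs /dev/shm row is left out).

```python
import re

# Both diskusage snapshots quoted above: the fresh install on the 500GB disk and the
# long-running system on the 1TB disk (disk rows only; the header line is skipped).
FRESH = """
/dev/hda2             857M  543M  271M  67% /
/dev/hda1             125M   16M  103M  14% /boot
/dev/sda5             9.9G  1.2G  8.3G  12% /opt
/dev/sda6              20G  71M   19G   1% /log
/dev/sda7              74G   41M   71G  1% /pnarchive
/dev/sda8             9.9G   30M  9.4G   1% /tmp
/dev/sda9             9.9G  1.8G  7.6G  19% /u01
/dev/sda11            312G  13G  284G  5% /u02
/dev/sda10            9.9G  8.1G  1.3G  87% /u03
"""
LATER = """
/dev/hda2             857M  538M  276M  67% /
/dev/hda1             125M   16M  103M  14% /boot
/dev/sda5             9.9G  1.3G  8.2G  14% /opt
/dev/sda6              20G  179M   19G   1% /log
/dev/sda7              74G   13G   58G  18% /pnarchive
/dev/sda8             9.9G   90M  9.3G   1% /tmp
/dev/sda9             9.9G  2.4G  7.0G  26% /u01
/dev/sda11            770G  171G  561G  24% /u02
/dev/sda10            9.9G  8.1G  1.3G  87% /u03
"""
UNITS = {"": 1, "K": 1 << 10, "M": 1 << 20, "G": 1 << 30, "T": 1 << 40}

def to_bytes(field):
    """Convert a df -h style size such as '9.9G', '71M' or '0' to bytes."""
    m = re.fullmatch(r"([\d.]+)([KMGT]?)", field)
    return int(float(m.group(1)) * UNITS[m.group(2)])

def parse_diskusage(text):
    """Map mount point -> (size, used, use%) from diskusage/df -h output, skipping the header."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 6 and parts[4].endswith("%"):
            table[parts[5]] = (to_bytes(parts[1]), to_bytes(parts[2]), int(parts[4][:-1]))
    return table

def report(before, after, warn_pct=80):
    """Per mount: used-space growth in GB, plus a flag when the later snapshot is at or above warn_pct."""
    out = {}
    for mount, (size, used, pct) in after.items():
        growth_gb = (used - before[mount][1]) / (1 << 30) if mount in before else None
        out[mount] = (round(growth_gb, 1) if growth_gb is not None else None, pct >= warn_pct)
    return out
```

On these snapshots the event store /u02 and /pnarchive account for nearly all the growth, while /u03 sits at 87% in both and is the partition worth watching.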

Cisco 6500 SUP720/MSFC3 full upgrade of both supervisors

upgrade rom-monitor slot 6 sp file tftp://192.168.1.2/c6ksup720-rm2.srec.8-5-4.srec   //upgrade the CatOS ROMMON
upgrade rom-monitor slot 6 rp file tftp://192.168.1.2/c6msfc3-rm2.srec.122-17r.SX7   //upgrade the IOS ROMMON software
upgrade rom-monitor slot 5 sp file tftp://192.168.1.2/c6ksup720-rm2.srec.8-5-4.srec
upgrade rom-monitor slot 5 rp file tftp://192.168.1.2/c6msfc3-rm2.srec.122-17r.SX7
copy tftp://192.168.1.2/s72033-boot-mz.122-33.SXI3.bin bootflash:
copy tftp://192.168.1.2/s72033-boot-mz.122-33.SXI3.bin slavebootflash:   //upload the bootloader
copy tftp://192.168.1.2/s72033-adventerprisek9_wan-vz.122-33.SXI3.bin sup-bootflash:
copy tftp://192.168.1.2/s72033-adventerprisek9_wan-vz.122-33.SXI3.bin slavesup-bootflash:   //upload the boot (system) image
copy tftp://192.168.1.2/c6500-fpd-pkg.122-33.SXI3.pkg sup-bootflash:
copy tftp://192.168.1.2/c6500-fpd-pkg.122-33.SXI3.pkg slavesup-bootflash:   //upload the FPD package
verify /md5 bootflash:s72033-boot-mz.122-33.SXI3.bin 27457108988653aa8ae012b28a60abce
verify /md5 slavebootflash:s72033-boot-mz.122-33.SXI3.bin 27457108988653aa8ae012b28a60abce   //verify the bootloader
verify /md5 sup-bootflash:s72033-adventerprisek9_wan-vz.122-33.SXI3.bin 9e31abc3bbaee41f2086ce3b48c8f1af
verify /md5 slavesup-bootflash:s72033-adventerprisek9_wan-vz.122-33.SXI3.bin 9e31abc3bbaee41f2086ce3b48c8f1af   //verify the boot (system) image
verify /md5 sup-bootflash:c6500-fpd-pkg.122-33.SXI3.pkg 2f198062eac5b2f667efd293b236a379
verify /md5 slavesup-bootflash:c6500-fpd-pkg.122-33.SXI3.pkg 2f198062eac5b2f667efd293b236a379   //verify the FPD package
boot bootldr bootflash:s72033-boot-mz.122-33.SXI3.bin
boot system flash sup-bootflash:s72033-adventerprisek9_wan-vz.122-33.SXI3.bin
hw-module module 6 reset   //reset the standby supervisor in slot 6
redundancy force-switchover   //once slot 6 has finished booting and shows STANDBY COLD, force a manual switchover

Upgrading, switching over and rebooting the two supervisors one at a time keeps network downtime to a minimum. If the standby cannot reach STANDBY COLD, just do an honest reload.

Importing an SSL certificate on a Cisco WLC

First generate the private key and certificate request:
openssl req -new -newkey rsa:2048 -nodes -keyout key.pem -out req.pem
Send req.pem to the CA; the CA returns the certificate file cert.cer.
Combine the private key and certificate into a PKCS12 file and convert it back to a pem file:
openssl pkcs12 -export -in cert.cer -inkey key.pem -out cert.p12 -clcerts
openssl pkcs12 -in cert.p12 -out cert.pem

Put this cert.pem on a TFTP server, log in to the WLC, go to MANAGEMENT – HTTP, tick Download SSL Certificate, fill in the TFTP details, the certificate file path and the password, and click Apply. Click Save And Reboot to save the settings and reboot the WLC so the new certificate takes effect.

Importing an SSL certificate on Cisco WCS

Run C:\PROGRA~1\WCS\bin>keyadmin -newdn -csr genkey c:\wcs.csr and fill in the requested information to generate the certificate request file, send the CSR to the CA, save the certificate file from the CA as c:\wcs.cer, and run C:\Program Files\WCS\bin>keyadmin importsignedcert c:\certnew.cer to import the certificate. Alternatively, generate the private key and CSR elsewhere, obtain the certificate, and import key and certificate together with keyadmin importkey [keyFileName] [certFileName]. Restart WCS and the new certificate takes effect.

Importing a certificate on a Cisco ASA for SSL VPN

First generate the private key and certificate request:
openssl genrsa -des3 -out ssl.key 2048
openssl req -new -key ssl.key -out ssl.csr
Send ssl.csr to the CA; the CA returns the certificate file ssl.cer.
Combine the private key and certificate into a PKCS12 file; chain.cer is the certificate chain file, and every certificate in the chain must be in it:
openssl pkcs12 -export -inkey ssl.key -in ssl.cer -certfile chain.cer -out ssl.p12
In ASDM – Configuration – Device Management – Certificate Management – Identity Certificates, click Add, give this certificate a name in Trustpoint Name, choose Import the identity certificate from a file:, import the ssl.p12 just generated and enter its password.

Alternatively, choose Add a new identity certificate: and let the ASA generate the private key and certificate request, in which case the openssl steps above are not needed. Key Pair is the private key; the ASA default is 1024 bits, so it is recommended to click New and generate a fresh 2048-bit key. Fill in the details, generate a certificate request file with the new key, send that csr file to the CA, and Install the certificate the CA returns.

After the steps above the new certificate is imported, but it still has to be assigned to an interface. Under Device Management – Advanced – SSL Settings – Certificates, assign the Trustpoint Name of the newly imported certificate to the required Interface. Logging in to the SSL VPN now shows the new certificate.
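The WLC and ASA procedures above both send an openssl-generated CSR (req.pem, ssl.csr) to a CA, and the ASA note recommends a 2048-bit key over the 1024-bit default. As an added example that is not part of the original post, this Python script reads the RSA key size out of such a CSR before it is submitted, using only the standard library and a minimal DER walker; sample_csr builds a constructed, unsigned PKCS#10 skeleton for testing, not a real request.

```python
import base64, re

def pem_blocks(text):
    """[(label, der)] for each PEM block in a file such as req.pem or ssl.csr."""
    found = re.findall(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", text, re.S)
    return [(label, base64.b64decode("".join(body.split()))) for label, body in found]

def der_tlv(buf, pos=0):
    """Decode one DER element at pos: (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):                     # elements nested inside a SEQUENCE value
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out

def int_bits(value):                         # bit length of a DER INTEGER value
    value = value.lstrip(b"\x00")            # drop the sign-padding zero byte first
    return (len(value) - 1) * 8 + value[0].bit_length()

def csr_rsa_bits(der):
    """PKCS#10: SEQ{ SEQ{ version, subject, SPKI{ alg, BIT STRING{ SEQ{ n, e }}}}, sigAlg, sig }."""
    info = der_children(der_children(der_tlv(der)[1])[0][1])
    bit_string = der_children(info[2][1])[1][1]          # subjectPublicKey
    rsa_pub = der_children(der_tlv(bit_string[1:])[1])   # skip the unused-bits byte
    return int_bits(rsa_pub[0][1])

def weak_csrs(text, minimum=2048):
    """Key sizes of every CERTIFICATE REQUEST block in text that fall below the minimum."""
    sizes = [csr_rsa_bits(d) for label, d in pem_blocks(text) if label == "CERTIFICATE REQUEST"]
    return [bits for bits in sizes if bits < minimum]

def der_encode(tag, value):   # tiny DER encoder, used only to build the constructed sample
    n, size = len(value), (len(value).bit_length() + 7) // 8
    return bytes([tag, n]) + value if n < 128 else bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + value

def sample_csr(bits):
    """Constructed, unsigned CSR skeleton carrying an RSA key of 'bits' size (not a real request)."""
    der_int = lambda i: der_encode(0x02, i.to_bytes(i.bit_length() // 8 + 1, "big"))
    rsa_pub = der_encode(0x30, der_int(1 << (bits - 1)) + der_int(65537))
    spki = der_encode(0x30, der_encode(0x30, b"") + der_encode(0x03, b"\x00" + rsa_pub))
    info = der_encode(0x30, der_int(0) + der_encode(0x30, b"") + spki)
    der = der_encode(0x30, info + der_encode(0x30, b"") + der_encode(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE REQUEST-----\n%s\n-----END CERTIFICATE REQUEST-----\n" % base64.b64encode(der).decode()
```

Only RSA CSRs are handled; an encrypted private key such as the -des3 ssl.key cannot be inspected this way, so check the CSR instead.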

Regenerating the SSL certificate on Cisco MARS

SSH to MARS and run sslcert to regenerate the ssl certificate. The CN must be the MARS domain name or IP address; the other fields do not matter. The next time you access MARS, install the certificate into "Trusted Root Certification Authorities" and later visits will no longer show a security warning. Such a certificate is self-signed; to have another CA sign it, the only option is probably to mount the MARS disk on another system and edit the files under /opt/janus/jboss/bin/ssl/.

Cisco MARS: upgrade from the command line instead of the web interface

The current Cisco MARS version is 6.0.6.3368. Uploading csmars-6.0.7.3404.zip through the web interface fails, and the upgrade log alternates between "Upgrade package acquisition error." and "Failed to pass the version dependency test.", which gives no idea what the real problem is.

After SSHing into MARS and upgrading from the command line with pnupgrade ftp://192.168.1.2/csmars-6.0.7.3404.zip, the error is perfectly clear:
[Error][check_dependency/547]: minimal allowed version(6.0.6.3368.35) > current version(6.0.6.3368.34).
That last minor build number is not marked anywhere on Cisco's website. After downloading the latest csmars-6.0.6.3368.zip from Cisco and upgrading with pnupgrade ftp://192.168.1.2/csmars-6.0.6.3368.zip, the upgrade succeeded, and the output leaves one speechless: Cisco updated csmars-6.0.6.3368.zip without saying a word.

Upgrade………………[MARS]
From……………..[6.0.6.3368.34]
To……………….[6.0.6.3368.35]
……
Current Version……….[6.0.6.3368.34]
Package Version……….[6.0.6.3368.35]

Non-disruptive software upgrade on Cisco MDS series switches

Service was not interrupted at all during the whole upgrade; the steps were as follows:

MDS9134# show version
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright (c) 2002-2009, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.

Software
BIOS: version 1.0.15
loader: version N/A
kickstart: version 4.2(1a)
system: version 4.2(1a)
BIOS compile time: 07/16/08
kickstart image file is: bootflash:/m9100-s2ek9-kickstart-mz.4.2.1a.bin
kickstart compile time: 8/10/2009 19:00:00 [09/24/2009 09:51:13]
system image file is: bootflash:/m9100-s2ek9-mz.4.2.1a.bin
system compile time: 8/10/2009 19:00:00 [09/24/2009 11:40:47]

Hardware
cisco MDS UROS 9134 FC (1 Slot) Chassis ("1/2/4 10 Gbps FC/Supervisor-2")
Motorola, e500v2 with 1036308 kB of memory.
Processor Board ID JAF1326AALD

Device name: MDS9134
bootflash: 509544 kB
Kernel uptime is 80 day(s), 19 hour(s), 32 minute(s), 16 second(s)

Last reset
Reason: Unknown
System version: 4.2(1a)
Service:

MDS9134# show install all impact system tftp://192.168.1.2/m9100-s2ek9-mz.4.2.3.bin kickstart tftp://192.168.1.2/m9100-s2ek9-kickstart-mz.4.2.3.bin

Using DHCP Snooping and DAI to prevent ARP attacks and unauthorized static IP addresses

  Use DHCP Snooping to block rogue DHCP servers and obtain the MAC-IP-port binding table, and use DAI to inspect every ARP packet. The Cisco 6500 core needs no special configuration; on the 3560 access switch configure the following:
!
ip dhcp snooping vlan 5-10   //enable DHCP Snooping on VLANs 5-10
no ip dhcp snooping information option
ip dhcp snooping database flash:dhcp-snooping.db   //persist the DHCP Snooping binding table; otherwise it is lost when the switch reboots
ip dhcp snooping   //turn DHCP Snooping on
ip arp inspection vlan 5-10   //enable Dynamic ARP Inspection on VLANs 5-10
ip arp inspection validate src-mac dst-mac ip   //check the ARP packet's source MAC, destination MAC and IP address against the DHCP Snooping binding table
ip arp inspection log-buffer entries 1024   //DAI log buffer
ip arp inspection log-buffer logs 1 interval 60   //emit one DAI log entry per 60s; otherwise DAI logs every invalid ARP it sees and floods syslog. With this setting DAI merges identical entries
!
errdisable recovery cause arp-inspection   //automatically recover ports that arp-inspection put into err-disabled
errdisable recovery interval 60   //recovery delay of 60s
!
interface FastEthernet0/1   //port facing the downstream computer
switchport access vlan 7
switchport mode access
ip arp inspection limit rate 30   //accept at most 30 ARP packets per second; above that the port goes err-disabled (cause arp-inspection). The default of 15pps proved a little low in practice
ip dhcp snooping limit rate 100   //same idea for DHCP packets
!
interface GigabitEthernet0/1   //uplink to the 6500 or cascade port; same configuration
switchport trunk encapsulation dot1q
switchport mode trunk
ip arp inspection trust   //DAI trusts this port and does not inspect its ARP packets
ip dhcp snooping trust   //DHCP Snooping trusts this port and does not inspect its DHCP packets
!
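As an added example that is not part of the original post, this Python model applies the checks the configuration above enables (validate src-mac dst-mac ip, the snooping binding lookup, trusted ports and the per-port rate limit) to ARP packets; the binding table, port names and packets are constructed sample data, and the rate limiter is a simplified per-second counter rather than the switch's burst-interval algorithm.

```python
import ipaddress
from collections import defaultdict

# Constructed DHCP snooping binding table (MAC, IP, VLAN) as the switch would learn it
# from DHCP exchanges; these entries are sample data, not from the original post.
BINDINGS = {("0012.3456.789a", "10.0.7.23", 7), ("0012.3456.789b", "10.0.7.24", 7)}
TRUSTED = {"Gi0/1"}       # ip arp inspection trust (uplink); access ports are untrusted
RATE_LIMIT = 30           # ip arp inspection limit rate 30 (ARP packets per second)

def bad_ip(ip):
    """Addresses rejected by 'validate ip': 0.0.0.0, 255.255.255.255 and multicast."""
    return ip in ("0.0.0.0", "255.255.255.255") or ipaddress.IPv4Address(ip).is_multicast

def inspect_arp(pkt, port):
    """DAI verdict for one ARP packet received on 'port'. pkt keys: op ('request'/'reply'),
    eth_src, eth_dst (Ethernet header), sha, spa, tha, tpa (ARP body), vlan."""
    if port in TRUSTED:
        return "permit", "trusted port"
    # validate src-mac: Ethernet source must equal the ARP sender hardware address
    if pkt["eth_src"] != pkt["sha"]:
        return "deny", "src-mac mismatch"
    # validate dst-mac: in replies, Ethernet destination must equal the ARP target address
    if pkt["op"] == "reply" and pkt["eth_dst"] != pkt["tha"]:
        return "deny", "dst-mac mismatch"
    # validate ip: sender IP is checked always, target IP only in replies
    if bad_ip(pkt["spa"]) or (pkt["op"] == "reply" and bad_ip(pkt["tpa"])):
        return "deny", "invalid ip"
    # binding check: the sender MAC/IP pair must exist in the snooping table for this VLAN
    if (pkt["sha"], pkt["spa"], pkt["vlan"]) not in BINDINGS:
        return "deny", "no DHCP snooping binding"
    return "permit", "binding ok"

class RateLimiter:
    """Per-port ARP rate limit; exceeding it err-disables the port (cause arp-inspection)."""
    def __init__(self, limit=RATE_LIMIT):
        self.limit, self.seen, self.errdisabled = limit, defaultdict(int), set()

    def offer(self, port, second):
        """True if the packet is accepted for inspection, False if the port drops it."""
        if port in TRUSTED:
            return True
        if port in self.errdisabled:       # stays down until errdisable recovery (60s above)
            return False
        self.seen[(port, second)] += 1
        if self.seen[(port, second)] > self.limit:
            self.errdisabled.add(port)
            return False
        return True
```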

The puzzling Cisco IOS Release 12.2(50)SE

  Take "Release Notes for the Catalyst 3750, 3560, and 2960 Switches, Cisco IOS Release 12.2(50)SE" as an example.
  Under "Deciding Which Files to Use" it says "For IPv6 capability on the Catalyst 3750 or 3560 switch or on the Cisco EtherSwitch service modules, you must order the advanced IP services image upgrade from Cisco." and the table that immediately follows lists "c3750-advipservicesk9-tar.122-50.SE.tar" and "c3560-advipservicesk9-tar.122-50.SE.tar". But under "New Software Features", "Catalyst 3750 and 3560 Switches" states "These IPv6 features are now supported in the IP services and IP base software images:" and "The advanced IP services image is now end-of-sale (EOS) and end-of-life (EOL)."
  In Download Software there is no advanced IP services image for 12.2.50-SE(ED) at all. Presumably whoever wrote these Release Notes copied and pasted the Deciding Which Files to Use section out of habit and just replaced the version number.