
"FreeBSD ... Cisco."

2007


Cisco ............................................ 3
CDP ............................................. 13
tftp ............................................ 14
RSH (RCP) ....................................... 15
syslog .......................................... 16
AAA ............................................. 17
SNMP ............................................ 20
802.1q FreeBSD .................................. 24
IDS Snort Cisco ................................. 31
proxy ........................................... 34
ISP ............................................. 37
Kerberos Cisco AAA .............................. 41
Nagios .......................................... 45

Cisco
Boot sequence: POST -> ROMMON -> IOS -> startup-config

2 Cisco Catalyst


COM port from FreeBSD
[gX:~] # cu -l cuad0
~. - disconnect (cu escape sequence)
~# - send BREAK (a break during boot interrupts the IOS load)


Switch>enable
Switch#


Switch#show version

Switch#show interfaces

Switch#show running-config


Switch>enable
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname wg_sw_X
wg_sw_X(config)#end
wg_sw_X#disable
wg_sw_X>


wg_sw_X>?
wg_sw_X>show ?
wg_sw_X>show r?
radius rmon rpms-proc rtr rtsp
wg_sw_X>enable
wg_sw_X#show r?
radius               random-detect-group  rawmsg     region   registry
reload               rhosts               rif        rlm      rmon
route-map            rpms-proc            rtpspi     rtr      rtsp
rudpv1               running-config

wg_sw_X#clock set ?


wg_sw_X#show running-config interface FastEthernet 4/1
Building configuration...
Current configuration : 83 bytes
!
interface FastEthernet4/1
no ip address
shutdown
duplex auto
speed auto
end


wg_sw_X#show running-config

wg_sw_X#show running-config | inc int
interface FastEthernet0/0
interface FastEthernet2/0
interface FastEthernet2/1

VLAN
wg_sw_X#show vlan

wg_sw_X#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
wg_sw_X(config)#interface FastEthernet 0/24

wg_sw_X(config-if)#switchport mode access


wg_sw_X(config-if)#switchport access vlan 1
wg_sw_X(config-if)#interface FastEthernet 0/11
wg_sw_X(config-if)#switchport mode access
wg_sw_X(config-if)#switchport access vlan 2
wg_sw_X(config-if)#end
wg_sw_X#

IP
wg_sw_X#configure terminal
wg_sw_X(config)#interface VLAN1
wg_sw_X(config-if)#ip address 10.X+1.X+1.11 255.255.255.0
wg_sw_X(config-if)#no shutdown
wg_sw_X(config-if)#end
wg_sw_X#

(the management address lives in vlan 1)

tftp on FreeBSD (the stock tftpd writes only into a file that already exists and is writable by its uid, so create the target under the name the device will use first)
[gX:~] # grep tftp /etc/inetd.conf
tftp dgram udp wait root /usr/libexec/tftpd tftpd -l -s /tftpboot
[gX:/tftpboot] # touch wg_sw_X-confg
[gX:/tftpboot] # chown nobody wg_sw_X-confg
wg_sw_X#copy running-config tftp:
Address or name of remote host []?10.X+1.X+1.2
Destination filename [wg_sw_X-confg]?

wg_sw_X#copy running-config startup-config

[gX:/tftpboot] # cat > stop.conf


int f0/24
shut
end
<Ctrl-D>

wg_sw_X#copy tftp: running-config


Address or name of remote host []?10.X+1.X+1.2
Source filename []? stop.conf
Destination filename [running-config]?
Loading stop.conf from 195.19.32.16 (via Vlan1): !
[OK - 19/4096 bytes]
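A tftp dump of running-config carries every credential on the box (enable secret, line passwords, SNMP communities, RADIUS/TACACS+ keys), so dumps that are kept or compared should have those values masked first. The following is an added example and not part of the lab text: it builds two constructed dumps standing in for successive copies of /tftpboot/wg_sw_X-confg, masks the credential values with sed, and diffs the masked copies. The function names redact_ios_config and config_diff and the sample contents are this example's own.

```sh
#!/bin/sh
# Added example, not part of the lab text. Mask credentials in IOS config
# dumps and diff the masked copies, so that config history can be kept
# without keeping the secrets. Function names are this example's own.

# Mask the value of every credential-bearing line but keep the keywords, so a
# later diff still shows that a credential line changed, not what it became.
redact_ios_config() {  # redact_ios_config <config-file>
    sed -E \
        -e 's/^( *enable (secret|password)( [0-9])?) .*/\1 <redacted>/' \
        -e 's/^( *username [^ ]+ .*(secret|password)( [0-9])?) .*/\1 <redacted>/' \
        -e 's/^( *snmp-server community) [^ ]+/\1 <redacted>/' \
        -e 's/^( *(radius|tacacs)-server key( [0-9])?) .*/\1 <redacted>/' \
        -e 's/^( *password( [0-9])?) .*/\1 <redacted>/' \
        "$1"
}

# Unified diff of two masked dumps, ignoring the header lines IOS rewrites on
# every copy. Exit status is diff's: 0 identical, 1 different, 2 error.
config_diff() {  # config_diff <old-dump> <new-dump>
    a=$(mktemp) && b=$(mktemp) || return 2
    redact_ios_config "$1" | grep -Ev '^(Current configuration|! (Last|NVRAM) config)' > "$a"
    redact_ios_config "$2" | grep -Ev '^(Current configuration|! (Last|NVRAM) config)' > "$b"
    diff -u "$a" "$b"
    rc=$?
    rm -f "$a" "$b"
    return $rc
}

# Constructed sample dumps (not real captures). OLD_CFG is what the switch in
# this lab would write; NEW_CFG is the same box after the enable secret was
# rotated and someone added an RW community and turned on rsh.
OLD_CFG=$(mktemp)
NEW_CFG=$(mktemp)
cat > "$OLD_CFG" <<'EOF'
Current configuration : 412 bytes
!
hostname wg_sw_X
!
enable secret cisco
!
username uX password pX
!
snmp-server community public RO
radius-server key testing123
!
line con 0
 password cisco
 login
line vty 0 4
 password cisco
 login
!
end
EOF
sed -e 's/^Current configuration : 412 bytes$/Current configuration : 471 bytes/' \
    -e 's/^enable secret cisco$/enable secret cisco2/' \
    -e 's/^radius-server key testing123$/&\
snmp-server community write RW\
ip rcmd rsh-enable/' "$OLD_CFG" > "$NEW_CFG"

# The rotated secret does not show up (both sides read "<redacted>"); the new
# RW community and rsh do, as "+" lines.
config_diff "$OLD_CFG" "$NEW_CFG" || true
```

The masked copies are what should go into version control or into a nightly diff mail; the raw dump in /tftpboot is readable by anyone who can reach udp/69, so it should be moved out of there as soon as it has been copied.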


wg_sw_X#dir system:

wg_sw_X#dir nvram:

wg_sw_X#dir flash:

wg_sw_X#more system:running-config
wg_sw_X#more nvram:startup-config
wg_sw_X#more flash:config.text
wg_sw_X#more flash:c2950-i6q4l2-mz.121-11.EA1.bin
wg_sw_X#more tftp://10.X+1.X+1.2/stop.conf


enable secret cisco


line con 0
login
password cisco

telnet (the vty password crosses the wire in cleartext: restrict the source addresses with access-class, as in the router section, and prefer "transport input ssh" on images that support it)
line vty 0 4
login
password cisco

3 Cisco Router

Ethernet
interface FastEthernet0/0
desc Connect to Switch
ip address 10.X+1.X+1.3 255.255.255.0
no shutdown
!

Serial
wg_ro_X#show controllers Serial0/0
(tells whether this end of the cable is DCE or DTE: clock rate is configured on the DCE end only)
interface Serial0/0
desc Connect to ISP1
ip address 10.140.X.2 255.255.255.0
clock-rate 64000
no shutdown


ip route 0.0.0.0 0.0.0.0 10.140.X.1


[gX:~] # ls /tftpboot/c2600-js-mz.122-40.bin
wg_ro_X#more tftp://10.X+1.X+1.2/c2600-js-mz.122-40.bin
wg_ro_X#wr t
...
boot system tftp c2600-js-mz.122-40.bin 10.X+1.X+1.2
...
!
interface FastEthernet0/0
ip address 10.X+1.X+1.3 255.255.255.0
speed 100
full-duplex
!
wg_sw_X#wr t
...
!
interface FastEthernet0/2
duplex full
speed 100
spanning-tree portfast
!

ROM
rommon 1 > IP_ADDRESS=10.X+1.X+1.3
rommon 2 > IP_SUBNET_MASK=255.255.255.0
rommon 3 > TFTP_SERVER=10.X+1.X+1.2
rommon 4 > DEFAULT_GATEWAY=10.X+1.X+1.2
rommon 5 > TFTP_FILE=c2600-js-mz.122-40.bin
rommon 6 > set
rommon 7 > tftpdnld
rommon 8 > reset


Password recovery: set the configuration register so that startup-config is ignored at boot (0x2142). Nothing beyond console access and a break during boot is needed, which is why the console port has to be physically protected.

rommon 1 > confreg 0x2142
rommon 2 > boot

telnet
access-list 1 permit 195.19.32.0 0.0.0.127
line vty 0 15
access-class 1 in
end


ip access-list extended ACL_FIREWALL
deny ip 10.X+1.X+1.2 0.0.0.255 any
interface FastEthernet0/0
ip access-group ACL_FIREWALL in
(note: the wildcard 0.0.0.255 makes the entry match the whole 10.X+1.X+1.0/24, not only host .2, and since the list contains no permit it ends in the implicit deny any: every packet entering FastEthernet0/0 is dropped, telnet from the FreeBSD host included)

nat
ip access-list standard ACL_NAT
permit 10.X+1.X+1.0 0.0.0.255
!
ip nat inside source list ACL_NAT interface Serial0/0 overload
interface FastEthernet0/0
ip nat inside
!
interface Serial0/0
ip nat outside
!


cu (tip)
[gX:~] # cu -l cuad0
~. - disconnect
~# - send BREAK

minicom
[gX:~] # pkg_add /usr/ports/packages/All/minicom-2.1.tbz


[gX:~] # minicom -s
Serial port setup
Modem and dialing
Save setup as df
Exit from minicom

[gX:~] # minicom
<Ctrl>-A - minicom command prefix (<Ctrl>-A Z lists the commands, <Ctrl>-A F sends a break)

(xmodem)
cu
[gX:~] # pkg_add /usr/ports/packages/All/lrzsz-0.12.20_1.tbz
[gX:~] # cu -l cuad0
wg_sw_X#copy xmodem: flash:
Destination filename []? test
Begin the Xmodem or Xmodem-1K transfer now...
~CLocal command? lsx .cshrc
Sending .cshrc, 6 blocks: Give your local XMODEM receive command now.
Bytes Sent: 896 BPS:677
Transfer complete
896 bytes copied in 13.453 secs (68 bytes/sec)

minicom
[gX:~] # minicom
wg_sw_X#copy xmodem: flash:
Destination filename []? test
<Ctrl>-A S xmodem

(expect)
[gX:~] # pkg_add /usr/ports/packages/All/expect-5.43.0_1.tbz

The script below assumes this on the device:
!
enable secret cisco
!
line con 0
exec-timeout 0 0
!

[gX:~] # cat ex1.exp
#!/usr/local/bin/expect
# Poke the console line so the device redraws its prompt, then attach with cu
exec /bin/echo > /dev/cuad0
spawn /usr/bin/cu -l /dev/cuad0
send "\n"
# Whatever mode the console was left in, get to privileged exec.
# The enable password is embedded here, so keep this file mode 0700.
expect {
    ">" {
        send "enable\n"
        expect "sword:" { send "cisco\n" }
    }
    -re "config.*" {
        send "end\n"
    }
    "#" {
        send "\n"
    }
}
# Bounce FastEthernet0/1, then drop back to user exec
expect "#" { send "conf term\n" }
expect "(config)#" { send "int f0/1\n" }
expect "(config-if)#" { send "shut\n" }
expect "(config-if)#" { send "no shut\n" }
expect "(config-if)#" { send "end\n" }
expect "#" { send "disable\n" }
send "\n"
send_user "\n"
exit 0
[gX:~] # chmod +x ex1.exp
[gX:~] # ./ex1.exp


[gX:~] # pkg_add /usr/ports/packages/All/conserver-com-8.1.14.tbz
[gX:~] # cat /usr/local/etc/conserver.cf
console router {
master localhost;
rw *;
type device;
device /dev/cuad0; parity none; baud 9600;
idletimeout 1m;
logfile /var/log/router.log;
}
access * {
trusted 127.0.0.1;
}
[gX:~] # mkdir /var/log/consoles/


[gX:~] # /usr/local/etc/rc.d/conserver forcestart


[gX:~] # console router
<Ctrl>-E c . - disconnect (the conserver escape sequence is <Ctrl>-E c, "." ends the session)
[gX:~] # tail -f /var/log/router.log
[gX:~] # tail -f /var/log/conserver


CDP
Listening for CDP (the protocol is unauthenticated and announces the device name, management address, platform and software version to whatever is plugged into the port; on ports facing users it is normally switched off with "no cdp enable")
[gX:~] # pkg_add /usr/ports/packages/All/cdpr-2.2.1.tbz
[gX:~] # rehash
[gX:~] # cdpr
cdpr - Cisco Discovery Protocol Reporter
Version 2.2.1
Copyright (c) 2002-2006 - MonkeyMental.com
1. fxp0 (No description available)
2. lo0 (No description available)
Enter the interface number (1-2):1
Using Device: fxp0
Waiting for CDP advertisement:
(default config is to transmit CDP packets every 60 seconds)
Device ID
value: wg_sw_X
Addresses
value: 10.X+1.X+1.11
Port ID
value: FastEthernet0/24

CDP
[gX:~] # pkg_add /usr/ports/packages/All/cdpd-1.0.2_1.tbz
[gX:~] # /usr/local/etc/rc.d/cdpd.sh start
cdpd (the host now shows up on the switch):
wg_sw_X#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater
Device ID        Local Intrfce    Holdtme    Capability  Platform  Port ID
gX.class         Fas 0/24         163        H           i386      fxp0


tftp
tftp (stock inetd tftpd: no authentication at all, and it only writes into a file that already exists and is writable by its uid)
[gX:~] # grep tftp /etc/inetd.conf
tftp dgram udp wait root /usr/libexec/tftpd tftpd -l -s /tftpboot
[gX:/tftpboot] # touch wg_ro_X-confg
[gX:/tftpboot] # chown nobody wg_ro_X-confg

tftp (utftpd: access control per client; the "default" block below applies to every client, so read/write/create on "/" is as open as the stock daemon, the gain being that access can be narrowed per client)
[gX:~] # pkg_add /usr/ports/packages/All/utftpd-0.2.4_2.tbz
[gX:~] # cd /usr/local/etc/
[gX:/usr/local/etc] # cat utftpd.conf
client default {
uid=nobody;
dir="/tftpboot/";
read="/";
write="/";
create="/";
}
[gX:/usr/local/etc] # rehash
[gX:/usr/local/etc] # utftpd_make utftpd.conf.cdb utftpd.conf.tmp utftpd.conf
[gX:~] # grep tftp /etc/inetd.conf
tftp dgram udp wait root /usr/local/sbin/utftpd utftpd c /usr/local/etc/utftpd.conf.cdb
[gX:~] # chown -R nobody /tftpboot/


RSH (RCP)

wg_sw_X#wr t
...
!
ip rcmd rcp-enable
ip rcmd rsh-enable
ip host gX 10.X+1.X+1.2
ip rcmd remote-host admin gX root enable
!

From FreeBSD (the router grants root@gX privileged exec on the strength of the source address and the username the client sends; nothing is authenticated or encrypted):
[gX:~] # rsh 10.X+1.X+1.11 -l admin "sh run"
[gX:~] # rsh 10.X+1.X+1.11 -l admin "dir flash:"
[gX:~] # cat > conf.txt
int f0/1
shut
end
<Ctrl>-D
[gX:~] # rcp conf.txt admin@10.X+1.X+1.11:running-config
[gX:~] # rsh 10.X+1.X+1.11 -l admin "sh int f0/1"
[gX:~] # rcp admin@10.X+1.X+1.11:startup-config conf.bak
[gX:~] # rcp admin@10.X+1.X+1.11:flash:/c2900XL-c3h2s-mz.120-5.3.WC.1.bin ios.bak
[gX:~] # file ios.bak
ios.bak: MS-DOS executable (EXE)


syslog
FreeBSD (syslogd accepts datagrams only from the network given with -a; syslog over UDP is unauthenticated, so any host on that network can inject lines)
[gX:~] # grep syslog /etc/rc.conf
syslogd_flags="-a 10.X+1.X+1.0/24:*"
[gX:~] # grep local0 /etc/syslog.conf
local0.*                                /var/log/switch.log
[gX:~] # touch /var/log/switch.log
[gX:~] # /etc/rc.d/syslogd restart
[gX:~] # grep switch.log /etc/newsyslog.conf
/var/log/switch.log             644  5     100  *     JC
[gX:~] # tail -f /var/log/switch.log


wg_sw_X#wr t
...
!
logging facility local0
logging 10.X+1.X+1.2
!
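Once the switch and router log to /var/log/switch.log, that file is where configuration changes, SNMP authentication failures and ACL hits can be caught. The following is an added example, not part of the lab text: it parses constructed log lines laid out the way FreeBSD syslogd writes IOS messages (date, sending host, IOS sequence and uptime stamps, then %FACILITY-SEVERITY-MNEMONIC: text), selects messages by severity, and pulls the CONFIG_I audit trail. The function names cisco_syslog_alerts, cisco_syslog_count and cisco_config_changes and the sample lines are this example's own.

```sh
#!/bin/sh
# Added example, not part of the lab text: detection over the remote syslog
# that "logging 10.X+1.X+1.2" / "logging facility local0" deliver to
# /var/log/switch.log. The sample lines below are constructed, not captured.

LOG=$(mktemp)
cat > "$LOG" <<'EOF'
May  2 11:32:01 10.X+1.X+1.11 27: 1w1d: %LINK-3-UPDOWN: Interface FastEthernet0/11, changed state to down
May  2 11:32:02 10.X+1.X+1.11 28: 1w1d: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/11, changed state to down
May  2 11:32:40 10.X+1.X+1.11 29: 1w1d: %SYS-5-CONFIG_I: Configured from console by uX on vty0 (10.X+1.X+1.2)
May  2 11:33:10 10.X+1.X+1.3 104: 1w1d: %SEC-6-IPACCESSLOGP: list ACL_FIREWALL denied tcp 10.X+1.X+1.50(4412) -> 10.140.X.1(23), 1 packet
May  2 11:33:55 10.X+1.X+1.11 30: 1w1d: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.X+1.X+1.50
May  2 11:34:12 10.X+1.X+1.11 31: 1w1d: %LINK-3-UPDOWN: Interface FastEthernet0/11, changed state to up
EOF

# Print every IOS message whose severity is at most <max_severity>
# (IOS severities run 0=emergencies .. 7=debugging, so 3 means errors and
# worse). Output: severity, FACILITY-MNEMONIC, sending host, message text.
cisco_syslog_alerts() {  # cisco_syslog_alerts <logfile> <max_severity>
    awk -v max="$2" '
        match($0, /%[A-Z0-9_]+-[0-7]-[A-Z0-9_]+:/) {
            tag = substr($0, RSTART + 1, RLENGTH - 2)      # FACILITY-SEV-MNEMONIC
            split(tag, p, "-")
            if (p[2] + 0 <= max + 0)
                printf "sev=%s %s-%s host=%s %s\n", p[2], p[1], p[3], $4,
                       substr($0, RSTART + RLENGTH + 1)
        }' "$1"
}

# Number of such messages, as a bare integer.
cisco_syslog_count() {  # cisco_syslog_count <logfile> <max_severity>
    cisco_syslog_alerts "$1" "$2" | wc -l | tr -d ' '
}

# Who changed a configuration and from where: CONFIG_I carries the AAA user
# name and the line, so an empty user or an unexpected source address stands out.
cisco_config_changes() {  # cisco_config_changes <logfile>
    sed -n 's/.*%SYS-5-CONFIG_I: Configured from //p' "$1"
}

cisco_syslog_alerts "$LOG" 3
cisco_config_changes "$LOG"
```

Run against the real file as `cisco_syslog_alerts /var/log/switch.log 3` from cron, or pipe `tail -f` through the same awk; because the transport is unauthenticated UDP, treat a burst of unexpected CONFIG_I or AUTHFAIL lines as a prompt to check the device itself, not as proof by itself.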


AAA

wg_ro_X#wr t
...
!
aaa new-model
aaa authentication login CONSOLE none
aaa authorization exec CONSOLE none
enable secret cisco
!
line con 0
login authentication CONSOLE
authorization exec CONSOLE
!


wg_ro_X#wr t
...
!
aaa authentication login default local
username uX password pX
!

FreeBSD
[gX:~] # telnet 10.X+1.X+1.3


wg_ro_X#wr t
...
!
aaa authorization exec default local
username uX privilege 15
!

FreeBSD
[gX:~] # telnet 10.X+1.X+1.3

RADIUS
FreeBSD
[gX:~] # pkg_add /usr/ports/packages/All/freeradius-1.1.2_1.tbz
[gX:~] # cd /usr/local/etc/raddb/
[gX:local/etc/raddb] # sh
# for i in *.sample; do cp $i ${i%.sample}; done
<Ctrl>-D
[gX:~] # cat > /usr/local/etc/raddb/clients.conf
client 10.X+1.X+1.3 {
secret = testing123
shortname = wg_ro_X
}

<Ctrl>-D
[gX:~] # cat > /usr/local/etc/raddb/users
uX      Auth-Type = Local, User-Password == "radX"
adminX  Auth-Type = Local, User-Password == "radadminX"
<Ctrl>-D
[gX:~] # rehash
[gX:~] # radiusd -xxyz


no username uX
username uX
username adminX privilege 15
radius-server host 10.X+1.X+1.2 auth-port 1812
radius-server key testing123
aaa authentication login default group radius enable
aaa authorization exec default local none
(the trailing "enable" in the authentication list is consulted only when no RADIUS server answers, a RADIUS reject is final; in the authorization list "none" after "local" means that a user without a local entry still gets an exec shell, so the local entries above only serve to raise adminX to privilege 15)

TACACS+
FreeBSD
[gX:~] # pkg_add /usr/ports/packages/All/tac_plus-F4.0.4.8.tbz
[gX:~] # cat /usr/local/etc/tac_plus.conf
key = tackey123
user = uX {
login = cleartext "tacX"
}
user = adminX {
login = cleartext "tacadminX"
}


tacacs-server host 10.X+1.X+1.2
tacacs-server key tackey123
aaa authentication login default group tacacs+ enable

TACACS+
FreeBSD
[gX:~] # cat /usr/local/etc/tac_plus.conf
key = tackey123
user = uX {
    login = cleartext "tacX"
    service = exec {
    }
}
user = adminX {
    login = cleartext "tacadminX"
    service = exec {
        priv-lvl = 15
    }
}
[gX:~] # /usr/local/etc/rc.d/tac_plus.sh forcestart


no username uX
no username adminX privilege 15
aaa authorization exec default group tacacs+ none


SNMP
Cisco OIDs: http://www.cisco.com -> Products & Services -> Technical Support & Documentation -> Tools & Resource -> All Tools -> SNMP Object Navigator

net-snmp
[gX:~] # pkg_add /usr/ports/packages/All/net-snmp-5.2.3_3.tbz
[gX:~] # snmptranslate -Tp | more


snmp-server community public RO

OID
[gX:~] # snmpwalk -On -c public -v2c 10.X+1.X+1.11

:
[gX:~] # snmpget -c public -v2c 10.X+1.X+1.11 1.3.6.1.2.1.1.5.0
SNMPv2-MIB::sysName.0 = STRING: wg_sw_X
[gX:~] # snmpget -c public -v2c 10.X+1.X+1.11 sysName.0
SNMPv2-MIB::sysName.0 = STRING: wg_sw_X
[gX:~] # snmpwalk -c public -v2c 10.X+1.X+1.11 sysName
SNMPv2-MIB::sysName.0 = STRING: wg_sw_X

CPU load (search for "busy" in the SNMP Object Navigator: .1.3.6.1.4.1.9.2.1.56 is avgBusy1 in OLD-CISCO-CPU-MIB, the one-minute average)


[gX:~] # snmpget -c public -v2c 10.X+1.X+1.11 .1.3.6.1.4.1.9.2.1.56.0
SNMPv2-SMI::enterprises.9.2.1.56.0 = INTEGER: 32


[gX:~] # snmpwalk -c public -v2c 10.X+1.X+1.11 ifDescr
...


[gX:~] # snmpget -c public -v2c 10.X+1.X+1.11 ifInOctets.25
IF-MIB::ifInOctets.25 = Counter32: 96612493


snmp-server community write RW

Loading a configuration via tftp using SNMP write access (whoever holds the RW community can do this from anywhere the device accepts SNMP, and with v2c the community is sent in cleartext)
[gX:~] # cat > /tftpboot/shut23.conf
interface FastEthernet0/23
shut
end
<Ctrl>-D
[gX:~] # snmpset -c write -v2c 10.X+1.X+1.11 \
.1.3.6.1.4.1.9.2.1.53.10.X+1.X+1.2 string "shut23.conf"

The .10.X+1.X+1.2 suffix of the OID (writeNet in OLD-CISCO-SYS-MIB) is the tftp server address; the string is the file to merge into running-config
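With the community "write" the device is fully controllable over SNMPv2c, and the same goes for the other conveniences this workbook turns on (rsh/rcp, telnet vty lines without an access-class, "enable password", cleartext line passwords). The following added example, not part of the lab text, audits a saved configuration for them: it runs over a constructed dump built from the lab's own settings and over a hardened variant of the same box. The function audit_ios_config, the finding texts and both sample configurations are this example's own.

```sh
#!/bin/sh
# Added example, not part of the lab text: audit an IOS config dump (for
# instance the tftp copy of running-config) for settings that hand control of
# the device to anyone on the segment. Sample configs below are constructed.

SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
!
hostname wg_ro_X
!
enable password cisco
!
username uX password 0 pX
!
ip rcmd rcp-enable
ip rcmd rsh-enable
ip rcmd remote-host admin gX root enable
!
snmp-server community public RO
snmp-server community write RW
!
line con 0
 password cisco
 login
line vty 0 4
 login
 password cisco
!
end
EOF

# The same box with each finding addressed (hash values are placeholders).
HARDENED_CFG=$(mktemp)
cat > "$HARDENED_CFG" <<'EOF'
!
hostname wg_ro_X
!
service password-encryption
enable secret 5 $1$salt$placeholderhashvalue000000
!
username uX secret 5 $1$salt$placeholderhashvalue000000
!
access-list 1 permit 195.19.32.0 0.0.0.127
snmp-server community Kq7vR2xP RO
!
line con 0
 password 7 0822455D0A16
 login
line vty 0 4
 access-class 1 in
 login local
!
end
EOF

# One FINDING line per problem on stdout; the return value is the number of
# findings (0 = nothing found).
audit_ios_config() {  # audit_ios_config <config-file>
    cfg="$1"
    n=0
    chk() {  # chk <ERE> <finding text>
        if grep -Eq "$1" "$cfg"; then
            echo "FINDING: $2"
            n=$((n + 1))
        fi
    }
    chk '^snmp-server community [^ ]+ RW' \
        'RW SNMP community: writeNet (.1.3.6.1.4.1.9.2.1.53.<tftp-ip>) loads any tftp file into running-config'
    chk '^snmp-server community (public|private|write) ' \
        'guessable SNMP community name'
    chk '^ip rcmd (rsh|rcp)-enable' \
        'rsh/rcp enabled: trust rests on source address and client-supplied username'
    chk '^enable password ' \
        '"enable password" instead of "enable secret" (reversible or cleartext)'
    grep -q '^service password-encryption' "$cfg" ||
        { echo 'FINDING: line and username passwords stored in cleartext'; n=$((n + 1)); }
    # vty block without an access-class: telnet from anywhere that can reach
    # the box. Lines of a "line vty" block are indented; the block ends at the
    # next unindented line.
    if awk '/^line vty/ { invty = 1; acl = 0; next }
            invty && /^[ \t]/ { if ($0 ~ /access-class/) acl = 1; next }
            invty { if (!acl) bad = 1; invty = 0 }
            END { if (invty && !acl) bad = 1; exit (bad ? 0 : 1) }' "$cfg"; then
        echo 'FINDING: vty lines without access-class'
        n=$((n + 1))
    fi
    [ "$n" -gt 255 ] && n=255
    return "$n"
}

audit_ios_config "$SAMPLE_CFG" || echo "findings: $?"
audit_ios_config "$HARDENED_CFG" && echo "hardened config: no findings"
```

The audit reads a text dump, so it can run on the tftp copies without touching the device; the exit status makes it usable from cron or from a pre-commit hook on a config repository.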

(trap)
On the switch:
snmp-server enable traps snmp linkdown linkup
snmp-server host 10.X+1.X+1.2 public

Receiving traps (man snmptrapd)


[gX:~] # snmptrapd -f -Le -F "%02.2h:%02.2j %l.%m.%y %v\n"
...
11:32 28.4.2007 IF-MIB::ifIndex.12 = INTEGER: 12
IF-MIB::ifDescr.12 = STRING: FastEthernet0/11
IF-MIB::ifType.12 = INTEGER: ethernetCsmacd(6) SNMPv2-SMI::enterprises.9.2.2.1.1.20.12 = STRING:
"administratively down"
11:32 28.4.2007
...
<Ctrl>-C

snmptrapd
[gX:~] # tty
/dev/ttyp1
[g13:~] # cat > /usr/local/etc/snmp/snmptrapd.conf
traphandle default cat > /dev/ttyp1
<Ctrl>-D

(or /dev/console)
[g13:~] # /usr/local/etc/rc.d/snmptrapd forcerestart

RMON traps
- alarm on the traffic of f0/2
[gX:~] # snmptranslate .1.3.6.1.2.1.2.2.1.10
IF-MIB::ifInOctets
[gX:~] # snmptranslate .1.3.6.1.2.1.2.2.1
IF-MIB::ifEntry
[gX:~] # snmpwalk -c public -v2c 10.X+1.X+1.11 ifDescr | \
grep 'FastEthernet0/2$'
IF-MIB::ifDescr.3 = STRING: FastEthernet0/2


rmon event 1 log trap public description "Change bandwidth"
rmon alarm 1 ifEntry.10.3 10 delta rising-threshold 10000 1 falling-threshold 10000 1

event - what happens when the alarm fires: log it and send a trap with community public
alarm - what is watched: ifEntry.10.3 (that is ifInOctets.3, the input byte counter of f0/2), sampled every 10 seconds as a delta; event 1 fires when the delta crosses 10000 going up and again when it crosses 10000 going down

Generate traffic:
[gX:~] # ping -f 10.X+1.X+1.3

Watch the trap being sent (debug):
wg_sw_X#debug snmp packets
1w1d: SNMP: Packet sent via UDP to 10.X+1.X+1.2
1w1d: SNMP: Queuing packet to 10.X+1.X+1.2
1w1d: SNMP: V1 Trap, ent rmon, addr 10.X+1.X+1.11, gentrap 6, spectrap 2
alarmEntry.1.1 = 1
alarmEntry.3.1 = ifEntry.10.3
alarmEntry.4.1 = 2
alarmEntry.5.1 = 64
alarmEntry.8.1 = 10000
1w1d: SNMP: Packet sent via UDP to 10.X+1.X+1.2

CPU load alarm on the router:
!
rmon event 4 log trap public description "Cpu high load" owner config
rmon alarm 8 1.3.6.1.4.1.9.2.1.56.0 10 absolute rising-threshold 8 4 falling-threshold 6 4
!

Multi Router Traffic Grapher (MRTG)


FreeBSD
[gX:~] # pkg_add /usr/ports/packages/All/mrtg-2.14.5,1.tbz
[gX:~] # cfgmaker public@10.X+1.X+1.11 | more
[gX:~] # cat /usr/local/etc/mrtg/mrtg.cfg
WorkDir: /usr/local/www/data/mrtg
Target[10.X+1.X+1.11_3]: 3:public@10.X+1.X+1.11:
SetEnv[10.X+1.X+1.11_3]: MRTG_INT_IP="" MRTG_INT_DESCR="FastEthernet0/2"
MaxBytes[10.X+1.X+1.11_3]: 12500000
Title[10.X+1.X+1.11_3]: Traffic Analysis for 3 -- wg_sw_X
PageTop[10.X+1.X+1.11_3]: <h1>Traffic Analysis for 3 -- wg_sw_X</h1>
<div id="sysdetails">
<table>
<tr>
<td>System:</td>
<td>wg_sw_X in </td>
</tr>

<tr>
<td>Max Speed:</td>
<td>12.5 MBytes/s</td>
</tr>
</table>
</div>



Target[10.X+1.X+1.3.cpu_load]: 1.3.6.1.4.1.9.2.1.56.0&1.3.6.1.4.1.9.2.1.57.0:public@10.X+1.X+1.3:
MaxBytes[10.X+1.X+1.3.cpu_load]: 100
Title[10.X+1.X+1.3.cpu_load]: wg_ro_X (wg_ro_X): CPU
Options[10.X+1.X+1.3.cpu_load]: gauge, nopercent
PageTop[10.X+1.X+1.3.cpu_load]: <H1>Analysis for Core (RSFC) router CPU load
</H1>
<TABLE>
<TR><TD>System:</TD><TD>wg_ro_X in AIS lab., BMSTU</TD></TR>
<TR><TD>Maintainer:</TD><TD>root@dX.class</TD></TR>
<TR><TD>Interface:</TD><TD>CPU</TD></TR>
<TR><TD>IP:</TD><TD>wg_ro_X (10.X+1.X+1.3)</TD></TR>
<TR><TD>Max load:</TD>
<TD>100%</TD></TR>
</TABLE>


[gX:~] # crontab -l
*/10 * * * * /usr/local/bin/mrtg /usr/local/etc/mrtg/mrtg.cfg 2>&1
[gX:~] # opera http://localhost/mrtg/


802.1q FreeBSD

!
interface FastEthernet0/11
switchport access vlan 2
switchport mode access
!
...
!
interface FastEthernet0/24
switchport trunk encapsulation dot1q
switchport mode trunk
!
(the trunk towards the FreeBSD host carries every VLAN, and untagged frames on it land in native VLAN 1, the management VLAN; outside the lab limit it with "switchport trunk allowed vlan" and move the native VLAN off 1)

FreeBSD
[gX:~] # ifconfig vlan2 create
[gX:~] # ifconfig vlan2 inet 10.1.1.X+1/24 vlan 2 vlandev fxp0
[gX:~] # ping 10.1.1.1
...
[gX:~] # route -n flush
[gX:~] # route add default 10.1.1.1
[gX:~] # ping www.ru

Persistent configuration:
[gX:~] # cat /etc/rc.conf
...
cloned_interfaces="vlan2"
ifconfig_vlan2="inet 10.1.1.X+1/24 vlan 2 vlandev fxp0"
...

Revert:
wg_sw_X#conf t
wg_sw_X(config)#int f0/11
wg_sw_X(config-if)#shutdown
wg_sw_X(config)#int f0/24
wg_sw_X(config-if)#switchport mode access
[gX:~] # ifconfig vlan2 destroy
[gX:~] # route add default 10.X+1.X+1.3
add net default: gateway 10.X+1.X+1.3





access-list 50 permit 10.X+1.X+1.0 0.0.0.255
access-list 50 permit 192.168.X.0 0.0.0.255
!
ip nat inside source list 50 interface Serial0/0 overload
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
interface Serial0/0
ip address 10.140.X.2 255.255.255.0
ip nat outside
!
interface FastEthernet0/0
ip address 10.X+1.X+1.3 255.255.255.0
ip nat inside
!



ip route 192.168.X.0 255.255.255.0 10.X+1.X+1.2

[cX:~] # ping www.ru


...

RIP

no ip route 192.168.X.0 255.255.255.0 10.X+1.X+1.2
router rip
network 10.0.0.0
!

FreeBSD
[gX:~] # cat >> /etc/rc.conf
router_flags="-s"
<Ctrl>-D
[gX:~] # /etc/rc.d/routed forcestart
Starting routed.

wg_ro_X#sh ip route
...
R 192.168.X.0/24 [120/1] via 10.X+1.X+1.1, 00:00:25, FastEthernet0/0
...
[cX:~] # ping www.ru
...


OSPF

no router rip
router ospf 100
network 10.X+1.X+1.0 0.0.0.255 area 0
default-information originate

FreeBSD
[gX:~] # /etc/rc.d/routed forcestop
[gX:~] # pkg_add /usr/ports/packages/All/quagga-0.99.4_2.tbz
[gX:~] # cat >> /usr/local/etc/quagga/zebra.conf
hostname gX
password zebra
enable password zebra
<Ctrl>-D
[gX:~] # cat >> /usr/local/etc/quagga/ospfd.conf
hostname gX_ospfd
password zebra
enable password zebra
<Ctrl>-D
[gX:~] # cat >> /etc/rc.conf
quagga_enable="YES"
quagga_daemons="zebra ospfd"
<Ctrl>-D
[gX:~] # route -n flush
[gX:~] # /usr/local/etc/rc.d/quagga start
Starting quagga.
Starting quagga.
[gX:~] # telnet localhost 2604
...
router ospf
redistribute connected
network 10.X+1.X+1.0/24 area 0
(the area must be the one the router uses, "network ... area 0" above; with a different area no adjacency forms)

[gX:~] # netstat -rn | grep default
default            10.X+1.X+1.3       UG1         1    fxp0

wg_ro_X#show ip route
...
O E2 192.168.X.0/24 [110/20] via 10.X+1.X+1.2, 00:03:01, FastEthernet0/0
...
[cX:~] # ping www.ru
...



NetFlow
On the router:
ip flow-export version 5
ip flow-export destination 10.X+1.X+1.2 4444
interface FastEthernet0/0
ip route-cache flow
interface Serial0/0
ip route-cache flow
[gX:~] # tcpdump -ni fxp0 "port 4444"

FreeBSD NetFlow collector (ehnt)


[gX:~] # pkg_add /usr/ports/packages/All/ehnt-0.3_8.tbz
[gX:~] # /usr/local/etc/rc.d/ehntserv.sh.sample start
[gX:~] # rehash
[gX:~] # ehnt
Using report interval of 60 minute(s)
flow #1 received from router 10.X+1.X+1.3, IP protocol 1
input ifIndex: 2
source IP address: 194.87.0.50
source port: 0
source AS: <unknown>(0)
output ifIndex: 0
dest IP address: 10.140.X.2
dest port: 0
dest AS: <unknown>(0)
bytes in flow: 1K
packets in flow: 20
...
[gX:~] # /usr/local/etc/rc.d/ehntserv.sh.sample stop

NetFlow (flow-tools)
[gX:~] # pkg_add /usr/ports/packages/All/flow-tools-0.68_1.tbz
[gX:~] # rehash
[gX:~] # mkdir /var/db/netflow
[gX:~] # flow-capture -w /var/db/netflow/ 0/0/4444
[gX:~] # ls /var/db/netflow/2007/2007-05/2007-05-02/
[gX:~] # flow-cat /var/db/netflow/ | flow-print
[gX:~] # flow-cat -t "5/2/2007 00:00:00" -T "5/2/2007 23:59:59" \
/var/db/netflow/ | flow-print



SPAN
On the switch:
interface FastEthernet0/24
port monitor FastEthernet0/2
!

FreeBSD
[gX:~] # tcpdump -i fxp0 "icmp"
wg_sw_X#ping 10.X+1.X+1.3

SPAN (trafd)
[gX:~] # pkg_add /usr/ports/packages/All/trafd-3.0.1_2.tbz
[gX:~] # cat >> /etc/rc.conf
trafd_enable="YES"
trafd_ifaces="fxp0"
<Ctrl>-D
[gX:~] # /usr/local/etc/rc.d/trafd.sh.sample start

Generate some traffic (not only icmp):
wg_sw_X#telnet 10.X+1.X+1.3
[gX:~] # rehash
[gX:~] # mkdir /var/db/trafd


[gX:~] # trafdump fxp0
[gX:~] # ls -l /var/tmp/trafd.fxp0
-rw-r--r-- 1 root wheel 2096028 May 2 08:33 /var/tmp/trafd.fxp0


[gX:~] # trafsave fxp0
[gX:~] # ls -l /usr/local/var/trafd/trafd.fxp0
-rw-r--r-- 1 root wheel 100 May 2 09:27 /usr/local/var/trafd/trafd.fxp0

trafsave
[gX:~] # cp /usr/local/var/trafd/trafd.fxp0 \
/var/db/trafd/`date -v-1d '+%Y%m%d'`

View:
[gX:~] # traflog -ni fxp0
(fxp0) gX at May 2 11:45:51 - May 2 11:47:58
Summary: 2579 data bytes, 7227 all bytes, 2 records
From             Port     To               Port     Proto   Data   All
10.X+1.X+1.3     23       10.X+1.X+1.11    client   tcp     2507   4511
10.X+1.X+1.11    client   10.X+1.X+1.3     23       tcp     72     2716
[gX:~] # traflog -ni /var/db/trafd/20070501
(fxp0) gX at May 2 11:45:51 - May 2 11:47:58
Summary: 2579 data bytes, 7227 all bytes, 2 records
From             Port     To               Port     Proto   Data   All
10.X+1.X+1.3     23       10.X+1.X+1.11    client   tcp     2507   4511
10.X+1.X+1.11    client   10.X+1.X+1.3     23       tcp     72     2716


IDS Snort Cisco


On the router:
! snortsam, kerberos
no boot system tftp c2600-js-mz.122-40.bin 10.X+1.X+1.2
reload
!
aaa authentication login default local
username uX password 0 pX
! the ACL that snortsam will manage (it inserts its deny entries between the marker lines shown in the template below)
ip access-list extended ACL_SNORTSAM
permit ip any any
int fastEthernet 0/0
ip access-group ACL_SNORTSAM in

Snort
[gX:~] # pkg_add /usr/ports/packages/All/pcre.tbz
[gX:~] # cd /usr/local/src/
[gX:/usr/local/src] # tar -xf snort-2.4.3.tar.gz
[gX:/usr/local/src] # cd snort-2.4.3
[gX:local/src/snort-2.4.3] # ./configure --prefix=/usr/local/snort/
[gX:local/src/snort-2.4.3] # make && make install
[gX:local/src/snort-2.4.3] # cp -R etc/ /usr/local/snort/etc/
[gX:local/src/snort-2.4.3] # cd /usr/local/snort/
[gX:/usr/local/snort] # tar -xf \
/usr/ports/packages/All/snortrules-snapshot-CURRENT.tar.gz
[gX:/usr/local/snort] # mkdir /var/log/snort
[gX:~] # /usr/local/snort/bin/snort -D \
-c /usr/local/snort/etc/snort.conf -i fxp0
[gX:~] # tail -f /var/log/snort/alert
[cX:~] # fetch http://www2.bmstu.ru/root.exe
[gX:~] # killall snort

Snortsam
[gX:~] # cd /usr/local/snort/bin/
[gX:local/snort/bin] # mv snort snort_
[gX:local/snort/bin] # tar -xf /usr/local/src/snort-2.4-sam.tar.gz
[gX:local/snort/bin] # tar -xf /usr/local/src/snortsam-fwsam-2.50.tar.gz

ACL template that snortsam pushes to the router (fetched via tftp)
[gX:~] # cat > /tftpboot/snortsam.acl
conf t
interface FastEthernet0/0
no ip access-group ACL_SNORTSAM in
exit
no ip access-list extended ACL_SNORTSAM
ip access-list extended ACL_SNORTSAM
snortsam-ciscoacl-begin
snortsam-ciscoacl-end
permit ip any any
exit
interface FastEthernet0/0
ip access-group ACL_SNORTSAM in
end
<Ctrl>-D

snortsam
[gX:~] # cat > /usr/local/snort/etc/snortsam.conf
nothreads
accept 127.0.0.1
defaultkey secret
ciscoacl 10.X+1.X+1.3 uX/pX cisco /tftpboot/snortsam.acl
logfile /var/log/snortsam.log
<Ctrl>-D
[gX:~] # /usr/local/snort/bin/snortsam /usr/local/snort/etc/snortsam.conf &
[gX:~] # tail -f /var/log/snortsam.log

Snort Snortsam
[gX:~] # rcsdiff /usr/local/snort/etc/snort.conf
623c623,624
<
---
> output alert_fwsam: 127.0.0.1:898/secret
> output alert_fast: alert
[gX:~] # grep 1256 /usr/local/snort/etc/web-iis.rules
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; classtype:web-application-attack; reference:url,www.cert.org/advisories/CA-2001-19.html; sid:1256; rev:7;)
[gX:~] # grep web-application-attack /usr/local/snort/etc/classification.config
config classification: web-application-attack,Web Application Attack,1
[gX:~] # cat >> /usr/local/snort/etc/sid-block.map
1256: src, 2 min
<Ctrl>-D
[gX:~] # /usr/local/snort/bin/snort -D \
-c /usr/local/snort/etc/snort.conf -i fxp0

Test:
[cX:~] # fetch http://www2.bmstu.ru/root.exe


proxy
FreeBSD
[gX:~] # pkg_add /usr/ports/packages/All/squid-2.5.14_2.tbz
[gX:local/etc/squid] # diff squid.conf.default squid.conf
1887,1888c1888,1892
< #acl our_networks src 192.168.1.0/24 192.168.2.0/24
< #http_access allow our_networks
---
> acl our_networks src 192.168.X.0/24 127.0.0.1
> http_access allow our_networks
2231,2232c2235,2236
> httpd_accel_host virtual
2260c2264
< # httpd_accel_with_proxy off
---
> httpd_accel_with_proxy on
2280c2284
< # httpd_accel_uses_host_header off
---
> httpd_accel_uses_host_header on
[gX:~] # /usr/local/etc/rc.d/squid forcestart

policy routing


ip access-list extended ACL_REDIRECT_HTTP
permit tcp 192.168.X.0 0.0.0.255 any eq www
route-map RM_REDIRECT_HTTP permit 10
match ip address ACL_REDIRECT_HTTP
set ip next-hop 10.X+1.X+1.2
interface FastEthernet0/0
ip policy route-map RM_REDIRECT_HTTP

FreeBSD
[gX:~] # cat /etc/pf.conf
rdr on fxp0 proto tcp from 192.168.X/24 to any port 80 -> 127.0.0.1 port 3128

Test:
[cX:~] # lynx http://www.ru
[gX:~] # tail -f /usr/local/squid/logs/access.log


wccp

ip wccp version 1
ip wccp web-cache redirect-list ACL_REDIRECT_HTTP
interface FastEthernet0/0
no ip policy route-map RM_REDIRECT_HTTP
ip wccp web-cache redirect in

Check on the router:
wg_ro_X#show ip wccp web-cache view
WCCP Routers Informed of:
-none-
WCCP Cache Engines Visible:
10.X+1.X+1.2
WCCP Cache Engines NOT Visible:
-none-

FreeBSD


[gX:~] # ifconfig gre0 create
[gX:~] # ifconfig gre0 link1 tunnel 10.X+1.X+1.2 10.140.X.2 up

[gX:~] # cat /etc/rc.conf

cloned_interfaces="gre0"
ifconfig_gre0="ifconfig gre0 link1 tunnel 10.X+1.X+1.2 10.140.X.2 up"
link1 - gre(4) interface flag (see man 4 gre)
The router sources the GRE-encapsulated redirects from its WCCP router ID, 10.140.X.2, not from 10.X+1.X+1.3, hence the tunnel endpoint above; to see them:
[gX:~] # tcpdump -ni fxp0 "proto gre"


[gX:local/etc/squid] # diff squid.conf.default squid.conf
...
2901c2905
< # wccp_router 0.0.0.0
---
> wccp_router 10.X+1.X+1.3

pf
[gX:~] # cat /etc/pf.conf
rdr on gre0 proto tcp from 192.168.X/24 to any port 80 -> 127.0.0.1 port 3128

[gX:~] # pfctl -vs nat


rdr on gre0 inet proto tcp from 192.168.X.0/24 to any port = http -> 127.0.0.1 port 3128
[ Evaluations: 134
Packets: 28
Bytes: 10429
States: 2
]

Test:
[cX:~] # lynx http://www.ru
[gX:~] # tail -f /usr/local/squid/logs/access.log


ISP

On the switch:

interface FastEthernet0/24
no port monitor FastEthernet0/2
interface FastEthernet0/2
switchport mode trunk
switchport trunk encapsulation dot1q
interface FastEthernet0/11
switchport access vlan 2
no shutdown


interface FastEthernet0/0
no ip wccp web-cache redirect in
interface FastEthernet0/0.2
description connect to ISP2
encapsulation dot1Q 2
ip address 10.1.1.X+1 255.255.255.0
ip nat outside
no shut
no ip nat inside source list 50 interface Serial0/0 overload
no access-list 50
no ip route 0.0.0.0 0.0.0.0 Serial0/0
no router ospf 100
ip route 192.168.X.0 255.255.255.0 10.X+1.X+1.2
snmp-server community write RW

Check:
wg_ro_X#ping 10.1.1.1
wg_ro_X#ping 10.140.X.1
wg_ro_X#ping 192.168.X.10

FreeBSD
[gX:~] # /usr/local/etc/rc.d/quagga stop
[gX:~] # route add default 10.X+1.X+1.3

ISP

ip nat inside source list ACL_REDIRECT_ISP1 interface Serial0/0 overload


ip nat inside source list ACL_REDIRECT_ISP2 interface FastEthernet0/0.2 overload
ip access-list standard ACL_REDIRECT_ISP1
permit 10.X+1.X+1.0 0.0.0.255
ip access-list standard ACL_REDIRECT_ISP2
permit 192.168.X.0 0.0.0.255
interface FastEthernet0/0
ip policy route-map RM_REDIRECT_ISP
route-map RM_REDIRECT_ISP permit 10
match ip address ACL_REDIRECT_ISP1
set ip next-hop 10.140.X.1
!
route-map RM_REDIRECT_ISP permit 20
match ip address ACL_REDIRECT_ISP2
set ip next-hop 10.1.1.1

Check:
[gX:~] # ping www.ru
[cX:~] # ping www.ru
wg_ro_X#sh ip nat translations
Pro  Inside global        Inside local           Outside local         Outside global
icmp 10.1.1.14:14912      192.168.X.10:14912     194.87.0.50:14912     194.87.0.50:14912
icmp 10.140.X.2:50828     10.X+1.X+1.2:50828     194.87.0.50:50828     194.87.0.50:50828

ISP1:
[gX:~] # cat > /tftpboot/isp1.cfg
no ip access-list standard ACL_REDIRECT_ISP1
no ip access-list standard ACL_REDIRECT_ISP2
ip access-list standard ACL_REDIRECT_ISP1
permit 10.X+1.X+1.0 0.0.0.255
permit 192.168.X.0 0.0.0.255
ip access-list standard ACL_REDIRECT_ISP2
deny any
end
<Ctrl>-D

ISP2:
[gX:~] # cat > /tftpboot/isp2.cfg
no ip access-list standard ACL_REDIRECT_ISP1
no ip access-list standard ACL_REDIRECT_ISP2
ip access-list standard ACL_REDIRECT_ISP1
deny any
ip access-list standard ACL_REDIRECT_ISP2
permit 10.X+1.X+1.0 0.0.0.255
permit 192.168.X.0 0.0.0.255
end
<Ctrl>-D


ISP:
[gX:~] # cat > /tftpboot/isp1_isp2.cfg
no ip access-list standard ACL_REDIRECT_ISP1
no ip access-list standard ACL_REDIRECT_ISP2
ip access-list standard ACL_REDIRECT_ISP1
permit 10.X+1.X+1.0 0.0.0.255
ip access-list standard ACL_REDIRECT_ISP2
permit 192.168.X.0 0.0.0.255
end

Test (force the switch-over to ISP1 by hand):
[cX:~] # ping www.ru
wg_ro_X#conf t
wg_ro_X(config)#interface FastEthernet 0/0.2
wg_ro_X(config-subif)#shutdown
wg_ro_X#copy tftp://10.X+1.X+1.2/isp1.cfg running-config

ip access-list extended ACL_NET_ISP1
permit ip any 10.140.X.0 0.0.0.255
ip access-list extended ACL_NET_ISP2
permit ip any 10.1.1.0 0.0.0.255
ip nat inside source list ACL_NET_ISP1 interface Serial0/0 overload
ip nat inside source list ACL_NET_ISP2 interface FastEthernet0/0.2 overload
route-map RM_REDIRECT_ISP permit 4
match ip address ACL_NET_ISP1 ACL_NET_ISP2

Check:
[gX:~] # ping 10.1.1.1
[gX:~] # ping 10.140.X.1
[cX:~] # ping 10.1.1.1
[cX:~] # ping 10.140.X.1
wg_ro_X#sh ip nat translations
Pro  Inside global        Inside local          Outside local        Outside global
icmp 10.1.1.14:20288      192.168.X.10:20288    10.1.1.1:20288       10.1.1.1:20288
icmp 10.140.X.2:21312     192.168.X.10:21312    10.140.X.1:21312     10.140.X.1:21312
icmp 10.1.1.14:56460      10.X+1.X+1.2:56460    10.1.1.1:56460       10.1.1.1:56460
icmp 10.140.X.2:57484     10.X+1.X+1.2:57484    10.140.X.1:57484     10.140.X.1:57484

Script that selects the ACL set automatically:
[gX:~] # mkdir /root/sh/
[gX:~] # cat > /root/sh/select_isp.sh
#!/bin/sh
# Probe both ISP gateways and, when the answer changes, make the router load
# the matching ACL file by tftp through SNMP writeNet. The RW community
# travels in cleartext (SNMPv2c) every time this runs; anyone who captures it
# can push any configuration to the router.
ISP1="10.140.X.1"
ISP2="10.1.1.1"
CISCO="10.X+1.X+1.3"
BSD="10.X+1.X+1.2"
conf_name="isp1_isp2.cfg"
/sbin/ping -c 3 $ISP1 > /dev/null 2>&1
ALIVE1=$?
/sbin/ping -c 3 $ISP2 > /dev/null 2>&1
ALIVE2=$?
# one gateway answering: everything through it; both (or neither): split as usual
/bin/test $ALIVE1 -eq 0 && conf_name="isp1.cfg"
/bin/test $ALIVE2 -eq 0 && conf_name="isp2.cfg"
/bin/test $ALIVE1 -eq 0 && /bin/test $ALIVE2 -eq 0 && conf_name="isp1_isp2.cfg"
# only touch the router when the choice differs from the last run
old_conf_name=`/bin/cat /tftpboot/old_conf_name.txt`
if [ "$old_conf_name" != "$conf_name" ]
then
    echo $conf_name > /tftpboot/old_conf_name.txt
    /usr/local/bin/snmpset -c write -v2c \
        $CISCO .1.3.6.1.4.1.9.2.1.53.$BSD \
        string $conf_name >/dev/null 2>&1
fi
exit 0
<Ctrl>-D
[gX:~] # cat > /tftpboot/old_conf_name.txt
isp1_isp2.cfg
<Ctrl>-D
[gX:~] # crontab -e
*/3 * * * * /root/sh/select_isp.sh



Kerberos Cisco AAA
DNS
[gX:~] # cat /etc/namedb/named.conf
options {
        directory "/etc/namedb";
        pid-file  "/var/run/named/pid";
};
zone "dX.class" {
        type master;
        file "master/dX.class";
};
zone "X+1.X+1.10.IN-ADDR.ARPA" {
        type master;
        file "master/X+1.X+1.10.IN-ADDR.ARPA";
};
[gX:~] # cat /etc/namedb/master/dX.class
$TTL 36
@       IN      SOA     gX.class. root.gX.class. (
                        2007011603      ; Serial
                        36              ; Refresh
                        9               ; Retry
                        36000           ; Expire
                        36 )            ; Minimum
        IN      NS      gX.class.
roX     IN      A       10.X+1.X+1.3
swX     IN      A       10.X+1.X+1.11
gX      IN      A       10.X+1.X+1.2
_kerberos._udp          IN SRV  01 00 88  gX
_kerberos._tcp          IN SRV  01 00 88  gX
_kpasswd._udp           IN SRV  01 00 464 gX
_kerberos-adm._tcp      IN SRV  01 00 749 gX
_kerberos               IN TXT  DX.CLASS
[gX:~] # cat /etc/namedb/master/X+1.X+1.10.IN-ADDR.ARPA
$TTL 36
@       IN      SOA     gX.class. root.gX.class. (
                        2007011601      ; Serial
                        36              ; Refresh
                        9               ; Retry
                        36000           ; Expire
                        36 )            ; Minimum
        IN      NS      gX.class.
2       IN      PTR     gX.dX.class.
3       IN      PTR     roX.dX.class.
11      IN      PTR     swX.dX.class.

dns
[gX:~] # dig SRV _kerberos._tcp.dX.class

[gX:~] # dig TXT _kerberos.dX.class

Kerberos
[gX:~] # cat /etc/krb5.conf
[libdefaults]
default_realm = DX.CLASS
[kdc]
encode_as_rep_as_tgs_rep = true

Kerberos
[gX:~] # kstash
[gX:~] # kadmin -l
kadmin> init DX.CLASS
Realm max ticket life [unlimited]:
Realm max renewable ticket life [unlimited]:
kadmin> add uX/admin
...
uX/admin@DX.CLASS's Password: pX
Verifying - uX/admin@DX.CLASS's Password: pX
kadmin> add --random-key host/roX.dX.class
...
kadmin> get -l host/roX.dX.class
...
Keytypes(salttype[(salt-value)]): des-cbc-crc(pw-salt), des-cbc-md4(pw-salt), des-cbc-md5(pw-salt), des3-cbc-sha1(pw-salt)
kadmin> del_enctype host/roX.dX.class des-cbc-md4
kadmin> del_enctype host/roX.dX.class des-cbc-md5
kadmin> del_enctype host/roX.dX.class des3-cbc-sha1
kadmin> get -l host/roX.dX.class
...
Keytypes(salttype[(salt-value)]): des-cbc-crc(pw-salt)
kadmin> ext --keytab=/tftpboot/roX.keytab host/roX.dX.class@DX.CLASS
kadmin> list *
...
kadmin> quit
[gX:~] # ktutil -k /tftpboot/roX.keytab list
[gX:~] # chmod +r /tftpboot/roX.keytab
[gX:~] # /etc/rc.d/kerberos forcestart
[gX:~] # kinit uX/admin
uX/admin@DX.CLASS's Password:
kinit: NOTICE: ticket renewable lifetime is 1 week
[gX:~] # klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: uX/admin@DX.CLASS

  Issued           Expires          Principal
Jan 15 07:34:41  Jan 15 17:34:41  krbtgt/DX.CLASS@DX.CLASS
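Before the exported keytab is served to the router it is worth checking what it actually holds, which is what the ktutil list step above does by hand. The following Python parser is an added example, not part of the manual; it reads the MIT/Heimdal keytab file format (version 0x0502), reports each entry's principal, kvno and enctype, flags entries with an enctype other than des-cbc-crc (the only one left for host/roX.dX.class above), and rejects a truncated file the way IOS did. The sample keytab bytes and the timestamp are constructed in the block itself.

```python
import struct
DES_CBC_CRC = 1  # RFC 3961 enctype number for des-cbc-crc, the only type kept for the router above

def _octets(buf, off):  # counted octet string: uint16 length, then the bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def build_keytab(entries, timestamp=1177735778):
    """Construct a v2 keytab (test input) from (realm, components, kvno, enctype, key) tuples."""
    out = b"\x05\x02"
    for realm, comps, kvno, enctype, key in entries:
        body = struct.pack(">H", len(comps))  # v2 counts components without the realm
        for s in [realm] + comps:
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIBHH", 1, timestamp, kvno & 0xFF, enctype, len(key)) + key
        out += struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)
    return out

def parse_keytab(data):
    """One dict per entry; ValueError on a truncated file, which IOS also refuses to load."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                    # deleted slot: skip its payload
            off -= size
            continue
        end = off + size
        if end > len(data):
            raise ValueError("truncated keytab")
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _octets(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _octets(data, off)
            comps.append(comp.decode())
        _name_type, _ts, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, off)
        off += 13 + klen                # skip the fixed fields and the key bytes
        kvno = struct.unpack_from(">I", data, off)[0] if end - off >= 4 else vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "kvno": kvno, "enctype": enctype, "keylen": klen})
        off = end
    return entries

def non_des_principals(entries):  # principals still carrying an enctype the router cannot use
    return sorted({e["principal"] for e in entries if e["enctype"] != DES_CBC_CRC})

SAMPLE_KEYTAB = build_keytab([("DX.CLASS", ["host", "roX.dX.class"], 1, DES_CBC_CRC, b"\x13" * 8),   # constructed: key as exported above
                              ("DX.CLASS", ["host", "roX.dX.class"], 1, 16, b"\x57" * 24)])         # plus a leftover des3-cbc-sha1 key
```

Running parse_keytab over /tftpboot/roX.keytab and checking that non_des_principals returns an empty list is the programmatic equivalent of the get -l / del_enctype round above.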

DNS
ip domain name dX.class
ip name-server 10.X+1.X+1.2


clock timezone MSK 3
clock summer-time MSK recurring last Sun Mar 2:00 last Sun Oct 2:00

:
wg_ro_X#clock set 10:07:30 28 apr 2007

ntp:
ntp clock-period 17179870
ntp server 10.X+1.X+1.2

kerberos
wg_ro_X#more tftp://gX/roX.keytab
wg_ro_X#conf t
wg_ro_X(config)#kerberos srvtab remote tftp://gX/roX.keytab
Translating "gX"...domain server (10.X+1.X+1.2) [OK]
Loading roX.keytab from 10.X+1.X+1.2 (via FastEthernet0/0): !
[OK - 66 bytes]
Truncated srvtab! Discarding...
Failed to retrieve srvtab from tftp://gX/roX.keytab
wg_ro_X(config)#^Z
wg_ro_X#wr t
...
kerberos srvtab entry host/roX.dX.class@DX.CLASS 1 1177735778 4 1 8 01602=<2?8<2304:;

kerberos
kerberos local-realm DX.CLASS
kerberos server DX.CLASS 10.X+1.X+1.2


aaa authentication login default krb5-telnet krb5 enable
aaa authorization exec krb5-instance
kerberos instance map admin 15

Nagios
[gX:~] # pkg_add /usr/ports/packages/All/nagios-2.5.tbz
[gX:~] # cd /usr/local/etc/apache/
[gX:local/etc/apache] # rcsdiff httpd.conf
387a388,400
> <Directory /usr/local/www/nagios>
>     Order allow,deny
>     Allow from all
> </Directory>
>
> <Directory /usr/local/www/nagios/cgi-bin>
>     Options ExecCGI
> </Directory>
>
> ScriptAlias /nagios/cgi-bin/ /usr/local/www/nagios/cgi-bin/
> Alias /nagios/ /usr/local/www/nagios/
[gX:~] # cd /usr/local/etc/nagios/
[gX:local/etc/nagios] # sh
for i in *sample; do cp $i ${i%-sample};done
<Ctrl>-D
[gX:local/etc/nagios] # rcsdiff nagios.cfg
37c37
< cfg_file=/usr/local/etc/nagios/checkcommands.cfg
---
> #cfg_file=/usr/local/etc/nagios/checkcommands.cfg
40c40
< cfg_file=/usr/local/etc/nagios/misccommands.cfg
---
> #cfg_file=/usr/local/etc/nagios/misccommands.cfg
[gX:local/etc/nagios] # rcsdiff cgi.cfg
86c86
< use_authentication=1
---
> use_authentication=0
[gX:~] # /usr/local/etc/rc.d/nagios forcestart


[gX:local/etc/nagios] # rcsdiff minimal.cfg
145c145
<         email                   nagios-admin@localhost
---
>         email                   root@localhost
359a360,388
> define host{
>         use                     generic-host
>         host_name               roX
>         alias                   wg_ro_X
>         address                 10.X+1.X+1.3
>         check_command           check-host-alive
>         max_check_attempts      10
>         check_period            24x7
>         notification_interval   120
>         notification_period     24x7
>         notification_options    d,r
>         contact_groups          admins
>         }
>
> define service{
>         use                     generic-service
>         host_name               roX
>         service_description     PING
>         is_volatile             0
>         check_period            24x7
>         max_check_attempts      4
>         normal_check_interval   5
>         retry_check_interval    1
>         contact_groups          admins
>         notification_options    w,u,c,r
>         notification_interval   960
>         notification_period     24x7
>         check_command           check_ping!100.0,20%!500.0,60%
>         }
[gX:~] # /usr/local/bin/nagios -v /usr/local/etc/nagios/nagios.cfg
[gX:~] # /usr/local/etc/rc.d/nagios forcerestart

trap nagios
[gX:local/etc/nagios] # rcsdiff nagios.cfg
131c131
< check_external_commands=0
---
> check_external_commands=1
[gX:local/etc/nagios] # rcsdiff minimal.cfg
113a114,117
> define command{
>         command_name    check_none
>         command_line    $USER1$/check_dummy 0
>         }
373,387c377,391
> define host{
>         use                     generic-host
>         host_name               swX
>         alias                   wg_sw_X
>         address                 10.X+1.X+1.11
>         check_command           check-host-alive
>         max_check_attempts      10
>         check_period            24x7
>         notification_interval   120
>         notification_period     24x7
>         notification_options    d,r
>         contact_groups          admins
>         }
>
404,420c408,425
>
> define service{
>         host_name               swX
>         service_description     SNMP-Trap
>         check_period            24x7
>         is_volatile             1
>         active_checks_enabled   0
>         passive_checks_enabled  1
>         max_check_attempts      1
>         normal_check_interval   5
>         retry_check_interval    1
>         contact_groups          admins
>         notification_interval   960
>         notification_period     24x7
>         notification_options    w,u,c,r
>         check_command           check_none
>         }

[gX:~] # /usr/local/bin/nagios -v /usr/local/etc/nagios/nagios.cfg


[gX:~] # /usr/local/etc/rc.d/nagios forcerestart

:
[gX:~] # echo "[`date +%s`] PROCESS_SERVICE_CHECK_RESULT;swX;SNMP-Trap;2;LinkDown" > /var/spool/nagios/rw/nagios.cmd
[gX:~] # echo "[`date +%s`] PROCESS_SERVICE_CHECK_RESULT;swX;SNMP-Trap;0;LinkUp" > /var/spool/nagios/rw/nagios.cmd
[gX:~] # tail -f /var/spool/nagios/nagios.log

snmptrapd nagios
[gX:~] # cat /usr/local/etc/snmp/snmptrapd.conf
traphandle IF-MIB::linkDown echo "[`date +%s`] PROCESS_SERVICE_CHECK_RESULT;swX;SNMP-Trap;2;LinkDown" > /var/spool/nagios/rw/nagios.cmd
traphandle IF-MIB::linkUp echo "[`date +%s`] PROCESS_SERVICE_CHECK_RESULT;swX;SNMP-Trap;0;LinkUp" > /var/spool/nagios/rw/nagios.cmd
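Nagios silently discards a passive result whose host or service_description does not match a defined object, so a handler that derives the host from the trap and validates the name against the configuration is more robust than the fixed echo above. The Python traphandle below is an added example, not from the manual: it parses the text snmptrapd passes on stdin (hostname, transport address, then one "OID value" line per varbind), maps linkDown/linkUp to the CRITICAL/OK codes used above, and refuses a service name that is not defined in minimal.cfg. The DEFINED_SERVICES table and the sample trap are constructed; the command-file path is the one used above.

```python
import time

NAGIOS_CMD = "/var/spool/nagios/rw/nagios.cmd"
# host_name -> service_description values defined in minimal.cfg above (constructed table)
DEFINED_SERVICES = {"roX": {"PING"}, "swX": {"SNMP-Trap"}}
# snmpTrapOID -> (Nagios return code, plugin output): 0 = OK, 2 = CRITICAL
TRAP_STATES = {"IF-MIB::linkDown": (2, "LinkDown"), "IF-MIB::linkUp": (0, "LinkUp")}

def parse_trap(text):
    """Parse snmptrapd traphandle input: hostname, transport address, then 'OID value' lines."""
    lines = [l for l in text.splitlines() if l.strip()]
    host = lines[0].strip().split(".")[0]   # Nagios host_name is the short name (swX above)
    addr = lines[1].strip()
    varbinds = {}
    for line in lines[2:]:
        oid, _, value = line.partition(" ")
        varbinds[oid] = value.strip()
    return host, addr, varbinds

def check_result(host, varbinds, service="SNMP-Trap", now=None):
    """Build the external command, or None when the trap is not one we map to a state."""
    state = TRAP_STATES.get(varbinds.get("SNMPv2-MIB::snmpTrapOID.0"))
    if state is None:
        return None
    if service not in DEFINED_SERVICES.get(host, ()):
        raise ValueError(f"service {service!r} is not defined for host {host!r}")
    code, label = state
    ifindex = next((v for k, v in varbinds.items() if k.startswith("IF-MIB::ifIndex")), None)
    output = f"{label} ifIndex {ifindex}" if ifindex else label
    if ";" in output or "\n" in output:     # a ';' would inject extra fields into the command
        raise ValueError("unsafe characters in plugin output")
    ts = int(time.time() if now is None else now)
    return f"[{ts}] PROCESS_SERVICE_CHECK_RESULT;{host};{service};{code};{output}"

def submit(command, path=NAGIOS_CMD):
    """Append the command to the Nagios command pipe (same effect as the echo above)."""
    with open(path, "a") as fifo:
        fifo.write(command + "\n")

# Constructed sample of what snmptrapd hands a traphandle for a linkDown from swX
SAMPLE_TRAP = """swX.dX.class
UDP: [10.X+1.X+1.11]:161->[10.X+1.X+1.2]
DISMAN-EVENT-MIB::sysUpTimeInstance 0:0:12:34.56
SNMPv2-MIB::snmpTrapOID.0 IF-MIB::linkDown
IF-MIB::ifIndex.2 2
IF-MIB::ifDescr.2 FastEthernet0/2
"""
```

Used as a traphandle target for IF-MIB::linkDown and IF-MIB::linkUp, the script would read the trap from sys.stdin, call parse_trap and check_result, and pass a non-None result to submit.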


freebsd
[:~] # sysinstall
[:~] # cat /etc/rc.conf
hostname="gX.class"
ifconfig_fxp0="inet 10.X+1.X+1.2/24"
ifconfig_rl0="inet 10.5.7/24"
defaultrouter="10.5.7.254"
[:~] # cat /etc/resolv.conf
domain class
nameserver 10.5.7.50
[:~] # /etc/rc.d/netif start
[:~] # /etc/rc.d/routing start
[:~] # kill -1 1
[gX:~] # mount /cdrom/
[gX:~] # mkdir /usr/ports
[gX:~] # cd /usr/ports
[gX:/usr/ports] # tar -xf /cdrom/packdist.tar
[gX:~] # cd /usr/local/
[gX:/usr/local] # tar -xf /cdrom/qemuimg.tar
[gX:~] # rcp user@g50:/etc/X11/xorg.conf /etc/X11/
[gX:~] # pw usermod root -L russian
[gX:~] # pkg_add /usr/ports/packages/All/fvwm95-2.0.43a_1.tbz
[gX:~] # cat > .xinitrc
fvwm95
<Ctrl>-D
[gX:~] # startx &

freebsd
[gX:~] # cd /usr/local/qemu/
[gX:/usr/local/qemu] # cat tun_up_freebsd.sh
#!/bin/sh
ifconfig $1 192.168.X.1 netmask 255.255.255.0
[gX:/usr/local/qemu] # ./start_freebsd.sh
[:~] # cat /etc/rc.conf
hostname="cX.dX.class"
ifconfig_ed0="inet 192.168.X.10/24"
defaultrouter="192.168.X.1"
[:~] # cat /etc/resolv.conf
domain class
nameserver 192.168.X.1

[:~] # /etc/rc.d/netif start


[:~] # /etc/rc.d/routing start
[:~] # kill -1 1


[gX:~] # telnet 10.5.7.251 200X
wg_ro_X#wr t
...
!
hostname wg_ro_X
!
ip name-server 10.5.7.50
!
enable secret cisco
!
...
!
interface FastEthernet0/0
desc Connect to Switch
ip address 10.X+1.X+1.3 255.255.255.0
ip nat inside
no shutdown
!
interface Serial0/0
desc Connect to ISP1
ip address 10.140.X.2 255.255.255.0
ip nat outside
clock-rate 64000
no shutdown
!
ip access-list standard ACL_NAT
permit 10.X+1.X+1.0 0.0.0.255
!
ip nat inside source list ACL_NAT interface Serial0/0 overload
!
ip route 0.0.0.0 0.0.0.0 10.140.X.1
!
line vty 0 4
password cisco
login
exec-timeout 0 0
!


[gX:~] # telnet 10.5.7.250 200X
wg_sw_X#wr t
...
!
hostname wg_sw_X
!
no ip domain-lookup
!
enable secret cisco
!

...
interface FastEthernet0/2
switchport mode access
desc Connect to Router
!
...
!
interface FastEthernet0/11
desc Connect to ISP2
switchport mode access
switchport access vlan 2
shut
!
...
!
interface FastEthernet0/24
switchport mode access
desc Connect to FreeBSD
!
...
!
interface VLAN1
ip address 10.X+1.X+1.11 255.255.255.0
!
...
line vty 0 4
password cisco
exec-timeout 0 0
login


core_ro#wr t
...
hostname core_ro
...
ip name-server 10.5.7.254
!
interface FastEthernet0/0
ip address 10.5.7.60 255.255.255.0
ip nat outside
!
interface FastEthernet0/0.100
encapsulation dot1Q 100
ip address 10.1.1.1 255.255.255.0
ip nat inside
!
interface Serial0/1
ip address 10.140.1.1 255.255.255.0
ip nat inside
clockrate 64000
!
...
interface Serial2/4
ip address 10.140.X.1 255.255.255.0
ip nat inside
clockrate 64000
!
ip nat inside source list 50 interface FastEthernet0/0 overload

ip route 0.0.0.0 0.0.0.0 10.5.7.254


!
access-list 50 permit 10.140.0.0 0.0.255.255
access-list 50 permit 10.1.1.0 0.0.0.255
!
...
end


core_sw_a#wr t
...
hostname core_sw_a
!
vlan 100
!
interface FastEthernet0/1
switchport access vlan 100
switchport mode access
no ip address
!
interface FastEthernet0/2
...............
interface FastEthernet0/13
switchport access vlan 100
switchport mode access
no ip address
!
...
!
interface FastEthernet0/23
desc conect to core_sw
switchport mode trunk
no ip address
!
interface Vlan1
ip address 10.5.7.70 255.255.255.0
no ip route-cache
!
...
!
end

47

48

