среда, 10 июня 2015 г.

How to save config using SNMPv3 via SCP

Создаём пользователя на linux хосте.
useradd -d /home/scp -m -s /bin/bash -c "only for scp" scp
pass 27iK4bUy32hLm87Eew4i

Ставим утилиту, чтобы пользователь мог использовать только scp.
apt-get install scponly
usermod -s /usr/bin/scponly scp

Настраиваем маршрутизатор.
access-list 77 permit 1.1.1.1
access-list 77 permit 2.2.2.2
access-list 77 permit 3.3.3.3

snmp-server group SNMP3GRP v3 priv write SNMP3_R access 77
snmp-server user snmpadm SNMP3GRP v3 auth md5 9LADO68h245s709qP18T priv aes 128 bOJwIi5UZi449fUyrJxZa access 77
snmp-server view SNMP3_R ccCopyTable.1 included
snmp-server view SNMP3_R 1.3.6.1.4.1.9.2.9.9.0 included

Добавим возможность удаленно бутить цыску.
snmp-server system-shutdown

Возвращаемся на линуксовую машину. Проверяем отвечает ли по SNMPv3 цыска.
snmpwalk -v 3 -a md5 -u snmpadm -A 9LADO68h245s709qP18T -l authPriv -x aes -X bOJwIi5UZi449fUyrJxZa 85.198.124.122

К примеру, адрес линуксовой машины - 1.1.1.1

Так можно засейвить конфиг по scp:
snmpset -v 3 -a md5 -u snmpadm -A 9LADO68h245s709qP18T -l authPriv -x aes -X bOJwIi5UZi449fUyrJxZa 85.198.124.122 1.3.6.1.4.1.9.9.96.1.1.1.1.2.15 i 4
snmpset -v 3 -a md5 -u snmpadm -A 9LADO68h245s709qP18T -l authPriv -x aes -X bOJwIi5UZi449fUyrJxZa 85.198.124.122 1.3.6.1.4.1.9.9.96.1.1.1.1.3.15 i 4
snmpset -v 3 -a md5 -u snmpadm -A 9LADO68h245s709qP18T -l authPriv -x aes -X bOJwIi5UZi449fUyrJxZa 85.198.124.122 1.3.6.1.4.1.9.9.96.1.1.1.1.4.15 i 1
snmpset -v 3 -a md5 -u snmpadm -A 9LADO68h245s709qP18T -l authPriv -x aes -X bOJwIi5UZi449fUyrJxZa 85.198.124.122 1.3.6.1.4.1.9.9.96.1.1.1.1.5.15 a 1.1.1.1
snmpset -v 3 -a md5 -u snmpadm -A 9LADO68h245s709qP18T -l authPriv -x aes -X bOJwIi5UZi449fUyrJxZa 85.198.124.122 1.3.6.1.4.1.9.9.96.1.1.1.1.6.15 s router_running-config
snmpset -v 3 -a md5 -u snmpadm -A 9LADO68h245s709qP18T -l authPriv -x aes -X bOJwIi5UZi449fUyrJxZa 85.198.124.122 1.3.6.1.4.1.9.9.96.1.1.1.1.7.15 s "scpQr41ei4f09otuhh"
snmpset -v 3 -a md5 -u snmpadm -A 9LADO68h245s709qP18T -l authPriv -x aes -X bOJwIi5UZi449fUyrJxZa 85.198.124.122 1.3.6.1.4.1.9.9.96.1.1.1.1.8.15 s "27iK4bUy32hLm87Eew4i"
snmpset -v 3 -a md5 -u snmpadm -A 9LADO68h245s709qP18T -l authPriv -x aes -X bOJwIi5UZi449fUyrJxZa 85.198.124.122 1.3.6.1.4.1.9.9.96.1.1.1.1.14.15 i 1

понедельник, 8 июня 2015 г.

PBR in Extreme summit switch

* Int.X460-Core.4 # edit policy police_vlan8_pbr
entry permit_local_00 {
if {
   source-address 192.168.0.0/16;
   destination-address 192.168.0.0/16;
   } then {
     permit;
}
}

entry permit_local_01 {
if {
   source-address 192.168.0.0/16;
   destination-address 10.0.0.0/8;
   } then {
     permit;
}
}

entry permit_local_02 {
if {
   source-address 192.168.0.0/16;
   destination-address 172.168.0.0/12;
   } then {
     permit;
}
}

entry redirect_local_00 {
if {
   source-address 192.168.253.0/24;
   } then {
   redirect 10.255.255.41;
}
}


configure access-list police_vlan8_pbr vlan "VLAN8_USERS-NEW" ingress 
unconfigure access-list police_vlan8_pbr ingress

===

Policy-Based Redirection Redundancy
Multiple Next-hop Support
As discussed above, Layer 3 and Layer 2 policy-based redirect support only one next-hop for one
policy-based entry. Multiple next-hops with different priorities can be configured. A higher priority is
denoted with a higher number; for example, “priority 5” has a higher precedence than “priority 1.” When
a high priority next-hop becomes unreachable, another preconfigured next-hop, based on priority,
replaces the first. This is done by first creating a flow-redirect name that is used to hold next-hop
information. User-created flow-redirect names are not case-sensitive.
Use the following command:
create flow-redirect flow_redirect_name
To delete the flow-redirect name, use:
delete flow-redirect flow_redirect_name
Then information for each next-hop, including a defined priority, is added one by one to the new flowredirect
name. Use the following command:
configure flow-redirect flow_redirect_name add nexthop ipaddress priority number

===

An example.
We want to redirect all traffic from 10.91.0.48/28 to address 10.91.0.234

create flow-redirect redir1
configure flow-redirect redir1 add nexthop 10.91.0.234 priority 100
configure flow-redirect redir1 nexthop 10.91.0.234 ping health-check interval 60 miss 3

Create an ACL:
entry subnet1 {
if match all {
source-address 10.91.0.48/28 ;
} then {
permit;
redirect-name redir1;
}
}

configure access-list redir1 vlan "vlan_name" ingress


That will redirect traffic in this vlan only from subnet 10.91.0.48/28 to 10.91.0.234.

https://community.extremenetworks.com/extreme/topics/help_required_for_l3_policy_based_redirect_summit_x460_24t_exos_12_5-mb5hr