■Tried out the IX2015.
UNIVERGE IX Series manual
http://jpn.nec.com/univerge/ix/Manual/
■There is no initial password.
Basically, you can't do anything unless you enter config mode.
Even so, the firmware is old.
NEC Portable Internetwork Core Operating System Software
IX Series IX2010 (magellan-sec) Software, Version 7.3.21, RELEASE SOFTWARE
Compiled Nov 17-Thu-2005 11:45:52 JST
ROM: System Bootstrap, Version 16.6
System Diagnostic, Version 14.4
System uptime is 2 hours 38 minutes
System woke up by reload, caused by power-on
System started at Mar 10-Thu-2016 20:28:12 JST
System image file is "ix2010-ms-7.3.21.ldc"
Processor board ID <2>
IX2015 (MPC8270A) processor with 65536K bytes of memory.
3 FastEthernet/IEEE 802.3 interfaces
1 ISDN Basic Rate interface
512K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)
Length Name/status
2850546 ix2010-ms-7.3.21.ldc runnable
[2850546 bytes used, 4188562 available, 7039108 total]
6912 Kbytes of processor board System flash (Read/Write)
■Setting the time zone
configure
!
timezone +09 00
Thursday, 10 March 2016 22:17:39 +09 00
■For now, use an IP on the isolated network.
interface FastEthernet0/1.0
ip address 172.16.16.254/24
no shutdown
exit
!
PING 172.16.16.254 > 172.16.16.254 56 data bytes
64 bytes from 172.16.16.254: icmp_seq=0. time=0.072 ms
--- 172.16.16.254 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip (ms) min/avg/max = 0.072/0.072/0.072
■Leaving aside which side will be the upstream, assign the isolated IP for the opposite side.
interface FastEthernet0/0.0
ip address 10.26.7.2/8
no shutdown
exit
PING 10.26.7.2 > 10.26.7.254 56 data bytes
64 bytes from 10.26.7.254: icmp_seq=0. time=0.710 ms
--- 10.26.7.254 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip (ms) min/avg/max = 0.710/0.710/0.710
■Trying time synchronization.
ntp ip enable
ntp server 172.16.16.88
ntp interval 3600
NTP status:
Clock is synchronized, reference is 172.16.16.88
Rcvd: 0 requests, 2 responses
Sent: 2 requests, 0 responses
NTP server St Ver Timeout Last Receive
172.16.16.88 2 3 64 22:33:39
■The default route is tentatively set to the 172 side, fe0/1.0.
ip route default FastEthernet0/1.0
IP Routing Table - 3 entries, 2044 frees
Codes: C - Connected, S - Static, R - RIP, O - OSPF, IA - OSPF inter area
E1 - OSPF external type 1, E2 - OSPF external type 2, B - BGP
* - Candidate default, s - Summary
Timers: Age
S* 0.0.0.0/0 [1/1] is directly connected, FastEthernet0/1.0, 0:00:25
C 10.0.0.0/8 [0/1] is directly connected, FastEthernet0/0.0, 0:08:28
172.16.0.0/16 is subnetted, 1 subnets
C 172.16.16.0/24 [0/1] is directly connected, FastEthernet0/1.0, 0:11:52
■Trying to enable telnet.
You can check afterwards with "show ip filter".
telnet-server ip enable
telnet-server ip access-list management
telnet-server ip port 23
interface FastEthernet0/1.0
ip filter management 10 in
exit
ip access-list management permit tcp src 172.16.16.88/32 dest any
Interface is FastEthernet0/1.0, direction inbound
management - seq 10, 10 hits
$ telnet 172.16.16.254
Trying 172.16.16.254...
Connected to 172.16.16.254.
Escape character is '^]'.
NEC Portable Internetwork Core Operating System Software
Copyright Notices:
Copyright (c) NEC Corporation 2001-2005. All rights reserved.
Copyright (c) 1985-1998 OpenROUTE Networks, Inc.
Copyright (c) 1984-1987, 1989 J. Noel Chiappa.
■Trying to enable SNMP/SNMP traps.
ip access-list management permit udp src 172.16.16.88/32 dest any
snmp-agent ip enable
snmp-agent ip community public management
snmp-agent ip host 172.16.16.88 public
IPv4 community
Community name: public
Access type: Read-only
Access-list: management
View:
Traps:
cold-start: enable
warm-start: enable
link-down: enable
link-up: enable
auth-fail: enable
temp-fault: enable
temp-rest: enable
volt-fault: enable
volt-rest: enable
isakmp tunnel start: enable
isakmp tunnel stop: enable
ipsec tunnel start: enable
ipsec tunnel stop: enable
ipsec tunnel early-term: enable
vrrp new-master: enable
vrrp auth-fail: enable
network-monitor watch-group status-change: enable
login-session: enable
login-failure: enable
config-mode: enable
config-modified: enable
port link-down: enable
port link-up: enable
Trap host:
172.16.16.88
IPv6 community
■Check from Debian.
$ snmpwalk -c public -v1 172.16.16.254 sysUpTimeInstance 2>/dev/null
DISMAN-EXPRESSION-MIB::sysUpTimeInstance = Timeticks: (864448) 2:24:04.48
$ sudo awk '/snmptrapd/{a=$0};END{print a}' /var/log/syslog | \
sed -e 's/: \|::/\n\t/g' | grep -v "^[A-Za-z]\|SMI"
2016-03-10 23:15:17 172.16.16.254(via UDP
enterprises.119.1.84 Enterprise Specific Trap (13) Uptime
enterprises.119.2.3.84.4.1.1.2.1 = INTEGER
enterprises.119.2.3.84.4.1.1.3.1 = INTEGER
enterprises.119.2.3.84.4.1.1.5.1 = INTEGER
enterprises.119.2.3.84.4.1.1.6.1 = IpAddress
enterprises.119.2.3.84.4.1.1.7.1 = Hex-STRING
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
■Now that telnet is enabled, check the license.
Both the IPsec and VRRP options are activated.
$ (sleep 5;echo "configure";\
sleep 2;echo "show license"; \
sleep 2;echo "exit") | \
telnet 172.16.16.254 | awk '/^[A-Za-z].*tion.*is/{print $0}'
IPsec H/W encryption is activated
ISDN-BRI/VRRP option is activated
Connection closed by foreign host.
■At a good stopping point, save and reboot.
write memory
exit
# reload
Notice: The router will be RELOADED. This is to ensure that
the peripheral devices are properly initialized.
Are you sure you want to reload the router? (Yes or [No]): yes
■Collecting the config
Come to think of it, I haven't permitted ICMP...
$ (sleep 5;echo "configure";\
sleep 2;echo "terminal length 0"; \
sleep 2;echo "show config"; \
sleep 10;echo "exit") | \
telnet 172.16.16.254
Trying 172.16.16.254...
Connected to 172.16.16.254.
Escape character is '^]'.
NEC Portable Internetwork Core Operating System Software
Copyright Notices:
Copyright (c) NEC Corporation 2001-2005. All rights reserved.
Copyright (c) 1985-1998 OpenROUTE Networks, Inc.
Copyright (c) 1984-1987, 1989 J. Noel Chiappa.
Router# configure
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# terminal length 0
Router(config)# show config
Using 1417 out of 524288 bytes
! NEC Portable Internetwork Core Operating System Software
! IX Series IX2010 (magellan-sec) Software, Version 7.3.21, RELEASE SOFTWARE
! Compiled Nov 17-Thu-2005 11:45:52 JST #2
! Last updated Mar 10-Thu-2016 23:25:37 JST
!
!
timezone +09 00
!
!
!
!
!
!
ntp ip enable
ntp server 172.16.16.88
ntp interval 3600
!
!
!
!
!
!
ip route default FastEthernet0/1.0
ip access-list management permit tcp src 172.16.16.88/32 sport any dest any dport any
ip access-list management permit udp src 172.16.16.88/32 sport any dest any dport any
!
!
!
!
snmp-agent ip enable
snmp-agent ip community public management
snmp-agent ip host 172.16.16.88 public
!
!
!
!
telnet-server ip enable
telnet-server ip access-list management
!
!
!
!
!
!
!
!
device FastEthernet0/0
!
device FastEthernet0/1
!
device FastEthernet1/0
!
device BRI1/0
isdn switch-type hsd128k
!
interface FastEthernet0/0.0
ip address 10.26.7.2/8
no shutdown
!
interface FastEthernet0/1.0
ip address 172.16.16.254/24
ip filter management 10 in
no shutdown
!
interface FastEthernet1/0.0
no ip address
shutdown
!
interface BRI1/0.0
encapsulation ppp
no auto-connect
no ip address
shutdown
!
interface FastEthernet0/1.1
encapsulation pppoe
auto-connect
no ip address
shutdown
!
interface Loopback0.0
no ip address
!
interface Null0.0
no ip address
Router(config)# Connection closed by foreign host.
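■Added example (not part of the original notes): a shell function that audits a saved "show config" dump like the one above for the management-plane settings this walkthrough leaves in place: telnet-server enabled, the SNMP community named "public", and access-list entries that permit every destination port. The sample config is constructed from lines on this page; the function name audit_ix_config and the finding labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit an IX "show config" dump for weak management settings.
# Finding labels (TELNET, SNMP-COMMUNITY, ACL-ANY-PORT, ...) are invented here.

audit_ix_config() {
  awk '
    { sub(/\r$/, "") }                 # dumps captured over telnet end in CR
    $1 == "telnet-server" && $2 == "ip" && $3 == "enable"      { telnet = 1 }
    $1 == "telnet-server" && $2 == "ip" && $3 == "access-list" { tacl = $4 }
    # snmp-agent ip community NAME [ACCESS-LIST]
    $1 == "snmp-agent" && $2 == "ip" && $3 == "community" {
      if ($4 == "public" || $4 == "private")
        print "SNMP-COMMUNITY: well-known community name \"" $4 "\""
      if (NF < 5)
        print "SNMP-NO-ACL: community \"" $4 "\" is not bound to an access-list"
    }
    # permit entries that leave the destination port open ("dport any" or none);
    # $7 is the source address in the "src ADDR" form shown on this page
    $1 == "ip" && $2 == "access-list" && $4 == "permit" &&
    ($5 == "tcp" || $5 == "udp") &&
    (index($0, " dport any") || !index($0, " dport ")) {
      print "ACL-ANY-PORT: list \"" $3 "\" permits " $5 " from " $7 " to every port"
    }
    END {
      if (telnet) print "TELNET: telnet-server is enabled (cleartext login)"
      if (telnet && tacl == "") print "TELNET-NO-ACL: telnet-server has no access-list"
    }
  '
}

# Constructed sample: the management-related lines of the dump on this page.
SAMPLE_CONFIG='ip access-list management permit tcp src 172.16.16.88/32 sport any dest any dport any
ip access-list management permit udp src 172.16.16.88/32 sport any dest any dport any
snmp-agent ip enable
snmp-agent ip community public management
snmp-agent ip host 172.16.16.88 public
telnet-server ip enable
telnet-server ip access-list management'

printf '%s\n' "$SAMPLE_CONFIG" | audit_ix_config
```

To audit a real dump, save the telnet capture to a file and feed it to the function on stdin.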