labunix's blog

labunix's Lab Unix

Trying out [Cisco Routing and Switching Sandbox v2] on Cisco dCloud

■Trying out [Cisco Routing and Switching Sandbox v2] on Cisco dCloud.
 Cisco partner privileges are required.
 You get 20 routers, 5 switches, a jump host (Win10Ent) and an AD server (2008R2Std).
 The parts labelled 仮説 (hypothesis) in the diagrams are my guess that IWAN is probably what handles the tunnel.

$ seq 1 20 | awk '{print "[r"$1"]"}' | tr '\n' ',';echo
[r1],[r2],[r3],[r4],[r5],[r6],[r7],[r8],[r9],[r10],[r11],[r12],[r13],[r14],[r15],[r16],[r17],[r18],[r19],[r20],

$ seq 101 105 | awk '{print "[sw"$1"]"}' | tr '\n' ',';echo
[sw101],[sw102],[sw103],[sw104],[sw105],

■You can even reach the WORKGROUP client from a web browser through a proxy (http->rdp)...
 In this mode wkst1 serves as the jump host for connecting to the servers, routers and switches.
 If you use an English keyboard, or have the layout memorized, this may be no inconvenience.

$ echo "(home [chromium] --> [proxy] --> [FW] --> [wan]) \
        [wan] -- tunnel/http --> [dcloud-sng-web-4.cisco.com] \
        (仮説 [dcloud-sng-web-4.cisco.com] --> [RouterBank_iwan-webiol2.128.33] --> [DGW.128.1] -- RDP --> [wkst1.133.38])
        (dcloud \
         (Router [wkst1.133.38] -- telnet --> [r1 ... r20]) \
         (Switch [wkst1.133.38] -- telnet --> [sw101 ... sw105]) \
         (server [wkst1.133.38] -- RDP --> [ad1.133.1])) \
       " | graph-easy --dot | dot -T png -o dcloud-http.png

[image: dcloud-http.png]

■I want to connect over AnyConnect VPN, then RDP directly from remmina on my client and telnet directly from a terminal.
 Since a VPN tunnel is used, picture it as connecting to everything in parallel.
 Because the connections are direct, my local Japanese keyboard layout works as-is.

$ echo "(home (tun0 (server [remmina] -- RDP --> [wkst1.133.38],[ad1.133.1]) \
                    (Router [terminal] -- telnet --> [r1 ... r20]) \
                    (Switch [terminal] -- telnet --> [sw101 ... sw105]) \
               [openconnect] --> [proxy] --> [FW] --> [wan])) \
        [wan] -- tunnel/SSL-VPN --> [dcloud-sng-anyconnect.cisco.com:443] \
        (仮説 [dcloud-sng-anyconnect.cisco.com:443] -- [RouterBank_iwan-webiol2.128.33] -- [DGW.128.1]) \
        [DGW.128.1] -- [ad1.133.1],[wkst1.133.38],[r1 ... r20],[sw101 ... sw105]
        (dcloud [ad1.133.1] [wkst1.133.38] [r1 ... r20] [sw101 ... sw105])
       " | graph-easy --dot | dot -T png -o dcloud-vpn.png

[image: dcloud-vpn.png]

■Preparation for connecting with Cisco AnyConnect VPN

$ lsb_release -d
Description:	Debian GNU/Linux 9.5 (stretch)

$ sudo apt-cache search ^openconnect
ocserv - OpenConnect VPN server compatible with Cisco AnyConnect VPN
openconnect - open client for Cisco AnyConnect VPN
openconnect-dbg - debugging symbols for the OpenConnect VPN client

$ sudo apt-get install -y openconnect

■Connecting with Cisco AnyConnect VPN through the proxy

$ sudo openconnect \
    --user=$USERNAME \
    -P http://172.31.31.93:8080/ \
    -b \
    dcloud-sng-anyconnect.cisco.com
POST https://dcloud-sng-anyconnect.cisco.com/
Connected to 172.31.31.93:8080
Requesting HTTP proxy connection to dcloud-sng-anyconnect.cisco.com:443
SSL negotiation with dcloud-sng-anyconnect.cisco.com
Server certificate verify failed: signer not found

Certificate from VPN server "dcloud-sng-anyconnect.cisco.com" failed verification.
Reason: signer not found
To trust this server in future, perhaps add this to your command line:
    --servercert sha256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Enter 'yes' to accept, 'no' to abort; anything else to view: yes
Connected to HTTPS on dcloud-sng-anyconnect.cisco.com
XML POST enabled
Please enter your username and password.
GROUP: [Anyconnect-to-dCloud]:Anyconnect-to-dCloud
POST https://dcloud-sng-anyconnect.cisco.com/
XML POST enabled
Please enter your username and password.
Password:
POST https://dcloud-sng-anyconnect.cisco.com/
Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 10, Keepalive 20
Set up DTLS failed; using SSL instead
Connected as 10.16.4.193, using SSL
Connect Banner:
| " You are now connected to the Cisco dCloud Singapore Platform "
| 

■Checking the VPN tunnel

$ ip a show dev tun0 | sed -e 's/:[a-z0-9]*/:XXXX/g' -e 's/\.[0-9][0-9]/.XX/g'
8:XXXX tun0:XXXX <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1303 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none 
    inet 10.XX.4.XX3/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80:XXXX:XXXX:XXXX:XXXX:XXXX/64 scope link flags 800 
       valid_lft forever preferred_lft forever

$ ip route show dev tun0
10.16.0.0/15 scope link 
10.16.4.192/28 scope link 
10.64.0.0/10 scope link 
198.18.0.0/15 scope link 
198.18.133.1 scope link 

■Stopping openconnect

$ sudo pkill openconnect

■Reconnecting

$ sudo openconnect \
    --user=$USERNAME \
    -P http://172.31.31.93:8080/ \
    -b \
    dcloud-sng-anyconnect.cisco.com

...
Requesting HTTP proxy connection to dcloud-sng-anyconnect.cisco.com:443
SSL negotiation with dcloud-sng-anyconnect.cisco.com
Server certificate verify failed: signer not found
Connected to HTTPS on dcloud-sng-anyconnect.cisco.com
Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 10, Keepalive 20

■Proxy server log

$ sudo grep "Open AnyConnect VPN Agent v7.08" /var/log/squid/access.log | sed -e 's/\.[0-9][0-9]/.XX/g'
172.XX.XX.XX - - [18/Jul/2018:09:11:07 +0900] "CONNECT dcloud-sng-anyconnect.cisco.com:443 HTTP/1.1" 200 16791 "-" "Open AnyConnect VPN Agent v7.XX" TCP_TUNNEL:HIER_DIRECT
172.XX.XX.XX - - [18/Jul/2018:09:14:24 +0900] "CONNECT dcloud-sng-anyconnect.cisco.com:443 HTTP/1.1" 200 16722 "-" "Open AnyConnect VPN Agent v7.XX" TCP_TUNNEL:HIER_DIRECT
172.XX.XX.XX - - [18/Jul/2018:09:19:35 +0900] "CONNECT dcloud-sng-anyconnect.cisco.com:443 HTTP/1.1" 200 17948 "-" "Open AnyConnect VPN Agent v7.XX" TCP_TUNNEL:HIER_DIRECT
172.XX.XX.XX - - [18/Jul/2018:09:24:37 +0900] "CONNECT dcloud-sng-anyconnect.cisco.com:443 HTTP/1.1" 200 15168 "-" "Open AnyConnect VPN Agent v7.XX" TCP_TUNNEL:HIER_DIRECT
172.XX.XX.XX - - [18/Jul/2018:09:26:12 +0900] "CONNECT dcloud-sng-anyconnect.cisco.com:443 HTTP/1.1" 200 10997 "-" "Open AnyConnect VPN Agent v7.XX" TCP_TUNNEL:HIER_DIRECT
172.XX.XX.XX - - [18/Jul/2018:10:11:16 +0900] "CONNECT dcloud-sng-anyconnect.cisco.com:443 HTTP/1.1" 200 997502 "-" "Open AnyConnect VPN Agent v7.XX" TCP_TUNNEL:HIER_DIRECT
172.XX.XX.XX - - [18/Jul/2018:10:16:17 +0900] "CONNECT dcloud-sng-anyconnect.cisco.com:443 HTTP/1.1" 200 46902 "-" "Open AnyConnect VPN Agent v7.XX" TCP_TUNNEL:HIER_DIRECT
172.XX.XX.XX - - [18/Jul/2018:10:21:18 +0900] "CONNECT dcloud-sng-anyconnect.cisco.com:443 HTTP/1.1" 200 15935 "-" "Open AnyConnect VPN Agent v7.XX" TCP_TUNNEL:HIER_DIRECT
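As an added example (not from the original post), the same access.log search aggregated per client and destination, so that a single long-lived VPN-over-proxy tunnel like the ~1 MB CONNECT session above stands out. The log lines, client addresses and sizes are constructed for this example, and matching on the User-Agent is an assumption since the client chooses that string.

```shell
#!/bin/sh
# Added example (not from the original post): aggregate Squid CONNECT
# tunnels opened by an AnyConnect-style client per (client, destination),
# so a single long-lived VPN-over-proxy session is visible at a glance.
# Caveat: the User-Agent is chosen by the client, so treat it as a hint;
# the durable signal is CONNECT + TCP_TUNNEL with a large byte count.

# Constructed sample lines (addresses and sizes are not real data).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
172.16.0.10 - - [18/Jul/2018:09:11:07 +0900] "CONNECT dcloud-sng-anyconnect.cisco.com:443 HTTP/1.1" 200 16791 "-" "Open AnyConnect VPN Agent v7.08" TCP_TUNNEL:HIER_DIRECT
172.16.0.10 - - [18/Jul/2018:09:14:24 +0900] "CONNECT dcloud-sng-anyconnect.cisco.com:443 HTTP/1.1" 200 16722 "-" "Open AnyConnect VPN Agent v7.08" TCP_TUNNEL:HIER_DIRECT
172.16.0.10 - - [18/Jul/2018:10:11:16 +0900] "CONNECT dcloud-sng-anyconnect.cisco.com:443 HTTP/1.1" 200 997502 "-" "Open AnyConnect VPN Agent v7.08" TCP_TUNNEL:HIER_DIRECT
172.16.0.11 - - [18/Jul/2018:10:12:00 +0900] "GET http://deb.debian.org/debian/ HTTP/1.1" 200 5120 "-" "Debian APT-HTTP/1.3" TCP_MISS:HIER_DIRECT
172.16.0.11 - - [18/Jul/2018:10:20:00 +0900] "CONNECT vpn.example.net:443 HTTP/1.1" 200 402 "-" "Open AnyConnect VPN Agent v8.10" TCP_TUNNEL:HIER_DIRECT
EOF

# Print "client destination sessions total_bytes largest_session" for every
# successful CONNECT whose User-Agent is the OpenConnect/AnyConnect agent.
# Field layout (combined log format): $1 client, $6 "CONNECT, $7 host:port,
# $9 status, $10 bytes, $12.. the quoted User-Agent.
vpn_tunnels() {
  awk '$6=="\"CONNECT" && $9=="200" && /"Open AnyConnect VPN Agent/ &&
       /TCP_TUNNEL/ {
         k=$1" "$7; n[k]++; b[k]+=$10; if ($10+0 > m[k]+0) m[k]=$10 }
       END { for (k in n) print k, n[k], b[k], m[k] }' "$1" | sort
}

# Only the (client, destination) pairs whose total exceeds $2 bytes.
large_tunnels() {
  vpn_tunnels "$1" | awk -v t="$2" '$4+0 > t+0 { print $1, $2, $4 }'
}

# Stand-alone demo: 172.16.0.10 shows 3 sessions totalling 1031015 bytes.
vpn_tunnels "$SAMPLE_LOG"
large_tunnels "$SAMPLE_LOG" 500000
```

Point vpn_tunnels at /var/log/squid/access.log (as root) to run it against a real proxy log.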

■Packet capture while connected via remmina remote desktop

$ sudo tcpdump -i tun0 -n tcp port 3389 -c 5 | sed -e 's/[0-9][0-9]\./XX./g'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
5 packets captured
21 packets received by filter
0 packets dropped by kernel
10:13:XX.076052 IP XX.XX.4.1XX.43672 > 1XX.XX.1XX.XX.3389: Flags [P.], seq 1108420422:1108420461, ack 1869198707, win 1323, options [nop,nop,TS val 7272608 ecr 122918335], length 39
10:13:XX.081816 IP XX.XX.4.1XX.43672 > 1XX.XX.1XX.XX.3389: Flags [P.], seq 39:78, ack 1, win 1323, options [nop,nop,TS val 7272609 ecr 122918335], length 39
10:13:XX.089996 IP XX.XX.4.1XX.43672 > 1XX.XX.1XX.XX.3389: Flags [P.], seq 78:117, ack 1, win 1323, options [nop,nop,TS val 7272611 ecr 122918335], length 39
10:13:XX.098084 IP XX.XX.4.1XX.43672 > 1XX.XX.1XX.XX.3389: Flags [P.], seq 117:156, ack 1, win 1323, options [nop,nop,TS val 7272613 ecr 122918335], length 39
10:13:XX.106061 IP XX.XX.4.1XX.43672 > 1XX.XX.1XX.XX.3389: Flags [P.], seq 156:195, ack 1, win 1323, options [nop,nop,TS val 7272615 ecr 122918335], length 39

■Since the telnet connections are also rather tedious, open mate-terminal tabs like this.

$ echo "[Router]";seq 30001 30020 | awk '{print "mate-terminal --tab -x telnet 198.18.129.33 "$1" &"}' | sh
$ echo "[Switch]";seq 30101 30105 | awk '{print "mate-terminal --tab -x telnet 198.18.129.33 "$1" &"}' | sh

■Collect each switch's interface status and save it as [hostname.txt]

# show int status

■Process it as follows.
 I am not going to worry about the ordering changing.

$ for list in $(seq 105 -1 101);do \
    awk '/Et/{if($4!="a-full")print "[sw"'${list}'"."$1"] -- ["$3"."$4"]"}' "sw${list}.txt"; \
  done | sort -V > dcloud-lan.dot

$ awk '{print $1,$3}' dcloud-lan.dot | tr ' ' '\n' | sort -u | xargs echo -n | \
    sed -e '1,/\[sw105/ s/\[sw105/\n&/' -e '1,/\[sw104/ s/\[sw104/\n&/' \
        -e '1,/\[sw103/ s/\[sw103/\n&/' -e '1,/\[sw102/ s/\[sw102/\n&/' \
        -e '1,/\[sw101/ s/\[sw101/\n&/' \
        -e '1,/\[r20/ s/\[r20/\n&/' -e '1,/\[r19/ s/\[r19/\n&/' \
        -e '1,/\[r18/ s/\[r18/\n&/' -e '1,/\[r17/ s/\[r17/\n&/' \
        -e '1,/\[r16/ s/\[r16/\n&/' -e '1,/\[r15/ s/\[r15/\n&/' \
        -e '1,/\[r14/ s/\[r14/\n&/' -e '1,/\[r13/ s/\[r13/\n&/' \
        -e '1,/\[r12/ s/\[r12/\n&/' -e '1,/\[r11/ s/\[r11/\n&/' \
        -e '1,/\[r10/ s/\[r10/\n&/' -e '1,/\[r9/ s/\[r9/\n&/' -e '1,/\[r8/ s/\[r8/\n&/' \
        -e '1,/\[r7/ s/\[r7/\n&/' -e '1,/\[r6/ s/\[r6/\n&/' -e '1,/\[r5/ s/\[r5/\n&/' \
        -e '1,/\[r4/ s/\[r4/\n&/' -e '1,/\[r3/ s/\[r3/\n&/' -e '1,/\[r2/ s/\[r2/\n&/' \
        -e '1,/\[r1/ s/\[r1/\n&/' | awk '/[a-z]/{a=$1;gsub(".[Ee].*|\\[","",a);print "( "a" "$0")"}' | tac >> dcloud-lan.dot 

$ awk '{if($3<$1){print}else if($1=="("){print}}' dcloud-lan.dot > dcloud-lan.txt
$ sed -i -e 's/Et/e/g' dcloud-lan.txt
$ awk '!/\-\- \[r[0-9]/{print}' dcloud-lan.txt | sort -V > dcloud-lan-nr.txt
$ awk '/\-\- \[r[0-9]/{print $3,$2,$1}' dcloud-lan.txt | sort -V > dcloud-lan-r.txt
$ cat dcloud-lan-r.txt dcloud-lan-nr.txt > dcloud-lan.txt 

$ cat dcloud-lan.txt | graph-easy --dot | dot -T png -o dcloud-lan.png

[image: dcloud-lan.png]
[image: dcloud-lan.png, second rendering]
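An added example, not the post's own pipeline, that builds the same kind of graph-easy input from the sw<NNN>.txt dumps in one pass, with each link emitted once and one group per device. It assumes, as the post's awk filter implies, that a link's description column reads "to <neighbor> <neighbor-port>"; the sample dumps are constructed.

```shell
#!/bin/sh
# Added example (not the original post's pipeline): turn per-switch
# "show int status" dumps saved as sw<NNN>.txt into graph-easy input.
# Assumption: a link's description column is "to <neighbor> <neighbor-port>",
# so $3 is the neighbor host and $4 its port, as in the post's awk filter.

# Constructed sample dumps (not real dCloud output) for a stand-alone run.
mk_samples() {
  mkdir -p "$1"
  cat > "$1/sw101.txt" <<'EOF'
Port      Name               Status       Vlan       Duplex  Speed Type
Et0/0     to r1 Et0/0        connected    trunk      a-full   auto unknown
Et0/1     to sw102 Et0/1     connected    trunk      a-full   auto unknown
Et0/2                        notconnect   1            auto   auto unknown
EOF
  cat > "$1/sw102.txt" <<'EOF'
Port      Name               Status       Vlan       Duplex  Speed Type
Et0/0     to r2 Et0/0        connected    trunk      a-full   auto unknown
Et0/1     to sw101 Et0/1     connected    trunk      a-full   auto unknown
EOF
}

# One "[a.port] -- [b.port]" line per physical link. Endpoints are put in
# sorted order so the two ends' dumps collapse to one line under sort -u.
lan_edges() {
  for f in "$1"/sw*.txt; do
    awk -v h="$(basename "$f" .txt)" \
      '/^Et/ && $2=="to" && $5=="connected" {
         a=h"."$1; b=$3"."$4
         if (a > b) { t=a; a=b; b=t }
         print "[" a "] -- [" b "]" }' "$f"
  done | sort -u
}

# Group lines "( host [host.port] ... )" followed by the edge list,
# ready for: lan_graph DIR | graph-easy --dot | dot -T png -o lan.png
lan_graph() {
  edges=$(lan_edges "$1")
  printf '%s\n' "$edges" | tr ' ' '\n' | grep '^\[' | sort -u |
    awk '{ n=$0; sub(/\..*/, "", n); sub(/^\[/, "", n); g[n]=g[n] " " $0 }
         END { for (k in g) print "( " k g[k] " )" }' | sort
  printf '%s\n' "$edges"
}
```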

■Assuming the two Windows machines use 8GB and the host OS 4GB,
 it may be better to simply split a reproduction environment across two hosts.
 With around 32GB of host memory it could probably be reproduced, though.

$ echo "135081 25" | awk '{print $1*$2/1024/1024"GB"}'
3.22058GB

$ echo "128 5 256 20" | awk '{print ($1*$2+$3*$4)/1024"GB"}'
5.625GB

r5>sho ver | inc ^Cisco|byte|^System image
Cisco IOS Software, Linux Software (I86BI_LINUX-ADVENTERPRISEK9-M), Version 15.7(3)M2, DEVELOPMENT TEST SOFTWARE
System image file is "unix:./l3image"
Linux Unix (Intel-x86) processor with 76825K bytes of memory.
64K bytes of NVRAM.

sw105>sho ver | inc ^Cisco|byte|^System image
Cisco IOS Software, Linux Software (I86BI_LINUXL2-ADVENTERPRISEK9-M), Version 15.2(CML_NIGHTLY_20180510)FLO_DSGS7, EARLY DEPLOYMENT DEVELOPMENT BUILD, synced to  V152_6_0_81_E
System image file is "unix:./l2image"
Linux Unix (Intel-x86) processor with 135081K bytes of memory.
20K bytes of NVRAM.