■Trying out [Cisco Routing and Switching Sandbox v2] on Cisco dCloud. Cisco partner privileges are required. You get 20 routers, 5 switches, a jump host (Win10Ent) and an AD server (2008R2Std). The parts labelled 仮説 (hypothesis) in the diagrams assume that IWAN is probably the one handling the tunnel.

$ seq 1 20 | awk '{print "[r"$1"]"}' | tr '\n' ',';echo
[r1],[r2],[r3],[r4],[r5],[r6],[r7],[r8],[r9],[r10],[r11],[r12],[r13],[r14],[r15],[r16],[r17],[r18],[r19],[r20],
$ seq 101 105 | awk '{print "[sw"$1"]"}' | tr '\n' ',';echo
[sw101],[sw102],[sw103],[sw104],[sw105],

■Even from a web browser you can reach the WORKGROUP client through a proxy (http->rdp)... In this method wkst1 is the jump host for connecting to the server, routers and switches. If you use an English keyboard, or have the layout memorized, it may not be much of an inconvenience.

$ echo "(home [chromium] --> [proxy] --> [FW] --> [wan]) \
[wan] -- tunnel/http --> [dcloud-sng-web-4.cisco.com] \
(仮説 [dcloud-sng-web-4.cisco.com] --> [RouterBank_iwan-webiol2.128.33] --> [DGW.128.1] -- RDP --> [wkst1.133.38]) (dcloud \
(Router [wkst1.133.38] -- telnet --> [r1 ... r20]) \
(Switch [wkst1.133.38] -- telnet --> [sw101 ... sw105]) \
(server [wkst1.133.38] -- RDP --> [ad1.133.1]) \
) \
" | graph-easy --dot | dot -T png -o dcloud-http.png
■I want to connect with AnyConnect VPN and then use RDP directly from remmina on the client and telnet directly from a terminal. Because a VPN tunnel is used, the picture is that the connections can be made in parallel. And because they are direct, the local Japanese keyboard layout works as-is.

$ echo "(home (tun0 (server [remmina] -- RDP --> [wkst1.133.38],[ad1.133.1]) \
(Router [terminal] -- telnet --> [r1 ... r20]) \
(Switch [terminal] -- telnet --> [sw101 ... sw105]) \
[openconnect] --> [proxy] --> [FW] --> [wan])) \
[wan] -- tunnel/SSL-VPN --> [dcloud-sng-anyconnect.cisco.com:443] \
(仮説 [dcloud-sng-anyconnect.cisco.com:443] -- [RouterBank_iwan-webiol2.128.33] -- [DGW.128.1]) \
[DGW.128.1] -- [ad1.133.1],[wkst1.133.38],[r1 ... r20],[sw101 ... sw105] (dcloud [ad1.133.1] [wkst1.133.38] [r1 ... r20] [sw101 ... sw105]) " | graph-easy --dot | dot -T png -o dcloud-vpn.png
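When openconnect is started in the next section it stops at "Server certificate verify failed: signer not found" and offers a --servercert sha256: value to pin. The script below is an added example, not part of the original notes: it opens a CONNECT tunnel through the same HTTP proxy, reads the gateway's leaf certificate without sending anything else over that connection, and prints the SHA-256 of the DER certificate so it can be compared with a fingerprint obtained out of band (from the provider, or from a machine whose CA store trusts the signer) before answering "yes". That the sha256: form printed by openconnect 7.x is the hash of the whole DER certificate is an assumption about the version used here; the proxy and gateway defaults are the values on this page, and the pin is given on the command line.

```python
#!/usr/bin/env python3
"""Fetch a TLS server certificate through an HTTP CONNECT proxy and check its
SHA-256 fingerprint against an expected 'sha256:<hex>' pin.
Added example; proxy/gateway defaults are the values used in these notes."""
import hashlib
import hmac
import socket
import ssl
import sys

DEFAULT_PROXY = ("172.31.31.93", 8080)                    # proxy from these notes
DEFAULT_GATEWAY = ("dcloud-sng-anyconnect.cisco.com", 443)  # gateway from these notes


def cert_sha256_hex(der_cert: bytes) -> str:
    # SHA-256 over the DER-encoded certificate. Assumed to be the value that
    # openconnect 7.x prints after 'sha256:' in its --servercert hint.
    return hashlib.sha256(der_cert).hexdigest()


def parse_pin(pin: str) -> str:
    """Validate 'sha256:<64 hex chars>' (case-insensitive); return lowercase hex."""
    algo, sep, digest = pin.strip().partition(":")
    if not sep or algo.lower() != "sha256" or len(digest) != 64:
        raise ValueError("expected sha256:<64 hex characters>, got %r" % pin)
    int(digest, 16)  # raises ValueError if the digest is not hexadecimal
    return digest.lower()


def pin_matches(der_cert: bytes, pin: str) -> bool:
    """Constant-time comparison of the certificate hash with the pin."""
    return hmac.compare_digest(cert_sha256_hex(der_cert), parse_pin(pin))


def proxy_status_ok(status_line: bytes) -> bool:
    """True for a CONNECT reply such as b'HTTP/1.1 200 Connection established'."""
    parts = status_line.split()
    return len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1] == b"200"


def fetch_cert_via_proxy(host, port, proxy=DEFAULT_PROXY, timeout=10.0) -> bytes:
    """Open a CONNECT tunnel, complete a TLS handshake, return the leaf cert (DER).
    Verification is switched off here only so the certificate can be read out for
    comparison; nothing is sent over the connection after the handshake."""
    sock = socket.create_connection(proxy, timeout=timeout)
    try:
        request = f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n"
        sock.sendall(request.encode())
        reply = b""
        while b"\r\n\r\n" not in reply:            # read the proxy's header block
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("proxy closed the connection during CONNECT")
            reply += chunk
        status_line = reply.split(b"\r\n", 1)[0]
        if not proxy_status_ok(status_line):
            raise ConnectionError("proxy refused CONNECT: %r" % status_line)
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False                 # must precede verify_mode
        ctx.verify_mode = ssl.CERT_NONE
        tls = ctx.wrap_socket(sock, server_hostname=host)
        try:
            return tls.getpeercert(binary_form=True)
        finally:
            tls.close()
    finally:
        sock.close()


def main(argv):
    pin = argv[1] if len(argv) > 1 else None       # sha256:... from a trusted source
    der = fetch_cert_via_proxy(*DEFAULT_GATEWAY)
    print("sha256:" + cert_sha256_hex(der))
    if pin is None:
        return 0
    ok = pin_matches(der, pin)
    print("pin matches" if ok else "PIN MISMATCH: do not accept this gateway")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 checkpin.py sha256:<expected hex>`; a non-zero exit means the certificate the proxy-side handshake returned is not the one you were told to expect, which is the case where typing "yes" at the openconnect prompt should be refused.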
■Preparation for connecting with Cisco AnyConnect VPN

$ lsb_release -d
Description:    Debian GNU/Linux 9.5 (stretch)
$ sudo apt-cache search ^openconnect
ocserv - OpenConnect VPN server compatible with Cisco AnyConnect VPN
openconnect - open client for Cisco AnyConnect VPN
openconnect-dbg - debugging symbols for the OpenConnect VPN client
$ sudo apt-get install -y openconnect

■Connecting with Cisco AnyConnect VPN through the proxy

$ sudo openconnect \
    --user=$USERNAME \
    -P http://172.31.31.93:8080/ \
    -b \
    dcloud-sng-anyconnect.cisco.com
POST https://dcloud-sng-anyconnect.cisco.com/
Connected to 172.31.31.93:8080
Requesting HTTP proxy connection to dcloud-sng-anyconnect.cisco.com:443
SSL negotiation with dcloud-sng-anyconnect.cisco.com
Server certificate verify failed: signer not found

Certificate from VPN server "dcloud-sng-anyconnect.cisco.com" failed verification.
Reason: signer not found
To trust this server in future, perhaps add this to your command line:
    --servercert sha256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Enter 'yes' to accept, 'no' to abort; anything else to view: yes
Connected to HTTPS on dcloud-sng-anyconnect.cisco.com
XML POST enabled
Please enter your username and password.
GROUP: [Anyconnect-to-dCloud]:Anyconnect-to-dCloud
POST https://dcloud-sng-anyconnect.cisco.com/
XML POST enabled
Please enter your username and password.
Password:
POST https://dcloud-sng-anyconnect.cisco.com/
Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 10, Keepalive 20
Set up DTLS failed; using SSL instead
Connected as 10.16.4.193, using SSL
Connect Banner:
| " You are now connected to the Cisco dCloud Singapore Platform "
|

■Checking the VPN tunnel

$ ip a show dev tun0 | sed -e 's/:[a-z0-9]*/:XXXX/g' -e 's/\.[0-9][0-9]/.XX/g'
8:XXXX tun0:XXXX <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1303 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none
    inet 10.XX.4.XX3/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80:XXXX:XXXX:XXXX:XXXX:XXXX/64 scope link flags 800
       valid_lft forever preferred_lft forever
$ ip route show dev tun0
10.16.0.0/15 scope link
10.16.4.192/28 scope link
10.64.0.0/10 scope link
198.18.0.0/15 scope link
198.18.133.1 scope link

■Stopping openconnect

$ sudo pkill openconnect

■Reconnecting

$ sudo openconnect \
    --user=$USERNAME \
    -P http://172.31.31.93:8080/ \
    -b \
    dcloud-sng-anyconnect.cisco.com
...
Requesting HTTP proxy connection to dcloud-sng-anyconnect.cisco.com:443
SSL negotiation with dcloud-sng-anyconnect.cisco.com
Server certificate verify failed: signer not found
Connected to HTTPS on dcloud-sng-anyconnect.cisco.com
Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 10, Keepalive 20

■Proxy server log

$ sudo grep "Open AnyConnect VPN Agent v7.08" /var/log/squid/access.log | sed -e 's/\.[0-9][0-9]/.XX/g'
172.XX.XX.XX - - [18/Jul/2018:09:11:07 +0900] "CONNECT dcloud-sng-anyconnect.cisco.com:443 HTTP/1.1" 200 16791 "-" "Open AnyConnect VPN Agent v7.XX" TCP_TUNNEL:HIER_DIRECT
172.XX.XX.XX - - [18/Jul/2018:09:14:24 +0900] "CONNECT dcloud-sng-anyconnect.cisco.com:443 HTTP/1.1" 200 16722 "-" "Open AnyConnect VPN Agent v7.XX" TCP_TUNNEL:HIER_DIRECT
172.XX.XX.XX - - [18/Jul/2018:09:19:35 +0900] "CONNECT dcloud-sng-anyconnect.cisco.com:443 HTTP/1.1" 200 17948 "-" "Open AnyConnect VPN Agent v7.XX" TCP_TUNNEL:HIER_DIRECT
172.XX.XX.XX - - [18/Jul/2018:09:24:37 +0900] "CONNECT dcloud-sng-anyconnect.cisco.com:443 HTTP/1.1" 200 15168 "-" "Open AnyConnect VPN Agent v7.XX" TCP_TUNNEL:HIER_DIRECT
172.XX.XX.XX - - [18/Jul/2018:09:26:12 +0900] "CONNECT dcloud-sng-anyconnect.cisco.com:443 HTTP/1.1" 200 10997 "-" "Open AnyConnect VPN Agent v7.XX" TCP_TUNNEL:HIER_DIRECT
172.XX.XX.XX - - [18/Jul/2018:10:11:16 +0900] "CONNECT dcloud-sng-anyconnect.cisco.com:443 HTTP/1.1" 200 997502 "-" "Open AnyConnect VPN Agent v7.XX" TCP_TUNNEL:HIER_DIRECT
172.XX.XX.XX - - [18/Jul/2018:10:16:17 +0900] "CONNECT dcloud-sng-anyconnect.cisco.com:443 HTTP/1.1" 200 46902 "-" "Open AnyConnect VPN Agent v7.XX" TCP_TUNNEL:HIER_DIRECT
172.XX.XX.XX - - [18/Jul/2018:10:21:18 +0900] "CONNECT dcloud-sng-anyconnect.cisco.com:443 HTTP/1.1" 200 15935 "-" "Open AnyConnect VPN Agent v7.XX" TCP_TUNNEL:HIER_DIRECT

■Packet capture while connected with remmina remote desktop

$ sudo tcpdump -i tun0 -n tcp port 3389 -c 5 | sed -e 's/[0-9][0-9]\./XX./g'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
5 packets captured
21 packets received by filter
0 packets dropped by kernel
10:13:XX.076052 IP XX.XX.4.1XX.43672 > 1XX.XX.1XX.XX.3389: Flags [P.], seq 1108420422:1108420461, ack 1869198707, win 1323, options [nop,nop,TS val 7272608 ecr 122918335], length 39
10:13:XX.081816 IP XX.XX.4.1XX.43672 > 1XX.XX.1XX.XX.3389: Flags [P.], seq 39:78, ack 1, win 1323, options [nop,nop,TS val 7272609 ecr 122918335], length 39
10:13:XX.089996 IP XX.XX.4.1XX.43672 > 1XX.XX.1XX.XX.3389: Flags [P.], seq 78:117, ack 1, win 1323, options [nop,nop,TS val 7272611 ecr 122918335], length 39
10:13:XX.098084 IP XX.XX.4.1XX.43672 > 1XX.XX.1XX.XX.3389: Flags [P.], seq 117:156, ack 1, win 1323, options [nop,nop,TS val 7272613 ecr 122918335], length 39
10:13:XX.106061 IP XX.XX.4.1XX.43672 > 1XX.XX.1XX.XX.3389: Flags [P.], seq 156:195, ack 1, win 1323, options [nop,nop,TS val 7272615 ecr 122918335], length 39

■Telnet connections are also fairly tedious, so open them in mate-terminal tabs as follows.

$ echo "[Router]";seq 30001 30020 | awk '{print "mate-terminal --tab -x telnet 198.18.129.33 "$1" &"}' | sh
$ echo "[Switch]";seq 30101 30105 | awk '{print "mate-terminal --tab -x telnet 198.18.129.33 "$1" &"}' | sh

■Collect the interface status from each switch and save it as [hostname.txt]

# show int status

■Then process it as follows. The ordering changing along the way is not something I will worry about.

$ for list in $(seq 105 -1 101);do \
  awk '/Et/{if($4!="a-full")print "[sw"'${list}'"."$1"] -- ["$3"."$4"]"}' "sw${list}.txt"; \
  done | sort -V > dcloud-lan.dot
$ awk '{print $1,$3}' dcloud-lan.dot | tr ' ' '\n' | sort -u | xargs echo -n | \
  sed -e '1,/\[sw105/ s/\[sw105/\n&/' -e '1,/\[sw104/ s/\[sw104/\n&/' \
  -e '1,/\[sw103/ s/\[sw103/\n&/' -e '1,/\[sw102/ s/\[sw102/\n&/' \
  -e '1,/\[sw101/ s/\[sw101/\n&/' \
  -e '1,/\[r20/ s/\[r20/\n&/' -e '1,/\[r19/ s/\[r19/\n&/' \
  -e '1,/\[r18/ s/\[r18/\n&/' -e '1,/\[r17/ s/\[r17/\n&/' \
  -e '1,/\[r16/ s/\[r16/\n&/' -e '1,/\[r15/ s/\[r15/\n&/' \
  -e '1,/\[r14/ s/\[r14/\n&/' -e '1,/\[r13/ s/\[r13/\n&/' \
  -e '1,/\[r12/ s/\[r12/\n&/' -e '1,/\[r11/ s/\[r11/\n&/' \
  -e '1,/\[r10/ s/\[r10/\n&/' -e '1,/\[r9/ s/\[r9/\n&/' -e '1,/\[r8/ s/\[r8/\n&/' \
  -e '1,/\[r7/ s/\[r7/\n&/' -e '1,/\[r6/ s/\[r6/\n&/' -e '1,/\[r5/ s/\[r5/\n&/' \
  -e '1,/\[r4/ s/\[r4/\n&/' -e '1,/\[r3/ s/\[r3/\n&/' -e '1,/\[r2/ s/\[r2/\n&/' \
  -e '1,/\[r1/ s/\[r1/\n&/' | awk '/[a-z]/{a=$1;gsub(".[Ee].*|\\[","",a);print "( "a" "$0")"}' | tac >> dcloud-lan.dot
$ awk '{if($3<$1){print}else if($1=="("){print}}' dcloud-lan.dot > dcloud-lan.txt
$ sed -i -e 's/Et/e/g' dcloud-lan.txt
$ awk '!/\-\- \[r[0-9]/{print}' dcloud-lan.txt | sort -V > dcloud-lan-nr.txt
$ awk '/\-\- \[r[0-9]/{print $3,$2,$1}' dcloud-lan.txt | sort -V > dcloud-lan-r.txt
$ cat dcloud-lan-r.txt dcloud-lan-nr.txt > dcloud-lan.txt
$ cat dcloud-lan.txt | graph-easy --dot | dot -T png -o dcloud-lan.png
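The Squid access.log lines quoted in the proxy server log section earlier are in Squid's "combined" logformat, and a CONNECT to an SSL-VPN gateway answered with TCP_TUNNEL is exactly the record a proxy administrator would want to pick out: it is an encrypted tunnel leaving the network through the proxy, with only the User-Agent and destination visible. The script below is an added example, not part of the original notes: it parses that format and groups successful CONNECT tunnels by client and destination, filtered by User-Agent prefix. The sample lines are constructed for the example (the masked client addresses are replaced with made-up 172.31.31.x hosts, and one ordinary browser CONNECT plus one GET are added to show the filtering); the timestamps and byte counts of the AnyConnect lines are taken from the log on this page.

```python
#!/usr/bin/env python3
"""Pick out CONNECT tunnels to an SSL-VPN gateway from a Squid access.log in
the 'combined' logformat. Added example; sample lines are constructed."""
import re
from datetime import datetime

# combined format: client ident user [time] "method url proto" status bytes
#                  "referer" "user-agent" squidtag:hierarchy
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" '
    r'(?P<tag>\S+)$'
)

# Constructed sample: four AnyConnect tunnels (times/bytes from these notes,
# client address made up), one browser CONNECT and one plain GET.
SAMPLE_LOG = """\
172.31.31.200 - - [18/Jul/2018:09:11:07 +0900] "CONNECT dcloud-sng-anyconnect.cisco.com:443 HTTP/1.1" 200 16791 "-" "Open AnyConnect VPN Agent v7.08" TCP_TUNNEL:HIER_DIRECT
172.31.31.200 - - [18/Jul/2018:09:14:24 +0900] "CONNECT dcloud-sng-anyconnect.cisco.com:443 HTTP/1.1" 200 16722 "-" "Open AnyConnect VPN Agent v7.08" TCP_TUNNEL:HIER_DIRECT
172.31.31.200 - - [18/Jul/2018:09:20:01 +0900] "GET http://deb.debian.org/debian/dists/stretch/InRelease HTTP/1.1" 200 1234 "-" "Debian APT-HTTP/1.3 (1.4.8)" TCP_MISS:HIER_DIRECT
172.31.31.201 - - [18/Jul/2018:09:30:12 +0900] "CONNECT www.example.com:443 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)" TCP_TUNNEL:HIER_DIRECT
172.31.31.200 - - [18/Jul/2018:10:11:16 +0900] "CONNECT dcloud-sng-anyconnect.cisco.com:443 HTTP/1.1" 200 997502 "-" "Open AnyConnect VPN Agent v7.08" TCP_TUNNEL:HIER_DIRECT
172.31.31.200 - - [18/Jul/2018:10:21:18 +0900] "CONNECT dcloud-sng-anyconnect.cisco.com:443 HTTP/1.1" 200 15935 "-" "Open AnyConnect VPN Agent v7.08" TCP_TUNNEL:HIER_DIRECT
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def summarize_tunnels(lines, ua_prefix="Open AnyConnect VPN Agent"):
    """Group successful CONNECT tunnels whose User-Agent starts with ua_prefix
    by (client, destination): session count, bytes, first and last timestamp.
    An empty prefix keeps every CONNECT."""
    summary = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT" or rec["status"] != 200:
            continue
        if not rec["ua"].startswith(ua_prefix):
            continue
        key = (rec["client"], rec["target"])
        s = summary.setdefault(key, {"sessions": 0, "bytes": 0,
                                     "first": rec["ts"], "last": rec["ts"]})
        s["sessions"] += 1
        s["bytes"] += rec["bytes"]
        s["first"] = min(s["first"], rec["ts"])
        s["last"] = max(s["last"], rec["ts"])
    return summary


def report(summary):
    """One human-readable line per (client, destination) pair."""
    lines = []
    for (client, target), s in sorted(summary.items()):
        span = (s["last"] - s["first"]).total_seconds()
        lines.append(f"{client} -> {target}: {s['sessions']} tunnel(s), "
                     f"{s['bytes']} bytes, {span:.0f}s between first and last")
    return lines


if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for out in report(summarize_tunnels(src)):
        print(out)
```

Point it at a real file with `python3 squid-tunnels.py /var/log/squid/access.log`; the default User-Agent prefix matches the `grep` used above, and `ua_prefix=""` lists every CONNECT tunnel, which is the more useful view when looking for VPN clients that do not announce themselves so plainly.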
■Assuming the two Windows machines use 8GB and the host OS 4GB, it may be better to simply split a reproduction environment across two hosts. With about 32GB of host memory it looks reproducible on one, though.

$ echo "135081 25" | awk '{print $1*$2/1024/1024"GB"}'
3.22058GB
$ echo "128 5 256 20" | awk '{print ($1*$2+$3*$4)/1024"GB"}'
5.625GB

r5>sho ver | inc ^Cisco|byte|^System image
Cisco IOS Software, Linux Software (I86BI_LINUX-ADVENTERPRISEK9-M), Version 15.7(3)M2, DEVELOPMENT TEST SOFTWARE
System image file is "unix:./l3image"
Linux Unix (Intel-x86) processor with 76825K bytes of memory.
64K bytes of NVRAM.

sw105>sho ver | inc ^Cisco|byte|^System image
Cisco IOS Software, Linux Software (I86BI_LINUXL2-ADVENTERPRISEK9-M), Version 15.2(CML_NIGHTLY_20180510)FLO_DSGS7, EARLY DEPLOYMENT DEVELOPMENT BUILD, synced to V152_6_0_81_E
System image file is "unix:./l2image"
Linux Unix (Intel-x86) processor with 135081K bytes of memory.
20K bytes of NVRAM.