■Connecting [Cisco IOU L2] to a KVM host over a host-only network.
First, connect the simple L2 switch below (ipbase model) to the host OS NIC and, so that it can serve as a management network, configure telnet, an NTP client, SNMP, SNMP traps, syslog and NetFlow.
Cloud : connected to the host OS HostOnly adapter
L2SW-base : [Cisco IOU 15.1g] connected (expanded from 4 ports to 8)
$ echo "[host-br1] -- [L2SW-base]"
[host-br1] -- [L2SW-base]
■The KVM host was set up as follows.
Installing KVM on Debian stretch:
http://labunix.hateblo.jp/entry/20180501/1525182562
■Checking the version
L2SW-base#show ver | inc ^Cisco IOS
Cisco IOS Software, Solaris Software (I86BI_LINUXL2-IPBASEK9-M), Experimental Version 15.1(20130726:213425) [dstivers-july26-2013-team_track 105]
■Enabling telnet
L2SW-base#show run | section line vty
line vty 0 4
password cisco
login
transport input telnet
■Setting the enable password
L2SW-base#show run | inc enable
enable password cisco
■Assigning an IP address to VLAN20
Put [e0/0] into VLAN20.
L2SW-base#show run | section interface Vlan20
interface Vlan20
ip address 192.168.0.20 255.255.255.0
L2SW-base#show run | section interface Ethernet0/0
interface Ethernet0/0
description [L2SW-base]--[host-br1]
switchport access vlan 20
switchport mode access
duplex auto
■Telnet from the host OS now works.
$ telnet 192.168.0.20
Trying 192.168.0.20...
Connected to 192.168.0.20.
Escape character is '^]'.
User Access Verification
Password:
L2SW-base>en
Password:
L2SW-base#
■To allow connections from another machine that can reach the host OS
$ socat tcp-listen:8023,fork tcp-connect:192.168.0.20:23 &
[1] 16628
$ jobs
[1]+ 実行中 socat tcp-listen:8023,fork tcp-connect:192.168.0.20:23 &
$ telnet 172.31.31.92 8023
$ ss -tn | grep :8023
ESTAB 0 0 172.31.31.92:8023 172.31.31.90:47428
$ fg 1
socat tcp-listen:8023,fork tcp-connect:192.168.0.20:23
^C
■NTP configuration
Use the host OS's NTP server as the reference.
$ grep "^restrict 192" /etc/ntp.conf
restrict 192.168.0.0 mask 255.255.255.0 nomodify
L2SW-base#show running-config | section ntp
ntp source Vlan20
ntp server 192.168.0.5
ntp update-calendar
L2SW-base#show ntp associations
address ref clock st when poll reach delay offset disp
*~192.168.0.5 172.31.31.252 3 35 64 1 0.937 0.346 188.52
* sys.peer,
■Configuring syslog forwarding
Forward to the rsyslog server on the host OS.
$ grep -A 1 "module.*udp\|192.168.0.20" /etc/rsyslog.conf
module(load="imudp")
input(type="imudp" port="514")
--
fromhost-ip, isequal, "192.168.0.20" -/var/log/GNS3-L2SW-base.log
& stop
L2SW-base#show run | section service timestamps|clock|logging
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
logging discriminator EXCESS severity drops 6 msg-body drops EXCESSCOLL
logging buffered 512000
logging console discriminator EXCESS
clock timezone JST 9 0
logging host 192.168.0.5
logging synchronous
logging synchronous
$ sudo tail -f /var/log/GNS3-L2SW-base.log
Jul 23 21:05:22 192.168.0.20 97: 000097: .Jul 23 21:05:21.815 JST: %SYS-5-CONFIG_I: Configured from console by vty0 (192.168.0.5)
■SNMP configuration
Configure the switch to answer SNMP requests from the host OS, and have the host OS record SNMP traps in its log.
$ sudo grep public /etc/snmp/snmpd.conf
rocommunity public default -V systemonly
rocommunity6 public default -V systemonly
trapsink localhost public
$ grep ^auth /etc/snmp/snmptrapd.conf
authCommunity log,execute,net public
L2SW-base#show running-config | section snmp-server
snmp-server community public RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps flowmon
snmp-server enable traps tty
snmp-server enable traps casa
snmp-server enable traps eigrp
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config
snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up
snmp-server enable traps bgp
snmp-server enable traps dlsw
snmp-server enable traps isis
snmp-server enable traps msdp
snmp-server enable traps rsvp
snmp-server enable traps ipsla
snmp-server enable traps slb real virtual csrp
snmp-server enable traps auth-framework sec-violation
snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps stpx inconsistency root-inconsistency loop-inconsistency
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps bfd
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps mvpn
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps syslog
snmp-server enable traps ethernet cfm alarm
snmp-server enable traps vrfmib vrf-up vrf-down vnet-trunk-up vnet-trunk-down
snmp-server host 192.168.0.5 public
$ snmpwalk -v 1 -c public 192.168.0.20 iso.3.6.1.4.1.9.2.1.3.0
iso.3.6.1.4.1.9.2.1.3.0 = STRING: "L2SW-base"
$ sudo tail -f /var/log/syslog | \
awk '/192.168.0.20/{gsub(", |INTEGER:","\n& ",$0);gsub("'$(hostname -s)'","dummy-host\n",$0);print $0}'
Jul 23 21:22:18 dummy-host
snmptrapd[17957]: 2018-07-23 21:22:18 192.168.0.20(via UDP: [192.168.0.20]:63142->[192.168.0.5]:162) TRAP
, SNMP v1
, community public#012#011iso.3.6.1.4.1.9 Enterprise Specific Trap (1) Uptime: 1:03:02.73#012#011iso.3.6.1.4.1.9.2.9.3.1.1.2.1 =
INTEGER: 5#011iso.3.6.1.2.1.6.13.1.1.192.168.0.20.23.192.168.0.5.59416 =
INTEGER: 5#011iso.3.6.1.4.1.9.2.6.1.1.5.192.168.0.20.23.192.168.0.5.59416 =
INTEGER: 61442#011iso.3.6.1.4.1.9.2.6.1.1.1.192.168.0.20.23.192.168.0.5.59416 =
INTEGER: 99#011iso.3.6.1.4.1.9.2.6.1.1.2.192.168.0.20.23.192.168.0.5.59416 =
INTEGER: 2900#011iso.3.6.1.4.1.9.2.9.2.1.18.2 = ""
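The awk one-liner above only reflows the trap for reading. As an added example (not code from the original post), here is a small Python parser that turns one rsyslog-escaped snmptrapd line into structured fields and varbinds, plus a check that the trap came from the expected agent and community; the sample line is constructed from the trap shown above.

```python
import re

# Constructed sample line, modelled on the trap shown above. rsyslog stores
# snmptrapd's newline as "#012" and its tab as "#011", so a whole trap is one line.
SAMPLE = ('Jul 23 21:22:18 dummy-host snmptrapd[17957]: 2018-07-23 21:22:18 '
          '192.168.0.20(via UDP: [192.168.0.20]:63142->[192.168.0.5]:162) TRAP, SNMP v1, '
          'community public#012#011iso.3.6.1.4.1.9 Enterprise Specific Trap (1) '
          'Uptime: 1:03:02.73#012#011iso.3.6.1.4.1.9.2.9.3.1.1.2.1 = INTEGER: 5'
          '#011iso.3.6.1.2.1.6.13.1.1.192.168.0.20.23.192.168.0.5.59416 = INTEGER: 5'
          '#011iso.3.6.1.4.1.9.2.9.2.1.18.2 = ""')

HEAD_RE = re.compile(
    r'snmptrapd\[\d+\]: \S+ \S+ (?P<agent>[\d.]+)\(via UDP: \[(?P<src>[\d.]+)\]:\d+'
    r'->\[(?P<dst>[\d.]+)\]:(?P<dport>\d+)\) TRAP, (?P<version>SNMP v\d), '
    r'community (?P<community>[^#\s]+)')
TYPE_RE = re.compile(r'(?P<enterprise>\S+) (?P<kind>.+?) Uptime: (?P<uptime>\S+)')


def parse_trap_line(line: str) -> dict:
    """Split one rsyslog-escaped snmptrapd line into header fields and varbinds."""
    head = HEAD_RE.search(line)
    parts = line.split('#012#011')  # [summary, trap type, varbind block]
    if not head or len(parts) < 3:
        raise ValueError('not a complete snmptrapd trap line')
    ttype = TYPE_RE.match(parts[1])
    if not ttype:
        raise ValueError('unrecognised trap type line')
    varbinds = {}
    for vb in parts[2].split('#011'):  # one varbind per escaped tab
        oid, _, val = vb.partition(' = ')
        vtype, sep, value = val.partition(': ')
        # An untyped quoted value is a STRING (e.g. the trailing "" above)
        varbinds[oid] = (vtype, value) if sep else ('STRING', val.strip('"'))
    trap = dict(head.groupdict())
    trap['dport'] = int(trap['dport'])
    trap.update(ttype.groupdict())
    trap['varbinds'] = varbinds
    return trap


def is_expected(trap: dict, agents=frozenset({'192.168.0.20'}), community='public') -> bool:
    """True when the trap came from a known agent with the configured community."""
    return trap['agent'] in agents and trap['community'] == community


if __name__ == '__main__':
    t = parse_trap_line(SAMPLE)
    print(t['agent'], t['version'], t['kind'], 'expected' if is_expected(t) else 'UNEXPECTED')
    for oid, (vtype, value) in t['varbinds'].items():
        print(f'  {oid} = {vtype}: {value}')
```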
■NetFlow configuration
$ sudo apt-get install -y flow-tools
$ sudo mkdir /var/flow/
$ grep "^\-" /etc/flow-tools/flow-capture.conf
-w /var/flow -n 275 0/0/9999
$ ps axo cmd | grep flow-captur[e]
/usr/bin/flow-capture -w /var/flow -n 275 0/0/9999
$ ss -a | grep 9999
udp UNCONN 0 0 *:9999 *:*
$ flow-[TAB]
flow-capture flow-expire flow-filter flow-import flow-merge flow-receive flow-rptfmt flow-stat
flow-cat flow-export flow-gen flow-log2rrd flow-nfilter flow-report flow-send flow-tag
flow-dscan flow-fanout flow-header flow-mask flow-print flow-rpt2rrd flow-split flow-xlate
■With IPv4 CEF enabled, NetFlow covers both directions, receive and transmit.
L2SW-base#show run | include cef
no ipv6 cef
ip cef
L2SW-base#show run | section flow-sampler-map
flow-sampler-map OUT-FLOW
mode random one-out-of 100
L2SW-base#show run | section interface Vlan20
interface Vlan20
ip flow ingress
ip address 192.168.0.20 255.255.255.0
flow-sampler OUT-FLOW egress
L2SW-base#show run | section ip flow-export
ip flow-export source Vlan20
ip flow-export version 5
ip flow-export destination 192.168.0.5 9999
■Verifying NetFlow
L2SW-base#show ip flow interface
Vlan20
ip flow ingress
flow-sampler OUT-FLOW egress
L2SW-base#show ip flow export
Flow export v5 is enabled for main cache
Export source and destination details :
VRF ID : Default
Source(1) 192.168.0.20 (Vlan20)
Destination(1) 192.168.0.5 (9999)
Version 5 flow records
47 flows exported in 30 udp datagrams
0 flows failed due to lack of export packet
0 export packets were sent up to process level
0 export packets were dropped due to no fib
0 export packets were dropped due to adjacency issues
0 export packets were dropped due to fragmentation failures
0 export packets were dropped due to encapsulation fixup failures
L2SW-base#show ip cache flow
IP packet size distribution (1845 total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.000 .968 .026 .005 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 278544 bytes
1 active, 4095 inactive, 38 added
934 ager polls, 0 flow alloc failures
Active flows timeout in 1 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 33608 bytes
1 active, 1023 inactive, 38 added, 38 added to flow
0 alloc failures, 0 force free
1 chunk, 2 chunks added
last clearing of statistics never
Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow
TCP-Telnet 22 0.0 80 40 0.2 14.5 14.0
UDP-NTP 9 0.0 3 76 0.0 5.3 15.9
UDP-other 2 0.0 1 109 0.0 0.0 15.8
ICMP 4 0.0 4 92 0.0 1.5 15.5
Total: 37 0.0 49 41 0.2 10.1 14.7
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Vl20 192.168.0.5 Local 192.168.0.20 06 8212 0017 19
L2SW-base#show flow-sampler
Sampler : OUT-FLOW, id : 1, packets matched : 0, mode : random sampling mode
sampling interval is : 100
$ find /var/flow/ -type f -name "ft*" | awk '{print " flow-print < "$0}' | sh
srcIP dstIP prot srcPort dstPort octets packets
192.168.0.5 192.168.0.20 6 35222 23 406 10
192.168.0.5 192.168.0.20 6 35250 23 1125 26
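flow-capture writes the raw export datagrams to disk; to see what the switch actually sends with "ip flow-export version 5", here is an added Python decoder for the NetFlow v5 wire format (24-byte header, 48-byte records). It is not code from the original post or from flow-tools; the sample datagram is constructed here to mirror the two telnet flows flow-print listed above.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v5 wire layout: 24-byte header followed by `count` 48-byte records.
HEADER = struct.Struct('!HHIIIIBBH')
RECORD = struct.Struct('!4s4s4sHHIIIIHHBBBBHHBBH')


def parse_netflow_v5(datagram: bytes) -> dict:
    """Decode one export datagram (as sent to UDP 9999 above) into header + flows."""
    if len(datagram) < HEADER.size:
        raise ValueError('datagram shorter than a v5 header')
    (version, count, sys_uptime, unix_secs, _nsecs, seq,
     _engine_type, _engine_id, sampling) = HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f'unsupported NetFlow version {version}')
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError('record count does not match datagram length')
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({'srcIP': str(IPv4Address(f[0])), 'dstIP': str(IPv4Address(f[1])),
                      'prot': f[13], 'srcPort': f[9], 'dstPort': f[10],
                      'octets': f[6], 'packets': f[5], 'tcp_flags': f[12]})
    # Low 14 bits of the sampling field carry the interval ("one-out-of 100").
    return {'seq': seq, 'uptime_ms': sys_uptime, 'unix_secs': unix_secs,
            'sampling_interval': sampling & 0x3FFF, 'flows': flows}


def build_sample_datagram() -> bytes:
    """Constructed datagram carrying the two telnet flows seen in flow-print above."""
    def rec(sport, octets, pkts):
        return RECORD.pack(IPv4Address('192.168.0.5').packed, IPv4Address('192.168.0.20').packed,
                           b'\0\0\0\0', 1, 0, pkts, octets, 1000, 5000, sport, 23,
                           0, 0x18, 6, 0, 0, 0, 24, 24, 0)
    header = HEADER.pack(5, 2, 3782730, 1532358000, 0, 45, 0, 0, 100)
    return header + rec(35222, 406, 10) + rec(35250, 1125, 26)


def telnet_flows(parsed: dict) -> list:
    """Flows terminating on TCP/23: the plaintext management sessions worth watching."""
    return [f for f in parsed['flows'] if f['prot'] == 6 and f['dstPort'] == 23]


if __name__ == '__main__':
    parsed = parse_netflow_v5(build_sample_datagram())
    print('srcIP           dstIP           prot srcPort dstPort octets packets')
    for f in parsed['flows']:
        print(f"{f['srcIP']:<15} {f['dstIP']:<15} {f['prot']:<4} {f['srcPort']:<7} "
              f"{f['dstPort']:<7} {f['octets']:<6} {f['packets']}")
```

Egress flows pass through the 1-in-100 sampler configured above, so their packet and octet counts must be scaled by the decoded sampling interval before comparing them with ingress flows.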
■Debugging NetFlow
L2SW-base#debug ip flow cache
L2SW-base#debug ip flow export
L2SW-base#debug ip flow non-forwarded
000176: Jul 23 23:59:58.936 JST: IPFLOW: Allocating Sub-Flow cache, without hash flags.
000177: Jul 23 23:59:58.936 JST: IPFLOW: Sub-Flow table enabled.
000178: Jul 23 23:59:58.936 JST: IPFLOW: Sub-Flow numbers are:
8 sub-flows per chunk, 0 hashflag len,
1 chunks allocated, 20 max chunks,
8 allocated records, 8 free records, 576 bytes allocated
000179: Jul 23 23:59:58.936 JST: IPFLOW: Sub-Flow cache removed
000180: Jul 24 00:00:25.176 JST: IPFLOW: Sending export pak to 192.168.0.5 port 9999
000181: Jul 24 00:00:36.239 JST: IPFlow: Packet received src - 192.168.0.5, dst - 192.168.0.20, reason - Packet destined for us
000182: Jul 24 00:00:42.373 JST: IPFlow: Packet received src - 192.168.0.5, dst - 192.168.0.20, reason - Packet destined for us
000183: Jul 24 00:01:02.176 JST: IPFLOW: Sending export pak to 192.168.0.5 port 9999
000184: Jul 24 00:01:22.180 JST: IPFLOW: Sending export pak to 192.168.0.5 port 9999
$ sudo strace -p 26463
...
lseek(2, 0, SEEK_SET) = 0
write(2, "\317\20\1\3T\0\0\0\2\0\2\0\5\0\6\0\4\0V\355U[\7\0\4\0p\355U[\10\0"..., 84) = 84
lseek(2, 0, SEEK_END) = 84
write(2, "x\234\23\177\33\32\315\21\262\213k\243\341I\6\21\206\25\7X\201\30D3\0\2012\20s\1\3614"..., 86) = 86
brk(0x55f6d24a2000) = 0x55f6d24a2000
brk(0x55f6d2492000) = 0x55f6d2492000
brk(0x55f6d2482000) = 0x55f6d2482000
brk(0x55f6d2472000) = 0x55f6d2472000
brk(0x55f6d246e000) = 0x55f6d246e000
close(2) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=318, ...}) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=318, ...}) = 0
rename("2018/2018-07/2018-07-23/tmp-v05.2018-07-23.235934+0900", "2018/2018-07/2018-07-23/ft-v05.2018-07-23.235934+0900") = 0