Tuesday, August 20, 2019

Router# disconnect 1


Command or Action / Purpose

Step 1
  Command: service-module interface slot/port password-reset
  Example: Router# service-module gigabitethernet2/0 password-reset
  Purpose: Ensures that the switch stays at the boot loader prompt, so that you can copy a new image through the Xmodem Protocol.

Step 2
  Command: flash_init
  Example: Switch: flash_init
  Purpose: Initializes the flash memory file system on the switch.

Step 3
  Command: control+shift+6 x
  Example: Switch: control+shift+6 x
  Purpose: Returns you to the router console while keeping the console session to the switch intact. (Use x to get back to the router prompt.)

Step 4
  Command: disconnect
  Example: Router# disconnect 1
  Purpose: Disconnects the switch session to begin the Xmodem download.

Step 5
  Command: copy flash: xmodem:
  Example: Router# copy flash: xmodem:
  Purpose: Starts the file transfer from the router flash memory by using the Xmodem Protocol from the router prompt.
  Note: Use this command to download the software image from the router flash memory. Use this command from the router prompt.

  or

  Command: copy tftp: xmodem:
  Example: Router# copy tftp: xmodem:
  Purpose: Starts the file transfer from a TFTP server from the router prompt.
  Note: Use this command to download the software image from a TFTP server. Use this command only if the image is not on the router flash memory.

Step 6
  Command: service-module interface slot/port session
  Example: Router# service-module gigabitethernet1/0 session
  Purpose: Connects to the service module and opens a Cisco enhanced EtherSwitch service module session.

Step 7
  Command: dir flash:
  Example: switch: dir flash:
  Purpose: Displays a list of all files and directories in flash memory on the service module.

Step 8
  Command: boot flash:image
  Example: switch> boot flash:c2960sm-lanbasek9-mz.image
  Purpose: Boots the Cisco enhanced EtherSwitch service module image if all files and directories are in flash memory on the service module.



https://www.cisco.com/c/en/us/td/docs/routers/access/interfaces/software/feature/guide/eesm_sw.html#71280

Monday, August 19, 2019

Cisco NAT default timeouts

Cisco default NAT timeouts
Defaults
timeout: 86,400 seconds (24 hours)
udp-timeout: 300 seconds (5 minutes)
dns-timeout: 60 seconds (1 minute)
tcp-timeout: 86,400 seconds (24 hours)
finrst-timeout: 60 seconds (1 minute)
icmp-timeout: 60 seconds (1 minute)
pptp-timeout: 86,400 seconds (24 hours)
syn-timeout: 60 seconds (1 minute)
seconds: 0 (never)

How far to tune these depends on the actual business applications. If there are no special requirements, they can be changed to:
TCP session aging time: 300 seconds
UDP session aging time: 180 seconds
PPTP session aging time: 300 seconds
ICMP session aging time: 10 seconds
DNS session aging time: 10 seconds
tcp-syn packet aging time: 10 seconds

In my experience the problem is NAT; you can limit the number of concurrent NAT translations and how long each translation stays valid, for example:
ip nat translation timeout 180
ip nat translation tcp-timeout 180
ip nat translation udp-timeout 180
ip nat translation syn-timeout 20
ip nat translation icmp-timeout 10
ip nat translation max-entries 10000
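The reason the long default timeouts matter once max-entries is capped is that the translation table holds roughly (new flows per second) x (seconds each entry lives). The following is an added Python example, not from the original post, that applies this Little's-law estimate to the default timeouts and to the tuned values from the commands above; the traffic profile (flow rates and the share of TCP sessions that close cleanly) is constructed, not measured.

```python
# Added example, not from the original post: a Little's-law estimate of how
# many translations the IOS NAT table holds at steady state, to show why the
# 24-hour default tcp-timeout matters once max-entries is capped. The traffic
# profile below is constructed, not measured.

# Default timeouts listed in the post (seconds)
DEFAULT_TIMEOUTS = {"tcp": 86400, "udp": 300, "icmp": 60, "finrst": 60, "syn": 60}
# Tuned values from the post's ip nat translation commands; finrst-timeout is
# not set there, so it keeps its default
TUNED_TIMEOUTS = {"tcp": 180, "udp": 180, "icmp": 10, "finrst": 60, "syn": 20}

# Constructed profile: new flows per second seen by the NAT, and the share of
# TCP sessions that end with a clean FIN/RST. A cleanly closed session ages out
# after finrst-timeout; an abandoned one (client crashed, laptop closed) stays
# until tcp-timeout expires.
TRAFFIC = {"tcp": 5.0, "udp": 20.0, "icmp": 1.0, "tcp_clean_close": 0.9}


def steady_state_entries(timeouts, traffic):
    """Entries held per protocol: arrival rate x lifetime (Little's law)."""
    tcp_clean = traffic["tcp"] * traffic["tcp_clean_close"]
    tcp_stale = traffic["tcp"] - tcp_clean
    per_proto = {
        "tcp": tcp_clean * timeouts["finrst"] + tcp_stale * timeouts["tcp"],
        "udp": traffic["udp"] * timeouts["udp"],
        "icmp": traffic["icmp"] * timeouts["icmp"],
    }
    per_proto["total"] = sum(per_proto.values())
    return per_proto


def fits_in_table(timeouts, traffic, max_entries):
    """True if expected occupancy stays under ip nat translation max-entries."""
    return steady_state_entries(timeouts, traffic)["total"] <= max_entries


def render_config(timeouts, max_entries):
    """IOS lines that apply these timeouts (the same commands the post uses)."""
    return [
        f"ip nat translation tcp-timeout {timeouts['tcp']}",
        f"ip nat translation udp-timeout {timeouts['udp']}",
        f"ip nat translation icmp-timeout {timeouts['icmp']}",
        f"ip nat translation finrst-timeout {timeouts['finrst']}",
        f"ip nat translation syn-timeout {timeouts['syn']}",
        f"ip nat translation max-entries {max_entries}",
    ]


if __name__ == "__main__":
    MAX_ENTRIES = 10000
    for label, t in (("default", DEFAULT_TIMEOUTS), ("tuned", TUNED_TIMEOUTS)):
        est = steady_state_entries(t, TRAFFIC)
        verdict = "fits" if fits_in_table(t, TRAFFIC, MAX_ENTRIES) else "exceeds"
        print(f"{label}: ~{est['total']:.0f} entries ({verdict} max-entries {MAX_ENTRIES})")
    print("\n".join(render_config(TUNED_TIMEOUTS, MAX_ENTRIES)))
```

With this profile the defaults leave about 49,500 entries in the table, almost all of them abandoned TCP sessions waiting out the 24-hour timeout, while the tuned values hold under 4,000, so a 10,000-entry cap is only realistic after the timeouts are lowered.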

Sunday, August 11, 2019

DNS

chown root:named test.com.zone
 2.7 Restart
systemctl restart named
 2.8 Enable at boot
systemctl enable named
 2.9 Open ports 53 and 953 on the firewall
firewall-cmd --add-port=53/tcp --permanent
firewall-cmd --add-port=53/udp --permanent
firewall-cmd --add-port=953/tcp --permanent
firewall-cmd --reload
 2.10 Disable SELinux
Change the value of SELINUX, then save and quit (:wq).
SELINUX=disabled
Reboot the OS
shutdown -r now

5. Troubleshooting
Because BIND's main configuration file named.conf and our zone files are complex and hard to read, configuration mistakes are hard to avoid. To make troubleshooting easier, BIND provides two very useful commands for checking named.conf and the zone files for errors:
(1) The named-checkconf command checks BIND's main configuration file for errors:
[root@xiaoluo named]# named-checkconf /var/named/chroot/etc/named.conf
(2) The named-checkzone command checks a zone file for errors:
[root@xiaoluo named]# named-checkzone cnblogs.com.zone /var/named/chroot/var/named/cnblogs.com.zone 
zone cnblogs.com.zone/IN: loaded serial 0
OK
With these two commands we can check the BIND main configuration file and the zone files right after writing them; if named-checkconf prints nothing and named-checkzone reports OK, the configuration has no syntax problems.

dns /var/named/rp.zone

[root@localhost ~]# cat /var/named/rp.zone
$TTL 1D
@   IN SOA          rp. root (
                                        1       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        0 )     ; minimum

        IN      NS      rp.
        IN      A       10.75.49.248
vcsa    IN      A       10.75.49.246
esx1    IN      A       10.75.49.253
esx2    IN      A       10.75.49.252
dns     IN      A       10.75.49.248

DNS /var/named/10.75.49.zone

[root@localhost ~]# cat /var/named/10.75.49.zone
$TTL 1D
@       IN SOA  dns.rp. dns.rp. (
                                        20171224      ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
@                     NS       rp.
248             IN      PTR        dns.rp.
246             IN      PTR        vcsa.rp.
253             IN      PTR        esx1.rp.
252             IN      PTR        esx2.rp.

DNS /etc/named.rfc1912.zones


zone "rp" IN {
        type master;
        file "rp.zone";
        allow-update { none; };
};

zone "49.75.10.in-addr.arpa" IN {
        type master;
        file "10.75.49.zone";
        allow-update { none; };
};
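named-checkzone only checks each zone file on its own; it will not tell you that a host has an A record with no PTR, or a PTR that points at a name nobody resolves to. The following is an added Python example, not part of the original post, that parses the two zone files above (copied verbatim, with the zone origins taken from the zone statements in named.rfc1912.zones) and lists every forward/reverse mismatch. It handles the one wrinkle in this data: 10.75.49.248 carries two names (the zone apex and dns), so a PTR is accepted if it points at any of them.

```python
# Added example, not from the original post: cross-check the forward zone
# rp.zone against the reverse zone 10.75.49.zone. Zone texts are copied from
# the post; the origins come from the zone statements in named.rfc1912.zones.

FORWARD_ORIGIN = "rp."
REVERSE_ORIGIN = "49.75.10.in-addr.arpa."

FORWARD_ZONE = """\
$TTL 1D
@   IN SOA          rp. root (
                                        1       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        0 )     ; minimum

        IN      NS      rp.
        IN      A       10.75.49.248
vcsa    IN      A       10.75.49.246
esx1    IN      A       10.75.49.253
esx2    IN      A       10.75.49.252
dns     IN      A       10.75.49.248
"""

REVERSE_ZONE = """\
$TTL 1D
@       IN SOA  dns.rp. dns.rp. (
                                        20171224      ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
@                     NS       rp.
248             IN      PTR        dns.rp.
246             IN      PTR        vcsa.rp.
253             IN      PTR        esx1.rp.
252             IN      PTR        esx2.rp.
"""


def _records(zone_text):
    """Yield (owner, type, rdata) per record; $-directives and the SOA are skipped."""
    owner, in_soa = "@", False
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()        # drop comments
        if not line.strip():
            continue
        if in_soa:                                  # still inside the SOA ( ... )
            in_soa = ")" not in line
            continue
        if line.startswith("$"):                    # $TTL / $ORIGIN
            continue
        tokens = line.split()
        if not raw[0].isspace():                    # a new owner starts the line
            owner = tokens.pop(0)
        if tokens and tokens[0] == "IN":            # class is optional
            tokens.pop(0)
        rtype, rdata = tokens[0], " ".join(tokens[1:])
        if rtype == "SOA":
            in_soa = "(" in line and ")" not in line
            continue
        yield owner, rtype, rdata


def _fqdn(name, origin):
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def forward_map(zone_text, origin):
    """{ip: [fqdn, ...]} for every A record (one IP may carry several names)."""
    out = {}
    for owner, rtype, rdata in _records(zone_text):
        if rtype == "A":
            out.setdefault(rdata, []).append(_fqdn(owner, origin))
    return out


def reverse_map(zone_text, origin):
    """{ip: fqdn} for every PTR, rebuilding the IP from the in-addr.arpa origin."""
    labels = origin.rstrip(".").split(".")[:-2]      # ['49', '75', '10']
    prefix = ".".join(reversed(labels))              # '10.75.49'
    return {f"{prefix}.{owner}": _fqdn(rdata, origin)
            for owner, rtype, rdata in _records(zone_text) if rtype == "PTR"}


def check_consistency(fwd_text, fwd_origin, rev_text, rev_origin):
    """List every forward/reverse mismatch; an empty list means the zones agree."""
    fwd = forward_map(fwd_text, fwd_origin)
    rev = reverse_map(rev_text, rev_origin)
    problems = []
    for ip, names in sorted(fwd.items()):
        if ip not in rev:
            problems.append(f"{', '.join(names)} ({ip}): no PTR record")
        elif rev[ip] not in names:
            problems.append(f"PTR for {ip} is {rev[ip]}, expected one of {', '.join(names)}")
    for ip in sorted(set(rev) - set(fwd)):
        problems.append(f"PTR {ip} -> {rev[ip]}: no matching A record")
    return problems


if __name__ == "__main__":
    issues = check_consistency(FORWARD_ZONE, FORWARD_ORIGIN, REVERSE_ZONE, REVERSE_ORIGIN)
    print("\n".join(issues) if issues else "forward and reverse zones agree")
```

Run it after editing either file and before bumping the SOA serial; appending a host to one zone but not the other produces a one-line report naming the orphaned record.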

DNS named.conf

[root@localhost ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { any; };
        forwarders      { 64.104.123.245; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable no;
        dnssec-validation no;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
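The comment block inside this options section already spells out the risk: a recursive server reachable from everywhere becomes a DNS amplification reflector. The configuration above combines listen-on { any; }, allow-query { any; }, recursion yes with no allow-recursion ACL, and dnssec-validation no. The following is an added Python example, not from the original post, that parses an options block and flags those combinations, and shows a hardened block beside it. The hardened block's ACL name "trusted", the 10.75.49.0/24 prefix and the listen address 10.75.49.248 are assumptions taken from the post's zone files, not from its named.conf.

```python
import re

# Added example, not from the original post: audit the options block of
# named.conf for the settings that expose a recursive resolver. SAMPLE_OPTIONS
# is the post's options block with comments removed; HARDENED_OPTIONS is the
# same block with an explicit ACL (name and prefix are assumptions).

SAMPLE_OPTIONS = """
options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        allow-query     { any; };
        forwarders      { 64.104.123.245; };
        recursion yes;
        dnssec-enable no;
        dnssec-validation no;
};
"""

HARDENED_OPTIONS = """
acl "trusted" { 127.0.0.1; ::1; 10.75.49.0/24; };
options {
        listen-on port 53 { 127.0.0.1; 10.75.49.248; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        allow-query     { trusted; };
        allow-recursion { trusted; };
        forwarders      { 64.104.123.245; };
        recursion yes;
        dnssec-validation auto;
};
"""


def _strip_comments(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)   # block comments
    return re.sub(r"(//|#).*", "", text)                  # line comments


def _block(text, name):
    """Body of the top-level `name { ... }` block, honouring nested braces."""
    start = re.search(r"\b" + re.escape(name) + r"\s*\{", text)
    if not start:
        return ""
    depth = 0
    for j in range(start.end() - 1, len(text)):
        if text[j] == "{":
            depth += 1
        elif text[j] == "}":
            depth -= 1
            if depth == 0:
                return text[start.end():j]
    return ""


def _statements(body):
    """Split a block body on the semicolons that sit at brace depth 0."""
    stmts, cur, depth = [], [], 0
    for ch in body:
        cur.append(ch)
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        elif ch == ";" and depth == 0:
            stmts.append("".join(cur[:-1]).strip())
            cur = []
    return [s for s in stmts if s]


def parse_options(text):
    """Map each options statement to a string, or to a list for { a; b; } values."""
    opts = {}
    for stmt in _statements(_block(_strip_comments(text), "options")):
        key, _, rest = stmt.partition(" ")
        rest = rest.strip()
        if "{" in rest:
            inner = rest[rest.index("{") + 1:rest.rindex("}")]
            opts[key] = [tok.strip() for tok in inner.split(";") if tok.strip()]
        else:
            opts[key] = rest.strip('"')
    return opts


def audit_options(text):
    """Findings a reviewer would raise; defaults mirror BIND's own behaviour."""
    o = parse_options(text)
    findings = []
    if o.get("recursion", "yes") == "yes":              # BIND recurses unless told not to
        acl = o.get("allow-recursion")
        if acl is None:
            findings.append("recursion-acl-implicit")   # only BIND's built-in default limits it
        elif "any" in acl:
            findings.append("open-resolver")
    # allow-query and listen-on both default to any/all interfaces when absent
    if "any" in o.get("allow-query", ["any"]) and "any" in o.get("listen-on", ["any"]):
        findings.append("answers-everyone")
    if o.get("dnssec-validation") == "no":
        findings.append("dnssec-validation-off")
    return findings


if __name__ == "__main__":
    for label, cfg in (("post", SAMPLE_OPTIONS), ("hardened", HARDENED_OPTIONS)):
        print(label, audit_options(cfg) or ["no findings"])
```

The parser deliberately walks braces instead of using a one-line regex so that nested ACL lists such as listen-on port 53 { any; } are not mistaken for the end of the options block; named-checkconf validates syntax, this adds the policy check it does not perform.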