'업무이야기' 카테고리의 글 목록 (34 Page)

Alteon L4 FWLB Sample 입니다.

# EXT L4

>> Main# /c/dump
script start "Alteon AD3" 4 /**** DO NOT EDIT THIS LINE!
/* Configuration dump taken 20:01:29 Thu Apr 19, 2012
/* Version 10.0.28, Base MAC address 00:60:cf:49:ea:d0
/c/port 1
        pvid 10
/c/port 2
        pvid 20
/c/port 8
        pvid 30
/c/vlan 1
        def 3 4 5 6 7 9
/c/vlan 10
        ena
        name "VLAN 10"
        def 1
/c/vlan 20
        ena
        name "VLAN 20"
        def 2
/c/vlan 30
        ena
        name "VLAN 30"
        def 8
/c/stp 1/off
/c/stp 1/clear
/c/stp 1/add 1 10 20 30
/c/ip/if 1
        ena
        addr 10.10.10.254
        mask 255.255.255.0
        broad 10.10.10.255
        vlan 10
/c/ip/if 2
        ena
        addr 10.10.11.254
        mask 255.255.255.0
        broad 10.10.11.255
        vlan 20
/c/ip/if 8
        ena
        addr 192.168.1.60
        vlan 30
/c/ip/gw 1
        ena
        addr 192.168.1.1
/c/ip/route
        add 10.10.12.0 255.255.255.0 10.10.10.1 1
        add 10.10.13.0 255.255.255.0 10.10.11.1 2
/c/slb
        on
/c/slb/adv
        submac ena
/c/slb/real 1
        ena
        rip 10.10.12.254
/c/slb/real 2
        ena
        rip 10.10.13.254
/c/slb/group 1
        metric hash
        health icmp
        add 1
        add 2
/c/slb/filt 10
        ena
        action allow
        dip 192.168.1.0
        dmask 255.255.255.0
/c/slb/filt 11
        ena
        action allow
        dip 10.10.10.0
        dmask 255.255.255.0
/c/slb/filt 12
        ena
        action allow
        dip 10.10.11.0
        dmask 255.255.255.0
/c/slb/filt 20
        ena
        action redir
        dip 10.10.14.0
        dmask 255.255.255.0
/c/slb/filt 20/adv
        fwlb ena
/c/slb/filt 224
        ena
        action redir
/c/slb/filt 224/adv
        fwlb ena
/c/slb/port 8
        filt ena
        add 10-12
        add 20
        add 224
/
script end /**** DO NOT EDIT THIS LINE!

# INT L4

>> Main# /c/dump
script start "Alteon 180e" 4 /**** DO NOT EDIT THIS LINE!
/* Configuration dump taken 19:59:56 Thu Apr 19, 2012
/* Version 10.0.28, Base MAC address 00:60:cf:42:d4:10
/c/port 1
        pvid 10
/c/port 2
        pvid 20
/c/port 8
        pvid 30
/c/vlan 1
        def 3 4 5 6 7 9
/c/vlan 10
        ena
        name "VLAN 10"
        def 1
/c/vlan 20
        ena
        name "VLAN 20"
        def 2
/c/vlan 30
        ena
        name "VLAN 30"
        def 8
/c/stp 1/off
/c/stp 1/clear
/c/stp 1/add 1 10 20 30
/c/ip/if 1
        ena
        addr 10.10.12.254
        mask 255.255.255.0
        broad 10.10.12.255
        vlan 10
/c/ip/if 2
        ena
        addr 10.10.13.254
        mask 255.255.255.0
        broad 10.10.13.255
        vlan 20
/c/ip/if 8
        ena
        addr 10.10.14.254
        mask 255.255.255.0
        broad 10.10.14.255
        vlan 30
/c/ip/route
        add 10.10.10.0 255.255.255.0 10.10.12.1 1
        add 10.10.11.0 255.255.255.0 10.10.13.1 2
/c/slb
        on
/c/slb/real 1
        ena
        rip 10.10.10.254
/c/slb/real 2
        ena
        rip 10.10.11.254
/c/slb/group 1
        metric hash
        health icmp
        add 1
        add 2
/c/slb/filt 10
        ena
        action redir
        dip 192.168.1.0
        dmask 255.255.255.0
/c/slb/filt 10/adv
        fwlb ena
/c/slb/filt 13
        ena
        action allow
        dip 10.10.12.0
        dmask 255.255.255.0
/c/slb/filt 14
        ena
        action allow
        dip 10.10.13.0
        dmask 255.255.255.0
/c/slb/filt 20
        ena
        action allow
        dip 10.10.14.0
        dmask 255.255.255.0
/c/slb/filt 224
        ena
        action redir
/c/slb/filt 224/adv
        fwlb ena
/c/slb/port 8
        filt ena
        add 10
        add 13-14
        add 20
        add 224
/
script end /**** DO NOT EDIT THIS LINE!

저작자표시 비영리 변경금지

'업무이야기 > Network' 카테고리의 다른 글

식별되지 않은 네트워크 (0)	2012.09.24
한드림넷 보안스위치 사용자 알림 설정 (0)	2012.07.12
Juniper Virtual Router Basic Configuration (0)	2012.02.21
Juniper EX-series Switch Password Recovery (0)	2012.02.17
Alteon config 기본 설정 (2)	2012.02.07

Power off the device by pressing the power button on the front panel and reboot the device.
Turn on the power to the management device.
Power on the device by pressing the power button on the front panel. Verify that the POWER LED on the front panel turns green.The terminal emulation screen on your management device displays the device’s boot sequence.
When the autoboot is completed, press the spacebar a few times to access the bootstrap loader prompt.
At the following prompt, enter boot -s to start up the system in single-user mode.

loader>boot -s
At the following prompt, enter recovery to start the root password recovery procedure.
Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh: recovery
Enter configuration mode in the CLI.
Set the root password. For example:

user@host# set system root-authentication plain-text-password

For more information about configuring the root password, see the Junos System Basics Configuration Guide.
At the following prompt, enter the new root password. For example:

New password: juniper1
```
Retype new password:
```
At the second prompt, reenter the new root password.
If you are finished configuring the network, commit the configuration.
root@host# commit
```
commit complete
```
Exit configuration mode in the CLI.
Exit operational mode in the CLI.
At the prompt, enter y to reboot the device.

Reboot the system? [y/n] y

저작자표시 비영리 변경금지

'업무이야기 > Security' 카테고리의 다른 글

Fortigate IPS DoS Test용 configuration Sample (0)	2012.10.18
Fortigate SSL VPN 설정 샘플 (0)	2012.10.18
Juniper 인터넷 2회선을 이용한 Load Balancing (0)	2012.02.21
LAN to LAN VPN between two Juniper firewalls in Transparent mode (0)	2012.02.20
Juniper Firewall ALG (0)	2012.02.20

저작자표시 비영리 변경금지

'업무이야기 > Security' 카테고리의 다른 글

Fortigate SSL VPN 설정 샘플 (0)	2012.10.18
Juniper SRX Firewall Password Recovery (0)	2012.03.21
LAN to LAN VPN between two Juniper firewalls in Transparent mode (0)	2012.02.20
Juniper Firewall ALG (0)	2012.02.20
Juniper Firewall DHCP Server Configuration (0)	2012.01.27

ScreenOS divides its routing component into two virtual routers—untrust-VR and trust-VR. If you have obtained and loaded a virtual router (VR) software key, you can create a new VR. Multiple VRs can exist, but trust-VR is the default.

Additionally, you can set basic parameters for the untrust-VR and trust-VR and for user-defined VRs. When you set parameters for a VR, you can also configure dynamic routing protocols.

If you configure AutoConnect virtual private network (AC-VPN), you must enable Next-Hop Resolution Protocol (NHRP) on the VR.

To Create or Modify a Virtual Router

Enter the required information:

Virtual Router Name: Indicates the name of the VR.

Virtual Router ID: Indicates one of two settings that identify the VR.

Use System Default: Indicates that the IP address of the VR acts as the ID of the routing instance.

Custom: Enables you to set an IP address to identify the virtual routing instance that is different from the default address.

Management VR: Designates this VR as the management virtual router (MGT VR). A MGT VR supports the out-of-band management infrastructure and segments security device management traffic away from production traffic.

Maximum Route Entry: Indicates the upper limit of the number of routes the VR can store in its routing table.

Unlimited: Indicates that the current virtual routing instance has no upper limit for the number of routes it can store in its routing table.

Set Limit At: Enables you to set a specified upper limit for the number of routes the current VR can store in its routing table.

Maximum ECMP Routes: Enables you to set a specified upper limit for the maximum number of equal cost multipath (ECMP) routes that can exist for each protocol and for static routes in a routing table. Specify 2, 3, or 4. Setting the limit enables ECMP routing so that the security device can perform load balancing between ECMP routes.

Route Lookup Preference: Specifies the order in which the VR performs route lookup, if source-based routing or source interface-based routing (SIBR) is enabled in the VR. The VR checks the routing table with the highest preference value first.

For Destination Routing: Assigns a preference value for the destination-based routing table. The default value is 1. Enter a value between 1 and 255.

For Source Based Routing: Assigns a preference value for the source-based routing table. The default value is 2. Enter a value between 1 and 255.

For Source Interface Based Routing: Assigns a preference value for the SIBR routing table. The default value is 3. Enter a value between 1 and 255.

Use default route: (For the trust-VR only) Adds a default route with the specified VR as the next hop.

Shared and accessible by other vsys: Indicates that the root-level local VR is accessible from a virtual system (vsys). The untrust-VR is, by default, shared by all other vsys.

Ignore Subnet Conflict for Interfaces in This VRouter: Directs the VR to ignore overlapping subnet addresses for interfaces in the VR.

Make This VRouterDefault-Vrouter for the System: Sets this VR as the default VR for the vsys. The trust-VR is the default VR for the root system.

Auto Export Route to Untrust-VR: Directs the VR to export public interface routes to the untrust-VR.

Make SNMP Trap Private: (This option is only available for the default root-level VR.) Enables you to make Simple Network Management Protocol (SNMP) traps for the dynamic routing MIBs private for the VR.

Enable Source Based Routing: Enables source based routing on this VR.

Enable Source Interface Based Routing: Enables source interface-based routing on this VR.

Advertise Routes on Inactive Interfaces: Directs the VR to consider active routes on inactive interfaces for advertising.

Permit sync VR configure to NSRP peer: Directs the VR to synchronize its configuration with the VR on its NetScreen Redundancy Protocol (NSRP) peer.

Route Preference: Displays various ways to identify the desirability of a route in the current VR. The lower the value, the more probable the VR will select the route.

Auto Exported: Indicates the level of desirability associated with the decision the current VR makes to select an automatically exported route from other VRs on the network.

Imported: Indicates the level of desirability associated with the decision the current virtual routing instance makes to select a route imported from another VR on the network.

EBGP: Indicates the level of desirability associated with the decision the current VR makes to select a route originating from an Exterior Border Gateway Protocol (EBGP) router.

OSPF: Indicates the level of desirability associated with the decision the current VR makes to select a route originating from an Open Shortest Path First (OSPF) router.

RIP/RIPng: Indicates the level of desirability associated with the decision the current VR makes to select a route originating from a Routing Information Protocol (RIP) or a Routing Information Protocol Next Generation (RIPng) router. RIPng is intended only for use in IPv6 networks.

Connected: Indicates the level of desirability associated with the decision the current VR makes to select a route sent from a router that has at least one interface with an IP address assigned to it.

Static: Indicates the level of desirability associated with the decision the current VR makes to select a static or manually configured route.

IBGP: Indicates the level of desirability associated with the decision the current VR makes to select a route originating from an Interior Border Gateway Protocol (IBGP) router.

OSPF External Type 2: Indicates the level of desirability associated with the decision the current VR makes to select OSPF External-Type-2 routes.

Click OK to save your changes and return to the Virtual Router List. Click Apply to continue configuring the VR.

If you clicked Apply, the Dynamic Routing Protocols Support area displays with the following links:

BGP: A link for creating a Border Gateway Protocol (BGP) routing instance. For more information, see Virtual Router BGP Settings.

OSPF: A link for creating an OSPF routing instance. For more information, see OSPF Virtual Router Settings.

RIP: A link for creating a RIP routing instance. For more information, see RIP Virtual Router Settings.

RIPng: A link for creating a RIPng routing instance. For more information, see RIPng Virtual Router Settings.

Next Hop Resolution Protocol (NHRP) Support: If you are configuringAC-VPN,click NHRP Setting to enable NHRP and configure Next Hop Client (NHC) cache entries.

저작자표시 비영리 변경금지

'업무이야기 > Network' 카테고리의 다른 글

한드림넷 보안스위치 사용자 알림 설정 (0)	2012.07.12
Alteon L4 FWLB Sample (0)	2012.04.20
Juniper EX-series Switch Password Recovery (0)	2012.02.17
Alteon config 기본 설정 (2)	2012.02.07
Alteon SLB에서 PIP(Proxy IP) 설정 (1)	2012.02.04

LAN to LAN VPN between two Juniper firewalls in Transparent mode

Summary:

VPN terminates at the Juniper firewall in Transparent mode.
How to configure a Virtual Private Network (VPN) between two Juniper firewalls in Transparent mode.

Problem or Goal:

How is a VPN configured between two Juniper firewalls in Transparent mode?
This example will be based on a VPN between two SSG140s, using ScreenOS 5.4.0r8.0; however, this config is valid with ScreenOS 5.x and 6.x.

Assumptions:

Firewall at Site A and Site B are in Transparent mode and connected to the Internet.
Internal network on the Firewall at Site A is 1.1.1.0 255.255.255.0. The Internet router is at 1.1.1.1, and the VLAN1 IP of the firewall is 1.1.1.50
Internal network on the Firewall at Site B is 1.1.2.0 255.255.255.0. The internet router is at 1.1.2.1, and the VLAN1 IP of the firewall is 1.1.2.50
Assuming both P1 and P2 are using "standard" security level, the Preshare key for P1 is "netscreen", and Replay Protection is disabled.

Solution:

The steps are documented below.

Note that when the Virtual Private Network (VPN) tunnel uses a pair of Juniper firewalls in Transparent mode as the termination point, the security gateway needs to point to the IP address of the peer's VLAN1 interface.
Additionally, the Transparent mode Juniper firewall needs a static route to reach the remote IPSec gateway.

Site A Configuration details:
--------------------------------------

Define address objects

WEBUI:
Select Objects > Addresses > List
Choose V1-Untrust from pull-down menu and click New
Enter following and click OK

    * Address Name: lan-B
    * IP Address/Netmask: 1.1.2.0/24

Choose V1-Trust from pull-down menu and click New
Enter following and click OK

    * Address Name: lan-A
    * IP address/Netmask: 1.1.1.0/24

CLI:

set address v1-trust lan-A 1.1.1.0/24
set address v1-untrust lan-B 1.1.2.0/24

Define IKE gateway (Phase 1)

WEBUI:
Select VPNs > Autokey Advanced > Gateway and click New
Enter following and click OK

Gateway Name: toB
Security Level: Standard
Static IP Address: 1.1.2.50
Preshared Key: netscreen
Outgoing Zone: V1-Untrust

CLI:


set ike gateway toB address 1.1.2.50 main outgoing-zone v1-untrust preshare netscreen sec-level standard

Define IPSec VPN (Phase 2)

WEBUI:
Select VPNs > Autokey IKE and click New
Enter following and click OK

VPN Name: toB
Security Level: Standard
Remote Gateway: Predefined: toB

CLI:
set vpn toB gateway toB sec-level standard

Define policy

WEBUI:
Select Policies and following, then click New

From: V1-Trust
To: V1 Untrust

Enter following and click OK

Source Address: Address Book Entry, lan-A
Destination Address: Address Boot Entry, lan-B
Service: ANY
Action: Tunnel
Tunnel: VPN, toB
Modify matching bidirectional VPN policy: check

CLI:


set policy id 1000 from v1-trust to v1-untrust lan-A lan-B any tunnel vpn toB
set policy id 1001 from v1-untrust to v1-trust lan-B lan-A any tunnel vpn toB pair-policy 1000

Define static route

WEBUI:
Select Network > Routing > Destination, then click New
Enter following and click OK

IP Address/Netmask: 0.0.0.0/0
Next Hop: Gateway (selected)
Interface: VLAN1
Gateway IP Address: 1.1.1.1

CLI:
set route 0.0.0.0/0 gateway 1.1.1.1

Site B Configuration details:
--------------------------------------

Define address objects

WEBUI:
Select Objects > Addresses > List
Choose V1-Untrust from pull-down menu and click New
Enter following and click OK

Address Name: lan-A
IP Address/Netmask: 1.1.1.0/24

Choose V1-Trust from pull-down menu and click New
Enter following and click OK

Address Name: lan-B
IP address/Netmask: 1.1.2.0/24

CLI:

set address v1-trust lan-B 1.1.2.0/24
set address v1-trust lan-A 1.1.1.0/24

Define IKE gateway (Phase1)

WEBUI:
Select VPNs > Autokey Advanced > Gateway and click New
Enter following and click OK

Gateway Name: toA
Security Level: Standard
Static IP Address: 1.1.1.50
Preshared Key: netscreen
Outgoing Zone: V1-Untrust

CLI:
set ike gateway toA address 1.1.1.50 main outgoing-zone v1-untrust preshare netscreen sec-level standard

Define IPSec VPN (Phase 2)

WEBUI:
Select VPNs > Autokey IKE and click New
Enter following and click OK

VPN Name: toA
Security Level: Standard
Remote Gateway: Predefined: toA

CLI:
set vpn toA gateway toA sec-level standard

Define policy

WEBUI:
Select Policies and following, then click New

From: V1-Trust
To: V1-Untrust

Enter following and click OK

Source Address: Address Book Entry, lan-B
Destination Address: Address Boot Entry, lan-A
Service: ANY
Action: Tunnel
Tunnel: VPN, toA
Modify matching bidirectional VPN policy: check

CLI:

set policy id 1000 from v1-trust to v1-untrust lan-B lan-A any tunnel vpn toA
set policy id 1001 from v1-untrust to v1-trust lan-A lan-B any tunnel vpn toA pair-policy 1000

Define static route

WEBUI:
Select Network > Routing > Destination, then click New
Enter following and click OK

IP Address/Netmask: 0.0.0.0/0
Next Hop: Gateway (selected)
Interface: VLAN1
Gateway IP Address: 1.1.2.1

CLI:
set route 0.0.0.0/0 gateway 1.1.2.1

Technical Documentation

A Transparent mode VPN example is also included in the Technical Documentation:

ScreenOS Concepts & Examples ScreenOS Reference Guide, Volume 5: Virtual Private Networks

Chapter 4 -- Site-to-Site Virtual Private Networks
“Transparent Mode VPN” Example

ScreenOS 5.4: http://www.juniper.net/techpubs/software/screenos/screenos5.4.0/CE_v5.pdf
ScreenOS 6.0: http://www.juniper.net/techpubs/software/screenos/screenos6.0.0/CE_v5.pdf

Purpose:

Troubleshooting

Related Links:

저작자표시 비영리 변경금지

'업무이야기 > Security' 카테고리의 다른 글

Juniper SRX Firewall Password Recovery (0)	2012.03.21
Juniper 인터넷 2회선을 이용한 Load Balancing (0)	2012.02.21
Juniper Firewall ALG (0)	2012.02.20
Juniper Firewall DHCP Server Configuration (0)	2012.01.27
LG SafeZone IPS 2400 뒷면..... (0)	2012.01.26

*ALG(Application Layer Gateway)란?

NetScreen에서 V5.0에서 특정한 프로토콜(SIP, FTP, H.323 등)을 지원하는 신규 기능으로 ALG는 특정한 트래픽을 분석하여 NetScreen 방화벽을 통과하여 서비스가 가능하도록 resource 할당, 유동적인 방화벽 정책(ex: dynamic port을 요청하는 경우 편리하게 지원가능)을 설정할 수 있도록 지원할 수 있는 기능으로 Protocol Convert 역할을 할 수 있음, 알려진 포트를 사용하는 경우 및 정책에서 지정하는 경우 ALG기능을 사용할 수 있으며 ALG는 해당 프로토콜의 Payload 내용을 감지 또는 변경할 수 있습니다.

[출처] ISG1000장비의 ALG기능 질문입니다.. (주니퍼 엔지니어 모임) |작성자 네오

ALG 관련 ISSUE가 한번 있었다.
본사와 지사간의 VPN G to G를 설치하기 위해 부산과 대전을 다녀온 적이 있다.
VPN 설정하고 통신 테스트 하고 전혀 문제가 되지 않았는데... 한곳에서 SIP 관련 ISSUE가 발생을 했다.
인터넷 전화를 사용하는 업체인데 전화가 걸려오는 전화를 받는 것은 문제가 없었는데,

다른 곳에서 울리는 전화를 땡겨받기를 할 경우

약 8-10초간 아무 소리도 안 들리다가 이후 통화가 가능한가 싶더니 15-17초 이후 전화 연결이 자동으로 끊어졌다.
통신에 필요한 프로토콜은 SIP 하나였는데 Rule 부분의 문제는 아니었다.
결론적으로 주니퍼 방화벽의 메뉴중 Security 탭의 ALG에서 SIP를 Disable 시켜서 원인 해결이 되었다.
위에서 언급했듯이 ALG 는 L7 기반의 Application Layer Gateway를 처리 하다 보니 우리가 알지 못했던 비 정상적인
패킷에 대해서 처리가 이루어지기 때문에 오동작으로 오해하기가 쉽다.
더 신중한 보안 및 Application 처리를 위해서 ALG를 사용하는 것은 맞지만 국내 현실에 맞지 않는 부분도 많은 것 같다.

저작자표시 비영리 변경금지

'업무이야기 > Security' 카테고리의 다른 글

Juniper 인터넷 2회선을 이용한 Load Balancing (0)	2012.02.21
LAN to LAN VPN between two Juniper firewalls in Transparent mode (0)	2012.02.20
Juniper Firewall DHCP Server Configuration (0)	2012.01.27
LG SafeZone IPS 2400 뒷면..... (0)	2012.01.26
웹방화벽 WebFront 소개 자료 및 채널 교육 자료 (0)	2012.01.12

Summary:

This article describes how to recover a lost or forgotten password for the EX-series Switch.

Problem or Goal:

Lost root password for the EX-series Switch.

Solution:

Troubleshooting Loss of the Root Password on the EX-series Switch

Problem:
If you forget the root password for the switch, you can use the password recovery procedure to reset the root password.

NOTE: You need physical access to the switch to recover the root password. This is done by direct console access or through a console server to the console port on the EX Switch.

Solution To recover the root password:

Power off your switch by unplugging the power cord or turning off the power at the wall switch.

Insert one end of the Ethernet cable into the serial port on the management device and connect the other end to the console port on the back of the switch.

On the management device, start your asynchronous terminal emulation application (such as Microsoft Windows Hyperterminal) and select the appropriate COM port to use (for example, COM1).

Configure the port settings as follows:

Bits per second: 9600
Data bits: 8
Parity: None
Stop bits: 1
Flow control: None

Power on your switch by plugging in the power cord or turning on the power atthe wall switch.

When the following prompt appears, press the Spacebar to access the switch's bootstrap loader command prompt:

Hit [Enter] to boot immediately, or space bar for command prompt.
Booting [kernel] in 1 second...

At the following prompt, type boot -s to start up the system in single-user mode:

loader> boot -s

At the following prompt, type recovery to start the root password recovery procedure:

Enter full path name of shell or 'recovery' for root password recovery or RETURN for /bin/sh: recovery

A series of messages describe consistency checks, mounting of filesystems, and initialization and checkout of management services. Then the CLI prompt appears.

Enter configuration mode in the CLI:

user@switch> cli

Set the root password. For example:

user@switch# set system root-authentication plain-text-password

At the following prompt, enter the new root password. For example:

New password: juniper1

Retype new password:

At the second prompt, reenter the new root password.

If you are finished configuring the network, commit the configuration.root@switch# commit

commit complete

Exit configuration mode in the CLI.

root@switch# exit

Exit operational mode in the CLI.

root@switch> exit

At the prompt, enter y to reboot the switch.

Reboot the system? [y/n] y

저작자표시 비영리 변경금지

'업무이야기 > Network' 카테고리의 다른 글

Alteon L4 FWLB Sample (0)	2012.04.20
Juniper Virtual Router Basic Configuration (0)	2012.02.21
Alteon config 기본 설정 (2)	2012.02.07
Alteon SLB에서 PIP(Proxy IP) 설정 (1)	2012.02.04
Brocade FLS624G dhcp 구성 config (Foundry) (0)	2012.01.25

Alteon config 기본 설정

>> Main# /cfg/stp off

•Spanning Tree protocol 을 사용하겠냐는 명령어 입니다.

•기본 값이 enable되어 있기에, 작업환경에 따라 설정하면 된다.

•설정 후 반듯이 reboot 이 필요하다.

-- Interface 설정하기

>> Main# /cfg/ip/if 1/mask 255.255.255.0/addr 61.33.250.x/br 61.33.250.255/ena

•장비의 Interface를 넣어주는 명령어 입니다.

•interface number를 확인 후 IP address, mask, broad 를 정확히 넣어주면 된다.

•최대 256개까지 만들 수 있다.

-- Gate way 설정하기

>> Main# /cfg/ip/gw 1/addr 61.33.250.x/ena

•Gateway를 설정해 주는 명령어 입니다.

•최대 4개까지 만들 수 있다.

•/cfg/ip/gw 1/intr 2 è 2sec 마다 ping Test

•/cfg/ip/gw 1/retry 8 è 8번 try후 응답이 없으면 fail로 선언.

•/cfg/ip/gw 1/arp disable è gw에 대한 health check 를 arp를 이용하여 할 것 인지 아닌지를 선택.

èarp disable 시 ICMP를 이용하여 health check를 하지만, Router에서 ping(ICMP)을 막았을 경우에는 arp option을 enable 하여 arp table을 이용하여 health check를 한다.

-- Port link 100 Fix 설정하기

>> Main# /cfg/port ⓝ/fast/speed 100/mode full/fctl none/auto off

•link 100M Fix 시켜 준다.

•fctl (flow control) 각각의 연결된 장비가(Alteon ó 타장비) 다를 경우 buffer size의 차이로 인하여 흐름이 원활하지 못하는 경우가 있다. 이때에 fctl을 이용하여 흐름을 원활하게 해줄 수가 있는데 이 option을 설정을 해준다. 이는 Alteon의 buffer 가 타 장비보다 적기에 발생할 수 있다. 이 현상의 발생시 overflow가 발생할수 있기 때문이다. 그러나 일반적인 경우에는 장비간의 차이가 없기에 fctl을 none으로 설정하여 사용을 한다.

-- localnetwork 설정하기

>> Main# /cfg/ip/frwd/local/add xxx.xxx.xxx.xxx

•local network 를 만드는 명령어 입니다. 반듯이 필요한 사항은 아닙니다.

•Alteon 장비는 4096개의 arp를 갖고 있을 수 있는데 이 수치를 arp table full날 경우를 대비하여

local-network를 설정을 해줍니다.

-- telnet 허용하기

>> Main# /cfg/sys/tnet ena

•telnet 접속여부 판단.

-- Password 변경하기

>> Main# /cfg/sys/user/admpw

•admin password 변경여부.

•Password를 분실시 remote에서 recovery하기가 어려우니 주의 하시기 바랍니다.

SLB 만들기

-- Real server 설정하기

>> Main# /cfg/slb/real ⓝ/ena

•real server를 설정한다.

•~real 1/rip 61.33.250.x è real server의 IP address 를 지정한다.

•~real 1/weight 1 è leastcon/roundrobin 이용시 해당 group안의 real server에 대한 portion을 정해준다. 기본값은 1 이다.

•~real 1/backup none è real server fail 시 backup server가 이를 대신할수 있게 지정. 기본값은 none이다.

•~real 1/maxcon 200000 è real server에 처리할수 있는 session을 지정할 수 있다.

•~real 1/inter 3 è 3sec 마다 health check

•~real 1/retry 5 è health check 를 5번 시도 후 무응답시 fail 처리 한다.

•~real 1/tmout 10 è 한번 맺은 session이 10min 간 무응답(또는 서비스를 안 할 때) 시 자동적으로 session을 clear 한다.

-- Real server를 group로 설정하기

>> Main# /cfg/slb/group ⓝ/add ⓝ ... /add ⓝ

•group ⓝ에 생성한 real server를 포함시켜준다.

•group 에서 real server 제거시 ... /rem ⓝ 을 이용한다.

-- Virtaul IP 설정하기

>>Main#/cfg/slb/virt ⓝ/vip 61.33.250.xx/ena

•virt number ⓝ에 vip 를 설정해주고 enable 해 줍니다.

>>Main#/cfg/slb/virt ⓝ/service http/group ⓝ

•Vip 에 해당하는 적절한 서비스를 지정해 주고(서비스가 http라면 http로..) 이 서비스에 적용할 group를 지정해 줍니다.

-- Server, Client physical port 지정.

>>Main#/cfg/slb/port ⓝ/server ena

>>Main#/cfg/slb/port ⓝ/client ena

•Server가 연결되어있는 downlink 쪽 port 에 Server enable를 해 줍니다.

•Client 즉, 인터넷상에서 Vip로 서비스를 받고자 하는 물리적인 port에 client enable 를 해 줍니다.

--SLB enable

>> Main# /cfg/slb/on

•SLB enable

-- 현재 서비스중인 session을 clear 하기

>> Main# /op/slb/clear

•현재의 session clear.

모니터링 방법

Information

>> Main# /info/slb/dump

•slb가 진행중인 real server, virtual server, Filter state, Port state 전체를 한눈으로 볼 수가 있습니다.

•그 외에 ~/real , ~/virt , ~/filt , ~/port 는 개별적으로 해당 번호를 알면 부분적으로 상세한 정보를

볼 수 있다.

>> Main# /info/slb/sess/dump

•slb를 통하는 Session Table 전체를 볼 수가 있다.

•~/sess/find : 특정 Source IP를 잡아서 볼 수 있다.

•~/sess/Port : 특정 Port에 들어오는 session을 볼 수가 있다.

>> Main# /info/arp/dump

•이는 Alteon switch에 관련된 arp table을 전체를 볼 수 있다.

•IP address, MAC address, VLAN, Port 등의 정보를 알 수 있다.

•그 외에 ~/find, ~/port, ~/vlan, ~/refpt, ~/addr 로 세부적인 정보를 얻을 수 있다.

>> Main# /info/sys

•간단한 System Information 알 수 있다.

•Alteon switch 장비명, MAC address, IP address, OS version 등을 알 수 있다.

>> Main# /info/log

• 시간대별로 log를 생성하므로 장비의 상태를 알 수 있다.

• 단, Alteon switch에서 보여주는 log는 10여줄 밖에 볼 수가 없으므로 log host 지정하여 host에서 관리가 가능하다. ==> /cfg/sys/syslog 에서 host를 지정하여 주면 된다. 또한 log를 받는 서버에서는 syslog 데몬이 있어야 한다.

>> Main# /info/link

•Port , Speed , Duplex , Flow ctrl , Link 의 상태를 알 수 있다.

•강제로 fix 가 되어 있는지의 여부도 파악하기 쉽다.

>> Main# /info/ip

•기본적인 IP, gateway, local network 의 상태를 알 수가 있다.

>> Main# /info/dump

•information에 있는 모든 정보를 나열한다.

•이 정보는 작업자가 설정된 값 기준으로 표시 되기에

Statistics

>> Main# /stats/port ⓝ/brg

•대표적으로 해당 Port 에서 PortInFrames, PortOutFrames 등의 값을 알 수 가 있다.

•Discards 관련 값을 알 수가 있다.

>> Main# /stats/port ⓝ/ether

•대표적으로 해당 Port 에서 StatsSingleCollisionFrames 등의 값을 알 수 가 있다.

•CollisionFrames 관련 값을 알 수가 있다.

>> Main# /stats/port ⓝ/maint

•대표적으로 해당 Port 에서 CRC, Ovflo 등의 값을 알 수 가 있다.

>> Main# /stats/slb/

•~/Port ⓝ, ~/real ⓝ, ~/group ⓝ, ~/virt ⓝ, ~/filt ⓝ 등의 값을 알 수 있다.

•Current Sessions 수를 알 수 있기에 작동 중인 값을 정확하게 이해할 수 있다.

• 그 외에 각 옵션 별루 정확한 Sessions 수를 알 수 있다..

Maintenance

>> Main# /maint/tsdmp

•장비의 전체적인 dump를 받는 내용입니다.

발췌 :

http://blog.naver.com/hjc7669/31726476

저작자표시 비영리 변경금지

'업무이야기 > Network' 카테고리의 다른 글

Juniper Virtual Router Basic Configuration (0)	2012.02.21
Juniper EX-series Switch Password Recovery (0)	2012.02.17
Alteon SLB에서 PIP(Proxy IP) 설정 (1)	2012.02.04
Brocade FLS624G dhcp 구성 config (Foundry) (0)	2012.01.25
Pumpkin TCPDUMP 사용법 (0)	2012.01.22

쫑콩아빠의 지금 이 순간...