
Alcatel commands

Alcatel device characteristics

Routing table supports 5000 entries by default (up to 65000 by configuration)
After logging into the Alcatel, Korean input does not work when you telnet from it to a Cisco
Telnet sessions: max 4 (cannot be changed)
Source ping and DHCP server not supported (before 6.3.4)
All modules are hot-swappable
OS6850 supports 100FX only on the combo (1000/100M) ports; OS6400 recognizes 100FX after an OS upgrade


Basic config

> Assign a port to a VLAN (assign 1/1 to VLAN 10)

vlan 10 port default 1/1

> Assign an IP address to a VLAN

ip interface vlan-1 address 210.90.67.193 mask 255.255.255.0 vlan 1 ifindex 1        <-- internal IP
ip interface vlan-10 address 172.19.201.50 mask 255.255.255.252 vlan 10 ifindex 10   <-- serial (WAN) IP
ip interface vlan-10_1 address 100.1.1.1 mask 255.255.255.252 vlan 10                <-- secondary IP

> Static route configuration

ip static-route 0.0.0.0/0 gateway <gateway ip address>
ip static-route 10.10.10.0 mask 255.255.255.0 gateway <ip_address>

> Port configuration
-<For a normal port>-
interfaces 1/5 autoneg off        (or: autoneg disable, depending on the release)
interfaces 1/5 duplex full
interfaces 1/5 speed 100

-<For combo ports (OS6850 ports 21-24, OS6400 ports 1-4)>-
interfaces 1/1 hybrid fiber autoneg disable
interfaces 1/1 hybrid fiber speed 100
interfaces 1/1 hybrid fiber duplex full

> Prompt (= hostname setting); log out and log back in and the new prompt is shown.

session prompt default <string_hostname>

> Create a user and change the password

user <userid> password <password> read-write all

> Enable telnet, ssh, http

aaa authentication default local      -- enables telnet, ftp and ssh all at once (should be removed)
aaa authentication telnet local       -- enables telnet
aaa authentication ftp local          -- enables ftp (needed for OS upgrade)

> SNMP configuration

user "a12345" read-write all password "a1234567" no auth
aaa authentication snmp "local"
snmp security no security
snmp community map "public" user "a12345" on
snmp source ip preferred 211.236.84.133

> Save

write memory


> Synchronize the working and certified directories

copy working certified
-- if they are not synchronized, the switch runs the previous configuration after a reboot.

> Always, when rebooting

reload working no rollback-timeout   <- always reboot with this command; a plain reload boots from certified and the changes are not saved

> Final check
show running-directory   <- important: check whether the current running-config is working or certified
If it is certified, write memory cannot save (copy certified working, then write memory switches it to working)
Always configure and save in working mode

Example

vlan 10 enable                                                                       <-- create VLAN 10
vlan 10 port default 1/1                                                             <-- assign port 1/1 to VLAN 10
ip interface vlan-1 address 210.90.67.193 mask 255.255.255.0 vlan 1 ifindex 1        <-- internal IP
ip interface vlan-10 address 172.19.201.50 mask 255.255.255.252 vlan 10 ifindex 10   <-- serial (WAN) IP
ip interface vlan-10_1 address 100.1.1.1 mask 255.255.255.252 vlan 10 ifindex 11     <-- secondary IP
ip static-route 0.0.0.0/0 gateway 172.19.201.49                                      <-- default route
interfaces 1/5 autoneg off        (or: autoneg disable)                              <-- autoneg off
interfaces 1/5 duplex full                                                           <-- ethernet port speed nego.
interfaces 1/5 speed 100                                                             <-- ethernet port speed nego.
write memory                                                                         <-- save
copy working certified                                                               <-- configuration file sync

session prompt default "<branch name>"
user admin password netkti00 read-write all        <-- change ID/password
aaa authentication telnet local                    <-- enable telnet only

SNMP configuration

user "a12345" read-write all password "a1234567" no auth
aaa authentication snmp "local"
snmp security no security
snmp community map "public" user "a12345" on

Check the config

show configuration snapshot

Source-interface ping (supported on 6.4.X and later)

TaeAn_BB-> show system
Alcatel-Lucent OS9600/OS9700-CFM 6.4.3.520.R01 GA, April 08, 2010.,
TaeAn_BB-> ping 10.1.1.5 ?
^
<cr> COUNT DATA-PATTERN DONT-FRAGMENT INTERVAL SIZE
SOURCE-INTERFACE SWEEP-RANGE TIMEOUT TOS

TaeAn_BB-> ping 168.126.63.1 source-interface default-a
PING 168.126.63.1: 56 data bytes
64 bytes from 168.126.63.1: icmp_seq=0. time=27. ms
64 bytes from 168.126.63.1: icmp_seq=1. time=17. ms
----168.126.63.1 PING Statistics----
2 packets transmitted, 2 packets received, 0% packet loss
round-trip (ms)  min/avg/max = 17/22/27

Bandwidth settings (ingress policing / egress shaping)

qos port 1/1 maximum egress-bandwidth 10M       <-- limit the interface rate
qos port 1/1 maximum ingress-bandwidth 5M
qos port 1/1 no maximum ingress-bandwidth       <-- remove the limit; check with show qos port

Loopback interface configuration

### No VLAN configuration needed (name is case-sensitive; only one can be created)

ip interface Loopback0 address 100.10.1.1

Port commands

interfaces 1/5 autoneg off  (or: autoneg disable)  <- autoneg off
interfaces 1/5 duplex full                         <- ethernet port speed nego.
interfaces 1/5 speed 100                           <- ethernet port speed nego.
interfaces 1/1 alias "To 2F"                       <- port name
interfaces 1/1 admin up/down                       <- shutdown / no shutdown
interfaces 1 no L2 statistics                      <- clear counters on all interfaces of module 1
interfaces 1/20 no L2 statistics                   <- clear counters on port 1/20
interfaces 1/1 hybrid fiber autoneg disable        <- for combo ports
interfaces 1/1 hybrid fiber speed 100
interfaces 1/1 hybrid fiber duplex full

show interfaces status                             <- check port speed/duplex
show interfaces port                               <- check port name / status
show ip interface                                  <- check vlan / ip / status
show vlan port                                     <- VLANs assigned to each port
show interfaces counters errors                    <- check port errors

Link aggregation

static linkagg 5 size 2 admin state enable

--> Here 5 is the group number; size is the number of ports (2-8) in the aggregate.

static agg 1/23 agg num 5
static agg 1/24 agg num 5

lacp linkagg 2 size 2 admin state enable
lacp linkagg 2 name "LACP_TST"
lacp linkagg 2 actor admin key 100
lacp agg 1/3 actor admin key 100
lacp agg 1/4 actor admin key 100

vlan 10 port default 2
ip interface "lacp_1" address 10.1.1.2 mask 255.255.255.0 vlan 10 ifindex 10

--> Here 2 is the group number

show linkagg

=== cisco 3560 ===

vlan 10
!
interface Port-channel2
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/1
switchport access vlan 10
switchport mode access
channel-protocol lacp
channel-group 2 mode passive
!
interface FastEthernet0/2
switchport access vlan 10
switchport mode access
channel-protocol lacp
channel-group 2 mode passive
!
int vlan 10
ip address 10.1.1.1 255.255.255.0


System commands

session prompt default "NoDongBu_9700#"
system timezone kst                            <- set the timezone
system time HH:MM:SS                           <- set the time
show system                                    <- like Cisco show version; check uptime, date & time
ntp server 168.126.3.6
ntp client enable
show health all cpu                            <- CPU utilization
show amap                                      <- Cisco CDP equivalent
show microcode                                 <- check the image type
show log swlog                                 <- check the log
show ntp server status                         <- check NTP server status
show mac-address-table                         <- mac table
show arp                                       <- arp table
show running-directory                         <- check whether the current running-config is working or certified
Important: if it is certified, write memory cannot save
Boot into working with the command reload working no rollback-timeout
reload                                         <- boots from certified
show tech-support                              <- tech-support; a file is created in the flash/ folder and apparently has to be retrieved with ftp
show ni
user password-size min 1                       <- minimum password length of 1

SNMP configuration

user "a12345" read-write all password "a1234567" no auth
aaa authentication snmp "local"
snmp security no security
snmp community map "public" user "a12345" on
snmp source ip preferred 210.90.76.249         <- when the SNMP server is outside the network
show snmp community map

Syslog configuration

show log swlog                                 <- check the log
swlog output socket 10.10.10.5
swlog appid INTERFACE level debug1
swlog console level debug3

Telnet access restriction

Even after this is configured it does not appear in show configuration snapshot
When a policy is added, changed or deleted you must enter qos apply before it appears in show configuration snapshot

policy service t23 destination tcp port 23
policy service group drop_tcp  t23

policy network group ok_ip  211.34.134.194

policy condition drop destination network group Switch service group drop_tcp
policy condition ok_c1 source network group ok_ip destination network group Switch service group drop_tcp
policy action accept
policy action deny disposition deny
policy rule r1 precedence 100 condition ok_c1 action accept
policy rule drop condition drop action deny
qos apply

policy service t23 protocol 6 destination tcp port 23
policy service group drop_tcp t23
policy network group ok_ip 192.168.1.0 mask 255.255.255.0
policy condition drop destination network group Switch service group drop_tcp
policy condition ok_c1 source network group ok_ip destination network group Switch service group drop_tcp
policy action accept
policy action deny disposition deny
policy rule r1 precedence 100 condition ok_c1 action accept
policy rule drop condition drop action deny
qos apply

The config above allows telnet only from the 192.168.1.0/24 range and blocks everything else.

Block SSH

aaa authentication ssh "local"   <- even without this setting a login prompt appears and connection attempts are logged
Blocks a case seen in the field where a program making many simultaneous SSH connection attempts caused the device to reboot
policy service T22 protocol 6 destination tcp port 22
policy condition SW_T22 destination network group Switch service T22
policy action deny disposition deny
policy rule A1 condition SW_T22 action deny
qos apply

Block SSH only from 10.10.10.50

policy service T22 protocol 6 destination tcp port 22
policy network group NET  10.10.10.50

policy condition SW_T22 source network group NET destination network group Switch service T22
policy action Deny disposition deny

policy rule A1 condition SW_T22 action Deny

qos apply

Block telnet; allow SSH only from 59.12.186.241 119.194.103.202 210.104.235.12 210.104.235.20

aaa authentication ssh "local"
no aaa authentication default "local"
no aaa authentication telnet "local"

policy service T22 protocol 6 destination tcp port 22
policy service T23 protocol 6 destination tcp port 23
policy network group NET  59.12.186.241 119.194.103.202 210.104.235.12 210.104.235.20

policy condition SW_T22_P source network group NET destination network group Switch service T22

policy condition SW_T22_D source ip Any destination network group Switch service T22

policy condition SW_T23_D source ip Any destination network group Switch service T23

policy action Deny disposition deny
policy action Permit
policy rule A1 precedence 30 condition SW_T22_P action Permit
policy rule B1 precedence 20 condition SW_T22_D action Deny
policy rule C1 precedence 10 condition SW_T23_D action Deny
qos apply

Block a MAC address

Layer2 ACL
policy condition toMAC3 destination mac 00:00:00:00:00:03
policy action deny disposition drop
policy rule r1 condition toMAC3 action deny
qos apply

Binding Rule
A rule is applied to network users so that the network can be used only when the rule's conditions are met.
Rule types: PORT-PROTOCOL, MAC-PORT-PROTOCOL, MAC-PORT
Likewise a G.M.-based technology.
Configuration is as follows.

- MAC-port-IP address
vlan 255 binding mac-ip-port 00:00:da:59:0c:12 21.0.0.10 2/3
vlan 255 no binding mac-ip-port 00:00:da:59:0c:12
- MAC-port
vlan 1500 binding mac-port 00:02:9a:3e:f1:06 6/10
vlan 1500 no binding mac-port 00:02:9a:3e:f1:06
- port-protocol
vlan 1503 binding port-protocol 3/1 ip-snap
vlan 1503 no binding port-protocol 3/1 ip-snap

port mirroring

port mirroring 1 destination 1/2

port mirroring 1 source 1/21 bidirectional
show port mirroring status

Configuration reset

Delete boot.cfg from the /flash/working directory, then reload with the command below.
-> reload working no rollback-timeout

How to return to working when the switch is running certified

copy cer wor
wr me

Check CPU

- show health
- current value exceeds threshold

Device                          1 Min  1 Hr  1 Hr
Resources          Limit   Curr   Avg    Avg   Max
-----------------+-------+------+------+-----+----
Receive              80     01     01    01    01
Transmit/Receive     80     01     01    01    01
Memory               80     76     76    74    76
Cpu                  80     08     19    10    22

OSPF commands (the eligible setting is needed even for point-to-point)

ip load ospf
ip router router-id 1.1.1.1
ip ospf area 0.0.0.0

ip ospf interface "vlan-30"
ip ospf interface "vlan-30" area 0.0.0.0

ip ospf interface "vlan-30" type point-to-point

ip ospf interface "vlan-30" status enable
ip ospf neighbor 20.20.20.5 eligible
ip ospf status enable
ip ospf default-originate always metric-type type1 metric 1

Redistribution (local -> ospf)

ip route-map "LOCAL4_OSPF_1" sequence-number 1 action permit
ip route-map "LOCAL4_OSPF_1" sequence-number 1 match ip-address 0.0.0.0/0 redist-control all-subnets permit
ip route-map "LOCAL4_OSPF_1" sequence-number 1 set metric 1 effect none
ip redist local into ospf route-map "LOCAL4_OSPF_1" status enable

Redistribution (static -> ospf)

ip route-map "STATIC4_OSPF_1" sequence-number 1 action permit
ip route-map "STATIC4_OSPF_1" sequence-number 1 match ip-address 0.0.0.0/0 redist-control all-subnets permit
ip route-map "STATIC4_OSPF_1" sequence-number 1 set metric 1 effect none
ip redist static into ospf route-map "STATIC4_OSPF_1" status enable

show ip ospf interface

show ip ospf neighbor
debug drclog ospf ?
debug drclog ospf info 100

BGP commands

ip load bgp
ip bgp autonomous-system 45999
ip bgp maximum-paths
ip bgp network 211.236.84.0 255.255.255.0
ip bgp network 211.236.84.0 255.255.255.0 status enable
ip bgp neighbor 172.20.1.93
ip bgp neighbor 172.20.1.93 remote-as 45400
ip bgp neighbor 172.20.1.93 ebgp-multihop 250
ip bgp neighbor 172.20.1.93 md5 key "tlschs!@"          <- enclose the key in double quotes when it contains special characters such as ! or spaces
ip bgp neighbor 172.20.1.93 maximum-prefix 65000        <- set the routing table limit to 65000 (default 5000)
no ip bgp neighbor 172.20.1.93 soft-reconfiguration     <- saves memory because no separate BGP table is kept
ip bgp neighbor 172.20.1.93 in-aspathlist IN-KT         <- apply the AS-path filter
ip bgp neighbor 172.20.1.93 status enable

ip bgp neighbor 200.200.200.2
ip bgp neighbor 200.200.200.2 remote-as 45999
ip bgp neighbor 200.200.200.2 next-hop-self
ip bgp neighbor 200.200.200.2 status enable
ip bgp status enable

ip bgp policy aspath-list IN-KT "^$"
ip bgp policy aspath-list IN-KT "^$" action permit
ip bgp policy aspath-list IN-KT "^$" status enable

ip bgp autonomous-system 1      <- remove the AS number

BGP AS-path filter

ip bgp policy aspath-list aspathfilter "^100 200$"
ip bgp policy aspath-list aspathfilter "^100 200$" action permit
ip bgp policy aspath-list aspathfilter "^100 200$" priority 10

prefix list
ip bgp policy prefix-list prefixfilter 12.0.0.0 255.0.0.0
ip bgp policy prefix-list prefixfilter 12.0.0.0 255.0.0.0 action deny

ip bgp  policy route-map mapfilter 1
ip bgp policy route-map mapfilter 1 action deny

Route AD (administrative distance) configuration

show ip route-pref
ip route-pref rip 8

PBR

policy condition Traffic10 source ip 10.10.0.0 mask 255.255.0.0
policy action Firewall permanent gateway ip 192.168.99.254
policy rule Redirect_All condition Traffic10 action Firewall

sflow

sflow receiver 1 name sflowtrend address 10.10.10.50
sflow sampler 1 1/1 receiver 1

RDP

ip router-discovery enable
ip router-discovery interface 172.30.10.2 enable

BFD (Bidirectional Forwarding Detection) feature

Alcatel OS6850

- BFD configuration on the customer-side edge router
#ip bfd-std status enable
#ip bfd-std interface vlan-10
#ip bfd-std interface vlan-10 status enable
#ip static-route all bfd-std enable
#ip static-route 0.0.0.0/0 gateway 172.26.45.5 bfd-std enable metric 1

Check BFD status
# show ip bfd-std session 1
Interface IP Address     = 172.26.45.6,
Neighbor IP Address      = 172.26.45.5,
State                    = UP,
Local discriminator      = 1,
Remote discriminator     = 13,
Negotiated Tx interval   = 240,

show ip route

Dest Address      Subnet Mask       Gateway Addr      Age       Protocol
------------------+-----------------+-----------------+---------+-----------
0.0.0.0           0.0.0.0            *172.26.45.5       00:00:00  NETMGMT
127.0.0.1         255.255.255.255     127.0.0.1            3d19h  LOCAL
172.26.45.4       255.255.255.252     172.26.45.6       00:13:45  LOCAL
211.255.75.144    255.255.255.240     211.255.75.145    01:19:51  LOCAL

ACL

Block a specific IP
policy condition fromIPtoIP3 source ip 10.0.0.100 destination ip any
policy action deny disposition deny
policy rule r1 condition fromIPtoIP3 action deny
qos apply

Refer to the sample below.

Define the IPs you want to allow in policy network group NG, and define only the service ports you want in policy service & service group.
Importantly, in "destination network group Switch", Switch (case-sensitive) means the destination IP is the switch itself.

policy service t21 protocol 6 destination tcp port 21
policy service t22 protocol 6 destination tcp port 22
policy service t23 protocol 6 destination tcp port 23
policy service t259 protocol 6 destination tcp port 259
policy service t260 protocol 6 destination tcp port 260
policy service t261 protocol 6 destination tcp port 261
policy service t262 protocol 6 destination tcp port 262
policy service t443 protocol 6 destination tcp port 443
policy service t80 protocol 6 destination tcp port 80
policy service group tcp t21 t22 t23 t259 t260
policy service group tcp t261 t262 t443 t80
policy network group NG 192.168.1.11 192.168.1.12 192.168.1.13
policy condition C_toSwitch destination network group Switch service group tcp
policy condition c_ok source network group NG destination network group Switch service group tcp
policy action accept disposition accept
policy action deny disposition deny
policy rule r_ok precedence 100 condition c_ok action accept
policy rule drop condition C_toSwitch action deny
qos apply

no aaa authentication telnet  :  disables telnet authentication itself; the door is open, but nobody is authorized to enter
no ip service telnet  :  blocks telnet port 23, closing the door entirely
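As an added example (not from the original page or from Alcatel), the Python below models the management-plane policies above (the telnet-block / SSH allowlist and the NG sample) so they can be checked before qos apply: it renders the AOS commands, evaluates a source IP and destination port against the rules, and flags a Permit that an "Any" Deny with equal or higher precedence would shadow. It assumes, as the page's examples rely on, that the rule with the higher precedence number is evaluated first and that traffic matching no rule is allowed; the names Rule, Policy, mgmt_allowlist, C_<name> and T<port> are the example's own.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    name: str
    src: str          # "Any" or the name of a policy network group
    port: int         # TCP destination port on the switch itself
    action: str       # "Permit" or "Deny"
    precedence: int = 0

@dataclass
class Policy:
    groups: dict = field(default_factory=dict)  # group name -> ["ip" or "net/prefix"]
    rules: list = field(default_factory=list)

    def decide(self, src_ip, dst_port):
        """First matching rule in descending precedence decides; no match = allowed."""
        ip = ip_address(src_ip)
        for r in sorted(self.rules, key=lambda r: r.precedence, reverse=True):
            hit = r.src == "Any" or any(ip in ip_network(n, strict=False) for n in self.groups[r.src])
            if hit and r.port == dst_port:
                return r.action
        return "Permit"

    def lint(self):
        """Flag Permit rules that an 'Any' Deny on the same port would shadow."""
        return [f"{p.name} shadowed by {d.name}"
                for p in self.rules if p.action == "Permit"
                for d in self.rules
                if d.action == "Deny" and d.port == p.port
                and d.src == "Any" and d.precedence >= p.precedence]

    def to_cli(self):
        """Render the policy as AOS CLI lines in the page's style, ending with qos apply."""
        lines = [f"policy service T{p} protocol 6 destination tcp port {p}"
                 for p in sorted({r.port for r in self.rules})]
        lines += [f"policy network group {g} " + " ".join(n) for g, n in self.groups.items()]
        lines += ["policy action Permit", "policy action Deny disposition deny"]
        for r in self.rules:
            src = "ip Any" if r.src == "Any" else f"network group {r.src}"
            lines.append(f"policy condition C_{r.name} source {src} "
                         f"destination network group Switch service T{r.port}")
            lines.append(f"policy rule {r.name} precedence {r.precedence} "
                         f"condition C_{r.name} action {r.action}")
        return lines + ["qos apply"]

def mgmt_allowlist(admin_ips):
    """The page's 'block telnet, allow SSH only from NET' policy for the given admin IPs."""
    pol = Policy(groups={"NET": list(admin_ips)})
    pol.rules = [Rule("A1", "NET", 22, "Permit", 30),   # SSH from the admin IPs
                 Rule("B1", "Any", 22, "Deny", 20),     # SSH from everyone else
                 Rule("C1", "Any", 23, "Deny", 10)]     # telnet from anyone
    return pol

if __name__ == "__main__":
    pol = mgmt_allowlist(["59.12.186.241", "119.194.103.202"])  # two of the page's admin IPs
    print("\n".join(pol.to_cli()), pol.lint(), pol.decide("10.0.0.5", 22))
```

Run lint() on any edit to the precedences before entering qos apply; a shadowed Permit means the admin hosts lock themselves out along with everyone else.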

CMM synchronization

Synchronize the working directory with the certified directory
-> copy working certified
Synchronize the primary CMM with the secondary CMM
-> copy working certified flash-synchro

Reset CPU utilization statistics

health statistics reset

Module reset

-  no power ni [slot #] : power down the NI module.
-  power ni [slot #] : restore power to the NI module.

Account management file

rm "userTable#" and then reload; the switch's account information returns to the defaults.
-> cd network
-> ls

Listing Directory /flash/network:

drw      2048 Nov 28  2007 ./
drw      2048 Jan 16 23:07 ../
-rw     23040 Dec 14  2007 userTable4
-rw        29 May 16  2006 policy.cfg
-rw        32 May 16  2006 qos.cfg
-rw       404 May 16  2006 ssh_host_dsa_key
-rw       359 May 16  2006 ssh_host_dsa_key.pub
  26277888 bytes free

Banner configuration

On a PC, put the banner text in ban.txt
From a DOS prompt, upload ban.txt with ftp to any directory on the Alcatel
session banner cli /flash/<directory containing ban.txt>/ban.txt
Note: instead of ftp you can also edit the file with vi

DHCP Relay

- IP helper standard mode : handles all DHCP requests arriving at the switch
  -> ip helper address 10.10.10.10

- IP helper per-VLAN mode : handles DHCP requests only from the specified VLAN
  -> ip helper per-vlan only
  -> ip helper address 10.10.20.20 vlan 10

- ip helper dhcp-snooping port 2/1 ip-source-filter enable   (blocks users with static IPs)

DHCP

  1. First upgrade AOS to the 6.4.3 code (earlier releases support relay only)
  2. On a PC create the two files below, dhcpd.conf and dhcpd.pcy

dhcpd.conf

server-identifier site_name.com;

subnet 192.168.1.0 netmask 255.255.255.0 {
dynamic-dhcp range 192.168.1.101 192.168.1.110 {
option subnet-mask 255.255.255.0;
option routers 192.168.1.205;
option domain-name-servers 168.126.63.1;
option dhcp-lease-time 900;
}
}

subnet 192.168.2.0 netmask 255.255.255.0 {
dynamic-dhcp range 192.168.2.101 192.168.2.110 {
option subnet-mask 255.255.255.0;
option routers 192.168.2.205;
option domain-name-servers 168.126.63.1;
option dhcp-lease-time 900;
}
}

..


dhcpd.pcy

PingDelay = 200
PingAttempts = 3
PingSendDelay = 1000
DefaultLease = 86400
  - Upload both files to the /flash/switch directory and enter the following at the command prompt.

dhcp-server restart
dhcp-server enable

See the 6.4.3 NT guide: dhcpd.conf takes many more parameters than the ones shown above.

dhcpd.conf has no option to exclude individual IP addresses; split the range instead.