Thursday, December 13, 2012
[Cisco] IPSec Site to Site VPN on IOS router (Sample 1)
(1) Configure ISAKMP (ISAKMP Phase 1)
(2) Configure IPSec (ISAKMP Phase 2, ACLs, Crypto MAP)
Configure ISAKMP (IKE) - (ISAKMP Phase 1)
R1(config)# crypto isakmp policy 1
R1(config-isakmp)# encr 3des
R1(config-isakmp)# hash md5
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 2
R1(config-isakmp)# lifetime 86400
R1(config)# crypto isakmp key firewallcx address 1.1.1.2
Creating crypto ACL
R1(config)# ip access-list extended VPN-TRAFFIC
R1(config-ext-nacl)# permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
Create IPSec Transform (ISAKMP Phase 2 policy)
R1(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac
Create Crypto Map
R1(config)# crypto map CMAP 10 ipsec-isakmp
R1(config-crypto-map)# set peer 1.1.1.2
R1(config-crypto-map)# set transform-set TS
R1(config-crypto-map)# match address VPN-TRAFFIC
Apply Crypto Map to the Public Interface
R1(config)# interface FastEthernet0/1
R1(config-if)# crypto map CMAP
Add default route
R1(config)# ip route 0.0.0.0 0.0.0.0 1.1.1.2
R2 Config:
R2(config)# crypto isakmp policy 1
R2(config-isakmp)# encr 3des
R2(config-isakmp)# hash md5
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# group 2
R2(config-isakmp)# lifetime 86400
!
R2(config)# crypto isakmp key firewallcx address 1.1.1.1
!
R2(config)# ip access-list extended VPN-TRAFFIC
R2(config-ext-nacl)# permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
!
R2(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
R2(config)# crypto map CMAP 10 ipsec-isakmp
R2(config-crypto-map)# set peer 1.1.1.1
R2(config-crypto-map)# set transform-set TS
R2(config-crypto-map)# match address VPN-TRAFFIC
!
R2(config)# interface FastEthernet0/1
R2(config-if)# crypto map CMAP
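The Phase 1 and Phase 2 choices above (3DES, MD5, DH group 2, a short pre-shared key that sits in cleartext in the running-config) were already dated in 2012 and should not be copied into a new deployment. The script below is an added example and not part of the original post: it audits a saved `show running-config` for exactly those choices and counts the findings. Both configs it reads are constructed here: the first is the R1 configuration above as IOS displays it, the second is a hardened counterpart using `encr aes 256`, `hash sha256`, `group 14`, `esp-aes 256` with `esp-sha256-hmac` and a type-6 encrypted key (this assumes an IOS release that supports those keywords, and the key blob is a placeholder, not real ciphertext).

```shell
#!/bin/sh
# Added example: audit an IOS running-config for the weak IKE/IPsec settings
# used in this post (3DES, MD5, DH group 2, cleartext pre-shared key).

# Constructed input: the R1 configuration above as "show running-config" prints it.
WEAK_CONFIG='crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key firewallcx address 1.1.1.2
crypto ipsec transform-set TS esp-3des esp-md5-hmac
crypto map CMAP 10 ipsec-isakmp
 set peer 1.1.1.2
 set transform-set TS
 match address VPN-TRAFFIC'

# Constructed hardened counterpart. "key 6 <blob>" is how IOS shows a
# pre-shared key once "password encryption aes" is configured; the blob
# here is a placeholder, not real ciphertext.
HARDENED_CONFIG='crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
crypto isakmp key 6 PLACEHOLDERBLOB address 1.1.1.2
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel'

# audit_ios_crypto: read a config on stdin, print one WEAK/INFO line per finding.
audit_ios_crypto() {
    while IFS= read -r line; do
        # IOS indents sub-mode lines with one space; drop it.
        l=${line# }
        case "$l" in
            "encr des"|"encr 3des"|"encryption des"|"encryption 3des")
                echo "WEAK: ISAKMP '$l' -> use 'encr aes 256'" ;;
            "hash md5"|"hash sha")
                echo "WEAK: ISAKMP '$l' -> use 'hash sha256' or stronger" ;;
            "group 1"|"group 2"|"group 5")
                echo "WEAK: ISAKMP DH '$l' -> use 'group 14' or an ECDH group" ;;
            "crypto isakmp key "*)
                # "crypto isakmp key 6 <blob> address X" is type-6 encrypted;
                # anything else is the cleartext key stored in the config.
                set -- $l
                [ "$4" = "6" ] || echo "INFO: cleartext ISAKMP pre-shared key for ${l##* address }"
                ;;
            "crypto ipsec transform-set "*)
                set -- $l
                shift 4          # drop "crypto ipsec transform-set NAME"
                for t in "$@"; do
                    case "$t" in
                        esp-des|esp-3des|esp-null)
                            echo "WEAK: transform '$t' -> use 'esp-aes 256'" ;;
                        esp-md5-hmac)
                            echo "WEAK: transform '$t' -> use 'esp-sha256-hmac'" ;;
                    esac
                done
                ;;
        esac
    done
}

# weak_count: number of WEAK findings for the config on stdin (INFO lines not counted).
weak_count() { audit_ios_crypto | grep -c '^WEAK' || true; }

# Usage: findings for the post's config, then the count for each variant.
printf '%s\n' "$WEAK_CONFIG" | audit_ios_crypto
printf '%s\n' "$WEAK_CONFIG" | weak_count      # 5
printf '%s\n' "$HARDENED_CONFIG" | weak_count  # 0
```

Run it against `show running-config` output captured from each peer; both ends must be changed together, since ISAKMP and transform-set parameters have to match for the tunnel to come up. The crypto ACLs on R1 and R2 above are already mirror images of each other, which is the other thing this kind of check should confirm.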
Friday, November 2, 2012
RHEL5.8 and SSR2011 Testbed
Node A
Public: eth0: 192.168.159.12/24
iSCSI: eth1: 192.168.70.12/24
Private: eth2: 192.168.205.12/24
Node B
Public: eth0: 192.168.159.13/24
iSCSI: eth1: 192.168.70.13/24
Private: eth2: 192.168.205.13/24
SAN:
Public: eth0: 192.168.159.20/24
iSCSI: eth1: 192.168.70.20/24
Restore the system:
Capture fdisk -l on the original server.
Check the current LVM config (pvdisplay, vgdisplay, lvdisplay) so the same layout can be recreated.
Boot up the server with CustomSRD.
Use fdisk to create the same partitions as the original server.
lvm pvcreate /dev/{sda2,sdb1,sdc1}
lvm pvdisplay
lvm vgcreate -s 32M VolGroup00 /dev/{sda2,sdb1,sdc1}
lvm vgdisplay
lvm lvcreate -L 27.84G -n LogVol00 VolGroup00
lvm lvcreate -L 1.97G -n LogVol01 VolGroup00
lvm lvdisplay
mkfs.ext3 /dev/mapper/VolGroup00-LogVol00
mkfs.ext3 /dev/mapper/VolGroup00-LogVol01
Some useful Linux commands
Check runlevel
$ who -r
Change runlevel
# vi /etc/inittab
-----------------------------------------------------------------------------------------------------------
Format a SWAP partition:
# mkswap /dev/sda1
-----------------------------------------------------------------------------------------------------------
iSCSI:
Discovering iSCSI Targets:
#iscsiadm -m discovery -t st -p <Group IP address>:3260
Logging in iSCSI Targets:
#iscsiadm -m node -l
#iscsiadm -m node -l -T <Complete Target Name> -p <Group IP>:3260
Example:
#iscsiadm -m node -l -T iqn.2001-05.com.equallogic:83bcb3401-16e0002fd0a46f3d-rhel5-test -p 172.23.10.240:3260
Logging out iSCSI Targets:
#iscsiadm -m node -u
#iscsiadm -m node -u -T <Complete Target Name> -p <Group IP address>:3260
Example:
#iscsiadm -m node -u -T iqn.2001-05.com.equallogic:83bcb3401-16e0002fd0a46f3d-rhel5-test -p 172.23.10.240:3260
Restart iSCSI service:
# /etc/init.d/iscsi restart
Delete old target:
iscsiadm -m node -p 192.198.1.148 --op=delete
Check connected target:
/var/lib/iscsi/nodes/
Server IQN:
# cat /etc/iscsi/initiatorname.iscsi
-----------------------------------------------------------------------------------------------------------
Test the I/O speed of an iSCSI target on Linux:
# hdparm -tT /dev/sdb1
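A bare `iscsiadm -m node -l` logs in to every node recorded under /var/lib/iscsi/nodes/, including stale entries left over from earlier targets (which is why the "Delete old target" step above exists). The script below is an added example, not part of the original notes: it builds the per-target login command from the discovery output so that only the intended IQN is logged in, and parses the session list to confirm the login. The discovery and session output it reads are constructed samples in the format the open-iscsi tools print; the first IQN is the one used in this post, the second is an invented neighbour on the same array.

```shell
#!/bin/sh
# Added example: log in only to the intended iSCSI target, then confirm it.
# Dry run: commands are printed, not executed.

# Constructed sample of "iscsiadm -m discovery -t st -p 172.23.10.240:3260" output
# (format: <ip>:<port>,<tpgt> <target IQN>). Second IQN is invented.
DISCOVERY_OUTPUT='172.23.10.240:3260,1 iqn.2001-05.com.equallogic:83bcb3401-16e0002fd0a46f3d-rhel5-test
172.23.10.240:3260,1 iqn.2001-05.com.equallogic:example-other-host'

# Constructed sample of "iscsiadm -m session" output after the login
# (format: <transport>: [<sid>] <ip>:<port>,<tpgt> <target IQN>).
SESSION_OUTPUT='tcp: [1] 172.23.10.240:3260,1 iqn.2001-05.com.equallogic:83bcb3401-16e0002fd0a46f3d-rhel5-test'

# login_commands PATTERN: read discovery output on stdin and print one
# "iscsiadm -m node -l -T <iqn> -p <ip>:<port>" line per IQN containing PATTERN.
login_commands() {
    pattern=$1
    while read -r portal iqn rest; do
        [ -n "$iqn" ] || continue
        case "$iqn" in
            *"$pattern"*) echo "iscsiadm -m node -l -T $iqn -p ${portal%,*}" ;;
        esac
    done
}

# session_iqns: read "iscsiadm -m session" output on stdin, print logged-in IQNs.
session_iqns() {
    while read -r transport sid portal iqn rest; do
        [ -n "$iqn" ] || continue
        echo "$iqn"
    done
}

# Usage (dry run against the sample). On a real host, once the printed
# command looks right:
#   iscsiadm -m discovery -t st -p 172.23.10.240:3260 | login_commands rhel5-test | sh -x
#   iscsiadm -m session | session_iqns
printf '%s\n' "$DISCOVERY_OUTPUT" | login_commands rhel5-test
printf '%s\n' "$SESSION_OUTPUT" | session_iqns
```

If the array enforces CHAP, set `node.session.auth.authmethod = CHAP` together with `node.session.auth.username` and `node.session.auth.password` in /etc/iscsi/iscsid.conf before the login; without it the login is rejected, and without CHAP on the array side any host that can reach the iSCSI VLAN can attach the volume.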
-----------------------------------------------------------------------------------------------------------
Network:
# vi /etc/sysconfig/network
GATEWAY=your-ip
# vi /etc/sysconfig/network-scripts/ifcfg-eth0:0
DEVICE=eth0:0
IPADDR=192.168.1.7
NETMASK=255.255.255.0
NETWORK=192.168.1.0
ONBOOT=yes
NAME=eth0:0
-----------------------------------------------------------------------------------------------------------
YUM Local Repo:
# vi /etc/yum.repos.d/rhel-debuginfo.repo
[cdrom]
name=RHEL $releasever-$basearch CDROM
baseurl=file:///media/cdrom/Server
enabled=1
gpgcheck=1
gpgkey=file:///media/cdrom/RPM-GPG-KEY-redhat-release
-----------------------------------------------------------------------------------------------------------
Thursday, November 1, 2012
Hot add a NIC to a VM with a Linux guest OS
To configure the network card from the command line interface:
- The acpiphp module must be loaded for Linux to detect hot-added devices.
To load the acpiphp module, run this command:
modprobe acpiphp
- Run the kudzu command to ensure that the new hardware is detected and configured.
- Run this command to ensure that the network card is enabled:
ifup eth2
Note: eth2 is the new network card that has been added.
- To configure the network card, edit the ifcfg-eth2 file using a text editor.
To edit the file using vi editor, run this command:
# vi /etc/sysconfig/network-scripts/ifcfg-eth2
Add a new HDD without rebooting Linux guest OS on VMware Workstation/vSphere
-Add a HDD in VM Setting.
-Check scsi_host value:
# ls /sys/class/scsi_host
-Rescan the scsi bus:
echo "- - -" > /sys/class/scsi_host/host#/scan
fdisk -l
tail -f /var/log/messages
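The rescan step above leaves `host#` for the reader to fill in, and nothing tells you which device node the new disk received. The script below is an added example, not part of the original post: it snapshots the disk list, writes `- - -` (any channel, target and LUN) to every SCSI host's scan node, and prints the disks that appeared. The sysfs root is a parameter (default /sys) so the same functions can be exercised against a constructed directory tree without a VM.

```shell
#!/bin/sh
# Added example: hot-add a disk in the VM settings, rescan every SCSI host,
# and report which block devices appeared. SYSFS defaults to /sys; pass a
# constructed tree to exercise the functions without real hardware.

# list_disks SYSFS: whole-disk names under SYSFS/block, one per line, sorted.
list_disks() {
    for d in "$1"/block/*; do
        [ -e "$d" ] && basename "$d"
    done | sort
}

# rescan_hosts SYSFS: write "- - -" to every host's scan node (all hosts,
# so the host number never has to be guessed).
rescan_hosts() {
    for scan in "$1"/class/scsi_host/host*/scan; do
        [ -e "$scan" ] || continue
        echo "- - -" > "$scan"
    done
}

# new_disks BEFORE AFTER: names present in AFTER but not in BEFORE
# (both are newline-separated lists as produced by list_disks).
new_disks() {
    known=" $(printf '%s' "$1" | tr '\n' ' ') "
    for d in $2; do
        case "$known" in
            *" $d "*) ;;
            *) echo "$d" ;;
        esac
    done
}

# hotadd_scan [SYSFS]: snapshot, rescan, snapshot again, print the new disks.
hotadd_scan() {
    sysfs=${1:-/sys}
    before=$(list_disks "$sysfs")
    rescan_hosts "$sysfs"
    after=$(list_disks "$sysfs")
    new_disks "$before" "$after"
}

# Usage on a live guest (as root), after adding the disk in the VM settings:
#   hotadd_scan            # prints e.g. the new device name
#   fdisk -l /dev/<name>   # then partition it as usual
```

Run `hotadd_scan` as root on the guest and follow it with `fdisk -l` on the device it prints; the same names are what /var/log/messages reports when the kernel attaches the disk.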