Purpose

Make a factory-default Cisco device usable simply by connecting it to the network.
The configurations are kept on a TFTP server, and the config matching the device's serial number is applied automatically. This greatly reduces the work involved in new installations and maintenance replacements.
This is done with free tools only, without Cisco CNS or any third-party application.

Overview

When a Cisco device boots, it runs a sequence that requests an address via DHCP. At that point it can load a boot file and start from it; in effect, it PXE-boots.
That means that if a config is prepared for each device that will be connected, a zero-touch config can be applied whether the device is a new installation or a maintenance replacement.

Problem

DHCP server options can specify an individual file per MAC address, but naturally the DHCP server knows nothing about a Cisco device's serial number.
To find a device's MAC address you normally have to connect to the console, and on some models the MAC address varies per interface, so this is not practical.
The device's serial number, on the other hand, is on a sticker on the device, and with a proper maintenance contract the maintenance vendor can probably disclose it as shipping information.
So the approach is: at boot, load a config that works on any device, have it obtain the device's serial number automatically, and then fetch the file that corresponds to that serial.

Test environment

Installation

DHCP server

Installing the application

See: DHCP server redundancy with isc-dhcp-server

Editing the configuration file

[ubuntu@lxc ~]$ sudo vi /etc/dhcp/dhcpd.conf
------8<------
subnet 192.168.200.0 netmask 255.255.255.0 {
  pool{
    failover peer "FOdhcp";
    range 192.168.200.65 192.168.200.128;
    option routers 192.168.200.254;
    option broadcast-address 192.168.200.255;
    # TFTP server (next-server / siaddr) that holds the initial config
    next-server 192.168.10.177;
    # initial config file to load
    filename "autoinstall/default";
  }
}
------>8------

TFTP server

Installing the application

See: Setting up a TFTP server with tftpd-hpa

Configuration file layout

/var/lib/tftpboot/autoinstall : minimal config
/var/lib/tftpboot/serial/FHKxxxxxxxx.config : config for each serial number (FHKxxxxxxxx is the serial number of the device in use)
/var/lib/tftpboot/hostname/HOSTNAME.config : config for each hostname (symbolic link to the serial-number file)

Editing the configuration file

[ubuntu@lxc ~]$ sudo vi /var/lib/tftpboot/autoinstall/default
event manager applet CheckInterface
 ! fire the EEM applet when the router starts up
 event syslog pattern "Cisco"
 ! identify the model
 action 3.0 set model "none"
 action 3.1 cli command "show version | include [Cc]isco\ (.+)\ (\(.+\)).+bytes of memory."
 action 3.2 regexp "[Cc]isco\ ([^\ ]*)\ " "$_cli_result" match model
 ! for now, on an 1812J this yields 1812-J
 action 4.0 if $model eq "1812-J"
 action 4.1  set interface "fas 0"
 ! check the show version output of other models and add them here to support them
 action 4.999 end
 ! configure the interface for DHCP
 action 5.0 cli command "enable"
 action 5.1 cli command "configure terminal"
 action 5.2 cli command "interface $interface"
 action 5.3 cli command " ip address dhcp"
 action 5.4 cli command " no shutdown"
 action 5.5 cli command "end"
!
!
event manager applet ConfigInstall
 ! fire the EEM applet once DHCP has assigned an address
 event syslog pattern "%DHCP-6-ADDRESS_ASSIGN"
 ! find the serial number
 action 1.0 set serial "none"
 action 1.1 cli command "show version | include Processor board ID"
 action 1.2 regexp "Processor\ board\ ID\ ([0-9a-zA-Z]*)," "$_cli_result" match serial
 ! fetch the file matching the serial number
 action 2.0 cli command "enable"
 action 2.1 cli command "copy tftp://192.168.10.177/autoinstall/serial/$serial.config startup-config" pattern "Destination filename"
 action 2.2 cli command "startup-config"
 action 3.0 reload
!
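
To check the two applets' patterns without booting a router, here is an added Python example (not code from the original page). It runs a constructed show version sample, modelled on the boot log below, through the same include filter and regexp patterns the applets use, and lists the CLI lines each applet would issue. The serial FHK123456AB is a made-up sample value, the TFTP address 192.168.10.177 is the next-server from the dhcpd.conf above, and the model-to-interface table contains only the 1812-J entry from the applet. The copy URL uses autoinstall/serial/, as the applet and the boot log do.

```python
"""Offline dry run of the two EEM applets in autoinstall/default.

Added example, not code from the original page. It feeds a constructed
`show version` sample through the same `| include` filter and `regexp`
patterns the applets use, so a typo in a pattern is caught on a workstation
rather than on a router that then boots without a usable config.
"""
import re

# Patterns copied from the applets (IOS "\ " escapes written as plain spaces).
INCLUDE_FILTER = re.compile(r"[Cc]isco (.+) (\(.+\)).+bytes of memory.")
MODEL_RE = re.compile(r"[Cc]isco ([^ ]*) ")
SERIAL_FILTER = re.compile(r"Processor board ID")
SERIAL_RE = re.compile(r"Processor board ID ([0-9a-zA-Z]*),")

# Model -> interface table from applet CheckInterface; add other models here.
MODEL_INTERFACE = {"1812-J": "fas 0"}

TFTP_SERVER = "192.168.10.177"  # next-server from the page's dhcpd.conf

# Constructed sample modelled on the boot log on the page; the serial is made up.
SAMPLE_SHOW_VERSION = """\
Cisco IOS Software, C181X Software (C181X-ADVIPSERVICESK9-M), Version 15.1(4)M1, RELEASE SOFTWARE (fc1)
Cisco 1812-J (MPC8500) processor (revision 0x400) with 354304K/38912K bytes of memory.
Processor board ID FHK123456AB, with hardware revision 0000
10 FastEthernet interfaces
"""


def cli_include(output, pattern):
    """Emulate IOS `show ... | include <regex>`: keep only the matching lines."""
    return "\n".join(line for line in output.splitlines() if pattern.search(line))


def derive_model(show_version):
    """Applet CheckInterface, actions 3.0-3.2: stays 'none' when nothing matches."""
    match = MODEL_RE.search(cli_include(show_version, INCLUDE_FILTER))
    return match.group(1) if match else "none"


def derive_serial(show_version):
    """Applet ConfigInstall, actions 1.0-1.2: stays 'none' when nothing matches."""
    match = SERIAL_RE.search(cli_include(show_version, SERIAL_FILTER))
    return match.group(1) if match else "none"


def interface_for(show_version):
    """Interface the CheckInterface if-chain would set, or None for an unknown
    model (the applet would then run `interface ` with an empty name and fail)."""
    return MODEL_INTERFACE.get(derive_model(show_version))


def plan_checkinterface(show_version):
    """CLI lines CheckInterface would issue; refuse to plan for an unknown model."""
    interface = interface_for(show_version)
    if interface is None:
        raise ValueError(f"no interface mapping for model {derive_model(show_version)!r}")
    return ["enable", "configure terminal", f"interface {interface}",
            " ip address dhcp", " no shutdown", "end"]


def plan_configinstall(show_version):
    """TFTP URL ConfigInstall copies to startup-config (autoinstall/serial/, as in
    the applet and the boot log)."""
    serial = derive_serial(show_version)
    if serial == "none":
        raise ValueError("serial not found in show version output")
    return f"tftp://{TFTP_SERVER}/autoinstall/serial/{serial}.config"


if __name__ == "__main__":
    print("model:", derive_model(SAMPLE_SHOW_VERSION), "serial:", derive_serial(SAMPLE_SHOW_VERSION))
    print("\n".join(plan_checkinterface(SAMPLE_SHOW_VERSION)))
    print(plan_configinstall(SAMPLE_SHOW_VERSION))
```

Paste the first lines of a real show version into SAMPLE_SHOW_VERSION for each model you want to support; if interface_for() returns None, the model needs its own line in the if-chain of CheckInterface before the router is deployed.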

Verification

Initial boot sequence

System Bootstrap, Version 12.3(8r)YH6, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2005 by cisco Systems, Inc.
C1800 platform with 393216 Kbytes of main memory with parity disabled

Readonly ROMMON initialized
program load complete, entry point: 0x80012000, size: 0xc0c0

Initializing ATA monitor library.......
program load complete, entry point: 0x80012000, size: 0xc0c0

Initializing ATA monitor library.......

program load complete, entry point: 0x80012000, size: 0x1c198b8
Self decompressing the image : ############################################################################################################################################################################################################################################################################### [OK]

              Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

           cisco Systems, Inc.
           170 West Tasman Drive
           San Jose, California 95134-1706



Cisco IOS Software, C181X Software (C181X-ADVIPSERVICESK9-M), Version 15.1(4)M1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Tue 14-Jun-11 16:40 by prod_rel_team


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Installed image archive
Cisco 1812-J (MPC8500) processor (revision 0x400) with 354304K/38912K bytes of memory.
Processor board ID FHKxxxxxxxx, with hardware revision 0000

10 FastEthernet interfaces
1 ISDN Basic Rate interface
1 Virtual Private Network (VPN) Module
31360K bytes of ATA CompactFlash (Read/Write)

Loading autoinstall/default from 192.168.10.177 (via FastEthernet0): !
[OK - 1428 bytes]
Domain server mapped address 192.168.10.177 to vmtftp01.prosper2.org


Press RETURN to get started!


*May 14 14:02:07.507: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0  State changed to: Initialized
*May 14 14:02:08.023: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0  State changed to: Enabled
*May 14 14:02:24.959: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to up
*May 14 14:02:24.959: %LINK-3-UPDOWN: Interface FastEthernet1, changed state to up
*May 14 14:02:24.959: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0, changed state to down
*May 14 14:02:24.959: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed state to down
*May 14 14:02:24.959: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:2, changed state to down
*May 14 14:02:25.891: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
*May 14 14:02:25.955: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to up
*May 14 14:02:25.959: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1, changed state to down
*May 14 14:02:26.959: %LINK-3-UPDOWN: Interface FastEthernet1, changed state to down
*May 14 14:02:26.975: USB init complete.
*May 14 14:02:55.323: AUTOINSTALL: FastEthernet0 is assigned 192.168.200.68
*May 14 14:02:55.323: AUTOINSTALL: Obtain siaddr 192.168.10.177 (as config server)
*May 14 14:02:58.635: %PARSER-4-BADCFG: Unexpected end of configuration file.

*May 14 14:02:58.635: %SYS-5-CONFIG_I: Configured from tftp://vmtftp01.prosper2.org/autoinstall/default by console
*May 14 14:02:59.687: %LINK-5-CHANGED: Interface BRI0, changed state to administratively down
*May 14 14:03:02.683: %LINK-5-CHANGED: Interface FastEthernet1, changed state to administratively down
*May 14 14:03:02.687: %LINK-3-UPDOWN: Interface FastEthernet2, changed state to up
*May 14 14:03:02.687: %LINK-3-UPDOWN: Interface FastEthernet3, changed state to up
*May 14 14:03:02.687: %LINK-3-UPDOWN: Interface FastEthernet4, changed state to up
*May 14 14:03:02.687: %LINK-3-UPDOWN: Interface FastEthernet5, changed state to up
*May 14 14:03:02.687: %LINK-3-UPDOWN: Interface FastEthernet6, changed state to up
*May 14 14:03:02.687: %LINK-3-UPDOWN: Interface FastEthernet7, changed state to up
*May 14 14:03:02.687: %LINK-3-UPDOWN: Interface FastEthernet8, changed state to up
*May 14 14:03:02.687: %LINK-3-UPDOWN: Interface FastEthernet9, changed state to up
*May 14 14:03:02.687: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C181X Software (C181X-ADVIPSERVICESK9-M), Version 15.1(4)M1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Tue 14-Jun-11 16:40 by prod_rel_team
*May 14 14:03:02.687: %SNMP-5-COLDSTART: SNMP agent on host Router is undergoing a cold start
*May 14 14:03:02.695: %SYS-6-BOOTTIME: Time taken to reboot after reload =  249 seconds
*May 14 14:03:02.719: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
*May 14 14:03:02.719: %CRYPTO-6-GDOI_ON_OFF: GDOI is OFF
*May 14 14:03:03.687: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2, changed state to down
*May 14 14:03:03.687: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet3, changed state to down
*May 14 14:03:03.687: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet4, changed state to down
*May 14 14:03:03.687: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet5, changed state to down
*May 14 14:03:03.687: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet6, changed state to down
*May 14 14:03:03.687: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet7, changed state to down
*May 14 14:03:03.687: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet8, changed state to down
*May 14 14:03:03.687: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet9, changed state to down
*May 14 14:03:08.315: %SYS-5-CONFIG_I: Configured from console by  on vty0 (EEM:CheckInterface)
*May 14 14:03:17.387: %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0 assigned
*May 14 14:03:18.823: %SYS-5-RELOAD: Reload requested by EEM. Reload Reason: Embedded Event Manager action. DHCP address 192.168.200.68, mask 255.255.255.0, hostname Router

*May 14 14:03:18.619: %SYS-5-CONFIG_NV_I: Nonvolatile storage configured from tftp://vmtftp01.prosper2.org/autoinstall/serial/FHKxxxxxxxx.config by  on vty0 (EEM:ConfigInstall)

The router reboots here.

Reboot after saving the initial config

System Bootstrap, Version 12.3(8r)YH6, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2005 by cisco Systems, Inc.
C1800 platform with 393216 Kbytes of main memory with parity disabled

Readonly ROMMON initialized
program load complete, entry point: 0x80012000, size: 0xc0c0

Initializing ATA monitor library.......
program load complete, entry point: 0x80012000, size: 0xc0c0

Initializing ATA monitor library.......

program load complete, entry point: 0x80012000, size: 0x1c198b8
Self decompressing the image : ############################################################################################################################################################################################################################################################################### [OK]

              Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

           cisco Systems, Inc.
           170 West Tasman Drive
           San Jose, California 95134-1706



Cisco IOS Software, C181X Software (C181X-ADVIPSERVICESK9-M), Version 15.1(4)M1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Tue 14-Jun-11 16:40 by prod_rel_team


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Installed image archive
Cisco 1812-J (MPC8500) processor (revision 0x400) with 354304K/38912K bytes of memory.
Processor board ID FHKxxxxxxxx, with hardware revision 0000

10 FastEthernet interfaces
1 ISDN Basic Rate interface
1 Virtual Private Network (VPN) Module
31360K bytes of ATA CompactFlash (Read/Write)

SETUP: new interface BRI0 placed in "shutdown" state
SETUP: new interface FastEthernet1 placed in "shutdown" state


Press RETURN to get started!


*May 14 14:03:59.507: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0  State changed to: Initialized
*May 14 14:04:00.023: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0  State changed to: Enabled
*May 14 14:04:16.951: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to up
*May 14 14:04:16.951: %LINK-3-UPDOWN: Interface FastEthernet1, changed state to up
*May 14 14:04:16.951: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0, changed state to down
*May 14 14:04:16.951: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed state to down
*May 14 14:04:16.951: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:2, changed state to down
*May 14 14:04:17.883: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
*May 14 14:04:17.951: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to up
*May 14 14:04:17.951: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1, changed state to down
*May 14 14:04:18.951: %LINK-3-UPDOWN: Interface FastEthernet1, changed state to down
*May 14 14:04:18.971: USB init complete.
*May 14 14:04:20.475: %PARSER-4-BADCFG: Unexpected end of configuration file.

*May 14 14:04:20.475: %SYS-5-CONFIG_I: Configured from memory by console
*May 14 14:04:20.695: %LINK-5-CHANGED: Interface BRI0, changed state to administratively down
*May 14 14:04:22.947: %LINK-5-CHANGED: Interface FastEthernet1, changed state to administratively down
*May 14 14:04:22.947: %LINK-3-UPDOWN: Interface FastEthernet2, changed state to up
*May 14 14:04:22.947: %LINK-3-UPDOWN: Interface FastEthernet3, changed state to up
*May 14 14:04:22.947: %LINK-3-UPDOWN: Interface FastEthernet4, changed state to up
*May 14 14:04:22.951: %LINK-3-UPDOWN: Interface FastEthernet5, changed state to up
*May 14 14:04:22.951: %LINK-3-UPDOWN: Interface FastEthernet6, changed state to up
*May 14 14:04:22.951: %LINK-3-UPDOWN: Interface FastEthernet7, changed state to up
*May 14 14:04:22.951: %LINK-3-UPDOWN: Interface FastEthernet8, changed state to up
*May 14 14:04:22.951: %LINK-3-UPDOWN: Interface FastEthernet9, changed state to up
*May 14 14:04:22.951: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C181X Software (C181X-ADVIPSERVICESK9-M), Version 15.1(4)M1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Tue 14-Jun-11 16:40 by prod_rel_team
*May 14 14:04:22.951: %SNMP-5-COLDSTART: SNMP agent on host Rtest01 is undergoing a cold start
*May 14 14:04:22.959: %SYS-6-BOOTTIME: Time taken to reboot after reload =   64 seconds
*May 14 14:04:22.979: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
*May 14 14:04:22.979: %CRYPTO-6-GDOI_ON_OFF: GDOI is OFF
*May 14 14:04:23.947: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2, changed state to down
*May 14 14:04:23.947: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet3, changed state to down
*May 14 14:04:23.947: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet4, changed state to down
*May 14 14:04:23.951: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet5, changed state to down
*May 14 14:04:23.951: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet6, changed state to down
*May 14 14:04:23.951: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet7, changed state to down
*May 14 14:04:23.951: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet8, changed state to down
*May 14 14:04:23.951: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet9, changed state to down

User Access Verification

Password:
Rtest01>

Caveats

Do not put a broadcast configuration on the segment to which the Cisco devices for zero-touch deployment are connected.
If you do, the DHCP address assignment completes during the first boot sequence, but the DHCP address assignment after startup does not complete, so take care.
For some reason the DHCPOFFER was sent from the DHCP server, but no DHCPACK came back and the assignment never completed. That cost me half a day...

It worked with the following configuration.

interface Vlan200
 description %%% RouterInitializeNetwork %%%
 ip address 192.168.200.254 255.255.255.0
 ip helper-address 192.168.10.186
 ip helper-address 192.168.10.185
end

Other notes

/var/lib/tftpboot/serial/FHKxxxxxxxx.config is the config for each serial number, and the serial-number format differs by model.
It is also hard to tell at a glance which device a file belongs to, which hurts operability.
So by creating symbolic links named after the hostname (or similar) in a separate directory, you get config management and better operability at the same time.
For config management, try haruca.
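
An added Python example (not part of the original page) that builds the tree described above from a small constructed inventory and then checks it the way the ConfigInstall applet will use it: serial config files under autoinstall/serial/ (the path the applet fetches from), hostname symlinks in a separate hostname/ directory, and a verification pass that reports missing configs, dangling links, links that point outside the serial directory, and stale hostname links. The inventory, serials and hostnames are made up; the directory names follow the layout section and the applet, and the tree is built in a temporary directory rather than /var/lib/tftpboot.

```python
"""Build and verify the per-serial TFTP tree with hostname symlinks.

Added example, not part of the original page. Serial configs go under
autoinstall/serial/ (the path the ConfigInstall applet fetches), hostname
links under hostname/, and verify_tree() reports anything the applet or an
operator would trip over: a missing serial config, a dangling link, a link
that escapes the serial directory, or a stale link for a retired host.
"""
import os
import re
import tempfile
from pathlib import Path

# Serial form the applet's regexp captures: [0-9a-zA-Z]* up to the comma.
SERIAL_OK = re.compile(r"^[0-9a-zA-Z]+$")

# Constructed inventory, serial -> (hostname, config text); all values made up.
INVENTORY = {
    "FHK123456AB": ("Rtest01", "hostname Rtest01\n!\nend\n"),
    "FHK123456AC": ("Rtest02", "hostname Rtest02\n!\nend\n"),
}


def build_tree(root, inventory):
    """Write <root>/autoinstall/serial/<SERIAL>.config and point
    <root>/hostname/<HOSTNAME>.config at it with a relative symlink."""
    serial_dir = root / "autoinstall" / "serial"
    host_dir = root / "hostname"
    serial_dir.mkdir(parents=True, exist_ok=True)
    host_dir.mkdir(parents=True, exist_ok=True)
    for serial, (hostname, config) in inventory.items():
        if not SERIAL_OK.match(serial):
            raise ValueError(f"serial {serial!r} would not match the EEM regexp")
        target = serial_dir / f"{serial}.config"
        target.write_text(config)
        link = host_dir / f"{hostname}.config"
        if link.is_symlink() or link.exists():
            link.unlink()
        # Relative link so the tree survives a move or a tftpd chroot.
        link.symlink_to(os.path.relpath(target, host_dir))


def verify_tree(root, inventory):
    """Return a list of problems; an empty list means the tree is consistent."""
    problems = []
    serial_dir = (root / "autoinstall" / "serial").resolve()
    host_dir = root / "hostname"
    for serial, (hostname, _) in inventory.items():
        cfg = serial_dir / f"{serial}.config"
        if not cfg.is_file():
            problems.append(f"missing config for serial {serial}")
        link = host_dir / f"{hostname}.config"
        if not link.is_symlink():
            problems.append(f"{link.name} is not a symlink")
            continue
        resolved = link.resolve()
        if not resolved.is_file():
            problems.append(f"{link.name} dangles")
        elif resolved.parent != serial_dir:
            problems.append(f"{link.name} points outside autoinstall/serial")
        elif resolved.name != cfg.name:
            problems.append(f"{link.name} points at {resolved.name}, expected {cfg.name}")
    # A hostname link with no inventory entry belongs to a retired or renamed host.
    known_hosts = {hostname for hostname, _ in inventory.values()}
    for link in host_dir.glob("*.config"):
        if link.stem not in known_hosts:
            problems.append(f"stale hostname link {link.name}")
    return problems


def demo():
    """Build into a temporary root, verify, then delete one serial config and
    verify again so the failure reporting can be seen."""
    root = Path(tempfile.mkdtemp(prefix="tftpboot-"))
    build_tree(root, INVENTORY)
    clean = verify_tree(root, INVENTORY)
    (root / "autoinstall" / "serial" / "FHK123456AC.config").unlink()
    broken = verify_tree(root, INVENTORY)
    return clean, broken


if __name__ == "__main__":
    clean, broken = demo()
    print("clean tree:", clean or "OK")
    print("after removing FHK123456AC.config:", broken)
```

Run verify_tree() against the real TFTP root whenever the inventory changes; a device whose serial has no config file will boot, fail the copy in ConfigInstall, and then reload with nothing saved, which is much harder to notice from the router's side than from this report.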
