Tuesday, 25 October 2016

Switch port-security: best-practice configuration

When sticky and aging are both configured, aging does not take effect: the switch does not age sticky secure addresses, so the two cannot be combined.
With sticky, a learned MAC address is bound to the port, and bound permanently (until it is cleared by hand or removed from the saved configuration). If the same device is then plugged into another secured port of the switch, that triggers a violation and the port goes err-disable.

With the configuration below, MAC addresses are not saved under the port (they exist only as SecureDynamic entries in the address table, not in the configuration), so a PC plugged into f0/3 and later moved to f0/6 does not cause an err-disable.

XYJ-C2960_11#show port-security int f0/10 | in Aging
Aging Time                 : 1 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled

XYJ-C2960_11(config)#int f0/10
XYJ-C2960_11(config-if)#switchport port-security
XYJ-C2960_11(config-if)#switchport port-security violation shutdown
XYJ-C2960_11(config-if)#switchport port-security maximum 1

XYJ-C2960_11(config-if)#do show port-s int f0/10 | in Aging
Aging Time                 : 1 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Enabled

The following three commands show almost no visible effect in testing, although they do differ in detail, so they can be configured or left out:
switchport port-security aging type inactivity | absolute
switchport port-security aging time 1
switchport port-security aging static
The precise difference is this: without aging, a MAC address that has been learned once never expires, so with maximum 3, once three PCs have been connected the fourth one triggers err-disable. With aging configured, say 5 minutes, the fourth PC no longer triggers a violation once the earlier entries have been cleared automatically after those 5 minutes (with type absolute an entry expires 5 minutes after it was learned; with type inactivity only if the address has sent no traffic for 5 minutes). aging static extends the same aging to statically configured secure addresses.

XYJ-C2960_9#show port-security interface f0/23 add
               Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                          Ports   Remaining Age
                                                                   (mins)    
----    -----------       ----                          -----   -------------
  11    000c.29e1.0542    SecureDynamic                 Fa0/23       -
  11    6400.6a95.9017    SecureDynamic                 Fa0/23       -
-----------------------------------------------------------------------------
Total Addresses: 2

XYJ-C2960_9#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
XYJ-C2960_9(config)#int f0/23
XYJ-C2960_9(config-if)#switchport port-security aging time 5
XYJ-C2960_9(config-if)#end
XYJ-C2960_9#show port-security interface f0/23 ad
               Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                          Ports   Remaining Age
                                                                   (mins)    
----    -----------       ----                          -----   -------------
  11    000c.29e1.0542    SecureDynamic                 Fa0/23       5
  11    6400.6a95.9017    SecureDynamic                 Fa0/23       5
-----------------------------------------------------------------------------
Total Addresses: 2

Because the violation mode is shutdown, enable automatic recovery, otherwise every violated port has to be re-enabled by hand. The interval is global for all errdisable causes (the default is 300 seconds); with 30 seconds, a port whose offending device is still attached comes back up and is shut down again every half minute, so keep the syslog from those events. If you only want the offending frames dropped, counted and logged without the port going down, configure violation restrict instead of shutdown.
XYJ-C2960_11(config)#errdisable recovery cause psecure-violation
XYJ-C2960_11(config)#errdisable recovery interval 30
XYJ-C2960_11#show errdisable recovery 
ErrDisable Reason            Timer Status
-----------------            --------------
arp-inspection               Disabled
bpduguard                    Disabled
channel-misconfig (STP)      Disabled
dhcp-rate-limit              Disabled
dtp-flap                     Disabled
gbic-invalid                 Disabled
inline-power                 Disabled
link-flap                    Disabled
mac-limit                    Disabled
loopback                     Disabled
pagp-flap                    Disabled
port-mode-failure            Disabled
pppoe-ia-rate-limit          Disabled
psecure-violation            Enabled
security-violation           Disabled
sfp-config-mismatch          Disabled
small-frame                  Disabled
storm-control                Disabled
udld                         Disabled
vmps                         Disabled
psp                          Disabled

Timer interval: 30 seconds

Interfaces that will be enabled at the next timeout:
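
As an added example (not from the original post and not a Cisco tool), the Python script below audits a running-config for the three points made above: sticky combined with aging (the aging is silently ignored), no explicit maximum, and violation shutdown without psecure-violation recovery. The configuration it reads is constructed for the example; the interface names and commands follow the IOS syntax shown on this page.

```python
"""Audit a Catalyst running-config for the port-security points discussed above.

Added example; the sample configuration below is constructed for it and is not
taken from the switch on this page.
"""
from typing import Dict, List

SAMPLE_CONFIG = """\
!
errdisable recovery cause psecure-violation
errdisable recovery interval 30
!
interface FastEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
!
interface FastEthernet0/6
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security aging time 5
!
interface FastEthernet0/10
 switchport mode access
 switchport port-security
!
interface GigabitEthernet0/1
 switchport mode trunk
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [its indented sub-commands, stripped]}."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return interfaces


def audit_port_security(config: str) -> Dict[str, List[str]]:
    """Return {interface: [findings]} for every interface with port-security enabled.

    An empty list means the interface matches the practice described above.
    """
    global_lines = {line.strip() for line in config.splitlines()}
    recovery_on = "errdisable recovery cause psecure-violation" in global_lines
    result: Dict[str, List[str]] = {}
    for name, cmds in parse_interfaces(config).items():
        if "switchport port-security" not in cmds:
            continue
        findings: List[str] = []
        sticky = "switchport port-security mac-address sticky" in cmds
        aging = [c for c in cmds if c.startswith("switchport port-security aging ")]
        has_max = any(c.startswith("switchport port-security maximum ") for c in cmds)
        violation = "shutdown"  # IOS default when no violation mode is configured
        for c in cmds:
            if c.startswith("switchport port-security violation "):
                violation = c.split()[-1]
        if sticky and aging:
            findings.append("aging configured together with sticky: sticky secure "
                            "addresses are not aged, so " + "; ".join(aging) + " has no effect")
        if not has_max:
            findings.append("maximum not set explicitly (default is 1)")
        if violation == "shutdown" and not recovery_on:
            findings.append("violation shutdown without 'errdisable recovery cause "
                            "psecure-violation': the port stays down until cleared by hand")
        result[name] = findings
    return result


if __name__ == "__main__":
    for interface, findings in audit_port_security(SAMPLE_CONFIG).items():
        print(interface, "->", findings or "ok")
```

Feed it the output of show running-config (saved to a file) instead of SAMPLE_CONFIG; trunk and other interfaces without port-security are skipped, so the report lists only the access ports that matter.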

Performance impact of port mirroring (SPAN) on a Cisco 3850

Below is my port mirroring configuration. Note that it uses 26 ports as sources and a single port as the destination. Turning the mirror off is just as simple: remove the session with no, as in the last line.
monitor session 1 source interface g1/0/1 - 12 , g2/0/1 - 12 , g1/0/43 , g2/0/43
monitor session 1 destination interface g2/0/48

no monitor session 1
After finishing the configuration I checked what this amount of traffic does to CPU and memory: the CPU increase was close to nothing and the memory increase negligible.
So the impact of port mirroring on the switch itself can be ignored, and you can try it without worrying. SPAN is done in the forwarding hardware, which is why the CPU does not move; the limit is the destination port. Twenty-six gigabit sources feeding one gigabit port is heavily oversubscribed, and whatever exceeds the line rate of g2/0/48 is dropped by the switch, so what the analyzer sees is a sample rather than all of the traffic.


Below is the traffic seen in Ntopng after mirroring:

Just one day of mirroring already amounts to more than 300 GB of traffic.

Saturday, 22 October 2016

Cisco switch SNMP OID lookup and Zabbix monitoring

Method 1
Look the object up in the SNMP Object Navigator or the Cisco IOS MIB Locator.

Method 2
show snmp mib | in xxx
on the switch, to find the name of the object, then resolve it to an OID in the SNMP Object Navigator.


Cisco SNMP has one problem: the OIDs you were monitoring can be different after a reload, because the ifIndex that forms the last part of every interface OID is reassigned,
so after every restart of the device some OIDs had to be added again by hand, which is very annoying.
This is the official configuration document for making the SNMP ifIndex values persistent (the IOS command is snmp-server ifindex persist, so that each interface keeps its index across reloads).

To test Cisco SNMP OIDs, first install snmpwalk.
Command:
         yum install -y net-snmp net-snmp-utils

Testing with SNMP v3 (SHA authentication and AES privacy, security level authPriv):
      snmpwalk -v 3 -u ITSEC -a sha -A gohciuY2tu -x AES -X il4laht9Pi -l authPriv 172.16.2.2
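
As an added example (not part of the original post), the script below shows what the ifIndex problem above does to a Zabbix item. It parses two snmpwalk runs of IF-MIB::ifDescr, one before and one after a reload, lists the interfaces whose index moved, and shows which ifHCInOctets OIDs now count a different interface than the one they were created for. Both walks are constructed for the example in net-snmp's output format; the interface names and indices are illustrative.

```python
"""Detect ifIndex renumbering between two snmpwalk runs of IF-MIB::ifDescr.

Added example, not from the original post. The two walks below are constructed
(net-snmp output format) and stand for a walk taken before and after a reload of
a switch without 'snmp-server ifindex persist'.
"""
import re
from typing import Dict, List, Tuple

BEFORE_RELOAD = """\
IF-MIB::ifDescr.1 = STRING: Vlan1
IF-MIB::ifDescr.2 = STRING: GigabitEthernet0/1
IF-MIB::ifDescr.3 = STRING: GigabitEthernet0/2
IF-MIB::ifDescr.4 = STRING: Port-channel1
"""

AFTER_RELOAD = """\
IF-MIB::ifDescr.1 = STRING: Vlan1
IF-MIB::ifDescr.2 = STRING: Port-channel1
IF-MIB::ifDescr.3 = STRING: GigabitEthernet0/1
IF-MIB::ifDescr.4 = STRING: GigabitEthernet0/2
"""

# Matches the symbolic form above and the numeric form (.1.3.6.1.2.1.2.2.1.2.N)
# that snmpwalk prints when the IF-MIB is not loaded.
IFDESCR_RE = re.compile(
    r"^(?:IF-MIB::ifDescr|\.?1\.3\.6\.1\.2\.1\.2\.2\.1\.2)\.(\d+) = STRING: (.+?)\s*$"
)
IF_HC_IN_OCTETS = "1.3.6.1.2.1.31.1.1.1.6"  # IF-MIB::ifHCInOctets, the usual Zabbix item


def parse_ifdescr(walk: str) -> Dict[int, str]:
    """Map ifIndex -> ifDescr from snmpwalk output; other lines are skipped."""
    table: Dict[int, str] = {}
    for line in walk.splitlines():
        m = IFDESCR_RE.match(line)
        if m:
            table[int(m.group(1))] = m.group(2)
    return table


def find_shifts(before: Dict[int, str], after: Dict[int, str]) -> Dict[str, Tuple[int, int]]:
    """Interfaces whose ifIndex changed: name -> (old index, new index)."""
    old_index = {name: idx for idx, name in before.items()}
    shifts: Dict[str, Tuple[int, int]] = {}
    for idx, name in after.items():
        if name in old_index and old_index[name] != idx:
            shifts[name] = (old_index[name], idx)
    return shifts


def stale_items(before: Dict[int, str], after: Dict[int, str],
                base_oid: str = IF_HC_IN_OCTETS) -> List[Tuple[str, str, str]]:
    """For each monitored OID built from the old ifIndex, what it reads now.

    Returns (oid, interface the item was created for, interface it now counts).
    """
    stale = []
    for idx, name in sorted(before.items()):
        now = after.get(idx)
        if now is not None and now != name:
            stale.append((f"{base_oid}.{idx}", name, now))
    return stale


if __name__ == "__main__":
    b, a = parse_ifdescr(BEFORE_RELOAD), parse_ifdescr(AFTER_RELOAD)
    for name, (old, new) in find_shifts(b, a).items():
        print(f"{name}: ifIndex {old} -> {new}")
    for oid, was, now in stale_items(b, a):
        print(f"Zabbix item on {oid} was {was}, now reports {now}")
```

Save the output of snmpwalk ... IF-MIB::ifDescr once after configuring the switch and once after the next reload, and run the script over the two files; an empty result from find_shifts means ifindex persistence is working.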
       

Wednesday, 19 October 2016

How to deal with an ASA that logs too much

The ASA's job is the company's 100 Mbit/s fibre internet connection, but every day it produces a huge number of log messages,
and those messages are of no use at all. The commands below stop the useless ones from being sent to the syslog server.
Without any filtering the ASA generates more than 10 million log entries a month, which is far too many.

XYJ-ASA5512-B(config)# show logging message 106001
syslog 106001: default-level critical (enabled)
XYJ-ASA5512-B(config)# no logg
XYJ-ASA5512-B(config)# no logging me
XYJ-ASA5512-B(config)# no logging message 106001
XYJ-ASA5512-B(config)# no logging message 106006
XYJ-ASA5512-B(config)# no logging message 106014
XYJ-ASA5512-B(config)# no logging message 106023
XYJ-ASA5512-B(config)# no logging message 500004
XYJ-ASA5512-B(config)# no logging message 410001
XYJ-ASA5512-B(config)# no logging message 733100
XYJ-ASA5512-B(config)# no logging message 106007
Oct 19 2016 15:10:02: %ASA-5-111008: User 'enable_15' executed the 'no logging message 106001' command.
Oct 19 2016 16:38:56: %ASA-5-111008: User 'enable_15' executed the 'no logging message 733100' command. 
I collect the logs with LogAnalyzer; below are the SQL statements that delete some of the useless entries. The % in Syslogtag = '%ASA-2-106001:' is not a wildcard here: rsyslog stores the ASA tag literally, % sign included, which is why = rather than like is used on that column.
delete from SystemEvents where Message like '%Inbound TCP%' and Syslogtag = '%ASA-2-106001:';
delete from SystemEvents where Message like '%inbound UDP%' and Syslogtag = '%ASA-2-106006:';
delete from SystemEvents where Message like '%inbound icmp%' and Syslogtag = '%ASA-3-106014:';
delete from SystemEvents where Message like '%Deny udp src%' and Syslogtag = '%ASA-4-106023:';
delete from SystemEvents where Message like '%Deny icmp src%' and Syslogtag = '%ASA-4-106023:';
delete from SystemEvents where Message like '%Invalid transport field%' and Syslogtag = '%ASA-4-500004:';
delete from SystemEvents where Message like "%executed the 'enable'%" and Syslogtag = '%ASA-5-111008:';
delete from SystemEvents where Message like '%Dropped UDP DNS%' and Syslogtag = '%ASA-4-410001:';
delete from SystemEvents where Message like '%User priv level changed%' and Syslogtag = '%ASA-5-502103:';
delete from SystemEvents where Message like '%User logged out: Uname: admin%' and Syslogtag = '%ASA-5-611103:';
delete from SystemEvents where Message like '%Received encrypted packet with no matching SA%' and Syslogtag = '%ASA-5-713904:';
delete from SystemEvents where Message like '%Current burst%' and Syslogtag = '%ASA-4-733100:';
delete from SystemEvents where Message like '%TCP access denied by ACL%' and Syslogtag = '%ASA-3-710003:';
delete from SystemEvents where Message like '%Duplicate TCP SYN from%' and Syslogtag = '%ASA-4-419002:';
delete from SystemEvents where Message like '%Deny inbound UDP from%' and Syslogtag = '%ASA-2-106007:';
delete from SystemEvents where Message like '%No matching connection for ICMP%' and Syslogtag = '%ASA-4-313005:';
delete from SystemEvents where Message like '%Group = spoke1%' and Syslogtag = '%ASA-5-713120:';
delete from SystemEvents where Message like '%Group = spoke1%' and Syslogtag = '%ASA-5-713119:';
delete from SystemEvents where Message like '%Group = spoke1%' and Syslogtag = '%ASA-5-713049:';
delete from SystemEvents where Message like '%Group = spoke1%' and Syslogtag = '%ASA-5-713041:';
delete from SystemEvents where Message like '%Denied ICMP type=3, code=3 from%' and Syslogtag = '%ASA-3-313001:';
delete from SystemEvents where Message like '%Dropped connection for ESMTP Request%' and Syslogtag = '%ASA-4-108004:';
delete from SystemEvents where Message like '%Received Invalid Cookie message for non-existent SA%' and Syslogtag = '%ASA-4-713903:'; 
delete from SystemEvents where Message like '%tcp flow from lan%' and Syslogtag = '%ASA-4-507003:';

Two things to keep in mind before copying this list. The deletes for 111008, 502103 and 611103 remove the record of which commands an administrator ran, of privilege changes and of admin logouts; that is the audit trail for access to the firewall, so hide those rows in the LogAnalyzer view rather than deleting them. And the denied-connection messages (106001, 106007, 106023) are the raw material for spotting scans and probes against the outside interface; if their volume is the problem, the ASA can rate-limit a single message ID with logging rate-limit instead of silencing it completely.
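
As an added example (not part of the original post), the Python below does the triage that should come before switching message IDs off: it counts lines per ASA message ID, works out what share of the volume the post's 'no logging message' list removes, and then runs a simple port-scan check over the 106023 denies to show the signal that disappears with them. The log lines it reads are constructed in the ASA syslog format, using documentation address ranges; they are not this site's traffic.

```python
"""Triage ASA syslog volume before switching message IDs off.

Added example, not from the original post. The log lines below are constructed
in the ASA syslog format (documentation address ranges), not real traffic.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Set, Tuple

SAMPLE_LOG = """\
Oct 19 2016 15:10:02: %ASA-4-106023: Deny tcp src outside:203.0.113.5/44321 dst inside:10.0.0.10/22 by access-group "OUTSIDE_IN" [0x0, 0x0]
Oct 19 2016 15:10:02: %ASA-4-106023: Deny tcp src outside:203.0.113.5/44322 dst inside:10.0.0.10/23 by access-group "OUTSIDE_IN" [0x0, 0x0]
Oct 19 2016 15:10:02: %ASA-4-106023: Deny tcp src outside:203.0.113.5/44323 dst inside:10.0.0.10/80 by access-group "OUTSIDE_IN" [0x0, 0x0]
Oct 19 2016 15:10:03: %ASA-4-106023: Deny tcp src outside:203.0.113.5/44324 dst inside:10.0.0.10/443 by access-group "OUTSIDE_IN" [0x0, 0x0]
Oct 19 2016 15:10:03: %ASA-4-106023: Deny tcp src outside:203.0.113.5/44325 dst inside:10.0.0.10/445 by access-group "OUTSIDE_IN" [0x0, 0x0]
Oct 19 2016 15:10:03: %ASA-4-106023: Deny tcp src outside:203.0.113.5/44326 dst inside:10.0.0.10/3389 by access-group "OUTSIDE_IN" [0x0, 0x0]
Oct 19 2016 15:10:05: %ASA-2-106001: Inbound TCP connection denied from 198.51.100.7/4000 to 10.0.0.10/443 flags SYN  on interface outside
Oct 19 2016 15:10:06: %ASA-4-106023: Deny udp src outside:198.51.100.7/53 dst inside:10.0.0.53/53 by access-group "OUTSIDE_IN" [0x0, 0x0]
Oct 19 2016 15:10:07: %ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.9/5050 (198.51.100.9/5050) to inside:10.0.0.10/443 (10.0.0.10/443)
Oct 19 2016 15:10:08: %ASA-5-111008: User 'enable_15' executed the 'no logging message 106001' command.
"""

# The IDs the post switches off with 'no logging message'.
SUPPRESSED: Set[str] = {"106001", "106006", "106014", "106023", "500004", "410001", "733100", "106007"}

TAG_RE = re.compile(r"%ASA-(\d)-(\d{6}): (.*)$")
DENY_RE = re.compile(r"Deny (tcp|udp) src \S+?:([\d.]+)/(\d+) dst \S+?:([\d.]+)/(\d+)")


def parse_line(line: str) -> Optional[Tuple[int, str, str]]:
    """Return (severity, message id, text) or None for a line without an ASA tag."""
    m = TAG_RE.search(line)
    return (int(m.group(1)), m.group(2), m.group(3)) if m else None


def volume_by_id(log: str) -> Counter:
    """How many lines each message ID contributes: the list to decide suppression from."""
    return Counter(p[1] for p in map(parse_line, log.splitlines()) if p)


def suppressed_share(log: str, suppressed: Set[str] = SUPPRESSED) -> float:
    """Fraction of lines that would disappear with the post's 'no logging message' set."""
    counts = volume_by_id(log)
    total = sum(counts.values())
    return sum(n for mid, n in counts.items() if mid in suppressed) / total if total else 0.0


def scan_sources(log: str, min_ports: int = 5) -> Dict[str, List[int]]:
    """Sources whose 106023 denies hit at least min_ports distinct destination ports.

    This is the signal that is lost once 106023 is switched off on the ASA.
    """
    ports: Dict[str, Set[int]] = defaultdict(set)
    for line in log.splitlines():
        parsed = parse_line(line)
        if not parsed or parsed[1] != "106023":
            continue
        m = DENY_RE.search(parsed[2])
        if m:
            ports[m.group(2)].add(int(m.group(5)))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    print(volume_by_id(SAMPLE_LOG).most_common())
    print(f"{suppressed_share(SAMPLE_LOG):.0%} of lines would be suppressed")
    print("probable port scans:", scan_sources(SAMPLE_LOG))
```

Run it over a day of the syslog server's file first; if volume_by_id shows that two or three IDs make up most of the lines, rate-limiting just those is usually enough, and scan_sources is the kind of check worth keeping in the collector once 106023 is no longer kept at full volume on the ASA.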

Tuesday, 18 October 2016

DHCP snooping bug in IOS 15.0(2)SE5

Cisco 2960, IOS 15.0(2)SE5
Switch Ports Model              SW Version            SW Image                 
------ ----- -----              ----------            ----------               
*    1 50    WS-C2960+48TC-L    15.0(2)SE5            C2960-LANBASEK9-M        

Configuration register is 0xF

After configuring DHCP snooping, show ip dhcp snooping looks completely normal:

XYJ-C2960_11#show ip dhcp snooping 
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
1-100
DHCP snooping is operational on following VLANs:
1-2,4-18,20-25,100
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
   circuit-id default format: vlan-mod-port
   remote-id: 84b5.17ea.5c80 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------   
GigabitEthernet0/1         yes        yes             unlimited
  Custom circuit-ids:
GigabitEthernet0/2         yes        yes             unlimited
  Custom circuit-ids:
Port-channel1              yes        yes             unlimited
  Custom circuit-ids:


But the untrusted ports still let DHCP offer packets through,
and show ip dhcp snooping binding shows no valid entries at all (the binding table is built from the DHCP exchanges snooped on untrusted ports, so it should fill up as clients obtain leases):

XYJ-C2960_11#show ip dhcp snooping binding 
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
Total number of bindings: 0

XYJ-C2960_11#
XYJ-C2960_11#

After some googling it turned out that this is a bug in this release
url1  url2
The only way to fix it is to upgrade to a later release.
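
As an added example (not part of the original post), the script below parses the show ip dhcp snooping output in the layout captured above and turns it into the two checks worth doing before blaming a bug: which configured VLANs snooping is actually operating on (configured but not operational normally means the VLAN does not exist on the switch), and whether every uplink toward the DHCP server is trusted, since offers arriving on an untrusted port are dropped. The sample output is constructed in the same layout as the capture; the MAC address and the VLAN numbers are illustrative.

```python
"""Check 'show ip dhcp snooping' output: operational VLANs and trusted ports.

Added example, not from the original post. SHOW_OUTPUT is constructed in the same
layout as the capture above; its values are illustrative.
"""
import re
from typing import Any, Dict, List, Set

SHOW_OUTPUT = """\
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
1-100
DHCP snooping is operational on following VLANs:
1-2,4-18,20-25,100
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
   circuit-id default format: vlan-mod-port
   remote-id: 0000.0000.0001 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
GigabitEthernet0/1         yes        yes             unlimited
  Custom circuit-ids:
GigabitEthernet0/2         yes        yes             unlimited
  Custom circuit-ids:
Port-channel1              yes        yes             unlimited
  Custom circuit-ids:
"""

# One row of the trust/rate table: name, trusted, allow option, rate limit.
TRUST_ROW = re.compile(r"^(\S+)\s+(yes|no)\s+(yes|no)\s+(\S+)\s*$")


def expand_vlans(spec: str) -> Set[int]:
    """'1-2,4-18,100' -> {1, 2, 4, ..., 18, 100}; 'none' or empty -> set()."""
    vlans: Set[int] = set()
    for part in spec.replace(" ", "").split(","):
        if not part or part == "none":
            continue
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def _vlan_line_after(lines: List[str], marker: str) -> str:
    """The VLAN list printed on the line following a 'DHCP snooping is ... VLANs:' header."""
    for i, line in enumerate(lines):
        if line.startswith(marker):
            return lines[i + 1].strip() if i + 1 < len(lines) else ""
    return ""


def snooping_state(output: str) -> Dict[str, Any]:
    lines = output.splitlines()
    configured = expand_vlans(_vlan_line_after(lines, "DHCP snooping is configured on following VLANs"))
    operational = expand_vlans(_vlan_line_after(lines, "DHCP snooping is operational on following VLANs"))
    trusted: List[str] = []
    rate_limited: Dict[str, str] = {}
    for line in lines:
        m = TRUST_ROW.match(line)
        if not m:
            continue
        if m.group(2) == "yes":
            trusted.append(m.group(1))
        if m.group(4) != "unlimited":
            rate_limited[m.group(1)] = m.group(4)
    return {
        "enabled": "Switch DHCP snooping is enabled" in (l.strip() for l in lines),
        "configured": configured,
        "operational": operational,
        # configured but not operational: normally VLANs that do not exist on this switch
        "not_operational": sorted(configured - operational),
        "trusted": trusted,
        "rate_limited": rate_limited,
    }


def untrusted_uplinks(output: str, uplinks: List[str]) -> List[str]:
    """Uplinks toward the DHCP server that are NOT trusted: offers on them are dropped."""
    trusted = set(snooping_state(output)["trusted"])
    return [u for u in uplinks if u not in trusted]


if __name__ == "__main__":
    state = snooping_state(SHOW_OUTPUT)
    print("configured but not operational:", state["not_operational"])
    print("trusted:", state["trusted"])
    print("untrusted uplinks:", untrusted_uplinks(SHOW_OUTPUT, ["Port-channel1"]))
```

If this reports the uplinks as trusted and the client VLANs as operational, and the binding table is still empty while clients keep getting leases, the problem is in the software rather than in the configuration, which is exactly the situation above.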
 

Flashing the v1.2.1 firmware onto the Maile (迈乐) M6 / Tmall Magic Box (天猫魔盒)

Flashing from an SD card

I only have a micro SD card, but with an SD adapter it can be used as an SD card.
v1.2.1 firmware download and instructions: 迈乐M6
Why flash v1.2.1?
Because I need audio output on HDMI and AV at the same time, and the earlier Tmall v1.6.x system does not support that.

 

Backing up the system

Why back up the system?
Because my micro SD card comes from my Raspberry Pi and already has a system installed on it, so that system has to be backed up first.
So I did the backup on my Mac:
  • Insert the card reader
  • Run
    diskutil list
    diskutil unmountDisk /dev/disk2

    to unmount the SD card. Note: do not use eject, otherwise dd cannot open the device. Check the disk number in the diskutil list output first; the wrong number reads (or, on restore, overwrites) the wrong disk.
  • Use dd to dump the disk to an img file
  • Here is the standard command; bs is how much is copied per block and count is how many blocks are copied (10m x 500 = 5000 MB; drop count to copy the whole card)
    dd bs=10m count=500 if=/dev/rdisk2 of=./backup.img
  • To compress at the same time:
    dd bs=10m count=500 if=/dev/rdisk2 | gzip -9 > ./backup.img.gz
  • Restoring the system from the compressed file
    gzip -c -d backup.img.gz | dd bs=10m of=/dev/rdisk2
  • Watching dd's progress
dd is a very inefficient tool, but the most reliable one.
Run the command below from another terminal (watch is not part of macOS; install it with brew). On macOS dd reports its progress on SIGINFO, the same as pressing Ctrl-T in dd's own terminal; -USR1 is the GNU dd signal, and on macOS it terminates dd instead:
watch -n 5 killall -INFO dd
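
As an added example (not part of the original post), the Python below does the same backup, compress and restore round trip as the dd | gzip pipeline above, but hashes the device in the same pass, so the backup can be checked against the card before the card is overwritten with new firmware. The device path is a parameter; the demo uses a temporary file in place of /dev/rdisk2 so it runs anywhere, and a real device needs root.

```python
"""Image a card to a gzip'd file with a running SHA-256, restore it, and verify.

Added example, not from the original post. It mirrors the dd | gzip pipeline
above; the demo uses a temp file in place of /dev/rdisk2.
"""
import gzip
import hashlib
import os
import tempfile

BLOCK = 10 * 1024 * 1024  # same 10 MiB block size as bs=10m above


def backup_image(device: str, out_gz: str, block_size: int = BLOCK) -> str:
    """Copy device -> out_gz (gzip level 9) and return the SHA-256 of the raw data.

    A sidecar out_gz.sha256 is written in the same layout sha256sum uses.
    """
    digest = hashlib.sha256()
    with open(device, "rb") as src, gzip.open(out_gz, "wb", compresslevel=9) as dst:
        while True:
            chunk = src.read(block_size)
            if not chunk:
                break
            digest.update(chunk)
            dst.write(chunk)
    with open(out_gz + ".sha256", "w") as f:
        f.write(f"{digest.hexdigest()}  {os.path.basename(device)}\n")
    return digest.hexdigest()


def restore_image(in_gz: str, device: str, block_size: int = BLOCK) -> str:
    """Write in_gz back to device and return the SHA-256 of what was written."""
    digest = hashlib.sha256()
    with gzip.open(in_gz, "rb") as src, open(device, "wb") as dst:
        while True:
            chunk = src.read(block_size)
            if not chunk:
                break
            digest.update(chunk)
            dst.write(chunk)
    return digest.hexdigest()


def verify_restore(in_gz: str, device: str, block_size: int = BLOCK) -> bool:
    """Re-read the device and compare it with the sidecar hash from backup_image."""
    with open(in_gz + ".sha256") as f:
        expected = f.read().split()[0]
    digest = hashlib.sha256()
    with open(device, "rb") as dev:
        for chunk in iter(lambda: dev.read(block_size), b""):
            digest.update(chunk)
    return digest.hexdigest() == expected


def demo_roundtrip(size: int = 3 * 1024 * 1024) -> bool:
    """Stand-in for the real card: random bytes in a temp dir, backup, restore, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        card = os.path.join(tmp, "card")  # plays the role of /dev/rdisk2
        with open(card, "wb") as f:
            f.write(os.urandom(size))
        image = os.path.join(tmp, "backup.img.gz")
        h_backup = backup_image(card, image, block_size=1024 * 1024)
        card2 = os.path.join(tmp, "card2")  # plays the role of the card being restored
        h_restore = restore_image(image, card2, block_size=1024 * 1024)
        return h_backup == h_restore and verify_restore(image, card2, block_size=1024 * 1024)


if __name__ == "__main__":
    print("round trip ok" if demo_roundtrip() else "MISMATCH")
```

For the real card, call backup_image("/dev/rdisk2", "backup.img.gz") as root and keep the .sha256 sidecar with the image; after restoring, verify_restore tells you whether the card really holds what was backed up.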

Flashing procedure

1. After the SD card has been written
2. Power off the box
3. Insert the SD card
4. Power the box on
5. The box's indicator LED starts blinking
6. When the LED stops blinking and stays off, the flash has completed
7. Remove the SD card and power off
8. Flashing is done; the box can be connected to the TV

Mac OS X 10.10.3: Python 2.7 and Python 3 side by side

When testing other people's code you will inevitably need Python 3.

Why did I install Python 3?
Because today, under Python 2.7, import urllib.parse failed with a module-not-found error.
The reason is that this import only exists in Python 3 (in Python 2 the same functions live in the urlparse module).

You may need brew

How to install brew

 

Two ways to install Python 3

1. Install it with brew
brew install python3
2. Download the installer for the version you want from the official site

 

pip3, the module installer for Python 3

pip by default installs modules only for Python 2.x;
pip3 is the one that installs modules for Python 3.

Sublime Text 3: set Python 3 as the build system

Tools --> Build System --> New Build System
Paste in the following configuration
{
    "cmd": ["/usr/local/bin/python3", "-u", "$file"],
    "file_regex": "^[ ]*File \"(...*?)\", line ([0-9]*)",
    "selector": "source.python"
}

Then save it as python3.sublime-build; the file goes automatically into Sublime's user packages folder.

The default path on the Mac is
~/Library/Application Support/Sublime Text 3/Packages/User
After that you can switch between the Python interpreters under Build System as needed.

SublimeREPL: configuring Python interactive mode

Configuration file path for python RUN - Current File:
/Users/sherpper/Library/Application Support/Sublime Text 3/Packages/SublimeREPL/config/python/Main.sublime-menu

"cmd": ["python", "-u","-i", "$file_basename"]
# Add the -i option to drop into interactive mode after the script finishes; -u means unbuffered output

Sublime Text 3 reports "UnicodeDecodeError" when printing Chinese

Inserting the code below in the test environment fixes it, but remove it for real use. It is Python 3 only: sys.stdout.detach() does not exist on Python 2's file objects. The cleaner fix that needs no code change is to set PYTHONIOENCODING to utf-8 for the build, for example with an "env": {"PYTHONIOENCODING": "utf-8"} entry in the .sublime-build file.
import sys
import codecs
sys.stdout = codecs.getwriter("utf-8")(sys.stdout.detach())