Bad block HOWTO for smartmontools

Bruce Allen

      <smartmontools-support@lists.sourceforge.net>
     

Douglas Gilbert

      <smartmontools-support@lists.sourceforge.net>
     

Copyright © 2004, 2005, 2006, 2007 Bruce Allen

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover Texts, and with no Back-Cover Texts.

For an online copy of the license see www.fsf.org/copyleft/fdl.html.

2007-01-23

Revision History
Revision 1.1	2007-01-23	dpg
add sections on ReiserFS and partition table damage
Revision 1.0	2006-11-14	dpg
merge BadBlockHowTo.txt and BadBlockSCSIHowTo.txt

Abstract

This article describes what actions might be taken when smartmontools detects a bad block on a disk. It demonstrates how to identify the file associated with an unreadable disk sector, and how to force that sector to reallocate.

Table of Contents

Introduction

Repairs in a file system

ext2/ext3 first example

ext2/ext3 second example

Unassigned sectors

ReiserFS example

Repairs at the disk level

Partition table problems

LVM repairs

Bad block reassignment

Introduction

Handling bad blocks is a difficult problem as it often involves decisions about losing information. Modern storage devices tend to handle the simple cases automatically, for example by writing a disk sector that was read with difficulty to another area on the media. Even though such a remapping can be done by a disk drive transparently, there is still a lingering worry about media deterioration and the disk running out of spare sectors to remap.

Can smartmontools help? As the SMART acronym ^[1] suggests, the smartctl command and the smartd daemon concentrate on monitoring and analysis. So apart from changing some reporting settings, smartmontools will not modify the raw data in a device. Also smartmontools only works with physical devices, it does not know about partitions and file systems. So other tools are needed. The job of smartmontools is to alert the user that something is wrong and user intervention may be required.

When a bad block is reported one approach is to work out the mapping between the logical block address used by a storage device and a file or some other component of a file system using that device. Note that there may not be such a mapping reflecting that a bad block has been found at a location not currently used by the file system. A user may want to do this analysis to localize and minimize the number of replacement files that are retrieved from some backup store. This approach requires knowledge of the file system involved and this document uses the Linux ext2/ext3 and ReiserFS file systems for examples. Also the type of content may come into play. For example if an area storing video has a corrupted sector, it may be easiest to accept that a frame or two might be corrupted and instruct the disk not to retry as that may have the visual effect of causing a momentary blank into a 1 second pause (while the disk retries the faulty sector, often accompanied by a telltale clicking sound).

Another approach is to ignore the upper level consequences (e.g. corrupting a file or worse damage to a file system) and use the facilities offered by a storage device to repair the damage. The SCSI disk command set is used elaborate on this low level approach.

Repairs in a file system

This section contains examples of what to do at the file system level when smartmontools reports a bad block. These examples assume the Linux operating system and either the ext2/ext3 or ReiserFS file system. The various Linux commands shown have man pages and the reader is encouraged to examine these. Of note is the dd command which is often used in repair work ^[2] and has a unique command line syntax.

The authors would like to thank Sergey Vlasov, Theodore Ts’o, Michael Bendzick, and others for explaining this approach. The authors would like to add text showing how to do this for other file systems, in particular XFS, and JFS: please email if you can provide this information.

ext2/ext3 first example

In this example, the disk is failing self-tests at Logical Block Address LBA = 0×016561e9 = 23421417. The LBA counts sectors in units of 512 bytes, and starts at zero.

root]# smartctl -l selftest /dev/hda:  SMART Self-test log structure revision number 1 Num  Test_Description    Status                  Remaining  LifeTime(hours)  LBA_of_first_error # 1  Extended offline    Completed: read failure       90%       217         0x016561e9

Note that other signs that there is a bad sector on the disk can be found in the non-zero value of the Current Pending Sector count:

root]# smartctl -A /dev/hda ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE   5 Reallocated_Sector_Ct   0x0033   100   100   005    Pre-fail  Always       -       0 196 Reallocated_Event_Count 0x0032   100   100   000    Old_age   Always       -       0 197 Current_Pending_Sector  0x0022   100   100   000    Old_age   Always       -       1 198 Offline_Uncorrectable   0x0008   100   100   000    Old_age   Offline      -       1

First Step: We need to locate the partition on which this sector of the disk lives:

root]# fdisk -lu /dev/hda  Disk /dev/hda: 123.5 GB, 123522416640 bytes 255 heads, 63 sectors/track, 15017 cylinders, total 241254720 sectors Units = sectors of 1 * 512 = 512 bytes     Device Boot    Start       End    Blocks   Id  System /dev/hda1   *        63   4209029   2104483+  83  Linux /dev/hda2       4209030   5269319    530145   82  Linux swap /dev/hda3       5269320 238227884 116479282+  83  Linux /dev/hda4     238227885 241248104   1510110   83  Linux

The partition /dev/hda3 starts at LBA 5269320 and extends past the ‘problem’ LBA. The ‘problem’ LBA is offset 23421417 - 5269320 = 18152097 sectors into the partition /dev/hda3.

To verify the type of the file system and the mount point, look in /etc/fstab:

root]# grep hda3 /etc/fstab /dev/hda3 /data ext2 defaults 1 2

You can see that this is an ext2 file system, mounted at /data.

Second Step: we need to find the block size of the file system (normally 4096 bytes for ext2):

root]# tune2fs -l /dev/hda3 | grep Block Block count:              29119820 Block size:               4096

In this case the block size is 4096 bytes. Third Step: we need to determine which File System Block contains this LBA. The formula is:

  b = (int)((L-S)*512/B) where: b = File System block number B = File system block size in bytes L = LBA of bad sector S = Starting sector of partition as shown by fdisk -lu and (int) denotes the integer part.

In our example, L=23421417, S=5269320, and B=4096. Hence the ‘problem’ LBA is in block number

   b = (int)18152097*512/4096 = (int)2269012.125 so b=2269012.

Note: the fractional part of 0.125 indicates that this problem LBA is actually the second of the eight sectors that make up this file system block.

Fourth Step: we use debugfs to locate the inode stored in this block, and the file that contains that inode:

root]# debugfs debugfs 1.32 (09-Nov-2002) debugfs:  open /dev/hda3 debugfs:  icheck 2269012 Block   Inode number 2269012 41032 debugfs:  ncheck 41032 Inode   Pathname 41032   /S1/R/H/714197568-714203359/H-R-714202192-16.gwf

In this example, you can see that the problematic file (with the mount point included in the path) is: /data/S1/R/H/714197568-714203359/H-R-714202192-16.gwf

To force the disk to reallocate this bad block we’ll write zeros to the bad block, and sync the disk:

root]# dd if=/dev/zero of=/dev/hda3 bs=4096 count=1 seek=2269012 root]# sync

NOTE: This last step has permanently and irretrievably destroyed some of the data that was in this file. Don’t do this unless you don’t need the file or you can replace it with a fresh or correct version.

Now everything is back to normal: the sector has been reallocated. Compare the output just below to similar output near the top of this article:

root]# smartctl -A /dev/hda ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE   5 Reallocated_Sector_Ct   0x0033   100   100   005    Pre-fail  Always       -       1 196 Reallocated_Event_Count 0x0032   100   100   000    Old_age   Always       -       1 197 Current_Pending_Sector  0x0022   100   100   000    Old_age   Always       -       0 198 Offline_Uncorrectable   0x0008   100   100   000    Old_age   Offline      -       1

Note: for some disks it may be necessary to update the SMART Attribute values by using smartctl -t offline /dev/hda

The disk now passes its self-tests again:

root]# smartctl -t long /dev/hda  [wait until test completes, then] root]# smartctl -l selftest /dev/hda  SMART Self-test log structure revision number 1 Num  Test_Description    Status                  Remaining  LifeTime(hours)  LBA_of_first_error # 1  Extended offline    Completed without error       00%       239         - # 2  Extended offline    Completed: read failure       90%       217         0x016561e9 # 3  Extended offline    Completed: read failure       90%       212         0x016561e9 # 4  Extended offline    Completed: read failure       90%       181         0x016561e9 # 5  Extended offline    Completed without error       00%        14         - # 6  Extended offline    Completed without error       00%         4         -

and no longer shows any offline uncorrectable sectors:

root]# smartctl -A /dev/hda ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE   5 Reallocated_Sector_Ct   0x0033   100   100   005    Pre-fail  Always       -       1 196 Reallocated_Event_Count 0x0032   100   100   000    Old_age   Always       -       1 197 Current_Pending_Sector  0x0022   100   100   000    Old_age   Always       -       0 198 Offline_Uncorrectable   0x0008   100   100   000    Old_age   Offline      -       0

ext2/ext3 second example

On this drive, the first sign of trouble was this email from smartd:

    To: ballen     Subject: SMART error (selftest) detected on host: medusa-slave166.medusa.phys.uwm.edu      This email was generated by the smartd daemon running on host:     medusa-slave166.medusa.phys.uwm.edu in the domain: master001-nis      The following warning/error was logged by the smartd daemon:     Device: /dev/hda, Self-Test Log error count increased from 0 to 1

Running smartctl -a /dev/hda confirmed the problem:

Num  Test_Description    Status                  Remaining  LifeTime(hours)  LBA_of_first_error # 1  Extended offline    Completed: read failure       80%       682         0x021d9f44  Note that the failing LBA reported is 0x021d9f44 (base 16) = 35495748 (base 10)      ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE   5 Reallocated_Sector_Ct   0x0033   100   100   005    Pre-fail  Always       -       0 196 Reallocated_Event_Count 0x0032   100   100   000    Old_age   Always       -       0 197 Current_Pending_Sector  0x0022   100   100   000    Old_age   Always       -       3 198 Offline_Uncorrectable   0x0008   100   100   000    Old_age   Offline      -       3

and one can see above that there are 3 sectors on the list of pending sectors that the disk can’t read but would like to reallocate.

The device also shows errors in the SMART error log:

Error 212 occurred at disk power-on lifetime: 690 hours   After command completion occurred, registers were:   ER ST SC SN CL CH DH   -- -- -- -- -- -- --   40 51 12 46 9f 1d e2  Error: UNC 18 sectors at LBA = 0x021d9f46 = 35495750    Commands leading to the command that caused the error were:   CR FR SC SN CL CH DH DC   Timestamp  Command/Feature_Name   -- -- -- -- -- -- -- --   ---------  --------------------   25 00 12 46 9f 1d e0 00 2485545.000  READ DMA EXT

Signs of trouble at this LBA may also be found in SYSLOG:

[root]# grep LBA /var/log/messages | awk '{print $12}' | sort | uniq  LBAsect=35495748  LBAsect=35495750

So I decide to do a quick check to see how many bad sectors there really are. Using the bash shell I check 70 sectors around the trouble area:

[root]# export i=35495730 [root]# while [ $i -lt 35495800 ]         > do echo $i         > dd if=/dev/hda of=/dev/null bs=512 count=1 skip=$i         > let i+=1         > done   <SNIP>     35495734 1+0 records in 1+0 records out 35495735 dd: reading `/dev/hda': Input/output error 0+0 records in 0+0 records out  <SNIP>  35495751 dd: reading `/dev/hda': Input/output error 0+0 records in 0+0 records out 35495752 1+0 records in 1+0 records out  <SNIP>

which shows that the seventeen sectors 35495735-35495751 (inclusive) are not readable.

Next, we identify the files at those locations. The partitioning information on this disk is identical to the first example above, and as in that case the problem sectors are on the third partition /dev/hda3. So we have:

     L=35495735 to 35495751      S=5269320      B=4096

so that b=3778301 to 3778303 are the three bad blocks in the file system.

[root]# debugfs debugfs 1.32 (09-Nov-2002) debugfs:  open /dev/hda3 debugfs:  icheck 3778301 Block   Inode number 3778301 45192 debugfs:  icheck 3778302 Block   Inode number 3778302 45192 debugfs:  icheck 3778303 Block   Inode number 3778303 45192 debugfs:  ncheck 45192 Inode   Pathname 45192   /S1/R/H/714979488-714985279/H-R-714979984-16.gwf debugfs:  quit

And finally, just to confirm that this is really the damaged file:

[root]# md5sum /data/S1/R/H/714979488-714985279/H-R-714979984-16.gwf md5sum: /data/S1/R/H/714979488-714985279/H-R-714979984-16.gwf: Input/output error

Finally we force the disk to reallocate the three bad blocks:

[root]# dd if=/dev/zero of=/dev/hda3 bs=4096 count=3 seek=3778301 [root]# sync

We could also probably use:

[root]# dd if=/dev/zero of=/dev/hda bs=512 count=17 seek=35495735

At this point we now have:

ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE   5 Reallocated_Sector_Ct   0x0033   100   100   005    Pre-fail  Always       -       0 196 Reallocated_Event_Count 0x0032   100   100   000    Old_age   Always       -       0 197 Current_Pending_Sector  0x0022   100   100   000    Old_age   Always       -       0 198 Offline_Uncorrectable   0x0008   100   100   000    Old_age   Offline      -       0

which is encouraging, since the pending sectors count is now zero. Note that the drive reallocation count has not yet increased: the drive may now have confidence in these sectors and have decided not to reallocate them..

A device self test:

  [root#] smartctl -t long /dev/hda (then wait about an hour) shows no unreadable sectors or errors:  Num  Test_Description    Status                  Remaining  LifeTime(hours)  LBA_of_first_error # 1  Extended offline    Completed without error       00%       692         - # 2  Extended offline    Completed: read failure       80%       682         0x021d9f44

Unassigned sectors

This section was written by Kay Diederichs. Even though this section assumes Linux and the ext2/ext3 file system, the strategy should be more generally applicable.

I read your badblocks-howto at and greatly benefited from it. One thing that’s (maybe) missing is that often the smartctl -t long scan finds a bad sector which is not assigned to any file. In that case it does not help to run debugfs, or rather debugfs reports the fact that no file owns that sector. Furthermore, it is somewhat laborious to come up with the correct numbers for debugfs, and debugfs is slow …

So what I suggest in the case of presence of Current_Pending_Sector/Offline_Uncorrectable errors is to create a huge file on that file system.

  dd if=/dev/zero of=/some/mount/point bs=4k

creates the file. Leave it running until the partition/file system is full. This will make the disk reallocate those sectors which do not belong to a file. Check the smartctl -a output after that and make sure that the sectors are reallocated. If any remain, use the debugfs method. Of course the usual caveats apply - back it up first, and so on.

ReiserFS example

This section was written by Joachim Jautz with additions from Manfred Schwarb.

The following problems were reported during a scheduled test:

smartd[575]: Device: /dev/hda, starting scheduled Offline Immediate Test. [... 1 hour later ...] smartd[575]: Device: /dev/hda, 1 Currently unreadable (pending) sectors smartd[575]: Device: /dev/hda, 1 Offline uncorrectable sectors

[Step 0] The SMART selftest/error log (see smartctl -l selftest) indicated there was a problem with block address (i.e. the 512 byte sector at) 58656333. The partition table (e.g. see sfdisk -luS /dev/hda or fdisk -ul /dev/hda) indicated that this block was in the /dev/hda3 partition which contained a ReiserFS file system. That partition started at block address 54781650.

While doing the initial analysis it may also be useful to take a copy of the disk attributes returned by smartctl -A /dev/hda. Specifically the values associated with the “Reallocated_Sector_Ct” and “Reallocated_Event_Count” attributes (for ATA disks, the grown list (GLIST) length for SCSI disks). If these are incremented at the end of the procedure it indicates that the disk has re-allocated one or more sectors.

[Step 1] Get the file system’s block size:

# debugreiserfs /dev/hda3 | grep '^Blocksize' Blocksize: 4096

[Step 2] Calculate the block number:

# echo "(58656333-54781650)*512/4096" | bc -l 484335.37500000000000000000

It is re-assuring that the calculated 4 KB damaged block address in /dev/hda3 is less than “Count of blocks on the device” shown in the output of debugreiserfs shown above.

[Step 3] Try to get more info about this block => reading the block fails as expected but at least we see now that it seems to be unused. If we do not get the `Cannot read the block’ error we should check if our calculation in [Step 2] was correct

# debugreiserfs -1 484335 /dev/hda3 debugreiserfs 3.6.19 (2003 http://www.namesys.com)  484335 is free in ondisk bitmap The problem has occurred looks like a hardware problem.

If you have bad blocks, we advise you to get a new hard drive, because once you get one bad block that the disk drive internals cannot hide from your sight, the chances of getting more are generally said to become much higher (precise statistics are unknown to us), and this disk drive is probably not expensive enough for you to risk your time and data on it. If you don’t want to follow that advice then if you have just a few bad blocks, try writing to the bad blocks and see if the drive remaps the bad blocks (that means it takes a block it has in reserve and allocates it for use for of that block number). If it cannot remap the block, use badblock option (-B) with reiserfs utils to handle this block correctly.

bread: Cannot read the block (484335): (Input/output error).  Aborted

So it looks like we have the right (i.e. faulty) block address.

[Step 4] Try then to find the affected file ^[3]:

tar -cO /mydir | cat >/dev/null

If you do not find any unreadable files, then the block may be free or located in some metadata of the file system.

[Step 5] Try your luck: bang the affected block with badblocks -n (non-destructive read-write mode, do unmount first), if you are very lucky the failure is transient and you can provoke reallocation ^[4]:

# badblocks -b 4096 -p 3 -s -v -n /dev/hda3 `expr 484335 + 100` `expr 484335 - 100`

^[5]

check success with debugreiserfs -1 484335 /dev/hda3. Otherwise:

[Step 6] Perform this step only if Step 5 has failed to fix the problem: overwrite that block to force reallocation:

# dd if=/dev/zero of=/dev/hda3 count=1 bs=4096 seek=484335 1+0 records in 1+0 records out 4096 bytes transferred in 0.007770 seconds (527153 bytes/sec)

[Step 7] If you can’t rule out the bad block being in metadata, do a file system check:

reiserfsck --check

This could take a long time so you probably better go for lunch …

[Step 8] Proceed as stated earlier. For example, sync disk and run a long selftest that should succeed now.

Repairs at the disk level

This section first looks at a damaged partition table. Then it ignores the upper level impact of a bad block and just repairs the underlying sector so that defective sector will not cause problems in the future.

Partition table problems

Some software failures can lead to zeroes or random data being written on the first block of a disk. For disks that use a DOS-based partitioning scheme this will overwrite the partition table which is found at the end of the first block. This is a single point of failure so after the damage tools like fdisk have no alternate data to use so they report no partitions or a damaged partition table.

One utility that may help is testdisk which can scan a disk looking for partitions and recreate a partition table if requested. ^[6]

Programs that create DOS partitions often place the first partition at logical block address 63. In Linux a loop back mount can be attempted at the appropriate offset of a disk with a damaged partition table. This approach may involve placing the disk with the damaged partition table in a working computer or perhaps an external USB enclosure. Assuming the disk with the damaged partition is /dev/hdb. Then the following read-only loop back mount could be tried:

# mount -r /dev/hdb -o loop,offset=32256 /mnt

The offset is in bytes so the number given is (63 * 512). If the file system cannot be identified then a ‘-t <fs_type>’ may be needed (although this is not a good sign). If this mount is successful, a backup procedure is advised.

Only the primary DOS partitions are recorded in the first block of a disk. The extended DOS partition table is placed elsewhere on a disk. Again there is only one copy of it so it represents another single point of failure. All DOS partition information can be read in a form that can be used to recreate the tables with the sfdisk command. Obviously this needs to be done beforehand and the file put on other media. Here is how to fetch the partition table information:

# sfdisk -dx /dev/hda > my_disk_partition_info.txt

Then my_disk_partition_info.txt should be placed on other media. If disaster strikes, then the disk with the damaged partition table(s) can be placed in a working system, let us say the damaged disk is now at /dev/hdc, and the following command restores the partition table(s):

# sfdisk -x -O part_block_prior.img /dev/hdc < my_disk_partition_info.txt

Since the above command is potentially destructive it takes a copy of the block(s) holding the partition table(s) and puts it in part_block_prior.img prior to any changes. Then it changes the partition tables as indicated by my_disk_partition_info.txt. For what it is worth the author did test this on his system! ^[7]

For creating, destroying, resizing, checking and copying partitions, and the file systems on them, GNU’s parted is worth examining. The Large Disk HOWTO is also a useful resource.

LVM repairs

This section was written by Frederic BOITEUX. It was titled: “HOW TO LOCATE AND REPAIR BAD BLOCKS ON AN LVM VOLUME”.

Smartd reports an error in a short test :

# smartctl -a /dev/hdb ... SMART Self-test log structure revision number 1 Num  Test_Description    Status                  Remaining  LifeTime(hours)  LBA_of_first_error # 1  Short offline       Completed: read failure       90%        66         37383668

So the disk has a bad block located in LBA block 37383668

In which physical partition is the bad block ?

# sfdisk -luS /dev/hdb  # or 'fdisk -ul /dev/hdb'  Disk /dev/hdb: 9729 cylinders, 255 heads, 63 sectors/track Units = sectors of 512 bytes, counting from 0     Device Boot    Start       End   #sectors  Id  System /dev/hdb1            63    996029     995967  82  Linux swap / Solaris /dev/hdb2   *    996030   1188809     192780  83  Linux /dev/hdb3       1188810 156296384  155107575  8e  Linux LVM /dev/hdb4             0         -          0   0  Empty

It’s in the /dev/hdb3 partition, a LVM2 partition. From the LVM2 partition beginning, the bad block has an offset of

(37383668 - 1188810) = 36194858

We have to find in which LVM2 logical partition the block belongs to.

In which logical partition is the bad block ?

IMPORTANT : LVM2 can use different schemes dividing its physical partitions to logical ones : linear, striped, contiguous or not… The following example assumes that allocation is linear !

The physical partition used by LVM2 is divided in PE (Physical Extent) units of the same size, starting at pe_start’ 512 bytes blocks from the beginning of the physical partition.

The ‘pvdisplay’ command gives the size of the PE (in KB) of the LVM partition :

#  part=/dev/hdb3 ; pvdisplay -c $part | awk -F: '{print $8}' 4096

To get its size in LBA block size (512 bytes or 0.5 KB), we multiply this number by 2 : 4096 * 2 = 8192 blocks for each PE.

To find the offset from the beginning of the physical partition is a bit more difficult : if you have a recent LVM2 version, try :

# pvs -o+pe_start $part

Either, you can look in /etc/lvm/backup :

# grep pe_start $(grep -l $part /etc/lvm/backup/*)                         pe_start = 384

Then, we search in which PE is the badblock, calculating the PE rank in which the faulty block of the partition is : physical partition’s bad block number / sizeof(PE) =

36194858 / 8192 = 4418.3176

So we have to find in which LVM2 logical partition is used the PE number 4418 (count starts from 0) :

# lvdisplay --maps |egrep 'Physical|LV Name|Type'   LV Name                /dev/WDC80Go/racine     Type                linear     Physical volume     /dev/hdb3     Physical extents    0 to 127   LV Name                /dev/WDC80Go/usr     Type                linear     Physical volume     /dev/hdb3     Physical extents    128 to 1407   LV Name                /dev/WDC80Go/var     Type                linear     Physical volume     /dev/hdb3     Physical extents    1408 to 1663   LV Name                /dev/WDC80Go/tmp     Type                linear     Physical volume     /dev/hdb3     Physical extents    1664 to 1791   LV Name                /dev/WDC80Go/home     Type                linear     Physical volume     /dev/hdb3     Physical extents    1792 to 3071   LV Name                /dev/WDC80Go/ext1     Type                linear     Physical volume     /dev/hdb3     Physical extents    3072 to 10751   LV Name                /dev/WDC80Go/ext2     Type                linear     Physical volume     /dev/hdb3     Physical extents    10752 to 18932

So the PE #4418 is in the /dev/WDC80Go/ext1 LVM logical partition.

Size of logical block of file system on /dev/WDC80Go/ext1  :

It’s a ext3 fs, so I get it like this :

# dumpe2fs /dev/WDC80Go/ext1 | grep 'Block size' dumpe2fs 1.37 (21-Mar-2005) Block size:               4096

bad block number for the file system :

The logical partition begins on PE 3072 :

 (# PE's start of partition * sizeof(PE)) + parttion offset[pe_start] =  (3072 * 8192) + 384 = 25166208

512b block of the physical partition, so the bad block number for the file system  is :

(36194858 - 25166208) / (sizeof(fs block) / 512) = 11028650 / (4096 / 512)  = 1378581.25

Test of the fs bad block :

dd if=/dev/WDC80Go/ext1 of=block1378581 bs=4096 count=1 skip=1378581

If this dd command succeeds, without any error message in console or syslog, then the block number calculation is probably wrong ! *Don’t* go further, re-check it and if you don’t find the error, please renounce !

Search / correction follows the same scheme as for simple partitions :

• find possible impacted files with debugfs (icheck <fs block nb>, then ncheck <icheck nb>).
• reallocate bad block writing zeros in it, *using the fs block size* :

dd if=/dev/zero of=/dev/WDC80Go/ext1 count=1 bs=4096 seek=1378581

Et voilà !

Bad block reassignment

The SCSI disk command set and associated disk architecture are assumed in this section. SCSI disks have their own logical to physical mapping allowing a damaged sector (usually carrying 512 bytes of data) to be remapped irrespective of the operating system, file system or software RAID being used.

The terms block and sector are used interchangeably, although block tends to get used in higher level or more abstract contexts such as a logical block.

When a SCSI disk is formatted, defective sectors identified during the manufacturing process (the so called primary list: PLIST), those found during the format itself (the certification list: CLIST), those given explicitly to the format command (the DLIST) and optionally the previous grown list (GLIST) are not used in the logical block map. The number (and low level addresses) of the unmapped sectors can be found with the READ DEFECT DATA SCSI command.

SCSI disks tend to be divided into zones which have spare sectors and perhaps spare tracks, to support the logical block address mapping process. The idea is that if a logical block is remapped, the heads do not have to move a long way to access the replacement sector. Note that spare sectors are a scarce resource.

Once a SCSI disk format has completed successfully, other problems may appear over time. These fall into two categories:

• recoverable: the Error Correction Codes (ECC) detect a problem but it is small enough to be corrected. Optionally other strategies such as retrying the access may retrieve the data.
• unrecoverable: try as it may, the disk logic and ECC algorithms cannot recover the data. This is often reported as a medium error.

Other things can go wrong, typically associated with the transport and they will be reported using a term other than medium error. For example a disk may decide a read operation was successful but a computer’s host bus adapter (HBA) checking the incoming data detects a CRC error due to a bad cable or termination.

Depending on the disk vendor, recoverable errors can be ignored. After all, some disks have up to 68 bytes of ECC above the payload size of 512 bytes so why use up spare sectors which are limited in number ^[8] ? If the disk can recover the data and does decide to re-allocate (reassign) a sector, then first it checks the settings of the ARRE and AWRE bits in the read-write error recovery mode page. Usually these bits are set ^[9] enabling automatic (read or write) re-allocation. The automatic re-allocation may also fail if the zone (or disk) has run out of spare sectors.

Another consideration with RAIDs, and applications that require a high data rate without pauses, is that the controller logic may not want a disk to spend too long trying to recover an error.

Unrecoverable errors will cause a medium error sense key, perhaps with some useful additional sense information. If the extended background self test includes a full disk read scan, one would expect the self test log to list the bad block, as shown in the the section called “Repairs in a file system”. Recent SCSI disks with a periodic background scan should also list unrecoverable read errors (and some recoverable errors as well). The advantage of the background scan is that it runs to completion while self tests will often terminate at the first serious error.

SCSI disks expect unrecoverable errors to be fixed manually using the REASSIGN BLOCKS SCSI command since loss of data is involved. It is possible that an operating system or a file system could issue the REASSIGN BLOCKS command itself but the authors are unaware of any examples. The REASSIGN BLOCKS command will reassign one or more blocks, attempting to (partially ?) recover the data (a forlorn hope at this stage), fetch an unused spare sector from the current zone while adding the damaged old sector to the GLIST (hence the name “grown” list). The contents of the GLIST may not be that interesting but smartctl prints out the number of entries in the grown list and if that number grows quickly, the disk may be approaching the end of its useful life.

Here is an alternate brute force technique to consider: if the data on the SCSI or ATA disk has all been backed up (e.g. is held on the other disks in a RAID 5 enclosure), then simply reformatting the disk may be the least cumbersome approach.

Example

Given a “bad block”, it still may be useful to look at the fdisk command (if the disk has multiple partitions) to find out which partition is involved, then use debugfs (or a similar tool for the file system in question) to find out which, if any, file or other part of the file system may have been damaged. This is discussed in the the section called “Repairs in a file system”.

Then a program that can execute the REASSIGN BLOCKS SCSI command is required. In Linux (2.4 and 2.6 series), FreeBSD, Tru64(OSF) and Windows the author’s sg_reassign utility in the sg3_utils package can be used. Also found in that package is sg_verify which can be used to check that a block is readable.

Assume that logical block address 1193046 (which is 123456 in hex) is corrupt ^[10] on the disk at /dev/sdb. A long selftest command like smartctl -t long /dev/sdb may result in log results like this:

# smartctl -l selftest /dev/sdb smartctl version 5.37 [i686-pc-linux-gnu] Copyright (C) 2002-6 Bruce Allen Home page is http://smartmontools.sourceforge.net/   SMART Self-test log Num  Test              Status            segment  LifeTime  LBA_first_err [SK ASC ASQ]      Description                         number   (hours) # 1  Background long   Failed in segment      -     354           1193046 [0x3 0x11 0x0] # 2  Background short  Completed              -     323                 - [-   -    -] # 3  Background short  Completed              -     194                 - [-   -    -]

The sg_verify utility can be used to confirm that there is a problem at that address:

# sg_verify --lba=1193046 /dev/sdb verify (10):  Fixed format, current;  Sense key: Medium Error  Additional sense: Unrecovered read error   Info fld=0x123456 [1193046]   Field replaceable unit code: 228   Actual retry count: 0x008b medium or hardware error, reported lba=0x123456

Now the GLIST length is checked before the block reassignment:

# sg_reassign --grown /dev/sdb >> Elements in grown defect list: 0

And now for the actual reassignment followed by another check of the GLIST length:

# sg_reassign --address=1193046 /dev/sdb  # sg_reassign --grown /dev/sdb >> Elements in grown defect list: 1

The GLIST length has grown by one as expected. If the disk was unable to recover any data, then the “new” block at lba 0×123456 has vendor specific data in it. The sg_reassign utility can also do bulk reassigns, see man sg_reassign for more information.

The dd command could be used to read the contents of the “new” block:

# dd if=/dev/sdb iflag=direct skip=1193046 of=blk.img bs=512 count=1

and a hex editor ^[11] used to view and potentially change the blk.img file. An altered blk.img file (or /dev/zero) could be written back with:

# dd if=blk.img of=/dev/sdb seek=1193046 oflag=direct bs=512 count=1

More work may be needed at the file system level, especially if the reassigned block held critical file system information such as a superblock or a directory.

Even if a full backup of the disk is available, or the disk has been “ejected” from a RAID, it may still be worthwhile to reassign the bad block(s) that caused the problem (or simply format the disk (see sg_format in the sg3_utils package)) and re-use the disk later (not unlike the way a replacement disk from a manufacturer might be used).

CVS $Id: badblockhowto.xml,v 1.5 2008/07/17 18:24:14 chrfranke Exp $

^[1] Self-Monitoring, Analysis and Reporting Technology -> SMART

^[2] Starting with GNU coreutils release 5.3.0, the dd command in Linux includes the options ‘iflag=direct’ and ‘oflag=direct’. Using these with the dd commands should be helpful, because adding these flags should avoid any interaction with the block buffering IO layer in Linux and permit direct reads/writes from the raw device. Use dd –help to see if your version of dd supports these options. If not, the latest code for dd can be found at alpha.gnu.org/gnu/coreutils.

^[3] Do not use tar -c -f /dev/null or tar -cO /mydir >/dev/null. GNU tar does not actually read the files if /dev/null is used as archive path or as standard output, see info tar.

^[4] Important: set blocksize range is arbitrary, but do not only test a single block, as bad blocks are often social. Not too large as this test probably has not 0% risk.

^[5] The rather awkward `expr 484335 + 100` (note the back quotes) can be replaced with $((484335+100)) if the bash shell is being used. Similarly the last argument can become $((484335-100)) .

^[6] testdisk scans the media for the beginning of file systems that it recognizes. It can be tricked by data that looks like the beginning of a file system or an old file system from a previous partitioning of the media (disk). So care should be taken. Note that file systems should not overlap apart from the fact that extended partitions lie wholly within a extended partition table allocation. Also if the root partition of a Linux/Unix installation can be found then the /etc/fstab file is a useful resource for finding the partition numbers of other partitions.

^[7] Thanks to Manfred Schwarb for the information about storing partition table(s) beforehand.

^[8] Detecting and fixing an error with ECC “on the fly” and not going the further step and reassigning the block in question may explain why some disks have large numbers in their read error counter log. Various worried users have reported large numbers in the “errors corrected without substantial delay” counter field which is in the “Errors corrected by ECC fast” column in the smartctl -l error output.

^[9] Often disks inside a hardware RAID have the ARRE and AWRE bits cleared (disabled) so the RAID controller can do things manually or flag the disk for replacement.

^[10] In this case the corruption was manufactured by using the WRITE LONG SCSI command. See sg_write_long in sg3_utils.

^[11] Most window managers have a handy calculator that will do hex to decimal conversions. More work may be needed at the file system level,

调用:
strace [ -dffhiqrtttTvxx ] [ -acolumn ] [ -eexpr ] …
[ -ofile ] [ -ppid ] … [ -sstrsize ] [ -uusername ] [ command [ arg … ] ]

strace -c [ -eexpr ] … [ -Ooverhead ] [ -Ssortby ] [ command [ arg … ] ]
功能:
跟踪程式执行时的系统调用和所接收的信号.通常的用法是strace执行一直到commande结束.
并且将所调用的系统调用的名称、参数和返回值输出到标准输出或者输出到-o指定的文件.
strace是一个功能强大的调试,分析诊断工具.你将发现他是一个极好的帮手在你要调试一个无法看到源码或者源码无法在编译的程序.
你将轻松的学习到一个软件是如何通过系统调用来实现他的功能的.而且作为一个程序设计师,你可以了解到在用户态和内核态是如何通过系统调用和信号来实现程序的功能的.
strace的每一行输出包括系统调用名称,然后是参数和返回值.这个例子:
strace cat /dev/null
他的输出会有:
open(\\”/dev/null\\”,O_RDONLY) = 3
有错误产生时,一般会返回-1.所以会有错误标志和描述:
open(\\”/foor/bar\\”,)_RDONLY) = -1 ENOENT (no such file or directory)
信号将输出喂信号标志和信号的描述.跟踪并中断这个命令\\”sleep 600\\”:
sigsuspend({}
— SIGINT (Interrupt) —
+++ killed by SIGINT +++
参数的输出有些不一致.如shell命令中的 \\”>>tmp\\“,将输出:
open(\\”tmp\\”,O_WRONLY|O_APPEND|A_CREAT,0666) = 3
对于结构指针,将进行适当的显示.如:\\”ls -l /dev/null\\”:
lstat(\\”/dev/null\\”,{st_mode=S_IFCHR|0666},st_rdev=makdev[1,3],…}) = 0
请注意\\”struct stat\\” 的声明和这里的输出.lstat的第一个参数是输入参数,而第二个参数是向外传值.
当你尝试\\”ls -l\\” 一个不存在的文件时,会有:
lstat(/foot/ball\\”,0xb004) = -1 ENOENT (no such file or directory)
char*将作为C的字符串类型输出.没有字符串输出时一般是char* 是一个转义字符,只输出字符串的长度.
当字符串过长是会使用\\”…\\“省略.如在\\”ls -l\\”会有一个gepwuid调用读取password文件:
read(3,\\”root::0:0:System Administrator:/\\”…,1024) = 422
当参数是结构数组时,将按照简单的指针和数组输出如:
getgroups(4,[0,2,4,5]) = 4
关于bit作为参数的情形,也是使用方括号,并且用空格将每一项参数隔开.如:
sigprocmask(SIG_BLOCK,[CHLD TTOU],[]) = 0
这里第二个参数代表两个信号SIGCHLD 和 SIGTTOU.如果bit型参数全部置位,则有如下的输出:
sigprocmask(SIG_UNBLOCK,~[],NULL) = 0
这里第二个参数全部置位.

参数说明:
-c 统计每一系统调用的所执行的时间,次数和出错的次数等.
-d 输出strace关于标准错误的调试信息.
-f 跟踪由fork调用所产生的子进程.
-ff 如果提供-o filename,则所有进程的跟踪结果输出到相应的filename.pid中,pid是各进程的进程号.
-F 尝试跟踪vfork调用.在-f时,vfork不被跟踪.
-h 输出简要的帮助信息.
-i 输出系统调用的入口指针.
-q 禁止输出关于脱离的消息.
-r 打印出相对时间关于,,每一个系统调用.
-t 在输出中的每一行前加上时间信息.
-tt 在输出中的每一行前加上时间信息,微秒级.
-ttt 微秒级输出,以秒了表示时间.
-T 显示每一调用所耗的时间.
-v 输出所有的系统调用.一些调用关于环境变量,状态,输入输出等调用由于使用频繁,默认不输出.
-V 输出strace的版本信息.
-x 以十六进制形式输出非标准字符串
-xx 所有字符串以十六进制形式输出.
-a column
设置返回值的输出位置.默认为40.
-e expr
指定一个表达式,用来控制如何跟踪.格式如下:
[qualifier=][!]value1[,value2]…
qualifier只能是 trace,abbrev,verbose,raw,signal,read,write其中之一.value是用来限定的符号或数字.默认的qualifier是 trace.感叹号是否定符号.例如:
-eopen等价于 -e trace=open,表示只跟踪open调用.而-etrace!=open表示跟踪除了open以外的其他调用.有两个特殊的符号 all 和 none.
注意有些shell使用!来执行历史记录里的命令,所以要使用\\\\.
-e trace=set
只跟踪指定的系统调用.例如:-e trace=open,close,rean,write表示只跟踪这四个系统调用.默认的为set=all.
-e trace=file
只跟踪有关文件操作的系统调用.
-e trace=process
只跟踪有关进程控制的系统调用.
-e trace=network
跟踪与网络有关的所有系统调用.
-e strace=signal
跟踪所有与系统信号有关的系统调用
-e trace=ipc
跟踪所有与进程通讯有关的系统调用
-e abbrev=set
设定strace输出的系统调用的结果集.-v 等与 abbrev=none.默认为abbrev=all.
-e raw=set
将指定的系统调用的参数以十六进制显示.
-e signal=set
指定跟踪的系统信号.默认为all.如signal=!SIGIO(或者signal=!io),表示不跟踪SIGIO信号.
-e read=set
输出从指定文件中读出的数据.例如:
-e read=3,5
-e write=set
输出写入到指定文件中的数据.
-o filename
将strace的输出写入文件filename
-p pid
跟踪指定的进程pid.
-s strsize
指定输出的字符串的最大长度.默认为32.文件名一直全部输出.
-u username
以username的UID和GID执行被跟踪的命令.
用strace调试程序

     在理想世界里，每当一个程序不能正常执行一个功能时，它就会给出一个有用的错误提示，告诉你在足够的改正错误的线索。但遗憾的是，我们不是生活在理想世界里，起码不总是生活在理想世界里。有时候一个程序出现了问题，你无法找到原因。

这就是调试程序出现的原因。strace是一个必不可少的调试工具，strace用来监视系统调用。你不仅可以调试一个新开始的程序，也可以调试一个已经在运行的程序（把strace绑定到一个已有的PID上面）。

首先让我们看一个真实的例子：

[BOLD]启动KDE时出现问题[/BOLD]

前一段时间，我在启动KDE的时候出了问题，KDE的错误信息无法给我任何有帮助的线索。

代码：

_KDE_IceTransSocketCreateListener: failed to bind listener
_KDE_IceTransSocketUNIXCreateListener: …SocketCreateListener() failed
_KDE_IceTransMakeAllCOTSServerListeners: failed to create listener for local

Cannot establish any listening sockets DCOPServer self-test failed.

对我来说这个错误信息没有太多意义，只是一个对KDE来说至关重要的负责进程间通信的程序无法启动。我还可以知道这个错误和ICE协议（Inter Client Exchange）有关，除此之外，我不知道什么是KDE启动出错的原因。

我决定采用strace看一下在启动dcopserver时到底程序做了什么：

代码：

strace -f -F -o ~/dcop-strace.txt dcopserver

这里 -f -F选项告诉strace同时跟踪fork和vfork出来的进程，-o选项把所有strace输出写到~/dcop-strace.txt里面，dcopserver是要启动和调试的程序。

再次出现错误之后，我检查了错误输出文件dcop-strace.txt，文件里有很多系统调用的记录。在程序运行出错前的有关记录如下：

代码：

27207 mkdir(”/tmp/.ICE-unix”, 0777) = -1 EEXIST (File exists)
27207 lstat64(”/tmp/.ICE-unix”, {st_mode=S_IFDIR|S_ISVTX|0755, st_size=4096, …}) = 0
27207 unlink(”/tmp/.ICE-unix/dcop27207-1066844596″) = -1 ENOENT (No such file or directory)
27207 bind(3, {sin_family=AF_UNIX, path=”/tmp/.ICE-unix/dcop27207-1066844596″}, 3 = -1 EACCES (Permission denied)
27207 write(2, “_KDE_IceTrans”, 13) = 13
27207 write(2, “SocketCreateListener: failed to “…, 46) = 46
27207 close(3) = 0 27207 write(2, “_KDE_IceTrans”, 13) = 13
27207 write(2, “SocketUNIXCreateListener: …Soc”…, 59) = 59
27207 umask(0) = 0 27207 write(2, “_KDE_IceTrans”, 13) = 13
27207 write(2, “MakeAllCOTSServerListeners: fail”…, 64) = 64
27207 write(2, “Cannot establish any listening s”…, 39) = 39

其 中第一行显示程序试图创建/tmp/.ICE-unix目录，权限为0777，这个操作因为目录已经存在而失败了。第二个系统调用（lstat64）检查 了目录状态，并显示这个目录的权限是0755，这里出现了第一个程序运行错误的线索：程序试图创建属性为0777的目录，但是已经存在了一个属性为 0755的目录。第三个系统调用（unlink）试图删除一个文件，但是这个文件并不存在。这并不奇怪，因为这个操作只是试图删掉可能存在的老文件。

但 是，第四行确认了错误所在。他试图绑定到/tmp/.ICE-unix/dcop27207-1066844596，但是出现了拒绝访问错误。. ICE_unix目录的用户和组都是root，并且只有所有者具有写权限。一个非root用户无法在这个目录下面建立文件，如果把目录属性改成0777， 则前面的操作有可能可以执行，而这正是第一步错误出现时进行过的操作。

所以我运行了chmod 0777 /tmp/.ICE-unix之后KDE就可以正常启动了，问题解决了，用strace进行跟踪调试只需要花很短的几分钟时间跟踪程序运行，然后检查并分析输出文件。

说 明：运行chmod 0777只是一个测试，一般不要把一个目录设置成所有用户可读写，同时不设置粘滞位(sticky bit)。给目录设置粘滞位可以阻止一个用户随意删除可写目录下面其他人的文件。一般你会发现/tmp目录因为这个原因设置了粘滞位。KDE可以正常启动 之后，运行chmod +t /tmp/.ICE-unix给.ICE_unix设置粘滞位。

[BOLD]解决库依赖问题[/BOLD]

starce 的另一个用处是解决和动态库相关的问题。当对一个可执行文件运行ldd时，它会告诉你程序使用的动态库和找到动态库的位置。但是如果你正在使用一个比较老 的glibc版本（2.2或更早），你可能会有一个有bug的ldd程序，它可能会报告在一个目录下发现一个动态库，但是真正运行程序时动态连接程序 （/lib/ld-linux.so.2）却可能到另外一个目录去找动态连接库。这通常因为/etc/ld.so.conf和 /etc/ld.so.cache文件不一致，或者/etc/ld.so.cache被破坏。在glibc 2.3.2版本上这个错误不会出现，可能ld-linux的这个bug已经被解决了。

尽管这样，ldd并不能把所有程序 依赖的动态库列出来，系统调用dlopen可以在需要的时候自动调入需要的动态库，而这些库可能不会被ldd列出来。作为glibc的一部分的NSS （Name Server Switch）库就是一个典型的例子，NSS的一个作用就是告诉应用程序到哪里去寻找系统帐号数据库。应用程序不会直接连接到NSS库，glibc则会通 过dlopen自动调入NSS库。如果这样的库偶然丢失，你不会被告知存在库依赖问题，但这样的程序就无法通过用户名解析得到用户ID了。让我们看一个例 子：

whoami程序会给出你自己的用户名，这个程序在一些需要知道运行程序的真正用户的脚本程序里面非常有用，whoami的一个示例输出如下：
代码：

# whoami
root

假设因为某种原因在升级glibc的过程中负责用户名和用户ID转换的库NSS丢失，我们可以通过把nss库改名来模拟这个环境：
代码：

# mv /lib/libnss_files.so.2 /lib/libnss_files.so.2.backup
# whoami
whoami: cannot find username for UID 0

这里你可以看到，运行whoami时出现了错误，ldd程序的输出不会提供有用的帮助：
代码：

# ldd /usr/bin/whoami
libc.so.6 => /lib/libc.so.6 (0×4001f000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0×40000000)

你只会看到whoami依赖Libc.so.6和ld-linux.so.2，它没有给出运行whoami所必须的其他库。这里时用strace跟踪whoami时的输出：
代码：

strace -o whoami-strace.txt whoami

open(”/lib/libnss_files.so.2″, O_RDONLY) = -1 ENOENT (No such file or directory)
open(”/lib/i686/mmx/libnss_files.so.2″, O_RDONLY) = -1 ENOENT (No such file or directory)
stat64(”/lib/i686/mmx”, 0xbffff190) = -1 ENOENT (No such file or directory)
open(”/lib/i686/libnss_files.so.2″, O_RDONLY) = -1 ENOENT (No such file or directory)
stat64(”/lib/i686″, 0xbffff190) = -1 ENOENT (No such file or directory)
open(”/lib/mmx/libnss_files.so.2″, O_RDONLY) = -1 ENOENT (No such file or directory)
stat64(”/lib/mmx”, 0xbffff190) = -1 ENOENT (No such file or directory)
open(”/lib/libnss_files.so.2″, O_RDONLY) = -1 ENOENT (No such file or directory)
stat64(”/lib”, {st_mode=S_IFDIR|0755, st_size=2352, …}) = 0
open(”/usr/lib/i686/mmx/libnss_files.so.2″, O_RDONLY) = -1 ENOENT (No such file or directory)
stat64(”/usr/lib/i686/mmx”, 0xbffff190) = -1 ENOENT (No such file or directory)
open(”/usr/lib/i686/libnss_files.so.2″, O_RDONLY) = -1 ENOENT (No such file or directory)

你可以发现在不同目录下面查找libnss.so.2的尝试，但是都失败了。如果没有strace这样的工具，很难发现这个错误是由于缺少动态库造成的。现在只需要找到libnss.so.2并把它放回到正确的位置就可以了。

[BOLD]限制strace只跟踪特定的系统调用[/BOLD]

如果你已经知道你要找什么，你可以让strace只跟踪一些类型的系统调用。例如，你需要看看在configure脚本里面执行的程序，你需要监视的系统调用就是execve。让strace只记录execve的调用用这个命令：

代码：

strace -f -o configure-strace.txt -e execve ./configure

部分输出结果为：
代码：

2720 execve(”/usr/bin/expr”, [”expr”, “a”, “:”, “(a)”], [/* 31 vars */]) = 0
2725 execve(”/bin/basename”, [”basename”, “./configure”], [/* 31 vars */]) = 0
2726 execve(”/bin/chmod”, [”chmod”, “+x”, “conftest.sh”], [/* 31 vars */]) = 0
2729 execve(”/bin/rm”, [”rm”, “-f”, “conftest.sh”], [/* 31 vars */]) = 0
2731 execve(”/usr/bin/expr”, [”expr”, “99″, “+”, “1″], [/* 31 vars */]) = 0
2736 execve(”/bin/ln”, [”ln”, “-s”, “conf2693.file”, “conf2693″], [/* 31 vars */]) = 0

你 已经看到了，strace不仅可以被程序员使用，普通系统管理员和用户也可以使用strace来调试系统错误。必须承认，strace的输出不总是容易理 解，但是很多输出对大多数人来说是不重要的。你会慢慢学会从大量输出中找到你可能需要的信息，像权限错误，文件未找到之类的，那时strace就会成为一 个有力的工具了。

事件类型： 警告
事件源： W3SVC
事件类别: 无
事件 ID 1009：
说明：
处理应用程序池 ‘ poolname ‘ 进程意外终止。 进程 ID 是 processid ‘ ‘。 进程退出代码为 0 x 80 ‘ ‘。

当您使用三个预定义标识不会发生此问题。 预定义标识是 NetworkService、 本地服务, 和本地系统。

注意 在同时 32 - 位版本的 IIS 和 64 - 位版本的 IIS 发生此问题。

通过从配置桌面堆分配内存一起使用， IIS 使用独立标识, 创建每个辅助进程系统创建一个新桌面对象。 出现此问题原因, 该堆已用尽时 IIS 无法创建多辅助进程是。 然后可用 ” 服务 ” 客户端接收这些应用程序池宿主站点， 其Web 当他们尝试访问 Web 浏览器中错误消息。

警告 如果正确修改注册表通过注册表编辑器或通过其他方法可能发生 Serious 问题。 这些问题可能需要重新安装操作系统。 Microsoft 不能保证能够解决这些问题而。 修改注册表需要您自担风险。

要解决此问题, 添加 UseSharedWPDesktop 注册表项， 是运行 IIS 的计算机。 此注册表项允许所有要在一个共享桌面, 不管其辅助进程标识运行辅助进程。

要添加 UseSharedWPDesktop 注册表项：

1. 单击 开始 ， 单击 运行 , 类型 regedit 然后单击 确定 。
2. 找到以下注册表项：

   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W3SVC

3. 右键单击 Parameters ， 指向 新建 , 然后单击 DWORD 值 。
4. 类型 UseSharedWPDesktop.
5. 将对此新项值设置为 1。
6. 退出注册表编辑器, 并重新启动 IIS。

　　二、Setup会话
　　
　　当NVRAM里没有有效的配置文件时，路由器会自动进入Setup会话模式。以后也可
　　
　　在命令行敲入Setup进行配置。
　　
　　Setup 命令是一个交互方式的命令，每一个提问都有一个缺省配置，如果用缺省
　　
　　配置则敲回车即可。如果系统已经配置过，则显示目前的配置值。如果是第一次
　　
　　配置，则显示出厂设置。当屏幕显示 “—— More ——”,键入空格键继续；
　　
　　若从Setup 中退出，只要键入Ctrl-C即可。

　　1、Setup主要参数：
　　
　　配置它的一般参数，包括：
　　
　　主机名 ：hostname
　　
　　特权口令 ：enable password
　　
　　虚终端口令 ：virtual terminal password
　　
　　SNMP网管 ：SNMP Network Management
　　
　　IP ：IP
　　
　　IGRP路由协议：IGRP Routing
　　
　　RIP路由协议 ：RIP Routing
　　
　　DECnet : DECnet . 等

　　其中 Console 的secret、 password的设置：
　　
　　enable secret
　　
　　enable password
　　
　　Virtual Terminor 的password的设置：
　　
　　Line vty
　　
　　Password
　　
　　Host name的设置：
　　
　　Hostname

　　2、Setup接口参数：
　　
　　设置接口参数，如以太网口、TokenRing口、同步口、异步口等。包括IP地址、子
　　
　　网屏蔽、TokengRing速率等。

　　3、Setup描述：
　　
　　在设置完以上参数后，该命令提示是否要用以上的配置，如果回答是”YES”则系统
　　
　　会存储以上的配置参数，系统就可以使用了。

　　4、 Setup相关命令：
　　
　　Show config
　　
　　write memory
　　
　　write erase
　　
　　reload
　　
　　setup

　　5、路由器丢失PASSWORD的恢复
　　
　　以下办法可以恢复：
　　
　　enable secret password (适合10。3（2）或更新的版本)
　　
　　enable password
　　
　　console password
　　
　　通过修改Configuration Register(出厂为0×2102)，使路由器忽略PASSWORD，这
　　
　　样就可以进入路由器，就可以看到enable password和Console password，但ena
　　
　　ble secret password以被加密，只能替换。可以进入的configuration Registe
　　
　　r值为0×142.

　　· 运行password恢复可能会使系统DOWN掉一个半小时；
　　
　　· 将Console terinal连在路由器的Console口上，确认终端设置为9600bps、8
　　
　　Data bit 、No parity、1 stop bit;
　　
　　· show version显示Configuration Register 0×2102；
　　
　　· 关机再开，按”Ctrl+ Break”,进入ROM MONITOR状态，提示符为”>”；
　　
　　· 键入”> o/r 0×142″，修改 Configuration Register到0×142,可以忽略原先的
　　
　　password；
　　
　　· 键入”> initialize”,初始化路由器，等一段时间后，路由器会出现以下提示
　　
　　：
　　
　　”system configuration Diaglog ……”
　　
　　Enter “NO”
　　
　　提示”Press RETURN to get started!” ,Press “Enter”

　　· 进入特权模式
　　
　　Router>enable
　　
　　Router#show startup-config
　　
　　这样就可以得到password(enable&console password)
　　
　　· 修改password
　　
　　”Router#config ter”
　　
　　”Router(config)# enable secret cisco”
　　
　　”Router(config)# enable password cisco1″
　　
　　”Router(config)# line con 0″
　　
　　”Router(config)# password cisco”
　　
　　”Router(config)# config-register 0×2102″
　　
　　”ctrl + Z”
　　
　　”Router#copy running-config startup-config”
　　
　　”reload”
　　
　　· 以password cisco进入特权用户。
　三、路由器配置
　　
　　1)路由器模式
　　
　　在Cisco 路由器中，命令解释器称为EXEC，EXEC解释用户键入的命令并执行相应
　　
　　的操作，在输入EXEC命令前必须先登录到路由器上。基于安全原因，EXEC设置了
　　
　　两个访问权限：用户级和特权级，用户级可执执行的命令是特权级命令的子集。
　　
　　在特权级，可以使用：configuration，interface，subinterface，line，rout
　　
　　er，router-map等命令。

　　2)配置模式
　　
　　使用Config命令可进入配置模式，进入该模式后，EXEC提示用户可用的配置方式
　　
　　如终端、NVRAM、网络三种，缺省是终端方式。

　　3)IP路由协议模式
　　
　　在配置模式下输入Router命令，可进入IP路由协议模式，可选的路由协议一般有
　　
　　：bgp、egp、igrp、eigrp、rip等动态路由和静态路由。

　　4)接口配置模式
　　
　　在每一个端口上可以设置很多特性，接口配置命令修改以太网、令牌环网、FDDI
　　
　　或同步、异步口等操作。

　　5)口令配置
　　
　　可以采用口令来限制对路由器的访问，口令可以设定到具体的线路上或是特权Ｅ
　　
　　ＸＥＣ模式。
　　
　　Line console 0 命令设置控制台终端口令
　　
　　Line vty 0 命令设置Telnet虚终端口令
　　
　　Enable-password 命令设置特权EXEC访问权限

　　6)路由器命名
　　
　　在配置模式下用hostname，如：
　　
　　hostname RouterA

　　四、用户帮助提示
　　
　　1、在用户提示符下键入？可以列出常用命令，通常有以下命令：
　　
　　connect 打开一个中端连接
　　
　　disconnect 关闭一个已有的telnet会话
　　
　　enable 进入特权级
　　
　　exit 退出EXEC
　　
　　help 交互求助系统描述
　　
　　lock 终端锁定
　　
　　login 以特定用户登录
　　
　　logout 退出EXEC
　　
　　ping 发送echo信息
　　
　　resume 恢复一个激活的telnet连接
　　
　　show 显示正在运行的系统信息
　　
　　systat 显示正在运行的系统信息
　　
　　telnet 打开一个telnet连接
　　
　　terminal 设置终端线路参数
　　
　　where 列出激活的telnet连接
　　
　　2、上下相关帮助
　　
　　上下相关帮助包括：
　　
　　符号转换 ：键入命令有错时提示；
　　
　　关键字完成 ：键入命令字的一部分即可；
　　
　　命令记忆 ：可用” “调出以前的命令；
　　
　　命令提示 ：当命令记不完全时，可用”？”替代

一、两层交换机

1、基本配置
（1）设置VLAN1的IP地址，掩码：
配置：
sw itch#config terminal
(config)#interface vlan1    ！进入到要配置IP的接口
(config-if)#ip address 10.1.10.253(ip)  255.255.255.0(mask)  ！设置参数
验证：
(config-if)#exit
switch#show interface vlan1
保存设置：
switch#copy running-config startup-config

（2）划分VLAN
配置：
switch#vlan database(还有一种方法)   ！创建一个VLAN
switch#vlan 2
switch#exit
switch#config terminal
one port:
(config)#interface fastethernet0/0      ！进入到要被划分的端口
(config-if)#switchport access vlan 2    ！划分到一个VLAN
multiports:
(config)#interface range fastethernet0/0 -7  ！进入到要被集体划分的端口
(config-if)#switchport access vlan 2     ！划分到一个VLAN
验证：
switch#show vlan
保存：
switch#copy running-config startup-config

（3）设置trunk
配置：
switch#config terminal
(config)#interface gigabitethernet0/1  ！进入要配置成干道的接口
(config-if)#switchport mode trunk    ！设置成干道
验证：
switch#show interface trunk
保存：
switch#copy running-config startup-config

（4）连接路由器
如果交换机上有多个VLAN，则所连的路由器接口就必须有多个IP地址。要用子接口设置多IP地址。连接到路由器上的接口要被设置成trunk，并且要封装干道协议：ISL，或者802.1Q。
配置交换机：
switch#config terminal
(config)#interface gigabitethernet0/1
(config-if)#switchport mode trunk  !配置成干道，将自动封装802.1q协议
配置路由器：
router#config terminal
(config)#interface fastethernet0/0.2   ！进入子接口2
(config-subif)#encapsulation dot1q 2   ！子接口对应VLAN2，并封装dot1q协议
(config-subif)#ip address 10.1.20.1  255.255.255.0  !配置了10.1.20.0/24网段的网关
确认：
router#show interface fastethernet0/0
不同VLAN下的主机可以相互ping通，则配置成功。
保存配置

（5）连接交换机
同种类型的网络设备相连要使用交叉线。交换机使用交叉线相连后，将会自动将两端设置成干道。

2、VTP（VLAN Trunk Protocol）
（1） 作用：
允许用户集中管理网络中交换机的配。VTP是一种消息协议，可以对整个网络内的VLAN的添加、删除和重命名操作进行管理，以此维护VLAN配置的一致性。
（2） 工作方式
确定一条交换机为VTP服务器。
可以在服务器上更改VLAN的配置，并把该配置传播到网络中的所有VTP客户机。
当交换机配置成VTP客户机之后，就不能物理地改变该交换机的VLAN配置。
唯一可以更改VLAN配置的方法是当且仅当VTP客户端交换机接收到来自其VTP服务器的VTP更新信息时，才能更改。
多台VTP服务器管理不同的VTP客户机，必须指定一个VTP域。服务器和客户机在各自的域内。

二、路由器
1、基本配置
（1）以太网口配置
注：路由器以太网口直接接主机用交叉线。
（2）串口配置
（3）配置静态路由
（4）配置动态路由协议
（5）配置访问控制列表（ACL）**
（6）路由器互联

2、问题
（1）无法配置静态路由，出现“Default gateway is not set ….. ICMP redirect cache is empty”
原因：IP路由被禁用
解决：(config)#ip routing

（2）与其他设备的接口状态上，”protocol  down”
可能的原因：双绞线的接线类型不对
解决：换成直通线或者交叉线。

三、三层交换机
1、基本配置

（1）配置IP
手工配置：
(config)#interface vlan vlan-id
(config-if)#ip address ip-address subnet-mask
(config-if)#exit
(config)#ip default-gateway ip-address
确认配置：
#show interface vlan vlan-id
#show ip redirects  ！确认默认网关配置
保存：＃copy running-config startup-config
使用DHCP配置

（2）使不同VLAN互联
 

（3）配置某个端口为trunk
(config)#interface fastethernet1/0/23
(config-if)#switchport encapsultion dot1q
(config-if)#switchport mode trunk

（4）默认路由及路由协议的设定
问题
（1）多个子网连接到三层交换机，交换机上设定了每个子网对应的网关地址，交换机通过router连接到其他的网络或者区域。三层switch和router上相同网段的地址无法相互ping 通。如：3750上有192.168.8.254（VLAN1），192.168.16.254（VLAN2），192.168.24.254（VLAN3）；router上有192.168.8.1，192.168.16.1，192.168.24.1。
    现象：192.168.8.254 可以ping通192.168.8.1，但是.16.和.24.网段的无法ping通。
    原因：router接到switch上的接口没有设置成trunk。

四、防火墙
CISCO PIX系列属于状态检测防火墙。
Note:ASA(Adaptive Security Algorithm) allows one way (inside to outside) connections without an explicit configuration in memory.

1、特点
（1）自适应安全算法（ASA）
创建状态会话流表（state table）。各种连接信息都被记录进表中。
ASA是一个有状态、面向连接的过程，它在状态表中维持会话信息，应用对状态表的安全策略来控制通过防火墙的所有流量。
连接状态包括：源/目的IP，源/目的端口，TCP顺序信息，附加的TCP/UDP标记。应用一个随机产生的TCP顺序号。总称为“会话对象”。

内部不主动发出数据，要求响应，外部的数据就无法进入内部了吗。
PIX中ASA和状态过滤的工作机制：
a、 内部主机开始一个对外部资源的连接
b、 PIX在状态表中写入一个会话（连接）对象
c、 会话对象同安全策略相比较。如果连接不被允许，此会话对象被删除，并且连接被取消
h、 如果安全策略认可这个连接，此连接继续向外部资源发送
j、 外部资源响应这个请求
k、 响应信息到达防火墙，与会话对象比较。匹配则响应信息被发送到内部主机，不匹配则连接就会被取消。

 （2）贯穿式代理
认证和授权一个防火墙上输入/输出的连接。
它在应用层完成用户认证，依照安全策略检验授权。当安全策略授权时打开这个连接。这个连接后面的流量不再在应用层处理，而是进行状态检测。

（3）冗余

2、基本配置

配置完基本参数后，发现从PIX上可以ping通内网和外网的地址。但是内外网的主机无法相互ping通。内网主机无法ping通PIX外口。但是，内网主机可以访问外网的服务器。（可能原因：PIX默认关闭ICMP响应？？）

基本配置命令：interface , nameif , ip address , nat , global , route
（1）激活以太端口
firewell#config terminal
(config)#interface ethernet0 auto
(config)#interface ethernet1 auto    !外口必须用命令激活

（2）命名端口和安全级别
(config)#nameif  ethernet1  inside  security0
(config)#nameif  ethernet0  outside  security100

（3）配置内外口
firewell#config terminal
(config)#ip address inside 192.168.1.1 255.255.255.0
(config)#ip address outside 222.20.16.1 255.255.255.0

（4）配置NAT和PAT
(config)#nat (inside) 1 0 0   !所有的内口地址都
(config)#nat (inside) 2 192.168.8.0 255.255.255.0   
(config)#global (outside) 2 10.1.30.150-10.1.30.160 netmask 255.255.0.0
测试配置：
  ping
  debug

（5）DMZ的访问

（6）转换表的操作
show  xlate    显示转换表的信息
clear  xlate     每次重建转换表要运行，以清除原有的转换槽，否则原信息将在超时（3小时）后才被丢弃
show conn    查找连接故障，为选择的特定选项显示所有活动的TCP连接的数量和状态
可以更改转换表的操作：
nat ，global ，static ，route，alias，conduit

（7）配置网络时间协议（NTP）
 NTP server与PIX的关系

（8）访问配置
经由PIX的入站访问

step1：静态网络地址转换
  静态网络地址转换，不节省已经分配的IP地址 
static [( prenat_interface,postnat_interface)] {mapped_address | interface} real_address [dns] [netmask mask] [norandomseq] [ max_cons [em_limit]]
   设定一个内部地址到一个外部地址的映射
   (config)#static (inside,outside) 211.70.96.10 10.1.100.10 netmask 255.255.255.255
   或者一个内部网络到一个外部网络的映射
   (config)#static (inside,outside) 211.70.96.0 10.1.100.0 netmask 255.255.255.0
   静态端口地址转换，不支持H.323或者多媒体应用流量
   static [(internal_if_name,external_if_name)] {tcp|udp} {global_ip | interface} global local_ip local_port [netmask mask] [ max_cons [emb_limit [norandomseq]]]

Translation Type
Application
Basic Command
Direction in Which Connections Can Be Initiated
Static NAT
Real source addresses (and ports) are translated to mapped addresses (and ports)
static
Inbound or outbound
Policy NAT
Conditionally translates real source addresses (and ports) to mapped addresses
static access-list
Inbound or outbound
Identity NAT
No translation of real source addresses
nat 0
Outbound only
NAT exemption
No translation of real source addresses matched by the access list
nat 0 access-list
Inbound or outbound
Dynamic NAT
Translates real source addresses to a pool of mapped addresses
nat id
global id address-range
Outbound only
PAT
Translates real source addresses to a single mapped address with dynamic port numbers
nat id
global id address
Outbound only
配置
对于连接数的控制 PIX 6.x … [norandomseq] [max_conns [emb_limit]]
PIX 7.x  … [norandomseq] [[tcp] max_conns [emb_limit]] [udp udp_max_conns]
连接超时控制 Firewall(config)# timeout [conn hh:mm:ss] [udp hh:mm:ss]
静态NAT
基于地址的静态翻译 Firewall(config)# static (real_ifc,mapped_ifc) {mapped_ip | interface} {real_ip [netmask mask]} [dns]
[norandomseq] [max_conns [emb_limit]]
基于端口的静态翻译 Firewall(config)# static (real_ifc,mapped_ifc) {tcp | udp} {mapped_ip | interface} mapped_port {real_ip
real_port [netmask mask]} [dns] [norandomseq] [max_conns [emb_limit]]
策略NAT
定义翻译策略 Firewall(config)# access-list acl_name permit ip real_ip real_mask foreign_ip foreign_mask
静态的 Firewall(config)# static (real_ifc,mapped_ifc) mapped_ip access-list acl_name [dns] [norandomseq] [max_conns
[emb_limit]]
NAT的 Firewall(config)# global (mapped_ifc) nat_id {global_ip [-global_ip] [netmask global_mask]} | interface
Firewall(config)# nat (real_ifc) nat_id access-list acl_name [dns] [outside][norandomseq] [max_conns [emb_limit]]
Identify NAT Firewall(config)# nat (real_ifc) 0 real_ip real_mask [dns] [norandomseq] [max_conns [emb_limit]]
注：nat 0和static 相同地址的区别在于：nat 0只能用于outbound访问，static两种访问都可以，对同一地址不建议同时配置此两类命令。
NAT Exemption
Firewall(config)# access-list acl_name permit ip local_ip local_mask foreign_ip foreign_mask
Firewall(config)# nat (real_ifc) 0 access-list acl_name [dns] [outside] [max_conns [emb_limit] [norandomseq]]
注：此类型NAT策略只能根据源和目的地址不能根据协议类型或者端口
动态地址翻译
定义NAT的映射地址 Firewall(config)# global (mapped_ifc) nat_id global_ip[-global_ip] [netmask global_mask]
定义PAT的映射地址 Firewall(config)# global (mapped_ifc) nat_id {global_ip | interface}
定义翻译策略 Firewall(config)# nat (real_ifc) nat_id real_ip [mask [dns] [outside] [[norandomseq] [max_conns [emb_limit]]]
注：也可以使用ACL来做类似的策略NAT。
5.3 使用ACL进行访问控制
特性介绍：防火墙的ACL配置跟IOS不同，子网掩码部分为正常的子网掩码不需要使用反转的子网掩码。还支持Object group，包含IP地址组，
ICMP类型组，IP协议或者端口组，并且支持组嵌套。access-list acl_name compiled配置Turbo ACL，7.x自动turbo。防火墙的ACL缺省是扩展
模式的，7.x后也支持标准模式了儘管只用于路由协议的配置上，并且加上了extend的参数，虽然配置的时候可以不必强制用这个参数但是当你
需要移除该条目的时候要记得把extend这个参数加上。
配置
定义Object Group
网络对像组 Firewall(config)# object-group network group_id
Firewall(config-network)# description text
Firewall(config-network)# network-object ip_addr mask (或者 host ip_addr)
Firewall(config-network)# group-object group_id
ICMP对像组 Firewall(config)# object-group icmp-type group_id
Firewall(config-icmp-type)# description text
Firewall(config-icmp-type)# icmp-object icmp_type
Firewall(config-icmp-type)# group-object group_id
协议对像组 Firewall(config)# object-group protocol group_id
Firewall(config-protocol)# description text
Firewall(config-protocol)# protocol-object protocol
Firewall(config-protocol)# group-object group_id
服务对像组 Firewall(config)# object-group service group_id {tcp | udp | tcp-udp}
Firewall(config-service)# description text
Firewall(config-service)# port-object range begin_port end_port (或者eq port)
Firewall(config-service)# group-object group_id
定义时间范围 7.0特性
Firewall(config)# time-range name
Firewall(config-time-range)# periodic start-day hh:mm to end-day hh:mm
Firewall(config-time-range)# periodic days-of-the-week hh:mm to hh:mm
Firewall(config-time-range)# absolute [start hh:mm day month year] [end hh:mm day month year]
配置ACL Firewall(config)# access-list acl_id [line line-num] [extended] {permit | deny}
  {protocol | object-group protocol_obj_group}   {source_addr  source_mask | object-group  network_obj_group} [operator
sport | object-group service_obj_group]
  {destination_addr destination_mask |object-group network_obj_group}
[operator dport | object-group service_obj_group] [log [[disable | default] | [level]]] [interval secs]] [time-range name]
[inactive]
show access-list 来验证， clear access-list acl_id counters 重置ACL计数器
——————————————————————————–
■思科ASA和PIX防火墙配置手册 第六章
六 配置Failover增加可用性

特性介绍：为了增强可用性，避免单点故障，提高性能等原因才引入了Failover的特性。Active-Standby是最初支持的一种特性，其中一台是

UR的许可，另一台为UR或者Failover-only的许可，FWSM缺省支持此中模式，在该模式下一个为Active工作状态，Standby只是监控Active的状

态而不工作，这样就在性能上虽然有两台设备但是并没有得到加强。在7.x以后由于引入了context的概念，这样Active-Active另一种Failover

的特性也出现了，在每个context下有自己的active和standby，配置每个设备在不同context下的角色从而使其都工作，也增加了性能，但是此

模式只被PIX515E，525,535和ASA平台支持。

6.1 配置Failover

确定主备用的设备：一种方式是通过不同的许可来决定，如果两者都是UR的许可，对于适用serial连接的根据线缆两端的主备用标识来决定，

如果适用lan的话使用下面的命令来决定，Firewall(config)# failover lan unit {primary | secondary}

配置lan使用的端口

FWSM 2.x Firewall(config)# failover interface ip if_name ip_address mask standby ip_address

PIX 6.x Firewall(config)# interface phy_if phy_speed

Firewall(config)# nameif phy_if if_name securitylevel

Firewall(config)# ip address if_name ip_address netmask

Firewall(config)# failover ip address if_name ip_address

PIX 7.x  Firewall(config)# interface phy_if

Firewall(config-if)# speed speed

Firewall(config-if)# duplex duplex

Firewall(config-if)# no shutdown

Firewall(config-if)# exit

Firewall(config)# failover interface ip if_name ip_address mask standby ip_address

定义用于Failover通讯的接口

FWSM 2.x Firewall(config)# failover lan interface if_name vlan vlan

PIX 6.x  Firewall(config)# failover lan interface if_name

PIX 7.x  Firewall(config)# failover lan interface if_name phy_if

也可以使用failover lan key key-string命令对通讯进行加密

failover lan enable 启用lan-based failover，FWSM缺省使用此模式，不需要此命令。

对于Active-Active模式需要在主设备的system execution space下配置Failover组，

Firewall(config)# failover group {1 | 2}

Firewall(config-fover-group)# {primary | secondary}

Firewall(config-fover-group)# preempt

对接口使用虚拟的MAC地址

PIX 6.x Firewall(config)# failover mac address if_name active_mac standby_mac

PIX 7.x (A-S) Firewall(config)# failover mac address phy_if active_mac standby_mac

PIX 7.x (A-A)  Firewall(config)# failover group {1 | 2}

Firewall(config-fover-group)# mac address phy_if  active_mac standby_mac

定义健康监控策略

PIX 6.x Firewall(config)# failover poll time

PIX 7.x Firewall(config)# failover polltime [unit] [msec] time [holdtime holdtime]

Firewall(config)# failover polltime interface time

Firewall(config)# failover interface-policy num[%]

Firewall(config)# monitor-interface if_name

保持HTTP的状态信息 Firewall(config)# failover replicate http

Firewall(config)# failover 启用Failover进程

6.2 管理Failover

show failover命令对状态进行监控，后面可以加state,lan, history,等参数。

(no)Failover active手动的对状态进行切换,重置一个失败的设备failover reset。对于不能同步的挂起设备使用failover reload-standby强

制重启。

6.3 升级Failover模式防火墙的OS镜像

见附录
——————————————————————————–
■思科ASA和PIX防火墙配置手册 第七章 
七 配置负载均衡

特性介绍：虽然使用Failover保证了高可用性，但是在流量分担上还有劣势，儘管7.x支持了A-A的模式，不过也仅仅只能是两台防火墙。真正

的负载均衡的实现有三种方式，第一为软件方式，使用6500平台上IOS SLB(Server Load Balancing)特性的一个子集FWLB来实现，第二为硬件

方式，在6500上配置CSM(Content Switching Module)来实现，最后一种为专属设备方式，思科的CSS(Content Services Switch)产品线的设备

来实现。要注意的是在配置负载均衡的时候要inside和outside同时配置，免得出现来回链路不同而被丢弃的情况。

7.1 配置软件实现 (只在6500 native ios模式下)

定义防火墙群的连接性 Router(config)# vlan vlan-id

Router(config)# interface vlan vlan-id

Router(config-if)# ip address ip-address subnet-mask

Router(config-if)# no shutdown

Router(config)# ip route inside-network subnet-mask fw-outside-address

定义针对每个防火墙失败的探测器 Router(config)# ip slb probe name ping

Router(config-slb-probe)# address ip-address

Router(config-slb-probe)# interval seconds

Router(config-slb-probe)# faildetect retry-count

定义防火墙群 Router(config)# ip slb firewallfarm firewallfarm-name

Router(config-slb-fw)# real ip-address

Router(config-slb-fw-real)# probe probe-name

Router(config-slb-fw-real)# inservice

Router(config-slb-fw-real)# weight weighting-value

定义特定的数据流到该防火墙群(只针对Outside)

Router(config-slb-fw)# access [source source-ip-address network-mask]

[destination destination-ip-address network-mask]

选择FWLB的方式 Router(config-slb-fw)# predictor hash address [port]

启用FWLB Router(config-slb-fw)# inservice

7.2 配置硬件实现

进入CSM负载均衡模式 Switch(config)# ip slb mode csm

选择CSM模块 Switch(config)# module csm slot-number

配置到离开防火墙群的连接性 Switch(config-module-csm)# vlan vlan-id client

Switch(config-slb-vlan-client)# ip address ip-address netmask

Switch(config-slb-vlan-client)# gateway ip-address

Switch(config-slb-vlan-client)# exit

配置到防火墙群的连接性 Switch(config-module-csm)# vlan vlan-id server

Switch(config-slb-vlan-server)# ip address ip-address netmask

Switch(config-slb-vlan-server)# alias ip-address netmask

Switch(config-slb-vlan-server)# route ip-address netmask gateway gw-ip-address

定义防火墙探测器 Switch(config-module-csm)# probe probe-name icmp

Switch(config-slb-probe-icmp)# interval seconds

Switch(config-slb-probe-icmp)# receive receive-timeout

Switch(config-slb-probe-icmp)# retries retry-count

Switch(config-slb-probe-icmp)# failed failed-interval

定义防火墙群 Switch(config-module-csm)# serverfarm serverfarm-name

Switch(config-slb-sfarm)# real ip-address

Switch(config-slb-real)# inservice

Switch(config-slb-sfarm)# predictor hash address {source | destination} 255.255.255.255

Switch(config-slb-sfarm)# no nat server

Switch(config-slb-sfarm)# probe probe-name

定义一个虚拟服务器来处理发往服务器群的流量

Switch(config-module-csm)# vserver virtual-server-name

Switch(config-slb-vserver)# serverfarm serverfarm-name

Switch(config-slb-vserver)# virtual ip-address [network-mask] any

Switch(config-slb-vserver)# vlan vlan-number

Switch(config-slb-vserver)# inservice

Switch(config-slb-vserver)# replicate csrp {sticky | connection}

定义一个通用服务器群处理离开防火墙群的流量

Switch(config-module-csm)# serverfarm serverfarm-name

Switch(config-slb-sfarm)# predictor forward

Switch(config-slb-sfarm)# no nat server

定义一个通用的虚拟服务器处理离开防火墙群的流量

Switch(config-module-csm)# vserver virtual-server-name

Switch(config-slb-vserver)# serverfarm serverfarm-name

Switch(config-slb-vserver)# virtual 0.0.0.0 0.0.0.0  any

Switch(config-slb-vserver)# vlan vlan-number

Switch(config-slb-vserver)# inservice

7.3 配置CSS实现

配置CSS的物理接口 (config) interface interface_name

(config-if) bridge vlan vlan-id (或者(config-if) trunk)

指定IP地址 (config) circuit circuit_name

(config-circuit) ip address ip_address subnet_mask

(config-circuit-ip) enable

配置缺省路由 (config) ip route 0.0.0.0 0.0.0.0 next-hop-address

定义防火墙群的防火墙 (config) ip firewall index local_firewall_address remote_firewall_address  remote_css_address

定义静态路由 (config) ip route ip_address subnet_mask firewall index distance

调整Keeplive时间 (config) ip firewall timeout seconds

验证命令 show ip firewall 防火墙状态，show ip routes firewall到防火墙的静态路由，show flows显示到防火墙的负载均衡连接。
——————————————————————————–
■思科ASA和PIX防火墙配置手册 第八章 
八、日志管理

8.1 时钟管理

定义时区 Firewall(config)# clock timezone zone-name hours [minutes]

定义夏令时 Firewall(config)# clock summer-time zone recurring [week weekday month

hh:mm week weekday month hh:mm] [offset]

Firewall(config)# clock summer-time zone date {day month | month day}

year hh:mm {day month | month day} year hh:mm [offset]

设置防火墙时钟 Firewall(config)# clock set hh:mm:ss {day month | month day} year

时钟验证 Firewall# show clock [detail]

指定NTP服务器 Firewall(config)# ntp server ip-address [key number] [source if-name]

[prefer]

配置NTP认证 Firewall(config)# ntp authentication-key key-number md5 value

Firewall(config)# ntp trusted-key key-number

Firewall(config)# ntp authenticate

NTP验证 show ntp, show ntp status, show ntp associations

8.2 日志配置

启用消息日志 Firewall(config)# logging on (7.x 用logging enable)

使用事件列表定义日志策略 (7.0特性)

Firewall(config)# logging list event_list level level [class event_class]

Firewall(config)# logging list event_list message start[-end]

根据不同日志级别定义目的位置 (7.0特性)

Firewall(config)# logging class event_class destination level [destination level] [destination level] …

发送日志到console Firewall(config)# logging console level

发送日志到telnet，ssh会话 Firewall(config)# logging monitor level

发送日志到buffer Firewall(config)# logging buffered level

发送日志到ftp (7.0特性) Firewall(config)# logging ftp-bufferwrap

Firewall(config)# logging ftp-server ftp_server path username password

发送日志到flash (7.0特性) Firewall(config)# logging flash-bufferwrap

Firewall(config)# logging flash-minimum-free kbytes_free

Firewall(config)# logging flash-maximum-allocation kbytes_max

发送日志到SNMP服务器 Firewall(config)# snmp-server host [if_name] ip_addr trap (7.x

Firewall(config)# snmp-server host if_name ip_addr TRap [community string] [version version] [udp-port port])

Firewall(config)# snmp-server enable traps {all | syslog}

Firewall(config)# logging history level

发送日志到Syslog服务器 Firewall(config)# logging trap level

Firewall(config)# logging device-id {hostname | ipaddress if_name | string text}

Firewall(config)# logging host if_name ip_address [protocol/port] [format emblem]

Firewall(config)# logging timestamp

Firewall(config)# logging queue queue_size (show logging queue验证)

Firewall(config)# logging facility facility

Firewall(config)# logging standby

发送日志到邮件 (7.x特性) Firewall(config)# logging mail {level | event-list}

Firewall(config)# smtp-server server_primary [server_secondary]

Firewall(config)# logging from-address from_email_address

Firewall(config)# logging recipient-address to_email_address [level level]

发送日志到ASDM Firewall(config)# logging asdm-buffer-size num_of_msgs

Firewall(config)# logging asdm {level | event-list}

验证 show logging

8.3 日志消息输出的微调

消息的修剪 Firewall(config)# no logging message message-number (show logging message 验证)

改变消息严重等级 Firewall(config)# logging message message-number [level level]

配置日志对ACL支持 Firewall(config)# access-list acl_name {permit | deny} … log [level] [interval seconds]

Firewall(config)# access-list deny-flow-max n

Firewall(config)# access-list alert-interval seconds

8.4 日志分析

对日志分析的软件

CS-MARS  (http://www.cisco.com)

Network  Intelligence Engine (http://www.network-intelligence.com)

Network Security Analyzer和FirewallAnalyzer Enterprise (http://www.eiqnetworks.com)

Sawmill Log Analyzer (http://www.sawmill.net)

CiscoWorks (http://www.cisco.com)
——————————————————————————–
■思科ASA和PIX防火墙配置手册 第九章
九、防火墙工作状态验证

9.1 防火墙健康检查

CPU负荷 Firewall# show cpu usage (show cpu usage context all 正常应该在80%以下)

Show processes显示防火墙当前活动进程，一般关注Process和Runtime。

内存利用 Firewall# show memory

Xlate 表大小 Firewall# show xlate count

Conn 表大小 Firewall# show conn count

防火墙流量 使用PDM，Syslog, show traffic来计算或者Perfmon计数器 Firewall# show perfmon  Firewall(config)# perfmon interval

seconds ,perfmon {verbose | quiet}

Inspection引擎和Service Policy  Firewall# show service-policy

Failover Firewall# show failover

端口状态 Firewall# show interface, 包队列状态 Firewall# show priority-queue statistics [if_name]

9.2 流经防火墙数据的监控

特性介绍 对于流经防火墙数据的监控有两种方式capture session和debug packet，两者区别在于前者可以后处理，多个进程，CPU和内存利用

率低，后者是实时显示，同时只能一个进程，且对资源利用率高，后者在7.x后已经不被支持。

配置Capture

配置兴趣流量的ACL Firewall(config)# access-list acl_id [line line-num] [extended] permit protocol {source_addr  source_mask

[operator sport] [destination_addr destination_mask [operator dport]]

配置Capture Firewall# capture capture_name [access-list acl_name] [ethernet-type type]

[interface if-name] [buffer bytes] [circular-buffer] [packet-length bytes]

(7.x支持type {raw-data | isakmp | asp-drop drop-reason}参数)

show capture显示当前的Capture会话，Firewall# show capture capture_name [access-list acl_name] [detail] [dump] 显示所抓包的信

息。Firewall# copy capture:capture-name tftp://server/path [pcap] 拷贝信息至TFTP，如果启用http后可以用

https://firewall_address/capture/capture_name[/pcap]通过Web来显示或者下载。

clear capture capture_name清空capture缓存但是保持会话，no capture capture_name interface if_name停止capture，从特定接口去除保

持会话和缓存，no capture capture_name彻底删除会话和缓存。

配置Debug模式 Firewall# debug packet if_name [src source_ip [netmask mask]] [dst dest_ip  [netmask mask]] [[proto icmp] |

[proto {tcp | udp} [sport src_port] [dport

dest_port]] [rx | tx | both]

9.3 验证防火墙的连接性

Ping测试 Firewall# ping [if_name] host [data pattern] [repeat count] [size bytes] [timeout seconds] [validate]

ARP缓存检查 show arp

路由表检查 show route

Traceroute测试 traceroute命令前提配置 Firewall(config)# access-list acl_name permit icmp any any eq echo

Firewall(config)# access-list acl_name permit icmp any any eq echo-reply

Firewall(config)# access-list acl_name permit icmp any any eq unreachable

Firewall(config)# access-list acl_name permit icmp any any eq time-exceeded

Firewall(config)# access-list acl_name permit udp any range 32768 65535 any range

33434 33523

Firewall(config)# access-list acl_name permit udp any dns_address eq domain (可选)

ACL检查  show access-group, show access-list

NAT验证  Firewall# show xlate [detail] [global | local ip1[-ip2] [netmask mask]] lport |

gport port[-port]] [interface if1[,if2][,ifn]] [state static [,dump]

[,portmap] [,norandomseq] [,identity]] [debug] [count]

Firewall# show xlate [{global | local} ip1[-ip2] [netmask mask]] [{lport | gport}

port[-port]] [interface if1[,if2][,ifn]] [state {static | portmap | identity |

norandomseq}] [debug] [detail]

Firewall# show conn [state state_type] [{foreign | local} ip1[-ip2] netmask mask]

[long] [{lport | fport} port1[-port2]] [protocol {tcp | udp}]

监控特定主机 Firewall# show local-host [ip_address] [all] [detail]

Firewall# clear xlate global global_ip [netmask mask] [gport global_port]

Firewall# clear xlate local local_ip [netmask mask] [lport local_port]

Firewall# clear xlate interface if_name_1[,if_name_2]

Firewall# clear xlate

超时参数Firewall(config)# timeout xlate hh[:mm[:ss]]

Firewall(config)# timeout conn hh[:mm[:ss]]

Firewall(config)# half-closed hh[:mm[:ss]]

Firewall(config)# udp hh[:mm[:ss]]

Shun检查 show shun， show shun statistics

用户认证检查 show uauth  show url-server stats

配置更新检查 启用AAA记录用户命令记录

本文仅供网络管理参考

一、       3550日常管理命令………………………………………………………………………….. 1
二、       密码恢复……………………………………………………………………………………….. 1
三、       VLAN配置…………………………………………………………………………………….. 4
四、       SPAN监听配置……………………………………………………………………………… 12
五、       DHCP服务配置…………………………………………………………………………….. 13
1.    在3550上配置DHCP服务………………………………………………………………. 13
2.    C3550配置作为DHCP中继代理………………………………………………………. 15
六、       流量控制……………………………………………………………………………………… 17
七、       策略路由……………………………………………………………………………………… 19

一、      3550日常管理命令
l         clear arp-cache清除ARP缓存
l         arp 192.168.100.22 000a.eb22.c1b5 arpa 绑定MAC和IP
l         sh ip accounting output-packets显示统计信息(当然需要配置统计功能如：ip accounting-transits 3200)
l         通过IP追查交换机端口：CiscoWorks 2000 LMS网管软件的User tracking可以追查一个IP地址对应的端口。sh mac-address-table address 00e0.9102.afd0 显示这个MAC地址在哪个接口出来的；sh mac-address-table interface Fa0/20显示20端口上的MAC地址，如果只有一个，则可能连接一个电脑，如果有很多个条目，则可以连接一个交换机。sh cdp entry  *显示邻居信息；
二、      密码恢复
下面步骤也适用于 Cisco 层 2 系列的交换机比如 Catalyst 2900/3500XL,2940,2950/2955和层 3 系列的比如 Catalyst 3550 的密码恢复.
通过终端或带有仿真终端程序(比如 Hyper Terminal)的 PC,连接到交换机的 console 对于Catalyst 2900/3500XL 拔下交换机的电源线,然后按住交换机的  Mode 按钮,再重新插上交换机的电源线.直到端口 Port 1x 的 LED 熄灭之后释放 Mode 按钮.Catalyst 2940/2950L 拔下交换机的电源线,然后按住交换机的  Mode  按钮,再重新插上交换机的电源线.直到 STAT 的 LED 熄灭之后释放 Mode 按
钮. Catalyst 2955 对于 2955 交换机,它没有外部的 Mode 按钮,因此就不能使用之前的那种方法来进行密码恢 复.在交换机启动时,对于 Windows 系列的 PC,按下 Ctrl+Break 键;对于 UNIX 系列的工 作站,按下 Ctrl+C.如下:
C2955  Boot  Loader  (C2955HBOOTM)  Version  12.1(0.0.514),  CISCO DEVELOPMENT TEST
VERSION
Compiled Fri 13Dec02 17:38 by madison
WSC2955T12 starting…
Base ethernet MAC Address: 00:0b:be:b6:ee:00
Xmodem file system is available.
Initializing Flash…
flashfs[0]: 19 files, 2 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories flashfs[0]: Total bytes: 7741440
flashfs[0]: Bytes used: 4510720 flashfs[0]: Bytes available: 3230720 flashfs[0]: flashfs
fsck took 7 seconds.
…done initializing flash.
Boot Sector Filesystem (bs:) installed, fsid: 3
Parameter Block Filesystem (pb:) installed, fsid: 4
/—接下来交换机会在 15 秒内自动启动,等出现该信息之后,按下 Ctrl+Break 键或 Ctrl+C
键—-/
The system has been interrupted prior to initializing the flash file system to finish
loading the operating system software:
flash_init load_helper bootswitch:
接下来输入 flash_init 命令: switch: flash_init Initializing Flash…
flashfs[0]: 143 files, 4 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories flashfs[0]: Total bytes: 3612672
flashfs[0]: Bytes used: 2729472 flashfs[0]: Bytes available: 883200 flashfs[0]: flashfs fsck
took 86 seconds
….done Initializing Flash.

Boot Sector Filesystem (bs:) installed, fsid: 3
Parameter Block Filesystem (pb:) installed, fsid: 4
switch:
接着输入 load_helper 命令: switch: load_helper switch:
再输入 dir flash:命令显示交换机的文件系统:
switch: dir flash: Directory of flash:/
2 rwx  1803357    c3500xlc3h2smz.1205.WC7.bin
4 rwx  1131    config.text
5 rwx  109      info
6 rwx  389      env_vars

7   drwx  640     html
18 rwx  109    info.ver
403968 bytes available (3208704 bytes used)
switch:
把配置文件重命名:
switch: rename flash:config.text flash:config.old switch:

输入 boot 命令启动交换机:
switch: boot
Loading
“flash:c3500xlc3h2smz.1205.WC7.bin”…####################
###########
######################
File “flash:c3500xlc3h2smz.1205.WC7.bin” uncompressed and installed, entry po

int: 0×3000

executing…
(略)

不进入 setup 模式:
System Configuration Dialog
At any point you may enter a question mark ‘?’ for help. Use ctrlc to abort configuration
dialog at any prompt. Default settings are in square brackets ‘[]’.
Continue with configuration dialog? [yes/no]: n
进入特权模式,恢复原始的配置文件:
Switch#rename flash:config.old flash:config.text
Destination filename [config.text] Switch#
把配置文件保存在内存里:
Switch#copy flash:config.text system:runningconfig
Destination filename [runningconfig]?
1131 bytes copied in 0.760 secs
Switch# 进入全局配置模式,取消密码设置: Switch(config)#no enable secret 保存配置:
Switch#write memory
Building configuration…
[OK] Switch#
三、      VLAN配置
我们现在是一个具备三层交换功能的核心交换机接几台分支交换机(不具备三层交换能力)。我们核心交换机名称为:cmlroot;分支交换机分别为
:hrswitch、misswitch、salesswitch，分别通过port 1的光线模块与核心交换机相连;并且vlan名称分别为hrlan、mislan、saleslan……

步骤如下：

　　1、设置vtp domain(核心、分支交换机上都设置)

　　2、配置中继(核心、分支交换机上都设置)

　　3、创建vlan(在server上设置)

　　4、将交换机端口划入vlan

　　5、配置三层交换

　　6、设置vtp domain。 vtp domain 称为管理域。

　　1、交换vtp更新信息的所有交换机必须配置为相同的管理域。如果所有的交换机都以中继线相连，那么只要在核心交换机上设置一个管理
域，网络上所有的交换机都加入该域，这样管理域里所有的交换机就能够了解彼此的vlan列表。

　　cmlroot#vlan database 进入vlan配置模式

　　cmlroot(vlan)#vtp domain cmlroot 设置vtp管理域名称 cmlroot

　　cmlroot(vlan)#vtp server 设置交换机为服务器模式

　　hrswitch#vlan database 进入vlan配置模式

　　hrswitch(vlan)#vtp domain cmlroot 设置vtp管理域名称cmlroot

　　hrswitch(vlan)#vtp client 设置交换机为客户端模式

　　misswitch#vlan database 进入vlan配置模式

　　misswitch(vlan)#vtp domain cmlroot 设置vtp管理域名称cmlroot

　　misswitch(vlan)#vtp client 设置交换机为客户端模式

　　salesswitch#vlan database 进入vlan配置模式

　　salesswitch(vlan)#vtp domain cmlroot 设置vtp管理域名称cmlroot

　　salesswitch(vlan)#vtp client 设置交换机为客户端模式

　　注意:
这里设置核心交换机为server模式是指允许在该交换机上创建、修改、删除vlan及其他一些对整个vtp域的配置参数，同步本vtp域中其他交换
机传递来的最新的vlan信息;client模式是指本交换机不能创建、删除、修改vlan配置，也不能在nvram中存储vlan配置，但可同步由本vtp域中
其他交换机传递来的vlan信息。

　　2、配置中继为了保证管理域能够覆盖所有的分支交换机，必须配置中继。

　　Cisco交换机能够支持任何介质作为中继线，为了实现中继可使用其特有的isl标签。isl(inter-switch link)是一个在交换机之间、交换
机与路由器之间及交换机与服务器之间传递多个vlan信息及vlan数据流的协议，通过在交换机直接相连的端口配置isl封装，即可跨越交换机进
行整个网络的vlan分配和进行配置。

　　在核心交换机端配置如下:

　　cmlroot(config)#interface gigabitethernet 2/1

　　cmlroot(config-if)#switchport

　　cmlroot(config-if)#switchport trunk encapsulation isl 配置中继协议

　　cmlroot(config-if)#switchport mode trunk

　　cmlroot(config)#interface gigabitethernet 2/2

　　cmlroot(config-if)#switchport

　　cmlroot(config-if)#switchport trunk encapsulation isl 配置中继协议

cmlroot(config-if)#switchport mode trunk

　　cmlroot(config)#interface gigabitethernet 2/3

　　cmlroot(config-if)#switchport

　　cmlroot(config-if)#switchport trunk encapsulation isl 配置中继协议

　　cmlroot(config-if)#switchport mode trunk

　　在分支交换机端配置如下:

　　hrswitch(config)#interface gigabitethernet 0/1

　　hrswitch(config-if)#switchport mode trunk

　　misswitch(config)#interface gigabitethernet 0/1

　　misswitch(config-if)#switchport mode trunk

　　salesswitch(config)#interface gigabitethernet 0/1

　　salesswitch(config-if)#switchport mode trunk

　　……

　　此时，管理域算是设置完毕了。

　　3、创建vlan

　　cmlroot(vlan)#vlan 10 name hrlan 创建了一个编号为10 名字为hrlan的 vlan

　　cmlroot(vlan)#vlan 11 name mislan 创建了一个编号为11 名字为mislan的 vlan

　　cmlroot(vlan)#vlan 12 name saleslan 创建了一个编号为12 名字为saleslan的 vlan

　　……

　　注意，这里的vlan是在核心交换机上建立的，其实，只要是在管理域中的任何一台vtp 属性为server的交换机上建立vlan，它就会通过vtp
通告整个管理域中的所有的交换机。但如果要将具体的交换机端口划入某个vlan，就必须在该端口所属的交换机上进行设置。

　　4、将交换机端口划入vlan

　　例如，要将hrswitch、misswitch、salesswitch……分支交换机的端口1划入hrlan vlan，端口2划入mislan vlan，端口3划入saleslan
vlan……

　　hrswitch(config)#interface fastethernet 0/1 配置端口1

　　hrswitch(config-if)#switchport access vlan 10 归属hrlan vlan

　　hrswitch(config)#interface fastethernet 0/2 配置端口2

　　hrswitch(config-if)#switchport access vlan 11 归属mislan vlan

　　hrswitch(config)#interface fastethernet 0/3 配置端口3

　　hrswitch(config-if)#switchport access vlan 12 归属saleslan vlan

　　misswitch(config)#interface fastethernet 0/1 配置端口1

　　misswitch(config-if)#switchport access vlan 10 归属hrlan vlan

　　misswitch(config)#interface fastethernet 0/2 配置端口2

　　misswitch(config-if)#switchport access vlan 11 归属mislan vlan

　　misswitch(config)#interface fastethernet 0/3 配置端口3

　　misswitch(config-if)#switchport access vlan 12 归属saleslan vlan

　　salesswitch(config)#interface fastethernet 0/1 配置端口1

　　salesswitch(config-if)#switchport access vlan 10 归属hrlan vlan

　　salesswitch(config)#interface fastethernet 0/2 配置端口2

　　salesswitch(config-if)#switchport access vlan 11 归属mislan vlan

　　salesswitch(config)#interface fastethernet 0/3 配置端口3

　　salesswitch(config-if)#switchport access vlan 12 归属saleslan vlan

　　……

　　5、配置三层交换

　　到这里，vlan已经基本划分完毕。但是，vlan间如何实现三层(网络层)交换呢?这时就要给各vlan分配网络(ip)地址了。给vlan分配ip地址
分两种情况，其一，给vlan所有的节点分配静态ip地址;其二，给vlan所有的节点分配动态ip地址(可参考DHCP配置部分)。

给vlan hrlan分配的接口ip地址为192.168.101.1/24，网络地址为:192.168.101.0，

　　vlan mislan 分配的接口ip地址为192.168.102.1/24，网络地址为:192.168.102.0，

　　vlan saleslan分配接口ip地址为192.168.34.1/24， 网络地址为192.168.34.0

　　给vlan所有的节点分配静态ip地址。

　　首先在核心交换机上分别设置各vlan的接口ip地址。核心交换机将vlan做为一种接口对待，就象路由器上的一样，如下所示:

　　cmlroot(config)#interface vlan 10

　　cmlroot(config-if)#ip address 192.168.101.254 255.255.255.0 vlan10接口ip

　　cmlroot(config)#interface vlan 11

　　cmlroot(config-if)#ip address 192.168.102.253 255.255.255.0 vlan11接口ip

　　cmlroot(config)#interface vlan 12

　　cmlroot(config-if)#ip address 192.168.34.254 255.255.255.0 vlan12接口ip

　　……

　　再在各接入vlan的计算机上设置与所属vlan的网络地址一致的ip地址，并且把默认网关设置为该vlan的接口地址。这样，所有的vlan也可以互访了。

　目前我们的配置如下：

interface Vlan1
ip address 192.168.100.254 255.255.255.0
interface Vlan2
ip address 192.168.5.253 255.255.255.0 sec
ip address 192.168.5.254 255.255.255.0
interface Vlan3
ip address 192.168.101.254 255.255.255.0
interface Vlan5
ip address 192.168.34.254 255.255.255.0
interface Vlan6
ip address 192.168.102.253 255.255.255.

四、      SPAN监听配置
1．在全局配置模式下：
dh(config)# monitor session 1 source interface fastethernet0/24 rx|tx|all
或dh(config)# monitor session 1 source interface vlan 1 -3 rx
配置要监听的端口或vlan,其中对于端口可以监听进、出或双向的数据包，而监听vlan 则只能监听进入的数据包
2.在全局配置模式下：
Sw(config)# monitor session 1 destination interface fastethernet0/23
配置监听终端要接入交换机的端口(destination port)
说明：一个monitor session 即为一个监听行为，source interface可以属与不同的vlan，在同一个monitor session中可以同时监听多个port
注：目前我们的3550的Fa0/24为连接防火墙的接口，Fa0/23为连接IDS主机的接口
五、      DHCP服务配置
1.        在3550上配置DHCP服务
各VLAN保留2-10的IP地址不分配置,例如:192.168.100.0的网段,保留192.168.100.2至192.168.100.10的IP地址段不分配. VLAN 3和VLAN 4 不允许互相访问,但都可以访问服务器所在的VLAN 2,
默认访问控制列表的规则是拒绝所有包.
/*VLAN 2可用地址池和相应参数的配置,有几个VLAN要设几个地址池*/
Switch(Config)Ip Dhcp Pool IP01
/*设置可分配的子网*/
Switch(Config-pool)Network 192.168.100.0 255.255.255.0
/*设置DNS服务器*/
Switch(Config-pool)Dns-server 192.168.100.16
/*设置该子网的网关*/
Switch(Config-pool)Default-router 192.168.100.254
/*配置VLAN 3所用的地址池和相应参数*/
Switch(Config)Ip Dhcp Pool IP02
Switch(Config-pool)Network 192.168.101.0 255.255.255.0
Switch(Config-pool)Dns-server 192.168.100.16
Switch(Config-pool)Default-router 192.168.101.254
/*配置VLAN 4所用的地址池和相应参数*/
Switch(Config)Ip Dhcp Pool IP03
Switch(Config-pool)Network 192.168.102.0 255.255.255.0
Switch(Config-pool)Dns-server 192.168.100.16
Switch(Config-pool)Default-router 192.168.102.253
第六步:设置DHCP保留不分配的地址
Switch(Config)Ip Dhcp Excluded-address 192.168.100.2 192.168.100.10
Switch(Config)Ip Dhcp Excluded-address 192.168.101.2 192.168.101.10
Switch(Config)Ip Dhcp Excluded-address 192.168.102.2 192.168.102.10
第七步:启用路由
/*路由启用后,各VLAN间主机可互相访问*/
Switch(Config)Ip Routing
第八步:配置访问控制列表
Switch(Config)access-list 103 permit ip 192.168.100.0 0.0.0.255 192.168.101.0 0.0.0.255
Switch(Config)access-list 103 permit ip 192.168.101.0 0.0.0.255 192.168.100.0 0.0.0.255
Switch(Config)access-list 103 permit udp any any eq bootpc
Switch(Config)access-list 103 permit udp any any eq tftp
Switch(Config)access-list 103 permit udp any eq bootpc any
Switch(Config)access-list 103 permit udp any eq tftp any
Switch(Config)access-list 104 permit ip 192.168.100.0 0.0.0.255 192.168.102.0 0.0.0.255
Switch(Config)access-list 104 permit ip 192.168.102.0 0.0.0.255 192.168.100.0 0.0.0.255
Switch(Config)access-list 104 permit udp any eq tftp any
Switch(Config)access-list 104 permit udp any eq bootpc any
Switch(Config)access-list 104 permit udp any eq bootpc any
Switch(Config)access-list 104 permit udp any eq tftp any
第九步:应用访问控制列表
/*将访问控制列表应用到VLAN 3和VLAN 4,VLAN 2不需要*/
Switch(Config)Int Vlan 3
Switch(Config-vlan)ip access-group 103 out
Switch(Config-vlan)Int Vlan 4
Switch(Config-vlan)ip access-group 104 out
第十步：结束并保存配置
Switch(Config-vlan)End
Switch#Copy Run Start
2.        C3550配置作为DHCP中继代理

3550配置dhcp，如果在每个vlan上仅配置一句“IP HELPER-ADDRESS DHCP服务器地址”后，客户机不能从DHCP服务器获取IP地址。 还需要启用DHCP中断功能：service dhcp 然后Ip Dhcp Relay Information Option即可

网络环境：一台3550EMI交换机，划分四个vlan,vlan1 为服务器所在网络，命名为server,IP地址段为192.168.100.0,子网掩码:255.255.255.0,网关:192.168.100.254,域服务器为windows 20003 server,同时兼作DHCP服务器，DNS服务器，IP地址为192.168.100.14,vlan2 IP地址段为192.168.101.0,子网掩码:255.255.255.0,网关:192.168.101.254命名为work01,vlan3 IP地址段为192.168.102.0,子网掩码:255.255.255.0,网关:192.168.102.253. vlan4 IP地址段为192.168.5.0,子网掩码:255.255.255.0,网关:192.168.5.253.
3550上端口1-8划到VLAN 2，端口9-16划分到VLAN 3,端口17-24划分到VLAN 4.

配置命令及步骤如下：

第一步：创建VLAN：
Switch>Vlan Database
Switch(Vlan)>Vlan 1 Name server
Switch(Vlan)>Vlan 2 Name work01
Switch(vlan)>Vlan 3 Name work02
Switch(vlan)>Vlan 4 Name work03

第二步：启用DHCP中继代理：
/*关键一步，若缺少以下两条命令，在VLAN中使用“IP HELPER-ADDRESS DHCP服务器地址”指定DHCP服务器，客户机仍然不能获得IP地址*/
Switch>Enable
Switch＃c onfig t
Switch(Config)Service Dhcp
Switch(Config)Ip Dhcp Relay Information Option

第三步：设置VLAN IP地址：
Switch(Config)>Int Vlan 1
Switch(Config-vlan)Ip Address 192.168.100.254 255.255.255.0
Switch(Config-vlan)No Shut
Switch(Config-vlan)Exit
其它相同
/*注意：由于此时没有将端口分配置到VLAN2，3，4，所以各VLAN会DOWN掉，待将端口分配到各VLAN后，VLAN会起来*/

第四步：设置端口全局参数
Switch(Config)Interface Range Fa 0/1 - 24
Switch(Config-if-range)Switchport Mode Access
Switch(Config-if-range)Spanning-tree Portfast

第五步：将端口添加到VLAN2，3，4中
/*将端口1-8添加到VLAN 2*/
Switch(Config)Interface Range Fa 0/1 - 8
Switch(Config-if-range)Switchport Access Vlan 2

/*将端口9-16添加到VLAN 3*/
Switch(Config)Interface Range Fa 0/9 - 16
Switch(Config-if-range)Switchport Access Vlan 3

/*将端口17-24添加到VLAN 4*/
Switch(Config)Interface Range Fa 0/17 - 24
Switch(Config-if-range)Switchport Access Vlan 4
Switch(Config-if-range)Exit

/*经过这一步后，各VLAN会起来*/

第六步：在VLAN3和4中设定DHCP服务器地址
/*VLAN 1中不须指定DHCP服务器地址*/
Switch(Config)Int Vlan 3
Switch(Config-vlan)Ip Helper-address 192.168.100.10
Switch(Config)Int Vlan 4
Switch(Config-vlan)Ip Helper-address 192.168.100.10

第七步:启用路由
/*路由启用后,各VLAN间主机可互相访问,若需进一步控制访问权限,则需应用到访问控制列表*/
Switch(Config)Ip Routing

第八步：结束并保存配置
Switch(Config-vlan)End
Switch#Copy Run Start

六、      流量控制
class-map match-all VOIP
  match access-group 115
class-map match-any APP
  match access-group 116
class-map match-any SHARE
  match access-group 117
!
!
policy-map qos
  class VOIP
    set ip precedence 5
  class APP
    set ip precedence 3
  class SHARE
    police 2048000 1600000 exceed-action drop
  class class-default
    set ip precedence 0
并在接口上应用：
interface FastEthernet0/48
description To Cisco Router 2610xm
no switchport
ip address 10.0.0.1 255.255.255.252
ip route-cache policy
duplex full
speed 10
service-policy input qos
访问控制列表如下：
access-list 115 permit ip host 192.168.4.250 host 192.168.100.178
access-list 116 permit ip any host 192.168.100.9
access-list 116 permit ip any host 192.168.100.103
access-list 116 permit ip any host 192.168.100.104
access-list 116 permit ip any host 192.168.100.30
access-list 117 permit tcp any any eq 445
access-list 117 permit tcp any any eq 139

七、      策略路由
对于192.168.101.0/24的网络，走ADSL上网
access-list 1 permit 192.168.101.0 0.0.0.255
route-map ADSL permit 10
match ip address 1
set ip default next-hop 192.168.100.249(ADSL路由器)

       网上关于Qos资料太多了，但很多不实用，讲了一大堆理论，下面是我们一子公司的路由器上的配置，供大家参考。其实，只要理解了NBAR、CBWFQ、WRED等意义，流量控制就可以随心配置。

说明：
       一家子公司使用2M专线上网，内部网段为192.168.23.0/24（普通员工）和192.168.24.0/24（总经办所在的VLAN），其中路由器IP地址为：192.168.23.1，内部cisco3560交换机IP为：192.168.23.254。现需要作流量控制，使总经办的流量比较优先，并优先传送一些声音与视频及网管流量。其它的服务如：smtp、pop3及ftp等为低优先级，并禁止bt下载等。

配置如下：
Current configuration : 3590 bytes
!
!
version 12.3
service timestamps debug datetime
service timestamps log datetime
service password-encryption
!
hostname xxxxxx
!
enable secret 5 $44adf#dfdfj090$on
!
clock timezone China 8
ip subnet-zero
no ip source-route
ip cef
!
!
ip name-server 192.168.23.2
ip name-server x.x.x.x
!
no ip bootp server
!
ip nbar pdlm flash:bittorrent.pdlm

class-map match-any premium_class
description For premium
match protocol http
match protocol icmp
match protocol netshow
match protocol pcanywhere
match protocol realaudio
match protocol secure-http
match access-group 111
注：以上有省略，嘿嘿!

class-map match-any normal_calss
description For normal
match protocol ftp
match protocol imap
match protocol pop3
match protocol smtp
match access-group 110

class-map match-any bt_download
description For drop
match protocol bittorrent
!
!
policy-map qos_policy_map

class premium_class
bandwidth percent 50
random-detect
random-detect exponential-weighting-constant 4
police cir 2000000 bc 10000 be 10000
conform-action transmit
exceed-action transmit

class normal_calss
bandwidth percent 25
random-detect
random-detect exponential-weighting-constant 4
police cir 2000000 bc 2000 be 2000
conform-action transmit
exceed-action drop

class bt_download
   drop

!
!
!
!
interface FastEthernet0/0
ip address 192.168.23.1 255.255.255.0
ip verify unicast reverse-path
ip nat inside
ip route-cache same-interface
ip route-cache policy
duplex auto
speed auto
no cdp enable
!
interface Serial0/0
bandwidth 2048
ip address 210.88.44.x 255.255.255.252
ip verify unicast reverse-path
no ip proxy-arp
ip nat outside
rate-limit input 2000000 20000 20000 conform-action transmit exceed-action drop
ip route-cache policy
service-policy output qos_policy_map
no cdp enable
!
ip nat inside source list 10 interface Serial0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 210.88.44.y

ip route 192.168.24.0 255.255.255.0 192.168.23.254
no ip http server

!
!
access-list 10 remark NAT
access-list 10 permit 192.168.23.0 0.0.0.255
access-list 10 permit 192.168.24.0 0.0.0.255

access-list 110 remark normal
access-list 110 permit ip 192.168.23.0 0.0.0.255 any

access-list 111 remark premium
access-list 111 permit ip 192.168.24.0 0.0.0.255 any

no cdp run

!
banner motd ^cml system router !!!^C
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
password 7 121A0C0411045D5D7C
login
!
!
!
end

注：互联网带宽为2M，故WRED中的指数加权因子为4，最小阀值为5，最大阀值为17，标记几率分母为1。

前言：
       这里是几个月前在网上转载很多的CCIE面试题，题虽然不难，但如果没有在电信或cisco代理商工作过，仅仅凭书面的知识还是回答不全的。下面是网上的参考答案加上我的一点点补充，以后有时间再补充，先贴出来供大家参考，也让从事相关技术的人自我测试一下。

1.       现在的6509及7609，SUP720交换带宽去到720G，是不是可以说7609/6509 可以取代一部分GSR的地位？
答：从某一部分功能来说是可以的。6509以前主要定位于公司企业局域网核心交换机，而GSR定位于广域网高速核心路由设备。7609的SUP720可以提供720G的高速交换能力，MSFC3和PFC3提供高速路由处理能力和大量FEATURE，再加上现在7600系列上的新的SIP+SPA高速线速板卡，完全可以胜任核心路由设备的工作，最适合作汇聚和业务提供路由器。而随着技术的发展，CRS-1的出现，GSR逐渐从核心往骨干汇聚发展，作为各种高低速线路的汇聚，在这方面7609和GSR都可以。但7609和GSR在体系结构上还是有根本不同，7609是从交换机发展而来，GSR在内部是将数据分解为标准的信元交换，在队列和调度方面也有不同，所以说作为纯核心路由器来说还是GSR更好，因为它经过多年的考验。从价格来说7609还是比较贵的，而GSR某些时候还要便宜。
2.       isis level1 的路由表包括哪此路由？有多个level-1-2出口时，其它路由它从哪里学到，如何选路？
答：ISIS level1和level2 维护LSD和SPF，LEVEL1的路由表是由LEVEL1 LSD通过SPF计算所得，只包括本地AREA的详细路由和与之连接的LEVEL-1-2通过ATT位发来的缺省路由。当有多个LEVEL12是，每个LEVEL12通过对发出的LSP包中的ATT位置1，表示其有到其它AREA的路由，而当LEVEL1路由器收到此LSP是选择最近的LEVEL12路由器转发流量。
3.       MPLS L3 VPN，如果我想让两个不同的VPN作单向互访，怎做？
答：如果是两个VPN的互通，可以将两个VPN的路由信息输出到相同的一个RT，并都导入，可实现互通。如果要单向访问，可建立一个公共VPN，导出两个VPN的RT，两个VPN都可以对公共VPN实现访问。
4.       跨域的MPLS L3 VPN可以谈谈思路吗？
答：RFC2547bis和最新的rfc4364都对其有定义，主要有三种。Option A B C：
Option A： back to back vrf 互连。两个AS间通过VRF 间的背对背的连接，路由可以选择静态或动态路由，这种方法简单实用，适于不同运营商间的连接。
Option B ：MeBGP vpnv4连接两个AS间通过ASBR间建立MeBGP vpnv4，VPN路由通过MBGP承载，具有较好的可扩展性。
Option C： RR间多跳MeBGP两个AS间建立MEBGP，但不是在ASBR上，是在两个AS各自的RR间，这样有较好的可扩展性，灵活性。但较复杂。要解决下一跳问题有标签问题。
5.       MPLS L3 VPN的一个用户，他有上internet的需求，如何实现？有几种实现方法？特点各是什么？
答：有三种。
1、通过VPN访问internet. 传统做法是：设置一个集中的防火墙通过NAT实现INTERNET访问，简单易实现，只是不能对INTERNET流量和VPN流量进行区分，安全存在问题。或者在PE路由器上配置PACK LEAKING 实现。
2、独立的INTERNET访问向每个VPN SITE 提供独立的INTERNET连接线路，由CE路由器实现NAT到INTERNET。要求PE路由器向CE提供独立的线路或虚电路，PE路由器要有访问INTERNE的能力。优点是能将VPN流量和INTERNET流量分开。
3、 通过单独的VPN实现INTERNET连接，建立一个单独的VPN，将INTERNET缺省路由和部分路由注入，在需要INTERNET访问SIET相连的PE路由器上实现VPN互通，从而访问INTERNET。比较复杂，但可支持各种INTERNET访问要求。建议采用这种
6.       L3 VPN与L2 VPN各自的特点是怎样？你觉得哪一种模式运营起来比较有前景？
答：L3 VPN 的PE路由器需要维护客户VPN的路由信息，要实现各VPN的路由选择和维护，而L2 VPN只在客户间建立透明的二层通道，不维护三层的信息，相对没有L3 VPN复杂。L3 VPN已经在现实环境中应用多年，比较成熟，适合多SITE的复杂的用户，MPLS L2 VPN用于替代传统的二层FR、ATM等技术，适合点到点的互连或少量SITE的连接。L2 VPN由于维护较方便，性价比高，最近几年应发展迅速，而传统的L3 VPN也不会在短时间淘汰。
7.       ISIS与OSPF的区别谈一谈吧，各个方面。
答：它们有很多共同之处，都是链路状态路由协议，都使用SPF算法，VSLM 快速会聚。从使用的目的来说没有什么区别。从协议实现来说OSPF其于TCP/ ip协议簇，运行在IP层上，端口号89；ISIS基于ISO CLNS，设计初是为了实现ISO CLNP路由，在后来加上了对IP路由的支持。从具体细节来说：
1：区域设计不同，OSPF采用一个骨干AREA0与非骨干区域，非骨干区域必须与AREAO连接。ISIS由L1 L2 L12路由器组成的层次结构，它使用的LSP要少很多，在同一个区域的扩展性要比OSPF好。
2 OSPF有很多种LSA，比较复杂并占用资源，而ISIS的LSP要少很多，所以在CPU占用和处理路由更新方面，ISIS要好一些。
3 isis 的定时器允许比OSPF更细的调节，可以提高收敛速度。华为、Cisco网络技术论坛
4 OSPF数据格式不容易增加新的东西，要加，就需要新的LSA，而ISIS可以很容易的通过增加TLV进行扩展，包括对IPV6等的支持。
5 从选择来说，ISIS更适合运营商级的网络，而OSPF非常适合企业级网络。
8.       一个骨干网或城域网选ISIS及OSPF基于什么理由？
答：从可用性来说，两种IGP协议都可以，但对于具体情况，经过分析，可能得出选哪种协议更优一些：
l         从稳定和可靠性来看：骨干网要求路由协议的高稳定性和可靠性，以及快速收敛。OSPF协议是基于IP层的，所以其只能支持IP网络，且网络上一些基于IP的攻击会影响到OSPF的正常运行。ISIS是直接运行在链路层上的，其可以承载多种网络类型，且在预防网络攻击方面也有一些天然的优势。
l         从支持的网络规模来看：OSPF、ISIS都有网络分层的概念，也都有区域的概念，OSPF有骨干区域0和分支区域，ISIS有相应的Level2、Level1的概念。OSPF有普通区域、Stub区域、Total Stub区域、NSSA区域等区域类型，而IS-IS 从功能上看它就是一个OSPF 的简化版本，只实现了骨干区（LEVEL2） 和STUB 区(LEVEL1)，由于其LEVEL1访问其他区域网络是采用到最近的L1/L2 路由器方式，容易产生路由次优化问题, 这样某些组网时就需要借助其他的方法来实现某些功能，如：在构建MPLS VPN的过程中就需要采用路由渗透，造成实现和维护复杂。由于ISIS计算路由的时候采用PRC计算，ip前缀作为最短 生成树的叶子节点，而OSPF是围绕链路建立的，在相同大小的区域，ISIS比OSPF更加稳定且消耗资源少，相比OSPF支持的网络规模更大。
l         从灵活性来看：OSPF协议比较灵活，协议是基于接口的，支持的网络类型全面，且技术成熟，在城域网中，使用IGP用来传播用户路由，组网设备杂，关注的是协议的灵活性兼容性，以及能否满足大量用户复杂路由控制的需求，这些是OSPF 的强 项，建议使用OSPF。对于新维护方面OSPF协议在城域网中得到了广泛的应用，尤其是早期的网络维护人员对OSPF协议相当熟悉；
l         从扩展性来看：ISIS结构严谨，运行稳定，IS-IS路由器只能属于一个区域，并且不提供对NBMA、P2MP接口的直接支持。ISIS可扩展性更好：ISIS能支持多种网络层协议（ OSPF仅支持IP协议）；ISIS区域能平滑地平移、分割、合并，流量不中断；ISIS是基于TLV的，协议本身扩展容易。最近几年，在各大运营商的骨干网络中大量使用了ISIS协议，在选取协议时，需要考虑原有网络中运行的是何种协议，如目前某些运营商在骨干层次采用ISIS，而在城域网内部采用OSPF协议，为了保护网络的延续性，在选取协议类型时需要予以考虑。新建的网络，如果所有设备都支持ISIS，可以考虑ISIS。
9.       BGP选路原则常用是哪些？在骨干网与城域网间如何搭配一块使用？
答：BGP有很多属性，用于路由选择的有9个左右，常用的有LCAL PREFERENCE,AS-PATH,MED,METRIC,COMMUNITY这几个。在骨干网与城域网连接中，骨干网向城域网发送缺省路由或部分明细路由，城域网将本地路由信息发到骨干网上。接收路由主要通过设置lcoal preference控制上行流量分担，如果骨干网发过来的明细路由带有MED，也可以通过MED值控制。发布出去的路由通过MED AS PATH控制回程流量的分担。发布路由可以设置COMMUNITY表示路由起源。在有多条出口链路时通过BGP实现流量分担。
10.   如果BGP加上max path，会在哪个BGP选路属性之前应用这个选项？
答：在最后一个BGP router id之前。
11.   为什么骨干网pop及城域网出口要作next-hop-self？
答：骨干网与城域网之间通过EBGP连接，而城域网收到的骨干网路由在发给内部IBGP邻居时不会改变路由的下一跳，下一跳的地址为骨干网设备地址，而IBGP内部路由器也没有其路由信息，所有 路由下一跳不可达，只有在城域网RR将路由发给IBGP邻居时要加next-hop-self，改变路由的下一跳，路由才可达。
12.   两个AS之间，有四台路由器口字型互联，其中一台路由器上从EBGP学到一个网络，又从IBGP学到同一个网络，选路哪个？是哪个属性影响？如果我在IBGP过来那个加上MED小于从EBGP过来的，又选哪个？为什么？
答：选EBGP那一条，如果加了MED，则选MED低的那个。
13.    local-pre与weight的区别是什么？
答：Weight 是CISCO专有的，LOCAL-PRE是公认必遵的BGP属性。Weight 只在本地ROUTER上有用，不可传递；而LOCAL-PRE用于一个AS内部，可在整个AS内传递。它们都是数值大的路由选中，而CISCO路由器中WEIGHT决策在LOCAL-PRE前。
14.   BGP能不能实现负载均衡？如果可以，有哪些方法？
答：可以。对于EBGP可以通过设置EBGP-MULTIHOP，通过相等的IGP METRIC实现。对于IBGP可以通过配置muximum-paths，使其在等值的IGP METRIC链路上实现。
15.   多个AS之间，可不可以比较MED？如可以，需要前提条件吗？如有，前提条件是什么？
答：默认是不比较来自不同AS的路由的MED值，但可设置bgp always-compare-med使其对来自不同AS的路由的MED值进行比较。
16.   MED能不能和AS内的IGP度量值结合起来？如可以，如何做？
答：设置Med的route-map 配置set metric internal
17.   割接限定回退的时间还有十分钟，割接还未成功，局方已经催你回退了，但你觉得这些问题你再努力5分钟可能会解决，你的选择是什么？
答：立即回退
18.   骨干网的QoS，如何部署？你认为什么骨干网什么情况下是有拥塞发生了？
答：对于电信级骨干网，轻载是骨干网上实现QOS的最好方法，保持流量低于带宽的50%，在需要时增加带宽，并且通过控制接入的流量在稳定的范围内。也可以对流量进行简单的分类，通过DIFF-SERV实现不同流量的QOS，对于复杂的QOS需求，可以使用TE实现。对于企业级骨干网，WAN链路为较低速率，此时可通过DIFF-SERV实现QOS，但如果流量已达到90%以前，QOS的实施对整个网络质量不能很好的改善。一般而言，在网络设备能全线速和BUFFER足够的情况一下，骨干网一般用POS接口，骨干网流量达到50%以上就应规划增加带宽，达到60%就比较紧张，70%网络质量可能开始下降，80%就有拥塞发生了。可以通过延迟和延迟抖动测试出来。
19.   对于工程及维护来说，你觉得L3网络和L2网络哪个比较好？
答：对于工程实施来说，L2网络简单。对于网络管理来说，L3要可控一些。
20.    L3网络与L2网络对环路的处理各是什么样的机制？
答：L3网络通过运行的路由协议的算法保证形成一个无环的拓扑。L2是通过STP 实现
21.   一般情况下，L2交换机的生成树有多少数量？
答：2950 支持64个PVST+ instances 16个 MST  3550 是 128WH pvst+instances  65个MST
22.   3550的生成树模式是什么？生成树数量是怎样的？
答：支持128个PVST+,65个MST，都支持PVST 和MSTP。
23.   跟据你的经验，GE的端口，当流量达到多少时，你可以认为是有拥塞发生了？2.5G POS口，当流量达到多少时，你可以认为有拥塞？
答：对于GE端口，如果流量达到900M时可视为发生拥塞，而对于POS口，如果硬件板卡都是线速，并且BUFFER足够，当流量达到达2G左右时可视为发生拥塞.。

Posted by Chris Barnes on Friday, June 15, 2007

This is a step by step tutorial that should take most of a day. I’m posting this here mostly as a reminder so that I can come back and read it when I need to build another firewall but hopefully it will be helpful to someone else also. If you find this tutorial useful or if you find anything wrong with it, send me an email hammockintahiti@gmail.com.

Install FreeBSD

Download the disc 1 and disc 2 from ftp://ftp.freebsd.org/pub/FreeBSD/releases/i386/ISO-IMAGES/6.2

Burn the iso images to cds and boot the target machine with disc 1.

Start a Standard installation.

Highlight any partitions and hit “d” to delete them, then hit “a” to use the entire disk, then hit “q” to continue.

Choose Standard for no boot manager.

Create partitions. You can adjust the sizes of the partitions based on the size of your drive. The /usr/local and /usr/home partitions can go as low as 128MB since this won’t be a common-user system and there won’t be a lot of user-specific files or binaries…but the /usr partition should never go below 2,000MB since that’s where all of your kernel source code and ports tree is located. Here’s a partition scheme if you have a 6GB drive:

486MB swap partition (or at least 2x your RAM)
512MB file system mounted as /
512MB file system mounted as /tmp
1267MB file system mounted as /var
3115MB file system mounted as /usr
128MB file system mounted as /usr/local
128MB file system mounted as /usr/home

Press q to continue.

Highlight Kern-Developer and press space bar.

When asked about installing the ports collection choose yes.

Highlight exit and press enter.

Choose CD/DVD as the install media.

Last Chance, are you sure? Yes

When you see Congradulations, hit ok.

FreeBSD Post-Install configuration

Would you like to configure any ethernet or SLIP/PPP network devices? Yes

Highlight your device that is connected to the internet and press enter.

Do you want to try IPv6? No

Do you want to try DHCP? Yes

Verify network info and update if necessary.

Do you want this machine to function as a gateway? Yes

Do you want to configure inetd and the network services that it provides? No

Would you like to enable SSH login? Yes

Do you want to have anonymous FTP access to this machine? No

Do you want to configure this machine as an NFS Server: No

Do you want to configure this machine as an NFS Client: No

Would you like to customize your system console settings? No

Would you like to set this machine’s time zone now? Yes

Is your machine’s CMOS clock is set to UTC? No

Select the appropriate time zone - by region, country, and then the applicable time zone.

Would you like to enable Linux Binary compatibility? No

Does your system have a PS/2, serial, or bus mouse? Yes (unless, of course, it doesn’t…)

Would you like to browse the ports collection? Yes

Install cvsup and bash

cvsup will be used to keep your system up to date.

Highlight net and press enter.

Highlight cvsup-without-gui and press space bar.

Tab to ok and press enter.
bash is a shell that we will use instead of the default sh

Highlight shells and press enter.

Highlight bash-2 and press space bar.

Tab to ok and press enter.
Tab to Install and press enter.

Review your selections and press enter to install.

Would you like to add any user accounts? Yes (we need at least one so we can dis-allow root ssh access and require you to login as an unprivilaged user and su to root)

Highlight User and press enter.

Type the username, password, full name, and make the member group 0. (this is important so that your new user will be in the ‘wheel’ group and they will be able to su to root. Also make the login shell /usr/local/bin/bash (I will create a user with the username admin so if you do the same you can follow the rest of this tutorial verbatim, otherwise just change admin to your username every time I use it later.

Set the root password.

Would you like to visit the general configuration menu for a chance to set any last options? Yes

Go to network then ntupdate and choose a server near you.

Highlight exit and press enter. (do this twice to get to the main menu)

Tab over to Exit Install and hit enter.

(System Reboots)

Make “bash” the default shell for ‘root’ and perform an initial set up of root’s bash environment.

Log in as your non-privaleged user account. You should see a ‘bash-2.05b$’ prompt…indicating that bash was successfully installed. After you log in, then type ’su’ to switch user to root. Enter the root password.

Type vipw and press enter.

Change the default shell from /bin/csh (at the end of the first line) to /usr/local/bin/bash.

If you like, you can change root’s unoffical name from ‘Charlie &’ to ‘Super-User’ or whatever you like. When you get mail from root, it will be marked as being from the name that you enter here.

Verify that your changes are successful. Press -F2 to get another terminal, then log in as root. Verify that you’re presented with the ‘bash-2.05b#’ prompt. If you are, then log out and go back to the 1st virtual terminal to continue working. If you don’t see the bash prompt, then you need to go back to the previous step and figure out what you did wrong.
Create a file named .bashrc in /root that contains the following.

umask 077
PS1="[u@h W]\$ "
alias ls='ls -alFG'

Also create a file named .bash_profile in /root that contains the following.

PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin:$HOME/bin; export PATH
umask 077
PS1="[u@h W]\$ "
alias ls='ls -alFG'

Change the permissions on both files.

chmod 600 .bashrc
chmod 600 .bash_profile

Test your settings again at the 2nd virtual terminal. Log in as root, verify you’re using the bash shell, your cursor line looks different (it has your userid and current working directory), and that you have colorized directory listings. Close that session, return to the 1st virtual terminal, log out, and log back in and su to root.

Copy the files to your non privilaged user change the ownership of the new copies.

cp /root/.bashrc /usr/home/admin/.bashrc
cp /root/.bash_profile /usr/home/admin/.bash_profile
chown admin /usr/home/admin/.bashrc
chown admin /usr/home/admin/.bash_profile

Redirect root’s email to your email account.

vi /etc/aliases

Uncomment # root: me@my.domain and change me@mydomain to your email address.

Save and exit.

Update the email alias database.

newaliases

Configure cvsup and update your source tree & ports collection.

After you configure cvsup and update your source and ports collection, you will want to re-run cvsup every once in a while to ensure your sources are up to date, then recompile your kernel & system binaries to ensure you are using the latest versions with security patches applied.

cp /usr/share/examples/cvsup/stable-supfile /etc
chmod 600 /etc/stable-supfile
vi /etc/stable-supfile

Type “:set num” in vi to see line numbers

Change line 68 to point to a CVS server near you. Here you’ll find a list of CVSup servers http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cvsup.html#CVSUP-MIRRORS. I ususlly go with cvsup2 or 3 because the main site reaches the maximum number of simultaneous users often.

Add these lines at the bottom of the file:

ports-net tag=CHANGE_THIS.FreeBSD.org
ports-shells tag=CHANGE_THIS.FreeBSD.org

Syncronize your source tree with the CVS server…should take 30-60 minutes

cvsup /etc/stable-supfile

Configure a custom kernel with support for ph, phsync, pflog, and carp

cd /usr/src/sys/i386/conf
cp GENERIC FIREWALL
vi FIREWALL

In line 2 of the file (part of the main comment block) change the word, GENERIC, to your hostname, FIREWALL.

On line 19 of the file (still part of the main comment block), change the word, GENERIC, to your hostname, FIREWALL

On lines 22-24, comment out the “cpu” lines so that only the one for your specific chip is left.

On line 25, change the value of the ident parameter so that it’s your hostname, FIREWALL

Add the following lines to the bottom of the file.

# pf support
device pf
device pfsync
device pflog
device carp

Recompile your kernel to the updated stable version. (make buildworld will take about an hour and make buildkernel will take about 20 minutes)

[root@firewall /]# cd /usr/src
[root@firewall src]# echo "KERNCONF=FIREWALL" >> /etc/make.conf
[root@firewall src]# make buildworld
[root@firewall src]# make buildkernel
[root@firewall src]# make installkernel

Configure the SSH daemon and your user’s DSA key files.

Modify the SSH daemon configuration file, /etc/ssh/sshd_config, so that it reads as follows. The modified lines are in red. I’m using port 8081 for ssh access instead of the usual port 21. In the past I have had issues with hackers trying to use brute force tactics on my standard ports if they were open.

Port 8081
Protocol 2
#AddressFamily any
ListenAddress 192.168.1.1 # Put your internal interface’s address here
#ListenAddress :: 

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
LogLevel VERBOSE

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
StrictModes yes
#MaxAuthTries 6

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Change to yes if you don’t trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
IgnoreUserKnownHosts yes
# Don’t read the user’s ~/.rhosts and ~/.shosts files
IgnoreRhosts yes

# Change to yes to enable built-in password authentication.
PasswordAuthentication no
PermitEmptyPasswords no

# Change to no to disable PAM authentication
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to ‘no’ to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of “PermitRootLogin without-password”.
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to ‘no’.
UsePAM no

AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
AllowUsers admin # Substitute your non-privilaged user for admin

Generate an SSH key (version 2) for your user, by performing the following steps:

[root@firewall /root]# su - admin          *** substitute your non-privileged userid for 'admin'
[admin@firewall admin]$ ssh-keygen -d   *** then accept the default DSA key name & enter a passphrase (twice)

Add the public copy of your user’s version 2 key to their own authorized_keys file by typing the following steps:

[admin@firewall admin]$ cd .ssh
[admin@firewall .ssh]$ cat id_dsa.pub > authorized_keys

Copy your user’s private & public keys to other systems that you’ll be using to SSH to your new firewall from. By default, the private & public key go into a user’s ‘.ssh’ directory on those systems. Without the private key on those remote systems, your firewall will not accept connections from them. If you’re new to FreeBSD and need to know how to access the floppy drive, follow the following steps.

[root@firewall root]# mkdir /mnt/floppy                     # This will make an empty mount point to mount the floppy to
[root@firewall root]# mount -t msdosfs /dev/fd0 /mnt/floppy # Insert a DOS-formatted floppy before you do this
[root@firewall root]# cd /mnt/floppy
[root@firewall floppy]# cp /home/admin/.ssh/id_dsa* .       # Copies all of your user's ssh key info to the floppy
[root@firewall floppy]# ls                                  # List the contents of the floppy to verify the files are there
[root@firewall floppy]# cd ..
[root@firewall mnt]# umount /mnt/floppy                     # Unmount the floppy

Now that you’ve copied your user’s private & public keys to another system, remove them from your user’s .ssh directory on the firewall. This is only a precaution so that it can’t be stolen by a hacker and compromised.

Open up your /etc/hosts.allow file, delete all of the lines, and ensure that it reads as follows. Note that 192.168.1.0 is the address space of your internal network in this example. If you’re using a different internal address space (e.g. 10.10.10.0), then make the appropriate modifications.

# hosts.allow access control file for "tcp wrapped" applications.
ALL : localhost 127.0.0.1 : allow
sshd : 192.168.1.0/255.255.255.0 : allow
ALL : ALL : deny
# If you want to allow a specific computer on the Internet to SSH into your
# system, replace the 'sshd' line above with one like this...but subsitute
# the X.X.X.X and subnet mask to suit your needs (e.g. one computer, entire subnet
# etc.). Also, make sure you allow inbound SSH from that same host/subnet
# in your /etc/ipf.rules file.
# sshd : 192.168.1.0/255.255.255.0 X.X.X.X/255.255.255.255 : allow

Install and configure AIDE (Advanced Intrusion Detection Environment)

[root@firewall /root]# cd /usr/ports/security/aide
[root@firewall aide]# make install clean
[root@firewall aide]# cp /usr/local/etc/aide.conf.sample /var/db/aide/aide.conf
[root@firewall aide]# cd /var/db/aide
[root@firewall aide]# aide --init
[root@firewall aide]# mv databases/aide.db.new databases/aide.db

Create a cron job to check the integrity of your system every Sunday at 4AM:

[root@firewall /root]# cd /etc
[root@firewall /etc]# vi crontab

Add the following line to the file:

0   4   *   *   7    root   /usr/local/bin/aide --check

Restrict crontab access/usage

Create the file /var/cron/allow and add the following lines to it. Be sure to substitute ‘newuser’ for whatever your non-privileged user account is.

root
newuser

Edit /etc/crontab and comment out the ‘at’ job that runs every 5 minutes.

*/5 * * * * root /usr/libexec/atrun

Chmod your /etc/crontab file so that it is only readable by root.

[root@firewall /etc]# chmod 600 /etc/crontab

Edit your /etc/rc.conf to look like this

This is my rc.conf file. Your network interfaces will be named differently if you have different cards (e.g. xl0 and xl1 are 3com network cards in my machine and rl0 is an integrated NE2000 network card)

icmp_drop_redirects="YES"
ntpdate_enable="YES"
ntpdate_flags="north-america.pool.ntp.org"
sshd_enable="YES"
usbd_enable="YES"
syslogd_flags="-ss"
sshd_flags="-4"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
kern_securelevel_enable="YES"
kern_securelevel="2"
dhcpd_enable="YES"
gateway_enable="YES"
defaultrouter="208.180.xxx.xxx"
hostname="dell_firewall"
network_interfaces="xl0 xl1 rl0 lo0 pfsync0"
cloned_interfaces="carp0 carp1 carp2"

# Loopback Interface
ifconfig_lo0="inet 127.0.0.1"

# External Public Interface (for the secondary firewall use a different public ip.)
ifconfig_xl0="208.180.xxx.xxx"

# External Public Carp Interface
ifconfig_carp0="208.180.xxx.xxx vhid 1 pass foo"
ifconfig_carp0_alias0="208.180.xxx.xxx vhid 1 pass foo"
ifconfig_carp0_alias1="208.180.xxx.xxx vhid 1 pass foo"

# Internal Interface (for the secondary firewall change the ip address to 192.168.1.251)
ifconfig_xl1="192.168.1.250"

# Internal Carp Interface
ifconfig_carp1="192.168.1.1 vhid 2 pass foo"

# Heartbeat Interface (for the secondary firewall, change the ip address to 10.10.10.251)
ifconfig_rl0="10.10.10.250"

#Heartbeat Carp Interface
ifconfig_carp2="10.10.10.1 vhid 3 pass foo"

# PFSync Interface
ifconfig_pfsync0="up syncif rl0"

Add the following lines to the bottom of /etc/sysctl.conf

Type ifconfig with no parameters to view your network configuration. Each real interface should have a line that says status: active when the ethernet cable is plugged in. If any of them do not, then preempt will not work. Note that the changes we made to rc.conf do not show up because we have not rebooted yet.

net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1

# if one interface fails then all will fail over
net.inet.carp.preempt=1

net.inet.tcp.sendspace=65536
net.inet.tcp.recvspace=65536

Configure the main firewall /etc/pf.conf

################################################################################
# Macro and lists
################################################################################
lop_if  ="lo0"
pfs_if  ="dc0"
ext_if  ="xl0"
int_if  ="xl1"
ext_carp ="carp0"

dns_srv  = "{ 208.180.xxx.xxx, 208.180.xxx.xxx }"
int_fw   = "{ 208.180.xxx.xxx 192.168.1.1 }"
chat_srv = "{ 192.168.1.119 }"

# Allowed incoming ICMP types
icmp_types = "{ echorep, echoreq, timex, paramprob, unreach code needfrag }"

# Private networks (RFC 1918)
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

mail_ports         = "{ 25, 110 }"
web_ports          = "{ www, https }"
ftp_ports          = "{ 8084 9000 9001 }"
firewall_ssh_ports = "{ 8081 }"
web_ssh_ports      = "{ 8082 }"
chat_ports         = "{ 8080 }"
dns_ports          = "{ 53 }"

################################################################################
# Options, scrub and NAT
################################################################################
set block-policy drop
set skip on $lop_if

scrub in

# NAT outgoing connections
nat on $ext_if from $int_if:network to any -> $ext_if

################################################################################
# Redirection
################################################################################
rdr on $ext_if proto tcp from any to $ext_carp port $chat_ports -> $chat_srv
rdr on $ext_if proto tcp from any to $ext_carp port $ftp_ports -> 192.168.1.80
rdr on $ext_if proto tcp from any to $ext_carp port $mail_ports -> 192.168.1.80
rdr on $ext_if proto tcp from any to $ext_carp port $web_ssh_ports -> 192.168.1.80
rdr on $ext_if proto tcp from any to 208.180.xxx.xxx port $web_ports -> 192.168.1.80
rdr on $ext_if proto tcp from any to 208.180.xxx.xxx port $web_ports -> 192.168.1.81
rdr on $ext_if proto tcp from any to 208.180.xxx.xxx port $web_ports -> 192.168.1.82

################################################################################
# Filtering Rules
################################################################################
block log all
antispoof quick for $int_if

pass in quick on $ext_if inet proto tcp from 208.180.xxx.xxx to $int_fw port $firewall_ssh_ports keep state

pass in quick on $int_if inet proto udp from any to any port 123 keep state
pass out quick on $ext_if inet proto udp from any to any port 123 keep state

pass quick on $pfs_if proto pfsync
pass quick proto carp

block in quick on $ext_if from $priv_nets to any
block out quick on $ext_if from any to $priv_nets

pass in quick on $ext_if inet proto tcp from any to $int_if:network port $mail_ports 
     synproxy state
pass out quick on $int_if inet proto tcp from any to $int_if:network port $mail_ports 
     keep state
pass in quick on $int_if inet proto tcp from $int_if:network port $mail_ports to any 
     keep state
pass out quick on $ext_if inet proto tcp from $int_if:network port $mail_ports to any 
     modulate state

pass in  quick on $ext_if inet proto tcp from any to $int_if:network port $web_ports 
     synproxy state
pass out quick on $int_if inet proto tcp from any to $int_if:network port $web_ports 
     keep state

pass in quick on $ext_if inet proto tcp from any to $chat_srv port $chat_ports 
     synproxy state
pass out quick on $int_if inet proto tcp from any to $chat_srv port $chat_ports 
     keep state

pass in  quick inet proto icmp all icmp-type $icmp_types
pass out quick inet proto icmp all

pass in quick on $int_if inet proto { tcp, udp } from $int_if:network to $dns_srv port domain keep state

pass out quick on $ext_if inet proto { tcp, udp } from { $ext_if $int_if:network} to $dns_srv port domain keep state

pass in  quick on $int_if inet proto tcp from $int_if:network to any port $web_ports
pass out quick on $ext_if inet proto tcp from { $ext_if $int_if:network } to any port $web_ports 
     modulate state

Configure the system to mount partitions restrictive

Modify the /etc/fstab file with vi so that we can change how each partition is mounted…to ensure that hackers can do at little as possible if they (by chance alone) hack the box. Essentially, we’re restricting some of the partitions so that they are ‘nosuid’, ‘noexec’, and ‘ro’. The original /etc/fstab should look something like this. Yours might look a little different…the first column (device names) might be a little different, but that’s OK. The stuff we’ll be modifying is in the 4th column.

# Device    Mountpoint  FStype  Options   Dump  Pass#
/dev/ad0s1b none        swap    sw        0     0
/dev/ad0s1a /           ufs     rw        1     1
/dev/ad0s1d /tmp        ufs     rw        2     2
/dev/ad0s1f /usr        ufs     rw        2     2
/dev/ad0s1h /usr/home   ufs     rw        2     2
/dev/ad0s1g /usr/local  ufs     rw        2     2
/dev/ad0s1e /var        ufs     rw        2     2
/dev/acd0   /cdrom      cd9660  ro,noauto 0     0

First, copy the original /etc/fstab file to /etc/fstab.original
Then, make another copy of the /etc/fstab file and call it /etc/fstab.restrictive
Then, modify the /etc/fstab.restrictive file so that it reads as follows:

# Device    Mountpoint  FStype  Options                 Dump  Pass#
/dev/ad0s1b none        swap    sw                      0     0
/dev/ad0s1a /           ufs     rw,nosuid               1     1
/dev/ad0s1d /tmp        ufs     rw,noexec,nosuid,nodev  2     2
/dev/ad0s1f /usr        ufs     ro                      2     2
/dev/ad0s1h /usr/home   ufs     rw,noexec,nosuid        2     2
/dev/ad0s1g /usr/local  ufs     ro,nosuid               2     2
/dev/ad0s1e /var        ufs     rw,noexec,nosuid        2     2
/dev/acd0   /cdrom      cd9660  ro,noauto               0     0

Next, copy your new /etc/fstab.restrictive file and over-write the original /etc/fstab…so that your “real” fstab file has the restrictive settings, and you have the two other config files available (the original and restrictive one).

[root@firewall etc]# cp /etc/fstab.restrictive /etc/fstab

This will make adding new software, etc. much more difficult since /usr and /usr/local are mounted read-only. This means that programs which try to install their user-land programs in /usr/local/bin will fail during their install programs. And cvsup…which will try to update the kernel’s source code in /usr/src and the ports in /usr/ports…well, they’re now read-only because they fall under /usr. So, mounting your partitions in a very restrictive way will limit what the hacker can do on your system, but it makes software installs and kernel upgrades more difficult (or impossible…if the partitions are still mounted in a restrictive way).

Given that, if you want to add new software or upgrade the kernel & ports tree source code, you’ll need to

1. Change the partition’s mounting in /etc/fstab back to their original values by copying your /etc/fstab.original file to /etc/fstab.
2. Bump the kernel security level back down to “1″ by setting the kern_securelevel paramater in your /etc/rc.conf file, and then
3. Reboot the machine (this will not cause downtime because the secondary firewall will take over while this machine is rebooting)
4. Update your sources with cvsup, then make buildworld, make buildkernel, and make installworld

Then when you’re done upgrading, recompiling, and installing, do the steps in reverse:

1. Change the partition’s mounting in /etc/fstab to their restrictive values by copying your /etc/fstab.restrictive file to /etc/fstab.
2. Bump the kernel security level back up to “2″ by setting the kern_securelevel paramater in your /etc/rc.conf file, and then
3. Reboot the machine

This is the price you pay for a VERY, VERY secure machine. Reboot the machine so we can finish the job…

[root@firewall /etc]# shutdown -r now

If the system doesn’t reboot, it means that you probably made an error in the kernel configuration file…possibly setting the wrong type of CPU. DON’T PANIC. We can still boot the machine so that you can fix the error. To boot into the original version of the kernel, following the steps, below:

1. Reboot the machine (power off, then on)
2. When you reboot the machine and get to the bootloader screen, select option 6, “Escape to loader prompt”. This will give you an “OK” prompt at the bottom of the screen. Boot from your “old” kernel.
   

   OK unload
   OK boot /boot/kernel.old/kernel

3. After the old kernel boots, you’ll want to copy the “old” kernel to a safe place before you recompile a new kernel. This is an important thing to do since “kernel.old” is overwritten when you install a new kernel. To do this, type the following commands:
   

   [root@firewall /]# cp -R /boot/kernel.old /boot/kernel.good

   If subsequent kernel compiles still don’t work, you can always manually boot off your good kernel from the “OK” prompt until you resolve the problem…just substitute “kernel.good” for “kernel.old” in the commands listed above.

4. Now that you’ve saved a copy of your “good” kernel, modify your kernel configuration file and fix whatever was causing the problems, recompile & install, and then reboot and continue with the next step.

After the system comes back up, you’ll want to re-generate the AIDE database and replace the old one. Since you updated the kernal and all of the system binaries, the AIDE database signatures of those files is out of date. If you don’t update the AIDE database, AIDE will find thousands of “changes” to the system binaries when it runs for the first time at 4AM in the morning. To update the database so that it has signatures for the newest kernel & system binaries, etc, just type the following commands:

[root@firewall /]# cd /var/db/aide
[root@firewall aide]# aide --init
[root@firewall aide]# mv databases/aide.db.new databases/aide.db

After you do this you should have a completely working firewall.