Articles in the Network category

CUBIC TCP: the TCP congestion control algorithm that most Linux systems use by default today (RFC 8312)


Google BBR (Bottleneck Bandwidth and Round-trip propagation time)
Google has deployed BBR on the GCP platform: TCP BBR congestion control comes to GCP

What is BBR?
BBR ("Bottleneck Bandwidth and Round-trip propagation time") is a new congestion control algorithm developed at Google. Congestion control algorithms — running inside every computer, phone or tablet connected to a network — decide how fast to send data.
How does a congestion control algorithm make this decision? The internet has largely used loss-based congestion control since the late 1980s, relying only on indications of lost packets as the signal to slow down. This worked well for many years, because internet switches’ and routers’ small buffers were well-matched to the low bandwidth of internet links. As a result, buffers tended to fill up and drop excess packets right at the moment when senders had really begun sending data too fast.

But loss-based congestion control is problematic in today's diverse networks:

In shallow buffers, packet loss happens before congestion. With today's high-speed, long-haul links that use commodity switches with shallow buffers, loss-based congestion control can result in abysmal throughput because it overreacts, halving the sending rate upon packet loss, even if the packet loss comes from transient traffic bursts (this kind of packet loss can be quite frequent even when the link is mostly idle).
In deep buffers, congestion happens before packet loss. At the edge of today's internet, loss-based congestion control causes the infamous “bufferbloat” problem, by repeatedly filling the deep buffers in many last-mile links and causing seconds of needless queuing delay.
We need an algorithm that responds to actual congestion, rather than packet loss. BBR tackles this with a ground-up rewrite of congestion control. We started from scratch, using a completely new paradigm: to decide how fast to send data over the network, BBR considers how fast the network is delivering data. For a given network connection, it uses recent measurements of the network's delivery rate and round-trip time to build an explicit model that includes both the maximum recent bandwidth available to that connection, and its minimum recent round-trip delay. BBR then uses this model to control both how fast it sends data and the maximum amount of data it's willing to allow in the network at any time.
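The model described in that paragraph, as an added Python example (not code from the original post, from Google, or from the Linux BBR implementation): a windowed max filter over recent delivery-rate samples gives BtlBw, a windowed min filter over recent round-trip times gives RTprop, and their product is the bandwidth-delay product that bounds how much data BBR keeps in flight. The sample values, the window sizes and the class and function names are all constructed for illustration.

```python
from collections import deque

# Constructed ACK-round samples: (time in s, delivery rate in bytes/s, RTT in s).
# Assumption: one sample per round trip; the values are made up so the filters
# are easy to follow. From t=0.2 the RTT inflates while the delivery rate stays
# flat: a queue is building in a deep buffer, which loss-based control cannot
# see until the buffer finally overflows.
SAMPLES = [
    (0.0, 1_000_000, 0.050),
    (0.1, 1_200_000, 0.052),
    (0.2, 1_250_000, 0.060),
    (0.3, 1_240_000, 0.080),
    (0.4, 1_260_000, 0.120),
]

BTLBW_WINDOW_ROUNDS = 10   # max delivery rate over roughly the last 10 round trips
RTPROP_WINDOW_S = 10.0     # min RTT over roughly the last 10 seconds


class BbrModel:
    """Windowed max filter (BtlBw) and min filter (RTprop) as in the BBR paper.

    The real implementation also runs a state machine (STARTUP, DRAIN, PROBE_BW,
    PROBE_RTT) with per-phase gains; only the network model itself is shown here.
    """

    def __init__(self):
        self.rate_samples = deque()   # (round number, delivery rate in bytes/s)
        self.rtt_samples = deque()    # (timestamp in s, rtt in s)
        self.round = 0

    def update(self, now, delivery_rate, rtt):
        self.round += 1
        self.rate_samples.append((self.round, delivery_rate))
        while self.rate_samples[0][0] <= self.round - BTLBW_WINDOW_ROUNDS:
            self.rate_samples.popleft()
        self.rtt_samples.append((now, rtt))
        while self.rtt_samples[0][0] < now - RTPROP_WINDOW_S:
            self.rtt_samples.popleft()

    @property
    def btlbw(self):
        return max(rate for _, rate in self.rate_samples)

    @property
    def rtprop(self):
        return min(rtt for _, rtt in self.rtt_samples)

    def bdp_bytes(self):
        # Bandwidth-delay product: what fits in the pipe without queuing anywhere.
        return self.btlbw * self.rtprop

    def cwnd_bytes(self, gain=2.0):
        # BBR caps data in flight at cwnd_gain * BDP (2 in the published design).
        return gain * self.bdp_bytes()

    def pacing_rate(self, gain=1.0):
        # Sends are paced at pacing_gain * BtlBw instead of being released in bursts.
        return gain * self.btlbw

    def queue_delay_s(self, inflight_bytes):
        # Anything beyond the BDP can only sit in a buffer; this is the delay it adds.
        return max(0.0, inflight_bytes - self.bdp_bytes()) / self.btlbw


def run(samples=SAMPLES):
    model = BbrModel()
    for t, rate, rtt in samples:
        model.update(t, rate, rtt)
    return model


if __name__ == "__main__":
    m = run()
    print(f"BtlBw={m.btlbw:.0f} B/s  RTprop={m.rtprop * 1000:.0f} ms  "
          f"BDP={m.bdp_bytes():.0f} B  cwnd={m.cwnd_bytes():.0f} B")
```

On the constructed samples the RTT rises from 50 ms to 120 ms while the delivery rate stays near 1.26 MB/s, so the model keeps RTprop at 50 ms and the BDP at 63 kB; queue_delay_s() shows that holding 2×BDP in flight adds 50 ms of buffer delay, which is the deep-buffer case above where congestion is visible long before any packet is lost.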

The BBR paper I found: BBR-Congestion-Based-Congestion-Control.pdf

SNMP versions
There are v1, v2c and v3.
V1 uses a plaintext community string. The biggest downsides are that it does not support 64-bit counters, only 32-bit counters, and that it has little security.
V2c, like V1, uses a plaintext community string; it adds support for 64-bit counters. SNMPv2c is a sub-version of SNMPv2. Its key advantage over previous versions is the Inform command. Unlike Traps, which are simply received by a manager, Informs are positively acknowledged with a response message. If a manager does not reply to an Inform, the SNMP agent will resend the Inform.
V3 can be configured with user authentication and with encryption of the data while it is in transit on the network.
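To make "plaintext community" concrete, here is an added Python example that encodes an SNMPv1/v2c GetRequest with the BER rules of RFC 1157 and RFC 3416 and then decodes the version and community string back out of the raw bytes, the way a capture of UDP/161 traffic would expose them. It is not code from the original post nor from Net-SNMP or any SNMP library; the community string "public", the request id and all function names are assumptions for the example.

```python
SNMP_V1, SNMP_V2C = 0, 1      # version field values (v3 uses 3 and a different message layout)
GET_REQUEST = 0xA0            # context-specific constructed tag [0] = GetRequest-PDU


def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(value):
    """INTEGER, non-negative values only (enough for version, request-id and error fields)."""
    body = value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True)
    return tlv(0x02, body)


def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_get_request(community, oids, request_id=1, version=SNMP_V2C):
    """Message ::= SEQUENCE { version INTEGER, community OCTET STRING, data GetRequest-PDU }"""
    # each VarBind is SEQUENCE { name OBJECT IDENTIFIER, value NULL } in a request
    varbinds = b"".join(tlv(0x30, tlv(0x06, encode_oid(o)) + b"\x05\x00") for o in oids)
    pdu = tlv(GET_REQUEST,
              ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbinds))
    return tlv(0x30, ber_int(version) + tlv(0x04, community.encode()) + pdu)


def read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def community_from_wire(packet):
    """What a passive observer recovers from a v1/v2c message: the version and the community."""
    tag, body, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, pos = read_tlv(body, 0)
    tag, community, _ = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community OCTET STRING expected")
    return int.from_bytes(version, "big", signed=True), community.decode()


if __name__ == "__main__":
    # sysUpTime.0 with the constructed community "public"
    pkt = build_get_request("public", ["1.3.6.1.2.1.1.3.0"])
    print(pkt.hex())
    print(community_from_wire(pkt))
```

A v3 message has a different layout (msgGlobalData, security parameters and an optionally encrypted scoped PDU), so this decoder recovers nothing useful from it; that difference is the reason to prefer v3 with authentication and privacy, or at least to keep v1/v2c communities read-only and limited to specific management addresses.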

SNMP operations
The commonly used ones are Get, GetNext, Set and Trap.
A read-only (ro) community or username/password cannot use the Set operation.
A read-write (rw) one can use all operations.

SNMP ports
SNMP uses UDP (IP protocol 17) port 161.
SNMP traps use UDP port 162 (when a system component or configuration changes, the SNMP daemon proactively sends a notification to the management platform).

SNMP OID structure [image source: Paessler AG]

SNMP v1 defines a special TRAP message format, different from other messages (such as GET). http://tools.ietf.org/html/rfc1157#page-27
This message format is not used any more in SNMP v2 and v3. If an SNMP agent sends out such TRAP messages for v2 or v3, that can be a bug. Since v2, TRAP starts to use the common message format (the same as GET and so on). So it is called SNMPv2-Trap-PDU. http://tools.ietf.org/search/rfc3416#page-22 SNMP v3 introduces the security model to all messages, so TRAP receives such update too. It is still based on SNMPv2-Trap-PDU.

Some issues with SNMP trap configuration on Debian-based systems
When starting the snmp daemon, the log reports:

  /etc/snmp/snmpd.conf: line 145: Warning: Unknown token: defaultMonitors.
  /etc/snmp/snmpd.conf: line 147: Warning: Unknown token: linkUpDownNotifications.
Edit /etc/default/snmpd:
- comment out the "export MIBS=" line:
    #export MIBS=
- remove ",mteTrigger,mteTriggerConf" from the SNMPDOPTS line:
    SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -g snmp -I -smux -p /run/snmpd.pid'
- install snmp-mibs-downloader; it downloads a bunch of MIBs in its postinst:
    sudo apt install snmp-mibs-downloader

Commonly used OIDs on RHEL

Network Interface Statistics
List NIC names: .1.3.6.1.2.1.2.2.1.2
Get Bytes IN: .1.3.6.1.2.1.2.2.1.10
Get Bytes IN for NIC 4: .1.3.6.1.2.1.2.2.1.10.4
Get Bytes OUT: .1.3.6.1.2.1.2.2.1.16
Get Bytes OUT for NIC 4: .1.3.6.1.2.1.2.2.1.16.4

CPU Statistics
Load
1 minute Load: .1.3.6.1.4.1.2021.10.1.3.1
5 minute Load: .1.3.6.1.4.1.2021.10.1.3.2
15 minute Load: .1.3.6.1.4.1.2021.10.1.3.3

CPU times
percentage of user CPU time: .1.3.6.1.4.1.2021.11.9.0
raw user cpu time: .1.3.6.1.4.1.2021.11.50.0
percentages of system CPU time: .1.3.6.1.4.1.2021.11.10.0
raw system cpu time: .1.3.6.1.4.1.2021.11.52.0
percentages of idle CPU time: .1.3.6.1.4.1.2021.11.11.0
raw idle cpu time: .1.3.6.1.4.1.2021.11.53.0
raw nice cpu time: .1.3.6.1.4.1.2021.11.51.0

Memory Statistics
Total Swap Size: .1.3.6.1.4.1.2021.4.3.0
Available Swap Space: .1.3.6.1.4.1.2021.4.4.0
Total RAM in machine: .1.3.6.1.4.1.2021.4.5.0
Total RAM used: .1.3.6.1.4.1.2021.4.6.0
Total RAM Free: .1.3.6.1.4.1.2021.4.11.0
Total RAM Shared: .1.3.6.1.4.1.2021.4.13.0
Total RAM Buffered: .1.3.6.1.4.1.2021.4.14.0
Total Cached Memory: .1.3.6.1.4.1.2021.4.15.0

Disk Statistics
Add the following line to snmpd.conf and restart (it monitors all partitions and disks, with 10% as the minimum free-space threshold):
includeAllDisks 10%
Disk OIDs
Path where the disk is mounted: .1.3.6.1.4.1.2021.9.1.2.1
Path of the device for the partition: .1.3.6.1.4.1.2021.9.1.3.1
Total size of the disk/partition (kBytes): .1.3.6.1.4.1.2021.9.1.6.1
Available space on the disk: .1.3.6.1.4.1.2021.9.1.7.1
Used space on the disk: .1.3.6.1.4.1.2021.9.1.8.1
Percentage of space used on disk: .1.3.6.1.4.1.2021.9.1.9.1
Percentage of inodes used on disk: .1.3.6.1.4.1.2021.9.1.10.1

System Uptime: .1.3.6.1.2.1.1.3.0

Lookup of IANA-assigned enterprise OIDs: https://www.iana.org/assignments/enterprise-numbers/enterprise-numbers
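As an added Python example (not code from the original post or from Net-SNMP), this computes an interface rate from two polls of the ifInOctets OID listed above and handles the Counter32 wrap that the note about 32-bit counters in the SNMP versions section refers to. The two snmpget-style output lines and the 60-second interval are constructed; the Counter64 OID ifHCInOctets comes from the IF-MIB ifXTable and is only reachable through v2c/v3, which is an assumption about the agent.

```python
import re

# Counter32 ifInOctets from the list above, and its Counter64 twin in the IF-MIB
# ifXTable (assumption: the agent exposes IF-MIB and is polled with v2c or v3).
IF_IN_OCTETS = ".1.3.6.1.2.1.2.2.1.10"
IF_HC_IN_OCTETS = ".1.3.6.1.2.1.31.1.1.1.6"

# Constructed snmpget-style output for two polls 60 s apart; the Counter32
# value wrapped between them (4294000000 -> 1500000).
POLL_A = "IF-MIB::ifInOctets.4 = Counter32: 4294000000"
POLL_B = "IF-MIB::ifInOctets.4 = Counter32: 1500000"
INTERVAL_S = 60

_COUNTER_RE = re.compile(r"=\s*Counter(32|64):\s*(\d+)\s*$")


def oid_for(ifindex, bits=32):
    """Instance OID to poll for one interface, e.g. .1.3.6.1.2.1.2.2.1.10.4 for NIC 4."""
    base = IF_IN_OCTETS if bits == 32 else IF_HC_IN_OCTETS
    return f"{base}.{ifindex}"


def parse_counter(line):
    """Return (value, width_bits) from a 'name = CounterNN: value' output line."""
    m = _COUNTER_RE.search(line)
    if not m:
        raise ValueError(f"no counter value in: {line!r}")
    return int(m.group(2)), int(m.group(1))


def counter_delta(prev, cur, bits):
    """Octets transferred between two polls, correct across at most one wrap."""
    return (cur - prev) % (1 << bits)


def rate_bps(prev_line, cur_line, interval_s):
    prev, bits = parse_counter(prev_line)
    cur, bits2 = parse_counter(cur_line)
    if bits != bits2:
        raise ValueError("counter widths differ between polls")
    return counter_delta(prev, cur, bits) * 8 / interval_s


def seconds_to_wrap(link_bps, bits=32):
    """How long a saturated link needs to wrap a counter of this width."""
    return (1 << bits) * 8 / link_bps


def poll_interval_is_safe(link_bps, interval_s, bits=32):
    """The modular delta is only unambiguous if the counter cannot wrap twice
    inside one poll interval, so the interval must be shorter than the wrap time."""
    return interval_s < seconds_to_wrap(link_bps, bits)


if __name__ == "__main__":
    print(oid_for(4), f"{rate_bps(POLL_A, POLL_B, INTERVAL_S):.0f} bit/s across the wrap")
    for link in (100e6, 1e9, 10e9):
        print(f"{link / 1e6:.0f} Mbit/s: Counter32 wraps every {seconds_to_wrap(link):.1f} s, "
              f"Counter64 every {seconds_to_wrap(link, 64):.3g} s")
```

seconds_to_wrap() shows why the counter width matters: a saturated 1 Gbit/s interface wraps a Counter32 in about 34 seconds, so a 5-minute poll can wrap more than once and the delta is no longer meaningful, whereas a Counter64 at the same rate takes centuries; that is the practical reason to poll ifHCInOctets over v2c/v3 on fast links rather than ifInOctets over v1.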

TTCP requires Cisco IOS® Software Version 11.2 or higher and Feature
Sets IP Plus (is- images) or Service Provider (p- images). Note: The
ttcp command is a hidden, unsupported, privileged mode command. As
such, its availability may vary from one Cisco IOS software release to
another, such that it might not exist in some releases. Some
platforms, for instance, require the Cisco IOS Enterprise feature set
in order to perform this activity.

It can be run router-to-router or router-to-PC.

customer-dialin-sj>ttcp 
transmit or receive [receive]: transmit 
Target IP address: 10.1.1.52 
perform tcp half close [n]: 
use tcp driver [n]: 
send buflen [8192]:            # buffer length
send nbuf [2048]: 50           # number of buffers
bufalign [16384]: 
bufoffset [0]: 
port [5001]: 
sinkmode [y]: 
buffering on writes [y]: 
show tcp information at end [n]:
ttcp-t: buflen=8192, nbuf=50, align=16384/0, port=5001 tcp ->10.1.1.52
ttcp-t: connect (mss 1460, sndwnd 4096, rcvwnd 4128) 

Result

ttcp-t: buflen=8192, nbuf=50, align=16384/0, port=5001 tcp -> 10.1.1.52
ttcp-t: connect (mss 1460, sndwnd 4096, rcvwnd 4128)
ttcp-t: 409600 bytes in 84544 ms (84.544 real seconds) (~3 kB/s) +++
ttcp-t: 50 I/O calls
ttcp-t: 0 sleeps (0 ms total) (0 ms average)
Since it is most common to evaluate connect speeds in kbps (kilobits per second, or 1000 bits per second) rather than KBps (kilobytes per second, or 1024 bytes per second), we must use the information from TTCP to calculate the bit rate (in kbps). Use the number of bytes received and the transfer time to calculate the actual bit rate for the connection. Calculate the bit rate by converting the number of bytes into bits and then dividing this by the time for the transfer. In this example, the Windows PC received 409600 bytes in 84.94 seconds. We can calculate the bit rate to be (409600 bytes * 8 bits per byte) divided by 84.94 seconds = 38577 BPS or 38.577 kbps.

Reference: Using Test TCP (TTCP) to Test Throughput

ICMP Record Route reverse-path tracing records at most 9 hops and uses IP Option 7 (see "More IP Options").

r4#trace 150.1.5.5
Type escape sequence to abort.
Tracing the route to 150.1.5.5
  1 155.1.45.5 4 msec
    155.1.0.5 4 msec *
r4#
r4#ping
Protocol [ip]:
Target IP address: 150.1.5.5
Repeat count [5]: 2
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]: record
Number of hops [ 9 ]:
Loose, Strict, Record, Timestamp, Verbose[RV]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 150.1.5.5, timeout is 2 seconds:
Packet has IP options:  Total option bytes= 39, padded length=40
 Record route: <*>
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)

Reply to request 0 (4 ms).  Received packet has options
 Total option bytes= 40, padded length=40
 Record route:
   (155.1.45.4) <-s0/1
   (150.1.5.5)  <-destination
   (155.1.45.5) <-return path
   (155.1.45.4) <*>
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
 End of list

Reply to request 1 (8 ms).  Received packet has options
 Total option bytes= 40, padded length=40
 Record route:
   (155.1.0.4) <-s0/0
   (150.1.5.5) <-destination
   (155.1.0.5) <-return path
   (155.1.0.4) <*>
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
 End of list

Success rate is 100 percent (2/2), round-trip min/avg/max = 4/6/8 ms
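An added Python example (not from the original post or from Cisco IOS) that builds and parses the IP Record Route option (type 7) as it appears in the reply above; it makes the "at most 9 hops" limit and the "Total option bytes= 39, padded length=40" figures explicit. The addresses are taken from the first reply in the output; the function names and the constructed REPLY_0 bytes are assumptions for the example.

```python
import ipaddress

IPOPT_EOL, IPOPT_NOP, IPOPT_RR = 0, 1, 7
MAX_IP_OPTIONS_BYTES = 40          # IHL is 4 bits: at most a 60-byte header, minus 20 fixed bytes
RR_HEADER = 3                      # type, length, pointer
MAX_RR_HOPS = (MAX_IP_OPTIONS_BYTES - RR_HEADER) // 4   # nine 4-byte slots = 39 bytes


def build_record_route(addresses, slots=MAX_RR_HOPS):
    """Build the options area as a reply carries it: filled slots, zeroed free slots,
    then EOL padding to a 32-bit boundary (the 'padded length=40' in the ping output)."""
    if len(addresses) > slots:
        raise ValueError("more addresses than slots")
    body = b"".join(ipaddress.IPv4Address(a).packed for a in addresses)
    body += b"\x00" * (4 * (slots - len(addresses)))
    length = RR_HEADER + 4 * slots
    pointer = RR_HEADER + 1 + 4 * len(addresses)   # 1-based offset of the next free slot
    option = bytes([IPOPT_RR, length, pointer]) + body
    return option + bytes([IPOPT_EOL]) * (-len(option) % 4)


def parse_record_route(options):
    """Walk the options area; for a Record Route option return (recorded addresses,
    free slots). Returns None if there is no Record Route option."""
    pos = 0
    while pos < len(options):
        kind = options[pos]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            pos += 1
            continue
        length = options[pos + 1]
        if length < 2 or pos + length > len(options):
            raise ValueError("malformed option length")
        if kind == IPOPT_RR:
            pointer = options[pos + 2]
            slots = (length - RR_HEADER) // 4
            used = min(slots, (pointer - RR_HEADER - 1) // 4)
            data = options[pos + RR_HEADER:pos + length]
            recorded = [str(ipaddress.IPv4Address(data[4 * i:4 * i + 4])) for i in range(used)]
            return recorded, slots - used
        pos += length
    return None


# Constructed from the first reply above: the outgoing interface s0/1, the
# destination, and the return path, with five of the nine slots still empty.
REPLY_0 = build_record_route(["155.1.45.4", "150.1.5.5", "155.1.45.5", "155.1.45.4"])

if __name__ == "__main__":
    print(REPLY_0.hex())
    print(parse_record_route(REPLY_0))
```

The IHL field is four bits, so an IPv4 header is at most 60 bytes and the options area at most 40; after the three-byte option header that leaves nine 4-byte slots, and the 39-byte option is padded with one EOL byte. A router beyond the ninth finds the pointer past the option length and forwards the packet without recording itself, which is why this method cannot trace longer paths.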

From trust to untrust both the policy and NAT are fine; the trust interface is not NATed.
Connect a device or host on the trust side and initiate the connection from that device or host.

- webvpn
- enable outside
- tunnel-group-list enable
- group-policy ClientlessGP internal
- group-policy ClientlessGP attributes
- vpn-tunnel-protocol ssl-clientless
- username CISCO password CISCO
- username CISCO attributes
-   vpn-group-policy ClientlessGP
- tunnel-group ClientlessTG type remote-access
- tunnel-group ClientlessTG webvpn-attributes
- group-alias ALINAME enable

Clientless (browser) SSL VPN access is not allowed.
This error means AnyConnect Essentials is enabled; disable it:

webvpn
no anyconnect-essentials
reference: http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/a2.html#wp1668278

- ip local pool AnyconnectPool 172.16.1.1-172.16.1.99 mask 255.255.255.0
- interface Vlan1
-  nameif inside
-  security-level 100
-  ip address 192.168.1.1 255.255.255.0
- interface Vlan2
-  nameif outside
-  security-level 0
-  ip address 140.10.1.1 255.255.255.0
- webvpn
-  enable outside
-  anyconnect-essentials
-  anyconnect image disk0:/anyconnect-win-2.5.6005-k9.pkg 1
-  anyconnect enable
-  tunnel-group-list enable
- group-policy AnyconnectGP internal
- group-policy AnyconnectGP attributes
-  vpn-tunnel-protocol ssl-client
- tunnel-group AnyconnectTG type remote-access
- tunnel-group AnyconnectTG general-attributes
-  address-pool AnyconnectPool
-  default-group-policy AnyconnectGP
- tunnel-group AnyconnectTG webvpn-attributes
-  group-alias AnyconnectClient enable

The configuration above does not exempt the VPN pool from NAT; to exempt it, add the following:

object network NETWORK_OBJ_172.16.1.0_25
  subnet 172.16.1.0 255.255.255.128
nat (inside,outside) source static any any destination static NETWORK_OBJ_172.16.1.0_25 NETWORK_OBJ_172.16.1.0_25 no-proxy-arp route-lookup

While browsing around I came across an IP address management tool, phpIPAM. As the name suggests, it is built on PHP. PHP is the best @#$%^&! in the world!
First, the official requirements:

1.) Requirements. Before you start installing phpipam, please make sure you meet the following requirements:
- Apache2 webserver with php support, or Nginx with php-fpm
- Mysql server (5.1+)
- PHP: version 5.3 supported up to phpipam version 1.3.1; version 5.4; version 7.2 and higher supported from phpipam release 1.3.2
- PHP modules:
  - pdo, pdo_mysql: adds support for mysql connections
  - session: adds persistent session support
  - sockets: adds sockets support
  - openssl: adds openSSL support
  - gmp: adds support for dev-libs/gmp (GNU MP library), used to calculate IPv6 networks
  - ldap: adds LDAP support (Lightweight Directory Access Protocol; for AD also)
  - crypt: adds support for password encryption
  - SimpleXML: support for SimpleXML (optional, for RIPE queries and if required for the API)
  - json: enables JSON support
  - gettext: enables translation
  - filter: adds filtering support
  - pcntl: adds support for process creation functions (optional, required for scanning)
  - cli: enables CLI (optional, required for scanning and status checks)
  - mbstring: enables mbstring support
  - php PEAR support
Usually most php modules are built into the default php installation. If some required modules are missing, phpipam will fail with a warning and notify you about them.

You can check which php modules are enabled by issuing php -m in
command line.

Clone directly from GitHub:
git clone https://github.com/phpipam/phpipam.git /wwwroot/ipam
Switch to the release branch:
git checkout -b 1.3 origin/1.3

Configuring nginx and PHP 7.2
The official nginx reference configuration:

1.) phpIPAM version 1.3.2 and higher. If you are using phpIPAM version 1.3.2 or higher, please use the snippet below to configure your nginx server. We assume phpipam will be in a separate subfolder on the webserver, e.g. http://hostname/phpipam/; if not, adjust the settings accordingly.

  server {
    # root directory
    root   /var/www/;

    # phpipam
    location /phpipam/ {
        try_files $uri $uri/ /phpipam/index.php;
        index index.php;
    }
    # phpipam - api
    location /phpipam/api/ {
        try_files $uri $uri/ /phpipam/api/index.php;
    }

    # php-fpm
    location ~ \.php$ {
        fastcgi_pass   unix:/var/run/php-fpm.socket;
        fastcgi_index  index.php;
        # only hand scripts that exist on disk to php-fpm; "=404" is the
        # status-code fallback form of try_files
        try_files      $uri =404;
        # on Debian/Ubuntu, fastcgi_params does not set SCRIPT_FILENAME;
        # use "include fastcgi.conf;" there or set the parameter explicitly
        include        fastcgi_params;
    }
  }

2.) phpIPAM up to version 1.3.1. For older phpIPAM versions please use the snippet below. Again we assume phpipam will be in a separate subfolder on the webserver.

server {
    # root directory
    root   /var/www/;

    # phpipam
    location /phpipam/ {
        try_files $uri $uri/ =404;
        index index.php;

        error_page 500 /app/error/index.php;
        error_page 404 /app/error/index.php;
        error_page 403 /app/error/index.php;

        rewrite ^/phpipam/login/dashboard/?$ /phpipam/dashboard/ redirect;
        rewrite ^/phpipam/logout/dashboard/?$ /phpipam/dashboard/ redirect;
        rewrite ^/phpipam/tools/search/(.*)/(.*)/(.*)/(.*)/([^/]+)$ /phpipam/index.php?page=tools&section=search&addresses=$1&subnets=$2&vlans=$3&vrf=$4&ip=$5 last;
        rewrite ^/phpipam/tools/search/(.*) /phpipam/index.php?page=tools&section=search&ip=$1 last;
        rewrite ^/phpipam/(.*)/(.*)/(.*)/(.*)/(.*)/([^/]+)/? /phpipam/index.php?page=$1&section=$2&subnetId=$3&sPage=$4&ipaddrid=$5&tab=$6 last;
        rewrite ^/phpipam/(.*)/(.*)/(.*)/(.*)/([^/]+)/? /phpipam/index.php?page=$1&section=$2&subnetId=$3&sPage=$4&ipaddrid=$5 last;
        rewrite ^/phpipam/(.*)/(.*)/(.*)/([^/]+)/? /phpipam/index.php?page=$1&section=$2&subnetId=$3&sPage=$4 last;
        rewrite ^/phpipam/(.*)/(.*)/([^/]+)/? /phpipam/index.php?page=$1&section=$2&subnetId=$3 last;
        rewrite ^/phpipam/(.*)/([^/]+)/? /phpipam/index.php?page=$1&section=$2 last;
        rewrite ^/phpipam/([^/]+)/? /phpipam/index.php?page=$1 last;
    }
    # phpipam - api
    location /phpipam/api {
        rewrite ^/phpipam/api/(.*)/(.*)/(.*)/(.*)/(.*) /phpipam/api/index.php?app_id=$1&controller=$2&id=$3&id2=$4&id3=$5 last;
        rewrite ^/phpipam/api/(.*)/(.*)/(.*)/(.*) /phpipam/api/index.php?app_id=$1&controller=$2&id=$3&id2=$4 last;
        rewrite ^/phpipam/api/(.*)/(.*)/(.*) /phpipam/api/index.php?app_id=$1&controller=$2&id=$3 last;
        rewrite ^/phpipam/api/(.*)/(.*) /phpipam/api/index.php?app_id=$1&controller=$2 last;
        rewrite ^/phpipam/api/(.*) /phpipam/api/index.php?app_id=$1 last;
    }
    location /phpipam/css {
        try_files $uri $uri/ =404;
    }
    location /phpipam/js {
        try_files $uri $uri/ =404;
    }

    # php-fpm
    location ~ \.php$ {
        fastcgi_pass   unix:/var/run/php-fpm.socket;
        fastcgi_index  index.php;
        # only hand scripts that exist on disk to php-fpm; "=404" is the
        # status-code fallback form of try_files
        try_files      $uri =404;
        include        fastcgi_params;
    }
}

Installing the PHP extensions
aptitude install php7.2-gd php-pear php7.2-pdo-mysql php7.2-mbstring php7.2-json php7.2-xml php7.2-gmp; if you need LDAP, also install php7.2-ldap.

Manual installation:
Copy the example config.php:

3.) Initial configuration. Before you start installing the database files, you need to enter the database details that phpipam will use to connect to the database. First copy config.dist.php to config.php and enter the required details. For automatic installation phpipam will configure the database with the settings you enter in config.php; for manual installation you will have to do it yourself.

$db['host'] = "localhost";
$db['user'] = "phpipam";
$db['pass'] = "phpipamadmin";
$db['name'] = "phpipam";

Also, if you extracted the phpipam directory into any directory other than the web server root folder, you need to set that as well (the BASE directive) in config.php:

define('BASE', "/");

For example, if you have phpipam installed in http://myserver/phpipam/, then set BASE to /phpipam/.

Importing the database

You can manually import the SQL SCHEMA file via mysql's CLI, but first you need to create the database and grant the user permission (replace user/pass with the ones you set in config.php):

# mysql -u root -p
Enter password:
mysql> create database phpipam;
Query OK, 1 row affected (0.00 sec)
mysql> GRANT ALL on phpipam.* to phpipam@localhost identified by 'phpipamadmin';
Query OK, 0 rows affected (0.00 sec)
mysql> exit
Bye

Once this is in place, you can import SCHEMA.sql file with following command:
mysql -u root -p phpipam < db/SCHEMA.sql