EdgeOS Cli Komutlari
– Operasyonel mod ve Konfigurasyon mod
ilk defa login oldugunuzda operasyonel mod da olacaksiniz ve ‘?’ yazarsiniz kullanabiliceginiz bütün komutlari görebilirsiniz:
[email protected]:~$ ? add delete ping6 reset terminal clear disconnect reboot restart traceroute configure generate release set traceroute6 connect initial-setup remove show undebug copy no rename shutdown debug ping renew telnet [email protected]:~$ show ? arp flow-accounting nat table bridge hardware ntp tech-support configuration history openvpn ubnt date host pppoe-server users debugging incoming queueing version dhcp interfaces reboot vpn dhcpv6 ip route-map vrrp disk ipv6 shutdown webproxy dns lldp snmp zebra file log switch firewall login system [email protected]:~$ show interfaces Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down Interface IP Address S/L Description --------- ---------- --- ----------- eth0 - u/u eth1 - u/D eth2 - u/D eth3 - u/D eth4 - u/D eth5 - u/D eth6 - u/D lo 127.0.0.1/8 u/u
Konfigurasyonu degistirmek icin konfigurasyon moda giris yapmalisiniz.
[email protected]:~$ configure [email protected]#
‘?’ veya tab ile kullanabileceginiz komutlari görebilirsiniz:
[email protected]# show ? interfaces service system [email protected]# show ? Possible completions: interfaces Network interfaces service Services system System parameters
eth0 üzerinde ip adresini duzenlemek:
[email protected]# set interfaces ethernet eth0 address ? Possible completions: IP address and prefix length IPv6 address and prefix length dhcp Dynamic Host Configuration Protocol dhcpv6 Dynamic Host Configuration Protocol for IPv6 [email protected]# set interfaces ethernet eth0 address 10.1.1.80/23 [email protected]# set interfaces ethernet eth0 description "production LAN"
Bu degisikler sadece “calisan” konfigurasyonda etkilidir, ama “aktif” konfigurasyonda degisiklikler etkin degildir. Bu ikisi arasindaki farkliliklari gormek icin “compare” komutunu kullanabilirsiniz:
[email protected]# compare +address 10.1.1.2/24 +description "production LAN"
Ve hersey yolunda ise degisiklikleri aktif etmek icin “commit” komutunu kullanin:
[email protected]# commit
commit komutundan sonra hata almadiginizi varsayiyorum, artik degisikler etkin haldedir. Ama save komutunu kullanmazsaniz yeniden basladiginizda aktif olan konfigurasyonunuzu kaybedersiniz.Bunun icin “save” komutunu kullanin ve boota konfigurasyonu yazdirin.
[email protected]# save Saving configuration to '/config/config.boot'... Done [email protected]# exit exit [email protected]:~$ [email protected]:~$ show interfaces Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down Interface IP Address S/L Description --------- ---------- --- ----------- eth0 10.1.1.80/23 u/u production LAN eth1 - u/D eth2 - u/D eth3 - u/D eth4 - u/D eth5 - u/D eth6 - u/D lo 127.0.0.1/8 u/u ::1/128 [email protected]:~$ ping 10.1.0.1 PING 10.1.0.1 (10.1.0.1) 56(84) bytes of data. 64 bytes from 10.1.0.1: icmp_req=1 ttl=64 time=0.460 ms 64 bytes from 10.1.0.1: icmp_req=2 ttl=64 time=0.407 ms ^C --- 10.1.0.1 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 999ms rtt min/avg/max/mdev = 0.407/0.433/0.460/0.033 ms
Ilk olarak gerekli set komutu ile bir firewall kurali olusturacagiz.
[email protected]# set firewall name TEST default-action drop [email protected]# set firewall name TEST enable-default-log [email protected]# set firewall name TEST rule 10 description "allow icmp" [email protected]# set firewall name TEST rule 10 action accept [email protected]# set firewall name TEST rule 10 protocol icmp
commit yazmadan once kurali gorebiliriz compare:
[email protected]# compare +name TEST { + default-action drop + enable-default-log + rule 10 { + action accept + description "allow icmp" + protocol icmp + } +}
Simdi discard komutu ile yazdigimiz firewall kuralini geri alalim ve edit komutu ile firewall kurali yazalim.
[email protected]# discard Changes have been discarded [email protected]# compare No changes between working and active configurations
Eger farkettiyseniz ayricalikli modda calisirken # ile bu modda oldugunuzu anlayabilirsiniz yani en ust seviye modundasiniz. Simdi edit seviyesi ile firewall kuralimizi olusturmak icin devam edelim.
[email protected]# edit firewall name TEST [email protected]# set default-action drop [email protected]# set enable-default-log
Simdi edit(düzenlemek istedigimiz zaman kullandigimiz komut) rule 10
[email protected]# edit rule 10
Using the “?” or tab completion will just show options for the given edit level
[email protected]# set ? action disable ipsec p2p source time description fragment limit protocol state destination icmp log recent tcp [email protected]# set description "allow icmp" [email protected]# set action accept [email protected]# set protocol icmp
Simdi compare komutu size edit seviyesindeki karsilastirmalari gosterecektir.
[email protected]# compare +action accept +description "allow icmp" +protocol icmp
up komutu ile edit seviyesinin uzerine cikabilirsiniz.
[email protected]# up [email protected]# compare +default-action drop +enable-default-log +rule 10 { + action accept + description "allow icmp" + protocol icmp +} [email protected]# up [email protected]# compare +name TEST { + default-action drop + enable-default-log + rule 10 { + action accept + description "allow icmp" + protocol icmp + } +}
Herhangi bir duzenleme seviyesinden en ust seviyeyi gormek icin top komutunu kullanabilirsiniz.
[email protected]# top [email protected]# compare +name TEST { + default-action drop + enable-default-log + rule 10 { + action accept + description "allow icmp" + protocol icmp + } +}
En kullanisli komutlar edit , copy ve rename “dir.Diyelimki asagidaki gibi bir frewall kuralimiz var ve biz bunda kopyalayarak bir degisiklik yapmak istiyoruz.
[email protected]# show firewall name WAN1_LOCAL { default-action drop rule 10 { action accept state { established enable related enable } } rule 20 { action drop state { invalid enable } } rule 30 { action accept destination { port 22 } protocol tcp } }
[email protected]# edit firewall [email protected]# copy name WAN1_LOCAL to name WAN2_LOCAL [email protected]# commit [email protected]# top [email protected]# show firewall name WAN1_LOCAL { default-action drop rule 10 { action accept state { established enable related enable } } rule 20 { action drop state { invalid enable } } rule 30 { action accept destination { port 22 } protocol tcp } } name WAN2_LOCAL { default-action drop rule 10 { action accept state { established enable related enable } } rule 20 { action drop state { invalid enable } } rule 30 { action accept destination { port 22 } protocol tcp } }
rename komutu da edit komutu ile ayni sekilde calisir.
[email protected]# edit firewall [email protected]# rename name W WAN1_LOCAL WAN2_LOCAL [email protected]# rename name WAN2_LOCAL to name WAN2_IN [email protected]# commit [email protected]# top [email protected]# show firewall name name WAN1_LOCAL { default-action drop rule 10 { action accept state { established enable related enable } } rule 20 { action drop state { invalid enable } } rule 30 { action accept destination { port 22 } protocol tcp } } name WAN2_IN { default-action drop rule 10 { action accept state { established enable related enable } } rule 20 { action drop state { invalid enable } } rule 30 { action accept destination { port 22 } protocol tcp } } [email protected]#
– Config yönetimini kullanmak:
Yukarida anlattigim gibi save ile diske yazdirirsiniz, Ama ayni zamanda uzak bir sunucuya config dosyanizin yedegini alabilirsiniz.Su sekilde(tftp servisinin uzak sunucuya kurulu oldugunu varsiyorum):
[email protected]# save ? Possible completions: Save to system config file Save to file on local machine scp://:@/ Save to file on remote machine ftp://:@/ Save to file on remote machine tftp:/// Save to file on remote machine
[email protected]# save tftp://10.1.0.15/rtr-config.boot Saving configuration to 'tftp://10.1.0.15/rtr-config.boot'... ######################################################################## 100.0% Done
Ama bu sadece yedek konfigurasyon. Eger yeniden baslatirsam hala /config/config.boot acilacaktir.
Peki otomatik olarak her commit komutundan sonra uzak sunucuya yedeklemesini istersem ne yapmaliyim?
[email protected]# set system config-management commit-archive location ? Possible completions: Uniform Resource Identifier Detailed information: "scp://:@/
[email protected]# set system config-management commit-archive location tftp://10.1.0.15/RTR [email protected]# commit Archiving config... tftp://10.1.0.15/RTR OK
Uzak tftp sunucusunda her commit icin ayri ayri olarak bir kopyanin kaydedildigini ve bunlarin farkli router ismi & tarihi oldugunu göreceksiniz:
[email protected]:/tftpboot/RTR$ ls -l total 8 -rw------- 1 nobody nogroup 908 Aug 17 17:19 config.boot-RTR.20120817_171932 -rw------- 1 nobody nogroup 874 Aug 17 17:20 config.boot-RTR.20120818_002046
– commit-revisions
Ama uzak sunucuya yedekleme yerine config dosyasinin yerel diskte birden fazla revizyonlari saklamakta isteyebilirsiniz:
[email protected]# set system config-management commit-revisions 50 [email protected]# commit
Example:
[email protected]# set system login user joe authentication plaintext-password secret [email protected]# commit [email protected]# save; exit Saving configuration to '/config/config.boot'... Done exit [email protected]:~$ show system commit 0 2012-08-17 18:32:13 by ubnt via cli commit 1 2012-08-17 18:31:52 by ubnt via cli commit 2 2012-08-17 18:31:51 by root via init commit
Simdi revizyon 0″da neler degistigine göz atalim:
[email protected]:~$ show system commit diff 0 +user joe { + authentication { + encrypted-password $1$CWVzYggs$NyJXxC3S572rfm6pY8ZMO. + plaintext-password "" + } + level admin +}
Eger revizyon 0″daki butun konfigurasyonu görmek isterseniz:
[email protected]:~$ show system commit file 0
Peki commit komutlarima yorum /bilgi ekleyebilirmiyim?
[email protected]# set system login user joe level operator [email protected]# commit comment "change joe from admin to op" [email protected]# save; exit Saving configuration to '/config/config.boot'... Done exit
Simdi “show system commit ile bilgi/yorumlari da görebiliriz.
[email protected]R:~$ show system commit 0 2012-08-17 18:44:41 by ubnt via cli change joe from admin to op 1 2012-08-17 18:34:01 by ubnt via cli commit 2 2012-08-17 18:32:13 by ubnt via cli commit 3 2012-08-17 18:31:52 by ubnt via cli commit 4 2012-08-17 18:31:51 by root via init commit
– commit-confirm
Router üzerinde uzaktan calisirken, bazi degisikler yaparken (mesela firewall kurali veya nat kurali) baglantimiz kopabilir.Bu durumlarda yaptiginiz konfigurasyonun siz onay verene kadar etkin olmamasi cok da yerinde bir fikirdir.Mesela su sekilde:
[email protected]:~$ configure [email protected]# set firewall name WAN_IN rule 50 action drop [email protected]# set firewall name WAN_IN rule 50 destination address 172.16.0.0/16 [email protected]# commit-confirm commit confirm will be automatically reboot in 10 minutes unless confirmed Proceed?
Simdi hersey yolunda ise:
[email protected]# confirm
Kac dakika beklemesini gerektigini de yazabilirsiniz, Ama confirm komutunu yazmayi unutursaniz kötü süprizlerle karsilsabilirsiniz:
[email protected]# commit-confirm 1 commit confirm will be automatically reboot in 1 minutes unless confirmed Proceed? [email protected]# Broadcast message from [email protected] (Mon Aug 20 14:00:06 2012): The system is going down for reboot NOW! INIT: Switching to runlevel: 6 INIT: Stopping routing services...zebra...done. Removing all Quagga Routes.
