EdgeOS CLI Commands

– Operational mode and Configuration mode

When you log in for the first time you will be in operational mode, and if you type ‘?’ you can see all the commands available to you:

[email protected]:~$ ?                                                                   
add            delete         ping6          reset          terminal            
clear          disconnect     reboot         restart        traceroute          
configure      generate       release        set            traceroute6         
connect        initial-setup  remove         show           undebug             
copy           no             rename         shutdown                           
debug          ping           renew          telnet     

[email protected]:~$ show ?                                                           
arp              flow-accounting  nat              table                        
bridge           hardware         ntp              tech-support                 
configuration    history          openvpn          ubnt                         
date             host             pppoe-server     users                        
debugging        incoming         queueing         version                      
dhcp             interfaces       reboot           vpn                          
dhcpv6           ip               route-map        vrrp                         
disk             ipv6             shutdown         webproxy                     
dns              lldp             snmp             zebra                        
file             log              switch                                        
firewall         login            system  

[email protected]:~$ show interfaces                                                    
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down                    
Interface    IP Address                        S/L  Description                 
---------    ----------                        ---  -----------                 
eth0         -                                 u/u                              
eth1         -                                 u/D                              
eth2         -                                 u/D                              
eth3         -                                 u/D                              
eth4         -                                 u/D                              
eth5         -                                 u/D                              
eth6         -                                 u/D                              
lo           127.0.0.1/8                       u/u

To change the configuration you must enter configuration mode.

[email protected]:~$ configure                                                          
                                                                          
[email protected]#

With ‘?’ or tab you can see the commands available to you:

[email protected]# show ?                                                              
interfaces  service     system                                                  
                                                                          
[email protected]# show ?                                                               
Possible completions:                                                           
  interfaces    Network interfaces                                              
  service       Services                                                        
  system        System parameters

Setting the IP address on eth0:

[email protected]# set interfaces ethernet eth0 address ?                                
Possible completions:                                                           
     IP address and prefix length                                    
                                                             
                IPv6 address and prefix length                                  
  dhcp          Dynamic Host Configuration Protocol                             
  dhcpv6        Dynamic Host Configuration Protocol for IPv6                    
                                                                                
                                                                          
[email protected]# set interfaces ethernet eth0 address 10.1.1.80/23                     
                                                                          
[email protected]# set interfaces ethernet eth0 description "production LAN"

These changes exist only in the “working” configuration; they are not yet in effect in the “active” configuration. To see the differences between the two, you can use the “compare” command:

[email protected]# compare                                                              
                                                 
+address 10.1.1.2/24                                                            
+description "production LAN"

And if everything looks fine, use the “commit” command to activate the changes:

[email protected]# commit

I assume you got no errors after the commit command; the changes are now in effect. But if you do not use the save command, you will lose your active configuration when the router restarts. So use the “save” command to write the configuration to the boot config.

[email protected]# save                                                                 
Saving configuration to '/config/config.boot'...                                
Done                                                                            
                                                                          
[email protected]# exit                                                                 
exit                                                                            
[email protected]:~$ 

[email protected]:~$ show interfaces                                                    
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down                    
Interface    IP Address                        S/L  Description                 
---------    ----------                        ---  -----------                 
eth0         10.1.1.80/23                      u/u  production LAN              
eth1         -                                 u/D                              
eth2         -                                 u/D                              
eth3         -                                 u/D                              
eth4         -                                 u/D                              
eth5         -                                 u/D                              
eth6         -                                 u/D                              
lo           127.0.0.1/8                       u/u                              
             ::1/128                                                            
                                                                    
[email protected]:~$ ping 10.1.0.1                                                      
PING 10.1.0.1 (10.1.0.1) 56(84) bytes of data.                                  
64 bytes from 10.1.0.1: icmp_req=1 ttl=64 time=0.460 ms                         
64 bytes from 10.1.0.1: icmp_req=2 ttl=64 time=0.407 ms                         
^C                                                                              
--- 10.1.0.1 ping statistics ---                                                
2 packets transmitted, 2 received, 0% packet loss, time 999ms                   
rtt min/avg/max/mdev = 0.407/0.433/0.460/0.033 ms

– Using the edit, up, top, discard, copy and rename commands

First, we will create a firewall rule with the necessary set commands.

[email protected]# set firewall name TEST default-action drop                           
                                                                          
[email protected]# set firewall name TEST enable-default-log
[email protected]# set firewall name TEST rule 10 description "allow icmp"              
[email protected]# set firewall name TEST rule 10 action accept                         
[email protected]# set firewall name TEST rule 10 protocol icmp

Before committing, we can view the rule with compare:

[email protected]# compare
+name TEST {
+    default-action drop
+    enable-default-log
+    rule 10 {
+        action accept
+        description "allow icmp"
+        protocol icmp
+    }
+}

Now let's undo the firewall rule we wrote with the discard command, and write the firewall rule again using the edit command.

[email protected]# discard
Changes have been discarded
                                                 
[email protected]# compare
No changes between working and active configurations

As you may have noticed, when you are working in privileged mode the # tells you that you are in this mode, that is, at the top level. Now let's continue and create our firewall rule using edit levels.

[email protected]# edit firewall name TEST                  
          
[email protected]# set default-action drop
                                       
[email protected]# set enable-default-log

Now edit (the command we use when we want to modify something) rule 10:

[email protected]# edit rule 10

Using the “?” or tab completion will just show options for the given edit level

[email protected]# set ?
action       disable      ipsec        p2p          source       time           
description  fragment     limit        protocol     state                       
destination  icmp         log          recent       tcp                         
                                               
[email protected]# set description "allow icmp"                                         
                                               
[email protected]# set action accept                                                    
                                               
[email protected]# set protocol icmp

Now the compare command will show you the differences at the current edit level.

[email protected]# compare                                                              
                                               
+action accept
+description "allow icmp"
+protocol icmp

With the up command you can move one level above the current edit level.

[email protected]# up                                                                   
                                                       
[email protected]# compare                                                              
                                                       
+default-action drop                                                            
+enable-default-log                                                             
+rule 10 {                                                                      
+    action accept                                                              
+    description "allow icmp"                                                   
+    protocol icmp                                                              
+}                                                                              
                                                       
[email protected]# up                                                                   
                                                                 
[email protected]# compare                                                              
                                                                 
+name TEST {                                                                    
+    default-action drop                                                        
+    enable-default-log                                                         
+    rule 10 {                                                                  
+        action accept                                                          
+        description "allow icmp"                                               
+        protocol icmp                                                          
+    }                                                                          
+}

From any edit level, you can use the top command to get back to the top level.

[email protected]# top                                                                  
                                                                          
[email protected]# compare                                                              
                                                                 
+name TEST {                                                                    
+    default-action drop                                                        
+    enable-default-log                                                         
+    rule 10 {                                                                  
+        action accept                                                          
+        description "allow icmp"
+        protocol icmp
+    }
+}

The most useful commands are edit, copy and rename. Let's say we have a firewall ruleset like the one below and we want to copy it in order to make a change.

[email protected]# show firewall
 name WAN1_LOCAL {
     default-action drop
     rule 10 {
         action accept
         state {
             established enable
             related enable
         }
     }
     rule 20 {
         action drop
         state {
             invalid enable
         }
     }
     rule 30 {
         action accept
         destination {
             port 22
         }
         protocol tcp
     }
 }
[email protected]# edit firewall
[email protected]# copy name WAN1_LOCAL to name WAN2_LOCAL
[email protected]# commit
[email protected]# top
[email protected]# show firewall
 name WAN1_LOCAL {
     default-action drop
     rule 10 {
         action accept
         state {
             established enable
             related enable
         }
     }
     rule 20 {
         action drop
         state {
             invalid enable
         }
     }
     rule 30 {
         action accept
         destination {
             port 22
         }
         protocol tcp
     }
 }
 name WAN2_LOCAL {
     default-action drop
     rule 10 {
         action accept
         state {
             established enable
             related enable
         }
     }
     rule 20 {
         action drop
         state {
             invalid enable
         }
     }
     rule 30 {
         action accept
         destination {
             port 22
         }
         protocol tcp
     }
 }

The rename command also works the same way as the edit command.

[email protected]# edit firewall
[email protected]# rename name W
WAN1_LOCAL  WAN2_LOCAL
[email protected]# rename name WAN2_LOCAL to name WAN2_IN
[email protected]# commit
[email protected]# top
[email protected]# show firewall name
 name WAN1_LOCAL {
     default-action drop
     rule 10 {
         action accept
         state {
             established enable
             related enable
         }
     }
     rule 20 {
         action drop
         state {
             invalid enable
         }
     }
     rule 30 {
         action accept
         destination {
             port 22
         }
         protocol tcp
     }
 }
 name WAN2_IN {
     default-action drop
     rule 10 {
         action accept
         state {
             established enable
             related enable
         }
     }
     rule 20 {
         action drop
         state {
             invalid enable
         }
     }
     rule 30 {
         action accept
         destination {
             port 22
         }
         protocol tcp
     }
 }
[email protected]#

– Using config management:

As I explained above, save writes the configuration to disk. But you can also back up your config file to a remote server, like this (I am assuming the tftp service is installed on the remote server):

[email protected]# save ?                                                                 
Possible completions:                                                           
                                 Save to system config file              
                                  Save to file on local machine           
  scp://:@/   Save to file on remote machine          
  ftp://:@/   Save to file on remote machine          
  tftp:///                  Save to file on remote machine
[email protected]# save tftp://10.1.0.15/rtr-config.boot                                 
Saving configuration to 'tftp://10.1.0.15/rtr-config.boot'...                   
######################################################################## 100.0% 
Done

But this is only a backup of the configuration. If I reboot, /config/config.boot is still what will be loaded.

So what should I do if I want it to back up to the remote server automatically after every commit?

[email protected]# set system config-management commit-archive location ?              
Possible completions:
           Uniform Resource Identifier                                     
                                                                                
Detailed information:                                                           
                                                                                
    "scp://:@/

 

“ftp://:@/ 

“tftp:/// 

[email protected]# set system config-management commit-archive location tftp://10.1.0.15/RTR

[email protected]# commit
Archiving config...
  tftp://10.1.0.15/RTR  OK

On the remote tftp server you will see that a separate copy is saved for each commit, and that each one carries a different router name & date:

[email protected]:/tftpboot/RTR$ ls -l
total 8
-rw------- 1 nobody nogroup 908 Aug 17 17:19 config.boot-RTR.20120817_171932
-rw------- 1 nobody nogroup 874 Aug 17 17:20 config.boot-RTR.20120818_002046

– commit-revisions

But instead of backing up to a remote server, you may also want to keep multiple revisions of the config file on the local disk:

[email protected]# set system config-management commit-revisions 50

[email protected]# commit

Example:

[email protected]# set system login user joe authentication plaintext-password secret   

[email protected]# commit

[email protected]# save; exit
Saving configuration to '/config/config.boot'...
Done
exit

[email protected]:~$ show system commit                                                  
0   2012-08-17 18:32:13 by ubnt via cli                                         
    commit                                                                      
1   2012-08-17 18:31:52 by ubnt via cli                                         
    commit                                                                      
2   2012-08-17 18:31:51 by root via init                                        
    commit

Now let's take a look at what changed in revision 0:

[email protected]:~$ show system commit diff 0

+user joe {
+    authentication {
+        encrypted-password $1$CWVzYggs$NyJXxC3S572rfm6pY8ZMO.
+        plaintext-password ""
+    }
+    level admin
+}

If you want to see the entire configuration in revision 0:

[email protected]:~$ show system commit file 0

So can I add a comment/note to my commits?

[email protected]# set system login user joe level operator                              
                                                                          
[email protected]# commit comment "change joe from admin to op"                          
                                                                          
[email protected]# save; exit                                                            
Saving configuration to '/config/config.boot'...                                
Done                                                                            
exit

Now we can also see the comments/notes with “show system commit”.

[email protected]R:~$ show system commit                                                  
0   2012-08-17 18:44:41 by ubnt via cli                                         
    change joe from admin to op                                                 
1   2012-08-17 18:34:01 by ubnt via cli                                         
    commit                                                                      
2   2012-08-17 18:32:13 by ubnt via cli                                         
    commit                                                                      
3   2012-08-17 18:31:52 by ubnt via cli                                         
    commit                                                                      
4   2012-08-17 18:31:51 by root via init                                        
    commit
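
An added example, not part of the original post and not EdgeOS code: a small Python script for the backup server that flattens two archived revisions into full config paths (the same path you type after set at the top level) and lists what changed between them in set/delete form, flagging changes under firewall, system login and system config-management. The sample revisions, the SENSITIVE policy and the function names are assumptions made for illustration.

```python
# Constructed sample: two revisions in the brace format this page shows for
# "show firewall" and "show system commit diff" (the hash is a placeholder).
REV_OLD = '''
firewall {
    name WAN1_LOCAL {
        default-action drop
        rule 30 {
            action accept
            protocol tcp
        }
    }
}
system {
    login {
        user joe {
            authentication {
                encrypted-password $1$PLACEHOLDER$notARealHash
                plaintext-password ""
            }
            level admin
        }
    }
}
'''
# Newer revision: joe demoted to operator, firewall default flipped to accept.
REV_NEW = (REV_OLD.replace("level admin", "level operator")
                  .replace("default-action drop", "default-action accept"))

# Assumed review policy: subtrees whose changes deserve a second look.
SENSITIVE = {
    ("firewall",): "firewall policy",
    ("system", "login"): "accounts and credentials",
    ("system", "config-management"): "config archive destination",
}

def flatten(text):
    """Turn a brace-style config into a set of full paths, one per leaf."""
    paths, stack = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):            # entering a level, like "edit"
            stack.append(tuple(line[:-1].split()))
        elif line == "}":                 # leaving a level, like "up"
            stack.pop()
        else:                             # leaf: key plus optional value
            key, _, value = line.partition(" ")
            paths.add(sum(stack, ()) + ((key, value) if value else (key,)))
    return paths

def diff_commands(old, new):
    """List the change between two revisions in set/delete form for review."""
    a, b = flatten(old), flatten(new)
    return (["delete " + " ".join(p) for p in sorted(a - b)] +
            ["set " + " ".join(p) for p in sorted(b - a)])

def review(old, new):
    """Return (reason, command) pairs for changes under a sensitive subtree."""
    hits = []
    for cmd in diff_commands(old, new):
        path = tuple(cmd.split()[1:])
        hits += [(why, cmd) for pre, why in SENSITIVE.items()
                 if path[:len(pre)] == pre]
    return hits

if __name__ == "__main__":
    for why, cmd in review(REV_OLD, REV_NEW):
        print(f"[{why}] {cmd}")
```

The set/delete lines are meant for reading during review, not for pasting back into a router; empty nodes and comments in a real config.boot are not handled here.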

– commit-confirm

When working on a router remotely, our connection may drop while we are making certain changes (for example a firewall rule or a nat rule). In these situations it is a very good idea for the configuration you have made not to be in effect until you give your confirmation. For example, like this:

[email protected]:~$ configure                                                           
                                                                          
[email protected]# set firewall name WAN_IN rule 50 action drop                          
                                                                                                                                             
[email protected]# set firewall name WAN_IN rule 50 destination address 172.16.0.0/16    
                                                                          
[email protected]# commit-confirm                                                        
commit confirm will be automatically reboot in 10 minutes unless confirmed      
Proceed?

Now, if everything is fine:

[email protected]# confirm

You can also specify how many minutes it should wait. But if you forget to type the confirm command, you may run into unpleasant surprises:

[email protected]# commit-confirm 1                                                      
commit confirm will be automatically reboot in 1 minutes unless confirmed       
Proceed?                                                            
                                                                          
[email protected]#                                                                       
Broadcast message from [email protected] (Mon Aug 20 14:00:06 2012):                     
                                                                                
The system is going down for reboot NOW!                                        
INIT: Switching to runlevel: 6                                                  
INIT: Stopping routing services...zebra...done.                                 
Removing all Quagga Routes.
