Step 8 of the CSRC installation process is to configure your cable network for CSRC before you begin using the software. This chapter provides example configurations for setting up Cisco Network Registrar and the uBR IOS.
This chapter also describes how to change the encoded passwords in the csrc.cfg file.
Example 5-1 is a template configuration file and Example 5-2 is the companion configuration shell script. The shell script prompts for site-specific values, substitutes them into the template file, and passes the result to the nrcmd command-line interface as a batch configuration file.
An electronic copy of the files in Example 5-1 and Example 5-2 is included on the CSRC distribution media in the /opt/csrc/conf directory. The cnr-config.txt file is Example 5-1 and the cnr-configure.sh file is Example 5-2.
The cnr-config.txt file does the following:
Before you run the script files in Example 5-1 and Example 5-2, you must set the CNR license key. The command syntax is the following:

```
license set key=value
```

To set the license key you must run the nrcmd program in interactive mode. For example, to set the license key to 1234 abcd 5678 efgh, enter the following (exiting is not necessary):

```
nrcmd -C cluster1 -N admin -P aicuser
nrcmd> license set key=1234-abcd-5678-efgh
100 Ok
nrcmd> exit
```
In Example 5-1, underlined text indicates line wrapping. For example, the following is actually one line:

```
# additional log settings... ,incoming-packet-detail,outgoing-packet-detail,unknown-criteria,client-detail,client-criteria-processing
```
```
#
# CNR Lab Configuration for CSRC
#
# This example sets up four scopes: one for Unprovisioned Modems, one
# for Provisioned Modems, one for Unprovisioned CPEs and one for
# Provisioned CPEs. The comments below give example values for each
# variable used in the batch file. A companion shell script
# configure-cnr-for-csrc.sh prompts for a value for each variable
# and creates a nrcmd batch file with which it invokes nrcmd.
#
# This file is organized into three sections, DHCP Configuration,
# TFTP Configuration and DNS Configuration. If you plan to run DNS,
# DHCP and TFTP on separate machines, you may split this file up and
# configure only the server you want on each machine. Or configure
# all the servers on each machine and disable the ones you are not
# using via the start-on-reboot command. For example...
# nrcmd> server dhcp stop
# nrcmd> server dhcp disable start-on-reboot
#
# NOTE: CNR is shipped with TFTP disabled by default so you must first
# enable TFTP by running the following commands...
# nrcmd> server tftp enable start-on-reboot
# then run
# /etc/init.d/aicservagt stop
# /etc/init.d/aicservagt start
# this will activate the TFTP server
#
# Also note: to widen the scope address ranges beyond the current value
# of 16 will require manual editing of this file. See the scope and
# addrange commands below.
#
# Example variable substitution values...
#
# @network_base@ 172.27.192
# @tftp_ip@ 172.27.180.112
# @time_ip@ 172.27.180.113
# @log_ip@ 172.27.180.114
# @csrc_ip@ 172.27.180.115
# @unprov_dns@ 172.27.180.116
# @prov_dns@ 172.27.182.82,172.27.182.81
# @unprov_lease_time@ 300
# @prov_lease_time@ 604800
# @cnr_host@ iceberg
# @ldap_host@ glacier
# @ldap_port@ 389
# @ldap_pass@ changeme
# @ldap_admin@ uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
# @csrc_base@ csrcprogramname=csrc,ou=cisco.com,o=NetscapeRoot
# @domain_name@ cisco.com
# @csrc_config@ /opt/csrc/conf/csrc.cfg
#
force-lock
session set visibility=3
# DHCP configuration
#
dhcp enable client-class
dhcp enable use-ldap-client-data
dhcp set log-settings=default,incoming-packets,missing-options
# additional log settings... ,incoming-packet-detail,outgoing-packet-detail,unknown-criteria,client-detail,client-criteria-processing
dhcp enable save-relay-agent-data
dhcp enable save-vendor-class-id
scope-selection-tag tagCableModem delete
scope-selection-tag tagCableModemUnprov delete
scope-selection-tag tagComputer delete
scope-selection-tag tagComputerUnprov delete
scope-selection-tag tagCableModem create
scope-selection-tag tagCableModemUnprov create
scope-selection-tag tagComputer create
scope-selection-tag tagComputerUnprov create
policy policyCableModem delete
policy policyCableModemUnprov delete
policy policyComputer delete
policy policyComputerUnprov delete
policy policyCableModem create packet-file-name=/docsis/mac-%@mac-addr% packet-siaddr=@tftp_ip@ dhcp-reply-options=packet-siaddr,packet-file-name
policy policyCableModem setoption boot-file /docsis/mac-%@mac-addr%
policy policyCableModem setoption tftp-server @tftp_ip@
policy policyCableModem setoption time-offset 18000
policy policyCableModem setoption time-servers @time_ip@
policy policyCableModem setoption dhcp-lease-time @prov_lease_time@
policy policyCableModem setoption log-servers @log_ip@
policy policyCableModem setoption mcns-security-server 0.0.0.0
policy policyCableModemUnprov create packet-file-name=/docsis/mac-%@mac-addr% packet-siaddr=@tftp_ip@ dhcp-reply-options=packet-siaddr,packet-file-name
policy policyCableModemUnprov setoption boot-file /docsis/mac-%@mac-addr%
policy policyCableModemUnprov setoption tftp-server @tftp_ip@
policy policyCableModemUnprov setoption time-offset 18000
policy policyCableModemUnprov setoption time-servers @time_ip@
policy policyCableModemUnprov setoption dhcp-lease-time @unprov_lease_time@
policy policyCableModemUnprov setoption log-servers @log_ip@
policy policyCableModemUnprov setoption mcns-security-server 0.0.0.0
policy policyComputer create
policy policyComputer setoption domain-name-servers @prov_dns@
policy policyComputer setoption dhcp-lease-time @prov_lease_time@
policy policyComputer setoption domain-name @domain_name@
policy policyComputerUnprov create
policy policyComputerUnprov setoption domain-name-servers @unprov_dns@
policy policyComputerUnprov setoption dhcp-lease-time @unprov_lease_time@
policy policyComputerUnprov setoption domain-name @domain_name@
client-class provisionedCM delete
client-class unprovisionedCM delete
client-class provisionedCPE delete
client-class unprovisionedCPE delete
client-class provisionedCM create policy-name=policyCableModem selection-criteria=tagCableModem
client-class unprovisionedCM create policy-name=policyCableModemUnprov selection-criteria=tagCableModemUnprov
client-class provisionedCPE create policy-name=policyComputer selection-criteria=tagComputer
client-class unprovisionedCPE create policy-name=policyComputerUnprov selection-criteria=tagComputerUnprov
scope scopeCableModem delete
scope scopeCableModemUnprov delete
scope scopeComputer delete
scope scopeComputerUnprov delete
scope scopeCableModem create @network_base@.0 255.255.255.240 policy=policyCableModem selection-tags=tagCableModem
scope scopeCableModemUnprov create @network_base@.16 255.255.255.240 policy=policyCableModemUnprov selection-tags=tagCableModemUnprov primary-scope=scopeCableModem
scope scopeComputer create @network_base@.32 255.255.255.240 policy=policyComputer selection-tags=tagComputer primary-scope=scopeCableModem
scope scopeComputerUnprov create @network_base@.48 255.255.255.240 policy=policyComputerUnprov selection-tags=tagComputerUnprov primary-scope=scopeCableModem
scope scopeCableModem addrange @network_base@.2 @network_base@.14
scope scopeCableModemUnprov addrange @network_base@.18 @network_base@.30
scope scopeComputer addrange @network_base@.34 @network_base@.46
scope scopeComputerUnprov addrange @network_base@.50 @network_base@.62
scope-policy scopeCableModem setoption routers @network_base@.1
scope-policy scopeCableModemUnprov setoption routers @network_base@.17
scope-policy scopeComputer setoption routers @network_base@.33
scope-policy scopeComputerUnprov setoption routers @network_base@.49
extension dexCmCpeClassification delete
extension dexCmCpeClassification create Dex libdexextension.so dexCmCpeClassification init-entry=dexClassificationInitEntry
extension dexCmCpeClassification set init-args=cm-unprovisioned-class=unprovisionedCM:cpe-unprovisioned-class=unprovisionedCPE
dhcp attachextension pre-client-lookup dexCmCpeClassification
# LDAP configuration for DHCP
#
ldap csrc delete
ldap csrc create @ldap_host@.@domain_name@ can-create=enabled can-query=enabled can-update=enabled password=@ldap_pass@ port=@ldap_port@
ldap csrc set create-object-classes=top,denpolicy,csrclease dn-attribute=address default-attribute-value=<default>
ldap csrc set dn-create-format=csrcobjectid=%s:Lease,csrcclassname=csrclease,@csrc_base@
ldap csrc set dn-format=csrcobjectid=%s:Lease,csrcclassname=csrclease,@csrc_base@
ldap csrc set search-filter=(&(macaddress=%s)(|(csrcclassname=Computer)(csrcclassname=Modem)))
ldap csrc set search-path=@csrc_base@
ldap csrc set username=@ldap_admin@
ldap csrc setentry create-dictionary csrcleasestate=state csrcexpirationtime=expiration
ldap csrc setentry create-dictionary csrcrelayagentcircuitid=relay-agent-circuit-id csrcrelayagentremoteid=relay-agent-remote-id
ldap csrc setentry create-dictionary csrcipaddress=address macaddress=client-mac-addr csrcleaserenewaltime=expiration
ldap csrc setentry create-string-dictionary csrcseqnum=0 csrcclassname=Lease
ldap csrc setentry query-dictionary csrcclientclass=client-class-name
ldap csrc setentry update-dictionary macaddress=client-mac-addr csrcrelayagentcircuitid=relay-agent-circuit-id csrcrelayagentremoteid=relay-agent-remote-id
# TFTP configuration
#
tftp enable start-on-reboot
tftp enable docsis-access
tftp set csrc-configuration-file=@csrc_config@
tftp set ldap-host-name=@ldap_host@
tftp set ldap-password=@ldap_pass@
tftp set ldap-port-number=@ldap_port@
tftp set ldap-root-dn=@csrc_base@
tftp set ldap-user-name=@ldap_admin@
# DNS configuration
# create dummy root zone to redirect to self
#
zone . delete
zone . create primary @cnr_host@.@domain_name@ postmaster.@cnr_host@.@domain_name@
zone . addrr * a @csrc_ip@
save
dns reload
tftp reload
dhcp reload
```
```sh
#!/bin/sh
# $Id: configure-cnr.sh,v 1.1.1.9 1999/06/11 15:38:43 rwoundy Exp $
#
# Installation script for configuring a stock CNR configuration
#set -x
verbose=1
conf=/tmp/cnr.$$
conf_orig=conf/cnr-for-csrc-config.txt
csrc_base="csrcprogramname=csrc,ou=cisco.com,o=NetscapeRoot"
ldap_admin="uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot"
PATH=/bin:/usr/bin:/usr/local/bin
export PATH
# The generated sed script and batch file carry the LDAP and CNR
# passwords in clear text, so create the temporary files owner-only.
umask 077

# prompt "label" default "allowed values"
# Reads a reply into $val. An empty reply selects the default; if a
# list of allowed values was given, the question is repeated until the
# reply is one of them.
prompt () {
  match=$3
  printf '%s (%s)? [%s] ' "$1" "$match" "$2"
  while true; do
    read val
    if [ -z "$val" ]; then
      val=$2
      break
    fi
    [ -z "$match" ] && break
    for m in $match ; do
      if [ "$m" = "$val" ] ; then
        break 2
      fi
    done
    printf " Invalid input '%s', must be one of (%s) [%s] " "$val" "$match" "$2"
  done
}

# Figure out the distribution directory: strip the script name from the
# path it was invoked by, leaving the directory that holds conf/.
DEST=`echo "$0" | sed -e 's:.[-a-zA-Z0-9_\.]*$::'`
[ -d "$DEST" -a -d "$DEST/conf" ] || {
  echo "ERROR: invalid distribution directory '$DEST'"
  exit 1
}
cd "$DEST"
[ -f "$conf_orig" -a -r "$conf_orig" ] || {
  echo "Error: input configuration file '$conf_orig' does not exist"
  exit 2
}

prompt "CNR installation directory" '/opt/nwreg2'
cnr_install=$val
nrcmd=$cnr_install/usrbin/nrcmd
prompt "nrcmd path" "$nrcmd"
nrcmd=$val
[ -x "$nrcmd" ] || {
  echo "ERROR: nrcmd proc '$nrcmd' not executable"
  exit 1
}
prompt "CNR Host Name"
cnr_host=$val
prompt "CNR admin name" admin
cnr_admin=$val
prompt "CNR admin password" changeme
cnr_pass=$val
prompt "LDAP Host Name" "$cnr_host"
ldap_host=$val
prompt "LDAP Port" 389
ldap_port=$val
prompt "Admin DN" "$ldap_admin"
ldap_admin=$val
prompt "Admin Password"
ldap_pass=$val
prompt "Network Base Address" 172.27.192
network_base=$val
prompt "TFTP Server IP Address"
tftp_ip=$val
prompt "Time Server IP Address" "$tftp_ip"
time_ip=$val
prompt "Log Server IP Address" "$tftp_ip"
log_ip=$val
prompt "CSRC Server IP Address" "$tftp_ip"
csrc_ip=$val
prompt "Unregistered DNS Server IP Address" "$tftp_ip"
unprov_dns=$val
prompt "Registered DNS Server IP Address(es)" 172.27.182.82,172.27.182.81
prov_dns=$val
prompt "CSRC LDAP Root" "$csrc_base"
csrc_base=$val
prompt "Unprovisioned Lease Time" 300
unprov_lease_time=$val
prompt "Provisioned Lease Time" 600
prov_lease_time=$val
prompt "Domain name" cisco.com
domain_name=$val
prompt "CSRC Config File Path" /opt/csrc/conf/csrc.cfg
csrc_config=$val

# Build the sed script that turns the template into an nrcmd batch file:
# drop comment and blank lines, then replace each @name@ placeholder.
# '^' is the s command delimiter, so a value containing '^', '&' or '\'
# would break the substitution.
cat > /tmp/sed.$$ <<EOF
/^[ ]*#/d
/^[ ]*$/d
s^@cnr_host@^$cnr_host^g
s^@ldap_host@^$ldap_host^g
s^@ldap_port@^$ldap_port^g
s^@ldap_admin@^$ldap_admin^g
s^@ldap_pass@^$ldap_pass^g
s^@csrc_base@^$csrc_base^g
s^@unprov_dns@^$unprov_dns^g
s^@prov_dns@^$prov_dns^g
s^@tftp_ip@^$tftp_ip^g
s^@time_ip@^$time_ip^g
s^@log_ip@^$log_ip^g
s^@csrc_ip@^$csrc_ip^g
s^@unprov_lease_time@^$unprov_lease_time^g
s^@prov_lease_time@^$prov_lease_time^g
s^@domain_name@^$domain_name^g
s^@csrc_config@^$csrc_config^g
s^@network_base@^$network_base^g
EOF
sed -f /tmp/sed.$$ < "$conf_orig" > "$conf"
echo "running $nrcmd < $conf"
# -b runs nrcmd in batch mode on the generated file.
$nrcmd -b -C "$cnr_host" -N "$cnr_admin" -P "$cnr_pass" < "$conf" > /tmp/nrcmd.log.$$
echo "done with nrcmd, output in /tmp/nrcmd.log.$$"
rm /tmp/sed.$$
# $conf is kept for inspection; it contains the LDAP password, so remove
# it once you are done (uncomment the next line to do so automatically).
# rm /tmp/sed.$$ $conf
```
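The substitution step above is the part of the script most worth checking, because an unfilled `@name@` or a mistyped address would otherwise go straight into nrcmd. The following is an added example, not part of the CSRC distribution: it performs the same transformation as the sed script (drop comment and blank lines, replace every `@name@`), but validates the values that must be IPv4 addresses and refuses to emit a batch file that still contains a placeholder. The template excerpt is constructed for the example; the variable names and the IP-address classification of `tftp_ip`, `time_ip`, `log_ip`, `csrc_ip`, `unprov_dns` and `prov_dns` are taken from the template's example values.

```python
"""Render a CNR nrcmd batch file from an @variable@ template.

Added example, not part of the CSRC distribution. It does in Python what
configure-cnr.sh does with sed (drop comment and blank lines, replace
every @name@), but additionally validates the values that must be IPv4
addresses and refuses to emit a batch file that still contains an
unresolved @name@, so a typo in a prompt answer cannot reach nrcmd.
"""
import ipaddress
import re

PLACEHOLDER = re.compile(r"@([a-z_]+)@")

# Template variables that must be a single dotted-quad address, or a
# comma-separated list of them (assumed from the template's example values).
IP_VARS = ("tftp_ip", "time_ip", "log_ip", "csrc_ip", "unprov_dns")
IP_LIST_VARS = ("prov_dns",)

# Constructed excerpt of the template, using the real file's placeholder
# syntax; the full file is /opt/csrc/conf/cnr-config.txt on the CSRC media.
TEMPLATE = """\
#
# CNR Lab Configuration for CSRC (constructed excerpt for this example)
#
force-lock
policy policyCableModem setoption tftp-server @tftp_ip@
policy policyComputer setoption domain-name-servers @prov_dns@
scope scopeCableModem create @network_base@.0 255.255.255.240 policy=policyCableModem
scope scopeCableModem addrange @network_base@.2 @network_base@.14
tftp set ldap-password=@ldap_pass@
"""


def validate(values):
    """Raise ValueError for a value the template cannot use as given."""
    for name in IP_VARS:
        if name in values:
            ipaddress.IPv4Address(values[name])   # AddressValueError is a ValueError
    for name in IP_LIST_VARS:
        if name in values:
            for addr in values[name].split(","):
                ipaddress.IPv4Address(addr)
    if "network_base" in values:
        # The template appends the fourth octet itself, so the base is three octets.
        if values["network_base"].count(".") != 2:
            raise ValueError("network_base must be three octets, e.g. 172.27.192")
        ipaddress.IPv4Address(values["network_base"] + ".0")
    if "ldap_pass" in values and not values["ldap_pass"]:
        raise ValueError("ldap_pass must not be empty")


def render(template, values):
    """Return the nrcmd batch text for `template` with `values` substituted.

    Mirrors the sed rules in configure-cnr.sh (/^[ ]*#/d and /^[ ]*$/d,
    then s^@name@^value^g) and rejects any placeholder left unfilled."""
    validate(values)
    out = []
    for line in template.splitlines():
        if re.match(r"^[ \t]*(#|$)", line):
            continue                      # comment or blank line
        line = PLACEHOLDER.sub(lambda m: values.get(m.group(1), m.group(0)), line)
        unresolved = PLACEHOLDER.findall(line)
        if unresolved:
            raise ValueError(f"unresolved placeholder(s) {unresolved} in: {line}")
        out.append(line)
    return "\n".join(out) + "\n"


def render_errors(template, values):
    """Return the error message render() would raise, or None if it succeeds."""
    try:
        render(template, values)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed answers: the defaults the shell script and template show.
    answers = {
        "tftp_ip": "172.27.180.112",
        "prov_dns": "172.27.182.82,172.27.182.81",
        "network_base": "172.27.192",
        "ldap_pass": "changeme",
    }
    print(render(TEMPLATE, answers), end="")
```

The rendered text contains the LDAP password in clear, exactly as the script's /tmp/cnr.$$ does, so whatever writes it to disk should use owner-only permissions and delete the file after nrcmd has consumed it.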
Example 5-3 is an example configuration for the Cable Lab uBR. The interface Cable4/0 portion of the file corresponds to the scopes configured by the configuration file in Example 5-1: its four addresses 172.27.192.1, .17, .33 and .49 (each with mask 255.255.255.240) are the router addresses of the four /28 scopes that the template creates at @network_base@.0, .16, .32 and .48. Note that this lab configuration uses placeholder credentials throughout (no service password-encryption, enable and vty password cisco, DOCSIS shared secret cisco, and a read-write SNMP community of public); replace them before the configuration is used on a production CMTS.

```
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
boot system flash slot0:ubr7200-p-mz.120-4.T.bin
enable password cisco
!
no cable qos permission create
no cable qos permission update
cable qos permission modems
ip subnet-zero
ip domain-name cisco.com.
ip name-server 161.44.128.10
ip name-server 198.92.30.32
ip name-server 171.69.2.81
ip dhcp relay information option
!
!
!
interface FastEthernet0/0
 ip address 172.27.182.119 255.255.255.240
 no ip directed-broadcast
!
interface ATM1/0
 no ip address
 no ip directed-broadcast
 shutdown
 no atm ilmi-keepalive
!
interface Cable4/0
 ip address 172.27.192.33 255.255.255.240 secondary
 ip address 172.27.192.49 255.255.255.240 secondary
 ip address 172.27.192.17 255.255.255.240 secondary
 ip address 172.27.192.1 255.255.255.240
 no ip directed-broadcast
 ip helper-address 172.27.192.139
 no keepalive
 cable shared-secret 0 cisco
 cable dhcp-giaddr primary
 cable helper-address 172.27.180.115
 cable downstream annex B
 cable downstream modulation 64qam
 cable downstream interleave-depth 32
 cable downstream frequency 477000000
 cable upstream 0 frequency 26000000
 cable upstream 0 power-level 0
 no cable upstream 0 shutdown
!
interface Cable5/0
 ip address 172.27.192.81 255.255.255.240 secondary
 ip address 172.27.192.97 255.255.255.240 secondary
 ip address 172.27.192.113 255.255.255.240 secondary
 ip address 172.27.192.65 255.255.255.240
 no ip directed-broadcast
 no keepalive
 cable dhcp-giaddr primary
 cable downstream annex B
 cable downstream modulation 64qam
 cable downstream interleave-depth 32
 cable downstream frequency 477000000
 cable upstream 0 frequency 26000000
 cable upstream 0 power-level 0
 no cable upstream 0 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.27.182.118
ip route 172.27.192.64 255.255.255.192 Null0
no ip http server
!
snmp-server engineID local 0000000902000050731EE100
snmp-server community public RW
!
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password cisco
 login
!
end
```
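The correspondence between the template's scopes and the uBR interface is easy to get wrong when the network base or the scope size changes (the template header warns that widening the ranges beyond 16 addresses needs manual editing). The following added example, not part of the CSRC documentation, derives the four-scope layout for any network base and prefix length (prefix length 28 reproduces the template exactly), emits the corresponding scope, addrange and routers commands, and checks an IOS interface stanza against that plan: every scope's router address must be configured on the interface with the matching mask, and the interface's primary address must belong to scopeCableModem, since `cable dhcp-giaddr primary` relays with the primary address and the template names scopeCableModem as the primary-scope of the other three. The embedded Cable4/0 excerpt is copied from Example 5-3; the function names are the example's own.

```python
"""Derive the CSRC scope layout from a network base and check it against the
uBR cable interface addresses.

Added example, not part of the CSRC documentation. It generalizes the
template's fixed layout (four 16-address scopes at .0, .16, .32 and .48
with routers .1, .17, .33 and .49) to any prefix length, and verifies
that each scope's router address is configured on the uBR interface with
the matching mask, and that the interface's primary address belongs to
scopeCableModem, the primary-scope of the other three in the template.
"""
import ipaddress
import re

# Scope names in the order the template lays them out in the address space.
SCOPES = ("scopeCableModem", "scopeCableModemUnprov", "scopeComputer", "scopeComputerUnprov")

# Excerpt of interface Cable4/0 from Example 5-3.
UBR_CABLE4 = """\
interface Cable4/0
 ip address 172.27.192.33 255.255.255.240 secondary
 ip address 172.27.192.49 255.255.255.240 secondary
 ip address 172.27.192.17 255.255.255.240 secondary
 ip address 172.27.192.1 255.255.255.240
 no ip directed-broadcast
 ip helper-address 172.27.192.139
 cable dhcp-giaddr primary
!
"""

IP_ADDRESS_LINE = re.compile(r"^\s*ip address (\S+) (\S+)( secondary)?\s*$")


def plan_scopes(network_base, prefixlen=28):
    """Return {scope: {"network", "router", "first", "last"}} for four
    consecutive subnets of the given size starting at network_base.0.

    prefixlen=28 reproduces the template; a shorter prefix is the
    "widen the scope address ranges" case its header says needs
    manual editing of the scope and addrange commands."""
    first = ipaddress.IPv4Network(f"{network_base}.0/{prefixlen}")
    size = first.num_addresses
    plan = {}
    for i, name in enumerate(SCOPES):
        net = ipaddress.IPv4Network((int(first.network_address) + i * size, prefixlen))
        hosts = list(net.hosts())          # excludes network and broadcast addresses
        plan[name] = {
            "network": net,
            "router": str(hosts[0]),       # scope-policy <scope> setoption routers
            "first": str(hosts[1]),        # addrange start: the router address is excluded
            "last": str(hosts[-1]),        # addrange end
        }
    return plan


def nrcmd_scope_commands(plan):
    """The create/addrange/routers commands for the plan, in the template's form
    (the policy, selection-tags and primary-scope arguments are omitted here)."""
    lines = []
    for name, s in plan.items():
        net = s["network"]
        lines.append(f"scope {name} create {net.network_address} {net.netmask}")
        lines.append(f"scope {name} addrange {s['first']} {s['last']}")
        lines.append(f"scope-policy {name} setoption routers {s['router']}")
    return lines


def interface_addresses(config, ifname):
    """Return [(IPv4Interface, is_secondary)] from one interface stanza of an IOS config."""
    addrs, inside = [], False
    for line in config.splitlines():
        if not line.startswith(" "):       # stanza lines are indented; anything else ends it
            inside = line.startswith("interface ") and line.split(None, 1)[1] == ifname
            continue
        m = IP_ADDRESS_LINE.match(line)
        if inside and m:
            iface = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
            addrs.append((iface, m.group(3) is not None))
    return addrs


def check_ubr_against_plan(plan, config, ifname):
    """Return a list of mismatches between the scope plan and the uBR interface;
    an empty list means the interface can relay into every scope."""
    addrs = interface_addresses(config, ifname)
    configured = {str(a.ip): a.network for a, _ in addrs}
    problems = []
    for name, s in plan.items():
        net = configured.get(s["router"])
        if net is None:
            problems.append(f"{name}: router {s['router']} is not configured on {ifname}")
        elif net != s["network"]:
            problems.append(f"{name}: {s['router']} is in {net} on {ifname}, scope is {s['network']}")
    # 'cable dhcp-giaddr primary' relays with the primary address; the template
    # points the other scopes at scopeCableModem via primary-scope, so giaddr
    # has to fall inside scopeCableModem for CNR to find the scope group.
    primary = [str(a.ip) for a, secondary in addrs if not secondary]
    if primary != [plan["scopeCableModem"]["router"]]:
        problems.append(f"primary address {primary} is not scopeCableModem's router")
    return problems


if __name__ == "__main__":
    plan = plan_scopes("172.27.192")
    print("\n".join(nrcmd_scope_commands(plan)))
    print(check_ubr_against_plan(plan, UBR_CABLE4, "Cable4/0") or "uBR matches plan")
```

Run against the Example 5-3 stanza the check returns no problems; changing the network base to 172.27.193 or the prefix length to 27 without also editing the uBR addresses produces a mismatch for every scope, which is the situation the template header warns about.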
The passwords stored in the csrc.cfg file are encoded. If you change the LDAP or Cisco Network Registrar (CNR) password for the account that CSRC uses, you must update the password in the csrc.cfg file on each CSRC server host on which the file is present. To do this, you must first encode the password, using the csrcencode utility in the /opt/csrc/bin directory.
To encode a password, enter the following command:

```
# csrcencode password <encoded password>
```

where password is the password you want to encode and <encoded password> is the encoded password string that results from the command's execution.
After you encode the new password, you can copy the encoded password string and insert it into the csrc.cfg file in place of the previous password string.
Posted: Fri Oct 15 12:55:25 PDT 1999
Copyright 1989-1999 © Cisco Systems Inc.