# CPNR Training - Day 1 Weds 24/6/20

## Information for Lab

### Local Servers

| # | Name | Public IP | Private IP | IPv6 Address |
|---|------|-----------|------------|--------------|
| 1 | Usman | | 172.30.0.21 | 2600:1f16:568:6600:5a77:a921:f3cc:8476 |
| 2 | Peter | 18.223.209.229 | 172.30.0.103 | 2600:1f16:568:6600:ca8e:bbe0:7086:d78c |
| 3 | Jimmy | | 172.30.0.25 | 2600:1f16:568:6600:c27e:10ea:9d20:5373 |
| 4 | Darren | | 172.30.0.30 | 2600:1f16:568:6600:8717:2860:16f6:f78a |
| 5 | Matt | | | |

### Local Servers (Backup)

| # | Name | Public IP | Private IP | IPv6 Address |
|---|------|-----------|------------|--------------|
| 1 | | | 172.30.0.8 | 2600:1f16:568:6600:f121:3ff8:9120:fb50 |
| 2 | Peter | 3.17.186.71 | 172.30.0.149 | 2600:1f16:568:6600:55de:926d:2037:3055 |
| 3 | | | 172.30.0.239 | 2600:1f16:568:6600:5f6:2dba:37ba:a114 |
| 4 | | | 172.30.0.207 | 2600:1f16:568:6600:fc44:f6e3:401:1f44 |

### Regional Server

| Public IP Addr. | Private IPv6 Address | Private IP Addr. |
|-----------------|----------------------|------------------|
| 3.135.214.170 | 2600:1f16:568:6600:f0b:72e3:26f0:1fe5 | 172.30.0.242 |

### Classroom DNS Server

| Public IP Addr. | Private IPv6 Address | Private IP Addr. |
|-----------------|----------------------|------------------|
| 18.217.212.106 | 2600:1f16:568:6600:a86e:e695:4711:3d64 | 172.30.0.9 |

## Architecture

Regional does not run any applications (DHCP, DNS etc.); management only (licensing etc.).

- SCP - Server Configuration Protocol
- PNR Server Agent
- Tomcat Servlet Engine
- CCM (Central Configuration Manager) Server

Regional >> Local Cluster >> Backup Cluster

## Installation

Pre-req:

- Java 1.6 JDK required for installation
- License Key required for installation
- install_cnr script that uses RPM
- Need to generate certs

Verify installation with

```bash
/opt/nwreg2/local|regional/usrbin/cnr_status
```

Licensing:

- Base-System
- Base-dhcp

### Lab and answers

If you make a mistake and mis-specify the regional server IP, this can be corrected in cnr.conf.

```bash
[ip-172-30-0-103 Linux]# /opt/nwreg2/local/usrbin/cnr_status
DNS Server running (pid: 20808)
DHCP Server running (pid: 20809)
Server Agent running (pid: 20735)
CCM Server running (pid: 20740)
WEB Server running (pid: 20741)
CNRSNMP Server running (pid: 20743)
RIC Server Running (pid: 20742)
TFTP Server is not running
DNS Caching Server is not running
```

1. How many Cisco PNR components (DNS, WEB, etc.) are running? 7
2. What is the process ID (PID) of the DHCP server process? 20809

   List the names of the processes: DNS Server, DHCP Server, Server Agent, Web Server, CNRSNMP, RIC Server
3. Are all of the servers running? No
5. Which ones are not running? TFTP and DNS Caching Server

## Regional Server

Three modes for the web UI - standard, advanced and expert. The latter two are level 3, standard is 5.

Local Clusters are automatically added when installed, as licensing for local clusters originates with the regional cluster. They can be added manually however (Add Cluster).

### Regional Templates

Useful for ensuring consistency throughout a multiple cluster deployment - can be deployed from regional to local. Includes:

- scope templates
- prefix templates
- link templates
- zone templates

### Synchronisation

Database synchronisation and replication of configuration occurs between regional and local clusters; SCP communicates the changes.

In the event of failure of a local server you can deactivate the local server on the regional. Once this is done you can hit rebuild to push configuration down to a new local server once that server is built. Need to build a wiki for this procedure.

The pull frequency of the local data is by default every 4 hours, so by default the data may be 4 hours old; need to cross reference with changes in scope builder.

Reinstall OS/PNR on the duff box. Once complete:

1. Click deactivate on the local server on the device.
2. Once this is done you can then hit restore to re-add data.
3. Once this is complete hit reactivate.

This doesn't include logging but will include lease data. The Resync button only confirms that connectivity and login credentials are working.

## CLI

Commands are backwards compatible; however, the output of commands may differ from previous versions.

Commands:

```
create    - creates an entry; if it already exists returns an error
delete    - removes an entry
list      - displays all objects of a given type
listnames - displays only the names of the objects of a given type
show      - shows items
listbrief - displays details on each object
```

### DHCP Edit Mode

- Staged - Changes to zones, their hosts and RRs are written to the CCM regional database. You must synchronize the zones to propagate pending changes to the local servers. May require a server reload.
- Synchronous - After committing changes to the CCM regional database, they are immediately propagated to the local servers. Changes to hosts and RRs will immediately be active, but similar to staged mode, changes to zones may also require a server reload.

Failure codes:

- 3xx—Command syntax issues
- 4xx—Connection related errors
- 5xx—Operation errors

### Lab

1. Are there any numbered codes besides 100? Yes, 109 (partial success)
2. Why did the commands fail? They didn't quite fail, but 109 does indicate some form of resource issue.

One Shot Mode:

```bash
[root@ip-172-30-0-103 ~]# /opt/nwreg2/local/usrbin/nrcmd -N admin -P changeme scope reg-1-cpe show
100 Ok
reg-1-cpe: addr=128.107.2.0; mask=255.255.255.0; policy=default; subnet=128.107.2.0/24; tenant-id=0 tag: core; vpn-id=0 name: global;
109 Ok - resource status is Critical: 4, OK: 6
```

Interactive/Shell Mode:

```bash
[root@ip-172-30-0-103 ~]# /opt/nwreg2/local/usrbin/nrcmd -N admin -P changeme
109 Ok - resource status is Critical: 4, OK: 6
session:
    cluster = localhost
    current-view = Default
    current-vpn = global
    default-format = user
    dhcp-edit-mode = synchronous
    dns-edit-mode = synchronous
    groups = superuser
    roles = superuser
    user-name = admin
    visibility = 5
nrcmd> scope reg-1-cpe show
100 Ok
reg-1-cpe:
    addr = 128.107.2.0
    allocate-first-available = [default=false]
    allocation-priority = [default=0]
    backup-pct =
    bootp = [default=disabled]
    deactivated =
    description =
    dhcp = [default=enabled]
    dns-host-bytes =
    dynamic-bootp = [default=disabled]
    embedded-policy =
    failover-backup-allocation-boundary =
    free-address-config =
    ignore-declines = [default=false]
    mask = 255.255.255.0
    ping-clients =
    ping-timeout =
    policy = default
    primary-subnet =
    renew-only =
    restrict-to-admin-allocation = [default=disabled]
    restrict-to-reservations = [default=disabled]
    selection-tag-list =
    subnet = 128.107.2.0/24
    tenant-id = 0 tag: core
    vpn-id = 0 name: global
```

Output is verbose in interactive mode. Enable advanced option listing with:

```bash
nrcmd session set visibility=3   # level 3 shows more options than level 5
```

You shouldn't typically need to change any items visible under level 3 visibility.

3. Which listed items have enabled listed as false? CDNS & TFTP

```bash
[root@ip-172-30-0-103 ~]# /opt/nwreg2/local/usrbin/nrcmd -N admin -P changeme client listnames
100 Ok - 0 objects found
109 Ok - resource status is Critical: 4, OK: 6
[root@ip-172-30-0-103 ~]# /opt/nwreg2/local/usrbin/nrcmd -N admin -P changeme scope list >> scopes
[root@ip-172-30-0-103 ~]# more scopes
100 Ok - 1 object found
reg-1-cpe: addr=128.107.2.0; mask=255.255.255.0; policy=default; subnet=128.107.2.0/24; tenant-id=0 tag: core; vpn-id=0 name: global;
109 Ok - resource status is Critical: 4, OK: 6
```

# Day 2 - 25/06/20

### Policies

Policy search order is embedded, named and then system default.

- System default - applied to all objects that don't have an option defined in a more specific policy.
- Named - Explicitly defined object attached to a scope. There will usually be a policy called default that is assigned automatically to a scope.
- Embedded - Embedded within the definition of the scope itself.

No CNR lock apparently in place for PNR8. Darren's going to look at creating a lockfile with the nr wrapper script; once done, Pete will edit the CNR lock check script to search for and alert on a lockfile over a certain age.

### Scopes

The network of a scope is determined by GIADDR. The rest of this is as per usual.

### Reservations

Used for fixed IPs as per the old business scopes.
### Lease states

- Available—Leasable
- Unavailable—Not leasable
- Leased—Held by a client
- Offered—Offered to the client
- Expired—Available when the lease grace period expires
- Pending available—Failover-related
- Other available—Failover-related

### Lab

1. Are any policies already listed in the left column? If yes, what are they? Default & Systems_Default_Policy

Recall previous commands with ctrl-p, move forward from the last commands with ctrl-n, move back with ctrl-b and forward with ctrl-f.

#### Scope Addition

1. What is the policy? Policy appears to be default
2. Can you select another policy? Yes
3. What is the range? 10.5.2.2-10.5.2.254
4. Can you change it? No, it is determined by the subnet.
5. What embedded policy options exist? [3] (dhcp-config) routers (IP address) 10.5.2.1
6. Can you change or add to the embedded policy options? Not at the moment by the look of things.
7. How many addresses will be in your scope? 149

## Troubleshooting

All the different components of PNR have states:

- Loaded—First step after the server agent starts the server (transitional).
- Initialized—Server was stopped or fails to configure.
- Unconfigured—Server is not operational because of a configuration failure (transitional).
- Stopped—Server was administratively stopped and is not running (transitional).
- Running—Server is running successfully.

Look on the web GUI for local charting for that individual DHCP server, but not the cluster. Log analyser looks good.

cnr_tactool needs to be used for sending cases to Cisco:

```bash
/opt/nwreg2/local/usrbin/cnr_tactool -N admin -P changeme -d /var/TACTOOL
```

### Lab

Step 3. Three items listed relating to failover activity are:

- failover-detail
- no-failover-activity
- no-failover-conflict

Startup log, Step 3: What port is the server using to listen for SCP connections? Port 55533

Event log: Are there any new error messages? There are error messages but they are not recent.
# Day 3

## Expressions

Enhanced client class support. An expression takes an input and produces a value. Read only - it does not modify the packet. Used to "look" at an input packet and produce from its contents a "value" to be used for a variety of purposes:

- Client class
- Client specifier for client lookup
- Subscriber-id to tie CPEs together to a subscriber (limitation-id)
- Client's identity (DNS name)

To set the client class from an expression:

```
(try
  (or
    (if (equal (request get option "relay-agent-info" "remote-id")
               (request get "chaddr"))
        "cm-class")
    (if (equal (substring (request get option "vendor-class-id") 1 6)
               "docsis")
        "docsis-cm-class"))
  null)
```

If the remote-id sub-option of relay-agent-info is the same as the chaddr, the client class is set to cm-class. Otherwise, if the substring of vendor-class-id selected by (substring ... 1 6) equals "docsis", the class is set to docsis-cm-class. The try wraps the whole expression so an error yields null rather than a failure. Flow chart explanation in the Day 3 slides.

## DHCP Extensions

Perform additional functions that PNR cannot do. They affect how the DHCP server processes and responds to a request. Written in TCL or C/C++; the compiled mode for extensions must match the bitness of PNR (32/64).

Extensions are executed at specific extension points in processing:

- init-entry—Extension point that the DHCP server calls when it configures or unconfigures the extension. Occurs when starting, stopping, or reloading the server. The entry point has the same signature as the others for the extension. Required for DHCPv6 processing. Dictionaries: environment only
- pre-packet-decode—First extension point that the DHCP server encounters when a request arrives. Calls it before decoding the packet. Dictionaries: request and environment
- post-packet-decode—Rewrites the input packet. Dictionaries: request and environment
- post-class-lookup—Evaluates the result of the client-class-lookup-id operation on the client-class. Dictionaries: request and environment

### Lab 11 recovering the database

Q1. Are there any .bak files in /var/nwreg/local/data/? Yes there are - dhcp.bak:

```bash
[root@ip-172-30-0-103 data]# ls
ccm      cdns          dhcp      dhcpeventstore  dns.bak
ccm.bak  cnrdbversion  dhcp.bak  dns             tftp
```

To create a .bak file enter the command:

```bash
/opt/nwreg2/local/usrbin/cnr_shadow_backup
```

There are 8 databases in the ccm database ndb directory. There is only one dhcp.ndb file. Every time the dhcp.ndb file is rebuilt the dhcpeventstore directory is emptied.

> **There is a cnr_shadow_backup in the bin directory also, but it will not work. You must use the usrbin version.**

Procedure to recover the DHCP DB:

- Step 1 Verify that all the processes are not running, by running the `/opt/nwreg2/local/usrbin/cnr_status` command.
- Step 2 You can now execute any or all of the desired processes from the "Recommended Backup and Recovery Strategy" document provided for practice. It is recommended that you get a soft copy so that you can cut and paste the text into your server window. This approach prevents errors and is much easier than typing all of them.
- Step 3 When you have finished experimenting and practicing, restore Cisco PNR to operation: `/etc/init.d/nwreglocal start`
- Step 4 Verify that all the processes are running after about two minutes: `/opt/nwreg2/local/usrbin/cnr_status`

The "Recommended Backup and Recovery Strategy" document has been requested from Bob and will be uploaded to the Confluence training site at https://globe.upc.biz/confluence/pages/viewpage.action?pageId=55794815
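Steps 1 and 4 of the recovery procedure, and the Day 1 cnr_status lab questions, all come down to reading cnr_status output. The following POSIX sh helper is an added example (not from the course or Cisco) that parses that output into the lab answers (running count, a component's PID, what is down) and polls it until the expected number of components is back; the sample output is a constructed copy of the Day 1 capture, and the 5-second poll interval is an assumption.

```shell
#!/bin/sh
# Constructed sample mirroring the Day 1 cnr_status capture (not live output).
SAMPLE_STATUS='DNS Server running (pid: 20808)
DHCP Server running (pid: 20809)
Server Agent running (pid: 20735)
CCM Server running (pid: 20740)
WEB Server running (pid: 20741)
CNRSNMP Server running (pid: 20743)
RIC Server Running (pid: 20742)
TFTP Server is not running
DNS Caching Server is not running'

# Number of components reporting a PID (case-insensitive: "RIC Server Running").
cnr_running_count() {
    printf '%s\n' "$1" | grep -ci 'running (pid:'
}

# PID of the named component, e.g. "DHCP Server"; empty when it is not running.
# Anchoring on the full name keeps "DNS Server" from matching "DNS Caching Server".
cnr_pid() {
    printf '%s\n' "$2" | sed -n "s/^$1 [Rr]unning (pid: \([0-9]*\)).*/\1/p"
}

# Comma-separated list of components that report "is not running".
cnr_not_running() {
    printf '%s\n' "$1" | sed -n 's/ is not running$//p' | tr '\n' ',' | sed 's/,$//'
}

# Poll a status command ($1, normally the cnr_status path) until it reports at
# least $2 running components or $3 seconds have passed; 0 on success, 1 on
# timeout. Covers Step 4's "verify after about two minutes" without guessing.
cnr_wait_running() {
    cmd=$1 want=$2 deadline=$(( $(date +%s) + $3 ))
    while :; do
        out=$($cmd 2>/dev/null) || out=''
        [ "$(cnr_running_count "$out")" -ge "$want" ] && return 0
        [ "$(date +%s)" -lt "$deadline" ] || return 1
        sleep 5
    done
}
```

For Step 1 the same parser applies in reverse: a non-empty result from cnr_pid for any component means the shutdown has not completed and the recovery steps must wait.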