If the software version on an Exadata Cisco switch is very old, it shows up as a vulnerability in security scans. Using the information in the Oracle Support document (referenced at the end) as a guide, we upgraded the switch software to a newer version as shown below.
Upgrading the old Cisco switch firmware on Exadata X3:
[oracle@odbtst01 ~]$ telnet 10.10.10.10
Trying 10.10.10.10...
Connected to odbswc0.domain.local (10.10.10.10).
Escape character is '^]'.

User Access Verification

Password:
odbswc0>show version
Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500e-IPBASEK9-M), Version 15.1(1)SG, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Sun 15-Apr-12 02:55 by prod_rel_team

ROM: 12.2(44r)SG11
odbswc0 uptime is 4 years, 37 weeks, 2 days, 23 hours, 55 minutes
System returned to ROM by power-on
System restarted at 15:15:39 GDT Tue Jul 2 2013
System image file is "bootflash:cat4500e-ipbasek9-mz.151-1.SG.bin"
Hobgoblin Revision 21, Fortooine Revision 1.40

This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to export@cisco.com.

cisco WS-C4948E-F (MPC8548) processor (revision 8) with 1048576K bytes of memory.
Processor board ID CAT1711S3M5
MPC8548 CPU at 1GHz, Cisco Catalyst 4948E-F
Last reset from PowerUp
2 Virtual Ethernet interfaces
48 Gigabit Ethernet interfaces
4 Ten Gigabit Ethernet interfaces
511K bytes of non-volatile configuration memory.

Configuration register is 0x2102

odbswc0>dir bootflash:
             ^
% Invalid input detected at '^' marker.

odbswc0>enable
Password:
odbswc0#dir bootflash:
Directory of bootflash:/

    6  -rw-    25213107  Mar 19 2013 14:46:08 +04:00  cat4500e-ipbase-mz.150-2.SG2.bin
    7  -rw-    32288280   Jun 5 2013 20:04:54 +04:00  cat4500e-ipbasek9-mz.151-1.SG.bin
   25  -rw-    38791882  Mar 20 2018 15:24:24 +04:00  cat4500e-ipbasek9-mz.152-2.E8.bin

128165888 bytes total (21831680 bytes free)
odbswc0#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
odbswc0(config)#no boot system
odbswc0(config)#boot system bootflash:cat4500e-ipbasek9-mz.151-1.SG.bin
odbswc0(config)#^Z
odbswc0#copy running-config startup-config all
Destination filename [startup-config]?
% VRF table-id 0 not active
odbswc0#copy running-config bootflash:cisco-ip-config-before-upgrade-151
Destination filename [cisco-ip-config-before-upgrade-151]?
% VRF table-id 0 not active
9091 bytes copied in 0.504 secs (18038 bytes/sec)
odbswc0#verify /md5 bootflash:cat4500e-ipbasek9-mz.152-2.E8.bin
....................................................................................Done!
verify /md5 (bootflash:cat4500e-ipbasek9-mz.152-2.E8.bin) = 8ae208ae2d59710a9434bca29026dd98
odbswc0#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
odbswc0(config)#config-register 0x2102
odbswc0(config)#no boot system
odbswc0(config)#boot system bootflash:cat4500e-ipbasek9-mz.152-2.E8.bin
odbswc0(config)#^Z
odbswc0#show run | include boot
boot-start-marker
boot system bootflash:cat4500e-ipbasek9-mz.152-2.E8.bin
boot-end-marker
snmp-server enable traps entity-diag boot-up-fail hm-test-recover hm-thresh-reached scheduled-test-fail
odbswc0#copy running-config startup-config all
Destination filename [startup-config]?
% VRF table-id 0 not active
% VRF table-id 0 not active
odbswc0#write memory
Building configuration...
% VRF table-id 0 not activeCompressed configuration from 9091 bytes to 3362 bytes[OK]

[oracle@odbtst01 ~]$ telnet 10.10.10.10
Trying 10.10.10.10...
Connected to odbswc0.domain.local (10.10.10.10).
Escape character is '^]'.

User Access Verification

Password:
odbswc0>
odbswc0>
odbswc0>enable
Password:
odbswc0#show version
Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500e-IPBASEK9-M), Version 15.2(2)E8, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2018 by Cisco Systems, Inc.
Compiled Mon 22-Jan-18 06:32 by prod_rel_team

ROM: 12.2(44r)SG11
odbswc0 uptime is 2 minutes
System returned to ROM by reload
System restarted at 16:23:00 GDT Tue Mar 20 2018
System image file is "bootflash:cat4500e-ipbasek9-mz.152-2.E8.bin"
Hobgoblin Revision 21, Fortooine Revision 1.40
Last reload reason: Reload command

This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to export@cisco.com.

cisco WS-C4948E-F (MPC8548) processor (revision 8) with 1048576K bytes of memory.
Processor board ID CAT1711S3M5
MPC8548 CPU at 1GHz, Cisco Catalyst 4948E-F
Last reset from Reload
2 Virtual Ethernet interfaces
48 Gigabit Ethernet interfaces
4 Ten Gigabit Ethernet interfaces
511K bytes of non-volatile configuration memory.

Configuration register is 0x2102
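Before the reload, three things decide what the switch comes back with: the hash of the new image, the `boot system` variable and the configuration register; after the reload, `show version` confirms the result. The Python script below is an added example written for this post (it is not part of the Oracle note or the author's procedure) that parses the outputs shown above and checks them against the intended image. The expected MD5 in it is a placeholder copied from the switch's own `verify /md5` line; in real use it must be the hash published with the image, because a digest computed on the device only proves the upload was not corrupted, not that the file is genuine.

```python
import re

# Constructed samples: the switch output from the upgrade session above,
# trimmed to the lines the checks need.
PRE_SHOW_VERSION = """\
Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500e-IPBASEK9-M), Version 15.1(1)SG, RELEASE SOFTWARE (fc3)
ROM: 12.2(44r)SG11
odbswc0 uptime is 4 years, 37 weeks, 2 days, 23 hours, 55 minutes
System image file is "bootflash:cat4500e-ipbasek9-mz.151-1.SG.bin"
Configuration register is 0x2102
"""

POST_SHOW_VERSION = """\
Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500e-IPBASEK9-M), Version 15.2(2)E8, RELEASE SOFTWARE (fc1)
ROM: 12.2(44r)SG11
odbswc0 uptime is 2 minutes
System image file is "bootflash:cat4500e-ipbasek9-mz.152-2.E8.bin"
Last reload reason: Reload command
Configuration register is 0x2102
"""

SHOW_RUN_BOOT = """\
boot-start-marker
boot system bootflash:cat4500e-ipbasek9-mz.152-2.E8.bin
boot-end-marker
snmp-server enable traps entity-diag boot-up-fail hm-test-recover hm-thresh-reached scheduled-test-fail
"""

VERIFY_MD5 = """\
....................................................................................Done!
verify /md5 (bootflash:cat4500e-ipbasek9-mz.152-2.E8.bin) = 8ae208ae2d59710a9434bca29026dd98
"""

TARGET_IMAGE = "bootflash:cat4500e-ipbasek9-mz.152-2.E8.bin"
# PLACEHOLDER: the digest the switch printed above. In practice this must be
# the MD5 published with the image, not a value read back from the device.
EXPECTED_MD5 = "8ae208ae2d59710a9434bca29026dd98"


def parse_show_version(text):
    """Pull the fields a post-upgrade check needs out of `show version`."""
    info = {}
    m = re.search(r"Version (\S+), RELEASE SOFTWARE", text)
    info["version"] = m.group(1) if m else None
    m = re.search(r'System image file is "([^"]+)"', text)
    info["image"] = m.group(1) if m else None
    m = re.search(r"Configuration register is (0x[0-9A-Fa-f]+)", text)
    info["config_register"] = m.group(1) if m else None
    return info


def version_key(version):
    """Numeric key for IOS 'major.minor(maint)'. The train suffix (SG, E8)
    is deliberately ignored, so only compare releases of the same train."""
    m = re.match(r"(\d+)\.(\d+)\((\d+)\)", version)
    if not m:
        raise ValueError(f"unparseable IOS version: {version!r}")
    return tuple(int(x) for x in m.groups())


def parse_boot_system(text):
    """Images listed by `boot system` lines, in boot order."""
    return [line.split(None, 2)[2].strip() for line in text.splitlines()
            if line.startswith("boot system ")]


def parse_verify_md5(text):
    """(file, digest) from the `verify /md5 (...) = ...` result line."""
    m = re.search(r"verify /md5 \(([^)]+)\) = ([0-9a-fA-F]{32})", text)
    if not m:
        raise ValueError("no 'verify /md5' result line found")
    return m.group(1), m.group(2).lower()


def check_upgrade(pre_text, boot_text, verify_text, post_text, target_image, expected_md5):
    """Return a list of problems; an empty list means the upgrade is consistent."""
    problems = []
    pre = parse_show_version(pre_text)
    post = parse_show_version(post_text)

    verified_file, digest = parse_verify_md5(verify_text)
    if verified_file != target_image:
        problems.append(f"md5 was computed for {verified_file}, not {target_image}")
    if digest != expected_md5.lower():
        problems.append(f"md5 mismatch for {target_image}: {digest} != {expected_md5}")

    boot_images = parse_boot_system(boot_text)
    if boot_images != [target_image]:
        problems.append(f"boot system list is {boot_images}, expected [{target_image!r}]")

    # 0x2102 is the normal register value that honours the boot system list.
    if post["config_register"] != "0x2102":
        problems.append(f"config register is {post['config_register']}, expected 0x2102")
    if post["image"] != target_image:
        problems.append(f"switch booted {post['image']}, expected {target_image}")
    if version_key(post["version"]) <= version_key(pre["version"]):
        problems.append(f"running version {post['version']} is not newer than {pre['version']}")
    return problems


if __name__ == "__main__":
    issues = check_upgrade(PRE_SHOW_VERSION, SHOW_RUN_BOOT, VERIFY_MD5,
                           POST_SHOW_VERSION, TARGET_IMAGE, EXPECTED_MD5)
    print("upgrade consistent" if not issues else "\n".join(issues))
```

`version_key` only orders the numeric part of the release string, which is enough to confirm that 15.2(2) is newer than 15.1(1) but says nothing about the train letters; two releases from different trains should be compared against the vendor's release notes rather than with this key.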
SSH ENABLE:
[oracle@odbtst01 ~]$ telnet 10.10.10.10
Trying 10.10.10.10...
Connected to odbswc0.domain.local (10.10.10.10).
Escape character is '^]'.

User Access Verification

Password:
odbswc0>
odbswc0>enable
Password:
Password:
Password:
odbswc0#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
odbswc0(config)#crypto key generate rsa
The name for the keys will be: odbswc0.domain.local
Choose the size of the key modulus in the range of 360 to 4096 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 768
% Generating 768 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)

odbswc0(config)#username admin password 0 welcome1
odbswc0(config)#line vty 0 4
odbswc0(config-line)#transport input all
odbswc0(config-line)#exit
odbswc0(config)#aaa new-model
odbswc0(config)#
odbswc0(config)#ip ssh time-out 60
odbswc0(config)#ip ssh authentication-retries 3
odbswc0(config)#ip ssh version 2
odbswc0(config)#^Z
odbswc0#show ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
MAC Algorithms:hmac-sha1,hmac-sha1-96
Authentication timeout: 60 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAYQC0KJhEYgJTdEer5Jwa4YnWw4BmM1XAok5JQM0OprmC
g4PjeSjcRi99KmrMjoIuok0VHIxUF1pDzjHIPDT4A/eLQ/QYQ1o1oeIywIkbaVK+Yqc7DfxUelsaeipu
Ndvg9KU=
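Two details of the `show ip ssh` output above deserve a closer look. The 768-bit modulus accepted at the `How many bits in the modulus` prompt is well below the 2048-bit minimum in current guidance, and modern OpenSSH clients refuse RSA host keys shorter than 1024 bits outright; the cipher and MAC lists also still offer CBC modes, 3DES and the truncated hmac-sha1-96. The `username admin password 0 ...` line from the same session stores the password in clear text in the configuration (the `username ... secret` form is the hashed alternative). The Python below is an added example, not code from the post or from Cisco: it decodes the printed `ssh-rsa` key to measure the modulus directly and flags the settings just named; the 2048-bit thresholds are an assumed policy, and the trailing prompt line in the sample is constructed to show that the key re-joining stops at the right place.

```python
import base64
import re
import struct

# Constructed sample: the `show ip ssh` output from the session above, with the
# base64 key as the terminal wrapped it and the prompt that followed it.
SHOW_IP_SSH = """\
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
MAC Algorithms:hmac-sha1,hmac-sha1-96
Authentication timeout: 60 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAYQC0KJhEYgJTdEer5Jwa4YnWw4BmM1XAok5JQM0OprmC
g4PjeSjcRi99KmrMjoIuok0VHIxUF1pDzjHIPDT4A/eLQ/QYQ1o1oeIywIkbaVK+Yqc7DfxUelsaeipu
Ndvg9KU=
odbswc0#
"""

MIN_RSA_BITS = 2048   # assumed policy minimums, not values from the page
MIN_DH_BITS = 2048
B64_LINE = re.compile(r"[A-Za-z0-9+/=]+")


def extract_key_b64(text):
    """Re-join the wrapped base64 key that follows the 'ssh-rsa' token.
    Continuation lines are accepted only while they look like base64;
    '=' padding or a prompt line ends the key."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("ssh-rsa "):
            parts = [line.split(None, 1)[1].strip()]
            for cont in lines[i + 1:]:
                cont = cont.strip()
                if not cont or not B64_LINE.fullmatch(cont):
                    break
                parts.append(cont)
                if cont.endswith("="):
                    break
            return "".join(parts)
    return None


def ssh_fields(blob):
    """Split an RFC 4251 wire blob into its length-prefixed fields."""
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + n > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[off:off + n])
        off += n
    return fields


def rsa_key_info(key_b64):
    """Decode an ssh-rsa public key: fields are type, e, n (mpints, big-endian,
    possibly with a leading 0x00 sign byte). Returns modulus size and exponent."""
    fields = ssh_fields(base64.b64decode(key_b64, validate=True))
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa public key")
    e = int.from_bytes(fields[1], "big")
    n = int.from_bytes(fields[2], "big")
    return {"modulus_bits": n.bit_length(), "exponent": e}


def parse_show_ip_ssh(text):
    info = {"version": None, "ciphers": [], "macs": [], "dh_min_bits": None,
            "key_b64": extract_key_b64(text)}
    for line in text.splitlines():
        if (m := re.match(r"SSH Enabled - version (\S+)", line)):
            info["version"] = m.group(1)
        elif (m := re.match(r"Encryption Algorithms:(.*)", line)):
            info["ciphers"] = [c.strip() for c in m.group(1).split(",") if c.strip()]
        elif (m := re.match(r"MAC Algorithms:(.*)", line)):
            info["macs"] = [c.strip() for c in m.group(1).split(",") if c.strip()]
        elif (m := re.match(r"Minimum expected Diffie Hellman key size\s*:\s*(\d+) bits", line)):
            info["dh_min_bits"] = int(m.group(1))
    return info


def audit_show_ip_ssh(text):
    """Parse `show ip ssh` and return the parsed facts plus a list of findings."""
    info = parse_show_ip_ssh(text)
    findings = []
    if info["version"] != "2.0":
        findings.append(f"SSH version {info['version']}: protocol 1 still allowed; set 'ip ssh version 2'")
    info["weak_ciphers"] = [c for c in info["ciphers"] if "cbc" in c or c.startswith("3des")]
    if info["weak_ciphers"]:
        findings.append("CBC/3DES ciphers offered: " + ", ".join(info["weak_ciphers"]))
    info["weak_macs"] = [m for m in info["macs"] if m.endswith("-96") or "md5" in m]
    if info["weak_macs"]:
        findings.append("truncated or MD5 MACs offered: " + ", ".join(info["weak_macs"]))
    if info["dh_min_bits"] is not None and info["dh_min_bits"] < MIN_DH_BITS:
        findings.append(f"DH group minimum {info['dh_min_bits']} bits is below {MIN_DH_BITS}")
    if info["key_b64"]:
        info.update(rsa_key_info(info["key_b64"]))
        if info["modulus_bits"] < MIN_RSA_BITS:
            findings.append(f"host key is RSA-{info['modulus_bits']}; regenerate with "
                            f"'crypto key generate rsa modulus {MIN_RSA_BITS}'")
    info["findings"] = findings
    return info


if __name__ == "__main__":
    result = audit_show_ip_ssh(SHOW_IP_SSH)
    print(f"host key: RSA-{result['modulus_bits']}, e={result['exponent']}")
    for finding in result["findings"]:
        print("FINDING:", finding)
```

Run against the output above, the decoder reports a 768-bit modulus with e = 65537 and four findings (key size, CBC/3DES ciphers, hmac-sha1-96, 1024-bit DH minimum); the SSH version check passes because `ip ssh version 2` was set.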
DISABLE TELNET:
odbswc0#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
odbswc0(config)#line vty 0 4
odbswc0(config-line)#transport input ssh
odbswc0(config-line)#exit
odbswc0#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
odbswc0(config)#line vty 5 15
odbswc0(config-line)#transport input ssh
odbswc0(config-line)#exit
SNMP DISABLE:
[root@odbtst02 ~]# ssh admin@10.10.10.10
The authenticity of host '10.10.10.10 (10.10.10.10)' can't be established.
RSA key fingerprint is 1a:a4:55:b4:ec:d0:e3:1f:77:75:ed:59:ab:29:e3:ed.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.10.10' (RSA) to the list of known hosts.
Password:
odbswc0>
odbswc0>enable
Password:
odbswc0#show running-config | include snmp-server
snmp-server community public RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps flowmon
snmp-server enable traps transceiver all
snmp-server enable traps call-home message-send-fail server-fail
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps auth-framework sec-violation
snmp-server enable traps flex-links status
snmp-server enable traps fru-ctrl
snmp-server enable traps entity
snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config
snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up
snmp-server enable traps ether-oam
snmp-server enable traps aaa_server
snmp-server enable traps flash insertion removal
snmp-server enable traps power-ethernet police
snmp-server enable traps cpu threshold
snmp-server enable traps rep
snmp-server enable traps udld link-fail-rpt status-change
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps entity-diag boot-up-fail hm-test-recover hm-thresh-reached scheduled-test-fail
snmp-server enable traps port-security
snmp-server enable traps ethernet evc status create delete
snmp-server enable traps energywise
snmp-server enable traps event-manager
snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps stpx inconsistency root-inconsistency loop-inconsistency
snmp-server enable traps syslog
snmp-server enable traps ipsla
snmp-server enable traps ike policy add
snmp-server enable traps ike policy delete
snmp-server enable traps ike tunnel start
snmp-server enable traps ike tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps errdisable
snmp-server enable traps ethernet cfm alarm
snmp-server enable traps vlan-membership
snmp-server enable traps rf
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps vrfmib vrf-up vrf-down vnet-trunk-up vnet-trunk-down
snmp-server host 10.10.10.11 public
snmp-server host 10.10.10.12 public
odbswc0#
odbswc0#
odbswc0#enable
odbswc0#config term
Enter configuration commands, one per line.  End with CNTL/Z.
odbswc0(config)#no snmp-server
odbswc0(config)#^Z
odbswc0#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
Compressed configuration from 5885 bytes to 2157 bytes[OK]
odbswc0#show running-config | include snmp-server
odbswc0#
odbswc0#exit
Reference: How To Update Exadata Management Network Switch Firmware (Doc ID 1593004.1)