Cisco

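Showing hidden policies in the ACI GUI

I previously wrote a note titled "In ACI, is a configuration named '__ui' not shown in the GUI??". Including the points from that note, policies whose names begin with __ui_ have the following special characteristics.

  • GUI
    • Not shown in the GUI
    • Can be made visible in the GUI by changing a setting
    • However, cannot be deleted or modified from the GUI
  • CLI
    • Shown in the CLI
    • However, not shown in the help (candidates) displayed with ?
    • Can be deleted or modified from the CLI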

The official documentation is wrong about the User-Agent of ThousandEyes web tests

According to ThousandEyes' Default User-Agent Strings, the User-Agent for an HTTP Server Test is documented as User-Agent: curl/7.51.0-DEV.

However, capturing the actual packets shows the following.

  • The header is User-Agent: curl (differs from the official documentation)
  • X-ThousandEyes-Agent: yes is also added

Capture with the default User-Agent

Below is example output actually captured with tshark. It shows User-Agent: curl and X-ThousandEyes-Agent: yes.

# tshark -i eth0 -n -V -Y "http.request"
Running as user "root" and group "root". This could be dangerous.
Capturing on 'eth0'
Frame 27: 292 bytes on wire (2336 bits), 292 bytes captured (2336 bits) on interface 0
    Interface id: 0
    Encapsulation type: Ethernet (1)
    Arrival Time: Sep  2, 2022 05:45:51.296784160 UTC
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1662097551.296784160 seconds
    [Time delta from previous captured frame: 0.000056665 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 98.193993688 seconds]
    Frame Number: 27
    Frame Length: 292 bytes (2336 bits)
    Capture Length: 292 bytes (2336 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ip:tcp:http]
Ethernet II, Src: 06:c4:7f:0c:9d:3a (06:c4:7f:0c:9d:3a), Dst: 06:2d:db:37:c8:a3 (06:2d:db:37:c8:a3)
    Destination: 06:2d:db:37:c8:a3 (06:2d:db:37:c8:a3)
        Address: 06:2d:db:37:c8:a3 (06:2d:db:37:c8:a3)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: 06:c4:7f:0c:9d:3a (06:c4:7f:0c:9d:3a)
        Address: 06:c4:7f:0c:9d:3a (06:c4:7f:0c:9d:3a)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IP (0x0800)
Internet Protocol Version 4, Src: 23.248.164.42 (23.248.164.42), Dst: 192.168.224.16 (192.168.224.16)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 278
    Identification: 0x8b7e (35710)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 42
    Protocol: TCP (6)
    Header checksum: 0x6788 [validation disabled]
        [Good: False]
        [Bad: False]
    Source: 23.248.164.42 (23.248.164.42)
    Destination: 192.168.224.16 (192.168.224.16)
Transmission Control Protocol, Src Port: 53264 (53264), Dst Port: 80 (80), Seq: 1, Ack: 1, Len: 226
    Source port: 53264 (53264)
    Destination port: 80 (80)
    [Stream index: 0]
    Sequence number: 1    (relative sequence number)
    [Next sequence number: 227    (relative sequence number)]
    Acknowledgment number: 1    (relative ack number)
    Header length: 32 bytes
    Flags: 0x018 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
    Window size value: 502
    [Calculated window size: 64256]
    [Window size scaling factor: 128]
    Checksum: 0xb38d [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        Timestamps: TSval 1657494759, TSecr 3271439425
            Kind: Timestamp (8)
            Length: 10
            Timestamp value: 1657494759
            Timestamp echo reply: 3271439425
    [SEQ/ACK analysis]
        [Bytes in flight: 226]
Hypertext Transfer Protocol
    GET / HTTP/1.1\r\n
        [Expert Info (Chat/Sequence): GET / HTTP/1.1\r\n]
            [Message: GET / HTTP/1.1\r\n]
            [Severity level: Chat]
            [Group: Sequence]
        Request Method: GET
        Request URI: /
        Request Version: HTTP/1.1
    Host: www.example.com\r\n
    User-Agent: curl\r\n
    Accept: */*\r\n
    Accept-Encoding: deflate, gzip\r\n
    Connection: Upgrade, HTTP2-Settings\r\n
    Upgrade: h2c\r\n
    HTTP2-Settings: AAMAAABkAARAAAAAAAIAAAAA\r\n
    X-ThousandEyes-Agent: yes\r\n
    \r\n
    [Full request URI: http://www.example.com/]
    [HTTP request 1/1]

Capture with a custom User-Agent

To customize the User-Agent, follow the procedure in Custom User-Agent Strings in a Web Test. This time it was set to CUSTOM-USER-AGENT.

The capture result is as follows.

  • User-Agent has changed to CUSTOM-USER-AGENT
  • X-ThousandEyes-Agent: yes is also added

# tshark -i eth0 -n -V -Y "http.request"
Running as user "root" and group "root". This could be dangerous.
Capturing on 'eth0'
Frame 38: 305 bytes on wire (2440 bits), 305 bytes captured (2440 bits) on interface 0
    Interface id: 0
    Encapsulation type: Ethernet (1)
    Arrival Time: Sep  2, 2022 13:35:02.650728079 UTC
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1662125702.650728079 seconds
    [Time delta from previous captured frame: 0.000039499 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 150.788132120 seconds]
    Frame Number: 38
    Frame Length: 305 bytes (2440 bits)
    Capture Length: 305 bytes (2440 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ip:tcp:http]
Ethernet II, Src: 06:c4:7f:0c:9d:3a (06:c4:7f:0c:9d:3a), Dst: 06:2d:db:37:c8:a3 (06:2d:db:37:c8:a3)
    Destination: 06:2d:db:37:c8:a3 (06:2d:db:37:c8:a3)
        Address: 06:2d:db:37:c8:a3 (06:2d:db:37:c8:a3)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: 06:c4:7f:0c:9d:3a (06:c4:7f:0c:9d:3a)
        Address: 06:c4:7f:0c:9d:3a (06:c4:7f:0c:9d:3a)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IP (0x0800)
Internet Protocol Version 4, Src: 23.248.164.42 (23.248.164.42), Dst: 192.168.224.16 (192.168.224.16)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 291
    Identification: 0xc6aa (50858)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 42
    Protocol: TCP (6)
    Header checksum: 0x2c4f [validation disabled]
        [Good: False]
        [Bad: False]
    Source: 23.248.164.42 (23.248.164.42)
    Destination: 192.168.224.16 (192.168.224.16)
Transmission Control Protocol, Src Port: 35316 (35316), Dst Port: 80 (80), Seq: 1, Ack: 1, Len: 239
    Source port: 35316 (35316)
    Destination port: 80 (80)
    [Stream index: 0]
    Sequence number: 1    (relative sequence number)
    [Next sequence number: 240    (relative sequence number)]
    Acknowledgment number: 1    (relative ack number)
    Header length: 32 bytes
    Flags: 0x018 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
    Window size value: 502
    [Calculated window size: 64256]
    [Window size scaling factor: 128]
    Checksum: 0xb668 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        Timestamps: TSval 1685646112, TSecr 3299590778
            Kind: Timestamp (8)
            Length: 10
            Timestamp value: 1685646112
            Timestamp echo reply: 3299590778
    [SEQ/ACK analysis]
        [Bytes in flight: 239]
Hypertext Transfer Protocol
    GET / HTTP/1.1\r\n
        [Expert Info (Chat/Sequence): GET / HTTP/1.1\r\n]
            [Message: GET / HTTP/1.1\r\n]
            [Severity level: Chat]
            [Group: Sequence]
        Request Method: GET
        Request URI: /
        Request Version: HTTP/1.1
    Host: www.example.com\r\n
    User-Agent: CUSTOM-USER-AGENT\r\n
    Accept: */*\r\n
    Accept-Encoding: deflate, gzip\r\n
    Connection: Upgrade, HTTP2-Settings\r\n
    Upgrade: h2c\r\n
    HTTP2-Settings: AAMAAABkAARAAAAAAAIAAAAA\r\n
    X-ThousandEyes-Agent: yes\r\n
    \r\n
    [Full request URI: http://www.example.com/]
    [HTTP request 1/1]
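
The two captures above differ in User-Agent but both carry X-ThousandEyes-Agent: yes. The following is an added example, not part of the original post, that parses `tshark -V` text and labels each request by that header and by the documented User-Agent. The sample text is constructed (frames 27 and 38 are trimmed from the captures above, frame 52 is hypothetical), and the function names are assumptions.

```python
import re

# Constructed sample: trimmed `tshark -V` text; frame 52 is a hypothetical other client.
SAMPLE = r"""
Frame 27: 292 bytes on wire (2336 bits), 292 bytes captured (2336 bits) on interface 0
Hypertext Transfer Protocol
    GET / HTTP/1.1\r\n
        Request Method: GET
    Host: www.example.com\r\n
    User-Agent: curl\r\n
    X-ThousandEyes-Agent: yes\r\n
Frame 38: 305 bytes on wire (2440 bits), 305 bytes captured (2440 bits) on interface 0
Hypertext Transfer Protocol
    User-Agent: CUSTOM-USER-AGENT\r\n
    X-ThousandEyes-Agent: yes\r\n
Frame 52: 140 bytes on wire (1120 bits), 140 bytes captured (1120 bits) on interface 0
Hypertext Transfer Protocol
    User-Agent: curl/7.51.0-DEV\r\n
"""

FRAME = re.compile(r"^Frame (\d+):")
# Header lines sit at exactly four spaces and end with a literal "\r\n" in -V output.
HEADER = re.compile(r"^ {4}([A-Za-z0-9-]+): (.*)\\r\\n$")

def parse_requests(text):
    """Return {frame_number: {lower-cased header name: value}} for each HTTP request."""
    frames, headers, in_http = {}, None, False
    for line in text.splitlines():
        if (m := FRAME.match(line)):
            headers = frames.setdefault(int(m.group(1)), {})
            in_http = False
        elif line.startswith("Hypertext Transfer Protocol"):
            in_http = True
        elif in_http and headers is not None and (h := HEADER.match(line)):
            headers[h.group(1).lower()] = h.group(2)
    return frames

def classify(text, documented_ua="curl/7.51.0-DEV"):
    """Per frame: (User-Agent, matched by marker header, matched by documented UA)."""
    return {
        n: (h.get("user-agent"),
            h.get("x-thousandeyes-agent", "").lower() == "yes",
            h.get("user-agent") == documented_ua)
        for n, h in parse_requests(text).items()
    }
```

Both values are request headers set by the client, so the result is a traffic label (for example, to separate synthetic tests from user traffic in logs), not proof of origin.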

Password requirements in ACI 6.x

For ACI version 6.x, the password requirements for local users are described in APIC Local Users as follows. They are essentially unchanged from earlier versions.

  • Minimum password length is 8 characters.
  • Maximum password length is 64 characters.
  • Has fewer than three consecutive repeated characters.
  • Must have characters from at least three of the following characters types: lowercase, uppercase, digit, symbol.
  • Does not use easily guessed passwords.
  • Cannot be the username or the reverse of the username.
  • Cannot be any variation of cisco, isco or any permutation of these characters or variants obtained by changing the capitalization of letters therein.
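
A pre-check of a candidate password against the rules in the list above, as an added example that is not from the original post or from Cisco. The function name is hypothetical; the "easily guessed" rule is not checked because the page does not give APIC's list, and the handling of the cisco/isco rule and of what counts as a symbol are assumptions marked in the comments.

```python
import re

def check_apic_password(password, username):
    """Return the list of violated rules (empty list = passes this pre-check)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if len(password) > 64:
        problems.append("longer than 64 characters")
    # "Fewer than three consecutive repeated characters": reject any run of 3+.
    if re.search(r"(.)\1\1", password):
        problems.append("three or more consecutive repeated characters")
    # Assumption: a "symbol" is any character that is not an ASCII letter or digit.
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        problems.append("fewer than three character types")
    if password in (username, username[::-1]):
        problems.append("equals the username or its reverse")
    # Assumption: the cisco/isco rule is applied conservatively, as any
    # case-insensitive substring whose letters rearrange into either word.
    # APIC's own matching may be narrower or broader than this.
    low = password.lower()
    for word in ("cisco", "isco"):
        n = len(word)
        if any(sorted(low[i:i + n]) == sorted(word) for i in range(len(low) - n + 1)):
            problems.append("contains a permutation of 'cisco' or 'isco'")
            break
    return problems
```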

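Does ACI 6.x have no link to the online help?

Up through ACI 5.x, every screen had a question mark icon, and clicking it opened the online help. This appears to have been removed in ACI 6.x: at least in 6.0(1g), currently the only 6.x release, there is no such question mark, as shown below. Strictly speaking, there is a question mark at the top right of the screen, but clicking it gives documentation links to cisco.com and ciscolive.com, and there appears to be no link to the online help as there was before.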