目錄
前言
一、ssh配置
1.FW1
2.core-sw1
3.core-sw2
二、python自動化配置防火墻
三、驗證DNAT
四、驗證DNAT
前言
視頻演示請訪問b站主頁
白帽小丑的個人空間-白帽小丑個人主頁-嗶哩嗶哩視頻
一、ssh配置
給需要自動化管理的設備配置ssh服務端用戶名和密碼
1.FW1
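# Note: do not reuse the account you are currently logged in with; create a dedicated
# management user (the tutorial's lab password is shown below).
aaa
manager-user user1
password cipher Huawei@123
level 15
service-type ssh
quit
quit
user-interface vty 0 4
authentication-mode aaa
protocol inbound all
quit
stelnet server enable
ssh user user1
ssh user user1 authentication-type password
ssh user user1 service-type stelnet
# Note: the key length must be 2048 (the two lines after the command answer its prompts)
rsa local-key-pair create
Y
2048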
2.core-sw1
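aaa
local-user huawei password cipher huawei
# "telnet" is enabled alongside "ssh" here; telnet carries the password in cleartext,
# so keep only "ssh" unless the lab needs telnet.
local-user huawei service-type ssh telnet
local-user huawei privilege level 15
quit
stelnet server enable
user-interface vty 0 4
authentication-mode aaa
protocol inbound all
quit
# the two lines after the command answer its prompts (confirm, key length 2048)
rsa local-key-pair create
Y
2048
ssh user huawei authentication-type password
ssh user huawei service-type stelnet
quit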
3.core-sw2
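aaa
local-user huawei password cipher huawei
# "telnet" is enabled alongside "ssh" here; telnet carries the password in cleartext,
# so keep only "ssh" unless the lab needs telnet.
local-user huawei service-type ssh telnet
local-user huawei privilege level 15
quit
stelnet server enable
user-interface vty 0 4
authentication-mode aaa
protocol inbound all
quit
# the two lines after the command answer its prompts (confirm, key length 2048)
rsa local-key-pair create
Y
2048
ssh user huawei authentication-type password
ssh user huawei service-type stelnet
quit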
二、python自動化配置防火墻
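import paramiko
import getpass
import time

# Management address of the firewall (FW1); edit to match the lab topology.
ip = "1.1.1.1"

# Seconds to wait after each command group so the device shell can drain its
# input buffer before the next burst. The commands are sent without waiting
# for a prompt, so this pacing is all that keeps them in order. (The original
# script slept twice at the very end; one pause is kept there.)
PAUSE = 0.2

# Internal source ranges that are both source-NATed and permitted trust->untrust.
# One list feeds both rules so the NAT policy and security policy cannot drift apart.
INTERNAL_SOURCES = [
    "172.16.0.0 16",
    "172.200.0.0 0.0.1.255",
    "172.210.2.0 0.0.1.255",
    "172.220.4.0 0.0.1.255",
    "172.230.6.0 0.0.1.255",
    "172.240.8.0 0.0.1.255",
    "172.250.10.0 0.0.1.255",
]


def source_address_lines(ranges):
    """Return one ``source-address`` command per entry of *ranges*."""
    return [f"source-address {r}" for r in ranges]


# Each entry is (description, command list). Groups are sent in order with a
# pause after each one, mirroring the pacing of the original script.
COMMAND_GROUPS = [
    # SNAT configuration: public address on the outside interface.
    ("outside address on gi1/0/4", [
        "system-view",
        "inter gi1/0/4",
        "ip address 132.12.12.10",
    ]),
    # PAT address pool.
    ("PAT address pool", [
        "nat address-group SNAT",
        "mode pat",
        "section 0 132.12.12.10",
        "route enable",
    ]),
    # PAT source-NAT policy.
    ("PAT source-NAT policy", [
        "nat-policy",
        "rule name pat",
        "source-zone trust",
        "destination-zone untrust",
        *source_address_lines(INTERNAL_SOURCES),
        "action source-nat address-group SNAT",
    ]),
    # Security policy permitting the same trust->untrust sources.
    ("security policy matching the NAT policy", [
        "security-policy",
        "rule name NAT",
        "source-zone trust",
        "destination-zone untrust",
        *source_address_lines(INTERNAL_SOURCES),
        "action permit",
    ]),
    # Default route, advertised into OSPF.
    ("default route", [
        "ip route-static 0.0.0.0 0 132.12.12.11",
        "ospf 1",
        "default-route-advertise always",
        "q",
    ]),
    # ---------------------------------------------------------------------
    # DNAT: inside address pool for the DMZ.
    ("DMZ inside address pool", [
        "ip pool dmz-pool",
        "network 192.168.170.0 mask 255.255.255.0 ",
        "gateway 192.168.170.254",
    ]),
    # DNAT mapping: publishes 192.168.170.100:80 on the public address for both
    # TCP and UDP; the security policy right after it permits only that host.
    ("DNAT mapping and its security policy", [
        "nat server protocol udp global 132.12.12.10 80 inside 192.168.170.100 80",
        "nat server protocol tcp global 132.12.12.10 80 inside 192.168.170.100 80",
        "security-policy ",
        "rule name allow-http-to-dmz",
        "source-zone untrust",
        "destination-zone dmz",
        "destination-address 192.168.170.100 32",
        "action permit ",
    ]),
    # Allow HTTP (device management) on the interface.
    # NOTE(review): the original comment calls gi1/0/2 the outside interface,
    # but the public address went on gi1/0/4 above and gi1/0/2 is re-addressed
    # as the 10.1.90.0/30 link in the next group -- confirm which interface is
    # meant to expose HTTP management before enabling it there.
    ("allow HTTP management on gi1/0/2", [
        "inter gi1/0/2",
        "service-manage http permit",
    ]),
    # ---------------------------------------------------------------------
    # OSPF so the monitoring zone can reach internal devices.
    # NOTE(review): "network 10.1.0.0 255.255.0.0" reads like a subnet mask,
    # whereas the next network line uses a wildcard (0.0.0.3) -- verify the
    # intended mask for area 2.
    ("OSPF for the monitoring zone", [
        "inter gi1/0/2",
        "ip address 10.1.90.2 30",
        "quit",
        "ospf 1",
        "area 2",
        "network 10.1.0.0 255.255.0.0",
        "area 1",
        "network 10.1.90.0 0.0.0.3",
    ]),
]


def send_commands(shell, commands, pause=PAUSE):
    """Send each command (newline-terminated) to *shell*, then pause once.

    *shell* is the interactive channel returned by ``invoke_shell``. Nothing
    is read back here, so a rejected command only shows up in the final dump.
    """
    for cmd in commands:
        shell.send(cmd + "\n")
    time.sleep(pause)


def read_output(shell):
    """Return everything the device has echoed so far as text.

    The first ``recv`` blocks until some output arrives (as the original did);
    any further buffered data is then drained so the dump is not cut at the
    first 65535 bytes. Undecodable bytes are replaced instead of aborting.
    """
    chunks = [shell.recv(65535)]
    while shell.recv_ready():
        chunks.append(shell.recv(65535))
    return b"".join(chunks).decode("utf-8", errors="replace")


def main():
    """Prompt for credentials, push the NAT/OSPF configuration to ``ip``, print the echo."""
    username = input("Username: ")
    password = getpass.getpass("Password: ")

    ssh_client = paramiko.SSHClient()
    # NOTE(review): AutoAddPolicy trusts whatever host key the peer presents,
    # so a first connection cannot tell FW1 from a host impersonating it.
    # Outside a lab, load a known_hosts file (load_system_host_keys /
    # load_host_keys) and use paramiko.RejectPolicy instead.
    ssh_client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    ssh_client.connect(hostname=ip, username=username, password=password,
                       look_for_keys=False)
    try:
        # Original message lacked the space before the address.
        print(f"Successfully logged in {ip}")
        shell = ssh_client.invoke_shell()
        for _description, commands in COMMAND_GROUPS:
            send_commands(shell, commands)
        print(read_output(shell))
    finally:
        # The original wrote ``ssh_client.close`` without parentheses, so the
        # session was never closed; close it even if a send fails mid-way.
        ssh_client.close()


if __name__ == "__main__":
    main()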
運行腳本