Latest Post

Friday, 23 May 2014

PIX: Dynamic Site-to-Site IPSEC Configuration

|0 comments

PIX: Dynamic Site-to-Site IPSEC Configuration

SCENARIO:

Configure a tunnel between 10.2.2.0/24 to 10.1.1.0/24, between one static and one dynamic VPN peers.

This is a typical scenario when one device has a dynamic "outside" IP address (such as DHCP).

Notes:
The configuration can be expanded to include remote access VPN on either peer;
The configuration can be expanded to include more than one dynamic peer;
In case of multiple VPN devices, there should always be at least one static peer.




TOPOLOGY:

10.2.2.0 --- STATIC ==== (( INTERNET )) ===== DYNAMIC ---- 10.1.1.0

STATIC.inside = 10.2.2.1/24
STATIC.outside = 203.1.1.1/24
DYNAMIC.outside = DHCP
DYNAMIC.inside = 10.1.1.1/24




CONFIGURATIONS:
- several possible simple configurations, depending on the PIX OS running on either device.

PHASE 1 / ISAKMP PARAMETERS:
- authentication = pre-shared key (MY_ISAKMP_KEY)
- encryption = 3DES
- hash = MD5
- group = 2

PHASE 2 / IPSEC PARAMETERS:
- ESP-3DES, ESP-MD5



STATIC PIX 6.X:

access-list NONAT permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0

nat (inside) 0 access-list NONAT

sysopt connection permit-ipsec

isakmp identity address
isakmp nat-traversal

isakmp key MY_ISAKMP_KEY address 0.0.0.0 netmask 0.0.0.0 no-xauth

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map DYN_MAP 1 set transform-set ESP-DES-MD5
crypto map MY_STATIC_MAP 20 ipsec-isakmp dynamic DYN_MAP

crypto map MY_STATIC_MAP interface outside
isakmp enable outside



STATIC PIX 7.0/7.1:

access-list NONAT extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0

nat (inside) 0 access-list NONAT

sysopt connection permit-ipsec

isakmp identity address
isakmp nat-traversal

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map DYN_MAP 1 set transform-set ESP-3DES-MD5
crypto map MY_STATIC_MAP 20 ipsec-isakmp dynamic DYN_MAP

tunnel-group MY_GROUP type ipsec-l2l
tunnel-group MY_GROUP general-attributes
tunnel-group MY_GROUP ipsec-attributes
pre-shared-key MY_ISAKMP_KEY

crypto map MY_STATIC_MAP interface outside
isakmp enable outside




STATIC PIX 7.2:

access-list NONAT extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0

nat (inside) 0 access-list NONAT

sysopt connection permit-vpn

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map DYN_MAP 1 set transform-set ESP-3DES-MD5
crypto map MY_STATIC_MAP 20 ipsec-isakmp dynamic DYN_MAP

crypto isakmp nat-traversal
crypto isakmp identity address

crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400

tunnel-group MY_GROUP type ipsec-l2l
tunnel-group MY_GROUP general-attributes
tunnel-group MY_GROUP ipsec-attributes
pre-shared-key MY_ISAKMP_KEY

crypto map MY_STATIC_MAP interface outside
crypto isakmp enable outside



DYNAMIC PIX 6.X:

access-list NONAT permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list VPN permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

nat (inside) 0 access-list NONAT

sysopt connection permit-ipsec

isakmp identity hostname
isakmp nat-traversal

isakmp key MY_ISAKMP_KEY address 203.1.1.1 netmask 255.255.255.255

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 1000

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map DYNAMIC_MAP 10 ipsec-isakmp
crypto map DYNAMIC_MAP 10 match address VPN
crypto map DYNAMIC_MAP 10 set peer 203.1.1.1
crypto map DYNAMIC_MAP 10 set transform-set ESP-3DES-MD5

crypto map DYNAMIC_MAP interface outside
isakmp enable outside




DYNAMIC PIX 7.0/7.1:

access-list NONAT permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list VPN permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

nat (inside) 0 access-list NONAT

sysopt connection permit-ipsec

isakmp identity hostname
isakmp nat-traversal

isakmp key MY_ISAKMP_KEY address 203.1.1.1 netmask 255.255.255.255

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 1000

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map DYN_MAP 1 set transform-set ESP-3DES-MD5
crypto map DYNAMIC_MAP 10 ipsec-isakmp dynamic DYN_MAP
crypto map DYNAMIC_MAP 10 match address VPN
crypto map DYNAMIC_MAP 10 set peer 203.1.1.1


tunnel-group MY_GROUP type ipsec-l2l
tunnel-group MY_GROUP general-attributes
tunnel-group MY_GROUP ipsec-attributes
pre-shared-key MY_ISAKMP_KEY

crypto map DYNAMIC_MAP interface outside
isakmp enable outside


DYNAMIC PIX 7.2:

access-list NONAT permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list VPN permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

nat (inside) 0 access-list NONAT

sysopt connection permit-ipsec

crypto isakmp identity hostname
crypto isakmp nat-traversal

crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map DYN_MAP 1 set transform-set ESP-3DES-MD5
crypto map DYNAMIC_MAP 10 ipsec-isakmp dynamic DYN_MAP
crypto map DYNAMIC_MAP 10 match address VPN
crypto map DYNAMIC_MAP 10 set peer 203.1.1.1

tunnel-group MY_GROUP type ipsec-l2l
tunnel-group MY_GROUP general-attributes
tunnel-group MY_GROUP ipsec-attributes
pre-shared-key MY_ISAKMP_KEY

crypto map DYNAMIC_MAP interface outside
isakmp enable outside


REFERENCE

PIX 6: http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a0080094680.shtml
PIX 7: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml

Wednesday, March 12, 2008

IPSEC Checklist and Best Practices

Basic Checklist for VPN Configuration:
- IP address of the static VPN peers

- IP addresses/networks that will be tunneled
--> networks behind each VPN peer (site-to-site)
--> network behind VPN and pool (remote access)

- PHASE I / ISAKMP parameters
--> authentication (pre-shared key/certificate)
--> encryption (DES, 3DES, AES)
--> hash (SHA, MD5)
--> group (2, 5)

- PHASE II / IPSEC Parameters
--> transform set

- VPN Group (remote access only)
--> VPN Group Name
--> VPN Group Password

VLAN

|0 comments

PIX 6.X - Configuring Logical / VLAN interfaces

Scenario:
The inside/ethernet1 interface of the PIX will be mapped to two VLANs, VLAN1 with IP address 192.168.1.2/24 and VLAN2 with IP address 192.168.2.2. The outside interface has IP address 10.199.248.225/24

Topology:



[Thanks to former colleague Dan for the image.]


PIX 6 Configuration:

interface ethernet1 auto
nameif ethernet1 inside security100
address inside 192.168.1.2 255.255.255.0

interface ethernet1 vlan2 logical
nameif vlan2 inside2 security50
address vlan2 192.168.2.2 255.255.255.0

Notes:
Your Physical Interface is (by default), your VLAN1.


PIX 7 Configuration:

interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.2 255.255.255.0
no shut

interface Ethernet1.2
vlan 2
nameif inside2
security-level 50
ip address 192.168.2.2 255.255.255.0
no shut

VTP

|0 comments

Trunking vs Etherchannel





Noticed several colleagues of mine are still confused with "trunking" and "etherchannel". These two -- some would argue grammatically similar -- have very different functions and implications.

Trunking refers to (multiple) VLANs that are going through an interface. That is, for example, if you say that "a Cat6500 with GigabitEthernet1/1 trunks VLANs 1, 50, and 100", it means that these VLANs (and only these VLANs) are permitted to go through Gi1/1. The implication is that this forms a basic security feature, by permitting only specific VLANs; other traffic belonging to other VLANs will be permitted on this trunk interface.

Etherchannel -- aka channel-group, port-channel, or port group -- on the otherhand, refers to multiple (physical) interfaces bundled together into a single (logical) interface. That is, for example, if you say that "Cat6500 Port-channel100 includes GigabitEthernet2/1-4", these means that Gi2/1 to Gi2/4 are configured together as a single logical interface. The implication is that the bandwidth of these interfaces are combined and shared -- hence, in this example, Port-channel has a total bandwidth of 4Gbps (1Gbps per interface x 4 interfaces ).

So to state the basic difference between the two:

Trunking "bundles" VLANs together that are permitted on any single interface.
Etherchannel "bundles" (physical) interfaces together into a single logical interface.


Question: Can you combine an interface to have both trunking and etherchannel?

Answer: This is question is a little vague. In a way, yes. Here's a typical scenario actually being used in many companies:

Topology:
DeviceA. GigabitEthernet1/1 <=====> DeviceB.GigabitEthernet1/1
DeviceA. GigabitEthernet1/2 <=====> DeviceB.GigabitEthernet1/2

Requirement:Permit only VLANs 100 and 200 through the link between DeviceA and DeviceB. Also, increase the link bandwidth between these two devices to 2Gbps. To summarize:

DeviceA.GigabitEthernet1/1 - trunking for vlans 100 and 200, share bandwidth with Gi1/2;
DeviceA.GigabitEthernet1/2 - trunking for vlans 100 and 200, share bandwidth with Gi1/1;

DeviceB.GigabitEthernet1/1 - trunking for vlans 100 and 200, share bandwidth with Gi1/2; DeviceB.GigabitEthernet1/2 - trunking for vlans 100 and 200, share bandwidth with Gi1/1;

To achieve this, we arbitrarily assign a channel group number IDs. For this example, we select 300 for DeviceA, so we have Port-Channel300 which will group Gi1/1 and Gi1/2. The basic configuration for DeviceA, then, would look like the following:

interface GigabitEthernet1/1
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 100,200

channel-group 300 mode desirable
!
interface GigabitEthernet1/2
switchport switchport trunk encapsulation dot1q

switchport trunk allowed vlan 100,200
channel-group 300 mode desirable

!
interface Port-Channel300
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 100,200
!


The device on the remote end, DeviceB, should be configured similarly as well.

Similarly, we select Port-Channel500 for DeviceB.

interface GigabitEthernet1/1
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 100,200
channel-group 500 mode desirable
!
interface GigabitEthernet1/2
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 100,200
channel-group 500 mode desirable
!
interface Port-Channel500
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 100,200
!

With that, you're done!

Here are some points you should take note of:

Important Note #1: The channel-group ID only has local significance. In this example, DeviceA assigns Port-channel300 while DeviceB uses Port-channel500.

Important Note #2: The VLANs trunked on the port-channel interface and the member interfaces should match. If there is a mismatch, the status of the interfaces will be down.

Important Note #3: The actual syntax would vary, depending on the IOS image currently being used. Here's a general hint: IOS 12.0 uses the "port group" interface command, while IOS 12.1 onwards uses the "channel-group" interface command.

MPLS

|0 comments

MPLS Label Distribution Parameters

MPLS Label Distribution Parameter Options:
Label Space OptionsPer-InterfacePer-Plaform
Label DistributionUnsolicited downstreamDownstream-on-Demand
Label AllocationIndependent Control ModeOrdered Control Mode
Label RetentionLiberal Label RetentionConservative Label Retention

Label Space Options

Per-Platform Labels
  • LFIB: [Label | Action | Next Hop ]
  • one label assigned to a destination network and announced to all neighbors
  • locally unique, valid on all incoming interfaces
  • smaller LFIB, FIB; faster label exchange
  • less secure than per-interface labels; label-spoofing
  • default in Frame-Mode MPLS
Per-Interface Labels
  • LFIB:[IN intf | IN Label | NH intf | NH Label]
  • one label for each destination, each device, each interface
  • secure; prevents label-spoofing; labeled packets/ATM cells only accepted from interface where label is assigned
  • default in Cell-Mode MPLS

Label Distribution

Unsolicited Downstream
  • label advertised to all neighbor LSRs, regardless of whether upstream or downstream
  • Frame-Mode
Downstream-On-Demand
  • label advertised only upon request of upstream LSR
  • cell-mode

Label Allocation 

Independent Control
  • LSR can assign a label for a prefix w/o outgoing/downstream label
  • for edge LSRs only (requires L3 capabilities)
  • faster label propagation
  • for unsolicited downstream / frame-mode
Ordered Control
  • local label allocated and propagated only
  • if exist(nexthop label) propagae/allocate label, else request label from nexthop
  • for downstream-on-demand/cell-mode


Label Retention

Liberal Label Retention
  • all received label stored in LIB, even if not from next-hop LSR
  • improves convergence speed; allows easy failover for link failures
  • frame-mode

Conservative Label Retention
  • only received labels from nexthop LSRs are  stored; others are ignored
  • downstream-on-demand/cell-mode


Standard Parameter Sets for Cisco Platforms

ParameterRouters, frame interfacesRouters, ATM interfacesATM switches
Label Spaceper-platformper-interfaceper-interface
Label Distributionunsolicited downstreamdownstream-on-demanddownstream-on-demand
Label Allocationindependent controlindependent controlordered control
Label Retentionliberal label retentionconservative OR liberalconservative

BGP

|0 comments

BGP Route Dampening

At a Glance:
  • designed to reduce router processing load caused by unstable routes;
  • prevents sustained routing oscillations without affecting well-behaved routes;
  • RFC 2439: BGP Route Flap Dampening;
  • minimizes BGP updates by suppressing unstable routes.
Route-Dampening Operation:
  • EBGP route flaps = 1000 penalty points
    • IBGP route flaps not dampened;
    • penalty not user-configurable;
  • penalty decays via exponential decay algorithm
    • if penalty > suppress limit, route is dampened
    • if penalty < reuse limit, dampened route is propagated
    • if penalty < 1/2 reuse limit, flap history forgotten
  • route is never dampened more than the maximum suppress time limit
  • unreachable route with flap history is in history state (still in BGP table to retain flap history)
  • penalty is applied to an individual path, not the prefix

Configuring Route Dampening:
router(config-router)#
bgp dampening [half-life reuse suppress max-suppress-time] [route-map route-map-name]
half-lifetime for penalty to halve (default 15 minutes)
reusepenalty points when dampened route is reused (default 750)
suppresspenalty points when route is suppressed (default 2000)
max-suppress-timemaximum time a route is suppressed (default 1hour; maximum 255 minutes)

router(config-route-map)#
set dampening half-life reuse suppress max-suppress-time
- used for less aggressive dampening of routes towards root DNS servers
- dampening of smaller prefixes more aggressively
- selective dampening based on BGP neighbors and route-map match criteria

Other Commands:
clear ip bgp ip_addr flap-statistics [{regexp regexp} | {filter-list listname} | {ipaddr mask} ]
clear ip bgp dampening [ipaddr mask]
show ip bgp dampened-paths
show ip bgp flap-statistics [{regexp regexp}|{filter-list listname}|{ipaddr mask [longer-prefix]}]
debug ip bgp dampening

Monday, May 23, 2011

BGP: Regular Expressions for AS-PATH Filtering

SymbolDescription
|logical OR
.match any
[x..y]match one in range
^match beginning of string
$match end of string
_match any delimiter/white space
( )group as a single atom
*match 0 or more instances of previous atom
?match 0 or 1 instance of previous atom
+match 1 or more instances of previous atom
\escape character; if followed by a number n, points to the nth atom 


Example 1: Advertise routes with empty AS-PATH (internal routes)

router bgp 123
 neighbor 5.6.7.8 remote-as 387
 neighbor 5.6.7.8 filter-list 1 out
!
ip as-path access-list 1 permit ^$
!match "blank" atom at the "start" and "end" of string
!



Example 2: Accept only default routes, preferring primary route based on AS PATH:


AS387 (primary ISP)

/
AS123

\

AS462 (backup ISP)

router bgp 123
 neighbor 1.2.3.4 remote-as 462
 neighbor 1.2.3.4 route-map FILTER in
 neighbor 5.6.7.8 remote-as 387
 neighbor 5.6.7.8 route-map FILTER in
!
route-map FILTER permit 10
! default routes from primary ISP (AS 387) accepted are preferred (larger weight)
 match ip prefix-list DEFAULT_ONLY
 match as-path 10
 set weight 150
!
route-map FILTER permit 20
! default routes from backup ISP are accepted, with lower preference than primary ISP routes
 match ip prefix-list DEFAULT_ONLY
 set weight 100
!
ip as-path access-list 10 permit _387$
ip prefix-list DEFAULT_ONLY seq 10 permit 0.0.0.0/0
!



Example 3: AS PATH Filtering with AS Path Prepending:
- customer in AS123 is performing AS-PATH pre-pending

  AS123
10.0.0.1\

  \

   AS462


router bgp 387
 neighbor 10.0.0.1 remote-as 213
 neighbor 10.0.0.1 filter-list 10 in
!
ip as-path access-list 10 permit ^123(_123)*$
! accepts "123", "123 123", or "123 123 123"



Example 4: AS PATH Filtering with AS Path Prepending, multiple customers:
- multiple customers performing AS PATH Prepending

  Customer 1

\
Customer 2 -AS387

/
  Customer 3

!
router bgp 387
 neighbor 10.0.0.1 remote-as 123
 neighbor 10.0.0.1 filter-list 10 in
 neighbor 20.0.0.1 remote-as 456
 neighbor 20.0.0.1 filter-list 10 in
 neighbor 30.0.0.1 remote-as 789
 neighbor 30.0.0.1 filter-list 10 in
!
ip as-path access-list 10 permit ^([0..9]+)(_\1)*$
! accepts repeating instances of "123", "456", and "789"
! does not accept strings non-repeating strings (e.g. "123 123 100")
!

Notes:
atom 1 = at least one instance of a number at the beginning of the string;
atom 2 = 0 or more instances of a whitespace and atom 1 until the end of the string.

Wednesday, May 4, 2011

BGP Path Attributes and Route Selection

BGP Path Attributes

Mandatory Well-Known
 Origin (i, e, ?)
 AS-Path (sequence of AS-Numbers to access network/IP)
 Next-Hop (ip address)
Discretionary Well-Known
 Local Preference (for routing policy)
 Atomic Aggregate (flags route if aggregated)
Optional Non-Transitive
 Multi-Exit Discriminator (MED) - multiple entry pts to one AS
 Originator-ID - for route reflector environment
 Cluster-List - for route reflector environment
Optional Transitive
 Aggregator - IP address & AS of routers that aggregated routes
 Community - for route tagging


BGP Route Selection Order:
  1. Prefer highest weight (local to router)
  2. Prefer highest local preference (global within AS)
  3. Prefer routes that the router originated
  4. Prefer shorter AS paths
  5. Prefer lowest origin code (IGP < EGP < Incomplete)
  6. Prefer lowest MED
  7. Prefer external (EBGP) paths over internal (IBGP)
    1. For IBGP paths, prefer nonreflected routes (no originator-ID) over reflected routes
    2. For reflected routes, prefer shorter cluster-list
  8. For IBGP paths, prefer path through closest IGP neighbor
  9. For EBGP paths, prefer oldest (most stable) path
  10. Prefer paths from router with the lower BGP router-ID

BGP: Multihomed Customer to Single ISP in Load-Sharing Setup with Static Routes

Outbound Traffic (CE to PE):
- each customer router uses closest CE as exit point;
- CE routers must be collocated to have load-sharing;

Inbound/Return Traffic (PE to CE) (pre-IOS 12.2):
- true load-sharing is impossible to achieve with multiple PEs;
- per BGP route selection, only one route will be the best route (to the customer network)
- can be optimized by dividing the customer address space

Customer Network: 11.2.3.0 /24
Customer Network "division" assigned to PE1: 11.2.3.0/25
Customer Network "division" assigned to PE2: 11.2.3.128/25

BGP: Multihomed Customer to Single ISP in Primary-Backup Setup with Static Routes

Scenario:
Multihomed customer connected to a single service provider on multiple permanent links;
Customer network using OSPF; provider network using BGP; CE-PE via static routing;
Floating static routes configured as backup on both CE and PE;

Floating Static Routes in BGP:
Once active, the floating static routes will be permanently installed in BGP; static routes are locally sourced which is preferred;
  • admin distance cannot be used in route-maps; hence, use communities
  • tag floating static routes; tags mapped to specific communities;
  • use route maps to modify the weight and/or local preference;
  • default weight: 32768

Wednesday, April 15, 2009

IOS: %BGP_MPLS-3-GEN_ERROR


Mar 18 20:41:38.892 EDT: %BGP_MPLS-3-GEN_ERROR: BGP: MPLS outlabel changed, MPLS forw not updated, prefix not in routing table -Traceback= 10D36950 10D3709C 10B10388 10B10718 10AEEFD0 10AEF030 10B53A50 10B53DC0 10AF588C 10AFD610 10AFE8E0 10A44524 10A3B6D4
Mar 18 20:41:38.892 EDT: %BGP_MPLS-3-GEN_ERROR: BGP: MPLS outlabel changed, MPLS forw not updated, prefix not in routing table -Traceback= 10D36950 10D3709C 10B10388 10B10718 10AEEFD0 10AEF030 10B53A50 10B53DC0 10AF588C 10AFD610 10AFE8E0 10A44524 10A3B6D4
Mar 18 20:41:38.892 EDT: %BGP_MPLS-3-GEN_ERROR: BGP: MPLS outlabel changed, MPLS forw not updated, prefix not in routing table -Traceback= 10D36950 10D3709C 10B10388 10B10718 10AEEFD0 10AEF030 10B53A50 10B53DC0 10AF588C 10AFD610 10AFE8E0 10A44524 10A3B6D4


Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500e-ENTSERVICES-M), Version
12.2(50)SG1, RELEASE SOFTWARE (fc2)
Technical Support:
http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Tue 10-Feb-09 00:17 by prod_rel_team
Image text-base: 0x10000000, data-base: 0x124FED8C

ROM: 12.2(44r)SG
Darkside Revision 0, Jawa Revision 11, Tatooine Revision 140, Forerunner Revision 1.74

MyRouter uptime is 5 days, 3 hours, 12 minutes
System returned to ROM by power-on
System restarted at 19:50:40 EDT Fri Mar 13 2009
System image file is "bootflash:/cat4500e-entservices-mz.122-50.SG1.bin"

cisco WS-C4900M (MPC8548) processor (revision 2) with 524288K bytes of memory.
Processor board ID JAE130628BD
MPC8548 CPU at 1.33GHz, Cisco Catalyst 4900M
Last reset from PowerUp
1 Virtual Ethernet interface
36 Gigabit Ethernet interfaces
16 Ten Gigabit Ethernet interfaces
511K bytes of non-volatile configuration memory.

Configuration register is 0x2102



CSCse15707: Trace back seen at bgp_ipv4_mpls_label_change.

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCse15707

Basic PIX Configuration

|0 comments

Basic PIX Configuration

This should be your most basic configuration if you want your PIX to have internet access, assuming there are no other blocking/filtering device that exists between the PIX and the internet:

Topology:
PIX inside: 192.168.102.254 /24
PIX outside: 10.199.248.50 /24
ISP/default gateway: 10.199.248.254 /24



PIX 6.X Configuration:
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 10.199.248.50 255.255.255.0
ip address inside 192.168.102.254 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0 0
route outside 0 0 10.199.248.3 1


PIX 7.X Configuration
interface Ethernet0
 no shutdown
 nameif outside
 ip address 10.199.248.50 255.255.255.0
interface Ethernet1
 no shutdown
 nameif inside
 ip address 192.168.102.254 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0 0
route outside 0 0 10.199.248.3


Notes:
Slight difference when dealing with different PIX OS, but principle is the same. First, configure the interfaces. Next, configure translation (shown here is the simplest NAT). Lastly, configure default route.

Friday, 24 January 2014

MYSQL Database Create

|0 comments
Create a MySQL Database, Tables and Insert Data
Description: http://s0.cyberciti.org/images/category/old/mysqllogo.gif
How do I create a MySQL database, tables, and insert (store) data into newly created tables?

MySQL is a free and open source database management system. You need to use sql commands to create database. You also need to login as mysql root user account. To create a database and set up tables for the same use the following sql commands:
Tutorial details
Difficulty
Easy (rss)
Root privileges
No
Requirements
mysql
Estimated completion time
10m
1.  CREATE DATABASE - create the database. To use this statement, you need the CREATE privilege for the database.
2.  CREATE TABLE - create the table. You must have the CREATE privilege for the table.
3.  INSERT - To add/insert data to table i.e. inserts new rows into an existing table.
Procedure for creating a database and a sample table
Login as the mysql root user to create database:
$ mysql -u root -p
Sample outputs:
mysql>
Add a database called books, enter:
mysql> CREATE DATABASE books;
Now, database is created. Use a database with use command, type:
mysql> USE books;
Next, create a table called authors with name, email and id as fields:
mysql> CREATE TABLE authors (id INT, name VARCHAR(20), email VARCHAR(20));
To display your tables in books database, enter:
mysql> SHOW TABLES;
Sample outputs:
+-----------------+
| Tables_in_books |
+-----------------+
| authors         |
+-----------------+
1 row in set (0.00 sec)
Finally, add a data i.e. row to table books using INSERT statement, run:
mysql> INSERT INTO authors (id,name,email) VALUES(1,"Vivek","xuz@abc.com");
Sample outputs:
Query OK, 1 row affected (0.00 sec)
Try to add few more rows to your table:
mysql> INSERT INTO authors (id,name,email) VALUES(2,"Priya","p@gmail.com");
mysql> 
INSERT INTO authors (id,name,email) VALUES(3,"Tom","tom@yahoo.com");
To display all rows i.e. data stored in authors table, enter:
mysql> SELECT * FROM authors;
Sample outputs:
+------+-------+---------------+
| id   | name  | email         |
+------+-------+---------------+
|    1 | Vivek | xuz@abc.com   |
|    2 | Priya | p@gmail.com   |
|    3 | Tom   | tom@yahoo.com |
+------+-------+---------------+
3 rows in set (0.00 sec)


Share Folder Linux

|1 comments
How to install Samba server on CentOS 6

Part 1: Configuring anonymous share with samba server
To install the samba package,enter the following command:
sudo yum install samba samba-client samba-common
Description: http://rbgeek.files.wordpress.com/2012/05/426.jpg?w=630&h=63
Check the version of installed samba software by using this command:
smbd --version
Description: http://rbgeek.files.wordpress.com/2012/05/524.jpg?w=630&h=86
Configure the samba service, so that, it will start automatically at boot time:
sudo chkconfig smb on
sudo chkconfig nmb on
Description: http://rbgeek.files.wordpress.com/2012/05/on.jpg?w=630&h=100
Disable the SELinux:
sudo nano /etc/selinux/config
Description: http://rbgeek.files.wordpress.com/2012/05/157.jpg?w=630&h=73
Change SELinux from enforcing to disabled:
SELINUX=disabled
Description: http://rbgeek.files.wordpress.com/2012/05/230.jpg?w=630&h=230
Add these Iptables rules, so that samba will work perfectly:
sudo iptables -I INPUT 4 -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
sudo iptables -I INPUT 5 -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
sudo iptables -I INPUT 6 -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
sudo service iptables save
Description: http://rbgeek.files.wordpress.com/2012/05/325.jpg?w=630&h=194
Restart the Server!!!
Go to your Windows machine and use this command in order to check the WORKGROUP name:
net config workstation
Description: http://rbgeek.files.wordpress.com/2012/05/625.jpg?w=630&h=76
It will show the output, something like this:
Description: http://rbgeek.files.wordpress.com/2012/05/720.jpg?w=630&h=315
Backup the smb.conf file, then delete it and create the new one:
sudo cp /etc/samba/smb.conf /etc/samba/smb.conf.bak
sudo rm /etc/samba/smb.conf
sudo touch /etc/samba/smb.conf
sudo nano /etc/samba/smb.conf
Description: http://rbgeek.files.wordpress.com/2012/05/819.jpg?w=630&h=151
Add these lines, in your smb.conf file (or change it according to your requirement):
#======================= Global Settings =====================================
[global]
 workgroup = WORKGROUP
 security = share
 map to guest = bad user
#============================ Share Definitions ==============================
[MyShare]
 path = /samba/share
 browsable =yes
 writable = yes
 guest ok = yes
 read only = no
Description: http://rbgeek.files.wordpress.com/2012/05/919.jpg?w=630&h=396
Save the smb.conf file and restart the service:
sudo service smb restart
sudo service nmb restart
Description: http://rbgeek.files.wordpress.com/2012/05/1016.jpg?w=630&h=144
Access the samba share from windows (where centos is the name of my samba server):
Description: http://rbgeek.files.wordpress.com/2012/05/centos.jpg?w=630
wao, we are able to access the samba share successfully Description: :-)
Description: http://rbgeek.files.wordpress.com/2012/05/centos12.jpg?w=630
Let’s try to create something, inside the share folder:
Description: http://rbgeek.files.wordpress.com/2012/05/1119.jpg?w=630&h=454
Error, we cannot create anything inside the share folder Description: :-(
Description: http://rbgeek.files.wordpress.com/2012/05/1213.jpg?w=630&h=350
Check the current permission on the samba share:
cd /samba/
ls -l
Description: http://rbgeek.files.wordpress.com/2012/05/1312.jpg?w=630&h=131
Change it, in such a way that everyone can read and write it(Check it, that it is allowed in your environment or not):
sudo chmod -R 0777 share
ls -l
Description: http://rbgeek.files.wordpress.com/2012/05/1412.jpg?w=630&h=129
Try to create something again, inside the share folder:
Description: http://rbgeek.files.wordpress.com/2012/05/158.jpg?w=630
Verify the newly created file on samba server:
cd share/
ls -l
Description: http://rbgeek.files.wordpress.com/2012/05/163.jpg?w=630&h=133
Part 2: Add and manage users and groups
Add a group in your CentOS server (in my case smbgrp):
sudo groupadd smbgrp
Description: http://rbgeek.files.wordpress.com/2012/05/174.jpg?w=630&h=82
Create a new share, set the permission on the share:
cd /samba/
sudo mkdir secure
sudo chown -R arbab:smbgrp secure/ 
ls -l 
sudo chmod -R 0770 secure/
ls -l
Description: http://rbgeek.files.wordpress.com/2012/05/181.jpg?w=630&h=296
Add the user to the samba group and create samba password:
sudo usermod -a -G smbgrp arbab
sudo smbpasswd -a arbab
Description: http://rbgeek.files.wordpress.com/2012/05/191.jpg?w=630&h=142
Edit the smb.conf file:
sudo nano /etc/samba/smb.conf
Description: http://rbgeek.files.wordpress.com/2012/05/201.jpg?w=630&h=76
Add the newly created samba share in smb.conf file:
[Secure]
path = /samba/secure
 valid users = @smbgrp
 guest ok = no
 writable = yes
 browsable = yes
Description: http://rbgeek.files.wordpress.com/2012/05/2110.jpg?w=630&h=395
Restart the samba service:
sudo service smb restart
sudo service nmb restart
Description: http://rbgeek.files.wordpress.com/2012/05/2210.jpg?w=630&h=133
Check the syntax error with testparm:
sudo testparm
Description: http://rbgeek.files.wordpress.com/2012/05/232.jpg?w=630&h=393
Testing from Windows Machine:
Description: http://rbgeek.files.wordpress.com/2012/05/241.jpg?w=630&h=492
Description: http://rbgeek.files.wordpress.com/2012/05/251.jpg?w=630&h=493
Verification from CentOS server:
cd /samba/secure/
ls -l 
Description: http://rbgeek.files.wordpress.com/2012/05/261.jpg?w=630&h=129