Friday 23 May 2014

PIX: Dynamic Site-to-Site IPSEC Configuration


SCENARIO:

Configure a tunnel between 10.2.2.0/24 and 10.1.1.0/24, with one static and one dynamic VPN peer.

This is a typical scenario when one device has a dynamic "outside" IP address (such as DHCP).

Notes:
The configuration can be expanded to include remote access VPN on either peer;
The configuration can be expanded to include more than one dynamic peer;
In case of multiple VPN devices, there should always be at least one static peer;
On PIX 7.x the tunnel-group name is how the pre-shared key is looked up for an L2L peer: on the dynamic side it is the static peer's address (203.1.1.1); on the static side, where the peer's address is not known in advance, DefaultL2LGroup is the group that catches it. MY_GROUP in the 7.x configurations below stands for that name.




TOPOLOGY:

10.2.2.0 --- STATIC ==== (( INTERNET )) ===== DYNAMIC ---- 10.1.1.0

STATIC.inside = 10.2.2.1/24
STATIC.outside = 203.1.1.1/24
DYNAMIC.outside = DHCP
DYNAMIC.inside = 10.1.1.1/24




CONFIGURATIONS:
- several possible simple configurations, depending on the PIX OS running on either device.

PHASE 1 / ISAKMP PARAMETERS:
- authentication = pre-shared key (MY_ISAKMP_KEY)
- encryption = 3DES
- hash = MD5
- group = 2

PHASE 2 / IPSEC PARAMETERS:
- ESP-3DES, ESP-MD5



STATIC PIX 6.X:

access-list NONAT permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0

nat (inside) 0 access-list NONAT

sysopt connection permit-ipsec

isakmp identity address
isakmp nat-traversal

isakmp key MY_ISAKMP_KEY address 0.0.0.0 netmask 0.0.0.0 no-xauth

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map DYN_MAP 1 set transform-set ESP-3DES-MD5
crypto map MY_STATIC_MAP 20 ipsec-isakmp dynamic DYN_MAP

crypto map MY_STATIC_MAP interface outside
isakmp enable outside



STATIC PIX 7.0/7.1:

access-list NONAT extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0

nat (inside) 0 access-list NONAT

sysopt connection permit-ipsec

isakmp identity address
isakmp nat-traversal

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map DYN_MAP 1 set transform-set ESP-3DES-MD5
crypto map MY_STATIC_MAP 20 ipsec-isakmp dynamic DYN_MAP

tunnel-group MY_GROUP type ipsec-l2l
tunnel-group MY_GROUP general-attributes
tunnel-group MY_GROUP ipsec-attributes
pre-shared-key MY_ISAKMP_KEY

crypto map MY_STATIC_MAP interface outside
isakmp enable outside




STATIC PIX 7.2:

access-list NONAT extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0

nat (inside) 0 access-list NONAT

sysopt connection permit-vpn

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map DYN_MAP 1 set transform-set ESP-3DES-MD5
crypto map MY_STATIC_MAP 20 ipsec-isakmp dynamic DYN_MAP

crypto isakmp nat-traversal
crypto isakmp identity address

crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400

tunnel-group MY_GROUP type ipsec-l2l
tunnel-group MY_GROUP general-attributes
tunnel-group MY_GROUP ipsec-attributes
pre-shared-key MY_ISAKMP_KEY

crypto map MY_STATIC_MAP interface outside
crypto isakmp enable outside



DYNAMIC PIX 6.X:

access-list NONAT permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list VPN permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

nat (inside) 0 access-list NONAT

sysopt connection permit-ipsec

isakmp identity hostname
isakmp nat-traversal

isakmp key MY_ISAKMP_KEY address 203.1.1.1 netmask 255.255.255.255

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 1000

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map DYNAMIC_MAP 10 ipsec-isakmp
crypto map DYNAMIC_MAP 10 match address VPN
crypto map DYNAMIC_MAP 10 set peer 203.1.1.1
crypto map DYNAMIC_MAP 10 set transform-set ESP-3DES-MD5

crypto map DYNAMIC_MAP interface outside
isakmp enable outside




DYNAMIC PIX 7.0/7.1:

access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list VPN extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

nat (inside) 0 access-list NONAT

sysopt connection permit-ipsec

isakmp identity hostname
isakmp nat-traversal

isakmp key MY_ISAKMP_KEY address 203.1.1.1 netmask 255.255.255.255

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 1000

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map DYN_MAP 1 set transform-set ESP-3DES-MD5
crypto map DYNAMIC_MAP 10 ipsec-isakmp dynamic DYN_MAP
crypto map DYNAMIC_MAP 10 match address VPN
crypto map DYNAMIC_MAP 10 set peer 203.1.1.1


tunnel-group MY_GROUP type ipsec-l2l
tunnel-group MY_GROUP general-attributes
tunnel-group MY_GROUP ipsec-attributes
pre-shared-key MY_ISAKMP_KEY

crypto map DYNAMIC_MAP interface outside
isakmp enable outside


DYNAMIC PIX 7.2:

access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list VPN extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

nat (inside) 0 access-list NONAT

sysopt connection permit-vpn

crypto isakmp identity hostname
crypto isakmp nat-traversal

crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map DYN_MAP 1 set transform-set ESP-3DES-MD5
crypto map DYNAMIC_MAP 10 ipsec-isakmp dynamic DYN_MAP
crypto map DYNAMIC_MAP 10 match address VPN
crypto map DYNAMIC_MAP 10 set peer 203.1.1.1

tunnel-group MY_GROUP type ipsec-l2l
tunnel-group MY_GROUP general-attributes
tunnel-group MY_GROUP ipsec-attributes
pre-shared-key MY_ISAKMP_KEY

crypto map DYNAMIC_MAP interface outside
crypto isakmp enable outside
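
Before pushing a pair like the above, it is worth checking the crypto chain on each peer and the proposal match between them mechanically. The following is an added example, not code from the original post: it parses PIX 6.x-style lines (constructed samples modelled on the STATIC and DYNAMIC 6.X blocks above, with a deliberately misspelled transform-set name on the static side) and reports dangling references and Phase 1 / Phase 2 mismatches.

```python
"""Static checks for a PIX 6.x site-to-site IPsec peer pair (added example, not from the post).

Flags dangling references in the transform-set -> dynamic-map -> crypto map -> interface chain
and checks that the two peers share at least one ISAKMP policy and one IPsec transform set.
"""
import re
from collections import defaultdict

# Constructed samples modelled on the PIX 6.x blocks above. The static sample deliberately
# references an undefined transform-set name so the check has something to report.
STATIC_CFG = """
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map DYN_MAP 1 set transform-set ESP-DES-MD5
crypto map MY_STATIC_MAP 20 ipsec-isakmp dynamic DYN_MAP
crypto map MY_STATIC_MAP interface outside
"""

DYNAMIC_CFG = """
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map DYNAMIC_MAP 10 ipsec-isakmp
crypto map DYNAMIC_MAP 10 match address VPN
crypto map DYNAMIC_MAP 10 set peer 203.1.1.1
crypto map DYNAMIC_MAP 10 set transform-set ESP-3DES-MD5
crypto map DYNAMIC_MAP interface outside
"""

# Lifetime is excluded: it is negotiated down to the lower value, so it need not match.
PHASE1_PARAMS = ("authentication", "encryption", "hash", "group")


def parse_pix(text):
    """Collect transform sets, map references, interface bindings and ISAKMP policies."""
    cfg = {
        "transform_sets": {},            # name -> (esp cipher, esp authenticator)
        "dyn_map_ts": defaultdict(set),  # dynamic-map -> transform-set names it uses
        "map_ts": defaultdict(set),      # crypto map -> transform-set names it uses
        "map_dyn": defaultdict(set),     # crypto map -> dynamic-maps it references
        "map_iface": {},                 # crypto map -> interface it is applied to
        "policies": defaultdict(dict),   # isakmp policy number -> {parameter: value}
    }
    for line in text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"crypto ipsec transform-set (\S+) (\S+) (\S+)", line):
            cfg["transform_sets"][m[1]] = (m[2], m[3])
        elif m := re.fullmatch(r"crypto dynamic-map (\S+) \d+ set transform-set (.+)", line):
            cfg["dyn_map_ts"][m[1]].update(m[2].split())
        elif m := re.fullmatch(r"crypto map (\S+) \d+ set transform-set (.+)", line):
            cfg["map_ts"][m[1]].update(m[2].split())
        elif m := re.fullmatch(r"crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)", line):
            cfg["map_dyn"][m[1]].add(m[2])
        elif m := re.fullmatch(r"crypto map (\S+) interface (\S+)", line):
            cfg["map_iface"][m[1]] = m[2]
        elif m := re.fullmatch(r"isakmp policy (\d+) (\S+) (\S+)", line):
            cfg["policies"][m[1]][m[2]] = m[3]
    return cfg


def lint(cfg):
    """Return the dangling references in one peer's crypto configuration."""
    problems, defined_ts = [], set(cfg["transform_sets"])
    for dmap, names in cfg["dyn_map_ts"].items():
        for ts in sorted(names - defined_ts):
            problems.append(f"dynamic-map {dmap}: transform-set {ts} is not defined")
    for cmap, names in cfg["map_ts"].items():
        for ts in sorted(names - defined_ts):
            problems.append(f"crypto map {cmap}: transform-set {ts} is not defined")
    for cmap, dmaps in cfg["map_dyn"].items():
        for dmap in sorted(dmaps - set(cfg["dyn_map_ts"])):
            problems.append(f"crypto map {cmap}: dynamic-map {dmap} is not defined")
    for cmap in sorted(set(cfg["map_ts"]) | set(cfg["map_dyn"])):
        if cmap not in cfg["map_iface"]:
            problems.append(f"crypto map {cmap} is not applied to any interface")
    return problems


def compare_peers(a, b):
    """Report when the peers share no Phase 1 policy or no Phase 2 transform set."""
    def phase1(cfg):
        return {tuple(p.get(k) for k in PHASE1_PARAMS) for p in cfg["policies"].values()}
    mismatches = []
    if not phase1(a) & phase1(b):
        mismatches.append("no common ISAKMP policy (authentication/encryption/hash/group)")
    if not set(a["transform_sets"].values()) & set(b["transform_sets"].values()):
        mismatches.append("no common IPsec transform set (esp cipher/esp authenticator)")
    return mismatches
```

Run `lint(parse_pix(STATIC_CFG))` to see the misspelled transform-set reported; `compare_peers` on the two samples returns an empty list because both sides propose pre-share/3des/md5/group 2 and esp-3des/esp-md5-hmac.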


REFERENCE

PIX 6: http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a0080094680.shtml
PIX 7: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml

Wednesday, March 12, 2008

IPSEC Checklist and Best Practices

Basic Checklist for VPN Configuration:
- IP address of the static VPN peers

- IP addresses/networks that will be tunneled
--> networks behind each VPN peer (site-to-site)
--> network behind VPN and pool (remote access)

- PHASE I / ISAKMP parameters
--> authentication (pre-shared key/certificate)
--> encryption (DES, 3DES, AES)
--> hash (SHA, MD5)
--> group (2, 5)

- PHASE II / IPSEC Parameters
--> transform set

- VPN Group (remote access only)
--> VPN Group Name
--> VPN Group Password

VLAN


PIX 6.X - Configuring Logical / VLAN interfaces

Scenario:
The inside/ethernet1 interface of the PIX will be mapped to two VLANs: VLAN1 with IP address 192.168.1.2/24 and VLAN2 with IP address 192.168.2.2/24. The outside interface has IP address 10.199.248.225/24.

Topology:



[Thanks to former colleague Dan for the image.]


PIX 6 Configuration:

interface ethernet1 auto
nameif ethernet1 inside security100
ip address inside 192.168.1.2 255.255.255.0

interface ethernet1 vlan2 logical
nameif vlan2 inside2 security50
ip address inside2 192.168.2.2 255.255.255.0

Notes:
By default, the physical interface is your VLAN1.


PIX 7 Configuration:

interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.2 255.255.255.0
no shut

interface Ethernet1.2
vlan 2
nameif inside2
security-level 50
ip address 192.168.2.2 255.255.255.0
no shut

VTP


Trunking vs Etherchannel





I noticed several colleagues of mine are still confused about "trunking" and "etherchannel". These two -- some would argue grammatically similar -- have very different functions and implications.

Trunking refers to (multiple) VLANs that are carried over an interface. For example, if you say that "a Cat6500 with GigabitEthernet1/1 trunks VLANs 1, 50, and 100", it means that these VLANs (and only these VLANs) are permitted to go through Gi1/1. The implication is that this forms a basic security feature: only specific VLANs are permitted, and traffic belonging to other VLANs will not be carried on this trunk interface.

Etherchannel -- aka channel-group, port-channel, or port group -- on the other hand, refers to multiple (physical) interfaces bundled together into a single (logical) interface. For example, if you say that "Cat6500 Port-channel100 includes GigabitEthernet2/1-4", this means that Gi2/1 to Gi2/4 are configured together as a single logical interface. The implication is that the bandwidth of these interfaces is combined and shared; hence, in this example, Port-channel100 has a total bandwidth of 4Gbps (1Gbps per interface x 4 interfaces).

So to state the basic difference between the two:

Trunking "bundles" VLANs together that are permitted on any single interface.
Etherchannel "bundles" (physical) interfaces together into a single logical interface.


Question: Can you combine an interface to have both trunking and etherchannel?

Answer: This question is a little vague. In a way, yes. Here's a typical scenario actually being used in many companies:

Topology:
DeviceA.GigabitEthernet1/1 <=====> DeviceB.GigabitEthernet1/1
DeviceA.GigabitEthernet1/2 <=====> DeviceB.GigabitEthernet1/2

Requirement: Permit only VLANs 100 and 200 through the link between DeviceA and DeviceB. Also, increase the link bandwidth between these two devices to 2Gbps. To summarize:

DeviceA.GigabitEthernet1/1 - trunking for VLANs 100 and 200, share bandwidth with Gi1/2;
DeviceA.GigabitEthernet1/2 - trunking for VLANs 100 and 200, share bandwidth with Gi1/1;

DeviceB.GigabitEthernet1/1 - trunking for VLANs 100 and 200, share bandwidth with Gi1/2;
DeviceB.GigabitEthernet1/2 - trunking for VLANs 100 and 200, share bandwidth with Gi1/1;

To achieve this, we assign an arbitrary channel-group ID. For this example, we select 300 for DeviceA, so we have Port-Channel300, which groups Gi1/1 and Gi1/2. The basic configuration for DeviceA, then, would look like the following:

interface GigabitEthernet1/1
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 100,200
channel-group 300 mode desirable
!
interface GigabitEthernet1/2
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 100,200
channel-group 300 mode desirable
!
interface Port-Channel300
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 100,200
!


The device on the remote end, DeviceB, is configured the same way. For DeviceB we select Port-Channel500:

interface GigabitEthernet1/1
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 100,200
channel-group 500 mode desirable
!
interface GigabitEthernet1/2
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 100,200
channel-group 500 mode desirable
!
interface Port-Channel500
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 100,200
!

With that, you're done!

Here are some points you should take note of:

Important Note #1: The channel-group ID only has local significance. In this example, DeviceA assigns Port-channel300 while DeviceB uses Port-channel500.

Important Note #2: The VLANs trunked on the port-channel interface and the member interfaces should match. If there is a mismatch, the status of the interfaces will be down.

Important Note #3: The actual syntax would vary, depending on the IOS image currently being used. Here's a general hint: IOS 12.0 uses the "port group" interface command, while IOS 12.1 onwards uses the "channel-group" interface command.

MPLS


MPLS Label Distribution Parameters

MPLS Label Distribution Parameter Options:

  Parameter            Option 1                  Option 2
  Label Space          Per-Interface             Per-Platform
  Label Distribution   Unsolicited Downstream    Downstream-on-Demand
  Label Allocation     Independent Control Mode  Ordered Control Mode
  Label Retention      Liberal Label Retention   Conservative Label Retention

Label Space Options

Per-Platform Labels
  • LFIB: [Label | Action | Next Hop ]
  • one label assigned to a destination network and announced to all neighbors
  • locally unique, valid on all incoming interfaces
  • smaller LFIB, FIB; faster label exchange
  • less secure than per-interface labels; label-spoofing
  • default in Frame-Mode MPLS
Per-Interface Labels
  • LFIB:[IN intf | IN Label | NH intf | NH Label]
  • one label for each destination, each device, each interface
  • secure; prevents label-spoofing; labeled packets/ATM cells only accepted from interface where label is assigned
  • default in Cell-Mode MPLS

Label Distribution

Unsolicited Downstream
  • label advertised to all neighbor LSRs, regardless of whether upstream or downstream
  • Frame-Mode
Downstream-On-Demand
  • label advertised only upon request of upstream LSR
  • cell-mode

Label Allocation 

Independent Control
  • LSR can assign a label for a prefix w/o outgoing/downstream label
  • for edge LSRs only (requires L3 capabilities)
  • faster label propagation
  • for unsolicited downstream / frame-mode
Ordered Control
  • local label allocated and propagated only once a next-hop (downstream) label exists
  • if a next-hop label exists, allocate and propagate the local label; else request a label from the next hop
  • for downstream-on-demand/cell-mode


Label Retention

Liberal Label Retention
  • all received labels are stored in the LIB, even if not from the next-hop LSR
  • improves convergence speed; allows easy failover on link failures
  • frame-mode

Conservative Label Retention
  • only labels received from next-hop LSRs are stored; others are ignored
  • downstream-on-demand/cell-mode


Standard Parameter Sets for Cisco Platforms

  Parameter            Routers, frame interfaces   Routers, ATM interfaces   ATM switches
  Label Space          per-platform                per-interface             per-interface
  Label Distribution   unsolicited downstream      downstream-on-demand      downstream-on-demand
  Label Allocation     independent control         independent control       ordered control
  Label Retention      liberal label retention     conservative OR liberal   conservative

BGP


BGP Route Dampening

At a Glance:
  • designed to reduce router processing load caused by unstable routes;
  • prevents sustained routing oscillations without affecting well-behaved routes;
  • RFC 2439: BGP Route Flap Dampening;
  • minimizes BGP updates by suppressing unstable routes.
Route-Dampening Operation:
  • EBGP route flaps = 1000 penalty points
    • IBGP route flaps not dampened;
    • penalty not user-configurable;
  • penalty decays via exponential decay algorithm
    • if penalty > suppress limit, route is dampened
    • if penalty < reuse limit, dampened route is propagated
    • if penalty < 1/2 reuse limit, flap history forgotten
  • route is never dampened more than the maximum suppress time limit
  • unreachable route with flap history is in history state (still in BGP table to retain flap history)
  • penalty is applied to an individual path, not the prefix

Configuring Route Dampening:
router(config-router)#
bgp dampening [half-life reuse suppress max-suppress-time] [route-map route-map-name]
  half-life          time for the penalty to halve (default 15 minutes)
  reuse              penalty below which a dampened route is reused (default 750)
  suppress           penalty above which a route is suppressed (default 2000)
  max-suppress-time  maximum time a route is suppressed (default 1 hour; maximum 255 minutes)

router(config-route-map)#
set dampening half-life reuse suppress max-suppress-time
- used for less aggressive dampening of routes towards root DNS servers
- dampening of smaller prefixes more aggressively
- selective dampening based on BGP neighbors and route-map match criteria

Other Commands:
clear ip bgp ip_addr flap-statistics [{regexp regexp} | {filter-list listname} | {ipaddr mask} ]
clear ip bgp dampening [ipaddr mask]
show ip bgp dampened-paths
show ip bgp flap-statistics [{regexp regexp}|{filter-list listname}|{ipaddr mask [longer-prefix]}]
debug ip bgp dampening
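
The penalty, decay and threshold rules above are easier to reason about when worked through numerically. The following is an added example, not from the original post: it applies the IOS defaults (half-life 15 min, reuse 750, suppress 2000, max-suppress-time 60 min) to a constructed sequence of flaps and shows when the path is suppressed, how long until it is reused, and why the penalty ceiling of reuse x 2^(max-suppress-time/half-life) guarantees the maximum suppress time.

```python
"""BGP route-flap dampening arithmetic (RFC 2439 / IOS 'bgp dampening').

Added example, not from the original post: it applies the penalty and decay rules listed
above with the IOS defaults (half-life 15 min, reuse 750, suppress 2000, max-suppress-time
60 min) to a constructed flap sequence.
"""
import math
from dataclasses import dataclass

FLAP_PENALTY = 1000  # per EBGP flap; fixed, not user-configurable


@dataclass
class Dampening:
    half_life: float = 15.0     # minutes for the penalty to halve
    reuse: float = 750.0        # route is re-advertised once the penalty decays below this
    suppress: float = 2000.0    # route is suppressed once the penalty exceeds this
    max_suppress: float = 60.0  # minutes; longest a route may stay suppressed

    def max_penalty(self):
        """IOS caps the penalty so it always decays to the reuse limit within max-suppress-time:
        reuse * 2^(max_suppress / half_life), i.e. 750 * 2^4 = 12000 with the defaults."""
        return self.reuse * 2 ** (self.max_suppress / self.half_life)

    def decay(self, penalty, minutes):
        """Exponential decay: the penalty halves every half_life minutes."""
        return penalty * 0.5 ** (minutes / self.half_life)

    def reuse_after(self, penalty):
        """Minutes until the penalty decays to the reuse limit (0 if already below it)."""
        if penalty <= self.reuse:
            return 0.0
        return self.half_life * math.log2(penalty / self.reuse)


def simulate(flap_minutes, params=None):
    """Apply flaps (timestamps in minutes) to one path.

    Returns (time, penalty, suppressed, minutes_until_reuse) after each flap.
    """
    params = params or Dampening()
    penalty, last_t, suppressed, history = 0.0, 0.0, False, []
    for t in flap_minutes:
        penalty = params.decay(penalty, t - last_t)
        last_t = t
        if suppressed and penalty < params.reuse:   # decayed past the reuse limit: reinstated
            suppressed = False
        penalty = min(penalty + FLAP_PENALTY, params.max_penalty())
        if penalty > params.suppress:               # crossed the suppress limit: dampened
            suppressed = True
        history.append((t, round(penalty), suppressed, round(params.reuse_after(penalty), 1)))
    return history


if __name__ == "__main__":
    # Constructed scenario: three flaps a minute apart, then one more after a long quiet period.
    for t, pen, sup, reuse_in in simulate([0, 1, 2, 90]):
        state = "SUPPRESSED" if sup else "advertised"
        print(f"t={t:>3} min  penalty={pen:>5}  {state:<10}  reuse in {reuse_in} min")
```

With the defaults the third flap within two minutes pushes the penalty to about 2867, past the suppress limit, and the path is reused roughly 29 minutes later; a path sitting at the 12000 ceiling decays to exactly 750 after 60 minutes.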

Monday, May 23, 2011

BGP: Regular Expressions for AS-PATH Filtering

  Symbol   Description
  |        logical OR
  .        match any single character
  [x..y]   match one character in the range
  ^        match beginning of string
  $        match end of string
  _        match any delimiter / white space
  ( )      group as a single atom
  *        match 0 or more instances of the previous atom
  ?        match 0 or 1 instance of the previous atom
  +        match 1 or more instances of the previous atom
  \        escape character; if followed by a number n, refers to the nth atom


Example 1: Advertise routes with empty AS-PATH (internal routes)

router bgp 123
 neighbor 5.6.7.8 remote-as 387
 neighbor 5.6.7.8 filter-list 1 out
!
ip as-path access-list 1 permit ^$
!match "blank" atom at the "start" and "end" of string
!



Example 2: Accept only default routes, preferring primary route based on AS PATH:


          AS387 (primary ISP)
         /
  AS123
         \
          AS462 (backup ISP)

router bgp 123
 neighbor 1.2.3.4 remote-as 462
 neighbor 1.2.3.4 route-map FILTER in
 neighbor 5.6.7.8 remote-as 387
 neighbor 5.6.7.8 route-map FILTER in
!
route-map FILTER permit 10
! default routes from primary ISP (AS 387) accepted are preferred (larger weight)
 match ip prefix-list DEFAULT_ONLY
 match as-path 10
 set weight 150
!
route-map FILTER permit 20
! default routes from backup ISP are accepted, with lower preference than primary ISP routes
 match ip prefix-list DEFAULT_ONLY
 set weight 100
!
ip as-path access-list 10 permit _387$
ip prefix-list DEFAULT_ONLY seq 10 permit 0.0.0.0/0
!



Example 3: AS PATH Filtering with AS Path Prepending:
- customer in AS123 is performing AS-PATH prepending

  AS123
  10.0.0.1 \
            \
             AS462


router bgp 387
 neighbor 10.0.0.1 remote-as 123
 neighbor 10.0.0.1 filter-list 10 in
!
ip as-path access-list 10 permit ^123(_123)*$
! accepts "123", "123 123", or "123 123 123"



Example 4: AS PATH Filtering with AS Path Prepending, multiple customers:
- multiple customers performing AS PATH Prepending

  Customer 1
            \
  Customer 2 -- AS387
            /
  Customer 3

!
router bgp 387
 neighbor 10.0.0.1 remote-as 123
 neighbor 10.0.0.1 filter-list 10 in
 neighbor 20.0.0.1 remote-as 456
 neighbor 20.0.0.1 filter-list 10 in
 neighbor 30.0.0.1 remote-as 789
 neighbor 30.0.0.1 filter-list 10 in
!
ip as-path access-list 10 permit ^([0..9]+)(_\1)*$
! accepts repeating instances of "123", "456", and "789"
! does not accept non-repeating strings (e.g. "123 123 100")
!

Notes:
atom 1 = at least one instance of a number at the beginning of the string;
atom 2 = 0 or more instances of a whitespace and atom 1 until the end of the string.
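
The four filters above can be checked offline before they go into an as-path access-list. The following is an added example, not from the original post: it rewrites the IOS regex flavour into Python's re syntax and runs each permit statement over a constructed set of AS paths. Assumptions: "_" expands to the IOS delimiter set (start/end of string, space, comma, braces, parentheses), and the "[x..y]" range notation used above is rewritten as a standard "[x-y]" range.

```python
"""Cisco IOS as-path regular expressions, checked offline (added example, not from the post).

Translates the IOS-flavoured syntax of the four examples above into Python's re syntax
and runs the filters over constructed AS paths.
"""
import re

DELIM = r"(?:^|$|[ ,{}()])"   # what IOS "_" matches: string edges, space, comma, braces, parens


def cisco_to_python(expr):
    """Rewrite an IOS as-path regex as an equivalent Python pattern (\\1 backrefs pass through)."""
    out, i = [], 0
    while i < len(expr):
        ch = expr[i]
        if ch == "\\" and i + 1 < len(expr):      # escaped char or backreference: copy both
            out.append(expr[i:i + 2])
            i += 2
        elif ch == "_":
            out.append(DELIM)
            i += 1
        elif ch == "[":                           # bracket expression: "0..9" -> "0-9" (assumption)
            j = expr.index("]", i)
            out.append(expr[i:j + 1].replace("..", "-"))
            i = j + 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def as_path_matches(expr, as_path):
    """True if the IOS regex matches the AS path (unanchored search, as IOS filter-lists do)."""
    return re.search(cisco_to_python(expr), as_path) is not None


def apply_filter(expr, as_paths):
    """Return the AS paths an 'ip as-path access-list ... permit <expr>' would accept."""
    return [p for p in as_paths if as_path_matches(expr, p)]


# Constructed AS paths: "" is a locally originated route; the rest are as seen from the ISP.
PATHS = ["", "387", "462 387", "387 462", "1387", "123", "123 123 123",
         "123 123 100", "456 456", "123 456"]

FILTERS = {                      # the four permit statements from the examples above
    "Example 1": r"^$",
    "Example 2": r"_387$",
    "Example 3": r"^123(_123)*$",
    "Example 4": r"^([0..9]+)(_\1)*$",
}

if __name__ == "__main__":
    for name, expr in FILTERS.items():
        print(f"{name}: {expr!r:24} -> {cisco_to_python(expr)}")
        print("   accepts:", [p or "<empty>" for p in apply_filter(expr, PATHS)])
```

Note that the Example 4 filter also accepts any single-AS path (for instance "387"), since one AS followed by zero repetitions satisfies it; the "_" expansion is what keeps "_387$" from matching "1387".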

Wednesday, May 4, 2011

BGP Path Attributes and Route Selection

BGP Path Attributes

Mandatory Well-Known
 Origin (i, e, ?)
 AS-Path (sequence of AS-Numbers to access network/IP)
 Next-Hop (ip address)
Discretionary Well-Known
 Local Preference (for routing policy)
 Atomic Aggregate (flags route if aggregated)
Optional Non-Transitive
 Multi-Exit Discriminator (MED) - multiple entry pts to one AS
 Originator-ID - for route reflector environment
 Cluster-List - for route reflector environment
Optional Transitive
 Aggregator - IP address & AS of routers that aggregated routes
 Community - for route tagging


BGP Route Selection Order:
  1. Prefer highest weight (local to router)
  2. Prefer highest local preference (global within AS)
  3. Prefer routes that the router originated
  4. Prefer shorter AS paths
  5. Prefer lowest origin code (IGP < EGP < Incomplete)
  6. Prefer lowest MED
  7. Prefer external (EBGP) paths over internal (IBGP)
    1. For IBGP paths, prefer nonreflected routes (no originator-ID) over reflected routes
    2. For reflected routes, prefer shorter cluster-list
  8. For IBGP paths, prefer path through closest IGP neighbor
  9. For EBGP paths, prefer oldest (most stable) path
  10. Prefer paths from router with the lower BGP router-ID

BGP: Multihomed Customer to Single ISP in Load-Sharing Setup with Static Routes

Outbound Traffic (CE to PE):
- each customer router uses closest CE as exit point;
- CE routers must be collocated to have load-sharing;

Inbound/Return Traffic (PE to CE) (pre-IOS 12.2):
- true load-sharing is impossible to achieve with multiple PEs;
- per BGP route selection, only one route will be the best route (to the customer network)
- can be optimized by dividing the customer address space

Customer Network: 11.2.3.0 /24
Customer Network "division" assigned to PE1: 11.2.3.0/25
Customer Network "division" assigned to PE2: 11.2.3.128/25

BGP: Multihomed Customer to Single ISP in Primary-Backup Setup with Static Routes

Scenario:
Multihomed customer connected to a single service provider on multiple permanent links;
Customer network using OSPF; provider network using BGP; CE-PE via static routing;
Floating static routes configured as backup on both CE and PE;

Floating Static Routes in BGP:
Once active, the floating static routes will be permanently installed in BGP, because static routes are locally sourced and therefore preferred;
  • admin distance cannot be used in route-maps; hence, use communities
  • tag floating static routes; tags mapped to specific communities;
  • use route maps to modify the weight and/or local preference;
  • default weight: 32768

Wednesday, April 15, 2009

IOS: %BGP_MPLS-3-GEN_ERROR


Mar 18 20:41:38.892 EDT: %BGP_MPLS-3-GEN_ERROR: BGP: MPLS outlabel changed, MPLS forw not updated, prefix not in routing table -Traceback= 10D36950 10D3709C 10B10388 10B10718 10AEEFD0 10AEF030 10B53A50 10B53DC0 10AF588C 10AFD610 10AFE8E0 10A44524 10A3B6D4
Mar 18 20:41:38.892 EDT: %BGP_MPLS-3-GEN_ERROR: BGP: MPLS outlabel changed, MPLS forw not updated, prefix not in routing table -Traceback= 10D36950 10D3709C 10B10388 10B10718 10AEEFD0 10AEF030 10B53A50 10B53DC0 10AF588C 10AFD610 10AFE8E0 10A44524 10A3B6D4
Mar 18 20:41:38.892 EDT: %BGP_MPLS-3-GEN_ERROR: BGP: MPLS outlabel changed, MPLS forw not updated, prefix not in routing table -Traceback= 10D36950 10D3709C 10B10388 10B10718 10AEEFD0 10AEF030 10B53A50 10B53DC0 10AF588C 10AFD610 10AFE8E0 10A44524 10A3B6D4


Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500e-ENTSERVICES-M), Version
12.2(50)SG1, RELEASE SOFTWARE (fc2)
Technical Support:
http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Tue 10-Feb-09 00:17 by prod_rel_team
Image text-base: 0x10000000, data-base: 0x124FED8C

ROM: 12.2(44r)SG
Darkside Revision 0, Jawa Revision 11, Tatooine Revision 140, Forerunner Revision 1.74

MyRouter uptime is 5 days, 3 hours, 12 minutes
System returned to ROM by power-on
System restarted at 19:50:40 EDT Fri Mar 13 2009
System image file is "bootflash:/cat4500e-entservices-mz.122-50.SG1.bin"

cisco WS-C4900M (MPC8548) processor (revision 2) with 524288K bytes of memory.
Processor board ID JAE130628BD
MPC8548 CPU at 1.33GHz, Cisco Catalyst 4900M
Last reset from PowerUp
1 Virtual Ethernet interface
36 Gigabit Ethernet interfaces
16 Ten Gigabit Ethernet interfaces
511K bytes of non-volatile configuration memory.

Configuration register is 0x2102



CSCse15707: Trace back seen at bgp_ipv4_mpls_label_change.

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCse15707

Basic PIX Configuration


This should be your most basic configuration if you want your PIX to have internet access, assuming there is no other blocking/filtering device between the PIX and the internet:

Topology:
PIX inside: 192.168.102.254 /24
PIX outside: 10.199.248.50 /24
ISP/default gateway: 10.199.248.254 /24



PIX 6.X Configuration:
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 10.199.248.50 255.255.255.0
ip address inside 192.168.102.254 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0 0
route outside 0 0 10.199.248.254 1


PIX 7.X Configuration
interface Ethernet0
 no shutdown
 nameif outside
 ip address 10.199.248.50 255.255.255.0
interface Ethernet1
 no shutdown
 nameif inside
 ip address 192.168.102.254 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0 0
route outside 0 0 10.199.248.254


Notes:
There are slight differences between PIX OS versions, but the principle is the same. First, configure the interfaces. Next, configure translation (shown here is the simplest NAT). Lastly, configure the default route.

Friday 24 January 2014

MYSQL Database Create

Create a MySQL Database, Tables and Insert Data
How do I create a MySQL database, tables, and insert (store) data into newly created tables?

MySQL is a free and open source database management system. You need to use SQL commands to create a database, and you need to log in as the MySQL root user. To create a database and set up tables, use the following SQL commands:
1.  CREATE DATABASE - creates the database. To use this statement, you need the CREATE privilege for the database.
2.  CREATE TABLE - creates the table. You must have the CREATE privilege for the table.
3.  INSERT - adds data to a table, i.e. inserts new rows into an existing table.
Procedure for creating a database and a sample table
Login as the mysql root user to create database:
$ mysql -u root -p
Sample outputs:
mysql>
Add a database called books, enter:
mysql> CREATE DATABASE books;
Now, database is created. Use a database with use command, type:
mysql> USE books;
Next, create a table called authors with name, email and id as fields:
mysql> CREATE TABLE authors (id INT, name VARCHAR(20), email VARCHAR(20));
To display your tables in books database, enter:
mysql> SHOW TABLES;
Sample outputs:
+-----------------+
| Tables_in_books |
+-----------------+
| authors         |
+-----------------+
1 row in set (0.00 sec)
Finally, add data (a row) to the authors table using the INSERT statement:
mysql> INSERT INTO authors (id,name,email) VALUES(1,"Vivek","xuz@abc.com");
Sample outputs:
Query OK, 1 row affected (0.00 sec)
Try to add few more rows to your table:
mysql> INSERT INTO authors (id,name,email) VALUES(2,"Priya","p@gmail.com");
mysql> INSERT INTO authors (id,name,email) VALUES(3,"Tom","tom@yahoo.com");
To display all rows i.e. data stored in authors table, enter:
mysql> SELECT * FROM authors;
Sample outputs:
+------+-------+---------------+
| id   | name  | email         |
+------+-------+---------------+
|    1 | Vivek | xuz@abc.com   |
|    2 | Priya | p@gmail.com   |
|    3 | Tom   | tom@yahoo.com |
+------+-------+---------------+
3 rows in set (0.00 sec)


Share Folder Linux

How to install Samba server on CentOS 6

Part 1: Configuring anonymous share with samba server
To install the samba package, enter the following command:
sudo yum install samba samba-client samba-common
Check the version of installed samba software by using this command:
smbd --version
Configure the samba service so that it starts automatically at boot time:
sudo chkconfig smb on
sudo chkconfig nmb on
Disable SELinux:
sudo nano /etc/selinux/config
Change SELinux from enforcing to disabled:
SELINUX=disabled
Add these iptables rules so that the Samba ports are reachable:
sudo iptables -I INPUT 4 -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
sudo iptables -I INPUT 5 -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
sudo iptables -I INPUT 6 -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
sudo service iptables save
Restart the Server!!!
Go to your Windows machine and use this command in order to check the WORKGROUP name:
net config workstation
Backup the smb.conf file, then delete it and create the new one:
sudo cp /etc/samba/smb.conf /etc/samba/smb.conf.bak
sudo rm /etc/samba/smb.conf
sudo touch /etc/samba/smb.conf
sudo nano /etc/samba/smb.conf
Add these lines, in your smb.conf file (or change it according to your requirement):
#======================= Global Settings =====================================
[global]
 workgroup = WORKGROUP
 security = share
 map to guest = bad user
#============================ Share Definitions ==============================
[MyShare]
 path = /samba/share
 browsable = yes
 writable = yes
 guest ok = yes
 read only = no
Save the smb.conf file and restart the service:
sudo service smb restart
sudo service nmb restart
Access the samba share from Windows (where centos is the name of my samba server). We are able to access the samba share successfully. Next, try to create something inside the share folder: this fails, we cannot create anything inside the share folder.
Check the current permission on the samba share:
cd /samba/
ls -l
Change it so that everyone can read and write it (check that this is allowed in your environment):
sudo chmod -R 0777 share
ls -l
Try to create something again inside the share folder; this time it works.
Verify the newly created file on samba server:
cd share/
ls -l
Part 2: Add and manage users and groups
Add a group in your CentOS server (in my case smbgrp):
sudo groupadd smbgrp
Create a new share, set the permission on the share:
cd /samba/
sudo mkdir secure
sudo chown -R arbab:smbgrp secure/ 
ls -l 
sudo chmod -R 0770 secure/
ls -l
Add the user to the samba group and create samba password:
sudo usermod -a -G smbgrp arbab
sudo smbpasswd -a arbab
Edit the smb.conf file:
sudo nano /etc/samba/smb.conf
Add the newly created samba share in smb.conf file:
[Secure]
path = /samba/secure
 valid users = @smbgrp
 guest ok = no
 writable = yes
 browsable = yes
Restart the samba service:
sudo service smb restart
sudo service nmb restart
Check the syntax error with testparm:
sudo testparm
Test the Secure share from the Windows machine, connecting as a user that is a member of smbgrp.
Verification from CentOS server:
cd /samba/secure/
ls -l 