Saturday, June 23, 2012

OSPF Network Types

  • Broadcast: This network type uses the multicast addresses 224.0.0.5 and 224.0.0.6; a DR/BDR election is done between the neighbors.
  • Point-to-point: This network type uses the multicast address 224.0.0.5 and no DR/BDR election is performed between the neighbors.
  • Point-to-multipoint: This network type uses the multicast address 224.0.0.5 and no DR/BDR election is performed between the neighbors. Routers install /32 host routes for the endpoints.
  • Non-broadcast: This network type uses unicast instead of multicast. Neighbors need to be defined statically and a DR/BDR election is done.
  • Point-to-multipoint non-broadcast: Combines the attributes of both the point-to-multipoint and non-broadcast network types.

Friday, June 15, 2012

Dynamic IP Address assignment using FreeRadius IP POOL or radippool table

The following steps need to be performed to configure a user for a dynamic IP setup:
  • Add the username/password to the “radcheck” table.
  • Map the user to the relevant dynamic user group in the “radusergroup” table.
  • Map the dynamic user group to the value of the “Pool-Name” attribute in the “radgroupcheck” table.
  • Populate the “radippool” table with the dynamic IP addresses and the relevant pool name.

Example: configure a dynamic IP user setup for 254 users. The following data will be used for our example:

 Username:  foo@domain
 Groupname: dynamic_test
 Pool-Name: dynamic_pool
 IP range: 10.10.10.1/24
 First, add the user “foo@domain” to the “radcheck” table.

  • Map the user “foo@cerberus” to the group “dynamic_test” in the “radusergroup” table, e.g.
 Username       : Groupname     : Priority
 foo@cerberus   : dynamic_test  : 1

  • Map the dynamic user group (dynamic_test) to the Pool-Name attribute in the “radgroupcheck” table:
 Groupname      : Attribute     : Op    : Value
 dynamic_test   : Pool-Name     : :=    : dynamic_pool

  • Add the IP addresses into the “radippool” table, as:
 Pool_name      : Framedipaddress
 dynamic_pool   : 10.10.10.1
 dynamic_pool   : 10.10.10.2
 ...            : ...
 dynamic_pool   : 10.10.10.254
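The four steps above, carried out end to end as an added example (this is not code from the original post or from the FreeRADIUS project). It runs against an in-memory SQLite copy of the four tables so it works offline; the table and column names follow the FreeRADIUS SQL schema, but the schema here is a constructed subset (columns such as radippool.nasipaddress, expiry_time, username and pool_key are left out). The user, group, pool name and 10.10.10.1/24 range are the post's own sample data; the password is a constructed placeholder. All statements are parameterised, and the last two functions show the checks you would run afterwards: which pool a given user resolves to, and how many addresses the pool holds.

```python
"""Provision a FreeRADIUS dynamic-IP user (radcheck -> radusergroup ->
radgroupcheck -> radippool) and verify the result. Added example."""
import ipaddress
import sqlite3

# Constructed stand-ins for the four FreeRADIUS tables the post uses.
# Real FreeRADIUS schemas carry more columns (e.g. radippool.nasipaddress,
# expiry_time, username, pool_key); they are omitted for this demo.
SCHEMA = """
CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT NOT NULL,
    attribute TEXT NOT NULL, op TEXT NOT NULL, value TEXT NOT NULL);
CREATE TABLE radusergroup (username TEXT NOT NULL, groupname TEXT NOT NULL,
    priority INTEGER NOT NULL DEFAULT 1);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, groupname TEXT NOT NULL,
    attribute TEXT NOT NULL, op TEXT NOT NULL, value TEXT NOT NULL);
CREATE TABLE radippool (id INTEGER PRIMARY KEY, pool_name TEXT NOT NULL,
    framedipaddress TEXT NOT NULL, UNIQUE (pool_name, framedipaddress));
"""


def provision_dynamic_user(conn, username, password, groupname, pool_name, cidr):
    """Perform the post's four steps with parameterised statements.

    Returns the number of host addresses written to radippool."""
    # Step 1: credentials. FreeRADIUS reads the password from radcheck as the
    # Cleartext-Password check attribute.
    conn.execute(
        "INSERT INTO radcheck (username, attribute, op, value) VALUES (?, ?, ?, ?)",
        (username, "Cleartext-Password", ":=", password))
    # Step 2: user -> dynamic user group.
    conn.execute(
        "INSERT INTO radusergroup (username, groupname, priority) VALUES (?, ?, 1)",
        (username, groupname))
    # Step 3: group -> Pool-Name check attribute (the ':=' op from the post).
    conn.execute(
        "INSERT INTO radgroupcheck (groupname, attribute, op, value) VALUES (?, ?, ?, ?)",
        (groupname, "Pool-Name", ":=", pool_name))
    # Step 4: every usable host address of the range goes into radippool.
    # strict=False accepts the post's "10.10.10.1/24" (host bits set) as 10.10.10.0/24.
    hosts = list(ipaddress.ip_network(cidr, strict=False).hosts())
    conn.executemany(
        "INSERT INTO radippool (pool_name, framedipaddress) VALUES (?, ?)",
        [(pool_name, str(h)) for h in hosts])
    conn.commit()
    return len(hosts)


def pool_for_user(conn, username):
    """Follow radusergroup -> radgroupcheck to the Pool-Name a user is mapped to.

    Returns None when the user has no group or the group carries no Pool-Name."""
    row = conn.execute(
        """SELECT gc.value
             FROM radusergroup ug
             JOIN radgroupcheck gc ON gc.groupname = ug.groupname
            WHERE ug.username = ? AND gc.attribute = 'Pool-Name'
            ORDER BY ug.priority
            LIMIT 1""",
        (username,)).fetchone()
    return row[0] if row else None


def pool_size(conn, pool_name):
    """Number of addresses currently held in a pool."""
    return conn.execute(
        "SELECT COUNT(*) FROM radippool WHERE pool_name = ?",
        (pool_name,)).fetchone()[0]


def build_demo():
    """Set up the post's example (254 users on 10.10.10.1/24) in memory."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    added = provision_dynamic_user(
        conn, "foo@domain", "placeholder-password",   # constructed password
        "dynamic_test", "dynamic_pool", "10.10.10.1/24")
    return conn, added


if __name__ == "__main__":
    db, n = build_demo()
    print(f"addresses in pool: {n}")
    print("foo@domain draws from:", pool_for_user(db, "foo@domain"))
```

The join in pool_for_user is the same chain the server walks at authentication time, so it is a cheap way to confirm a new user was wired up correctly before testing with a real RADIUS client.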

Monday, June 11, 2012

Packet Sniffer on Fortigate Firewall

There has always been an embedded packet capture in the FortiGate CLI, which can be accessed using the command below:

diagnose sniffer packet <interface> '<filter>' <level>
e.g.
diagnose sniffer packet wan1 'icmp and host 10.10.10.1' 4
(verbosity level 4 prints the packet headers together with the interface name)

Now in FortiOS 4.0 MR3, Fortinet has incorporated a packet sniffer into the GUI, which can be used to set up a capture and download the PCAP file for further analysis.

The screenshots show the greyed-out options available with it and, below them, the capture settings.

It can be used for real-time troubleshooting and works like a charm..!!

Sunday, June 10, 2012

Cisco ADSL PPPoE Sample Configuration

service timestamps debug datetime msec
service timestamps log datetime msec
vpdn enable
no vpdn logging
vpdn-group pppoe
 request-dialin
  protocol pppoe
!--- These commands are needed only on Cisco IOS Software earlier than 12.2(13)T.
!
!
ip subnet-zero
!
!--- For DHCP:
ip dhcp excluded-address
ip dhcp pool
 network
 default-router
 dns-server
!
interface ethernet0 
no shut 
ip address
ip tcp adjust-mss 1452
!--- If the ip tcp adjust-mss 1452 command is not supported, try this
!--- configuration statement: ip adjust-mss 1452. If this command is not
!--- supported in your current Cisco DSL Router software release, upgrade to the
!--- latest Cisco DSL Router software or follow the procedure in the
!--- "Possible Required Configuration Steps on the PC" section of this document.
!--- For NAT:
ip nat inside
no ip directed-broadcast
!
interface atm0
no ip address
bundle-enable
dsl operating-mode auto
!
interface atm0.1 point-to-point
no ip address
no ip directed-broadcast
no atm ilmi-keepalive
pvc
  pppoe-client dial-pool-number 1
!--- Common PVC values supported by ISPs are 0/35 or 8/35.
!--- Confirm your PVC values with your ISP.
!
!
interface dialer1
ip address
mtu 1492
!--- For NAT:
ip nat outside
encapsulation ppp
dialer pool 1
ppp chap hostname
ppp chap password
ppp pap sent-username password
!
!--- For NAT:
ip nat inside source list 1 interface dialer1 overload
!--- If you have a pool (a range) of public IP addresses provided
!--- by your ISP, you can use a NAT Pool. Replace
!--- ip nat inside source list 1 interface dialer1 overload
!--- with these two configuration statements:
!--- ip nat inside source list 1 pool overload
!--- ip nat pool netmask
!--- If Internet users require access to an internal server, you can
!--- add this static NAT configuration statement:
!--- ip nat inside source static tcp {80 or 25} {80 or 25} extendable
!--- Note: TCP port 80 (HTTP/web) and TCP port 25 (SMTP/mail) are used
!--- for this example. You can open other TCP or UDP ports, if needed.
!
ip classless
ip route 0.0.0.0 0.0.0.0 interface dialer1
!--- For NAT:
access-list 1 permit
!--- In this configuration, access-list 1 defines a standard access list
!--- that permits the addresses that NAT translates. For example, if
!--- your private IP network is 10.10.10.0, configure
!--- access-list 1 permit 10.10.10.0 0.0.0.255 in order to allow NAT to translate
!--- packets with source addresses between 10.10.10.0 and 10.10.10.255.
!
end


Source : Cisco.com

Cisco ADSL PPPoA Sample Configuration

!--- Comments contain explanations and additional information.

service timestamps debug datetime msec
service timestamps log datetime msec
ip subnet-zero
!
!--- For DHCP:
ip dhcp excluded-address
ip dhcp pool
 network
 default-router
 dns-server
!
interface ethernet0
no shut
ip address
!--- For NAT:
ip nat inside
no ip directed-broadcast
!
interface atm0
no shut
no ip address
no ip directed-broadcast
no ip mroute-cache
pvc
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!--- Common PVC values supported by ISPs are 0/35 or 8/35.
!--- Confirm your PVC values with your ISP.
!
interface dialer1
ip address
!--- Use "ip address negotiated" instead if the ISP assigns the address dynamically.
no ip directed-broadcast
!--- For NAT:
ip nat outside
encapsulation ppp
dialer pool 1
ppp chap hostname
ppp chap password
ppp pap sent-username password
!
!--- For NAT:
ip nat inside source list 1 interface dialer1 overload
!--- If you have a pool (a range) of public IP addresses provided
!--- by your ISP, you can use a NAT Pool. Replace
!--- ip nat inside source list 1 interface dialer1 overload
!--- with these two configuration statements:
!--- ip nat inside source list 1 pool overload
!--- ip nat pool netmask
!--- If Internet users require access to an internal server, you can
!--- add this static NAT configuration statement:
!--- ip nat inside source static tcp {80 or 25} {80 or 25} extendable
!--- Note: TCP port 80 (HTTP/web) and TCP port 25 (SMTP/mail) are used
!--- for this example. You can open other TCP or UDP ports, if needed.
!
ip classless
ip route 0.0.0.0 0.0.0.0 dialer1
!--- For NAT:
access-list 1 permit
!--- In this configuration, access-list 1 defines a standard access list
!--- that permits the addresses that NAT translates. For example, if
!--- your private IP network is 10.10.10.0, configure
!--- access-list 1 permit 10.10.10.0 0.0.0.255 in order to allow NAT to translate
!--- packets with source addresses between 10.10.10.0 and 10.10.10.255.
!
end



Source : Cisco.com

Restrict SSH access to Management IP address ranges - Juniper EX Switches

People from the Cisco world always wonder how to restrict SSH access to a Juniper EX switch to a few hosts or ranges. Here is how y...