tag:blogger.com,1999:blog-40677948478614850892024-03-05T11:06:36.518+05:30Vinzoda's Networking BlogAll about NetworkingHitesh Vinzodahttp://www.blogger.com/profile/14249050675333718818noreply@blogger.comBlogger17125tag:blogger.com,1999:blog-4067794847861485089.post-69979990210540608562013-11-29T21:53:00.000+05:302013-11-29T21:55:03.808+05:30Restrict SSH access to Management IP address ranges - Juniper EX Switches<div dir="ltr" style="text-align: left;" trbidi="on">
People coming from the Cisco world often wonder how to restrict SSH access to a Juniper EX switch to a few hosts or address ranges.<br />
<br />
Here is how you do it.<br />
<br />
<b>Add IP address to Loopback interface</b><br />
<br />
<span style="font-family: Courier New, Courier, monospace;">set interfaces lo0 unit 0 family inet address 127.0.0.1/32</span><br />
<br />
<b>Create a filter with allowed hosts or subnets</b><br />
<br />
<b>Term "SSH" permits the source management addresses</b><br />
<br />
<span style="font-family: Courier New, Courier, monospace;">set firewall family inet filter RE_MANAGEMENT term SSH from source-address 10.80.0.0/21</span><br />
<span style="font-family: Courier New, Courier, monospace;">set firewall family inet filter RE_MANAGEMENT term SSH from protocol tcp</span><br />
<span style="font-family: Courier New, Courier, monospace;">set firewall family inet filter RE_MANAGEMENT term SSH from destination-port ssh</span><br />
<span style="font-family: Courier New, Courier, monospace;">set firewall family inet filter RE_MANAGEMENT term SSH then count allow.ssh</span><br />
<span style="font-family: Courier New, Courier, monospace;">set firewall family inet filter RE_MANAGEMENT term SSH then accept</span><br />
<br />
<b>Term "SSH_BLOCK" denies any other IP address trying to SSH to the box</b><br />
<br />
<span style="font-family: Courier New, Courier, monospace;">set firewall family inet filter RE_MANAGEMENT term SSH_BLOCK from protocol tcp</span><br />
<span style="font-family: Courier New, Courier, monospace;">set firewall family inet filter RE_MANAGEMENT term SSH_BLOCK from destination-port ssh</span><br />
<span style="font-family: Courier New, Courier, monospace;">set firewall family inet filter RE_MANAGEMENT term SSH_BLOCK then count discard.ssh</span><br />
<span style="font-family: Courier New, Courier, monospace;">set firewall family inet filter RE_MANAGEMENT term SSH_BLOCK then discard</span><br />
<br />
<b>And then a permit-all term for everything else</b><br />
<br />
<span style="font-family: Courier New, Courier, monospace;">set firewall family inet filter RE_MANAGEMENT term default then accept</span><br />
<br />
In the Juniper world, all control-plane traffic destined to the switch itself is processed via the loopback interface, whichever physical interface it arrived on, so we apply the filter inbound on lo0.<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">set interfaces lo0 unit 0 family inet filter input RE_MANAGEMENT</span><br />
<br />
You can see the counters with the command below<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">show firewall filter RE_MANAGEMENT </span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">Filter: RE_MANAGEMENT </span><br />
<span style="font-family: Courier New, Courier, monospace;">Counters:</span><br />
<span style="font-family: Courier New, Courier, monospace;">Name Bytes Packets</span><br />
<span style="font-family: Courier New, Courier, monospace;">allow.ssh 38023 370</span><br />
<span style="font-family: Courier New, Courier, monospace;">discard.ssh 0 0</span><br />
<br />
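The filter above is evaluated top to bottom and the first matching term wins; a packet that matches no term at all hits the implicit discard at the end of every Junos filter, which is why the final "default" term matters. The following Python model of that evaluation is an added example written for this post (not Junos code and not the author's); it replays the three terms over a handful of constructed packets and reports what the allow.ssh and discard.ssh counters would show, with and without the default term.<br />

```python
import ipaddress

# Terms of the RE_MANAGEMENT filter from the post, in evaluation order.
# A condition of None means "not specified", i.e. it matches anything.
MGMT_RANGE = ipaddress.ip_network("10.80.0.0/21")
SSH_PORT = 22

RE_MANAGEMENT = [
    {"name": "SSH",       "src": MGMT_RANGE, "proto": "tcp", "dport": SSH_PORT,
     "count": "allow.ssh", "action": "accept"},
    {"name": "SSH_BLOCK", "src": None,       "proto": "tcp", "dport": SSH_PORT,
     "count": "discard.ssh", "action": "discard"},
    {"name": "default",   "src": None,       "proto": None,  "dport": None,
     "count": None, "action": "accept"},
]

# Constructed sample packets (not from the post); each is what lo0 would see.
SAMPLE_PACKETS = [
    {"src": "10.80.3.7",   "proto": "tcp",  "dport": 22},   # SSH from the management /21
    {"src": "10.80.8.1",   "proto": "tcp",  "dport": 22},   # SSH from just outside the /21
    {"src": "192.0.2.10",  "proto": "tcp",  "dport": 22},   # SSH from an unrelated network
    {"src": "10.80.9.1",   "proto": "ospf"},                # routing protocol hello
    {"src": "203.0.113.5", "proto": "tcp",  "dport": 443},  # HTTPS to the switch
]


def term_matches(term, pkt):
    """True when every condition the term specifies matches the packet."""
    if term["src"] is not None and ipaddress.ip_address(pkt["src"]) not in term["src"]:
        return False
    if term["proto"] is not None and pkt["proto"] != term["proto"]:
        return False
    if term["dport"] is not None and pkt.get("dport") != term["dport"]:
        return False
    return True


def evaluate(terms, packets):
    """First-match evaluation. Returns (counters, [(term name, action), ...])."""
    counters = {t["count"]: 0 for t in terms if t["count"]}
    decisions = []
    for pkt in packets:
        for term in terms:
            if term_matches(term, pkt):
                if term["count"]:
                    counters[term["count"]] += 1
                decisions.append((term["name"], term["action"]))
                break
        else:
            # No term matched: every Junos filter ends with an implicit discard.
            decisions.append(("<implicit>", "discard"))
    return counters, decisions


def run_sample(with_default_term=True):
    """Evaluate the sample packets with, or without, the trailing default term."""
    terms = RE_MANAGEMENT if with_default_term else RE_MANAGEMENT[:-1]
    return evaluate(terms, SAMPLE_PACKETS)


if __name__ == "__main__":
    for label, flag in (("with default term", True), ("without default term", False)):
        counters, decisions = run_sample(flag)
        print(label, counters)
        for pkt, (term, action) in zip(SAMPLE_PACKETS, decisions):
            print(f"  {pkt['src']:>13} {pkt['proto']:>4} -> {term:<10} {action}")
```

Run it as a script to print the per-packet decisions; note how dropping the default term silently discards the OSPF hello and the HTTPS packet, which on a real switch would also drop every other protocol the filter does not name.<br />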
And that's it! You're done, and your switch's SSH access is now protected.</div>
Hitesh Vinzodahttp://www.blogger.com/profile/14249050675333718818noreply@blogger.com2tag:blogger.com,1999:blog-4067794847861485089.post-1265622291681439872013-10-30T20:14:00.001+05:302013-10-30T20:25:56.055+05:30Auto Voice/VoIP VLAN and Data Vlan assignment to Phone and Desktop on Extreme Switch using LLDP<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="font-family: Arial, Helvetica, sans-serif;">There are cases where one needs to deploy VoIP phones in an existing network and, due to a lack of internal cabling, cannot connect the IP phones to the switches separately.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">The VoIP phones are usually connected to the switch and a desktop is connected to the IP phone, as shown below</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPbynJfFv2KYiiognOnXiKmYxnlwRZh3GEkOQYiHn8ppoVGViJ9IH9mvHWYD4sHa-k3nYCMve_Mbkc0xNrNUzAfF-T-QQzcWQC_Y_a3_mMaC1gQuXytRHxR8eJ3sm0PbuARCgOQAkqZosH/s1600/VOip.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="134" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPbynJfFv2KYiiognOnXiKmYxnlwRZh3GEkOQYiHn8ppoVGViJ9IH9mvHWYD4sHa-k3nYCMve_Mbkc0xNrNUzAfF-T-QQzcWQC_Y_a3_mMaC1gQuXytRHxR8eJ3sm0PbuARCgOQAkqZosH/s320/VOip.jpg" width="320" /></a></div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">In this scenario we can use LLDP (Link Layer Discovery Protocol) to advertise the voice VLAN details to the IP phone, so that the phone gets an IP address on the VoIP LAN and we can prioritise the VoIP traffic. </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><b><u>Basic requirement: The VoIP phone should be LLDP capable</u></b></span><br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;"><b>Below is the configuration required on Extreme Switch</b></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><b><br /></b></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><b>Create the voice VLAN; the default VLAN will be used for the data network</b></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><b><br /></b></span>
<b><span style="font-family: Courier New, Courier, monospace;">create vlan "VOICE"</span></b><br />
<b><span style="font-family: Courier New, Courier, monospace;">configure vlan VOICE tag 100</span></b><br />
<b><span style="font-family: Courier New, Courier, monospace;">configure vlan Default add ports 1:1 untagged</span></b><br />
<b><span style="font-family: Courier New, Courier, monospace;">configure vlan VOICE add ports 1:1 tagged</span></b><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><b><br /></b></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><b>Configure LLDP on the interface</b></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><b><br /></b></span>
<span style="font-family: Courier New, Courier, monospace;"><b>configure lldp transmit-interval 5</b></span><br />
<span style="font-family: Courier New, Courier, monospace;"><b>enable lldp ports 1:1</b></span><br />
<span style="font-family: Courier New, Courier, monospace;"><b>configure lldp port 1:1 advertise port-description</b></span><br />
<span style="font-family: Courier New, Courier, monospace;"><b>configure lldp port 1:1 advertise system-name</b></span><br />
<span style="font-family: Courier New, Courier, monospace;"><b>configure lldp port 1:1 advertise system-capabilities</b></span><br />
<b style="font-family: 'Courier New', Courier, monospace;">configure lldp port 1:1 advertise management-address</b><br />
<span style="font-family: Courier New, Courier, monospace;"><b><br /></b></span>
<span style="font-family: Courier New, Courier, monospace;"><b><br /></b></span>
<span style="font-family: Courier New, Courier, monospace;"><b>configure lldp port 1:1 advertise vendor-specific dot1 vlan-name vlan VOICE</b></span><br />
<b style="font-family: 'Courier New', Courier, monospace;">configure lldp port 1:1 advertise vendor-specific med policy application voice vlan VOICE dscp 46</b><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b><br /></b></span>
<span style="font-family: Arial, Helvetica, sans-serif;">That is it: the switch is now configured to advertise the voice VLAN to the phone via LLDP, and the data VLAN is sent untagged.</span><br />
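<span style="font-family: Arial, Helvetica, sans-serif;">What the phone actually receives from the two vendor-specific advertise commands is an LLDP-MED Network Policy TLV (TIA-1057; TIA OUI 00-12-BB, subtype 2) carrying the application type, VLAN ID, tagged flag, Layer 2 priority and DSCP. The encoder/decoder below is an added example written for this post, not code from Extreme or from the author; it builds the TLV for the VOICE VLAN (tag 100, DSCP 46) and parses it back, which is handy for checking a packet capture from the phone port against the intended policy. The Layer 2 priority of 5 is an assumed value; the post's command does not set one.</span><br />

```python
import struct

TLV_TYPE_ORG_SPECIFIC = 127          # LLDP organisationally specific TLV type
TIA_OUI = b"\x00\x12\xbb"            # TIA OUI used by all LLDP-MED TLVs
MED_SUBTYPE_NETWORK_POLICY = 2
APP_TYPE_VOICE = 1                   # LLDP-MED application type "Voice"


def encode_network_policy(app_type, vlan_id, l2_priority, dscp, tagged=True, unknown=False):
    """Build one LLDP-MED Network Policy TLV as bytes (2-byte header + 8-byte body)."""
    if not (0 <= app_type <= 255 and 0 <= vlan_id <= 4095
            and 0 <= l2_priority <= 7 and 0 <= dscp <= 63):
        raise ValueError("field out of range")
    # 24-bit policy word: U(1) T(1) X(1, reserved) VLAN ID(12) L2 priority(3) DSCP(6)
    policy = ((int(unknown) << 23) | (int(tagged) << 22)
              | (vlan_id << 9) | (l2_priority << 6) | dscp)
    body = TIA_OUI + bytes([MED_SUBTYPE_NETWORK_POLICY, app_type]) + policy.to_bytes(3, "big")
    header = (TLV_TYPE_ORG_SPECIFIC << 9) | len(body)   # 7-bit type, 9-bit length
    return struct.pack("!H", header) + body


def decode_network_policy(tlv):
    """Parse a Network Policy TLV back into its fields; ValueError for anything else."""
    if len(tlv) < 2:
        raise ValueError("truncated TLV header")
    (header,) = struct.unpack("!H", tlv[:2])
    tlv_type, length = header >> 9, header & 0x1FF
    body = tlv[2:2 + length]
    if tlv_type != TLV_TYPE_ORG_SPECIFIC or len(body) != length or length != 8:
        raise ValueError("not an 8-byte organisationally specific TLV")
    if body[:3] != TIA_OUI or body[3] != MED_SUBTYPE_NETWORK_POLICY:
        raise ValueError("not an LLDP-MED Network Policy TLV")
    policy = int.from_bytes(body[5:8], "big")
    return {
        "app_type": body[4],
        "unknown": bool((policy >> 23) & 1),
        "tagged": bool((policy >> 22) & 1),
        "vlan_id": (policy >> 9) & 0xFFF,
        "l2_priority": (policy >> 6) & 0x7,
        "dscp": policy & 0x3F,
    }


# The policy the post's commands advertise: voice on VLAN VOICE (tag 100), DSCP 46.
# L2 priority 5 is an assumed value; the post's command does not set one.
VOICE_POLICY_TLV = encode_network_policy(APP_TYPE_VOICE, vlan_id=100, l2_priority=5, dscp=46)

if __name__ == "__main__":
    print(VOICE_POLICY_TLV.hex())
    print(decode_network_policy(VOICE_POLICY_TLV))
```

<span style="font-family: Arial, Helvetica, sans-serif;">If the phone still ends up untagged on the data VLAN, decoding the TLV seen on the wire tells you quickly whether the switch advertised the wrong VLAN or the phone simply ignored a correct one.</span><br />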
<b><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></b>
<b><span style="font-family: Arial, Helvetica, sans-serif;">Happy Calling..!!</span></b></div>
Hitesh Vinzodahttp://www.blogger.com/profile/14249050675333718818noreply@blogger.com23tag:blogger.com,1999:blog-4067794847861485089.post-23701356989107552172013-09-04T12:57:00.000+05:302013-09-04T13:00:09.759+05:30Routing Instances VRF on Juniper EX2200 is now Supported..!!<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="font-family: Arial, Helvetica, sans-serif;">I have just learned that routing instances are now supported on Juniper EX2200 series switches from Junos 12.3R1 onwards. It is a very handy feature and is analogous to Cisco's VRF-Lite.</span><br />
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><a href="http://www.juniper.net/techpubs/en_US/release-independent/junos/topics/concept/ex-series-software-features-overview.html" target="_blank">http://www.juniper.net/techpubs/en_US/release-independent/junos/topics/concept/ex-series-software-features-overview.html</a></span></div>
<div>
<br /></div>
</div>
Hitesh Vinzodahttp://www.blogger.com/profile/14249050675333718818noreply@blogger.com5tag:blogger.com,1999:blog-4067794847861485089.post-11953584289483620492013-09-03T20:16:00.000+05:302013-09-03T20:16:16.050+05:30VPN between Fortigate and vmWare vShield Edge<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="font-family: Arial, Helvetica, sans-serif;">Here is the step by step configuration of VPN between Fortigate and vShield Edge</span><div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<b><span style="font-family: Arial, Helvetica, sans-serif;">Fortigate configuration</span></b></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;">Create addresses on the Fortigate</span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8Wa1pTJGgc7ScSlFpPcKaUK_zjL1MqhLpWeVzkj-OtzQny4aFoyE0lxReY7raN7jN9SN4889EYTvWHtt26yuIohbqkogNPEDv3o3XZOWzeJmemQrYvmuK-9V4mtMI1ENiTzf0IEwrxbsx/s1600/Addresses.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Arial, Helvetica, sans-serif;"><img border="0" height="145" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8Wa1pTJGgc7ScSlFpPcKaUK_zjL1MqhLpWeVzkj-OtzQny4aFoyE0lxReY7raN7jN9SN4889EYTvWHtt26yuIohbqkogNPEDv3o3XZOWzeJmemQrYvmuK-9V4mtMI1ENiTzf0IEwrxbsx/s640/Addresses.JPG" width="640" /></span></a></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">Create Phase-1 and Phase-2 on Fortigate</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjy8WDutmBRtmx5uABCY1Z4h9niI4TJkSq7YMI8DzOD0gwomlhE54bFBWQSdf4se640M8uW8W90mOVTFtZJ9sqKp2wmxaiuiQErIvV3C7fyGe804yYPnoDGv3gJcAbTeA9gcwCg2ACYmJIs/s1600/Phase-1+FGT.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Arial, Helvetica, sans-serif;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjy8WDutmBRtmx5uABCY1Z4h9niI4TJkSq7YMI8DzOD0gwomlhE54bFBWQSdf4se640M8uW8W90mOVTFtZJ9sqKp2wmxaiuiQErIvV3C7fyGe804yYPnoDGv3gJcAbTeA9gcwCg2ACYmJIs/s640/Phase-1+FGT.JPG" width="618" /></span></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjruCGFWnE-pI5NkjrlNXcy4Z7Rer0c2e3j25qSldb3VJ6WIOSabWy83GJw8VM1DLIPwD9zPYL1NVXGO3pWC_ZTSCTIDYNeylro4UFIUrNdR9GYF1FvlbLb6vGogUyT9OJNSp-adAbkQpmF/s1600/Phase-2-FGT.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Arial, Helvetica, sans-serif;"><img border="0" height="486" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjruCGFWnE-pI5NkjrlNXcy4Z7Rer0c2e3j25qSldb3VJ6WIOSabWy83GJw8VM1DLIPwD9zPYL1NVXGO3pWC_ZTSCTIDYNeylro4UFIUrNdR9GYF1FvlbLb6vGogUyT9OJNSp-adAbkQpmF/s640/Phase-2-FGT.JPG" width="640" /></span></a></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">Add VPN policy on Fortigate</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBTYRRA51RaHjpNd7pCn1mX_ZFLFp8erc9GLNeFsgS5siB_MakmZZGU-0UsVp2nKYq3eBM7kBTiWuZMIQ2l2IOLezUQtc7uwlOYhUfHrFLcqGdCRvS_wzWtAeg-_Kj6fjPOMraYpiC7s_A/s1600/policy.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Arial, Helvetica, sans-serif;"><img border="0" height="550" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBTYRRA51RaHjpNd7pCn1mX_ZFLFp8erc9GLNeFsgS5siB_MakmZZGU-0UsVp2nKYq3eBM7kBTiWuZMIQ2l2IOLezUQtc7uwlOYhUfHrFLcqGdCRvS_wzWtAeg-_Kj6fjPOMraYpiC7s_A/s640/policy.JPG" width="640" /></span></a></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">Now Configure vShield Edge from vShield Manager</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">Enable VPN</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhR-lG4gyKhP1MWXb2wC7hT2D46lh2SfPaQd-3aOaVNJ8zui1ChY7L_8015kSOJlhAVamS5DdF6TQzHmdyrWc6nODRgSQBCKQRpFnso_-NWYBP-l5iQHxGUNI8UbYcv19BW7c_TShg2WzeQ/s1600/ESX-VPN+Enable.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Arial, Helvetica, sans-serif;"><img border="0" height="416" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhR-lG4gyKhP1MWXb2wC7hT2D46lh2SfPaQd-3aOaVNJ8zui1ChY7L_8015kSOJlhAVamS5DdF6TQzHmdyrWc6nODRgSQBCKQRpFnso_-NWYBP-l5iQHxGUNI8UbYcv19BW7c_TShg2WzeQ/s640/ESX-VPN+Enable.JPG" width="640" /></span></a></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">Add default configuration</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoZSI9cKk9OmFYJo3NL0Jy2oEvXejiayGenECQ9TcbVv0qOGoMFFQ2JujtDgKCgNde4wub7YnWNZzgAHGMlA-9W45D-V_LbZAjuPRdRC5cnO0sCQq5i01TjFy1r7qbUs2s0gkfy0VZR6YX/s1600/ESX+VPN+Default.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Arial, Helvetica, sans-serif;"><img border="0" height="368" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoZSI9cKk9OmFYJo3NL0Jy2oEvXejiayGenECQ9TcbVv0qOGoMFFQ2JujtDgKCgNde4wub7YnWNZzgAHGMlA-9W45D-V_LbZAjuPRdRC5cnO0sCQq5i01TjFy1r7qbUs2s0gkfy0VZR6YX/s640/ESX+VPN+Default.JPG" width="640" /></span></a></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">Add Site </span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhIaO0qfwikveUl9HpYW_AUtBoEV-Fw425grRanPPFLOsA03hRKosZIHRqVTCbjs1Q-ZWF2y12wsOl4cBPSm9XbmyknBmiFK7vJD_B-9VBzwc44BsIPnhpidJ2KnuadiLHAOpnF4OopJpx/s1600/ESX-Add+Site.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Arial, Helvetica, sans-serif;"><img border="0" height="304" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhIaO0qfwikveUl9HpYW_AUtBoEV-Fw425grRanPPFLOsA03hRKosZIHRqVTCbjs1Q-ZWF2y12wsOl4cBPSm9XbmyknBmiFK7vJD_B-9VBzwc44BsIPnhpidJ2KnuadiLHAOpnF4OopJpx/s640/ESX-Add+Site.JPG" width="640" /></span></a></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">Add Site details</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg55THviDj1CJk1I8Jv88pL0v1oBj1R-Gg28Nmmut6aNbvoNiX2yMYp-zavLAitAg2in8cBhNWi7fYRlZzkmYyhi4SdndCq987Vev-O8oDxYaKTnyNB0bF1ak2mX5AU4eJ_ASvRnlB0n-Gf/s1600/ESX-Site.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Arial, Helvetica, sans-serif;"><img border="0" height="428" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg55THviDj1CJk1I8Jv88pL0v1oBj1R-Gg28Nmmut6aNbvoNiX2yMYp-zavLAitAg2in8cBhNWi7fYRlZzkmYyhi4SdndCq987Vev-O8oDxYaKTnyNB0bF1ak2mX5AU4eJ_ASvRnlB0n-Gf/s640/ESX-Site.JPG" width="640" /></span></a></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">Check the status as shown</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjwB-GKTrPO0AQKYJPVkTyqyuwJntBmTwL678Fii8ODtvkp7brEdp6wh_I1SEV3JliSlZdpYRFLxnTaHY0iOYfaDHq3BDyW-5HUPWlSR2Xz5rETDIo4alqoQETD1a4YYgjbjYrNQH7CE8A/s1600/VPN+Status.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Arial, Helvetica, sans-serif;"><img border="0" height="420" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjwB-GKTrPO0AQKYJPVkTyqyuwJntBmTwL678Fii8ODtvkp7brEdp6wh_I1SEV3JliSlZdpYRFLxnTaHY0iOYfaDHq3BDyW-5HUPWlSR2Xz5rETDIo4alqoQETD1a4YYgjbjYrNQH7CE8A/s640/VPN+Status.JPG" width="640" /></span></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWFd7PqpLwkT1WWdLWyjYlLj3LXMlPQc1z0sbn5pMPlpAAuRBYnWdn6R0zh3JfSq2AaKYyjYmC2WcISCgXjF7hBTpH8G_xMA15q6pI2NW5MpIA4axjPbmepAAj3XARxrBXdsjHJgpjn0xd/s1600/FGT-VPN+status.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Arial, Helvetica, sans-serif;"><img border="0" height="142" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWFd7PqpLwkT1WWdLWyjYlLj3LXMlPQc1z0sbn5pMPlpAAuRBYnWdn6R0zh3JfSq2AaKYyjYmC2WcISCgXjF7hBTpH8G_xMA15q6pI2NW5MpIA4axjPbmepAAj3XARxrBXdsjHJgpjn0xd/s640/FGT-VPN+status.JPG" width="640" /></span></a></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">Enjoy..!!</span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
</div>
</div>
Hitesh Vinzodahttp://www.blogger.com/profile/14249050675333718818noreply@blogger.com11tag:blogger.com,1999:blog-4067794847861485089.post-53347672587198306722013-09-03T19:52:00.001+05:302013-09-03T19:56:03.667+05:30Juniper EX Series Switches - Policing / Ratelimiting traffic<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="font-family: Arial, Helvetica, sans-serif;">If you come from the Cisco world and have just been asked to rate-limit traffic on Juniper EX series switches, this is how to accomplish it.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">First, configure a policer under the firewall hierarchy:</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">policer TEST-POLICER {</span><br />
<span style="font-family: Courier New, Courier, monospace;"> if-exceeding {</span><br />
<span style="font-family: Courier New, Courier, monospace;"> bandwidth-limit 10485760;</span><br />
<span style="font-family: Courier New, Courier, monospace;"> burst-size-limit 1966080;</span><br />
<span style="font-family: Courier New, Courier, monospace;"> }</span><br />
<span style="font-family: Courier New, Courier, monospace;"> then discard;</span><br />
<span style="font-family: Courier New, Courier, monospace;"></span><br />
<span style="font-family: Courier New, Courier, monospace;">}</span><br />
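<span style="font-family: Arial, Helvetica, sans-serif;">A policer is a token bucket: bandwidth-limit (bits per second) is the rate at which the bucket refills and burst-size-limit (bytes) is its depth, so a burst larger than the bucket is discarded even when the long-term average is under the limit. The simulation below is an added example written for this post, a simplified single-rate model and not Juniper's implementation; it uses the post's values of 10485760 bit/s and 1966080 bytes and shows a line-rate burst being partly discarded while a steady 8 Mbit/s stream passes untouched. The packet streams are constructed for the example.</span><br />

```python
BANDWIDTH_LIMIT_BPS = 10485760   # bandwidth-limit from the post, bits per second
BURST_SIZE_LIMIT = 1966080       # burst-size-limit from the post, bytes


def police(packets, bandwidth_limit_bps=BANDWIDTH_LIMIT_BPS, burst_size_limit=BURST_SIZE_LIMIT):
    """Single-rate token bucket over (timestamp_seconds, size_bytes) packets in time order.

    Returns (accepted_bytes, discarded_bytes, per-packet decisions).
    """
    rate = bandwidth_limit_bps / 8          # refill rate in bytes per second
    tokens = float(burst_size_limit)        # the bucket starts full
    last_t = packets[0][0] if packets else 0.0
    accepted = discarded = 0
    decisions = []
    for t, size in packets:
        if t < last_t:
            raise ValueError("packets must be in time order")
        # Refill for the elapsed time, never beyond the bucket depth.
        tokens = min(float(burst_size_limit), tokens + (t - last_t) * rate)
        last_t = t
        if size <= tokens:                  # enough tokens: forward and spend them
            tokens -= size
            accepted += size
            decisions.append("accept")
        else:                               # bucket empty: "then discard"
            discarded += size
            decisions.append("discard")
    return accepted, discarded, decisions


def burst_scenario():
    """2000 x 1500-byte packets arriving at once (3 MB), then 800 more one second later."""
    packets = [(0.0, 1500)] * 2000 + [(1.0, 1500)] * 800
    return police(packets)


def steady_scenario():
    """1000-byte packets every millisecond = 8 Mbit/s, below the 10 Mbit/s limit."""
    packets = [(i / 1000, 1000) for i in range(5000)]
    return police(packets)


if __name__ == "__main__":
    for name, fn in (("burst", burst_scenario), ("steady", steady_scenario)):
        acc, disc, dec = fn()
        print(f"{name}: accepted {acc} bytes, discarded {disc} bytes, "
              f"{dec.count('discard')} of {len(dec)} packets dropped")
```

<span style="font-family: Arial, Helvetica, sans-serif;">In the burst case only the first 1310 packets fit in the 1966080-byte bucket; the remaining 690 are discarded, and the 800 packets a second later pass because one second of refill at 1310720 bytes/s is enough. This is the behaviour to expect from a policer (drops on bursts) as opposed to the shaper shown further down, which queues instead.</span><br />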
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Then configure a firewall filter that references the policer, just like an ACL in Cisco:</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><b><br /></b></span>
<span style="font-family: Courier New, Courier, monospace;">family ethernet-switching {</span><br />
<span style="font-family: Courier New, Courier, monospace;"> filter TEST-POLICE {</span><br />
<span style="font-family: Courier New, Courier, monospace;"> term 1 {</span><br />
<span style="font-family: Courier New, Courier, monospace;"> from {</span><br />
<span style="font-family: Courier New, Courier, monospace;"> source-address {</span><br />
<span style="font-family: Courier New, Courier, monospace;"> 0.0.0.0/0;</span><br />
<span style="font-family: Courier New, Courier, monospace;"> }</span><br />
<span style="font-family: Courier New, Courier, monospace;"> destination-address {</span><br />
<span style="font-family: Courier New, Courier, monospace;"> 0.0.0.0/0;</span><br />
<span style="font-family: Courier New, Courier, monospace;"> }</span><br />
<span style="font-family: Courier New, Courier, monospace;"> }</span><br />
<span style="font-family: Courier New, Courier, monospace;"> then policer TEST-POLICER;</span><br />
<span style="font-family: Courier New, Courier, monospace;"> }</span><br />
<span style="font-family: Courier New, Courier, monospace;"> }</span><br />
<span style="font-family: Courier New, Courier, monospace;">}</span><br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">The firewall filter can have multiple terms and you can apply different policers to each term; the filter above applies the policer to all traffic. If your terms are specific and you only want to police a few hosts or networks, add a final term "default" with no action defined (a term without an action accepts the traffic), which ensures that the rest of the traffic is not policed:</span><br />
<br />
<span style="font-family: Courier New, Courier, monospace;">term default</span><br />
<br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">Now apply the filter in the ingress direction on the RVI or the interface:</span><br />
<br />
<span style="font-family: Courier New, Courier, monospace;">show interfaces ge-0/0/42 </span><br />
<span style="font-family: Courier New, Courier, monospace;">unit 0 {</span><br />
<span style="font-family: Courier New, Courier, monospace;"> family ethernet-switching {</span><br />
<span style="font-family: Courier New, Courier, monospace;"> port-mode access;</span><br />
<span style="font-family: Courier New, Courier, monospace;"> vlan {</span><br />
<span style="font-family: Courier New, Courier, monospace;"> members 422;</span><br />
<span style="font-family: Courier New, Courier, monospace;"> }</span><br />
<span style="font-family: Courier New, Courier, monospace;"> filter {</span><br />
<span style="font-family: Courier New, Courier, monospace;"> input TEST-POLICE;</span><br />
<span style="font-family: Courier New, Courier, monospace;"> }</span><br />
<span style="font-family: Courier New, Courier, monospace;"> }</span><br />
<span style="font-family: Courier New, Courier, monospace;">}</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Please note that you cannot apply a policer in the output direction; this is restricted on Juniper EX switches and it throws an error when you try to apply it.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">To limit egress traffic to the desired rate instead, create a shaper under class-of-service and apply it to the interface:</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">show class-of-service </span><br />
<span style="font-family: Courier New, Courier, monospace;">interfaces {</span><br />
<span style="font-family: Courier New, Courier, monospace;"> ge-0/0/42 {</span><br />
<span style="font-family: Courier New, Courier, monospace;"> shaping-rate 10485760;</span><br />
<span style="font-family: Courier New, Courier, monospace;"> }</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">}</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Have Fun..!!</span></div>
Hitesh Vinzodahttp://www.blogger.com/profile/14249050675333718818noreply@blogger.com1tag:blogger.com,1999:blog-4067794847861485089.post-18966261231003916272013-09-03T19:37:00.002+05:302013-09-03T19:37:56.444+05:30Fortigate VPN Debug log filter for IKE<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="font-family: Arial, Helvetica, sans-serif;">While debugging a VPN on a Fortigate you may also see logs from other active VPNs, and if you are running your firewall in an MSP environment with multiple hosted customers who each have VPNs, it is not going to be a good day...!!</span><div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;">Use the filters below to make your life easier when debugging VPN IKE on Fortigates</span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><div>
<b>diag vpn ike log-filter ?</b></div>
<div>
clear erase the current filter</div>
<div>
dst-addr4 the IPv4 destination address range to filter by</div>
<div>
dst-addr6 the IPv6 destination address range to filter by</div>
<div>
dst-port the destination port range to filter by</div>
<div>
interface interface that IKE connection is negotiated over</div>
<div>
list display the current filter</div>
<div>
name the phase1 name to filter by</div>
<div>
negate negate the specified filter parameter</div>
<div>
src-addr4 the IPv4 source address range to filter by</div>
<div>
src-addr6 the IPv6 source address range to filter by</div>
<div>
src-port the source port range to filter by</div>
<div>
vd index of virtual domain. -1 matches all</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
Once the filter is in place, run the debug with the command below:</div>
<div>
<br /></div>
<div>
<b>diag debug application ike -3</b></div>
<div>
<b><br /></b></div>
<div>
<b><br /></b></div>
</span></div>
</div>
Hitesh Vinzodahttp://www.blogger.com/profile/14249050675333718818noreply@blogger.com1tag:blogger.com,1999:blog-4067794847861485089.post-51999202012087738992012-06-23T17:23:00.000+05:302012-06-23T17:23:47.258+05:30OSPF Network Types<div dir="ltr" style="text-align: left;" trbidi="on">
<ul style="text-align: left;">
<li><b>Broadcast:</b> This network type uses the multicast addresses 224.0.0.5 and 224.0.0.6; a DR/BDR election is performed between the neighbors.</li>
<li><b>Point-to-point:</b> This network type uses multicast address 224.0.0.5 and no DR/BDR election is performed between the neighbors.</li>
<li><b>Point-to-Multipoint:</b> This network type uses multicast address 224.0.0.5 and no DR/BDR election is performed between the neighbors. Routers install /32 routes for the endpoints.</li>
<li><b>Non-Broadcast:</b> This network type uses unicast instead of multicast. Neighbors need to be defined statically and a DR/BDR election is performed.</li>
<li><b>Point-to-Multipoint Non-Broadcast:</b> Combines the attributes of the Point-to-Multipoint and Non-Broadcast network types.</li>
</ul>
</div>Hitesh Vinzodahttp://www.blogger.com/profile/14249050675333718818noreply@blogger.com0tag:blogger.com,1999:blog-4067794847861485089.post-67955081383942227432012-06-15T14:25:00.000+05:302012-06-15T14:27:11.741+05:30Dynamic IP Address assignment using FreeRadius IP POOL or radippool table<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-family: sans-serif; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 19px; margin: 0.4em 0px 0.5em; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
The following steps need to be performed to configure a user for the dynamic IP address setup.</div>
<ul style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-family: sans-serif; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 19px; list-style-image: url(http://wiki/skins/vector/images/bullet-icon.png); list-style-type: square; margin: 0.3em 0px 0px 1.5em; orphans: 2; padding: 0px; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<li style="margin-bottom: 0.1em;">Add username/password to “radcheck” table.</li>
<li style="margin-bottom: 0.1em;">Map the user to the relevant dynamic user group in the “radusergroup” table.</li>
<li style="margin-bottom: 0.1em;">Map the dynamic user group to the “Pool-Name” attribute’s value in the “radgroupcheck” table.</li>
<li style="margin-bottom: 0.1em;">Populate “radippool” table with the dynamic IP addresses and the relevant pool name.</li>
</ul>
<ul style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-family: sans-serif; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 19px; list-style-image: url(http://wiki/skins/vector/images/bullet-icon.png); list-style-type: square; margin: 0.3em 0px 0px 1.5em; orphans: 2; padding: 0px; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<li style="margin-bottom: 0.1em;">Example:</li>
</ul>
<pre style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: #f9f9f9; border: 1px dashed rgb(47, 111, 171); color: black; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 1.1em; orphans: 2; padding: 1em; text-align: -webkit-auto; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px;"> Configure a dynamic IP user setup for 254 users. The following data will be used for our example:
Username: foo@domain
Groupname: dynamic_test
Pool-Name: dynamic_pool
IP range: 10.10.10.1/24
First, start by adding the user "foo@domain" to the "radcheck" table.
</pre>
<ul style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-family: sans-serif; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 19px; list-style-image: url(http://wiki/skins/vector/images/bullet-icon.png); list-style-type: square; margin: 0.3em 0px 0px 1.5em; orphans: 2; padding: 0px; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<li style="margin-bottom: 0.1em;">Map the user “foo@cerberus” to the group “dynamic_test” in the “radusergroup” table, e.g.</li>
</ul>
<pre style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: #f9f9f9; border: 1px dashed rgb(47, 111, 171); color: black; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 1.1em; orphans: 2; padding: 1em; text-align: -webkit-auto; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px;"> Username: Groupname : Priority
foo@cerberus: dynamic_test : 1
</pre>
<ul style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-family: sans-serif; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 19px; list-style-image: url(http://wiki/skins/vector/images/bullet-icon.png); list-style-type: square; margin: 0.3em 0px 0px 1.5em; orphans: 2; padding: 0px; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<li style="margin-bottom: 0.1em;">Map the dynamic user group (dynamic_test) to the Pool-Name attribute in the “radgroupcheck” table.</li>
</ul>
<pre style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: #f9f9f9; border: 1px dashed rgb(47, 111, 171); color: black; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 1.1em; orphans: 2; padding: 1em; text-align: -webkit-auto; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px;"> Groupname: attribute : op : Value
Dynamic_test: Pool-Name : := : dynamic_pool
</pre>
<ul style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-family: sans-serif; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 19px; list-style-image: url(http://wiki/skins/vector/images/bullet-icon.png); list-style-type: square; margin: 0.3em 0px 0px 1.5em; orphans: 2; padding: 0px; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<li style="margin-bottom: 0.1em;">Add the IP addresses to the “radippool” table, as:</li>
</ul>
<pre style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: #f9f9f9; border: 1px dashed rgb(47, 111, 171); color: black; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 1.1em; orphans: 2; padding: 1em; text-align: -webkit-auto; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px;"> Pool_name : Framedipaddress
Dynamic_pool: 10.10.10.1
Dynamic_pool: 10.10.10.2</pre>
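The four steps above as runnable code, added here as an example rather than anything from the original post: it builds the four rlm_sql tables in an in-memory SQLite database from a constructed, trimmed copy of the FreeRADIUS schema, provisions foo@domain into dynamic_test / dynamic_pool, loads the 254 host addresses of 10.10.10.1/24 into radippool, and flags any address that appears twice in a pool (rlm_sqlippool could otherwise lease one IP to two sessions). The password value and the helper function names are assumptions; note that SQLite compares pool names case-sensitively, unlike MySQL's default collation, so the Dynamic_pool / dynamic_pool spelling in the tables above has to match exactly.

```python
"""FreeRADIUS dynamic-IP provisioning (rlm_sql + rlm_sqlippool tables).
Added example, not from the original post; runs offline against SQLite."""
import ipaddress
import sqlite3

# Constructed, trimmed schema: column names follow the FreeRADIUS SQL schema
# (radcheck, radusergroup, radgroupcheck, radippool); indexes and the columns
# these four steps never touch are left out.
SCHEMA = """
CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT NOT NULL,
    attribute TEXT NOT NULL, op TEXT NOT NULL, value TEXT NOT NULL);
CREATE TABLE radusergroup (username TEXT NOT NULL, groupname TEXT NOT NULL,
    priority INTEGER NOT NULL DEFAULT 1);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, groupname TEXT NOT NULL,
    attribute TEXT NOT NULL, op TEXT NOT NULL, value TEXT NOT NULL);
CREATE TABLE radippool (id INTEGER PRIMARY KEY, pool_name TEXT NOT NULL,
    framedipaddress TEXT NOT NULL, expiry_time TEXT,
    username TEXT NOT NULL DEFAULT '');
"""


def open_db():
    """In-memory stand-in for the MySQL backend, with the trimmed schema loaded."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def create_pool(conn, pool_name, network):
    """Step 4: one radippool row per usable host address; returns how many were added."""
    net = ipaddress.ip_network(network, strict=False)    # '10.10.10.1/24' -> 10.10.10.0/24
    rows = [(pool_name, str(ip)) for ip in net.hosts()]  # hosts() skips network/broadcast
    with conn:
        conn.executemany(
            "INSERT INTO radippool (pool_name, framedipaddress) VALUES (?, ?)", rows)
    return len(rows)


def provision_user(conn, username, password, groupname, pool_name):
    """Steps 1-3: credentials, group membership, and the group's Pool-Name check item."""
    with conn:
        # Step 1: Cleartext-Password is the stock check attribute; a hashed form such
        # as Crypt-Password limits the damage if the RADIUS database is ever copied.
        conn.execute(
            "INSERT INTO radcheck (username, attribute, op, value) VALUES (?, ?, ?, ?)",
            (username, "Cleartext-Password", ":=", password))
        # Step 2: priority orders the groups when a user belongs to several.
        conn.execute(
            "INSERT INTO radusergroup (username, groupname, priority) VALUES (?, ?, ?)",
            (username, groupname, 1))
        # Step 3: the Pool-Name check item belongs to the group, so add it only once.
        have = conn.execute(
            "SELECT 1 FROM radgroupcheck WHERE groupname = ? AND attribute = 'Pool-Name'",
            (groupname,)).fetchone()
        if have is None:
            conn.execute(
                "INSERT INTO radgroupcheck (groupname, attribute, op, value) VALUES (?, ?, ?, ?)",
                (groupname, "Pool-Name", ":=", pool_name))


def pool_for_user(conn, username):
    """Resolve user -> group (by priority) -> Pool-Name, the chain rlm_sql walks at auth time."""
    row = conn.execute("""
        SELECT gc.value FROM radusergroup AS ug
        JOIN radgroupcheck AS gc ON gc.groupname = ug.groupname
        WHERE ug.username = ? AND gc.attribute = 'Pool-Name'
        ORDER BY ug.priority LIMIT 1""", (username,)).fetchone()
    return row[0] if row else None


def duplicate_addresses(conn, pool_name):
    """Addresses listed more than once in a pool: two sessions could be leased the same IP."""
    cur = conn.execute("""
        SELECT framedipaddress FROM radippool WHERE pool_name = ?
        GROUP BY framedipaddress HAVING COUNT(*) > 1 ORDER BY framedipaddress""",
        (pool_name,))
    return [r[0] for r in cur]


if __name__ == "__main__":
    db = open_db()
    print("pool addresses:", create_pool(db, "dynamic_pool", "10.10.10.1/24"))
    provision_user(db, "foo@domain", "constructed-secret", "dynamic_test", "dynamic_pool")
    print("foo@domain ->", pool_for_user(db, "foo@domain"))
    print("duplicates:", duplicate_addresses(db, "dynamic_pool"))
```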
</div>Hitesh Vinzodahttp://www.blogger.com/profile/14249050675333718818noreply@blogger.com3tag:blogger.com,1999:blog-4067794847861485089.post-69735309321448874802012-06-14T13:41:00.001+05:302012-06-14T13:41:18.381+05:30Inside CCIE Lab<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/BoKuXhfdIU0?feature=player_embedded' frameborder='0'></iframe></div>
<br /></div>Hitesh Vinzodahttp://www.blogger.com/profile/14249050675333718818noreply@blogger.com1tag:blogger.com,1999:blog-4067794847861485089.post-88501181052984150522012-06-14T13:38:00.002+05:302012-06-14T13:38:53.943+05:30STP Root Bridge Election<div dir="ltr" style="text-align: left;" trbidi="on">
STP Root Bridge Election explained...<br />
<br />
<br />
<embed align="middle" allowscriptaccess="always" height="600" pluginspage="http://www.macromedia.com/go/getflashplayer" quality="high" src="http://www.cisco.com/warp/public/473/spanning_tree1.swf" type="application/x-shockwave-flash" width="800"></embed><br />
<br />
<br /></div>Hitesh Vinzodahttp://www.blogger.com/profile/14249050675333718818noreply@blogger.com0tag:blogger.com,1999:blog-4067794847861485089.post-9638312459304870012012-06-11T18:07:00.000+05:302012-06-11T18:08:23.268+05:30Packet Sniffer on Fortigate Firewall<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="font-family: Arial, Helvetica, sans-serif;">There has always been an embedded packet capture in the Fortigate CLI, which can be accessed using the command below:</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">diagnose packet sniffer &lt;interface-name&gt; [filters] [level]</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">e.g.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i>diagnose packet sniffer <span style="color: blue;">wan1</span> <span style="color: blue;">'icmp and host 10.10.10.1' 4</span></i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i><span style="color: blue;"><br /></span></i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">Now, in FortiOS 4.0 MR3, Fortinet has added a packet sniffer to the GUI, which can be used to set up a capture and download the resulting PCAP file for further analysis.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-8A3wgY2NW94/T9Xl2uAp1XI/AAAAAAAAAJ4/v57ig7h2lCk/s1600/sniffer01.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="127" src="http://1.bp.blogspot.com/-8A3wgY2NW94/T9Xl2uAp1XI/AAAAAAAAAJ4/v57ig7h2lCk/s320/sniffer01.JPG" width="320" /></a></div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">You can see the (greyed-out) options available with it, and below are the capture settings:</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-oMa8XoI8YJg/T9XmP7A4P3I/AAAAAAAAAKA/CkXFQ6OT2vI/s1600/sniffer02.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="160" src="http://1.bp.blogspot.com/-oMa8XoI8YJg/T9XmP7A4P3I/AAAAAAAAAKA/CkXFQ6OT2vI/s320/sniffer02.JPG" width="320" /></a></div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">It can be used for real-time troubleshooting and works like a charm..!!</span></div>Hitesh Vinzodahttp://www.blogger.com/profile/14249050675333718818noreply@blogger.com0tag:blogger.com,1999:blog-4067794847861485089.post-10795198092295399722012-06-10T17:23:00.002+05:302012-06-10T17:23:35.746+05:30Cisco ADSL PPPoE Sample Configuration<div dir="ltr" style="text-align: left;" trbidi="on">
service timestamps debug datetime msec<br />
service timestamps log datetime msec<br />
<b>vpdn enable<br />
no vpdn logging<br />
vpdn-group pppoe<br />
 request-dialin<br />
  protocol pppoe</b><br />
<i>
<span style="color: blue;">!--- These commands are needed only on Cisco IOS Software earlier than 12.2(13)T.</span>
</i><br />
!<br />
!<br />
ip subnet-zero<br />
!<br />
<i>
<span style="color: blue;">!--- For DHCP:</span>
</i><br />
<b>ip dhcp excluded-address &lt;ip address of ethernet0&gt;<br />
ip dhcp pool &lt;dhcp pool name&gt;<br />
 network &lt;ip network address of ethernet0&gt; &lt;subnet mask&gt;<br />
 default-router &lt;ip address of ethernet0&gt;<br />
 dns-server &lt;ip address of dns server&gt;</b><br />
!<br />
interface ethernet0<br />
 no shut<br />
 ip address &lt;ip address&gt; &lt;subnet mask&gt;<br />
 ip tcp adjust-mss 1452<br />
<i>
<span style="color: blue;">!--- If the <b>ip tcp adjust-mss 1452</b> command is not supported, try this
!--- configuration statement: <b>ip adjust-mss 1452</b>. If this command is not
!--- supported in your current Cisco DSL Router software release, upgrade to the
!--- latest Cisco DSL Router software or follow the procedure in the
!--- "Possible Required Configuration Steps on the PC" section of this document.</span>
</i><br />
<i>
<span style="color: blue;">!--- For NAT:</span>
</i><br />
 <b>ip nat inside</b><br />
 no ip directed-broadcast<br />
!<br />
interface atm0<br />
 no ip address<br />
 bundle-enable<br />
 dsl operating-mode auto<br />
!<br />
interface atm0.1 point-to-point<br />
 no ip address<br />
 no ip directed-broadcast<br />
 no atm ilmi-keepalive<br />
 pvc &lt;vpi/vci&gt;<br />
  pppoe-client dial-pool-number 1<br />
<i>
<span style="color: blue;">!--- Common PVC values supported by ISPs are 0/35 or 8/35.
!--- Confirm your PVC values with your ISP.</span>
</i><br />
 !<br />
!<br />
interface dialer1<br />
 ip address &lt;ip address&gt; &lt;subnet mask&gt;<br />
 mtu 1492<br />
<i>
<span style="color: blue;">!--- For NAT:</span>
</i><br />
 <b>ip nat outside</b><br />
 encapsulation ppp<br />
 dialer pool 1<br />
 ppp chap hostname &lt;username&gt;<br />
 ppp chap password &lt;password&gt;<br />
 ppp pap sent-username &lt;username&gt; password &lt;password&gt;<br />
!<br />
<i>
<span style="color: blue;">!--- For NAT:</span>
</i><br />
<b>ip nat inside source list 1 interface dialer1 overload</b><br />
<i>
<span style="color: blue;">!--- If you have a pool (a range) of public IP addresses provided
!--- by your ISP, you can use a NAT Pool. Replace
!--- <b>ip nat inside source list 1 interface dialer1 overload</b>
!--- with these two configuration statements:
!--- <b>ip nat inside source list 1 pool &lt;nat pool name&gt; overload</b>
!--- <b>ip nat pool &lt;nat pool name&gt; &lt;first ip address&gt; &lt;last ip address&gt;</b>
!--- <b>netmask &lt;subnet mask&gt;</b></span>
</i><br />
<i>
<span style="color: blue;">!--- If Internet users require access to an internal server, you can
!--- add this static NAT configuration statement:
!--- <b>ip nat inside source static tcp &lt;inside ip address of server&gt; {80 or 25}</b>
!--- <b>&lt;outside well-known ip address of server&gt; {80 or 25} extendable</b>
!--- Note: TCP port 80 (HTTP/web) and TCP port 25 (SMTP/mail) are used
!--- for this example. You can open other TCP or UDP ports, if needed.</span>
</i><br />
!<br />
ip classless<br />
ip route 0.0.0.0 0.0.0.0 interface dialer1<br />
<i>
<span style="color: blue;">!--- For NAT:</span>
</i><br />
<b>access-list 1 permit &lt;ip network address of ethernet0&gt; &lt;wildcard mask&gt;</b><br />
<i>
<span style="color: blue;">!--- In this configuration, access-list 1 defines a standard access list
!--- that permits the addresses that NAT translates. For example, if
!--- your private IP network is 10.10.10.0, configure
!--- access-list 1 permit 10.10.10.0 0.0.0.255 in order to allow NAT to translate
!--- packets with source addresses between 10.10.10.0 and 10.10.10.255.</span>
</i><br />
!<br />
end<br />
<br />
Source : Cisco.com</div>Hitesh Vinzodahttp://www.blogger.com/profile/14249050675333718818noreply@blogger.com2tag:blogger.com,1999:blog-4067794847861485089.post-20949973940807288762012-06-10T17:19:00.001+05:302012-06-10T17:22:12.800+05:30Cisco ADSL PPPoA Sample Configuration<div dir="ltr" style="text-align: left;" trbidi="on">
<em><span style="color: blue;">!--- Comments contain explanations and additional information.</span>
</em><br />
<br />
service timestamps debug datetime msec<br />
service timestamps log datetime msec<br />
ip subnet-zero<br />
!<br />
<i>
<span style="color: blue;">!--- For DHCP:</span>
</i><br />
<b>ip dhcp excluded-address &lt;ip address of ethernet0&gt;<br />
ip dhcp pool &lt;dhcp pool name&gt;<br />
 network &lt;ip network address of ethernet0&gt; &lt;subnet mask&gt;<br />
 default-router &lt;ip address of ethernet0&gt;<br />
 dns-server &lt;ip address of dns server&gt;</b><br />
!<br />
interface ethernet0<br />
 no shut<br />
 ip address &lt;ip address&gt; &lt;subnet mask&gt;<br />
<i>
<span style="color: blue;">!--- For NAT:</span>
</i><br />
 <b>ip nat inside</b><br />
 no ip directed-broadcast<br />
!<br />
interface atm0<br />
 no shut<br />
 no ip address<br />
 no ip directed-broadcast<br />
 no ip mroute-cache<br />
 pvc &lt;vpi/vci&gt;<br />
  encapsulation aal5mux ppp dialer<br />
  dialer pool-member 1<br />
<i>
<span style="color: blue;">!--- Common PVC values supported by ISPs are 0/35 or 8/35.
!--- Confirm your PVC values with your ISP.</span>
</i><br />
!<br />
interface dialer1<br />
 ip address &lt;ip address&gt; &lt;subnet mask&gt; (use <span style="color: blue;"><strong>ip address negotiated</strong></span>, if dynamic address)<br />
 no ip directed-broadcast<br />
<i>
<span style="color: blue;">!--- For NAT:</span>
</i><br />
 <b>ip nat outside</b><br />
 encapsulation ppp<br />
 dialer pool 1<br />
 ppp chap hostname &lt;username&gt;<br />
 ppp chap password &lt;password&gt;<br />
 ppp pap sent-username &lt;username&gt; password &lt;password&gt;<br />
!<br />
<i>
<span style="color: blue;">!--- For NAT:</span>
</i><br />
<b>ip nat inside source list 1 interface dialer1 overload</b><br />
<i>
<span style="color: blue;">!--- If you have a pool (a range) of public IP addresses provided
!--- by your ISP, you can use a NAT Pool. Replace
!--- <b>ip nat inside source list 1 interface dialer1 overload</b>
!--- with these two configuration statements:
!--- <b>ip nat inside source list 1 pool &lt;nat pool name&gt; overload</b>
!--- <b>ip nat pool &lt;nat pool name&gt; &lt;first ip address&gt; &lt;last ip address&gt;</b>
!--- <b>netmask &lt;subnet mask&gt;</b></span>
</i><br />
<i>
<span style="color: blue;">!--- If Internet users require access to an internal server, you can
!--- add this static NAT configuration statement:
!--- <b>ip nat inside source static tcp &lt;inside ip address of server&gt; {80 or 25}</b>
!--- <b>&lt;outside well-known ip address of server&gt; {80 or 25} extendable</b>
!--- Note: TCP port 80 (HTTP/web) and TCP port 25 (SMTP/mail) are used
!--- for this example. You can open other TCP or UDP ports, if needed.</span>
</i><br />
!<br />
ip classless<br />
ip route 0.0.0.0 0.0.0.0 dialer1<br />
<i>
<span style="color: blue;">!--- For NAT:</span>
</i><br />
<b>access-list 1 permit &lt;ip network address of ethernet0&gt; &lt;wildcard mask&gt;</b><br />
<i>
<span style="color: blue;">!--- In this configuration, access-list 1 defines a standard access list
!--- that permits the addresses that NAT translates. For example, if
!--- your private IP network is 10.10.10.0, configure
!--- access-list 1 permit 10.10.10.0 0.0.0.255 in order to allow NAT to translate
!--- packets with source addresses between 10.10.10.0 and 10.10.10.255.</span>
</i><br />
!<br />
end<br />
<br />
<br />
Source : Cisco.com</div>Hitesh Vinzodahttp://www.blogger.com/profile/14249050675333718818noreply@blogger.com0tag:blogger.com,1999:blog-4067794847861485089.post-20349526459373995532009-11-14T09:17:00.001+05:302009-11-14T09:27:19.099+05:30Setting up Terminal Server on Cisco RouterTo set up a terminal server on a Cisco router you need an async module on the router. Cisco routers like the 2511 come with such interfaces. You will need an octal cable to connect the console RJ-45 ports of the devices to the async interface.<br />
<br />
The reverse-telnet ports for a 2511 async interface run from 2001 to 2008. Below is the sample config which I use for my lab's access server.<br />
<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">interface Loopback0</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ip address 70.70.70.70 255.255.255.255</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> no ip directed-broadcast</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">!</span><br />
<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">ip host S3 2011 70.70.70.70</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">ip host R7 2007 70.70.70.70</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">ip host R6 2006 70.70.70.70</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">ip host R4 2004 70.70.70.70</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">ip host R3 2003 70.70.70.70</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">ip host S2 2010 70.70.70.70</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">ip host S1 2009 70.70.70.70</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">ip host R5 2005 70.70.70.70</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">ip host R2 2002 70.70.70.70</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">ip host R1 2001 70.70.70.70</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">ip host S4 2012 70.70.70.70</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">ip host R8 2008 70.70.70.70</span><br />
<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">line con 0</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> exec-timeout 0 0</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> logging synchronous</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> transport input none</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">line 1 16</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> no exec</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> transport input all</span><br />
<br />
Now that the router is configured, we use the following commands to navigate.<br />
- to access a device<br />
<br />
<span style="color: #3d85c6; font-family: Courier New, Courier, monospace; font-size: x-small;">telnet 70.70.70.70 2001</span><br />
<br />
- to switch between active sessions<br />
<br />
<span style="color: #3d85c6;">ctrl-shift-6-x</span> will bring you back to the terminal server<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><strong>show sessions</strong></span> will display the active sessions<br />
entering the number of a session will let you access that session<br />
- to disconnect a session<br />
<span style="color: #0b5394;">use the <span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><strong>disconnect</strong></span> command</span>Hitesh Vinzodahttp://www.blogger.com/profile/14249050675333718818noreply@blogger.com0tag:blogger.com,1999:blog-4067794847861485089.post-37577612053705546032009-11-14T09:07:00.001+05:302009-11-14T09:10:27.591+05:30CCIE R&S 4.0 Lab Blue Print<span style="color: #c27ba0; font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;"><strong>CCIE Routing & Switching Lab Exam Topics (Blueprint)</strong></span><br />
<br />
<br />
Exam Sections and Sub-task Objectives<br />
<br />
1.00 Implement Layer 2 Technologies √<br />
<br />
1.10 Implement Spanning Tree Protocol (STP)<br />
<br />
(a) 802.1d<br />
<br />
(b) 802.1w<br />
<br />
(c) 802.1s<br />
<br />
(d) Loop guard<br />
<br />
(e) Root guard<br />
<br />
(f) Bridge protocol data unit (BPDU) guard<br />
<br />
(g) Storm control<br />
<br />
(h) Unicast flooding<br />
<br />
(i) Port roles, failure propagation, and loop guard operation<br />
<br />
1.20 Implement VLAN and VLAN Trunking Protocol (VTP)<br />
<br />
1.30 Implement trunk and trunk protocols, EtherChannel, and load-balance<br />
<br />
1.40 Implement Ethernet technologies<br />
<br />
(a) Speed and duplex<br />
<br />
(b) Ethernet, Fast Ethernet, and Gigabit Ethernet<br />
<br />
(c) PPP over Ethernet (PPPoE)<br />
<br />
1.50 Implement Switched Port Analyzer (SPAN), Remote Switched Port Analyzer (RSPAN), and flow control<br />
<br />
1.60 Implement Frame Relay<br />
<br />
(a) Local Management Interface (LMI)<br />
<br />
(b) Traffic shaping<br />
<br />
(c) Full mesh<br />
<br />
(d) Hub and spoke<br />
<br />
(e) Discard eligible (DE)<br />
<br />
1.70 Implement High-Level Data Link Control (HDLC) and PPP<br />
<br />
2.00 Implement IPv4<br />
<br />
2.10 Implement IP version 4 (IPv4) addressing, subnetting, and variable-length subnet masking (VLSM)<br />
<br />
2.20 Implement IPv4 tunneling and Generic Routing Encapsulation (GRE)<br />
<br />
2.30 Implement IPv4 RIP version 2 (RIPv2)<br />
<br />
2.40 Implement IPv4 Open Shortest Path First (OSPF)<br />
<br />
(a) Standard OSPF areas<br />
<br />
(b) Stub area<br />
<br />
(c) Totally stubby area<br />
<br />
(d) Not-so-stubby-area (NSSA)<br />
<br />
(e) Totally NSSA<br />
<br />
(f) Link-state advertisement (LSA) types<br />
<br />
(g) Adjacency on a point-to-point and on a multi-access network<br />
<br />
(h) OSPF graceful restart<br />
<br />
2.50 Implement IPv4 Enhanced Interior Gateway Routing Protocol (EIGRP)<br />
<br />
(a) Best path<br />
<br />
(b) Loop-free paths<br />
<br />
(c) EIGRP operations when alternate loop-free paths are available, and when they are not available<br />
<br />
(d) EIGRP queries<br />
<br />
(e) Manual summarization and autosummarization<br />
<br />
(f) EIGRP stubs<br />
<br />
2.60 Implement IPv4 Border Gateway Protocol (BGP)<br />
<br />
(a) Next hop<br />
<br />
(b) Peering<br />
<br />
(c) Internal Border Gateway Protocol (IBGP) and External Border Gateway Protocol (EBGP)<br />
<br />
2.70 Implement policy routing<br />
<br />
2.80 Implement Performance Routing (PfR) and Cisco Optimized Edge Routing (OER)<br />
<br />
2.90 Implement filtering, route redistribution, summarization, synchronization, attributes, and other advanced features<br />
<br />
3.00 Implement IPv6<br />
<br />
3.10 Implement IP version 6 (IPv6) addressing and different addressing types<br />
<br />
3.20 Implement IPv6 neighbor discovery<br />
<br />
3.30 Implement basic IPv6 functionality protocols<br />
<br />
3.40 Implement tunneling techniques<br />
<br />
3.50 Implement OSPF version 3 (OSPFv3)<br />
<br />
3.60 Implement EIGRP version 6 (EIGRPv6)<br />
<br />
3.70 Implement filtering and route redistribution<br />
<br />
4.00 Implement MPLS Layer 3 VPNs<br />
<br />
4.10 Implement Multiprotocol Label Switching (MPLS)<br />
<br />
4.20 Implement Layer 3 virtual private networks (VPNs) on provider edge (PE), provider (P), and customer edge (CE) routers<br />
<br />
4.30 Implement virtual routing and forwarding (VRF) and Multi-VRF Customer Edge (VRF-Lite)<br />
<br />
5.00 Implement IP Multicast<br />
<br />
5.10 Implement Protocol Independent Multicast (PIM) sparse mode<br />
<br />
5.20 Implement Multicast Source Discovery Protocol (MSDP)<br />
<br />
5.30 Implement interdomain multicast routing<br />
<br />
5.40 Implement PIM Auto-Rendezvous Point (Auto-RP), unicast rendezvous point (RP), and bootstrap router (BSR)<br />
<br />
5.50 Implement multicast tools, features, and source-specific multicast<br />
<br />
5.60 Implement IPv6 multicast, PIM, and related multicast protocols, such as Multicast Listener Discovery (MLD)<br />
<br />
6.00 Implement Network Security<br />
<br />
6.01 Implement access lists<br />
<br />
6.02 Implement Zone Based Firewall<br />
<br />
6.03 Implement Unicast Reverse Path Forwarding (uRPF)<br />
<br />
6.04 Implement IP Source Guard<br />
<br />
6.05 Implement authentication, authorization, and accounting (AAA) (configuring the AAA server is not required, only the client-side (IOS) is configured)<br />
<br />
6.06 Implement Control Plane Policing (CoPP)<br />
<br />
6.07 Implement Cisco IOS Firewall<br />
<br />
6.08 Implement Cisco IOS Intrusion Prevention System (IPS)<br />
<br />
6.09 Implement Secure Shell (SSH)<br />
<br />
6.10 Implement 802.1x<br />
<br />
6.11 Implement NAT<br />
<br />
6.12 Implement routing protocol authentication<br />
<br />
6.13 Implement device access control<br />
<br />
6.14 Implement security features<br />
<br />
7.00 Implement Network Services<br />
<br />
7.10 Implement Hot Standby Router Protocol (HSRP)<br />
<br />
7.20 Implement Gateway Load Balancing Protocol (GLBP)<br />
<br />
7.30 Implement Virtual Router Redundancy Protocol (VRRP)<br />
<br />
7.40 Implement Network Time Protocol (NTP)<br />
<br />
7.50 Implement DHCP<br />
<br />
7.60 Implement Web Cache Communication Protocol (WCCP)<br />
<br />
8.00 Implement Quality of Service (QoS)<br />
<br />
8.10 Implement Modular QoS CLI (MQC)<br />
<br />
(a) Network-Based Application Recognition (NBAR)<br />
<br />
(b) Class-based weighted fair queuing (CBWFQ), modified deficit round robin (MDRR), and low latency queuing (LLQ)<br />
<br />
(c) Classification<br />
<br />
(d) Policing<br />
<br />
(e) Shaping<br />
<br />
(f) Marking<br />
<br />
(g) Weighted random early detection (WRED) and random early detection (RED)<br />
<br />
(h) Compression<br />
<br />
8.20 Implement Layer 2 QoS: weighted round robin (WRR), shaped round robin (SRR), and policies<br />
<br />
8.30 Implement link fragmentation and interleaving (LFI) for Frame Relay<br />
<br />
8.40 Implement generic traffic shaping<br />
<br />
8.50 Implement Resource Reservation Protocol (RSVP)<br />
<br />
8.60 Implement Cisco AutoQoS<br />
<br />
9.00 Troubleshoot a Network<br />
<br />
9.10 Troubleshoot complex Layer 2 network issues<br />
<br />
9.20 Troubleshoot complex Layer 3 network issues<br />
<br />
9.30 Troubleshoot a network in response to application problems<br />
<br />
9.40 Troubleshoot network services<br />
<br />
9.50 Troubleshoot network security<br />
<br />
10.00 Optimize the Network<br />
<br />
10.01 Implement syslog and local logging<br />
<br />
10.02 Implement IP Service Level Agreement SLA<br />
<br />
10.03 Implement NetFlow<br />
<br />
10.04 Implement SPAN, RSPAN, and router IP traffic export (RITE)<br />
<br />
10.05 Implement Simple Network Management Protocol (SNMP)<br />
<br />
10.06 Implement Cisco IOS Embedded Event Manager (EEM)<br />
<br />
10.07 Implement Remote Monitoring (RMON)<br />
<br />
10.08 Implement FTP<br />
<br />
10.09 Implement TFTP<br />
<br />
10.10 Implement TFTP server on router<br />
<br />
10.11 Implement Switch-module Configuration Protocol (SCP)<br />
<br />
10.12 Implement HTTP and HTTPS<br />
<br />
10.13 Implement TelnetHitesh Vinzodahttp://www.blogger.com/profile/14249050675333718818noreply@blogger.com0tag:blogger.com,1999:blog-4067794847861485089.post-3897780854790947972009-11-13T14:27:00.001+05:302009-11-29T18:18:35.692+05:30Whats first.. Route-map, Distribute-list, Filter-list, Prefix-list..??Easy way to memorize which will be selected first among Route-map, Distribute-list, Filter-list, Prefix-list is<br />
<br />
<span style="font-size: 130%;"><span style="font-weight: bold;">RFPD</span></span> <span style="color: #3366ff;">(<span style="font-style: italic; font-weight: bold;">Relate this abbreviation to anything that you can memorize; for me "River Front Police Department" worked fine)</span></span><br />
<br />
Route-map<br />
Filter-list<br />
Prefix-list<br />
Distribute-listHitesh Vinzodahttp://www.blogger.com/profile/14249050675333718818noreply@blogger.com0tag:blogger.com,1999:blog-4067794847861485089.post-37186447878920377662009-11-13T14:04:00.001+05:302009-11-14T00:33:11.146+05:30BGP - Route Dampening .. Exponential Decay / Half life.!!In BGP dampening, suppose they ask that "the route should be reused after 5 minutes" and all other parameters are default;<br />
<em>then, as per the formula for BGP dampening,<br />
</em><br />
<div style="height: 8pt; min-height: 8pt; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><br />
</div><strong><span style="color: #3366ff;"><em>Max penalty = reuse-limit * 2^(maximum suppress time / half-life)</em></span></strong><br />
<div style="height: 8pt; min-height: 8pt; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><br />
</div>Suppose it flapped twice; then the max penalty will be 2000 (1000 penalty points per flap)<br />
2000 = 750 * 2^(5 mins / half-life)<br />
2000/750 = 2^(5 / half-life) { simplify 2000/750 = 8/3 }<br />
8/3 = 2^(5 / half-life)<br />
Take the logarithm of both sides<br />
Log (8/3) = Log (2^(5 / half-life))<br />
<br />
<span style="color: red;"><strong>{ Logarithm formulas: Log (x/y) = Log x - Log y and </strong></span><br />
<span style="color: red;"><strong>Log x^a = a.Log x }</strong></span><br />
<br />
After applying the log formulas<br />
Log 8 - Log 3 = (5 x Log 2) / half-life<br />
0.9030 - 0.4771 = (5 x 0.3010) / half-life<br />
0.4259 = 1.505 / half-life<br />
Half-life = 1.505 / 0.4259<br />
Half-life = 3.53<br />
Round it off<br />
<div style="height: 8pt; min-height: 8pt; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><br />
</div>Half-life = 4 ... Configuring the half-life as 4 will ensure that the suppressed prefix is advertised again after 5 mins.Hitesh Vinzodahttp://www.blogger.com/profile/14249050675333718818noreply@blogger.com0
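The dampening arithmetic of the post, as an added example (not from the original post) that also generalises it: the same decay relationship solved for any flap count, the whole-minute half-life IOS actually accepts, the reuse time that rounded value really gives, and a check that the configured max penalty still exceeds the suppress limit (otherwise the prefix can never be suppressed at all). Cisco IOS defaults are assumed (half-life 15 min, reuse limit 750, suppress limit 2000, max-suppress time 60 min, 1000 penalty points per flap); the function names are my own.

```python
"""BGP route-dampening arithmetic from the post, as an added example (not from
the original post). Cisco IOS defaults are assumed: half-life 15 min, reuse
limit 750, suppress limit 2000, max-suppress time 60 min, 1000 points per flap."""
import math

DEFAULT_HALF_LIFE = 15        # minutes
DEFAULT_REUSE_LIMIT = 750
DEFAULT_SUPPRESS_LIMIT = 2000
DEFAULT_MAX_SUPPRESS = 60     # minutes
PENALTY_PER_FLAP = 1000


def max_penalty(reuse_limit, max_suppress, half_life):
    """The post's formula: max penalty = reuse-limit * 2^(max-suppress-time / half-life)."""
    return reuse_limit * 2 ** (max_suppress / half_life)


def penalty_after(penalty, half_life, minutes):
    """Exponential decay: the accumulated penalty halves once every half-life."""
    return penalty * 2 ** (-minutes / half_life)


def time_to_reuse(penalty, reuse_limit, half_life):
    """Minutes until the penalty decays below the reuse limit (the post's equation solved for t)."""
    if penalty <= reuse_limit:
        return 0.0
    return half_life * math.log2(penalty / reuse_limit)


def half_life_for_reuse(penalty, reuse_limit, reuse_after):
    """The post's derivation: half-life = reuse_after * log 2 / log(penalty / reuse-limit)."""
    return reuse_after * math.log(2) / math.log(penalty / reuse_limit)


def dampening_sanity(half_life, reuse_limit, suppress_limit, max_suppress):
    """Returns (ok, max_penalty). If the max penalty never exceeds the suppress limit,
    the route can never be suppressed and the dampening policy does nothing."""
    mp = max_penalty(reuse_limit, max_suppress, half_life)
    return mp > suppress_limit, mp


def plan_half_life(flaps, reuse_after, reuse_limit=DEFAULT_REUSE_LIMIT,
                   penalty_per_flap=PENALTY_PER_FLAP):
    """Repeat the post's worked example for any flap count: the exact half-life, the
    whole-minute value IOS accepts (1-45, rounded as in the post), and the reuse time
    that rounded value really gives."""
    penalty = flaps * penalty_per_flap
    exact = half_life_for_reuse(penalty, reuse_limit, reuse_after)
    chosen = min(45, max(1, round(exact)))
    return {
        "penalty": penalty,
        "exact_half_life": exact,
        "half_life": chosen,
        "reuse_minutes": time_to_reuse(penalty, reuse_limit, chosen),
    }


if __name__ == "__main__":
    print(plan_half_life(2, 5))   # the post's case: two flaps, reuse after 5 minutes
```

For the post's case this gives an exact half-life of 3.53; with a half-life of 4 the penalty of 2000 falls below 750 after about 5.66 minutes, with 3 after about 4.24, which is the trade-off hidden in the rounding step.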