nsp, a blog by neTro (http://www.blogger.com/profile/12620708383024961484), feed updated 2024-02-19

NTP - ACL (published 2021-12-20)
NTP - Network Time Protocol
Packet types:
- Control messages: don't bother with this.
- NTP request/update messages: used for time synchronization
You can define ACLs to protect your infrastructure:
Cisco defines 4 access-control types:
- Peer: The router responds to NTP requests, and accepts NTP updates and NTP control queries. This is where you filter

ENCOR - PART 1 – NETWORK INFRASTRUCTURE (published 2021-09-30)
Switched Campus
Switch Administration
Managing MAC address Table
MAC Address Table and VLANs
All MAC addresses are associated with a VLAN, and an address can exist in more than one VLAN.
Each VLAN maintains its own logical address table.
When private VLANs are configured, address learning depends on the type of MAC address:

Client/Server Python (works with VIRL) (published 2016-01-19)
Small Python Client/Server Application
Client
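#!/usr/bin/env python3
import socket

TCP_IP = '10.0.0.10'
TCP_PORT = 21
BUFFER_SIZE = 1024
MESSAGE = "Hello, World!"

# Open a TCP connection to the server
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((TCP_IP, TCP_PORT))
# Sockets carry bytes, so encode the message; sendall() keeps sending until all of it is out
s.sendall(MESSAGE.encode())
# Read the reply (up to BUFFER_SIZE bytes), then close the connection
data = s.recv(BUFFER_SIZE)
s.close()
print("received data:", data.decode())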
Server
#!/usr/bin/env python
import

BGP & Tunneling (published 2012-02-29)
R1 is in AS1, R5 in AS5.
R2, R3 and R4 are in AS234.
R1 has an eBGP session with R2.
R5 has an eBGP session with R4.
EIGRP is configured inside AS234.
To allow R1 Loopback0 to reach R5 Loopback0, we must establish an iBGP session between R2 and R4.
We will use a GRE Tunnel between R2 and R4:
R1:
!
hostname r1
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!

BGP - Synchronization (published 2012-02-29)
Synchronization
Before the discussion of synchronization, look at this scenario. RTC in AS300 sends updates about 170.10.0.0. RTA and RTB run iBGP, so RTB gets the update and is able to reach 170.10.0.0 via next hop 2.2.2.1. Remember that the next hop is carried via iBGP. In order to reach the next hop, RTB must send the traffic to RTE.
Assume that RTA has not redistributed network

IPv6 - Frame-Relay #1 (published 2012-02-27)
There is no Frame-Relay Inverse ARP (InARP) mechanism for IPv6 in IOS.
We must use static Layer 3 to Layer 2 mapping:
!
hostname r1
!
interface Serial1/0
no ip address
encapsulation frame-relay
ipv6 address 2001:CC1E::/64 eui-64
ipv6 enable
serial restart-delay 0
!
Gives us the IPv6 address:
r1#sh ipv6 interface brief s1/0
Serial1/0

Policy Routing w/ Tracking objects (published 2012-02-24)
Reliable Policy Routing
R5 has two loopbacks, 5.5.5.5/32 and 55.55.55.55/32
Configure policy routing on r2 so that:
- to reach 5.5.5.5/32 packets from r1 must go to r3.
- to reach 55.55.55.55/32 packets from r1 must go to r4.
- do not use static routing on r2 (except to reach r1).
Use reliable routing to do this:
- if r3 is not reachable, packets to 5.5.5.5/

Backup using Backup Interfaces (published 2012-02-19)
R1 is connected to R2 via 2 links; one of the two links will become active if the first one goes down:
!
hostname r1
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet1/0
ip address 192.168.12.1 255.255.255.0
!
interface FastEthernet2/0
backup delay 3 60
backup interface FastEthernet1/0
ip address 192.168.112.1

Static Routing Backup with Tracking (published 2012-02-17)
Use ip sla + tracking object to check the next-hop availability.
If the next hop is not reachable, the static route disappears from the routing table, useful if there is a switch between the routers:
!
interface FastEthernet1/0.102
encapsulation dot1Q 102
ip address 192.168.12.2 255.255.255.0
!
track 5 ip sla 1 reachability
default-state up
!
ip sla 1
icmp-echo 192.168.12.1

To Tests (published 2012-02-02)
CPE sends PADT
LAC sends PADT
LAC sends CDN
LNS sends CDN

PPP#1 - Authentication (published 2012-02-01)
Client/Server authentication
"Client" side:
!
interface Serial1/0
ip address 192.168.12.1 255.255.255.0
encapsulation ppp
ppp chap hostname ROUTER1
ppp chap password 0 CISCO
!
Server side:
!
interface Serial1/0
ip address 192.168.12.2 255.255.255.0
encapsulation ppp
ppp authentication chap callin
!
username ROUTER1 password CISCO
!
Same kind of

HDLC#1 - Header Compression (published 2012-01-31)
Configure header compression on the HDLC link:
R2(config)#interface serial1/0
R2(config-if)#compress ?
stac stac compression algorithm
R2(config-if)#compress stac
R2(config-if)#end
R2#
This is for header compression, not for data compression.
Must be configured on both sides.

Reading-list#1 (published 2012-01-25)
http://tools.ietf.org/html/rfc1661 - The Point-to-Point Protocol (PPP)
http://tools.ietf.org/html/rfc2153 - PPP Vendor Extensions
http://tools.ietf.org/html/rfc1994 - PPP Challenge Handshake Authentication Protocol (CHAP)
http://tools.ietf.org/html/rfc1334 - PPP Authentication Protocols

http://tools.ietf.org/html/rfc2516

RFC1483 - DHCP Server & Relay (published 2012-01-14)
LAB#1:
BrAS
!
hostname BrAS
!
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool Pool-DHCP1
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet1/0
no ip address
duplex auto
speed auto
no keepalive
!
interface FastEthernet1/0.203
encapsulation

[rbak-nsp] Internal icmp ratelimiting? (published 2012-01-13)
Show card X icmp
I think is the command you want.
Chris O'Shea
2011/9/16 Mariano Juliá <mjuliaq at gmail.com>
> Yes, there is a hard coded policer for locally bound ICMP packets.
>
> As a matter of fact, ICMP packets destined to any local IP address never
> reach the XCRP, they are always handled by the input traffic card regardless
> of whether the interface belong

PTA (published 2012-01-12)
lac:
hostname R1
!
no ip domain lookup
!
ip cef
vpdn enable
!
vpdn-group pppoetest
accept-dialin
protocol pppoe
virtual-template 1
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
ip address 10.10.10.1

LAC - LNS - PPP, PPPoE, L2TP (published 2012-01-12)
LNS:
!
hostname LNS
!
vpdn enable
vpdn multihop
!
vpdn-group L2TP-LNS
accept-dialin
protocol l2tp
virtual-template 1
terminate-from hostname LAC
local name LNS
no l2tp tunnel authentication
relay pppoe bba-group PPPoE
!
bba-group pppoe PPPoE
virtual-template 1
!
interface Loopback0
ip

Frame relay and inverse-arp (published 2011-12-15)
no frame-relay inverse-arp says that I shall not ask the other end what his IP address is.
no arp frame-relay means that if the other end asks me my IP address, I shall not answer him.

Create ACL on eXtreme Network Switches... (published 2011-11-29)
First, create a policy. Enter command: vi no67udp.pol
(use a pol extension)
(ls command will list the files/configs on the XOS switch...linux)
The following is needed in the policy (I add count so I can see the number of packet hits...it's not required):
entry drop1 {
if match all {

OSPF Authentication #1 (published 2011-11-27)
Three authentication modes:
0 - null, no authentication
1 - clear-text
2 - md5
Per interface authentication
r1(config)#interface s1/0
r1(config-if)#ip ospf authentication ?
message-digest Use message-digest authentication
null Use no authentication
MD5 Authentication:
If "ip ospf authentication message-digest", then:
r1(

OSPF Virtual links (published 2011-11-27)
OSPF Virtual links are mainly used to avoid partitioned areas.
r1 and r2 belong to area 0.
r1 and r3 to area 13, r3's loopback0 belongs to area 13.
r2, r3 and r4 to area 234.
If the link between r1 and r3 goes down, r3's loopback 0 becomes unreachable because area 13 has no connectivity with area 0 to reach other areas.
To avoid this, a virtual-link is established between the ABRs, r3 and r2.

Access-List and Wildcard Mask (published 2011-11-26)
ACL and Wildcard mask can be determined based on AND (gives the network) and XOR (gives the wildcard mask) operations:
Example1:
Deny the following hosts in a single access-list statement:
200.0.1.2
200.0.1.10
200.0.1.18
200.0.1.26
200.0.3.2
200.0.3.10
200.0.3.18
200.0.3.26
200.0.1.2   11001000 00000000 00000001 00000010
200.0.1.10  11001000 00000000 00000001

OSPF - Ethernet Network Type BROADCAST and POINT_TO_MULTIPOINT NON_BROADCAST (published 2011-11-26)
BROADCAST and POINT_TO_MULTIPOINT NON_BROADCAST Network Type on Ethernet
BROADCAST
Ethernet = broadcast (default)
broadcast:
DR/BDR election
multicast updates
On r1:
r1#show ip ospf interface f0/0
FastEthernet0/0 is up, line protocol is up
Internet Address 192.168.123.1/24, Area 0
Process ID 1, Router ID 192.168.123.1,

OSPF - Network Types (published 2011-11-24)
OSPF Network Types are:
BROADCAST, DR/BDR election, auto neighbor, 10s hello.
NON_BROADCAST, DR/BDR election, configured neighbor, 30s hello.
POINT_TO_POINT, no DR/BDR election, auto neighbor, 10s hello.
POINT_TO_MULTIPOINT, no DR/BDR election, configured neighbor, 30s hello.
POINT_TO_MULTIPOINT NON_BROADCAST, no DR/BDR election, configured neighbor, 30s hello.

OSPF - Network Type POINT_TO_MULTIPOINT NON_BROADCAST (published 2011-11-24)
POINT_TO_MULTIPOINT NON_BROADCAST is a mix of POINT_TO_MULTIPOINT and NON_BROADCAST network types. The best of each network type is used.
POINT_TO_MULTIPOINT means no DR/BDR election. This also means that the hub sees each adjacency as a point-to-point link and that the NEXT-HOP is always the HUB (so, partial mesh frame relay configuration is possible, for example dynamic mapping with