CCIE is not a specialist. But the basis for an expert.: 2008

Thursday, December 4, 2008

[Linux] Compile cacti-spine แล้ว error

ผมใช้ ubuntu 8.10 เวลาจะ compile cacti-spine เองมัน error
ubuntu@hybitz:~/cacti-spine-0.8.7a$ ./configure
configure: error: cannot run /bin/bash config/config.sub
วิธีแก้คือ

aclocal
autoheader
libtoolize --force
automake --add-missing
autoconf
./configure
make
make install

Wednesday, November 5, 2008

[Troubleshoot] show tcam ที่ apply interface

sh tcam count
sh platform software tcam interface vl10 acl in ip
sh platform software tcam interface vl10 acl out ip

Tuesday, August 19, 2008

[Certified] JNCIA-EX Logo

Monday, August 11, 2008

[Certified] CCDP Logo

Wednesday, August 6, 2008

[Cisco] ip nat outside source

[PC]<----------[R1]-----------------[R2]

PC = 192.168.2.2/24, no default gateway

[R2]
int lo0
ip add 20.0.0.1 255.255.255.255
int f0/0
ip add 192.168.1.2 255.255.255.0
ip route 10.0.0.1 255.255.255.0 192.168.1.1

[R1]
int f0/0
ip add 192.168.1.1 255.255.255.0
ip nat outside
int f0/1
ip add 192.168.2.1 255.255.255.0
ip nat inside
ip nat inside source static 192.168.2.2 10.0.0.1
ip nat outside source static 20.0.0.1 192.168.2.100 add-route <<<
ip route 0.0.0.0 0.0.0.0 192.168.1.2
ip route 20.0.0.0 255.255.255.0 192.168.1.2 <<<

#sh ip route
20.0.0.0/24 is subnetted, 1 subnets
S 20.0.0.0 [1/0] via 192.168.1.2
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
S 192.168.1.10/32 [1/0] via 20.0.0.1
C 192.168.1.0/24 is directly connected, FastEthernet0/0
192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
S 192.168.2.10/32 [1/0] via 20.0.0.1
C 192.168.2.0/24 is directly connected, FastEthernet0/1
S* 0.0.0.0/0 [1/0] via 192.168.1.2
#sh ip nat tran
Pro Inside global Inside local Outside local Outside global
--- --- --- 192.168.2.10 20.0.0.1
--- 10.0.0.1 192.168.2.2 --- ---

[R2]
R2#ping 10.0.0.1 source lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 20.0.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/15/28 ms

Wednesday, July 9, 2008

Tunning TCP window size ของ Windows

ผมลอง FTP ระหว่าง linux กับ XP ไป Siteเดียวกัน Link เดียวกัน ปรากฏว่าผล download ของ Linux ดีกว่า เลยต้องปวดหัว ดูจาก packet ก็น่าจะเกี่ยวกับ window size เลยไปถามพี่ google พี่แกก็เลยบอกมาว่าไปดูที่ h**p://rdweb.cns.vt.edu/public/notes/win2k-tcpip.htm ซึ่งหลังจาก tunning registry แล้วก็ Ok เลย

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]

The names/values I installed are:

GlobalMaxTcpWindowSize	REG_DWORD	131400 (decimal)
TcpWindowSize	REG_DWORD	131400 (decimal)
Tcp1323Opts	REG_DWORD	3

Friday, June 27, 2008

[Cisco] Cisco config DHCPv6

ipv6 dhcp pool DHCPv6POOL
dns-server 2001:FB0:1000:0:192:168:1:1
domain-name domain.co.th

interface GigabitEthernet0/1
des ## LAN ##
ipv6 address 2001:FB0:1::1/64
ipv6 nd other-config-flag
ipv6 dhcp server DHCPv6POOL

* client must support DHCPv6

[Cisco] Config Cisco Multipoint GRE tunnel

Dynamic GRE tunnels (point-to-multipoint)
[R1]--------------[R2]-----------------[R3]

[R1]
interface Loopback0
ip address 10.1.1.1 255.255.255.0
!
interface Loopback192
description ## private ip address ##
ip address 192.168.1.1 255.255.255.0
!
interface Tunnel1
ip address 172.16.0.1 255.255.255.0
no ip redirects
ip nhrp authentication CISCO
ip nhrp map multicast dynamic
ip nhrp network-id 99
no ip split-horizon
tunnel source Loopback0
tunnel mode gre multipoint
tunnel key 1
!
interface Serial1/0.12 point-to-point
ip address 10.3.12.1 255.255.255.0
frame-relay interface-dlci 102
!
router ospf 1
log-adjacency-changes
network 10.1.1.1 0.0.0.0 area 0
network 10.3.12.1 0.0.0.0 area 0
!
router rip
version 2
redistribute connected metric 2 route-map PRIVATE->RIP
network 172.16.0.0
no auto-summary
!
ip access-list standard PRIVATE_192
permit 192.168.1.0
!
!
route-map PRIVATE->RIP permit 10
match ip address PRIVATE_192

R1#sh ip route rip
10.0.0.0/8 is variably subnetted, 12 subnets, 2 masks
R 10.1.3.0/24 [120/2] via 172.16.0.3, 00:00:20, Tunnel1
R 10.1.2.0/24 [120/2] via 172.16.0.2, 00:00:06, Tunnel1
R 192.168.2.0/24 [120/2] via 172.16.0.2, 00:00:06, Tunnel1
R 192.168.3.0/24 [120/2] via 172.16.0.3, 00:00:20, Tunnel1

R1#sh ip route 192.168.3.1
Routing entry for 192.168.3.0/24
Known via "rip", distance 120, metric 2
Redistributing via rip
Last update from 172.16.0.3 on Tunnel1, 00:00:15 ago
Routing Descriptor Blocks:
* 172.16.0.3, from 172.16.0.3, 00:00:15 ago, via Tunnel1
Route metric is 2, traffic share count is 1

R1#ping 192.168.3.1 source 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/29/52 ms

!------------------------------------------------------------------------------------------------------
[R2]
interface Loopback0
ip address 10.1.2.2 255.255.255.0
!
interface Loopback192
description ### private ip address ###
ip address 192.168.2.1 255.255.255.0
!
interface Tunnel0
ip address 172.16.0.2 255.255.255.0
no ip redirects
ip nhrp authentication CISCO
ip nhrp map 172.16.0.1 10.1.1.1
ip nhrp map multicast 10.1.1.1
ip nhrp network-id 99
ip nhrp nhs 172.16.0.1
ip nhrp registration timeout 180
tunnel source Loopback0
tunnel mode gre multipoint
tunnel key 1
!
interface Serial1/0.12 point-to-point
ip address 10.3.12.2 255.255.255.0
frame-relay interface-dlci 201
!
interface Serial1/0.23 point-to-point
ip address 10.3.23.2 255.255.255.0
frame-relay interface-dlci 203
!
router ospf 1
log-adjacency-changes
network 10.1.2.2 0.0.0.0 area 0
network 10.3.12.2 0.0.0.0 area 0
network 10.3.23.2 0.0.0.0 area 0
!
router rip
version 2
redistribute connected metric 2 route-map PRIVATE->RIP
network 172.16.0.0
no auto-summary
!
ip access-list standard PRIVATE_192
permit 192.168.2.0
!
route-map PRIVATE->RIP permit 10
match ip address PRIVATE_192

R2# sh ip route rip
10.0.0.0/8 is variably subnetted, 10 subnets, 2 masks
R 10.1.3.0/24 [120/3] via 172.16.0.3, 00:00:19, Tunnel0
R 192.168.1.0/24 [120/2] via 172.16.0.1, 00:00:19, Tunnel0
R 192.168.3.0/24 [120/3] via 172.16.0.3, 00:00:19, Tunnel0
!-------------------------------------------------------------------------------------------
[R3]
interface Loopback0
ip address 10.1.3.3 255.255.255.0
!
interface Loopback192
description ### private ip address ###
ip address 192.168.3.1 255.255.255.0
!
interface Tunnel0
ip address 172.16.0.3 255.255.255.0
no ip redirects
ip nhrp authentication CISCO
ip nhrp map 172.16.0.1 10.1.1.1
ip nhrp map multicast 10.1.1.1
ip nhrp network-id 99
ip nhrp nhs 172.16.0.1
ip nhrp registration timeout 180
tunnel source Loopback0
tunnel mode gre multipoint
tunnel key 1
!
interface Serial1/0.23 point-to-point
ip address 10.3.23.3 255.255.255.0
frame-relay interface-dlci 302
!
router ospf 1
log-adjacency-changes
network 10.1.3.3 0.0.0.0 area 0
network 10.3.23.3 0.0.0.0 area 0
!
router rip
version 2
redistribute connected metric 2 route-map PRIVATE->RIP
network 172.16.0.0
no auto-summary
!
ip access-list standard PRIVATE_192
permit 192.168.3.0
!
route-map PRIVATE->RIP permit 10
match ip address PRIVATE_192
!

R3#sh ip route rip
10.0.0.0/8 is variably subnetted, 10 subnets, 2 masks
R 10.1.2.0/24 [120/3] via 172.16.0.2, 00:00:00, Tunnel0
R 192.168.1.0/24 [120/2] via 172.16.0.1, 00:00:00, Tunnel0
R 192.168.2.0/24 [120/3] via 172.16.0.2, 00:00:00, Tunnel0
!---------------------------------------------------------------------------------------------

[Cisco] Config TACACS+

aaa authentication login TACPLUS group tacacs+ local
aaa authentication login CONSOLE local group tacacs+ none
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec TACPLUS group tacacs+ local none
aaa authorization exec CONSOLE local none
aaa authorization commands 0 TACPLUS group tacacs+ local none
aaa authorization commands 0 CONSOLE local none
aaa authorization commands 1 TACPLUS group tacacs+ local none
aaa authorization commands 1 CONSOLE local none
aaa authorization commands 15 TACPLUS group tacacs+ local none
aaa authorization commands 15 CONSOLE local none
aaa accounting exec TACPLUS start-stop group tacacs+
aaa accounting exec CONSOLE start-stop group tacacs+
aaa accounting commands 0 TACPLUS start-stop group tacacs+
aaa accounting commands 1 TACPLUS start-stop group tacacs+
aaa accounting commands 1 CONSOLE start-stop group tacacs+
aaa accounting commands 15 TACPLUS start-stop group tacacs+
aaa accounting commands 15 CONSOLE start-stop group tacacs+

username admin privilege 15 password 0 admin

ip tacacs source-interface Loopback0
tacacs-server host 192.168.1.1
tacacs-server key CISCO

line con 0
authorization commands 0 CONSOLE
authorization commands 1 CONSOLE
authorization commands 15 CONSOLE
authorization exec CONSOLE
accounting commands 15 CONSOLE
accounting commands 1 CONSOLE
accounting exec CONSOLE
login authentication CONSOLE

line vty 0 4
authorization commands 0 TACPLUS
authorization commands 1 TACPLUS
authorization commands 15 TACPLUS
authorization exec TACPLUS
accounting commands 1 TACPLUS
accounting commands 15 TACPLUS
accounting exec TACPLUS
login authentication TACPLUS
!

[3Com] Configuration 3COM router 3030 connect ADSL

system-view
System View: return to User View with Ctrl+Z.
[Router]quit

disp current-configuration
#
#3Com Router Software V2.04
#
sysname Router
#
dialer-rule 1 ip permit
#
dhcp server ip-pool default
network 192.168.1.0 mask 255.255.255.0
gateway-list 192.168.1.1
dns-list 10.0.0.1 10.0.0.2
#
interface Dialer1
link-protocol ppp
ppp pap local-user username@domain password simple mypassword
mtu 1450
ip address ppp-negotiate
dialer user username@domain
dialer-group 1
dialer bundle 1
dialer timer idle 0
nat outbound 2000
#
interface Ethernet1/0
ip address 192.168.1.1 255.255.255.0
#
interface Atm2/0
pvc 0/100
map bridge Virtual-Ethernet1
#
interface Virtual-Ethernet1
pppoe-client dial-bundle-number 1
#
interface NULL0
#
acl number 2000
rule 1 permit source 192.168.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 Dialer 1 preference 60
#
user-interface con 0
user-interface vty 0 4
#
return

Monday, May 19, 2008

[Ubuntu] bootchart after tunning

[Ubuntu] tunning hardy 8.04 for my labtop

sudo vi /etc/fstab
UUID=fdb68ba3-e411-4a71-8cb4-ac4e117181de / reiserfs notail,relatime 0 1
change to
UUID=fdb68ba3-e411-4a71-8cb4-ac4e117181de / reiserfs notail,noatime,relatime 0 1

sudo vi /etc/sysctl.conf
vm.swappiness=0

sudo vi /etc/init.d/rc
CONCURRENCY=shell

sudo vi /boot/grub/menu.lst
# defoptions=quiet splash
change to
# defoptions=quiet splash elevator=cfq ramdisk_size=160000
And run
sudo update-grub

sudo apt-get install preload prelink bootchart

sudo vi /etc/default/prelink
PRELINKING=unknown
change to
PRELINKING=yes

when reboot, view images
/var/log/bootchart

Disable ipv6
sudo vi /etc/modprobe.d/aliases
#alias net-pf-10 ipv6
alias net-pf-10 off ipv6
alias net-pf-10 off
alias ipv6 off

if you want disable check filesystem (fsck)
sudo touch /fastboot

force check
sudo touch /forcefsck

!-------------------------------------------------------------------
vi fastboot

#! /bin/sh
### BEGIN INIT INFO
# Provides: fastboot
# Required-Start: networking
# Required-Stop: networking
# Should-Start:
# Should-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0
# Short-Description: create/delete file /fastboot .
### END INIT INFO

PATH=/sbin:/bin

. /lib/lsb/init-functions

do_start () {
log_begin_msg "Deleting /fastboot file ..."
rm -f /fastboot
}
do_stop () {
log_begin_msg "Creating /fastboot file ..."
touch /fastboot
}

case "$1" in
start)
do_start
;;
restart|reload|force-reload)
echo "Error: argument '$1' not supported" >&2
exit 3
;;
stop)
do_stop
;;
*)
echo "Usage: $0 start|stop" >&2
exit 3
;;
esac
!-------------------------------------------------------------------

sudo apt-get install sysv-rc-conf
cp fastboot /etc/init.d
sudo sysv-rc-conf
check level 2,3,4,5

Friday, May 9, 2008

[Perl] IP Spoofing ง่ายๆด้วย perl

ตัวอย่างส่ง udp packet โดย spoof source address เป็น 1.1.1.1 แล้วส่ง udp 514 ไปหา server 192.168.1.100

vi spoofing_syslog.pl
use Net::RawIP;
$n = Net::RawIP->new({
ip => {
saddr => '1.1.1.1',
daddr => '192.168.1.100',
},
udp => {
source => 514,
dest => 514,
data => "<28>Syslog: Spoofing source address",
},
});
$n->send;

Monday, April 28, 2008

Thursday, April 24, 2008

[FreeBSD] Basic commands for pfctl

# basic pfctl control
# ==
# This document: http://www.rdrs.net/document/
# Related: http://www.OpenBSD.org
# Last update: Tue Dec 28, 2004
# ==
# Note:
# this document is only provided as a basic overview
# for some common pfctl commands and is by no means
# a replacement for the pfctl and pf manual pages.

#### General PFCTL Commands ####

# pfctl -d disable packet-filtering

# pfctl -e enable packet-filtering
# pfctl -q run quiet
# pfctl -v -v run even more verbose

#### Loading PF Rules ####
# pfctl -f /etc/pf.conf load /etc/pf.conf
# pfctl -n -f /etc/pf.conf parse /etc/pf.conf, but dont load it
# pfctl -R -f /etc/pf.conf load only the FILTER rules
# pfctl -N -f /etc/pf.conf load only the NAT rules
# pfctl -O -f /etc/pf.conf load only the OPTION rules

#### Clearing PF Rules & Counters ####
# pfctl -F all flush ALL
# pfctl -F rules flush only the RULES
# pfctl -F queue flush only queue's
# pfctl -F nat flush only NAT
# pfctl -F info flush all stats that are not part of any rule.
# pfctl -z clear all counters
# note: flushing rules do not touch any existing stateful connections

#### Output PF Information ####
# pfctl -s rules show filter information
# pfctl -v -s rules show filter information for what FILTER rules hit..
# pfctl -vvsr show filter information as above and prepend rule numbers
# pfctl -v -s nat show NAT information, for which NAT rules hit..
# pfctl -s nat -i xl1 show NAT information for interface xl1
# pfctl -s queue show QUEUE information
# pfctl -s label show LABEL information
# pfctl -s state show contents of the STATE table
# pfctl -s info show statistics for state tables and packet normalization
# pfctl -s all show everything

#### Maintaining PF Tables ####
# pfctl -t addvhosts -T show show table addvhosts
# pfctl -vvsTables view global information about all tables
# pfctl -t addvhosts -T add 192.168.1.50 add entry to table addvhosts
# pfctl -t addvhosts -T add 192.168.1.0/16 add a network to table addvhosts
# pfctl -t addvhosts -T delete 192.168.1.0/16 delete nework from table addvhosts
# pfctl -t addvhosts -T flush remove all entries from table addvhosts
# pfctl -t addvhosts -T kill delete table addvhosts entirely
# pfctl -t addvhosts -T replace -f /etc/addvhosts reload table addvhosts on the fly
# pfctl -t addvhosts -T test 192.168.1.40 find ip address 192.168.1.40 in table addvhosts
# pfctl -T load -f /etc/pf.conf load a new table definition
# pfctl -t addvhosts -T show -v output stats for each ip address in table addvhosts
# pfctl -t addvhosts -T zero reset all counters for table addvhosts

Friday, April 11, 2008

[Cisco] config cisco กับ tacacs+

ต้วอย่างการ config cisco กับ tacacs+ เพื่อ authen, authorize user ที่ login เข้ามาใช้งาน อุปกรณ์

aaa new-model
aaa authentication login default none
aaa authentication login AUTH_TACACS group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default none
aaa authorization exec AUTH_TACACS group tacacs+ local none
aaa authorization commands 1 AUTH_TACACS group tacacs+ local none
aaa authorization commands 15 AUTH_TACACS group tacacs+ local none
aaa accounting exec AUTH_TACACS start-stop group tacacs+
aaa accounting commands 1 AUTH_TACACS start-stop group tacacs+
aaa accounting commands 15 AUTH_TACACS start-stop group tacacs+

tacacs-server host 192.168.1.2
tacacs-server key TACACS_KEY

line vty 0 4
authorization commands 1 AUTH_TACACS
authorization commands 15 AUTH_TACACS
authorization exec AUTH_TACACS
login authentication AUTH_TACACS

!-----------------------------------------
! tac_plus.cfg

key = TACACS_KEY

default authentication = file /etc/passwd
accounting file = /var/log/tac_acc.log

user = $enab15$ {
login = cleartext "enable15"
}

######### GROUP DECLARATION #########

group = Administrator {
default service = permit

# example configuration for authorize commands
cmd = ping {
permit .*
}
cmd = reload {
deny .*
}
cmd = write {
deny .*
}
cmd = copy {
deny .*
}
cmd = show {
deny config
deny running
permit .*
}

cmd = ip {
deny "route 0.0.0.0 0.0.0.0"
permit .*
}
cmd = username {
deny .*
}
cmd = enable {
deny password
deny secret
permit .*
}

cmd = no {
deny "ip route 0.0.0.0 0.0.0.0"
deny "username .*"
deny "enable password .*"
deny "enable secret .*"
permit .*
}

}
user = kitti { service = exec { priv-lvl =15 } member = Administrator }

Sunday, March 2, 2008

[Certified] JNCIS-ER logo

Thursday, February 28, 2008

[FreeBSD] FreeBSD 7.0 ออกแล้ว

วันนี้ผมเข้าไปดู freebsd ปรากฏว่า freebsd 7.0 ออกแล้ว ซึ่งดูจาก release announce แล้วดูดีมากเลยครับสำหรับไปใช้กับ multiprocessing

Dramatic improvements in performance and SMP scalability shown by various database and other benchmarks, in some cases showing peak performance improvements as high as 350% over FreeBSD 6.X under normal loads and 1500% at high loads. When compared with the best performing Linux kernel (2.6.22 or 2.6.24) performance is 15% better. Results are from benchmarks used to analyze and improve system performance, results with your specific work load may vary. Some of the changes that contribute to this improvement are:

The 1:1 libthr threading model is now the default.
Finer-grained IPC, networking, and scheduler locking.
A major focus on optimizing the SMP architecture that was put in place during the 5.x and 6.x branches.

h**p://www.freebsd.org/releases/7.0R/announce.html

Wednesday, February 27, 2008

[Cisco] เมื่อเรา enable control plane policing แล้ว ping ตัวเอง

[R1] f0/0 ------------------------------ f1/1 [R2]

[R1]
int f0/0
ip add 150.1.1.1 255.255.255.0

ip access-list extended ICMP
permit icmp and and

class-map ICMP
match access-group name ICMP
policy-map ICMP
class ICMP

control-plane
service-policy input ICMP

#deb ip packet detail
#sh policy-map control-plane
Control Plane

Service-policy input: ICMP

Class-map: ICMP (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps
Match: access-group name ICMP

Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any

R1#ping 150.1.1.1 re 1 <----- ping count 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 150.1.1.1, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 1/1/1 ms
R1#
00:12:24: IP: s=150.1.1.1 (local), d=150.1.1.1 (FastEthernet0/0), len
100, sending
00:12:24: ICMP type=8, code=0
00:12:24: IP: s=150.1.1.1 (FastEthernet0/0), d=150.1.1.1, len 100, rcvd 2
00:12:24: ICMP type=8, code=0
00:12:24: IP: s=150.1.1.1 (FastEthernet0/0), d=150.1.1.1, len 100, stop
process pak for forus packet
00:12:24: ICMP type=8, code=0
00:12:24: IP: s=150.1.1.1 (local), d=150.1.1.1 (FastEthernet0/0), len
100, sending
00:12:24: ICMP type=0, code=0
00:12:24: IP: s=150.1.1.1 (FastEthernet0/0), d=150.1.1.1, len 100, rcvd 2
00:12:24: ICMP type=0, code=0
00:12:24: IP: s=150.1.1.1 (FastEthernet0/0), d=150.1.1.1
R1#, len 100, stop process pak for forus packet
00:12:24: ICMP type=0, code=0

R1#sh policy-map control-plane

Control Plane

Service-policy input: ICMP

Class-map: ICMP (match-all)
2 packets, 228 bytes <---- สังเกตุว่าเมื่อแสดง log พบว่า match
icmp 2 packet ทั้งๆที่เรา ping count = 1
5 minute offered rate 0 bps
Match: access-group name ICMP

Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any

เมื่อเราใช้ ethereal จับ packet ดู
No. Time Source Destination Protocol
Info
1 0.000000 ca:00:1c:34:00:00 ca:00:1c:34:00:00 LOOP
Reply

Frame 1 (60 bytes on wire, 60 bytes captured)
Arrival Time: Feb 27, 2008 10:26:20.228782000
[Time delta from previous captured frame: 0.000000000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds]
[Time since reference or first frame: 0.000000000 seconds]
Frame Number: 1
Frame Length: 60 bytes
Capture Length: 60 bytes
[Frame is marked: False]
[Protocols in frame: eth:loop:data]
Ethernet II, Src: ca:00:1c:34:00:00 (ca:00:1c:34:00:00), Dst:
ca:00:1c:34:00:00 (ca:00:1c:34:00:00)
Destination: ca:00:1c:34:00:00 (ca:00:1c:34:00:00)
Address: ca:00:1c:34:00:00 (ca:00:1c:34:00:00)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..1. .... .... .... .... = LG bit: Locally administered
address (this is NOT the factory default)
Source: ca:00:1c:34:00:00 (ca:00:1c:34:00:00)
Address: ca:00:1c:34:00:00 (ca:00:1c:34:00:00)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..1. .... .... .... .... = LG bit: Locally administered
address (this is NOT the factory default)
Type: Loopback (0x9000)
Configuration Test Protocol (loopback)
skipCount: 0
Relevant function:
Function: Reply (1)
Receipt number: 0
Data (40 bytes)

0000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0020 00 00 00 00 00 00 00 00 ........

No. Time Source Destination Protocol
Info
3 9.987619 ca:00:1c:34:00:00 ca:00:1c:34:00:00 LOOP
Reply

Frame 3 (60 bytes on wire, 60 bytes captured)
Arrival Time: Feb 27, 2008 10:26:30.216401000
[Time delta from previous captured frame: 2.968997000 seconds]
[Time delta from previous displayed frame: 2.968997000 seconds]
[Time since reference or first frame: 9.987619000 seconds]
Frame Number: 3
Frame Length: 60 bytes
Capture Length: 60 bytes
[Frame is marked: False]
[Protocols in frame: eth:loop:data]
Ethernet II, Src: ca:00:1c:34:00:00 (ca:00:1c:34:00:00), Dst:
ca:00:1c:34:00:00 (ca:00:1c:34:00:00)
Destination: ca:00:1c:34:00:00 (ca:00:1c:34:00:00)
Address: ca:00:1c:34:00:00 (ca:00:1c:34:00:00)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..1. .... .... .... .... = LG bit: Locally administered
address (this is NOT the factory default)
Source: ca:00:1c:34:00:00 (ca:00:1c:34:00:00)
Address: ca:00:1c:34:00:00 (ca:00:1c:34:00:00)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..1. .... .... .... .... = LG bit: Locally administered
address (this is NOT the factory default)
Type: Loopback (0x9000)
Configuration Test Protocol (loopback)
skipCount: 0
Relevant function:
Function: Reply (1)
Receipt number: 0
Data (40 bytes)

0000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0020 00 00 00 00 00 00 00 00 ........

พบว่ามันเป็น protocol LOOP ผมเลยไปค้นหาจาก wiki.wireshark.org
h**p://wiki.wireshark.org/Loop?action=show&redirect=Protocols%2Floop

Tuesday, February 26, 2008

ทดลองส่งเมล์เข้า blogspot

ทดลองส่งเมล์เข้า blogger แล้วให้แสดงผลออกทาง blogspot โดยใช้ feature
Mail-To-Blogger

Monday, February 25, 2008

[Certified] CCIE Logo

[Certified] CCNA Logo

[Certified] CCNP Logo

[Certified] JNCIA-ER Logo

Sunday, February 24, 2008

[Juniper] สอบ certified ของ Juniper

เมื่อวันเสาร์ผมไปสอบ JNCIA-ER ซึ่งได้สอบฟรีจาก fasttrack program ของ juniper ผลก็สอบผ่าน บอกได้เลยว่าท่องไปสอบ ตรงจริงๆ 100% :-P
และวันที่ 1 มีนาคมนี้ก็จะไปสอบอีกตัวคือ JNCIS-ER ก็น่าจะเป็นในทางเดียวกันคือ ท่องไปสอบครับ

Friday, February 8, 2008

[Linux] เวลาเราใช้ vmware เพื่อใช้ emu Olive เจอปัญหาเรื่อง console

เวลาเราใช้ vmware เพื่อ emulation Olive ซึ่งโดย default แล้ว olive จะ input/output ทาง console ฉะนั้นทำให้เราไม่สามารถ console กับ vmware ได้
1. ที่ vmware ทำการ add serial port โดยเป็น name pipe
path= /tmp/com1
This end is the server
This other end is an application
2. install software name socat
sudo apt-get install socat
3. run socat
socat -d -d /tmp/com1 pty <-- socat จะทำการ emulate /dev/pts/? จากนั้นเราใช้ minicom use port /dev/pts/?
4. minicom -s

Tuesday, February 5, 2008

[Cisco] Config Router ให้สามารถรับ L2TP over IPSec จาก windows client

aaa new-model
aaa authentication ppp L2TP local
!
username cisco password cisco
!
vpdn enable
!
vpdn-group PPPTP
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 10
no l2tp tunnel authentication
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key PRESHARED address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set VPN-CLIENT esp-3des esp-sha-hmac
mode transport
crypto ipsec df-bit clear
!
crypto dynamic-map VPN-DYNAMIC-MAP 10
description ## dyanmic crypto map for VPN Users ##
set nat demux
set transform-set VPN-CLIENT
!
!
crypto map VPN-DYNAMIC-CLIENT 10 ipsec-isakmp dynamic VPN-DYNAMIC-MAP
!
interface G0/1
des ### Internet ###
crypto map VPN-DYNAMIC-CLIENT
!
!
interface Virtual-Template10
ip unnumbered Loopback0
peer default ip address pool L2TP_POOL
ppp encrypt mppe 128 required
ppp authentication ms-chap-v2 L2TP
!
ip local pool L2TP_POOL 192.168.1.1 192.168.1.10

#######
Windows XP Setup
1. Start -> Control Panel -> Network Connections
2. Menu File --> New Connection
3. Next --> Select: Connection to the network at my workspace --> Next
4. Select: Virtual Private Network Connection --> Next
5. Enter connection name
6. Select: Do not dial the initial connection --> Next
7. Enter IP Address of VPN Server --> Next --> Finish
8. Show dialog --> Properties --> Security Tab
9. Select: Advanced (customer settings)
10. IPSec Settings --> Use pre-shared key for authentication --> Enter pre-share key --> OK (ex. PRESHARED
11. Enter username,password then Connect (ex. username cisco, password cisco)

[Cisco] ต้องการให้ user ใน LAN ต้อง authentication ก่อนการใช้งาน internet

conf t

aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization auth-proxy default local

ip auth-proxy auth-proxy-banner http ^C
Please authentication first before access internet !!!
^C
ip auth-proxy name PROXY_AUTH http inactivity-time 10
!
int f0/0
des ## LAN ##
ip access-group FW in
ip auth-proxy PROXY_AUTH
no sh
!
ip http server
ip http access-class 55
access-list 55 deny any
!
ip access-list extended FW
deny ip any any

##
sh ip access-list FW <-- เมื่อ authen ผ่าน acl จะสร้างโดยอัติโนมัติ
sh ip auth-proxy cache
!
!
User ต้องเรียก web อะไรก็ได้จากนั้นจะถูก redirect page เพื่อไป authentication และเมื่อ username และ password ถูกก็จะสามารถใช้งาน internet ได้

Monday, February 4, 2008

[Cisco] ต้องการดูว่าใครกำลังติดต่ออยู่กับใคร ด้วย ip flow

conf t
ip flow-top-talkers
top 50
sort-by-bytes
int g0/1
des ## connect to internet ##
ip flow ingress
ip flow egress

#sh ip flow top-talker

[Cisco] แก้ไข Numbering Access-list

เมื่อก่อนเวลาเราแก้ไข access-list ที่เป็นตัวเลข เราไม่สามารถลบบางบรรทัดได้ ใน IOS รุ่นใหม่สามารถแก้ไขได้ทำได้โดยใช้ command เหมือนกับ naming access-list
ตัวอย่างเรามี access-list
access-list 100 permit ip 1.1.1.1 0.0.0.0 any
access-list 100 permit ip 2.2.2.2 0.0.0.0 any
access-list 100 permit ip 3.3.3.3 0.0.0.0 any
ต้องการลบ access-list บรรทัดที่ 2
ip access-list extended 100
no permit ip 2.2.2.2 0.0.0.0 any
ต้องการ verify
sh ip access-list 100
access-list 100 permit ip 1.1.1.1 0.0.0.0 any
access-list 100 permit ip 3.3.3.3 0.0.0.0 any

Monday, January 28, 2008

[CCIE] ผ่าน CCIE (R/S) LAB แล้วววววววว

หลังจากสอบครั้งแรกเมื่อ 5 ตุลาคม 2550 ผลออกมา FAIL
พอกลับจากญี่ปุ่นก็อ่านหนังสือ ทำ lab ใหม่อีกครั้งเน้น Multicast กับ QoS
วันที่ 23 มกราคม 2551 ไปสอบ lab อีกครั้ง มั่นใจกว่าครั้งแรกผลออกมา PASS ครับ
ตั้งใจจะสอบ Track Service Provider อีกตัวไม่รู้ว่าจะทำได้หรือเปล่า แต่ก็จะลองสอบดูครับ

Sunday, January 20, 2008

[Cisco] ต้องการ clear tcp connection (bgp, line vty) ของตัว router

วิธี clear tcp connection

R1#sh tcp brief
TCB Local Address Foreign Address (state)
65DA2FF8 160.1.12.1.22 160.1.12.2.55667 ESTAB
R1#cle
R1#clear tcp tcb 65DA2FF8
[confirm]
[OK]
R1#sh tcp brief
R1#

Friday, January 11, 2008

[Cisco] Reflexive Access-list

ต้องการเขียน access-list คล้ายๆ firewall คือต้องมี packet initial ออกจากขา inside router ไป outside ก่อน แล้วถึงจะ permit packet ที่กลับเข้ามา

interface s0

des ** outside **

ip add x.x.x.x y.y.y.y

ip access-group ACL_IN in

ip access-group ACL_OUT out

ip access-list extended ACL_IN

permit tcp any any eq bgp

permit tcp any eq bgp any

permit icmp any any

evaluate REFLEX

ip access-list extended ACL_OUT

permit ip any any REFLEX

referrence:

h**p://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113ed_cr/secur_c/scprt3/screflex.htm

[Cisco] OSPF เลือก best path

OSPF เลือก bestpath

step1: เลือก type ของ route

1. O Intra Area ( ภายใน area เดียวกัน)

2. IA Inter Area ( ระหว่าง area )

3. E1 External type 1 ( จาก route ที่เกิดจากการ redistribute type 1)

4. E2 External type 2 (จาก router ที่เกิดจากการ redistribute type 2 และ default การ redistribute จะเป็น type 2 )

step2: เลือกค่า cost น้อย

ตัวอย่าง สมมติว่ามี route 192.168.1.0/24 มา 2 ทาง โดย

1. path แรกเป็น type E1 มี cost 100

2. path ที่สองเป้น type E2 มีค่า cost 10

จะเลือก path ใดระหว่าง path 1 หรือ 2 ????

[Cisco] BGP เลือก Best path

GP เลือก Best path มีขั้นตอนคือ

ให้จำคำย่อ

W L L A O M N I

ข้อสำคัญข้อแรกของทุก routing ของการเลือก best path คือ ip next hop จะต้องมีอยู่จริงใน routing

W = Weight (propietary cisco ใช้เฉพาะภายใน router ตัวเดียวเท่านั้น)

L = local preferrence (default เป็น 100)

L = local inject ( route ที่เกิดจากการ inject เข้า BGP ของตัวเอง)

A = AS-path ( เลือก path ที่สั้นที่สุด)

O = Origin code โดยจะเลือกค่า i <>

M = ค่า MED หรือ metric เลือกค่าน้อย

N = Neighbor type เลือก eBGP ก่อน iBGP

I = เอาค่า cost IGP metric ค่าที่น้อยที่สุดของ next hop

ถ้ามีการ config maximum-path และทุกขั้นตอนมีค่าเท่ากัน ก็จะ load-balance

แต่ถ้าไม่มีการ config maximum-path

1.จะเลือก router-id ค่าน้อย

2.ถ้ามีการ config route-reflect ให้เลือก prefix ที่มาจาก cluster-list ที่สั้นที่สุด

3.เลือก neighbor ip address ค่าน้อย

ถ้าเท่ากันทุกขั้นตอนจะ load-balance

[Cisco] BGP สร้างเงื่อนไขในการ advertise

ต้องการสร้างเงื่อนไขในการ advertise network A โดยตรวจสอบก่อนว่า network B นั้นมีอยู่ใน BGP หรือไม่ถ้าไม่มีให้ advertise network A

Ex.

router bgp 100

network 10.10.10.0 mask 255.255.255.0

neighbor 172.16.1.1 remote-as 200

neighbor 172.16.1.1 advertise-map ADVERTISE non-exist-map NON-EXIST

ip prefix-list NETWORK_A permit 10.10.10.0/24

ip prefix-list CHECK_NETWORK_B permit 192.168.1.0 mask 255.255.255.0

route-map ADVERTISE permit 10

match ip address prefix NETWORK_A

route-map NON-EXIST permit 10

match ip address prefix CHECK_NETWORK_B

จากตัวอย่างเรามีการตรวจสอบ BGP routing table ก่อนว่ามี network 192.168.1.0/24 อยู่หรือเปล่า ถ้าไม่มีจะทำการ Advertise 10.10.10.0/24 แต่ถ้ามีจะไม่ advertise

[Cisco] Legacy QoS (guarantee bandwidth)

thank you h**p://awanetwork.blogspot.com/2007/09/custom-queueing.html

QoS | Custom Queueing

CQ implementation WRR, up to 16 user queues, threshold based on number of bytes. Service use Round-robin we need requires configuration. CQ is used to create a bandwidth reservation in output queue of an interface. So no direction option on applied to the interface, fact that queueing is always outbound.

I have simple sample of CQ, objective is guaranteed the following amount of bandwidth that traffic leaving its Ethernet interface. I want 3 traffic define are ftp, telnet www and default for else logical. Each queue would be guaranteed bandwidth in a ratio of 5:2:2:1 on a total value 16000 bytes or 128 kbps, which results in 8000/16000, 3200/16000, 3200/16000, 1600/16000. With the CQ if there is traffic of type A and B waiting to be sent, but no traffic of type C, type A and B are not limited to a maximum of 50% and 20%. Instead A and B are guaranteed a minimum of 50% and 20% in the case of congestion.

#final running-config

...
queue-list 1 protocol ip 1 tcp ftp
queue-list 1 protocol ip 2 tcp telnet
queue-list 1 protocol ip 3 tcp www
queue-list 1 default 4
queue-list 1 queue 1 byte-count 8000
queue-list 1 queue 2 byte-count 3200
queue-list 1 queue 3 byte-count 1600

interface FastEthernet0/0
ip address 192.168.0.1 255.255.255.0
duplex auto
speed auto
custom-queue-list 1
...

#step-by-step configuring define queue (required)

R1(config)#queue-list ?
<1-16>  Queue list number

R1(config)#queue-list 1 ?
default        Set custom queue for unspecified datagrams
interface      Establish priorities for packets from a named interface
lowest-custom  Set lowest number of queue to be treated as custom
protocol       priority queueing by protocol
queue          Configure parameters for a particular queue
stun           Establish priorities for stun packets

R1(config)#queue-list 1 protocol ?
aarp              AppleTalk ARP
appletalk         AppleTalk
arp               IP ARP
bridge            Bridging
bstun             Block Serial Tunnel
cdp               Cisco Discovery Protocol
clns              ISO CLNS
clns_es           ISO CLNS End System
clns_is           ISO CLNS Intermediate System
cmns              ISO CMNS
compressedtcp     Compressed TCP (VJ)
decnet            DECnet
decnet_node       DECnet Node
decnet_router-l1  DECnet Router L1
decnet_router-l2  DECnet Router L2
dlsw              Data Link Switching (Direct encapsulation only)
http              HTTP
ip                IP
ipv6              IPV6
ipx               Novell IPX
llc2              llc2
pad               PAD links
pppoe             PPP over Ethernet
qllc              qllc protocol
rsrb              Remote Source-Route Bridging
snapshot          Snapshot routing support
stun              Serial Tunnel

R1(config)#queue-list 1 protocol ip ?
<0-16>  queue number

R1(config)#queue-list 1 protocol ip 1 ?
fragments  Prioritize fragmented IP packets
gt         Classify packets greater than a specified size
list       To specify an access list
lt         Classify packets less than a specified size
tcp        Prioritize TCP packets 'to' or 'from' the specified port
udp        Prioritize UDP packets 'to' or 'from' the specified port


R1(config)#queue-list 1 protocol ip 1 tcp ?
<0-65535>    Port number
bgp          Border Gateway Protocol (179)
chargen      Character generator (19)
cmd          Remote commands (rcmd, 514)
daytime      Daytime (13)
discard      Discard (9)
domain       Domain Name Service (53)
drip         Dynamic Routing Information Protocol (3949)
echo         Echo (7)
exec         Exec (rsh, 512)
finger       Finger (79)
ftp          File Transfer Protocol (21)
ftp-data     FTP data connections (20)
gopher       Gopher (70)
hostname     NIC hostname server (101)
ident        Ident Protocol (113)
irc          Internet Relay Chat (194)
klogin       Kerberos login (543)
kshell       Kerberos shell (544)
login        Login (rlogin, 513)
lpd          Printer service (515)
nntp         Network News Transport Protocol (119)
pim-auto-rp  PIM Auto-RP (496)
pop2         Post Office Protocol v2 (109)
pop3         Post Office Protocol v3 (110)
smtp         Simple Mail Transport Protocol (25)
sunrpc       Sun Remote Procedure Call (111)
syslog       Syslog (514)
tacacs       TAC Access Control System (49)
talk         Talk (517)
telnet       Telnet (23)
time         Time (37)
uucp         Unix-to-Unix Copy Program (540)
whois        Nicname (43)
www          World Wide Web (HTTP, 80)

R1(config)#queue-list 1 protocol ip 1 tcp ftp ?

#step-by-step configuring specify queue (optional)

R1(config)#queue-list 1 ?
default        Set custom queue for unspecified datagrams
interface      Establish priorities for packets from a named interface
lowest-custom  Set lowest number of queue to be treated as custom
protocol       priority queueing by protocol
queue          Configure parameters for a particular queue
stun           Establish priorities for stun packets

R1(config)#queue-list 1 queue ?
<0-16>  queue number

R1(config)#queue-list 1 queue 1 ?
byte-count  Specify size in bytes of a particular queue
limit       Set queue entry limit of a particular queue

R1(config)#queue-list 1 queue 1 byte-count ?
<1-16777215>  size in bytes

o use byte-count for average number of bytes
o use limit for maximum number of packet

#step-by-step configuring applied on interface (required)

R1(config-if)#?
Interface configuration commands:
...
custom-queue-list       Assign a custom queue list to an interface
...

R1(config-if)#custom-queue-list ?
<1-16>  Custom queue list number

R1(config-if)#custom-queue-list 1 ?

#monitor or verify CQ (optional)

R1#sh int f0/0
FastEthernet0/0 is up, line protocol is up
Hardware is Gt96k FE, address is c200.02d4.0000 (bia c200.02d4.0000)
Internet address is 192.168.0.1/24
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
   reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Half-duplex, 10Mb/s, 100BaseTX/FX
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output 00:00:03, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: custom-list 1
Output queues: (queue #: size/max/drops)
   0: 0/20/0 1: 0/20/0 2: 0/20/0 3: 0/20/0 4: 0/20/0
   5: 0/20/0 6: 0/20/0 7: 0/20/0 8: 0/20/0 9: 0/20/0
   10: 0/20/0 11: 0/20/0 12: 0/20/0 13: 0/20/0 14: 0/20/0
   15: 0/20/0 16: 0/20/0
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
   0 packets input, 0 bytes
   Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
   0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
   0 watchdog
   0 input packets with dribble condition detected
   92 packets output, 9553 bytes, 0 underruns
   0 output errors, 0 collisions, 2 interface resets
   0 babbles, 0 late collision, 0 deferred
   0 lost carrier, 0 no carrier
   0 output buffer failures, 0 output buffers swapped out

R1#sh queueing ?
interface
custom         custom queueing list configuration
fair           fair queueing configuration
priority       priority queueing list configuration
random-detect  random early detection configuration
|              Output modifiers


R1#sh queueing custom ?
|  Output modifiers


R1#sh queueing custom
Current custom queue configuration:

List   Queue  Args
1      4      default
1      1      protocol ip          tcp port ftp
1      2      protocol ip          tcp port telnet
1      3      protocol ip          tcp port www
1      1      byte-count 8000
1      2      byte-count 3200
1      3      byte-count 1600

[Cisco] Object tracking w/ SLA

กรณีต้องการตรวจสอบ static route และ nexthop ว่าสามารถ reachable ได้หรือเปล่า

ip sla monitor 1 <-- id 1 type echo protocol ipIcmpEcho 192.168.1.1 <------ check next-hop 192.168.1.1 can reachable ( ping ) frequency <-- option สำหรับ ระยะเวลาในการ Monitor แต่ละรอบเวลา( interval ) ip sla monitor schedule 1 life forever start-time now <----- start operation id 1 track 1 rtr 1 <-- track id 1 ให้มีการอ้างอิง ip sla monitor 1 ip route 1.1.1.1 255.255.255.255 fast0/0 192.168.1.1 track 1 <-- มีการ config static route โดยชี้ next-hop ออกทาง interface f0/0 -> 192.168.1.1 และก่อนที่จะ install เข้าไปใน routing table ให้ตรวจสอบ track id 1 ว่า state up หรือไม่

#sh track 1 <-- display track id 1 operation state
#sh ip sla monitor operational-state 1 <-- display operation-state sla id 1
#sh ip sla monitor configuration 1 <-- display configuration sla id 1 detail

[Cisco] ทำ acl สำหรับ ตรวจสอบ mac-address และ ip address

Dynamic ARP Inspection

vlan 500
name CLIENT
ip arp inspection vlan 500
ip arp inspection validate src-mac ip
ip arp inspection filter ARP1 vlan 500 static

arp access-list ARP1
permit ip host 192.168.1.1 mac host 0010.8ba1.aabb

interface GigabitEthernet1/0/12
switchport access vlan 500
switchport mode access
end