Monday, April 28, 2008

[Cisco] Unequal load-sharing w/ BGP dmz-link

Unequal load-sharing w/ BGP dmz-link

+------ bw 1024k ----[R2]--------->[R4]
|
[R1]
|
+------ bw 512k -----[R3]--------->[R4]

BGP routing
R1 ---> AS1
R2,R3,R4 ---> AS234

OSPF routing
R2,R3,R4 area 0

R1 --> R2 = 1024k
R1 --> R3 = 512k

R4 load-shares between R2 and R3
!===================================================
[R1 Configuration]
interface Serial2/0.12 point-to-point
 des ** Connect to R2 **
 bandwidth 1024
 ip address 160.1.12.1 255.255.255.0
 frame-relay interface-dlci 102
!
interface Serial2/0.13 point-to-point
 des ** Connect to R3 **
 bandwidth 512
 ip address 160.1.13.1 255.255.255.0
 frame-relay interface-dlci 103
!
router bgp 1
 bgp log-neighbor-changes
 neighbor 160.1.12.2 remote-as 234
 neighbor 160.1.13.3 remote-as 234
 !
 address-family ipv4
  neighbor 160.1.12.2 activate
  neighbor 160.1.13.3 activate
  no auto-summary
  no synchronization
  network 10.1.1.0 mask 255.255.255.0
 exit-address-family
!
!====================================================
[R2 Configuration]
interface Serial2/0.12 point-to-point
 des ** Connect to R1 **
 bandwidth 1024
 ip address 160.1.12.2 255.255.255.0
 frame-relay interface-dlci 201
!
interface Serial2/0.24 point-to-point
 des ** Connect to R4 **
 ip address 160.1.24.2 255.255.255.0
 frame-relay interface-dlci 204
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
router bgp 234
 bgp log-neighbor-changes
 neighbor 160.1.12.1 remote-as 1
 neighbor 160.1.24.4 remote-as 234
 !
 address-family ipv4
  neighbor 160.1.12.1 activate
  neighbor 160.1.12.1 default-originate
  neighbor 160.1.12.1 dmzlink-bw
  neighbor 160.1.24.4 activate
  neighbor 160.1.24.4 next-hop-self
  neighbor 160.1.24.4 send-community both
  no auto-summary
  no synchronization
  bgp dmzlink-bw
 exit-address-family
!
!====================================================
[R3 Configuration]
interface Serial1/0.13 point-to-point
 des ** Connect to R1 **
 bandwidth 512
 ip address 160.1.13.3 255.255.255.0
 frame-relay interface-dlci 301
!
interface Serial1/0.34 point-to-point
 des ** Connect to R4 **
 ip address 160.1.34.3 255.255.255.0
 frame-relay interface-dlci 304
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
router bgp 234
 bgp log-neighbor-changes
 neighbor 160.1.13.1 remote-as 1
 neighbor 160.1.34.4 remote-as 234
 !
 address-family ipv4
  neighbor 160.1.13.1 activate
  neighbor 160.1.13.1 default-originate
  neighbor 160.1.13.1 dmzlink-bw
  neighbor 160.1.34.4 activate
  neighbor 160.1.34.4 send-community both
  neighbor 160.1.34.4 next-hop-self
  no auto-summary
  no synchronization
  bgp dmzlink-bw
 exit-address-family
!
!====================================================
[R4 Configuration]
interface Serial1/0.24 point-to-point
 des ** Connect to R2 **
 ip address 160.1.24.4 255.255.255.0
 frame-relay interface-dlci 402
!
interface Serial1/0.34 point-to-point
 des ** Connect to R3 **
 ip address 160.1.34.4 255.255.255.0
 frame-relay interface-dlci 403
!
router bgp 234
 bgp log-neighbor-changes
 neighbor 160.1.24.2 remote-as 234
 neighbor 160.1.34.3 remote-as 234
 maximum-paths ibgp 2
 !
 address-family ipv4
  neighbor 160.1.24.2 activate
  neighbor 160.1.24.2 send-community both
  neighbor 160.1.24.2 route-reflector-client
  neighbor 160.1.34.3 activate
  neighbor 160.1.34.3 send-community both
  neighbor 160.1.34.3 route-reflector-client
  maximum-paths ibgp 2
  no auto-summary
  no synchronization
  bgp dmzlink-bw
 exit-address-family
!
!====================================================

[R2]
R2#sh ip bgp 10.1.1.0
BGP routing table entry for 10.1.1.0/24, version 6
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Advertised to update-groups:
     2
  1
    160.1.12.1 from 160.1.12.1 (10.1.11.1)
      Origin IGP, metric 0, localpref 100, valid, external, best
      DMZ-Link Bw 128 kbytes
R2#sh ip route 10.1.1.0
Routing entry for 10.1.1.0/24
  Known via "bgp 234", distance 20, metric 0
  Tag 1, type external
  Last update from 160.1.12.1 01:06:53 ago
  Routing Descriptor Blocks:
  * 160.1.12.1, from 160.1.12.1, 01:06:53 ago
      Route metric is 0, traffic share count is 1
      AS Hops 1
      Route tag 1


[R3]
R3#sh ip bgp 10.1.1.0
BGP routing table entry for 10.1.1.0/24, version 7
Paths: (2 available, best #2, table Default-IP-Routing-Table)
  Advertised to update-groups:
     2
  1
    160.1.24.2 (metric 128) from 160.1.34.4 (10.1.44.4)
      Origin IGP, metric 0, localpref 100, valid, internal
      Originator: 10.1.22.2, Cluster list: 10.1.44.4
  1
    160.1.13.1 from 160.1.13.1 (10.1.11.1)
      Origin IGP, metric 0, localpref 100, valid, external, best
      DMZ-Link Bw 64 kbytes
R3#sh ip route 10.1.1.0
Routing entry for 10.1.1.0/24
  Known via "bgp 234", distance 20, metric 0
  Tag 1, type external
  Last update from 160.1.13.1 01:18:28 ago
  Routing Descriptor Blocks:
  * 160.1.13.1, from 160.1.13.1, 01:18:28 ago
      Route metric is 0, traffic share count is 1
      AS Hops 1
      Route tag 1


[R4]
R4#sh ip bgp 10.1.1.0
BGP routing table entry for 10.1.1.0/24, version 8
Paths: (2 available, best #1, table Default-IP-Routing-Table)
Multipath: iBGP
  Advertised to update-groups:
     1
  1, (Received from a RR-client)
    160.1.24.2 from 160.1.24.2 (10.1.22.2)
      Origin IGP, metric 0, localpref 100, valid, internal, multipath, best
      DMZ-Link Bw 128 kbytes
  1, (Received from a RR-client)
    160.1.34.3 from 160.1.34.3 (10.1.33.3)
      Origin IGP, metric 0, localpref 100, valid, internal, multipath
      DMZ-Link Bw 64 kbytes
R4#sh ip route 10.1.1.0
Routing entry for 10.1.1.0/24
  Known via "bgp 234", distance 200, metric 0
  Tag 1, type internal
  Last update from 160.1.34.3 00:07:48 ago
  Routing Descriptor Blocks:
    160.1.34.3, from 160.1.34.3, 00:07:48 ago
      Route metric is 0, traffic share count is 19
      AS Hops 1
      Route tag 1
  * 160.1.24.2, from 160.1.24.2, 00:07:48 ago
      Route metric is 0, traffic share count is 40
      AS Hops 1
      Route tag 1

R4#sh ip cef 10.1.1.0 internal
10.1.1.0/24, version 35, epoch 0, per-packet sharing
0 packets, 0 bytes
  via 160.1.34.3, 0 dependencies, recursive
    traffic share 19, current path
    next hop 160.1.34.3, Serial1/0.34 via 160.1.34.0/24
    valid adjacency
  via 160.1.24.2, 0 dependencies, recursive
    traffic share 40
    next hop 160.1.24.2, Serial1/0.24 via 160.1.24.0/24
    valid adjacency

  0 packets, 0 bytes switched through the prefix
  tmstats: external 0 packets, 0 bytes
           internal 0 packets, 0 bytes
  Load distribution: 0 1 0 1 0 1 0 1 0 1 1 1 1 1 1 1 (refcount 1)

  Hash  OK  Interface       Address        Packets
  1     Y   Serial1/0.34    point2point          0
  2     Y   Serial1/0.24    point2point          0
  3     Y   Serial1/0.34    point2point          0
  4     Y   Serial1/0.24    point2point          0
  5     Y   Serial1/0.34    point2point          0
  6     Y   Serial1/0.24    point2point          0
  7     Y   Serial1/0.34    point2point          0
  8     Y   Serial1/0.24    point2point          0
  9     Y   Serial1/0.34    point2point          0
  10    Y   Serial1/0.24    point2point          0
  11    Y   Serial1/0.24    point2point          0
  12    Y   Serial1/0.24    point2point          0
  13    Y   Serial1/0.24    point2point          0
  14    Y   Serial1/0.24    point2point          0
  15    Y   Serial1/0.24    point2point          0
  16    Y   Serial1/0.24    point2point          0
  refcount 6
R4#
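To check the numbers in the R4 output by hand, here is an added Python model (not code from the post) of how the pieces fit together: the R1-facing interface bandwidth in kbit/s becomes the DMZ-Link Bw value in kbytes (1024k shows as 128 kbytes), and the RIB traffic share counts (40 and 19, copied from the output because the post does not show how IOS derives them) are scaled to the 16 CEF hash buckets with largest-remainder rounding, giving 5 buckets via R3 and 11 via R2. The round-robin bucket ordering is an assumption that reproduces the post's "Load distribution" line, not a documented IOS algorithm.

```python
from fractions import Fraction

# R4's two paths in the order 'show ip cef 10.1.1.0 internal' lists them
# (path 0 = via R3 on Serial1/0.34, path 1 = via R2 on Serial1/0.24).
PATHS = ["Serial1/0.34", "Serial1/0.24"]
SHARES = [19, 40]          # RIB traffic share counts copied from the R4 output

def dmz_link_kbytes(bandwidth_kbit):
    """'bandwidth <kbit/s>' on the R1-facing interface -> DMZ-Link Bw as
    'show ip bgp' displays it, in kbytes (1024 -> 128, 512 -> 64)."""
    return bandwidth_kbit // 8

def cef_bucket_counts(shares, buckets=16):
    """Split the CEF hash buckets across paths in proportion to their RIB
    traffic share counts; largest-remainder rounding keeps the sum at 16."""
    total = sum(shares)
    exact = [Fraction(s * buckets, total) for s in shares]
    counts = [int(e) for e in exact]                     # floor of each quota
    leftover = buckets - sum(counts)
    by_remainder = sorted(range(len(shares)),
                          key=lambda i: exact[i] - counts[i], reverse=True)
    for i in by_remainder[:leftover]:                    # largest remainders win
        counts[i] += 1
    return counts

def cef_load_distribution(shares, buckets=16):
    """Assumed bucket ordering: round-robin over the paths that still have
    buckets left. Returns the path index for buckets 1..16, i.e. the
    'Load distribution:' line (a model that matches the post, not IOS source)."""
    quota = cef_bucket_counts(shares, buckets)
    dist, turn = [], 0
    while len(dist) < buckets:
        p = turn % len(shares)
        if quota[p] > 0:
            dist.append(p)
            quota[p] -= 1
        turn += 1
    return dist

def hash_table(shares=SHARES, paths=PATHS):
    """Map CEF hash bucket (1..16) -> outgoing interface, like the post's table."""
    return {h + 1: paths[p] for h, p in enumerate(cef_load_distribution(shares))}

if __name__ == "__main__":
    print("DMZ-Link Bw:", dmz_link_kbytes(1024), "and", dmz_link_kbytes(512), "kbytes")
    print("Load distribution:", " ".join(map(str, cef_load_distribution(SHARES))))
    for h, ifname in hash_table().items():
        print(f"{h:>2}  {ifname}")
```

Because the split is per bucket, not per packet, a handful of large flows can still land on the 512k link regardless of the 11:5 bucket ratio; compare the "Packets" column over time rather than trusting the ratio alone.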

Thursday, April 24, 2008

[FreeBSD] Basic commands for pfctl

# basic pfctl control
# ==
# This document: http://www.rdrs.net/document/
# Related: http://www.OpenBSD.org
# Last update: Tue Dec 28, 2004
# ==
# Note:
# this document is only provided as a basic overview
# for some common pfctl commands and is by no means
# a replacement for the pfctl and pf manual pages.

#### General PFCTL Commands ####

# pfctl -d                          disable packet-filtering
# pfctl -e                          enable packet-filtering
# pfctl -q                          run quiet
# pfctl -v -v                       run even more verbose

#### Loading PF Rules ####
# pfctl -f /etc/pf.conf             load /etc/pf.conf
# pfctl -n -f /etc/pf.conf          parse /etc/pf.conf, but don't load it
# pfctl -R -f /etc/pf.conf          load only the FILTER rules
# pfctl -N -f /etc/pf.conf          load only the NAT rules
# pfctl -O -f /etc/pf.conf          load only the OPTION rules

#### Clearing PF Rules & Counters ####
# pfctl -F all                      flush ALL
# pfctl -F rules                    flush only the RULES
# pfctl -F queue                    flush only the queues
# pfctl -F nat                      flush only NAT
# pfctl -F info                     flush all stats that are not part of any rule
# pfctl -z                          clear all counters
# note: flushing rules does not touch any existing stateful connections

#### Output PF Information ####
# pfctl -s rules                    show filter information
# pfctl -v -s rules                 show filter information and which FILTER rules were hit
# pfctl -vvsr                       show filter information as above and prepend rule numbers
# pfctl -v -s nat                   show NAT information and which NAT rules were hit
# pfctl -s nat -i xl1               show NAT information for interface xl1
# pfctl -s queue                    show QUEUE information
# pfctl -s label                    show LABEL information
# pfctl -s state                    show contents of the STATE table
# pfctl -s info                     show statistics for state tables and packet normalization
# pfctl -s all                      show everything

#### Maintaining PF Tables ####
# pfctl -t addvhosts -T show                        show table addvhosts
# pfctl -vvsTables                                  view global information about all tables
# pfctl -t addvhosts -T add 192.168.1.50            add an entry to table addvhosts
# pfctl -t addvhosts -T add 192.168.1.0/16          add a network to table addvhosts
# pfctl -t addvhosts -T delete 192.168.1.0/16       delete a network from table addvhosts
# pfctl -t addvhosts -T flush                       remove all entries from table addvhosts
# pfctl -t addvhosts -T kill                        delete table addvhosts entirely
# pfctl -t addvhosts -T replace -f /etc/addvhosts   reload table addvhosts on the fly
# pfctl -t addvhosts -T test 192.168.1.40           find ip address 192.168.1.40 in table addvhosts
# pfctl -T load -f /etc/pf.conf                     load a new table definition
# pfctl -t addvhosts -T show -v                     output stats for each ip address in table addvhosts
# pfctl -t addvhosts -T zero                        reset all counters for table addvhosts

Friday, April 11, 2008

[Cisco] Configuring Cisco with TACACS+

An example of configuring a Cisco device with TACACS+ to authenticate and authorize the users who log in to the device.

aaa new-model
aaa authentication login default none
aaa authentication login AUTH_TACACS group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default none
aaa authorization exec AUTH_TACACS group tacacs+ local none
aaa authorization commands 1 AUTH_TACACS group tacacs+ local none
aaa authorization commands 15 AUTH_TACACS group tacacs+ local none
aaa accounting exec AUTH_TACACS start-stop group tacacs+
aaa accounting commands 1 AUTH_TACACS start-stop group tacacs+
aaa accounting commands 15 AUTH_TACACS start-stop group tacacs+

tacacs-server host 192.168.1.2
tacacs-server key TACACS_KEY

line vty 0 4
authorization commands 1 AUTH_TACACS
authorization commands 15 AUTH_TACACS
authorization exec AUTH_TACACS
login authentication AUTH_TACACS

!-----------------------------------------
! tac_plus.cfg

key = TACACS_KEY

default authentication = file /etc/passwd
accounting file = /var/log/tac_acc.log

user = $enab15$ {
    login = cleartext "enable15"
}

######### GROUP DECLARATION #########

group = Administrator {
    default service = permit

    # example configuration for command authorization
    cmd = ping {
        permit .*
    }
    cmd = reload {
        deny .*
    }
    cmd = write {
        deny .*
    }
    cmd = copy {
        deny .*
    }
    cmd = show {
        deny config
        deny running
        permit .*
    }

    cmd = ip {
        deny "route 0.0.0.0 0.0.0.0"
        permit .*
    }
    cmd = username {
        deny .*
    }
    cmd = enable {
        deny password
        deny secret
        permit .*
    }

    cmd = no {
        deny "ip route 0.0.0.0 0.0.0.0"
        deny "username .*"
        deny "enable password .*"
        deny "enable secret .*"
        permit .*
    }

}
user = kitti {
    service = exec {
        priv-lvl = 15
    }
    member = Administrator
}
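As an added way to check the Administrator group's command rules before pushing them to the server (example code, not from the post or from tac_plus itself), the Python below models tac_plus command authorization under these assumed semantics: the first word of the command is the cmd and the rest is the argument string; the permit/deny patterns of the matching cmd block are tried in order with an unanchored regex search and the first match wins; a cmd block in which nothing matches denies; a command with no cmd block gets the group's `default service = permit`. Commands are written in the expanded form the NAS sends, e.g. `show running-config`.

```python
import re

# The Administrator group's cmd blocks from the tac_plus.cfg above, as ordered
# (action, regex) lists; the group's 'default service = permit' is DEFAULT_SERVICE.
ADMINISTRATOR = {
    "ping":     [("permit", r".*")],
    "reload":   [("deny", r".*")],
    "write":    [("deny", r".*")],
    "copy":     [("deny", r".*")],
    "show":     [("deny", r"config"), ("deny", r"running"), ("permit", r".*")],
    "ip":       [("deny", r"route 0.0.0.0 0.0.0.0"), ("permit", r".*")],
    "username": [("deny", r".*")],
    "enable":   [("deny", r"password"), ("deny", r"secret"), ("permit", r".*")],
    "no":       [("deny", r"ip route 0.0.0.0 0.0.0.0"), ("deny", r"username .*"),
                 ("deny", r"enable password .*"), ("deny", r"enable secret .*"),
                 ("permit", r".*")],
}
DEFAULT_SERVICE = "permit"

def authorize(command, group=ADMINISTRATOR, default=DEFAULT_SERVICE):
    """Return 'permit' or 'deny' for one expanded command line.
    Assumed tac_plus semantics (a model, not the server's code): first word is
    the cmd, the rest is the argument string; patterns are tried in order with an
    unanchored search and the first match wins; a cmd block with no match denies;
    a cmd without a block falls back to the group's default service."""
    cmd, _, args = command.strip().partition(" ")
    rules = group.get(cmd)
    if rules is None:
        return default
    for action, pattern in rules:
        if re.search(pattern, args):
            return action
    return "deny"

def audit(commands, group=ADMINISTRATOR):
    """Decide a batch of commands (e.g. lines pulled from the accounting log)
    and return {command: decision}."""
    return {c: authorize(c, group) for c in commands}

if __name__ == "__main__":
    # Constructed sample commands, not taken from any real session.
    sample = ["show ip route", "show running-config", "configure terminal",
              "ip route 0.0.0.0 0.0.0.0 160.1.12.2", "no username kitti",
              "reload", "copy running-config startup-config"]
    for c, decision in audit(sample).items():
        print(f"{decision:6}  {c}")
```

Note that `configure terminal` is permitted only because the group has no `cmd = configure` block and `default service = permit`; anything not listed in the group is allowed, so new deny rules have to be added for each command you want to block.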