Thursday, June 17, 2010

Moving to a new home

From now on I am moving to a new home at www.boonmee.net. Dear friends and readers, please follow me to the new home.

Tuesday, May 11, 2010

[Cisco] How to find which link a load-balanced traffic flow takes


For example, we want to know which path a traffic flow takes across load-balanced links. By default, CEF load-balances by src-dst IP.
The flow in question is:
source address: 192.168.100.1
destination address: 192.168.200.1

C6509#sh ip route 192.168.200.0
Routing entry for 192.168.200.0/24
Known via "ospf 100", distance 110, metric 20
Tag 65001, type extern 1
Last update from 10.0.0.71 on Port-channel2, 03:51:18 ago
Routing Descriptor Blocks:
10.0.0.90, from 10.0.254.98, 03:51:18 ago, via Port-channel2
Route metric is 20, traffic share count is 1
Route tag 65001
* 10.0.0.71, from 10.0.254.20, 03:51:18 ago, via Port-channel2
Route metric is 20, traffic share count is 1
Route tag 65001

C6509#sh ip cef exact-route 192.168.100.1 192.168.200.1
192.168.100.1 -> 192.168.200.1 => IP adj out of Port-channel2, addr 10.0.0.90

C6509#sh mls cef exact-route 192.168.100.1 192.168.200.1

Interface: Po2, Next Hop: 10.0.0.90, Vlan: 1014, Destination Mac: 0012.0111.bbbb

C6509#sh etherchannel load-balance
EtherChannel Load-Balancing Configuration:
src-dst-ip
mpls label-ip

EtherChannel Load-Balancing Addresses Used Per-Protocol:
Non-IP: Source XOR Destination MAC address
IPv4: Source XOR Destination IP address
IPv6: Source XOR Destination IP address
MPLS: Label or IP

C6509#sh etherchannel load-balance hash-result int po2 ip 192.168.100.1 192.168.200.1
Computed RBH: 0x1
Would select Te4/2 of Po2


In summary, the flow 192.168.100.1 ----> 192.168.200.1 has next-hop 10.0.0.90 but leaves via interface Te4/2, which is a member of port-channel2.
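The outputs above give the answer in two stages: CEF picks the next hop for the src-dst pair, and the EtherChannel hash picks the member link. As an added example that is not part of the original post, the Python below is a simplified model of the "Source XOR Destination IP address" rule printed by `sh etherchannel load-balance`: it XORs the two addresses, folds the result to 8 bits and reduces it to a member index. The fold and the modulo are this example's own assumptions; the platform's real RBH computation is not public, and `sh etherchannel load-balance hash-result` remains the authoritative check. What the model does show is that the hash is symmetric (both directions of a conversation land on the same member) and that one heavy flow can never be spread across members, which matters when judging whether a single link is saturated while the bundle looks idle.

```python
import ipaddress
from collections import defaultdict

# Added example (not the platform's algorithm): a toy model of src-dst-ip
# member selection. The XOR step is what the show command describes; the
# 8-bit fold and the modulo are assumptions made for illustration only.

def xor_bucket(src: str, dst: str, n_members: int) -> int:
    """Return the member index (0..n_members-1) a (src, dst) flow maps to."""
    if n_members < 1:
        raise ValueError("an EtherChannel needs at least one member link")
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    h = s ^ d  # symmetric: swapping src and dst gives the same h
    # assumption: fold the 32-bit result down to 8 bits before choosing
    folded = (h ^ (h >> 8) ^ (h >> 16) ^ (h >> 24)) & 0xFF
    return folded % n_members

def flows_per_member(flows, n_members: int) -> dict:
    """Group flows by the member they would use, to spot hot links.

    flows is an iterable of (src, dst) address strings.
    """
    groups = defaultdict(list)
    for src, dst in flows:
        groups[xor_bucket(src, dst, n_members)].append((src, dst))
    return dict(groups)

if __name__ == "__main__":
    # Constructed sample: the flow from the post, its reverse direction,
    # and a neighbouring destination host.
    sample = [
        ("192.168.100.1", "192.168.200.1"),
        ("192.168.200.1", "192.168.100.1"),
        ("192.168.100.1", "192.168.200.2"),
    ]
    for member, flows in sorted(flows_per_member(sample, 2).items()):
        print(f"member {member}: {flows}")
```

With two members, the flow from the post and its reverse both map to member 0, while the flow to 192.168.200.2 maps to member 1; feeding a NetFlow or firewall log's top talkers through `flows_per_member` is a quick way to see which flows compete for one physical link.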

** Reference
Cisco IOS Software, s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-M), Version 12.2(33)SXI2a


Monday, April 5, 2010

Wednesday, March 31, 2010

[CCIE] I passed CCIE SP

Wow, I passed the CCIE SP lab. Very happy....

Wednesday, February 10, 2010

[Cisco] Cisco IPsec site-to-site configuration



Cisco IPSec SITE-TO-SITE
Diagram:
(10.0.1.0/24)LAN-------[R1] atm0 ------ back to back ------ atm0 [R2]---LAN(10.0.2.0/24)
!==========================================================================
[R1]

R1#sh run
Building configuration...

Current configuration : 1622 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip subnet-zero
ip cef
!
!
!
!
no ip domain lookup
!
!
!
username cisco password 0 cisco
!
!
controller DSL 0
mode atm
line-term co
line-mode 4-wire enhanced
dsl-mode shdsl symmetric annex B
line-rate 1024
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 5
crypto isakmp key VPNPASSWORD address 192.168.12.2
!
!
crypto ipsec transform-set TRANSFORM-1 esp-aes esp-sha-hmac
!
crypto map VPN-IPSEC 10 ipsec-isakmp
set peer 192.168.12.2
set transform-set TRANSFORM-1
match address ACL-VPN-CLIENT
!
!
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface ATM0
ip address 192.168.12.1 255.255.255.0
ip access-group BLOCK-ANY-IN in
no atm ilmi-keepalive
pvc 0/100
encapsulation aal5snap
!
crypto map VPN-IPSEC
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
ip address 10.0.1.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.12.2
!
!
no ip http server
no ip http secure-server
!
ip access-list extended ACL-VPN-CLIENT
permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
ip access-list extended BLOCK-ANY-IN
permit ip host 192.168.12.2 host 192.168.12.1
ip access-list extended VPN-CLIENT
!
!
!
control-plane
!
!
line con 0
logging synchronous
no modem enable
line aux 0
line vty 0 4
logging synchronous
login
!
scheduler max-task-time 5000
end
!==========================================================================
[R2]

R2#sh run
Building configuration...

Current configuration : 1588 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip subnet-zero
ip cef
!
!
!
!
no ip domain lookup
!
!
!
username cisco password 0 cisco
!
!
controller DSL 0
mode atm
line-term cpe
line-mode 4-wire enhanced
dsl-mode shdsl symmetric annex B
line-rate 1024
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 5
crypto isakmp key VPNPASSWORD address 192.168.12.1
!
!
crypto ipsec transform-set TRANSFORM-1 esp-aes esp-sha-hmac
!
crypto map VPN-IPSEC 10 ipsec-isakmp
set peer 192.168.12.1
set transform-set TRANSFORM-1
match address ACL-VPN-CLIENT
!
!
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface ATM0
ip address 192.168.12.2 255.255.255.0
ip access-group BLOCK-ANY-IN in
no atm ilmi-keepalive
pvc 0/100
encapsulation aal5snap
!
crypto map VPN-IPSEC
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
ip address 10.0.2.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.12.1
!
!
no ip http server
no ip http secure-server
!
ip access-list extended ACL-VPN-CLIENT
permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
ip access-list extended BLOCK-ANY-IN
permit ip host 192.168.12.1 host 192.168.12.2
!
!
!
control-plane
!
!
line con 0
logging synchronous
no modem enable
line aux 0
line vty 0 4
logging synchronous
login
!
scheduler max-task-time 5000
end

!==========================================================================
[VERIFY]

R1#sh crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication

Interface: ATM0
Session status: UP-ACTIVE
Peer: 192.168.12.2 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 192.168.12.2
Desc: (none)
IKE SA: local 192.168.12.1/500 remote 192.168.12.2/500 Active
Capabilities:(none) connid:1001 lifetime:23:48:32
IPSEC FLOW: permit ip 10.0.1.0/255.255.255.0 10.0.2.0/255.255.255.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 9 drop 0 life (KB/Sec) 4588216/2912
Outbound: #pkts enc'ed 9 drop 1 life (KB/Sec) 4588216/2912

R1#sh crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.

1001 192.168.12.1 192.168.12.2 ACTIVE aes sha psk 5 23:51:15
Engine-id:Conn-id = C87X_MBRD:1

IPv6 Crypto ISAKMP SA

R1#sh crypto ipsec sa detail

interface: ATM0
Crypto map tag: VPN-IPSEC, local addr 192.168.12.1

protected vrf: (none)
local ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.2.0/255.255.255.0/0/0)
current_peer 192.168.12.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 1, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0

local crypto endpt.: 192.168.12.1, remote crypto endpt.: 192.168.12.2
path mtu 4470, ip mtu 4470
current outbound spi: 0x90625D97(2422365591)

inbound esp sas:
spi: 0xF592CE25(4120038949)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: C87X_MBRD:1, crypto map: VPN-IPSEC
sa timing: remaining key lifetime (k/sec): (4588216/3051)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x90625D97(2422365591)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: C87X_MBRD:2, crypto map: VPN-IPSEC
sa timing: remaining key lifetime (k/sec): (4588216/3051)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:
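The tunnel comes up, as the VERIFY output shows, but several settings in the R1/R2 configs are ones a reviewer would change before production: clear-text local passwords, a short pre-shared key, the default SHA-1 hash and DH group 5 in the IKE policy, no dead peer detection, no PFS, and an inbound ACL that admits every IP protocol from the peer rather than just ISAKMP and ESP. As an added example that is not from the original post, the Python below audits a text excerpt of the R1 config and reports the corrected line for each finding; the hardened variant next to it passes the same checks. The checks and thresholds are this example's own choices; the suggested commands are standard IOS syntax, but `hash sha256` and `esp-sha256-hmac` are not in the 12.4 release shown above and are assumed here from IOS 15.x.

```python
import re

# Added example, not part of the original post: a small audit over an IOS
# running-config (as text). Checks and thresholds are this example's own;
# suggested commands are standard IOS syntax (hash sha256 and
# esp-sha256-hmac assume IOS 15.x). Secrets below are placeholders.

# Constructed excerpt of the R1 config from the post (values unchanged,
# sub-commands indented with one space as IOS prints them).
R1_CONFIG = """\
no service password-encryption
hostname R1
username cisco password 0 cisco
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
crypto isakmp key VPNPASSWORD address 192.168.12.2
crypto ipsec transform-set TRANSFORM-1 esp-aes esp-sha-hmac
crypto map VPN-IPSEC 10 ipsec-isakmp
 set peer 192.168.12.2
 set transform-set TRANSFORM-1
 match address ACL-VPN-CLIENT
ip access-list extended BLOCK-ANY-IN
 permit ip host 192.168.12.2 host 192.168.12.1
"""

# The same excerpt with every finding addressed (placeholder secrets).
R1_HARDENED = """\
service password-encryption
hostname R1
username cisco secret CHANGE-ME-placeholder
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-use-32-random-characters address 192.168.12.2
crypto isakmp keepalive 10 3 periodic
crypto ipsec transform-set TRANSFORM-1 esp-aes 256 esp-sha256-hmac
crypto map VPN-IPSEC 10 ipsec-isakmp
 set peer 192.168.12.2
 set transform-set TRANSFORM-1
 set pfs group14
 match address ACL-VPN-CLIENT
ip access-list extended BLOCK-ANY-IN
 permit udp host 192.168.12.2 host 192.168.12.1 eq isakmp
 permit udp host 192.168.12.2 host 192.168.12.1 eq non500-isakmp
 permit esp host 192.168.12.2 host 192.168.12.1
"""

def _block(lines, prefix):
    """Sub-commands (indented lines) under the first top-level line starting with prefix."""
    out, inside = [], False
    for l in lines:
        if l.startswith(prefix):
            inside = True
        elif inside and l.startswith(" "):
            out.append(l.strip())
        elif inside:
            break
    return out

def audit_ipsec_config(config: str):
    """Return (finding, corrected line) pairs for a site-to-site IOS config."""
    lines = config.splitlines()
    flat = [l.strip() for l in lines]
    out = []
    if "no service password-encryption" in flat:
        out.append(("local passwords stored in clear text", "service password-encryption"))
    for l in flat:
        m = re.match(r"username (\S+) password 0 ", l)
        if m:
            out.append((f"user {m.group(1)} has a type-0 (plain) password",
                        f"username {m.group(1)} secret <strong-password>"))
        m = re.match(r"crypto isakmp key (\S+) address (\S+)", l)
        if m and len(m.group(1)) < 20:
            out.append((f"pre-shared key for {m.group(2)} is only {len(m.group(1))} characters",
                        f"crypto isakmp key <32+ random characters> address {m.group(2)}"))
    policy = _block(lines, "crypto isakmp policy")
    if not any(p in ("hash sha256", "hash sha384", "hash sha512") for p in policy):
        out.append(("IKE policy hashes with SHA-1 (the default when 'hash' is omitted)", " hash sha256"))
    for p in policy:
        m = re.match(r"group (\d+)$", p)
        if m and int(m.group(1)) < 14:
            out.append((f"IKE DH group {m.group(1)} is weaker than 2048-bit MODP", " group 14"))
    if not any(l.startswith("crypto isakmp keepalive") for l in flat):
        out.append(("no dead peer detection: a failed peer leaves stale SAs",
                    "crypto isakmp keepalive 10 3 periodic"))
    if not any(c.startswith("set pfs") for c in _block(lines, "crypto map ")):
        out.append(("no PFS: IPsec keys derive from the IKE SA alone", " set pfs group14"))
    for a in _block(lines, "ip access-list extended BLOCK-ANY-IN"):
        m = re.match(r"permit ip host (\S+) host (\S+)", a)
        if m:
            out.append((f"inbound ACL admits every IP protocol from {m.group(1)}",
                        f" permit udp host {m.group(1)} host {m.group(2)} eq isakmp / eq non500-isakmp"
                        f" and permit esp host {m.group(1)} host {m.group(2)}"))
    return out

if __name__ == "__main__":
    for finding, fix in audit_ipsec_config(R1_CONFIG):
        print(f"{finding}\n    -> {fix}")
    print("hardened findings:", audit_ipsec_config(R1_HARDENED))
```

Run against the excerpt it reports eight findings; against the hardened variant it reports none. The same pre-shared key and policy changes must be applied on R2, and the R2 copy of BLOCK-ANY-IN is tightened with the peer addresses swapped.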


Friday, January 29, 2010

How to log in with SSH without entering a password

[Client]
$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/XXXX/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:

$ scp .ssh/id_rsa.pub mylogin@192.168.1.1:.ssh/authorized_keys
Password:

# Testing
$ ssh mylogin@192.168.1.1
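The `scp` step above overwrites the server's `authorized_keys`, so any key that was already installed for `mylogin` is lost; the usual tool for this is `ssh-copy-id`, which appends instead. As an added example that is not from the original post, the Python below does the append by hand: it skips a key that is already present, refuses a file that looks like a private key (the page copies `id_rsa.pub`, and copying `id_rsa` by mistake is a common slip), and sets the 0700/0600 permissions that sshd's default StrictModes requires before it will read the file. The paths are parameters so the function runs against any directory; on a real server `ssh_dir` is the target user's `~/.ssh`, and `demo()` is a constructed scratch run used for checking.

```python
import os
import stat
import tempfile

# Added example, not from the original post: append a public key to an
# authorized_keys file without replacing the keys already there, and set
# the permissions sshd (StrictModes) expects. Paths are parameters.

def install_authorized_key(pubkey_path: str, ssh_dir: str) -> bool:
    """Append the key in pubkey_path to ssh_dir/authorized_keys.

    Returns True if the key was added, False if it was already there.
    """
    with open(pubkey_path, "r", encoding="utf-8") as f:
        key_line = f.readline().strip()
    if not key_line or key_line.startswith("-----"):
        # a private key file starts with "-----BEGIN"; never install that
        raise ValueError("expected a public key line such as 'ssh-rsa AAAA...'")

    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)  # explicit: makedirs' mode is subject to umask
    auth_path = os.path.join(ssh_dir, "authorized_keys")

    existing = set()
    if os.path.exists(auth_path):
        with open(auth_path, "r", encoding="utf-8") as f:
            existing = {l.strip() for l in f if l.strip()}

    added = key_line not in existing
    if added:
        with open(auth_path, "a", encoding="utf-8") as f:
            f.write(key_line + "\n")
    os.chmod(auth_path, 0o600)
    return added

def demo() -> tuple:
    """Run the scenario in a scratch directory with a constructed key.

    Returns (first_added, second_added, key_count, dir_mode, file_mode).
    """
    root = tempfile.mkdtemp()
    pub = os.path.join(root, "id_rsa.pub")
    with open(pub, "w", encoding="utf-8") as f:
        # constructed sample key line, not a real key
        f.write("ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructed== user@example\n")
    ssh_dir = os.path.join(root, "dotssh")
    first = install_authorized_key(pub, ssh_dir)
    second = install_authorized_key(pub, ssh_dir)  # idempotent: nothing appended
    auth = os.path.join(ssh_dir, "authorized_keys")
    with open(auth, "r", encoding="utf-8") as f:
        count = sum(1 for l in f if l.strip())
    dir_mode = stat.S_IMODE(os.stat(ssh_dir).st_mode)
    file_mode = stat.S_IMODE(os.stat(auth).st_mode)
    return first, second, count, dir_mode, file_mode

if __name__ == "__main__":
    print(demo())
```

The second call returns False and leaves a single line in the file, which is the behaviour to expect when the same key is pushed again from a rebuilt client.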

Monday, January 4, 2010

[Cisco] Local Switching Frame-Relay to FastEthernet



[R7 FE1/2]-------[FE0/0 R2 S2/0 DLCI 203]---------[S1/0.23 DLCI 302 R3]

[R7]
R7#sh run int f1/2
Building configuration...

Current configuration : 87 bytes
!
interface FastEthernet1/2
no switchport
ip address 192.168.37.7 255.255.255.0
end

======================================
[R3]
R3#sh run int s1/0.23
Building configuration...

Current configuration : 136 bytes
!
interface Serial1/0.23 point-to-point
ip address 192.168.37.3 255.255.255.0
frame-relay interface-dlci 302
end
======================================
[R2]
interface FastEthernet0/0
no ip address
duplex full
speed auto
no cdp enable
no clns route-cache
end
!
interface Serial2/0
no ip address
encapsulation frame-relay
serial restart-delay 0
frame-relay interface-dlci 203 switched
no clns route-cache
end
!
connect FE-FR Serial2/0 203 FastEthernet0/0 interworking ip
!
======================================
[Verify]

[R7]
R7#ping 192.168.37.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.37.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/20/44 ms

[R2]
R2#sh connection all

ID Name Segment 1 Segment 2 State
============================================================================
1 FE-FR Se2/0 203 Fa0/0 UP



[Cisco] PPP Multilink Frame-Relay


[R1]
hostname R1
!
interface Multilink1
ip address 192.168.1.1 255.255.255.0
ppp multilink
multilink-group 1
no clns route-cache
!
interface Serial2/0
no ip address
encapsulation frame-relay
serial restart-delay 0
frame-relay interface-dlci 103 ppp Virtual-Template1
frame-relay interface-dlci 113 ppp Virtual-Template2
no clns route-cache
!
interface Virtual-Template1
no ip address
ppp multilink
multilink-group 1
no clns route-cache
!
interface Virtual-Template2
no ip address
ppp multilink
multilink-group 1
no clns route-cache
!

===============================================
[R3]

hostname R3
!
interface Multilink1
ip address 192.168.1.3 255.255.255.0
ppp multilink
ppp multilink group 1
!
interface Serial1/0
no ip address
encapsulation frame-relay
serial restart-delay 0
frame-relay interface-dlci 301 ppp Virtual-Template1
!
interface Serial1/1
no ip address
encapsulation frame-relay
serial restart-delay 0
frame-relay interface-dlci 311 ppp Virtual-Template2
!
interface Virtual-Template1
no ip address
ppp multilink
ppp multilink group 1
!
interface Virtual-Template2
no ip address
ppp multilink
ppp multilink group 1
!

===============================================
[Verify]

R3#sh ppp multilink

Multilink1, bundle name is R1
Endpoint discriminator is R1
Bundle up for 00:02:47, total bandwidth 200000, load 1/255
Receive buffer limit 24000 bytes, frag timeout 1000 ms
0/0 fragments/bytes in reassembly list
0 lost fragments, 5 reordered
0/0 discarded fragments/bytes, 0 lost received
0xE received sequence, 0x10 sent sequence
Member links: 2 active, 2 inactive (max not set, min not set)
Vi3, since 00:02:43
Vi1, since 00:02:38
Vt1 (inactive)
Vt2 (inactive)
No inactive multilink interfaces
R3#ping 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/14/36 ms
R3#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.1/32 is directly connected, Multilink1
C 192.168.1.0/24 is directly connected, Multilink1
R3#


[Cisco] PPPoE server and client configuration: the server uses a VRF and the client gets its IP address from DHCP



hostname PPPoE-Server
!
ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool CE
vrf CE
network 192.168.1.0 255.255.255.0
!
ip vrf CE
rd 1:1
!
vpdn enable
!
vpdn-group PPPOE
accept-dialin
protocol pppoe
virtual-template 1
!
username CLIENT password 0 CISCO
!
interface Ethernet0/0
no ip address
full-duplex
pppoe enable
!
interface Virtual-Template1
ip vrf forwarding CE
ip address 192.168.1.1 255.255.255.0
no peer neighbor-route
peer default ip address dhcp
ppp authentication chap callin
ppp chap hostname SERVER
ppp chap password 0 CISCO
!
======================================================

hostname PPPoE-Client
!
vpdn enable
!
vpdn-group PPPOE
request-dialin
protocol pppoe
!
username SERVER password 0 CISCO
!
interface Ethernet0/0
no ip address
full-duplex
pppoe enable
pppoe-client dial-pool-number 1
!
interface Dialer1
ip address dhcp
encapsulation ppp
dialer pool 1
ppp chap hostname CLIENT
ppp chap password 0 CISCO
!