Tuesday, August 19, 2008

Monday, August 11, 2008

Wednesday, August 6, 2008

[Cisco] ip nat outside source

[PC]<----------[R1]-----------------[R2]

PC = 192.168.2.2/24, no default gateway

[R2]
int lo0
ip add 20.0.0.1 255.255.255.255
int f0/0
ip add 192.168.1.2 255.255.255.0
ip route 10.0.0.0 255.255.255.0 192.168.1.1

[R1]
int f0/0
ip add 192.168.1.1 255.255.255.0
ip nat outside
int f0/1
ip add 192.168.2.1 255.255.255.0
ip nat inside
ip nat inside source static 192.168.2.2 10.0.0.1
ip nat outside source static 20.0.0.1 192.168.2.10 add-route <<<
ip route 0.0.0.0 0.0.0.0 192.168.1.2
ip route 20.0.0.0 255.255.255.0 192.168.1.2 <<<

#sh ip route
20.0.0.0/24 is subnetted, 1 subnets
S 20.0.0.0 [1/0] via 192.168.1.2
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
S 192.168.1.10/32 [1/0] via 20.0.0.1
C 192.168.1.0/24 is directly connected, FastEthernet0/0
192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
S 192.168.2.10/32 [1/0] via 20.0.0.1
C 192.168.2.0/24 is directly connected, FastEthernet0/1
S* 0.0.0.0/0 [1/0] via 192.168.1.2
#sh ip nat tran
Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                192.168.2.10       20.0.0.1
--- 10.0.0.1           192.168.2.2        ---                ---

[R2]
R2#ping 10.0.0.1 source lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 20.0.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/15/28 ms
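To show why the two lines marked <<< above matter, here is an added Python model (not from the post) of R1's static NAT entries and of its routing table as printed by sh ip route. It walks R2's ping through R1 twice: once with the host route that add-route installs, and once without it, where the PC's reply to 192.168.2.10 would match the connected 192.168.2.0/24 and be sent back out f0/1 instead of towards R2. The RIB entries and NAT mappings are copied from the post; the interface names and the order of operations (outside-to-inside: translate then route; inside-to-outside: route then translate) follow IOS behaviour.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


# Static NAT entries from R1's config in the post:
#   ip nat inside source static 192.168.2.2 10.0.0.1
#   ip nat outside source static 20.0.0.1 192.168.2.10 add-route
INSIDE_STATIC = {"192.168.2.2": "10.0.0.1"}     # inside local  -> inside global
OUTSIDE_STATIC = {"20.0.0.1": "192.168.2.10"}   # outside global -> outside local
OUTSIDE_IFACE = "FastEthernet0/0"               # the 'ip nat outside' interface

# R1's RIB, constructed from the 'sh ip route' output in the post:
# (prefix, next hop, connected interface). 192.168.2.10/32 is the entry add-route installs.
R1_RIB = [
    ("20.0.0.0/24",     "192.168.1.2", None),
    ("192.168.2.10/32", "20.0.0.1",    None),
    ("192.168.1.0/24",  None,          "FastEthernet0/0"),
    ("192.168.2.0/24",  None,          "FastEthernet0/1"),
    ("0.0.0.0/0",       "192.168.1.2", None),
]
R1_RIB_WITHOUT_ADD_ROUTE = [r for r in R1_RIB if r[0] != "192.168.2.10/32"]


def longest_match(rib, address):
    """Return the most specific RIB entry covering `address`, or None."""
    ip = ipaddress.ip_address(address)
    best = None
    for prefix, nh, iface in rib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, iface)
    return best


def forward(rib, dst):
    """Resolve `dst` recursively to (egress interface, next-hop address).
    The loop bound guards against a next hop that never resolves to an interface."""
    target = dst
    for _ in range(8):
        entry = longest_match(rib, target)
        if entry is None:
            return None
        _net, nh, iface = entry
        if iface is not None:        # connected: the current target is the neighbour to ARP for
            return (iface, target)
        target = nh                  # recursive route: resolve the next hop itself
    return None


def outside_to_inside(pkt):
    """Packet entering on the outside interface: outside global source -> outside local,
    inside global destination -> inside local."""
    inside_global_to_local = {g: l for l, g in INSIDE_STATIC.items()}
    return Packet(OUTSIDE_STATIC.get(pkt.src, pkt.src),
                  inside_global_to_local.get(pkt.dst, pkt.dst))


def inside_to_outside(pkt):
    """Packet leaving via the outside interface: the reverse of outside_to_inside."""
    outside_local_to_global = {l: g for g, l in OUTSIDE_STATIC.items()}
    return Packet(INSIDE_STATIC.get(pkt.src, pkt.src),
                  outside_local_to_global.get(pkt.dst, pkt.dst))


def ping_exchange(rib):
    """Walk R2's 'ping 10.0.0.1 source lo0' through R1 and return
    (echo as the PC sees it, egress chosen for the PC's reply, reply as R2 sees it)."""
    echo = Packet("20.0.0.1", "10.0.0.1")
    echo_inside = outside_to_inside(echo)             # translated, then routed to the PC
    reply = Packet(echo_inside.dst, echo_inside.src)  # the PC answers the peer it saw
    egress = forward(rib, reply.dst)                  # inside->outside: routed first
    if egress is not None and egress[0] == OUTSIDE_IFACE:
        reply_out = inside_to_outside(reply)          # ...then translated on the way out
    else:
        reply_out = reply                             # never reaches the outside interface
    return echo_inside, egress, reply_out


if __name__ == "__main__":
    for label, rib in (("with add-route", R1_RIB),
                       ("without add-route", R1_RIB_WITHOUT_ADD_ROUTE)):
        inside, egress, outside = ping_exchange(rib)
        print(f"{label}: PC sees {inside.src}->{inside.dst}; "
              f"reply leaves via {egress}; R2 sees {outside.src}->{outside.dst}")
```

The second static route (20.0.0.0/24 via 192.168.1.2) is what lets the /32 host route resolve: without it the recursive lookup for 20.0.0.1 would fall to the default route, which happens to point the same way here, but on a router with a different default the reply would leave by the wrong interface.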

Wednesday, July 9, 2008

Tuning the TCP window size on Windows

I tried FTP from both Linux and XP to the same site over the same link, and it turned out the Linux download was faster, which gave me a headache. Looking at the packets it seemed to be related to the window size, so I asked Google, which pointed me to h**p://rdweb.cns.vt.edu/public/notes/win2k-tcpip.htm, and after tuning the registry it was OK.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]

The names/values I installed are:

GlobalMaxTcpWindowSize    REG_DWORD    131400 (decimal)
TcpWindowSize             REG_DWORD    131400 (decimal)
Tcp1323Opts               REG_DWORD    3

Friday, June 27, 2008

[Cisco] Cisco config DHCPv6

ipv6 dhcp pool DHCPv6POOL
dns-server 2001:FB0:1000:0:192:168:1:1
domain-name domain.co.th

interface GigabitEthernet0/1
des ## LAN ##
ipv6 address 2001:FB0:1::1/64
ipv6 nd other-config-flag
ipv6 dhcp server DHCPv6POOL

* The client must support DHCPv6. With ipv6 nd other-config-flag set (and no managed-config-flag) this is stateless DHCPv6: hosts still get their addresses from SLAAC and only fetch the DNS server and domain name from the pool.

[Cisco] Config Cisco Multipoint GRE tunnel

Dynamic GRE tunnels (point-to-multipoint)
[R1]--------------[R2]-----------------[R3]

[R1]
interface Loopback0
ip address 10.1.1.1 255.255.255.0
!
interface Loopback192
description ## private ip address ##
ip address 192.168.1.1 255.255.255.0
!
interface Tunnel1
ip address 172.16.0.1 255.255.255.0
no ip redirects
ip nhrp authentication CISCO
ip nhrp map multicast dynamic
ip nhrp network-id 99
no ip split-horizon
tunnel source Loopback0
tunnel mode gre multipoint
tunnel key 1
!
interface Serial1/0.12 point-to-point
ip address 10.3.12.1 255.255.255.0
frame-relay interface-dlci 102
!
router ospf 1
log-adjacency-changes
network 10.1.1.1 0.0.0.0 area 0
network 10.3.12.1 0.0.0.0 area 0
!
router rip
version 2
redistribute connected metric 2 route-map PRIVATE->RIP
network 172.16.0.0
no auto-summary
!
ip access-list standard PRIVATE_192
permit 192.168.1.0
!
!
route-map PRIVATE->RIP permit 10
match ip address PRIVATE_192

R1#sh ip route rip
10.0.0.0/8 is variably subnetted, 12 subnets, 2 masks
R 10.1.3.0/24 [120/2] via 172.16.0.3, 00:00:20, Tunnel1
R 10.1.2.0/24 [120/2] via 172.16.0.2, 00:00:06, Tunnel1
R 192.168.2.0/24 [120/2] via 172.16.0.2, 00:00:06, Tunnel1
R 192.168.3.0/24 [120/2] via 172.16.0.3, 00:00:20, Tunnel1

R1#sh ip route 192.168.3.1
Routing entry for 192.168.3.0/24
Known via "rip", distance 120, metric 2
Redistributing via rip
Last update from 172.16.0.3 on Tunnel1, 00:00:15 ago
Routing Descriptor Blocks:
* 172.16.0.3, from 172.16.0.3, 00:00:15 ago, via Tunnel1
Route metric is 2, traffic share count is 1

R1#ping 192.168.3.1 source 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/29/52 ms

!------------------------------------------------------------------------------------------------------
[R2]
interface Loopback0
ip address 10.1.2.2 255.255.255.0
!
interface Loopback192
description ### private ip address ###
ip address 192.168.2.1 255.255.255.0
!
interface Tunnel0
ip address 172.16.0.2 255.255.255.0
no ip redirects
ip nhrp authentication CISCO
ip nhrp map 172.16.0.1 10.1.1.1
ip nhrp map multicast 10.1.1.1
ip nhrp network-id 99
ip nhrp nhs 172.16.0.1
ip nhrp registration timeout 180
tunnel source Loopback0
tunnel mode gre multipoint
tunnel key 1
!
interface Serial1/0.12 point-to-point
ip address 10.3.12.2 255.255.255.0
frame-relay interface-dlci 201
!
interface Serial1/0.23 point-to-point
ip address 10.3.23.2 255.255.255.0
frame-relay interface-dlci 203
!
router ospf 1
log-adjacency-changes
network 10.1.2.2 0.0.0.0 area 0
network 10.3.12.2 0.0.0.0 area 0
network 10.3.23.2 0.0.0.0 area 0
!
router rip
version 2
redistribute connected metric 2 route-map PRIVATE->RIP
network 172.16.0.0
no auto-summary
!
ip access-list standard PRIVATE_192
permit 192.168.2.0
!
route-map PRIVATE->RIP permit 10
match ip address PRIVATE_192

R2# sh ip route rip
10.0.0.0/8 is variably subnetted, 10 subnets, 2 masks
R 10.1.3.0/24 [120/3] via 172.16.0.3, 00:00:19, Tunnel0
R 192.168.1.0/24 [120/2] via 172.16.0.1, 00:00:19, Tunnel0
R 192.168.3.0/24 [120/3] via 172.16.0.3, 00:00:19, Tunnel0
!-------------------------------------------------------------------------------------------
[R3]
interface Loopback0
ip address 10.1.3.3 255.255.255.0
!
interface Loopback192
description ### private ip address ###
ip address 192.168.3.1 255.255.255.0
!
interface Tunnel0
ip address 172.16.0.3 255.255.255.0
no ip redirects
ip nhrp authentication CISCO
ip nhrp map 172.16.0.1 10.1.1.1
ip nhrp map multicast 10.1.1.1
ip nhrp network-id 99
ip nhrp nhs 172.16.0.1
ip nhrp registration timeout 180
tunnel source Loopback0
tunnel mode gre multipoint
tunnel key 1
!
interface Serial1/0.23 point-to-point
ip address 10.3.23.3 255.255.255.0
frame-relay interface-dlci 302
!
router ospf 1
log-adjacency-changes
network 10.1.3.3 0.0.0.0 area 0
network 10.3.23.3 0.0.0.0 area 0
!
router rip
version 2
redistribute connected metric 2 route-map PRIVATE->RIP
network 172.16.0.0
no auto-summary
!
ip access-list standard PRIVATE_192
permit 192.168.3.0
!
route-map PRIVATE->RIP permit 10
match ip address PRIVATE_192
!

R3#sh ip route rip
10.0.0.0/8 is variably subnetted, 10 subnets, 2 masks
R 10.1.2.0/24 [120/3] via 172.16.0.2, 00:00:00, Tunnel0
R 192.168.1.0/24 [120/2] via 172.16.0.1, 00:00:00, Tunnel0
R 192.168.2.0/24 [120/3] via 172.16.0.2, 00:00:00, Tunnel0
!---------------------------------------------------------------------------------------------

[Cisco] Config TACACS+

aaa new-model
aaa authentication login TACPLUS group tacacs+ local
aaa authentication login CONSOLE local group tacacs+ none
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec TACPLUS group tacacs+ local none
aaa authorization exec CONSOLE local none
aaa authorization commands 0 TACPLUS group tacacs+ local none
aaa authorization commands 0 CONSOLE local none
aaa authorization commands 1 TACPLUS group tacacs+ local none
aaa authorization commands 1 CONSOLE local none
aaa authorization commands 15 TACPLUS group tacacs+ local none
aaa authorization commands 15 CONSOLE local none
aaa accounting exec TACPLUS start-stop group tacacs+
aaa accounting exec CONSOLE start-stop group tacacs+
aaa accounting commands 0 TACPLUS start-stop group tacacs+
aaa accounting commands 1 TACPLUS start-stop group tacacs+
aaa accounting commands 1 CONSOLE start-stop group tacacs+
aaa accounting commands 15 TACPLUS start-stop group tacacs+
aaa accounting commands 15 CONSOLE start-stop group tacacs+

username admin privilege 15 password 0 admin

ip tacacs source-interface Loopback0
tacacs-server host 192.168.1.1
tacacs-server key CISCO

line con 0
authorization commands 0 CONSOLE
authorization commands 1 CONSOLE
authorization commands 15 CONSOLE
authorization exec CONSOLE
accounting commands 15 CONSOLE
accounting commands 1 CONSOLE
accounting exec CONSOLE
login authentication CONSOLE

line vty 0 4
authorization commands 0 TACPLUS
authorization commands 1 TACPLUS
authorization commands 15 TACPLUS
authorization exec TACPLUS
accounting commands 1 TACPLUS
accounting commands 15 TACPLUS
accounting exec TACPLUS
login authentication TACPLUS
!

[3Com] Configuring a 3Com Router 3030 for an ADSL connection

system-view
System View: return to User View with Ctrl+Z.
[Router]quit

disp current-configuration
#
#3Com Router Software V2.04
#
sysname Router
#
dialer-rule 1 ip permit
#
dhcp server ip-pool default
network 192.168.1.0 mask 255.255.255.0
gateway-list 192.168.1.1
dns-list 10.0.0.1 10.0.0.2
#
interface Dialer1
link-protocol ppp
ppp pap local-user username@domain password simple mypassword
mtu 1450
ip address ppp-negotiate
dialer user username@domain
dialer-group 1
dialer bundle 1
dialer timer idle 0
nat outbound 2000
#
interface Ethernet1/0
ip address 192.168.1.1 255.255.255.0
#
interface Atm2/0
pvc 0/100
map bridge Virtual-Ethernet1
#
interface Virtual-Ethernet1
pppoe-client dial-bundle-number 1
#
interface NULL0
#
acl number 2000
rule 1 permit source 192.168.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 Dialer 1 preference 60
#
user-interface con 0
user-interface vty 0 4
#
return

Monday, May 19, 2008

[Ubuntu] bootchart after tuning

[Ubuntu] tuning hardy 8.04 for my laptop

sudo vi /etc/fstab
UUID=fdb68ba3-e411-4a71-8cb4-ac4e117181de / reiserfs notail,relatime 0 1
change to
UUID=fdb68ba3-e411-4a71-8cb4-ac4e117181de / reiserfs notail,noatime,relatime 0 1

sudo vi /etc/sysctl.conf
vm.swappiness=0

sudo vi /etc/init.d/rc
CONCURRENCY=shell

sudo vi /boot/grub/menu.lst
# defoptions=quiet splash
change to
# defoptions=quiet splash elevator=cfq ramdisk_size=160000
And run
sudo update-grub

sudo apt-get install preload prelink bootchart

sudo vi /etc/default/prelink
PRELINKING=unknown
change to
PRELINKING=yes

After rebooting, view the bootchart images in
/var/log/bootchart

Disable ipv6
sudo vi /etc/modprobe.d/aliases
#alias net-pf-10 ipv6
alias net-pf-10 off ipv6
alias net-pf-10 off
alias ipv6 off


If you want to disable the filesystem check (fsck):
sudo touch /fastboot

To force a check:
sudo touch /forcefsck

!-------------------------------------------------------------------
vi fastboot

#! /bin/sh
### BEGIN INIT INFO
# Provides:          fastboot
# Required-Start:    networking
# Required-Stop:     networking
# Should-Start:
# Should-Stop:
# Default-Start:     2 3 4 5
# Default-Stop:      0 6
# Short-Description: create/delete file /fastboot .
### END INIT INFO
# start (normal boot): remove /fastboot, so a crash or power loss before the next
# clean shutdown still gets an fsck on the following boot.
# stop (clean halt or reboot): create /fastboot, so the next boot skips the check.
# Default-Stop lists runlevel 6 as well as 0 so that a reboot behaves like a halt.

PATH=/sbin:/bin

. /lib/lsb/init-functions

do_start () {
    log_begin_msg "Deleting /fastboot file ..."
    rm -f /fastboot
    log_end_msg $?
}
do_stop () {
    log_begin_msg "Creating /fastboot file ..."
    touch /fastboot
    log_end_msg $?
}

case "$1" in
  start)
    do_start
    ;;
  restart|reload|force-reload)
    echo "Error: argument '$1' not supported" >&2
    exit 3
    ;;
  stop)
    do_stop
    ;;
  *)
    echo "Usage: $0 start|stop" >&2
    exit 3
    ;;
esac
!-------------------------------------------------------------------

sudo apt-get install sysv-rc-conf
sudo cp fastboot /etc/init.d
sudo chmod +x /etc/init.d/fastboot
sudo sysv-rc-conf
enable fastboot for runlevels 2, 3, 4, 5

Friday, May 9, 2008

[Perl] Simple IP spoofing with Perl

An example that sends a UDP packet with the source address spoofed to 1.1.1.1, to UDP port 514 on the server 192.168.1.100.

vi spoofing_syslog.pl

#!/usr/bin/perl
use strict;
use warnings;
use Net::RawIP;    # raw IP sockets; running this needs root privileges

my $n = Net::RawIP->new({
    ip => {
        saddr => '1.1.1.1',         # forged source address
        daddr => '192.168.1.100',   # syslog server
    },
    udp => {
        source => 514,
        dest   => 514,
        data   => "<28>Syslog: Spoofing source address",
    },
});
$n->send;
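The post shows how little it takes to forge the source address of a UDP syslog datagram: the receiver sees 1.1.1.1 and nothing in the packet itself says otherwise. As an added example (not part of the post), the Python below models the receiving side of that exchange: a strict ingress filter like the one IOS applies with ip verify unicast source reachable-via rx (BCP 38 style: a source address is only accepted on the interface it should arrive on), a parser for the syslog PRI field (<28> is facility 3, severity 4), and the log server's own source allowlist. The interface names, prefixes and sample datagrams are constructed for the example; the second datagram is the one the Perl script above would produce if it arrived on the LAN side.

```python
import ipaddress
import re

# Constructed topology: which source prefixes are legitimate on each interface of the
# router in front of the syslog server.
INGRESS_PREFIXES = {
    "lan0": ["192.168.1.0/24"],
    "wan0": ["0.0.0.0/0"],            # anything may arrive from upstream...
}
# ...except our own prefixes and loopback, which must never come in from the WAN.
BOGON_ON_WAN = ["192.168.1.0/24", "127.0.0.0/8"]

# Constructed allowlist kept on the syslog server itself.
TRUSTED_LOG_SOURCES = ["192.168.1.0/24"]

PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_pri(payload):
    """Return (facility, severity) from the syslog PRI, where PRI = facility*8 + severity,
    or None when the field is missing or out of range (max valid PRI is 191)."""
    m = PRI_RE.match(payload)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    return pri // 8, pri % 8


def _in_any(addr, prefixes):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in prefixes)


def ingress_ok(iface, src):
    """Strict ingress filtering: the source must be plausible for the arrival interface."""
    if not _in_any(src, INGRESS_PREFIXES.get(iface, [])):
        return False
    if iface == "wan0" and _in_any(src, BOGON_ON_WAN):
        return False
    return True


def classify(iface, src, payload):
    """Decide what to do with one datagram. Returns (verdict, detail)."""
    if not ingress_ok(iface, src):
        return ("drop", f"source {src} is not valid on {iface} (spoofed or misrouted)")
    pri = parse_pri(payload)
    if pri is None:
        return ("drop", "malformed PRI")
    if not _in_any(src, TRUSTED_LOG_SOURCES):
        return ("quarantine", f"untrusted source {src}; facility={pri[0]} severity={pri[1]}")
    return ("accept", f"facility={pri[0]} severity={pri[1]}")


# Constructed sample datagrams: (arrival interface, source address, payload)
SAMPLES = [
    ("lan0", "192.168.1.50", "<28>sshd: normal message from a host on the LAN"),
    ("lan0", "1.1.1.1",      "<28>Syslog: Spoofing source address"),        # the post's packet
    ("wan0", "192.168.1.50", "<28>Syslog: our own prefix arriving from upstream"),
    ("wan0", "203.0.113.9",  "<14>remote site that is not on the allowlist"),
    ("lan0", "192.168.1.50", "no PRI field at all"),
]


def run(samples=SAMPLES):
    """Classify every sample; returns the list of (verdict, detail) in input order."""
    return [classify(*s) for s in samples]


if __name__ == "__main__":
    for s, (verdict, detail) in zip(SAMPLES, run()):
        print(f"{s[0]:5} {s[1]:>14} -> {verdict:10} {detail}")
```

The allowlist alone would not have stopped the post's packet if it had claimed an address inside 192.168.1.0/24; only the ingress filter, applied where the packet enters the network, catches a forged source on the wrong interface. Moving syslog to TCP or TLS closes the rest of the gap, since a blindly spoofed source cannot complete a handshake.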

Monday, April 28, 2008

[Cisco] Unequal load-sharing w/ BGP dmz-link

Unequal load-sharing w/ BGP dmz-link

+------ bw 1024k ----[R2]--------->[R4]
|
[R1]
|
+------ bw 512k -----[R3]--------->[R4]

BGP routing
R1 ---> AS1
R2,R3,R4 ---> AS234

OSPF routing
R2,R3,R4 area 0

R1 --> R2 = 1024k
R1 --> R3 = 512k

R4 load share between R2 and R3
!===================================================
[R1 Configuration]
interface Serial2/0.12 point-to-point
des ** Connect to R2 **
bandwidth 1024
ip address 160.1.12.1 255.255.255.0
frame-relay interface-dlci 102
!
interface Serial2/0.13 point-to-point
des ** Connect to R3 **
bandwidth 512
ip address 160.1.13.1 255.255.255.0
frame-relay interface-dlci 103
!
router bgp 1
bgp log-neighbor-changes
neighbor 160.1.12.2 remote-as 234
neighbor 160.1.13.3 remote-as 234
!
address-family ipv4
neighbor 160.1.12.2 activate
neighbor 160.1.13.3 activate
no auto-summary
no synchronization
network 10.1.1.0 mask 255.255.255.0
exit-address-family
!
!====================================================
[R2 Configuration]
interface Serial2/0.12 point-to-point
des ** Connect to R1 **
bandwidth 1024
ip address 160.1.12.2 255.255.255.0
frame-relay interface-dlci 201
!
interface Serial2/0.24 point-to-point
des ** Connect to R4 **
ip address 160.1.24.2 255.255.255.0
frame-relay interface-dlci 204
!
router ospf 1
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
router bgp 234
bgp log-neighbor-changes
neighbor 160.1.12.1 remote-as 1
neighbor 160.1.24.4 remote-as 234
!
address-family ipv4
neighbor 160.1.12.1 activate
neighbor 160.1.12.1 default-originate
neighbor 160.1.12.1 dmzlink-bw
neighbor 160.1.24.4 activate
neighbor 160.1.24.4 next-hop-self
neighbor 160.1.24.4 send-community both
no auto-summary
no synchronization
bgp dmzlink-bw
exit-address-family
!
!====================================================
[R3 Configuration]

interface Serial1/0.13 point-to-point
des ** Connect to R1 **
bandwidth 512
ip address 160.1.13.3 255.255.255.0
frame-relay interface-dlci 301
!
interface Serial1/0.34 point-to-point
des ** Connect to R4 **
ip address 160.1.34.3 255.255.255.0
frame-relay interface-dlci 304
!
router ospf 1
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
router bgp 234
bgp log-neighbor-changes
neighbor 160.1.13.1 remote-as 1
neighbor 160.1.34.4 remote-as 234
!
address-family ipv4
neighbor 160.1.13.1 activate
neighbor 160.1.13.1 default-originate
neighbor 160.1.13.1 dmzlink-bw
neighbor 160.1.34.4 activate
neighbor 160.1.34.4 send-community both
neighbor 160.1.34.4 next-hop-self
no auto-summary
no synchronization
bgp dmzlink-bw
exit-address-family
!
!====================================================
[R4 Configuration]
interface Serial1/0.24 point-to-point
des ** Connect to R2 **
ip address 160.1.24.4 255.255.255.0
frame-relay interface-dlci 402
!
interface Serial1/0.34 point-to-point
des ** Connect to R3 **
ip address 160.1.34.4 255.255.255.0
frame-relay interface-dlci 403
!
router bgp 234
bgp log-neighbor-changes
neighbor 160.1.24.2 remote-as 234
neighbor 160.1.34.3 remote-as 234
maximum-paths ibgp 2
!
address-family ipv4
neighbor 160.1.24.2 activate
neighbor 160.1.24.2 send-community both
neighbor 160.1.24.2 route-reflector-client
neighbor 160.1.34.3 activate
neighbor 160.1.34.3 send-community both
neighbor 160.1.34.3 route-reflector-client
maximum-paths ibgp 2
no auto-summary
no synchronization
bgp dmzlink-bw
exit-address-family
!
!====================================================

[R2]
R2#sh ip bgp 10.1.1.0
BGP routing table entry for 10.1.1.0/24, version 6
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Advertised to update-groups:
2
1
160.1.12.1 from 160.1.12.1 (10.1.11.1)
Origin IGP, metric 0, localpref 100, valid, external, best
DMZ-Link Bw 128 kbytes
R2#sh ip route 10.1.1.0
Routing entry for 10.1.1.0/24
Known via "bgp 234", distance 20, metric 0
Tag 1, type external
Last update from 160.1.12.1 01:06:53 ago
Routing Descriptor Blocks:
* 160.1.12.1, from 160.1.12.1, 01:06:53 ago
Route metric is 0, traffic share count is 1
AS Hops 1
Route tag 1


[R3]
R3#sh ip bgp 10.1.1.0
BGP routing table entry for 10.1.1.0/24, version 7
Paths: (2 available, best #2, table Default-IP-Routing-Table)
Advertised to update-groups:
2
1
160.1.24.2 (metric 128) from 160.1.34.4 (10.1.44.4)
Origin IGP, metric 0, localpref 100, valid, internal
Originator: 10.1.22.2, Cluster list: 10.1.44.4
1
160.1.13.1 from 160.1.13.1 (10.1.11.1)
Origin IGP, metric 0, localpref 100, valid, external, best
DMZ-Link Bw 64 kbytes
R3#sh ip route 10.1.1.0
Routing entry for 10.1.1.0/24
Known via "bgp 234", distance 20, metric 0
Tag 1, type external
Last update from 160.1.13.1 01:18:28 ago
Routing Descriptor Blocks:
* 160.1.13.1, from 160.1.13.1, 01:18:28 ago
Route metric is 0, traffic share count is 1
AS Hops 1
Route tag 1


[R4]
R4#sh ip bgp 10.1.1.0
BGP routing table entry for 10.1.1.0/24, version 8
Paths: (2 available, best #1, table Default-IP-Routing-Table)
Multipath: iBGP
Advertised to update-groups:
1
1, (Received from a RR-client)
160.1.24.2 from 160.1.24.2 (10.1.22.2)
Origin IGP, metric 0, localpref 100, valid, internal, multipath, best
DMZ-Link Bw 128 kbytes
1, (Received from a RR-client)
160.1.34.3 from 160.1.34.3 (10.1.33.3)
Origin IGP, metric 0, localpref 100, valid, internal, multipath
DMZ-Link Bw 64 kbytes
R4#sh ip route 10.1.1.0
Routing entry for 10.1.1.0/24
Known via "bgp 234", distance 200, metric 0
Tag 1, type internal
Last update from 160.1.34.3 00:07:48 ago
Routing Descriptor Blocks:
160.1.34.3, from 160.1.34.3, 00:07:48 ago
Route metric is 0, traffic share count is 19
AS Hops 1
Route tag 1
* 160.1.24.2, from 160.1.24.2, 00:07:48 ago
Route metric is 0, traffic share count is 40
AS Hops 1
Route tag 1

R4#sh ip cef 10.1.1.0 internal
10.1.1.0/24, version 35, epoch 0, per-packet sharing
0 packets, 0 bytes
via 160.1.34.3, 0 dependencies, recursive
traffic share 19, current path
next hop 160.1.34.3, Serial1/0.34 via 160.1.34.0/24
valid adjacency
via 160.1.24.2, 0 dependencies, recursive
traffic share 40
next hop 160.1.24.2, Serial1/0.24 via 160.1.24.0/24
valid adjacency

0 packets, 0 bytes switched through the prefix
tmstats: external 0 packets, 0 bytes
internal 0 packets, 0 bytes
Load distribution: 0 1 0 1 0 1 0 1 0 1 1 1 1 1 1 1 (refcount 1)

Hash OK Interface Address Packets
1 Y Serial1/0.34 point2point 0
2 Y Serial1/0.24 point2point 0
3 Y Serial1/0.34 point2point 0
4 Y Serial1/0.24 point2point 0
5 Y Serial1/0.34 point2point 0
6 Y Serial1/0.24 point2point 0
7 Y Serial1/0.34 point2point 0
8 Y Serial1/0.24 point2point 0
9 Y Serial1/0.34 point2point 0
10 Y Serial1/0.24 point2point 0
11 Y Serial1/0.24 point2point 0
12 Y Serial1/0.24 point2point 0
13 Y Serial1/0.24 point2point 0
14 Y Serial1/0.24 point2point 0
15 Y Serial1/0.24 point2point 0
16 Y Serial1/0.24 point2point 0
refcount 6
R4#
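The R4 output above shows what bgp dmzlink-bw actually changes: the DMZ-Link Bw attribute carries each external link's bandwidth in bytes per second (1024 kbit/s becomes 128 kbytes, 512 kbit/s becomes 64 kbytes), and CEF turns those weights into the 16-bucket hash table, 11 buckets for the R2 path and 5 for the R3 path. The Python below is an added example (not from the post) that reproduces that split and the "Load distribution: 0 1 0 1 0 1 0 1 0 1 1 1 1 1 1 1" line from the bandwidths in the configs. The bucket-filling rule (round-robin over the paths until each has used its share) is an assumption that matches the printed output, not Cisco's documented algorithm, and the traffic share counts 19 and 40 are taken from the output rather than derived.

```python
def dmz_link_bw_kbytes(bandwidth_kbit):
    """The DMZ-Link Bw attribute carries link speed in bytes/s: 1024 kbit/s -> 128 kbytes."""
    return bandwidth_kbit // 8


def bucket_shares(weights, buckets=16):
    """Split `buckets` hash buckets between paths in proportion to `weights`, using
    largest-remainder rounding so the shares always add up to `buckets`."""
    total = sum(weights)
    raw = [w * buckets / total for w in weights]
    shares = [int(r) for r in raw]
    leftover = buckets - sum(shares)
    by_fraction = sorted(range(len(weights)),
                         key=lambda i: raw[i] - shares[i], reverse=True)
    for i in by_fraction[:leftover]:
        shares[i] += 1
    return shares


def load_distribution(shares):
    """Assign buckets to paths round-robin, skipping a path once its share is used up.
    Assumption: this reproduces the 'Load distribution' line in the post; it is a
    model fitted to the observed output, not Cisco's documented algorithm."""
    remaining = list(shares)
    order = []
    start = 0
    while len(order) < sum(shares):
        for k in range(len(shares)):
            p = (start + k) % len(shares)
            if remaining[p] > 0:
                order.append(p)
                remaining[p] -= 1
                start = p + 1
                break
    return order


def hash_table(distribution, interfaces):
    """Expand a bucket list into the (hash, interface) rows 'sh ip cef ... internal' prints."""
    return [(h + 1, interfaces[p]) for h, p in enumerate(distribution)]


# Values from the post: R4 lists the R3 path (160.1.34.3, Serial1/0.34) first and the
# R2 path (160.1.24.2, Serial1/0.24) second.
PATH_BANDWIDTH_KBIT = [512, 1024]
PATH_INTERFACES = ["Serial1/0.34", "Serial1/0.24"]


def r4_distribution():
    """Bandwidths -> DMZ-Link weights -> bucket shares -> bucket order, as on R4."""
    weights = [dmz_link_bw_kbytes(b) for b in PATH_BANDWIDTH_KBIT]
    shares = bucket_shares(weights)
    return weights, shares, load_distribution(shares)


if __name__ == "__main__":
    weights, shares, dist = r4_distribution()
    print("DMZ-Link Bw (kbytes):", weights)
    print("buckets per path:", shares)
    print("Load distribution:", " ".join(map(str, dist)))
    for h, iface in hash_table(dist, PATH_INTERFACES):
        print(f"{h:>2} Y {iface} point2point")
```

Note that 16 buckets can only approximate the ratio: 1024:512 is exactly 2:1, but 11:5 is 2.2:1, so the R2 link carries slightly more than its bandwidth share. With more unequal links the rounding error grows, which is worth checking with sh ip cef ... internal before relying on the split.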

Thursday, April 24, 2008

[FreeBSD] Basic commands for pfctl

# basic pfctl control
# ==
# This document: http://www.rdrs.net/document/
# Related: http://www.OpenBSD.org
# Last update: Tue Dec 28, 2004
# ==
# Note:
# this document is only provided as a basic overview
# for some common pfctl commands and is by no means
# a replacement for the pfctl and pf manual pages.

#### General PFCTL Commands ####

# pfctl -d disable packet-filtering
# pfctl -e enable packet-filtering
# pfctl -q run quiet
# pfctl -v -v run even more verbose

#### Loading PF Rules ####
# pfctl -f /etc/pf.conf load /etc/pf.conf
# pfctl -n -f /etc/pf.conf parse /etc/pf.conf, but don't load it
# pfctl -R -f /etc/pf.conf load only the FILTER rules
# pfctl -N -f /etc/pf.conf load only the NAT rules
# pfctl -O -f /etc/pf.conf load only the OPTION rules

#### Clearing PF Rules & Counters ####
# pfctl -F all flush ALL
# pfctl -F rules flush only the RULES
# pfctl -F queue flush only queues
# pfctl -F nat flush only NAT
# pfctl -F info flush all stats that are not part of any rule.
# pfctl -z clear all counters
# note: flushing rules does not touch any existing stateful connections

#### Output PF Information ####
# pfctl -s rules show filter information
# pfctl -v -s rules show filter information for what FILTER rules hit.
# pfctl -vvsr show filter information as above and prepend rule numbers
# pfctl -v -s nat show NAT information, for which NAT rules hit.
# pfctl -s nat -i xl1 show NAT information for interface xl1
# pfctl -s queue show QUEUE information
# pfctl -s label show LABEL information
# pfctl -s state show contents of the STATE table
# pfctl -s info show statistics for state tables and packet normalization
# pfctl -s all show everything

#### Maintaining PF Tables ####
# pfctl -t addvhosts -T show show table addvhosts
# pfctl -vvsTables view global information about all tables
# pfctl -t addvhosts -T add 192.168.1.50 add entry to table addvhosts
# pfctl -t addvhosts -T add 192.168.1.0/16 add a network to table addvhosts
# pfctl -t addvhosts -T delete 192.168.1.0/16 delete network from table addvhosts
# pfctl -t addvhosts -T flush remove all entries from table addvhosts
# pfctl -t addvhosts -T kill delete table addvhosts entirely
# pfctl -t addvhosts -T replace -f /etc/addvhosts reload table addvhosts on the fly
# pfctl -t addvhosts -T test 192.168.1.40 find ip address 192.168.1.40 in table addvhosts
# pfctl -T load -f /etc/pf.conf load a new table definition
# pfctl -t addvhosts -T show -v output stats for each ip address in table addvhosts
# pfctl -t addvhosts -T zero reset all counters for table addvhosts

Friday, April 11, 2008

[Cisco] Configuring Cisco with tacacs+

An example of configuring a Cisco device with tacacs+ to authenticate and authorize the users who log in to the device.

aaa new-model
aaa authentication login default none
aaa authentication login AUTH_TACACS group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default none
aaa authorization exec AUTH_TACACS group tacacs+ local none
aaa authorization commands 1 AUTH_TACACS group tacacs+ local none
aaa authorization commands 15 AUTH_TACACS group tacacs+ local none
aaa accounting exec AUTH_TACACS start-stop group tacacs+
aaa accounting commands 1 AUTH_TACACS start-stop group tacacs+
aaa accounting commands 15 AUTH_TACACS start-stop group tacacs+

tacacs-server host 192.168.1.2
tacacs-server key TACACS_KEY

line vty 0 4
authorization commands 1 AUTH_TACACS
authorization commands 15 AUTH_TACACS
authorization exec AUTH_TACACS
login authentication AUTH_TACACS

!-----------------------------------------
! tac_plus.cfg

key = TACACS_KEY

default authentication = file /etc/passwd
accounting file = /var/log/tac_acc.log

user = $enab15$ {
login = cleartext "enable15"
}

######### GROUP DECLARATION #########

group = Administrator {
default service = permit

# example configuration for authorize commands
cmd = ping {
permit .*
}
cmd = reload {
deny .*
}
cmd = write {
deny .*
}
cmd = copy {
deny .*
}
cmd = show {
deny config
deny running
permit .*
}

cmd = ip {
deny "route 0.0.0.0 0.0.0.0"
permit .*
}
cmd = username {
deny .*
}
cmd = enable {
deny password
deny secret
permit .*
}

cmd = no {
deny "ip route 0.0.0.0 0.0.0.0"
deny "username .*"
deny "enable password .*"
deny "enable secret .*"
permit .*
}

}
user = kitti { service = exec { priv-lvl = 15 } member = Administrator }
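The tac_plus.cfg above decides, for every command the router sends up for authorization, whether an Administrator may run it. Reading that policy correctly matters more than writing it: "deny config" inside cmd = show also catches "show running-config" because the patterns are regex searches over the command's arguments, while a command with no cmd block at all falls through to default service = permit. The Python below is an added example (not part of the post or of tac_plus) that models those rules with the page's own group: the first word is the command, the remaining words are matched against each pattern in order, the first match wins, a command whose cmd block matches nothing is denied, and a command with no cmd block gets the default service. That reading of tac_plus's semantics is an assumption of this model; check it against the tac_plus users guide for your version before relying on it.

```python
import re

# Policy constructed from the 'group = Administrator' block in the post's tac_plus.cfg.
POLICY = {
    "default_service": "permit",
    "cmd": {
        "ping":     [("permit", r".*")],
        "reload":   [("deny", r".*")],
        "write":    [("deny", r".*")],
        "copy":     [("deny", r".*")],
        "show":     [("deny", r"config"), ("deny", r"running"), ("permit", r".*")],
        "ip":       [("deny", r"route 0.0.0.0 0.0.0.0"), ("permit", r".*")],
        "username": [("deny", r".*")],
        "enable":   [("deny", r"password"), ("deny", r"secret"), ("permit", r".*")],
        "no":       [("deny", r"ip route 0.0.0.0 0.0.0.0"),
                     ("deny", r"username .*"),
                     ("deny", r"enable password .*"),
                     ("deny", r"enable secret .*"),
                     ("permit", r".*")],
    },
}


def authorize(policy, command_line):
    """Return (verdict, reason) for one command line, following the model described
    in the lead-in: first word selects the cmd block, the rest is matched against each
    pattern in order with an unanchored regex search, and the first match wins."""
    words = command_line.split()
    if not words:
        return ("deny", "empty command")
    cmd, args = words[0], " ".join(words[1:])
    rules = policy["cmd"].get(cmd)
    if rules is None:
        return (policy["default_service"], f"no cmd block for '{cmd}': default service")
    for action, pattern in rules:
        if re.search(pattern, args):
            return (action, f"cmd = {cmd} {{ {action} {pattern} }}")
    return ("deny", f"cmd = {cmd}: no pattern matched")


def audit(policy, command_lines):
    """Authorize a batch of commands; returns a list of (command, verdict, reason)."""
    return [(c, *authorize(policy, c)) for c in command_lines]


# Constructed sample commands, the kind a router would send for command authorization.
SAMPLE_COMMANDS = [
    "show version",
    "show running-config",
    "show ip route",
    "ip route 0.0.0.0 0.0.0.0 192.168.1.254",
    "ip route 10.0.0.0 255.255.255.0 192.168.1.254",
    "no username kitti",
    "enable secret newsecret",
    "reload",
    "configure terminal",
    "ping 192.168.1.1",
]

if __name__ == "__main__":
    for command, verdict, reason in audit(POLICY, SAMPLE_COMMANDS):
        print(f"{verdict:6}  {command:45}  {reason}")
```

Two things the model makes visible: because the patterns are unanchored, "deny config" in the show block matches any argument string containing "config", so "show configuration" and "show running-config" are both denied while "show ip route" passes; and because only the commands listed get a cmd block, anything else (configure terminal included) is permitted by default service = permit, which is why the deny lists for no, username and enable are needed at all.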