Note:
When you specify an action that manipulates the route
characteristics, the changes occur in a copy of the source route.
The source route itself does not change. The effect of the action
is visible only after the route is imported into or exported from
the routing table. To view the source route before the routing policy
has been applied, use the show route receive-protocol command.
To view a route after an export policy has been applied, use the show route advertised-protocol command.
http://www.juniper.net/documentation/en_US/junos13.3/topics/usage-guidelines/policy-configuring-actions-in-routing-policy-terms.html
Tuesday, December 29, 2015
Tuesday, December 22, 2015
Junos alternative to "show ip cef"
Cisco style:
r3#sh ip cef 172.16.0.240
172.16.0.240/32
nexthop 10.43.0.1 GigabitEthernet0/1.43
Junos style:
eol@R2> show route forwarding-table detail matching 10.1.1.1
Routing table: default.inet
Internet:
Destination Type RtRef Next hop Type Index NhRef Netif
10.1.1.1/32 user 0 1.1.1.1 ucst 542 4 ge-0/0/0.0
Tuesday, November 10, 2015
Hacker-style NTP
# Set the clock from the Date: header of an HTTP response (stderr redirect is "2>&1", not "2 >&1")
date -s "$(wget -qSO- --max-redirect=0 google.com 2>&1 | grep Date: | cut -d' ' -f5-8)Z"
Also helps behind restrictive firewalls that block outgoing UDP/123. Note that the header arrives over plain HTTP, so anyone on the path can hand you whatever time they like.
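A slightly sturdier version of the same trick, as an added example that is not part of the original post: the header is fetched over HTTPS with redirects disabled, parsed tolerantly (leading whitespace, lower-case header name, CRLF), and the clock is only set when the value looks plausible. The default URL, the year floor and the reliance on wget plus GNU date are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: set the clock from an HTTP Date:
# header when outbound UDP/123 is blocked. The default URL, the year floor and
# the use of wget/GNU date are assumptions for illustration.

# Parse HTTP response headers on stdin and print the Date: header value in the
# form `date -s` accepts, e.g. "10 Nov 2015 12:00:00Z". Tolerates leading
# whitespace (wget -S indents headers), a lower-case header name and CRLF line
# endings. Prints nothing if there is no Date: header.
http_date_to_set_arg() {
    tr -d '\r' | awk 'tolower($1) == "date:" { printf "%s %s %s %sZ\n", $3, $4, $5, $6; exit }'
}

# Reject obviously bogus values: anything that is not four fields
# ("DD Mon YYYY HH:MM:SSZ") or whose year is before the floor. 2015 is the year
# of the original post and an assumed sanity bound; raise it for your own use.
# Returns 0 when the value is plausible.
plausible_http_date() {
    set -- $1           # word-split the value into positional fields
    [ $# -eq 4 ] || return 1
    case $3 in
        [0-9][0-9][0-9][0-9]) [ "$3" -ge 2015 ] ;;
        *) return 1 ;;
    esac
}

# Fetch headers over HTTPS with redirects disabled (a redirect could hand the
# request to a host you did not choose) and set the clock only if the value is
# plausible. Needs root. If the local clock is so far off that TLS certificate
# validation fails, wget prints no headers and this function refuses to act;
# falling back to plain HTTP or --no-check-certificate puts you back to
# trusting an unauthenticated header, so make that decision consciously.
# usage: set_clock_from_http [url]
set_clock_from_http() {
    url=${1:-https://www.google.com/}
    hdr_date=$(wget -qS -O /dev/null --max-redirect=0 "$url" 2>&1 | http_date_to_set_arg)
    if ! plausible_http_date "$hdr_date"; then
        echo "implausible or missing Date: header from $url" >&2
        return 1
    fi
    echo "setting clock to $hdr_date" >&2
    date -u -s "$hdr_date"
}
```

The parser and the plausibility check are separate functions so they can be exercised offline; the fetch itself is left to the caller.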
Tuesday, October 06, 2015
Tuesday, September 15, 2015
Cisco ZBFW (cisco 2921) and NAT Port-Forward
Requirement: NAT based Port-Forwarding through configured Zone-Based Firewall
The most important thing:
Matching and allowing the specific traffic (e.g. from and to the "DMZ" host) in BOTH directions (INTERNET -> INSIDE and INSIDE -> INTERNET) is a MUST. "pass" in a ZBFW policy is stateless and creates no session, so the return flow is never permitted implicitly; each direction needs its own class-map match.
For a more readable config and for counting purposes I use separate class-maps:
class-map type inspect match-all CM-INSIDE-INTERNET
match access-group name ACL-INSIDE-INTERNET
class-map type inspect match-all CM-INTERNET-INSIDE
match access-group name ACL-INTERNET-INSIDE
policy-map type inspect PM-INSIDE-INTERNET
class type inspect CM-OLD-RULES
inspect
class type inspect CM-INSIDE-INTERNET
inspect
class class-default
drop
policy-map type inspect PM-INTERNET-INSIDE
class type inspect CM-OLD-RULES
pass
class type inspect CM-INTERNET-INSIDE
pass
class class-default
drop
ip nat inside source static tcp PRI.VA.TE.IP 80 P.UB.LIC.IP 80 extendable
ip access-list extended ACL-INSIDE-INTERNET
permit tcp host PRI.VA.TE.IP eq www any
ip access-list extended ACL-INTERNET-INSIDE
permit tcp any host PRI.VA.TE.IP eq www
Thursday, September 10, 2015
Juniper SSG as a BGP speaker
First of all: it's a real-time OS, so changes are applied immediately (sometimes :)).
set neighbor 172.16.1.2 remote-as 2222 local-ip 172.16.1.1/30 outgoing-interface ethernet0/3
set neighbor 172.16.1.2 enable
set ipv4 neighbor 172.16.1.2 activate
set ipv4 neighbor 172.16.1.2 advertise-def-route #To advertise the default route.
set ipv4 neighbor 172.16.1.2 route-map "advertise-out" out # Route map applied to the neighbor.
set ipv4 neighbor 172.16.1.2 route-map "receive-in" in
set ipv4 network 172.16.10.0/24
set ipv4 network 10.10.10.0/24 no-check # Routes advertised to other peers.
set ipv4 network 10.10.20.0/24 # Routes advertised to other peers.
### By default, the route will only be advertised to the other BGP peers when the network is reachable (either via a static route or via IGP).
### You can turn off this by adding the no-check attribute to the network that needs to be advertised
exit
set access-list 10 # ACL to block the routes for single peer.
set access-list 10 deny ip 10.10.0.0/16 10 # Deny = subnets not to be advertised. Permit = subnets allowed to be advertised.
set access-list 10 permit ip 0.0.0.0/0 20 # N.B. There is a significant difference between and 0.0.0.0/0 which means
set access-list 110 # In this case we'll advertise to 172.16.1.2 only 10.10.10.0/24 and 172.16.10.0/24
set access-list 110 permit ip 10.10.10.0/24 10 # but not 10.10.20.0/24 (a /16 here would match that subnet too)
set access-list 110 permit ip 172.16.10.0/24 20
set route-map name "advertise-out" permit 10
set match ip 10
set route-map name "receive-in" permit 10
set match ip 110
exit
save config
Some useful commands:
Show routing table:
get routes
get vr trust-vr route
BGP peers and their states
get vrouter trust-vr proto bgp neighbor
Detailed info about a particular BGP peer:
get vrouter trust-vr proto bgp neighbor 172.16.1.2
Learned routes from BGP peers
get vr trust-vr protocol bgp rib-in
BGP config for particular virtual router
get vr trust-vr proto bgp config
The following commands are not reachable via auto-completion (TAB or SPACE); they must be typed or copy/pasted as is:
debug bgp all (debug bgp ?)
debug tcp all
debug flow basic
Read debug output:
get dbuf stream
Clear debug log/info file:
clear dbuf
Sometimes life-saving:
unset vrouter trust-vr proto bgp synchronization
set vrouter trust-vr proto bgp enable
exec vrouter trust-vr proto bgp neighbor 172.16.1.2 disconnect
exec vrouter trust-vr proto bgp neighbor 172.16.1.2 connect
BGP soft-clear
clear vrouter trust-vr protocol bgp neighbor 172.16.1.2 soft-in
clear vrouter trust-vr protocol bgp neighbor 172.16.1.2 soft-out
Monday, August 03, 2015
Windows 8.1 MS Active Directory Biometric logon
After joining the computer to the MS Active Directory domain, when trying to log in with properly configured and enrolled fingerprints I receive an error message:
- You can't sign in to a domain account using a fingerprint on this PC. Contact your system administrator
1. Remove any fingerprints
2. Win+X -> Command Prompt (Admin)
3. admin_cmd -> GPEDIT.msc -> Computer Configuration -> Administrative Templates -> Windows Components -> Biometrics -> "Allow domain users to log on using biometrics" = Enabled (default setting = Disabled)
4. gpupdate /force
5. Enroll the fingers again
6. Reboot
Thursday, July 30, 2015
Juniper EX4200
From EX4200 datasheet
Packet Switching Capacities
• 48P/48T: 136 Gbps
• 24F: 88 Gbps
• 24P/24T: 88 Gbps
Aggregate Switch Capacities
• 24P/24T/24F: 216 Gbps
• 48P/48T: 264 Gbps
The difference between the switching capacity and throughput is what they are measured in -> the capacity is in Gbps (gigabits per second) whereas the throughput is in Mpps (Megapackets per second).
48 x 1 Gbps -- 48 Gbps (48 x 1 Gbps ports)
2 x 10 Gbps -- + 20 Gbps (2 x 10 Gbps ports)
---------
= 68 Gbps (total switching half duplex)
x 2 (because switches are full duplex)
---------
= 136 Gbps (total revenue switching capacity)
+ 128 Gbps (backplane bandwidth for VC)
----------
= 264 Gbps Total "switching" capacity per switch