Understanding the Bond Modes
Bond Mode 0 – Balance-rr
This method of NIC teaming is called 'round-robin', hence the 'rr' in the name. With this bond method, network packets are rotated through each of the network interface cards that make up the bonded interface.
For example, take a system with eth0, eth1, and eth2 all slaved to a bond0 interface. With bond mode 0 enabled, this interface would send the first packet out eth0, the second packet out eth1, the third packet out eth2, and then start over at eth0 with the fourth packet. This is where the mode gets its 'round-robin' name.
Bond Mode 1 – Active-Backup
With this bond method, only one network interface is active while the other interfaces in the bond simply wait for a failure in the link to the primary network interface card.
Bond Mode 2 – Balance XOR
In balance-XOR mode the bond evaluates the source and destination MAC addresses to determine which interface to send network packets out of. This method always picks the same interface for a given MAC address pair, and as a result it provides both load balancing and fault tolerance.
Bond Mode 3 – Broadcast
In this mode the bond device transmits data out of all slave interfaces, hence the 'broadcast' name of this particular bonding method. There are very few uses for this mode, but it does provide a level of fault tolerance.
Bond Mode 4 – 802.3ad
This is a special bond mode for link aggregation and requires matching configuration on the switch to which the bonded interface connects. It follows the IEEE 802.3ad (LACP) standard for link aggregation and provides both fault tolerance and increased bandwidth.
Bond Mode 5 – Transmit Load Balancing
In TLB the bond receives traffic on the slave interfaces as normal, but when the system needs to send traffic it picks the interface with the lowest current load/queue to transmit on.
Bond Mode 6 – Adaptive Load Balancing
In ALB the bond load balances similarly to bond mode 5, with the added ability to balance received traffic as well.
Debian setup:
apt-get install ifenslave
cat /etc/network/interfaces
auto bond0
iface bond0 inet static
address 10.0.0.80
gateway 10.0.0.1
broadcast 10.0.0.255
netmask 255.255.255.0
up /sbin/ifenslave bond0 eth0 eth1
down /sbin/ifenslave -d bond0 eth0 eth1
OR:
cat /etc/network/interfaces
auto eth0
iface eth0 inet manual
bond-master bond0
auto eth1
iface eth1 inet manual
bond-master bond0
auto bond0
iface bond0 inet static
address 10.0.0.80
gateway 10.0.0.1
netmask 255.255.255.0
bond-mode 802.3ad
bond-miimon 100
bond-lacp-rate fast
bond-slaves none
Cisco setup:
interface Port-channel2
description LACP Channel for mk2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/0/23
description mk2 eth0
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 2 mode active
!
interface GigabitEthernet1/0/24
description mk2 eth1
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 2 mode active
Checking the Status of the bonded LACP interface
$ cat /proc/net/bonding/bond0
Ethernet Channel Bonding Driver: v3.1.1 (September 26, 2006)
Bonding Mode: IEEE 802.3ad Dynamic link aggregation
Transmit Hash Policy: layer2 (0)
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0
802.3ad info
LACP rate: fast
Active Aggregator Info:
Aggregator ID: 1
Number of ports: 2
Actor Key: 17
Partner Key: 1
Partner Mac Address: 00:77:66:55:44:33
Slave Interface: eth0
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:99:98:97:96:95
Aggregator ID: 1
Slave Interface: eth1
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:88:87:86:85:84
Aggregator ID: 1
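Reading /proc/net/bonding/bond0 by eye works for one box; the following added example (my own code, not part of the original post) parses that same text and flags the LACP problems that leave the bond "up" while only part of the link is usable: a slave that joined a different aggregator than the active one, a link that is down or flapping, or no LACP partner on the switch side. The sample text is constructed to match the output shown above.

```python
import re

# Constructed sample, shaped like the /proc/net/bonding/bond0 output above.
HEALTHY = """\
Ethernet Channel Bonding Driver: v3.1.1 (September 26, 2006)
Bonding Mode: IEEE 802.3ad Dynamic link aggregation
Transmit Hash Policy: layer2 (0)
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0

802.3ad info
LACP rate: fast
Active Aggregator Info:
\tAggregator ID: 1
\tNumber of ports: 2
\tActor Key: 17
\tPartner Key: 1
\tPartner Mac Address: 00:77:66:55:44:33

Slave Interface: eth0
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:99:98:97:96:95
Aggregator ID: 1

Slave Interface: eth1
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:88:87:86:85:84
Aggregator ID: 1
"""

# Constructed degraded variant: eth1 landed in its own aggregator (typical of a
# mis-cabled port or a switch port missing from the channel-group), so the
# bond still reports "up" but only one port carries traffic.
DEGRADED = HEALTHY.replace("Number of ports: 2", "Number of ports: 1").replace(
    "00:88:87:86:85:84\nAggregator ID: 1", "00:88:87:86:85:84\nAggregator ID: 2")


def parse_bond_status(text):
    """Split the proc file into a master dict and one dict per slave."""
    master, slaves, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue  # blank lines and the "802.3ad info" banner
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "Slave Interface":
            current = {"name": value}
            slaves.append(current)
        elif current is None:
            master[key] = value  # everything before the first slave block
        else:
            current[key] = value
    return master, slaves


def check_lacp(master, slaves, expected_slaves=2):
    """Return a list of problems; an empty list means the LAG is healthy."""
    problems = []
    if "802.3ad" not in master.get("Bonding Mode", ""):
        problems.append("bond is not in 802.3ad mode")
    if master.get("MII Status") != "up":
        problems.append("bond MII status is %s" % master.get("MII Status"))
    # While no LACPDUs arrive (switch port not in an active/passive
    # channel-group) the kernel typically reports an all-zero partner MAC.
    if master.get("Partner Mac Address", "00:00:00:00:00:00") == "00:00:00:00:00:00":
        problems.append("no LACP partner seen on the switch side")
    if len(slaves) != expected_slaves:
        problems.append("%d slave(s) present, expected %d" % (len(slaves), expected_slaves))
    ports = master.get("Number of ports")
    if ports is not None and int(ports) != len(slaves):
        problems.append("active aggregator has %s port(s) for %d slave(s)" % (ports, len(slaves)))
    active = master.get("Aggregator ID")
    for s in slaves:
        if s.get("MII Status") != "up":
            problems.append("%s link is down" % s["name"])
        if s.get("Aggregator ID") != active:
            problems.append("%s is in aggregator %s, active aggregator is %s"
                            % (s["name"], s.get("Aggregator ID"), active))
        if s.get("Link Failure Count", "0") != "0":
            problems.append("%s has flapped %s time(s)" % (s["name"], s["Link Failure Count"]))
    return problems


if __name__ == "__main__":
    for label, text in (("healthy", HEALTHY), ("degraded", DEGRADED)):
        master, slaves = parse_bond_status(text)
        print(label, check_lacp(master, slaves) or "OK")
```

On a real host replace the constants with `open("/proc/net/bonding/bond0").read()` and run it from cron or a monitoring agent.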
Saturday, July 01, 2017
Friday, May 19, 2017
Junos Space password recovery.
Junos Space Network Management Platform, version 16.1R1.7 - trial version; virtual (ESX) appliance.
Installed following the Juniper manual; after the install I forgot about it for a while and a week later I came back to it, but ... I didn't remember any of the passwords... so it was password change time.
[most of these are from the official Juniper KB]
I. Reset the admin user password (CLI user; local user of the CentOS on top of which OpenNMS lives)
1. reboot
2. Press "e" on GRUB boot
2.1. if GRUB has a password, try the default one: root/abc123
3. Append init=/bin/bash at the end of the kernel line.
Remove console=ttys0,9600n8 (or any other console entries)
4. ESC to exit + "b" to boot
5. in bash, remount the root filesystem read/write: mount -n -o remount,rw /
6. passwd admin (the admin user can log in via SSH)
Try chage -l admin and, if necessary, chage admin or chage -E "Jul 19, 2027" admin
7. init 0
II. Changing the "super" password - user super is the default user for the web interface
1. ssh admin@IP.Of.Junos.Space
2. mysql -u jboss -pnetscreen build_db
3. mysql> update USER set password="ok89Nva6qHxytSHsP8AeLg==" where name="super";
This resets the "super" password back to the default of juniper123
4. mysql> update USER set expiryDate="2027-07-19 16:27:45" where name="super";
A hack in response to: "Your password has expired. Please contact your administrator." when trying to log into the web UI with super/juniper123
III. Changing the maintenance-mode password
1. ssh admin@IP.Of.Junos.Space
2. htpasswd -sb /var/www/maintenance/maintPW maintenance password
Thursday, May 11, 2017
MS Exchange 2010 create shared mailbox
via PowerShell, because the EMC GUI lacks these click-objects
New-Mailbox -Name support -Alias support -OrganizationalUnit "eol.internal/Support Training" -Database "1StGroup" -UserPrincipalName support@eols.info -Shared
Add-MailboxPermission support -User "eol.internal/Users/Regular User 1" -AccessRights FullAccess
Add-ADPermission support -User "eol.internal/Users/Regular User 1" -ExtendedRights Send-As
We've created the support@eols.info mailbox and assigned FullAccess and Send-As permissions to the AD user "Regular User 1".
Tuesday, April 25, 2017
SRX static DNS/host
I. Modify the /etc/hosts file:
root@SRX> start shell
root@SRX% vi /etc/hosts
(press i, add the line "1.2.3.4 alabala", then :wq)
root@SRX> ping alabala
PING alabala (1.2.3.4): 56 data bytes
II. SRX static-host-mapping (configuration mode; the hostname comes before inet/alias)
root@SRX# set system static-host-mapping alabala inet 1.2.3.4
root@SRX# set system static-host-mapping alabala alias alabala
root@SRX# commit
root@SRX> ping alabala
PING alabala (1.2.3.4): 56 data bytes
64 bytes from 1.2.3.4: icmp_seq=0 ttl=57 time=31.675 ms
64 bytes from 1.2.3.4: icmp_seq=1 ttl=57 time=31.133 ms
64 bytes from 1.2.3.4: icmp_seq=2 ttl=57 time=31.152 ms
Tuesday, February 28, 2017
FTP service behind Firewall/NAT
Running an FTP service behind a firewall/NAT box is a bit tricky because of the specifics of the FTP protocol.
Normally an FTP client initiates a session to a server by opening a "command channel" connection to TCP port 21 (where the authentication and authorization magic happens). After that the client requests a file transfer by sending a PORT command to the server. The server then attempts to initiate a "data channel" connection back to the client, using TCP port 20. The FTP client's firewall sees this data-channel connection request from the server as unsolicited and drops the packets, causing the file transfer to fail or the listing of remote folders/files to hang, for example. Some firewalls are smart enough to inspect this type of traffic and allow the corresponding data-channel connections, but that is not going to happen if we use FTP over SSL/TLS, since the firewall cannot read the encrypted command channel.
To avoid this issue, FTP also supports a "passive" mode of operation in which the client initiates the data channel connection. Instead of using the PORT command, the client sends a PASV command on the command channel. The server responds with the TCP port number to which the client should connect to establish the data channel. These TCP port numbers come from the higher range, tcp 1024 - 65535. So what happens when the FTP server resides behind a firewall/NAT box?
The FTP client initiates a connection to the FTP server on tcp/21 and sends the PASV command; the FTP server responds with a port from its passive port range (5000-5500 for example); the FTP client tries to initiate a data connection to that new port, and ... fails ... because the firewall/NAT box on the FTP server's side cannot find matching rules/sessions/flows for this kind of traffic. Once again - some smart firewalls use technology like traffic inspection (Cisco ASA), application layer gateways (Juniper SSG/SRX), NAT/protocol helpers (Linux) etc., but these differ from version to version and very often just don't work as expected.
So the best practice is to configure the passive port range manually and create the corresponding firewall/port-forwarding rules.
Example for MS IIS 7.5
IIS Manager - Connections - select the server-level node - FTP Firewall Support (in the right panel) -
Data Channel Port Range & External IP Address of Firewall - Apply
Entering the External IP Address is highly recommended (at server level or per FTP site) to avoid errors like "ftp server sent unroutable address": without it, the FTP server responds with its private IP address in the protocol payload and stuns the FTP client.
net stop "Microsoft FTP Service" && net start "Microsoft FTP Service"
Pure-FTPd
in pure-ftpd.conf file:
PassivePortRange 5000 5500
ForcePassiveIP P.UB.LIC.IP
ProFTPd
PassivePorts 5000 5500
MasqueradeAddress P.UB.LIC.IP
Enable "smart firewall" feature
CiscoASA9.1(config)# policy-map global_policy
CiscoASA9.1(config-pmap)# class inspection_default
CiscoASA9.1(config-pmap-c)# inspect ftp
CiscoASA9.1(config-pmap-c)# end
Juniper SRX :
set security alg ftp ?
allow-mismatch-ip-address Pass FTP packets with mismatched ip address headers and payload
disable Disable FTP ALG
ftps-extension Enable secure FTP and FTP-ssl protocols
line-break-extension Enable CR+LF line termination
Mikrotik RouterOS 6.38.1
ip firewall service-port set ftp ports=21
Linux kernel 2.4.x and above
modprobe ip_conntrack
modprobe ip_conntrack_ftp
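The whole problem above lives in one protocol message, the server's "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply. The following added example (my own code, not from the original post) parses that reply, applies the checks a client or an inspecting firewall makes (advertised address matches the control connection peer, port inside the forwarded 5000-5500 range), builds the reply a correctly configured server should send, and shows the fallback many clients use when the server leaks its private address. 203.0.113.5 is a constructed documentation address.

```python
import ipaddress
import re

# Passive range configured on the FTP server and forwarded by the firewall,
# as in the examples above (5000-5500).
PASSIVE_RANGE = (5000, 5500)

PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Return (ip, port) advertised in a '227 Entering Passive Mode' reply,
    or None when the line is not a well-formed 227 reply."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    h1, h2, h3, h4, p1, p2 = octets
    return ("%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2)


def make_pasv_reply(ip, port):
    """Build the 227 reply a correctly configured server sends: the external
    address and a port from the forwarded range (this is what IIS's External
    IP Address, ForcePassiveIP and MasqueradeAddress make the server do)."""
    return "227 Entering Passive Mode (%s,%d,%d)" % (
        ",".join(ip.split(".")), port // 256, port % 256)


def check_pasv(reply, control_peer, passive_range=PASSIVE_RANGE):
    """Classify a PASV reply received over a control connection to control_peer.

    Returns (status, ip, port) with status one of:
      'ok'           address matches the control peer, port in the forwarded range
      'mismatch'     advertised address differs from the control peer; with a
                     private address clients report "ftp server sent unroutable
                     address" (the SRX ALG option allow-mismatch-ip-address
                     exists for exactly this case)
      'out-of-range' port the firewall does not forward, so the data
                     connection will time out
      'invalid'      not a 227 reply or malformed
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return ("invalid", None, None)
    ip, port = parsed
    if ipaddress.ip_address(ip) != ipaddress.ip_address(control_peer):
        return ("mismatch", ip, port)
    if not passive_range[0] <= port <= passive_range[1]:
        return ("out-of-range", ip, port)
    return ("ok", ip, port)


def data_endpoint(reply, control_peer, passive_range=PASSIVE_RANGE):
    """Client-side fallback many clients apply: if the server advertised a
    private address, ignore it and reuse the control peer's address.
    Returns (ip, port) to connect to, or None when the transfer cannot work."""
    status, ip, port = check_pasv(reply, control_peer, passive_range)
    if status == "ok":
        return (ip, port)
    if (status == "mismatch" and ipaddress.ip_address(ip).is_private
            and passive_range[0] <= port <= passive_range[1]):
        return (control_peer, port)
    return None


if __name__ == "__main__":
    leaked = "227 Entering Passive Mode (192,168,1,10,19,136)"   # constructed
    print(check_pasv(leaked, "203.0.113.5"))      # ('mismatch', '192.168.1.10', 5000)
    print(data_endpoint(leaked, "203.0.113.5"))   # ('203.0.113.5', 5000)
    print(make_pasv_reply("203.0.113.5", 5500))   # what the server should have sent
```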
Saturday, May 14, 2016
Cisco router kill process / CPU usage
#sh processes cpu sorted
CPU utilization for five seconds: 23%/18%; one minute: 32%; five minutes: 24%
 PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
   6      194104     15849  12247  0.71%  0.13%  0.11%   0 Check heaps
 462       84320  16610343      5  0.63%  0.73%  0.72%   0 IP SLAs XOS Even
 133      284112   1036875    274  0.55%  0.59%  0.59%   0 IP Input
  14      114864     72937   1574  0.47%  0.08%  0.06%   0 Environmental mo
 140       33536   8685941      3  0.31%  0.26%  0.24%   0 Ethernet Msec Ti
  32      206432   1042208    198  0.31%  0.28%  0.26%   0 ARP Input
   3      173276    373836    463  0.23%  0.20%  0.21%   0 Skinny Msg Serve
This is an example of the header of the show processes cpu command:
CPU utilization for five seconds: X%/Y%; one minute: Z%; five minutes: W%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
This table describes the fields in the header:
Field     Description
X         Average total utilization during the last five seconds (interrupts + processes)
Y         Average utilization due to interrupts during the last five seconds
Z         Average total utilization during the last minute
W         Average total utilization during the last five minutes
PID       Process ID
Runtime   CPU time the process has used (in milliseconds)
Invoked   Number of times the process has been called
uSecs     Microseconds of CPU time for each invocation
5Sec      CPU utilization by task in the last five seconds
1Min      CPU utilization by task in the last minute
5Min      CPU utilization by task in the last five minutes
TTY       Terminal that controls the process
Process   Name of the process
To kill a process:
#clear sockets 6
Sometimes this does not work as expected; sometimes you need to stop the "main process", for example: no router ospf
and sometimes you just need to reboot the router
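Before killing anything it is worth reading the header: a high Y (interrupt) share means the CPU is busy switching packets, which a traffic flood or a routing loop causes and no process kill will fix. The following added example (my own code, not from the original post) parses the show processes cpu output shown above into the fields of the table and returns those two findings; the sample text is constructed to match the output above.

```python
import re

HEADER_RE = re.compile(
    r"CPU utilization for five seconds: (\d+)%/(\d+)%; "
    r"one minute: (\d+)%; five minutes: (\d+)%")
# PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process (name may contain spaces)
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+"
    r"([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%\s+(\S+)\s+(.*?)\s*$")

# Constructed sample, shaped like the "show processes cpu sorted" output above.
SAMPLE = """\
CPU utilization for five seconds: 23%/18%; one minute: 32%; five minutes: 24%
 PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
   6      194104     15849  12247  0.71%  0.13%  0.11%   0 Check heaps
 462       84320  16610343      5  0.63%  0.73%  0.72%   0 IP SLAs XOS Even
 133      284112   1036875    274  0.55%  0.59%  0.59%   0 IP Input
  14      114864     72937   1574  0.47%  0.08%  0.06%   0 Environmental mo
"""


def parse_show_processes_cpu(text):
    """Return (summary, rows): summary holds X/Y/Z/W from the header line,
    rows hold one dict per process line, keyed like the table columns."""
    summary, rows = None, []
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            x, y, z, w = (int(v) for v in m.groups())
            summary = {"total_5s": x, "interrupt_5s": y,
                       "total_1m": z, "total_5m": w}
            continue
        m = ROW_RE.match(line)
        if m:
            pid, runtime, invoked, usecs, p5s, p1m, p5m, tty, name = m.groups()
            rows.append({"pid": int(pid), "runtime_ms": int(runtime),
                         "invoked": int(invoked), "usecs": int(usecs),
                         "pct_5s": float(p5s), "pct_1m": float(p1m),
                         "pct_5m": float(p5m), "tty": tty, "name": name})
    return summary, rows


def assess(summary, rows, interrupt_share=0.7, proc_pct=10.0):
    """Findings to act on before reaching for 'clear sockets' or a reboot:
    interrupt-dominated load points at traffic, a single hot process points
    at that process (e.g. its routing protocol)."""
    findings = []
    x, y = summary["total_5s"], summary["interrupt_5s"]
    if x and y / x >= interrupt_share:
        findings.append("%d%% of the %d%% five-second load is interrupt-driven "
                        "(packet switching), not process work" % (y, x))
    for r in rows:
        if r["pct_5s"] >= proc_pct:
            findings.append("process %d '%s' uses %.2f%% over five seconds"
                            % (r["pid"], r["name"], r["pct_5s"]))
    return findings


if __name__ == "__main__":
    summary, rows = parse_show_processes_cpu(SAMPLE)
    for f in assess(summary, rows):
        print(f)
```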
Friday, April 22, 2016
BGP to Juniper J6350
BGP session between ISP and J6350
After some time I started receiving syslog messages like:
Apr 20 14:14:32 R1 rpd[1210]: bgp_read_v4_update:9697: NOTIFICATION sent to 10.43.0.111 (Internal AS 65432): code 3 (Update Message Error) subcode 1 (invalid attribute list)
Apr 20 14:14:32 R1 rpd[1210]: RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer 10.43.0.111 (Internal AS 65432) changed state from Established to Idle (event RecvUpdate)
The Juniper is unable to handle some kind of BGP update packet and restarts the session. The workaround (on a colleague's advice) was to apply a metric in the outbound direction (from the ISP's point of view).
So after the ISP applied something like:
show configuration | display set | match adv.to-r1
set protocols bgp group br1 neighbor 10.43.0.99 export adv.to-r1
set policy-options policy-statement adv.to-r1 then metric 1000
set policy-options policy-statement adv.to-r1 then next-hop self (accept/next policy/etc)
the BGP flaps were gone and everything works as expected
Monday, April 18, 2016
Junos AUX 2 Console
JunOS permits using the AUX port to connect to another device's console.
You must use a rollover cable to connect the JunOS device and the other one.
Solution 1 : locally
Within the shell, type
% /usr/libexec/interposer
You will now be connected to the auxiliary port, i.e. to the console of the device attached to the AUX port.
Press CTRL-^ to disconnect.
Solution 2 : remotely
You can configure reverse telnet or reverse SSH to connect to the AUX port :
user@host# set system services reverse telnet
user@host# set system services reverse ssh
default port for reverse-telnet : tcp/2900
default port for reverse-ssh: tcp/2901
N.B.
Solution 2 somehow doesn't work on the J4300
Sunday, April 17, 2016
Sentence
A man doesn't eat like a pig; he suffers from reverse bulimia.
A man isn't dumb; he suffers from minimal cranial development.
A man doesn't wander around; he discovers alternative directions.
A man isn't dishonest; he is morally disoriented.
A man isn't short; he is anatomically compact.
A man isn't lazy; he has impaired energy levels.
A man isn't bald; he suffers from follicular regression.
A man isn't a pedophile; he prefers intergenerational relationships.
A man isn't impotent; he is reproductively unfit.
A man doesn't fart or burp; he is gastronomically expressive.
A man isn't a grouch; he is a verbal minimalist.
A man doesn't fall under the table from overindulging; he accidentally horizontalizes himself.
A man doesn't act like an ass; he develops a state of recto-cranial inversion.
A man doesn't have dirty thoughts; he experiences introspective pornographic moments.
A man doesn't sleep around; he is monogamously unfit.
A man isn't an oddball; he is behaviorally different.
A man doesn't snore; he is nasally repetitive.
A man isn't ignorant; he is unburdened by facts.
A woman isn't old; she is chronologically gifted.
A woman isn't fat; she is gravitationally enhanced.
A woman isn't a bad cook; she is microwave compatible.
A woman isn't easy; she is horizontally accessible.
A woman doesn't have a rich daddy; she is a recipient of parental asset infusions.
A woman isn't a bleached blonde; she is peroxide dependent.
A woman doesn't get drunk; she develops verbal dyslexia.
A woman isn't a bad driver; she is automotively unfit.
A woman isn't gaining weight; she is metabolically burdened.
A woman isn't frigid; she is thermally incompatible.
A woman isn't dumb; she is an exit ramp off the information superhighway.
A woman doesn't suffer from premenstrual syndrome; she becomes hormonally aggressive.
A woman doesn't have a killer body; she is terminally attractive.
A woman doesn't have a moustache; she has kept in touch with her masculine side.
A woman doesn't wear too much makeup; she is cosmetically saturated.
A woman isn't scrawny; she is skeletally prominent.
A woman doesn't have sexy lips; she is collagen dependent.
A woman isn't dishevelled; she suffers from rebellious follicle syndrome.
A woman isn't into soap operas; she suffers from melodramatic fixation.
A woman doesn't sunbathe; she undergoes solar enhancement.
A woman doesn't hate sports on TV; she suffers from athletic prejudice.
A woman isn't a shopaholic; she is overly susceptible to marketing strategies.
A woman isn't a prostitute; she is a human-relations specialist.
A woman isn't a housewife; she is a domestic engineer.
A woman wasn't loose; she was, until recently, a beloved companion.
A teenager's room isn't messy; it is merely difficult to walk through.
A teenager's homework isn't missing; it is absent from the notebook.
Add existing VM to VMware Workstation
Product: VMware® Workstation
Version: 11.1.2 build-2780323
Adding a new VM (exported from or copied from another Workstation) is done ... by double-clicking the *.vmx file or via File - Open - VM.vmx, and it then shows up in the inventory.
Thursday, March 24, 2016
Back to the roots
[16:48:00] Sis: I slightly doubt the trick will work... but it's worth a try.
[16:48:11] Sis: now my problem is I don't know how to get hold of an elephant
[16:48:20] Sis: a baby elephant, that is
[16:48:36] Sis: they're small and inconspicuous
[16:48:43] Sis: it'll live just fine on the 4th floor
[16:48:49] Blackadder: well, you find a mommy elephant and a daddy elephant, play them some romantic music and wait 12 months :D
[16:50:32] Sis: in 21 months it'll go the usual route - first a dog, then a pony...
[16:52:15] Sis: one day he'll just come home and find some little Karakachan or Caucasian shepherd trotting down the hallway...
[16:52:52] Blackadder: better an elephant, it can graze quietly behind the block, do you know how much those eat
[16:53:49] Blackadder: why don't you get yourself a Samo-fuck, they're sooo fluffy :D
[16:54:00] Sis: (rofl)
[16:54:04] Eol: hahaha
[16:54:14] Eol: what a breed, damn
[16:54:48] Blackadder: contrary to its name it doesn't only fuck, now and then it also eats and shits
It had been a long time since I'd touched the old-school IRC atmosphere!
Friday, January 29, 2016
Mikrotik (but not only) DHCP assign /32 to clients
To mitigate ARP spoofing on shared-media access networks (Ethernet LAN/WiFi/etc.), hand out a /32 netmask: clients then have no on-link neighbours to ARP for and send everything via the gateway.
/ip dhcp-server network
add address=10.5.5.0/28 comment="hotspot network" dns-server=10.5.5.1 gateway=\
10.5.5.1 netmask=32
Result:
C:\Windows\system32>arp -a | findstr "10.5.5"
Interface: 10.5.5.8 --- 0x3
10.5.5.1 4e-5e-0c-78-f3-07 dynamic
C:\Windows\system32>ping 10.5.5.6 -n 1
Pinging 10.5.5.6 with 32 bytes of data:
Reply from 10.5.5.6: bytes=32 time=349ms TTL=63
Ping statistics for 10.5.5.6:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss)
Sunday, January 17, 2016
Crisis of the soul
"A crisis of the soul is when you no longer WANT things the way they ARE... and you don't yet know for sure how you DO want them..."
Tuesday, December 29, 2015
Junos route policy
Note:
When you specify an action that manipulates the route characteristics, the changes occur in a copy of the source route. The source route itself does not change. The effect of the action is visible only after the route is imported into or exported from the routing table. To view the source route before the routing policy has been applied, use the show route receive-protocol command. To view a route after an export policy has been applied, use the show route advertised-protocol command.
http://www.juniper.net/documentation/en_US/junos13.3/topics/usage-guidelines/policy-configuring-actions-in-routing-policy-terms.html
Tuesday, December 22, 2015
Junos alternative show ip cef
Cisco style:
r3#sh ip cef 172.16.0.240
172.16.0.240/32
nexthop 10.43.0.1 GigabitEthernet0/1.43
Junos style:
eol@R2> show route forwarding-table detail matching 10.1.1.1
Routing table: default.inet
Internet:
Destination Type RtRef Next hop Type Index NhRef Netif
10.1.1.1/32 user 0 1.1.1.1 ucst 542 4 ge-0/0/0.0
Tuesday, November 10, 2015
Hacker-style NTP
date -s "$(wget -qSO- --max-redirect=0 google.com 2>&1 | grep Date: | cut -d' ' -f5-8)Z"
Also helps with restrictive firewalls that block outgoing UDP/123
Tuesday, October 06, 2015
Tuesday, September 15, 2015
Cisco ZBFW (cisco 2921) and NAT Port-Forward
Requirement: NAT-based port forwarding through a configured zone-based firewall
The most important thing:
Matching and allowing the specific traffic (e.g. from and to the "DMZ") for both flows (INTERNET->INSIDE and INSIDE->INTERNET) is a MUST!
For a more readable config and for counting purposes I've used separate class-maps
class-map type inspect match-all CM-INSIDE-INTERNET
 match access-group name ACL-INSIDE-INTERNET
class-map type inspect match-all CM-INTERNET-INSIDE
 match access-group name ACL-INTERNET-INSIDE
policy-map type inspect PM-INSIDE-INTERNET
 class type inspect CM-OLD-RULES
  inspect
 class type inspect CM-INSIDE-INTERNET
  inspect
 class class-default
  drop
policy-map type inspect PM-INTERNET-INSIDE
 class type inspect CM-OLD-RULES
  pass
 class type inspect CM-INTERNET-INSIDE
  pass
 class class-default
  drop
ip nat inside source static tcp PRI.VA.TE.IP 80 P.UB.LIC.IP 80 extendable
ip access-list extended ACL-INSIDE-INTERNET
 permit tcp host PRI.VA.TE.IP eq www any
ip access-list extended ACL-INTERNET-INSIDE
 permit tcp any host PRI.VA.TE.IP eq www
Thursday, September 10, 2015
Juniper SSG as a BGP speaker
First of all - it's a real-time OS - changes are applied immediately (sometimes :))
set vrouter trust-vr # assumed context: the commands below are entered inside the virtual router
set protocol bgp # assumed context: ... and inside its BGP instance (local AS configured beforehand)
set neighbor 172.16.1.2 remote-as 2222 local-ip 172.16.1.1/30 outgoing-interface ethernet0/3
set neighbor 172.16.1.2 enable
set ipv4 neighbor 172.16.1.2 activate
set ipv4 neighbor 172.16.1.2 advertise-def-route # To advertise the default route.
set ipv4 neighbor 172.16.1.2 route-map "advertise-out" out # Route map applied to the neighbor.
set ipv4 neighbor 172.16.1.2 route-map "receive-in" in
set ipv4 network 172.16.10.0/24
set ipv4 network 10.10.10.0/24 no-check # Routes advertised to other peers.
set ipv4 network 10.10.20.0/24 # Routes advertised to other peers.
### By default, the route will only be advertised to the other BGP peers when the network is reachable (either via a static route or via IGP).
### You can turn this off by adding the no-check attribute to the network that needs to be advertised.
exit
set access-list 10 # ACL to block the routes for a single peer.
set access-list 10 deny ip 10.10.0.0/16 10 # Deny = subnets not to be advertised. Permit = subnets allowed to be advertised.
set access-list 10 permit ip 0.0.0.0/0 20 # N.B. There is a significant difference between and 0.0.0.0/0 which means
set access-list 110 # In this case we'll advertise to 172.16.1.2 only 10.10.10.0/24 and 172.16.10.0/24
set access-list 110 permit ip 10.10.10.0/24 10 # but not 10.10.20.0/24 (a /16 here would also cover 10.10.20.0/24)
set access-list 110 permit ip 172.16.10.0/24 20
set route-map name "advertise-out" permit 10
set match ip 10
set route-map name "receive-in" permit 10
set match ip 110
exit
save config
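How a ScreenOS access-list decides whether a route passes a route-map clause, as an added Python example (not from the post or from Juniper): the first matching entry wins, a route matches when its prefix lies within the entry's prefix, and an unmatched route is denied. It is built from the post's lists plus an assumed list 111 (list 110 with a /24 entry), to show that an entry written as 10.10.10.0/16, which the CLI stores as 10.10.0.0/16, also covers 10.10.20.0/24; those evaluation semantics and list 111 are assumptions.

```python
"""Evaluate ScreenOS-style access-lists (as used by route-map 'match ip') against route prefixes."""
import ipaddress
from collections import defaultdict

# Constructed input: the access-list entries from the post, plus an assumed list 111
# that is list 110 with the /24 entry, so the two can be compared side by side.
ACL_CONFIG = """
set access-list 10 deny ip 10.10.0.0/16 10
set access-list 10 permit ip 0.0.0.0/0 20
set access-list 110 permit ip 10.10.10.0/16 10
set access-list 110 permit ip 172.16.10.0/24 20
set access-list 111 permit ip 10.10.10.0/24 10
set access-list 111 permit ip 172.16.10.0/24 20
"""


def parse_access_lists(config: str) -> dict:
    """Map list id -> [(seq, action, network)], ordered by sequence number."""
    lists = defaultdict(list)
    for raw in config.splitlines():
        tok = raw.split("#", 1)[0].split()          # '#' annotations are not CLI syntax
        if len(tok) != 7 or tok[:2] != ["set", "access-list"]:
            continue                                # skips bare 'set access-list N' lines
        _, _, acl_id, action, _, prefix, seq = tok
        # strict=False mirrors the CLI: host bits are dropped, so 10.10.10.0/16 becomes 10.10.0.0/16
        net = ipaddress.ip_network(prefix, strict=False)
        lists[acl_id].append((int(seq), action, net))
    return {k: sorted(v, key=lambda e: e[0]) for k, v in lists.items()}


def acl_permits(lists: dict, acl_id: str, route: str) -> bool:
    """First matching entry wins; a route matches when its prefix lies within the entry;
    no match (or an unknown list) means deny."""
    candidate = ipaddress.ip_network(route)
    for _seq, action, net in lists.get(acl_id, []):
        if candidate.version == net.version and candidate.subnet_of(net):
            return action == "permit"
    return False


def routes_passing(lists: dict, acl_id: str, routes) -> list:
    """The subset of routes the list would let a route-map permit clause advertise."""
    return [r for r in routes if acl_permits(lists, acl_id, r)]


if __name__ == "__main__":
    acls = parse_access_lists(ACL_CONFIG)
    nets = ["10.10.10.0/24", "10.10.20.0/24", "172.16.10.0/24"]
    for acl_id in ("10", "110", "111"):
        print(f"access-list {acl_id} permits: {routes_passing(acls, acl_id, nets)}")
```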
Some useful commands:
Show routing table:
get routes
get vr trust-vr route
BGP peers and their states:
get vrouter trust-vr proto bgp neighbor
Detailed info about a BGP peer:
get vrouter trust-vr proto bgp neighbor 172.16.1.2
Routes learned from BGP peers:
get vr trust-vr protocol bgp rib-in
BGP config for a particular virtual router:
get vr trust-vr proto bgp config
The following commands are not offered by auto-completion (TAB or SPACE); they must be typed or copy/pasted as is:
debug bgp all (debug bgp ?)
debug tcp all
debug flow basic
Read debug output:
get dbuf stream
Clear debug log/info file:
clear dbuf
Sometimes life-saving:
unset vrouter trust-vr proto bgp synchronization
set vrouter trust-vr proto bgp enable
exec vrouter trust-vr proto bgp neighbor 172.16.1.2 disconnect
exec vrouter trust-vr proto bgp neighbor 172.16.1.2 connect
BGP soft-clear:
clear vrouter trust-vr protocol bgp neighbor 172.16.1.2 soft-in
clear vrouter trust-vr protocol bgp neighbor 172.16.1.2 soft-out
Monday, August 03, 2015
Windows 8.1 MS Active Directory Biometric logon
After joining the computer to the MS Active Directory domain, when trying to log in with properly configured and rolled-out fingerprints I receive an error message:
- You can't sign in to a domain account using a fingerprint on this PC. Contact your system administrator
1. Remove any fingerprints
2. Win+X -> Command Prompt (Admin)
3. admin_cmd -> GPEDIT.msc -> Computer Configuration -> Administrative Templates -> Windows Components -> Biometrics -> “Allow domain users to log on using biometrics” = Enabled (default setting = Disabled)
4. gpupdate -f
5. Swipe fingers again
6. Reboot