Thursday, April 13, 2023

BGP conditional route injection in ASA

I have found a very useful BGP feature. I was looking for a way to inject more specific prefixes into the BGP domain and was really surprised I had not used this before. One remark: it will not generate more specifics of its own route (one redistributed from another protocol, for example). All the articles I found were about routers, but it works on ASA firewalls too.

This is the exact opposite of what aggregate-address does. Now in my toolkit :)

Here is how to inject two /25 prefixes if you receive the /24 from the neighbor 10.42.1.1:

prefix-list UNAGGREGATED-PREFIXES seq 5 permit 10.43.1.0/25
prefix-list UNAGGREGATED-PREFIXES seq 10 permit 10.43.1.128/25
prefix-list R1-AGGREGATE seq 5 permit 10.43.1.0/24
prefix-list R1-SOURCE seq 5 permit 10.42.1.1/32
!
route-map PREFIX-INJECTIONS permit 10
 set ip address prefix-list UNAGGREGATED-PREFIXES
!
route-map AGGREGATED-ROUTE permit 10
 match ip address prefix-list R1-AGGREGATE
 match ip route-source prefix-list R1-SOURCE
!
router bgp 64517
 address-family ipv4 unicast
  bgp inject-map PREFIX-INJECTIONS exist-map AGGREGATED-ROUTE
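To check what the exist-map/inject-map pair above will actually do before committing it, here is an added Python model of the conditional injection logic (my own example, not code from the post or from Cisco). It models the two conditions the config relies on: the aggregate must be present in the BGP table and learned from the route-source neighbor (so a locally originated or redistributed /24 injects nothing, which is the remark above), and only prefixes that are more specific than the matched aggregate are injected. The names RouteEntry-style tuples, exist_map_matches and inject_routes are assumptions.

```python
import ipaddress

# Constructed from the prefix-lists on the page; not a live BGP table.
ROUTE_SOURCE = ipaddress.ip_network("10.42.1.1/32")            # R1-SOURCE
AGGREGATE_PREFIXES = [ipaddress.ip_network("10.43.1.0/24")]    # R1-AGGREGATE
INJECT_PREFIXES = [ipaddress.ip_network("10.43.1.0/25"),       # UNAGGREGATED-PREFIXES
                   ipaddress.ip_network("10.43.1.128/25")]


def exist_map_matches(prefix, learned_from):
    """AGGREGATED-ROUTE: prefix must be in R1-AGGREGATE and the route-source
    (the BGP neighbor the path was learned from) must be in R1-SOURCE.
    learned_from is None for locally originated or redistributed routes,
    which therefore never satisfy the exist-map (assumed modelling choice)."""
    if learned_from is None:
        return False
    src = ipaddress.ip_address(learned_from)
    return any(prefix == agg for agg in AGGREGATE_PREFIXES) and src in ROUTE_SOURCE


def inject_routes(bgp_table):
    """bgp_table: list of (prefix_str, learned_from_neighbor_or_None).
    Returns the more-specific prefixes (as strings) the inject-map would add."""
    injected = []
    for prefix_str, learned_from in bgp_table:
        prefix = ipaddress.ip_network(prefix_str)
        if not exist_map_matches(prefix, learned_from):
            continue
        for specific in INJECT_PREFIXES:
            # Only prefixes strictly more specific than the aggregate are injected.
            if specific != prefix and specific.subnet_of(prefix):
                injected.append(str(specific))
    return injected


if __name__ == "__main__":
    # /24 learned from 10.42.1.1 -> both /25s injected
    print(inject_routes([("10.43.1.0/24", "10.42.1.1")]))
    # same /24 originated locally -> nothing injected
    print(inject_routes([("10.43.1.0/24", None)]))
```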

Friday, January 8, 2021

Legacy Cat 4500 QoS

When the DIA bandwidth is exhausted and the ISP will only increase it in a month, you still have to deliver services to users. Time to implement QoS.


ip access-list extended ACL-LAN-to-LAN-GE3-7
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 permit ip 10.0.0.0 0.255.255.255 172.16.0.0 0.15.255.255
 permit ip 192.168.0.0 0.0.255.255 172.16.0.0 0.15.255.255
 permit ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit ip 192.168.0.0 0.0.255.255 10.0.0.0 0.255.255.255
ip access-list extended ACL-LAN-to-LAN-GE3-8
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 permit ip 10.0.0.0 0.255.255.255 172.16.0.0 0.15.255.255
 permit ip 192.168.0.0 0.0.255.255 172.16.0.0 0.15.255.255
 permit ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit ip 192.168.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 permit ip 172.16.0.0 0.15.255.255 10.0.0.0 0.255.255.255
 permit ip 172.16.0.0 0.15.255.255 192.168.0.0 0.0.255.255
 permit ip 172.16.0.0 0.15.255.255 172.16.0.0 0.15.255.255
!
class-map match-all CM-PRIVATE-GE3-8
 match access-group name ACL-LAN-to-LAN-GE3-8
class-map match-all CM-PRIVATE-GE3-7
 match access-group name ACL-LAN-to-LAN-GE3-7
class-map match-all CM-VOICE
 match dscp ef
!
policy-map PM-GE3-8_1
 class CM-VOICE
  priority
  police cir percent 4 bc 33 ms
 class CM-PRIVATE-GE3-8
  bandwidth remaining percent 75
  queue-limit 2000 packets
  dbl
 class class-default
  bandwidth remaining percent 21
  dbl
policy-map PM-GE3-7_1
 class CM-VOICE
  priority
  police cir percent 4 bc 33 ms
 class CM-PRIVATE-GE3-7
  bandwidth remaining percent 75
  queue-limit 2000 packets
  dbl
 class class-default
  bandwidth remaining percent 21
  dbl
!
interface GigabitEthernet3/7
 description TO_VRF_GLOBAL
 no switchport
 bandwidth 97280
 ip vrf forwarding VRF-LAN
 ip address 10.60.5.49 255.255.255.240
 service-policy output PM-GE3-7_1
!
interface GigabitEthernet3/8
 description TO_VRF_LAN
 no switchport
 bandwidth 97280
 ip address 10.60.5.50 255.255.255.240
 service-policy output PM-GE3-8_1
end


https://www.ciscopress.com/articles/article.asp?p=2159353&seqNum=3

Friday, April 3, 2020

Netflow config cisco catalyst 3850

Issue:
% Flow Record: Failed to field add: Failed to validate Unsetting Public:behaviour
% Flow Monitor: Failed to add monitor to interface: Unsupported key field "interface input" for ip traffic in Output direction

To avoid this, use separate flow records and flow monitors for the inbound and outbound directions.


!
flow record FR-INPUT
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match flow direction
 match interface input
 collect counter bytes long
 collect counter packets long
!
!
flow record FR-OUTPUT
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match flow direction
 match interface output
 collect counter bytes long
 collect counter packets long
!
!
flow exporter EXPORT1
 destination 10.74.12.38
 source Vlan170
 transport udp 2055
!
!
flow monitor MONITOR-INPUT
 exporter EXPORT1
 cache timeout active 300
 record FR-INPUT
!
!
flow monitor MONITOR-OUTPUT
 exporter EXPORT1
 cache timeout active 300
 record FR-OUTPUT
!
vlan configuration 1,31,40,170,184,193-207,242
 ip flow monitor MONITOR-INPUT input
 ip flow monitor MONITOR-OUTPUT output
!

Wednesday, October 31, 2018

IOS clear VTY session

Just a reminder.

Step 1:
Issue a 'show user' command to find out which connection is being used, and
take note of the address in the Location column.
-------------------
kriek#sh user
    Line     User      Host(s)                  Idle Location
*  0 con 0             idle                 00:00:00
  66 vty 0             idle                 00:00:14 10.200.40.92
-------------------
Step 2:
Issue 'show tcp brief' and look for the IP address you recorded in step 1
in the Foreign Address column. Take note of the first entry on that line, the TCB
value.
-------------------
kriek#sh tcp brief
TCB             Local Address              Foreign Address        (state)
808E9EB4  10.200.40.37.23         10.200.40.92.11005     ESTAB
-------------------
Step 3:
Using the TCB number recorded in Step 2, issue 'clear tcp tcb ###' where ###
is the TCB number.
-------------------
kriek#clear tcp tcb 808E9EB4
-------------------
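The three steps above are easy to get wrong by hand when several operators are logged in from the same jump host, so here is an added Python helper (my own example, not from the post) that parses 'show user' and 'show tcp brief' output, maps a vty line to its remote address, and returns every established TCB for that address so you can see when the match is ambiguous. The sample outputs are constructed after the session shown above; the column layout and the function names are assumptions.

```python
import re

# Constructed sample outputs, modelled on the session on the page.
SHOW_USER = """\
    Line     User      Host(s)                  Idle Location
*  0 con 0             idle                 00:00:00
  66 vty 0             idle                 00:00:14 10.200.40.92
"""
SHOW_TCP_BRIEF = """\
TCB             Local Address              Foreign Address        (state)
808E9EB4  10.200.40.37.23         10.200.40.92.11005     ESTAB
"""

VTY_RE = re.compile(r"^\*?\s*\d+\s+vty\s+(\d+)\s+.*?\s(\d+(?:\.\d+){3})\s*$")
TCB_RE = re.compile(r"^([0-9A-Fa-f]+)\s+(\S+)\s+(\S+)\s+(\S+)")


def vty_locations(show_user_out):
    """Step 1: map vty line number -> remote address from the Location column."""
    found = {}
    for line in show_user_out.splitlines():
        m = VTY_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def tcbs_for_address(show_tcp_brief_out, remote_ip):
    """Step 2: TCBs of ESTAB sockets whose Foreign Address is remote_ip.
    The Foreign Address column is 'ip.port', so split off the last element."""
    tcbs = []
    for line in show_tcp_brief_out.splitlines():
        m = TCB_RE.match(line)
        if not m:
            continue  # header line or blank
        tcb, _local, foreign, state = m.groups()
        ip, _port = foreign.rsplit(".", 1)
        if ip == remote_ip and state == "ESTAB":
            tcbs.append(tcb)
    return tcbs


def clear_commands(show_user_out, show_tcp_brief_out, vty_line):
    """Step 3: the 'clear tcp tcb' command(s) for the given vty line.
    More than one entry means several sessions from that host; check before clearing."""
    remote = vty_locations(show_user_out).get(vty_line)
    if remote is None:
        return []
    return [f"clear tcp tcb {t}" for t in tcbs_for_address(show_tcp_brief_out, remote)]
```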

Wednesday, January 31, 2018

FortiGate troubleshoot packet tracer

I was looking for something like the ASA's packet tracer on a FortiGate. Here it is:


diagnose debug reset
diagnose debug flow filter ?
diagnose debug flow filter saddr 172.16.27.148
diagnose debug flow filter daddr 8.8.8.8
diagnose debug flow show console enable
diagnose debug enable
diagnose debug flow trace start 10  # display 10 packets
diagnose debug disable

From here - https://serverfault.com/questions/372377/fortinet-is-there-any-equivalent-of-the-asas-packet-tracer-command

Tuesday, June 13, 2017

OpenVPN Server PSK autostart

On startup, the OpenVPN server asks for the PSK if the private key was created with passphrase protection. How to avoid the prompt without using scripts?

In my openvpn.conf:
...
askpass /etc/openvpn/jdoe.pass   <<< new line here
ca /etc/openvpn/jdoe_ca.crt
cert /etc/openvpn/jdoe.crt
key /etc/openvpn/jdoe.key
...
The file /etc/openvpn/jdoe.pass just contains the password. You can chmod this file to 600. This method saved my life... ;-)

Tuesday, March 7, 2017

Voice VLAN in ExtremeXOS

On Catalysts it is simple: voice vlan. On an Extreme Summit it is more complicated. Create a tagged VLAN and configure LLDP so that the phone picks up exactly the tagged VLAN.

enable lldp ports 1-48
configure lldp port 1-48 advertise vendor-specific med capabilities
configure lldp port 1-48 advertise vendor-specific dot1 vlan-name vlan VLAN0022_IPPHONES
configure lldp port 1-48 advertise vendor-specific med power-via-mdi
configure lldp port 1-48 advertise vendor-specific med policy application voice vlan VLAN0022_IPPHONES dscp 46
configure lldp port 1-48 advertise system-capabilities
configure lldp port 1-48 advertise vendor-specific dot1 port-protocol-vlan-id vlan VLAN0022_IPPHONES

See here - https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-LLDP-for-Extreme-switches-to-recognize-IP-phones and here - http://www.extremenetworks.ru/blog/ip-telefonyi-i-kommutatoryi-extreme-ispolzuya-lldp/