- Weight (Bigger win, Cisco proprietary)
- LOCAL_PREF (Bigger Win)
- Locally injected routes (Locally injected win overiBGP/eBGP learned)
- AS_PATH length (Smaller Win)
- ORIGIN (code I win over E, E win over ? )
- MED (Smaller Win)
- Neighbor Type (eBGP win over iBGP)
- IGP metric to NEXT_HOP (Smaller win)
Tuesday, December 3, 2013
BGP Decision Process
Nothing new in this post! It's just a reminder regarding the BGP process decision:
Tuesday, November 26, 2013
Key Based SSH Authentication on a Linux Host using Putty
In order to be more secure, I have decided to use a key instead of a password authentication. I'm using putty to connect to my linux server. I have used the following steps in order to configure it:
The key is generated by mouving randomly the mouse.
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
After this, if you open the session, you will be directly prompted to the linux host.
- Generate a public and private key with PuTTYgen (click on Generate):
- Save the public and private key.
- The next step is to add the public key on the server:
chmod 700 ~/.ssh
- Paste the public key to the following file:
chmod 600 ~/.ssh/authorized_keys
- Configure the putty session:
- Create a new session and save it:
- Select data and configure 'Auto-login' (usersame used by the created key):
- Configure the path to the private key:
After this, if you open the session, you will be directly prompted to the linux host.
Monday, November 25, 2013
OSPF Database Reminder in the same area
This is a reminder in order to interpret an ospf database on a Cisco router. I have created the following lab to test the 'show ip ospf datase':
In red, the router ID:
R3#show ip ospf database
OSPF Router with ID (3.3.3.3) (Process ID 1)
The list of all routers in the area:
Router Link States (Area 0)
Link ID ADV Router Age Seq# Checksum Link count
1.1.1.1 1.1.1.1 129 0x80000002 0x0057AC 1
2.2.2.2 2.2.2.2 25 0x80000003 0x00536B 2
3.3.3.3 3.3.3.3 24 0x80000002 0x0016B6 2
All the network segments in the area and the DR for each segment. Here, 10.1.2.2 is the IP address of the DR on the segment and 2.2.2.2 is the router id:
Net Link States (Area 0)
Link ID ADV Router Age Seq# Checksum
10.1.2.2 2.2.2.2 103 0x80000001 0x0021F5
10.1.4.2 2.2.2.2 25 0x80000001 0x006F9D
Each subnet, even if there is no OSPF neighbor:
R1#show ip ospf database internal
OSPF Router with ID (1.1.1.1) (Process ID 1)
Stub Link States (Area 0)
Link ID ADV Router Age Seq# Checksum Mask
10.1.2.255 1.1.1.1 355 0x0 0x006D69 /24
10.1.3.255 2.2.2.2 98 0x0 0x00448D /24
10.1.4.255 2.2.2.2 315 0x0 0x003997 /24
10.1.5.255 3.3.3.3 230 0x0 0x0010BB /24
In red, the router ID:
R3#show ip ospf database
OSPF Router with ID (3.3.3.3) (Process ID 1)
The list of all routers in the area:
Router Link States (Area 0)
Link ID ADV Router Age Seq# Checksum Link count
1.1.1.1 1.1.1.1 129 0x80000002 0x0057AC 1
2.2.2.2 2.2.2.2 25 0x80000003 0x00536B 2
3.3.3.3 3.3.3.3 24 0x80000002 0x0016B6 2
All the network segments in the area and the DR for each segment. Here, 10.1.2.2 is the IP address of the DR on the segment and 2.2.2.2 is the router id:
Net Link States (Area 0)
Link ID ADV Router Age Seq# Checksum
10.1.2.2 2.2.2.2 103 0x80000001 0x0021F5
10.1.4.2 2.2.2.2 25 0x80000001 0x006F9D
Each subnet, even if there is no OSPF neighbor:
R1#show ip ospf database internal
OSPF Router with ID (1.1.1.1) (Process ID 1)
Stub Link States (Area 0)
Link ID ADV Router Age Seq# Checksum Mask
10.1.2.255 1.1.1.1 355 0x0 0x006D69 /24
10.1.3.255 2.2.2.2 98 0x0 0x00448D /24
10.1.4.255 2.2.2.2 315 0x0 0x003997 /24
10.1.5.255 3.3.3.3 230 0x0 0x0010BB /24
Friday, November 22, 2013
Reflexive ACLs
Introduction:
By default, an ACL is not stateful. When an 'inside' client open a session to an 'outside' host you have to create 2 ACLs:
- Client to Server
- Server to Client
In our case, we would like open everything coming from the client side and going to the server side. We also deny each session coming from server side. With traditional ACLs it will be really difficult to realize this configuration. It's why, we will use reflexive ACLs. This kind of ACL record session open from the client side and open the necessary port and IP source for the traffic coming back from the specific server.
In our case, we are using a simple test infrastructure as can be seen in the following diagram:
The traffic coming from the client side and going to server side is authorized. Only the response to a session open by a client is authorized (handle dynamically by a recursive ACL). Any other traffic coming from the server side is denied.
Configuration:
In a first step, we create an ACL to reflect outgoing packets:
When the client initiates a session, a reflected ACL is created in MIRROR.
In a second step, we create an ACL which uses the MIRROR entry to authorize the traffic.
ip access-list extended INBOUND
Connexion coming from the server side are denied:
By default, an ACL is not stateful. When an 'inside' client open a session to an 'outside' host you have to create 2 ACLs:
- Client to Server
- Server to Client
In our case, we would like open everything coming from the client side and going to the server side. We also deny each session coming from server side. With traditional ACLs it will be really difficult to realize this configuration. It's why, we will use reflexive ACLs. This kind of ACL record session open from the client side and open the necessary port and IP source for the traffic coming back from the specific server.
In our case, we are using a simple test infrastructure as can be seen in the following diagram:
The traffic coming from the client side and going to server side is authorized. Only the response to a session open by a client is authorized (handle dynamically by a recursive ACL). Any other traffic coming from the server side is denied.
Configuration:
In a first step, we create an ACL to reflect outgoing packets:
ip access-list extended OUTBOUND
permit ip any any reflect MIRROR
!
interface FastEthernet0/1
ip access-group OUTBOUND out
When the client initiates a session, a reflected ACL is created in MIRROR.
Router#show ip access-lists MIRROR
Reflexive IP access list MIRROR
permit tcp host 10.1.3.10 eq telnet host 10.1.1.10 eq 27797 (27 matches) (time left 159)
In a second step, we create an ACL which uses the MIRROR entry to authorize the traffic.
ip access-list extended INBOUND
evaluate MIRROR
!
interface FastEthernet0/1
ip access-group INBOUND in
Results:
Connexion coming from the server side are denied:
SERVER#telnet 10.1.1.10
Trying 10.1.1.10 ...
% Destination unreachable; gateway or host down
Connexion coming from the client side are authorized:
client#telnet 10.1.3.10
Trying 10.1.3.10 ... Open
User Access Verification
Password:
SERVER>en
As you can see below, a 'reflexive' session is authorized from the server to the client:
Router#show ip access-lists
Extended IP access list INBOUND
10 evaluate Mirror
Reflexive IP access list Mirror
permit tcp host 10.1.3.10 eq telnet host 10.1.1.10 eq 27797 (27 matches) (time left 159)
Extended IP access list OUTBOUND
10 permit ip any any reflect Mirror (27 matches)
Remarks:
By default the timeout for a reflexive ACL is 300sec.
Tuesday, November 19, 2013
Change phpmyadmin well-know url
In order to access to the web interface of phpmyadmin, by default you have to use the well-know url: mywebsite.com/phpmyadmin.
If you want to change this default url, you can use the following procedure:
If you want to change this default url, you can use the following procedure:
- Open the apache.conf file, this file is located in /etc/phpmyadmin (for many Linux servers).
By default, this file looks like:
# phpMyAdmin default Apache configuration
Alias /phpmyadmin /usr/share/phpmyadmin
- Edit the file apache.conf by changing the alias
# phpMyAdmin default Apache configuration
Alias /urlsecret /usr/share/phpmyadmin
- Restart the apache service:
sudo /etc/init.d/apache2 restart
Monday, November 18, 2013
TACACs Attributes
You will find below a compilation of attributes used for authenticate several components with an ACS server. The ACS returns this attribute to the server in order to be authenticated with the good shell privilege.
Nexus:
These equipment have been tested with an ACS 5.4. Don't hesitate to add your remarks.
Nexus:
- Attribute: cisco-avp-pair
- Requirement: Mandatory
- Value: shell:roles*"network-admin vdc-admin"
Riverbed (Steelhead):
- Attribute: local-user-name
- Requirement: Mandatory
- Value: admin
WLC (Cisco Wireless Controller):
- Attribute: role1
- Requirement: Mandatory
- Value: ALL
These equipment have been tested with an ACS 5.4. Don't hesitate to add your remarks.
Subscribe to:
Posts (Atom)