
Showing posts from June 22, 2008

Configuring RMON Alarm and Event Settings from the Command Line Interface (CLI)

Introduction
This document describes how to set up Remote Monitoring (RMON) Alarms and Events on a router from the command line interface (CLI).

Background Information
RMON is an SNMP MIB-based method, closely related to plain Simple Network Management Protocol (SNMP) polling, for tracking statistics on network device interfaces or ports.

The RMON feature is typically useful in a LAN switch environment, but it is also available on access routers (for example, the 2x00 series) in Cisco IOS® Software Release 11.1 or later. Sometimes you need to set up RMON on a remote router, for instance when you cannot get access to the LAN equipment (such as hubs) to view the traffic. RMON does not require you to actively poll SNMP variables on a regular basis: the device stores the needed information itself and sends it periodically to an RMON network management station.

Note: By default all switches support mini-rmon, so that alarms, events, stats and history are directly received from the switches. In order to receive all other detailed information from …

Filtering traffic from a specific host by MAC address on a router

When you filter on a MAC address, the filtering happens at Layer 2. A router normally performs Layer 3 routing and only examines incoming MAC addresses in the rare case that it is bridging, so this kind of filter is best placed on a Layer 2 switching device.

  Method 1. Still, this is not an impossible task for a router. The following configuration achieves the desired effect:

Router(config)#ip cef
Router(config)#interface Ethernet0/0
Router(config-if)#ip address 192.168.1.254 255.255.255.0
Router(config-if)#rate-limit input access-group rate-limit 100 8000 1500 2000 conform-action drop exceed-action drop
Router(config)#access-list rate-limit 100 0001.0001.abcd

Rate-limit access lists numbered 100 to 199 match on MAC address. Because both the conform action and the exceed action are drop, the CAR policy discards every frame sourced from 0001.0001.abcd regardless of rate; the 8000/1500/2000 values only have to be syntactically valid.


  Method 2. Bridging (IRB) also solves it; this method only needs a standard IOS image of 12.0(2)T or later. The configuration is as follows:

Router(config)#bridge irb
Router(config)#interface Ethernet0/0
Router(config-if)#no ip address
Router(config-if)#bridge-group 1
Router(config-if)#interface BVI1
Router(config-if)#ip address 192.168.1.254 255.255.255.0
Router(config)#bridge 1 protocol ieee
Router(config)#bridge 1 route ip
Router(config)#bridge 1 address 0001.0001.abcd discard

In both methods the match is on the source MAC address, which the end host controls. A user who changes the MAC address of the host bypasses the filter, so treat this as a traffic-control measure rather than an access-control boundary.

Enabling Tag Switching on the ATM Interface

Image
Note: Configure all parallel interfaces between ATM switch routers for either IP unnumbered or with a specific IP address. Unnumbering some parallel interfaces and assigning specific IP addresses to others might cause TDP sessions to restart on some parallel interfaces when another parallel interface is shut down. Therefore, we highly recommend that you unnumber all parallel interfaces to loopback.

To enable tag switching on the ATM interface, perform the following steps, beginning in global configuration mode:

1. interface atm card/subcard/port
2. ip unnumbered type number
   or
   ip address ip-address mask
3. tag-switching ip

Examples
In the following example, ATM interface 1/0/1 is configured for IP unnumbered to loopback interface 0:

Switch(config)# interface atm 1/0/1
Switch(config-if)# ip unnumbered loopback 0
Switch(config-if)# tag-switching ip
Switch(config-if)# exit

In the following example, ATM interface 0/0/3 is configured with a specific IP address and subnet mask (1.3.11.3 255.255.0.0):

mpls ldp discovery transport-address

To specify the transport address advertised in Label Distribution Protocol (LDP) Discovery Hello messages sent on an interface, use the mpls ldp discovery transport-address command in interface configuration mode. To remove the transport address advertised, use the no form of this command.


mpls ldp discovery transport-address {interface | ip-address}
no mpls ldp discovery transport-address


Defaults
The default behavior when this command has not been issued for an interface depends on the interface type.

Unless the interface is a label-controlled ATM (LC-ATM) interface, LDP advertises its LDP router ID as the transport address in LDP Discovery Hello messages sent from the interface.

If the interface is an LC-ATM interface, no transport address is explicitly advertised in LDP Discovery Hello messages sent from the interface.

Usage Guidelines
Establishing an LDP session between two routers requires a session TCP connection by which label advertisements can be exchanged between the routers. To esta…

Proxy Auto Config (PAC)

What is Proxy Auto Config?

First, you need to know what a proxy is and what it does; if you do not yet, refer to this document.
So what is PAC (Proxy Auto Config)? It is actually a script; by writing this script we can let the system decide, for a given situation, which proxy to use for the connection. The main benefits of doing this are:

Spreading load across proxies, so no single proxy server is overloaded
Per-condition settings that speed up browsing
A requested order of attempts, so that when one proxy is unreachable another connection method is tried automatically

--------------------------------------------------------------------------------

Format of the Proxy Auto Config file

A Proxy Auto Config file (PAC below) is basically a plain-text file whose syntax is JavaScript, so anyone who wants to write PAC files should first learn basic JavaScript. A PAC file must be pure JavaScript and must not contain any HTML tags.

A PAC file must define the function FindProxyForURL as follows:

function FindProxyForURL( url, host ) { ... }

If a PAC file is in use, the browser, after receiving the URL we requested, executes

ret = FindProxyForURL( url, host );

Here url is the complete requested URL and host is the remote host name (the part between :// and /); the return value ret is the proxy configuration, which takes one of the following three forms:

DIRECT	connect directly without a proxy
PROXY host:port	use the specified proxy server
SOCKS host:port	use the specified SOCKS server
For example, if the browser gets PROXY proxy.ncu.edu.tw:3128; PROXY proxy.csie.ncu.edu.tw:3128; DIRECT, it will first try to open the page through proxy.ncu.edu.tw; if that cannot be used it tries proxy.csie.ncu.edu.tw; and if that still fails, it…
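The following is an added example, not code from the original post: a complete PAC file of the kind described above, together with re-implementations of the helper functions a browser normally injects into the PAC environment (isPlainHostName, dnsDomainIs, shExpMatch, isInNet), so the script can be executed and tested with Node outside a browser. The campus domain, proxy names and address ranges are assumptions chosen for illustration.

```javascript
// Added example, not code from the original post: a runnable PAC file plus
// stand-ins for the helper functions a browser provides, so FindProxyForURL
// can be exercised offline. Domain, proxy names and networks are assumptions.

// ---- helpers the browser provides; re-implemented here for offline use ----
function isPlainHostName(host) {
  return host.indexOf('.') === -1;          // no dots: unqualified name
}

function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

function shExpMatch(str, pattern) {
  // Shell-style glob: escape regex metacharacters, then map * and ? onto regex.
  const re = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp('^' + re + '$').test(str);
}

const IPV4 = /^(\d{1,3}\.){3}\d{1,3}$/;

function isInNet(ip, net, mask) {
  // A browser would dnsResolve(host) first; here only a literal IPv4 is accepted.
  if (!IPV4.test(ip)) return false;
  const toInt = (a) =>
    a.split('.').reduce((n, o) => ((n << 8) | Number(o)) >>> 0, 0);
  return (toInt(ip) & toInt(mask)) === (toInt(net) & toInt(mask));
}

// ---- the PAC entry point the browser calls for every request ----
function FindProxyForURL(url, host) {
  // Unqualified names, the campus domain and the private 192.168/16 range go direct.
  if (isPlainHostName(host) ||
      dnsDomainIs(host, '.ncu.edu.tw') ||
      isInNet(host, '192.168.0.0', '255.255.0.0')) {
    return 'DIRECT';
  }
  // Only HTTP and HTTPS are sent through the cache; other schemes go direct.
  if (!shExpMatch(url, 'http:*') && !shExpMatch(url, 'https:*')) {
    return 'DIRECT';
  }
  // Ordered failover list: primary cache, backup cache, then no proxy at all.
  return 'PROXY proxy.ncu.edu.tw:3128; PROXY proxy.csie.ncu.edu.tw:3128; DIRECT';
}
```

The trailing DIRECT in the returned string is the automatic failover the post describes, but it also means that when both caches are unreachable the browser silently bypasses the proxy. Where the proxy enforces a filtering or logging policy, end the list with the last proxy instead of DIRECT so that an outage fails closed. Because the PAC file is executed as JavaScript by every client that loads it, serve it only from a host and path you control.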

Web Proxy Auto-Discovery (WPAD)

Web Proxy Auto-Discovery (WPAD) lets web clients locate a proxy server automatically, without manual configuration. The algorithm it uses prepends the host name "wpad" to the client's fully qualified domain name, then progressively removes leading sub-domain labels until a WPAD server is found or only the third-level domain remains.

A malicious user can set up a WPAD server and pose as the proxy, and thereby mount man-in-the-middle attacks against those sub-domains. When a user has a primary DNS suffix configured, the Windows resolver tries every parent domain in turn. For example, with the DNS suffix corp.contoso.co.us, a lookup of the name wpad first sends wpad.corp.contoso.co.us; if that is not found it tries wpad.contoso.co.us; and if that is still not found it tries wpad.co.us, even though that name does not belong to the contoso.co.us domain.

Juniper EX Series Switch Workshop notes, Part II

These are most of the commands I dumped while doing the labs in class; I have added a few comments to the more complicated parts. I hope they are helpful!

Initial Configuration with DHCP

system {
    root-authentication {
        encrypted-password "$1$2Ssh2j.s$0vlh/Jv7fu5xpueSmG8O1/"; ## SECRET-DATA
        ! set the root login password
    }
    login {
        user juniper {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "$1$AGAzBQkY$QWZ8BSLezx0d7Oh0j.NFw."; ## SECRET-DATA
                ! set the user login account and password
            }
        }
    }
    services {
        ssh {
            root-login allow;
            ! SSH access; "root-login allow" also lets root log in directly over SSH (lab setting)
        }
        web-management {
            http;
            ! J-Web access, here over plain HTTP
        }
        dhcp {
            pool 192.168.200.0/24 {
                address-range low 192.168.200.101 high 192.168.200.110;
                router {
                    192.168.200.10;
                }
            }
            pool 192.168.3.0/24 {
                address-range low 192.168.3.101 high 192.168.3.105;

Juniper EX Series Switch Workshop notes, Part I

Last week I attended the EX Series Switch Workshop held by Juniper. There was a lot of content and limited time, so I typed up the key points as I listened, and I am sharing them here. You should ideally have a basic understanding of JUNOS first, otherwise the commands in my notes may be hard to follow (in fact this was my first experience with JUNOS, but with a grounding in Cisco IOS commands it takes only a little extra time to get up to speed with JUNOS).

If my notes contain errors, please point them out and correct me. Thank you!

===============================================================================
Juniper Switch:
Model
3200
4200 (virtual chassis - 128G/redundant power)
8200 Q4
(all layer 3)

48 Port PoE need 930W

10G XFP can be virtual chassis
EtherChannel (link aggregation) not supported yet
One Active/One Standby

USB - internal storage / firmware upgrade

Virtual Management Ethernet (VME)

IPv6/MPLS in the future(hardware ready)

NSM(all platform will use this interface)

PFE (Packet Forwarding Engine)

EX-PFE control 24 port

2 * VCP(Virtual chassis port)/64G(32G TX/32G RX) = 128G VCB(Virtual Chassis Backplane)

EX3200-24x/48x: the last 4 ports are shared with the SFP slots

Extract Layer 2 Header then re-write Layer 2 with original packet

================================================================================

aka MAC address table/FDB(Forwarding Database)

"…

PPP Over Frame Relay

Feature Summary
The PPP over Frame Relay feature allows a router to establish end-to-end Point-to-Point Protocol (PPP) sessions over Frame Relay. IP datagrams are transported over the PPP link using RFC 1973-compliant Frame Relay framing. This feature is useful for remote users running PPP to access their Frame Relay corporate networks, as shown in Figure 1. Figure 2 shows a connectivity scenario using the Cisco 90i D4 channel unit, which is capable of supporting Integrated Services Digital Network (ISDN) Digital Subscriber Line (IDSL), PPP, or Frame Relay, and which connects to an Internet service provider (ISP) or corporate network.

Figure 1 PPP Over Frame Relay Scenario

Figure 2 PPP over Frame Relay Using the Cisco 90i D4 Channel Unit



Benefits
PPP over Frame Relay provides the following benefits:
‧Allows end-to-end PPP sessions over Frame Relay.
‧Supports the 90i IDSL Channel Unit that supports both Frame Relay and Point-to-Point Protocol (PPP) on an ISDN DSL.

List of Terms
data-link connection identifier (DLCI)—

ip pim bsr-border

To prevent bootstrap router (BSR) messages from being sent or received through an interface, use the ip pim bsr-border command in interface configuration mode. To disable this configuration, use the no form of this command.

ip pim bsr-border
no ip pim bsr-border

Usage Guidelines
When this command is configured on an interface, no Protocol Independent Multicast (PIM) Version 2 BSR messages will be sent or received through the interface. Configure an interface bordering another PIM domain with this command to prevent BSR messages from being exchanged between the two domains. BSR messages should not be exchanged between different domains, because routers in one domain may elect rendezvous points (RPs) in the other domain, resulting in protocol malfunction or loss of isolation between the domains.

Note This command does not set up multicast boundaries. It sets up only a PIM domain BSR message border.

Examples
The following example configures the interface to be the PIM domain border:

interface eth…

Multicast-VPN/IP Multicast Support for MPLS VPNs

Feature Overview
This Multicast-VPN—IP Multicast Support for MPLS VPNs feature allows a service provider to configure and support multicast traffic in a Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) environment. This feature supports routing and forwarding of multicast packets for each individual VPN routing and forwarding (VRF) instance, and it also provides a mechanism to transport VPN multicast packets across the service provider backbone.
The Multicast-VPN feature in Cisco IOS software provides the ability to support multicast over a Layer 3 VPN. As enterprises extend the reach of their multicast applications, service providers can accommodate these enterprises over their MPLS core network. IP multicast is used to stream video, voice, and data across an MPLS VPN network core.
A VPN is network connectivity across a shared infrastructure, such as an internet service provider (ISP). Its function is to provide the same policies and performance as a private n…