ヨタ助


Monday, May 30, 2011

Sham-link & MPLS enable

### Before enabling "mpls ip" between R4 and R5 ###

R5#os sham
Sham Link OSPF_SL0 to address 18.18.100.4 is up
Area 0 source address 18.18.100.5
  Run as demand circuit
  DoNotAge LSA allowed. Cost of using 1 State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40,
    Hello due in 00:00:00

R4#sh ip ospf sham-links
Sham Link OSPF_SL1 to address 18.18.100.5 is up
Area 0 source address 18.18.100.4
  Run as demand circuit
  DoNotAge LSA allowed. Cost of using 1 State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40,
    Hello due in 00:00:03

### After enabling "mpls ip" between R4 and R5 ###

"Adjacency State FULL" must be confirmed in the output.


R5#os sham
Sham Link OSPF_SL0 to address 18.18.100.4 is up
Area 0 source address 18.18.100.5
  Run as demand circuit
  DoNotAge LSA allowed. Cost of using 1 State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40,
    Hello due in 00:00:05
    Adjacency State FULL (Hello suppressed)
    Index 2/3, retransmission queue length 0, number of retransmission 0
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 0, maximum is 0
    Last retransmission scan time is 0 msec, maximum is 0 msec



R4#os sham
Sham Link OSPF_SL1 to address 18.18.100.5 is up
Area 0 source address 18.18.100.4
  Run as demand circuit
  DoNotAge LSA allowed. Cost of using 1 State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40,
    Hello due in 00:00:02
    Adjacency State FULL (Hello suppressed)
    Index 2/3, retransmission queue length 0, number of retransmission 0
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 0, maximum is 0
    Last retransmission scan time is 0 msec, maximum is 0 msec

Sunday, May 22, 2011

score report

Advanced Services

 First Hop router Redundancy
 Security
 QoS
 NTP
 DHCP


Optimized the Network

 IP SLA
 Netflow
 SNMP
 System Logging
 EEM
 Core Dump
 File Transfer Services
 IP Source Tracker

Tuesday, May 03, 2011

NTP Testing

BB3 (204.12.1.254) was the original master clock.
SW1 and R5 had been synchronizing their clocks with "ntp server 204.12.1.254",
but the route to BB3 (204.12.1.254) went down.

Because R5 is configured with
 ntp master 5
 ntp peer 148.1.57.7 (SW1)
R5 uses itself (127.127.7.1) as its master while also watching SW1 (148.1.57.7).
However, since SW1 is stratum 6, R5 does not accept SW1 as a master clock.

Because the peer relationship was configured from the R5 side, SW1 tries to synchronize with R5.
BB3 is still listed at stratum 4 but is not reachable, so SW1 synchronizes with R5 (148.1.57.5),
which is reachable and operating normally.



Rack1SW1#sh ntp asso

      address         ref clock     st  when  poll reach  delay  offset    disp
+ 148.1.57.5       204.12.1.254      5    34    64  376   -23.7   11.19    17.2
*~204.12.1.254     127.127.7.1       4   507    64  200     7.8   23.79  16000.
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
Rack1SW1#sh ntp asso

      address         ref clock     st  when  poll reach  delay  offset    disp
* 148.1.57.5       204.12.1.254      5    62    64  376   -23.7   11.19    17.2
 ~204.12.1.254     127.127.7.1       4   535    64    0     7.8   23.79  16000.
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured

Rack1SW1#sh ntp asso de
148.1.57.5 dynamic, our_master, sane, valid, stratum 5
ref ID 204.12.1.254, time C0295462.3CBD3979 (01:14:10.237 UTC Fri Mar 1 2002)
our mode passive, peer mode active, our poll intvl 64, peer poll intvl 64
root delay 8.13 msec, root disp 25.38, reach 377, sync dist 59.082
delay -23.70 msec, offset 11.1856 msec, dispersion 17.79
precision 2**18, version 3
org time C0295673.37899BC9 (01:22:59.216 UTC Fri Mar 1 2002)
rcv time C0295673.3CDCCCD6 (01:22:59.237 UTC Fri Mar 1 2002)
xmt time C0295651.41FDA9FD (01:22:25.257 UTC Fri Mar 1 2002)
filtdelay =    48.02  -23.70  -15.69   -7.66    3.92   36.35   -7.74   13.06
filtoffset =    3.21   11.19   -0.77  -12.71  -18.61    9.48   -3.94   -4.76
filterror =     0.53    1.51    2.49    3.46    4.44    5.42    6.39    7.37

204.12.1.254 configured, insane, invalid, stratum 4
ref ID 127.127.7.1, time C0295429.A2C06A68 (01:13:13.635 UTC Fri Mar 1 2002)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.03, reach 0, sync dist 28.458
delay 7.81 msec, offset 23.7948 msec, dispersion 16000.00
precision 2**18, version 3
org time 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
rcv time 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
xmt time 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
filtdelay =     0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00
filtoffset =    0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00
filterror =  16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0

Rack1SW1#


Rack1R5#sh ntp asso

      address         ref clock     st  when  poll reach  delay  offset    disp
+~127.127.7.1      127.127.7.1       4    51    64  377     0.0    0.00     0.0
+~148.1.57.7       204.12.1.254      5    42    64  376    -7.7   -3.21    12.8
*~204.12.1.254     127.127.7.1       4   473    64  200     8.1   12.07  16000.
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured

Rack1R5#sh ntp asso

      address         ref clock     st  when  poll reach  delay  offset    disp
*~127.127.7.1      127.127.7.1       4    58    64  377     0.0    0.00     0.0
+~148.1.57.7       204.12.1.254      5    49    64  376    -7.7   -3.21    17.2
 ~204.12.1.254     127.127.7.1       4   544    64    0     8.1   12.07  16000.
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
Rack1R5#

Rack1R5#sh ntp asso de
127.127.7.1 configured, our_master, sane, valid, stratum 4
ref ID 127.127.7.1, time C0295688.3788A45C (01:23:20.216 UTC Fri Mar 1 2002)
our mode active, peer mode passive, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.00, reach 377, sync dist 0.153
delay 0.00 msec, offset 0.0000 msec, dispersion 0.02
precision 2**18, version 3
org time C0295688.3788A45C (01:23:20.216 UTC Fri Mar 1 2002)
rcv time C0295688.3788A45C (01:23:20.216 UTC Fri Mar 1 2002)
xmt time C0295688.37888866 (01:23:20.216 UTC Fri Mar 1 2002)
filtdelay =     0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00
filtoffset =    0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00
filterror =     0.02    0.99    1.97    2.94    3.92    4.90    5.87    6.85
Reference clock status:  Running normally
Timecode:

148.1.57.7 configured, insane, invalid, stratum 6
ref ID 148.1.57.5, time C0295673.3CDCCCD6 (01:22:59.237 UTC Fri Mar 1 2002)
our mode active, peer mode passive, our poll intvl 128, peer poll intvl 64
root delay 31.83 msec, root disp 54.37, reach 376, sync dist 92.239
delay -7.74 msec, offset -3.2092 msec, dispersion 18.10
precision 2**18, version 3
org time C0295691.4247359D (01:23:29.258 UTC Fri Mar 1 2002)
rcv time C0295691.43D97305 (01:23:29.265 UTC Fri Mar 1 2002)
xmt time C02956B3.378F304B (01:24:03.217 UTC Fri Mar 1 2002)
filtdelay =    26.93    4.20   -7.74    0.27    4.03   -7.95   27.73    3.49
filtoffset =    7.33  -25.12   -3.21    8.74   18.56   12.67  -13.79    9.54
filterror =     0.47    1.45    2.43    3.40    4.38    5.36    6.33    7.31

204.12.1.254 configured, insane, invalid, stratum 4
ref ID 127.127.7.1, time C0295429.A2C06A68 (01:13:13.635 UTC Fri Mar 1 2002)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.03, reach 0, sync dist 19.257
delay 8.13 msec, offset 12.0710 msec, dispersion 16000.00
precision 2**18, version 3
org time 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
rcv time 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
xmt time C02956A2.37885700 (01:23:46.216 UTC Fri Mar 1 2002)
filtdelay =     0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00
filtoffset =    0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00
filterror =  16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0

Rack1R5#
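Reading the tables above by hand gets tedious, so the following Python, added here and not part of the original post, parses `show ntp associations` output and applies the three rules the post relies on: a source with reach 0 is unusable, a peer whose reference ID is our own address is a loop, and a peer whose stratum is not below ours (R5 advertises stratum 5 because of `ntp master 5`) is rejected. The sample table is copied from the Rack1R5 output; the rules are a model of the observed behaviour, not the IOS selection algorithm.

```python
import re
from dataclasses import dataclass
# Added helper (not from the post) that reads IOS "show ntp associations"
# output and explains which sources are usable. The three rules below (reach,
# loop, stratum) model the behaviour seen above, not the IOS selection code.
@dataclass
class Assoc:
    flags: str       # the two status columns, e.g. "*~", "+ ", " ~"
    address: str
    ref_clock: str
    stratum: int
    reach: int       # IOS prints the 8-bit reach register in octal

def parse_associations(text: str) -> list:
    rows = []
    for line in text.splitlines():
        fields = line[2:].split()           # drop the two flag columns first
        if len(fields) < 9 or not re.fullmatch(r"\d+(\.\d+){3}", fields[0]):
            continue                        # header, legend and prompt lines
        rows.append(Assoc(line[:2], fields[0], fields[1],
                          int(fields[2]), int(fields[5], 8)))
    return rows

def judge_sources(assocs, my_address, my_stratum=None):
    """Map each association to 'eligible' or the reason it is unusable.
    my_stratum is what we advertise ("ntp master 5" makes R5 stratum 5);
    None means no local master, so any reachable lower stratum is fine."""
    verdicts = {}
    for a in assocs:
        if a.reach == 0:
            verdicts[a.address] = "unreachable (reach 0)"
        elif a.ref_clock == my_address:
            verdicts[a.address] = "loop: peer is synced to us"
        elif my_stratum is not None and a.stratum >= my_stratum:
            verdicts[a.address] = f"stratum {a.stratum} not below ours ({my_stratum})"
        else:
            verdicts[a.address] = "eligible"
    return verdicts

def best_source(assocs, my_address, my_stratum=None):
    verdicts = judge_sources(assocs, my_address, my_stratum)
    ok = [a for a in assocs if verdicts[a.address] == "eligible"]
    return min(ok, key=lambda a: a.stratum).address if ok else None
# Sample taken from the Rack1R5 output in this post, after BB3 became unreachable.
R5_OUTPUT = """\
*~127.127.7.1      127.127.7.1       4    58    64  377     0.0    0.00     0.0
+~148.1.57.7       204.12.1.254      5    49    64  376    -7.7   -3.21    17.2
 ~204.12.1.254     127.127.7.1       4   544    64    0     8.1   12.07  16000.
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured"""
```

Run against SW1's table (no `ntp master`, so pass `my_stratum=None`) the same code explains why SW1 moved its `*` from BB3 to R5.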

Remote Shell Command

R1 (remote shell commander)
ip rcmd remote-username RCP
ip rcmd source-interface Loopback0

R3 (remote shell target)
ip rcmd rcp-enable
ip rcmd rsh-enable
ip rcmd remote-host Rack1R3 150.1.1.1 Rack1R1 enable
ip rcmd remote-host RCP 150.1.1.1 Rack1R1 enable

Verification from commander R1

Rack1R1#deb ip tcp rcmd
RCMD transactions debugging is on

Rack1R1#rsh 150.1.3.3 /user Rack1R3 sh run int se0/0

Line has invalid autocommand "sh run int se0/0"

Rack1R1#
*Mar  1 02:21:19.783: RCMD: [1023 -> 150.1.3.3:514] send \0
*Mar  1 02:21:19.783: RCMD: [1023 -> 150.1.3.3:514] send Rack1R1\0
*Mar  1 02:21:19.783: RCMD: [1023 -> 150.1.3.3:514] send Rack1R3\0
*Mar  1 02:21:19.783: RCMD: [1023 -> 150.1.3.3:514] send sh run int se0/0\0
*Mar  1 02:21:19.791: RCMD: [1023 <- 150.1.3.3:514] recv

Rack1R1#rsh 150.1.3.3 /user Rack1R3 sh run int se1/1

Building configuration...

Current configuration : 76 bytes
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
end

Rack1R3#deb ip tcp rcmd
RCMD transactions debugging is on
Rack1R3#      
*Mar  1 02:21:14.039: RCMD: [514 <- 150.1.1.1:1023] recv \0
*Mar  1 02:21:14.039: RCMD: [514 <- 150.1.1.1:1023] recv Rack1R1\0Rack1R3\0sh run int se0/0\0
*Mar  1 02:21:14.039: RCMD: [514 -> 150.1.1.1:1023] send
Rack1R3#
*Mar  1 02:21:21.607: RCMD: [514 <- 150.1.1.1:1016] recv \0
*Mar  1 02:21:21.611: RCMD: [514 <- 150.1.1.1:1016] recv Rack1R1\0Rack1R3\0sh run int se1/1\0
*Mar  1 02:21:21.611: RCMD: [514 -> 150.1.1.1:1016] send
Rack1R3#
Rack1R3#srs ip rcmd
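As an added example (not from the post), the Python below reconstructs the rsh request from R3's `debug ip tcp rcmd` lines and checks it against the `ip rcmd remote-host` table the way the configuration above implies: a match on the source address plus the two usernames carried in the request grants access, and the `enable` keyword gives privileged mode. The matching is a model of that trust rule, not IOS code, and it handles IP-literal entries only.

```python
import re
from dataclasses import dataclass
# Added example (not from the post): rebuild the rsh request from R3's
# "debug ip tcp rcmd" lines and check it against its "ip rcmd remote-host"
# table. The match models the IOS trust rule (source IP plus client-asserted
# usernames); it is not IOS code and handles IP-literal entries only.

RECV_RE = re.compile(r"RCMD: \[514 <- (?P<ip>[\d.]+):\d+\] recv (?P<data>.*)$")

@dataclass(frozen=True)
class RshRequest:
    client_ip: str
    client_user: str   # asserted by the client, never proven
    server_user: str   # local account named with "/user" on the commander
    command: str

def request_from_debug(debug_text: str) -> RshRequest:
    """Four NUL-terminated fields: stderr port (empty), client user, server user, command."""
    ip, data = None, ""
    for line in debug_text.splitlines():
        m = RECV_RE.search(line)
        if m:                               # IOS prints each NUL as the text '\0'
            ip, data = m.group("ip"), data + m.group("data")
    fields = data.split("\\0")              # trailing "" comes from the final NUL
    if ip is None or len(fields) != 5 or fields[-1] != "":
        raise ValueError("incomplete rsh transaction in debug output")
    _stderr_port, client_user, server_user, command = fields[:4]
    return RshRequest(ip, client_user, server_user, command)

def parse_remote_host(config_text: str):
    """ip rcmd remote-host <local-user> <ip> <remote-user> [enable]"""
    table = []
    for line in config_text.splitlines():
        p = line.split()
        if p[:3] == ["ip", "rcmd", "remote-host"] and len(p) >= 6:
            table.append((p[3], p[4], p[5], p[6:] == ["enable"]))
    return table

def authorize(req: RshRequest, table):
    """'enable', 'user' or None: only the source IP and two cleartext usernames are compared."""
    for local_user, host, remote_user, enable in table:
        if (local_user, host, remote_user) == (req.server_user, req.client_ip, req.client_user):
            return "enable" if enable else "user"
    return None

# Sample lines taken from the R3 debug and configuration in this post.
R3_DEBUG = r"""*Mar  1 02:21:21.607: RCMD: [514 <- 150.1.1.1:1016] recv \0
*Mar  1 02:21:21.611: RCMD: [514 <- 150.1.1.1:1016] recv Rack1R1\0Rack1R3\0sh run int se1/1\0"""
R3_CONFIG = """ip rcmd remote-host Rack1R3 150.1.1.1 Rack1R1 enable
ip rcmd remote-host RCP 150.1.1.1 Rack1R1 enable"""
```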

Sunday, May 01, 2011

Lock-and-Key Security for Dynamic Access Lists

Lock-and-Key configuration

Points
 - create a dynamic ACL for the required traffic (Telnet or web access) using an extended ACL
 - create a username with the "autocommand access-enable timeout 5" command
 - add entries that need to be permitted for management, routing protocols, etc., or just permit "ip any any" at the bottom of the ACL

Reference
Cisco IOS Security Configuration Guide: Securing the Data Plane

Control Plane Protections

3 types of sub-interfaces

1) Control-plane host sub-interface

2) Control-plane transit sub-interface

3) Control-plane cef-exception sub-interface


1) Control-plane host sub-interface

Traffic directly destined for one of the router's interfaces.
Examples:
  • tunnel termination traffic
  • management protocols (SSH, SNMP, etc.)
  • routing protocols (BGP, OSPF, EIGRP, etc.)
* Non-IP Layer 2 protocols (ARP, CDP, etc.) are classified into the CEF-exception sub-interface.

** The port-filter feature policy can be applied only to the control-plane host sub-interface.

2) Control-plane transit sub-interface

Traffic software-switched by the Route Processor (RP) that is not destined to the router itself but is transiting through it.

3) Control-plane CEF-exception sub-interface

This control-plane subinterface receives all traffic that is either redirected as a result of a configured input feature in the CEF packet forwarding path for process switching or directly enqueued in the control plane input queue by the interface driver (i.e. ARP, L2 Keepalives and all non-IP host traffic). Control Plane Protection allows specific aggregate policing of this type of control plane traffic.