<p><strong>Network and Software</strong>, a blog by zoro</p><p><strong>Ubuntu: Basic Mail Server Configuration</strong> (posted 2011-02-27)</p><style type="text/css">.style1 {font-family: "Courier New", Courier, monospace} .style2 {font-family: "Times New Roman", Times, serif}</style><p>We will install and configure a mail server on Ubuntu. We will use Postfix as the SMTP server and Dovecot as the IMAP/POP3 server, and Thunderbird as the client for testing. Before you can install a mail server, you need a running DNS server with an MX record for your domain. Refer to this <a href="http://netnsoft.blogspot.com/2011/02/ubuntu-dns-server.html">post</a> on how to configure a DNS server.</p><p>First, download and install Postfix with the command</p><p align="center" class="style1">sudo apt-get install postfix</p><span id="fullpost"><p>When the installation is done, you will be asked several questions; answer them with the following:</p><ul><li>Internet Site</li><li>mail1.example.com (change this to the mail server name and domain name you want)</li><li>administrator (change this to the administrator username)</li><li>mail.example.com, example.com, localhost.example.com, localhost (you can leave it as default or change it to suit your mail server and domain name)</li><li>No</li><li>127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.0.0/24 (you can leave it as default)</li><li>0</li><li>+</li><li>all</li></ul><p>Now, change the mailbox format to Maildir with the commands</p><p align="center" class="style1">sudo postconf -e 'home_mailbox = Maildir/'<br />sudo postconf -e 'mailbox_command ='</p><br 
/><p>The Maildir format stores each mail as a file under /home/username/Maildir. Now, verify the Postfix installation with the commands (change example.com to your mail server name or any other name; it is only used for testing)</p><p align="center" class="style1">telnet localhost 25<br />ehlo example.com</p><p>If you are connected and get responses, Postfix is running. Before we test sending an email, let's install Dovecot as the IMAP/POP3 server. Get and install Dovecot with the following command</p><p align="center" class="style1">sudo apt-get install dovecot-imapd dovecot-pop3d</p><p>Now, some configuration changes need to be made to /etc/dovecot/dovecot.conf. Open the file in your favourite text editor. First, we will set the protocols supported by Dovecot: search for the <em>protocols</em> entry and change the value to the protocols you prefer.</p><blockquote class="style1">protocols = pop3 pop3s imap imaps</blockquote><p>Configure Dovecot to use the Maildir format: search for the mail_location entry (it is commented out by default) and set it to the following</p><blockquote class="style1">mail_location = maildir:~/Maildir</blockquote><p>To allow login from remote machines, search for the <em>listen</em> parameter and set it to</p><blockquote class="style1">listen = *</blockquote><p>For Thunderbird-specific configuration, search for the IMAP section "<em>protocol imap {</em>", then find the "<em>imap_client_workarounds</em>" parameter before the closing bracket and change it to</p><blockquote class="style1">imap_client_workarounds = tb-extra-mailbox-sep</blockquote><p>Then, add the Maildir skeleton directory to /etc/skel so that the Maildir directory structure is created automatically for newly created users. 
Run the following commands</p><blockquote class="style1">sudo maildirmake.dovecot /etc/skel/Maildir<br />sudo maildirmake.dovecot /etc/skel/Maildir/.Drafts<br />sudo maildirmake.dovecot /etc/skel/Maildir/.Sent<br />sudo maildirmake.dovecot /etc/skel/Maildir/.Trash<br />sudo maildirmake.dovecot /etc/skel/Maildir/.Templates</blockquote><p>Now, restart Dovecot and test that it is running with the following commands</p><p align="center" class="style1">sudo /etc/init.d/dovecot start<br />telnet localhost pop3<br />telnet localhost imap2</p><p>If Dovecot is running correctly, you should get a response when connecting to the POP3 and IMAP ports. Next, try to connect to the mail server with a client. We will use Thunderbird; if you haven't installed Thunderbird, get and install it. I believe it is not hard to find. Before configuring Thunderbird, let's add a local user named <em>"joe"</em> on the mail server for testing with the commands</p><p align="center" class="style1">sudo useradd -m -s /bin/bash joe<br />sudo passwd joe</p><p>Now, let's configure Thunderbird so that joe can check his mail on the mail server. Once you've installed Thunderbird on the client, run it, then click File > New > Mail Account. 
A dialog box will appear to configure a new mail account; fill in your name, email address and password (the password is whatever you set for joe) to match joe's account</p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvxR7DMa0eOTzOU3UyQhLoLojqEK9KEHuwAWp0oipuUoFOLtbYgUSMp4k0G_ZLUOVQulm-e7gOajCpS2bPXyy_C9YxasyXjAErlI-XTjOarFh_pQzm2DxFxp8x1KUpzL8NvHeWrg0jCxw/s1600/thunderbird1.JPG"><img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvxR7DMa0eOTzOU3UyQhLoLojqEK9KEHuwAWp0oipuUoFOLtbYgUSMp4k0G_ZLUOVQulm-e7gOajCpS2bPXyy_C9YxasyXjAErlI-XTjOarFh_pQzm2DxFxp8x1KUpzL8NvHeWrg0jCxw/s400/thunderbird1.JPG" alt="" /></a><p>Click Continue; Thunderbird will try to resolve the POP3/IMAP server and the SMTP server for the domain. If Thunderbird fails to resolve the mail server, click Manual Configuration. In Server Name, fill in the mail server's hostname or IP address. Choose port 110 for POP3 or 143 for IMAP. Choose <strong>STARTTLS</strong> for Connection security and <strong>Normal Password</strong> for Authentication Method. 
Then click OK</p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrREydRn98-0dTRB5JiOARzDtpE-mkFwYzuIqeM8xgJsfHMr50gx9hx-YpAthtpI0TqJKYSU879csfpo8UjopXN9Fq7OaKyQGQHSRuV2o8rXstZzNSb7mlzPLDP-50fdeN_G8gPlOKGHg/s1600/thunderbird2.JPG"><img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrREydRn98-0dTRB5JiOARzDtpE-mkFwYzuIqeM8xgJsfHMr50gx9hx-YpAthtpI0TqJKYSU879csfpo8UjopXN9Fq7OaKyQGQHSRuV2o8rXstZzNSb7mlzPLDP-50fdeN_G8gPlOKGHg/s400/thunderbird2.JPG" alt="" /></a><p>You will notice that Thunderbird lists your newly created account on the left-hand side. Right-click the account name, in this case "joe@example.com", then click Settings. Make sure the server selected for Outgoing Server (SMTP) is correct; if not, you can add your SMTP server to Thunderbird manually. On the left-hand side of the dialog, the bottom-most entry is Outgoing Server (SMTP). Click Add, then fill in the server name, which is the SMTP hostname or IP address. Choose the connection security and Authentication Method used by your SMTP server; in this example, choose <strong>STARTTLS</strong> and <strong>No Authentication</strong> respectively. Click OK, then go back to the account settings and select the correct SMTP server in the Outgoing Server (SMTP) entry.</p><p>Now, you can add another local user to the mail server for testing, then try to send email from one to the other. You will receive the email in Thunderbird. For further enhancement, you will want to add authentication to Postfix so that spammers cannot use your SMTP server to send email, integrate Dovecot with LDAP for single sign-on, and install and configure SpamAssassin. 
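</p><p>Two of the Postfix settings above decide whether this server is safe to expose: the mynetworks list (hosts in it may relay without authenticating, which is the open-relay problem the last paragraph refers to) and the trailing slash on home_mailbox, which is what actually selects Maildir. The shell script below is an added example and not part of the original post; it checks both against a constructed config fragment (203.0.113.0/24 is a constructed public range, and the function names are mine).</p>

```shell
#!/bin/sh
# Added example, not from the post: sanity checks on the two Postfix settings
# this walkthrough relies on, run against a constructed config fragment so it
# works offline. The output of "postconf -n" has the same "name = value" shape.

# Constructed sample: the walkthrough's defaults plus one bad mynetworks entry
SAMPLE_CONF='home_mailbox = Maildir/
mailbox_command =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.0.0/24 203.0.113.0/24'

# get_param CONF NAME -> value of "NAME = value" (last occurrence wins, as in Postfix)
get_param() {
    printf '%s\n' "$1" | awk -v name="$2" -F' *= *' '$1 == name { val = $2 } END { print val }'
}

# is_trusted_network CIDR -> 0 for loopback or private (RFC 1918 / IPv6 ULA), else 1
is_trusted_network() {
    case "$1" in
        127.*|\[::ffff:127.*|\[::1\]*|\[fc*|\[fd*) return 0 ;;
        10.*|192.168.*)                            return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*)     return 0 ;;
    esac
    return 1
}

# relay_risk CONF -> prints every mynetworks entry that is not loopback/private.
# Clients in mynetworks may relay mail without authentication, so a public range
# here makes the server an open relay for that range.
relay_risk() {
    set -f                                   # no pathname globbing on "[::1]/128"
    for net in $(get_param "$1" mynetworks); do
        is_trusted_network "$net" || printf '%s\n' "$net"
    done
    set +f
}

# mailbox_format CONF -> "maildir" or "mbox". Postfix delivers to Maildir only
# when home_mailbox ends in "/"; "home_mailbox = Maildir" without the slash
# means an mbox file named Maildir in the home directory.
mailbox_format() {
    case "$(get_param "$1" home_mailbox)" in
        */) echo maildir ;;
        *)  echo mbox ;;
    esac
}

# Demo on the constructed config
printf 'mailbox format: %s\n' "$(mailbox_format "$SAMPLE_CONF")"
printf 'untrusted mynetworks entries: %s\n' "$(relay_risk "$SAMPLE_CONF" | tr '\n' ' ')"
```

On a live host, replace SAMPLE_CONF with "$(postconf -n)" to run the same checks against the active configuration.
<p>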
</p></span><p>Posted by zoro.</p><p><strong>Ubuntu: DNS Server</strong> (posted 2011-02-20, updated 2011-02-27)</p><style type="text/css">.style1 {font-family: "Courier New", Courier, monospace}</style><p>We will configure a DNS server on an Ubuntu machine. This server will act as the master DNS for the local domain, which in this example is example.com. First, get bind9 and the utility package with the commands</p><p align="center" class="style1">sudo apt-get install bind9<br />sudo apt-get install dnsutils</p><p>Now, add the "zone" (domain) to /etc/bind/named.conf.local. Use your favourite text editor to edit that file and add the following (you will need super user privilege to edit the file).</p><blockquote><pre>
zone "example.com" {
 type master;
 file "/etc/bind/db.example.com";
};

zone "1.168.192.in-addr.arpa" {
 type master;
 notify no;
 file "/etc/bind/dbreverse.example.com";
};
</pre></blockquote><span id="fullpost"><p>In the above example, two zones are created. The first is the example.com zone. Its host entries are stored in the file /etc/bind/db.example.com, which will be created later. The second zone is 1.168.192.in-addr.arpa, the reverse zone which holds the entries to resolve IP addresses to hostnames. Replace <em>1.168.192</em> with the octets of your private network address in reverse order. If you use the network <span class="style1">192.168.0.0/16</span>, then the zone name must be 168.192.in-addr.arpa. Note that all of the db files are referenced with an absolute path; if a relative path is given, bind9 looks for the file under <em>/var/cache/bind</em>, the directory configured in /etc/bind/named.conf.options. 
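</p><p>Working out the reverse zone name by hand, and later keeping one PTR record per A record in step, is where reverse DNS usually goes wrong. The shell script below is an added example and not part of the original post: it derives the in-addr.arpa name from a network prefix as described above and generates the PTR records for the reverse zone file from a forward zone's A records. The sample zone is constructed from this post's db.example.com values; function names are mine.</p>

```shell
#!/bin/sh
# Added example, not from the post: derive the in-addr.arpa reverse zone name
# from a private network prefix, and generate one PTR record for each A record
# in a forward zone, which is exactly what the reverse zone file must contain.

# reverse_zone_name NETWORK/PREFIX -> zone name for a /8, /16 or /24 network.
# The octets covered by the prefix are written in reverse order, so
# 192.168.1.0/24 becomes 1.168.192.in-addr.arpa.
reverse_zone_name() {
    net=${1%/*}; bits=${1#*/}
    [ "$bits" = "$1" ] && bits=24            # no prefix given: assume a /24
    set -- $(printf '%s' "$net" | tr '.' ' ')
    case "$bits" in
        8)  echo "$1.in-addr.arpa" ;;
        16) echo "$2.$1.in-addr.arpa" ;;
        24) echo "$3.$2.$1.in-addr.arpa" ;;
        *)  echo "unsupported prefix /$bits (octet-aligned zones only)" >&2; return 1 ;;
    esac
}

# ptr_records ZONE_TEXT ORIGIN NETWORK/24 -> PTR lines for the reverse zone.
# Handles "owner IN A address" records as written in this post. Only A records
# inside NETWORK are emitted; relative owner names get ORIGIN and the trailing
# dot appended, absolute names are kept. NS, MX and CNAME records get no PTR.
ptr_records() {
    printf '%s\n' "$1" | awk -v origin="$2" -v net="${3%/*}" '
        BEGIN { sub(/\.0$/, "", net) }              # 192.168.1.0 -> 192.168.1
        /^[ \t]*;/ || NF < 4 { next }               # comments, blanks, SOA fields
        $2 == "IN" && $3 == "A" {
            owner = $1; ip = $4
            if (index(ip, net ".") != 1) next       # outside this reverse zone
            split(ip, o, ".")
            if (owner == "@") fqdn = origin "."
            else if (owner ~ /\.$/) fqdn = owner
            else fqdn = owner "." origin "."
            printf "%s IN PTR %s\n", o[4], fqdn
        }'
}

# Constructed forward zone: the records of db.example.com from this post
FORWARD_ZONE='$TTL 604800
@ IN SOA ns.example.com. root.example.com. (
 2011010101 ; Serial
 604800 ; Refresh
 86400 ; Retry
 2419200 ; Expire
 604800 ) ; Negative Cache TTL
;
@ IN NS ns.example.com.
@ IN MX 10 mail.example.com.
ns IN A 192.168.1.133
mail IN A 192.168.1.140
host1 IN A 192.168.1.1
gateway IN CNAME host1'

echo "zone \"$(reverse_zone_name 192.168.1.0/24)\""
ptr_records "$FORWARD_ZONE" example.com 192.168.1.0/24
```
<p>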
</p><p>Now, create the file db.example.com in /etc/bind and add the following to it.</p><blockquote><pre>
$TTL 604800
@ IN SOA ns.example.com. root.example.com. (
 2011010101 ; Serial
 604800 ; Refresh
 86400 ; Retry
 2419200 ; Expire
 604800 ) ; Negative Cache TTL
;
@ IN NS ns.example.com.
@ IN MX 10 mail.example.com.

ns IN A 192.168.1.133
mail IN A 192.168.1.140
host1 IN A 192.168.1.1
gateway IN CNAME host1
</pre></blockquote><p>In this file, the <em>";"</em> sign marks the start of a comment, and whatever follows it is ignored by the DNS parser. The first line is the TTL value, which tells other DNS servers how long they may cache information queried from this server. The next line is the Start of Authority (SOA) record. The @ symbol is a shortcut for the zone name declared in /etc/bind/named.conf.local, and IN specifies that this DNS resource is of the <em>internet</em> class. We will use this value most often. The SOA record should always be present. The next entry is the hostname of the DNS server that provides DNS service for the domain. You can specify the FQDN of the name server, but remember to always put a dot at the end of it. The next entry is the email address of the person responsible for this zone; remember to always put a dot at the end of the entry if it is an FQDN. The next fields consist of several entries enclosed in a pair of parentheses. Those are</p><ul><li>Serial. This number should be incremented every time the file is changed. Most people use the <em>yyyymmddnn</em> format, with <em>nn</em> as the sequence number, giving you 00-99 for a day.</li><li>Refresh Interval. The value in seconds after which a slave DNS server will update its zone and reverse zone information from the master.</li><li>Retry. 
This is the time, in seconds, after which a slave DNS server that failed to contact the master to update its zone and reverse zone information should retry. This value should be much smaller than the Refresh value.</li><li>Expiration. The amount of time after which the information on a slave DNS server is considered expired. If a slave DNS server fails to update its zone and reverse zone information and this amount of time has elapsed, it stops responding to queries about this domain.</li><li>Negative Cache TTL. The amount of time that a negative response, such as a nonexistent domain response, will be cached by the DNS server.</li></ul><p>The next part of the file contains the entries that map hostnames to IP addresses. As can be seen, there are name server, mail, host and alias entries. The name server record, marked with NS, specifies the name of the name server in this zone. The MX record, which is the mail server record, looks the same as the <strong>NS</strong> record except that it uses <strong>MX</strong> and has a preference number, in this case 10, specifying which mail server is preferred in the domain. Both of these records point to a hostname, so we need to specify the IP address of those hostnames, which is done with the <strong>A</strong> record. The <strong>CNAME</strong> record specifies an alias; in this example gateway is an alias for host1, so both resolve to the same address. You can modify the values of these entries based on your requirements.</p><p>Next, create the reverse zone file. Create /etc/bind/dbreverse.example.com and fill it with the following.</p><blockquote><pre>
$TTL 604800
@ IN SOA ns.example.com. root.example.com. 
(
 2011010101 ; Serial
 604800 ; Refresh
 86400 ; Retry
 2419200 ; Expire
 604800 ) ; Negative Cache TTL
;
@ IN NS ns.example.com.
133 IN PTR ns.example.com.
140 IN PTR mail.example.com.
1 IN PTR host1.example.com.
</pre></blockquote><p>Basically, in the reverse zone file you have to create a PTR record for each A record in the zone file. Now restart bind9 with the command</p><p align="center" class="style1">sudo /etc/init.d/bind9 restart</p><p>Next, add an entry for your newly configured name server to /etc/resolv.conf. Add the following line at the beginning of the file</p><p align="center" class="style1">nameserver 192.168.1.133</p><p>Change 192.168.1.133 to whatever your DNS server's IP address is. Then, you can verify your configuration with the <span class="style1">dig</span> command. Try the following command,</p><p align="center" class="style1">dig ns.example.com</p><p>If your configuration is working, it should give output similar to this</p><blockquote><pre>
; <<>> DiG 9.7.0-P1 <<>> ns.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47515
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;ns.example.com. IN A

;; ANSWER SECTION:
ns.example.com. 604800 IN A 192.168.1.133

;; AUTHORITY SECTION:
example.com. 
604800 IN NS ns.example.com.

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Oct 2 21:21:32 2010
;; MSG SIZE rcvd: 62
</pre></blockquote></span><p>Posted by zoro.</p><p><strong>Ubuntu: OpenLDAP</strong> (posted 2011-02-15, updated 2011-02-18)</p><style type="text/css">.style1 {font-family: "Courier New", Courier, monospace} .style2 {font-family: "Courier New", Courier, monospace; font-size: 12px; }</style><p>We will install OpenLDAP on Ubuntu Server. Here, I use Ubuntu Server 10.04. After that we will use OpenLDAP for authentication. First, download and install OpenLDAP using apt-get.</p><p align="center" class="style1">sudo apt-get install slapd ldap-utils</p><p>Next, load some schemas into LDAP (LDAP schemas give structure/attributes to LDAP classes; the following schemas will be used for adding users later)</p><p class="style1">sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif<br />sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif<br />sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif</p><span id="fullpost"><p>Then, load the backend configuration into LDAP. 
Copy the following configuration to a file named backend.ldif</p><blockquote><p class="style2"># Load dynamic backend modules<br />dn: cn=module,cn=config<br />objectClass: olcModuleList<br />cn: module<br />olcModulepath: /usr/lib/ldap<br />olcModuleload: back_hdb</p><p class="style2"># Database settings<br />dn: olcDatabase=hdb,cn=config<br />objectClass: olcDatabaseConfig<br />objectClass: olcHdbConfig<br />olcDatabase: {1}hdb<br />olcSuffix: dc=example,dc=com<br />olcDbDirectory: /var/lib/ldap<br />olcRootDN: cn=admin,dc=example,dc=com<br />olcRootPW: adminpw<br />olcDbConfig: set_cachesize 0 2097152 0<br />olcDbConfig: set_lk_max_objects 1500<br />olcDbConfig: set_lk_max_locks 1500<br />olcDbConfig: set_lk_max_lockers 1500<br />olcDbIndex: objectClass eq<br />olcLastMod: TRUE<br />olcDbCheckpoint: 512 30<br />olcAccess: to attrs=userPassword by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none<br />olcAccess: to attrs=shadowLastChange by self write by * read<br />olcAccess: to dn.base="" by * read<br />olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by * read</p></blockquote><p>Take a look at the olcSuffix, olcRootDN and olcRootPW entries. The olcSuffix is the domain name; here we use example.com. The olcRootDN is the DN that has administrator privilege, and olcRootPW is the password for that root admin. You may want to change those values to meet your requirements. If everything is fine, load the configuration into LDAP with the command</p><p align="center" class="style1">sudo ldapadd -Y EXTERNAL -H ldapi:/// -f backend.ldif</p><p>Next, fill the frontend directory in LDAP. This is where we create our organization tree: the domain, ou, user, group, etc. 
Copy the following to a file named frontend.ldif</p><blockquote><p class="style2"># Create top-level object in domain<br />dn: dc=example,dc=com<br />objectClass: top<br />objectClass: dcObject<br />objectclass: organization<br />o: Example Organization<br />dc: Example<br />description: LDAP Example</p><p class="style2"># Admin user.<br />dn: cn=admin,dc=example,dc=com<br />objectClass: simpleSecurityObject<br />objectClass: organizationalRole<br />cn: admin<br />description: LDAP administrator<br />userPassword: secret</p><p class="style2">dn: ou=people,dc=example,dc=com<br />objectClass: organizationalUnit<br />ou: people</p><p class="style2">dn: ou=groups,dc=example,dc=com<br />objectClass: organizationalUnit<br />ou: groups</p><p class="style2">dn: uid=john,ou=people,dc=example,dc=com<br />objectClass: inetOrgPerson<br />objectClass: posixAccount<br />objectClass: shadowAccount<br />uid: john<br />sn: Doe<br />givenName: John<br />cn: John Doe<br />displayName: John Doe<br />uidNumber: 1000<br />gidNumber: 10000<br />userPassword: password<br />gecos: John Doe<br />loginShell: /bin/bash<br />homeDirectory: /home/john<br />shadowExpire: -1<br />shadowFlag: 0<br />shadowWarning: 7<br />shadowMin: 8<br />shadowMax: 999999<br />shadowLastChange: 10877<br />mail: john.doe@example.com<br />postalCode: 31000<br />l: Toulouse<br />o: Example<br />mobile: +33 (0)6 xx xx xx xx<br />homePhone: +33 (0)5 xx xx xx xx<br />title: System Administrator<br />postalAddress: <br />initials: JD</p><p class="style2">dn: cn=example,ou=groups,dc=example,dc=com<br />objectClass: posixGroup<br />cn: example<br />gidNumber: 10000</p></blockquote><p>In the example above, we create a user with uid john under the people ou; the uid and userPassword attributes will be used for authentication later. A group named example is also created under the groups ou, and john is a member of that group. 
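</p><p>Before loading frontend.ldif, two things are worth checking: that no uidNumber collides with a local account in /etc/passwd (the egrep check described next, done more precisely by comparing only the uid field), and that userPassword values are hashes rather than the clear text used in the file above. The shell script below is an added example and not part of the original post; it runs on constructed LDIF and passwd data, and the function names are mine.</p>

```shell
#!/bin/sh
# Added example, not from the post: pre-flight checks on frontend.ldif before
# it is loaded with ldapadd. Runs offline on constructed data; on a real host
# pass "$(cat frontend.ldif)" and "$(cat /etc/passwd)" instead.

# Constructed LDIF: john from this post (only the attributes the checks need)
# plus a second user whose password is already a {SSHA} hash (placeholder value)
SAMPLE_LDIF='dn: uid=john,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: john
uidNumber: 1000
gidNumber: 10000
userPassword: password

dn: uid=alice,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: alice
uidNumber: 1001
gidNumber: 10000
userPassword: {SSHA}CONSTRUCTED-HASH-PLACEHOLDER'

# Constructed /etc/passwd: on Ubuntu the first local user gets uid 1000
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
joe:x:1000:1000:Joe,,,:/home/joe:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh'

# uid_collisions LDIF PASSWD -> "<uid> <uidNumber> <local user>" for each LDAP
# user whose uidNumber is already taken. Comparing passwd field 3 exactly avoids
# the false hits of egrep ":1000:", which also matches the gid field.
uid_collisions() {
    { printf '%s\n' "$2"; echo '--LDIF--'; printf '%s\n' "$1"; } | awk -F: '
        $0 == "--LDIF--" { in_ldif = 1; next }
        !in_ldif         { local[$3] = $1; next }
        /^$/             { uid = "" }
        /^uid: /         { uid = $2; sub(/^ +/, "", uid) }
        /^uidNumber: /   { n = $2; sub(/^ +/, "", n)
                           if (n in local) print uid, n, local[n] }'
}

# cleartext_passwords LDIF -> dn of each entry whose userPassword is not a
# {SCHEME}hash such as the {SSHA} output of slappasswd. A base64-encoded
# "userPassword::" line is not inspected here.
cleartext_passwords() {
    printf '%s\n' "$1" | awk '
        /^dn: /           { dn = substr($0, 5) }
        /^userPassword: / && substr($2, 1, 1) != "{" { print dn }'
}

echo "uidNumber collisions:"; uid_collisions "$SAMPLE_LDIF" "$SAMPLE_PASSWD"
echo "cleartext userPassword:"; cleartext_passwords "$SAMPLE_LDIF"
```
<p>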
Change the values of the ou and user information to meet your requirements. What should be taken into consideration here is the uidNumber attribute of the user. This uidNumber should be unique; it must not be the same as another user's, not even a local user's. You can check whether a uidNumber has been used by a local user by looking in the "<em>/etc/passwd</em>" file. In the above example, john's uidNumber is 1000. To check whether this uid number has been used by a local user, enter the following command</p><p align="center" class="style1">egrep ":1000:" /etc/passwd</p><p>If there is any output, then it has been used. If everything has been set, load the frontend directory into OpenLDAP with the following command</p><p align="center" class="style1">sudo ldapadd -x -D cn=admin,dc=example,dc=com -W -f frontend.ldif</p><p>We have finished populating the LDAP directory; next we will configure the system to use LDAP users for authentication.</p><p><strong>LDAP Authentication</strong></p><p>To configure LDAP for authentication, first we need to install the libnss-ldap package.</p><p align="center" class="style1">sudo apt-get install libnss-ldap</p><p>After finishing the installation, you will be asked several questions. Assuming that you use example.com as your domain, enter the following answer for each question</p><ul><li>ldapi:///example.com</li><li>dc=example,dc=com</li><li>3</li><li>No</li><li>No</li></ul><p>Then, enable the auth-client-config LDAP profile</p><p align="center" class="style1">sudo auth-client-config -t nss -p lac_ldap</p><p>Now, enable PAM for LDAP with the command</p><p align="center" class="style1">sudo pam-auth-update</p><p>Choose LDAP and any other authentication mechanism if needed. Now, you should be able to log in using your OpenLDAP user, in this example john. But something still has to be done. 
If we recall the user entry in the frontend.ldif file, we specified john's home directory as "<em>/home/john</em>", but this directory does not exist yet (unless you have created it before). The problem is that, since we are adding users from LDAP, the user's home directory is not created automatically. This is different from adding a local user with the "<em>useradd -m</em>" command.</p><p><strong>Creating User's Home Directory</strong></p><p>Using your favourite text editor, edit the file "<em>/etc/pam.d/common-session</em>" and add the following entries if they do not exist</p><blockquote><p class="style1">session required pam_unix.so<br />session required pam_mkhomedir.so skel=/etc/skel/<br />session optional pam_ldap.so<br />session optional pam_foreground.so</p></blockquote><p>Now, when you log in with your LDAP user for the first time, the user's home directory will be created.</p></span><p>Posted by zoro.</p><p><strong>Ubuntu: Interface IP Addressing</strong> (posted 2011-01-23)</p><style type="text/css">.style1 {font-family: "Courier New", Courier, monospace}</style><p>Interface addressing covers how to change the IP address of an interface, the default gateway and also the DNS address. You can make temporary or permanent changes. To temporarily change the IP address of an interface, use the following command</p><p align="center" class="style1">sudo ifconfig eth0 A.B.C.D netmask X.X.X.X</p><p>A.B.C.D: the new IP address<br />X.X.X.X: the netmask of the IP address</p><p>The example above changes the IP address and netmask of the eth0 interface. Change eth0 in the command above to another interface as needed. 
Verify the change with the command "<em>sudo ifconfig eth0</em>". If you change the IP address of an interface, chances are you also want to configure the default gateway. To do that, use the command</p><p align="center" class="style1">sudo route add default gw X.X.X.X eth0</p><p>X.X.X.X: the IP address of the default gateway</p><span id="fullpost"><p>Verify that configuration with the command "route". The output should display a route to your default gateway.</p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCmEaPhvPxcjEpsWNo_vehThCc86Yt5q9JbrU18dWnnFogC0kdOYYVuB98_PWEQGQhYALBi9QF8JhwTSUIit0Wdg02mZPiUJXeyaxTONCr57T2tmJRCx9Lk_M5XNSLlExgP4MwkpJzQhY/s1600/interface.JPG"><img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCmEaPhvPxcjEpsWNo_vehThCc86Yt5q9JbrU18dWnnFogC0kdOYYVuB98_PWEQGQhYALBi9QF8JhwTSUIit0Wdg02mZPiUJXeyaxTONCr57T2tmJRCx9Lk_M5XNSLlExgP4MwkpJzQhY/s400/interface.JPG" alt="" /></a><p>Next, to make permanent changes there is a file that has to be edited. 
The network configuration is kept in "<em>/etc/network/interfaces</em>"; open the file and its contents will look something like this.</p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0Arx62BjHH1FefWD22K0B53-emO6iJULPW-Fv33mVitGHn02Wbdmj-KU5jJC4FvKfTH62NkFbWP-kYNsEkeDLezIRzk2mklHNU2Vgp6TxKVJf2FFKV3EOBXLk1G3T8NeovsM-ZPBtozk/s1600/route.JPG"><img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0Arx62BjHH1FefWD22K0B53-emO6iJULPW-Fv33mVitGHn02Wbdmj-KU5jJC4FvKfTH62NkFbWP-kYNsEkeDLezIRzk2mklHNU2Vgp6TxKVJf2FFKV3EOBXLk1G3T8NeovsM-ZPBtozk/s400/route.JPG" alt="" /></a><p>There are two interfaces in the example above, lo and eth0. In the example, eth0 has been configured to use DHCP. If you want to configure an interface to use DHCP, use the following configuration</p><blockquote><p class="style1">auto eth0<br />iface eth0 inet dhcp</p></blockquote><p>That is what should be entered in the "<em>/etc/network/interfaces</em>" file. After that, you can use the command "sudo ifup eth0" to refresh and initiate the DHCP process. 
But if you want to configure the IP address and default gateway statically, edit the appropriate interface section and add these lines</p><blockquote><p class="style1">auto eth0<br />iface eth0 inet static<br />address 192.168.1.10<br />netmask 255.255.255.0<br />gateway 192.168.1.1</p></blockquote><p>Change the IP addressing to suit your requirements.</p></span><p>Posted by zoro.</p><p><strong>Configuring BGP</strong> (posted 2011-01-16)</p><style type="text/css">.style1 {font-family: "Courier New", Courier, monospace}</style><p>BGP configuration is quite different from that of other routing protocols. There are two kinds of BGP, <strong>IBGP</strong> and <strong>EBGP</strong>. EBGP is BGP configured between routers in different Autonomous Systems (AS); IBGP is BGP configured between routers within the same AS. EBGP behaves differently from IBGP. 
We will see what the other differences are as we configure BGP in the following topology.</p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGhs3tdDTnC0T-dpDIDmIPU9miYdMwi0GcLOX2tPf1-ovgT67OXSvY2Q7-GdhlRF5wx15fyVpwme8B5N7IZmO2ZIFYgFvh6lr7ZLdSFPsO5lON48Ih1zon__-uWFOYgRlm7iue2ouT_Xo/s1600/bgp_configuration.jpg"><img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGhs3tdDTnC0T-dpDIDmIPU9miYdMwi0GcLOX2tPf1-ovgT67OXSvY2Q7-GdhlRF5wx15fyVpwme8B5N7IZmO2ZIFYgFvh6lr7ZLdSFPsO5lON48Ih1zon__-uWFOYgRlm7iue2ouT_Xo/s400/bgp_configuration.jpg" alt="" /></a><span id="fullpost"><p>In BGP we have to specify each neighbor manually, and the network command works differently than in other routing protocols. We will start by configuring every interface and starting BGP on each router. 
</p><p>R1</p><p align="center"><span class="style1">interface FastEthernet1/0<br />ip address 102.102.0.1 255.255.0.0<br />no shutdown<br />interface Serial2/0<br />ip address 14.10.14.1 255.255.255.252<br />no shutdown<br />interface loopback0<br />ip address 1.1.1.1 255.255.255.255<br />router bgp 3500</span></p><p>R2</p><p align="center"><span class="style1">interface FastEthernet1/0<br />ip address 102.102.0.2 255.255.0.0<br />no shutdown<br />interface FastEthernet1/1<br />ip address 203.203.0.1 255.255.0.0<br />no shutdown</span></p><p>R3</p><p align="center"><span class="style1">interface FastEthernet1/0<br />ip address 203.203.0.2 255.255.0.0<br />no shutdown<br />interface Serial2/0<br />ip address 35.10.35.1 255.255.255.252<br />no shutdown<br />interface loopback0<br />ip address 3.3.3.3 255.255.255.255<br />router bgp 3500</span></p><p>R4</p><p align="center"><span class="style1">interface loopback0<br />ip address 12.10.0.1 255.255.0.0<br />no shutdown<br />interface Serial1/0<br />ip address 14.10.14.2 255.255.255.252<br />no shutdown<br />router bgp 2500</span></p><p>R5</p><p align="center"><span class="style1">interface Serial1/0<br />ip address 35.10.35.2 255.255.255.252<br />no shutdown<br />router bgp 4500</span></p><p>At this point, you can run the "<em>show processes</em>" command, or just "<em>show processes | include BGP</em>" (BGP must be in upper case), to see that the BGP process is running. 
You can also use "<em>show processes cpu | include BGP</em>" to see the CPU usage instead of the memory usage.</p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzrIOevakE8M1n5a-tlXydO72q0tMSPn5CBnlEYAv_x0YrDesjBuWoRUvh8_4tAZ5DiLukE_IKiaW7dJEl7F9VRoKLklvQarlfyuVd9s66fkhWo4tDw8Cpgw72JQo5uJeU6BAy-psTETc/s1600/show_proc_cpu.JPG"><img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzrIOevakE8M1n5a-tlXydO72q0tMSPn5CBnlEYAv_x0YrDesjBuWoRUvh8_4tAZ5DiLukE_IKiaW7dJEl7F9VRoKLklvQarlfyuVd9s66fkhWo4tDw8Cpgw72JQo5uJeU6BAy-psTETc/s400/show_proc_cpu.JPG" alt="" /></a><p>Now, all interfaces have been configured and the BGP processes are running. We can now make them BGP neighbors. There are two types of BGP neighbor, IBGP and EBGP. An EBGP neighbor is a neighbor whose AS number differs from the AS number of the configured router. First we will configure EBGP peers between R1-R4 and R3-R5. Neighbors in BGP must be configured manually; here is the configuration (enter it on each BGP router)</p><p>R1</p><p align="center" class="style1">router bgp 3500<br />neighbor 14.10.14.2 remote-as 2500</p><p>R4</p><p align="center" class="style1">router bgp 2500<br />neighbor 14.10.14.1 remote-as 3500</p><p>R3</p><p align="center" class="style1">router bgp 3500<br />neighbor 35.10.35.2 remote-as 4500</p><p>R5</p><p align="center" class="style1">router bgp 4500<br />neighbor 35.10.35.1 remote-as 3500</p><p>At this point, you can verify the BGP neighbor status with "<em>show ip bgp neighbors</em>" or "<em>show bgp summary</em>". 
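</p><p>As an added example that is not part of the original post, the shell script below reads an IOS-style router bgp block and labels each neighbor IBGP or EBGP by comparing its remote-as with the local AS, as defined above, and reports which IBGP peers have an update-source set, since the loopback peering configured later in this post relies on it. The R1 configuration is constructed from this post's values; the function names are mine.</p>

```shell
#!/bin/sh
# Added example, not from the post: classify BGP neighbors from an IOS-style
# "router bgp" block. A neighbor whose remote-as equals the local AS is IBGP,
# otherwise EBGP. For IBGP peers the update-source is reported, because a
# peering between loopbacks (as R1-R3 later in the post) needs it set.

# Constructed R1 config: the EBGP peer R4 from above plus the IBGP peer R3
R1_BGP='router bgp 3500
 neighbor 14.10.14.2 remote-as 2500
 neighbor 3.3.3.3 remote-as 3500
 neighbor 3.3.3.3 update-source loopback 0'

# bgp_neighbors CONFIG -> one line per neighbor:
#   "<ip> <IBGP|EBGP> <remote-as> <update-source or ->"
bgp_neighbors() {
    printf '%s\n' "$1" | awk '
        $1 == "router" && $2 == "bgp" { local_as = $3; next }
        $1 == "neighbor" && $3 == "remote-as" {
            if (!($2 in ras)) order[++n] = $2          # keep first-seen order
            ras[$2] = $4
            kind[$2] = ($4 == local_as) ? "IBGP" : "EBGP"
        }
        $1 == "neighbor" && $3 == "update-source" { src[$2] = $4 $5 }
        END {
            for (i = 1; i <= n; i++) {
                ip = order[i]
                printf "%s %s %s %s\n", ip, kind[ip], ras[ip], (ip in src) ? src[ip] : "-"
            }
        }'
}

# ibgp_warnings CONFIG -> IBGP peers configured without an update-source
ibgp_warnings() {
    bgp_neighbors "$1" | awk '$2 == "IBGP" && $4 == "-" {
        print $1 ": IBGP peer without update-source" }'
}

bgp_neighbors "$R1_BGP"
ibgp_warnings "$R1_BGP"
```
<p>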
Here is an example of running "<em>show bgp summary</em>" on R1:</p><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOUA47NH3ahahRFQZwNTsDyvepafmwaSKy18X6cZQ5IgCoifl66qDg27r4f3kuKWL68-KE4v6DB1tKixg4bw_cAWJwJmSKy89VnA8lFQHSt2gn08J8GQ_Mx2Uqh-BkfA8-CDGBOm27Uhc/s1600/bgp_summary.JPG"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 59px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOUA47NH3ahahRFQZwNTsDyvepafmwaSKy18X6cZQ5IgCoifl66qDg27r4f3kuKWL68-KE4v6DB1tKixg4bw_cAWJwJmSKy89VnA8lFQHSt2gn08J8GQ_Mx2Uqh-BkfA8-CDGBOm27Uhc/s400/bgp_summary.JPG" border="0" alt="show bgp summary output on R1" id="BLOGGER_PHOTO_ID_5562800354757338210" /></a><br /><p align="left">Now we will configure an IBGP peering between R1 and R3. Notice that I created a loopback interface on R1 and R3; instead of using a physical interface for the R1-R3 peering, we will use those loopback interfaces. But we cannot do that before each router knows how to reach the peer's loopback interface. We can do this with a static route or a routing protocol; in this case, we will use OSPF. 
So, let's configure OSPF:</p><br /><p align="left">R1</p><br /><p align="center" class="style1">router ospf 1<br />router-id 1.1.1.1<br />log-adjacency-changes<br />network 1.1.1.1 0.0.0.0 area 0<br />network 102.102.0.0 0.0.255.255 area 0</p><br /><p align="left">R2</p><br /><p align="center" class="style1">router ospf 1<br />router-id 2.2.2.2<br />log-adjacency-changes<br />network 102.102.0.0 0.0.255.255 area 0<br />network 203.203.0.0 0.0.255.255 area 0</p><br /><p align="left">R3</p><br /><p align="center" class="style1">router ospf 1<br />router-id 3.3.3.3<br />log-adjacency-changes<br />network 3.3.3.3 0.0.0.0 area 0<br />network 203.203.0.0 0.0.255.255 area 0</p><br /><p align="left">R1 and R3 should now know the route to each other's loopback interface. We can verify this by issuing the "<em>show ip route</em>" command:</p><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgF51Y9DVfl9VEerVG-YgbT9pt1UW24DCDrwVrTdJXndRdus8Hj_-u_JrGX0BR_QsqM-dA8NyFN4r2JSrCM2K8PLPXgBJEEpkjBspKmQPrTCVw7yO012l5iE491_sVe6Yq3E0dUWr5KF58/s1600/show_ip_route.JPG"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 200px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgF51Y9DVfl9VEerVG-YgbT9pt1UW24DCDrwVrTdJXndRdus8Hj_-u_JrGX0BR_QsqM-dA8NyFN4r2JSrCM2K8PLPXgBJEEpkjBspKmQPrTCVw7yO012l5iE491_sVe6Yq3E0dUWr5KF58/s400/show_ip_route.JPG" border="0" alt="show ip route output" id="BLOGGER_PHOTO_ID_5562800375314252002" /></a><br /><p align="left">Now we can configure the IBGP peering for R1-R3; the configuration is nearly the same as for an EBGP neighbor:</p><br /><p align="left">R1</p><br /><p align="center" class="style1">router bgp 3500<br />neighbor 3.3.3.3 remote-as 3500<br />neighbor 3.3.3.3 update-source loopback 0</p><br /><p align="left">R3</p><br /><p align="center" class="style1">router bgp 3500<br />neighbor 1.1.1.1 remote-as 
3500<br />neighbor 1.1.1.1 update-source loopback 0</p><br /><p>If we use loopback interfaces for BGP neighbors, remember the "<em>update-source</em>" and "<em>ebgp-multihop</em>" commands. Because a loopback interface is not a directly connected interface, we need the "<em>ebgp-multihop</em>" command to make an EBGP neighbor work. For an IBGP peer, the "<em>update-source</em>" command is used instead. </p><br /><p>Now the BGP routers have become neighbors, but no network is exchanged between them yet. We will try to advertise a network that is directly connected to R1 to R3 via BGP. For this purpose, we create another loopback interface on R1:</p><br /><p>R1</p><br /><p align="center" class="style1">interface loopback 1<br />ip address 110.11.11.1 255.255.255.0</p><br /><p align="left">Then we use the BGP network command to advertise this network. In BGP, the network command must match exactly the network address and subnet mask of the route to be advertised. </p><br /><p align="left">R1</p><br /><p align="center" class="style1">router bgp 3500<br />network 110.11.11.0 mask 255.255.255.0</p><br /><p>At this point, the network is advertised not only to R3 but also to R4. 
You can verify that the network is learned by both routers by issuing the command "<em>show bgp</em>".</p><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMuPoFna_oavTNAzYWxenV-XLL57PCoRUbNetAPL-OgEOQmWz67az4SkBVEFIOO7ayYLnsafwASTRBXjmmJMLrMeq3skTj8VeBmP2iblbG5BhedCS0WyEluinbvwn7373_Li-BJtl-jpo/s1600/show_bgp_r4.JPG"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 79px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMuPoFna_oavTNAzYWxenV-XLL57PCoRUbNetAPL-OgEOQmWz67az4SkBVEFIOO7ayYLnsafwASTRBXjmmJMLrMeq3skTj8VeBmP2iblbG5BhedCS0WyEluinbvwn7373_Li-BJtl-jpo/s400/show_bgp_r4.JPG" border="0" alt="show bgp output on R4" id="BLOGGER_PHOTO_ID_5562800358986892274" /></a><br /><p align="left">To avoid advertising this network to R4, we can use a route-map. Here is the configuration on R1:</p><br /><p align="left">R1</p><br /><p align="center" class="style1">access-list 1 deny 110.11.11.0 0.0.0.255<br />access-list 1 permit any<br />route-map filter_r4 permit 10<br />match ip address 1<br />router bgp 3500<br />neighbor 14.10.14.2 route-map filter_r4 out</p><br /><p align="left">The idea is to first create an access-list that denies the route we do not want to advertise, the 110.11.11.0/24 network, and permits everything else. Then we create a route-map that matches the access-list, so the unwanted route is dropped. Finally, we apply the route-map to R4's BGP neighbor statement. The <em>out</em> parameter means we want to filter the networks sent to R4. If nothing changes after applying those commands, clear the BGP sessions on R1 and R4 with the command "<em>clear ip bgp *</em>". </p><br /><p>Next, we will try to advertise network 12.10.0.0/16 from AS 2500 to AS 4500. To achieve this, we must take the BGP synchronization rule into account. 
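</p>
<p>Before moving on to synchronization, here is the route-map filter from the previous step as an added Python model, not the post's own configuration. The BGP table it runs over is constructed: besides the post's 110.11.11.0/24 it holds 110.11.11.128/25, 110.11.0.0/16 and 192.0.2.0/24 only to show what a standard access-list does and does not match, and what happens when the "permit any" line is forgotten.</p>

```python
import ipaddress
from dataclasses import dataclass

# Added model (not the post's configuration) of the outbound policy R1 applies towards
# R4: access-list 1 feeds route-map filter_r4, attached with
# "neighbor 14.10.14.2 route-map filter_r4 out".

@dataclass(frozen=True)
class AclEntry:
    action: str                 # "permit" or "deny"
    address: str                # network address, or "any"
    wildcard: str = "0.0.0.0"   # IOS wildcard mask: 1 bits are "don't care"

def acl_matches(entry, prefix):
    """Standard-ACL test as used by 'match ip address': only the network address is
    compared under the wildcard; the prefix length plays no part."""
    if entry.address == "any":
        return True
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(entry.wildcard))
    want = int(ipaddress.IPv4Address(entry.address)) & care
    return (int(prefix.network_address) & care) == want

def acl_action(acl, prefix):
    for entry in acl:
        if acl_matches(entry, prefix):
            return entry.action
    return "deny"               # every IOS access list ends with an implicit deny

def route_map_permits(route_map, prefix):
    """route_map: ordered (action, acl) sequences. A sequence matches when its ACL
    permits the prefix; the first match decides, and no match at all means the
    route-map's own implicit deny."""
    for action, acl in route_map:
        if acl_action(acl, prefix) == "permit":
            return action == "permit"
    return False

def advertised(bgp_table, route_map):
    """Prefixes from the local BGP table that survive an outbound route-map."""
    return [p for p in bgp_table if route_map_permits(route_map, ipaddress.IPv4Network(p))]

# The post's access-list 1 and route-map filter_r4 (sequence 10, match ip address 1).
ACL_1 = [AclEntry("deny", "110.11.11.0", "0.0.0.255"), AclEntry("permit", "any")]
FILTER_R4 = [("permit", ACL_1)]

# The same list with "access-list 1 permit any" forgotten: nothing reaches R4 at all.
FILTER_R4_NO_PERMIT = [("permit", [AclEntry("deny", "110.11.11.0", "0.0.0.255")])]

# Constructed BGP table for R1: the post's prefix plus three that are not in the post;
# the two 110.11.x entries show the ACL ignoring prefix length, 192.0.2.0/24 is unrelated.
R1_BGP_TABLE = ["110.11.11.0/24", "110.11.11.128/25", "110.11.0.0/16", "192.0.2.0/24"]

if __name__ == "__main__":
    print("sent to R4:", advertised(R1_BGP_TABLE, FILTER_R4))
    print("sent to R4 without 'permit any':", advertised(R1_BGP_TABLE, FILTER_R4_NO_PERMIT))
```

The 110.11.11.128/25 row is suppressed along with the /24 because the access-list never looks at the mask; an ip prefix-list, which matches on prefix length as well as address, is the usual tool when that distinction matters.
<p>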
First, we enter the network command on R4.</p><br /><p>R4</p><br /><p align="center" class="style1">router bgp 2500<br />network 12.10.0.0 mask 255.255.0.0</p><br /><p>At this point, the network should have been advertised to R1 and R3. But on R3, the route will not be installed in the routing table, and the network will not be advertised to R5 because of the synchronization rule. First we will get the route installed on R3. If we issue the command "<em>show bgp</em>" on R3, there is no best mark for network 12.10.0.0/16. </p><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRIdWl9-hwAkNdALna5jnCzd6pw35P0pw-ozlGEyvxgGJDYPKN95FEyUR84k5nokGlVDZAExFA6r4UztI1AQVZELJlhk9UNNFpdzg8ed0JxdFOqZ36Kyae5o7_ZT5ZpGXlhXskRLXajGw/s1600/show_bgp_r3.JPG"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 89px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRIdWl9-hwAkNdALna5jnCzd6pw35P0pw-ozlGEyvxgGJDYPKN95FEyUR84k5nokGlVDZAExFA6r4UztI1AQVZELJlhk9UNNFpdzg8ed0JxdFOqZ36Kyae5o7_ZT5ZpGXlhXskRLXajGw/s400/show_bgp_r3.JPG" border="0" alt="show bgp output on R3" id="BLOGGER_PHOTO_ID_5562800360415663842" /></a><br /><p>This is because the next hop address still points to the address of R4's Serial1/0 interface. In BGP, for a route to be chosen as the best route, the receiving router must know how to reach the next hop address. And by nature, a route learned via EBGP does not have its next hop address changed when it is advertised to an IBGP peer. To solve this, we add the "<em>next-hop-self</em>" command on R1:</p><br /><p>R1</p><br /><p align="center" class="style1">router bgp 3500<br />neighbor 3.3.3.3 next-hop-self</p><br /><p>Now the route should be chosen as the best route on R3. Next, we will make the 12.10.0.0/16 network be advertised to R5. 
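</p>
<p>The rules at work in this step, as an added Python model rather than the post's configuration: a path is best only when its next hop resolves in the routing table, IBGP leaves the next hop alone unless next-hop-self is set, synchronization holds an IBGP-learned route back from EBGP peers until the IGP carries it, and IBGP split-horizon (covered in the Border Gateway Protocol Concepts post further down) never re-sends an IBGP-learned route to another IBGP peer. It also runs the redistribution step that follows; the addresses are the post's, while R2's BGP sessions and a loopback 2.2.2.2 on R2 are assumed for the split-horizon case.</p>

```python
import ipaddress
from dataclasses import dataclass, field

# Added model (not the post's configuration) of the BGP rules at work in the post, on its
# topology: R4 (AS 2500) - R1 (AS 3500) - R3 (AS 3500) - R5 (AS 4500). R2 (AS 3500, with an
# assumed loopback 2.2.2.2) joins the IBGP mesh only when the split-horizon case is requested.

PREFIX = "12.10.0.0/16"                     # the route R4 originates

@dataclass
class Route:
    prefix: str
    next_hop: str
    learned_from: str                       # name of the sending peer, or "local"
    via: str                                # "local", "ebgp" or "ibgp"

@dataclass
class Router:
    name: str
    asn: int
    igp: set                                # connected and OSPF prefixes in the routing table
    peers: dict = field(default_factory=dict)         # peer name -> Router
    sources: dict = field(default_factory=dict)       # peer name -> local session address
    next_hop_self: set = field(default_factory=set)   # peers configured with next-hop-self
    synchronization: bool = True                      # IOS default when the post was written
    rib: dict = field(default_factory=dict)           # prefix -> Route (one path per prefix)

def peer(a, b, a_src, b_src):
    a.peers[b.name], a.sources[b.name] = b, a_src
    b.peers[a.name], b.sources[a.name] = a, b_src

def is_best(router, route):
    """A path whose next hop the routing table cannot resolve is never best."""
    if route.via == "local":
        return True
    nh = ipaddress.IPv4Address(route.next_hop)
    return any(nh in ipaddress.IPv4Network(p) for p in router.igp)

def can_send(router, route, to):
    ibgp = to.asn == router.asn
    if route.learned_from == to.name:
        return False                        # never echo a route back to its sender
    if route.via == "ibgp" and ibgp:
        return False                        # IBGP split-horizon
    if route.via == "ibgp" and router.synchronization and route.prefix not in router.igp:
        return False                        # synchronization: the IGP must carry it first
    return True

def update_for(router, route, to):
    ibgp = to.asn == router.asn
    if ibgp and to.name not in router.next_hop_self:
        nh = route.next_hop                 # IBGP leaves the next hop untouched
    else:
        nh = router.sources[to.name]        # EBGP, or next-hop-self, rewrites it
    return Route(route.prefix, nh, router.name, "ibgp" if ibgp else "ebgp")

def converge(net):
    """Re-advertise best paths until no RIB changes (the topology is loop-free)."""
    changed = True
    while changed:
        changed = False
        for r in net.values():
            for route in [x for x in r.rib.values() if is_best(r, x)]:
                for to in r.peers.values():
                    if can_send(r, route, to):
                        upd = update_for(r, route, to)
                        if to.rib.get(upd.prefix) != upd:
                            to.rib[upd.prefix] = upd
                            changed = True
    return net

def build(next_hop_self, redistributed, with_r2=False):
    ospf = {"1.1.1.1/32", "3.3.3.3/32", "102.102.0.0/16", "203.203.0.0/16"}
    r1 = Router("R1", 3500, ospf | {"14.10.14.0/30"})
    r3 = Router("R3", 3500, ospf | {"35.10.35.0/30"})
    r4 = Router("R4", 2500, {PREFIX, "14.10.14.0/30"})
    r5 = Router("R5", 4500, {"35.10.35.0/30"})
    peer(r1, r4, "14.10.14.1", "14.10.14.2")
    peer(r1, r3, "1.1.1.1", "3.3.3.3")
    peer(r3, r5, "35.10.35.1", "35.10.35.2")
    net = {"R1": r1, "R3": r3, "R4": r4, "R5": r5}
    if with_r2:                             # full IBGP mesh as in the split-horizon figure
        net["R2"] = r2 = Router("R2", 3500, set(ospf))
        peer(r1, r2, "1.1.1.1", "2.2.2.2")
        peer(r3, r2, "3.3.3.3", "2.2.2.2")
    if next_hop_self:                       # "neighbor ... next-hop-self" on R1
        r1.next_hop_self |= {"R3", "R2"}
    if redistributed:                       # "redistribute bgp 3500 subnets": OSPF now carries it
        for r in net.values():
            if r.asn == 3500:
                r.igp.add(PREFIX)
    r4.rib[PREFIX] = Route(PREFIX, "12.10.0.1", "local", "local")
    return converge(net)

def status(net):
    """Per router: 'best', 'not best' (next hop unresolved) or 'absent' for 12.10.0.0/16."""
    out = {}
    for name, r in net.items():
        route = r.rib.get(PREFIX)
        out[name] = "absent" if route is None else ("best" if is_best(r, route) else "not best")
    return out
```

status(build(False, False)) leaves R3 at "not best" and R5 with nothing, status(build(True, False)) fixes R3 but still withholds the route from R5, and only status(build(True, True)) delivers it to R5.
<p>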
To achieve this, we can either turn off the synchronization rule or redistribute 12.10.0.0/16 into the running IGP, that is OSPF. We will try redistributing the network into OSPF, so that the BGP network complies with the synchronization rule. </p><br /><p>R1</p><br /><p align="center" class="style1">router ospf 1<br />redistribute bgp 3500 subnets</p><br /><p>Now, if we issue the command "<em>show ip route</em>" on R5, we will see that there is a route to network 12.10.0.0/16 and that it is learned via BGP.</p><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWadTasEP_FR_ZOkFOLojYPbfYyK2rAD5qcIlp4xw7TVrG2gwIqlKm672w1r0Bp5wIqwZLQ6aUHoGVG68i7LJwFPjmczAODVKCO0RpLBGx3bQKdpcxNJnlM27EdmDIMR3p_dFCSCzb3SY/s1600/show_route_r5.JPG"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 169px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWadTasEP_FR_ZOkFOLojYPbfYyK2rAD5qcIlp4xw7TVrG2gwIqlKm672w1r0Bp5wIqwZLQ6aUHoGVG68i7LJwFPjmczAODVKCO0RpLBGx3bQKdpcxNJnlM27EdmDIMR3p_dFCSCzb3SY/s400/show_route_r5.JPG" border="0" alt="show ip route output on R5" id="BLOGGER_PHOTO_ID_5562801375877906962" /></a><br /><p>We also see the 110.11.11.0/24 network advertised to R5, because no route-map is applied to filter this route. Now BGP is working and routes are being exchanged between the routers. </p><br /></span> zoro http://www.blogger.com/profile/00564686625378860909 noreply@blogger.com 0 tag:blogger.com,1999:blog-5960703546293884343.post-8867022853448277672 2011-01-14T04:24:00.000-08:00 2011-01-14T04:34:38.182-08:00 Border Gateway Protocol Concepts <br /><p>Border Gateway Protocol (BGP) is quite different from other routing protocols. BGP is the routing protocol of the Internet, and it is a slow routing protocol, which is a good property for an Internet routing protocol. There are two kinds of BGP: Interior BGP and Exterior BGP. 
IBGP is when BGP runs between routers within the same Autonomous System (AS), while EBGP is when BGP runs between routers in different ASes. EBGP behaves differently from IBGP. As we know, Interior Gateway Protocols such as RIP, OSPF or EIGRP update the next hop address when advertising routes to a neighbor. IBGP does not do this. </p><br /><span id="fullpost"><br /><p>Neighbors in BGP must be configured manually. Another concept that differs in BGP is that BGP neighbors need not be directly connected. In the topology below, R1 and R3 can be neighbors without having a direct connection to each other.</p><br /><p>Instead of a metric to determine the best path to a network, BGP uses a list of attributes. These attributes have an order of precedence: each attribute of the feasible routes is evaluated in order, and the best path is chosen as soon as one route has an attribute that is better than the others'. </p><br /><p>There are also two rules in IBGP, which are the <strong>synchronization rule</strong> and the <strong>split-horizon rule</strong>.</p><br /><p><strong>Synchronization Rule</strong><br /><br />The synchronization rule says that BGP will not advertise a route to EBGP peers if the route has not been learned by an IGP. 
Consider the following scenario:</p><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikJt_9OOqLzkQtsH7WKpUHUnZgbB6eUGHZdsyVReJ0gCMo6m4jgXS0SZKv4U-vjGx77W62Qlzs6DjAwI7Ba7luXkMFUTPWvYp59-dVrRFD4hsvUY0gUyh3ym7BzqVV-ByQx5l4836aY5k/s1600/bgp_synchronization.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 313px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikJt_9OOqLzkQtsH7WKpUHUnZgbB6eUGHZdsyVReJ0gCMo6m4jgXS0SZKv4U-vjGx77W62Qlzs6DjAwI7Ba7luXkMFUTPWvYp59-dVrRFD4hsvUY0gUyh3ym7BzqVV-ByQx5l4836aY5k/s400/bgp_synchronization.jpg" border="0" alt="BGP synchronization topology" id="BLOGGER_PHOTO_ID_5562018206405026994" /></a><br /><p>R4 advertises the network 12.10.0.0/16 to R1, which then advertises the network to R3, since they are IBGP peers. But R3 will not advertise the network to R5 if the IGP running in its AS has not learned the 12.10.0.0/16 network. This rule is used to avoid the "<em>blackhole</em>" problem. If R3 ever advertised the network to R5, then R5 would send packets destined for the 12.10.0.0/16 network to R3. R3 would then send the packets to R2, but R2 does not know about that network since it is not running BGP. The packets would be dropped by R2. However, this synchronization rule can be turned off. You can safely turn it off if </p><br /><ul><br /> <li>You are not planning to be a transit AS, that is, to carry traffic from one AS to another AS over your AS.</li><br /> <li>All of your routers are running BGP.</li><br /></ul><br /><p><strong>Split Horizon Rule</strong><br /><br />The split-horizon rule says that routes learned via IBGP will not be sent to other IBGP peers. This rule is used to prevent loops in an AS. 
Consider the following scenario:</p><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizh7csFcLSucESNKO4KC_mKSU1SZ3cFd5LMk_a4AfPd-veQlaokFx8X25-YQ0DL1874M6qmtBwpRAIPzTXYU9d1JOvaeXCtoJRe86j28gg14senVpFt9XG9WKT7v36T6b7l8kw3M5nNCA/s1600/bgp_split_horizon.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 313px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizh7csFcLSucESNKO4KC_mKSU1SZ3cFd5LMk_a4AfPd-veQlaokFx8X25-YQ0DL1874M6qmtBwpRAIPzTXYU9d1JOvaeXCtoJRe86j28gg14senVpFt9XG9WKT7v36T6b7l8kw3M5nNCA/s400/bgp_split_horizon.jpg" border="0" alt="BGP split-horizon topology" id="BLOGGER_PHOTO_ID_5562018203415994178" /></a><br /><p>R1 receives the network 12.10.0.0/16 from R4 and then advertises the network to R2 and R3. What if R2 then sends the network to R3 and vice versa? In IGPs such as EIGRP and OSPF, the routers could determine the best path to the network, but BGP could not. This is because BGP does not use metrics like bandwidth or delay to determine the best path; instead it uses attributes, which do not change between IBGP routers in the same AS. So, if R2 and R3 ever sent the 12.10.0.0/16 network to each other, they would end up with two routes with the same attributes, which could potentially create a loop in the network. On Cisco routers, you can turn off this rule if you are sure that no loop will be created. </p><br /></span> zoro http://www.blogger.com/profile/00564686625378860909 noreply@blogger.com 0 tag:blogger.com,1999:blog-5960703546293884343.post-7957009090863393368 2011-01-01T17:33:00.000-08:00 2011-01-01T17:43:13.985-08:00 Configuring Multicast: Sparse-Dense Mode<br /><br /><p>There are two modes that we can use in multicast routing: <strong>sparse mode</strong> and <strong>dense mode</strong>. 
Dense mode uses the source-tree multicast routing technique, which is closer to broadcasting and then pruning multicast traffic. Sparse mode uses the shared-tree technique, which relies on a rendezvous point to obtain multicast traffic. There is also another mode, sparse-dense mode, which combines both. We will try to configure multicast routing in sparse-dense mode, but we won't go into the details of the theory of each mode.</p><br /><span id="fullpost"><br /><p>Let's say we have this topology. </p><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5EsE2g32MmxGSBzhvqia8vuKSi84-PpYvtJPBhmrt2TYW6q9MhpTL-bgGYzX9sU2D8BSBffHs03gpb1_IFlS4BKhdz6_x5D4gf4WWpyshkCZyPdOnD0_IZwrNqJMoI-nwl-QiLL9cH28/s1600/multicast.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 313px; height: 352px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5EsE2g32MmxGSBzhvqia8vuKSi84-PpYvtJPBhmrt2TYW6q9MhpTL-bgGYzX9sU2D8BSBffHs03gpb1_IFlS4BKhdz6_x5D4gf4WWpyshkCZyPdOnD0_IZwrNqJMoI-nwl-QiLL9cH28/s400/multicast.jpg" border="0" alt="multicast topology" id="BLOGGER_PHOTO_ID_5557397484441970210" /></a><br /><br /><br /><p>First of all, we have to turn on multicast routing on all routers. Enter the following command at the global configuration level:</p><br /><p align="center" class="style1">ip multicast-routing</p><br /><p>Then we have to specify which interfaces will participate in multicast routing. 
Go to the interface configuration level and enter the following command (enter the command on all interfaces listed in the above topology):</p><br /><p align="center"><span class="style1">ip pim sparse-dense-mode</span></p><br /><p>To verify that every interface has been multicast-enabled, enter the following command:</p><br /><p align="center"><span class="style1">show ip pim interface</span></p><br /><p>In the output of the command, you can see which interfaces are participating and in which mode. </p><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglaubVLQ_Qok2SBxWWjx4CUdew_qBe4iyssPJeud-B6_x_hPtyrLZ8Vx4In0jPnzmQ0Z7g5EDxRpjs4i2hJ17Miyrx7_iMm5B2s6ycHiVNFbW2BB9Y-B3ZKAG9ggizkvFf7GY9ViAiXyM/s1600/show+pim+interface.JPG"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 58px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglaubVLQ_Qok2SBxWWjx4CUdew_qBe4iyssPJeud-B6_x_hPtyrLZ8Vx4In0jPnzmQ0Z7g5EDxRpjs4i2hJ17Miyrx7_iMm5B2s6ycHiVNFbW2BB9Y-B3ZKAG9ggizkvFf7GY9ViAiXyM/s400/show+pim+interface.JPG" border="0" alt="show ip pim interface output" id="BLOGGER_PHOTO_ID_5557398087205324482" /></a><br /><p>At this point, you should already have multicast connectivity among your routers. But your routers will be connected in dense mode; we still have to configure sparse mode. To verify multicast connectivity, we will simulate a multicast server on R1. Go to the loopback0 interface of R1 and enter the following command:</p><br /><p align="center" class="style1">ip igmp join-group A.B.C.D</p><br /><p><strong>A.B.C.D</strong>: the IP address of the multicast group. You can use one of the private multicast addresses in the range 239.0.0.0 - 239.127.255.255.</p><br /><p>Then, on any other router, try to ping the multicast address. Here, I use 239.1.1.1 as the multicast address that I joined. 
If the router can reach the multicast address, you will see something like "<em>Reply to request 0 from 192.168.2.1, 168 ms</em>", but if the ping failed, you will see a ".".</p><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiK8JknqzfuP92hTfyvCt7UpDVebdBZAuUrHgROQaLvc2J8xX4zG4U9Hu3PD4V0WIfZckjqrczMP4_fO4CGYzs57ZLlJgPBb6MjDsc_3w_gtxRKweQCdbQZZoiE9In8-hGcks2MB6gEspQ/s1600/ppp-multilink.JPG"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 59px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiK8JknqzfuP92hTfyvCt7UpDVebdBZAuUrHgROQaLvc2J8xX4zG4U9Hu3PD4V0WIfZckjqrczMP4_fO4CGYzs57ZLlJgPBb6MjDsc_3w_gtxRKweQCdbQZZoiE9In8-hGcks2MB6gEspQ/s400/ppp-multilink.JPG" border="0" alt="multicast ping output" id="BLOGGER_PHOTO_ID_5557397491682392962" /></a><br /><p>Next, as in sparse mode, we have to specify at least one rendezvous point. There are two ways to specify the rendezvous point: statically, or with Auto-RP. If you configure your rendezvous point statically, you have to configure it on every router in your network where you want multicast to be supported, which can be tedious if you have many routers. The other way is Auto-RP (auto rendezvous point): you go to the RP router and tell it to announce itself as a rendezvous point, so that the rest of the multicast-enabled routers learn about it. To configure the RP statically, we use the following command:</p><br /><p align="center"><span class="style1">ip pim rp-address A.B.C.D</span></p><br /><p><strong>A.B.C.D</strong>: the IP address of the RP router.</p><br /><p>There are some other options to this command. Typing a question mark and hitting enter will list the other options, such as applying an access list so that a specific RP only serves a group of multicast addresses. </p><br /><p>But we will use the Auto-RP technique. 
Here, we will configure the RP router to announce itself as the RP for the network. Go to the RP router and, at the global configuration level, type the following command:</p><br /><p align="center"><span class="style1">ip pim send-rp-announce INTERFACE-TYPE INTERFACE-NUMBER scope NUMBER</span></p><br /><p><strong>INTERFACE-TYPE INTERFACE-NUMBER</strong>: the type and number of the interface whose address will be used as the RP address, e.g. serial0/1, lo1.<br /><br /><strong>NUMBER</strong>: the number of hops the announcement should traverse in the network.</p><br /><p>It is a good idea to use a <strong>loopback interface</strong> as the address of the RP, since a physical interface could go down and that would mark the RP as unreachable. So, use a loopback interface and advertise that loopback address with your routing protocol, so that the rest of the routers in the network know how to reach it, and do not forget to enable <strong>ip pim</strong> on the loopback interface. In this example, we will make R3 the RP. Go to R3 and enter the following command: "<em>ip pim send-rp-announce loopback 0 scope 15</em>".</p><br /><p>Then configure the mapping agent for your RP router. The mapping agent concept is similar to the DR in OSPF: your RP sends the announcement to the mapping agent, and it is then the task of the mapping agent to send the mapping to the rest of the multicast-enabled routers in the network. Configure a mapping agent by entering the following command:</p><br /><p align="center"><span class="style1">ip pim send-rp-discovery scope NUMBER</span></p><br /><p><strong>NUMBER</strong>: the number of hops the announcement should traverse in the network.</p><br /><p>In this example, I make R3 the mapping agent as well, so I configure R3 as the mapping agent by entering the command "<em>ip pim send-rp-discovery scope 15</em>" at the global configuration level. Next, we have to configure the other multicast-enabled routers to accept Auto-RP announcements. 
To configure this, go to R1, R2 and R4 and, at the global configuration level, enter the following command:</p><br /><p align="center" class="style1">ip pim accept-rp auto-rp</p><br /><p>Then you can also see the multicast routing table created on your router by using the command "<em>show ip mroute</em>". The output of the command looks something like this: </p><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyYlrY5bHERGFSRtZ2E1ko3PDLetqgsrM6QNWlDn68jHCyDQNI7cDj596C9mgLzN5mm8MnNsyOAxckFSQVcD250sCVrC0IPG-nB_2ptjdxpFmsFs6WAsSYwsG9q9GJXXKAoOEz1___rzQ/s1600/sh+ip+mroute.JPG"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 309px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyYlrY5bHERGFSRtZ2E1ko3PDLetqgsrM6QNWlDn68jHCyDQNI7cDj596C9mgLzN5mm8MnNsyOAxckFSQVcD250sCVrC0IPG-nB_2ptjdxpFmsFs6WAsSYwsG9q9GJXXKAoOEz1___rzQ/s400/sh+ip+mroute.JPG" border="0" alt="show ip mroute output" id="BLOGGER_PHOTO_ID_5557397499000439954" /></a><br /><p>The next thing to configure is to <strong>make your switches support multicasting</strong>. This is only one command, but without it your switches will treat multicast frames just like broadcast frames. Type the following command at the global configuration level of your switches:</p><br /><p align="center"><span class="style1">ip igmp snooping</span></p><br /><p>Another optimization that can be done is to keep your multicast packets from entering a part of your network. Let's say that you do not want multicast packets to go out of a specific interface of your router. Enter the following command at the interface configuration level:</p><br /><p align="center"><span class="style1">ip multicast ttl-threshold NUMBER</span></p><br /><p><strong>NUMBER</strong>: the value by which you want to reduce the multicast packet TTL. 
</p><br /><p>Every multicast packet has a <strong>TTL</strong>. With this command, you can reduce the TTL of multicast packets so that they will not go any further beyond the interface where the multicast packet is received. To be sure that you reduce the TTL to 0 (or even below it), just give the NUMBER parameter a big value such as 255. </p><br /></span> zoro http://www.blogger.com/profile/00564686625378860909 noreply@blogger.com 0 tag:blogger.com,1999:blog-5960703546293884343.post-8455265951993263483 2010-12-31T17:56:00.000-08:00 2010-12-31T18:10:09.473-08:00 OSPF: Authentication over a Virtual Link<style type="text/css"><br /><!--<br />.style1 {font-family: "Courier New", Courier, monospace}<br />.style3 {font-family: "Courier New", Courier, monospace; font-style: italic; }<br />--><br /></style><br /><br /><p>In OSPF, we can have an area that is not directly connected to the backbone area by using the <strong>virtual link</strong> feature. If OSPF authentication is enabled in area 0, routers that are connected through a virtual link must have the authentication configured too. This is because the router believes that it is directly connected to area 0, and since the routers in area 0 authenticate themselves in order to communicate, the virtual-linked router would no longer be able to communicate with the routers in area 0. 
</p><br /><p>The command to configure authentication on a virtual link is:</p><br /><p align="center" class="style1">area NUMBER virtual-link A.B.C.D message-digest-key NUMBER2 md5 WORD</p><br /><p><strong>NUMBER</strong>: the area number where both virtual-linked routers reside.<br /><br /><strong>A.B.C.D</strong>: the router-id of the peer router.<br /><strong>NUMBER2</strong>: the id number of the digest key.<br /><strong>WORD</strong>: the authentication password used.</p><br /><span id="fullpost"><br /><p>So, let's say that we have this topology:</p><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3asASZ5frIMi-dSvDgxLHJeny4xxQadPpZvJoILXkTk1zs9romU2igBwMBTFJzxo3ShtlEHT6gJ0ohimvmtmzthzV1g4HP-2YUdpMRr5W0j0jvAXsI5bR-MeUZjgNMNNIx-eXjxv2IvI/s1600/ospf-virtual-link.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 256px; height: 348px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3asASZ5frIMi-dSvDgxLHJeny4xxQadPpZvJoILXkTk1zs9romU2igBwMBTFJzxo3ShtlEHT6gJ0ohimvmtmzthzV1g4HP-2YUdpMRr5W0j0jvAXsI5bR-MeUZjgNMNNIx-eXjxv2IvI/s400/ospf-virtual-link.jpg" border="0" alt="OSPF virtual link topology" id="BLOGGER_PHOTO_ID_5557033752703390002" /></a><br /><p>We have <strong>md5 authentication</strong> configured in area 0 with the password "cisco". 
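</p>
<p>What that key does on the wire, as an added Python example rather than the post's configuration: the MD5 trailer that RFC 2328 Appendix D appends to each OSPF packet, and the receiver-side checks, starting with the authentication-type comparison behind the type mismatch error discussed below. The Hello body, sequence numbers and the use of router-id 2.2.2.2 as sender are constructed, and the standard checksum used with null authentication is left at zero.</p>

```python
import hashlib
import hmac
import struct

# Added example (not the post's configuration): the MD5 trailer that RFC 2328 Appendix D
# adds to an OSPF packet once "message-digest-key 1 md5 cisco" is in place, and the
# receiver checks behind the post's "type mismatch" error. The standard checksum used
# with null authentication is left at 0 here; body and sequence numbers are constructed.

AUTH_NULL, AUTH_MD5 = 0, 2
HDR = struct.Struct("!BBHIIHH")   # version, type, length, router id, area id, checksum, autype
CRYPT = struct.Struct("!HBBI")    # autype 2 auth field: 0, key id, auth data length, sequence
DIGEST_LEN = 16
PACKET_HELLO = 1

def ip2int(dotted):
    return int.from_bytes(bytes(int(x) for x in dotted.split(".")), "big")

def padded_key(key):
    """The configured key, zero-padded (or cut) to 16 bytes, as appended before hashing."""
    return key.encode()[:DIGEST_LEN].ljust(DIGEST_LEN, b"\x00")

def build_packet(ptype, router_id, area_id, body, autype, key_id=0, seq=0, key=""):
    """OSPF packet; with autype 2 the checksum is 0 and MD5(packet || padded key) is
    appended after the packet, outside the length field."""
    length = HDR.size + CRYPT.size + len(body)
    auth = CRYPT.pack(0, key_id, DIGEST_LEN, seq) if autype == AUTH_MD5 else bytes(CRYPT.size)
    pkt = HDR.pack(2, ptype, length, ip2int(router_id), ip2int(area_id), 0, autype) + auth + body
    if autype == AUTH_MD5:
        pkt += hashlib.md5(pkt + padded_key(key)).digest()
    return pkt

def verify(pkt, area_autype, keys, last_seq):
    """Receiver-side checks in the order the RFC applies them.
    keys: key id -> key string; last_seq: router id -> last accepted sequence number."""
    _, _, length, rid, _, _, autype = HDR.unpack_from(pkt)
    if autype != area_autype:
        return "type mismatch"        # Type 0 on R3 against Type 2 from R2, as in the post
    if autype != AUTH_MD5:
        return "ok"
    _, key_id, alen, seq = CRYPT.unpack_from(pkt, HDR.size)
    if key_id not in keys or alen != DIGEST_LEN:
        return "unknown key"
    expected = hashlib.md5(pkt[:length] + padded_key(keys[key_id])).digest()
    if not hmac.compare_digest(expected, pkt[length:length + alen]):
        return "bad digest"
    if seq < last_seq.get(rid, 0):
        return "replay"               # the sequence number must never go backwards
    last_seq[rid] = seq
    return "ok"

HELLO_BODY = bytes(20)            # constructed Hello body; its contents do not matter here

def r2_hello(seq, key="cisco"):
    """A Hello from R2 (router-id 2.2.2.2) across the virtual link, area 0, key id 1."""
    return build_packet(PACKET_HELLO, "2.2.2.2", "0.0.0.0", HELLO_BODY, AUTH_MD5, 1, seq, key)

if __name__ == "__main__":
    seen = {}
    print(verify(r2_hello(100), AUTH_MD5, {1: "cisco"}, seen))   # ok
    print(verify(r2_hello(101), AUTH_NULL, {}, seen))            # type mismatch
```

A receiver whose area is still at Type 0 rejects the packet on the type alone, before ever looking at the key; a wrong key, a modified body or a reused sequence number are caught by the later checks.
<p>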
To configure this authentication for area 0, go to all routers in area 0, which in this case are R1 and R2, and type the following commands (assuming you start from the global configuration level and the OSPF process id is 1):</p><br /><p align="center" class="style1">router ospf 1<br />area 0 authentication message-digest<br />interface fastethernet1/0<br />ip ospf authentication message-digest<br />ip ospf message-digest-key 1 md5 cisco</p><br /><p>Now, since authentication is in place for area 0, in order for area 2 to have connectivity with the rest of the OSPF network, authentication must be configured on the virtual-linked routers too, which in this case are R2 and R3. We first go to R2, enter its OSPF process 1 configuration level and enter the following command:</p><br /><p align="center"><span class="style1">area 1 virtual-link 3.3.3.3 message-digest-key 1 md5 cisco</span></p><br /><p>Next we go to R3, enter the OSPF process 1 configuration level and enter the commands: </p><br /><p align="center"><span class="style1">area 1 virtual-link 2.2.2.2 message-digest-key 1 md5 cisco<br />area 0 authentication message-digest</span></p><br /><p>We need to configure the command "<span class="style3">area 0 authentication message-digest</span>" on R3 to avoid an authentication <strong>type mismatch</strong> error (Type 0 - Null authentication on R3, and Type 2 - Message Digest authentication on R2). This is because a virtual link is a tunnel that makes it as if R3 were directly connected to area 0, and since area 0 is configured with message-digest authentication, R3 must be configured to use message-digest authentication in area 0 too. </p><br /></span> zoro http://www.blogger.com/profile/00564686625378860909 noreply@blogger.com 0 tag:blogger.com,1999:blog-5960703546293884343.post-3706230823210791802 2010-12-25T19:41:00.000-08:00 2010-12-25T19:53:04.889-08:00 PPP Multilink Connection<br /><p>PPP Multilink connection adds load-balancing to your PPP connection. 
PPP multilink sends packets in fragments spread </p><br /><p>To configure a PPP Multilink connection, first go to the serial interfaces that will participate in your PPP link, perform no shutdown and change the encapsulation to PPP.</p><br /><p align="center" class="style1">no shutdown<br />encapsulation ppp</p><br /><p>Then configure the logical multilink interface. You create the multilink interface, give it an IP address, and specify the encapsulation for it. At the global configuration level, type this command: </p><br /><p align="center" class="style1">interface multilink <strong>NUMBER</strong></p><br /><p>NUMBER: this can be any unique number you want to identify the multilink interface.</p><br /><p align="center" class="style1">ip address <strong>A.B.C.D NETMASK</strong></p><br /><p>A.B.C.D: IPv4 address for this interface <br /><br />NETMASK: the subnet mask for the IPv4 address. </p><br /><p align="center" class="style1">encapsulation ppp</p><br /><span id="fullpost"><br /><p>Next, you need to link your logical multilink interface to your physical serial PPP interfaces. This is done with the <em>ppp multilink-group</em> command. Type the following command at both the multilink and the physical serial interface configuration levels. </p><br /><p align="center" class="style1">ppp multilink-group <strong>NUMBER</strong></p><br /><p>NUMBER: the number of the multilink group.</p><br /><p>The number configured must be the same on the multilink interface and the physical serial interfaces. </p><br /><p>By this time, you should be able to ping your PPP peer. You can verify your multilink interface with the commands "<em>show ip interface brief</em>" and "<em>show ppp multilink</em>". 
Here is the output of the <em>show ppp multilink</em> command:</p><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXdW6EAU7PrSVEwVa9WL6fFkTLNIm1Di3KL4ReDKD_4e0i316gmo1A16XTxP0o_Apfv_jjhyphenhyphenIZTNhYro1KcWshocOLANFUao-WOlGTVzVrs78p9rdvdgUHnvBxqTxMIsqVKB3b8b2-MF8/s1600/ppp-multilink.JPG"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 138px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXdW6EAU7PrSVEwVa9WL6fFkTLNIm1Di3KL4ReDKD_4e0i316gmo1A16XTxP0o_Apfv_jjhyphenhyphenIZTNhYro1KcWshocOLANFUao-WOlGTVzVrs78p9rdvdgUHnvBxqTxMIsqVKB3b8b2-MF8/s320/ppp-multilink.JPG" border="0" alt="show ppp multilink output" id="BLOGGER_PHOTO_ID_5554833943987429538" /></a><br /></span> zoro http://www.blogger.com/profile/00564686625378860909 noreply@blogger.com 0 tag:blogger.com,1999:blog-5960703546293884343.post-3049548391164664952 2010-12-25T00:47:00.000-08:00 2010-12-25T01:44:50.571-08:00 OSPF: Configuring NBMA Network Type<style type="text/css"><!--.style1 {font-family: "Courier New", Courier, monospace}--></style><br /><br /><p>There are 5 network types in OSPF. They are: <strong>NBMA</strong> (Non-Broadcast MultiAccess) and <strong>Point-to-Multipoint</strong>, which are RFC standard, and <strong>Broadcast</strong>, <strong>Point-to-Point</strong> and <strong>Point-to-Multipoint</strong> (static), which are Cisco proprietary. The default network type for OSPF interfaces on a multipoint network, or when you configure Frame Relay on physical interfaces, is NBMA. </p><br /><p>The characteristics of the NBMA network type are that there are DR/BDR elections, and what has to be noted here is that the DR and BDR must have direct connectivity with the rest of the OSPF routers in the network. In an NBMA network there is no broadcast, so we have to define our OSPF neighbors statically. 
We only have to specify the neighbors statically at one router (one-way), and the peer router will respond and the neighborship will be formed. Usually, the static neighbor configuration is done at the hub-router.</p><br /><span id="fullpost"><br /><p>We will try to configure OSPF in NBMA network type based on this topology</p><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzrRZuLJglMFP1-mKMU-a3x8KybxYrNMKCcXUmCCCRTIkuy5A6teFQBjp1v8470u0od1uyJLKtD6U0CGyuMeDhLFpHe4Q3OWUbyzrahQwneDw-jpPkHN3_krZEiNp50tstOkEZWGhWajs/s1600/ospf-nbma-topology.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 258px; height: 320px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzrRZuLJglMFP1-mKMU-a3x8KybxYrNMKCcXUmCCCRTIkuy5A6teFQBjp1v8470u0od1uyJLKtD6U0CGyuMeDhLFpHe4Q3OWUbyzrahQwneDw-jpPkHN3_krZEiNp50tstOkEZWGhWajs/s320/ospf-nbma-topology.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5554550574884733106" /></a><br /><p>First, configure the serial1/0 interface, give an ip address, set the encapsulation to frame-relay and perform no shutdown </p><br /><p align="center" class="style1">ip address 10.10.10.1 255.255.255.0 <br />encapsulation frame-relay<br />no shutdown<br />ip ospf priority 255</p><br /><p>Remember that in an NBMA network, there is a DR/BDR election. DR/BDR routers should have direct connectivity with the rest of the routers in the segment. So here, we want to make sure that R1 becomes the DR router. Therefore we set the <strong>OSPF priority</strong> of the interface to 255. 
You can go to R2 and R3 and apply the same configuration at the serial1/0 interface </p><br /><p>R2:</p><br /><p align="center"><span class="style1">ip address 10.10.10.2 255.255.255.0 <br />encapsulation frame-relay<br />no shutdown<br />ip ospf priority 0</span></p><br /><p>R3:</p><br /><p align="center"><span class="style1">ip address 10.10.10.3 255.255.255.0 <br />encapsulation frame-relay<br />no shutdown<br />ip ospf priority 0</span></p><br /><p align="left">R2 and R3 have no direct connectivity, therefore neither of them can be the BDR. We set the OSPF interface priority of R2 and R3 serial1/0 to 0, making them <strong>ineligible </strong>for the DR/BDR election. </p><br /><p align="left">I also configure a loopback0 interface on R1 for OSPF connectivity testing, so that once OSPF has been configured we can see at least one route learned from OSPF in the routing tables of R2 and R3. The loopback carries the 192.168.1.0/24 network that R1 advertises below. On R1:</p><br /><p align="center"><span class="style1">interface loopback0<br />ip address 192.168.1.1 255.255.255.0 <br /></span></p><br /><p align="left">Then we can start configuring OSPF. We will use OSPF with process id 1.</p><br /><p align="left">R1:</p><br /><p align="center" class="style1">router ospf 1<br />router-id 1.1.1.1<br />network 10.10.10.1 0.0.0.0 area 0 <br />network 192.168.1.0 0.0.0.255 area 0</p><br /><p align="left">R2:</p><br /><p align="center" class="style1">router ospf 1<br />router-id 2.2.2.2 <br />network 10.10.10.2 0.0.0.0 area 0</p><br /><p align="left">R3:</p><br /><p align="center" class="style1">router ospf 1<br />router-id 3.3.3.3 <br />network 10.10.10.3 0.0.0.0 area 0 </p><br /><p>You can use the "<em>show ip ospf interface</em>" command to see the network type of the serial1/0 interface. Here is the partial output of the command. 
</p><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPTqBw2tmdMNdqA6KpfZz5PpCm80267QgYytW7yewy5HG3YCyXa4rUSJef1w7Aak01M0FWb9Us-bs1m8AF7w3NDwa8bRAoJGUNre26RJ57cw59YYwI8s-lbDp1o_Ijy4dCITP7BENzCfM/s1600/ospf-interface.JPG"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 80px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPTqBw2tmdMNdqA6KpfZz5PpCm80267QgYytW7yewy5HG3YCyXa4rUSJef1w7Aak01M0FWb9Us-bs1m8AF7w3NDwa8bRAoJGUNre26RJ57cw59YYwI8s-lbDp1o_Ijy4dCITP7BENzCfM/s320/ospf-interface.JPG" border="0" alt="" id="BLOGGER_PHOTO_ID_5554550576476715890" /></a><br /><p>It should list the network type as <strong>NON_BROADCAST</strong>. If not, you can change the OSPF network type with the command "<em>ip ospf network non-broadcast</em>" at the interface configuration level. At this point, you will not have any OSPF neighbor, since in a non-broadcast network neighbors must be specified manually. Remember that we only have to type the neighbor command one-way, on one router, and it is a good idea to configure it at the hub router, which is R1. So, we go to R1 and type the following at the global configuration level:</p><br /><p align="center" class="style1">router ospf 1<br />neighbor 10.10.10.2<br />neighbor 10.10.10.3</p><br /><p>After entering the commands, you can type "show ip ospf neighbor" to see that R1 is in the <strong>ATTEMPT</strong> state with R2 and R3. Wait until the neighbor state becomes <strong>FULL</strong>. When it reaches FULL, we can verify that the network of R1's loopback0 interface is advertised to R2 and R3 and listed in their routing tables. Looking at the picture below, you might be wondering why 192.168.1.1 is advertised as a host route with a <strong>/32</strong> subnet mask when you would expect /24. 
This is because OSPF advertises loopback interfaces as host routes with a /32 mask by default. To get the /24 network in the routing table, change the OSPF network type of the loopback interface to point-to-point with the command "<em>ip ospf network point-to-point</em>". </p><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAf3EHKIqDEpqVREQs4NsRHtHHpcBGlrd_daTn8rt7iLdduvSTxOliIrKiF3CMwzu89i-WRI_AMeEYG-i-m2D2Xc2B16t_6Lq3Ec1mXa_EZnsFhCvkUk-xU5h8uEMyeXtH35XZxPukWCM/s1600/r2-route.JPG"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 122px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAf3EHKIqDEpqVREQs4NsRHtHHpcBGlrd_daTn8rt7iLdduvSTxOliIrKiF3CMwzu89i-WRI_AMeEYG-i-m2D2Xc2B16t_6Lq3Ec1mXa_EZnsFhCvkUk-xU5h8uEMyeXtH35XZxPukWCM/s320/r2-route.JPG" border="0" alt="" id="BLOGGER_PHOTO_ID_5554550578442938994" /></a><br /><p>But there is still a problem. If you try to ping R3 from R2 and vice-versa, the ping will fail. This is because both R2 and R3 think they have direct connectivity, since both of them reside in the same network. But actually, they have to send the packets to R1 first before reaching each other. To solve this, we add a manual <strong>frame-relay map </strong>command so that they reach each other using the DLCI used to reach R1. At the R2 serial1/0 interface configuration level, type the following command:</p><br /><p align="center" class="style1">frame-relay map ip 10.10.10.3 201 broadcast</p><br /><p>At the R3 serial1/0 interface configuration level, type the following command:</p><br /><p align="center" class="style1">frame-relay map ip 10.10.10.2 301 broadcast</p><br /><p>Now, if you try to ping R3 from R2 or vice-versa, the ping will succeed. 
</p><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgeH0-ABPn3k115-ypezmNOc-UBXDRcWkqcRxHw98TLDHPb71EXyCn2ePQFSP49-lyPJUyc_SLWcqT43abeT0xB5bs-NeJ34khcVdLgWvjrdldI2UbU-t9g5scbvlXrB3K0HfAe7et_G4o/s1600/r2-ping.JPG"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 53px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgeH0-ABPn3k115-ypezmNOc-UBXDRcWkqcRxHw98TLDHPb71EXyCn2ePQFSP49-lyPJUyc_SLWcqT43abeT0xB5bs-NeJ34khcVdLgWvjrdldI2UbU-t9g5scbvlXrB3K0HfAe7et_G4o/s320/r2-ping.JPG" border="0" alt="" id="BLOGGER_PHOTO_ID_5554550577098831170" /></a><br /></span>zorohttp://www.blogger.com/profile/00564686625378860909noreply@blogger.com0tag:blogger.com,1999:blog-5960703546293884343.post-90205332843692795282010-12-24T05:28:00.000-08:002010-12-24T05:32:13.063-08:00PPP Enhancements<br /><br /><p>There are some enhancements that you can configure for your PPP connection. These enhancements include compression and reliability.</p><br /><p>To configure PPP compression, go to your PPP interface and type (only some IOS versions support compression) </p><br /><p align="center" class="style1">compress <strong>WORD</strong></p><br /><p>WORD: the type of PPP compression you want to use. </p><br /><p>There are three compression types for the data portion of PPP packets. These are:</p><br /><ul><br /> <li><strong>MPPC</strong>. Microsoft mode </li><br /> <li><strong>Predictor</strong>. This type of compression uses more memory than processor. </li><br /> <li><strong>Stac</strong>. This compression uses more processor than memory.</li><br /></ul><br /><span id="fullpost"><br /><p>When deciding which compression to use, consider your router's memory and processor. If you have more free memory than processor capacity, predictor may be the best choice. 
The same goes the other way: if you have more processor capacity than memory, you may want to go for stac. As you may have guessed, you must configure compression on both sides of the connection for the PPP link to work. </p><br /><p><strong>TCP Header Compression </strong></p><br /><p>You can also enable TCP header compression for your PPP link. To configure this, go to your PPP interface configuration level and type (you might want to assign an IP address to the interface before issuing this command) </p><br /><p align="center" class="style1">ip tcp header-compression </p><br /><p><strong>PPP Reliability </strong></p><br /><p>If many UDP packets will go through the PPP link, you can add reliability at the layer 2 link of the PPP connection. This gives error detection and error correction on your PPP connection. To configure this, type the following command at your PPP interface</p><br /><p align="center" class="style1">ppp reliable-link</p><br /><p><strong>PPP Minimum Quality</strong></p><br /><p>You can specify the minimum quality of your PPP connection as a percentage. If your successful traffic goes below the minimum quality you have specified for the PPP connection, the router proactively tears down the connection and tries to reconnect. To configure this, type the following command at your PPP interface </p><br /><p align="center" class="style1">ppp quality <strong>NUMBER</strong></p><br /><p>NUMBER: the percentage of your minimum quality </p><br /></span>zorohttp://www.blogger.com/profile/00564686625378860909noreply@blogger.com0tag:blogger.com,1999:blog-5960703546293884343.post-28297503555359318672010-12-09T02:23:00.000-08:002010-12-23T04:09:44.721-08:00VLAN Access Map<br /><br /><br /><br /><p><span style="font-weight:bold;">VLAN Access Map</span> gives you the ability to control traffic between users in the same VLAN. It is configured in the same way as a route map. 
Suppose you have VLAN 100 with subnet 192.168.100.0/24 and you want to deny access from host 192.168.100.10 to host 192.168.100.20. Here is how you configure your switch.</p><br /><p>First, you create the VLAN map. In the global configuration mode, enter the command “<span style="font-style:italic;">vlan access-map</span>”. The syntax of the command is</p><br /><p class="code" align="center">vlan access-map WORD NUMBER</p><br /><p><strong>WORD:</strong> the name of the access-map<br /><strong>NUMBER:</strong> the sequence number of the statement. You can later insert other statements with a sequence number lower or higher than your current one.<br /></p><br /><span id="fullpost"><br /><p>After you enter the “vlan access-map” command, you will be in the access-map configuration level. Here, you specify what to match and what the action is, just like in a route-map. </p><br /><p>If you enter the command match and hit the question mark, you will see two options, ip and mac. You guessed it: you can permit or deny access based on the IP address or the MAC address. We need to create an access-list, either an <span style="font-weight:bold;">ip access-list</span> or a <span style="font-weight:bold;">mac access-list</span>, that matches the traffic we need to match. We will create the access-list later, but here we configure the access-map to match IP access-list 101, and set the action to drop the packet (the action is either drop or forward: drop for deny and forward for permit).</p><br /><p class="code" align="center">match ip address 101<br /><br />action drop<br /></p><br /><p>For this scenario, you want to match source IP 192.168.100.10 and destination IP 192.168.100.20. Therefore, we create an IP access-list numbered 101, as that is the access-list number we configured in the access-map. 
Exit the access-map configuration and enter the access-list command.</p><br /><p class="code">access-list 101 permit ip host 192.168.100.10 host 192.168.100.20</p><br /><p>The last thing to do is to apply the access-map to a VLAN. To do this, we use the “vlan filter” command at the global configuration mode. The syntax is</p><br /><p class="code" align="center">vlan filter WORD vlan-list NUMBER</p><br /><p><strong>WORD:</strong> the name of the access-map<br /><strong>NUMBER:</strong> the number of the VLAN you want the access-map applied to. You can use a single VLAN number or a VLAN list for more than one VLAN.<br /></p><br /><p>Note that a VLAN access map ends with an implicit drop: traffic that matches no sequence is dropped. To let the rest of the VLAN's traffic through, add a second sequence with a higher number (for example “<span style="font-style:italic;">vlan access-map WORD 20</span>” with “<span style="font-style:italic;">action forward</span>” and no match clause); otherwise every other host in VLAN 100 loses connectivity as soon as the filter is applied.</p><br /></span>zorohttp://www.blogger.com/profile/00564686625378860909noreply@blogger.com1tag:blogger.com,1999:blog-5960703546293884343.post-56114299514766792532010-12-07T03:01:00.000-08:002010-12-22T05:22:36.981-08:00Spanning-Tree Enhancements<br /><font size=3><strong>Portfast</strong></font><br /><p>Immediately moves a port into the forwarding state. Can be used for ports that are connected to end devices. Should always be paired with BPDU guard: with BPDU guard enabled on a switch, if that switch receives a BPDU on a portfast port, it will shut the port down.</p><br /><p>PortFast Configuration<br />go to the interface configuration level</p><br /><p class="code" align="center">spanning-tree portfast</p><br /><p>BPDU Guard configuration<br />in the global configuration level (enables BPDU guard on all portfast ports)</p><br /><p class="code" align="center">spanning-tree portfast bpduguard default</p><br /><p> There is another feature besides BPDU guard, called BPDU filter: if a BPDU is received by the switch on a portfast port, the BPDU is simply ignored.</p><br /><span id="fullpost"><br /><font size=3><strong>UplinkFast</strong></font><br /><p>Not much used anymore. UplinkFast provides a way to move a blocked port into the forwarding state immediately in case the root port goes down. 
</p><br /><p>UpLinkFast Configuration:<br />go to the global configuration level</p><br /><p class="code" align="center">spanning-tree uplinkfast</p><br /><font size=3><strong>BackBone Fast</strong></font><br /><p>When the root port of a switch goes down, there is a chance the switch thinks that the root bridge is down while it actually is not. When this happens, the switch sends BPDUs with its own switch priority and MAC address as the root bridge. If such a BPDU is received by another switch on which BackboneFast is enabled, that switch proactively tells the switch that assumes it is the root bridge that the root bridge is still alive, by sending a BPDU back with the real Root Bridge ID.</p><br /><p>BackBoneFast Configuration:<br />go to the global configuration level</p><br /><p class="code" align="center">spanning-tree backbonefast</p><br /></span>zorohttp://www.blogger.com/profile/00564686625378860909noreply@blogger.com0tag:blogger.com,1999:blog-5960703546293884343.post-88413939461878661012010-12-04T17:57:00.000-08:002010-12-04T18:10:41.329-08:00Modifying AD Schema<br /><br /><br /><br /><p>If, for example, you are asked to add a new attribute to the user class in your domain, you can do this by modifying your AD schema. Modifying the AD schema is not only about adding new attributes: you can also add new classes or modify existing ones, and activate or deactivate classes and attributes. Before you make a modification to the AD schema, you have to make sure that you have the permission to do so. To check this, your account must be a member of the <strong>Schema Admins </strong>group. </p><br /><p>Microsoft provides a tool to make AD schema modifications. You can access this tool from the MMC. </p><br /><p>First, type <strong>mmc </strong>in the Run box. 
This brings up the MMC window.</p><br /><span id="fullpost"><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4USL4TgB2iBCCvg24NSUm2QlRvLfkFQur83YVz3AE6-KyJQQ53W8mCleoBHlbDq_oWC7ebLAAfGUkA6DQsSKjN7tM8LBsGqMYRv4rdFUtFQZpyRXYjH79QeDwTHoCr4QqVZcfm1j5za8/s1600/mmc.JPG"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 198px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4USL4TgB2iBCCvg24NSUm2QlRvLfkFQur83YVz3AE6-KyJQQ53W8mCleoBHlbDq_oWC7ebLAAfGUkA6DQsSKjN7tM8LBsGqMYRv4rdFUtFQZpyRXYjH79QeDwTHoCr4QqVZcfm1j5za8/s320/mmc.JPG" border="0" alt="" id="BLOGGER_PHOTO_ID_5547012796102172114" /></a><br /><p> Go to File > Add/Remove Snap-in. Click the Add button. Choose Active Directory Schema from the list and click Add (if you don't see Active Directory Schema in the list, you have to register it first by typing '<em>regsvr32 schmmgmt.dll</em>' in the Run box or at the command prompt). </p><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0ZxFOGe8XaKkLwUygDvwkOoeTinrghh0QY8nfwPw355JyUxTJfGlq3vlRuH8YINiqj0ucuRG346Ce6ljGhnIo0b-GryvXTyigKU4QGrXAu4MHEsbT7XqLZdxRm9EFAl9FeTnwlZLLB2k/s1600/ad_schema.JPG"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 315px; height: 320px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0ZxFOGe8XaKkLwUygDvwkOoeTinrghh0QY8nfwPw355JyUxTJfGlq3vlRuH8YINiqj0ucuRG346Ce6ljGhnIo0b-GryvXTyigKU4QGrXAu4MHEsbT7XqLZdxRm9EFAl9FeTnwlZLLB2k/s320/ad_schema.JPG" border="0" alt="" id="BLOGGER_PHOTO_ID_5547012801234859282" /></a><br /><p>Click Close and the Active Directory Schema snap-in will be added to the MMC. 
There is only one domain controller on which AD schema changes can be made; this domain controller is called the <em>schema master</em>. To be able to make changes to the AD schema, this tool must point to the <em>schema master</em>. Right click on the Active Directory Schema entry in the MMC and choose Change Domain Controller. </p><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhX6hVMC9YkMOfCb5_5Bqtw_7pYAvn7-73oOovD5jKxcBNt8gPALQ0zZVA8YU00R8NXfT7kTjXvw9tUSyf8xOuVg21ygbj00gf6xBrohb1GgBUutfK9AmBWIFTYHUbXnwbizPEVHj90Oqg/s1600/fsmo.JPG"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 206px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhX6hVMC9YkMOfCb5_5Bqtw_7pYAvn7-73oOovD5jKxcBNt8gPALQ0zZVA8YU00R8NXfT7kTjXvw9tUSyf8xOuVg21ygbj00gf6xBrohb1GgBUutfK9AmBWIFTYHUbXnwbizPEVHj90Oqg/s320/fsmo.JPG" border="0" alt="" id="BLOGGER_PHOTO_ID_5547012797570241826" /></a><br /><p>In this tool, you can create/modify and activate/deactivate classes or attributes. Let's say that you want to add another attribute to the user class. First, right click on Attributes and choose Create Attribute; a dialog box will appear warning you that creating an attribute is a nonreversible action. Next, you will see the Create New Attribute dialog. 
</p><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZfgMBdsu-lFSVav0s5gruMrnpGj0XDKXv-45wCRmuSEE_npRJwsXZoDZ2RrdsoLslolDETb0pvhlp8twfWxoIBEQCe8GU59D5wDUx60mN-Rwxf8LlFMc3dU59Y2syf0Yj_FQG4flJGsA/s1600/new_attr.JPG"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 312px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZfgMBdsu-lFSVav0s5gruMrnpGj0XDKXv-45wCRmuSEE_npRJwsXZoDZ2RrdsoLslolDETb0pvhlp8twfWxoIBEQCe8GU59D5wDUx60mN-Rwxf8LlFMc3dU59Y2syf0Yj_FQG4flJGsA/s320/new_attr.JPG" border="0" alt="" id="BLOGGER_PHOTO_ID_5547012806237109826" /></a><br /><p><strong>Common Name</strong> This field becomes the Common Name attribute of the attribute.<br /><br /> <strong>LDAP Display Name </strong>This is the string that LDAP utilities display to users when they access the directory.<br /><br /> <strong>Unique X.500 Object ID</strong> This is the OID you received from the ISO.<br /><br /> <strong>Description</strong> This optional field provides a short description of the attribute.</p><br /><p><strong>Syntax </strong>is the data type the attribute will hold, such as string, SID, OID, etc. <br /><br /> <strong>Maximum</strong> specifies the maximum value for the attribute <br /><br /> <strong>Minimum </strong>specifies the minimum value for the attribute</p><br /><p>Now, whenever you have to create a new class or attribute, you will need a unique <strong>Object Identifier </strong>(OID). 
There are a couple of ways to get this OID: you can apply to ANSI, which takes time and money (you then have the right to use any OID that starts with your OID), or you can use the script available <a href="http://gallery.technet.microsoft.com/scriptcenter/en-us/56b78004-40d0-41cf-b95e-6e795b2e8a06">here </a>(copy the script and paste it into a file with a .vbs extension, or simply name it oidgen.vbs, then execute the file to obtain your OID). After filling in all of the needed fields, click OK.</p><br /><p>Now, to add the newly created attribute to the user class, click Classes, search for the user class, right click on it and choose Properties. Go to the Attributes tab and click Add.</p><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglbZGI1zHhgyVKYhB69ohn3ND987ansLvdpoZUh6J5dGhCVenEjVdxfj9DqR2nxEx3pHhgs-wXjFcoigRitbgl_7_5SsghrvYRjjMWQgQngcFh87wQG6kkArDp-pIn_cKu5E4ZJB-tjMI/s1600/add_attr.JPG"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 292px; height: 320px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglbZGI1zHhgyVKYhB69ohn3ND987ansLvdpoZUh6J5dGhCVenEjVdxfj9DqR2nxEx3pHhgs-wXjFcoigRitbgl_7_5SsghrvYRjjMWQgQngcFh87wQG6kkArDp-pIn_cKu5E4ZJB-tjMI/s320/add_attr.JPG" border="0" alt="" id="BLOGGER_PHOTO_ID_5547012813882103650" /></a><br /><p>Choose the attribute that you created and click OK. Then you can verify that the attribute is listed in the optional attributes list box.</p><br /><p>The next thing is to give values to your new attribute. There are several ways to do this, but one of them is by using ldp.exe. It is a tool included in the Windows Server 2003 Support Tools. With this tool you can search, modify, add and delete against an LDAP server such as Microsoft AD. Just type ldp in the Run box. 
Click on Connection, then Connect.</p><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbU-4uKsXlQtIfBv4ZOxKKhLUqPT2GDQqVy7r5_9t_0piBeX4uLFSu26hk4A0f1gKmhZVaI5DLb32yp50RBKgkEqaMFptd4pjdaYO5YFbPK4BMXWMIFa6tJQjIRgUmMiRymHPO6lgppl8/s1600/ldp_connect.JPG"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 273px; height: 136px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbU-4uKsXlQtIfBv4ZOxKKhLUqPT2GDQqVy7r5_9t_0piBeX4uLFSu26hk4A0f1gKmhZVaI5DLb32yp50RBKgkEqaMFptd4pjdaYO5YFbPK4BMXWMIFa6tJQjIRgUmMiRymHPO6lgppl8/s320/ldp_connect.JPG" border="0" alt="" id="BLOGGER_PHOTO_ID_5547014010320966786" /></a><br /><p>Type in the server location; this can be a DNS name or an IP address. Then press OK. Next, we have to bind: click Connection, then Bind.</p><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinW-iaWzfGrP4tjiCeBk_ukAQRWyvWoggxqB1gxT_66R-aaUn1fkHWTAE6fEFwRhcQMzUg6bsfSoDXs1KpRpjCr5M-wKzFZ02pj0HcRXO8r8hyphenhyphenVMrI9qGGQ46-bYL_3l0NsxwgdwzfiSE/s1600/ldp_bind.JPG"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 287px; height: 157px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinW-iaWzfGrP4tjiCeBk_ukAQRWyvWoggxqB1gxT_66R-aaUn1fkHWTAE6fEFwRhcQMzUg6bsfSoDXs1KpRpjCr5M-wKzFZ02pj0HcRXO8r8hyphenhyphenVMrI9qGGQ46-bYL_3l0NsxwgdwzfiSE/s320/ldp_bind.JPG" border="0" alt="" id="BLOGGER_PHOTO_ID_5547014015474259074" /></a><br /><p>Type in a username and password that has permission to modify the user's attributes, then press OK. 
Then click Browse, then Modify.</p><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjbPso6DY_U9vriIX1I6tekFfDSJhZr59ukBQOMG1c8cocof06l62QYI21ogfjMyuA98l8nnlMMi8B_5B7_qC2nEne3ka48i13AHFnH7glqzpaVJlm1fxfnqVCiZLxTJ_dforoDtZhVMg/s1600/ldp_modify.JPG"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 295px; height: 320px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjbPso6DY_U9vriIX1I6tekFfDSJhZr59ukBQOMG1c8cocof06l62QYI21ogfjMyuA98l8nnlMMi8B_5B7_qC2nEne3ka48i13AHFnH7glqzpaVJlm1fxfnqVCiZLxTJ_dforoDtZhVMg/s320/ldp_modify.JPG" border="0" alt="" id="BLOGGER_PHOTO_ID_5547014020292793682" /></a><br /><ul><br /> <li>In the DN textbox, type the DN of the user whose attribute you want to modify. For example, the DN for the administrator account would be something like <em>CN=administrator,CN=users,DC=srv1,DC=domain,DC=com</em>.</li><br /> <li>In the Attribute textbox, type the name of the attribute that you want to modify. For example, if you want to modify the givenName of a user, type givenName.</li><br /> <li>Type the new value for the attribute in the Values textbox. </li><br /> <li>Press Enter; you can add another attribute and value if you want to modify more than one attribute.</li><br /> <li>When you are done, click Run.</li><br /></ul><br /><p>To verify the attribute modification, use the search operation against AD: press Ctrl+S or click Browse, then Search in LDP. </p><br /></span>zorohttp://www.blogger.com/profile/00564686625378860909noreply@blogger.com0tag:blogger.com,1999:blog-5960703546293884343.post-76664508198218953302010-11-27T00:34:00.000-08:002010-12-23T04:04:42.391-08:00Fetch Data from Multiple Records<p>You can use a function to fetch data from multiple records into one field. For example, suppose we have the tables users and hobbies. 
</p><br /><table border="1" width="264"> <tbody><tr> <td width="48"><div align="center"><strong>user_id</strong></div></td> <td width="99"><div align="center"><strong>user_name</strong></div></td> <td width="95"><div align="center"><strong>address</strong></div></td> </tr> <tr> <td>1</td> <td>John Walker </td> <td>Bangladesh</td> </tr> <tr> <td>2</td> <td>Frank McLane </td> <td>Nepal</td> </tr> <tr> <td>3</td> <td>Leon Kennedy </td> <td>USA</td> </tr> </tbody></table><br /><table border="1" width="200"> <tbody><tr> <td width="77"><div align="center"><strong>user_id</strong></div></td> <td width="107"><div align="center"><strong>hobby</strong></div></td> </tr> <tr> <td>1</td><td>Reading</td> </tr> <tr> <td>1</td> <td>Sleeping</td> </tr> <tr> <td>1</td> <td>Walking</td> </tr> <tr> <td>2</td> <td>Swimming</td> </tr><br /> <tr> <td>3</td> <td>Help People </td> </tr></tbody></table><br /><p>If we are asked to display the user's name along with his/her hobbies, first we create a function that fetches the hobbies of a user into a single column. The function is as follows</p><span id="fullpost"><br /><p class="code">CREATE FUNCTION [dbo].[get_hobbies]<br /><br />(<br />@usr_id int<br />)<br />RETURNS varchar(255)<br />AS<br />BEGIN<br />DECLARE @hobbies varchar(255)<br />DECLARE @temp varchar(255)<br /><br />SET @hobbies = ''<br />SET @temp = ''<br /><br />DECLARE HbCur CURSOR FOR SELECT hobby FROM users inner join hobbies on users.[user_id] = hobbies.[user_id] WHERE users.[user_id]=@usr_id<br /><br />OPEN HbCur<br />FETCH next FROM HbCur INTO @temp<br />WHILE @@Fetch_Status = 0<br />BEGIN<br /> SET @hobbies = @hobbies + @temp + ', '<br /> FETCH next FROM HbCur INTO @temp<br />END<br /><br /><br />CLOSE HbCur<br />DEALLOCATE HbCur<br /><br />--remove the last unnecessary comma (LEN ignores the trailing space, so LEN-1 cuts the comma)<br />--guard: for a user with no hobbies @hobbies is still '', and SUBSTRING with length -1 raises an error<br />IF LEN(@hobbies) > 0<br /> SET @hobbies = substring(@hobbies, 1, len(@hobbies)-1)<br /><br />RETURN @hobbies<br />END</p><br /><p>The function is quite self-explanatory. 
The body of the function starts after the keyword <span style="font-weight:bold;">BEGIN</span> and ends at the <span style="font-weight:bold;">END</span> keyword. It takes the <span style="font-weight:bold;">user_id</span> as a parameter, which is used to select all hobbies of that user. Two variables are declared, @hobbies and @temp, to store the hobbies returned by the query. Next, we declare a <span style="font-weight:bold;">CURSOR</span> that holds the hobbies from the query, which can then be iterated to get each hobby. Then there is a loop that fetches every single hobby into the <span style="font-weight:bold;">@temp</span> variable, which is then appended to the <span style="font-weight:bold;">@hobbies</span> variable holding all of the hobbies separated by commas. Last, the function returns all of the hobbies.</p><br /><p>To test the function you can run the following SQL </p><br /><p class="code">SELECT [dbo].[get_hobbies] (1) </p><br /><p>This is the output when I run the query. 
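As an added example (not from the original post), here is the full query the post set out to produce, each user's name with the list of hobbies: first through the get_hobbies function above, then as a set-based alternative that needs no cursor. It assumes only the users and hobbies tables shown above.

```sql
-- Added example, not from the original post. Assumes the users and hobbies
-- tables shown above exist in the current database (SQL Server 2005 or later).

-- 1. Call the scalar function once per user row.
SELECT u.[user_id],
       u.user_name,
       dbo.get_hobbies(u.[user_id]) AS hobbies
FROM users AS u
ORDER BY u.[user_id];

-- 2. Same result without a cursor: a correlated subquery builds the list with
--    FOR XML PATH('') and STUFF removes the leading ', '. The inner ORDER BY
--    makes the order of the hobbies deterministic, which the cursor version
--    (no ORDER BY in its SELECT) does not guarantee.
SELECT u.[user_id],
       u.user_name,
       STUFF((SELECT ', ' + h.hobby
              FROM hobbies AS h
              WHERE h.[user_id] = u.[user_id]
              ORDER BY h.hobby
              FOR XML PATH(''), TYPE).value('.', 'varchar(255)'),
             1, 2, '') AS hobbies
FROM users AS u
ORDER BY u.[user_id];
-- A user with no hobby rows gets NULL from query 2 and '' from query 1.
-- SQL Server 2017 and later can express the same with STRING_AGG(h.hobby, ', ').
```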
</p><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPUHfxyGP4aWMFG3go3lG4FeNrD1t9dy5NCcDcrf2cNdQMy3lrY5piY5EsnYKxw53b7azV9WnUINt2dbZ0yhljlKoFQRysa91q_dq8LlPqB5Qqp3Rke3ILOXc2AsnupvCt2yN3KqYeIvU/s1600/fetch_result.JPG"><img style="display: block; margin: 0px auto 10px; text-align: center; cursor: pointer; width: 180px; height: 36px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPUHfxyGP4aWMFG3go3lG4FeNrD1t9dy5NCcDcrf2cNdQMy3lrY5piY5EsnYKxw53b7azV9WnUINt2dbZ0yhljlKoFQRysa91q_dq8LlPqB5Qqp3Rke3ILOXc2AsnupvCt2yN3KqYeIvU/s320/fetch_result.JPG" alt="" id="BLOGGER_PHOTO_ID_5544146649748826834" border="0" /></a><br /></span>zorohttp://www.blogger.com/profile/00564686625378860909noreply@blogger.com0tag:blogger.com,1999:blog-5960703546293884343.post-13647832334538824512010-11-17T01:51:00.001-08:002010-12-20T05:57:01.757-08:00ORACLE: Load Data from a File<p>If you are asked to load data from a file in Oracle, you can use external tables. External tables allow you to query data from a file and treat it almost like a table (there are some limitations to external tables: you cannot create an index on them, and you cannot INSERT into or UPDATE an external table). Let's practice through an example.</p><br /><p>Let's say that we have this csv file named records.csv</p><br /><pre><br />76,10,0110,0.00,460008<br />77,10,0210,350000.00,460009<br />78,30,0110,0.00,430084<br />79,10,0110,500000.00,430085<br />80,30,0110,0.00,497014</pre><br /><br /><span id="fullpost"><br /><p>The first step is to determine which folder you want this file to be put into. What matters here is that Oracle must have read and write access to the file. For this example, we create a new directory, 'C:\Data'. 
After physically creating the directory, we then create a directory object in Oracle</p><br /><p class="code">CREATE DIRECTORY records_dir AS 'C:\Data';</p><br /><p>Here, <span style="font-weight:bold;">records_dir</span> is the unique name of the directory object; you can name your directory something else. A directory object is a door from the database into the server's filesystem, so grant READ and WRITE on it only to the schema that has to load the file (here called loader, a placeholder name) and never to PUBLIC:</p><br /><p class="code">GRANT READ, WRITE ON DIRECTORY records_dir TO loader;</p><br /><p>Then we create the table which defines the external table. In the <span style="font-weight:bold;">CREATE TABLE</span> statement, we define what fields are in the external table, which directory object it reads from, the filename, and so on. For this example we create a table named records_table</p><br /><p class="code">CREATE TABLE records_table (<br /><br />record_no int,<br /><br />code int,<br /><br />message varchar2(4),<br /><br />amount number(8,2),<br /><br />message2 varchar(6)<br /><br />)<br /><br />ORGANIZATION EXTERNAL (<br /><br />DEFAULT DIRECTORY records_dir<br /><br />ACCESS PARAMETERS (<br /><br />records delimited by newline<br /><br />fields terminated by ','<br /><br />)<br /><br />LOCATION ('records.csv')<br /><br />); </p><br /><p>Because the file is a csv file, we define the terminating character for each field as ','. 
External tables can also load data from a fixed-column file.</p><br /><p>We can then select the data from the external table with a SELECT statement (you can also add a WHERE clause) </p><br /><p class="code">SELECT * FROM records_table </p><br /><p>Here is an example of the output, run from Toad</p><br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5xzlozW6v5HKCyR1aZMh6Si2_56PBovMMfR3GUfRGzimiCV1dAwe_h_h9NpsVazPz8I2jinmH4X6PuI3_2iBrhW_IlzjbuIYgIHPx9VepY9_FnBTx9UzEy-d_71e6HIhPVFGnB29aknQ/s1600/extern_table.JPG"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 316px; height: 130px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5xzlozW6v5HKCyR1aZMh6Si2_56PBovMMfR3GUfRGzimiCV1dAwe_h_h9NpsVazPz8I2jinmH4X6PuI3_2iBrhW_IlzjbuIYgIHPx9VepY9_FnBTx9UzEy-d_71e6HIhPVFGnB29aknQ/s320/extern_table.JPG" border="0" alt=""id="BLOGGER_PHOTO_ID_5540454400052664914" /></a><br /><br /><p>You can then insert the data from the external table into a regular table. </p><br /><p class="code">CREATE TABLE in_records_table as<br /><br />(SELECT * FROM records_table);</p><br /><p>You can also set the <span style="font-weight:bold;">REJECT LIMIT</span> parameter of the external table. If Oracle finds an error while processing a record, the record is rejected, and if the number of rejected records exceeds the REJECT LIMIT, your SELECT statement fails (the default is 0, so a single bad record fails the query; UNLIMITED accepts any number). You can change the REJECT LIMIT parameter with the statement </p><br /><p class="code">ALTER TABLE table_name REJECT LIMIT value</p><br /><p>While processing a SELECT against an external table, Oracle also writes a bad file, a discard file and a log file. The bad file contains all of the rejected records, while the log file shows what Oracle did while processing the external table, for example why a record was rejected. 
By default they are written to the table's default directory, the same directory object as the input file, which is why the Oracle process needs write access there. </p><br /><p>Another way to load data from a file into Oracle is the <span style="font-style:italic;">sqlldr</span> command. See <a href="http://www.orafaq.com/wiki/SQL*Loader_FAQ">here</a> for how to use it. </p><br /></span>zorohttp://www.blogger.com/profile/00564686625378860909noreply@blogger.com0tag:blogger.com,1999:blog-5960703546293884343.post-64562972768854587682010-11-11T07:17:00.000-08:002010-12-20T05:31:40.718-08:00Findstr Command<br /><br /><br /><br /><p>Sometimes we need to count how many lines there are in a file. This is easy if we only have to count all of the lines/records in the file, but we might need to count only the records containing a certain string. We can do this with the Windows command-prompt <strong>findstr</strong> and <strong>find</strong> commands. </p><br /><p>The syntax of the findstr command is </p><br /><p class="code">findstr "certain string" file.txt</p><br /><p>Above is the simplest way to use findstr. You can see the full list of options by typing findstr /?. Use /N to print the line number in front of each line. Note that findstr treats a space in the search string as a separator between several search strings: in the example above it finds every line that contains "certain" or "string". To search for a contiguous string that contains a space, use the /C: option: with /C:"certain string", findstr finds the lines containing "certain string" literally. You can also pipe the output to another command or redirect it to a file. </p><br /><span id="fullpost"><br /><p>I was once asked to count the number of records in a file whose transaction code is 200, whose amount is zero, and so on. Because the file is large, doing it manually would be tedious. 
Here's the findstr command that I used.</p><br /><p class="code">findstr " 200 " file.txt | findstr /N " 0.00 " > out.txt </p><br /><p>The first findstr selects the lines containing the string " 200 " and pipes them to a second findstr that keeps only the lines also containing " 0.00 ". So, all the commands do is search for lines that contain both " 200 " and " 0.00 ". In the end, the output is redirected to the file out.txt, which I can open to check the result. With the /N option, the lines in out.txt carry their original line numbers.</p><br /><p>I redirect the output to a file so that I can check it and process it further for other purposes. If you are sure that all of the output lines are the lines you want, you can pipe the output of <strong>findstr</strong> into the <strong>find</strong> command with its /C option, which prints the count of matching lines instead of the lines themselves.</p><br /><p class="code">findstr " 200 " file.txt | findstr " 0.00 " | find /C "200" </p><br /></span>zorohttp://www.blogger.com/profile/00564686625378860909noreply@blogger.com0tag:blogger.com,1999:blog-5960703546293884343.post-54790094694205189732010-11-07T07:40:00.000-08:002010-11-08T06:57:11.794-08:00SQL: Selecting Columns from Different Rows <p>There might be times when you have to show values from different records as one row. This could be for reporting needs, or because of the design of the table in the database. 
Let's say that you have a table that looks like the following:</p><table border="1"><tr><th scope="col">Name</th><th scope="col">Tax Type </th><th scope="col">Number1</th><th scope="col">Number2</th></tr><tr><td>Roy Raphael </td> <td>Housing</td><td>NULL</td><td>5000</td></tr><tr><td>Sam Murphy </td><td>Medical</td><td>1000</td><td>NULL</td></tr><tr><td>Sam Murphy </td><td>Housing</td><td>NULL</td><td>3000</td></tr><tr><td>Roy Raphael </td><td>Medical</td><td>800</td><td>NULL</td></tr></table><br /><p>If you want to display the sum of all the tax types for a single person in one row, one way to do it is with the CASE expression. This article assumes that there are only two tax types in the table, so no query for a dynamic number of columns is covered. The expected result looks like the following:</p><table border="1"><tr><th scope="col">Name</th><th scope="col">Housing</th><th scope="col">Medical</th></tr><tr><td>Roy Raphael </td><td>5000</td><td>800</td></tr><tr><td>Sam Murphy </td> <td>3000</td><td>1000</td></tr></table><br /><span id="fullpost"><br /><p>Using CASE, we decide which data goes into which column. </p><br /><div class="code">select sum(case when col1 = 'value' then col2 end) as ps_column </div><br /><p>In the case above, if the Tax Type value is 'Housing' we put the amount into a pseudo-column named Housing, and we do the same for the Medical tax. In the sample table the Medical amounts are stored in Number1 and the Housing amounts in Number2, so the final query is:</p><br /><div class="code">select [name], sum(case when [Tax Type] = 'Housing' then isnull(Number2, 0) end) as Housing, sum(case when [Tax Type] = 'Medical' then isnull(Number1, 0) end) as Medical from taxes group by [name] </div><br /><p>The above query is T-SQL, specific to SQL Server (note that a column alias cannot contain a hyphen unless it is quoted). 
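</p><p>As an added example (not code from the original post), here is the same pivot run through Python's built-in sqlite3 module on constructed rows that mirror the table above, plus one extra person who has only a Housing row. The column names are the post's; Medical amounts are read from Number1 and Housing amounts from Number2. It also shows why wrapping the SUM in COALESCE (ISNULL on SQL Server) matters while an ISNULL inside the CASE does not:</p>

```python
import sqlite3

# Constructed sample data (not from the original post): the four rows of the
# post's table plus one person who has only a Housing row, to show what
# SUM(CASE ...) returns when a person has no row of a given tax type.
SAMPLE_ROWS = [
    ("Roy Raphael", "Housing", None, 5000),
    ("Sam Murphy", "Medical", 1000, None),
    ("Sam Murphy", "Housing", None, 3000),
    ("Roy Raphael", "Medical", 800, None),
    ("Ann Lee", "Housing", None, 2000),
]

# Same column names as the post. Medical amounts live in Number1 and Housing
# amounts in Number2, so each CASE branch reads the column for its tax type.
# {wrap_open}/{wrap_close} are filled with COALESCE( ... , 0) or nothing.
PIVOT_SQL = """
SELECT [name],
       {wrap_open}SUM(CASE WHEN [Tax Type] = 'Housing' THEN Number2 END){wrap_close} AS Housing,
       {wrap_open}SUM(CASE WHEN [Tax Type] = 'Medical' THEN Number1 END){wrap_close} AS Medical
FROM taxes
GROUP BY [name]
ORDER BY [name]
"""


def _load(rows):
    """Create an in-memory table shaped like the post's table and fill it."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE taxes ([name] TEXT, [Tax Type] TEXT, Number1 INTEGER, Number2 INTEGER)"
    )
    conn.executemany("INSERT INTO taxes VALUES (?, ?, ?, ?)", rows)
    return conn


def pivot_taxes(rows=SAMPLE_ROWS, fill_missing=True):
    """Return one (name, housing, medical) tuple per person.

    SUM() skips NULLs, so an ISNULL inside the CASE changes nothing. What
    matters is a SUM over *no* matching rows, which is NULL; wrapping the SUM
    in COALESCE (portable; SQL Server's ISNULL behaves the same here) turns
    that into 0. With fill_missing=False the NULL is left in place.
    """
    if fill_missing:
        sql = PIVOT_SQL.format(wrap_open="COALESCE(", wrap_close=", 0)")
    else:
        sql = PIVOT_SQL.format(wrap_open="", wrap_close="")
    conn = _load(rows)
    try:
        return conn.execute(sql).fetchall()
    finally:
        conn.close()


if __name__ == "__main__":
    for row in pivot_taxes():
        print(row)
```

<p>Run as a script it prints Ann Lee with Medical 0; with fill_missing=False the same cell comes back as NULL, because a SUM over a group with no matching rows returns NULL rather than 0.</p><p>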
The isnull function turns a NULL in the selected column into 0. Note that SUM already ignores NULLs, so this only makes a difference when every matching value is NULL; a person with no row of a given tax type still gets NULL in that column, and to show 0 there you would wrap the whole sum instead: isnull(sum(case ... end), 0). Also make sure the names match exactly, because GROUP BY treats a misspelled name (such as 'Sam Muprhy') as a different person.</p><br /></span>zorohttp://www.blogger.com/profile/00564686625378860909noreply@blogger.com0tag:blogger.com,1999:blog-5960703546293884343.post-26032559386674109942010-07-09T19:38:00.000-07:002010-07-09T19:45:05.571-07:00Configuring SSH<p><strong>Always use SSH, telnet is gone.</strong></p><br /><p>Configuring SSH includes configuring a domain name (<strong><em>ip domain-name WORD</em></strong>), generating an RSA key pair (<strong><em>crypto key generate rsa</em></strong>), allowing only SSH on the vty lines (<strong><em>transport input ssh</em></strong>), and telling the vty lines where to find the username and password list (<strong>login local</strong> to use accounts defined on the router itself with <strong><em>username WORD secret WORD</em></strong>, or <strong>login authentication WORD</strong> to use an AAA method list). You should also force protocol version 2 with <strong><em>ip ssh version 2</em></strong>; SSH version 1 has known weaknesses.</p><br /><p>First you have to configure a domain name for your router with the command (enter this command at the global configuration level) </p><span id="fullpost"><br /><p align="center">ip domain-name WORD</p><br /><p>WORD: the domain name string.</p><br /><p>Then you generate the RSA key pair with the command </p><br /><p align="center">crypto key generate rsa [general-keys | usage-keys] [modulus NUMBER] </p><br /><p>When you create an RSA key pair, there are two choices:</p><br /><ol><br /><li><strong>General-keys</strong>. By default Cisco routers use the same key pair for all services (SSH, HTTPS, …)</li><br /><li><strong>Usage-keys</strong>. Usage-keys create two separate key pairs, one for signing and one for encryption. </li><br /></ol><br /><p>The modulus sizes supported on the platforms of that time ranged from 360 bits to 2048 bits. Use at least <strong>2048</strong> bits; 1024-bit keys are no longer considered adequate. On old routers (2500, 2600 series), generating a 2048-bit key can take a long time (10 – 15 minutes). 
</p><br /><p>You can tune some SSH options with the following commands (from the global configuration level)</p><br /><p align="center">ip ssh time-out NUMBER</p><br /><p>NUMBER: the negotiation timeout in seconds, 1-120.</p><br /><p align="center">ip ssh authentication-retries NUMBER</p><br /><p>NUMBER: 0-5 retries. Keep the retry count low; it bounds how many password guesses one connection gets.</p><br /><br /></span>zorohttp://www.blogger.com/profile/00564686625378860909noreply@blogger.com0tag:blogger.com,1999:blog-5960703546293884343.post-83683873351675808572010-07-03T05:57:00.001-07:002010-07-03T06:00:32.246-07:00Configuring SNMP<p><strong>Simple Network Management Protocol </strong>is good for gathering information on a per-interface basis. SNMP versions 1 and 2c have no real authentication: access is controlled only by a community string. SNMP version 1 is an old protocol; its 32-bit counters wrap too quickly to monitor gigabit links. SNMP version 2c was released primarily to solve that problem with 64-bit counters, so that you can monitor high-bandwidth links, along with some other enhancements over version 1. SNMP version 3 added security: authentication and encryption.</p><br /><br /><span id="fullpost"><br /><br /><p>The following command configures SNMP version 1 or 2c.</p><br /><p align="center">snmp-server community <strong>WORD</strong> [view VIEW] [ro | rw] [ACL]</p><br /><p><strong>WORD</strong>: the community string for the SNMP community (server).<br /><br /> <strong>ro</strong>: allow other devices (servers) in this community only to read information from this router. Usually you will want to use this mode.<strong><br /><br /> rw</strong>: allow other devices to read and write information on this device. Only grant this if something really has to change settings through SNMP; a leaked read-write community string gives full control of the device.<br /><br /> <strong>ACL</strong>: you can use an ACL to specify which devices can use the community string in ro or rw mode, so you can say that devices coming from this address get rw mode, and so on. Here you specify either the number of the ACL or the name of the ACL. 
</p><br /><br /><p>SNMP works like this: <strong>the community string is the only identifier that you need to access SNMP information</strong> from the router and <strong>it is sent in clear text</strong>. So if anybody else sends an SNMP request message to the router with the right community string, the router agrees to give SNMP information to that person. Anyone who can sniff the traffic between the management station and the router gets the string for free, which is why v1/v2c should always be restricted with an ACL and a read-only view, and why the default strings "public" and "private" must never be left in place. </p><br /><br /><p><strong>Management Information Base</strong> (MIB). The MIB is the tree of everything the device exposes; each item in it is identified by an <strong>object identifier (OID)</strong>, the <strong>string that identifies what information you want to access</strong> or change if you have read-write access. It can be written as a series of numbers or as names. Let's say that the SNMP server requests information from your router for the OID <em>1.2.3.6.9.12</em>; that series of numbers identifies one specific piece of information in your router. Maybe that's the identifier for the hostname, the bandwidth utilisation or the running configuration: with read-write access an attacker can even make the router copy its configuration to a TFTP server of their choice. Cisco has its own MIBs in addition to the standard ones.</p><br /><br /><p>You can restrict which parts of the MIB can be reached with a view (if you don't configure one, every object on the router can be read with a valid community string)</p><br /><p align="center">snmp-server view VIEW-NAME OID-TREE {included | excluded}</p><br /><p>and then attach the view to the community string with the <strong>view</strong> keyword of the snmp-server community command.</p><br /><br /><p><strong>To configure SNMP v3</strong>, first you have to configure the <strong>local engine ID</strong> for the router by the command</p><br /><p align="center">snmp-server engineID local HEX</p><br /><p>HEX: hexadecimal (0-9, A-F) value with a minimum of 10 characters. IOS stores the engine ID as a fixed-length value. 
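</p><p>The clear-text point above, as an added example that is not part of the original post: a minimal BER encoder/decoder in Python that builds an SNMPv1/v2c GetRequest the way a management station would, and then pulls the version, community string and PDU type straight back out of the raw datagram, which is exactly what anyone sniffing the management network can do. The OID, community strings and request ID are constructed values, and the code uses only the standard library. It sits here because the v3 configuration that follows is the fix for this.</p>

```python
"""Build and decode SNMPv1/v2c messages to show the community string in the clear."""

# PDU type tags (context-specific, constructed) from RFC 1157 / RFC 1905.
PDU_TYPES = {
    0xA0: "GetRequest",
    0xA1: "GetNextRequest",
    0xA2: "GetResponse",
    0xA3: "SetRequest",
    0xA4: "Trap",
    0xA5: "GetBulkRequest",
}
VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}


def _encode_tlv(tag, payload):
    """BER tag-length-value, short or long form length."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def _encode_int(value):
    """BER INTEGER for non-negative values (enough for version / request-id)."""
    raw = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if raw[0] & 0x80:  # keep the value positive in two's complement
        raw = b"\x00" + raw
    return _encode_tlv(0x02, raw)


def _encode_oid(dotted):
    """BER OBJECT IDENTIFIER: first two arcs packed into one byte, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _encode_tlv(0x06, bytes(out))


def build_request(community, oid, version=0, pdu_tag=0xA0, request_id=1):
    """Construct an SNMP v1 (version=0) or v2c (version=1) request for one OID."""
    varbind = _encode_tlv(0x30, _encode_oid(oid) + _encode_tlv(0x05, b""))  # OID + NULL
    pdu = _encode_tlv(
        pdu_tag,
        _encode_int(request_id) + _encode_int(0) + _encode_int(0)  # error-status, error-index
        + _encode_tlv(0x30, varbind),
    )
    return _encode_tlv(0x30, _encode_int(version) + _encode_tlv(0x04, community.encode()) + pdu)


def _decode_tlv(buf, i):
    """Return (tag, value_bytes, index_after_value) for the TLV starting at buf[i]."""
    tag = buf[i]
    first = buf[i + 1]
    if first < 0x80:
        length, j = first, i + 2
    else:
        n = first & 0x7F
        length, j = int.from_bytes(buf[i + 2:i + 2 + n], "big"), i + 2 + n
    return tag, buf[j:j + length], j + length


def decode_message(packet):
    """Pull version, community string and PDU type out of a raw SNMP datagram.

    Everything an observer needs to reuse the credential is right here: no
    hashing, no encryption. In a v3 message the second element is the
    msgGlobalData SEQUENCE instead of a community string, so None is returned.
    """
    tag, body, _ = _decode_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    vtag, vbody, i = _decode_tlv(body, 0)
    if vtag != 0x02:
        raise ValueError("version INTEGER missing")
    version = VERSIONS.get(int.from_bytes(vbody, "big"), "unknown")
    ctag, cbody, i = _decode_tlv(body, i)
    if ctag != 0x04:
        return {"version": version, "community": None, "pdu": None}
    ptag, _, _ = _decode_tlv(body, i)
    return {
        "version": version,
        "community": cbody.decode("latin-1"),
        "pdu": PDU_TYPES.get(ptag, "unknown"),
    }


if __name__ == "__main__":
    # Constructed example: GetRequest for sysName.0 with the classic default community.
    pkt = build_request("public", "1.3.6.1.2.1.1.5.0")
    print(pkt.hex())
    print(decode_message(pkt))
```

<p>The same decoder run over a SetRequest reports "SetRequest" together with the read-write community string, which is the message you least want to see on a shared segment.</p><p>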
If you type fewer characters than the fixed length, IOS pads the rest with zeros.</p><br /><br /><p>Then you want to configure the <strong>SNMP group</strong></p><br /><br /><p align="center">snmp-server group WORD v3 {auth | noauth | priv}</p><br /><br /><p>Here, you name the group (SNMP_CROWS in the author's example), specify the version it uses and whether users must authenticate to access this SNMP group (auth) and whether SNMP packets in this group are encrypted as well (priv). noauth gives neither and is no better than v2c.</p><br /><br /><p>After that, you configure the <strong>users</strong> for the <strong>SNMP groups</strong></p><br /><br /><p align="center">snmp-server user WORD1 WORD2 v3 {auth [md5 | sha] WORD3} {priv [3des | des | aes {128 | 192 | 256}] WORD4}</p><br /><p><strong>WORD1</strong>: the name of the user.<br /><br /><strong>WORD2</strong>: the name of the group that the user belongs to.<br /><br /><strong>WORD3</strong>: the password for authentication (at least 8 characters).<br /><br /><strong>WORD4</strong>: the privacy password for the user.<br /><br /><br /></p><p>This command maps the user to the SNMP group and specifies that this user will use v3. Note that this command has other parameters as well. </p><br /><p>If you choose to use authentication, you pick the hashing method, either <span style="font-weight: bold;">md5 </span>or <span style="font-weight: bold;">sha</span>; prefer sha. Then enter the password that the user must present to access this SNMP group.</p><br /><p>If you choose to use encryption (priv) you specify the encryption method and the encryption key. The available encryption methods are 3des, des and aes. 
DES is not strong enough for encryption any more (3DES is only marginally better); prefer aes 128 together with sha, though even des is better than no encryption at all.</p><br /><p>You can also specify an ACL to limit which addresses this user may connect from.</p><br /><br /></span>zorohttp://www.blogger.com/profile/00564686625378860909noreply@blogger.com0tag:blogger.com,1999:blog-5960703546293884343.post-66176472262109688942010-06-27T03:20:00.000-07:002010-06-27T03:28:33.302-07:00EIGRP Stuck in Active<p>Each time there is a change in the network (the successor path is lost) and no feasible successor is available, an EIGRP router sends a query asking whether any other route to the unreachable network exists. This router <strong>waits for replies on all of its active EIGRP interfaces except the down link</strong>. If for some reason replies are not received, the missing route stays in the Active state. The router <strong>waits for 3 minutes before the neighbor adjacency with the neighbor that fails to reply is reset</strong>.</p><br />When an EIGRP neighbor receives a query for a route, it behaves as follows:<br /> <span id="fullpost"><ul type="disc"><br /> <li>If the EIGRP topology table <strong>does not currently contain an entry for the route</strong>, then the router immediately replies to the query with an <strong>unreachable message</strong>, stating that there is no path for this route through this neighbor.</li><br /> <li>If the EIGRP topology table <strong>lists the querying router as the successor for this route</strong> and<strong> a feasible successor exists</strong>, then the feasible successor is installed and the router immediately replies to the query.</li><br /> <li>If the EIGRP topology <strong>table lists the querying router as the successor for this route</strong> and <strong>a feasible successor does not exist</strong>, then the router <strong>queries all of its EIGRP neighbors</strong> except those reached through the same interface as its former successor. 
The router will not reply to the querying router until it has received a reply to all the queries that it originated for this route.</li><br /> <li>If the query was received from a neighbor that is <strong>not the successor for this destination</strong>, then the router <strong>replies with its successor information.</strong></li><br /></ul><p>The most common reasons for SIA routes are as follows:</p><ul type="disc"><br /> <li>The router is too busy to answer the query because of high CPU usage or memory problems, and cannot allocate the memory to process the query or build the reply packet.</li><br /> <li>The link between the two routers is poor, so some packets are lost between them. The router receives enough packets to maintain the neighbor relationship, but not all of the queries or replies.</li><br /> <li>A failure causes traffic on a link to flow in only one direction; this is called a unidirectional link.</li><br /> <li>Too many alternate paths through the network can create EIGRP convergence problems. This complexity creates an ideal condition for a router to become SIA as it waits for responses to queries that are propagating through those many alternate paths.</li><br /></ul><br /><p>There are two methods to solve this problem:</p><ul type="disc"><li><br /> <strong>Configuring a Stub Router</strong><br /><br /> A stub router sends a special peer information packet to all neighbor routers to report its status as a stub router.<br /><br />Any neighbor that receives a packet informing it of the stub status does not query the stub router for any routes, but still sends replies and updates to the stub router. 
This is different from a passive interface, which stops EIGRP from sending hellos (and therefore from forming adjacencies) on that interface while the connected network is still advertised.<br /><br /> To configure a router to be a stub router, first enter the EIGRP configuration level and enter the following command.<br /> <br /> <center style="font-family: courier new;">eigrp stub [receive-only | connected | static | summary]</center><br /><br /> <br /> <strong>receive-only</strong>: Prevents the stub from sending any type of route.<br /><br /> <strong>connected</strong>: Permits the stub to send connected routes (may still need to redistribute).<br /><br /> <strong>static</strong>: Permits the stub to send static routes (may still need to redistribute).<br /><br /> <strong>summary</strong>: Permits the stub to send summary routes.<br /><br /><br /> <br /> If you just enter the command <strong style="font-family: courier new;">eigrp stub</strong> then the default parameters are <strong style="font-family: courier new;">connected</strong> and <strong style="font-family: courier new;">summary</strong>.<br /> </li><br /><br /><br /> <li><br /> <strong>Using Route Summarization</strong><br /><br /> Another way to solve this problem is route summarization. When a route goes down, the router sends query messages to its neighbors, but the receiving routers, instead of asking their own neighbors about the route again, simply say “No! 
I don’t have any other path to that route, because you told me you have the path for every network that starts with that address.”<br /> </li><br /></ul><p>To disable the stuck-in-active timer, use the following command at the EIGRP configuration level (this removes the safety net that resets a neighbor that never replies, so use it with care).</p><br /><center style="font-family: courier new;">timers active-time disable</center><br /><br /></span>zorohttp://www.blogger.com/profile/00564686625378860909noreply@blogger.com0tag:blogger.com,1999:blog-5960703546293884343.post-1978624143227636052010-06-24T20:21:00.000-07:002010-06-24T21:04:45.614-07:00OSPF Virtual Link<p>Virtual links make it possible to have an area that is not directly connected to area 0. But it is recommended that you redesign your network as soon as possible so that every non-backbone area connects to area 0.</p><br /><p><strong>Virtual links depend on the router ID</strong>, which is why it is a good idea to set your router ID manually with the router-id command. A router ID set that way never changes unless you change it to another value yourself, unlike one derived from the active loopback or physical interface, which can change by accident if you bring up another interface with a higher IP address than the existing one.</p><br /><br /><span id="fullpost"><br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzBUy5sEBeE9wnSrubJITNl0tKL7Db6Y6o-GvcOmDhgVNUCkXW6ZOB5jDR7uCdA1U4ktczqI__gV5xNZ6E5zgtV_zFkxyCh4c_xEkkYv2ZqAfHgQ6I4cZX_bARCYu2XYCwyVd-6Hd2at4/s1600/scheme.JPG"><img style="display: block; margin: 0px auto 10px; text-align: center; cursor: pointer; width: 320px; height: 182px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzBUy5sEBeE9wnSrubJITNl0tKL7Db6Y6o-GvcOmDhgVNUCkXW6ZOB5jDR7uCdA1U4ktczqI__gV5xNZ6E5zgtV_zFkxyCh4c_xEkkYv2ZqAfHgQ6I4cZX_bARCYu2XYCwyVd-6Hd2at4/s320/scheme.JPG" alt="" id="BLOGGER_PHOTO_ID_5486555201365580210" border="0" /></a><br /><br /><p>To configure a 
virtual link, go to the ABRs, R2 and R3 in the case above, enter the OSPF process configuration level and use the following command</p><br /><p align="center">area <span style="font-weight: bold;">AREA-NUMBER</span> virtual-link <span style="font-weight: bold;">ROUTER-ID</span></p><br /><p> </p><br /><p><span style="font-weight: bold;">AREA-NUMBER</span>: the transit area, the area that both routers reside in. In the picture above, because both R2 and R3 reside in area 1, the AREA-NUMBER here should be 1. </p><br /><p><span style="font-weight: bold;">ROUTER-ID</span>: the router ID of the other ABR that you want to build the virtual link with.</p><br /><p>That command must be entered on both routers (both ABRs) at the ends of the virtual link, in this case R2 and R3.</p><br /><p>The virtual link makes R3 believe that it is directly connected to area 0.</p><br /><p>The virtual link command actually <strong>creates a tunnel</strong> between both routers; in a CCIE lab, you might be asked to create a virtual link without using the virtual-link command. </p><br /><p>Let's configure a virtual link based on the case above. At this point, I have configured the interfaces and OSPF on all three routers in the picture. R3 has loopback interfaces on the networks <span style="font-family: courier new;">172.16.1.0/24, 172.16.2.0/24, 172.16.3.0/24</span> and all routers are running OSPF process number 10. R1 is configured with router ID <span style="font-family: courier new;">1.1.1.1</span>, R2 with router ID <span style="font-family: courier new;">2.2.2.2</span> and R3 with router ID <span style="font-family: courier new;">3.3.3.3</span>. But I haven't configured a virtual link between R2 and R3 yet. 
Here's the configuration of all 3 routers.</p><br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzd0Y-d0H5E53cI3Iv8wLgCNgNQ95xPzs42J0CIL4nLxmvSauVO_Aeq2gAIauXTzZ42jDBlJE2AqBJjTExN78UKyB6PrxJ-k4Bv_Sxo7MU5a9Ab9QIMFDjM29Cu6AZhKjJpEIKrIYNQHg/s1600/1-configuration.jpg"><img style="display: block; margin: 0px auto 10px; text-align: center; cursor: pointer; width: 320px; height: 224px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzd0Y-d0H5E53cI3Iv8wLgCNgNQ95xPzs42J0CIL4nLxmvSauVO_Aeq2gAIauXTzZ42jDBlJE2AqBJjTExN78UKyB6PrxJ-k4Bv_Sxo7MU5a9Ab9QIMFDjM29Cu6AZhKjJpEIKrIYNQHg/s320/1-configuration.jpg" alt="" id="BLOGGER_PHOTO_ID_5486555663205666898" border="0" /></a><br /><br /><p>At this point, R1 doesn't have routes to the <span style="font-family: courier new;">172.16.0.0/16</span> networks behind R3. R3, however, has a route to network <span style="font-family: courier new;">192.168.0.0/24</span>, which is the R1-R2 link. </p><br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiu2K8euMjVou2_yQl9LXHCnSLTJd0qzUbSeBLcsEFh3Adz3t1f1cfDLo5DvQJgg8X6SQOZ_uPpN_RTqlSdZUzmHU9iHCvWyn_3NuZ0elKXAaoWfV30iMTI_zhopJkPZ11pMcJbCHfLibQ/s1600/1.JPG"><img style="display: block; margin: 0px auto 10px; text-align: center; cursor: pointer; width: 320px; height: 107px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiu2K8euMjVou2_yQl9LXHCnSLTJd0qzUbSeBLcsEFh3Adz3t1f1cfDLo5DvQJgg8X6SQOZ_uPpN_RTqlSdZUzmHU9iHCvWyn_3NuZ0elKXAaoWfV30iMTI_zhopJkPZ11pMcJbCHfLibQ/s320/1.JPG" alt="" id="BLOGGER_PHOTO_ID_5486555667713909602" border="0" /></a><br /><br /><br /><br /><p>Let's configure a virtual link between R2 and R3. As shown above, the configuration is simple. 
First we connect to R2, go to the OSPF process number 10 configuration level and enter the command "<span style="font-style: italic; font-weight: bold;">area 1 virtual-link 3.3.3.3</span>" and at R3 go to the OSPF process number 10 configuration level and enter the command "<span style="font-style: italic; font-weight: bold;">area 1 virtual-link 2.2.2.2</span>". Now, if we connect to R1 and do the "<span style="font-style: italic;">show ip route</span>" command, we will see routes to <span style="font-family: courier new;">172.16.0.0/16</span> networks.</p><br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWdByI59yB1r_bpFRLeiD1mg4XjajdHRHdhuQuqOLXk42NvD7-fHraynONwy3y2JAwFLbyeF71DD2DGh9BoAYsS63LVvSjVsmq7NAdy-remuDfX00rNL5DoXF7Vg5OtpemGTooYlP_N8M/s1600/2.JPG"><img style="display: block; margin: 0px auto 10px; text-align: center; cursor: pointer; width: 320px; height: 138px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWdByI59yB1r_bpFRLeiD1mg4XjajdHRHdhuQuqOLXk42NvD7-fHraynONwy3y2JAwFLbyeF71DD2DGh9BoAYsS63LVvSjVsmq7NAdy-remuDfX00rNL5DoXF7Vg5OtpemGTooYlP_N8M/s320/2.JPG" alt="" id="BLOGGER_PHOTO_ID_5486555678007427954" border="0" /></a><br /><br /><p>You can also do the "<span style="font-style: italic;">show ip ospf neighbor</span>" command at R2 or R3 and see that they are connected through the OSPF_VL0 interface.</p><br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgogt09GtgTB322-4f-mpZulsq5HUro42aNQTvzuQnuxQFEAi8opiEG6FqTCik3sDPgo-e7SxyhX9G_H2T5nyNu8NzMWsyzBIe7jIn1fcwlQyVgfFOfTyTNTfL8AnCAYo2bbolDGyi3mDI/s1600/3.JPG"><img style="display: block; margin: 0px auto 10px; text-align: center; cursor: pointer; width: 320px; height: 47px;" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgogt09GtgTB322-4f-mpZulsq5HUro42aNQTvzuQnuxQFEAi8opiEG6FqTCik3sDPgo-e7SxyhX9G_H2T5nyNu8NzMWsyzBIe7jIn1fcwlQyVgfFOfTyTNTfL8AnCAYo2bbolDGyi3mDI/s320/3.JPG" alt="" id="BLOGGER_PHOTO_ID_5486555688554553458" border="0" /></a><br /><br /></span>zorohttp://www.blogger.com/profile/00564686625378860909noreply@blogger.com0tag:blogger.com,1999:blog-5960703546293884343.post-75756204419312069872010-06-23T23:46:00.000-07:002010-06-23T23:52:51.010-07:00OSPF LSA Types<p>Link State Advertisements (LSAs) are the building blocks of OSPF. You need to know the OSPF LSA types because there are several OSPF area types and each of them blocks certain LSA types from entering the area. There are 11 types of OSPF LSA; these are the six you will meet most often:</p><br /><br /><br /><span id="fullpost"><br /><ul><br /> <li><strong>Router LSA (Type 1)</strong></li><br /><br /><p>The most common type of LSA. Every router generates one for each area it belongs to; it lists the router's links in that area and their costs. Like: here are my interfaces, here is 10.1.1.0/24 and here is the cost to reach it through me. It is flooded only within the area.</p><br /><br /> <li><strong>Network LSA</strong> (DR Generated) <strong>(Type 2)</strong></li><br /><br /><p>Only generated by the DR of a multi-access segment. It lists all routers attached to that segment (same switch/LAN), including the DR itself. This LSA is flooded to all routers in the area (not only to the routers on the same segment as the DR).</p><br /><br /> <li><strong>Summary LSA</strong> (ABR Summary route) <strong>(Type 3)</strong></li><br /><br /><p>Generated by an ABR to advertise networks from another area. Such a route is marked O IA (Inter-Area) in the routing table.</p><br /><br /> <li><strong>Summary LSA</strong> (ASBR Location) <strong>(Type 4)</strong></li><br /><br /><p>Generated by an ABR to advertise the router ID of an ASBR into other areas. 
Routers in other areas need it to work out how to reach the ASBR, and therefore the path to every external route it advertises.</p><br /><br /> <li><strong>External LSA</strong> (ASBR Summary route) <strong>(Type 5)</strong></li><br /><p>Routes redistributed into OSPF by an ASBR, from another routing protocol or from static routes. Marked O E1 or O E2 in the routing table.</p><br /><br /> <li><strong>NSSA External LSA (Type 7)</strong></li><br /><p>Generated by the ASBR in an NSSA (Not-So-Stubby Area), where type 5 LSAs are not allowed. The NSSA's ABR translates it into a type 5 LSA before flooding it into the backbone area.</p><br /></ul><br /></span>zorohttp://www.blogger.com/profile/00564686625378860909noreply@blogger.com0tag:blogger.com,1999:blog-5960703546293884343.post-88077972601192196612010-06-22T02:01:00.000-07:002010-06-22T02:11:43.622-07:00EIGRP Authentication<p>An EIGRP-enabled router may have authentication configured. Both routers must use the same mode and a matching key (same key ID and key string) for them to form an adjacency. </p><br /><p><br />An EIGRP-enabled router <strong>may have more than one key for authentication</strong>. This exists <strong>to automate key rollover</strong>: if later you decide it is time to change the EIGRP authentication password, you do not have to reconfigure all EIGRP routers at exactly the same moment to keep their keys in agreement.</p><br /><br /><p>Keys in EIGRP can be given a <strong>start and end date</strong> during which they are valid. Usually you allow a short overlap (<strong>an hour to a day</strong>) in which both the old key and the new key are accepted (two keys valid at a time). Say that on Dec 1st 2010 your old key expires and you make the new key valid from Nov 30th 2010; that gives a buffer in case some error prevents some EIGRP routers from communicating with each other during the change. Because all of this depends on the routers agreeing on the time, synchronise their clocks with NTP before you rely on lifetimes.</p><br /><br /><span id="fullpost"><br /><br /><p>To configure authentication in EIGRP, first you must create a <strong>key chain</strong> in global configuration mode.</p><br /><p align="center">key chain WORD</p><br /><p><strong>WORD</strong>: the name of the key chain. 
Example: key chain EIGRPAuth</p><br /><p>After entering the above command, you will be inside the key-chain configuration level. Here you can <strong>define as many keys</strong> as you like. The command is</p><br /><p align="center">key NUMBER </p><br /><p><strong>NUMBER</strong>: a number that identifies each key. The key ID is carried in the EIGRP packets, so it must match on both routers.</p><br /><p>After you enter that command you will be in the key configuration level. Here you specify <strong>the string of the key</strong> (the actual password) and the <strong>send-lifetime and the accept-lifetime</strong>. Send-lifetime specifies the period in which this router uses that key to sign the packets it sends; accept-lifetime specifies the period in which this router accepts packets signed with that key.</p><br /><p>The commands are</p><br /><p align="center">key-string WORD</p><br /><p align="center">accept-lifetime HH:MM:SS MONTH DATE YEAR HH:MM:SS MONTH DATE YEAR</p><br /><p align="center">send-lifetime HH:MM:SS MONTH DATE YEAR HH:MM:SS MONTH DATE YEAR</p><br /><p> </p><br /><p><strong>The first HH:MM:SS MONTH DATE YEAR is the start time, the second is the end time</strong> (the keyword infinite can be used instead of an end time).</p><br /><p>A complete key chain configuration, as it appears in the running configuration, following the rollover described above (key 1 expires on Dec 1st 2010, key 2 becomes valid one day earlier):</p><br /><pre>key chain EIGRPAuth<br /> key 1<br />  key-string student<br />  accept-lifetime 12:00:00 Jan 1 2010 12:00:00 Dec 1 2010<br />  send-lifetime 12:00:00 Jan 1 2010 12:00:00 Dec 1 2010<br /> key 2<br />  key-string cisco<br />  accept-lifetime 12:00:00 Nov 30 2010 12:00:00 Dec 1 2011<br />  send-lifetime 12:00:00 Nov 30 2010 12:00:00 Dec 1 2011</pre><br /><br /><p>You must create the same key chain configuration on the other EIGRP routers too. To avoid setting the wrong lifetimes and ending up in chaos because of mismatched keys, you can copy this block from the running configuration and paste it on the other routers. Remember that key strings are stored in the running configuration in clear text unless service password-encryption is on, and even then only with the reversible type 7 scheme, so protect configuration backups as you would the keys themselves.</p><br /><p>After making the key chain, you enable the authentication on a per-interface basis. 
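</p><p>As an added example (not code from the original post), here is a small Python model of the selection rules IOS applies to a key chain: the sender signs with the lowest key ID whose send-lifetime is current, and the receiver looks up the key by the key ID carried in the packet and checks its own accept-lifetime for that key. The chains are constructed from the rollover story above (key 1 expires on Dec 1st 2010, key 2 becomes valid on Nov 30th 2010); the MD5 digest comparison is modelled as a key-string comparison and lifetimes are treated as half-open intervals, both assumptions of the example rather than statements about IOS internals:</p>

```python
"""Model of IOS key-chain selection for EIGRP MD5 authentication (added example)."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Key:
    key_id: int
    key_string: str
    accept_start: datetime
    accept_end: datetime
    send_start: datetime
    send_end: datetime


def _current(start, end, now):
    # Assumption of this model: a lifetime is the half-open interval [start, end).
    return start <= now < end


def send_key(chain, now):
    """Key the router signs with at `now`: the lowest key ID whose send-lifetime is current."""
    for key in sorted(chain, key=lambda k: k.key_id):
        if _current(key.send_start, key.send_end, now):
            return key
    return None


def accepted_ids(chain, now):
    """Key IDs this router would accept from a peer at `now`."""
    return sorted(k.key_id for k in chain if _current(k.accept_start, k.accept_end, now))


def authenticates(sender_chain, receiver_chain, now):
    """Would a hello signed by `sender_chain` at `now` be accepted by `receiver_chain`?"""
    key = send_key(sender_chain, now)
    if key is None:
        return False  # nothing valid to sign with
    for candidate in receiver_chain:
        # The receiver selects the key by ID, then verifies the digest; the
        # digest check is modelled here as comparing the key strings.
        if candidate.key_id == key.key_id and _current(candidate.accept_start, candidate.accept_end, now):
            return candidate.key_string == key.key_string
    return False  # no key with that ID inside its accept window


def _key(key_id, key_string, start, end):
    """Helper: identical accept and send windows, as in the configuration above."""
    return Key(key_id, key_string, start, end, start, end)


# Constructed chains following the rollover story in the post.
ROLLOVER_CHAIN = (
    _key(1, "student", datetime(2010, 1, 1, 12), datetime(2010, 12, 1, 12)),
    _key(2, "cisco", datetime(2010, 11, 30, 12), datetime(2011, 12, 1, 12)),
)
# A peer whose configuration was never updated with key 2.
STALE_PEER_CHAIN = (
    _key(1, "student", datetime(2010, 1, 1, 12), datetime(2010, 12, 1, 12)),
)

# Points in time used by the demonstration below.
BEFORE_ROLLOVER = datetime(2010, 6, 1, 12)
DURING_OVERLAP = datetime(2010, 11, 30, 13)
AFTER_ROLLOVER = datetime(2010, 12, 1, 13)
AFTER_EXPIRY = datetime(2011, 12, 2, 12)


if __name__ == "__main__":
    for when in (BEFORE_ROLLOVER, DURING_OVERLAP, AFTER_ROLLOVER, AFTER_EXPIRY):
        key = send_key(ROLLOVER_CHAIN, when)
        print(when, "sends key", key.key_id if key else None,
              "accepts", accepted_ids(ROLLOVER_CHAIN, when),
              "stale peer still authenticates:",
              authenticates(ROLLOVER_CHAIN, STALE_PEER_CHAIN, when))
```

<p>During the overlap both key IDs are accepted but key 1 is still the one sent, because the lowest valid ID wins; the moment key 1 expires the router switches to key 2, and the peer that was never given key 2 drops out of the adjacency. A skewed clock on one router produces exactly the same failure, which is why the lifetimes and NTP go together.</p><p>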
The commands are</p><br /><p align="center">ip authentication mode eigrp AS-NUMBER md5</p><br /><p>This command <strong>turns on</strong> EIGRP authentication on the interface. There is only one mode available, which is md5 (it is not clear why this option exists if there is only one mode available).</p><br /><p>The next step is to <strong>specify which key chain</strong> to use for authentication. The command is</p><br /><p align="center">ip authentication key-chain eigrp AS-NUMBER WORD</p><br /><p>WORD: the name of the key chain.</p><br /><p><strong>You must configure authentication on both routers</strong>; if one side is not using authentication, the neighbor adjacency will go down.</p><br /><p>The key sent is <strong>the first valid key</strong> sorted by key ID. If key 1 is no longer valid for sending, key 2 will be used instead.</p><br /><p>Routers match received keys <strong>by key ID, not by key string</strong>. The key ID sent must match a key ID configured on the peer router.</p><br /><br /><br /></span>tag:blogger.com,1999:blog-5960703546293884343.post-68558988991897032342010-03-02T00:32:00.000-08:002010-03-02T00:35:49.920-08:00Password Construction<p>Passwords are an important aspect of computer security. A password is usually used to access user accounts, email accounts, web accounts, etc. With the "<em>Remember Password</em>" feature available in some applications, it is important to have a strong password. First comes a list of bad password characteristics, then a list of what a good password looks like. 
</p><br /><p>Bad password characteristics:</p><br /><ul><br /> <li>Passwords with fewer than 8 characters.</li><br /> <li>Passwords that use words that can be found in a dictionary.</li><br /> <li>Common-name passwords, such as a family member's name, a friend's name, computer jargon, etc.</li><br /> <li>Birth dates, addresses or phone numbers.</li><br /> <li>Passwords with a pattern, such as <em>qwerty</em>, <em>123321</em>, <em>aabbcc</em>, etc.</li><br /> <li>Words spelled backwards, such as <em>drowssap</em>.</li><br /> <li>Passwords made of a famous person's name, such as your idol.</li><br /> <li>Words with a number prepended or appended, such as <em>password1</em> or <em>2password</em>. </li><br /></ul><br /><br /><br /><span id="fullpost"><br /><p>Strong password characteristics:</p><br /><ul><br /> <li>Contains numbers, punctuation and letters (0-9, !@#$%^&*(),./). </li><br /> <li>Contains both lowercase and uppercase letters.</li><br /> <li>Is longer than 8 characters.</li><br /> <li>Is not a word in any language or jargon.</li><br /> <li>Is not based on any private information such as your birthday, family name, etc.</li><br /></ul><br /><p>There are ways to form a strong password that is easy to remember; for example, you can build an acronym from a phrase. Never write your password down anywhere and do not talk about it with anyone. It is usually a bad idea to use the "<em>Remember Password</em>" feature available in some web browsers: saved passwords can be viewed by anyone who has access to your computer. In Firefox (Windows version), go to Tools > Options... > Security > Saved Passwords and click Show Passwords to see the username and password pairs saved for each website. </p><br /><p>For an organization, ask your employees never to reuse their internal password for public accounts (a public email or social network account, for example). 
Change your own and your employees' passwords periodically; somewhere between three and six months is an acceptable interval, but this depends on your organization's policy. Audit your employees' passwords: you can periodically try to crack them with available password-auditing software that attempts brute-force guessing, and if an employee's password can be guessed, ask them to change it. </p><br /></span>
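As an added example that is not part of the original post, the following Python checks a candidate password against the bad and strong characteristics listed above and builds the acronym-style password the post suggests. The word list, pattern list and personal-data set are constructed stand-ins for a real dictionary and a user's real data.

```python
import re

# Constructed stand-ins for a dictionary, known keyboard/number patterns and a user's personal data.
WORDLIST = {"password", "secret", "cisco", "admin", "welcome", "router", "student"}
PATTERNS = ("qwerty", "asdfgh", "123456", "123321", "abcdef")
PERSONAL = {"1990", "19900512", "smith", "081234567"}   # made-up birth year/date, family name, phone
PUNCTUATION = "!@#$%^&*(),./"   # the punctuation characters the post lists

def weaknesses(password, personal=PERSONAL):
    """List the bad-password characteristics from the post that the candidate matches."""
    found = []
    lower = password.lower()
    if len(password) < 8:
        found.append("shorter than 8 characters")
    core = re.sub(r"^\d+|\d+$", "", lower)   # 'password1' / '2password' still count as a word
    if core in WORDLIST:
        found.append("dictionary or generic word, possibly with a number added")
    if core[::-1] in WORDLIST:
        found.append("dictionary word spelled backwards")
    if any(p in lower for p in PATTERNS) or re.fullmatch(r"(?:(.)\1)+", lower):
        found.append("keyboard, number or repeated-letter pattern")
    if any(p in lower for p in personal):
        found.append("contains private information")
    return found

def is_strong(password, personal=PERSONAL):
    """All of the post's strong-password characteristics hold and no weakness was found."""
    checks = (
        len(password) > 8,
        any(c.isdigit() for c in password),
        any(c in PUNCTUATION for c in password),
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
    )
    return all(checks) and not weaknesses(password, personal)

def acronym(phrase):
    """First character of each word, keeping trailing punctuation so symbols and digits survive."""
    parts = []
    for word in phrase.split():
        parts.append(word[0])
        if word[-1] in PUNCTUATION:
            parts.append(word[-1])
    return "".join(parts)

if __name__ == "__main__":
    phrase = "I bought 2 cheap routers in Jakarta, not 3!"   # constructed memorable phrase
    for candidate in ("password1", "drowssap", "aabbcc", "Smith1990!", acronym(phrase)):
        print(candidate, weaknesses(candidate), is_strong(candidate))
```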