Categories: Configuration

Intercontext routing for IPv6

Two contexts on the same chassis (local and clips) are joined by an intercontext point-to-point link (intercontext p2p 1 on both sides) and exchange their loopback prefixes over a level-1 IS-IS instance with only the IPv6 address family enabled. Both NETs share the area 47.0001 and differ only in the system ID, which is what a level-1 adjacency requires. The IS-IS instance runs without authentication; that is acceptable here only because the intercontext link never leaves the chassis.

Configuration:

context local

interface first-isis-intf intercontext p2p 1
  ipv6 address 10::1/64

interface router-A-id loopback
  ipv6 address 194::100/128

router isis my-backbone
  net 47.0001.1111.2222.3333.00
  is type level-1
  no address-family ipv4 unicast
  address-family ipv6 unicast
   redistribute connected level-1
   redistribute static level-1
 !
  interface router-A-id
   passive-interface
   no address-family ipv4 unicast
   address-family ipv6 unicast
 !
  interface first-isis-intf
   no address-family ipv4 unicast
   address-family ipv6 unicast

context clips

interface eth-10-1 intercontext p2p 1
  ipv6 address 10::2/64

interface router-B-id loopback
  ipv6 address 192::200/128

router isis my-backbone
  net 47.0001.0001.0002.0003.00
  is type level-1
  no address-family ipv4 unicast
  address-family ipv6 unicast
   redistribute connected level-1
   redistribute static level-1
 !
  interface router-B-id
   passive-interface
   no address-family ipv4 unicast
   address-family ipv6 unicast
 !
  interface eth-10-1
   no address-family ipv4 unicast
   address-family ipv6 unicast
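
The two NETs above are the only thing the level-1 adjacency across the intercontext link depends on, so here is a small checker for them. This is an added example, not code from the original post; it assumes a NET is written as AFI, optional area-ID groups, a six-byte system ID in three four-digit groups, and an NSEL, and that routers use NSEL 00.

```python
# Added example, not part of the original post: parse the two NETs configured
# above and check the properties a level-1 IS-IS adjacency needs: same area,
# distinct system IDs, NSEL 00. Assumed NET layout: AFI.area-id(.xxxx)*.
# sysid(3 x 4 hex digits).NSEL.
import re

LOCAL_NET = "47.0001.1111.2222.3333.00"   # context local, from the config above
CLIPS_NET = "47.0001.0001.0002.0003.00"   # context clips, from the config above

HEX_GROUP = re.compile(r"^[0-9a-fA-F]+$")


def parse_net(net: str) -> dict:
    """Split a NET into area (AFI + area ID), system ID and NSEL."""
    parts = net.strip().lower().split(".")
    # minimum is AFI + three system-ID groups + NSEL; area-ID groups are optional
    if len(parts) < 5 or not all(HEX_GROUP.match(p) for p in parts):
        raise ValueError(f"malformed NET: {net!r}")
    afi, area_id, sysid, nsel = parts[0], parts[1:-4], parts[-4:-1], parts[-1]
    if len(afi) != 2 or len(nsel) != 2 or any(len(g) != 4 for g in area_id + sysid):
        raise ValueError(f"malformed NET: {net!r}")
    return {
        "area": ".".join([afi] + area_id),
        "system_id": ".".join(sysid),
        "nsel": nsel,
    }


def check_level1_pair(net_a: str, net_b: str) -> list:
    """Return the reasons two routers could NOT form a level-1 adjacency
    (an empty list means the NETs are compatible)."""
    a, b = parse_net(net_a), parse_net(net_b)
    problems = []
    for name, n in (("a", a), ("b", b)):
        if n["nsel"] != "00":
            problems.append(f"{name}: NSEL {n['nsel']} is not 00 (not a router NET)")
    if a["system_id"] == b["system_id"]:
        problems.append("duplicate system ID " + a["system_id"])
    if a["area"] != b["area"]:
        # level-1 adjacencies only form inside one area; level-2 would be needed
        problems.append(f"area mismatch: {a['area']} vs {b['area']}")
    return problems


if __name__ == "__main__":
    print(parse_net(LOCAL_NET))
    print("local <-> clips:", check_level1_pair(LOCAL_NET, CLIPS_NET) or "OK")
    # constructed counter-example: same system ID as local, different area
    print("bad peer:", check_level1_pair(LOCAL_NET, "47.0002.1111.2222.3333.00"))
```

Running it on the page's two NETs reports no problems; the constructed bad peer trips both the duplicate-system-ID and area-mismatch checks, which is exactly the pair of mistakes that silently leave an IS-IS level-1 adjacency down.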

Verification

[local]Train-3#ping ipv6 192::200 source 194::100
PING6 192::200 : 8 data bytes
timeout is 1 second, source 194::100
!!!!!

--- 192::200 ping6 statistics ---
5 packets transmitted, 5 packets received, 0.00000% packet loss
round-trip min/avg/max/std-dev = 1.713/1.951/2.111/0.131 ms



[local]Train-3#sh ipv6 rout
Codes: C - connected, S - static, S dv - dvsr, R - RIP, e B - EBGP, i B - IBGP
       O   - OSPF, O3  - OSPFv3, IA - OSPF(v3) inter-area,
       N1  - OSPF(v3) NSSA external type 1, N2  - OSPF(v3) NSSA external type 2
       E1  - OSPF(v3) external type 1, E2  - OSPF(v3) external type 2
       i   - IS-IS, L1 - IS-IS level-1,  L2  - IS-IS level-2, N - NAT
       IPH - IP Host, SUB A - Subscriber address, SUB S - Subscriber static
       SUB P - AAA downloaded aggregate subscriber routes
       SUB N - Subscriber ND, SUB D - Subscriber DHCP-PD
       M F - Mobile Sub Foreign Agent, M H - Mobile Sub Home Agent,
       M G - Mobile Sub GTP
       E P - EPS Aggregate(Prefix), E A - EPS Address, E S - EPS Static
       ICR - Inter-Chassis Resilience
       EPG - Evolved Packet Gateway
       A - Derived Default, MeH - Media Nexthop
       TSC - tunnel shortcut
       >   - Active Route, * - LSP

Type    Network              Next Hop        Dist    Metric    UpTime  Interface
> C     10::/64                                 0         0  00:32:26  first-isis-intf
> i L1  192::200/128                          115        11  00:10:02
> C     194::100/128         194::100           0         0  00:33:05  router-A-id



[clips]Train-3#sh ipv6 interf brief
Fri Apr  8 09:26:40 2016
Name              Address                   MTU   State    Bindings
eth-10-1          10::2/64                  1500  Up       (inter-cxt-p2p)
router-B-id       192::200/128              1500  Up       (Loopback)
[clips]Train-3#sh ipv6 rout
Codes: C - connected, S - static, S dv - dvsr, R - RIP, e B - EBGP, i B - IBGP
       O   - OSPF, O3  - OSPFv3, IA - OSPF(v3) inter-area,
       N1  - OSPF(v3) NSSA external type 1, N2  - OSPF(v3) NSSA external type 2
       E1  - OSPF(v3) external type 1, E2  - OSPF(v3) external type 2
       i   - IS-IS, L1 - IS-IS level-1,  L2  - IS-IS level-2, N - NAT
       IPH - IP Host, SUB A - Subscriber address, SUB S - Subscriber static
       SUB P - AAA downloaded aggregate subscriber routes
       SUB N - Subscriber ND, SUB D - Subscriber DHCP-PD
       M F - Mobile Sub Foreign Agent, M H - Mobile Sub Home Agent,
       M G - Mobile Sub GTP
       E P - EPS Aggregate(Prefix), E A - EPS Address, E S - EPS Static
       ICR - Inter-Chassis Resilience
       EPG - Evolved Packet Gateway
       A - Derived Default, MeH - Media Nexthop
       TSC - tunnel shortcut
       >   - Active Route, * - LSP

Type    Network              Next Hop        Dist    Metric    UpTime  Interface
> C     10::/64                                 0         0  00:53:35  eth-10-1
> C     192::200/128         192::200           0         0  00:50:59  router-B-id
> i L1  194::100/128                          115        11  00:10:50


Categories: Tips

SmartEdge MIBS

MIBs up to version 12.1.1.12:

Categories: Tips

SE600 snmpbulkwalk timeout

From the “how to gently choke an SE600” series:

snmpbulkwalk -OUneb -v2c -c COMMUNITY HOST .

A bulk walk of the whole tree from the root is enough to make the box time out, and anyone holding the v2c community string can do it, which is a good reason to restrict SNMP to the control plane with an admin-access-group.

Categories: Tips

SmartEdge traffic mirroring

No lengthy explanation, just a link to the PDF: Troubleshooting traffic mirroring

Categories: Configuration

Protecting SSH access to the SmartEdge

ACL attached to interface 2/3

Through interface 2/3 only SSH traffic from host 192.168.2.2 gets in (seq 10); SSH from any other source is dropped by seq 20. All remaining IP traffic from all hosts/networks is accepted on port 2/3 (seq 30). Note that this only covers what arrives on 2/3: SSH reaching the context via interface 2/2 or the loopback is not filtered, and telnet, which is also enabled with service telnet, is not restricted by ACL-1 at all.

!
context test
!
 no ip domain-lookup
!
 interface 2/2
  ip address 192.168.1.2/24
!
 interface 2/3
  ip address 192.168.2.1/24
  ip access-group ACL-1 in
!
 interface llop1 loopback
  ip address 20.20.20.20/32
 no logging console
!
 ip access-list ACL-1 ssh-and-telnet-acl
  seq 10 permit tcp host 192.168.2.2 any eq ssh max-sessions 5 min-sessions 0
  seq 20 deny tcp any any eq ssh
  seq 30 permit ip any any
!
 enable encrypted 1 $1$........$.nNQmFppgs3ECnFPrOgpx/
!
!
 administrator admin encrypted 1 $1$........$.nNQmFppgs3ECnFPrOgpx/
!
!
 ip route 0.0.0.0/0 192.168.1.1
 service ftp client
 service ssh
 service telnet
!
!
!
!
End

Using admin-access-group ACL-2 in

Unlike the example above, ACL-2 is attached to the context rather than to an interface, so it filters traffic addressed to the context's own services (the management plane) no matter which interface it arrives on. The context test accepts SSH sessions only from hosts 192.168.2.2 and 192.168.2.3. ACL-1 is still defined in this configuration but is no longer applied to interface 2/3. As before, seq 30 still admits telnet from any host.

context test
!
 no ip domain-lookup
!
 interface 2/2
  ip address 192.168.1.2/24
!
 interface 2/3
  ip address 192.168.2.1/24
!
 interface llop1 loopback
  ip address 20.20.20.20/32
 no logging console
!
 ip access-list ACL-1 ssh-and-telnet-acl
  seq 10 permit tcp host 192.168.2.2 any eq ssh max-sessions 5 min-sessions 0
  seq 20 deny tcp any any eq ssh
  seq 30 permit ip any any
!
 ip access-list ACL-2
  seq 10 permit tcp host 192.168.2.2 any eq ssh
  seq 15 permit tcp host 192.168.2.3 any eq ssh
  seq 20 deny tcp any any eq ssh
  seq 30 permit ip any any
!
 enable encrypted 1 $1$........$.nNQmFppgs3ECnFPrOgpx/
!
!
 administrator admin encrypted 1 $1$........$.nNQmFppgs3ECnFPrOgpx/
!
!
 ip route 0.0.0.0/0 192.168.1.1
 service ftp client
 service ssh
 service telnet
!
 admin-access-group ACL-2 in
!
!
!
!
end
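
To see what the two lists above really admit, the following evaluates them with first-match semantics against a handful of constructed packets. This is an added example, not code from the original post; it assumes SEOS applies an implicit deny when no rule matches, that "ip" matches every protocol, and that trailing options (max-sessions, min-sessions, count, log) do not affect matching.

```python
# Added example, not part of the original post: first-match evaluation of the
# SEOS access lists above against constructed packets. Assumptions: implicit
# deny at the end of a list, "ip" matches any protocol, trailing options such
# as max-sessions are ignored for matching purposes.
from ipaddress import ip_address, ip_network

ACL_1 = [
    "seq 10 permit tcp host 192.168.2.2 any eq ssh max-sessions 5 min-sessions 0",
    "seq 20 deny tcp any any eq ssh",
    "seq 30 permit ip any any",
]
ACL_2 = [
    "seq 10 permit tcp host 192.168.2.2 any eq ssh",
    "seq 15 permit tcp host 192.168.2.3 any eq ssh",
    "seq 20 deny tcp any any eq ssh",
    "seq 30 permit ip any any",
]
PORTS = {"ssh": 22, "telnet": 23}


def _addr(toks, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (wildcard) at toks[i]."""
    if toks[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ip_network(toks[i + 1] + "/32"), i + 2
    # ipaddress accepts a host mask (wildcard) in place of a netmask
    return ip_network(f"{toks[i]}/{toks[i + 1]}", strict=False), i + 2


def parse_rule(line):
    """'seq N permit|deny proto src dst [eq port] ...' -> tuple."""
    toks = line.split()
    seq, action, proto = int(toks[1]), toks[2], toks[3]
    src, i = _addr(toks, 4)
    dst, i = _addr(toks, i)
    dport = None
    if i < len(toks) and toks[i] == "eq":
        dport = PORTS.get(toks[i + 1]) or int(toks[i + 1])
    return seq, action, proto, src, dst, dport


def evaluate(acl, proto, src, dst, dport=0):
    """Return (action, seq) of the first matching rule, or ('deny', None)."""
    rules = sorted((parse_rule(r) for r in acl), key=lambda r: r[0])
    for seq, action, rproto, rsrc, rdst, rdport in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if ip_address(src) not in rsrc or ip_address(dst) not in rdst:
            continue
        if rdport is not None and rdport != dport:
            continue
        return action, seq
    return "deny", None   # implicit deny at the end of the list


def summarize(acl):
    """Decision for a few constructed packets aimed at the router itself."""
    cases = {
        "ssh from 192.168.2.2": ("tcp", "192.168.2.2", "192.168.2.1", 22),
        "ssh from 192.168.2.3": ("tcp", "192.168.2.3", "192.168.2.1", 22),
        "ssh from 192.168.2.50": ("tcp", "192.168.2.50", "192.168.2.1", 22),
        "telnet from 192.168.2.50": ("tcp", "192.168.2.50", "192.168.2.1", 23),
        "ping from 10.0.0.9": ("icmp", "10.0.0.9", "20.20.20.20", 0),
    }
    return {name: evaluate(acl, *pkt)[0] for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, acl in (("ACL-1", ACL_1), ("ACL-2", ACL_2)):
        print(name, summarize(acl))
```

The output makes the caveat from the text visible: both lists deny SSH from unlisted hosts, ACL-2 additionally admits 192.168.2.3, and telnet from anywhere is permitted by seq 30 in both.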

Categories: Configuration

SmartEdge: Simple NAPT configuration

Rules: how to apply NAT

  • The NAT policy is applied to incoming traffic (on the ingress interface).
  • The IP address of the outgoing interface cannot be used in the NAT pool.
  • The NAT pool must be a separate subnet (not part of an interface subnet).
  • With dynamic NAT a route of type NAT is created automatically (no extra route configuration is needed).
  • With static NAT an extra route must be added (ip route 6.6.6.0/24 1.1.2.2) pointing at the NAT interface, so that return packets find their way back.
  • After “clear ip route *” dynamic NAT stops working and the NAT policy must be re-applied on the interface (SEOS 6.2).
  • On a “multibind” interface the combination of static and dynamic NAT does not work (only dynamic is operational); the pool should be configured as multibind:
    ip nat pool my-pool napt multibind
  • The NAT policy can also be applied at the subscriber level:
    subscriber default
      ip address pool
      nat policy my-nat

Dynamic NAT:

A ping from the “LAN” context with any source address is NAT-ed in the “local” context on the LAN interface. For example, source address 1.1.2.2 is replaced with an address from POOL-1 (2.2.2.0/24, dynamic mapping) and routed to context WAN.

Static NAT:

A ping from the “LAN” context is NAT-ed in the “local” context on the LAN interface. Source address 5.5.5.5 is replaced with 6.6.6.6 (static mapping) and routed to context WAN.

Configuration

!
context local
!
 ip nat pool POOL-1 napt
  address 2.2.2.0/24
!
 nat policy POL-NAT
! Default class
  pool POOL-1 local
! Static rules
  ip static in source 5.5.5.5 6.6.6.6
!
 interface LAN
  ip address 1.1.2.1/24
  ip nat POL-NAT acl-counters
!
 interface WAN
  ip address 192.168.1.1/24
!
 ip route 0.0.0.0/0 192.168.1.2
 ip route 5.5.5.0/24 1.1.2.2
 ip route 6.6.6.0/24 1.1.2.2
 ip route 159.107.0.0/16 159.107.90.1
!
context WAN
!
 interface to-local
  ip address 192.168.1.2/24
 no logging console
!
 ip route 1.1.2.0/24 192.168.1.1
 ip route 1.1.3.0/24 192.168.1.1
 ip route 2.2.2.0/24 192.168.1.1
 ip route 6.6.6.0/24 192.168.1.1
!
context LAN
!
 interface Static loopback
  ip address 5.5.5.5/24
!
 interface to-local
  ip address 1.1.2.2/24
 no logging console
!
 ip route 0.0.0.0/0 1.1.2.1
!
! ** End Context **
!
card carrier 2
 mic 1 fe-12-port
!
port ethernet 2/1
 no shutdown
 medium-type copper
 bind interface to-local LAN
!
port ethernet 2/2
 no shutdown
 medium-type copper
 bind interface LAN local
!
port ethernet 2/3
 no shutdown
 bind interface WAN local
!
port ethernet 2/4
 no shutdown
 bind interface to-local WAN
!
end
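
The following is a minimal model of the POL-NAT policy above (the static source rule 5.5.5.5 to 6.6.6.6 plus the NAPT pool 2.2.2.0/24 for the default class), showing how packets from the LAN context are rewritten on the way out and mapped back on the way in. It is an added example, not SEOS code or the original post's; it assumes static rules are checked before the default class, that dynamic bindings use the first pool address (as the translation table further down shows 2.2.2.0) with ports handed out from a simple counter, and that an inbound packet with no binding is dropped. The return routes that the rules above require are not modelled.

```python
# Added example, not part of the original post: a toy model of the POL-NAT
# policy (static 5.5.5.5 -> 6.6.6.6, NAPT pool 2.2.2.0/24 for everything
# else). Assumptions: static rules win over the default class, dynamic
# bindings sit on the first pool address with ports from a counter, and an
# inbound packet without a binding is dropped. Routing is not modelled.
from dataclasses import dataclass, replace
from ipaddress import ip_network
from itertools import count


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int      # source port, or the ICMP identifier
    dst: str
    dport: int      # destination port, or the ICMP identifier on return


class NatPolicy:
    def __init__(self, pool_cidr, static_in=None, first_port=1024):
        self.pool_addr = str(ip_network(pool_cidr).network_address)
        self.static = dict(static_in or {})                 # inside -> outside
        self.static_rev = {v: k for k, v in self.static.items()}
        self.dynamic = {}        # (proto, src, sport) -> nat port
        self.dynamic_rev = {}    # (proto, nat port) -> (src, sport)
        self.ports = count(first_port)

    def outbound(self, f):
        """Packet entering on the NAT interface (ingress): rewrite the source."""
        if f.src in self.static:            # 1:1 static NAT, port unchanged
            return replace(f, src=self.static[f.src])
        key = (f.proto, f.src, f.sport)
        if key not in self.dynamic:         # first packet of a flow creates the binding
            port = next(self.ports)
            self.dynamic[key] = port
            self.dynamic_rev[(f.proto, port)] = (f.src, f.sport)
        return replace(f, src=self.pool_addr, sport=self.dynamic[key])

    def inbound(self, f):
        """Return packet from the WAN side: rewrite the destination, or None."""
        if f.dst in self.static_rev:
            return replace(f, dst=self.static_rev[f.dst])
        if f.dst == self.pool_addr and (f.proto, f.dport) in self.dynamic_rev:
            src, sport = self.dynamic_rev[(f.proto, f.dport)]
            return replace(f, dst=src, dport=sport)
        return None                         # no binding: unsolicited, dropped


def demo():
    """The two pings from the verification below: 1.1.2.2 (dynamic) and 5.5.5.5 (static)."""
    pol = NatPolicy("2.2.2.0/24", static_in={"5.5.5.5": "6.6.6.6"})
    out = pol.outbound(Flow("icmp", "1.1.2.2", 1990, "192.168.1.2", 0))
    back = pol.inbound(Flow("icmp", "192.168.1.2", 0, out.src, out.sport))
    st = pol.outbound(Flow("icmp", "5.5.5.5", 7, "192.168.1.2", 0))
    return out, back, st


if __name__ == "__main__":
    for f in demo():
        print(f)
```

The point the model makes explicit is the difference the rules above describe: the static entry exists before any traffic and is bidirectional on its own, while the dynamic entry only exists once the inside host has sent something, which is why an unsolicited packet to the pool address is dropped.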

Checking nat translation

[LAN]Redback# ping 192.168.1.2
PING 192.168.1.2 (192.168.1.2): source 1.1.2.2, 36 data bytes,
timeout is 1 second
!!!!!

[LAN]Redback# ping 192.168.1.2 source 5.5.5.5
PING 192.168.1.2 (192.168.1.2): source 5.5.5.5, 36 data bytes,
timeout is 1 second
!!!!!

[local]Redback# show nat policy POL-NAT detail

Policy name              :  POL-NAT
Policy grid              :  0x1
Number of rules          :  1
Slot mask                :  0xc
Number of binds          :  1
  Circuit                :  2/2

Reference counters (in circuits * classes):
Slot     2
           1

Static NAT Rules:
In/Out  Protocol  Src-Addr         Port   NAT-Src-Addr     Port   NAT-Ctx-Id
in      ip        5.5.5.5          0      6.6.6.6          0      0x40080001

Class-Name   Action/  Pool-Grid/   Dest-IP-Addr/   Timeout(sec)  Admit-Ctrl
             P2MP     Context-Id   Context-Id

default      na[p]t   0x1                          tcp    86400
             Off      0x40080001                   udp    120
                                                   finrst 240
                                                   icmp   60
                                                   syn    128
                                                   basic  3600

Note: this is not an official command and should be used with extra care. The syntax may change in a new release:

Checking dynamic translations

[local]Redback# show card 2 nat ?
  circuit        Display circuit nat information
  counters       Display NAT counters (without drop counters)
  drop-counters  Display NAT drop counters
  log            NAT Message Log
  policy         Display policy information
  pool           Display pool information
  translation    Display translation information

[local]Redback# show context
Context Name               Context ID        VPN-RD               Description
------------------------------------------------------------------------------
local                      0x40080001

[local]Redback# show card 2 nat translation context 0x40080001 source any

Slot 2 Ingress:

 Type  IP From          IP To            Ports      Flag   Pointer     Ctx Flag
 Flag: D-Dynamic, R-remote, Z-dmz, A-admission, I-ignore translation,
       d-dest NAT, U - p2mp UDP
 NAPT  1.1.2.2          2.2.2.0          1990/0009  0x0014 0x50024440  1/1 D
 NAPT  1.1.2.2          2.2.2.0          1991/0010  0x0014 0x500244a0  1/1 D
 NAPT  1.1.2.2          2.2.2.0          1989/0008  0x0014 0x500243e0  1/1 D

Checking static translation

[local]Redback# show card 2 nat circuit 2/2:1023:63/1/1/7 detail

 Circuit 2/2:1023:63/1/1/7 ingress
  Feature block pointer: 0x4ea8b4e0
  Policy: grid=1 version=1 pointer=0xf0536ae0
  Number src  rules: 1 ptr 0xf05877c0
  Number dst  rules: 0 ptr 0x0
  Number napt rules: 0 ptr 0x0
  Out nat ptr 0xd053c2c0 napt ptr 0xf053eac0
  class 0 ptr 0x4eaab500
 Rule table:
 Type     IP From          IP To            Ports      Csum    Idx   Ctx   Vrs
 src nat  5.5.5.5          6.6.6.6          0000/0000  0xfdfd  65    1     1

 Circuit 2/2:1023:63/1/1/7 egress
  Feature block pointer: 0x4ae2c520
  Policy: grid=1 version=1 pointer=0xd00eb240
  Number src  rules: 0 ptr 0x0
  Number dst  rules: 1 ptr 0xd09cf0e0
  Number napt rules: 0 ptr 0x0
 Rule table:
 Type     IP From          IP To            Ports      Csum    Idx   Ctx   Vrs
 dst nat  6.6.6.6          5.5.5.5          0000/0000  0x0202  129   1     1

Checking the translation with an access-list (hit counters on the WAN side)

!
 ip access-list dyn
  seq 10 permit ip 2.2.2.0 0.0.0.255 any
  seq 15 permit ip host 6.6.6.6 any
  seq 20 permit ip any any
!
!
 interface to-local
  ip address 192.168.1.2/24
  ip access-group dyn in count log
 no logging console
!

[WAN]Redback# clear access-group ip-filter interface to-local in all
[WAN]Redback# show access-group ip-filter interface to-local in counters
Circuit 2/4, slot 2, IPv4 access-list dyn, in, 3 rules

Hit Count:         0  No Match (Default)
Hit Count:         0  seq 10 permit ip 2.2.2.0 0.0.0.255 any
Hit Count:         0  seq 15 permit ip host 6.6.6.6 any
Hit Count:         0  seq 20 permit ip any any

[LAN]Redback# ping 192.168.1.2 source 5.5.5.5
PING 192.168.1.2 (192.168.1.2): source 5.5.5.5, 36 data bytes,
timeout is 1 second
!!!!!
[LAN]Redback# ping 192.168.1.2
PING 192.168.1.2 (192.168.1.2): source 1.1.2.2, 36 data bytes,
timeout is 1 second
!!!!!
[WAN]Redback# show access-group ip-filter interface to-local in counters

Circuit 2/4, slot 2, IPv4 access-list dyn, in, 3 rules

Hit Count:         0  No Match (Default)
Hit Count:         5  seq 10 permit ip 2.2.2.0 0.0.0.255 any
Hit Count:         5  seq 15 permit ip host 6.6.6.6 any
Hit Count:         0  seq 20 permit ip any any

Categories: Configuration

REDBACK context PIM

We never got the chance to test this, but it may be useful to someone. The configuration is inspired by a post on the sgtsa.pl forum.

Note that CPU-FILTERING, applied with admin-access-group, only drops SNMP aimed at the control plane (seq 10) and permits everything else (seq 100).

context PIM
!
 description SGT IPTV JAMBOX
!
! 
 no ip domain-lookup
!
 interface do-SGT
  description vlan 203 access
  ip address 10.200.28.6/30
  ip arp timeout 290
  pim sparse-mode
!
 interface jambox-v213
  ip address 10.202.125.129/25
  dhcp relay 125
  ip arp timeout 290
  pim sparse-mode passive
!
 interface jambox-v214
  ip address 10.202.125.1/25
  dhcp relay 125
  ip arp timeout 290
  pim sparse-mode passive
!
 interface jambox-v215
  ip address 10.202.198.1/25
  dhcp relay 125
  ip arp timeout 290
  pim sparse-mode passive
!
 interface jambox-v216
  ip address 10.202.198.129/25
  dhcp relay 125
  ip arp timeout 290
  pim sparse-mode passive
!
 interface jambox-v217
  ip address 10.200.199.1/25
  dhcp relay 125
  ip arp timeout 290
  pim sparse-mode passive
!
 interface jambox-v218
  ip address 10.200.199.129/25
  dhcp relay 125
  ip arp timeout 290
  pim sparse-mode passive
!
 interface jambox-v219
  ip address 10.200.124.1/24
  dhcp relay 125
  ip arp timeout 290
  pim sparse-mode passive
 no logging console
!
 ip access-list CPU-FILTERING
  seq 10 deny udp any any eq snmp
  seq 100 permit ip any any
!
 ip access-list SGT-MULTICAST
  seq 10 permit ip 239.239.0.0 0.0.7.255
!
 ip route 10.200.200.0/22 10.200.28.5
!
 pim rp-address 10.200.200.20 group-list SGT-MULTICAST
!
 admin-access-group CPU-FILTERING in
!
 dhcp relay server 10.200.200.31
!
!
!
!
end