Hping3 – Flooding simulation with Linux

When testing a firewall's resilience against DoS and its session limits, there is a Linux program called hping3 that can generate the flood. It can produce a modest packet flood while still keeping at least 50% of the CPU free for management.

If we need to test a session limit or threshold limit with a SYN flood toward a web server on port 80, we could use the command below.


IPv6 over IPv4 in SRX

IPv6 is another upcoming trend on the internet. Since most ISPs do not provide IPv6 service, how do we enjoy or experience the benefits of IPv6?

There are IPv6 tunnel brokers on the internet that let us use IPv6 over the existing IPv4 service. Some of these brokers are Hurricane Electric, Hinet, and others.

Sample setup guides are already included on their websites, but those guides make the SRX route IPv6 packets without any ability to apply policy restrictions. So I will attach mine as a reference for using IPv6 in flow mode.

[Diagram: SRX-IPIP]


MPLS VPN – option C – using bgp label exchange with cisco and Junos -part 1

It has been a while since I have done any labs after getting a new job. This time, I will be building an NNI option C using both Cisco IOS and Juniper MX. The reason I am writing this is that I could not find many resources on the internet about inter-AS connections using two different software platforms at the same time. I hope this can be useful for anyone who is having the same struggle as I did.

(The AS numbers below are randomly picked!)

[Diagram: lab-testing-mpls]

Based on the lab diagram (I don't feel like chopping it up), with the internal VPN service already running and each AS running OSPF and LDP internally for MPLS, I will be connecting AS5052 (the green area in the middle) and AS7077 (the orange area at the bottom) together over NNIs to extend the MPLS VPN services.


Cisco ASA – Site to Site IPSec VPN with dynamic IP address

Setting up a policy-based site-to-site IPSec VPN tunnel with static IP addresses is quite straightforward on a Cisco ASA, but what if one of the endpoints is using a dynamic IP address?

In this lab, I will be using two virtual ASAs (9.6(2)) to create a site-to-site IPSec VPN tunnel, as well as setting up the Cisco VPN client on the ASA with the static IP address.

ASA-F14 is the one with the static IP address, and ASA-F16 is using a dynamic IP address.


MPLS VPN – routes sharing between 2 different VRFs across the MPLS network

The beauty of MPLS VPN is having multiple tenants running over the same MPLS core network, with each tenant prevented from accessing the other tenants' networks. But what if two different tenants want to connect to each other?

In the lab below, we have two different tenants: 1120020010 (RT:200010) on Router 12 and 1030010010 (RT:100010) on Router 03. By default, the ASAs connected to these VRFs cannot communicate, since they are in two different VRF networks. In this case, I will be using Cisco IOS and Juniper MX to let the two different VRFs connect to each other.

[Diagram: 20161221-mpls-2vrfs]

We can check the existing configuration and the route table on Router 03 and Router 12.


Cisco ASA – simple 1 to 1 NAT and firewall policy setup

For those who have been working with Cisco routers, setting up a Cisco ASA stateful policy is as simple as setting up an ACL. By default, the ASA drops any TCP connection that does not have a session record created by a SYN packet. Because of this, the user does not need to set up an ACL for return traffic, as they would when working with routers.

In this example, we have 192.168.104.250/32 as the server in the DMZ, and we apply a 1-to-1 NAT mapping for incoming traffic so that internet users can access the HTTP service only.

The IP address of the firewall is 10.50.2.10/29, and we will map the server to another external IP address, 10.50.2.11.

[Diagram: 20161215-vasa-lab-nat]

MPLS – check the label switching path with Juniper Junos and Cisco IOS

How are y'all doing, guys? It has been some time since I put anything new on my blog. I think I will add more material that focuses on troubleshooting. This time, I will present the way to check the label switching path, or routing path, of MPLS VPN traffic that runs on top of the OSPF and LDP protocols.

Here is the topology. The lab is built with both Cisco IOS (C1000v) and JunOS. There are two subnets in the VRF, 192.168.104.0/24 and 192.168.109.0/24, located on R3 and R10 respectively.

[Diagram: 20161215-mpls-lab]
