MPLS – check the label switching path with Juniper Junos and Cisco IOS

How yall doing guys. It has been some times putting anything new to my blog. I think I will put some more materials that focus on troubleshooting wise stuffs. This time, I will present the way to check the label switching path or routing path of the MPLS VPN traffic that run on top of the OSPF and LDP protocols.

Here is the Topology. The lab is build with both Cisco IOS (C1000v) and JunOS. There is 2 subnets in the VRF which are 192.168.104.0/24 and 192.168.109.0/24 and they are located in the R3 and R10 respectively.

20161215-mpls-lab

 

Continue reading

Advertisements

Networking – layer 2 communication.

Compute networking sometimes gives new ITers a feeling of confusion and complication when they start learning networking, this post will simply explain it in laymen terms and provide a basic concept and some basic configuration on Cisco productions for reference.

So what is layer 2 communication? What does it provide or allow us to do? What is networking HUB and what can it do? What is the different between network switches? What are LAN and what are VLANs? (This post will explain the ethernet network only) Continue reading

Cisco packet tracer

I have starting picking up one of the official network similator these days to learn about the ASA. The last time I used it was 7 years ago, and it didn’t have much of the routers n features r allowed to be simulated compare to the decent version. Some of the readers might think why would I start playing with packet tracer with there r many of the option in the market like GNS3. It s simply because it allows me to be lazy for setting up labs without going through the instability issues.

The newest version of packet tracer as of 2016 Oct, it has wifi, ASA, router, n switches can be used for simulation. Although it doesn’t cover all the features from the production environment, it still allows users n anyone who s new to Cisco to get a feeling of it. The best part of the tracer is to check the packet behaviours with a decent 4G ram device, which cannot be done with GNS3 running wire shark (not really cant be done, but it would be slow enough to piss everyone off). Continue reading

Cisco ASA – routing sample

In this post, I will show you guys how to setup a Cisco ASA firewall serves as a layer 3 packet transfer device. The example will be demonstrate with 192.168.3.10/32 machine accessing to 9.9.9.92/32 via IPerf. There is only simple routing and has no NAT involve.

In this setup, the ASA is acting as the gateway between office network and the internet. The 192.168.3.0/24 is the internal subnet and 10.0.0.20/30 is the internet. There are couple areas we have to handle, and they are routing, and policy. Since ASA is a stateful device, we have to apply policy to allow internal network to access external network, but not vise versa.
Continue reading

Cisco ASA – Checking information

Cisco ASA firewall is a security appliance that can perform packet inspection and with limited routing features. For those who are new to this product, it uses different ways to present its information than Cisco routers. There might have some difficulty at first, but since it is using syntax similar with other Cisco products, such as “show run”, and it is not too hard to pick up this product. I will list out some frequently  used commands for troubleshooting purpose.

  1. show run – this is to show the running configuration the cisco ASA is running with.
  2. show run all – this is to show the configuration users had input and as well the default settings that is being run by the ASA.
  3. show ip – this is similar with the “sho ip int br” from other Cisco products, and it displays the address information being set in the ASA.
  4. show nameif – this is to show the association of the interfaces and the “zone”. This “zone” used for differentiate the purpose of each interface, such as “DMZ”, “inside”, “outside”, and etc…
  5. show xlate – this is to show the NAT information with the translated flow. It shares some information with “show nat” too.
  6. show nat – similar with “show xlate”.
  7. show conn – it can be used to show sessions with.
  8. show version – it shows the information of the ASA, including RAM, CPU, serial number of the device, uptime, and license information.
  9. show crypto ikev1 sa – to check the ikev1 active tunnels info.
  10. show crypto ikev2 sa – to check the ikev2 active tunnels info.
  11. show ipsec sa – it shows the ipsec active tunnels info.
  12. show interface – it shows information for the physical interfaces including the MAC address, BW, duplex, speed, as well as CRC errors.

Commands above are for general use, and can be run under “config mode” without the “do”. I will demonstrate more command within my ASA posts.

Using dynamic DNS at SRX with non DYNDNS service provider

When placing a network equipment without a static IP address, the best way to remote access to the device is by using the dynamic DNS service. Juniper has import this feature into their network security products such as Netscreen ScreenOS and JunOS SRX.

I recently has replaced my SSG with the SRX, and am having trouble updating the DDNS record with the built-in DDNS feature. What happen is SRX only offer 2 options of “dyndns.org or ddo.jp”, any service other than these 2 are out of questions. Since I am using HE.net for DDNS, that does not do my any good.

 

20160521-DDNS-SRX_DDNS_server

So my work around is: to map the dyndns domain name to a HE.net dns server IP address with the following command. The command below is to bind the members.dyndns.org (the dyndns.org DDNS service domain name) to the IP address of 184.105.242.3 (the DDNS service domain name). Continue reading

Turning Raspberry PI into WIFI AP (in bridge mode)

20160514-vSRX_to_PI

Turning raspberry PI into WIFI AP: SSG5 to SRX migration (part 2)

Due to the insecure of internet platform, I have decided to run a security appliance at home to replace my SSG firewall. My newest design is to have SRX as the SSG replacment. Since SRX lacks of the feature of build-in WIFI, I have decided to use RASPBERRY PI as the WIFI AP bridge to cover the wireless access feature. In part 2 of this migration, it mainly focus on turning the RASPBERRY PI as the WIFI AP and bridge it to its ETH0 interface.

The WIFI AP elements:
– Raspberry PI model B
– 0ace:1215 ZyDAS ZD1211B 802.11g

Design for PI:
– Since the ESXi host is using trunk, the PI needs to have its NIC ready to take tagged and untag packets.
– PI turns the WIFI NIC into WIFI access point
– PI needs to bridge the ETH NIC and WIFI NIC to extend the SRX LAN boardcast domain with wireless capability.

Continue reading