tag:blogger.com,1999:blog-77583189321958276412012-01-27T17:34:29.570+07:00yang Penting Jalan !Ian Wijayahttp://www.blogger.com/profile/16822956116107389067noreply@blogger.comBlogger74125tag:blogger.com,1999:blog-7758318932195827641.post-15777276399418283072011-12-28T10:53:00.001+07:002011-12-29T00:37:56.329+07:002011-12-29T00:37:56.329+07:00Forbidden 403<br />
There are many reasons that could lead us getting forbidden message. Check the file permission, selinux, authorization or facl first. After all of those common things and u still don't work it out, then u shall read this blog !<br />
<br />
It was hard for me to trace this error. I had to copy fresh httpd
configuration and compared it with the bad one. After diff-ed those
files.<br />
I realized this line: <br />
<br />
@@ -328,7 +335,7 @@<br />
# http://httpd.apache.org/docs/2.2/mod/core.html#options<br />
# for more information.<br />
#<br />
- Options Indexes FollowSymLinks<br />
+ Options <b>+</b>Indexes FollowSymLinks<br />
<br />
<br />
I removed the bold-ed + and my symlink expectedly works, but why ? <br />
Kindly, check this quote:<br />
<br />
<blockquote class="tr_bq">
source : http://httpd.apache.org/docs/2.0/mod/core.html</blockquote>
<blockquote class="tr_bq">
Normally, if multiple <code class="directive">Options</code> could
apply to a directory, then the most specific one is used and
others are ignored; the options are not merged. (See <a href="http://httpd.apache.org/docs/2.0/sections.html#mergin">how sections are merged</a>.)<span style="color: lime;">
<span style="color: #6aa84f;"> However if </span></span><i style="color: #6aa84f;">all</i><span style="color: #6aa84f;"> the options on the
</span><code class="directive" style="color: #6aa84f;">Options</code><span style="color: #6aa84f;"> directive are preceded by a
</span><code style="color: #6aa84f;">+</code><span style="color: #6aa84f;"> or </span><code style="color: #6aa84f;">-</code><span style="color: #6aa84f;"> symbol, the options are
merged. Any options preceded by a </span><code style="color: #6aa84f;">+</code><span style="color: #6aa84f;"> are added to the
options currently in force, and any options preceded by a
</span><code style="color: #6aa84f;">-</code><span style="color: #6aa84f;"> are removed from the options currently in
force. </span></blockquote>
<div class="warning">
<blockquote>
<h3>
Warning</h3>
<div style="color: red;">
Mixing <code class="directive">Options</code> with a <code>+</code> or
<code>-</code> with those without is not valid syntax, and is likely
to cause unexpected results.</div>
</blockquote>
<br />
The point is, FollowSymLinks directive didn't work due to invalid syntax. :)<br />
<br />
<br />
======== FIN ============</div><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7758318932195827641-1577727639941828307?l=ianwijaya.blogspot.com' alt='' /></div>
<p><a href="http://feedads.g.doubleclick.net/~a/jLy16qOEvcvnB6IzxuKIaKDfX-A/0/da"><img src="http://feedads.g.doubleclick.net/~a/jLy16qOEvcvnB6IzxuKIaKDfX-A/0/di" border="0" ismap="true"></img></a><br/>
<a href="http://feedads.g.doubleclick.net/~a/jLy16qOEvcvnB6IzxuKIaKDfX-A/1/da"><img src="http://feedads.g.doubleclick.net/~a/jLy16qOEvcvnB6IzxuKIaKDfX-A/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/YangPentingJalan/~4/pb8UexD8K7Q" height="1" width="1"/>Ian Wijayahttp://www.blogger.com/profile/16822956116107389067noreply@blogger.com0http://ianwijaya.blogspot.com/2011/12/directory-listing-index-forbidden-403.htmltag:blogger.com,1999:blog-7758318932195827641.post-27949084704910838022011-12-20T01:28:00.000+07:002011-12-22T17:41:57.249+07:002011-12-22T17:41:57.249+07:00IP SLA-like Script#!/bin/bash<br />
#<br />
#Author : Ian Wijaya<br />
#Description : Monitor IP SLA using icmp echo message, it's been designed to run as background process, thus need to be killed manually when no longer needed<br />
#kill -9 <pid><br />#Creation date : 12-10-2011 </pid><br />
#Dependency: sendEmail v 1.56 -> <a href="http://caspian.dotconf.net/menu/Software/SendEmail/">http://caspian.dotconf.net/menu/Software/SendEmail/</a><br />
#<br />
#usage: link_monitor.sh &<br />
#<br />
IFS="\n"<br />
#Define parameter<br />
host="8.8.8.8" #hostname or IP to monitor<br />
ping_interval=1 #in second<br />
ping_count=4<br />
ping_threshold=3 <br />
period=3 #the ping monitor will be executed every n second<br />
#so there will be 1 ping every 1s (4x1s) and then sleep for 3 sec<br />
<br />
mail_destination="receiver@domain.com"<br />
mail_server="smtp.domain.com"<br />
mail_account="sender@domain.com"<br />
mail_subject="This is subject"<br />
mail_password="senderpassword"<br />
mail_send_interval=10 #in minutes<br />
mail_threshold=3 #if 3 consecutive pings are fail, send email !<br />
<br />
#Declare variable<br />
received_reply=0<br />
rtt_summary=""<br />
ping_result=""<br />
prev_send_time=0<br />
fail_count=0<br />
<br />
#param guard<br />
if test $ping_count -lt $ping_threshold<br />
then<br />
echo "ping_threshold value is not valid, it must be more than or equal to ping_count value" 2>&1<br />
exit<br />
fi<br />
<br />
while true<br />
do<br />
ping_result=`ping -c $ping_count -i $ping_interval $host`<br />
received_reply=`echo $ping_result | grep -i "received" |cut -d"," -f2 | awk {'print $1'}`<br />
rtt_summary=`echo $ping_result | grep -i "rtt" | awk -F"=" '{print $2}'`<br />
<br />
if test $received_reply -lt $ping_threshold<br />
then<br />
now=`date +%s`<br />
msg="`date +%d"-"%m"-"%Y" "%T` | $received_reply/$ping_count | $rtt_summary"<br />
fail_count=`expr $fail_count + 1`<br />
if test `expr $now - $prev_send_time` -gt `expr $mail_send_interval \\* 60` -a $fail_count -ge $mail_threshold<br />
then<br />
./sendEmail-v1-56/sendEmail -f "$mail_account" -t "$mail_destination" -u "$mail_subject" -m "$msg" -s "$mail_server" -xu "$mail_account" -xp "$mail_password" 1> /dev/null<br />
prev_send_time=$now<br />
fail_count=0<br />
fi<br />
echo $msg >> link-monitor.log<br />
else<br />
if test $fail_count -gt 0<br />
then<br />
fail_count=`expr $fail_count - 1`<br />
fi<br />
fi<br />
sleep $period<br />
done<br />
<br />
<br />
If success reply is lower than ping_threshold, the result will be considered as negative result (and will be logged).<br />
Negative ping result will increment fail_count whereas positive result will decrement it. If the counter has reached the mail_threshold and the mail has not sent within last 10 minutes, an email will be sent and the counter will be reset to zero.<br />
<br />
you can replace the /sendEmail part with another action. u may want to change route, delete route, reduce metric or anything else, depends on your requirement.<br />
<br />
<br /><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7758318932195827641-2794908470491083802?l=ianwijaya.blogspot.com' alt='' /></div>
<p><a href="http://feedads.g.doubleclick.net/~a/yZeFTtKqz-NpOJGDOfF4qVLpixg/0/da"><img src="http://feedads.g.doubleclick.net/~a/yZeFTtKqz-NpOJGDOfF4qVLpixg/0/di" border="0" ismap="true"></img></a><br/>
<a href="http://feedads.g.doubleclick.net/~a/yZeFTtKqz-NpOJGDOfF4qVLpixg/1/da"><img src="http://feedads.g.doubleclick.net/~a/yZeFTtKqz-NpOJGDOfF4qVLpixg/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/YangPentingJalan/~4/D7ymI4dKP8Y" height="1" width="1"/>Ian Wijayahttp://www.blogger.com/profile/16822956116107389067noreply@blogger.com0http://ianwijaya.blogspot.com/2011/12/ip-sla-like-script.htmltag:blogger.com,1999:blog-7758318932195827641.post-60834595730139840452011-12-18T00:22:00.001+07:002011-12-19T14:57:38.220+07:002011-12-19T14:57:38.220+07:00Multicast Source Discovery Protocol (MSDP)Apabila terdapat 2 multicast domain, katakanlah domain A dan domain B dan masing-masing memiliki RP router tersendiri (RP-A dan RP-B), sedangkan multicast source terdapat pada multicast domain A, maka multicast domain B tidak akan mendapatkan paket multicast dari source tersebut.<br />
Untuk mengatasi masalah tersebut, kita dapat mengkonfigurasikan MSDP peering pada kedua RP router.<br />
Dengan MSDP peer, RP-A akan mengirimkan Source Active(SA) messages setiap 60 second
kepada RP-B. SA message berisi list IP address semua source untuk setiap group multicast yang terdapat pada RP-A.<br />
<br />
Berikut contoh lab nya.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-KifQr0ZG6DA/Tu7t9g9nBeI/AAAAAAAAAN4/X_yfWPQiw0s/s1600/msdp-n.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="158" src="http://3.bp.blogspot.com/-KifQr0ZG6DA/Tu7t9g9nBeI/AAAAAAAAAN4/X_yfWPQiw0s/s320/msdp-n.png" width="320" /></a></div>
<br />
<span style="font-size: x-small;">R1# </span><br />
<span style="font-size: x-small;">!</span><br />
<span style="font-size: x-small;">ip multicast-routing</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;">!</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;">interface FastEthernet0/0</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;"> ip address 10.10.12.1 255.255.255.0</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;"> ip pim sparse-dense-mode</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;">!</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;">router ospf 1</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;"> network 10.10.12.1 0.0.0.0 area 0</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;">!</span><span style="font-size: x-small;"><br /></span><br />
<span style="font-size: x-small;"><br /></span><br />
<span style="font-size: x-small;">R2#</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;">!</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;">ip multicast-routing</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;">!</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;">interface Loopback1</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;"> ip address 2.2.2.2 255.255.255.255</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;"> ip pim sparse-dense-mode</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;">!</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;">interface FastEthernet0/0</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;"> ip address 10.10.12.2 255.255.255.0</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;"> ip pim sparse-dense-mode</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;">!</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;">interface FastEthernet0/1</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;"> ip address 10.10.23.2 255.255.255.0</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;"> ip pim sparse-dense-mode</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;">!</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;">router ospf 1</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;"> network 2.2.2.2 0.0.0.0 area 0</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;"> network 10.10.12.2 0.0.0.0 area 0</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;"> network 10.10.23.2 0.0.0.0 area 0</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;">!</span><span style="font-size: x-small;"><br /></span><span style="color: orange;"><span style="font-size: x-small;">ip pim send-rp-announce Loopback1 scope 1</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;">ip pim send-rp-discovery scope 1</span></span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;">!</span><span style="font-size: x-small;"><br /></span><br />
<span style="font-size: x-small;"><br /></span><br />
<span style="font-size: x-small;">R3#</span><br />
<span style="font-size: x-small;">!</span><br />
<span style="font-size: x-small;">ip multicast-routing</span><br />
<span style="font-size: x-small;">!</span><br />
<span style="font-size: x-small;">interface FastEthernet0/0</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;"> ip address 10.10.23.3 255.255.255.0</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;"> ip pim sparse-dense-mode</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;">!</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;">interface FastEthernet0/1</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;"> ip address 10.10.34.3 255.255.255.0</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;"> ip pim sparse-dense-mode</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;">!</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;">router ospf 1</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;"> network 10.10.23.3 0.0.0.0 area 0</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;"> network 10.10.34.3 0.0.0.0 area 0</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;">!</span><span style="font-size: x-small;"><br /></span><br />
<span style="font-size: x-small;"><br /></span><br />
<span style="font-size: x-small;">R4# </span><br />
<span style="font-size: x-small;">ip multicast-routing</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;">!</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;">interface Loopback1</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;"> ip address 4.4.4.4 255.255.255.255</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;"> ip pim sparse-dense-mode</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;">!</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;">interface FastEthernet0/0</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;"> ip address 10.10.34.4 255.255.255.0</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;">ip pim sparse-dense-mode</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;">!</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;">interface FastEthernet0/1</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;"> ip address 10.10.45.4 255.255.255.0</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;">ip pim sparse-dense-mode</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;">!</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;">router ospf 1</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;"> network 4.4.4.4 0.0.0.0 area 0</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;"> network 10.10.34.4 0.0.0.0 area 0</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;"> network 10.10.45.4 0.0.0.0 area 0</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;">!</span><span style="font-size: x-small;"><br /></span><span style="color: orange;"><span style="font-size: x-small;">ip pim send-rp-announce Loopback1 scope 1</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;">ip pim send-rp-discovery scope 1</span></span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;">!</span><span style="font-size: x-small;"><br /></span><br />
<span style="font-size: x-small;"><br /></span><br />
<span style="font-size: x-small;">R5#</span><br />
<span style="font-size: x-small;">!</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;">interface FastEthernet0/0</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;"> ip address 10.10.45.5 255.255.255.0</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;"> ip pim sparse-dense-mode</span><span style="font-size: x-small;"><br /></span><span style="color: orange;"><span style="font-size: x-small;">ip igmp join-group 225.0.0.1</span></span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;">!</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;">router ospf 1</span><span style="font-size: x-small;"><br /></span><span style="font-size: x-small;"> network 10.10.45.5 0.0.0.0 area 0</span><span style="font-size: x-small;"><br /></span><br />
<br />
Kita buat R1 sebagai source (melakukan ping ke 225.0.0.1)<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-IHOQQt0TChI/Tu7ruAfEyGI/AAAAAAAAANo/Yq_eTqTIuuM/s1600/msdp-before.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="358" src="http://2.bp.blogspot.com/-IHOQQt0TChI/Tu7ruAfEyGI/AAAAAAAAANo/Yq_eTqTIuuM/s640/msdp-before.png" width="640" /></a></div>
<br />
<br />
Ternyata tidak ada reply. Berarti R1 tidak menemukan member dari multicast group 225.0.0.1.<br />
Lalu kita coba tambahkan konfigurasi berikut pada R2 dan R4:<br />
<span style="font-size: x-small;"><br /></span><br />
<span style="font-size: x-small;">R2(config)#ip msdp peer 4.4.4.4 connect-source loopback 1</span><span style="font-size: x-small;"><br /></span><br />
<span style="font-size: x-small;">R4(config)#ip msdp peer 2.2.2.2 connect-source loopback 1</span><br />
<span style="font-size: x-small;"><br /></span><br />
Lakukan ping lagi dari R1 ke 225.0.0.1:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-1nvbne1au50/Tu7r1RRSVjI/AAAAAAAAANw/42b-GrqFEBw/s1600/after.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="282" src="http://4.bp.blogspot.com/-1nvbne1au50/Tu7r1RRSVjI/AAAAAAAAANw/42b-GrqFEBw/s640/after.png" width="640" /></a></div>
<br />
<br />
<br />
=====FIN====<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7758318932195827641-6083459573013984045?l=ianwijaya.blogspot.com' alt='' /></div>
<p><a href="http://feedads.g.doubleclick.net/~a/XlPLP-KtHS_jHPsRFrAi2m2GFkU/0/da"><img src="http://feedads.g.doubleclick.net/~a/XlPLP-KtHS_jHPsRFrAi2m2GFkU/0/di" border="0" ismap="true"></img></a><br/>
<a href="http://feedads.g.doubleclick.net/~a/XlPLP-KtHS_jHPsRFrAi2m2GFkU/1/da"><img src="http://feedads.g.doubleclick.net/~a/XlPLP-KtHS_jHPsRFrAi2m2GFkU/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/YangPentingJalan/~4/hDLMm8mQbiE" height="1" width="1"/>Ian Wijayahttp://www.blogger.com/profile/16822956116107389067noreply@blogger.com0http://ianwijaya.blogspot.com/2011/12/multicast-source-discovery-protocol.htmltag:blogger.com,1999:blog-7758318932195827641.post-78387302420064352742011-12-17T01:15:00.001+07:002011-12-17T01:30:30.093+07:002011-12-17T01:30:30.093+07:00Zone-Based FirewallZone-based firewall merupakan fitur yang dapat ditemui pada IOS advsecurity. Zone bersifat user-defined dan dapat diassign pada setiap interface router. Intinya adalah, IOS akan mendrop traffic antara 2 zona yang berbeda. Meskipun demikian kita dapat mendefine beberapa policy untuk memperbolehkan case-case tertentu saja.
Ada beberapa langkah untuk mengkonfigur ZFW:
<br />
1.) Tentukan nama-nama zone
<br />
2.) Buat Class-map
<br />
3.) Buat Policy-map dan tentukan action apa yang akan dilakukan untuk setiap class. <br />
4.) Tentukan Zone Pair. Zone Pair merupakan kombinasi dari sebuah source dan destination sebuah traffic berdasarkan zone-nya. Kemudian Apply Policy-map kedalam zone pair
<br />
5.) Daftarkan interface menjadi member sebuah zone.
Berikut contoh aplikasinya : <br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-BR1mMRwTEEM/TuuAyXTAWxI/AAAAAAAAANM/p8FLMWFk6Hs/s1600/topologi.png" imageanchor="1" style="clear: left; float: center; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="86" src="http://3.bp.blogspot.com/-BR1mMRwTEEM/TuuAyXTAWxI/AAAAAAAAANM/p8FLMWFk6Hs/s400/topologi.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
Konfigurasikan ip address dan ip route untuk setiap router sehingga menjadi seperti digambar. Untuk lab ini saya asumsikan R1 sudah dapat melakukan telnet, ssh, ping dan browse web(telnet port 80) ke R2 (10.10.2.2 dan 8.8.8.8)
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-iYEv2hep8wc/TuuF4PPIoSI/AAAAAAAAANY/n_eXjoRqqP8/s1600/kondisi%2Bawal.png" imageanchor="1" style="clear: left; float: center; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="327" src="http://2.bp.blogspot.com/-iYEv2hep8wc/TuuF4PPIoSI/AAAAAAAAANY/n_eXjoRqqP8/s400/kondisi%2Bawal.png" width="400" /></a></div>
<br />
Kita akan memperbolehkan telnet dan ssh traffic dan mengontrol (policing) traffic web dari local zone ke external zone.
<br />
Semua traffic lain ke 10.10.2.2 akan di-<b>pass</b>.<br />
Semua traffic lain akan di-<b>drop</b>
<br />
<br />
note:
<br />
drop - semua paket tidak akan dilewatkan (silently drop)
<br />
pass - semua paket akan dilewatkan tapi hanya 1 arah saja. pass tidak akan menambahkan record pada tabel connection tracking, sehingga semua trafik ke arah sebaliknya harus di-allow secara manual.
<br />
inspect - semua paket akan dilewatkan, dan firewall akan menambahkan record pada tabel connection tracking, sehingga trafik ke arah sebaliknya akan otomatis di-allow selama record tersebut masih ada.<br />
<br />
<br />
Berikut langkah-langkah konfigurasinya :
<br />
1.) Tentukan Zone
<br />
#zone security local
<br />
#zone security external
<br />
2.) Class-map (buat class map dengan <b>type inspect</b>)
<br />
#class-map type inspect match-any remote-access
<br />
match protocol ssh
<br />
match protocol telnet
<br />
#class-map type inspect match-all web
<br />
match protocol http
<br />
#class-map type inspect match-all toR2<br />
match access-group name myACL
<br />
!
<br />
#ip access-list extended myACL<br />
permit ip any host 10.10.2.2
<br />
<br />
3.) Policy-map (buat dengan <b>type inspect</b>)
<br />
#policy-map type inspect myPOLICY<br />
class type inspect remote-access<br />
inspect<br />
class type inspect web<br />
inspect<br />
police rate 50000 burst 8000<br />
class type inspect toR2<br />
pass<br />
class class-default<br />
drop <br />
!
<br />
<br />
4.) Buat zone-pair dan apply policy-map<br />
#zone-pair security outside source local destination external<br />
service-policy type inspect myPOLICY
<br />
<br />
5.) Daftarkan interface ke dalam sebuah zone<br />
#interface FastEthernet1/0<br />
zone-member security local<br />
!<br />
#interface FastEthernet1/1<br />
zone-member security external<br />
!
<br />
<br />
verifikasi:
sh policy-map type inspect zone-pair <zone-pair-name>
<br />
<br />
<br />
Coba lakukan ssh, telnet, dan ping lagi ke R2. Ping tidak akan mendapatkan reply, karena keduanya akan meng-hit policy drop ataupun pass, sedangkan ping sendiri membutuhkan policy untuk 2 arah. Kita dapat mengakalinya dengan menggantinya menjadi inspect ataupun menambahkan policy pada zone-pair arah sebaliknya.<br />
<br />
<span style="font-family: inherit;"><span style="font-size: x-small;">FW#sh policy-map type inspect zone-pair outside<br /><br />policy exists on zp outside<br /> Zone-pair: outside<br /><br /> Service-policy inspect : myPOLICY<br /><br /> </span></span><b><span style="font-family: inherit;"><span style="font-size: x-small;">Class-map: remote-access (match-any)<br /> Match: protocol ssh<br /> 0 packets,</span></span></b><span style="font-family: inherit;"><span style="font-size: x-small;"> 0 bytes<br /> 30 second rate 0 bps<br /> </span></span><b><span style="font-family: inherit;"><span style="font-size: x-small;">Match: protocol telnet<br /> 1 packets</span></span></b><span style="font-family: inherit;"><span style="font-size: x-small;">, 24 bytes<br /> 30 second rate 0 bps<br /><br /> Inspect<br /> Packet inspection statistics [process switch:fast switch]<br /> tcp packets: [0:38]<br /><br /> Session creations since subsystem startup or last reset 1<br /> Current session counts (estab/half-open/terminating) [0:0:0]<br /> Maxever session counts (estab/half-open/terminating) [1:1:1]<br /> Last session created 01:05:47<br /> Last statistic reset never<br /> Last session creation rate 0<br /> Maxever session creation rate 1<br /> Last half-open session total 0<br /> TCP reassembly statistics<br /> received 0 packets out-of-order; dropped 0<br /> peak memory usage 0 KB; current usage: 0 KB<br /> peak queue length 0<br /><br /><br /> </span></span><b><span style="font-family: inherit;"><span style="font-size: x-small;">Class-map: web (match-all)<br /> Match: protocol http</span></span></b><span style="font-family: inherit;"><span style="font-size: x-small;"><br /><br /> <b>Inspect</b><br /> Packet inspection statistics [process switch:fast switch]<br /> tcp packets: [0:12]<br /><br /> Session creations since subsystem startup or last reset 1<br /> Current session counts (estab/half-open/terminating) [0:0:0]<br /> Maxever session counts (estab/half-open/terminating) [1:1:1]<br /> Last session created 00:59:47<br /> Last statistic reset never<br /> Last session creation rate 0<br /> Maxever session creation rate 1<br /> Last half-open session total 0<br /> TCP reassembly statistics<br /> received 0 packets out-of-order; dropped 0<br /> peak memory usage 0 KB; current usage: 0 KB<br /> peak queue length 0<br /><br /> Police<br /> rate 50000 bps,8000 limit<br /> </span></span><b><span style="font-family: inherit;"><span style="font-size: x-small;">conformed 12 packets, 836 bytes; actions: transmit<br /> exceeded 0 packets, 0 bytes; actions: drop</span></span></b><span style="font-family: inherit;"><span style="font-size: x-small;"><br /> conformed 0 bps, exceed 0 bps<br /><br /> </span></span><b><span style="font-family: inherit;"><span style="font-size: x-small;">Class-map: toR2 (match-all)<br /> Match: access-group name myACL<br />Pass<br /> 5 packets, 400 bytes</span></span></b><span style="font-family: inherit;"><span style="font-size: x-small;"><br /><br /> </span></span><b><span style="font-family: inherit;"><span style="font-size: x-small;">Class-map: class-default (match-any)<br /> Match: any<br />Drop<br /> 10 packets, 800 bytes</span></span></b><br />
<blockquote>
<br /></blockquote><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7758318932195827641-7838730242006435274?l=ianwijaya.blogspot.com' alt='' /></div>
<p><a href="http://feedads.g.doubleclick.net/~a/0S4HYD27x5N0HDxQXaQWb2TI-Bw/0/da"><img src="http://feedads.g.doubleclick.net/~a/0S4HYD27x5N0HDxQXaQWb2TI-Bw/0/di" border="0" ismap="true"></img></a><br/>
<a href="http://feedads.g.doubleclick.net/~a/0S4HYD27x5N0HDxQXaQWb2TI-Bw/1/da"><img src="http://feedads.g.doubleclick.net/~a/0S4HYD27x5N0HDxQXaQWb2TI-Bw/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/YangPentingJalan/~4/ZzW4WZBkr4I" height="1" width="1"/>Ian Wijayahttp://www.blogger.com/profile/16822956116107389067noreply@blogger.com0http://ianwijaya.blogspot.com/2011/12/zone-based-firewall.htmltag:blogger.com,1999:blog-7758318932195827641.post-86940344338888016112011-12-15T23:48:00.001+07:002011-12-15T23:51:07.682+07:002011-12-15T23:51:07.682+07:00Nyanyian Rindu<div class="separator" style="clear: both; text-align: center;">
<object class="BLOGGER-youtube-video" classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0" data-thumbnail-src="http://2.gvt0.com/vi/mg10UTLoTlI/0.jpg" height="480" width="640"><param name="movie" value="http://www.youtube.com/v/mg10UTLoTlI&fs=1&source=uds" />
<param name="bgcolor" value="#FFFFFF" />
<embed width="640" height="480" src="http://www.youtube.com/v/mg10UTLoTlI&fs=1&source=uds" type="application/x-shockwave-flash"></embed></object></div>
<br /><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7758318932195827641-8694034433888801611?l=ianwijaya.blogspot.com' alt='' /></div>
<p><a href="http://feedads.g.doubleclick.net/~a/DozoLLsnfA2HxwJchZAo-qu0KH8/0/da"><img src="http://feedads.g.doubleclick.net/~a/DozoLLsnfA2HxwJchZAo-qu0KH8/0/di" border="0" ismap="true"></img></a><br/>
<a href="http://feedads.g.doubleclick.net/~a/DozoLLsnfA2HxwJchZAo-qu0KH8/1/da"><img src="http://feedads.g.doubleclick.net/~a/DozoLLsnfA2HxwJchZAo-qu0KH8/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/YangPentingJalan/~4/-SyeREQSlZU" height="1" width="1"/>Ian Wijayahttp://www.blogger.com/profile/16822956116107389067noreply@blogger.com0http://ianwijaya.blogspot.com/2011/12/blog-post.htmltag:blogger.com,1999:blog-7758318932195827641.post-14584599308808285972011-12-15T17:47:00.001+07:002011-12-15T23:18:13.218+07:002011-12-15T23:18:13.218+07:00Regular ExpressionRegex is an expression that specifies a set of strings.<br />
Regex banyak sekali digunakan, baik dilingkungan UNIX, scripting, maupun perangkat-perangkat jaringan seperti Cisco.<br />
Berikut metacharacter yang umum digunakan pada regex.<br />
<br />
^ = Awal dari sebuah kata<br />
$ = Akhir dari sebuah kata<br />
| = Logical operator (or/atau)<br />
_ = Delimiter (pemisah: blank, spasi, comma)<br />
. = karakter apa saja. (any character)<br />
+ = 1 atau lebih karakter yang ada didepannya<br />
* = 0 atau lebih karakter yang ada di depannya<br />
? = 0 atau 1 karakter yang ada didepannya .<br />
<br />
( ) = Menandakan sebuah kesatuan<br />
[ ] = Pilihan karakter<br />
<br />
<br />
Misal<br />
1.) aku suka mangga<br />
2.) balonku ada 5<br />
3.) 5 bulan lagi aku CCIE<br />
4.) 55555<br />
5.) dia menertawakan aku<br />
6.) aku suka minggat<br />
7.) aku suka manggis<br />
<br />
^aku -> 1 <br />
aku -> 1 3 5<br />
aku$ -> 5 <br />
<br />
m[ai]ngga -> 1 6<br />
mangg.* -> 1 7<br />
^5$ -> --<br />
5+ -> 2 3 4<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7758318932195827641-1458459930880828597?l=ianwijaya.blogspot.com' alt='' /></div>
<p><a href="http://feedads.g.doubleclick.net/~a/9CbkMMj_wvRE1oLc7TAqhc8MtyQ/0/da"><img src="http://feedads.g.doubleclick.net/~a/9CbkMMj_wvRE1oLc7TAqhc8MtyQ/0/di" border="0" ismap="true"></img></a><br/>
<a href="http://feedads.g.doubleclick.net/~a/9CbkMMj_wvRE1oLc7TAqhc8MtyQ/1/da"><img src="http://feedads.g.doubleclick.net/~a/9CbkMMj_wvRE1oLc7TAqhc8MtyQ/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/YangPentingJalan/~4/kbfzElyCt60" height="1" width="1"/>Ian Wijayahttp://www.blogger.com/profile/16822956116107389067noreply@blogger.com0http://ianwijaya.blogspot.com/2011/12/regular-expression.htmltag:blogger.com,1999:blog-7758318932195827641.post-54683882465498334092011-12-15T17:15:00.000+07:002011-12-15T17:19:28.520+07:002011-12-15T17:19:28.520+07:00SNAT - HSRP (Redundancy)Menyambung postingan yang lalu <a href="http://ianwijaya.blogspot.com/2011/12/nat-redudancy-hsrp.html">http://ianwijaya.blogspot.com/2011/12/nat-redudancy-hsrp.html</a>, saya akan membahas mengenai dynamic NAT failover dengan HSRP.<br />
Fitur yang akan digunakan disini adalah Stateful NAT (SNAT). Dengan menggunakan SNAT, translasi table pada active router akan disinkronkan dengan standby router pada HSRP, sehingga pada saat terjadi perpindahan active router, proses translasi address tidak terganggu (tersendat-sendat).<br />
Dengan topologi yang masih sama dan konfigurasi HSRP yang masih sama:
<br />
Hapus konfigurasi static nat pada percobaan sebelumnya. Kemudian tambahkan dynamic nat tanpa menggunakan SNAT pada router R2 dan R3.<br />
#ip nat pool myPOOL 10.10.10.100 10.10.10.110 prefix-length 24<br />
#ip nat inside source list myACL pool myPOOL <br />
#ip access-list standard myACL<br />
permit 172.16.1.0 0.0.0.255
<br />
<br />
Sembari melakukan telnet ke R4 dari R1, shutdown interface fa0/1 R2. Rasakan sendatannya !! =))<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-S2qpHUuFhl4/TunHbBG1YNI/AAAAAAAAAM4/9cJS07J04vI/s1600/before2-2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="356" src="http://3.bp.blogspot.com/-S2qpHUuFhl4/TunHbBG1YNI/AAAAAAAAAM4/9cJS07J04vI/s640/before2-2.png" width="640" /></a></div>
<br />
<br />
<br />
Kemudian kita tambahkan konfigurasi SNAT seperti contoh dibawah.:<br />
<br />
R2#<br />
!<br />
<b>ip nat Stateful id 1<br /> redundancy myHSRP<br /> mapping-id 10</b><br />
protocol udp<br />
ip nat pool myPOOL 10.10.10.100 10.10.10.110 prefix-length 24<br />
ip nat inside source list myACL pool myPOOL <b>mapping-id 10</b><br />
ip access-list standard myACL<br />
permit 172.16.1.0 0.0.0.255<br />
!<br />
<br />
R3#<br />
!<br />
<b>ip nat Stateful id 2<br /> redundancy myHSRP<br /> mapping-id 10</b><br />
protocol udp<br />
ip nat pool myPOOL 10.10.10.100 10.10.10.110 prefix-length 24<br />
ip nat inside source list myACL pool myPOOL <b>mapping-id 10</b><br />
ip access-list standard myACL<br />
permit 172.16.1.0 0.0.0.255<br />
!<br />
<br />
Stateful ID haruslah berbeda pada setiap router.<br />
Setiap konfigurasi SNAT harus di-bind dengan sebuah mapping-id yang kemudian ditambahkan pada konfigurasi NAT.<br />
verifikasi: <br />
#sh ip snat distributed <br />
#sh ip nat translasions<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-RzaSDM15OYo/TunHcxHohSI/AAAAAAAAANA/OgYZ1d5kU6Y/s1600/after2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="359" src="http://4.bp.blogspot.com/-RzaSDM15OYo/TunHcxHohSI/AAAAAAAAANA/OgYZ1d5kU6Y/s640/after2.png" width="640" /></a></div>
<br />
<br />
====FIN ======<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7758318932195827641-5468388246549833409?l=ianwijaya.blogspot.com' alt='' /></div>
<p><a href="http://feedads.g.doubleclick.net/~a/7x0OoEaCt7Zu2KMkqsUlylR3itQ/0/da"><img src="http://feedads.g.doubleclick.net/~a/7x0OoEaCt7Zu2KMkqsUlylR3itQ/0/di" border="0" ismap="true"></img></a><br/>
<a href="http://feedads.g.doubleclick.net/~a/7x0OoEaCt7Zu2KMkqsUlylR3itQ/1/da"><img src="http://feedads.g.doubleclick.net/~a/7x0OoEaCt7Zu2KMkqsUlylR3itQ/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/YangPentingJalan/~4/6_BR2Hw-f9k" height="1" width="1"/>Ian Wijayahttp://www.blogger.com/profile/16822956116107389067noreply@blogger.com0http://ianwijaya.blogspot.com/2011/12/snat-hsrp-redundancy.htmltag:blogger.com,1999:blog-7758318932195827641.post-88210699005440290872011-12-14T17:16:00.007+07:002011-12-15T15:02:20.121+07:002011-12-15T15:02:20.121+07:00Apache Virtual HostBila kita hanya memiliki 1 server namun ingin meng-hosting 2 web server atau lebih, kita dapat memanfaatkan fitur virtual host. <br /><br />Edit file /etc/httpd/conf/httpd.conf<br />#<br />NameVirtualHost {ip}:{port}<br />#ip bisa diganti dengan * untuk listen di semua ip<br />#lalu tambahkan stanza virtualhost untuk setiap web server <br /><VirtualHost {ip}:{port}><br /> ServerName www.webserver1.com <br /> ServerAlias webserver1.com <br /> DocumentRoot /path/to/web/dir<br /></VirtualHost><br /><br />untuk memperbolehkan directory listing, kita dapat menambahkan <br />Options +indexes<br /><br />untuk authentikasi kita dapat menambahkan stanza Directory didalam VirtualHost<br /><Directory /path/to/allowed-dir><br /> AuthName "Title" <br /> AuthType basic <br /> AuthUserFile /path/to/passfile<br /> Require valid-user<br /></Directory><br /><br />save, exit, restart httpd<br /><br />user dan password dapat dibuat dengan command htpasswd<br />htpasswd -cm /path/to/passfile user1<br />htpasswd -m /path/to/passfile user2<br /><br /><br />====FIN====<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7758318932195827641-8821069900544029087?l=ianwijaya.blogspot.com' alt='' /></div>
<p><a href="http://feedads.g.doubleclick.net/~a/zV6fdKI-vfthbhzo7pK0bCJ9638/0/da"><img src="http://feedads.g.doubleclick.net/~a/zV6fdKI-vfthbhzo7pK0bCJ9638/0/di" border="0" ismap="true"></img></a><br/>
<a href="http://feedads.g.doubleclick.net/~a/zV6fdKI-vfthbhzo7pK0bCJ9638/1/da"><img src="http://feedads.g.doubleclick.net/~a/zV6fdKI-vfthbhzo7pK0bCJ9638/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/YangPentingJalan/~4/a6k6NqQZDWA" height="1" width="1"/>Ian Wijayahttp://www.blogger.com/profile/16822956116107389067noreply@blogger.com0http://ianwijaya.blogspot.com/2011/12/apache-virtual-host.htmltag:blogger.com,1999:blog-7758318932195827641.post-26299382746378130372011-12-14T16:58:00.014+07:002011-12-15T14:58:03.062+07:002011-12-15T14:58:03.062+07:00NAT - Redudancy (HSRP)<a href="http://2.bp.blogspot.com/-zlgEXaIfm9A/Tuh0m2NcM1I/AAAAAAAAALw/1VCr7GdXvdk/s1600/lab-nat.png"><img style="float:center; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 389px; height: 400px;" src="http://2.bp.blogspot.com/-zlgEXaIfm9A/Tuh0m2NcM1I/AAAAAAAAALw/1VCr7GdXvdk/s400/lab-nat.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5685922740290990930" /></a><br /><br />Kita dapat menggunakan HSRP untuk mendapatkan fitur high availabilty pada router gateway. namun apabila router2 gateway tersebut merangkap sebagai translator router (me-nat address local) maka hal tersebut akan menjadi masalah. <br /><br />Berikut hasil screen shot dari percobaan yang saya lakukan <br /><a href="http://4.bp.blogspot.com/-UKWeyK-e2so/Tuh0Q_sy5mI/AAAAAAAAALk/VRTt81ikgCI/s1600/before.png"><img style="float:center; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 400px; height: 225px;" src="http://4.bp.blogspot.com/-UKWeyK-e2so/Tuh0Q_sy5mI/AAAAAAAAALk/VRTt81ikgCI/s400/before.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5685922364881299042" /></a><br /><br />Ketika interface fa 0/1 R2 saya shutdown, translasi memang ikut berpindah ke router R3, namun muncul pesan "DUPLICATE ADDRESS BLA BLA BLA". Hal ini akan menganggu paket-paket tcp yang di lewatkan. Alhasil sesi telnet ke R4(8.8.8.8) menjadi tersendat-sendat. <br />Duplicate address ini dikarenakan interface NVI menggunakan address yang sama, yaitu 10.10.10.1 <br /><br /><br />Hal ini dapat di atasi dengan menggunakan fitur NAT-redudancy. berikut konfigurasi pada router R2 dan R3 <br /><br />R2(config-if)#do sh run | s nat|interface<br />interface FastEthernet0/0<br /> ip address 10.10.10.2 255.255.255.0<br /> ip nat outside<br /> ip virtual-reassembly<br /> duplex auto<br /> speed auto<br />interface FastEthernet0/1<br /> ip address 172.16.1.2 255.255.255.0<br /> ip nat inside<br /> ip virtual-reassembly<br /> duplex auto<br /> speed auto<br /> standby 1 ip 172.16.1.100<br /> standby 1 priority 200<br /> standby 1 preempt<br /> <b>standby 1 name myHSRP</b><br />ip nat inside source static 172.16.1.1 10.10.10.1 <b>redundancy myHSRP</b><br /><br /><br />R3(config-if)#do sh run | s nat|interface<br />interface FastEthernet0/0<br /> ip address 10.10.10.3 255.255.255.0<br /> ip nat outside<br /> ip virtual-reassembly<br /> duplex auto<br /> speed auto<br />interface FastEthernet0/1<br /> ip address 172.16.1.3 255.255.255.0<br /> ip nat inside<br /> ip virtual-reassembly<br /> duplex auto<br /> speed auto<br /> standby 1 ip 172.16.1.100<br /> <b>standby 1 name myHSRP</b><br />ip nat inside source static 172.16.1.1 10.10.10.1 <b>redundancy myHSRP</b><br /><br /><br /><a href="http://3.bp.blogspot.com/-MCtIB-9sqSQ/Tuh2s9YxIzI/AAAAAAAAAMI/eSZYQoC2h3s/s1600/after.png"><img style="float:center; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 400px; height: 225px;" src="http://3.bp.blogspot.com/-MCtIB-9sqSQ/Tuh2s9YxIzI/AAAAAAAAAMI/eSZYQoC2h3s/s400/after.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5685925044320019250" /></a><br /><br />Konfigurasi ini hanya dapat digunakan untuk static nat saja. Untuk dynamic nat kita dapat menggunakan fitur stateful nat yang akan saya bahas pada tulisan saya selanjutnya. :D<br /><br />===== FIN =====<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7758318932195827641-2629938274637813037?l=ianwijaya.blogspot.com' alt='' /></div>
<p><a href="http://feedads.g.doubleclick.net/~a/ZrROLvuz8KQDztd3WA_reMcLJag/0/da"><img src="http://feedads.g.doubleclick.net/~a/ZrROLvuz8KQDztd3WA_reMcLJag/0/di" border="0" ismap="true"></img></a><br/>
<a href="http://feedads.g.doubleclick.net/~a/ZrROLvuz8KQDztd3WA_reMcLJag/1/da"><img src="http://feedads.g.doubleclick.net/~a/ZrROLvuz8KQDztd3WA_reMcLJag/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/YangPentingJalan/~4/Q6VCunl3Qw4" height="1" width="1"/>Ian Wijayahttp://www.blogger.com/profile/16822956116107389067noreply@blogger.com0http://ianwijaya.blogspot.com/2011/12/nat-redudancy-hsrp.htmltag:blogger.com,1999:blog-7758318932195827641.post-23822200806768882212011-12-12T22:28:00.005+07:002011-12-15T15:01:08.596+07:002011-12-15T15:01:08.596+07:00NAT LinuxSebelum melakukan NAT kita harus merubah default behavior dari linux machine untuk dapat melewatkan traffic yang tujuannya bukan mesin itu sendiri (transit node). <br /><br />vi /etc/sysctl.conf <br />net_ipv4_forwarding=1 <br />save, lalu reload sysctl dengan commmand <br />sysctl -p <br /><br /><br />Pada linux, khusus nya Red Hat, nat dapat dikonfigurasi dengan menambahkan rules pada table nat. <br />Untuk memanipulasi table nat kita membutuhkan tambahan parameter "-t nat". <br /><br />Untuk source nat kita bisa menggunakan table POSTROUTING maupung PREROUTING, sedangkan untuk destination nat kita hanya bisa menggunakan PREROUTING saja. <br />PREROUTING artinya translasi address akan dilakukan sebelum proses routing dilakukan, sedangkan POST brarti setelah. <br /><br /><br />Untuk source nat kita menggunakan "-j SNAT", sedangkan destination nat menggunakan "-j DNAT". <br />SNAT sebenarnya serupa dengan "-j MASQUERADE", hanya saja dengan SNAT kita bisa mengganti source address nya, tidak harus sama dengan interface. <br /><br />Berikut contohnya: <br />SNAT, aplikasi umumnya untuk sharing internet(share ip public) <br />iptables -t nat -A POSTROUTING -o <out interface> -j SNAT --to <ip_public><br /><br />DNAT, aplikasi umumnya untuk port forwarding(virtual IP) <br />iptables -t nat -A PREROUTING -p tcp -d <ip_public> --dport <port_public> -j DNAT --to <ip_private:port_private><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7758318932195827641-2382220080676888221?l=ianwijaya.blogspot.com' alt='' /></div>
<p><a href="http://feedads.g.doubleclick.net/~a/I3rm1SLpm51VGo_3UOBb4NB5Vg4/0/da"><img src="http://feedads.g.doubleclick.net/~a/I3rm1SLpm51VGo_3UOBb4NB5Vg4/0/di" border="0" ismap="true"></img></a><br/>
<a href="http://feedads.g.doubleclick.net/~a/I3rm1SLpm51VGo_3UOBb4NB5Vg4/1/da"><img src="http://feedads.g.doubleclick.net/~a/I3rm1SLpm51VGo_3UOBb4NB5Vg4/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/YangPentingJalan/~4/tVwrp1F-PK8" height="1" width="1"/>Ian Wijayahttp://www.blogger.com/profile/16822956116107389067noreply@blogger.com0http://ianwijaya.blogspot.com/2011/12/nat-linux.htmltag:blogger.com,1999:blog-7758318932195827641.post-52706002076619495212011-12-10T08:04:00.005+07:002011-12-15T15:03:00.321+07:002011-12-15T15:03:00.321+07:00Static DHCP bindingJika kita ingin meng-assign IP yang selalu sama pada suatu node melalui DHCP, kita dapat membinding nya secara staticc dengan menggunakan perintah "host" berikut contoh nya <br /><br />#ip dhcp pool my-pool <br />dhcp#network 192.168.1.0 255.255.255.0 <br />dhcp#default-router 192.168.1.1 <br />dhcp#dns-server 8.8.8.8 <br /><br />#ip dhcp pool static-pool <br />dhcp#host 192.168.1.8 255.255.255.0<br />dhcp#hardware address xxxx.yyyy.zzzz <br />dhcp#default-router 192.168.1.1 <br /><br />verifikasi: <br />#sh ip dhcp binding<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7758318932195827641-5270600207661949521?l=ianwijaya.blogspot.com' alt='' /></div>
<p><a href="http://feedads.g.doubleclick.net/~a/VJEYsPa6CZSdHPwUlSNnS5Xe3W8/0/da"><img src="http://feedads.g.doubleclick.net/~a/VJEYsPa6CZSdHPwUlSNnS5Xe3W8/0/di" border="0" ismap="true"></img></a><br/>
<a href="http://feedads.g.doubleclick.net/~a/VJEYsPa6CZSdHPwUlSNnS5Xe3W8/1/da"><img src="http://feedads.g.doubleclick.net/~a/VJEYsPa6CZSdHPwUlSNnS5Xe3W8/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/YangPentingJalan/~4/ZTP04PTehtI" height="1" width="1"/>Ian Wijayahttp://www.blogger.com/profile/16822956116107389067noreply@blogger.com0http://ianwijaya.blogspot.com/2011/12/static-dhcp-binding.htmltag:blogger.com,1999:blog-7758318932195827641.post-33253504023540790322011-12-09T12:28:00.005+07:002011-12-15T15:03:57.825+07:002011-12-15T15:03:57.825+07:00AutoRP ListenerKetika kita menggunakan auto rp untuk mendistribusikan rp address, kita harus menggunakan sparse-dense mode pada interface yang tergabung dengan multicast. <br />Source multicast akan menggunakan dense mode sampai source tersebut mempelajari dimana letak root tree(rp-address). Ketika source telah mempelajari rp, source akan beralih menggunakan sparse mode. <br /><br />Waktu yang dibutuhkan untuk menjadi sparse mode relatif lama. Ketika suatu source menggunakan dense mode dalam waktu yang relatif lama maka hal ini akan menjadi tidak efisien. <br />Untuk menghindari hal ini, kita dapat menggunakan autoRP listener. Dengan autorp listener kita diperbolehkan menggunakan autorp dalam mode sparse mode, dengan pengecualian traffic untuk group 224.0.0.39 (RP) dan 224.0.0.40 (Mapping agent) (yang akan di distribusikan menggunakan dense mode) <br /> <br />konfigurasi auto-RP dengan sparse mode <br /><br />R1-------R2---------R3 <br /><br /><br />konfigurasikan semua interface sebagai sparse mode<br />if#ip pim sparse-mode <br /><br />R2 sebagai RP <br />R2#<br />ip pim send-rp announce <src interface> scope <value><br />ip pim send-rp discovery scope <value><br /><br />R1&3#ip pim autorp listener<br /><br />verifikasi: <br />sh ip pim rp mapping<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7758318932195827641-3325350402354079032?l=ianwijaya.blogspot.com' alt='' /></div>
<p><a href="http://feedads.g.doubleclick.net/~a/uDCdBXiObxK1RKjH7H44Xi9U4i8/0/da"><img src="http://feedads.g.doubleclick.net/~a/uDCdBXiObxK1RKjH7H44Xi9U4i8/0/di" border="0" ismap="true"></img></a><br/>
<a href="http://feedads.g.doubleclick.net/~a/uDCdBXiObxK1RKjH7H44Xi9U4i8/1/da"><img src="http://feedads.g.doubleclick.net/~a/uDCdBXiObxK1RKjH7H44Xi9U4i8/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/YangPentingJalan/~4/735q_k3HADE" height="1" width="1"/>Ian Wijayahttp://www.blogger.com/profile/16822956116107389067noreply@blogger.com0http://ianwijaya.blogspot.com/2011/12/autorp-listener.htmltag:blogger.com,1999:blog-7758318932195827641.post-87334540690975779732011-12-08T07:37:00.014+07:002011-12-15T15:07:54.384+07:002011-12-15T15:07:54.384+07:00MPLS VPN OSPF-ShamlinkSebelum mengkonfigur shamlink, mungkin anda merasakan ada yang aneh dengan route OSPF, mengapa prefix ospf dari PE dianggap sebagai O IA, tidak sebagai O External, padahal route tersebut di-redistribute dari BGP. <br />Hal ini memang special case untuk MPLS. Berikut saya kutip penjelasan nya dari sebuah web.<br />http://sites.google.com/site/amitsciscozone/home/important-tips/mpls-wiki/ospf-as-pe-ce-routing-protocol-in-mpls-vpn (paragraph 1, 4, dan 5) <br /><blockquote><br />OSPF Domain: Two sites are considered to be in the same OSPF Domain if the routes from one site to other are considered intra-network routes. Both sites will run OSPF as their intra-site routing protocol.This can be done by presenting such routes as inter-area routes in Type 3 LSAs.<br /><b>If normal BGP/OSPF interaction procedures are implemented, the routes from one site to be delivered to another site as External routes in Type 5 LSAs. This makes them impossible to be distinguished from "real" external routes in the VPN. Hence, a modified version of BGP/OSPF interaction procedure needs to be implemented so that routes delivered from one site to another are atleast interarea routes.</b><br />If a VRF contains both an OSPF-distributed route and a VPNv4 route for the same IP prefix, then the OSPF-distributed route is preferred because of its lower AD. Hence, forwarding is done according to OSPF route. The only exception is when the sham-link is present.<br /></blockquote> <br /><br />Ketika kita menggunakan ospf sebagai IGP anatara router PE dan CE untuk menghubungkan 2 network DAN kemudian kita menambahkan intraarea route baru untuk mencapai network yang sama, ospf akan lebih memilih jalur melewati intra area route. Hal ini dikarenakan OSPF akan mem-flag route yang melewati MPLS sebagai interarea route. <br />Kendala ini dapat diatasi dengan menambahkan konfigurasi shamlink pada PE router. Dengan shamlink, CE akan menggunakan path melalui MPLS sebagai primary path.<br /><br />Ada 4 langkah yang harus dilakukan untuk membentuk shamlink<br />misalkan customer ada pada vrfA maka: <br />1.) Buat loopback interface di masing2 PE router, kemudian assign interface tersebut ke dalam vrfA (ip vrf forwarding) <br />2.) Advertise loopback interface tersebut ke dalam BGP vrfA, (network command)<br />3.) Assign ip loopback point 1 menjadi RID untuk protocol OSPF vrfA, buat shamlink pada masing2 <br />PE router dengan comand <br />#area <id:> sham-link <source RID> <destinations RID> <br /><br />Pada tahap ini route ospf ke vrfA akan di anggap sebagai intraarea route meskipun route tersebut didapat dari redistribusi BGP <br /><br />4.) Manipulasi cost pada interface CE router. Buat agar CE lebih memilih untuk melewati jalur MPLS<br />if#ip ospf cost <value><br /><br />Berikut contohnya: <br /><br /><br /><a href="http://1.bp.blogspot.com/-UGWr6eC9t68/TuAY4gs0X_I/AAAAAAAAALA/l-6nv9isBgA/s1600/mpls-blog.png"><img style="float:center; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 400px; height: 238px;" src="http://1.bp.blogspot.com/-UGWr6eC9t68/TuAY4gs0X_I/AAAAAAAAALA/l-6nv9isBgA/s400/mpls-blog.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5683570088871223282" /></a><br /><br /><br /><br />Pada R7 dan R5, customer B membuat backup path baru, tambahkan konfigurasi OSPF seperti biasa pada router-router CE tersebut. <br />Konfigurasi terkait:<br />Nama VRF Bkiri (R1) dan Bkanan (R3)<br /><br />Konfigurasi dasar:<br />R1#<br />!<br />ip cef<br />!<br />ip vrf Bkiri<br /> rd 65000:2<br /> route-target export 65000:2<br /> route-target import 65000:2<br />!<br />interface Loopback0<br /> ip address 10.10.10.1 255.255.255.255<br />!<br />interface Serial0/0<br /> description # link to P #<br /> ip address 192.168.10.1 255.255.255.252<br /> mpls ip<br /> clock rate 2000000<br />!<br />interface FastEthernet0/1<br /> ip vrf forwarding Bkiri<br /> ip address 192.168.0.1 255.255.255.252<br /> duplex auto<br /> speed auto<br />!<br />router ospf 100 vrf Bkiri<br /> log-adjacency-changes <br /> redistribute bgp 65000 subnets<br /> network 192.168.0.0 0.0.255.255 area 0<br />!<br />router bgp 65000<br /> no synchronization<br /> bgp log-neighbor-changes<br /> neighbor 10.10.10.2 remote-as 65000<br /> neighbor 10.10.10.2 update-source Loopback0<br /> no auto-summary<br /> !<br /> address-family vpnv4<br /> neighbor 10.10.10.2 activate<br /> neighbor 10.10.10.2 send-community extended<br /> exit-address-family<br /> !<br /> address-family ipv4 vrf Bkiri<br /> redistribute ospf 100 vrf Bkiri match internal external 1 external 2<br /> no synchronization<br /> exit-address-family<br /> !<br /><br />R3#<br />!<br />ip cef<br />!<br />ip vrf Bkanan<br /> rd 65000:2<br /> route-target export 65000:2<br /> route-target import 65000:2<br />!<br />interface Loopback0<br /> ip address 10.10.10.2 255.255.255.255<br />!<br />interface Serial0/0<br /> description #link to P#<br /> ip address 192.168.20.2 255.255.255.252<br /> mpls ip<br /> clock rate 2000000<br />!<br />interface FastEthernet0/1<br /> ip vrf forwarding Bkanan<br /> ip address 192.168.0.5 255.255.255.0<br /> duplex auto<br /> speed auto<br />!<br />router ospf 100 vrf Bkanan<br /> log-adjacency-changes<br /> redistribute bgp 65000 subnets<br /> network 192.168.0.0 0.0.255.255 area 0<br />!<br />router bgp 65000<br /> no synchronization<br /> bgp log-neighbor-changes<br /> neighbor 10.10.10.1 remote-as 65000<br /> neighbor 10.10.10.1 update-source Loopback0<br /> no auto-summary<br /> !<br /> address-family vpnv4<br /> neighbor 10.10.10.1 activate<br /> neighbor 10.10.10.1 send-community extended<br /> exit-address-family<br /> !<br /> address-family ipv4 vrf Bkanan<br /> redistribute ospf 100 vrf Bkanan match internal external 1 external 2<br /> no synchronization<br /> exit-address-family<br />!<br /><a href="http://2.bp.blogspot.com/-jH9nNCBImIw/TuAbJJM728I/AAAAAAAAALM/m7uBwfQameI/s1600/route-before.png"><img style="float:center; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 400px; height: 166px;" src="http://2.bp.blogspot.com/-jH9nNCBImIw/TuAbJJM728I/AAAAAAAAALM/m7uBwfQameI/s400/route-before.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5683572573644512194" /></a><br /><br />Kemudian tambahkan konfigurasi shamlink sesuai dengan step yang telah dijabarkan di atas <br />R1#<br />interface Loopback100<br /> ip vrf forwarding Bkiri<br /> ip address 100.100.100.4 255.255.255.255<br />!<br />router ospf 100 vrf Bkiri<br />router-id 100.100.100.4<br /> area 0 sham-link 100.100.100.4 100.100.100.5<br />!<br />router bgp 65000<br />address-family ipv4 vrf Bkiri<br />network 100.100.100.4 mask 255.255.255.255<br />!<br /><br />R3#<br />interface Loopback5<br /> ip vrf forwarding Bkanan<br /> ip address 100.100.100.5 255.255.255.255<br />!<br />router ospf 100 vrf Bkanan<br /> router-id 100.100.100.5<br /> area 0 sham-link 100.100.100.5 100.100.100.4<br />!<br />router bgp 65000<br /> address-family ipv4 vrf Bkanan<br /> network 100.100.100.5 mask 255.255.255.255<br />!<br /><br /><br /><a href="http://1.bp.blogspot.com/-p1FC_3Q8rVE/TuAbJgKELLI/AAAAAAAAALY/Xk9n33y5YHM/s1600/route-after.png"><img style="float:center; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 400px; height: 166px;" src="http://1.bp.blogspot.com/-p1FC_3Q8rVE/TuAbJgKELLI/AAAAAAAAALY/Xk9n33y5YHM/s400/route-after.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5683572579806489778" /></a><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7758318932195827641-8733454069097577973?l=ianwijaya.blogspot.com' alt='' /></div>
<p><a href="http://feedads.g.doubleclick.net/~a/U0THpjy4aiZ2kiI8MMwd9T-FDvY/0/da"><img src="http://feedads.g.doubleclick.net/~a/U0THpjy4aiZ2kiI8MMwd9T-FDvY/0/di" border="0" ismap="true"></img></a><br/>
<a href="http://feedads.g.doubleclick.net/~a/U0THpjy4aiZ2kiI8MMwd9T-FDvY/1/da"><img src="http://feedads.g.doubleclick.net/~a/U0THpjy4aiZ2kiI8MMwd9T-FDvY/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/YangPentingJalan/~4/z3xCmMfUAWs" height="1" width="1"/>Ian Wijayahttp://www.blogger.com/profile/16822956116107389067noreply@blogger.com0http://ianwijaya.blogspot.com/2011/12/mpls-vpn-ospf-shamlink.htmltag:blogger.com,1999:blog-7758318932195827641.post-39954925707591300052011-12-07T07:31:00.007+07:002011-12-07T08:47:52.883+07:002011-12-07T08:47:52.883+07:00BGP bestpath as-path multipath-relaxNormal nya BGP akan me-load share 2 link atau lebih apabila kedua kondisi dibawah terpenuhi: <br />1.) maximum-path > 1<br />2.) terdapat 2 atau lebih link yang memiliki BGP attribute yang sama paling tidak sampai kriteria ke 8 (NWLLA OMNI, Next hop reachable, weight, Local pref, Locally injected, AS-path, Origin, MED, Neighbor type, dan IGP metric to next hop)<br /><br />Hal ini tidak akan menjadi masalah pada kasus 1 ISP multihome, namun apabila kasus multihome adalah dari 2 ISP yang berbeda maka akan terjadi perbedaan AS-path dan hanya akan ada 1 route ISP yang dimasukan ke dalam routing table. (karena syarat ke 2 tidak terpenuhi) <br /><br />untuk mengatasi masalah ini, kita dapat menambahkan konfigurasi : <br />#bgp bestpath as-path multipath-relax <br /><br />Dengan menambahkan konfigurasi tersebut BGP akan menghiraukan perbedaan as number pada masing2 path asalkan length AS nya masih tetap sama. <br /><br /><br />berikut contoh nya (perhatikan route entry untuk prefix 4.4.4.4) : <br />1 ISP, Multihome<br /><a href="http://3.bp.blogspot.com/-qR2i4C4mW74/Tt63sNx20GI/AAAAAAAAAJs/7hnrCfTJxdE/s1600/blog%2B1%2Bbgp.png"><img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 400px; height: 266px;" src="http://3.bp.blogspot.com/-qR2i4C4mW74/Tt63sNx20GI/AAAAAAAAAJs/7hnrCfTJxdE/s400/blog%2B1%2Bbgp.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5683181750029045858" /></a><br /><br /><a href="http://2.bp.blogspot.com/-ybZJNk2kKlk/Tt63sTc8wtI/AAAAAAAAAJ4/sQxGBVIEruc/s1600/multihome1-1.png"><img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 400px; height: 267px;" src="http://2.bp.blogspot.com/-ybZJNk2kKlk/Tt63sTc8wtI/AAAAAAAAAJ4/sQxGBVIEruc/s400/multihome1-1.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5683181751551967954" /></a><br /><br />Lalu saya ganti konfigurasinya agar R2 dan R3 menjadi berbeda AS (dual ISP) <br /><br /><a href="http://2.bp.blogspot.com/-a0T9SduDP2Q/Tt66XEQJ5UI/AAAAAAAAAKE/rWCVIKIrlRc/s1600/multihome2-1.png"><img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 400px; height: 269px;" src="http://2.bp.blogspot.com/-a0T9SduDP2Q/Tt66XEQJ5UI/AAAAAAAAAKE/rWCVIKIrlRc/s400/multihome2-1.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5683184685229401410" /></a><br /><br /><a href="http://3.bp.blogspot.com/-6ToxdFaZHiE/Tt66XXGJ8GI/AAAAAAAAAKQ/MdMmisOhK9s/s1600/multihome2-2.png"><img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 400px; height: 264px;" src="http://3.bp.blogspot.com/-6ToxdFaZHiE/Tt66XXGJ8GI/AAAAAAAAAKQ/MdMmisOhK9s/s400/multihome2-2.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5683184690287734882" /></a><br /><br />saya tambahkan konfigurasi multipath-relax <br />R1#router bgp 100 <br />R1(router)#bgp bestpath as-path multipath-relax <br />R1(router)#maximum-path 2 <br /><br /><a href="http://4.bp.blogspot.com/-Ppbbm7qKQTM/Tt66XunJ4UI/AAAAAAAAAKc/pYOYyMgACRE/s1600/multihome2-3.png"><img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 400px; height: 273px;" src="http://4.bp.blogspot.com/-Ppbbm7qKQTM/Tt66XunJ4UI/AAAAAAAAAKc/pYOYyMgACRE/s400/multihome2-3.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5683184696600158530" /></a><br /><br /><br />command ini tidak terdapat pada intellisense/auto complete<br /><br /><br /><br />===fin===<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7758318932195827641-3995492570759130005?l=ianwijaya.blogspot.com' alt='' /></div>
<p><a href="http://feedads.g.doubleclick.net/~a/J8G7TTmRlgS5R3KD18mleVYjk6k/0/da"><img src="http://feedads.g.doubleclick.net/~a/J8G7TTmRlgS5R3KD18mleVYjk6k/0/di" border="0" ismap="true"></img></a><br/>
<a href="http://feedads.g.doubleclick.net/~a/J8G7TTmRlgS5R3KD18mleVYjk6k/1/da"><img src="http://feedads.g.doubleclick.net/~a/J8G7TTmRlgS5R3KD18mleVYjk6k/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/YangPentingJalan/~4/WCLn-3L0Z74" height="1" width="1"/>Ian Wijayahttp://www.blogger.com/profile/16822956116107389067noreply@blogger.com0http://ianwijaya.blogspot.com/2011/12/bgp-bestpath-as-path-multipath-relax.htmltag:blogger.com,1999:blog-7758318932195827641.post-63327364770852299002011-12-06T08:10:00.003+07:002011-12-15T15:13:02.861+07:002011-12-15T15:13:02.861+07:00OSPF Network Type<a href="http://4.bp.blogspot.com/-tW9LEXy2FEs/Tt1sBuYyBGI/AAAAAAAAAJg/HlXlnqFQWFk/s1600/blog%2Bospf%2Bnetwork%2Btype.png"><img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 400px; height: 178px;" src="http://4.bp.blogspot.com/-tW9LEXy2FEs/Tt1sBuYyBGI/AAAAAAAAAJg/HlXlnqFQWFk/s400/blog%2Bospf%2Bnetwork%2Btype.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5682817081699075170" /></a><br />*Default pada interface LAN adalah broadcast<br /><br />Ada 6 tipe network pada interface ospf. <br />Pilihan yang harus kita gunakan sangat bergantung pada komponen-komponen penyusun table tersebut. <br /><br />pada topologi frame relay, ada beberapa hal yang perlu diperhatikan dalam pemilihan tipe network: <br />1.) Pastikan hello/dead timers tidak berbeda. <br /><br />2.) Semua routers dalam suatu NBMA subnet disarankan menggunakan tipe network yang sama, antara semua menggunakan DR atau tidak sama sekali. <br /><br />3.) Apabila dikehendaki menggunakan DR, maka router yang harus menjadi DR adalah router yang punya PVC ke semua router yang lain. (set router2 DROther dengan "ip ospf priority 0")<br /><br />4.) "neighbor command" cukup dikonfigurasikan pada 1 router saja. <br /><br />5.) Apabila kita menggunakan dynamic mapping (frame-relay interface dlci) dan kita menggunakan tipe network ospf broadcast maka neighbor akan otomatis terdiscover <br /> <br />6.) Apabila kita menggunakan frame-relay map broadcast (dengan broadcast) dan kita menggunakan tipe network ospf broadcast maka neighbor akan otomatis terdiscover <br /><br />7.) Apabila kita menggunakan frame-relay map (tanpa broadcast) atau kita menggunakan tipe network ospf non broadcast maka kita harus menggunakan "neighbor" command. <br /><br />*Broadcast keyword pada frame relay map dibutuhkan apabila kita ingin mengirimkan packet broadcast dan multicast ke spesifik dlci<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7758318932195827641-6332736477085229900?l=ianwijaya.blogspot.com' alt='' /></div>
<p><a href="http://feedads.g.doubleclick.net/~a/QpwV1ItSqLpcKuoiNAKUjPfDhPQ/0/da"><img src="http://feedads.g.doubleclick.net/~a/QpwV1ItSqLpcKuoiNAKUjPfDhPQ/0/di" border="0" ismap="true"></img></a><br/>
<a href="http://feedads.g.doubleclick.net/~a/QpwV1ItSqLpcKuoiNAKUjPfDhPQ/1/da"><img src="http://feedads.g.doubleclick.net/~a/QpwV1ItSqLpcKuoiNAKUjPfDhPQ/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/YangPentingJalan/~4/ImNT1sAK78M" height="1" width="1"/>Ian Wijayahttp://www.blogger.com/profile/16822956116107389067noreply@blogger.com0http://ianwijaya.blogspot.com/2011/12/ospf-network-type.htmltag:blogger.com,1999:blog-7758318932195827641.post-40829498252117068992011-12-05T07:37:00.008+07:002011-12-05T08:55:34.437+07:002011-12-05T08:55:34.437+07:00EIGRP Stub<a href="http://2.bp.blogspot.com/-miPyFCI6WLY/TtwTHJV3uRI/AAAAAAAAAJI/ZK-Hs2xc3Z0/s1600/stub%2B-blog.png"><img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 400px; height: 86px;" src="http://2.bp.blogspot.com/-miPyFCI6WLY/TtwTHJV3uRI/AAAAAAAAAJI/ZK-Hs2xc3Z0/s400/stub%2B-blog.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5682437843322386706" /></a><br /><br />Konfigurasi stub dibutuhkan saat sebuah router tidak boleh menjadi transit router. salah satu kegunaan konfigurasi stub adalah untuk mencegah sebuah router menerima query dari upstream router. Hal ini dapat memperpendek masa active dari upstream router dan menghindari kondisi stuck in active (SIA). <br /><br />Konfigurasi stub memiliki beberapa option. Secara default, stub akan mendistribusikan connected dan summary route, namun kita dapat mengubah behavior ini dengan menyebutkan route apa saja yang akan kita advertise ke upstream router. <br /><br /><br />contoh: <br /><br /><a href="http://4.bp.blogspot.com/-l9w2FkRvFh8/TtwYY5NGFaI/AAAAAAAAAJU/p1ANxuVKDgA/s1600/stub.png"><img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 388px; height: 115px;" src="http://4.bp.blogspot.com/-l9w2FkRvFh8/TtwYY5NGFaI/AAAAAAAAAJU/p1ANxuVKDgA/s400/stub.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5682443645786396066" /></a><br /><br /><br /><br /><br /><br /><br /><font size="-8"><br />R1# <br />!<br />interface Loopback1<br /> ip address 192.168.22.1 255.255.255.0<br />!<br />interface Loopback2<br /> ip address 192.168.23.1 255.255.255.0<br />!<br />interface Loopback3<br /> ip address 192.168.24.1 255.255.255.0<br />!<br />interface Loopback4<br /> ip address 192.168.25.1 255.255.255.0<br />!<br />interface Loopback5<br /> ip address 192.168.26.1 255.255.255.0<br />!<br />interface FastEthernet0/0<br /> ip address 192.168.10.1 255.255.255.0<br /> ip summary-address eigrp 10 192.168.22.0 255.255.254.0 5<br /> duplex auto<br /> speed auto<br />!<br />router eigrp 10<br /> network 192.168.10.1 0.0.0.0<br /> network 192.168.0.0 0.0.255.255<br /> no auto-summary<br />!<br /><br />R2#<br />!<br />interface FastEthernet0/0<br /> ip address 192.168.10.2 255.255.255.0<br /> duplex auto<br /> speed auto<br />!<br />router eigrp 10<br /> network 192.168.10.2 0.0.0.0<br /> auto-summary<br />!<br /><br />R2#sh ip route <br />D 192.168.25.0/24 [90/409600] via 192.168.10.1, 00:04:18, FastEthernet0/0<br />D 192.168.24.0/24 [90/409600] via 192.168.10.1, 00:04:24, FastEthernet0/0<br />C 192.168.10.0/24 is directly connected, FastEthernet0/0<br />D 192.168.26.0/24 [90/409600] via 192.168.10.1, 00:04:13, FastEthernet0/0<br />D 192.168.22.0/23 [90/409600] via 192.168.10.1, 00:06:13, FastEthernet0/0<br /><br />============================================================================<br /><br />R1(router)#eigrp stub <br /><br />R2#sh ip routte<br />D 192.168.25.0/24 [90/409600] via 192.168.10.1, 00:00:30, FastEthernet0/0<br />D 192.168.24.0/24 [90/409600] via 192.168.10.1, 00:00:30, FastEthernet0/0<br />C 192.168.10.0/24 is directly connected, FastEthernet0/0<br />D 192.168.26.0/24 [90/409600] via 192.168.10.1, 00:00:30, FastEthernet0/0<br />D 192.168.22.0/23 [90/409600] via 192.168.10.1, 00:00:30, FastEthernet0/0<br /><br />============================================================================<br /><br />R1(router)#eigrp stub connected <br />R2#sh ip route <br />D 192.168.25.0/24 [90/409600] via 192.168.10.1, 00:00:04, FastEthernet0/0<br />D 192.168.24.0/24 [90/409600] via 192.168.10.1, 00:00:04, FastEthernet0/0<br />C 192.168.10.0/24 is directly connected, FastEthernet0/0<br />D 192.168.26.0/24 [90/409600] via 192.168.10.1, 00:00:04, FastEthernet0/0<br />D 192.168.23.0/24 [90/409600] via 192.168.10.1, 00:00:04, FastEthernet0/0<br />D 192.168.22.0/24 [90/409600] via 192.168.10.1, 00:00:04, FastEthernet0/0<br /><br />============================================================================<br /><br />R1(router)#eigrp stub summary <br />R2#sh ip route <br />C 192.168.10.0/24 is directly connected, FastEthernet0/0<br />D 192.168.22.0/23 [90/409600] via 192.168.10.1, 00:00:02, FastEthernet0/0<br /><br />============================================================================<br /><br />leak-map digunakan untuk menspesifikasikan prefix eigrp apa saja yang akan kita distribusikan melalui leak-map (route-map). <br /><br />saya tambahkan R3. R3 terhubung dengan interface fa 0/1 R1(172.16.1.2/24) dengan konfigurasi sebagai berikut : <br /><br />interface Loopback1<br /> ip address 172.16.10.1 255.255.255.0<br />!<br />interface Loopback2<br /> ip address 172.16.11.1 255.255.255.0<br />!<br />interface Loopback3<br /> ip address 172.16.12.1 255.255.255.0<br />!<br />interface FastEthernet0/0<br /> ip address 172.16.1.1 255.255.255.0<br /> duplex auto<br /> speed auto<br />!<br />router eigrp 10<br /> network 172.16.0.0 0.0.255.255<br /> no auto-summary<br />!<br /><br />R1#sh ip route <br />C 192.168.25.0/24 is directly connected, Loopback4<br />C 192.168.24.0/24 is directly connected, Loopback3<br />C 192.168.10.0/24 is directly connected, FastEthernet0/0<br /> 172.16.0.0/24 is subnetted, 4 subnets<br />D 172.16.12.0 [90/409600] via 172.16.1.1, 00:02:44, FastEthernet0/1<br />D 172.16.10.0 [90/409600] via 172.16.1.1, 00:02:44, FastEthernet0/1<br />D 172.16.11.0 [90/409600] via 172.16.1.1, 00:02:44, FastEthernet0/1<br />C 172.16.1.0 is directly connected, FastEthernet0/1<br />C 192.168.26.0/24 is directly connected, Loopback5<br />C 192.168.23.0/24 is directly connected, Loopback2<br />C 192.168.22.0/24 is directly connected, Loopback1<br />D 192.168.22.0/23 is a summary, 00:10:02, Null0<br /><br />kemudian saya konfigurasikan leak-map bernama lm1 <br />!<br />access-list 1 permit 172.16.12.0 0.0.0.255<br />!<br />route-map lm1 permit 1<br /> match ip address 1<br />!<br />router eigrp 10<br />eigrp stub leak-map lm1<br />!<br /><br />R2#sh ip route <br />C 192.168.10.0/24 is directly connected, FastEthernet0/0<br /> 172.16.0.0/24 is subnetted, 1 subnets<br />D 172.16.12.0 [90/435200] via 192.168.10.1, 00:00:09, FastEthernet0/0<br /><br />================================================================<br />receive-only digunakan untuk membuat sebuah router hanya menerima prefix tanpa memberitahukan prefix yang dimilikinya. <br /><br />R1(router)#eigrp stub receive-only <br />R1#sh ip route <br /><br />C 192.168.25.0/24 is directly connected, Loopback4<br />C 192.168.24.0/24 is directly connected, Loopback3<br />C 192.168.10.0/24 is directly connected, FastEthernet0/0<br /> 172.16.0.0/24 is subnetted, 4 subnets<br />D 172.16.12.0 [90/409600] via 172.16.1.1, 00:00:24, FastEthernet0/1<br />D 172.16.10.0 [90/409600] via 172.16.1.1, 00:00:24, FastEthernet0/1<br />D 172.16.11.0 [90/409600] via 172.16.1.1, 00:00:24, FastEthernet0/1<br />C 172.16.1.0 is directly connected, FastEthernet0/1<br />C 192.168.26.0/24 is directly connected, Loopback5<br />C 192.168.23.0/24 is directly connected, Loopback2<br />C 192.168.22.0/24 is directly connected, Loopback1<br />D 192.168.22.0/23 is a summary, 00:15:00, Null0<br /><br />R2#sh ip route <br />C 192.168.10.0/24 is directly connected, FastEthernet0/0<br /><br />R3#<br /> 172.16.0.0/24 is subnetted, 4 subnets<br />C 172.16.12.0 is directly connected, Loopback3<br />C 172.16.10.0 is directly connected, Loopback1<br />C 172.16.11.0 is directly connected, Loopback2<br />C 172.16.1.0 is directly connected, FastEthernet0/0<br /></font><br />==fin==<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7758318932195827641-4082949825211706899?l=ianwijaya.blogspot.com' alt='' /></div>
<p><a href="http://feedads.g.doubleclick.net/~a/ReinebloWjOmqT7kEGG_da09PMM/0/da"><img src="http://feedads.g.doubleclick.net/~a/ReinebloWjOmqT7kEGG_da09PMM/0/di" border="0" ismap="true"></img></a><br/>
<a href="http://feedads.g.doubleclick.net/~a/ReinebloWjOmqT7kEGG_da09PMM/1/da"><img src="http://feedads.g.doubleclick.net/~a/ReinebloWjOmqT7kEGG_da09PMM/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/YangPentingJalan/~4/bR-aQ6I4V_g" height="1" width="1"/>Ian Wijayahttp://www.blogger.com/profile/16822956116107389067noreply@blogger.com0http://ianwijaya.blogspot.com/2011/12/eigrp-stub.htmltag:blogger.com,1999:blog-7758318932195827641.post-8257786719372574772011-12-04T15:45:00.008+07:002011-12-05T07:36:42.609+07:002011-12-05T07:36:42.609+07:00Distribusi Default Route4 cara untuk mendistribusikan default route :<br /><br /><a href="http://2.bp.blogspot.com/-5AsVLgczZO8/Tts0VdM3S6I/AAAAAAAAAI8/cb44tUMoFaE/s1600/blog%2Bdefault%2Broute.png"><img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 400px; height: 105px;" src="http://2.bp.blogspot.com/-5AsVLgczZO8/Tts0VdM3S6I/AAAAAAAAAI8/cb44tUMoFaE/s400/blog%2Bdefault%2Broute.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5682192898078493602" /></a><br /><br /> <br /> <br /> <br /><br /><br />1.) redistribusi static route <br />konfigur static route <br />#ip route <dest-net> <dest-netmask> <exit interface|next-hop ip> <br />#router <protocol><br />#redistribute static <br /><br />2.) default information originate <br />#router <protocol> <br />#default-information originate <br /><br />3.) ip default network <br />ada beberapa syarat yang harus di perhatikan untuk konfigurasi ip default network :<br />a.) local router harus di konfigur dengan "ip default-network <network number>", dengan network number sebagai classful network number.<br />b.) classful network tersebut harus terdapat pada routing table di local router tersebut, dengan cara apapun. <br />c.) khusus untuk eigrp, classful network tersebut harus di advertised oleh local router kedalam EIGRP, dengan cara apapun <br /><br />konfigurasi <br />masukan ke classful network ke routing table baik dengan konfigurasi interface maupun static routing ataupun cara yang lain. <br /> <br />#interface loopback <id><br />if# ip address <usable IP address of a classfull network> <classful netmask><br />#ip default-network <classfull network number><br /><br />contoh:<br />#interface loopback 1 <br />if#ip address 8.8.8.9 255.0.0.0 <br />#ip default-network 8.0.0.0<br /><br />khusus untuk EIGRP, kita harus menambahkan command untuk mengadvertise ip tersebut agar disebarkan oleh EIGRP sebagai candidate default route. <br />eigrp#network <network number> <network mask><br /><br /><br />4.) ip summary address <br />konfigur per interface <br />#ip summary address eigrp <ASN> 0.0.0.0 0.0.0.0<br /><br /><br />sumber: Cisco Press<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7758318932195827641-825778671937257477?l=ianwijaya.blogspot.com' alt='' /></div>
<p><a href="http://feedads.g.doubleclick.net/~a/-j6M1Ca-fojwsj4uVW1h2hJ8qwA/0/da"><img src="http://feedads.g.doubleclick.net/~a/-j6M1Ca-fojwsj4uVW1h2hJ8qwA/0/di" border="0" ismap="true"></img></a><br/>
<a href="http://feedads.g.doubleclick.net/~a/-j6M1Ca-fojwsj4uVW1h2hJ8qwA/1/da"><img src="http://feedads.g.doubleclick.net/~a/-j6M1Ca-fojwsj4uVW1h2hJ8qwA/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/YangPentingJalan/~4/QSMxMJ70w48" height="1" width="1"/>Ian Wijayahttp://www.blogger.com/profile/16822956116107389067noreply@blogger.com0http://ianwijaya.blogspot.com/2011/12/distribusi-default-route.htmltag:blogger.com,1999:blog-7758318932195827641.post-35771572652003125682011-12-04T07:05:00.005+07:002011-12-04T08:56:23.223+07:002011-12-04T08:56:23.223+07:00Konfigurasi PPP Multilink diatas Frame Relay<a href="http://1.bp.blogspot.com/-n7ojOCeHJvE/TtrROsXeTHI/AAAAAAAAAIk/v_qaWf2zr5g/s1600/multilink.png"><img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 400px; height: 161px;" src="http://1.bp.blogspot.com/-n7ojOCeHJvE/TtrROsXeTHI/AAAAAAAAAIk/v_qaWf2zr5g/s400/multilink.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5682083930239290482" /></a><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br />Frame Relay merupakan Protocol Layer 2 yang tidak mendukung fitur authentikasi maupun link balancing. untungnya, PPP dapat menambal kekurangan tersebut. Dengan menggunakan PPP kita dapat menambahkan fitur authentikasi, kompresi, link management maupun link balancing (melalui multi link PPP). Seperti hal nya etherchannel, multilink dapat menggabungkan 2 link PPP atau lebih dan menjadikannya seolah menjadi 1 (logical) link. <br /><br />pada frame relay, kita tidak dapat menambahkan konfigurasi multilink pada physical interface, melainkan harus dalam "interface Virtual-Template". berikut contoh konfigurasi nya<br />(saya mengasumsikan frame relay telah berjalan dengan baik) <br /><br />!buat account untuk authentikasi chap <br />R1#username <neighbor-hostname> password <pass> <br /><br />!buat interface virtual-template <br />R1#interface Virtual-Template <id><br />R1-if#ip address <ip> <netmask><br />R1-if#ppp multilink <br />R1-if#ppp authentication chap <br /><br />R1#interface serial <if-id> <br />R1-if#encapsulation frame-relay <br />RF-if#frame-relay interface-dlci <dlci> ppp virtual-template <id><br /><br /><br />buat konfigurasi ini di router lain dengan perubahan seperlunya. <br /><br />verifikasi : <br />debug ppp auth <br />debug frame-relay lmi <br />sh ppp multilink <br />sh ip int br <br /><br /><br />kita juga dapat melakukan konfigurasi "interface multilink" layaknya konfigurasi multilink tanpa frame relay. kemudian kita harus mem-bundle interface virtual-template dan multilink dengan menambahkan: <br />R1-if(multilink & virtual template)#ppp multilink group <id><br /><br />bila menggunakan konfigurasi ini, lakukan semua konfigurasi: authentikasi, ip, kompresi dsb pada interface multilink.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7758318932195827641-3577157265200312568?l=ianwijaya.blogspot.com' alt='' /></div>
<p><a href="http://feedads.g.doubleclick.net/~a/F0f8xsxWIA1s3wlxKi6ZTYLPEjk/0/da"><img src="http://feedads.g.doubleclick.net/~a/F0f8xsxWIA1s3wlxKi6ZTYLPEjk/0/di" border="0" ismap="true"></img></a><br/>
<a href="http://feedads.g.doubleclick.net/~a/F0f8xsxWIA1s3wlxKi6ZTYLPEjk/1/da"><img src="http://feedads.g.doubleclick.net/~a/F0f8xsxWIA1s3wlxKi6ZTYLPEjk/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/YangPentingJalan/~4/OcTJwejZt5A" height="1" width="1"/>Ian Wijayahttp://www.blogger.com/profile/16822956116107389067noreply@blogger.com0http://ianwijaya.blogspot.com/2011/12/konfigurasi-ppp-multilink-diatas-frame.htmltag:blogger.com,1999:blog-7758318932195827641.post-65938244023148652722011-12-03T23:01:00.006+07:002011-12-03T23:39:08.040+07:002011-12-03T23:39:08.040+07:00Frame Relay Bridging<a href="http://2.bp.blogspot.com/-4XsjYz2spls/TtpKr9kKyqI/AAAAAAAAAIM/OR79gGPixXw/s1600/blog%2Bfr%2Bbridge.png"><img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 400px; height: 177px;" src="http://2.bp.blogspot.com/-4XsjYz2spls/TtpKr9kKyqI/AAAAAAAAAIM/OR79gGPixXw/s400/blog%2Bfr%2Bbridge.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5681935999002397346" /></a><br /><br /><br /><br /> <br /><br /> <br /><br /> <br /><br /> <br /><br />We can create 2 router interfaces as a bridge when using frame-relay to join 2 nodes/areas into the same network even though it is separated by many routers.<br /><br />we need to configure R1 and R2 to use bridge interface:<br /><br />3 first steps (i-p-r) <br /><br />R1#bridge Irb !enabling irb (integrated routing bridging) <br />R1#bridge <group id> Protocol ieee <br />R1#bridge <group id> route ip !IP will be routed in this bridge group <br /><br /><br /><br />Interface serial 0/0 is connected to frame relay switch <br />Interface Fa 0/0 R1 is connected to the local network which will be bridged to the network on fa 0/0 on R2<br /><br /><br />R1#interface fa0/0 <br />R1#bridge-group <group-id> <br />R1#no shut<br /><br />R1#interface ser0/0 <br />R1#no shut<br />R1#frame-relay map bridge <dlci-number> broadcast<br />R1#bridge-group <group ID><br /><br /><br />next step... place the ip address that was previously assigned to serial interface to the newly created Bridge Virtual Interface (BVI) <br /><br />R1#interface BVI <interface-id><br />R1-if#ip address <ip> <netmask><br /><br /><br />mirror this configuration to R2, with necessary changes. <br /><br />verification: <br />sh frame-relay map <br />sh ip int brief <br /><br />Source: CCIE RS Bootcamp p.30 (by Dedy Gunawan)<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7758318932195827641-6593824402314865272?l=ianwijaya.blogspot.com' alt='' /></div>
<p><a href="http://feedads.g.doubleclick.net/~a/FojWJLWgL-WVCpC_vHH53zRsrIc/0/da"><img src="http://feedads.g.doubleclick.net/~a/FojWJLWgL-WVCpC_vHH53zRsrIc/0/di" border="0" ismap="true"></img></a><br/>
<a href="http://feedads.g.doubleclick.net/~a/FojWJLWgL-WVCpC_vHH53zRsrIc/1/da"><img src="http://feedads.g.doubleclick.net/~a/FojWJLWgL-WVCpC_vHH53zRsrIc/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/YangPentingJalan/~4/FQL-O9qIxss" height="1" width="1"/>Ian Wijayahttp://www.blogger.com/profile/16822956116107389067noreply@blogger.com0http://ianwijaya.blogspot.com/2011/12/frame-relay-bridging.htmltag:blogger.com,1999:blog-7758318932195827641.post-45018633758750680982011-11-02T21:03:00.003+07:002011-11-02T21:11:38.609+07:002011-11-02T21:11:38.609+07:00Convert 14 bits format to 3-8-3 format Point Codethere are 2 kinds of point code format given by ITU. <br />1.) International Network [3 bits (Zone) -8 bits (Area/network) -3 bits (Point)]<br />2.) National Network (14 bits Signaling point) <br /><br />sometimes we need to convert the Point code in National Network format (14 bits) to International Format to determine the zone or area for a given point code. <br /><br />To convert it, simply convert the decimal value into 14 bits decimal then separate it by 3-8-3 format, then convert it back to decimal value and concatenate it . <br /><br />e.g <br />National Network PC: 2200 <br />then it will be : 00100010011000<br />separate it : 001 00010011 000 <br />convert to dec : 1 19 0<br />concat : 1190<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7758318932195827641-4501863375875068098?l=ianwijaya.blogspot.com' alt='' /></div>
<p><a href="http://feedads.g.doubleclick.net/~a/B-x4YG_ntVsIZR9bC0TDUQ3vks8/0/da"><img src="http://feedads.g.doubleclick.net/~a/B-x4YG_ntVsIZR9bC0TDUQ3vks8/0/di" border="0" ismap="true"></img></a><br/>
<a href="http://feedads.g.doubleclick.net/~a/B-x4YG_ntVsIZR9bC0TDUQ3vks8/1/da"><img src="http://feedads.g.doubleclick.net/~a/B-x4YG_ntVsIZR9bC0TDUQ3vks8/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/YangPentingJalan/~4/H547a_7eNaQ" height="1" width="1"/>Ian Wijayahttp://www.blogger.com/profile/16822956116107389067noreply@blogger.com0http://ianwijaya.blogspot.com/2011/11/convert-14-bits-format-to-3-8-3-format.htmltag:blogger.com,1999:blog-7758318932195827641.post-16368009988467588872011-10-31T17:09:00.012+07:002011-12-15T15:08:58.285+07:002011-12-15T15:08:58.285+07:00BGP - Outbound Route FilteringSometimes, customers want to filter several routes from their ISP. we can filter the incoming update from the customer standpoint, but it will not stop the SP's router to keep sending the update. It will be totally ineffecient.<br />To rectify this problem, We can configure Outbound Route Filtering (ORF) to tell the neighboring router that we are filtering those routes so<br />"please stop sending unnecessary updates to us"<br /><br /><a href="http://1.bp.blogspot.com/-MivEllxc9zw/Tq6E7O90ULI/AAAAAAAAAH0/6mbeWr_sTWQ/s1600/bgp-orf.png"><img style="MARGIN: 0px 10px 10px 0px; WIDTH: 400px; FLOAT: left; HEIGHT: 123px; CURSOR: hand" id="BLOGGER_PHOTO_ID_5669615134070558898" border="0" alt="" src="http://1.bp.blogspot.com/-MivEllxc9zw/Tq6E7O90ULI/AAAAAAAAAH0/6mbeWr_sTWQ/s400/bgp-orf.png" /></a><br /><br /><br /><br /><br /><br /><br /><br />R3<br />!<br />router bgp 100<br />router#no synchronization<br />router#bgp log-neighbor-changes<br />router#neighbor 192.168.1.2 remote-as 200<br />router#neighbor 192.168.1.2 soft-reconfiguration inbound<br />router#no auto-summary<br />!<br /><br /><br />R4<br />!<br />router bgp 200<br />router#no synchronization<br />router#bgp log-neighbor-changes<br />router#network 10.1.2.0 mask 255.255.255.0<br />router#network 172.16.2.0 mask 255.255.255.0<br />router#network 192.168.2.0<br />router#neighbor 192.168.1.1 remote-as 100<br />router#no auto-summary<br />!<br /><br /><br /><br /><a href="http://1.bp.blogspot.com/-keAvyhwZcbQ/Tq6E7SO7PtI/AAAAAAAAAIA/Up0D4H5cxp4/s1600/R4-adv-route-b4.png"><img style="MARGIN: 0px 10px 10px 0px; WIDTH: 400px; FLOAT: left; HEIGHT: 106px; CURSOR: hand" id="BLOGGER_PHOTO_ID_5669615134947622610" border="0" alt="" src="http://1.bp.blogspot.com/-keAvyhwZcbQ/Tq6E7SO7PtI/AAAAAAAAAIA/Up0D4H5cxp4/s400/R4-adv-route-b4.png" /></a><br /><br /><br /><br /><br /><br /><br /><br />R3<br />!<br />ip prefix-list eliminate-route seq 10 permit 10.1.2.0/24<br />router bgp 100<br />router#neighbor 192.168.1.2 capability orf prefix-list send<br />router#neighbor 192.168.1.2 prefix-list eliminate-route in<br />!<br />R4<br />!<br />router bgp 200<br />router#neighbor 192.168.1.1 capability orf prefix-list receive<br />!<br /><br /><br /><a href="http://1.bp.blogspot.com/-FsaCc3S4LOQ/Tq6E6uSmzFI/AAAAAAAAAHo/xAAzicOkvNc/s1600/advertised%2Broute%2B2.png"><img style="MARGIN: 0px 10px 10px 0px; WIDTH: 400px; FLOAT: left; HEIGHT: 103px; CURSOR: hand" id="BLOGGER_PHOTO_ID_5669615125299383378" border="0" alt="" src="http://1.bp.blogspot.com/-FsaCc3S4LOQ/Tq6E6uSmzFI/AAAAAAAAAHo/xAAzicOkvNc/s400/advertised%2Broute%2B2.png" /></a><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7758318932195827641-1636800998846758887?l=ianwijaya.blogspot.com' alt='' /></div>
<p><a href="http://feedads.g.doubleclick.net/~a/aQW1oipLfeAMwNLF08Jhg1mRtKk/0/da"><img src="http://feedads.g.doubleclick.net/~a/aQW1oipLfeAMwNLF08Jhg1mRtKk/0/di" border="0" ismap="true"></img></a><br/>
<a href="http://feedads.g.doubleclick.net/~a/aQW1oipLfeAMwNLF08Jhg1mRtKk/1/da"><img src="http://feedads.g.doubleclick.net/~a/aQW1oipLfeAMwNLF08Jhg1mRtKk/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/YangPentingJalan/~4/JJbjX-AWMck" height="1" width="1"/>Ian Wijayahttp://www.blogger.com/profile/16822956116107389067noreply@blogger.com0http://ianwijaya.blogspot.com/2011/10/outbound-route-filtering.htmltag:blogger.com,1999:blog-7758318932195827641.post-72972247524049653092011-10-31T13:10:00.006+07:002011-10-31T13:17:43.947+07:002011-10-31T13:17:43.947+07:00eBGP disable-connected-checkBy default, eBGP will check if the neighbor IP address is directly connected (TTL=1). when the neighbor statement is using loopback interface, the eBGP peering will not form. to disable this check we need to add 1 of this 2 configurations: <br /><br />-neighbor <addr> disable-connected-check <br />-neighbor <addr> ebgp-multihop <ttl><br /><br />!with TTL > 1 <br /><br />source: http://neatherweb.com/index.php?option=com_content&view=article&id=21:bgp-disable-connected-check&catid=8:ccie&Itemid=13<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7758318932195827641-7297224752404965309?l=ianwijaya.blogspot.com' alt='' /></div>
<p><a href="http://feedads.g.doubleclick.net/~a/fM1mddFtv_-iaj7KWo_szvYanBk/0/da"><img src="http://feedads.g.doubleclick.net/~a/fM1mddFtv_-iaj7KWo_szvYanBk/0/di" border="0" ismap="true"></img></a><br/>
<a href="http://feedads.g.doubleclick.net/~a/fM1mddFtv_-iaj7KWo_szvYanBk/1/da"><img src="http://feedads.g.doubleclick.net/~a/fM1mddFtv_-iaj7KWo_szvYanBk/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/YangPentingJalan/~4/FmlNAATCr4s" height="1" width="1"/>Ian Wijayahttp://www.blogger.com/profile/16822956116107389067noreply@blogger.com0http://ianwijaya.blogspot.com/2011/10/ebgp-disable-connected-check.htmltag:blogger.com,1999:blog-7758318932195827641.post-26778891667463130572011-10-29T13:59:00.004+07:002011-10-29T14:04:40.468+07:002011-10-29T14:04:40.468+07:00Q-in-Qsource : http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/guide/dot1qtnl.html<br /><br />802.1Q tunneling enables service providers to use a single VLAN to support customers who have multiple VLANs, while preserving customer VLAN IDs and keeping traffic in different customer VLANs segregated.<br /><br />The link between the 802.1Q trunk port on a customer device and the tunnel port is called an asymmetrical link because one end is configured as an 802.1Q trunk port and the other end is configured as a tunnel port. You assign the tunnel port to an access VLAN ID unique to each customer.<br /><br />another words:<br />CE (Trunk) ----- (dot1q-tunnel-if (access vlan)PE)<br /><br />simply add:<br />interface#switchport mode dot1q-tunnel<br /><br />verification:<br />#sh dot1q-tunnel interface<br /><br />native vlan can't be tagged correctly through this tunnel interface. either use ISL (i.e doesn't support native vlan) or configure:<br /><br />global#vlan dot1q tag native<br />to tag native VLAN egress traffic and drop untagged native VLAN ingress traffic.<br /><br />-Jumbo frames can be tunneled as long as the jumbo frame length combined with the 802.1Q tag does not exceed the maximum frame size.<br />-L3 and higher protocol can't be identified<br />-CDP "native vlan mismatch" can be ignored<br />-can't be configured to support private vlan<br />-PortFast BPDU filtering is enabled automatically on tunnel ports.<br />-CDP is automatically disabled on tunnel ports. <br />-VLAN Trunk Protocol (VTP) does not work between the following devices:<br /> --Devices connected by an asymmetrical link <br /> --Devices communicating through a tunnel<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7758318932195827641-2677889166746313057?l=ianwijaya.blogspot.com' alt='' /></div>
<p><a href="http://feedads.g.doubleclick.net/~a/IJZBCFFqCVdbDTgZpBaj1blGcTs/0/da"><img src="http://feedads.g.doubleclick.net/~a/IJZBCFFqCVdbDTgZpBaj1blGcTs/0/di" border="0" ismap="true"></img></a><br/>
<a href="http://feedads.g.doubleclick.net/~a/IJZBCFFqCVdbDTgZpBaj1blGcTs/1/da"><img src="http://feedads.g.doubleclick.net/~a/IJZBCFFqCVdbDTgZpBaj1blGcTs/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/YangPentingJalan/~4/Wbc3jHBmxbQ" height="1" width="1"/>Ian Wijayahttp://www.blogger.com/profile/16822956116107389067noreply@blogger.com0http://ianwijaya.blogspot.com/2011/10/q-in-q.htmltag:blogger.com,1999:blog-7758318932195827641.post-64401677738972275022011-10-10T11:51:00.009+07:002011-10-10T12:30:39.111+07:002011-10-10T12:30:39.111+07:00VRF (lite)<blockquote>From a design perspective, Multi-VRF CE feature gives the provider better choices about platforms, and where to put the relatively large workload required by a PE. A multitenant unit (MTU) design is a classic example, where the SP puts a single Layer 3 device in a building with multiple customers. <span style="font-weight:bold;">The SP engineers could just make the CPE device act as PE. However, by making the CPE router act as CE, but with using Multi-VRF CE, the SP can easily separate customers at Layer 3, while avoiding the investment in a more powerful Layer 3 CPE platform to support full PE functionality.</span></blockquote><br /><br /><a href="http://2.bp.blogspot.com/-bscX4Qr1J5o/TpJ8JpijsSI/AAAAAAAAAFg/LvvDLTB73OY/s1600/vrf-lite.png" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 215px;" src="http://2.bp.blogspot.com/-bscX4Qr1J5o/TpJ8JpijsSI/AAAAAAAAAFg/LvvDLTB73OY/s400/vrf-lite.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5661724186769600802" /></a><br /><br /><span style="font-size:85%;"><span style="font-family:courier new;">R1#<br />version 12.4<br />!<br />hostname R1<br />!<br />ip cef<br />!<br />ip vrf cusA<br />rd 1:1<br />route-target export 1:1<br />route-target import 1:1<br />!<br />ip vrf cusB<br />rd 2:2<br />route-target export 2:2<br />route-target import 2:2<br />!<br />interface Loopback1<br />ip vrf forwarding cusA<br />ip address 192.168.1.1 255.255.255.0<br />!<br />interface Loopback2<br />ip vrf forwarding cusB<br />ip address 192.168.1.1 255.255.255.0<br />!<br />interface Serial1/0<br />no ip address<br />encapsulation frame-relay<br />no keepalive<br />serial restart-delay 0<br />clock rate 128000<br />no dce-terminal-timing-enable<br />!<br />interface Serial1/0.10 point-to-point<br />ip vrf forwarding cusA<br />ip address 202.1.1.5 255.255.255.252<br />frame-relay interface-dlci 101<br />!<br />interface Serial1/0.20 point-to-point<br />ip vrf forwarding cusB<br />ip address 202.1.1.1 255.255.255.252<br />frame-relay interface-dlci 202<br />!<br />router eigrp 5000<br />auto-summary<br />!<br />address-family ipv4 vrf cusB<br />network 192.168.1.0<br />network 202.1.1.0 0.0.0.3<br />no auto-summary<br />autonomous-system 200<br />exit-address-family<br />!<br />address-family ipv4 vrf cusA<br />network 192.168.1.0<br />network 202.1.1.4 0.0.0.3<br />no auto-summary<br />autonomous-system 100<br />exit-address-family<br />!<br /><br />R2#sh run<br />!<br />version 12.4<br />!<br />hostname R2<br />!<br />ip cef<br />!<br />ip vrf cusA<br />rd 1:1<br />route-target export 1:1<br />route-target import 1:1<br />!<br />ip vrf cusB<br />rd 2:2<br />route-target export 2:2<br />route-target import 2:2<br />!<br />interface Loopback1<br />ip vrf forwarding cusA<br />ip address 192.168.2.1 255.255.255.0<br />!<br />interface Loopback2<br />ip vrf forwarding cusB<br />ip address 192.168.3.1 255.255.255.0<br />!<br />interface Serial1/0<br />no ip address<br />encapsulation frame-relay<br />no keepalive<br />serial restart-delay 0<br />clock rate 128000<br />no dce-terminal-timing-enable<br />!<br />interface Serial1/0.10 point-to-point<br />ip vrf forwarding cusA<br />ip address 202.1.1.6 255.255.255.252<br />frame-relay interface-dlci 101<br />!<br />interface Serial1/0.20 point-to-point<br />ip vrf forwarding cusB<br />ip address 202.1.1.2 255.255.255.252<br />frame-relay interface-dlci 202<br />!<br />router eigrp 4000<br />auto-summary<br />!<br />address-family ipv4 vrf cusB<br />network 192.168.3.0<br />network 202.1.1.0 0.0.0.3<br />no auto-summary<br />autonomous-system 200<br />exit-address-family<br />!<br />address-family ipv4 vrf cusA<br />network 192.168.2.0<br />network 202.1.1.4 0.0.0.3<br />no auto-summary<br />autonomous-system 100<br />exit-address-family<br />!</span></span><br /><br /><br /><br /><a href="http://4.bp.blogspot.com/-hOHFQaEzgWA/TpJ_YQdGzqI/AAAAAAAAAFo/rvqGAh4eaE4/s1600/eigrp%2BcusA.png" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"><img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 400px; height: 135px;" src="http://4.bp.blogspot.com/-hOHFQaEzgWA/TpJ_YQdGzqI/AAAAAAAAAFo/rvqGAh4eaE4/s400/eigrp%2BcusA.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5661727736268770978" /></a><br /><br /><a href="http://1.bp.blogspot.com/-w2q9brUeEv8/TpKCW6w9wvI/AAAAAAAAAGI/8U1y5yXpj9o/s1600/vrf%2Bip%2Broute.png" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"><img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 400px; height: 337px;" src="http://1.bp.blogspot.com/-w2q9brUeEv8/TpKCW6w9wvI/AAAAAAAAAGI/8U1y5yXpj9o/s400/vrf%2Bip%2Broute.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5661731011801498354" /></a><br /><br /><a href="http://1.bp.blogspot.com/-dTgJ2nziZ9s/TpKCXCBUvMI/AAAAAAAAAGQ/WW7nOhhKIHc/s1600/ping%2Btest%2Bvrf.png" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"><img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 400px; height: 199px;" src="http://1.bp.blogspot.com/-dTgJ2nziZ9s/TpKCXCBUvMI/AAAAAAAAAGQ/WW7nOhhKIHc/s400/ping%2Btest%2Bvrf.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5661731013749161154" /></a><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7758318932195827641-6440167773897227502?l=ianwijaya.blogspot.com' alt='' /></div>
<p><a href="http://feedads.g.doubleclick.net/~a/b9clqOb9BB5NmnGV3zcJYW5km9M/0/da"><img src="http://feedads.g.doubleclick.net/~a/b9clqOb9BB5NmnGV3zcJYW5km9M/0/di" border="0" ismap="true"></img></a><br/>
<a href="http://feedads.g.doubleclick.net/~a/b9clqOb9BB5NmnGV3zcJYW5km9M/1/da"><img src="http://feedads.g.doubleclick.net/~a/b9clqOb9BB5NmnGV3zcJYW5km9M/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/YangPentingJalan/~4/YtxijnFgBKI" height="1" width="1"/>Ian Wijayahttp://www.blogger.com/profile/16822956116107389067noreply@blogger.com0http://ianwijaya.blogspot.com/2011/10/vrf-lite.htmltag:blogger.com,1999:blog-7758318932195827641.post-66292550235275225572011-09-22T14:47:00.007+07:002011-12-15T15:09:43.077+07:002011-12-15T15:09:43.077+07:00AS-set Attribute<blockquote>when the as-set option has been configured, the router creates an AS_SET segment for the aggregate route, BUT ONLY IF THE SUMMARY ROUTE'S AS_SEQ IS NULL. AS_SEQ will be null if aggregator can't create an accurate representation of AS_SEQ, due to differing AS_SEQ values of it's component route.<br /></blockquote><br /><br /><br />in fact, if there are 2 routes with different length of AS_SEQ, but they have same AS_SEQ until the short's last ASN, the router will use the longest AS_SEQ values.<br /><br /><a href="http://2.bp.blogspot.com/-s8Mu6vNwidk/TnrtkdaEwdI/AAAAAAAAAFI/ogF_MfrZfFg/s1600/bgp-as-set.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 224px;" src="http://2.bp.blogspot.com/-s8Mu6vNwidk/TnrtkdaEwdI/AAAAAAAAAFI/ogF_MfrZfFg/s400/bgp-as-set.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5655093492742144466" /></a><br /><br />R2#router bgp 500<br />no synchronization<br />bgp log-neighbor-changes<br />aggregate-address 10.1.0.0 255.255.0.0 as-set<br />redistribute connected<br />neighbor 192.168.1.2 remote-as 242<br />neighbor 192.168.1.5 remote-as 90<br />neighbor 192.168.1.10 remote-as 258<br />neighbor 192.168.1.10 shutdown<br />no auto-summary<br />!<br /><br /><a href="http://3.bp.blogspot.com/-esgTVDGfeBM/TnrtkkXILZI/AAAAAAAAAFQ/j6sALcH32EQ/s1600/r1.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 235px;" src="http://3.bp.blogspot.com/-esgTVDGfeBM/TnrtkkXILZI/AAAAAAAAAFQ/j6sALcH32EQ/s400/r1.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5655093494608833938" /></a><br /><br /><br /><br /><br />R2#no neighbor 192.168.1.10 shutdown<br /><br /><a href="http://3.bp.blogspot.com/-OREEnqusdyY/Tnrtk6Q3sDI/AAAAAAAAAFY/HMGAXAEIpr4/s1600/r1-2.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 235px;" src="http://3.bp.blogspot.com/-OREEnqusdyY/Tnrtk6Q3sDI/AAAAAAAAAFY/HMGAXAEIpr4/s400/r1-2.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5655093500488167474" /></a><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7758318932195827641-6629255023527522557?l=ianwijaya.blogspot.com' alt='' /></div>
<p><a href="http://feedads.g.doubleclick.net/~a/B4MltKHjWxL2-TL8K-2gjUKROBI/0/da"><img src="http://feedads.g.doubleclick.net/~a/B4MltKHjWxL2-TL8K-2gjUKROBI/0/di" border="0" ismap="true"></img></a><br/>
<a href="http://feedads.g.doubleclick.net/~a/B4MltKHjWxL2-TL8K-2gjUKROBI/1/da"><img src="http://feedads.g.doubleclick.net/~a/B4MltKHjWxL2-TL8K-2gjUKROBI/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/YangPentingJalan/~4/dGUvrcG2B9g" height="1" width="1"/>Ian Wijayahttp://www.blogger.com/profile/16822956116107389067noreply@blogger.com1http://ianwijaya.blogspot.com/2011/09/as-set-attribute.html