Cisco SNMP Object Navigator
SNMP Object Navigator
http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en
1.3.6.1.2.1.1
iso.org.dod.internet.mgmt.mib-2.system
Under Video > Understanding the Cisco Documentation link
http://www.ine.com/resources/01700358.htm
http://www.ine.com/resources/ccie-rfcs.htm
Below is the Cisco document link:
http://www.cisco.com/cisco/web/psa/default.html?mode=prod
Products > Cisco IOS and NX-OS Software
Switches
Security > Firewall
Then select Master Index, Command Reference, or Configuration Guides (this link is good).
We had a project where our vessels would be in dock for a couple of months. We would lower the VSAT connection to 64K or 128K, but even a 64K VSAT is a few thousand per month. We worked with a vendor and installed a WiFi antenna on the vessel and another antenna in our dock office. We wanted the cutover to be near seamless – without having to do a lot of work each time a vessel would enter and leave the dock. Many times they may just leave dock for the afternoon to test something, and then return within the same day.
So we use the track command to detect whether we can ping the 10.115.11.x address or not.
We need the tunnel because if we simply entered this route on the Data Center MPLS router:
ip route 10.0.192.0 255.255.255.0 2.2.2.1
(2.2.2.1 being the default gateway IP address of the MPLS router), it would fail. Because we currently do not have BGP routing configured on our MPLS core network, the VZ routers would not know how to forward packets for 10.0.192.0/24.
Without the tunnel, each time the vessel leaves or returns to dock we would need to contact VZ and have them add or remove a static route. This process can take up to 4 hours to complete.
The tunnel points to the dock office’s MPLS router, whose address is fixed, so the Data Center router always knows how to reach it.
In addition, there is a route map on the vessel router. This route map forces the pings to use the WiMAX connection; without the route map, the pings could go over the VSAT connection.
10.115.11.1
10.115.11.2 Dock Office Internal RT
10.115.11.3
10.115.11.4 Vessel router
From the vessel router, it is pinging 10.115.11.2
From the Dock Office Internal router, it is pinging 10.115.11.4
From the Dock Office MPLS router, it is pinging 10.115.11.4
From the Data Center MPLS router, it is pinging 10.115.11.4
On the Vessel router:
interface FastEthernet0/0.200
 description Wireless-link
 encapsulation dot1Q 200
 ip address 10.115.11.4 255.255.255.0
 ip flow ingress
!
track 123 ip sla 1 reachability
!
ip local policy route-map MY-LOCAL-POLICY
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.115.11.2 track 123
ip route 0.0.0.0 0.0.0.0 10.0.92.25 254
!
ip sla 1
 icmp-echo 10.115.11.2
 threshold 2
 frequency 5
ip sla schedule 1 life forever start-time now
!
access-list 101 permit icmp host 10.115.11.4 host 10.115.11.2 echo
!
route-map MY-LOCAL-POLICY permit 10
 match ip address 101
 set ip next-hop 10.115.11.2
 set interface Null0
On the Dock Office Internal router:
track 123 ip sla 1 reachability
!
interface FastEthernet2/0
 description WiFi Connection
 ip address 10.115.11.2 255.255.255.0
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 10.0.192.0 255.255.255.0 10.115.11.4 track 123
ip route 0.0.0.0 0.0.0.0 10.0.8.1
!
ip sla 1
 icmp-echo 10.115.11.4
 threshold 2
 frequency 5
ip sla schedule 1 life forever start-time now
On the Dock Office MPLS router:
track 123 ip sla 1 reachability
!
interface Tunnel1
 ip address 192.168.200.2 255.255.255.252
 tunnel source 1.1.1.1
 tunnel destination 2.2.2.2
!
ip route 10.0.192.0 255.255.255.0 10.115.11.4 track 123
ip route 10.0.0.0 255.0.0.0 Multilink123
!
ip sla 1
 icmp-echo 10.115.11.4
 threshold 2
 frequency 5
ip sla schedule 1 life forever start-time now
On the Data Center MPLS router:
track 123 ip sla 1 reachability
!
interface Tunnel1
 ip address 192.168.200.1 255.255.255.252
 tunnel source 2.2.2.2
 tunnel destination 1.1.1.1
!
ip route 10.0.192.0 255.255.255.0 192.168.200.2 track 123
ip route 10.0.192.0 255.255.255.0 10.5.155.3 254
!
ip sla 1
 icmp-echo 10.115.11.4
 threshold 2
 frequency 5
ip sla schedule 1 life forever start-time now
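The vessel-side failover above rests on three pieces working together: the tracked static default over WiFi, the floating (AD 254) default over VSAT, and the local policy route-map that pins the IP SLA probe to the WiFi next hop. The following simplified model, added here as an illustration and not the page's or the author's configuration, shows why the route-map matters: with the probe free to follow the routing table, a WiFi outage lets the echo succeed over VSAT, the track flaps, and the WiFi default route is reinstalled over a dead link. The addresses are the page's; the "dock office is reachable over VSAT/MPLS" assumption, the probe cycle count, and the model's simplification that a tracked static is installed whenever its track is up (no next-hop resolution) are mine.

```python
"""Simplified model of the vessel router's failover logic (added example, not the
page's own configuration): a tracked static default over WiFi, a floating AD-254
default over VSAT, an IP SLA reachability probe, and the local policy route-map
that pins that probe to the WiFi next hop.  Addresses are the page's; the
'dock office reachable over VSAT' assumption and the cycle count are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

DOCK_INTERNAL_IP = "10.115.11.2"   # target of 'ip sla 1' icmp-echo
VSAT_NEXT_HOP = "10.0.92.25"       # next hop of the AD-254 floating default
WIFI_SUBNET = "10.115.11.0/24"     # connected subnet of FastEthernet0/0.200


@dataclass
class Route:
    prefix: str
    next_hop: str
    egress: str                    # "wifi" or "vsat"
    ad: int = 1                    # administrative distance
    track: Optional[int] = None    # 'track 123' object the route depends on


class VesselRouter:
    def __init__(self, local_policy: bool):
        # local_policy mirrors 'ip local policy route-map MY-LOCAL-POLICY'
        self.local_policy = local_policy
        self.wifi_up = True
        self.tracks = {123: "up"}
        self.statics = [
            Route("0.0.0.0/0", DOCK_INTERNAL_IP, "wifi", ad=1, track=123),
            Route("0.0.0.0/0", VSAT_NEXT_HOP, "vsat", ad=254),
        ]

    def rib(self):
        """Installed routes: the connected route needs the interface up and a
        tracked static needs its track object up.  The model deliberately does
        not check next-hop resolution, which is what makes a false 'up' harmful."""
        routes = []
        if self.wifi_up:
            routes.append(Route(WIFI_SUBNET, "connected", "wifi", ad=0))
        routes += [r for r in self.statics
                   if r.track is None or self.tracks[r.track] == "up"]
        return routes

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest prefix match, ties broken by lowest administrative distance."""
        addr = ip_address(dst)
        cands = [r for r in self.rib() if addr in ip_network(r.prefix)]
        if not cands:
            return None
        return min(cands, key=lambda r: (-ip_network(r.prefix).prefixlen, r.ad))

    def probe_egress(self) -> str:
        """Where the router-originated icmp-echo to 10.115.11.2 is sent."""
        if self.local_policy:
            # In this model 'set ip next-hop 10.115.11.2' applies only while that
            # next hop sits on an up connected link; otherwise the policy falls
            # through to 'set interface Null0' and the echo is dropped.
            return "wifi" if self.wifi_up else "Null0"
        r = self.lookup(DOCK_INTERNAL_IP)      # plain table lookup, like any other packet
        return r.egress if r else "Null0"

    def run_probe(self, dock_reachable_via_vsat: bool = True) -> str:
        """One IP SLA cycle: send the echo, update track 123, return its state."""
        egress = self.probe_egress()
        if egress == "wifi":
            ok = self.wifi_up
        elif egress == "vsat":
            ok = dock_reachable_via_vsat   # assumption: dock LAN is reachable via VSAT/MPLS
        else:
            ok = False                     # Null0 drops the echo
        self.tracks[123] = "up" if ok else "down"
        return self.tracks[123]


def simulate_wifi_outage(local_policy: bool, cycles: int = 4):
    """Drop the WiFi link, run a few probe cycles, then report the track history
    and the egress chosen for ordinary traffic (10.0.8.1 is an address from the
    page, used here only as a sample destination behind the default route)."""
    router = VesselRouter(local_policy)
    router.wifi_up = False
    history = [router.run_probe() for _ in range(cycles)]
    chosen = router.lookup("10.0.8.1")
    return history, chosen.egress


if __name__ == "__main__":
    print("with local policy:   ", simulate_wifi_outage(True))
    print("without local policy:", simulate_wifi_outage(False))
```

With the local policy the track stays down for the whole outage and user traffic correctly follows the VSAT default; without it the track alternates between down and up every cycle, and on the "up" cycles the WiFi default is reinstalled even though the link is dead. The same false-positive risk applies to the dock-side and data-center probes, which is why each end tracks the far end rather than trusting its own link state.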
The command below lets you specify the DNS servers for DHCP clients on the DMZ30 interface. With the “interface” keyword you can hand out different DNS servers on different interfaces. Now I am waiting for the ASA to support assigning static IP addresses based on MAC address, like Cisco IOS does…
dhcpd address 10.1.1.50-10.1.1.99 DMZ30
dhcpd dns 4.2.2.2 4.2.2.3 interface DMZ30
dhcpd enable DMZ30
I’ve always wondered how a reverse proxy sanitizes web requests. There are a couple of layers:
You can whitelist, blacklist, or both on certain key terms.
But I think the bigger item is that many exploits rely on flaws in the web server, i.e. buffer overflows and other privilege escalation methods, that cannot be executed on the proxy or cannot be forwarded to the server. Even if your proxy is vulnerable to the exploit, it is the proxy server that gets compromised, not your web server. Also, reverse proxies are often hardened Linux kernels, so they are lightweight and do not support many features.
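The two layers described above, an allowlist or denylist on key terms plus keeping malformed input away from the origin server, can be sketched in a few dozen lines. The screening function below is an added example, not code from the page or from any particular proxy product: it allowlists methods and normalized path prefixes, caps path and header sizes so oversized input never reaches the origin's parser, and keeps a short denylist as a backstop. The application paths, size limits and sample requests are constructed.

```python
"""Request screening of the kind a reverse proxy does in front of an origin server:
an allowlist of methods and normalized path prefixes, size limits on the path and
headers, and a small denylist of key terms as a backstop.  Added example, not code
from the page; the application paths, limits and sample requests are constructed."""
import posixpath
import re
from urllib.parse import unquote

ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ALLOWED_PREFIXES = ("/app/", "/static/")     # constructed: paths the origin really serves
MAX_PATH_LEN = 1024                           # constructed limits; oversized input is
MAX_HEADER_LEN = 4096                         # rejected here, never parsed by the origin
DENY_TERMS = ("<script", "\x00")              # backstop only; see normalize_path


def normalize_path(raw_path: str) -> str:
    """Decode percent-encoding (twice, to fold double encoding), collapse repeated
    slashes and dot segments, so the allowlist is applied to what the origin would
    actually see rather than to the requester's spelling of it."""
    path = unquote(unquote(raw_path.split("?", 1)[0]))
    path = re.sub(r"/+", "/", path)
    return posixpath.normpath(path) if path else "/"


def check_request(method: str, raw_path: str, headers: dict) -> tuple:
    """Return (allowed, reason).  Order matters: cheap structural checks first,
    then the allowlist on the normalized path, then the denylist on the decoded
    path and query string."""
    if method.upper() not in ALLOWED_METHODS:
        return False, "method not allowed"
    if len(raw_path) > MAX_PATH_LEN:
        return False, "path too long"
    for name, value in headers.items():
        if len(value) > MAX_HEADER_LEN:
            return False, f"header {name} too long"
    path = normalize_path(raw_path)
    if not any(path == p.rstrip("/") or path.startswith(p) for p in ALLOWED_PREFIXES):
        return False, f"path {path!r} outside allowlist"
    decoded = unquote(unquote(raw_path)).lower()
    for term in DENY_TERMS:
        if term in decoded:
            return False, f"denylisted term {term!r}"
    return True, "ok"


# Constructed sample requests: (method, path, headers)
SAMPLES = [
    ("GET", "/app/index.html", {}),
    ("GET", "/app/%2e%2e/etc/passwd", {}),           # dot segments, single encoding
    ("GET", "/app/%252e%252e/etc/passwd", {}),       # same, double encoded
    ("TRACE", "/app/", {}),                          # method outside the allowlist
    ("GET", "/app/search?q=%3Cscript%3E", {}),       # denylisted term in the query
    ("GET", "/static/logo.png", {"Cookie": "x" * 5000}),  # header beyond the size cap
]


def screen_all(samples=SAMPLES):
    """Allowed/denied verdict for each sample, in order."""
    return [check_request(*s)[0] for s in samples]


if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[0], sample[1][:40], "->", check_request(*sample))
```

The denylist only catches the spellings it knows about, which is why it comes last and stays short; the decode-then-normalize-then-allowlist path is what does the real work, because it compares the request the origin would actually process against the set of paths the origin is meant to serve. The size caps are the cheapest realization of the point made above: a request that would exercise a length-handling flaw in the origin is refused by the proxy before it is forwarded.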
If you need to lower the power of the radio antenna, use the power local command. This can be handy if you’re in a multi-tenant building and want to limit the wireless bleed to other floors.
int dot11Radio 0
power local ?
  <-1 - 20>  One of: -1 2 5 8 11 14 17 20
  maximum    Set power to allowed maximum
The other day, we converted one of our MPLS offices to BGP. This lets us advertise which subnets this office can route. In the past, we had to call the provider and wait any time we added a new subnet. I don’t really have a good IP scheme.
router bgp 105
 no synchronization
 bgp log-neighbor-changes
 redistribute connected
 redistribute static
 neighbor 1.1.1.2 remote-as 65000
 neighbor 1.1.1.2 ebgp-multihop 255
 no auto-summary
!
no ip route 10.0.0.0 255.0.0.0 1.1.1.2
no ip route 10.0.177.0 255.255.255.0 1.1.1.2
Synchronization is disabled by default in IOS 12.2(8)T and later.
ebgp-multihop command: by default, an eBGP neighbor relationship can only be formed with a directly connected peer. We use ebgp-multihop to allow neighbors that are not directly connected to form a relationship; the 255 is the maximum hop count (the TTL placed on the BGP packets).
no auto-summary: keeps BGP from summarizing the redistributed subnets to their classful network boundaries, so it advertises the classless (subnet) routes as they are.
Finally, remove all the static routes, allowing the router to use the BGP routes instead.
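To make the three notes concrete, the following added example (not the page's own configuration) models what each command changes: what auto-summary would do to the redistributed subnets, the TTL rule that ebgp-multihop relaxes, and the administrative-distance reason the static routes had to be removed. 10.0.177.0/24 and the 1.1.1.2 neighbor come from the page; the other prefixes in the sample routing table are constructed.

```python
"""What the BGP notes mean in practice: classful auto-summary of redistributed
routes, the eBGP TTL rule behind ebgp-multihop, and why the static routes had to
go (administrative distance).  Added example, not the page's configuration;
10.0.177.0/24 and neighbor 1.1.1.2 are the page's, other prefixes are constructed."""
from ipaddress import ip_network

# IOS default administrative distances for the route sources used here
ADMIN_DISTANCE = {"connected": 0, "static": 1, "ebgp": 20}


def classful_network(prefix: str) -> str:
    """Classful (A/B/C) network containing the prefix, i.e. what 'auto-summary'
    turns a redistributed subnet into (IPv4 only)."""
    net = ip_network(prefix, strict=False)
    first_octet = int(net.network_address) >> 24
    length = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return str(ip_network((net.network_address, length), strict=False))


def bgp_advertisements(local_routes, auto_summary: bool) -> set:
    """Prefixes that 'redistribute connected' / 'redistribute static' hand to BGP.
    local_routes: iterable of (prefix, source); other sources are ignored because
    the page's config redistributes only connected and static routes."""
    adv = set()
    for prefix, source in local_routes:
        if source not in ("connected", "static"):
            continue
        adv.add(classful_network(prefix) if auto_summary
                else str(ip_network(prefix, strict=False)))
    return adv


def ebgp_session_forms(hops_to_peer: int, multihop_ttl: int = 1) -> bool:
    """eBGP packets carry TTL 1 unless 'neighbor ... ebgp-multihop N' raises it
    to N, so the session can only form if the peer is within that many hops."""
    return 1 <= hops_to_peer <= multihop_ttl


def installed_route(candidates):
    """Among routes for one prefix learned from different sources the lowest
    administrative distance wins; candidates: list of (prefix, source)."""
    return min(candidates, key=lambda c: ADMIN_DISTANCE[c[1]])


# Constructed office routing table: 10.0.177.0/24 is on the page, the rest is made up
OFFICE_ROUTES = [
    ("10.0.177.0/24", "connected"),
    ("10.0.178.0/24", "static"),
    ("1.1.1.0/30", "connected"),      # link to the provider; 1.1.1.2 is the page's neighbor
    ("10.0.0.0/8", "ebgp"),           # learned from the provider, not redistributed
]

if __name__ == "__main__":
    print("auto-summary:   ", sorted(bgp_advertisements(OFFICE_ROUTES, True)))
    print("no auto-summary:", sorted(bgp_advertisements(OFFICE_ROUTES, False)))
    print("static kept:    ", installed_route([("10.0.0.0/8", "static"), ("10.0.0.0/8", "ebgp")]))
```

The auto-summary case is the one worth noticing from a risk standpoint: with it enabled, this small office would announce 10.0.0.0/8 to the provider, attracting traffic for every 10.x subnet in the company, rather than only the /24s it actually hosts. The installed_route check shows why the "no ip route" lines are not optional: a static route (AD 1) for the same prefix silently outranks the eBGP route (AD 20), so the BGP routes are never used until the statics are gone.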