• QOS
router(config)#class-map match-any voip_transport
router(config-cmap)# match access-group name qos_voip_transport
router(config-cmap)# match access-group name qos_voip_signalling
router(config-cmap)#class-map match-any critical_apps
router(config-cmap)# match access-group name qos_apps_sap
!
router(config-cmap)#policy-map apple_out
router(config-pmap)# class voip_transport
router(config-pmap-c)# priority percent 64
router(config-pmap-c)# class critical_apps
router(config-pmap-c)# bandwidth percent 10
!
router(config)#int atm0/x
router(config-subif)# pvc location_to 2/105
router(config-if-atm-vc)#service-policy output company_out
!
router#show policy-map int atm0/x
Wednesday, November 7, 2007
Wednesday, May 2, 2007
Well Known Ports
If you have even wondered what port tacacs runs on (in case you are in the middle of constructing an ACL and you don't have access to google). All you need to do is enter the following in the router:
!
router# show ip port-map
or:
!
router# show ip nbar port-map
Here is what you'll get with the port-map:
Default mapping: snmp udp port 161 system defined
Default mapping: echo tcp port 7 system defined
Default mapping: echo udp port 7 system defined
Default mapping: telnet tcp port 23 system defined
Default mapping: wins tcp port 1512 system defined
Default mapping: n2h2server tcp port 9285 system defined
Default mapping: n2h2server udp port 9285 system defined
Default mapping: nntp tcp port 119 system defined
Default mapping: pptp tcp port 1723 system defined
Default mapping: rtsp tcp port 554,8554 system defined
Default mapping: bootpc udp port 68 system defined
Default mapping: gdoi udp port 848 system defined
Default mapping: h323-nxg udp port 2099 system defined
Default mapping: h323-nxg tcp port 2099 system defined
Default mapping: tacacs udp port 49 system defined
Default mapping: gopher tcp port 70 system defined
Default mapping: icabrowser udp port 1604 system defined
Default mapping: skinny tcp port 2000 system defined
Default mapping: sunrpc tcp port 111 system defined
Default mapping: sunrpc udp port 111 system defined
Default mapping: biff udp port 512 system defined
Default mapping: router udp port 520 system defined
Default mapping: entrust-svc-hdlr tcp port 709,710 system defined
Default mapping: entrust-svc-hdlr udp port 709,710 system defined
Default mapping: ircs tcp port 994 system defined
Default mapping: orasrv tcp port 1525...1529 system defined
Default mapping: ms-cluster-net udp port 3343 system defined
Default mapping: kermit tcp port 1649 system defined
Default mapping: gnutella tcp port 6346...6349 system defined
Default mapping: gnutella tcp port 6355,5634 system defined
Default mapping: gnutella udp port 6346...6348 system defined
Default mapping: isakmp udp port 500 system defined
Default mapping: sshell tcp port 614 system defined
Default mapping: sshell udp port 614 system defined
• And here is what you get with the nbar option:
port-map bgp udp 179
port-map bgp tcp 179
port-map bittorrent tcp 6969 6881 6882 6883 6884 6885 6886 6887 6888 6889
port-map citrix udp 1604
port-map citrix tcp 2598 2512 2513 1494
port-map cuseeme udp 7648 7649 24032
port-map cuseeme tcp 7648 7649
port-map dhcp udp 67 68
port-map directconnect tcp 411 412 413
port-map dns udp 53
port-map dns tcp 53
port-map edonkey tcp 4662
port-map exchange tcp 135
port-map fasttrack tcp 1214
port-map finger tcp 79
port-map ftp tcp 21
port-map gnutella udp 6346 6347 6348
port-map gnutella tcp 6346 6347 6348 6349 6355 5634
port-map gopher udp 70
port-map gopher tcp 70
port-map h323 udp 1300 1718 1719 1720 11720
port-map h323 tcp 1300 1718 1719 1720 11000 - 11999
port-map http tcp 80
port-map imap udp 143 220
port-map imap tcp 143 220
port-map irc udp 194
port-map irc tcp 194
port-map kerberos udp 88 749
port-map kerberos tcp 88 749
port-map l2tp udp 1701
port-map ldap udp 389
port-map ldap tcp 389
port-map mgcp udp 2427 2727
port-map mgcp tcp 2427 2428 2727
port-map netbios udp 137 138
port-map netbios tcp 137 139
port-map netshow tcp 1755
port-map nfs udp 2049
port-map nfs tcp 2049
port-map nntp udp 119
port-map nntp tcp 119
port-map notes udp 1352
port-map notes tcp 1352
port-map novadigm udp 3460 3461 3462 3463 3464 3465
port-map novadigm tcp 3460 3461 3462 3463 3464 3465
port-map ntp udp 123
port-map ntp tcp 123
port-map pcanywhere udp 22 5632
port-map pcanywhere tcp 65301 5631
port-map pop3 udp 110
port-map pop3 tcp 110
port-map pptp tcp 1723
port-map printer udp 515
port-map printer tcp 515
port-map rcmd tcp 512 513 514
port-map rip udp 520
port-map rsvp udp 1698 1699
port-map rtsp tcp 554 8554
port-map secure-ftp tcp 990
port-map secure-http tcp 443
port-map secure-imap udp 585 993
port-map secure-imap tcp 585 993
and for those of you that are still reading.... tacacs runs on port 49.
!
router# show ip port-map
or:
!
router# show ip nbar port-map
Here is what you'll get with the port-map:
Default mapping: snmp udp port 161 system defined
Default mapping: echo tcp port 7 system defined
Default mapping: echo udp port 7 system defined
Default mapping: telnet tcp port 23 system defined
Default mapping: wins tcp port 1512 system defined
Default mapping: n2h2server tcp port 9285 system defined
Default mapping: n2h2server udp port 9285 system defined
Default mapping: nntp tcp port 119 system defined
Default mapping: pptp tcp port 1723 system defined
Default mapping: rtsp tcp port 554,8554 system defined
Default mapping: bootpc udp port 68 system defined
Default mapping: gdoi udp port 848 system defined
Default mapping: h323-nxg udp port 2099 system defined
Default mapping: h323-nxg tcp port 2099 system defined
Default mapping: tacacs udp port 49 system defined
Default mapping: gopher tcp port 70 system defined
Default mapping: icabrowser udp port 1604 system defined
Default mapping: skinny tcp port 2000 system defined
Default mapping: sunrpc tcp port 111 system defined
Default mapping: sunrpc udp port 111 system defined
Default mapping: biff udp port 512 system defined
Default mapping: router udp port 520 system defined
Default mapping: entrust-svc-hdlr tcp port 709,710 system defined
Default mapping: entrust-svc-hdlr udp port 709,710 system defined
Default mapping: ircs tcp port 994 system defined
Default mapping: orasrv tcp port 1525...1529 system defined
Default mapping: ms-cluster-net udp port 3343 system defined
Default mapping: kermit tcp port 1649 system defined
Default mapping: gnutella tcp port 6346...6349 system defined
Default mapping: gnutella tcp port 6355,5634 system defined
Default mapping: gnutella udp port 6346...6348 system defined
Default mapping: isakmp udp port 500 system defined
Default mapping: sshell tcp port 614 system defined
Default mapping: sshell udp port 614 system defined
• And here is what you get with the nbar option:
port-map bgp udp 179
port-map bgp tcp 179
port-map bittorrent tcp 6969 6881 6882 6883 6884 6885 6886 6887 6888 6889
port-map citrix udp 1604
port-map citrix tcp 2598 2512 2513 1494
port-map cuseeme udp 7648 7649 24032
port-map cuseeme tcp 7648 7649
port-map dhcp udp 67 68
port-map directconnect tcp 411 412 413
port-map dns udp 53
port-map dns tcp 53
port-map edonkey tcp 4662
port-map exchange tcp 135
port-map fasttrack tcp 1214
port-map finger tcp 79
port-map ftp tcp 21
port-map gnutella udp 6346 6347 6348
port-map gnutella tcp 6346 6347 6348 6349 6355 5634
port-map gopher udp 70
port-map gopher tcp 70
port-map h323 udp 1300 1718 1719 1720 11720
port-map h323 tcp 1300 1718 1719 1720 11000 - 11999
port-map http tcp 80
port-map imap udp 143 220
port-map imap tcp 143 220
port-map irc udp 194
port-map irc tcp 194
port-map kerberos udp 88 749
port-map kerberos tcp 88 749
port-map l2tp udp 1701
port-map ldap udp 389
port-map ldap tcp 389
port-map mgcp udp 2427 2727
port-map mgcp tcp 2427 2428 2727
port-map netbios udp 137 138
port-map netbios tcp 137 139
port-map netshow tcp 1755
port-map nfs udp 2049
port-map nfs tcp 2049
port-map nntp udp 119
port-map nntp tcp 119
port-map notes udp 1352
port-map notes tcp 1352
port-map novadigm udp 3460 3461 3462 3463 3464 3465
port-map novadigm tcp 3460 3461 3462 3463 3464 3465
port-map ntp udp 123
port-map ntp tcp 123
port-map pcanywhere udp 22 5632
port-map pcanywhere tcp 65301 5631
port-map pop3 udp 110
port-map pop3 tcp 110
port-map pptp tcp 1723
port-map printer udp 515
port-map printer tcp 515
port-map rcmd tcp 512 513 514
port-map rip udp 520
port-map rsvp udp 1698 1699
port-map rtsp tcp 554 8554
port-map secure-ftp tcp 990
port-map secure-http tcp 443
port-map secure-imap udp 585 993
port-map secure-imap tcp 585 993
and for those of you that are still reading.... tacacs runs on port 49.
Saturday, April 21, 2007
BGP Tips
• Links:
BGP Basics
BGP Attributes
Route Reflector
IGMP Multipath Load Shating
Cisco Q&A
• BGP route selection algorithm
•Weight - Cisco Specific - Not advertised to neighbor routers - Two links to one router both advertising the same network - Higher weight is applied to one and installed into the IP routing table
•Local preference - Two routers receiving updates from a neighbor for the same network - the higher local preference value wins
•Multi-exit discriminator - (MED) suggestion to an external AS for the preferred route - Lower value metric wins - MED's are advertised throughout the local AS
•Origin - How did BGP learn about the route - Three Possible ways -
1.IGP Interior to the originating AS (IGP) Value set when the command was used to inject the route into BGP
2. EGP The route was learned via an Exterior Border Gateway Protocol (EGBP)
3. Incomplete The origin of the route is unknown or learned in some other way. Redistributed into BGP
•AS_path - Shorter AS path wins - updates with the router's own AS are rejected
•Next hop - The IP address that is used to reach the advertising router. For EBGP peers the IP is the connection between the peers - in IBGP the EBGP next hop address is preserved in the local AS.
•Community - Route maps are used to group destinations into a community - Predefined communities are:
no-export - do not advertise this route to EBGP peers
no-advertise - do not advertise this route to any peer
internet - advertise this route to the internet all routers in the network belong to is
• BGP Valid AS Numbers
1 to 64,511
64,512 to 65,535 are reserved fr private use
• In order for two BGP peers to form a BGP session they must first have an active TCP session and be able to reach one another over TCP port 179.
• Alias Commands:
alias exec cib clear ip bgp *
alias sb show ip bgp summary
• Show Commands:
show proc cpu | include BGP
show ip bgp (*> noting best reachable route)
show ip bgp | exclude [AS#]
show run | begin router bgp
show ip bgp neighbors
BGP Basics
BGP Attributes
Route Reflector
IGMP Multipath Load Shating
Cisco Q&A
• BGP route selection algorithm
•Weight - Cisco Specific - Not advertised to neighbor routers - Two links to one router both advertising the same network - Higher weight is applied to one and installed into the IP routing table
•Local preference - Two routers receiving updates from a neighbor for the same network - the higher local preference value wins
•Multi-exit discriminator - (MED) suggestion to an external AS for the preferred route - Lower value metric wins - MED's are advertised throughout the local AS
•Origin - How did BGP learn about the route - Three Possible ways -
1.IGP Interior to the originating AS (IGP) Value set when the command was used to inject the route into BGP
2. EGP The route was learned via an Exterior Border Gateway Protocol (EGBP)
3. Incomplete The origin of the route is unknown or learned in some other way. Redistributed into BGP
•AS_path - Shorter AS path wins - updates with the router's own AS are rejected
•Next hop - The IP address that is used to reach the advertising router. For EBGP peers the IP is the connection between the peers - in IBGP the EBGP next hop address is preserved in the local AS.
•Community - Route maps are used to group destinations into a community - Predefined communities are:
no-export - do not advertise this route to EBGP peers
no-advertise - do not advertise this route to any peer
internet - advertise this route to the internet all routers in the network belong to is
• BGP Valid AS Numbers
1 to 64,511
64,512 to 65,535 are reserved fr private use
• In order for two BGP peers to form a BGP session they must first have an active TCP session and be able to reach one another over TCP port 179.
• Alias Commands:
alias exec cib clear ip bgp *
alias sb show ip bgp summary
• Show Commands:
show proc cpu | include BGP
show ip bgp (*> noting best reachable route)
show ip bgp | exclude [AS#]
show run | begin router bgp
show ip bgp neighbors
Thursday, April 12, 2007
File Permissions
To add write permission for the group on a file called "file1":
type: chmod g+w file1
To remove read and write permission for the group and others on "file1":
type: chmod go-rw file1
To make "file1" and "file2" executable for yourself:
type: chmod u+x file1 file2
To deny the group and others cd permission to the directory "direct1":
type: chmod go-x direct1
To do several steps at once:
Remove read and write permission on file1 for others, add write permission for the group:
type: chmod g+w,o-rw file1
type: chmod g+w file1
To remove read and write permission for the group and others on "file1":
type: chmod go-rw file1
To make "file1" and "file2" executable for yourself:
type: chmod u+x file1 file2
To deny the group and others cd permission to the directory "direct1":
type: chmod go-x direct1
To do several steps at once:
Remove read and write permission on file1 for others, add write permission for the group:
type: chmod g+w,o-rw file1
Sunday, April 8, 2007
UNIX Tips and Tricks
First off I want to say that these commands are specific to the mac and should be used to get things like system information and move/open files.
• Secure Copy
From source to Destination
scp /directory/localfile user@hostname.domain.com:filename
- or -
scp local_file user@hostip:/directory/directory/filename
________________________
• Copy via ftp
Say you want to copy an IOS image from a server to a router and tftp keeps timing out. You can use ftp to perform the task with no issue. You will need to turn on your ftp service and then put the file in your Public directory for the router to access it. Here is the command:
________________________
• Make a copy of a directory in a new location with ditto:
- Existing directory named bgp, full of files. You want an exact copy of that directory and all the files in it just with a new name:
sudo ditto bgp rip
________________________
• Listing the ports you have configured in your System Preferences/Network
- Enter
networksetup -listallnetworkservices
Built-in Ethernet
PCI Ethernet Slot 3, Port 1
PCI Ethernet Slot 3, Port 2
PCI Ethernet Slot 3, Port 3
PCI Ethernet Slot 3, Port 4
Built-in FireWire
VPN (L2TP)
________________________
• Specific Interface information:
- Enter
networksetup -getinfo "Built-in Ethernet"
- or -
networksetup -getinfo "Airport"
Manual Configuration
IP address: X.X.X.X
Subnet mask: 255.255.252.0
Router: X.X.X.X
IPv6: Automatic
IPv6 Link Local Address: fe80::XXXx:XXXX:XXXX:XXX
Ethernet Address: 00:30:XX:XX:XX:XX
________________________
• Setting up and interface
- Enter
sudo networksetup -setmanual "Built-in Ethernet" 192.168.100.100 255.255.255.0 192.168.100.1
________________________
• Tar
tar -cvzf images.tar "File Name"
-- unpack --
tar -xzf ~/filename.tar/
________________________
• DHCP Netinfo - Network info
ipconfig getpacket en1
________________________
• Logging elimination of specified text
tail -f /var/log/router.log| sed -e '/routername/d' -e '/other_router/d'
/d is a sed option to delete the whole line if it matches what's inside the two /'s
tail -f /logs/cisco-routers | egrep -v list
________________________
• Grep through directory in search of specific text
grep -e 'aaa' -f *confg
________________________
• sftp
sftp://username@host.domain.com:22/
________________________
• Alias Address Ethernet Interface
sudo ifconfig en0 inet X.X.X.X netmask 255.255.252.0 alias
** Remove
sudo ifconfig en0 X.X.X.X netmask 0xfffffc00 broadcast X.X.X.X -alias
________________________
• DNS Digging
495 dig axfr domain.com @disthost.domin.com | grep hostname
496 dig axfr domain.com @disthost.domin.com | sed -e '/^hostname/p'
497 dig axfr domain.com @disthost.domin.com | grep ^hostname
498 dig axfr domain.com @disthost.domin.com | grep ^hostname | sed -e '/MX/d'
**
dig axfr domain.com @disthost.domin.com | grep ^hostname | sed -e '/MX/d'
________________________
• Piping output to file
sudo tcpdump -i en1 > ~/Desktop/output
________________________
• Grep -
grep "Nov 22" /var/log/system.log | grep -v "words to omit"|grep -v "more words|grep -v "even more words"
-or -
tail -f /var/log/router.log | egrep -v "line 103|line 104"
________________________
• Netinfo
Determining what Netinfo Server a client has bound to:
sudo lsof -i | grep lookupd
________________________
Man pages stored in /usr/share/man/man8/
____+_________+_______
Revision control:
/usr/local/tftp/configs - Location of the files
rcsdiff rotuername.domain.com-confg - gets you the revision number
rcsdiff -r1.2 router.domain.com-confg - once you have that revision number you can compare the changes
co -p1.11 router.domain.com-confg - Complete revision of a config
________________________
• SSH to Router with Secure ID Auth
ssh -l user X.X.X.X
________________________
• Searching with Grep
grep gnutella *.acl
________________________
• Clearing the contents of a file
cat /dev/null >/var/log/filename.log
________________________
• Active Connections on a box:
netstat -a -f inet -p TCP | grep -i established
________________________
• Port Check
nc -z -v hostname.domain.com 443
________________________
• Tar Files
tar -cvvf home.tar home/
In the above example command the system would create a tar file named home.tar
in the directory you currently are in of the home directory.
________________________
• Extracting the files from a tar file:
tar -xvvf myfile.tar
In the above example command the system would uncompress (untar) the myfile.tar file in the current directory.
ssh preshared key generation -
http://developer.apple.com/documentation/developertools/Conceptual/XcodeUserGuide/Contents/Resources/en.lproj/13_SSHEnvironment/chapter_953_section_1.html
________________________
• Making a cool .bash_profile:
alias servername="ssh yourname@servername.com"
alias ls="ls -lGitur"
alias q="exit"
alias tftp="cd /private/tftpboot"
alias open="cd /Applications"
alias tunnel="ssh username@servername.com -D 2222"
________________________
• Listing open connections you haveon your system:
lsof -i
________________________
• Updating your path (bash) with:
% echo 'PATH=$PATH:/usr/local/bin' >> ~/.bash_profile
% source .bash_profile
________________________
• MD5 Hash
openssl passwd -1 -table -salt "73u3" "cisco"
________________________
• Show system Version (Mac OS X)
sw_vers
• Secure Copy
From source to Destination
scp /directory/localfile user@hostname.domain.com:filename
- or -
scp local_file user@hostip:/directory/directory/filename
________________________
• Copy via ftp
Say you want to copy an IOS image from a server to a router and tftp keeps timing out. You can use ftp to perform the task with no issue. You will need to turn on your ftp service and then put the file in your Public directory for the router to access it. Here is the command:
copy ftp://un:pw@hostname/Public/biglong_imagename(withlots of numbers).bin disk1:
________________________
• Make a copy of a directory in a new location with ditto:
- Existing directory named bgp, full of files. You want an exact copy of that directory and all the files in it just with a new name:
sudo ditto bgp rip
________________________
• Listing the ports you have configured in your System Preferences/Network
- Enter
networksetup -listallnetworkservices
Built-in Ethernet
PCI Ethernet Slot 3, Port 1
PCI Ethernet Slot 3, Port 2
PCI Ethernet Slot 3, Port 3
PCI Ethernet Slot 3, Port 4
Built-in FireWire
VPN (L2TP)
________________________
• Specific Interface information:
- Enter
networksetup -getinfo "Built-in Ethernet"
- or -
networksetup -getinfo "Airport"
Manual Configuration
IP address: X.X.X.X
Subnet mask: 255.255.252.0
Router: X.X.X.X
IPv6: Automatic
IPv6 Link Local Address: fe80::XXXx:XXXX:XXXX:XXX
Ethernet Address: 00:30:XX:XX:XX:XX
________________________
• Setting up and interface
- Enter
sudo networksetup -setmanual "Built-in Ethernet" 192.168.100.100 255.255.255.0 192.168.100.1
________________________
• Tar
tar -cvzf images.tar "File Name"
-- unpack --
tar -xzf ~/filename.tar/
________________________
• DHCP Netinfo - Network info
ipconfig getpacket en1
________________________
• Logging elimination of specified text
tail -f /var/log/router.log| sed -e '/routername/d' -e '/other_router/d'
/d is a sed option to delete the whole line if it matches what's inside the two /'s
tail -f /logs/cisco-routers | egrep -v list
________________________
• Grep through directory in search of specific text
grep -e 'aaa' -f *confg
________________________
• sftp
sftp://username@host.domain.com:22/
________________________
• Alias Address Ethernet Interface
sudo ifconfig en0 inet X.X.X.X netmask 255.255.252.0 alias
** Remove
sudo ifconfig en0 X.X.X.X netmask 0xfffffc00 broadcast X.X.X.X -alias
________________________
• DNS Digging
495 dig axfr domain.com @disthost.domin.com | grep hostname
496 dig axfr domain.com @disthost.domin.com | sed -e '/^hostname/p'
497 dig axfr domain.com @disthost.domin.com | grep ^hostname
498 dig axfr domain.com @disthost.domin.com | grep ^hostname | sed -e '/MX/d'
**
dig axfr domain.com @disthost.domin.com | grep ^hostname | sed -e '/MX/d'
________________________
• Piping output to file
sudo tcpdump -i en1 > ~/Desktop/output
________________________
• Grep -
grep "Nov 22" /var/log/system.log | grep -v "words to omit"|grep -v "more words|grep -v "even more words"
-or -
tail -f /var/log/router.log | egrep -v "line 103|line 104"
________________________
• Netinfo
Determining what Netinfo Server a client has bound to:
sudo lsof -i | grep lookupd
________________________
Man pages stored in /usr/share/man/man8/
____+_________+_______
Revision control:
/usr/local/tftp/configs - Location of the files
rcsdiff rotuername.domain.com-confg - gets you the revision number
rcsdiff -r1.2 router.domain.com-confg - once you have that revision number you can compare the changes
co -p1.11 router.domain.com-confg - Complete revision of a config
________________________
• SSH to Router with Secure ID Auth
ssh -l user X.X.X.X
________________________
• Searching with Grep
grep gnutella *.acl
________________________
• Clearing the contents of a file
cat /dev/null >/var/log/filename.log
________________________
• Active Connections on a box:
netstat -a -f inet -p TCP | grep -i established
________________________
• Port Check
nc -z -v hostname.domain.com 443
________________________
• Tar Files
tar -cvvf home.tar home/
In the above example command the system would create a tar file named home.tar
in the directory you currently are in of the home directory.
________________________
• Extracting the files from a tar file:
tar -xvvf myfile.tar
In the above example command the system would uncompress (untar) the myfile.tar file in the current directory.
ssh preshared key generation -
http://developer.apple.com/documentation/developertools/Conceptual/XcodeUserGuide/Contents/Resources/en.lproj/13_SSHEnvironment/chapter_953_section_1.html
________________________
• Making a cool .bash_profile:
alias servername="ssh yourname@servername.com"
alias ls="ls -lGitur"
alias q="exit"
alias tftp="cd /private/tftpboot"
alias open="cd /Applications"
alias tunnel="ssh username@servername.com -D 2222"
________________________
• Listing open connections you haveon your system:
lsof -i
________________________
• Updating your path (bash) with:
% echo 'PATH=$PATH:/usr/local/bin' >> ~/.bash_profile
% source .bash_profile
________________________
• MD5 Hash
openssl passwd -1 -table -salt "73u3" "cisco"
________________________
• Show system Version (Mac OS X)
sw_vers
Subscribe to:
Posts (Atom)
