POPULAR ISO STANDARDS

POPULAR ISO STANDARDS

ISO 9000   Quality management
ISO 14000 Environmental management
ISO 3166   Country codes
ISO 26000 Social responsibility
ISO 50001 Energy management
ISO 31000 Risk management
ISO 22000 Food safety management
ISO 27001 Information security management
ISO 20121 Sustainable events

What is a standard?

A standard is a document that provides requirements, specifications, guidelines or characteristics that can be used consistently to ensure that materials, products, processes and services are fit for their purpose.

How does ISO develop standards?

An ISO standard is developed by a panel of experts, within a technical committee. Once the need for a standard has been established, these experts meet to discuss and negotiate a draft standard. As soon as a draft has been developed it is shared with ISO’s members who are asked to comment and vote on it. If a consensus is reached the draft becomes an ISO standard, if not it goes back to the technical committee for further edits.

What are the benefits of ISO International Standards?

ISO International Standards ensure that products and services are safe, reliable and of good quality. For business, they are strategic tools that reduce costs by minimizing waste and errors, and increasing productivity. They help companies to access new markets, level the playing field for developing countries and facilitate free and fair global trade.

MICROSOFT PATCH MANAGEMENT

Microsoft Patch Management

Patch management is a circular process and must be ongoing. The unfortunate reality about software vulnerabilities is that, after you apply a patch today, a new vulnerability must be addressed tomorrow.

Develop and automate a patch management process that includes each of the following:

Detect: Use tools to scan your systems for missing security patches. The detection should be automated and will trigger the patch management process.

Assess: If necessary updates are not installed, determine the severity of the issue(s) addressed by the patch and the mitigating factors that may influence your decision. By balancing the severity of the issue and mitigating factors, you can determine if the vulnerabilities are a threat to your current environment.

Acquire: If the vulnerability is not addressed by the security measures already in place, download the patch for testing.

Test: Install the patch on a test system to verify the ramifications of the update against your production configuration.

Deploy: Deploy the patch to production computers. Make sure your applications are not affected. Employ your rollback or backup restore plan if needed.

Maintain: Subscribe to notifications that alert you to vulnerabilities as they are reported. Begin the patch management process again.

The Role of MBSA in Patch Management

The Microsoft Baseline Security Analyzer (MBSA) is a tool that is designed for two purposes:

1. To scan a computer against vulnerable configurations

2. To detect the availability of security updates those are released by Microsoft

MBSA scan options

When using the command line interface (Mbsacli.exe), you can use the following command to scan only missing security updates.

Mbsacli.exe /n OS+IIS+SQL+PASSWORD

The option /n specifies the checks to skip. The selection (OS+IIS+SQL+PASSWORD) skips the checks for vulnerabilities and weak passwords.

From a command window, change directory to the MBSA installation directory, and type the following command:

mbsacli /i 127.0.0.1 /n OS+IIS+SQL+PASSWORD

You can also specify a computer name. For example:

mbsacli /c domain\machinename /n OS+IIS+SQL+PASSWORD

You can also specify a range of computers by using the /r option. For example:

mbsacli /r 192.168.0.1-192.168.0.254 /n OS+IIS+SQL+PASSWORD

Finally, you can scan a domain by using the /d option. For example:


mbsacli /d NameOfMyDomain /n OS+IIS+SQL+PASSWORD

INTEL 3RD AND 4TH GENERATION PROCESSOR COMPARISON

INTEL 3RD AND 4TH GENERATION MOBILE, DESKTOP AND SERVER PROCESSORS DETAILED COMPARISON.

INTEL 3RD AND 4TH GENERATION MOBILE PROCESSOR COMPARISON

Below Intel url will provide you full list of processors to select and compare detailed features.

http://www.intel.com/content/www/us/en/processor-comparison/compare-intel-processors.html

INTEL 3RD AND 4TH GENERATION DESKTOP PROCESSOR COMPARISON

http://www.intel.com/content/www/us/en/processor-comparison/compare-intel-processors.html?select=desktop

INTEL 3RD AND 4TH GENERATION SERVER PROCESSOR COMPARISON

http://www.intel.com/content/www/us/en/processor-comparison/compare-intel-processors.html?select=server

NAT STATE FULL FAILOVER ON CISCO

CISCO NAT Stateful Failover:

When the word "stateful" is mentioned in the networking world, it usually means that the router or a firewall keeps records of the sessions created. Stateful failover means that whatever sessions that have been recorded in one device the other backup device has a knowledge of it and can act as a backup without those sessions torn down in case the main device fails. It will function as the same as the primary one. NAT has also the failover functionality. This lab will focus on configuring Dynamic NAT failover.

R3 and R4 are NAT routers. R3 is the primary and R4 is the back up NAT router. These must be configured so that 
R4 will provide stateful failover. Subnets in R1 1.1.1.1/32 - 1.1.1.5/32 should be translated to 
123.123.123.1 - .5 /24. The host side ip address must match e.g. 1.1.1.1/32 = 123.123.123.1/32.

These have been preconfigured:
1. OSPF on all routers.
2. Default route and floating static default route in R5.(for 123.123.123.0/24 reachability)
3. Ip OSPF cost in the links from R2 to R3 and R3 to R5 to disable equal cost path load balancing.

1. First let's configure which is the inside and outside part in the NAT configuration.

R3(config)# int se0/2
R3(config-if)# description connected to R2
R3(config-if)# ip nat inside
R3(config-if)# int se0/3
R3(config-if)# description connected to R5
R3(config-if)# ip nat outside

R4(config)# int se0/2
R4(config-if)# description connected to R2
R4(config-if)# ip nat inside
R4(config-if)# int se0/0
R4(config-if)# description connected to R5
R4(config-if)# ip nat outside

2. Configure an access-list list that will match the IP addresses of Loopback0 in R1 and configure a NAT pool where we will get the translations.

Note: The "match-host" keyword makes it possible for exact host to host translation 1.1.1.1/32 = 123.123.123.1/32, .5 = .5 the 
last octet in the ip address will be the same value. It will match the host portion of the IP address.

R3(config)# access-list 1 permit 1.1.1.0 0.0.0.255
R3(config)# ip nat pool LOOPBACK 123.123.123.1 123.123.123.5 prefix-length 24 type match-host

R4(config)# access-list 1 permit 1.1.1.0 0.0.0.255
R4(config)# ip nat pool LOOPBACK 123.123.123.1 123.123.123.5 prefix-length 24 type match-host

3. Configure a NAT stateful ID. This is what makes the stateful failover possible. This configuration will determine which is the primary NAT router and the backup.

R3(config)# ip nat stateful id 1 ----------> This is locally significant.
R3(config-ipnat-snat)# primary 23.23.23.3
R3(config-ipnat-snat-pri)# peer 24.24.24.4
R3(config-ipnat-snat-pri)# mapping-id 1 ---------> This should match on the routers.
R3(config-ipnat-snat-pri)# exit

R4(config)# ip nat stateful id 1 ----------> This is locally significant.
R4(config-ipnat-snat)# backup 24.24.24.4
R4(config-ipnat-snat-pri)# peer 23.23.23.3
R4(config-ipnat-snat-pri)# mapping-id 1 ---------> This should match on the routers.
R4(config-ipnat-snat-pri)# exit

The "peer" keyword here will do that trick on making the 2 routers related. The ip addresses configured on the "primary" and "backup" parameters should be one of the IP addresses in the router which is configured with the "ip nat inside" command. Otherwise, you will get an error message that its not a match.If 2 backups are configured and they are peer with each other, they won't establish a relationship. A router can be configured as a primary for one mapping-id and back up for another.

After configuring these commands, let's see the logs created by the routers.

R3#
*Mar 1 01:36:33.783: %SNAT-5-PROCESS: Id 1, System start converging
*Mar 1 01:36:45.871: SNAT (Receive): CONVERGENCE Message for Router-Id: 1 from Peer Router-Id: 1's entries
*Mar 1 01:36:45.871: %SNAT-5-PROCESS: Id 1, System fully converged

R4#
*Mar 1 01:34:11.803: %SNAT-5-PROCESS: Id 1, System start converging
*Mar 1 01:34:11.811: %SNAT-5-PROCESS: Id 1, System fully converged
*Mar 1 01:34:48.767: %SNAT-5-PROCESS: Id 1, System start converging
*Mar 1 01:34:50.791: SNAT (Receive): CONVERGENCE Message for Router-Id: 1 from Peer Router-Id: 1's entries
*Mar 1 01:34:50.795: %SNAT-5-PROCESS: Id 1, System fully converged

Let's do a show command that will check the status of the Stateful Failover NAT.

R3#show ip snat distributed

Stateful NAT Connected Peers:

SNAT: Mode PRIMARY
: State READY
: Local Address 23.23.23.3
: Local NAT id 1
: Peer Address 24.24.24.4
: Peer NAT id 1
: Mapping List 1

R4#show ip snat distributed

Stateful NAT Connected Peers

SNAT: Mode BACKUP
: State READY
: Local Address 24.24.24.4
: Local NAT id 1
: Peer Address 23.23.23.3
: Peer NAT id 1
: Mapping List 1

4. Configure the IP NAT translation statement mapping access-list 1 and the NAT pool created.

R3(config)# ip nat inside source list 1 pool LOOPBACK mapping-id 1

R4(config)# ip nat inside source list 1 pool LOOPBACK mapping-id 1

5. Now let's test NATing by pingin 5.5.5.5 sourcing from the IP's on Loopback0 on R1. (Will not be shown) We can do "debug ip nat" on R3 and R4, but will only see output in R3 since the traffic passes there. For the sake of a shorter post I will not display the output.

6. Let's check the translation on R3, our main NAT router and afterwards check if R4 is getting the information from the NATing table.

R3#sh ip nat tran
Pro Inside global Inside local Outside local Outside global
icmp 123.123.123.1:20 1.1.1.1:20 5.5.5.5:20 5.5.5.5:20
--- 123.123.123.1 1.1.1.1 --- ---
icmp 123.123.123.2:19 1.1.1.2:19 5.5.5.5:19 5.5.5.5:19
--- 123.123.123.2 1.1.1.2 --- ---
icmp 123.123.123.3:18 1.1.1.3:18 5.5.5.5:18 5.5.5.5:18
--- 123.123.123.3 1.1.1.3 --- ---
icmp 123.123.123.4:17 1.1.1.4:17 5.5.5.5:17 5.5.5.5:17
--- 123.123.123.4 1.1.1.4 --- ---
icmp 123.123.123.5:16 1.1.1.5:16 5.5.5.5:16 5.5.5.5:16
--- 123.123.123.5 1.1.1.5 --- ---

R4#sh ip nat tran
Pro Inside global Inside local Outside local Outside global
icmp 123.123.123.1:20 1.1.1.1:20 5.5.5.5:20 5.5.5.5:20
--- 123.123.123.1 1.1.1.1 --- ---
icmp 123.123.123.2:19 1.1.1.2:19 5.5.5.5:19 5.5.5.5:19
--- 123.123.123.2 1.1.1.2 --- ---
icmp 123.123.123.3:18 1.1.1.3:18 5.5.5.5:18 5.5.5.5:18
--- 123.123.123.3 1.1.1.3 --- ---
icmp 123.123.123.4:17 1.1.1.4:17 5.5.5.5:17 5.5.5.5:17
--- 123.123.123.4 1.1.1.4 --- ---
icmp 123.123.123.5:16 1.1.1.5:16 5.5.5.5:16 5.5.5.5:16
--- 123.123.123.5 1.1.1.5 --- ---

Though the traffic did not pass through R4, it knows the translation. Notice that the host part of the original ip address and the translated ip address is the same. This is the result of the "match=host" keyword.
Let's see if the failover information by R3 is passed to R4 by a show command.

R4#sh ip snat peer 23.23.23.3

Show NAT Entries created by peer: 23.23.23.3

Pro Inside global Inside local Outside local Outside global
--- 123.123.123.1 1.1.1.1 --- ---
--- 123.123.123.2 1.1.1.2 --- ---
--- 123.123.123.3 1.1.1.3 --- ---
--- 123.123.123.4 1.1.1.4 --- ---
--- 123.123.123.5 1.1.1.5 --- ---
icmp 123.123.123.5:16 1.1.1.5:16 5.5.5.5:16 5.5.5.5:16
icmp 123.123.123.4:17 1.1.1.4:17 5.5.5.5:17 5.5.5.5:17
icmp 123.123.123.3:18 1.1.1.3:18 5.5.5.5:18 5.5.5.5:18
icmp 123.123.123.2:19 1.1.1.2:19 5.5.5.5:19 5.5.5.5:19
icmp 123.123.123.1:20 1.1.1.1:20 5.5.5.5:20 5.5.5.5:20

In the even that R3 and the traffic goes to R4, the sessions need not to be restarted as there are already existing translations on R4 which have been passed by R3. Let's shut down the interface in R3 and lets show how R4 reacts.

R4#
*Mar 1 02:11:15.819: %SNAT-5-ALERT: BACKUP staging recovery, replacing Primary
*Mar 1 02:11:15.819: %SNAT-5-PROCESS: Id 1, System start converging
*Mar 1 02:11:15.827: %SNAT-5-PROCESS: Id 1, System fully converged

It places itself as the primary NAT router but the translations that its learned from R3 will continue to be in place. Once R3 goes back up, it will put itself again the backup NAT router.

DHCP RELAY ON CISCO ASA FIREWALL

How to Configure DHCP Relay on Cisco ASA Firewall?

The ASA 5500 series firewall can work as DHCP relay agent which means that it receives DHCP requests from clients on one interface and forwards the requests to a DHCP server on another interface. Usually the DHCP server is located in the same layer 3 subnet with its clients. There are situations however where we have only one DHCP server but several layer 3 networks exist (on different security zones on a Cisco ASA) and dynamic IP allocation is required for those networks as well. With the DHCP relay feature, we can connect the DHCP server on one network zone and have the firewall forward all DHCP requests from the other network zones to the DHCP server.

Given diagram illustrates a simple network scenario with three security zones (network interfaces) and a single DHCP server. The three network zones are inside, outside and DMZ. The DHCP clients are connected to the inside network and the DHCP server on the DMZ network. The DHCP requests from the clients on the inside network will be relayed to the server on the DMZ network. The server will assign IP addresses in the range 192.168.1.0/24 to the clients.

Configuration:
First identify the DHCP server and the interface it Is connected to
ciscoasa# conf t
ciscoasa(config)# dhcprelay server 10.1.1.100 DMZ
ciscoasa(config)# dhcprelay timeout 90

Now enable the DHCP relay on the inside interface
ciscoasa(config)# dhcprelay enable inside

Assign the ASA inside interface IP as default gateway for the clients
ciscoasa(config)# dhcprelay setroute inside

Usage Guidelines:

You can add up to four DHCP relay servers per interface. You must add at least one dhcprelay server command to the ASA Firewall configuration before you can enter the dhcprelay enable command. You cannot configure a DHCP client on an interface that has a DHCP relay server configured.

You cannot enable DHCP relay under the following conditions:

• You cannot enable DHCP relay and the DHCP relay server on the same interface.
• You cannot enable DCHP relay and a DHCP server (dhcpd enable) on the same interface.

WiMAX

What is WiMAX?

WiMAX stand for "Worldwide Interoperability for Microware Access", a modern wireless network technology that enables fast internet connection even in remote areas. with WiMAX technology you are no longer dependent on a DSL infrastructure in your home or place of work. instead, you connect your PC or network wirelessly to radio stations operated in your region by your provider. As a result, wimax gives you fast, economical broadband internet access, even in places that are not connected to the DSL cable network.

The wimax standard IEEE 802.16 generally defines wimax technology. WiMAX is a wireless communications standard designed to provide 30 to 40 megabit-per-second data rates, with the 2011 update providing up to 1 Gbit/s for fixed stations.

WiMAX is expected to offer initially up to about 40 Mbps capacity per wireless channel for both fixed and portable applications, depending on the particular technical configuration chosen.

WiMAX MIMO refers to the use of Multiple-input multiple-output communications (MIMO) technology on WiMAX, which is the technology brand name for the implementation of the standard IEEE 802.16.

WiMAX implementations that use MIMO technology have become important. The use of MIMO technology improves the reception and allows for a better reach and rate of transmission.

The 802.16 defined MIMO configuration is negotiated dynamically between each individual base station and mobile station. The 802.16 specification supports the ability to support a mix of mobile stations with different MIMO capabilities

802.16 family of standards is officially called WirelessMAN in IEEE, it has been commercialized under the name "WiMAX" by the WiMAX Forum industry alliance. 

DISABLE TOUCHPAD OF LAPTOP IN LINUX

How to disable TouchPad of Laptop in Linux?

##use below command to list devices
xinput list

⎡ Virtual core pointer                     id=2 [master pointer  (3)]
⎜   ↳ Virtual core XTEST pointer      id=4 [slave  pointer  (2)]
⎜   ↳ PixArt USB Optical Mouse        id=9 [slave  pointer  (2)]
⎜   ↳ PS/2 Mouse                          id=12 [slave  pointer  (2)]
⎜   ↳ AlpsPS/2 ALPS GlidePoint        id=13 [slave  pointer  (2)]
⎣ Virtual core keyboard                  id=3 [master keyboard (2)]
    ↳ Virtual core XTEST keyboard    id=5 [slave  keyboard (3)]
    ↳ Power Button                         id=6 [slave  keyboard (3)]
    ↳ Video Bus                              id=7 [slave  keyboard (3)]
    ↳ Power Button                         id=8 [slave  keyboard (3)]
    ↳ CNA7157                               id=10 [slave  keyboard (3)]
    ↳ AT Translated Set 2 keyboard   id=11 [slave  keyboard (3)]
    ↳ Toshiba input device                id=14 [slave  keyboard (3)]

## To disable "AlpsPS/2 ALPS GlidePoint" touchpad use below command.
xinput set-prop 13 "Device Enabled" 0
OR
synclient TouchpadOff=1

## To enable it again use below command.

xinput set-prop 13 "Device Enabled" 1

OR
synclient TouchpadOff=0

## To disable touchpad graphically, use below repository in Ubuntu, Linuxmint or Debian

sudo add-apt-repository ppa:atareao/atareao

sudo apt-get update

sudo apt-get install touchpad-indicator

SHUN COMMAND TO BLOCK ATTACKER ON CISCO ASA FIREWALL

Block Attacks with a Cisco ASA Firewall and IDS using the shun command:

An Intrusion Detection system as we know can either work in Inline Mode (IPS) or in promiscuous mode (IDS). In inline mode, the IPS sensor can detect and block attacks by itself since all traffic passes through the sensor. However, in promiscuous mode, the IDS sensor can not block attacks by itself, but has to instruct the firewall to block the attack.

The IDS sensor in blow diagram is connected in “parallel” (not inline) with the ASA firewall. The “Sensing Interface” of the IDS appliance is connected on the outside (Internet) network zone and is continuously monitoring traffic to detect attacks. The “Control Interface” of the IDS appliance is connected on the inside network zone and is used to communicate with the ASA firewall. If an attack is detected (e.g Attacker at address 100.100.100.1 is sending malicious traffic to Victim addrBlock Attacks with a Cisco ASA Firewall and IDS using the shun command.

An Intrusion Detection system as we know can either work in Inline Mode (IPS) or in promiscuous mode (IDS). In inline mode, the IPS sensor can detect and block attacks by itself since all traffic passes through the sensor. However, in promiscuous mode, the IDS sensor can not block attacks by itself, but has to instruct the firewall to block the attack.

The IDS sensor in our example is connected in “parallel” (not inline) with the ASA firewall. The “Sensing Interface” of the IDS appliance is connected on the outside (Internet) network zone and is continuously monitoring traffic to detect attacks. The “Control Interface” of the IDS appliance is connected on the inside network zone and is used to communicate with the ASA firewall. If an attack is detected (e.g Attacker at address 100.100.100.1 is sending malicious traffic to Victim address 200.200.200.1), the IDS sensor instructs the ASA firewall (using the “Control Interface”) to block the attacking connection. This is done by the IDS sensor by asking the firewall to use the “shun” command to block the connection.

What is a “shun” command:

The shun command on the ASA Firewall appliance is used to block connections from an attacking host. Packets matching the values in the command are dropped and logged until the blocking function is removed manually or by the Cisco IDS sensor.

The format of the command is as following:
ASA# shun [source IP] [destination IP] 

In our example scenario above, the IDS sensor will instruct the firewall to apply the following shun command:

shun 100.100.100.1 200.200.200.1

The above will block all communication from the attacker to the victim. Cisco IPS/IDS sensors have a timer with which you define how long the command will be active. After that time, the command is removed.ess 200.200.200.1), the IDS sensor instructs the ASA firewall (using the “Control Interface”) to block the attacking connection. This is done by the IDS sensor by asking the firewall to use the “shun” command to block the connection.

What is a “shun” command:

The shun command on the ASA Firewall appliance is used to block connections from an attacking host. Packets matching the values in the command are dropped and logged until the blocking function is removed manually or by the Cisco IDS sensor.

The format of the command is as following:
ASA# shun [source IP] [destination IP] 

In our example scenario above, the IDS sensor will instruct the firewall to apply the following shun command:

shun 100.100.100.1 200.200.200.1

The above will block all communication from the attacker to the victim. Cisco IPS/IDS sensors have a timer with which you define how long the command will be active. After that time, the command is removed.

ALIEN VAULT OSSIM INSTALLATION & CONFIGURATION

ALIEN VAULT OSSIM 4.3.4 INSTALLATION & CONFIGURATION

1. Download OSSIM from the below mentioned URL.
    http://www.alienvault.com/open-threat-exchange/projects#ossim-tab

2. write iso to cd using any iso burner (imgburn etc.)

3. Boot from CD and start installation of OSSIM 4.3.4
    There are two types of installation
    3.1 USM (Unified Security Management)
    3.2 Sensor (log collector)
    
    I have to configure a server for analysis and reporting for that i selected 
    USM.

4. Select language which ever you needs to be default and press "continue"

5. Select you country, if you didn't find in list then goto other to select your 
    country and press "continue"

6. Select region in which your country exist and press "continue" 

7. Select you country and press "continue"

8. Select locale settings as default and press "continue"

9. Select your keyboard layout and press "Continue"

10. Add IP address (10.10.xxx.xxx) for your server and press "continue"

11. Add Netmask as per your IP scheme and press "continue"

12. Add default gateway IP for your server and press "continue"

13. Add the DNS address or use google dns e.g. 8.8.8.8 and press "continue"

14. Choose the password for your root account and press "continue"

15. Installer will configure all those settings and complete installation.

16. Login using root and password as you had chosen at the time of 
     installation.

17. AlienVault setup menu will be displayed, configure all required settings 
      as below. 
      System settings  (network configuration, mail relay, local configuration, 
      Hostname)
      System Updates  (update, upgrade)
      Configure Sensor (listening interface, server ip, Monitored networks, 
      data sources, netflow generator )
      Maintenance  (repair database, change password, reboot or shutdown 
      appliance, services)
      Tools  (tools to view logs or monitor server)
      Jailbreak this Appliance  (get the shellprompt to customize)
      About (info about server)
       Apply changes  (After completing configuration, apply all those settings)

18. To access the dashboard use URL with your management interface IP.
      https://10.10.x.x

CISCO SWITCH PORT ACLs

How To Configure Switch Port ACLs?

ACLs can also be used to control traffic on VLANs. Switch port ACLs can only be applied to Layer 2 interfaces in the inbound direction, and this controls traffic via IP access Lists.

Switch port ACL application is usually effective when applied on a trunk port, be warned that, if applied on a port with voice VLAN, the ACL filters traffic on both data and voice VLANs. The switch examines ACLs associated with features configured on a given interface and either permits or denies packet forwarding based on the criteria found in the entries of the ACL. 

With switch port ACLs, you can filter IP traffic by using IP access lists and non-IP traffic using MAC addresses.

We use the topology below as sample. follow me as we configure SW1 with ACLs to permit PC A to access Server A, and deny PC B from accessing the same network.


Complex ACLs

SW1(config)# mac access-list extended orbit123

SW1(config-ext-macl)# deny any host 000e.53ac.9b72

SW1(config-ext-macl)# permit any any

Switch(config)# int f0/3

Switch(config)# mac access-group orbit123 in

Looking at the configuration commands above, you can see that we created and extended named access list which is our only option. After creating the access list, we applied in on and interface (fa0/3). It more like the same with IP list, except that you start your command statement with mac.

Verify Configuration:
Use the Show access-list command to verify your configuration.

SW1#show access-list

JUNIPER JUNOS TIME ZONES

JUNIPER TIME ZONES
JUNIPER JUNOS OS TIME ZONES

To import and install time zone files, follow these steps:
Download the time zone files archive and untar them to a temporary directory such as /var/tmp:

    # mkdir -p /var/tmp/tz && cd /var/tmp/tz && rm *
    # wget 'ftp://ftp.iana.org/tz/tzdata-latest.tar.gz'
    # tar xvzf tzdata*.gz

    africa
    antarctica
    asia
    australasia
    europe
    northamerica
    southamerica
    pacificnew
    etcetera
    factory
    backward
    systemv
    solar87
    solar88
    solar89
    iso3166.tab
    zone.tab
    leapseconds
    yearistype.sh

Note: If needed, you can edit the above untarred files to create or modify time zones.

Select the names of time zone files to compile and feed them to the following script.

For example, to generate northamerica and asia tz files:

    # /usr/libexec/ui/compile-tz asia northamerica

Enable the use of the generated tz files using the CLI:

    # set system use-imported-time-zones

    # set system time-zone ?

This should show the newly generated tz files in /var/db/zoneinfo/.
Set the time zone and commit the configuration:

    # set system time-zone <your-time-zone>
    # commit

Verify that the time zone change has taken effect:

    # run show system uptime

Configuring a Custom Time Zone

To use a custom time zone, follow these steps:

Download a time zones archive (from a known or designated source) to the router or switch. Compile the time zone archive using the zic time zone compiler, which generates tz files.

Using the CLI, configure the router or switch to enable the use of the generated tz files as follows:

    user@host# set system use-imported-time-zones

    Display the imported time zones (saved in the directory /var/db/zoneinfo/):

    user@host# set system time-zone ?


If you do not configure the router to use imported time zones, the Junos OS default time zones are shown (saved in the directory /usr/share/zoneinfo/).

time-zone
Syntax
time-zone (GMT hour-offset | time-zone);

Description
Set the local time zone. To have the time zone change take effect for all processes running on the router or switch, you must reboot the router or switch.

Default
UTC

Options
GMT hour-offset—Set the time zone relative to UTC time.

Range: –14 through +12

Default: 0

time-zone—Specify the time zone as UTC, which is the default time zone, or as a string such as PDT (Pacific Daylight Time), or use one of the following continents and major cities:

Africa/Abidjan, Africa/Accra, Africa/Addis_Ababa, Africa/Algiers, Africa/Asmera, Africa/Bamako, Africa/Bangui, Africa/Banjul, Africa/Bissau, Africa/Blantyre, Africa/Brazzaville, Africa/Bujumbura, Africa/Cairo, Africa/Casablanca, Africa/Ceuta, Africa/Conakry, Africa/Dakar, Africa/Dar_es_Salaam, Africa/Djibouti, Africa/Douala, Africa/El_Aaiun, Africa/Freetown, Africa/Gaborone, Africa/Harare, Africa/Johannesburg, Africa/Kampala, Africa/Khartoum, Africa/Kigali, Africa/Kinshasa, Africa/Lagos, Africa/Libreville, Africa/Lome, Africa/Luanda, Africa/Lubumbashi, Africa/Lusaka, Africa/Malabo, Africa/Maputo, Africa/Maseru, Africa/Mbabane, Africa/Mogadishu, Africa/Monrovia, Africa/Nairobi, Africa/Ndjamena, Africa/Niamey, Africa/Nouakchott, Africa/Ouagadougou, Africa/Porto-Novo, Africa/Sao_Tome, Africa/Timbuktu, Africa/Tripoli, Africa/Tunis, Africa/WindhoekAmerica/Adak, America/Anchorage, America/Anguilla, America/Antigua, America/Aruba, America/Asuncion, America/Barbados, America/Belize, America/Bogota, America/Boise, America/Buenos_Aires, America/Caracas, America/Catamarca, America/Cayenne, America/Cayman, America/Chicago, America/Cordoba, America/Costa_Rica, America/Cuiaba, America/Curacao, America/Dawson, America/Dawson_Creek, America/Denver, America/Detroit, America/Dominica, America/Edmonton, America/El_Salvador, America/Ensenada, America/Fortaleza, America/Glace_Bay, America/Godthab, America/Goose_Bay, America/Grand_Turk, America/Grenada, America/Guadeloupe, America/Guatemala, America/Guayaquil, America/Guyana, America/Halifax, America/Havana, America/Indiana/Knox, America/Indiana/Marengo, America/Indiana/Vevay, America/Indianapolis, America/Inuvik, America/Iqaluit, America/Jamaica, America/Jujuy, America/Juneau, America/La_Paz, America/Lima, America/Los_Angeles, America/Louisville, America/Maceio, America/Managua, America/Manaus, America/Martinique, America/Mazatlan, America/Mendoza, America/Menominee, America/Mexico_City, America/Miquelon, America/Montevideo, America/Montreal, America/Montserrat, America/Nassau, America/New_York, America/Nipigon, America/Nome, America/Noronha, America/Panama, America/Pangnirtung, America/Paramaribo, America/Phoenix, America/Port-au-Prince, America/Port_of_Spain, America/Porto_Acre, America/Puerto_Rico, America/Rainy_River, America/Rankin_Inlet, America/Regina, America/Rosario, America/Santiago, America/Santo_Domingo, America/Sao_Paulo, America/Scoresbysund, America/Shiprock, America/St_Johns, America/St_Kitts, America/St_Lucia, America/St_Thomas, America/St_Vincent, America/Swift_Current, America/Tegucigalpa, America/Thule, America/Thunder_Bay, America/Tijuana, America/Tortola, America/Vancouver, America/Whitehorse, America/Winnipeg, America/Yakutat, America/YellowknifeAntarctica/Casey, Antarctica/DumontDUrville, Antarctica/Mawson, Antarctica/McMurdo, Antarctica/Palmer, Antarctica/South_PoleArctic/LongyearbyenAsia/Aden, Asia/Alma-Ata, Asia/Amman, Asia/Anadyr, Asia/Aqtau, Asia/Aqtobe, Asia/Ashkhabad, Asia/Baghdad, Asia/Bahrain, Asia/Baku, Asia/Bangkok, Asia/Beirut, Asia/Bishkek, Asia/Brunei, Asia/Calcutta, Asia/Chungking, Asia/Colombo, Asia/Dacca, Asia/Damascus, Asia/Dubai, Asia/Dushanbe, Asia/Gaza, Asia/Harbin, Asia/Hong_Kong, Asia/Irkutsk, Asia/Ishigaki, Asia/Jakarta, Asia/Jayapura, Asia/Jerusalem, Asia/Kabul, Asia/Kamchatka, Asia/Karachi, Asia/Kashgar, Asia/Katmandu, Asia/Krasnoyarsk, Asia/Kuala_Lumpur, Asia/Kuching, Asia/Kuwait, Asia/Macao, Asia/Magadan, Asia/Manila, Asia/Muscat, Asia/Nicosia, Asia/Novosibirsk, Asia/Omsk, Asia/Phnom_Penh, Asia/Pyongyang, Asia/Qatar, Asia/Rangoon, Asia/Riyadh, Asia/Saigon, Asia/Seoul, Asia/Shanghai, Asia/Singapore, Asia/Taipei, Asia/Tashkent, Asia/Tbilisi, Asia/Tehran, Asia/Thimbu, Asia/Tokyo, Asia/Ujung_Pandang, Asia/Ulan_Bator, Asia/Urumqi, Asia/Vientiane, Asia/Vladivostok, Asia/Yakutsk, Asia/Yekaterinburg, Asia/YerevanAtlantic/Azores, Atlantic/Bermuda, Atlantic/Canary, Atlantic/Cape_Verde, Atlantic/Faeroe, Atlantic/Jan_Mayen, Atlantic/Madeira, Atlantic/Reykjavik, Atlantic/South_Georgia, Atlantic/St_Helena, Atlantic/StanleyAustralia/Adelaide, Australia/Brisbane, Australia/Broken_Hill, Australia/Darwin, Australia/Hobart, Australia/Lindeman, Australia/Lord_Howe, Australia/Melbourne, Australia/Perth, Australia/SydneyEurope/Amsterdam, Europe/Andorra, Europe/Athens, Europe/Belfast, Europe/Belgrade, Europe/Berlin, Europe/Bratislava, Europe/Brussels, Europe/Bucharest, Europe/Budapest, Europe/Chisinau, Europe/Copenhagen, Europe/Dublin, Europe/Gibraltar, Europe/Helsinki, Europe/Istanbul, Europe/Kaliningrad, Europe/Kiev, Europe/Lisbon, Europe/Ljubljana, Europe/London, Europe/Luxembourg, Europe/Madrid, Europe/Malta, Europe/Minsk, Europe/Monaco, Europe/Moscow, Europe/Oslo, Europe/Paris, Europe/Prague, Europe/Riga, Europe/Rome, Europe/Samara, Europe/San_Marino, Europe/Sarajevo, Europe/Simferopol, Europe/Skopje, Europe/Sofia, Europe/Stockholm, Europe/Tallinn, Europe/Tirane, Europe/Vaduz, Europe/Vatican, Europe/Vienna, Europe/Vilnius, Europe/Warsaw, Europe/Zagreb, Europe/ZurichIndian/Antananarivo, Indian/Chagos, Indian/Christmas, Indian/Cocos, Indian/Comoro, Indian/Kerguelen, Indian/Mahe, Indian/Maldives, Indian/Mauritius, Indian/Mayotte, Indian/ReunionPacific/Apia, Pacific/Auckland, Pacific/Chatham, Pacific/Easter, Pacific/Efate, Pacific/Enderbury, Pacific/Fakaofo, Pacific/Fiji, Pacific/Funafuti, Pacific/Galapagos, Pacific/Gambier, Pacific/Guadalcanal, Pacific/Guam, Pacific/Honolulu, Pacific/Johnston, Pacific/Kiritimati, Pacific/Kosrae, Pacific/Kwajalein, Pacific/Majuro, Pacific/Marquesas, Pacific/Midway, Pacific/Nauru, Pacific/Niue, Pacific/Norfolk, Pacific/Noumea, Pacific/Pago_Pago, Pacific/Palau, Pacific/Pitcairn, Pacific/Ponape, Pacific/Port_Moresby, Pacific/Rarotonga, Pacific/Saipan, Pacific/Tahiti, Pacific/Tarawa, Pacific/Tongatapu, Pacific/Truk, Pacific/Wake, Pacific/Wallis, Pacific/Yap

MPLS LAYER 3 VPN ON CISCO

How to Configure MPLS Layer 3 VPN?

MPLS operates in the middle of the data link layer (Layer 2) and the network layer (Layer 3) hence it is considered to be a Layer 2.5 protocol. It operates using the protocol called LDP (Label Distribution Protocol) which assigns labels ranging from 16 to 1,048,575 (0-15 reserved and cannot be used in Cisco routers) to IP prefixes/subnets in the routing table. LDP relies on the routing table in order for it to form its LIB (Label Information Base) and LFIB (Label Forwarding Information Base). LSR (Label Switch Routers) are routers in the middle of the Service provider network that uses label to perform routing. LER (Label Edge Routers) are routers that are entry and exit points of the network. They are generally the Provider Edge (PE) routers.

The three general operations of LDP when dealing with labeling packets are PUSH, SWAP and POP. PUSH means that the incoming packet has no label and has to assign a new label to it. SWAP is basically changing the label to a different label. POP on the other hand, is to remove the label. LERs are usually the ones who PUSH labels to packets, LSRs do SWAP of the labels and the penultimate hop routers (Adjacent LSRs to the LERs, in our case Routers R2 and R3) do the POP operation. The feature where LSRs POP labels before it sends out to LERs is called PHP (Penultimate Hop Popping) with Implicit-null.

The LDP router-id needs to be reachable through the global routing table in order for LDP to form neighborship. The router-id election for LDP is the highest IP address of any loopback interface. If no loopback interfaces exist, it will be the highest IP address of any physical interface that is operational.

Configure MPLS LDP in the Service Provider network
R1(config)# int fa0/0
R1(config-if)# mpls ip
R1(config-if)# exit
R1(config)# mpls label ?
protocol Set platform default label distribution protocol
range Label range
R1(config)# mpls label range ?
Minimum label value
R1(config)# mpls label range 1000 1999
% Label range changes will take effect at the next reload.
R1(config)# mpls ldp router-id lo0 force
R2(config)# int fa0/0
R2(config-if)# mpls ip
R2(config-if)# int f0/1
R2(config-if)# mpls ip
R2(config-if)# mpls label range 2000 2999

R3(config)# int fa0/0
R3(config-if)# mpls ip
R3(config-if)# int fa0/1
R3(config-if)# mpls ip
R3(config-if)# mpls label range 3000 3999

R4(config)# int fa0/0
R4(config-if)# mpls ip
R4(config-if)# mpls label range 4000 4999

The command “mpls ip” is required to form LDP neighbors. It is only configured in interfaces that are inside the service provider network. Any interfaces such as loopbacks or those facing the customer are not required to be configured because LDP is not required between customer and PE routers. Though the customer is connected to the MPLS network, it is a common practice for service providers not to make their network visible to the customer.

The “mpls label range” command in the routers sets the number of labels only. I configured it that way so it will be easier to explain later how LDP works. In the example configuration above, the number of labels that can be assigned for each router only amounts to 1000. If the network has more than 1000 prefixes, the rest of the prefixes will not be labeled and will be routed using IP.

The “mpls ldp router-id loopback0 force” command enforces the LDP to use the IP address of Loopback0 as its ID. The “force” keyword will tear down existing LDP sessions and clear all the current bindings and applies the changes to the LDP ID. If “force” is not used, the router will wait until the current interface of the LDP ID goes down before it applies the new LDP ID specified in the command.

The routers have been restarted. Let’s check the LDP neighborship. Let’s use two examples for brevity.

R1#sh mpls ldp neigh
Peer LDP Ident: 2.2.2.2:0; Local LDP Ident 1.1.1.1:0
TCP connection: 2.2.2.2.18805 - 1.1.1.1.646
State: Oper; Msgs sent/rcvd: 46/46; Downstream
Up time: 00:31:24
LDP discovery sources:
FastEthernet0/0, Src IP addr: 12.12.12.2
Addresses bound to peer LDP Ident:
12.12.12.2 2.2.2.2 23.23.23.2

R3#sh mpls ldp neigh
Peer LDP Ident: 2.2.2.2:0; Local LDP Ident 3.3.3.3:0
TCP connection: 2.2.2.2.646 - 3.3.3.3.42778
State: Oper; Msgs sent/rcvd: 67/66; Downstream
Up time: 00:49:52
LDP discovery sources:
FastEthernet0/1, Src IP addr: 23.23.23.2
Addresses bound to peer LDP Ident:
12.12.12.2 2.2.2.2 23.23.23.2
Peer LDP Ident: 4.4.4.4:0; Local LDP Ident 3.3.3.3:0
TCP connection: 4.4.4.4.59644 - 3.3.3.3.646
State: Oper; Msgs sent/rcvd: 67/67; Downstream
Up time: 00:49:51
LDP discovery sources:
FastEthernet0/0, Src IP addr: 34.34.34.4
Addresses bound to peer LDP Ident:
34.34.34.4 4.4.4.4

R1#show mpls forwarding-table
Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
1000 Pop tag 2.2.2.2/32 0 Fa0/0 12.12.12.2
1001 Pop tag 23.23.23.0/24 0 Fa0/0 12.12.12.2
1002 2001 34.34.34.0/24 0 Fa0/0 12.12.12.2
1003 2002 3.3.3.3/32 0 Fa0/0 12.12.12.2
1004 2003 4.4.4.4/32 0 Fa0/0 12.12.12.2

As mentioned, the LDP ID will be the highest loopback IP address that is operational in the router. The LDP routers, before they form an LDP session, elect which router will be active and passive. The router chosen as active will initiate the LDP TCP connection. In our case, R2 initiated a connection using a random number which in this case is 18805, R1 responds back with the port 646, the TCP port that is assigned to LDP. The “Addresses bound to peer LDP Ident:” section specifies that the routes below are directly connected to the LDP neighbor. Directly connected routes to the neighbor by default will not have any label assigned in the LIB (Label Information Base).

The “show mpls forwarding-table” also called the LFIB, shows the actions which LDP will take when it receives a specific label. As you can see, it doesn’t put any labels to directly connected routes of its adjacent LDP neighbor which is R2.

Configure VRF in the Provider Edge (PE) Routers:

VRF (Virtual Routing and Forwarding) is comparable to a VLAN in a switch. VRF is used to create different routing tables that are separated from each other. Since one VRF can’t see what routes are in another VRF, the same IP prefix can exist in different VRFs. However, duplicate IP prefixes will have an issue when it comes to route-leaking between VRFs. 

R1(config)# ip vrf CUST-A
R1(config-vrf)# rd 65002:1
R1(config-vrf)# route
R1(config-vrf)# route-target import 65002:1
R1(config-vrf)# route-target export 65002:1

R4(config)# ip vrf CUST-A
R4(config-vrf)# rd 65002:1
R4(config-vrf)# route-target import 65002:1
R4(config-vrf)# route-target export 65002:1

Let’s apply the VRF into the interface facing the CE (customer edge) router.
R1(config-if)# ip vrf forwarding CUST-A
% Interface FastEthernet0/1 IP address 15.15.15.1 removed due to enabling VRF CUST-A
R1(config-if)# ip address 15.15.15.1 255.255.255.0

R4(config-if)# int fa0/1
R4(config-if)# ip vrf forwarding CUST-A
% Interface FastEthernet0/1 IP address 46.46.46.4 removed due to enabling VRF CUST-A
R4(config-if)# ip address 46.46.46.4 255.255.255.0

The VRF name is locally significant. It is not a transitive attribute that will be shared between routers. In fact, in an MPLS VPN network, as long as the RD (Route Distinguisher) and the RT (Route Target) values are configured correctly but the VRF names are different, the MPLS VPN service will work.

RD is what Multiprotocol BGP uses to distinguish and makes the route unique. The standard telco practice is to assign a unique RD for every customer. RT on the other hand, is an extended BGP community that marks, tags or classifies the prefix. The “export” keyword in the command means that the route will be marked and announced out with that value; “import” means put all the routes with that mark, into the VRF’s routing table specified above the command.

Configure BGP VPNv4 peering between R1 and R4:

VPNv4 is an address-family of Multiprotocol BGP. To explain it simply, VPNv4 is a collection of all routes from different VRFs that were marked with the extended community route-target. This is the address-family where route-leaking can be performed. Route-leaking is simply sharing a route from one VRF to another. Common application for this is, one company wants to connect to another company’s servers and they happen to be connected to the same MPLS provider. 

R1(config)# router bgp 65001
R1(config-router)# address-family vpnv4
R1(config-router-af)# neigh 4.4.4.4 activate

R1#sh run | inc router bgp | address-family vpnv4|neigh
router bgp 65001
bgp log-neighbor-changes
neighbor 4.4.4.4 remote-as 65001
neighbor 4.4.4.4 update-source Loopback0
neighbor 4.4.4.4 activate
neighbor 4.4.4.4 next-hop-self
address-family vpnv4
neighbor 4.4.4.4 activate
neighbor 4.4.4.4 send-community extended

R4(config-if)# router bgp 65001
R4(config-router)# address-family vpnv4
R4(config-router-af)# neigh 1.1.1.1 activate

R4#sh ip bgp vpnv4 all sum
BGP router identifier 4.4.4.4, local AS number 65001
BGP table version is 1, main routing table version 1

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
1.1.1.1 4 65001 116 116 1 0 0 00:01:09 0

In VPNv4 address-family configuration, you simply issue the neighbor statement and the keyword “activate”. The BGP peering configuration needs to be done outside the address-family. The router understands that VPNv4 peering needs to activate extended communities so it automatically configured the statement highlighted above. In regards to the VPNv4 BGP peering, we can’t see any prefixes for now since there is no peering yet between the PE s and CEs.

Configure Peering between PE routers R1 and R4 to customer routers CUST_A-R1 and CUST-A-R2. Announce Loopback 10 and 100 in the CE routers. Verify connectivity.

R1(config)# router bgp 65001
R1(config-router)# address-family vpnv4
R1(config-router-af)# address-family ipv4 vrf CUST-A
R1(config-router-af)# neighbor 15.15.15.5 remote-as 65002
R1(config-router-af)# neighbor 15.15.15.5 activate
R1(config-router-af)# neighbor 15.15.15.5 as-override

CUST_A-R1(config)# router bgp 65002
CUST_A-R1(config-router)# neighbor 15.15.15.1 remote-as 65001
CUST_A-R1(config-router)# network 5.5.5.5 mask 255.255.255.255
CUST_A-R1(config-router)# network 55.55.55.55 mask 255.255.255.255

R4(config)# router bgp 65001
R4(config-router)# address-family ipv4 vrf CUST-A
R4(config-router-af)# neighbor 46.46.46.6 remote-as 65002
R4(config-router-af)# neighbor 46.46.46.6 activate
R4(config-router-af)# neighbor 46.46.46.6 as-override

CUST_A-R2(config)# router bgp 65002
CUST_A-R2(config-router)# network 6.6.6.6 mask 255.255.255.255
CUST_A-R2(config-router)# network 66.66.66.66 mask 255.255.255.255
CUST_A-R2(config-router)# neighbor 46.46.46.4 remote-as 65001

The PE is configured with an “address-family ipv4 vrf” when peering with the CE routers. The “as-override” command replaces the AS of the route to circumvent the BGP loop prevention. BGP loop prevention blocks any route that it receives from an eBGP peer with its own AS (65002 in this case) inside it. The AS for the customer is 65002, but notice the output below, the PE’s replaced the AS to 65001 to enable communication between these two routers with the same AS inside an MPLS cloud. CUST_A-R2 is now able to see the CUST_A-R1 routes but with a different AS. Another way to do this is to configure a neighbor statement with “allowas-in” keyword.

R1#show ip bgp vpnv4 vrf CUST-A
BGP table version is 7, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 65002:1 (default for vrf CUST-A)
*> 5.5.5.5/32 15.15.15.5 0 0 65002 i
*>i6.6.6.6/32 4.4.4.4 0 100 0 65002 i
*> 55.55.55.55/32 15.15.15.5 0 0 65002 i

CUST_A-R2#sh ip bgp
BGP table version is 5, local router ID is 66.66.66.66
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
*> 5.5.5.5/32 46.46.46.4 0 65001 65001 i
*> 6.6.6.6/32 0.0.0.0 0 32768 i
*> 55.55.55.55/32 46.46.46.4 0 65001 65001 i
*> 66.66.66.66/32 0.0.0.0 0 32768 i
Lets check and verify connectivity.
CUST_A-R2#traceroute 55.55.55.55 source l100

Type escape sequence to abort.
Tracing the route to 55.55.55.55

1 46.46.46.4 24 msec 28 msec 20 msec
2 34.34.34.3 88 msec 92 msec 100 msec
3 23.23.23.2 108 msec 92 msec 80 msec
4 15.15.15.1 80 msec 68 msec 72 msec
5 15.15.15.5 88 msec 88 msec 80 msec

As we can see, there is a full reachability between the CE routers but the traceroute shows the path it took inside the service provider core network. This is not an advisable behavior, normally service provider from the customer any information about its core network.

Let’s configure a way to do that.
R1(config)# no mpls ip propagate-ttl
R4(config)# no mpls ip propagate-ttl
Let’s test that again.
CUST_A-R2#traceroute 55.55.55.55 source l100

Type escape sequence to abort.
Tracing the route to 55.55.55.55

1 46.46.46.4 28 msec 16 msec 20 msec
2 15.15.15.1 80 msec 80 msec 80 msec
3 15.15.15.5 108 msec 104 msec 96 msec

Now, the service provider network has been hidden through the “no mpls ip propagate-ttl” command.