I feel like I need to move to another home so I can posts more contents with better flexibility. New home https://freenetworktutorials.com is completed.
++ My Network Bio ++
my publication of my life as Network Engineer ...
Saturday, 26 December 2020
Best Security Practices for Remote Access (Secure Shell) in Cisco and Juniper Devices
1. Remote access should be via SSH only, with Telnet disabled
IOS-XR:
no telnet ipv4 server
Nexus OS:
no feature telnet
feature ssh
feature tacacs+
JunOS:
delete system services telnet
2. SSH should be version 2 (or later). Do not run version 1.
IOS-XR:
ssh server v2
ssh server vrf management
Nexus OS:
ssh server v2
ssh server vrf management
ssh timeout 60
JunOS:
set system services ssh protocol-version v2
3. Configure SSH logging
IOS-XR:
ssh server logging
4. Configure Login Banner
IOS-XR:
banner login ^C
^C
Nexus OS:
banner motd ^
^
JunOS:
set system login message
"\n*************************************************************************\n
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED\n\nYou must have
explicit, authorized permission to access or configure this
\ndevice.Unauthorized attempts and actions to access or use this system
may \nresult in civil and/or criminal penalties.\nAll activities
performed on this device are logged and
monitored.\n\n*************************************************************************\n\n"
For more information, see https://mynetworkbio.blogspot.com/2020/06/configuring-banner-or-login-message-in.html
5. Configure timestamps, login authentication, exec and session timeouts, SSH-only transport input with an ACL that permits only authorized source IPs, and a local secret password as a fallback in case TACACS/RADIUS is unreachable
IOS-XR:
line default
 secret 5 $1$dAr.$win1P9yOuG1CSvO6v8tAL4
 login authentication default
 timestamp
 exec-timeout 5 0
 access-class ingress SSH-ACCESS
 session-timeout 5
 transport input ssh
ipv4 access-list SSH-ACCESS
 10 permit tcp host 192.168.1.100 any eq ssh
 20 permit tcp host 192.168.1.101 any eq ssh
 30 deny ipv4 any any log
Nexus OS:
interface mgmt0
  ip access-group SSH-ACCESS in
  vrf member management
  ip address 192.168.10.100/24
ip access-list SSH-ACCESS
  10 permit tcp 192.168.1.100/32 any eq 22
  20 permit tcp 192.168.1.101/32 any eq 22
  30 deny ip any any log
line vty
  exec-timeout 5
  access-class SSH-ACCESS in
6. SSH inactivity timeout should be configured
IOS-XR:
ssh timeout 60
7. Enforce 2FA (two-factor authentication) and configure centralized AAA. Complex passwords/passphrases should be enforced on the TACACS/RADIUS servers.
IOS-XR:
aaa authorization exec default group TACACS group tacacs+ none
aaa authorization commands default group TACACS group tacacs+ none
aaa authorization eventmanager default group tacacs+
aaa authentication login default group TACACS group tacacs+ local
aaa group server tacacs+ TACACS
 vrf management
 server-private 192.168.1.111 port 49
  key 7 143413081E1E0B203F3F213A
Nexus OS:
aaa authentication login default group tacacs
aaa authentication login console group tacacs
aaa authorization config-commands default group tacacs local
aaa authorization commands default group tacacs local
aaa accounting default group tacacs
tacacs+ distribute
ip tacacs source-interface mgmt0
tacacs-server host 192.168.1.111 key 7 "enc_ryptedkey"
tacacs+ commit
JunOS:
set system authentication-order tacplus
set system tacplus-server 192.168.1.111 routing-instance mgmt_junos
set system tacplus-server 192.168.1.111 secret "$9$Gq.5WLGi.56/veLHvYJZjkmTGDLN4oWLXV"
set system tacplus-server 192.168.1.111 timeout 30
set system tacplus-server 192.168.1.111 single-connection
set system tacplus-server 192.168.1.111 source-address 192.168.1.2
set system accounting destination tacplus server 192.168.1.111 secret "$9$-4dHm8XUGiqPQT/9M8Xxb2Z2aZGi.mT"
set system accounting destination tacplus server 192.168.1.111 single-connection
set system accounting destination tacplus server 192.168.1.111 source-address 192.168.1.2
For more information, see https://mynetworkbio.blogspot.com/2019/08/tacacs-aaa-configuration-in-juniper-and.html
8. Restrict SSH to the management plane (control-plane protection) where the platform supports it
IOS-XR:
control-plane
 management-plane
  out-of-band
   interface MgmtEth0/RP0/CPU0/0
    allow SSH peer
     address ipv4 192.168.1.100
     address ipv4 192.168.1.101
JunOS:
set firewall family inet filter IPv4-PROTECT-RE term SSH from source-prefix-list ALLOWED-IP
set firewall family inet filter IPv4-PROTECT-RE term SSH from protocol tcp
set firewall family inet filter IPv4-PROTECT-RE term SSH from port ssh
set firewall family inet filter IPv4-PROTECT-RE term SSH then count SSH
set firewall family inet filter IPv4-PROTECT-RE term SSH then accept
set policy-options prefix-list ALLOWED-IP 192.168.1.100/32
set policy-options prefix-list ALLOWED-IP 192.168.1.101/32
Sample IS-IS Configuration in Cisco IOS-XR, IOS and Nexus OS
IOS-XR
Configure Loopback
interface Loopback0
 ipv4 address 172.16.2.1 255.255.255.255
 ipv6 address fdfe:abcd:ef12:0:172:16:2:1/128
 ipv6 enable
Configure P2P IP
interface Gi0/0/0/0
 description Connection to IOS Fa0/0
 ipv4 address 172.17.0.1 255.255.255.252
 ipv4 verify unicast source reachable-via any
 ipv4 unreachables disable
 ipv6 nd suppress-ra
 ipv6 verify unicast source reachable-via any
 ipv6 address fdfe:ab12:cd34:a00:1::/127
 ipv6 enable
 ipv6 unreachables disable
 load-interval 30
 dampening
interface Gi0/0/0/1
 description Connection to NX-OS E1/1
 ipv4 address 172.18.0.1 255.255.255.252
 ipv4 verify unicast source reachable-via any
 ipv4 unreachables disable
 ipv6 nd suppress-ra
 ipv6 verify unicast source reachable-via any
 ipv6 address fdfe:ab12:cd34:a00:2::/127
 ipv6 enable
 ipv6 unreachables disable
 load-interval 30
 dampening
Configure IS-IS
router isis ABC
 is-type level-2-only
 net 49.0000.1720.1600.2001.00
 nsf ietf
 log adjacency changes
 address-family ipv4 unicast
  metric-style wide
  maximum-paths 8
 address-family ipv6 unicast
  metric-style wide
  maximum-paths 8
 interface Loopback0
  passive
  address-family ipv4 unicast
  address-family ipv6 unicast
 interface Gi0/0/0/0
  point-to-point
  address-family ipv4 unicast
  address-family ipv6 unicast
 interface Gi0/0/0/1
  point-to-point
  address-family ipv4 unicast
  address-family ipv6 unicast
IOS
Configure Loopback
interface Loopback0
 ip address 172.16.2.2 255.255.255.255
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ipv6 address fdfe:abcd:ef12:0:172:16:2:2/128
 ipv6 enable
 no ipv6 redirects
Configure P2P IP
interface Fa0/0
 description Connection to IOS-XR Gi0/0/0/0
 dampening
 ip address 172.17.0.2 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip router isis ABC
 load-interval 30
 ipv6 address fdfe:ab12:cd34:a00:1::1/127
 ipv6 enable
 ipv6 nd ra suppress
 no ipv6 redirects
 ipv6 router isis ABC
Configure IS-IS
router isis ABC
 net 49.0000.1720.1600.2002.00
 metric-style wide
 set-overload-bit on-startup 20
 log-adjacency-changes
 nsf ietf
 passive-interface default
 no passive-interface Fa0/0
 address-family ipv6
  multi-topology
 exit-address-family
NX-OS
Configure P2P IP
interface Eth1/1
  description Connection to IOS-XR Gi0/0/0/1
  no cdp enable
  no ip redirects
  ip address 172.18.0.2/30
  ip verify unicast source reachable-via any rx
  ipv6 address fdfe:ab12:cd34:a00:2::1/127
  ipv6 verify unicast source reachable-via rx
  no ipv6 redirects
  ip router isis ABC
  ipv6 router isis ABC
  isis network point-to-point
  no isis passive-interface level-2
  no shutdown
router isis ABC
  net 49.0000.1720.1600.2003.00
  is-type level-2
  metric-style transition
  set-overload-bit on-startup 20
  log-adjacency-changes
  address-family ipv4 unicast
  address-family ipv6 unicast
    multi-topology transition
  passive-interface default level-2
VERIFICATION
IOS-XR:
RP/0/RP0/CPU0:IOS-XR#show isis adjacency | i IOS
Wed Dec 23 14:22:14.273 SST
IOS Gi0/0/0/0 *PtoP* Up 27 1y07w Yes Up Up
NX-OS Gi0/0/0/1 *PtoP* Up 27 1y06w Yes Up Up
IOS:
IOS#show isis neighbors
Tag ABC:
System Id Type Interface IP Address State Holdtime Circuit Id
IOS-XR L2 Te0/3/0 172.17.0.2 UP 28 00
NX-OS:
NX-OS# show isis adjacency
IS-IS process: ABC VRF: default
IS-IS adjacency database:
Legend: '!': No AF level connectivity in given topology
System ID SNPA Level State Hold Time Interface
IOS-XR N/A 2 UP 00:00:22 Ethernet1/1
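The system IDs in the NETs above (1720.1600.2001 under loopback 172.16.2.1, 1720.1600.2002 under 172.16.2.2) match the common convention of zero-padding each loopback octet to three digits and regrouping the digits; that this is how the author chose them is an assumption. The Python below, added here and not part of the original post, derives and parses NETs that way and also flags duplicate system IDs across a set of routers, a check the post does not cover.

```python
import ipaddress

# The three NETs configured above (IOS-XR, IOS, NX-OS), taken from the post.
PAGE_NETS = ["49.0000.1720.1600.2001.00", "49.0000.1720.1600.2002.00",
             "49.0000.1720.1600.2003.00"]

def system_id_from_ipv4(addr):
    """172.16.2.1 -> '1720.1600.2001': zero-pad each octet to three digits
    (172016002001) and regroup the 12 digits into three 4-digit words."""
    digits = "".join(f"{o:03d}" for o in ipaddress.IPv4Address(addr).packed)
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))

def net_from_ipv4(addr, area="49.0000"):
    """Build the full NET as <area>.<system-id>.00 (NSEL 00 = the router itself)."""
    return f"{area}.{system_id_from_ipv4(addr)}.00"

def ipv4_from_system_id(system_id):
    """Inverse of system_id_from_ipv4 for IDs built by that convention."""
    digits = system_id.replace(".", "")
    if len(digits) != 12 or not digits.isdigit():
        raise ValueError(f"system ID {system_id} is not a 12-digit decimal encoding")
    octets = [int(digits[i:i + 3]) for i in range(0, 12, 3)]
    return str(ipaddress.IPv4Address(".".join(map(str, octets))))  # rejects >255

def parse_net(net):
    """Split a NET into (area, system_id, nsel), validating the hex layout."""
    parts = net.lower().split(".")
    body = parts[1:-1]
    if (len(parts) < 5 or len(parts[0]) != 2 or parts[-1] != "00"
            or any(len(p) != 4 or set(p) - set("0123456789abcdef") for p in body)):
        raise ValueError(f"malformed NET: {net}")
    return ".".join(parts[:-4]), ".".join(parts[-4:-1]), parts[-1]

def duplicate_system_ids(nets):
    """System IDs shared by more than one NET: two routers with the same
    system ID overwrite each other's LSPs and cause LSP churn."""
    counts = {}
    for net in nets:
        sysid = parse_net(net)[1]
        counts[sysid] = counts.get(sysid, 0) + 1
    return sorted(s for s, n in counts.items() if n > 1)
```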
Wednesday, 16 December 2020
Troubleshooting (Debugging) BGP in Juniper using Traceoptions
The "traceoptions" statement in JunOS lets you debug BGP protocol issues. If a BGP peering will not establish, you can set "traceoptions" to learn more about the cause.
1. Configure "traceoptions" and name the log file debug-bgp
set protocols bgp group BGP-GROUP1 traceoptions file debug-bgp
set protocols bgp group BGP-GROUP1 traceoptions file size 1m
set protocols bgp group BGP-GROUP1 traceoptions file files 2
set protocols bgp group BGP-GROUP1 traceoptions flag all
commit
where:
max trace file size = 1m
max trace files = 2
flag all = trace everything
It will look something like this:
user1@QFX-re0> show configuration protocols bgp group BGP-GROUP1
type external;
traceoptions {
    file debug-bgp size 1m files 2;
    flag all;
}
2. Confirm that the trace file was created
user1@QFX-re0> file list /var/log/debug-bgp
/var/log/debug-bgp
3. View the contents
user1@QFX-re0> file show /var/log/debug-bgp
Dec 16 13:37:36 trace_on: Tracing to "/var/log/debug-bgp" started
Friday, 11 December 2020
IPv4 and IPv6 Static Route Configuration in Juniper
Configuration:
IPv4:
Route the block (1.1.1.0/24) to next hop 2.2.2.1 with metric 255
user@MX-re0> configure
#set routing-options static route 1.1.1.0/24 next-hop 2.2.2.1
#set routing-options static route 1.1.1.0/24 metric 255
Optional: Set a comment using the annotate command
#edit routing-options static
#annotate route 1.1.1.0/24 "/* STATIC ROUTE IPv4*/"
Commit
#commit
It will look something like this:
user@MX-re0> show configuration routing-options static
/* STATIC ROUTE IPv4 */
route 1.1.1.0/24 {
    next-hop 2.2.2.1;
    metric 255;
}
IPv6:
Route the block 2000:2000:2000::/56 to next hop 2006:3006:1:234:5:6:78:90ab with metric 255
user@MX-re0> configure
#set routing-options rib inet6.0 static route 2000:2000:2000::/56 next-hop 2006:3006:1:234:5:6:78:90ab
#set routing-options rib inet6.0 static route 2000:2000:2000::/56 metric 255
Optional: Set a comment using the annotate command
#edit routing-options rib inet6.0 static
#annotate route 2000:2000:2000::/56 "/* STATIC ROUTE IPv6*/"
It will look something like this:
user@MX-re0> show configuration routing-options rib inet6.0
/* STATIC ROUTE IPv6 */
route 2000:2000:2000::/56 {
    next-hop 2006:3006:1:234:5:6:78:90ab;
    metric 255;
}
Verification:
user@MX-re0> show route table inet.0 | match static
1.1.1.0/24 *[Static/5] 03:05:57, metric 255
user@MX-re0> show route table inet6.0 | match static
2000:2000:2000::/56*[Static/5] 00:59:37, metric 255
Thursday, 1 October 2020
Resetting ASR9000 Network Processor(NP)
The NP (network processor) is the component on ASR9000 line cards that handles feature processing of packets as they pass through the system.
Sample line card: ASR9K MOD160
RP/0/RSP0/CPU0:ASR9000# show controller np ports all location 0/1/cpu0
Node: 0/0/CPU0:
----------------------------------------------------------------
NP Bridge Fia Ports
-- ------ --- ---------------------------------------------------
0 -- 0 TenGigE0/0/0/0 - TenGigE0/0/0/1, TenGigE0/0/0/4 - TenGigE0/0/0/5
NP1 is down.
2 -- 2 TenGigE0/0/1/0 - TenGigE0/0/1/1, TenGigE0/0/1/4 - TenGigE0/0/1/5
3 -- 3 TenGigE0/0/1/2 - TenGigE0/0/1/3, TenGigE0/0/1/6 - TenGigE0/0/1/7
To reset NP1:
run attach 0/0/cpu0
show_np -e 1 -d fast_reset