November 19, 2017

Juniper BGP: Adjusting Route Preference for a Specific Country

Adjusting BGP preference by country
1. First, use https://ipinfo.io/countries/cn to look up every AS number belonging to the country you want to adjust, then combine those AS numbers into a single country list written as a regular expression:

set policy-options as-path China-AS-Path ".* 4134 |.* 4538 |.* 4611 |.* 4808 |.* 4809 |.* 4812 |.* 4813 |.* 4815 |.* 4816 |.* 4835 |.* 4837 |.* 4847 |.* 4859 |.* 7497 |.* 7549 |.* 7638 |.* 7640 |.* 7641 |.* 9298 |.* 9306 |.* 9308 |.* 9389 |.* 9391 |.* 9394 |.* 9395 |.* 9401 |.* 9535 |.* 9801 |.* 9802 |.* 9803 |.* 9805 |.* 9807 |.* 9808 |.* 9809 |.* 9810 |.* 9811 |.* 9812 |.* 9814 |.* 9929 |.* 9939 |.* 10206 |.* 10212 |.* 17428 |.* 17429 |.* 17430 |.* 17431 |.* 17490 |.* 17621 |.* 17622 |.* 17623 |.* 17633 |.* 17638 |.* 17739 |.* 17775 |.* 17781 |.* 17785 |.* 17799 |.* 17816 |.* 17883 |.* 17897 |.* 17962 |.* 17964 |.* 17966 |.* 17968 |.* 17969 |.* 18011 |.* 18118 |.* 18239 |.* 18241 |.* 18242 |.* 18243 |.* 18244 |.* 18245 |.* 18257 |.* 18344 |.* 23650 |.* 23724 |.* 23771 |.* 23839 |.* 23840 |.* 23841 |.* 23842 |.* 23844 |.* 23848 |.* 23851 |.* 23853 |.* 23910 |.* 23911 |.* 24059 |.* 24133 |.* 24134 |.* 24137 |.* 24138 |.* 24139 |.* 24141 |.* 24143 |.* 24147 |.* 24151 |.* 24311 |.* 24400 |.* 24404 |.* 24406 |.* 24409 |.* 24413 |.* 24414 |.* 24416 |.* 24420 |.* 24422 |.* 24424 |.* 24427 |.* 24428 |.* 24429 |.* 24430 |.* 24444 |.* 24445 |.* 24489 |.* 24490 |.* 24495 |.* 24547 |.* 24575 |.* 37937 |.* 37940 |.* 37941 |.* 37942 |.* 37943 |.* 37957 |.* 37958 |.* 37963 |.* 37965 |.* 37970 |.* 37981 |.* 38019 |.* 38027 |.* 38057 |.* 38238 |.* 38283 |.* 38339 |.* 38340 |.* 38341 |.* 38342 |.* 38345 |.* 38346 |.* 38353 |.* 38357 |.* 38358 |.* 38363 |.* 38364 |.* 38365 |.* 38366 |.* 38367 |.* 38370 |.* 38372 |.* 38375 |.* 38378 |.* 38379 |.* 38380 |.* 38381 |.* 38792 |.* 45057 |.* 45058 |.* 45061 |.* 45062 |.* 45064 |.* 45069 |.* 45070 |.* 45071 |.* 45075 |.* 45079 |.* 45080 |.* 45083 |.* 45084 |.* 45086 |.* 45087 |.* 45090 |.* 45093 |.* 45095 |.* 45100 |.* 45101 |.* 45102 |.* 45110 |.* 45113 |.* 45587 |.* 45888 |.* 55439 |.* 55461 |.* 55468 |.* 55515 |.* 55786 |.* 55956 |.* 55958 |.* 55960 |.* 55963 |.* 55966 |.* 55967 |.* 55971 |.* 55973 |.* 55982 |.* 55986 |.* 55988 |.* 
55990 |.* 55992 |.* 55994 |.* 55996 |.* 55998 |.* 56000 |.* 56001 |.* 56002 |.* 56003 |.* 56005 |.* 56006 |.* 56008 |.* 56012 |.* 56013 |.* 56015 |.* 56019 |.* 56040 |.* 56041 |.* 56042 |.* 56044 |.* 56046 |.* 56047 |.* 56048 |.* 56282 |.* 56292 |.* 58416 |.* 58448 |.* 58461 |.* 58466 |.* 58517 |.* 58518 |.* 58519 |.* 58520 |.* 58536 |.* 58539 |.* 58540 |.* 58541 |.* 58542 |.* 58543 |.* 58563 |.* 58571 |.* 58593 |.* 58741 |.* 58811 |.* 58844 |.* 58845 |.* 58850 |.* 58852 |.* 58854 |.* 58864 |.* 58866 |.* 58879 |.* 58962 |.* 58997 |.* 58998 |.* 59008 |.* 59009 |.* 59010 |.* 59011 |.* 59015 |.* 59019 |.* 59023 |.* 59025 |.* 59028 |.* 59029 |.* 59034 |.* 59037 |.* 59045 |.* 59049 |.* 59050 |.* 59063 |.* 59065 |.* 59067 |.* 59072 |.* 59073 |.* 59074 |.* 59077 |.* 59078 |.* 59083 |.* 59089 |.* 63530 |.* 63531 |.* 63534 |.* 63535 |.* 63540 |.* 63541 |.* 63545 |.* 63548 |.* 63549 |.* 63554 |.* 63555 |.* 63558 |.* 63561 |.* 63570 |.* 63571 |.* 63580 |.* 63582 |.* 63583 |.* 63616 |.* 63617 |.* 63620 |.* 63621 |.* 63631 |.* 63634 |.* 63646 |.* 63655 |.* 63659 |.* 63677 |.* 63678 |.* 63679 |.* 63680 |.* 63689 |.* 63690 |.* 63691 |.* 63696 |.* 63697 |.* 63707 |.* 63711 |.* 63725 |.* 63835 |.* 63838 |.* 131325 |.* 131450 |.* 131477 |.* 131486 |.* 131503 |.* 131519 |.* 131524 |.* 131535 |.* 132058 |.* 132203 |.* 132510 |.* 132525 |.* 132719 |.* 133111 |.* 133118 |.* 133119 |.* 133151 |.* 133194 |.* 133219 |.* 133465 |.* 133475 |.* 133478 |.* 133513 |.* 133514 |.* 133626 |.* 133774 |.* 133775 |.* 133776 |.* 133865 |.* 133952 |.* 134103 |.* 134238 |.* 134417 |.* 134418 |.* 134419 |.* 134420 |.* 134542 |.* 134543 |.* 134755 |.* 134756 |.* 134761 |.* 134762 |.* 134763 |.* 134764 |.* 134765 |.* 134766 |.* 134768 |.* 134769 |.* 134771 |.* 134772 |.* 134810 |.* 135006 |.* 135061 |.* 135357 |.* 135363 |.* 135365 |.* 135577 |.* 135629 |.* 136011 |.* 136180 |.* 136189 |.* 136190 |.* 136390 |.* 136421 |.* 136559 |.* 136758"
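The as-path group above is tedious to hand-edit, so here is an added example (not code from the original post) that builds it from a list of AS numbers in the same regex form and emits it together with a policy-statement that lowers local-preference for matching routes. The policy name "Prefer-Country", the local-preference value 50 and the short sample ASN list are assumptions.

```python
"""Build the Junos as-path group used above from a list of origin AS numbers.

Added example, not code from the original post. It reproduces the regex form
".* 4134 |.* 4538 |..." : each alternative is '.*' (any leading path) followed
by one AS, so a route matches when its origin AS is in the list. Junos regex
terms are whole AS numbers, so 4134 cannot match a substring of 41340.
"""
from typing import Iterable, List

MAX_ASN = 4_294_967_295  # largest 32-bit AS number


def build_as_path_regex(asns: Iterable[int]) -> str:
    """Return the quoted-string body for 'set policy-options as-path NAME'."""
    seen: List[int] = []
    for asn in asns:
        asn = int(asn)
        if not 0 < asn <= MAX_ASN:
            raise ValueError(f"invalid AS number: {asn}")
        if asn not in seen:            # duplicates would only bloat the regex
            seen.append(asn)
    if not seen:
        raise ValueError("empty AS list")
    return " |".join(f".* {asn}" for asn in seen)


def junos_set_commands(name: str, asns: Iterable[int],
                       policy: str = "Prefer-Country",
                       local_pref: int = 50) -> List[str]:
    """Emit the as-path group plus a policy-statement that lowers
    local-preference for matching routes. The policy name and the
    local-preference value are assumptions, not from the original post."""
    regex = build_as_path_regex(asns)
    term = f"set policy-options policy-statement {policy} term match-{name}"
    return [
        f'set policy-options as-path {name} "{regex}"',
        f"{term} from as-path {name}",
        f"{term} then local-preference {local_pref}",
        f"set policy-options policy-statement {policy} term default then accept",
    ]


if __name__ == "__main__":
    # Constructed sample: a few of the ASNs from the post's list, one repeated
    for line in junos_set_commands("China-AS-Path", [4134, 4538, 4611, 4808, 4134]):
        print(line)
```

Apply the generated policy-statement as an import policy on the relevant BGP group; a lower local-preference only changes path selection for prefixes that are also reachable through another path.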

November 2, 2017

Enable SSHv2 on Cisco Router & Switch

Steps to enable SSHv2 on Cisco Router & Switch

1. Define the hostname

2. Configure the domain name

3. Specify the RSA key pair to use for SSH:
R2(config)#ip ssh rsa keypair-name {keypair-name}
By doing so SSH version 1.5 is deactivated

4. For SSH Version 2, the modulus size must be at least 768 bits:
R2(config)#crypto key generate rsa usage-keys label {keypair-name} modulus 768

5. Enable SSH version 2

6. Check the version with "show ip ssh"
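To turn the final check into something repeatable, here is an added example (not from the original post) that parses "show ip ssh" output and flags devices that still report version 1.99, meaning SSHv1 is still negotiable. The sample outputs are constructed to match the common IOS format, not captured from a real device.

```python
"""Audit 'show ip ssh' output for SSHv2-only operation.

Added example, not part of the original post. "version 1.99" means the
device still negotiates SSHv1 as a fallback, so only "version 2.0" passes.
"""
import re
from typing import Dict, List

VERSION_RE = re.compile(r"SSH (Enabled|Disabled) - version ([\d.]+)")
AUTH_RE = re.compile(r"Authentication timeout: (\d+) secs; Authentication retries: (\d+)")


def audit_show_ip_ssh(output: str, max_retries: int = 3) -> Dict[str, object]:
    """Return findings; 'ok' is True only when SSH is enabled, the version is
    exactly 2.0 and the retry limit does not exceed max_retries."""
    findings: List[str] = []
    m = VERSION_RE.search(output)
    if not m:
        return {"ok": False, "findings": ["unrecognised output"], "version": None}
    state, version = m.group(1), m.group(2)
    if state != "Enabled":
        findings.append("SSH is disabled (no RSA key pair generated yet?)")
    if version == "1.99":
        findings.append("version 1.99: SSHv1 fallback still allowed, set 'ip ssh version 2'")
    elif version != "2.0":
        findings.append(f"unexpected SSH version {version}")
    a = AUTH_RE.search(output)
    if a and int(a.group(2)) > max_retries:
        findings.append(f"authentication retries {a.group(2)} exceed {max_retries}")
    return {"ok": not findings, "findings": findings, "version": version}


# Constructed samples (not captured from a real device)
GOOD = "SSH Enabled - version 2.0\nAuthentication timeout: 120 secs; Authentication retries: 3\n"
FALLBACK = "SSH Enabled - version 1.99\nAuthentication timeout: 120 secs; Authentication retries: 5\n"
DISABLED = "SSH Disabled - version 1.99\n"

if __name__ == "__main__":
    for name, out in [("good", GOOD), ("fallback", FALLBACK), ("disabled", DISABLED)]:
        print(name, audit_show_ip_ssh(out))
```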

September 16, 2017

Juniper SRX QoS Configuration (Class of Service)

Key Components
Interface Egress Queues – When a physical interface tries to send more traffic than its bandwidth permits, packets are queued in one of a few numbered queues.

Interface Bandwidth Definition – You should manually define the bandwidth of an interface if it is lower than the line speed. For example, a 1 Gbit/s interface connected to a 200 Mbit/s fibre Ethernet line must be defined as 200 Mbit/s; otherwise the SRX assumes 1 Gbit/s, never sees congestion, and QoS will not work.

Forwarding Classes – These effectively assign a name to a numbered queue, for example assured-forwarding.

Assignment of traffic to a forwarding class – This can be done in a number of ways:
  Classifiers – These look at DSCP, inet-precedence or other marker types to assign ingress traffic to forwarding classes.
  Firewall Rules – Ingress traffic can be matched with firewall filter rules and assigned to forwarding classes.

Drop Profiles – A drop profile defines the probability of packets being dropped when a queue reaches a certain fill level.

Schedulers – These define how the differently queued egress traffic is prioritized.

Scheduler Maps – These link forwarding classes to schedulers.

August 27, 2017

DARTSLIVE-200S Bluetooth Dartboard Unboxing

A new toy I recently brought back from Japan: the DARTSLIVE-200S Bluetooth dartboard.
Playing a few rounds after getting home from work is quite relaxing~~

May 20, 2017

Block Visitors by Country Using Firewall

Use the site below to generate the list for the countries you need; it can output CIDR blocks:
http://www.ip2location.com/free/visitor-blocker
RouterOS users can use the following site instead, which also generates the ACL syntax at the same time:
http://mikrotikconfig.com/

April 3, 2017

RouterOS Port Knocking

RouterOS Port Knocking works similarly to Fail2Ban on Linux; the configuration is as follows:
/ip firewall filter
add action=add-src-to-address-list address-list=drop_scan_ip address-list-timeout=52w1d chain=input comment=ip_scan protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment=drop_scan_ip src-address-list=drop_scan_ip
add action=drop chain=input dst-port=21,22,23,8291 protocol=tcp src-address-list=login_error_ip
add action=add-src-to-address-list address-list=login_error_ip address-list-timeout=1d chain=input connection-state=new dst-port=21,22,23,8291 protocol=tcp src-address-list=ros_service_login5
add action=add-src-to-address-list address-list=ros_service_login5 address-list-timeout=1d30s chain=input connection-state=new dst-port=21,22,23,8291 protocol=tcp src-address-list=ros_service_login4
add action=add-src-to-address-list address-list=ros_service_login4 address-list-timeout=30s chain=input connection-state=new dst-port=21,22,23,8291 protocol=tcp src-address-list=ros_service_login3
add action=add-src-to-address-list address-list=ros_service_login3 address-list-timeout=30s chain=input connection-state=new dst-port=21,22,23,8291 protocol=tcp src-address-list=ros_service_login2
add action=add-src-to-address-list address-list=ros_service_login2 address-list-timeout=30s chain=input connection-state=new dst-port=21,22,23,8291 protocol=tcp src-address-list=ros_service_login1
add action=add-src-to-address-list address-list=ros_service_login1 address-list-timeout=30s chain=input connection-state=new dst-port=21,22,23,8291 protocol=tcp src-address-list=!Lan_ip
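To see how the address-list chain above escalates, here is an added example (not from the original post) that simulates the login-throttling rules against a stream of new TCP connections, using the timeouts from the configuration. It models only the ros_service_login* and login_error_ip rules (the psd port-scan rule is omitted) and uses a constructed address for the Lan_ip list.

```python
"""Simulate the RouterOS login-throttling chain above.

Added example, not from the original post. Each new connection to a watched
port moves the source one level up the chain; the sixth within the timeouts
lands in login_error_ip and the seventh is dropped.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

WATCHED_PORTS = {21, 22, 23, 8291}
LAN_IP = {"192.168.88.10"}        # constructed stand-in for the Lan_ip list
TIMEOUTS = {                      # address-list-timeout values from the config, in seconds
    "ros_service_login1": 30, "ros_service_login2": 30,
    "ros_service_login3": 30, "ros_service_login4": 30,
    "ros_service_login5": 86400 + 30, "login_error_ip": 86400,
}
# (src-address-list, list to add to) in the config's top-down order
CHAIN = [("ros_service_login5", "login_error_ip"),
         ("ros_service_login4", "ros_service_login5"),
         ("ros_service_login3", "ros_service_login4"),
         ("ros_service_login2", "ros_service_login3"),
         ("ros_service_login1", "ros_service_login2")]


class AddressLists:
    def __init__(self) -> None:
        self.expiry: Dict[str, Dict[str, int]] = defaultdict(dict)

    def add(self, name: str, ip: str, now: int) -> None:
        self.expiry[name][ip] = now + TIMEOUTS[name]   # re-adding refreshes the timeout

    def contains(self, name: str, ip: str, now: int) -> bool:
        exp = self.expiry[name].get(ip)
        return exp is not None and exp > now


def process(lists: AddressLists, now: int, src: str, dst_port: int) -> str:
    """Return 'drop' or 'pass' for one new connection (chain=input, tcp)."""
    if dst_port not in WATCHED_PORTS:
        return "pass"
    if lists.contains("login_error_ip", src, now):
        return "drop"
    # add-src-to-address-list does not stop rule processing, but because the
    # chain is ordered 5 -> 1 a single packet climbs only one level
    for src_list, dst_list in CHAIN:
        if lists.contains(src_list, src, now):
            lists.add(dst_list, src, now)
    if src not in LAN_IP:
        lists.add("ros_service_login1", src, now)
    return "pass"


def simulate(events: List[Tuple[int, str, int]]) -> Tuple[List[str], AddressLists]:
    lists = AddressLists()
    return [process(lists, t, ip, p) for t, ip, p in events], lists
```

Because each step is only 30 seconds, a slow attacker that spaces attempts more than 30 seconds apart never escalates; raising those timeouts is the knob to tune.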

March 25, 2017

Automatic F5 Config Backup via SCP

Use a script on a schedule to automatically transfer the config file to the backup host via SCP:
[LABDEMO:Active:In Sync] root # cd /root
[LABDEMO:Active:In Sync] root # vi backup.sh
#!/bin/bash
tmsh save sys ucs Autobackup_Daily_LABDEMO.ucs
scp /var/local/ucs/Autobackup_Daily_LABDEMO.ucs autobackup@192.168.30.100:/home/autobackup/
Set up the schedule to back up twice a day:
[LABDEMO:Active:In Sync] root # vi /etc/crontab
0 8 * * * root (sh /root/backup.sh) > /dev/null
0 20 * * * root (sh /root/backup.sh) > /dev/null

The SCP transfer uses SSH key authentication, so the public key must first be placed on the backup host; see the earlier article:
[LABDEMO:Active:In Sync] root # cat /root/.ssh/authorized_keys
ssh-rsa BBBB3NzaC1yc2EAAAABx7DuEAiXUHI0g4ctB5sN3zljB5JOvhLIgVfEafe9ZUyQXDGD1QdSrXD23QeIts+kWg82IjccRB4sfeDEREDfffPRsOnmUttVGYc0sIGW/wUFq/AXPNusDKL62D= Host Processor Superuser

Once configured, run the script to test whether the backup-succeeded output appears:
[LABDEMO:Active:In Sync] root # sh backup.sh