Key Components
Interface Egress Queues – When a physical interface tries to send more traffic than its bandwidth permits, packets are queued in one of a few different numbered queues
Interface Bandwidth Definition – You should manually define the bandwidth of an interface if it is lower than the line speed. For example, a 1 Gbit interface connected to a 200 Mbit fibre Ethernet line needs to be defined as 200 Mbit; otherwise the device assumes 1 Gbit and QoS will not work
Forwarding Classes – These effectively assign a name to a numbered queue, for example assured-forwarding
Assignment of traffic to a forwarding class – This can be done in a number of ways:
Classifiers – These observe DSCP, Inet Precedence or other marker types to assign ingress traffic to forwarding classes
Firewall Rules – Ingress traffic can be matched with firewall rules and assigned to forwarding classes
Drop Profiles – A drop profile defines the probability of packets being dropped when a queue reaches a certain size
Schedulers – These define how differently queued egress traffic is prioritized
Scheduler Maps – These link forwarding classes to schedulers
16 September 2017
Block Visitors by Country Using Firewall
Use the site below to generate the address ranges for the required countries; output in CIDR form is available.
http://www.ip2location.com/free/visitor-blocker
RouterOS users can use this other site instead, which also generates the ACL syntax at the same time.
http://mikrotikconfig.com/
3 April 2017
RouterOS Port Knocking
RouterOS Port Knocking works much like Fail2Ban on Linux; the configuration is as follows
/ip firewall filter
add action=add-src-to-address-list address-list=drop_scan_ip address-list-timeout=52w1d chain=input comment=ip_scan protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment=drop_scan_ip src-address-list=drop_scan_ip
add action=drop chain=input dst-port=21,22,23,8291 protocol=tcp src-address-list=login_error_ip
add action=add-src-to-address-list address-list=login_error_ip address-list-timeout=1d chain=input connection-state=new dst-port=21,22,23,8291 protocol=tcp src-address-list=ros_service_login5
add action=add-src-to-address-list address-list=ros_service_login5 address-list-timeout=1d30s chain=input connection-state=new dst-port=21,22,23,8291 protocol=tcp src-address-list=ros_service_login4
add action=add-src-to-address-list address-list=ros_service_login4 address-list-timeout=30s chain=input connection-state=new dst-port=21,22,23,8291 protocol=tcp src-address-list=ros_service_login3
add action=add-src-to-address-list address-list=ros_service_login3 address-list-timeout=30s chain=input connection-state=new dst-port=21,22,23,8291 protocol=tcp src-address-list=ros_service_login2
add action=add-src-to-address-list address-list=ros_service_login2 address-list-timeout=30s chain=input connection-state=new dst-port=21,22,23,8291 protocol=tcp src-address-list=ros_service_login1
add action=add-src-to-address-list address-list=ros_service_login1 address-list-timeout=30s chain=input connection-state=new dst-port=21,22,23,8291 protocol=tcp src-address-list=!Lan_ip
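As an added example (not part of the original post), the following Python model simulates the address-list cascade above to show how the rule order and the 30 s per-stage timeouts turn rapid repeated new connections into a one-day block. The client addresses and the Lan_ip membership flag are constructed test data.

```python
"""Simulation of the RouterOS input-chain rules above (added example, not the
original post's code). Address lists hold IP -> expiry time, in seconds."""

# Dynamic address-list timeouts taken from the rules (30s, 1d30s, 1d).
TIMEOUT = {
    "ros_service_login1": 30, "ros_service_login2": 30, "ros_service_login3": 30,
    "ros_service_login4": 30, "ros_service_login5": 86430, "login_error_ip": 86400,
}

# (source list that must match, list the source is added to), in rule order.
# None stands for the final rule's "src-address-list=!Lan_ip" match.
CASCADE = [
    ("ros_service_login5", "login_error_ip"),
    ("ros_service_login4", "ros_service_login5"),
    ("ros_service_login3", "ros_service_login4"),
    ("ros_service_login2", "ros_service_login3"),
    ("ros_service_login1", "ros_service_login2"),
    (None, "ros_service_login1"),
]


class InputChain:
    """Minimal model of the input chain for new TCP connections to 21/22/23/8291."""

    def __init__(self):
        self.lists = {name: {} for name in TIMEOUT}

    def listed(self, name, ip, now):
        """True while the dynamic entry for ip in list `name` has not timed out."""
        return ip in self.lists[name] and self.lists[name][ip] > now

    def new_connection(self, ip, now, lan=False):
        """Return the verdict ('accept' or 'drop') for one new connection at time now."""
        if self.listed("login_error_ip", ip, now):   # the drop rule is evaluated first
            return "drop"
        # add-src-to-address-list is a passthrough action, so every matching rule
        # fires; checking login5 before login1 means one packet advances one stage.
        for src, dst in CASCADE:
            if (src is None and not lan) or (src is not None and self.listed(src, ip, now)):
                self.lists[dst][ip] = now + TIMEOUT[dst]
        return "accept"


def run(events):
    """events: list of (time, ip, is_lan); returns the verdict for each event in order."""
    chain = InputChain()
    return [chain.new_connection(ip, t, lan) for t, ip, lan in events]
```

Six new connections within 30 s of each other are still accepted, the seventh is dropped, and because the login5 entry outlives the login_error_ip entry by 30 s, a retry immediately after the one-day block expires re-blocks the source.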
25 March 2017
Automatic SCP backup of the config on F5 devices
A script, run on a schedule, sends the config file to the backup host over SCP
[LABDEMO:Active:In Sync] root # cd /root
[LABDEMO:Active:In Sync] root # vi backup.sh
#!/bin/bash
tmsh save sys ucs Autobackup_Daily_LABDEMO.ucs
scp /var/local/ucs/Autobackup_Daily_LABDEMO.ucs autobackup@192.168.30.100:/home/autobackup/
Set up the schedule, backing up twice a day
[LABDEMO:Active:In Sync] root # vi /etc/crontab
0 8 * * * root (sh /root/backup.sh) > /dev/null
0 20 * * * root (sh /root/backup.sh) > /dev/null
The SCP transfer uses SSH key authentication, so the public key must first be placed on the backup host; see the earlier article
[LABDEMO:Active:In Sync] root # cat /root/.ssh/authorized_keys
ssh-rsa BBBB3NzaC1yc2EAAAABx7DuEAiXUHI0g4ctB5sN3zljB5JOvhLIgVfEafe9ZUyQXDGD1QdSrXD23QeIts+kWg82IjccRB4sfeDEREDfffPRsOnmUttVGYc0sIGW/wUFq/AXPNusDKL62D= Host Processor Superuser
Once configured, run the script to test whether the backup-success output appears
[LABDEMO:Active:In Sync] root # sh backup.sh
20 November 2016
Cisco Troubleshooting Command
terminal length 0
sh run
sh ver
sh vtp status
sh vtp password
sh vlan
sh int status
sh int description
sh ip int bri
sh spanning-tree
sh spanning-tree sum
sh spanning-tree root
sh cdp neighbors
sh cdp entry * protocol
sh cdp neighbors detail
sh lldp
30 September 2016