Hi All,
Very simple local URL filtering using CBAC:
ip inspect name SDM_LOW http urlfilter
ip urlfilter allow-mode on
ip urlfilter exclusive-domain deny .bypassthat.com
ip urlfilter exclusive-domain deny .megaupload.com
ip urlfilter exclusive-domain deny .facebook.com
interface fastethernet0/0
description *** Connected to Outside ***
ip inspect SDM_LOW out
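To see how the deny entries above are applied, here is a small model of the local exclusive-domain decision. This is an added example, not IOS code or the author's; the policy text is copied from the post, the host names used to exercise it are constructed, and two points are this model's assumptions: that a partial name with a leading dot (.facebook.com) covers the domain itself plus all of its sub-domains, and that, with no external URL-filter server configured as in the post, a host that matches no local entry falls through to the allow-mode setting.

```python
"""Model of how the 'ip urlfilter exclusive-domain' entries decide a
request. Added example, not IOS code; the policy text is copied from
the post, the host names in the test are constructed."""

# Copied from the post's configuration (only the urlfilter lines).
CONFIG = """\
ip urlfilter allow-mode on
ip urlfilter exclusive-domain deny .bypassthat.com
ip urlfilter exclusive-domain deny .megaupload.com
ip urlfilter exclusive-domain deny .facebook.com
"""


def load_policy(config):
    """Return (allow_mode, entries) where entries is a list of
    (action, domain-pattern) pairs in configuration order."""
    allow_mode = False
    entries = []
    for line in config.splitlines():
        parts = line.split()
        if parts[:3] == ["ip", "urlfilter", "allow-mode"]:
            allow_mode = parts[3] == "on"
        elif parts[:3] == ["ip", "urlfilter", "exclusive-domain"]:
            entries.append((parts[3], parts[4].lower()))
    return allow_mode, entries


def match_domain(host, pattern):
    """A pattern with a leading dot covers the domain itself and every
    sub-domain (assumed semantics for the partial-domain form); a
    pattern without the dot must equal the host exactly."""
    host = host.lower().rstrip(".")
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def decide(host, allow_mode, entries):
    """The local exclusive-domain list is consulted first. A host that
    matches no entry would normally be sent to the external URL-filter
    server; with no server configured (as in the post) that lookup
    cannot succeed, and allow-mode decides: on = permit, off = deny
    (assumption of this model)."""
    for action, pattern in entries:
        if match_domain(host, pattern):
            return action
    return "permit" if allow_mode else "deny"


def audit(hosts, config=CONFIG):
    """Evaluate a batch of requested host names against the policy."""
    allow_mode, entries = load_policy(config)
    return {h: decide(h, allow_mode, entries) for h in hosts}
```

Note that CBAC HTTP inspection only sees the host name inside plain HTTP requests on the inspected interface; a TLS session to the same site carries no cleartext Host header for the filter to match, so the list above is a convenience filter, not a hard block.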
Friday, May 11, 2012
Thursday, May 10, 2012
Slow HTTP download.
Hi All,
I ran into a problem whereby, if I enable specific HTTP inspection, my HTTP download speed starts fast > slower > stop..... In other words, none of the downloads succeed. I was puzzling over what the problem could be. Changed my router, changed my load balancer. No improvement.
I ended up reconfiguring my router. And then.... with the initial configuration (interface IP, routing, NAT, access-list).. I tried the download again... booomm.. successful. Constant download speed. Then I applied my inspection rule and tried the download again, and the earlier problem came up again. The problem was caused by the specific HTTP inspection command, and I replaced it with just common protocol inspection (TCP, UDP, ICMP, ISAKMP).. and the problem was SOLVED....
So watch out, guys, if you have a similar problem; the best way is to move forward to Zone-Based Firewall policy...
Wednesday, May 9, 2012
ISP Link Failover
Hi all,
Some of you may wonder how to fail over an ISP link when one link fails and the other is still active.
For example, you have two ISP links: one T1 and one DSL. You may not want to load-balance between the two, since they offer different SLAs and performance. The typical design is active/passive: the primary T1 link is active and the DSL link sits idle, used only if the T1 link fails.
We can achieve this with IP SLA and object tracking. Remember that the IP SLA commands vary depending on which IOS version you are running.
ip sla 1 # Define SLA number 1
icmp-echo 8.8.8.8 source-interface Serial0/0/0 # Define which IP to ping to detect whether the T1 is up
timeout 3000 # Maximum time to wait for the reply, in ms
frequency 10 # How often to send the ping request, in seconds
ip sla schedule 1 life forever start-time now # Start SLA 1 now and run it forever
ip route 8.8.8.8 255.255.255.255 Serial0/0/0 # Very important: pins the probe to the T1 link, otherwise it can cause link flapping
track 1 ip sla 1 reachability # Create track 1 to track SLA 1
Now the routing part. Normally you would have two default routes:
ip route 0.0.0.0 0.0.0.0 ser0/0/0
ip route 0.0.0.0 0.0.0.0 DSL_Interface
We are now tracking the T1 link, so apply the track to the default route on the T1 link, and make the backup DSL route a floating static route by giving it a higher administrative distance (the 200 below):
ip route 0.0.0.0 0.0.0.0 ser0/0/0 track 1
ip route 0.0.0.0 0.0.0.0 DSL_Interface 200
With this, the routing table shows only the T1 default route until IP SLA 1 fails to get a reply from 8.8.8.8 within 3000 ms. That changes track 1 to DOWN, which removes the T1 default route from the routing table, and the DSL route takes over.
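The host route for 8.8.8.8 is the part people most often leave out, so here is a small model of the static routing table and the track object that shows what happens with and without it. This is an added example, not IOS code or the author's; it keeps the post's interface names (with DSL_Interface as the post's placeholder), ignores the real IOS track delay timers, and treats one SLA cycle as "the reply arrives only if the link the probe leaves on is up".

```python
"""Model of IOS static routes + object tracking, to show why the probe
to 8.8.8.8 must be pinned to the T1 with a /32 static route. Added
example, not IOS code; interface names follow the post, with
DSL_Interface kept as the post's placeholder."""
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass
class StaticRoute:
    prefix: ipaddress.IPv4Network
    interface: str
    distance: int = 1            # administrative distance, IOS default for static
    track: Optional[int] = None  # route is installed only while this track is UP


class Router:
    def __init__(self, routes, link_up):
        self.routes = routes
        self.link_up = dict(link_up)  # interface -> is the far end reachable?
        self.track = {1: True}        # track 1 starts UP

    def egress(self, dst):
        """Longest prefix wins; among equal prefixes the lowest AD wins.
        Routes whose track is DOWN are not in the table at all."""
        dst = ipaddress.IPv4Address(dst)
        cands = [r for r in self.routes
                 if dst in r.prefix and (r.track is None or self.track[r.track])]
        if not cands:
            return None
        return max(cands, key=lambda r: (r.prefix.prefixlen, -r.distance)).interface

    def sla_cycle(self):
        """One icmp-echo cycle: the reply arrives only if the link the
        probe leaves on is up. The result becomes the new track state."""
        iface = self.egress("8.8.8.8")
        self.track[1] = iface is not None and self.link_up[iface]
        return self.egress("203.0.113.10")  # where Internet traffic goes now


def simulate(pin_probe, cycles=6):
    """Return the default-route egress after each SLA cycle, one cycle
    before the T1 fails and `cycles` cycles after. pin_probe adds the
    /32 route from the post."""
    routes = [
        StaticRoute(ipaddress.IPv4Network("0.0.0.0/0"), "Serial0/0/0", 1, track=1),
        StaticRoute(ipaddress.IPv4Network("0.0.0.0/0"), "DSL_Interface", 200),
    ]
    if pin_probe:
        routes.append(StaticRoute(ipaddress.IPv4Network("8.8.8.8/32"), "Serial0/0/0"))
    r = Router(routes, {"Serial0/0/0": True, "DSL_Interface": True})
    history = [r.sla_cycle()]          # steady state with the T1 up
    r.link_up["Serial0/0/0"] = False   # T1 fails
    history += [r.sla_cycle() for _ in range(cycles)]
    return history


if __name__ == "__main__":
    print("pinned:  ", simulate(True))
    print("unpinned:", simulate(False))
```

With the /32 route the probe keeps leaving on the dead T1, the track stays DOWN and traffic stays on DSL. Without it, the first failure moves the default route to DSL, the next probe succeeds over DSL, the track comes back UP, the T1 route is reinstalled, the next probe fails again, and the default route flaps on every cycle.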
Auto configuration backup to FTP
Hi all, below is a guide for automatic configuration backup to FTP using a Kron policy.
archive
log config
hidekeys
path ftp://x.x.x.x/router_show_run
!
ip ftp username "ftp_username"
ip ftp password "ftp_password"
!
kron policy-list Backup_config # Define the Kron policy
cli archive config # Tell the Kron policy what to do; here it runs the command archive config
!
kron occurrence Every_week at 14:32 Fri recurring # Define when to run the Kron policy
policy-list Backup_config # Define which policy the occurrence runs
!
Make sure the router is synchronized with an NTP server and its clock is running correctly.
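Once the weekly archives land on the FTP server, the useful thing to do with them is to compare consecutive copies and flag changes that matter. The script below does that. It is an added example, not IOS or the author's code; both backups in it are constructed samples written in the style of the configs on this page, not real archives, and the SENSITIVE pattern list is this example's own. Note also that the archive is sent over plain FTP, so the ip ftp username/password lines above travel in cleartext on the path to x.x.x.x.

```python
"""Compare two consecutive archived running-configs and report what
changed, flagging security-relevant statements. Added example, not
IOS or the author's code; both backups below are constructed samples
in the style of the configs on this page, not real archives."""
import difflib
import re

# Statements whose appearance or disappearance deserves a closer look.
# Constructed list; extend it for your own environment.
SENSITIVE = [re.compile(p) for p in (
    r"^\s*(username|enable (secret|password))\b",
    r"^\s*ip http (secure-)?server\b",
    r"^\s*(snmp-server community|crypto isakmp key)\b",
    r"^\s*ip (inspect|urlfilter)\b",
    r"^\s*(kron|archive)\b",
)]

# Constructed samples: the backup taken one week, and the one after it.
BACKUP_WEEK1 = """\
!
hostname Edge1
!
ip ftp username ftp_username
!
interface FastEthernet0/0
 description *** Connected to Outside ***
 ip inspect SDM_LOW out
!
ip urlfilter exclusive-domain deny .facebook.com
!
kron policy-list Backup_config
 cli archive config
!
"""
BACKUP_WEEK2 = """\
!
hostname Edge1
!
username ops2 privilege 15 secret 5 <hash-placeholder>
ip ftp username ftp_username
!
interface FastEthernet0/0
 description *** Connected to Outside ***
!
ip urlfilter exclusive-domain deny .facebook.com
ip http server
!
kron policy-list Backup_config
 cli archive config
!
"""


def config_lines(text):
    """Drop blank lines, '!' separators and the volatile header lines so
    that only configuration statements take part in the comparison."""
    skip = ("Current configuration", "Building configuration",
            "Last configuration change", "NVRAM config last updated")
    return [l.rstrip() for l in text.splitlines()
            if l.strip() and not l.startswith("!") and not l.startswith(skip)]


def diff_configs(old, new):
    """Return (added, removed) statements between two backups."""
    added, removed = [], []
    for line in difflib.ndiff(config_lines(old), config_lines(new)):
        if line.startswith("+ "):
            added.append(line[2:])
        elif line.startswith("- "):
            removed.append(line[2:])
    return added, removed


def sensitive_changes(old, new):
    """Subset of the diff that matches the SENSITIVE patterns, tagged
    with the direction of the change ('+' added, '-' removed)."""
    added, removed = diff_configs(old, new)
    hits = [("+", l) for l in added] + [("-", l) for l in removed]
    return [(d, l) for d, l in hits if any(p.search(l) for p in SENSITIVE)]


if __name__ == "__main__":
    for direction, stmt in sensitive_changes(BACKUP_WEEK1, BACKUP_WEEK2):
        print(direction, stmt)
```

Run against the two samples it reports a new privilege-15 user, an HTTP server that was switched on, and the inspection rule that disappeared from the outside interface; the first and last of those are exactly the kind of drift a weekly archive exists to catch.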
Single DMVPN cloud with 2 hubs (each serving a different IP segment)
Hi All,
Many of you are interested in DMVPN as a backup solution for MPLS, or even as the primary connection between branches and HQ. Many sites have guides on how to configure DMVPN with dual hubs, or dual DMVPN clouds with dual hubs.
Here, however, I am going to explain DMVPN with dual hubs where each hub serves a different IP segment. Many of us run into the scenario of multiple HQs, each serving a different IP segment and different applications. When branches need to communicate with all hubs at the same time, we often think of building dual DMVPN clouds, one per hub. You can do that, but to simplify your work you can just add a few commands and achieve the same under a single DMVPN cloud.
The original post I took from Cisco and modified.
My sample uses OSPF.
HUB1 config:
!
hostname Hub1
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco47 address 0.0.0.0
!
crypto ipsec transform-set trans2 esp-des esp-md5-hmac
mode transport
!
crypto ipsec profile vpnprof
set transform-set trans2
!
interface Tunnel0
bandwidth 1000
ip address 10.0.0.1 255.255.255.0
ip mtu 1400
ip nhrp authentication test
ip nhrp map multicast dynamic
ip nhrp network-id 100000
ip nhrp holdtime 600
ip ospf network broadcast
ip ospf priority 2
delay 1000
tunnel source Ethernet0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile vpnprof
!
interface Ethernet0
ip address 172.17.0.1 255.255.255.0
!
interface Ethernet1
ip address 192.168.0.1 255.255.255.0
!
router ospf 1
network 10.0.0.0 0.0.0.255 area 1
network 192.168.0.0 0.0.0.255 area 0
!
HUB2 Config:
version 12.3
!
hostname Hub2
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco47 address 0.0.0.0
!
crypto ipsec transform-set trans2 esp-des esp-md5-hmac
mode transport
!
crypto ipsec profile vpnprof
set transform-set trans2
!
interface Tunnel0
bandwidth 900
ip address 10.0.0.2 255.255.255.0
ip mtu 1400
ip nhrp authentication test
ip nhrp map 10.0.0.1 172.17.0.1
ip nhrp map multicast 172.17.0.1
ip nhrp map multicast dynamic
ip nhrp network-id 100000
ip nhrp holdtime 600
ip nhrp nhs 10.0.0.1
ip ospf network broadcast
ip ospf priority 1
delay 1000
tunnel source Ethernet0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile vpnprof
!
interface Ethernet0
ip address 172.17.0.5 255.255.255.0
!
interface Ethernet1
ip address 192.168.1.1 255.255.255.0
!
router ospf 1
network 10.0.0.0 0.0.0.255 area 1
network 192.168.1.0 0.0.0.255 area 0
SPOKE1 config:
version 12.3
!
hostname Spoke1
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco47 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set trans2 esp-des esp-md5-hmac
mode transport
!
crypto ipsec profile vpnprof
set transform-set trans2
!
interface Tunnel0
bandwidth 1000
ip address 10.0.0.11 255.255.255.0
ip mtu 1400
ip nhrp authentication test
ip nhrp map multicast 172.17.0.1
ip nhrp map 10.0.0.1 172.17.0.1
ip nhrp map multicast 172.17.0.5
ip nhrp map 10.0.0.2 172.17.0.5
ip nhrp network-id 100000
ip nhrp holdtime 300
ip nhrp nhs 10.0.0.1
ip nhrp nhs 10.0.0.2
ip ospf network broadcast
ip ospf priority 0
delay 1000
tunnel source Ethernet0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile vpnprof
!
interface Ethernet0
ip address dhcp hostname Spoke1
!
interface Ethernet1
ip address 192.168.2.1 255.255.255.0
!
router ospf 1
network 10.0.0.0 0.0.0.255 area 1
network 192.168.2.0 0.0.0.255 area 1
!
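The extra commands that make a single cloud serve two hubs are the second ip nhrp map / ip nhrp nhs pair on the spoke, and they have to agree with what each hub actually has on its Tunnel0 and Ethernet0. The script below checks that agreement across the three configs and also flags the transform set. It is an added example, not Cisco's or the author's code; its inputs are trimmed copies of the Tunnel0 and crypto sections shown above, and the WEAK_TRANSFORMS list is this example's own.

```python
"""Consistency and crypto-strength check across the DMVPN configs in
the post. Added example, not Cisco's or the author's code; the inputs
are trimmed copies of the Tunnel0/crypto sections shown above."""
import re

HUB1 = """\
hostname Hub1
crypto ipsec transform-set trans2 esp-des esp-md5-hmac
interface Tunnel0
ip address 10.0.0.1 255.255.255.0
ip nhrp authentication test
ip nhrp network-id 100000
tunnel key 100000
interface Ethernet0
ip address 172.17.0.1 255.255.255.0
"""
HUB2 = """\
hostname Hub2
crypto ipsec transform-set trans2 esp-des esp-md5-hmac
interface Tunnel0
ip address 10.0.0.2 255.255.255.0
ip nhrp authentication test
ip nhrp network-id 100000
tunnel key 100000
interface Ethernet0
ip address 172.17.0.5 255.255.255.0
"""
SPOKE1 = """\
hostname Spoke1
crypto ipsec transform-set trans2 esp-des esp-md5-hmac
interface Tunnel0
ip address 10.0.0.11 255.255.255.0
ip nhrp authentication test
ip nhrp map 10.0.0.1 172.17.0.1
ip nhrp map 10.0.0.2 172.17.0.5
ip nhrp network-id 100000
ip nhrp nhs 10.0.0.1
ip nhrp nhs 10.0.0.2
ip ospf priority 0
tunnel key 100000
interface Ethernet0
ip address dhcp hostname Spoke1
"""

# DES and MD5 are no longer acceptable for IPsec; constructed list.
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}

SCALARS = {  # single-valued fields, matched against the whole line
    "hostname": r"hostname (\S+)",
    "network_id": r"ip nhrp network-id (\d+)",
    "tunnel_key": r"tunnel key (\d+)",
    "nhrp_auth": r"ip nhrp authentication (\S+)",
    "priority": r"ip ospf priority (\d+)",
}


def parse(text):
    """Extract the DMVPN-relevant fields of one IOS config into a dict."""
    d = {"nhs": [], "map": {}, "addr": {}, "transforms": set()}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        for key, pat in SCALARS.items():
            if m := re.fullmatch(pat, line):
                d[key] = m.group(1)
        if line.startswith("interface "):
            section = line.split()[1]
        elif m := re.fullmatch(r"ip address (\S+).*", line):
            d["addr"][section] = m.group(1)      # tunnel IP or NBMA (outside) IP
        elif m := re.fullmatch(r"ip nhrp nhs (\S+)", line):
            d["nhs"].append(m.group(1))
        elif m := re.fullmatch(r"ip nhrp map (\d+(?:\.\d+){3}) (\S+)", line):
            d["map"][m.group(1)] = m.group(2)    # tunnel IP -> NBMA IP
        elif line.startswith("crypto ipsec transform-set "):
            d["transforms"].update(line.split()[4:])
    return d


def lint(hubs, spokes):
    """Return a list of findings; an empty list means the cloud is consistent."""
    findings, nodes = [], hubs + spokes
    for key in ("network_id", "tunnel_key", "nhrp_auth"):
        values = {n.get(key) for n in nodes}
        if len(values) != 1:
            findings.append(f"{key} differs across the cloud: {sorted(map(str, values))}")
    hub_by_tunnel = {h["addr"]["Tunnel0"]: h for h in hubs}
    for s in spokes:
        for tun, hub in hub_by_tunnel.items():
            if tun not in s["nhs"]:
                findings.append(f"{s['hostname']}: missing 'ip nhrp nhs {tun}' for {hub['hostname']}")
            elif s["map"].get(tun) != hub["addr"]["Ethernet0"]:
                findings.append(f"{s['hostname']}: 'ip nhrp map {tun}' does not point at {hub['hostname']}'s NBMA address")
        if s.get("priority") != "0":
            findings.append(f"{s['hostname']}: spoke should have 'ip ospf priority 0' so it never becomes DR/BDR")
    for n in nodes:
        if weak := n["transforms"] & WEAK_TRANSFORMS:
            findings.append(f"{n['hostname']}: weak IPsec transforms {sorted(weak)}")
    return findings
```

On the configs as posted the only findings are the three weak-transform ones (esp-des with esp-md5-hmac on every router); drop one of the spoke's nhs lines or change its OSPF priority and the corresponding consistency finding appears.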
CCNP on track
Studying for CCNP Route. I have been going through many e-books and tutorials, but personally I find www.thebryantadvantage.com is awesome. Please give it a try.
Great Network Tools
If you are working with network products and wish to monitor them, then SolarWinds is a great tool to have.
There are some free tools too, such as Foglight (http://www.quest.com/foglight/).