“Ilmu pengetahuan semakin banyak melahirkan keajaiban. Dongengan leluhur sampai malu tersipu. Tak perlu lagi orang bertapa bertahun untuk dapat bicara dengan seseorang di seberang lautan. Orang Jerman telah memasang kawat laut dari Inggris sampai India! Dan kawat semacam itu membiak berjuluran ke seluruh permukaan bumi. Seluruh dunia kini dapat mengawasi tingkah-laku seseorang. Dan orang dapat mengawasi tingkah-laku seluruh dunia" (Pramoedya Ananta Toer: Bumi Manusia, hal. 316, 1980).
Kamis, 02 Desember 2010
Bagaimana membentuk IRB antar 3 router
[ Backgroud ]
PC1 is connected to Fa0/0(no IP address, bridge) of Router = IP 10.10.10.1/24
PC2 is connected to Fa0/1(no IP address, bridge) of Router = IP 10.10.10.2/24
PC3 is connected to Fa1/0(IP 20.20.20.1) of Router = IP 20.20.20.2/24
BVI is configured on Router = IP 10.10.10.3/24. (Gateway IP for PC1 and PC2)
Router#config t
Router(config)# bridge irb
Router(config)# bridge 100 protocol ieee
Router(config)# bridge 100 bridge ip
Router(config)# bridge 100 route ip
Router(config)# interface bvi
Router(config-if)# ip address 10.10.10.3 255.255.255.0
Router(config)# interface fa0/0
Router(config-if)# bridge group 100
Router(config)# interface fa0/1
Router(config-if)# bridge group 100
Router# sh int irb
FastEthernet0/0
Routed protocols on FastEthernet0/0:
ip
Bridged protocols on FastEthernet0/0:
appletalk clns decnet ip
Software MAC address filter on FastEthernet0/0
Hash Len Address Matches Act Type
0x00: 0 ffff.ffff.ffff 1 RCV Physical broadcast
0x2A: 0 0900.2b01.0001 0 RCV DEC spanning tree
0x6D: 0 cc09.6dcf.0000 4 RCV Interface MAC address
0x6D: 1 cc09.6dcf.0000 0 RCV Bridge-group Virtual Interface
0xC0: 0 0100.0ccc.cccc 29 RCV CDP
0xC2: 0 0180.c200.0000 0 RCV IEEE spanning tree
0xC2: 1 0180.c200.0000 0 RCV IBM spanning tree
0xC2: 2 0100.0ccd.cdce 0 RCV VLAN Bridge STP
FastEthernet0/1
Routed protocols on FastEthernet0/1:
ip
Bridged protocols on FastEthernet0/1:
appletalk clns decnet ip
Software MAC address filter on FastEthernet0/1
Hash Len Address Matches Act Type
0x00: 0 ffff.ffff.ffff 12 RCV Physical broadcast
0x2A: 0 0900.2b01.0001 0 RCV DEC spanning tree
0x6C: 0 cc09.6dcf.0001 0 RCV Interface MAC address
0x6D: 0 cc09.6dcf.0000 14 RCV Bridge-group Virtual Interface
0xC0: 0 0100.0ccc.cccc 29 RCV CDP
0xC2: 0 0180.c200.0000 0 RCV IEEE spanning tree
0xC2: 1 0180.c200.0000 0 RCV IBM spanning tree
0xC2: 2 0100.0ccd.cdce 0 RCV VLAN Bridge STP
FastEthernet1/0
Routed protocols on FastEthernet1/0:
ip
BVI100
Routed protocols on BVI100:
ip
Router#
Router# sh int bvi 100
BVI100 is up, line protocol is up
Hardware is BVI, address is cc09.6dcf.0000 (bia cc09.6dcf.0000)
Internet address is 10.10.10.3/24
MTU 1500 bytes, BW 100000 Kbit, DLY 5000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
7 packets input, 690 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
28 packets output, 3084 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
Router#
Router# sh bridge
Total of 300 station blocks, 298 free
Codes: P - permanent, S - self
Bridge Group 100:
Address Action Interface Age RX count TX count
cc0a.6dcf.0000 forward FastEthernet0/1 0 5 5
cc05.6dcf.0000 forward FastEthernet0/0 0 5 5
Router#
Transport mode? cari tau
Tunnel Mode
With tunnel mode, the entire original IP packet is protected (encrypted, authenticated, or both) and is encapsulated by the IPSec headers and trailers (an Encapsulation Security Protocol header and trailer, an Authentication Header, or both). Then a new IP header is prefixed to the packet, specifying the IPSec endpoints as the source and destination.
Tunnel mode can be used with any IP traffic. Tunnel mode must be used if IPSec is protecting traffic from hosts behind the IPSec peers. For example, tunnel mode is used with Virtual Private Networks (VPNs) where hosts on one protected network send packets to hosts on a different protected network via a pair of IPSec peers. With VPNs, the IPSec peers "tunnel" the protected traffic between the peers while the hosts on their protected networks are the session endpoints.
Transport Mode
With transport mode, only the payload (data) of the original IP packet is protected (encrypted, authenticated, or both). The payload is encapsulated by the IPSec headers and trailers (an ESP header and trailer, an AH header, or both). The original IP headers remain intact and are not protected by IPSec.
Use transport mode only when the IP traffic to be protected has IPSec peers as both the source and destination. For example, you could use transport mode to protect router management traffic. Specifying transport mode allows the router to negotiate with the remote peer whether to use transport or tunnel mode.
Examples
The following example defines a transform set and changes the mode to transport mode. The mode value only applies to IP traffic with the source and destination addresses at the local and remote IPSec peers.
crypto ipsec transform-set newer esp-des esp-sha-hmac
mode transport
exit
Rabu, 01 Desember 2010
[Cisco] How to limit rate on interface ?
postdateiconTuesday, 05 May 2009 21:10 | postauthoriconWritten by ip Balance | Print | E-mail
The command 'rate-limit' is interface configuration command. It is used to setup a committed access rate (CAR) and distributed CAR (DCAR) policies. To remove the rate limit from the configuration, as you know, use the no form of this command.
rate-limit {input | output} [dscp dscp-value] [access-group [rate-limit] acl-index]
bps burst-normal burst-max conform-action conform-action exceed-action
exceed-action
no rate-limit {input | output} [dscp dscp-value] [access-group [rate-limit]
acl-index] bps burst-normal burst-max conform-action conform-action exceed-action
exceed-action
input Applies this CAR traffic policy to packets received on this input interface.
output Applies this CAR traffic policy to packets sent on this output interface .
dscp (Optional) Allows the rate limit to be applied to any packet matching a specified differentiated services code point (DSCP).
access-group (Optional) Applies this CAR traffic policy to the specified access list.
rate-limit (Optional) The access list is a rate-limit access list.
bps Average rate, in bits per second (bps). The value must be in increments of 8 kbps.
burst-normal Normal burst size, in bytes. The minimum value is bps divided by 2000.
burst-max Excess burst size, in bytes.
conform-action Action to take on packets that conform to the specified rate limit. Specify one of the following keywords .
exceed-action Action to take on packets that exceed the specified rate limit. Specify one of the following keywords .
o CAR and DCAR can only be used with IP traffic. Non-IP traffic is not rate limited.
o CAR and DCAR can be configured on an interface or subinterface. However, CAR and DCAR are not supported on the Fast EtherChannel, tunnel, or PRI interfaces, nor on any interface that does not support Cisco Express Forwarding (CEF).
o CEF must be enabled on the interface before you configure CAR or DCAR.
Policing Traffic with CAR
CAR embodies a rate-limiting feature for policing traffic. When policing traffic with CAR, Cisco recommends the following values for the normal and extended burst parameters:
Burst-normal = configured rate * 1/8 * 1.5 seconds (1/8 for convert bit to byte)
Burst-max = Burst-normal * 2
Examples 1.
FTP traffic is sent with an MPLS experimental field of 5 if it conforms to the second rate policy. If the FTP traffic exceeds the rate policy, it is dropped. See the following commands in the example:
rate-limit imput access-group 122 10000000 1875000 3750000 confirm-action
mpls-exp 5 exceed-action drop
access-list 122 permit tcp any any eq ftp
Examples 2.
Below example is shown two access lists are created to classify the web and FTP traffic so that they can be handled separately by the CAR feature:
interface Serial 0/1
Description T3 to MR
rate-limit imput access-group 111 10000000 1875000 3750000 conform-action drop
rate-limit imput access-group 122 8000000 1500000 3000000 conform-action drop
rate-limit imput access-group 133 20000000 3750000 7500000 conform-action drop
access-list 111 permit tcp any any eq www
access-list 122 permit tcp and any eq ftp
Metrik EIGRP
BW=10^7/lowest bandwidth in kbps sepanjang path ke network tsbt
delay=jumlah delay sepanjang path ke network tsbt/10.
contoh:
A---10mb--B--100mb--C--10.0.0.0/8
dari A mau ke 10.0.0.0/8.
Lowest bandwidth: 10mb
jumlah delay: 100usec(A-B)+100usec(B-C)+100usec(C-10.0.0.0/8)
jadi metricnya: 256*(10^7/10000 + 300/10) = 263680
ASA EasyVPN
Building configuration…
!
hostname RT-Jakarta
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
!
ip name-server 202.47.78.8
ip name-server 202.47.78.9
!
username fery privilege 15 secret 5 $1$m4eM$WC4j4KekWukubo4Oia2OG.
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr aes
authentication pre-share
group 2
!
crypto isakmp client configuration group fery-g
key fery123
dns 202.47.78.8 202.47.78.9
pool SDM_POOL_1
acl 101
include-local-lan
max-users 10
netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
match identity group fery-g
client authentication list sdm_vpn_xauth_ml_2
isakmp authorization list sdm_vpn_group_ml_2
client configuration address respond
virtual-template 2
!
!
crypto ipsec transform-set fery-transform-set esp-aes esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set fery-transform-set
set isakmp-profile sdm-ike-profile-1
!
interface FastEthernet1/0
description *** WAN ***
ip address 202.47.77.24x 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/1
description *** LAN ***$ETH-LAN$
ip address 192.168.100.1 255.255.255.0
duplex auto
speed auto
!
ip local pool SDM_POOL_1 192.168.10.1 192.168.10.100
ip classless
ip route 0.0.0.0 0.0.0.0 202.47.77.241
ip http server
no ip http secure-server
!
logging alarm informational
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 100 permit ip 192.168.100.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
!