├── LICENSE ├── README.md ├── bgp └── bgp.monitoring.protocol.md ├── cumulus └── ztp_script.py ├── docker ├── campur.md ├── create.insecure.private.docker.registry.md ├── create_docker_image_from_centos_install.md ├── docker.enable.calico.ubuntu.md └── docker.on.arista.eos.md ├── freebsd ├── freebsd.dun.bluetooth.md └── freebsd.nat.example.md ├── game └── township.graphviz.dot ├── images ├── .placeholder ├── contrail_wireshark_no_header.png ├── contrail_wireshark_vanilla.png ├── contrail_wireshark_with_agent_dissector.png └── wireshark_in_analyzer_vm.png ├── juniper ├── evpn.vxlan.md ├── junos.allow.v4mapped.packets.md ├── junos.bgp.authentication.md ├── junos.duplicated.ipv6-link-local.md ├── junos.ipv6.prefix.over.ipv4.bgp.peering.md ├── junos.isis.authentication.md ├── junos.knob.default-address-selection.md ├── junos.l2vpn.md ├── junos.map.prefix.to.lsp.example.md ├── junos.netconf.example.md ├── junos.ospf.authentication.md ├── junos.ospf.domain-id.md ├── junos.ospf.external.metric.md ├── junos.ospf.import-policy.md ├── junos.playing.with.cos.classifier.and.rewrite.md ├── junos.route.resolution.md ├── junos.rtbh.md ├── junos.snmpv3.sample.md ├── junos.verify.multicast.md ├── junos.vpls.bgp-ldp-interworking.md ├── junos.vpls.bgp.multihoming.md ├── junos.vpls.ldp.bgp_autodiscovery.md ├── junos.vpls.ldp.hub_and_spoke.md ├── junos.vpls.ldp.multihome.md └── using.sshpass.on.junos.md ├── kubernetes.calico.ubuntu.md ├── kvm ├── kvm.clone.guest.md └── kvm.nested.md ├── linux ├── cassandra.recover.node.inside.cluster.md ├── dhcp.add-static-route-with-netmask.md ├── find.rpm.info.without.installing.md ├── linux.lvm.tutorial.md ├── linux.subinterface.md ├── linux.tcp.keepalive.md ├── linux.tcp.offload.md ├── linux_lldp.md ├── resize.qcow2.vm.md ├── tcpdump_tips.md ├── trying.coreos.md ├── ubuntu.disable.cloud.init.md ├── ubuntu.enable.serial.console.md ├── usb.temperature.sensor.md ├── vde.sample.md └── vnc.to.main.display.md ├── misc ├── campur.md ├── elasticsearch.md 
├── java.log.file.location.md └── rabbitmq.on.osx.md ├── myblog └── old │ ├── acronym.md │ ├── bgp_nortel_cisco.md │ ├── force.3g.selection.using.atcommand.md │ ├── gre_tunnel_cisco_nortel_freebsd.md │ ├── ipv6.over.gprs.md │ ├── nms.for.ipv6.md │ ├── openvpn.for.ipv6.tun_mode.md │ └── ospf3.multiple_af.md ├── networking └── bgp.private.asn.md ├── openstack ├── calico.lab.md ├── contrail.check.routing.table.md ├── contrail.setup.simple.gateway.md ├── how.to.send.command.thru.vnc.md ├── memcached.openstack.md ├── misc.md ├── openstack.add.serial.console.md └── openstack.calico.md ├── perl └── perl.oneliner.md ├── python ├── elasticsearch_query.py ├── ping_parallel.py ├── simple.interactive.python.paramiko.py └── telegram.bot.to.monitor.linux.server.md ├── raspi └── force.net.interface.name.md ├── sdn ├── bgpls │ ├── cisco.iosxr.bgpls.md │ └── junos.bgpls.md └── openr.md ├── tmp └── test.txt ├── vmware └── esxi_vsphere_cli.md ├── wiki ├── A-hack-to-create-routed-virtual-network-in-Openstack-with-Openvswitch.md ├── Automate-ssh-access-on-JunOS-device-using-sshpass.md ├── Cisco-IOS-XR-Config-Example-for-PCEP-and-BGP-LS.md ├── Example-of-BGP-LS-in-Junos.md ├── Git-workflow-illustrated.md ├── How-to-Setup-Contrail-Simple-Gateway.md ├── How-to-automate-VM-configuration-that-does-not-support-DHCP-and-Cloud-init.md ├── How-to-resize-VM-image.md ├── Mirror-VM-traffic-in-Openstack-Contrail-with-custom-sniffer.md ├── Simple-Telegram-Bot-to-Monitor-Linux-Server.md ├── Some-ESXi-related-commands.md ├── Troubleshooting-Keystone-and-Memcached.md ├── Trying-BGP-Monitoring-Protocol-with-OpenBMP.md └── Trying-CoreOS.md ├── yang.ietf.network.tree.txt └── yang.itef.network.json /LICENSE: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright (c) 2015 rendoaw 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to 
deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | 23 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | This repo contains a collection of my own notes, as well as other people's notes taken from various sources that I find useful. 
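2 | 3 | Some of "blogging-style" notes is promoted (copied to) the wiki (https://rendoaw.github.io/) 4 | -------------------------------------------------------------------------------- /cumulus/ztp_script.py: --------------------------------------------------------------------------------
#!/usr/bin/env python
# CUMULUS-AUTOPROVISIONING
"""Cumulus Linux zero-touch-provisioning (ZTP) script.

Runs a fixed sequence of shell commands on first boot: adds two Debian
repositories, installs a few packages, reloads interfaces, waits until
NCLU answers, then sets the time zone and an NTP server via ``net`` and
commits.  Every command and its output is logged to CUMULUS_LOGFILE and
to the console.
"""

from subprocess import Popen, PIPE, STDOUT
import os
import sys
import syslog
import logging
import time
from logging.handlers import SysLogHandler

CUMULUS_LOGFILE = "/var/log/ztp.log"

# Seconds to sleep between NCLU readiness probes (see wait_for_nclu).
NCLU_POLL_INTERVAL = 5


def cumulus_ztp():
    """Set up logging, then run the provisioning steps in init_ztp().

    Side effects: removes and recreates CUMULUS_LOGFILE, attaches a file
    handler and a console handler to the root logger, and executes the
    shell commands listed in init_ztp() as the invoking (root) user.
    """
    if os.path.exists(CUMULUS_LOGFILE):
        os.remove(CUMULUS_LOGFILE)

    logger = logging.getLogger()
    logger.setLevel(logging.DEBUG)

    fmt = logging.Formatter('%(asctime)s %(message)s')
    fh = logging.FileHandler(CUMULUS_LOGFILE)
    fh.setLevel(logging.DEBUG)
    fh.setFormatter(fmt)
    logger.addHandler(fh)
    consoleHandler = logging.StreamHandler()
    consoleHandler.setFormatter(fmt)
    logger.addHandler(consoleHandler)

    def run_shell_command(cmd, input_data=None):
        """Run *cmd* through the shell and return its exit code.

        Both stdout and stderr are captured and logged.  *input_data*, when
        given, is written to the child's stdin; use it for values that must
        not show up on the command line (visible in ``ps``) or in the
        "[cmd->]" log line, e.g. the license key in install_license().

        shell=True is only acceptable here because every *cmd* is a fixed
        string in this file; never pass externally supplied text in.
        """
        logger.info("[cmd->] " + cmd)
        # communicate() drains stdout and stderr concurrently and closes
        # stdin.  The original readlines()-then-wait() sequence could
        # deadlock when the child filled the stderr pipe, and a child that
        # read stdin would have hung forever on the never-closed PIPE.
        # universal_newlines yields str on both Python 2 and 3.
        p = Popen(cmd, shell=True, stdin=PIPE, stdout=PIPE, stderr=PIPE,
                  universal_newlines=True)
        out, err = p.communicate(input_data)
        logging.info("[<-shell response] " + out)
        if err:
            # stderr used to be captured and silently dropped.
            logging.info("[<-shell stderr] " + err)
        return p.returncode

    def append_line_if_missing(path, line):
        """Append *line* to *path* unless an identical line is already present.

        Replaces ``echo ... >> path``, which duplicated the entry every time
        the script was re-run.
        """
        logger.info("[file->] " + path + ": " + line)
        try:
            with open(path) as f:
                present = line in f.read().splitlines()
        except IOError:
            # File does not exist yet; we create it below.
            present = False
        if not present:
            with open(path, "a") as f:
                f.write(line + "\n")

    def install_license():
        """Feed the license key to cl-license on stdin and log a failure."""
        # Fill in the key here.  It is deliberately NOT interpolated into the
        # command string so it stays out of the process list and the log.
        license_key = ""
        logging.info("Installing license")
        ret = run_shell_command("/usr/cumulus/bin/cl-license -i",
                                input_data=license_key + "\n")
        # The original tested an undefined name (`rt`) and printed another
        # (`rc`), which raised NameError instead of reporting the failure.
        if ret != 0:
            logging.error("ERROR: License not installed. Return code was: " + str(ret))

    def wait_for_nclu():
        """Block until ``net show interface`` succeeds, i.e. netd is up.

        Loops forever if the command keeps failing for another reason; the
        original behaved the same but spun without any delay.
        """
        while run_shell_command("net show interface") != 0:
            time.sleep(NCLU_POLL_INTERVAL)

    def init_ztp():
        """The provisioning steps, in order."""
        logging.info("add debian repository")
        append_line_if_missing("/etc/apt/sources.list",
                               "deb http://http.us.debian.org/debian jessie main")
        append_line_if_missing("/etc/apt/sources.list",
                               "deb http://security.debian.org/ jessie/updates main")
        run_shell_command("apt-get update -y && apt-get install -y netshow htop vim")

        #install_license()

        run_shell_command("ifreload -a")

        wait_for_nclu()

        #cmd = "net add vrf mgmt"
        #run_shell_command(cmd)
        run_shell_command("net add time zone Etc/UTC")
        run_shell_command("net add time ntp server 192.168.0.254 iburst")
        run_shell_command("net commit")

        #cmd = ""
        #run_shell_command(cmd)

    init_ztp()


if __name__ == "__main__":
    cumulus_ztp()
    sys.exit(0)
-------------------------------------------------------------------------------- /docker/campur.md: -------------------------------------------------------------------------------- 1 | 2 | ``` 3 | docker run -d -it --name elk --restart=always -v /data/docker/elk/elasticsearch:/var/lib/elasticsearch -p 9200:9200 -p 5601:5601 rendoaw/ubuntu_netkit 4 | docker run -d -it --name nextcloud --restart=always -v /data/docker/nextcloud:/data -p 10080:80 nextcloud 5 | docker run -d -it --net=host --name openr_test3 --privileged --restart=always rendoaw/openr:test3 6 | 7 | docker pull docker.elastic.co/logstash/logstash-oss:6.1.2 8 | docker run -d -it --name logstash --restart=always -p 9300:9300 logstash-oss:6.1.2 9 | 10 | docker run -d -it --name cacti -p 10081:80 quantumobject/docker-cacti 11 | ``` 12 | 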
-------------------------------------------------------------------------------- /docker/create_docker_image_from_centos_install.md: -------------------------------------------------------------------------------- 1 | Here is the procedure to create your own centos docker image 2 | 3 | * Install centos on a server/VM 4 | 5 | * After installation finish, boot the server 6 | 7 | * do any necessary modification, e.g: yum update, yum install ..., edit /etc/.. 8 | 9 | * clean yum cache 10 | ``` 11 | yum clean all 12 | ``` 13 | 14 | * Tar the whole file system (original: http://comments.gmane.org/gmane.comp.sysutils.docker.user/5952) 15 | ``` 16 | # tar --numeric-owner --exclude=/proc --exclude=/sys --exclude=/mnt --exclude=/var/cache --exclude=/usr/share/{foomatic,backgrounds,perl5,fonts,cups,qt4,groff,kde4,icons,pixmaps,emacs,gnome-background-properties,sounds,gnome,games,desktop-directories} --exclude=/var/log -zcvf /mnt/centos-base.tar.gz / 17 | ``` 18 | 19 | * copy the tar.gz file to docker host 20 | 21 | * import tar.gz to docker image 22 | ``` 23 | cat centos-base.tar.gz | docker import - centos/6.5 24 | ``` 25 | 26 | 27 | -------------------------------------------------------------------------------- /docker/docker.enable.calico.ubuntu.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ``` 4 | # wget -O /usr/local/bin/calicoctl https://github.com/projectcalico/calicoctl/releases/download/v1.3.0/calicoctl 5 | # chmod +x /usr/local/bin/calicoctl 6 | 7 | # mkdir /etc/calico 8 | 9 | # cat /etc/calico/calicoctl.cfg 10 | apiVersion: v1 11 | kind: calicoApiConfig 12 | metadata: 13 | spec: 14 | etcdEndpoints: http://localhost:2379 15 | vim /etc/calico/calicoctl.cfg 16 | 17 | # calicoctl node run --node-image=quay.io/calico/node:v1.3.0 18 | # calicoctl get ipPool --output wide 19 | 20 | 21 | # cat ippool_v6.yaml 22 | apiVersion: v1 23 | kind: ipPool 24 | metadata: 25 | cidr: 2001:db8:101::/64 26 | spec: 27 | ipip: 28 | 
enabled: false 29 | mode: always 30 | 31 | 32 | # cat ippool_v4.yaml 33 | apiVersion: v1 34 | kind: ipPool 35 | metadata: 36 | cidr: 10.191.101.0/24 37 | spec: 38 | ipip: 39 | enabled: false 40 | mode: always 41 | 42 | 43 | # cat ippool_nat.yaml 44 | apiVersion: v1 45 | kind: ipPool 46 | metadata: 47 | cidr: 10.254.101.0/24 48 | spec: 49 | nat-outgoing: true 50 | ipip: 51 | enabled: false 52 | mode: always 53 | 54 | 55 | # calicoctl create -f ippool_v6.yaml 56 | # calicoctl create -f ippool_v4.yaml 57 | # calicoctl create -f ippool_nat.yaml 58 | 59 | # calicoctl get ipPool --output wide 60 | 61 | # more policy.yaml 62 | apiVersion: v1 63 | kind: profile 64 | metadata: 65 | name: net1 66 | labels: 67 | role: net1 68 | spec: 69 | ingress: 70 | - action: allow 71 | protocol: tcp 72 | - action: allow 73 | protocol: udp 74 | - action: allow 75 | protocol: icmp 76 | egress: 77 | - action: allow 78 | protocol: tcp 79 | - action: allow 80 | protocol: udp 81 | - action: allow 82 | protocol: icmp 83 | 84 | 85 | # docker network create --driver calico --ipam-driver calico-ipam net1 --subnet 10.191.101.0/24 86 | # calicoctl apply -f policy.yaml 87 | 88 | # etcdctl get /calico/v1/policy/profile/net1/rules 89 | 90 | # docker run -d --name test --privileged --restart=always rendoaw/ubuntu_netkit 91 | 92 | ``` 93 | -------------------------------------------------------------------------------- /docker/docker.on.arista.eos.md: -------------------------------------------------------------------------------- 1 | 2 | ## using docker pull 3 | 4 | * requirements 5 | * management interface must not inside vrf 6 | 7 | ``` 8 | bash-4.3# docker pull jfloff/alpine-python:2.7 9 | Warning: failed to get default registry endpoint from daemon (Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?). Using system default: https://index.docker.io/v1/ 10 | Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running? 
11 | bash-4.3# systemctl docker start 12 | Unknown operation 'docker'. 13 | bash-4.3# systemctl start docker 14 | bash-4.3# docker pull jfloff/alpine-python:2.7 15 | 2.7: Pulling from jfloff/alpine-python 16 | ff3a5c916c92: Pull complete 17 | da32d2726fe3: Pull complete 18 | Digest: sha256:c036d927a465ed00de4e278f1707af3f61605f095c32e505b1a398dea7f69f72 19 | Status: Downloaded newer image for jfloff/alpine-python:2.7 20 | bash-4.3# 21 | bash-4.3# 22 | bash-4.3# 23 | bash-4.3# 24 | bash-4.3# docker ps 25 | CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 26 | bash-4.3# docker images 27 | REPOSITORY TAG IMAGE ID CREATED SIZE 28 | jfloff/alpine-python 2.7 e7d12f060254 3 weeks ago 232MB 29 | bash-4.3# docker run -dit --name alpine_python jfloff/alpine-python:2.7 30 | cb32fb6a3759906343d5451c2d4d64706c63fbd36ae3ec439eae728017e78f7c 31 | bash-4.3# docker ps 32 | CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 33 | cb32fb6a3759 jfloff/alpine-python:2.7 "/usr/bin/dumb-ini..." 3 seconds ago Up 2 seconds alpine_python 34 | bash-4.3# docker exec -it alpine_python bash 35 | bash-4.4# python --version 36 | Python 2.7.14 37 | bash-4.4# exit 38 | exit 39 | bash-4.3# 40 | ``` 41 | 42 | 43 | ## manually load docker image 44 | 45 | * upload the tar file into eos 46 | 47 | * load docker container in tar format 48 | 49 | ``` 50 | docker load -i ubuntu_sshd_2222.tar 51 | ``` 52 | 53 | * run the container 54 | 55 | ``` 56 | docker run -d -it --net=host --name test --privileged --restart=always ubuntu_sshd_2222 57 | ``` 58 | * the sample above is using privileged mode and host net because i want the container to have full acess on eos interface 59 | 60 | * attach to the container 61 | 62 | ``` 63 | docker exec -it test /bin/bash 64 | ``` 65 | 66 | -------------------------------------------------------------------------------- /freebsd/freebsd.dun.bluetooth.md: -------------------------------------------------------------------------------- 1 | This note will show you how to 
make gprs connection by using bluetooth DUN profile in FreeBSD. 2 | It is assumed that all bluetooth device (your laptop and your mobile phone for example) are already configured. 3 | 4 | the devices: 5 | 1. HP NC6000 laptop with builtin bluetooth adapter 6 | 2. Sony Ericsson T630 mobile phone 7 | 8 | Steps: 9 | * Make sure your bluetooth device in your laptop is ready to use. Your syslog should show something like this: 10 | ``` 11 | ubt0: ACTIONTEC Bluetooth by hp, rev 1.10/8.02, addr 2 12 | ubt0: ACTIONTEC Bluetooth by hp, rev 1.10/8.02, addr 2 13 | ubt0: Interface 0 endpoints: interrupt=0×81, bulk-in=0×82, bulk-out=0×2 14 | ubt0: Interface 1 (alt.config 5) endpoints: isoc-in=0×83, isoc-out=0×3; wMaxPacketSize=49; nframes=6, buffer size=294 15 | ``` 16 | 17 | * start your bluetoot 18 | ``` 19 | amnesiac# /etc/rc.bluetooth start ubt0 20 | BD_ADDR: 00:0f:b3:17:81:f9 21 | Features: 0xff 0xff 0xf 00 00 00 00 00 22 | <3-Slot> <5-Slot> 23 | 24 | 25 | 26 | 27 | Max. ACL packet size: 192 bytes 28 | Number of ACL packets: 8 29 | Max. SCO packet size: 64 bytes 30 | Number of SCO packets: 8 31 | amnesiac# 32 | ``` 33 | 34 | * Search your remote bluetooth device 35 | ``` 36 | amnesiac# hccontrol -n ubt0hci inquiry 37 | Inquiry result, num_responses=1 38 | Inquiry result #0 39 | BD_ADDR: 00:0e:07:a4:c8:f6 40 | Page Scan Rep. Mode: 0×1 41 | Page Scan Period Mode: 00 42 | Page Scan Mode: 00 43 | Class: 52:02:04 44 | Clock offset: 0×6214 45 | Inquiry complete. 
Status: No error [00] 46 | ``` 47 | 48 | from the result above, you can see that your remote device has h/w address 49 | 00:0e:07:a4:c8:f6 50 | 51 | * define your remote device in /etc/bluetooth/hcsecd.conf 52 | for example, my device name is blobi and the pin for pairing purpose is "1" 53 | ``` 54 | device { 55 | bdaddr 00:0e:07:a4:c8:f6; 56 | name "blobi"; 57 | key nokey; 58 | pin "1"; 59 | } 60 | ``` 61 | 62 | * Run hcsecd daemon by using this command 63 | ``` 64 | hcsecd -d 65 | ``` 66 | note: -d means that the daemon will be in foreground mode, it is just show how bluetooth works. You can also run without "-d" option. 67 | 68 | This is ouput sample after pairing: 69 | ``` 70 | hcsecd[694]: Got Link_Key_Request event from 'ubt0hci', remote bdaddr 00:0e:07:a4:c8:f6 71 | hcsecd[694]: Found matching entry, remote bdaddr 00:0e:07:a4:c8:f6, name 'blobi', link key doesn't exist 72 | hcsecd[694]: Sending Link_Key_Negative_Reply to 'ubt0hci' for remote bdaddr 00:0e:07:a4:c8:f6 73 | hcsecd[694]: Got PIN_Code_Request event from 'ubt0hci', remote bdaddr 00:0e:07:a4:c8:f6 74 | hcsecd[694]: Found matching entry, remote bdaddr 00:0e:07:a4:c8:f6, name 'blobi', PIN code exists 75 | hcsecd[694]: Sending PIN_Code_Reply to 'ubt0hci' for remote bdaddr 00:0e:07:a4:c8:f6 76 | hcsecd[694]: Got Link_Key_Notification event from 'ubt0hci', remote bdaddr 00:0e:07:a4:c8:f6 77 | hcsecd[694]: Updating link key for the entry, remote bdaddr 00:0e:07:a4:c8:f6, name 'blobi', link key doesn't exist 78 | ``` 79 | 80 | * check whether DUN profile is supported in your remote device or not 81 | this is the sample output of my Sony Ericsson T630 82 | ``` 83 | Record Handle: 0×00010000 84 | Service Class ID List: 85 | Dial-Up Networking (0×1103) 86 | Generic Networking (0×1201) 87 | Protocol Descriptor List: 88 | L2CAP (0×0100) 89 | RFCOMM (0×0003) 90 | Protocol specific parameter #1: u/int8/bool 1 91 | Bluetooth Profile Descriptor List: 92 | Dial-Up Networking (0×1103) ver. 
1.0 93 | 94 | ..deleted to save space.. 95 | ``` 96 | 97 | * Add gprs connection definition in /etc/ppp/ppp.conf as shown below: 98 | ``` 99 | gprs: 100 | enable force-scripts 101 | set authname wap 102 | set authkey wap123 103 | set phone "*99***1#" 104 | set login 105 | set timeout 0 106 | enable dns 107 | set ifaddr 0 0 108 | add default HISADDR 109 | ``` 110 | 111 | In this example, I use GPRS from Telkomsel with username "wap" and password "wap123" 112 | 113 | * run the rfcomm_pppd daemon 114 | ``` 115 | amnesiac#rfcomm_ppd -c -a 00:0e:07:a4:c8:f6 -c -C dun -l gprs 116 | ``` 117 | 118 | this daemon will automatically dial the gprs connection based on label called "gprs" which has been defined in /etc/ppp/ppp.conf 119 | 120 | * verify your connection by checking your interface ip address and default route. This connection should use tun interface 121 | This is the sample of the connection: 122 | ``` 123 | amnesiac# ifconfig 124 | tun0: flags=8051 mtu 1500 125 | inet 10.128.110.190 –> 10.128.110.191 netmask 0xffffffff 126 | Opened by PID 6178 127 | amnesiac# 128 | ``` 129 | 130 | and the traceroute result to this website 131 | ``` 132 | amnesiac# traceroute -n rendo.no-ip.info 133 | traceroute to rendo.no-ip.info (202.51.232.116), 64 hops max, 40 byte packets 134 | 1 10.1.10.121 452.633 ms 535.863 ms 482.915 ms 135 | 2 203.130.200.126 490.891 ms 509.901 ms 510.900 ms 136 | 3 192.168.3.105 472.909 ms 524.895 ms 493.908 ms 137 | 4 61.94.0.137 484.908 ms 515.896 ms 503.903 ms 138 | 5 218.100.27.179 656.886 ms 580.981 ms 558.778 ms 139 | 6 218.100.27.169 470.916 ms 529.872 ms 488.909 ms 140 | 7 202.51.224.1 509.899 ms 509.900 ms 503.909 ms 141 | 8 202.51.232.225 480.903 ms 518.899 ms 498.902 ms 142 | 9 202.51.232.116 480.914 ms 527.886 ms 485.906 ms 143 | amnesiac# 144 | ``` 145 | -------------------------------------------------------------------------------- /freebsd/freebsd.nat.example.md: 
-------------------------------------------------------------------------------- 1 | Sample cases: 2 | - source traffic from 10.10.1.0/24 will be translated to 202.202.202.2/28 3 | - source traffic from 10.10.2.0/24 will be translated to 202.202.202.3/28 4 | - source traffic from 10.10.1.0/24 to 202.0.0.0/8 will be translated to 202.202.202.4/28 5 | - all http traffic will be directed to http proxy @ 10.10.10.10 port 8080 6 | - one-to-one mapping (bidirectional nat) traffic from 10.10.1.1/24 to any replaced with 202.202.202.5/28 7 | - all traffic to 202.202.202.2 port 81 will be redirected to 10.10.1.2 port 80 8 | 9 | assume external interface is fxp0 and internal interface is fxp1 and the current ip address of external interface is 202.202.202.2/28 10 | 11 | first put the ip address in fxp0 as alias ip: 12 | ``` 13 | ifconfig fxp0 inet 202.202.202.3 netmask 255.255.255.255 alias 14 | ifconfig fxp0 inet 202.202.202.4 netmask 255.255.255.255 alias 15 | ifconfig fxp0 inet 202.202.202.5 netmask 255.255.255.255 alias 16 | ``` 17 | 18 | then, the rules: 19 | ``` 20 | bimap fxp0 10.10.1.1/32 -> 202.202.202.5/32 21 | 22 | #SNAT 23 | map fxp0 from 10.10.1.0/24 to 202.0.0.0/8 -> 202.202.202.4/32 portmap tcp/udp auto 24 | map fxp0 10.10.1.0/24 -> 202.202.202.2/32 portmap tcp/udp auto 25 | map fxp0 10.10.2.0/24 -> 202.202.202.3/32 portmap tcp/udp auto 26 | 27 | #DNAT 28 | rdr fxp1 0/0 port 80 -> 10.10.10.10 port 8080 tcp 29 | rdr fxp0 202.202.202.2/32 port 81 -> 10.10.1.2 port 80 tcp 30 | ``` 31 | 32 | -------------------------------------------------------------------------------- /game/township.graphviz.dot: -------------------------------------------------------------------------------- 1 | # online visualization http://viz-js.com/ 2 | 3 | digraph G { 4 | rankdir=LR; 5 | 6 | { rank=same; wheat; corn; carrot; sugarcane; tomato; strawberry; potato; pine_tree; cacao; cotton; rubber_tree; silk; } 7 | { rank=same; cow_feed; chicken_feed; sheep_feed } 8 | { rank=same; 
sugar_cube; syrup; caramel; popcorn; corn_chip; granola; potato_chip } 9 | { rank=same; milk;egg; wol; paper; paper_towel; wallpaper } 10 | 11 | subgraph farm { 12 | node [style=filled, color=yellow]; 13 | wheat; 14 | corn; 15 | carrot; 16 | sugarcane; 17 | tomato; 18 | strawberry; 19 | potato; 20 | pine_tree; 21 | cacao; 22 | cotton; 23 | rubber_tree; 24 | silk; 25 | label = "Farm"; 26 | color=blue 27 | } 28 | 29 | subgraph feed_mill { 30 | label="Feed Mill"; 31 | cow_feed; chicken_feed; sheep_feed 32 | } 33 | 34 | subgraph sugar_factory { 35 | label="Sugar Factory"; 36 | sugar_cube; syrup; caramel 37 | } 38 | 39 | subgraph snack_factory { 40 | label="Snack Factory"; 41 | popcorn; corn_chip; granola; potato_chip 42 | } 43 | 44 | subgraph paper_factory { 45 | label="Paper Factory"; 46 | paper; paper_towel; wallpaper 47 | } 48 | 49 | subgraph rubber_factory { 50 | label="Rubber Factory"; 51 | rubber; 52 | } 53 | 54 | subgraph cow_shed { 55 | label="Cow shed"; 56 | milk; 57 | } 58 | 59 | subgraph chicken_coop { 60 | label="chicken coop"; 61 | egg; 62 | } 63 | 64 | subgraph sheep_farm { 65 | label="Sheep farm"; 66 | wol; 67 | } 68 | 69 | subgraph dairy_factory { 70 | label="Dairy factory"; 71 | cream; cheese; yogurt; butter 72 | } 73 | 74 | subgraph bakery { 75 | label="Bakery"; 76 | bread; cookies; bagel; pizza; potato_bread 77 | } 78 | 79 | subgraph textile_factory { 80 | label="Textile Factory"; 81 | yarn; cotton_fabric; silk_fabric 82 | } 83 | 84 | subgraph tailor_shop { 85 | label="Tailor Shop"; 86 | shirt; sweater; coat; hat 87 | } 88 | 89 | subgraph fast_food { 90 | label="Fast Food Restaurant"; 91 | milkshake; cheeseburger; sandwich; french_fries 92 | } 93 | 94 | subgraph pastry_factory { 95 | label="Pastry Factory"; 96 | muffin; brownie; cupcake 97 | } 98 | 99 | subgraph ice_cream_factory { 100 | label="Ice Cream Factory"; 101 | ice_cream; popsicle; frozen_yogurt; eskimo_pie 102 | } 103 | 104 | wheat -> cow_feed[label="x2"]; 105 | wheat -> 
chicken_feed[label="x2"]; 106 | wheat -> granola[label="x2"]; 107 | wheat -> muffin[label="x3"]; 108 | wheat -> bread[label="x2"]; 109 | wheat -> cookies[label="x2"]; 110 | wheat -> bagel[label="x2"]; 111 | wheat -> pizza[label="x1"]; 112 | wheat -> potato_bread[label="x2"]; 113 | 114 | corn -> cow_feed[label="x1"]; 115 | corn -> sheep_feed[label="x2"]; 116 | corn -> popcorn[label="x2"]; 117 | corn -> corn_chip[label="x3"]; 118 | 119 | carrot -> chicken_feed[label="x1"]; 120 | carrot -> sheep_feed[label="x2"]; 121 | 122 | sugarcane -> sugarcube[label="x1"]; 123 | sugarcane -> syrup[label="x2"]; 124 | sugarcane -> caramel[label="x3"]; 125 | 126 | strawberry -> milkshake[label="x1"]; 127 | strawberry -> sandwich[label="x1"]; 128 | strawberry -> popsicle[label="x2"]; 129 | strawberry -> granola[label="x2"]; 130 | 131 | tomato -> cheeseburger[label="x1"]; 132 | tomato -> french_fries[label="x2"]; 133 | tomato -> pizza[label="x2"]; 134 | 135 | potato -> french_fries[label="x2"]; 136 | potato -> potato_bread[label="x2"]; 137 | potato -> potato_chip[label="x2"]; 138 | 139 | cacao -> brownie[label="x2"]; 140 | cacao -> eskimo_pie[label="x1"]; 141 | 142 | pine_tree -> eskimo_pie[label="x1"]; 143 | pine_tree -> paper[label="x1"]; 144 | pine_tree -> paper_towel[label="x2"]; 145 | pine_tree -> wallpaper[label="x3"]; 146 | 147 | cotton -> cotton_fabric[label="x2"]; 148 | 149 | silk -> silk_fabric[label="x2"]; 150 | 151 | rubber_tree -> rubber[label="x1"]; 152 | 153 | cow_feed -> milk[label=""]; 154 | chicken_feed -> egg [label=""]; 155 | sheep_feed -> wol[label="x"]; 156 | 157 | sugar_cube -> muffin[label="x1"]; 158 | sugar_cube -> cupcake[label="x1"]; 159 | sugar_cube -> ice_cream[label="x1"]; 160 | sugar_cube -> popsicle[label="x1"]; 161 | sugar_cube -> bagel[label="x1"]; 162 | 163 | syrup -> brownie[label="x1"]; 164 | syrup -> eskimo_pie[label="x1"]; 165 | 166 | rubber -> wallpaper[label="x1"]; 167 | 168 | milk -> cream[label="x"]; 169 | milk -> cheese[label="x2"]; 170 | 
milk -> ice_cream[label="x1"]; 171 | milk -> butter[label="x3"]; 172 | milk -> yogurt[label="x4"]; 173 | milk -> milkshake[label="x2"]; 174 | 175 | egg -> muffin[label="x4"]; 176 | egg -> cupcake[label="x5"]; 177 | egg -> cookies[label="x4"]; 178 | egg -> bagel[label="x3"]; 179 | egg -> potato_bread[label="x4"]; 180 | 181 | wol -> yarn[label="x2"]; 182 | 183 | cream -> french_fries[label="x1"]; 184 | cream -> ice_cream[label="x1"]; 185 | cream -> frozen_yogurt[label="x1"]; 186 | 187 | cheese -> cheeseburger[label="x1"]; 188 | cheese -> pizza[label="x1"]; 189 | 190 | butter -> sandwich[label="x1"]; 191 | butter -> brownie[label="x1"]; 192 | 193 | yogurt -> frozen_yogurt[label="x1"]; 194 | 195 | yarn -> sweater[label="x1"]; 196 | yarn -> coat[label="x1"]; 197 | 198 | cotton_fabric -> shirt[label="x1"]; 199 | cotton_fabric -> coat[label="x1"]; 200 | cotton_fabric -> hat[label="x1"]; 201 | 202 | silk_fabric -> hat[label="x1"]; 203 | 204 | bread -> cheeseburger[label="x2"]; 205 | bread -> sandwich[label="x1"]; 206 | 207 | } 208 | 209 | -------------------------------------------------------------------------------- /images/.placeholder: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /images/contrail_wireshark_no_header.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rendoaw/notes/be05bba6e92c5f36b2db4446b866df0fab7e8445/images/contrail_wireshark_no_header.png -------------------------------------------------------------------------------- /images/contrail_wireshark_vanilla.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rendoaw/notes/be05bba6e92c5f36b2db4446b866df0fab7e8445/images/contrail_wireshark_vanilla.png -------------------------------------------------------------------------------- 
/images/contrail_wireshark_with_agent_dissector.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rendoaw/notes/be05bba6e92c5f36b2db4446b866df0fab7e8445/images/contrail_wireshark_with_agent_dissector.png -------------------------------------------------------------------------------- /images/wireshark_in_analyzer_vm.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rendoaw/notes/be05bba6e92c5f36b2db4446b866df0fab7e8445/images/wireshark_in_analyzer_vm.png -------------------------------------------------------------------------------- /juniper/junos.allow.v4mapped.packets.md: -------------------------------------------------------------------------------- 1 | 2 | ## Problem 3 | 4 | by default JunOS will block the traffic going to ::ffff:a.b.c.d ipv4 mapped IPv6 address. It is applied for both sending, terminating and transit traffic. 5 | reference: https://www.juniper.net/documentation/en_US/junos14.2/topics/task/configuration/ipv6-ipv4-mapped-addresses-processing-enabling.html 6 | 7 | example: 8 | 9 | ``` 10 | rwibawa@vmx-13-12# run ping ::ffff:76.5.255.11 source 2400:67:176:255::2 11 | PING6(56=40+8+8 bytes) ::ffff:67.176.0.25 --> ::ffff:76.5.255.11 12 | ^C 13 | --- ::ffff:76.5.255.11 ping6 statistics --- 14 | 3 packets transmitted, 0 packets received, 100% packet loss 15 | ``` 16 | 17 | ### Solution 18 | * configure "allow-v4mapped-packets" on all router from the source to the destination 19 | 20 | ``` 21 | 22 | [edit] 23 | rwibawa@vmx-13-12# set system allow-v4mapped-packets 24 | 25 | [edit] 26 | rwibawa@vmx-13-12# commit 27 | commit complete 28 | 29 | [edit] 30 | rwibawa@vmx-13-12# run ping ::ffff:76.5.255.11 source 2400:67:176:255::2 31 | PING6(56=40+8+8 bytes) ::ffff:67.176.0.25 --> ::ffff:76.5.255.11 32 | 16 bytes from ::ffff:76.5.255.11, icmp_seq=0 hlim=63 time=5.483 ms 33 | 16 bytes from ::ffff:76.5.255.11, icmp_seq=1 
hlim=63 time=3.389 ms 34 | ^C 35 | --- ::ffff:76.5.255.11 ping6 statistics --- 36 | 2 packets transmitted, 2 packets received, 0% packet loss 37 | round-trip min/avg/max/std-dev = 3.389/4.436/5.483/1.047 ms 38 | 39 | ``` 40 | 41 | * if you are using 6PE, you need to enable this knob on each router that actually processes IPv6 packets. There is no need to enable the knob on LSRs that do their lookup based on the label. You need to do the same as in the example above on all intermediate routers. 42 | -------------------------------------------------------------------------------- /juniper/junos.bgp.authentication.md: -------------------------------------------------------------------------------- 1 | # BGP authentication 2 | 3 | ## md5 4 | 5 | ``` 6 | rwibawa@vmx-13-11# show protocols bgp group as766 7 | ... 8 | family inet { 9 | unicast; 10 | } 11 | authentication-key "$9$h.3SyK8X-gaZbwTz"; ## SECRET-DATA 12 | peer-as 766; 13 | neighbor 67.176.0.162; 14 | ``` 15 | 16 | 17 | ## md5 with keychain 18 | 19 | ``` 20 | rwibawa@vmx-13-11# show protocols bgp group as766 21 | ... 22 | family inet { 23 | unicast; 24 | } 25 | authentication-key-chain bgpkey; 26 | peer-as 766; 27 | neighbor 67.176.0.162; 28 | 29 | 30 | rwibawa@vmx-13-11# show security authentication-key-chains key-chain bgpkey 31 | key 1 { 32 | secret "$9$fTQnCtOSlKIRwY"; ## SECRET-DATA 33 | start-time "2000-1-1.00:01:00 +0000"; 34 | algorithm md5; 35 | } 36 | ``` 37 | -------------------------------------------------------------------------------- /juniper/junos.duplicated.ipv6-link-local.md: -------------------------------------------------------------------------------- 1 | # JunOS - Duplicated IPv6 Link Local 2 | 3 | ## Problem 4 | * One side of ISIS link lists the neighbor with "!" 
mark 5 | * The other side shows "Addresses, Flags: Is-Preferred Duplicate" 6 | 7 | 8 | ## Symptomp 9 | 10 | ### at neighbor router 11 | 12 | ``` 13 | lab@vmx-13-17# run show isis adjacency 14 | Interface System L State Hold (secs) SNPA 15 | ge-0/0/3.0 vmx-13-18 ! 2 Up 8 0:50:58:13:18:5 16 | ge-0/0/4.0 vmx-13-15 2 Up 25 0:50:58:13:15:7 17 | 18 | 19 | lab@vmx-13-17# run show interfaces ge-0/0/3.0 20 | Logical interface ge-0/0/3.0 (Index 339) (SNMP ifIndex 555) 21 | Description: R8 22 | Flags: Up SNMP-Traps 0x4004000 Encapsulation: ENET2 23 | Input packets : 501571 24 | Output packets: 256001 25 | Protocol inet, MTU: 1500 26 | Flags: Sendbcast-pkt-to-re 27 | Addresses, Flags: Is-Preferred Is-Primary 28 | Destination: 89.100.0.0/30, Local: 89.100.0.1, Broadcast: 89.100.0.3 29 | Protocol iso, MTU: 1497 30 | Protocol inet6, MTU: 1500 31 | Flags: Is-Primary 32 | Addresses, Flags: Is-Preferred Is-Primary 33 | Destination: 2400:67:176:0:78::/126, Local: 2400:67:176:0:78::1 34 | Addresses, Flags: Is-Preferred 35 | Destination: fe80::/64, Local: fe80::205:86ff:fee6:1f01 36 | Protocol mpls, MTU: 1488, Maximum labels: 3 37 | Protocol multiservice, MTU: Unlimited 38 | 39 | 40 | ``` 41 | 42 | ### at local router 43 | 44 | * Flags: Protocol-Down 45 | * Flags: Is-Preferred Duplicate 46 | 47 | ``` 48 | 49 | lab@vmx-13-18# run show interfaces ge-0/0/1.0 50 | Logical interface ge-0/0/1.0 (Index 333) (SNMP ifIndex 552) 51 | Description: R7 52 | Flags: Up SNMP-Traps 0x4004000 Encapsulation: ENET2 53 | Input packets : 274249 54 | Output packets: 480226 55 | Protocol inet, MTU: 1500 56 | Flags: Sendbcast-pkt-to-re 57 | Addresses, Flags: Is-Preferred Is-Primary 58 | Destination: 89.100.0.0/30, Local: 89.100.0.2, Broadcast: 89.100.0.3 59 | Protocol iso, MTU: 1497 60 | Protocol inet6, MTU: 1500 61 | Flags: Protocol-Down, Down, Is-Primary 62 | Addresses, Flags: Is-Preferred Is-Primary 63 | Destination: 2400:67:176:0:78::/126, Local: 2400:67:176:0:78::2 64 | INET6 Address Flags: Tentative 65 | 
Addresses, Flags: Is-Preferred Duplicate 66 | Destination: fe80::/64, Local: fe80::205:86ff:fee6:1f01 67 | INET6 Address Flags: Duplicate 68 | Protocol mpls, MTU: 1488, Maximum labels: 3 69 | Protocol multiservice, MTU: Unlimited 70 | 71 | ``` 72 | 73 | 74 | ## Analysis 75 | 76 | ## Solution 77 | 78 | ### at local router 79 | 80 | ``` 81 | 82 | [edit] 83 | lab@vmx-13-18# 84 | 85 | [edit] 86 | lab@vmx-13-18# set interfaces ge-0/0/1.0 family inet6 address fe80::205:86ff:fee6:1f18/64 87 | 88 | [edit] 89 | lab@vmx-13-18# commit 90 | commit complete 91 | 92 | [edit] 93 | lab@vmx-13-18# set interfaces ge-0/0/1.0 disable 94 | 95 | [edit] 96 | lab@vmx-13-18# commit 97 | commit complete 98 | 99 | [edit] 100 | lab@vmx-13-18# delete interfaces ge-0/0/1.0 disable 101 | 102 | [edit] 103 | lab@vmx-13-18# commit 104 | commit complete 105 | 106 | ``` 107 | 108 | 109 | ## Verification 110 | 111 | ### at neighbor router 112 | 113 | ``` 114 | [edit] 115 | lab@vmx-13-17# run show isis adjacency 116 | Interface System L State Hold (secs) SNPA 117 | ge-0/0/3.0 vmx-13-18 2 Up 7 0:50:58:13:18:5 118 | ge-0/0/4.0 vmx-13-15 2 Up 26 0:50:58:13:15:7 119 | ``` 120 | 121 | 122 | 123 | -------------------------------------------------------------------------------- /juniper/junos.ipv6.prefix.over.ipv4.bgp.peering.md: -------------------------------------------------------------------------------- 1 | 2 | ## Configuration 3 | 4 | ### PE 5 | 6 | ``` 7 | rwibawa@vmx-13-11# show interfaces ge-0/0/0 unit 941 8 | vlan-id 941; 9 | family inet { 10 | address 67.176.0.161/30; 11 | } 12 | family inet6 { 13 | address 2400:67:176:6::1/126; 14 | } 15 | 16 | rwibawa@vmx-13-11# show protocols bgp group as766 17 | type external; 18 | family inet { 19 | unicast; 20 | } 21 | family inet6 { 22 | unicast; 23 | } 24 | peer-as 766; 25 | neighbor 67.176.0.162; 26 | ``` 27 | 28 | ### CE 29 | 30 | ``` 31 | rwibawa@VR# show interfaces lo0.941 32 | family inet { 33 | address 76.6.255.11/32; 34 | } 35 | family inet6 { 36 | 
address 2476:6:255::11/128; 37 | } 38 | 39 | [edit] 40 | rwibawa@VR# show interfaces ge-0/0/0.941 41 | vlan-id 941; 42 | family inet { 43 | address 67.176.0.162/30; 44 | } 45 | family inet6 { 46 | address 2400:67:176:6::2/126; 47 | } 48 | 49 | rwibawa@VR# show protocols bgp 50 | export rw-advertise-direct-all; 51 | local-as 766; 52 | group to-R1 { 53 | type external; 54 | family inet { 55 | unicast; 56 | } 57 | family inet6 { 58 | unicast; 59 | } 60 | peer-as 16689.7041; 61 | neighbor 67.176.0.161; 62 | } 63 | 64 | rwibawa@VR# top show policy-options policy-statement rw-advertise-direct-all 65 | term 1 { 66 | from protocol direct; 67 | then accept; 68 | } 69 | ``` 70 | 71 | 72 | 73 | ## Initial result 74 | 75 | * IPv6 prefix from the CE listed as hidden 76 | 77 | ``` 78 | rwibawa@vmx-13-11# run show route receive-protocol bgp 67.176.0.162 hidden extensive 79 | ... 80 | 81 | inet6.0: 30 destinations, 33 routes (29 active, 0 holddown, 2 hidden) 82 | 2400:67:176:6::/126 (2 entries, 1 announced) 83 | Nexthop: ::ffff:67.176.0.162 84 | AS path: 766 I 85 | Hidden reason: protocol nexthop is not on the interface 86 | 87 | 2476:6:255::11/128 (1 entry, 0 announced) 88 | Nexthop: ::ffff:67.176.0.162 89 | AS path: 766 I 90 | Hidden reason: protocol nexthop is not on the interface 91 | 92 | ... 93 | ``` 94 | 95 | 96 | ## Problem 97 | 98 | * IPv6 prefix is hidden because BGP peering is using IPv4. In this case, for any inet6 prefix, JunOS automatically map the next-hop to ::ffff:x.x.x.x IPv4-Mapped IPv6 Address. 99 | * Since the interface is actually using different format, regardless normal IPv6 format or ::x.x.x.x IPv4 mapped format, JunOS will consider the next-hop IP is unreachable. 100 | 101 | ## Solution 102 | 103 | * configure accept-remote-nexthop 104 | * change next-hop with the correct neighbor IPv6 address with BGP import policy 105 | * in addition to that, we also need to make sure that PE advertise correct next-hop for IPv6 prefix. 
We use export policy to change this. 106 | 107 | ``` 108 | rwibawa@vmx-13-11# show protocols bgp group as766 109 | type external; 110 | accept-remote-nexthop; 111 | import as766-import; 112 | family inet { 113 | unicast; 114 | } 115 | family inet6 { 116 | unicast; 117 | } 118 | export [ as766-export reject ]; 119 | peer-as 766; 120 | neighbor 67.176.0.162; 121 | 122 | 123 | rwibawa@vmx-13-11# show policy-options policy-statement as766-import 124 | term 1 { 125 | from next-hop ::ffff:67.176.0.162; 126 | then { 127 | next-hop 2400:67:176:6::2; 128 | accept; 129 | } 130 | } 131 | 132 | rwibawa@vmx-13-11# show policy-options policy-statement as766-export 133 | term 1 { 134 | from { 135 | protocol direct; 136 | rib inet6.0; 137 | } 138 | then { 139 | next-hop 2400:67:176:6::1; 140 | accept; 141 | } 142 | } 143 | term 2 { 144 | from protocol direct; 145 | then accept; 146 | } 147 | ``` 148 | 149 | ## Verification 150 | 151 | * make sure no hidden route anymore 152 | 153 | ``` 154 | rwibawa@vmx-13-11# run show route receive-protocol bgp 67.176.0.162 hidden table inet6.0 155 | 156 | inet6.0: 30 destinations, 33 routes (30 active, 0 holddown, 0 hidden) 157 | 158 | 159 | rwibawa@vmx-13-11# run show route receive-protocol bgp 67.176.0.162 table inet6 160 | 161 | inet6.0: 30 destinations, 33 routes (30 active, 0 holddown, 0 hidden) 162 | Prefix Nexthop MED Lclpref AS path 163 | 2400:67:176:6::/126 ::ffff:67.176.0.162 766 I 164 | * 2476:6:255::11/128 ::ffff:67.176.0.162 766 I 165 | 166 | ``` 167 | 168 | * make sure PE send correct next-hop 169 | 170 | ``` 171 | rwibawa@vmx-13-11# run show route advertising-protocol bgp 67.176.0.162 table inet6.0 172 | 173 | inet6.0: 30 destinations, 33 routes (30 active, 0 holddown, 0 hidden) 174 | Prefix Nexthop MED Lclpref AS path 175 | * ::67.176.0.156/126 2400:67:176:6::1 I 176 | 2400:67:176:0:12::/126 177 | * 2400:67:176:6::1 I 178 | 2400:67:176:0:13::/126 179 | * 2400:67:176:6::1 I 180 | * 2400:67:176:6::/126 2400:67:176:6::1 I 181 | 
2400:67:176:255::1/128 182 | * 2400:67:176:6::1 I 183 | ``` 184 | 185 | ## Alternative solution 186 | 187 | * You can avoid the problem above by configuring an explicit IPv6 BGP neighbor (peering over the link's IPv6 addresses). You then have two BGP sessions to the same CE, one for IPv4 and one for IPv6, and neither `accept-remote-nexthop` nor the next-hop rewrite policies are needed. 188 | 189 | 190 | 191 | 192 | -------------------------------------------------------------------------------- /juniper/junos.isis.authentication.md: -------------------------------------------------------------------------------- 1 | # ISIS authentication 2 | 3 | ## level based 4 | 5 | * simple — the key is carried in cleartext in every IIH/LSP/SNP, so it only prevents accidental adjacencies; do not rely on it against anyone who can sniff the segment 6 | 7 | ``` 8 | rwibawa@vmx-13-14# show protocols isis 9 | level 1 disable; 10 | level 2 { 11 | authentication-key "$9$PfT36/tBRSHqfz36u0vWLXVYJZjkmT"; ## SECRET-DATA 12 | authentication-type simple; 13 | wide-metrics-only; 14 | } 15 | interface ge-0/0/0.916; 16 | interface ge-0/0/1.0; 17 | interface ge-0/0/5.0; 18 | interface lo0.0; 19 | 20 | [edit] 21 | rwibawa@vmx-13-14# run show isis authentication 22 | Interface Level IIH Auth CSN Auth PSN Auth 23 | ge-0/0/0.916 2 Simple Simple Simple 24 | ge-0/0/1.0 2 Simple Simple Simple 25 | ge-0/0/5.0 2 Simple Simple Simple 26 | 27 | L2 LSP Authentication: Simple 28 | ``` 29 | 30 | * md5 — same key as above, only `authentication-type` changes to md5 (HMAC-MD5, so the key itself never goes on the wire); both ends of every link must use the same type and key or the adjacency will not form 31 | 32 | ``` 33 | rwibawa@vmx-13-14# show protocols isis 34 | level 1 disable; 35 | level 2 { 36 | authentication-key "$9$PfT36/tBRSHqfz36u0vWLXVYJZjkmT"; ## SECRET-DATA 37 | authentication-type md5; 38 | wide-metrics-only; 39 | } 40 | interface ge-0/0/0.916; 41 | interface ge-0/0/1.0; 42 | interface ge-0/0/5.0; 43 | interface lo0.0; 44 | 45 | ``` 46 | 47 | * md5 with key-chain — identical on the wire to md5, but the secret lives under `security authentication-key-chains` and a second `key` with a later `start-time` can be staged for rollover 48 | 49 | ``` 50 | rwibawa@vmx-13-12# show protocols isis 51 | level 1 disable; 52 | level 2 { 53 | authentication-key-chain isiskey; 54 | wide-metrics-only; 55 | } 56 | interface ge-0/0/0.5; 57 | interface ge-0/0/1.0; 58 | interface ge-0/0/2.0; 59 | interface ge-0/0/3.0; 60 | interface ge-0/0/4.0; 61 | interface lo0.0; 62 | 63 | rwibawa@vmx-13-12# show security
authentication-key-chains { 65 | key-chain isiskey { 66 | key 1 { 67 | secret "$9$bHwYoJZj.fz7-wgoJHk9ApuRSvMXNVY"; ## SECRET-DATA 68 | start-time "2000-1-1.00:00:00 +0000"; 69 | algorithm md5; 70 | } 71 | } 72 | } 73 | ``` 74 | 75 | 76 | 77 | ## interface level - hello authentication 78 | 79 | * simple 80 | 81 | ``` 82 | rwibawa@vmx-13-12# show protocols isis 83 | level 1 disable; 84 | level 2 { 85 | wide-metrics-only; 86 | } 87 | interface ge-0/0/0.5 { 88 | level 2 hello-authentication-key "$9$MFyL7VgoGqmTwYmTz3tpWLxNwY"; ## SECRET-DATA 89 | } 90 | ``` 91 | 92 | * md5 93 | 94 | ``` 95 | rwibawa@vmx-13-12# show protocols isis 96 | level 1 disable; 97 | level 2 { 98 | wide-metrics-only; 99 | } 100 | interface ge-0/0/2.0 { 101 | level 2 { 102 | hello-authentication-key "$9$S7YlvLdb2GDkxNDk.P3nylKW7-"; ## SECRET-DATA 103 | hello-authentication-type md5; 104 | } 105 | } 106 | ``` 107 | 108 | 109 | * md5 with key-chain (interoperable with md5 only) 110 | 111 | ``` 112 | rwibawa@vmx-13-14# show protocols isis 113 | level 1 disable; 114 | level 2 wide-metrics-only; 115 | interface ge-0/0/0.916; 116 | interface ge-0/0/1.0 { 117 | level 2 hello-authentication-key-chain isiskey; 118 | } 119 | interface ge-0/0/5.0; 120 | interface lo0.0; 121 | 122 | 123 | rwibawa@vmx-13-14# show security 124 | authentication-key-chains { 125 | key-chain isiskey { 126 | key 1 { 127 | secret "$9$8QQx-woJDmfzYgfz36u0LxNV24"; ## SECRET-DATA 128 | start-time "2000-1-1.00:00:00 +0000"; 129 | algorithm md5; 130 | } 131 | } 132 | } 133 | ``` 134 | -------------------------------------------------------------------------------- /juniper/junos.knob.default-address-selection.md: -------------------------------------------------------------------------------- 1 | 2 | reference: http://www.juniper.net/documentation/en_US/junos13.2/topics/reference/configuration-statement/default-address-selection-edit-system.html 3 | 4 | 5 | ### base config 6 | 7 | * R6 8 | 9 | ``` 10 | rwibawa@vmx-13-16> show 
configuration interfaces lo0 11 | unit 0 { 12 | family inet { 13 | address 67.176.255.6/32; 14 | } 15 | family iso { 16 | address 49.0002.0671.7625.5006.00; 17 | } 18 | family inet6 { 19 | address 2400:67:176:255::6/128; 20 | } 21 | } 22 | 23 | rwibawa@vmx-13-16> show configuration interfaces ge-0/0/0.42 24 | description R8; 25 | vlan-id 42; 26 | family inet { 27 | address 67.176.0.37/30; 28 | } 29 | family inet6 { 30 | address 2400:67:176:0:68::1/126; 31 | } 32 | family mpls; 33 | ``` 34 | 35 | * R8 36 | 37 | ``` 38 | rwibawa@vmx-13-18# show interfaces lo0 39 | unit 0 { 40 | family inet { 41 | address 67.176.255.8/32; 42 | } 43 | family iso { 44 | address 49.0002.0671.7625.5008.00; 45 | } 46 | family inet6 { 47 | address 2400:67:176:255::8/128; 48 | } 49 | } 50 | 51 | rwibawa@vmx-13-18# show interfaces ge-0/0/4 52 | unit 0 { 53 | description R6; 54 | family inet { 55 | address 67.176.0.38/30; 56 | } 57 | family inet6 { 58 | address 2400:67:176:0:68::2/126; 59 | } 60 | family mpls; 61 | } 62 | ``` 63 | 64 | ### knob configuration 65 | 66 | ``` 67 | rwibawa@vmx-13-18# show system 68 | ... 69 | default-address-selection; 70 | ... 
71 | ``` 72 | 73 | 74 | ### without "default-address-selection" knob 75 | 76 | * ping 77 | 78 | ``` 79 | rwibawa@vmx-13-18# run ping 67.176.255.6 80 | 81 | rwibawa@vmx-13-18# run ping 2400:67:176:0:68::1 82 | ``` 83 | 84 | * monitor traffic interface on the neighbor side 85 | 86 | ``` 87 | 00:51:07.456383 In IP6 2400:67:176:0:68::2 > 2400:67:176:0:68::1: ICMP6, echo request, seq 3, length 16 88 | 00:51:07.456414 Out IP6 2400:67:176:0:68::1 > 2400:67:176:0:68::2: ICMP6, echo reply, seq 3, length 16 89 | 00:51:08.456840 In IP6 2400:67:176:0:68::2 > 2400:67:176:0:68::1: ICMP6, echo request, seq 4, length 16 90 | 00:51:08.456873 Out IP6 2400:67:176:0:68::1 > 2400:67:176:0:68::2: ICMP6, echo reply, seq 4, length 16 91 | 92 | 00:47:49.452825 In IP 67.176.0.38 > 67.176.255.6: ICMP echo request, id 63375, seq 27, length 64 93 | 00:47:49.452843 Out IP 67.176.255.6 > 67.176.0.38: ICMP echo reply, id 63375, seq 27, length 64 94 | 00:47:50.462942 In IP 67.176.0.38 > 67.176.255.6: ICMP echo request, id 63375, seq 28, length 64 95 | 00:47:50.462963 Out IP 67.176.255.6 > 67.176.0.38: ICMP echo reply, id 63375, seq 28, length 64 96 | ``` 97 | 98 | 99 | ### with "default-address-selection" knob 100 | 101 | * ping 102 | 103 | ``` 104 | rwibawa@vmx-13-18# run ping 67.176.255.6 105 | 106 | rwibawa@vmx-13-18# run ping 2400:67:176:0:68::1 107 | ``` 108 | 109 | * monitor traffic interface on the neighbor side 110 | 111 | ``` 112 | 00:48:21.450930 In IP 67.176.255.8 > 67.176.255.6: ICMP echo request, id 35217, seq 0, length 64 113 | 00:48:21.450959 Out IP 67.176.255.6 > 67.176.255.8: ICMP echo reply, id 35217, seq 0, length 64 114 | 00:48:22.453550 In IP 67.176.255.8 > 67.176.255.6: ICMP echo request, id 35217, seq 1, length 64 115 | 00:48:22.453567 Out IP 67.176.255.6 > 67.176.255.8: ICMP echo reply, id 35217, seq 1, length 64 116 | 117 | 00:51:28.643581 In IP6 2400:67:176:255::8 > 2400:67:176:0:68::1: ICMP6, echo request, seq 0, length 16 118 | 00:51:28.643622 Out IP6 
2400:67:176:0:68::1 > 2400:67:176:255::8: ICMP6, echo reply, seq 0, length 16 119 | 00:51:28.663514 In IP6 2400:67:176:255::8 > 2400:67:176:0:68::1: ICMP6, echo request, seq 1, length 16 120 | 00:51:28.663545 Out IP6 2400:67:176:0:68::1 > 2400:67:176:255::8: ICMP6, echo reply, seq 1, length 16 121 | ``` 122 | 123 | 124 | -------------------------------------------------------------------------------- /juniper/junos.l2vpn.md: -------------------------------------------------------------------------------- 1 | # Various type of JunOS L2VPN 2 | 3 | ## CCC 4 | 5 | * JunOS legacy L2VPN type 6 | * requires 1 dedicated transmiting LSP and 1 dedicated receiving LSP 7 | * Configuration example 8 | 9 | ``` 10 | rwibawa@vmx-13-11# show protocols connections 11 | remote-interface-switch PE14 { 12 | interface ge-0/0/0.970; 13 | transmit-lsp ccc-r1-r4; 14 | receive-lsp ccc-r4-r1; 15 | } 16 | 17 | [edit] 18 | rwibawa@vmx-13-11# show interfaces ge-0/0/0.970 19 | apply-groups-except interface-group; 20 | encapsulation vlan-ccc; 21 | vlan-id 970; 22 | input-vlan-map { 23 | swap; 24 | vlan-id 969; 25 | } 26 | output-vlan-map swap; 27 | family ccc; 28 | ``` 29 | 30 | * redundancy is achieved by configuring multiple path for transmit LSP 31 | 32 | 33 | ## BGP-based L2VPN (L2VPN Kompella) 34 | 35 | * Using BGP for signaling and auto-discovery 36 | * redundancy is achived by setting site-preference on local site. Same as BGP-based VPLS. 
37 | * required BGP family l2vpn signaling 38 | * configuration 39 | 40 | ``` 41 | rwibawa@vmx-13-11# show routing-instances L2VPN1 42 | instance-type l2vpn; 43 | interface ge-0/0/0.967; 44 | route-distinguisher 67.176.255.1:782; 45 | vrf-target target:7041:782; 46 | protocols { 47 | l2vpn { 48 | encapsulation-type ethernet-vlan; 49 | interface ge-0/0/0.967; 50 | site 1 { 51 | site-identifier 1; 52 | interface ge-0/0/0.967; 53 | } 54 | } 55 | } 56 | 57 | [edit] 58 | rwibawa@vmx-13-11# show interfaces ge-0/0/0.967 59 | apply-groups-except interface-group; 60 | encapsulation vlan-ccc; 61 | vlan-id 967; 62 | input-vlan-map { 63 | swap; 64 | vlan-id 966; 65 | } 66 | output-vlan-map swap; 67 | family ccc; 68 | ``` 69 | 70 | ## LDP-based L2VPN (L2VPN Martini) 71 | 72 | * no BGP is required 73 | * targeted LDP is used between local PE and remote PE 74 | * redundancy is achived by configuring backup neighbor explicitly 75 | * configuration 76 | 77 | ``` 78 | rwibawa@vmx-13-11# show protocols l2circuit 79 | neighbor 67.176.255.7 { 80 | interface ge-0/0/0.964 { 81 | virtual-circuit-id 781; 82 | backup-neighbor 67.176.255.4 { 83 | virtual-circuit-id 781; 84 | } 85 | } 86 | } 87 | 88 | [edit] 89 | rwibawa@vmx-13-11# show interfaces ge-0/0/0.964 90 | apply-groups-except interface-group; 91 | encapsulation vlan-ccc; 92 | vlan-id 964; 93 | input-vlan-map { 94 | swap; 95 | vlan-id 963; 96 | } 97 | output-vlan-map swap; 98 | family ccc; 99 | ``` 100 | -------------------------------------------------------------------------------- /juniper/junos.map.prefix.to.lsp.example.md: -------------------------------------------------------------------------------- 1 | 2 | # Example: Map prefix to specific LSP 3 | 4 | ## Configuration 5 | 6 | * at egress PE, tag the prefix with specific community 7 | 8 | ``` 9 | rwibawa@vmx-13-11# show routing-instances ASUS 10 | instance-type vrf; 11 | interface ge-0/0/0.943; 12 | interface lo0.943; 13 | route-distinguisher 67.176.255.1:773; 14 | vrf-import 
ASUS-import; 15 | vrf-export ASUS-export; 16 | vrf-table-label; 17 | protocols { 18 | ospf { 19 | export rw-redistribute-bgp-all; 20 | area 0.0.0.0 { 21 | interface all; 22 | } 23 | } 24 | } 25 | 26 | [edit] 27 | rwibawa@vmx-13-11# show policy-options policy-statement ASUS-export 28 | term 1 { 29 | from { 30 | route-filter 77.3.0.11/32 exact; 31 | } 32 | then { 33 | community set ASUS; 34 | community add ASUS-1-1; 35 | accept; 36 | } 37 | } 38 | term default { 39 | from protocol [ ospf direct ]; 40 | then { 41 | community set ASUS; 42 | community add ASUS-1-2; 43 | accept; 44 | } 45 | } 46 | 47 | [edit] 48 | rwibawa@vmx-13-11# show policy-options community ASUS-1-1 49 | members 773:101; 50 | 51 | [edit] 52 | rwibawa@vmx-13-11# show policy-options community ASUS-1-2 53 | members 773:102; 54 | ``` 55 | 56 | 57 | * at ingress PE, configure routing-options - forwarding-table policy to match the community and assign specific LSP 58 | 59 | ``` 60 | rwibawa@vmx-13-12# show routing-options forwarding-table 61 | export ASUS-LSP; 62 | 63 | [edit] 64 | rwibawa@vmx-13-12# show policy-options policy-statement ASUS-LSP 65 | term 1 { 66 | from { 67 | rib bgp.l3vpn.0; 68 | community ASUS-1-1; 69 | } 70 | then { 71 | install-nexthop lsp r2-to-r1-b; 72 | accept; 73 | } 74 | } 75 | term 2 { 76 | from { 77 | rib bgp.l3vpn.0; 78 | community ASUS-1-2; 79 | } 80 | then { 81 | install-nexthop lsp r2-to-r1; 82 | accept; 83 | } 84 | } 85 | term default { 86 | then accept; 87 | } 88 | 89 | [edit] 90 | rwibawa@vmx-13-12# show routing-instances ASUS 91 | instance-type vrf; 92 | interface ge-0/0/0.932; 93 | interface lo0.932; 94 | route-distinguisher 67.176.255.2:773; 95 | inactive: vrf-import ASUS-import; 96 | inactive: vrf-export ASUS-export; 97 | vrf-target target:7041:773; 98 | vrf-table-label; 99 | protocols { 100 | ospf { 101 | export rw-redistribute-bgp-all; 102 | area 0.0.0.0 { 103 | interface all; 104 | } 105 | } 106 | } 107 | 108 | ``` 109 | 110 | 111 | ## Verification 112 | 113 | * 
traffic going to 77.3.0.11 will be using lsp r2-to-r1-b, the other prefix from R1 will be using lsp r2-to-r1 114 | 115 | ``` 116 | 117 | rwibawa@vmx-13-12# run show route table ASUS.inet 77.3.0.11/32 118 | 119 | ASUS.inet.0: 37 destinations, 41 routes (37 active, 0 holddown, 0 hidden) 120 | + = Active Route, - = Last Active, * = Both 121 | 122 | 77.3.0.11/32 *[BGP/170] 00:07:16, MED 1, localpref 100, from 67.176.255.103 123 | AS path: I, validation-state: unverified 124 | to 67.176.0.26 via ge-0/0/1.0, label-switched-path r2-to-r1-b 125 | 126 | 127 | 128 | rwibawa@vmx-13-12# run show route table ASUS.inet 77.3.0.111/32 129 | 130 | ASUS.inet.0: 37 destinations, 41 routes (37 active, 0 holddown, 0 hidden) 131 | + = Active Route, - = Last Active, * = Both 132 | 133 | 77.3.0.111/32 *[BGP/170] 00:07:19, MED 1, localpref 100, from 67.176.255.103 134 | AS path: I, validation-state: unverified 135 | to 67.176.0.26 via ge-0/0/1.0, label-switched-path r2-to-r1 136 | 137 | 138 | 139 | 140 | rwibawa@vmx-13-12# run show route table ASUS.inet 77.3.0.11/32 detail 141 | 142 | ASUS.inet.0: 37 destinations, 41 routes (37 active, 0 holddown, 0 hidden) 143 | 77.3.0.11/32 (1 entry, 1 announced) 144 | *BGP Preference: 170/-101 145 | Route Distinguisher: 67.176.255.1:773 146 | Next hop type: Indirect 147 | Address: 0xa5e7490 148 | Next-hop reference count: 3 149 | Source: 67.176.255.103 150 | Next hop type: Router, Next hop index: 1048582 151 | Next hop: 67.176.0.26 via ge-0/0/1.0 weight 0x1 152 | Label-switched-path r2-to-r1 153 | Label operation: Push 18 154 | Label TTL action: prop-ttl 155 | Load balance label: Label 18: None; 156 | Session Id: 0x141 157 | Next hop: 67.176.0.26 via ge-0/0/1.0 weight 0x1, selected 158 | Label-switched-path r2-to-r1-b 159 | Label operation: Push 18 160 | Label TTL action: prop-ttl 161 | Load balance label: Label 18: None; 162 | Session Id: 0x141 163 | Protocol next hop: 67.176.255.1 164 | Label operation: Push 18 165 | Label TTL action: prop-ttl 166 | 
Load balance label: Label 18: None; 167 | Indirect next hop: 0x97b9210 1048601 INH Session ID: 0x1e7 168 | State: 169 | Local AS: 1093737345 Peer AS: 1093737345 170 | Age: 1:10 Metric: 1 Metric2: 1 171 | Validation State: unverified 172 | Task: BGP_1093737345.67.176.255.103+64248 173 | Announcement bits (2): 0-KRT 1-ASUS-OSPF 174 | AS path: I (Originator) 175 | Cluster list: 67.176.255.103 176 | Originator ID: 67.176.255.1 177 | Communities: 773:101 target:7041:773 178 | Import Accepted 179 | VPN Label: 18 180 | Localpref: 100 181 | Router ID: 67.176.255.103 182 | Primary Routing Table bgp.l3vpn.0 183 | 184 | [edit] 185 | rwibawa@vmx-13-12# run show route table ASUS.inet 77.3.0.111/32 detail 186 | 187 | ASUS.inet.0: 37 destinations, 41 routes (37 active, 0 holddown, 0 hidden) 188 | 77.3.0.111/32 (1 entry, 1 announced) 189 | *BGP Preference: 170/-101 190 | Route Distinguisher: 67.176.255.1:773 191 | Next hop type: Indirect 192 | Address: 0xa5e6c20 193 | Next-hop reference count: 21 194 | Source: 67.176.255.103 195 | Next hop type: Router, Next hop index: 1048582 196 | Next hop: 67.176.0.26 via ge-0/0/1.0 weight 0x1, selected 197 | Label-switched-path r2-to-r1 198 | Label operation: Push 18 199 | Label TTL action: prop-ttl 200 | Load balance label: Label 18: None; 201 | Session Id: 0x141 202 | Next hop: 67.176.0.26 via ge-0/0/1.0 weight 0x1 203 | Label-switched-path r2-to-r1-b 204 | Label operation: Push 18 205 | Label TTL action: prop-ttl 206 | Load balance label: Label 18: None; 207 | Session Id: 0x141 208 | Protocol next hop: 67.176.255.1 209 | Label operation: Push 18 210 | Label TTL action: prop-ttl 211 | Load balance label: Label 18: None; 212 | Indirect next hop: 0x97b9100 1048600 INH Session ID: 0x1e7 213 | State: 214 | Local AS: 1093737345 Peer AS: 1093737345 215 | Age: 1:21 Metric: 1 Metric2: 1 216 | Validation State: unverified 217 | Task: BGP_1093737345.67.176.255.103+64248 218 | Announcement bits (2): 0-KRT 1-ASUS-OSPF 219 | AS path: I (Originator) 220 | 
Cluster list: 67.176.255.103 221 | Originator ID: 67.176.255.1 222 | Communities: 773:102 target:7041:773 223 | Import Accepted 224 | VPN Label: 18 225 | Localpref: 100 226 | Router ID: 67.176.255.103 227 | Primary Routing Table bgp.l3vpn.0 228 | 229 | ``` 230 | 231 | -------------------------------------------------------------------------------- /juniper/junos.netconf.example.md: -------------------------------------------------------------------------------- 1 | Send standard juniper stanza inside netconf 2 | ``` 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | system { 12 | host-name juniper1; 13 | } 14 | 15 | 16 | 17 | 18 | ]]>]]> 19 | 20 | 21 | 22 | 23 | 24 | ]]>]]> 25 | ``` 26 | 27 | 28 | get standard juniper show output inside netconf 29 | ``` 30 | 31 | 32 | 33 | Physical interface: ge-0/0/0, Enabled, Physical link is Up 34 | ]]>]]> 35 | Interface index: 138, SNMP ifIndex: 513 36 | Link-level type: Ethernet, MTU: 1518, MRU: 1526, LAN-PHY mode, 37 | Speed: 1000mbps, BPDU Error: None, MAC-REWRITE Error: None, 38 | Loopback: Disabled, Source filtering: Disabled, Flow control: Enabled 39 | Pad to minimum frame size: Disabled 40 | Device flags : Present Running 41 | 42 | .... 43 | 44 | 45 | ``` 46 | 47 | send standard text command and get output in text format 48 | ``` 49 | show mpls lsp terse 50 | 51 | 52 | Ingress LSP: 11 sessions 53 | Total 11 displayed, Up 11, Down 0 54 | 55 | Egress LSP: 16 sessions 56 | Total 16 displayed, Up 16, Down 0 57 | 58 | Transit LSP: 0 sessions 59 | Total 0 displayed, Up 0, Down 0 60 | 61 | 62 | ]]>]]> 63 | ``` 64 | 65 | send xml , get xml output 66 | ``` 67 | 68 | 69 | 70 | 71 | 72 | ge-0/0/0 73 | 74 | 75 | up 76 | 77 | 78 | up 79 | 80 | 81 | 138 82 | 83 | 84 | 518 85 | 86 | 87 | Ethernet 88 | 89 | ... 90 | ... 
91 | ``` 92 | 93 | -------------------------------------------------------------------------------- /juniper/junos.ospf.authentication.md: -------------------------------------------------------------------------------- 1 | # OSPF Authentication 2 | 3 | ``` 4 | rwibawa@vmx-13-11# show protocols ospf 5 | ... 6 | area 0.0.0.0 { 7 | interface ge-0/0/5.0 { 8 | authentication { 9 | simple-password "$9$-pbYoDi.z39JG39ApREdbs2JG"; ## SECRET-DATA 10 | } 11 | } 12 | interface ge-0/0/3.0 { 13 | authentication { 14 | md5 1 key "$9$ofZDk5Qnp0I.P0IEcvMaZU" start-time "2000-1-1.00:01:00 +0000"; ## SECRET-DATA 15 | } 16 | } 17 | interface lo0.0; 18 | } 19 | ``` 20 | 21 | * ge-0/0/5.0 is using simple-password authentication: the password is carried in cleartext in every OSPF packet on that link, so it only guards against accidental adjacencies, not against anyone who can sniff the segment 22 | * ge-0/0/3.0 is using md5 (key id 1): the packet carries a keyed hash rather than the key itself; a second key (`md5 2 key ... start-time ...`) can be staged for rollover, and key id, key and `start-time` must match on both ends of the link. In both cases the `$9$...` string in the config is reversible Junos obfuscation, not a hash, so treat any config paste containing it as the cleartext secret. 23 | -------------------------------------------------------------------------------- /juniper/junos.ospf.domain-id.md: -------------------------------------------------------------------------------- 1 | 2 | # OSPF Domain ID 3 | 4 | ## Official version 5 | 6 | #### source: 7 | * http://www.juniper.net/techpubs/en_US/junos12.1/topics/usage-guidelines/vpns-configuring-routing-between-pe-and-ce-routers-in-layer-3-vpns.html 8 | * http://www.juniper.net/documentation/en_US/junos12.1/topics/usage-guidelines/routing-configuring-ospf-domain-ids-for-vpns.html 9 | 10 | This extended community ID can then be carried across the BGP VPN backbone. When the route is redistributed back as an OSPF or OSPFv3 route on the PE router and advertised to the CE near the destination, the domain ID identifies which domain the route originated from. The routing instance checks incoming routes for the domain ID. The route is then propagated as either a Type 3 LSA or Type 5 LSA. 11 | 12 | When a PE router receives a route, it redistributes and advertises the route as either a Type 3 LSA or a Type 5 LSA, depending on the following: 13 | * If the receiving PE router sees a Type 3 route with a matching domain ID, the route is redistributed and advertised as a Type 3 LSA.
14 | * If the receiving PE router sees a Type 3 route without a domain ID (the extended attribute field of the route’s BGP update does not include a domain ID), the route is redistributed and advertised as a Type 3 LSA. 15 | * If the receiving PE router sees a Type 3 route with a non-matching domain ID, the route is redistributed and advertised as a Type 5 LSA. 16 | * If the receiving PE router sees a Type 3 route with a domain ID, but the router does not have a domain ID configured, the route is redistributed and advertised as a Type 5 LSA. 17 | * If the receiving PE router sees a Type 5 route, the route is redistributed and advertised as a Type 5 LSA, regardless of the domain ID. 18 | 19 | On the local PE router, the prefix of the directly connected PE/CE interface is an active direct route. This route is also an OSPF or OSPFv3 route. 20 | 21 | In the VRF export policy, the direct prefix is exported to advertise the route to the remote PE. This route is injected as an AS-External-LSA, much as when a direct route is exported into OSPF or OSPFv3. 22 | 23 | Domain ID ensures that an originated summary LSA arrives at the remote PE as a summary LSA. Domain ID does not translate AS-external-LSAs into summary LSAs. 
24 | 25 | #### other links: 26 | * http://www.juniper.net/documentation/en_US/junos15.1/topics/example/vpn-ospf-domain-id-for-layer-3-configuring.html 27 | 28 | 29 | ## Personal Observation 30 | * if vrf-target is being used at the prefix-advertiser PE, JunOS automatically include BGP extended attribute "domain-id:a.b.c.d:e" and "rte-type::" 31 | * config @ prefix-advertiser PE 32 | 33 | ``` 34 | lab@vmx-13-14# show routing-instances HP 35 | instance-type vrf; 36 | interface ge-0/0/0.937; 37 | interface lo0.937; 38 | route-distinguisher 67.176.255.4:7743; 39 | inactive: vrf-import HP-import; 40 | inactive: vrf-export HP-export; 41 | vrf-target target:7041:7742; 42 | vrf-table-label; 43 | protocols { 44 | ospf { 45 | export rw-redistribute-bgp-all; 46 | area 0.0.3.6 { 47 | interface all; 48 | } 49 | } 50 | } 51 | ``` 52 | 53 | * config @ prefix-receiver PE 54 | 55 | ``` 56 | lab@vmx-13-12# show routing-instances HP 57 | instance-type vrf; 58 | interface ge-0/0/0.936; 59 | interface lo0.936; 60 | route-distinguisher 67.176.255.2:7742; 61 | inactive: vrf-import HP-import; 62 | inactive: vrf-export HP-export; 63 | vrf-target target:7041:7742; 64 | protocols { 65 | ospf { 66 | export rw-redistribute-bgp-all; 67 | area 0.0.3.6 { 68 | interface all; 69 | } 70 | } 71 | } 72 | ``` 73 | 74 | * OSPF database @ prefix-receiver PE 75 | 76 | ``` 77 | lab@vmx-13-12# run show ospf database instance HP 78 | 79 | OSPF database, Area 0.0.3.6 80 | Type ID Adv Rtr Seq Age Opt Cksum Len 81 | Router *77.4.0.2 77.4.0.2 0x80000002 564 0x22 0xba19 48 82 | Summary *77.4.0.14 77.4.0.2 0x80000001 337 0xa2 0x7e8a 28 83 | OSPF AS SCOPE link state database 84 | Type ID Adv Rtr Seq Age Opt Cksum Len 85 | Extern *77.4.0.4 77.4.0.2 0x80000001 952 0xa2 0x74a7 36 86 | Extern *77.4.4.0 77.4.0.2 0x80000002 341 0xa2 0x5cc1 36 87 | Extern *77.4.44.0 77.4.0.2 0x80000001 572 0xa2 0xb63d 36 88 | Extern *77.4.45.0 77.4.0.2 0x80000001 572 0xa2 0xab47 36 89 | Extern *77.4.46.0 77.4.0.2 0x80000001 572 0xa2 
0xa051 36 90 | Extern *77.4.47.0 77.4.0.2 0x80000001 572 0xa2 0x955b 36 91 | ``` 92 | 93 | * BGP route @ prefix-receiver PE (see the line with Communities ... below) 94 | 95 | ``` 96 | 89.100.255.4:7743:77.4.0.14/32 (1 entry, 0 announced) 97 | *BGP Preference: 170/-101 98 | Route Distinguisher: 89.100.255.4:7743 99 | Next hop type: Indirect 100 | Address: 0xa67d280 101 | Next-hop reference count: 21 102 | Source: 89.100.255.3 103 | Next hop type: Router, Next hop index: 1147 104 | Next hop: 89.100.0.34 via ge-0/0/3.0, selected 105 | Label-switched-path r2-to-r4 106 | Label operation: Push 25, Push 303872(top) 107 | Label TTL action: prop-ttl, prop-ttl(top) 108 | Load balance label: Label 25: None; Label 303872: None; 109 | Session Id: 0x147 110 | Protocol next hop: 89.100.255.4 111 | Label operation: Push 25 112 | Label TTL action: prop-ttl 113 | Load balance label: Label 25: None; 114 | Indirect next hop: 0x9b60bb0 1048590 INH Session ID: 0x199 115 | State: 116 | Local AS: 1093737345 Peer AS: 1093737345 117 | Age: 7:11 Metric: 1 Metric2: 1 118 | Validation State: unverified 119 | Task: BGP_1093737345.89.100.255.3+55462 120 | AS path: I (Originator) 121 | Cluster list: 89.100.255.3 122 | Originator ID: 89.100.255.4 123 | Communities: target:7041:7742 rte-type:0.0.3.6:1:0 124 | Import Accepted 125 | VPN Label: 25 126 | Localpref: 100 127 | Router ID: 89.100.255.3 128 | Secondary Tables: HP.inet.0 129 | Indirect next hops: 1 130 | Protocol next hop: 89.100.255.4 Metric: 1 131 | Label operation: Push 25 132 | Label TTL action: prop-ttl 133 | Load balance label: Label 25: None; 134 | Indirect next hop: 0x9b60bb0 1048590 INH Session ID: 0x199 135 | Indirect path forwarding next hops: 1 136 | Next hop type: Router 137 | Next hop: 89.100.0.34 via ge-0/0/3.0 138 | Session Id: 0x147 139 | 89.100.255.4/32 Originating RIB: inet.3 140 | Metric: 1 Node path count: 1 141 | Forwarding nexthops: 1 142 | Nexthop: 89.100.0.34 via ge-0/0/3.0 143 | ``` 144 | 145 | 146 | * if 
`vrf-export` is used at the prefix-advertiser PE (the `inactive: vrf-export HP-export` line above was activated), the prefix-receiver PE no longer acts on the `domain-id:`/`rte-type:` communities and redistributes the prefix as an OSPF Type 5 (AS-external) LSA instead of a Type 3 summary. A likely explanation, not verified here, is that an explicit vrf-export policy replaces the automatic community attachment, so the policy itself has to add those extended communities; compare against the Juniper example linked above.
14 | -------------------------------------------------------------------------------- /juniper/junos.ospf.import-policy.md: -------------------------------------------------------------------------------- 1 | 2 | # JunOS OSPF Import Policy 3 | 4 | ## Official 5 | 6 | source: http://www.juniper.net/documentation/en_US/junos15.1/topics/example/ospf-import-routing-policy-configuring.html 7 | 8 | OSPF import policy allows you to prevent external routes from being added to the routing tables of OSPF neighbors. The import policy does not impact the OSPF database. This means that the import policy has no impact on the link-state advertisements. The filtering is done only on external routes in OSPF. The intra-area and interarea routes are not considered for filtering. The default action is to accept the route when the route does not match the policy. 9 | 10 | 11 | ## Personal note 12 | * possible case 13 | * backbone is using ISIS 14 | * PE-CE (non vpn) is using OSPF 15 | * CE is dual homed 16 | * make sure PE1/PE2 is not using CE to reach any destination in the backbone, especially for any external route 17 | * using import policy will block any unwanted external route in the OSPF database to be imported into routing table 18 | -------------------------------------------------------------------------------- /juniper/junos.route.resolution.md: -------------------------------------------------------------------------------- 1 | 2 | ## Problem 3 | It is common that people configure route-reflector outside the PE, either on dedicated router or on the P router. 4 | Those type of routers sometime doesn't have lsp configured (in rsvp-based network) or even may not running mpls at all. 5 | 6 | ## Symptomp 7 | 8 | * all non inet.0 routes become hidden with error message "next-hop unusable", for example 9 | 10 | ``` 11 | rwibawa@vmx-13-13# run show bgp summary 12 | ... 13 | Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped... 
14 | 67.176.255.1 16689.7041 183 9403 0 0 58:32 Establ 15 | inet.0: 7/7/7/0 16 | inet6.0: 0/4/4/0 17 | bgp.l3vpn.0: 0/45/45/0 18 | bgp.l2vpn.0: 0/1/1/0 19 | ... 20 | 21 | bgp.l3vpn.0: 148 destinations, 162 routes (0 active, 0 holddown, 162 hidden) 22 | 23 | 22:4003:108.42.0.22/32 (1 entry, 0 announced) 24 | BGP Preference: 170/-101 25 | Route Distinguisher: 22:4003 26 | Next hop type: Unusable 27 | Address: 0x94129e4 28 | Next-hop reference count: 186 29 | State: 30 | Local AS: 16689.7041 Peer AS: 16689.7041 31 | Age: 59:38 32 | Validation State: unverified 33 | Task: BGP_16689.7041.67.176.255.1+179 34 | AS path: 22 I 35 | Communities: target:22:4003 36 | Accepted 37 | VPN Label: 17 38 | Localpref: 100 39 | Router ID: 67.176.255.1 40 | Indirect next hops: 1 41 | Protocol next hop: 67.176.255.1 42 | Label operation: Push 17 43 | Label TTL action: prop-ttl 44 | Load balance label: Label 17: None; 45 | Indirect next hop: 0x2 no-forward INH Session ID: 0x0 46 | 47 | 48 | ``` 49 | 50 | ## Solution 51 | 52 | * for most cases, we can solve this issue by configuring either one of the following 53 | 54 | * option 1: for rsvp-based network, setup LSP from the RR to each BGP peering 55 | * this option doesn't work if RR has no MPLS configured at all 56 | 57 | * option 2: configure static route from inet.3 to inet.0 58 | 59 | ``` 60 | rwibawa@vmx-13-13# show routing-options 61 | rib inet.3 { 62 | static { 63 | route 0.0.0.0/0 next-table inet.0; 64 | } 65 | } 66 | ``` 67 | 68 | * option 3: configure route resolution mapping 69 | 70 | ``` 71 | rwibawa@vmx-13-13# show routing-options 72 | ... 73 | resolution { 74 | rib inet.3 { 75 | resolution-ribs inet.0; 76 | } 77 | rib bgp.l3vpn.0 { 78 | resolution-ribs inet.0; 79 | } 80 | rib bgp.l2vpn.0 { 81 | resolution-ribs inet.0; 82 | } 83 | } 84 | ... 85 | 86 | ``` 87 | * option 4: configure rib-groups inet.0 to inet.3 88 | 89 | ``` 90 | rwibawa@vmx-13-13# show routing-options 91 | ... 
92 | rib-groups { 93 | inet0-to-inet3 { 94 | import-rib [ inet.0 inet.3 ]; 95 | import-policy loopbacks; 96 | } 97 | } 98 | ... 99 | 100 | [edit logical-systems R3RR] 101 | rwibawa@vmx-13-13# show protocols ospf 102 | rib-group inet0-to-inet3; 103 | ... 104 | ``` 105 | 106 | * if you have 6PE configured, we also need the following rib-group configuration. The reason is, JunOS doesn't allow inet6.{0|3} resolution using inet.0 107 | 108 | * if you are using option 2 or option 3 above, you need to add rib-group for inet6.0 109 | 110 | ``` 111 | rwibawa@vmx-13-13# show routing-options 112 | ... 113 | rib-groups { 114 | inet0-to-inet6 { 115 | import-rib [ inet.0 inet6.0 ]; 116 | import-policy loopbacks; 117 | } 118 | } 119 | ... 120 | 121 | rwibawa@vmx-13-13# show protocols ospf 122 | rib-group inet0-to-inet6; 123 | ... 124 | ``` 125 | 126 | * if you are using option 4 above, you need to modify your rib-group 127 | 128 | ``` 129 | rwibawa@vmx-13-13# show routing-options 130 | ... 131 | rib-groups { 132 | inet0-to-inet3-and-inet6 { 133 | import-rib [ inet.0 inet.3 inet6.0 ]; 134 | import-policy loopbacks; 135 | } 136 | } 137 | ... 138 | 139 | rwibawa@vmx-13-13# show protocols ospf 140 | rib-group inet0-to-inet3-and-inet6; 141 | ... 
142 | ``` 143 | 144 | References: 145 | * http://www.juniper.net/documentation/en_US/junos14.1/topics/example/vpns-layer-3-route-resolution-route-reflector.html 146 | * http://blog.inetsix.net/2012/09/junos-as-pe-with-route-reflector-to-learn-vpn/ 147 | * http://www.gossamer-threads.com/lists/nsp/juniper/54404 148 | -------------------------------------------------------------------------------- /juniper/junos.snmpv3.sample.md: -------------------------------------------------------------------------------- 1 | sample config 2 | ``` 3 | user@mx04> show configuration snmp | no-more 4 | location "lab"; 5 | v3 { 6 | usm { 7 | local-engine { 8 | user user1_noauth { 9 | authentication-none; 10 | } 11 | user user2_authnopriv { 12 | authentication-md5 { 13 | authentication-key "$9$LZkxbsgoJUik8X-wY2GU/CAp0IylKW87n/lKMW-d.PfzF/BIEhylmfSrKv7NjHk.Tz3nCOIECA0IESeKoJZD.PQz6u0IGDHmTQn6yleW87wYgaGDg4Tzn/0OVwsg4ZmfT3/CoJHm5Qn6lKv8-V24aUikvW7VY2GU.P5F9ABIEyevB1wY4ojimfTQ9A"; ## SECRET-DATA 14 | } 15 | privacy-none; 16 | } 17 | user user3_authpriv { 18 | authentication-md5 { 19 | authentication-key "$9$v-OWNdwYgaGDKMX-VboaFn69A0EcyeK8QFcyleXxikqf5Fp0B1EcHqRhyr8LZUDimfTQnt0Bn6A0BRSyYg4JikPfzCA0oJUHmPQzEcSeK8-Vw2oJwsmfQFAt7-dws4HqmTFnYgUH.PQzcyrKX7bs2aGDre87Vboaik.536p0BESrpu-VsYZGHqmP36"; ## SECRET-DATA 20 | } 21 | privacy-des { 22 | privacy-key "$9$CCI2pu1SyKW87/CM87-ws36/ApBEhrW87CtWLN-2gn/9A1RcSev8XIRhrvMN-k.m536O1RcSeQFEcSrvMJGUjHmQFn/ApTQhSreXxjHk.mTFn/01R6/revMXxjHkqTz9CuIRS/9pBEhKv8X7db2JZji.P7-ikmfzFAp0BcyrevL7-/Cu1hSeKxNdsYo"; ## SECRET-DATA 23 | } 24 | } 25 | user user4_authpriv_sha { 26 | authentication-sha { 27 | authentication-key "$9$gjaJDmPQF69TQ6Apu1IEcyeK87-V2oJRhgoGUHk5QFntuSreLX-yrvL7-2gz3n6uOrevW87EhyKMW-dfTQ3Ctp0BSlKfThSylMWoJZji.f5F9Cu6/tO1EyrJGUHP5n/CtO1ikuOBRSyKM87bs24aGjHKMoJDjPfTz369p0BIRSrfTRhrlMWjHkq5Q"; ## SECRET-DATA 28 | } 29 | privacy-aes128 { 30 | privacy-key 
"$9$gCaJDHqmPQFji9Ap0hcwY2gZUiHmF39kqEcylMWUji.mTF39pO1zFnCu0hcoJZDjqQz6pu1CAxNdVY24aZGDkQFnpu1At7-wYoa36/CA0ylKLX-vMik.mTQFn/tBIrevL7-MWjH.PQzSrlvxN4aZUHqKMik.mTQlKvWNd4aZDjqJZFn6/tpRhSleW"; ## SECRET-DATA 31 | } 32 | } 33 | user user5 { 34 | authentication-md5 { 35 | authentication-key "$9$sR2ZUik.fQFwYoGDjPf1REcyKX7-bwgO17-Vboan/9pu1lKMWX769Lx-dg4TzFnAp0ORrKMREyKMLN-k.m5n/tpBSyKP5z6AtOBX7NbwgGDiqP5iHApO1yrJGUiHm69A01Rk.z6CtOB7-dwoJjHqfQFdbgJDjPfn/CuIElKMXNdleGDHkTQ69AtIE"; ## SECRET-DATA 36 | } 37 | privacy-aes128 { 38 | privacy-key "$9$wu2gJiHm5T3VwfT36AtNdVs2aUDk5T3wY5Qn6u0-VbsJGji.PTzZGDkPfn6lKv8NdoJGji.X7UjikPfIEhSrvX7-Vs2LXDik.zFSrlKvL7-V4JGdVk.PfzFSrleLxbwgZGiVb2aUDmPTz3/CuIRSyKM36ylvWx7s24ajHk.PQ36VwgJDi.mFn/tpB"; ## SECRET-DATA 39 | } 40 | } 41 | user user6 { 42 | authentication-sha { 43 | authentication-key "$9$J2UDkTQn/Ap3nA0B1hcylKW87VwYaGDSrJGiHmPFn/CO1evWN-wKvLNVwaJ69CA1RvWLx7VyrK8Xxwsz3n9uOBIEeM8z3reKMXxGDjq.5zF/pu1AtORhyKvDiHmQFCtuORh.P1RESeK8X7V24aZUiqm8XGDkqQz369ApBIEcSevz3SrvMXxqmPfFn"; ## SECRET-DATA 44 | } 45 | privacy-des { 46 | privacy-key "$9$CuESpu1EcyrvWIR7-VwaJn/9C0BREyW87hcoJGDkqBIRSyKW87Vs2MWLNbwaJtu01IcvMXVb2N-fTzF/9Ap0O1hvWLVb2-d5Qn/tp8XxN-wGDimPQHkRhSyKvWLxdYgUjHm5QkqIESrvMZUDHfTAp0BEcikRhSyKvDiHqTzAp01Icu0WLXxdV4aZDjq"; ## SECRET-DATA 47 | } 48 | } 49 | } 50 | } 51 | vacm { 52 | security-to-group { 53 | security-model usm { 54 | security-name v3test { 55 | group v3test; 56 | } 57 | security-name user1_noauth { 58 | group v3test; 59 | } 60 | security-name user2_authnopriv { 61 | group v3test_authnopriv; 62 | } 63 | security-name user3_authpriv { 64 | group v3test_authpriv; 65 | } 66 | security-name user4_authpriv_sha { 67 | group v3test_authpriv; 68 | } 69 | security-name user5 { 70 | group v3test_authpriv; 71 | } 72 | security-name user6 { 73 | group v3test_authpriv; 74 | } 75 | } 76 | } 77 | access { 78 | group v3test { 79 | default-context-prefix { 80 | security-model any { 81 | security-level none { 82 | read-view v3testview; 
83 | write-view v3testview; 84 | notify-view v3testview; 85 | } 86 | } 87 | } 88 | } 89 | group v3test_authnopriv { 90 | default-context-prefix { 91 | security-model any { 92 | security-level authentication { 93 | read-view v3testview; 94 | write-view v3testview; 95 | notify-view v3testview; 96 | } 97 | } 98 | } 99 | } 100 | group v3test_authpriv { 101 | default-context-prefix { 102 | security-model any { 103 | security-level privacy { 104 | read-view v3testview; 105 | write-view v3testview; 106 | notify-view v3testview; 107 | } 108 | } 109 | } 110 | } 111 | } 112 | } 113 | snmp-community v3test { 114 | security-name v3test; 115 | } 116 | } 117 | view v3testview { 118 | oid system include; 119 | oid .1 include; 120 | } 121 | community comm1 { 122 | authorization read-only; 123 | } 124 | trap-group comm1-dev { 125 | version v2; 126 | targets { 127 | 192.25.152.29; 128 | 192.25.152.74; 129 | 192.25.152.76; 130 | } 131 | } 132 | ``` 133 | 134 | sample query 135 | ``` 136 | 1. User "user1_noauth" will not require password 137 | snmpwalk -On -v 3 -u user1_noauth -c v3test 192.25.152.44 138 | 139 | 2. User "user2_authnopriv" requires authentication using md5 password "jnprpass" but no privacy/no encryption 140 | snmpwalk -v3 -u user2_authnopriv -a MD5 -A jnprpass -l authNoPriv 192.25.152.44 141 | 142 | 3. User "user3_authpriv" requires authentication using md5 password "jnprpass" and privacy/encryption using DES with key = jnprprivacy 143 | snmpwalk -v3 -u user3_authpriv -a MD5 -A jnprpass -x DES -X jnprprivacy -l authPriv 192.25.152.44 144 | ``` -------------------------------------------------------------------------------- /juniper/junos.verify.multicast.md: -------------------------------------------------------------------------------- 1 | The purpose of this post is to provide overview how to verify multicast traffic in Juniper if we don't have the real multicast source and receiver. 
2 | 3 | Before i start, i want to remind you that it is easy to verify the multicast traffic in Cisco router, in general we can do the following: 4 | * configure the last hop router (the router that one hop away from the multicast receiver host ) to statically join the desired group by using "ip igmp join-group group-address" command 5 | * do ping from first hop router (the router that one hop away from the multicast source host) 6 | * if the last hop router(s) are answering the ping request, then the multicast packet will be successfully transmitted from source to the receiver. 7 | 8 | 9 | The case will be slightly different for Juniper. 10 | 11 | It is a well-known that we can monitor traffic passing over Juniper interface except the packet destined to its local interface. This rule is also applied for multicast traffic with these additional condition: 12 | * by default, the last hop router will only join the group as requested by multicast receiver host behind it bu the last hop router will not listen into it 13 | * the multicast packet will just transiting into its interface and forwarding-engine, and not going to the routing-engine. 14 | * In the case when the multicast receiver host is not available, last hop router can be configured to statically join the desired group by using "set protocols igmp interface XXX static group YYY" command. But again, it is just joining, not listening. 15 | * Actually we can cheat Junos to make the last hop router listen to a multicast group by using "set protocol sap listen xxxx" command but this doesn't work for logical router. It seems if we enable sap on a logical router, actually it is enabled for the whole chassis. 16 | 17 | Based on the behavior above, it is clear why we can't use Cisco's way to verify Juniper multicast traffic. 
18 | 19 | Here are the diagram, step and example to verify juniper multicast traffic: 20 | 21 | 22 | notes: J1 is the first hop router, J7 us the last hop router, J5 is the RP 23 | 24 | do ping from first hop router with: 25 | * TTL long enough to reach the last hop router (by default, junos set ttl for ping packet towards multicast address to 0) 26 | * enable bypass-routing 27 | * repeat the packet long enough for you to do verification 28 | * use big packet size as long as it can produce > 1 kbps to be logged in the statistic (not sure the exact lowest limit, in cisco it is 4kbps) 29 | 30 | example: 31 | ``` 32 | erenari@SRLAB1> ping 235.1.0.7 logical-router j1 bypass-routing count 1000000000 ttl 10 size 60000 33 | PING 235.1.0.7 (235.1.0.7): 60000 data bytes 34 | Don't expect any return packet, it is normal 35 | On the last hop router, configure the static igmp 36 | example: set protocols igmp interface fe-1/3/0.777 static group 235.1.0.7 37 | check the multicast packet on last hop router, if everything works fine, we should get the result like the example below: 38 | 39 | example 1: there are packets received for 235.1.0.7 with 11.0.12.1 as the source 40 | 41 | erenari@SRLAB1> show multicast usage logical-router j7 detail 42 | Group Sources Packets Bytes 43 | 235.1.0.7 1 19117 14544260 44 | Source: 11.0.12.1 /32 Packets: 19117 Bytes: 14544260 45 | 46 | Prefix /len Groups Packets Bytes 47 | 11.0.12.1 /32 1 19117 14544260 48 | Group: 235.1.0.7 Packets: 19117 Bytes: 14544260 49 | ``` 50 | 51 | 52 | example 2: detailed multicast route info with bandwidth statistic 53 | ``` 54 | erenari@SRLAB1> show multicast route detail logical-router j7 55 | Family: INET 56 | 57 | Group: 235.1.0.7 58 | Source: 11.0.12.1/32 59 | Upstream interface: fe-1/3/0.947 60 | Downstream interface list: 61 | fe-1/3/0.777 62 | Session description: Unknown 63 | Statistics: 61 kBps, 80 pps, 22195 packets 64 | Next-hop ID: 262267 65 | Upstream protocol: PIM 66 | 67 | Family: INET6 68 | 69 | 
erenari@SRLAB1> 70 | ``` 71 | 72 | 73 | 74 | 75 | In addition to the above command, if you use PIM, you can always verify the PIM status. I provide some examples for PIM verification below: 76 | 77 | example 3: Check RP status 78 | ``` 79 | erenari@SRLAB1> show pim rps logical-router j1 ----> j1 is the first hop router 80 | Instance: PIM.master 81 | Address family INET 82 | RP address Type Holdtime Timeout Groups Group prefixes 83 | 11.0.9.99 bootstrap 150 124 1 224.0.0.0/4 84 | 85 | Address family INET6 86 | 87 | erenari@SRLAB1> show pim rps logical-router j7 detail ----> j7 is the first hop router 88 | Instance: PIM.master 89 | Address family INET 90 | 91 | RP: 11.0.9.99 92 | Learned from 11.0.47.4 via: bootstrap 93 | Time Active: 2w1d 12:02:10 94 | Holdtime: 150 with 112 remaining 95 | Group Ranges: 96 | 224.0.0.0/4, 112s remaining 97 | Active groups using RP: 98 | 235.1.0.7 99 | 224.2.127.254 100 | 101 | total 2 groups active 102 | 103 | Address family INET6 104 | ``` 105 | 106 | 107 | 108 | example 4: check bootstrap 109 | ``` 110 | erenari@SRLAB1> show pim bootstrap logical-router j7 111 | Instance: PIM.master 112 | 113 | BSR Pri Local address Pri State Timeout 114 | 11.0.3.4 20 11.0.9.7 0 InEligible 128 115 | None 0 2400:0:1::7 0 InEligible 0 116 | ``` 117 | 118 | 119 | example 5: check PIM join status on the RP site 120 | ``` 121 | erenari@SRLAB1> show pim join logical-router j5 detail 122 | Instance: PIM.master Family: INET 123 | 124 | Group: 224.2.127.254 125 | Source: * 126 | RP: 11.0.9.99 127 | Flags: sparse,rptree,wildcard 128 | Upstream interface: Local 129 | 130 | Group: 235.1.0.7 131 | Source: * 132 | RP: 11.0.9.99 133 | Flags: sparse,rptree,wildcard 134 | Upstream interface: Local 135 | 136 | Group: 235.1.0.7 137 | Source: 11.0.12.1 138 | Flags: sparse 139 | Upstream interface: fe-1/3/0.945 140 | 141 | Instance: PIM.master Family: INET6 142 | ``` 143 | -------------------------------------------------------------------------------- 
/juniper/junos.vpls.bgp-ldp-interworking.md: -------------------------------------------------------------------------------- 1 | 2 | # VPLS LDP-BGP interworking 3 | 4 | 5 | ## Topology 6 | 7 | ``` 8 | ---------------------------------MPLS Backbone--------------------------------- 9 | | | | 10 | PE11 (ldp) PE14(LDP+BGP) PE17(BGP) 11 | | | | 12 | CE1 CE2 CE3 13 | ``` 14 | 15 | ## Configuration 16 | 17 | * PE11 18 | 19 | ``` 20 | rwibawa@vmx-13-11# show interfaces ge-0/0/0.960 21 | apply-groups-except interface-group; 22 | encapsulation vlan-vpls; 23 | vlan-id 960; 24 | family vpls; 25 | 26 | [edit] 27 | rwibawa@vmx-13-11# show routing-instances VPLS6 28 | instance-type vpls; 29 | vlan-id 959; 30 | interface ge-0/0/0.960; 31 | protocols { 32 | vpls { 33 | no-tunnel-services; 34 | vpls-id 779; 35 | neighbor 67.176.255.4; 36 | } 37 | } 38 | ``` 39 | 40 | * PE14 41 | 42 | ``` 43 | rwibawa@vmx-13-14# show routing-instances VPLS6 44 | instance-type vpls; 45 | vlan-id 959; 46 | interface ge-0/0/0.961; 47 | route-distinguisher 67.176.255.4:779; 48 | vrf-target target:7041:779; 49 | protocols { 50 | vpls { 51 | no-tunnel-services; 52 | site 4 { 53 | site-identifier 4; 54 | } 55 | vpls-id 779; 56 | mesh-group LDP_PE { 57 | neighbor 67.176.255.1; 58 | } 59 | } 60 | } 61 | 62 | [edit] 63 | rwibawa@vmx-13-14# show interfaces ge-0/0/0.961 64 | apply-groups-except interface-group; 65 | encapsulation vlan-vpls; 66 | vlan-id 961; 67 | family vpls; 68 | ``` 69 | 70 | * PE17 71 | 72 | ``` 73 | rwibawa@vmx-13-17# show routing-instances VPLS6 74 | instance-type vpls; 75 | vlan-id 959; 76 | interface ge-0/0/0.962; 77 | route-distinguisher 67.176.255.7:779; 78 | vrf-target target:7041:779; 79 | protocols { 80 | vpls { 81 | no-tunnel-services; 82 | site 7 { 83 | site-identifier 7; 84 | } 85 | mac-flush; 86 | } 87 | } 88 | 89 | [edit] 90 | rwibawa@vmx-13-17# show interfaces ge-0/0/0.962 91 | apply-groups-except interface-group; 92 | encapsulation vlan-vpls; 93 | vlan-id 962; 94 | family 
vpls; 95 | ``` 96 | 97 | 98 | ## Verification 99 | 100 | * PE11 101 | 102 | ``` 103 | rwibawa@vmx-13-11# run show vpls connections instance VPLS6 104 | ... 105 | 106 | Instance: VPLS6 107 | VPLS-id: 779 108 | Neighbor Type St Time last up # Up trans 109 | 67.176.255.4(vpls-id 779) rmt Up Oct 21 02:48:22 2015 1 110 | Remote PE: 67.176.255.4, Negotiated control-word: No 111 | Incoming label: 262153, Outgoing label: 262154 112 | Negotiated PW status TLV: No 113 | Local interface: lsi.1048938, Status: Up, Encapsulation: ETHERNET 114 | Description: Intf - vpls VPLS6 neighbor 67.176.255.4 vpls-id 779 115 | Flow Label Transmit: No, Flow Label Receive: No 116 | ``` 117 | 118 | * PE14 119 | 120 | ``` 121 | rwibawa@vmx-13-14# run show vpls connections instance VPLS6 122 | ... 123 | 124 | Instance: VPLS6 125 | Edge protection: Not-Primary 126 | BGP-VPLS State 127 | Local site: 4 (4) 128 | connection-site Type St Time last up # Up trans 129 | 7 rmt Up Oct 24 01:49:51 2015 1 130 | Remote PE: 67.176.255.7, Negotiated control-word: No 131 | Incoming label: 262567, Outgoing label: 262532 132 | Local interface: lsi.1048627, Status: Up, Encapsulation: VPLS 133 | Description: Intf - vpls VPLS6 local site 4 remote site 7 134 | LDP-VPLS State 135 | VPLS-id: 779 136 | Mesh-group connections: LDP_PE 137 | Neighbor Type St Time last up # Up trans 138 | 67.176.255.1(vpls-id 779) rmt Up Oct 21 03:05:43 2015 1 139 | Remote PE: 67.176.255.1, Negotiated control-word: No 140 | Incoming label: 262154, Outgoing label: 262153 141 | Negotiated PW status TLV: No 142 | Local interface: lsi.1048625, Status: Up, Encapsulation: ETHERNET 143 | Description: Intf - vpls VPLS6 neighbor 67.176.255.1 vpls-id 779 144 | Flow Label Transmit: No, Flow Label Receive: No 145 | ``` 146 | 147 | * PE17 148 | 149 | ``` 150 | rwibawa@vmx-13-17# run show vpls connections instance VPLS6 151 | ... 
152 | Instance: VPLS6 153 | Edge protection: Not-Primary 154 | Local site: 7 (7) 155 | connection-site Type St Time last up # Up trans 156 | 4 rmt Up Oct 24 01:49:49 2015 1 157 | Remote PE: 67.176.255.4, Negotiated control-word: No 158 | Incoming label: 262532, Outgoing label: 262567 159 | Local interface: lsi.1048631, Status: Up, Encapsulation: VPLS 160 | Description: Intf - vpls VPLS6 local site 7 remote site 4 161 | ``` 162 | 163 | ## Conclusion 164 | 165 | 166 | ... to be continued ... 167 | -------------------------------------------------------------------------------- /juniper/junos.vpls.ldp.bgp_autodiscovery.md: -------------------------------------------------------------------------------- 1 | 2 | # JunOS LDP-based VPLS with BGP autodiscovery (FEC 129+BGP AD) 3 | 4 | ## General 5 | * The configuration is pretty much similar as normal LDP-based VPLS 6 | * The only difference is, no neighbor IP that need to be defined, and include "l2vpn-id" in addition to route-distingusher and vrf-target 7 | * In term of BGP configuration, we need to add "family l2vpn auto-discovery-only" 8 | 9 | ## Configuration 10 | 11 | ### Topology 12 | * consist of 3 PEs 13 | 14 | * generic BGP config 15 | 16 | ``` 17 | rwibawa@vmx-13-17# show protocols bgp 18 | group IBGP { 19 | type internal; 20 | local-address 67.176.255.7; 21 | import rtbh; 22 | ... 23 | family l2vpn { 24 | auto-discovery-only; ---> this is needed for LDP + BGP-AD 25 | } 26 | ... 27 | } 28 | ``` 29 | 30 | * note: "family l2vpn signalling" is not required for LDP VPLS + BGP AD. It is only required by BGP-based VPLS, which is outside of this article scope. 
31 | 32 | * PE1 33 | 34 | ``` 35 | rwibawa@vmx-13-11# show routing-instances VLDP5 36 | instance-type vpls; 37 | vlan-id 955; 38 | interface ge-0/0/0.956; 39 | route-distinguisher 67.176.255.1:778; 40 | l2vpn-id l2vpn-id:7041:778; 41 | vrf-target target:7041:778; 42 | protocols { 43 | vpls { 44 | no-tunnel-services; 45 | } 46 | } 47 | 48 | [edit] 49 | rwibawa@vmx-13-11# show interfaces ge-0/0/0.956 50 | apply-groups-except interface-group; 51 | encapsulation vlan-vpls; 52 | vlan-id 956; 53 | family vpls; 54 | ``` 55 | 56 | * PE4 57 | 58 | ``` 59 | rwibawa@vmx-13-14# show routing-instances VLDP5 60 | instance-type vpls; 61 | vlan-id 955; 62 | interface ge-0/0/0.957; 63 | route-distinguisher 67.176.255.4:778; 64 | l2vpn-id l2vpn-id:7041:778; 65 | vrf-target target:7041:778; 66 | protocols { 67 | vpls { 68 | no-tunnel-services; 69 | } 70 | } 71 | 72 | [edit] 73 | rwibawa@vmx-13-14# show interfaces ge-0/0/0.957 74 | apply-groups-except interface-group; 75 | encapsulation vlan-vpls; 76 | vlan-id 957; 77 | family vpls; 78 | ``` 79 | 80 | * PE7 81 | 82 | ``` 83 | rwibawa@vmx-13-17# show routing-instances VLDP5 84 | instance-type vpls; 85 | vlan-id 955; 86 | interface ge-0/0/0.958; 87 | route-distinguisher 67.176.255.7:778; 88 | l2vpn-id l2vpn-id:7041:778; 89 | vrf-target target:7041:778; 90 | protocols { 91 | vpls { 92 | no-tunnel-services; 93 | } 94 | } 95 | 96 | [edit] 97 | rwibawa@vmx-13-17# show interfaces ge-0/0/0.958 98 | apply-groups-except interface-group; 99 | encapsulation vlan-vpls; 100 | vlan-id 958; 101 | family vpls; 102 | ``` 103 | 104 | * Notes 105 | * due to limitation on the lab topology, each PE-CE interface is using different vlan-id 106 | * as a workaround, to make sure each CE can talk each other via VPLS, "vlan-id" knob is used to do automatica vlan-swapping. 107 | 108 | 109 | 110 | ## Verification 111 | 112 | * PE1 113 | 114 | ``` 115 | rwibawa@vmx-13-11# run show vpls connections instance VLDP5 116 | ... 
117 | 118 | Instance: VLDP5 119 | L2vpn-id: 7041:778 120 | Local-id: 67.176.255.1 121 | Remote-id Type St Time last up # Up trans 122 | 67.176.255.4 rmt Up Oct 21 02:40:43 2015 1 123 | Remote PE: 67.176.255.4, Negotiated control-word: No 124 | Incoming label: 262151, Outgoing label: 262151 125 | Negotiated PW status TLV: No 126 | Local interface: lsi.1048936, Status: Up, Encapsulation: ETHERNET 127 | Description: Intf - vpls VLDP5 local-id 67.176.255.1 remote-id 67.176.255.4 neighbor 67.176.255.4 128 | Flow Label Transmit: No, Flow Label Receive: No 129 | 67.176.255.7 rmt Up Oct 21 02:40:43 2015 1 130 | Remote PE: 67.176.255.7, Negotiated control-word: No 131 | Incoming label: 262152, Outgoing label: 262151 132 | Negotiated PW status TLV: No 133 | Local interface: lsi.1048937, Status: Up, Encapsulation: ETHERNET 134 | Description: Intf - vpls VLDP5 local-id 67.176.255.1 remote-id 67.176.255.7 neighbor 67.176.255.7 135 | Flow Label Transmit: No, Flow Label Receive: No 136 | ``` 137 | 138 | * PE4 139 | 140 | ``` 141 | rwibawa@vmx-13-14# run show vpls connections instance VLDP5 142 | ... 
143 | Instance: VLDP5 144 | L2vpn-id: 7041:778 145 | Local-id: 67.176.255.4 146 | Remote-id Type St Time last up # Up trans 147 | 67.176.255.1 rmt Up Oct 21 02:40:45 2015 1 148 | Remote PE: 67.176.255.1, Negotiated control-word: No 149 | Incoming label: 262151, Outgoing label: 262151 150 | Negotiated PW status TLV: No 151 | Local interface: lsi.1048621, Status: Up, Encapsulation: ETHERNET 152 | Description: Intf - vpls VLDP5 local-id 67.176.255.4 remote-id 67.176.255.1 neighbor 67.176.255.1 153 | Flow Label Transmit: No, Flow Label Receive: No 154 | 67.176.255.7 rmt Up Oct 21 02:40:45 2015 1 155 | Remote PE: 67.176.255.7, Negotiated control-word: No 156 | Incoming label: 262152, Outgoing label: 262152 157 | Negotiated PW status TLV: No 158 | Local interface: lsi.1048622, Status: Up, Encapsulation: ETHERNET 159 | Description: Intf - vpls VLDP5 local-id 67.176.255.4 remote-id 67.176.255.7 neighbor 67.176.255.7 160 | Flow Label Transmit: No, Flow Label Receive: No 161 | ``` 162 | 163 | * PE7 164 | 165 | ``` 166 | rwibawa@vmx-13-17# run show vpls connections instance VLDP5 167 | ... 
168 | 169 | Instance: VLDP5 170 | L2vpn-id: 7041:778 171 | Local-id: 67.176.255.7 172 | Remote-id Type St Time last up # Up trans 173 | 67.176.255.1 rmt Up Oct 21 02:40:43 2015 1 174 | Remote PE: 67.176.255.1, Negotiated control-word: No 175 | Incoming label: 262151, Outgoing label: 262152 176 | Negotiated PW status TLV: No 177 | Local interface: lsi.1048626, Status: Up, Encapsulation: ETHERNET 178 | Description: Intf - vpls VLDP5 local-id 67.176.255.7 remote-id 67.176.255.1 neighbor 67.176.255.1 179 | Flow Label Transmit: No, Flow Label Receive: No 180 | 67.176.255.4 rmt Up Oct 21 02:40:43 2015 1 181 | Remote PE: 67.176.255.4, Negotiated control-word: No 182 | Incoming label: 262152, Outgoing label: 262152 183 | Negotiated PW status TLV: No 184 | Local interface: lsi.1048627, Status: Up, Encapsulation: ETHERNET 185 | Description: Intf - vpls VLDP5 local-id 67.176.255.7 remote-id 67.176.255.4 neighbor 67.176.255.4 186 | Flow Label Transmit: No, Flow Label Receive: No 187 | ``` 188 | -------------------------------------------------------------------------------- /juniper/junos.vpls.ldp.hub_and_spoke.md: -------------------------------------------------------------------------------- 1 | 2 | # Hub and Spoke LDP-based VPLS 3 | 4 | ## Overview 5 | 6 | * Topology 7 | * PE14 is HUB PE, PE11 and PE17 are the Spoke PE 8 | 9 | * there are 2 possible HUB PE configurations: 10 | * one mesh-group for each neighbor 11 | * default behavior: JunOS will switch the traffic between mesh-group, so no additional configurtaion is required 12 | * one mesh-group for all neighbors 13 | * by default, JunOS will not switch the traffic from neighbor to the other neighbor belong to the same mesh-group. 14 | * to change this behavior, add "local-switching" knob. 
15 | 16 | 17 | ## Configuration 18 | 19 | ### PE HUB 20 | 21 | ``` 22 | rwibawa@vmx-13-14# show routing-instances VLDP1 23 | instance-type vpls; 24 | interface ge-0/0/0.542; 25 | protocols { 26 | vpls { 27 | interface ge-0/0/0.542; 28 | no-tunnel-services; 29 | vpls-id 502; 30 | mesh-group HUB { 31 | local-switching; 32 | neighbor 67.176.255.1; 33 | neighbor 67.176.255.7; 34 | } 35 | } 36 | } 37 | 38 | rwibawa@vmx-13-14# run show vpls connections instance VLDP1 39 | ... 40 | 41 | Instance: VLDP1 42 | VPLS-id: 502 43 | Mesh-group connections: HUB 44 | Neighbor Type St Time last up # Up trans 45 | 67.176.255.7(vpls-id 502) rmt Up Oct 26 17:44:04 2015 1 46 | Remote PE: 67.176.255.7, Negotiated control-word: No 47 | Incoming label: 262165, Outgoing label: 262151 48 | Negotiated PW status TLV: No 49 | Local interface: lsi.1048700, Status: Up, Encapsulation: ETHERNET 50 | Description: Intf - vpls VLDP1 neighbor 67.176.255.7 vpls-id 502 51 | Flow Label Transmit: No, Flow Label Receive: No 52 | 67.176.255.1(vpls-id 502) rmt Up Oct 26 17:44:04 2015 1 53 | Remote PE: 67.176.255.1, Negotiated control-word: No 54 | Incoming label: 262164, Outgoing label: 262162 55 | Negotiated PW status TLV: No 56 | Local interface: lsi.1048701, Status: Up, Encapsulation: ETHERNET 57 | Description: Intf - vpls VLDP1 neighbor 67.176.255.1 vpls-id 502 58 | Flow Label Transmit: No, Flow Label Receive: No 59 | 60 | 61 | 62 | rwibawa@vmx-13-14# run show vpls mac-table instance VLDP1 63 | 64 | MAC flags (S -static MAC, D -dynamic MAC, L -locally learned, C -Control MAC 65 | O -OVSDB MAC, SE -Statistics enabled, NM -Non configured MAC, R -Remote PE MAC) 66 | 67 | Routing instance : VLDP1 68 | Bridging domain : __VLDP1__, VLAN : NA 69 | MAC MAC Logical NH RTR 70 | address flags interface Index ID 71 | 00:50:58:13:12:04 D lsi.1048701 72 | 00:50:58:13:18:04 D lsi.1048700 73 | 74 | ``` 75 | 76 | ### PE Spoke 77 | 78 | ``` 79 | rwibawa@vmx-13-11# show routing-instances VLDP1 80 | instance-type vpls; 81 | 
interface ge-0/0/0.512; 82 | protocols { 83 | vpls { 84 | interface ge-0/0/0.512; 85 | no-tunnel-services; 86 | vpls-id 502; 87 | neighbor 67.176.255.4; 88 | inactive: neighbor 67.176.255.7; 89 | } 90 | } 91 | 92 | 93 | rwibawa@vmx-13-11# run show vpls connections instance VLDP1 94 | ... 95 | 96 | Instance: VLDP1 97 | VPLS-id: 502 98 | Neighbor Type St Time last up # Up trans 99 | 67.176.255.4(vpls-id 502) rmt Up Oct 26 17:43:36 2015 1 100 | Remote PE: 67.176.255.4, Negotiated control-word: No 101 | Incoming label: 262162, Outgoing label: 262164 102 | Negotiated PW status TLV: No 103 | Local interface: lsi.1048997, Status: Up, Encapsulation: ETHERNET 104 | Description: Intf - vpls VLDP1 neighbor 67.176.255.4 vpls-id 502 105 | Flow Label Transmit: No, Flow Label Receive: No 106 | 107 | 108 | 109 | rwibawa@vmx-13-11# run show vpls mac-table instance VLDP1 110 | 111 | MAC flags (S -static MAC, D -dynamic MAC, L -locally learned, C -Control MAC 112 | O -OVSDB MAC, SE -Statistics enabled, NM -Non configured MAC, R -Remote PE MAC) 113 | 114 | Routing instance : VLDP1 115 | Bridging domain : __VLDP1__, VLAN : NA 116 | MAC MAC Logical NH RTR 117 | address flags interface Index ID 118 | 00:50:58:13:12:04 D ge-0/0/0.512 119 | 00:50:58:13:18:04 D lsi.1048997 120 | ``` 121 | 122 | ### PE Spoke 2 123 | 124 | ``` 125 | rwibawa@vmx-13-17# show routing-instances VLDP1 126 | instance-type vpls; 127 | interface ge-0/0/0.572; 128 | protocols { 129 | vpls { 130 | interface ge-0/0/0.572; 131 | no-tunnel-services; 132 | vpls-id 502; 133 | inactive: neighbor 67.176.255.1; 134 | neighbor 67.176.255.4; 135 | } 136 | } 137 | 138 | 139 | rwibawa@vmx-13-17# run show vpls connections instance VLDP1 140 | ... 
141 | 142 | Instance: VLDP1 143 | VPLS-id: 502 144 | Neighbor Type St Time last up # Up trans 145 | 67.176.255.4(vpls-id 502) rmt Up Oct 26 17:43:36 2015 1 146 | Remote PE: 67.176.255.4, Negotiated control-word: No 147 | Incoming label: 262151, Outgoing label: 262165 148 | Negotiated PW status TLV: No 149 | Local interface: lsi.1048863, Status: Up, Encapsulation: ETHERNET 150 | Description: Intf - vpls VLDP1 neighbor 67.176.255.4 vpls-id 502 151 | Flow Label Transmit: No, Flow Label Receive: No 152 | 153 | 154 | 155 | rwibawa@vmx-13-17# run show vpls mac-table instance VLDP1 156 | 157 | MAC flags (S -static MAC, D -dynamic MAC, L -locally learned, C -Control MAC 158 | O -OVSDB MAC, SE -Statistics enabled, NM -Non configured MAC, R -Remote PE MAC) 159 | 160 | Routing instance : VLDP1 161 | Bridging domain : __VLDP1__, VLAN : NA 162 | MAC MAC Logical NH RTR 163 | address flags interface Index ID 164 | 00:50:58:13:12:04 D lsi.1048863 165 | 00:50:58:13:18:04 D ge-0/0/0.572 166 | ``` 167 | -------------------------------------------------------------------------------- /juniper/using.sshpass.on.junos.md: -------------------------------------------------------------------------------- 1 | 2 | This is an alternative way to mass configuring/accessing multiple devices at once, by using sshpass 3 | 4 | * create a simple general purpose script 5 | 6 | ``` 7 | $ cat ssh_multiple.bat 8 | 9 | #!/bin/bash 10 | 11 | user=$1 12 | passwd=$2 13 | target=$3 14 | cmd=$4 15 | 16 | for host in $target; do 17 | echo 18 | echo "Accessing $host ...." 
19 | sshpass -p ${passwd} ssh ${user}@${host} "$cmd" 20 | done 21 | ``` 22 | 23 | * run the script, for example to enable telnet (note that `-p` puts the password on the command line, where it is visible to other local users in the process list; `sshpass -e` reads it from the `SSHPASS` environment variable instead) 24 | 25 | ``` 26 | ./ssh_multiple.bat myuser mypassword "r1 r2 r3 r4" "configure;set system services telnet;commit synchronize;exit" 27 | ``` 28 | 29 | 30 | -------------------------------------------------------------------------------- /kvm/kvm.clone.guest.md: -------------------------------------------------------------------------------- 1 | original source: http://unix.stackexchange.com/questions/8351/how-to-create-a-dupe-of-a-kvm-libvirt-virt-manager-vm 2 | 3 | ``` 4 | # You cannot "clone" a running vm, stop it. suspend and destroy 5 | # are also valid options for less graceful cloning 6 | virsh shutdown this.vm 7 | 8 | # copy the storage. 9 | cp /var/lib/libvirt/images/{this-vm,that-vm}.img 10 | 11 | # dump the xml for the original 12 | virsh dumpxml this-vm > /tmp/that-vm.xml 13 | 14 | # hardware addresses need to be removed, libvirt will assign 15 | # new addresses automatically 16 | sed -i /uuid/d /tmp/that-vm.xml 17 | sed -i '/mac address/d' /tmp/that-vm.xml 18 | 19 | # and actually rename the vm: (this also updates the storage path) 20 | sed -i s/this-vm/that-vm /tmp/that-vm.xml 21 | 22 | # finally, create the new vm 23 | virsh define /tmp/that-vm.xml 24 | virsh start this-vm 25 | virsh start that-vm 26 | ``` -------------------------------------------------------------------------------- /kvm/kvm.nested.md: -------------------------------------------------------------------------------- 1 | # How to enable nested KVM 2 | 3 | ## Ubuntu 4 | Check whether nested virtualization is enabled 5 | ``` 6 | cat /sys/module/kvm_intel/parameters/nested 7 | N 8 | ``` 9 | Enable nested virtualization on Intel-based CPUs 10 | ``` 11 | sudo rmmod kvm-intel 12 | sudo sh -c "echo 'options kvm-intel nested=y' >> /etc/modprobe.d/dist.conf" 13 | sudo modprobe kvm-intel 14 | ``` 15 | 16 | Enable nested virtualization on AMD CPUs 17 | ``` 18 | sudo rmmod kvm-amd 19 | sudo sh -c "echo 'options amd nested=1' >> /etc/modprobe.d/dist.conf" 20 | sudo modprobe kvm-amd 21 | ``` 22 |
23 | ## Centos 24 | install a 3.x kernel, either from ELRepo or from the Xen kernel repo 25 | 26 | ### using xen kernel 27 | * Step 1: add the xen-c6 repo to your system 28 | ``` 29 | su - 30 | cd /etc/yum.repos.d 31 | wget http://dev.centos.org/centos/6/xen-c6/xen-c6.repo 32 | yum repolist 33 | [optional] vi xen-c6.repo : change to "enabled=0" to not take the repo enabled by default 34 | ``` 35 | 36 | * Step 2: install the new kernel 37 | ``` 38 | su - 39 | yum --enablerepo xen-c6 install kernel kernel-firmware 40 | vi /boot/grub/grub.conf : add "kvm-intel.nested=1" to the end of the kernel line 41 | reboot 42 | verify proper operation: "cat /sys/module/kvm_intel/parameters/nested" will output "Y" 43 | ``` 44 | 45 | ### using elrepo 46 | * Enable ELRepo Project repository 47 | ``` 48 | rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org 49 | rpm -Uvh http://www.elrepo.org/elrepo-release-6-6.el6.elrepo.noarch.rpm 50 | ``` 51 | 52 | * Install the kernel 53 | ``` 54 | yum --enablerepo=elrepo-kernel install kernel-lt 55 | ``` 56 | 57 | * configure grub 58 | You also need to edit /etc/grub.conf so that the new kernel boots by default (change default from 1 to 0); it should look like the following: 59 | ``` 60 | default=0 61 | timeout=5 62 | splashimage=(hd0,0)/grub/splash.xpm.gz 63 | hiddenmenu 64 | title CentOS (3.10.55-1.el6.elrepo.x86_64) 65 | root (hd0,0) 66 | kernel /vmlinuz-3.10.55-1.el6.elrepo.x86_64 ro root=/dev/mapper/VolGroup-lv_root rd_NO_LUKS LANG=en_US.UTF-8 rd_NO_MD rd_LVM_LV=VolGroup/lv_swap SYSFONT=latarcyrheb-sun16 crashkernel=auto rd_LVM_LV=VolGroup/lv_root rd_NO_DM KEYBOARDTYPE=pc KEYTABLE=br-abnt2 rhgb quiet 67 | ``` 68 | 69 | 70 | ## Modify guest VM to support nested 71 | For the setup to work, the virtual CPU presented to the VM must expose the "vmx" flag. 
72 | * Option 1: using virt-manager 73 | ``` 74 | virt-manager 75 | open the hypervisor virtual machine, go to Details > Processor 76 | unfold the "Configuration" 77 | press the "Copy host CPU configuration" button 78 | unfold the "CPU Features" 79 | verify the "vmx" feature is set to "require" 80 | press Apply 81 | ``` 82 | 83 | * Option 2: using virsh 84 | ``` 85 | sudo virsh edit 86 | 87 | 88 | ``` 89 | -------------------------------------------------------------------------------- /linux/cassandra.recover.node.inside.cluster.md: -------------------------------------------------------------------------------- 1 | # How to recover a Cassandra database 2 | 3 | ## Overview 4 | * It is possible for the database to become corrupt, for example after a server power failure 5 | * The recovery procedure differs depending on the problem and on the role of the database node 6 | 7 | 8 | ## Common failure 9 | 10 | #### DB corrupt on Cassandra non-seed node 11 | 12 | * Make sure this node is not a Cassandra seed node 13 | * check /opt/apps/data/apache-cassandra/conf/cassandra.yaml (please adjust the config folder location accordingly) 14 | * find an entry similar to 15 | 16 | ``` 17 | - seeds: 1.25.152.237 18 | ``` 19 | 20 | * compare the seed IP with this node's local IP. 21 | * If the seed IP != this node's local IP, this node is not a seed node. 
22 | 23 | * shut down the Cassandra process (the example below assumes that Cassandra is monitored by supervisord) 24 | 25 | ``` 26 | [root@server-03 root]# supervisorctl stop group1:cassandra 27 | ``` 28 | 29 | * delete all Cassandra data (please adjust the data folder location accordingly) 30 | 31 | ``` 32 | [root@server-03 root]# rm -rf /opt/apps/data/apache-cassandra/data/* 33 | ``` 34 | 35 | * start the Cassandra process (the example below assumes that Cassandra is monitored by supervisord) 36 | 37 | ``` 38 | [root@server-03 root]# supervisorctl start group1:cassandra 39 | ``` 40 | 41 | 42 | #### DB corrupt on Cassandra seed node 43 | 44 | * Make sure this node is a Cassandra seed node 45 | * check /opt/apps/data/apache-cassandra/conf/cassandra.yaml (please adjust the config folder location accordingly) 46 | * find an entry similar to 47 | 48 | ``` 49 | - seeds: 1.25.152.237 50 | ``` 51 | * compare the seed IP with this node's local IP. 52 | * If the seed IP == this node's local IP, this node is a seed node. 
53 | 54 | * Promote another node as a temporary seed node 55 | * Modify the seed configuration so that the seeds IP points to another existing node that is currently running fine 56 | 57 | ``` 58 | - seeds: 1.25.152.239 59 | ``` 60 | 61 | * if it initially has 2 or more seed IPs listed, only remove the one that matches the local IP 62 | 63 | 64 | * shut down the Cassandra process (the example below assumes that Cassandra is monitored by supervisord) 65 | 66 | ``` 67 | [root@server-03 root]# supervisorctl stop group1:cassandra 68 | ``` 69 | 70 | * delete all Cassandra data (please adjust the data folder location accordingly) 71 | 72 | ``` 73 | [root@server-03 root]# rm -rf /opt/apps/data/apache-cassandra/data/* 74 | ``` 75 | 76 | * start the Cassandra process (the example below assumes that Cassandra is monitored by supervisord) 77 | 78 | ``` 79 | [root@server-03 root]# supervisorctl start group1:cassandra 80 | ``` 81 | 82 | * use the nodetool command to see whether this node has already synced 83 | 84 | ``` 85 | [root@server-03 root]# nodetool status 86 | 87 | .... 88 | 89 | Database status: 90 | Datacenter: datacenter1 91 | ======================= 92 | Status=Up/Down 93 | |/ State=Normal/Leaving/Joining/Moving 94 | -- Address Load Tokens Owns Host ID Rack 95 | UN 1.25.152.237 86.71 MB 256 ? 8bdd484e-a957-4403-8ed5-67b65cdd2598 rack1 96 | UN 1.25.152.239 88.49 MB 256 ? 767062f9-9383-4fdb-8d76-c91dbd101ac0 rack1 97 | UN 1.25.152.241 105.15 MB 256 ? 253b3dec-b795-499e-81de-17989ed47664 rack1 98 | 99 | ... 100 | 101 | ``` 102 | 103 | * Because of the way Cassandra works, there is no exact indicator of when the data is in sync. Depending on the size of your data, it could take minutes or hours. Generally, if the Load value is similar to that of the other nodes, the new node can be considered bootstrapped. 104 | 105 | * If the new seed looks like it has finished the bootstrap process (the load no longer changes much), shut down the Cassandra process again and put its local IP back into the seeds list. 
106 | 107 | ``` 108 | - seeds: 1.25.152.237, 1.25.152.239 109 | ``` 110 | 111 | * If your cluster only has one seed, it is best practice to add a second seed. You can pick any one of the existing nodes as the second seed, but do not add all nodes as seeds. 112 | 113 | * start Cassandra again 114 | 115 | 116 | 117 | #### Node down temporarily 118 | 119 | * Regardless of whether the node is a seed node or not, if it has been down for less than 10 days, simply start Cassandra on that node. 120 | * But if the node has been down for more than 10 days (864000 seconds), follow the same procedure as for DB corruption above. 121 | 122 | 123 | -------------------------------------------------------------------------------- /linux/dhcp.add-static-route-with-netmask.md: -------------------------------------------------------------------------------- 1 | source: https://forums.freebsd.org/threads/add-static-route-with-netmask-to-dhcp.40584/ 2 | 3 | ``` 4 | # Option to add static routes with netmask 5 | # RFC3442 routes: overrides routers option 6 | option rfc3442-classless-static-routes code 121 = array of unsigned integer 8; 7 | # MS routes: adds extras to supplement routers option 8 | option ms-classless-static-routes code 249 = array of unsigned integer 8; 9 | 10 | # Local subnet 11 | subnet 172.16.0.0 netmask 255.255.255.0 { 12 | range 172.16.0.151 172.16.0.199; 13 | option routers 172.16.0.1; 14 | option broadcast-address 172.16.0.255; 15 | 16 | # Static route for OpenVPN 17 | # Classless static routes overrides default route (option routers) 18 | # Default route needs to be added to the classless static routes 19 | option rfc3442-classless-static-routes 24, 10,8,0, 172,16,0,10, 0, 172,16,0,1; 20 | option ms-classless-static-routes 24, 10,8,0, 172,16,0,10, 0, 172,16,0,1; 21 | } 22 | ``` 23 | -------------------------------------------------------------------------------- /linux/find.rpm.info.without.installing.md: -------------------------------------------------------------------------------- 1 | 2 | * get 
complete info 3 | 4 | ``` 5 | # rpm -qpi uuid-1.6.1-10.el6.x86_64.rpm 6 | Name : uuid Relocations: (not relocatable) 7 | Version : 1.6.1 Vendor: CentOS 8 | Release : 10.el6 Build Date: Sun 22 Aug 2010 03:16:27 AM EDT 9 | Install Date: (not installed) Build Host: c6b1.bsys.dev.centos.org 10 | Group : System Environment/Libraries Source RPM: uuid-1.6.1-10.el6.src.rpm 11 | Size : 115448 License: MIT 12 | Signature : RSA/8, Sun 03 Jul 2011 01:04:41 AM EDT, Key ID 0946fca2c105b9de 13 | Packager : CentOS BuildSystem 14 | URL : http://www.ossp.org/pkg/lib/uuid/ 15 | Summary : Universally Unique Identifier library 16 | Description : 17 | OSSP uuid is a ISO-C:1999 application programming interface (API) 18 | and corresponding command line interface (CLI) for the generation 19 | of DCE 1.1, ISO/IEC 11578:1996 and RFC 4122 compliant Universally 20 | Unique Identifier (UUID). It supports DCE 1.1 variant UUIDs of version 21 | 1 (time and node based), version 3 (name based, MD5), version 4 22 | (random number based) and version 5 (name based, SHA-1). Additional 23 | API bindings are provided for the languages ISO-C++:1998, Perl:5 and 24 | PHP:4/5. Optional backward compatibility exists for the ISO-C DCE-1.1 25 | and Perl Data::UUID APIs. 
26 | ``` 27 | 28 | * get specific attribute 29 | 30 | ``` 31 | rpm -qp --queryformat '%{Name},%{Version},%{License},%{Summary}\n' uuid-1.6.1-10.el6.x86_64.rpm 32 | uuid,1.6.1,MIT,Universally Unique Identifier library 33 | ``` 34 | -------------------------------------------------------------------------------- /linux/linux.subinterface.md: -------------------------------------------------------------------------------- 1 | 2 | # ubuntu 3 | 4 | ``` 5 | modprobe 8021q 6 | apt-get install vlan 7 | vconfig add eth1 500 8 | ifconfig eth1 up 9 | ifconfig eth1.500 inet 50.11.12.4 netmask 255.255.255.0 up 10 | ``` 11 | -------------------------------------------------------------------------------- /linux/linux.tcp.keepalive.md: -------------------------------------------------------------------------------- 1 | ``` 2 | echo 3 > /proc/sys/net/ipv4/tcp_keepalive_probes 3 | echo 10 > /proc/sys/net/ipv4/tcp_keepalive_intvl 4 | echo 60 > /proc/sys/net/ipv4/tcp_keepalive_time 5 | 6 | cat /proc/sys/net/ipv4/tcp_keepalive_probes 7 | cat /proc/sys/net/ipv4/tcp_keepalive_intvl 8 | cat /proc/sys/net/ipv4/tcp_keepalive_time 9 | 10 | sysctl -w net.ipv4.tcp_keepalive_time=60 net.ipv4.tcp_keepalive_probes=3 net.ipv4.tcp_keepalive_intvl=10 11 | ``` -------------------------------------------------------------------------------- /linux/linux.tcp.offload.md: -------------------------------------------------------------------------------- 1 | original source: http://stackoverflow.com/questions/26716722/tcp-receives-packets-but-it-ignores-them 2 | 3 | # TCP receives packets, but it ignores them 4 | 5 | The problem was that I disabled the TSO (tcp-segmentation-offload) on the virtual bridge to which my Dockers are attached with the command: 6 | ``` 7 | ethtool -K IFACE_NAME tso off 8 | ``` 9 | It turns off only TSO, whereas the checksumming offload remains on. Evidently, this creates some problem and though Wireshark showed me that TCP checksum was OK, actually it wasn't. 
So the host ignored the packet due to the bad TCP checksum. 10 | 11 | To turn off TSO and checksumming too, I just used the command: 12 | ``` 13 | ethtool --offload IFACE_NAME rx off tx off 14 | ``` 15 | And now everything works. -------------------------------------------------------------------------------- /linux/linux_lldp.md: -------------------------------------------------------------------------------- 1 | original source: https://community.mellanox.com/docs/DOC-1522 2 | 3 | ## Option 1: lldpad 4 | 5 | 1. Install lldpad on the server: 6 | - For RHEL/CentOS 7 | ``` 8 | #yum install lldpad 9 | ``` 10 | - For Ubuntu 11 | ``` 12 | #apt-get install lldpad 13 | ``` 14 | 15 | 2. Run the LLDP Daemon: 16 | ``` 17 | #lldpad -d 18 | ``` 19 | 20 | 3. Run the following script (it enables LLDP receive/transmit and the listed TLVs on every interface matched by the grep): 21 | ``` 22 | for i in `ls /sys/class/net/ | grep eth` ; 23 | do echo "enabling lldp for interface: $i" ; 24 | lldptool set-lldp -i $i adminStatus=rxtx ; 25 | lldptool -T -i $i -V sysName enableTx=yes; 26 | lldptool -T -i $i -V portDesc enableTx=yes ; 27 | lldptool -T -i $i -V sysDesc enableTx=yes; 28 | lldptool -T -i $i -V sysCap enableTx=yes; 29 | lldptool -T -i $i -V mngAddr enableTx=yes; 30 | done 31 | ``` 32 | 33 | Note: on RHEL 7 the interface names do not contain "eth" but "enp" (or similar), so the grep should be "grep enp". 34 | 35 | Note: if you use lldpad and wish to pass the management address via LLDP TLV on a specific interface, you need to add this explicitly. 36 | Otherwise, only the hostname is passed via LLDP TLV. 37 | 38 | For example: 39 | ``` 40 | # lldptool -T -i eth2 -V mngAddr ipv4=192.168.24.185 41 | ``` 42 | 43 | ## Option 2: lldpd 44 | 45 | Another possible LLDP Linux application is called lldpd (not lldpad). 46 | This version of LLDP doesn't require any specific configuration; it sends the TLVs by default, including the management address. 
47 | 48 | - For RHEL/CentoOS 49 | There is no yum inventory For RHEL/CentOS for this application, need to download the install the rpm (there are several location on the web for that) and then to restart the application. 50 | Here is a link to download the llapd. 51 | ``` 52 | #/etc/init.d/lldpd restart 53 | ``` 54 | - For Ubuntu 55 | ``` 56 | #apt-get install lldpad 57 | #/etc/init.d/lldpd restart 58 | ``` 59 | 60 | Once lldpad or lldpd are installed, make sure SNMP is running: 61 | ``` 62 | # /etc/init.d/snmpd start 63 | Starting snmpd (via systemctl): [ OK ] 64 | ``` 65 | 66 | -------------------------------------------------------------------------------- /linux/resize.qcow2.vm.md: -------------------------------------------------------------------------------- 1 | 2 | # How to resize VM image 3 | 4 | * resize the disk image 5 | 6 | ``` 7 | # qemu-img resize .qcow2 +G 8 | 9 | or 10 | 11 | # qemu-img resize .qcow2 G 12 | ``` 13 | 14 | 15 | * resize the partition table (make sure DOS Compatibility flag is not set and display units is sectors) 16 | 17 | ``` 18 | # fdisk 19 | 20 | # fdisk /dev/vda 21 | 22 | WARNING: DOS-compatible mode is deprecated. It's strongly recommended to 23 | switch off the mode (command 'c') and change display units to 24 | sectors (command 'u'). 25 | 26 | Command (m for help): c 27 | DOS Compatibility flag is not set -------> WARNING! some linux version has DOS Compatibility is already unset 28 | 29 | Command (m for help): u 30 | Changing display/entry units to sectors -------> WARNING! 
some linux version has unit set as sector by default 31 | 32 | Command (m for help): p 33 | 34 | Disk /dev/vda: 85.9 GB, 85899345920 bytes 35 | 255 heads, 63 sectors/track, 10443 cylinders, total 167772160 sectors 36 | Units = sectors of 1 * 512 = 512 bytes 37 | Sector size (logical/physical): 512 bytes / 512 bytes 38 | I/O size (minimum/optimal): 512 bytes / 512 bytes 39 | Disk identifier: 0x00050c05 40 | 41 | Device Boot Start End Blocks Id System 42 | /dev/vda1 * 2048 16777215 8387584 83 Linux 43 | 44 | Command (m for help): d 45 | Selected partition 1 46 | 47 | Command (m for help): n 48 | Command action 49 | e extended 50 | p primary partition (1-4) 51 | p 52 | Partition number (1-4): 1 53 | First sector (2048-167772159, default 2048): 54 | Using default value 2048 55 | Last sector, +sectors or +size{K,M,G} (2048-167772159, default 167772159): 56 | Using default value 167772159 57 | 58 | Command (m for help): w 59 | The partition table has been altered! 60 | 61 | Calling ioctl() to re-read partition table. 62 | 63 | WARNING: Re-reading the partition table failed with error 16: Device or resource busy. 64 | The kernel still uses the old table. The new table will be used at 65 | the next reboot or after you run partprobe(8) or kpartx(8) 66 | Syncing disks. 
67 | # 68 | ``` 69 | 70 | * resize filesystem 71 | 72 | ``` 73 | # resize2fs 74 | # resize2fs /dev/vda1 75 | ``` 76 | 77 | -------------------------------------------------------------------------------- /linux/tcpdump_tips.md: -------------------------------------------------------------------------------- 1 | 2 | * split big tcpdump file to smaller files 3 | 4 | ``` 5 | tcpdump -r big_file -w new_small_files -C 6 | ``` 7 | 8 | * remove first N bytes from each packet 9 | 10 | ``` 11 | # editcap -C -F pcap source.pcap new.pcap 12 | ``` 13 | 14 | -------------------------------------------------------------------------------- /linux/ubuntu.disable.cloud.init.md: -------------------------------------------------------------------------------- 1 | 2 | # How to disable cloud init temporarily (revertible) 3 | 4 | ``` 5 | # dpkg-reconfigure cloud-init 6 | 7 | uncheck everything except "None" (the last one) 8 | ``` 9 | 10 | -------------------------------------------------------------------------------- /linux/ubuntu.enable.serial.console.md: -------------------------------------------------------------------------------- 1 | 2 | # Enable Serial Console @ Ubuntu 3 | 4 | The following steps will output the console to both serial and vga output 5 | 6 | ## Steps 7 | 8 | * modify/create /etc/init/ttyS0.conf 9 | 10 | ``` 11 | root@linux-cloud:/etc/grub.d# more /etc/init/ttyS0.conf 12 | # ttyS0 - getty 13 | # 14 | # This service maintains a getty on ttyS0 from the point the system is 15 | # started until it is shut down again. 
16 | 17 | start on stopped rc RUNLEVEL=[2345] and ( 18 | not-container or 19 | container CONTAINER=lxc or 20 | container CONTAINER=lxc-libvirt) 21 | 22 | stop on runlevel [!2345] 23 | 24 | pre-start script 25 | # getty will not be started if the serial console is not present 26 | stty -F /dev/ttyS0 -a 2> /dev/null > /dev/null || { stop ; exit 0; } 27 | end script 28 | 29 | respawn 30 | script 31 | exec /sbin/getty -L ttyS0 115200 vt102 32 | end script 33 | ``` 34 | 35 | 36 | * modify /etc/default/grub 37 | 38 | ``` 39 | edit the following line: 40 | 41 | GRUB_CMDLINE_LINUX_DEFAULT="console=tty1 console=ttyS0" 42 | ``` 43 | -------------------------------------------------------------------------------- /linux/vde.sample.md: -------------------------------------------------------------------------------- 1 | 2 | connect local interface eth2 to remote vde switch @192.168.1.100 over ssh 3 | ``` 4 | /usr/bin/vde_switch -unix /tmp/vde2 -t tap2 -d --dirmode 777 --mode 666 --mgmtmode 666 -T -c mgmt0 -n 4096 5 | dpipe vde_plug /tmp/vde2 = ssh 192.168.1.100 /tmp/vde2 6 | 7 | brctl addbr br101 8 | brctl addif br101 eth2 9 | brctl addif br101 tap2 10 | ifconfig br101 up 11 | 12 | sysctl -w net.ipv4.conf.all.forwarding=1 13 | ``` 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | -------------------------------------------------------------------------------- /linux/vnc.to.main.display.md: -------------------------------------------------------------------------------- 1 | 2 | To use vnc with linux desktop main display (display :0), use x11vnc 3 | 4 | * install 5 | 6 | ``` 7 | apt-get install x11vnc 8 | ``` 9 | 10 | 11 | * setup vnc password 12 | 13 | ``` 14 | x11vnc -storepasswd 15 | e.g: 16 | 17 | x11vnc -storepasswd mypassword ~/.x11vnc/passwd 18 | ``` 19 | 20 | 21 | * run x11vnc (manually) 22 | 23 | ``` 24 | x11vnc -display :0 -rfbauth 25 | 26 | e.g: 27 | x11vnc -display :0 -rfbauth ~/.x11vnc/passwd 28 | ``` 29 | 30 | 31 | 
-------------------------------------------------------------------------------- /misc/campur.md: -------------------------------------------------------------------------------- 1 | 2 | * mongodb does not support "." (dot) inside key string 3 | 4 | * pymongo, something trigger "TypeError: document must be an instance of dict, bson.son.SON, bson.raw_bson.RawBSONDocument, or a type that inherits from collections.MutableMapping" 5 | 6 | * pymongo output has objectID, need to use custom jsonencoder 7 | 8 | -------------------------------------------------------------------------------- /misc/elasticsearch.md: -------------------------------------------------------------------------------- 1 | 2 | * create index template 3 | 4 | ``` 5 | 6 | PUT _template/template_subnet 7 | { 8 | "index_patterns": ["subnet"], 9 | "mappings": { 10 | "general": { 11 | "properties": { 12 | "router": { 13 | "type": "text", 14 | "fields": { 15 | "keyword": { 16 | "type": "keyword", 17 | "ignore_above": 256 18 | } 19 | } 20 | }, 21 | "subnet": { 22 | "type": "ip" 23 | } 24 | } 25 | } 26 | } 27 | } 28 | 29 | ``` 30 | 31 | 32 | * create index with pre-defined field type 33 | 34 | ``` 35 | PUT subnet 36 | { 37 | "mappings": { 38 | "general": { 39 | "properties": { 40 | "router": { 41 | "type": "text", 42 | "fields": { 43 | "keyword": { 44 | "type": "keyword", 45 | "ignore_above": 256 46 | } 47 | } 48 | }, 49 | "subnet": { 50 | "type": "ip", 51 | "fields": { 52 | "keyword": { 53 | "type": "keyword", 54 | "ignore_above": 256 55 | } 56 | } 57 | } 58 | } 59 | } 60 | } 61 | } 62 | ``` 63 | 64 | 65 | -------------------------------------------------------------------------------- /misc/java.log.file.location.md: -------------------------------------------------------------------------------- 1 | The default location (directory) of the trace and log files is: 2 | ``` 3 | * /.java/deployment/log on UNIX, Linux 4 | * ~/Library/Application Support/Oracle/Java/Deployment/log on Mac OS X 5 | * 
\Sun\Java\Deployment\log on Windows 6 | ``` 7 | 8 | If the environment variable USER_JPI_PROFILE is set to then the trace and log files will be written to: 9 | ``` 10 | * /.java/deployment/log on UNIX, Linux 11 | * /Library/Application Support/Oracle/Java/Deployment/log on Mac OS X 12 | * \Sun\Java\Deployment\log on Windows 13 | ``` -------------------------------------------------------------------------------- /misc/rabbitmq.on.osx.md: -------------------------------------------------------------------------------- 1 | 2 | # How to run rabbitmq on osx 3 | 4 | * the following example is based on brew 5 | 6 | ``` 7 | $ brew install rabbitmq 8 | 9 | ...deleted.. 10 | 11 | Access them with `erl -man`, or add this directory to MANPATH. 12 | ==> Summary 13 | 🍺 /usr/local/Cellar/erlang/19.0.2: 7,292 files, 278.6M 14 | ==> Installing rabbitmq 15 | ==> Using the sandbox 16 | ==> Downloading https://www.rabbitmq.com/releases/rabbitmq-server/v3.6.4/rabbitmq-server-generic-unix-3.6.4.tar.xz 17 | ######################################################################## 100.0% 18 | ==> /usr/bin/unzip -qq -j /usr/local/Cellar/rabbitmq/3.6.4/plugins/rabbitmq_management-3.6.4.ez rabbitmq_management- 19 | ==> Caveats 20 | Management Plugin enabled by default at http://localhost:15672 21 | 22 | Bash completion has been installed to: 23 | /usr/local/etc/bash_completion.d 24 | 25 | To have launchd start rabbitmq now and restart at login: 26 | brew services start rabbitmq 27 | Or, if you don't want/need a background service you can just run: 28 | rabbitmq-server 29 | ==> Summary 30 | 🍺 /usr/local/Cellar/rabbitmq/3.6.4: 186 files, 5.8M, built in 15 minutes 25 seconds 31 | 32 | ``` 33 | 34 | * add rabbitmq to the path (by default, 35 | 36 | ``` 37 | $ vim ~/.bash_profile 38 | 39 | ..deleted.. 40 | export PATH="/usr/local/sbin:$PATH" 41 | ..deleted.. 
42 | ``` 43 | 44 | -------------------------------------------------------------------------------- /myblog/old/acronym.md: -------------------------------------------------------------------------------- 1 | AFAIK = As Far As I Know 2 | AFK = Away From Keyboard 3 | AKA = Also Known As 4 | AMBW = All My Best Wishes 5 | ASAP = As Soon As Possible 6 | ASL = AgeSexLocation 7 | ATM = at the moment 8 | AYSOS = Are You Stupid Or Something 9 | B4 = Before 10 | BAK = back at keyboard 11 | BBIAB = Be Back in a Bit 12 | BBIAF = Be Back in a Few 13 | BBL = Be Back Later 14 | BBN = Bye Bye Now 15 | BCNU = Be Seein' You 16 | BFD = Big F***ing Deal 17 | BFN = Bye For Now 18 | BHOF = Bald Headed Old Fart 19 | BIF = Basic In Fact 20 | BITD = Back In The Day 21 | BM = Byte Me 22 | BRB = Be Right Back 23 | BTSOOM = Beats The Shit Out Of Me 24 | BTW = By The Way 25 | BTW = by the way 26 | CFV = call for votes 27 | CID = Consider It Done 28 | CIO = Check It Out 29 | CMIIW = Correct Me If I'm Wrong 30 | CU = see you 31 | CUL8R = See You Later 32 | Cof$ = Church of Scientology 33 | DILLIGAS = Do I Look Like I Give A Shit 34 | DLTM = Don't Lie To Me 35 | DYJHIWTH = don't you just hate it when that happened 36 | F2F = Face to Face 37 | F2F = face to face 38 | FUBAR = F***ed Up Beyond All Recognition 39 | FUD = (Spreading) Fear, Uncertainty, and Disinformation 40 | FWIW = For What It's Worth 41 | FYA = For Your Amusement 42 | FYI = For Your Information 43 | GA = go ahead 44 | GG = Good Game 45 | GL = Good Luck 46 | GMTA = Great Minds Think Alike 47 | GR&D = Grinning Running And Ducking 48 | GTG = Got To Go 49 | GTGB = Got To Go, Bye 50 | GTSY = Glad To See Ya 51 | GYPO = Get Your Pants Off 52 | HAGO = Have A Good One 53 | HHOJ = ha ha only joking 54 | HHOK = ha ha only kidding 55 | HHOS = ha ha only serious 56 | HIWTH = hate it when that happened 57 | HTH = Hope This (That) Helps 58 | IAE = In Any Event 59 | IAE = in any event 60 | IC = In Character 61 | IDK = i don't know 62 | IDKY = I 
Don't Know You 63 | IDST = I Didn't Say That 64 | IDTS = I Don't Think So 65 | IFU = I F***ed Up 66 | IIRC = If I remember Correctly 67 | IMHO = In My Humble Opinion 68 | IMNERHO = in my not even remotely humble opinion 69 | IMNSHO = In My Not So Humble Opinion 70 | IMO = In My Opinion 71 | IOH = I'm Outta Here 72 | IOW = In Other Words 73 | IRL = In Real Life 74 | IYKWIM = if you know what i mean 75 | IYSS = If You Say So 76 | JK = just kidding 77 | KIT = Keep In Touch 78 | KYPO = Keep Your Pants On 79 | L8R = Later 80 | LMAO = Laughing My Ass Off 81 | LOL = Laughing Out Loud -or- Lots of Love 82 | LTNS = Long Time No See 83 | MHOTY = My Hat's Off To You 84 | MOTD = Message Of The Day 85 | MOTSS = Members of the Same Sex 86 | MorF = Male or Female 87 | NBIF = No Basis In Fact 88 | NFW = No F***ing Way 89 | NIFOC = Nude In Front Of The Computer 90 | NP = No Problem 91 | NRG = Energy 92 | NRN = No Reply Necessary 93 | OIC = Oh, I see 94 | OOC = Out Of Character 95 | OOT = Out of topic 96 | OOTB = Out of the Box -or- Out of the Blue 97 | OTOH = On the Other Hand 98 | OTTH = on the third hand 99 | PEBCAK = Problem Exists Between Chair And Keyboard 100 | PLS = Please 101 | PMFJI = Pardon Me For Jumping In 102 | PMJI = pardon me, jumping in 103 | POV = Point of View 104 | RFC = request for comment 105 | RFD = request for discussion 106 | ROTFL = Rolling On The Floor Laughing 107 | ROTFLMAO = Rolling On The Floor Laughing My Ass Off 108 | RSN = Real Soon Now 109 | RTFM = Read The F***ing Manual 110 | RTM = Read The Manual 111 | SITD = Still in the Dark 112 | SNAFU = Situation Normal, All F***ed Up 113 | SUYF = Shut Up You Fool 114 | SWAG = Scientific Wild Ass Guess 115 | SWDYT = So What Do You Think 116 | SorG = Straight or Gay? 
117 | TANSTAAFL = There Ain't No Such Thing as a Free Lunch 118 | TEOTWAWKI = The End of the World As We Know It 119 | TIA = Thanks in Advance 120 | TIAIL = Think I Am In Love 121 | TIC = Tongue in Cheek 122 | TNX = thanks 123 | TTFN = Ta Ta For Now 124 | TTT = To The Top 125 | TTYL = Talk To You Later 126 | TX = Thanks 127 | TYVM = Thank You Very Much 128 | Tarfu = Things are really f***ed up! 129 | WAG = Wild Ass Guess 130 | WB = Welcome Back 131 | WCA = Who Cares Anyway 132 | WDYS = What Did You Say 133 | WE = What Ever 134 | WEG = Wicked Evil Grin 135 | WRT = with regard/respect to 136 | WTF = What The F***? 137 | WTG = Way To Go! 138 | WYRN = What's Your Real Name? 139 | WYS = Whatever You Say 140 | WYSIWYG = What You See is What You Get 141 | WYT = Whatever You Think 142 | YA = Yet Another 143 | YDKM = You Don't Know Me 144 | YMMV = Your Mileage May Vary 145 | YMMVG = your mileage may vary greatly 146 | YSYD = Yeah, Sure You Do 147 | YTTT = You Telling The Truth 148 | unPC = unPolitically Correct 149 | 150 | -------------------------------------------------------------------------------- /myblog/old/bgp_nortel_cisco.md: -------------------------------------------------------------------------------- 1 | Nortel ASN 2 | ``` 3 | ip 4 | arp 5 | back 6 | static-route address 0.0.0.0 mask 0.0.0.0 next-hop-address 219.21.2.165 7 | back 8 | 9 | …deleted… 10 | 11 | bgp router-id 219.21.2.166 12 | local-as 65521 13 | multi-hop enabled 14 | peer local 219.21.2.166 remote 219.19.232.65 as 33333 15 | next-hop-self enabled 16 | back 17 | announce polname dist-static 18 | action announce 19 | match 20 | protocol-source static 21 | back 22 | modify 23 | back 24 | back 25 | back 26 | ``` 27 | 28 | 29 | Cisco IOS 30 | ``` 31 | router bgp 33333 32 | neighbor 219.21.2.166 remote-as 65521 33 | neighbor 219.21.2.166 description BGP peer to Backup Upstream 34 | neighbor 219.21.2.166 ebgp-multihop 255 35 | neighbor 219.21.2.166 soft-reconfiguration inbound 36 | neighbor 219.21.2.166 
route-map accept-default-only in 37 | neighbor 219.21.2.166 route-map NONE out 38 | neighbor 219.20.127.4 remote-as 22222 39 | neighbor 219.20.127.4 description BGP peer to ISP 40 | neighbor 219.20.127.4 ebgp-multihop 255 41 | neighbor 219.20.127.4 remove-private-AS 42 | neighbor 219.20.127.4 soft-reconfiguration inbound 43 | neighbor 219.20.127.4 route-map accept-default-only-preferred in 44 | neighbor 219.20.127.4 route-map EXPORT-TO-ISP out 45 | 46 | access-list 199 permit ip host 0.0.0.0 host 0.0.0.0 47 | access-list 199 deny ip any any 48 | 49 | route-map accept-default-only permit 10 50 | match ip address 199 51 | set ip next-hop 10.101.102.1 52 | set local-preference 50 53 | ! 54 | route-map accept-default-only-preferred permit 10 55 | match ip address 199 56 | set local-preference 200 57 | ! 58 | ``` 59 | 60 | -------------------------------------------------------------------------------- /myblog/old/force.3g.selection.using.atcommand.md: -------------------------------------------------------------------------------- 1 | Sometimes, if you are in an area with very good 2G coverage but average or bad 3G coverage, your 3G modem will stay on the 2G network. So, what do you do to force the modem to choose the 3G network as the preferred one? 2 | 3 | Yes, you are right: most modem connection software has a "band selection" feature, like the one we can find in most 3G handphones. You can force your modem or handphone to stay on 3G and keep looking for 3G coverage forever, even if there is no coverage at all. 4 | 5 | But not all connection software has this menu, especially if you are using a UNIX environment (FreeBSD, Linux, etc). In Unix, we normally use a plain ppp connection no matter what the "dev" link is. In FreeBSD, we should find the modem under /dev/cuaaxx, and in Linux we should find it under /dev/ttyACMx or /dev/ttyUSBx. 6 | 7 | So, what can we do in Unix? 8 | Thanks to AT commands, we have direct access to the modem. 
There is one AT command that has been very useful for me: 9 | ``` 10 | AT+COPS 11 | ``` 12 | As with any normal AT command, AT+COPS has both a read and a write form. I put the format of the AT+COPS command at the end of this post. 13 | You can search for available networks with this command: at+cops=? 14 | Here is an example: 15 | ``` 16 | at+cops=? 17 | +COPS: (2,"IND INDOSAT","INDOSAT","51001",0),(1,"IND INDOSAT","INDOSAT","51001",2),(3,"IND TELKOMSEL","T-SEL","51010",2),(3,"IND TELKOMSEL","T-SEL","51010",0),(3,"LIPPO TEL","LIPPOTEL","51008",0),(3,"IND XL","XL","51011",0),(1,"3","3","51089",0),,(0,1,3,4),(0,1,2) 18 | 19 | OK 20 | ``` 21 | 22 | From the sample above, we can see that more than one operator network is in coverage. Pay attention to the last number of each entry above (shown in bold in the original post): zero (0) means GSM coverage and two (2) means UMTS (3G) coverage. 23 | 24 | Now we know that we have 3G coverage. Our next task is forcing the modem to select the UMTS network instead of GSM. It is time to use the write form of the at+cops command. Here is an example of how to select the 3G coverage: 25 | ``` 26 | at+cops? ---> to check what is my network now, which is Indosat GSM network 27 | +COPS: 0,0,"IND INDOSAT",0 28 | 29 | OK 30 | at+cops=1,0,"IND XL",2 ---> to force releasing current network 31 | +CME ERROR: no network service 32 | at+cops? 33 | +COPS: 1 --> it is indicated that our manual selection failed 34 | 35 | OK 36 | at+cops=1,0,"IND INDOSAT",2 ---> to force/manually select Indosat 3G coverage 37 | OK 38 | at+cops? ---> to verify that we are already in 3G network 39 | +COPS: 1,0,"IND INDOSAT",2 40 | 41 | OK 42 | ``` 43 | 44 | You should have a question now: why do I use this command several times and select another operator's network before choosing the correct one? I force the network selection to another operator first so that the modem performs cell re-selection when I go back to my correct operator network. 
I found that if I tried to manually select 3G coverage directly using at+cops=1,0,"IND INDOSAT" while I was already on GSM coverage, the modem did not try to change the network from GSM to UMTS, so I forced my modem to leave the current network first and then go back. 45 | 46 | Note: this AT command does not fully force the modem to always attach to 3G the way connection client software does; it is only a workaround that uses a manual network search for a specific operator and a specific radio type. 47 | 48 | 49 | 50 | Finally, here is the AT+COPS description. For the complete AT command description, please refer to the 3GPP TS 27.007 specification. 51 | ``` 52 | Command: +COPS=[<mode>[,<format>[,<oper>[,<AcT>]]]] 53 | Possible response: +CME ERROR: <err> 54 | 55 | Command: +COPS? 56 | Possible response: +COPS: <mode>[,<format>,<oper>[,<AcT>]] 57 | +CME ERROR: <err> 58 | 59 | Command: +COPS=? 60 | Possible response: +COPS: [list of supported (<stat>,long alphanumeric <oper>,short alphanumeric <oper>,numeric <oper>[,<AcT>])s][,,(list of supported <mode>s),(list of supported <format>s)] 61 | +CME ERROR: <err> 62 | 63 | Defined values 64 | <mode>: 65 | 0 automatic (<oper> field is ignored) 66 | 1 manual (<oper> field shall be present, and <AcT> optionally) 67 | 2 deregister from network 68 | 3 set only <format> (for read command +COPS?), do not attempt registration/deregistration (<oper> and <AcT> fields are ignored); this value is not applicable in read command response 69 | 4 manual/automatic (<oper> field shall be present); if manual selection fails, automatic mode (<mode>=0) is entered 70 | <format>: 71 | 0 long format alphanumeric <oper> 72 | 1 short format alphanumeric <oper> 73 | 2 numeric <oper> 74 | <oper>: string type; <format> indicates if the format is alphanumeric or numeric; long alphanumeric format can be up to 16 characters long and short format up to 8 characters (refer GSM MoU SE.13 [9]); numeric format is the GSM Location Area Identification number (refer TS 24.008 [8] subclause 10.5.1.3) which consists of a three BCD digit country code coded as in ITU T E.212 Annex A [10], plus a two BCD digit network code, which is administration specific; returned <oper> shall not be in BCD 
format, but in IRA characters converted from BCD; hence the number has structure: (country code digit 3)(country code digit 2)(country code digit 1)(network code digit 3)(network code digit 2)(network code digit 1) 75 | <stat>: 76 | 0 unknown 77 | 1 available 78 | 2 current 79 | 3 forbidden 80 | <AcT>: access technology selected: 81 | 0 GSM 82 | 1 GSM Compact 83 | 2 UTRAN 84 | ``` 85 | 86 | -------------------------------------------------------------------------------- /myblog/old/gre_tunnel_cisco_nortel_freebsd.md: -------------------------------------------------------------------------------- 1 | Sample config to establish a GRE tunnel between a Nortel ARN series router, a Cisco 7500 series router, and FreeBSD. Note that plain GRE neither authenticates nor encrypts the tunneled traffic. 2 | 3 | Nortel ARN router configuration 4 | ``` 5 | tunnels 6 | gre name to-cisco local-address 172.17.2.166 7 | ip address 10.101.102.1 mask 255.255.255.252 8 | back 9 | remote-endpoint name cisco-1 address 172.24.232.65 10 | back 11 | back 12 | gre name to-freebsd local-address 172.17.2.166 13 | ip address 10.100.102.1 mask 255.255.255.252 14 | back 15 | remote-endpoint name freebsd-1 address 172.20.1.73 16 | back 17 | back 18 | back 19 | ``` 20 | 21 | 22 | Cisco Configuration 23 | ``` 24 | interface Tunnel3 25 | ip address 10.101.102.2 255.255.255.252 26 | tunnel destination 172.17.2.166 27 | tunnel mode gre ip 28 | ``` 29 | 30 | 31 | FreeBSD configuration 32 | ``` 33 | ifconfig gre0 create 34 | ifconfig gre0 inet 10.100.102.2 10.100.102.1 netmask 255.255.255.252 35 | ifconfig gre0 tunnel 172.20.1.73 172.17.2.166 36 | ``` 37 | -------------------------------------------------------------------------------- /myblog/old/ipv6.over.gprs.md: -------------------------------------------------------------------------------- 1 | This post contains brief instructions on how to establish IPv6 over GPRS. 2 | 3 | In general, there are two basic methods: 4 | 5 | 1. 
The old but fastest way: just set up a normal IPv4 GPRS PDP context and then create an IPv6 over IPv4 tunnel on top of your GPRS connection. The tunnel can use any tunnel mechanism such as 6to4, IPv6 GRE tunnel, IPIP tunnel, IPSec tunnel, etc. 6 | 2. Native IPv6 GPRS connection 7 | 8 | Today, I will only explain the native IPv6 connection. I'll try to explain it from the mobile operator side as well as the end-user side. 9 | I'll start from the mobile operator side first. There are five network elements inside the mobile operator network which must have IPv6 capability. If you find my writing below hard to understand, please read http://en.wikipedia.org/wiki/GPRS_core_network first. 10 | 1. SGSN (Serving GPRS Support Node). In simple language, we can see the SGSN as the first control gateway from the radio network. The SGSN retrieves the end-user profile from the "central database". The SGSN needs to have IPv6 capability so it can carry end-user IPv6 packets over the IPv4 GTP tunnel towards the GGSN. 11 | 2. GGSN (Gateway GPRS Support Node). The GGSN is the gateway from the GPRS network towards a normal IP network such as the internet or a corporate LAN. The GGSN needs to have IPv6 capability to open the encapsulation header of the GTP tunnel from the SGSN side and route the IPv6 traffic to the internet. 12 | 3. HLR (Home Location Register). The HLR stores very complete data for each subscriber, including which APNs are allowed for each subscriber, its QoS profile and, the important thing for IPv6 GPRS, what kind of PDP context is allowed for each subscriber. Normally, only IPv4 PDP is allowed, so we need to insert a new profile to allow IPv6 PDP for certain subscribers. 13 | 4. IP router. I think I don't need to explain the router. If you want end-to-end native IPv6 connectivity, you need dual-stack (IPv4 and IPv6) capability in your routers. 14 | 5. DNS server. An IPv6-enabled DNS server is an important thing in IPv6 networks in general. It is impossible for us to remember the 128-bit IPv6 address of each machine. 
15 | 16 | Now, time for the end-user side. There are two important things that you must have to be able to get an IPv6 over GPRS connection. 17 | 1. Handset. You must have a GPRS-capable handset that has IPv6 capability. There are two types of IPv6 GPRS capable handsets: the first is a handset that only supports an IPv6 GPRS connection if you are using that handset as a modem for your PC, either via serial/USB cable, Bluetooth or infrared. The second is a handset that has IPv6 capability inside its operating system, such as the HP iPAQ, Nokia N73, etc. The advantage of the second type is that you are able to do IPv6 WAP or HTTP browsing directly from your phone. Unfortunately, I could not find any IPv6-enabled 3G data card. 18 | 2. If you are using a laptop with an IPv6-capable handset as a modem, you need an operating system that supports IPv6 in its PPP stack. If you are a Microsoft Windows user, you need at least Windows Vista. Although Windows XP already has native IPv6 capability, XP does not have IPv6 in its PPP stack. The good news is, if you are a Unix user, especially FreeBSD and Linux (sorry, I can't give any info regarding any other Unix family since I have never tested them), you have had IPv6 in your OS PPP stack for a few years already. 19 | 20 | So, if you already have those two required things above, you can start to create an IPv6 GPRS connection. I give the configuration and step-by-step example based on my experience using FreeBSD. 21 | a. Make sure you are attached to the GPRS network to be able to have a GPRS PDP context. It doesn't matter whether you are on a GSM or WCDMA network. 22 | b. Make sure the GPRS profile in your handset already has PDP type IPv6. Unfortunately, on most phones there is no settings menu to do this, so you may need to issue an AT command to your phone. The required AT command is AT+CGDCONT=X,"IPv6","apn name". X=APN setting ID (CID) in the handset. Please refer to "how to know GPRS cid in SE M600i" if you want to know more about CID. 23 | c. Configure your ppp.conf. 
If you don't issue any AT command as specified in step b above, you can configure it inside your ppp.conf as below. In the example below I use CID number 8 and APN name "gprs6". Since this file holds your password in clear text (the authkey line), keep it readable by root only. 24 | ``` 25 | gprs: 26 | set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \ 27 | \"\" ATZ OK-ATZ-OK AT+CGDCONT=8,\\\"ipv6\\\",\\\"gprs6\\\" OK \\dATD\\T TIMEOUT 60 CONNECT" 28 | enable force-scripts 29 | disable vjcomp 30 | set authname your-username 31 | set authkey your-password 32 | set phone "*99***8#" 33 | set login 34 | set timeout 0 35 | enable dns 36 | add default HISADDR 37 | add default HISADDR6 38 | ``` 39 | d. If you are successful, you will get an output like 40 | ``` 41 | > ifconfig tun0 42 | tun0: flags=8051 mtu 1500 43 | inet6 fe80::e36:ae02:cdd9:134c%tun0 prefixlen 64 scopeid 0x5 44 | inet6 xxxx:yyyy:f:1001:e36:ae02:cdd9:134c prefixlen 64 autoconf 45 | Opened by PID 676 46 | > 47 | ``` 48 | And you are connected to the native IPv6 world. If your connection is OK, as usual you will see the dancing turtle on www.kame.net or the dancing elephant on the ITB website :) 49 | 50 | Notes: 51 | Attach: the GPRS state when you are connected to the GPRS network but are not doing anything such as dialling *99***1#, *99# or doing any WAP browsing. On SonyEricsson phones, this state is indicated by an upside-down triangle symbol above your signal bar indicator. 52 | PDP context: if you do GPRS dial-up with your PC or maybe do WAP browsing from your phone, it means that you are creating a PDP context to the network and you are in the active state. On SonyEricsson phones, it is usually indicated by a small globe symbol. 53 | 54 | -------------------------------------------------------------------------------- /myblog/old/nms.for.ipv6.md: -------------------------------------------------------------------------------- 1 | As most of you know, last week (June 8, to be precise) was World IPv6 Day, a global-scale test flight of IPv6 sponsored by the Internet Society. 
2 | 3 | Personally, I expect that the IPv6 network will have the same quality (or better) as the IPv4 network that we have now, and to achieve this we need similar management tools to monitor the IPv6 network. This time, I would like to talk again about some parts of IPv6 NMS, similar content to what I presented during the Telkom Indonesia WIDEX2011 event. 4 | 5 | I want to highlight some issues related to NMS for IPv6, especially for online monitoring systems, because without online monitoring we don't know how much and what kind of IPv6 traffic we have. 6 | 7 | 1. IPv6 address representation 8 | In contrast with other network-based software which doesn't really care about the layer 3 stack, NMS software is heavily impacted by the introduction of IPv6. IPv4 has a single standard format: four fields delimited by dots, each containing a numeric value within 0-255. The case is very different with IPv6. IPv6 has multiple representations, as stated in RFC5952. Some examples are: 9 | ``` 10 | Normal form: 11 | – ABCD:EF01:2345:6789:ABCD:EF01:2345:6789 12 | Grouping of 16 bits of zeros. 13 | - 2001:DB8::8:800:200C:417A = 2001:DB8:0:0:8:800:200C:417A a unicast address 14 | - FF01::101 = FF01:0:0:0:0:0:0:101 a multicast address 15 | - ::1 = 0:0:0:0:0:0:0:1 the loopback address 16 | - :: = 0:0:0:0:0:0:0:0 the unspecified address 17 | Mixed environment of IPv4 and IPv6 nodes: 18 | – 0:0:0:0:0:0:13.1.68.3 = ::13.1.68.3 19 | – 0:0:0:0:0:FFFF:129.144.52.38 = ::FFFF:129.144.52.38 20 | Text Representation of Address Prefixes: 21 | – 12AB:0000:0000:CD30:0000:0000:0000:0000/60 22 | – 12AB::CD30:0:0:0:0/60 23 | ``` 24 | 25 | 2. SNMP for IPv6 26 | The current SNMP MIBs for IPv4 monitoring cannot handle an IPv6 address as an OID index. 
The initial solution was creating a new set of MIBs to cover IPv6 statistics, as listed below: 27 | IPV6-MIB, RFC2465 28 | IPV6-ICMP-MIB, RFC2466 29 | IPV6-TCP-MIB, RFC2452 30 | IPV6-UDP-MIB, RFC2454 31 | But later, this approach was considered complicated because two sets of MIBs have to be maintained. The new solution is to update the IPv4 MIBs with new indexes for IPv6 information. The new solution is explained in the RFCs below: 32 | Updated IP-MIB, RFC4293, Obsoletes: RFC2011, RFC2465, RFC2466 33 | Updated TCP-MIB, RFC4022, Obsoletes: RFC2452, RFC2012 34 | Updated UDP MIB, RFC4113, Obsoletes: RFC2454, RFC2013 35 | Updated IP Forwarding MIB, RFC4292, Obsoletes: RFC2096 36 | The problem does not end here, because it seems that different vendors have different implementations. Some router vendors still use the initial solution and some others are migrating to the new solution. I believe we need to wait longer until all router vendors implement the same standard. 37 | Here are some examples of what IPv6 MIB data looks like: 38 | ``` 39 | .1.3.6.1.2.1.55.1.8.1.2.16.37.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0 = INTEGER: 128 bits 40 | 37(10) = 25(16), 1(10) = 1(10) 41 | means: 42 | interface index = 16 43 | ipv6AddrPfxLength (.1.3.6.1.2.1.55.1.8.1.2) = 128 bits --> most likely loopback interface 44 | 45 | .1.3.6.1.2.1.55.1.12.1.3.183.37.0.0.0.0.25.0.0.0.0.0.0.0.0.0.1 = INTEGER: local(4) 46 | 37(10) = 25(16), 1(10) = 1(10), 25(10) = 19(16) 47 | means: 48 | interface index = 183 49 | IPv6 addr = 2500:0000:0019:0000:0000:0000:0000:0001 or 2500:0:19::1 50 | ipv6NetToMediaType (1.3.6.1.2.1.55.1.12.1.3) = local interface 51 | ``` 52 | 53 | 54 | 3. Netflow 55 | NetFlow is still the popular way to see the real packets passing through our routers. Similar to SNMP, the current NetFlow v5 implementation has fixed fields which cannot contain the IPv6 address format. At this moment, NetFlow v9 is the only version that can support IPv6 data, thanks to the NetFlow v9 dynamic packet format. 
Good news: this afternoon, my friend just upgraded one of his Cisco 7600 routers with a new IOS that supports IPv6 unicast NetFlow reporting, so I hope I can get IPv6 NetFlow from real internet traffic soon :) 56 | 57 | 58 | to be continued .... 59 | 60 | -------------------------------------------------------------------------------- /myblog/old/openvpn.for.ipv6.tun_mode.md: -------------------------------------------------------------------------------- 1 | references: 2 | http://www.greenie.net/ipv6/openvpn.html 3 | http://silmor.de/64 4 | http://openvpn.net/index.php/open-source/faq/77-server/287-is-ipv6-support-plannedin-the-works.html 5 | http://techtots.blogspot.com/2010/01/openvpn-with-pammysql-usernamepassword.html 6 | 7 | OpenVPN 2.0 only supports IPv6 in TAP mode. This is simply because TAP mode acts as a virtual ethernet, so any layer 3 protocol should run over it without any problem. 8 | In OpenVPN 2.2RC, point-to-point IPv6 tunnels are supported on OSes which have IPv6 TUN driver support (this includes Linux and the BSDs). 9 | Full IPv6 support is already available in the "allmerged" branch in Git, and will be included in the OpenVPN 2.3 release. 10 | TAP mode is the simplest way to set up OpenVPN for IPv6, but it uses a whole /64 network for a single client. Basically only 2 addresses are used and the rest are "wasted". Since I have only a single /64 subnet and I want to provide tunnels for several people, this is not an option for me. 11 | TUN mode for IPv6 requires OpenVPN 2.3 for both server and client, but TUN mode for IPv6 behaves like --topology subnet for IPv4. 12 | Other limitations can be found here. 13 | 14 | 15 | The Telkom OpenVPN tunnel mentioned in my previous blog entry is using TAP mode, but the one that I want to set up here is TUN mode, mainly because I only have a single /64 subnet for all tunnel users. 16 | 17 | I downloaded the package from http://build.openvpn.net/downloads/ since both my server and my laptop are using Ubuntu. 
18 | I also found out that I can't have an IPv6-only tunnel; I still need to set up an IPv4 tunnel, so I just added a "server x.x.x.x y.y.y.y" statement without any push config. 19 | 20 | Here are the complete server and client configs. At this moment it is tested with a Linux client, and I will test the Windows client using Gert Döring's patch later. Two caveats on the server config below: dh1024.pem is a 1024-bit DH group, which is weak by current standards (generate a 2048-bit or larger one), and client-cert-not-required means clients are authenticated by username/password only, so the PAM/MySQL backend and its password policy are the whole of client authentication. 21 | 22 | ``` 23 | Server config: 24 | local a.b.c.d 25 | port xx 26 | proto tcp 27 | dev tun 28 | ca /etc/openvpn/easy-rsa/keys/ca.crt 29 | cert /etc/openvpn/easy-rsa/keys/server.crt 30 | key /etc/openvpn/easy-rsa/keys/server.key 31 | dh /etc/openvpn/easy-rsa/keys/dh1024.pem 32 | 33 | server-ipv6 abcd:abc:1f05:1e02::/64 34 | server 10.99.254.0 255.255.255.0 35 | tun-ipv6 push "route-ipv6 ::/0" 36 | client-config-dir /etc/openvpn/static-config 37 | ifconfig-pool-persist /var/log/openvpn/openvpn.tcp.if 38 | client-to-client 39 | ;duplicate-cn 40 | keepalive 10 120 41 | comp-lzo 42 | persist-key 43 | persist-tun 44 | status /var/log/openvpn/openvpn.tcp.status 45 | log-append /var/log/openvpn/openvpn.tcp.log 46 | verb 5 47 | 48 | plugin /usr/lib/openvpn/openvpn-auth-pam.so mysql 49 | client-cert-not-required username-as-common-name 50 | writepid /var/log/openvpn/openvpn.tcp.pid 51 | 52 | Client config: 53 | dev tun 54 | proto tcp 55 | remote a.b.c.d xyz 56 | resolv-retry infinite 57 | nobind 58 | persist-key 59 | persist-tun 60 | ca ca.crt 61 | comp-lzo 62 | verb 3 63 | auth-user-pass 64 | ``` 65 | -------------------------------------------------------------------------------- /myblog/old/ospf3.multiple_af.md: -------------------------------------------------------------------------------- 1 | One of my job descriptions in my current company is to do IP network simulation and create guidance about how protocols work in a multi-vendor environment. 
2 | 3 | I was looking into the behavior of IPv6 dual topology on Cisco and Juniper, and I suddenly found a thread on the Nanog mailing list which said Junos has supported multiple address families for OSPFv3 since version 9.5. Click here for more detail. 4 | 5 | Multiple address-family, or what we call a Realm, is based on the following draft: 6 | draft-ietf-ospf-af-alt-06.txt. 7 | 8 | In short, multiple address-family on OSPFv3 means we can use OSPFv3 for both IPv4 and IPv6. Please note that the OSPFv3 IPv4 address-family is not compatible with normal OSPF operation (at least with what we have now; maybe in the future there will be another extension to support it), so don't expect to be able to create an OSPF neighborship for an IPv4 subnet between an OSPF router and an OSPFv3 router. 9 | 10 | Taken from the RFC draft itself: 11 | OSPFv3 has been defined to support the base IPv6 unicast Address 12 | Family (AF). There is a requirement to advertise other AFs in OSPFv3 13 | including multicast IPv6, unicast IPv4, and multicast IPv4. This 14 | document supports these other AFs in OSPFv3 by mapping each to a 15 | separate Instance ID and OSPFv3 instance. 16 | 17 | 18 | So here is my quick experiment. I was just wondering how it works; maybe in the future I will try to do some tweaking on this feature. 
19 | 20 | 21 | My Topology is simple, 3 router connected each other: 22 | ``` 23 | jpe6 --- ce8 ---- jpe7 24 | | | 25 | ------------------ 26 | ``` 27 | 28 | Configurations from each router: 29 | ``` 30 | [edit logical-systems] 31 | rendo@olive# show jpe6 protocols ospf3 32 | realm ipv4-unicast { 33 | area 0.0.0.0 { 34 | interface all; 35 | } 36 | } 37 | export bgpv6; 38 | area 0.0.2.154 { 39 | interface em1.968; 40 | interface lo0.96; 41 | } 42 | 43 | 44 | [edit logical-systems] 45 | rendo@olive# show jpe7 protocols ospf3 46 | realm ipv4-unicast { 47 | area 0.0.0.0 { 48 | interface all; 49 | } 50 | } 51 | export bgpv6; 52 | area 0.0.2.154 { 53 | interface lo0.97; 54 | interface em1.978; 55 | } 56 | 57 | 58 | [edit logical-systems] 59 | rendo@olive# show ce8 protocols ospf3 60 | realm ipv4-unicast { 61 | area 0.0.0.0 { 62 | interface all; 63 | } 64 | } 65 | area 0.0.2.154 { 66 | interface em2.968; 67 | interface em2.978; 68 | interface lo0.98; 69 | } 70 | 71 | ``` 72 | 73 | 74 | Test 1: jpe6, jpe7, ce8 run both normal ospf3 and ospf3 realm ipv4-unicast 75 | ``` 76 | [edit logical-systems] 77 | rendo@olive# run show ospf3 neighbor logical-system ce8 detail 78 | ID Interface State Pri Dead 79 | 11.0.9.6 em2.968 Full 128 36 80 | Neighbor-address fe80::a00:2703:c836:1a84 81 | Area 0.0.2.154, opt 0x13, OSPF3-Intf-Index 1 82 | DR-ID 13.0.1.8, BDR-ID 11.0.9.6 83 | Up 00:01:09, adjacent 00:00:21 84 | 11.0.9.7 em2.978 Full 128 35 85 | Neighbor-address fe80::a00:2703:d236:1a84 86 | Area 0.0.2.154, opt 0x13, OSPF3-Intf-Index 2 87 | DR-ID 13.0.1.8, BDR-ID 11.0.9.7 88 | Up 00:01:10, adjacent 00:00:30 89 | 90 | [edit logical-systems] 91 | rendo@olive# run show ospf3 neighbor logical-system ce8 detail realm ipv4-unicast 92 | ID Interface State Pri Dead 93 | 11.0.9.6 em2.968 Full 128 32 94 | Neighbor-address fe80::a00:2703:c836:1a84 95 | Area 0.0.0.0, opt 0x112, OSPF3-Intf-Index 9 96 | DR-ID 13.0.1.8, BDR-ID 11.0.9.6 97 | Up 00:01:15, adjacent 00:00:30 98 | 11.0.9.7 em2.978 Full 
128 32 99 | Neighbor-address fe80::a00:2703:d236:1a84 100 | Area 0.0.0.0, opt 0x112, OSPF3-Intf-Index 8 101 | DR-ID 13.0.1.8, BDR-ID 11.0.9.7 102 | Up 00:01:15, adjacent 00:00:25 103 | ``` 104 | 105 | 106 | Test 2: IPv6 disabled on JPE6 interface towards CE8. 107 | jpe6 is not listed as ce8 neighbor for any family 108 | ``` 109 | [edit logical-systems] 110 | rendo@olive# run show ospf3 neighbor logical-system ce8 realm ipv4-unicast 111 | ID Interface State Pri Dead 112 | 11.0.9.7 em2.978 Full 128 31 113 | Neighbor-address fe80::a00:2703:d236:1a84 114 | 115 | [edit logical-systems] 116 | rendo@olive# run show ospf3 neighbor logical-system ce8 117 | ID Interface State Pri Dead 118 | 11.0.9.7 em2.978 Full 128 36 119 | Neighbor-address fe80::a00:2703:d236:1a84 120 | 121 | [edit logical-systems] 122 | rendo@olive# 123 | ``` 124 | 125 | 126 | Test 3: jpe6 ipv6 interface is activated but ospf3 area for ipv6 is disabled. 127 | jpe6 is listed as ce8 neighbor only for ipv4-unicast family 128 | ``` 129 | [edit logical-systems] 130 | rendo@olive# run show ospf3 neighbor logical-system ce8 131 | ID Interface State Pri Dead 132 | 11.0.9.7 em2.978 Full 128 35 133 | Neighbor-address fe80::a00:2703:d236:1a84 134 | 135 | [edit logical-systems] 136 | rendo@olive# run show ospf3 neighbor logical-system ce8 realm ipv4-unicast 137 | ID Interface State Pri Dead 138 | 11.0.9.6 em2.968 Full 128 33 139 | Neighbor-address fe80::a00:2703:c836:1a84 140 | 11.0.9.7 em2.978 Full 128 33 141 | Neighbor-address fe80::a00:2703:d236:1a84 142 | 143 | [edit logical-systems] 144 | rendo@olive# 145 | ``` 146 | 147 | -------------------------------------------------------------------------------- /networking/bgp.private.asn.md: -------------------------------------------------------------------------------- 1 | 2 | * 2 bytes 3 | * 64512 - 65534 4 | 5 | * 4 bytes 6 | * 4200000000 - 4294967294 (64086.59904 - 65535.65534) 7 | -------------------------------------------------------------------------------- 
/openstack/contrail.check.routing.table.md: -------------------------------------------------------------------------------- 1 | # Checking Contrail vrouter routing table 2 | 3 | * Find the VXLAN ID from the Contrail web UI 4 | * find your virtual network 5 | * check the vxlan attribute 6 | * for example, the vxlan ID is 38 7 | 8 | * check the vxlan table to find the nexthop ID 9 | 10 | ``` 11 | root@brg-ct1-compute2:/opt/contrail/utils# vxlan --get 38 12 | VXLAN Table 13 | 14 | VNID NextHop 15 | ---------------- 16 | 38 547 17 | ``` 18 | 19 | * the command above tells us that vxlan 38 has next-hop ID = 547 20 | 21 | * check the next hop table to find the vrf associated with this virtual network 22 | 23 | ``` 24 | root@brg-ct1-compute2:/opt/contrail/utils# nh --get 547 25 | Id:547 Type:Vrf_Translate Fmly: AF_INET Flags:Valid, Vxlan, Rid:0 Ref_cnt:2 Vrf:24 26 | Vrf:24 27 | ``` 28 | 29 | * the command above tells us that vxlan 38 with nexthop 547 belongs to vrf 24 30 | 31 | * find the linux tap interface associated with this virtual network; useful if we want to run tcpdump on a specific vnet 32 | 33 | ``` 34 | root@brg-ct1-compute2:/opt/contrail/utils# vif --list | grep -b2 Vrf:24 35 | 17191-vif0/72 OS: tapfd0eb363-b0 36 | 17222- Type:Virtual HWaddr:00:00:5e:00:01:00 IPaddr:0 37 | 17281: Vrf:24 Flags:L2 MTU:9160 Ref:4 38 | 17324- RX packets:169 bytes:26160 errors:0 39 | 17373- TX packets:131 bytes:15370 errors:0 40 | ``` 41 | 42 | * the command above tells us that vrf 24 has interface tapfd0eb363-b0 43 | * if we want to sniff the traffic on this vrf in this compute node, we can simply run tcpdump on the tapfd0eb363-b0 interface 44 | 45 | * check the routing table 46 | * the example below is taken from a virtual network with forwarding mode = layer 2; in this case --family bridge must be used 47 | 48 | ``` 49 | root@brg-ct1-compute2:/opt/contrail/utils# rt --dump 24 50 | Vrouter inet4 routing table 0/24/unicast 51 | Flags: L=Label Valid, P=Proxy ARP, T=Trap ARP, F=Flood ARP 52 | 53 | 
Destination PPL Flags Label Nexthop Stitched MAC(Index) 54 | 55 | 56 | root@brg-ct1-compute2:/opt/contrail/utils# rt --dump 24 --family bridge 57 | Kernel L2 Bridge table 0/24 58 | 59 | Flags: L=Label Valid, Df=DHCP flood 60 | 61 | Index DestMac Flags Label/VNID Nexthop 62 | 19128 ff:ff:ff:ff:ff:ff LDf 38 605 63 | 32880 c:c4:7a:57:e:40 Df - 3 64 | 203288 2:fd:e:b3:63:b0 Df - 587 65 | 228256 2:4a:ec:30:b3:37 LDf 66 121 66 | 250296 0:0:5e:0:1:0 Df - 3 67 | ``` 68 | 69 | * what we can learn from result above 70 | * to reach destination with mac = 2:fd:e:b3:63:b0, use next hop 587 71 | * to reach destination with mac = 2:4a:ec:30:b3:37, use next hop 121 with mpls label 66 72 | 73 | 74 | * check the actual outgoing next-hop 75 | 76 | ``` 77 | root@brg-ct1-compute2:/opt/contrail/utils# nh --get 587 78 | Id:587 Type:Encap Fmly:AF_BRIDGE Flags:Valid, Rid:0 Ref_cnt:4 Vrf:24 79 | EncapFmly:0806 Oif:72 Len:14 Data:02 fd 0e b3 63 b0 00 00 5e 00 01 00 08 00 80 | 81 | root@brg-ct1-compute2:/opt/contrail/utils# nh --get 121 82 | Id:121 Type:Tunnel Fmly: AF_INET Flags:Valid, MPLSoGRE, Rid:0 Ref_cnt:141 Vrf:0 83 | Oif:0 Len:14 Flags Valid, MPLSoGRE, Data:0c c4 7a 57 14 f0 0c c4 7a 57 0e 40 08 00 84 | Vrf:0 Sip:172.25.155.35 Dip:172.25.155.34 85 | ``` 86 | 87 | * what we can learn from result above 88 | * to reach destination with mac = 2:fd:e:b3:63:b0, use next hop 587 89 | * this next-hop is local interface with interface ID = 72 90 | * see the vif --list above 91 | 92 | * to reach destination with mac = 2:4a:ec:30:b3:37, use next hop 121 with mpls label 66 93 | * the destination is located on different compute node which is 172.25.155.34 94 | * to send the packet to the destination on the remote compute node, use MPLS over GRE with mpls label = 66 95 | 96 | * NOTE: 97 | * all the collected information above are local per compute node. 
If you have multiple VM connected to the same virtual network but hosted on different compute nodes, each compute node will have its own local vif, local next-hop id, local vrf id 98 | 99 | 100 | -------------------------------------------------------------------------------- /openstack/contrail.setup.simple.gateway.md: -------------------------------------------------------------------------------- 1 | 2 | # How to Setup Contrail Simple Gateway 3 | 4 | ## Overview 5 | You have OpenStack with Contrail as neutron module but you don't have any gateway router to connect the VM inside OpenStack to the outside network 6 | 7 | 8 | ## Procedure to Setup a contrail simple gateway 9 | 10 | The following example shows how to add simple gateway on the fly 11 | 12 | * select one of the compute node/control node that has vrouter-agent running as the gateway point, for example: compute01 13 | * if you haven't create the virtual network, create it first thru contrail API/GUI 14 | * find out the vrf name of the virtual network that you want to access from outside 15 | * the standard vrf naming conventions is: 16 | 17 | ``` 18 | ::: 19 | ``` 20 | 21 | * example: 22 | 23 | ``` 24 | default-domain:admin:public:public 25 | ```` 26 | 27 | * create the simple gateway instance 28 | 29 | ``` 30 | # /opt/contrail/utils/provision_vgw_interface.py --oper create --interface vgw1 --subnets 10.16.1.0/24 --routes 0.0.0.0/0 --vrf default-domain:admin:public:public 31 | ``` 32 | 33 | * Note that the example above assumes: 34 | * network name is public and it is created inside admin project 35 | * the subnet for public is 10.16.1.0/24 36 | * VM connected to public will have default gateway (0.0.0.0/0) thru this simple gateway 37 | 38 | * at this point, the VM should be reachable from this compute node 39 | * To allow traffic from the other machine beside this compute node, simply add a static route towards 10.16.1.0/24 via this compute node IP 40 | 41 | ## Note 42 | * the example above will create 
simple gateway on the fly. It will not persist compute node reboot. 43 | * AFAIK, single simple gateway can only be associated with single VRF (single virtual network) 44 | * It is OK to create simple gateway on multiple compute node for the same virtual network 45 | 46 | ## Reference 47 | * https://github.com/Juniper/contrail-controller/wiki/Simple-Gateway 48 | * http://www.juniper.net/techpubs/en_US/contrail2.2/topics/task/configuration/simple-gateway-support-vnc.html 49 | 50 | -------------------------------------------------------------------------------- /openstack/how.to.send.command.thru.vnc.md: -------------------------------------------------------------------------------- 1 | 2 | # How to automate VM configuration that does not support DHCP and Cloud init 3 | 4 | In some cases, you want to spawn a VM on OpenStack, but the VM Operating System does not have DHCP client capability and also no cloud-init support. 5 | In this case we have to use VNC console to configure the VM, at least to configure basic connectivity e.g: IP address, default gateway, etc 6 | 7 | To automate this VM basic connectivity configuration, one of the possibility is to use python vncdotool module. 
8 | * http://vncdotool.readthedocs.io/en/latest/ 9 | * https://pypi.python.org/pypi/vncdotool 10 | 11 | And here is the sample workflow 12 | 13 | * Find the direct access VNC port (vncdotool does not work with novnc) 14 | 15 | * Find the compute node of this VM 16 | 17 | ``` 18 | # nova show 68fb6821-4d46-48c4-91f5-3b1d3d02ccbd | grep "| OS-EXT-SRV-ATTR:host" 19 | | OS-EXT-SRV-ATTR:host | brg-ct1-compute9 | 20 | ``` 21 | 22 | * Find the KVM instance ID for this VM 23 | 24 | ``` 25 | # nova show 68fb6821-4d46-48c4-91f5-3b1d3d02ccbd | grep "instance_name" 26 | | OS-EXT-SRV-ATTR:instance_name | instance-00001256 27 | ``` 28 | 29 | * Go to the compute node ( i am using ssh-key on my script to auto-login to the compute node), and find the VNC port 30 | 31 | ``` 32 | # ssh root@brg-ct1-compute9 "virsh dumpxml instance-00001256 | grep vnc | grep port" 33 | 34 | ``` 35 | 36 | * OK, now we find the direct address, which is 10.25.155.165 port 5919 37 | 38 | * Next Step, use vncdotool to send command thru vnc 39 | 40 | ``` 41 | # vncdo -s :: 42 | 43 | e.g: 44 | # vncdo -s 10.25.155.165::5919 type "configure" 45 | # vncdo -s 10.25.155.165::5919 key enter 46 | # vncdo -s 10.25.155.165::5919 type "set interfaces fxp0 unit 0 family inet address 192.168.100.10/24" 47 | # vncdo -s 10.25.155.165::5919 key enter 48 | # vncdo -s 10.25.155.165::5919 type "set routing-options static route 0.0.0.0/0 next-hop 192.168.100.1" 49 | # vncdo -s 10.25.155.165::5919 key enter 50 | # vncdo -s 10.25.155.165::5919 type "commit" 51 | # vncdo -s 10.25.155.165::5919 key enter 52 | # vncdo -s 10.25.155.165::5919 type "exit" 53 | # vncdo -s 10.25.155.165::5919 key enter 54 | ``` 55 | 56 | * Wait, how do we get the output of the command that we send? 57 | * No, we can't. VNC has graphical output, so basically we are blindly typing the keyboard keys. 58 | 59 | * So, how do we know when we can send the login or any other command? 
60 | * specific to my use case, i am waiting for the VM to give me the login prompt, which i can check via the console log 61 | * for example, if i see the login prompt, i know the VM is ready to accept the command 62 | 63 | ``` 64 | # nova console-log 68fb6821-4d46-48c4-91f5-3b1d3d02ccbd 65 | ... 66 | 67 | vmx104 (ttyd0) 68 | 69 | login: 70 | ... 71 | ``` 72 | 73 | * Notes: 74 | * The workflow above works only if you have configured the nova VNC port to listen on a non-localhost IP. Be aware that this exposes the VNC console on that address to every host that can reach it (the libvirt VNC console is usually not password-protected), so keep that address on a management network or firewall the VNC port range 75 | * make sure you have the following setting in your nova configuration 76 | 77 | ``` 78 | vncserver_enabled = true 79 | vncserver_listen = 10.25.155.165 80 | ``` 81 | 82 | * If you don't like this approach, alternatively you may be able to find something to bridge/convert novnc to a standard socket or to send any command thru novnc 83 | 84 | 85 | -------------------------------------------------------------------------------- /openstack/misc.md: -------------------------------------------------------------------------------- 1 | 2 | * openstack with ovs - disable snat on neutron router 3 | 4 | ``` 5 | neutron router-gateway-set --disable-snat 6 | 7 | example: 8 | neutron router-gateway-set --disable-snat r2 public 9 | ``` 10 | 11 | 12 | * packstack - add non-nat virtual network 13 | * create new vnet as usual, let say vnet1 with subnet=subnet1 14 | * do not mark this new vnet as external 15 | * create a new neutron router, let say r1 16 | * use existing external network as the gateway interface 17 | * take a note on what is the external network IP assigned to this router, let say the IP=gw_ip_1 18 | * attach the new vnet to this neutron router 19 | * disable snat on this neutron router 20 | * see "openstack with ovs - disable snat on neutron router" section above 21 | * go to network node 22 | * add static route to the new vnet subnet via the external 23 | * example: ip r add subnet1 via gw_ip_1 24 | * Outside openstack, make sure you have route towards your new subnet (subnet1) point 
to the network node IP address 25 | 26 | 27 | 28 | 29 | 30 | -------------------------------------------------------------------------------- /openstack/openstack.add.serial.console.md: -------------------------------------------------------------------------------- 1 | 2 | ## Add read-write serial console support to VM instance on Openstack Juno 3 | 4 | * add the following to /etc/nova/nova.conf 5 | 6 | ``` 7 | [serial_console] 8 | enabled=true 9 | 10 | # Location of serial console proxy. (string value) 11 | base_url=ws://0.0.0.0:6083/ 12 | 13 | # IP address on which instance serial console should listen 14 | # (string value) 15 | listen=0.0.0.0 16 | 17 | # The address to which proxy clients (like nova-serialproxy) 18 | # should connect (string value) 19 | # proxyclient_address=127.0.0.1 20 | 21 | ``` 22 | 23 | * restart nova 24 | 25 | ## note 26 | 27 | * if you just want a simple serial console accessible via telnet, there is no need to start the serial console proxy. Keep in mind that with `listen=0.0.0.0` the raw TCP serial port of every guest on the compute node is reachable from any host that can reach that node, and the raw port carries no authentication of its own, so bind it to a management address instead or firewall the serial console port range. 28 | * the serial console proxy is only required if you want to do it the openstack way, accessing the virtual serial console via websocket. 
29 | 30 | 31 | ## how to find the actual virtual serial console TCP port for specific VM instance 32 | 33 | * find the vm name 34 | 35 | ``` 36 | stack@openstack1:~/devstack$ nova list 37 | +--------------------------------------+----------------+---------+------------+-------------+--------------------------------------------------------------+ 38 | | ID | Name | Status | Task State | Power State | Networks | 39 | +--------------------------------------+----------------+---------+------------+-------------+--------------------------------------------------------------+ 40 | | 8ad5a2c1-0a38-4972-87a4-953c22d80742 | testvm | ACTIVE | - | Running | private3=172.19.2.104; private2=172.19.1.103 | 41 | +--------------------------------------+----------------+---------+------------+-------------+--------------------------------------------------------------+ 42 | ``` 43 | 44 | * find the instance name and which compute node that host it 45 | 46 | ``` 47 | stack@openstack1:~/devstack$ nova show testvm 48 | +--------------------------------------+----------------------------------------------------------+ 49 | | Property | Value | 50 | +--------------------------------------+----------------------------------------------------------+ 51 | | OS-DCF:diskConfig | AUTO | 52 | | OS-EXT-AZ:availability_zone | nova | 53 | | OS-EXT-SRV-ATTR:host | openstack1 | 54 | | OS-EXT-SRV-ATTR:hostname | testvm | 55 | | OS-EXT-SRV-ATTR:hypervisor_hostname | openstack1 --> this the compute node hostname | 56 | | OS-EXT-SRV-ATTR:instance_name | instance-0000000d --> this is the instance name | 57 | | OS-EXT-SRV-ATTR:kernel_id | | 58 | | OS-EXT-SRV-ATTR:launch_index | 0 | 59 | | OS-EXT-SRV-ATTR:ramdisk_id | | 60 | | OS-EXT-SRV-ATTR:reservation_id | r-0biaimu9 | 61 | | OS-EXT-SRV-ATTR:root_device_name | /dev/hda | 62 | | OS-EXT-SRV-ATTR:user_data | - | 63 | | OS-EXT-STS:power_state | 4 | 64 | | OS-EXT-STS:task_state | - | 65 | | OS-EXT-STS:vm_state | stopped | 66 | | OS-SRV-USG:launched_at | 
2015-11-15T03:11:41.000000 | 67 | | OS-SRV-USG:terminated_at | - | 68 | | accessIPv4 | | 69 | | accessIPv6 | | 70 | | config_drive | True | 71 | | created | 2015-11-15T03:11:33Z | 72 | | flavor | m1.small (2) | 73 | | hostId | 7662b19b5e897d4e6b924daea7cea3cdd50b66c419cba06fa2171180 | 74 | | id | 8ad5a2c1-0a38-4972-87a4-953c22d80742 | 75 | | image | junosvm (37d7696c-8c77-433f-881a-2754e14bc0c1) | 76 | | key_name | - | 77 | | metadata | {} | 78 | | name | junosvm-serial | 79 | | os-extended-volumes:volumes_attached | [] | 80 | | private2 network | 172.19.1.103 | 81 | | private3 network | 172.19.2.104 | 82 | | security_groups | allow | 83 | | status | SHUTOFF | 84 | | tenant_id | f27176e44f9e42f594fd823a0407b0e6 | 85 | | updated | 2015-11-15T03:37:26Z | 86 | | user_id | 08c7216b91054517925a3456f9e3bc2c | 87 | +--------------------------------------+----------------------------------------------------------+ 88 | ``` 89 | 90 | * use kvm standard command to find the actual TCP port 91 | 92 | ``` 93 | stack@openstack1:~/devstack$ virsh dumpxml instance-0000000d 94 | 95 | instance-0000000d 96 | 97 | ..deleted.. 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | ..deleted.. 106 | 107 | 108 | ``` 109 | -------------------------------------------------------------------------------- /perl/perl.oneliner.md: -------------------------------------------------------------------------------- 1 | for junos, it will remove the whole interface em0 section (multiline) from config file 2 | ``` 3 | perl -ni -e 'print unless /^ em0 {/ .. 
/^ }/' *.conf 4 | ``` 5 | 6 | print all lines except if contains specific string 7 | ``` 8 | perl -i -nle 'print if !/SECRET/' * 9 | ``` 10 | -------------------------------------------------------------------------------- /python/elasticsearch_query.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import json 4 | import argparse 5 | from elasticsearch import Elasticsearch,helpers 6 | 7 | 8 | def jsonpretty(text): 9 | return json.dumps(text, indent=4, sort_keys=True) 10 | 11 | def arguments_parser(): 12 | parser = argparse.ArgumentParser(description="Options:") 13 | parser.add_argument('--host', help='hostname', default='127.0.0.1') 14 | parser.add_argument('--port', help='hostname', default='9200') 15 | parser.add_argument('--key', help='show this key for output', default='hostname' ) 16 | parser.add_argument('--query', help='query string' ) 17 | parser.add_argument('--index', help='query index', default='myindex' ) 18 | args = parser.parse_args() 19 | return args 20 | 21 | 22 | def es_query(host, port=9200, q_key="content", q_val="", index="myindex"): 23 | es = Elasticsearch([{'host': host, 'port': 9200}]) 24 | res = es.search(index=index, 25 | body={ "query" : 26 | { "query_string" : { 27 | "query" : q_val 28 | } 29 | } 30 | } 31 | ) 32 | return res 33 | 34 | 35 | if __name__ == "__main__": 36 | args = arguments_parser() 37 | res = es_query(host=args.host, port=args.port, q_val=args.query, index=args.index) 38 | output = [] 39 | for doc in res['hits']['hits']: 40 | entry = {} 41 | keys = args.key.split(',') 42 | for key in keys: 43 | if key in doc['_source']: 44 | entry[key] = doc['_source'][key] 45 | output.append(entry) 46 | print jsonpretty(output) 47 | -------------------------------------------------------------------------------- /python/ping_parallel.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import threading 4 
| import subprocess 5 | import os 6 | import sys 7 | 8 | 9 | MAX_PROCESSES = 25 10 | semaphore = threading.Semaphore(MAX_PROCESSES) 11 | 12 | 13 | def read_file(filename): 14 | cmds = "" 15 | lines = [] 16 | if str(filename) is not '' and not os.stat(filename).st_size == 0: 17 | try: 18 | finput = open(filename, 'r') 19 | lines = [x.replace('\n', '') for x in finput] 20 | finput.close() 21 | except: 22 | return lines 23 | return lines 24 | 25 | 26 | def ping_thread(hostname): 27 | with semaphore: 28 | cmd = "ping -c 2 "+hostname 29 | response = "" 30 | p = subprocess.Popen(cmd, shell=True, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE) 31 | for line in p.stdout.readlines(): 32 | response = response + str(line) 33 | p.wait() 34 | if p.returncode == 0: 35 | print hostname+" is UP" 36 | FO.write(hostname+" is UP\n") 37 | else: 38 | print hostname+" is DOWN" 39 | FO.write(hostname+" is DOWN\n") 40 | return 41 | 42 | 43 | 44 | if __name__ == "__main__": 45 | target = read_file(sys.argv[1]) 46 | FO = open(sys.argv[2],'w') 47 | 48 | for hostname in target: 49 | hostname = hostname.strip() 50 | threading.Thread(target=ping_thread, args=(hostname,)).start() 51 | -------------------------------------------------------------------------------- /python/simple.interactive.python.paramiko.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | #original source: http://jessenoller.com/blog/2009/02/05/ssh-programming-with-paramiko-completely-different 4 | 5 | import paramiko 6 | import cmd 7 | 8 | class RunCommand(cmd.Cmd): 9 | """ Simple shell to run a command on the host """ 10 | 11 | prompt = 'ssh > ' 12 | 13 | def __init__(self): 14 | cmd.Cmd.__init__(self) 15 | self.hosts = [] 16 | self.connections = [] 17 | 18 | def do_add_host(self, args): 19 | """add_host 20 | Add the host to the host list""" 21 | if args: 22 | self.hosts.append(args.split(',')) 23 | else: 24 | print "usage: host " 25 | 26 | 
def do_connect(self, args): 27 | """Connect to all hosts in the hosts list""" 28 | for host in self.hosts: 29 | client = paramiko.SSHClient() 30 | client.set_missing_host_key_policy( 31 | paramiko.AutoAddPolicy()) 32 | client.connect(host[0], 33 | username=host[1], 34 | password=host[2]) 35 | self.connections.append(client) 36 | 37 | def do_run(self, command): 38 | """run 39 | Execute this command on all hosts in the list""" 40 | if command: 41 | for host, conn in zip(self.hosts, self.connections): 42 | stdin, stdout, stderr = conn.exec_command(command) 43 | stdin.close() 44 | for line in stdout.read().splitlines(): 45 | print 'host: %s: %s' % (host[0], line) 46 | else: 47 | print "usage: run " 48 | 49 | def do_close(self, args): 50 | for conn in self.connections: 51 | conn.close() 52 | 53 | if __name__ == '__main__': 54 | RunCommand().cmdloop() 55 | -------------------------------------------------------------------------------- /raspi/force.net.interface.name.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | * for wlanX and ethX naming 4 | * from https://www.raspberrypi.org/forums/viewtopic.php?t=197537 5 | * delete symlink to /dev/null /etc/systemd/network/99-default.link 6 | * Replace with a text file /etc/systemd/network/99-default.link that contains 7 | 8 | ``` 9 | [Link] 10 | NamePolicy=kernel database onboard slot path mac 11 | MACAddressPolicy=persistent 12 | ``` 13 | -------------------------------------------------------------------------------- /tmp/test.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rendoaw/notes/be05bba6e92c5f36b2db4446b866df0fab7e8445/tmp/test.txt -------------------------------------------------------------------------------- /vmware/esxi_vsphere_cli.md: -------------------------------------------------------------------------------- 1 | # ESXi related command 2 | 3 | * add static route 4 | 5 | ``` 6 | esxcfg-route 
-a 192.168.100.0 255.255.255.0 192.168.0.1 7 | ``` 8 | 9 | * list partition 10 | 11 | ``` 12 | ~ # ls /vmfs/devices/disks/ 13 | .... 14 | t10.ATA_____ST91000640NS________________________________________9XG8SW0 ---> main disk vml.01000000002020202020202020202020203958473853573045535439313030:9 15 | t10.ATA_____ST91000640NS________________________________________9XG8SW0E:1 ----> partition 1 vml.01000000003339666463643637386664666364313736633963653930306630373064363932536572766572 16 | t10.ATA_____ST91000640NS________________________________________9XG8SW0E:2 -----> partition 2 vml.01000000003339666463643637386664666364313736633963653930306630373064363932536572766572:1 17 | t10.ATA_____ST91000640NS________________________________________9XG8SW0E:3 vml.01000000003638383439363366616432336131333536633963653930306630373064363932536572766572 18 | t10.ATA_____ST91000640NS________________________________________9XG8SW0E:5 vml.01000000003638383439363366616432336131333536633963653930306630373064363932536572766572:1 19 | t10.ATA_____ST91000640NS________________________________________9XG8SW0E:6 vml.01000000006163306439653930613138663035663336633963653930306630373064363932536572766572 20 | t10.ATA_____ST91000640NS________________________________________9XG8SW0E:7 vml.01000000006163306439653930613138663035663336633963653930306630373064363932536572766572:1 21 | t10.ATA_____ST91000640NS________________________________________9XG8SW0E:8 vml.01000000006336383332653337353065623066376136633963653930306630373064363932536572766572 22 | t10.ATA_____ST91000640NS________________________________________9XG8SW0E:9 vml.01000000006336383332653337353065623066376136633963653930306630373064363932536572766572:1 23 | ~ # 24 | ``` 25 | 26 | * Get partition 27 | 28 | ``` 29 | ~ # partedUtil getptbl /vmfs/devices/disks/t10.ATA_____ST91000640NS________________________________________9XG8SW0E 30 | gpt 31 | 121601 255 63 1953525168 32 | 1 64 8191 C12A7328F81F11D2BA4B00A0C93EC93B systemPartition 128 33 | 5 
8224 520191 EBD0A0A2B9E5443387C068B6B72699C7 linuxNative 0 34 | 6 520224 1032191 EBD0A0A2B9E5443387C068B6B72699C7 linuxNative 0 35 | 7 1032224 1257471 9D27538040AD11DBBF97000C2911D1B8 vmkDiagnostic 0 36 | 8 1257504 1843199 EBD0A0A2B9E5443387C068B6B72699C7 linuxNative 0 37 | 9 1843200 7086079 9D27538040AD11DBBF97000C2911D1B8 vmkDiagnostic 0 38 | 2 7086080 15472639 EBD0A0A2B9E5443387C068B6B72699C7 linuxNative 0 39 | 3 15472640 1953525134 AA31E02A400F11DB9590000C2911D1B8 vmfs 0 40 | ~ # 41 | ``` 42 | 43 | * delete partition #1 44 | 45 | ``` 46 | partedUtil delete /vmfs/devices/disks/t10.ATA_____ST91000640NS________________________________________9XG8SW0E 1 47 | ``` 48 | 49 | * Register/Un-register VM 50 | 51 | ``` 52 | vim-cmd solo/registervm /vmfs/volumes/datastore1/linux.vmx 53 | vim-cmd solo/unregister 54 | ``` 55 | 56 | * create vswitch (not dv switch) 57 | 58 | ``` 59 | execute from esx host: vicfg-vswitch -a 60 | execute from vsphere or VMA: vicfg-vswitch -a --vihost 61 | ``` 62 | 63 | * create port group on vswitch 64 | 65 | ``` 66 | execute from esx host: vicfg-vswitch --add-pg 67 | execute from vsphere or VMA: vicfg-vswitch --vihost --add-pg 68 | ``` 69 | 70 | * assign vlan to port group on vswitch 71 | 72 | ``` 73 | execute from esx host: vicfg-vswitch --pg --vlan 74 | execute from vsphere or VMA: vicfg-vswitch --vihost --pg --vlan 75 | ``` 76 | 77 | * clone VM 78 | 79 | ``` 80 | - shutdown the VM that want to be cloned 81 | - copy the whole folder to a new folder 82 | - go to the new folder 83 | - modify vmx file 84 | - change display name to a new name 85 | - register the VM (see above) 86 | ``` 87 | -------------------------------------------------------------------------------- /wiki/A-hack-to-create-routed-virtual-network-in-Openstack-with-Openvswitch.md: -------------------------------------------------------------------------------- 1 | # A hack to create routed virtual network in Openstack with Openvswitch 2 | 3 | This is the hack to create a routed 
(not NAT-ed) virtual network in Openstack with Openvswitch that was installed using PackStack. 4 | 5 | * create a new virtual network as usual 6 | * let say vnet1 with subnet=subnet1 7 | * do not mark this new vnet as external 8 | 9 | * create a new neutron router 10 | * let say r1 11 | * use existing external network as the gateway interface 12 | * take a note on what is the external network IP assigned to this router 13 | * let say the IP=gw_ip_1 14 | * attach the new vnet to this neutron router 15 | * in this example, attach vnet1 to this neutron router 16 | 17 | * disable snat on this neutron router 18 | 19 | ``` 20 | neutron router-gateway-set --disable-snat 21 | 22 | example: 23 | neutron router-gateway-set --disable-snat r2 public 24 | ``` 25 | 26 | * Add routes to the new virtual network via the newly created neutron router external IP 27 | 28 | ``` 29 | example: 30 | # ip r add subnet1 via gw_ip_1 31 | ``` 32 | 33 | * Outside openstack, make sure you have route towards your new subnet (subnet1) point to the network node IP address 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | * openstack with ovs - disable snat on neutron router 43 | 44 | 45 | 46 | * packstack - add non-nat virtual network 47 | * create new vnet as usual, let say vnet1 with subnet=subnet1 48 | * do not mark this new vnet as external 49 | * create a new neutron router, let say r1 50 | * use existing external network as the gateway interface 51 | * take a note on what is the external network IP assigned to this router, let say the IP=gw_ip_1 52 | * attach the new vnet to this neutron router 53 | * disable snat on this neutron router 54 | * see "openstack with ovs - disable snat on neutron router" section above 55 | * go to network node 56 | * add static route to the new vnet subnet via the external 57 | * example: ip r add subnet1 via gw_ip_1 58 | * Outside openstack, make sure you have route towards your new subnet (subnet1) point to the network node IP address 59 | 60 | 61 | 62 | 63 | 64 | 
-------------------------------------------------------------------------------- /wiki/Automate-ssh-access-on-JunOS-device-using-sshpass.md: -------------------------------------------------------------------------------- 1 | # Automate ssh access on JunOS device using sshpass 2 | 3 | This is an alternative way to mass-configure or access multiple devices at once, by using sshpass 4 | 5 | * create a simple general purpose script 6 | 7 | ``` 8 | $ cat ssh_multiple.bat 9 | 10 | #!/bin/bash 11 | 12 | user=$1 13 | passwd=$2 14 | target=$3 15 | cmd=$4 16 | 17 | for host in $target; do 18 | echo 19 | echo "Accessing $host ...." 20 | sshpass -p ${passwd} ssh ${user}@${host} "$cmd" 21 | done 22 | ``` 23 | 24 | 25 | * run the script, for example to enable telnet. Note that `sshpass -p` puts the password on the command line, where other users on the same machine can read it via `ps` and where it is kept in the shell history; prefer `sshpass -e` (password taken from the `SSHPASS` environment variable) or `sshpass -f` with a permission-restricted file 26 | 27 | ``` 28 | ./ssh_multiple.bat myuser mypassword "r1 r2 r3 r4" "configure;set system services telnet;commit synchronize;exit" 29 | ``` 30 | 31 | 32 | -------------------------------------------------------------------------------- /wiki/How-to-Setup-Contrail-Simple-Gateway.md: -------------------------------------------------------------------------------- 1 | # How to Setup Contrail Simple Gateway 2 | 3 | ## Overview 4 | You have OpenStack with Contrail as neutron module but you don't have any gateway router to connect the VM inside OpenStack to the outside network 5 | 6 | 7 | ## Procedure to Setup a contrail simple gateway 8 | 9 | The following example shows how to add simple gateway on the fly 10 | 11 | * select one of the compute node/control node that has vrouter-agent running as the gateway point, for example: compute01 12 | * if you haven't created the virtual network, create it first thru contrail API/GUI 13 | * find out the vrf name of the virtual network that you want to access from outside 14 | * the standard vrf naming convention is: 15 | 16 | ``` 17 | ::: 18 | ``` 19 | 20 | * example: 21 | 22 | ``` 23 | default-domain:admin:public:public 24 | ```` 25 | 26 | * create the simple gateway instance 
27 | 28 | ``` 29 | # /opt/contrail/utils/provision_vgw_interface.py --oper create --interface vgw1 --subnets 10.16.1.0/24 --routes 0.0.0.0/0 --vrf default-domain:admin:public:public 30 | ``` 31 | 32 | * Note that the example above assumes: 33 | * network name is public and it is created inside admin project 34 | * the subnet for public is 10.16.1.0/24 35 | * VM connected to public will have default gateway (0.0.0.0/0) thru this simple gateway 36 | 37 | * at this point, the VM should be reachable from this compute node 38 | * To allow traffic from the other machine beside this compute node, simply add a static route towards 10.16.1.0/24 via this compute node IP 39 | 40 | ## Note 41 | * the example above will create simple gateway on the fly. It will not persist compute node reboot. 42 | * AFAIK, single simple gateway can only be associated with single VRF (single virtual network) 43 | * It is OK to create simple gateway on multiple compute node for the same virtual network 44 | 45 | ## Reference 46 | * https://github.com/Juniper/contrail-controller/wiki/Simple-Gateway 47 | * http://www.juniper.net/techpubs/en_US/contrail2.2/topics/task/configuration/simple-gateway-support-vnc.html 48 | 49 | -------------------------------------------------------------------------------- /wiki/How-to-automate-VM-configuration-that-does-not-support-DHCP-and-Cloud-init.md: -------------------------------------------------------------------------------- 1 | # How to automate VM configuration that does not support DHCP and Cloud init 2 | 3 | In some cases, you want to spawn a VM on OpenStack, but the VM Operating System does not have DHCP client capability and also no cloud-init support. 4 | In this case we have to use VNC console to configure the VM, at least to configure basic connectivity e.g: IP address, default gateway, etc 5 | 6 | To automate this VM basic connectivity configuration, one of the possibility is to use python vncdotool module. 
7 | * http://vncdotool.readthedocs.io/en/latest/ 8 | * https://pypi.python.org/pypi/vncdotool 9 | 10 | And here is the sample workflow 11 | 12 | * Find the direct access VNC port (vncdotool does not work with novnc) 13 | 14 | * Find the compute node of this VM 15 | 16 | ``` 17 | # nova show 68fb6821-4d46-48c4-91f5-3b1d3d02ccbd | grep "| OS-EXT-SRV-ATTR:host" 18 | | OS-EXT-SRV-ATTR:host | brg-ct1-compute9 | 19 | ``` 20 | 21 | * Find the KVM instance ID for this VM 22 | 23 | ``` 24 | # nova show 68fb6821-4d46-48c4-91f5-3b1d3d02ccbd | grep "instance_name" 25 | | OS-EXT-SRV-ATTR:instance_name | instance-00001256 26 | ``` 27 | 28 | * Go to the compute node ( i am using ssh-key on my script to auto-login to the compute node), and find the VNC port 29 | 30 | ``` 31 | # ssh root@brg-ct1-compute9 "virsh dumpxml instance-00001256 | grep vnc | grep port" 32 | 33 | ``` 34 | 35 | * OK, now we find the direct address, which is 10.25.155.165 port 5919 36 | 37 | * Next Step, use vncdotool to send command thru vnc 38 | 39 | ``` 40 | # vncdo -s :: 41 | 42 | e.g: 43 | # vncdo -s 10.25.155.165::5919 type "configure" 44 | # vncdo -s 10.25.155.165::5919 key enter 45 | # vncdo -s 10.25.155.165::5919 type "set interfaces fxp0 unit 0 family inet address 192.168.100.10/24" 46 | # vncdo -s 10.25.155.165::5919 key enter 47 | # vncdo -s 10.25.155.165::5919 type "set routing-options static route 0.0.0.0/0 next-hop 192.168.100.1" 48 | # vncdo -s 10.25.155.165::5919 key enter 49 | # vncdo -s 10.25.155.165::5919 type "commit" 50 | # vncdo -s 10.25.155.165::5919 key enter 51 | # vncdo -s 10.25.155.165::5919 type "exit" 52 | # vncdo -s 10.25.155.165::5919 key enter 53 | ``` 54 | 55 | * Wait, how do we get the output of the command that we send? 56 | * No, we can't. VNC has graphical output, so basically we are blindly typing the keyboard keys. 57 | 58 | * So, how do we know when we can send the login or any other command? 
59 | * specific to my use case, i am waiting for the VM to give me the login prompt which is i can check via console-port 60 | * for example, if i see login prompt, i know the VM is ready to accept the command 61 | 62 | ``` 63 | # nova console-log 68fb6821-4d46-48c4-91f5-3b1d3d02ccbd 64 | ... 65 | 66 | vmx104 (ttyd0) 67 | 68 | login: 69 | ... 70 | ``` 71 | 72 | * Notes: 73 | * The workflow above works only if you have configure nova vnc port to listen in non-localhost IP 74 | * make sure you have the following setting on your nova configuration 75 | 76 | ``` 77 | vncserver_enabled = true 78 | vncserver_listen = 10.25.155.165 79 | ``` 80 | 81 | * If you don't like this approach, alternatively you can you may be able to find something to bridge/convert novnc to a standard socket or to send any command thru novnc 82 | 83 | 84 | -------------------------------------------------------------------------------- /wiki/How-to-resize-VM-image.md: -------------------------------------------------------------------------------- 1 | # How to resize VM image 2 | 3 | This is the procedure to resize a VM image that has single flat primary partition. 4 | 5 | * resize the disk image 6 | 7 | ``` 8 | # qemu-img resize .qcow2 +G 9 | 10 | or 11 | 12 | # qemu-img resize .qcow2 G 13 | ``` 14 | 15 | 16 | * resize the partition table (make sure DOS Compatibility flag is not set and display units is sectors) 17 | 18 | ``` 19 | # fdisk 20 | 21 | # fdisk /dev/vda 22 | 23 | WARNING: DOS-compatible mode is deprecated. It's strongly recommended to 24 | switch off the mode (command 'c') and change display units to 25 | sectors (command 'u'). 26 | 27 | Command (m for help): c 28 | DOS Compatibility flag is not set -------> WARNING! some linux version has DOS Compatibility is already unset 29 | 30 | Command (m for help): u 31 | Changing display/entry units to sectors -------> WARNING! 
some linux version has unit set as sector by default 32 | 33 | Command (m for help): p 34 | 35 | Disk /dev/vda: 85.9 GB, 85899345920 bytes 36 | 255 heads, 63 sectors/track, 10443 cylinders, total 167772160 sectors 37 | Units = sectors of 1 * 512 = 512 bytes 38 | Sector size (logical/physical): 512 bytes / 512 bytes 39 | I/O size (minimum/optimal): 512 bytes / 512 bytes 40 | Disk identifier: 0x00050c05 41 | 42 | Device Boot Start End Blocks Id System 43 | /dev/vda1 * 2048 16777215 8387584 83 Linux 44 | 45 | Command (m for help): d 46 | Selected partition 1 47 | 48 | Command (m for help): n 49 | Command action 50 | e extended 51 | p primary partition (1-4) 52 | p 53 | Partition number (1-4): 1 54 | First sector (2048-167772159, default 2048): 55 | Using default value 2048 56 | Last sector, +sectors or +size{K,M,G} (2048-167772159, default 167772159): 57 | Using default value 167772159 58 | 59 | Command (m for help): w 60 | The partition table has been altered! 61 | 62 | Calling ioctl() to re-read partition table. 63 | 64 | WARNING: Re-reading the partition table failed with error 16: Device or resource busy. 65 | The kernel still uses the old table. The new table will be used at 66 | the next reboot or after you run partprobe(8) or kpartx(8) 67 | Syncing disks. 
68 | # 69 | ``` 70 | 71 | * resize filesystem 72 | 73 | ``` 74 | # resize2fs 75 | # resize2fs /dev/vda1 76 | ``` 77 | 78 | -------------------------------------------------------------------------------- /wiki/Mirror-VM-traffic-in-Openstack-Contrail-with-custom-sniffer.md: -------------------------------------------------------------------------------- 1 | # Mirror VM traffic in Openstack Contrail with custom sniffer 2 | 3 | The proper way to mirror VM traffic in Contrail is by using its analyzer VM as documented in 4 | * (https://www.juniper.net/documentation/en_US/contrail3.0/topics/task/configuration/configure-traffic-analyzer-vnc.html) 5 | 6 | If you follow one of the procedures that are documented in the link above, the Analyzer VM will automatically give you a wireshark via the VNC console. This is good enough for quick troubleshooting purposes, but i started to have a problem when i wanted to generate and download the pcap file. 7 | 8 | > note: we can always run tcpdump on the VM tap interface, but it is not the focus of this post 9 | 10 | 11 | I don't know what the credentials to access the Analyzer VM are (probably there are none), so i want to use my own linux VM as the sniffer. 12 | 13 | Here is what i have done and what i found: 14 | 15 | 16 | ## Launch a linux VM as a sniffer instance 17 | 18 | To use our own VM as the sniffer VM, we need to launch it as a Service Instance. Basically we will do the same as the official procedure, but we are going to use our own VM image, not the analyzer VM. 19 | 20 | * Upload the VM 21 | 22 | * Since it seems there is no way to specify an ssh key pair or any cloud-init configuration when launching a VM as a Contrail Service Instance, we need to make sure we inject a default username/password inside the VM. 
23 | 24 | * In my case, i am using a minimal ubuntu image with the following changes: 25 | * set a default root password 26 | * allow root ssh access using a password inside sshd_config (a baked-in root password with password login is a weak setup, so use a strong unique password, expose the management interface only to a network you control, and delete the instance once the capture is done) 27 | * enable the dhcp client on the eth0 interface 28 | 29 | * Upload the image to glance as usual 30 | * for further reference, let's call this image name: ubuntu-sniffer 31 | 32 | * Create a service template 33 | 34 | * Go to Contrail web UI -> Configure -> Services -> Service Templates 35 | 36 | * Click on '+' to create a new template, and use the following entries: 37 | * Put any name 38 | * for further reference in this post, i use name = st-mirror 39 | * Version: v1 40 | * Virtualization type: Virtual Machine 41 | * Service mode: transparent 42 | * Service type: Analyzer 43 | * Image name: ubuntu-sniffer - or any name that we assigned when we uploaded the image - 44 | * Instance flavor: - select any appropriate flavor - 45 | * Interfaces: one should be enough, but for flexibility i add 2 interfaces 46 | * first interface: management 47 | * i will use this interface to access the VM and run tcpdump or any other sniffing tool 48 | * second interface: left 49 | * I will use this interface to receive the mirrored packets 50 | 51 | 52 | * Create a service instance 53 | 54 | * Go to Contrail web UI -> Configure -> Services -> Service Instances 55 | 56 | * Click on '+' to create a new instance, and use the following entries: 57 | * Put any name 58 | * for further reference, let's use the name: capture1 59 | * Service template: st-mirror - or any service template name that we just created in the previous step - 60 | * Number of instances: 1 61 | * HA mode: none 62 | * Interface type: 63 | * management: attach to any virtual network that you can access 64 | * left: doesn't really matter, we can choose auto-configured 65 | 66 | 67 | * wait until the service VM is spawned and up 68 | 69 | 70 | 71 | ## Setup the sniffer 72 | 73 | * create a network policy 74 | 75 | * this is required to enable the packet mirroring 
on a specific virtual network 76 | 77 | * Go to Contrail web UI -> Configure -> Networking -> Policies 78 | 79 | * Click on '+' to create a new policy, and use the following entries: 80 | * Put any name 81 | * for further reference, let's say the name is: policy_capture 82 | * add rule 83 | * adjust the rule depending on what traffic we want to mirror; keep it as narrow as possible, since everything it matches is copied to the sniffer 84 | * check the "mirror" option 85 | * mirror 86 | * select the service instance that we created in the previous step, in this example: we choose 'capture1' 87 | 88 | 89 | * apply the capture policy to the virtual network 90 | 91 | * Go to Contrail web UI -> Configure -> Networking -> Networks 92 | 93 | * find the virtual network that the target VM interface is attached to 94 | 95 | * modify the network 96 | 97 | * add the mirror policy to the existing network policies 98 | * in this example, add policy_capture to the existing network policies 99 | 100 | 101 | 102 | 103 | ## Sniff the mirrored packet 104 | 105 | In my example above, i assigned the second interface as the left interface, which means the mirrored packets will be sent to this interface. Before we continue to decode the mirrored packets, let's go back and see what the actual wireshark output from the official Analyzer VM looks like. 106 | 107 | 108 | ![analyzer vm wireshark output](https://raw.github.com/rendoaw/notes/master/images/wireshark_in_analyzer_vm.png) 109 | 110 | From the output above, we can see that the mirrored packet is received by the Analyzer VM with some additional headers. 111 | Yes, vrouter will send the mirrored packet to the sniffer encapsulated inside UDP port 8099, with some additional header describing which virtual network the mirroring was performed on. 112 | 113 | 114 | OK, now let's try to run tcpdump on our own custom sniffer VM. 
Here is what i got 115 | 116 | ``` 117 | root@capture1001:~# tcpdump -s 0 -n -i eth1 118 | tcpdump: WARNING: eth1: no IPv4 address assigned 119 | tcpdump: verbose output suppressed, use -v or -vv for full protocol decode 120 | listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes 121 | 20:33:49.627119 IP 100.64.1.10.61378 > 100.64.1.17.8099: UDP, length 170 122 | 20:33:49.627182 IP 100.64.1.10.21994 > 100.64.1.17.8099: UDP, length 170 123 | 20:33:49.627193 IP 10.250.2.252.53471 > 100.64.1.17.8099: UDP, length 317 124 | 20:33:50.632005 IP 100.64.1.10.61378 > 100.64.1.17.8099: UDP, length 170 125 | ... 126 | ``` 127 | 128 | As expected, the sniffer receives UDP encapsulated packets. I tried again, this time saving the capture to a pcap file and opening it via wireshark on my pc. The pcap holds the mirrored VM's traffic in the clear, so treat the file as sensitive and copy it over an encrypted channel. 129 | 130 | Here is the result from wireshark, it can't decode UDP 8099. 131 | 132 | ![wireshark output vanilla](https://raw.github.com/rendoaw/notes/master/images/contrail_wireshark_vanilla.png) 133 | 134 | 135 | I also found out that there are Lua-based custom dissectors provided by the Contrail installation, they are: 136 | * /usr/share/contrail-utils/agent_dissector.lua 137 | * /usr/share/contrail-utils/mpls_dissector.lua 138 | 139 | I loaded them into wireshark and tried to decode again. It's a bit better now, it can decode some of the headers but it still can't decode the original mirrored packets. 140 | 141 | ![wireshark output with agent_dissector](https://raw.github.com/rendoaw/notes/master/images/contrail_wireshark_with_agent_dissector.png) 142 | 143 | 144 | So far, i have no idea where to get the proper dissector. Maybe later i will modify the agent_dissector to be able to decode the original packets, but for now, i'll take the simple approach of removing the contrail header from the original packets manually using editcap. 
145 | 146 | 147 | Looking back at the wireshark output above, and since i know the VM interface that i mirrored the packets from has a MAC address starting with 00:00:5e, i can guess that the original packet starts at byte 0x72 (114 decimal). This offset depends on the length of the encapsulation headers, so confirm it against your own capture before cutting. 148 | So, let's remove the first 114 bytes from the pcap file 149 | 150 | ``` 151 | # editcap -C 114 -F pcap contrail-mirror.pcap contrail-mirror-no-header.pcap 152 | ``` 153 | 154 | Now, if we open contrail-mirror-no-header.pcap, we will see the original mirrored packets. 155 | 156 | ![wireshark output no header](https://raw.github.com/rendoaw/notes/master/images/contrail_wireshark_no_header.png) 157 | 158 | 159 | 160 | ## Conclusion 161 | 162 | * It is possible to mirror the VM traffic without the official Analyzer VM, although it is a bit tricky. 163 | 164 | * Ideally, if the Analyzer VM could provide ssh access into it, then we would not need to go this hard way. 165 | 166 | * As a side note, it would be nice to have the following: 167 | 168 | * ability to specify an ssh key pair when launching a service instance VM 169 | 170 | * ability to use cloud-init when launching a service instance VM 171 | 172 | * This may already be supported, but i don't know how to do it yet: i want to create a service template and launch service instance VMs via a HEAT template. 173 | 174 | 175 | 176 | -------------------------------------------------------------------------------- /wiki/Some-ESXi-related-commands.md: -------------------------------------------------------------------------------- 1 | # Some ESXi related commands 2 | 3 | * add static route 4 | 5 | ``` 6 | esxcfg-route -a 192.168.100.0 255.255.255.0 192.168.0.1 7 | ``` 8 | 9 | * list partition 10 | 11 | ``` 12 | ~ # ls /vmfs/devices/disks/ 13 | .... 
14 | t10.ATA_____ST91000640NS________________________________________9XG8SW0 ---> main disk vml.01000000002020202020202020202020203958473853573045535439313030:9 15 | t10.ATA_____ST91000640NS________________________________________9XG8SW0E:1 ----> partition 1 vml.01000000003339666463643637386664666364313736633963653930306630373064363932536572766572 16 | t10.ATA_____ST91000640NS________________________________________9XG8SW0E:2 -----> partition 2 vml.01000000003339666463643637386664666364313736633963653930306630373064363932536572766572:1 17 | t10.ATA_____ST91000640NS________________________________________9XG8SW0E:3 vml.01000000003638383439363366616432336131333536633963653930306630373064363932536572766572 18 | t10.ATA_____ST91000640NS________________________________________9XG8SW0E:5 vml.01000000003638383439363366616432336131333536633963653930306630373064363932536572766572:1 19 | t10.ATA_____ST91000640NS________________________________________9XG8SW0E:6 vml.01000000006163306439653930613138663035663336633963653930306630373064363932536572766572 20 | t10.ATA_____ST91000640NS________________________________________9XG8SW0E:7 vml.01000000006163306439653930613138663035663336633963653930306630373064363932536572766572:1 21 | t10.ATA_____ST91000640NS________________________________________9XG8SW0E:8 vml.01000000006336383332653337353065623066376136633963653930306630373064363932536572766572 22 | t10.ATA_____ST91000640NS________________________________________9XG8SW0E:9 vml.01000000006336383332653337353065623066376136633963653930306630373064363932536572766572:1 23 | ~ # 24 | ``` 25 | 26 | * Get partition 27 | 28 | ``` 29 | ~ # partedUtil getptbl /vmfs/devices/disks/t10.ATA_____ST91000640NS________________________________________9XG8SW0E 30 | gpt 31 | 121601 255 63 1953525168 32 | 1 64 8191 C12A7328F81F11D2BA4B00A0C93EC93B systemPartition 128 33 | 5 8224 520191 EBD0A0A2B9E5443387C068B6B72699C7 linuxNative 0 34 | 6 520224 1032191 EBD0A0A2B9E5443387C068B6B72699C7 linuxNative 0 35 | 
7 1032224 1257471 9D27538040AD11DBBF97000C2911D1B8 vmkDiagnostic 0 36 | 8 1257504 1843199 EBD0A0A2B9E5443387C068B6B72699C7 linuxNative 0 37 | 9 1843200 7086079 9D27538040AD11DBBF97000C2911D1B8 vmkDiagnostic 0 38 | 2 7086080 15472639 EBD0A0A2B9E5443387C068B6B72699C7 linuxNative 0 39 | 3 15472640 1953525134 AA31E02A400F11DB9590000C2911D1B8 vmfs 0 40 | ~ # 41 | ``` 42 | 43 | * delete partition #1 44 | 45 | ``` 46 | partedUtil delete /vmfs/devices/disks/t10.ATA_____ST91000640NS________________________________________9XG8SW0E 1 47 | ``` 48 | 49 | * Register/Un-register VM 50 | 51 | ``` 52 | vim-cmd solo/registervm /vmfs/volumes/datastore1/linux.vmx 53 | vim-cmd solo/unregister 54 | ``` 55 | 56 | * create vswitch (not dv switch) 57 | 58 | ``` 59 | execute from esx host: vicfg-vswitch -a 60 | execute from vsphere or VMA: vicfg-vswitch -a --vihost 61 | ``` 62 | 63 | * create port group on vswitch 64 | 65 | ``` 66 | execute from esx host: vicfg-vswitch --add-pg 67 | execute from vsphere or VMA: vicfg-vswitch --vihost --add-pg 68 | ``` 69 | 70 | * assign vlan to port group on vswitch 71 | 72 | ``` 73 | execute from esx host: vicfg-vswitch --pg --vlan 74 | execute from vsphere or VMA: vicfg-vswitch --vihost --pg --vlan 75 | ``` 76 | 77 | * clone VM 78 | 79 | ``` 80 | - shutdown the VM that want to be cloned 81 | - copy the whole folder to a new folder 82 | - go to the new folder 83 | - modify vmx file 84 | - change display name to a new name 85 | - register the VM (see above) 86 | ``` 87 | -------------------------------------------------------------------------------- /yang.ietf.network.tree.txt: -------------------------------------------------------------------------------- 1 | module: ietf-logical-network-element 2 | +--rw logical-network-elements 3 | +--rw logical-network-element* [name] 4 | +--rw name string 5 | +--rw managed? boolean 6 | +--rw description? string 7 | +--rw root 8 | 9 | augment /if:interfaces/if:interface: 10 | +--rw bind-lne-name? 
-> /logical-network-elements/logical-network-element/name 11 | 12 | notifications: 13 | +---n bind-lne-name-failed 14 | +--ro name -> /if:interfaces/interface/name 15 | +--ro bind-lne-name -> /if:interfaces/interface/lne:bind-lne-name 16 | +--ro error-info? string 17 | module: ietf-logical-network-element 18 | +--rw logical-network-elements 19 | +--rw logical-network-element* [name] 20 | +--rw name string 21 | +--rw managed? boolean 22 | +--rw description? string 23 | +--rw root 24 | 25 | augment /if:interfaces/if:interface: 26 | +--rw bind-lne-name? -> /logical-network-elements/logical-network-element/name 27 | 28 | notifications: 29 | +---n bind-lne-name-failed 30 | +--ro name -> /if:interfaces/interface/name 31 | +--ro bind-lne-name -> /if:interfaces/interface/lne:bind-lne-name 32 | +--ro error-info? string 33 | module: ietf-network-instance 34 | +--rw network-instances 35 | +--rw network-instance* [name] 36 | +--rw name string 37 | +--rw enabled? boolean 38 | +--rw description? string 39 | +--rw (ni-type)? 40 | +--rw (root-type) 41 | +--:(vrf-root) 42 | | +--rw vrf-root 43 | +--:(vsi-root) 44 | | +--rw vsi-root 45 | +--:(vv-root) 46 | +--rw vv-root 47 | 48 | augment /if:interfaces/if:interface: 49 | +--rw bind-ni-name? -> /network-instances/network-instance/name 50 | augment /if:interfaces/if:interface/ip:ipv4: 51 | +--rw bind-ni-name? -> /network-instances/network-instance/name 52 | augment /if:interfaces/if:interface/ip:ipv6: 53 | +--rw bind-ni-name? -> /network-instances/network-instance/name 54 | 55 | notifications: 56 | +---n bind-ni-name-failed 57 | +--ro name -> /if:interfaces/interface/name 58 | +--ro interface 59 | | +--ro bind-ni-name? -> /if:interfaces/interface/ni:bind-ni-name 60 | +--ro ipv4 61 | | +--ro bind-ni-name? -> /if:interfaces/interface/ip:ipv4/ni:bind-ni-name 62 | +--ro ipv6 63 | | +--ro bind-ni-name? -> /if:interfaces/interface/ip:ipv6/ni:bind-ni-name 64 | +--ro error-info? 
string 65 | module: ietf-network-state 66 | +--ro networks 67 | +--ro network* [network-id] 68 | +--ro network-types 69 | +--ro network-id nw:network-id 70 | +--ro supporting-network* [network-ref] 71 | | +--ro network-ref -> /networks/network/network-id 72 | +--ro node* [node-id] 73 | | +--ro node-id nw:node-id 74 | | +--ro supporting-node* [network-ref node-ref] 75 | | | +--ro network-ref -> ../../../supporting-network/network-ref 76 | | | +--ro node-ref -> /networks/network/node/node-id 77 | | +--ro nt-s:termination-point* [tp-id] 78 | | +--ro nt-s:tp-id nt:tp-id 79 | | +--ro nt-s:supporting-termination-point* [network-ref node-ref tp-ref] 80 | | +--ro nt-s:network-ref -> ../../../nw-s:supporting-node/network-ref 81 | | +--ro nt-s:node-ref -> ../../../nw-s:supporting-node/node-ref 82 | | +--ro nt-s:tp-ref -> /nw-s:networks/network[nw-s:network-id=current()/../network-ref]/node[nw-s:node-id=current()/../node-ref]/termination-point/tp-id 83 | +--ro nt-s:link* [link-id] 84 | +--ro nt-s:source 85 | | +--ro nt-s:source-node? -> ../../../nw-s:node/node-id 86 | | +--ro nt-s:source-tp? -> ../../../nw-s:node[nw-s:node-id=current()/../source-node]/termination-point/tp-id 87 | +--ro nt-s:destination 88 | | +--ro nt-s:dest-node? -> ../../../nw-s:node/node-id 89 | | +--ro nt-s:dest-tp? 
-> ../../../nw-s:node[nw-s:node-id=current()/../dest-node]/termination-point/tp-id 90 | +--ro nt-s:link-id nt:link-id 91 | +--ro nt-s:supporting-link* [network-ref link-ref] 92 | +--ro nt-s:network-ref -> ../../../nw-s:supporting-network/network-ref 93 | +--ro nt-s:link-ref -> /nw-s:networks/network[nw-s:network-id=current()/../network-ref]/link/link-id 94 | module: ietf-network 95 | +--rw networks 96 | +--rw network* [network-id] 97 | +--rw network-id network-id 98 | +--rw network-types 99 | +--rw supporting-network* [network-ref] 100 | | +--rw network-ref -> /networks/network/network-id 101 | +--rw node* [node-id] 102 | | +--rw node-id node-id 103 | | +--rw supporting-node* [network-ref node-ref] 104 | | | +--rw network-ref -> ../../../supporting-network/network-ref 105 | | | +--rw node-ref -> /networks/network/node/node-id 106 | | +--rw nt:termination-point* [tp-id] 107 | | +--rw nt:tp-id tp-id 108 | | +--rw nt:supporting-termination-point* [network-ref node-ref tp-ref] 109 | | +--rw nt:network-ref -> ../../../nw:supporting-node/network-ref 110 | | +--rw nt:node-ref -> ../../../nw:supporting-node/node-ref 111 | | +--rw nt:tp-ref -> /nw:networks/network[nw:network-id=current()/../network-ref]/node[nw:node-id=current()/../node-ref]/termination-point/tp-id 112 | +--rw nt:link* [link-id] 113 | +--rw nt:link-id link-id 114 | +--rw nt:source 115 | | +--rw nt:source-node? -> ../../../nw:node/node-id 116 | | +--rw nt:source-tp? -> ../../../nw:node[nw:node-id=current()/../source-node]/termination-point/tp-id 117 | +--rw nt:destination 118 | | +--rw nt:dest-node? -> ../../../nw:node/node-id 119 | | +--rw nt:dest-tp? 
-> ../../../nw:node[nw:node-id=current()/../dest-node]/termination-point/tp-id 120 | +--rw nt:supporting-link* [network-ref link-ref] 121 | +--rw nt:network-ref -> ../../../nw:supporting-network/network-ref 122 | +--rw nt:link-ref -> /nw:networks/network[nw:network-id=current()/../network-ref]/link/link-id 123 | --------------------------------------------------------------------------------