August 2021


Step 1: Reload Cisco 8000 and Config PXE

  1. Reload the chassis.
  2. Press ESC to enter the BIOS, select “Boot Manager”, then choose iPXE:
iPXE initialising devices...ok

iPXE 1.0.0+ (b965) -- Open Source Network Boot Firmware -- http://ipxe.org
Features: DNS HTTP HTTPS TFTP EFI ISO9660_grub Menu
iPXE>                             
iPXE> ifopen net0
iPXE>
iPXE>
iPXE> ifstat     
net0: 08:4f:a9:5c:fb:c9 using i210 on PCI02:00.0 (open)
  [Link:up, TX:0 TXE:0 RX:10 RXE:3]
  [RXE: 1 x "The socket is not connected (http://ipxe.org/380f6093)"]
  [RXE: 1 x "Error 0x440e6083 (http://ipxe.org/440e6083)"]
  [RXE: 1 x "Operation not supported (http://ipxe.org/3c086083)"]
net1: 00:a0:c9:00:00:00 using x557 on PCI04:00.0 (closed)
  [Link:down, TX:0 TXE:0 RX:0 RXE:0]
  [Link status: Down (http://ipxe.org/38086193)]
net2: 08:4f:a9:5c:fb:ca using x557 on PCI04:00.1 (closed)
  [Link:down, TX:0 TXE:0 RX:0 RXE:0]
  [Link status: Down (http://ipxe.org/38086193)]
iPXE>
iPXE> set net0/ip 10.75.49.7
iPXE> set net0/netmask 255.255.255.0
iPXE> set net0/gateway 10.75.49.1
iPXE> ifopen net0

  3. Boot the ONIE image:

iPXE> boot tftp://10.76.76.160/onie-recovery-x86_64-cisco_8000-r0.efi64.pxe
tftp://10.76.76.160/onie-recovery-x86_64-cisco_8000-r0.efi64.pxe... 94%
                                                                    ok 

The BGP Flow Specification feature is a method for defending against DoS (Denial of Service) and DDoS (Distributed Denial of Service) attacks, improving network security and availability. It works as follows: a BGP FS controller distributes specific rules to BGP FS clients over BGP; on receiving a rule, a BGP FS client redirects, remarks, drops or rate-limits the matching flows according to that rule.
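As an added example (not code from the original post, and not from any router vendor), the following Python models the client side of that mechanism: a small set of constructed FlowSpec-style rules, with match components loosely following RFC 5575 (destination/source prefix, IP protocol, destination/source port) and the four actions named above. Rules are evaluated first-match in the order given; the canonical RFC 5575 rule ordering is not implemented here. The rule and flow values are constructed sample data, and a traffic-rate of 0 is treated as discard, as RFC 5575 specifies.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class FlowRule:
    """One FlowSpec-style rule as a BGP FS client would hold it (constructed model)."""
    action: str                       # "drop", "rate-limit", "redirect" or "remark"
    dst_prefix: Optional[str] = None  # destination prefix component
    src_prefix: Optional[str] = None  # source prefix component
    protocol: Optional[int] = None    # IP protocol number (6 = TCP, 17 = UDP)
    dst_port: Optional[int] = None
    src_port: Optional[int] = None
    rate_bps: Optional[float] = None  # traffic-rate action; 0 means discard (RFC 5575)
    redirect_vrf: Optional[str] = None  # redirect target (a VRF name here, hypothetical)
    dscp: Optional[int] = None        # traffic-marking action (DSCP value)

    def matches(self, flow: dict) -> bool:
        """Every component that is set must match; unset components match anything."""
        if self.dst_prefix is not None and \
                ipaddress.ip_address(flow["dst"]) not in ipaddress.ip_network(self.dst_prefix):
            return False
        if self.src_prefix is not None and \
                ipaddress.ip_address(flow["src"]) not in ipaddress.ip_network(self.src_prefix):
            return False
        for field in ("protocol", "dst_port", "src_port"):
            wanted = getattr(self, field)
            if wanted is not None and flow[field] != wanted:
                return False
        return True

def apply_rules(rules: List[FlowRule], flow: dict) -> Tuple[str, Optional[object]]:
    """Return (action, detail) for the first matching rule, or ("forward", None)."""
    for rule in rules:
        if not rule.matches(flow):
            continue
        if rule.action == "rate-limit" and rule.rate_bps == 0:
            return ("drop", None)          # traffic-rate 0 is a discard
        detail = {"rate-limit": rule.rate_bps,
                  "redirect": rule.redirect_vrf,
                  "remark": rule.dscp}.get(rule.action)
        return (rule.action, detail)
    return ("forward", None)

# Constructed rules, as if received from a BGP FS controller (documentation prefixes).
SAMPLE_RULES = [
    FlowRule("rate-limit", dst_prefix="203.0.113.0/24", protocol=17, dst_port=53, rate_bps=1_000_000),
    FlowRule("rate-limit", dst_prefix="203.0.113.10/32", protocol=6, dst_port=80, rate_bps=0),
    FlowRule("redirect", src_prefix="198.51.100.0/24", redirect_vrf="scrub"),
    FlowRule("remark", dst_prefix="203.0.113.0/24", protocol=6, dst_port=443, dscp=8),
]

# Constructed flow records a client might classify.
SAMPLE_FLOWS = {
    "dns-to-server":  {"dst": "203.0.113.10", "src": "192.0.2.5",    "protocol": 17, "dst_port": 53,  "src_port": 40000},
    "http-to-server": {"dst": "203.0.113.10", "src": "192.0.2.6",    "protocol": 6,  "dst_port": 80,  "src_port": 51000},
    "ssh-from-net":   {"dst": "203.0.113.20", "src": "198.51.100.7", "protocol": 6,  "dst_port": 22,  "src_port": 52000},
    "https-to-web":   {"dst": "203.0.113.20", "src": "192.0.2.9",    "protocol": 6,  "dst_port": 443, "src_port": 53000},
    "smtp-to-mail":   {"dst": "203.0.113.20", "src": "192.0.2.9",    "protocol": 6,  "dst_port": 25,  "src_port": 54000},
}

def classify_all() -> dict:
    """Classify every sample flow against the sample rules."""
    return {name: apply_rules(SAMPLE_RULES, flow) for name, flow in SAMPLE_FLOWS.items()}

if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:15s} -> {verdict}")
```

The verdict for each flow shows the four actions in use: the DNS flow is rate-limited, the HTTP flow to the single host is dropped (rate 0), traffic from the 198.51.100.0/24 source is redirected to the scrubbing VRF, and HTTPS is re-marked; anything unmatched is forwarded unchanged.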


IKE (Internet Key Exchange protocol)

IKE is a hybrid protocol, composed of the Internet Security Association and Key Management Protocol (ISAKMP) and two key exchange protocols, OAKLEY and SKEME. IKE is built on the framework defined by ISAKMP, adopts the key exchange modes of OAKLEY and the sharing and key-refresh techniques of SKEME, and also defines two key exchange modes of its own: main mode and aggressive mode.

IKE negotiates two kinds of SA:

  • IKE(ISAKMP) SA (Phase 1)
  • IPSEC SA(Phase 2)

The relationship between IKE and IPsec is shown in the figure below. The peers first establish an IKE SA, which performs identity authentication and the exchange of keying material; then, under the protection of that IKE SA, they negotiate a pair of IPsec SAs according to the configured parameters such as the AH/ESP security protocol. After that, data between the peers is encrypted and transmitted through the IPsec tunnel.

An IKE SA is a bidirectional logical connection; only one IKE SA is established between two peers.

[Figure: relationship between IKE and IPsec]

GRE Overview

Generic Routing Encapsulation (GRE) can encapsulate packets of certain network-layer protocols (such as IPX, ATM, IPv6 and AppleTalk) so that the encapsulated packets can be transmitted over another network-layer protocol (such as IPv4). This differs from IPsec, which can only encapsulate IP packets.
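As an added example (not code from the original post), the following Python builds and parses the GRE header defined in RFC 2784, which is what lets a non-IPv4 payload such as IPv6, IPX or AppleTalk ride inside an IPv4 packet (IP protocol 47). The payloads are constructed sample bytes and the outer IPv4 header is omitted; the protocol-type values are the standard EtherType numbers GRE uses.

```python
import struct

# EtherType values carried in the GRE Protocol Type field (RFC 2784 / IANA).
GRE_PROTOCOLS = {
    0x0800: "IPv4",
    0x86DD: "IPv6",
    0x8137: "IPX",
    0x809B: "AppleTalk",
}

def ones_complement_sum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over 16-bit words; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def gre_encapsulate(payload: bytes, proto: int, with_checksum: bool = False) -> bytes:
    """Prepend an RFC 2784 GRE header: C flag, version 0, protocol type, optional checksum."""
    flags_ver = 0x8000 if with_checksum else 0x0000   # bit 0 = C (checksum present)
    header = struct.pack("!HH", flags_ver, proto)
    if with_checksum:
        # The checksum covers header + payload with the checksum field itself zeroed.
        csum = ones_complement_sum(header + b"\x00\x00\x00\x00" + payload)
        header += struct.pack("!HH", csum, 0)          # checksum, reserved1
    return header + payload

def gre_decapsulate(packet: bytes):
    """Strip the GRE header; return (protocol_name, payload) or raise ValueError."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags_ver, proto = struct.unpack("!HH", packet[:4])
    if flags_ver & 0x0007:
        raise ValueError("unsupported GRE version %d" % (flags_ver & 0x0007))
    offset = 4
    if flags_ver & 0x8000:
        if len(packet) < 8:
            raise ValueError("checksum flag set but header truncated")
        # Summing the whole packet, checksum included, must yield zero.
        if ones_complement_sum(packet) != 0:
            raise ValueError("GRE checksum mismatch")
        offset = 8
    name = GRE_PROTOCOLS.get(proto, "unknown(0x%04x)" % proto)
    return name, packet[offset:]

def gre_is_valid(packet: bytes) -> bool:
    """True if the packet parses as GRE with a correct checksum (when present)."""
    try:
        gre_decapsulate(packet)
        return True
    except ValueError:
        return False

# Constructed sample payload: a minimal 40-byte IPv6 header (version nibble 6, rest zero).
SAMPLE_IPV6 = b"\x60" + b"\x00" * 39

if __name__ == "__main__":
    pkt = gre_encapsulate(SAMPLE_IPV6, 0x86DD, with_checksum=True)
    print("GRE header:", pkt[:8].hex())
    print("inner protocol, payload length:", gre_decapsulate(pkt)[0], len(gre_decapsulate(pkt)[1]))
```

Note that GRE gives multiprotocol transport but no confidentiality or integrity protection beyond this optional checksum; that is why GRE is commonly run inside IPsec rather than instead of it.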


DMVPN

DMVPN Phase 1:

R1 configuration:

R1_HUB#show run int tunnel 0 
Building configuration...

Current configuration : 219 bytes
!
interface Tunnel0
 ip address 172.168.123.1 255.255.255.0
 no ip redirects
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
end

R2 / R3 configuration:

R2_spoke#show run int tunnel 0 
Building configuration...

Current configuration : 241 bytes
!
interface Tunnel0
 ip address 172.168.123.2 255.255.255.0
 ip nhrp map 172.168.123.1 10.1.14.1
 ip nhrp map multicast 10.1.14.1
 ip nhrp network-id 1
 ip nhrp nhs 172.168.123.1
 tunnel source Ethernet0/0
 tunnel destination 10.1.14.1
end