PaloAlto UNL Basic config

[topology screenshot]

NOTE:
-make sure all NICs in the UNL VM use vmxnet3, not e1000
-I feel PA6.1 is more stable than PA7.0.1
-I don't have a URL Filtering license, so I can't test website blocking

-set the PA management NIC IP to 192.168.1.1:
> configure
# set deviceconfig system ip-address 192.168.1.1 netmask 255.255.255.0
# commit

PC1:
MGMT NIC
   ip 192.168.1.10/24
LAN NIC
   ip 10.0.0.10/24
   gw 10.0.0.1
-open a browser on PC1 and go to https://192.168.1.1
Login: admin
Password: admin

-set Device/Management section
-set Service Route Configuration
-set Network/Network Profiles/Interface Mgmt
-set Network/Zones
-set Network/Interfaces
-set Network/DHCP
-set Objects/Addresses
-set Policies/Security
-set Policies/NAT

-click Commit
-click Save
Now test whether PC1 can browse the Internet.

Increasing allocated RAM for UNL in VMware Fusion

SOURCE:
  1. import the UNL OVA and keep the VM powered off
  2. change the hardware compatibility to 12
    – In the Apple menu bar, select Virtual Machine > Settings.
    – Select Compatibility
    – Set the hardware version to 12
  3. change "memsize" in the UNL .vmx file
    – right click the UNL VM and select "Show Package Contents"
    – search for the .vmx file, right click it and select Open With > TextEdit
    – change memsize there and save
    – power on the UNL VM. If it complains about an unsupported main memory size, just click OK

What didn’t work yet in Unetlab

NOTE:
These limitations are not caused by Unetlab but by the images themselves.
Based on input from UD, these didn't work in UNL:
-QinQ (doesn't work on Cisco, works on Arista)
-SPAN, RSPAN
 SPAN doesn't work on any Cisco switch
 SPAN is OK on Arista, but RSPAN is not supported on any switch
 https://supportforums.cisco.com/document/139236/understanding-spanrspanand-erspan
-WCCP
-L2VPN
-MAB (MAC Authentication Bypass)
For best results on the L2 IRON image, turn off IP CEF:
(config)#no ip cef
With IP CEF turned off:
-L3 EtherChannel OK
-PVLAN OK
-VACL, PACL OK
-DHCP snooping OK
-dot1x supported

Exporting/Importing Unetlab lab steps

Exporting Steps
1. click More actions/Start all nodes
2. click More actions/Export all CFGs
3. click More actions/Set all startup-cfg to exported
4. click More actions/Stop all nodes
5. click Close lab
6. click the lab and click ACTIONS/Export selected objects

Importing Steps
1. click ACTIONS/Import external labs
2. select the target lab archive (don't unzip it) and import it
3. click More actions/Start all nodes

How to export/import all labs
  1. Proper way
    Shift-click your target labs and click menu ACTIONS/Export selected objects
  2. Unsupported but works
    copy your labs from /opt/unetlab/labs/ into the same location on your target UNL

Importing IOU lab into Unetlab

  1. create a simple IOU lab
  2. edit the new lab
    Netmap: 1:0/0 2:0/0
    click Save

  3. configure both routers

    R1#sh run
    hostname R1
    interface Ethernet0/0
     ip address 12.12.12.1 255.255.255.0
    R1#copy run unix:
    Destination filename [running-config]?
    R1#wr
    R2#sh run
    hostname R2
    interface Ethernet0/0
     ip address 12.12.12.2 255.255.255.0
    R2#copy run unix:
    Destination filename [running-config]?
    R2#wr
  4. copy all running configs to the database
    if you get an error, click each router and choose "Copy unix://running-config to database"
    sometimes this happens because the router lost its config
  5. edit this lab again
    set both routers' initial config
  6. export the lab
    Select labs you want to export: tick the lab name
    Select initial config packs you want to export: tick the lab name
    click Export
  7. click Download
    rename the file according to your lab name
  8. open Unetlab and import the external lab
    Browse and click Import
  9. open the lab
  10. click More actions/Set all startup-cfg to exported
    click More actions/Wipe all nodes
    click More actions/Start all nodes

    Now all IOU configs are still intact in Unetlab

CheckPoint GAIA Installation on Unetlab

-download the CheckPoint R77.30 ISO
-prepare a VMware Workstation VM with Other Linux 64-bit, 30GB HD, 2GB RAM and 4 NICs
-open Chrome and go to https://10.0.10.61

-shut down the VM and go to VMware Workstation
-click the CheckPoint VM
-click File/Export to OVF and export it as cpsg-r7730.ova
-on the UNL host:
# mkdir -p /opt/unetlab/addons/qemu/cpsg-r7730
-scp cpsg-r7730.ova into /opt/unetlab/addons/qemu/cpsg-r7730
# cd /opt/unetlab/addons/qemu/cpsg-r7730
# tar xf cpsg-r7730.ova
# /opt/qemu/bin/qemu-img convert -f vmdk -O qcow2 cpsg-r7730-disk1.vmdk hda.qcow2
# /opt/unetlab/wrappers/unl_wrapper -a fixpermissions
-create the CheckPoint lab in Unetlab and start cp1
-open SmartDashboard and log in as admin
-right click Edit Network Objects/CheckPoint/cp1
-create Network Objects/Networks/LAN
-create a Firewall policy
-create an Application & URL Filtering policy
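As an added example (not part of these notes), a small Python check to run against cpsg-r7730.ova before the tar xf and qemu-img convert steps: an OVA is a plain tar whose .mf manifest lists a digest for every member, and verifying those digests catches a truncated or modified download before the disk lands in /opt/unetlab/addons/qemu. The archive built inside build_sample_ova() is a constructed dummy that only borrows the notes' file names; a real OVA is passed to verify_ova() as an open binary file.

```python
"""Verify an OVA manifest before extracting and converting its disk.

Added example, not from the original notes. An OVA is a plain tar archive;
alongside the .ovf descriptor and the .vmdk disks it normally carries a .mf
manifest with one digest line per member, e.g.
    SHA256(cpsg-r7730-disk1.vmdk)= <hex digest>
Checking every member against that manifest before `tar xf` and
`qemu-img convert` catches a truncated or modified download. The archive
built by build_sample_ova() is constructed here with dummy contents; only
the file names mirror the notes.
"""
import hashlib
import io
import re
import sys
import tarfile

MANIFEST_LINE = re.compile(r"^(SHA1|SHA256|SHA512)\(([^)]+)\)=\s*([0-9a-fA-F]+)\s*$")


def parse_manifest(text):
    """Return {member_name: (hashlib_algorithm, hex_digest)} from .mf text."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MANIFEST_LINE.match(line)
        if not m:
            raise ValueError("unparseable manifest line: %r" % line)
        algo, name, digest = m.groups()
        entries[name] = (algo.lower(), digest.lower())
    return entries


def verify_ova(fileobj):
    """Check every non-manifest member of the OVA against its .mf file.

    Returns (ok, problems); problems is a list of human-readable strings.
    """
    problems = []
    with tarfile.open(fileobj=fileobj, mode="r:") as tar:
        members = {m.name: m for m in tar.getmembers() if m.isfile()}
        mf_names = [n for n in members if n.endswith(".mf")]
        if len(mf_names) != 1:
            return False, ["expected exactly one .mf manifest, found %d" % len(mf_names)]
        mf_name = mf_names[0]
        manifest = parse_manifest(tar.extractfile(members[mf_name]).read().decode())
        for name, member in members.items():
            if name == mf_name:
                continue
            if name not in manifest:
                problems.append("%s: not listed in manifest" % name)
                continue
            algo, expected = manifest[name]
            h = hashlib.new(algo)
            f = tar.extractfile(member)
            for chunk in iter(lambda: f.read(1 << 20), b""):  # stream large disks
                h.update(chunk)
            if h.hexdigest() != expected:
                problems.append("%s: %s mismatch" % (name, algo))
        for name in manifest:
            if name not in members:
                problems.append("%s: listed in manifest but missing from archive" % name)
    return (not problems), problems


def build_sample_ova(tamper=False):
    """Construct a tiny OVA-shaped tar in memory (dummy contents, for demonstration)."""
    files = {
        "cpsg-r7730.ovf": b"<Envelope>dummy descriptor</Envelope>\n",
        "cpsg-r7730-disk1.vmdk": b"KDMV dummy disk image bytes\n",
    }
    manifest = "".join(
        "SHA256(%s)= %s\n" % (n, hashlib.sha256(d).hexdigest()) for n, d in files.items()
    ).encode()
    if tamper:
        # Modify the disk after the manifest was written, as a corrupted download would.
        files["cpsg-r7730-disk1.vmdk"] += b"extra"
    order = [("cpsg-r7730.ovf", files["cpsg-r7730.ovf"]),
             ("cpsg-r7730.mf", manifest),  # OVF spec: descriptor first, manifest next
             ("cpsg-r7730-disk1.vmdk", files["cpsg-r7730-disk1.vmdk"])]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in order:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def check_sample(tamper=False):
    """Run verify_ova() on the constructed sample archive."""
    return verify_ova(io.BytesIO(build_sample_ova(tamper)))


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python verify_ova.py cpsg-r7730.ova
        with open(sys.argv[1], "rb") as fh:
            ok, problems = verify_ova(fh)
    else:
        ok, problems = check_sample(tamper=True)
    print("OK" if ok else "FAILED", problems)
    sys.exit(0 if ok else 1)
```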

ESXi 6.0 Unetlab to Cisco Catalyst trunk

I have a problem with Unetlab inside ESXi with 2 trunk ports.
Once one of the trunk cables is disconnected, the issue is fixed.
The problems are:
-the node (Mikrotik in the example below) can't ping the gateway, but the Unetlab VM can
-after ESXi is restarted, I can't ping ESXi anymore
The solution is the following Cisco and ESXi configuration:
Cisco:
# sh run
port-channel load-balance src-dst-ip
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 flowcontrol receive desired
interface FastEthernet2/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 speed 100
 duplex full
 flowcontrol receive desired
 channel-group 1 mode on
 spanning-tree portfast trunk
 spanning-tree bpdufilter enable
!
interface FastEthernet2/0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 speed 100
 duplex full
 flowcontrol receive desired
 channel-group 1 mode on
 spanning-tree portfast trunk
 spanning-tree bpdufilter enable
ESXi:
[configuration screenshots]

OSPF Labs

Cisco-Cisco

[topology diagram]
R1#sh run
hostname R1
interface Loopback0
 ip address 1.0.0.1 255.255.255.255
interface FastEthernet0/0
 no ip address
 shutdown
 duplex full
interface Ethernet1/0
 ip address 10.0.10.61 255.255.255.0
 ip nat outside
 duplex full
interface Ethernet1/1
 ip address 12.12.12.1 255.255.255.252
 ip nat inside
 duplex full
interface Ethernet1/2
 ip address 31.31.31.2 255.255.255.252
 ip nat inside
 duplex full
interface Ethernet1/3
 no ip address
 duplex full
router ospf 1
 redistribute static subnets
 network 1.0.0.0 0.0.0.0 area 0
 network 12.12.12.0 0.0.0.3 area 0
 network 31.31.31.0 0.0.0.3 area 0
 default-information originate
ip nat inside source list LAN interface Ethernet1/0 overload
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.0.10.1
ip access-list standard LAN
 permit 12.12.12.0 0.0.0.3
 permit 23.23.23.0 0.0.0.3
 permit 31.31.31.0 0.0.0.3
 permit 1.0.0.0 0.0.0.7
R2#sh run
hostname R2
interface Loopback0
 ip address 1.0.0.2 255.255.255.255
interface FastEthernet0/0
 no ip address
 shutdown
 duplex full
interface Ethernet1/0
 no ip address
 duplex full
interface Ethernet1/1
 ip address 12.12.12.2 255.255.255.252
 duplex full
interface Ethernet1/2
 ip address 23.23.23.1 255.255.255.252
 duplex full
interface Ethernet1/3
 no ip address
 shutdown
 duplex full
router ospf 1
 network 1.0.0.0 0.0.0.0 area 0
 network 12.12.12.0 0.0.0.3 area 0
 network 23.23.23.0 0.0.0.3 area 0
ip forward-protocol nd
R3#sh run
hostname R3
interface Loopback0
 ip address 1.0.0.3 255.255.255.255
interface FastEthernet0/0
 no ip address
 shutdown
 duplex full
interface Ethernet1/0
 no ip address
 duplex full
interface Ethernet1/1
 ip address 23.23.23.2 255.255.255.252
 duplex full
interface Ethernet1/2
 ip address 31.31.31.1 255.255.255.252
 duplex full
interface Ethernet1/3
 no ip address
 shutdown
 duplex full
router ospf 1
 network 1.0.0.0 0.0.0.0 area 0
 network 23.23.23.0 0.0.0.3 area 0
 network 31.31.31.0 0.0.0.3 area 0
ip forward-protocol nd

FortiGate-FortiGate
[topology diagram]
FGT1
config system interface
    edit "port1"
        set vdom "root"
        set ip 10.0.10.61 255.255.255.0
        set allowaccess ping https ssh http fgfm
        set type physical
        set snmp-index 1
    next
    edit "port2"
        set vdom "root"
        set ip 12.12.12.1 255.255.255.252
        set allowaccess ping https ssh http fgfm
        set type physical
        set snmp-index 2
    next
    edit "port3"
        set vdom "root"
        set ip 31.31.31.2 255.255.255.252
        set allowaccess ping https ssh http fgfm
        set type physical
        set snmp-index 3
    next
    edit "port4"
        set vdom "root"
        set type physical
        set snmp-index 4
    next
    edit "ssl.root"
        set vdom "root"
        set type tunnel
        set alias "SSL VPN interface"
        set snmp-index 5
    next
    edit "loopback"
        set vdom "root"
        set ip 1.0.0.1 255.255.255.255
        set type loopback
        set snmp-index 6
    next
end
config firewall policy
    edit 1
        set uuid ef6c951c-0627-51e6-739a-6ddf25cfc795
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set uuid 6e9d6c2c-0708-51e6-17f6-3c373c555f2b
        set srcintf "port3"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 3
        set uuid 0d34fb4c-070a-51e6-439a-725742a0b680
        set srcintf "port2" "port3"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
config router static
    edit 1
        set gateway 10.0.10.1
        set device "port1"
    next
end
config router ospf
    set default-information-originate enable
    set router-id 1.0.0.1
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "loopback"
            set interface "loopback"
            set ip 1.0.0.1
        next
    end
    config network
        edit 1
            set prefix 12.12.12.0 255.255.255.252
        next
        edit 2
            set prefix 31.31.31.0 255.255.255.252
        next
        edit 3
            set prefix 1.0.0.1 255.255.255.255
        next
    end
    config redistribute "connected"
    end
    config redistribute "static"
        set status enable
    end
    config redistribute "rip"
    end
    config redistribute "bgp"
    end
    config redistribute "isis"
    end
end

FGT2
config system interface
    edit "port1"
        set vdom "root"
        set allowaccess ping https ssh http fgfm
        set type physical
        set snmp-index 1
    next
    edit "port2"
        set vdom "root"
        set ip 12.12.12.2 255.255.255.252
        set allowaccess ping https ssh http fgfm
        set type physical
        set snmp-index 2
    next
    edit "port3"
        set vdom "root"
        set ip 23.23.23.1 255.255.255.252
        set allowaccess ping https ssh http fgfm
        set type physical
        set snmp-index 3
    next
    edit "port4"
        set vdom "root"
        set type physical
        set snmp-index 4
    next
    edit "ssl.root"
        set vdom "root"
        set type tunnel
        set alias "SSL VPN interface"
        set snmp-index 5
    next
    edit "loopback"
        set vdom "root"
        set ip 1.0.0.2 255.255.255.255
        set type loopback
        set snmp-index 6
    next
end
config router ospf
    set router-id 1.0.0.2
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "loopback"
            set interface "loopback"
            set ip 1.0.0.2
        next
    end
    config network
        edit 1
            set prefix 12.12.12.0 255.255.255.252
        next
        edit 2
            set prefix 23.23.23.0 255.255.255.252
        next
        edit 3
            set prefix 1.0.0.2 255.255.255.255
        next
    end
    config redistribute "connected"
    end
    config redistribute "static"
    end
    config redistribute "rip"
    end
    config redistribute "bgp"
    end
    config redistribute "isis"
    end
end
config firewall policy
    edit 1
        set uuid 5a630c00-071f-51e6-e8ae-2344f9e5a0e6
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 2
        set uuid 5db36f80-071f-51e6-623f-42be7d156fd5
        set srcintf "port3"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

FGT3
config system interface
    edit "port1"
        set vdom "root"
        set allowaccess ping https ssh http fgfm
        set type physical
        set snmp-index 1
    next
    edit "port2"
        set vdom "root"
        set ip 23.23.23.2 255.255.255.252
        set allowaccess ping https ssh http fgfm
        set type physical
        set snmp-index 2
    next
    edit "port3"
        set vdom "root"
        set ip 31.31.31.1 255.255.255.252
        set allowaccess ping https ssh http fgfm
        set type physical
        set snmp-index 3
    next
    edit "port4"
        set vdom "root"
        set type physical
        set snmp-index 4
    next
    edit "ssl.root"
        set vdom "root"
        set type tunnel
        set alias "SSL VPN interface"
        set snmp-index 5
    next
    edit "loopback"
        set vdom "root"
        set ip 1.0.0.3 255.255.255.255
        set type loopback
        set snmp-index 6
    next
end
config router ospf
    set router-id 1.0.0.3
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "loopback"
            set interface "loopback"
            set ip 1.0.0.3
        next
    end
    config network
        edit 1
            set prefix 23.23.23.0 255.255.255.252
        next
        edit 2
            set prefix 31.31.31.0 255.255.255.252
        next
        edit 3
            set prefix 1.0.0.3 255.255.255.255
        next
    end
    config redistribute "connected"
    end
    config redistribute "static"
    end
    config redistribute "rip"
    end
    config redistribute "bgp"
    end
    config redistribute "isis"
    end
end
config firewall policy
    edit 1
        set uuid 41d5f3a0-071f-51e6-df0e-727622495609
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 2
        set uuid 46ddcb20-071f-51e6-0dc2-22dfea80d1d2
        set srcintf "port3"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
NOTE:
-to refresh the OSPF database:
# exe router clear ospf process
-to show the routing table:
# get router info routing-table all
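An added audit script (not from the notes) for the allowaccess lines in the FGT configs above: every addressed port there permits http and fgfm alongside https and ssh, so this parser pulls the config system interface block out of a FortiOS export and lists cleartext management protocols and management access on interfaces other than an assumed management interface (port1 here, the 10.0.10.x side the notes use to reach the lab devices). The embedded sample is a trimmed copy of FGT1's interface block.

```python
"""Audit `allowaccess` on FortiGate interfaces from a FortiOS config export.

Added example, not from the notes. Parses the `config system interface`
block of a FortiOS export and reports (a) cleartext management protocols
(http, telnet) and (b) management access on any interface outside an
allow-list of management interfaces. Which interface counts as management
is an assumption passed in by the caller; "port1" is the default because
the notes reach the lab devices over its 10.0.10.0/24 side.
"""
import re

CLEARTEXT = {"http", "telnet"}
MGMT_PROTOCOLS = {"http", "https", "ssh", "telnet", "snmp", "fgfm"}

# Trimmed copy of FGT1's interface block from the notes (port3 and ssl.root omitted).
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set vdom "root"
        set ip 10.0.10.61 255.255.255.0
        set allowaccess ping https ssh http fgfm
        set type physical
    next
    edit "port2"
        set vdom "root"
        set ip 12.12.12.1 255.255.255.252
        set allowaccess ping https ssh http fgfm
        set type physical
    next
    edit "port4"
        set vdom "root"
        set type physical
    next
    edit "loopback"
        set vdom "root"
        set ip 1.0.0.1 255.255.255.255
        set type loopback
    next
end
config firewall policy
    edit 1
        set srcintf "port2"
    next
end
"""

EDIT_LINE = re.compile(r'^edit "([^"]+)"$')


def parse_interfaces(config_text):
    """Return {name: {"ip": str|None, "type": str|None, "allowaccess": set}}."""
    interfaces = {}
    in_block = False
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system interface":
            in_block = True
            continue
        if not in_block:
            continue
        if line == "end":  # closes the interface block; later blocks are ignored
            break
        m = EDIT_LINE.match(line)
        if m:
            current = {"ip": None, "type": None, "allowaccess": set()}
            interfaces[m.group(1)] = current
            continue
        if line == "next":
            current = None
            continue
        if current is None:
            continue
        parts = line.split()
        if parts[:2] == ["set", "allowaccess"]:
            current["allowaccess"] = set(parts[2:])
        elif parts[:2] == ["set", "ip"]:
            current["ip"] = parts[2]
        elif parts[:2] == ["set", "type"]:
            current["type"] = parts[2]
    return interfaces


def audit_allowaccess(interfaces, mgmt_interfaces=("port1",)):
    """Return a sorted list of (interface, finding) tuples; empty means clean."""
    findings = []
    for name, props in sorted(interfaces.items()):
        access = props["allowaccess"]
        clear = sorted(access & CLEARTEXT)
        if clear:
            findings.append((name, "cleartext management enabled: " + " ".join(clear)))
        mgmt = sorted(access & MGMT_PROTOCOLS)
        if mgmt and name not in mgmt_interfaces:
            findings.append((name, "management access on non-management interface: "
                             + " ".join(mgmt)))
    return findings


if __name__ == "__main__":
    for iface, finding in audit_allowaccess(parse_interfaces(SAMPLE_CONFIG)):
        print("%-10s %s" % (iface, finding))
```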

Juniper-Juniper
[topology diagram]

NOTE:

-With the current config, I have a problem pinging the Internet from R1. I don't know yet whether that is because of Unetlab or because I reduced the RAM in each router to 1GB

R1

# show
system {
    host-name R1;
    root-authentication {
        encrypted-password "$1$7VWGeJRn$iG.WRousX9Fi5BKcaZGV7/"; ## SECRET-DATA
    }
    services {
        ssh;
        web-management {
            http {
                interface ge-0/0/0.0;
            }
        }
    }
    syslog {
        file messages {
            any any;
        }
    }
    license {
        autoupdate {
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 10.0.10.61/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 12.12.12.1/30;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 31.31.31.2/30;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 1.0.0.1/32;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 {
            next-hop 10.0.10.1;
            no-install;
        }
    }
}
protocols {
    ospf {
        export ospf-default;
        area 0.0.0.0 {
            interface ge-0/0/1.0;
            interface ge-0/0/2.0;
            interface lo0.0;
        }
    }
}
policy-options {
    policy-statement ospf-default {
        from {
            protocol static;
            route-filter 0.0.0.0/0 exact;
        }
        then accept;
    }
}
security {
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    queue-size 2000; ## Warning: 'queue-size' is deprecated
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy default-deny {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
    }
    zones {
        security-zone trust {
            tcp-rst;
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
                ge-0/0/2.0;
                lo0.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0;
            }
        }
    }
}
# run show ospf neighbor
Address          Interface              State     ID               Pri  Dead
12.12.12.2       ge-0/0/1.0             Full      1.0.0.2          128    32
31.31.31.1       ge-0/0/2.0             Full      1.0.0.3          128    39
# run show route
inet.0: 12 destinations, 12 routes (12 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0          *[Static/5] 01:24:39
                    > to 10.0.10.1 via ge-0/0/0.0
1.0.0.1/32         *[Direct/0] 00:55:05
                    > via lo0.0
1.0.0.2/32         *[OSPF/10] 00:54:19, metric 1
                    > to 12.12.12.2 via ge-0/0/1.0
1.0.0.3/32         *[OSPF/10] 00:54:57, metric 1
                    > to 31.31.31.1 via ge-0/0/2.0
10.0.10.0/24       *[Direct/0] 01:09:05
                    > via ge-0/0/0.0
10.0.10.61/32      *[Local/0] 01:09:05
                      Local via ge-0/0/0.0
12.12.12.0/30      *[Direct/0] 01:09:05
                    > via ge-0/0/1.0
12.12.12.1/32      *[Local/0] 01:09:05
                      Local via ge-0/0/1.0
23.23.23.0/30      *[OSPF/10] 00:54:19, metric 2
                    > to 12.12.12.2 via ge-0/0/1.0
                      to 31.31.31.1 via ge-0/0/2.0
31.31.31.0/30      *[Direct/0] 01:09:05
                    > via ge-0/0/2.0
31.31.31.2/32      *[Local/0] 01:09:05
                      Local via ge-0/0/2.0
224.0.0.5/32       *[OSPF/10] 00:55:07, metric 1
                      MultiRecv
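As an added check (not part of the notes) for the show ospf neighbor table above: the parser below reads the Junos output, compares each adjacency against the interface-to-router-ID plan of this lab, and reports neighbors that are not Full, adjacencies on interfaces where none is planned (an unexpected OSPF speaker would show up this way), mismatched router IDs, and planned adjacencies that are missing. The expected map for R1 is derived from the three loopbacks in the lab; the sample output is copied from R1.

```python
"""Check a Junos `show ospf neighbor` table against the lab's planned adjacencies.

Added example, not from the notes. SAMPLE_OUTPUT is R1's table as shown in
the notes; EXPECTED_R1 maps R1's OSPF interfaces to the router IDs that
should be on the other end (the loopbacks 1.0.0.2 and 1.0.0.3).
check_adjacencies() reports neighbors that are not Full, neighbors whose
router ID is not the planned one, adjacencies on interfaces with no planned
neighbor, and planned adjacencies that are missing.
"""
import re

SAMPLE_OUTPUT = """\
Address          Interface              State     ID               Pri  Dead
12.12.12.2       ge-0/0/1.0             Full      1.0.0.2          128    32
31.31.31.1       ge-0/0/2.0             Full      1.0.0.3          128    39
"""

EXPECTED_R1 = {"ge-0/0/1.0": "1.0.0.2", "ge-0/0/2.0": "1.0.0.3"}

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ROW = re.compile(
    r"^(?P<addr>%s)\s+(?P<ifname>\S+)\s+(?P<state>\S+)\s+"
    r"(?P<rid>%s)\s+(?P<pri>\d+)\s+(?P<dead>\d+)$" % (IPV4, IPV4)
)


def parse_neighbors(text):
    """Return a list of dicts (addr, ifname, state, rid, pri, dead) per data row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:  # header, blank lines and the CLI prompt do not match
            continue
        row = m.groupdict()
        row["pri"] = int(row["pri"])
        row["dead"] = int(row["dead"])
        rows.append(row)
    return rows


def check_adjacencies(rows, expected):
    """Compare parsed rows with {interface: router_id}; return a list of problem strings."""
    problems = []
    seen = set()
    for r in rows:
        seen.add(r["ifname"])
        if r["state"] != "Full":
            problems.append("%s: neighbor %s in state %s"
                            % (r["ifname"], r["rid"], r["state"]))
        want = expected.get(r["ifname"])
        if want is None:
            problems.append("%s: adjacency with %s on an interface with no planned neighbor"
                            % (r["ifname"], r["rid"]))
        elif want != r["rid"]:
            problems.append("%s: expected router ID %s, got %s"
                            % (r["ifname"], want, r["rid"]))
    for ifname, rid in expected.items():
        if ifname not in seen:
            problems.append("%s: planned neighbor %s is missing" % (ifname, rid))
    return problems


if __name__ == "__main__":
    issues = check_adjacencies(parse_neighbors(SAMPLE_OUTPUT), EXPECTED_R1)
    print("all adjacencies as planned" if not issues else "\n".join(issues))
```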

R2

# show
system {
    host-name R2;
    root-authentication {
        encrypted-password "$1$ucm0iauC$pA0/LpyHYtln36Hmw12Gj0"; ## SECRET-DATA
    }
    services {
        ssh;
        web-management {
            http {
                interface ge-0/0/0.0;
            }
        }
    }
    syslog {
        file messages {
            any any;
        }
    }
    license {
        autoupdate {
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet;
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 12.12.12.2/30;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 23.23.23.1/30;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 1.0.0.2/32;
            }
        }
    }
}
protocols {
    ospf {
        area 0.0.0.0 {
            interface ge-0/0/1.0;
            interface ge-0/0/2.0;
            interface lo0.0;
        }
    }
}
security {
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
                ge-0/0/2.0;
                lo0.0;
            }
        }
    }
}

R3

# show
system {
    host-name R3;
    root-authentication {
        encrypted-password "$1$jYOE9h1/$8E0Rfv77QNRFiAEItVkTZ."; ## SECRET-DATA
    }
    services {
        ssh;
        web-management {
            http {
                interface ge-0/0/0.0;
            }
        }
    }
    syslog {
        file messages {
            any any;
        }
    }
    license {
        autoupdate {
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet;
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 23.23.23.2/30;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 31.31.31.1/30;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 1.0.0.3/32;
            }
        }
    }
}
protocols {
    ospf {
        area 0.0.0.0 {
            interface ge-0/0/1.0;
            interface ge-0/0/2.0;
            interface lo0.0;
        }
    }
}
security {
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    queue-size 2000; ## Warning: 'queue-size' is deprecated
                    timeout 20;
                }
                land;
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy default-deny {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
    }
    zones {
        security-zone trust {
            tcp-rst;
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
                ge-0/0/2.0;
                lo0.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
        }
    }
}
Mikrotik-Mikrotik
[topology diagram]
[admin@R1] > export
/interface bridge
add name=loopback
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/routing ospf instance
set [ find default=yes ] distribute-default=always-as-type-1 \
    redistribute-static=as-type-1 router-id=1.0.0.1
/ip address
add address=10.0.10.61/24 interface=ether1 network=10.0.10.0
add address=12.12.12.1/30 interface=ether2 network=12.12.12.0
add address=31.31.31.2/30 interface=ether3 network=31.31.31.0
add address=1.0.0.1 interface=loopback network=1.0.0.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip route
add distance=1 gateway=10.0.10.1
/routing ospf network
add area=backbone network=1.0.0.1/32
add area=backbone network=12.12.12.0/30
add area=backbone network=31.31.31.0/30
/system identity
set name=R1

[admin@R2] > export
/interface bridge
add name=loopback
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/routing ospf instance
set [ find default=yes ] router-id=1.0.0.2
/ip address
add address=12.12.12.2/30 interface=ether2 network=12.12.12.0
add address=1.0.0.2 interface=loopback network=1.0.0.2
add address=23.23.23.1/30 interface=ether3 network=23.23.23.0
/routing ospf network
add area=backbone network=1.0.0.2/32
add area=backbone network=12.12.12.0/30
add area=backbone network=23.23.23.0/30
/system identity
set name=R2

[admin@R3] > export
/interface bridge
add name=loopback
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/routing ospf instance
set [ find default=yes ] router-id=1.0.0.3
/ip address
add address=23.23.23.2/30 interface=ether2 network=23.23.23.0
add address=31.31.31.1/30 interface=ether3 network=31.31.31.0
/routing ospf network
add area=backbone network=1.0.0.3/32
add area=backbone network=31.31.31.0/30
add area=backbone network=23.23.23.0/30
/system identity
set name=R3

Cisco-FortiGate-Juniper-Mikrotik
[topology diagram]

Mikrotik EOIP in Unetlab

SOURCE: http://computechtips.com/534/mikrotik-eoip-tunnel-in-action

[topology screenshot]
NOTE:
-I am using Mikrotik as the PC, just to prove that ping between subnets is successful
-Unetlab will be my main testing environment from now on

[admin@PC1] > export
# feb/24/2016 15:35:38 by RouterOS 6.34.2
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip address
add address=12.12.12.2/24 interface=ether1 network=12.12.12.0
/ip dns set servers=8.8.8.8,8.8.4.4
/ip route add distance=1 gateway=12.12.12.1
/system identity
set name=PC1
/tool romon
set enabled=yes

[admin@R1] > export
/interface ethernet
set [ find default-name=ether1 ] mtu=9000
/interface eoip
add !keepalive mac-address=FE:CC:3F:2B:A6:6E mtu=9000 name=eoip1 remote-address=\
10.0.10.143 tunnel-id=10
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip address
add address=12.12.12.1/24 interface=ether2 network=12.12.12.0
add address=10.0.10.142/24 interface=ether1 network=10.0.10.0
add address=23.23.23.1/30 interface=eoip1 network=23.23.23.0
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip route
add distance=1 gateway=10.0.10.1
add distance=1 dst-address=34.34.34.0/24 gateway=23.23.23.2
/system identity
set name=R1
/tool romon
set enabled=yes

[admin@R2] > export
# feb/24/2016 15:33:51 by RouterOS 6.34.2
/interface ethernet
set [ find default-name=ether1 ] mtu=9000
/interface eoip
add !keepalive mac-address=FE:C1:E4:9A:A8:94 mtu=9000 name=eoip1 \
remote-address=10.0.10.142 tunnel-id=10
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip address
add address=10.0.10.143/24 interface=ether1 network=10.0.10.0
add address=23.23.23.2/30 interface=eoip1 network=23.23.23.0
add address=34.34.34.1/24 interface=ether2 network=34.34.34.0
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip route
add distance=1 gateway=10.0.10.1
add distance=1 dst-address=12.12.12.0/24 gateway=23.23.23.1
/system identity
set name=R2
/tool romon
set enabled=yes

[admin@PC2] > export
# feb/24/2016 15:35:03 by RouterOS 6.34.2
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/ip address
add address=34.34.34.2/24 interface=ether1 network=34.34.34.0
/ip dns set servers=8.8.8.8,8.8.4.4
/ip route add distance=1 gateway=34.34.34.1
/system identity set name=PC2
/tool romon set enabled=yes

[topology screenshots]

PC1
[admin@PC1] > export
# feb/25/2016 10:10:24 by RouterOS 6.34.2
# software id =
#
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip address
add address=12.12.12.2/24 interface=ether1 network=12.12.12.0
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip route
add distance=1 gateway=12.12.12.1
/system identity
set name=PC1
/tool romon
set enabled=yes

R1
[admin@R1] > export
# feb/25/2016 09:55:48 by RouterOS 6.34.2
# software id =
#
/interface bridge
add name=bridge1
/interface eoip
add allow-fast-path=no !keepalive mac-address=02:B5:23:BE:B8:85 name=eoip1 \
remote-address=10.0.10.143 tunnel-id=10
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=eoip1
/ip address
add address=10.0.10.142/24 interface=ether1 network=10.0.10.0
add address=12.12.12.1/24 interface=ether2 network=12.12.12.0
/ip dns set servers=8.8.8.8,8.8.4.4
/ip route
add distance=1 gateway=10.0.10.1
/system identity
set name=R1
/tool romon
set enabled=yes

R2
[admin@R2] > export
# feb/25/2016 09:56:33 by RouterOS 6.34.2
# software id =
#
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] mtu=9000
/interface eoip
add allow-fast-path=no !keepalive mac-address=02:1B:33:BC:55:77 name=eoip1 \
remote-address=10.0.10.142 tunnel-id=10
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=eoip1
/ip address
add address=10.0.10.143/24 interface=ether1 network=10.0.10.0
add address=12.12.12.128/24 interface=ether2 network=12.12.12.0
/ip dns set servers=8.8.8.8,8.8.4.4
/ip route
add distance=1 gateway=10.0.10.1
/system identity
set name=R2
/tool romon
set enabled=yes

PC2
[admin@PC2] > export
# feb/24/2016 15:35:38 by RouterOS 6.34.2
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip address
add address=12.12.12.129/24 interface=ether1 network=12.12.12.0
/ip dns set servers=8.8.8.8,8.8.4.4
/ip route add distance=1 gateway=12.12.12.128
/system identity
set name=PC2
/tool romon
set enabled=yes

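The R1/R2 exports above put ether2 and eoip1 in the same bridge on both routers, so PC1 (12.12.12.2) and PC2 (12.12.12.129) share one broadcast domain across the 10.0.10.0/24 transit network. Before trusting that lab, two things are worth checking mechanically: each tunnel's remote-address must be an address the peer actually holds and both ends must use the same tunnel-id, and the underlay MTU should match on both sides (R2 raises ether1 to 9000 while R1 keeps the default, so large bridged frames get fragmented or dropped in one direction only). The security caveat is that plain EoIP is GRE with neither encryption nor authentication: the source address and tunnel-id are the only demultiplexing, so any host on the transit network that can spoof the peer's address can inject Ethernet frames straight into the bridged LAN. With `!keepalive` the tunnel interface also stays 'running' whether or not the peer is up. The script below is an added example, not code from the page; it embeds the R1/R2 exports (trimmed to the menus it reads), parses them with a small generic RouterOS export parser, and reports those mismatches and caveats for any pair of exports, not just this lab. The 1500-byte default ethernet MTU and the `ipsec-secret` EoIP parameter (the RouterOS way to wrap the tunnel in IPsec on releases that support it) are assumptions about RouterOS, not something the page states.

```python
import re

# Exports below are trimmed from the page's R1/R2 to the menus this check reads
R1_EXPORT = """\
/interface eoip
add allow-fast-path=no !keepalive mac-address=02:B5:23:BE:B8:85 name=eoip1 \\
remote-address=10.0.10.143 tunnel-id=10
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=eoip1
/ip address
add address=10.0.10.142/24 interface=ether1 network=10.0.10.0
/system identity
set name=R1
"""
R2_EXPORT = """\
/interface ethernet
set [ find default-name=ether1 ] mtu=9000
/interface eoip
add allow-fast-path=no !keepalive mac-address=02:1B:33:BC:55:77 name=eoip1 \\
remote-address=10.0.10.142 tunnel-id=10
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=eoip1
/ip address
add address=10.0.10.143/24 interface=ether1 network=10.0.10.0
/system identity
set name=R2
"""
COMMANDS = {"add", "set", "remove", "enable", "disable"}
DEFAULT_MTU = 1500  # assumption: RouterOS ethernet default when no mtu= is exported

def parse_export(text):
    """Return (menu, cmd, selector, {key: value}) per command line; joins '\\' continuations."""
    entries, menu = [], ""
    for line in (l.strip() for l in re.sub(r"\\\n", " ", text).splitlines()):
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if line.startswith("/"):  # menu path, optionally followed by a command on the same line
            idx = next((i for i, t in enumerate(tokens) if t in COMMANDS), len(tokens))
            menu, tokens = " ".join(tokens[:idx]), tokens[idx:]
            if not tokens:
                continue
        cmd, rest = tokens[0], " ".join(tokens[1:])
        sel = re.search(r"\[\s*find\s+(.*?)\s*\]", rest)
        if sel:
            rest = rest[:sel.start()] + rest[sel.end():]
        entries.append((menu, cmd, sel.group(1) if sel else "", dict(re.findall(r"(\S+?)=(\S+)", rest))))
    return entries

def router_model(text):
    """Reduce one export to: identity, IP -> interface, EoIP tunnels, bridge ports, MTUs."""
    m = {"name": "?", "addresses": {}, "eoip": {}, "bridge_ports": {}, "mtu": {}}
    for menu, cmd, selector, kv in parse_export(text):
        if menu == "/system identity" and cmd == "set":
            m["name"] = kv.get("name", "?")
        elif menu == "/ip address" and cmd == "add":
            m["addresses"][kv["address"].split("/")[0]] = kv["interface"]
        elif menu == "/interface eoip" and cmd == "add":
            m["eoip"][kv["name"]] = kv
        elif menu == "/interface bridge port" and cmd == "add":
            m["bridge_ports"].setdefault(kv["bridge"], set()).add(kv["interface"])
        elif menu == "/interface ethernet" and cmd == "set" and "mtu" in kv:
            if (s := re.search(r"default-name=(\S+)", selector)):
                m["mtu"][s.group(1)] = int(kv["mtu"])
    return m

def check_tunnel(a_text, b_text, tunnel="eoip1"):
    """Return 'ERROR ...' / 'WARN ...' findings for one EoIP tunnel between two exports."""
    a, b, out = router_model(a_text), router_model(b_text), []
    for x, y in ((a, b), (b, a)):
        kv = x["eoip"].get(tunnel)
        if kv is None:
            out.append(f"ERROR {x['name']}: no EoIP interface {tunnel}")
            continue
        remote = kv.get("remote-address")
        if remote not in y["addresses"]:
            out.append(f"ERROR {x['name']}: remote-address {remote} is not configured on {y['name']}")
        if not any(tunnel in ports for ports in x["bridge_ports"].values()):
            out.append(f"ERROR {x['name']}: {tunnel} is not a bridge port, so the LAN is not extended")
        if "ipsec-secret" not in kv:  # plain EoIP is GRE: no encryption and no authentication
            out.append(f"WARN {x['name']}: {tunnel} is cleartext; a transit host spoofing {remote} "
                       f"with tunnel-id {kv.get('tunnel-id')} can inject frames into the bridge")
    ta, tb = a["eoip"].get(tunnel), b["eoip"].get(tunnel)
    if ta and tb:
        if ta.get("tunnel-id") != tb.get("tunnel-id"):
            out.append(f"ERROR tunnel-id mismatch: {a['name']}={ta.get('tunnel-id')} {b['name']}={tb.get('tunnel-id')}")
        # the underlay port on each side is the one holding the address its peer points at
        ua, ub = a["addresses"].get(tb.get("remote-address")), b["addresses"].get(ta.get("remote-address"))
        if ua and ub:
            ma, mb = a["mtu"].get(ua, DEFAULT_MTU), b["mtu"].get(ub, DEFAULT_MTU)
            if ma != mb:
                out.append(f"WARN underlay MTU asymmetric: {a['name']} {ua}={ma} vs {b['name']} {ub}={mb}")
    return out

if __name__ == "__main__":
    print("\n".join(check_tunnel(R1_EXPORT, R2_EXPORT)))
```

Run as-is it prints the findings for this lab: two cleartext warnings and the ether1 MTU mismatch, no errors. To reuse it, paste the `export` output of your own two routers into the two strings; the parser copes with the multi-line, one-line and `[ find ... ]` forms RouterOS emits.
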
Expanding root disk

1. increase the VM disk from 20GB to 100GB in the ESXi console (back the VM up first: a wrong partition number in the fdisk step below destroys the root volume)

2. login as root
# fdisk -l
Disk /dev/sda: 107.4 GB, 107374182400 bytes
255 heads, 63 sectors/track, 13054 cylinders, total 209715200 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x000462f5
Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *        2048      499711      248832   83  Linux
/dev/sda2          499712    41943039    20721664   8e  Linux LVM
-The disk is now 107.4 GB (100 GiB):
Disk /dev/sda: 107.4 GB, 107374182400 bytes
but the partition table still ends at sector 41943039 (/dev/sda2), so only the original 20 GB is in use, split into
Disk /dev/mapper/rootvg-rootvol: 18.1 GB, 18144559104 bytes
+
Disk /dev/mapper/rootvg-swapvol: 1023 MB, 1023410176 bytes
The ~80 GiB after sector 41943039 is unpartitioned; that is what the new /dev/sda3 below will take.
# df -h
Filesystem                  Size  Used Avail Use% Mounted on
/dev/mapper/rootvg-rootvol   17G  3.1G   13G  20% /
none                        4.0K     0  4.0K   0% /sys/fs/cgroup
udev                        3.9G  4.0K  3.9G   1% /dev
tmpfs                       798M  3.0M  795M   1% /run
none                        5.0M     0  5.0M   0% /run/lock
none                        3.9G     0  3.9G   0% /run/shm
none                        100M     0  100M   0% /run/user
/dev/sda1                   232M   42M  175M  20% /boot
# fdisk /dev/sda
Command (m for help): m
Command action
a   toggle a bootable flag
b   edit bsd disklabel
c   toggle the dos compatibility flag
d   delete a partition
l   list known partition types
m   print this menu
n   add a new partition
o   create a new empty DOS partition table
p   print the partition table
q   quit without saving changes
s   create a new empty Sun disklabel
t   change a partition's system id
u   change display/entry units
v   verify the partition table
w   write table to disk and exit
x   extra functionality (experts only)

Command (m for help): n
Partition type:
p   primary (2 primary, 0 extended, 2 free)
e   extended
Select (default p): p
Partition number (1-4, default 3):
Using default value 3
First sector (41943040-209715199, default 41943040):
Using default value 41943040
Last sector, +sectors or +size{K,M,G} (41943040-209715199, default 209715199):
Using default value 209715199

Command (m for help): t
Partition number (1-4): 3
Hex code (type L to list codes): 8e
Changed system type of partition 3 to 8e (Linux LVM)

Command (m for help): w
The partition table has been altered!

# reboot
(the kernel cannot re-read the partition table while /dev/sda2 is mounted, so /dev/sda3 only shows up after a reboot, or after partprobe /dev/sda)
# pvcreate /dev/sda3
Physical volume "/dev/sda3" successfully created

# vgdisplay
--- Volume group ---
VG Name               rootvg
System ID
Format                lvm2
Metadata Areas        1
Metadata Sequence No  5
VG Access             read/write
VG Status             resizable
MAX LV                0
Cur LV                2
Open LV               2
Max PV                0
Cur PV                1
Act PV                1
VG Size               19.76 GiB
PE Size               4.00 MiB
Total PE              5058
Alloc PE / Size       4570 / 17.85 GiB
Free  PE / Size       488 / 1.91 GiB
VG UUID               rD0jFD-GNsT-3ikl-Zfpy-hqy4-cz7W-GF9PeU

# vgextend rootvg /dev/sda3
Volume group "rootvg" successfully extended

# pvscan
PV /dev/sda2   VG rootvg   lvm2 [19.76 GiB / 1.91 GiB free]
PV /dev/sda3   VG rootvg   lvm2 [80.00 GiB / 80.00 GiB free]
Total: 2 [99.75 GiB] / in use: 2 [99.75 GiB] / in no VG: 0 [0   ]

# lvdisplay
--- Logical volume ---
LV Path                /dev/rootvg/rootvol
LV Name                rootvol
VG Name                rootvg
LV UUID                VjDqgV-ZlwK-H9J7-4gJo-OJBR-cXNH-kK0F7D
LV Write Access        read/write
LV Creation host, time unl01, 2014-10-03 06:34:04 +0000
LV Status              available
# open                 1
LV Size                16.90 GiB
Current LE             4326
Segments               2
Allocation             inherit
Read ahead sectors     auto
- currently set to     256
Block device           252:0

--- Logical volume ---
LV Path                /dev/rootvg/swapvol
LV Name                swapvol
VG Name                rootvg
LV UUID                U6SI57-45kI-wM4c-E0eq-yu3y-8eLI-dzJMjb
LV Write Access        read/write
LV Creation host, time unl01, 2014-10-03 06:34:22 +0000
LV Status              available
# open                 2
LV Size                976.00 MiB
Current LE             244
Segments               1
Allocation             inherit
Read ahead sectors     auto
- currently set to     256
Block device           252:1

# lvextend /dev/rootvg/rootvol /dev/sda3
Extending logical volume rootvol to 96.89 GiB
Logical volume rootvol successfully resized
(naming /dev/sda3 restricts lvextend to that PV's extents, so the 1.91 GiB that was already free on /dev/sda2 stays unused; lvextend -l +100%FREE /dev/rootvg/rootvol would take both)

# resize2fs /dev/rootvg/rootvol
resize2fs 1.42.9 (4-Feb-2014)
Filesystem at /dev/rootvg/rootvol is mounted on /; on-line resizing required
old_desc_blocks = 2, new_desc_blocks = 7
The filesystem on /dev/rootvg/rootvol is now 25400320 blocks long.

# df -h
Filesystem                  Size  Used Avail Use% Mounted on
/dev/mapper/rootvg-rootvol   96G  3.1G   89G   4% /
none                        4.0K     0  4.0K   0% /sys/fs/cgroup
udev                        3.9G  4.0K  3.9G   1% /dev
tmpfs                       798M  3.0M  795M   1% /run
none                        5.0M     0  5.0M   0% /run/lock
none                        3.9G     0  3.9G   0% /run/shm
none                        100M     0  100M   0% /run/user
/dev/sda1                   232M   42M  175M  20% /boot
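
The numbers in the procedure above hang together, and checking them before typing `w` in fdisk is the step a practitioner wants: the unpartitioned tail must start at the default 'First sector' fdisk offers, and the extents the new PV yields should explain the LV size lvextend reports. The script below is an added example, not code from the page. It embeds the `fdisk -l` and `vgdisplay` output captured above as constructed sample text (plus rootvol's `Current LE` from lvdisplay), works out the new partition, its free space, the extents it yields, the resulting rootvol size and ext4 block count, and what `-l +100%FREE` would have given instead, and emits the command sequence as strings rather than running anything. The 1 MiB first-PE offset lvm2 reserves on a new PV, the 4 KiB ext4 block size and contiguous partition numbering are assumptions (labelled in the code); with them the arithmetic lands exactly on the 96.89 GiB and 25400320 blocks the page shows.

```python
import re

SECTOR_BYTES, MIB, GIB = 512, 1024 ** 2, 1024 ** 3
PE_START_MIB = 1       # assumption: lvm2 default first-PE offset on a fresh PV
FS_BLOCK_BYTES = 4096  # assumption: ext4 default block size (matches the resize2fs line above)
MAX_MBR_PRIMARY = 4

# Constructed from the page's own `fdisk -l` and `vgdisplay` output
FDISK_L = """\
Disk /dev/sda: 107.4 GB, 107374182400 bytes
255 heads, 63 sectors/track, 13054 cylinders, total 209715200 sectors
Units = sectors of 1 * 512 = 512 bytes
   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *        2048      499711      248832   83  Linux
/dev/sda2          499712    41943039    20721664   8e  Linux LVM
"""
VGDISPLAY = """\
  --- Volume group ---
  VG Name               rootvg
  PE Size               4.00 MiB
  Total PE              5058
  Alloc PE / Size       4570 / 17.85 GiB
  Free  PE / Size       488 / 1.91 GiB
"""
ROOTVOL_LE = 4326  # "Current LE" of rootvol from the lvdisplay output above

def parse_fdisk(text):
    """Return (disk, total_sectors, [partitions]) from `fdisk -l` on a DOS label in sector units."""
    head = re.search(r"^Disk (/dev/\S+?):.*?total (\d+) sectors", text, re.M | re.S)
    rows = re.findall(r"^(/dev/\S+)\s+\*?\s*(\d+)\s+(\d+)\s+\d+\+?\s+([0-9A-Fa-f]{1,2})\s", text, re.M)
    parts = [{"dev": d, "start": int(s), "end": int(e), "id": i.lower()} for d, s, e, i in rows]
    return head.group(1), int(head.group(2)), parts

def parse_vg(text):
    """Return (pe_size_bytes, free_pe) from `vgdisplay`."""
    pe_mib = float(re.search(r"PE Size\s+([\d.]+) MiB", text).group(1))
    free_pe = int(re.search(r"Free\s+PE / Size\s+(\d+)", text).group(1))
    return int(pe_mib * MIB), free_pe

def plan_growth(fdisk_text, vg_text, root_le, vg="rootvg", lv="rootvol"):
    """Work out the new partition, the extents it yields and the resulting LV/filesystem size."""
    disk, total, parts = parse_fdisk(fdisk_text)
    pe_bytes, vg_free_pe = parse_vg(vg_text)
    if len(parts) >= MAX_MBR_PRIMARY:
        raise RuntimeError("no free primary slot on a DOS label: use an extended partition or GPT")
    first = max(p["end"] for p in parts) + 1      # fdisk's default 'First sector'
    free_sectors = total - first
    if free_sectors * SECTOR_BYTES < 2 * pe_bytes:  # not even one extent after the PE offset
        raise RuntimeError("no unpartitioned tail: grow the virtual disk (and reboot) first")
    new_dev = f"{disk}{len(parts) + 1}"           # assumption: partitions numbered contiguously
    new_pv_pe = (free_sectors * SECTOR_BYTES - PE_START_MIB * MIB) // pe_bytes
    # `lvextend LV PV` (as on the page) takes extents only from that PV; the VG's
    # existing free extents stay idle unless you use -l +100%FREE instead.
    lv_pe_after = root_le + new_pv_pe
    lv_bytes = lv_pe_after * pe_bytes
    return {
        "new_partition": new_dev,
        "first_sector": first,
        "free_sectors": free_sectors,
        "free_gib": free_sectors * SECTOR_BYTES / GIB,
        "new_pv_pe": new_pv_pe,
        "lv_pe_after": lv_pe_after,
        "lv_gib_after": lv_bytes / GIB,
        "fs_blocks_after": lv_bytes // FS_BLOCK_BYTES,
        "lv_pe_if_all_free": lv_pe_after + vg_free_pe,
        "commands": [
            f"fdisk {disk}    # n, p, {len(parts) + 1}, first sector {first}, last sector default, t, 8e, w",
            f"partprobe {disk}    # or reboot, as the page does; the kernel must re-read the table first",
            f"pvcreate {new_dev}",
            f"vgextend {vg} {new_dev}",
            f"lvextend -l +100%FREE /dev/{vg}/{lv}    # page uses: lvextend /dev/{vg}/{lv} {new_dev}",
            f"resize2fs /dev/{vg}/{lv}    # ext4 grows online",
        ],
    }

if __name__ == "__main__":
    plan = plan_growth(FDISK_L, VGDISPLAY, ROOTVOL_LE)
    print({k: v for k, v in plan.items() if k != "commands"})
    print("\n".join(plan["commands"]))
```

On a real VM, feed it the live `fdisk -l` and `vgdisplay` output and compare `first_sector` with the default fdisk proposes; if they differ, something else already owns the tail of the disk and the procedure above should not be followed blindly.
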