Learning All About Router

1. Configure VPDN with dial in VPN from Microsoft VPN Client

RO-PPTP(config)# vpdn enable
RO-PPTP(config)# vpdn-group PPTP-DIALIN
RO-PPTP(config-vpdn)# accept-dialin
RO-PPTP(config-vpdn)# protocol pptp
RO-PPTP(config-vpdn)# virtual-template 1
RO-PPTP(config-vpdn)# exit

2. Activate interface from IP Dial In to Microsoft VPN Client and LAN wan to access from out leat VPN ini.

RO-PPTP(config)# interface Ethernet5/0
RO-PPTP(config-if)# description DIAL-IN IP INTERFACE FROM OUTSIDE
RO-PPTP(config-if)# ip address 202.150.64.81 255.255.255.240
RO-PPTP(config-if)# no shutdown

RO-PPTP(config)# interface Ethernet5/1
RO-PPTP(config-if)# description SECURED-LAN
RO-PPTP(config-if)# ip address 192.168.0.254 255.255.255.0
RO-PPTP(config-if)# no shutdown

3. Create Virtual-template untuk sebagai virtual interface untuk diapply ke inbound VPN connections.
IP menggunakan unnunmbered E5/1 agar nantinya IP yang didapat oleh
Microsoft VPN client dalam satu subnet dengan IP Secured-LAN.
IP client diperoleh dari DHCP dari Pool Address pptp-pool (misalnya)

RO-PPTP(config)# interface Virtual-Template1
RO-PPTP(config-if)# ip unnumbered ethernet5/1
RO-PPTP(config-if)# peer default ip address pool pptp-pool
RO-PPTP(config-if)# ppp encrypt mppe auto required

(Bila Router Anda tidak support, lewatkan saja & di Micorosoft VPN client dibagian security, Require Data Encryptionnya tidak usah di check-list / centang).

RO-PPTP(config-if)# ppp authentication ms-chap ms-chap-v2 chap pap
(enable semua bila perlu chap/pap selain Microsoft)

4. Create Pool IP Address untuk VPN ‘pptp-pool’ (misal untuk 20 user / ip) & pastikan IP pool tersebut tidak dipakai di Secured-LAN

RO-PPTP(config)# ip local pool pptp-pool 192.168.0.100 192.168.0.119

5. Create Account untuk login VPN
RO-PPTP(config)# username vpdn password 0 pptp

6. Configure Autentikasi PPP vpn ini ke local (Router) atau selanjutnya ke Radius bila memang sudah available.
RO-PPTP(config)# aaa new-model
RO-PPTP(config)# aaa authentication ppp default local

Berikut Konfigurasi Lengkap (hanya vpdn saja) :

================================================
username vpdn password 0 pptp
!
aaa new-model
aaa authentication ppp default local
!
vpdn enable
!
vpdn-group PPTP-DIALIN
accept-dialin
protocol pptp
virtual-template 1
!
interface Ethernet5/0
description DIAL-IN IP INTERFACE FROM OUTSIDE
ip address 202.150.64.81 255.255.255.240
!
interface Ethernet5/1
description SECURED-LAN
ip address 192.168.0.254 255.255.255.0
!
interface Virtual-Template1
ip unnumbered Ethernet0/1
peer default ip address pool pptp-pool
ppp encrypt mppe auto required
ppp authentication ms-chap ms-chap-v2 chap pap

!
ip local pool defaultpool 192.168.0.100 192.168.0.119
================================================

!
ip subnet-zero
isdn switch-type basic-net3 ( for BRI use basic-net3; for PRI use primary-net5 )
!
hostname jasrine
!
enable secret abc
!
interface FastEthernet0/1
description ### Connection to customer LAN ###
ip address 10.10.10.1 255.255.255.0
!
interface Serial1/0
description ### Connection to IPVPN PE ###
ip address 202.168.10.1 255.255.255.252
backup interface Dialer2
backup delay 5 300 ( ISDN will kick up 5 seconds after detect
! ( primary link failure, and ISDN will wait for
! ( 300 seconds to be in standby
! ( mode once primary link is ok
!
interface BRI0
no ip address
encapsulation ppp
dialer pool-member 1
isdn switch-type basic-net3
!
interface Dialer2
ip address negotiated
encapsulation ppp
ppp multilink minimum
dialer pool 1
dialer idle-timeout 600 (ISDN idle time out for 600 seconds
dialer string <1st> (Primary ISDN PE number
dialer string <2nd> (Backup ISDN PE number
dialer-group 1
ppp chap hostname jasrine@bbb.com
ppp chap password abc
!
dialer-list 1 protocol ip permit ( Any IP packets will kick the ISDN
! ( up, once the primary line down
!
ip classless
ip route 0.0.0.0 0.0.0.0 202.168.10.2
ip route 0.0.0.0 0.0.0.0 dialer 2 200
!

!
ip subnet-zero
!
hostname jasrine
!
enable secret abc
!
interface FastEthernet0/1
description ### Connection to customer LAN ###
ip address 10.10.10.1 255.255.255.0
!
interface Serial1/0
description ### Connection to IPVPN PE ###
ip address 202.168.10.1 255.255.255.252
encapsulation ppp (or encapsulation hdlc)
!
!
ip classless
ip route 0.0.0.0 0.0.0.0 202.178.10.2
!
End

...
interface Serial0/0
encapsulation frame-relay
frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
description ***Connection to Frame Relay switch***
ip address 58.139.10.38 255.255.255.252
frame-relay interface-dlci 100 !

#
sysname ISDN-MLPPP
#
dialer-rule 1 ip permit
#
radius scheme system
#
local-user admin
password abc
service-type telnet terminal
level 3
service-type ftp
local-user abc
password simple abc
service-type ppp
#
controller E1 1/0/0
pri-set timeslot-list 1-30
#
controller E1 1/0/1
pri-set timeslot-list 1-30
#
controller E1 1/0/2
pri-set timeslot-list 1-30
#
controller E1 1/0/3
pri-set timeslot-list 1-30
#
controller E1 2/0/0
pri-set timeslot-list 1-30
#
controller E1 2/0/1
pri-set timeslot-list 1-30
#
controller E1 2/0/2
pri-set timeslot-list 1-30
#
controller E1 2/0/3
pri-set timeslot-list 1-30
#
interface Dialer1
link-protocol ppp
ppp chap user abc@abc.com
ppp chap password simple abc
ppp mp max-bind 128
ppp mp min-bind 120
ppp mp
ip address ppp-negotiate
dialer user abc
dialer-group 1
dialer bundle 1
dialer timer idle 600
dialer threshold 1 out
dialer number 123456789
#
interface Serial1/0/0:15
link-protocol ppp
ppp mp
dialer bundle-member 1
#
interface Serial1/0/1:15
link-protocol ppp
ppp mp
dialer bundle-member 1
#
interface Serial1/0/2:15
link-protocol ppp
ppp mp
dialer bundle-member 1
#
interface Serial1/0/3:15
link-protocol ppp
ppp mp
dialer bundle-member 1
#
interface Serial2/0/0:15
link-protocol ppp
ppp mp
dialer bundle-member 1
#
interface Serial2/0/1:15
link-protocol ppp
ppp mp
dialer bundle-member 1
#
interface Serial2/0/2:15
link-protocol ppp
ppp mp
dialer bundle-member 1
#
interface Serial2/0/3:15
link-protocol ppp
ppp mp
dialer bundle-member 1
#
ip route-static 0.0.0.0 0.0.0.0 Dialer 1 preference 65
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
user privilege level 3
set authentication password cipher abc
#

n mode access privileges
Conference into the overall allocation model
In the allocation of molecule into the serial port 0
Ip ip address and mask add xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx added telecommunications distribution
Enca hdlc/ppp tied link protocol hdlc or ppp
Ip unn e0
Exit back to the overall distribution pattern
E0 entered in the distribution of Ethernet Adapter
Ip ip address and mask add xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx added telecommunications distribution
Exit back to the overall distribution pattern
Add ip route 0.0.0.0 0.0.0.0's routing table 0
Ena password password
Write
Exit
Most of these applications in accordance with China Telecom ddn green
Ordinary user mode
Enable users to model privileges
Exit from distribution
Help system to help brief
Switching language instruction mode
Inspection of ping and network servers connecting it up to the mainframe
Show Information Display System Operation
Telnet remote login function
What path to the destination after tracert tracking device
Privileged user mode
#?
Clear statistical information removed
Clock management system clock
Configure access to the overall distribution pattern
Debug debugging Opening Switch
Disable return to the ordinary user mode
Download new versions of software and configuration file download
Erase the erasure allocation FLASH
Switching from overtime exec-timeout opened EXEC
Exit from distribution
First-config initial configuration installed or removed signs
Help system to help brief
Switching language instruction mode
Open the screen monitor users switching output debugging information
No closed debugging Switch
Inspection of ping and network servers connecting it up to the mainframe
Reboot router reopening
Path setup configuration parameters
Show Information Display System Operation
Telnet remote login function
What path to the destination after tracert tracking device
Unmonitor closed user information screen debugging output switch
Write to Flash will keep the current configuration parameters were MEM
Overall allocation model
Aaa-enable enable the allocation of AAA (authentication, authorization and accounting)
Access-list standard configuration visit Table
Arp ARP installed passive population
Chat-script generation modems used in the implementation of a script
Custom-list create customized list Queue
Dialer-list create dialer-list
Dram-wait installed DRAM wait state
Enable password changes ENABLE
Exit from the overall distribution pattern
Firewall configuration firewall state
Flow-interval time interval set up traffic control
Frame-relay Frame Relay overall configuration command set
Ftp-server FTP Server
Help system to help brief order
Add the mainframe host name and IP address its
Hostname host name changes
Ifquelen change adapter queue length
Interface adapter configuration options
Ip ordered subset of the overall configuration of IP
Ipx ordered subset of the overall configuration of IPX
Loghost installed mainframe log IP addresses
Logic-channel distribution channel logic
Login started EXEC download certification
Modem-timeout installed modems overtime hours
Multilink multilink configuration of the user Adapter
Multilink-user multilink configuration of the user Adapter
Natserver installed FTP, TELNET, Web services IP addresses
No closure of certain parameters Switch
Priority-list establish priority queue list
Routing start processing router
Settr set up time frame
Snmp-server SNMP parameter changes
Tcp TCP parameters of the overall allocation
Regional start-up or closing time timerange
PPP certification system for the user to add customers
Vpdn installed VPDN
VPDN group set up vpdn-group
A layer x25 X.25

Huawei simple router configuration Creating and ios not feel much like? : D

Huawei simple router configuration No wonder CISCO and his defense?. .

Hi experts

I know sod-all about VOIP, so I'm hoping you can help, here. I have just had one Avaya IPOffice 406v2 system installed in our main office, and another in our branch office, which is at the end of a dedicated kilostream link. This link carries data between our networked workstations and servers at both sites (all are on a single domain and subnet). The link is serviced by 2 Huawei Quidway AR28-09 routers (one at each end) acting as a bridge.

I've allocated the 2 ipOffice boxes ip addresses within the network subnet, and they talk across the link just fine. However, I'm aware that I should be trying to control the voice traffic with a QOS policy, and I believe my routers will support it, but I don't know how to structure the policy, and therefore what commands to implement. I am currently talking to the routers via their CON port using hyperterminal, and the command set from the Huawei manuals which I managed to begborrowsteal for them.

I will upload the manual for the QOS command set for the routers to ee-stuff, and I can provide output from any commands, eg

[Display Current-configuration]

Now create configuration...
Current configuration
!
version 1.74
firewall enable
aaa-enable
aaa accounting-scheme optional
bridge enable
bridge 1 stp ieee
!
interface Aux0
async mode flow
link-protocol ppp
!
bridge-set 1
!
interface Serial0
clock DTECLK1
link-protocol ppp
bridge-set 1
!
return




[Display Interfaces]

Aux0 current state:up, line protocol current state:up (spoofing)
The Maximum Transmit Unit is 1500
physical layer is asynchronous, baudrate is 9600 bps
Link-protocol is PPP
LCP initial, IPCP initial, IPXCP initial, CCP initial, BRIDGECP initial
Input queue : (size/max/drops) 0/50/0
FIFO queueing: FIFO
(Outbound queue:Size/Length/Discards

Implementing TACACS on networking euipments turnsout to be very efficient interms of network users management.

Let me share some of the tips for configuring TACACS on Huawei equipments….but before that let me explain few concepts…for those not familiar…

TACACS+ (Terminal Access Controller Access-Control System Plus) is a protocol which provides access control for routers, network access servers and other networked computing devices via one or more centralized servers. TACACS+ provides separate authentication, authorization and accounting services.

HWTACACS authorization based on the commands

HWTACACS is the enhancement of TACACS that is an access control protocol defined in RFC 1492. Similar to RADIUS, HWTACACS implements AAA of multiple users by communicating with the HWTACACS server in the Server/Client model. HWTACACS is used to perform AAA on access users over PPP or Virtual Private Dial Network (VPDN) and login users.

Now..lets take a closer look into the configuration commands…

——– Creating a tacacs template which contains the Server information.—————-
#
hwtacacs-server template ht
hwtacacs-server authentication 1000
hwtacacs-server authorization 1001
hwtacacs-server accounting 1002
hwtacacs-server shared-key
#

———- Creating an AAA authorization,authentication & accounting scheme —————
#
aaa

authentication-scheme default
authentication-scheme l-h
authentication-mode local hwtacacs
authentication-scheme hwtacacs
authentication-mode hwtacacs
#
authorization-scheme default
authorization-scheme hwtacacs
authorization-mode hwtacacs
#
accounting-scheme default
accounting-scheme hwtacacs
accounting-mode hwtacacs
accounting realtime 3
#
domain default
domain domainname
authentication-scheme l-h
authorization-scheme hwtacacs
accounting-scheme hwtacacs
hwtacacs-server ht
#

Now….Lets look at the Server Configuration….(OS : CentOS Linux)
/etc/tac_plus.conf

# tacacs configuration file
# Pierre-Yves Maunier - 20060713
# /etc/tac_plus.conf

# set the key
key = key

accounting file = /var/log/tac_plus.acct

# users accounts
user = useradmin {
default service = permit
login = cleartext “normal”
enable = cleartext “enable”

}

After the config file is saved… run the following command..

[root@centos]# tac_plus -C /etc/tac_plus.conf

Lately..I was been assigned to do some security configuration for our secure servers & networking equipments. Our technology is mostly from Huawei.. So all our Routers,Firewalls,switches and other networking equipments are from Huawei. Basically the concept is same as that of Cisco & Nortel, but yes the command varies.

Huawei Router NE40E

Performing the configuration, to my surprise the command which is used to configure ACL in other Huawei routers didn’t work in our newly bought NE40E Router. It was because since the router was bought recently, it had updated Version-V300R002_11(OS for Huawei router).

I figured out new way to do it ….so thought it would be useful for people if I share it on my blog.

Routers usually need to process the data packets with certain features.

For example, applying Access Control List (ACL) in the firewalls can either permit some data packets to pass the firewalls or directly discard the data packets. Applying ACLs in IPSec can encapsulate the data packets that match the ACL and forward those that do not match the ACL.

Routers select data packets by using a serial of rules defined through ACL.

An ACL includes a group of orderly rules that consist of rule { deny | permit } statements. The rules are described based on the source address, the destination address, and the port number of data packets. An ACL classifies data packets according to these rules.

Lets go with the syntax :

# create an acl
acl number
rule 1 permit source destination
rule 5 deny

#Now apply the acl to the interface
interface
acl

**** That was the way in earlier Huawei Routers……the below explains the new way.****

Steps,
1. Create a traffic classifier
2. Create a traffic behaviour
3. Create a traffic policy
4. Define the traffic policy with classifier & behaviour
5. Apply the traffic policy to the router interface

Well…in router series after Huawei Router NE40E the acl application is a part of policy based routing.

If you wish to bring up a Cisco router that has an IP address that conflicts with existing hosts on your network, there are a variety of ways to change it. We just happened to have a crossover network cable sitting on our work bench, and a GNU/Linux host on the LAN with an extra unused NIC in it. We didn't happen to have a convenient console cable, and thought, hey, why not? There are some examples of various GNU/Linux networking tweaks, as well as the mundane changing the IP address in IOS, so some part of this might help you.

The first step is to bind an address that doesn't conflict with the Cisco to the extra interface:

[root@sv-51 sysconfig]# cd network-scripts
[root@sv-51 network-scripts]# ls
ifcfg-eth0        ifdown-ipv6   ifup-ippp   ifup-ppp
ifcfg-eth1        ifdown-isdn   ifup-ipsec  ifup-routes
ifcfg-lo          ifdown-post   ifup-ipv6   ifup-sit
ifcfg-lo.rpmsave  ifdown-ppp    ifup-ipx    ifup-sl
ifdown            ifdown-sit    ifup-isdn   ifup-wireless
ifdown-aliases    ifdown-sl     ifup-plip   init.ipv6-global
ifdown-ippp       ifup          ifup-plusb  network-functions
ifdown-ipsec      ifup-aliases  ifup-post   network-functions-ipv6
[root@sv-51 network-scripts]# vi ifcfg-eth1
[root@sv-51 network-scripts]# cat ifcfg-eth1
DEVICE=eth1
ONBOOT=yes
BOOTPROTO=static
IPADDR=10.50.100.201
[root@sv-51 network-scripts]#
[root@sv-51 network-scripts]# /etc/init.d/network restart
Shutting down interface eth0:                              [  OK  ]
Shutting down interface eth1:                              [  OK  ]
Shutting down loopback interface:                          [  OK  ]
Setting network parameters:                                [  OK  ]
Bringing up loopback interface:                            [  OK  ]
Bringing up interface eth0:                                [  OK  ]
Bringing up interface eth1:                                [  OK  ]
[root@sv-51 network-scripts]#
[root@sv-51 root]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:60:08:11:BD:4A
inet addr:10.50.100.51  Bcast:10.50.100.255  Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
RX packets:13453 errors:0 dropped:0 overruns:0 frame:0
TX packets:6694 errors:0 dropped:0 overruns:0 carrier:0
collisions:354 txqueuelen:100
RX bytes:876741 (856.1 Kb)  TX bytes:471045 (460.0 Kb)
Interrupt:12 Base address:0xe000
eth1      Link encap:Ethernet  HWaddr 00:60:97:09:70:EF
inet addr:10.50.100.201  Bcast:10.255.255.255  Mask:255.0.0.0
UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
RX packets:79 errors:0 dropped:0 overruns:0 frame:0
TX packets:105 errors:0 dropped:0 overruns:0 carrier:4
collisions:0 txqueuelen:100
RX bytes:8864 (8.6 Kb)  TX bytes:6343 (6.1 Kb)
Interrupt:11 Base address:0xd000
lo        Link encap:Local Loopback
inet addr:127.0.0.1  Mask:255.0.0.0
UP LOOPBACK RUNNING  MTU:16436  Metric:1
RX packets:10 errors:0 dropped:0 overruns:0 frame:0
TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:660 (660.0 b)  TX bytes:660 (660.0 b)
[root@sv-51 root]#

[root@sv-51 network-scripts]# route add 10.50.100.202 gw 10.50.100.201
[root@sv-51 network-scripts]# route add 10.50.100.200 gw 10.50.100.201
[root@sv-51 network-scripts]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.50.100.200   10.50.100.201   255.255.255.255 UGH   0      0        0 eth1
10.50.100.202   10.50.100.201   255.255.255.255 UGH   0      0        0 eth1
10.50.100.0     *               255.255.255.0   U     0      0        0 eth0
10.0.0.0        *               255.0.0.0       U     0      0        0 eth1
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         10.50.100.82    0.0.0.0         UG    0      0        0 eth0
[root@sv-51 network-scripts]#

[root@sv-51 network-scripts]# telnet 10.50.100.200
Trying 10.50.100.200...
Connected to 10.50.100.200.
Escape character is '^]'.
User Access Verification
Password:
router>en
Password:
router#show run
Building configuration...
Current configuration:
version 12.0
.
.
.
!
interface FastEthernet0
ip address 10.50.100.200 255.255.255.0
ip access-group 100 in
ip access-group 100 out
no ip directed-broadcast
!
.
.
.
router#
router#conf term
Enter configuration commands, one per line.  End with CNTL/Z.
router(config)#int FastEthernet0
router(config-if)#ip address 10.50.100.202 255.255.255.0

[root@sv-51 root]# telnet 10.50.100.202
Trying 10.50.100.202...
Connected to 10.50.100.202.
Escape character is '^]'.
User Access Verification
Password:
router>en
Password:
router#copy run start
Destination filename [startup-config]?
Building configuration...
router#
router#reload
Proceed with reload? [confirm]
Connection closed by foreign host.
[root@sv-51 root]#

[root@sv-51 root]# /etc/init.d/network restart
Shutting down interface eth0:                              [  OK  ]
Shutting down interface eth1:                              [  OK  ]
Shutting down loopback interface:                          [  OK  ]
Setting network parameters:                                [  OK  ]
Bringing up loopback interface:                            [  OK  ]
Bringing up interface eth0:                                [  OK  ]
Bringing up interface eth1:                                [  OK  ]
[root@sv-51 root]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.50.100.0     *               255.255.255.0   U     0      0        0 eth0
10.0.0.0        *               255.0.0.0       U     0      0        0 eth1
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         10.50.100.82    0.0.0.0         UG    0      0        0 eth0
[root@sv-51 root]# telnet 10.50.100.202
Trying 10.50.100.202...
Connected to 10.50.100.202.
Escape character is '^]'.
User Access Verification
Password: