1. 14:05:27.083238 ftp.client.org.1057 > ftp.server.edu.21: S 1484414:1484414(0) win 8192 <mss 536,nop,nop,sackOK> (DF)
sequence number of first byte in packet:sequence number of first byte in NEXT packet (data)
(0) = no. of byte
win = TCP available window size advertised by sender
mss = maximum segment size advertised by sender
<mss 536, - an admission by the client that its local network segment can accommodate a packet, without fragmentation, no larger than 536 bytes. 536 bytes is only the size of the data payload; the TCP and IP headers must still be added to the packet, and are assumed to occupy 40 bytes total.
sackOK" denotes acceptance by the client/sender of the "selective acknowledgement" option
The purpose of an ACK is to help track bytes exchanged
http://www.taosecurity.com/intv2-8.html
Richard Stevens - TCP/IP Illustrated, Volume 1: The Protocols
Friday 22 November 2013
Monday 18 November 2013
How Markets work - Supply and Demand-1
Supply and Demand
Microeconomic -
building blocks that create big economy
Opportunity cost
Implicit versus explicit(accounting) costseconomic cost versus accounting cost
Sunk cost/benefits - Anything that is common to whatever choices you have can be filtered out of the analysis.
The Determinants of Demand
Law of Demand - When you lower the price of any good or activity, consumers will demand more of that good or activity.No just price alone. It's important to understand how Price versus non-price factors affect quantity demanded.Price induces just a movement along a given demand curve.Any other factor changes, it'll shift the entire price quantity relationship. For any constant price, quantity demanded will differ if income is changed or substitutes, prices of substitutes or compliments are changed or government taxes and subsidies have been instituted.
Substitutes(lexus, bmw), complement (car,oil) affect the price of the item. some items are substitutes or complement.
The Determinants of Supply
The law of supply - The higher the price the greater the quantity suppliedTechnology, input prices, government taxes/susidies
Market Equilibrium
The point where the demand curve and supply curve intersect.
Lecture slides(PDF)
Definition: The nominal value of a good is its value in terms of money. The real value is its value in terms of some other good, service, or bundle of goods.
Examples:
Relative price is another term for the real price of a good or service. When we say that the relative price of computers has fallen in recent years, we mean that the price of computers relative to or measured in terms of other goods and services—such as TVs or cars—has declined. Relative prices of individual goods and services can decrease even if nominal prices are all increasing, because of inflation.
- Nominal: That CD costs $18. Japan's science and technology spending is about 3 trillion yen per year.
- Real: A year of college costs about the value of a Toyota Camry. Those tickets to see Van Halen cost me three weeks' worth of food!
Tuesday 1 October 2013
Wireless installation site survey
Wireless RF signal
The initial placement of an access point is based on an estimate of the signal loss that will occur between the access point and the users of the access point.
The starting point for an estimate depends on how much loss in power a signal would experience in the vacuum of space, without any obstructions or other interference. This is called the free space path loss and is specified in decibels (dB)
The estimate is tuned with an understanding that the actual expected signal loss depends on the medium through which the signal will travel, which is undoubtedly not a vacuum. An RF singal can be affected by
The initial placement of an access point is based on an estimate of the signal loss that will occur between the access point and the users of the access point.
The starting point for an estimate depends on how much loss in power a signal would experience in the vacuum of space, without any obstructions or other interference. This is called the free space path loss and is specified in decibels (dB)
The estimate is tuned with an understanding that the actual expected signal loss depends on the medium through which the signal will travel, which is undoubtedly not a vacuum. An RF singal can be affected by
- Reflection(steel, metal door)
- Absorption(water,tree,thick wood)
- Refraction(signal is bent when going through a medium with one density to a medium with another density.eg.water tank)
- Diffraction(signal which is bent while going through a region where reflective obstruction exits can interfere with that part of RF signal that is not bent
Wireless installation site survey
A site survey can be as simple as walking around with a wireless notebook computer and using the utility to measure signal strength.Signal strength can also be determined with a protocol analyzer. The WildPackets AiroPeek analyzer, for example, presents the signal strength for each frame received.
An access point typically sends a beacon frame every 100 milliseconds(ms).When evaluating the various metrics that are provided by wireless utilities, be sure to measure frame corruption and not just signal strength. With a protocol analyzer, capture frames and check for cyclic redundancy check (CRC) errors.
Wireless utility such as the Cisco ACU, WildPackets, OmniPeek, or NetStumbler to check signal strength
Juniper Junos Interfaces
> show interfaces terse --similar to sh ip int bri
> show interfaces g0/0/0 --similar to sh int g0/0/0
Backup router
Static route is only available when the system’s routing protocol process (rpd) is running. When Junos devices boot, the routing protocol process is not running; therefore, the system has no static or default routes. To allow the device to boot and to ensure that it is reachable over the network if the routing protocol process fails to start properly, you configure a backup router, which is a router or gateway device that is directly connected to the local system
[edit system]
root# show backup-router
10.0.1.129 destination 10.0.15.0/24;
Hosts on the 10.0.15.0/24 subnet are reachable through the backup router. If the destination statement is omitted, then all hosts are reachable through the backup router.
> show interfaces g0/0/0 --similar to sh int g0/0/0
Backup router
Static route is only available when the system’s routing protocol process (rpd) is running. When Junos devices boot, the routing protocol process is not running; therefore, the system has no static or default routes. To allow the device to boot and to ensure that it is reachable over the network if the routing protocol process fails to start properly, you configure a backup router, which is a router or gateway device that is directly connected to the local system
[edit system]
root# show backup-router
10.0.1.129 destination 10.0.15.0/24;
Hosts on the 10.0.15.0/24 subnet are reachable through the backup router. If the destination statement is omitted, then all hosts are reachable through the backup router.
Wednesday 14 August 2013
Linux Survival Commands
/ is root.
/home/mc7 --> go up to root and go down
home/mc7
# ls -l --> displays file permission
# chmod --> change mode/permission
#groups --> To get a listing of your group memberships
# cd ~ --> go to home directory. cd ~mc7 --> go to mc7 home directory
Monday 12 August 2013
Sunday 11 August 2013
Pfsense site-to-site OpenVPN
PPTP vs OpenVPN vs IPsec VPN
http://www.ivpn.net/
Referred to
http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_(Shared_Key,_2.0)
http://blog.stefcho.eu/?p=576
Topology
Configure one site as a Server and another as client
Server will listen/wait for client to connect at the specified port. (we can use default port 1194 or different port such as tcp/443)
So, server side firewall must allow traffic from OpenVPN client source IP to access that port.
Routing of additional networks (we can only define one local subnet in openVPN default configuration), add "route 172.16.1.0 255.255.255.0" in advanced configuration box. Of course, the router(pfsense) protecting that network must know how to reach it(add static route)
Access Firewall rules
Fw Access rules via OpenVPN must be configured under OpenVPN tab in firewall section. Firewall in pfsense behaves like cisco ASA - scanning the traffic via incoming interface. So, remember to allow traffic at source firewall (LAN interface) and destination firewall (openVPN) interface.
Check OpenVPN logs under Status --> OpenVPN. Check firewall logs under Status --> System Logs.
PPTP vs OpenVPN vs IPsec VPN
http://www.ivpn.net/
Referred to
http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_(Shared_Key,_2.0)
http://blog.stefcho.eu/?p=576
Topology
Configure one site as a Server and another as client
Server will listen/wait for client to connect at the specified port. (we can use default port 1194 or different port such as tcp/443)
So, server side firewall must allow traffic from OpenVPN client source IP to access that port.
Routing of additional networks (we can only define one local subnet in openVPN default configuration), add "route 172.16.1.0 255.255.255.0" in advanced configuration box. Of course, the router(pfsense) protecting that network must know how to reach it(add static route)
Access Firewall rules
Fw Access rules via OpenVPN must be configured under OpenVPN tab in firewall section. Firewall in pfsense behaves like cisco ASA - scanning the traffic via incoming interface. So, remember to allow traffic at source firewall (LAN interface) and destination firewall (openVPN) interface.
Dropped Firewall logs
Check OpenVPN logs under Status --> OpenVPN. Check firewall logs under Status --> System Logs.
Pfsense installation using Oracle Virtual Box
Referred to
http://forum.pfsense.org/index.php?topic=47306.0
http://pc-addicts.com/building-the-ultimate-virtualbox-lab-intro/
Download pfsnse .gz file, uncompressed to .img file and convert it to virtual hard disk using "VBoxManage convertfromraw D:\temp\pfSensexx.img D:\temp\pfSensexx..vdi"
Created a VM. Use "Bridge Adapter" to connect pfsense box to local network. Adapter 1 for WAN and adapter 2 for LAN.
(a)pfsense cannot be accessed by WAN interface due to default firewall rule. Use another VM like win XP to access the box via LAN interface. (default userid/password - admin/pfsense)
(b)If (a) is not feasible, we can use VirtualBox option in GNS3 to configure pfsense.
Add a cloud and configure it as host machine network adapter
Simulate the lab. First interface of pfsense is em0 and second is em1.
Referred to
http://forum.pfsense.org/index.php?topic=47306.0
http://pc-addicts.com/building-the-ultimate-virtualbox-lab-intro/
Download pfsnse .gz file, uncompressed to .img file and convert it to virtual hard disk using "VBoxManage convertfromraw D:\temp\pfSensexx.img D:\temp\pfSensexx..vdi"
Created a VM. Use "Bridge Adapter" to connect pfsense box to local network. Adapter 1 for WAN and adapter 2 for LAN.
(a)pfsense cannot be accessed by WAN interface due to default firewall rule. Use another VM like win XP to access the box via LAN interface. (default userid/password - admin/pfsense)
(b)If (a) is not feasible, we can use VirtualBox option in GNS3 to configure pfsense.
Simulate the lab. First interface of pfsense is em0 and second is em1.
Wednesday 31 July 2013
Junos CLI basic
The root user must start the CLI from the shell.user@router> (the > character identifies operational mode which is to monitor and troubleshoot the device)
user@router# (the # character identifies configuration mode which is to configure all properties of the Junos OS)
Press Spacebar to complete a command. Press Tab to complete system commands and user-defined variables.
Use configure exclusive to exclude other users from editing the configuration.Any uncommitted changes are discarded when the user exits. In contrast, uncommitted changes are retained when you use standard configure command.
Use configure private to allow multiple users to edit the configuration while committing only their private changes. If a private users issue a rollback 0 command, the software discards only their changes.
Moving between levels is like changing directories. Use up, up 2, top, exit commands.
Viewing differences
Using show | compare displays differences between the candidate config and active configuration also known as rollback 0.
Remember- the rollback command modifies only the candidate configuration. To activate the changes loaded through the rollback operation, issue the commit command.
Run command
The run command allows you to execute operational mode commands while in configuration mode. It is similar to the do command.
Friday 12 July 2013
OSPF Basic
OSPF LSA types
LSA Type 1 (Router LSA)
Generated by all routers in an area to describe their directly attached links (Intra-area routes).These do not leave the area.
LSA Type 2 (Network LSA)
Generated by the DR of a broadcast or Nonbroadcast segment to describe the neighbors connected to the segment.These do not leave the area.
LSA Type 3 (Network Summary LSA)
Generated by ABR to describe/advertise a route to neighbors outside the area. (Inter-area routes)
LSA Type 4 (ASBR Summary LSA)
Generated by ABR to advertise a route for/to an ASBR to neighbors outside the area
LSA Type 5 (External LSA)
Generated by ASBR to describe routes redistributed into the OSPF area.These routes appeared as E1 or E2.E2(default) uses a static cost throughout OSPF domain as it only takes the cost into account that is reported at redistribution.E1 uses a cumulative cost of the cost reported into OSPF domain at redribution plus the local cost to the ASBR.
LSA Type 6 (Multicast LSA)
Not supported on Cisco routers.
---------------------------
Unlike EIRGRP, OSPF does not support route summarization anywhere everywhere. It only supports in Area Border Router (ABR). - external route advertisement.
Stub area blocks route updates coming from any external network (redistribution). It only accepts route updates from Area 0, Area 1, so on. ABR generates a default route to this area.
Totally stubby area block external route advertisement and route advertisements from other Areas. It only knows about routes in its own area. ABR generates a default route to this area.
LSA Type 1 (Router LSA)
Generated by all routers in an area to describe their directly attached links (Intra-area routes).These do not leave the area.
LSA Type 2 (Network LSA)
Generated by the DR of a broadcast or Nonbroadcast segment to describe the neighbors connected to the segment.These do not leave the area.
LSA Type 3 (Network Summary LSA)
Generated by ABR to describe/advertise a route to neighbors outside the area. (Inter-area routes)
LSA Type 4 (ASBR Summary LSA)
Generated by ABR to advertise a route for/to an ASBR to neighbors outside the area
LSA Type 5 (External LSA)
Generated by ASBR to describe routes redistributed into the OSPF area.These routes appeared as E1 or E2.E2(default) uses a static cost throughout OSPF domain as it only takes the cost into account that is reported at redistribution.E1 uses a cumulative cost of the cost reported into OSPF domain at redribution plus the local cost to the ASBR.
LSA Type 6 (Multicast LSA)
Not supported on Cisco routers.
---------------------------
Unlike EIRGRP, OSPF does not support route summarization anywhere everywhere. It only supports in Area Border Router (ABR). - external route advertisement.
Stub area blocks route updates coming from any external network (redistribution). It only accepts route updates from Area 0, Area 1, so on. ABR generates a default route to this area.
Totally stubby area block external route advertisement and route advertisements from other Areas. It only knows about routes in its own area. ABR generates a default route to this area.
Monday 8 July 2013
BGP Theory and basic config
Basics
Neighbors are manually configured.
Stage: IDLE, ACTIVE, Open Sent, Open Confirmed, Established
Hello sent every 60 seconds with a hold-down of 180 seconds.
Capable of MD5 authentication
Rule of Synchronization
Routes learnt via iBGP must be validated by the interior routing table before they can be advertised to remote peers - eBGP. Sync can be off/on at bgp router connected to remote ebgp peer.
Rule of Split-Horizon
Routes learnt via IBGP will never be sent to another IBGP peer
Route reflector to overcome this issue.
Attributes (Mandatory, Well-known Optional - transitive/non-transitive)
AS-Path, Next-Hop, Origin (IGP,EGP,Unknown?)
Local Preference(higher better), weight(local router, higher better) = select Exit point
Atomic Aggregate = this route is summarized
MED - used to suggest an entry point into your AS (lower is better)
Aggregator = designates IP addr of the router who performed summarization,
Community = used for route tagging
Basic Configuration
ip address of neighbors must be reachable(eg. via Internal routing protocol); exact subnet mask;
router bgp AS number
neighbor x.x.x.x remote-as 666
network 10.1.0.0 mask 255.255.0.0
neighbor 3.3.3.3 ebgp-multihop 2 -- if interfaces are not directly connected to each other
neighbor 3.3.3.3 update-source loopback 0 - to use if router's bgp address is loopback or not directly connected to neigbor
no auto summary
no synchronization -- turn of rule of synchronization
neighbor 2.2.2.2 next-hop-self -- when ebgp route is advertised back to ibgp
Troubleshooting
debug ip bgp updates
Neighbors are manually configured.
Stage: IDLE, ACTIVE, Open Sent, Open Confirmed, Established
Hello sent every 60 seconds with a hold-down of 180 seconds.
Capable of MD5 authentication
Rule of Synchronization
Routes learnt via iBGP must be validated by the interior routing table before they can be advertised to remote peers - eBGP. Sync can be off/on at bgp router connected to remote ebgp peer.
Rule of Split-Horizon
Routes learnt via IBGP will never be sent to another IBGP peer
Route reflector to overcome this issue.
Attributes (Mandatory, Well-known Optional - transitive/non-transitive)
AS-Path, Next-Hop, Origin (IGP,EGP,Unknown?)
Local Preference(higher better), weight(local router, higher better) = select Exit point
Atomic Aggregate = this route is summarized
MED - used to suggest an entry point into your AS (lower is better)
Aggregator = designates IP addr of the router who performed summarization,
Community = used for route tagging
Basic Configuration
ip address of neighbors must be reachable(eg. via Internal routing protocol); exact subnet mask;
router bgp AS number
neighbor x.x.x.x remote-as 666
network 10.1.0.0 mask 255.255.0.0
neighbor 3.3.3.3 ebgp-multihop 2 -- if interfaces are not directly connected to each other
neighbor 3.3.3.3 update-source loopback 0 - to use if router's bgp address is loopback or not directly connected to neigbor
no auto summary
no synchronization -- turn of rule of synchronization
neighbor 2.2.2.2 next-hop-self -- when ebgp route is advertised back to ibgp
Troubleshooting
debug ip bgp updates
Multicast Routing (half way, basic)
Multicast Basic
Technology allowing a host to send a Single Stream of traffic to reach Any number of destination hosts. Broadcast is one to everybody. Unicast is one to one.
Multicast addresses are from Class D Range (224-239). 224.0.0.1 to 224.0.0.255 is reserved for local network protocol use. Has TTL=1
Distribution Method: Source Trees
good for small organizations
Distribution Method: Shared Trees
Rendezvous Point (RP)
Technology allowing a host to send a Single Stream of traffic to reach Any number of destination hosts. Broadcast is one to everybody. Unicast is one to one.
Multicast addresses are from Class D Range (224-239). 224.0.0.1 to 224.0.0.255 is reserved for local network protocol use. Has TTL=1
Distribution Method: Source Trees
good for small organizations
Distribution Method: Shared Trees
Rendezvous Point (RP)
IP Access List
Access-Lists
Facts:
1. Implicit Deny All at the end of every list
2. Read from Top to Bottom, Stops reading when match is found
3. New lines are added to the end of list
4. An Undefined Access-List will permit all traffic
5. Deleting an Access-List after applying to an interface causes a Deny Any for all traffic
Creating Standard Access-List
You are permitted or denied based on who you are
access-list <1-99>
Router(config)#access-list 50 deny 150.100.0.0 0.0.255.255
Router(config)#access-list 50 permit any
Router(config-if)#ip access-group 50 <in or out from router perception>
Creating an extended Access-List
access-list <100-199>
Router(config)#access-list 150 deny tcp host 192.168.1.100 150.100.0.0 0.0.255.255 eq 80
Router(config)#access-list 150 permit ip any any
Router(config-if)#ip access-group 50 <in or out from router perception>
Creating named Access-List
flexible. can edit or insert in the middle of existing list
Router(config-ext-nacl)#permit ip 150.100.0.0 0.0.255.255 any
Router(config-ext-nacl)#permit ip any any
Router#sho ip access-lists
Extended IP access list DEMO
10 permit ip 150.100.0.0 0.0.255.255 any
20 permit ip any any
30 deny ip host 150.100.1.50 any
Router#
Dynamic Access-list (Lock and Key)
Time-based Access-list
Verification
sh ip access-list number
Facts:
1. Implicit Deny All at the end of every list
2. Read from Top to Bottom, Stops reading when match is found
3. New lines are added to the end of list
4. An Undefined Access-List will permit all traffic
5. Deleting an Access-List after applying to an interface causes a Deny Any for all traffic
Creating Standard Access-List
You are permitted or denied based on who you are
access-list <1-99>
Router(config)#access-list 50 deny 150.100.0.0 0.0.255.255
Router(config)#access-list 50 permit any
Router(config-if)#ip access-group 50 <in or out from router perception>
Creating an extended Access-List
access-list <100-199>
Router(config)#access-list 150 deny tcp host 192.168.1.100 150.100.0.0 0.0.255.255 eq 80
Router(config)#access-list 150 permit ip any any
Router(config-if)#ip access-group 50 <in or out from router perception>
Creating named Access-List
flexible. can edit or insert in the middle of existing list
Router(config-ext-nacl)#permit ip 150.100.0.0 0.0.255.255 any
Router(config-ext-nacl)#permit ip any any
Router#sho ip access-lists
Extended IP access list DEMO
10 permit ip 150.100.0.0 0.0.255.255 any
20 permit ip any any
30 deny ip host 150.100.1.50 any
Router#
Dynamic Access-list (Lock and Key)
Time-based Access-list
Verification
sh ip access-list number
Sunday 7 July 2013
Easy way to calculate wildcard mask
Easy way to calculate wildcard mask
255.255.255.255 - subnet mask
e.g. for 192.168.0.0/16 wildcard is 0.0.255.255
for 192.168.5.0/30 wildcard is 0.0.0.3 (255-252)
255.255.255.255 - subnet mask
e.g. for 192.168.0.0/16 wildcard is 0.0.255.255
for 192.168.5.0/30 wildcard is 0.0.0.3 (255-252)
Cisco Router NAT
Dynamic NAT
1. Create access-list describing inside host
2. Configure outside pool
3. Map inside to outside
(config)#ip nat inside source list 50 pool outside pool_name
4. Mark Interfaces
(config-if)#ip nat inside or ip nat outside
Dynamic NAT Overloading
1. Create access-list describing inside host
3. Map inside to outside
(config)#ip nat inside source list 40 interface f0/1 overload
4. Mark Interfaces(config-if)#ip nat inside or ip nat outside
Static NAT
(config)#ip nat inside source static tcp 192.168.1.10 3389 interface f0/1 3389
Verification
show ip nat translation
show run
debug ip nat
For IP phone or other special service
(config)#ip nat service skinny tcp port 2001
Saturday 6 July 2013
Useful words
Useful words
adept - very skilled; proficient; expert; adept in competing against; small firms are proving adept at using..
impeccable - faultless; flawless; impeccable manner, impeccable credentials
accustomed - customary; usual; habitual;
leverage - n,v - power or ability to act or to influence people, events, decisions, etc.; sway: Being the only industry intown gave the company considerable leverage in its union negotiations. Synonyms: advantage, strength,weight; clout, pull
substantial
sustain, sustainable
sophisticated
confound
normative
lavish - using or giving in great amount; lavish praise
consensus - majority of opinion
demise - death or decease;termination of existence or operation
autonomy - independence or freedom, as of the will or one's actions
autonomous - self-governing;
deteriorate - to make or become worse or inferior in character, quality or value, etc. serious deterioration in performance
culminate - to reach the highest point, summit; to end or arrive at a final stage.
fret - v - to feel or express worry, annoyance, discontent, or the like: Fretting about the lost ring isn't going to help.
affiliate - v,n - to bring into close association or connection: The research center is affiliated with the university.
Unbridled - adj - not controlled or restrained: Unbridled enthusiasm
pervade - v - to become spread throughout all parts of: Spring pervaded the air.
absolve - tv - to free from guilt or blame or their consequences;to set free or release, as from some duty, obligation, or responsibility
superfluous - being more than is sufficient or required; excessive;unnecessary or needless;
pledge - n,v - a solemn promise or agreement to do or refrain from doing something:
Subscribe to:
Posts (Atom)