Category: Networks

Written by Fahadi Muhumuza07Jan, 2021

Q-in-Q Tunneling for ELS support on Juniper Switches

In a network where Service Providers run customers’ VLAN traffic over their backbone network, there is a possibility of VLAN crushing if different customers use overlapping VLAN IDs. With Q-in-Q Tunneling Providers can segregate different customers’ VLAN traffic on a link (for example, if the customers use overlapping VLAN IDs) or bundle different customer VLANs into a single service VLAN.

With Q-in-Q tunneling, providers can segregate or bundle customer traffic into fewer VLANs or different VLANs by adding another layer of 802.1Q tags. Q-in-Q tunneling is useful when customers have overlapping VLAN IDs because the customer’s 802.1Q (dot1Q) VLAN tags are prepended by the service VLAN (S-VLAN) tag.

This makes it a suitable solution for service providers since it gives them freedom on which S-VLANs to use without changing customers’ C-VLANs and customers can use any VLANs they want.

How Q-in-Q Tunneling Works

In Q-in-Q tunneling, as a packet travels from a customer VLAN (C-VLAN) to a service provider’s VLAN (S-VLAN), a customer-specific 802.1Q tag (Customer’s S-VLAN tag) is added to the packet. This additional tag is used to segregate traffic into service-provider-defined service VLANs (S-VLANs). The original customer 802.1Q tag (C-VLAN(s) tag(s)) of the packet remains and is transmitted transparently, passing through the service provider’s network. As the packet leaves the S-VLAN in the downstream direction, the extra 802.1Q tag (Customer’s S-VLAN tag) is removed.

This solution has been illustrated on a Juniper EX-2300-C Switch with Enhanced Layer 2 Software (ELS) support.

There are multiple ways Q-in-Q tunneling maps C-VLAN(s) to S-VLAN(s).

  1. All-in-one bundling
  2. Many-to-one bundling
  3. Many-to-many bundling
  4. Mapping a specific interface

In this tutorial, only “All-in-one bundling” will be covered.

Continue reading “Q-in-Q Tunneling for ELS support on Juniper Switches”

Written by Fahadi Muhumuza06Jan, 2021

VPLS Multihoming in a Sub-ring setup using rpm and event-handlers for Juniper

Virtual private LAN service (VPLS) multihoming enables you to connect a customer site to two or more PE routers to provide redundant connectivity. A redundant PE router can provide network service to the customer site as soon as a failure is detected. VPLS multihoming helps to maintain VPLS service and traffic forwarding to and from the multihomed site in the event of the following types of network failures:

  • PE router to CPE device link failure
  • PE router failure
  • MPLS-reachability failure between the local PE router and a remote PE router

Ideally, each customer should have dedicated physical connections to PEs, but this kind of setup is expensive for service providers to maintain. Therefore, a new approach of Sub Rings connecting different customers with the use of different VLAN-IDs has been lately utilized as shown below. This makes each CPE logically appear as if it’s connected directly to PEs.

However, VPLS Multihoming was designed to detect failures when the physical interface it’s running on goes down and with this kind of setup, if CPE-2 is multihomed between PE-01 and PE-02 as primary and backup respectively, and the link between CPE-2 and CPE-1 goes down, PE-01 will not notice that failure, therefore, VPLS multihoming will not failover to PE-02 and hence fail-over will not be achieved.

In this blog, we shall cover the set up and configuration of VPLS Multihoming with BGP signaling in a Sub-ring scenario to address the challenge mentioned above.

Continue reading “VPLS Multihoming in a Sub-ring setup using rpm and event-handlers for Juniper”

Written by Olivia Nakayima24Jul, 2020

RECOVERING CISCO NEXUS 3000 SERIES SWITCH USING A TFTP SERVER

INTRODUCTION

Cisco Nexus 3000 Series Switches are designed for data center top-of-rack deployments by providing 24 to 128 ports offering flexible connectivity, high performance, and a comprehensive feature set. It usually runs on multiple versions of OS images including 6.2a, 6.3a, 6.8, 7.3 and many others.

Figure 1: Nexus 3000 series switch

TFTP (Trivial FTP), is a file-transfer protocol geared towards a much simpler, and thus less robust, set of needs as far as file transfers go. TFTP is ideal for transferring of firmware updates, moving system images around, and other tasks that require far more functionality than the traditional FTP. It operates on UDP port 69.

In this article, we are going to recover a Cisco Nexus 3000 Series Switch using images installed on a TFTP server.

SIGNS OF A FAULTY NEXUS SWITCH

  • Continuous booting,
  • Cannot load Operating system image,
  • Cannot read USB drives.

PREREQUISITES

  • In this article, the TFTP server IP address is 168.10.10/24.
  • Ensure the kickstart and main images are stored in the TFTP server and set the TFTP server to use the directory or folder where the files are located.
  • In this article, we shall use n3000-uk9-kickstart.6.0.2.U5.3.bin as our kickstart image and n3000-uk9.6.0.2.U5.3.bin as our file image.

 

SETTING UP THE TFTP SERVER.

In this article, a Debian-based Linux server with UFW firewall was used to set up the TFTP server as root user.

NB: The configuration on the server IP address is beyond the scope of this article.

  • Install the TFTP server.

# apt-get -y update && apt-get install -y tftp-hpa

  • Configure the TFTP server.

# echo ‘TFTP_USERNAME=”tftp”‘ > /etc/default/tftpd-hpa

# echo ‘TFTP_DIRECTORY=”/srv/tftp”‘ >> /etc/default/tftpd-hpa

# echo ‘TFTP_ADDRESS=”0.0.0.0:69″‘ >> /etc/default/tftpd-hpa

# echo ‘TFTP_OPTIONS=”–secure”‘ >> /etc/default/tftpd-hpa

  • Copy the Cisco recovery images (assuming they are in the current working directory) to the TFTP directory

# cp -n n3000-uk9-kickstart.6.0.2.U5.3.bin /srv/tftp

# cp -n n3000-uk9.6.0.2.U5.3.bin /srv/tftp

  • Start the TFTP service

# systemctl start tftpd-hpa

  • Allow traffic to the TFTP port.

# ufw allow to any port 69

 

RECOVERING THE NEXUS SWITCH

  • Connect the switch’s Management (MGMT) port (by the power supply) to the network where the TFTP server resides.
  • Configure the switch’s IP reachability using the management port to be able to communicate with the TFTP server.

loader> set ip 192.168.10.4 255.255.255.0

loader> set gw 192.168.10.1

  • Boot the kickstart image file from the TFTP server.

loader>boot tftp://192.168.10.10/n3000-uk9-kickstart.6.0.2.U5.3.bin

  • After a successful boot, you will be directed to the (boot)# From here, you can check whether the boot flash is empty. If empty, copy the files (kickstart image, main image, and license file) over from the TFTP server.
  1. NB. You may need to format the bootflash in case of corrupted condition.
  • If all is well, then copy the kickstart and main image files using the following commands:

switch(boot)#copy tftp://192.168.10.10/n3000-uk9-kickstart.6.0.2.U5.3.bin bootflash:/n3000-uk9-kickstart.6.0.2.U5.3.bin

switch(boot)#copy tftp://192.168.10.10/n3000-uk9.6.0.2.U5.3.bin bootflash:/n3000-uk9.6.0.2.U5.3.bin

  • Verify that both images are in the bootflash using the command:

switch(boot)#dir bootflash:

  • See if the switch is able to boot up using the main image.

switch(boot)#load bootflash:/n3000-uk9.6.0.2.U5.3.bin

  • During the boot, you will be asked whether you would like to enter the initial configuration mode, type This will lead you to the basic configuration, you can then verify your configuration present using the command “show running configuration” in configuration mode.

switch#show running-config

  • Go ahead and reload the switch to ensure that the switch is able to boot up normally.

switch#reload

 

 

FURTHER READING

Written by Carol Namuddu17Jul, 2020

Ping Plotter

Ping Plotter

This is a tool used by the RENU community to troubleshoot network issues. Once an institution is facing problems they are prompted to share their results with the NOC for interpretation. The big question is do you understand these graphs.

This write-up covers the basic features of the graphs and their interpretation.

You’ve captured something in PingPlotter that looks like evidence of a network problem. Let’s take a closer look and see what the graph tells us about the source of your network problem.

Understanding PingPlotter graphs begins with the final destination. That’s the target you’re testing. PingPlotter represents the final destination with the bottom row of the trace graph.

The final destination is the bottom row of the trace graph

Check for packet loss

Take a look at your PingPlotter results. Do you see a red bar? If so, that means some data was lost between your computer and the target. This effect is known as packet loss, and if you’re seeing it on the final destination, there’s a good chance you captured a problem.

Check for latency

What about the black line? It shows how long it takes data to travel to your target and back. This measurement is known as latency. It’s another network problem indicator. The further to the right the black line is the longer it takes for data travel around the network. If you see high latency on your final destination, you’ve probably captured a network problem

Follow the pattern to the source

When you have an idea of what’s happening on the final destination, it’s time to look at the rows leading up to the final destination. Do you notice any patterns leading up to the final destination?

Where the pattern begins, helps you understand the source of the problem. If the pattern starts on the first row in the graph (your router), you’re probably dealing with an internal network problem.

Figure 1 Internal problems begin on the first hop

If the pattern originates somewhere in between the first and last row, the problem is probably outside your local network then contact the NOC it could be problems on the international circuit

Figure 2 Problems outside your network begin in the middle.

.It’s time to make a diagnosis. Do you think the source of your problem is on your local network, or it is it outside your local network?

Wireless Problems

Sometimes other devices interfere with your wireless network. If you connect with ethernet (the cable) and the problem goes away, you probably have a wireless issue.

Bandwidth

Bandwidth problems happen when your network usage exceeds your capacity. If your network problem happens during network-intensive activities like gaming, downloading, or multiple users, there’s a good chance you have a bandwidth issue.

Hardware

When network devices fail, it’s a hardware problem. If you don’t think you’re dealing with bandwidth or wireless issue, it’s time to start looking into hardware.

All the examples above can be categorised as Internal network issues. If you suspect more that the problem is outside your local network contact the NOC.

 

Written by Carol Namuddu16Jul, 2020

Optical ByPass Switching

Optical Bypass Switches

bypass switch (or bypass TAP) is a hardware device that provides a fail-safe access port for an in-line active network device such as an intrusion prevention system (IPS), next-generation firewall, network switch etc. if the device loses power, experiences a software failure, or is taken off-line for updates or upgrades, traffic can no longer flow through the critical link. The bypass switch or bypass tap removes this point of failure by automatically ‘switching traffic via bypass mode’ to keep the critical network link up.

A bypass switch has four ports. Two network ports create an in-line connection in the network link that is to be monitored. This connection is fully passive; if the bypass switch itself loses power, traffic continues to flow unimpeded through the link.

Two monitor ports are used to connect the in-line device. During normal operation, the bypass switch passes all network traffic through the network (CPE) switch as if it were directly in-line itself. But when the switch (CPE) loses power, is disconnected, or otherwise fails, the bypass switch passes traffic directly between its network ports, bypassing the CPE, and ensuring that traffic continues to flow on the network link.

A bypass switch monitors the health of the CPE by sending heartbeats to the network switch (CPE) as long as the network device/switch is on-line, the heartbeat packets will be returned to the optical bypass switch and the link traffic will continue to flow through the CPE.

If the heartbeat packets are not returned to the Optical Bypass Switch (CPE has gone off-line), the Optical Bypass will automatically bypass the CPE and keep the link traffic flowing. The Optical Bypass also removes the heartbeat packets before sending the network traffic back onto the critical link.

Written by Claire Nakakeeto17Jun, 2020

Using cacti to monitor bandwidth consumption

Cacti is a free network graphing tool that is used to visualize the time series data obtained by the Round-Robin database tool (RDD tool).

The tool polls network devices like switches and routers via SNMP and then graphs their data. Some of the data that are polled are CPU load, temperature, uptime and network bandwidth utilization.                                                                                                                                        

Here we shall focus on how you can monitor your bandwidth from the cacti graphs.

Continue reading “Using cacti to monitor bandwidth consumption”

Written by mwotila28Aug, 2018

Intel Reports

Accessible RDP

This report identifies hosts that have Remote Desktop (RDP) Service running and accessible to the world on the Internet. Misconfigured RDP can allow miscreants access to the desktop of a vulnerable host and can also allow for information gathering on a target host as the SSL certificate used by RDP often contains the system’s trivial hostname.

Remedy: Disable RDP from being world accessible by applying firewall rules either at the border or at the server itself

 

Accessible Telnet

This report identifies hosts that have a Telnet instance running on port 23/TCP that accessible on the Internet. Telnet provides no encryption and may expose sensitive information or system credentials.

Remedy: Disable Telnet service and use more secure protocols such as SSH or firewall the telnet services

 

SSL Scan

This report identifies hosts that allow the use of SSL v3.0 with cipher-block chaining (CBC) mode ciphers which are vulnerable to the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack. See US-CERT alert TA14-290A at: https://www.us-cert.gov/ncas/alerts/TA14-290A for more information on this vulnerability and exploit.

Statistics for these servers can be found here.

Remedy: Use TLS,  patch OpenSSL or disable SSLv3

 

Compromised Websites

This report is a list of all the websites we – or our collaboration partners – have been able to identify and verify to be compromised. These websites might be used for sending spam, participating in DDoS attacks, redirecting users to exploit kits etc.

A large subset of these compromises are caused by outdated versions of CMSes such as Joomla/Drupal/Wordpress (or plugins for these) and weak or keylogged FTP credentials.

As always, there is no guarantee that there are no additional infections/compromises on any IP we report on. We have seen several different criminal groups abusing the same compromised system for different purposes. The same IP/domain that is hosting a spambot may also be used for infecting unsuspecting users. We recommend investigating systems with the assumption that there are more compromises on the systems than what is reported.

Remedy: Upgrade the CMS

 

Open IPMI

This report identifies hosts that have the Intelligent Platform Management Interface (IPMI) service open (port 623/UDP) and accessible from the Internet.

IPMI is the base of most of the Out Of Band / Lights Out management suites and is implemented by the server’s Baseboard Management Controller (BMC). The BMC has near complete access and control of the server’s resources, including, but not limited to, memory, power, and storage. Anyone that can control your BMC (via IPMI), can control your server.

IPMI instances in general are known to contain a variety of vulnerabilities, some more serious than other. In short; you really do not want to expose IPMI to the Internet. If you are not convinced yet, please take a look at the excellent work by Dan Farmer on IPMI security issues at http://fish2.com/ipmi/ and US-CERT alert TA13-207A at https://www.us-cert.gov/ncas/alerts/TA13-207A

Statistics for these servers can be found here.

Remedy:

  • Restrict IPMI to Internal Networks
  • Utilize strong passwords
  • Encrypt the traffic
  • Require authentication and disable anonymous logins

 

Open Memcached

This report identifies hosts that have the Memcached key-value store (see memcached.org for more information) running and accessible on the Internet. Since this service does not support authentication, any entity that can access the MemCached instance can have complete control over the key-value store.

In addition, instances of MemCacheD that are accessible via UDP may be abused in amplification-style denial of service attacks.

Remedy:

  • Bind Memcached to a local interface
  • Disable this UDP service if not required
  • Protect your server with conventional network security best practices such as restricting access to MemCacheD
  • Install available security updates

 

SSL Freak Scan

This report identifies hosts that allow the use of SSL/TLS with RSA_EXPORT ciphers (aka “export-grade” encryption). Hosts using these weakened ciphers can be used in a man-in-the-middle attack which forces a browser to use a weak export key, which is easily crackable. This is called a FREAK (Factoring RSA Export Keys) attack. More information on the FREAK attack can be found at https://www.smacktls.com and https://www.digicert.com/blog/freak-attack-need-know/

Remedy

  • Disable support for all export-grade cipher suites on your servers.
  • Patch OpenSSL
  • On the client side, patch the browsers

 

Open Portmapper

This report identifies hosts that have the Portmapper service (see Wikipedia for general information on this service) running and accessible on the public Internet. This service has the potential to be used in amplification attacks by criminals that wish to perform denial of service attacks (see US-CERT Alert TA14-017A) and Level3’s Blog for more information).

In addition to being used in denial of service attacks, portmapper can be used to obtain a large amount of information about the target, including the NFS exports that are hosted by that device, if the mountd program is also accessible.

The analogous shell command to mimic our portmapper scan is:

rpcinfo -T udp -p [IP]

And the analogous shell command that mimics our probe of the mountd program is:

showmount -e [IP]

Remedy

  • Disable portmapper

 

Open mDNS

This report identifies hosts that have the mDNS service (see https://en.wikipedia.org/wiki/Multicast_DNS for more information) running and accessible from the Internet. mDNS can be probed in a unicast fashion and can respond in methods similar to a standard dns server.

Our initial probe tests to see if mDNS is accessible on the Internet and collects the information that it discloses, including a list of services that may be accessible via further mDNS probes. If a host is found to have the services “_workstation._tcp.local” or “_http._tcp.local” running, secondary probes are performed to collect whatever system information is returned. Some of the information that may be returned includes: trivial name of the device, IPv4 and IPv6 address(es) of the device (this may include RFC1918 addresses that are not meant to be leaked), MAC address information of the device, and potentially other information.

Remedy

  • Disable the mDNS service unless required
  • Restrict access to trusted clients, for example by blocking incoming connections to port 5353/UDP on the firewall.
  • On Ubuntu, apt-get remove avahi-daemon

Open LDAP

This report identifies hosts that have an LDAP instance running on port 389/UDP and accessible on the Internet. These hosts are often Active Directory servers. In addition to allowing for an ~60x amplification vector, the data that is disclosed by the server could reveal large amounts of information about the network that the server resides on.

Remedy

  • Restrict LDAP access to only services that require it – most times these are local services. Can be implemented by use of a firewall

 

Accessible SMB

This report identifies hosts that have an SMB instance running on port 445/TCP and accessible on the Internet. This service should not be exposed to the Internet

Remedy

  • Do not expose the SMB service to the Internet but rather restrict it to where it is used

 

Accessible CiscoSmartInstall

This report identifies hosts that have the Cisco Smart Install feature running and accessible to the Internet at large. This feature can be used to read or potentially modify a switch’s configuration.

More details can be found on Cisco’s PSIRT blog.

Remedy

  • Cisco strongly recommends disabling the Smart Install feature with the no vstack configuration command.

 

DNS Scan (Open Resolver)

The Shadowserver Foundation is currently undertaking a project to search for publicly available recursive DNS servers. The goal of this project is to identify DNS servers that will send a reply to any IP address for domains that the DNS server is not authoritative for and report them back to the network owners for remediation.

These servers have the potential to be used in DNS amplification attacks and if at all possible, we would like to see these services made un-available to miscreants that would misuse these resources.

Remedy

  • Ensure that the authoritative DNS servers can only service requests for known domains
  • Recursive DNS servers should only do recursion for known networks such as institutional ones

 

NTP Version

This report identifies NTP servers that have the potential to be used in amplification attacks by criminals that wish to perform denial of service attacks. The NTP version command is a Mode 6 query for READVAR. While not as bad as the Mode 7 query for MONLIST, the queries for READVAR will normally provide around 30x amplification.

To manually test if a system is vulnerable to this, you can use the command: ntpq -c rv [ip]

Statistics for these servers can be found here.

Instructions for restricting READVAR can be found here.

Remedy

  • Disable inbound traffic on port 123/UDP

Open SNMP

This report identifies hosts with SNMPv2 publicly accessible and responding to the community “public” that have the potential to be used in amplification attacks by criminals that wish to perform denial of service attacks. Statistics for these hosts can be found here.

The OID being probed for is 1.3.6.1.2.1.1.1.0 (sysDescr) and if the host responds to that probe, the host is then probed for OID 1.3.6.1.2.1.1.5.0 (sysName). The analogous shell commands would be:

snmpget -c public -v 2c [ip] 1.3.6.1.2.1.1.1.0

snmpget -c public -v 2c [ip] 1.3.6.1.2.1.1.5.0

Remedy

  • Use a strong community string other than “public”

 

Open NetBios

This report identifies hosts that have the NetBIOS service running and accessible on the Internet. These services have the potential to be used in amplification attacks by criminals that wish to perform denial of service attacks. Statistics for these hosts can be found here.

The analogous shell command (from a windows box) to identify these hosts would be:

nbtstat -A [ip]

Remedy

  • Do not expose the NetBIOS service to the Internet but rather restrict it to where it is used on port 137/UDP

Open SSDP

This report identifies hosts that have the Simple Service Discovery Protocol (SSDP) running and accessible on the Internet. These services have the potential to be used in amplification attacks by criminals that wish to perform denial of service attacks. Statistics for these hosts can be found here.

Remedy

  • Do not expose the SSDP service to the Internet but rather restrict it to where it is used on port 1900/UDP

 

Open TFTP

This report identifies hosts that have the TFTP service running and accessible on the Internet. Our probe tests to see if the TFTP service is accessible and will either return the file that we are asking for or return an error code. We are not testing to see if file upload is enabled.

Please note that unlike other UDP services that we test for, the response from TFTP is often received on a port that is different than what was queried! Probes sent to a host on port 69/UDP may generate responses that source from ephemeral high ports.

Remedy

  • Do not expose the TFTP service to the Internet but rather restrict it to where it is used on port 69/UDP unless it is required

 

Open HTTP

This report identifies hosts that have the Hypertext Transfer Protocol (HTTP) running on some port and accessible on the Internet.

Remedy

  • This report is just informational but where it is not required, disable the HTTP service

 

Open NATPMP

This report identifies hosts that have the NAT Port Mapping Protocol (NAT-PMP) running and accessible on the Internet. These services have the potential to expose information about a clients network on which this service is accessible. Information on this vulnerability can be found here.

Remedy

  • Deploy firewall rules to block untrusted hosts from being able to access port 5351/UDP.
  • Consider disabling NAT-PMP on the device if it is not absolutely necessary.

 

Open MSSQL

This report identifies hosts that have the MS-SQL Server Resolution Service running and accessible on the Internet. These services have the potential to expose information about a clients network on which this service is accessible and the service itself can be used in UDP amplification attacks.

Remedy

  • Deploy firewall rules to block untrusted hosts from being able to access MS-SQL Server

 

Vulnerable ISAKMP

This report identifies hosts that have a vulnerable IKE service accessible on the Internet. For more information please see the Cisco Security Advisory

Remedy

  • Implement an intrusion prevention system (IPS) or intrusion detection system (IDS) to help detect and prevent attacks that attempt to exploit this vulnerability.
  • You are advised to monitor affected systems.

 

Botnet

This report contains a list of IPs that may have been compromised and now part of  a bigger bot network

Remedy

  • Monitor the affected systems for any suspect traffic flowing to and fro the system
  • Apply security patches to applications running on the affected systems

 

Sinkhole HTTP Drone

These IP addresses are all the devices that joined the Shadowserver Sinkhole server that did not arrive through the usage of an HTTP referrer. Since the Sinkhole server is only accessed through previously malicious domain names, only infected system, or security researchers should be seen in this list.

Remedy

  • Monitor the affected systems for any suspect traffic flowing to and fro the system
  • Apply firewall filters on the server to allow only required traffic. 

 

Drone Bruteforce

This report identifies hosts that have been observed performing brute force attacks.

Remedy

  • Monitor the affected systems for any suspect traffic flowing to and fro the system
  • Apply firewall filters on the server to allow only required traffic. 

 

Blacklist

This report is the aggregation of a variety of different Blacklist providers. The purpose in sharing this information is to alert the end-users that specific IP addresses of theirs have been flagged by providers as possibly malicious and different services might be impacted because of this blacklisting. The option to remove any system from a blacklist will vary by the provider. Some will have a well documented process and some will demand payment for removal.

Remedy

  • Identify the blacklisted host and use blacklist provider steps to delist its IP address. Identification can also help in determining the real cause of the blacklist

Darknet

A darknet is a portion of network, a certain routed space of IP Addresses in which there are no active servers or services. I.e., externally no packet should be directed to that address space.These systems are most likely sending or generating suspicious traffic hence signs of compromise.

Remedy

  • Monitor the affected systems for any suspect traffic flowing to and fro the system – if there are any applications generating this traffic, apply patches or disable where unnecessary. 

 

Written by Ben Kyemba07Dec, 2017

Junos MX5 error after OS upgrade: System is running on alternate media device (/dev/da1s1a)

After OS upgrade on Junos MX5, you are hit with following notice upon reboot;
— JUNOS 13.3R9.13 built 2016-03-01 07:16:35 UTC
NOTICE: System is running on alternate media device (/dev/da1s1a)

This error is as a result of various scenarios and below are the possible causes:
1.) A software failure/error on the primary media (flash)
2.) A hardware failure on the primary media (flash)
3.) A request issue reboot on the secondary media (disk)

Continue reading “Junos MX5 error after OS upgrade: System is running on alternate media device (/dev/da1s1a)”

Written by Brian Masiga27Nov, 2017

Traffic Flow Sampling in Juniper Mx-5 and Mx-480 Routers IPv4 and IPv6

Traffic Analysis is a critical component in network planning, security and troubleshooting. For you to perform traffic analysis, you need to collect network traffic flows from the different aggregation points in your network such as routers and switches.

In Juniper, they take advantage of ‘sampling’ packets and frames going through a switch or router. The sampled flows can used by third party applications such as nfsen and ntop.

This configuration solution was done on a Juniper Mx 5 Router using ipfix .

Create a sampling instance at the chassis level in this case it was named ‘1to1’
set chassis tfeb slot 0 sampling-instance 1to1

Place the flow table size at the chassis level on tfeb for both IPv4 and IPv6
set chassis tfeb slot 0 inline-services flow-table-size ipv4-flow-table-size 5
set chassis tfeb slot 0 inline-services flow-table-size ipv6-flow-table-size 5

Continue reading “Traffic Flow Sampling in Juniper Mx-5 and Mx-480 Routers IPv4 and IPv6”

Written by Nicholas Mbonimpa30Oct, 2017

Uploading Cisco IOS using XMODEM

Problem Statement

There are times when a router/switch can only boot up in ROMmon. This happens when the router/switch has no valid Cisco IOS software or bootflash image to boot from. This disaster recovery situation arises when, for example, the Cisco IOS software on the router/switch is corrupted or has crashed.

There are also cases where the router/switch has no USB port, or where it is not possible to set up a network connection with the router/switch, and hence using the Trivial File Transfer Protocol (TFTP) is not a solution.

Continue reading “Uploading Cisco IOS using XMODEM”