2009-10-26

EIGRP hidden commands

I accidentally found another "hidden" command related to EIGRP:


BBR1#sh ip ei eve
Event information for AS 1:
1 11:22:36.267 Poison squashed: 10.97.97.0/24 reverse
2 11:22:34.259 Poison squashed: 172.31.1.0/24 reverse
3 11:22:34.243 Change queue emptied, entries: 1
4 11:22:34.243 Metric set: 10.97.97.0/24 281600
5 11:22:34.243 Update reason, delay: new if 4294967295
6 11:22:34.243 Update sent, RD: 10.97.97.0/24 4294967295
7 11:22:34.243 Update reason, delay: metric chg 4294967295
8 11:22:34.243 Update sent, RD: 10.97.97.0/24 4294967295
9 11:22:34.243 Route install: 10.97.97.0/24 10.254.0.3

2009-10-22

ASA: change https/ASDM certificate

By default, the ASA uses a self-signed certificate for https/ASDM connections. A short guide on how to fix that.

1) Obtain a legitimate certificate
a) Add the certificate authority:


(config)# crypto ca trustpoint CorpCA
(config-ca-trustpoint)# enrollment url http://172.26.26.50/certsrv/mscep/mscep.dll


b) Confirm the CorpCA certificate


crypto ca authenticate CorpCA
Do you accept this certificate? [yes/no]: yes


c) Specify the attributes for your future certificate


(config)# crypto ca trustpoint CorpCA
(config-ca-trustpoint)# subject-name cn=CORP-ASA


d) Request the certificate


(config)# crypto ca enroll CorpCA
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password:
Re-enter password:

% The subject name in the certificate will be: cn=CORP-ASA

% The fully-qualified domain name in the certificate will be: CORP-ASA

% Include the device serial number in the subject name? [yes/no]: no

Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority


2) Bind your certificate to the interface


(config)# ssl trust-point CorpCA inside
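
A client-side check to run from a management workstation after step 2, as an added example that is not part of the original post: it handshakes with the ASA while trusting only the CorpCA root and reports why verification fails if the old self-signed certificate is still being served. The function names, the corpca.pem file and the 192.0.2.10 address are assumptions.

```python
import socket
import ssl

# OpenSSL X509 verify codes that matter after replacing a self-signed cert.
VERIFY_REASONS = {
    18: "self-signed",     # leaf is its own issuer: the ASA default certificate
    19: "untrusted-root",  # chain ends in a root that is not in the trust store
    20: "unknown-issuer",  # issuer not found: other trustpoint bound, or wrong CA file
    10: "expired",
    62: "name-mismatch",   # the name we asked for is not in the certificate
}


def classify(exc):
    """Map a certificate verification failure to a short reason string."""
    return VERIFY_REASONS.get(exc.verify_code, "verify-failed:%d" % exc.verify_code)


def check_asa_cert(host, ca_file=None, port=443, name="CORP-ASA", timeout=5.0):
    """Handshake with the ASA, trusting only ca_file (CorpCA root, PEM).

    With ca_file=None the OS trust store is used instead. Returns
    ("ok", issuer CN) when the chain verifies and matches name,
    otherwise (reason, detail).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    else:
        ctx.load_default_certs()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # name must match what was enrolled (cn=CORP-ASA on this page),
            # even when connecting to the interface by IP address.
            with ctx.wrap_socket(raw, server_hostname=name) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return "ok", issuer.get("commonName", "")
    except ssl.SSLCertVerificationError as exc:
        return classify(exc), exc.verify_message
    except ssl.SSLError as exc:   # protocol/cipher failure, not a trust failure
        return "tls-error", str(exc)
    except OSError as exc:        # refused, timed out, no route
        return "unreachable", str(exc)


if __name__ == "__main__":
    # Constructed values: documentation address and a local copy of the CA root.
    print(check_asa_cert("192.0.2.10", "corpca.pem"))
```

A result of "self-signed" means the interface is still presenting the default certificate; "unknown-issuer" means a CA-issued certificate is served but it does not chain to the root in the file supplied.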

2009-10-20

ASA QoS

While teaching a course on an ASA running 8.2 firmware, I noticed some changes in the list of available actions for the MPF layer3/4 policy-map:

ASA-CO2(config)# policy-map test
ASA-CO2(config-pmap)# class class-default
ASA-CO2(config-pmap-c)# ?

MPF policy-map class configuration commands:
csc Content Security and Control service module
exit Exit from MPF class action configuration mode
flow-export Configure filters for NetFlow events
help Help for MPF policy-map class/match submode commands
inspect Protocol inspection services
ips Intrusion prevention services
no Negate or set default values of a command
police Rate limit traffic for this class
priority Strict scheduling priority for this class
quit Exit from MPF class action configuration mode
service-policy Configure QoS Service Policy
set Set connection values
shape Traffic Shaping
ASA-CO2(config-pmap-c)# shape ?

mpf-policy-map-class mode commands/options:
average configure token bucket: CIR (bps) [Bc (bits)], send out Bc only per
interval
ASA-CO2(config-pmap-c)# shape average ?

mpf-policy-map-class mode commands/options:
<64000-154400000> Target Bit Rate (bits per second), the value needs to be
multiple of 8000
ASA-CO2(config-pmap-c)# shape average 200000 ?

mpf-policy-map-class mode commands/options:
<2048-154400000> bits per interval, sustained. Needs to be multiple of 128.
Recommend not to configure it, the algorithm will find out
the best value

ASA-CO2(config-pmap-c)# shape average 200000
ASA-CO2(config-pmap-c)#

Shaping has finally arrived on the ASA! :)