Juniper Tips 38: How to show VLANs in MX

Verify the logical interface associations with the VLANs and bridge domains. Next, check that the correct interfaces are associated with the correct VLANs and sit in the correct bridge domains.

To do this, run the commands 'show bridge domain' and 'show bridge domain <vlan> detail'.

For example:

# run show bridge domain

Routing instance        Bridge domain            VLAN ID     Interfaces
default-switch          VLAN-001                 1

default-switch          VLAN-10                  10

default-switch          VLAN-130                 130

default-switch          VLAN-131                 131
                                                     ae0.0
                                                     ae2.0
                                                     ae6.0
                                                     ae8.0
                                                     ge-3/1/8.0
default-switch          VLAN-140                 140
                                                     ae0.0
                                                     ae1.0
                                                     ae2.0
default-switch          VLAN-141                 141
                                                     ae0.0
                                                     ae1.0
                                                     ae2.0

# show bridge-domains
VLAN-001 {
    description "Default VLAN for unassigned ports";
    vlan-id 1;
}
VLAN-10 {
    description "10.1.1.0/24-pip net";
    vlan-id 10;
}
VLAN-130 {
    description "130.91.30.0/24 - NAT";
    vlan-id 130;
}
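As an added example (not part of the original post), here is a small POSIX shell/awk helper that turns the 'show bridge domain' table above into one line per bridge domain, VLAN and interface, lists the domains that have no member interface at all, and answers "is interface X in domain Y?" so the membership check can be scripted instead of read by eye. The column layout is assumed to be the one shown above, and the embedded sample output is constructed from it.

```shell
# Added example, not part of the original post: parse 'show bridge domain'
# output into "domain vlan interface" triples and flag empty domains.
# Assumes the column layout shown above (routing instance, bridge domain,
# VLAN ID, optional first interface, further interfaces on continuation lines).

sample_bridge_output() {
    # Constructed from the output shown in the post.
    cat <<'EOF'
Routing instance        Bridge domain            VLAN ID     Interfaces
default-switch          VLAN-001                 1
default-switch          VLAN-10                  10
default-switch          VLAN-131                 131
                                                     ae0.0
                                                     ae2.0
default-switch          VLAN-140                 140
                                                     ae0.0
                                                     ae1.0
EOF
}

# stdin: command output. stdout: "domain vlan interface", with "-" as the
# interface for a domain that has no member at all.
bridge_members() {
    awk '
        function flush() { if (dom != "" && n == 0) print dom, vlan, "-" }
        NF >= 3 && $3 ~ /^[0-9]+$/ {          # a bridge-domain row
            flush(); dom = $2; vlan = $3; n = 0
            if (NF == 4) { print dom, vlan, $4; n++ }
            next
        }
        NF == 1 && dom != "" { print dom, vlan, $1; n++ }   # continuation row
        END { flush() }
    '
}

# Domains with no members: a VLAN that is defined but carries nothing is
# either dead configuration or a port that silently ended up elsewhere.
empty_domains() { bridge_members | awk '$3 == "-" { print $1 }'; }

# Exit 0 if interface $2 is a member of bridge domain $1 (reads stdin).
is_member() {
    bridge_members | awk -v d="$1" -v i="$2" \
        '$1 == d && $3 == i { f = 1 } END { if (f) exit 0; exit 1 }'
}

if [ "${1:-}" = demo ]; then
    echo "domains without members:"; sample_bridge_output | empty_domains
    sample_bridge_output | is_member VLAN-131 ae0.0 && echo "ae0.0 is in VLAN-131"
fi
```

Run it as `sh bridge_check.sh demo`, or feed real output with `ssh router 'show bridge domain' | is_member VLAN-131 ae0.0` from a script that sources the functions.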

Juniper Tips 39: How to enable OSPF for IPv6

OSPFv3 adds support for IPv6 in the Open Shortest Path First (OSPF) routing protocol, as detailed in RFC 2740. Most configuration and operational commands function essentially the same as in OSPFv2:

All OSPFv3 operational and configuration commands include the identifier ospf3 in place of the familiar ospf option. For example, show ospf database (OSPFv2) becomes show ospf3 database (OSPFv3).

OSPFv3 Router IDs, Area IDs, and LSA link-state IDs remain at the OSPFv2 IPv4 size of 32 bits.

All the optional capabilities in OSPFv2 for IPv4, such as not-so-stubby areas (NSSA), are supported in OSPFv3 for IPv6.

However, there are many significant changes to note about OSPFv3 for IPv6:

Router link-state advertisements (LSAs) and Network LSAs no longer carry prefix information. In OSPFv3, these LSAs only carry topology information.

New and modified LSAs have been created to handle the flow of IPv6 addresses and prefixes in an OSPFv3 network. As a result, some show command output appears in a different format for OSPFv3. The LSAs that have been modified are:

Interarea-Prefix LSA—This replaces the Network Summary or Type 3 LSA.

Interarea-Router LSA-This replaces the Autonomous System Boundary Router (ASBR) Summary or Type 4 LSA.

New LSAs introduced in OSPFv3 are:

Link LSA-This LSA has local scope and does not extend beyond the link it is associated with. The purpose of a link LSA is to provide the router's IPv6 link-local address to neighbors, inform other routers of the associated IPv6 prefixes available on the link, and provide information to the Network LSA. On all OSPF interfaces except virtual links, OSPF packets are sent using the interface's link-local address as the source address.

Intra-Area-Prefix LSA—This carries all IPv6 prefix information to all OSPFv3 routers within an area (in IPv4 this information is carried by the Router and Network LSAs).

OSPFv3 now runs on a per-link basis, instead of on a per-IP-subnet basis. IPv6 link-local addresses are used for OSPFv3 neighbor exchanges (except over virtual links).

The flooding scope for LSAs has been generalized into three categories for OSPFv3:

Link-local scope—The OSPFv3 packet is flooded to the members of a link.

Area scope—The OSPFv3 packet is flooded to all members of an OSPFv3 area.

AS scope—The OSPFv3 packet is flooded to all members of an AS.

Authentication has been removed from the OSPFv3 protocol itself; it relies on the Authentication Header (AH) and Encapsulating Security Payload (ESP) portions of IPsec for all authentication tasks in IPv6.

Label-switched paths (LSPs) and traffic engineering are not supported in OSPFv3.

Neighboring routers are always identified by the 32-bit router ID in OSPFv3.

A minimal Junos configuration (the ospf3 stanza under protocols):

ospf3 {
    export [ exportdirect exportstatic ];
    area 0.0.0.0 {
        interface ae0.9;
        interface lo0.0;
    }
}
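To make the LSA and flooding-scope discussion above concrete, here is an added example (not from the original post) that decodes the 16-bit OSPFv3 LS Type field in POSIX shell: the S2/S1 bits carry the three flooding scopes just described, the U bit says how a router treats a type it does not understand, and the function code names the LSA. The bit layout and function codes are those of RFC 5340, which obsoletes the RFC 2740 cited above; the helper that reports which LSAs carry IPv6 prefixes is my own summary of the text above.

```shell
# Added example, not from the original post: decode the OSPFv3 LS Type field.
# Layout (RFC 5340, A.4.2.1): bit 15 = U, bit 14 = S2, bit 13 = S1,
# bits 0-12 = function code.

lsa_scope() {
    # $1: LS type as a C-style integer, e.g. 0x2001. Prints the flooding scope.
    t=$(( $1 ))
    case "$(( (t >> 14) & 1 ))$(( (t >> 13) & 1 ))" in
        00) echo link-local ;;
        01) echo area ;;
        10) echo AS ;;
        11) echo reserved ;;
    esac
}

lsa_name() {
    case "$(( $1 & 0x1FFF ))" in
        1) echo Router ;;
        2) echo Network ;;
        3) echo Inter-Area-Prefix ;;   # replaces the OSPFv2 type 3 summary
        4) echo Inter-Area-Router ;;   # replaces the OSPFv2 type 4 ASBR summary
        5) echo AS-External ;;
        6) echo Group-Membership ;;    # deprecated in RFC 5340
        7) echo NSSA ;;
        8) echo Link ;;                # new: link-local address and on-link prefixes
        9) echo Intra-Area-Prefix ;;   # new: prefixes Router/Network LSAs no longer carry
        *) echo unknown ;;
    esac
}

# Router and Network LSAs carry topology only; these function codes carry prefixes.
lsa_carries_prefixes() {
    case "$(( $1 & 0x1FFF ))" in 3|5|7|8|9) return 0 ;; esac
    return 1
}

# Handling of an LS type the router does not understand (U bit, RFC 5340 4.4.3.1):
# U=0 -> treat as link-local scope; U=1 -> store and flood with the S2/S1 scope.
lsa_unknown_handling() {
    t=$(( $1 ))
    if [ "$(( (t >> 15) & 1 ))" -eq 1 ]; then
        echo "store and flood as $(lsa_scope "$t")"
    else
        echo "flood link-local only"
    fi
}

if [ "${1:-}" = demo ]; then
    for t in 0x2001 0x2002 0x2003 0x2004 0x4005 0x2007 0x0008 0x2009; do
        printf '%-6s %-18s %-10s prefixes=%s\n' "$t" "$(lsa_name "$t")" "$(lsa_scope "$t")" \
            "$(lsa_carries_prefixes "$t" && echo yes || echo no)"
    done
fi
```

The well-known values come out as expected: 0x2001 (Router) and 0x2009 (Intra-Area-Prefix) are area-scoped, 0x4005 (AS-External) is AS-scoped, and 0x0008 (Link) never leaves its link, which is exactly why the prefix information had to move out of the Router and Network LSAs.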

How to enable SSL on Red Hat Linux server

How do I speak HTTPS manually for testing purposes?

While you usually just use

$ telnet localhost 80

GET / HTTP/1.0 (enter)

$ telnet 172.16.5.2 80
Trying 172.16.5.2...
Connected to 172.16.5.2.
Escape character is '^]'.
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Wed, 25 Mar 2015 15:31:05 GMT
Server: Apache/2.2.15 (Red Hat)
Last-Modified: Fri, 15 Feb 2013 21:40:12 GMT
ETag: "158-53-4d5ca385c499c"
Accept-Ranges: bytes
Content-Length: 83
Connection: close
Content-Type: text/html; charset=UTF-8

<html>
<head>
<title>Red Hat Enterprise Linux</title>
<body>
hello
</body>
</html>
Connection closed by foreign host.

for simple testing of Apache via HTTP, it’s not so easy for HTTPS because of the SSL protocol between TCP and HTTP. With the help of OpenSSL’s s_client command, however, you can do a similar check via HTTPS:

$ openssl s_client -connect localhost:443 -state -debug

GET / HTTP/1.0

Before the actual HTTP response you will receive detailed information about the SSL handshake. For a more general command line client which directly understands both HTTP and HTTPS, can perform GET and POST operations, can use a proxy, supports byte ranges, etc. you should have a look at the nifty cURL tool. Using this, you can check that Apache is responding correctly to requests via HTTP and HTTPS as follows:

$ curl http://localhost/

$ curl http://172.16.5.2
<html>
<head>
<title>Red Hat Enterprise Linux</title>
<body>
hello
</body>
</html>
$ curl https://localhost/

$ curl -k https://172.16.5.2
<html>
<head>
<title>Red Hat Enterprise Linux</title>
<body>
hello
</body>
</html>

**If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option; otherwise it will warn you that the certificate cannot be authenticated.

25.8. Apache HTTP Secure Server Configuration

This section provides basic information on the Apache HTTP Server with the mod_ssl security module enabled to use the OpenSSL library and toolkit. The combination of these three components is referred to in this section as the secure Web server or just as the secure server.
 
The mod_ssl module is a security module for the Apache HTTP Server. The mod_ssl module uses the tools provided by the OpenSSL Project to add a very important feature to the Apache HTTP Server — the ability to encrypt communications. In contrast, regular HTTP communications between a browser and a Web server are sent in plain text, which could be intercepted and read by someone along the route between the browser and the server.
This section is not meant to be complete and exclusive documentation for any of these programs. When possible, this guide points to appropriate places where you can find more in-depth documentation on particular subjects.
This section shows you how to install these programs. You can also learn the steps necessary to generate a private key and a certificate request, how to generate your own self-signed certificate, and how to install a certificate to use with your secure server.
The mod_ssl configuration file is located at /etc/httpd/conf.d/ssl.conf. For this file to be loaded, and hence for mod_ssl to work, you must have the statement Include conf.d/*.conf in the /etc/httpd/conf/httpd.conf file. This statement is included by default in the default Apache HTTP Server configuration file.
 
 
25.8.1. An Overview of Security-Related Packages

To enable the secure server, you must have the following packages installed at a minimum:
httpd
The httpd package contains the httpd daemon and related utilities, configuration files, icons, Apache HTTP Server modules, man pages, and other files used by the Apache HTTP Server.
mod_ssl
The mod_ssl package includes the mod_ssl module, which provides strong cryptography for the Apache HTTP Server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.
openssl
The openssl package contains the OpenSSL toolkit. The OpenSSL toolkit implements the SSL and TLS protocols, and also includes a general purpose cryptography library.
 

How to get and install mod_ssl

 

$ sudo yum install mod_ssl
....

Dependencies Resolved

============================================================================================================================
 Package                  Arch                    Version                                 Repository                   Size
============================================================================================================================
Installing:
 mod_ssl                  x86_64                  1:2.2.15-15.el6_2.1                     ipnsg-rhel                   87 k

Transaction Summary
============================================================================================================================
Install       1 Package(s)

Total download size: 87 k
Installed size: 183 k
Is this ok [y/N]: y
Downloading Packages:
mod_ssl-2.2.15-15.el6_2.1.x86_64.rpm                                                                 |  87 kB     00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
** Found 1 pre-existing rpmdb problem(s), 'yum check' output follows:
sssd-1.8.0-32.el6.x86_64 has missing requires of openldap >= ('0', '2.4.23', '20')
  Installing : 1:mod_ssl-2.2.15-15.el6_2.1.x86_64                                                                              1/1
Installed products updated.
  Verifying  : 1:mod_ssl-2.2.15-15.el6_2.1.x86_64                                                                              1/1

Installed:
  mod_ssl.x86_64 1:2.2.15-15.el6_2.1

*** The new files are in place right away, before the httpd server is restarted:

/etc/httpd/module/mod.ssl.so

/etc/httpd/conf.d/ssl.conf

How to test it?

$ more /etc/httpd/conf.d/ssl.conf

#   Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate.  If
# the certificate is encrypted, then you will be prompted for a
# pass phrase.  Note that a kill -HUP will prompt again.  A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/tls/certs/localhost.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

  

$ wget https://172.16.5.2
--2015-03-25 17:38:20--  https://172.16.5.2/
Connecting to 172.16.5.2:443... connected.
ERROR: cannot verify 172.16.5.2's certificate, issued by /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=host/emailAddress=root@host
                     Self-signed certificate encountered

How do I create a self-signed SSL Certificate for testing purposes?

  1. Make sure OpenSSL is installed and in your PATH.
  2. Run the following command to create the server.key and server.crt files:

$ openssl req -new -x509 -nodes -out server.crt -keyout server.key

  3. If you need a stronger key, such as 2048 bits instead of 1024:

$ openssl req -new -x509 -nodes -sha1 -days 365 -newkey rsa:2048 -keyout server.key -out server.crt

  (-sha1 selects the signature digest; current OpenSSL releases sign with SHA-256 by default, so the option can be dropped.)

  4. These can be used as follows in your /etc/httpd/conf.d/ssl.conf file:

             SSLCertificateFile    /path/to/this/server.crt
             SSLCertificateKeyFile /path/to/this/server.key

  5. Be aware that this server.key does not have a passphrase. To add a passphrase to the key, run the following commands and enter and verify the passphrase as requested:

$ openssl rsa -des3 -in server.key -out server.key.new
$ mv server.key.new server.key

 

How do I create a real SSL Certificate?

Here is a step-by-step description:

  1. Make sure OpenSSL is installed and in your PATH.
  2. Create an RSA private key for your Apache server (it will be Triple-DES encrypted and PEM formatted):

$ openssl genrsa -des3 -out server.key 1024

Or, for a 2048-bit key (openssl genrsa takes the key size as its last argument):

$ openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus.....

Please back up this server.key file and the pass-phrase you entered in a secure location. You can see the details of this RSA private key by using the command:

$ openssl rsa -noout -text -in server.key

If necessary, you can also create a decrypted PEM version (not recommended) of this RSA private key with:

$ openssl rsa -in server.key -out server.key.unsecure

 

  3. Create a Certificate Signing Request (CSR) with the server RSA private key (output will be PEM formatted):

$ openssl req -new -key server.key -out server.csr

Make sure you enter the FQDN ("Fully Qualified Domain Name") of the server when OpenSSL prompts you for the "CommonName", i.e. when you generate a CSR for a website which will later be accessed via https://www.foo.dom/, enter "www.foo.dom" here. You can see the details of this CSR by using:

$ openssl req -noout -text -in server.csr

 You now have to send this Certificate Signing Request (CSR) to a Certifying Authority (CA) to be signed. Once the CSR has been signed, you will have a real Certificate, which can be used by Apache. You can have a CSR signed by a commercial CA, or you can create your own CA to sign it.

How can I get rid of the pass-phrase dialog at Apache startup time?

The reason this dialog pops up at startup and at every restart is that the RSA private key inside your server.key file is stored in encrypted format for security reasons. The pass-phrase is needed to decrypt this file so it can be read and parsed. Removing the pass-phrase removes a layer of security from your server; proceed with caution!

Remove the encryption from the RSA private key (while keeping a backup copy of the original file):

$ cp server.key server.key.org
$ openssl rsa -in server.key.org -out server.key

How do I verify that a private key matches its Certificate?

A private key contains a series of numbers. Two of these numbers form the “public key”, the others are part of the “private key”. The “public key” bits are included when you generate a CSR, and subsequently form part of the associated Certificate.

To check that the public key in your Certificate matches the public portion of your private key, you simply need to compare these numbers. To view the Certificate and the key run the commands:

$ openssl x509 -noout -text -in server.crt
$ openssl rsa -noout -text -in server.key

The 'modulus' and the 'public exponent' portions in the key and the Certificate must match. As the public exponent is usually 65537 and it's difficult to visually check that the long modulus numbers are the same, you can use the following approach:

$ openssl x509 -noout -modulus -in server.crt | openssl md5
$ openssl rsa -noout -modulus -in server.key | openssl md5
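As an added example (not from the page), the same check as a POSIX shell helper: instead of hashing the modulus with md5, it compares the PEM public key that openssl derives from the private key with the one embedded in the certificate, which also works for non-RSA keys, and it offers a SHA-256 modulus fingerprint as a drop-in for the md5 line above. It assumes the openssl command-line tool is on PATH; the test material it generates is a throwaway self-signed certificate with a constructed subject.

```shell
# Added example, not from the page. Assumes the openssl CLI is on PATH.

# 0 if the private key in $1 and the certificate in $2 carry the same public
# key, 1 if they differ, 2 if either file could not be parsed.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# SHA-256 of the "Modulus=..." line; $1 is "key" or "cert", $2 the file.
# Identical output for key and cert means the same RSA modulus.
modulus_fingerprint() {
    if [ "$1" = cert ]; then
        openssl x509 -noout -modulus -in "$2"
    else
        openssl rsa -noout -modulus -in "$2"
    fi | openssl dgst -sha256 | sed 's/^.*= *//'
}

# Constructed throwaway material in a temp dir: a self-signed cert with its
# key, plus an unrelated key that must not match. Prints the directory.
make_test_material() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=test.invalid' \
        -keyout "$d/server.key" -out "$d/server.crt" >/dev/null 2>&1 || return 1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/other.key" >/dev/null 2>&1 || return 1
    echo "$d"
}

if [ "${1:-}" = demo ]; then
    d=$(make_test_material) || exit 1
    key_matches_cert "$d/server.key" "$d/server.crt" && echo "server.key matches server.crt"
    key_matches_cert "$d/other.key" "$d/server.crt" || echo "other.key does NOT match server.crt"
    echo "key  modulus sha256: $(modulus_fingerprint key "$d/server.key")"
    echo "cert modulus sha256: $(modulus_fingerprint cert "$d/server.crt")"
    rm -rf "$d"
fi
```

For a production server the call is simply `key_matches_cert /etc/pki/tls/private/localhost.key /etc/pki/tls/certs/localhost.crt`; a non-zero exit before restarting httpd saves the "could not load key" surprise at startup.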

What SSL Ciphers are supported by mod_ssl?

Usually, any SSL ciphers supported by the version of OpenSSL in use are also supported by mod_ssl. Which ciphers are available can depend on the way you built OpenSSL. Typically, at least the following ciphers are supported:

To determine the actual list of ciphers available, you should run the following:

$ openssl ciphers -v

How to verify the certificate

$ openssl x509 -in server2.crt -text -noout

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            e5:cc:7d:a6:ae:52:34:b0
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=New York, L=NYC, O=ATT, OU=CSO, CN=server

Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)

 

How to disable SSLv3?

Modify /etc/httpd/conf.d/ssl.conf:

SSLProtocol all -SSLv3

or

SSLProtocol -all -TLSv1

will completely disable the SSLv3 protocol and allow those browsers to work. A better workaround is to disable only those ciphers which cause trouble.

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

$ openssl s_client -connect 172.16.5.2:443 -state -ssl3
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL3 alert read:fatal:handshake failure
SSL_connect:failed in SSLv3 read server hello A

$ openssl s_client -connect 172.16.5.2:443 -state -tls1
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=0 C = US, ST = New York, L = NYC, O = ATT, OU = CSO, CN = server
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = New York, L = NYC, O = ATT, OU = CSO, CN = server
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
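Added example (not from the page): a POSIX shell audit of the two directives above, evaluated the way mod_ssl reads them. SSLProtocol tokens are processed left to right, where +name adds, -name removes, a bare name replaces the whole set and all expands to every protocol, so "all -SSLv3" leaves TLS enabled while "-all -TLSv1" leaves nothing enabled at all, and the verdict function reports both cases. The cipher check flags tokens that positively admit a weak class (the +LOW, +SSLv2, +EXP and RC4+RSA entries of the SSLCipherSuite line above) and classes that are not hard-excluded with "!". The protocol set offered by the build is an assumption (SSLv3 plus TLSv1 to TLSv1.2, no SSLv2, as on httpd 2.4 and modern OpenSSL builds); adjust ALL_PROTOS for yours.

```shell
# Added example, not from the page: audit SSLProtocol and SSLCipherSuite
# arguments the way mod_ssl interprets them.
# Assumption: the local build offers these protocols and has no SSLv2.
ALL_PROTOS="SSLv3 TLSv1 TLSv1.1 TLSv1.2"

# Tiny string-set helpers (space separated words).
set_has() { case " $1 " in *" $2 "*) return 0 ;; *) return 1 ;; esac; }
set_add() { if set_has "$1" "$2"; then echo $1; else echo $1 "$2"; fi; }
set_remove() { out=""; for w in $1; do [ "$w" = "$2" ] || out="$out $w"; done; echo $out; }

# $@: arguments of an SSLProtocol directive. Prints the enabled protocols.
enabled_protocols() {
    cur=""
    for tok in "$@"; do
        act="="
        case $tok in
            +*) act="+"; tok=${tok#+} ;;
            -*) act="-"; tok=${tok#-} ;;
        esac
        if [ "$tok" = all ]; then tok=$ALL_PROTOS; fi
        case $act in
            "=") cur=$tok ;;                                       # bare name replaces the set
            "+") for p in $tok; do cur=$(set_add "$cur" "$p"); done ;;
            "-") for p in $tok; do cur=$(set_remove "$cur" "$p"); done ;;
        esac
    done
    echo $cur
}

protocol_verdict() {
    protos=$(enabled_protocols "$@")
    if [ -z "$protos" ]; then echo "FAIL: no protocol left enabled"
    elif set_has "$protos" SSLv2 || set_has "$protos" SSLv3; then echo "FAIL: SSLv2/SSLv3 still enabled ($protos)"
    else echo "OK: $protos"; fi
}

# Cipher-string words that admit a known-weak class.
is_weak_cipher_word() {
    case $1 in aNULL|ADH|AECDH|eNULL|NULL|EXP|EXPORT*|LOW|RC4|DES|MD5|SSLv2) return 0 ;; *) return 1 ;; esac
}

# $1: SSLCipherSuite string. Prints "enables:<token>" for each token that
# includes a weak class and "missing:!<class>" for each class that is not
# hard-excluded (ALL/DEFAULT only start the list; only "!" keeps a class out).
# Empty output means the string passed.
cipher_findings() {
    spec=$1; found=""
    for tok in $(printf '%s' "$spec" | tr ':' ' '); do
        case $tok in '!'*|-*) continue ;; esac
        for w in $(printf '%s' "${tok#+}" | tr '+' ' '); do
            if is_weak_cipher_word "$w"; then found="$found enables:$tok"; break; fi
        done
    done
    for w in aNULL eNULL EXPORT LOW RC4 MD5; do
        case ":$spec:" in *":!$w:"*) ;; *) found="$found missing:!$w" ;; esac
    done
    echo $found
}

if [ "${1:-}" = demo ]; then
    protocol_verdict all -SSLv3
    protocol_verdict -all -TLSv1
    cipher_findings 'ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP'
    cipher_findings 'HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!RC4:!MD5'
fi
```

Feed it the live values with, for instance, `protocol_verdict $(sed -n 's/^SSLProtocol //p' /etc/httpd/conf.d/ssl.conf)`; the s_client -ssl3 / -tls1 probes shown above then confirm on the wire what the static check predicted.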

WordPress Tips 38: How to fix wp-admin not accessible problem

The /wp-admin is not accessible any more after domain moving.

Here are the steps:

1. Edit the wp-config.php file.

2. After the “define” statements (just before the comment line that says “That’s all, stop editing!”), insert a new line, and type: define('RELOCATE',true);

3. Save your wp-config.php file.

4. Open a web browser and manually point it to wp-login.php on the new server. For example, if your new site is at http://www.yourdomainname.com, then type http://www.yourdomainname.com/wp-login.php into your browser’s address bar.

Like:

http://www.cathaycenturies.com/blog/wp-login.php

5. You will be able to login and change “site address” information under Settings.

6. Once this has been fixed, edit wp-config.php and either completely remove the line that you added (delete the whole line), comment it out (with //) or change the true value to false if you think it’s likely you will be relocating again.

Note: When the RELOCATE flag is set to true, the Site URL will be automatically updated to whatever path you are using to access the login screen. This will get the admin section up and running on the new URL, but it will not correct any other part of the setup. Those you will still need to alter manually.
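The six steps above can be scripted. Here is an added example (not from the page) in POSIX shell that inserts define('RELOCATE',true); immediately before the "That's all, stop editing!" line, refuses to add it twice, ignores a copy that was commented out with // (the option step 6 mentions), and removes the active line again once the site address has been fixed. The sample wp-config.php it edits is constructed; a real file path is passed as the first argument.

```shell
# Added example, not from the page: toggle the RELOCATE define in wp-config.php.

MARKER="That's all, stop editing!"
DEFINE_LINE="define('RELOCATE',true);"
# Only an uncommented define counts as active; "// define('RELOCATE',true);" does not.
ACTIVE_RE="^[[:space:]]*define( *'RELOCATE' *, *true *)"

relocate_state() { if grep -q "$ACTIVE_RE" "$1"; then echo on; else echo off; fi; }

# $1: path to wp-config.php. Idempotent; exit 1 if the marker line is missing.
relocate_enable() {
    [ "$(relocate_state "$1")" = on ] && return 0
    grep -qF "$MARKER" "$1" || return 1
    awk -v m="$MARKER" -v l="$DEFINE_LINE" \
        'index($0, m) && !done { print l; done = 1 } { print }' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Step 6: drop the active line once the site address has been corrected.
relocate_disable() {
    grep -v "$ACTIVE_RE" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Constructed sample config; prints its path.
make_sample_config() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wp');
$table_prefix = 'wp_';
// define('RELOCATE',true);   // leftover from an earlier move, commented out
/* That's all, stop editing! Happy blogging. */
require_once(ABSPATH . 'wp-settings.php');
EOF
    echo "$f"
}

if [ "${1:-}" = demo ]; then
    f=$(make_sample_config)
    relocate_enable "$f" && echo "RELOCATE is $(relocate_state "$f")"
    grep -n RELOCATE "$f"
    relocate_disable "$f" && echo "RELOCATE is $(relocate_state "$f")"
    rm -f "$f"
fi
```

Usage on a real install is `relocate_enable /var/www/html/wp-config.php`, then the wp-login.php visit described in step 4, then `relocate_disable` on the same file.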

Changing the URL directly in the database

If you know how to access phpMyAdmin on your host, then you can edit these values directly to get you up and running again.

  1. Backup your database and save the copy off-site.
  2. Login to phpMyAdmin.
  3. Click the link to your Databases.
  4. A list of your databases will appear. Choose the one that is your WordPress database.
  5. All the tables in your database will appear on the screen.
  6. From the list, look for wp_options. Note: The table prefix of wp_ may be different if you changed it when installing.
  7. Click on the small icon indicated as Browse.
  8. A screen will open with a list of the fields within the wp_options table.
  9. Under the field option_name, scroll down and look for siteurl.
  10. Click the Edit Field icon which usually is found at the far left at the beginning of the row.
  11. The Edit Field window will appear.
  12. In the input box for option_value, carefully change the URL information to the new address.
  13. Verify this is correct and click Go to save the information.
  14. You should be returned to your wp_options table.
  15. Look for the home field in the table and click Edit Field. Note: There are several pages of tables inside wp_options. Look for the > symbol to page through them.
  16. In the input box for option_value, carefully change the URL information to the new address.
  17. Verify this is correct and click Go to save the information.

Juniper Tips 37: How to apply packet filter

1. Build a firewall filter

> show configuration firewall family inet filter CPE1
term CUST-PROTECTED-IP {
    from {
        source-address {
            10.2.208.0/27;
        }
    }
    then {
        count CPE1;
        accept;
    }
}
term ALLOW-NETFLOW {
    from {
        source-address {
            10.2.208.60/32;
        }
        destination-port 2055;
    }
    then {
        count ALLOW-NETFLOW;
        accept;
    }
}
term DROP-ALL-ELSE {
    then {
        count DROP-ALL-ELSE;
        log;
        discard;
    }
}

2. Apply Filter into the intended interface

> show configuration interfaces ge-0/0/0.100
family inet {
    filter {
        input-list [ COMMON-FILTER CPE1 ];
    }
    service {
        input {
            service-set NAT-GROUP-1;
        }
        output {
            service-set NAT-GROUP-1;
        }
    }
    address 192.168.100.33/30;
}

3. Verify the filter

Because the filter was applied through an input-list, 'show firewall filter CPE1' will not show the hit counters: a single filter can be used on several interfaces, so Junos instantiates a per-interface copy of the list (here gr-0/0/0.100-i) and counts there.

#show firewall filter

Filter: gr-0/0/0.100-i
Counters:
Name Bytes Packets
ALLOW-BGP-gr-0/0/0.100-i 2165275 43751
ALLOW-ICMP-gr-0/0/0.100-i 2436 29
ALLOW-NETFLOW-gr-0/0/0.100-i 5195740 31641
ALLOW-REMOTE-GRE-PACKET-gr-0/0/0.100-i 2874504 119771
CPE1-gr-0/0/0.100-i 844762395 7679678
DROP-ALL-ELSE-gr-0/0/0.100-i 2780 88
GRE-KEEPALIVE-gr-0/0/0.100-i 0 0

#show firewall filter CPE1   <- only shows counters when the filter is applied on its own, not as part of an input-list

Filter: CPE1
Counters:
Name Bytes Packets
ALLOW-NETFLOW 0 0
DROP-ALL-ELSE 0 0
CPE1 0 0
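To make the counter check scriptable, here is an added example (not from the post) in POSIX shell/awk that reads 'show firewall' output, maps the per-interface instance names (term-gr-0/0/0.100-i) back to the term names of the filter definition, and totals the packets that hit the discard terms, which is the number worth trending because every one of them was also logged. The sample output is constructed from the figures shown above.

```shell
# Added example, not from the post: pull per-term counters out of
# "show firewall" output and strip the "-<filter instance>" suffix that
# Junos appends when a filter is applied through an input-list.

sample_firewall_output() {
    # Constructed from the counters shown in the post.
    cat <<'EOF'
Filter: gr-0/0/0.100-i
Counters:
Name Bytes Packets
ALLOW-NETFLOW-gr-0/0/0.100-i 5195740 31641
CPE1-gr-0/0/0.100-i 844762395 7679678
DROP-ALL-ELSE-gr-0/0/0.100-i 2780 88

Filter: CPE1
Counters:
Name Bytes Packets
ALLOW-NETFLOW 0 0
DROP-ALL-ELSE 0 0
CPE1 0 0
EOF
}

# stdin: show firewall output. stdout: "filter term packets bytes".
filter_counters() {
    awk '
        /^Filter:/ { f = $2; next }
        NF != 3 || $1 == "Name" { next }            # headers, "Counters:", blanks
        {
            name = $1; sfx = "-" f
            if (length(name) > length(sfx) && substr(name, length(name) - length(sfx) + 1) == sfx)
                name = substr(name, 1, length(name) - length(sfx))
            print f, name, $3, $2
        }
    '
}

# Packets that hit DROP* terms across all filter instances: traffic that was
# logged and discarded, so the figure to trend and to chase back to the log.
dropped_packets() { filter_counters | awk '$2 ~ /^DROP/ { s += $3 } END { print s + 0 }'; }

# Packets for term $2 of filter instance $1 (0 if absent).
term_packets() {
    filter_counters | awk -v f="$1" -v t="$2" '$1 == f && $2 == t { p = $3 } END { print p + 0 }'
}

if [ "${1:-}" = demo ]; then
    sample_firewall_output | filter_counters
    echo "dropped: $(sample_firewall_output | dropped_packets)"
fi
```

With live output, `ssh router 'show firewall' | dropped_packets` run from cron and compared with the previous value gives a cheap alert on traffic that the CPE1 policy is rejecting.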