09 Aug

Arista EOS – BGP remove-private-as

This is a post copied/stolen/updated from Kevin Wang’s wiznote – [EOS] [RFC6996] BGP remove-private-as

Summary:

  1. Feature support starts from 4.19.1F and 4.18.4F.
  2. “remove-private-as” works for both 2B/4B AS#.
  3. Private AS numbers: 64512-65534 (2B), 4200000000-4294967294 (4B). Converted to asdot notation, 4200000000 is 64086.59904.
  4. “neighbor x.x.x.x remove-private-as” only works for AS paths in which only private AS numbers are present.
  5. In case you have both public AS numbers and private AS numbers in the path, you need to give the keyword “all” to force removal of all private AS numbers within the AS path: “neighbor x.x.x.x remove-private-as all”.
  6. If you want to keep the AS path length, use replace-as: “neighbor x.x.x.x remove-private-as all replace-as”.
  7. If the AS_PATH contains the AS number of the eBGP neighbor, BGP does not remove the private AS number.
  8. If the AS_PATH contains confederations, BGP removes the private AS numbers only if they come after the confederation portion of the AS_PATH.
  9. If the eBGP neighbor itself uses a private AS number and you apply “remove-private-as” to that neighbor, you will get the warning message below. The CLI still accepts the command and the feature works as expected. The reason for the warning is a potential loop: on the local switch you remove all private AS numbers, which might include the peer’s own ASN, and in that case a loop can happen.
  10. If remote-as is configured on the peer-group and the peer inherits it from the peer-group, remove-private-as on the peer will not prompt the warning, because that is inherited information and EOS does not check it.
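To make the rules in the summary concrete, here is a small Python model of how an exported AS_PATH is rewritten under `remove-private-as`, `all` and `replace-as`. This is an added example written for this note, not Arista EOS code: it models only the rules listed above (private ranges, the "all" keyword, replace-as, and the "peer AS present in the path" exception) and ignores confederations. The AS_PATH is given as it stands before the local AS is prepended on export; the function names and the sample paths are constructed for the illustration.

```python
# Added example: model of the remove-private-as behaviour summarised above.
# Not EOS code; confederation handling is deliberately left out.

# Private AS ranges from the summary (range() end is exclusive, so +1).
PRIVATE_2B = range(64512, 65534 + 1)
PRIVATE_4B = range(4200000000, 4294967294 + 1)


def is_private_as(asn: int) -> bool:
    """True for 2-byte and 4-byte private AS numbers."""
    return asn in PRIVATE_2B or asn in PRIVATE_4B


def asdot(asn: int) -> str:
    """Render a 4-byte ASN in asdot notation (high 16 bits '.' low 16 bits)."""
    if asn < 65536:
        return str(asn)
    return f"{asn >> 16}.{asn & 0xFFFF}"


def remove_private_as(as_path, local_as, peer_as, remove_all=False, replace_as=False):
    """Return the AS_PATH that would be advertised to eBGP peer `peer_as`.

    as_path    -- list of ASNs as carried in the attribute (nearest AS first)
    local_as   -- the local ASN, substituted for private ASNs under replace-as
    peer_as    -- the eBGP neighbor's ASN
    remove_all -- the "all" keyword: strip private ASNs even next to public ones
    replace_as -- keep the path length by replacing instead of deleting
    """
    path = list(as_path)
    # Rule 7: if the neighbor's own AS is in the path, nothing is removed.
    if peer_as in path:
        return path
    # Rule 4: without "all", only a path made purely of private ASNs is touched.
    if not remove_all and not all(is_private_as(a) for a in path):
        return path
    if replace_as:
        # Rule 6: replace-as keeps the length (protects best-path selection).
        return [local_as if is_private_as(a) else a for a in path]
    # Rules 4/5: delete every private ASN.
    return [a for a in path if not is_private_as(a)]


def peer_warning(peer_as: int) -> bool:
    """Rule 9: a warning is raised when the eBGP neighbor itself is private."""
    return is_private_as(peer_as)


if __name__ == "__main__":
    # Constructed sample paths for a quick manual check.
    print(remove_private_as([65001, 65002], local_as=100, peer_as=200))
    print(remove_private_as([65001, 300], local_as=100, peer_as=200, remove_all=True))
    print(remove_private_as([65001, 300], 100, 200, remove_all=True, replace_as=True))
    print(asdot(4200000000))
```

The `replace_as` branch keeps the AS_PATH length, which matters because a shorter path after stripping could change the neighbor's best-path choice; the `peer_as in path` check is what the summary describes as the loop-avoidance reason for the CLI warning.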

04 Jul

BGP as-path regular expressions

A regular expression is the character pattern that can be matched against an input string. Regular expressions can be built using letters (A through Z, a through z), numbers (0 through 9) and other keyboard characters, such as the exclamation point (!) or a tilde (~). A regular expression can be a single-character pattern or a multiple-character pattern. Certain keyboard characters such as caret (^) and dollar sign ($) have special meaning and allow complex regular expressions to be built. Characters with special meaning can be used as simple keyboard characters by preceding them with a backslash (\). When a Border Gateway Protocol (BGP) update exits an Autonomous System (AS), the AS path attribute of the route gets updated. The AS number of the AS is prepended to an existing list of AS numbers. BGP can be configured to use regular expressions for route filtering based on the AS path attribute.

Range

A range is a sequence of characters contained within left and right square brackets. For example: [abcd]

Atom

An atom is a single character, such as the following:

. (Matches any single character)

^ (Matches the beginning of the input string)

$ (Matches the end of the input string)

\ (Matches the character)

_ (Matches a comma (,), left brace ({), right brace (}), the beginning of the input string, the end of the input string, or a space)

Piece

A piece is an atom followed by one of the following symbols:

* (Matches 0 or more sequences of the atom)

+ (Matches 1 or more sequences of the atom)

? (Matches the atom or the null string)

Branch

A branch is 0 or more concatenated pieces.

Examples of regular expressions follow:

a* (Any occurrence of the letter “a”, including none)

a+ (At least one occurrence of the letter “a” should be present)

ab?a (This matches “aa” or “aba”)

_100_ (Via AS100)

_100$ (Origin AS100)

^100 .* (Coming from AS100)

^$ (Originated from this AS)
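Standard regex engines do not know the `_` atom, which is what makes `_100_` match AS 100 but not AS 2100. The following added Python example (not from the original post or from any router vendor) rewrites a router-style AS-path regular expression into a Python one by expanding `_` into the alternation the atom table above describes, and then applies it to AS paths given as lists of ASNs. The rendering of an AS path as space-separated numbers, and the sample paths, are assumptions made for the example.

```python
# Added example: applying BGP AS-path regular expressions with Python's re module.
import re

# The router '_' atom: comma, brace, space, or the start/end of the string.
_UNDERSCORE = r"(?:^|$|[ ,{}])"


def compile_as_path_regex(pattern: str) -> "re.Pattern":
    """Translate a router-style AS-path regex into a compiled Python regex.

    Every unescaped '_' becomes the alternation above; a backslash-escaped
    character is copied through untouched so '\\_' stays a literal underscore.
    """
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            out.append(pattern[i:i + 2])
            i += 2
            continue
        out.append(_UNDERSCORE if ch == "_" else ch)
        i += 1
    return re.compile("".join(out))


def render_as_path(as_path) -> str:
    """Render an AS_PATH as the space-separated string the regex is matched against."""
    return " ".join(str(asn) for asn in as_path)


def as_path_matches(pattern: str, as_path) -> bool:
    """True if the router-style regex matches the AS path (nearest AS first)."""
    return compile_as_path_regex(pattern).search(render_as_path(as_path)) is not None


def filter_routes(pattern: str, routes: dict) -> dict:
    """Keep only the prefixes whose AS path matches, as a route filter would."""
    return {prefix: path for prefix, path in routes.items() if as_path_matches(pattern, path)}


if __name__ == "__main__":
    # Constructed sample routes: prefix -> AS path as received.
    routes = {
        "10.0.0.0/8": [200, 100, 300],   # transits AS100
        "10.1.0.0/16": [2100],           # AS2100, must NOT match _100_
        "10.2.0.0/16": [200, 100],       # originated by AS100
        "10.3.0.0/16": [100, 400],       # learned directly from AS100
        "10.4.0.0/16": [],               # originated locally
    }
    for pat in ("_100_", "_100$", "^100 .*", "^$"):
        print(pat, sorted(filter_routes(pat, routes)))
```

The `_` expansion is the whole point: with a plain substring match, `100` would also hit `2100`, `1001` and `65100`, which is exactly the class of mistake that lets unintended prefixes through a filter.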

Refer to Using Regular Expressions in BGP for sample configurations on regular expression filtering.

To test in live network using public looking glass server:
https://www.netdigix.com/servers.html

Additional readings:

http://www.quagga.net/docs/docs-multi/AS-Path-Regular-Expression.html

http://www.cisco.com/warp/public/459/26.html

http://www.avici.com/documentation/HTMLDocs/02223-06_revBA/Routing_Pol7.html

28 Mar

BGP Additional Paths

BGP routers only advertise the best path to their neighbors. When a better path is found, it replaces the current path. Advertising a path and replacing it with a new path is called an implicit withdraw.

Since we only advertise the best path, a lot of other possible paths are unknown to some of the routers. We call this path hiding.

Extra notes on additional path command syntax:

  • neighbor neighbor-id additional-paths send: We use this to configure the router so it sends multiple BGP paths to a neighbor.
  • neighbor neighbor-id additional-paths receive: If you have a neighbor that sends multiple paths, that’s nice but you still have to configure your local router that it wants to receive multiple paths.
  • bgp additional-paths select : you receive a bunch of paths from your neighbor but you can still configure your router which of these paths you actually want to use.
  • bgp additional-paths install: this tells the router to actually install a backup path that you selected with the “bgp additional-paths select” command.
  • neighbor neighbor-id advertise additional-paths: This configures your router which additional-paths you want to advertise to a neighbor. “all” means all additional-paths.

Reference:
https://networklessons.com/bgp/bgp-additional-paths
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/configuration/xe-3s/irg-xe-3s-book/irg-additional-paths.html

18 Mar

VPN Ports


PPTP:
To allow PPTP tunnel maintenance traffic, open TCP 1723.
To allow PPTP tunneled data to pass through router, open Protocol ID 47.

L2TP over IPSec
To allow Internet Key Exchange (IKE), open UDP 500.
To allow IPSec Network Address Translation (NAT-T) open UDP 4500.
To allow L2TP traffic, open UDP 1701.

OpenVPN:

OpenVPN uses port 1194 udp and tcp:

Here’s the Cisco access list: (gre=Protocol ID 47, pptp=1723, isakmp=500, non500-isakmp=4500):

permit gre any any
permit tcp any any eq 1194
permit udp any any eq 1194
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit udp any any eq 5500
permit tcp any any eq 1723
permit udp any any eq 1701

If any of the peers is behind NAT, you need to open UDP port 4500 for ISAKMP (NAT-T).

If there is no NAT, you need to open UDP port 500 for ISAKMP.

For Phase 2 you need to explicitly allow the IPsec protocol itself: IP protocol 50 for ESP and IP protocol 51 for AH (these are IP protocol numbers, not ports).

IPSec can use ESP (protocol 50) or AH (protocol 51). AH breaks if used with any type of NAT with IPv4, so it is rarely ever used in a transform set.

Common Cisco ACL for allowing VPN traffic:

remark Allow VPN Traffic
permit udp any host [IPSec Headend] eq 500
permit udp any host [IPSec Headend] eq 4500
permit 50 any host [IPSec Headend]
permit 51 any host [IPSec Headend]
permit 47 any host [IPSec Headend]
permit 57 any host [IPSec Headend]
deny   ip any host [IPSec Headend]

07 Feb

Installing Guacamole on Raspberry Pi

Guacamole is a clientless remote desktop gateway. After successful implementation of this system on some PCs, now I want to use this on a Raspberry Pi 3 B+. Following is how I do the installation on Raspbian system.

OS Version: Raspbian GNU/Linux 9 (stretch)
  1. Upgrade the system:
$ sudo apt-get update
$ sudo apt-get upgrade
  2. Install the required dependencies:
$ sudo apt-get install libcairo2-dev
$ sudo apt-get install libjpeg62-turbo-dev
$ sudo apt-get install libpng12-dev
$ sudo apt-get install libossp-uuid-dev
  3. Install the optional packages:
$ sudo apt-get install libavcodec-dev libavutil-dev libswscale-dev
$ sudo apt-get install libpango1.0-dev
$ sudo apt-get install libssh2-1-dev
$ sudo apt-get install libtelnet-dev
$ sudo apt-get install libvncserver-dev
$ sudo apt-get install libpulse-dev
$ sudo apt-get install libssl-dev
$ sudo apt-get install libvorbis-dev
$ sudo apt-get install libwebp-dev
  4. Download Guacamole Server and Client packages:
$ wget http://sourceforge.net/projects/guacamole/files/current/source/guacamole-server-0.9.14.tar.gz
$ wget http://sourceforge.net/projects/guacamole/files/current/source/guacamole-client-0.9.14.tar.gz
  5. Build and install the server:
$ tar xzf guacamole-server-0.9.14.tar.gz
$ cd guacamole-server-0.9.14
$ ./configure --with-init-dir=/etc/init.d
$ make
$ sudo make install
$ sudo update-rc.d guacd defaults
$ sudo ldconfig
  6. Build the client:
$ sudo apt-get install maven
$ tar xzf guacamole-client-0.9.14.tar.gz
$ cd guacamole-client-0.9.14
$ mvn package
  7. Install the jetty9 servlet container:
$ sudo apt-get install jetty9
  8. Deploy Guacamole:
$ sudo cp guacamole/target/guacamole-0.9.14.war /var/lib/jetty9/webapps/guacamole.war
$ sudo mkdir -p /etc/guacamole/extensions
$ sudo cp extensions/guacamole-auth-noauth/target/guacamole-auth-noauth-0.9.14.jar /etc/guacamole/extensions/.
  9. Copy the following text and save it as “/etc/guacamole/guacamole.properties”:
#    Guacamole - Clientless Remote Desktop
#    Copyright (C) 2010  Michael Jumper
#
#    This program is free software: you can redistribute it and/or modify
#    it under the terms of the GNU Affero General Public License as published by
#    the Free Software Foundation, either version 3 of the License, or
#    (at your option) any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU Affero General Public License for more details.
#
#    You should have received a copy of the GNU Affero General Public License
#    along with this program.  If not, see <http://www.gnu.org/licenses/>.

# Hostname and port of guacamole proxy
guacd-hostname: localhost
guacd-port:     4822

# Auth provider class (authenticates user/pass combination, needed if using the provided login screen)
auth-provider: net.sourceforge.guacamole.net.basic.BasicFileAuthenticationProvider
basic-user-mapping: /etc/guacamole/user-mapping.xml

# NoAuth properties
noauth-config: /etc/guacamole/noauth-config.xml
  10. Copy the following text and save it as “/etc/guacamole/noauth-config.xml”:
<configs>
    <config name="pi" protocol="vnc">
        <param name="hostname" value="localhost" />
        <param name="port" value="5900" />
    </config>
</configs>
  11. Copy the following text and save it as “/etc/guacamole/user-mapping.xml”. The password is “raspberry”.
<user-mapping>
    <authorize 
    username="pi"
    password="b89749505e144b564adfe3ea8fc394aa"
    encoding="md5">
        <connection name="pi">
        <protocol>vnc</protocol>
        <param name="hostname">localhost</param>
        <param name="port">5900</param>
        <param name="swap-red-blue">false</param>
        <param name="enable-audio">true</param>
        </connection>
    </authorize>
</user-mapping>
  12. Install the x11vnc VNC server:
$ sudo apt-get install x11vnc
  13. Copy the following text and save it as “~/.config/autostart/x11vnc.desktop”:
[Desktop Entry]
Name=X11 VNC
Comment=Remotedesktop Server
Exec=x11vnc -forever -nopw -rfbport 5900 -display :0
Terminal=false
Type=Application
X-MATE-Autostart-enabled=true
Comment[de_DE]=Remotedesktop Server
  14. Restart the Raspberry Pi:
$ sudo reboot

At this point guacamole should be started automatically at system boot. You can try to open it from a web browser; the address is “<ip-address>:<port>/guacamole”. On my network it looks like this: “192.168.178.100:8080/guacamole”.

In case you use a headless system (Raspberry Pi without a display attached) and get a poor display resolution, you can change the parameters in “/boot/config.txt” from this:

#framebuffer_width=1280
#framebuffer_height=720

#hdmi_force_hotplug=1

to this (for full HD resolution):

framebuffer_width=1920
framebuffer_height=1080

hdmi_force_hotplug=1

Restart the system and that’s it. Have fun!

Reference: http://www.m-opensolutions.com/?p=936
