Monday 20 May 2013

How to setup a DHCP server on a Juniper SRX

Today I am going to write about how to turn your Juniper SRX into a DHCP server. It is quite easy and quick.



root@srx100-01> configure
Entering configuration mode
[edit]

root@srx100-01# set system services dhcp router 192.168.1.1
root@srx100-01# set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.2
root@srx100-01# set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.254
root@srx100-01# set system services dhcp propagate-settings fe-0/0/0.0
root@srx100-01# set interfaces fe-0/0/0 unit 0 family inet dhcp
root@srx100-01# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services dhcp
root@srx100-01# commit

The first three lines define the pool: 192.168.1.2 to 192.168.1.254 is handed out, and 192.168.1.1 is given to the clients as their default gateway. The last three make fe-0/0/0 (the untrust/WAN interface) a DHCP client of the ISP and allow the ISP's DHCP replies into the untrust zone; propagate-settings copies the DNS servers learned there into the pool. The SRX serves the pool on the interface whose address falls inside 192.168.1.0/24, so the LAN interface needs a static address in that subnet and its zone needs the dhcp system service allowed in the same way. Nothing takes effect until the commit; afterwards "show system services dhcp binding" lists the leases that have been handed out.

Saturday 18 May 2013

Setting up Bind DNS for your Network (Red Hat/Centos)

I just bought a new domain for me and I am going through the process of setting up my own DNS server. I want to share with you the experience and also the knowledge.


Package Requirements
bind
bind-libs
bind-utils

Install all packages

[root@centos63 named]# yum install bind bind-libs bind-utils -y

Make sure Bind starts at boot time
[root@centos63 named]#  chkconfig --level 2345 named on
Note: On Red Hat based systems the Bind daemon is called named.

Configuring Bind
My domain name is e-networks.co.uk and this is the domain I will use as an example.
The server IP address will be: 192.168.1.34
Configure /etc/named.conf

[root@centos63 named]# cd /etc
[root@centos63 named]# mv named.conf named.back


##################################################################################################
[root@centos63 named]# vi named.conf
Note: Add the lines below

# This file is the main config for the e-networks.co.uk domain
options {
        listen-on { 192.168.1.34; };  // Change it to your server's IP address. named only answers on the addresses listed here, so add 127.0.0.1 as well if local tools should reach it via loopback
        version "This is not a public Server"; // hides the real BIND version from version.bind queries
        directory "/var/named";
        pid-file "/var/run/named/pid";
        hostname "centos63.e-networks.co.uk"; // Change it to your server's name and domain
        notify yes;

        forward first; // the default: ask the forwarders first, recurse yourself only if they fail
        // fetch-glue is a BIND 8 option that BIND 9 ignores with a warning, so it is not set here

// DNS servers of your ISP, their IP addresses should be set below,
// this will make your resolution faster by using their cache.

        forwarders {
                194.168.4.100;  // this IP is for NTL resolver 1 (change it to your ISP nameserver)
                194.168.8.100;  // this IP is for NTL resolver 2 (change it to your ISP nameserver)
        };

        /*
         * Leave the next line commented out. Pinning the query source port to 53
         * defeats the source-port randomisation BIND uses against cache poisoning;
         * if a firewall is in the way, allow outbound port 53 traffic from random
         * high ports instead.
         */
        // query-source address * port 53;

        /*
         * If running in a chroot, you will need to specify a different
         * folder to save the dump files.
         */

        // dump-file "s/named_dump.db";
// SORT LIST
  sortlist { { localhost; localnets; };
             { localnets; };
  };
};


// ZONES
// Point /etc/resolv.conf on this machine at 192.168.1.34 (the listen-on address)
// so this server is queried; 127.0.0.1 only works if it is also in listen-on.

zone "." {
        type hint;
        file "named.root";
};

zone "e-networks.co.uk" { // change it to your domain name
        type master;
        allow-update { 192.168.1.0/24; }; // change it to your IP range or any server you wish to allow updates. Any host in this range (or anyone spoofing a source address in it) can rewrite the zone, so prefer a TSIG key with update-policy
        allow-transfer { 192.168.1.0/24; }; // change it to your IP range or any server you wish to allow transfers. Without this line most BIND 9 releases let anyone pull the whole zone
        notify yes;
        file "e-networks.co.uk"; // change it to your domain name; this file is created in /var/named below
};

zone "localhost"  {
        type master;
        file "named.localhost";
        allow-transfer { localhost; };
        notify no;
};


# reverse zones
zone "0.0.127.IN-ADDR.ARPA" {
        type master;
        file "localhost.rev";
};

zone "1.168.192.in-addr.arpa" { // Change it to match your network or the range assigned to you
        type master;
        file "1.168.192.in-addr.arpa"; // Change it to match your network or the range assigned to you
        allow-update { 192.168.1.0/24; }; // change it to your IP range or any server you wish to allow updates (same caveat as above: prefer a TSIG key)
        allow-transfer { 192.168.1.0/24; }; // change it to your IP range or any server you wish to allow transfers
};


###################################################################################
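The two ACLs in the zones above are address based, and the options block never says who may recurse through the server, so it is worth checking a named.conf for both before it goes live. The following is an added Python example, not part of the original post or of BIND itself. It strips comments, walks the brace-delimited options and zone statements, and reports an unrestricted recursive resolver, address-based allow-update lists and zones whose transfers are open. The configuration inside it is constructed from the one above; the key name "ddns-key" on the reverse zone is invented to show the key-based alternative.

```python
import re

# Constructed named.conf modelled on the one in this post; the key name
# "ddns-key" on the reverse zone is invented to show the key-based alternative.
SAMPLE_NAMED_CONF = """
options {
        listen-on { 192.168.1.34; };
        version "This is not a public Server";
        directory "/var/named";
        forward first;
        forwarders { 194.168.4.100; 194.168.8.100; };
};

zone "." { type hint; file "named.root"; };

zone "e-networks.co.uk" {
        type master;
        allow-update { 192.168.1.0/24; };    // any LAN host may rewrite the zone
        allow-transfer { 192.168.1.0/24; };
        file "e-networks.co.uk";
};

zone "1.168.192.in-addr.arpa" {
        type master;
        allow-update { key "ddns-key"; };    /* signed updates only */
        allow-transfer { 192.168.1.0/24; };
        file "1.168.192.in-addr.arpa";
};
"""


def strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def blocks(text, keyword):
    """Yield (label, body) for each `keyword [label] { body };` statement."""
    for m in re.finditer(r"\b%s\b([^{;]*)\{" % keyword, text):
        depth, i = 1, m.end()
        while depth and i < len(text):          # walk to the matching brace
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1).strip().strip('"'), text[m.end():i - 1]


def acl(body, name):
    """Elements of `name { a; b; };` inside body, or None if the ACL is absent."""
    m = re.search(r"\b%s\s*\{([^}]*)\}" % re.escape(name), body)
    if not m:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]


def audit(conf):
    text = strip_comments(conf)
    findings = []
    for _, body in blocks(text, "options"):
        limited = any(acl(body, k) not in (None, ["any"])
                      for k in ("allow-recursion", "allow-query-cache", "allow-query"))
        if not re.search(r"\brecursion\s+no\b", body) and not limited:
            findings.append("options: recursion is on and unrestricted, so anyone who "
                            "can reach the listen-on address can use this server as "
                            "an open resolver; add allow-recursion { localhost; localnets; };")
    for name, body in blocks(text, "zone"):
        update = acl(body, "allow-update")
        if update and update != ["none"] and not all(e.startswith("key ") for e in update):
            findings.append(f"zone {name}: allow-update by source address {update}; "
                            "UDP sources can be spoofed and any host in the range can "
                            "change records, use a TSIG key (update-policy) instead")
        is_master = re.search(r"\btype\s+(master|primary)\b", body)
        transfer = acl(body, "allow-transfer")
        if is_master and (transfer is None or "any" in transfer):
            findings.append(f"zone {name}: zone transfers are open to anyone; "
                            "set allow-transfer to your secondaries only")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_NAMED_CONF):
        print("-", line)
```

Running it against the constructed file reports two things: the unrestricted recursion in the options block and the address-based allow-update on the forward zone; the reverse zone passes because its updates require a key. The checks are deliberately simple pattern matches on one file, so they complement, rather than replace, named-checkconf.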

[root@centos63 named]# cd /var/named
[root@centos63 named]# mv named.localhost named.localhost.bak


[root@centos63 named]# vi e-networks.co.uk
Note: Add the lines below


$TTL 3600

e-networks.co.uk. IN SOA centos63.e-networks.co.uk. root.centos63.e-networks.co.uk. (
                        2013051801      ; Serial YYYYMMDDnn
                        10800           ; Refresh
                        3600            ; Retry
                        604800          ; Expire
                        86400 )         ; Minimum TTL

; DNS Servers
@       IN NS           centos63.e-networks.co.uk.

; Machine Names
localhost       IN A    127.0.0.1
centos63        IN A    192.168.1.34
; mail server (use this if you have a mail server running)
mail            IN A    192.168.1.34
@               IN A    192.168.1.34

; Aliases (use this if you have a web server here, www.e-networks.co.uk.)
www             IN CNAME        @

; MX Record (use this if you have a mail server running)
@               IN MX   10      mail.e-networks.co.uk.


#########################################################################################
[root@centos63 named]# vi named.localhost
Note: Add the lines below

$ORIGIN localhost.
$TTL 6h
@   IN  SOA localhost. postmaster.localhost. (
            1   ; serial
            3600    ; refresh
            1800    ; retry
            604800  ; expiration
            3600 )  ; minimum
    IN  NS  localhost.
    IN  A       127.0.0.1

##########################################################################################
[root@centos63 named]# vi localhost.rev
Note: Add the lines below

$TTL    3600
@       IN      SOA     centos63.e-networks.co.uk. root.centos63.e-networks.co.uk.  (
                                2013051801      ; Serial YYYYMMDDnn
                                3600    ; Refresh
                                900     ; Retry
                                3600000 ; Expire
                                3600 )  ; Minimum
        IN      NS      centos63.e-networks.co.uk.
1       IN      PTR     localhost.e-networks.co.uk.


##########################################################################################
[root@centos63 named]# vi 1.168.192.in-addr.arpa
Note: Add the lines below

$TTL    3600
@       IN      SOA     centos63.e-networks.co.uk. root.centos63.e-networks.co.uk.  (
                                2013051801      ; Serial YYYYMMDDnn
                                3600    ; Refresh
                                900     ; Retry
                                3600000 ; Expire
                                3600 )  ; Minimum
        IN      NS      centos63.e-networks.co.uk.
1       IN      PTR     centos63.e-networks.co.uk.

##########################################################################################
[root@centos63 named]# vi named.root
Note: Add the lines below. The root server addresses change over time (the list below is from 2013), so it is better to download the current file from https://www.internic.net/domain/named.root than to type it in. Zone files only accept ";" as a comment marker; a line starting with "#" here would make named reject the hint file.

; This is the named.root file for all Root Name Servers

.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:BA3E::2:30
;
; formerly NS1.ISI.EDU
;
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     192.228.79.201
;
; formerly C.PSI.NET
;
.                        3600000      NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
;
; formerly TERP.UMD.EDU
;
.                        3600000      NS    D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET.      3600000      A     128.8.10.90

;
; formerly NS.NASA.GOV
;
.                        3600000      NS    E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
;
; formerly NS.ISC.ORG
;
.                        3600000      NS    F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
F.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2f::f
;
; formerly NS.NIC.DDN.MIL
;
.                        3600000      NS    G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
;
; formerly AOS.ARL.ARMY.MIL
;
.                        3600000      NS    H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET.      3600000      A     128.63.2.53
H.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:1::803f:235
;
; formerly NIC.NORDU.NET
;
.                        3600000      NS    I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
;
; operated by VeriSign, Inc.
;
.                        3600000      NS    J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30

J.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:C27::2:30
;
; operated by RIPE NCC
;
.                        3600000      NS    K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
K.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fd::1
;
; operated by ICANN
;
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     199.7.83.42
;
; operated by WIDE
;
.                        3600000      NS    M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
M.ROOT-SERVERS.NET.      3600000      AAAA  2001:dc3::35
; End of File


##########################################################################################
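Before loading a zone it is worth checking the things named-checkzone does not treat as errors: that the serial really follows the YYYYMMDDnn convention used above, that every NS and MX target inside the zone has an address record (a missing one makes the delegation lame), and that no CNAME shares its name with other records. The following is an added Python example, not part of the post or of BIND. The zone file inside it is constructed from the e-networks.co.uk zone above, with an extra ns2 NS record (invented) that deliberately has no A record so the check fires.

```python
import re
from datetime import datetime

# Constructed zone based on the e-networks.co.uk zone file in this post; the
# second NS record (ns2, invented) deliberately has no A record.
SAMPLE_ZONE = """\
$TTL 3600
e-networks.co.uk. IN SOA centos63.e-networks.co.uk. root.centos63.e-networks.co.uk. (
                        2013051801      ; Serial YYYYMMDDnn
                        10800           ; Refresh
                        3600            ; Retry
                        604800          ; Expire
                        86400 )         ; Minimum TTL
@       IN NS           centos63.e-networks.co.uk.
@       IN NS           ns2.e-networks.co.uk.
localhost       IN A    127.0.0.1
centos63        IN A    192.168.1.34
mail            IN A    192.168.1.34
@               IN A    192.168.1.34
www             IN CNAME        @
@               IN MX   10      mail.e-networks.co.uk.
"""


def fqdn(name, origin):
    """Expand @ and relative names the way named does."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return (owner, type, rdata) tuples. Handles ( ) continuations, $ORIGIN,
    omitted owners (leading blank) and the optional TTL and class fields."""
    origin = origin.rstrip(".") + "."
    logical, buf = [], ""
    for line in text.splitlines():
        line = re.sub(r";.*", "", line)           # ; starts a comment in zone files
        buf = buf + " " + line if buf else line
        if buf.count("(") > buf.count(")"):
            continue                              # still inside a parenthesised record
        if buf.strip():
            logical.append(buf.replace("(", " ").replace(")", " "))
        buf = ""
    records, owner = [], origin
    for line in logical:
        if line.startswith("$"):
            if line.startswith("$ORIGIN"):
                origin = line.split()[1]
            continue
        toks = line.split()
        if not line[0].isspace():                 # a leading blank means "same owner"
            owner = toks.pop(0)
        if toks and toks[0].isdigit():
            toks.pop(0)                           # optional TTL
        if toks and toks[0].upper() == "IN":
            toks.pop(0)                           # optional class
        records.append((fqdn(owner, origin), toks[0].upper(), toks[1:]))
    return records


def check_zone(text, origin):
    origin = origin.rstrip(".") + "."
    recs = parse_zone(text, origin)
    problems = []
    has_addr = {o for o, t, _ in recs if t in ("A", "AAAA")}
    soa = [r for r in recs if r[1] == "SOA"]
    if len(soa) != 1:
        problems.append(f"expected exactly one SOA record, found {len(soa)}")
    else:
        serial = soa[0][2][2]                     # rdata: mname rname serial refresh retry expire minimum
        try:
            if len(serial) != 10:
                raise ValueError
            datetime.strptime(serial[:8], "%Y%m%d")
        except ValueError:
            problems.append(f"SOA serial {serial} does not follow YYYYMMDDnn")
    for _, t, rdata in recs:
        if t in ("NS", "MX"):
            target = fqdn(rdata[-1], origin)
            in_zone = target == origin or target.endswith("." + origin)
            if in_zone and target not in has_addr:
                problems.append(f"{t} target {target} has no A/AAAA record in the zone"
                                + (" (lame delegation)" if t == "NS" else ""))
    for o in {o for o, t, _ in recs if t == "CNAME"}:
        if o == origin or any(r[0] == o and r[1] != "CNAME" for r in recs):
            problems.append(f"CNAME {o} must not coexist with other records at the same name")
    return problems


if __name__ == "__main__":
    for p in check_zone(SAMPLE_ZONE, "e-networks.co.uk"):
        print("-", p)
```

On the constructed zone the only finding is the lame ns2 delegation; change the serial to an impossible date and the serial check fires as well. Run it on your own file after named-checkzone has accepted the syntax.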
Reminder:
1. Change the forwarders
2. Change the line "listen-on"
3. Change the line "hostname"
4. Change the zone "e-networks.co.uk"
5. Change the line "allow-update"
6. Change the line "allow-transfer"
7. Change the zone "1.168.192.in-addr.arpa"
8. Change the line "allow-update"
9. Change the line "allow-transfer"
10. Point /etc/resolv.conf at the listen-on address (192.168.1.34 here) rather than 127.0.0.1, unless you also add 127.0.0.1 to listen-on
11. Decide who may recurse through this server. As written it will forward for anyone who can reach 192.168.1.34, so if that address is ever reachable from outside, add an allow-recursion list limited to localhost and your LAN; an unrestricted recursive server is an open resolver and gets abused for DNS amplification attacks

Remember when creating the files to represent the zones, make sure you also change the names
to suit your environment.

Review the whole configuration and double check for typos and names. named-checkconf /etc/named.conf and named-checkzone e-networks.co.uk /var/named/e-networks.co.uk will point at the exact line of any syntax error before you start the service.

Starting DNS

[root@centos63 named]# service named start
Note: If the named service does not start, check for errors in /var/log/messages

[root@centos63 named]# tail /var/log/messages

Check if the named service is running
[root@centos63 named]# ps -eaf | grep named
named     1061     1  0 07:49 ?        00:00:00 /usr/sbin/named -u named
root      1471  1415  0 08:23 pts/0    00:00:00 grep named


Last Note
When you start the named service for the first time the init script will try to generate /etc/rndc.key for your server. This can take some time on a machine with little entropy.

I hope you enjoy it, folks
by Renato de Oliveira

Thursday 16 May 2013

Data Center Design (A new Look)

I have built a new data centre for the company I work for, and I am going to give you some insight into the design and the cool look I gave it.

I had literally 2 months to build a whole new data centre, but even with the time constraints I managed to deliver it on time, and it is not only beautiful but has great features and, as far as I am concerned, ticks all the boxes.

Some of the requirements to meet:
  1. It must look presentable to customers
  2. It must have space for growth
  3. It must have the cooling capacity for existing heating load and future growth
  4. It must have the power capacity for existing load and future growth

See some pictures below:

Below you can see the front is all glass panels; there are seven server racks in total. At the front of the racks you can see three glass panels in the floor, and under each panel there is a light which is remote controlled and changes colour (it is currently blue).
On each side of the room we have a 14 kW air-conditioning unit, and at the back we have a heat extraction system to extract the heat generated by all the servers.

Below you can see I have used a 20 kVA UPS for the servers, and there is a bypass in case we need to maintain the UPS.
I have a smaller 10 kVA UPS for the comms equipment; the air-conditioning units are also UPS protected.

 
The comms racks are at the back and they host all the switches, patch panels and firewalls.
The links between the server cabinets and the patch panels are two looms of 24 CAT6a cables for each rack, one at the top and another at the bottom.
 
I paid a lot of attention to detail, functionality and also to ease of maintenance.
I'll take some pictures of the patch panels to show you another time.
 
If you need help with your Data Center or Server Room, I can help you with ideas.
 
Renato Oliveira
 


Wednesday 15 May 2013

Setting up DFS (Distributed File System) on Windows 2008 R2

I think DFS is one of the best products Microsoft has. The possibilities are just immense.
If you need a global, distributed file system with high availability, DFS is for you. You can share a folder and make it highly available across the WAN. It is simple to set up, easy to use and very quick to replicate.

Today I am going to show you how to set it up. I am going to have a text version and once I have a bit more time I will give you a screenshot version.

I have two Windows 2008 R2 servers, one as my domain controller and a second one just as a member server.

You will need to install the DFS role on both servers, otherwise you won't be able to configure replication between them.

Installing DFS (Follow these steps on both Servers)
  1. Click on [Start]
  2. Click on "Administrative Tools"
  3. Click on "Server Manager"
  4. Click on "Roles"
  5. Click on "Add Roles"
  6. Click on <Next>
  7. Select "File Services" then click on <Next>
  8. Click on <Next> once again
  9. Tick the boxes:
    • File Server
    • Distributed File System
    • DFS Namespace
    • DFS Replication
  10. After selecting the options above, click on <Next>
  11. Select "Create a namespace later" and click <Next>
  12. Click "Install"
  13. Once the installation has been complete, click on <Close>
Follow the steps above on both servers that will host the DFS role. Once this is done we can move on to configuring it.

Configuring DFS Role and Namespace
  1. Click on [Start]
  2. Click on "Administrative Tools"
  3. Click on "DFS Management"
  4. Click on "Replication"
  5. Click on "New Replication Group..."
  6. Select the option "Replication Group for data collection" and click on <Next>
  7. Within the field "Name of replication group" type a descriptive name i.e: MyReplication
  8. Within the field "Domain" type in your Windows domain name i.e: linuxad.int
  9. Click on <Next>
  10. Type in the source (branch) server name, i.e.: dfsrep01.linuxad.int
    1. Note: Remember that the DFS role needs to be installed on the source server.
    2. Replace the server name with the name of your own source server.
  11. Click on <Next>
  12. On "Replicated Folders" screen, click on [Add...]
  13. Choose the folder you wish to replicate for example: "C:\Data", then click on [OK]
  14. Click on <Next>
  15. Type in the destination (hub) server name, i.e.: dfsrep02.linuxad.int
    1. Note: Remember that the DFS role needs to be installed on the destination server.
    2. Replace the server name with the name of your own destination server.
  16. Click on <Next>
  17. Choose the destination folder for the replicated data, for example: "C:\Data", then click on <Next>
  18. Click on "Replicate Continuously using the specified bandwidth".
  19. Leave it in [Full] and click <Next>
  20. Click on [Create]
  21. then click on [OK]

This will give you a working DFS Replication setup with two servers, source and destination.
There are some extra details which need configuring; I will describe them later, so keep posted.

by Renato Oliveira

Saturday 4 May 2013

Retaking CCNA


Studying for CCNA

OSI Model

7 Layers (7 - Application, 6 - Presentation, 5 - Session, 4 - Transport, 3 - Network, 2 - Data Link, 1 - Physical)

 
Differences between HUB and Switch

HUB = 1 single collision domain

HUB = 1 single broadcast domain

HUB = Half duplex

HUB = Works at the Physical layer of the OSI model; it just repeats the electrical signal out of every port

 
Switches = each port is a separate collision domain

Switches = have a single broadcast domain if no VLANs are configured (each VLAN is its own broadcast domain)

Switches = Full duplex

Switches = use ASICs (application-specific integrated circuits) to forward frames in hardware at wire speed

Switches = build a CAM (Content Addressable Memory) table, the MAC address table, mapping every learned source MAC address to the port it was seen on

Switches = work at the Data Link layer of the OSI model and forward frames
 

Type of Communications

Unicast = One to one communication between source and destination

Broadcast = A communication which is sent to all devices connected to a Network segment

Multicast = A communication which is sent to a group of devices

 
ARP (Address Resolution Protocol) = the request is a broadcast ("who has this IP address?"), the reply is a unicast


Connecting to the switch to configure it

Open PuTTY

Click on "Serial"

Connection Settings

Baud Rate = 9600

Data Bits: 8

Parity: none

Stop bit: 1

Flow control: none

 
Cisco Command modes:

User EXEC mode - Switch> (basic, read-only mode)

Enable - Privileged EXEC mode - Switch# (full access)

Configure terminal - Global Configuration Mode - Switch(config)# (full configuration mode)

 
Configure Cisco Switch

Setup switch name:

# hostname switch1

 
Set Switch's IP address for Management

You need to set up the IP address on the management VLAN interface, by default VLAN 1

# interface vlan 1

# ip address 192.168.1.1 255.255.255.0

# no shutdown

 
Setup the default gateway in Global Config Mode. This must be the router's address on the management VLAN, not the switch's own 192.168.1.1; 192.168.1.254 is used as the router here

# ip default-gateway 192.168.1.254
 

Saving Configuration

# copy running-config startup-config


How to show the version of IOS running

# show version

Protecting Privileged EXEC mode

# enable password cisco123

Note: this is not secure. enable password is stored in cleartext (or as reversible type 7 if service password-encryption is on)

# enable secret cisco1234

Note: enable secret is stored as a hash in the configuration file and is the one to use

If you have both enable password and enable secret, enable secret overrides enable password

If you have enable password set, just remove it with

# no enable password

Password protect your Console mode

# line console 0

# password cisco123

# login


Set password for telnet (telnet sends everything, including this password, in cleartext; keep it only until SSH is set up)

# line vty 0 4

# login

# password cisco123

# service password-encryption (obfuscates all line passwords in the config with the reversible type 7 scheme; it stops shoulder surfing, not a determined attacker)

 
Setting up a Login banner

# banner motd C

#################

Private

################# C

 

Setup SSH

# username renato secret cisco1234 (secret stores a hash; "username ... password" would store it in cleartext)

# ip domain-name e-networks4real.co.uk (needed because the RSA key is named after hostname.domain)

# crypto key generate rsa modulus 2048 (1024-bit keys are too weak today)

# ip ssh version 2

# line vty 0 4

# login local (authenticate against the username above instead of the line password)

# transport input ssh (drops telnet on the vty lines)
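The commands in the password, telnet and SSH sections above are exactly the ones an auditor looks for in a running-config. The block below is an added Python example, not from these notes or from Cisco, that reads a running-config excerpt and reports what still needs fixing. The excerpt is constructed from the commands above with the weak settings left in on purpose (enable password next to enable secret, a username with password instead of secret, telnet still allowed on the vty lines, no service password-encryption); the hostname and username are the notes' own examples and the hash values are placeholders. A hardened version of the same config is included to show a clean result.

```python
import re

# Constructed running-config excerpt built from the commands in these notes; the
# weak settings are left in on purpose. Hash values are placeholders.
SAMPLE_CONFIG = """\
hostname switch1
enable password cisco123
enable secret 5 $1$abcd$placeholderhash
username renato password 0 cisco1234
ip domain-name e-networks4real.co.uk
ip ssh version 2
!
line con 0
 password cisco123
 login
 exec-timeout 30 0
!
line vty 0 4
 password cisco123
 login
 transport input telnet ssh
!
"""

# The same switch after applying the fixes from the notes (constructed).
HARDENED_CONFIG = """\
hostname switch1
service password-encryption
enable secret 5 $1$abcd$placeholderhash
username renato secret 5 $1$abcd$placeholderhash
ip domain-name e-networks4real.co.uk
ip ssh version 2
!
line vty 0 4
 login local
 transport input ssh
 exec-timeout 10 0
!
"""


def line_sections(config):
    """Return [(header, [sub-commands])] for every 'line ...' block."""
    sections, current = [], None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = (raw.strip(), [])
            sections.append(current)
        elif raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        else:
            current = None                        # '!' or a global command ends the block
    return sections


def audit_ios(config):
    findings = []
    top = [l for l in config.splitlines() if l and not l.startswith(" ")]

    if any(l.startswith("enable password ") for l in top):
        findings.append("enable password is set: it is cleartext or reversible type 7; "
                        "keep only enable secret and run 'no enable password'")
    for l in top:
        m = re.match(r"username (\S+) password ", l)
        if m:
            findings.append(f"username {m.group(1)} uses 'password' (type 0/7): "
                            f"re-create it with 'username {m.group(1)} secret ...'")
    if "service password-encryption" not in top:
        findings.append("service password-encryption is off: line passwords are stored "
                        "in cleartext (type 7 is weak, but better than nothing)")
    if "ip ssh version 2" not in top:
        findings.append("ip ssh version 2 is missing: SSHv1 connections may be accepted")

    for header, body in line_sections(config):
        if not header.startswith("line vty"):
            continue
        transport = next((b for b in body if b.startswith("transport input")),
                         "transport input all")   # classic IOS default when unset
        allowed = set(transport.split()[2:])
        if allowed - {"ssh", "none"}:
            findings.append(f"{header}: transport input {' '.join(sorted(allowed))} "
                            "permits cleartext access; use 'transport input ssh'")
        if "login local" not in body and not any(b.startswith("login authentication") for b in body):
            findings.append(f"{header}: uses the shared line password ('login'); "
                            "use 'login local' or AAA so each admin has an account")
        if "exec-timeout 0 0" in body:
            findings.append(f"{header}: exec-timeout 0 0 means idle sessions never expire")
    return findings


if __name__ == "__main__":
    for f in audit_ios(SAMPLE_CONFIG):
        print("-", f)
    print("hardened config findings:", audit_ios(HARDENED_CONFIG))
```

The RSA modulus is not checked because it never appears in the running-config; "show crypto key mypubkey rsa" is where to look for a key that is still 1024 bits. Feed the script the output of "show running-config" from a real switch and it will list the items in the order they appear above.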

 

Port Security

Limits how many MAC addresses may be learned on each port; if a different device is plugged in, the port is shut down (with the shutdown violation mode)

# interface fastEthernet 0/1

# switchport mode access

# switchport port-security

# switchport port-security maximum 1

# switchport port-security violation shutdown (other modes: restrict drops and logs, protect just drops)

 
Check it with

# show port-security interface fastethernet 0/1

# show ip interface brief

 

How to show all log messages on the terminal (on a vty session; the console gets them by default)

# terminal monitor

 

Fixing a duplex mismatch (set the same speed and duplex on both ends of the link)

# interface fastethernet 0/2

# speed 100

# duplex full

 

Fixing console text wrapping

# line console 0

# logging synchronous

# line vty 0 4

# logging synchronous

 

Setting the idle timeout (minutes seconds; 30 0 below is 30 minutes)

# line console 0

# exec-timeout 30 0

# line vty  0 4

# exec-timeout 30 0

 

 

Fixing the annoying domain resolution delay (a mistyped command is no longer treated as a hostname to telnet to)

# no ip domain-lookup

 

Troubleshooting Cisco Switches

# Show ip interface brief

 

# show interface fastEthernet 0/2

txload = transmit load, out of 255

rxload = receive load, out of 255

5 min input rate

5 min output rate

 

A high level of broadcasts is considered to be 20% or more of the traffic

A runt is a frame smaller than the 64-byte Ethernet minimum, usually a collision fragment

Late collisions (after the first 64 bytes) usually mean a duplex mismatch or a cable longer than the 100 m limit

Check for duplex mismatch

 

# show run

 

Types of Networks by size (the wireless equivalents are WPAN, WLAN, WMAN and WWAN)

PAN - Personal Area Network

LAN - Local Area Network

MAN - Metropolitan Area Network

WAN - Wide Area Network

 

Wireless is shared and Half-Duplex

The more people connected the less Bandwidth available

Uses Unlicensed BANDS of Radio Frequency (RF)

WIFI operates at the Physical and Data Link layer of OSI model

WIFI uses CSMA/CA (Carrier Sense Multiple Access/Collision Avoidance)

Interference is a problem and causes connectivity issues

 

WIFI Frequencies

·         900 MHz band: 902 to 928 MHz

·         2.4 GHz band: 2.400 to 2.4835 GHz

·         5 GHz band: 5.150 to 5.350 GHz, plus the upper 5.725 to 5.850 GHz segment

 

The lower the frequency, the longer the range, but the lower the data rate

The higher the frequency, the higher the data rate it supports (and the shorter the range)

 

WiFi Standards

802.11b 1999

Up to 11 Mbps

2.4 GHz

Three non-overlapping channels (1, 6 and 11)

 
802.11a 1999

Up to 54 Mbps

5 GHz

12 to 23 non-overlapping channels (depends on the regulatory domain)

 
802.11g 2003

Up to 54 Mbps

2.4 GHz

Three non-overlapping channels (1, 6 and 11)

 
802.11n 2009

100+ Mbps (up to 600 Mbps) using MIMO, multiple antennas and optional 40 MHz channels, on 2.4 GHz and/or 5 GHz

 

WIFI Channels

Range of Frequencies

A channel is a slice of the 2.4 GHz band; each channel is about 22 MHz wide but the channel centres are only 5 MHz apart, so neighbouring channels overlap

If APs that can hear each other are on the same or overlapping channels they will conflict with each other

802.11b: 3 clean channels (1, 6 and 11)

 
802.11a: up to 23 channels considered clean or non-overlapping, because the 5 GHz channels are spaced 20 MHz apart

 

About 300 feet (90 m) of range without obstructions in the way
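The notes state that 2.4 GHz has three clean channels and 5 GHz up to 23, but not why. The following is an added Python example, not from the notes, that works it out from the channel centre frequencies: 2.4 GHz channels 1 to 13 sit 5 MHz apart (centre = 2407 + 5 x channel MHz, channel 14 at 2484 MHz) while each occupies about 22 MHz for 802.11b or 20 MHz for 802.11g/n, whereas the usable 5 GHz channels (36, 40, 44, ...) are centred at 5000 + 5 x channel MHz and spaced 20 MHz apart, so none of them overlap. It also flags which APs in a site plan will interfere; the AP names and channels in the usage are constructed.

```python
from itertools import combinations

# Occupied bandwidth per standard, in MHz: 802.11b DSSS is ~22 MHz, the OFDM
# standards (802.11a/g/n at 20 MHz channel width) are ~20 MHz.
WIDTH_MHZ = {"b": 22, "g": 20, "n": 20, "a": 20}


def centre_mhz(ch, band="2.4"):
    """Centre frequency of a channel number in the given band."""
    if band == "2.4":
        if ch == 14:                       # Japan only, 802.11b only
            return 2484
        if 1 <= ch <= 13:
            return 2407 + 5 * ch
        raise ValueError(f"no 2.4 GHz channel {ch}")
    if band == "5":
        return 5000 + 5 * ch               # 36 -> 5180 MHz, 40 -> 5200 MHz, ...
    raise ValueError(f"unknown band {band}")


def overlap(a, b, band="2.4", width=WIDTH_MHZ["b"]):
    """Two channels overlap when their centres are closer than the channel width."""
    return abs(centre_mhz(a, band) - centre_mhz(b, band)) < width


def clean_channels(channels, band="2.4", width=WIDTH_MHZ["b"]):
    """Greedy lowest-first pick of mutually non-overlapping channels."""
    chosen = []
    for ch in channels:
        if all(not overlap(ch, c, band, width) for c in chosen):
            chosen.append(ch)
    return chosen


def conflicts(aps, band="2.4", width=WIDTH_MHZ["b"]):
    """Pairs of AP names (from a name -> channel map) whose channels overlap."""
    return [(x, y) for x, y in combinations(sorted(aps), 2)
            if overlap(aps[x], aps[y], band, width)]


if __name__ == "__main__":
    print("802.11b clean channels:", clean_channels(range(1, 14)))            # [1, 6, 11]
    print("802.11g/n clean channels:", clean_channels(range(1, 14), width=20))  # [1, 5, 9, 13]
    print("802.11a clean channels:", clean_channels([36, 40, 44, 48], band="5", width=20))
    # Constructed site plan: ap3 on channel 4 sits between ap1 (1) and ap2 (6)
    print("interfering APs:", conflicts({"ap1": 1, "ap2": 6, "ap3": 4}))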

 

Wireless standards and regulatory bodies

ITU-R

IEEE

WI-FI Alliance

 

WIFI Security

Remember it is an open door to the world: the radio reaches beyond your walls

 
Recommendations

Authentication

Encryption

Intrusion Prevention System

 
Pre-shared key WEP (everyone uses the same key; WEP is broken and can be cracked in minutes, do not use it)

Pre-shared key WPA1 using the encryption method called TKIP (a stop-gap for WEP-era hardware, now deprecated)

WPA and 802.1X authentication (the standard for requesting a username and password, or passing them through to a server such as RADIUS for checking the credentials)

WPA2 (802.11i) with AES-CCMP, using either a pre-shared key or 802.1X; this is the one to use
 

SSID (Service Set Identifier)

* An AP can broadcast multiple SSIDs

* One used for the public (guests)

* One used for internal or private access

 

RF cells should overlap by 10-15% so clients can roam between APs

Repeaters should have around 50% overlap with the AP they extend

 
BSS Basic Service Set (a single AP; moving to another BSS means roaming with a service drop)

ESS Extended Service Set (several APs sharing one SSID on one network; roaming without service loss)

 
Setting up redundant links between switches

We need to use Spanning Tree Protocol (STP) so the loop is blocked instead of flooding the network
 

Ports

Well-known ports are 0-1023 (registered ports are 1024-49151, dynamic/ephemeral ports 49152-65535)
 

A socket is a combination of an IP address plus a port number:

192.168.20.22:80
 

Clients use random (ephemeral) ports above 1023 as their source ports, for example:

192.168.20.33:55667

 
Important Port Numbers

20: FTP data (TCP)

21: FTP control (TCP)

22: SSH (TCP)

23: Telnet (TCP)

25: SMTP (TCP)

53: DNS (UDP and TCP)

69: TFTP (UDP)

80: HTTP (TCP)

110: POP3 (TCP)

443: HTTPS (TCP)