Wireshark
https://wiki.wireshark.org/DisplayFilters
IPv6 Nat or not to Nat
http://aodugin.blogspot.nl/2016/10/ipv6-security-to-nat-or-not-to-nat.html
Cisco VASI
http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/200255-Configure-VRF-Aware-Software-Infrastruct.html
Anti-DDOS
https://fastnetmon.com/
Linux starter guide for ME
Basis CentOS minimum
- yum upgrade
Vervangen van Firewalld voor Iptables (geen regels mee nemen)
- sudo yum install iptables-services
- sudo systemctl stop firewalld
- sudo systemctl start iptables
- sudo systemctl start ip6tables
- sudo systemctl enable iptables
- sudo systemctl enable ip6tables
- sudo systemctl disable firewalld
- sudo systemctl mask firewalld
Aanpassen van standaard SSH settings:
- vi /etc/ssh/sshd_config
- Poort nummer
- Port 22522
- Disable root login
- PermitRootLogin no
- Disable X11
- X11Forwarding no
- Poort nummer
- systemctl restart sshd
Toevoegen van remote SSH toegang:
- iptables -L
- vi /etc/sysconfig/iptables
- Standaard : “-A INPUT -p tcp -m state –state NEW -m tcp –dport 22 -j ACCEPT”
- specifieker met source IP (vb 192.0.2.1)
- -A INPUT -p tcp -s 192.0.2.1 -m state –state NEW -m tcp –dport 22522 -j ACCEPT
- systemctl restart iptables.service
- iptables -L
Cisco BNG deployment guide (PPP, IPoE)
https://blog.ine.com/2009/07/22/understanding-dhcp-option-82
https://www.alcatron.net/Cisco%20Live%202013%20Melbourne/Cisco%20Live%20Content/Service%20Provider/BRKSPG-2303%20%20Residential%20Broadband%20Subscriber%20Aggregation%20and%20BNG%20Deployment%20Models.pdf
https://supportforums.cisco.com/t5/service-providers-documents/asr9000-xr-bng-deployment-guide/ta-p/3110436#DHCPIP_sessions
https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r6-1/bng/configuration/guide/b-bng-cg-asr9k-61x/b-bng-cg-asr9k-61x_chapter_0101.pdf
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_dhcp/configuration/15-s/dhcp-15-s-book/dhcp-option-82.html
https://supportforums.cisco.com/document/12516486/asr9k-bng-radius-and-coa-deployment-guide
https://supportforums.cisco.com/document/94171/asr9000xr-bng-deployment-guide
https://supportforums.cisco.com/t5/tkb/articleprintpage/tkb-id/4441-docs-service-providers/article-id/1985
https://supportforums.cisco.com/t5/xr-os-and-platforms/asr-9k-bng-dhcp-triggered-session-start-ack-not-received-by/td-p/2641468
https://supportforums.cisco.com/t5/service-providers-documents/asr9000-xr-bng-deployment-guide/ta-p/3110436#DHCPIP_sessions
https://supportforums.cisco.com/t5/service-providers-documents/asr9000-xr-bng-vsa-s-vendor-specific-attributes-and-services/ta-p/3141601
https://supportforums.cisco.com/t5/service-providers-documents/asr9000-bng-training-guide-setting-up-pppoe-and-ipoe-sessions/ta-p/3124670
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iwag/configuration/xe-3s/IWAG_Config_Guide_BookMap/dhcp-option-82-remote-id-format.pdf
Google cloud gateway
https://cloud.google.com/compute/docs/vpn/advanced
https://cloud.google.com/files/CloudVPNGuide-UsingCloudVPNwithCiscoASA.pdf
heres a (final/working) config in case anyone else wants to do this:
===================
crypto ikev2 proposal gcp-ikev2-proposal-1
encryption aes-cbc-128 aes-cbc-192 aes-cbc-256
integrity sha1 sha256 sha384 sha512
group 2 5 14 15 16
!
crypto ikev2 policy gcp-ikev2-policy-1
match fvrf any
proposal gcp-ikev2-proposal-1
!
crypto ikev2 profile gcp-ikev2-profile-1
match identity remote address gcp.gcp.gcp.gcp 255.255.255.255
identity local address me.me.me.me
authentication remote pre-share key xxxxxxxxxxxx
authentication local pre-share key xxxxxxxxxxxx
lifetime 10800
!
crypto ipsec transform-set gcp-tset-1 esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile gcp-ipsec-profile-1
set transform-set gcp-tset-1
set pfs group14
set ikev2-profile gcp-ikev2-profile-1
!
interface Tunnel0
ip address 169.254.0.2 255.255.255.252
tunnel source me.me.me.me
tunnel mode ipsec ipv4
tunnel destination gcp.gcp.gcp.gcp
tunnel protection ipsec profile gcp-ipsec-profile-1
!
===================
And then configure BGP or maybe static routes as required.
After adding in the Tunnel0 interface config it just started working
straight away. So I guess my config was right all along, its just some
other aspect of IPSEC that wasnt happy with something missing… Yay
misleading debug output. :-/
Hope that helps someone else.
Tom
Cisco VDSL SNMP oid’s
Subtree : .1.3.6.1.2.1.10.94.1.1
Download:
Noise Margin (/10):
.1.3.6.1.2.1.10.94.1.1.3.1.4.21 96 Gauge 192.0.2.254:161
Actual Power:
.1.3.6.1.2.1.10.94.1.1.3.1.7.21 124 Gauge 192.0.2.254:161
Attainable Rate:
.1.3.6.1.2.1.10.94.1.1.3.1.8.21 65969000 Gauge 192.0.2.254:161
Speed (kbps):
.1.3.6.1.2.1.10.94.1.1.4.1.2.21 51998000 Gauge 192.0.2.254:161
Upload:
Noise Margin (/10):
.1.3.6.1.2.1.10.94.1.1.2.1.4.21 126 Gauge 192.0.2.254:161
Actual Power:
.1.3.6.1.2.1.10.94.1.1.2.1.7.21 86 Gauge 192.0.2.254:161
Attainable Rate:
.1.3.6.1.2.1.10.94.1.1.2.1.8.21 23538000 Gauge 192.0.2.254:161
Speed (kbps):
.1.3.6.1.2.1.10.94.1.1.5.1.2.21 10448000 Gauge 192.0.2.254:161
Instellen windows-update via proxy
netsh winhttp show proxy netsh winhttp reset proxy
netsh set proxy 192.0.2.222
Netsh winhttp set proxy help
Aanpassen Windows firewall zone per NIC
Get the list of network profiles on the system.
Get-NetConnectionProfile
Change the network interface to private, use the network interface index number from the previous command.
Set-NetConnectionProfile -InterfaceIndex 10 -NetworkCategory Private