Category: Configuration

Create or Edit a File on Cisco IOS Flash

There is always the option to edit a file locally on your computer in notepad++ and then upload it to Cisco device.

With this trick, you can write or edit a file from Flash memory directly from Cisco IOS console. If you need it for whatever reason, maybe to change something in the config file or something else, this is the way to do it.

I was using if for my next article lab where I needed a file on the flash with at least 1600 bytes so I can pull it from neighbouring router with HTTP and check some details in new TCP connection. It was faster to just create the file directly on the router flash and not creating it on my laptop and then transferring it with FTP or TFTP.

| Continue Reading.. |

Check Point Firewall VM Disk Resize

It is related to Check Point MGMT VM with R80.10 in my story, but you would as well want to resize Check Point gateway firewall hardware box or VM.

I was searching for a simple solution and found different ones that didn’t work for me, so here are the steps that you need to go through when you resize your CheckPoint VM disk in vCenter and then need to expand the partition inside Check Point VM in order to use the additional space.

Of course, you did choose too small HDD for your VM when you created it and now you cannot upload some hotfixes or vSEC gateway files to it because you don’t have enough space.

Get to vCenter and shut down the VM.

vCenter VM Shutdown

Get more GB to your VM and power it back up.

vCenter VM HDD Space Increase

| Continue Reading.. |

Reflexive Access List

Some of my readers commented on my old article about reflexive access-list with issues in the configuration. I tried it in the lab again to be sure I didn’t make any mistake in the configuration example and here I’m sharing the lab and the config used.

About Reflexive Access Lists

Extended ACLs are a special kind of extended access-lists that have limited stateful behaviour technique implemented for TCP sessions. It is better to say that reflexive access-list is simulating stateful behaviour because it, by use of ‘established’ command, is allowing TCP packets that have the ‘ACK’ bit set but not the initial ‘SYN-only’ packet. In this way, we are effectively permitting only the packets that are part of an established session.

In my prior article, I showed how this works by enabling PING from PC1 in VLAN 10 to PC2 in VLAN 20 but not the other way.

I created the lab topology in GNS3:

| Continue Reading.. |

Juniper Control Plane Protection

I already wrote about Control Plane Protection in one of my previous posts focused on Cisco device configuration. Here we will make the same thing on Juniper device, I was using Juniper SRX300 and Juniper SRX1500 devices in my lab.

CoPP ??

Control Plane Protection (CoPP) is a method of protecting processor unit, running services on your network device, against excessive flooding. Excessive flooding of traffic aimed towards your router/firewall processor, being that valid or malicious, is always undesirable and can also be dangerous.

A network device, which starts the receive more control traffic that his processor can process, will eventually experience control traffic packet drops and it will lead to some of the router functions to become unstable. Some of the most common control traffic generating services on a router are routing protocols with different update packets, Spanning Tree with BPDU packets, HSRP, CDP, ARP, and different management traffic services like SSH, SNMP, RADIUS etc.

Some of those control plane traffic types are more important than others but they all have in common the fact that they don’t normally use much bandwidth to function. Having that in mind, it is easy to conclude that the situation above with router processor at 100% because of control plane traffic is most surely caused by a DDoS attack towards your device.

More unusual is the situation when a neighboring device is experiencing some kind of malfunction which makes him send large amounts of control plane traffic out of his interfaces towards your device.

CoPP is the best way to avoid this kind of attacks or malfunctions to get in the way of your network device stability. CoPP is basically configuration of QoS inbound to your device control plane (CPU).

CoPP Best Practices

The way to configure CoPP in the most stable and effective way is to use guaranteed minimal available bandwidth for each control plane traffic type.

| Continue Reading.. |

How to Clear Entire Configuration of your Juniper Device

If you have a Juniper device that needs to be sent to RMA or you are just putting it to some other use on your network, you will probably want to completely clear the configuration on it.

There are different ways to do it for different purpose.

If you want to securely wipe all data from this device and make it completely like when you received it from the store then next command is the right one to use:

| Continue Reading.. |