4. Install and configure NTP server in Red Hat/Centos 7.5 Linux

NTP (Network Time Protocol) is a protocol which runs over UDP port 123. NTP synchronise clients’ time and date with a master server. Within Enterprise Networking environment, to provide a reliable time service, an NTP server should have a minimum NTP stratum of 5 or less.

Step 1: Install and configure NTP daemon

sudo yum install ntp

 

Step 2: Check and adjust time zone

  1. timedatectl
  2. timedatectl list-timezones <<<to list and find time zones
  3. timedatectl set-timezone Australia/Sydney

Step 3: Enable and start ntpd service

sudo systemctl enable ntpd

sudo systemctl start ntpd

 

Step 4: Check basic NTP functionality

ntpstat

date

ntpq –p

 

Step 5: Check NTP configuration under /etc/ntp.conf

more /etc/ntp.conf

Advertisements

3. Install and configure TFTP server in Red Hat/Centos 7.5 Linux

Step 1: Install, enable and start firewalld

sudo yum install firewalld

sudo systemctl enable firewalld <<<starts up firewall when system boots up

sudo systemctl start firewalld

 

Step 2: Punch a hole in firewalld to allow TFTP traffic.

 

firewall-cmd –permanent –zone=public –add-service=tftp

firewall-cmd –reload

iptables -I INPUT -p udp –dport 69 -j ACCEPT

 

Step 3: Install, enable and start TFTP server and client

sudo yum install xinetd tftp-server tftp

sudo systemctl enable xinetd tftp <<<starts up automatically on system boot-up

sudo systemctl start xinetd tftp

 

Step 4: We don’t want TFTP user to have root user permission. So let’s create a system account called tftpuser with no home directory and no login capability.

sudo useradd –no-create-home –s /sbin/nologin tftpuser

 

Step 4: Create a directory for TFTP Server use.

sudo mkdir –p /tftpdata

sudo chmod 777 /tftpdata

nano /tftpdata/demo1.txt

chown tftpuser:tftpuser –R /tftpdata

 

 

Step 5: Configure TFTP service using the following settings.

 

nano /etc/xinetd.d/tftp

222

Server_args notes:

-c = allows clients to connect and create files on the directory

-s = automatically change directory when client connect to TFTP server, to a specific directory in the configure file such as /tftpdata. A security feature.

-u = specifies the user as the owner of the directory /tftpdata

-p = Perform no additional permissions check

-U = Set-up Umask setting when client creates or pushes a new file

-v = Print some logging verbose when client connect to TFTP server.

 

Step 6: Edit file system start service for TFTP. Update [Service] > ‘ExecStart’line as below:

sudo nano /usr/lib/systemd/system/tftp.service

 

 

[Unit]

Description=Tftp Server

Requires=tftp.socket

Documentation=man:in.tftpd

 

[Service]

ExecStart=/usr/sbin/in.tftpd -c -v -u tftp -p -U 117 -s /tftpdata

StandardInput=socket

 

[Install]

Also=tftp.socket

 

Step 7: Reload the system daemon & TFTP services

 

sudo systemctl daemon-reload

sudo systemctl start xinetd

sudo systemctl enable xinetd

sudo systemctl start tftp

sudo systemctl enable tftp

 

 

Step 8: Check UDP port 69 is in listening mode

https://www.tecmint.com/20-netstat-commands-for-linux-network-management/

 

netstat -na | grep udp6

111

 

Use ‘netstat –lu’ for all UDP listening ports/services

222

Use ‘netstat –ap | grep tftp’ to check the service.

333

 

Check that firewall is allowing udp port 69.

netstat -tupan

netstat –tupan | grep 69

111

 

Step 9: Check connection and download a demo.txt file. Using another server/router/switch. Download a demo.txt from TFTP server.

 

  1. On TFTP server (192.168.47.135), create demo.txt file under tftpdata directory.

 

nano /tftpdata/demo.txt

222

 

  1. On another Linux host (IP: 192.168.47.131), download demo.txt file.

 

tftp 192.168.47.135

get demo.txt

 

333

 

Now verification has been completed and you have a working TFTP server.

2. Install and configure SFTP server in Red Hat/Centos 7.5 Linux

Step 1: Create a SFTP user with password

sudo adduser sftpuser

sudo passwd password

 

Step 2: Create Directory for File Transfer

 

  1. sudo mkdir –p /var/sftp/sftpdata

 

[root@localhost /]# find . -name “sftpdata”

find: ‘./run/user/1000/gvfs’: Permission denied

./var/sftp/sftpdata

 

  1. Make the root user as the owner of this directory.

sudo chown root:root /var/sftp

 

  1. Grant write permission to the root user and read permission to other users.

sudo chmod 755 /var/sftp

 

  1. Modify the owner of sftpdata to be the user access.

sudo chown sftpdata:sftpdata /var/sftp/sftpdata

 

Step 3: Restrict Directory Access

 

  1. open sshd_config file

 

sudo nano /etc/ssh/sshd_config

 

  1. Add the following to the end of the file.

Match User sftpuser

ForceCommand internal-sftp

PasswordAuthentication yes

ChrootDirectory /var/sftp

PermitTunnel no

AllowAgentForwarding no

AllowTcpForwarding no

X11Forwarding no

 

  1. Restart sshd to apply change

sudo systemctl restart sshd

 

Step 4: Verification via SSH connection

 

ssh sftpuser@192.168.47.135

 

The SSH connection gets closed as expected.

333

 

sftp sftpuser@192.168.47.135

You can connect via sftp and now download and manage files as below.

111

Now the ssh access has been restricted successfully and the sftpuser can only upload and manage his/her file via SFTP only.

1. Install and configure FTP server in Red Hat/Centos 7.5 Linux

Step 1: Install vsftpd (very secure FTP daemon) package.

yum install -y vsftpd ftp

 

Step 2: Enable FTP on firewall

firewall-cmd –permanent –zone=public –add-service=ftp
firewall-cmd –reload

 

Step 3: to automatically start FTP Server when server powers on.

  1. enable vsftpd service.

systemctl enable vsftpd.service

2. Checking the status of ftp server

systemctl status vsftpd.service

 

Step 4: Configure vsftpd package. Edit /etc/vsftpd/vsftpd.conf

nano /etc/vsftpd/vsftpd.conf

 

  1. Change the line which contain anonymous_enable=NO to anonymous_enable=YES. This will give permit any one to access FTP server with authentication. If this setting is changed to ‘NO’, then users must use their login and password to access files from their home directory. [Note: For our use, I am keeping this setting as YES, so each user has to log in access their own files]
  2. local_enable=YES
    c. write_enable=YES
  3. Add the following to the end of the file.

#ADDED BY BC

allow_writeable_chroot=YES

pasv_enable=Yes

pasv_min_port=40000

pasv_max_port=40100

 

Step 5: Start FTP Server
systemctl start vsftpd.service

 

Step 6: Verification. Create a file under ‘var/ftp/pub’. Use a web browser to access the file.

[root@localhost /]# find . -name “pub”

find: ‘./run/user/1000/gvfs’: Permission denied

./var/ftp/pub

[root@localhost /]# cd var/ftp/pub

[root@localhost pub]# nano ftppubfile1.txt

 

If anonymous_enable=YES, ./var/ftp/pub Directory will be used.

111

If anonymous_enable=NO, users have to login with their credentials to access files.

222

Notes on Cisco QoS: Clearing the fog – Part 2. Quality issues

Quality of Service

QOS = Method of giving priority to some specific traffic as moving over the network.

The basic aim of QoS is to have a consistent and predictable performance on your network.

 

1 qos intro

General characteristics of today’s Converged Network:

  • Small voice packet compete with bursty data packets, many different applications are using network as services
  • Critical traffic must get priority over less critical traffic, without QoS, default behavior is First In First Out (FIFO)
  • Voice and video traffics are time-sensitive
  • Outages are not acceptable

 

Converged Network Quality issues:

  • Lack of Bandwidth
  • Packet Loss
  • Delay
  • Jitter

 

Bandwidth

2 Bandwidth Measure.png

  • Maximum available bandwidth is the slowest link on the traffic paths
  • On the same physical links (traffic paths), multiple flows compete for the same bandwidth, multiple applications sharing the same bandwidth
  • Lack of bandwidth causes performance degradation on network applications

 

 

Packet Loss

3 Tail Drop due to Queue Congestion

Packet loss due to Tail Drop: Queue only can so much packets and once it is full and more packets arrive at the tail end of the queue before the queue is emptied (due to link congestion etc.), the packets will be dropped, and this behavior is called ‘Tail Drop’. If the tail drop occurs to the time sensitive traffics such as voice and video, the effects are immediately felt by the users on the flow. If this happens to data traffic, it may interrupt file transfer and corrupt the file.

 

 

Delay

4 Types of Delay

  • Processing Delay – time taken by router to process packets from an input interface and put them into the output queue of output interface
  • Queuing Delay – time a packet resides in the output queue of a router
  • Serialization Delay – time taken to place bits on the wire
  • Propagation Delay – time taken for packets to cross links from one end to the other end

 

 

Jitter

5 Jitter

  • Packets from a source will reach a destination with different delay times
  • Congestion on the network will cause jitter
  • Congestion can occur at a router interface/Service Provider network if the circuits are not properly provisioned

 

GNS3 1.4.2 and IOU VM.ova Installation Tips

Assumption 1: You’ve already have a VMware Workstation or Virtual Box installed and running on your PC/Laptop
Assumption 2: You’ve already downloaded GNS3 1.4.2 and GNS3 VM.ova files from “https://github.com/GNS3/gns3-gui/releases&#8221;.
Now Let’s get started:

Step1: Import “GNS3 VM.ova” file on your VMWare Workstation or Virtual Box

Step 1a: Upload IOU L2 and L3 image files on “http://192.168.56.101:8000/upload&#8221;, under IOU
Step 1b: Upload CiscoIOUKeygen.py file on “http://192.168.56.101:8000/upload&#8221;, under IOU

Step2: Install GNS3 1.4.2
Step 2a: complete basic GNS3 setup following YouTube videos.
One of the videos is as below: https://www.youtube.com/watch?v=1j4VHW-vvR8

Step3: SSH into your IOU VM machine, and go to “/etc” folder and run the following commands under respective folder.
(Video Reference: https://www.youtube.com/watch?v=V0SdjK5tEcA)

Tip: Default IOU VM UID = gns3
Default IOU VM PWD = gns3

Required commands:
echo -ne \\x1\\x0\\x0\\x0 > /etc/hostid
echo -ne \\x1\\x0\\x0\\x0 > /etc/ioukey
echo hostid = 0000001 ; echo hostname = gns3-iouvm ; echo ioukey = 3d9

Step 4: Go to http://192.168.56.101:8000/upload and upload CiscoIOUKeygen.py file

Step 5: Go to /opt/gns3/images/IOU directory and take ownership of the unloaded keygen file

Step 6: use python or python3 command to generate your 16 character long IOU key

root@gns3vm:/opt/gns3/images/IOU# python CiscoIOUKeygen.py
hostid=00000001, hostname=gns3vm, ioukey=25f

Add the following text to ~/.iourc:
[license]
gns3vm = acf51841caabfb0f;

You can disable the phone home feature with something like:
echo ‘127.0.0.127 xml.cisco.com’ >> /etc/hosts

============================================
***Notice that my VM machine works with python command but not python3 command!!!

root@gns3vm:/opt/gns3/images/IOU# chmod +x CiscoIOUKeygen.py

## Notice that python3 command does not work here!!!!
root@gns3vm:/opt/gns3/images/IOU# python3 CiscoIOUKeygen.py
File “CiscoIOUKeygen.py”, line 11
print “hostid=” + hostid +”, hostname=”+ hostname + “, ioukey=” + hex(ioukey)[2:]
^
SyntaxError: invalid syntax
==============================================

Step 7: Using the “gns3vm’ value, create a txt file containg the license information. Save the file as IOURC.txt and point your GNS3 remote server to this txt file.

[license]
gns3vm = acf51841caabfb0f;

CCNA Data Center 640-911 DCICN – Note 18, IPv6 Introduction

This is my first blog in 2016, I have been on holiday mode as I have been on one the longest annual leave in my life. Hope you understand the family commitment when you and your kids are on summer holiday (here in Sydney, Dec/Jan/Feb is blazing summer).

 

IPv6, the history and does it really matter to you or anyone?

The simple answer is YES, then why? The single biggest driver behind the development and introduction of IPv6 is  a long prediction of lack of usable IPv4 IP addresses since the explosion of World Wide Web (www) in 1995. The www development goes back to 1991 and then the introduction of grandfather web browser, Mosaic was first introduced in 1993. By year 1995, one third of IPv4 addresses were consumed, by year 2000, half of all IPv4 addresses were use.

As reviewed in previous notes, IPv4 consists of 32 bit address structure and theoretically that should give us 2 to the power of 32 IP addresses, that is 4294967296 IP addresses or roughly, 4.3 billion IP addresses . But not all IP addresses are usable such as the reserved IP addresses for private network use as well as the Class E addresses reserved for development and testing purposes. In other words, only around 2.5 billion IP addresses are true usable addresses. If you just check out our world’s population today ( http://www.worldometers.info/world-population/, China = 1.407 billion and India = 1.2912 billion people,), just looking at top two countries’ population figures, you can feel the IPv4 address shortage on your skin. The trend is that the world’s network has been doubling in size every year for the past 15 years. (https://en.wikipedia.org/wiki/IPv4_address_exhaustion)

With the advancement of new technologies comes the rapid deletion of available IPv4 IP addresses. Anything that’s related to mobile communications and entertainment as well as all other areas seems to be needing more and more IP addresses for everyday use. In the past, it was expected that all the IPv4 addresses would be depleted by 2011 but it is 2016 and we are still using IPv4 address without much thought, all thanks to the counter measures put into place to slow down the IPv4 IP address deletion. e.g.) The fine art of sub-netting, a practical use of DHCP and IP Natting.

 

 Quick note on history of IPv6:

1990 – IETF had predicted that all class B IPv4 IP addresses will be deleted by 1994
1991 Nov – IETF formed  ROAD (ROuting and ADress) Group in Santa Fe, US.
1995 – IPNG (IP Next Generation) Workgroup had written and submitted ‘RFC 1883’, this RFC has become the foundation of current IPv6.
1996 – 6Bone was introduced. 6Bone was a test-bed for IPv6 vulnerabilities connecting 57 countries across 1100 sites.
1999 – IPv6 Forum was launched to standardize the use of IPv6
2006 Jul 06 – 6Bone was decommissioned after 10 years of testing.
Current – Majority of IP products are manufactured with IPv6 capabilities and compatibility. IPv6 is slowly phasing out IPv4 around the world.

Source: https://en.wikipedia.org/wiki/IPv6

 

Quick note on 10 Advantages (Characteristics) of IPv6:
1. Larger IP address space than IPv4, 32 bits based IPv4 vs 128 bits based IPv6
2. Better end-to-end connectivity than IPv4
– peer-to-peer application connections such as games, video conferencing, file sharing and VoIP
– No need to use NAT as the shortage of addresses is thing of IPv4
3. Plug-n-Play feature of IPv6
– plug-and-play auto-configuration, e.g.) DHCPv6
4. Simplified Header structures leading to faster routing
5. Better security features
– use of IPSec (a built-in feature)
6. Improved QoS features
7. Improved Multicast and Anycast abilities
8. Better mobility features
9. Ease of administration over IPv4
10. IPv6 follows the key design principles of IPv4

Source: http://www.ipv6.com/articles/general/Top-10-Features-that-make-IPv6-greater-than-IPv4.htm

In the next section, we will look at some characteristics of IPv6 and then in the final section of IPv6, I will demonstrate IPv6 in a simple lab. Happy blogging, reading and all the best with your learning and career in 2016.