Centos 7 Clone
#yum install -y rsync
contrail
https://github.com/Juniper/contrail-ansible-deployer/wiki/Deployment-Example:-Contrail-and-Kubernetes-and-Openstack
https://www.juniper.net/documentation/en_US/contrail5.0/information-products/pathway-pages/contrail-feature-guide-pwp.pdf
https://www.youtube.com/watch?v=cULuCvB-_b0
==================== EVPN VXLAN ===========================
set interfaces ge-0/0/7 unit 0 family bridge interface-mode access
set interfaces ge-0/0/7 unit 0 family bridge vlan-id 200
set interfaces ge-0/0/8 unit 0 family bridge interface-mode access
set interfaces ge-0/0/8 unit 0 family bridge vlan-id 1000
set interfaces ge-0/0/9 unit 0 family inet address 192.168.122.21/24
set interfaces fxp0 unit 0 family inet dhcp vendor-id Juniper-vmx-VM5B75A36475
set interfaces irb unit 200 family inet address 200.200.200.200/24
set interfaces irb unit 1000 family inet address 10.1.1.122/24
set interfaces lo0 unit 0 family inet address 5.5.5.5/32
set interfaces lo0 unit 11 family inet address 11.11.11.1/32
set routing-options router-id 5.5.5.5
set protocols bgp group contrail type internal
set protocols bgp group contrail family evpn signaling
set protocols bgp group contrail local-as 64512
set protocols bgp group contrail allow 192.168.122.0/24
set routing-instances VRF instance-type vrf
set routing-instances VRF interface irb.200
set routing-instances VRF interface irb.1000
set routing-instances VRF interface lo0.11
set routing-instances VRF route-distinguisher 5.5.5.5:11
set routing-instances VRF vrf-target target:64512:1
set routing-instances VRF vrf-table-label
set routing-instances VRF routing-options auto-export
set routing-instances VS vtep-source-interface lo0.0
set routing-instances VS instance-type virtual-switch
set routing-instances VS interface ge-0/0/8.0
set routing-instances VS route-distinguisher 5.5.5.5:1
set routing-instances VS vrf-target target:64512:1
set routing-instances VS protocols evpn encapsulation vxlan
set routing-instances VS protocols evpn extended-vni-list 1000
set routing-instances VS protocols evpn multicast-mode ingress-replication
set routing-instances VS bridge-domains VLAN1000 domain-type bridge
set routing-instances VS bridge-domains VLAN1000 vlan-id 1000
set routing-instances VS bridge-domains VLAN1000 routing-interface irb.1000
set routing-instances VS bridge-domains VLAN1000 vxlan vni 1000
set routing-instances VS bridge-domains VLAN1000 vxlan ingress-node-replication
set bridge-domains VLAN200 vlan-id 200
set bridge-domains VLAN200 routing-interface irb.200
================ MPLSoGRE =======================
set chassis fpc 0 pic 0 tunnel-services
set interfaces ge-0/0/8 unit 0 description "IP Fabric Int"
set interfaces ge-0/0/8 unit 0 family inet address 9.9.9.9/24
set interfaces ge-0/0/9 unit 0 family inet address 192.168.122.22/24
set interfaces fxp0 unit 0 family inet dhcp vendor-id Juniper-vmx-VM5B76594E6D
set interfaces lo0 unit 0 family inet address 127.0.0.1/32
set routing-options static route 0.0.0.0/0 next-hop 9.9.9.10
set routing-options route-distinguisher-id 192.168.122.22
set routing-options autonomous-system 64512
set routing-options dynamic-tunnels gw-gre source-address 192.168.122.22
set routing-options dynamic-tunnels gw-gre gre
set routing-options dynamic-tunnels gw-gre destination-networks 192.168.122.0/24
set protocols mpls interface all
set protocols bgp group contrail type internal
set protocols bgp group contrail local-address 192.168.122.22
set protocols bgp group contrail family inet-vpn unicast
set protocols bgp group contrail family route-target
set protocols bgp group contrail peer-as 64512
set protocols bgp group contrail local-as 64512
set protocols bgp group contrail allow 192.168.122.0/24
set protocols ldp interface all
set routing-instances admin instance-type vrf
set routing-instances admin interface ge-0/0/8.0
set routing-instances admin vrf-target target:64512:11111
set routing-instances admin routing-options static route 0.0.0.0/0 next-hop 9.9.9.10
====================== L2VXLAN + L3 MPLSoGRE ==========================
set chassis fpc 0 pic 0 tunnel-services
set interfaces ge-0/0/7 unit 0 family inet address 111.111.111.111/24
set interfaces ge-0/0/8 unit 0 family bridge interface-mode access
set interfaces ge-0/0/8 unit 0 family bridge vlan-id 1000
set interfaces ge-0/0/9 unit 0 family inet address 192.168.122.21/24
set interfaces fxp0 unit 0 family inet dhcp vendor-id Juniper-vmx-VM5B75A36475
set interfaces lo0 unit 0 family inet address 9.9.9.9/32
set routing-options static route 1.1.1.1/32 next-hop 192.168.122.10
set routing-options router-id 9.9.9.9
set routing-options route-distinguisher-id 192.168.122.21
set routing-options dynamic-tunnels gw-gre source-address 192.168.122.21
set routing-options dynamic-tunnels gw-gre gre
set routing-options dynamic-tunnels gw-gre destination-networks 192.168.122.0/24
set protocols bgp group contrail type internal
set protocols bgp group contrail family inet-vpn unicast
set protocols bgp group contrail family evpn signaling
set protocols bgp group contrail local-as 64512
set protocols bgp group contrail allow 192.168.122.0/24
set routing-instances net1L2 vtep-source-interface lo0.0
set routing-instances net1L2 instance-type virtual-switch
set routing-instances net1L2 interface ge-0/0/8.0
set routing-instances net1L2 route-distinguisher 9.9.9.9:11111
set routing-instances net1L2 vrf-target target:64512:11111
set routing-instances net1L2 protocols evpn encapsulation vxlan
set routing-instances net1L2 protocols evpn extended-vni-list 1000
set routing-instances net1L2 protocols evpn multicast-mode ingress-replication
set routing-instances net1L2 bridge-domains VLAN1000 domain-type bridge
set routing-instances net1L2 bridge-domains VLAN1000 vlan-id 1000
set routing-instances net1L2 bridge-domains VLAN1000 vxlan vni 1000
set routing-instances net1L2 bridge-domains VLAN1000 vxlan ingress-node-replication
set routing-instances net1L3 instance-type vrf
set routing-instances net1L3 vrf-table-label
set routing-instances net1L3 interface ge-0/0/7.0
set routing-instances net1L3 vrf-target target:64512:11111
set routing-instances net1L3 routing-options static route 0.0.0.0/0 next-hop 111.111.111.112
==================== 2DC ====================
[edit]
root@VMX9999# show | display set | no-more
set chassis fpc 0 pic 0 tunnel-services
set chassis network-services enhanced-ip
set interfaces ge-0/0/0 description "loop back to extL2"
set interfaces ge-0/0/0 unit 0 family bridge interface-mode trunk
set interfaces ge-0/0/0 unit 0 family bridge vlan-id-list 1000
set interfaces ge-0/0/0 unit 0 family bridge vlan-id-list 1002
set interfaces ge-0/0/1 description "loop back to net1L2"
set interfaces ge-0/0/1 unit 0 family bridge interface-mode trunk
set interfaces ge-0/0/1 unit 0 family bridge vlan-id-list 1000
set interfaces ge-0/0/1 unit 0 family bridge vlan-id-list 1002
set interfaces ge-0/0/2 description "server access vlan 1000"
set interfaces ge-0/0/2 unit 0 family bridge interface-mode access
set interfaces ge-0/0/2 unit 0 family bridge vlan-id 1000
set interfaces ge-0/0/3 description "server access vlan 1002"
set interfaces ge-0/0/3 unit 0 family bridge interface-mode access
set interfaces ge-0/0/3 unit 0 family bridge vlan-id 1002
set interfaces ge-0/0/4 description "server L3 172.16.9.9"
set interfaces ge-0/0/4 unit 0 family inet address 172.16.9.21/24
set interfaces ge-0/0/5 description "Internet Peering"
set interfaces ge-0/0/5 unit 0 family inet address 20.1.1.21/24
set interfaces ge-0/0/9 unit 0 family inet address 192.168.122.21/24
set interfaces fxp0 unit 0 family inet dhcp vendor-id Juniper-vmx-VM5B75A36475
set interfaces irb unit 1000 virtual-gateway-accept-data
set interfaces irb unit 1000 family inet address 10.1.1.254/24 virtual-gateway-address 10.1.1.1
set interfaces irb unit 1002 virtual-gateway-accept-data
set interfaces irb unit 1002 family inet address 10.1.2.254/24 virtual-gateway-address 10.1.2.1
set interfaces lo0 unit 0 family inet address 9.9.9.9/32
set interfaces lo0 unit 1 family inet address 9.9.9.10/32
set routing-options static route 0.0.0.0/0 next-hop 20.1.1.1
set routing-options router-id 9.9.9.9
set routing-options route-distinguisher-id 192.168.122.21
set routing-options autonomous-system 64512
set routing-options dynamic-tunnels gw-gre source-address 9.9.9.9
set routing-options dynamic-tunnels gw-gre gre
set routing-options dynamic-tunnels gw-gre destination-networks 192.168.122.0/24
set routing-options dynamic-tunnels gw-gre destination-networks 8.8.8.8/32
set protocols bgp group contrail type internal
set protocols bgp group contrail family inet-vpn unicast
set protocols bgp group contrail family evpn signaling
set protocols bgp group contrail local-as 64512
set protocols bgp group contrail allow 192.168.122.0/24
set protocols bgp group EXT_BGP type external
set protocols bgp group EXT_BGP multihop ttl 5
set protocols bgp group EXT_BGP local-address 9.9.9.9
set protocols bgp group EXT_BGP family inet-vpn unicast
set protocols bgp group EXT_BGP family evpn signaling
set protocols bgp group EXT_BGP neighbor 8.8.8.8 peer-as 64513
set protocols bgp group EXT_BGP neighbor 8.8.8.8 local-as 64512
set routing-instances extL2 vtep-source-interface lo0.0
set routing-instances extL2 instance-type virtual-switch
set routing-instances extL2 interface ge-0/0/0.0
set routing-instances extL2 interface ge-0/0/2.0
set routing-instances extL2 interface ge-0/0/3.0
set routing-instances extL2 route-distinguisher 9.9.9.9:20
set routing-instances extL2 vrf-target target:64512:20
set routing-instances extL2 protocols evpn encapsulation vxlan
set routing-instances extL2 protocols evpn extended-vni-list 100
set routing-instances extL2 protocols evpn extended-vni-list 102
set routing-instances extL2 protocols evpn multicast-mode ingress-replication
set routing-instances extL2 bridge-domains VLAN1000 vlan-id 1000
set routing-instances extL2 bridge-domains VLAN1000 vxlan vni 100
set routing-instances extL2 bridge-domains VLAN1000 vxlan ingress-node-replication
set routing-instances extL2 bridge-domains VLAN1002 vlan-id 1002
set routing-instances extL2 bridge-domains VLAN1002 vxlan vni 102
set routing-instances extL2 bridge-domains VLAN1002 vxlan ingress-node-replication
set routing-instances net1L2 vtep-source-interface lo0.0
set routing-instances net1L2 instance-type virtual-switch
set routing-instances net1L2 interface ge-0/0/1.0
set routing-instances net1L2 route-distinguisher 9.9.9.9:11111
set routing-instances net1L2 vrf-target target:64512:11111
set routing-instances net1L2 protocols evpn encapsulation vxlan
set routing-instances net1L2 protocols evpn extended-vni-list 1000
set routing-instances net1L2 protocols evpn extended-vni-list 1002
set routing-instances net1L2 protocols evpn multicast-mode ingress-replication
set routing-instances net1L2 bridge-domains VLAN1000 domain-type bridge
set routing-instances net1L2 bridge-domains VLAN1000 vlan-id 1000
set routing-instances net1L2 bridge-domains VLAN1000 routing-interface irb.1000
set routing-instances net1L2 bridge-domains VLAN1000 vxlan vni 1000
set routing-instances net1L2 bridge-domains VLAN1000 vxlan ingress-node-replication
set routing-instances net1L2 bridge-domains VLAN1002 domain-type bridge
set routing-instances net1L2 bridge-domains VLAN1002 vlan-id 1002
set routing-instances net1L2 bridge-domains VLAN1002 routing-interface irb.1002
set routing-instances net1L2 bridge-domains VLAN1002 vxlan vni 1002
set routing-instances net1L2 bridge-domains VLAN1002 vxlan ingress-node-replication
set routing-instances net1L3 instance-type vrf
set routing-instances net1L3 interface ge-0/0/4.0
set routing-instances net1L3 interface irb.1000
set routing-instances net1L3 interface irb.1002
set routing-instances net1L3 interface lo0.1
set routing-instances net1L3 vrf-target target:64512:20
set routing-instances net1L3 vrf-table-label
set routing-instances net1L3 routing-options static route 10.1.2.0/24 discard
set routing-instances net1L3 routing-options static route 10.1.1.0/24 discard
lighttpd
https://www.vultr.com/docs/how-to-install-lighttpd-llmp-stack-on-centos-6
Installing PHP
Install PHP using yum.
yum install lighttpd-fastcgi php-fpm
Configure PHP-FPM user settings.
vi /etc/php-fpm.d/www.conf
We must add the following lines to either the top or the bottom of the configuration:
user = lighttpd
group = lighttpd
Make PHP-FPM start on boot.
php-fpm on
Start PHP-FPM.
service php-fpm start
Configure php.ini.
vi /etc/php.ini
Remove the commenting on the following line.
cgi.fix_pathinfo=1
Tell Lighttpd that PHP exists on this server.
vi /etc/lighttpd/modules.conf
Add the following line.
include "conf.d/fastcgi.conf"
Now we must tell PHP to listen on port 9000 (Lighttpd will send PHP requests there). Using your favorite text editor, edit the fastcgi configuration.
vi /etc/lighttpd/conf.d/fastcgi.conf
At the top of the configuration, add the following lines of code.
fastcgi.server += ( ".php" =>
((
"host" => "127.0.0.1",
"port" => "9000",
"broken-scriptfilename" => "enable"
))
)
Restart PHP-FPM and Lighttpd for our changes to take effect.
service php-fpm restart
service lighttpd restart
Docker
#yum install epel-release
#yum install docker-io
#docker search centos
#docker pull centos
#docker images
# docker run -tid --name centos centos
# docker ps -all
#docker exec -ti centos bash
#mkdir /netconf; cd /netconf
#vi Dockerfile
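# Image for the "netconf" container (built and run by the docker commands that
# follow on this page): CentOS base, httpd, and PHP 7.0 from the remi repo.
FROM centos
# Outbound proxy for yum/rpm during the build. NOTE: ENV persists into the
# final image and into every container started from it, not just the build;
# use ARG/--build-arg if the proxy must not be baked into the runtime image.
ENV http_proxy http://10.99.0.232:3128
ENV https_proxy http://10.99.0.232:3128
RUN yum -y update
RUN yum -y install httpd mc telnet net-tools less
RUN yum -y install epel-release
# Adds the remi repo by installing its release RPM fetched directly over plain
# HTTP. rpm -i only warns (NOKEY) when the signer's key is not yet imported, so
# the package's authenticity is not enforced at this step.
RUN rpm -ivh http://rpms.remirepo.net/enterprise/remi-release-7.rpm
# Fixed: the page showed "–enable" (en dash), which yum-config-manager rejects;
# the option is --enable.
RUN yum-config-manager --enable remi-php70
RUN yum -y install php php-pdo php-dom php-devel
EXPOSE 80
# No USER instruction, so the container's main process starts as root
# (httpd's stock CentOS config presumably drops its workers to 'apache' —
# confirm in the built image).
CMD /usr/sbin/apachectl -DFOREGROUND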
#docker build -t netconf .
# docker run -tid -v /netconf/html:/var/www/html -p 80:80 --cap-add SYS_ADMIN --name netconf netconf
#docker exec -ti netconf bash
#docker stop netconf
#docker rm netconf
#docker rmi netconf
#docker export -o /path/to/file containername
#cat /path/to/file | docker import - imagename
SYS02 setup env
# yum groupinstall “Development tools”
# yum install epel-release
mariadb.repo
https://downloads.mariadb.org/mariadb/repositories/#mirror=nethub&distro=CentOS&distro_release=centos6-amd64–centos6&version=10.2
#yum install MariaDB-server MariaDB-client MariaDB-devel
# mysql_secure_installation
# For CentOS/RHEL/Scientific Linux 6 i386 or x86_64 #
wget http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
# rpm -ivh remi-release-6.rpm
#yum remove php #yum remove php-common
yum-config-manager --enable remi-php54
#yum install php php-mysql php-dom php-devel php-snmp re2c
download https://github.com/phalcon/cphalcon/releases/tag/phalcon-v2.0.13
unzip cphalcon-master.zip
#cd build
#./install
===================== radius OTP perl ====================
====================== Devtools2 for CentOS ======================
PHP-CPP
https://github.com/CopernicaMarketingSoftware/PHP-CPP-LEGACY
#wget 'https://github.com/CopernicaMarketingSoftware/PHP-CPP-LEGACY/archive/master.zip' #unzip php-cpp-master.zip #cd PHP-CPP-LEGACY-master/
#make; make install
LibSSH
#wget 'https://git.libssh.org/projects/libssh.git/snapshot/master.zip'
download v0.7.5 at https://git.libssh.org/projects/libssh.git/
#mv master.zip libssh-master.zip #unzip libssh-master.zip #cd master/build
#cmake -DCMAKE_INSTALL_PREFIX=/usr ..
#make ; make install
CNetconf
https://github.com/CESNET/libnetconf
#wget 'https://github.com/CESNET/libnetconf/archive/master.zip'
https://github.com/CESNET/libnetconf/tree/0.10.x
#mv master.zip netconf-master.zip #unzip netconf-master.zip
#yum install libxml2-devel libxslt-devel curl-devel
# ./configure --prefix=/usr
#vi src/ssh.c (the edit below sets SSH_OPTIONS_STRICTHOSTKEYCHECK to 0, which turns off host-key verification for the NETCONF SSH session, so any server key is accepted)
int strict=0;
ssh_options_set(retval->ssh_sess, SSH_OPTIONS_STRICTHOSTKEYCHECK, &strict);
case NC_SSH_AUTH_INTERACTIVE:
VERB("Keyboard-interactive authentication");
break;
#make ; make install
=========== CENTOS 7 ============
install mariadb 5.5 , remi php70 , php-cpp
cnetconf branch 0.10.x not the latest one
========== CENTOS 6 ===============
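#!/usr/bin/env bash
# CentOS 6 build-environment setup for the NETCONF PHP extension stack:
# devtoolset-6, MariaDB, PHP 5.4 from remi, Phalcon 2.0.13, PHP-CPP (legacy),
# libssh 0.7.5 and libnetconf 0.10.x, all built under /root.
#
# Reconstructed from a one-line paste: the commands are now one per line in
# their original order (the pasted form is a single unrunnable command).
# Some steps are interactive (mysql_secure_installation, yum remove without -y)
# and several sources are unpinned or fetched over plain HTTP (remi-release-6,
# GitHub master.zip), so this is not reproducible from one run to the next.

# Stop at the first failed step instead of continuing to build in whatever
# directory the previous (failed) cd left us in.
set -e

cd /root/
yum -y install epel-release
yum -y install centos-release-scl
yum -y install devtoolset-6
yum -y install MariaDB-server MariaDB-client MariaDB-devel
/etc/init.d/mysql start
mysql_secure_installation

# Lab proxy; exported, so it applies to every command below.
export http_proxy=http://10.103.19.251:3128
export https_proxy=http://10.103.19.251:3128

# remi repo release package over plain HTTP; rpm -i only warns (NOKEY) when
# the signer's key is not imported.
wget http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
rpm -ivh remi-release-6.rpm
yum remove php
yum remove php-common
yum-config-manager --enable remi-php54
yum -y install php php-mysql php-dom php-devel php-snmp re2c

# Phalcon 2.0.13 from its tagged tarball.
wget https://github.com/phalcon/cphalcon/archive/phalcon-v2.0.13.tar.gz
tar -xvf phalcon-v2.0.13.tar.gz
cd cphalcon-phalcon-v2.0.13/
cd build/
./install
cd /root/

# PHP-CPP legacy branch from an unpinned master.zip.
wget 'https://github.com/CopernicaMarketingSoftware/PHP-CPP-LEGACY/archive/master.zip'
mv master.zip PHP-CPP-LEGACY.zip
unzip PHP-CPP-LEGACY.zip
cd PHP-CPP-LEGACY-master/
make
make install
ldconfig
cd /root/

# libssh 0.7.5 (cmake build, installed under /usr).
wget https://git.libssh.org/projects/libssh.git/snapshot/libssh-0.7.5.tar.gz
tar -xvf libssh-0.7.5.tar.gz
cd libssh-0.7.5
mkdir build
cd build/
yum -y install cmake
cmake -DCMAKE_INSTALL_PREFIX=/usr ..
make
make install
ldconfig
cd /root/

# libnetconf 0.10.x branch (not master), installed under /usr.
wget https://github.com/CESNET/libnetconf/archive/0.10.x.zip
unzip 0.10.x.zip
cd libnetconf-0.10.x/
yum -y install libxml2-devel libxslt-devel curl-devel
./configure --prefix=/usr
make
make install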
openvz vxlan
download template here https://openvz.org/Download/template/precreated
# vzctl create 350 --ostemplate centos-6-x86_64-minimal
# vzctl set 350 --netif_add eth0 --save
# vzctl start 350
apache hardening
# httpd hardening snippet (2.2-style access-control syntax).
# Report only "Apache" in the Server header, no version or module list.
ServerTokens Prod
# No server signature line on server-generated pages (error pages, listings).
ServerSignature Off
# mod_reqtimeout provides the RequestReadTimeout directive used at the end.
LoadModule reqtimeout_module modules/mod_reqtimeout.so
# Site-wide: deny every method except GET and POST (a GET limit also covers
# HEAD in Apache). 'order'/'deny from' are the 2.2 mod_authz_host forms; on
# 2.4 they need mod_access_compat, otherwise use 'Require all denied'.
<Location />
<LimitExcept GET POST>
order deny,allow
deny from all
</LimitExcept>
</Location>
# Disable HTTP TRACE (cross-site tracing).
TraceEnable Off
# Clickjacking mitigation; 'always' also covers error responses. Requires
# mod_headers (not loaded in this snippet — presumably loaded elsewhere).
# 'append' adds to an existing X-Frame-Options value rather than replacing it,
# so a header set elsewhere would yield a combined value; 'set' replaces.
Header always append X-Frame-Options SAMEORIGIN
# Slow-request mitigation: request headers get 10 s, extended by 1 s per 500
# bytes received up to 30 s; the body gets 10 s, extended by 1 s per 2000
# bytes received.
RequestReadTimeout header=10-30,MinRate=500 body=10,MinRate=2000
apache benchmarking
ab -n 1000 -c 10 http://192.168.100.1/
iptables -A INPUT -p tcp --tcp-flags FIN FIN -j DROP
-A OUTPUT -p tcp --tcp-flags RST RST -j REJECT --reject-with tcp-reset
two more flags: PSH and FIN
# cd /proc/sys/net/ipv4
# echo 1 > tcp_orphan_retries
# cat tcp_fin_timeout
# echo 5 > tcp_fin_timeout
#for ((i=2;i<255;i++)); do ip addr add 192.168.100.$i dev eth4 ; done
# Lab load test from the "apache benchmarking" section, aimed at the author's
# own test server 192.168.100.1:80: 999 outer passes, each starting 253
# background connections paced 20 ms apart.
for ((j=1;j<1000;j++)); do
for ((i=2;i<255;i++)); do
usleep 20000;
# Prints the counter as progress, then pipes the request line (no trailing
# newline, echo -n) into nc, which gives up after 2 s (-w 2); '&' backgrounds
# each connection. NOTE(review): the quotes on this line are typographic
# (page encoding) and would be sent literally — confirm they are plain ASCII
# quotes in the real script. Unquoted $i is safe only because it is an integer.
echo $i; echo -n “GET / HTTP/1.0″ | nc -w 2 192.168.100.1 80 &
done ;
done
# netstat -nat | awk '{print $6}' | sort | uniq -c | sort -n
jncis
- ipsec vpn
confidentiality - encryption - symmetric: RC4, DES, 3DES, AES, Blowfish; asymmetric (public key): RSA, DH (groups 1, 2, 5, 14)
integrity - hash: MD5, SHA-1, SHA-2 (sender transmits data + hash; receiver recomputes the hash over the data and compares it)
authentication - HMAC (hashed message authentication code); Diffie-Hellman algorithm (DH groups 1, 2, 5)
Step 1: establish IKE (UDP/500) - phase 1: proposal (encryption, hash, authentication, DH group) - policy (main/aggressive mode, preshared key) - gateway (IP, interface) - phase 2: quick mode - proposal (ESP/AH, HMAC) - policy (PFS: DH group reassigned) - vpn (tunnel/transport mode)
Step 2: process traffic - transport mode (IPsec header inserted before the payload) vs tunnel mode (new outer header encapsulates the original packet + trailer); AH (protocol 51: integrity, authentication, anti-replay) vs ESP (protocol 50: integrity, authentication, anti-replay, confidentiality)
==============================
Phase 1
+ proposal: auth-algo (md5, sha1/sha256), auth-method (pre-shared key / DSA or RSA signatures), encrypt-algo (DES, 3DES, AES), dh-group (1, 2, 5, 14), lifetime (180 s - 1 day)
+ policy: proposal (F1_PRO), preshared-key ("pass123") / certificate (DSA/RSA), mode (main/aggressive)
+ gateway: ike-policy (F1_POL), address (remote_ip), external-interface (ge-0/0/0)
Phase 2
+ proposal: authentication-algorithm (hmac-md5 / hmac-sha1 / hmac-sha256), encryption (DES, 3DES, AES), lifetime, protocol (ESP/AH)
+ policy: proposal (F2_PRO), PFS keys (group 1/2/5/14)
+ vpn: bind-interface (st0.1), establish-tunnels (immediately), ike gateway (F1_GW), ike ipsec-policy (F2_POL)