Radovan Brezula
Author Archives: Radovan Brezula
- Home → Author's archive:
Radovan Brezula
Remotely Triggered Black Hole Filtering as Service
Remotely triggered black hole (RTBH) filtering is a technique that provides the ability to drop undesirable traffic before it enters a protected network. It is commonly used for the mitigation of distributed-denial-of-service (DDoS) and DoS attacks. We have covered a configuration of source and destination RTBH for Cisco IOS-XR in a previous tutorial. A trigger […]Continue reading...
Remotely Triggered Black Hole Filtering
Remotely triggered black hole (RTBH) filtering is a technique that provides the ability to drop undesirable traffic before it enters a protected network. It is used for the mitigation of distributed-denial-of-service (DDoS) and DoS attacks. We will show configuration of destination and source RTBH for Cisco IOS-XR in a network depicted on the Picture 1. […]Continue reading...
BGP FlowSpec on Arista vEOS
BGP FlowSpec is an another Multiptocol-BGP extension with SAFI 133. Created for the purpose of DoS and DDoS attacks mitigation, it brings a new NLRI that collects 12 types of L3 and L4 information. These information creates a flow which defines criteria used for matching DDoS parameters. For instance, a flow can match victim's IP, […]Continue reading...
LXC as Virtual Service Container on IOS XE
In the last tutorial, we have discussed Cisco open service container based on Kernel Virtual Machine (KVM). Virtual machines include the application, binaries and libraries along with entire guest OS. As a result, we can run any guest OS supported by KVM hypervisor. Containers, however share the same kernel with; each container still acts as […]Continue reading...
Hosting KVM Apps Inside IOS XE Virtual Service Container
Service Containers are applications that can be hosted directly on Cisco IOS XE routing platforms. Service containers are either Linux Virtual Containers (LXC) or Kernel Virtual Machine( KVM) based virtual machines. A typical Cisco service container carries a digital signature that verifies it as an authentic application from Cisco. An open service (unsigned) container is […]Continue reading...
Urban Terror Server on Cisco CSR1000v
We have discussed the configuration of Guest Shell on Cisco CSR 1000v platform in a previous tutorial. The guest shell is a built-in Linux container with CentOS 7 installed, which can be activated on the fly when Linux applications are needed. Our lives are currently affected by SARS-CoV-2 and long-standing quarantine, so why not do […]Continue reading...
Legacy Open Switch 0.4.0 Image
The Open Switch 0.4.0 is the legacy Open Switch version with Cisco like CLI that I used to use in my tutorials. As it can be downloaded anymore, I share the VMDK image below. Please, use the image for learning or demonstration purpose only because this Open Switch version is discontinued. Instead, use the Open Switch […]Continue reading...
Guest Shell Built-in Linux Container on Cisco IOS-XE
IOx (IOs + linuX) is Cisco's Application Hosting Infrastructure for Cisco IOS XE devices (e.g. CSR1000v). IOx enables hosting of applications and services developed by Cisco and third-party developers in network edge devices across diverse hardware platforms. The Guest Shell is a built-in Linux container (LXC) with a CentOS 7 running on Cisco IOS-XE platforms […]Continue reading...
Virtual eXtensible LANs -VXLANs
The tutorial discusses configuration of VXLANs on Arista vEOS and Openvswitch virtual machines. The VXLANs extend an L2 network by connecting VLANs from multiple hosts through UDP tunnels called VXLAN segments. VXLANs use Internet Protocol (both unicast and multicast) as the transport medium. VXLAN segments are identified by a 24-bit Virtual Network Identifier (VNI). Within […]Continue reading...
Virtual eXtensible LANs – VXLANs
The tutorial discusses configuration of VXLANs on Arista vEOS and Openvswitch virtual machines. The VXLANs extend an L2 network by connecting VLANs from multiple hosts through UDP tunnels called VXLAN segments. VXLANs use Internet Protocol (both unicast and multicast) as the transport medium. VXLAN segments are identified by a 24-bit Virtual Network Identifier (VNI). Within […]Continue reading...
Cloning Remote Linux Machines
I would like to share the second version (1.1) of the Bash script backup_images-1.1.sh which you can use for cloning disks of remote Linux machines. The script reads IP addresses of the hosts from a file and copy the disks with dd command over SSH connection. The disks are stored on a local machine, compressed […]Continue reading...
BGP on Cisco IOS XRv – Prefix-Sets and Route-Policies
The goal of this tutorial is to practice BGP configuration and filtering incoming and outgoing updates on Cisco IOS XRv. In order to do it, we configure prefix-sets and route-policy that will be applied to a particular BGP neighbor. Let's have a network topology depicted on the Picture 1. The ISP1 (AS number 64500) has […]Continue reading...
Use TheGreenBow VPN Client to Connect with VyOS
The site-to-site Virtual Private Networks (VPN) connect two or more remote locations. Thanks to it, computers located inside locations can communicate securely over the public Internet as they were located on the same private network. This is accomplished by tunnels that interconnect remote locations. Tunnels add extra layer security, encrypting user traffic carried inside tunnels. […]Continue reading...
Cuckoo Installation and Configuration on Debian 10 Buster
The tutorial covers installation and configuration of Cuckoo Malware Sandbox on Debian 10 Buster. Once you complete successfully all steps, your Cuckoo installation will be ready to perform analysis of malware uploaded to guest VM. It is Windows 7 x64 SP1 VM running on Oracle VirtualBox. The tutorial is based on an excellent YouTube videos […]Continue reading...
How to Configure BurpSuite to use Tor as Proxy
BurpSuite is a manual toolkit for investigating web security. Burp Proxy allows manual testers to intercept all requests and responses between the browser and the target application, even when HTTPS is being used. The tutorial discusses configuration of Burp to use connection over Tor network. 1. BurpSuite Community Edition We can find BurpSuite Community Edition […]Continue reading...
OpenVPN Remote Access VPNs Using TLS on VyOS
The tutorial provides configuration steps that help us to setup OpenVPN client/server model on GNS3. The model allows to connect multiple remote clients to a single centralized server. The VyOS router severs as OpenVPN server, with two VyOS branch office routers acting as OpenVPN clients (client 1 and 2). The third OpenVPN client is Ubuntu […]Continue reading...
DPDK and Open vSwitch Installation on Debian 10
DPDK stands for Data Plane Development Kit. The DPDK project consists of libraries to accelerate packet processing workloads running on a wide variety of CPU architectures. Open vSwitch can use the DPDK library to operate entirely in userspace. Thanks to it, performance of Open vSwitch increases. The tutorial help you to build and install Open vSwitch using DPDK datapah on Debian 10 Buster. The second part discuses DPDK and Open vSwitch configuration and compare performance of Open vSwitch applicance with enabled/disabled DPDK.
Note: You can download my Debian 10 Buster VMDK image with installed DPDK 18.11.2 and Open vSwitch 2.11.1 for quick testiing of Open vSwitch/DPDK functionality. If you do so, you can skip the tutorial and continue with Part 2 - DPDK/Open vSwitch Configuration.
Login/password: debian/debian
Host
Software:
- x86_64 GNU/Linux Debian 10 Buster, 4.19.0-5-amd64
- QEMU emulator version 3.1.0
Hardware:
- RAM Memory 2x Kingston 8192 MB DDRIII
- CPU - Intel(R) Core(TM) i7-3610QM CPU @ 2.30GHz, 4 cores
Qemu Guest
Software:
- x86_64 GNU/Linux Debian 10 Buster, 4.19.0-6-amd64
- Open vSwitch - 2.11.1
- DPDK - 18.11.2
Hardware:
- 4 X Continue reading
Site-to-Site OpenVPN on VyOS
The tutorial discusses configuration of site-to-site VPN on VyOS using preshared-key. Static key configuration offers the simplest setup, and is ideal for point-to-point VPNs or proof-of-concept testing. The advantages of using static key are simple setup and no X509 PKI (Public Key Infrastructure) to maintain. The disadvantages are limited scalability - one client, one server setup and the lack of perfect forward secrecy - key compromise results in a total disclosure of previous sessions. Also, a secret key must exist in plain-text form on each VPN peer and it must be exchanged using a pre-existing secure channel.
Our lab consists of two remote sites (Picture 1). The router running network OS - VyOS is presented on each side, connecting computers PC and PC2 to to a particular LAN network. The both VyOS routers are configured forOpenVPN site-to-site mode and the routers also perform NAT (PAT) and firewall services.
Picture 1 - Network Topology
1. VyOS Site1 Configuration
1.1 Hostname, IP addresses, SSH
vyos@vyos:~$ configure
vyos@vyos# set system host-name Site1
yos@vyos# commit
vyos@vyos# save
vyos@Site1# set interfaces ethernet eth1 address 10.0.0.254/24
vyos@Site1# set interfaces ethernet eth0 address 11.0.2.1/24
vyos@Site1# set service ssh
vyos@Site1# commit
Continue reading
Testing Open vSwitch-DPDK
In a previous tutorial we have built DPDK 18.11.2 and Open vSwitch 2.11.1 on Linux Debian 10.1 VM (buster). We have created a L3 Open vSwitch QEMU appliance that we will use to compare performance of Open vSwitch with enabled/disabled DPDK. A network topology is depicted on the Picture 1.
The lab is created as GNS3 project which consists of a single Debian Open vSwitch appliance. Two Linux Core 6.3 hosts PC1 and PC2 are connected to the switchports Ethernet0 and Ethernet1, respectively. Firstly, we are going to bind the both ports to DPDK-compatible driver and create a bridge with the DPDK ports attached to the bridge. As a last step, we will measure maximum achievable bandwidth with iPerf3 tool. The host PC1 will be be acting as a iPerf3 client connecting to the iPerf3 server running on the host PC2.
Note: Open vSwitch 2.11.1 appliance built on Debian 10 buster and DPDK 18.11.2 is available in Download-> Appliance Section. The Linux Core 6.3 image is available there, as well.
Picture 1 - Debian Open vSwitch/DPSK Appliance with Connected Host
1. GNS3 Configuration
Check GNS3 settings for Open Continue reading
Debian Open vSwitch Appliance with DPDK
Open vSwitch is a production quality, multilayer virtual switch licensed under the open source Apache 2.0 license. It is designed to enable massive network automation through programmatic extension, while still supporting standard management interfaces and protocols (e.g. NetFlow, sFlow, IPFIX, RSPAN, CLI, LACP, 802.1ag).
DPDK is the Data Plane Development Kit that consists of libraries to accelerate packet processing workloads running on a wide variety of CPU architectures.
Note: Open vSwitch images are customized with my after install script and they are ready for use in GNS3.
Username is debian with the password debian.
Debian Linux 10 (buster) VMDK Appliance with DPDK 18.11.2 and Open vSwitch 2.11.1 [997,2MB]
https://drive.google.com/file/d/1ZuVVP2POUnFjySt0YpFwPeSG5Rtw_6Gj/view?usp=sharing