A VRF represents an isolated instance of a routing and forwarding table on a device. A VRF belongs to a site and is assigned to an interface (logical or physical), which is used to peer with the CE to exchange routing updates and packets. In the core (provider network) these updates and packets are identified by a ROUTE DISTINGUISHER, which keeps them unique where addressing schemes overlap between different VRFs.
A VPN is a service which provides the security and isolation normally found in a private network over a shared provider infrastructure. The scope of a VPN is set by what routing and forwarding an organization's network requires, so a VPN can span multiple VRFs if it needs access to networks in different VRFs. The ROUTE TARGET determines what routing information a VRF imports or exports, and thus defines the scope of the VPN.
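A small model of the two ideas above, added here as an example and not part of the original post: the RD keeps two customers' overlapping prefixes unique in the core, and the RTs decide what each VRF imports, which is what gives the VPN its scope. VRF names, prefixes and the RD/RT values are assumed.

```python
# Added example (not from the original post): route distinguishers (RD) keep
# overlapping prefixes from different VRFs unique in the provider core, and route
# targets (RT) decide what each VRF imports and exports, i.e. the scope of the VPN.
# VRF names, prefixes and RD/RT values are assumed.
from dataclasses import dataclass, field

@dataclass
class Vrf:
    name: str
    rd: str                 # route distinguisher prepended to every prefix this VRF exports
    export_rt: set = field(default_factory=set)   # RTs attached to exported routes
    import_rt: set = field(default_factory=set)   # RTs this VRF accepts routes from
    routes: set = field(default_factory=set)      # prefixes learned from the CE

def export_to_core(vrfs):
    """Each VRF advertises (RD, prefix) VPNv4 routes tagged with its export RTs."""
    return [((v.rd, prefix), frozenset(v.export_rt)) for v in vrfs for prefix in v.routes]

def import_from_core(vrf, core):
    """A VRF installs every core route that carries at least one of its import RTs."""
    return {vpnv4 for vpnv4, rts in core if rts & vrf.import_rt}

def build_tables(vrfs):
    """Return the routes each VRF ends up with after RT-based import."""
    core = export_to_core(vrfs)
    return {v.name: import_from_core(v, core) for v in vrfs}

def example_vrfs():
    # Constructed scenario: two customers both use 10.0.0.0/24; a shared-services
    # VRF must reach both, while neither customer may see the other.
    return [
        Vrf("CUST_A", "65000:1", {"65000:1"}, {"65000:1", "65000:99"}, {"10.0.0.0/24"}),
        Vrf("CUST_B", "65000:2", {"65000:2"}, {"65000:2", "65000:99"}, {"10.0.0.0/24"}),
        Vrf("SHARED", "65000:99", {"65000:99"}, {"65000:1", "65000:2", "65000:99"},
            {"192.168.100.0/24"}),
    ]

if __name__ == "__main__":
    for name, table in build_tables(example_vrfs()).items():
        print(name, sorted(table))
```

The RD makes the two 10.0.0.0/24 entries distinct VPNv4 routes in the core, but a VRF that imports both (SHARED here) still cannot hold two identical IPv4 prefixes in its forwarding table; the RD gives uniqueness in the core, not a way around overlapping address space.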
Thursday, February 4, 2010
Wednesday, August 26, 2009
Reset the ProxySG back to default settings
To reset the ProxySG back to the "out-of-the-box" configuration or default settings take the following steps:
1. Connect to the ProxySG CLI through the serial interface or a terminal server.
2. Press enter 3 times.
3. Choose option 1: "Command Line Interface".
4. Enter enable mode by entering the command "en".
5. At the prompt enter "restore-defaults factory defaults".
6. At the system message "Continue with system re-initialization?", enter Y for the system to proceed with re-initialization.
7. Sit back and wait.
8. Re-initialization is now complete.
Internet Content Adaptation Protocol (ICAP) Fundamentals
Core points on ICAP:
* The Blue Coat AV (virus checking) is an external service which the ProxySG can communicate with using ICAP.
* The policy definition is conducted on the ProxySG using the management console or Content Policy Language.
* There are two modes of operation: RESPMOD and REQMOD. In REQMOD the ProxySG intercepts the client's request and passes it to the ICAP service for processing before forwarding it to the origin server. In RESPMOD the ProxySG (ICAP client) intercepts the response from the origin server and uses ICAP to hand it to the external service, which processes the response message.
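The two modes described above, built and taken apart as an ICAP client such as the ProxySG and a scanning service exchange them. This is an added example, not code from the original post or from Blue Coat; it goes beyond the post in showing the RFC 3507 Encapsulated header, and the service URL and hostname are assumed.

```python
# Added example, not from the original post or from Blue Coat: REQMOD and RESPMOD
# message shapes for an ICAP client (e.g. the ProxySG) talking to a scanning
# service. The service URL "icap://av.example.net/..." is an assumption.

def _chunked(body: bytes) -> bytes:
    """ICAP carries encapsulated HTTP bodies in chunked transfer encoding."""
    chunk = b"%x\r\n%s\r\n" % (len(body), body) if body else b""
    return chunk + b"0\r\n\r\n"

def _icap_request(method: str, service: str, encapsulated: str) -> bytes:
    host = service.split("/")[2]
    return (f"{method} {service} ICAP/1.0\r\nHost: {host}\r\n"
            f"Encapsulated: {encapsulated}\r\n\r\n").encode()

def reqmod(req_hdr: bytes, req_body: bytes = b"",
           service: str = "icap://av.example.net/reqmod") -> bytes:
    """REQMOD: the client's request goes to the service before the proxy sends it on."""
    if req_body:
        enc = f"req-hdr=0, req-body={len(req_hdr)}"
        return _icap_request("REQMOD", service, enc) + req_hdr + _chunked(req_body)
    enc = f"req-hdr=0, null-body={len(req_hdr)}"
    return _icap_request("REQMOD", service, enc) + req_hdr

def respmod(req_hdr: bytes, res_hdr: bytes, res_body: bytes,
            service: str = "icap://av.example.net/respmod") -> bytes:
    """RESPMOD: the origin server's response (plus the original request headers) goes to the service."""
    enc = f"req-hdr=0, res-hdr={len(req_hdr)}, res-body={len(req_hdr) + len(res_hdr)}"
    return _icap_request("RESPMOD", service, enc) + req_hdr + res_hdr + _chunked(res_body)

def split_encapsulated(msg: bytes) -> dict:
    """Cut an ICAP message back into its sections using the Encapsulated offsets."""
    head, _, payload = msg.partition(b"\r\n\r\n")
    enc = next(l for l in head.split(b"\r\n") if l.lower().startswith(b"encapsulated:"))
    offsets = [(n.strip().decode(), int(o)) for n, o in
               (p.split(b"=") for p in enc.split(b":", 1)[1].split(b","))]
    bounds = offsets + [("end", len(payload))]
    return {name: payload[start:end] for (name, start), (_, end) in zip(bounds, bounds[1:])}
```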
Monday, July 6, 2009
Backup Static Routes in Cisco IOS
Problem: I have a primary static default route which I want to replace with a secondary default route when the primary fails.
Solution:
track 10 interface FastEthernet0/0 ip routing
delay down 2 up 2
!
track 11 list boolean and
object 10 not
!
ip route 0.0.0.0 0.0.0.0 192.168.2.2 track 10
ip route 0.0.0.0 0.0.0.0 192.168.3.2 track 11
!
Verify:
R1#show ip route track
ip route 0.0.0.0 0.0.0.0 192.168.2.2 track 10 state is [up]
ip route 0.0.0.0 0.0.0.0 192.168.3.2 track 11 state is [down]
!
R1#show track 11
Track 11
List boolean and
Boolean AND is Down
1 change, last change 00:05:24
object 10 not Up
Tracked by:
STATIC-IP-ROUTING 0
R1#show track 10
Track 10
Interface FastEthernet0/0 ip routing
IP routing is Up
3 changes, last change 00:16:39
Delay up 2 secs, down 2 secs
Tracked by:
Track-list 11
STATIC-IP-ROUTING 0
!
Monday, June 22, 2009
Resetting the Trial License
The trial period on a ProxySG can be reset by entering the command "reset-trial" at the CLI. This can only be done once, so it will not work if someone who trialed the appliance previously has already used it.
If the command is unsuccessful the owner of the appliance will need to contact Blue Coat and request an evaluation license. They need to fill in the form located at https://bluesource.bluecoat.com/evalrequest or contact their account representative.
Wednesday, May 27, 2009
IM Filtering on Blue Coat ProxySG
What kind of IM security functionality is available from the Blue Coat ProxySG?
Administrators can control IM functionality such as:
- Block File Transfers;
- Search for keywords;
- Limit chatroom access on a user or global basis;
- Instant Messaging messages can be monitored or logged (your boss is watching) =]
As a proxy the BC ProxySG can:
- Allow selected protocols;
- Establish authentication rules for using IM services;
- Allow or deny attachments by file type;
- Allow or deny chat activity;
- Filter Keywords (my boss is the best);
- Block access to IM services by user or other means.
- Block encrypted IM services, because you do not know what information is being transmitted.
Monday, May 25, 2009
Analysing 401 authentication on the Blue Coat ProxySG
When a client attempts to access a website via the proxy, the OCS can send the client an authentication challenge. The response from the OCS carries a 401 code, indicating either that the user's authentication credentials have failed or that the user must send credentials for the requested resource. Note that a 401 message is different from a 407 message: 407 comes from the proxy and 401 comes from the OCS. Thus you may receive a 401 message even after you have successfully authenticated in response to a 407 message.
Below are the logs of client requests to www.google.com on the Blue Coat. You can see the initial 407 response to the proxy challenge:
2009-05-26 07:24:31 4 1.1.1.1 - - authentication_failed PROXIED "none" - 407 TCP_DENIED GET - http www.google.com 80 / - - "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; GTB5; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727)" 203.41.5.249 1095 352 -
2009-05-26 07:24:37 524 1.1.1.1 joe - - PROXIED "none" - 302 TCP_NC_MISS GET text/html;%20charset=UTF-8 http www.google.com 80 / - - "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; GTB5; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727)" 203.41.5.249 622 437 -
2009-05-26 07:24:39 536 1.1.1.1 joe - - PROXIED "none" - 200 TCP_NC_MISS GET text/html;%20charset=UTF-8 http www.google.com.au 80 / - - "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; GTB5; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727)" 203.41.5.249 4253 407 -
2009-05-26 07:24:40 530 1.1.1.1 joe - - PROXIED "none" http://www.google.com.au/ 200 TCP_MISS GET image/gif http www.google.com.au 80 /images/close_sm.gif - gif "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; GTB5; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727)" 203.41.5.249 380 543 -
2009-05-26 07:24:40 538 1.1.1.1 joe - - PROXIED "none" http://www.google.com.au/ 200 TCP_MISS GET image/gif http www.google.com.au 80 /images/chrome_48.gif - gif "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; GTB5; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727)" 203.41.5.249 2756 544 -
2009-05-26 07:24:40 548 1.1.1.1 joe - - PROXIED "none" http://www.google.com.au/ 200 TCP_MISS GET image/gif http www.google.com.au 80 /images/modules/buttons/g-button-chocobo-basic-2.gif - gif "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; GTB5; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727)" 203.41.5.249 619 575 -
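A parser for log lines in the format shown above that tells a 407 proxy challenge apart from a 401 origin-server challenge, added here as an example and not part of the original post. It assumes the lines follow the ProxySG default "main" access-log field order; the first two sample lines are taken from the post (user-agent shortened) and the 401 line is constructed.

```python
# Added example, not from the original post: classify ProxySG access-log lines by
# which side issued the authentication challenge. Field order is the ProxySG
# default "main" log format the lines above follow (assumed). The first two sample
# lines come from the post (user-agent shortened); the 401 line is constructed.
import shlex
from collections import Counter

FIELDS = ("date time time-taken c-ip cs-username cs-auth-group x-exception-id "
          "sc-filter-result cs-categories cs-referer sc-status s-action cs-method "
          "rs-content-type cs-uri-scheme cs-host cs-uri-port cs-uri-path "
          "cs-uri-query cs-uri-extension cs-user-agent s-ip sc-bytes cs-bytes "
          "x-virus-id").split()

UA = '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"'
SAMPLE_LINES = [
    '2009-05-26 07:24:31 4 1.1.1.1 - - authentication_failed PROXIED "none" - 407 '
    f'TCP_DENIED GET - http www.google.com 80 / - - {UA} 203.41.5.249 1095 352 -',
    '2009-05-26 07:24:39 536 1.1.1.1 joe - - PROXIED "none" - 200 TCP_NC_MISS GET '
    f'text/html;%20charset=UTF-8 http www.google.com.au 80 / - - {UA} 203.41.5.249 4253 407 -',
    # constructed: an OCS challenge seen after joe already passed the proxy's 407
    '2009-05-26 07:25:02 210 1.1.1.1 joe - - PROXIED "none" - 401 TCP_NC_MISS GET '
    f'text/html http intranet.example 80 /secure/ - - {UA} 203.41.5.249 512 420 -',
]

def parse_line(line: str) -> dict:
    """Split one log line into named fields; shlex keeps quoted values whole."""
    values = shlex.split(line)
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}")
    return dict(zip(FIELDS, values))

def challenge_source(rec: dict) -> str:
    """407 is the proxy asking for credentials; 401 comes from the origin server (OCS)."""
    if rec["sc-status"] == "407":
        return "proxy-challenge"
    if rec["sc-status"] == "401":
        # cs-username already populated means proxy authentication succeeded earlier
        return "ocs-challenge-after-proxy-auth" if rec["cs-username"] != "-" else "ocs-challenge"
    return "no-challenge"

def summarise(lines) -> dict:
    """Per client IP, count proxy challenges, origin-server challenges and plain responses."""
    per_client: dict = {}
    for line in lines:
        rec = parse_line(line)
        per_client.setdefault(rec["c-ip"], Counter())[challenge_source(rec)] += 1
    return per_client
```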