Aliyun CDN Cache Rules

Fighting ISP Cache Hijacking Again with iptables

Fighting ISP Cache Hijacking Again with iptables Cause The fight against the carrier cache problem started two years ago. The carrier even cached cnpm data. Worse, their cache servers were not only slow like a turtle in a marathon, they also crashed frequently, so I just wanted to write code but had to face a wall of red errors. Fix iptables -I FORWARD -p tcp -m tcp -m ttl --ttl-gt 20 -m ttl --ttl-lt 30 -j DROP

Simulate Network Anomalies with TC and Netem

Simulate Network Anomalies with TC and Netem Netem and TC brief overview Netem is a network emulation module provided by Linux 2.6 and later kernels. It can be used on a good LAN to simulate complex Internet transmission performance, such as low bandwidth, latency, packet loss, and so on. Many Linux distributions with kernel 2.6+ enable this module by default, such as Fedora, Ubuntu, Redhat, OpenSuse, CentOS, Debian, etc. TC is a user-space tool in Linux, short for Traffic Control. TC controls the operating mode of the Netem module. In other words, to use Netem you need at least two conditions: the Netem module must be enabled in the kernel, and the corresponding user-space tool TC must be available.

Quagga Routing - Install, Configure and setup BGP

Quagga Routing - Install, Configure and setup BGP

Best V2Ray One-Click Install & Management Script

Best V2Ray One-Click Install & Management Script v2ray

Representative HTTP Status Codes

Representative HTTP Status Codes

Switch notes

Switch Switches are usually L2 devices They forward packets only to the destination host (based on the MAC table), which reduces collisions and eavesdropping. Switches can also handle packets arriving at the same time, while hubs cannot. Hubs are L1 devices They forward packets from any host to all connected hosts, so collisions happen and cause random retries. MAC Table Learning A packet arrives on some port (network A) from MAC X destined for MAC Y. The switch records that MAC X is on network A. This is called learning. Flooding The switch does not yet know where MAC Y is, so it forwards the packet to all networks except A. This is called flooding. Forwarding The host with MAC Y receives the packet and sends an ACK to MAC X. The switch records that MAC Y is on that network, then forwards the ACK to MAC X. This is forwarding. Filtering The switch receives a packet and finds that the source and destination MACs are on the same network, so it drops the packet. This is filtering. Aging Each MAC-table entry has a timestamp of last access. Entries older than a threshold (configurable) are removed. This is aging. Vlan Switch interfaces must support 802.1Q

Juniper notes

[Juniper Firewall] tunnel ACG icare@TWCHIJF01# show | compare rollback 4 [edit security policies] from-zone DB_12 to-zone TCT_Office { ... } + from-zone DB_12 to-zone JC32 { + policy For_Backup { + match { + source-address DB_10.11.12.0/24; + destination-address BACKUP_10.32.32.130; + application any; + } + then { + permit; + } + } + } [edit security zones security-zone DB_12 address-book] address DB_10.11.12.57 { ... } + address DB_10.11.12.0/24 10.11.12.0/24; [edit security zones] security-zone ESB_15 { ... } + security-zone JC32 { + address-book { + address BACKUP_10.32.32.130 10.32.32.130/32; + } + host-inbound-traffic { + system-services { + ping; + } + } + interfaces { + gr-0/0/0.32; + } + } [edit interfaces gr-0/0/0] + unit 32 { + description To_JC32_DBBackup; + tunnel { + source 202.168.193.128; + destination 218.253.210.8; + } + family inet { + address 10.32.0.101/30; + } + } [edit routing-options static] route 0.0.0.0/0 { ... } + route 10.32.32.130/32 next-hop 10.32.0.102; set security policies from-zone DB_12 to-zone JC32 policy For_Backup match source-address DB_10.11.12.0/24 set security policies from-zone DB_12 to-zone JC32 policy For_Backup match destination-address BACKUP_10.32.32.130 set security policies from-zone DB_12 to-zone JC32 policy For_Backup match application any set security policies from-zone DB_12 to-zone JC32 policy For_Backup then permit set security zones security-zone DB_12 address-book address DB_10.11.12.0/24 10.11.12.0/24 set security zones security-zone JC32 address-book address BACKUP_10.32.32.130 10.32.32.130/32 set security zones security-zone JC32 host-inbound-traffic system-services ping set security zones security-zone JC32 interfaces gr-0/0/0.32 set interfaces gr-0/0/0 unit 32 description To_JC32_DBBackup set interfaces gr-0/0/0 unit 32 tunnel source 202.168.193.128 set interfaces gr-0/0/0 unit 32 tunnel destination 218.253.210.8 set interfaces gr-0/0/0 unit 32 family inet address 10.32.0.101/30 set routing-options static route 10.32.32.130/32 next-hop 10.32.0.102 icare@TWCHIJF01> show configuration | compare rollback 1

Data Center Notes

First NIC - blue cable Second NIC - green cable Switch interconnect - white cable Yellow, red Storage has disk arrays and heavy data transfer, so it uses fiber connections and fiber switches. Fiber colors: Multi-mode or single-mode fiber Single-mode fiber is yellow. Multi-mode fiber (50μm or 62.5μm) is usually orange. 10GB multi-mode fiber is usually aqua. Common spec distinctions: OS1, OS2, 9µm, 9/125 = single-mode fiber OM1, 62.5µm, 62.5/125 = 62.5 multi-mode fiber OM2, 50µ, 50/125 = 50 multi-mode fiber OM3, 10GB, 50µm, 50/125 = 10GB multi-mode fiber OM4, 100GB, 50µm, 50/125 = 100GB multi-mode fiber Fiber structure

Route notes

Router - a device that is good at computing routing tables, an L3 device. Routing Table A NIC with one IP naturally has two routes and they cannot be changed. 192.168.1.1/24 Itself. Local route / Host route: 192.168.1.1/32 The whole subnet. Direct route / Connect route: 192.168.1.0/24 You can add as many static routes as you want. 172.10.10.10/24 -> 192.168.1.2 2.2.2.2/26 -> 192.168.1.9 … Default route - only one gateway. 0.0.0.0/0 -> 192.168.1.10 More specific routes take precedence. BGPv4

Arp notes

Before a packet is sent Look up the MAC for the IP in the ARP table MAC found - encapsulate No MAC - broadcast Same subnet - OK Different subnet - look up the router MAC in the ARP table Found - OK Not found - broadcast