Wednesday, 16 September 2020

F5 default credentials and some interesting facts

Below are the default credentials for an F5 device. You can change them during the initial setup wizard.

Cli

Username: root

Password: default


GUI

Username: admin

Password: admin

Interesting facts:

  • The root and admin user accounts cannot be deleted from an F5.
  • By default, the admin user does not have CLI access, but you can assign either the Advanced shell or TMOS (tmsh) access to the "admin" user:
System >> Users : User List >> click user admin >> choose tmsh from the "Terminal Access" drop-down >> click Update
  • GUI access cannot be given to the user "root".




Global NTP servers

NTP is a UDP-based service that uses port 123. It is recommended to use pool.ntp.org to find an NTP server.

The pool is split into the following regional zones:

  • Africa — africa.pool.ntp.org 
  • Antarctica — antarctica.pool.ntp.org 
  • Asia — asia.pool.ntp.org 
  • Europe — europe.pool.ntp.org 
  • North America — north-america.pool.ntp.org 
  • Oceania — oceania.pool.ntp.org 
  • South America — south-america.pool.ntp.org


Below is how to check the NTP status or configuration on each platform.

A. Windows (command to list the configured peers)

w32tm /query /peers

B. Ubuntu (the NTP configuration file)

/etc/ntp.conf

Wednesday, 9 September 2020

DNS root server list - A-M

Below is the list of the root servers, a through m.



Wednesday, 5 August 2020

SNMPv3 config on Cisco routers/Switches

   
1) Create an access-list to allow SNMP source servers.

access-list 10 permit 10.10.10.10
access-list 10 permit 10.10.10.11
access-list 10 permit 10.10.10.12

Every SNMP manager address must be permitted in this ACL.

2) Now create the new group with the command below.

snmp-server group GROUP1 v3 auth read access 10

3) Create new credentials using the group "GROUP1"

snmp-server user SNMP_USER GROUP1 v3 auth md5 PASSWORD-AUTH priv aes 128 PASSWORD2-PRIV

The names in capitals (GROUP1, SNMP_USER, PASSWORD-AUTH, PASSWORD2-PRIV) and the ACL addresses are placeholders; replace them with your own values.

Monday, 3 August 2020

Enable Password vs Enable Secret command on cisco routers/switches

We all know that the enable password is used to move from user mode to privileged mode.

The "enable password" command stores the password in the configuration in unencrypted form, whereas the "enable secret" command stores an MD5 hash of the password instead.

The "enable secret" command is always recommended.

If both are configured, the enable secret takes precedence over the enable password.

Thursday, 18 June 2020

uRPF and its modes : Strict vs Loose

Unicast Reverse Path Forwarding (Unicast RPF) is a security feature that addresses spoofed-source-address attacks. It is recommended to configure it on the L3 interfaces of routers to verify the reachability of the source address of incoming packets. A packet is dropped if its source IP address fails the check.

Unicast RPF works in one of below modes:

1. Strict mode: the router performs two checks:

    A. The router looks up the source address of the packet in the routing table and drops the packet if no route to the source address is present.
    B. The router ensures that the source of the incoming packet is reachable via the same interface the packet arrived on. The packet is dropped if the source address is learned via a different interface than the one on which it ingressed.

Command:

int eth1/1
ip verify unicast reverse-path    <<< older command, but still available on some platforms
      or
ip verify unicast source reachable-via rx

2. Loose mode (default mode): only checks that a route for the source address is present in the routing table.

int eth1/1
ip verify unicast source reachable-via any

Note: the matching criteria above do not count the default route, so traffic whose source address matches only the default route is dropped. The "allow-default" keyword changes this behaviour and permits traffic whose source address matches only the default route.
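The strict/loose/allow-default decision above, modelled in Python as an added example (not vendor code and not part of the original post); the routing table, interface names and source addresses are constructed for illustration:

```python
import ipaddress

# Constructed routing table: (prefix, egress interface). 0.0.0.0/0 is the default route.
ROUTES = [
    ("0.0.0.0/0", "eth1/0"),
    ("10.1.0.0/16", "eth1/1"),
    ("10.1.5.0/24", "eth1/2"),
    ("192.168.0.0/24", "eth1/1"),
]


def lookup(routes, addr):
    """Longest-prefix match; returns (network, interface) or None if no route matches."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_permit(routes, src, ingress, mode="loose", allow_default=False):
    """True if uRPF lets a packet with source `src`, arriving on `ingress`, through.

    mode="strict" corresponds to reachable-via rx, mode="loose" to reachable-via any;
    allow_default models the allow-default keyword.
    """
    match = lookup(routes, src)
    if match is None:
        return False  # check A: no route to the source at all, dropped in both modes
    net, iface = match
    if net.prefixlen == 0 and not allow_default:
        return False  # source matches only the default route, dropped unless allow-default
    if mode == "strict":
        return iface == ingress  # check B: best route must point back out the ingress interface
    return True  # loose mode: any route is enough


if __name__ == "__main__":
    # Spoofed-looking source: 10.1.5.7 is routed via eth1/2 but arrives on eth1/1.
    print("strict:", urpf_permit(ROUTES, "10.1.5.7", "eth1/1", mode="strict"))  # False
    print("loose: ", urpf_permit(ROUTES, "10.1.5.7", "eth1/1", mode="loose"))   # True
```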






Wednesday, 17 June 2020

BGP: x.x.x.x Active open failed - no route to peer, open active delayed 9216ms (35000ms max, 60% jitter)



I was working on an issue and got the above logs while debugging BGP on a Cisco router.

Below are the two things to check to resolve such issues.

1. A specific route to the BGP neighbor's IP address. The BGP neighborship depends on it; a default route will not work.

2. eBGP multihop. Make sure to configure the eBGP multihop command when forming an eBGP neighborship between indirectly connected routers.