x83.net » Cisco

AS-path filtering

Giany — Mon, 22 Jun 2009 00:46:49 +0000

Cisco way:

ip as-path access-list 1 deny _1234$
ip as-path access-list 1 deny _5678$
ip as-path access-list 1 permit .*

router bgp 100
neighbor 192.168.0.1 remote-as 200
neighbor 192.168.0.1 des ebgp-test
neighbor 192.168.0.1 filter-list 1 in

Juniper way:

protocols {
bgp {
group “ebgp-test” {
type external;
import test-in;
peer-as 200;
neighbor 192.168.0.1 {
}
}
policy-options {
policy-statement test {
from as-path [test test1];
then reject;
}
set policy-options as-path a “.*1234″
set policy-options as-path b “.*5678″
}

Cisco IOS Rootkit info

Giany — Fri, 12 Jun 2009 03:31:02 +0000

BGP regexp

Giany — Fri, 12 Jun 2009 02:36:38 +0000

Regular Expression:

 show ip bgp regexp [AS]$ - list all network paths with that AS

 show ip bgp regexp _AS_ - match any route going through AS

 show ip bgp regexp _AS AS_ - match any route passed through AS and AS

 show ip bgp regexp _AS$ - match only routes originated in this AS

Cisco Tacacs configuration

Giany — Fri, 12 Jun 2009 02:35:36 +0000

aaa new-model
aaa authentication login default group tacacs+ enable
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+

tacacs-server host 10.100.100.100 timeout 5
no tacacs-server directed-request
tacacs-server key 7 key

Also check :

Route servers

Giany — Thu, 11 Jun 2009 23:47:56 +0000

Route servers:

colt = telnet route-server.colt.net
cerf = telnet route-server.cerf.net
att = telnet route-server.cbbtier3.att.net
att1 = telnet route-server.ip.att.net
bbn = telnet ner-routes.bbnplanet.net
oregon = telnet route-views.oregon-ix.net
exodus = telnet route-server.exodus.net
as elnet = telnet route-server.as5388.net
gblx.net = telnet 206.132.67.9
tiscalli = telnet route-server.ip.tiscali.net
belwue = telnet route-server.belwue.de
telus = telnet route-views.on.bb.telus.com
telus = telnet route-views.ab.bb.telus.com
is = telnet public-route-server.is.co.za
opentr = telnet route-server.opentransit.net   JUNOS 9.0R3.6
GT = telnet route-server.gt.ca
He = telnet route-server.he.net
Manilla = telnet route-server.manilaix.net.ph
Allstream = telnet route-server.central.allstream.com
AllstreamE = telnet route-server.east.allstream.com
AlstreamW = telnet route-server.west.allstream.com
TwTel = telnet route-server.twtelecom.net
GBLXe = telnet route-server.eu.gblx.net
EUNet = telnet route-server.as6667.net
Sunrise = telnet routeserver.sunrise.ch
Host = telnet route-server.host.net
Optus = telnet route-views.optus.net.au
Washingt = telnet route-views3.routeviews.org (Juniper)

Internetwork

Giany — Thu, 11 Jun 2009 23:46:10 +0000

Internetwork

The Frontier Optronics Network now encompasses 11 hub cities. The northern route connects Los Angeles, San Francisco, Kansas City, Cleveland, and New York City at OC-48c or 2.5 Gbps speeds. A second backbone, through the South, connects Los Angeles, San Diego, Dallas, Atlanta, Washington D.C., and New York City—also at OC-48c. The two routes are joined together in a ring architecture, giving the backbone extended reliability and failover protection—a clear advantage over linear route networks (See Figure 1).

Optical Internet Benefits: Scalability and Simplicity

The hierarchical design of IP hubs in the Frontier Optronics Network provides Frontier with a robust and scalable infrastructure. At the highest level, redundant wide-area routers (WR1 and WR2) connect to the IP backbone at OC-48 speeds. At the middle layer, core routers (CR1 and CR2) connect lower layers to the WR routers at OC-12 speeds. At the lowest layer, an assortment of routers deliver specialized services: access routers (AR1) aggregate T1, T3 and OC-3 traffic; border routers (BR1) provide peering connections with other Internet providers; hosting routers (HR1) provide hosting services for web content; and dial routers (DR1) handle lower-speed customer access.

Bgp dampening

Giany — Thu, 11 Jun 2009 23:43:33 +0000

Cisco BGP dampening

Description:
When a route fails, a routing update is sent to withdraw the route from the network’s routing tables. When the route is re-enabled, the change in availability is also advertised. A route that continually fails and returns requires a great deal of network traffic to update the network about the route’s status.

Route dampening enables you to identify routes that repeatedly fail and return. If route dampening is enabled, an unstable route accumulates penalties each time the route fails and returns. If the accumulated penalties exceed a threshold, the route is no longer advertised. This is route suppression. Routes that have been suppressed are re-entered into the routing table only when the amount of their penalty falls below a threshold.

A penalty of 1000 is assessed each time the route fails. When the penalties reach a predefined threshold (suppress-value), the router stops advertising the route.

Once a route is assessed a penalty, the penalty is decreased by half each time a predefined amount of time elapses (half-life-time). When the accumulated penalties fall below a predefined threshold (reuse-value), the route is unsuppressed and added back into the BGP routing table.

No route is suppressed indefinitely. Maximum-suppress-time defines the maximum time a route can be suppressed before it is re-advertised

Use the bgp dampening command with arguments to override the defaults. If any argument is used, all the arguments must be defined.

Use the route-map keyword to associate a route-map to the dampening functionality. Only matching routes will be dampened according to the supplied parameters.

Use the no bgp dampening command to disable route dampening.

 router(config)#bgp dampening
 router(config)#bgp dampening 20 1800 8000 50

The following example enables route dampening and sets the half-life-time to 20 minutes, the reuse-value to 1800, the suppress-value to 8000, and the maximum-suppress-time to 50 minutes.

[[Category:Cisco]]

Show Interface Reference

Giany — Thu, 11 Jun 2009 23:41:09 +0000

Show Interface Reference

router#sh int Serial3/0/23:0

Serial3/0/23:0 is up, line protocol is up
Hardware is PA-MC-2T3+
Description: SDA Freight Data Corporation T1 CIR/CT3 (sdafda)75hcre000944-001
Internet address is 207.199.99.137/30
MTU 1500 bytes, BW 256 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation PPP, crc 16, loopback not set
Keepalive set (10 sec)
LCP Open
Open: IPCP, CDPCP
Last input 00:00:03, output 00:01:08, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0 (size/max/drops); Total output drops: 0
Queueing strategy: weighted fair
Output queue: 0/1000/64/0 (size/max total/threshold/drops)
Conversations 0/1/256 (active/max active/max total)
Reserved Conversations 0/0 (allocated/max allocated)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
20950 packets input, 1992090 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
1 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 1 abort
31524 packets output, 10804297 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions no alarm present
Timeslot(s) Used: 1-4, subrate: 256Kb/s, transmit delay is 0 flags
non-inverted data

Interface and Line Protocol Status
Line State Possible Causes and Actions
Serial x is up, line protocol is up This status indicates that the interface is functioning properly
Serial x is down, line protocol is down This status indicates that the router is not sensing a carrier detect (CD) signal.

Possible Causes:

-Telephone company problem.
-Faulty or incorrect cabling
-Hardware failure

Suggested Actions:

-Check the LED’s on the CSU/DSU to see if the CD light is active.
-Verify that the cables are connected properly.
-Reset your equipment
-Contact your leased-line provider
-Replace faulty equipment

Serial x is up, line protocol is down Possible Causes:

-Local or remote router misconfigured
-Keep-alives not being sent by remote router
-Leased-line or other carrier service problems, such as noisy lines or faulty switch
-Timing problem on cable, possibly caused by the CSU/DSU not being set correctly.
-Failed local or remote CSU/DSU.
-Router failure.

Serial x is up, line protocol is up (looped) Possible Causes:

-Loop exists in the circuit. Contact your leased line provider or owner of remote router to remove loop.

Serial x is administratively down, line protocol is down. Possible Causes:

- Router configuration includes the shutdown interface configuration command.
- Duplicate IP address.

Hardware
This field describes the type of hardware that the interface is connected to. In this case, this Serial interface is part of a channelized T3.
Description
This field is simply used to describe the interface by the network administrator. It has not bearing on connectivity.
Internet address
This is the IP address and subnet mask assigned to the interface in question. In this case, the IP address is 207.199.99.137 and it has a subnet mask of 255.255.255.252.
MTU, BW, DLY, rely, and load

* MTU – Maximum Tranmission Unit. By default, this is 1500 bytes, which describes the largest packet that can be sent through the interface before the packet is fragmented.
* BW – Bandwidth. This field is defined by the network administrator and has no actual effect on the bandwidth of a line. It is simply used for describing the load on a specific interface.
* DLY – Delay. Amount of micro seconds of delay. I do not have any more information on this at this time.
* rely – Reliability. Reliability of the interface as a fraction of 255 (255/255 is 100% reliability), calculated as an exponential average over five minutes (default).
* load – Load Average. Load on the interface as a fraction of 255 (255/255 is completely saturated), calculated as an exponential average over five minutes (default).

Encapsulation and Loopback

* Encapsulation is the type of Data-Link encapsulation. This is commonly either PPP, HDLC (Cisco’s proprietary PPP), Frame-Relay, and ATM.
* Loopback specifies whether the loopback bit is set in the D channel signalling.

Last input

* The last input is the number of hours, minutes, and seconds since the last packet was successfully received by an interface. This is useful for determining when a dead interface.
* The last output is the number of hours, minutes, and seconds since the last packet was successfully transmitted by an interface. This is useful for determining when a dead interface failed.
* The output hang is the number of hours, minutes, and seconds (or never) since the interface was last reset because of a transmission that took too long.

Last clearing

This shows the elapsed time, in seconds, since the last clearing of the interface counters that will be described in a later section on counters.
Output queue, input queue, drops

Number of packets in output and input queues. Each number is followed by a slash, the maximum size of the queue, and the number of packets dropped due to a full queue. Output drops can be caused when the output media cannot accept frames and the output queue reaches the maximum value before it starts dropping packets. Output drops may not necessarily indicate a problem since an explorer frame being dropped because it has already traveled on a particular ring can increment the output drops counter. Increasing input drops on the other hand, can be serious and should be looked into carefully. Input drops can be caused by insufficient system buffers – see 0 no buffer in the show interfaces tokenRing 0 output above. The incrementing no buffer counter of the show interfaces output may correlate to the incrementing misses counter of the show buffers output, and the appropriate buffer pool may need to be tuned.
5 minute input/output rate

Average number of bits and packets received and transmitted per second in the last five minutes.
Counters

* Packets input – Total number of error-free packets received.
* Broadcasts – Total number of broadcast or multicast packets received.
* Runts – Number of packets discarded because they are smaller than the medium’s minimum packet size.
* Giants – Number of packets that are discarded because they exceed the medium’s maximum packet size.
* Throttle – This counter indicates the number of times the input buffers of an interface have been cleaned because they have not been serviced fast enough or they are overwhelmed. Typically, an explorer storm can cause the throttles counter to increment. It’s important to note that every time you have a throttle, all the packets in the input queue get dropped. This causes very slow performance and may also disrupt existing sessions.
* Parity – Number of parity errors on the HSSI.
* RX Disabled – Indicates inability to get a buffer when accessing a packet.
* Input Errors – Sum of all errors that prevented the receipt of datagrams. This may not balance with the sum of the enumerated output errors, because some datagrams may have more than one error and others may have errors that do not fall into any of the specific categories.
* CRC – Cyclic redundancy checksum generated mismatch. CRC errors also are reported when a far-end abort occurs and when the idle flag pattern is corrupted. This makes it possible to get CRC errors even when there is no data traffic.
* Frame – Number of packets received incorrectly having a CRC error and a noninteger number of octets.
* Overrun – Number of times the serial receiver hardware was unable to hand received data to a hardware buffer because the input rate exceeded the receiver’s ability to handle the data.
* Ignored – Number of received packets ignored by the interface because the interface hardware ran low on internal buffers.
* Abort – Number of packets whose receipt was aborted.
* Bytes – Total number of bytes, including data and MAC encapsulation, transmitted by the system.
* Underruns – Number of times that the far-end router’s transmitter has been running faster than the near-end router’s receiver can handle. This may never happen (be reported) on some interfaces.
* Congestion Drop – Number of messages discarded because the output queue on an interface grew too long.
* Output Errors – Sum of all errors that prevented the final transmission. This may not balance with the sum of the enumerated output errors, because some datagrams may have more than one error and others may have errors that do not fall into any of the specific categories.
* Interface Resets – Number of times an interface has been completely reset.
* Restarts – Number of times the controller was restarted because of errors.
* Carrier Transitions – Number of times the carrier detect signal of a serial interface has changed state.

[[Category:Cisco]]

Cisco IPIP Tunnels

Giany — Thu, 11 Jun 2009 23:38:27 +0000

Linux (192.168.2.1):

/sbin/ip tunnel add tunl1 mode ipip remote 192.168.1.1
/sbin/ifconfig tunl1 192.168.3.2 pointopoint 192.168.3.1 netmask 255.255.255.252 mtu 1500

Cisco (192.168.1.1):

interface Tunnel0
ip address 192.168.3.1 255.255.255.252
ip mtu 1500
tunnel source 192.168.1.1
tunnel destination 192.168.2.1
tunnel mode ipip

Cisco OSPF over GRE tunnel

Giany — Thu, 11 Jun 2009 23:29:08 +0000

Components Used

-Cisco 7206VXR (NPE200) Router

-Debian 2.6.8-1-386

Network MAP

The ideea of this plan is to see the network behind the 7200 Router on the Linux server using OSPF.

1. Private network has : 172.20.0.0/16

2. Cisco Router has several VLANs but I`ll use only : 172.20.6.252/32 ( its the default GW for workstations) . Its real ip is : *.*.*.130/32

3. Firewall : the firewall blocks incoming connections from any “outside” host.

4. GRE tunnel : I`ve choosed 172.19.0.0/24 ( Linux will be 172.19.0.3 and Cisco will use : 172.19.0.2)

5. Linux server has on eth1 : *.*.*.131/32 and its default GW *.*.*.129/32

6. My workstation has : different ips..

== Checking connectivity ==

linux:~# ping *.*.*.130 -i.1
PING *.*.*.130 (*.*.*.130) 56(84) bytes of data.
64 bytes from *.*.*.130: icmp_seq=10 ttl=248 time=58.9 ms
64 bytes from *.*.*.130: icmp_seq=11 ttl=248 time=58.5 ms
64 bytes from *.*.*.130: icmp_seq=12 ttl=248 time=58.5 ms
64 bytes from *.*.*.130: icmp_seq=13 ttl=248 time=81.3 ms

linux:~# telnet *.*.*.130
Trying *.*.*.130...
telnet: Unable to connect to remote host: Connection refused

So as you probably see firewall is blocking connections.

== ACLS ==

#(config) access-list 101 permit gre any any
#(config) access-list 101 permit gre host 172.19.0.2 host 172.19.0.3

== Configure Tunnel interface Cisco ==

linux:~ # telnet *.*.*.130
Trying *.*.*.130...

Connected to *.*.*.130.

Escape character is '^]'.

Username: xxx
Password:

>en
Password:
#
cisco(config)#int tun0
cisco(config-if)#ip address 172.19.0.2 255.255.255.0
cisco(config-if)#no ip redirects
cisco(config-if)#ip nat inside
cisco(config-if)#tunnel source FastEthernet2/0.50
cisco(config-if)#tunnel destination LinuxServer
cisco(config-if)#exit
cisco(config)#ip route 172.19.0.0 255.255.255.0 Tunnel0

== Linux server ==

/etc/network/interfaces

iface tun0 inet static
address 172.19.0.3
netmask 255.255.255.0
broadcast 172.19.0.255
up ifconfig tun0 multicast
pre-up iptunnel add tun0 mode gre local *.*.*.131 remote *.130 ttl 255
pointopoint 172.19.0.2
post-down iptunnel del tun0

linux:~# /etc/init.d/networking restart

linux:~# ifconfig tun0
tun0 Link encap:UNSPEC HWaddr D0-31-73-83-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:172.19.0.3 P-t-P:172.19.0.3 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MTU:1476 Metric:1
RX packets:22 errors:0 dropped:0 overruns:0 frame:0
TX packets:22 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1928 (1.8 KiB) TX bytes:2456 (2.3 KiB)

linux:~# ip tun s
sit0: ipv6/ip remote any local any ttl 64 nopmtudisc
gre0: gre/ip remote any local any ttl inherit nopmtudisc
tun0: gre/ip remote *.*.*.130 local *.*.*.131 ttl 255

== Debug ==

linux:~# ping -i.1 172.19.0.2
PING 172.19.0.2 (172.19.0.2) 56(84) bytes of data.
64 bytes from 172.19.0.2: icmp_seq=1 ttl=255 time=59.6 ms
64 bytes from 172.19.0.2: icmp_seq=2 ttl=255 time=67.9 ms
64 bytes from 172.19.0.2: icmp_seq=3 ttl=255 time=60.9 ms
64 bytes from 172.19.0.2: icmp_seq=4 ttl=255 time=59.6 ms
64 bytes from 172.19.0.2: icmp_seq=5 ttl=255 time=61.9 ms

cisco# ping 172.19.0.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.19.0.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/61/64 ms
cisco#

So now we have our tunnel up and running.

== Configuring OSPF ==

[http://en.wikipedia.org/wiki/Open_Shortest_Path_First]
[http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/ospf.htm]

=== Cisco ===

cisco#sh running-config | begin router
router ospf 100
log-adjacency-changes
area 1 range 172.19.0.0 255.255.255.0
area 2 range 172.20.0.0 255.255.0.0
redistribute static subnets route-map internal-routes
network 172.19.0.0 0.0.0.255 area 1
network 172.20.0.0 0.0.255.255 area 2
network 172.22.209.208 0.0.0.15 area 2
network 172.22.209.224 0.0.0.31 area 2
network 172.31.254.114 0.0.0.0 area 0
network 172.31.254.122 0.0.0.0 area 0
network 172.31.254.208 0.0.0.7 area 0
network 172.31.254.240 0.0.0.7 area 0
network 172.31.255.0 0.0.0.255 area 0
network 192.168.120.0 0.0.0.255 area 2

=== Linux ===

”’zebra.conf”’

hostname Linux
password qwerty
enable password qwerty
!
interface eth1
!
interface tun0
multicast


'''ospfd.conf'''

hostname Linux
password st0ne
enable password passwd
log file /var/log/quagga/ospf.log
!
interface tun0
no ip ospf authentication-key
ip ospf network point-to-point
!
router ospf
ospf router-id 172.19.0.3
area 1 range 172.19.0.0/24
network 172.19.0.0/24 area 1
network 172.20.0.0/16 area 2
!
line vty
access-class permit-connect-only-locals
exec-timeout 0 0
!

linux:~# /usr/lib/quagga/zebra -f /etc/zebra.conf &
linux:~# /usr/lib/quagga/ospfd -f /etc/ospfd.conf &

linux:~# ip r l
172.16.19.42 via 172.19.0.2 dev tun0 proto zebra metric 12 equalize
192.168.100.3 via 172.19.0.2 dev tun0 proto zebra metric 12 equalize
192.168.131.3 via 172.19.0.2 dev tun0 proto zebra metric 12 equalize
192.168.132.60 via 172.19.0.2 dev tun0 proto zebra metric 12 equalize
172.16.19.45 via 172.19.0.2 dev tun0 proto zebra metric 12 equalize

So we`ve started recieving routes.. Now we can “see” all the network behind the Cisco router.

== Debugging ==

cisco# sh ip ospf neighbor
.........
172.19.0.3 1 FULL/ - 00:00:30 172.19.0.3 Tunnel0

cisco# sh protocols tun0
Tunnel0 is up, line protocol is up
Internet address is 172.19.0.2/24

………………………………………..

cisco# sh ip ospf
Routing Process "ospf 100" with ID 172.31.255.228 and Domain ID 0.0.0.100
Supports only single TOS(TOS0) routes
Supports opaque LSA
It is an area border and autonomous system boundary router
Redistributing External Routes from,
static, includes subnets in redistribution
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
Number of external LSA 673. Checksum Sum 0x14FAA2D
Number of opaque AS LSA 0. Checksum Sum 0x0
Number of DCbitless external and opaque AS LSA 0
Number of DoNotAge external and opaque AS LSA 0
Number of areas in this router is 3. 3 normal 0 stub 0 nssa
External flood list length 0
Area BACKBONE(0)
Number of interfaces in this area is 17
Area has no authentication
SPF algorithm executed 90578 times
Area ranges are
Number of LSA 900. Checksum Sum 0x1BB4B9D
Number of opaque link LSA 0. Checksum Sum 0x0
Number of DCbitless LSA 1
Number of indication LSA 1
Number of DoNotAge LSA 0
Flood list length 0
Area 1
Number of interfaces in this area is 1
Area has no authentication
SPF algorithm executed 4 times
Area ranges are
172.19.0.0/24 Active(11111) Advertise
Number of LSA 189. Checksum Sum 0x590BCE
Number of opaque link LSA 0. Checksum Sum 0x0
Number of DCbitless LSA 1
Number of indication LSA 0
Number of DoNotAge LSA 0
Flood list length 0
Area 2
Number of interfaces in this area is 12
Area has no authentication
SPF algorithm executed 831 times
Area ranges are
172.20.0.0/16 Active(1) Advertise
Number of LSA 840. Checksum Sum 0x1BBCA35
Number of opaque link LSA 0. Checksum Sum 0x0
Number of DCbitless LSA 4294861955
Number of indication LSA 4294861953
Number of DoNotAge LSA 0
Flood list length 0

linux:~#!telnet
telnet localhost 2604
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

Hello, this is Quagga (version 0.98.3).
Copyright 1996-2005 Kunihiro Ishiguro, et al.

User Access Verification

Password:
Password:
> en
Password:
# sho ip ospf interfa
eth0 is down
OSPF not enabled on this interface
eth1 is up
OSPF not enabled on this interface
eth2 is down
OSPF not enabled on this interface
gre0 is down
OSPF not enabled on this interface
lo is up
OSPF not enabled on this interface
sit0 is down
OSPF not enabled on this interface
tun0 is up
Internet Address 172.19.0.3/24, Peer 172.19.0.2, Area 0.0.0.1
Router ID 172.19.0.3, Network Type POINTOPOINT, Cost: 10
Transmit Delay is 1 sec, State Point-To-Point, Priority 1
No designated router on this network
No backup designated router on this network
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:08
Neighbor Count is 1, Adjacent neighbor count is 1

# sho ip ospf neigh

Neighbor ID Pri State Dead Time Address Interface RXmtL RqstL DBsmL
172.31.255.228 1 Full/DROther 00:00:36 172.19.0.2 tun0:172.19.0.3 0 0 0

An other way without configuring ospfd is to use iproute. Lets say you want to ssh to an server behind the Cisco Server :

linux:~# echo 201 www >> /etc/iproute2/rt_tables
linux:~# /sbin/iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 2
linux:~# /sbin/ip route add default via 172.19.0.2 dev tun0 table ssh
linux:~# /sbin/ip rule add fwmark 2 table ssh
linux:~# /sbin/ip route flush cache