Thứ Hai, 29 tháng 7, 2013
Cisco ASA Management
General keys
Cisco ASA
provides the remote access management protocol such as Telnet, HTTPS and SSH. Each
access management protocol allows up to 5 concurrent connections per context
and 100 total connections across all security contexts.
By default,
Cisco ASA doesn’t allow management access, so it must be configured to accept
management access from specific source IP ranges.
Telnet is a
clear-test access protocol that authenticates access to ASA based on IP address
of the session source. Hence, Telnet protocol should never be used over
untrusted networks, in that case you should use SSH instead.
SSH
protocol authenticates the ASA using public-key. SSH protocol can be used over
untrusted networks.
HTTPS
protocol allows access to ASA using ASDM and authenticates ASA to the
administrator using public key in the form of X.509 certificate. HTTPS protocol
can be used over untrusted network, it’s similar to SSH.
Thứ Tư, 17 tháng 7, 2013
How to configure GS-2224 for Q-in-Q
Functional Description :
* Service
providers can use Q-in-Q to transparently pass Layer 2 VLAN traffic from a
customer site, through the service provider network, to another customer site
without removing or changing the customer VLAN tags
* The double Q-in-Q
tags can indicate different information , the inner tag indicates the user, the
outer tag indicates carrier provider , the Q-in-Q packet with two tags can
traverse the carrier’s network and the inner tag is transmitted transparently .
Test Scenario :
Switch will be
used for Leased Line Service,
They are already
using Tag VLAN (802.1q) ,so they would like to add another Tag with out
changing existing VLAN.
Typical Application :
An abstract illustration to above
application :
GS-2224 Configure Steps :
Step 1:
Configure VLAN mode at “ Tag mode ”.
Step 2: Create
VLAN 20 and VLAN 40
Configure Port 3 .Port 4 and Port 24 are belong to
VLAN 20
Configure Port 1 .Port 2 and Port 24 are
belong to VLAN 40
Port 24 is uplink port .
The above setting is configured at SW1(Left side) and SW2(Right
side).
Step 3 : Configure
tag identifier as “0x8100 “ OR “0x88a8”
(There is no specific regulation
to choose tag identifier, the
only precautions
needs to be noticed whether link partner aware of the tag identifier).
Step 4 : Examine”
VLAN aware” check box are activity on all ports .
Step 5 :
Configure PVID
Port1 and Port2 are PVID=40 and their
port role are VLAN access mode .
Port3 and Port4 are PVID=20 and their
port role are VLAN access mode .
The port role of Port24 is VLAN trunk
mode.
Step 6 :
Configure double tag function to “Customer mode“ at Port1 ~ Port 4.
(The following picture with configure port1
and port2 only for example ).
Step 7 :
Configure double tag function to “Service mode“ at Port24.
( Double Tag:
Double-tag mode belongs to the tag-based mode,
however, it would treat all frames as the untagged ones, which means that tag
with PVID will be added into all packets. Then, these packets will be forwarded
as Tag-based VLAN. So, the incoming packets with tag will become the double-tag
ones. Scroll to enable the function and default is Disable.
Customer
port :
The
parameter is for this port connects to customer site .
Service
port :
The
parameter is for this port connects between at carrier sites. )
Test Criterion :
* Outgoing
packets from port 24 (pours packets from port1 to port24) are carrying double
tag.
The packets
captured 1.jpg .~ packets captured 4.jpg
is for reference.
Test Result : PASS
* Outgoing
packets from port 24 (pours packets from port1 to port24) are carrying correct
outer tag and inter tag .
The packets
captured 1.jpg .~ packets captured 4.jpg
is for reference.
Test Result : PASS
* Packets can
be forwarded via both switches with enable Q in Q.
Test Result : PASS
* Left Company
A and Right Company A can communicate each other .
Test Result : PASS
* Left Company
B and Right Company B can communicate each other .
Test Result : PASS
*Outgoing
packets from port 1(packets are forwarded via both switches to another customer
site ) are carrying correct tag .
The packets
captured 5.jpg .~ packets captured 6.jpg
is for reference.
Test Result : PASS
Print all relevant configuration at
CLI
GS-2224(vlan)# sh
group
Vlan mode is
tag-based.
Vlan Name : Default
Vlan ID : 1
IGMP Aware : disable
Private VLAN :
disable
GVRP Propagation :
disable
Member : 1 2
3 4 5
6 7 8
9 10 11 12 13 14 15 16 17 18 19
20 21 22 23 24
Vlan Name : vlan 20
Vlan ID : 20
IGMP Aware : disable
Private VLAN : disable
GVRP Propagation : disable
Member : 3 4 24
Vlan Name : vlan 40
Vlan ID : 40
IGMP Aware : disable
Private VLAN :
disable
GVRP Propagation :
disable
Member : 1 2 24
GS-2224(vlan)# sh
port
Tag
Identifier:0x8100
Port
PVID Ingress Frame Type
Role Untag Vid Aware
double
Filtering
tag
------ ------
--------- ---------- --------- ----------- ------- --------
1 40
disable all Access 0
true customer
2
40 disable all
Access 0 true customer
3
20 disable all
Access 0 true customer
4
20 disable all
Access 0
true customer
5
1 disable all
Access 0 true
disable
6
1 disable all
Access 0 true
disable
7
1 disable all
Access 0 true
disable
8 1
disable all Access 0
true disable
9
1 disable all
Access 0 true
disable
10
1 disable all
Access 0 true
disable
11
1 disable all
Access 0
true disable
12
1 disable all
Access 0 true
disable
13
1 disable all
Access 0 true
disable
14
1 disable all
Access 0 true
disable
15
1 disable
all Access 0
true disable
16
1 disable all
Access 0 true
disable
17
1 disable all
Access 0 true
disable
18
1 disable all
Access 0
true disable
19
1 disable all
Access 0 true
disable
20
1 disable all
Access 0 true
disable
21
1 disable all
Access 0 true
disable
22
1 disable
all Access 0
true disable
23
1 disable all
Access 0 true
disable
24
1 disable all
Trunk 0 true
service
Thứ Ba, 25 tháng 6, 2013
Cisco ASA: RIP, OSPF, EIGRP
Task:
- configure dynamic routing rip, eigrp, ospf as topology above.
- configure authentication between Router R1, R2, R4, ASA.
- Redistribute between Dynamic Routing protocols.
- ensure the network in topology can be full reachability.
On ASA, you should type command "passive interface" in RIP to suppress rmulticast updates send out interfaces e0/2 and e0/0 but will allow listerning to incomming updates. Because all interfaces on ASA have the same major network of 10.0.0.0/8.
Thứ Hai, 24 tháng 6, 2013
Cisco ASA: Security Level & Access Rule
Concepts relate to this LAB:
By default, ASA automatically assigns “level security” parameter of 100 if user configures an interface name of “inside”, and it assigns security level of 0 if user configures an interface name of “outside”. User can manually assign security lever for an interface by command “security-level <level>”. Other ASA interfaces that connect to other areas of the network should receive a security level between 1 and 99. Security level must be unique.
Interfaces with a higher security level are considered to be more trusted than interface with a lower security level. Usually, interface name is assigned to “outside” if that interface faces a public and interface name is assigned to “inside” if that interface faces a local.
Cisco ASA bases on security level to determine that traffic is inbound connection or outbound connection.
It’s an inbound connection, if traffic is initiated from a lower security lever toward a higher security level. By default, an inbound connection is considered unsecure, so traffic from a lower-security interface to a higher one can’t pass unless additional explicit inspection and filtering checks are passed.
It’s an outbound connection, if traffic is initiated from a higher security level toward a lower security level. An outbound connection is considered secure and automatically being inspection, so traffic doesn’t require any access list for returning traffic.
Note that, ICMP traffic is stateless and no icmp inspection is enabled by default so that ICMP coming from a higher security level interface to a lower security level interface will be blocked. To permit ICMP traffic in this case, user can enable ICMP inspection globally or configure an inbound ACL.
Interfaces on ASA can be configured as a trunk link. However, ASA’s interface can’t auto negotiate Trunk through the Dynamic Trunking Protocol (DTP) as a Cisco switch.
LAB Security Level & Access Rule
Chủ Nhật, 23 tháng 6, 2013
Mô Hình Mạng Kênh Thuê Riêng
1. Hướng
Dẫn Cấu Hình Kênh Thuê Riêng Trên Router Vigor3100
Bước
1:
- Cấu hình lớp mạng LAN 50.50.50.0/24 cho Router phía CPE chúng ta vào LAN >> General Setup.
- Cấu hình lớp mạng LAN 50.50.50.0/24 cho Router phía CPE chúng ta vào LAN >> General Setup.
- Click
Enable tính năng For IP Routing Usage và khai báo IP for Route cho Vigor3100 là 50.50.50.1,
nhấn Ok và nhấn Ok lần nữa để lưu cấu hình.
Bước 2:
- Vào Internet Access >> DSL Setting. Cấu hình các thông số CPE, Annex B, tốc độ đường truyền.
- Vào Internet Access >> DSL Setting. Cấu hình các thông số CPE, Annex B, tốc độ đường truyền.
Bước 3:
- Khai báo Channel2 cho dịch vụ kênh thuê riêng.
- Khai báo Channel2 cho dịch vụ kênh thuê riêng.
Chú ý: hãy đảm bảo VPI/VCI của các channel phải khác nhau, nếu không sẽ không thể kết nối.
Bước 4:
- Cấu hình IP WAN trong mục Internet Access >> MPoA (RFC1483/2684).
- Cấu hình IP WAN trong mục Internet Access >> MPoA (RFC1483/2684).
-
Chọn Specify an IP Address.
-
Khai báo IP Address, Subnet Mask, Gateway IP
Address.
Bước 5:
- Tới bước này Router đã kết nối được dịch vụ kênh thuê riêng, tuy nhiên chúng ta chỉ có thể ping thấy IP WAN, mà không ping thấy lớp mạng của CO.
- Tới bước này Router đã kết nối được dịch vụ kênh thuê riêng, tuy nhiên chúng ta chỉ có thể ping thấy IP WAN, mà không ping thấy lớp mạng của CO.
- Bạn
có thể không cần làm bước này, nếu biết chắc ISP đã routing lớp mạng của CO.
2. Hướng
Dẫn Cấu Hình Kênh Thuê Riêng Trên Atrie 5300
Bước 1: Cấu
hình lớp mạng LAN 50.50.50.0/24 cho Router phía CPE.
Bước 2:
- Vào Basic Configuration >> System
- Vào Basic Configuration >> System
·
Operation
Mode: Router
·
Service
Type: RT (CPE);
COT (CO)
·
Standard
Mode: ETSI(Annex B); ANSI(Annex A).
·
Khởi gán tốc độ Data Rate: chọn Fixed và được tính bằng kbps.
Bước 3: Khai báo Channel1 cho dịch vụ kênh thuê riêng.
-
Vào Basic Configuration >> WAN >> Channel1.
·
Active: Yes
·
VPI/VCI : 8/35
·
Encapsulation: RFC2684
·
Multiplex: LLC
·
IP Address: 192.168.100.10;
·
Subnet Mask: 255.255.255.252;
·
Remote IP: 192.168.100.9
·
IP Sharing: Disable
(Disable chạy Routing và Enable để chạy NAT).
Bước 4:
- Mặc định Atrie không trỏ default router, nên ta cần add default route chỉ về Gateway: 192.168.100.9.
- Mặc định Atrie không trỏ default router, nên ta cần add default route chỉ về Gateway: 192.168.100.9.
Bước 5:
- Đến đây thì Atrie 5300 đã kết nối dịch vụ, chúng ta cần add static route về lớp mạng 20.20.20.0/24 với Gateway là IP WAN của CO.
- Đến đây thì Atrie 5300 đã kết nối dịch vụ, chúng ta cần add static route về lớp mạng 20.20.20.0/24 với Gateway là IP WAN của CO.
3. Cấu
Hình VPN LAN to LAN từ Router Vigor3100 đến Router Cisco
I. Cấu
hình trên Router Vigor3100
1. Common Settings:
a. nhập tên Profile Name.
b. chọn "Enable this Profile".
c. chọn Dial-Out, chọn Always_on.
a. nhập tên Profile Name.
b. chọn "Enable this Profile".
c. chọn Dial-Out, chọn Always_on.
2. Dial-Out Settings:
a. enable “IPSec tunnel”.
b. nhập IP WAN của Router Cisco: 192.168.100.2
c. nhập “IKE Pre-shared Key”.
a. enable “IPSec tunnel”.
b. nhập IP WAN của Router Cisco: 192.168.100.2
c. nhập “IKE Pre-shared Key”.
d. Enable “IPSec Security Method”, chọn DES with Authentication.
3. TCP/IP Network Settings:
- Điền IP: 20.20.20.0, Subnet Mask: 255.255.255.0
- Điền IP: 20.20.20.0, Subnet Mask: 255.255.255.0
II. Cấu hình Router
Cisco
version 12.2
no parser cache
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
hostname Cisco1720
logging rate-limit console 10 except errors
enable password
memory-size iomem 15
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip domain-lookup
ip dhcp pool 1
network 20.20.20.0 255.255.255.0
default-router 20.20.20.1
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
no ip dhcp-client network-discovery
crypto isakmp policy 1
hash md5
authentication pre-share
lifetime 3600
crypto isakmp key 123 address 192.168.100.10
crypto ipsec transform-set cm-transformset-1 esp-des esp-md5-hmac
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
crypto map cm-cryptomap local-address Ethernet0
crypto map cm-cryptomap 1 ipsec-isakmp
set peer 192.168.100.10
set transform-set cm-transformset-1
match address 100
interface Ethernet0
description connected to Internet
ip address 192.168.100.2 255.255.255.252
half-duplex
crypto map cm-cryptomap
interface FastEthernet0
description connected to EthernetLAN_1
ip address 20.20.20.1 255.255.255.0
speed auto
router rip
version 1
passive-interface Ethernet0
network 192.168.100.0
network 20.20.20.0
no auto-summary
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0
no ip http server
access-list 100 permit ip 20.20.20.0
0.0.0.255
50.50.50.0
0.0.0.255
snmp-server community public RO
line con 0
exec-timeout 0 0
password 7 06575D7218
login
line aux 0
line vty 0 4
password
login
line vty 5 15
login
no scheduler allocate
end
no parser cache
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
hostname Cisco1720
logging rate-limit console 10 except errors
enable password
memory-size iomem 15
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip domain-lookup
ip dhcp pool 1
network 20.20.20.0 255.255.255.0
default-router 20.20.20.1
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
no ip dhcp-client network-discovery
crypto isakmp policy 1
hash md5
authentication pre-share
lifetime 3600
crypto isakmp key 123 address 192.168.100.10
crypto ipsec transform-set cm-transformset-1 esp-des esp-md5-hmac
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
crypto map cm-cryptomap local-address Ethernet0
crypto map cm-cryptomap 1 ipsec-isakmp
set peer 192.168.100.10
set transform-set cm-transformset-1
match address 100
interface Ethernet0
description connected to Internet
ip address 192.168.100.2 255.255.255.252
half-duplex
crypto map cm-cryptomap
interface FastEthernet0
description connected to EthernetLAN_1
ip address 20.20.20.1 255.255.255.0
speed auto
router rip
version 1
passive-interface Ethernet0
network 192.168.100.0
network 20.20.20.0
no auto-summary
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0
no ip http server
access-list 100 permit ip 20.20.20.0
0.0.0.255
50.50.50.0
0.0.0.255
snmp-server community public RO
line con 0
exec-timeout 0 0
password 7 06575D7218
login
line aux 0
line vty 0 4
password
login
line vty 5 15
login
no scheduler allocate
end
Port Type Switch DrayTek
Port can be one of the
following types: Unaware, C-port, S-port, and
S-custom-port.
Ingress action
|
Egress action
|
|
Unaware
|
When the port
received untagged frames, an untagged frame obtain a tag (based on PVID) and
is forwarded.
When the port
received tagged frames :
No matter which is
TPID value, it will add one outer tag that is PVID , and is forwarded.
|
The TPID of
frame transmitted by Unaware port will be set to 0x8100.
The final status
of the frame after egressing are also effected by Egress Rule.
|
C-port
|
When the port
received untagged frames, an untagged frame obtain a tag (based on PVID) and
is forwarded.
When the port
received tagged frames :
1.
if
an tagged frame with TPID=0x8100, it is forwarded. (not add tag)
2.
if
an tagged frame with TPID is not 0x8100,and not Ox88a8 , and not Ethertype ,
it is forwarded.( will add one outer tag that is PVID)
3. if the TPID of tagged frame is 0x88A8 or
Ethertype, it will be discarded.
|
The TPID of
frame transmitted by C-port will be set to 0x8100.
|
S-port
|
When the port
received untagged frames, an untagged frame obtain a tag (based on PVID) and
is forwarded.
When the port
received tagged frames:
1.
Only
the TPID of tagged frame is 0x8100, it will be discarded , others TPID will
be forwarded.
2.
This
mode will not add tag.
|
The TPID of
frame transmitted by S-port will be set to 0x88A8.
|
S-custom-port
|
When the port
received untagged frames, an untagged frame obtain a tag (based on PVID) and
is forwarded.
When the port
received tagged frames :
1.
Only
the TPID of tagged frame is 0x8100, it will be discarded , others TPID will
be forwarded.
2.
This
mode will not add tag.
|
The TPID of
frame transmitted by S-custom-port will be set to an self-customized value,
which can be set by the user using the column of Ethertype for Custom S-ports.
|
Port type - Ingress sample ( each arrow
color represents its operate behavior to
individual packet)
S-custom-port is used for user defined
TPID .While Ethertype for Custom S-ports
is configured to 8888 , outgoing packet will bring with TPID 8888 tag .
Đăng ký:
Bài đăng (Atom)