Monday, July 29, 2013

Cisco ASA Management


Key points
The Cisco ASA provides remote management access over protocols such as Telnet, HTTPS and SSH. Each management access protocol allows up to 5 concurrent connections per context and 100 total connections across all security contexts.
By default, the Cisco ASA does not allow management access, so it must be configured to accept management access from specific source IP ranges.
Telnet is a clear-text access protocol that authenticates access to the ASA based on the IP address of the session source. Hence, Telnet should never be used over untrusted networks; in that case use SSH instead.
SSH authenticates the ASA to the administrator using a public key, so it can be used over untrusted networks.
HTTPS allows access to the ASA using ASDM and authenticates the ASA to the administrator using a public key in the form of an X.509 certificate. Like SSH, HTTPS can be used over untrusted networks.
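To turn the points above into something checkable, here is an added example (my own code, not part of the original post) that audits the management-access statements of an ASA configuration: it parses the `telnet`, `ssh` and `http` lines of the form `<protocol> <address> <mask> <nameif>`, reads the security level of each interface, and flags clear-text Telnet, management access accepted from any source (0.0.0.0 0.0.0.0), and SSH enabled without `ssh version 2`. The configuration snippet embedded in the script is constructed for the example and does not describe a real device.

```python
"""Audit the management-access statements of a Cisco ASA configuration.

Added example, not code from the original post. It parses the `telnet`,
`ssh` and `http` access lines (`<protocol> <address> <mask> <nameif>`) and
flags clear-text Telnet, management access from any source, and SSH that
is enabled without `ssh version 2`.
"""
import ipaddress
import re

# Constructed sample configuration for this example (not a real device).
SAMPLE_CONFIG = """\
hostname ASA-LAB
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
http server enable
http 10.1.1.0 255.255.255.0 inside
ssh 10.1.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh version 2
telnet 10.1.1.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 outside
"""

# Matches "<telnet|ssh|http> <address> <mask> <nameif>" only; lines such as
# "http server enable" or "ssh version 2" have no address and are skipped.
ACCESS_RE = re.compile(
    r"^(telnet|ssh|http) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$"
)


def interface_levels(config):
    """Map each nameif to its security-level (0 is the least trusted)."""
    levels, nameif = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("security-level ") and nameif is not None:
            levels[nameif] = int(line.split()[1])
    return levels


def parse_management_access(config):
    """Return (protocol, source_network, nameif) for every access statement."""
    entries = []
    for raw in config.splitlines():
        m = ACCESS_RE.match(raw.strip())
        if m:
            proto, addr, mask, nameif = m.groups()
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            entries.append((proto, net, nameif))
    return entries


def audit(config):
    """Return a list of (severity, message) findings; empty means nothing found."""
    findings = []
    levels = interface_levels(config)
    entries = parse_management_access(config)
    for proto, net, nameif in entries:
        level = levels.get(nameif, 0)  # unknown interface: treat as untrusted
        if proto == "telnet" and level == 0:
            findings.append(("HIGH", f"telnet permitted on untrusted interface {nameif}"))
        if net.prefixlen == 0:
            findings.append(("HIGH", f"{proto} on {nameif} accepts sessions from any source"))
        if proto == "telnet" and level > 0:
            findings.append(("MEDIUM", f"telnet (clear-text) on {nameif}; prefer ssh"))
    if any(proto == "ssh" for proto, _, _ in entries) and "ssh version 2" not in config:
        findings.append(("MEDIUM", "ssh enabled without 'ssh version 2'"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(f"{severity}: {message}")
```

Run it against the output of `show running-config` saved to a file and it reports the telnet statements and the 0.0.0.0 0.0.0.0 source ranges the post warns about; the severity scheme and the "unknown interface is untrusted" rule are choices made for this example.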

Wednesday, July 17, 2013

How to configure GS-2224 for Q-in-Q



Functional Description:

* Service providers can use Q-in-Q to transparently pass Layer 2 VLAN traffic from a customer site, through the service provider network, to another customer site without removing or changing the customer VLAN tags.

* The two Q-in-Q tags carry different information: the inner tag identifies the customer, the outer tag identifies the carrier. A Q-in-Q packet with two tags can traverse the carrier's network while the inner tag is carried transparently.

Test Scenario:

The switch will be used for a leased line service.
The customer already uses tagged VLANs (802.1Q), so they would like to add another tag without changing the existing VLANs.



Typical Application:


An abstract illustration of the above application:





GS-2224 Configuration Steps:

Step 1: Set the VLAN mode to "Tag mode".


Step 2: Create VLAN 20 and VLAN 40.
       Configure Port 3, Port 4 and Port 24 as members of VLAN 20.
       Configure Port 1, Port 2 and Port 24 as members of VLAN 40.
       Port 24 is the uplink port.
       The above settings are configured on both SW1 (left side) and SW2 (right side).



 




Step 3: Configure the tag identifier as "0x8100" or "0x88a8".
       (There is no fixed rule for choosing the tag identifier; the only precaution is to check whether the link partner recognises the chosen tag identifier.)

Step 4: Check that the "VLAN aware" check box is enabled on all ports.
Step 5: Configure the PVID.
       Port 1 and Port 2: PVID=40, port role VLAN access mode.
       Port 3 and Port 4: PVID=20, port role VLAN access mode.
       Port 24: port role VLAN trunk mode.

Step 6: Set the double tag function to "Customer mode" on Port 1 ~ Port 4.
   (The following picture shows the configuration of Port 1 and Port 2 only, as an example.)

Step 7: Set the double tag function to "Service mode" on Port 24.
( Double Tag:
Double-tag mode belongs to the tag-based mode; however, it treats all frames as untagged, which means a tag carrying the PVID is added to every packet. These packets are then forwarded as tag-based VLAN traffic, so incoming packets that already carry a tag become double-tagged. Scroll to enable the function; the default is Disable.
Customer port:
This setting is for a port that connects to the customer site.
Service port:
This setting is for a port that connects between carrier sites. )





Test Criteria:

* Outgoing packets from port 24 (packets sent in on port 1 and out on port 24) carry a double tag.
The captures "packets captured 1.jpg" ~ "packets captured 4.jpg" are for reference.

Test Result: PASS

* Outgoing packets from port 24 (packets sent in on port 1 and out on port 24) carry the correct outer tag and inner tag.
The captures "packets captured 1.jpg" ~ "packets captured 4.jpg" are for reference.

Test Result: PASS

* Packets can be forwarded through both switches with Q-in-Q enabled.

Test Result: PASS

* Left Company A and Right Company A can communicate with each other.

Test Result: PASS

* Left Company B and Right Company B can communicate with each other.

Test Result: PASS

* Outgoing packets from port 1 (packets forwarded through both switches to the other customer site) carry the correct tag.
The captures "packets captured 5.jpg" ~ "packets captured 6.jpg" are for reference.

Test Result: PASS











All relevant configuration printed at the CLI:

GS-2224(vlan)# sh group
Vlan mode is tag-based.

Vlan Name    : Default
Vlan ID      : 1
IGMP Aware   : disable
Private VLAN : disable
GVRP Propagation : disable
Member : 1  2  3  4  5  6  7  8  9  10 11 12 13 14 15 16 17 18 19 20 21 22 23 24

Vlan Name    : vlan 20
Vlan ID      : 20
IGMP Aware   : disable
Private VLAN : disable
GVRP Propagation : disable
Member : 3  4  24

Vlan Name    : vlan 40
Vlan ID      : 40
IGMP Aware   : disable
Private VLAN : disable
GVRP Propagation : disable
Member : 1  2  24

GS-2224(vlan)# sh port

Tag Identifier:0x8100

 Port   PVID  Ingress   Frame Type   Role     Untag Vid   Aware   double
              Filtering                                             tag
------ ------ --------- ---------- --------- ----------- ------- --------
   1       40   disable      all     Access         0      true customer
   2       40   disable      all     Access         0      true customer
   3       20   disable      all     Access         0      true customer
   4       20   disable      all     Access         0      true customer

   5        1   disable      all     Access         0      true  disable
   6        1   disable      all     Access         0      true  disable
   7        1   disable      all     Access         0      true  disable
   8        1   disable      all     Access         0      true  disable
   9        1   disable      all     Access         0      true  disable
  10        1   disable      all     Access         0      true  disable
  11        1   disable      all     Access         0      true  disable
  12        1   disable      all     Access         0      true  disable
  13        1   disable      all     Access         0      true  disable
  14        1   disable      all     Access         0      true  disable
  15        1   disable      all     Access         0      true  disable
  16        1   disable      all     Access         0      true  disable
  17        1   disable      all     Access         0      true  disable
  18        1   disable      all     Access         0      true  disable
  19        1   disable      all     Access         0      true  disable
  20        1   disable      all     Access         0      true  disable
  21        1   disable      all     Access         0      true  disable
  22        1   disable      all     Access         0      true  disable
  23        1   disable      all     Access         0      true  disable
  24        1   disable      all      Trunk         0      true  service
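The configuration steps and the test criteria above can be replayed in software. The following is an added example (my own code, not from the original post or from the GS-2224 firmware) that builds a customer frame which already carries an 802.1Q tag, pushes an outer tag with PVID 40 on a "Customer mode" port using the tag identifier from Step 3, carries the double-tagged frame over the "Service mode" uplink (port 24) and pops the outer tag again on the far access port, which is exactly what the captures were checked for. The MAC addresses, the customer VLAN (100) and the payload are constructed for the example; the VLAN membership and PVIDs are the ones from the `sh group` / `sh port` output.

```python
"""Q-in-Q tag push/pop modelled on the GS-2224 test above.

Added example, not code from the original post or the GS-2224 firmware. It
builds a customer frame that already carries an 802.1Q tag, pushes an outer
tag on a "Customer mode" port (PVID 40, tag identifier from Step 3), carries
the double-tagged frame over the "Service mode" uplink (port 24) and pops
the outer tag again on the far access port. MAC addresses, the customer
VLAN (100) and the payload are constructed for the example.
"""
import struct

TPID_8100 = 0x8100  # 802.1Q
TPID_88A8 = 0x88A8  # 802.1ad S-tag


def build_frame(dst, src, ethertype, payload):
    """Untagged Ethernet II frame without FCS."""
    return dst + src + struct.pack("!H", ethertype) + payload


def push_tag(frame, tpid, vid, pcp=0):
    """Insert a 4-byte VLAN tag after the source MAC, i.e. as the outermost tag."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]


def pop_tag(frame):
    """Remove the outermost VLAN tag; raise if the frame carries none."""
    if struct.unpack("!H", frame[12:14])[0] not in (TPID_8100, TPID_88A8):
        raise ValueError("frame has no VLAN tag to pop")
    return frame[:12] + frame[16:]


def parse_tags(frame):
    """Return ([(tpid, vid), ...] outermost first, payload EtherType)."""
    tags, off = [], 12
    while True:
        tpid = struct.unpack("!H", frame[off:off + 2])[0]
        if tpid not in (TPID_8100, TPID_88A8):
            return tags, tpid
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        tags.append((tpid, tci & 0x0FFF))
        off += 4


class QinQSwitch:
    """Just enough of the GS-2224 double-tag behaviour to replay the test."""

    def __init__(self, tag_identifier, pvid, members, customer_ports):
        self.tpid = tag_identifier      # Step 3: 0x8100 or 0x88a8
        self.pvid = pvid                # Step 5: port -> PVID
        self.members = members          # Step 2: VLAN id -> member ports
        self.customer = customer_ports  # Step 6: "Customer mode" access ports

    def forward(self, in_port, frame):
        """Return {egress_port: frame} for a frame received on in_port."""
        tags, _ = parse_tags(frame)
        # Customer mode treats every frame as untagged: always push the PVID tag.
        # A service port only tags frames that really are untagged.
        if in_port in self.customer or not tags:
            frame = push_tag(frame, self.tpid, self.pvid[in_port])
        outer_vid = parse_tags(frame)[0][0][1]  # the outer tag selects the VLAN
        out = {}
        for port in self.members.get(outer_vid, set()) - {in_port}:
            # Access egress strips the carrier tag; the trunk keeps both tags.
            out[port] = pop_tag(frame) if port in self.customer else frame
        return out


def run_scenario(tag_identifier=TPID_8100):
    """Send one Company A frame SW1 port 1 -> port 24 -> SW2 port 24 -> port 1."""
    members = {40: {1, 2, 24}, 20: {3, 4, 24}}
    pvid = {1: 40, 2: 40, 3: 20, 4: 20, 24: 1}
    sw1 = QinQSwitch(tag_identifier, pvid, members, customer_ports={1, 2, 3, 4})
    sw2 = QinQSwitch(tag_identifier, pvid, members, customer_ports={1, 2, 3, 4})
    # Constructed customer frame: Company A already uses VLAN 100 inside its site.
    original = push_tag(
        build_frame(bytes.fromhex("aabbccddeeff"), bytes.fromhex("112233445566"),
                    0x0800, b"CompanyA"),
        TPID_8100, 100)
    uplink = sw1.forward(1, original)[24]      # double-tagged on the uplink
    delivered = sw2.forward(24, uplink)[1]     # outer tag removed on the far side
    return original, uplink, delivered


if __name__ == "__main__":
    original, uplink, delivered = run_scenario()
    print("uplink tags   :", [(hex(t), v) for t, v in parse_tags(uplink)[0]])
    print("delivered tags:", [(hex(t), v) for t, v in parse_tags(delivered)[0]])
    print("transparent   :", delivered == original)
```

Calling `run_scenario(0x88A8)` shows the same flow with the 802.1ad tag identifier from Step 3: the outer tag then carries TPID 0x88a8 while the customer's inner 0x8100 tag is untouched, which is the property the last test criterion checks.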














Tuesday, June 25, 2013

Cisco ASA: RIP, OSPF, EIGRP







Task:
   - Configure dynamic routing (RIP, EIGRP, OSPF) as in the topology above.
   - Configure authentication between routers R1, R2, R4 and the ASA.
   - Redistribute between the dynamic routing protocols.
   - Ensure the whole network in the topology is fully reachable.

On the ASA, use the "passive-interface" command under RIP to suppress multicast updates sent out of interfaces e0/2 and e0/0 while still listening to incoming updates, because all interfaces on the ASA belong to the same major network, 10.0.0.0/8.


Monday, June 24, 2013

Cisco ASA: Security Level & Access Rule


Concepts related to this lab:
By default, the ASA automatically assigns a security level of 100 when an interface is named "inside", and a security level of 0 when an interface is named "outside". The security level of an interface can be set manually with the command "security-level <level>". Other ASA interfaces that connect to other areas of the network should receive a security level between 1 and 99. Security levels must be unique.
Interfaces with a higher security level are considered more trusted than interfaces with a lower security level. Usually, an interface is named "outside" if it faces a public network and "inside" if it faces a local network.
The Cisco ASA uses the security levels to determine whether traffic is an inbound or an outbound connection.
A connection is inbound if the traffic is initiated from a lower security level toward a higher security level. By default, an inbound connection is considered unsecure, so traffic from a lower-security interface to a higher-security one cannot pass unless additional explicit inspection and filtering checks are passed.
A connection is outbound if the traffic is initiated from a higher security level toward a lower security level. An outbound connection is considered secure and is inspected automatically, so no access list is required for the returning traffic.
Note that ICMP traffic is stateless and no ICMP inspection is enabled by default, so ICMP initiated from a higher security level interface to a lower security level interface will be blocked (its replies are not matched to a connection). To permit ICMP traffic in this case, enable ICMP inspection globally or configure an inbound ACL.
Interfaces on the ASA can be configured as a trunk link. However, an ASA interface cannot auto-negotiate trunking through the Dynamic Trunking Protocol (DTP) as a Cisco switch does.
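The rules in the concepts section are easy to state and easy to get backwards, so here they are as an added example (my own code, not from the original post) that encodes them as plain functions: the automatic levels for "inside" and "outside", the uniqueness check, the inbound/outbound classification, and the ICMP exception. The interface names and the level 50 used for the "dmz" interface are constructed for the example.

```python
"""How ASA security levels decide inbound vs. outbound and the default policy.

Added example, not code from the original post: it encodes the rules from
the concepts section as plain functions so the asymmetry (and the ICMP
exception) can be checked against a table of interface levels. The
interface names and levels used in __main__ are constructed for the example.
"""


def default_level(nameif):
    """Level the ASA assigns automatically from the interface name, else None."""
    return {"inside": 100, "outside": 0}.get(nameif)


def validate_levels(levels):
    """Levels must lie in 0..100 and, as the post states, be unique."""
    seen = {}
    for nameif, level in levels.items():
        if not 0 <= level <= 100:
            raise ValueError(f"{nameif}: security-level {level} is outside 0-100")
        if level in seen:
            raise ValueError(f"{nameif} and {seen[level]} share security-level {level}")
        seen[level] = nameif


def classify(levels, src_if, dst_if):
    """'outbound' for higher -> lower security level, 'inbound' for lower -> higher."""
    validate_levels(levels)
    return "outbound" if levels[src_if] > levels[dst_if] else "inbound"


def default_permitted(levels, src_if, dst_if, protocol,
                      icmp_inspect=False, inbound_acl=False):
    """Return (permitted, reason) for a connection initiated on src_if towards dst_if."""
    if classify(levels, src_if, dst_if) == "inbound":
        if inbound_acl:
            return True, "inbound: permitted by an explicit access list"
        return False, "inbound: denied by default, needs an access list"
    if protocol.lower() != "icmp":
        return True, "outbound: stateful inspection lets the return traffic back in"
    # ICMP is stateless and not inspected by default, so the replies are dropped.
    if icmp_inspect:
        return True, "outbound icmp: allowed because ICMP inspection is enabled"
    if inbound_acl:
        return True, f"outbound icmp: replies permitted by an access list on {dst_if}"
    return False, "outbound icmp: replies blocked (no ICMP inspection, no access list)"


if __name__ == "__main__":
    lab = {"outside": default_level("outside"), "inside": default_level("inside"), "dmz": 50}
    for src, dst, proto in [("inside", "outside", "tcp"), ("outside", "inside", "tcp"),
                            ("inside", "outside", "icmp"), ("inside", "dmz", "icmp")]:
        ok, why = default_permitted(lab, src, dst, proto)
        print(f"{src:>8} -> {dst:<8} {proto:<5} {('PERMIT' if ok else 'DENY'):6} {why}")
```

The `inbound_acl` flag stands for an access list applied inbound on the lower-security interface; a TCP or UDP flow from inside to outside needs none, while a ping from inside needs either ICMP inspection or such an ACL for the echo replies to get back, which is the point the note about ICMP makes.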


LAB Security Level & Access Rule





Sunday, June 23, 2013

Leased Line Network Model




1. Configuring the Leased Line on the Vigor3100 Router
Step 1:
- To configure the LAN subnet 50.50.50.0/24 on the CPE-side router, go to LAN >> General Setup.

- Click Enable for the For IP Routing Usage feature, set IP for Route of the Vigor3100 to 50.50.50.1, click OK, then click OK again to save the configuration.


Step 2:
- Go to Internet Access >> DSL Setting. Configure the parameters: CPE, Annex B, and the line speed.

Step 3:
- Declare Channel2 for the leased line service.
Note: make sure the VPI/VCI values of the channels are different from each other; otherwise the connection will not come up.

Step 4:
- Configure the WAN IP under Internet Access >> MPoA (RFC1483/2684).
-       Select Specify an IP Address.
-       Enter the IP Address, Subnet Mask and Gateway IP Address.


Step 5:
- At this point the router is connected to the leased line service; however, we can only ping the WAN IP, not the CO's LAN subnet.
-       You may skip this step if you are sure that the ISP already routes the CO's subnet.




2. Configuring the Leased Line on the Atrie 5300
Step 1: Configure the LAN subnet 50.50.50.0/24 on the CPE-side router.

Step 2:
- Go to Basic Configuration >> System
·         Operation Mode: Router
·         Service Type: RT (CPE);  COT (CO)
·         Standard Mode: ETSI (Annex B);  ANSI (Annex A).
·         Set the Data Rate: choose Fixed; the value is in kbps.

Step 3:  Declare Channel1 for the leased line service.
-       Go to Basic Configuration >> WAN >> Channel1.
·         Active: Yes
·         VPI/VCI :    8/35
·         Encapsulation: RFC2684
·         Multiplex: LLC
·         IP Address: 192.168.100.10;
·         Subnet Mask:   255.255.255.252;
·         Remote IP:  192.168.100.9
·         IP Sharing: Disable (Disable for routing, Enable for NAT).

Step 4:
- By default the Atrie has no default route, so add a default route pointing to the gateway 192.168.100.9.
Step 5:
- The Atrie 5300 is now connected to the service; add a static route to the 20.20.20.0/24 subnet with the CO's WAN IP as the gateway.

3. LAN-to-LAN VPN Configuration from the Vigor3100 Router to the Cisco Router
I. Configuration on the Vigor3100 Router
1. Common Settings:
   a. Enter the Profile Name.
   b. Select "Enable this Profile".
   c. Select Dial-Out, then select Always_on.



















2. Dial-Out Settings:
   a. Enable "IPSec tunnel".
   b. Enter the WAN IP of the Cisco router: 192.168.100.2
   c. Enter the "IKE Pre-shared Key".
   d. Enable "IPSec Security Method" and select DES with Authentication.





3. TCP/IP Network Settings:
   - Enter IP: 20.20.20.0, Subnet Mask: 255.255.255.0

II. Cisco Router Configuration


version 12.2
no parser cache
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
hostname Cisco1720
logging rate-limit console 10 except errors
enable password
memory-size iomem 15
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip domain-lookup
ip dhcp pool 1
network 20.20.20.0 255.255.255.0
default-router 20.20.20.1
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
no ip dhcp-client network-discovery
crypto isakmp policy 1
hash md5
authentication pre-share
lifetime 3600
crypto isakmp key 123 address 192.168.100.10
crypto ipsec transform-set cm-transformset-1 esp-des esp-md5-hmac
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
crypto map cm-cryptomap local-address Ethernet0
crypto map cm-cryptomap 1 ipsec-isakmp
set peer 192.168.100.10
set transform-set cm-transformset-1
match address 100

interface Ethernet0
description connected to Internet
ip address 192.168.100.2 255.255.255.252
half-duplex
crypto map cm-cryptomap
interface FastEthernet0
description connected to EthernetLAN_1
ip address 20.20.20.1 255.255.255.0
speed auto
router rip
version 1
passive-interface Ethernet0
network 192.168.100.0
network 20.20.20.0
no auto-summary
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0
no ip http server
access-list 100 permit ip 20.20.20.0 0.0.0.255 50.50.50.0 0.0.0.255

snmp-server community public RO
line con 0
exec-timeout 0 0
password 7 06575D7218
login
line aux 0
line vty 0 4
password
login
line vty 5 15
login
no scheduler allocate
end
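The crypto parameters in the configuration above (no explicit `encryption`, so IOS falls back to DES; `hash md5`; no `group`, so DH group 1; `esp-des esp-md5-hmac`; a three-character pre-shared key) are the kind of thing a reviewer should catch before a site-to-site tunnel goes live. The following is an added example (my own code, not from the original post) that parses the `crypto isakmp policy` blocks, the pre-shared keys and the transform sets of an IOS configuration and lists those weaknesses. The snippet it runs on is constructed from the crypto lines of the configuration above; the 16-character minimum for the pre-shared key is an assumption for this example, not an IOS rule.

```python
"""Check the IKE/IPsec parameters in an IOS site-to-site VPN configuration.

Added example, not code from the original post. The constructed snippet
below repeats the crypto lines of the Cisco 1720 configuration above so the
checks can be run offline; the findings (DES, MD5, DH group 1, short
pre-shared key) are what a reviewer would flag in that configuration today.
"""
import re

# Constructed from the crypto lines of the post's configuration.
SAMPLE = """\
crypto isakmp policy 1
hash md5
authentication pre-share
lifetime 3600
crypto isakmp key 123 address 192.168.100.10
crypto ipsec transform-set cm-transformset-1 esp-des esp-md5-hmac
crypto map cm-cryptomap 1 ipsec-isakmp
set peer 192.168.100.10
set transform-set cm-transformset-1
match address 100
"""

# IOS fills in these values when a policy does not set them explicitly.
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1", "lifetime": "86400"}
POLICY_KEYS = ("encryption", "hash", "group", "lifetime", "authentication")
WEAK_TRANSFORMS = {"esp-null", "esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}
MIN_PSK_LENGTH = 16  # assumption for this example, not an IOS limit


def parse_isakmp_policies(config):
    """{policy number: {parameter: value}} with IOS defaults filled in."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = dict(ISAKMP_DEFAULTS)
            policies[int(m.group(1))] = current
            continue
        parts = line.split(" ", 1)
        if current is not None and len(parts) == 2 and parts[0] in POLICY_KEYS:
            current[parts[0]] = parts[1]
        elif line:
            current = None  # any other statement ends the policy block
    return policies


def audit_ipsec(config):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for num, pol in parse_isakmp_policies(config).items():
        if pol["encryption"] in ("des", "3des"):
            findings.append(f"isakmp policy {num}: encryption {pol['encryption']} "
                            f"is weak (IOS defaults to des when unset)")
        if pol["hash"] == "md5":
            findings.append(f"isakmp policy {num}: hash md5 is weak")
        if pol["group"] in ("1", "2"):
            findings.append(f"isakmp policy {num}: DH group {pol['group']} is too small")
    # Optional "0"/"6" before the key is the IOS encryption-type marker.
    for m in re.finditer(r"^crypto isakmp key (?:[06] )?(\S+) address (\S+)", config, re.M):
        key, peer = m.groups()
        if len(key) < MIN_PSK_LENGTH:
            findings.append(f"pre-shared key for peer {peer} is only {len(key)} characters")
    for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M):
        name, transforms = m.groups()
        weak = sorted(set(transforms.split()) & WEAK_TRANSFORMS)
        if weak:
            findings.append(f"transform-set {name} uses weak transforms: {', '.join(weak)}")
    return findings


if __name__ == "__main__":
    for finding in audit_ipsec(SAMPLE):
        print("-", finding)
```

A policy using `encryption aes 256`, `hash sha256`, `group 14` and a transform set such as `esp-aes 256 esp-sha256-hmac` with a long random pre-shared key produces no findings; the Vigor3100 side would then need a matching proposal instead of "DES with Authentication".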

Port Type Switch DrayTek


Port can be one of the following types: Unaware, C-port, S-port, and S-custom-port.

Unaware
Ingress action:
When the port receives an untagged frame, the frame obtains a tag (based on the PVID) and is forwarded.
When the port receives a tagged frame, whatever its TPID value, one outer tag carrying the PVID is added and the frame is forwarded.
Egress action:
The TPID of frames transmitted by an Unaware port is set to 0x8100.
The final form of the frame after egress is also affected by the Egress Rule.

C-port
Ingress action:
When the port receives an untagged frame, the frame obtains a tag (based on the PVID) and is forwarded.
When the port receives a tagged frame:
1. If the TPID is 0x8100, the frame is forwarded as is (no tag added).
2. If the TPID is neither 0x8100, nor 0x88a8, nor the custom S-port Ethertype, the frame is forwarded with one outer tag (the PVID) added.
3. If the TPID is 0x88A8 or the custom S-port Ethertype, the frame is discarded.
Egress action:
The TPID of frames transmitted by a C-port is set to 0x8100.

S-port
Ingress action:
When the port receives an untagged frame, the frame obtains a tag (based on the PVID) and is forwarded.
When the port receives a tagged frame:
1. Only frames whose TPID is 0x8100 are discarded; frames with any other TPID are forwarded.
2. This mode does not add a tag.
Egress action:
The TPID of frames transmitted by an S-port is set to 0x88A8.

S-custom-port
Ingress action:
When the port receives an untagged frame, the frame obtains a tag (based on the PVID) and is forwarded.
When the port receives a tagged frame:
1. Only frames whose TPID is 0x8100 are discarded; frames with any other TPID are forwarded.
2. This mode does not add a tag.
Egress action:
The TPID of frames transmitted by an S-custom-port is set to a user-defined value, configured in the "Ethertype for Custom S-ports" column.


Port type - ingress sample (each arrow color represents the behavior applied to an individual packet):









S-custom-port is used for a user-defined TPID. When Ethertype for Custom S-ports is configured to 8888, outgoing packets carry a tag with TPID 8888.
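The ingress and egress rules of the four port types are simple enough to encode directly, which makes it easy to see which combinations drop frames. The following is an added example (my own code, not from the original post or from DrayTek) in which a frame is represented only by its tag stack, a list of (TPID, VID) pairs outermost first, with an empty list standing for an untagged frame. The PVIDs and the custom TPID 0x8888 used below are constructed for the example; the custom value matches the "8888" case mentioned above.

```python
"""Ingress and egress rules of the DrayTek port types.

Added example, not code from the original post or DrayTek. A frame is
represented only by its tag stack, a list of (tpid, vid) pairs outermost
first (an empty list is an untagged frame), so the table above can be
exercised without hardware. PVIDs and the custom TPID are constructed.
"""
UNAWARE, C_PORT, S_PORT, S_CUSTOM = "unaware", "c-port", "s-port", "s-custom-port"


class Port:
    def __init__(self, ptype, pvid, custom_tpid=0x88A8):
        self.ptype = ptype
        self.pvid = pvid
        self.custom_tpid = custom_tpid  # "Ethertype for Custom S-ports"

    def ingress(self, tags):
        """Tag stack after ingress, or None when the port discards the frame."""
        pvid_tag = (0x8100, self.pvid)  # the TPID is rewritten at egress anyway
        if not tags:                              # untagged: every type adds the PVID tag
            return [pvid_tag]
        tpid = tags[0][0]
        if self.ptype == UNAWARE:                 # tagged: always push an outer PVID tag
            return [pvid_tag] + list(tags)
        if self.ptype == C_PORT:
            if tpid == 0x8100:
                return list(tags)                 # 1. forwarded, no tag added
            if tpid in (0x88A8, self.custom_tpid):
                return None                       # 3. discarded
            return [pvid_tag] + list(tags)        # 2. other TPID: outer PVID tag added
        # S-port and S-custom-port: only TPID 0x8100 is rejected, nothing is added
        if tpid == 0x8100:
            return None
        return list(tags)

    def egress(self, tags):
        """Rewrite the outer tag's TPID to the value this port type transmits."""
        if not tags:
            return []
        tx_tpid = {UNAWARE: 0x8100, C_PORT: 0x8100,
                   S_PORT: 0x88A8, S_CUSTOM: self.custom_tpid}[self.ptype]
        return [(tx_tpid, tags[0][1])] + list(tags[1:])


def transit(in_port, out_port, tags):
    """Run a frame through in_port's ingress rule and out_port's egress rule."""
    accepted = in_port.ingress(tags)
    return None if accepted is None else out_port.egress(accepted)


if __name__ == "__main__":
    c = Port(C_PORT, pvid=10, custom_tpid=0x8888)
    sc = Port(S_CUSTOM, pvid=1, custom_tpid=0x8888)
    # The case described under the figure: custom Ethertype 8888 on the S-custom-port.
    print(transit(c, sc, [(0x8100, 100)]))   # [(0x8888, 100)]
    print(transit(sc, c, [(0x8100, 100)]))   # None: S-ports reject 0x8100 on ingress
```

The asymmetry to remember when building a Q-in-Q link from these types is that a C-port and an S-port reject each other's native TPID on ingress: a customer 0x8100 frame must enter on a C-port (or Unaware port) and leave on the S-port, never the other way round.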


