28.12.16

DOCKER Notes

VIRTUAL MACHINES VS CONTAINERS

Virtual Machines                    Containers
- mixed operating systems           - efficient
- more flexible                     - less operating system maintenance
- mature technology                 - quick deployment
                                    - not yet flexible

Virtual Machines                    Containers

[ Applications ]                    [ Applications ] [ Applications ]
[Operating Sys ]                    [ Applications ] [ Applications ]
----------------                    [       Operating System        ]
  [Hypervisor]
----------------
[Operating Sys ]

DOCKER WORKS...

3 Steps of Docker (Docker containers)

[1] Dockerfile -> creates [2] Images -> creates [3] Containers
- Dependencies
- PHP
- NGINX / Apache
- Java
- Debian / Gentoo

The Docker daemon facilitates the 3 steps


- apt-cache search docker
- wget -qO- https://docker.com/ | sh
- sudo docker run -d [operating system image] [application]
  sudo docker run -d gentoo /bin/bash [application]
- sudo docker ps -a
- sudo docker logs [container name or ID]
- sudo docker start [name]
- sudo docker stop [name]
- sudo docker images
- sudo docker search [application]
   sudo docker search php
- sudo docker pull [application]
   sudo docker pull php


Docker Hub - online repository of Docker images

Containers and Images

- Images can host Java, Apache, PHP - whatever is required to run the applications
- Containers consolidate the applications
- Images are just copied into the containers
- To update a container, delete the old one and start a fresh copy of the application
- Don't update the application inside the container

- sudo docker ps
- sudo docker ps -a
- sudo docker images
- sudo docker pull
- sudo docker rmi
- sudo docker rm

NETWORKING DOCKER

Virtual Interfaces
Bridged Networking
Configuring IP Address

eth0: 192.168.1.201
docker0: 172.16.10.1
vethXXXXXX: bridge member interface - where XXXXXX is the MAC address

The container is assigned an IP address that is reachable throughout the network

- sudo docker run -d XXXXX/yyyyyy
- sudo docker inspect [container] | grep IP


publishing container port 8080 (mapped to a random host port)
- sudo docker run -d -p 8080 boyformat/jabaman

publishing host port 8080 to container port 0529
- sudo docker run -d -p 8080:0529 boyformat/jabaman

publishing a docker to port 8080 via 0529 / 8080 via 0329
- sudo docker run -d -p 8080:0529 -p 8080:0329 boyformat/jabaman

DATA VOLUMES (PERSISTENT AND SHARED)

- The host file system can be network mounted
- Point the directory to /etc/fstab to mount it

- sudo docker run -d nginx
- sudo docker ps
- sudo docker inspect [container name] | grep IP

check via a web browser on the IP address that was generated

- mkdir web
- cd web
- vi index.html

- sudo docker run -d -v /home/jabaman/web:/usr/share/nginx/html nginx
- sudo docker ps

Mounting a host directory into a container
docker run ... -v [local directory]:[container directory]

Modifying Containers and Images

- sudo docker exec -i -t my_applicationtemp bash
- cd /usr/share/nginx/html
- less index.html
- rm index.html
- cat index.html
- sudo docker commit my_applicationtemp my_application
- sudo docker images
- sudo docker ps
- sudo docker run -d my_application
- sudo docker ps
- sudo docker inspect [container] | grep IP

Creating an Image

Base image - plus the applications to add (Dockerfile)

Sample Dockerfile:
FROM debian
# base image (FROM is required; Debian chosen from the list above)
MAINTAINER Boyformat
COPY counter.sh /usr/local/bin/counter.sh
RUN chmod +x /usr/local/bin/counter.sh
CMD ["/usr/local/bin/counter.sh"]






19.12.16

Cisco Security SITCS High Level Notes 300-207 WSA


WEB SECURITY APPLIANCE (WSA)

- Stops threats at download time (security appliance)
- Enforces policies
- Acts as a proxy, either explicit or transparent

01 Proxy function in transparent mode
WCCP - Web Cache Communication Protocol v2
TCP:80 and TCP:443
SSL/TLS
Requires WCCP to be enabled on the firewall and router

02 WSA Receives HTTP Requests
1. Time of Request / Cisco SIO URL Filtering -> Block
2. Time of Request / Cisco SIO Reputation Filter -> Block
3. Time of Response / Cisco SIO Dynamic Content Analysis -> Block
4. Time of Response / Cisco SIO Signature Anti-Malware Engine -> Block
5. Time of Response / Cisco SIO Advanced Malware Protection -> Block
Options on decision-based rules: Allow | Warn | Partial Block | Block

*SIO - Security Information Operation


03 WSA Baseline Configuration (Ironport) 

03.1 Default Startup Wizard at http://192.168.42.42:8080

Admin access config
- allowed to connect
- SSL configuration

03.2 ifconfig
Where to manage the IP address used to connect to your WSA
- enables GUI management capabilities
- enable HTTPS for management
- enable SSH for management
- certificate options for HTTPS

- edit interface
- delete interface
- new interface
- requires the "commit" command to apply the changes
default user: admin | default password: ironport

03.3 On Gui
Run the setup wizard under System Administration -> System Settings
- Hostname
- NTP
- Time Zone
- Placement relative to an existing proxy (downstream)
- Configure Management IP
- Configure Data (Web Traffic)
- Configure L4 Traffic Monitoring
- Configure Default Gateway
- Configure Static Routes
- Transparent Connection Settings
   - Layer 4 Switch or No Device | WCCP v2 Router
- Administration Settings
   - Admin Password
   - Email System Alerts
   - Network Participation
- Security Settings
- Summary, then install the configuration

03.4 System Administration -> System Upgrade
- shows current version

Network -> Transparent Redirection
- Verifies the transparent configuration
- Add WCCP devices such as an ASA

04 Deploying in a Virtual Environment

Requires an OVF file from Cisco to work
Transfer the license XML file via FTP to /configuration

04.1 Activating the license
Run the command: load license
show license

05 WSA Traffic Classification and Identities

Categorize via
Subnet | Protocol | Proxy Ports | User Agent | URL Categorization
- Add Identity
- Requirement for policies


06 Access Policies
Controls which URLs may be visited | allowed bandwidth | maximum file size limit

07 Web Security Manager Options

- Adding Policies [GROUP]
- Protocol and User Agents
  - Blocking of ports (need to specify)
- URL Filtering - eg pornography, gaming,
  - Adult / Pornography [Monitor/Block]
  - Content Filtering
- Applications - block file transfer applications / bandwidth limits
  - Blogging / Collaboration / Enterprise Applications / Facebook / [Monitor/Block]
  - Filesharing / Media / Messenger / Proxy / Office Suites
- Objects - limit file types (exe, bat) / FTP file size
  - FTP and HTTP Max Download
  - Executable Code [Java / Unix / Windows]
- Anti-Malware and Reputation
  - Cisco DVS - Dynamic Vectoring and Streaming Engine - stops malware
  - Identify Malware Categories

07.1 Adding New Policy
- Policy Setting
  - Policy Name
  - Description
  - Insert Above Policy
- Policy Member Definition
  - Identities and User
  - Advanced (Web Security Manager Options)

07.2 Verify if the Policy is working
System Administration -> Policy Trace Tool
Destination
 - URL to check
Transaction
 - Client IP Address
 Find Policy Match

07.3 Results of Verification after the Trace Tool
User Information
URL Checking - WBRS Score
Policy Match
Final Result

08 User Authentication

- Requires integration with Active Directory and/or LDAP
- Explicit and Transparent Proxy Mode
- Transparent Proxy forwards traffic to Router/Firewall

08.1 Network Menu -> Authentication
Add Realm
- Server Type
- LDAP or Active Directory
- Point to the IP address of the server
- Active Directory
Validation
- Test Current Settings
- Start Test

08.2 From Identities Feature
- Identification and Authentication
- All Realms [Active Directory | LDAP]

08.3 From Main Panel -> Reporting
- Users
- Reports by User Location

09 Traffic Direction

09.1 Explicit Proxy - Manual | PAC | WPAD
From the Internet browser
- Manual via Local LAN Settings -> Proxy Server
- PAC via Local LAN Settings -> Automatic Configuration -> Use automatic configuration script
- WPAD via LAN Settings -> Automatically detect settings
Hosting PAC files on the WSA
- Security Services -> PAC File Hosting
 - Basic Settings
 - PAC Files
 - Via Active Directory group policy

09.2 Transparent Proxy - WCCP | PBR | L4/L7 Capable Switch
WCCP via Firewall and Router
- WCCP Groups
  - 0 = Web Cache
  - 61-62 = WAAS
  - 70 = HTTPS Cache
  - 90-97 = User Defined
  - 99 = Reverse Proxy
 - Enable WCCP for group 0
 - The router identifies inbound HTTP requests and redirects the traffic to the WSA
PBR - Policy Based Routing
Layer 4 Switch - decisions on IP and ports
Layer 7 Switch - decisions on application URL

09.3 Helpful Commands to configure/enable WCCP on a router

[Router]

interface XXXXXX0/0
no shutdown
ip address X.X.X.X Y.Y.Y.Y
exit
ip route 0.0.0.0 0.0.0.0 X.X.X.1
end

debug ip wccp packets
debug ip wccp events

conf t
ip wccp web-cache
interface XXXXX
ip wccp web-cache redirect in
end

show ip wccp
trace 8.8.8.8

WSA -> Add WCCP v2 Service
- Service Profile Name
- Service
   - Standard / Dynamic
- Router IP Address
- Submit

09.4 WCCP Redirection

1. Configure the WSA for the redirection device
2. Configure the ASA
3. Firewall/ASA [ASDM] is ready to accept traffic from the WSA
4. Verify

Network -> Transparent Redirection
-> Add Service
 - Service Profile Name
 - Service
    - Dynamic Service ID
       - Port Numbers
 - Router IP Address
 - Submit
 - Commit Changes

ASDM
- Configuration
   - Device Setup
     - Interface Settings
        - Interfaces

 - Configuration
    - Device Management
       - WCCP
          - Service Groups
             - Add
                - Add Service Group XX
                  - Service: Dynamic Service Number
             - Options
                - Redirect
ACL Manager
- Add
 - Add ACE (Access Control Entry)
   - Action Permit | Source | Destination | Service | Action

- Configuration
    - Device Management
       - WCCP
           - Redirection
              - Add
                 - Service Group XX

10 IPS and IDS Understanding


INLINE: Firewall / ASA -----IPS Inline---- Router
PROMISCUOUS: Switch (mirrored port) ----- IDS ---- Router

IPS Implementation - Appliance/Hardware | Module | Software | Virtual

Placing the IPS outside the firewall will see a lot of traffic
Placing the IPS inside the firewall will see less traffic

IPS Device Manager (IDM)

Configuration
  -> Policies
       -> Signature Definitions
           -> Sig0
-> Active Signatures



22.4.16

Security ENSS Notes 01 Port Security

DEFENDING AGAINST THE CAM TABLE OVERFLOW ATTACK

Attack Scenario
Port Security (can be configured on static access ports/trunk ports)
- Dynamic, Static, Sticky
- Violation Actions (PRSS)
- Access or Trunk

In a trunk configuration for port security, the VLAN can be included

Dynamic, Static, Sticky
1. Dynamic - learned (has ageing options)
2. Static - configured manually on the port/interface
3. Sticky - dynamically learned MACs are put into the running config

Violation Actions (default limit of MACs = 1)
1. Protect - no syslog, no alerts, limits the number of MACs on the port
2. Restrict - SNMP, syslog, counters (not all Cisco platforms support this option)
3. Shutdown - default; when the limit is reached it shuts down the port (err-disabled), SNMP, syslog, counter
4. Shutdown VLAN - shuts down the VLAN

Configuring Port Security

conf t
default int Gig 0/2
int Gig 0/2
switchport mode access                                - set port type (no dynamic ports)
switchport access vlan 123                            - set access VLAN
switchport port-security maximum 5                    - set maximum MACs
switchport port-security aging type inactivity        - set aging type to inactivity
switchport port-security aging time 5                 - set inactivity timer to 5 mins
switchport port-security violation restrict           - set violation mode restrict
switchport port-security mac-address 0000.6783.0000   - add static MAC
switchport port-security                              - enable port-security

conf t
default int Gi0/6
int Gig 0/6
switchport trunk encapsulation dot1q
switchport mode trunk
switchport port-security maximum 50 vlan 123          - set max 50 MACs on VLAN 123
switchport port-security                              - enable port-security

Verification Commands
show port-security
show mac address-table count vlan XXX

show port-security address
show port-security interface gig 0/2
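A simulation of what the port-security configuration above does to ingress frames, added here as an illustration and not Cisco code: the SecurePort model, its method names and the sample MAC addresses are assumptions, but the behaviour follows the violation modes listed above (protect drops silently, restrict drops and counts, shutdown err-disables the port) plus static and sticky entries.

```python
"""Port-security model for the configuration above.  Added example, not Cisco
code: a simplified simulation (assumption) of how a secured access port treats
source MACs under the three violation modes, with static and sticky entries.
Sample MAC addresses are constructed."""

from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                 # switchport port-security maximum N (default 1)
    violation: str = "shutdown"      # protect | restrict | shutdown (default)
    sticky: bool = False             # switchport port-security mac-address sticky
    static_macs: set = field(default_factory=set)   # switchport port-security mac-address X
    learned: list = field(default_factory=list)     # dynamically learned secure MACs
    violations: int = 0              # violation counter (restrict/shutdown only)
    alerts: list = field(default_factory=list)      # syslog/SNMP-style notifications
    err_disabled: bool = False
    running_config: list = field(default_factory=list)   # what sticky writes back

    def secure_macs(self):
        return self.static_macs | set(self.learned)

    def receive(self, src_mac):
        """Handle one ingress frame by source MAC: 'forward', 'drop' or 'err-disable'."""
        if self.err_disabled:
            return "err-disable"
        if src_mac in self.secure_macs():
            return "forward"
        if len(self.secure_macs()) < self.maximum:
            self.learned.append(src_mac)               # room left: learn it
            if self.sticky:                            # sticky: also persist it
                self.running_config.append(
                    f"switchport port-security mac-address sticky {src_mac}")
            return "forward"
        return self._violate(src_mac)                  # limit reached, unknown MAC

    def _violate(self, src_mac):
        if self.violation == "protect":
            return "drop"                              # silent: no counter, no syslog
        self.violations += 1
        self.alerts.append(
            f"%PORT_SECURITY-2-PSECURE_VIOLATION: {self.name} src {src_mac}")
        if self.violation == "restrict":
            return "drop"                              # drop, but count and notify
        self.err_disabled = True                       # shutdown: port err-disabled
        return "err-disable"

    def inactivity_age(self, idle_macs):
        """Aging type inactivity: forget dynamic MACs idle longer than the timer.
        Static entries never age (sticky entries are treated as static here)."""
        if not self.sticky:
            self.learned = [m for m in self.learned if m not in idle_macs]


def cam_flood(port, count):
    """Send `count` constructed distinct source MACs through the port (the
    pattern a CAM-table overflow produces) and tally what happened."""
    tally = {"forward": 0, "drop": 0, "err-disable": 0}
    for i in range(count):
        tally[port.receive(f"0000.{i:04x}.{(i * 7) % 0x10000:04x}")] += 1
    return tally


if __name__ == "__main__":
    gi02 = SecurePort("Gi0/2", maximum=5, violation="restrict",
                      static_macs={"0000.6783.0000"})
    print(cam_flood(gi02, 100), "violations:", gi02.violations)
```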



28.3.16

My Linux Counter #454121


23.3.16

Checkpoint CSA Notes-2

NAT ADDRESS TRANSLATION

Why -> Private IP, Security, Limited IPs

What to translate: Source or Destination
How to Translate: Static or Dynamic
Where translation is done

Mostly for servers
Static - Destination NAT -> Translation happens on the ingress interface

Mostly for end-user PCs/clients
Source - Dynamic NAT ->

NAT Hide
Firewall Tab
-> NAT
Network Objects -> Network
-> Internal-HQ
   -> NAT Tab
     -> Add Automatic Address Translation -> Translation method -> Hide
       -> Save
         -> Install Policy (PUSH)

From internal HQ PC ping public IP
       
SMART TRACKER
-> go to bottom (down icon)
 -> validate the log if ping was translated outside

XlateSrc -> Translated Source Address

NAT Static
Firewall Tab
-> NAT
Network Objects -> Nodes
-> Test PC
   -> NAT Tab
     -> Add Automatic Address Translation -> Translation method -> Static
       -> Check the global address (public IP/routed IP)
       -> Save
         -> Install Policy (PUSH)

XLateDst -> Translated Destination Address

POLICY PACKAGES AND DATABASE VERSIONS

1. Install and link Gateway to Manager
2. Include new Firewall in Policies

Policy Packages can deploy specific targets of rules for X numbers of firewalls

New Policy Package
- a set of policies that can be pushed to one or more gateways

Dashboard
 -> File
   -> New
     -> Blank screen (need to populate the policy)

Dashboard
 -> File -> Save -> Install Policy
   -> SELECT TARGETS
      - Only choose the specific firewall for the new policy package

 -> File -> Save -> Install Policy
   -> Advanced Options
      -> Create Database version - to create snapshots and versions to restore

Database Version Control
 -> File -> Database Revision Control
      -> Create -> Creating a version
      -> Automatically create old version -> Configure
      -> Action -> Restore Version

Separation of rules
-> Right Click -> Add a section title -> Below -> Rule Name

SMART VIEW TRACKER
Modes: Log, Active, Audit
Queries: Predefined and Custom
Care and Feeding:
- Global Properties
- $FWDIR/log
- Other event destinations

Smart View Tracker ---> MGR <---logs--- Firewall
Active Mode
- Realtime activity
- Manual Block

Smart Console
-> Smart View Tracker
  3 Modes
  -> Network Endpoint
  -> Active
  -> Management

Edit Filter
-> Specific (What service)
  -> Add
    -> Contain or Equal
      -> OK

Edit Filter
-> Follow
  -> Destination or Source
 
Save Query As -> predefined searches to be saved

SMART BLOCKER
Launch Menu
-> Tools -> Block Connection
   -> Block Intruder
     -> Blocking Scope
     -> Blocking Timeout
   
Management Mode

Right Click a Rule in the policy -> View Rule Logs (smart tracker will be open)

Smart Dash Board
-> Global Settings
  -> Global Properties
     -> Logs and Alert
        -> Time Settings
           Excessive log grace period: 62 seconds
           Smart View Tracker resolving timeout: 20 seconds
            Virtual Link statistics logging interval: 60 seconds
            Status fetching interval: 60 seconds
         -> Alerts
            Send email
            Send snmp
                       
Network Objects
-> Manager
  -> Logs -> Enable Smartlog
     -> Log Storage
        Configure log file size
        Create logfile base on timing
     -> Additional Logging
        Set to different logging servers
       
SMART VIEW MONITOR

Provides statistics of
Gateways, Traffic, Counters, Tunnels, Users

Create and view suspicious activity rules

Set Thresholds and see alerts

SmartConsole
-> SmartView Monitor

Gateway Status
Traffic
- Top Services
- Top QOS Rules
- Top Destinations
- Top Security Rules
- Packet Size Distribution
- Top VOIP users
- Top Interfaces
- Virtual Link
- Top Tunnels
- Top P2P-Top Sources
- Common Services History
- Top Connections

System Counters - System
- System History
- Firewall
- Firewall History
- VPN
- VPN History
- Content Inspection
- Firewall Security
- Firewall Server

Tunnels
- Tunnels on Community
- Permanent Tunnels
- Down Permanent Tunnels
- Tunnels on Gateway

Gateway Status-> Click Desired Firewall -> Configure Threshold
  -> CPU, free disk space, status, connection
 
 
Launch Menu
-> Tools
  -> Start System Alert Daemon
Software Blade must be enabled (Software License)

Monitoring must be ticked in the Gateway Properties

Dynamic Rules via Smart View Monitor
Icon - Suspicious Activity Rules
-> Show on all Checkpoint Gateways
  -> Refresh

21.3.16

JNCIA-Junos 102 Notes

Draft notes on my JNCIA-Junos journey; however, in the process I just went studying rather than logging most of everything here.

JUNIPER DEVICE PORTFOLIO

M-Series Scale
- Enterprise Routers
- L3/L2 VPNS
- Service Providers

J-Series Scale
- Smaller organizations
- Virtual separation of control plane and data plane (cheaper)
- Hardware separation
- Robust selection compared to the SRX series

MX-Series Scale
- 3D Devices - scalability
- Availability - highest level of uptime / redundancy
- Agility - extremely flexible functions

EX-Series
- Layer 3 Switch routing capabilities
- Layer 2 Switch

QFX-Series (Nexus Cisco Comparison)
- Data Center devices
- TOR / EOR
- Virtualization (comparable to VDC)

SRX-Series
- Service Gateway Devices
- Flexible / act as Switch, WIFI, FW, VOIP, Router


DEVICE ARCHITECTURE

- Operating system is based on FreeBSD
- Multiple software processes
  1. RPD - routing process (routing protocol daemon)
  2. MGD - management daemon
  3. SNMPD - SNMP daemon

Routing Engine (RE)
[ RT    FT ]

[       FT ]
Packet Forwarding Engine (PFE)

Control Plane - RE
Forwarding - PFE

CLI MODES


Configure and Edit are the same
root> configure
root#


root> edit
root#
 
Comparison
root> show configuration | display set
cisco> show run | include interface

TROUBLESHOOTING WITH JUNOS
Credits to my colleague who gave me these commands, which were very helpful during my study. And now I am sharing the information without his knowledge for others to learn.

Basic troubleshoot
show security flow session 
show log traffic_log | last 50
show log messages
show system processes summary
show system processes extensive
show chassis routing-engine
monitor start traffic_log | match 389

Remote VPN users
show security dynamic-vpn users
set access profile dyn-vpn-access-profile client user1 firewall-user password 1234

Check alarms and card status
show chassis fpc pic-status
show chassis cluster status
show system alarms

Routing and ping
traceroute routing-instance SNAP_HealthBridge source x.x.x.x y.y.y.y
ping routing-instance SNAP_HealthBridge source x.x.x.x y.y.y.y record-route count 1 wait 1
ping routing-instance SNAP_HealthBridge source x.x.x.x y.y.y.y count 10000 rapid

Checkpoint CSA Notes-1

SMART ARCHITECTURE

Smart Console -> Management Server -> Gateway (Firewall)
Policies are created -> Policies are stored -> Policies are pushed/implemented

TRAFFIC CONTROL METHODS

1. Packet Filtering
2. Stateful - remembers the ports and IP addresses in the session (inspect)
            - Transport and Network Layer
3. Application Awareness - application layer
            - looks at the content

OPERATING SYSTEM HISTORY
1. IPSO
2. Secure Platform
3. GAIA

INSTALLING CHECKPOINT OPTIONS

1. Standalone vs Distributed
2. High Availability
3. Routed vs Bridged
4. Topology / Addressing

Communication between Manager and GW (Firewall)

Login via console PC

1. Firewall
- Network management
  1. Network Interfaces -> Configure ETHX (0,1,2)
  2. IPV4 Static Route -> Add Gateway -> X.X.X.X (ETH0)
- System Management
  1. Messages -> Banner Messages -> MABUHAY!
 
2. Manager Server

- Network Management
  1. Network Interfaces (verify)
  2. IPV4 Static Route (verify) 10.1.1.111
- System Management
  1. Messages -> Banner Messages -> MABUHAY!
- Overview
  1. Manage Software Blade using Smart Console -> Download Now -> Install everything
 
PC Console
1. Launch the smart dashboard
Manager
To verify the fingerprint on smart dashboard
1. Lock Database override
2. cpconfig -> certificate fingerprint -> exit


2. Network Objects

   -> Checkpoint
     -> Management Server
       -> Security Gateway Management
         -> Classic
           -> Checkpoint Gateway General Properties (fill up)
           - Name - FW Name
           - IPV4 IP Address
           - Comment - FW Comment
             -> Network Security
             - Tick the features / license based
             - IPS, Monitoring, IPS, IPSec/VPN
             -> Platform - verify hardware/OS
             -> Trusted Communication
             - Authentication -> One-time password -> Initialize
             - To connect the Manager to the Firewall
             - Certificate Status -> Trust Established
             - The new Gateway will be seen
          -> Topology
             - Verify the interfaces
             - The interface will be assigned automatically as external if the gateway
                is configured

    -> Nodes
      -> Node
        -> Host Object
           - Configure Name, IP Address, Comment

    -> Network
      -> Network
        -> General
           - Configure Name, Comment, Network Address and Mask 


CREATING/INSTALLING POLICIES

Adding rules for security policy
- Mgmt, Stealth, Internal, Cleanup
- Implied Rules

Firewall
-> Policy -> Launch Menu -> Rules -> Add Rule -> Top or Bottom

MANAGEMENT RULE: RULE ID 1
- Name: Allow Traffic Management
- Source: Node PC
  -> Creating New Host -> New -> Host
     Configure Host Node Properties -> Name, IP Address,
- Service: Go to Dish
- Destination: Firewall HQ
- Action: [Accept] [Reject] [Drop]
- Track: Log
- Install On: Target Firewall

MALICIOUS: RULE ID 2
- Name: Malicious
- Source: Any
- Service: Any
- Destination: Firewall HQ
- Action: [Drop]
- Track: Log
- Install On: Target Firewall

OUR USERS: RULE ID 3
- Name: Our Users
- Source: Internal-HQ
- Service: Any
- Destination: Any
- Action: [Accept]
- Track: Log
- Install On: Target Firewall

CLEAN UP: RULE ID 4
- Name: DENY
- Source: Any
- Service: Any
- Destination: Any
- Action: [Drop]
- Track: Log
- Install On: Target Firewall

SAVING THE POLICY
1. Save Icon
2. Control + S
3. Launch Menu -> File -> Save

IMPLIED RULES
1. Launch Menu -> Policy -> Global Properties
2. Edit Global Properties
   - Implied Rules
     - Accept control Connections
     - Accept remote access control connections
     - Accept Smart Update connections
     - Accept IPS-1 management connections
     - Accept outgoing packet originating from gateway -> Before Last
   - Track
     - Log Implied Rules
3. To verify
   Launch Menu -> View -> Implied Rules
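Rulebase evaluation for the four explicit rules above plus the implied rules, added here as an illustration (not Check Point code): rules are matched top-down, the first match wins, and implied rules sit at the position chosen in Global Properties (First / Before Last / Last). Addresses and the service groups are constructed sample values standing in for the objects in the notes, and the test case with the stealth rule moved below "Our Users" shows why rule order matters.

```python
"""Rulebase evaluation for the four explicit rules above plus the implied rules
from Global Properties.  Added example (not Check Point code): rules are
matched top-down and the first match wins; implied rules are inserted at the
position configured for them (First / Before Last / Last).  Addresses and the
service groups are constructed sample values standing in for the objects in
the notes."""

from dataclasses import dataclass

ANY = "Any"


@dataclass(frozen=True)
class Rule:
    name: str
    source: str
    destination: str
    service: str
    action: str            # Accept | Drop | Reject
    track: str = "Log"
    implied: bool = False


# Network and service objects (constructed): object name -> members.
OBJECTS = {
    "Node PC": {"10.1.1.50"},
    "Firewall HQ": {"10.1.1.1", "203.0.113.1"},
    "Internal-HQ": {f"10.1.1.{i}" for i in range(2, 255)},
    "Mgmt Services": {"ssh", "https"},       # stands in for the notes' rule 1 service
    "FW1 control": {"fw1_ica", "cpd"},       # stands in for control connections
}

EXPLICIT = [
    Rule("Allow Traffic Management", "Node PC", "Firewall HQ", "Mgmt Services", "Accept"),
    Rule("Malicious", ANY, "Firewall HQ", ANY, "Drop"),      # stealth rule
    Rule("Our Users", "Internal-HQ", ANY, ANY, "Accept"),
    Rule("DENY", ANY, ANY, ANY, "Drop"),                      # cleanup rule
]

# Implied rules with the position chosen in Global Properties.
IMPLIED = [
    ("First", Rule("Accept control connections", ANY, "Firewall HQ",
                   "FW1 control", "Accept", implied=True)),
    ("Before Last", Rule("Accept outgoing packets originating from gateway",
                         "Firewall HQ", ANY, ANY, "Accept", implied=True)),
]


def build_rulebase(explicit, implied):
    """Merge implied rules into the explicit rules at their configured positions.
    'Before Last' lands just above the last explicit rule (the cleanup rule)."""
    def at(position):
        return [rule for pos, rule in implied if pos == position]
    return at("First") + explicit[:-1] + at("Before Last") + explicit[-1:] + at("Last")


def member(obj, value):
    """True if `value` is covered by object `obj` (Any, a group, or a literal)."""
    return obj == ANY or value in OBJECTS.get(obj, {obj})


def evaluate(rulebase, src, dst, service):
    """Return (rule number, rule name, action) of the first matching rule."""
    for number, rule in enumerate(rulebase, start=1):
        if (member(rule.source, src) and member(rule.destination, dst)
                and member(rule.service, service)):
            return number, rule.name, rule.action
    raise RuntimeError("no rule matched; the cleanup rule should catch everything")


RULEBASE = build_rulebase(EXPLICIT, IMPLIED)

if __name__ == "__main__":
    # Constructed sample connections: mgmt PC, internal user to the firewall,
    # internal user outbound, gateway-originated, and inbound from outside.
    for src, dst, svc in [("10.1.1.50", "10.1.1.1", "ssh"),
                          ("10.1.1.77", "10.1.1.1", "ssh"),
                          ("10.1.1.77", "198.51.100.9", "https"),
                          ("203.0.113.1", "198.51.100.9", "dns"),
                          ("198.51.100.9", "10.1.1.77", "https")]:
        print(src, "->", dst, svc, "=>", evaluate(RULEBASE, src, dst, svc))
```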

PUSHING THE POLICY
1. Launch Menu -> Policy -> Install POLICY
2. Or the Install POLICY icon

Inside Install POLICY
Revision Control
- Create Database version (snapshot)
- Once done it will deploy the policy
- Policy Installation status -> date and succeeded

3. To verify in Firewall
FW> fw stat
FW> fw fetch IP.Address.of.Manager


Troubleshooting via CLI
FW> fw stat
FW> show configuration interfaces
FW> fw fetch [location]

       

28.2.16

Tshoot Notes: Layer 2 Commands


VLANs
#show vlan
#show vlan id XX
#show vlan brief

DTP - Dynamic Trunking Protocol

#show int trunk
#show int fa0/1 switchport | ex private|unknown


Troubleshooting VTP

#show cdp neighbors
#show int trunk
#show vlan brief | exclude 100

#show vtp status
#show vtp password

Troubleshooting STP
#show spanning-tree vlan 200

#show spanning-tree vlan 200 bridge
#show spanning-tree vlan 200 root
#show spanning-tree vlan 200 summary
#show spanning-tree vlan 200 details

Troubleshooting MSTP
#show spanning-tree mst 1
#show run | begin spanning tree
#show run | inc priority

Troubleshooting Etherchannel
#show int po1 switchport

#show etherchannel summary
#show int trunk
#show spanning-tree vlan 10
#show cdp neighbors
#show run | inc FastEthernet|channel-group










Tshoot Notes: Layer 2 Technologies


VLANs 

- Layer 2 broadcast domain
- Data VLAN
- Voice VLAN (Auxiliary VLAN)
- VLAN 1: default VLAN; on a trunk link it is the native VLAN (untagged)
- Extended range VLANs 1006 - 4094
- Extended range VLANs prerequisite is VTP transparent mode

conf t
switchport mode access - configure the port as an access port
switchport access vlan 100 - assign the VLAN
switchport voice vlan XXX - assign the voice VLAN

#show vlan
#show vlan id XX
#show vlan brief

TRUNK

- ISL
- 802.1Q - takes the frame and inserts a tag (a field for the VLAN ID) + (a field for QoS)
- 802.1Q Native VLAN - VLAN 1 (untagged)

DTP - Dynamic Trunking Protocol

1. Categorize switches into core and access
2. Core switch will be dynamic desirable - forms trunk links
3. Access switch dynamic auto - forms a trunk with desirable

#switchport mode access - DTP is off, not for trunking
#switchport mode trunk - DTP is on
#switchport mode dynamic desirable - will be a trunk
#switchport mode dynamic auto - will be a trunk if the other side is desirable
#switchport nonegotiate - turns off the DTP process (can be used with either mode access or mode trunk)

[Does not work]
SW1
int fa 0/2
switchport trunk encap dot1q
switchport mode dynamic auto
SW2
int fa 0/2
switchport trunk encap dot1q
switchport mode dynamic auto

 
[Trunking will work]
SW1
int fa 0/2
switchport trunk encap dot1q
switchport mode dynamic desirable
SW2
int fa 0/2
switchport trunk encap dot1q
switchport mode dynamic auto


[Trunking will work - you need to try!]
SW1
int fa 0/2
switchport trunk encap dot1q
switchport mode trunk

switchport mode dynamic auto
SW2
int fa 0/2
switchport trunk encap dot1q
switchport mode trunk


[Trunking will work]
*Not having the same native VLAN
SW1 - native vlan 10
SW2 - native vlan 20
[But there will be native VLAN mismatch inconsistencies if SW1 does not use the same native VLAN 20]


changing the native VLAN on the other side
int fa 0/2
switchport trunk native vlan 20


[Trunking will work]
SW1
int fa 0/2
switchport trunk encap dot1q
switchport mode trunk
switchport nonegotiate
SW2
int fa 0/2
switchport trunk encap dot1q
switchport mode trunk
switchport nonegotiate


[Will not work]
SW1
int fa 0/2
switchport trunk encap dot1q
switchport mode trunk
switchport nonegotiate
SW2
int fa 0/2
switchport trunk encap dot1q
switchport mode trunk
switchport mode dynamic desirable

Things to remember for TRUNKING
1. Encapsulation mismatch
2. Native VLAN mismatch
3. Layer 1 - port shutdown
4. DTP misconfiguration
5. VTP and DTP relationships

#show int trunk
#show int fa0/1 switchport | ex private|unknown



Troubleshooting VTP

VLAN Trunking Protocol = VLAN management
VTP only works over trunks
To propagate VLAN information the trunk links must be working

VTP Modes
1. Server - creates and manages VLANs, propagates to servers and clients
2. Client - slave to the VTP server, cannot create or edit VLANs
3. Transparent - participates in the VTP domain and forwards advertisements, but its own VLANs are not propagated
4. VTP off mode

#show vtp status - configuration revision

VTP Scenarios
1. Trunk
    - ports are in access mode
    - incorrect VTP name
2. Domain Name / Password
    - mismatched VTP name --> change the VTP domain
    - mismatched password --> change the password
3. Overwrite versions
    - new switch has a higher revision --> change it first to transparent
    - rename the VTP domain
4. VTP version 1 or 2
    - mismatched VTP version

#show cdp neighbors
#show int trunk
#show vlan brief | exclude 100

#show vtp status
#show vtp password


Changing VTP Domain Name (resetting revision numbers)
conf t
vtp domain Boyformat

Troubleshooting STP

1. 802.1D - IEEE
2. 802.1w - RSTP (Rapid Spanning Tree Protocol) - enable rapid PVST+
3. 802.1s - MSTP (built on the behaviour of RSTP)

STP Process

            dp        1GB       rp
[ SW1 ] ------------------------ [ SW4 ]
   | rp                          | nd
   | 1GB                         | 100 MBPS
   | dp                          | dp
[ SW2 ] ------------------------ [ SW3 ]
   RB     dp       1GB       rp

1. Root Bridge - lowest bridge ID = Priority + VLAN ID + lowest MAC address
2. Each non-root bridge has 1 root port (lowest cost to the root, i.e. higher bandwidth)
3. Each link has a designated port
4. Non-designated port

         
            dp        1GB       rp
[ SW1 ] ------------------------ [ SW4 ]
   | rp                          | nd
   | 1GB                         | 100 MBPS
   | dp                          | dp
[ SW2 ] ------------------------ [ SW3 ]
   RB     dp       1GB       rp

1. Root Bridge - Bridge Priority - Priority (manual)
                                 - Root Primary
2. Root Port - manipulate cost
3. Designated Port - manipulate cost

STP Toolkit
1. PortFast -
2. BPDU Guard -
3. Root Guard - superior bridge, no one can come in with lower priority
4. Loop Guard - stop normal convergence of STP

#show spanning-tree vlan 200
#show spanning-tree vlan 200 bridge
#show spanning-tree vlan 200 root
#show spanning-tree vlan 200 summary
#show spanning-tree vlan 200 details

1. Cost - Root
2. Bridge ID

1. Check for Bridge IDs
2. Check the Priorities
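The election and port roles for the four-switch topology drawn above, worked through in code as an added example (not Cisco code): bridge ID is priority + VLAN ID with the MAC as tie-breaker, the root path cost decides root ports, and the lower-cost end of each link becomes designated. Link costs are the classic IEEE values the notes mention (1 Gbps = 4, 100 Mbps = 19); switch MACs and priorities are constructed, with SW2's priority lowered as "root primary" would.

```python
"""Root bridge election and port roles for the four-switch STP topology in
the notes.  Added example (not Cisco code).  Bridge ID = priority + VLAN ID
(extended system ID), then the MAC as tie-breaker; the lowest ID is root.
Link costs use the classic IEEE values from the notes (1 Gbps = 4,
100 Mbps = 19).  Switch MACs and priorities are constructed sample values."""

import heapq

IEEE_COST = {1000: 4, 100: 19, 10: 100}     # link speed (Mbps) -> STP path cost
INF = float("inf")


def bridge_id(priority, vlan, mac):
    """Comparable bridge ID: (priority + VLAN ID, MAC); lower wins."""
    return (priority + vlan, mac.lower())


def stp_roles(bridges, links, vlan):
    """bridges: {switch: (priority, mac)}; links: [(sw_a, sw_b, speed_mbps)].

    Returns (root, root_path_cost, roles) where roles[(switch, neighbour)] is
    'RP' (root port), 'DP' (designated port) or 'NDP' (non-designated/blocking)."""
    bid = {sw: bridge_id(p, vlan, mac) for sw, (p, mac) in bridges.items()}
    root = min(bid, key=bid.get)

    adj = {sw: [] for sw in bridges}
    for a, b, speed in links:
        adj[a].append((b, IEEE_COST[speed]))
        adj[b].append((a, IEEE_COST[speed]))

    # Shortest path from the root: lowest root path cost wins; on equal cost the
    # lower sender bridge ID wins (the second STP tie-breaker).  via[sw] is the
    # neighbour behind the root port of sw.
    rpc = {root: 0}
    via = {}
    heap = [(0, bid[root], root)]
    while heap:
        cost, _, sw = heapq.heappop(heap)
        if cost > rpc.get(sw, INF):
            continue                       # stale heap entry
        for nb, link_cost in adj[sw]:
            candidate = (cost + link_cost, bid[sw])
            current = (rpc.get(nb, INF), bid.get(via.get(nb), (INF, "")))
            if candidate < current:
                rpc[nb] = candidate[0]
                via[nb] = sw
                heapq.heappush(heap, (candidate[0], bid[nb], nb))

    roles = {}
    for a, b, _ in links:
        for sw, nb in ((a, b), (b, a)):
            if sw != root and via[sw] == nb:
                roles[(sw, nb)] = "RP"
        # The designated end of a link has the lower root path cost, then lower ID.
        designated = min((a, b), key=lambda sw: (rpc[sw], bid[sw]))
        other = b if designated == a else a
        roles.setdefault((designated, other), "DP")
        roles.setdefault((other, designated), "NDP")
    return root, rpc, roles


# Topology from the notes: SW2 has been made root (priority lowered, as with
# "spanning-tree vlan 200 root primary"); the SW3-SW4 link is 100 Mbps.
BRIDGES = {
    "SW1": (32768, "0000.0c00.1111"),
    "SW2": (4096, "0000.0c00.2222"),
    "SW3": (32768, "0000.0c00.3333"),
    "SW4": (32768, "0000.0c00.4444"),
}
LINKS = [("SW1", "SW4", 1000), ("SW1", "SW2", 1000),
         ("SW2", "SW3", 1000), ("SW3", "SW4", 100)]


if __name__ == "__main__":
    root, rpc, roles = stp_roles(BRIDGES, LINKS, vlan=200)
    print("root bridge:", root)
    for (sw, nb), role in sorted(roles.items()):
        print(f"{sw} port toward {nb}: {role} (root path cost {rpc[sw]})")
```

With equal priorities the lowest MAC (SW1 here) wins instead, and SW3 ends up blocking toward SW4; the test below checks both outcomes.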

Troubleshooting MSTP


PVST - per-VLAN spanning tree - each VLAN has its own topology
MST - 802.1s runs only as many topologies (instances) as needed
        - coexists with PVST

Fool-proof MST
1. Region Name
2. Revision Number
3. Instances - VLAN

#show spanning-tree mst 1

#show run | begin spanning tree
  - validate the region name (case sensitive)
  - revision number
  - instance

#conf t
#spanning-tree mst configuration
#name NAME OF REGION
#end

#conf t
#spanning-tree mst 1 root primary - manipulating priority
#spanning-tree mst 1 root secondary - backup

#show run | inc priority

Troubleshooting Etherchannel

Can be Layer 2 or Layer 3 (multilayer switches)

1. Shut down the other side (to prevent err-disable)
    - err-disable sometimes requires resetting the configuration to default
2. Both devices' links are physically identical
3. Dynamic or manual creation (ON: static / LACP: active, passive / PAgP: auto, desirable)

#show etherchannel ? - a lot of verification commands

Creating etherchannel
1. Default the interfaces
#conf t
#default int range fa 0/1-6
#int range fa 0/1-6
#shutdown
#do show int status | include disabled
#switchport trunk encapsulation dot1q
#switchport mode trunk
#switchport trunk allowed vlan 10,20,30
#switchport trunk allowed vlan add 40 - additional vlan
#channel-group 1 mode active - LACP

#show int po1 switchport
#show etherchannel summary - shows the ports in the bundle
#show int trunk
#show spanning-tree vlan 10 (cost 4 = 1000 Mbps / cost 19 = 100 Mbps)

#show etherchannel load-balance

2. Load Balancing
#conf t
#port-channel load-balance ? - shows the options/method for load balancing

#show cdp neighbors
#show etherchannel summary
#show int po1 switchport
#show run | inc FastEthernet|channel-group










27.2.16

Routing Notes 10 BGP

BGP DEFINITIONS

1. Reliable updates, TCP based on port 179
2. Triggered updates only (5 seconds internal and 30 seconds external)
3. Complicated metric for finding the best route
4. All neighbors are manually set up
5. Complex filters are typically used
6. The routing protocol of the Internet
7. Management of trust and untrust
8. Routing through autonomous systems instead of routers
9. The slowest routing protocol
10. Primarily service providers, but also enterprise customers

BGP NEIGHBOR FORMS

Neighbors never discover each other; manual configuration is needed
Neighbor must be reachable on TCP 179
Multiple sessions to the same neighbor are not permitted - DROP

19.2.16

Routing Notes 09 PATH CONTROL

POLICY BASE ROUTING

Configuring Policy Routing

conf t
ip access-list standard TAMAD
permit host 192.168.1.20
ip access-list extended PAGILAS
permit tcp host 192.168.1.21 any eq 23
permit tcp host 192.168.1.21 any eq 443
configuring the access-lists

route-map CORP_POLICY permit 10
match ip address TAMAD
set ip next-hop 201.1.1.2

show route-map

route-map CORP_POLICY permit 20
match ip address PAGILAS
set ip next-hop 200.1.1.2

show route-map

route-map CORP_POLICY permit 30
set ip next-hop 201.1.1.2
after policy 10 and 20 traffic will go to policy 30

int fa0/0
ip policy route-map CORP_POLICY
incoming traffic on this interface
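The policy routing above worked through in code, as an added example (not IOS code): the ACLs and the CORP_POLICY route-map are the ones from the notes, the packets are constructed samples, and the Packet class and function names are assumptions. It shows the first-match walk through sequences 10, 20 and 30, the implicit deny at the end of each ACL, and what happens when no sequence matches (normal routing).

```python
"""Policy-based routing evaluation as described above: the CORP_POLICY
route-map is walked in sequence order, the first entry whose ACL permits the
packet sets the next hop, and sequence 30 (no match clause) catches the rest.
Added example, not IOS code; the ACLs and route-map are the ones in the notes,
the packets are constructed samples."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    dport: int = 0


# Access lists from the notes.  A standard ACL matches the source only; an
# extended ACL matches protocol, source, destination and (with `eq`) the port.
ACLS = {
    "TAMAD": [{"proto": "ip", "src": "192.168.1.20", "dst": "any"}],
    "PAGILAS": [
        {"proto": "tcp", "src": "192.168.1.21", "dst": "any", "dport": 23},
        {"proto": "tcp", "src": "192.168.1.21", "dst": "any", "dport": 443},
    ],
}

# route-map CORP_POLICY: (sequence, match ip address <ACL> or None, set ip next-hop)
CORP_POLICY = [
    (10, "TAMAD", "201.1.1.2"),
    (20, "PAGILAS", "200.1.1.2"),
    (30, None, "201.1.1.2"),      # no match clause: matches everything left over
]


def acl_permits(acl_name, pkt):
    """True if some access-control entry permits the packet; an ACL ends with an
    implicit deny, so a packet matching no entry is denied."""
    for ace in ACLS[acl_name]:
        if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
            continue
        if ace["src"] != "any" and ace["src"] != pkt.src:
            continue
        if ace["dst"] != "any" and ace["dst"] != pkt.dst:
            continue
        if "dport" in ace and ace["dport"] != pkt.dport:
            continue
        return True
    return False


def policy_next_hop(pkt, route_map=CORP_POLICY):
    """Walk the route-map top-down; the first permit entry that matches sets the
    next hop.  Returns (sequence, next_hop), or (None, None) when nothing matched,
    in which case the packet is routed normally from the routing table."""
    for seq, acl, next_hop in route_map:
        if acl is None or acl_permits(acl, pkt):
            return seq, next_hop
    return None, None


if __name__ == "__main__":
    for pkt in (Packet("192.168.1.20", "8.8.8.8", "udp", 53),
                Packet("192.168.1.21", "8.8.8.8", "tcp", 443),
                Packet("192.168.1.21", "8.8.8.8", "tcp", 80),
                Packet("192.168.1.99", "8.8.8.8", "tcp", 443)):
        print(pkt, "->", policy_next_hop(pkt))
```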

IP-SLA

Measuring service levels on a particular circuit
Send probes (Ping, FTP, HTTP, DNS Lookup etc) to specific IP Address

Creating SLA Monitor Probe

conf t
ip sla monitor 1
type echo protocol ipIcmpEcho 200.1.1.2
timeout 500
how long (ms) to wait before considering a ping lost
frequency 1
threshold 800
response time (ms) above which the probe is considered down
ip sla monitor schedule 1 start-time now life forever

To modify your routing based on the probe, you must create a track object that considers the probe UP or DOWN

Creating a Track Object

conf t
track 1 rtr 1
rtr = response time reporter

Adding a track object on the route

ip route 0.0.0.0 0.0.0.0 200.1.1.2 track 1
ip route 0.0.0.0 0.0.0.0 200.1.1.2 50

13.2.16

Routing Notes 08 REDISTRIBUTION

PROCESS OF REDISTRIBUTION

1. Routes to be redistributed INTO the routing protocol

To redistribute OSPF into RIP

conf t
router rip
redistribute ospf [process-id]

To redistribute EIGRP into OSPF
conf t
router ospf [process-id]
redistribute eigrp [as-number]

Redistribution Issues
1. Sub-optimal routing
2. Routing loops

Workarounds for Redistribution

1. Tweak administrative distance in OSPF
2. Route tagging to allow and block
3. Prefix list to allow and block
4. Access-list to allow and block

BASIC ROUTE REDISTRIBUTION

RIP-----------RT1-----------RT2-----------RT3--------OSPF
10.1.1.0/24     172.16.1.0/24   172.16.2.0/24     172.17.1.0/24
10.1.2.0/24                                                          172.17.2.0/24
10.1.3.0/24                                                          172.17.3.0/24
10.1.4.0/24                                                          172.17.4.0/24
10.1.5.0/24                                                          172.17.5.0/24
10.1.6.0/24                                                          172.17.6.0/24

Router 2
conf t
router rip
redistribute ospf 1 metric 5
or

conf t
router rip
redistribute ospf 1
default-metric 5

Router 1
show ip route

Router 2
conf t
router ospf 1
redistribute rip metric 100 subnets metric-type [1 or 2]
1 = external type 1 metric - adds the cost of the links along the path
2 = external type 2 metric - shows the same metric of 100 everywhere
Router 3
show ip route

REDISTRIBUTION WITH DISTRIBUTION LIST

Filtering 2 Statements

RIP-----------RT1-----------RT2-----------RT3--------OSPF
10.1.1.0/24    172.16.1.0/24    172.16.2.0/24    172.17.1.0/24
10.1.2.0/24                                                        172.17.2.0/24
10.1.3.0/24                                                        172.17.3.0/24
10.1.4.0/24                                                        172.17.4.0/24
10.1.5.0/24                                                        172.17.5.0/24
10.1.6.0/24                                                        172.17.6.0/24

Router 2
conf t
access-list 1 permit 172.17.1.0 0.0.0.255
access-list 1 permit 172.17.2.0 0.0.0.255

router rip
distribute-list 1 out

Router 1
show ip route
clear ip route
show ip route

Router 2
conf t
access-list 2 deny 10.1.1.0 0.0.0.255
access-list 2 deny 10.1.2.0 0.0.0.255
access-list 2 deny 10.1.3.0 0.0.0.255
access-list 2 deny 10.1.4.0 0.0.0.255
access-list 2 permit any

router ospf 1
distribute-list 2 out

Router 3
show ip route
clear ip route
show ip route

REDISTRIBUTION WITH PREFIX LIST

1. Alternative to access-lists for matching routes
- Improves processor utilization
- Better subnet mask matching abilities
2. Two-stage matching: network, then subnet mask length
3. Similar to an ACL (sequenced, first match wins, implicit deny)

ip prefix-list ABA permit 172.30.0.0/16 ge 20 (ge = mask length greater than or equal to 20)

a. 172.30.1.0/24 OK
b. 172.30.0.0/16
c. 172.30.32.0/19
d. 172.16.0.0/18
e. 172.30.10.0/24 OK

ip prefix-list ABA permit 172.30.0.0/16 le 20 (le = mask length less than or equal to 20)

a. 172.30.1.0/24
b. 172.30.0.0/16 OK
c. 172.30.32.0/19 OK
d. 172.16.0.0/18
e. 172.30.10.0/24
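An added Python example, not from the notes, that applies the two-stage prefix-list test (prefix bits first, then the ge/le mask-length range) to the five candidates above; entry strings are parsed from the IOS syntax shown, and the function names are my own.

```python
import ipaddress
# Added example, not from the notes: the two-stage test an IOS prefix-list entry
# applies. Stage 1: the candidate's first <len> bits must equal the entry's network.
# Stage 2: the candidate's own mask length must lie in the range set by ge/le:
#   neither -> exactly <len>;  ge N -> N..32;  le M -> <len>..M;  ge N le M -> N..M.

def entry_matches(entry, candidate):
    # entry like "permit 172.30.0.0/16 ge 20"; candidate like "172.30.1.0/24"
    words = entry.split()
    action, base = words[0], ipaddress.ip_network(words[1])
    opts = dict(zip(words[2::2], map(int, words[3::2])))  # e.g. {"ge": 20}
    low = opts.get("ge", base.prefixlen)
    high = opts.get("le", 32 if "ge" in opts else base.prefixlen)
    cand = ipaddress.ip_network(candidate)
    # Stage 1: keep only the first base.prefixlen bits of the candidate and compare.
    head = ipaddress.ip_network(f"{cand.network_address}/{base.prefixlen}", strict=False)
    # Stage 2: mask-length range check.
    return head == base and low <= cand.prefixlen <= high, action

def prefix_list_permits(entries, candidate):
    # Entries are walked in sequence order; first match wins; implicit deny at the end.
    for entry in entries:
        matched, action = entry_matches(entry, candidate)
        if matched:
            return action == "permit"
    return False

# The five candidate routes from the notes (constructed sample input).
CANDIDATES = ["172.30.1.0/24", "172.30.0.0/16", "172.30.32.0/19",
              "172.16.0.0/18", "172.30.10.0/24"]

def permitted_by(entry):
    return [c for c in CANDIDATES if prefix_list_permits([entry], c)]
```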

REDISTRIBUTION WITH ROUTE-MAPS

1. Ordered list of statements, similar to an access-list
2. Performs a series of IF/THEN statements called match/set
3. Typically used for:
- modifying BGP attributes
- policy routing
- route filtering

ROUTER 2
conf t
router rip
redistribute ospf 1 metric 5 subnets

ROUTER 1
show ip route

ROUTER 2
conf t
access-list 5 permit 10.1.1.0 0.0.0.255
access-list 5 permit 10.1.2.0 0.0.0.255
access-list 5 permit 10.1.3.0 0.0.0.255
access-list 6 permit 172.17.1.0 0.0.0.255
access-list 6 permit 172.17.2.0 0.0.0.255
access-list 6 permit 172.17.3.0 0.0.0.255

route-map ABA permit 10
match ip address 5
exit

show route-map

route-map ABA permit 10
set metric 1000
show route-map

ROUTER 2
conf t
router ospf 1
redistribute rip route-map ABA subnets

ROUTER 3
show ip route

ROUTER 2
route-map ABA permit 20
set metric 500

ROUTER 3
show ip route
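A small Python model, added here and not part of the notes, of how a router walks a route-map: it evaluates both CORP_POLICY from the path-control section (match ACL, set ip next-hop) and ABA from this section (match ACL 5, set metric). The ACL and route-map structures are constructed for the example; a route is matched by the network address of its prefix, which is why an ACL cannot tell a /24 from a /25 and prefix-lists exist.

```python
import ipaddress
# Added example, not from the notes: a minimal model of how IOS walks a route-map.
# An ACL is a list of (action, network, extra-check) entries: first match wins,
# implicit deny at the end. Extended entries also check protocol and dest port.

def standard(*networks):
    # "permit host X" -> X/32; "permit 10.1.1.0 0.0.0.255" -> 10.1.1.0/24
    return [("permit", ipaddress.ip_network(n), None) for n in networks]

def extended_tcp(src_host, *ports):
    # "permit tcp host <src> any eq <port>", one entry per port
    return [("permit", ipaddress.ip_network(src_host + "/32"),
             lambda t, p=p: t.get("proto") == "tcp" and t.get("dport") == p)
            for p in ports]

def acl_permits(acl, target):
    addr = ipaddress.ip_address(target["addr"])
    for action, net, extra in acl:
        if addr in net and (extra is None or extra(target)):
            return action == "permit"
    return False  # implicit deny

def apply_route_map(clauses, acls, target):
    # Clauses are (seq, action, acl-names-or-None, set-dict), walked in sequence
    # order; a clause with no match statement matches everything. Returns the
    # set-dict of the first matching permit clause, else None (no policy applied).
    for _seq, action, match, sets in sorted(clauses, key=lambda c: c[0]):
        if match is None or any(acl_permits(acls[n], target) for n in match):
            return sets if action == "permit" else None
    return None
ACLS = {"TAMAD": standard("192.168.1.20/32"),
        "PAGILAS": extended_tcp("192.168.1.21", 23, 443),
        "5": standard("10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24")}
# route-map CORP_POLICY (path-control notes): policy routing, set ip next-hop
CORP_POLICY = [(10, "permit", ["TAMAD"], {"next-hop": "201.1.1.2"}),
               (20, "permit", ["PAGILAS"], {"next-hop": "200.1.1.2"}),
               (30, "permit", None, {"next-hop": "201.1.1.2"})]
# route-map ABA (redistribution notes): set metric on RIP routes entering OSPF
ABA = [(10, "permit", ["5"], {"metric": 1000}),
       (20, "permit", None, {"metric": 500})]

def pbr_next_hop(src, proto=None, dport=None):
    hit = apply_route_map(CORP_POLICY, ACLS, {"addr": src, "proto": proto, "dport": dport})
    return hit["next-hop"] if hit else "normal routing"

def redistributed_metric(prefix):
    # A route is matched by the network address of the prefix, whatever its mask.
    hit = apply_route_map(ABA, ACLS, {"addr": prefix.split("/")[0]})
    return hit["metric"] if hit else None
```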

REDISTRIBUTION WITH PREFIX-LIST

Router 3
conf t
ip prefix-list ABA permit 10.0.0.0/8
ip prefix-list ABA permit 10.0.0.0/8 le 24
router ospf 1
redistribute rip metric 100 subnets

route-map RM permit 10
match ip address prefix-list ABA

match ip address prefix-list ABA
match ip address prefix-list ABA2
match ip address prefix-list ABA3
or
match ip address prefix-list ABA ABA2 ABA3

router ospf 1
redistribute rip metric 100 subnets route-map RM
Router 3
show ip route