EvilZone

Hacking and Security => Tutorials => : RedBullAddicted August 07, 2012, 02:16:18 PM

: Networking - the basics - Part 2/2
: RedBullAddicted August 07, 2012, 02:16:18 PM

Hi,

this is the second part on networking basics. First of all I like to thank Daemon as he offered to correct my post.
As I'am not a native english speaker this is very kind of him. If you like this post you should give him karma, too. I have done it!

Contents
1. Ressources used for that tutorial
2. IP addresses (ipv4) and TCP/IP -> part one
3. Subnetting (the basics) -> part one
4. NAT (the basics) -> part one
5. VLANs -> part one
6. Link Aggregation -> part two
7. Spanning Tree (the basics) -> part two
8. IP Routing (the basics) -> part two
9. Something about network design -> part two

1. Resources used for that tutorial
- HP Networking student guides
- HP Networking configuration guides
- Cisco student guides
- HP and Cisco website
- various other website.

6. Link Aggregation (802.3ad describes lacp - link aggregation control protocol)
Link aggregation is used to connect one switch to another with more than just one link. This is useful for redundancy and to assume a higher Bandwidth for the uplink.
First of all you need to know that you should never connect two switches to each other with more than one cable unless you have configured spanning tree or link aggregation.
If you do so without one of these features (there are even more you can configure like the HP mesh) you will cause a broadcast storm.
The broadcast storm will cause a total outage of your network. This is called a network loop and can be achieved with only one switch.
Just plug in both ends of a network cable to the same switch and that's all. To be sure this is not happening (just imagine an employee don't likes to see a cable hanging
around and plugs the other end to another network jack) you need to configure a loop protection on all access/edge ports (this is the name of the ports which are used to connect
an end note like a client or a printer). Depending on the size of the network, a network loop will kill your complete network in less than 10 seconds.

Ok, as I said you can assume a higher Bandwidth with link aggregation but you need to know one more thing. If you just put two one gigabit links to a link aggregation it does
not mean that you have a two gigabit uplink. Most switch vendors do not do any kind of load balancing. Typically this is only a load sharing which means that the network traffic is
shared by both links in a revolving system. First conversation takes link one, second conversation takes link two, third conversation takes link one and so on.
As there is no validation of link quality the fist conversation can be held while the second one has already finished. The third one will take link 1 and not the second link
which is free in this example.

This is the configuration on an hp switch
(as I mentioned on the fist part of tutorial/guide this feature is called trunk in the hp world. Don't mix it with the cisco trunk)

hpswitch> enable
password manager:
hpswitch# configure terminal
hpswitch(config)# trunk 23,24 trk1 lacp
hpswitch(config)# write memory

What you need to do:
issue the trunk command with the following information
- A list of ports that will be aggregated
- A name for the trunk
- The type of trunk (HP trunk or LACP).
If no option is entered, the trunk will default to an hp trunk.

This is the configuration on a cisco switch:

ciscoswitch> enable
enable password:
ciscoswitch# configure terminal
ciscoswitch(config)# interface gigabitethernet 0/1
ciscoswitch(config-if)# channel-protocol lacp
ciscoswitch(config-if)# channel-group 1 mode active
ciscoswitch(config-if)# exit 
ciscoswitch(config)# interface gigabitethernet 0/2
ciscoswitch(config-if)# channel-protocol lacp
ciscoswitch(config-if)# channel-group 1 mode active
ciscoswitch(config-if)# exit
ciscoswitch(config)# write memory

What you need to do:
enter the interface configuration context and
- define the protocol to be used
- enter a group number (all links in the same group are aggregated
- enter a mode for your aggregation (a complete list of all configuration tasks can be found here:
http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_13_ea1/configuration/guide/swethchl.html

With cisco you have the possiblity to configure load-balancing (this is not really balancing its more like sharing)

ciscoswitch#show etherchannel load-balance
EtherChannel Load-Balancing Configuration:
        src-mac

EtherChannel Load-Balancing Addresses Used Per-Protocol:
Non-IP: Source MAC address
  IPv4: Source MAC address
  IPv6: Source MAC address

LACP - Link Aggregation Control Protocol
Because it is a widely used standard, static LACP is the preferred trunking method when the switch on the other side of the link supports LACP. However, HP Port Trunking can
be suitable for situations when the other switch does not support LACP or when its trunking support is unknown. Because it does not rely on a protocol, HP Port Trunking
often will interoperate with other trunking configurations.

The primary advantage of dynamic LACP is support for standby links, which means the trunk can be configured with links that will become active if other links in the trunk fail.
However, the implementation of dynamic LACP limits other configuration options for the ports in the aggregation. For instance, ports in a dynamic LACP trunk cannot be configured with
non-default Spanning Tree settings. The dynamic LACP trunk also cannot be configured for membership in static VLANs.
For further reading: http://en.wikipedia.org/wiki/Link_aggregation

Link Aggregation Support

Link Aggregation support on switches varies among switch vendor, model, and software version. The hp ProVision Asic Switches including 3500yl, 5400zl and 8200zl support 144 link
aggregations with eight ports. You can assign more than these eight ports but only eight will be used for load-sharing. The others will become active if another one fails.

7. Spanning Tree (the basics)

As I mentioned on the link aggregation part, it is easy to kill your complete network with a network loop. As you want to implement redundant links and you are not able to aggregate them
you need another mechanism for that task. Imagine you have three switches. Each one is conected to each other with one link. Without the use of spanning tree, once again you build a network
loop.

_________________________
| | |
|switch1|--------|switch2|--------|switch3|

Basically the classic spanning tree which is stp (spanning tree protocol - 802.1d) and rstp (rapid spanning tree protocol - 802.1w) just blocks the redundant link which will cause a
network loop as long as the other two ports are active. If one of these ports fail then the blocked port will become active. There are a few more spanning tree types like the open standard
mstp (multiple spanning tree protocol) and the cisco pvst (per vlan spanning tree). The old stp is not used anymore as it tooks up to 30 seconds to recalculate the spanning tree topology if a
link went down. This means that a part of the network was not reachable for 30 seconds. The rstp can accomplish this in less than 2 seconds (depending on the size of the network).
In this guide I will focus on the rstp version as this is the most simple way for implementing spanning tree. I will say some words about mstp but not in depth as this can be very complex.
I will start with the hp configuration example and explain the single steps afterwards.

hpswitch(config)# spanning-treeturn on spanning tree globally on the switch

hpswitch(config)# spanning-tree force-version rstp-operationset the protocol version to rapid spanning tree

hpswitch(config)# spanning-tree priority 1set the priority for your switch. Every spanning tree instance needs a root bridge. the root bridge decides which links should be blocked.
If you dont set the priorities accordingly the switch with the lowest mac address will become root.
Bridge priority is set in increments of 4096 which means 4096 is 1, 2 is 8192 ...., 8 is 32768.

hpswitch(config)# spanning-tree 1-22 auto-edge-portdefine access/edge ports as auto-edge-ports for not envolving them into the spanning tree topology.
If one of these ports is going down the spanning tree will not recalculate it's topology.

hpswitch(config)# no spanning-tree 23-24 auto-edge-portset the uplinks port to no auto-edge-ports as they should be involved into the spanning tree topology.

hpswitch(config)# spanning-tree 1-22 bpdu-protectiondefine a bpdu protection on the access/edge ports. If some plugs in a switch to one of theses ports the switch will not get a connect.

Lets take a look at a comparable cisco configuration.

ciscoswitch(config)# spanning-treeturn on spanning tree globally on the switch -> is on by default

ciscoswitch(config)# spanning-tree mode rapid-pvstset the protocol version to rapid spanning tree

ciscoswitch(config)# spanning-tree priority 1set the priority for your switch. Every spanning tree instance needs a root bridge. the root bridge decides which links should be blocked. If you dont set the priorities accordingly
the switch with the lowest mac address will become root. Bridge priority is set with a value between 0-65535

ciscoswitch(config)# spanning-tree portfast defaultset all ports to not be involved in the spanning tree topology

ciscoswitch(config)# spanning-tree portfast bpduguard defaultconfigure all ports with bdpuguard (bdpu protection)

ciscoswitch(config)# interface gigabitethernet0/23

ciscoswitch(config-if)# spanning-tree portfast disable

ciscoswitch(config-if)# exitswitch to an uplink port to involve him to the spanning tree topology and to turn off bpdu Protection. Repeat that for all uplink ports.

Thats all for this part. This is very basic configuration but it will work and can be found in many smaller networks (up to 15 switches)

A much better way for implementing spanning tree is the multiple spanning tree protocol or per vlan spanning tree (mstp or pvst).
MSTP is an improvement to stp and rstp. You can use different spanning trees for different vlans. Within stp and rstp you have redundant links blocked.
With MSTP you can have a redundant link for vlan 5 blocked but the same link open for vlan 10. This means you have no dead links.
As with the above sample this time I will only focus on the hp configuration, start with the example config and explain it afterwards
If you are also interessted in the cisco configuration steps you can read this
http://scottledyard.wordpress.com/2007/03/18/cisco-switches-classic-stp-rstp-mst/

hpswitch(config)# spanning-treeturn on spanning tree globally on the switch

[code]hpswitch(config)# spanning-tree force-version mstp-operationset the protocol version to multiple spanning tree -> which is used as default

hpswitch(config)# spanning-tree config-name hp

hpswitch(config)# spanning-tree config-revision 1Define an MST region identity for the switch.
Must be the same on all switches involved in this mstp topology

hpswitch(config)# spanning-tree instance 1 vlan 10 30

hpswitch(config)# spanning-tree instance 2 vlan 20 40Associate user vlans with MSTP instances. If you have two instances you should consider using different root bridges for each instance.
The configuration for the root bridge on instance 1 can look like this:

hpswitch1(config)# spanning-tree instance 1 priotity 1

hpswitch1(config)# spanning-tree instance 2 priotity 2The configuration for the other root bridge may look like this

hpswitch2(config)# spanning-tree instance 1 priority 2

hpswitch2(config)# spanning-tree instance 2 priority 1
In this example hpswitch1 is the root bridge for instance 1 and secondary root bridge for instance 2.
hpswitch2 is the root bridge for instance 2 and secondary root bridge for instance 1.
And thats all for the very basic configuration.

8. IP Routing (the basics)

Ok, thats another topic which can fill books on it's own. I will keep that as small as possible. For this I will only focus on static routing, a little bit on RIPv2 and OSPF.
Imagine you have the following network with one router which is located in a transfer network. Every Switch in the different departments is confgured for ip routing and the IP of the Switch
is the default gateway for the clients. Every Switch has a vlan for the clients and a transfer vlan to the router. The Transfer vlan has an address range of 10.10.0.0/28 and the routers ip is
10.10.0.1

Department	Subnet	VLAN	Switch IP User vlan	Switch IP Transfer Network
DataCenter	10.10.1.0/24	5	10.10.1.1	10.10.0.2
Sales	10.10.2.0/24	10	10.10.2.1	10.10.0.3
Marketing	10.10.3.0/24	15	10.10.3.1	10.10.0.4

e.g. a client in the sales department has network configuration which looks like this:
IP: 10.10.2.10
Netmask: 255.255.255.0
Gateway: 10.10.2.1

_______________|Router|_____________
| | |
|DCSwitch|--------|SalesSwitch|--------|MarketingSwitch|

Static Routing

What needs to be configured:

DCSwitch

dcswitch(config)# ip route 10.10.2.0 255.255.255.0 10.10.0.1route to reach the sales department

dcswitch(config)# ip route 10.10.3.0 255.255.255.0 10.10.0.1route to reach the marketing department

dcswitch(config)# ip default-gateway 10.10.0.1
can be used as alternative. This means that all traffic regarding subnets the switch doesn't know will be send to the router

SalesSwitch

salesswitch(config)# ip route 10.10.1.0 255.255.255.0 10.10.0.1route to reach the datacenter

salesswitch(config)# ip route 10.10.3.0 255.255.255.0 10.10.0.1route to reach the marketing department

salesswitch(config)# ip default-gateway 10.10.0.1can be used as alternative. This means that all traffic regarding subnets the switch doesn't know will be send to the router

MarketingSwitch

dcswitch(config)# ip route 10.10.1.0 255.255.255.0 10.10.0.1route to reach the datacenter

dcswitch(config)# ip route 10.10.2.0 255.255.255.0 10.10.0.1route to reach the sales department

dcswitch(config)# ip default-gateway 10.10.0.1can be used as alternative. This means that all traffic regarding subnets the switch doesn't know will be send to the router

Router

router(config)#ip route 10.10.1.0 255.255.255.0 10.10.0.2all traffic for the Datacenter will be sent to the Datacenter Switch

router(config)#ip route 10.10.2.0 255.255.255.0 10.10.0.3all traffic for the Sales Department will be sent to the Sales Switch

router(config)#ip route 10.10.3.0 255.255.255.0 10.10.0.4all traffic for the Marketing Department will be sent to the Marketing Switch.

This maybe belongs to the design part but I think it also fits to this place. This routing concept is called "routing at the edge". The first L3 Switch in the row is routing all
Traffic regarding his local subnets. If you combine this with RACLs (routed access control lists) you can stop unwanted traffic at the first L3 network device.
If you deploy a core router who does all the routing a network packet is traversing the complete network until it reaches the core or backbone and is then droped maybe.

e.g. you want the people from sales department to reach a fileserver (10.10.1.100) in the datacenter but only by smb (server message block tcp/445).
Your ACL could look like this

 salesswitch(config)# ip access-list extended "ACL_TRANSFER_TO_ROUTER"
salesswitch(config-ext-nacl)# 10 permit tcp 10.10.2.0 0.0.0.255 10.10.1.100 0.0.0.0 eq 445
salesswitch(config-ext-nacl)# 20 deny ip 10.10.2.0 0.0.0.255 10.10.1.100 0.0.0.0

Note: within ACLs the subnetmask needs to be inverted. 255.255.255.0 equals 0.0.0.255
This is a very simple example about access control lists. I will write a more in-depth tutorial about that in the future

Ok, this is very simple but can get more and more complex the larger the network grows. I'am a great friend of static routing as you have complete control about which
subnet is able to reach one other. But if you have hundrets of subnets with a lot of routers and switches you maybe won't to confgure all routes by hand.
This is when dymanic routing comes into play.

Dynamic Routing
Dynamic routing protocols enable routers to adjust automatically to changes in topology. With a dynamic routing protocol configured, if a router’s neighbor has failed, it will quickly
learn if other paths are available to the neighbor’s networks and update its route table accordingly.

RIP (Routing Information Protocol) and OSPF (Open Shortest Path First) comparison (mainly from hp training material... they can explain it much better then I can)

Distance Vector:
RIP
- Router sends periodic updates to neighbor routers
- Information about remote networks is passed from router to router based on each routers perspective
- Convergence can be slow

Link State:
OSPF
- Router reports to its neighbors the characteristics of its active connections to local networks
- Updates are flooded to all routers within administratively defined "area"
- Logical tree is build to calculate shortest path to each address range
- Enables faster convergence, detection of alternate paths after link failure due to possession of first-hand information

Two types of standard interior gateway protocols are commonly used in IP networks:

1.Distance-vector protocols
Routers using these protocols integrate information into their route tables and resend the resulting entries, as modified from their own perspectives. RIP is a common
example of a distance-vector protocol.

2. Link-state protocols.
Routers using these protocols establish neighbor relationships with adjacent routers. Routers generate updates based on local information and send the updates to
neighbors, who then flood updates to all their neighbors. Ideally, within a few milliseconds, every router in an administratively defined area has identical information.
Each router builds a logical tree that then traces out the shortest path to each advertised destination, using itself as the root. As a result, every router has a
consistent picture of the network from its own perspective. OSPF is a common example of a link-state protocol

while RIP and other distance-vector protocols are easier to configure than link-state protocols, the distance-vector protocols have one serious disadvantage. Changes in
routing topology often propagate slowly because information in a router’s table is acquired from other routers that may be as many as 15 hops away.
OSPF, like other link-state protocols, avoids the convergence issues of RIP by not relying on “second-hand” information. A router sends an advertisement when it recognizes a
link-state change. Along with the topology change, the update contains the attributes of all of the router’s currently active links. The router sends the advertisement to its immediate
neighbors, which are required by the protocol to immediately flood the advertisement to all of their neighbors.

Unlike RIP routers, OSPF routers do not increment the costs as they flood updates. In fact, an OSPF router is not permitted to make any changes to advertisements it receives
on one network before sending it out onto another network. As a result, all of the routers in the OSPF “area” have a consistent picture of the connections between all routers and
networks in the area. Each router builds a tree based on “first-hand” information that traces the shortest path
between itself and every router and network in the area. When a link state changes, the router recalculates the tree based on the new information. Ideally, less than a second
passes between the time the router advertises its new state and the time when all of the routers have found an alternate path, if one exists.

Ok... that's all I want to write about dynamic routing. As you know there are a lot more routing protocols and this is very complex.
I will write a more in-depth tutorial about dynamic routing with configuration examples in the future.

9. Something about network design
I will tell you some things you need to know if you are designing a network. Mostly you won't have the possiblity to plan a complete building including cableing, network racks and network rooms.
Basically you will do a network redesign. The things I always need to know are the following (this is not a complete list.)

- How is the cableing for switch interconnection (Uplinks) (Fiber optic, copper, 10Gig ethernet (CX4))
- which network room has direct connection to another one
- how far are the switches away from each other
- Availability
- Can new cables be installed
- How deep are the racks (you may laugh but I had the problem that a switch has not fitted into the rack)
- Are there places with additional needs (maybe the human resource department needs extra protection)
and so on.

If you have the possiblity that new cables can be installed you should deploy as many redundant links as possible.
Keep in mind that different types of cables can make different distances

copper: not more than 150 m
copper CX4: 15 m
fiber SX: 550 m
fiber LX: up to 10 km
These are not all types of cables. I just wanted to give an example.

You should consider installing a redundant backbone/core and connect them with a 10 gigabit link. You should use a router redundancy protocol like hsrp (hot standby router protocol)
or vrrp (virtual router redundancy protocol). In simple words every switch has its own ip address. With a router redundancy protocol you assign a virtual ip address on top with a virtual mac
address. The primary router uses this virtual ip address. If the primary router dies the second takes over the virtual ip and mac. You all know that you can not configure a client with two gateway
ips so instead you just use the virtual one. The virtual IP address can also be used for monitoring if a remote or branch office is reachable as this is a highly available IP address.

Think about your spanning tree deployment as much as possible.
Use a protocol which has less dead links like mstp or pvst. Your design must be very good. If there is a mis-configuration, troubleshooting can be very hard as the problems can be very strange.

If you need to mix different venders read as much interoperability guides as possible. For example if you have a cisco network with pvst and a procurve network with mstp you should allways use
a pvst filter on the ports which connect to the cisco world. Believe me... you won't see whats happening if you don't! :-)

Ok.. I think this is enough. If anyone here needs to plan and implement a network they contact me anytime. I would love to discuss that :-)

Last but not least I decided to copy in a configuration I have done for a small branch office network which is connected to a datacenter. The network consids of 4 switches and this config is from one of the L3 Switches (HP 3500yl). If you read both tutorials you should be able to understand most of it. In this config I changed IP Adresses, hostnames and routes.

hostname "Switch1" 
time timezone 60 
time daylight-time-rule Western-Europe 
console inactivity-timer 60 
ip access-list extended "Transfer_to_DC_ACL" 
   10 deny tcp 10.10.0.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 3389 
   20 permit ip 10.10.0.0 0.0.0.255 10.10.100.0 0.0.0.255 
   30 permit ip 10.10.0.0 0.0.0.255 10.10.150.0 0.0.31.255 
   40 deny ip 10.10.0.0 0.0.0.255 10.10.200.0 0.0.0.15 
   50 deny ip 10.10.0.0 0.0.0.255 10.10.201.0 0.0.0.255 
   60 deny ip 10.10.0.0 0.0.0.255 10.10.202.0 0.0.0.255 
   70 deny ip 10.10.0.0 0.0.0.255 10.10.203.0 0.0.0.255 
   80 deny tcp 10.10.0.0 0.0.0.255 10.10.204.0 0.0.0.255 eq 3389 
   90 permit ip 10.10.0.0 0.0.0.255 10.10.204.0 0.0.0.255 
   200 deny tcp 10.10.1.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 3389 
   210 permit ip 10.10.1.0 0.0.0.255 10.10.100.0 0.0.0.255 
   220 permit ip 10.10.1.0 0.0.0.255 10.10.150.0 0.0.31.255 
   230 deny ip 10.10.1.0 0.0.0.255 10.10.200.0 0.0.0.15 
   240 deny ip 10.10.1.0 0.0.0.255 10.10.201.0 0.0.0.255 
   250 permit ip 10.10.1.0 0.0.0.255 10.10.202.0 0.0.0.255 
   260 deny ip 10.10.1.0 0.0.0.255 10.10.203.0 0.0.0.255 
   270 deny ip 10.10.1.0 0.0.0.255 10.10.204.0 0.0.0.255 
   300 deny tcp 10.10.2.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 3389 
   310 permit ip 10.10.2.0 0.0.0.255 10.10.100.0 0.0.0.255 
   320 permit ip 10.10.2.0 0.0.0.255 10.10.150.0 0.0.31.255 
   330 deny ip 10.10.2.0 0.0.0.255 10.10.200.0 0.0.0.15 
   340 deny ip 10.10.2.0 0.0.0.255 10.10.201.0 0.0.0.255 
   350 deny ip 10.10.2.0 0.0.0.255 10.10.202.0 0.0.0.255 
   360 deny ip 10.10.2.0 0.0.0.255 10.10.203.0 0.0.0.255 
   370 permit ip 10.10.2.0 0.0.0.255 10.10.204.0 0.0.0.255 
   400 deny tcp 10.10.3.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 3389 
   410 permit ip 10.10.3.0 0.0.0.255 10.10.100.0 0.0.0.255 
   420 permit ip 10.10.3.0 0.0.0.255 10.10.150.0 0.0.31.255 
   430 permit ip 10.10.3.0 0.0.0.255 10.10.200.0 0.0.0.15 
   440 permit ip 10.10.3.0 0.0.0.255 10.10.201.0 0.0.0.255 
   450 permit ip 10.10.3.0 0.0.0.255 10.10.202.0 0.0.0.255 
   460 permit ip 10.10.3.0 0.0.0.255 10.10.203.0 0.0.0.255 
   470 permit ip 10.10.3.0 0.0.0.255 10.10.204.0 0.0.0.255 
   500 permit ip 10.10.4.0 0.0.0.255 10.132.72.240 0.0.0.0 
   510 deny ip 10.10.4.0 0.0.0.255 10.10.100.0 0.0.0.255 
   520 deny ip 10.10.4.0 0.0.0.255 10.10.150.0 0.0.31.255 
   530 deny ip 10.10.4.0 0.0.0.255 10.10.200.0 0.0.0.15 
   540 deny ip 10.10.4.0 0.0.0.255 10.10.201.0 0.0.0.255 
   550 deny ip 10.10.4.0 0.0.0.255 10.10.202.0 0.0.0.255 
   560 deny ip 10.10.4.0 0.0.0.255 10.10.203.0 0.0.0.255 
   570 deny ip 10.10.4.0 0.0.0.255 10.10.204.0 0.0.0.255 
   600 permit ip 10.10.7.0 0.0.0.15 10.10.100.0 0.0.0.255 
   610 permit ip 10.10.7.0 0.0.0.15 10.10.150.0 0.0.31.255 
   620 permit ip 10.10.7.0 0.0.0.15 10.10.200.0 0.0.0.15 
   630 permit ip 10.10.7.0 0.0.0.15 10.10.201.0 0.0.0.255 
   640 permit ip 10.10.7.0 0.0.0.15 10.10.202.0 0.0.0.255 
   650 permit ip 10.10.7.0 0.0.0.15 10.10.203.0 0.0.0.255 
   660 permit ip 10.10.7.0 0.0.0.15 10.10.204.0 0.0.0.255 
   700 deny ip 10.10.0.0 0.0.7.255 10.128.0.0 0.7.255.255 
   710 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 
   exit 
module 1 type J86xxA 
interface 1 
   name "Connection_to_DC" 
   speed-duplex auto-1000 
exit
interface 2 
   name "WAN_Optimizer" 
   speed-duplex auto-1000 
exit
interface 3 
   name "3 Printer1" 
exit
interface 4 
   name "4 Printer2" 
exit
interface 6 
   name "6 Client1" 
exit
interface 7 
   name "Client2" 
exit
interface 8 
   name "8 Client3" 
exit
interface 9 
   name "9 Client 4" 
exit
interface 13 
   name "13 Printer3" 
exit
interface 15 
   name "UPL_Switch4_1" 
   speed-duplex auto-1000 
exit
interface 16 
   name "UPL_Switch4_2" 
   speed-duplex auto-1000 
exit
interface 17 
   name "UPL_Switch3_1" 
   speed-duplex auto-1000 
exit
interface 18 
   name "UPL_Switch3_2" 
   speed-duplex auto-1000 
exit
interface 19 
   name "UPL_Switch2_1" 
   speed-duplex auto-1000 
exit
interface 20 
   name "UPL_Switch2_2" 
   speed-duplex auto-1000 
exit
interface 23 
   name "Client5" 
exit
trunk 19-20 Trk1 LACP 
trunk 17-18 Trk2 LACP 
trunk 15-16 Trk3 LACP 
ip routing 
snmpv3 enable 
snmpv3 group ManagerAuth user "UserName" sec-model ver3 
vlan 1 
   name "DEFAULT_VLAN" 
   untagged Trk1-Trk3 
   ip address dhcp-bootp 
   no untagged 1-14,21-24 
   exit 
vlan 760 
   name "CLIENTNET" 
   untagged 3,5-6,8-9,11-12,14,21-24 
   ip helper-address 10.132.72.13 
   ip address 10.10.0.1 255.255.255.0 
   tagged Trk1-Trk3 
   exit 
vlan 770 
   name "SERVERNET" 
   untagged 7,10 
   ip address 10.10.1.1 255.255.255.0 
   tagged Trk1-Trk3 
   exit 
vlan 780 
   name "PRINTERNET" 
   untagged 4,13 
   ip helper-address 10.132.72.13 
   ip address 10.10.2.1 255.255.255.0 
   tagged Trk1-Trk3 
   exit 
vlan 790 
   name "MGMTNET" 
   untagged 2 
   ip address 10.10.3.1 255.255.255.0 
   tagged Trk1-Trk3 
   exit 
vlan 800 
   name "GUESTNET" 
   ip address 10.10.4.1 255.255.255.0 
   tagged Trk1-Trk3 
   exit 
vlan 830 
   name "TRANSFERNET" 
   untagged 1 
   ip address 10.10.7.5 255.255.255.240 
   tagged Trk1-Trk3 
   ip access-group "Transfer_to_DC_ACL" out
   exit 
fault-finder bad-driver sensitivity high
fault-finder bad-transceiver sensitivity high
fault-finder bad-cable sensitivity high
fault-finder too-long-cable sensitivity high
fault-finder over-bandwidth sensitivity high
fault-finder broadcast-storm sensitivity high
fault-finder loss-of-link sensitivity high
fault-finder duplex-mismatch-hdx sensitivity high
fault-finder duplex-mismatch-fdx sensitivity high
fault-finder link-flap sensitivity high
banner motd "\"Authorized access only!\n\nDisconnect IMMEDIATELY if you are not 
an\n authorized user!\""
radius-server host 10.10.202.100 key "RADIUSSERVERKEY"
timesync sntp
sntp unicast
sntp server priority 1 10.10.201.5 4
no telnet-server
no web-management
ip authorized-managers 10.10.150.0 255.255.224.0 access manager
ip authorized-managers 10.10.100.0 255.255.255.0 access manager
ip authorized-managers 10.10.3.0 255.255.255.0 access manager
ip authorized-managers 10.10.201.0 255.255.255.0 access manager
ip dns domain-name "Domain.local"
ip dns server-address priority 1 10.10.203.5
ip dns server-address priority 2 10.10.203.6
ip route 10.10.150.0 255.255.224.0 10.10.7.3
ip route 10.10.100.0 255.255.255.0 10.10.7.3
ip route 10.10.201.0 255.255.255.0 10.10.7.3
ip route 10.10.202.0 255.255.255.0 10.10.7.3
ip route 10.10.200.0 255.255.255.248 10.10.7.3
ip route 10.10.203.0 255.255.255.0 10.10.7.3
ip route 10.10.204.0 255.255.255.128 10.10.7.3
router vrrp
snmp-server community "Community" operator
snmp-server contact "Admins" location "DC"
snmpv3 user "Username"
aaa accounting network start-stop radius
aaa authentication port-access eap-radius authorized
aaa authentication mac-based chap-radius authorized
aaa port-access authenticator active
aaa port-access mac-based 3-6,11-14,21-24
aaa port-access mac-based 3 unauth-vid 800
aaa port-access mac-based 4 logoff-period 10080
aaa port-access mac-based 4 unauth-vid 800
aaa port-access mac-based 5 unauth-vid 800
aaa port-access mac-based 6 unauth-vid 800
aaa port-access mac-based 8 unauth-vid 800
aaa port-access mac-based 9 unauth-vid 800
aaa port-access mac-based 11 unauth-vid 800
aaa port-access mac-based 12 unauth-vid 800
aaa port-access mac-based 13 logoff-period 10080
aaa port-access mac-based 13 unauth-vid 800
aaa port-access mac-based 14 unauth-vid 800
aaa port-access mac-based 21 unauth-vid 800
aaa port-access mac-based 22 unauth-vid 800
aaa port-access mac-based 23 unauth-vid 800
aaa port-access mac-based 24 unauth-vid 800
aaa port-access mac-based addr-format single-dash
spanning-tree
spanning-tree 3 bpdu-protection
spanning-tree 4 bpdu-protection
spanning-tree 5 bpdu-protection
spanning-tree 6 bpdu-protection
spanning-tree 7 bpdu-protection
spanning-tree 8 bpdu-protection
spanning-tree 9 bpdu-protection
spanning-tree 10 bpdu-protection
spanning-tree 11 bpdu-protection
spanning-tree 12 bpdu-protection
spanning-tree 13 bpdu-protection
spanning-tree 14 bpdu-protection
spanning-tree Trk1 priority 4
spanning-tree Trk2 priority 4
spanning-tree Trk3 priority 4
spanning-tree priority 1 force-version rstp-operation
vlan 760
   vrrp vrid 41
      owner
      virtual-ip-address 10.10.0.1 255.255.255.0
      priority 255
      enable
      exit
   exit
vlan 770
   vrrp vrid 42
      owner
      virtual-ip-address 10.10.1.1 255.255.255.0
      priority 255
      enable
      exit
   exit
vlan 780
   vrrp vrid 43
      owner
      virtual-ip-address 10.10.2.1 255.255.255.0
      priority 255
      enable
      exit
   exit
vlan 790
   vrrp vrid 44
      owner
      virtual-ip-address 10.10.3.1 255.255.255.0
      priority 255
      enable
      exit
   exit
vlan 800
   vrrp vrid 46
      owner
      virtual-ip-address 10.10.4.1 255.255.255.0
      priority 255
      enable
      exit
   exit
vlan 830
   vrrp vrid 49
      owner
      virtual-ip-address 10.10.7.5 255.255.255.240
      priority 255
      enable
      exit
   exit
no autorun
no dhcp config-file-update
no dhcp image-file-update
password manager
password operator

If you have any questions regarding this just ask

Thanks for reading!

: Re: Networking - the basics - Part 2/2
: Stackprotector August 07, 2012, 02:55:26 PM

+1 ;)

: Re: Networking - the basics - Part 2/2
: Rcoombz January 05, 2013, 06:49:14 PM

awesome work. I'm working towards my CCIE for Voice and these are awesome notes for my Samsung Galaxy Note. any way you can do some advanced topics life BGP or whatever you feel the most knowledgable about. I'm a student first and always appreciate the cheatsheet. Thanks again.

: Re: Networking - the basics - Part 2/2
: RedBullAddicted January 05, 2013, 07:04:01 PM

Hi Rcoombz,

would be nice if you would take the time to write a little intro about yourself. CCIE Voice??? You have my respect and I think you will become a lot better then I am if you manage to pass all requirements. CCIE is the most difficult thing you can do (in my opinion). If I would have the time, someone who pays for it and if I would be willing to spend month of learning I would go for the CCIE Security :) I think I could write something about dynamic routing protocols but it would be a lot of work. With these tutorials I only focused on the basics which are explained very fast. At the moment I don't really have time for it but it is noted for my next holidays or such :) For now I can only recommend reading the cisco papers about it (they are pretty good) and build your own little testlab with gns3 or something similar. You need to try stuff... only reading won't work (just my two cents)

: Re: Networking - the basics - Part 2/2
: Rcoombz January 05, 2013, 07:39:33 PM

no worries RedBULL. A little about me. I AM 32 and have been in the telephony field since age 18. I started with NEC digital pbxs then moved into Cisco Routing & Switching around age 26 when VoIP really started to saturate the market. I currently have a full CCIE setup with a rack and of course GNS3 running my virtual lab based off off blinding.net Voice lab. I started with GNS3 workbench by nectar. its a free virtual machine based of ubuntu and the programmer has probably a 100 or so custom labs. it's super sweet if you haven't already checked it out. anyway I have All the CBT, Trainsignal and INE training videos. if you ever need anything just PM me and I'll gladly hook you up. ;)

anyway I was just assigned implementing Cisco's Identity Service Engine along with Airtight security for wireless security. that's what has brought me over to the penetration testing to really hone my skills on how these attacks happen and to be honest, I'm now hooked on this stuff. I think it will add a nice compliment to my resume and it's definitely sharpened my skills as far as what the packet looks like at every node and how you can transport nearly anything regardless of the port number. ok that's enough, I just wanted to say Thank You for the Cisco training. I greatly appreciate you taking the time to share your knowledge.

-Ryan

: Re: Networking - the basics - Part 2/2
: Rcoombz January 05, 2013, 07:41:38 PM

Redbull, sorry for any bad grammar. I'm testing my Samsung Galaxy Note 10.1. This thing is a godsend for people who love screenshots and taking notes. which is me no doubt. thanks again