Notas Estudo BCVRE 170-010 parte 2

Chapter 4 DHCP and DNS

[email protected]:~$ set interfaces ethernet eth1 address dhcp

[email protected]:~$ show dhcp client leases
interface  : eth1
ip address : 192.168.196.135    [Active]
subnet mask: 255.255.255.0
domain name: localdomain        [overridden by domain-name set using CLI]
router     : 192.168.196.2
name server: 192.168.196.2
dhcp server: 192.168.196.254
lease time : 1800
last update: Tue Jul 15 10:38:43 GMT 2014
expiry     : Tue Jul 15 11:08:43 GMT 2014
reason     : RENEW

A default route recebida via DHCP tem a AD = 210

[email protected]# run sh ip route
Codes: K – kernel route, C – connected, S – static, R – RIP, O – OSPF,
I – ISIS, B – BGP, > – selected route, * – FIB route

S>*   0.0.0.0/0 [210/0] via 192.168.196.2, eth1

[set | edit] service dhcp-server
[set | edit] shared-network-name name
[set | edit] subnet address/mask
set default-router address
set dns-server address
set start address [stop address]
set exclude address

Comandos DHCP Relay
set service dhcp-relay interface interface-name
set service dhcp-relay server ip-address

[email protected]:~$ show dhcp server leases
IP address       Hardware Address   Lease expiration     Pool      Client Name
———-       —————-   —————-     —-      ———–
192.168.42.10    00:0c:29:f5:40:6e  2009/11/04 23:52:07  DHCP-Eth0 JansPC
192.168.42.11    00:0c:29:a5:02:c7  2009/11/04 23:52:11  DHCP-Eth0 Desktop
192.168.42.22    00:15:c5:b3:2e:64  2009/11/04 17:55:01  DHCP-Eth0
192.168.42.23    00:04:f2:02:84:49  2009/11/04 17:24:59  DHCP-Eth0 FredsPC

System DNS – para uso interno do vRouter
Dynamic DNS
DNS forwarding

set system name-server name
[set | edit] service dns dynamic interface interface-name service service-provider
set login name
set password password
set server [ip-address | fqdn]
set host-name name

[set | edit] service dns forwarding
set listen-on interface-name
set system
set dhcp interface-name
set name-server ip-address
set system static-host-mapping host-name name inet ip-address

Antes de configurar o DNS forwading, é necessário especificar qual o DNS server a ser usado para as queries. By default o vRouter tenta o System DNS. Caso os do System DNS não respondam o vRouter tenta os aprendidos via DHCP. É possivel fazer override destes defaults selecionando apenas os system servers, DHCP-learned ou explicity-configured apenas para o DNS forwarding

[email protected]:~$ show dns forwarding statistics
—————-
Cache statistics
—————-
Cache size: 150
Queries forwarded: 5
Queries answered locally: 2
Total DNS entries inserted into cache: 23
DNS entries removed from cache before expiry: 0
———————
Nameserver statistics
———————
Server: 10.0.0.30
Queries sent: 5
Queries retried or failed: 0

As estaticistas mostram apenas os servers contactados, ou seja, o vRouter nunca enviou nenhuma querie para o server 10.0.0.31

Chapter 5 Routing

Routing Tables

[email protected]:~$ show ip route
Codes: K – kernel, C – connected, S – static, R – RIP, B – BGP
O – OSPF, IA – OSPF inter area
N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2
E1 – OSPF external type 1, E2 – OSPF external type 2
i – IS-IS, L1 – IS-IS level-1, L2 – IS-IS level-2, ia – IS-IS inter
area
> – selected route, * – FIB route, p – stale info
Gateway of last resort is not set
C>* 10.1.1.0/30 is directly connected, eth1
C>* 10.2.2.0/30 is directly connected, eth2
C>* 127.0.0.0/8 is directly connected, lo
S>* 172.16.0.0/16 [1/0] via 10.1.1.1, eth1
O   172.16.0.0/16 [110/20] via 10.1.1.1, eth1, 00:00:35
C>* 192.168.0.0/24 is directly connected, eth0

Rotas marcadas com * são marcadas como activas

Static Routes

[email protected]# set protocol static route 172.16.1.0/24 next-hop 10.1.2.1

[email protected]# set protocol static route 0.0.0.0/0 next-hop 192.168.1.1

Floating Static Routes

Protocol——Distance
Connected–0
Static———1
EBGP——–20
OSPF——–110
RIP————120
IBGP———-200

[email protected]# set protocol static route 192.168.1.0/24 next-hop 10.1.1.2 distance 150

Chapter 6 Firewalls

vRouter_packet_processing_vyatta

Firewall Rulebase

Baseado no Match e Action

Match : Faz match do Layer 3 e Layer 4, caso não seja especificado faz match all

Action : Accept, Reject (envia ICMP unreachable message), Drop. A default action é DROP

set firewall name PublicServers rule 10 action accept
set firewall name PublicServers rule 10 state established enable
set firewall name PublicServers rule 10 state related enable

set firewall name PublicServers rule 20 action accept
set firewall name PublicServers rule 20 destination address 10.6.7.0/24
set firewall name PublicServers rule 20 source address 10.2.3.0/24

set firewall name PublicServers rule 30 action accept
set firewall name PublicServers rule 30 destination address 10.6.7.0/24
set firewall name PublicServers rule 30 destination port smtp
set firewall name PublicServers rule 30 protocol tcp
set firewall name PublicServers rule 30 source address 10.4.5.0/24

set firewall name PublicServers rule 40 action reject
set firewall name PublicServers rule 40 destination address 10.6.7.0/24
set firewall name PublicServers rule 40 source address 10.4.5.0/24

set firewall name PublicServers rule 50 action accept
set firewall name PublicServers rule 50 destination address 10.6.7.0/24
set firewall name PublicServers rule 50 destination port http,ftp,smtp
set firewall name PublicServers rule 50 protocol tcp

[email protected]# set interfaces ethernet eth0 firewall out name PublicServers

[email protected]# run show firewall name

—————————–
Rulesets Information
—————————–
——————————————————————————–
IPv4 Firewall “PublicServers”:

Active on (eth0,OUT)

rule  action   proto     packets  bytes
—-  ——   —–     ——-  —–
10    accept   all       0        0
condition – saddr 0.0.0.0/0 daddr 0.0.0.0/0 state RELATED,ESTABLISHED

20    accept   all       0        0
condition – saddr 10.2.3.0/24 daddr 10.6.7.0/24

30    accept   tcp       0        0
condition – saddr 10.4.5.0/24 daddr 10.6.7.0/24 tcp dpt:25

40    reject   all       0        0
condition – saddr 10.4.5.0/24 daddr 10.6.7.0/24 reject-with icmp-port-unreacha
ble

50    accept   tcp       0        0
condition – saddr 0.0.0.0/0 daddr 10.6.7.0/24  dports 80,21,25

10000 drop     all       0        0
condition – saddr 0.0.0.0/0 daddr 0.0.0.0/0

[email protected]:~$ show firewall name PublicServers statistics
IPv4 Firewall “PublicServers”:
Active on (eth0,OUT)
rule  packets   bytes     action  source              destination
—-  ——-   —–     ——  ——              ———–
10    5.62M     6.52G     ACCEPT  0.0.0.0/0           0.0.0.0/0
20    51        13036     ACCEPT  10.2.3.0/24         10.6.7.0/24
30    0         0         ACCEPT  10.4.5.0/24         10.6.7.0/24
40    0         0         REJECT  10.4.5.0/24         10.6.7.0/24
50    0         0         ACCEPT  0.0.0.0/0           10.6.7.0/24
1025  2042      923057    DROP    0.0.0.0/0           0.0.0.0/0

Um dos estados é o trafego “related”, isto permite ativar o ALG em protocolos como o FTP e SIP

Applying Rulebases

 Individual interfaces – cada interface pode ter uma rulebase em cada direção (IN + OUT), e a mesma rulebase pode ser aplicada a várias interfaces
Zones – Zone é um grupo de interfaces. Agrupando as interfaces em zones fica implicitamente associado todos os enderecos dentro da zona. Épossivel aplicar uma rulebase a zones possibilitando ter security policies mais genéricas.Quando aplicada a rulebase é especificado a source/destination zone

Referências:

Notas Estudo BCVRE 170-010 parte 1

Vyatta vRouter 5400 Online Documentation

Brocade Certified vRouter Engineer 2013 (BCVRE) Exam

Voucher gratuito Brocade Certified vRouter Engineer (BCVRE) 170-010 Exam

Network Functions Virtualization

Certification Brocade Community

Certification Exam Information

One thought on “Notas Estudo BCVRE 170-010 parte 2

  1. Pingback: Notas Estudo BCVRE 170-010 parte 4

Leave a Reply

Your email address will not be published. Required fields are marked *