
BCVRE 170-010 Study Notes, Part 2

Chapter 4 DHCP and DNS

[email protected]:~$ set interfaces ethernet eth1 address dhcp

[email protected]:~$ show dhcp client leases
interface  : eth1
ip address : 192.168.196.135    [Active]
subnet mask: 255.255.255.0
domain name: localdomain        [overridden by domain-name set using CLI]
router     : 192.168.196.2
name server: 192.168.196.2
dhcp server: 192.168.196.254
lease time : 1800
last update: Tue Jul 15 10:38:43 GMT 2014
expiry     : Tue Jul 15 11:08:43 GMT 2014
reason     : RENEW

The default route received via DHCP has an AD of 210:

[email protected]# run sh ip route
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
I - ISIS, B - BGP, > - selected route, * - FIB route

S>*   0.0.0.0/0 [210/0] via 192.168.196.2, eth1

[set | edit] service dhcp-server
[set | edit] shared-network-name name
[set | edit] subnet address/mask
set default-router address
set dns-server address
set start address [stop address]
set exclude address

DHCP Relay commands
set service dhcp-relay interface interface-name
set service dhcp-relay server ip-address

[email protected]:~$ show dhcp server leases
IP address       Hardware Address   Lease expiration     Pool      Client Name
----------       ----------------   ----------------     ----      -----------
192.168.42.10    00:0c:29:f5:40:6e  2009/11/04 23:52:07  DHCP-Eth0 JansPC
192.168.42.11    00:0c:29:a5:02:c7  2009/11/04 23:52:11  DHCP-Eth0 Desktop
192.168.42.22    00:15:c5:b3:2e:64  2009/11/04 17:55:01  DHCP-Eth0
192.168.42.23    00:04:f2:02:84:49  2009/11/04 17:24:59  DHCP-Eth0 FredsPC

System DNS - used internally by the vRouter itself
Dynamic DNS
DNS forwarding

set system name-server name
[set | edit] service dns dynamic interface interface-name service service-provider
set login name
set password password
set server [ip-address | fqdn]
set host-name name

[set | edit] service dns forwarding
set listen-on interface-name
set system
set dhcp interface-name
set name-server ip-address
set system static-host-mapping host-name name inet ip-address

Before configuring DNS forwarding, you have to specify which DNS servers are to be used for the queries. By default the vRouter tries the System DNS servers first; if those do not respond, it tries the servers learned via DHCP. These defaults can be overridden by selecting only the system servers, only the DHCP-learned servers, or only explicitly configured servers for DNS forwarding.

[email protected]:~$ show dns forwarding statistics
----------------
Cache statistics
----------------
Cache size: 150
Queries forwarded: 5
Queries answered locally: 2
Total DNS entries inserted into cache: 23
DNS entries removed from cache before expiry: 0
---------------------
Nameserver statistics
---------------------
Server: 10.0.0.30
Queries sent: 5
Queries retried or failed: 0

The statistics only list the servers that were actually contacted; in other words, the vRouter never sent a single query to server 10.0.0.31.

Chapter 5 Routing

Routing Tables

[email protected]:~$ show ip route
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
> - selected route, * - FIB route, p - stale info
Gateway of last resort is not set
C>* 10.1.1.0/30 is directly connected, eth1
C>* 10.2.2.0/30 is directly connected, eth2
C>* 127.0.0.0/8 is directly connected, lo
S>* 172.16.0.0/16 [1/0] via 10.1.1.1, eth1
O   172.16.0.0/16 [110/20] via 10.1.1.1, eth1, 00:00:35
C>* 192.168.0.0/24 is directly connected, eth0

Routes marked with * are the active ones (installed in the FIB).

Static Routes

[email protected]# set protocol static route 172.16.1.0/24 next-hop 10.1.2.1

[email protected]# set protocol static route 0.0.0.0/0 next-hop 192.168.1.1

Floating Static Routes

Protocol    Distance
Connected   0
Static      1
EBGP        20
OSPF        110
RIP         120
IBGP        200

[email protected]# set protocol static route 192.168.1.0/24 next-hop 10.1.1.2 distance 150
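As an added illustration (not part of these notes and not Vyatta code), the following Python models how the RIB chooses a route: per prefix, the candidate with the lowest administrative distance wins (metric breaks ties), and a lookup then takes the longest matching prefix among the winners. The routes come from the show ip route output above and the DHCP default route (AD 210) from Chapter 4; the RIP route for 192.168.1.0/24 is constructed so that the floating static with distance 150 has something to back up.

```python
"""Added example: administrative-distance selection and longest-prefix
match over a small RIB built from the notes' show output."""
from ipaddress import ip_address, ip_network

# Default administrative distances from the table above (lower wins).
AD = {"connected": 0, "static": 1, "ebgp": 20, "ospf": 110,
      "rip": 120, "ibgp": 200, "dhcp": 210}


def route(proto, prefix, nexthop, metric=0, distance=None):
    """One RIB entry; `distance` overrides the protocol default
    (that is what 'set protocol static route ... distance 150' does)."""
    return {"proto": proto, "prefix": prefix, "nexthop": nexthop,
            "metric": metric,
            "distance": AD[proto] if distance is None else distance}


def best_routes(rib):
    """Per prefix, keep the candidate with the lowest (AD, metric).
    These are the routes shown with '>*' by `show ip route`."""
    best = {}
    for r in rib:
        key = r["prefix"]
        cand = (r["distance"], r["metric"])
        if key not in best or cand < (best[key]["distance"], best[key]["metric"]):
            best[key] = r
    return best


def lookup(rib, dst):
    """FIB-style lookup: longest prefix among the selected routes."""
    dst = ip_address(dst)
    matches = [r for r in best_routes(rib).values()
               if dst in ip_network(r["prefix"])]
    if not matches:
        return None
    return max(matches, key=lambda r: ip_network(r["prefix"]).prefixlen)


# Constructed sample RIB (values taken from the notes where available).
RIB = [
    route("connected", "10.1.1.0/30", "eth1"),
    route("static", "172.16.0.0/16", "10.1.1.1"),            # [1/0]   wins
    route("ospf", "172.16.0.0/16", "10.1.1.1", metric=20),   # [110/20] loses
    route("dhcp", "0.0.0.0/0", "192.168.196.2"),             # [210/0]
    route("rip", "192.168.1.0/24", "10.1.1.2", metric=2),    # constructed
    # floating static with 'distance 150' as in the notes: backup to RIP
    route("static", "192.168.1.0/24", "10.1.1.2", distance=150),
]


def without(rib, proto):
    """Simulate a protocol withdrawing all of its routes."""
    return [r for r in rib if r["proto"] != proto]


if __name__ == "__main__":
    for dst in ("172.16.1.1", "192.168.1.7", "8.8.8.8", "10.1.1.2"):
        r = lookup(RIB, dst)
        print(f"{dst:12} -> {r['proto']:9} {r['prefix']:16} [{r['distance']}/{r['metric']}]")
    # RIP withdrawn: the floating static takes over for 192.168.1.0/24
    r = lookup(without(RIB, "rip"), "192.168.1.7")
    print(f"without RIP  -> {r['proto']:9} {r['prefix']:16} [{r['distance']}/{r['metric']}]")
```

Running it shows the static 172.16.0.0/16 beating OSPF on AD alone (1 versus 110, even though OSPF carries a metric), 192.168.1.0/24 being served by RIP until RIP disappears, and the DHCP default only being used when nothing longer matches.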

Chapter 6 Firewalls

[Figure: vRouter packet processing (Vyatta)]

Firewall Rulebase

Based on Match and Action.

Match: matches on Layer 3 and Layer 4; if no match criteria are specified, the rule matches all traffic.

Action: Accept, Reject (sends an ICMP unreachable message), Drop. The default action is DROP.

set firewall name PublicServers rule 10 action accept
set firewall name PublicServers rule 10 state established enable
set firewall name PublicServers rule 10 state related enable

set firewall name PublicServers rule 20 action accept
set firewall name PublicServers rule 20 destination address 10.6.7.0/24
set firewall name PublicServers rule 20 source address 10.2.3.0/24

set firewall name PublicServers rule 30 action accept
set firewall name PublicServers rule 30 destination address 10.6.7.0/24
set firewall name PublicServers rule 30 destination port smtp
set firewall name PublicServers rule 30 protocol tcp
set firewall name PublicServers rule 30 source address 10.4.5.0/24

set firewall name PublicServers rule 40 action reject
set firewall name PublicServers rule 40 destination address 10.6.7.0/24
set firewall name PublicServers rule 40 source address 10.4.5.0/24

set firewall name PublicServers rule 50 action accept
set firewall name PublicServers rule 50 destination address 10.6.7.0/24
set firewall name PublicServers rule 50 destination port http,ftp,smtp
set firewall name PublicServers rule 50 protocol tcp

[email protected]# set interfaces ethernet eth0 firewall out name PublicServers

[email protected]# run show firewall name

-----------------------------
Rulesets Information
-----------------------------
--------------------------------------------------------------------------------
IPv4 Firewall "PublicServers":

Active on (eth0,OUT)

rule  action   proto     packets  bytes
----  ------   -----     -------  -----
10    accept   all       0        0
condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 state RELATED,ESTABLISHED

20    accept   all       0        0
condition - saddr 10.2.3.0/24 daddr 10.6.7.0/24

30    accept   tcp       0        0
condition - saddr 10.4.5.0/24 daddr 10.6.7.0/24 tcp dpt:25

40    reject   all       0        0
condition - saddr 10.4.5.0/24 daddr 10.6.7.0/24 reject-with icmp-port-unreachable

50    accept   tcp       0        0
condition - saddr 0.0.0.0/0 daddr 10.6.7.0/24  dports 80,21,25

10000 drop     all       0        0
condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0

[email protected]:~$ show firewall name PublicServers statistics
IPv4 Firewall "PublicServers":
Active on (eth0,OUT)
rule  packets   bytes     action  source              destination
----  -------   -----     ------  ------              -----------
10    5.62M     6.52G     ACCEPT  0.0.0.0/0           0.0.0.0/0
20    51        13036     ACCEPT  10.2.3.0/24         10.6.7.0/24
30    0         0         ACCEPT  10.4.5.0/24         10.6.7.0/24
40    0         0         REJECT  10.4.5.0/24         10.6.7.0/24
50    0         0         ACCEPT  0.0.0.0/0           10.6.7.0/24
1025  2042      923057    DROP    0.0.0.0/0           0.0.0.0/0

One of the states is "related" traffic; this is what allows the ALG to work for protocols such as FTP and SIP.
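The PublicServers rulebase above is evaluated top-down, first match wins, and anything that matches nothing falls through to the implicit drop (rule 10000). The following Python is an added example (not from these notes and not Vyatta code) that models that evaluation for the five rules as written, so the effect of rule order can be checked: rule 40 sits before rule 50, so hosts in 10.4.5.0/24 only get SMTP to 10.6.7.0/24 and are rejected for HTTP and FTP, which everyone else is allowed by rule 50. The packets are constructed samples; connection state is taken as a field on the packet rather than tracked.

```python
"""Added example: first-match evaluation of the PublicServers rulebase,
with the implicit final drop, over constructed sample packets."""
from ipaddress import ip_address, ip_network

# Rules as configured above. A missing key means "match all" for that field.
RULES = [
    {"n": 10, "action": "accept", "state": {"established", "related"}},
    {"n": 20, "action": "accept", "src": "10.2.3.0/24", "dst": "10.6.7.0/24"},
    {"n": 30, "action": "accept", "src": "10.4.5.0/24", "dst": "10.6.7.0/24",
     "proto": "tcp", "dport": {25}},
    {"n": 40, "action": "reject", "src": "10.4.5.0/24", "dst": "10.6.7.0/24"},
    {"n": 50, "action": "accept", "dst": "10.6.7.0/24", "proto": "tcp",
     "dport": {80, 21, 25}},
]
# The default action is DROP (shown as rule 10000 in `show firewall name`).
DEFAULT_RULE = {"n": 10000, "action": "drop"}


def packet(src, dst, proto="tcp", dport=None, state="new"):
    """Constructed packet summary: the L3/L4 fields the rulebase looks at."""
    return {"src": src, "dst": dst, "proto": proto, "dport": dport, "state": state}


def matches(rule, pkt):
    """True if every criterion present in the rule matches the packet."""
    if "src" in rule and ip_address(pkt["src"]) not in ip_network(rule["src"]):
        return False
    if "dst" in rule and ip_address(pkt["dst"]) not in ip_network(rule["dst"]):
        return False
    if "proto" in rule and pkt["proto"] != rule["proto"]:
        return False
    if "dport" in rule and pkt["dport"] not in rule["dport"]:
        return False
    if "state" in rule and pkt["state"] not in rule["state"]:
        return False
    return True


def evaluate(pkt, rules=RULES):
    """Return (rule number, action) of the first matching rule."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["n"], rule["action"]
    return DEFAULT_RULE["n"], DEFAULT_RULE["action"]


def moved_last(rules, n):
    """Copy of `rules` with rule `n` moved to the end (to show order matters)."""
    return [r for r in rules if r["n"] != n] + [r for r in rules if r["n"] == n]


# Constructed sample traffic, one packet per interesting case.
SAMPLES = [
    packet("10.6.7.8", "10.2.3.4", dport=52000, state="established"),  # reply
    packet("10.2.3.4", "10.6.7.8", proto="udp", dport=53),            # rule 20
    packet("10.4.5.6", "10.6.7.8", dport=25),                         # rule 30
    packet("10.4.5.6", "10.6.7.8", dport=80),                         # rule 40
    packet("192.0.2.1", "10.6.7.8", dport=80),                        # rule 50
    packet("192.0.2.1", "10.6.7.8", dport=22),                        # default
]

if __name__ == "__main__":
    for p in SAMPLES:
        n, action = evaluate(p)
        print(f"{p['src']:>10} -> {p['dst']:<10} {p['proto']}/{p['dport']} "
              f"{p['state']:<11} rule {n:<5} {action}")
    # Same HTTP packet from 10.4.5.0/24 once rule 40 is moved after rule 50:
    print("rule 40 last:", evaluate(SAMPLES[3], moved_last(RULES, 40)))
```

The last line is the point to watch in a review: with rule 40 moved behind rule 50 the HTTP packet from 10.4.5.0/24 is accepted by rule 50 instead of rejected, so the restriction silently disappears without any rule being removed. The `show firewall name ... statistics` counters above are the operational way to confirm which rule traffic is actually hitting.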

Applying Rulebases

 Individual interfaces - each interface can have one rulebase in each direction (IN and OUT), and the same rulebase can be applied to several interfaces.
Zones - a zone is a group of interfaces. Grouping interfaces into zones implicitly covers every address within the zone. A rulebase can be applied to zones, which makes more generic security policies possible. When the rulebase is applied, the source and destination zones are specified.

References:

BCVRE 170-010 Study Notes, Part 1

Vyatta vRouter 5400 Online Documentation

Brocade Certified vRouter Engineer 2013 (BCVRE) Exam

Free voucher for the Brocade Certified vRouter Engineer (BCVRE) 170-010 Exam

Network Functions Virtualization

Certification Brocade Community

Certification Exam Information

Notes on Outbound Route Filtering (ORF)

This BGP feature lets a router use a prefix-list to control which prefixes its BGP peer should send to it, thereby reducing the number of prefixes that have to be processed. Syntax:

router bgp autonomous-system-number

neighbor ip-address capability orf prefix-list [send | receive | both]

neighbor {ip-address| peer-group-name} prefix-list prefix-list-name {in | out}

Notes:

  • Only used with eBGP
  • Does not support multicast
  • Must be configured per address family

Diagram

[Figure: BGP Outbound Route Filtering (ORF)]

Example 1

Router R2 wants to receive only the prefix 192.168.2.0/24.

R1

router bgp 65100
neighbor 192.168.1.2 remote-as 65200
address-family ipv4
neighbor 192.168.1.2 capability orf prefix-list receive

R2

ip prefix-list ORFFILTER seq 5 permit 192.168.2.0/24

router bgp 65200
neighbor 192.168.1.1 remote-as 65100
address-family ipv4
neighbor 192.168.1.1 capability orf prefix-list send
neighbor 192.168.1.1 prefix-list ORFFILTER in


Check which prefixes are filtered on the peering with R2, as defined by the prefix-list on R2:

R1#show ip bgp neighbors 192.168.1.2 received prefix-filter
Address family: IPv4 Unicast
ip prefix-list 192.168.1.2: 1 entries
   seq 5 permit 192.168.2.0/24

R1#show ip bgp neighbors 192.168.1.2 | beg ORF
Outbound Route Filter (ORF) type (128) Prefix-list:
Send-mode: received
Receive-mode: advertised
Outbound Route Filter (ORF): received (1 entries)

                                 Sent       Rcvd
  Prefix activity:               ----       ----
    Prefixes Current:               0          0
    Prefixes Total:                 0          0
    Implicit Withdraw:              0          0
    Explicit Withdraw:              0          0
    Used as bestpath:             n/a          0
    Used as multipath:            n/a          0

                                   Outbound    Inbound
  Local Policy Denied Prefixes:    --------    -------
    ORF prefix-list:                      4        n/a
    Total:                                4          0
  Number of NLRIs in the update sent: max 3, min 1

R2's routing table:

R2#show ip route bgp

B 192.168.2.0/24 [20/0] via 192.168.1.1, 00:01:12

Example 2

Router R2 wants to receive every prefix except 192.168.2.0/24.

R1

router bgp 65100
neighbor 192.168.1.2 remote-as 65200
address-family ipv4
neighbor 192.168.1.2 capability orf prefix-list receive

R2

ip prefix-list ORFFILTER seq 5 deny 192.168.2.0/24
ip prefix-list ORFFILTER seq 10 permit 0.0.0.0/0 le 32

router bgp 65200
neighbor 192.168.1.1 remote-as 65100
address-family ipv4
neighbor 192.168.1.1 capability orf prefix-list send
neighbor 192.168.1.1 prefix-list ORFFILTER in

Check which prefixes are filtered on the peering with R2, as defined by the prefix-list on R2:

R1#show ip bgp neighbors 192.168.1.2 received prefix-filter
Address family: IPv4 Unicast
ip prefix-list 192.168.1.2: 2 entries
   seq 5 deny 192.168.2.0/24
   seq 10 permit 0.0.0.0/0 le 32

R1#show ip bgp neighbors 192.168.1.2 | beg ORF
Outbound Route Filter (ORF) type (128) Prefix-list:
Send-mode: received
Receive-mode: advertised
Outbound Route Filter (ORF): received (2 entries)
                                 Sent       Rcvd
  Prefix activity:               ----       ----
    Prefixes Current:               3          0
    Prefixes Total:                 3          0
    Implicit Withdraw:              0          0
    Explicit Withdraw:              0          0
    Used as bestpath:             n/a          0
    Used as multipath:            n/a          0

                                   Outbound    Inbound
  Local Policy Denied Prefixes:    --------    -------
    ORF prefix-list:                      1        n/a
    Total:                                1          0
  Number of NLRIs in the update sent: max 3, min 1

R2's routing table:

R2#show ip route bgp
B 192.168.4.0/24 [20/0] via 192.168.1.1, 00:00:36
B 192.168.5.0/24 [20/0] via 192.168.1.1, 00:00:36
B 192.168.3.0/24 [20/0] via 192.168.1.1, 00:00:36

Note: changes made to the prefix-list are not propagated automatically; they have to be pushed to the peer with:

R2#clear ip bgp 192.168.1.1 in prefix-filter
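With ORF the filtering happens on R1 before the update is built: R1 evaluates each prefix it would advertise against the prefix-list it received from R2, and the ones that fail show up in the "ORF prefix-list" line under Local Policy Denied Prefixes. The following Python is an added example (not from these notes and not IOS code) that reproduces that evaluation, with IOS prefix-list semantics for exact-length matches and the le keyword, for the prefix-lists of Example 1 and Example 2. R1's set of advertised prefixes is constructed from the prefixes visible in R2's routing tables above; it is not stated in full in the notes.

```python
"""Added example: evaluate the ORF prefix-list received from R2 against
the prefixes R1 would advertise, IOS prefix-list semantics."""
from ipaddress import ip_network


def parse_prefix_list(text):
    """Parse 'ip prefix-list NAME seq N permit|deny A/L [ge X] [le Y]'
    lines into (seq, action, network, ge, le) tuples ordered by seq."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        # ip prefix-list NAME seq N ACTION PREFIX [ge X] [le Y]
        seq, action, net = int(tok[4]), tok[5], ip_network(tok[6])
        ge = le = None
        i = 7
        while i < len(tok):
            if tok[i] == "ge":
                ge = int(tok[i + 1])
            elif tok[i] == "le":
                le = int(tok[i + 1])
            else:
                raise ValueError(f"unexpected token {tok[i]!r} in: {line}")
            i += 2
        entries.append((seq, action, net, ge, le))
    return sorted(entries, key=lambda e: e[0])


def entry_matches(entry, prefix):
    """IOS semantics: the route must lie inside the entry's network, and
    its length must be within [ge or L, le or (32 if ge is set, else L)].
    With neither ge nor le only the exact length L matches."""
    _, _, net, ge, le = entry
    prefix = ip_network(prefix)
    if not prefix.subnet_of(net):
        return False
    lo = ge if ge is not None else net.prefixlen
    hi = le if le is not None else (32 if ge is not None else net.prefixlen)
    return lo <= prefix.prefixlen <= hi


def permitted(prefix_list, prefix):
    """First matching entry decides; an implicit deny ends every list."""
    for entry in prefix_list:
        if entry_matches(entry, prefix):
            return entry[1] == "permit"
    return False


def apply_orf(advertised, orf_text):
    """Split R1's candidate prefixes into (sent, locally denied), the
    split behind the 'ORF prefix-list' counter on R1."""
    plist = parse_prefix_list(orf_text)
    sent = [p for p in advertised if permitted(plist, p)]
    denied = [p for p in advertised if not permitted(plist, p)]
    return sent, denied


# Constructed: the prefixes R1 has to offer R2 (2.0/24 plus those seen
# in R2's table in Example 2).
ADVERTISED = ["192.168.2.0/24", "192.168.3.0/24", "192.168.4.0/24", "192.168.5.0/24"]

EXAMPLE1_ORF = "ip prefix-list ORFFILTER seq 5 permit 192.168.2.0/24"
EXAMPLE2_ORF = """
ip prefix-list ORFFILTER seq 5 deny 192.168.2.0/24
ip prefix-list ORFFILTER seq 10 permit 0.0.0.0/0 le 32
"""

if __name__ == "__main__":
    for name, orf in (("Example 1", EXAMPLE1_ORF), ("Example 2", EXAMPLE2_ORF)):
        sent, denied = apply_orf(ADVERTISED, orf)
        print(f"{name}: sent {sent}, ORF prefix-list denied {len(denied)}")
```

Two details worth checking with this: an entry without ge/le (Example 1) matches only the exact length, so a more specific 192.168.2.0/25 would not get through, and `permit 0.0.0.0/0 le 32` is what makes the Example 2 list end in "permit everything else" instead of the implicit deny. The parser also rejects a malformed entry such as `permit le 0.0.0.0/0 le 32`, which IOS would likewise refuse.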

Updated 19/12/2015