add corerouter,staff,intra configs (wip)

2022-05-16 00:37:24 +02:00 · 2022-05-16 00:37:24 +02:00 · 564354cdde
commit 564354cdde
parent d10be599cd
3 changed files with 230 additions and 6 deletions
--- a/corerouter.tex
+++ b/corerouter.tex
@ -1,9 +1,91 @@
 \subsection{\texttt{Core Router}}
+hostname, loginy
 \begin{verbatim}
-  % not much
+en
+conf t
+hostname CoreRouter
+#
+# enable strong and complicated password 
+#
+enable password 123
+#
+# gen keys, needs a domain name
+# enter 4096 when asked about bitsize
+#
+ip domain-name CoreRouter
+crypto key generate rsa modulus 4096
+#
+# set strong and complicated password
+#
+username admin password admin
+line vty 0 15
+login local
+transport input ssh
+exit
+ip ssh version 2
+ip ssh authentication-retries 3
+ip ssh time-out 120
+exit
 \end{verbatim}

-\subsubsection{\texttt{DMZ}}
+\subsubsection{\texttt{DMZ dhcp}:}
 \begin{verbatim}
-  % not much
+# (config)
+ip dhcp pool DMZ
+network 192.168.100.0 255.255.255.128
+default-router 192.168.100.1
+exit
+#
+# exclude x.x.x.1-30
+#
+ip dhcp excluded-address 192.168.100.1 192.168.100.30
+\end{verbatim}
+
+\subsubsection{\texttt{Intranet dhcp}:}
+\begin{verbatim}
+# (config)
+ip dhcp pool Intranet
+network 192.168.255.0 255.255.255.128
+default-router 192.168.255.1
+exit
+#
+# exclude x.x.x.1-60
+#
+ip dhcp excluded-address 192.168.255.1 192.168.255.60
+\end{verbatim}
+
+\subsubsection{\texttt{VLAN-HOST}:}
+\begin{verbatim}
+# (config)
+ip dhcp pool VLAN-HOST
+network 10.0.10.0 255.255.254.0
+default-router 10.0.10.1
+exit
+#
+# exclude x.x.10.1-x.x.11.0
+#
+ip dhcp excluded-address 10.0.10.1 10.0.11.0
+\end{verbatim}
+
+\subsubsection{\texttt{DMZ DNSpublic}}
+\texttt{DNSpublic} cofigure static IP:
+\begin{verbatim}
+# since this is an older Ubuntu box, we use ifconfig+route
+ifconfig eth0 192.168.100.25 255.255.255.128
+route add default gw 192.168.100.1
+ifconfig eth0 up
+\end{verbatim}
+
+\subsubsection{\texttt{DMZ WEBserver}}
+\texttt{WEBserver} enable dhcp on eth0:
+\begin{verbatim}
+# edit /etc/network/interfaces to contain the following
+auto eth0
+iface eth0 inet dhcp
+#
+# then reload the interface
+#
+ip link set eth0 down
+ip link set eth0 up
+
 \end{verbatim}
--- a/intra.tex
+++ b/intra.tex
@ -1,9 +1,84 @@
 \subsection{\texttt{INTRA}}
+
+set hostname \&\& port-sec recovery timeout
 \begin{verbatim}
-  % not much
+en
+conf t
+#
+# set hostname to INTRA
+#
+hostname INTRA
+#
+# port-sec recovery timeout - 120s
+#
+errdisable recovery interval 120s
+errdisable recovery cause psecure-violation
+\end{verbatim}
+
+\noindent
+enable port-sec for g0/{1|2|3}
+\begin{verbatim}
+# continuation of the previous block, no need to "enable" and "conf t" again
+interface g0/1
+switchport mode access
+switchport port-security maximum 2
+switchport port-security violation shutdown
+switchport port-security mac-address sticky
+switchport port-security
+#
+# g0/2
+#
+interface g0/2
+switchport mode access
+switchport port-security maximum 2
+switchport port-security violation shutdown
+switchport port-security mac-address sticky
+switchport port-security
+#
+# g0/3
+#
+interface g0/3
+switchport mode access
+switchport port-security maximum 2
+switchport port-security violation shutdown
+switchport port-security mac-address sticky
+switchport port-security
+\end{verbatim}
+
+\noindent
+trust arp packets from g0/0 (\texttt{STAFF})
+\begin{verbatim}
+en
+conf t
+in g0/0
+no shut
+ip arp inspection trust
+end
+#
+# verify
+#
+show ip arp inspection interfaces g0/0
 \end{verbatim}

 \subsubsection{Intranet}
+\texttt{INTRA} cofigure vlan
 \begin{verbatim}
-  % not much
+en
+conf t
+vlan 7
+#
+# set name
+#
+name Intranet
+exit
+#
+# add ports
+#
+in g0/1
+switchport access vlan 7
+in g0/2
+switchport access vlan 7
+in g0/3
+switchport access vlan 7
+exit
 \end{verbatim}
--- a/staff.tex
+++ b/staff.tex
@ -1,4 +1,71 @@
 \subsection{\texttt{STAFF}}
+
+set hostname \&\& port-sec recovery timeout
+% port-sec recovery timeout - 120s
 \begin{verbatim}
-  % not much
+en
+conf t
+#
+# set hostname to STAFF
+#
+hostname STAFF
+#
+# port-sec recovery timeout - 120s
+#
+errdisable recovery interval 120s
+errdisable recovery cause psecure-violation
+\end{verbatim}
+
+\noindent
+enable port-sec for g0/{1|2}
+\begin{verbatim}
+# no need to elevate privileges since we did that in the previous block
+#
+# g0/2
+#
+interface g0/1
+switchport mode access
+switchport port-security maximum 2
+switchport port-security violation shutdown
+switchport port-security mac-address sticky
+switchport port-security
+#
+# g0/2
+#
+interface g0/2
+switchport mode access
+switchport port-security maximum 2
+switchport port-security violation shutdown
+switchport port-security mac-address sticky
+switchport port-security
+\end{verbatim}
+
+\noindent
+trust arp packets from g0/0 (\texttt{CoreRouter})
+\begin{verbatim}
+en
+conf t
+in g0/0
+no shut
+ip arp inspection trust
+end
+#
+# verify
+#
+show ip arp inspection interfaces g0/0
+\end{verbatim}
+
+\noindent
+trust arp packets from g0/3 (\texttt{INTRA})
+\begin{verbatim}
+en
+conf t
+in g0/3
+no shut
+ip arp inspection trust
+end
+#
+# verify
+#
+show ip arp inspection interfaces g0/3
 \end{verbatim}