diff --git a/corerouter.tex b/corerouter.tex
index 40b205b..2b9c969 100644
--- a/corerouter.tex
+++ b/corerouter.tex
@@ -1,9 +1,91 @@
 \subsection{\texttt{Core Router}}
+hostname, loginy
 \begin{verbatim}
- % not much
+en
+conf t
+hostname CoreRouter
+#
+# enable strong and complicated password
+#
+enable password 123
+#
+# gen keys, needs a domain name
+# enter 4096 when asked about bitsize
+#
+ip domain-name CoreRouter
+crypto key generate rsa modulus 4096
+#
+# set strong and complicated password
+#
+username admin password admin
+line vty 0 15
+login local
+transport input ssh
+exit
+ip ssh version 2
+ip ssh authentication-retries 3
+ip ssh time-out 120
+exit
 \end{verbatim}
-\subsubsection{\texttt{DMZ}}
+\subsubsection{\texttt{DMZ dhcp}:}
 \begin{verbatim}
- % not much
+# (config)
+ip dhcp pool DMZ
+network 192.168.100.0 255.255.255.128
+default-router 192.168.100.1
+exit
+#
+# exclude x.x.x.1-30
+#
+ip dhcp excluded-address 192.168.100.1 192.168.100.30
+\end{verbatim}
+
+\subsubsection{\texttt{Intranet dhcp}:}
+\begin{verbatim}
+# (config)
+ip dhcp pool Intranet
+network 192.168.255.0 255.255.255.128
+default-router 192.168.255.1
+exit
+#
+# exclude x.x.x.1-60
+#
+ip dhcp excluded-address 192.168.255.1 192.168.255.60
+\end{verbatim}
+
+\subsubsection{\texttt{VLAN-HOST}:}
+\begin{verbatim}
+# (config)
+ip dhcp pool VLAN-HOST
+network 10.0.10.0 255.255.254.0
+default-router 10.0.10.1
+exit
+#
+# exclude x.x.10.1-x.x.11.0
+#
+ip dhcp excluded-address 10.0.10.1 10.0.11.0
+\end{verbatim}
+
+\subsubsection{\texttt{DMZ DNSpublic}}
+\texttt{DNSpublic} cofigure static IP:
+\begin{verbatim}
+# since this is an older Ubuntu box, we use ifconfig+route
+ifconfig eth0 192.168.100.25 255.255.255.128
+route add default gw 192.168.100.1
+ifconfig eth0 up
+\end{verbatim}
+
+\subsubsection{\texttt{DMZ WEBserver}}
+\texttt{WEBserver} enable dhcp on eth0:
+\begin{verbatim}
+# edit /etc/network/interfaces to contain the following
+auto eth0
+iface eth0 inet dhcp
+#
+# then reload the interface
+#
+ip link set eth0 down
+ip link set eth0 up
+
 \end{verbatim}
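Review bot: `enable password 123` and `username admin password admin` store trivially guessable credentials in a reversible form (type 0, or type 7 with `service password-encryption`), which contradicts the `# enable strong and complicated password` comments directly above them; use `enable secret <STRONG_PASSWORD>` and `username admin secret <STRONG_PASSWORD>` so IOS keeps only a one-way hash, and pick real values even in a lab write-up. The `#` lines are also unlikely to paste cleanly: IOS treats `!` as the comment leader, so `#` lines would normally be rejected as invalid input. Further down, `ifconfig eth0 192.168.100.25 255.255.255.128` appears to be missing the `netmask` keyword before the mask, and `ip link set eth0 down`/`up` toggles the link without re-running ifupdown's DHCP client, whereas `ifdown eth0 && ifup eth0` is what picks up the edited `/etc/network/interfaces`.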
diff --git a/intra.tex b/intra.tex
index 310c54c..4e8dfb6 100644
--- a/intra.tex
+++ b/intra.tex
@@ -1,9 +1,84 @@
 \subsection{\texttt{INTRA}}
+
+set hostname \&\& port-sec recovery timeout
 \begin{verbatim}
- % not much
+en
+conf t
+#
+# set hostname to INTRA
+#
+hostname INTRA
+#
+# port-sec recovery timeout - 120s
+#
+errdisable recovery interval 120s
+errdisable recovery cause psecure-violation
+\end{verbatim}
+
+\noindent
+enable port-sec for g0/{1|2|3}
+\begin{verbatim}
+# continuation of the previous block, no need to "enable" and "conf t" again
+interface g0/1
+switchport mode access
+switchport port-security maximum 2
+switchport port-security violation shutdown
+switchport port-security mac-address sticky
+switchport port-security
+#
+# g0/2
+#
+interface g0/2
+switchport mode access
+switchport port-security maximum 2
+switchport port-security violation shutdown
+switchport port-security mac-address sticky
+switchport port-security
+#
+# g0/3
+#
+interface g0/3
+switchport mode access
+switchport port-security maximum 2
+switchport port-security violation shutdown
+switchport port-security mac-address sticky
+switchport port-security
+\end{verbatim}
+
+\noindent
+trust arp packets from g0/0 (\texttt{STAFF})
+\begin{verbatim}
+en
+conf t
+in g0/0
+no shut
+ip arp inspection trust
+end
+#
+# verify
+#
+show ip arp inspection interfaces g0/0
 \end{verbatim}
 \subsubsection{Intranet}
+\texttt{INTRA} cofigure vlan
 \begin{verbatim}
- % not much
+en
+conf t
+vlan 7
+#
+# set name
+#
+name Intranet
+exit
+#
+# add ports
+#
+in g0/1
+switchport access vlan 7
+in g0/2
+switchport access vlan 7
+in g0/3
+switchport access vlan 7
+exit
 \end{verbatim}
diff --git a/staff.tex b/staff.tex
index 867c96e..80791b8 100644
--- a/staff.tex
+++ b/staff.tex
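Review bot: `ip arp inspection trust` on g0/0 is inert until Dynamic ARP Inspection is actually enabled for the VLAN with `ip arp inspection vlan 7`, and DAI validates untrusted ports against the DHCP snooping binding table, which this hunk never turns on (`ip dhcp snooping` / `ip dhcp snooping vlan 7`); unless that lives elsewhere in the document, the trust block configures nothing observable, and the same applies to both trust blocks in staff.tex. `errdisable recovery interval 120s` also looks syntactically off: the command takes a bare number of seconds (`errdisable recovery interval 120`), so the `s` suffix is probably rejected; staff.tex repeats the line. Since the port-security blocks use `mac-address sticky`, the learned addresses only enter the running config, so a closing `copy running-config startup-config` would be worth adding so they survive a reload.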
@@ -1,4 +1,71 @@
 \subsection{\texttt{STAFF}}
+
+set hostname \&\& port-sec recovery timeout
+% port-sec recovery timeout - 120s
 \begin{verbatim}
- % not much
+en
+conf t
+#
+# set hostname to STAFF
+#
+hostname STAFF
+#
+# port-sec recovery timeout - 120s
+#
+errdisable recovery interval 120s
+errdisable recovery cause psecure-violation
+\end{verbatim}
+
+\noindent
+enable port-sec for g0/{1|2}
+\begin{verbatim}
+# no need to elevate privileges since we did that in the previous block
+#
+# g0/2
+#
+interface g0/1
+switchport mode access
+switchport port-security maximum 2
+switchport port-security violation shutdown
+switchport port-security mac-address sticky
+switchport port-security
+#
+# g0/2
+#
+interface g0/2
+switchport mode access
+switchport port-security maximum 2
+switchport port-security violation shutdown
+switchport port-security mac-address sticky
+switchport port-security
+\end{verbatim}
+
+\noindent
+trust arp packets from g0/0 (\texttt{CoreRouter})
+\begin{verbatim}
+en
+conf t
+in g0/0
+no shut
+ip arp inspection trust
+end
+#
+# verify
+#
+show ip arp inspection interfaces g0/0
+\end{verbatim}
+
+\noindent
+trust arp packets from g0/3 (\texttt{INTRA})
+\begin{verbatim}
+en
+conf t
+in g0/3
+no shut
+ip arp inspection trust
+end
+#
+# verify
+#
+show ip arp inspection interfaces g0/3
 \end{verbatim}
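Review bot: The comment block `# g0/2` that precedes `interface g0/1` in the port-security section is a copy-paste slip and should read `# g0/1`; as written it steers a reader pasting by section onto the wrong interface. The LaTeX comment `% port-sec recovery timeout - 120s` added above `\begin{verbatim}` duplicates the `# port-sec recovery timeout - 120s` line inside the block and can be dropped.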