Sunday, November 18, 2018

Basic Configuration of a Barracuda Web Application Firewall WAF

Contents
  1. Overview
  2. Initial Setup
  3. Setup Outbound Firewall Rules
  4. Activate the Firewall
    4.1 Subscription
    4.2 Firmware Upgrades
    4.3 Energize Updates
  5. General Settings
    5.1 IP Address
    5.2 DNS
    5.3 Syslog
    5.4 Time
    5.5 Admin Access
    5.6 SNMP Conf
    5.7 Change Password
    5.8 Setup HA Pair

Overview:

This post covers the basic configuration of a Barracuda WAF (Web Application Firewall), model 660.

Initial Setup:

Unlike "higher quality" systems, the Barracuda needs a keyboard and VGA monitor for the initial configuration.  Once it is plugged in, log in with the default user/password (admin/admin; change it as soon as the box is on the network, see Change Password below) and, in the System Configuration window, navigate to TCP/IP Configuration.  From there, enter the following:
  • WAN (external) IP
  • WAN Mask
  • WAN Gateway
  • Primary and secondary DNS servers.  (Note that the Barracuda's Achilles' heel is the external DNS system.  It requires working DNS to function properly, so make sure the resolvers are robust and reachable from the Barracuda.)
When you are done, select Save and Exit.  The changes take effect immediately.

Setup Outbound Firewall Rules

The system must be able to reach Barracuda Networks to handle licensing.  (This is how they milk the hell out of you for an overpriced support contract. :)  Without this connectivity the system throws errors and misbehaves from an admin point of view.  To enable this bend-overage, allow the following outbound flows on your perimeter firewall:
Allow TCP/80 from the Barracuda's own address to the following destinations (CIDR form):
  • 64.235.147.0/24
  • 64.235.144.132/32
  • 216.129.105.0/24
  • 216.129.125.0/24
  • 205.158.110.0/24
Vendor address ranges change over time, so confirm this list against Barracuda's current documentation before relying on it, and keep the rule scoped to the WAF's address rather than opening port 80 outbound for the whole DMZ.  The appliance also needs to reach the DNS servers you entered during initial setup, so allow those flows as well.
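As an added example (not part of the original post), here is a small shell script that turns the allow-list above into iptables FORWARD rules for a Linux perimeter firewall. The WAF address and the DNS resolvers are placeholders from the RFC 5737 documentation ranges, and the script only prints the rules so you can review them before applying.

```shell
#!/bin/sh
# Added example: generate the egress allow-list for a Barracuda WAF as
# iptables FORWARD rules.  Nothing is applied; the rules are printed.
# Assumptions: WAF_IP and DNS_SERVERS are placeholder addresses, override
# them in the environment to match your deployment.
WAF_IP="${WAF_IP:-192.0.2.10}"
DNS_SERVERS="${DNS_SERVERS:-198.51.100.53 198.51.100.54}"

# Destination ranges from the post, rewritten in CIDR notation.
BARRACUDA_NETS="64.235.147.0/24 64.235.144.132/32 216.129.105.0/24 216.129.125.0/24 205.158.110.0/24"

# Print the rule set.  Order matters: return traffic first, then the specific
# allows (DNS, then licensing over TCP/80), then log and drop anything else
# the appliance tries to originate so a compromised WAF cannot reach out freely.
gen_waf_egress_rules() {
    printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    for dns in $DNS_SERVERS; do
        printf 'iptables -A FORWARD -s %s -d %s -p udp --dport 53 -j ACCEPT\n' "$WAF_IP" "$dns"
    done
    for net in $BARRACUDA_NETS; do
        printf 'iptables -A FORWARD -s %s -d %s -p tcp --dport 80 -j ACCEPT\n' "$WAF_IP" "$net"
    done
    printf 'iptables -A FORWARD -s %s -j LOG --log-prefix "WAF-EGRESS-DENY "\n' "$WAF_IP"
    printf 'iptables -A FORWARD -s %s -j DROP\n' "$WAF_IP"
}

# Number of licensing (TCP/80) allows produced; a quick sanity check after
# editing BARRACUDA_NETS.
count_license_rules() {
    gen_waf_egress_rules | grep -c -- '--dport 80'
}

gen_waf_egress_rules
```

Pipe the output into `sh` once you have reviewed it; the final LOG rule gives you a syslog line for every blocked outbound attempt, which is also a cheap way to find out when Barracuda changes its address ranges.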


Activate the Firewall:

Subscription:

From the Basic tab, under Status, select "Click here for activation code".  This opens a Barracuda web page where you enter your company's information for the support contract.  When you are finished you will receive an activation code; paste it back into the Status page of the Basic tab, under Subscription Status.

Firmware Upgrades:

To update firmware, go to the Advanced tab, select Firmware Update, and check whether the Current Installed Version is lower than the Latest General Release.  If it is, select Download Now under the Latest General Release section, then select Apply Now to install the newest release.

Energize Updates:

To get the latest Security, Virus and Attack definitions, go to the Advanced tab and select the Energize Updates sub-tab, then select Update for each of those subsections.  The definitions are applied without a restart.

General Settings:

IP Address: 

Under the Basic Tab, under IP Configuration, set your LAN and Management IP addresses.    The LAN interface is the one that connects directly to the servers being proxied, and the Management interface is how admin access is

DNS:

Under the Basic tab, under IP Configuration, set your DNS servers.  These are the resolvers the appliance depends on for licensing and updates, so point them at resolvers that are reachable and reliable.

Syslog:

Under the Advanced Tab, under Export Logs, set the syslog servers.

Time:

There are two different places to set the time on the system: one in the Basic tab and the other under the "special expert variables".
Under the Basic tab, under Admin, set the timezone.

Then, in the Advanced tab, under System Configuration, add the time servers in the NTP Server Settings section.

Admin Access:

Under the Basic tab, under Admin, set the range of IPs that may connect to the admin port of this system.  Keep this to your management network; the admin interface should not be reachable from the networks the WAF is protecting.

SNMP Conf:

Also under the Basic tab, further down the Admin sub-tab, is the SNMP configuration section, where you define the SNMP version, community string, and the IPs allowed to poll this system.  Prefer SNMPv3 where your monitoring supports it; v1/v2c community strings cross the wire in cleartext, so treat them as passwords and keep the poller IP list tight.

Change Password:

Change the admin password by going to the Basic tab, selecting Administration, and entering the new password in the Password Change section.  Do this before the appliance is exposed to anything beyond the management network, since it ships with admin/admin.

Setup HA Pair:

Bind a second unit by repeating the process above on it, then, under the Advanced tab, select High Availability and enter the other system's IP along with the same shared secret and group ID on both units.

Wednesday, June 13, 2018

Cisco Compute UCS B-Series Configuration using the UCS SDK and Python

The Cisco UCS B-Series is a powerful compute system. I admit it has a bit of a learning curve, but in time I’ve learned to appreciate the way it works. The thing is, after a few deployments you wonder when the Cisco engineers are going to take usability into consideration. Luckily there is an SDK you can get from GitHub here. If you need a refresher on GitHub, Atom and Python, check the post about it => GitHub and Atom. After some searching on the Java client settings (UCS Manager GUI), I was able to put together a few lines of code to configure a UCS B-Series, using an input file created from an Excel spreadsheet and saved as a .CSV:
This example file is available as a gist: ucs-book.csv.
The following example configures a UCS B-Series with 8 blades. It uses ports 3 and 4 on both Fabric Interconnects as network uplinks and creates port channels 50 and 51 with them.
The system will have three VLANs:
  1. vMotion with id 50
  2. Management with id 51
  3. Production with id 200
The script can take as many VLANs as you want from the ucs-book.csv file and will create them, but it will not allocate them to any vNIC template by default. There is also an option to omit iSCSI or FC with two boolean variables at the beginning of the script. Download it from GitHub => ucs-config
To test all of this you could download the UCS Manager Emulator from Cisco and use Fusion to provision a new UCS B-Series. This is a basic and raw script: you will need to change the path to the .csv file, I can’t guarantee it will work on your system, and of course I am not responsible for what happens to it. I recommend using it only in your development environment until you become familiar with the SDK. Enjoy.
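The script below reads ucs-book.csv with a chain of if/elif tests and accepts whatever is in the file. As an added example (not the author's code), this parser validates the same row layout before any of it reaches UCS Manager: every expected key must be present, VLAN IDs must be numeric and in range, IP fields must be IPv4 literals, and the KVM range must be ordered. The sample rows are constructed from the three VLANs the post describes, with RFC 5737 placeholder addresses; the key names are the ones the script matches on.

```python
"""Added example (not part of the original post): parse and validate the
ucs-book.csv workbook before handing its values to the UCS SDK.

Row layout: key in column 0, value(s) in columns 1..n, matching the keys
the configuration script tests for.
"""
import csv
import io
import ipaddress

# Constructed sample: the post's three VLANs plus RFC 5737 placeholder IPs.
SAMPLE_CSV = """Organization Name,Test_Org
KVM Starting IP Address,192.0.2.10
KVM Ending IP Address,192.0.2.17
KVM Gateway,192.0.2.1
KVM Primary DNS IP Address,192.0.2.2
KVM Secondary DNS IP Address,192.0.2.3
Service Profile Template Name,ESX_Template
Service Profile Name Seed,ESX-
VLAN Name,vMotion,Management,Production
VLAN ID,50,51,200
"""

# Single-valued rows and the config key they map to.
SCALAR_KEYS = {
    "Organization Name": "org",
    "KVM Starting IP Address": "kvm_first",
    "KVM Ending IP Address": "kvm_last",
    "KVM Gateway": "kvm_gateway",
    "KVM Primary DNS IP Address": "dns_primary",
    "KVM Secondary DNS IP Address": "dns_secondary",
    "Service Profile Template Name": "spt_name",
    "Service Profile Name Seed": "sp_seed",
}
IP_KEYS = {"kvm_first", "kvm_last", "kvm_gateway", "dns_primary", "dns_secondary"}


def parse_ucs_book(text):
    """Return a dict of validated settings; raise ValueError on bad input."""
    cfg = {}
    names = ids = None
    for row in csv.reader(io.StringIO(text)):
        if not row or not row[0].strip():
            continue                      # blank/padding lines from Excel exports
        key, values = row[0].strip(), [v.strip() for v in row[1:]]
        if key in SCALAR_KEYS:
            if not values or not values[0]:
                raise ValueError("missing value for %r" % key)
            cfg[SCALAR_KEYS[key]] = values[0]
        elif key == "VLAN Name":
            names = [v for v in values if v]  # drop trailing empty cells
        elif key == "VLAN ID":
            ids = [v for v in values if v]
        else:
            raise ValueError("unrecognised row key %r" % key)

    missing = set(SCALAR_KEYS.values()) - set(cfg)
    if names is None:
        missing.add("VLAN Name")
    if ids is None:
        missing.add("VLAN ID")
    if missing:
        raise ValueError("incomplete workbook, missing: %s" % sorted(missing))
    if len(names) != len(ids):
        raise ValueError("VLAN Name and VLAN ID rows differ in length")

    # 802.1Q range check; UCS Manager additionally reserves a block of high
    # IDs on the Fabric Interconnects, so also consult its Reserved VLANs view.
    vlans = {}
    for name, vid in zip(names, ids):
        if not vid.isdigit() or not 1 <= int(vid) <= 4094:
            raise ValueError("VLAN %r has invalid id %r" % (name, vid))
        if name in vlans:
            raise ValueError("duplicate VLAN name %r" % name)
        vlans[name] = int(vid)
    cfg["vlans"] = vlans

    for k in IP_KEYS:                     # reject anything that is not an IPv4 literal
        cfg[k] = ipaddress.IPv4Address(cfg[k])
    if cfg["kvm_last"] < cfg["kvm_first"]:
        raise ValueError("KVM ending address precedes starting address")

    cfg["org_dn"] = "org-root/org-%s" % cfg["org"]
    return cfg


if __name__ == "__main__":
    for key, value in sorted(parse_ucs_book(SAMPLE_CSV).items()):
        print("%-14s %s" % (key, value))
```

Call parse_ucs_book(open(path).read()) in place of the csv loop in the script below and take my_Full_Path_Org from cfg["org_dn"]; a malformed workbook then fails before the first handle.commit() instead of halfway through a partially built configuration.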
#!python
#import section
import csv
#UCS Connection Handle
from ucsmsdk.ucshandle import UcsHandle
#Create Organization
from ucsmsdk.mometa.org.OrgOrg import OrgOrg
#UUID Pool
from ucsmsdk.mometa.uuidpool.UuidpoolPool import UuidpoolPool
from ucsmsdk.mometa.uuidpool.UuidpoolBlock import UuidpoolBlock
#VLAN
from ucsmsdk.mometa.fabric.FabricVlan import FabricVlan
#Server Pool
from ucsmsdk.mometa.compute.ComputePool import ComputePool
from ucsmsdk.mometa.compute.ComputePooledSlot import ComputePooledSlot
#Maintenance Policy
from ucsmsdk.mometa.lsmaint.LsmaintMaintPolicy import LsmaintMaintPolicy
#Power Policy
from ucsmsdk.mometa.power.PowerPolicy import PowerPolicy
#Create IP Pool
from ucsmsdk.mometa.ippool.IppoolPool import IppoolPool
from ucsmsdk.mometa.ippool.IppoolBlock import IppoolBlock
#Create MAC Pool
from ucsmsdk.mometa.macpool.MacpoolPool import MacpoolPool
from ucsmsdk.mometa.macpool.MacpoolBlock import MacpoolBlock
#Create Network Control Policy
from ucsmsdk.mometa.nwctrl.NwctrlDefinition import NwctrlDefinition
from ucsmsdk.mometa.dpsec.DpsecMac import DpsecMac
#FC WWNN and WWPN Pools
from ucsmsdk.mometa.fcpool.FcpoolInitiators import FcpoolInitiators
from ucsmsdk.mometa.fcpool.FcpoolBlock import FcpoolBlock
#Create vNIC Templates
from ucsmsdk.mometa.vnic.VnicLanConnTempl import VnicLanConnTempl
from ucsmsdk.mometa.vnic.VnicEtherIf import VnicEtherIf
#Create Local Disk Conf Policy
from ucsmsdk.mometa.storage.StorageLocalDiskConfigPolicy import StorageLocalDiskConfigPolicy
#Create Boot Policy
from ucsmsdk.mometa.lsboot.LsbootPolicy import LsbootPolicy
from ucsmsdk.mometa.lsboot.LsbootVirtualMedia import LsbootVirtualMedia
from ucsmsdk.mometa.lsboot.LsbootStorage import LsbootStorage
from ucsmsdk.mometa.lsboot.LsbootLocalStorage import LsbootLocalStorage
from ucsmsdk.mometa.lsboot.LsbootUsbFlashStorageImage import LsbootUsbFlashStorageImage
#Create HBA Template
from ucsmsdk.mometa.vnic.VnicSanConnTempl import VnicSanConnTempl
from ucsmsdk.mometa.vnic.VnicFcIf import VnicFcIf
#Configuring Uplink ports
from ucsmsdk.mometa.fabric.FabricEthLanEp import FabricEthLanEp
#Configure Port Channels
from ucsmsdk.mometa.fabric.FabricEthLanPc import FabricEthLanPc
from ucsmsdk.mometa.fabric.FabricEthLanPcEp import FabricEthLanPcEp
#Create Service Profile Template
from ucsmsdk.mometa.ls.LsServer import LsServer
from ucsmsdk.mometa.ls.LsVConAssign import LsVConAssign
from ucsmsdk.mometa.vnic.VnicEther import VnicEther
from ucsmsdk.mometa.vnic.VnicFc import VnicFc
from ucsmsdk.mometa.vnic.VnicFcNode import VnicFcNode
from ucsmsdk.mometa.ls.LsRequirement import LsRequirement
from ucsmsdk.mometa.ls.LsPower import LsPower
from ucsmsdk.mometa.fabric.FabricVCon import FabricVCon

#Are we having iSCSI to the Hosts?
iSCSI = True
#Are we having FC to the hosts?
FC = False

#Connection details.  Read them from the environment (UCS_HOST, UCS_USER,
#UCS_PASS) so credentials are not committed with the script; the host below
#is only a fallback for the emulator.
import os
import getpass
ucs_host = os.environ.get("UCS_HOST", "192.168.67.148")
ucs_user = os.environ.get("UCS_USER", "admin")
ucs_pass = os.environ.get("UCS_PASS") or getpass.getpass("UCS Manager password: ")
#Create the handle.  secure=False talks plain HTTP and is only acceptable
#against the local emulator; use secure=True against a real UCS Manager.
handle = UcsHandle(ucs_host, ucs_user, ucs_pass, secure=False)
#login into UCS manager
handle.login()

#reading variables from the ucs workbook (change this path to your own copy)
VLAN_Name = []
VLAN_ID = []
with open("/Users/javirodz/Documents/ucs-book.csv", "r") as my_file:
    for row in csv.reader(my_file):
        if not row:
            continue
        if row[0] == "Organization Name":
            my_Org = row[1]
            my_Full_Path_Org = "org-root/org-%s" % my_Org
        elif row[0] == "KVM Starting IP Address":
            my_kvm_pool_first = row[1]
        elif row[0] == "KVM Primary DNS IP Address":
            my_Primary_DNS = row[1]
        elif row[0] == "KVM Secondary DNS IP Address":
            my_Secondary_DNS = row[1]
        elif row[0] == "KVM Gateway":
            my_KVM_Gateway = row[1]
        elif row[0] == "KVM Ending IP Address":
            my_kvm_last_addr = row[1]
        elif row[0] == "Service Profile Template Name":
            my_SPT = row[1]
        elif row[0] == "Service Profile Name Seed":
            my_SP_Name = row[1]
        elif row[0] == "VLAN Name":
            #whole row is kept: index 0 is the label, names start at index 1
            VLAN_Name = row
        elif row[0] == "VLAN ID":
            VLAN_ID = row
        else:
            print("Unrecognised row in workbook, ignoring: %r" % row)

#Create Sub Organization
mo = OrgOrg(parent_mo_or_dn="org-root", name=my_Org, descr="Sub Organization")
handle.add_mo(mo)
handle.commit()

#Create Production VLANs (index 0 of both rows is the label, so skip it)
for vlan_name, vlan_id in zip(VLAN_Name[1:], VLAN_ID[1:]):
    mo = FabricVlan(parent_mo_or_dn="fabric/lan", sharing="none", name=vlan_name, id=vlan_id, mcast_policy_name="", policy_owner="local", default_net="no", pub_nw_name="", compression_type="included")
    handle.add_mo(mo)
    handle.commit()

#Create UUID Pool
mo = UuidpoolPool(parent_mo_or_dn=my_Full_Path_Org, policy_owner="local", prefix="derived", descr="UUID Pool", assignment_order="sequential", name="UUID_POOL")
mo_1 = UuidpoolBlock(parent_mo_or_dn=mo, to="0001-000000000100", r_from="0001-000000000001")
handle.add_mo(mo)
handle.commit()

#Create a Server Pool containing all 8 blade slots of chassis 1
mo = ComputePool(parent_mo_or_dn=my_Full_Path_Org, policy_owner="local", name="Server_Pool", descr="Server Pool")
for slot in range(1, 9):
    #child MOs attach to the parent, so a single add_mo(mo) carries them all
    ComputePooledSlot(parent_mo_or_dn=mo, slot_id=str(slot), chassis_id="1")
handle.add_mo(mo)
handle.commit()

#Create Maintenance Policy
mo = LsmaintMaintPolicy(parent_mo_or_dn=my_Full_Path_Org, uptime_disr="user-ack", name="User_Ack", descr="User Ack", trigger_config="on-next-boot", sched_name="", policy_owner="local")
handle.add_mo(mo)
handle.commit()

#Create Power Policy
mo = PowerPolicy(parent_mo_or_dn=my_Full_Path_Org, fan_speed="any", policy_owner="local", name="No_Cap", prio="no-cap", descr="No Cap")
handle.add_mo(mo)
handle.commit()

#Create IP Pool
mo = IppoolPool(parent_mo_or_dn=my_Full_Path_Org, is_net_bios_enabled="disabled", name="ext_mgmt", descr="KVM", policy_owner="local", ext_managed="internal", supports_dhcp="disabled", assignment_order="sequential")
mo_1 = IppoolBlock(parent_mo_or_dn=mo, prim_dns=my_Primary_DNS, r_from=my_kvm_pool_first, def_gw=my_KVM_Gateway, sec_dns=my_Secondary_DNS, to=my_kvm_last_addr)
handle.add_mo(mo)
handle.commit()

#Create MAC Pools
mo = MacpoolPool(parent_mo_or_dn=my_Full_Path_Org, policy_owner="local", descr="Management FI-A", assignment_order="sequential", name="MGMT-A")
mo_1 = MacpoolBlock(parent_mo_or_dn=mo, to="00:25:B5:A0:00:0F", r_from="00:25:B5:A0:00:00")
handle.add_mo(mo)
handle.commit()

mo = MacpoolPool(parent_mo_or_dn=my_Full_Path_Org, policy_owner="local", descr="Management FI-B", assignment_order="sequential", name="MGMT-B")
mo_1 = MacpoolBlock(parent_mo_or_dn=mo, to="00:25:B5:B0:00:0F", r_from="00:25:B5:B0:00:00")
handle.add_mo(mo)
handle.commit()

mo = MacpoolPool(parent_mo_or_dn=my_Full_Path_Org, policy_owner="local", descr="Production FI-A", assignment_order="sequential", name="VM-A")
mo_1 = MacpoolBlock(parent_mo_or_dn=mo, to="00:25:B5:A1:00:0F", r_from="00:25:B5:A1:00:00")
handle.add_mo(mo)
handle.commit()

mo = MacpoolPool(parent_mo_or_dn=my_Full_Path_Org, policy_owner="local", descr="Production FI-B", assignment_order="sequential", name="VM-B")
mo_1 = MacpoolBlock(parent_mo_or_dn=mo, to="00:25:B5:B1:00:0F", r_from="00:25:B5:B1:00:00")
handle.add_mo(mo)
handle.commit()

if(iSCSI):
 mo = MacpoolPool(parent_mo_or_dn=my_Full_Path_Org, policy_owner="local", descr="iSCSI FI-A", assignment_order="sequential", name="iSCSI-A")
 mo_1 = MacpoolBlock(parent_mo_or_dn=mo, to="00:25:B5:A2:00:0F", r_from="00:25:B5:A2:00:00")
 handle.add_mo(mo)
 handle.commit()
 mo = MacpoolPool(parent_mo_or_dn=my_Full_Path_Org, policy_owner="local", descr="iSCSI FI-B", assignment_order="sequential", name="iSCSI-B")
 mo_1 = MacpoolBlock(parent_mo_or_dn=mo, to="00:25:B5:B3:00:0F", r_from="00:25:B5:B3:00:00")
 handle.add_mo(mo)
 handle.commit()
#End Create MAC Pools

#Create Network Control Policy
mo = NwctrlDefinition(parent_mo_or_dn=my_Full_Path_Org, lldp_transmit="disabled", name="CDP_EN", lldp_receive="disabled", mac_register_mode="only-native-vlan", policy_owner="local", cdp="enabled", uplink_fail_action="link-down", descr="CDP Enable")
mo_1 = DpsecMac(parent_mo_or_dn=mo, forge="allow", policy_owner="local", name="", descr="")
handle.add_mo(mo)
handle.commit()

#FC WWNN and WWPN Pools (all three belong inside the FC guard)
if FC:
    mo = FcpoolInitiators(parent_mo_or_dn=my_Full_Path_Org, name="WWNN_Pool", policy_owner="local", descr="WWNN Pool", assignment_order="sequential", purpose="node-wwn-assignment")
    mo_1 = FcpoolBlock(parent_mo_or_dn=mo, to="20:00:00:25:B5:A0:00:FF", r_from="20:00:00:25:B5:A0:00:00")
    handle.add_mo(mo)
    handle.commit()

    mo = FcpoolInitiators(parent_mo_or_dn=my_Full_Path_Org, name="WWPN_Pool-A", policy_owner="local", descr="WWPN Pool FI-A", assignment_order="sequential", purpose="port-wwn-assignment")
    mo_1 = FcpoolBlock(parent_mo_or_dn=mo, to="20:01:00:25:B5:A0:00:0F", r_from="20:01:00:25:B5:A0:00:00")
    handle.add_mo(mo)
    handle.commit()

    mo = FcpoolInitiators(parent_mo_or_dn=my_Full_Path_Org, name="WWPN_Pool-B", policy_owner="local", descr="WWPN Pool FI-B", assignment_order="sequential", purpose="port-wwn-assignment")
    mo_1 = FcpoolBlock(parent_mo_or_dn=mo, to="20:01:00:25:B5:B0:00:0F", r_from="20:01:00:25:B5:B0:00:00")
    handle.add_mo(mo)
    handle.commit()

#Create vNIC Templates
mo = VnicLanConnTempl(parent_mo_or_dn=my_Full_Path_Org, templ_type="updating-template", name="MGMT-A", descr="Management FI-A", stats_policy_name="default", admin_cdn_name="", switch_id="A", pin_to_group_name="", mtu="1500", policy_owner="local", qos_policy_name="", ident_pool_name="MGMT-A", cdn_source="vnic-name", nw_ctrl_policy_name="CDP_EN")
mo_1 = VnicEtherIf(parent_mo_or_dn=mo, default_net="yes", name="Mgmt")
mo_2 = VnicEtherIf(parent_mo_or_dn=mo, default_net="no", name="vMotion")
handle.add_mo(mo)
handle.commit()

mo = VnicLanConnTempl(parent_mo_or_dn=my_Full_Path_Org, templ_type="updating-template", name="MGMT-B", descr="Management FI-B", stats_policy_name="default", admin_cdn_name="", switch_id="B", pin_to_group_name="", mtu="1500", policy_owner="local", qos_policy_name="", ident_pool_name="MGMT-B", cdn_source="vnic-name", nw_ctrl_policy_name="CDP_EN")
mo_1 = VnicEtherIf(parent_mo_or_dn=mo, default_net="yes", name="Mgmt")
mo_2 = VnicEtherIf(parent_mo_or_dn=mo, default_net="no", name="vMotion")
handle.add_mo(mo)
handle.commit()

mo = VnicLanConnTempl(parent_mo_or_dn=my_Full_Path_Org, templ_type="updating-template", name="VM-A", descr="Production FI-A", stats_policy_name="default", admin_cdn_name="", switch_id="A", pin_to_group_name="", mtu="1500", policy_owner="local", qos_policy_name="", ident_pool_name="VM-A", cdn_source="vnic-name", nw_ctrl_policy_name="CDP_EN")
#Add one VnicEtherIf per VLAN that should pass to this vNIC (VLAN name as a string)
mo_1 = VnicEtherIf(parent_mo_or_dn=mo, default_net="no", name="Production")
handle.add_mo(mo)
handle.commit()

mo = VnicLanConnTempl(parent_mo_or_dn=my_Full_Path_Org, templ_type="updating-template", name="VM-B", descr="Production FI-B", stats_policy_name="default", admin_cdn_name="", switch_id="B", pin_to_group_name="", mtu="1500", policy_owner="local", qos_policy_name="", ident_pool_name="VM-B", cdn_source="vnic-name", nw_ctrl_policy_name="CDP_EN")
#Add one VnicEtherIf per VLAN that should pass to this vNIC (VLAN name as a string)
mo_1 = VnicEtherIf(parent_mo_or_dn=mo, default_net="no", name="Production")
handle.add_mo(mo)
handle.commit()

if iSCSI:
    #Create iSCSI-A VLAN on FI-A (ID 2550)
    mo = FabricVlan(parent_mo_or_dn="fabric/eth-estc/A", sharing="none", name="iSCSI-A", id="2550", mcast_policy_name="", policy_owner="local", default_net="no", pub_nw_name="", compression_type="included")
    handle.add_mo(mo)
    handle.commit()

    #Create iSCSI-B VLAN on FI-B (ID 2551)
    mo = FabricVlan(parent_mo_or_dn="fabric/eth-estc/B", sharing="none", name="iSCSI-B", id="2551", mcast_policy_name="", policy_owner="local", default_net="no", pub_nw_name="", compression_type="included")
    handle.add_mo(mo)
    handle.commit()

    #iSCSI vNIC templates, one per fabric, with the fabric's iSCSI VLAN as native
    mo = VnicLanConnTempl(parent_mo_or_dn=my_Full_Path_Org, templ_type="updating-template", name="iSCSI-A", descr="iSCSI FI-A", stats_policy_name="default", admin_cdn_name="", switch_id="A", pin_to_group_name="", mtu="1500", policy_owner="local", qos_policy_name="", ident_pool_name="iSCSI-A", cdn_source="vnic-name", nw_ctrl_policy_name="CDP_EN")
    mo_1 = VnicEtherIf(parent_mo_or_dn=mo, default_net="yes", name="iSCSI-A")
    handle.add_mo(mo)
    handle.commit()

    mo = VnicLanConnTempl(parent_mo_or_dn=my_Full_Path_Org, templ_type="updating-template", name="iSCSI-B", descr="iSCSI FI-B", stats_policy_name="default", admin_cdn_name="", switch_id="B", pin_to_group_name="", mtu="1500", policy_owner="local", qos_policy_name="", ident_pool_name="iSCSI-B", cdn_source="vnic-name", nw_ctrl_policy_name="CDP_EN")
    mo_1 = VnicEtherIf(parent_mo_or_dn=mo, default_net="yes", name="iSCSI-B")
    handle.add_mo(mo)
    handle.commit()

#Create Local Disk Conf Policy (any-configuration)
mo = StorageLocalDiskConfigPolicy(parent_mo_or_dn=my_Full_Path_Org, protect_config="yes", name="Local_Disk_CP", descr="Local Disk Configuration Policy Desc", flex_flash_raid_reporting_state="enable", flex_flash_state="enable", policy_owner="local", mode="any-configuration")
handle.add_mo(mo)
handle.commit()

#Create Boot Policy (boot from SD)
mo = LsbootPolicy(parent_mo_or_dn=my_Full_Path_Org, name="Boot_Policy", descr="Boot Policy Desc", reboot_on_update="no", policy_owner="local", enforce_vnic_name="yes", boot_mode="legacy")
mo_1 = LsbootVirtualMedia(parent_mo_or_dn=mo, access="read-write-drive", lun_id="0", mapping_name="", order="2")
mo_2 = LsbootStorage(parent_mo_or_dn=mo, order="1")
mo_2_1 = LsbootLocalStorage(parent_mo_or_dn=mo_2, )
mo_2_1_1 = LsbootUsbFlashStorageImage(parent_mo_or_dn=mo_2_1, order="1")
handle.add_mo(mo)
handle.commit()

#Create HBA Template
if(FC):
 mo = VnicSanConnTempl(parent_mo_or_dn=my_Full_Path_Org, templ_type="updating-template", name="fc-a", descr="", stats_policy_name="default", switch_id="A", pin_to_group_name="", policy_owner="local", qos_policy_name="", ident_pool_name="WWPN_Pool-A", max_data_field_size="2048")
 mo_1 = VnicFcIf(parent_mo_or_dn=mo, name="default")
 handle.add_mo(mo)
 handle.commit()

 mo = VnicSanConnTempl(parent_mo_or_dn=my_Full_Path_Org, templ_type="updating-template", name="fc-b", descr="", stats_policy_name="default", switch_id="B", pin_to_group_name="", policy_owner="local", qos_policy_name="", ident_pool_name="WWPN_Pool-B", max_data_field_size="2048")
 mo_1 = VnicFcIf(parent_mo_or_dn=mo, name="default")
 handle.add_mo(mo)
 handle.commit()

#Configuring Uplink ports
#FI-A Port-3
mo = FabricEthLanEp(parent_mo_or_dn="fabric/lan/A", eth_link_profile_name="default", name="", flow_ctrl_policy="default", admin_speed="10gbps", auto_negotiate="yes", usr_lbl="", slot_id="1", admin_state="enabled", port_id="3")
handle.add_mo(mo)
handle.commit()
#FI-A Port-4
mo = FabricEthLanEp(parent_mo_or_dn="fabric/lan/A", eth_link_profile_name="default", name="", flow_ctrl_policy="default", admin_speed="10gbps", auto_negotiate="yes", usr_lbl="", slot_id="1", admin_state="enabled", port_id="4")
handle.add_mo(mo)
handle.commit()
#FI-B Port-3
mo = FabricEthLanEp(parent_mo_or_dn="fabric/lan/B", eth_link_profile_name="default", name="", flow_ctrl_policy="default", admin_speed="10gbps", auto_negotiate="yes", usr_lbl="", slot_id="1", admin_state="enabled", port_id="3")
handle.add_mo(mo)
handle.commit()
#FI-B Port-4
mo = FabricEthLanEp(parent_mo_or_dn="fabric/lan/B", eth_link_profile_name="default", name="", flow_ctrl_policy="default", admin_speed="10gbps", auto_negotiate="yes", usr_lbl="", slot_id="1", admin_state="enabled", port_id="4")
handle.add_mo(mo)
handle.commit()
#Configure Port Channels
#PC-50 with FI-A P3 and FI-A P4
mo = FabricEthLanPc(parent_mo_or_dn="fabric/lan/A", name="PC-50", descr="", flow_ctrl_policy="default", admin_speed="10gbps", auto_negotiate="yes", admin_state="enabled", oper_speed="10gbps", port_id="50", lacp_policy_name="default")
mo_1 = FabricEthLanPcEp(parent_mo_or_dn=mo, eth_link_profile_name="default", name="", auto_negotiate="yes", slot_id="1", admin_state="enabled", port_id="3")
mo_2 = FabricEthLanPcEp(parent_mo_or_dn=mo, eth_link_profile_name="default", name="", auto_negotiate="yes", slot_id="1", admin_state="enabled", port_id="4")
handle.add_mo(mo)
handle.commit()
#PC-51 with FI-B P3 and FI-B P4
mo = FabricEthLanPc(parent_mo_or_dn="fabric/lan/B", name="PC-51", descr="", flow_ctrl_policy="default", admin_speed="10gbps", auto_negotiate="yes", admin_state="enabled", oper_speed="10gbps", port_id="51", lacp_policy_name="default")
mo_1 = FabricEthLanPcEp(parent_mo_or_dn=mo, eth_link_profile_name="default", name="", auto_negotiate="yes", slot_id="1", admin_state="enabled", port_id="3")
mo_2 = FabricEthLanPcEp(parent_mo_or_dn=mo, eth_link_profile_name="default", name="", auto_negotiate="yes", slot_id="1", admin_state="enabled", port_id="4")
handle.add_mo(mo)
handle.commit()

#Create Service Profile Template
#The template is created under the org read from the workbook and references
#the pools/policies built above.  ext_ip_state="none" means no management IP
#is taken from the KVM pool; set it to "pooled" to use the workbook's range.
if (FC and not iSCSI):
 mo = LsServer(parent_mo_or_dn=my_Full_Path_Org, vmedia_policy_name="", ext_ip_state="none", bios_profile_name="", mgmt_fw_policy_name="", agent_policy_name="", mgmt_access_policy_name="", dynamic_con_policy_name="", kvm_mgmt_policy_name="", sol_policy_name="", uuid="0", descr="SPT Description", stats_policy_name="default", policy_owner="local", ext_ip_pool_name="ext_mgmt", boot_policy_name="Boot_Policy", usr_lbl="", host_fw_policy_name="", vcon_profile_name="", ident_pool_name="UUID_POOL", src_templ_name="", type="initial-template", local_disk_policy_name="Local_Disk_CP", scrub_policy_name="", power_policy_name="No_Cap", maint_policy_name="User_Ack", name=my_SPT, resolve_remote="yes")
 mo_1 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="1", transport="ethernet", vnic_name="MGMT-A")
 mo_2 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="2", transport="ethernet", vnic_name="MGMT-B")
 mo_3 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="3", transport="ethernet", vnic_name="VM-A")
 mo_4 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="4", transport="ethernet", vnic_name="VM-B")
 mo_5 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="5", transport="fc", vnic_name="fc-a")
 mo_6 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="6", transport="fc", vnic_name="fc-b")
 mo_7 = VnicEther(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", nw_ctrl_policy_name="", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="A", pin_to_group_name="", name="MGMT-A", order="1", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", mtu="1500", nw_templ_name="MGMT-A", addr="derived")
 mo_8 = VnicEther(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", nw_ctrl_policy_name="", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="B", pin_to_group_name="", name="MGMT-B", order="2", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", mtu="1500", nw_templ_name="MGMT-B", addr="derived")
 mo_9 = VnicEther(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", nw_ctrl_policy_name="", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="A", pin_to_group_name="", name="VM-A", order="3", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", mtu="1500", nw_templ_name="VM-A", addr="derived")
 mo_10 = VnicEther(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", nw_ctrl_policy_name="", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="B", pin_to_group_name="", name="VM-B", order="4", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", mtu="1500", nw_templ_name="VM-B", addr="derived")
 mo_11 = VnicFc(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", addr="derived", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="A", pin_to_group_name="", pers_bind="disabled", order="5", pers_bind_clear="no", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", max_data_field_size="2048", nw_templ_name="fc-a", name="fc-a")
 mo_11_1 = VnicFcIf(parent_mo_or_dn=mo_11, name="")
 mo_12 = VnicFc(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", addr="derived", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="B", pin_to_group_name="", pers_bind="disabled", order="6", pers_bind_clear="no", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", max_data_field_size="2048", nw_templ_name="fc-b", name="fc-b")
 mo_12_1 = VnicFcIf(parent_mo_or_dn=mo_12, name="")
 mo_13 = VnicFcNode(parent_mo_or_dn=mo, ident_pool_name="WWNN_Pool", addr="pool-derived")
 mo_14 = LsRequirement(parent_mo_or_dn=mo, restrict_migration="no", name="Server_Pool", qualifier="")
 mo_15 = LsPower(parent_mo_or_dn=mo, state="admin-up")
 mo_16 = FabricVCon(parent_mo_or_dn=mo, placement="physical", fabric="NONE", share="shared", select="all", transport="ethernet,fc", id="1", inst_type="auto")
 mo_17 = FabricVCon(parent_mo_or_dn=mo, placement="physical", fabric="NONE", share="shared", select="all", transport="ethernet,fc", id="2", inst_type="auto")
 mo_18 = FabricVCon(parent_mo_or_dn=mo, placement="physical", fabric="NONE", share="shared", select="all", transport="ethernet,fc", id="3", inst_type="auto")
 mo_19 = FabricVCon(parent_mo_or_dn=mo, placement="physical", fabric="NONE", share="shared", select="all", transport="ethernet,fc", id="4", inst_type="auto")
 handle.add_mo(mo)
 handle.commit()

if(iSCSI and not FC):
 mo = LsServer(parent_mo_or_dn=my_Full_Path_Org, vmedia_policy_name="", ext_ip_state="none", bios_profile_name="", mgmt_fw_policy_name="", agent_policy_name="", mgmt_access_policy_name="", dynamic_con_policy_name="", kvm_mgmt_policy_name="", sol_policy_name="", uuid="0", descr="SPT Desc", stats_policy_name="default", policy_owner="local", ext_ip_pool_name="ext_mgmt", boot_policy_name="Boot_Policy", usr_lbl="", host_fw_policy_name="", vcon_profile_name="", ident_pool_name="UUID_POOL", src_templ_name="", type="updating-template", local_disk_policy_name="Local_Disk_CP", scrub_policy_name="", power_policy_name="No_Cap", maint_policy_name="User_Ack", name=my_SPT, resolve_remote="yes")
 mo_1 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="1", transport="ethernet", vnic_name="MGMT-A")
 mo_2 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="2", transport="ethernet", vnic_name="MGMT-B")
 mo_3 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="3", transport="ethernet", vnic_name="VM-A")
 mo_4 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="4", transport="ethernet", vnic_name="VM-B")
 mo_5 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="5", transport="ethernet", vnic_name="iSCSI-A")
 mo_6 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="6", transport="ethernet", vnic_name="iSCSI-B")
 mo_7 = VnicEther(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", nw_ctrl_policy_name="", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="A", pin_to_group_name="", name="MGMT-A", order="1", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", mtu="1500", nw_templ_name="MGMT-A", addr="derived")
 mo_8 = VnicEther(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", nw_ctrl_policy_name="", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="B", pin_to_group_name="", name="MGMT-B", order="2", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", mtu="1500", nw_templ_name="MGMT-B", addr="derived")
 mo_9 = VnicEther(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", nw_ctrl_policy_name="", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="A", pin_to_group_name="", name="VM-A", order="3", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", mtu="1500", nw_templ_name="VM-A", addr="derived")
 mo_10 = VnicEther(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", nw_ctrl_policy_name="", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="B", pin_to_group_name="", name="VM-B", order="4", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", mtu="1500", nw_templ_name="VM-B", addr="derived")
 mo_11 = VnicEther(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", nw_ctrl_policy_name="", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="A", pin_to_group_name="", name="iSCSI-A", order="5", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", mtu="1500", nw_templ_name="iSCSI-A", addr="derived")
 mo_12 = VnicEther(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", nw_ctrl_policy_name="", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="B", pin_to_group_name="", name="iSCSI-B", order="6", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", mtu="1500", nw_templ_name="iSCSI-B", addr="derived")
 mo_13 = VnicFcNode(parent_mo_or_dn=mo, ident_pool_name="node-default", addr="pool-derived")
 mo_14 = LsRequirement(parent_mo_or_dn=mo, restrict_migration="no", name="Server_Pool", qualifier="")
 mo_15 = LsPower(parent_mo_or_dn=mo, state="admin-up")
 mo_16 = FabricVCon(parent_mo_or_dn=mo, placement="physical", fabric="NONE", share="shared", select="all", transport="ethernet,fc", id="1", inst_type="auto")
 mo_17 = FabricVCon(parent_mo_or_dn=mo, placement="physical", fabric="NONE", share="shared", select="all", transport="ethernet,fc", id="2", inst_type="auto")
 mo_18 = FabricVCon(parent_mo_or_dn=mo, placement="physical", fabric="NONE", share="shared", select="all", transport="ethernet,fc", id="3", inst_type="auto")
 mo_19 = FabricVCon(parent_mo_or_dn=mo, placement="physical", fabric="NONE", share="shared", select="all", transport="ethernet,fc", id="4", inst_type="auto")
 handle.add_mo(mo)
 handle.commit()

if(iSCSI and FC):
 mo = LsServer(parent_mo_or_dn="org-root/org-Test_Org", vmedia_policy_name="", ext_ip_state="none", bios_profile_name="", mgmt_fw_policy_name="", agent_policy_name="", mgmt_access_policy_name="", dynamic_con_policy_name="", kvm_mgmt_policy_name="", sol_policy_name="", uuid="0", descr="SPT Description", stats_policy_name="default", policy_owner="local", ext_ip_pool_name="ext-mgmt", boot_policy_name="Boot_Policy", usr_lbl="", host_fw_policy_name="", vcon_profile_name="", ident_pool_name="UUID_POOL", src_templ_name="", type="updating-template", local_disk_policy_name="Local_Disk_CP", scrub_policy_name="", power_policy_name="default", maint_policy_name="User_Ack", name=my_SPT, resolve_remote="yes")
 mo_1 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="1", transport="ethernet", vnic_name="MGMT-A")
 mo_2 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="2", transport="ethernet", vnic_name="MGMT-B")
 mo_3 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="3", transport="ethernet", vnic_name="VM-A")
 mo_4 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="4", transport="ethernet", vnic_name="VM-B")
 mo_5 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="5", transport="ethernet", vnic_name="iSCSI-A")
 mo_6 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="6", transport="ethernet", vnic_name="iSCSI-B")
 mo_7 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="7", transport="fc", vnic_name="fc-a")
 mo_8 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="8", transport="fc", vnic_name="fc-b")
 mo_9 = VnicEther(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", nw_ctrl_policy_name="", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="A", pin_to_group_name="", name="MGMT-A", order="1", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", mtu="1500", nw_templ_name="MGMT-A", addr="derived")
 mo_10 = VnicEther(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", nw_ctrl_policy_name="", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="B", pin_to_group_name="", name="MGMT-B", order="2", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", mtu="1500", nw_templ_name="MGMT-B", addr="derived")
 mo_11 = VnicEther(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", nw_ctrl_policy_name="", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="A", pin_to_group_name="", name="VM-A", order="3", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", mtu="1500", nw_templ_name="VM-A", addr="derived")
 mo_12 = VnicEther(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", nw_ctrl_policy_name="", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="B", pin_to_group_name="", name="VM-B", order="4", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", mtu="1500", nw_templ_name="VM-B", addr="derived")
 mo_13 = VnicEther(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", nw_ctrl_policy_name="", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="A", pin_to_group_name="", name="iSCSI-A", order="5", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", mtu="1500", nw_templ_name="iSCSI-A", addr="derived")
 mo_14 = VnicEther(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", nw_ctrl_policy_name="", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="B", pin_to_group_name="", name="iSCSI-B", order="6", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", mtu="1500", nw_templ_name="iSCSI-B", addr="derived")
 mo_15 = VnicFc(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", addr="derived", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="A", pin_to_group_name="", pers_bind="disabled", order="7", pers_bind_clear="no", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", max_data_field_size="2048", nw_templ_name="fc-a", name="fc-a")
 mo_15_1 = VnicFcIf(parent_mo_or_dn=mo_15, name="")
 mo_16 = VnicFc(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", addr="derived", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="B", pin_to_group_name="", pers_bind="disabled", order="8", pers_bind_clear="no", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", max_data_field_size="2048", nw_templ_name="fc-b", name="fc-b")
 mo_16_1 = VnicFcIf(parent_mo_or_dn=mo_16, name="")
 mo_17 = VnicFcNode(parent_mo_or_dn=mo, ident_pool_name="WWNN_Pool", addr="pool-derived")
 mo_18 = LsRequirement(parent_mo_or_dn=mo, restrict_migration="no", name="Server_Pool", qualifier="")
 mo_19 = LsPower(parent_mo_or_dn=mo, state="admin-up")
 mo_20 = FabricVCon(parent_mo_or_dn=mo, placement="physical", fabric="NONE", share="shared", select="all", transport="ethernet,fc", id="1", inst_type="auto")
 mo_21 = FabricVCon(parent_mo_or_dn=mo, placement="physical", fabric="NONE", share="shared", select="all", transport="ethernet,fc", id="2", inst_type="auto")
 mo_22 = FabricVCon(parent_mo_or_dn=mo, placement="physical", fabric="NONE", share="shared", select="all", transport="ethernet,fc", id="3", inst_type="auto")
 mo_23 = FabricVCon(parent_mo_or_dn=mo, placement="physical", fabric="NONE", share="shared", select="all", transport="ethernet,fc", id="4", inst_type="auto")
 handle.add_mo(mo)
 handle.commit()

# Logout after script is executed
handle.logout()
my_file.close()
By the way, there is another script “clean-ucs.py” that will undo whatever the configuration script does, in case that you need to go back and forth with it.

Monday, June 11, 2018

Cisco Nexus Switching NX-OS Basic Commands Cheat Sheet

Some hands-on basic Cisco commands to practice for the CCNA (DCICN) Data Center exam (640-911). This post shares a series of Cisco commands that network engineers use in day-to-day operations to meet networking requirements.


1. To delete the startup configuration
Switch#write erase boot
Switch#reload
2. To enter global configuration mode
Switch#config
Switch(config)#
3. How to save the configuration
Switch#copy running-config startup-config
or
Switch#copy run start
4. Set the hostname
Switch#config t
Switch(config)#hostname switchA
5. Setting up the management ip address and description
switchA#config t
switchA(config)#int mgmt0
switchA(config-if)#ip address 10.10.10.2 255.255.255.0
switchA(config-if)#description management address
switchA(config-if)#end
switchA#
6. Creating VLANs
switchA#config t
switchA(config)#vlan 10
switchA(config-vlan)#name meaningful-name
switchA(config-vlan)#exit
switchA(config)#
7. Assign an interface to a VLAN
switchA#config t
switchA(config)#int e3/1
switchA(config-if)#switchport
switchA(config-if)#switchport mode access
switchA(config-if)#switchport access vlan 10
switchA(config-if)#end
switchA#
8. RIP
Nexus7k(config)# feature rip
Nexus7k(config)# router rip RodzRIP
Nexus7k(config-router)# address-family ?
ipv4 Configure IPv4 address-family
ipv6 Configure IPv6 address-family
Nexus7k(config-router)# address-family ipv4 unicast
Nexus7k(config-router-af)# int e3/1 - 2
Nexus7k(config-if-range)# ip router rip RodzRIP
9. EIGRP
Nexus7k(config)# feature eigrp
Nexus7k(config)# router eigrp RodzEIGRP
Nexus7k(config-router)# au?
authentication autonomous-system
Nexus7k(config-router)# autonomous-system ?
<1-65535> Local AS number
Nexus7k(config-router)# autonomous-system 100
Nexus7k(config-router)# int e3/1 - 2
Nexus7k(config-if-range)# ip router eigrp RodzEIGRP
10. OSPF
Nexus7k(config)# feature ospf
Nexus7k(config)# router ospf JRVOSPF
Nexus7k(config-router)# int e3/1 - 2
Nexus7k(config-if-range)# ip router ospf JRVOSPF area 0
11. Configure ports for routing, for example ports e3/1 and e3/2
Nexus7(config)# int e3/1
Nexus7(config-if)# no switchport
Nexus7(config-if)# ip address 172.16.10.1/24
Nexus7(config-if)# no shutdown
Nexus7(config-if)# int e3/2
Nexus7(config-if)# no switchport
Nexus7(config-if)# ip address 172.16.20.1/24
Nexus7(config-if)# no shutdown
12. Configure a static route to remote network 192.168.10.0/24
Switch#conf t
Switch(config)#ip route 192.168.10.0/24 e3/1 172.16.10.2
13. VLAN trunk
Switch#conf t
Switch(config)#int e3/28
Switch(config-if)#switchport
Switch(config-if)#switchport mode trunk
Switch(config-if)#switchport trunk allowed vlan add 10
Switch(config-if)#switchport trunk allowed vlan remove 10
Switch(config-if)#end
14. Changing the native VLAN
Switch#conf t
Switch(config)#int e3/28
Switch(config-if)#switchport
Switch(config-if)#switchport mode trunk
Switch(config-if)#switchport trunk native vlan 660
15. Configuring VTP
Switch#conf t
Switch(config)#feature vtp
Switch(config)#vtp mode server
Switch(config)#vtp domain <domain-name>
Switch(config)#vtp password <password>
Switch(config)#vtp version 2
Switch(config)#vtp pruning
Switch(config)#sh vtp status
16. Configuring Inter-VLAN Routing
feature interface-vlan
interface vlan 10
ip address 172.16.10.1/24
int vlan 20
ip address 172.16.20.1/24
int vlan 30
ip address 172.16.30.1/24
17. STP
show spanning-tree
conf t
spanning-tree vlan 1 priority 4096 (multiples of 4096 up to 61440)
int e3/40-44
spanning-tree port type edge (for hosts)
int e3/45-48
spanning-tree port type network (for inter switch links)
18. Set a switch as root bridge
spanning-tree vlan 1 root primary
19. Port-channels
interface port-channel 1
int e3/31-38
switchport
switchport mode trunk
channel-group 1 mode on
channel-group 1 force mode on
20. Show the forward/filter table
show mac address-table
21. Show the STP root bridge for a VLAN
sh spanning-tree
sh spanning-tree vlan <vlan#>
22. Configure a switch port to not transition through STP
spanning-tree port type edge
23. Show port channel
sh interface port-channel number
24. ACL: to deny access to host 172.16.50.5 for telnet and ftp:
access-list 110 deny tcp any host 172.16.50.5 eq 21
access-list 110 deny tcp any host 172.16.50.5 eq 23
access-list 110 permit ip any any
int e3/1
ip access-group 110 out
25. Named ACL
ip access-list Deny_FTP
deny tcp any host 10.10.10.10 eq ftp
permit ip any any
int e3/2
ip access-group Deny_FTP out
sh access-lists
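As an added example (not part of the original cheat sheet), a small Python evaluator for the two ACLs in items 24 and 25 that applies first-match semantics and the implicit "deny ip any any" every ACL ends with; the port-name table and the test packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example (not from the cheat sheet): first-match evaluator for the ACLs
# in items 24 and 25, including the implicit "deny ip any any" at the end.

PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "http": 80, "https": 443}

@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None matches any destination port

def _addr(tok, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D/len' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(tok[i], strict=False), i + 1

def parse_ace(line):
    """Accept both the numbered form ('access-list 110 ...') and a named-ACL entry."""
    tok = line.split()
    if tok[0] == "access-list":
        tok = tok[2:]            # drop "access-list 110"
    src, i = _addr(tok, 2)
    dst, i = _addr(tok, i)
    dport = None
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        dport = PORT_NAMES[p] if p in PORT_NAMES else int(p)
    return Ace(tok[0], tok[1], src, dst, dport)

def evaluate(acl, proto, src, dst, dport):
    """First matching entry wins; with no match the implicit deny applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.proto in ("ip", proto) and s in ace.src and d in ace.dst \
                and (ace.dport is None or ace.dport == dport):
            return ace.action
    return "deny"

# The two ACLs from items 24 and 25, parsed exactly as written in the cheat sheet.
ACL_110 = [parse_ace(l) for l in [
    "access-list 110 deny tcp any host 172.16.50.5 eq 21",
    "access-list 110 deny tcp any host 172.16.50.5 eq 23",
    "access-list 110 permit ip any any"]]
DENY_FTP = [parse_ace(l) for l in [
    "deny tcp any host 10.10.10.10 eq ftp",
    "permit ip any any"]]
```

Note that a UDP packet to port 21 on 172.16.50.5 is permitted by ACL 110 because the deny entries only match TCP, which is why the evaluator checks the protocol before the ports.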
26. Configure Session
config session <session name>
....
verify
commit
27. Object Groups
object-group ip address <name>
10.0.0.0/8
172.16.0.0/12
192.168.0.0/24
show object-group <name>
10 10.0.0.0/8
20 172.16.0.0/12
30 192.168.0.0/24
Nexus7(config)# object-group ip port Permit_Ports
Nexus7(config-port-ogroup)# range 2011 2099
Nexus7(config-port-ogroup)# eq 31156
Nexus7(config-port-ogroup)# gt 32655
Nexus7(config-port-ogroup)# show object-group Permit_Ports
Protocol port object-group Permit_Ports
        10 range 2011 - 2099

Friday, April 20, 2018

Virtual Tunnel Interface – Cisco ASA


About Virtual Tunnel Interfaces
The ASA supports a logical interface called Virtual Tunnel Interface (VTI). As an alternative to policy based VPN, a VPN tunnel can be created between peers with Virtual Tunnel Interfaces configured. This supports route based VPN with IPsec profiles attached to the end of each tunnel. This allows dynamic or static routes to be used. Egressing traffic from the VTI is encrypted and sent to the peer, and the associated SA decrypts the ingress traffic to the VTI.
Using VTI does away with the requirement of configuring static crypto map access lists and mapping them to interfaces. You no longer have to track all remote subnets and include them in the crypto map access list. Deployments become easier, and having static VTI which supports route based VPN with dynamic routing protocol also satisfies many requirements of a virtual private cloud.
Guidelines for Virtual Tunnel Interfaces
IPv6
  • IPv6 is not supported.
General Configuration Guidelines
  • You can use dynamic or static routes for traffic using the tunnel interface.
  • The MTU for VTIs is automatically set, according to the underlying physical interface.
  • VTI supports IKEv1 and uses IPsec for sending and receiving data between the tunnel's source and destination.
  • If Network Address Translation has to be applied, the IKE and ESP packets will be encapsulated in the UDP header.
  • IKE and IPsec security associations will be re-keyed continuously regardless of data traffic in the tunnel. This ensures that VTI tunnels are always up.
  • Tunnel group name must match what the peer will send as its IKEv1 identity.
  • For IKEv1 in LAN-to-LAN tunnel groups, you can use names which are not IP addresses, if the tunnel authentication method is digital certificates and/or the peer is configured to use aggressive mode.
  • VTI and crypto map configurations can co-exist on the same physical interface, provided the peer address configured in the crypto map and the tunnel destination for the VTI are different.
  • By default, all traffic through VTI is encrypted.
  • There are no security level configurations for VTI interfaces.
  • Access list can be applied on a VTI interface to control traffic through VTI.
  • Only BGP is supported over VTI.
Context Mode
Supported in single mode only.
Firewall Mode
Supported in routed mode only.
Create a VTI Tunnel
To configure a VTI tunnel, create an IPsec proposal (transform set). You will need to create an IPsec profile that references the IPsec proposal, followed by a VTI interface with the IPsec profile. Configure the remote peer with identical IPsec proposal and IPsec profile parameters. SA negotiation will start when all tunnel parameters are configured.
Note

For the ASA which is a part of both the VPN VTI domains, and has BGP adjacency on the physical interface:
When a state change is triggered due to the interface health check, the routes in the physical interface will be deleted until BGP adjacency is re-established with the new active peer. This behavior does not apply to logical VTI interfaces.

Procedure

Step 1  
Add an IPsec Proposal (Transform Sets).
Step 2  
Add an IPsec Profile.
Step 3  
Add a VTI Tunnel.

Add an IPsec Proposal (Transform Sets)
A transform set is required to secure traffic in a VTI tunnel. Used as a part of the IPsec profile, it is a set of security protocols and algorithms that protects the traffic in the VPN.
Before You Begin
  • You can use either a pre-shared key or certificates for authenticating the IKEv1 session associated with a VTI. You must configure the pre-shared key under the tunnel group used for the VTI.
  • For certificate-based authentication using IKEv1, you must specify the trustpoint to be used at the initiator. For the responder, you must configure the trustpoint in the tunnel-group command.
Procedure
To add an IKEv1 transform set that defines how to protect the traffic, enter the following command:
crypto ipsec ikev1 transform-set transform-set-name encryption [authentication]


Example:
ciscoasa(config)#crypto ipsec ikev1 transform-set SET1 esp-aes esp-sha-hmac
Encryption specifies which encryption method protects IPsec data flows:
  • esp-aes—Uses AES with a 128-bit key.
  • esp-aes-192—Uses AES with a 192-bit key.
  • esp-aes-256—Uses AES with a 256-bit key.
  • esp-des—Uses 56-bit DES-CBC.
  • esp-3des—Uses triple DES algorithm.
  • esp-null—No encryption.
Authentication specifies which hash (HMAC) method authenticates IPsec data flows:
  • esp-md5-hmac—Uses the MD5/HMAC-128 as the hash algorithm.
  • esp-sha-hmac—Uses the SHA/HMAC-160 as the hash algorithm.
  • esp-none—No HMAC authentication.
Add an IPsec Profile
An IPsec profile contains the required security protocols and algorithms in the IPsec proposal or transform set that it references. This ensures a secure, logical communication path between two site-to-site VTI VPN peers.
Procedure

Step 1  
Set a name for the profile:
crypto ipsec profile name


Example:
ciscoasa(config)#crypto ipsec profile PROFILE1
Step 2  
Set the IKEv1 proposal. Enter the following command in the crypto ipsec profile command sub-mode:
set ikev1 transform-set set_name
In this example, SET1 is the IKEv1 proposal set created previously.
ciscoasa(config-ipsec-profile)#set ikev1 transform-set SET1
Step 3  
(Optional) Specify the duration of the security association:
set security-association lifetime {seconds number | kilobytes {number | unlimited}}


Example:
ciscoasa(config-ipsec-profile)#set security-association lifetime seconds 120 kilobytes 10000
Step 4  
(Optional) Configure the end of the VTI tunnel to act only as a responder:
responder-only
  • You can configure one end of the VTI tunnel to perform only as a responder. The responder-only end will not initiate the tunnel or rekeying.
Step 5  
(Optional) Specify the PFS group. Perfect Forward Secrecy (PFS) generates a unique session key for each encrypted exchange. This unique session key protects the exchange from subsequent decryption. To configure PFS, you have to select the Diffie-Hellman key derivation algorithm to use when generating the PFS session key. The key derivation algorithms generate IPsec security association (SA) keys. Each group has a different size modulus. A larger modulus provides higher security, but requires more processing time. You must have matching Diffie-Hellman groups on both peers.
set pfs {group1 | group2 | group5}


Example:
ciscoasa(config-ipsec-profile)#set pfs group2

Add a VTI Interface
To create a new VTI interface and establish a VTI tunnel, perform the following steps:
Note

Implement IP SLA to ensure that the tunnel remains up when a router in the active tunnel is unavailable. See Configure Static Route Tracking in the ASA General Operations Configuration Guide at http://www.cisco.com/go/asa-config.

Procedure

Step 1  
Create a new tunnel interface:
interface tunnel tunnel_interface_number


Example:
ciscoasa(config)#interface tunnel 100
Specify a tunnel ID, from a range of 0 to 100. Up to 100 VTI interfaces are supported.
Note   
If you will be migrating configurations from other devices to ASA 5506 devices, use the tunnel ID range of 1 - 100. This is to ensure compatibility of the tunnel range of 1 - 100 available in ASA 5506 devices.
Step 2  
Enter the name of the VTI interface.
Enter the following command in the interface tunnel command submode:
nameif interface name


Example:
ciscoasa(config-if)#nameif vti
Step 3  
Enter the IP address of the VTI interface.
ip address IP_address mask


Example:
ciscoasa(config-if)#ip address 192.168.1.10 255.255.255.254
Step 4  
Specify the tunnel source interface.
tunnel source interface interface_name


Example:
ciscoasa(config-if)#tunnel source interface outside
Step 5  
Specify the tunnel destination IP address.
tunnel destination IP_address


Example:
ciscoasa(config-if)#tunnel destination 10.1.1.1
Step 6  
Configure the tunnel with tunnel mode IPsec IPv4.
tunnel mode ipsec ipv4


Example:
ciscoasa(config-if)#tunnel mode ipsec ipv4
Step 7  
Assign the IPsec profile to tunnel.
tunnel protection ipsec IPsec profile


Example:
ciscoasa(config-if)#tunnel protection ipsec Profile1
This new VTI can be used to create an IPsec site-to-site VPN.
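As an added example (not Cisco's code and not part of the original post), a small Python auditor for the three pieces configured above: it parses the transform set, IPsec profile and tunnel interface commands, flags the weak algorithm and PFS choices from the lists above, and cross-checks two peers for the "identical parameters" requirement. The two peer configurations are constructed; PEER_B is deliberately weakened so every check has something to report.

```python
import re

# Added example, not Cisco's code: audits the ASA VTI commands walked through above
# (transform set -> IPsec profile -> tunnel interface). Algorithm and PFS group names
# are the ones listed in the post; the two peer configurations below are constructed.

WEAK_ALGS = {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac", "esp-none"}
WEAK_PFS = {"group1", "group2"}

def parse_asa(text):
    """Collect transform sets, IPsec profiles and tunnel interfaces from a config fragment."""
    cfg, block = {"tsets": {}, "profiles": {}, "tunnels": {}}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        tok = line.split()
        if line.startswith("crypto ipsec ikev1 transform-set "):
            cfg["tsets"][tok[4]], block = tok[5:], None   # name -> [encryption, auth]
        elif line.startswith("crypto ipsec profile "):
            block = cfg["profiles"].setdefault(tok[3], {})
        elif re.match(r"interface tunnel \d+$", line, re.I):
            block = cfg["tunnels"].setdefault(tok[-1], {})
        elif block is not None:
            block[" ".join(tok[:-1])] = tok[-1]     # e.g. "set pfs" -> "group2"
    return cfg

def audit(cfg):
    """Per-peer findings: weak algorithms, weak or missing PFS, dangling references."""
    out = []
    for name, algs in cfg["tsets"].items():
        out += [f"transform-set {name}: weak {a}" for a in algs if a in WEAK_ALGS]
    for name, p in cfg["profiles"].items():
        if p.get("set ikev1 transform-set") not in cfg["tsets"]:
            out.append(f"profile {name}: transform-set not defined")
        if p.get("set pfs", "missing") in WEAK_PFS | {"missing"}:
            out.append(f"profile {name}: PFS {p.get('set pfs', 'missing')}")
    for tid, t in cfg["tunnels"].items():
        if t.get("tunnel protection ipsec") not in cfg["profiles"]:
            out.append(f"tunnel {tid}: IPsec profile not defined")
    return out

def peer_mismatches(a, b, a_ip, b_ip):
    """Cross-check two peers (the post requires identical proposal/profile parameters);
    a_ip and b_ip are the tunnel source addresses the other side's destination must match."""
    ta, tb = next(iter(a["tunnels"].values())), next(iter(b["tunnels"].values()))
    pa = a["profiles"].get(ta.get("tunnel protection ipsec"), {})
    pb = b["profiles"].get(tb.get("tunnel protection ipsec"), {})
    out = []
    if ta.get("tunnel destination") != b_ip or tb.get("tunnel destination") != a_ip:
        out.append("tunnel destinations do not point at each other")
    if a["tsets"].get(pa.get("set ikev1 transform-set")) != b["tsets"].get(pb.get("set ikev1 transform-set")):
        out.append("transform-set algorithms differ")
    if pa.get("set pfs") != pb.get("set pfs"):
        out.append("PFS group differs")
    return out

# Constructed peers: PEER_A mirrors the post's examples; PEER_B uses DES/MD5 and group5.
PEER_A = """
crypto ipsec ikev1 transform-set SET1 esp-aes esp-sha-hmac
crypto ipsec profile PROFILE1
 set ikev1 transform-set SET1
 set pfs group2
interface tunnel 100
 nameif vti
 ip address 192.168.1.10 255.255.255.254
 tunnel source interface outside
 tunnel destination 10.1.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec PROFILE1
"""
PEER_B = (PEER_A.replace("esp-aes esp-sha-hmac", "esp-des esp-md5-hmac")
          .replace("group2", "group5").replace("10.1.1.1", "10.1.1.2"))
```

Run `audit(parse_asa(PEER_A))` to see that even the post's own example is reported for PFS group2, and `peer_mismatches(parse_asa(PEER_A), parse_asa(PEER_B), "10.1.1.2", "10.1.1.1")` to see the transform-set and PFS mismatch that would stop SA negotiation.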

