NETWORK CONFIGURATION By FONYUY Boris Lami
WIICOM SARL
Table of Contents
1 Introduction (p. 1)
2 Main prerequisites for configuration (p. 1)
3 Resetting MikroTik Router (p. 1)
  3.1 Method 1 (p. 2)
  3.2 Method 2 (p. 2)
  3.3 Method 3 (p. 2)
  3.4 Method 4 (p. 3)
4 First Login (p. 3)
5 Protecting the Router (p. 3)
  5.1 User Password Access and IP connectivity access (p. 3)
    5.1.1 User with full access (p. 4)
    5.1.2 User with read only privileges (p. 4)
    5.1.3 Remove default admin user for security measures (p. 4)
  5.2 MAC Connectivity Access (p. 4)
  5.3 Administrative Services (p. 5)
6 Upgrade the MikroTik OS (p. 7)
7 General Configurations (p. 8)
  7.1 Naming a router (p. 8)
  7.2 Setting router loopback (p. 8)
  7.3 Renaming an interface (p. 8)
  7.4 Setting IPv4 addresses for router interfaces (p. 9)
  7.5 OSPF (p. 11)
  7.6 MPLS (p. 13)
  7.7 DHCP (p. 13)
  7.8 NAT (p. 14)
8 Yaounde Region (p. 14)
  8.1 Telephony Network (p. 14)
    8.1.1 PE-Internet (p. 14)
    8.1.2 PE-Ngoa-Ekelle-Tel (p. 15)
    8.1.3 PYaounde (p. 15)
    8.1.4 PE-Data-Center-1 (p. 15)
    8.1.5 PE-Mbankolo-Tel (p. 16)
    8.1.6 PE-Soa-Tel (p. 16)
    8.1.7 PE-Petit-marche-Tel (p. 17)
    8.1.8 PE-Data-Center-Siege (p. 17)
    8.1.9 PE-Siege (p. 17)
    8.1.10 PE-Internet-Siege (p. 18)
    8.1.11 CE-Monitoring-Telephonie (p. 18)
    8.1.12 CE-Siege-Telephonie (p. 18)
    8.1.13 Connectique Network (p. 19)
    8.1.14 Telephone and Connectique network (p. 20)
9 Conclusion (p. 21)

List of Figures
Figure 1: Telephony Network (p. 19)
Figure 2: Connectique Network (p. 20)
Figure 3: Telephony and Connectique Network (p. 21)
1 Introduction
This document presents the proposed configurations for the telephone and “connectique” network of WIICOM SARL. Before configuring each router, we will reset it to remove all previous configurations, remove the unnecessary default configurations and upgrade the router OS, then proceed to the proper configuration of the telephone and “connectique” network.
2 Main prerequisites for configuration
o A PC with an OS and Winbox. Download Winbox 3.23 from https://download.mikrotik.com/winbox/3.23/winbox64.exe (64-bit) or https://download.mikrotik.com/winbox/3.23/winbox32.exe (32-bit); 3.23 is the most recent version available at the time of this document. To avoid functional limitations, make sure you are using the most recent stable version of Winbox, which is 3.23 for both the 64-bit and 32-bit versions.
o The MikroTik router(s) to be configured.
o A connection between the PC and the MikroTik router via one of the available RJ45 Ethernet ports, using a straight-through UTP Cat 5 cable with RJ45 connectors. It is advisable to use a MikroTik port that is not going to be modified, to avoid being logged out of the router by a configuration change made on that port.
3 Resetting MikroTik Router
The objective of resetting a router before configuring it is to erase any previous configuration that we are not aware of and cannot account for, so that we have a clean router ready to receive the new configuration.
There are a variety of ways in which the configuration of a MikroTik router can be reset; here we present four of them. Note that the first two methods do not require access to the router's configuration interface, whereas the last two require that the user has access to it. Feel free to use a combination of these
3.1 Method 1
o Connect the router to a power supply.
o Use the touch screen to find and choose the option Reset configuration.
o When prompted to ENTER THE PIN CODE, enter 1234 and validate, then wait for the router to reset and reboot.
3.2 Method 2
o Plug the device into a power supply.
o Insert a small pin into the hole labelled RESET, which on Cloud Core MikroTik routers is found between the Ethernet ports and the VGA port, and keep the button pressed until the LED starts flashing, then release.
o The router configuration will reset and the router will reboot.
3.3 Method 3
o This method is used if you have access to the router's configuration interface and is done by entering the following command in the router's terminal window. Note that this command leaves the router absolutely clean, with no default configuration:
/system reset-configuration no-defaults=yes skip-backup=yes keep-users=no
When the router asks for confirmation with “Dangerous! Reset anyway? [y/N]:”, enter y, which means “Yes”.
3.4 Method 4
o This method is similar to Method 3 but uses the GUI provided by MikroTik: go to the menu on the left and click on System.
o In the drop-down menu that appears, select Reset Configuration.
o In the box that appears, click on Reset Configuration and, when prompted for confirmation to reset the configuration and reboot, accept by clicking on Yes.
At this point, the MikroTik router has been successfully reset.
4 First Login
After resetting a MikroTik router, the default user with read and write permissions has the following credentials:
Login: admin
Password: (empty)
[Figure: Successful first login to router]
5 Protecting the Router
5.1 User Password Access and IP connectivity access
We will create a number of users with given privileges based on the agreed policy. Here we illustrate the creation of two users named user_one_all and user_two_read_only. As for passwords, it is advisable to use passwords of at least 20 characters made up of a combination of numbers, symbols, uppercase and lowercase letters that do not follow a pattern, and to use different passwords for different routers and for different users. We will end by removing the default user admin for security reasons. In the example illustrated, only hosts in the 192.168.10.0/24 network can access the router with the corresponding user.
5.1.1 User with full access
Enter the following command in the terminal to create a user with full privileges:
/user add name=user_one_all password=a+&WR=*r2F!PWa#T5*U+ disabled=no group=full comment="user_one_all is a full access user" address=192.168.10.0/24
5.1.2 User with read only privileges
Enter the following command to create a user with no write privileges:
/user add name=user_two_read_only password=FhYX8n&Kp8?y3F$2^G#p disabled=no group=read comment="user_two_read_only cannot modify configurations in the router" address=192.168.10.0/24
5.1.3 Remove default admin user for security measures
Before removing admin, log in once with the newly created full-access user from a host in 192.168.10.0/24 to confirm that it works; otherwise removing admin can lock you out of the router.
/user remove admin
Note that other groups can be created based on the user-defined policies agreed upon by WIICOM, using the following command in the terminal. The policies are separated by commas. The available policies are: api, ftp, password, read, dude, local, policy, romon, sniff, telnet, tikapp, winbox, reboot, sensitive, ssh, test, web, write.
An example showing the creation of a group:
/user group add name=group_name policy=write,winbox comment="description of newly created group"
5.2 MAC Connectivity Access
By default, the MAC server runs on all interfaces, so we disable it with the following command in the terminal:
/tool mac-server set allowed-interface-list=none
Similarly, for WinBox MAC access, the following command disables the service:
/tool mac-server mac-winbox set allowed-interface-list=none
5.3 Administrative Services
Although the firewall protects the router on the public interface, you may still want to disable RouterOS services, especially the ones that are not in use for now. Most RouterOS administrative tools are configured in the /ip service menu. Keep only the secure ones:
/ip service disable telnet,ftp,www,api,api-ssl
Change the default service ports; this immediately stops most of the random SSH brute-force login attempts:
/ip service set ssh port=4500
Additionally, each service can be restricted to an allowed IP address or address range:
/ip service set winbox address=aa.bb.cc.dd/e
The bandwidth server is used to test throughput between two MikroTik routers. Disable it in the production environment:
/tool bandwidth-server set enabled=no
The router might have the DNS cache enabled, which decreases resolving time for DNS requests from clients to remote servers. If the DNS cache is not required on your router, or another router is used for that purpose, disable it. In the case of WIICOM, there is a dedicated DNS server:
/ip dns set allow-remote-requests=no
Some RouterBOARDs have an LCD module for informational purposes; set a PIN or disable it:
/lcd set enabled=no
It is good practice to disable all unused interfaces on your router, in order to reduce the opportunities for unauthorized access. Suppose we are connected to port ether-n for configuration; we can run the following script to disable interfaces 1 to n-1 and n+1 to N, where N is the total number of interfaces:
{
  # Make sure that the interface through which you are connected for configuration
  # is not in the array named interfacesToDisable. In this example, ether10 is
  # connected to the PC used for configuration.
  :local interfacesToDisable { "ether1" ; "ether2" ; "ether3" ; "ether4" ; "ether5" ; "ether6" ; "ether7" ; "ether8" ; "ether9" ; "ether11" ; "ether12" };
  :foreach disableThisInterface in=$interfacesToDisable do={
    # find returns the internal id of the interface carrying that name
    :local idInterfaceToDisable [/interface ethernet find name=$disableThisInterface]
    /interface ethernet set $idInterfaceToDisable disabled=yes
  }
}
RouterOS supports stronger crypto for SSH, which most newer client programs use. To turn on SSH strong crypto:
/ip ssh set strong-crypto=yes
The following services are disabled by default; nevertheless, it is better to make sure that none of them was enabled accidentally.
MikroTik caching proxy:
/ip proxy set enabled=no
MikroTik SOCKS proxy:
/ip socks set enabled=no
MikroTik UPnP service:
/ip upnp set enabled=no
MikroTik dynamic name service or IP cloud:
/ip cloud set ddns-enabled=no update-time=no
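The checks of sections 5.1 to 5.3 can be verified offline against a router's /export output. The following audit script is an added example, not part of this document or of RouterOS; it assumes a dump in which the /user entries are listed (as /export verbose prints them) and reads an absent key with the RouterOS 6.4x default named in each check. The two sample dumps are constructed.

```python
"""Audit a RouterOS /export dump against the section 5 checklist.  RouterOS only
exports non-default values, so an absent key is read with its RouterOS 6.4x default."""
import shlex
from collections import defaultdict


def parse_export(text):
    """Map each '/path' menu to a list of {'_cmd', '_item', key: value} dicts."""
    sections, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/"):                  # menu path, e.g. "/ip service"
            current = line
        elif line and not line.startswith("#"):   # skip blanks and header comments
            words = shlex.split(line)             # honours comment="quoted text"
            entry = {"_cmd": words[0], "_item": None}
            for word in words[1:]:
                key, sep, value = word.partition("=")
                if sep:
                    entry[key] = value
                else:
                    entry["_item"] = key          # "set telnet ..." -> item "telnet"
            sections[current].append(entry)
    return sections


def audit(export_text):
    """Return the section 5 items that are still open in the dump."""
    cfg = parse_export(export_text)
    findings = []
    # 5.3: management services are all enabled by default and ssh listens on 22
    services = {e["_item"]: e for e in cfg.get("/ip service", []) if e["_item"]}
    for name in ("telnet", "ftp", "www", "api", "api-ssl"):
        if services.get(name, {}).get("disabled", "no") != "yes":
            findings.append(f"/ip service {name} still enabled")
    if services.get("ssh", {}).get("port", "22") == "22":
        findings.append("ssh still listens on default port 22")
    for name in ("ssh", "winbox"):
        if "address" not in services.get(name, {}):
            findings.append(f"/ip service {name} not limited to a management subnet")
    # 5.2: MAC access defaults to allowed-interface-list=all; 5.3: strong-crypto off
    for path, key, default, wanted in (
        ("/tool mac-server", "allowed-interface-list", "all", "none"),
        ("/tool mac-server mac-winbox", "allowed-interface-list", "all", "none"),
        ("/ip ssh", "strong-crypto", "no", "yes"),
    ):
        value = next((e[key] for e in cfg.get(path, []) if key in e), default)
        if value != wanted:
            findings.append(f"{path} {key} should be {wanted}")
    # 5.1: default admin account and users without an address= restriction
    users = [e for e in cfg.get("/user", []) if e["_cmd"] == "add"]
    if any(u.get("name") == "admin" for u in users):
        findings.append("default admin user still present")
    for u in users:
        if u.get("name") != "admin" and "address" not in u:
            findings.append(f"user {u['name']} has no address= restriction")
    return findings


# Constructed dump of a freshly reset router on which one user was added.
WEAK_EXPORT = """\
/user
add group=full name=admin
add group=full name=user_one_all comment="full access, no address limit"
"""
# Constructed dump after the section 5 commands were applied.
HARDENED_EXPORT = """\
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=4500 address=192.168.10.0/24
set api disabled=yes
set winbox address=192.168.10.0/24
set api-ssl disabled=yes
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/user
add address=192.168.10.0/24 group=full name=user_one_all
add address=192.168.10.0/24 group=read name=user_two_read_only
/ip ssh
set strong-crypto=yes
"""
```

Running audit() over the export of each router after the section 5 commands gives an empty list; any remaining entry names the step that was skipped.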
6 Upgrade the MikroTik OS
To ensure that we are up to date with MikroTik OS versions, we can download the most recent stable RouterOS, which is 6.46.6, using the link https://download.mikrotik.com/routeros/6.46.6/routeros-mipsbe-6.46.6.npk for MIPSBE, https://download.mikrotik.com/routeros/6.46.6/routeros-smips-6.46.6.npk for SMIPS, https://download.mikrotik.com/routeros/6.46.6/routeros-tile-6.46.6.npk for TILE or https://download.mikrotik.com/routeros/6.46.6/routeros-mmips-6.46.6.npk for MMIPS. To know the architecture name of the router you are using, check the end of the title bar or run the following command in the MikroTik terminal:
:put [/system resource get architecture-name]
It is possible that, by the time this document is used, a more recent stable version will exist; make sure you install the most recent stable RouterOS version. Subsequently, an automatic upgrade could be considered and placed in a scheduler to be run at a given time of the night when the network is least loaded; this will depend on the agreed policy of WIICOM and will be discussed in a later document.
7 General Configurations
7.1 Naming a router
Setting a name for a router allows easy identification in the network. The following command sets the router name:
/system identity set name=router_name
For example, for PE-Mbankolo, we will have:
/system identity set name=PE-Mbankolo
It is also important to give meaningful names to interfaces, so that they can be identified easily later.
7.2 Setting router loopback
The following commands add an interface named loopback. A loopback address is an IP address used to test the communication or transport medium on a local network card and/or to test network applications. Data packets sent to a loopback address are routed back to the originating node without any alteration. A loopback address can also be used as the router-id when configuring OSPF, because it stays up independently of any physical link.
/interface bridge add name=loopback protocol-mode=none
/ip address add address=valid_host_ipv4_address/32 interface=loopback
For example, to set 1.1.1.1/32 as the loopback address, we use the following commands in the terminal:
/interface bridge add name=loopback protocol-mode=none
/ip address add address=1.1.1.1/32 interface=loopback
7.3 Renaming an interface
It can be useful to rename an interface to ease configuration, using the following command:
/interface ethernet set ether1 name=ether1_new_name
where ether1_new_name is the new name given to interface ether1. It is advisable to keep the original ether1 prefix in the new name, to avoid mistakes in physical connections and confusion when identifying the renamed interface. Another way to minimize confusion is to use explicit names and to physically place a label on the router interface. The following script renames the interfaces from their previous names, which are the keys of the array, to the new names, which are the values:
{
  :local renameInterfaces { "ether1"="ether1_new_name_one" ; "ether2"="ether2_new_name_two" ; "ether3"="ether3_new_name_three" ; "ether4"="ether4_new_name_four" ; "ether5"="ether5_new_name_five" }
  /interface ethernet
  :foreach previousInterfaceName,newInterfaceName in=$renameInterfaces do={
    # look the interface up by its current name, then give it the new one
    set [find name=$previousInterfaceName] name=$newInterfaceName
  }
}
7.4 Setting IPv4 addresses for router interfaces
The following command sets an IPv4 address on an interface:
/ip address add address=aa.bb.cc.dd/e interface=ether1_new_name_one network=ff.gg.hh.ii broadcast=kk.ll.mm.nn disabled=no
To configure an IPv4 address on an interface of a MikroTik router, the most important information is:
o IPv4 address aa.bb.cc.dd/e
o Network address ff.gg.hh.ii
o Broadcast address kk.ll.mm.nn
o Interface name_interface
o Comment “This interface is meant for …”
With this information taken from the IPv4 addressing document, we create a nested 2D array containing all of it. Note that the placeholders in the following template should be replaced with real information:
{
  :local configureRouterInterfaces {
    "name_of_interface_one"={ "address"="ipv4_address_one"; "network"="network_address_one"; "broadcast"="broadcast_address_one"; "comment"="useful_comment_one" };
    "name_of_interface_two"={ "address"="ipv4_address_two"; "network"="network_address_two"; "broadcast"="broadcast_address_two"; "comment"="useful_comment_two" }
  }
  /ip address
  :foreach interfaceName,interfaceConfig in=$configureRouterInterfaces do={
    # element access on the nested array must be parenthesised in RouterOS scripts
    add interface=$interfaceName address=($interfaceConfig->"address") network=($interfaceConfig->"network") broadcast=($interfaceConfig->"broadcast") comment=($interfaceConfig->"comment") disabled=no
  }
}
7.5 OSPF
To configure OSPF routing, we keep the following in mind:
o P routers will serve as ABRs (Area Border Routers); this ensures that LSAs (Link State Advertisements) within an area do not cross into another area.
o The DR and BDR will be elected by the OSPF algorithm.
o Areas will be named after the region (NB: this region is not administrative).
o 32-bit router IDs will be set for each router as per the agreed convention.
We present template scripts for the configuration of OSPF on a router. The following command creates an area named yaounde_region:
/routing ospf area add name=yaounde_region
To add a set of networks to a given area, we can use the following script, which creates the area and adds networks to it. Note that these networks should be those through which the router being configured connects to other routers of the same area on which OSPF has been or will be activated. The script also fixes a router id for OSPF; in the absence of a router id, one of the addresses on the router is used instead.
{
  :local networksInOSPFArea { "1.1.1.1/32"; "192.168.10.0/30"; "192.168.10.4/30"; "192.168.10.8/30"; "192.168.10.12/30"; "192.168.10.16/30" }
  :local nameOfArea "yaounde_region"
  :local areaId "0.0.0.1"
  :local nameOfInstance "name_of_instance"
  :local routerId "1.1.1.1"
  /routing ospf area add name=$nameOfArea area-id=$areaId
  # We use the default instance but rename it and set router-id to the loopback.
  # The other default parameters are left unchanged for now.
  /routing ospf instance set 0 name=$nameOfInstance router-id=$routerId
  /routing ospf network
  :foreach networkForOSPF in=$networksInOSPFArea do={
    add area=$nameOfArea network=$networkForOSPF
  }
}
To verify whether the OSPF instance is running on the router, run the following command:
/routing ospf monitor once
The following command shows the elected DR and BDR and the adjacencies established by OSPF after the exchange of Hello packets and LSAs:
/routing ospf neighbor print
The following command checks whether the LSA tables were generated properly:
/routing ospf lsa print
By default, authentication of the LSA exchange is not activated. This is dangerous because anyone able to sniff or inject packets on an OSPF segment could form an adjacency and feed false routes, leading to OSPF misconfiguration. To avoid this, MD5 authentication should be configured on all OSPF interfaces. The following command can be used (the shared secret is set with the authentication-key parameter and must be identical on both ends of the link):
/routing ospf interface add interface=ether1 authentication=md5
The default options can be modified when the need arises, and other interfaces can be added with MD5 authentication. For networks that are connected to an OSPF router but are not part of the networks initially added to the area, the router can still advertise their reachability; this is achieved with the following command. Supposing that only the router instance with number 0 is running, we use:
/routing ospf instance set 0 redistribute-connected=as-type-1
7.6 MPLS
Basic MPLS configuration is achieved on the desired interfaces by running the following script, with mplsInterfaces containing an array of the interfaces on which MPLS will be activated. LDP (Label Distribution Protocol) is also enabled to ensure the exchange of labels between LSRs and LERs.
{
  # the loopback address serves as LSR id and as LDP transport address
  :local lsrAndTransportAddress "1.1.1.1"
  :local mplsInterfaces { "ether1"; "ether2"; "ether3" }
  # enabling LDP
  /mpls ldp set enabled=yes lsr-id=$lsrAndTransportAddress transport-address=$lsrAndTransportAddress
  /mpls ldp interface
  :foreach interface in=$mplsInterfaces do={
    add interface=$interface
  }
}
7.7 DHCP
The following command defines a DHCP pool:
/ip pool add name=CE1pool ranges=30.4.0.2-30.4.15.254
The following command sets up the DHCP server on a given interface, with a lease time of 1h:
/ip dhcp-server add address-pool=CE1pool disabled=no interface=ether3 lease-time=1h name=CE1
On a router that must obtain its address from a DHCP server (the CE routers in section 8), the following command sets an interface as a DHCP client instead:
/ip dhcp-client add disabled=no interface=ether3
Let us specify the gateway, DNS server and network address for the DHCP server network:
/ip dhcp-server network add address=30.4.0.0/20 dns-server=8.8.8.8,8.8.4.4 gateway=30.4.0.1 comment="CE1"
MikroTik also offers a quick way to set up DHCP on an interface: enter the following command and then supply the required information carefully:
/ip dhcp-server setup
7.8 NAT
All routers that are connected to the internet should have NAT activated using the following command, ether3 being the interface facing the internet:
/ip firewall nat add chain=srcnat action=masquerade out-interface=ether3
8 Yaounde Region
8.1 Telephony Network
Presented below is a diagrammatic representation of the telephone network. Having elaborated above the technologies that must be activated to obtain a functional MPLS network, we now consider each router and outline the technologies that should be activated on it. The practical side will be demonstrated in simulation, and a template will be made for P, PE and CE routers in general, then for the particular aspects of the Data Center routers and Internet routers. Protective credentials can be left for later, the main objective now being a functional MPLS network; a dynamic security script to secure all routers based on all the aforementioned security measures belongs to that later step.
8.1.1 PE-Internet
o Set name of router
o Address each router interface
o Create area named yaounde_region
o Place ether1 in OSPF area named yaounde_region
o Activate LDP in router
o Add ether1 to MPLS
o NAT with output interface ether3
8.1.2 PE-Ngoa-Ekelle-Tel
o Set name of router
o Address each router interface
o Create area named yaounde_region
o Place ether1, ether2, ether3, ether4 and ether5 in OSPF area named yaounde_region
o Activate LDP in this router
o Add ether1, ether2, ether3, ether4 and ether5 to MPLS
8.1.3 PYaounde
o Set name of router
o Address each router interface
o Create area named yaounde_region
o Place ether1 in OSPF area named yaounde_region
o Activate LDP in this router
o Add ether1 to MPLS
o In the future, it will be necessary to configure eBGP towards the P routers of other regions.
8.1.4 PE-Data-Center-1
o Set name of router
o Address each router interface
o Create area named yaounde_region
o Place ether1 in OSPF area named yaounde_region
o Activate LDP in this router
o Add ether1 to MPLS
8.1.5 PE-Mbankolo-Tel
o Set name of router
o Address each router interface
o Create area named yaounde_region
o Place ether1, ether2 and ether3 in OSPF area named yaounde_region
o Activate LDP in this router
o Add ether1, ether2 and ether3 to MPLS
8.1.6 PE-Soa-Tel
o Set name of router
o Address each router interface
o Create area named yaounde_region
o Place ether1 and ether2 in OSPF area named yaounde_region
o Activate LDP in this router
o Add ether1 and ether2 to MPLS
8.1.7 PE-Petit-marche-Tel
o Set name of router
o Address each router interface
o Create area named yaounde_region
o Place ether1, ether2, ether3 and ether4 in OSPF area named yaounde_region
o Activate LDP in this router
o Add ether1, ether2, ether3 and ether4 to MPLS
8.1.8 PE-Data-Center-Siege
o Set name of router
o Address each router interface
o Create area named yaounde_region
o Place ether1 in OSPF area named yaounde_region
o Activate LDP in this router
o Add ether1 to MPLS
8.1.9 PE-Siege
o Set name of router
o Address each router interface
o Create area named yaounde_region
o Place ether1, ether5 and ether6 in OSPF area named yaounde_region
o Activate LDP in this router
o Add ether1, ether5 and ether6 to MPLS
o Activate DHCP servers on ether3 and ether4
8.1.10 PE-Internet-Siege
o Set name of router
o Address each router interface
o Create area named yaounde_region
o Place ether1 in OSPF area named yaounde_region
o Activate LDP in this router
o Add ether1 to MPLS
8.1.11 CE-Monitoring-Telephonie
o Set name of router
o Address each router interface
o Set interface ether1 as DHCP client
8.1.12 CE-Siege-Telephonie
o Set name of router
o Address each router interface
o Set interface ether1 as DHCP client
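The per-router checklists above apply the commands of section 7 with different interface sets. The following generator is an added example of the reusable template this document aims at, written for this page and not WIICOM's own template: it renders the RouterOS commands for one router from a small specification and derives the OSPF area networks from the interface addresses with Python's ipaddress module, so the two cannot disagree. The PE-Siege specification reflects 8.1.9, but its addresses and MD5 key are constructed placeholders.

```python
"""Render the RouterOS commands for one router from a template of the kind the
document outlines in sections 7 and 8 (identity, loopback, addresses, OSPF, LDP,
MPLS, DHCP, NAT).  The OSPF networks are derived from the interface addresses with
the ipaddress module, so the area list cannot drift from the addressing plan."""
import ipaddress

# Constructed template for PE-Siege (8.1.9): ether1, ether5 and ether6 in OSPF and
# MPLS, DHCP servers on ether3 and ether4.  Addresses are placeholders, the real
# ones come from the IPv4 addressing document; never keep a real MD5 key in a file.
PE_SIEGE = {
    "name": "PE-Siege",
    "loopback": "10.255.0.9",
    "area": ("yaounde_region", "0.0.0.1"),
    "interfaces": {                      # interface: (address/prefix, comment)
        "ether1": ("192.168.10.9/30", "link to PYaounde"),
        "ether5": ("192.168.10.13/30", "link to PE-Data-Center-Siege"),
        "ether6": ("192.168.10.17/30", "link to PE-Internet-Siege"),
        "ether3": ("30.4.0.1/20", "CE LAN served by DHCP"),
        "ether4": ("30.5.0.1/20", "CE LAN served by DHCP"),
    },
    "ospf_interfaces": ["ether1", "ether5", "ether6"],
    "mpls_interfaces": ["ether1", "ether5", "ether6"],
    "dhcp_interfaces": ["ether3", "ether4"],
    "internet_interface": None,          # set only on the PE-Internet routers
    "ospf_md5_key": "REPLACE_WITH_REAL_KEY",
}


def render(spec):
    """Return the RouterOS commands for one router as a list of lines."""
    loop = spec["loopback"]
    area_name, area_id = spec["area"]
    lines = [f"/system identity set name={spec['name']}",                        # 7.1
             "/interface bridge add name=loopback protocol-mode=none",             # 7.2
             f"/ip address add address={loop}/32 interface=loopback"]
    for ifname, (addr, comment) in spec["interfaces"].items():                   # 7.4
        net = ipaddress.ip_interface(addr).network
        lines.append(f"/ip address add address={addr} interface={ifname} "
                     f'network={net.network_address} comment="{comment}"')
    # 7.5: area, default instance with router-id = loopback, connected networks
    lines.append(f"/routing ospf area add name={area_name} area-id={area_id}")
    lines.append(f"/routing ospf instance set 0 router-id={loop} "
                 "redistribute-connected=as-type-1")
    lines.append(f"/routing ospf network add area={area_name} network={loop}/32")
    for ifname in spec["ospf_interfaces"]:
        net = ipaddress.ip_interface(spec["interfaces"][ifname][0]).network
        lines.append(f"/routing ospf network add area={area_name} network={net}")
        # every OSPF interface gets MD5 authentication; the key must match the peer
        lines.append(f"/routing ospf interface add interface={ifname} "
                     f"authentication=md5 authentication-key={spec['ospf_md5_key']}")
    # 7.6: LDP with the loopback as LSR id and transport address
    lines.append(f"/mpls ldp set enabled=yes lsr-id={loop} transport-address={loop}")
    for ifname in spec["mpls_interfaces"]:
        lines.append(f"/mpls ldp interface add interface={ifname}")
    # 7.7: pool, server and network per DHCP-served LAN (gateway = router address)
    for ifname in spec["dhcp_interfaces"]:
        iface = ipaddress.ip_interface(spec["interfaces"][ifname][0])
        first = iface.network.network_address + 2       # .1 is the router itself
        last = iface.network.broadcast_address - 1
        lines.append(f"/ip pool add name={ifname}_pool ranges={first}-{last}")
        lines.append(f"/ip dhcp-server add name={ifname}_dhcp address-pool={ifname}_pool "
                     f"interface={ifname} lease-time=1h disabled=no")
        lines.append(f"/ip dhcp-server network add address={iface.network} "
                     f"gateway={iface.ip} dns-server=8.8.8.8,8.8.4.4")
    # 7.8: masquerade only where an interface faces the internet
    if spec["internet_interface"]:
        lines.append("/ip firewall nat add chain=srcnat action=masquerade "
                     f"out-interface={spec['internet_interface']}")
    return lines


if __name__ == "__main__":
    print("\n".join(render(PE_SIEGE)))
```

The output can be pasted into the router terminal or saved as a script; the same spec layout, with a different interface set and internet_interface filled in, covers the PE-Internet routers of 8.1.1 and 8.1.10.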
Figure 1: Telephony Network
8.1.13 Connectique Network
The following architecture is used for the Connectique network. The configurations here are similar to those of the Telephony network, except that a special TE will be elaborated to meet the demands of the various Connectique clients. Attention should be paid to the differences in interfaces on equipment that is common to both the Telephony and Connectique networks.
Figure 2: Connectique Network
8.1.14 Telephone and Connectique network
The combined network is an amalgamation of the individual configurations of the Telephony and Connectique networks. The figure below illustrates the combined architecture.
Figure 3: Telephony and Connectique Network
9 Conclusion
This document presents the various operations to be carried out on a MikroTik router before its proper configuration. We then elaborate the setting up of an MPLS network, the minimum security required for the routers, and the activation of technologies such as DHCP and NAT. The main objective of this document is to present a methodology that will be used to elaborate reusable templates for the key routers of the network, that is P, PE and CE routers, among other key actions in the network that will require the use of scripts.