internal network ---------- fortigate --------- internet
objective: create 3 policies
1 user internet policy --- web access
2 user mobile policy --- web access with web filtering
3 admin policy --- sysadmin unrestricted access
======================
1 user internet policy
policy & object > IPv4 Policy >
name = internet
Service = DNS, HTTP, HTTPS
NAT = enabled
Log Allowed Traffic = All Sessions
=====================
2 user mobile policy
policy & object > IPv4 Policy >
name = Mobile
incoming interface = lan
outgoing interface = wan
source = mobile devices, all
dest = all
service = DNS, HTTP, HTTPS
NAT = enabled
web filter = enabled, default
SSL/SSH inspection = enabled, certificate-inspection
Log Allowed Traffic = All Sessions
======================
3 admin policy
user & devices > Custom Devices & Groups > Create New > new device
alias = Admin
Mac = xxxx
Device Type = windows pc
policy & object > ipv4 policy
name = Admin
incoming interface = lan
outgoing interface = wan1
source = all, admin PC
dest = all
service = all
nat = enabled
log allowed traffic = all sessions
save
Policy & object > IPv4 Policy > By Sequence -> the order:
1 internet
2 mobile
3 admin
4 implicit deny
^ to change the policy order, just drag the number upward
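Added example (not from the notes): a first-match simulation of the three policies above plus the implicit deny, to show why the sequence matters. It assumes the "internet" policy has source = all, which the notes do not state; with that assumption a mobile device's HTTP session hits "internet" first and the web filter in "Mobile" never runs.

```python
"""First-match evaluation of the three FortiGate policies from the notes,
plus the implicit deny, and a check for policies that can never fire."""
from dataclasses import dataclass

ANY = "all"   # FortiGate's catch-all object for source / destination / service


@dataclass(frozen=True)
class Policy:
    name: str
    devices: frozenset    # device groups accepted as source; {ANY} = any device
    services: frozenset   # services accepted; {ANY} = any service
    action: str = "accept"
    web_filter: bool = False


@dataclass(frozen=True)
class Session:
    device: str
    service: str


IMPLICIT_DENY = Policy("implicit deny", frozenset({ANY}), frozenset({ANY}), "deny")

# The three policies in the sequence the notes show. The notes give no source
# for "internet"; it is ASSUMED here to be "all".
NOTES_ORDER = [
    Policy("internet", frozenset({ANY}), frozenset({"DNS", "HTTP", "HTTPS"})),
    Policy("Mobile", frozenset({"mobile devices"}),
           frozenset({"DNS", "HTTP", "HTTPS"}), web_filter=True),
    Policy("Admin", frozenset({"admin PC"}), frozenset({ANY})),
]


def _member(value: str, allowed: frozenset) -> bool:
    return ANY in allowed or value in allowed


def matches(policy: Policy, session: Session) -> bool:
    return (_member(session.device, policy.devices)
            and _member(session.service, policy.services))


def evaluate(policies, session: Session) -> Policy:
    """Top-down, first match wins; no match falls through to the implicit deny."""
    for policy in policies:
        if matches(policy, session):
            return policy
    return IMPLICIT_DENY


def _covers(wide: frozenset, narrow: frozenset) -> bool:
    """True if every value accepted by `narrow` is also accepted by `wide`."""
    return ANY in wide or (ANY not in narrow and narrow <= wide)


def shadowed(policies):
    """Names of policies that can never fire because an earlier policy already
    accepts every device/service combination they would match."""
    result = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if (_covers(earlier.devices, later.devices)
                    and _covers(earlier.services, later.services)):
                result.append(later.name)
                break
    return result


if __name__ == "__main__":
    mobile_http = Session("mobile devices", "HTTP")
    print(evaluate(NOTES_ORDER, mobile_http).name)   # internet: web filter skipped
    print(shadowed(NOTES_ORDER))                      # ['Mobile']
    fixed = [NOTES_ORDER[1], NOTES_ORDER[0], NOTES_ORDER[2]]
    print(evaluate(fixed, mobile_http).name)         # Mobile
```

Moving "Mobile" above "internet" (the drag described above) is what makes the web filter apply; the admin policy is unaffected either way because only it accepts services beyond DNS/HTTP/HTTPS.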
==================
Friday, March 30, 2018
fortinet - Transparent Web Proxy
transparent web proxy:
- apply web authentication to all HTTP traffic accepted by a firewall policy
objective: apply the proxy to all user web traffic without any end-user client configuration change ( browser web proxy , system proxy )
previously -> explicit web proxy supported
now -> transparent web proxy supported
system > setting > System Operation Settings > Inspection Mode = proxy
save
system > feature visibility > explicit proxy = enabled
apply
network > explicit web proxy = enabled
http port = 8080 !! can be customized
apply
security profiles > proxy options > http policy redirect = enabled
policy & object > IPv4 Policy > edit > security profiles > antivirus = enabled
proxy options = default
ssl / ssh inspection = certificate-inspection
OK
policy & object > Proxy Policy > Create New > Transparent Web
incoming = port1
outgoing = wan1
source = all
dest = all
security profiles > antivirus = enabled ( default )
-----------------------------------------------
fortiview > policies > internet > drill down to detail
fortinet IPSEC / site-to-site VPN
configure IPsec VPN:
-------------------------------
VPN > Ipsec wizard >
name: hq-branch
template type: site to site
-------------------------------
vpn setup > authentication
ip address: enter the public IP address of the branch router
172.25.117.36
outgoing interface: wan1
authentication method: pre-shared key
pre-shared key : xxx
-------------------------------
policy & routing
local interface: LAN
local subnet: 10.11.60.0/24 !! the HQ local subnet is filled in automatically
remote subnet: 192.168.100.1/24 !! enter the branch private network
-------------------------------
branch settings:
VPN > IPsec wizard
name: branch-hq
template type: site-to-site
------------------------------
vpn setup > authentication
ip address: enter the public IP address of the HQ router
172.25.176.36
outgoing interface: wan1
authentication method: pre-shared key
pre-shared key : xxx
-------------------------------
policy & routing
local interface: LAN
local subnet: 10.11.60.0/24 !! the HQ local subnet is filled in automatically
remote subnet: 192.168.100.1/24 !! enter the branch private network
-------------------------------
monitor > ipsec monitor
branch-to-hq > click Bring up
-------------------------------
fortinet - HIGH AVAILABILITY
high availability
internet ---- switch ----- fortigate1 ------- sw1 ------ fgt140d ---- net1
| x
|--------- fortigate 2 ------ sw2 ---- fgt 40d ---- net2
==================================
basically, if one FortiGate goes down, its job is handed over to the other FortiGate,
so the network stays up.
redundancy!
==================================
** settings on the primary FortiGate
- set up registration & licensing.
1 the firmware must be the same on both FortiGates
2 register the license & apply the same level of license ( IPS, antivirus, web filtering, FortiClient, FortiCloud, FortiGuard )
3 system > setting > hostname > primary-fortigate
4 system > HA > mode : active-passive
5 device priority: raise it from 128 to 250 (higher; default = 128) -> makes it the primary
6 group name: External-HA-Cluster
password : xxx
7 heartbeat interfaces : the 2 interfaces that point to the other FortiGate.
8 heartbeat interface priority: 50
config system ha
set group-id 25 !! if there is another cluster ( the group id must be set )
end
====================================
note:
1 there must be a switch between the FortiGate cluster and the internet
2 there must be a switch between the FortiGate cluster and the internal network
===================================
** settings on the backup FortiGate
1 the firmware must be the same on both FortiGates
2 register the license & apply the same level of license ( IPS, antivirus, web filtering, FortiClient, FortiCloud, FortiGuard )
3 system > setting > hostname > backup-fortigate
4 system > HA > mode : active-passive
5 device priority: lower it from 128 to 50 (lower; default = 128) -> makes it the backup
6 group name: External-HA-Cluster !! use the same group name as on the primary FortiGate
password : xxx
7 heartbeat interfaces : the 2 interfaces that point to the other FortiGate.
8 heartbeat interface priority: 50
done. afterwards check:
1 role: master
2 role: slave
check via main > HA Status > active-passive , uptime xxx
=================================
how to test:
- shut down the primary FortiGate
via cli:
# execute shutdown
=================
fortinet - NAT
ISP
WAN
|
|
|
FORTI-----PORT1
default user:
admin
pass: empty
=====================
objective: connect the internal LAN to the internet via the FortiGate.
set 2 IPs:
1 for WAN
1 for LAN
network > interfaces
^ addresses can be entered here.
edit
address: manual. 172.20.121.16/255.255.255.0 !! enter the IP from the ISP
^
edit
enter the IP
10.1.1.2/255.255.255.0 !! enter the private IP.
- optional: set up DHCP
set role : LAN
====================
objective: set a static route to the internet
network > static routes.
destination > subnet
0.0.0.0/0.0.0.0
device: wan1 !! choose the interface facing the internet
gateway: 172.20.121.2 !! gateway from the ISP
===================
objective: set firewall policy
policy & objects > ipv4 policy
name: internet-traffic
incoming interface : lan
outgoing interface : wan1
source : all
dest : all
service: all
action: accept
nat: enable
ip pool config: use outgoing interface address
log allowed traffic : on, all traffic
=============
objective: check traffic
fortiview > all sessions
=============
fortinet
Fortinet solutions:
- next gen firewall
- secure SD-WAN
- virtualized next-gen firewall
- secure wifi
- endpoint security
- email security
- IPS ( intrusion prevention system )
- sandbox
- public cloud security
- web application firewall
- secure switching
- application delivery control
- secure web gateway
- management
- cloud access security broker
- SIEM
- identity and access management
- DDoS
fortigate 7000,5000 series --- chassis based NGFW
fortigate 6000 series --- ultra high end
fortigate 3000,2000,1000 series --- high end
fortigate 900, 800,600,500,400,300,200,100 series --- mid range
fortigate 90, 80, 60 , 50, 30 series ---- entry
===============
next gen firewall (NGFW)
intrusion prevention system (IPS)
software-defined WAN (SD-WAN)
Secure Web Gateway (SWG)
===============
fortinet :
high performance network security products and services including the FortiGate firewall. It is their flagship integrated network security solution.
================
WF---IPS---FW----internet
FW = firewall
IPS = intrusion prevention system
wf = web filtering
security
control
performance
=================
Sunday, March 18, 2018
ospf documentation part 2
OSPF is a link-state routing protocol.
RIP = routes are resent every 30s, sending the full routing table.
RIP = advertises hop count.
EIGRP = advertises prefix, subnet mask, metric -> calculated by the algorithm into a distance ( decides the best path ).
^ bandwidth, delay, reliability as seen by the directly connected router.
^ knows the state of its directly connected neighbor adjacencies.
^ once the information has reached the other side of a neighbor it is not passed on further, unlike OSPF.
=======================
link state = sends prefixes but only at a specific time ( e.g. every 30 min ).
- sends LSAs ( link state advertisements )
lots of descriptive information on the link!
LSA => DETAILED visibility on the interface.
cached in the database and kept flooding.
everybody in the area sees everything!!
==================
OSPF USES LINK-STATE logic:
- neighbor discovery
- topology database exchange
- route computation
hello packets are sent using multicast 224.0.0.5
OSPF uses IP protocol 89 ( not TCP / UDP )
OSPF uses the concept of AREAs
=================
scenario 1. using area 0
backbone = area 0
          backbone area 0
area 10      area 20      area 30
each of areas 10, 20, 30 has 1 interface connected to area 0.
traffic from one area to another must pass through area 0 before it is permitted.
if there is a direct link from area 10 to area 20 -> it won't work, even when the link is configured with the same area number.
==================
scenario 2. all networks put into 1 area.
network 1 ---- network 2 ---- network 3
^ becomes 1 area. any area number can be used, e.g. area 23.
^ but there is a downside: all information gets sent, so the load on every router is large.
CPU intensive!
- Type-1 Router LSA.
every new network is flooded to every router in the area concerned!!
====================
1 LSAs are collected and stored in the database
2 everything is put together to build the tree -> type 1 router LSAs burden every router because everything is one area
3 find the best path and put it in the routing table
- link-state database
=======================
AREA BORDER ROUTER:
a router that connects to an area 0 router
* connects a non-backbone area to the backbone area.
6 areas connected to the area border router = 6 trees.
^ the ABR works really hard.
=======================
- type-3 summary LSA. ( on the ABR )
a new network in area x is sent to area 0 so that area 0 knows about it
=======================
#router ospf <process-id> !! does not need to match on the neighboring router.
=======================
OSPF router ID:
1. manually configured !! does not need to exist on any interface
2. highest IP of any loopback interface
3. highest IP address of any non-loopback interface
=======================
TSHOOT COMMANDS
show ip int bri
show ip ospf !! check router-id
show ip ospf database !! shows the area
show ip ospf neig
clear ip ospf process !! restarts the OSPF process when needed.
=====================
OSPF neighborship is more complex.
- 2 way neighbors
- fully adjacent neighbors
===================
how to configure OSPF on the interface ( not under the router process ):
interface fastethernet0/0
ip address x.x.x.x y.y.y.y
ip ospf 1 area 1 -> configured on the interface
duplex auto
speed auto
the global way:
router ospf 1
router-id 20.20.20.20
network 20.20.20.0 0.0.0.255 area 1
================
parameters that must match for neighbors:
- hello interval
- dead interval
- area ID
- subnet mask
- authentication
- stub area flag
==============
hello message parameters that depend on network conditions ( no need to match ):
- ospf router ID
- list of neighbors reachable on interface
- router priority
- DR ip address
- BDR ip address
=============
intervals:
LAN
hello 10
dead 40
custom hello!
#conf t
#ip ospf hello-interval 5
#ip ospf dead-interval 20
#end
!! check config
#show ip ospf interface fa0/0
** hello and dead timer intervals can be modified for faster convergence
#ip ospf dead-interval minimal hello-multiplier <multiplier>
===========
** if you want to change the router-id on a router, you must clear the OSPF process ( because it will change in every other router's database ).
!! verify router-id
# show ip protocols
# show ip ospf
# show ip ospf database
==========
MTU issue.
default MTU = 1500 ( bytes of data )
^ default IP MTU + Ethernet frame ( maximum legal size )
^ if a router needs to forward a packet larger than the outgoing interface MTU, it either fragments the packet or discards it,
depending on the DF ( don't fragment ) bit.
^ if DF is set, the packet is dropped instead of being fragmented.
2 routers connected on the same cable must have the same MTU. ( same data link )
^ they still become neighbors, but it turns into an issue later:
stuck in EXSTART state, then down.
^ in the log message => " too many retransmissions "
==========
!! check via Wireshark !!
conf t
int fa0/0
ip mtu 1000
show ip ospf neigh
^ state EXSTART/DR
^ to check the process you can use Wireshark:
ip.proto == 89 !! IP protocol 89 ( OSPF has no port ).
you get the hello packet -> it can be inspected / the details viewed ( header section )
area ID: 0.0.0.0
hello interval: 10s
and the DB Description
OSPF DB Description
Interface MTU: 1000
=================
!! check via the debug command on the router !!
#debug ip ospf adj
^ OSPF: Nbr 19.19.199.19 has larger interface MTU !! the error shows up
================
!! OSPF Authentication part 1 !!
purpose: prevent unauthorized routers from joining as neighbors
2-step process:
- enable authentication & its type
- the authentication key must be configured per interface
!! per interface
# ip ospf authentication
# ip ospf authentication-key <pass>
!! global conf
#area <area-id> authentication [message-digest]
3 types of authentication:
- type 0 : no authentication
- type 1 : clear-text authentication
- type 2 : MD5 AUTHENTICATION**
^ if MD5 is not used, the password is readable when the hello packet is captured.
- supports multiple keys on the same interface, but does not support key chains.
^ ( key chain = keys that rotate every set time interval. )
================
!! configure authentication with interface subcommands
#ip ospf authentication null ( type 0 )
#ip ospf authentication ( type 1 )
#ip ospf authentication-key <pass> ( type 1 )
#ip ospf authentication message-digest ( type 2 )
#ip ospf message-digest-key <key-id> md5 <pass> ( type 2 )
!! the same authentication type and the same key must be used on both routers !!
^ when authentication is implemented while OSPF is already running, you have to wait for the dead timer to expire before the adjacency drops.
================
!! debug commands !!
show ip ospf interface <int>
debug ip ospf hello
debug ip ospf adj
================
!! debugging in Wireshark !!
filter :
224.0.0.5 -> multicast
224.0.0.6
or unicast
89 -> OSPF IP protocol number
# int fast0/0
# ip ospf 1 area 1
# end
OSPF header:
Auth Type: -> look at the auth type in Wireshark, IP protocol 89
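Added example, not part of the notes: builds OSPFv2 Hello packets like the ones inspected in Wireshark above, decodes the header fields the notes look at (area ID, hello interval, auth type) and checks the must-match parameter list from this post between two routers. Router IDs, timers and the password are constructed sample values.

```python
"""Build and decode OSPFv2 Hello packets (RFC 2328 layout) and check the
neighbor parameters that must match: hello/dead interval, area ID, mask,
authentication type and the stub-area flag (E-bit in Options)."""
import struct
from ipaddress import IPv4Address

OSPF_IP_PROTOCOL = 89      # OSPF runs directly over IP; there is no TCP/UDP port
HELLO = 1
AUTH_TYPES = {0: "null", 1: "clear-text", 2: "md5"}
OPT_E = 0x02               # E-bit: set on normal areas, cleared on stub areas
MUST_MATCH = ("hello_interval", "dead_interval", "area_id", "network_mask",
              "auth_type", "stub")


def ospf_checksum(data: bytes) -> int:
    """One's-complement checksum over the packet minus the 64-bit auth field."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_hello(router_id, area_id, mask, hello, dead, auth_type=0,
                password=b"", stub=False, neighbors=()):
    """Constructed packet: 24-byte OSPF header followed by the Hello body."""
    options = 0 if stub else OPT_E
    body = struct.pack("!4sHBBI4s4s", IPv4Address(mask).packed, hello, options,
                       1, dead, b"\0" * 4, b"\0" * 4)        # priority 1, no DR/BDR
    body += b"".join(IPv4Address(n).packed for n in neighbors)
    head = struct.pack("!BBH4s4sHH", 2, HELLO, 24 + len(body),
                       IPv4Address(router_id).packed,
                       IPv4Address(area_id).packed, 0, auth_type)
    # RFC 2328 D.4: with cryptographic (MD5) auth the checksum field stays 0.
    csum = 0 if auth_type == 2 else ospf_checksum(head + body)
    head = head[:12] + struct.pack("!H", csum) + head[14:]
    # type 1 carries the password itself in the 8-byte auth field (why it is
    # readable in a capture); type 2 puts key-id/length/sequence there instead,
    # which this constructed example leaves zeroed.
    auth = password[:8].ljust(8, b"\0") if auth_type == 1 else b"\0" * 8
    return head + auth + body


def parse_hello(pkt: bytes) -> dict:
    """Decode the fields a Wireshark OSPF dissector shows for a Hello."""
    ver, ptype, length, rid, aid, csum, auth_type = struct.unpack("!BBH4s4sHH", pkt[:16])
    if ver != 2 or ptype != HELLO or length != len(pkt):
        raise ValueError("not a well-formed OSPFv2 Hello")
    if auth_type != 2 and ospf_checksum(pkt[:12] + b"\0\0" + pkt[14:16] + pkt[24:]) != csum:
        raise ValueError("bad OSPF checksum")
    mask, hello, options, prio, dead, dr, bdr = struct.unpack("!4sHBBI4s4s", pkt[24:44])
    fields = {
        "router_id": str(IPv4Address(rid)), "area_id": str(IPv4Address(aid)),
        "auth_type": AUTH_TYPES.get(auth_type, auth_type),
        "network_mask": str(IPv4Address(mask)), "hello_interval": hello,
        "dead_interval": dead, "priority": prio, "stub": not (options & OPT_E),
        "dr": str(IPv4Address(dr)), "bdr": str(IPv4Address(bdr)),
        "neighbors": [str(IPv4Address(pkt[i:i + 4])) for i in range(44, length, 4)],
    }
    if auth_type == 1:
        fields["auth_password"] = pkt[16:24].rstrip(b"\0").decode("ascii", "replace")
    return fields


def neighbor_mismatches(a: dict, b: dict) -> list:
    """Parameters from the notes' must-match list that differ between two Hellos."""
    return [k for k in MUST_MATCH if a[k] != b[k]]


if __name__ == "__main__":
    r1 = parse_hello(build_hello("1.1.1.1", "0.0.0.0", "255.255.255.0", 10, 40))
    r2 = parse_hello(build_hello("2.2.2.2", "0.0.0.0", "255.255.255.0", 5, 20))
    print(neighbor_mismatches(r1, r2))    # ['hello_interval', 'dead_interval']
```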
===============
Thursday, March 15, 2018
BGP basic documentation 2
forming adjacencies using loopback. (eBGP)
advantages:
- the peers can be connected logically. ( no need to be directly connected ).
- a loopback can't go down unless it is deliberately configured to ( a physical port can go down at any time ).
disadvantages:
- configuration is a bit more involved.
- needs the ebgp-multihop command ( for a neighbor address that is not in the same subnet )
- needs the update-source loopback command
- needs a route toward the loopback address!!
==================
R1
router bgp 100
neighbor 3.3.3.3 remote-as 200
R3
router bgp 200
neighbor 1.1.1.1 remote-as 100
#show ip bgp summary !! the up/down column shows never.
^ solution: the multihop command must be added
R1
conf t
# router bgp 100
# neighbor 3.3.3.3 ebgp-multihop 2 !! maximum number of hops. can be up to 255, but should be kept as small as possible.
# neighbor 3.3.3.3 update-source loopback0
# ip route 3.3.3.3 255.255.255.255 172.12.123.3
R3
conf t
# router bgp 200
# neighbor 1.1.1.1 ebgp-multihop 2
# neighbor 1.1.1.1 update-source loopback0
# ip route 1.1.1.1 255.255.255.255 172.12.123.1
=========================================
Wednesday, March 14, 2018
EIGRP 101 documentation
EIGRP = enhanced version of IGRP.
- hybrid protocol
^ initial exchange of the full routing table between EIGRP neighbors.
^ after that initial exchange of full tables, an EIGRP router sends an update only when there is a change in the network. That update reflects only those changes and does not contain every EIGRP route known to the sender. ( not every 30s like RIP / distance vector )
++ over RIP:
rapid convergence.
^ backup routes / feasible successors are calculated before they are actually needed due to the loss of the primary route ( "successor" ).
+ considers bandwidth and delay when calculating routes, rather than the primitive " hop count " of RIP.
+ NO longer Cisco-proprietary. Multivendor environment.
EIGRP uses hello packets ( multicast to 224.0.0.10 ) to establish and maintain neighbor relationships.
- RTP -> used to handle transport of messages between EIGRP-enabled routers.
- EIGRP routers with different AS numbers can't become neighbors!
- EIGRP authentication must use the same password!
- routers must be on the same subnet
- K-values must match
adjacencies -- kept alive by a steady flow of hello packets from the neighbor.
if those hellos stop coming, the adjacency is eventually dropped.
======================
3 main tables:
- route table ( best route to each remote network ).
- topology table ( keeps all known valid, loop-free routes to same network ).
- neighbor table ( information eigrp neighbor )
#show ip route eigrp
   ------r2-----
r1              r4
   ------r3-----
r2 : successor / next hop ( best path ) ++ metric
r3 : feasible successor ( valid path / no loop )
r2 goes into the EIGRP routing table !! -> main route = successor
r2+r3 go into the topology table !!
^ the neighbor table has nothing to do with this ( it only lists the routers that are EIGRP neighbors )
feasible successor = backup successor.
if the successor link goes down, the feasible successor takes over as successor until the link comes up again.
===================
EIGRP AS 100
      R1
R2 ---|--- R3
  frame relay cloud
^ hub and spoke topology
R1
#conf t
#router eigrp 100 !! 100 = AS number
#network 172.12.123.0 0.0.0.255 !! network [network advertised by eigrp] [wildcard bits]
R2
#conf t
#router eigrp 100 !! 100 = AS number
#network 172.12.123.0 0.0.0.255 !! network [network advertised by eigrp] [wildcard bits]
R3
#conf t
#router eigrp 100 !! 100 = AS number
#network 172.12.123.0 0.0.0.255 !! network [network advertised by eigrp] [wildcard bits]
!! verification !!
R1
# show ip eigrp neigh
address          interface   uptime
172.12.123.3     se1/0       00:00:05 ->> the neighbors appear
172.12.123.2     se1/0       00:00:23
# show ip route eigrp !! still empty
!! ^ the most important info is the IP address and the uptime !!
!! in EIGRP the wildcard bits can be left out, unlike OSPF !!
!! but then it is added as a classful address !!
#network 172.12.123.0
^ !! class B network / 255.255.0.0 !!
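Added example, not from the notes: computes the EIGRP composite metric with the default K-values and picks the successor and feasible successor for the r1 -> r4 topology described in this post. It goes one step beyond the notes by applying the feasibility condition (a neighbor's reported distance must be below the successor's feasible distance), which is what makes the backup loop-free; the bandwidth and delay figures are constructed.

```python
"""EIGRP composite metric with default K-values, and successor / feasible
successor selection for one destination (constructed topology)."""
from dataclasses import dataclass

# Default K-values: K1 = K3 = 1, K2 = K4 = K5 = 0. Neighbors must agree on them.
DEFAULT_K = (1, 0, 1, 0, 0)


def composite_metric(bandwidth_kbps: int, delay_usec: int, load: int = 1,
                     reliability: int = 255, k=DEFAULT_K) -> int:
    """Classic EIGRP metric: bandwidth = slowest link on the path (kbps),
    delay = sum of interface delays along the path (microseconds)."""
    k1, k2, k3, k4, k5 = k
    bw = 10_000_000 // bandwidth_kbps          # scaled inverse bandwidth
    dly = delay_usec // 10                      # delay in tens of microseconds
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * dly
    if k5:                                      # reliability term only if K5 != 0
        metric = metric * k5 // (reliability + k4)
    return metric * 256


@dataclass(frozen=True)
class Advertisement:
    """What one neighbor tells us about a destination, plus our link to it."""
    via: str
    adv_bandwidth: int    # slowest link (kbps) on the neighbor's own path
    adv_delay: int        # total delay (usec) on the neighbor's own path
    link_bandwidth: int   # our link to that neighbor (kbps)
    link_delay: int       # our link to that neighbor (usec)

    @property
    def reported_distance(self) -> int:
        """RD: the neighbor's own metric to the destination."""
        return composite_metric(self.adv_bandwidth, self.adv_delay)

    @property
    def feasible_distance(self) -> int:
        """FD: our metric via this neighbor (min bandwidth, summed delay)."""
        return composite_metric(min(self.adv_bandwidth, self.link_bandwidth),
                                self.adv_delay + self.link_delay)


def select_routes(adverts):
    """Successor = lowest FD (goes to the routing table). Feasible successors
    = other neighbors whose RD is strictly below the successor's FD; they stay
    in the topology table as loop-free backups."""
    successor = min(adverts, key=lambda a: a.feasible_distance)
    fd = successor.feasible_distance
    backups = [a for a in adverts
               if a is not successor and a.reported_distance < fd]
    return successor, sorted(backups, key=lambda a: a.feasible_distance)


# Constructed: r1 reaches r4 via r2 (FastEthernet both hops), via r3 (slower
# Ethernet from r1), and via r5 (a T1 serial path whose RD is too high).
TOPOLOGY = [
    Advertisement("r2", 100_000, 100, 100_000, 100),
    Advertisement("r3", 100_000, 100, 10_000, 1_000),
    Advertisement("r5", 1_544, 20_000, 100_000, 100),
]

if __name__ == "__main__":
    succ, backups = select_routes(TOPOLOGY)
    print(succ.via, succ.feasible_distance)      # r2 30720
    print([a.via for a in backups])               # ['r3']
```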
- hybrid protocol
^ initial exchange of full routing table between eigrp neighbors.
^ after that initial exchange of full tables, an eigrp router will send an update only when there is a change in network. That update will reflect only those changes and will not contain every eigrp route known to sender. ( not every 30s like rip / distance vector )
++ improvements over rip:
rapid convergence.
^ backup routes / feasible successors are calculated before they are actually needed due to the loss of the primary route ("successor").
+ considers bandwidth and delay when calculating routes, rather than the primitive "hop count" of RIP.
+ no longer Cisco-proprietary: usable in multivendor environments.
eigrp uses hello packets ( multicast to 224.0.0.10 ) to establish and maintain neighbor relationships.
- RTP -> used to handle transport of messages between eigrp-enabled routers.
- eigrp routers with different AS numbers can't become neighbors!
- eigrp authentication must use the same password!
- routers must be on the same subnet
- k-values must match
adjacencies -- kept alive by a steady flow of hello packets from the neighbor.
if those hellos stop coming, the adjacency is eventually dropped.
======================
3 main tables:
- route table ( best route to each remote network ).
- topology table ( keeps all known valid, loop-free routes to same network ).
ospf documentation 101
ospf
** why OSPF??
2 link state protocols in common use today:
IS-IS -> used in service provider networks
OSPF
rip = generates updates every 30s.
- nothing changed, full RIP updates anyway.
> 25 routes -> multiple rip updates
e.g. 50 routes: multiple packets have to be sent, because one RIP update carries at most 25 routes
eigrp = hybrid.
full updates after the adjacency is built, then routing updates only when the network changes
partial updates.
not every 30s.
========================================
routers running a link state protocol don't send routing update packets.
link state routers that have formed adjacencies exchange link state updates ( which carry Link State Advertisements ).
the LSAs are placed in the link state database.
state of convergence = synchronized link state databases.
Dijkstra algorithm / SPF (shortest path first algorithm) -> turns the database into the routing table.
#show ip ospf database
#show ip route ospf
110 ( the administrative distance shown for OSPF routes )
====================================
LSA sequence number -> check whether the database already has an entry.
if there is no entry for that link yet, flood the LSA out every ospf-enabled interface except the interface the LSA came in on.
sequence number same = LSA is ignored, no action taken.
sequence number lower: the router ignores the update and transmits its own LSA back to the original sender.
sequence number higher = the router adds the LSA to its db and sends an LSAck back to the original sender. the router floods the LSA and updates its own routing table by running the SPF algorithm against the now-updated db.
ospf sends a summary LSA to every other router every 30 minutes, or when the topology changes.
=====================
ospf routers must become neighbors by forming an adjacency.
- agree on area number
- hello and dead timer settings / stub area
- same link authentication
#router ospf 1 ( process id )
** hello packet.
used for 2 main tasks:
- discovering potential neighbors
- renewing existing adjacencies
ospf-enabled interfaces send hello packets at a regularly scheduled interval.(*)
hello on ethernet is sent every 10s ( depends on the network type )
hello on serial links is sent every 30s
ospf hellos have destination ip 224.0.0.5 ( class D ).
========================
ospf
ospf v2
ospf v3 -> ipv6
=======================
r1# router ospf 1
# network 10.1.1.0 0.0.0.255 area 0
#show ip ospf neigh
r2# router ospf 1
# network 10.1.1.0 0.0.0.255 area 0
r3# router ospf 1
# network 10.1.1.0 0.0.0.255 area 0 -> neighbor table still empty
#debug ip ospf hello
mismatched hello parameters from 10.1.1.1
DEAD R 40 C 40 , hello r 10 c 10, mask R 255.255.255.0 C 255.255.255.240 ! the error is here
r = received
c = local
#u all ! to turn debugging off ( undebug all )
fix: change the network mask
# show ip ospf neigh ! check again.
the network masks must match!!!
========================
** dead timer **
the ospf dead timer is 4 times the hello timer by default.
hello = 10 -> dead = 40s
hello = 30 -> dead = 120s
when the dead time expires the adjacency goes down.
#ip ospf hello-interval 5
!! when the hello is changed to 5 seconds
!! the dead timer automatically changes to 20
============================
#show ip protocols
#debug ip ospf
#debug ip ospf adj
#clear ip ospf process
=============================
there are 2 kinds of link state protocol:
ospf and IS-IS.
IS-IS is for SPs -> not in CCNA R&S.
advantage of link state over distance vector like rip:
rip:
-default behavior: routing update on a regular schedule ( every 30s )
-full update
if there are 51 routes in the packet, all of them are copied to the neighbor router!
eigrp:
full updates only after the adjacency is built between 2 routers. After that routing
updates reflect only changes to the network.
ospf:
- LS routers that have formed adjacencies exchange link state updates (LSU), which contain LSAs (link state advertisements). -> placed in the link state database
after convergence, the routers have synchronized link state databases.
#show ip ospf database # view the ospf database
dijkstra algorithm -> takes the database and builds the routing table from it.
#show ip route ospf # view ospf routes
======================================================
LSA Sequence number.
LSA 172.12.23.0 / 27 -> lemme check my ospf db for that same entry.
when router 2 receives an LSA it checks its database. if the entry is not there it immediately floods the LSA out every OSPF-enabled interface except the interface the LSA arrived on.
if it is in the db, it compares the sequence number.
* LSA SAME = ignored
* LSA lower = router ignores the update and transmits an LSU ( containing its own LSA ) back to the sender. ( because the sender has old information; this is the newest info in my db ).
* LSA higher = router adds the LSA TO its Database and sends an LSAck back to the original sender. router floods the LSA and updates its own routing table.
* once the initial exchange of LSAs takes place, there will not be another exchange unless there is a change in network topology. a summary LSA is also sent out every 30 min.
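Added example (not from the original notes): the receive-side LSA decision described above, run on a constructed link state database. The sequence-number rules and the "flood everywhere except the ingress interface" behaviour follow the notes; the data layout, router and interface names are assumptions.

```python
# Added example, not part of the original notes. Models the receive-side LSA
# decision described above for a single router: a constructed link state
# database keyed by (link state id, advertising router), the sequence-number
# comparison, and flooding on every OSPF-enabled interface except the one the
# LSA came in on. Field names and the returned action dict are assumed.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class LSA:
    link_state_id: str       # e.g. "172.12.23.0/27"
    advertising_router: str  # router ID of the originator
    seq: int                 # LSA sequence number, higher = newer

@dataclass
class OspfRouter:
    name: str
    interfaces: List[str]                         # OSPF-enabled interfaces
    db: Dict[Tuple[str, str], LSA] = field(default_factory=dict)

    def receive(self, lsa: LSA, in_iface: str) -> dict:
        """Apply the sequence-number rules to one received LSA.

        Returns the actions taken: whether the LSA was installed, whether an
        LSAck goes back, the interfaces it is flooded on, whether our own
        newer copy is sent back to the sender, and whether SPF must rerun.
        """
        key = (lsa.link_state_id, lsa.advertising_router)
        # flood everywhere except the ingress interface
        flood_ifaces = [i for i in self.interfaces if i != in_iface]
        existing = self.db.get(key)
        if existing is None or lsa.seq > existing.seq:
            # unknown entry, or a newer instance: install, ack, flood,
            # then run SPF against the updated database
            self.db[key] = lsa
            return {"install": True, "ack": True, "flood": flood_ifaces,
                    "send_back_own": False, "run_spf": True}
        if lsa.seq == existing.seq:
            # same instance already in the db: ignored, nothing happens
            return {"install": False, "ack": False, "flood": [],
                    "send_back_own": False, "run_spf": False}
        # older than what we hold: ignore it and send our newer LSA back,
        # so the sender can catch up
        return {"install": False, "ack": False, "flood": [],
                "send_back_own": True, "run_spf": False}

def replay(events: List[Tuple[LSA, str]], interfaces: List[str]) -> List[dict]:
    """Feed a sequence of (lsa, ingress interface) events to a fresh router."""
    router = OspfRouter("r2", interfaces)
    return [router.receive(lsa, iface) for lsa, iface in events]

# Constructed event sequence for the 172.12.23.0/27 LSA mentioned above.
SAMPLE_EVENTS = [
    (LSA("172.12.23.0/27", "1.1.1.1", 0x80000001), "se1/0"),  # first time seen
    (LSA("172.12.23.0/27", "1.1.1.1", 0x80000001), "se1/1"),  # duplicate copy
    (LSA("172.12.23.0/27", "1.1.1.1", 0x80000000), "se1/0"),  # stale copy
    (LSA("172.12.23.0/27", "1.1.1.1", 0x80000002), "fa0/0"),  # refreshed instance
]

if __name__ == "__main__":
    actions = replay(SAMPLE_EVENTS, ["fa0/0", "se1/0", "se1/1"])
    for (lsa, iface), action in zip(SAMPLE_EVENTS, actions):
        print(hex(lsa.seq), "in on", iface, "->", action)
```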
========================
ospf routers:
- must agree on the area number,
- hello and dead timer settings
- is the area a stub area?
========================
hello packet:
- dynamic discovery of potential neighbors
- renewing existing adjacencies.
- sent at a scheduled interval depending on the network type. -> ethernet every 10s, serial link every 30s.
- hello packet -> destination ip 224.0.0.5 ( class D )
=========================
the network mask, HelloInt and DeadInt fields in the received hello packet must be checked against the values configured for the receiving interface. Any mismatch
causes processing to stop and the packet to be dropped.
========================
R1# router ospf 1
#network 10.1.1.0 0.0.0.255 area 0
R2# router ospf 1
#network 10.1.1.0 0.0.0.255 area 0
R3# router ospf 1
#network 10.1.1.0 0.0.0.255 area 0
#show ip ospf neigh
#debug ip ospf hello # turn on debug # look for "mismatched hello parameters"
#u all # turn off debug
hello parameters:
-hello timer
-dead timer
-network mask
Dead R 40 -> received
C 40 -> configured locally # these 2 must match!
Hello R 10
C 10 # these 2 must match too!
Mask R 255.255.255.0
C 255.255.255.240 # the subnet mask doesn't match! has to be changed!
#conf t
#int fast 0/0
#ip address 10.1.1.3 255.255.255.0
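Added example (not from the original notes): the hello sanity check described above (mask, hello and dead interval must equal the receiving interface's values, otherwise the packet is dropped) together with the default dead = 4 x hello rule, fed with a constructed line in the style of the debug output quoted above. The HelloParams layout and the debug-line parser are assumptions.

```python
# Added example, not part of the original notes. Implements the receive-side
# hello check described above (network mask, hello and dead interval must equal
# the values configured on the receiving interface; any mismatch drops the
# packet) and the default dead = 4 x hello rule. The HelloParams layout and the
# parser for the debug line are assumptions modelled on the output quoted above.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class HelloParams:
    mask: str    # network mask of the interface
    hello: int   # HelloInterval in seconds
    dead: int    # RouterDeadInterval in seconds

def interface_params(mask: str, hello: int = 10, dead: Optional[int] = None) -> HelloParams:
    """Locally configured values; with no explicit dead interval IOS derives
    4 x hello, so hello 10 -> dead 40, hello 30 -> dead 120, hello 5 -> dead 20."""
    return HelloParams(mask, hello, 4 * hello if dead is None else dead)

def check_hello(received: HelloParams, configured: HelloParams) -> List[str]:
    """Fields that differ between the received hello and the local interface.
    An empty list means the hello is accepted; anything else and the packet is
    dropped, so the neighbor never shows up in 'show ip ospf neighbor'."""
    return [name for name in ("mask", "hello", "dead")
            if getattr(received, name) != getattr(configured, name)]

# Layout of the mismatch line from 'debug ip ospf hello': R = received, C = configured.
_MISMATCH_RE = re.compile(
    r"Dead R (?P<dead_r>\d+) C (?P<dead_c>\d+)\s*,\s*"
    r"Hello R (?P<hello_r>\d+) C (?P<hello_c>\d+)\s*,\s*"
    r"Mask R (?P<mask_r>[\d.]+) C (?P<mask_c>[\d.]+)",
    re.IGNORECASE)

def parse_debug_line(line: str) -> Tuple[HelloParams, HelloParams]:
    """Split a mismatch debug line into (received, configured) parameter sets."""
    m = _MISMATCH_RE.search(line)
    if m is None:
        raise ValueError("not a hello-mismatch debug line: %r" % line)
    received = HelloParams(m["mask_r"], int(m["hello_r"]), int(m["dead_r"]))
    configured = HelloParams(m["mask_c"], int(m["hello_c"]), int(m["dead_c"]))
    return received, configured

# Constructed debug line reproducing the r3 mismatch shown above.
SAMPLE_DEBUG = ("OSPF: Mismatched hello parameters from 10.1.1.1 "
                "Dead R 40 C 40, Hello R 10 C 10, Mask R 255.255.255.0 C 255.255.255.240")

if __name__ == "__main__":
    rx, local = parse_debug_line(SAMPLE_DEBUG)
    print("mismatched fields:", check_hello(rx, local))
    # after fixing the mask on fast 0/0 the hello is accepted
    print("after fix:", check_hello(rx, interface_params("255.255.255.0")))
    # 'ip ospf hello-interval 5' on one side only would break it again
    print("hello 5 vs 10:", check_hello(rx, interface_params("255.255.255.0", hello=5)))
```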
============================================
#show ip ospf neigh
=========================================
while debugging
there is 2-way communication -> the link is good. almost an adjacency!
( just reply with unicast to the source of the hello, instead of multicast, and they become neighbors :D )
likewise
prepare for database exchange
=================================
state EXSTART
state EXCHANGE
send LS REQ ( link state request )
=========================
down: no hellos
attempt: ?!
=========================
exstart : sequence number checking
exchange : packets contain a description of the link state db
finally loading: the router now sends link state request (LSR) packets to the neighbor
FULL: router databases are synched and the adjacency has been formed.
========================
convergence: every router holds information about its neighbors' view of the network. ( similar and accurate view of the network )
problem with rip: slow convergence of a distance vector protocol can lead to suboptimal routing and routing loops. ( layer 3 )
=======================
link state converges almost immediately upon a change in the network.
ospf uses a DR and BDR ( designated router and backup designated router ) to make network
convergence fast and orderly!
DR
BDR
RID
STUDY these concepts again!
=====================
BGP basic documentation ( from Chris Bryant's Udemy course )
bgp?
" an internet protocol that allows group of routers (AS) to share routing information so that efficient, loop-free routes can be established. "
^ usually used for routing between ISPs.
^ falls into the EGP / exterior gateway protocol category
====================================
BGP :
- supports VLSM and summarization
- sends full updates when routers first become neighbors, then partial updates reflecting the latest network changes
- keeps neighbor adjacencies alive with keepalives. -> no keepalive = adjacency gone.
=====================================
BGP should be used:
- company connecting to more than one AS / ISP.
^ the decision on the best link / path is made by BGP path attributes.
- the routing policy of your organization and your ISP differ.
- when your company is an ISP, i.e. traffic from other ASes uses your AS as a transit domain ( BGP needed! ).
========================================
BGP should not be used:
- when there is a single connection to the internet / another AS and no redundant link exists
- when you don't care which path is used to reach a route in another AS
- when router resources are limited ( memory / cpu )
=======================================
BGP Peering Process
- connection oriented ( reliable )
- TCP port 179 !! don't block it on an acl !!
- exchanges full routes and syncs tables; afterwards the bgp speaker sends further updates only upon a change in the network
- peers don't have to be in the same AS to become neighbors / exchange routes.
- BGP adjacencies are called " peerings "; a BGP peer in the same AS = iBGP peer.
==================================
BGP AS100
R1-------------------R2
^ iBGP
-------------------------------------
Cisco recommends that eBGP peers be directly connected
iBGP peers are not required to be so connected.
=========================================
eBGP
AS100 AS300
R1----------------R3
R1
#conf t
#router bgp 100
#neighbor 172.12.123.3 remote-as 300
#show ip bgp neigh
!! bgp neighbor is 172.12.123.3, remote AS 300, external link !! -> the most important info
!! bgp state = Active !!
** bgp states
- Active = indicates a bgp peer connection that does not yet fully exist / has not completed / is attempting to peer
- Idle = initial state of bgp peering
- Connect, which follows Idle = the tcp connection request has been sent but a response has not yet been received.
- Idle = if short, normal. if it stays Idle, check the remote router's neighbor statement and make sure the AS number is correct!
- OpenSent = tcp connection complete ( bgp determines iBGP / eBGP = same AS / different AS )
R3
#conf t
#router bgp 300
#neighbor 172.12.123.1 remote-AS 100
# show ip bgp neighbor 172.12.123.1
^
!! bgp neighbor is 172.12.123.1, remote AS 100, external link
!! BGP version 4, remote router ID 172.12.123.1
!! BGP state = Established, up for 00:00:21
!! connections established 1; dropped 0
!! last reset never
!! local host : 172.12.123.3, local port: 179
!! Foreign host: 172.12.123.1, Foreign port: 28861
^ the important information ^
R2
#conf t
#router bgp 300
R3
#conf t
#router bgp 100
========================================
BGP basic documentation
BGP INE documentation.
-> Exterior Gateway Protocol
- advertise, learn and choose the best path inside.
- used by ISPs to exchange routing information between themselves
enterprises use bgp to exchange routing info with 1 or more ISPs
====================================
OSPF / EIGRP ( IGP ) -> start to struggle at around 4000 routes.
IGP:
EIGRP - DUAL ( SUCCESSOR , FEASIBLE SUCCESSOR )
OSPF - SPF algorithm.
distance
hop count
cost
installed in the routing table
+ up to 4 equal-cost paths for load balancing
----------------
BGP - robust best-path algorithm
- checks different attributes for path determination.
best route installed in the routing table!
===================================
a core router needs to know all the routes!
12000 subnets in my network!
==================================
similarities between bgp and igp ( ospf & eigrp )
- need to form adjacencies
- need to advertise prefixes
- advertise a next hop for those prefixes
dissimilarities
- neighbor ip addresses may not be on a common subnet
- BGP USES TCP port 179 between neighbors. IGPs do not use tcp
==================================
BGP advertised prefix / length = NLRI ( network layer reachability information )
IGP - geared towards fast convergence, best path determination ( efficient route )
BGP - scalability ( carries > 1000 routes !! )
BGP uses path vector logic ( similar to distance vector )
=================================
iBGP & eBGP
there are things that can be done in iBGP that can't be done in eBGP, and vice versa.
same AS = iBGP
different AS = eBGP
AS numbers must be unique.
usually obtained from the ISP.
#router bgp 65350
^ if the neighbor router is also 65350 that means iBGP.
=================================
bgp AS_PATH -- handled differently between ibgp and ebgp.
BGP - EVERYTHING IS UNICAST!
=================================
SP-1 SP-2 SP-3
ebgp
AS 1000 ----- AS2000 AS3000
R1 R3-R4-R5 R7
eigrp ibgp
R2 R6
R3-R4-R5 : IBGP
r3 doesn't have to be directly connected to r5 to form an ibgp adjacency.
network-x on R1 ---> via eigrp to R2
injected into ebgp towards AS 2000 at R3 ( ebgp update )
an update sent out to another AS number must carry an as-path
R2 as-path = 1000
R3-R4-R5 must preserve the as-path for network x
R3 as-path = 1000
R5, to advertise network x to its external peer R6, must update the as-path with its own AS
R5 as-path = 2000 1000
R6 advertises via IBGP to R7 with the same as-path
R6 as-path = 2000 1000
================================
as-path example:
x.x.x.x/24 23 4000 56 702
x.x.x.x/24 = the route as it arrives locally
23 = AS number 1
4000 = AS number 2
56 = AS number 3
702 = AS number 4
=============================
the point when advertising:
ibgp must keep the as-path the same ( preserved )
ebgp must add the local AS number to the as-path
============================
public AS on the internet:
1 - 64495
private AS:
65512 - 65534
reserved AS ( can't be used ):
0
54496 - 65511
65535
===========================
scenario 1: given a public ip range.
SP ---- AS 2000
R1
|
|
|
COMPANY A ----- AS
R2 , R3, R4, R5, R6
R2
ip route 0.0.0.0 0.0.0.0 R1
e.g. given the ip range 200.200.200.x/24 -> subnetted into the local network.
advertising it to the internet is the SP side's responsibility.
AS number 2000 advertises 200.200.200.x outwards.
=========================
scenario 2: create a bgp peering.
- take 1 private AS number, then create a bgp peering to the ISP router.
SP ---- AS 2000
R1
|
|
|
COMPANY A ----- AS
R2 , R3, R4, R5, R6
R2 ---- AS 65512
the ISP will record the customer's private AS.
when talking to other ISPs the customer's private
AS number will be stripped.
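Added example (not from the original notes), serving both the AS_PATH walk-through above (R2 in AS 1000, R3-R5 in AS 2000, R6-R7 in AS 3000) and this scenario 2: iBGP passes the path unchanged, eBGP prepends the sender's AS, and the SP strips the customer's private AS before announcing the route to another SP. The eBGP loop check and the 64512-65534 private range are standard BGP/IANA behaviour the notes do not spell out; the router names for the customer scenario and all data structures are assumptions.

```python
# Added example, not part of the original notes. Replays the AS_PATH rules
# described above over the R2..R7 topology (R2 in AS 1000, R3-R5 in AS 2000,
# R6-R7 in AS 3000) and the private-AS stripping an SP performs before passing
# a customer route to another SP. The eBGP loop check and the 64512-65534
# private range are standard BGP/IANA behaviour the notes do not spell out;
# router names for the customer scenario and all data structures are assumed.
from typing import Dict, List, Optional

PRIVATE_AS = range(64512, 65535)        # IANA 16-bit private AS numbers

# router -> its own AS; the customer scenario routers are constructed names
ROUTER_AS: Dict[str, int] = {
    "R2": 1000, "R3": 2000, "R4": 2000, "R5": 2000, "R6": 3000, "R7": 3000,
    "CustomerR2": 65512, "SP-R1": 2000, "OtherSP": 3000,
}

def strip_private_as(as_path: List[int]) -> List[int]:
    """Remove private AS numbers, what an SP edge does before announcing to peers."""
    return [asn for asn in as_path if asn not in PRIVATE_AS]

def advertise(sender_as: int, receiver_as: int, as_path: List[int],
              remove_private: bool = False) -> Optional[List[int]]:
    """AS_PATH as the receiver stores it, or None if the receiver rejects it."""
    if sender_as == receiver_as:
        return list(as_path)                  # iBGP: path passed through unchanged
    path = strip_private_as(as_path) if remove_private else list(as_path)
    if receiver_as in path:
        return None                           # eBGP loop check: own AS already present
    return [sender_as] + path                 # eBGP: sender prepends its own AS

def propagate(origin: str, hops: List[str],
              remove_private: bool = False) -> Dict[str, List[int]]:
    """Walk a prefix from its originating router along hops and record the
    AS_PATH each router ends up holding; stops at the first rejection."""
    held: Dict[str, List[int]] = {origin: []}   # locally originated: empty path
    prev = origin
    for router in hops:
        path = advertise(ROUTER_AS[prev], ROUTER_AS[router], held[prev], remove_private)
        if path is None:
            break
        held[router] = path
        prev = router
    return held

if __name__ == "__main__":
    # network-x from R2 (AS 1000) across AS 2000 into AS 3000, as in the notes
    for router, path in propagate("R2", ["R3", "R4", "R5", "R6", "R7"]).items():
        print(router, "as-path =", " ".join(map(str, path)) or "(local)")
    # customer with private AS 65512 behind SP AS 2000, announced on to another SP
    print(propagate("CustomerR2", ["SP-R1", "OtherSP"], remove_private=True))
    # a route already carrying AS 2000 offered back to AS 2000 is rejected
    print(advertise(3000, 2000, [2000, 1000]))
```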
=======================
if the customer has 2 SPs,
they need to buy an AS number.
=========================
16 bit AS -> ccnp topic
32 bit AS -> ccie topic
=========================
eBGP neighborship
1. form neighborship
2. exchange topology info
3. run best-path algorithm
- form the neighborship using TCP port 179
- eBGP neighbors are assumed to be directly connected. ( can also be reached via an IGP route )
eBGP neighborship requirements
- the local bgp AS number must match the AS number the neighbor router has configured for us
- the peer must be reachable via an IGP route
- the bgp router IDs of the 2 routers must not be the same
- md5 authentication must pass ( if configured )
========================
**configure eBGP neighbors
#router bgp [asn]
neighbor [ip-address] remote-as [remote-asn]
** configure router-ID
#bgp router-id x.x.x.x
^ if not configured, by default it takes the highest loopback ip address.
^ if no loopback is configured, it takes the highest interface ip address.
** configure BGP authentication ( must be configured on both routers involved )
#neighbor [neighbor-ip] password [password-key]
ex:
conf t
router bgp 2
neighbor 1.1.1.1 password 0 cisco123
^ 0 means we enter the password in plain text, which is then encrypted to md5
^ can be 7 too, but then enter the cisco123 password in md5 form
conf t
router bgp 1
neighbor 1.1.1.2 password 0 cisco123
** verify command
#show ip bgp neighbor !! look for BGP state = Established
=======================
Tuesday, March 13, 2018
EIGRP basic documentation part 1
EIGRP = enhanced version of IGRP.
- hybrid protocol
^ initial exchange of full routing table between eigrp neighbors.
^ after that initial exchange of full tables, an eigrp router will send an update only when there is a change in network. That update will reflect only those changes and will not contain every eigrp route known to sender. ( not every 30s like rip / distance vector )
++ from rip
rapid convergence.
^ backup routes / feasible successors are calculated before they are actually needed due to the loss of primary route ("successors").
+ consider bandwidth and delay when calculating routes. rather than primitive " hop count " of RIP.
+ NO Longer cisco- prop. Multivendor environtment.
eigrp use hello packet ( multicast to 224.0.0.10 ) to establish and maintain neighbor relationship.
- RTP -> used to handle transport of messages between eigrp-enabled routers.
- eigrp with different as number cant become neighbor!
- eigrp authentication must have same password!
- router must be on same subnet
- k-values must match
adjacencies -- its kept alive by steady flow of hello packets from the neighbor.
if those hellos stop coming, the adjacency is eventually dropped.
======================
3 main tables:
- route table ( best route to each remote network ).
- topology table ( keeps all known valid, loop-free routes to the same network ).
- neighbor table ( information about EIGRP neighbors )
#show ip route eigrp
------r2-----
r1 r4
------r3-----
r2 : successor / next hop ( best path ) ++ metric
r3 : feasible successor / ( valid path / no loop )
r2 goes into the EIGRP routing table !! -> primary route = successor
r2+r3 go into the topology table !!
^ the neighbor table is unrelated ( it only contains the routers that are its EIGRP neighbors )
feasible successor = backup successor.
if the successor's link goes down, the feasible successor takes over as successor temporarily until the link is up again.
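How the topology table above produces the successor and the feasible successor, as an added example that is not part of the original notes. It applies DUAL's feasibility condition (a backup path counts as a feasible successor only if the neighbor's reported distance is lower than the feasible distance, which is what guarantees the path is loop-free) and shows what happens when the successor is lost. Neighbors r2 and r3 follow the sketch; r5 and all the metric values are constructed.

```python
# Added example (not from the original notes): how the EIGRP topology
# table yields the successor and feasible successors for one prefix
# using DUAL's feasibility condition, and what happens when the successor
# is lost.  Neighbours r2/r3 mirror the sketch above; r5 and all metrics
# are constructed values.
from typing import List, NamedTuple, Optional, Tuple


class TopologyEntry(NamedTuple):
    neighbor: str
    reported_distance: int  # RD: the metric the neighbour advertises for the prefix
    link_cost: int          # cost of our link to that neighbour

    @property
    def total_distance(self) -> int:
        # the metric we would use via this neighbour
        return self.reported_distance + self.link_cost


def select_routes(entries: List[TopologyEntry]) -> Tuple[Optional[TopologyEntry], List[TopologyEntry]]:
    """Return (successor, feasible_successors).
    successor = lowest total distance; its total is the feasible distance (FD).
    feasible successor = any other path whose RD < FD (feasibility
    condition): the neighbour is strictly closer to the destination than we
    are, so it cannot be routing back through us, i.e. the path is loop-free."""
    if not entries:
        return None, []
    successor = min(entries, key=lambda e: e.total_distance)
    fd = successor.total_distance
    feasible = [e for e in entries
                if e is not successor and e.reported_distance < fd]
    return successor, feasible


def on_successor_lost(entries: List[TopologyEntry], lost_neighbor: str) -> Optional[TopologyEntry]:
    """If the lost neighbour was the successor and a feasible successor
    exists, it is promoted immediately (route stays passive, no query);
    with no feasible successor the router must go active and query its
    neighbours, modelled here as returning None."""
    successor, feasible = select_routes(entries)
    if successor is None or successor.neighbor != lost_neighbor:
        return successor  # successor unaffected
    if not feasible:
        return None
    return min(feasible, key=lambda e: e.total_distance)


# constructed topology table for one prefix, seen from r1
SAMPLE_TOPOLOGY = [
    TopologyEntry("r2", reported_distance=10, link_cost=5),  # total 15 -> successor, FD = 15
    TopologyEntry("r3", reported_distance=12, link_cost=5),  # total 17, RD 12 < 15 -> feasible successor
    TopologyEntry("r5", reported_distance=20, link_cost=2),  # total 22, RD 20 >= 15 -> NOT feasible
]

if __name__ == "__main__":
    succ, fs = select_routes(SAMPLE_TOPOLOGY)
    print("routing table entry:", succ.neighbor, "metric", succ.total_distance)
    print("feasible successors:", [e.neighbor for e in fs])
    print("after losing r2:", on_successor_lost(SAMPLE_TOPOLOGY, "r2"))
```

The r5 entry is the instructive one: its total metric (22) is better than some paths would be, yet it is not a feasible successor because its reported distance (20) is not below the feasible distance (15), so EIGRP cannot prove it is loop-free and will only consider it after going active and querying.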
===================
EIGRP AS 100
R1
R2 ---|--- R3
frame relay cloud
^ hub and spoke topology
R1
#conf t
#router eigrp 100 !! 100 = AS number
#network 172.12.123.0 0.0.0.255 !! network [network advertised by eigrp] [wildcard bits]
R2
#conf t
#router eigrp 100 !! 100 = AS number
#network 172.12.123.0 0.0.0.255 !! network [network advertised by eigrp] [wildcard bits]
R3
#conf t
#router eigrp 100 !! 100 = AS number
#network 172.12.123.0 0.0.0.255 !! network [network advertised by eigrp] [wildcard bits]
!! verification !!
R1
# show ip eigrp neighbors
address        interface  uptime
172.12.123.3   se1/0      00:00:05 ->> the neighbors appear
172.12.123.2   se1/0      00:00:23
# show ip route eigrp !! still empty
!! ^ the most important info is the ip address and the uptime !!
!! in eigrp the wildcard bits can be omitted, unlike ospf !!
!! but then it is added as a classful address !!
#network 172.12.123.0
^ !! class B network / 255.255.0.0 !!
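How the `network` statement decides which interfaces join EIGRP, with the wildcard form beside the classful fallback just described, as an added example that is not part of the original notes. The interface names and addresses are constructed around the 172.12.123.0/24 lab; the matching rule (bitwise inverse of the wildcard, or the classful mask when no wildcard is given) is the IOS behaviour.

```python
# Added example (not from the original notes): how the IOS "network"
# statement decides which interfaces join EIGRP, with the wildcard mask
# vs the classful fallback the notes describe.  Interface names and
# addresses are constructed around the 172.12.123.0/24 lab.
import ipaddress
from typing import Dict, List, Optional, Tuple


def classful_network(addr: str) -> ipaddress.IPv4Network:
    """Classful network of an address: A = /8, B = /16, C = /24."""
    first_octet = int(addr.split(".")[0])
    if first_octet < 128:
        prefix = 8
    elif first_octet < 192:
        prefix = 16
    elif first_octet < 224:
        prefix = 24
    else:
        raise ValueError("class D/E address has no classful network")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def parse_network_statement(addr: str, wildcard: Optional[str] = None) -> Tuple[int, int]:
    """Return (network, mask) as integers.  With a wildcard the mask is its
    bitwise inverse (so non-contiguous wildcards work too); without one the
    address is widened to its classful network, exactly as IOS does."""
    address = int(ipaddress.IPv4Address(addr))
    if wildcard is None:
        net = classful_network(addr)
        return int(net.network_address), int(net.netmask)
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return address & mask, mask


def statement_matches(statement: Tuple[int, int], iface_ip: str) -> bool:
    """True when the interface address falls under the statement."""
    network, mask = statement
    return (int(ipaddress.IPv4Address(iface_ip)) & mask) == network


def eigrp_enabled_interfaces(statements: List[Tuple[int, int]], interfaces: Dict[str, str]) -> List[str]:
    """Interfaces whose address falls under at least one network statement;
    EIGRP sends hellos on these and advertises their subnets."""
    return sorted(name for name, ip in interfaces.items()
                  if any(statement_matches(s, ip) for s in statements))


# constructed interfaces on R1
R1_INTERFACES = {
    "Serial1/0": "172.12.123.1",        # frame relay hub link
    "FastEthernet0/0": "172.12.200.1",  # a LAN in the same class B but a different /24
    "Loopback0": "1.1.1.1",
}

if __name__ == "__main__":
    with_wildcard = [parse_network_statement("172.12.123.0", "0.0.0.255")]
    classful = [parse_network_statement("172.12.123.0")]
    print("network 172.12.123.0 0.0.0.255 ->", eigrp_enabled_interfaces(with_wildcard, R1_INTERFACES))
    print("network 172.12.123.0           ->", eigrp_enabled_interfaces(classful, R1_INTERFACES))
```

The difference matters operationally: the classful form silently pulls FastEthernet0/0 into EIGRP as well, so hellos start leaving on a LAN you may not have intended, which is why the wildcard form is the safer habit.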
BGP Basic Documentation part 1
BGP
" an internet protocol that allows a group of routers (AS) to share routing information so that efficient, loop-free routes can be established. "
^ usually used for routing between ISPs.
^ falls into the EGP / exterior gateway protocol category
====================================
BGP :
- support VLSM and summarization
- sends full updates when routers first become neighbors, then partial updates reflecting the latest network changes
- keeps neighbor adjacencies alive with keepalives. -> no keepalive = adjacency gone.
=====================================
BGP should be used:
- company connecting more than one AS / ISP.
^ decision on best link / path is by BGP path attributes.
- routing policy of your organization and your ISP differ.
- when your company is an ISP, i.e. when traffic from other ASes uses your AS as a transit domain. (BGP needed! ).
========================================
BGP should not be used:
- when there is a single connection to internet / another AS and no redundant link exist
- when you don't care which path is used to reach a route in another AS
- when router resources are limited ( memory / cpu )
=======================================
BGP Peering Process
- connection oriented ( reliable )
- TCP port 179 !! don't block it on ACLs !!
- exchanges full routes and syncs tables; afterward the BGP speaker sends further updates only upon a change in the network
- dont have to be in same AS in order become neighbor / exchange routes.
- BGP adjacencies called " peerings ", BGP peer in same AS = iBGP peer.
==================================
BGP AS100
R1-------------------R2
^ iBGP
-------------------------------------
cisco recommended eBGP peers = directly connected
iBGP peer are not required to be so connected.
=========================================
eBGP
AS100 AS300
R1----------------R3
R1
#conf t
#router bgp 100
#neighbor 172.12.123.3 remote-AS 300
#show ip bgp neigh
!! bgp neighbor is 172.12.123.3, remote AS 300, external link !! -> the most important info
!! bgp state = Active !!
** bgp states
- Active = indicates a BGP peering that does not yet fully exist / is not complete; the router is attempting to peer
- Idle = initial state of BGP peering
- Connect follows Idle = a TCP connection request has been sent but the response has not yet been received.
- Idle = if short = normal; if it stays Idle, check the remote router's neighbor statement and make sure the AS number is correct!
- OpenSent = TCP connection complete ( BGP determines iBGP / eBGP = same AS / different AS )
R3
#conf t
#router bgp 300
#neighbor 172.12.123.1 remote-AS 100
# show ip bgp neighbor 172.12.123.1
^
!! bgp neighbor is 172.12.123.1, remote AS 100, external link
!! BGP version 4, remote router ID 172.12.123.1
!! BGP state = Established, up for 00:00:21
!! connections established 1; dropped 0
!! last reset never
!! local host : 172.12.123.3, local port: 179
!! Foreign host: 172.12.123.1, Foreign port: 28861
^ the important information ^
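A parser for the `show ip bgp neighbor` lines called out above, as an added example that is not part of the original notes. It pulls out the fields worth checking (remote AS, external/internal link, state, uptime, the TCP ports), turns the state into the meaning the notes give it, and tells which side accepted the TCP connection. The two sample outputs are constructed from the values on the page, not captured router output.

```python
# Added example (not from the original notes): parses the `show ip bgp
# neighbor` lines the notes call the important ones and turns the BGP
# state into the check described above.  The sample output is constructed
# from the values on the page (it is not captured router output).
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_ESTABLISHED = """\
BGP neighbor is 172.12.123.1,  remote AS 100, external link
  BGP version 4, remote router ID 172.12.123.1
  BGP state = Established, up for 00:00:21
  Connections established 1; dropped 0
  Last reset never
Local host: 172.12.123.3, Local port: 179
Foreign host: 172.12.123.1, Foreign port: 28861
"""

SAMPLE_ACTIVE = """\
BGP neighbor is 172.12.123.3,  remote AS 300, external link
  BGP version 4, remote router ID 0.0.0.0
  BGP state = Active
  Connections established 0; dropped 0
  Last reset never
"""


@dataclass
class BgpNeighbor:
    address: str
    remote_as: int
    link: str               # "external" (eBGP) or "internal" (iBGP)
    state: str
    uptime: Optional[str]
    established: int
    dropped: int
    local_port: Optional[int]
    foreign_port: Optional[int]


def parse_bgp_neighbor(text: str) -> BgpNeighbor:
    """Pull the fields worth checking out of one neighbour's output."""
    head = re.search(r"BGP neighbor is (\S+),\s+remote AS (\d+),\s+(internal|external) link", text)
    state = re.search(r"BGP state = (\w+)(?:,\s+up for (\S+))?", text)
    conns = re.search(r"Connections? established (\d+);\s*dropped (\d+)", text, re.I)
    if not (head and state and conns):
        raise ValueError("not a 'show ip bgp neighbor' block")
    lport = re.search(r"Local port:\s*(\d+)", text)
    fport = re.search(r"Foreign port:\s*(\d+)", text)
    return BgpNeighbor(
        address=head.group(1), remote_as=int(head.group(2)), link=head.group(3),
        state=state.group(1), uptime=state.group(2),
        established=int(conns.group(1)), dropped=int(conns.group(2)),
        local_port=int(lport.group(1)) if lport else None,
        foreign_port=int(fport.group(1)) if fport else None,
    )


def session_is_up(n: BgpNeighbor) -> bool:
    """The check the notes say to make: BGP state = Established."""
    return n.state == "Established"


def diagnose(n: BgpNeighbor) -> str:
    """Map the state to the meaning the notes give it."""
    if n.state == "Established":
        return f"OK: eBGP session with AS {n.remote_as} up for {n.uptime}"
    if n.state == "Idle":
        return "Idle: fine if brief; if it stays Idle check the remote neighbor statement and AS number"
    if n.state == "Connect":
        return "Connect: TCP connection request sent, no answer yet (reachability, or port 179 blocked by an ACL?)"
    if n.state == "Active":
        return "Active: peering not complete, router is retrying the TCP connection"
    if n.state in ("OpenSent", "OpenConfirm"):
        return f"{n.state}: TCP is up, BGP OPEN exchange in progress (AS numbers being checked)"
    return f"unknown state {n.state}"


def tcp_passive_side(n: BgpNeighbor) -> Optional[str]:
    """Whichever side shows port 179 as its local port accepted the
    connection; the other side opened it from an ephemeral port."""
    if n.local_port is None:
        return None
    return "local" if n.local_port == 179 else "remote"


if __name__ == "__main__":
    for sample in (SAMPLE_ESTABLISHED, SAMPLE_ACTIVE):
        n = parse_bgp_neighbor(sample)
        print(n.address, n.state, "->", diagnose(n))
```

In the sample from the page, R3 shows local port 179 and foreign port 28861, so R3 accepted the session and R1 opened it; that is the direction in which an ACL permitting TCP 179 has to allow the SYN.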
R2
#conf t
#router bgp 300
R3
#conf t
#router bgp 100
========================================
Tuesday, March 6, 2018
openstack basic documentation
===========
OpenStack is an IaaS cloud computing project that is free open-source software.
Its mission is to provide a flexible solution for both public and private clouds of any size, and for this matter two basic requirements are considered: clouds must be simple to implement and massively scalable.
To meet these principles OpenStack is divided into different components that work together. This integration is achieved through application programming interfaces – APIs – offered and consumed by each service.
With these APIs, services can communicate with each other, and a service can also be replaced by another with similar characteristics, as long as the form of communication is respected. That is, OpenStack is extensible and meets the needs of those who wish to implement it.
============
infrastructure as a service. -> api.
from the dashboard it can manage network, compute, image, storage.
===========
horizon -> dashboard that provides the end-user & administrator interface to the services
nova compute -> turns user requests into virtual machines
neutron -> provides virtual networking as a service; connects the VMs from nova ( each user can create their own network and link it to the devices they choose )
cinder -> storage for the VMs hosted on the cloud.
glance -> catalog / repository for images. ( contains the images )
swift -> contains configuration files
keystone -> handles user authentication and authorization for all openstack services.
==========
openstack horizon
- built with the django web framework
- uses mod_wsgi to implement the module in apache (web server gateway interface)
wsgi: middleware between the application server and the web server for communicating with the web app. -> can be used to build custom modules.
- sqlite3 ( default database )
- horizon -> an implementation of the dashboard, not just the dashboard itself; the implementation is adapted to the user's needs.
centos 7 basic command documentation
#set hostname
hostnamectl set-hostname multipolar.monitoring
#check status
hostnamectl status
===========================
#display device
nmcli d
>enp0s8
nmcli d show
>description all network device
#set IPv4 address
nmcli c modify enp0s3 ipv4.address 192.168.2.1/24
nmcli c modify enp0s3 ipv4.gateway 192.168.2.2
nmcli c modify enp0s3 ipv4.dns 192.168.2.2
nmcli c modify enp0s3 ipv4.method manual (auto = DHCP)
# bring device down
nmcli c down enp0s3
# bring device up.
nmcli c up enp0s3
# check 1 interface
nmcli d show enp0s3
# check config
ip addr show
===================
notes from the vmware workshop @trainocate jakarta
global knowledge 2017 -> trainocate
100% training.
cisco ibm netapp vmware citrix.
asia: 13 countries. 1-2 new countries per year.
2013 philippines, hongkong.
HQ in sg and japan.
===============
microsoft training.
the lab can be used for 6 months.
-trendmicro : security for virtualization. ( vmware partner ).
-netAPP : storage.
-fortinet : firewall.
brocade.
==============
soft skills
pmp
itil ( foundation, up to intermediate: 9 chapters/levels -> 5 exams - 4 exams, above that there is expert ).
isaca
apmg/agilepm
======================
besides end users, also principals.
=====================
testing centers
pearson VUE
criterian
castle
admin fee 100.000 elsewhere, but not at gk.
register yourself at pearson vue.
register for friday at 10, if available. done. credit card.
=======================
activities:
can check on fb what workshops there are.
======================
vmware.
vsphere.
server virtualization.
session 1 vmware 6.5.
session 2 nsx.
session 3 vsan.
======================================
what differentiates 6.5 from 6.0.
vsphere : the core of vmware's technology.
VI vmware infrastructure 3 - june 2006 ( software switch - within 1 platform there are 2:
esx version 3 , vCenter version 2 , virtual SMP. )
-vCenter -> for managing esx
-> physical servers.
space: 3 physical 2u servers -> becomes 6u
electricity, etc.
-> virtualization
1 machine is enough.
1 kernel.esx
VI 3.5 - february 2008
esx version 3.5, esxi version 3.5
3gb ram (minimum) -> esx
200-300mb ram ( minimum ) -> esxi
esxcli
powercli
gui
vsphereClient
^ these 4 were cut in esxi.
vSphere 4.0 - may 2009
esxi 4.0, supports windows 2008 r2, windows7
vSphere 5 august 2012
auto deploy, usb
vsphere5.1 sept 2013
vdp -> backup
vsphere replication
vshield endpoint ( firewall)
web client
vsphere 5.5
VSAN -> storage area network
vsphere 6.0 feb 2015
VSAN max limits increased
VVOL virtual volume
vsphere 6.5 oct 2016 - netherlands
HTML 5 web client,
embedded vSUM ( previously the plugin had to be installed separately ) ??
migration tool -> vcenter installed on windows -> can be upgraded to vsphere without needing windows anymore.
=======================
vsphere:
-esxi ( type 1 hypervisor ) -> kernel / software for running several OSes on 1 physical component.
type 1 hypervisor -> installed on bare metal ( has direct access to the physical server and its resources )
esx
xenserver ( citrix )
hyper-V ( windows )
type 2 hypervisor -> installed on top of an OS
windows, unix, linux
windows -> workstation, virtualbox, GNS3
linux -> kvm, virtualbox
-vCenter
====================
16gb -> make it 4 vms. possible
5gb 5gb 5gb 5gb-
memory over commitment.
solution : build esxi on a new physical server.
but then management is needed?!
==============
migrate a vm that is running without shutting it down.
== vMotion
if we don't use vCenter we can't do vMotion.
DRS
VSAN
CLONE
TEMPLATE
^ need vCenter.
without vcenter it's possible, but the server has to be shut down
convert > ova
=================
-how to install vcenter
VCSA vCenter -> VM -> deployed on esxi.
VCFW -> service for windows ( min 2008 r2 ).
esxi1 esxi2 esxi3 -> registered to VCSA.
esxi1 esxi2 esxi3 -> install windows -> install vcfw -> register them.
============
vsphere upgraded -> esxi and vcenter are definitely upgraded.
1 physical server = 1 esxi.
=============
SDDC -> SOFTWARE DEFINED DATA CENTER.
3 main components of a physical dc.
compute / server
storage
network
^ managed separately. compute on its own, network on its own, server on its own.
cpi -> network
spectrum control (IBM) -> storage
onCommand insight -> storage
solarwinds -> compute
SDDC -> the three components become 1.
server virt -> converted to vms, made into esxi.
network virt -> converted to NSX
storage virt -> VSAN
physical servers are simply made into 3 esxi.
can create virtual routers.
===================================
vSphere trainocate. ( in-depth class, 5 days )
ICM -> nsx
======================
different datacenters?
live migration?
requirements? different vsphere versions?
physical hardware?
================
exclusive features in -> vsphere6.5
20,000 vms
builtin migration tool. migrate from vmware on windows to a vm.
improved appliance management ( uses html5, no longer flash ).
native HA
native backup restore
VAMI (5480) -> for turning on services.
vsphere 6.0
redundancy -> fault tolerance?! ( more powerful than FT ).
ft = a feature in vCenter
VCSA -> manages esxi1, ( replication )
esxi2,
esxi3.
before 6.0 you could use vsphere replication + license.
or
Fault tolerance.
the problem with FT -> number of vms.
if more than 4 vCPU per VM -> 1000 esxi -> 32 vCPU.
10,000 vm -> windows
==========================
vmware vsphere 6.5 installation
-install
-upgrade
-migrate
-restore
========================
-VAMI -> appliance management. improved in vsphere 6.5.
-Native HA.
active - replicates configuration
passive -
witness -> checks for network failure?
basic / advanced.
intra-cluster, auto cloning
inter-cluster ha, manual cloning -> can pick any cluster you like.
=================
native backup restore.
vami -> summary -> backup
- http scp ftp
the backup can be password protected.
give it an ip, directory.
==================
2 ways to get into vsphere
- web based client
6.0 -> flash
6.5 -> html5 ( faster ).
- vsphere client
a program installed on windows to get into our vsphere.
- has to be installed first
- what about from linux / unix.
-no longer uses the cip client integration plugin.
a browser plugin. if you want to export a file, the file goes straight from our pc into it.
=================
related objects.
grouped.
host, vm, datastore, networks.
vm 20,000
host 1500
==================
improvements. vsphere 6.5
no need for the vsphere client
no need for cip
vmfs6 -> ?
virtual machine file system.
format for the datastore storage.
==================
vm -> a collection of several files in a directory.
vmx
vmdk
vmsw
^ needs a place to store these files. -> called a datastore.
1 VMFS (3.5)
2 NFS (4.0)
3 VSAN (5.5)
4 VVOL (6.0)
local disk of the server where esxi is built. ( hard disk )
500gb formatted as VMFS. once it has become a datastore, only then can VMs be made on it.
VMFS v3
VMFS v5
VMFS v6 -> new in vsphere 6.5
supports HD -> 512e
hard disk -> has sectors.
sector -> the smallest unit in which we can store data on our disk.
1 sector = 512 bytes.
512-byte sector layout: header 10 bytes | DATA 482 bytes | ECC 20 bytes
ecc changed -> the data has definitely changed.
data -> 1024 bytes -> needs 2 sectors?
there are 2 types of hard disk
512e
4kn ( 4k native )
1 sector 4096 bytes
4k sector layout: header 10 bytes | data 4046 bytes | ecc 30 bytes
------------
SAS
SATA
AHCI
IDE
==========================
AHCI 512e
nvmE 4096
when there is nvmE data it can be converted directly to 512 emulated.
==========================
UNMAP -> automatic space reclamation
SAN
esxi ---- ds1 ----- storage controller -------> LUN
SAN
NAS
direct from local / remote??
direct = local disk
remote = storage controller
a.SAN -> block level storage ( LUN -> logical unit number ) -> must be formatted as VMFS ( virtual machine file system )
b.NAS -> file level storage ( a volume with a filesystem -> like a usb drive ).
adding a hard disk to a laptop > it has to be formatted.
esxi ----- switch ------- ibm/netapp/HDS
thin provisioning.
thick provisioning.
VM ---> VMDK ( the VM's virtual hd )
thin -> requests space from the datastore at the moment we write data to the VMDK.
thick -> requests space from the datastore right away when we create the VMDK.
vm(vmdk -> 10g ) ------ ds(50g)
thin provisioning -------- 50gb
thick provisioning -------- 40gb
SC -> LUN available -> 49gb, 1 gb given to the VM
--- when file A is deleted
with a LUN on the controller ( e.g. netAPP ) it stays filled by 1gb. ( idle )
-automatic space reclamation:
the LUN's 1gb allocation is unmapped on the storage controller.
^ a 6.5 feature. not in 6.0.
=====================
-enable vm encryption
can be encrypted, whatever the guest OS.
the key is encrypted via KMS. ( the kms server depends on the vendor ).
======================
server / computing
networking / nsx
storage / vsan
vm
networking -
esxi
===================================
NSX
ESXI -> CAN ONLY CREATE A VIRTUAL SWITCH.
vm port group -
vmnic - the port that represents the physical nic.
1 vmnic - 1 virtual switch
1 virtual switch - can have several port groups, per vlan
6 vm
3 vm vlan 10
2 vm vlan 20
===================
virtual switch - management port -> dedicated to particular services
uplink port
==================
overlay network
underlay network
pinging within 1 subnet -> without nsx
building a topology -> with nsx
============
what does nsx do?
network decoupling
network overlay
distributed function
management plane, control plane, data plane.
management plane = manages the router. telnet, ssh, console, gui.
control plane = the services that influence the decision process. routing table, ospf, arp cache
data plane = ports
(router)
10.1.1.1/24 10.1.2.1/24
routing table =>
10.1.1.0/24 portA
10.1.2.0/24 portB
pc A pings pc B
source 10.1.1.1 -> 10.1.2.1 ( the router consults the control plane first )
port A / B -> data plane
data plane
the actual path for forwarding data
routing table -> control plane
** network overlay.
can build load balancers, firewalls, etc
** distributed function
the routers and firewalls we have can be distributed directly across several ESXi hosts.
esxi on its own can only distribute switches. with nsx it goes up to routing, vpn, switching, firewall, etc.
=================
NSX SERVICES
-logical switching
-logical routing - distributed, & gateway: vpn firewall nat
distributed: regular routing, eigrp and the like
-logical firewall
-logical loadbalancer
-logical API
=============
HOW TO INSTALL NSX
install nsx manager on esxi -> then deploy to the vcenter server.
create nsx controllers ( control plane ), create many of them, distribute them.
nsx can be managed via orchestration
>openstack mirantis
>openstack neutron
>openstack cinder
==========
1. NSX MANAGER?!
its form is almost the same as esxi, format: vsf.
register/deploy to vCenter
you get the cloud networking menu.
only then deploy the nsx controller -> tied to the vsphere cluster we have.
2. management cluster
manage via vSphere web client
configure vDS with an mtu greater than 1600.
sync with dns and ntp server. ( without dns make sure it can ping )
meet cpu and memory req
6.1: vcpu 4, 12gb memory, 60gb
6 default: 4, 12gb, 60gb, can do 128 logical routers
==================
default cli password
privileged cli
admin password
==================
from physical to virtual=
export to ovf first.
vmware has its own network virtualization. ospf. cisco-proprietary ones like eigrp won't work.
if you want virtual cisco use openstack!
vmware workstation version 12 -> specifically 12 can't be converted to esxi.
if you want to, use version 10/11.
or downgrade first then export to ovf.
vmware 10/11 -> can go to esxi 6
when going physical -> vm the license is lost.
just upload it to the datacenter later. doesn't matter where the dc is.
=====================
NSX CONTROLLER NODE.
provides the control plane for nsx
mac address table
arp table
vtep table
1 vm needs these resources on esxi:
controller vm | vcpu | reservation | memory | os disk
3             | 4    | 2048MHz     | 4GB    | 20gb
=========================
vsphere web > installation > nsx edges > enter it.
========================
^management + control
data plane:
vmware installation bundle (VIB)
installs 1 kind of vmkernel port.
vtep.
overlay -> topology built in nsx
underlay -> physical topology
vxlan -> layer 2 domain.
esxi 1
esxi 2
esxi 3
1 same vxlan id -> 1 address.
vtep -> the interface that connects one vmware interface with another over the physical port.
there must be at least 1 vtep / vxlan.
=======================
nsx:
minimum mtu 1600
because of encap / tunneling.
otherwise vxlan frames can't be forwarded to an ordinary physical router.
=======================
VIB -
HOST PREPARATION.
4096 vlans
vxlan can have many more.
=======================
1 create vtep
2 create segment id ( the vxlan ids that can be used in the cluster: 5000 - 16000000 )
3
4 create transport zone ( which vxlan ids are attached to which esxi cluster ).
5 create logical switch
local vtep -> 1 subnet
remote vtep -> different subnet
unicast mode: esx1 -> esx 2
esx1 -> esx 3
hybrid mode: replicates using multicast for local and unicast to remote vteps.
multicast mode:
224 - 239 multicast.
================================
** inter vxlan routing.
1 esxi, 2 vxlans. routing? without going out to a physical router.
1 create a router
DLR = distributed logical router ( INFRA ROUTER )
ESG = edge service gateway ( VPN NAT LOAD BALANCER ) -> l3 switch. heavier but with more features.
deploy dlr
- add nsx edge
- select the type
- select on which host
-
-
=================================
esxi
nsx
physical router throughput > virtual
many vSwitches -> attached to 1 NIC -> throughput drops.
=========================
vsan -
create a cluster first.
minimum 3, max 64.
VSAN datastore -> 1
======================
esxi must be listed in the vsphere HCL ( hardware spec that supports vsan ).
NIC must be 1gb / 10gb
SAS/SATA controller.
CACHE PCI/SAS/SATA SSD -> MIN 1 MAX 35 / node.
DATA PCI/SAS/SATA HD/SSD
=====================
CREATE A CLUSTER, ENABLE vsan.
check via the console:
vmkping ip-address sourceport port
====================
add space to vsan.
create a disk group.
====================
manage > settings > disk management -> view the disk groups per esxi cluster.
===================
UCS
1u -> every disk has an led -> the led can be turned on, only then pull the disk.
===================
vsan summary -> eligible.
raid 0 -> vsan storage policy.
===================
vsan datastore-
Vsan -> object level storage. -> namespaces (vm config), virtual disks (vmdk), snapshots, swap files.
block level storage.
==================
remove a disk from a disk group.
evacuate data? -> the data is put on another disk.
raid: the hard disks must be the same -
vm size and rpm don't need to be the same; it is totaled later.
more advanced classes :
ICM 6.5 - 5 days
vsan intro class - 5 days
100% training.
cisco ibm netapp vmware citrix.
asia 13 negara. setaun 1-2 negara.
2013 philiphine, hongkong.
HQ di sg sama japan.
===============
training microsoft.
lab bisa dipake 6bln.
-trendmicro : security buat virtualisasi. ( partner vmware ).
-netAPP : storage.
-fortinet : firewall.
brocade.
==============
softskill
pmp
itil ( foundation , sampe intermediate 9 chapter/lv -> 5 ujian - 4 ujian, diatasnya ada expert ).
isaca
apmg/agilepm
======================
selain end user, principle.
=====================
testing center
pearson VUE
criterian
castle
admin fee 100.000 ditempat lain. tp di gk ga ada.
daftar sendiri ke pearson vue.
daftarin hari jumat jam 10. klo available. done. credit card.
=======================
aktifitas:
bisa liad d fb. ada workshop apa.
======================
vmware.
vsphere.
server virtualization.
sesi 1 vmware 6.5.
sesi 2 nsx.
sesi 3 vsan.
======================================
yang membedakan 6.5 dengan 6.0.
vsphere : inti teknologi vmware.
VI vmware infrastructure 3 - june 2006 ( software switch - dalam 1 platform ada 2:
esx version 3 , vCenter version 2 , virtual SMP. )
-vCenter -> buat manage esx
-> server fisik.
space: 3 server fisik 2u -> jadi 6u
listrik, dll
-> virtualisasi
cukup 1 mesin.
1 kernel.esx
VI 3.5 - februaryy 2008
esx version 3.5, esxi version 3.5
3gbram (minimal) -> esx
200-300mb ram ( minimal ) -> esxi
exscli
powercli
gui
vsphereClient
^4 ini di cut di esxi.
vSphere 4.0 - may 2009
esxi 4.0, support windows 2008 r2, windows7
vSphere 5 agustus 2012
auto deplay, usb
vsphere5.1 sept 2013
vdp -> backup
vsphere replication
vshield endpoint ( firewall)
web client
vsphere 5.5
VSAN -> storage area network
vsphere 6.0 feb 2015
VSAN ditambahin batas max
VVOL virtual volume
vsphere 6.5 oct 2016 - belanda
HTML 5 web client,
embedded vSUM ( harus install sndiri plugin sebelumnya ) ??
migration tool -> vcenter diinstal di windows -> bisa diupgrade pk vsphere ga perlu dari windows lg.
=======================
vSphere:
- ESXi (type 1 hypervisor) -> kernel/software for running several OSes on one physical component.
type 1 hypervisor -> installed on bare metal with no OS underneath (has direct access to the physical server and its resources)
ESX
XenServer (Citrix)
Hyper-V (Windows)
type 2 hypervisor -> installed on top of an OS
Windows, Unix, Linux
Windows -> Workstation, VirtualBox, GNS3
Linux -> KVM, VirtualBox
- vCenter
====================
16 GB -> make it 4 VMs: possible.
5 GB 5 GB 5 GB 5 GB -
memory overcommitment.
solution: build ESXi on a new physical server.
but then management is needed?!
==============
migrate a running VM without shutting it down.
== vMotion
without vCenter there is no vMotion.
DRS
VSAN
CLONE
TEMPLATE
^ need vCenter.
without vCenter it can be done, but the server has to be shut down:
convert > OVA
=================
- how to install vCenter
VCSA: vCenter -> as a VM -> deployed on ESXi.
VCFW -> vCenter Server for Windows (min. 2008 R2).
esxi1 esxi2 esxi3 -> registered to the VCSA.
esxi1 esxi2 esxi3 -> install Windows -> install VCFW -> register them.
============
upgrading vSphere -> ESXi and vCenter are always upgraded too.
1 physical server = 1 ESXi.
=============
SDDC -> SOFTWARE DEFINED DATA CENTER.
3 main components of a physical DC:
compute / server
storage
network
^ managed separately: compute on its own, network on its own, server on its own.
CPI -> network
Spectrum Control (IBM) -> storage
OnCommand Insight -> storage
SolarWinds -> compute
SDDC -> the three components become one.
server virt -> converted to VMs, made into ESXi.
network virt -> converted to NSX
storage virt -> VSAN
physical servers just become 3 ESXi.
can build virtual routers.
===================================
vSphere Trainocate (in-depth class, 5 days)
ICM -> NSX
======================
different datacenters?
live migration?
requirements? different vSphere versions?
physical hardware?
================
exclusive features in -> vSphere 6.5
20,000 VMs
built-in migration tool: migrate from VMware on Windows to a VM.
improved appliance management (uses HTML5, no longer Flash).
native HA
native backup/restore
VAMI (5480) -> for starting services.
vSphere 6.0
redundancy -> fault tolerance?! (more powerful than FT).
FT = a vCenter feature
VCSA -> manages esxi1, (replication)
esxi2,
esxi3.
before 6.0 you could use vSphere Replication + license,
or
Fault Tolerance.
problem with FT -> the number of VMs.
if more than 4 vCPU per VM -> 1000 ESXi -> 32 vCPU.
10,000 VMs -> Windows
==========================
VMware vSphere 6.5 installation
- install
- upgrade
- migrate
- restore
========================
- VAMI -> appliance management, improved in vSphere 6.5.
- Native HA.
active - replicates configuration
passive -
witness -> checks for network failure?
basic / advanced.
intra-cluster: auto cloning
inter-cluster HA: manual cloning -> can pick any cluster.
=================
native backup/restore.
VAMI -> Summary -> Backup
- HTTP, SCP, FTP
the backup can be password protected.
give the IP and directory.
==================
two ways to get into vSphere
- web-based client
6.0 -> Flash
6.5 -> HTML5 (faster).
- vSphere Client
a program installed on Windows to get into our vSphere.
- has to be installed first
- what about from Linux / Unix?
- no longer uses CIP (Client Integration Plugin).
a browser plugin; if you want to export a file, straight from our PC into it.
=================
related objects.
grouped.
hosts, VMs, datastores, networks.
VMs 20,000
hosts 1500
==================
improvements in vSphere 6.5
no need for the vSphere Client
no need for CIP
VMFS6 -> ?
Virtual Machine File System.
the format for datastore storage.
==================
VM -> a collection of several files in a directory.
vmx
vmdk
vmsw
^ needs a place to put the files -> called a datastore.
1 VMFS (3.5)
2 NFS (4.0)
3 VSAN (5.5)
4 VVOL (6.0)
local disk of the server ESXi is built on (hard disk).
500 GB formatted as VMFS. once it is a datastore, VMs can be created on it.
VMFS v3
VMFS v5
VMFS v6 -> new in vSphere 6.5
supports HD -> 512e
hard disk -> made up of sectors.
sector -> the smallest unit where we can store data on the disk.
1 sector = 512 bytes.
10 bytes | DATA | 20 bytes ECC
header | 482 bytes | ECC
ECC changes -> the data has definitely changed.
data -> 1024 bytes -> needs 2 sectors?
there are 2 types of hard disk:
512e
4Kn (4K native)
1 sector 4096 bytes
10 | 4046 bytes | 30
header | data | ECC
------------
SAS
SATA
AHCI
IDE
==========================
AHCI 512e
NVMe 4096
when there is NVMe data it can be converted directly to 512 emulated.
==========================
UNMAP -> automatic space reclamation
SAN
esxi ---- ds1 ----- storage controller -------> LUN
SAN
NAS
direct from local / remote??
direct = local disk
remote = storage controller
a. SAN -> block-level storage (LUN -> Logical Unit Number) -> has to be formatted as
VMFS (Virtual Machine File System)
b. NAS -> file-level storage (a volume with a filesystem -> like a USB drive).
adding a hard disk to a laptop -> it has to be formatted.
esxi ----- switch ------- IBM/NetApp/HDS
thin provisioning.
thick provisioning.
VM ---> VMDK (the VM's virtual HD)
thin -> requests space from the datastore when we write data to the VMDK.
thick -> requests space from the datastore immediately when we create the VMDK.
vm (vmdk -> 10 GB) ------ ds (50 GB)
thin provisioning -------- 50 GB
thick provisioning -------- 40 GB
SC -> LUN available -> 49 GB, 1 GB given to the VM
--- when file A is deleted
with a LUN on the controller (e.g. NetApp) it stays 1 GB occupied (idle).
- automatic space reclamation:
the LUN's 1 GB allocation is unmapped on the storage controller.
^ a 6.5 feature; not in 6.0.
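Added example, not part of these notes: a small Python model of the thin/thick provisioning and UNMAP behaviour described above, using the notes' 50 GB datastore and 10 GB VMDK. The class and function names are made up for the illustration.

```python
# Added example (not from the original notes): toy model of a VMFS datastore on a
# LUN, showing when thin vs thick VMDKs consume space and why a delete only frees
# LUN blocks once UNMAP (6.5 automatic space reclamation) runs. Sizes in GB.

class Datastore:
    def __init__(self, size_gb):
        self.size_gb = size_gb
        self.vmfs_used_gb = 0   # what VMFS thinks it is using
        self.lun_alloc_gb = 0   # blocks the storage controller has handed out

    def allocate(self, gb):
        if self.lun_alloc_gb + gb > self.size_gb:
            raise ValueError("datastore full")
        self.vmfs_used_gb += gb
        self.lun_alloc_gb += gb

    def release(self, gb, unmap):
        self.vmfs_used_gb -= gb          # VMFS frees the space right away...
        if unmap:                        # ...the LUN only when UNMAP is issued
            self.lun_alloc_gb -= gb

class Vmdk:
    def __init__(self, ds, size_gb, thick):
        self.ds, self.size_gb, self.thick, self.written_gb = ds, size_gb, thick, 0
        if thick:                        # thick: reserve the full size at creation
            ds.allocate(size_gb)

    def write(self, gb):
        if not self.thick:               # thin: request space only as data is written
            self.ds.allocate(gb)
        self.written_gb += gb

    def delete(self, gb, auto_reclaim):
        self.written_gb -= gb
        if not self.thick:               # a thick disk keeps its reservation anyway
            self.ds.release(gb, unmap=auto_reclaim)

def scenario(thick, auto_reclaim):
    """10 GB VMDK on a 50 GB datastore: write 1 GB, delete it; return (vmfs_used, lun_available) after each."""
    ds = Datastore(50)
    vmdk = Vmdk(ds, 10, thick)
    vmdk.write(1)
    after_write = (ds.vmfs_used_gb, ds.size_gb - ds.lun_alloc_gb)
    vmdk.delete(1, auto_reclaim)
    return after_write, (ds.vmfs_used_gb, ds.size_gb - ds.lun_alloc_gb)
```

Without auto-reclaim the LUN stays at 49 GB available after the delete (the "idle" 1 GB from the notes); with it the controller gets the 1 GB back.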
=====================
- enable VM encryption
can be encrypted whatever the guest OS.
keys are encrypted via KMS (the KMS server depends on the vendor).
======================
server / computing
networking / NSX
storage / vSAN
VM
networking -
ESXi
===================================
NSX
ESXi -> can only create virtual switches.
VM port group -
vmnic - the port that represents the physical NIC.
1 vmnic - 1 virtual switch
1 virtual switch - can have several port groups, per VLAN
6 VMs
3 VMs VLAN 10
2 VMs VLAN 20
===================
virtual switch - management port -> for specific services
uplink port
==================
overlay network
underlay network
ping within 1 subnet -> without NSX
build a topology -> with NSX
============
what does NSX do?
network decoupling
network overlay
distributed function
management plane, control plane, data plane.
management plane = managing the router: telnet, ssh, console, GUI.
control plane = services that influence the decision process: routing table, OSPF, ARP cache
data plane = ports
(router)
10.1.1.1/24 10.1.2.1/24
routing table =>
10.1.1.0/24 portA
10.1.2.0/24 portB
PC A pings PC B
source 10.1.1.1 -> 10.1.2.1 (the router consults the control plane first)
port A / B -> data plane
data plane:
the actual path used to forward data
routing table -> control plane
** network overlay.
can build load balancers, firewalls, etc.
** distributed function
the routers and firewalls we have can be distributed directly across several ESXi.
ESXi alone can only distribute the switch; NSX extends that to routing, VPN, switching, firewall, etc.
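Added example, not part of these notes: the notes' router written as a separate control plane and data plane in Python, with the forwarding table pushed to three host data planes the way NSX distributes a routing function. The default route to "uplink", the host names and all function names are assumptions made for the illustration.

```python
# Added example (not from the original notes): the notes' router split into a
# control plane and a data plane, then the NSX "distributed function" idea on top:
# one control plane computes the forwarding table, several hosts forward from a copy.
import ipaddress

class ControlPlane:
    """Routing decisions: the routing table and longest-prefix selection."""
    def __init__(self):
        self.routes = []                      # list of (network, egress port)

    def add_route(self, prefix, port):
        self.routes.append((ipaddress.ip_network(prefix), port))

    def fib(self):
        """Forwarding table handed to every data plane, most specific prefix first."""
        return sorted(self.routes, key=lambda r: r[0].prefixlen, reverse=True)

class DataPlane:
    """One host's forwarding engine: consults only its local FIB copy."""
    def __init__(self, name, fib):
        self.name, self.fib, self.forwarded = name, list(fib), {}

    def forward(self, src, dst):
        """Return the egress port for a packet src -> dst ("drop" if no route)."""
        dst_ip = ipaddress.ip_address(dst)
        for net, port in self.fib:            # first hit is the longest match
            if dst_ip in net:
                self.forwarded[port] = self.forwarded.get(port, 0) + 1
                return port
        return "drop"

def build_hosts():
    cp = ControlPlane()
    cp.add_route("10.1.1.0/24", "portA")      # routes from the notes
    cp.add_route("10.1.2.0/24", "portB")
    cp.add_route("0.0.0.0/0", "uplink")       # assumed default route, to show LPM at work
    fib = cp.fib()
    # the same router distributed to three ESXi hosts, as NSX does with a DLR
    return [DataPlane(h, fib) for h in ("esxi1", "esxi2", "esxi3")]

def ping_path(hosts, src_host, src, dst):
    """PC A on one host pings PC B: the egress port is chosen locally on that host."""
    return next(h for h in hosts if h.name == src_host).forward(src, dst)
```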
=================
NSX SERVICES
- logical switching
- logical routing - distributed, 8 gateways: VPN, firewall, NAT
distributed: ordinary routing, EIGRP and the like
- logical firewall
- logical load balancer
- logical API
=============
HOW TO INSTALL NSX
install NSX Manager on ESXi -> then deploy to the vCenter Server.
create NSX Controllers (control plane); create many of them and distribute them.
NSX can be managed via orchestration:
> OpenStack Mirantis
> OpenStack Neutron
> OpenStack Cinder
==========
1. NSX MANAGER?!
its form is almost like ESXi, format: OVF.
register/deploy to vCenter
you get the cloud networking menu.
then deploy the NSX Controllers -> attached to the vSphere cluster we have.
2. management cluster
managed via the vSphere Web Client
configure the vDS with an MTU above 1600.
sync with DNS and NTP servers (without DNS, make sure it can ping).
meet the CPU and memory requirements:
6.1: 4 vCPU, 12 GB memory, 60 GB
6 default: 4 vCPU, 12 GB, 60 GB, can run 128 logical routers
==================
default CLI password
privileged CLI
admin password
==================
from physical to virtual =
export to OVF first.
VMware has its own network virtualization: OSPF. Cisco-proprietary ones like EIGRP do not work.
for a virtual Cisco, use OpenStack!
VMware Workstation version 12 -> 12 specifically cannot be converted to ESXi.
if you want to, use version 10/11,
or downgrade first, then export to OVF.
VMware 10/11 -> can go to ESXi 6
when going physical -> VM the license is lost.
just upload it to the datacenter later; wherever the DC is does not matter.
=====================
NSX CONTROLLER NODE.
provides the control plane to NSX:
MAC address table
ARP table
VTEP table
1 VM needs these resources on ESXi:
controller VMs | vCPU | reservation | memory | OS disk
3              | 4    | 2048 MHz    | 4 GB   | 20 GB
=========================
vSphere Web > Installation > NSX Edges > enter it.
========================
^ management + control
data plane:
VMware Installation Bundle (VIB)
installs 1 kind of VMkernel port:
VTEP.
overlay -> topology built in NSX
underlay -> physical topology
VXLAN -> layer 2 domain.
esxi 1
esxi 2
esxi 3
1 same VXLAN ID -> 1 address.
VTEP -> the interface that connects one VMware host's interface to another through the physical port.
VTEP / VXLAN: there must be at least 1.
=======================
NSX:
minimum MTU 1600
because of encapsulation / tunneling.
otherwise VXLAN frames cannot be forwarded to an ordinary physical router.
=======================
VIB -
HOST PREPARATION.
4096 VLANs
VXLAN can have many more.
=======================
1 create VTEP
2 create segment ID (the VXLAN IDs usable in the cluster, 5000 - 16000000)
3
4 create transport zone (which VXLAN IDs are attached to which ESXi cluster).
5 create logical switch
local VTEP -> same subnet
remote VTEP -> different subnet
unicast mode: esx1 -> esx2
esx1 -> esx3
hybrid mode: replicate using multicast for local VTEPs and unicast to remote VTEPs.
multicast mode:
224 - 239 multicast.
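Added example, not part of these notes: Python that packs and parses the VXLAN header a VTEP wraps around a VM frame, enforces the segment ID pool from the notes, works out the encapsulation overhead behind the MTU 1600 requirement, and checks a replication group address against the 224-239 multicast range. The constant and function names are made up for the illustration; the 50-byte overhead assumes an IPv4 underlay.

```python
# Added example (not from the original notes): packs and parses the 8-byte VXLAN
# header a VTEP puts around a VM frame, enforces the notes' segment ID pool
# (5000 - 16000000), and shows why the underlay MTU must be at least 1600.
import ipaddress
import struct

VXLAN_I_FLAG = 0x08                             # "VNI present" bit in the flags byte
SEGMENT_ID_POOL = range(5000, 16_000_000 + 1)   # pool from the notes (assumed inclusive)
# outer Ethernet + outer IPv4 + UDP + VXLAN header added to every frame
ENCAP_OVERHEAD = 14 + 20 + 8 + 8                # = 50 bytes (+4 if the underlay is 802.1Q tagged)

def vni_space():
    """VXLAN's 24-bit VNI vs the 12-bit VLAN ID: 16,777,216 vs 4,096 segments."""
    return 1 << 24, 1 << 12

def build_vxlan_header(vni):
    if vni not in SEGMENT_ID_POOL:
        raise ValueError(f"VNI {vni} is outside the cluster's segment ID pool")
    # word 1: flags in the top byte, 24 reserved bits; word 2: VNI in the top 24 bits
    return struct.pack("!II", VXLAN_I_FLAG << 24, vni << 8)

def parse_vxlan_header(header):
    if len(header) < 8:
        raise ValueError("truncated VXLAN header")
    flags_word, vni_word = struct.unpack("!II", header[:8])
    if not (flags_word >> 24) & VXLAN_I_FLAG:
        raise ValueError("I flag clear: frame carries no valid VNI")
    return vni_word >> 8

def encapsulate(inner_frame, vni):
    """VTEP side: the VM's frame is carried unchanged behind the VXLAN header
    (outer Ethernet/IP/UDP headers are not modelled here)."""
    return build_vxlan_header(vni) + inner_frame

def decapsulate(payload):
    return parse_vxlan_header(payload), payload[8:]

def underlay_mtu_ok(vm_mtu, underlay_mtu, tagged_underlay=False):
    """1500-byte VM frames need 1550 (1554 tagged) bytes on the wire, hence MTU >= 1600."""
    overhead = ENCAP_OVERHEAD + (4 if tagged_underlay else 0)
    return vm_mtu + overhead <= underlay_mtu

def replication_group_ok(addr):
    """Multicast and hybrid mode need a group in 224.0.0.0/4 (first octet 224-239)."""
    return ipaddress.ip_address(addr).is_multicast
```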
================================
** inter-VXLAN routing.
1 ESXi, 2 VXLANs. routing? without going out to the physical router.
1 create a router
DLR = Distributed Logical Router (INFRASTRUCTURE ROUTER)
ESG = Edge Services Gateway (VPN, NAT, LOAD BALANCER) -> L3 switch; heavier but with more features.
deploy DLR
- add NSX Edge
- select the type
- select on which host
-
-
=================================
ESXi
NSX
physical router throughput > virtual
many vSwitches -> attached to 1 NIC -> throughput drops.
=========================
vSAN -
create a cluster first.
minimum 3, up to 64.
vSAN datastore -> 1
======================
ESXi must be listed in the vSphere HCL (hardware spec that supports vSAN).
NIC must be 1 Gb / 10 Gb
controller: SAS/SATA.
CACHE: PCI/SAS/SATA SSD -> MIN 1, MAX 35 per node.
DATA: PCI/SAS/SATA HD/SSD
=====================
CREATE THE CLUSTER, ENABLE vSAN.
check via the console:
vmkping ip-address sourceport port
====================
add space to vSAN:
create a disk group.
====================
Manage > Settings > Disk Management -> see the disk groups per ESXi cluster.
===================
UCS
1U -> every disk has an LED -> the LED can be lit up, then the disk pulled.
===================
vSAN summary -> eligible.
RAID 0 -> vSAN storage policy.
===================
vSAN datastore -
vSAN -> object-level storage -> namespaces (VM config), virtual disks (VMDK), snapshots, swap files.
block-level storage.
==================
remove a disk from a disk group.
evacuate data? -> data is put on other disks.
RAID: the hard disks must be the same -
if the VM size is the same, RPM need not be the same; it gets totalled.
more advanced classes:
ICM 6.5 - 5 days
vSAN intro class - 5 days