Friday, 15 May 2020

Simple ACL in HP 5500


  • Simple Topology
  1. Create the ACL on the HP switch on floor 1

           acl number 3120
              rule 1 deny ip source 10.2.2.4 0 destination 10.1.1.5 0

  2. Apply the packet-filter inbound on the interface

           interface Vlan-interface69
              description ** Gateway Server A **
              ip address 10.2.2.1 255.255.255.0
              packet-filter 3120 inbound

Create Simple ACL on Cisco


  • Simple Topology
  1. Create the ACL
         Example: created on the branch router


           access-list 100 remark Branch
           access-list 100 permit ip 10.100.100.0 0.0.0.255 host 10.1.1.21
           access-list 100 permit ip 10.100.100.0 0.0.0.255 host 10.1.1.22
           access-list 100 deny   ip any any
       
          *Note:
            10.100.100.x is the IP range of the local branch users
            access is allowed to 10.1.1.x ( Datacenter server IPs )

       2. Access group in

           interface Vlan1
             description **Gateway LAN Branch**
             ip address 10.100.100.1 255.255.255.0
             ip access-group 100 in

       3. Access group out

           interface Vlan69
             description **Link to Datacenter**
             ip address 10.40.8.59 255.255.255.248
             ip access-group 100 out
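
How ACL 100 above is evaluated, as an added Python example that is not part of the original post: rules are checked top-down with wildcard-mask matching, the first match wins, and anything unmatched falls to the implicit deny. The helper names and the sample flows are constructed for illustration.

```python
import ipaddress

# ACL 100 exactly as configured on the branch router above.
ACL_100 = """\
access-list 100 remark Branch
access-list 100 permit ip 10.100.100.0 0.0.0.255 host 10.1.1.21
access-list 100 permit ip 10.100.100.0 0.0.0.255 host 10.1.1.22
access-list 100 deny   ip any any
"""

def wildcard_match(addr, base, wildcard):
    """Bits set to 1 in a wildcard mask are ignored when comparing."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def parse_acl(text):
    """Return [(action, (src, src_wc), (dst, dst_wc))]; remarks are skipped."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        action, rest, specs = tok[2], tok[4:], []
        while rest:
            if rest[0] == "any":
                specs.append(("0.0.0.0", "255.255.255.255"))
                rest = rest[1:]
            elif rest[0] == "host":
                specs.append((rest[1], "0.0.0.0"))
                rest = rest[2:]
            else:
                specs.append((rest[0], rest[1]))
                rest = rest[2:]
        rules.append((action, specs[0], specs[1]))
    return rules

def evaluate(rules, src, dst):
    """First match wins; with no match the implicit deny at the end applies."""
    for number, (action, s, d) in enumerate(rules, 1):
        if wildcard_match(src, *s) and wildcard_match(dst, *d):
            return action, number
    return "deny", None

if __name__ == "__main__":
    rules = parse_acl(ACL_100)
    # Constructed sample flows (source, destination).
    for src, dst in [("10.100.100.57", "10.1.1.21"), ("10.100.100.57", "10.1.1.23"),
                     ("10.100.101.9", "10.1.1.21"), ("10.1.1.21", "10.100.100.57")]:
        print(src, "->", dst, evaluate(rules, src, dst))
```

Dropping the explicit `deny ip any any` line does not change any verdict; it only changes which rule number a show command would count the hit against.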

Tuesday, 12 May 2020

Inject SSL F5 Big IP


Inject SSL into a Virtual Server on F5 Big IP
  • Import the SSL files ( 3 files )

Files to be imported ( Chain, Key, SSL )

SSL import menu

Import result in the "Certificate Management" menu

  • Create the SSL profile
Create the client SSL profile in the "Local Traffic-Profile-SSL-Client" menu

Result of creating the SSL profile in the "Local Traffic-Profile-SSL" menu

  • Add the SSL profile that was created to the virtual server.
Select the SSL profile that was created in the SSL Profile menu.

Monday, 11 May 2020

Create Email Alert F5 Big IP

Enable Email Alert On F5 Big IP

1. Configure the file user_alert.conf
    - nano /config/user_alert.conf
Example:
alert BIGIP_TMM_TMMERR_LAST_PMBR_DOWN {
email toaddress="paitjo@gmail.com"
fromaddress="admin"
body="Pool has no available pool members."
}

alert BIGIP_TMM_TMMERR_PMBR_BACK_UP {
email toaddress="paitjo@gmail.com"
fromaddress="admin"
body="Pool has available pool members."
}

alert BIGIP_MCPD_MCPDERR_VIRTUAL_UNAVAIL {
snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.136";
email toaddress="paitjo@gmail.com"
fromaddress="admin"
body="A virtual server has stopped processing traffic."
}

alert BIGIP_MCPD_MCPDERR_VIRTUAL_AVAIL {
snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.135";
email toaddress="paitjo@gmail.com"
fromaddress="admin"
body="A virtual server has resumed processing traffic."
}

alert BIGIP_MCPD_MCPDERR_POOL_MEMBER_MON_STATUS {
snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.10";
email toaddress="paitjo@gmail.com"
fromaddress="admin"
body="A pool member node has status down."
}

alert BIGIP_MCPD_MCPDERR_POOL_MEMBER_MON_STATUS_UP {
snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.11";
email toaddress="paitjo@gmail.com"
fromaddress="admin"
body="A pool member node has status up."
}

alert BIGIP_MCPD_MCPDERR_NODE_ADDRESS_MON_STATUS {
snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.12";
email toaddress="paitjo@gmail.com"
fromaddress="admin"
body="A node address has status down."
}

alert BIGIP_MCPD_MCPDERR_NODE_ADDRESS_MON_STATUS_UP {
snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.13";
email toaddress="paitjo@gmail.com"
fromaddress="admin"
body="A node address has status up."
}


2. Create SMTP Outbound
   example:
tmsh modify sys outbound-smtp mailhub x.x.x.x:25 rewrite-domain paitjo.com


3. Save Configuration
    tmsh save sys config
    tmsh restart sys service alertd

4. Test Alert Email
    Example:
logger -p local0.notice "01070638:5: Pool /Common/pool_one member /Common/192.168.10.1:80  monitor status down."
logger -p local0.notice "01071682:5: SNMP_TRAP: Virtual /Common/vip_one has become unavailable"
logger -p local0.notice "01010028:3: No members available for pool /Common/pool_one"
logger -p local0.notice "01070727:5: Pool /Common/me member /Common/192.168.10.1:80 monitor status up."
logger -p local0.notice "01071681:5: SNMP_TRAP: Virtual /Common/vip_one has become available"
logger -p local0.notice "01010221:3: Pool /Common/pool_one now has available members"

Wednesday, 11 October 2017

Create VLAN & TRUNK on The Switch

1. Create VLAN on Switch 3560 in PT
     switch>en
     switch#config
     switch(config)#vlan 10
        - name the VLAN
     switch(config-vlan)#name ICT
        - show the VLANs
     switch#show vlan brief

        - access mode port, e.g. f0/1

     switch(config)#int f0/1
     switch(config-if)#switchport mode access
     switch(config-if)#switchport access vlan 10
     switch(config-if)#description vlan-ICT
     switch(config-if)#no shut

        - to put two FastEthernet ports in the same VLAN at the same time

     switch(config)#int range f0/2-3
     switch(config-if-range)#switchport mode access
     switch(config-if-range)#switchport access vlan 10
     switch(config-if-range)#description vlan-ICT
     switch(config-if-range)#no shut

        - create a trunk mode port, e.g. f0/23 (on the 3560 the trunk encapsulation must be set before trunk mode is accepted)

     switch(config)#int f0/23
     switch(config-if)#switchport trunk encapsulation dot1q
     switch(config-if)#switchport mode trunk
     switch(config-if)#switchport access vlan 10
     switch(config-if)#no shut

     

Characteristics of RIP, EIGRP and OSPF

1. RIP ( Distance Vector ) 120
    - RIP sends an update every 30 seconds to inform the neighboring router
    - Hop count -- max 17 hops
       used to determine the best path
   Weakness:
    - Cannot determine the best path based on bandwidth.

2. EIGRP ( Distance Vector ) 90
    - The router builds its IP routes and sends them to neighboring routers
    - Sends the routing table directly
    - Determines the best path based on bandwidth or numeric values

3. OSPF ( Link State ) 110
    - OSPF sends LSPs to neighboring routers to learn about directly connected networks
    - Can determine the best path using bandwidth

   Weakness:

   - LSP flooding ( 100 routers or more )

 Purpose of areas:
  - to block LSPs per area so that area flooding does not occur

How OSPF works:

  -- Hello
  -- LSP
  -- Routing Table

IP Address Classes

Class  IP       Network ID  Host   Number of Networks  Number of Hosts per Network
A      1-126    w           x.y.z  126                 16777214
B      128-191  w.x         y.z    16384               65534
C      192-223  w.x.y       z      2097152             254

Assigning an IP Address to a Cisco Interface

Example interface configuration on a Cisco device:

Router>en
Router# conf t

Change the default Cisco hostname:

Router(config)#ho R1
R1(config)#

For example, to add an IP address to interface FastEthernet 0/1:

R1(config)#int f0/1
R1(config-if)#ip add 192.168.0.1 255.255.255.0

By default, interface ports on a Cisco router are shut down (off), so we must enable them with the "no shut" command.

R1(config-if)#no shut
R1(config-if)#exi
R1(config)#

To stop the router from attempting a lookup whenever we mistype a command, which slows down our work, add the command:

R1(config)#no ip domain-lookup

Creating Passwords on Cisco

Making Cisco passwords encrypted

 -  add the command

    service password-encryption

    Router >en
    Router #conf t
    Router(config)#ho R1
    R1(config)# service password-encryption
    R1(config)# enable password cisco
    R1(config)# line console 0
    R1(config-line)#password cisco
    R1(config-line)#login
    R1(config-line)#exi

- Create a telnet password:

    R1(config)# line vty 0 4
    R1(config-line)#password telnet
    R1(config-line)#exi

- Limit login time (timeout in minutes):

    R1(config)#line console 0
    R1(config-line)#exec-timeout 1

Removing Password Encryption

- type the following command in config mode

   R1(config)#no service password-encryption

With this command, new passwords are no longer encrypted, but passwords set earlier remain encrypted.
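
The mixed state described above (older passwords still encrypted, newer ones in cleartext) can be spotted in a saved running-config. This added Python example is not from the original post; the sample config, its placeholder type 7 strings and the `audit` helper are constructed for illustration. It relies on two IOS facts: the type 7 encoding applied by service password-encryption is reversible, while `enable secret` stores a one-way hash.

```python
import re

# Constructed running-config excerpt: the state after
# "no service password-encryption" followed by a new vty password.
# The type 7 strings are made-up placeholders, not real encodings.
SAMPLE_CONFIG = """\
hostname R1
no service password-encryption
enable password 7 0123456789AB
line con 0
 exec-timeout 1 0
 password 7 0123456789AB
 login
line vty 0 4
 password telnet2
 login
"""

# Matches "[enable ]password|secret [type] value" at the start of a line.
PW_RE = re.compile(r"^\s*(enable )?(password|secret) (?:(\d) )?(\S+)")

def audit(config):
    """Return (where, finding) tuples for weakly stored passwords."""
    findings, context, encrypt_on = [], "global", False
    for line in config.splitlines():
        if line.startswith("line "):
            context = line.strip()          # entering a line block
        elif not line.startswith(" "):
            context = "global"              # back at top level
        if line.strip() == "service password-encryption":
            encrypt_on = True
        m = PW_RE.match(line)
        if not m:
            continue
        enable, kind, ptype, _value = m.groups()
        where = "enable" if enable else context
        if kind == "secret":
            continue                        # stored as a one-way hash
        if ptype == "7":
            findings.append((where, "type 7: reversible obfuscation"))
        else:
            findings.append((where, "cleartext"))
    if not encrypt_on:
        findings.append(("global", "service password-encryption is off"))
    return findings

if __name__ == "__main__":
    for where, finding in audit(SAMPLE_CONFIG):
        print(f"{where}: {finding}")
```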

Monday, 26 December 2016

Mikrotik Basics

1. Make sure we use a strong username and password.
2. Disable services that are not used, for example when we will access the Mikrotik only through Winbox.
3. Set an NTP server so that the clock on the Mikrotik is updated automatically.
4. Do not forget to change the identity so that the router name is not the default.
5. Back up the Mikrotik configuration regularly, so that a server failure can be handled quickly.
