netflow
TASK2: 1 OF 5 LABS.
config t
flow record CCNP8-CUSTOM-OUT
description Custom Flow Record for outbound traffic
match ipv4 destination address
match transport destination-port
collect counter bytes
collect counter packets
END
@@@CREATE A FLOW EXPORTER:
config t
flow exporter CCNP8-COLLECTOR-HOST
destination 192.168.104.1
export-protocol netflow-v9
transport UDP 9999
end
@@@ COMBINE flow monitor and flow record:
config t
flow monitor CCNP8-INBOUND-MONITOR
record netflow ipv4 original-input
cache timeout active 30
exporter CCNP8-COLLECTOR-HOST
flow monitor CCNP8-OUTBOUND-MONITOR
record CCNP8-CUSTOM-OUT
cache timeout active 30
exporter CCNP8-COLLECTOR-HOST
exit
@@@Define the Interface to Monitor: SiteA/ SiteB:
config t
Int Gi 3
ip flow monitor CCNP8-INBOUND-MONITOR input
ip flow monitor CCNP8-OUTBOUND-MONITOR output
end
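A collector-side check for the export configured above, as an added example that is not part of the original notes: a minimal NetFlow v9 (RFC 3954) decoder that caches the template FlowSet and decodes the four fields of CCNP8-CUSTOM-OUT. The sample packet, its field lengths, template id 256 and the address 198.51.100.7 are constructed assumptions, not captured router output.

```python
import socket
import struct

# NetFlow v9 field type numbers (RFC 3954) matching the CCNP8-CUSTOM-OUT record
NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}

def parse_v9(packet, templates):
    """Decode one export packet; `templates` must persist across calls."""
    if len(packet) < 20 or packet[:2] != b"\x00\x09":
        raise ValueError("not a NetFlow v9 export packet")
    source_id = struct.unpack("!I", packet[16:20])[0]
    flows, off = [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("FlowSet length %d overruns packet" % fs_len)
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:                                   # template FlowSet
            pos = 0
            while pos + 4 <= len(body):
                tid, n = struct.unpack("!HH", body[pos:pos + 4])
                if tid < 256 or pos + 4 + 4 * n > len(body):
                    break                                # padding or truncated template
                templates[(source_id, tid)] = [
                    struct.unpack("!HH", body[pos + 4 + 4 * i:pos + 8 + 4 * i]) for i in range(n)]
                pos += 4 + 4 * n
        elif fs_id > 255 and (source_id, fs_id) in templates:  # data FlowSet with known template
            fields = templates[(source_id, fs_id)]
            rec_len = sum(length for _t, length in fields)
            pos = 0
            while rec_len and pos + rec_len <= len(body):  # leftover bytes are padding
                flow = {}
                for ftype, length in fields:
                    raw = body[pos:pos + length]
                    pos += length
                    flow[NAMES.get(ftype, ftype)] = (socket.inet_ntoa(raw) if ftype == 12 and length == 4
                                                     else int.from_bytes(raw, "big"))
                flows.append(flow)
        off += fs_len                                    # data without a template is skipped
    return flows

def sample_packet():
    """Constructed export packet: one template (id 256) and one data record."""
    tmpl = struct.pack("!HH", 256, 4) + struct.pack("!8H", 12, 4, 11, 2, 1, 4, 2, 4)
    data = socket.inet_aton("198.51.100.7") + struct.pack("!HII", 443, 5200, 12) + b"\x00\x00"
    header = struct.pack("!HHIIII", 9, 2, 1000, 1700000000, 1, 0)
    return (header + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
            + struct.pack("!HH", 256, 4 + len(data)) + data)
```

Feed it the payload of each datagram received on UDP 9999; data FlowSets that arrive before their template are dropped, which is why a fresh collector shows nothing until the exporter resends the template.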
LAB2: CONTROL PLANE POLICING: monitor all data entering
and leaving the control plane on ALL the interfaces: g1, g2, g3.
ExamTask: limit the ping to 8000 packets/sec! Order: class-map, policy-map, service-policy (cm-pm-sp).
config t
ip access-list extended ABUSEPING
permit icmp any any
class-map STOPPING
match access-group name ABUSEPING
no policy-map PINGSTOP
policy-map PINGSTOP
class STOPPING
! "police 8000" is a rate in bits per second; the packets-per-second form is "police rate <n> pps"
police 8000 conform-action transmit exceed-action drop
exit
control-plane
service-policy input PINGSTOP
end
sh policy-map control-plane
TASK2: limit telnet, ssh, and https: CM - PM - SP
config t
ip access-list extended TELNET
permit tcp any any eq 23
ip access-list extended SSH
permit tcp any any eq 22
ip access-list extended HTTPS
permit tcp any any eq 443
ip access-list extended ICMP
permit icmp any any
Class-map match-all CMTELNET
match access-group name TELNET
exit
class-map match-all CMSSH
match access-group name SSH
exit
class-map match-all CMHTTPS
match access-group name HTTPS
exit
class-map match-all CMICMP
match access-group name ICMP
exit
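Policy-map PMCOPP
class CMTELNET
! conform and exceed both drop: all Telnet to the control plane is discarded
police 10000 conform-action drop exceed-action drop
class CMSSH
! conform and exceed both transmit: traffic is counted but never dropped
police 800000 conform-action transmit exceed-action transmit
class CMHTTPS
police 600000 conform-action transmit exceed-action transmit
class CMICMP
! ICMP is the only class that is actually rate-limited (4 packets per second)
police rate 4 pps conform-action transmit exceed-action drop
class class-default
police 12000 conform-action transmit exceed-action transmit
exit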
control-plane
service-policy input PMCOPP
END
THE JOURNEY TO SIX FIGURES/MONTH.
1. install csr1000v 17 x 2: siteA and siteB.
2. make 3 loopbacks each x EEM, Python+Linux, Postman = 9
3. Ansible: automate the 5 loopbacks. sample.yml