p001 PSEFABRIC configuration - nihole/PSEFABRIC GitHub Wiki

video guide

Lab installation

Download Scheme

Downlaod Lab

The Emulated Virtual Environment for network (EVE) is used.

Logins

VTY Login

  • username: admin
  • password: cisco123
  • enable: cisco123

DNS

Management addresses of lab equipment are obtained through DHCP. For that purpose pnet network type is used. After running the lab, you need to find out these IP addresses and to add them in /etc/hosts file.

For example

192.168.31.133  dc1_sw1
192.168.31.134  dc1_fw1
192.168.31.138  dc2_fw1
192.168.31.139  dc2_sw1
192.168.31.136  dc3_r1
192.168.31.137  dc3_sw1

Zero configuration

  • We have 3 data centers: DC1, DC2, DC3

  • These DCs are connected via firewalls

    • Juniper SRX (dc1_fw1)
    • Cisco ASA (dc2_fw1)
    • Cisco Router with ZBF (dc3_r1)

  • BGP is used for inter-DC routing

  • OSPF and static are used for intra-DC routing

  • In addition to the firewall, each site also has a switch

    • Cisco L3 switch (dc1_sw1)
    • Cisco L3 switch (dc2_sw1)
    • Cisco L2 switch (dc3_sw1)

  • Management addresses are obtained through DHCP. For that purpose pnet network type is used. Relations between addresses and names are determined in /etc/hosts file.

  • DC1

    • IP address range is 10.1.0/16
    • VRFs: VRF1, VRF2, VRF3
    • dc1_sw1 loopbacks:
      • Loopback101: VRF VRF1, 172.16.1.101
      • Loopback102: VRF VRF2, 172.16.1.102
      • Loopback103: VRF VRF3, 172.16.1.103
      • Loopback0: 172.16.1.2
    • dc1_fw1 loopback:
      • Loopback0: 172.16.1.1

  • DC2

    • IP address range is 10.2.0/16
    • VRFs: TRUST, DMZ
    • dc2_sw2 loopbacks:
      • Loopback201: VRF DMZ, 172.16.2.201
      • Loopback202: VRF TRUST, 172.16.2.202
      • Loopback0: 172.16.2.2

  • DC3

    • IP address range is 10.3.0/16
    • Without VRFs
    • dc3_r1 loopback:
      • Loopback0: 172.16.3.1
    • dc3_sw1 loopback:
      • Loopback0: 172.16.3.2

Examples

  • Example 0

Introduction. This example shows how to create/delete/change

structure
addresses
address-sets
services
service-sets
policies (access between networks)
  • Example 1

This example shows how to manage (create/delete/change) vlans, networks, interfaces. All subnets (except loopbacks) and structure described in the scheme above are configured here.

  • Example 2

In this example, we create loopbacks for each data center and allow full mesh access (icmp) between them. So it shows how easy to manage (open/close/change) accesses. This is also a good example of the global logic concept understanding.

  • Example 3

In this example, we create few policies between different subnets. This shows how rather complex global logic may be implemented.

General Information

All information about examples 1-3 is located in the folder $PROJECT/PSEF_DOCS/EXAMPLES/. There are four folders there: INIT, LOOP, DC1_DC2, INIT+LOOP. First three folders correspond to first three examples (1 - 3) and the fourth folder is the sum of the first and second examples.

If we consider the structure of each of these folders we will see that they are the same:

.
├── AD
│   ├── psef_config.conf
│   └── term_download.conf
├── CH
│   ├── psef_config.conf
│   └── term_download.conf
└── RM
    ├── psef_config.conf
    └── term_download.conf
  • AD, RM and CH folders

In each of these examples, we examine three cases: adding, removing, or modifying some configuration items. So we have AD, RM and CH folders.

  • file term_download.conf

It is a txt configuration file. We use it for cut-and-paste configuration of PSEFABRIC.

  • file psef_config.conf

This is a result of the command execution "show configuration commit changes" and shows the last changes on Configuration Manager (CONFD).