Monday, November 16, 2020

eduroam - Setup for Windows NPS

Windows NPS Config

- We will need to set up the NPS server for three cases: local users authenticating on the School's network, local users authenticating from an external eduroam site, and remote (visiting) eduroam users authenticating on the School's network.

- Set up the 2 external RADIUS servers from eduroam as "RADIUS Clients":

  - tlrs1.eduroam.us
  - tlrs2.eduroam.us

  Set the "Shared Secret" for each and keep a record of them so you can add them on eduroam's web page later on.

- Set up the group under "Remote RADIUS Server Groups": set the name to "eduroam" and add eduroam's servers.

Next set up the "Connection Request Policies":

  • "eduroam - School" - will be triggered for local users that are authenticating FROM the School's network.

  • "eduroam - USTopLevel" - triggered for local users that are authenticating FROM an EXTERNAL eduroam member's network (these requests arrive through the eduroam servers you added as RADIUS clients above).

  • "eduroam - external" - will be triggered for non-School domain users that are authenticating FROM the School's network.

    • This policy forwards the request to the "Remote RADIUS Server Group" labeled "eduroam".

  - THESE POLICIES NEED TO BE IN THIS ORDER.... you will get a "domain loop" error from eduroam if you have them mixed up.

- Below, for the "eduroam - External" policy, we are dropping users on a specific VLAN; in this case we are dropping them on VLAN 10 (the school's guest network).
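To make the ordering requirement concrete, here is a small model of how NPS walks Connection Request Policies top-down and applies the first match. This is an added example, not part of the original post or any Microsoft code. The post gives the policy names and their order but not their conditions, so the conditions are assumptions: a placeholder realm "school.example" for the two local policies, the two eduroam servers above as the "arrived from TLRS" RADIUS clients, and a catch-all forwarding policy for any realm seen from the school's own access points. The `domain_loops` check shows why that catch-all has to sit last: placed first, it would forward the school's own users out to eduroam, which routes them straight back.

```python
"""Model of how NPS selects a Connection Request Policy for an eduroam setup.

Added example, not from the original post: NPS evaluates the policies in
processing order and applies the first one whose conditions match. The
conditions below are assumptions (the post does not list them).
"""
from dataclasses import dataclass

LOCAL_REALM = "school.example"  # placeholder; use the realm registered with eduroam
TLRS = {"tlrs1.eduroam.us", "tlrs2.eduroam.us"}  # eduroam US top-level servers (from the post)


@dataclass(frozen=True)
class Request:
    user_name: str      # RADIUS User-Name, e.g. "alice@school.example"
    radius_client: str  # friendly name of the RADIUS client that sent the request

    @property
    def realm(self):
        return self.user_name.rsplit("@", 1)[1].lower() if "@" in self.user_name else ""

    @property
    def from_tlrs(self):
        return self.radius_client in TLRS


# Assumed conditions. In NPS these would be a User-Name pattern plus a
# "Client Friendly Name" condition on each policy.
def school_from_local(r):
    return r.realm == LOCAL_REALM and not r.from_tlrs


def school_from_tlrs(r):
    return r.realm == LOCAL_REALM and r.from_tlrs


def any_realm_from_local(r):
    # catch-all: any User-Name carrying a realm, seen from our own RADIUS clients
    return r.realm != "" and not r.from_tlrs


# (policy name, condition, action), in the order the post requires.
POLICIES = [
    ("eduroam - School", school_from_local, "authenticate locally"),
    ("eduroam - USTopLevel", school_from_tlrs, "authenticate locally"),
    ("eduroam - external", any_realm_from_local, "forward to eduroam"),
]


def select_policy(request, policies=POLICIES):
    """First match wins, as in NPS; no match means NPS discards the request."""
    for name, condition, action in policies:
        if condition(request):
            return name, action
    return None, "discard"


def domain_loops(policies=POLICIES):
    """Names of policies that would forward the school's own realm to eduroam.

    The eduroam servers would route such a request straight back to this NPS,
    which is the 'domain loop' the post warns about. Two constructed sample
    requests (one per traffic source) are pushed through the policy chain.
    """
    samples = [
        Request(f"alice@{LOCAL_REALM}", "school-ap-01"),      # local user on campus
        Request(f"alice@{LOCAL_REALM}", "tlrs1.eduroam.us"),  # local user roaming abroad
    ]
    looping = []
    for req in samples:
        name, action = select_policy(req, policies)
        if action.startswith("forward"):
            looping.append(name)
    return looping
```

Run `domain_loops()` against the order above and it returns an empty list; swap "eduroam - external" to the top and it reports that policy, which is the configuration that produces the loop error.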

  • Now set up the "Network Policies".

  • Each Network Policy is pretty much the same. The only differences are:

    • Condition: "Windows Groups"

    • Settings: "Filter-Id"

Wednesday, June 3, 2020

Cumulus BGP Routing

This is a demo config that I did to set up BGP between Cumulus routers. I was having issues being able to ping an advertised network from BGP2 over to BGP1. The network was advertising correctly, but I just was not able to ping from BGP1 to the interface on BGP2. After a while I found that I needed to advertise an interface on BGP1 so that BGP2 would know where to send back the reply.

BGP2

cumulus@cumulus:~$ sudo cat /etc/network/interfaces
source /etc/network/interfaces.d/*.intf

auto eth0
iface eth0 inet dhcp

auto swp1
iface swp1
        bridge-vids 10
        bridge-stp on

auto swp3
iface swp3

auto swp5
iface swp5

auto bridge
iface bridge
        bridge-vlan-aware yes
        bridge-ports swp1 swp3 swp5
        bridge-vids 10 300
        bridge-pvid 1
        bridge-stp on

auto bridge.10
iface bridge.10
        address 110.10.10.253/24

auto bridge.300
iface bridge.300
        address 130.100.100.253/24

auto bridge.500
iface bridge.500
        address 150.100.100.254/24

cumulus@cumulus:~$ sudo cat /etc/frr/frr.conf

router bgp 65101
 bgp router-id 150.100.100.254
 neighbor 110.10.10.254 remote-as external
 neighbor 130.100.100.254 remote-as 65103
 
 address-family ipv4 unicast
  network 150.100.100.0/24
 exit-address-family

cumulus@cumulus:~$

BGP4

cumulus@cumulus:~$ sudo cat /etc/network/interfaces

auto swp3
iface swp3

auto swp4
iface swp4
        bridge-vids 400
        bridge-stp on

auto bridge
iface bridge
        bridge-vlan-aware yes
        bridge-ports swp3 swp4
        bridge-vids 300 400
        bridge-pvid 1
        bridge-stp on

auto bridge.300
iface bridge.300
        address 130.100.100.254/24

auto bridge.400
iface bridge.400
        address 140.100.100.254/24

cumulus@cumulus:~$ sudo cat /etc/frr/frr.conf

router bgp 65103
 bgp router-id 140.100.100.254
 neighbor 130.100.100.253 remote-as 65101
 neighbor 140.100.100.253 remote-as 65102

cumulus@cumulus:~$

BGP3

cumulus@cumulus:~$ sudo cat /etc/network/interfaces

auto swp1
iface swp1

auto swp2
iface swp2
        bridge-vids 100
        bridge-stp on

auto swp4
iface swp4
        bridge-vids 400
        bridge-stp on

auto bridge
iface bridge
        bridge-vlan-aware yes
        bridge-ports swp2 swp4
        bridge-vids 100 400
        bridge-pvid 1
        bridge-stp on

auto bridge.100
iface bridge.100
        address 100.100.100.253/24

auto bridge.400
iface bridge.400
        address 140.100.100.253/24

auto bridge.600
iface bridge.600
        address 160.100.100.254/24
cumulus@cumulus:~$ sudo cat /etc/frr/fr

router bgp 65102
 bgp router-id 160.100.100.254
 neighbor 100.100.100.254 remote-as external
 neighbor 140.100.100.254 remote-as 65103
 
 address-family ipv4 unicast
  network 140.100.100.0/24
  network 160.100.100.0/24
 exit-address-family

cumulus@cumulus:~$

BGP1

cumulus@cumulus:~$ sudo cat /etc/network/interfaces

auto swp1
iface swp1
        bridge-vids 10
        bridge-stp on

auto swp2
iface swp2
        bridge-vids 100
        bridge-stp on

auto bridge
iface bridge
        bridge-vlan-aware yes
        bridge-ports swp1 swp2
        bridge-vids 10 100
        bridge-pvid 1
        bridge-stp on

auto bridge.10
iface bridge.10
        address 110.10.10.254/24

auto bridge.100
iface bridge.100
        address 100.100.100.254/24

cumulus@cumulus:~$ sudo cat /etc/frr/frr.conf

router bgp 65000
 bgp router-id 100.100.100.254
 neighbor 100.100.100.253 remote-as external
 neighbor 110.10.10.253 remote-as external
 
 address-family ipv4 unicast
  network 100.100.100.0/24
 exit-address-family

line vty

cumulus@cumulus:~$
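The four configs above can be checked for exactly the failure described in this post without booting the lab. The script below is an added example, not from the post or from Cumulus/FRR: it re-reads the frr.conf stanzas and interface addresses shown above (copied inline), floods each router's `network` statements across the eBGP sessions with AS-path loop prevention, and then tests a ping in both directions, since the sender needs a route to the target and the target needs a route back to whatever address the ping was sourced from. The post does not say which source address the failing ping used; the model simply shows that BGP1's `network 100.100.100.0/24` is what gives BGP2 a return route for traffic sourced from 100.100.100.254, while a ping sourced from the directly connected 110.10.10.254 works either way.

```python
"""Return-path check for the four-router eBGP lab in this post.

Added example, not from the post or from Cumulus/FRR. LAB holds the interface
addresses and frr.conf contents copied from the post.
"""
import ipaddress
import re

LAB = {
    "BGP1": (["110.10.10.254/24", "100.100.100.254/24"], """
router bgp 65000
 neighbor 100.100.100.253 remote-as external
 neighbor 110.10.10.253 remote-as external
 address-family ipv4 unicast
  network 100.100.100.0/24
"""),
    "BGP2": (["110.10.10.253/24", "130.100.100.253/24", "150.100.100.254/24"], """
router bgp 65101
 neighbor 110.10.10.254 remote-as external
 neighbor 130.100.100.254 remote-as 65103
 address-family ipv4 unicast
  network 150.100.100.0/24
"""),
    "BGP3": (["100.100.100.253/24", "140.100.100.253/24", "160.100.100.254/24"], """
router bgp 65102
 neighbor 100.100.100.254 remote-as external
 neighbor 140.100.100.254 remote-as 65103
 address-family ipv4 unicast
  network 140.100.100.0/24
  network 160.100.100.0/24
"""),
    "BGP4": (["130.100.100.254/24", "140.100.100.254/24"], """
router bgp 65103
 neighbor 130.100.100.253 remote-as 65101
 neighbor 140.100.100.253 remote-as 65102
"""),
}


def parse(lab):
    """Per router: AS number, own addresses, connected prefixes, neighbors, originated prefixes."""
    routers = {}
    for name, (addrs, conf) in lab.items():
        ifaces = [ipaddress.ip_interface(a) for a in addrs]
        connected = {i.network for i in ifaces}
        # FRR only originates a 'network' prefix that is already in its RIB (import check)
        networks = {n for n in map(ipaddress.ip_network, re.findall(r"network (\S+)", conf)) if n in connected}
        routers[name] = {
            "asn": int(re.search(r"router bgp (\d+)", conf).group(1)),
            "addrs": {str(i.ip) for i in ifaces},
            "connected": connected,
            "neighbors": dict(re.findall(r"neighbor (\S+) remote-as (\S+)", conf)),
            "networks": networks,
        }
    return routers


def sessions(routers):
    """Directed peer pairs (a, b) where both sides name each other and the remote-as agrees."""
    owner = {ip: n for n, r in routers.items() for ip in r["addrs"]}
    half = set()
    for a, ra in routers.items():
        for ip, remote_as in ra["neighbors"].items():
            b = owner.get(ip)
            if b is None:
                continue
            peer_as = routers[b]["asn"]
            if remote_as == str(peer_as) or (remote_as == "external" and peer_as != ra["asn"]):
                half.add((a, b))
    return {(a, b) for a, b in half if (b, a) in half}


def tables(routers):
    """Flood prefixes to a fixpoint. Table: prefix -> AS path ([] for connected routes)."""
    rib = {n: {p: [] for p in r["connected"]} for n, r in routers.items()}
    peers = sessions(routers)
    changed = True
    while changed:
        changed = False
        for a, b in peers:
            for prefix, path in list(rib[a].items()):
                if not path and prefix not in routers[a]["networks"]:
                    continue  # connected but not advertised with a 'network' statement
                if routers[b]["asn"] in path:
                    continue  # eBGP loop prevention: receiver's AS already in the path
                new_path = [routers[a]["asn"]] + path
                current = rib[b].get(prefix)
                if current is None or (current and len(new_path) < len(current)):
                    rib[b][prefix] = new_path
                    changed = True
    return rib


def lookup(rib, router, ip):
    """Longest-prefix match; returns (prefix string, AS path) or None when unroutable."""
    ip = ipaddress.ip_address(ip)
    hits = [p for p in rib[router] if ip in p]
    if not hits:
        return None
    best = max(hits, key=lambda p: p.prefixlen)
    return str(best), rib[router][best]


def ping_ok(rib, routers, src_router, src_ip, dst_ip):
    """Both directions must route: src -> dst, and the owner of dst back to src_ip."""
    owner = {ip: n for n, r in routers.items() for ip in r["addrs"]}
    dst_router = owner.get(dst_ip)
    if dst_router is None or lookup(rib, src_router, dst_ip) is None:
        return False
    return lookup(rib, dst_router, src_ip) is not None


def without_network(lab, router, prefix):
    """Copy of the lab with one 'network' line removed, to show what the fix added."""
    addrs, conf = lab[router]
    return {**lab, router: (addrs, conf.replace(f"  network {prefix}\n", ""))}
```

The model ignores next-hop reachability checks and FRR's best-path tie-breakers beyond AS-path length, which is enough for this lab since every peering is over a directly connected subnet.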

Wednesday, May 27, 2020

Fortigate to Cumulus - BGP peering

This is a general guide to connect a Fortigate firewall to a Cumulus router. This is all being mocked up in GNS3.

The BGP peering is happening between "leaf01-10.10.10.253" and "FGT-10.10.10.254"

- port2 on the FGT relates to "e1" in the picture.
- port3 on the FGT relates to "e2" in the picture.

STEP 1 - 
Fortigate
config system interface
    edit "port2.10"
        set vdom "root"
        set ip 10.10.10.254 255.255.255.0
        set allowaccess ping ssh
        set device-identification enable
        set role lan
        set snmp-index 10
        set interface "port2"
        set vlanid 10
    next
    edit "port3.50"
        set vdom "root"
        set ip 50.50.50.254 255.255.255.0
        set allowaccess ping
        set device-identification enable
        set role lan
        set snmp-index 50
        set interface "port3"
        set vlanid 50
    next
    edit "port3.60"
        set vdom "root"
        set ip 60.60.60.254 255.255.255.0
        set allowaccess ping
        set device-identification enable
        set role lan
        set snmp-index 9
        set interface "port3"
        set vlanid 60
    next
end


We will be using VLAN10/port2.10 as the link between the FGT and the Cumulus router.  port3.50 and port3.60 are the interfaces that we are going to be advertising into BGP.

Now we will create the BGP peer on the FGT.

config router bgp
    set as 65000
    set router-id 1.1.1.1
    config neighbor
        edit "10.10.10.253"
            set remote-as 65001
        next
    end
end

Now you need to advertise your routes from the FGT. I will be advertising specific routes using "config network"; if you would like to advertise all routes of a given type, you can do that with "config redistribute" ("connected", "static", "rip" or "ospf").

config router bgp
    config network
        edit 3
            set prefix 50.50.50.0 255.255.255.0
        next
        edit 4
            set prefix 60.60.60.0 255.255.255.0
        next
    end
end

At this point your FGT should have routes that look like the following.

FortiGate-VM64-KVM # get router info routing-table all

Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

C       10.10.10.0/24 is directly connected, port2.10
C       20.20.20.0/24 is directly connected, port2.20
C       50.50.50.0/24 is directly connected, port3.50
C       60.60.60.0/24 is directly connected, port3.60

Now it is time to set up the Cumulus side.

STEP 2 -

Cumulus
Use a text editor to open "/etc/network/interfaces"
sudo nano /etc/network/interfaces

auto swp1
iface swp1
    bridge-vids 10
    bridge-stp on

auto bridge
iface bridge
        bridge-vlan-aware yes
        bridge-ports swp1
        bridge-vids 10
        bridge-pvid 1
        bridge-stp on

auto bridge.10
iface bridge.10
        address 10.10.10.253/24

Save the file "/etc/network/interfaces" and then reload the interfaces.

sudo ifreload -a


Now set up BGP on the Cumulus.

cumulus@leaf01$ net add bgp autonomous-system 65001
cumulus@leaf01$ net add bgp router-id 10.10.10.253
cumulus@leaf01$ net add bgp neighbor 10.10.10.254 remote-as external

You can preview and commit the changes.

net pending
net commit

Once this is done you should be able to verify that your BGP session is connected.

cumulus@leaf01:~$ net show bgp summary
show bgp ipv4 unicast summary
=============================
BGP router identifier 10.10.10.253, local AS number 65001 vrf-id 0
BGP table version 6
RIB entries 3, using 456 bytes of memory
Peers 1, using 19 KiB of memory

Neighbor        V         AS MsgRcvd MsgSent   TblVer  InQ OutQ  Up/Down State/PfxRcd
10.10.10.254    4      65000     136     124        0    0    0 00:00:51            2

Total number of neighbors 1

You should also be able to see the routes coming through from the FGT with "net show bgp".

cumulus@leaf01:~$ net show bgp
show bgp ipv4 unicast
=====================
BGP table version is 6, local router ID is 10.10.10.253
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
              i internal, r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 50.50.50.0/24    10.10.10.254                           0 65000 i
*> 60.60.60.0/24    10.10.10.254                           0 65000 i

Displayed  2 routes and 2 total paths


You can also run "net show route" to see all routes.

cumulus@leaf01:~$ net show route
show ip route
=============
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
       F - PBR,
       > - selected route, * - FIB route

C>* 10.10.10.0/24 is directly connected, bridge.10, 00:04:04
B>* 50.50.50.0/24 [20/0] via 10.10.10.254, bridge.10, 00:03:59
B>* 60.60.60.0/24 [20/0] via 10.10.10.254, bridge.10, 00:03:59
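Eyeballing the summary and table is fine for a lab, but the same two outputs can be checked mechanically so that a session that drops, peers from the wrong AS, or starts announcing prefixes you never agreed on gets noticed. The script below is an added example, not from the post or from Cumulus: it parses the "net show bgp summary" and "net show bgp" text shown above (copied inline as sample input) and compares it with what this guide configures, namely an Established peer at 10.10.10.254 in AS 65000 that should send exactly 50.50.50.0/24 and 60.60.60.0/24. An unexpected prefix from a peer is the case worth filtering with a prefix list on the session rather than just accepting.

```python
"""Check the Cumulus side of the peering from its own CLI output.

Added example, not from the post or from Cumulus. SUMMARY and TABLE are the
'net show bgp summary' and 'net show bgp' outputs copied from the post.
"""
import re

SUMMARY = """\
show bgp ipv4 unicast summary
=============================
BGP router identifier 10.10.10.253, local AS number 65001 vrf-id 0
BGP table version 6
RIB entries 3, using 456 bytes of memory
Peers 1, using 19 KiB of memory

Neighbor        V         AS MsgRcvd MsgSent   TblVer  InQ OutQ  Up/Down State/PfxRcd
10.10.10.254    4      65000     136     124        0    0    0 00:00:51            2

Total number of neighbors 1
"""

TABLE = """\
show bgp ipv4 unicast
=====================
BGP table version is 6, local router ID is 10.10.10.253
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
              i internal, r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 50.50.50.0/24    10.10.10.254                           0 65000 i
*> 60.60.60.0/24    10.10.10.254                           0 65000 i

Displayed  2 routes and 2 total paths
"""

# One neighbor row of the summary; the last column is a prefix count when Established,
# otherwise a state name such as Active or Idle.
PEER_LINE = re.compile(
    r"^(?P<neighbor>\d+\.\d+\.\d+\.\d+)\s+(?P<version>\d+)\s+(?P<asn>\d+)\s+(?P<rcvd>\d+)\s+"
    r"(?P<sent>\d+)\s+(?P<tblver>\d+)\s+(?P<inq>\d+)\s+(?P<outq>\d+)\s+(?P<updown>\S+)\s+(?P<state>\S+)$"
)
# One route row: flags, prefix, next hop, optional metric/locprf, weight, AS path, origin code
ROUTE_LINE = re.compile(
    r"^(?P<flags>[^\d\s]*)\s*(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+(?P<nexthop>\S+)"
    r"(?:\s{2,}\d+)*\s{2,}(?P<weight>\d+)\s(?P<path>(?:\d+\s)*)(?P<origin>[ie?])$"
)


def parse_summary(text):
    """Map neighbor address -> fields from the summary rows."""
    peers = {}
    for line in text.splitlines():
        m = PEER_LINE.match(line.strip())
        if m:
            d = m.groupdict()
            d["asn"] = int(d["asn"])
            d["established"] = d["state"].isdigit()
            d["pfx_rcvd"] = int(d["state"]) if d["established"] else 0
            peers[d["neighbor"]] = d
    return peers


def parse_table(text):
    """List of routes with flags, prefix, next hop, AS path (ints) and origin."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_LINE.match(line.rstrip())
        if m:
            routes.append({
                "flags": m["flags"], "prefix": m["prefix"], "nexthop": m["nexthop"],
                "as_path": [int(asn) for asn in m["path"].split()], "origin": m["origin"],
            })
    return routes


def check_peering(summary_text, table_text, peer, peer_as, expected_prefixes):
    """Return a list of findings; an empty list means the session looks as configured."""
    findings = []
    p = parse_summary(summary_text).get(peer)
    if p is None:
        return [f"peer {peer} is missing from the summary"]
    if p["asn"] != peer_as:
        findings.append(f"peer {peer} shows AS {p['asn']}, expected {peer_as}")
    if not p["established"]:
        findings.append(f"peer {peer} is in state {p['state']}, not Established")
    elif p["pfx_rcvd"] != len(expected_prefixes):
        findings.append(f"peer {peer} sent {p['pfx_rcvd']} prefixes, expected {len(expected_prefixes)}")
    best = {r["prefix"]: r for r in parse_table(table_text) if ">" in r["flags"]}
    for prefix in expected_prefixes:
        r = best.get(prefix)
        if r is None:
            findings.append(f"no best path for {prefix}")
        elif r["nexthop"] != peer or r["as_path"][:1] != [peer_as]:
            findings.append(f"{prefix} is via {r['nexthop']} path {r['as_path']}, not via {peer}")
    for prefix, r in best.items():
        if prefix not in expected_prefixes:
            findings.append(f"unexpected prefix {prefix} learned via {r['nexthop']} path {r['as_path']}")
    return findings
```

The route regex relies on FRR's layout where the Weight column is right-aligned (two or more spaces before it) while the AS path and origin code follow it with single spaces; if a later NCLU or FRR release changes the column layout, adjust ROUTE_LINE rather than the checks.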