Standard Operating Procedure for Network Devices

Prepared by
Bhuvan Systems and Networking Team

Geo-portal and Web GIS Services Group


Data Processing, Products, Archival and Web Applications Area (DPPA & WAA)
National Remote Sensing Centre
Indian Space Research Organisation
Hyderabad-500 037
February 2017


Document Control Sheet

1.  Security Classification     Restricted
2.  Distribution                BHUVAN/ G&WGSG
3.  Document Issue              (a) Issue:   (b) Revision: 0
4.  Report Type                 SOP Document
5.  Report No
6.  Title                       Standard Operating Procedure for Networking Devices
7.  Collation                   Pages:   Figures:   Tables:
8.  Project                     BHUVAN
9.  Author(s)                   Bhuvan Systems and Networking Team
10. Affiliation of authors      NRSC
11. Security Mechanism          Reviewed and Approved by GD, G&WGSG
12. Originating unit            NRSC
13. Sponsor(s)                  Name: Nil   Type:
14. Date of Initiation          ...
15. Date of Publication         ...


Abstract (with Keywords):

This document explains the standard operating procedure followed for Bhuvan Systems and Networking Devices.

Table of Contents

1. Firewalls
1.1. Purpose and Scope
1.2. Make
1.2.1. Introduction to Firewalls
1.2.2. Benefits and Risks of using Firewalls
1.3. Model
1.4. Steps to Connect
1.5. Allow or Deny commands for outside IP restriction
1.6. NAT commands
1.7. Additional Guidelines and Limitations
1.8. Other Useful commands and Scenarios
1.9. Troubleshooting connectivity through Firewall
2. Routers

List of Figures


SOP for operating Network devices

1. Firewall

1.1. Purpose: This standard defines the essential rules regarding the management and maintenance of firewalls at the Bhuvan cell, and it applies to all firewalls controlled by the Bhuvan Networking Team.

1.2. Scope:

These standards cover the configuration of Bhuvan cell network firewalls.

1.3. Make:

Firewalls are an essential component of information systems security infrastructure.

Firewalls are defined as security systems that control and restrict both network connectivity and network services. Firewalls establish a perimeter where access controls are enforced and subsequently define how a network service is utilized. Examples of services include FTP (file transfer protocol) and HTTP (web browsing).

1.3.1. Benefits:

Blocks many types of outside attacks from reaching your internal network.
May block many types of malicious attacks from your internal network to the campus network and/or the Internet community.
Monitors and logs the apparent source and origination of such attacks.
Reduces the amount of valuable data lost to assaults.
Allows for regulation of network traffic between private and public networks.

1.3.2. Risks:

A firewall can be a single point of failure in connectivity between the departmental computing resources and those outside the firewall.
A firewall can become a performance bottleneck between departmental computing resources and the outside.
Installing, maintaining, and operating a firewall requires specific technical knowledge and skill, and may require specialized training.
Firewall operation imposes organizational considerations including after-hours support, vacation coverage, timeliness and priority of response to problems, and change management.

1.4. Model: CISCO ASA 5550


Fig(1): CISCO ASA 5550

Fig(2): Hardware description of ports

The details of each port are given individually below:

1. Management port
2. External Compact Flash slot
3. Serial Console port
4. Power switch
5. LED Power indicators
6. USB 2.0 interfaces
7. Network interfaces (copper Gigabit Ethernet)
8. Power indicator LED
9. Status indicator LED
10. Active LED
11. VPN LED
12. Flash LED
13. Aux Port
14. Power connector

1.5. IP address: * . * .* .*

1.6. Steps to connect:

Before going to the software configuration, we need to make a physical hardware configuration that consists of the following steps.

To connect to the Cisco ASA firewall and set up the initial configuration, use the blue serial console cable that came in the package with your device. Connect the serial end of the console cable to the RS232 DB9 serial port on your PC and the other end of the cable (RJ45) to the console port on the ASA.


Open a terminal emulation program like HyperTerminal, Tera Term or PuTTY, and connect to the COM serial port on the PC (the port should be created automatically by the driver).

On successful connection you should see the ASA command line (CLI) prompt. On the PC connected to the ASA, launch a web browser. In the Address field, enter the following (default) URL: https://192.168.1.1/admin and run the Startup Wizard.

The configuration consists of the following commands.

1. Configure the internal interface VLAN

An inside VLAN 1 interface that includes the Ethernet 0/1 through 0/7 switch ports. If you did not set the IP address in the configure factory-default command, then the VLAN 1 IP address and mask are 192.168.1.1 and 255.255.255.0.

ASA5550(config)# interface Vlan 1
ASA5550(config-if)# nameif inside
ASA5550(config-if)# security-level 100
ASA5550(config-if)# ip address 192.168.1.1 255.255.255.0
ASA5550(config-if)# no shut

Detailed Steps:

Step 1
  Command: interface vlan number
  Example: hostname(config)# interface vlan 100
  Purpose: Adds a VLAN interface, where the number is between 1 and 4090. To remove this VLAN interface and all associated configuration, enter the no interface vlan command. Because this interface also includes the interface name configuration, and the name is used in other commands, those commands are also removed.

Step 2 (Optional for the Base license)
  Command: no forward interface vlan number
  Example: hostname(config-if)# no forward interface vlan 101
  Purpose: Allows this interface to be the third VLAN by limiting it from initiating contact to one other VLAN. The number specifies the VLAN ID to which this VLAN interface cannot initiate traffic. With the Base license, you can only configure a third VLAN if you use this command to limit it. If you already have two VLAN interfaces configured with a nameif command, be sure to enter the no forward interface command before the nameif command on the third interface; the ASA does not allow three fully functioning VLAN interfaces with the Base license on the ASA 5505.

2. Configure the external interface VLAN (connected to the Internet)

An outside VLAN 2 interface that includes the Ethernet 0/0 switch port. VLAN 2 derives its IP address using DHCP. The default route is also derived from DHCP. All inside IP addresses are translated when accessing the outside using interface PAT. By default, inside users can access the outside, and outside users are prevented from accessing the inside. The DHCP server is enabled on the ASA, so a PC connecting to the VLAN 1 interface receives an address between 192.168.1.2 and 192.168.1.254. The HTTP server is enabled for ASDM and is accessible to users on the 192.168.1.0 network.

ASA5550(config)# interface Vlan 2
ASA5550(config-if)# nameif outside
ASA5550(config-if)# security-level 0
ASA5550(config-if)# ip address 200.200.200.1 255.255.255.0
ASA5550(config-if)# no shut


3. Assign Ethernet 0/0 to Vlan 2

ASA5550(config)# interface Ethernet0/0
ASA5550(config-if)# switchport access vlan 2
ASA5550(config-if)# no shut

Detailed Steps:

Step 1
  Command: interface ethernet0/port
  Example: hostname(config)# interface ethernet0/1
  Purpose: Specifies the switch port you want to configure, where port is 0 through 7.

Step 2
  To assign VLANs to this trunk, do one or more of the following:

  i. Command: switchport trunk allowed vlan vlan_range
     Example: hostname(config-if)# switchport trunk allowed vlan 100-200
     Purpose: Identifies one or more VLANs that you can assign to the trunk port, where the vlan_range (with VLANs between 1 and 4090) can be identified in one of the following ways:
       A single number (n)
       A range (n-x)
       Separate numbers and ranges by commas, for example: 5,7-10,13,45-100
     You can enter spaces instead of commas, but the command is saved to the configuration with commas.
     You can include the native VLAN in this command, but it is not required; the native VLAN is passed whether it is included in this command or not.

  ii. Command: switchport trunk native vlan vlan_id
      Example: hostname(config-if)# switchport trunk native vlan 10
      Purpose: Assigns a native VLAN to the trunk, where the vlan_id is a single VLAN ID between 1 and 4090. Packets on the native VLAN are not modified when sent over the trunk. For example, if a port has VLANs 2, 3 and 4 assigned to it, and VLAN 2 is the native VLAN, then packets on VLAN 2 that egress the port are not modified with an 802.1Q header. Frames which ingress (enter) this port and have no 802.1Q header are put into VLAN 2. Each port can only have one native VLAN, but every port can have either the same or a different native VLAN.

Step 3
  Command: switchport mode trunk
  Example: hostname(config-if)# switchport mode trunk
  Purpose: Makes this switch port a trunk port. To restore this port to access mode, enter the switchport mode access command.

Step 4 (Optional)
  Command: switchport protected
  Example: hostname(config-if)# switchport protected
  Purpose: Prevents the switch port from communicating with other protected switch ports on the same VLAN. You might want to prevent switch ports from communicating with each other if the devices on those switch ports are primarily accessed from other VLANs, you do not need to allow intra-VLAN access, and you want to isolate the devices from each other in case of infection or other security breach. For example, if you have a DMZ that hosts three web servers, you can isolate the web servers from each other if you apply the switchport protected command to each switch port. The inside and outside networks can both communicate with all three web servers, and vice versa, but the web servers cannot communicate with each other.

Step 5 (Optional)
  Command: speed { auto | 10 | 100 }
  Example: hostname(config-if)# speed 100
  Purpose: Sets the speed. The auto setting is the default. If you set the speed to anything other than auto on PoE ports Ethernet 0/6 or 0/7, then Cisco IP phones and Cisco wireless access points that do not support IEEE 802.3af will not be detected and supplied with power.

Step 6 (Optional)
  Command: duplex { auto | full | half }
  Example: hostname(config-if)# duplex full
  Purpose: Sets the duplex. The auto setting is the default. If you set the duplex to anything other than auto on PoE ports Ethernet 0/6 or 0/7, then Cisco IP phones and Cisco wireless access points that do not support IEEE 802.3af will not be detected and supplied with power.

Step 7
  Command: no shutdown
  Example: hostname(config-if)# no shutdown
  Purpose: Enables the switch port. To disable the switch port, enter the shutdown command.
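The vlan_range argument of switchport trunk allowed vlan (Step 2 above) accepts single IDs, n-x ranges, and comma- or space-separated mixes of both, all within 1 to 4090, and the ASA stores the result with commas. The following Python helper is an added example written for this SOP; it is not part of the SOP or of any Cisco software. It validates a vlan_range the way the rules above describe and normalises it to the comma form the ASA saves, which is useful for checking a change request against the running configuration before it is typed on the console. The regular expressions and the error messages are the example's own choices.

```python
"""Validate and normalise the vlan_range argument of `switchport trunk allowed vlan`."""
import re

VLAN_MIN, VLAN_MAX = 1, 4090   # VLAN ID range stated in the SOP


def parse_vlan_range(text):
    """Return the sorted list of VLAN IDs named by `text`.

    Accepts single numbers (n), ranges (n-x) and any mix of them separated
    by commas or spaces, as the ASA does. Raises ValueError on a malformed
    token, a descending range, an empty list or an ID outside 1-4090.
    """
    ids = set()
    for token in re.split(r"[,\s]+", text.strip()):
        if not token:
            continue
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", token)
        if not m:
            raise ValueError(f"malformed VLAN token: {token!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if lo > hi:
            raise ValueError(f"descending range: {token!r}")
        if lo < VLAN_MIN or hi > VLAN_MAX:
            raise ValueError(f"VLAN ID outside {VLAN_MIN}-{VLAN_MAX}: {token!r}")
        ids.update(range(lo, hi + 1))
    if not ids:
        raise ValueError("no VLAN IDs given")
    return sorted(ids)


def normalise_vlan_range(text):
    """Render the IDs the way the ASA stores them: consecutive IDs collapsed
    into n-x ranges, everything separated by commas."""
    ids = parse_vlan_range(text)
    parts = []
    start = prev = ids[0]
    for v in ids[1:]:
        if v == prev + 1:
            prev = v
            continue
        parts.append(f"{start}-{prev}" if start != prev else str(start))
        start = prev = v
    parts.append(f"{start}-{prev}" if start != prev else str(start))
    return ",".join(parts)


if __name__ == "__main__":
    # Spaces are accepted on input; the saved form uses commas.
    print(normalise_vlan_range("5 7-10 13 45-100"))   # 5,7-10,13,45-100
```

Because the function expands every range into individual IDs before collapsing them again, overlapping or unordered input such as 3,2,1 or 10-12,11 is reduced to the same canonical string the ASA would show in show running-config, so two operators' change requests can be compared textually.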


4. Enable the remaining interfaces with no shut

ASA5550(config)# interface Ethernet0/1
ASA5550(config-if)# no shut
(Note: Do the same for Ethernet0/1 to 0/7.)

5. Configure PAT on the outside interface

ASA5550(config)# global (outside) 1 interface
ASA5550(config)# nat (inside) 1 0.0.0.0 0.0.0.0

6. Configure the default route

Default route towards the ISP (assume the default gateway is 200.200.200.2):

ASA5550(config)# route outside 0.0.0.0 0.0.0.0 200.200.200.2 1

The above steps are the absolutely necessary steps you need to configure to make the appliance operational.

1.7. Allow/deny commands for outside IP restriction:

To monitor, permit or deny network access, perform one of the following tasks given below.

1. show running-config access-group ~ displays the current access list bound to the interfaces.

2. hostname(config)# access-list OUTSIDE-ACL extended permit tcp any host 209.165.201.12 eq www

3. hostname(config)# access-group OUTSIDE-ACL in interface outside

4. The following example allows all hosts to communicate between the inside and hr networks but only specific hosts to access the outside network:

hostname(config)# access-list ANY extended permit ip any any
hostname(config)# access-list OUT extended permit ip host 209.168.200.3 any
hostname(config)# access-list OUT extended permit ip host 209.168.200.4 any
hostname(config)# access-group ANY in interface inside
hostname(config)# access-group ANY in interface hr
hostname(config)# access-group OUT out interface outside

5. The following sample access list allows common EtherTypes originating on the inside interface:

hostname(config)# access-list ETHER ethertype permit ipx
hostname(config)# access-list ETHER ethertype permit mpls-unicast
hostname(config)# access-group ETHER in interface inside

6. The following example allows some EtherTypes through the ASA, but it denies all others:

hostname(config)# access-list ETHER ethertype permit 0x1234
hostname(config)# access-list ETHER ethertype permit mpls-unicast
hostname(config)# access-group ETHER in interface inside
hostname(config)# access-group ETHER in interface outside

7. The following example denies traffic with EtherType 0x1256 but allows all others on both interfaces (the access list nonIP is the one that must be bound; binding a different list would leave 0x1256 unfiltered):

hostname(config)# access-list nonIP ethertype deny 0x1256
hostname(config)# access-list nonIP ethertype permit any
hostname(config)# access-group nonIP in interface inside
hostname(config)# access-group nonIP in interface outside

8. The following example uses object groups to permit specific traffic on the inside interface:

hostname(config)# object-group service myaclog
hostname(config-service)# service-object tcp source range 2000 3000
hostname(config-service)# service-object tcp source range 3000 3010 destinatio$
hostname(config-service)# service-object ipsec
hostname(config-service)# service-object udp destination range 1002 1006
hostname(config-service)# service-object icmp echo
hostname(config)# access-list outsideacl extended permit object-group myaclog interface

1.8. NAT commands:

hostname(config)# access-list OUTSIDE extended permit tcp host *.*.*.* host *.*.*.* eq www
hostname(config)# access-group OUTSIDE out interface outside

interface: The interface command identifies either the hardware interface or the Switch Virtual Interface (VLAN interface) that will be configured. Once in interface configuration mode, you can assign physical interfaces to switch ports and enable them (turn them on), or you can assign names and security levels to VLAN interfaces.

nameif: The nameif command gives the interface a name and assigns a security level. Typical names are outside, inside, or DMZ.

security-level: Security levels are used by the appliance to control traffic flow. These are numeric values ranging from 0 to 100. The default security level for an outside interface is 0. For an inside interface, the default security level is 100.
e.g. ciscoasa(config-if)# security-level 50

ip address: The ip address command is used to assign an IP address to a VLAN interface.
e.g. ciscoasa(config-if)# interface vlan 1
     ciscoasa(config-if)# ip address 192.168.106.1

switchport access: This command assigns a physical interface to a logical (VLAN) interface. This command is not used on the ASA 55x0 appliances.
e.g. ciscoasa(config-if)# interface ethernet 0/0
     ciscoasa(config-if)# switchport access vlan 2
     ciscoasa(config-if)# no shutdown
     ciscoasa(config-if)# interface ethernet 0/1
     ciscoasa(config-if)# switchport access vlan 1
     ciscoasa(config-if)# no shutdown

object network: It states that this particular object will be based on IP addresses. The subnet 192.168.106.0 255.255.255.0 command states that net-192.168.106 will affect any IP address beginning with 192.168.106.

ciscoasa(config-if)# object network net-192.168.106
ciscoasa(config-network-object)# subnet 192.168.106.0 255.255.255.0

1.9. Additional Guidelines and Limitations:

The following guidelines and limitations apply to permitting or denying network access:

For the ASA 5550, for maximum throughput, be sure to balance your traffic over the two interface slots; for example, assign the inside interface to slot 1 and the outside interface to slot 0.

If you are using failover, do not use this procedure to name interfaces that you are reserving for failover and Stateful Failover communications.

In routed firewall mode, set the IP address for all interfaces.

In transparent firewall mode, do not set the IP address for each interface, but rather set it for the whole ASA or context. The exception is the Management 0/0 or 0/1 management-only interface, which does not pass through traffic.

By default, all IP traffic from a higher-security interface to a lower-security interface is allowed. Access lists enable you to either allow traffic from lower-security interfaces or restrict traffic from higher-security interfaces.

You use access lists to control network access in both routed and transparent firewall modes.

For connectionless protocols, you need to apply the access list to the source and destination interfaces if you want traffic to pass in both directions.

Always use the access-list command with the access-group command.

The show running-config access-group command displays the current access list bound to the interfaces.

The clear configure access-group command removes all the access lists from the interfaces.
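Sections 1.7 and 1.9 together describe how the ASA decides whether a new connection is allowed: an access list bound with access-group in on the ingress interface is checked first-match with an implicit deny after the last entry; with nothing bound inbound, the security-level rule applies (higher to lower allowed, lower to higher denied); an access-group out on the egress interface is checked afterwards. The Python model below is an added example written for this SOP, not code from the SOP or from Cisco. It parses the extended access-list and access-group lines from examples 2 to 4 of section 1.7 as constructed sample input and answers "would this flow be permitted?" for a few flows. Assumptions of the example: the hr interface is given a security level of 50 (the SOP does not state one), only the port keywords in PORT_NAMES are recognised after eq, equal security levels are treated as denied because the SOP does not cover same-security traffic, and only the initial packet of a new connection is modelled (EtherType lists, object groups and return traffic are out of scope).

```python
"""Model of the ASA access decision described in sections 1.7 and 1.9 of the SOP."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Port keywords accepted after `eq` in this example (a subset, by assumption).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "domain": 53}


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # None means any destination port


@dataclass
class Flow:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def strip_prompt(line: str) -> str:
    """Drop a leading `hostname(config)# ` style prompt, if present."""
    return line.split("# ", 1)[1] if "# " in line else line


def _take_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one address spec: `any`, `host A.B.C.D` or `A.B.C.D MASK`."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)


def parse_ace(line: str) -> Tuple[str, Ace]:
    """Parse `access-list NAME extended permit|deny PROTO SRC DST [eq PORT]`."""
    toks = strip_prompt(line).split()
    if toks[:1] != ["access-list"] or toks[2] != "extended":
        raise ValueError(f"unsupported access-list line: {line!r}")
    name, action, proto, rest = toks[1], toks[3], toks[4], toks[5:]
    src, dst = _take_addr(rest), _take_addr(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    return name, Ace(action, proto, src, dst, dport)


def acl_decision(aces: List[Ace], flow: Flow) -> str:
    """First matching entry wins; the implicit deny catches everything else."""
    s, d = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for ace in aces:
        if ace.proto != "ip" and ace.proto != flow.proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != flow.dport:
            continue
        return ace.action
    return "deny"


@dataclass
class Firewall:
    levels: Dict[str, int]                                   # interface -> security-level
    acls: Dict[str, List[Ace]] = field(default_factory=dict)
    bindings: Dict[Tuple[str, str], str] = field(default_factory=dict)  # (iface, in|out) -> ACL

    def load(self, lines: List[str]) -> None:
        for line in lines:
            toks = strip_prompt(line).split()
            if toks[:1] == ["access-list"]:
                name, ace = parse_ace(line)
                self.acls.setdefault(name, []).append(ace)
            elif toks[:1] == ["access-group"]:   # access-group NAME in|out interface IFACE
                self.bindings[(toks[4], toks[2])] = toks[1]

    def allows(self, ingress: str, egress: str, flow: Flow) -> bool:
        """Decision for a new connection entering `ingress` and leaving `egress`."""
        inbound = self.bindings.get((ingress, "in"))
        if inbound is not None:
            verdict = acl_decision(self.acls.get(inbound, []), flow)
        else:
            # Default rule from 1.9: higher security level -> lower only.
            # Equal levels are not covered by the SOP; treated as denied here.
            verdict = "permit" if self.levels[ingress] > self.levels[egress] else "deny"
        outbound = self.bindings.get((egress, "out"))
        if verdict == "permit" and outbound is not None:
            verdict = acl_decision(self.acls.get(outbound, []), flow)
        return verdict == "permit"


# Constructed sample input: examples 2 to 4 of section 1.7, copied as typed on the console.
EXAMPLE_CONFIG = [
    "hostname(config)# access-list OUTSIDE-ACL extended permit tcp any host 209.165.201.12 eq www",
    "hostname(config)# access-group OUTSIDE-ACL in interface outside",
    "hostname(config)# access-list ANY extended permit ip any any",
    "hostname(config)# access-list OUT extended permit ip host 209.168.200.3 any",
    "hostname(config)# access-list OUT extended permit ip host 209.168.200.4 any",
    "hostname(config)# access-group ANY in interface inside",
    "hostname(config)# access-group ANY in interface hr",
    "hostname(config)# access-group OUT out interface outside",
]


def example_firewall() -> Firewall:
    """inside=100 and outside=0 are the SOP's defaults; hr=50 is an assumption."""
    fw = Firewall(levels={"inside": 100, "hr": 50, "outside": 0})
    fw.load(EXAMPLE_CONFIG)
    return fw


if __name__ == "__main__":
    fw = example_firewall()
    print(fw.allows("outside", "inside", Flow("tcp", "198.51.100.7", "209.165.201.12", 80)))  # True
    print(fw.allows("outside", "inside", Flow("tcp", "198.51.100.7", "209.165.201.12", 22)))  # False
    print(fw.allows("inside", "outside", Flow("tcp", "192.168.1.10", "198.51.100.7", 443)))  # False
```

The third printed case is the one worth checking after a change: a host that is not 209.168.200.3 or .4 passes the ANY list on the inside interface but is dropped by the implicit deny of the OUT list bound outbound on outside, which is exactly the "only specific hosts access the outside network" behaviour example 4 promises. Feeding the model the lines from show running-config access-list and show running-config access-group of a real unit gives a quick offline check that a rule change has the intended effect before it is saved with write memory.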


1.10. Other useful commands and scenarios:

Here are some useful commands that help track the packet flow details at different stages in the process:

write memory: Saves the running configuration to the startup configuration.
Example: hostname# write memory
Note: The copy running-config startup-config command is equivalent to the write memory command.

Copying the Startup Configuration to the Running Configuration:

Command                                   Purpose
copy startup-config running-config        Merges the startup configuration with the running configuration.
reload                                    Reloads the ASA, which loads the startup configuration and discards the running configuration.
clear configure all                       Loads the startup configuration and discards the running configuration without requiring a reload.
copy startup-config running-config

Viewing the Configuration:

The following commands let you view the running and startup configurations.

Command                                   Purpose
show running-config                       Views the running configuration.
show running-config command               Views the running configuration of a specific command.
show startup-config                       Views the startup configuration.

Monitoring interface commands:

To monitor interfaces, enter one of the following commands:

Command                                   Purpose
show interface                            Displays interface statistics.
show interface ip brief                   Displays interface IP addresses and status.
show lacp {[channel_group_number] {counters | internal | neighbor} | sys-id}
                                          For EtherChannel, displays LACP information such as traffic statistics, system identifier and neighbor details.
show port-channel [channel_group_number] [brief | detail | port | protocol | summary]
                                          For EtherChannel, displays EtherChannel information in a detailed and one-line summary form. This command also displays the port and port-channel information.
show port-channel channel_group_number load-balance [hash-result {ip | ipv6 | l4port | mac | mixed | vlan-only} parameters]
                                          For EtherChannel, displays port-channel load-balance information along with the hash result and member interface selected for a given set of parameters.
show run static                           Displays the running status
show arp                                  Displays the address routing protocols
show xlate                                Displays the translation.

1.11. Troubleshooting connectivity through the firewall

Fig(4): Troubleshooting Connectivity Through the Firewall

Router

Make:

Model: Cisco 7200 VXR Series Router


Software version: s

IP: address:

Steps to connect:

1. xx
2. xxx

Useful commands and use case scenarios

IDS/IPS

Make:

Model:

Software version:


IP: address:

Steps to connect:

1. xx
2. xxx

Useful commands and use case scenarios

Load balancer

Make:

Model: CISCO ACE 4710

Software version:

IP: address:


Steps to connect:

1. xx
2. xxx

Useful commands and use case scenarios

Storage configuration


Network diagram:
