
Pokhara University

Nepal College of Information Technology

Manual
On

Advanced IP Switching and Routing for Enterprise Networks

Prepared by,
Er. Kumar Pudashine
(CCNP Security, ITIL Certified, ActivIdentity Certified)

July 2014


CHAPTER I
STANDARDS AND GUIDELINES
ITIL
ITIL stands for the Information Technology Infrastructure Library. ITIL is the international de facto management framework describing good practices for IT Service Management. The ITIL framework evolved from the UK government's efforts during the 1980s to document how successful organizations approached service management. By the early 1990s they had produced a large collection of books documenting the best practices for IT Service Management. This library was eventually entitled the IT Infrastructure Library. The Office of Government Commerce in the UK continues to operate as the trademark owner of ITIL.
ITIL has gone through several evolutions and was most recently refreshed with the release of version 3 in 2007. Through these evolutions the scope of the practices documented has increased in order to stay current with the continued maturity of the IT industry and to meet the needs and requirements of the ITSM professional community.
Five volumes make up the IT Infrastructure Library (Version 3):
Service Strategy
Service Design
Service Transition
Service Operation
Continual Service Improvement

A central concept to keep in mind when discussing the benefits of IT Service Management is the goal of business and IT alignment. When staff members of an IT organization have an internal focus on the technology being delivered and supported, they lose sight of the actual purpose and benefit that their efforts deliver to the business. One way to communicate how IT supports the business is Figure 1.B, which demonstrates business and IT alignment.
Figure 1.B divides an organization into a number of supporting layers that work towards meeting a number of organizational goals. These layers are described as follows:

1. Organization: What are the key goals for the organization?
2. CORE Business Processes: These business processes enable the objectives above to be met.
3. IT Service Organization: What IT Services are required to enable the effective and efficient execution of the business processes above?
4. IT Service Management: The focus here is on the ITIL processes required for quality delivery and support of the IT Services above.
5. IT Technical Activities: The actual technical activities required as part of the execution of the ITIL processes above. These are technology specific and as such not the focus of ITIL or this document.
Example to illustrate business and IT alignment:
Our Business: A fashion store
What are some of our organization's objectives or strategic goals?
- We want to make a lot of money $$$!
- We want to have a good image and reputation.
What Business Processes aid in achieving those objectives?
- Retail, marketing, buying, procurement, HR etc.
What IT Services are these business processes dependent on?
- Web site, email, automatic procurement system for buying products, Point of Sale Services.
We have ITSM in order to make sure the IT Services are:
- What we need (Service Level Management, Capacity Management etc.)
- Available when we need them (Availability Management, Incident Management etc.)
- Provisioned cost-effectively (Financial Management, Service Level Management)
If we don't manage the IT Services appropriately we cannot rely on these services to be available when we need them. If this occurs we cannot adequately support our business processes effectively and efficiently, and therefore we cannot meet or support our overall organization's objectives!
What are Services?
The concept of IT Services as opposed to IT components is central to understanding the Service
Lifecycle and IT Service Management principles in general. It requires not just a learned set of
skills but also a way of thinking that often challenges the traditional instincts of IT workers to
focus on the individual components (typically the applications or hardware under their care)
that make up the IT infrastructure. The mindset requires instead an alternative outlook to be
maintained, with the focus being the Service oriented or end-to-end view of what their
organization actually provides to its customers.
The official definition of a Service is a means of delivering value to Customers by facilitating
outcomes customers want to achieve without the ownership of specific costs or risks. Well
what does this actually mean? To explain some of the key concepts I will use an analogy that
most (food lovers) will understand.
While I do enjoy cooking, there are often times where I wish to enjoy quality food without the
time and effort required to prepare a meal. If I was to cook, I would need to go to a grocery
store, buy the ingredients, take these ingredients home, prepare and cook the meal, set the
table and of course clean up the kitchen afterwards. The alternative of course, I can go to a
restaurant that delivers a service that provides me with the same outcome (a nice meal)
without the time, effort and general fuss.
Now consider how I would identify the quality and value of that service being provided. It isn't just the quality of the food itself that will influence my perceptions but also:
- The cleanliness of the restaurant.
- The friendliness and customer service skills of the waiters and other staff.
- The ambience of the restaurant (lighting, music, decorations etc.).
- The time taken to receive my meal (and was it what I asked for?).
- Did they offer water as well as normal drinks and beverages?
If just one of these factors doesn't meet my expectations, then ultimately the perceived quality and value being delivered to me as a customer are negatively impacted.
The Service Life Cycle

Connecting Process and Functions

It is often said that processes are perfect... until people get involved. This saying comes from failures in executing processes caused by misunderstandings among the people involved and a lack of clarity regarding the roles and responsibilities that exist. A useful tool to assist in defining roles and responsibilities when designing processes is the RACI Model. RACI stands for:
R - Responsibility (actually does the work for that activity but reports to the function or position that has an A against it).
A - Accountability (is made accountable for ensuring that the action takes place, even if they might not do it themselves). This role implies ownership.
C - Consult (advice / guidance / information can be gained from this function or position prior to the action taking place).
I - Inform (the function or position that is told about the event after it has happened).

FCAPS
FCAPS is the ISO Telecommunications Management Network model and framework for network management. FCAPS is an acronym for Fault, Configuration, Accounting, Performance and Security. In the 1990s the ITU-T, as part of its work on the Telecommunications Management Network (TMN), further refined FCAPS as part of the TMN recommendation on Management Functions (M.3400).

Business Continuity Planning

According to the SANS definition, Business Continuity refers to the activities required to keep your organization running during a period of displacement or interruption of normal operation, whereas Disaster Recovery is the process of rebuilding your operation or infrastructure after the disaster has passed.
According to the Business Continuity Institute's Glossary, a Business Continuity Plan is a collection of procedures and information which is developed, compiled and maintained in readiness for use in the event of an emergency or disaster.
Why do we need a Business Continuity Plan?
A disaster might occur at any time, so we must be prepared. Depending on the size and nature of the business, we design a plan to minimize the disruption caused by a disaster and keep our business competitive.
Due to the advancement of Information Technology (IT), business nowadays depends heavily on IT. With the emergence of e-business, many businesses can't even survive without operating 24 hours a day, 7 days a week. A single downtime might mean disaster for their business. Therefore the traditional Disaster Recovery Plan (DRP), which focuses on restoring the centralized data center, might not be sufficient. A more comprehensive and rigorous Business Continuity Plan (BCP) is needed to achieve a state of business continuity where critical systems and networks are continuously available.
When do we need a Business Continuity Plan?
We need a Business Continuity Plan when there is a disruption to our business, such as a disaster. The Business Continuity Plan should cover the occurrence of the following events:
a) Equipment failure (such as a disk crash).
b) Disruption of power supply or telecommunications.
c) Application failure or corruption of a database.
d) Human error, sabotage or strike.
e) Malicious software (viruses, worms, Trojan horses) attack.
f) Hacking or other Internet attacks.
g) Social unrest or terrorist attacks.
h) Fire.
i) Natural disasters (flood, earthquake, hurricanes).

Who Should Participate in Business Continuity Planning?

With the shift of IT structure from centralized processing to distributed computing and client/server technology, the company's data are now located across the enterprise. Therefore it is no longer sufficient to rely on the IT department alone in Business Continuity Planning; all executives, managers and employees must participate.
Normally a Business Continuity Coordinator or Disaster Recovery Coordinator will be responsible for maintaining the Business Continuity Plan. However, his or her job is not to update the Plan alone. His or her job is to carry out reviews periodically by distributing the relevant parts of the Plan to the owners of the documents and ensuring the documents are updated.

Where to Carry out the BCP during a Disaster?

a) Cold Site
An empty facility located offsite with the necessary infrastructure ready for installation in the event of a disaster.
b) Mutual Backup
Two organizations with similar system configurations agreeing to serve as a backup site for each other.
c) Hot Site
A site with hardware, software and network installed and compatible with the production site.
d) Remote Journaling
Online transmission of transaction data to the backup system periodically (normally every few hours) to minimize loss of data and reduce recovery time.
e) Mirrored Site
A site equipped with a system identical to the production system and a mirroring facility. Data is mirrored to the backup system immediately. Recovery is transparent to users.

How to prepare a Business Continuity Plan?

The Business Continuity Planning phases are listed below.
1. Project Initiation
- Define Business Continuity Objective and Scope of coverage.
- Establish a Business Continuity Steering Committee.
- Draw up Business Continuity Policies.

2. Business Analysis
- Perform Risk Analysis and Business Impact Analysis.
- Consider Alternative Business Continuity Strategies.
- Carry out Cost-Benefit Analysis and select a Strategy.
- Develop a Business Continuity Budget.

3. Design and Development (Designing the Plan)
- Set up a Business Recovery Team and assign responsibility to the members.
- Identify Plan Structure and major components.
- Develop Backup and Recovery Strategies.
- Develop Scenarios to Execute the Plan.
- Develop Escalation, Notification and Plan Activation Criteria.
- Develop General Plan Administration Policy.

4. Implementation (Creating the Plan)
- Prepare Emergency Response Procedures.
- Prepare Command Center Activation Procedures.
- Prepare Detailed Recovery Procedures.
- Prepare Vendor Contracts and Purchase of Recovery Resources.
- Ensure everything necessary is in place.
- Ensure Recovery Team members know their Duties and Responsibilities.

5. Testing
- Exercise the Plan based on the selected Scenario.
- Produce a Test Report and Evaluate the Result.
- Provide Training and Awareness to all Personnel.

6. Maintenance (Updating the Plan)
- Review the Plan periodically.
- Update the Plan with any Changes or Improvements.
- Distribute the Plan to Recovery Team members.

Data Center and Disaster Recovery Design Guidelines

A data center, as defined in TIA/EIA-942, Telecommunications Infrastructure Standard for Data Centers, is a building or portion of a building whose primary function is to house a computer room and its support areas. The main functions of a data center are to centralize and consolidate information technology (IT) resources, house network operations, facilitate e-business and provide uninterrupted service to mission-critical data processing operations.
Data centers can be classified as either enterprise (private) data centers or co-location (co-lo)/hosting (public) data centers. Enterprise data centers are privately owned and operated by private corporate, institutional or government entities. Enterprise data centers support internal data transactions and processing, as well as Web Services, and are supported and managed by internal IT support. Co-lo data centers are owned and operated by telecoms or unregulated competitive service providers and offer outsourced IT services. Services that data centers typically provide include Internet access, application or Web hosting, content distribution, file storage and backup, database management, fail-safe power, HVAC controls, security and high-performance cabling infrastructure. The functional areas of the data center can be broken down into three zones:
a) Point of Presence (POP) Zone
b) Server Area Zone
c) Storage Network Zone

Figure: Functional Areas of Data Center

POP Zone
This area of the data center is sometimes referred to as the "meet me room". It is typically the area where the service providers enable access to their networks. This area contains many routers and core switches.
Server Zone
This area of the data center provides the front-end connection to the servers. This area contains many switches and servers. The protocols used to communicate in this area are Gigabit and 10 Gigabit Ethernet.
Storage Zone
This area of the data center provides the back-end connection to data. This area contains many types of storage devices. The protocols used to communicate in this area are Fiber Channel, Ethernet and the Small Computer System Interface (SCSI).

Network Architecture Design Guidelines


Network Architecture plays a vital role for any enterprise. Networks must support a wide range
of applications and services, as well as operate over many different types of physical
infrastructures. The term network architecture, in this context, refers to both the technologies
that support the infrastructure and the programmed services and protocols that move the
messages across that infrastructure. As the Internet, and networks in general, evolve, we are discovering that there are four basic characteristics that the underlying architectures need to address in order to meet user expectations: fault tolerance, scalability, quality of service, and security.
Fault Tolerance
The expectation that the Internet is always available to the millions of users who rely on it
requires a network architecture that is designed and built to be fault tolerant. A fault tolerant
network is one that limits the impact of a hardware or software failure and can recover quickly
when such a failure occurs. These networks depend on redundant links, or paths, between the
source and destination of a message. If one link or path fails, processes ensure that messages
can be instantly routed over a different link transparent to the users on either end. Both the
physical infrastructures and the logical processes that direct the messages through the network
are designed to accommodate this redundancy. This is a basic premise of the architecture of
current networks.

Figure: Maintaining Fault Tolerance


Scalability
A scalable network can expand quickly to support new users and applications without impacting
the performance of the service being delivered to existing users. Thousands of new users and
service providers connect to the Internet each week. The ability of the network to support
these new interconnections depends on a hierarchical layered design for the underlying
physical infrastructure and logical architecture. The operation at each layer enables users or
service providers to be inserted without causing disruption to the entire network. Technology
developments are constantly increasing the message carrying capabilities and performance of
the physical infrastructure components at every layer. These developments, along with new
methods to identify and locate individual users within an internetwork, are enabling the
Internet to keep pace with user demand.

Figure: Scalable Network Architecture

Quality of Service
The Internet is currently providing an acceptable level of fault tolerance and scalability for its
users. But new applications available to users over internetworks create higher expectations for
the quality of the delivered services. Voice and live video transmissions require a level of
consistent quality and uninterrupted delivery that was not necessary for traditional computer
applications. Quality of these services is measured against the quality of experiencing the same
audio or video presentation in person. Traditional voice and video networks are designed to
support a single type of transmission, and are therefore able to produce an acceptable level of
quality. New requirements to support this quality of service over a converged network are
changing the way network architectures are designed and implemented.

Figure : Maintaining QoS

Security
The Internet has evolved from a tightly controlled internetwork of educational and government
organizations to a widely accessible means for transmission of business and personal
communications. As a result, the security requirements of the network have changed. The
security and privacy expectations that result from the use of internetworks to exchange
confidential and business critical information exceed what the current architecture can deliver.
Rapid expansion in communication areas that were not served by traditional data networks is
increasing the need to embed security into the network architecture. As a result, much effort is
being devoted to this area of research and development. In the meantime, many tools and
procedures are being implemented to combat inherent security flaws in the network
architecture.

Figure: Maintaining Security Architecture



Access Network Design Guidelines

The Access Network plays a vital role for any enterprise. It enables end users to connect to their cloud site (Data Center / Disaster Recovery Center). The tabulated framework below shows a sample description along with the detailed specification of the work that needs to be done for any Access Site of an enterprise.

S.No  Description                                    Specification
1     Branch Router                                  Cisco 1841/Cisco 892 Series Router with 8 Integrated Switch ports.
2     Branch Switch                                  Cisco 2960 Switch with Gigabit/Fiber Uplink.
3     24 Port Modular Patch-Panels with              Bold Port Numbering for Quick Identification of Outlets.
      24 x Cat.6 Outlets                             Supports both T568A and T568B Wiring Patterns.
                                                     Easy Front & Back Access of Horizontal Cables, Re-terminable
                                                     and no Punch-down Tool Required.
4     Faceplate                                      Surface Mount Box with Single data outlet Cat.6 FacePlate.
5     1 mtr. Patch Cord (Standard Conductor) Cat.6   Factory-Crimped.
      (From Switch to Patch Panel)
6     3 mtr. Patch Cord (Standard Conductor) Cat.6   Factory-Crimped.
      (From Faceplate to PC)
7     Cat.6 Four-Pair UTP cable                      Branded and Should Pass Fluke Test for 100 Meters.
8     Network Rack                                   Integrated with Power Distribution Unit.
9     Complete Installation and Testing              Cabling/Wiring should be EIA/TIA 568B Standard.
                                                     Labeling should follow ANSI/TIA 606-B Standard.
                                                     Testing should follow ANSI/EIA/TIA TSB-67 Level II Test
                                                     (Fluke Test) for Certification of all Points Required
                                                     (Impedance, Length, Prop Delay, Delay Skew, Resistance,
                                                     Attenuation, Return Loss, NEXT, Wiremap).
                                                     Complete Wiring Documentation.

Figure: Access Network Design Framework

For ANSI/EIA/TIA 606-B Standard (Appendix A)
For ANSI/EIA/TIA TSB-67 Standard (Appendix A)

Living in a Network Centric World


Among all of the essentials for human existence, the need to interact with others ranks just
below our need to sustain life. Communication is almost as important to us as our reliance on
air, water, food, and shelter.
The methods that we use to share ideas and information are constantly changing and evolving.
Whereas the human network was once limited to face-to-face conversations, media
breakthroughs continue to extend the reach of our communications. From the printing press to
television, each new development has improved and enhanced our communication. As with
every advance in communication technology, the creation and interconnection of robust data
networks is having a profound effect.
Early data networks were limited to exchanging character-based information between
connected computer systems. Current networks have evolved to carry voice, video streams,
text, and graphics between many different types of devices. Previously separate and distinct
communication forms have converged onto a common platform. This platform provides access
to a wide range of alternative and new communication methods that enable people to interact
directly with each other almost instantaneously.
The immediate nature of communications over the Internet encourages the formation of global
communities. These communities foster social interaction that is independent of location or
time zone.

Figure: Converged Network



CHAPTER II
ENTERPRISE ROUTING AND PACKET FORWARDING
Static Routing with Failover
Routers forward packets using either route information from route table entries that you
manually configure or the route information that is calculated using dynamic routing
algorithms.
Static routes, which define explicit paths between two routers, cannot be automatically
updated; you must manually reconfigure static routes when network changes occur. Static
routes use less bandwidth than dynamic routes. No CPU cycles are used to calculate and
analyze routing updates.
You can supplement dynamic routes with static routes where appropriate. You can redistribute
static routes into dynamic routing algorithms but you cannot redistribute routing information
calculated by dynamic routing algorithms into the static routing table.
You should use static routes in environments where network traffic is predictable and where
the network design is simple. You should not use static routes in large, constantly changing
networks because static routes cannot react to network changes. Most networks use dynamic
routes to communicate between routers but might have one or two static routes configured for
special cases. Static routes are also useful for specifying a gateway of last resort (a default
router to which all unroutable packets are sent).
By default, static routes have an administrative distance of one, which gives them precedence
over routes from dynamic routing protocols. When you increase the administrative distance to
a value greater than that of a dynamic routing protocol, the static route can be a safety net in
the event that dynamic routing fails. For example, Enhanced Interior Gateway Routing Protocol
(EIGRP) routes have a default administrative distance of 90. In order to configure a static route
that is overridden by an EIGRP route, specify an administrative distance greater than 90 for the
static route.
Example of Static Routing with Failover
Router_Pokhara(config)#ip route 192.168.1.0 255.255.255.0 10.10.1.2 1
Router_Pokhara(config)#ip route 192.168.1.0 255.255.255.0 10.10.2.2 2

Router_Kathmandu(config)#ip route 192.168.10.0 255.255.255.0 10.10.1.1 1
Router_Kathmandu(config)#ip route 192.168.10.0 255.255.255.0 10.10.2.1 2

On each router the second route carries an administrative distance of 2, so it stays out of the routing table while the preferred route (distance 1) is present and is installed only when that route is removed, for example because the interface towards its next hop goes down.

Static Routing with Failover (IPSLA)

Cisco IP SLAs is a part of Cisco IOS that allows Cisco customers to analyze IP service levels for IP applications and services by using active traffic monitoring to measure network performance. With Cisco IOS IP SLAs, service provider customers can measure and provide service level agreements, and enterprise customers can verify service levels, verify outsourced service level agreements, and understand network performance. Cisco IOS IP SLAs can perform network assessments, verify quality of service (QoS), ease the deployment of new services, and assist with network troubleshooting.
IP SLAs collects a unique subset of these performance metrics:
- Delay (both round-trip and one-way)
- Jitter (directional)
- Packet loss (directional)
- Packet sequencing (packet ordering)
- Path (per hop)
- Connectivity (directional)
- Server or website download time

In this example, the ICMP Echo operation will be used to measure the end-to-end response time between a Cisco router and a web server using IP. Response time is computed by measuring the time taken between sending an ICMP Echo request message to the destination and receiving an ICMP Echo reply.
Example
Suppose that the Ciscozine router has two different links, one is the main connection (red link) and the other one (blue link) is the backup connection; the question is: how can I enable the backup link if the main connection goes down? In general, the best solution for this scenario is to use a dynamic routing protocol, but what can I do if I can't use one? The solution is IP SLA.

1. Define the IP SLA operation. The Ciscozine router will send an ICMP echo request to 172.16.255.2 (the Ciscozine default gateway) every 10 seconds with a timeout of 5000 ms and a threshold value of 500 ms.

Ciscozine(config)#ip sla 1
Ciscozine(config-ip-sla)#icmp-echo 172.16.255.2 source-interface FastEthernet1/0
Ciscozine(config-ip-sla-echo)#timeout 5000
Ciscozine(config-ip-sla-echo)#frequency 10
Ciscozine(config-ip-sla-echo)#threshold 500

2. Start the IP SLA operation. It is possible to schedule the SLA operation in different ways, but in this tutorial I want to start the IP SLA operation immediately and forever. Notice that the 1 refers to the ip sla 1 command.

Ciscozine(config)#ip sla schedule 1 start-time now life forever

3. Track the state of the IP SLA. Every IP SLAs operation maintains an operation return-code value. This return code is interpreted by the tracking process. The return code may be OK, Over Threshold, or one of several other return codes. Two aspects of an IP SLAs operation can be tracked: state and reachability.

Tracking       Return Code                 Track State
State          OK                          Up
               (all other return codes)    Down
Reachability   OK or Over Threshold        Up
               (all other return codes)    Down

In this case it is preferable to use reachability, so the track state will be Down only in case of an ICMP timeout.

Ciscozine(config)#track 10 ip sla 1 reachability

4. Define the tracked route. Finally, I must delete the old default gateway entry, add the default gateway with the track feature (notice that the number 10 refers to the track object defined in the previous step) and insert a second default route with a higher, less preferred administrative distance. Hence if the track state is Down the last route will be used to forward all the traffic (notice that the number 5 defines the administrative distance).

Ciscozine(config)#ip route 0.0.0.0 0.0.0.0 172.16.255.2 track 10
Ciscozine(config)#no ip route 0.0.0.0 0.0.0.0 172.16.255.2
Ciscozine(config)#ip route 0.0.0.0 0.0.0.0 172.16.255.6 5
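To make the chain built in steps 1 to 4 concrete, here is an added Python model, not Cisco IOS code and not part of the original manual or the Ciscozine article, of how a measured ICMP echo RTT becomes an IP SLA return code, how the track object maps that return code to Up or Down under the state and reachability modes, and how the routing table then chooses between the tracked default route and the floating static. The next hops, administrative distances, timeout and threshold are those of the Ciscozine example; the sequence of probe RTTs is constructed sample input, and the function and class names are this example's own.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Values from the Ciscozine configuration (ip sla 1 / track 10).
TIMEOUT_MS = 5000
THRESHOLD_MS = 500


def sla_return_code(rtt_ms: Optional[float], timeout_ms: int = TIMEOUT_MS,
                    threshold_ms: int = THRESHOLD_MS) -> str:
    """Classify one ICMP echo probe the way the IP SLA operation does.
    rtt_ms is None when no echo reply came back at all."""
    if rtt_ms is None or rtt_ms > timeout_ms:
        return "Timeout"          # no reply within the timeout
    if rtt_ms > threshold_ms:
        return "OverThreshold"    # reply arrived, but slower than the threshold
    return "OK"


def track_state(return_code: str, mode: str) -> str:
    """Map an operation return code to a track state (the table in step 3).
    mode='state' is Up only on OK; mode='reachability' also tolerates OverThreshold."""
    if mode == "state":
        return "Up" if return_code == "OK" else "Down"
    if mode == "reachability":
        return "Up" if return_code in ("OK", "OverThreshold") else "Down"
    raise ValueError(f"unknown tracking mode: {mode}")


@dataclass(frozen=True)
class StaticRoute:
    prefix: str
    next_hop: str
    distance: int = 1            # administrative distance, default 1 for static routes
    track: Optional[int] = None  # track object id, or None for an untracked route


# The two default routes from step 4: tracked primary and floating backup (AD 5).
ROUTES: List[StaticRoute] = [
    StaticRoute("0.0.0.0/0", "172.16.255.2", distance=1, track=10),
    StaticRoute("0.0.0.0/0", "172.16.255.6", distance=5),
]


def lookup(routes: List[StaticRoute], track_states: Dict[int, str],
           destination: str) -> Optional[StaticRoute]:
    """Pick the route a router would use: longest prefix match first, then the
    lowest administrative distance. A tracked route is only a candidate while its
    track object is Up, which is what lets the floating static take over."""
    dst = ip_address(destination)
    best = None
    for route in routes:
        net = ip_network(route.prefix)
        if dst not in net:
            continue
        if route.track is not None and track_states.get(route.track) != "Up":
            continue
        key = (net.prefixlen, -route.distance)   # longer prefix, then lower AD, wins
        if best is None or key > best[0]:
            best = (key, route)
    return None if best is None else best[1]


def failover_demo(probe_rtts: List[Optional[float]],
                  mode: str = "reachability") -> List[Tuple[str, str, str]]:
    """Run a constructed sequence of probe results through SLA -> track -> route and
    return (return code, track state, chosen default gateway) for each probe."""
    result = []
    for rtt in probe_rtts:
        code = sla_return_code(rtt)
        states = {10: track_state(code, mode)}
        route = lookup(ROUTES, states, "192.168.1.10")
        result.append((code, states[10], route.next_hop))
    return result


if __name__ == "__main__":
    # Constructed probes: healthy, slow, lost (cable unplugged), healthy again.
    for row in failover_demo([24, 600, None, 30]):
        print(*row)
```

Running the demo with the reachability mode shows why the tutorial prefers it: the slow probe (600 ms, over the 500 ms threshold) leaves the primary route installed, and only the lost probe moves traffic to 172.16.255.6; the same sequence under the state mode would fail over on the slow probe as well.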

5. Check the IP SLA.

Now that I have defined the IP SLA object, I can check some useful information when the main link (red link) is UP or NOT.
Red link UP
To display information about the IP route track table:

Ciscozine#show ip route track-table
ip route 0.0.0.0 0.0.0.0 172.16.255.2 track 10 state is [up]
Ciscozine#

To display information about the IP routing table:

Ciscozine#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 172.16.255.2 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 172.16.255.2
      172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
C        172.16.255.0/30 is directly connected, FastEthernet1/0
L        172.16.255.1/32 is directly connected, FastEthernet1/0
C        172.16.255.4/30 is directly connected, FastEthernet1/1
L        172.16.255.5/32 is directly connected, FastEthernet1/1
Ciscozine#

To display information about the IP SLA:

Ciscozine#show ip sla statistics
IPSLAs Latest Operation Statistics

IPSLA operation id: 1
Latest RTT: 24 milliseconds
Latest operation start time: 10:40:43 UTC Wed May 8 2013
Latest operation return code: OK
Number of successes: 3
Number of failures: 0
Operation time to live: Forever

Ciscozine#

To display information about the track object:

Ciscozine#show track
Track 10
  IP SLA 1 reachability
  Reachability is Up
    12 changes, last change 00:33:48
  Latest operation return code: OK
  Latest RTT (millisecs) 24
  Tracked by:
    STATIC-IP-ROUTING 0
Ciscozine#

Red link DOWN

First of all, ping the web server (192.168.1.10) that is at the headquarters, then unplug the Ciscozine FastEthernet1/0 cable.

Ciscozine#ping 192.168.1.10 repeat 200
Type escape sequence to abort.
Sending 200, 50-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!....
May 8 03:23:30.082: %TRACKING-5-STATE: 10 ip sla 1 reachability Up->Down.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 97 percent (195/200), round-trip min/avg/max = 20/66/248 ms
Ciscozine#

As you can see, when the cable is unplugged there are three different events:
1. there are some timeouts;
2. the tracking state goes down (May 8 03:23:30.082: %TRACKING-5-STATE: 10 ip sla 1 reachability Up->Down);
3. the tracked route goes down and the backup default route (ip route 0.0.0.0 0.0.0.0 172.16.255.6 5) comes up.
So the output of the previous show commands will be:
The track object is down:

Ciscozine#show ip route track-table
ip route 0.0.0.0 0.0.0.0 172.16.255.2 track 10 state is [down]

The default route is 172.16.255.6 (the backup connection):

Ciscozine#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 172.16.255.6 to network 0.0.0.0

S*    0.0.0.0/0 [5/0] via 172.16.255.6
      172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
C        172.16.255.0/30 is directly connected, FastEthernet1/0
L        172.16.255.1/32 is directly connected, FastEthernet1/0
C        172.16.255.4/30 is directly connected, FastEthernet1/1
L        172.16.255.5/32 is directly connected, FastEthernet1/1
Ciscozine#

The return code is Timeout:

Ciscozine#show ip sla statistics
IPSLAs Latest Operation Statistics

IPSLA operation id: 1
Latest RTT: NoConnection/Busy/Timeout
Latest operation start time: 10:42:03 UTC Wed May 8 2013
Latest operation return code: Timeout
Number of successes: 8
Number of failures: 3
Operation time to live: Forever

Ciscozine#

The track object is down:

Ciscozine#show track
Track 10
  IP SLA 1 reachability
  Reachability is Down
    13 changes, last change 00:00:22
  Latest operation return code: Timeout
  Tracked by:
    STATIC-IP-ROUTING 0
Ciscozine#

Red link again UP

At this point I ping the web server (192.168.1.10), then I reconnect the Ciscozine
fastethernet1/0 cable:

Ciscozine#ping 192.168.1.10 size 50 repeat 200

Type escape sequence to abort.
Sending 200, 50-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (200/200), round-trip min/avg/max = 12/71/172 ms
Ciscozine#
Ciscozine#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 172.16.255.2 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 172.16.255.2
      172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
C        172.16.255.0/30 is directly connected, FastEthernet1/0
L        172.16.255.1/32 is directly connected, FastEthernet1/0
C        172.16.255.4/30 is directly connected, FastEthernet1/1
L        172.16.255.5/32 is directly connected, FastEthernet1/1
Ciscozine#

As you can see, when the main line comes up (the default gateway is again 172.16.255.2),
not a single packet is lost.
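The %TRACKING-5-STATE message seen above is the only record the router leaves of the failover, so it is the line a monitoring system should key on. The following Python is an added example (not part of the original post or of Cisco IOS): it parses tracking-state transitions from syslog text and reports whether the primary path is currently down, i.e. whether the floating static route (administrative distance 5) is in use. The first log line is the one from the demonstration; the other lines are constructed to show a complete down/up cycle.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample syslog excerpt. The first line is the message the router
# printed above (without the ping output that was interleaved after it); the
# other two are constructed to complete a Down -> Up cycle.
SAMPLE_LOG = """\
May 8 03:23:30.082: %TRACKING-5-STATE: 10 ip sla 1 reachability Up->Down
May 8 03:23:31.001: %SYS-5-CONFIG_I: Configured from console by console
May 8 03:25:02.417: %TRACKING-5-STATE: 10 ip sla 1 reachability Down->Up
"""

# Format: <timestamp>: %TRACKING-5-STATE: <track-id> <tracked object> <old>-><new>
TRACK_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+): %TRACKING-5-STATE: "
    r"(?P<track>\d+) (?P<obj>.+?) (?P<old>\w+)->(?P<new>\w+)$"
)


@dataclass
class TrackEvent:
    timestamp: str
    track_id: int
    obj: str          # e.g. "ip sla 1 reachability"
    old_state: str
    new_state: str


def parse_track_event(line: str) -> Optional[TrackEvent]:
    """Return a TrackEvent for a %TRACKING-5-STATE line, None for anything else."""
    m = TRACK_RE.match(line.strip())
    if not m:
        return None
    return TrackEvent(m["ts"], int(m["track"]), m["obj"], m["old"], m["new"])


def failover_events(log: str, track_id: int) -> List[TrackEvent]:
    """Every state change of the given track object, in log order."""
    return [ev for ev in map(parse_track_event, log.splitlines())
            if ev is not None and ev.track_id == track_id]


def primary_is_down(log: str, track_id: int) -> bool:
    """True when the last recorded transition left the track object Down,
    which means the backup default route is carrying the traffic right now."""
    events = failover_events(log, track_id)
    return bool(events) and events[-1].new_state == "Down"
```

Feeding the router's syslog stream (or the output of show logging) through failover_events gives an alert trail with exact timestamps; a track that flaps repeatedly is a sign that the IP SLA thresholds or the cable itself need attention.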

References:
http://www.cisco.com//configuration/guide/swipsla.html

Dynamic Routing protocols


Dynamic routing protocols are usually used in larger networks to ease the administrative and
operational overhead of using only static routes. Typically, a network uses a combination of
both a dynamic routing protocol and static routes. In most networks, a single dynamic routing
protocol is used; however, there are cases where different parts of the network may use
different routing protocols.
One of the earliest routing protocols was Routing Information Protocol (RIP). RIP has evolved
into a newer version, RIPv2. However, the newer version of RIP still does not scale to larger
network implementations. To address the needs of larger networks, two advanced routing
protocols were developed: Open Shortest Path First (OSPF) and Intermediate System-to-Intermediate
System (IS-IS). Cisco developed Interior Gateway Routing Protocol (IGRP) and
Enhanced IGRP (EIGRP), which also scales well in larger network implementations.
Additionally, there was the need to interconnect different internetworks and provide routing
among them. Border Gateway Protocol (BGP) is now used between ISPs as well as
between ISPs and their larger private clients to exchange routing information.
With the advent of numerous consumer devices using IP, the IPv4 addressing space is nearly
exhausted. Thus IPv6 has emerged. To support communication based on IPv6, newer
versions of the IP routing protocols have been developed.
Routing protocols determine the best path to each network which is then added to the routing
table. One of the primary benefits to using a dynamic routing protocol is that routers exchange
routing information whenever there is a topology change. This exchange allows routers to
automatically learn about new networks and also to find alternate paths when there is a link
failure to a current network.
Compared to static routing, dynamic routing protocols require less administrative overhead.
However, the expense of using dynamic routing protocols is dedicating part of a router's
resources for protocol operation including CPU time and network link bandwidth. Despite the
benefits of dynamic routing, static routing still has its place. There are times when static routing
is more appropriate and other times when dynamic routing is the better choice. More often
than not, you will find a combination of both types of routing in any network that has a
moderate level of complexity.
Autonomous System
An autonomous system (AS) is a collection of networks under the administrative control of a
single entity that presents a common routing policy to the Internet.
The guidelines for the creation, selection, and registration of an autonomous system are
described in RFC 1930. AS numbers are assigned by the Internet Assigned Numbers Authority
(IANA), the same authority that assigns IP address space. The local Regional Internet Registries
(RIRs) are responsible for assigning an AS number to an entity from their block of assigned AS
numbers. Prior to 2007, AS numbers were 16-bit numbers, ranging from 0 to 65535. Now 32-bit
AS numbers are assigned, increasing the number of available AS numbers to over 4 billion.
Based on whether they route inside or between autonomous systems, routing protocols are
classified into two types: Interior Gateway Protocols (IGP) and Exterior Gateway Protocols (EGP).
IGPs are used for intra-autonomous system routing - routing inside an autonomous system.
EGPs are used for inter-autonomous system routing - routing between autonomous systems.

Figure: IGP vs. EGP Routing Protocols

Interior Gateway Routing Protocols


RIP V2
RIPv2 is defined in RFC 1723. Like version 1, RIPv2 is encapsulated in a UDP segment using port
520 and can carry up to 25 routes.
The first extension in the RIPv2 message format is the subnet mask field, which allows a 32-bit
mask to be included in each RIP route entry. As a result, the receiving router no longer depends
upon the subnet mask of the inbound interface or the classful mask when determining the
subnet mask for a route.
The second significant extension to the RIPv2 message format is the addition of the Next Hop
address. The Next Hop address is used to identify a better next-hop address - if one exists - than
the address of the sending router. If the field is set to all zeros (0.0.0.0), the address of the
sending router is the best next-hop address.
"RFC 1723: RIP Version 2," http://www.ietf.org/rfc/rfc1723.txt
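To make the message format concrete, here is an added Python example (written for this manual, not code from RFC 1723 or from any router vendor) that serializes and parses a RIPv2 response. It follows the RFC 1723 layout: a 4-byte header (command, version, must-be-zero) followed by up to 25 entries of 20 bytes each (address family, route tag, IP address, subnet mask, next hop, metric). The parser applies the two rules the text describes: the subnet mask comes from the entry itself, and an all-zero Next Hop is replaced by the sender's address. The sample routes and addresses are constructed.

```python
import socket
import struct
from typing import List, NamedTuple

RIP_PORT = 520            # RIPv1 and RIPv2 both use UDP port 520
RIP_RESPONSE = 2          # command field: 1 = request, 2 = response
RIP_VERSION = 2
MAX_ENTRIES = 25          # at most 25 route entries per RIP message
AFI_INET = 2              # address family identifier for IPv4
HEADER_FMT = "!BBH"       # command, version, must-be-zero (routing domain in RIPv2)
ENTRY_FMT = "!HH4s4s4sI"  # AFI, route tag, IP address, subnet mask, next hop, metric
ENTRY_LEN = struct.calcsize(ENTRY_FMT)   # 20 bytes


class RouteEntry(NamedTuple):
    prefix: str
    mask: str        # the RIPv2 subnet mask field (RIPv1 had no such field)
    next_hop: str    # 0.0.0.0 on the wire means "the sending router is the next hop"
    metric: int      # 1..15 reachable, 16 = infinity
    route_tag: int = 0


def build_response(entries: List[RouteEntry]) -> bytes:
    """Serialize a RIPv2 response message."""
    if len(entries) > MAX_ENTRIES:
        raise ValueError("a RIP message carries at most 25 routes")
    msg = struct.pack(HEADER_FMT, RIP_RESPONSE, RIP_VERSION, 0)
    for e in entries:
        msg += struct.pack(ENTRY_FMT, AFI_INET, e.route_tag,
                           socket.inet_aton(e.prefix), socket.inet_aton(e.mask),
                           socket.inet_aton(e.next_hop), e.metric)
    return msg


def parse_response(data: bytes, sender: str) -> List[RouteEntry]:
    """Parse a RIPv2 response received from `sender`, resolving the next hop the
    way a receiving router does: an all-zero Next Hop field means the sender."""
    if len(data) < 4:
        raise ValueError("truncated RIP header")
    command, version, _ = struct.unpack(HEADER_FMT, data[:4])
    if command != RIP_RESPONSE or version != RIP_VERSION:
        raise ValueError("not a RIPv2 response")
    body = data[4:]
    if len(body) % ENTRY_LEN or len(body) // ENTRY_LEN > MAX_ENTRIES:
        raise ValueError("malformed RIP body")
    routes = []
    for off in range(0, len(body), ENTRY_LEN):
        afi, tag, ip, mask, nh, metric = struct.unpack(ENTRY_FMT, body[off:off + ENTRY_LEN])
        if afi != AFI_INET:
            continue   # e.g. the AFI 0xFFFF authentication entry; it is not a route
        if not 1 <= metric <= 16:
            raise ValueError(f"invalid metric {metric}")
        next_hop = socket.inet_ntoa(nh)
        if next_hop == "0.0.0.0":
            next_hop = sender
        routes.append(RouteEntry(socket.inet_ntoa(ip), socket.inet_ntoa(mask),
                                 next_hop, metric, tag))
    return routes


# Constructed sample: two routes advertised by a router at 10.0.0.1, one of
# which points at a better next hop (10.0.0.2) on the same segment.
SAMPLE_ROUTES = [
    RouteEntry("192.168.10.0", "255.255.255.0", "0.0.0.0", 1),
    RouteEntry("192.168.20.0", "255.255.255.128", "10.0.0.2", 2),
]
SAMPLE_MESSAGE = build_response(SAMPLE_ROUTES)
```

A full message with 25 entries is 504 bytes, which is why a router with a larger table sends several UDP datagrams per update; the length check in parse_response rejects anything that does not fit the 4 + n*20 layout.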

EIGRP
Cisco developed the proprietary IGRP in 1985, in response to some of the limitations of RIPv1,
including the use of the hop count metric and the maximum network size of 15 hops.
Instead of hop count, both IGRP and EIGRP use metrics composed of bandwidth, delay,
reliability, and load. By default, both routing protocols use only bandwidth and delay. However,
because IGRP is a classful routing protocol that uses the Bellman-Ford algorithm and periodic
updates, its usefulness is limited in many of today's networks.
Therefore, Cisco enhanced IGRP with a new algorithm, DUAL, and other features. The
commands for both IGRP and EIGRP are similar, and in many cases identical. This allows for
easy migration from IGRP to EIGRP. Cisco discontinued IGRP starting with IOS 12.2(13)T and
12.2(R1s4)S.
The Diffusing Update Algorithm (DUAL) is the convergence algorithm used by EIGRP instead of the
Bellman-Ford or Ford-Fulkerson algorithms used by other distance vector routing protocols, such as
RIP. DUAL is based on research conducted at SRI International, using calculations that were first
proposed by E.W. Dijkstra and C.S. Scholten. The most prominent work on DUAL has been
done by J.J. Garcia-Luna-Aceves.

OSPF
Open Shortest Path First (OSPF) is a link-state routing protocol that was developed as a
replacement for the distance vector routing protocol RIP. RIP was an acceptable routing
protocol in the early days of networking and the Internet, but its reliance on hop count as the
only measure for choosing the best route quickly became unacceptable in larger networks that
needed a more robust routing solution. OSPF is a classless routing protocol that uses the
concept of areas for scalability. RFC 2328 defines the OSPF metric as an arbitrary value called
cost. The Cisco IOS uses bandwidth as the OSPF cost metric.
The initial development of OSPF began in 1987 by the Internet Engineering Task Force (IETF)
OSPF Working Group. At that time the Internet was largely an academic and research network
funded by the U.S. government.
In 1989, the specification for OSPFv1 was published in RFC 1131. There were two
implementations written: one to run on routers and the other to run on UNIX workstations. The
latter implementation later became a widespread UNIX process known as GATED. OSPFv1 was
an experimental routing protocol and never deployed.
In 1991, OSPFv2 was introduced in RFC 1247 by John Moy. OSPFv2 offered significant technical
improvements over OSPFv1. At the same time, ISO was working on a link-state routing protocol
of their own, Intermediate System-to-Intermediate System (IS-IS). Not surprisingly, IETF chose
OSPF as their recommended IGP (Interior Gateway Protocol).
In 1998, the OSPFv2 specification was updated in RFC 2328 and is the current RFC for OSPF.
Each OSPF router maintains a link-state database containing the LSAs received from all other
routers. Once a router has received all of the LSAs and built its local link-state database, OSPF uses
Dijkstra's shortest path first (SPF) algorithm to create an SPF tree. The SPF tree is then used to
populate the IP routing table with the best paths to each network.
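The SPF computation on a small link-state database, as an added Python example (not code from any OSPF implementation): interface cost is derived the way the text says Cisco IOS does it, as reference bandwidth divided by interface bandwidth (the 100 Mbit/s reference value is the IOS default; it is an assumption of this example and is changed with auto-cost reference-bandwidth), and Dijkstra's algorithm run from one router yields, for every destination, the total cost and the next hop that would be installed in the routing table. The four-router topology is constructed.

```python
import heapq
from typing import Dict, Optional, Tuple

REFERENCE_BW_KBPS = 100_000   # IOS default reference bandwidth (100 Mbit/s); assumption


def ospf_cost(bandwidth_kbps: int) -> int:
    """IOS interface cost = reference bandwidth / interface bandwidth, truncated,
    never below 1 (so every link of 100 Mbit/s or faster costs 1 by default)."""
    return max(1, REFERENCE_BW_KBPS // bandwidth_kbps)


# Constructed link-state database: for each router, its point-to-point links as
# {neighbor: interface bandwidth in kbit/s}. Links are listed from both ends.
LSDB: Dict[str, Dict[str, int]] = {
    "R1": {"R2": 100_000, "R3": 10_000},
    "R2": {"R1": 100_000, "R4": 100_000},
    "R3": {"R1": 10_000, "R4": 1_544},
    "R4": {"R2": 100_000, "R3": 1_544},
}


def spf(lsdb: Dict[str, Dict[str, int]], root: str) -> Dict[str, Tuple[int, Optional[str]]]:
    """Dijkstra from `root`: returns {router: (total cost, next hop from root)}.
    The SPF tree is built by always settling the cheapest tentative node next."""
    dist = {root: 0}
    next_hop: Dict[str, Optional[str]] = {}
    heap = [(0, root, None)]          # (cost, node, first hop on the path from root)
    settled = set()
    while heap:
        cost, node, first_hop = heapq.heappop(heap)
        if node in settled:
            continue                  # a cheaper path to this node was already settled
        settled.add(node)
        next_hop[node] = first_hop
        for neighbor, bandwidth in lsdb[node].items():
            new_cost = cost + ospf_cost(bandwidth)
            if new_cost < dist.get(neighbor, float("inf")):
                dist[neighbor] = new_cost
                # the next hop is fixed at the first link away from the root
                hop = neighbor if node == root else first_hop
                heapq.heappush(heap, (new_cost, neighbor, hop))
    return {n: (dist[n], next_hop[n]) for n in settled}


def routing_table(lsdb: Dict[str, Dict[str, int]], root: str) -> Dict[str, Tuple[int, str]]:
    """The entries a router would install: every destination except itself."""
    return {n: (c, nh) for n, (c, nh) in spf(lsdb, root).items() if n != root}
```

From R1 the tree prefers R1-R2-R4 (cost 2) over R1-R3-R4 (cost 10 + 64), which illustrates why a T1 link with its cost of 64 is avoided whenever a Fast Ethernet path exists.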

Exterior Gateway Routing Protocol (BGP)

BGP is an exterior gateway protocol (EGP), used to perform interdomain routing in TCP/IP
networks. A BGP router needs to establish a connection (on TCP port 179) to each of its BGP
peers before BGP updates can be exchanged. The BGP session between two BGP peers is said
to be an external BGP (eBGP) session if the BGP peers are in different autonomous systems
(AS). A BGP session between two BGP peers is said to be an internal BGP (iBGP) session if the
BGP peers are in the same autonomous system.

iBGP Configuration (both routers must be in the same AS; assume the AS of both routers = 400)

R1-AGS
R1-AGS(config)# router bgp 400
R1-AGS(config-router)# neighbor 10.10.10.2 remote-as 400

R6-2500
R6-2500(config)# router bgp 400
R6-2500(config-router)# neighbor 10.10.10.1 remote-as 400

eBGP Configuration (assume router R1-AGS is in AS 300 and router R6-2500 is in AS 400)

R1-AGS
R1-AGS(config)# router bgp 300
R1-AGS(config-router)# neighbor 10.10.10.2 remote-as 400

R6-2500
R6-2500(config)# router bgp 400
R6-2500(config-router)# neighbor 10.10.10.1 remote-as 300

Heterogeneous Routing through Route Redistribution


The use of a routing protocol to advertise routes that are learned by some other means, such as
by another routing protocol, static routes, or directly connected routes, is called redistribution.
While running a single routing protocol throughout your entire IP internetwork is desirable,
multi-protocol routing is common for a number of reasons, such as company mergers, multiple
departments managed by multiple network administrators, and multi-vendor environments.
Running different routing protocols is often part of a network design. In any case, having a
multiple protocol environment makes redistribution a necessity.
Differences in routing protocol characteristics, such as metrics, administrative distance, and classful
and classless capabilities, can affect redistribution. Consideration must be given to these
differences for redistribution to succeed.
OSPF router redistributing static, RIP, IGRP, EIGRP, and IS-IS routes:
router ospf 1
network 131.108.0.0 0.0.255.255 area 0
redistribute static metric 200 subnets
redistribute rip metric 200 subnets
redistribute igrp 1 metric 100 subnets
redistribute eigrp 100 metric 100 subnets
redistribute isis metric 10 subnets

EIGRP router redistributing static, Open Shortest Path First (OSPF), RIP, and Intermediate
System-to-Intermediate System (IS-IS) routes:
router eigrp 100
network 131.108.0.0
redistribute static
redistribute ospf 1
redistribute rip
redistribute isis
default-metric 10000 100 255 1 1500
EIGRP needs five metric components when redistributing other protocols: bandwidth, delay,
reliability, load, and MTU, in that order.
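The five values on the default-metric line are exactly the inputs of the EIGRP composite metric introduced in the EIGRP section above (bandwidth in kbit/s, delay in tens of microseconds, reliability and load out of 255, MTU), so one added Python example (written for this manual; it is not Cisco code, and the interface defaults it uses are the example's own assumption, to be checked with show interfaces) serves both passages. With the default K values only bandwidth and delay survive, which is what the EIGRP section means by "by default, both routing protocols use only bandwidth and delay"; the function also shows how a multi-hop path takes the minimum bandwidth and the summed delay.

```python
from typing import Sequence, Tuple


def eigrp_metric(bandwidth_kbps: int, delay_tens_us: int,
                 reliability: int = 255, load: int = 1, mtu: int = 1500,
                 k1: int = 1, k2: int = 0, k3: int = 1, k4: int = 0, k5: int = 0) -> int:
    """Classic (32-bit) EIGRP composite metric, with the integer truncation IOS applies:

        metric = 256 * [K1*BW + (K2*BW)/(256 - load) + K3*delay] * [K5/(reliability + K4)]

    BW = 10^7 / (minimum bandwidth on the path, kbit/s); delay is the summed
    interface delay in tens of microseconds. The K5 factor is applied only when
    K5 != 0. With the defaults K1 = K3 = 1 and K2 = K4 = K5 = 0 this collapses
    to 256 * (BW + delay). MTU is carried in updates but never enters the formula.
    The argument order matches the IOS 'default-metric' command."""
    if not 1 <= reliability <= 255 or not 1 <= load <= 255:
        raise ValueError("reliability and load are expressed as 1..255")
    if bandwidth_kbps <= 0:
        raise ValueError("bandwidth must be positive")
    bw = 10**7 // bandwidth_kbps
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * delay_tens_us
    if k5 != 0:
        metric = metric * k5 // (reliability + k4)
    return 256 * metric


def path_metric(links: Sequence[Tuple[int, int]]) -> int:
    """Metric of a path given (bandwidth_kbps, delay_tens_us) per link: the path
    bandwidth is the *minimum* link bandwidth, the path delay is the *sum*."""
    min_bw = min(bw for bw, _ in links)
    total_delay = sum(d for _, d in links)
    return eigrp_metric(min_bw, total_delay)


# Interface defaults assumed by this example (bandwidth kbit/s, delay in tens of us):
FAST_ETHERNET = (100_000, 10)   # 100 Mbit/s, 100 us
SERIAL_T1 = (1_544, 2_000)      # 1.544 Mbit/s, 20 000 us

# The redistribution example above: default-metric 10000 100 255 1 1500
REDISTRIBUTED_DEFAULT = eigrp_metric(10000, 100, 255, 1, 1500)   # 281600
```

A practical consequence for redistribution: because the bandwidth term is 10^7 divided by the slowest link, a default-metric with a very small bandwidth makes every redistributed route look worse than any native EIGRP path, which is often what is wanted when the redistribution point should only be a backup.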
RIP router redistributing static, IGRP, EIGRP, OSPF, and IS-IS routes.
router rip
version 2
network 131.108.0.0
redistribute static
redistribute igrp 1
redistribute eigrp 1
redistribute ospf 1
redistribute isis
default-metric 1

Neighbor Routing Authentication


Neighbor authentication occurs whenever neighbor routers exchange routing updates. This
authentication ensures that a router receives reliable routing information from a trusted
source.
Without neighbor authentication, unauthorized or deliberately malicious routing updates could
compromise the security of your network traffic. A security compromise could occur if an
unfriendly party diverts or analyzes that traffic. For example, an unauthorized router could send
a fictitious routing update to convince your router to send traffic to an incorrect destination.
The unfriendly party could analyze the diverted traffic to learn confidential information about
your organization or merely use it to disrupt your organization's ability to communicate
effectively using the network. Neighbor authentication prevents your router from accepting any
such fraudulent routing updates.
MD5 authentication works much like plain text authentication, except that MD5 never sends
the key over the wire. Instead, the router uses the MD5 algorithm to produce a message digest
of the key (also called a hash). The router sends the message digest instead of the key itself,
which ensures that no one can eavesdrop on the line and learn keys during transmission.
OSPF Authentication
interface fa 0/1
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 CISCO

EIGRP Authentication
key chain eigrpchain
key 1
key-string CISCO

int fa 0/1
ip authentication mode eigrp 100 md5
ip authentication key-chain eigrp 100 eigrpchain
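To show what the router actually puts on the wire, here is an added Python example (not Cisco code) modelled on the OSPF scheme in RFC 2328 Appendix D: the digest is computed over the whole routing packet with the 16-byte key appended, the packet carries a key id and a cryptographic sequence number, and only the digest is transmitted. The receiver recomputes the digest with its copy of the key, so a modified update, an update signed with the wrong key, or a replayed older update is all rejected. The packet layout (key id and sequence number in a 5-byte prefix, digest as a 16-byte trailer) is simplified for the example; real OSPF puts those fields in its packet header. The sample update and the use of key "CISCO" from the configuration above are constructed.

```python
import hashlib
import hmac
import struct
from typing import Dict, Optional, Tuple

KEY_LEN = 16             # RFC 2328 Appendix D: a 16-byte key (shorter keys are zero-padded)
DIGEST_LEN = 16          # MD5 output length
PREFIX_FMT = "!BI"       # key id, cryptographic sequence number
PREFIX_LEN = struct.calcsize(PREFIX_FMT)   # 5 bytes


def _padded_key(key: str) -> bytes:
    raw = key.encode()
    if len(raw) > KEY_LEN:
        raise ValueError("key longer than 16 bytes")
    return raw.ljust(KEY_LEN, b"\x00")


def sign_update(payload: bytes, seq: int, key_id: int, key: str) -> bytes:
    """key_id || seq || payload || MD5(key_id || seq || payload || key).
    The digest goes on the wire; the key itself never does."""
    body = struct.pack(PREFIX_FMT, key_id, seq) + payload
    return body + hashlib.md5(body + _padded_key(key)).digest()


def verify_update(message: bytes, keys: Dict[int, str],
                  last_seq: int) -> Tuple[bool, Optional[int], Optional[bytes]]:
    """Return (accepted, seq, payload). Rejects an unknown key id, a digest that
    does not match (tampering or a different key) and a sequence number below
    the last one accepted from this neighbor (replay of an old update)."""
    if len(message) < PREFIX_LEN + DIGEST_LEN:
        return False, None, None
    body, digest = message[:-DIGEST_LEN], message[-DIGEST_LEN:]
    key_id, seq = struct.unpack(PREFIX_FMT, body[:PREFIX_LEN])
    key = keys.get(key_id)
    if key is None:
        return False, seq, None
    expected = hashlib.md5(body + _padded_key(key)).digest()
    if not hmac.compare_digest(expected, digest):   # constant-time comparison
        return False, seq, None
    if seq < last_seq:
        return False, seq, None
    return True, seq, body[PREFIX_LEN:]


# Constructed sample: a hello-like update authenticated with key id 1 = "CISCO".
NEIGHBOR_KEYS = {1: "CISCO"}
SAMPLE_UPDATE = sign_update(b"hello router-id 10.0.0.1", seq=1001, key_id=1, key="CISCO")
```

Two points worth keeping in mind when deploying this: the key id lets both sides roll to a new key without a gap (the key chain in the EIGRP configuration above exists for that), and because the scheme is a plain keyed digest rather than an HMAC, newer IOS releases also offer HMAC-SHA authentication (RFC 5709 for OSPF), which is the better choice where both neighbors support it.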

CHAPTER III
ENTERPRISE LAN SWITCHING AND LOAD BALANCING PROTOCOLS

VLAN (Virtual LAN)


A VLAN is a logically separate IP subnetwork. VLANs allow multiple IP networks and subnets to
exist on the same switched network. The figure shows a network with three computers. For
computers to communicate on the same VLAN, each must have an IP address and a subnet
mask that is consistent for that VLAN. The switch has to be configured with the VLAN and each
port in the VLAN must be assigned to the VLAN. A switch port with a single VLAN configured
on it is called an access port. Remember, just because two computers are physically connected
to the same switch does not mean that they can communicate. Devices on two separate
networks and subnets must communicate via a router (Layer 3), whether or not VLANs are
used. You do not need VLANs to have multiple networks and subnets on a switched network,
but there are definite advantages to using VLANs.
User productivity and network adaptability are key drivers for business growth and success.
Implementing VLAN technology enables a network to more flexibly support business goals. The
primary benefits of using VLANs are as follows:
Security - Groups that have sensitive data are separated from the rest of the network,
decreasing the chances of confidential information breaches. Faculty computers are on VLAN
10 and completely separated from student and guest data traffic.
Cost reduction - Cost savings result from less need for expensive network upgrades and more
efficient use of existing bandwidth and uplinks.
Higher performance - Dividing flat Layer 2 networks into multiple logical workgroups
(broadcast domains) reduces unnecessary traffic on the network and boosts performance.
Broadcast storm mitigation - Dividing a network into VLANs reduces the number of devices
that may participate in a broadcast storm. As discussed in the "Configure a Switch" chapter,
LAN segmentation prevents a broadcast storm from propagating to the whole network. In the
figure you can see that although there are six computers on this network, there are only three
broadcast domains: Faculty, Student, and Guest.
Improved IT staff efficiency - VLANs make it easier to manage the network because users with
similar network requirements share the same VLAN. When you provision a new switch, all the
policies and procedures already configured for the particular VLAN are implemented when the
ports are assigned. It is also easy for the IT staff to identify the function of a VLAN by giving it an
appropriate name. In the figure, for easy identification VLAN 20 has been named "Student",
VLAN 10 could be named "Faculty", and VLAN 30 "Guest."
Simpler project or application management - VLANs aggregate users and network devices to
support business or geographic requirements. Having separate functions makes managing a
project or working with a specialized application easier, for example, an e-learning
development platform for faculty. It is also easier to determine the scope of the effects of
upgrading network services.

VLAN ID Ranges
Access VLANs are divided into either a normal range or an extended range.

Normal Range VLANs

 Used in small- and medium-sized business and enterprise networks.
 Identified by a VLAN ID between 1 and 1005.
 IDs 1002 through 1005 are reserved for Token Ring and FDDI VLANs.
 IDs 1 and 1002 to 1005 are automatically created and cannot be removed. You will learn more
about VLAN 1 later in this chapter.
 Configurations are stored within a VLAN database file, called vlan.dat. The vlan.dat file is
located in the flash memory of the switch.
 The VLAN trunking protocol (VTP), which helps manage VLAN configurations between switches,
can only learn normal range VLANs and stores them in the VLAN database file.

Extended Range VLANs

 Enable service providers to extend their infrastructure to a greater number of customers. Some
global enterprises could be large enough to need extended range VLAN IDs.
 Are identified by a VLAN ID between 1006 and 4094.
 Support fewer VLAN features than normal range VLANs.
 Are saved in the running configuration file.
 VTP does not learn extended range VLANs.
Configure a VLAN

Assign a Switch Port to Specific VLAN

Verify VLAN

Configure a 802.1q Trunk

VTP
VTP allows a network manager to configure a switch so that it will propagate VLAN
configurations to other switches in the network. The switch can be configured in the role of a
VTP server or a VTP client. VTP only learns about normal-range VLANs (VLAN IDs 1 to 1005).
Extended-range VLANs (IDs greater than 1005) are not supported by VTP.
VTP allows a network manager to make changes on a switch that is configured as a VTP server.
Basically, the VTP server distributes and synchronizes VLAN information to VTP-enabled
switches throughout the switched network, which minimizes the problems caused by incorrect
configurations and configuration inconsistencies. VTP stores VLAN configurations in the VLAN
database called vlan.dat.
VTP Components
There are number of key components that you need to be familiar with when learning about
VTP. Here is a brief description of the components, which will be further explained as you go
through the chapter.

VTP Domain - Consists of one or more interconnected switches. All switches in a domain share
VLAN configuration details using VTP advertisements. A router or Layer 3 switch defines the
boundary of each domain.
VTP Advertisements - VTP uses a hierarchy of advertisements to distribute and synchronize VLAN
configurations across the network.
VTP Modes - A switch can be configured in one of three modes: server, client, or transparent.
VTP Server - VTP servers advertise the VTP domain VLAN information to other VTP-enabled
switches in the same VTP domain. VTP servers store the VLAN information for the entire
domain in NVRAM. The server is where VLANs can be created, deleted, or renamed for the
domain.
VTP Client - VTP clients function the same way as VTP servers, but you cannot create, change, or
delete VLANs on a VTP client. A VTP client only stores the VLAN information for the entire
domain while the switch is on. A switch reset deletes the VLAN information. You must configure
VTP client mode on a switch.
VTP Transparent - Transparent switches forward VTP advertisements to VTP clients and VTP
servers. Transparent switches do not participate in VTP. VLANs that are created, renamed, or
deleted on transparent switches are local to that switch only.
VTP Pruning - VTP pruning increases available network bandwidth by restricting flooded traffic
to those trunk links that the traffic must use to reach the destination devices. Without VTP
pruning, a switch floods broadcast, multicast, and unknown unicast traffic across all trunk links
within a VTP domain even though the receiving switches might discard them.

Inter VLAN Routing


Traditional inter-VLAN routing requires multiple physical interfaces on both the router and the
switch. However, not all inter-VLAN routing configurations require multiple physical interfaces.
Some router software permits configuring router interfaces as trunk links. This opens up new
possibilities for inter-VLAN routing.
"Router-on-a-stick" is a type of router configuration in which a single physical interface routes
traffic between multiple VLANs on a network. As you can see in the figure, the router is
connected to switch S1 using a single, physical network connection.
The router interface is configured to operate as a trunk link and is connected to a switch port
configured in trunk mode. The router performs the inter-VLAN routing by accepting VLAN
tagged traffic on the trunk interface coming from the adjacent switch and internally routing
between the VLANs using subinterfaces. The router then forwards the routed traffic, now VLAN
tagged for the destination VLAN, out the same physical interface.
Subinterfaces are multiple virtual interfaces associated with one physical interface. They are
configured in software on the router, and each subinterface is independently configured with an IP
address and VLAN assignment so that it operates on a specific VLAN. Subinterfaces are configured for
different subnets corresponding to their VLAN assignment to facilitate logical routing before
the data frames are VLAN tagged and sent back out the physical interface.

Figure: Inter VLAN Routing

Port Security
Port security allows an administrator to statically specify MAC addresses for a port or to permit
the switch to dynamically learn a limited number of MAC addresses. By limiting the number of
permitted MAC addresses on a port to one, port security can be used to control unauthorized
expansion of the network.
When MAC addresses are assigned to a secure port, the port does not forward frames with
source MAC addresses outside the group of defined addresses. When a port configured with
port security receives a frame, the source MAC address of the frame is compared to the list of
secure source addresses that were manually configured or auto-configured (learned) on the
port. If the MAC address of a device attached to the port is not in the list of secure addresses,
the port either shuts down until it is administratively re-enabled (default mode) or drops incoming
frames from the insecure host (restrict option). The behavior of the port depends on how it is
configured to respond to a security violation.
It is recommended that an administrator configure the port security feature to issue a
shutdown rather than dropping frames from insecure hosts with the restrict option. The restrict
option might fail under the load of an attack.
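The decision the switch makes for every incoming frame, as an added Python model (written for this manual; it is not switch firmware and simplifies the feature to the behaviour described above): a port holds a set of static and dynamically learned secure MAC addresses up to a configured maximum, forwards frames from known addresses, learns new ones while there is room, and on a violation either drops the frame (restrict) or puts the port in the error-disabled state (the default shutdown mode), after which nothing is forwarded until an administrator re-enables it. The MAC addresses used are constructed.

```python
from dataclasses import dataclass, field
from typing import Set


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                    # like 'switchport port-security maximum 1'
    violation: str = "shutdown"         # "shutdown" (default) or "restrict"
    static: Set[str] = field(default_factory=set)    # manually configured secure MACs
    learned: Set[str] = field(default_factory=set)   # dynamically learned secure MACs
    err_disabled: bool = False
    violations: int = 0

    def __post_init__(self) -> None:
        if self.violation not in ("shutdown", "restrict"):
            raise ValueError("violation mode must be 'shutdown' or 'restrict'")
        self.static = {m.lower() for m in self.static}

    @property
    def secure_macs(self) -> Set[str]:
        return self.static | self.learned

    def ingress(self, src_mac: str) -> str:
        """Decide the fate of a frame with this source MAC:
        'forward', 'drop' (frame discarded, port stays up) or 'shutdown'
        (port enters err-disabled and discards everything from now on)."""
        mac = src_mac.lower()
        if self.err_disabled:
            return "drop"                       # stays down until clear_errdisable()
        if mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.learned.add(mac)               # dynamic learning within the limit
            return "forward"
        self.violations += 1                    # unknown MAC and no room: violation
        if self.violation == "restrict":
            return "drop"
        self.err_disabled = True
        return "shutdown"

    def clear_errdisable(self) -> None:
        """Administrative re-enable, as 'shutdown' / 'no shutdown' would do."""
        self.err_disabled = False
```

The model makes the text's recommendation visible: in restrict mode every offending frame is a separate decision the switch has to make at line rate, whereas the shutdown mode takes one decision and then stops processing the port entirely.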

Configure Port Security

Load Balancing Protocols


HSRP (Hot Stand by Routing Protocol)
HSRP is Cisco's standard method of providing high network availability by providing first-hop
redundancy for IP hosts on an IEEE 802 LAN configured with a default gateway IP address. HSRP
routes IP traffic without relying on the availability of any single router. It enables a set of router
interfaces to work together to present the appearance of a single virtual router or default
gateway to the hosts on a LAN. When HSRP is configured on a network or segment, it provides
a virtual Media Access Control (MAC) address and an IP address that is shared among a group
of configured routers. HSRP allows two or more HSRP-configured routers to use the MAC
address and IP network address of a virtual router. The virtual router does not exist; it
represents the common target for routers that are configured to provide backup to each other.
One of the routers is selected to be the active router and another to be the standby router,
which assumes control of the group MAC address and IP address should the designated active
router fail.
HSRP provides high network availability by providing redundancy for IP traffic from hosts on
networks. In a group of router interfaces, the active router is the router of choice for routing
packets; the standby router is the router that takes over the routing duties when an active
router fails or when preset conditions are met.
HSRP is useful for hosts that do not support a router discovery protocol and cannot switch to a
new router when their selected router reloads or loses power. When HSRP is configured on a
network segment, it provides a virtual MAC address and an IP address that is shared among
router interfaces in a group of router interfaces running HSRP. The router selected by the
protocol to be the active router receives and routes packets destined for the group's MAC
address. For n routers running HSRP, there are n + 1 IP and MAC addresses assigned.
HSRP detects when the designated active router fails, and a selected standby router assumes
control of the Hot Standby group's MAC and IP addresses. A new standby router is also selected
at that time. Devices running HSRP send and receive multicast UDP-based hello packets to
detect router failure and to designate active and standby routers. In Cisco IOS Release
12.2(18)SE and later, when HSRP is configured on an interface, Internet Control Message
Protocol (ICMP) redirect messages are automatically enabled for the interface.

Figure: Typical HSRP Configuration

A Practical HSRP Example

VRRP (Virtual Router Redundancy Protocol)


The industry-standard equivalent of HSRP is the Virtual Router Redundancy Protocol (VRRP),
defined in RFC 2338. It is nearly identical to HSRP, with some notable exceptions:
 The router with the highest priority becomes the Master Router.
 All other routers become Backup Routers.
 By default, the virtual MAC address is 0000.5e00.01xx, where xx is the hexadecimal
group number.
 Hellos are sent every 1 second, by default.
 VRRP Hellos are sent to multicast address 224.0.0.18.
 VRRP will preempt by default.
 VRRP cannot track interfaces.

Switch(config)# int fa0/10
Switch(config-if)# no switchport
Switch(config-if)# ip address 192.168.1.6 255.255.255.0
Switch(config-if)# vrrp 1 priority 75
Switch(config-if)# vrrp 1 authentication CISCO
Switch(config-if)# vrrp 1 ip 192.168.1.1

GLBP (Gateway Load Balancing Protocol)


To overcome the shortcomings in HSRP and VRRP, Cisco developed the oh-so proprietary
Gateway Load Balancing Protocol (GLBP). Routers or multilayer switches are added to a GLBP
group - but unlike HSRP/VRRP, all routers are Active. Thus, both redundancy and load-balancing
are achieved. GLBP utilizes multicast address 224.0.0.102.
As with HSRP and VRRP, GLBP routers are placed in a group (1-255). Routers are assigned a
priority (default is 100) - the router with the highest priority becomes the Active Virtual
Gateway (AVG). If priorities are equal, the router with the highest IP on its interface will
become the AVG.

To configure a GLBP router's priority to 150, and enable preempt (preemption is not enabled by
default):
Switch(config)# int fa0/10
Switch(config-if)# glbp 1 priority 150
Switch(config-if)# glbp 1 preempt
To track an interface, reducing the router's weight if that interface fails:
Switch(config)# track 10 interface fa0/12 line-protocol
Switch(config)# int fa0/10
Switch(config-if)# glbp 1 weighting track 10 decrement 50
The track command creates track object 10, which tracks the line protocol of interface fa0/12. The
glbp weighting command assigns that track object to GLBP group 1 and will decrease this router's
weight by 50 if interface fa0/12 fails. Another router cannot become an AVF unless it is configured to
preempt.

To specify the virtual IP and the load-balancing method:

Switch(config-if)# glbp 1 ip 192.168.1.2
Switch(config-if)# glbp 1 load-balancing weighted

CHAPTER IV
ENTERPRISE INFORMATION SECURITY

Virtual Private Networks


VPN is a private network that is created via tunneling over a public network, usually the
Internet. Instead of using a dedicated physical connection, a VPN uses virtual connections
routed through the Internet from the organization to the remote site. The first VPNs were
strictly IP tunnels that did not include authentication or encryption of the data. For example,
Generic Routing Encapsulation (GRE) is a tunneling protocol developed by Cisco that can
encapsulate a wide variety of Network Layer protocol packet types inside IP tunnels. This
creates a virtual point-to-point link to Cisco routers at remote points over an IP internetwork.
Other examples of VPNs that do not automatically include security measures are Frame Relay,
ATM PVCs, and Multiprotocol Label Switching (MPLS) networks.
A VPN is a communications environment in which access is strictly controlled to permit peer
connections within a defined community of interest. Confidentiality is achieved by encrypting
the traffic within the VPN. Today, a secure implementation of VPN with encryption is what is
generally equated with the concept of virtual private networking.
Cost savings - VPNs enable organizations to use cost-effective, third-party Internet transport to
connect remote offices and remote users to the main corporate site. VPNs eliminate expensive
dedicated WAN links and modem banks. Additionally, with the advent of cost-effective, high-bandwidth
technologies, such as DSL, organizations can use VPNs to reduce their connectivity
costs while simultaneously increasing remote connection bandwidth.
Security - VPNs provide the highest level of security by using advanced encryption and
authentication protocols that protect data from unauthorized access.
Scalability - VPNs enable corporations to use the Internet infrastructure that is within Internet
service providers (ISPs) and devices. This makes it easy to add new users, so that corporations
can add significant capacity without adding significant infrastructure.
Compatibility with broadband technology - VPNs allow mobile workers, telecommuters, and
people who want to extend their workday to take advantage of high-speed, broadband
connectivity to gain access to their corporate networks, providing workers significant flexibility
and efficiency. High-speed broadband connections provide a cost-effective solution for
connecting remote offices.

Figure: Virtual Private Networks

In the simplest sense, a VPN connects two endpoints over a public network to form a logical
connection. The logical connections can be made at either Layer 2 or Layer 3 of the OSI model.
VPN technologies can be classified broadly on these logical connection models as Layer 2 VPNs
or Layer 3 VPNs. Establishing connectivity between sites over a Layer 2 or Layer 3 VPN is the
same. A delivery header is added in front of the payload to get it to the destination site. This
chapter focuses on Layer 3 VPN technology.
Common examples of Layer 3 VPNs are GRE, MPLS, and IPsec. Layer 3 VPNs can be point-to-point
site connections such as GRE and IPsec, or they can establish any-to-any connectivity to
many sites using MPLS.
Generic routing encapsulation (GRE) was originally developed by Cisco and later standardized as
RFC 1701. An IP delivery header for GRE is defined in RFC 1702. A GRE tunnel between two sites
that have IP reachability can be described as a VPN, because the private data between the sites
is encapsulated in a GRE delivery header.
Pioneered by Cisco, MPLS was originally known as tag switching and later standardized via the
IETF as MPLS. Service providers are increasingly deploying MPLS to offer MPLS VPN services to
customers. MPLS VPNs use labels to encapsulate the original data, or payload, to form a VPN.


P2P GRE over IPSec


Generic Routing Encapsulation, or GRE, is a tunneling protocol that allows the encapsulation of
many different network layer protocols between two endpoints. Packets are sent through a
virtual tunnel on a point-to-point link.
It is important to understand that GRE tunnels do not encrypt traffic in any way; packets are simply
encapsulated within an additional GRE and IP header. If a secure tunnel is required, IPSec can
be used with GRE to provide data confidentiality.
Also keep in mind that GRE over IPSec tunnels are different from stand-alone IPSec VPN
tunnels. GRE over IPSec tunnels support multicast IP traffic, which strict IPSec VPNs do not. This
is important when routing protocols need to send routing information across the tunnel since
they use multicast for their control information. If your network requires a routing protocol like
EIGRP or OSPF, then GRE over IPSec can provide secure transport for those services.
We'll cover both GRE (unsecured) and GRE over IPSec (secured) tunnels in the configuration
example below.
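To make the "encapsulated, not encrypted" point concrete, here is an added Python example (not code from the manual) that builds the GRE delivery packet described above, a 20-byte IPv4 header carrying protocol 47 plus a 4-byte GRE header (RFC 1701/1702), and then strips it again. The outside addresses are the manual's 201.20.20.1 and 204.20.20.2; the inner packet and its message are constructed for the demonstration.

```python
import struct

IPPROTO_GRE = 47         # the "permit 47" seen in the manual's show crypto session output
ETHERTYPE_IPV4 = 0x0800  # GRE protocol type for an encapsulated IPv4 packet

def checksum(data):
    """RFC 1071 ones-complement sum used for the IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header: no options, DF set, TTL 64, checksum filled in."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                      64, proto, 0, addr(src), addr(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def gre_encapsulate(inner, tunnel_src, tunnel_dst):
    """Prepend a 4-byte GRE header (RFC 1701, no optional fields) and a 20-byte IPv4
    delivery header (RFC 1702, protocol 47). The inner packet is copied unchanged."""
    gre = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)  # flags/version 0, protocol type
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE, 4 + len(inner)) + gre + inner

def gre_decapsulate(wire):
    """Reverse of gre_encapsulate: returns (tunnel_src, tunnel_dst, inner packet)."""
    ihl = (wire[0] & 0x0F) * 4
    if wire[9] != IPPROTO_GRE or checksum(wire[:ihl]) != 0:
        raise ValueError("not a well-formed GRE delivery packet")
    flags, ptype = struct.unpack("!HH", wire[ihl:ihl + 4])
    if flags & 0xF000 or ptype != ETHERTYPE_IPV4:  # C/R/K/S bits would add optional fields
        raise ValueError("unsupported GRE header")
    src = ".".join(str(b) for b in wire[12:16])
    dst = ".".join(str(b) for b in wire[16:20])
    return src, dst, wire[ihl + 4:]

def demo():
    """Tunnel a constructed LAN-to-LAN packet between the manual's outside addresses and
    report (added overhead in bytes, message readable on the wire?, round trip intact?)."""
    msg = b"branch payroll report"                       # constructed cleartext payload
    inner = ipv4_header("10.0.10.5", "10.0.20.5", 6, len(msg)) + msg
    wire = gre_encapsulate(inner, "201.20.20.1", "204.20.20.2")
    return len(wire) - len(inner), msg in wire, gre_decapsulate(wire)[2] == inner
```

The 24 bytes reported by demo() are the overhead the MTU reduction in the configuration steps accounts for, and the message being found verbatim in the wire bytes is exactly what IPSec is added to prevent.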

GRE Tunnel Configuration


1. Create the tunnel interface on the VPN router.
A GRE tunnel uses a virtual tunnel interface, configured with an IP address where packets are
encapsulated/decapsulated as they enter and exit the GRE tunnel.
The IP address must be in the same subnet on both routers' tunnel interfaces.
interface Tunnel0
ip address 172.16.1.1 255.255.255.0
It is common practice to also reduce the maximum transmission unit (MTU) to 1400 bytes to
avoid any fragmentation problems over the transport networks. Remember that GRE adds an
additional 20-byte IP header as well as a 4-byte GRE header to each packet in the tunnel.
Because most devices have an MTU of 1500 bytes, reducing the GRE tunnel MTU will account
for the added overhead and help prevent unnecessary packet fragmentation.

interface Tunnel0
ip address 172.16.1.1 255.255.255.0
ip mtu 1400
2. Define the tunnel source and destination under each tunnel interface.
The router uses its local interface that connects to the Internet as its tunnel source. The tunnel
destination corresponds to the remote router's publicly routable IP address.
interface Tunnel0
ip address 172.16.1.1 255.255.255.0
ip mtu 1400
tunnel source FastEthernet0/0
tunnel destination 204.20.20.2
Note that the tunnel source and destination can both be IP addresses. For example, tunnel
source 201.20.20.1 could have been used instead of tunnel source FastEthernet0/0.
3. Testing Connectivity
The configuration above is from the perspective of RouterA. The same configuration template
would need to be applied to RouterB for the tunnel to begin passing traffic (with
source/destination IPs swapped of course).
Now that both endpoint routers have been configured, they should be reachable via pings.
ping 172.16.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
4. Add Routes to Remote Networks
This confirms that we can pass traffic inside the GRE tunnel, but hosts on the Branch LAN
networks will not be able to send packets to each other without some routes added. We can
use a simple static route for this purpose.
RouterA(config)# ip route 10.0.20.0 255.255.255.0 172.16.1.2
RouterB(config)# ip route 10.0.10.0 255.255.255.0 172.16.1.1
Now when RouterA receives a packet destined for the East Branch LAN (10.0.20.0/24), it knows
its next-hop interface is the tunnel endpoint, so it will forward the packet through the GRE
tunnel.
That's it for the GRE tunnel configuration. Now on to adding IPSec.

IPSec Encryption for the GRE Tunnel


As we mentioned, GRE provides no form of payload confidentiality or encryption. If the packets
are sniffed over the public transit networks, their contents are in plain text.
IPSec solves this by encrypting part or all of each GRE packet. There are two IPSec modes:
tunnel and transport. This configuration example will show the default, tunnel-mode IPSec
encryption, which protects the entire GRE header and payload.
1. Create an Access list to define the traffic to encrypt.
The ACL should match traffic from the outside interface of the local router to the outside
interface of the remote router.
access-list 101 permit gre host 201.20.20.1 host 204.20.20.2
2. Configure an isakmp policy.
Note: The ISAKMP policy, key, and IPSec transform set must match on both sides of a single
tunnel.
crypto isakmp policy 1
authentication pre-share
3. Configure pre-shared keys.
The key P@ssword will be configured to be used for authentication with RouterA's peer
204.20.20.2. The address at the end of the statement refers to the public IP address of the peer
router (RouterB).
crypto isakmp key P@ssword address 204.20.20.2
4. Configure the transform set.
crypto ipsec transform-set strong esp-3des esp-md5-hmac
The full ISAKMP configuration:
crypto isakmp policy 1
authentication pre-share
crypto isakmp key P@ssword address 204.20.20.2
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
5. Configure a crypto map and bind the transform set and the traffic ACL to the crypto map.
Define peer IP address below crypto map.
crypto map S2SVPN 10 ipsec-isakmp
set peer 204.20.20.2
set transform-set strong
match address 101


6. Apply the crypto map to the physical, outside interface.


If you are running a version of IOS Software Release earlier than 12.2.15 then the crypto map
must be applied to the tunnel interface as well as the physical interface.
interface FastEthernet0/0
crypto map S2SVPN
interface Tunnel0
crypto map S2SVPN
Now configure the remote router using the same IPSec configuration template. Make sure to
change the local and remote IPs as necessary.
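As an added check (not part of the manual), the following Python script parses RouterA's fragments from steps 1 to 6 and verifies the things that must agree before the tunnel can come up: the tunnel destination, the ISAKMP key address and the crypto map peer; the GRE ACL bound by match address; and that the crypto map is applied to an interface. It also flags the esp-3des and esp-md5-hmac transforms, which are legacy algorithms today.

```python
import re
# Constructed input: RouterA's fragments from steps 1 to 6 on this page, pasted together.
ROUTER_A = """\
interface Tunnel0
 tunnel destination 204.20.20.2
access-list 101 permit gre host 201.20.20.1 host 204.20.20.2
crypto isakmp key P@ssword address 204.20.20.2
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto map S2SVPN 10 ipsec-isakmp
 set peer 204.20.20.2
 set transform-set strong
 match address 101
interface FastEthernet0/0
 crypto map S2SVPN
"""
LEGACY = {"esp-des", "esp-3des", "esp-md5-hmac"}  # transforms to replace with AES / SHA-2

def first(pattern, text):
    """First capture group of a line-anchored regex, or None if absent."""
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None

def check(text):
    """Return a list of findings; an empty list means the fragments agree."""
    findings = []
    tunnel_dst = first(r"^\s*tunnel destination (\S+)", text)
    isakmp_peer = first(r"^\s*crypto isakmp key \S+ address (\S+)", text)
    map_peer = first(r"^\s*set peer (\S+)", text)
    map_name = first(r"^\s*crypto map (\S+) \d+ ipsec-isakmp", text)
    acl_id = first(r"^\s*match address (\S+)", text)
    # Tunnel endpoint, ISAKMP key address and crypto map peer must all be RouterB's outside IP.
    peers = {tunnel_dst, isakmp_peer, map_peer}
    if len(peers) != 1:
        findings.append("peer mismatch across tunnel destination / isakmp key / set peer: %s" % sorted(peers))
    acl = first(r"^\s*access-list %s permit (.+)$" % re.escape(acl_id or "-"), text)
    if acl is None:
        findings.append("crypto map references ACL %s, which is not defined" % acl_id)
    else:
        parts = acl.split()  # e.g. ['gre', 'host', '201.20.20.1', 'host', '204.20.20.2']
        if parts[0] != "gre":
            findings.append("ACL %s should match protocol gre, not %s" % (acl_id, parts[0]))
        if parts[-1] != map_peer:
            findings.append("ACL %s destination %s is not the crypto map peer" % (acl_id, parts[-1]))
    if not re.search(r"^\s*crypto map %s\s*$" % re.escape(map_name or "-"), text, re.M):
        findings.append("crypto map %s is not applied to any interface" % map_name)
    for alg in (first(r"^\s*crypto ipsec transform-set \S+ (.+)$", text) or "").split():
        if alg in LEGACY:
            findings.append("legacy transform in use: %s" % alg)
    return findings
```

Run the same check over RouterB's configuration after swapping the addresses; a peer or ACL mismatch on either side is the usual reason the IKE SA never forms.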

Verify GRE over IPSec Tunnel Connectivity


Now that the GRE over IPSec tunnel configuration is complete, we can verify end-to-end IPSec
tunnel connectivity. By simply sending pings to the remote networks, the IPSec VPN will come
up and begin encrypting/decrypting traffic.
RouterA# ping 10.0.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
The show crypto session command can be used to verify that the IPSec VPN encryption is
operational.
RouterA# show crypto session
Crypto session current status
Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 200.20.20.2 port 500
IKE SA: local 201.20.20.1/500 remote 204.20.20.2/500 Active
IPSEC FLOW: permit 47 host 201.20.20.1 host 204.20.20.2


L2TP over IPSec

Configuration on Cisco IOS router:


version 12.4
!
hostname L2TP
!
!
aaa new-model
!
!
aaa authentication ppp VPDN_AUTH local
!
!
vpdn enable
!
vpdn-group L2TP
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
!
!
!
username cisco privilege 15 password 0 cisco
!
!
crypto isakmp policy 1
encr 3des
hash sha
authentication pre-share
group 2
lifetime 86400
!
!
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set L2TP-Set2 esp-3des esp-sha-hmac
mode transport
!
crypto dynamic-map dyn-map 10
set nat demux
set transform-set L2TP-Set2
!
!
crypto map outside_map 65535 ipsec-isakmp dynamic dyn-map
!
!
!
interface Loopback0
ip address 192.168.47.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Loopback1
description loopback for IPsec-pool
ip address 1.1.1.11 255.255.255.255
!
interface FastEthernet0/0
ip address 47.47.47.2 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map outside_map
!
!
interface Virtual-Template1
ip unnumbered Loopback1
peer default ip address pool l2tp-pool
ppp authentication ms-chap-v2 VPDN_AUTH
!
!
!
ip local pool l2tp-pool 1.1.1.1 1.1.1.10
ip route 0.0.0.0 0.0.0.0 47.47.47.1
!
ip nat inside source list NAT interface FastEthernet0/0 overload
!
ip access-list extended NAT
deny ip 192.168.47.0 0.0.0.255 1.1.1.0 0.0.0.255
permit ip 192.168.47.0 0.0.0.255 any
!
!
!
end
Windows 8 Configuration:
1. Open Control Panel and select Network and Sharing Center:

2. Select the Set up a new connection entry:

3. Select Connect to a Workplace:

4. Choose Use my Internet Connection:

5. Type in the IP address or FQDN of the router, name the connection and click on Create:

6. Once that is done, go back to Control Panel and Network and Sharing Center and select
Change adapter settings:

7. Right click on the connection entry and click on Properties:

8. Make sure the IP address or the FQDN is correct in the General tab:

9. In the Security tab, make sure the type of VPN is L2TP/IPSEC. Then click on Advanced
settings and add the pre-shared key:

10. Then select Allow these protocols and make sure MS-CHAP v2 is selected:

11. To connect, left click on the network icon in the task bar:

12. You will see the following; type in your user name and password and click on OK:

Configuring IPSec and ISAKMP


IPSec Overview
The security appliance uses IPSec for LAN-to-LAN VPN connections, and provides the option of
using IPSec for client-to-LAN VPN connections. In IPSec terminology, a peer is a remote-access
client or another secure gateway. For both connection types, the security appliance supports
only Cisco peers. Because we adhere to VPN industry standards, ASAs may work with other
vendors' peers; however, we do not support them.
During tunnel establishment, the two peers negotiate security associations that govern
authentication, encryption, encapsulation, and key management. These negotiations involve
two phases: first, to establish the tunnel (the IKE SA); and second, to govern traffic within the
tunnel (the IPSec SA). A LAN-to-LAN VPN connects networks in different geographic locations.
In IPSec LAN-to-LAN connections, the security appliance can function as initiator or responder.
In IPSec client-to-LAN connections, the security appliance functions only as responder. Initiators
propose SAs; responders accept, reject, or make counter-proposals, all in accordance with
configured SA parameters. To establish a connection, both entities must agree on the SAs.

Configure ISAKMP Policies

Complete Example of IPSec ISAKMP


crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key VPN@#KEY address 172.18.1.2

crypto ipsec transform-set VPNSET esp-des esp-md5-hmac

crypto map VPNMAP local-address Loopback0
crypto map VPNMAP 10 ipsec-isakmp
set peer 172.18.1.2
set transform-set VPNSET
match address 100

access-list 100 permit ip 172.16.1.0 0.0.0.255 172.18.2.0 0.0.0.255
access-list 100 permit ip 172.16.2.0 0.0.0.255 172.18.3.0 0.0.0.255

Cryptographic Systems
The first goal for network administrators is to secure the network infrastructure, including
routers, switches, servers, and hosts. This is accomplished using hardening, AAA access control,
ACLs, firewalls, and monitoring threats using IPS.
The next goal is to secure the data as it travels across various links. This may include internal
traffic, but of greater concern is protecting the data that travels outside of the organization to
branch sites, telecommuter sites, and partner sites.
Secure communications involves a few primary tasks:
Authentication - Guarantees that the message is not a forgery and does actually come from
who it states it comes from.
Integrity - Similar to a checksum function in a frame, guarantees that no one intercepted the
message and altered it.
Confidentiality - Guarantees that if the message is captured, it cannot be deciphered.

Authentication
Authentication guarantees that a message comes from the source that it claims to come from.
Authentication is similar to entering a secure personal identification number (PIN) for banking at
an ATM. The PIN should only be known to the user and the financial institution. The PIN is a
shared secret that helps protect against forgeries.
Authentication can be accomplished with cryptographic methods. This is especially important
for applications or protocols, such as email or IP, that do not have built-in mechanisms to
prevent spoofing of the source.
Data nonrepudiation is a similar service that allows the sender of a message to be uniquely
identified. With nonrepudiation services in place, a sender cannot deny having been the source
of that message. It might appear that the authenticity service and the nonrepudiation service
are fulfilling the same function. Although both address the question of the proven identity of
the sender, there is a difference between the two.
The most important part of nonrepudiation is that a device cannot repudiate, or refute, the
validity of a message sent. Nonrepudiation relies on the fact that only the sender has the
unique characteristics or signature for how that message is treated. Not even the receiving
device can know how the sender treated this message to prove authenticity, because the
receiver could then pretend to be the source.
Integrity
Data integrity ensures that messages are not altered in transit. With data integrity, the receiver
can verify that the received message is identical to the sent message and that no manipulation
occurred.
European nobility ensured the data integrity of documents by creating a wax seal to close an
envelope. The seal was often created using a signet ring. These bore the family crest, initials, a
portrait, or a personal symbol or motto of the owner of the signet ring. An unbroken seal on an
envelope guaranteed the integrity of its contents. It also guaranteed authenticity based on the
unique signet ring impression.
Confidentiality
Data confidentiality ensures privacy so that only the receiver can read the message. Encryption
is the process of scrambling data so that it cannot be read by unauthorized parties.
When enabling encryption, readable data is called plaintext, or cleartext, while the encrypted
version is called ciphertext. The plaintext readable message is converted to ciphertext, which is
the unreadable, disguised message. Decryption reverses the process. A key is required to
encrypt and decrypt a message. The key is the link between the plaintext and ciphertext.
