Project Title
Plan and Design network infrastructure of BAKHTA BANK
Vice Chancellor___________________________
Signature
---------------------------------------------------------
Head of department_________________________
Remarks _______________________
Signature -------------------------------------------------------------
Supervisor________________________________
Remarks _______________________
Signature
----------------------------------------------------------
Assistant Supervisor_________________________
Remarks _______________________
Signature
-----------------------------------------------------------
External Supervisor_________________________
Remarks _______________________
Signature
-----------------------------------------------------------
ABSTRACT
The goal of this thesis project is to plan and design a new network infrastructure for
Bakhter Bank that enables clients at the head quarters and the branches to access the CBS
(Core Banking Solution) software.
DEDICATION
I dedicate my humble effort to my family and parents, whose affection, love, encouragement and
prayers, day and night, enabled me to achieve such success and honor, along with the hard work
of my respected teacher Mr. Shams ur Rehman, who guided me through this project from
beginning to end; I am thankful to him.
Declaration
I hereby declare that this thesis is my own work and effort and that it has not been submitted
anywhere for any award. Where other sources of information have been used, they have been
acknowledged.
The work was done under the supervision of Associate Professor Mr. Shams ur Rehman at
Maiwand Institute of Higher Education, Kabul, Afghanistan.
ACKNOWLEDGEMENT
We take this opportunity as a privilege to thank all the individuals without whose support and
guidance we could not have completed our project in the stipulated period of time.
First and foremost, we would like to express our deepest gratitude to our project supervisor Mr.
Shams Ur Rehman Shinwari, Department of Computer Science, for his invaluable support,
guidance, motivation and encouragement throughout the period in which this work was carried out.
We would also like to thank all the professors and members of the Department of Computer
Science for their generous help in various ways towards the completion of the thesis. We also extend
our thanks to our fellow students for their friendly co-operation.
Table of Contents
Chapter 1 Introduction
1.1 Project Information
1.2 Project Background
1.3 Project Summary
1.4 Project Objectives
1.5 Project Methodology
Chapter 2 Network Architecture
2.1 Network Design Diagram
2.2 Project Network Lab Simulation Diagram
2.3 IP Schema
2.3.1 Selection and Use of the Routing Protocol for the Project
2.4 Cisco EIGRP (Enhanced Interior Gateway Routing Protocol)
2.4.1 Administrative Distance
2.4.2 Metrics
2.4.3 EIGRP Features
2.4.4 EIGRP Components
2.4.5 Neighbor Discovery/Recovery
2.4.6 Reliable Transport
2.4.7 DUAL Finite State Machine
2.4.8 Protocol-Dependent Modules
2.4.9 EIGRP Operation
2.5 Core Segment
2.6 DMZ Segment
2.7 WAN Segment
Chapter 3 High Availability and Failover
3.1 Network Availability Redundancy
3.1.1 Review of Failover Times
3.1.2 Optimal Redundancy
3.2 GLBP Overview
3.2.1 GLBP Benefits
3.2.2 GLBP Active Virtual Gateway
3.2.3 GLBP Virtual MAC Address Assignment
3.2.4 GLBP Virtual Gateway Redundancy
3.2.5 GLBP Virtual Forwarder Redundancy
3.2.6 GLBP Gateway Priority
3.2.7 GLBP Gateway Weighting and Tracking
Chapter 4 VPN, IPSec and NAT/PAT
4.1 IPSec VPN between HQ and Branches
4.1.1 What is a VPN
4.2 Advantages and Disadvantages
4.3 Types of VPN
4.3.1 Site-to-Site VPNs
4.3.2 Remote-Access VPNs
4.4 Securing a VPN
4.4.1 VPN Encryption
4.4.2 VPN Tunneling
4.5 Using IPSec in a VPN
4.5.1 Network Diagram
4.5.2 Configurations
4.6 NAT and PAT to Translate Internal Traffic to Public Addresses
4.7 Using Inter-VLAN Routing (Router-on-a-Stick)
4.7.1 External Router (Router-on-a-Stick)
4.7.2 Implementation Planning
4.7.3 SVI Autostate
Chapter 5 Network Configuration
5.1 Network Configuration Part
5.1.1 Devices Configuration Part
References
Chapter 1
Introduction
1.1 Project information:
Bakhter Bank is a private bank with nearly 700 employees spread over several provinces of
the country, with its main office in Kabul City.
The bank plans to equip its administrative staff with technology and, in the long run, to
transform its manual administrative processes into a computerized, paperless system, extending
the accessibility and connectivity of technology-related systems to all administrative
departments.
The goal of this project is to plan and design a new network infrastructure for Bakhter Bank that
enables clients at the head quarters and the branches to access the CBS (Core Banking Solution)
software.
In the current Bakhter Bank network infrastructure there is no connectivity between the
Bakhter head office and the branches for accessing the core banking system, and the existing
network has no standard design or network devices, so all transactions and business processes
are carried out by phone.
The current situation has the following problems:
- Each branch's financial database is separate and is not synchronized with the HO database.
- Business processing is carried out by phone and over the Internet, which is insecure.
- Customer transactions are delayed.
- Because the Bakhter Bank branches are not connected to Bakhter HQ, every process takes a
long time to complete.
- There is no proper method for troubleshooting, checking and auditing the branches.
All of the problems mentioned above can be addressed by the new Bakhter Bank network
infrastructure that we have planned to design.
System Requirements:
Windows XP
Windows 7
Note that Windows XP reached end of support on 8 April 2014 and no longer receives security
updates; workstations that access the core banking system should run a supported version.
Chapter 2
Network Architecture
2.1 Network Design Diagram
Upon understanding the requirements of the bank, it was clear that we would require stringent
security with full redundancy (fallback) at all critical levels. The objective of the network
connectivity was to enable centralized communication to the Oracle FLEXCUBE server, which is
the core banking application. All branches should be able to connect to the data center by any
available means of WAN connectivity, such as IPSec over the Internet, radio links or private
leased circuits.1
1
Andrew S. Tanenbaum, David J. Wetherall, "Computer Networks", 5th edition, Pearson Education,
Inc., publishing as Prentice Hall, 2011, page 20.
2.3 IP Schema
The IP address schema is planned with RFC 1918 private address space, with adequate IP ranges
for all locations; the addressing designed for Bakhter Bank avoids overlapping ranges and waste
of IP addresses.
Table: IP schema (column headings)
No | IP Segment | Network | Number of Hosts | Subnet plan | Status
2.3.1 Selection and Use of the Routing Protocol for the project
A dynamic routing protocol is used in this project for redundancy and for load balancing across
unequal-cost paths.
Cisco EIGRP was selected. EIGRP was a Cisco-proprietary protocol (its specification was later
published as RFC 7868) and it is the only commonly deployed interior gateway protocol that
supports unequal-cost load balancing, configured with the variance command.
2.4 Cisco EIGRP (Enhanced Interior Gateway Routing Protocol)
A router running EIGRP stores all its neighbors' routing tables so that it can quickly adapt to
alternate routes. If no appropriate route exists, EIGRP queries its neighbors to discover an
alternate route. These queries propagate until an alternate route is found.
EIGRP's support for variable-length subnet masks permits routes to be automatically
summarized on a network number boundary. In addition, EIGRP can be configured to
summarize on any bit boundary at any interface.2
2.4.1 Administrative Distance
Administrative distance is the feature routers use to select the best path when there are two or
more routes to the same destination from different routing protocols. Administrative distance
expresses the trustworthiness of a routing source: each routing protocol is ranked from most to
least believable by its administrative distance value, and the route with the lowest value is
installed. Internal EIGRP routes have an administrative distance of 90 and external EIGRP
routes 170.
2.4.2 Metrics
A metric is the measure a routing protocol uses to calculate the best path to a destination when it
learns multiple paths to the same destination. Each routing protocol uses a different metric, so it
is always necessary to know what a routing protocol uses for its metric. EIGRP's composite
metric can be built from:
1. Bandwidth
2. Delay
3. Reliability
4. Load
5. MTU
By default only bandwidth and delay are used (K1 = K3 = 1, K2 = K4 = K5 = 0); MTU is
carried in updates but is not part of the metric calculation.
2
Andrew S. Tanenbaum, David J. Wetherall, "Computer Networks", 5th edition, Pearson Education,
Inc., publishing as Prentice Hall, 2011, pages 25, 26.
EIGRP has protocol-dependent modules for:
o AppleTalk
o Internet Protocol (IP)
o Novell NetWare (IPX/SPX)
2.4.4 EIGRP Components
EIGRP has four components that need to be understood and that are covered in any Cisco exam:
Neighbor Discovery/Recovery
Reliable Transport Protocol
DUAL Finite State Machine
Protocol-Dependent Modules
2.4.5 Neighbor Discovery/Recovery
Neighbor discovery/recovery is the process routers use to learn about other routers that are
directly connected to them, including detecting when a neighbor goes down. It is achieved by
sending small hello packets at periodic intervals (every 5 seconds on most links, every 60
seconds on low-speed NBMA links). If a neighbor's hellos are not heard for the hold time (by
default three times the hello interval), the neighbor is declared down.
2.4.6 Reliable Transport
EIGRP does not run over TCP. It has its own Reliable Transport Protocol (RTP), carried directly
in IP as protocol number 88, which provides guaranteed, ordered delivery with sequence numbers
and acknowledgments for the packets that need it (updates, queries and replies). Hellos and
acknowledgments are sent unreliably. Packets addressed to all neighbors are multicast to
224.0.0.10; retransmissions to an individual neighbor are unicast.
2.4.7 DUAL Finite State Machine
DUAL is the key component by which EIGRP determines its routing and forwarding tables.
DUAL stands for Diffusing Update Algorithm; it differs from other routing protocols in that
routing calculations are diffused (shared) among multiple routers. A router sends partial,
bounded updates rather than its whole routing table: an update is sent only for a route affected
by a topology change, and only to the neighbors that need it. This makes EIGRP a
bandwidth-efficient routing protocol, whereas other distance-vector protocols send periodic
updates that contain all route information by default.3
2.4.8 Protocol-Dependent Modules
Protocol-dependent modules handle network-layer, protocol-specific requirements, such as IP
or IPX. EIGRP maintains separate tables for each layer 3 protocol used in the network, just as
almost all routing protocols do.
2.4.9 EIGRP Operation
Neighbor Table
Each router keeps state information about adjacent neighbors. When newly discovered
neighbors are learned, the address and interface of the neighbor is recorded. This information is
stored in the neighbor data structure. The neighbor table holds these entries. There is one
neighbor table for each protocol dependent module. When a neighbor sends a hello, it advertises
a Hold Time. The Hold Time is the amount of time a router treats a neighbor as reachable and
3
Andrew S. Tanenbaum, David J. Wetherall, "Computer Networks", 5th edition, Pearson Education,
Inc., publishing as Prentice Hall, 2011, page 116.
operational. In other words, if a hello packet isn't heard within the Hold Time, then the Hold
Time expires. When the Hold Time expires, DUAL is informed of the topology change.
The neighbor table entry also includes information required by the reliable transport mechanism.
Sequence numbers are employed to match acknowledgments with data packets. The last
sequence number received from the neighbor is recorded so out of order packets can be detected.
A transmission list is used to queue packets for possible retransmission on a per neighbor basis.
Round trip timers are kept in the neighbor data structure to estimate an optimal retransmission
interval.
Topology Table
The Topology Table is populated by the protocol dependent modules and acted upon by the
DUAL finite state machine. It contains all destinations advertised by neighboring routers.
Associated with each entry is the destination address and a list of neighbors that have advertised
the destination. For each neighbor, the advertised metric is recorded. This is the metric that the
neighbor stores in its routing table. If the neighbor is advertising this destination, it must be
using the route to forward packets. This is an important rule that distance vector protocols must
follow.
Also associated with the destination is the metric that the router uses to reach the destination.
This is the sum of the best advertised metric from all neighbors plus the link cost to the best
neighbor. This is the metric that the router uses in the routing table and to advertise to other
routers.
Feasible Successors
A destination entry is moved from the topology table to the routing table when there is a feasible
successor. All minimum cost paths to the destination form a set. From this set, the neighbors
that have an advertised metric less than the current routing table metric are considered feasible
successors.
Feasible successors are viewed by a router as neighbors that are downstream with respect to the
destination. These neighbors and the associated metrics are placed in the forwarding table.
When a neighbor changes the metric it has been advertising or a topology change occurs in the
network, the set of feasible successors may have to be re-evaluated. However, this is not
categorized as a route recomputation.
When a link to a neighbor that is the only feasible successor goes down, all routes through that
neighbor commence a route recomputation and enter the Active state.
Configuration Example
To enable EIGRP on a router, enable EIGRP for an autonomous system (AS) number and define
the networks it should run on. AS numbers range from 1 to 65535 and must match on all routers
that are to become neighbors. The network statement takes an inverse (wildcard) mask:
Router# conf t
Router(config)# router eigrp {AS number}
Router(config-router)# network 192.168.0.0 0.0.255.255
Router(config-router)# no auto-summary
Authentication, the hello interval and hold time, and split horizon can also be configured from
the EIGRP configuration.
Testing
There are a few commands you will want to use to verify EIGRP is running correctly.
The EIGRP packet types involved are:
Packet type | Transport | Description
Hello | Multicast, unreliable | Used for neighbor discovery and neighbor recovery. If no hello is
received within the hold time, the neighbor is removed from the neighbor table, the routes learned
through it are removed from the topology and routing tables, and feasible successor routes are used.
Query | Multicast, reliable | Sent when one or more destinations enter the Active state.
This document illustrates how to add message authentication to your Enhanced Interior Gateway
Routing Protocol (EIGRP) routers and protect the routing table from willful or accidental
corruption.4
The addition of authentication to your routers' EIGRP messages ensures that your routers only
accept routing messages from other routers that know the same pre-shared key. Without this
authentication configured, if someone introduces another router with different or conflicting
route information on to the network, the routing tables on your routers could become corrupt
and a denial of service attack could ensue. Thus, when you add authentication to the EIGRP
4
http://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-routing-protocol-eigrp/16406-eigrp-toc.html
messages sent between your routers, it prevents someone from purposely or accidentally adding
another router to the network and causing a problem.
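The following is an added example of the configuration this section describes; it is not taken from the thesis's Chapter 5 device configurations. It puts MD5 authentication on one WAN link of the head-office router. The AS number 100, the key chain name BAKHTER-EIGRP, the key string, the interface GigabitEthernet0/1 and the 10.255.0.0/30 link address are assumptions; the branch router needs the same key chain (same key ID and key string) on its end of the link.

```cisco
! Added example: EIGRP MD5 authentication on the HQ side of a WAN link.
! The key chain holds the pre-shared key; key ID and key string must match
! on the branch router or the neighbor relationship never forms.
key chain BAKHTER-EIGRP
 key 1
  key-string Bakhter7Eigrp2014Wan
  accept-lifetime 00:00:00 Jan 1 2014 infinite
  send-lifetime 00:00:00 Jan 1 2014 infinite
!
! Assumed WAN interface toward Branch-01. Authentication is per interface
! and per AS number.
interface GigabitEthernet0/1
 description WAN link to Branch-01
 ip address 10.255.0.1 255.255.255.252
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 BAKHTER-EIGRP
!
! passive-interface default stops hellos on every interface, so a rogue host
! on a user VLAN cannot even attempt to peer; only the WAN link is opened up.
router eigrp 100
 network 10.0.0.0 0.255.255.255
 passive-interface default
 no passive-interface GigabitEthernet0/1
 no auto-summary
!
! Verification once both ends are configured:
!   show ip eigrp neighbors     (the branch must appear with a non-zero uptime)
!   show key chain              (confirms the chain and key lifetimes)
!   debug eigrp packets         (a wrong key logs "authentication mismatch")
```

A neighbor presenting a different key ID or key string is discarded before any of its updates are processed, so a mismatch shows up as a neighbor that never comes up, not as corrupted routes. Key lifetimes are evaluated against the router clock, so NTP must be in place before timed key rotation is relied on; to rotate, add key 2 with overlapping lifetimes on both routers before retiring key 1.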
To specify the type of authentication used in Enhanced Interior Gateway Routing Protocol
(EIGRP) packets, use the ip authentication mode eigrp command in interface configuration mode.
To disable
ICMP should be fully restricted between the Core layer and the DMZ servers; it may be enabled
for NOC users only, for management purposes.
Please note that, because of its open access to the Internet, this segment is highly exposed to
external threats and attacks, and a compromised DMZ host can be used as a platform for intrusion
into the internal network unless the filtering between the DMZ and the core is strict.
What is a DMZ?
In computer security, a DMZ or demilitarized zone (sometimes referred to as a perimeter
network) is a physical or logical subnetwork that contains and exposes an organization's
external-facing services to a larger, untrusted network, usually the Internet. The purpose of
a DMZ is to add an additional layer of security to an organization's local area network (LAN):
an external attacker has direct access only to equipment in the DMZ, not to any other part
of the network. This holds only if connections initiated from the DMZ into the internal network
are denied by default; otherwise a compromised DMZ server becomes a stepping stone into the
LAN. The name is derived from the term "demilitarized zone", an area between nation
states in which military operations are not permitted.
As per the system requirements of Bakhter, the network must have a DMZ for hosting the
e-mail service, the Bakhter website and the proxy server.
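The access lists below are an added example, not the thesis's own configuration, showing how the Core/DMZ ICMP rule above and the default-deny from the DMZ into the core can be enforced on the IOS router or layer 3 switch that fronts the DMZ. The addressing is assumed: NOC/management VLAN 10.10.99.0/24, user VLANs inside 10.10.0.0/16, DMZ 172.16.10.0/24 with the mail server at 172.16.10.10, the web server at 172.16.10.20 and the proxy at 172.16.10.30, all behind interface GigabitEthernet0/2.

```cisco
! Added example: stateless IOS ACLs for the Core <-> DMZ boundary.
! Assumed addresses: NOC 10.10.99.0/24, users 10.10.0.0/16, DMZ 172.16.10.0/24.
!
! Traffic leaving the router toward the DMZ (core -> DMZ).
ip access-list extended CORE-TO-DMZ
 remark ICMP is permitted only from the NOC, for management
 permit icmp 10.10.99.0 0.0.0.255 172.16.10.0 0.0.0.255 echo
 remark NOC administers DMZ servers over SSH only
 permit tcp 10.10.99.0 0.0.0.255 172.16.10.0 0.0.0.255 eq 22
 remark users reach the published services and nothing else
 permit tcp 10.10.0.0 0.0.255.255 host 172.16.10.30 eq 8080
 permit tcp 10.10.0.0 0.0.255.255 host 172.16.10.20 eq 80
 permit tcp 10.10.0.0 0.0.255.255 host 172.16.10.20 eq 443
 permit tcp 10.10.0.0 0.0.255.255 host 172.16.10.10 eq 25
 permit tcp 10.10.0.0 0.0.255.255 host 172.16.10.10 eq 143
 remark all other ICMP (and everything else) from the core is dropped and logged
 deny   icmp any 172.16.10.0 0.0.0.255 log
 deny   ip any any log
!
! Traffic entering the router from the DMZ (DMZ -> core or DMZ -> Internet).
ip access-list extended DMZ-IN
 remark echo replies to the NOC pings permitted above (stateless ACL needs the reverse rule)
 permit icmp 172.16.10.0 0.0.0.255 10.10.99.0 0.0.0.255 echo-reply
 remark DMZ servers may answer sessions opened from the core, never open new ones
 permit tcp 172.16.10.0 0.0.0.255 10.0.0.0 0.255.255.255 established
 deny   ip 172.16.10.0 0.0.0.255 10.0.0.0 0.255.255.255 log
 remark anything not aimed at the internal network goes on to the Internet edge
 permit ip 172.16.10.0 0.0.0.255 any
 deny   ip any any log
!
interface GigabitEthernet0/2
 description DMZ segment
 ip address 172.16.10.1 255.255.255.0
 ip access-group CORE-TO-DMZ out
 ip access-group DMZ-IN in
```

The established keyword only checks TCP flag bits, so a stateful firewall (or IOS zone-based firewall) between the core and the DMZ is preferable; the ACL pair above is the minimum that makes the text's rule enforceable and, through the logged denies, auditable. The explicit echo-reply entry is what lets the NOC pings permitted in CORE-TO-DMZ actually get an answer back.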
routers to avoid any black holes from other IPSec hub routers. The WAN architecture diagram
is depicted below.
The dynamic routing protocol EIGRP is used for routing traffic between the Bakhter Bank head
office and the branches.5
5
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ft_glbp.html
Chapter 3
High Availability and Fail Over
For high availability and redundancy, GLBP was selected from the Cisco first-hop redundancy
protocols (HSRP, VRRP and GLBP) and configured for failover. A brief introduction to the
Cisco GLBP protocol follows.
Redundancy is not only a question of added cost versus uptime and resiliency, but also a question
of complexity. Every piece of hardware and software deployed in the name of redundancy adds
administrative overhead and complexity, which is hard to quantify.6
Cisco recommends:
- Redundant switches at the core and distribution layers with fully redundant links
- Access switches with redundant links to redundant distribution switches
- Avoiding single points of failure as much as possible
- At the access layer this can be achieved with help from SSO (for layer 2) and potentially
NSF (for layer 3)
6
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ft_glbp.html
Note: GLBP is Cisco proprietary and is not supported on every Cisco platform (the platforms
considered here are the Catalyst 4500 and 6500 and the Nexus lines); confirm GLBP support for
the chosen hardware before the design depends on it. Where it is unavailable, HSRP or the
standards-based VRRP provides gateway redundancy without the load sharing.
The routers running GLBP elect a single Active Virtual Gateway (AVG), which manages the
load balancing and responds to ARP requests. The router with the highest priority wins; in a tie,
the highest IP address wins. Group members send multicast hellos every 3 seconds (to
224.0.0.102); if a router goes down, another answers for its requests.
The job of the AVG is to assign virtual MAC addresses to each of the other GLBP routers and
to assign each network host to one of the GLBP routers. The routers that receive the MAC
address assignment are the Active Virtual Forwarders, or AVFs.
GLBP provides automatic router backup for IP hosts configured with a single default gateway
on an IEEE 802.3 LAN. Multiple first-hop routers on the LAN combine to offer a single virtual
first-hop IP router while sharing the IP packet forwarding load. Other routers on the LAN may
act as redundant GLBP routers that will become active if any of the existing forwarding routers
fail.
GLBP performs a similar function for the user as HSRP and VRRP. HSRP and VRRP allow
multiple routers to participate in a virtual router group configured with a virtual IP address. One
member is elected to be the active router to forward packets sent to the virtual IP address for the
group. The other routers in the group are redundant until the active router fails. These standby
routers have unused bandwidth that the protocol is not using. Although multiple virtual router
groups can be configured for the same set of routers, the hosts must be configured for different
default gateways, which results in an extra administrative burden. The advantage of GLBP is
that it additionally provides load balancing over multiple routers (gateways) using a single
virtual IP address and multiple virtual MAC addresses. The forwarding load is shared among
all routers in a GLBP group rather than being handled by a single router while the other routers
stand idle.
Each host is configured with the same virtual IP address, and all routers in the virtual router
group participate in forwarding packets. GLBP members communicate between each other
through hello messages sent every 3 seconds to the multicast address 224.0.0.102, UDP port
3222 (source and destination).
3.2.1.3 Preemption
The redundancy scheme of GLBP enables you to preempt an active virtual gateway with a
higher priority backup virtual gateway that has become available. Forwarder preemption works
in a similar way, except that forwarder preemption uses weighting instead of priority and is
enabled by default.
3.2.1.4 Authentication
GLBP supports the industry-standard message digest 5 (MD5) algorithm for improved
reliability, security and protection against GLBP-spoofing software. A router within a GLBP
group whose authentication string differs from that of the other routers is ignored by the other
group members. A simple text password scheme can alternatively be used between GLBP group
members to detect configuration errors; it gives no protection against an attacker on the segment,
because the password travels in clear text in every hello, so MD5 authentication should be used
on production segments.7
Members of a GLBP group elect one gateway to be the active virtual gateway (AVG) for that
group. Other group members provide backup for the AVG if the AVG becomes unavailable.
The AVG assigns a virtual MAC address to each member of the GLBP group. Each gateway
assumes responsibility for forwarding packets sent to the virtual MAC address assigned to it by
the AVG. These gateways are known as active virtual forwarders (AVFs) for their virtual MAC
address. The AVG is also responsible for answering Address Resolution Protocol (ARP)
requests for the virtual IP address. Load sharing is achieved by the AVG replying to the ARP
requests with different virtual MAC addresses.
Prior to Cisco IOS Releases 15.0(1)M1, 12.4(24)T2 and 15.1(2)T, when the no glbp
load-balancing command is configured, the AVG always responds to ARP requests with the
MAC address of its AVF.
The AVG responds to ARP requests sent by end hosts to the virtual gateway IP address, and
replies with different virtual MAC addresses that correspond to different active virtual
forwarders (AVFs).
The AVFs are responsible for forwarding traffic sent to the virtual MAC address allocated to
them by the AVG. Both the AVG and the AVFs are redundant: if the physical router acting as the
AVG or as an AVF fails, another physical router takes over its role.
7
http://www.cisco.com/c/en/us/td/docs/security/pix/pix72/quick/guide/dmz_p.html
messages. A virtual forwarder that has learned the virtual MAC address is referred to as a
secondary virtual forwarder.8
8
Nurul I. Sarkar, Auckland University of Technology, New Zealand, “Tools for teaching computer networking and
hardware concepts”,7th edition, Published in the United States of America by Information Science Publishing (an
imprint of Idea Group Inc.) 2006, page# 25
If an AVG fails, the standby virtual gateway will assume responsibility for the virtual IP address.
A new standby virtual gateway is then elected from the gateways in the listen state.
Virtual forwarder redundancy is similar to virtual gateway redundancy with an AVF. If the AVF
fails, one of the secondary virtual forwarders in the listen state assumes responsibility for the
virtual MAC address.
The new AVF is also a primary virtual forwarder for a different forwarder number. GLBP
migrates hosts away from the old forwarder number using two timers that start as soon as the
gateway changes to the active virtual forwarder state. GLBP uses the hello messages to
communicate the current state of the timers.
The redirect time is the interval during which the AVG continues to redirect hosts to the old
virtual forwarder MAC address. When the redirect time expires, the AVG stops using the old
virtual forwarder MAC address in ARP replies, although the virtual forwarder will continue to
forward packets that were sent to the old virtual forwarder MAC address.
The secondary holdtime is the interval during which the virtual forwarder is valid. When the
secondary holdtime expires, the virtual forwarder is removed from all gateways in the GLBP
group. The expired virtual forwarder number becomes eligible for reassignment by the AVG.
If another router exists in the same GLBP group with a higher priority, the router with the
higher priority is elected. If both routers have the same priority, the backup virtual gateway with
the higher IP address is elected to become the active virtual gateway.
By default, the GLBP virtual gateway preemptive scheme is disabled: a backup virtual gateway
can become the AVG only if the current AVG fails, regardless of the priorities assigned to the
virtual gateways.
You can enable the GLBP virtual gateway preemptive scheme using the glbp preempt
command. Preemption allows a backup virtual gateway to become the AVG if the backup virtual
gateway is assigned a higher priority than the current AVG.9
The weighting assigned to a router in the GLBP group can be used to determine whether it will
forward packets and, if so, the proportion of hosts in the LAN for which it will forward packets.
Thresholds can be set so that forwarding is disabled when the weighting for a GLBP group falls
below a lower threshold and automatically re-enabled when it rises above an upper threshold.
The GLBP group weighting can be automatically adjusted by tracking the state of an interface
within the router.
If a tracked interface goes down, the GLBP group weighting is reduced by a specified value.
Different interfaces can be tracked to decrement the GLBP weighting by varying amounts.
By default, the GLBP virtual forwarder preemptive scheme is enabled with a delay of 30
seconds.
9 Nurul I. Sarkar (Auckland University of Technology, New Zealand), Tools for Teaching Computer
Networking and Hardware Concepts, 7th edition, Information Science Publishing (an imprint of Idea
Group Inc.), USA, 2006, pp. 48-49.
A backup virtual forwarder can become the AVF if the current AVF weighting falls below the
low weighting threshold for 30 seconds.
You can disable the GLBP forwarder preemptive scheme using the no glbp forwarder preempt
command or change the delay using the glbp forwarder preempt delay minimum command.
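The gateway and forwarder behaviour described above, brought together in one configuration. This is an added example and not part of the thesis: the group number, VLAN, addresses, interface names and key string are assumed. DIST-1 is the preferred AVG (priority 150) and both routers track their WAN uplink; losing the uplink drops the weighting from 110 to 80, below the lower threshold of 85, so that router stops forwarding until the uplink returns and the weighting climbs back above the upper threshold of 105.

```cisco
! Added example: GLBP group 1 on two distribution routers (names, VLAN,
! addresses and the key string are assumptions, not values from the thesis)
!
! --- DIST-1: preferred AVG, tracks its WAN uplink ---
track 10 interface GigabitEthernet0/1 line-protocol
!
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.10.10.2 255.255.255.0
 glbp 1 ip 10.10.10.1
 glbp 1 priority 150
 ! gateway preemption is off by default; enable it with a settle delay
 glbp 1 preempt delay minimum 60
 ! max 110, stop forwarding below 85, resume above 105
 glbp 1 weighting 110 lower 85 upper 105
 ! uplink down -> 110 - 30 = 80 < 85 -> this AVF stops forwarding
 glbp 1 weighting track 10 decrement 30
 glbp 1 load-balancing round-robin
 glbp 1 authentication md5 key-string CHANGE-ME-shared-secret
 glbp 1 timers 1 3
!
! --- DIST-2: standby AVG, same group, same thresholds ---
track 10 interface GigabitEthernet0/1 line-protocol
!
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.10.10.3 255.255.255.0
 glbp 1 ip 10.10.10.1
 glbp 1 priority 100
 glbp 1 preempt
 glbp 1 weighting 110 lower 85 upper 105
 glbp 1 weighting track 10 decrement 30
 glbp 1 load-balancing round-robin
 glbp 1 authentication md5 key-string CHANGE-ME-shared-secret
 glbp 1 timers 1 3
 ! forwarder preemption is on by default with a 30 second delay;
 ! "glbp 1 forwarder preempt delay minimum 30" is therefore implicit
```

Verify with show glbp brief (state, priority, weighting and which router owns each forwarder) and show track 10. The MD5 authentication matters in a bank LAN: without it any host on the VLAN can send GLBP hellos with a higher priority and take over the virtual gateway address.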
Chapter 4
VPN, IPSec and NAT/PAT
4.1 IPSec VPN between HQ and Branches
I have used an IPsec VPN to secure the traffic of the core banking system; it is not used for
any other traffic.
A virtual private network (VPN) extends a private network across a public network, such as the
Internet. It enables a computer to send and receive data across shared or public networks as if it
were directly connected to the private network, while benefiting from the functionality, security
and management policies of the private network. This is done by establishing a virtual point-
to-point connection through the use of dedicated connections, encryption, or a combination of
the two.
A VPN connection across the Internet is similar to a wide area network (WAN) link between the
sites. From a user perspective, the extended network resources are accessed in the same way as
resources available from the private network.
VPNs allow employees to securely access their company's intranet while traveling outside the
office. Similarly, VPNs securely and cost-effectively connect geographically disparate offices
of an organization, creating one cohesive virtual network. VPN technology is also used by
ordinary Internet users to connect to proxy servers for the purpose of protecting one's identity.10
10 Nurul I. Sarkar (Auckland University of Technology, New Zealand), Tools for Teaching Computer
Networking and Hardware Concepts, 7th edition, Information Science Publishing (an imprint of Idea
Group Inc.), USA, 2006, pp. 59-60.
There are several potential disadvantages with VPN use. The lack of Quality of Service (QoS)
management over the Internet can cause packet loss and other performance issues. Adverse
network conditions that occur outside of the private network are beyond the control of the VPN
administrator. For this reason, many large corporations pay for the use of trusted VPNs that use
a private network to guarantee QoS. Vendor interoperability is another potential disadvantage,
as VPN technologies from one vendor may not be compatible with VPN technologies from
another vendor. Neither of these disadvantages has prevented the widespread acceptance and
deployment of VPN technology.
Site-to-site VPNs connect entire networks to each other; for example, a site-to-site VPN can be
used to connect a branch or remote office network to a company headquarters network. Each
site is equipped with a VPN gateway, such as a router, firewall, VPN concentrator, or security
appliance.
In the figure below, a remote branch office uses a site-to-site VPN to connect with the corporate
head office.
Hosts at each site send and receive TCP/IP traffic through a VPN gateway, which could be a
router or a PIX firewall appliance.
The VPN gateway is responsible for encapsulating and encrypting all outbound traffic from a
particular site and sending it through a VPN tunnel over the Internet to a peer VPN gateway at
the target site. On receipt, the peer VPN gateway strips the headers, decrypts the content, and
relays the packet toward the target host inside its private network.
In a remote-access VPN, individual hosts or clients, such as telecommuters, mobile users and
extranet consumers, are able to access a company network securely over the Internet. Each host
typically has VPN client software loaded or uses a web-based client.
Whenever the host tries to send any information, the VPN client software encapsulates and
encrypts the information before sending it over the Internet to the VPN gateway at the edge of
the target network. On receipt, the VPN gateway handles the data in the same way as it would
handle data from a site-to-site VPN.
If you are using a public line to connect to a private network, what makes a virtual private
network private? The answer is the way the VPN is designed. A VPN provides a secure,
encrypted tunnel in which to transmit the data between the remote user and the company
network. The information transmitted between the two locations via the encrypted tunnel cannot
be read by anyone else, and any modification in transit is detected and the packet discarded.
VPN security contains several elements to secure both the company's private network and the
outside network, usually the Internet, through which the remote user connects. The first
step is usually a firewall. A firewall sits between the client (the remote user's workstation)
and the host server, which is the connection point to the private network. The remote user
establishes an authenticated connection with the firewall.
Encryption is also an important component of a secure VPN. Encryption works by having all
data sent from one computer encrypted in such a way that only the computer it is sent to can
decrypt the data. Two types of encryption are commonly used. Public-key (asymmetric)
encryption is a system that uses two keys, a public key known to everyone and a private or
secret key known only to the recipient of the message. The other commonly used system is
symmetric-key encryption, in which the sender and receiver of a message share a single,
common key that is used to encrypt and decrypt the message. In practice a VPN combines the
two: asymmetric cryptography (or a pre-shared key) authenticates the peers and agrees on
session keys, and a symmetric cipher protects the bulk traffic.
With a VPN you'll need to establish a network connection that is based on the idea of tunneling.
There are two main types of tunneling used in virtual private networks. Voluntary tunneling is
where the client makes a connection to the service provider then the VPN client creates the
tunnel to the VPN server once the connection has been made. In compulsory tunneling the
service provider manages the VPN connection and brokers the connection between that client
and a VPN server.
There are three main network protocols for use with VPN tunnels, which are generally
incompatible with each other. They include the following
4.4.2.1 IPSec
A set of protocols developed by the IETF to support secure exchange of packets at the IP layer.
IPsec has been deployed widely to implement VPNs. IPsec supports two modes: transport and
tunnel. Transport mode protects only the data portion (payload) of each packet and leaves the
original IP header in place. Tunnel mode encapsulates the whole original packet, header
included, inside a new IP packet, so it is the mode used between VPN gateways. On the
receiving side, an IPsec-compliant device verifies and decrypts each packet. For IPsec to work,
the sending and receiving devices must authenticate each other and agree on session keys. This
is accomplished by the Internet Key Exchange (IKE), built on the Internet Security Association
and Key Management Protocol and Oakley (ISAKMP/Oakley), which lets the peers
authenticate with pre-shared keys or digital certificates and derive keys through a
Diffie-Hellman exchange.
4.4.2.2 PPTP
Short for Point-to-Point Tunneling Protocol, a technology for creating VPNs, developed
jointly by Microsoft, U.S. Robotics and several remote access vendor companies, known
collectively as the PPTP Forum. A VPN is a private network of computers that uses the public
Internet to connect some nodes. Because the Internet is essentially an open network, PPTP is
used to ensure that messages transmitted from one VPN node to another are secure. With PPTP,
users can dial in to their corporate network via the Internet. PPTP's authentication (MS-CHAPv2)
and its MPPE encryption have known weaknesses, so it is not suitable for protecting banking
traffic today.
4.4.2.3 L2TP
Short for Layer Two (2) Tunneling Protocol, an extension to the PPP protocol that enables ISPs
to operate Virtual Private Networks (VPNs). L2TP merges the best features of two other
tunneling protocols: PPTP from Microsoft and L2F from Cisco Systems. Like PPTP, L2TP
requires that the ISP's routers support the protocol. L2TP by itself only tunnels; it provides no
encryption, so in practice it is run over IPsec (L2TP/IPsec).
Depending on the type of VPN you decide to implement, either remote-access or site-to-site,
you will need specific components to build your VPN. These standard components include a
software client for each remote workstation, dedicated hardware, such as a firewall or a product
like the Cisco VPN Concentrator, a VPN server, and a Network Access Server (NAS).
Key terms for understanding virtual private networks:
VPN
A network that is constructed by using public wires to connect nodes. For example, there are a
number of systems that enable you to create networks using the Internet as the medium for
transporting data.
VPDN
A network that extends remote access to a private network using a shared infrastructure.
tunneling
A technology that enables one network to send its data via another network's connections.
Tunneling works by encapsulating a network protocol within packets carried by the second
network.11
split tunneling
The process of allowing a remote VPN user to access a public network, most commonly the
Internet, at the same time that the user is allowed to access resources on the VPN.
encryption
The translation of data into a secret code. Encryption is the most effective way to achieve data
security. To read an encrypted file, you must have access to a secret key or password that enables
you to decrypt it. There are two main types of encryption: asymmetric encryption (also called
public-key encryption) and symmetric encryption.
11
http://docwiki.cisco.com/wiki/Internetworking_Technology_Handbook
4.5.2 Configurations
This document uses these configurations:
Router A
Router B
Router A
RouterA#show running-config
Building configuration...
Current configuration : 1132 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R9
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
!
!--- Create an ISAKMP policy for Phase 1
!--- negotiations for the L2L tunnels.
Router B
RouterB#show running-config
Building configuration...
Current configuration : 835 bytes
!
version 12.4
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R2
!
!
ip subnet-zero
!
!
!--- Create an ISAKMP policy for Phase 1
!--- negotiations for the L2L tunnels.
!--- Note: MD5 (and the default DES encryption of this policy)
!--- are obsolete; they are kept here only as shown in the example.
crypto isakmp policy 10
 hash md5
 authentication pre-share
!--- Specify the pre-shared key and the remote peer address
!--- to match for the L2L tunnel.
crypto isakmp key vpnuser address 172.16.1.1
!
!--- Create the Phase 2 policy for actual data encryption.
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
!--- Create the crypto map. Specify the peer IP address,
!--- the transform set, and the crypto ACL that selects
!--- the traffic to be protected.
!
crypto map mymap 10 ipsec-isakmp
 set peer 172.16.1.1
 set transform-set myset
 match address 100
!
!
!
!
interface Ethernet0
 ip address 172.16.2.1 255.255.255.0
!
!--- Apply the crypto map on the outside interface.
interface Ethernet1
 ip address 10.0.0.2 255.255.255.0
 crypto map mymap
!
interface Serial0
 no ip address
 shutdown
 no fair-queue
!
interface Serial1
 no ip address
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.1
ip http server
!
!--- Create an ACL for the traffic to be encrypted.
!--- In this example, the traffic from 172.16.2.0/24 to 10.1.1.0/24
!--- is encrypted. Traffic that does not match the access list
!--- is sent unencrypted to the Internet.
access-list 100 permit ip 172.16.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
line con 0
line aux 0
line vty 0 4
!
end
IPsec is an Internet Engineering Task Force (IETF) standard suite of protocols that provides
data authentication, integrity and confidentiality as data is transferred between communication
points across IP networks. IPsec provides data security at the IP packet level. A packet is a data
bundle that is organized for transmission across a network, and it includes a header and payload
(the data in the packet). IPsec emerged as a viable network security standard because enterprises
wanted to ensure that data could be securely transmitted over the Internet. IPsec protects against
possible security exposures by protecting data while in transit.
IPsec is the standard method for connecting network sites securely across untrusted networks.
IPsec was designed to provide the following security features when transferring packets across
networks:12
1. Authentication: verifies that the packet received is actually from the claimed sender.
2. Integrity: ensures that the contents of the packet did not change in transit.
3. Confidentiality: conceals the message content through encryption.
4. ESP provides authentication, integrity and confidentiality, which protect against data
tampering and, most importantly, protect the message content.
5. IPsec provides an open framework for implementing industry-standard algorithms such
as SHA and MD5 (MD5 is obsolete and SHA-1 is being phased out; prefer SHA-256
where the platform supports it). The algorithms IPsec uses produce a unique and
unforgeable identifier for each packet, the data equivalent of a fingerprint. This
fingerprint allows the device to determine whether a packet has been tampered with.
Packets that fail authentication are discarded and not delivered to the intended receiver.
6. ESP also provides all encryption services in IPsec. Encryption translates a readable
message into an unreadable format to hide the message content. The opposite process,
called decryption, translates the message content from an unreadable format back into a
readable message. Encryption/decryption allows only the sender and the authorized
receiver to read the data. In addition, ESP has an option to perform authentication, called
ESP authentication. Using ESP authentication, ESP provides authentication and integrity
for the payload and not for the outer IP header (in tunnel mode the original header is part
of the protected payload).
12
http://www.cisco.com/c/en/us/products/switches/catalyst-6500-series-switches/index.html
IPSec uses the Internet Key Exchange (IKE) protocol to facilitate and automate the SA setup
and the exchange of keys between parties transferring data. Using keys ensures that only the
sender and receiver of a message can access it.
IPSec requires that keys be re-created, or refreshed, frequently so that the parties can
communicate securely with each other. IKE manages the process of refreshing keys; however,
a user can control the key strength and the refresh frequency. Refreshing keys on a regular basis
ensures data confidentiality between sender and receiver.
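The Router B configuration shown earlier uses MD5, DES and a short pre-shared key, and restricts nothing but the subnet pair. The following is an added example, not the thesis's configuration or the Cisco document it draws on, of the same tunnel rebuilt the way the text above calls for: stronger algorithms, explicit IKE and IPsec lifetimes so that keys are refreshed, and a crypto ACL that admits only the core banking flows. The peer address and subnets are taken from the Router B example; the CBS server address (10.1.1.10) and its ports (tcp 8443 and 1521) are assumptions, and values in angle brackets are placeholders. sha256 hashing and esp-sha256-hmac are not available on the 12.4 release shown and need a later IOS (15.x); on 12.4 the nearest supported choices are hash sha and esp-sha-hmac.

```cisco
! Added example: Router B's site-to-site tunnel, hardened. Addresses and
! ports of the CBS server are assumptions; <...> values are placeholders.
!
! Phase 1: AES-256, SHA-256, 2048-bit DH group, re-keyed every 8 hours
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
!
! One long random key per peer, bound to that peer's address only
crypto isakmp key <long-random-pre-shared-key> address 172.16.1.1
! Dead peer detection so a failed peer is noticed within ~30 seconds
crypto isakmp keepalive 10 3 periodic
!
! Phase 2: AES-256 with SHA-256 integrity, SAs refreshed every hour
crypto ipsec transform-set CBS-SET esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec security-association lifetime seconds 3600
!
crypto map CBS-MAP 10 ipsec-isakmp
 description Branch-to-HQ core banking traffic only
 set peer 172.16.1.1
 set transform-set CBS-SET
 ! fresh DH exchange for every Phase 2 rekey
 set pfs group14
 match address CBS-TRAFFIC
!
! Only the CBS flows are "interesting" traffic. Anything else from the
! branch LAN is NOT matched and therefore leaves the router in the clear,
! which is the behaviour the thesis describes for this VPN.
ip access-list extended CBS-TRAFFIC
 permit tcp 172.16.2.0 0.0.0.255 host 10.1.1.10 eq 8443
 permit tcp 172.16.2.0 0.0.0.255 host 10.1.1.10 eq 1521
!
interface Ethernet1
 ip address 10.0.0.2 255.255.255.0
 crypto map CBS-MAP
```

The peer must carry the mirror image of CBS-TRAFFIC (source host 10.1.1.10, destination 172.16.2.0/24) and the same policy and transform set, or Phase 2 fails. If the outside interface also performs NAT, the CBS flows have to be exempted from translation before the crypto map sees them. Check the result with show crypto isakmp sa and show crypto ipsec sa; the encaps/decaps counters on the ipsec SA are the quickest way to confirm that traffic is actually inside the tunnel.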
NAT is included as part of a router and is often part of a corporate firewall. Network
administrators create a NAT table that does the global-to-local and local-to-global IP address
mapping. NAT can also be used in conjunction with policy routing. NAT can be statically
defined or it can be set up to translate dynamically from and to a pool of IP addresses. Cisco's
version of NAT lets an administrator create tables that map local addresses to global
addresses.13
13
http://www.cisco.com/c/en/us/products/collateral/routers/3900-series-integrated-services-routers-isr/data_sheet_c78_553924.html
NAT is described in general terms in RFC 1631 (since replaced by RFC 3022), which discusses
NAT's relationship to Classless Interdomain Routing (CIDR) as a way to reduce the IP address
depletion problem. NAT reduces the need for a large number of publicly known IP addresses by
creating a separation between publicly known and privately known IP addresses. CIDR
aggregates publicly known IP addresses into blocks so that fewer IP addresses are wasted. In
the end, both extend the use of IPv4 addresses for a few more years before IPv6 is generally
supported.
Network Address Translation (NAT) can be configured to work on your network a few different
ways. The type of NAT you choose to implement depends on what your goals are for NAT and
your public address management. NAT methods include
1. Static NAT:
Puts a permanent mapping between an internal private address and a public address. In this
scenario, 192.168.8.50 will always map out to 192.0.2.75. This type of NAT may be used
for allowing traffic into a mail server or web server.
2. Dynamic NAT:
Puts a dynamic mapping between an internal private address and a public address. This also
creates a one-to-one relationship, on a first-come-first-served basis. The public address used
by a private device can change over time, so outside hosts cannot rely on it. This suits
systems that only need to connect out, when you are not concerned with outside devices
trying to connect in, unlike the previous web server example.
3. Overloading:
This is also known as Port Address Translation (PAT). In this case, multiple internal devices
are able to share one public address, as entries are placed into the translation table keyed on
the source and destination ports in use. As long as ports are available to be remapped, any
number of devices can share a very small pool of public addresses or just one public
address.
4. Overlapping:
NAT can be used when public or registered addresses are used inside your network. In this
case, you may use a public address block on multiple internal networks. NAT allows you to
translate those “internal” addresses to other publicly accessible addresses when you connect
to the “public” side of the router.
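The first three NAT forms above, written out for the WAN-RTR role of Chapter 5, whose interfaces already carry ip nat inside and ip nat outside. This is an added example, not the thesis's configuration: the public block 203.0.113.0/29 (a documentation range), the mail server address 172.16.0.25, the server hosts in the dynamic pool and the inside addressing are assumptions. The point a practitioner wants to see is the deny lines at the top of the overload ACL: branch-to-HQ traffic that rides the IPsec tunnel must not be translated, or it will never match the crypto ACL.

```cisco
! Added example: static NAT, dynamic NAT and PAT on WAN-RTR.
! Public block, server addresses and inside subnets are assumptions.
!
interface Ethernet0/0
 description ###TO-ISP-RTR###
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
!
interface Ethernet0/1
 description ###TO-WAN-SW###
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
! 1. Static NAT: the mail server is always 203.0.113.3 from outside.
!    Only the port it must expose (SMTP) is mapped, not the whole host.
ip nat inside source static tcp 172.16.0.25 25 203.0.113.3 25
!
! 2. Dynamic NAT: two servers share a two-address pool, one-to-one,
!    first come first served. The address a server gets is not stable.
ip nat pool SERVERS-POOL 203.0.113.4 203.0.113.5 netmask 255.255.255.248
ip nat inside source list NAT-SERVERS pool SERVERS-POOL
!
! 3. PAT (overload): every other inside host shares the outside
!    interface address, distinguished by source port.
ip nat inside source list NAT-USERS interface Ethernet0/0 overload
!
ip access-list extended NAT-SERVERS
 permit ip host 172.16.0.30 any
 permit ip host 172.16.0.31 any
!
ip access-list extended NAT-USERS
 ! branch <-> HQ traffic goes through the IPsec tunnel untranslated
 deny   ip 10.0.0.0 0.255.255.255 172.16.0.0 0.0.255.255
 deny   ip 172.16.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 ! hosts handled by the pool above must not also match the overload rule
 deny   ip host 172.16.0.30 any
 deny   ip host 172.16.0.31 any
 permit ip 10.0.0.0 0.255.255.255 any
 permit ip 172.16.0.0 0.0.255.255 any
```

show ip nat translations lists the active entries; with PAT the inside local column shows the same global address with differing ports. Static entries appear permanently, dynamic and PAT entries only while traffic flows and until their timeout.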
Many people quickly become lost among local, global, inside and outside addresses.
The following list describes the different types of addresses:
Therefore, the router could translate that address to 192.168.10.50, or it could be the
public address of the external host. The internal hosts would contact this address to deal
with the external host.
Advantages
Works with almost all switches because the switches do not have to support layer 3, just VLANs
and trunking
Disadvantages
Configuring Router-on-a-stick
Enable trunking on the switch port
Enable the router interface with the no shutdown command
Create a subinterface on the router for each VLAN
Configure the encapsulation and IP address on each subinterface to match its VLAN:
Router(config-subif)# encapsulation [dot1q | isl] vlan-id [native]
Router(config-subif)# ip address x.x.x.x x.x.x.x
Example router interface configuration
Router(config)# interface FastEthernet0/0
Router(config-if)# no shutdown
Router(config-if)# exit
Router(config)# interface FastEthernet0/0.1
Router(config-subif)# description VLAN 1
Router(config-subif)# encapsulation dot1Q 1 native
Router(config-subif)# ip address 10.1.1.1 255.255.255.0
Router(config-subif)# exit
Router(config)# interface FastEthernet0/0.2
Router(config-subif)# description VLAN 2
Router(config-subif)# encapsulation dot1Q 2
Router(config-subif)# ip address 10.2.2.1 255.255.255.0
Router(config-subif)# exit
Router(config)# end
14
http://www.cisco.com/c/en/us/products/switches/catalyst-3750-x-series-switches/index.html
Identify which VLANs require layer 3 gateways as you may not want all VLANs to be routable
within the organization
Make sure VLANs are first created on the switch, then make the SVIs
Find out what IPs need to be configured on each SVI interface, then use the no
shutdown command to enable them
Configure any routing protocols that are required
Determine if any switchports should be excluded from contributing to the SVI line-state up-and-
down calculation
Configuring SVIs
Enable IP routing
Create the VLANs
Create the SVI
Assign an IP address to each SVI
Enable the interface
Optional – Enable an IP routing protocol
Note: Routing protocols are only required to allow different devices to communicate across
different VLANs or networks. They are not required to route between SVIs on the same switch
because the switch sees the SVIs as connected interfaces.
Example Configuration
Switch# configure terminal
Switch(config)# ip routing
Switch(config)# vlan 10
Switch(config-vlan)# exit
Switch(config)# interface vlan 10
Switch(config-if)# ip address 10.10.1.1 255.0.0.0
Switch(config-if)# no shutdown
Switch(config-if)# exit
Switch(config)# router rip
Switch(config-router)# network 10.0.0.0
An SVI comes up when at least one port on the switch is in the VLAN, is in the up state, and is
in the spanning-tree forwarding state.
This automatic behaviour is called SVI Autostate. If there are multiple ports on the switch in
the same VLAN, the default action is to take down the SVI interface only when all of the ports
in that VLAN are down.
The switchport autostate exclude command, applied to a port, removes that port from the
calculation: the SVI goes down when all of the other ports in the VLAN go down, even though
the excluded port is still up. This is often desirable for a port that connects a traffic analyzer.
Such a port stays up but is only a passive monitor, so without the exclusion it would keep the
SVI up after every real host in the VLAN had gone away.
Routed Ports
Routed ports are physical ports on the switch that act much like a router interface with an IP
address configured. Routed ports are not associated with a particular VLAN and do not run
layer 2 protocols such as STP or VTP.
Note: Routed ports also do not support subinterfaces. Routed ports are point-to-point links
that usually connect core switches to other core switches or to distribution layer switches (if the
distribution layer is running layer 3). They can also be used when a switch has only a single
switch port per VLAN or subnet.
When configuring a routed port, use the no switchport command so that the interface operates
at layer 3, then assign an IP address and any other layer 3 information required. Lastly, check
that the appropriate routing protocols are configured.15
Advantages
A multilayer switch can have both SVIs and routed ports configured
Multilayer switches forward all layer 2 and 3 traffic in hardware, so it is very fast
Configuring Inter-VLAN Routing with Routed Ports
Select the interface
Convert it to a layer 3 port (no switchport command)
Add an IP address
Enable the interface (no shutdown command)
Example Configuration
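The four steps above carried out on both ends of a core-to-distribution link. This is an added example rather than the thesis's own configuration: the switch names, interface numbers, the /30 link address and the EIGRP process number are assumptions. Each routed link gets its own /30, and the routing protocol is made passive everywhere except on the point-to-point link so that adjacencies cannot be formed from access VLANs.

```cisco
! Added example: routed ports on a core/distribution pair
! (names, interfaces, addresses and EIGRP AS are assumptions)
!
! --- CORE-1 ---
ip routing
!
interface GigabitEthernet1/0/1
 description ###To-DIST-1-Gi1/0/1###
 no switchport                      ! leave layer 2; no VLAN, no STP, no VTP
 ip address 10.255.0.1 255.255.255.252
 no shutdown
!
router eigrp 100
 network 10.255.0.0 0.0.0.3
 passive-interface default
 no passive-interface GigabitEthernet1/0/1
!
! --- DIST-1 ---
ip routing
!
interface GigabitEthernet1/0/1
 description ###To-CORE-1-Gi1/0/1###
 no switchport
 ip address 10.255.0.2 255.255.255.252
 no shutdown
!
router eigrp 100
 network 10.255.0.0 0.0.0.3
 network 10.10.0.0 0.0.255.255      ! the SVIs behind this distribution switch
 passive-interface default
 no passive-interface GigabitEthernet1/0/1
```

show interfaces GigabitEthernet1/0/1 switchport reports "Switchport: Disabled" once the port is routed, and show ip eigrp neighbors should list the far end on that interface and nothing else.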
15
http://www.cisco.com/c/en/us/products/switches/catalyst-3750-x-series-switches/index.html
Chapter 5
Network Configuration
5.1 Network configuration part
5.1.1 Devices Configuration Part:
Branch Router Configuration
BR1-RTR#show running-config
Building configuration...
version 12.4
no service password-encryption
hostname BR1-RTR
boot-start-marker
boot-end-marker
aaa new-model
resource policy
memory-size iomem 5
ip tcp synwait-time 5
ip cef
no ip domain lookup
authentication pre-share
set transform-set 1
interface Ethernet0/0
description ###To-WAN-SW###
half-duplex
interface Ethernet0/1
description ###Branch-LAN###
half-duplex
interface Ethernet0/2
no ip address
shutdown
half-duplex
interface Ethernet0/3
no ip address
shutdown
half-duplex
no auto-summary
no ip http server
no ip http secure-server
control-plane
banner motd c
==============================================================================
BAKHTER BANK
==============================================================================
c
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
end
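The BR1-RTR running-config above leaves the management plane open: password encryption is off, aaa new-model is enabled without any login method, the console and AUX lines have exec-timeout 0 0 with privilege level 15, and vty 0 4 has neither a password, an access list nor a transport restriction, so Telnet is accepted from anywhere the router is reachable. The following is an added hardening example, not part of the thesis's configuration; the management subnet, domain name, syslog host and account name are assumptions, and values in angle brackets are placeholders to be replaced.

```cisco
! Added example: management-plane hardening for BR1-RTR.
! Management subnet, domain, syslog host and user name are assumptions.
!
! --- as configured on the page ---
! no service password-encryption   -> passwords stored in clear text
! aaa new-model                    -> enabled, but no login method defined
! line con 0 / line aux 0
!  exec-timeout 0 0                -> sessions never time out
!  privilege level 15              -> full privileges without a password
! line vty 0 4                     -> no password, no access-class, telnet open
!
! --- hardened ---
service password-encryption
service timestamps log datetime msec localtime show-timezone
enable secret <strong-enable-password>
username netadmin privilege 15 secret <strong-password>
!
! SSH needs a host name, a domain and an RSA key; the key generation
! command is entered once in configuration mode and does not appear
! in the running-config.
ip domain-name bakhterbank.local
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
aaa new-model
aaa authentication login default local
aaa authorization exec default local
!
! Only the HQ management subnet may open a vty session
ip access-list standard MGMT-HOSTS
 permit 172.16.0.0 0.0.0.255
 deny   any log
!
line con 0
 exec-timeout 10 0
 logging synchronous
line aux 0
 no exec                           ! modem port: nothing may log in here
 exec-timeout 0 1
 transport input none
line vty 0 4
 access-class MGMT-HOSTS in
 exec-timeout 10 0
 transport input ssh               ! telnet is no longer accepted
 logging synchronous
!
logging buffered 65536 informational
logging host 172.16.0.50
```

The same block applies unchanged to BR1-Host, WAN-RTR and ISP-RTR, which share the line configuration shown above. After applying it, confirm from a non-management address that telnet and ssh are both refused, and from the management subnet that show ip ssh reports version 2 before closing the console session.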
version 12.4
no service password-encryption
hostname BR1-Host
boot-start-marker
boot-end-marker
aaa new-model
resource policy
memory-size iomem 5
ip tcp synwait-time 5
ip cef
no ip domain lookup
interface Ethernet0/0
half-duplex
interface Ethernet0/1
no ip address
shutdown
half-duplex
interface Ethernet0/2
no ip address
shutdown
half-duplex
interface Ethernet0/3
no ip address
shutdown
half-duplex
ip default-gateway 10.10.0.1
no ip http server
no ip http secure-server
control-plane
banner motd c
==============================================================================
BAKHTER BANK
==============================================================================
c
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
end
version 12.4
no service password-encryption
hostname WAN-RTR
boot-start-marker
boot-end-marker
aaa new-model
resource policy
memory-size iomem 5
ip tcp synwait-time 5
ip cef
no ip domain lookup
authentication pre-share
set transform-set 1
interface Ethernet0/0
description ###TO-ISP-RTR###
ip nat outside
ip virtual-reassembly
half-duplex
interface Ethernet0/1
description ###TO-WAN-SW###
ip nat inside
ip virtual-reassembly
half-duplex
interface Ethernet0/2
description ###TO-ASA-Appliance###
ip nat inside
ip virtual-reassembly
half-duplex
interface Ethernet0/3
no ip address
shutdown
half-duplex
no auto-summary
no ip http server
no ip http secure-server
control-plane
banner motd c
==============================================================================
BAKHTER BANK
==============================================================================
c
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
end
Building configuration...
version 12.4
no service password-encryption
hostname ISP-RTR
boot-start-marker
boot-end-marker
aaa new-model
resource policy
memory-size iomem 5
ip tcp synwait-time 5
ip cef
no ip domain lookup
interface Loopback1
interface Loopback2
interface Ethernet0/0
no ip address
shutdown
half-duplex
interface Ethernet0/1
half-duplex
interface Ethernet0/2
no ip address
shutdown
half-duplex
interface Ethernet0/3
no ip address
shutdown
half-duplex
no ip http server
no ip http secure-server
control-plane
banner motd c
==============================================================================
BAKHTER BANK
==============================================================================
c
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
end
hostname ASA-Appliance
names
interface Ethernet0/0
description ###To-WAN-RTR###
nameif Outside
security-level 0
interface Ethernet0/1
description ###TO-FAIL-OVER-SW###
nameif Inside
security-level 100
interface Ethernet0/2
description ###To-DC-DMZ-SW###
nameif DMZ
security-level 50
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
banner exec ==============================================================================
banner exec WARNING: Unauthorized access to this system is forbidden and will be
banner exec prosecuted by law. By accessing this system, you agree that your
banner exec
banner exec ==============================================================================
pager lines 24
no failover
no auto-summary
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
class-map inspection_default
match default-inspection-traffic
parameters
policy-map global_policy
class inspection_default
inspect ftp
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
Cryptochecksum:8f6735d8d945b7160faa2ff343220d06
: end
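The ASA-Appliance configuration above defines three interfaces with security levels but no access policy, so it passes traffic purely on the level ordering (Inside to anywhere, DMZ to Outside, nothing inbound). The following is an added example of the policy such a bank perimeter needs, not the thesis's own configuration: every address is an assumption (Outside 203.0.113.10/29 toward WAN-RTR, Inside 10.1.1.0/24 with the CBS server at 10.1.1.10, DMZ 172.16.0.0/24 with the Email-SRV at 172.16.0.25, branch LANs aggregated as 10.10.0.0/16), as is the CBS port 8443, and angle-bracket values are placeholders.

```cisco
! Added example: access policy and management restrictions for ASA-Appliance.
! All addresses, the CBS port and the account name are assumptions.
!
interface Ethernet0/0
 description ###To-WAN-RTR###
 nameif Outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248
!
interface Ethernet0/1
 description ###TO-FAIL-OVER-SW###
 nameif Inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/2
 description ###To-DC-DMZ-SW###
 nameif DMZ
 security-level 50
 ip address 172.16.0.1 255.255.255.0
!
! Outside -> Inside/DMZ. Branch CBS traffic was decrypted by WAN-RTR,
! so the firewall sees it as plain TCP and can restrict it to one server
! and one port. Everything else inbound is dropped and logged.
access-list OUTSIDE-IN extended permit tcp 10.10.0.0 255.255.0.0 host 10.1.1.10 eq 8443
access-list OUTSIDE-IN extended permit tcp any host 172.16.0.25 eq smtp
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface Outside
!
! DMZ -> elsewhere. Applying an ACL replaces the implicit level-based
! rule, so the "no DMZ to LAN" line must be explicit. A compromised mail
! server may send mail and resolve names, nothing more.
access-list DMZ-IN extended deny ip any 10.0.0.0 255.0.0.0 log
access-list DMZ-IN extended permit tcp host 172.16.0.25 any eq smtp
access-list DMZ-IN extended permit udp host 172.16.0.25 any eq domain
access-list DMZ-IN extended deny ip any any log
access-group DMZ-IN in interface DMZ
!
! Management: SSH v2 only, from the inside admin subnet, local accounts
username fwadmin password <strong-password> privilege 15
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
ssh 10.1.1.0 255.255.255.0 Inside
ssh version 2
!
logging enable
logging buffered informational
logging trap informational
logging host Inside 10.1.1.50
```

show access-list OUTSIDE-IN shows a hit count per line; a rising count on the final deny is the first sign of scanning against the perimeter. The page's configuration also has "no failover" while Ethernet0/1 is labelled as a fail-over switch link: if a second unit is intended, the failover pair must be configured explicitly, or that link protects nothing.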
version 12.4
no service password-encryption
hostname Email-SRV
boot-start-marker
boot-end-marker
aaa new-model
resource policy
memory-size iomem 5
ip cef
interface Ethernet0/0
half-duplex
interface Ethernet0/1
no ip address
shutdown
half-duplex
interface Ethernet0/2
no ip address
shutdown
half-duplex
interface Ethernet0/3
no ip address
shutdown
half-duplex
ip default-gateway 172.16.0.1
no ip http server
no ip http secure-server
control-plane
banner motd c
==============================================================================
BAKHTER BANK
==============================================================================
c
line con 0
line aux 0
line vty 0 4
end
GNS3
GNS3 is an open source (GNU GPL) software package that simulates complex networks while staying as close
as possible to the way real networks behave, all without dedicated network hardware such as routers and
switches.
GNS3 provides an intuitive graphical user interface to design and configure virtual networks; it runs on ordinary
PC hardware and may be used on multiple operating systems, including Windows, Linux and Mac OS X.
In order to provide complete and accurate simulations, GNS3 uses the following emulators to run the very
same operating systems as in real networks:
GNS3 is an excellent alternative or complementary tool to real labs for network engineers, administrators and
people studying for certifications such as Cisco CCNA, CCNP and CCIE as well as Juniper JNCIA, JNCIS and
JNCIE.
It can also be used to experiment with features or to check configurations that need to be deployed later on real devices.
GNS3 also includes other features such as connecting the virtual network to real ones and capturing packets with
Wireshark. Finally, thanks to VirtualBox support, system administrators and engineers can use GNS3 to build
labs and test network features.
References
Books
Nurul I. Sarkar (Auckland University of Technology, New Zealand), Tools for Teaching Computer
Networking and Hardware Concepts, 7th edition, Information Science Publishing (an imprint of Idea
Group Inc.), USA, 2006.
Websites
http://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-routing-protocol-eigrp/16406-eigrp-toc.html
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ft_glbp.html
http://www.cisco.com/c/en/us/td/docs/security/pix/pix72/quick/guide/dmz_p.html
http://docwiki.cisco.com/wiki/Internetworking_Technology_Handbook
http://www.cisco.com/c/en/us/products/switches/catalyst-6500-series-switches/index.html
http://www.cisco.com/c/en/us/products/collateral/routers/3900-series-integrated-services-routers-isr/data_sheet_c78_553924.html
http://www.cisco.com/c/en/us/products/switches/catalyst-3750-x-series-switches/index.html
http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/product_data_sheet0900aecd802930c5.html
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/nat_dynamic.html