LSBU MSC Cisco VlanDmvpn Project

Nov 18, 2014

Page 1: LSBU MSC Cisco VlanDmvpn Project

Investigate the features of CISCO 1800 series Routers. Construct VLAN (Virtual LAN) and DMVPN (Dynamic Multipoint VPN) on 1812w Router.

Submitted by Lubna Khan, SID 2525867

Submission Date: 21st October 2008

This report has been submitted for assessment toward a Master of Science degree in the Department of Electrical, Computer & Communications Engineering, London South Bank University.

This report is written in the author’s own words and all sources have been properly cited.

Author’s signature:


Table of Contents

ACKNOWLEDGEMENTS ..... 3
Abstract ..... 4
Aim and Objectives ..... 5
CHAPTER 1: Introduction ..... 6
1.1 CISCO 1800 Series Router ..... 6
1.2 Switching & Routing Functionality ..... 6
1.3 Routing Protocol ..... 7
1.4 VLAN (Virtual Local Area Network) ..... 7
1.5 DMVPN (Dynamic Multipoint Virtual Private Network) ..... 7
CHAPTER 2: Investigation on all the features of CISCO 1800 Series Routers ..... 9
2.1 Cisco 1801, 1802 and 1803 Integrated Services Router ..... 10
2.2 Cisco 1811 & 1812 Integrated Services Router ..... 11
2.3 Cisco 1841 Integrated Services Router ..... 13
2.4 Cisco 1861 Integrated Services Router ..... 14
2.5 Cisco 1805 Integrated Services Router ..... 15
CHAPTER 3: Switching and Routing Functionality ..... 17
3.1 Layer 2 Switching ..... 18
3.2 Layer 3 Routing ..... 20
CHAPTER 4: Routing Protocol ..... 21
4.1 Definition of Routing Protocol ..... 21
4.2 How the Routing Protocol Works ..... 21
4.3 IP Routing Principles ..... 22
4.3.1 Classful Routing ..... 22
4.3.2 Classless Routing ..... 23
4.4 RIP (Routing Information Protocol) ..... 24
4.5 IGRP & EIGRP (Enhanced Interior Gateway Routing Protocol) ..... 26
4.6 IS-IS Protocol: Intermediate System - Intermediate System ..... 28
4.7 SUBNETTING ..... 29
CHAPTER 5: Virtual Local Area Network ..... 31
5.1 Introduction ..... 31
5.1.1 LAN Segmentation ..... 32
5.1.2 Security ..... 33
5.1.3 Broadcast Control ..... 33
5.1.4 Performance ..... 33
5.1.5 Network Management ..... 33
5.2 VLAN Membership ..... 34
5.2.1 Static VLANs ..... 34
5.2.2 Dynamic VLANs ..... 34
5.3 Types of Connections ..... 35
5.3.1 Trunk Link or Trunk Port ..... 35
5.3.2 Access Link or Access Port ..... 35
5.3.3 Hybrid Link ..... 36
5.4 Communicating between VLANs ..... 36
5.4.1 Inter-Switch Link (ISL) protocol ..... 37
5.4.2 IEEE 802.1Q protocol ..... 37
5.5 VLAN Trunking Protocol (VTP) ..... 37
5.6 VTP Modes of Operation ..... 38
5.6.1 Server Mode ..... 38
5.6.2 Client Mode ..... 38
5.6.4 Transparent Mode ..... 38
CHAPTER 6: Dynamic Multipoint VPN ..... 39
6.1 What is NHRP? ..... 39
6.2 What are GRE Tunnels? ..... 40
6.3 Routing with DMVPN ..... 41
6.3.1 Possible routing protocols ..... 41
6.4 DMVPN Phases ..... 42
6.4.1 Hub-and-spoke ..... 42
6.4.2 Spoke-to-spoke: Dynamic spoke-to-spoke tunnels ..... 42
6.5 Sample mGRE and IPsec Integration Topology ..... 43
6.6 IPSec Profiles ..... 43
6.7 Benefits of Dynamic Multipoint VPN (DMVPN) ..... 43
CHAPTER 7: Deliverables ..... 45
7.1 Configuring VLANs on SDM ..... 45
7.2 Configuring DMVPN on CLI ..... 51
CHAPTER 8: Result and Discussion ..... 61
8.1 VLAN Results & Discussion ..... 61
8.2 DMVPN Results & Discussion ..... 64
Conclusion ..... 67
PROJECT PLANNING ..... 68
Initial project planning ..... 68
Final project planning ..... 69
References ..... 70
Appendix ..... 72

ACKNOWLEDGEMENTS

First of all I am cordially thankful to ALMIGHTY ALLAH who enabled me to complete this thesis successfully. I would especially like to thank Dr Tariq Sattar (London South Bank University) for his utmost support, valuable ideas, information and much needed guidance throughout the completion of this thesis.


Abstract

An introduction to VLAN and DMVPN is given at the beginning of this report, covering why such technologies are needed, how they work, what their benefits are, and how VLAN (Virtual Local Area Network) provides security to LAN networks and DMVPN (Dynamic Multipoint Virtual Private Network) to WAN networks.

The workflow for deploying VLAN and DMVPN includes the network design (topology), physical connectivity (layer 1), logical connectivity (layers 2 and 3), and configuration using IOS Version 12.4 (layer 4 and above). The final phase tests the configurations, using different network monitoring commands for DMVPN (all in Command Line Interface (CLI) mode) and different parameters in SDM (Security Device Manager) for VLAN. The technologies in this project are based on NHRP (Next Hop Resolution Protocol), mGRE (multipoint Generic Routing Encapsulation) tunnels, hub-and-spoke and spoke-to-spoke tunnels, and VTP (VLAN Trunking Protocol). VTP is specially emphasized in the VLAN section.

Physical implementation results for the above-mentioned technologies have been obtained, and they show that these technologies have a significant impact on network security.


Aim and Objectives

The aim of this project is to deploy the latest network security technologies on existing LAN and WAN networks.

Objectives

Following are the key objectives behind the study:

• To discuss the features of all the Cisco 1800 series routers. The reason for using this specific series of routers is their availability in the lab.
• To briefly define the switching and routing functionality, including routing protocols.
• A detailed discussion of VLAN (Virtual LAN) and DMVPN (Dynamic Multipoint VPN), which are implemented to provide network security to the Layer 2 and Layer 3 network respectively.
• Implementation of the above-mentioned technologies to observe the results and discuss their significant features.


CHAPTER 1: Introduction

1.1 CISCO 1800 Series Router

The 1800 series is ideal for network locations that require secure data and voice communication using up to broadband or T1/E1 connections. Every 1800 series model is designed from the ground up to include comprehensive security features. Each model comes with an encryption chip on the motherboard that lets us build secure VPN tunnels for site-to-site and remote-user connections. [18]

In addition, the 1800 series also offers a stateful firewall, intrusion prevention, Network Admission Control and URL filtering to protect and secure the network. The 1800 family comes in a desktop form factor with both fixed and modular configuration models. [18]

The Cisco 1812 router used in this project provides high-speed broadband or Ethernet access through two 10/100BASE-T Fast Ethernet WAN ports and also provides integrated WAN backup through an ISDN S/T BRI interface. The Cisco 1812 routers are focused on Ethernet access and are designed to be offered as customer premises equipment (CPE) in Metro Ethernet deployments. The eight-port switch is sufficient for connecting multiple devices, and the optional PoE capability can supply power to IP telephones or other devices. [15]

1.2 Switching & Routing Functionality

A Layer 2 switch performs essentially the same function as a transparent bridge. However, a switch can have many ports and can perform hardware-based bridging. Frames are forwarded using specialized hardware, called application-specific integrated circuits (ASIC). This hardware gives switching great scalability, with wire-speed performance, low latency, low cost, and high port density. [7]

Layer 2 switching is used primarily for workgroup connectivity and network segmentation. We can contain traffic between users and servers in a workgroup within the switch. In addition, the number of stations on a network segment can be reduced with a switch, minimizing the collision domain size. [7]


1.3 Routing Protocol

In simple terms, a protocol is an agreed-upon set of rules that determines how something will operate. A routing protocol is a set of rules that describes how Layer 3 routing devices send updates to each other about the available networks. If more than one path to the remote network exists, the protocol also determines how the best path or route is selected. [8]

Routed protocol and routing protocol: a routed protocol is one that defines a packet structure and logical addressing, allowing routers to forward, or route, its packets. Routers forward, or route, packets of routed protocols; packets of non-routable protocols cannot be routed. [26]

Even though routing protocols such as RIP are different from routed protocols such as IP, they work together very closely. The routing process forwards IP packets toward their destination address; if no route to the destination address is known, the router discards the packet. Routers need routing protocols so that they can learn all the possible routes and add them to the routing table, so that the routing process can forward routable protocols such as IP. [26]

1.4 VLAN (Virtual Local Area Network)

A Local Area Network is defined as a single broadcast domain. A single broadcast domain means that if a user broadcasts information on his/her LAN, the broadcast will be received by every other user on the LAN. Broadcasts are prevented from leaving a LAN by using a router, because a switch forwards broadcasts but a router does not. The disadvantage of this method is that routers usually take more time to process incoming data compared to a bridge or a switch, and using a router just to control LAN broadcasts is of course costly as well.

As an alternative solution, Virtual Local Area Networks (VLANs) were developed to control broadcast traffic in LAN networks. VLANs are implemented not only to control broadcasts but also to provide security, flexibility and segmentation. Routers in VLAN topologies provide broadcast filtering, security, address summarization, and traffic flow management.

1.5 DMVPN (Dynamic Multipoint Virtual Private Network)

DMVPN stands for Dynamic Multipoint VPN and it is an effective solution for dynamic secure overlay networks. In short, DMVPN is a combination of the following technologies:

• NHRP (Next Hop Resolution Protocol)
• GRE (Generic Routing Encapsulation)


NHRP (Next Hop Resolution Protocol)

Next Hop Resolution Protocol (NHRP) is used by a source station (host or router) connected to a Non-Broadcast, Multi-Access (NBMA) subnetwork to determine the internetworking layer address and NBMA subnetwork addresses of the "NBMA next hop" towards a destination station. If the destination is connected to the NBMA subnetwork, then the NBMA next hop is the destination station itself. Otherwise, the NBMA next hop is the egress router from the NBMA subnetwork that is "nearest" to the destination station. NHRP is intended for use in a multiprotocol internetworking layer environment over NBMA subnetworks. [27]
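The NHRP exchanges described above, as an added example that is not code from the report: spokes register their tunnel-to-NBMA mapping with the hub (the Next Hop Server), and a spoke that wants to reach another spoke resolves that spoke's NBMA address so a direct spoke-to-spoke path can be used. All addresses are constructed (10.0.0.0/24 as the mGRE tunnel subnet, 203.0.113.0/24 as the public NBMA addresses), and having the hub answer resolution requests from its own cache is a simplification of the real protocol, where the request is forwarded to the target spoke.

```python
"""Simplified NHRP registration and resolution model for a DMVPN hub and spokes.
Added example, not from the report; addresses are constructed sample values."""
from dataclasses import dataclass


@dataclass
class NhrpMessage:
    kind: str           # registration / resolution_request / *_reply / resolution_error
    tunnel_ip: str      # overlay (tunnel) address the message is about
    nbma_ip: str = ""   # underlay (NBMA, i.e. public) address, when known


class Hub:
    """Next Hop Server: learns tunnel-IP -> NBMA-IP mappings from spoke registrations."""

    def __init__(self, tunnel_ip, nbma_ip):
        self.tunnel_ip, self.nbma_ip = tunnel_ip, nbma_ip
        self.cache = {}     # tunnel_ip -> nbma_ip
        self.log = []       # every NHRP message the hub received, for inspection

    def handle(self, msg):
        self.log.append(f"hub <- {msg.kind} {msg.tunnel_ip} {msg.nbma_ip}".rstrip())
        if msg.kind == "registration":
            # In a real deployment this arrives inside the IPsec-protected tunnel and
            # must carry the configured NHRP authentication string before it is accepted.
            self.cache[msg.tunnel_ip] = msg.nbma_ip
            return NhrpMessage("registration_reply", msg.tunnel_ip, msg.nbma_ip)
        if msg.kind == "resolution_request":
            nbma = self.cache.get(msg.tunnel_ip)
            if nbma is None:
                return NhrpMessage("resolution_error", msg.tunnel_ip)
            return NhrpMessage("resolution_reply", msg.tunnel_ip, nbma)
        raise ValueError(f"unexpected NHRP message {msg.kind}")


class Spoke:
    def __init__(self, tunnel_ip, nbma_ip, hub):
        self.tunnel_ip, self.nbma_ip, self.hub = tunnel_ip, nbma_ip, hub
        # Only the hub's mapping is configured statically (the NHS); everything
        # else in the cache is learned dynamically through NHRP.
        self.cache = {hub.tunnel_ip: hub.nbma_ip}

    def register(self):
        reply = self.hub.handle(NhrpMessage("registration", self.tunnel_ip, self.nbma_ip))
        return reply.kind == "registration_reply"

    def next_hop_for(self, dst_tunnel_ip):
        """NBMA address the GRE packet for dst_tunnel_ip is sent to.

        An unknown destination is sent via the hub while a resolution request is
        issued; once the reply arrives, the spoke-to-spoke mapping is cached and used.
        """
        if dst_tunnel_ip in self.cache:
            return self.cache[dst_tunnel_ip]
        reply = self.hub.handle(NhrpMessage("resolution_request", dst_tunnel_ip))
        if reply.kind == "resolution_reply":
            self.cache[dst_tunnel_ip] = reply.nbma_ip
        # The first packet (or every packet, if resolution failed) still goes via the hub.
        return self.hub.nbma_ip


def demo():
    """Constructed topology: one hub, two registered spokes, one unknown destination."""
    hub = Hub("10.0.0.1", "203.0.113.1")
    spoke_a = Spoke("10.0.0.2", "203.0.113.2", hub)
    spoke_b = Spoke("10.0.0.3", "203.0.113.3", hub)
    assert spoke_a.register() and spoke_b.register()
    return {
        "a_to_b_first": spoke_a.next_hop_for("10.0.0.3"),   # via hub, triggers resolution
        "a_to_b_next": spoke_a.next_hop_for("10.0.0.3"),    # direct spoke-to-spoke
        "a_to_unknown": spoke_a.next_hop_for("10.0.0.9"),   # never registered: stays via hub
        "hub_cache": dict(hub.cache),
        "hub_log": list(hub.log),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```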

GRE (Generic Routing Encapsulation)

Generic Routing Encapsulation (GRE) is a tunneling protocol designed to encapsulate a wide variety of network layer packets inside IP tunneling packets. The original packet is the payload for the final packet. The protocol is used on the Internet to build virtual private networks; GRE itself provides no encryption, so in DMVPN the tunnel traffic is protected by IPsec (see the mGRE and IPsec integration in Chapter 6).

GRE was developed by Cisco and was designed to be stateless; the tunnel end-points do not monitor the state or availability of other tunnel end-points. This feature helps service providers support IP tunnels for clients, who won't know the service provider's internal tunneling architecture; and it gives clients the flexibility of reconfiguring their IP architectures without worrying about connectivity. GRE creates a virtual point-to-point link with routers at remote points on an IP internetwork. [28]


CHAPTER 2: Investigation on all the features of CISCO 1800 Series Routers

The Cisco 1800 series comprises eight different router models:

1. Cisco 1861 Integrated Services Router
2. Cisco 1841 Integrated Services Router
3. Cisco 1812 Integrated Services Router
4. Cisco 1811 Integrated Services Router
5. Cisco 1801 Integrated Services Router
6. Cisco 1802 Integrated Services Router
7. Cisco 1803 Integrated Services Router
8. Cisco 1805 Integrated Services Router

The Cisco 1800 series is ideal for small to medium-sized businesses and small branch offices and provides WAN and LAN data connectivity, comprehensive security, wireless integration and, with the Cisco 1861, support for unified communications solutions. [18]

The 1800 family is also ideal for network locations that require secure data and voice communication using up to broadband or T1/E1 connections. This family comes in a desktop form factor with both fixed and modular configuration models. The fixed configuration models offer built-in DSL and Ethernet WAN ports combined with ISDN BRI or V.92 dial modem backup interfaces. [18]


2.1 Cisco 1801, 1802 and 1803 Integrated Services Router

The Cisco 1801 Integrated Services Router, shown in Figure 1.1, has similar functionality to the 1802 and 1803 Integrated Services Routers. The only difference among them is the DSL variant: the Cisco 1801, 1802, and 1803 routers provide high-speed DSL broadband access through asymmetric DSL (ADSL) over basic telephone service (Cisco 1801), ADSL over ISDN (Cisco 1802), or Symmetrical High-Data-Rate DSL (G.SHDSL) (Cisco 1803), while helping to ensure reliable networking with integrated ISDN S/T BRI backup. The Cisco 1801, 1802, and 1803 routers combine the cost benefits of DSL service with the advanced routing capability required for business use of the Internet.

The Cisco 1801, 1802 & 1803 Integrated Services Routers provide similar features, as follows:

• Secure broadband access with concurrent services for branch and small offices.
• Integrated ISDN Basic Rate Interface (BRI), or Ethernet backup port for redundant WAN links.
• LAN switching with optional inline PoE.
• Secure wireless LAN for simultaneous 802.11a and 802.11b/g operation with use of multiple antennas.
• Advanced security including:
  o Stateful Inspection Firewall
  o IP Security (IPSec) VPNs (Triple Data Encryption Standard [3DES] or Advanced Encryption Standard [AES])
  o Dynamic Multipoint VPN (DMVPN) and Easy VPN
  o Intrusion Prevention System (IPS)
  o Antivirus support through Network Admission Control (NAC) and enforcement of secure access policies. [12]


Figure 1.1 Cisco 1801 Integrated Services Router [12]

Feature | Cisco 1801 | Cisco 1802 | Cisco 1803
DSL WAN Port | ADSL over POTS | ADSL over ISDN | G.SHDSL (4-wire)
10/100 FE WAN Ports | 1 | 1 | 1
DOCSIS 2.0 | No | No | No
Managed Switch Ports | 8 | 8 | 8
ISDN BRI Dial Backup | Yes | Yes | Yes
V.92 Analog Modem Dial Backup | - | - | -
USB 2.0 Ports | 0 | 0 | 0
802.11a/b/g Wireless Model | Yes | Yes | Yes
Auxiliary and Console Ports | Yes | Yes | Yes

Table 1.1 Features Summary of Cisco 1801, 1802 & 1803 Routers [13]

2.2 Cisco 1811 & 1812 Integrated Services Router

The Cisco 1812 Integrated Services Router as shown in Figure 1.2 provides:

• Secure broadband access with concurrent services for branch and small offices
• Integrated ISDN Basic Rate Interface (BRI), analog modem, or Ethernet backup port for redundant WAN links and load balancing
• LAN switching with optional inline PoE
• Secure wireless LAN for simultaneous 802.11a and 802.11b/g operation with use of multiple antennas
• Advanced security including:
  o Stateful Inspection Firewall
  o IP Security (IPSec) VPNs (Triple Data Encryption Standard [3DES] or Advanced Encryption Standard [AES])
  o Dynamic Multipoint VPN (DMVPN) and Easy VPN
  o Intrusion Prevention System (IPS)
  o Antivirus support through Network Admission Control (NAC) and enforcement of secure access policies

The Cisco 1811 and 1812 provide high-speed broadband or Ethernet access through two 10/100BASE-T Fast Ethernet WAN ports and also provide integrated WAN backup through a V.92 analog modem (Cisco 1811) or ISDN S/T BRI interface (Cisco 1812). The Cisco 1811 and 1812 routers are focused on Ethernet access and are designed to be offered as customer premises equipment (CPE) in Metro Ethernet deployments. The eight-port switch is sufficient for connecting multiple devices, and the optional PoE capability can supply power to IP telephones or other devices. [15]

Figure 1.2 Cisco 1811 Integrated Services Router [15]

Feature | Cisco 1811 | Cisco 1812
DSL WAN Port | - | -
10/100 FE WAN Ports | 2 | 2
DOCSIS 2.0 | No | No
Managed Switch Ports | 8 | 8
ISDN BRI Dial Backup | - | Yes
V.92 Analog Modem Dial Backup | Yes | -
USB 2.0 Ports | 2 | 2
802.11a/b/g Wireless Model | Yes | Yes
Auxiliary and Console Ports | Yes | Yes

Table 1.2 Features Summary of Cisco 1811, 1812 Routers [13]


2.3 Cisco 1841 Integrated Services Router

The Cisco 1841 Integrated Services Router is part of the Cisco 1800 Integrated Services Router Series which complements the Integrated Services Router Portfolio.

The Cisco 1841 Integrated Services Router as shown in Figure 1.3 provides the following support:

• Wire-speed performance for concurrent services at T1/E1 WAN rates
• Enhanced investment protection through increased performance and modularity
• Increased density through High-Speed WAN Interface Card slots (two)
• Support for over 90 existing and new modules
• Support for the majority of existing WICs, VWICs, and VICs (data mode only)
• Two integrated 10/100 Fast Ethernet ports
• Security:
  o On-board encryption
  o Support of up to 800 VPN tunnels with the AIM module
  o Antivirus defense support through Network Admission Control (NAC)
  o Intrusion Prevention as well as stateful Cisco IOS Firewall support, and many more essential security features. [16]

Figure 1.3 Cisco 1841 Integrated Services Router [16]


2.4 Cisco 1861 Integrated Services Router

This new platform delivers unified communications solutions to small and medium-sized businesses and small branch offices, enabling anytime, anywhere secure access to information.

Through integration of voice gateway, call processing, voicemail, automated attendant, conferencing, transcoding, and security capabilities, the 1861 Integrated Services Router as shown in Figure 1.4, delivers a complete unified communications solution. Powered by the Cisco IOS Software, the Cisco 1861 supports a wide range of connectivity options through a modular High-Speed WAN Interface Card (HWIC) Slot. In addition, it supports advanced routing and security services.

Key Features:

• Integrated Cisco Unified Communications Manager Express or Cisco Unified Survivable Remote Site Telephony for call processing
• Cisco Unity Express for voice messaging and automated attendant
• Integrated LAN switching with Power over Ethernet (PoE), expandable through Cisco Catalyst switches
• Support for a range of HWICs
• Built-in hardware encryption enabled through an optional security image
• Innovative security services, including Secure Sockets Layer, Network Admission Control, Group Encrypted Transport Virtual Private Networks, and Inline Intrusion Prevention System [17]

Figure 1.4 Cisco 1861 Integrated Services Router [17]


2.5 Cisco 1805 Integrated Services Router

The Cisco 1805 is the latest addition to the Cisco integrated services router portfolio, which delivers multiple services, including feature-rich Cisco IOS Software routing, LAN switching, and advanced security with secure cable WAN access technology.

The Cisco 1805 Integrated Services Router as shown in Figure 1.5 provides:

• Integrated cable modem based on DOCSIS 2.0
• Metro Ethernet Forum (MEF): MEF9, MEF14 certified
• Built-in encryption hardware with Triple Data Encryption Standard (3DES) capability, and Advanced Encryption Standard (AES) encryption support
• Integrated, dual high-speed Fast Ethernet ports that you can use for LAN or WAN connectivity
• Four-port 10/100 Ethernet switch, fully manageable with IEEE 802.1Q VLAN support
• Auxiliary port for analog dial backup, or out-of-band management
• Console port transmit and receive rates up to 115.2 kbps
• Advanced routing protocols
• Cisco IOS Software Stateful Firewall with Context-Based Access Control, application-aware and zone-based
• Advanced QoS and bandwidth management
• Inter-VLAN routing. [13]

Figure 1.5 Cisco 1805 Integrated Services Router [13]


Feature | Cisco 1805-D | Cisco 1805-EJ | Cisco 1805-D/K9
DOCSIS 2.0-based cable interface | HWIC-CABLE-D-2 | HWIC-CABLE-E/J-2 | HWIC-CABLE-D-2
Two onboard Fast Ethernet WAN ports for WAN backup or for LAN connectivity | Yes | Yes | Yes
Four-port managed switch | Yes | Yes | Yes
Onboard hardware-based IP Security (IPsec) encryption | Yes | Yes | Yes
DRAM | 128 MB | 128 MB | 192 MB
Flash memory | 64 MB | 64 MB | 64 MB
Software image | Cisco IOS IP Base | Cisco IOS IP Base | Cisco IOS Advanced IP Services

Table 1.3 Features Summary of Cisco 1805 Routers [13]


CHAPTER 3: Switching and Routing Functionality

The standard reference model for communication between two end users is Open Systems Interconnection (OSI). The model is used in developing products and understanding networks.

Each layer has a specific function and a specific protocol so that two devices can exchange data on the same layer. A protocol data unit (PDU) is the generic name for a block of data that a layer on one device exchanges with the same layer on a peer device. [4]

OSI Layer | Protocol Data Unit | Mechanism to Process PDU
7 (application) | |
6 (presentation) | |
5 (session) | |
4 (transport) | TCP Segment | TCP Port
3 (network) | Packet | Router
2 (data link) | Frame | Switch/Bridge
1 (physical) | |

Table 3.1 OSI Model

In the above table, Layers 2, 3, and 4 are the data link, network, and transport layers respectively, with the PDUs frame, packet, and TCP segment. When a TCP segment (Layer 4) needs to be transmitted to another station, the TCP segment is encapsulated in a packet (Layer 3), which is further encapsulated in a frame (Layer 2). The receiving station de-encapsulates Layers 2 and 3 before processing the original TCP segment.
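The encapsulation just described, carried out byte by byte as an added example (not code from the report): a TCP segment is wrapped in an IPv4 packet, the packet in an Ethernet frame carrying an 802.1Q VLAN tag as it would on a trunk link, and the receiver de-encapsulates in the reverse order, rejecting a frame whose IPv4 header checksum fails. MAC and IP addresses, ports and the VLAN id are constructed sample values.

```python
"""Layer 4 -> Layer 3 -> Layer 2 encapsulation and de-encapsulation.
Added example, not from the report; all addresses are constructed sample values."""
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def ip_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (the IPv4 header checksum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def build_tcp_segment(src_port, dst_port, payload):
    # Minimal 20-byte TCP header: seq/ack 0, data offset 5 words, flags PSH+ACK,
    # window 8192; the TCP checksum is not the point here and is left at 0.
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18,
                         8192, 0, 0)
    return header + payload


def build_ip_packet(src_ip, dst_ip, segment):
    # IPv4 header: version 4 / IHL 5 (0x45), TTL 64, protocol 6 (TCP).
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0, 0, 64,
                         IPPROTO_TCP, 0, ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    checksum = ip_checksum(header)            # computed with the checksum field zeroed
    return header[:10] + struct.pack("!H", checksum) + header[12:] + segment


def build_frame(src_mac, dst_mac, vlan_id, packet):
    # Ethernet header with an 802.1Q tag, as carried on a VLAN trunk link:
    # TPID 0x8100, then PCP/DEI/VID (the VID is the low 12 bits), then the real EtherType.
    tag = struct.pack("!HH", ETHERTYPE_8021Q, vlan_id & 0x0FFF)
    return (mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + tag
            + struct.pack("!H", ETHERTYPE_IPV4) + packet)


def parse_frame(frame):
    """De-encapsulate Layer 2, then Layer 3, then Layer 4, validating as we go."""
    dst_mac, src_mac = frame[0:6], frame[6:12]
    tpid, tci, ethertype = struct.unpack("!HHH", frame[12:18])
    if tpid != ETHERTYPE_8021Q or ethertype != ETHERTYPE_IPV4:
        raise ValueError("expected an 802.1Q-tagged IPv4 frame")
    packet = frame[18:]
    ihl = (packet[0] & 0x0F) * 4
    if ip_checksum(packet[:ihl]) != 0:         # a valid header sums to zero
        raise ValueError("bad IPv4 header checksum")
    total_len, = struct.unpack("!H", packet[2:4])
    if packet[9] != IPPROTO_TCP:
        raise ValueError("not a TCP packet")
    segment = packet[ihl:total_len]
    src_port, dst_port = struct.unpack("!HH", segment[:4])
    data_offset = (segment[12] >> 4) * 4
    return {
        "vlan": tci & 0x0FFF,
        "src_mac": ":".join("%02x" % b for b in src_mac),
        "dst_mac": ":".join("%02x" % b for b in dst_mac),
        "src_ip": ".".join(str(b) for b in packet[12:16]),
        "dst_ip": ".".join(str(b) for b in packet[16:20]),
        "src_port": src_port, "dst_port": dst_port,
        "payload": segment[data_offset:],
    }


def round_trip():
    """Constructed sample: a host in VLAN 10 sending an HTTP request across a trunk."""
    segment = build_tcp_segment(40000, 80, b"GET / HTTP/1.0\r\n\r\n")
    packet = build_ip_packet("192.168.10.5", "192.168.20.7", segment)
    frame = build_frame("00:1a:2b:3c:4d:5e", "00:aa:bb:cc:dd:ee", 10, packet)
    return parse_frame(frame)


if __name__ == "__main__":
    for field, value in round_trip().items():
        print("%-9s %s" % (field, value))
```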

The layered protocols also apply to networking devices. For example, a Layer 2 device transfers data by looking at the Layer 2 PDU header information. Upper-layer protocols are not looked at or even understood. [4]

Figure 3.2 shows how two devices can exchange data on the same layer.

Figure 3.2 [2]

3.1 Layer 2 Switching

Devices that forward frames at Layer 2 perform the following functions:

• MAC addresses are learned from the incoming frames’ source addresses.
• A table of MAC addresses and their associated bridge and switch ports is built and maintained.
• Broadcast and multicast frames are flooded out to all ports (except the one that received the frame).
• Frames destined for unknown locations are flooded out to all ports (except the one that received the frame).
• Bridges and switches communicate with each other using the Spanning Tree Protocol to eliminate bridging loops. [4]
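A learning-switch simulation, added here as an example that is not code from the report, covering the Layer 2 functions listed above (source-MAC learning, forwarding of known unicast, flooding of broadcast, multicast and unknown-unicast frames) and the point made in Section 1.4 that VLANs split one switch into several broadcast domains: the MAC table and the flooding are scoped to the ingress port's VLAN. Spanning Tree is out of scope. Port numbers, VLAN ids and MAC addresses are constructed sample values.

```python
"""Learning switch with per-VLAN MAC table and VLAN-scoped flooding.
Added example, not from the report; ports, VLANs and MACs are constructed."""
from collections import namedtuple

Frame = namedtuple("Frame", "src dst")       # only the Layer 2 addresses matter here
BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_multicast(mac):
    """Group bit: least significant bit of the first octet of the destination."""
    return bool(int(mac.split(":")[0], 16) & 0x01)


class Switch:
    def __init__(self, port_vlans):
        self.port_vlans = dict(port_vlans)   # access port -> VLAN id
        self.mac_table = {}                  # (vlan, mac) -> port

    def _flood_ports(self, vlan, in_port):
        # Flood within the same VLAN only, and never back out of the ingress port.
        return sorted(p for p, v in self.port_vlans.items()
                      if v == vlan and p != in_port)

    def receive(self, in_port, frame):
        """Return the list of egress ports for a frame arriving on in_port."""
        vlan = self.port_vlans[in_port]
        # 1. Learn: the source address is behind the ingress port, in this VLAN.
        self.mac_table[(vlan, frame.src)] = in_port
        # 2. Broadcast and multicast are flooded inside the VLAN.
        if frame.dst == BROADCAST or is_multicast(frame.dst):
            return self._flood_ports(vlan, in_port)
        # 3. Unknown unicast is flooded too; once learned, unicast is forwarded
        #    to the one port, or dropped if that port is the ingress port.
        out_port = self.mac_table.get((vlan, frame.dst))
        if out_port is None:
            return self._flood_ports(vlan, in_port)
        return [] if out_port == in_port else [out_port]


def demo():
    """Constructed topology: ports 1-3 in VLAN 10, ports 4-5 in VLAN 20."""
    sw = Switch({1: 10, 2: 10, 3: 10, 4: 20, 5: 20})
    flat = Switch({p: 1 for p in range(1, 6)})        # same ports, one broadcast domain
    a, b, c = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"
    return {
        "a_broadcast": sw.receive(1, Frame(a, BROADCAST)),       # floods VLAN 10 only
        "a_to_b_unknown": sw.receive(1, Frame(a, b)),            # b not yet learned: flood
        "b_to_a_known": sw.receive(2, Frame(b, a)),              # a was learned on port 1
        "a_to_b_known": sw.receive(1, Frame(a, b)),              # b now learned on port 2
        "b_multicast": sw.receive(2, Frame(b, "01:00:5e:00:00:01")),
        "c_to_a_other_vlan": sw.receive(4, Frame(c, a)),         # a is unknown in VLAN 20
        "flat_broadcast": flat.receive(1, Frame(a, BROADCAST)),  # without VLANs: every port
        "mac_table": dict(sw.mac_table),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-18s %s" % (key, value))
```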

Figure 3.3, Layer 2 switch with External Router for Inter-VLAN traffic and connecting to the Internet [5]

Layer 2 switching provides the following:

• Hardware-based bridging (MAC)
• Wire speed
• High speed
• Low latency
• Low cost

Layer 2 Switches (Multiport Bridges)

Bridges offer a frame forwarding service based on the physical addresses that are available as part of Layer 2 (i.e., the MAC address of the destination) as well as performing the signal regeneration functions of a repeater. A bridge monitors the traffic to learn which addresses exist on which ports and then builds a table of forwarding rules to control the switching process. Bridges must also identify and eliminate potential data loops (using the spanning tree algorithm). A Layer 2 Switch functions as a multiport bridge. An internetwork built entirely out of Layer 2 Switches appears as a single large network with a “flat” address space. Layer 2 Switched networks have limited flexibility and scalability. [6]

As long as Layer 2 frames are being switched between two Layer 1 interfaces of the same media type, such as two Ethernet connections or an Ethernet connection and a Fast Ethernet connection, the frames do not have to be modified. However, if the two interfaces are different media, such as Ethernet and Token Ring or Ethernet and Fiber Distributed Data Interface (FDDI), the Layer 2 switch must translate the frame contents before sending out the Layer 1 interface. [4]

One drawback to Layer 2 switching is that it cannot be scaled effectively. Switches must forward broadcast frames to all ports, causing large switched networks to become large broadcast domains. In addition, Spanning Tree Protocol (STP) can have a slow convergence time when the switch topology changes. STP also can block certain switch ports, preventing data transfer. [4] Layer 2 switching alone cannot provide an effective, scalable network design.

3.2 Layer 3 Routing

Devices involved in Layer 3 routing perform the following functions:

• Packets are forwarded between networks based on Layer 3 addresses.
• An optimal path is determined for a packet to take through a network to the next router.
• Packet forwarding involves a table lookup of the destination network, the next-hop router address, and the router’s own outbound interface.
• An optimal path can be chosen from among many possibilities.
• Routers communicate with each other using routing protocols. [4]

By nature, routers do not forward broadcast packets and forward only multicast packets to segments with multicast clients. This action provides control over broadcast propagation and offers network segmentation into areas of common Layer 3 addressing.


When an IP packet is to be forwarded, a router uses its forwarding table to determine the next hop for the packet's destination (based on the destination IP address in the IP packet header), and forwards the packet appropriately. The next router then repeats this process using its own forwarding table, and so on until the packet reaches its destination. At each stage, the IP address in the packet header is sufficient information to determine the next hop; no additional protocol headers are required. [7]

In addition, a router must examine each packet’s Layer 3 header before making a routing decision. Layer 3 security and control can be implemented on any router interface using the source and destination addresses, protocol, or other Layer 3 attributes to decide whether to limit or forward the packets. Although we can place a router anywhere in a network, the router can become a bottleneck because of the latency of packet examination and processing. [4]

CHAPTER 4: Routing Protocol

4.1 Definition of Routing Protocol

IP Routing is a term for the set of protocols that determine the path that data follows in order to travel across multiple networks from its source to its destination. Data is routed from its source to its destination through a series of routers, and across multiple networks. The IP Routing protocols enable routers to build up a forwarding table that correlates final destinations with next hop addresses. [7]

A protocol is a routed protocol if it contains an explicit network address and enough information is in its network layer address to allow for a router to make an intelligent forwarding decision. Routing is the process by which a packet gets from one network to another. A routing protocol supports a routed protocol by providing a means for propagating routing information. This information includes elements such as the available routes, a cost to the routes, and the next hop address. The routing protocol uses messages between routers that allow for communication with other routers to update and maintain routing tables. It is important to note that routing protocols do not carry end-user traffic from network to network. Routing protocols only build the paths that end-user data uses to travel. [9]

4.2 How the Routing Protocol Works

Participating routers advertise the routes that they know about to their neighbors in routing updates. Routes learned from routing updates are dynamic routes held in the routing table. The routing process is confusing until we realize that there are actually three steps involved in building, maintaining, and using the routing table. These three steps are independent of one another and include the following:

The routing protocol sends the information about the routes or networks within the autonomous system, such as RIPv1, IGRP, and EIGRP, and between autonomous systems with BGP-4.

The routing table receives updates from the routing protocol and provides the forwarding process with information on request.

The forwarding process determines which path to select from the routing table in order to forward a datagram.

4.3 IP Routing Principles

Metrics—the routing protocol uses metrics to calculate which path is the best path to the remote destination network. Multiple IP routing protocols cannot easily share information because their metrics are completely different.

Administrative distance—if more than one routing process is running on the router, the administrative distance is used to select which protocol will update the routing table. This is based on which routing protocol is considered the most reliable source of accurate information.

Prefix length—the forwarding process will use the route where the most number of subnet bits match that of the destination network. It chooses the most specific match, known as the match to the longest prefix length.[8]
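As an added example (not part of the report), the three principles above, metrics, administrative distance and longest prefix match, written out in Python: the administrative distances are the values quoted later in this chapter (RIP 120, IGRP 100, EIGRP summary 5, external EIGRP 170, IS-IS 115), the connected and static values are assumed, and the candidate routes are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass

# Administrative distances quoted in this report: RIP 120, IGRP 100, EIGRP summary 5,
# external EIGRP 170, IS-IS 115. Connected (0) and static (1) are assumed here.
ADMIN_DISTANCE = {
    "connected": 0,
    "static": 1,
    "eigrp_summary": 5,
    "igrp": 100,
    "is-is": 115,
    "rip": 120,
    "eigrp_external": 170,
}


@dataclass(frozen=True)
class Route:
    prefix: str      # destination network in CIDR form, e.g. "192.168.0.0/29"
    next_hop: str    # next-hop router address
    source: str      # routing process that offered the route (key of ADMIN_DISTANCE)
    metric: int      # protocol-specific metric, comparable only within one protocol


def build_routing_table(candidates):
    """Select one route per prefix from the routes offered by all routing processes.

    Lowest administrative distance wins. Two routes from the same process are
    compared by metric. Metrics of different protocols are never compared,
    because (as section 4.3 notes) they mean completely different things.
    """
    table = {}
    for route in candidates:
        current = table.get(route.prefix)
        if current is None:
            table[route.prefix] = route
            continue
        ad_new = ADMIN_DISTANCE[route.source]
        ad_cur = ADMIN_DISTANCE[current.source]
        if ad_new < ad_cur:
            table[route.prefix] = route
        elif route.source == current.source and route.metric < current.metric:
            table[route.prefix] = route
    return table


def forward(table, destination):
    """Forwarding decision: the most specific (longest prefix) route containing the
    destination wins. Returns the chosen Route, or None if nothing matches."""
    dst = ipaddress.ip_address(destination)
    best = None
    best_len = -1
    for prefix, route in table.items():
        net = ipaddress.ip_network(prefix)
        if dst in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


# Constructed sample input: the same /29 offered by RIP and twice by IGRP, a less
# specific /24 from RIP, and a static default route.
SAMPLE_ROUTES = [
    Route("192.168.0.0/29", "10.0.0.1", "rip", 3),
    Route("192.168.0.0/29", "10.0.0.2", "igrp", 8000),
    Route("192.168.0.0/29", "10.0.0.5", "igrp", 7000),
    Route("192.168.0.0/24", "10.0.0.3", "rip", 1),
    Route("0.0.0.0/0", "10.0.0.254", "static", 0),
]

if __name__ == "__main__":
    rt = build_routing_table(SAMPLE_ROUTES)
    for dst in ("192.168.0.5", "192.168.0.100", "8.8.8.8"):
        chosen = forward(rt, dst)
        print(f"{dst:15} -> {chosen.prefix:18} via {chosen.next_hop} ({chosen.source})")
```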

There are two classes of routing:

Classful Routing

Classless Routing

4.3.1 Classful Routing

Classful routing protocols are as follows:

RIPv1

IGRP

Classful routing protocols, such as RIPv1 and IGRP, exchange routes to subnetworks within the same major network. This is possible because all of the subnetworks in the major network have the same routing mask. Network administrators enforce this consistency through administrative controls.

When routers exchange routes with a foreign network (a network with a different network portion), subnetwork information from this network cannot be included, because the routing mask of the other network is not known. As a result, the subnet information from this network must be summarized to a classful boundary using the default routing mask prior to inclusion in the routing update. The creation of a classful summary route at major network boundaries is handled automatically by classful routing protocols. Summarization at other points within the major network address is not allowed by classful routing protocols.

The routing mask cannot be carried within the periodic routing updates. [10]

Classful Routing Example

Figure 4.1 [9]

4.3.2 Classless Routing

Classless routing protocols can be considered second-generation protocols because they are designed to address some of the limitations of the earlier classful protocols.

One of the serious limitations in a classful routing network environment is that the routing mask is not exchanged during the routing update process, requiring the same routing mask to be used on all subnetworks. Classless routing protocols instead include the routing mask with the route advertisement.

Classless routing protocols are:

OSPF

EIGRP

RIPv2

IS-IS

BGP

In the classless environment, the summarization process is controlled manually and usually can be included at any bit position within the network.

Classless routing protocols use triggered updates to learn of topology changes. In order to control routing table content, summary routes may be created. [10]

Classless Routing Example

Fig 4.2 [9]

4.4 RIP (Routing Information Protocol)

RIP-1 is a classful routing protocol, so it does not advertise a subnet mask along with advertised routes. For RIP to determine what the subnet mask of the destination network is, RIP uses the subnet mask of the interface on which the route was received. This is true only if the route received is a member of a directly connected major network. If the route received is not of the same major network, the router tries to match only the major bit boundary of the route, Class A, B, or C. For this reason, it is critical to preserve a consistent bit mask in each major network throughout the entire RIP routing domain. [9]

A distance vector protocol floods reachability information throughout all routers participating in the protocol, so that every router has a routing table containing the complete set of destinations known to the participating routers.

In brief, the RIP protocol works as follows.

• Each router initializes its routing table with a list of locally connected networks.

• Periodically, each router advertises the entire contents of its routing table over all of its RIP-enabled interfaces.

o Whenever a RIP router receives such an advertisement, it puts all of the appropriate routes into its routing table and begins using it to forward packets. This process ensures that every network connected to every router eventually becomes known to all routers.

o If a router does not continue to receive advertisements for a remote route, it eventually times out that route and stops forwarding packets over it. In other words, RIP is a "soft state" protocol.

• Every route has a property called a metric, which indicates the "distance" to the route's destination.

o Every time a router receives a route advertisement, it increments the metric.

o Routers prefer shorter routes to longer routes when deciding which of two versions of a route to program in the routing table.

o The maximum metric permitted by RIP is 16, which means that a route is unreachable. This means that the protocol cannot scale to networks where there may be more than 15 hops to a given destination.

RIP also includes some optimizations of this basic algorithm to improve stabilization of the routing database and to eliminate routing loops. [7]

When a router detects a change to its routing table, it sends an immediate "triggered" update. This speeds up stabilization of the routing table and elimination of routing loops.

When a route is determined to be unreachable, RIP routers do not delete it straightaway. Instead they continue to advertise the route with a metric of 16 (unreachable). This ensures that neighbors are rapidly notified of unreachable routes, rather than having to wait for a soft state timeout.

When router A has learnt a route from router B, it advertises the route back to B with a metric of 16 (unreachable). This ensures that B is never under the impression that A has a different way of getting to the same destination. This technique is known as "split horizon with poison reverse."


A "Request" message allows a newly-started router to rapidly query all of its neighbors' routing tables. [7]

The default hold-down time for RIP is 180 seconds, and the administrative distance of RIP1 and RIP2 is 120. [10]
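As an added example (not part of the report), a small Python model of the RIP behaviour described in this section: full-table advertisements, the hop-count metric capped at 16, split horizon with poison reverse, continued advertisement of dead routes, and a return value that says whether a triggered update is due. The three-router chain and its prefixes are constructed sample data; the timers are left out.

```python
INFINITY = 16  # RIP's "unreachable" metric: a usable path has at most 15 hops


class RipRouter:
    """Minimal model of the RIP behaviour described above: periodic full-table
    advertisements, hop-count metric, split horizon with poison reverse, and
    continued advertisement of dead routes with metric 16."""

    def __init__(self, name, connected):
        self.name = name
        # prefix -> [metric, next_hop]; directly connected networks cost 1 and
        # have no next hop
        self.table = {net: [1, None] for net in connected}

    def advertise_to(self, neighbor):
        """The whole table as it would be sent to one neighbor. Routes learned
        from that neighbor are sent back as unreachable (poison reverse), so the
        neighbor never believes this router has an independent path to them."""
        return {prefix: (INFINITY if next_hop == neighbor else metric)
                for prefix, (metric, next_hop) in self.table.items()}

    def receive(self, sender, advertisement):
        """Process one advertisement from `sender`. Returns True when the table
        changed, which is the condition for sending a triggered update."""
        changed = False
        for prefix, metric in advertisement.items():
            new_metric = min(metric + 1, INFINITY)      # one more hop, capped at 16
            entry = self.table.get(prefix)
            if entry is None:
                if new_metric < INFINITY:                # ignore unreachable unknowns
                    self.table[prefix] = [new_metric, sender]
                    changed = True
            elif entry[1] == sender:
                # Same next hop: accept the update even if it got worse or poisoned
                if entry[0] != new_metric:
                    entry[0] = new_metric
                    changed = True
            elif new_metric < entry[0]:                  # shorter path via another neighbor
                self.table[prefix] = [new_metric, sender]
                changed = True
        return changed

    def mark_unreachable(self, prefix):
        """Route timed out or link failed: keep it, advertised with metric 16."""
        self.table[prefix][0] = INFINITY

    def reachable(self):
        """Prefixes the router will actually forward packets to."""
        return {prefix for prefix, (metric, _) in self.table.items()
                if metric < INFINITY}


def run_chain():
    """Constructed three-router chain A - B - C, one exchange in each direction."""
    a = RipRouter("A", ["10.1.0.0/24"])
    b = RipRouter("B", ["10.2.0.0/24"])
    c = RipRouter("C", ["10.3.0.0/24"])
    b.receive("A", a.advertise_to("B"))
    b.receive("C", c.advertise_to("B"))
    a.receive("B", b.advertise_to("A"))
    c.receive("B", b.advertise_to("C"))
    return a, b, c


if __name__ == "__main__":
    a, b, c = run_chain()
    print("A's table:", a.table)
    b.mark_unreachable("10.3.0.0/24")
    print("A hears poison for 10.3.0.0/24:", a.receive("B", b.advertise_to("A")))
    print("A still reaches:", sorted(a.reachable()))
```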

4.5 IGRP & EIGRP (Enhanced Interior Gateway Routing Protocol)

When Cisco Systems developed the Interior Gateway Routing Protocol (IGRP) around 1986, network administrators didn't have many options to deal with some of RIP's limitations. RIP's hop count limit of 15 and its simplistic metrics weren't allowing networks to scale and distribute traffic across paths of unequal cost. OSPF would not come out for another two years, and another routing protocol was needed. As the pioneer of internetworking, Cisco developed IGRP to specifically address some of RIP's shortcomings. [9]

EIGRP is an enhanced version of IGRP, hence the name. It uses the same distance vector technology as IGRP. The changes were effected in the convergence properties and the operating efficiency of the protocol. EIGRP has some characteristics similar to those of a link-state routing protocol. Therefore, it is sometimes referred to as a hybrid routing protocol, although Cisco calls it an advanced distance vector protocol. EIGRP is an efficient, although proprietary, solution to networking large environments because it scales well. Its ability to scale is, like OSPF, dependent on the design of the network. [8]

IGRP Features

IGRP has features that differentiate it from other distance vector protocols:

Scalability— A hop count limit of 255 provides a broader network diameter versus RIP's hop count limit of 15. The default hop count limit for IGRP is 100.

Faster convergence— IGRP uses Flash updates, which are updates that are sent to neighboring routers when topology changes occur.


Sophisticated metric— IGRP uses a composite metric based on five individual metrics (bandwidth, delay, reliability, load, and MTU) to influence routing decisions.

Unequal cost load balancing— IGRP composite routing metrics allow for load balancing across multiple unequal cost paths. [9]

EIGRP Features

The goal of EIGRP is to solve the scaling limitations that IGRP faces, using the distance vector technology from which it grew. EIGRP increases the potential growth of a network by reducing the convergence time. This is achieved by the following features:

DUAL

Rapid convergence

Reduced bandwidth use

Compatibility with IGRP

Unequal-cost load balancing

DUAL

DUAL is one of the main features of EIGRP. It diffuses the routing computation over multiple routers.

Rapid Convergence

The use of the DUAL algorithm stores not only the best path to the destination, but also the close contenders. If a network fails, the router can immediately switch to the alternate route. If there are no alternative routes, then the router will query neighbors to see whether they have a path to the destination.

Reduced Bandwidth Use


Using multicast and unicast addressing to send and acknowledge updates restricts the potential use of both bandwidth and the other system’s CPU to the essential requirements. EIGRP also uses only incremental updates, as opposed to periodic updates.

Compatibility with IGRP

Because it grew out of IGRP, EIGRP is backward-compatible with IGRP. This allows for seamless transitions to EIGRP and support for older, smaller networks that have neither the need nor the capability to upgrade. EIGRP automatically redistributes IP routes learned into the IGRP process as long as the autonomous system number used to configure the processes is the same.

Use of a Composite Metric

EIGRP uses the same metric as IGRP (bandwidth and delay as the default), though EIGRP has expanded the metric to 32-bit, allowing for greater scaling and granularity. An intelligent metric will select the shortest path.

Unequal-Cost Load Balancing

Unequal-cost load balancing allows all links to a destination to be used to carry data without saturating the slower links. [8]

The administrative distance for IGRP is 100; for EIGRP summary routes it is 5, and for external EIGRP it is 170. [10]

4.6 IS-IS Protocol: Intermediate System to Intermediate System

IS-IS is a link-state routing protocol, which means that the routers exchange topology information with their nearest neighbors. The topology information is flooded throughout the AS, so that every router within the AS has a complete picture of the topology of the AS. This picture is then used to calculate end-to-end paths through the AS, normally using a variant of the Dijkstra algorithm. Therefore, in a link-state routing protocol, the next hop address to which data is forwarded is determined by choosing the best end-to-end path to the eventual destination. [7]


The main advantage of a link state routing protocol is that the complete knowledge of topology allows routers to calculate routes that satisfy particular criteria. This can be useful for traffic engineering purposes, where routes can be constrained to meet particular quality of service requirements. The main disadvantage of a link state routing protocol is that it does not scale well as more routers are added to the routing domain. Increasing the number of routers increases the size and frequency of the topology updates, and also the length of time it takes to calculate end-to-end routes. This lack of scalability means that a link state routing protocol is unsuitable for routing across the Internet at large, which is the reason why IGPs only route traffic within a single AS. [7]

The routing table of IS-IS contains all the destinations the routing protocol knows about, associated with a next hop IP address and outgoing interface.

The protocol recalculates routes when the network topology changes, using the Dijkstra algorithm, and minimizes the routing protocol traffic that it generates. It provides support for multiple paths of equal cost.

It provides a multi-level hierarchy (two-level for IS-IS) called "area routing," so that information about the topology within a defined area of the AS is hidden from routers outside this area. This enables an additional level of routing protection and a reduction in routing protocol traffic.

All protocol exchanges can be authenticated so that only trusted routers can join in the routing exchanges for the AS. [7]

The administrative distance of IS-IS is 115.

4.7 SUBNETTING

A subnet is a logical grouping of connected network devices. Nodes on a subnet tend to be located in close physical proximity to each other on a LAN. Network designers employ subnets as a way to partition networks into logical segments for greater ease of administration. When subnets are properly implemented, both the performance and security of networks can be improved.

In IP networking, nodes on a subnet share a contiguous range of IP address numbers. A mask (known as the subnet mask or network mask) defines the boundaries of an IP subnet.

The Internet community originally identified three classes of organizations:

Small organizations fall into Class C

Medium organizations fall into Class B

Large organizations fall into Class A

Actually, five classes of addresses are used on the Internet. The other two classes represent multicast (Class D) and experimental addresses (Class E). Routing protocols and videoconferencing increasingly use Class D addresses. [8]

Summary of IP Address Classes

Class A – 0xxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx
First bit 0; 7 network bits; 24 host bits
Initial byte: 0 - 127
126 Class As exist (0 and 127 are reserved)
16,777,214 hosts on each Class A

Class B – 10xxxxxx xxxxxxxx xxxxxxxx xxxxxxxx
First two bits 10; 14 network bits; 16 host bits
Initial byte: 128 - 191
16,384 Class Bs exist
65,532 hosts on each Class B

Class C – 110xxxxx xxxxxxxx xxxxxxxx xxxxxxxx
First three bits 110; 21 network bits; 8 host bits
Initial byte: 192 - 223
2,097,152 Class Cs exist
254 hosts on each Class C

Class D – 1110xxxx xxxxxxxx xxxxxxxx xxxxxxxx
First four bits 1110; 28 multicast address bits
Initial byte: 224 - 247
Class Ds are multicast addresses

Class E – 1111xxxx xxxxxxxx xxxxxxxx xxxxxxxx
First four bits 1111; 28 reserved address bits
Initial byte: 248 - 255
Reserved for experimental use. [11]

The following table of IP addresses for the network 192.168.0.0 with the subnet mask 255.255.255.248 is used for the implementation of the VLANs.

Network          Hosts (from)     Hosts (to)       Broadcast Address
192.168.0.0      192.168.0.1      192.168.0.6      192.168.0.7
192.168.0.8      192.168.0.9      192.168.0.14     192.168.0.15
192.168.0.16     192.168.0.17     192.168.0.22     192.168.0.23
192.168.0.24     192.168.0.25     192.168.0.30     192.168.0.31
192.168.0.32     192.168.0.33     192.168.0.38     192.168.0.39
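As an added example (not part of the report), a Python helper that generates the /29 table above from the major network and the mask, classifies addresses by their leading bits as in the class summary, and checks whether two hosts fall in the same subnet (and so belong in the same VLAN under this addressing plan). The major network is taken to be 192.168.0.0/24 and the host addresses used for the check are constructed.

```python
import ipaddress


def subnet_table(major_network, subnet_mask, limit=None):
    """Rows of (network, first host, last host, broadcast) for each subnet carved
    out of `major_network` with `subnet_mask`, in the layout of the table above."""
    base = ipaddress.ip_network(major_network)
    # dotted mask -> prefix length, e.g. 255.255.255.248 -> 29
    new_prefix = ipaddress.ip_network(f"0.0.0.0/{subnet_mask}").prefixlen
    rows = []
    for sub in base.subnets(new_prefix=new_prefix):
        hosts = list(sub.hosts())           # excludes network and broadcast addresses
        rows.append((str(sub.network_address), str(hosts[0]), str(hosts[-1]),
                     str(sub.broadcast_address)))
        if limit is not None and len(rows) == limit:
            break
    return rows


def address_class(address):
    """Classify an IPv4 address by the leading bits of its first byte, as in the
    summary of address classes above. Returns (class letter, network bits, host bits)."""
    first_byte = int(ipaddress.ip_address(address)) >> 24
    if first_byte >> 7 == 0b0:
        return ("A", 7, 24)
    if first_byte >> 6 == 0b10:
        return ("B", 14, 16)
    if first_byte >> 5 == 0b110:
        return ("C", 21, 8)
    if first_byte >> 4 == 0b1110:
        return ("D", 0, 0)    # multicast: no network/host split
    return ("E", 0, 0)        # reserved / experimental


def usable_hosts(host_bits):
    """Usable host addresses: all combinations minus the network and broadcast ones."""
    return 2 ** host_bits - 2


def same_subnet(addr_a, addr_b, subnet_mask):
    """True when the two hosts share a subnet under `subnet_mask` (so they can sit in
    the same VLAN); otherwise traffic between them has to be routed."""
    net_a = ipaddress.ip_network(f"{addr_a}/{subnet_mask}", strict=False)
    return ipaddress.ip_address(addr_b) in net_a


if __name__ == "__main__":
    print(f"{'Network':15} {'First host':15} {'Last host':15} {'Broadcast':15}")
    for row in subnet_table("192.168.0.0/24", "255.255.255.248", limit=5):
        print("{:15} {:15} {:15} {:15}".format(*row))
```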

CHAPTER 5: Virtual Local Area Network

5.1 Introduction

As we know, shared Ethernet media operate at OSI Layer 1 (the physical layer). Each host must share the available bandwidth with every other connected host. When more than one host tries to talk at one time, a collision occurs, and everyone must back off and wait to talk again. This forces every host to operate in half-duplex mode, either talking or listening at any given time. In addition, when one host sends a frame, all connected hosts hear it. When one host generates a frame with errors, everyone hears that, too. [7]

In other words, in a Local Area Network (LAN), if one user sends a broadcast, it is received by every user in that LAN. By default, routers break up broadcast domains and bridges break up collision domains. The question, then, is how to break up broadcast domains in a purely switched internetwork. The answer is the VLAN.

A VLAN is a logical group of network users and resources connected to administratively defined ports on a switch. When we create VLANs we gain the ability to create smaller broadcast domains within a Layer 2 switched internetwork by assigning different ports on the switch to different subnetworks. A VLAN is treated like its own subnet or broadcast domain, meaning that frames broadcast onto the network are only switched between the ports logically grouped within the same VLAN. [3]

VLANs are created to provide the segmentation services traditionally provided by routers in LAN configurations. VLANs address scalability, security, and network management. Routers in VLAN topologies provide broadcast filtering, security, address summarization, and traffic flow management.

• LAN Segmentation

• Security

• Broadcast Control

• Performance

• Network Management

5.1.1 LAN Segmentation

The problems associated with shared LANs and the emergence of switches are causing traditional LAN configurations to be replaced with switched VLAN internetworking configurations. Switched VLAN configurations vary from LAN configurations in the following ways:

Switches replace front-end hubs in the wiring closet. Switches are easily installed with little or no cabling changes, and can completely replace a shared hub with per port service to each user.

VLANs are created to provide the segmentation services traditionally provided by routers in LAN configurations. A VLAN is a switched network that is logically segmented by functions, project teams, or applications without regard to the physical location of users. Each switch port can be assigned to a VLAN. Ports in a VLAN share broadcasts. Ports that do not belong to that VLAN do not share these broadcasts. This improves the overall performance of the network.

Communication between VLANs is provided by layer 3 routing.[20]

Figure 5.1 illustrates the difference between traditional physical LAN segmentation and logical VLAN segmentation.

Figure 5.1:- LAN Segmentation and VLAN Segmentation [20]

5.1.2 Security

Security in a flat internetwork used to be tackled by connecting hubs and switches together with a router, so it was basically the router's job to maintain security. This arrangement was pretty ineffective for several reasons. First, anyone who connected to the physical network could access the network resources located on that particular physical LAN, and, most importantly, users could join a workgroup by just plugging their workstation into the existing hub.

But if we build VLANs and create multiple broadcast groups, we have total control over each port and user. Someone who just plugs a workstation into any switch port can no longer gain access to network resources, because we now control each port, and the switch can be configured to inform management of any attempt by an unauthorized workstation to connect. We can also place restrictions on hardware addresses and applications. [19]

5.1.3 Broadcast Control

Broadcasts occur in every protocol, but how often they occur depends upon three things:

The type of protocol

The application running on the internetwork

How these services are used

All devices within a VLAN are members of the same broadcast domain and receive all broadcasts. By default, these broadcasts are filtered from all ports on the switch that are not members of the same VLAN, meaning that a port on the switch which is not part of that VLAN cannot receive the broadcast. [19]

5.1.4 Performance

Although many analysts have suggested that VLANs enhance the ability to deploy centralized servers, customers may look at enterprise-wide VLAN implementation and see difficulties in enabling full, high-performance access to centralized servers.

5.1.5 Network Management

The logical grouping of users allows easier network management. With VLANs there is no need to pull cable to move a user from one network to another; changes, moves, or additions are achieved by assigning the port to the particular VLAN.

5.2 VLAN Membership

When a VLAN is provided at an access-layer switch, an end user must have some means of gaining membership to it. Two membership methods exist on Cisco Catalyst switches.

■ Static VLAN

■ Dynamic VLAN

5.2.1 Static VLANs

No VLAN membership protocol is needed for the end devices; they automatically assume VLAN connectivity when they connect to a port.

Normally, the end device is not even aware that the VLAN exists. The switch port and its VLAN simply are viewed and used as any other network segment, with other “locally attached” members on the wire. The static port-to-VLAN membership normally is handled in hardware with application-specific integrated circuits (ASICs) in the switch. This membership provides good performance because all port mappings are done at the hardware level, with no complex table lookups needed. [4]

5.2.2 Dynamic VLANs

Dynamic VLANs provide membership based on the MAC address of an end-user device. When a device is connected to a switch port, the switch must, in effect, query a database to establish VLAN membership. A network administrator also must assign the user’s MAC address to a VLAN in the database of a VLAN Membership Policy Server (VMPS).

Dynamic VLANs allow a great deal of flexibility and mobility for end users but require more administrative overhead. [4]


5.3 Types of Connections

Devices on a VLAN can be connected in three ways based on whether the connected devices are VLAN-aware or VLAN-unaware. A VLAN-aware device is one which understands VLAN memberships (i.e. which users belong to a VLAN) and VLAN formats. [1]

5.3.1 Trunk Link or Trunk Port

All the devices connected to a trunk link, including workstations, must be VLAN-aware. All frames on a trunk link must have a special header attached. These special frames are called tagged frames. [1]

Figure 5.2: Trunk link between two VLAN-aware bridges. [1]

5.3.2 Access Link or Access Port

An access link connects a VLAN-unaware device to the port of a VLAN-aware bridge. All frames on access links must be implicitly tagged (untagged). The VLAN-unaware device can be a LAN segment with VLAN-unaware workstations or it can be a number of LAN segments containing VLAN-unaware devices. [1]

Figure 5.3: Access link between a VLAN-aware bridge and a VLAN-unaware device. [1]

5.3.3 Hybrid Link

This is a combination of the previous two links. This is a link where both VLAN-aware and VLAN-unaware devices are attached. A hybrid link can have both tagged and untagged frames, but all the frames for a specific VLAN must be either tagged or untagged.

Figure 5.4 Hybrid link containing both VLAN-aware and VLAN-unaware devices. [1]

5.4 Communicating between VLANS

VLAN frame identification was developed for switched networks. As each frame is transmitted over a trunk link, a unique identifier is placed in the frame header. As each switch along the way receives these frames, the identifier is examined to determine to which VLAN the frames belong and then is removed.

If frames must be transported out another trunk link, the VLAN identifier is added back into the frame header. Otherwise, if frames are destined out an access (nontrunk) link, the switch removes the VLAN identifier before transmitting the frames to the end station. Therefore, all traces of VLAN associations are hidden from the end station.


VLAN identification can be performed using two methods, each using a different frame identifier mechanism. [4]

Inter-Switch Link (ISL) protocol

IEEE 802.1Q protocol

5.4.1 Inter-Switch Link (ISL) protocol

The Inter-Switch Link (ISL) protocol is a Cisco-proprietary method for preserving the source VLAN identification of frames passing over a trunk link. ISL performs frame identification in Layer 2 by encapsulating each frame between a header and a trailer.

When a frame is destined out a trunk link to another switch or router, ISL adds a 26-byte header and a 4-byte trailer to the frame. The source VLAN is identified with a 15-bit VLAN ID field in the header. The trailer contains a cyclic redundancy check (CRC) value to ensure the data integrity of the new encapsulated frame. [4]

5.4.2 IEEE 802.1Q protocol

The IEEE 802.10 protocol provides connectivity between VLANs. Originally developed to address the growing need for security within shared LAN/MAN environments, it incorporates authentication and encryption techniques to ensure data confidentiality and integrity throughout the network. Additionally, by functioning at Layer 2, it is well suited to high-throughput, low-latency switching environments. IEEE 802.10 protocol can run over any LAN or HDLC serial interface. [20]

5.5 VLAN Trunking Protocol (VTP)

VTP is a protocol that runs over trunk links and synchronizes the VLAN databases of all switches in the VTP domain. A VTP domain is an administrative group—all switches within that group must have the same VTP domain name configured or they do not synchronize databases.

VTP works by using Configuration Revision numbers and VTP advertisements:

All switches send out VTP advertisements every five minutes, or when there is a change to the VLAN database (when a VLAN is created, deleted, or renamed).

VTP advertisements contain a Configuration Revision number. This number is increased by one for every VLAN change.


When a switch receives a VTP advertisement, it compares the Configuration Revision number against the one in its VLAN database.

If the new number is higher, the switch overwrites its database with the new VLAN information, and forwards the information to its neighbor switches.

If the number is the same, the switch ignores the advertisement.

If the new number is lower, the switch replies with the more up-to-date information contained in its own database. [2]
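As an added example (not part of the report), the revision-number rule above together with the server, client and transparent modes of section 5.6, as a Python model; the switch names, VTP domain names and VLAN numbers are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class VtpSwitch:
    """Model of how one switch handles VTP advertisements."""
    name: str
    domain: str
    mode: str = "server"          # "server", "client" or "transparent"
    version: int = 2              # VTP version; matters only for transparent relaying
    revision: int = 0             # Configuration Revision number
    vlans: dict = field(default_factory=lambda: {1: "default"})

    def advertisement(self):
        return {"domain": self.domain, "version": self.version,
                "revision": self.revision, "vlans": dict(self.vlans)}

    def configure_vlan(self, vlan_id, name):
        """Create or rename a VLAN locally. Clients may not; servers raise the
        revision by one and advertise; transparent switches change only their own
        database and advertise nothing (returns None)."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: VTP clients cannot modify VLANs")
        self.vlans[vlan_id] = name
        if self.mode == "transparent":
            return None
        self.revision += 1
        return self.advertisement()

    def receive(self, advert):
        """Apply one received advertisement and report the action taken:
        'drop', 'relay', 'overwrite', 'ignore' or 'reply'."""
        if self.mode == "transparent":
            # VTP v2 relays regardless of domain; v1 only when domain and version match
            if self.version >= 2 or (advert["domain"] == self.domain
                                     and advert["version"] == self.version):
                return "relay"
            return "drop"
        if advert["domain"] != self.domain:
            return "drop"                        # other VTP domain: never synchronize
        if advert["revision"] > self.revision:
            self.vlans = dict(advert["vlans"])   # whole VLAN database replaced
            self.revision = advert["revision"]
            return "overwrite"                   # and forwarded on to neighbours
        if advert["revision"] == self.revision:
            return "ignore"
        return "reply"                           # this switch holds the newer database


def sync_domain(switches, advert):
    """Deliver one advertisement to every switch; returns {switch name: action}."""
    return {sw.name: sw.receive(advert) for sw in switches}
```

The rule the model makes visible is the check a practitioner wants before connecting a previously used switch: any switch that joins the domain carrying a higher Configuration Revision number overwrites every server and client even when its own VLAN database is emptier, so its revision should be reset first (changing its VTP domain name or placing it in transparent mode does that).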

5.6 VTP Modes of Operation

To participate in a VTP management domain, each switch must be configured to operate in one of several modes. The VTP mode determines how the switch processes and advertises VTP information. The following modes can be used:

Server Mode

Client Mode

Transparent Mode

5.6.1 Server Mode

VTP servers have full control over VLAN creation and modification for their domains. All VTP information is advertised to other switches in the domain, while all received VTP information is synchronized with the other switches. By default, a switch is in VTP server mode. Note that each VTP domain must have at least one server so that VLANs can be created, modified, or deleted and VLAN information can be propagated. [4]

5.6.2 Client mode

VTP clients do not allow the administrator to create, change, or delete any VLANs. Instead, they listen to VTP advertisements from other switches and modify their VLAN configurations accordingly. In effect, this is a passive listening mode. Received VTP information is forwarded out trunk links to neighboring switches in the domain, so the switch also acts as a VTP relay. [4]

5.6.3 Transparent mode

VTP transparent switches do not participate in VTP. While in transparent mode, a switch does not advertise its own VLAN configuration, and a switch does not synchronize its VLAN database with received advertisements. In VTP version 1, a transparent-mode switch does not even relay VTP information it receives to other switches unless its VTP domain names and VTP version numbers match those of the other switches. In VTP version 2, transparent switches do forward received VTP advertisements out of their trunk ports, acting as VTP relays. This occurs regardless of the VTP domain name setting. [4]

CHAPTER 6: Dynamic Multipoint VPN

A Dynamic Multipoint Virtual Private Network is an enhancement of the virtual private network (VPN) configuration process of Cisco IOS-based routers. It is a Cisco-proprietary software solution. DMVPN removes the need for pre-configured (static) IPsec peers in crypto map configurations and ISAKMP peer statements. This feature of Cisco IOS allows greater scalability over previous IPsec configurations. An IPsec tunnel between two Cisco routers may be created on an as-needed basis. Tunnels may be created between a spoke router and a hub router (VPN headend), or between spokes. This greatly alleviates the need for the hub to route data between spoke networks, as was common in a non-fully-meshed Frame Relay topology. [21]

DMVPN is a combination of the following technologies:

1) Multipoint GRE (mGRE)

2) Next-Hop Resolution Protocol (NHRP)

3) Dynamic IPsec encryption

4) Dynamic Routing Protocol (EIGRP, RIP, OSPF, BGP)

5) Cisco Express Forwarding (CEF) [24]

6.1 What is NHRP?

• NHRP is a Layer 2 resolution protocol and cache, like ARP or Reverse ARP (Frame Relay)

• It is used in DMVPN to map a tunnel IP address to an NBMA address

• Like ARP, NHRP can have static and dynamic entries

• NHRP has worked fully dynamically since Release 12.2(13)T [23]

NHRP Phase 1

In NHRP Phase 1, mGRE uses NHRP to inform the hub about dynamically appearing spokes. Initially, we configure every spoke with the IP address of the hub as its NHS (next-hop server). However, the spoke's tunnel mode is a regular point-to-point GRE tunnel with a fixed destination IP equal to the physical address of the hub. The spokes can only reach the hub, and reach the other spoke networks across the hub. The benefit of Phase 1 is a simplified hub router configuration, which does not require a static NHRP mapping for every new spoke.

Figure 6.1 NHRP Phase 1

As all packets go across the hub, almost any dynamic routing protocol would help with attaining reachability. The hub just needs to advertise a default route to the spokes, while the spokes should advertise their subnets dynamically to the hub. It probably makes sense to run EIGRP and summarize all subnets to 0.0.0.0/0 on the hub, effectively sending a default route to all spokes (if the spokes do not use any other default route, e.g. from their ISPs). Configure the spokes as EIGRP stubs and advertise their respective connected networks. RIP could be set up in a similar manner, by simply configuring the GRE tunnels on the spokes as passive interfaces. Both EIGRP and RIP require split horizon to be disabled on the hub mGRE interface in order to exchange subnets spoke to spoke. As for OSPF, the optimal choice would be using the point-to-multipoint network type on all GRE and mGRE interfaces. In addition to that, configure ip ospf database-filter all out on the hub and set up static default routes via the tunnel interfaces on the spokes. [24]

6.2 What are GRE Tunnels?

• A GRE tunnel is a simple non-negotiated tunnel; GRE only needs tunnel endpoints

• GRE encapsulates frames or packets into another IP packet + IP header

• GRE has only 4 to 8 bytes of overhead

• GRE tunnels exist in two main flavors:

o Point-to-point (GRE)

o Point-to-multipoint (mGRE) [23]

A classic GRE tunnel is point-to-point, but mGRE generalizes this idea by allowing a tunnel to have "multiple" destinations.

Figure 6.2 GRE Tunnels

This may seem natural if the tunnel destination address is multicast (e.g. 239.1.1.1). The tunnel could be used to effectively distribute the same information (e.g. video stream) to multiple destinations on top of a multicast-enabled network. Actually, this is how mGRE is used for Multicast VPN implementation in Cisco IOS. However, if tunnel endpoints need to exchange unicast packets, special “glue” is needed to map tunnel IP addresses to “physical” or “real” IP addresses, used by endpoint routers. [24]
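To make the overhead figures concrete, here is an added example (not from the report) that builds and parses a GRE header in Python according to RFC 2784, with the Key and Sequence Number fields of RFC 2890. The tunnel key 123 used later in the lab is carried in the optional 4-byte Key field, so a keyed GRE header is 8 bytes. The MTU arithmetic at the end uses only the report's own values (a 1500-byte Ethernet link and ip mtu 1416); the 56 bytes of headroom it derives is my arithmetic, not a figure quoted from the page.

```python
"""Added example (not from the report): GRE header construction and parsing.
Base header per RFC 2784; Key and Sequence Number fields per RFC 2890.
The IOS 'tunnel key 123' in the lab is carried in the 4-byte Key field."""
import struct
from typing import Optional

GRE_FLAG_CHECKSUM = 0x8000   # C bit: 4 extra bytes (checksum + reserved1)
GRE_FLAG_KEY = 0x2000        # K bit: 4-byte key (IOS 'tunnel key')
GRE_FLAG_SEQUENCE = 0x1000   # S bit: 4-byte sequence number
ETHERTYPE_IPV4 = 0x0800
OUTER_IPV4_HEADER = 20       # delivery header without options


def gre_checksum(data: bytes) -> int:
    """One's-complement checksum over the GRE header and payload (RFC 2784 2.5)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_gre(payload: bytes, key: Optional[int] = None, seq: Optional[int] = None,
              checksum: bool = False, proto: int = ETHERTYPE_IPV4) -> bytes:
    """Return GRE header + payload (the outer IP header is not included)."""
    flags = 0
    if checksum:
        flags |= GRE_FLAG_CHECKSUM
    if key is not None:
        flags |= GRE_FLAG_KEY
    if seq is not None:
        flags |= GRE_FLAG_SEQUENCE
    header = struct.pack("!HH", flags, proto)
    if checksum:
        header += struct.pack("!HH", 0, 0)      # checksum placeholder + reserved1
    if key is not None:
        header += struct.pack("!I", key)
    if seq is not None:
        header += struct.pack("!I", seq)
    packet = header + payload
    if checksum:
        csum = gre_checksum(packet)             # computed with the field zeroed
        packet = packet[:4] + struct.pack("!H", csum) + packet[6:]
    return packet


def parse_gre(packet: bytes) -> dict:
    """Decode flags and optional fields; report header length and checksum result."""
    flags, proto = struct.unpack("!HH", packet[:4])
    offset = 4
    info = {"proto": proto, "key": None, "seq": None, "checksum_ok": None}
    if flags & GRE_FLAG_CHECKSUM:
        (csum,) = struct.unpack("!H", packet[4:6])
        zeroed = packet[:4] + b"\x00\x00" + packet[6:]
        info["checksum_ok"] = gre_checksum(zeroed) == csum
        offset += 4
    if flags & GRE_FLAG_KEY:
        (info["key"],) = struct.unpack("!I", packet[offset:offset + 4])
        offset += 4
    if flags & GRE_FLAG_SEQUENCE:
        (info["seq"],) = struct.unpack("!I", packet[offset:offset + 4])
        offset += 4
    info["header_len"] = offset
    info["payload"] = packet[offset:]
    return info


def gre_payload_mtu(link_mtu: int = 1500, keyed: bool = True) -> int:
    """Largest inner packet that fits after the outer IPv4 header and a
    (keyed) GRE header: 1500 - 20 - 8 = 1472 for the lab's keyed tunnel."""
    return link_mtu - OUTER_IPV4_HEADER - (8 if keyed else 4)


if __name__ == "__main__":
    inner = bytes([0x45]) + bytes(19)   # constructed stand-in for an inner IPv4 header
    pkt = build_gre(inner, key=123)
    print(parse_gre(pkt)["header_len"], "byte GRE header, payload MTU", gre_payload_mtu())
```

The difference between 1472 and the lab's ip mtu 1416 is 56 bytes, the room left for the ESP encapsulation that Task 3 adds on top of the GRE packet. Note that the GRE key is only a demultiplexing value and the checksum only an integrity hint; neither is secret or authenticated, which is why the page pairs mGRE with IPsec for any confidentiality or authenticity requirement.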

6.3 Routing with DMVPN

Dynamic routing is required over the hub-to-spoke tunnels:

• A spoke learns of all private networks on the other spokes and on the hub via routing updates sent through the hub.
• The IP next hop for a spoke network is the tunnel interface address of that spoke.


6.3.1 Possible routing protocols

• Enhanced Interior Gateway Routing Protocol (EIGRP), which scales reasonably well
• Open Shortest Path First (OSPF)
• Border Gateway Protocol (BGP)
• Routing Information Protocol (RIP)

6.4 DMVPN Phases

• Phase 1: Hub-and-spoke functionality
• Phase 2: Spoke-to-spoke functionality

6.4.1 Hub-and-spoke

• Spoke-to-spoke traffic passes through the hub; the design requires about the same number of tunnels as there are spokes.
• Hub bandwidth and CPU limit the VPN. Server load balancing: many “identical” hubs increase the available CPU power. A spoke-to-spoke design is under consideration. [25]

Figure 6.3 Hub-to-spokes and Dynamic spoke-to-spoke tunnels


6.4.2 Spoke-to-spoke

• Control traffic: hub-and-spoke, and hub to hub. Either a single hub-and-spoke layer or hierarchical hub-and-spoke layers.
• Unicast data traffic: dynamic mesh. Spoke routers support both spoke-to-hub and spoke-to-spoke tunnels.
• The number of tunnels falls between n (hub-and-spoke) and n² (full mesh), where n is the number of spokes. [25]

6.5 Sample mGRE and IPsec Integration Topology

• Each spoke has a permanent IPSec tunnel to the hub, not to the other spokes within the network. Each spoke registers as a client of the NHRP server.

• When a spoke needs to send a packet to a destination (private) subnet on another spoke, it queries the NHRP server for the real (outside) address of the destination (target) spoke.

• After the originating spoke "learns" the peer address of the target spoke, it can initiate a dynamic IPSec tunnel to the target spoke.

• The spoke-to-spoke tunnel is built over the multipoint GRE interface.

• The spoke-to-spoke links are established on demand whenever there is traffic between the spokes. Thereafter, packets can bypass the hub and use the spoke-to-spoke tunnel. [22]

6.6 IPSec Profiles

IPSec profiles abstract IPSec policy information into a single configuration entity, which can be referenced by name from other parts of the configuration. Therefore, users can configure functionality such as GRE tunnel protection with a single line of configuration. By referencing an IPSec profile, the user does not have to configure an entire crypto map configuration. An IPSec profile contains only IPSec information; that is, it does not contain any access list information or peering information. [22]

6.7 Benefits of Dynamic Multipoint VPN (DMVPN)

Hub Router Configuration Reduction


• Currently, for each spoke router, there is a separate block of configuration lines on the hub router that define the crypto map characteristics, the crypto access list, and the GRE tunnel interface. This feature allows users to configure a single mGRE tunnel interface, a single IPSec profile, and no crypto access lists on the hub router to handle all spoke routers. Thus, the size of the configuration on the hub router remains constant even if spoke routers are added to the network.

• DMVPN architecture can group many spokes into a single multipoint GRE interface, removing the need for a distinct physical or logical interface for each spoke in a native IPSec installation.

Automatic IPSec Encryption Initiation

GRE has the peer source and destination address configured or resolved with NHRP. Thus, this feature allows IPSec to be immediately triggered for the point-to-point GRE tunneling or when the GRE peer address is resolved via NHRP for the multipoint GRE tunnel.

Support for Dynamically Addressed Spoke Routers

When using point-to-point GRE and IPSec hub-and-spoke VPN networks, the physical interface IP address of each spoke router must be known when configuring the hub router, because that IP address must be configured as the GRE tunnel destination address. This feature allows spoke routers to have dynamic physical interface IP addresses (common for cable and DSL connections). When a spoke router comes online, it sends registration packets to the hub router; within these registration packets is the current physical interface IP address of the spoke.

Dynamic Creation for Spoke-to-Spoke Tunnels

This feature eliminates the need for spoke-to-spoke configuration for direct tunnels. When a spoke router wants to transmit a packet to another spoke router, it can now use NHRP to dynamically determine the required destination address of the target spoke router (The hub router acts as the NHRP server, handling the request for the source spoke router). The two spoke routers dynamically create an IPSec tunnel between them so data can be directly transferred. [22]
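The registration and resolution exchange described in section 6.5 and in the two features above can be modelled in a few dozen lines. The following is an added example (my own model, not code from the report and not an NHRP implementation): the hub keeps the tunnel-address to NBMA-address cache, spokes register on start-up and re-register when their outside address changes, and a spoke keeps forwarding through the hub until a resolution reply lets it open a direct spoke-to-spoke path. Addresses are taken from the lab (hub NBMA address 192.1.10.3, spoke tunnel addresses 172.16.123.1 and .2, spoke underlay addresses 192.1.123.1 and .2); the message fields, and the rule that a request whose network-id or authentication string does not match is dropped, are my simplification of the lab's ip nhrp network-id 123 and ip nhrp authentication DMVPN settings.

```python
"""Added example (not from the report, not an NHRP implementation): a model of the
hub-held tunnel-to-NBMA address cache that the DMVPN sections describe.
Addresses are those of the lab; message shapes are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class NhrpServer:
    """The hub (R3 in the lab). 'network_id' and 'auth' stand for the lab's
    'ip nhrp network-id 123' and 'ip nhrp authentication DMVPN'."""
    network_id: int
    auth: str
    nbma: str                                               # hub's real/outside address
    cache: Dict[str, str] = field(default_factory=dict)     # tunnel IP -> NBMA IP

    def _accept(self, msg: dict) -> bool:
        # A message whose network-id or authentication string does not match is dropped.
        return msg.get("network_id") == self.network_id and msg.get("auth") == self.auth

    def registration(self, msg: dict) -> dict:
        if not self._accept(msg):
            return {"type": "drop"}
        self.cache[msg["tunnel_ip"]] = msg["nbma_ip"]   # (re)learn the spoke's current address
        return {"type": "registration-reply", "code": "ok"}

    def resolution(self, msg: dict) -> dict:
        if not self._accept(msg):
            return {"type": "drop"}
        nbma = self.cache.get(msg["target_tunnel_ip"])
        if nbma is None:
            return {"type": "resolution-reply", "code": "no-binding"}
        return {"type": "resolution-reply", "code": "ok",
                "target_tunnel_ip": msg["target_tunnel_ip"], "target_nbma_ip": nbma}


@dataclass
class Spoke:
    name: str
    tunnel_ip: str
    nbma_ip: str          # may change between connections (DSL/cable), hence registration
    network_id: int
    auth: str
    nhs: NhrpServer
    cache: Dict[str, str] = field(default_factory=dict)
    direct_peers: Set[str] = field(default_factory=set)   # NBMA addresses with a direct tunnel

    def _hdr(self) -> dict:
        return {"network_id": self.network_id, "auth": self.auth, "src_tunnel_ip": self.tunnel_ip}

    def register(self) -> dict:
        """Sent on start-up (and whenever the outside address changes)."""
        return self.nhs.registration({**self._hdr(), "type": "registration-request",
                                      "tunnel_ip": self.tunnel_ip, "nbma_ip": self.nbma_ip})

    def send_to(self, target_tunnel_ip: str) -> str:
        """Return the NBMA address this packet is encapsulated towards."""
        nbma = self.cache.get(target_tunnel_ip)
        if nbma is not None:
            return nbma                          # resolved: direct spoke-to-spoke path
        # Not yet resolved: this packet still goes via the hub, and a resolution
        # request is sent so that later packets can bypass it.
        reply = self.nhs.resolution({**self._hdr(), "type": "resolution-request",
                                     "target_tunnel_ip": target_tunnel_ip})
        if reply.get("code") == "ok":
            self.cache[target_tunnel_ip] = reply["target_nbma_ip"]
            self.direct_peers.add(reply["target_nbma_ip"])   # IPsec + mGRE to the peer built here
        return self.nhs.nbma


if __name__ == "__main__":
    hub = NhrpServer(network_id=123, auth="DMVPN", nbma="192.1.10.3")
    r1 = Spoke("R1", "172.16.123.1", "192.1.123.1", 123, "DMVPN", hub)
    r2 = Spoke("R2", "172.16.123.2", "192.1.123.2", 123, "DMVPN", hub)
    r1.register(); r2.register()
    print("first packet via", r1.send_to("172.16.123.2"), "then via", r1.send_to("172.16.123.2"))
```

The model omits the holding time that real NHRP attaches to cache entries, so a stale binding on a spoke is not aged out here; it does show why the authentication string matters operationally: a spoke with the wrong string never enters the hub's cache, so no other spoke is ever pointed at it.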


CHAPTER 7: Deliverables

7.1 Configuring VLANs on SDM

Figure 7.1 below shows the network structure for the deployment of the VLANs. The 1812W router is connected to several VLANs and to a single hub, which in turn carries a single VLAN. Physical connectivity is provided by straight-through cable.

Figure 7.1: Router 1812W connected to VLAN 1, VLAN 2, VLAN 4 and a hub; the hub carries three VLAN 3 machines, one of them a laptop.

Following is the list of IP addresses used in the network defined above to construct the VLANs, for the network 192.168.0.0 with subnet mask 255.255.255.248.


Network        Hosts (from)   Hosts (to)     Broadcast Address
192.168.0.0    192.168.0.1    192.168.0.6    192.168.0.7
192.168.0.8    192.168.0.9    192.168.0.14   192.168.0.15
192.168.0.16   192.168.0.17   192.168.0.22   192.168.0.23
192.168.0.24   192.168.0.25   192.168.0.30   192.168.0.31
192.168.0.32   192.168.0.33   192.168.0.38   192.168.0.39
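The table above can be generated rather than worked out by hand. This is an added example (not part of the report) that uses Python's ipaddress module to carve /29 blocks out of 192.168.0.0/24, to check whether two hosts fall in the same block (the condition behind the later intra-VLAN ping tests), and to return the first usable address of a block, which is the convention the report follows for each VLAN's router address.

```python
"""Added example (not from the report): the /29 VLAN address plan computed
with the standard-library ipaddress module."""
import ipaddress
from itertools import islice
from typing import List, Tuple


def subnet_table(base: str, new_prefix: int, count: int) -> List[Tuple[str, str, str, str]]:
    """First `count` /new_prefix blocks of `base` as
    (network, first host, last host, broadcast) strings."""
    rows = []
    for net in islice(ipaddress.ip_network(base).subnets(new_prefix=new_prefix), count):
        hosts = list(net.hosts())
        rows.append((str(net.network_address), str(hosts[0]), str(hosts[-1]),
                     str(net.broadcast_address)))
    return rows


def same_subnet(a: str, b: str, prefix: int) -> bool:
    """True when two hosts share one /prefix block, i.e. the same VLAN in this plan."""
    return (ipaddress.ip_interface(f"{a}/{prefix}").network
            == ipaddress.ip_interface(f"{b}/{prefix}").network)


def default_gateway(host: str, prefix: int) -> str:
    """The report assigns the first usable address of each block to the VLAN
    interface on the router; return that address for the block holding `host`."""
    net = ipaddress.ip_interface(f"{host}/{prefix}").network
    return str(list(net.hosts())[0])


if __name__ == "__main__":
    for row in subnet_table("192.168.0.0/24", 29, 5):
        print("%-14s %-14s %-14s %s" % row)
    print(same_subnet("192.168.0.10", "192.168.0.14", 29))   # same VLAN 2 block
    print(default_gateway("192.168.0.20", 29))               # VLAN 3 router address
```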

VLAN 1 is configured with the IP address 10.10.10.1 because, by default, this address is used to connect SDM to the machine directly attached to the 1812W router.

Here VLAN 1 is configured through SDM with the IP address 10.10.10.1 and the subnet mask 255.255.255.248.

Here an IP release/renew is performed at the command prompt on the PC directly connected to VLAN 1.


Here VLAN 2 is configured through SDM with the IP address 192.168.0.9 and the subnet mask 255.255.255.248.


Enabling the routing protocol RIP on the router to perform routing between the VLANs.

The following screenshot shows that routing is enabled on the router.


Configuring VLAN 3 and VLAN 4 on the router.

Here the IP address, subnet mask and default gateway for VLAN 2 are configured according to the IP address and subnet mask defined above. The machine successfully pings its default gateway, its own IP and the VLAN 1 IP from the command line, showing connectivity between the VLANs.


Configuring the IP address, subnet mask and default gateway for VLAN 3, which is connected through the hub, according to the IP address and subnet mask defined above. The machine successfully pings its default gateway, its own IP and the VLAN 1 and VLAN 2 IPs from the command line, showing connectivity between the VLANs.

The machine also successfully pings its default gateway, its own IP, VLAN 1, VLAN 2 and another VLAN 3 machine connected to the hub from the command line.


Configuring the IP address, subnet mask and default gateway for VLAN 4. The machine successfully pings its default gateway, its own IP, VLAN 1, VLAN 2 and VLAN 3 from the command line.

7.2 Configuring DMVPN on the CLI

Figure 7.2: DMVPN through R1, R2 & R3 (hub and spoke). R1 (F0/0, .1), R2 (F0/0, .2), R3 (F0/0, .3) and the management PC (.100) share the switched segment 192.1.123.0/24, VLAN 123.

Figure 7.2 above shows the network structure for the implementation of DMVPN. In this network the three routers and the management PC are connected to a switch by Ethernet cable. One router is configured as the hub and the other two routers as spokes.

The lab objective is defined by the following three tasks for the implementation of DMVPN.

Lab Objectives

Task 1

Configure the following Loopback interfaces:

R1 – Interface Loopback 15 – 172.16.1.1/24
R2 – Interface Loopback 15 – 172.16.2.2/24
R3 – Interface Loopback 15 – 172.16.3.3/24

R1
 interface Loopback 15
  ip address 172.16.1.1 255.255.255.0

R2
 interface Loopback 15
  ip address 172.16.2.2 255.255.255.0

R3
 interface Loopback 15
  ip address 172.16.3.3 255.255.255.0

Task 2

Configure an mGRE tunnel to route traffic between the newly created loopbacks using the following parameters:

NHRP Parameters
 o NHRP ID – 123
 o NHRP Authentication key – DMVPN
 o NHRP Hub – R3

Tunnel Parameters
 o IP address: 172.16.123.0/24
 o IP MTU: 1416
 o Tunnel Authentication Key: 123

Routing Protocol Parameters
 o EIGRP 123

R3
 interface Tunnel 1
  ip address 172.16.123.3 255.255.255.0
  ip mtu 1416
  ip nhrp network-id 123
  ip nhrp authentication DMVPN
  ip nhrp map multicast dynamic
  tunnel source FastEthernet0/0
  tunnel mode gre multipoint
  tunnel key 123
  no ip split-horizon eigrp 123
 !
 router eigrp 123
  no auto-summary
  network 172.16.0.0 0.0.255.255
 !
 ip route 172.16.1.0 255.255.255.0 192.1.123.1
 ip route 172.16.2.0 255.255.255.0 192.1.123.2

R1
 interface Tunnel 1
  ip address 172.16.123.1 255.255.255.0
  ip mtu 1416
  ip nhrp network-id 123
  ip nhrp authentication DMVPN
  ip nhrp nhs 172.16.123.3
  ip nhrp map 172.16.123.3 192.1.10.3
  ip nhrp map multicast 192.1.10.3
  tunnel source FastEthernet0/0
  tunnel mode gre multipoint
  tunnel key 123
 !
 router eigrp 123
  no auto-summary
  network 172.16.0.0 0.0.255.255
 !
 ip route 172.16.2.0 255.255.255.0 192.1.123.2
 ip route 172.16.3.0 255.255.255.0 192.1.123.3


Task 3

Encrypt the mGRE traffic using the following parameters:

ISAKMP Parameters
 o Authentication: Pre-shared
 o Encryption: 3DES
 o Pre-Shared Key: cisco123

IPSec Parameters
 o Encryption: ESP-3DES
 o Authentication: ESP-MD5-HMAC

R3
 crypto isakmp policy 10
  authentication pre-share
  encryption 3des
 !
 crypto isakmp key ccie address 0.0.0.0
 !
 crypto ipsec transform-set t-set esp-3des esp-md5-hmac
 !
 crypto ipsec profile DMVPN
  set transform-set t-set
 !
 interface Tunnel 1
  tunnel protection ipsec profile DMVPN

R1
 crypto isakmp policy 10
  authentication pre-share
  encryption 3des
 !
 crypto isakmp key ccie address 0.0.0.0
 !
 crypto ipsec transform-set t-set esp-3des esp-md5-hmac
 !
 crypto ipsec profile DMVPN
  set transform-set t-set
 !
 interface Tunnel 1
  tunnel protection ipsec profile DMVPN

R2
 crypto isakmp policy 10
  authentication pre-share
  encryption 3des
 !
 crypto isakmp key ccie address 0.0.0.0
 !
 crypto ipsec transform-set t-set esp-3des esp-md5-hmac
 !
 crypto ipsec profile DMVPN
  set transform-set t-set
 !
 interface Tunnel 1
  tunnel protection ipsec profile DMVPN

Test Commands:
 show ip route eigrp 123
 ping 172.16.1.1
 ping 172.16.2.2
 ping 172.16.3.3
 show crypto isakmp sa
 show crypto engine connections active
 show crypto ipsec sa


R3 Config (Part 1: mGRE Creation)

Part 2: IPSec Creation (mGRE + IPSec = DMVPN)

R1: (Since most of the configuration is the same, it is a good idea to copy it into a text editor, change only the necessary items such as IP addresses, and paste it into Routers 1 and 2.)

Part 2: IPSec:

R2: (Since most of the configuration is the same, it is a good idea to copy it into a text editor, change only the necessary items such as IP addresses, and paste it into Routers 1 and 2.)

IPSec on R2:

CHAPTER 8: Results and Discussion

8.1 VLAN Results & Discussion

Discussion:

Four VLANs have been configured, three of which are connected directly to the router and one of which is reached through the hub. The hub connects three machines, which means those three machines are on the same VLAN. The purpose of the third machine on the hub is simply to transfer large files within the same VLAN and check the performance using the monitoring charts in SDM.

The chart above is for VLAN 3 (connected to the hub); the monitored parameters are packets input/output and bytes input/output, as provided by SDM. It was observed that while a file was being transferred from one machine to another the curve of the graph rose, and when the transfer stopped the curve flattened.


Discussion:

In the following screenshot the monitored measurements for VLAN 3 are bytes input and output and errors input and output. The error input and output counters showed “0” during the transfers.


Discussion:

In the following screenshot the monitored measurement for VLAN 3 is bandwidth utilization. As no external source such as a server is involved, the bandwidth utilization is “0”; a further reason is, of course, that the transfer takes place within the same VLAN.


8.2 DMVPN Results & Discussion

R1 and R2 (Spokes): on Router 1 and Router 2 the “sh ip nhrp” command is applied.

R3: see the following commands and their outputs:
1. sh ip nhrp (both spokes’ mappings are present)
2. sh ip eigrp 123 (the routes are present via DMVPN)
3. ping 172.16.2.2 (the ping is successful via DMVPN)
4. ping 172.16.1.1


R2: see the mappings (sh ip nhrp) and the ping results. Traceroute shows that traffic goes directly through the tunnel (no hops in between).


IPSec is UP on R1:

IPSec is UP on R2:


Conclusion

The main task of the deployment of VLAN and DMVPN is to provide network security to the LAN and the WAN respectively, together with the other beneficial aspects of both technologies. VLANs have the ability to provide additional security that is not available in a shared-media network environment. By nature, a switched network delivers frames only to the intended recipients, and broadcast frames only to other members of the VLAN. This allows the network administrator to segment users requiring access to sensitive information into separate VLANs from the rest of the general user community, regardless of physical location. In addition, monitoring a port with a traffic analyzer will only show the traffic associated with that particular port, making discreet monitoring of network traffic more difficult.

It should be noted that the enhanced security mentioned above is not to be considered an absolute safeguard against security infringements. What it provides is additional safeguards against "casual" but unwelcome attempts to view network traffic.

In this report I have also discussed all the standards and technical components that relate to DMVPN, and concluded that DMVPN should be deployed if the network requires zero-touch provisioning, simplified configuration, multicast, and support for dynamically addressed spokes.


PROJECT PLANNING

Project planning includes two stages:

Initial project planning
Final project planning

Initial project planning

The following Gantt chart shows the initial project planning: the number of days spent on each task is shown using milestones and bars. The red bar shows the completion of all tasks.

Initial Project Plan with respect to Total No. of Days


Final project planning

Below is the final project planning, shown using a pie chart and a table. The final plan shows the number of hours spent on each task in carrying out this project.

ACTION PLAN WITH RESPECT TO TOTAL HOURS     NO. OF HOURS
INTRODUCTION                                 50
INVESTIGATION ON 1800 ROUTER SERIES          60
VLAN                                        150
DMVPN                                       200
TESTING AND DISCUSSION                       50
FURTHER REVISIONS AND CONCLUSION            100
TOTAL NO. OF HOURS                          610

Final Action Plan with respect to Total No. of Hours (pie chart of the same figures)


References

[1] www.ise.gmu.edu/~eschneid/infs612/projects/LAN.pdf

[2] Brent Stewart & Denise Donohue, CCNP BCMSN Quick Reference Sheets, USA, ISBN 978-1-5872-0236-0, pp. 19-20

[3] Todd Lammle, CCNA Study Guide, Sixth Edition, Sybex, USA, 2007, ISBN 0470110082

[4] David Hucaby, CCNP BCMSN Official Exam Certification Guide, Cisco Press, USA, 2007, ISBN 1-58720-171-2

[5] Thayumanavan Sridhar, Future Communications Software, The Internet Protocol Journal, Volume 1 No. 2, pp. 1-2, 1998

[6] Jerry Ryan, Layer 3 Switching: Re-Inventing the Router, The Technology Guide Series, Cisco Press, USA, 1998

[7] www.dataconnection.com/iprouting/iprprotocol.htm

[8] Clare Gough, CCNP BSCI, Cisco Press, USA, 2006, ISBN 1-58720-171-2

[9] Karl Solie, CCIE Practical Studies Volume 1, Cisco Press, USA, 2001, ISBN 1-58720-002-3

[10] Tim Boyles and Dave Hucaby, Cisco CCNP Switching Exam Certification Guide, Cisco Press, USA, 2000, ISBN 1-58720-000-7

[11] www.freesoft.org/CIE/Course/Section3/11.htm

[12] Cisco 1801, 1802 and 1803 Integrated Services Router, Cisco.com, http://www.cisco.com/en/US/products/ps6184/

[13] Cisco 1800 Series Integrated Services Routers Fixed Configuration Models, http://www.cisco.com

[14] Cisco 1805 Integrated Services Router, Cisco.com, http://www.cisco.com/en/US/products/ps9321/

[15] Cisco 1811 Integrated Services Router, Cisco.com, http://www.cisco.com/en/US/products/ps6183/

[16] Cisco 1841 Integrated Services Router, Cisco.com, http://www.cisco.com/en/US/products/ps5875/

[17] Cisco 1861 Integrated Services Router, Cisco.com, http://www.cisco.com/en/US/products/ps8321/

[18] Cisco 1800 family, Cisco.com, http://www.cisco.com/en/US/products/ps5853/

[19] Wendell Odom, CCNA ICND2, Cisco Press, USA, 2007, ISBN 9781-1-58720-181-3

[20] www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113ed_cr/switch_c/xcvlan.pdf

[21] www.en.wikipedia.org/wiki/Dynamic_Multipoint_Virtual_Private_Network

[22] www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftgreips.html#wp1039510

[23] Introduction to DMVPN, Security Technology Group, Cisco Press, USA, 2004

[24] http://blog.internetworkexpert.com/2008/08/02/dmvpn-explained/

[25] www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps6658/DMVPN_Overview.pdf

[26] Wendell Odom, CCNA ICND2, Cisco Press, USA, 2007, ISBN 9781-1-58720-181-3

[27] http://www.javvin.com/protocolNHRP.html

[28] http://en.wikipedia.org/wiki/Generic_Routing_Encapsulation

Appendix


SDM Auto Generate Configuration of VLAN

!This is the running config of the router: 10.10.10.1
!----------------------------------------------------------------------------
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$3QN/$FAx3IV7orGQd4rixJT9bh.
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.0.9
ip dhcp excluded-address 192.168.0.17
ip dhcp excluded-address 192.168.0.25
ip dhcp excluded-address 192.168.0.33
!
ip dhcp pool sdm-pool1
 import all
 network 192.168.0.0 255.255.255.0
 default-router 10.10.10.1
!
ip dhcp pool sdm-pool9
 network 192.168.0.8 255.255.255.248
 default-router 192.168.0.9
!
ip dhcp pool sdm-pool10
 network 192.168.0.16 255.255.255.248
 default-router 192.168.0.17
!
ip dhcp pool sdm-pool11
 network 192.168.0.24 255.255.255.248
 default-router 192.168.0.25
!
ip dhcp pool sdm-pool12
 network 192.168.0.32 255.255.255.248
 default-router 192.168.0.33
!
!
ip tcp synwait-time 10
no ip bootp server
no ip domain lookup
ip domain name yourdomain.com
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
!
crypto pki trustpoint TP-self-signed-2874840234
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2874840234
 revocation-check none
 rsakeypair TP-self-signed-2874840234
!
!
crypto pki certificate chain TP-self-signed-2874840234
 certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32383734 38343032 3334301E 170D3038 30383035 31353136
  35335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 38373438
  34303233 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100D4C9 1200473C 3C60A9C5 3475AFCD 0AB2A85E 6D1757FE C6BBB02E FC3235EB
  4DBC370E 93FC490F EEE088C8 0AD340DE 0F7E4FF8 433484C5 C6AEEB01 183CB5CD
  40689CCC 02BFDFDE 70F01041 75E0DBD3 1FE0AB42 FC387C73 EF37AEBC 1E0E329E
  D77A00A2 509F40E3 B8EE38F7 F2CEF9E6 7DBE213C BFA01FA0 A58B632D 2BA1D514
  6D1D0203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
  551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D
  301F0603 551D2304 18301680 14D6C68A 543EDE81 4F72C5FD 115E2B6B D3F52643
  02301D06 03551D0E 04160414 D6C68A54 3EDE814F 72C5FD11 5E2B6BD3 F5264302
  300D0609 2A864886 F70D0101 04050003 81810011 A0FCEB29 305F006C 57F27435
  286EC0FE 7F8466FB 15974005 B2B19C90 D6174186 DBD71987 1B644C88 437B811B
  CF27D62E 41D54239 E42C470A 7A0BBA71 C09A2E07 39C3798E 3FF42103 79DAD980
  8D45ABB8 1694871A 487B773A D4D3045E DB16716C 1DFF1A6F 4B48E1B6 116FFF10
  1105C042 741C4484 8970E23B 7624D200 0E9505
  quit
username cisco1 privilege 15 secret 5 $1$3Kzc$MyCanrmvgPqTacSRE8H/p0
!
!
interface FastEthernet0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 duplex auto
 speed auto
!
interface BRI0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation hdlc
 ip route-cache flow
 shutdown
!
interface FastEthernet2
!
interface FastEthernet3
 switchport access vlan 2
!
interface FastEthernet4
 switchport access vlan 3
!
interface FastEthernet5
 switchport access vlan 4
!
interface FastEthernet6
 switchport access vlan 5
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Dot11Radio0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
 ip address 192.168.10.1 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Vlan2
 ip address 192.168.0.9 255.255.255.248
 ip nat inside
 ip virtual-reassembly
!
interface Vlan3
 ip address 192.168.0.17 255.255.255.248
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
!
interface Vlan4
 ip address 192.168.0.25 255.255.255.248
 ip nat inside
 ip virtual-reassembly
!
interface Vlan5
 ip address 192.168.0.33 255.255.255.248
 ip nat inside
 ip virtual-reassembly
!
router ospf 500
 log-adjacency-changes
 passive-interface FastEthernet0
 passive-interface FastEthernet1
 passive-interface Vlan1
 passive-interface Vlan2
 passive-interface Vlan3
 passive-interface Vlan4
 passive-interface Vlan5
 network 10.0.0.0 0.255.255.255 area 5
!
router rip
 passive-interface Vlan1
 network 10.0.0.0
 no auto-summary
!
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
logging trap debugging
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 192.168.0.16 0.0.0.7 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny   ip 192.168.0.8 0.0.0.7 any
access-list 101 permit icmp any host 192.168.0.17 echo-reply
access-list 101 permit icmp any host 192.168.0.17 time-exceeded
access-list 101 permit icmp any host 192.168.0.17 unreachable
access-list 101 permit tcp any host 192.168.0.17 eq 443
access-list 101 permit tcp any host 192.168.0.17 eq 22
access-list 101 permit tcp any host 192.168.0.17 eq cmd
access-list 101 permit udp any any eq rip
access-list 101 permit ip any host 224.0.0.9
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
no cdp run
!
!
control-plane
!
banner login ^CAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end

Initial Configuration of DMVPN


For Router 1

enable
configure terminal
!
no ip domain-lookup
line con 0
 logging synchronous
!
hostname R1
!
interface Loopback0
 ip address 11.11.11.11 255.0.0.0
!
interface Loopback11
 ip address 10.11.11.11 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.1.123.1 255.255.255.0
 no shutdown
!
router rip
 version 2
 no auto-summary
 network 11.0.0.0
 network 192.1.123.0
end
write memory

For Router 2

enable
configure terminal
!
no ip domain-lookup
line con 0
 logging synchronous
!
hostname R2
!
interface Loopback0
 ip address 22.22.22.22 255.0.0.0
!
interface Loopback22
 ip address 10.22.22.22 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.1.123.2 255.255.255.0
 no shutdown
!
router rip
 version 2
 no auto-summary
 network 22.0.0.0
 network 192.1.123.0
end
write memory

For Router 3

enable
configure terminal
!
no ip domain-lookup
line con 0
 logging synchronous
!
hostname R3
!
interface Loopback0
 ip address 33.33.33.33 255.0.0.0
!
interface Loopback10
 ip address 10.3.3.3 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.1.123.3 255.255.255.0
 no shutdown
!
router rip
 version 2
 no auto-summary
 network 33.0.0.0
 network 192.1.123.0
end
write memory

Final Configuration of DMVPN


For Router 1

hostname R1
!
logging queue-limit 100
!
memory-size iomem 10
ip subnet-zero
!
!
no ip domain lookup
!
ip audit notify log
ip audit po max-events 100
!
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
crypto isakmp key cciesec address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set t-set esp-3des esp-md5-hmac
!
crypto ipsec profile ABC
 set transform-set t-set
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
mta receive maximum-recipients 0
!
!
!
!
interface Loopback0
 ip address 11.11.11.11 255.0.0.0
!
interface Loopback10
 ip address 10.1.1.1 255.255.255.0
!
interface Loopback15
 ip address 172.16.1.1 255.255.255.0
!
interface Tunnel1
 ip address 172.16.123.1 255.255.255.0
 no ip redirects
 ip mtu 1416
 ip nhrp authentication DMVPN
 ip nhrp map 172.16.123.3 192.1.10.3
 ip nhrp map multicast 192.1.10.3
 ip nhrp network-id 123
 ip nhrp nhs 172.16.123.3
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile ABC
!
interface Ethernet0/0
 ip address 192.1.123.1 255.255.255.0
 half-duplex
!
interface Serial0/0
 no ip address
 shutdown
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
interface Serial0/1
 no ip address
 shutdown
!
router eigrp 123
 network 172.16.0.0
 no auto-summary
!
router rip
 version 2
 network 11.0.0.0
 network 192.1.123.0
 no auto-summary
!
ip http server
no ip http secure-server
ip classless
!
!
!
!
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
!
!
end

For Router 2

hostname R2
!
logging queue-limit 100
!
memory-size iomem 10
ip subnet-zero
!
!
no ip domain lookup
!
ip audit notify log
ip audit po max-events 100
!
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
crypto isakmp key cciesec address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set t-set esp-3des esp-md5-hmac
!
crypto ipsec profile ABC
 set transform-set t-set
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
mta receive maximum-recipients 0
!
!
!
!
interface Loopback0
 ip address 22.22.22.22 255.0.0.0
!
interface Loopback10
 ip address 192.1.2.2 255.255.255.0
!
interface Loopback15
 ip address 172.16.2.2 255.255.255.0
!
interface Tunnel1
 ip address 172.16.123.2 255.255.255.0
 no ip redirects
 ip mtu 1416
 ip nhrp authentication DMVPN
 ip nhrp map 172.16.123.3 192.1.10.3
 ip nhrp map multicast 192.1.10.3
 ip nhrp network-id 123
 ip nhrp nhs 172.16.123.3
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile ABC
!
interface Ethernet0/0
 ip address 192.1.123.2 255.255.255.0
 half-duplex
!
interface Serial0/0
 no ip address
 shutdown
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
interface Serial0/1
 no ip address
 shutdown
!
router eigrp 123
 network 172.16.0.0
 no auto-summary
!
router rip
 version 2
 network 22.0.0.0
 network 192.1.123.0
 no auto-summary
!
ip http server
no ip http secure-server
ip classless
!
!
!
!
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
!
!
end

For Router 3

hostname R3
!
logging queue-limit 100
!
memory-size iomem 10
ip subnet-zero
!
!
no ip domain lookup
!
ip audit notify log
ip audit po max-events 100
!
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
crypto isakmp key cciesec address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set t-set esp-3des esp-md5-hmac
!
crypto ipsec profile ABC
 set transform-set t-set
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
mta receive maximum-recipients 0
!
!
!
!
interface Loopback0
 ip address 33.33.33.33 255.0.0.0
!
interface Loopback10
 ip address 10.3.3.3 255.255.255.0
!
interface Loopback15
 ip address 172.16.3.3 255.255.255.0
!
interface Tunnel1
 ip address 172.16.123.3 255.255.255.0
 no ip redirects
 ip mtu 1416
 ip nhrp authentication DMVPN
 ip nhrp map multicast dynamic
 ip nhrp network-id 123
 no ip split-horizon eigrp 123
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile ABC
!
interface Ethernet0/0
 ip address 192.1.10.3 255.255.255.0
 half-duplex
!
interface Serial0/0
 no ip address
 shutdown
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
router rip
 version 2
 no auto-summary
 network 33.0.0.0
 network 192.1.123.0
!
router eigrp 123
 network 172.16.0.0
 no auto-summary
!
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 192.1.10.10
!
!
!
!
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 login
!
!
end
