Router A

gascitytank - Networks and Communications

28 Oct 2013

95 views

Agenda

- VPN tunnels
- Configuration of basic core network components
- Maintenance of Cisco devices
- Exercises & troubleshooting

Abbreviations

AP - Access Point
AH - Authentication Header
AZR - Access Zone Router
AGR - Aggregation Router
AG - Access Gateway (e.g. Cisco SSG, Juniper ERX)
CSA - Central Site Area
DHCP - Dynamic Host Configuration Protocol
DMVPN - Dynamic Multipoint IPsec Virtual Private Network
EIGRP - Enhanced Interior Gateway Routing Protocol
ESP - Encapsulating Security Payload
GRE - Generic Routing Encapsulation
HSA - Hotspot Area
IKE - Internet Key Exchange
IPSec - Internet Protocol Security
NHRP - Next Hop Resolution Protocol
OSPF - Open Shortest Path First (Routing Protocol)
PPTP - Point-To-Point Tunneling Protocol
SSG - Service Selection Gateway
VPN - Virtual Private Network


AGR - Aggregation Router

Interfaces
- interface to AGR (connections to more than one AGR are possible) - a GRE tunnel with IPSec is configured over this link
- interface to APs - typically Ethernet
- loopback

Routing
- The AGR participates in a dynamic routing protocol.
- The following networks shall be advertised:
  - all networks to AZRs
  - network to AG (SSG)
  - network to management network
  - network to other AGRs if such a connection is realized
- Default gateway shall be set on SSG in central configuration or on WIP in decentral configuration

Multipoint IPsec
- AGR may work as a hub in DMVPN (Dynamic Multipoint VPN) configuration



AZR - Access Zone Router

Interfaces
- interface to AGR (connections to more than one AGR are possible) - a GRE tunnel with IPSec is configured over this link
- interface to APs - typically Ethernet
- loopback

Routing
- The AZR participates in a dynamic routing protocol.
- The following networks shall be advertised:
  - network(s) to AGR(s)
  - networks to APs
- Default gateway shall be set on AGR, or on the AGRs in case of multiple connections

Multipoint IPsec
- AZR may work as a spoke in DMVPN (Dynamic Multipoint VPN) configuration



DHCP

DHCP (Dynamic Host Configuration Protocol) is an open, industry-standard protocol that reduces the complexity of administering networks based on TCP/IP.

All DHCP messages are carried in User Datagram Protocol (UDP). Datagrams use port 67 at the server and port 68 at the client.

DHCP Request for an IP Address (figure)

DHCP Benefits to TCP/IP Network Administrators
- Simplifies problems associated with manual addressing
- Centralized administration of IP configuration
- Dynamic host configuration
- Seamless IP host configuration
- Flexibility
- Scalability


Configuring DHCP on Cisco router

Enabling the Cisco IOS DHCP Server and Relay Agent Features
Router(config)# service dhcp

Excluding IP Addresses
Router(config)# ip dhcp excluded-address low-address [high-address]

Configuring the DHCP Address Pool Name and Entering DHCP Pool Configuration Mode
Router(config)# ip dhcp pool name

Configuring the DHCP Address Pool Subnet and Mask
Router(dhcp-config)# network network-number [mask | /prefix-length]

Configuring the Domain Name for the Client
Router(dhcp-config)# domain-name domain

Configuring the IP Domain Name System Servers for the Client
Router(dhcp-config)# dns-server address [address2 ... address8]

Configuring the Default Router for the Client
Router(dhcp-config)# default-router address [address2 ... address8]

Configuring the Address Lease Time
Router(dhcp-config)# lease {days [hours] [minutes] | infinite}



Example of DHCP configuration on Cisco router

ip dhcp excluded-address 10.100.1.1 10.100.1.30
!
ip dhcp pool ZONE1
 network 10.100.1.0 255.255.255.0
 default-router 10.100.1.1
 domain-name domain.i250
 dns-server 192.168.201.2
!
interface FastEthernet0/1
 ip address 10.100.1.1 255.255.255.0
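To show what the ZONE1 pool above actually hands out, here is an added Python model of an IOS DHCP pool (example code written for this page, not from the slides or from Cisco): excluded-address ranges that are never offered, bindings with a lease time, conflict addresses set aside as `show ip dhcp conflict` would list them, and the options (default-router, dns-server, domain-name) returned to the client. The `DhcpPool` class and its method names are this example's own, and the one-day lease is the IOS default.

```python
"""Model of an IOS DHCP pool, built from the slide's ZONE1 example.

Constructed example, not code from the original slides. Each IOS pool
command is modelled as a Python call carrying the same parameters.
"""
import ipaddress
import time
from dataclasses import dataclass


@dataclass
class Lease:
    ip: str
    mac: str
    expires: float  # unix time; float('inf') models 'lease infinite'


class DhcpPool:
    """Allocates addresses from a subnet, honouring 'ip dhcp excluded-address'."""

    def __init__(self, name, network, default_router=None, dns_servers=(),
                 domain_name=None, lease_seconds=86400):
        self.name = name
        self.network = ipaddress.ip_network(network)
        self.default_router = default_router
        self.dns_servers = list(dns_servers)
        self.domain_name = domain_name
        self.lease_seconds = lease_seconds      # None models 'lease infinite'
        self.excluded = set()
        self.leases = {}        # mac -> Lease, like 'show ip dhcp binding'
        self.conflicts = set()  # like 'show ip dhcp conflict'

    def exclude(self, low, high=None):
        """ip dhcp excluded-address low [high]: never hand these addresses out."""
        addr = ipaddress.ip_address(low)
        hi = ipaddress.ip_address(high) if high else addr
        while addr <= hi:
            self.excluded.add(addr)
            addr += 1

    def _in_use(self, now):
        return {ipaddress.ip_address(l.ip) for l in self.leases.values() if l.expires > now}

    def offer(self, mac, now=None):
        """Return the address offered to 'mac', reusing an unexpired binding."""
        now = time.time() if now is None else now
        lease = self.leases.get(mac)
        if lease and lease.expires > now:
            return lease.ip
        used = self._in_use(now)
        for host in self.network.hosts():  # hosts() skips network and broadcast
            if host in self.excluded or host in used or host in self.conflicts:
                continue
            expires = float('inf') if self.lease_seconds is None else now + self.lease_seconds
            self.leases[mac] = Lease(str(host), mac, expires)
            return str(host)
        raise RuntimeError(f"pool {self.name} exhausted")

    def mark_conflict(self, ip):
        """An unassigned address answered a probe: set it aside until cleared."""
        self.conflicts.add(ipaddress.ip_address(ip))

    def options(self):
        """The options a client receives together with its address."""
        return {"router": self.default_router, "dns": self.dns_servers,
                "domain": self.domain_name}


def zone1_pool():
    """Build the slide's ZONE1 pool: 10.100.1.0/24 with .1-.30 excluded."""
    pool = DhcpPool("ZONE1", "10.100.1.0/24", default_router="10.100.1.1",
                    dns_servers=["192.168.201.2"], domain_name="domain.i250")
    pool.exclude("10.100.1.1", "10.100.1.30")
    return pool
```

Because the router's own address 10.100.1.1 lies inside the excluded range, the first client receives 10.100.1.31; an expired binding becomes reusable for the next client.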

DHCP troubleshooting

Router# show ip dhcp binding
Router# show ip dhcp server statistics
Router# show ip dhcp conflict [address]
Router# clear ip dhcp binding {address | *}
Router# clear ip dhcp conflict {address | *}
Router# clear ip dhcp server statistics
Router# debug ip dhcp server {events | packets | linkage}



Exercise
1. Configure DHCP server on AZR
2. Check if client gets IP address from DHCP server

Routing

Static Routing

Advantages:
- Simple to configure and maintain
- Secure, as only defined routes can be accessed
- Bandwidth is not used for sending routing updates

Disadvantages:
- Manual update of routes after network changes
- Explicit addition of routes for all networks

Dynamic Routing
- EIGRP
- OSPF

Configuring static routing on Cisco devices

ip route <destination network address> <destination network mask> <next hop>

Router A
ip route 192.168.1.0 255.255.255.0 172.16.1.2

Router B
ip route 10.1.1.0 255.255.255.0 172.16.1.1

Router C
ip route 10.1.1.0 255.255.255.0 172.16.2.1

Exercise
1. Configure static routing on AZR, AGR and SSG
2. Check if client can access (ping) AZR, AGR, SSG

Configuring dynamic routing on Cisco devices - EIGRP

Router A
router eigrp 1
 network 172.16.1.0 0.0.0.3
 network 172.16.2.0 0.0.0.3
 network 10.1.1.0 0.0.0.255
 no auto-summary

Router B
router eigrp 1
 network 172.16.1.0 0.0.0.3
 network 10.1.1.0 0.0.0.255
 no auto-summary

Router C
router eigrp 1
 network 172.16.2.0 0.0.0.3
 network 10.1.1.0 0.0.0.255
 no auto-summary

Configuring dynamic routing on Cisco devices - OSPF

Router A
router ospf 10
 network 172.16.1.0 0.0.0.3 area 0
 network 172.16.2.0 0.0.0.3 area 0
 network 10.1.1.0 0.0.0.255 area 0

Router B
router ospf 100
 network 172.16.1.0 0.0.0.3 area 0
 network 10.1.1.0 0.0.0.255 area 0

Router C
router ospf 1
 network 172.16.2.0 0.0.0.3 area 0
 network 10.1.1.0 0.0.0.255 area 0
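Added Python example (not from the slides) covering both configuration forms shown above: it parses `ip route` statements into a table and resolves a destination by longest prefix match, which is the rule a router applies when several routes overlap, and it turns a subnet into the `network <address> <wildcard>` statement that EIGRP and OSPF expect, the wildcard mask being the bitwise inverse of the subnet mask. The routes are Router A's from the static-routing slide; the default route added to them is constructed for the example.

```python
"""Longest-prefix-match over 'ip route' statements, plus the wildcard masks
used by EIGRP/OSPF 'network' statements.

Constructed example, not code from the slides."""
import ipaddress


def parse_ip_route(line):
    """'ip route <net> <mask> <next-hop>' -> (IPv4Network, next_hop)."""
    parts = line.split()
    if len(parts) != 5 or parts[:2] != ["ip", "route"]:
        raise ValueError(f"not an ip route statement: {line!r}")
    network = ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False)
    return network, parts[4]


def build_table(config_lines):
    """Static routing table as [(network, next_hop)], most specific prefix first."""
    table = [parse_ip_route(l) for l in config_lines if l.strip().startswith("ip route")]
    table.sort(key=lambda route: route[0].prefixlen, reverse=True)
    return table


def lookup(table, destination):
    """Next hop for destination, or None when no route matches.

    The default route 0.0.0.0/0 has prefix length 0 and therefore sorts last,
    so it is only used when no more specific route covers the destination."""
    dst = ipaddress.ip_address(destination)
    for network, next_hop in table:
        if dst in network:
            return next_hop
    return None


def wildcard_statement(cidr, protocol="eigrp", area=0):
    """Subnet -> 'network <addr> <wildcard>[ area <n>]' as written on the slides.

    A wildcard mask is the inverse of the subnet mask: 0 bits must match,
    1 bits are ignored, so /30 becomes 0.0.0.3 and /24 becomes 0.0.0.255."""
    net = ipaddress.ip_network(cidr, strict=False)
    stmt = f"network {net.network_address} {net.hostmask}"
    return stmt if protocol == "eigrp" else f"{stmt} area {area}"


# Router A's static route from the slide, plus a constructed default route
ROUTER_A = [
    "ip route 192.168.1.0 255.255.255.0 172.16.1.2",
    "ip route 0.0.0.0 0.0.0.0 172.16.2.2",   # constructed, not on the slide
]
```

`lookup(build_table(ROUTER_A), "192.168.1.77")` returns the next hop of the /24 route even though the default route also matches, because the table is consulted most-specific first.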




Exercise
1. Configure dynamic routing (EIGRP) on AZR, AGR and SSG
2. Check if client can access (ping) AZR, AGR, SSG
3. Configure dynamic routing (OSPF) on AZR, AGR and SSG
4. Check if client can access (ping) AZR, AGR, SSG

VPN - Virtual Private Network
GRE - Generic Routing Encapsulation
PPTP - Point-to-Point Tunneling Protocol

Types of VPNs

Secure VPNs - secure VPN protocols include the following:
- IPsec
- SSL
- PPTP
- L2TP
- L2TPv3

Trusted VPNs
- MPLS
- L2F

IPSec Functions

- data confidentiality (encryption)
- data integrity (verification)
- origin authentication (authenticating the source of the packet)
- verification that each packet is unique (not duplicated)
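The last function, verifying that each packet is unique, is ESP's anti-replay service. The following is an added Python implementation of the sliding-window check described in RFC 4303 section 3.4.3 (example code written for this page, not from the slides): a 64-entry window over ESP sequence numbers accepts a packet once, rejects a duplicate, and rejects a packet that has fallen behind the window. In a real ESP implementation the window is only updated after the ICV has been verified, so a forged packet cannot move it.

```python
"""ESP anti-replay sliding window (RFC 4303 section 3.4.3).

Constructed example, not code from the slides."""


class AntiReplayWindow:
    """Accept each sequence number at most once; reject numbers more than
    window_size behind the highest number accepted so far."""

    def __init__(self, window_size=64):
        if window_size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32")
        self.window_size = window_size
        self.highest = 0     # highest sequence number accepted so far
        self.bitmap = 0      # bit i set => sequence number (highest - i) was seen

    def check_and_update(self, seq):
        """Return True and record seq if it is new; False for a replay or an
        old packet. Call this only after the packet's ICV has verified."""
        if seq == 0:
            return False     # a sender never uses sequence number 0
        if seq > self.highest:
            shift = seq - self.highest
            if shift < self.window_size:
                mask = (1 << self.window_size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            else:
                self.bitmap = 1  # jumped past the whole window: only seq is seen
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.window_size:
            return False     # older than the window: cannot be distinguished from a replay
        if self.bitmap & (1 << offset):
            return False     # already seen: replay
        self.bitmap |= 1 << offset
        return True


def replay_simulation(sequence):
    """Feed a constructed list of sequence numbers and report which were accepted."""
    window = AntiReplayWindow()
    return [window.check_and_update(s) for s in sequence]
```

Out-of-order delivery inside the window is tolerated (3 then 2 are both accepted), a repeated number is rejected, and after a jump to 100 anything at or below 36 is treated as too old.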

Type of Encryption

symmetric
- DES
- 3DES
- HMAC-Message Digest 5 (MD5)
- HMAC-SHA

asymmetric
- Rivest, Shamir, and Adleman (RSA)

Type of Authentication

- Pre-shared keys
- RSA signatures
- RSA encrypted nonces

IPSec Protocols (figure)

IPSec Modes (figure)

VPN (DMVPN) (figure)

GRE/IPsec (figure)

Standards (Cisco IOS IPSec)

- IPSec (RFCs 2401-2410)
- IPSec Encapsulating Security Payload (ESP) using DES/3DES (RFC 2406)
- IPSec Authentication Header (AH) using MD5 or SHA (RFCs 2403-2404)
- Internet Key Exchange (IKE) (RFCs 2407-2409)


IPsec/GRE Example (basic)

Phase I (IKE Policy)

Topology (figure): AZR Fa0/1 192.168.6.2 --- Internet --- Fa0/0 192.168.5.1 AGR. Tunnel 192.168.10.0/30: AZR tunnel 10 192.168.10.2/30, AGR tunnel 10 192.168.10.1/30.

AZR:
crypto isakmp policy 1
 authentication pre-share
 hash md5
 encryption 3des
crypto isakmp key Cisco123 address 192.168.5.1

AGR:
crypto isakmp policy 1
 authentication pre-share
 hash md5
 encryption 3des
crypto isakmp key Cisco123 address 192.168.6.2



IPsec/GRE Example (basic)

Phase II (IPsec Policy)

(same topology as in Phase I)

AZR:
crypto ipsec transform-set name1 esp-3des esp-md5-hmac
 mode transport
access-list 110 permit gre host 192.168.6.2 host 192.168.5.1

AGR:
crypto ipsec transform-set name1 esp-3des esp-md5-hmac
 mode transport
access-list 110 permit gre host 192.168.5.1 host 192.168.6.2





IPsec/GRE Example (basic)

Phase II (IPsec Policy)

(same topology as in Phase I)

AZR:
crypto map map1 local-address FastEthernet0/1
crypto map map1 10 ipsec-isakmp
 set peer 192.168.5.1
 match address 110
 set transform-set name1

AGR:
crypto map map1 local-address FastEthernet0/0
crypto map map1 10 ipsec-isakmp
 set peer 192.168.6.2
 match address 110
 set transform-set name1

IPsec/GRE Example (basic)

Phase III (tunnel)

(same topology as in Phase I)

AZR:
interface tunnel 10
 ip address 192.168.10.2 255.255.255.252
 tunnel source FastEthernet0/1
 tunnel destination 192.168.5.1
 ip mtu 1440
 crypto map map1
interface FastEthernet0/1
 ip address 192.168.6.2 255.255.255.0
 crypto map map1
router eigrp 1
 network 192.168.10.0 0.0.0.3
 no auto-summary

AGR:
interface tunnel 10
 ip address 192.168.10.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 192.168.6.2
 ip mtu 1440
 crypto map map1
interface FastEthernet0/0
 ip address 192.168.5.1 255.255.255.0
 crypto map map1
router eigrp 1
 network 192.168.10.0 0.0.0.3
 no auto-summary

Exercise
1. Configure static IPSec/GRE tunnel between AZR and AGR
2. Check if wired client can access (ping) AGR, SSG via VPN tunnel

IPsec/GRE Example (DMVPN)

Phase I (IKE Policy)

Topology (figure): AZR (spoke) Fa0/1 192.168.6.2 --- Internet --- Fa0/0 192.168.5.1 AGR (hub). Tunnel 192.168.10.0/30: AZR tunnel 0 192.168.10.2/24, AGR tunnel 0 192.168.10.1/24.

AZR (spoke):
crypto isakmp policy 1
 authentication pre-share
 hash md5
 encryption 3des
crypto isakmp key Cisco123 address 0.0.0.0 0.0.0.0

AGR (hub):
crypto isakmp policy 1
 authentication pre-share
 hash md5
 encryption 3des
crypto isakmp key Cisco123 address 0.0.0.0 0.0.0.0
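Added example (written for this page, not from the slides or from Cisco): a Python audit of the IKE/IPsec lines used in the basic and DMVPN examples, reporting what a configuration reviewer would raise against them. It flags MD5 and 3DES in the ISAKMP policy and in the transform-set, a pre-shared key stored in clear text in the configuration (it travels with every `copy run tftp`), the wildcard `address 0.0.0.0 0.0.0.0` key that every peer shares, and a policy without a `group` line. The IOS defaults assumed for missing policy lines (DES, SHA-1, Diffie-Hellman group 1) are the classic IOS ISAKMP defaults; the "legacy" classification of DES, 3DES, MD5 and SHA-1 follows Cisco's next-generation encryption guidance. The sample input is the hub's configuration from this slide and the transform-set from the next one.

```python
"""Audit Cisco IOS IKE/IPsec settings the way a configuration reviewer would.

Constructed example, not code from the slides."""
import re

POLICY_SUBCOMMANDS = {"authentication", "hash", "encryption", "group", "lifetime"}
LEGACY_HASHES = {"md5", "sha"}        # 'hash sha' in IOS means SHA-1
LEGACY_CIPHERS = {"des", "3des"}
LEGACY_DH_GROUPS = {"1", "2", "5"}    # 768-, 1024- and 1536-bit MODP
# Classic IOS defaults applied when a policy omits the line (assumption noted in the lead-in)
IOS_DEFAULTS = {"hash": "sha", "encryption": "des", "group": "1"}


def audit_crypto_config(config_text):
    """Return [(line_number, finding), ...] for an IOS configuration fragment."""
    findings = []
    policies = {}       # isakmp policy number -> {"line": n, <sub-command>: <value>}
    current = None
    for num, raw in enumerate(config_text.splitlines(), 1):
        tokens = raw.split()
        if not tokens or tokens[0] == "!":
            continue
        m = re.match(r"\s*crypto isakmp policy (\d+)", raw)
        if m:
            current = policies.setdefault(m.group(1), {"line": num})
            continue
        if current is not None and tokens[0] in POLICY_SUBCOMMANDS:
            current[tokens[0]] = tokens[1] if len(tokens) > 1 else ""
            continue
        current = None   # any other command ends the policy block
        line = " ".join(tokens)
        if line.startswith("crypto isakmp key"):
            # crypto isakmp key <secret> address <peer-address> [<mask>]
            findings.append((num, "pre-shared key stored in clear text in the configuration"))
            if "address" in tokens:
                idx = tokens.index("address")
                if idx + 1 < len(tokens) and tokens[idx + 1] == "0.0.0.0":
                    findings.append((num, "wildcard pre-shared key (address 0.0.0.0 0.0.0.0): "
                                          "one secret shared by every peer"))
        elif line.startswith("crypto ipsec transform-set"):
            # crypto ipsec transform-set <name> <transform> [<transform> ...]
            for transform in tokens[4:]:
                alg = transform.replace("esp-", "").replace("-hmac", "")
                if alg in LEGACY_CIPHERS or alg in LEGACY_HASHES:
                    findings.append((num, f"transform-set uses legacy transform {transform}"))
    for number, attrs in policies.items():
        where = attrs["line"]
        h = attrs.get("hash", IOS_DEFAULTS["hash"])
        e = attrs.get("encryption", IOS_DEFAULTS["encryption"])
        g = attrs.get("group", IOS_DEFAULTS["group"])
        if h in LEGACY_HASHES:
            findings.append((where, f"isakmp policy {number}: legacy hash {h}"))
        if e in LEGACY_CIPHERS:
            findings.append((where, f"isakmp policy {number}: legacy encryption {e}"))
        if g in LEGACY_DH_GROUPS:
            findings.append((where, f"isakmp policy {number}: DH group {g}"
                                    + (" (IOS default, no 'group' line)" if "group" not in attrs else "")))
    return findings


# Sample input: the slide's DMVPN hub (AGR) IKE policy and transform-set
HUB_CONFIG = """\
crypto isakmp policy 1
 authentication pre-share
 hash md5
 encryption 3des
crypto isakmp key Cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set name1 esp-3des esp-md5-hmac
 mode transport
"""
```

Running `audit_crypto_config(HUB_CONFIG)` yields seven findings for the hub; a policy using AES, SHA-256 and group 14 with per-peer keys produces none.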



IPsec/GRE Example (DMVPN)

Phase II (IPsec Policy)

(same topology as in DMVPN Phase I)

AZR (spoke):
crypto ipsec transform-set name1 esp-3des esp-md5-hmac
 mode transport
crypto ipsec profile bwsvpnprofile1
 set transform-set name1

AGR (hub):
crypto ipsec transform-set name1 esp-3des esp-md5-hmac
 mode transport
crypto ipsec profile bwsvpnprofile1
 set transform-set name1





IPsec/GRE Example (DMVPN)

Phase III (tunnel)

(same topology as in DMVPN Phase I)

AZR (spoke):
interface tunnel 0
 ip address 192.168.10.2 255.255.255.0
 ip mtu 1400
 ip nhrp authentication ciscokey
 ip nhrp map 192.168.10.1 192.168.5.1
 ip nhrp network-id 1
 ip nhrp holdtime 300
 ip nhrp nhs 192.168.10.1
 tunnel source FastEthernet0/1
 tunnel destination 192.168.5.1
 tunnel key 0
 tunnel protection ipsec profile bwsvpnprofile1

AGR (hub):
interface tunnel 0
 ip address 192.168.10.1 255.255.255.0
 ip mtu 1400
 ip nhrp authentication ciscokey
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp holdtime 600
 no ip split-horizon eigrp 1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile bwsvpnprofile1




IPsec/GRE Example (DMVPN)

Phase III (interfaces)

(same topology as in DMVPN Phase I)

AGR (hub):
interface FastEthernet0/0
 ip address 192.168.5.1 255.255.255.0
router eigrp 1
 network 192.168.10.0 0.0.0.255
 no auto-summary

AZR (spoke):
interface FastEthernet0/1
 ip address 192.168.6.2 255.255.255.0
router eigrp 1
 network 192.168.10.0 0.0.0.255
 no auto-summary





IPsec/GRE troubleshooting

Router# show ip nhrp
Router# show ip interface
Router# show crypto isakmp sa
Router# show crypto ipsec sa
Router# show crypto ipsec sa detail
Router# show crypto map
Router# show crypto engine connection active
Router# show ip route
Router# debug crypto isakmp
Router# debug crypto ipsec
Router# debug crypto engine


Exercise
1. Configure dynamic IPSec/GRE tunnel (DMVPN) between AZR and AGR
2. Check if wired client can access (ping) AGR, SSG via VPN tunnel

MTU configuration on interface

Router(config)# access-list 101 permit udp any any
Router(config)# route-map clear-df permit 10
Router(config-route-map)# match ip address 101
Router(config-route-map)# set ip df 0
Router(config-route-map)# end

Router(config)# interface FastEthernet0/0
Router(config-if)# ip address 192.168.10.1 255.255.255.0
Router(config-if)# ip policy route-map clear-df
Router(config-if)# ip mtu 1400
Router(config-if)# end
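The `ip mtu 1440` and `ip mtu 1400` values on the tunnel interfaces have to leave room for the GRE and ESP headers on a 1500-byte link; otherwise the protected packet is fragmented or, when the DF bit is set, dropped, which is what the clear-df route-map above works around for UDP. The following added Python example (not from the slides) computes the worst-case wire size of a GRE packet protected by ESP in transport mode with `esp-3des esp-md5-hmac`, the page's transform-set. Header sizes are this example's assumptions: outer IPv4 20 bytes, GRE 4 bytes plus 4 when `tunnel key` is configured, ESP header 8 bytes, 3DES-CBC IV 8 bytes, ESP trailer 2 bytes plus padding to an 8-byte boundary, and a 12-byte HMAC-MD5-96 ICV.

```python
"""Worst-case on-the-wire size of GRE over ESP (transport mode) and the
largest 'ip mtu' that still fits a 1500-byte physical MTU.

Constructed example, not code from the slides. Header sizes are assumptions
for the 'esp-3des esp-md5-hmac' transform-set in transport mode."""

OUTER_IP = 20        # IPv4 header without options
GRE_BASE = 4         # GRE header with no optional fields
GRE_KEY = 4          # extra key field when 'tunnel key' is configured
ESP_HEADER = 8       # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header
PHYSICAL_MTU = 1500


def esp_transport_size(inner_len, tunnel_key=False, block=8, iv=8, icv=12):
    """Bytes on the wire for an inner IP packet of inner_len bytes carried in
    GRE and protected by ESP in transport mode.

    In transport mode ESP sits between the outer IP header and the GRE
    header, so GRE header + inner packet + trailer is the encrypted part and
    must be padded to the cipher block size (8 bytes for 3DES-CBC)."""
    gre = GRE_BASE + (GRE_KEY if tunnel_key else 0)
    plaintext = gre + inner_len + ESP_TRAILER
    padded = -(-plaintext // block) * block     # round up to a whole block
    return OUTER_IP + ESP_HEADER + iv + padded + icv


def fits(ip_mtu, tunnel_key=False, physical_mtu=PHYSICAL_MTU):
    """True when a full-size packet of ip_mtu bytes never needs fragmentation."""
    return esp_transport_size(ip_mtu, tunnel_key) <= physical_mtu


def max_ip_mtu(tunnel_key=False, physical_mtu=PHYSICAL_MTU):
    """Largest 'ip mtu' whose worst case still fits physical_mtu."""
    mtu = physical_mtu
    while esp_transport_size(mtu, tunnel_key) > physical_mtu:
        mtu -= 1
    return mtu
```

With these sizes, 1440 fits without a tunnel key (1496 bytes on the wire) but overshoots 1500 once the 4-byte key field is present, which is why the DMVPN example, which configures `tunnel key 0`, drops to 1400.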


Maintenance of Cisco devices

Copying the Configuration to a TFTP Server

Router# copy run tftp
Address or name of remote host []? 192.168.1.1
Destination filename [router-confg]? run-confg
!!
486 bytes copied in 12.2 secs (40 bytes/sec)
Router#

Restoring the Configuration from TFTP Server

Router# copy tftp run
Address or name of remote host []? 192.168.1.1
Source filename []? run-confg
Destination filename [running-config]? [Enter]
Accessing tftp://192.168.1.1/run-confg...
Loading run-confg from 192.168.1.1 (via FastEthernet0/1): !!
[OK - 486/4096 bytes]
486 bytes copied in 5.3 secs (99 bytes/sec)
Router#

Exercises & troubleshooting

1. Design and connect your own network
2. Configure DHCP Server on AZR
3. Configure AZR, AGR, routing and VPN tunnel between AZR and AGR
4. Configure Cisco Access Point
5. Test your configuration

This exercise assumes that SSG and WI@ were correctly configured before.