Transcript Router A

Agenda
• VPN tunnels
• Configuration of basic core network components
• Maintenance of Cisco devices
• Exercises & troubleshooting
Abbreviations
• AP – Access Point
• AH – Authentication Header
• AZR – Access Zone Router
• AGR – Aggregation Router
• AG – Access Gateway (e.g. Cisco SSG, Juniper ERX)
• CSA – Central Site Area
• DHCP – Dynamic Host Configuration Protocol
• DMVPN – Dynamic Multipoint IPsec Virtual Private Network
• EIGRP – Enhanced Interior Gateway Routing Protocol
• ESP – Encapsulating Security Payload
• GRE – Generic Routing Encapsulation
• HSA – Hotspot Area
• IKE – Internet Key Exchange
• IPsec – Internet Protocol Security
• NHRP – Next Hop Resolution Protocol
• OSPF – Open Shortest Path First (Routing Protocol)
• PPTP – Point-To-Point Tunneling Protocol
• SSG – Service Selection Gateway
• VPN – Virtual Private Network
AGR - Aggregation Router
• Interfaces
– interface towards the AZRs (a connection to more than one peer AGR is also possible) - a GRE tunnel with IPsec is configured over this link
– interface to the AG (SSG) - typically Ethernet
– loopback
• Routing
– The AGR participates in the dynamic routing protocol.
– The following networks shall be advertised:
• all networks to AZRs
• network to AG (SSG)
• network to management network
• network to other AGRs if such connection is realized
– Default gateway shall be set on SSG in central configuration or on WIP in decentral configuration
• Multipoint IPsec
– AGR may work as a hub in DMVPN (Dynamic Multipoint VPN) configuration
AZR - Access Zone Router
• Interfaces
– interface to AGR (connections to more than one AGR are possible) - a GRE tunnel with IPsec is configured over this link
– interface to APs - typically Ethernet
– loopback
• Routing
– The AZR participates in the dynamic routing protocol.
– The following networks shall be advertised:
• network(s) to AGR(s)
• networks to APs
– Default gateway shall be set on the AGR, or on the AGRs in case of multiple connections
• Multipoint IPsec
– AZR may work as a spoke in DMVPN (Dynamic Multipoint VPN) configuration
DHCP
• DHCP (Dynamic Host Configuration Protocol) is an open, industry-standard protocol that reduces the complexity of administering networks based on TCP/IP.
• All DHCP messages are carried in User Datagram Protocol (UDP). Datagrams use port 67 at the server and 68 at the client.
• DHCP request for an IP address (host and Cisco router acting as DHCP server, here the AZR):
1. DHCPDISCOVER (broadcast) - the host looks for a server
2. DHCPOFFER (unicast) - the server proposes an address and options
3. DHCPREQUEST (broadcast) - the host accepts one offer
4. DHCPACK (unicast) - the server confirms the lease
Nothing in this exchange authenticates the server: whichever device answers the DISCOVER first is accepted by the host.
DHCP benefits to TCP/IP network administrators
• Simplifies problems associated with manual addressing
• Centralized administration of IP configuration
• Dynamic host configuration
• Seamless IP host configuration
• Flexibility
• Scalability
Configuring DHCP on Cisco router
• Enabling the Cisco IOS DHCP server and relay agent features (on by default; only needed if it was turned off with no service dhcp)
Router (config)# service dhcp
• Excluding IP addresses from dynamic assignment (the router's own address and any statically assigned hosts)
Router (config)# ip dhcp excluded-address low-address [high-address]
• Configuring the DHCP address pool name and entering DHCP pool configuration mode
Router (config)# ip dhcp pool name
• Configuring the DHCP address pool subnet and mask
Router (dhcp-config)# network network-number [mask | /prefix-length]
• Configuring the domain name for the client
Router (dhcp-config)# domain-name domain
• Configuring the IP Domain Name System servers for the client
Router (dhcp-config)# dns-server address [address2 ... address8]
• Configuring the default router for the client
Router (dhcp-config)# default-router address [address2 ... address8]
• Configuring the address lease time
Router (dhcp-config)# lease {days [hours] [minutes] | infinite}
Example of DHCP configuration on Cisco router
ip dhcp excluded-address 10.100.1.1 10.100.1.30
!
ip dhcp pool ZONE1
 network 10.100.1.0 255.255.255.0
 default-router 10.100.1.1
 domain-name domain.i250
 dns-server 192.168.201.2
!
interface FastEthernet0/1
 ip address 10.100.1.1 255.255.255.0
The excluded range keeps the router's own address 10.100.1.1 and the rest of .1 to .30 out of the dynamic pool, so the first lease handed out is 10.100.1.31. No lease line is given, so the IOS default of one day applies.
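As an added example (not code from the original course material), the following Python models the four-message exchange from the DHCP slide against the ZONE1 pool configured above: an allocator with the semantics of network plus ip dhcp excluded-address, RFC 2131 frame encoding and decoding, and a server that only acknowledges an address it actually offered. The client MACs are constructed; the one-day lease is an assumption matching the IOS default.

```python
"""Model of the DHCP DISCOVER/OFFER/REQUEST/ACK exchange for the ZONE1 pool."""
import ipaddress
import struct

# Pool parameters taken from the page's ZONE1 example. The lease length is an
# assumption (Cisco IOS hands out one-day leases when no 'lease' line is set).
NETWORK = ipaddress.ip_network("10.100.1.0/24")
EXCLUDED = (ipaddress.ip_address("10.100.1.1"), ipaddress.ip_address("10.100.1.30"))
ROUTER, DNS, DOMAIN, LEASE_SECS = "10.100.1.1", "192.168.201.2", "domain.i250", 86400
MAGIC = b"\x63\x82\x53\x63"                        # RFC 2131 option-field cookie
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6  # DHCP message types (option 53)


class DhcpPool:
    """Allocator with the semantics of 'network' plus 'ip dhcp excluded-address'."""

    def __init__(self):
        self.bindings = {}  # client MAC -> leased address, cf. 'show ip dhcp binding'

    def allocate(self, mac):
        if mac in self.bindings:              # a known client keeps its address
            return self.bindings[mac]
        for host in NETWORK.hosts():          # .1 .. .254; network/broadcast skipped
            if EXCLUDED[0] <= host <= EXCLUDED[1] or host in self.bindings.values():
                continue
            self.bindings[mac] = host
            return host
        raise RuntimeError("pool exhausted")


def build(op, xid, mac, yiaddr, options):
    """Encode a BOOTP/DHCP frame: 236-byte fixed header, cookie, TLV options, END."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0x8000,
                      b"\0" * 4, ipaddress.ip_address(yiaddr).packed, b"\0" * 4,
                      b"\0" * 4, mac + b"\0" * 10, b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return hdr + MAGIC + body + b"\xff"


def parse(frame):
    """Decode the header fields and options this exchange uses."""
    if frame[236:240] != MAGIC:
        raise ValueError("not a DHCP frame")
    f = struct.unpack("!BBBBIHH4s4s4s4s16s", frame[:44])
    opts, i = {}, 240
    while frame[i] != 0xFF:                   # walk TLVs until the END option
        if frame[i] == 0:                     # PAD option has no length byte
            i += 1
            continue
        code, ln = frame[i], frame[i + 1]
        opts[code] = frame[i + 2:i + 2 + ln]
        i += 2 + ln
    return {"op": f[0], "xid": f[4], "yiaddr": str(ipaddress.ip_address(f[8])),
            "chaddr": f[11][:6], "options": opts}


def server_options(msg_type):
    """Options the AZR sends, mirroring default-router / dns-server / domain-name."""
    return [(53, bytes([msg_type])), (54, ipaddress.ip_address(ROUTER).packed),
            (51, struct.pack("!I", LEASE_SECS)), (1, NETWORK.netmask.packed),
            (3, ipaddress.ip_address(ROUTER).packed),
            (6, ipaddress.ip_address(DNS).packed), (15, DOMAIN.encode())]


def server_reply(pool, frame):
    """The server side: answer a DISCOVER with an OFFER, a REQUEST with ACK or NAK."""
    req = parse(frame)
    mac, kind = req["chaddr"], req["options"][53][0]
    if kind == DISCOVER:
        return build(2, req["xid"], mac, pool.allocate(mac), server_options(OFFER))
    if kind == REQUEST:
        wanted = str(ipaddress.ip_address(req["options"].get(50, b"\0\0\0\0")))
        if str(pool.bindings.get(mac)) == wanted:   # only ACK what we offered
            return build(2, req["xid"], mac, wanted, server_options(ACK))
        return build(2, req["xid"], mac, "0.0.0.0",
                     [(53, bytes([NAK])), (54, ipaddress.ip_address(ROUTER).packed)])
    raise ValueError("unsupported message type %d" % kind)


def client_dora(pool, mac, xid=0x3903F326):
    """The client side of the four-message exchange; returns (offer, ack) decoded."""
    discover = build(1, xid, mac, "0.0.0.0", [(53, bytes([DISCOVER])), (61, b"\x01" + mac)])
    offer = parse(server_reply(pool, discover))
    request = build(1, xid, mac, "0.0.0.0",
                    [(53, bytes([REQUEST])), (50, ipaddress.ip_address(offer["yiaddr"]).packed),
                     (54, offer["options"][54])])
    return offer, parse(server_reply(pool, request))


if __name__ == "__main__":
    pool = DhcpPool()
    offer, ack = client_dora(pool, bytes.fromhex("001122334455"))  # constructed client MAC
    print("leased", ack["yiaddr"], "for", int.from_bytes(ack["options"][51], "big"), "s")
```

The server keeps the MAC-to-address table that show ip dhcp binding displays on the router; a REQUEST for an address that was never offered to that client is answered with a NAK, which is the check a client spoofing another client's lease runs into. The model has no notion of a competing server, which is exactly the gap the real protocol has as well.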
DHCP troubleshooting
• Router# show ip dhcp binding
• Router# show ip dhcp server statistics
• Router# show ip dhcp conflict [address]
• Router# clear ip dhcp binding {address | *}
• Router# clear ip dhcp conflict {address | *}
• Router# clear ip dhcp server statistics
• Router# debug ip dhcp server {events | packets | linkage}
Exercise
1. Configure DHCP server on AZR
2. Check if client gets IP address from DHCP server
Routing
• Static Routing
– Advantages:
• Simple to configure and maintain
• Predictable: only explicitly configured destinations are reachable, and there is no routing protocol exchange into which a neighbour could inject routes
• Bandwidth is not used for sending routing updates
– Disadvantages:
• Manual update of routes after network changes
• Explicit addition of routes for all networks
• Dynamic Routing
– EIGRP
– OSPF
Both EIGRP and OSPF support neighbour authentication; the examples that follow omit it.
Configuring static routing on Cisco devices
Topology: Router A (LAN 10.1.1.0/24) connects via FastEthernet0/1 (172.16.1.1/30) to Router B (172.16.1.2/30, LAN 192.168.1.0/24) and via FastEthernet0/2 (172.16.2.1/30) to Router C (172.16.2.2/30, LAN 192.168.2.0/24).
• ip route <destination network address> <destination network mask> <next hop>
• Router A
ip route 192.168.1.0 255.255.255.0 172.16.1.2
ip route 192.168.2.0 255.255.255.0 172.16.2.2
• Router B
ip route 10.1.1.0 255.255.255.0 172.16.1.1
• Router C
ip route 10.1.1.0 255.255.255.0 172.16.2.1
With only these routes, Router B and Router C can reach 10.1.1.0/24 but not each other's LAN; for 192.168.1.0/24 and 192.168.2.0/24 to communicate, each of them also needs a route to the other LAN (or a default route) via Router A.
Exercise
1. Configure static routing on AZR, AGR and SSG
2. Check if client can access (ping) AZR, AGR, SSG
Configuring dynamic routing on Cisco devices - EIGRP
Topology as in the static routing example: Router A (LAN 10.1.1.0/24) connects over 172.16.1.0/30 to Router B (LAN 192.168.1.0/24) and over 172.16.2.0/30 to Router C (LAN 192.168.2.0/24).
• Router A
router eigrp 1
 network 172.16.1.0 0.0.0.3
 network 172.16.2.0 0.0.0.3
 network 10.1.1.0 0.0.0.255
 no auto-summary
• Router B
router eigrp 1
 network 172.16.1.0 0.0.0.3
 network 192.168.1.0 0.0.0.255
 no auto-summary
• Router C
router eigrp 1
 network 172.16.2.0 0.0.0.3
 network 192.168.2.0 0.0.0.255
 no auto-summary
A network statement does not advertise a prefix directly: it enables EIGRP on every interface whose address falls inside the network/wildcard range (a 0 bit in the wildcard must match, a 1 bit is ignored), and the connected prefixes of those interfaces are then advertised. A statement network 10.1.1.0 0.0.0.255 on Router B or C would match none of their interfaces, so their LANs would never be advertised; each router must list its own LAN. The autonomous system number (1) must be the same on all three routers, and no auto-summary stops EIGRP from collapsing 172.16.x.0/30 and 10.1.1.0/24 to their classful networks.
Configuring dynamic routing on Cisco devices - OSPF
Same topology as the EIGRP example.
• Router A
router ospf 10
 network 172.16.1.0 0.0.0.3 area 0
 network 172.16.2.0 0.0.0.3 area 0
 network 10.1.1.0 0.0.0.255 area 0
• Router B
router ospf 100
 network 172.16.1.0 0.0.0.3 area 0
 network 192.168.1.0 0.0.0.255 area 0
• Router C
router ospf 1
 network 172.16.2.0 0.0.0.3 area 0
 network 192.168.2.0 0.0.0.255 area 0
Unlike the EIGRP autonomous system number, the OSPF process ID (10, 100 and 1 here) is only locally significant, so the routers still form adjacencies; what must agree on each link is the area (0 everywhere). As with EIGRP, the network statement selects interfaces by wildcard mask, so Routers B and C list their own LAN networks rather than 10.1.1.0.
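As an added example (not code from the original course material), the following Python makes the two mechanisms of the routing slides above concrete: the wildcard matching that decides which interfaces a network statement activates (and therefore which connected prefixes get advertised), and the longest-prefix-match lookup that forwards a packet using the static routes from the static routing slide. The topology is the one on the page; the LAN-side router addresses (.1) and the interface names on Routers B and C are assumptions.

```python
"""Which interfaces a 'network' statement enables, and how the resulting routes are looked up."""
import ipaddress

# Topology from the page; the LAN-side router addresses (.1) and the interface
# names on Routers B and C are assumptions.
ROUTER_A = {"Fa0/1": "172.16.1.1/30", "Fa0/2": "172.16.2.1/30", "Fa0/0": "10.1.1.1/24"}
ROUTER_B = {"Fa0/0": "172.16.1.2/30", "Fa0/1": "192.168.1.1/24"}
ROUTER_C = {"Fa0/0": "172.16.2.2/30", "Fa0/1": "192.168.2.1/24"}


def wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: a 0 bit must match, a 1 bit is ignored."""
    a, n, w = (int(ipaddress.ip_address(x)) for x in (addr, network, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)


def enabled_interfaces(interfaces, network_statements):
    """Interfaces on which 'router eigrp/ospf ... network N W' activates the protocol."""
    return sorted(name for name, cidr in interfaces.items()
                  if any(wildcard_match(cidr.split("/")[0], n, w) for n, w in network_statements))


def advertised(interfaces, network_statements):
    """Connected prefixes the router will advertise: those of its enabled interfaces."""
    return sorted(str(ipaddress.ip_interface(interfaces[i]).network)
                  for i in enabled_interfaces(interfaces, network_statements))


def lpm(routes, dst):
    """Longest-prefix match over (prefix, next_hop) pairs; None means no route (dropped)."""
    d, best = ipaddress.ip_address(dst), None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else best[1]


def forward_path(tables, addresses, start, dst, max_hops=8):
    """Follow next hops router by router; returns the list of routers traversed."""
    path, router = [start], start
    for _ in range(max_hops):
        if any(ipaddress.ip_address(dst) in ipaddress.ip_interface(c).network
               for c in addresses[router].values()):
            return path                      # destination is directly connected here
        nh = lpm(tables[router], dst)
        if nh is None:
            return path + ["DROP"]           # no matching route: packet is discarded
        router = next(r for r, ifs in addresses.items()
                      if any(ipaddress.ip_interface(c).ip == ipaddress.ip_address(nh)
                             for c in ifs.values()))
        path.append(router)
    return path + ["LOOP"]


ADDRESSES = {"A": ROUTER_A, "B": ROUTER_B, "C": ROUTER_C}
# Static routes from the static routing slide.
STATIC = {
    "A": [("192.168.1.0/24", "172.16.1.2"), ("192.168.2.0/24", "172.16.2.2")],
    "B": [("10.1.1.0/24", "172.16.1.1")],
    "C": [("10.1.1.0/24", "172.16.2.1")],
}

if __name__ == "__main__":
    # 'network 10.1.1.0 0.0.0.255' on Router B matches none of B's interfaces.
    print(enabled_interfaces(ROUTER_B, [("10.1.1.0", "0.0.0.255")]))
    print(advertised(ROUTER_B, [("172.16.1.0", "0.0.0.3"), ("192.168.1.0", "0.0.0.255")]))
    print(forward_path(STATIC, ADDRESSES, "A", "192.168.2.10"))   # via Router C
    print(forward_path(STATIC, ADDRESSES, "B", "192.168.2.10"))   # B has no route
```

forward_path shows the gap noted under static routing: from Router B a packet for 192.168.2.0/24 is dropped until B gets a route (or a default route) via Router A, after which the path becomes B, A, C.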
Exercise
1. Configure dynamic routing (EIGRP) on AZR, AGR and SSG
2. Check if client can access (ping) AZR, AGR, SSG
3. Configure dynamic routing (OSPF) on AZR, AGR and SSG
4. Check if client can access (ping) AZR, AGR, SSG
VPN
• Virtual Private Network: a VPN tunnel (e.g. a GRE/IPsec tunnel) carries the traffic between the AGR and the AZR across the INTERNET.
• GRE - Generic Routing Encapsulation
• PPTP - Point-to-Point Tunneling Protocol
Types of VPNs
• Secure VPNs (traffic is encrypted and authenticated). Secure VPN protocols include the following:
- IPsec
- SSL
- PPTP
- L2TP
- L2TPv3
• Trusted VPNs (no encryption; separation relies on the provider's network)
- MPLS
- L2F
PPTP is listed for completeness only: its MS-CHAPv2 authentication is considered broken and it should not be deployed for new links.
IPsec functions
• data confidentiality (encryption)
• data integrity (verification)
• origin authentication (authenticating the source of the packet)
• anti-replay: verification that each packet is unique (not duplicated)
Type of encryption
• symmetric (bulk encryption of the data)
– DES
– 3DES
• integrity (keyed hashes used for the ESP/AH integrity check; these are not encryption algorithms)
– HMAC-Message Digest 5 (MD5)
– HMAC-SHA
• asymmetric
– Rivest, Shamir, and Adleman (RSA)
DES, 3DES and MD5 are deprecated; current deployments use AES and SHA-2. The lab examples later in this document keep 3DES/MD5 as configured in the lab.
Type of authentication
• Pre-shared keys
• RSA signatures
• RSA encrypted nonces
IPsec protocols
• Authentication Header (AH): ROUTER A to ROUTER B, all data in clear text. AH provides authentication and integrity, no encryption.
• Encapsulating Security Payload (ESP): ROUTER A to ROUTER B, data payload is encrypted. ESP provides authentication, integrity and encryption.
IPsec modes
Original IP packet: [IP Header][Data]
- Transport mode (the original IP header is kept):
[IP Header][ESP Header][Data][ESP Trailer][ESP Auth.]
  ENCRYPTED: Data + ESP Trailer
  AUTHENTICATED: ESP Header + Data + ESP Trailer
- Tunnel mode (the whole original packet is encapsulated behind a new header):
[New IP Header][ESP Header][IP Header][Data][ESP Trailer][ESP Auth.]
  ENCRYPTED: IP Header + Data + ESP Trailer
  AUTHENTICATED: ESP Header + IP Header + Data + ESP Trailer
The GRE/IPsec examples below use transport mode: GRE already supplies the outer IP header, so a second one from tunnel mode would only add overhead.
VPN (DMVPN)
Topology: two hubs and the SSG in the CSA (Central Site Area); the AZR spokes in the HSA (Hotspot Area) reach their hub over the Internet through GRE/IPsec.
• HUB #1 (AGR): SPOKE #1.1, SPOKE #1.2, SPOKE #1.3 (each an AZR)
• HUB #2 (AGR): SPOKE #2.1, SPOKE #2.2, SPOKE #2.3 (each an AZR)
Standards (Cisco IOS IPsec)
• IPsec (RFCs 2401-2410)
• IPsec Encapsulating Security Payload (ESP) using DES/3DES (RFC 2406)
• IPsec Authentication Header (AH) using MD5 or SHA (RFCs 2403-2404)
• Internet Key Exchange (IKE) (RFCs 2407-2409)
These are the original RFC 24xx specifications; they have since been obsoleted (IPsec architecture by RFC 4301, AH by RFC 4302, ESP by RFC 4303, IKE by IKEv2, now RFC 7296). The IKEv1 (ISAKMP) configuration shown below still works on IOS.
IPsec/GRE Example (basic)
Topology: AZR (Fa0/1 192.168.6.2, tunnel 10 192.168.10.2/30) and AGR (Fa0/0 192.168.5.1, tunnel 10 192.168.10.1/30) connected across the Internet; tunnel network 192.168.10.0/30.
• Phase I (IKE policy)
AZR:
crypto isakmp policy 1
 authentication pre-share
 hash md5
 encryption 3des
crypto isakmp key Cisco123 address 192.168.5.1
AGR:
crypto isakmp policy 1
 authentication pre-share
 hash md5
 encryption 3des
crypto isakmp key Cisco123 address 192.168.6.2
The policy must match on both peers. Cisco123 is a lab value: the pre-shared key is the only thing that authenticates the peer, so use a long random key per peer in production. No group line is shown, so the platform default Diffie-Hellman group applies; set a strong group (14 or higher) explicitly.
• Phase II (IPsec policy)
AZR:
crypto ipsec transform-set name1 esp-3des esp-md5-hmac
 mode transport
access-list 110 permit gre host 192.168.6.2 host 192.168.5.1
AGR:
crypto ipsec transform-set name1 esp-3des esp-md5-hmac
 mode transport
access-list 110 permit gre host 192.168.5.1 host 192.168.6.2
Transport mode is sufficient because GRE already supplies the outer IP header. The two access lists are mirror images of each other (source and destination swapped); IKE checks this when the proxy identities are negotiated in Phase II, and a mismatch is one of the most common reasons the IPsec SA never comes up.
• Phase II (IPsec policy, continued)
AZR:
crypto map map1 local-address FastEthernet0/1
crypto map map1 10 ipsec-isakmp
 set peer 192.168.5.1
 match address 110
 set transform-set name1
AGR:
crypto map map1 local-address FastEthernet0/0
crypto map map1 10 ipsec-isakmp
 set peer 192.168.6.2
 match address 110
 set transform-set name1
Only traffic matching access list 110 (the GRE between the two endpoints) is encrypted; anything else leaving the interface goes out in clear, so make sure user traffic is routed into the tunnel and not around it.
• Phase III (tunnel)
AZR:
interface tunnel 10
 ip address 192.168.10.2 255.255.255.252
 tunnel source FastEthernet0/1
 tunnel destination 192.168.5.1
 ip mtu 1440
 crypto map map1
interface FastEthernet0/1
 ip address 192.168.6.2 255.255.255.0
 crypto map map1
router eigrp 1
 network 192.168.10.0 0.0.0.3
 no auto-summary
AGR:
interface tunnel 10
 ip address 192.168.10.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 192.168.6.2
 ip mtu 1440
 crypto map map1
interface FastEthernet0/0
 ip address 192.168.5.1 255.255.255.0
 crypto map map1
router eigrp 1
 network 192.168.10.0 0.0.0.3
 no auto-summary
The crypto map is applied to both the tunnel and the physical interface, as older IOS releases require for GRE over IPsec. ip mtu 1440 keeps the GRE packet plus ESP transport-mode overhead (with 3DES/MD5 between 54 and 61 bytes, depending on padding) within a 1500-byte link MTU. EIGRP here covers only the tunnel subnet; the LAN-side networks on each router need their own network statements to be advertised through the tunnel.
Exercise
1. Configure static IPsec/GRE tunnel between AZR and AGR
2. Check if wired client can access (ping) AGR, SSG via VPN tunnel
IPsec/GRE Example (DMVPN)
Topology: AZR (spoke; Fa0/1 192.168.6.2, tunnel 0 192.168.10.2/24) and AGR (hub; Fa0/0 192.168.5.1, tunnel 0 192.168.10.1/24) across the Internet. The tunnel network is 192.168.10.0/24 so that further spokes can share it.
• Phase I (IKE policy) - identical on AZR and AGR:
crypto isakmp policy 1
 authentication pre-share
 hash md5
 encryption 3des
crypto isakmp key Cisco123 address 0.0.0.0 0.0.0.0
The wildcard address lets any peer that knows the key negotiate, which is what a hub with dynamically addressed spokes needs; the price is that one leaked key compromises the whole DMVPN cloud and no spoke can be told apart by its key. Prefer per-spoke keys where spoke addresses are known, or certificate (RSA signature) authentication.
• Phase II (IPsec policy) - identical on AZR and AGR:
crypto ipsec transform-set name1 esp-3des esp-md5-hmac
 mode transport
crypto ipsec profile bwsvpnprofile1
 set transform-set name1
An IPsec profile replaces the crypto map plus access list of the static example: the tunnel interface applies it with tunnel protection, and the traffic to protect is implicitly the GRE between tunnel source and destination.
• Phase III (tunnel)
AZR (spoke):
interface tunnel 0
 ip address 192.168.10.2 255.255.255.0
 ip mtu 1400
 ip nhrp authentication Cisco123key
 ip nhrp map 192.168.10.1 192.168.5.1
 ip nhrp network-id 1
 ip nhrp holdtime 300
 ip nhrp nhs 192.168.10.1
 tunnel source FastEthernet0/1
 tunnel destination 192.168.5.1
 tunnel key 0
 tunnel protection ipsec profile bwsvpnprofile1
AGR (hub):
interface tunnel 0
 ip address 192.168.10.1 255.255.255.0
 ip mtu 1400
 ip nhrp authentication Cisco123key
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp holdtime 600
 no ip split-horizon eigrp 1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile bwsvpnprofile1
The NHRP authentication string, NHRP network-id and GRE tunnel key must be identical on hub and spoke, otherwise the spoke's registration is ignored. The NHRP string travels in clear text inside the GRE packet and is only a configuration-consistency check, not a security control; the peer authentication is done by IKE. The spoke statically maps the hub's tunnel address to its public address and registers with it (nhs); the hub learns spoke addresses dynamically and replicates EIGRP multicast to registered spokes. no ip split-horizon eigrp 1 lets the hub re-advertise one spoke's routes to the other spokes out of the same tunnel interface.
• Phase III (interfaces and routing)
AZR:
interface FastEthernet0/1
 ip address 192.168.6.2 255.255.255.0
router eigrp 1
 network 192.168.10.0 0.0.0.255
 no auto-summary
AGR:
interface FastEthernet0/0
 ip address 192.168.5.1 255.255.255.0
router eigrp 1
 network 192.168.10.0 0.0.0.255
 no auto-summary
EIGRP is enabled only on the tunnel network here; add network statements for the AP-side (AZR) and SSG-side (AGR) subnets so that they are advertised through the tunnel.
IPsec/GRE troubleshooting
• Router# show ip nhrp
• Router# show ip interface
• Router# show crypto isakmp sa
• Router# show crypto ipsec sa
• Router# show crypto ipsec sa detail
• Router# show crypto map
• Router# show crypto engine connection active
• Router# show ip route
• Router# debug crypto isakmp
• Router# debug crypto ipsec
• Router# debug crypto engine
Exercise
1. Configure dynamic IPsec/GRE tunnel (DMVPN) between AZR and AGR
2. Check if wired client can access (ping) AGR, SSG via VPN tunnel
MTU configuration on interface
GRE plus ESP add around 60 bytes to every packet, so a 1500-byte packet from a client no longer fits the physical link once encapsulated. Two measures are combined here: lowering ip mtu on the interface so the router fragments before encapsulating, and clearing the DF bit on selected traffic so that fragmentation is allowed at all (hosts that set DF and ignore ICMP "fragmentation needed" would otherwise be black-holed).
• Route map that clears the DF bit on the UDP traffic matched by access list 101
Router (config)# access-list 101 permit udp any any
Router (config)# route-map clear-df permit 10
Router (config-route-map)# match ip address 101
Router (config-route-map)# set ip df 0
Router (config-route-map)# end
• Apply the route map and the lower MTU on the interface
Router (config)# interface FastEthernet0/0
Router (config-if)# ip address 192.168.10.1 255.255.255.0
Router (config-if)# ip policy route-map clear-df
Router (config-if)# ip mtu 1400
Router (config-if)# end
Clearing DF disables path MTU discovery for those flows and makes the router fragment on their behalf; keep the access list as narrow as the traffic that actually needs it.
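As an added example (not code from the original course material), the following Python computes the figures behind the ip mtu 1440 of the static IPsec/GRE example and the ip mtu 1400 plus set ip df 0 of this section: the ESP transport-mode overhead for a GRE packet with the page's esp-3des esp-md5-hmac transform set, the largest inner packet that still fits a 1500-byte link, and what happens to an oversized packet with and without the DF bit. Header sizes are from the RFCs (20-byte IPv4, 4-byte GRE plus 4 for a tunnel key, 8-byte ESP header, 8-byte 3DES IV, 96-bit HMAC ICV); the AES/SHA-256 line generalizes beyond the page's transform set.

```python
"""ESP transport-mode overhead for a GRE packet, and what 'ip mtu' / 'set ip df 0' do about it."""

IP_HDR, GRE_HDR, GRE_KEY, ESP_HDR = 20, 4, 4, 8   # bytes; ESP header = SPI + sequence number


def esp_transport_len(payload, block=8, iv=8, icv=12):
    """Size of an ESP transport-mode packet (without the IP header) for a given payload.
    Defaults model esp-3des esp-md5-hmac: 8-byte CBC block, 8-byte IV, 96-bit ICV."""
    padded = -(-(payload + 2) // block) * block   # pad so payload+padlen+next-hdr fills a block
    return ESP_HDR + iv + padded + icv


def outer_len(inner, tunnel_key=False, **esp):
    """Bytes on the wire for an inner IP packet sent through GRE protected by ESP (transport)."""
    gre = GRE_HDR + (GRE_KEY if tunnel_key else 0)
    return IP_HDR + esp_transport_len(inner + gre, **esp)


def max_inner(link_mtu=1500, tunnel_key=False, **esp):
    """Largest inner packet that still fits the physical MTU, i.e. the safe 'ip mtu' value."""
    inner = link_mtu
    while outer_len(inner, tunnel_key, **esp) > link_mtu:
        inner -= 1
    return inner


def fragment(total_len, mtu, df):
    """IP fragmentation of a packet that exceeds the MTU. With DF set the router must drop it
    (and send ICMP 'fragmentation needed'); with DF cleared, as 'set ip df 0' does, it is split.
    Returns the fragment sizes, or None when the packet is dropped."""
    if total_len <= mtu:
        return [total_len]
    if df:
        return None
    data, chunk, frags = total_len - IP_HDR, (mtu - IP_HDR) // 8 * 8, []
    while data > 0:                               # fragment offsets are 8-byte units
        take = min(chunk, data)
        frags.append(IP_HDR + take)
        data -= take
    return frags


if __name__ == "__main__":
    print("3DES/MD5, no tunnel key :", max_inner())                  # 'ip mtu 1440' is safe
    print("3DES/MD5, tunnel key    :", max_inner(tunnel_key=True))   # 'ip mtu 1400' has margin
    print("AES-CBC/SHA-256         :", max_inner(block=16, iv=16, icv=16))
    print("1500-byte DF packet at 1400:", fragment(1500, 1400, df=True))
    print("same with DF cleared       :", fragment(1500, 1400, df=False))
```

With 3DES/MD5 and no tunnel key the largest inner packet that fits is 1442 bytes, so the page's 1440 is correct; the DMVPN tunnel key costs another 4 bytes and the stronger AES/SHA-2 transform sets cost more still, which is why 1400 is the usual conservative value.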
Maintenance of Cisco devices
Lab topology: Transmission Core with the Access Gateway (SSG); AGR #1; Access Network with the AZR; HSA #1 with the WLAN, two APs and a client; a TFTP server at 192.168.1.1.
• Copying the configuration to a TFTP server
Router# copy run tftp
Address or name of remote host []? 192.168.1.1
Destination filename [router-confg]? run-confg
!!
486 bytes copied in 12.2 secs (40 bytes/sec)
Router#
• Restoring the configuration from the TFTP server
Router# copy tftp run
Address or name of remote host []? 192.168.1.1
Source filename []? run-confg
Destination filename [running-config]? [Enter]
Accessing tftp://192.168.1.1/run-confg...
Loading run-confg from 192.168.1.1 (via FastEthernet0/1): !!
[OK - 486/4096 bytes]
486 bytes copied in 5.3 secs (99 bytes/sec)
Router#
• Two things to keep in mind: copying into running-config merges the file with the current configuration rather than replacing it (restore into startup-config and reload for a clean state), and TFTP is unauthenticated clear-text UDP, so the ISAKMP pre-shared key and every other secret in the file cross the network readable; on IOS images that support it, copy run scp: over SSH is the safer choice.
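As an added example (not code from the original course material), the following Python is the check a practitioner runs over a configuration before it goes out over TFTP: it flags the secrets that the file exposes in clear text. The sample configuration is constructed from lines shown on this page (the ISAKMP key and the NHRP authentication string), plus an assumed enable password 7 line to show that type-7 "encryption" is a fixed-key XOR and therefore recoverable; the type-7 key string and the 060506324F41 example (which decodes to cisco) are widely published.

```python
"""Flag secrets that leave the router in clear text when 'copy run tftp' is used."""
import re

# Constructed sample built from configuration lines shown on this page, plus an
# assumed 'enable password 7' line to show what 'service password-encryption' protects.
SAMPLE_CONFIG = """\
hostname AZR
enable password 7 060506324F41
crypto isakmp policy 1
 authentication pre-share
 hash md5
 encryption 3des
crypto isakmp key Cisco123 address 192.168.5.1
interface Tunnel0
 ip nhrp authentication Cisco123key
 tunnel protection ipsec profile bwsvpnprofile1
ip dhcp pool ZONE1
 network 10.100.1.0 255.255.255.0
"""

# Cisco type-7 obfuscation: a fixed key string XORed over the bytes, fully reversible.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(blob):
    """Recover a type-7 string: two-digit seed, then hex bytes XORed with the rolling key."""
    seed, data = int(blob[:2]), bytes.fromhex(blob[2:])
    return bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data)).decode()


# (description, regex capturing the secret, whether the value is type-7 encoded)
PATTERNS = [
    ("IKE pre-shared key", re.compile(r"^crypto isakmp key (\S+) address", re.M), False),
    ("NHRP authentication string", re.compile(r"^\s*ip nhrp authentication (\S+)", re.M), False),
    ("enable password (type 7)", re.compile(r"^enable password 7 (\S+)", re.M), True),
    ("enable password (clear)", re.compile(r"^enable password (?!7 )(?:0 )?(\S+)", re.M), False),
    ("SNMP community", re.compile(r"^snmp-server community (\S+)", re.M), False),
]


def find_secrets(config_text):
    """Return (description, line_number, recovered_value) for every readable secret."""
    found = []
    for desc, rx, type7 in PATTERNS:
        for m in rx.finditer(config_text):
            line_no = config_text.count("\n", 0, m.start()) + 1
            value = decode_type7(m.group(1)) if type7 else m.group(1)
            found.append((desc, line_no, value))
    return sorted(found, key=lambda t: t[1])


if __name__ == "__main__":
    for desc, line_no, value in find_secrets(SAMPLE_CONFIG):
        print(f"line {line_no:3d}  {desc:28s} {value!r}")
```

enable secret (type 5/8/9 hashes) is deliberately not reported: those are one-way hashes. Everything the script does report is recoverable by anyone who captures the TFTP transfer or reads the backup file, which is the argument for SCP and for keeping configuration backups under the same access control as the routers themselves.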
Exercises & troubleshooting
Lab topology: Internet/Intranet; Transmission Core with the Access Gateway (SSG) and the TFTP server; AGR #1; Access Network with the AZR; HSA #1 with the WLAN, an AP and a client.
1. Design and connect your own network
2. Configure DHCP server on AZR
3. Configure AZR, AGR, routing and VPN tunnel between AZR and AGR
4. Configure Cisco Access Point
5. Test your configuration
This exercise assumes that SSG and WIP were correctly configured before.