Building a Simple Network


© 2007 Cisco Systems, Inc. All rights reserved. ICND1 v1.0—1-1

Building a Simple Network

Understanding Ethernet


Local Area Network


LAN Components

Computers

– PCs

– Servers

Interconnections

– NICs

– Media

Network devices

– Hubs

– Switches

– Routers

Protocols

– Ethernet

– IP

– ARP

– DHCP


Functions of a LAN

Data and applications

Share resources

Provide communication path to other networks


LAN Sizes


Ethernet Evolution


LAN Standards


Ethernet Frame Structure


Communicating Within the LAN


MAC Address Components


Ethernet LANs

Understanding the Challenges of Shared LANs


LAN Segment Limitations

Signals degrade with transmission distance.

Each Ethernet type has a maximum segment length.

Extending LAN Segments

Shares bandwidth

Extends cable distances

Repeats or amplifies signal


Collisions


CSMA/CD


Ethernet LANs

Solving Network Challenges with Switched LAN Technology


Network Congestion

High-performance PCs

More networked data

Bandwidth-intensive applications


Bridges

Operate at Layer 2 of the OSI model

Forward, filter, or flood frames

Have few ports

Are slow


LAN Switch

High port density

Large frame buffers

Mixture of port speeds

Fast internal switching

Switching modes:

– Cut-through

– Store-and-forward

– Fragment-free


LAN Switch Features


Switches Supersede Bridges

Operate at Layer 2 of the OSI model

Forward, filter, or flood frames

Have many ports

Are fast


Switching Frames


LANs Today

Users grouped by physical location

More switches added to networks

Switches connected by high-speed links


Medium-Sized Switched Network Construction

Implementing VLANs and Trunks


Issues in a Poorly Designed Network

Unbounded failure domains

Large broadcast domains

Large amount of unknown MAC unicast traffic

Unbounded multicast traffic

Management and support challenges

Possible security vulnerabilities


VLAN Overview

VLAN = Broadcast Domain = Logical Network (Subnet)

Segmentation

Flexibility

Security


Designing VLANs for an Organization

VLAN design must take into consideration the implementation of a hierarchical network addressing scheme.

The benefits of hierarchical addressing are:

– Ease of management and troubleshooting

– Minimization of errors

– Reduced number of routing table entries


Guidelines for Applying IP Address Space

Allocate one IP subnet per VLAN.

Allocate IP address spaces in contiguous blocks.


VLAN Operation


VLAN Membership Modes


802.1Q Trunking


802.1Q Frame


Understanding Native VLANs


Configuring 802.1Q Trunking

SwitchX(config-if)# switchport mode trunk
Configures the port as a VLAN trunk

SwitchX(config-if)# switchport mode {access | dynamic {auto | desirable} | trunk}
Configures the trunking characteristics of the port

Verifying a Trunk

SwitchX# show interfaces interface [switchport | trunk]

SwitchX# show interfaces fa0/11 trunk
Port      Mode       Encapsulation  Status    Native vlan
Fa0/11    desirable  802.1q         trunking  1

Port      Vlans allowed on trunk
Fa0/11    1-4094

Port      Vlans allowed and active in management domain
Fa0/11    1-13

SwitchX# show interfaces fa0/11 switchport
Name: Fa0/11
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
. . .

VLAN Creation Guidelines

The maximum number of VLANs is switch-dependent.

Most Cisco Catalyst desktop switches support 128 separate spanning-tree instances, one per VLAN.

VLAN 1 is the factory default Ethernet VLAN.

Cisco Discovery Protocol and VTP advertisements are sent on VLAN 1.

The Cisco Catalyst switch IP address is in the management VLAN (VLAN 1 by default).

If using VTP, the switch must be in VTP server or transparent mode to add or delete VLANs.


Adding a VLAN

SwitchX# configure terminal
SwitchX(config)# vlan 2
SwitchX(config-vlan)# name switchlab99

Verifying a VLAN

SwitchX# show vlan [brief | id vlan-id | name vlan-name]

SwitchX# show vlan id 2
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
2    switchlab99                      active    Fa0/2, Fa0/12

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
2    enet  100002     1500  -      -      -        -    -        0      0
. . .
SwitchX#

Assigning Switch Ports to a VLAN

SwitchX(config-if)# switchport access [vlan vlan# | dynamic]

SwitchX# configure terminal
SwitchX(config)# interface range fastethernet 0/2 - 4
SwitchX(config-if)# switchport access vlan 2

SwitchX# show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- ----------------------
1    default                          active    Fa0/1
2    switchlab99                      active    Fa0/2, Fa0/3, Fa0/4

Verifying VLAN Membership

SwitchX# show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1
2    switchlab99                      active    Fa0/2, Fa0/3, Fa0/4
3    vlan3                            active
4    vlan4                            active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

Verifying VLAN Membership (Cont.)

SwitchX# show interfaces interface switchport

SwitchX# show interfaces fa0/2 switchport
Name: Fa0/2
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 2 (switchlab99)
Trunking Native Mode VLAN: 1 (default)
--- output omitted ---

Medium-Sized Switched Network Construction

Improving Performance with Spanning Tree


Advantages of EtherChannel

Logical aggregation of similar links between switches

Load-shares across links

Viewed as one logical port to STP

Redundancy


Redundant Topology

Redundant topology eliminates single points of failure.

Redundant topology causes broadcast storms, multiple frame copies, and MAC address table instability problems.

Broadcast Frames

Station D sends a broadcast frame.

Broadcast frames are flooded to all ports except the originating port.

Multiple Frame Copies

Host X sends a unicast frame to router Y.

The MAC address of router Y has not been learned by either switch.

Router Y will receive two copies of the same frame.


MAC Database Instability

Host X sends a unicast frame to router Y.

The MAC address of router Y has not been learned by either switch.

Switches A and B learn the MAC address of host X on port 1.

The frame to router Y is flooded.

Switches A and B incorrectly learn the MAC address of host X on port 2.

Broadcast Storms

Host X sends a broadcast.

Switches continue to propagate broadcast traffic over and over.


Loop Resolution with STP

Provides a loop-free redundant network topology by placing certain ports in the blocking state

Published in the IEEE 802.1D specification

Enhanced with the Cisco PVST+ implementation

Spanning-Tree Operation

One root bridge per broadcast domain.

One root port per nonroot bridge.

One designated port per segment.

Nondesignated ports are unused.


STP Root Bridge Selection

BPDU (default = sent every 2 seconds)

Root bridge = bridge with the lowest bridge ID

Bridge ID = Bridge Priority + MAC Address

Per VLAN Spanning Tree Plus


PVST+ Extended Bridge ID

Bridge ID without the extended system ID

Extended bridge ID with system ID

System ID = VLAN


Default Spanning-Tree Configuration

Cisco Catalyst switches support three types of STPs:

– PVST+

– PVRST+

– MSTP

The default STP for Cisco Catalyst switches is PVST+ :

– A separate STP instance for each VLAN

– One root bridge for all VLANs

– No load sharing


PVRST+ Implementation Commands

SwitchX(config)# spanning-tree mode rapid-pvst
Configures PVRST+

SwitchX# show spanning-tree vlan vlan# [detail]
Verifies the spanning-tree configuration

SwitchX# debug spanning-tree pvst+
Displays PVST+ event debug messages

Verifying PVRST+

The spanning-tree mode is set to PVRST.

SwitchX# show spanning-tree vlan 30
VLAN0030
  Spanning tree enabled protocol rstp
  Root ID    Priority    24606
             Address     00d0.047b.2800
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24606  (priority 24576 sys-id-ext 30)
             Address     00d0.047b.2800
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface  Role Sts Cost  Prio.Nbr Type
---------- ---- --- ----- -------- ----
Gi1/1      Desg FWD 4     128.1    P2p
Gi1/2      Desg FWD 4     128.2    P2p
Gi5/1      Desg FWD 4     128.257  P2p
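The output above shows the bridge priority field as 24606 = 24576 + sys-id-ext 30. The following added example (not from the Cisco slides) builds the PVST+ bridge ID the same way and runs the root election on it; the switch names, the second MAC address and the priority values other than 24576 are constructed sample values, and root_primary_priority models the documented behaviour of the root primary macro.

```python
import re

# Added example (not from the Cisco slides): how a PVST+ bridge ID is built and how
# the root election compares it. Switch names, the second MAC and the priorities
# other than the 24576 shown on the slide are constructed sample values.

def bridge_priority_field(priority: int, vlan: int) -> int:
    """16-bit priority field = configured priority (multiple of 4096) + sys-id-ext (VLAN)."""
    if priority % 4096 != 0 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN must be 1-4094")
    return priority + vlan

def mac_to_int(mac: str) -> int:
    """Accept Cisco dotted hex (00d0.047b.2800) or colon/dash notation."""
    digits = re.sub(r"[.:-]", "", mac.lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"malformed MAC address: {mac}")
    return int(digits, 16)

def bridge_id(priority: int, vlan: int, mac: str) -> int:
    """64-bit bridge ID: priority field in the top 16 bits, MAC address in the low 48."""
    return (bridge_priority_field(priority, vlan) << 48) | mac_to_int(mac)

def elect_root(bridges: dict, vlan: int) -> str:
    """bridges maps switch name -> (configured priority, MAC). Lowest bridge ID is root.
    Because the priority field sits above the MAC, priority decides first and the MAC
    only breaks ties between equal priorities."""
    return min(bridges, key=lambda name: bridge_id(bridges[name][0], vlan, bridges[name][1]))

def root_primary_priority(current_root_priority: int) -> int:
    """Priority that 'spanning-tree vlan N root primary' picks (documented IOS behaviour):
    24576 when that already undercuts the current root, otherwise 4096 below it."""
    if current_root_priority > 24576:
        return 24576
    if current_root_priority < 4096:
        raise ValueError("current root is already at priority 0; cannot go lower")
    return current_root_priority - 4096

if __name__ == "__main__":
    # The 'Priority 24606 (priority 24576 sys-id-ext 30)' line on the slide:
    print(bridge_priority_field(24576, 30))                       # 24606
    lab = {"SwitchA": (24576, "00d0.047b.2800"),
           "SwitchB": (32768, "0000.0c12.3456")}                  # constructed peer
    print(elect_root(lab, 30))                                    # SwitchA: lower priority wins
    lab["SwitchA"] = (32768, "00d0.047b.2800")
    print(elect_root(lab, 30))                                    # SwitchB: equal priority, lower MAC
```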


Configuring the Root and Secondary Bridges


Configuring the Root and Secondary Bridges: SwitchA

SwitchA(config)# spanning-tree vlan 1 root primary
This command forces this switch to be the root for VLAN 1.

SwitchA(config)# spanning-tree vlan 2 root secondary
This command configures this switch to be the secondary root for VLAN 2.

OR

SwitchA(config)# spanning-tree vlan # priority priority
This command statically configures the priority (increments of 4096).

Configuring the Root and Secondary Bridges: SwitchB

SwitchB(config)# spanning-tree vlan 2 root primary
This command forces the switch to be the root for VLAN 2.

SwitchB(config)# spanning-tree vlan 1 root secondary
This command configures the switch to be the secondary root for VLAN 1.

OR

SwitchB(config)# spanning-tree vlan # priority priority
This command statically configures the priority (increments of 4096).

Implementing High Availability in a Campus Environment

Configuring Layer 3 Redundancy with HSRP


Routing Issues: Using Default Gateways


Routing Issues: Using Proxy ARP


Router Redundancy


HSRP

Standby group: The set of routers participating in HSRP that jointly emulate a virtual router


The Active Router

The active router responds to ARP requests with the MAC address of the virtual router.

The Virtual Router MAC Address


The Standby Router

The standby router listens for periodic hello messages on 224.0.0.2.


Active and Standby Router Interaction


HSRP States

An HSRP router can be in one of six different states:

• Initial

• Learn

• Listen

• Speak

• Standby

• Active


HSRP State Transition

[Figure: HSRP state transitions in HSRP Standby Group 1. Router A (priority 100): Initial, Listen, Speak, Standby, Active. Router B (priority 50): Initial, Listen, Speak, Listen.]

Router B hears that router A has a higher priority, so router B returns to the listen state.

Router A does not hear any higher priority than itself, so promotes itself to standby.

Router A does not hear an active router, so promotes itself to active.


HSRP Standby State

A router in the standby state:

• Is a candidate for active router

• Sends hello messages

• Knows the virtual router IP address

HSRP Active State

A router in the active state:

• Assumes the active forwarding of packets for the virtual router

• Sends hello messages

• Knows the virtual router IP address

HSRP Configuration Commands

Configure: standby 1 ip 10.1.1.1

Verify: show running-config
        show standby

Configuring an HSRP Standby Interface

Enabling HSRP on a Cisco router interface automatically disables ICMP redirects.

Displaying the Standby Brief Status

Switch# show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp Prio P State   Active addr     Standby addr    Group addr
Vl11        11  110    Active  local           172.16.11.114   172.16.11.115

Implementing High Availability in a Campus Environment

Optimizing HSRP


HSRP Optimization Options

These options can be configured to optimize HSRP:

HSRP standby priority

HSRP standby preempt

Hello message timers

HSRP interface tracking


Configuring HSRP Standby Priority

• The router with the highest priority in an HSRP group becomes the active router.

• The default priority is 100.

• In the case of a tie, the router with the highest configured IP address will become active.


Configuring HSRP Standby Preempt

Preempt enables a router to resume the forwarding router role.


Configuring the Hello Message Timers

The holdtime parameter value should be at least three times the value of the hellotime parameter.
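The election, preempt and timer rules from the last three slides, as an added example that is not part of the Cisco material. It models a standby group in Python; the router names, addresses and priorities are constructed sample values, and the default hello/hold timers of 3 and 10 seconds are HSRP's documented defaults.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Added example (not from the Cisco slides): a small model of the HSRP active-router
# election, preempt behaviour and the hello/hold timer rule described above.
# Router names and addresses are constructed sample values.

@dataclass
class HsrpRouter:
    name: str
    ip: str                  # interface address in the group's subnet
    priority: int = 100      # HSRP default priority
    preempt: bool = False    # 'standby <grp> preempt' is not configured by default

@dataclass
class HsrpGroup:
    group: int
    virtual_ip: str
    hellotime: float = 3.0   # HSRP default hello, seconds
    holdtime: float = 10.0   # HSRP default hold, seconds
    members: List[HsrpRouter] = field(default_factory=list)
    active: Optional[HsrpRouter] = None

def best_candidate(routers: List[HsrpRouter]) -> HsrpRouter:
    """Highest priority wins; on a tie the highest configured IP address wins."""
    return max(routers, key=lambda r: (r.priority, int(ipaddress.IPv4Address(r.ip))))

def join(group: HsrpGroup, router: HsrpRouter) -> str:
    """A router comes up in the group. An existing active router keeps the role
    unless the newcomer is both a better candidate and configured to preempt."""
    group.members.append(router)
    if group.active is None:
        group.active = router
    elif router.preempt and best_candidate([router, group.active]) is router:
        group.active = router
    return group.active.name

def fail(group: HsrpGroup, router: HsrpRouter) -> Optional[str]:
    """The router stops sending hellos; if it was active, the best remaining member
    takes over once the holdtime expires."""
    group.members.remove(router)
    if group.active is router:
        group.active = best_candidate(group.members) if group.members else None
    return group.active.name if group.active else None

def timers_valid(hellotime: float, holdtime: float) -> bool:
    """Slide rule: holdtime should be at least three times hellotime."""
    return holdtime >= 3 * hellotime

if __name__ == "__main__":
    grp = HsrpGroup(1, "10.1.1.1")
    b = HsrpRouter("RouterB", "10.1.1.3", priority=50)
    a = HsrpRouter("RouterA", "10.1.1.2", priority=100)      # higher priority, no preempt
    print(join(grp, b), join(grp, a))   # RouterB RouterB: A does not take over without preempt
    print(fail(grp, b))                 # RouterA: B failed, A is the only candidate left
    print(timers_valid(grp.hellotime, grp.holdtime))   # True
```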


HSRP Interface Tracking


HSRP Interface Tracking (Cont.)


Configuring HSRP Tracking

Switch(config-if)# standby [group-number] track type number [interface-priority]

• Configures HSRP tracking

Switch(config)# interface vlan 10
Switch(config-if)# standby 1 track GigabitEthernet 0/7 50
Switch(config-if)# standby 1 track GigabitEthernet 0/8 60

• Example of HSRP tracking

Note: Preempt must be configured on all participating devices within the HSRP group.

Tuning HSRP

Configure hellotime and holdtime to millisecond values.

Configure preempt delay timer so that preempt occurs only after the distribution switch has fully rebooted and established full connectivity to the rest of the network.


Multiple HSRP Groups

To load balance routers, assign them to multiple groups on the same subnet.

Addressing HSRP Groups Across Trunk Links

To load balance routers and links:

– Per VLAN, configure the HSRP active router and the spanning tree root to be the same multilayer switch.


About the HSRP Debug Command

debug standby events

debug standby terse


Debugging HSRP

• Example of HSRP debug showing standby group number mismatch

DSW111# debug standby
*Mar 4 19:08:08.918: HSRP: Vl1 Grp 1 Hello out 172.16.1.111 Active pri 150 vIP 172.16.1.113
*Mar 4 19:08:09.287: HSRP: Vl1 Grp 2 Hello in 172.16.1.112 Active pri 50 vIP 172.16.1.113
*Mar 4 19:08:09.287: HSRP: Vl1 API active virtual address 172.16.1.113 found
*Mar 4 19:08:09.891: HSRP: Vl1 API Duplicate ARP entry detected for 172.16.1.113
*Mar 4 19:08:09.891: HSRP: Vl1 Grp 1 Hello out 172.16.1.111 Active pri 150 vIP 172.16.1.113
*Mar 4 19:08:10.294: HSRP: Vl1 Grp 2 Hello in 172.16.1.112 Active pri 50 vIP 172.16.1.113
*Mar 4 19:08:10.294: HSRP: Vl1 API active virtual address 172.16.1.113 found
*Mar 4 19:08:10.294: HSRP: Vl1 API Duplicate ARP entry detected for 172.16.1.113
*Mar 4 19:08:10.294: HSRP: Vl1 Grp 1 Hello out 172.16.1.111 Active pri 150 vIP 172.16.1.113
*Mar 4 19:08:10.294: HSRP: Vl1 Grp 2 Hello in 172.16.1.112 Active pri 50 vIP 172.16.1.113
*Mar 4 19:08:10.294: HSRP: Vl1 API active virtual address 172.16.1.113 found
*Mar 4 19:08:10.898: HSRP: Vl1 API Duplicate ARP entry detected for 172.16.1.113
*Mar 4 19:08:10.898: HSRP: Vl1 Grp 1 Hello out 172.16.1.111 Active pri 150 vIP 172.16.1.113
*Mar 4 19:08:10.965: HSRP: Vl1 Grp 2 Hello in 172.16.1.112 Active pri 50 vIP 172.16.1.113
*Mar 4 19:08:11.300: HSRP: Vl1 API active virtual address 172.16.1.113 found
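The mismatch in that debug output is visible mechanically: the same virtual IP is advertised under Grp 1 by the local router and under Grp 2 by its peer, so both stay Active and the duplicate-ARP messages follow. The following added example (not from the Cisco slides) parses such hello lines and flags that condition; SAMPLE_DEBUG is a constructed excerpt built from the lines on the slide.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Added example (not from the Cisco slides): parse 'debug standby' hello lines and flag a
# virtual IP that is claimed under two different group numbers or by two Active routers.
# SAMPLE_DEBUG is constructed from the lines shown on the slide.

HELLO_RE = re.compile(
    r"HSRP: (?P<intf>\S+) Grp (?P<grp>\d+) Hello (?P<dir>in|out) (?P<src>[\d.]+) "
    r"(?P<state>\w+) pri (?P<pri>\d+) vIP (?P<vip>[\d.]+)"
)

SAMPLE_DEBUG = [
    "*Mar 4 19:08:08.918: HSRP: Vl1 Grp 1 Hello out 172.16.1.111 Active pri 150 vIP 172.16.1.113",
    "*Mar 4 19:08:09.287: HSRP: Vl1 Grp 2 Hello in 172.16.1.112 Active pri 50 vIP 172.16.1.113",
    "*Mar 4 19:08:09.287: HSRP: Vl1 API active virtual address 172.16.1.113 found",
    "*Mar 4 19:08:09.891: HSRP: Vl1 API Duplicate ARP entry detected for 172.16.1.113",
    "*Mar 4 19:08:09.891: HSRP: Vl1 Grp 1 Hello out 172.16.1.111 Active pri 150 vIP 172.16.1.113",
    "*Mar 4 19:08:10.294: HSRP: Vl1 Grp 2 Hello in 172.16.1.112 Active pri 50 vIP 172.16.1.113",
]

def parse_hellos(lines: List[str]) -> List[Dict]:
    """Keep only hello lines; the API/ARP chatter does not match the regex and is dropped."""
    hellos = []
    for line in lines:
        m = HELLO_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["grp"] = int(rec["grp"])
            rec["pri"] = int(rec["pri"])
            hellos.append(rec)
    return hellos

def find_vip_conflicts(lines: List[str]) -> List[Dict]:
    """One virtual IP must belong to exactly one group with exactly one Active router.
    Hellos for the same (interface, vIP) under different group numbers never form a
    group, so both peers stay Active and the duplicate-ARP messages follow."""
    seen = defaultdict(lambda: {"groups": set(), "active": set()})
    for h in parse_hellos(lines):
        key = (h["intf"], h["vip"])
        seen[key]["groups"].add(h["grp"])
        if h["state"] == "Active":
            seen[key]["active"].add(h["src"])
    findings = []
    for (intf, vip), info in seen.items():
        if len(info["groups"]) > 1 or len(info["active"]) > 1:
            findings.append({"interface": intf, "vip": vip,
                             "groups": sorted(info["groups"]),
                             "active_routers": sorted(info["active"])})
    return findings

if __name__ == "__main__":
    for f in find_vip_conflicts(SAMPLE_DEBUG):
        print(f"{f['interface']} vIP {f['vip']}: groups {f['groups']}, "
              f"active routers {f['active_routers']}")
```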


Access Control Lists

Introducing ACL Operation


Why Use ACLs?

Filtering: Manage IP traffic by filtering packets passing through a router

Classification: Identify traffic for special handling


ACL Applications: Filtering

Permit or deny packets moving through the router.

Permit or deny vty access to or from the router.

Without ACLs, all packets could be transmitted to all parts of your network.


ACL Applications: Classification

Special handling for traffic based on packet tests

Outbound ACL Operation

If no ACL statement matches, discard the packet.


A List of Tests: Deny or Permit


Types of ACLs

Standard ACL

– Checks source address

– Generally permits or denies entire protocol suite

Extended ACL

– Checks source and destination address

– Generally permits or denies specific protocols and applications

Two methods used to identify standard and extended ACLs:

– Numbered ACLs use a number for identification

– Named ACLs use a descriptive name or number for identification


How to Identify ACLs

Numbered standard IPv4 lists (1–99) test conditions of all IP packets for source addresses. Expanded range (1300–1999).

Numbered extended IPv4 lists (100–199) test conditions of source and destination addresses, specific TCP/IP protocols, and destination ports. Expanded range (2000–2699).

Named ACLs identify IP standard and extended ACLs with an alphanumeric string (name).  


IP Access List Entry Sequence Numbering

Requires Cisco IOS Release 12.3

Allows you to edit the order of ACL statements using sequence numbers

– In software earlier than Cisco IOS Release 12.3, a text editor is used to create ACL statements, then the statements are copied into the router in the correct order.

Allows you to remove a single ACL statement from the list using a sequence number

– With named ACLs in software earlier than Cisco IOS Release 12.3, you must use no {deny | permit} protocol source source-wildcard destination destination-wildcard to remove an individual statement.

– With numbered ACLs in software earlier than Cisco IOS Release 12.3, you must remove the entire ACL to remove a single ACL statement.


ACL Configuration Guidelines

Standard or extended indicates what can be filtered.

Only one ACL per interface, per protocol, and per direction is allowed.

The order of ACL statements controls testing; therefore, the most specific statements go at the top of the list.

The last ACL test is always an implicit deny-everything-else statement, so every list needs at least one permit statement.

ACLs are created globally and then applied to interfaces for inbound or outbound traffic.

An ACL can filter traffic going through the router, or traffic to and from the router, depending on how it is applied.

When placing ACLs in the network:

– Place extended ACLs close to the source

– Place standard ACLs close to the destination

Dynamic ACLs

Dynamic ACLs (lock-and-key): Users that want to traverse the router are blocked until they use Telnet to connect to the router and are authenticated.

Time-Based ACLs

Time-based ACLs: Allow for access control based on the time of day and week


Wildcard Bit Mask Abbreviations

172.30.16.29 0.0.0.0 matches all of the address bits

Abbreviate this wildcard mask using the IP address preceded by the keyword host (host 172.30.16.29)

0.0.0.0 255.255.255.255 ignores all address bits

Abbreviate this expression with the keyword any

Wildcard Bits: How to Check the Corresponding Address Bits

0 means to match the value of the corresponding address bit

1 means to ignore the value of the corresponding address bit


Wildcard Bits to Match IP Subnets

Match for IP subnets 172.30.16.0/24 to 172.30.31.0/24.

Address and wildcard mask:

172.30.16.0 0.0.15.255

Access Control Lists

Configuring and Troubleshooting ACLs


Testing Packets with Numbered Standard IPv4 ACLs


Numbered Standard IPv4 ACL Configuration

RouterX(config)# access-list access-list-number {permit | deny | remark} source [mask]

Uses 1 to 99 for the access-list-number.

The first entry is assigned a sequence number of 10, and successive entries are incremented by 10.

Default wildcard mask is 0.0.0.0 (only standard ACL).

no access-list access-list-number removes the entire ACL.

remark lets you add a description to the ACL.

RouterX(config-if)# ip access-group access-list-number {in | out}

Activates the list on an interface.

Sets inbound or outbound testing.

no ip access-group access-list-number {in | out} removes the ACL from the interface.

Numbered Standard IPv4 ACL Example 1

Permit my network only

RouterX(config)# access-list 1 permit 172.16.0.0 0.0.255.255
(implicit deny all - not visible in the list)
(access-list 1 deny 0.0.0.0 255.255.255.255)

RouterX(config)# interface ethernet 0
RouterX(config-if)# ip access-group 1 out
RouterX(config)# interface ethernet 1
RouterX(config-if)# ip access-group 1 out

Numbered Standard IPv4 ACL Example 2

Deny a specific host

RouterX(config)# access-list 1 deny 172.16.4.13 0.0.0.0
RouterX(config)# access-list 1 permit 0.0.0.0 255.255.255.255
(implicit deny all)
(access-list 1 deny 0.0.0.0 255.255.255.255)

RouterX(config)# interface ethernet 0
RouterX(config-if)# ip access-group 1 out

Numbered Standard IPv4 ACL Example 3

Deny a specific subnet

RouterX(config)# access-list 1 deny 172.16.4.0 0.0.0.255
RouterX(config)# access-list 1 permit any
(implicit deny all)
(access-list 1 deny 0.0.0.0 255.255.255.255)

RouterX(config)# interface ethernet 0
RouterX(config-if)# ip access-group 1 out
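The three examples above, together with the wildcard-mask rules and the configuration guidelines (first match wins, implicit deny, order matters, at least one permit), can be checked mechanically. The following added example (not from the Cisco slides) models a numbered standard ACL in Python, feeds it the slide's own access-list lines and also reports entries that an earlier line shadows; the class and function names are constructed for this illustration, and the source addresses tested against it are sample values.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Added example (not from the Cisco slides): a model of how a numbered standard ACL is
# matched, covering the wildcard-mask rules (0 = must match, 1 = ignore), the host/any
# abbreviations, first-match evaluation, the implicit deny and a check for entries that
# an earlier line shadows. The ACL lines fed to it are the slide's own examples.

IPV4 = re.compile(r"\d+\.\d+\.\d+\.\d+")

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A wildcard bit of 0 means the address bit must equal the base; 1 means ignore it."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def covers(outer: Tuple[str, str], inner: Tuple[str, str]) -> bool:
    """True if every address matched by inner (base, wildcard) is also matched by outer."""
    ob, ow = (int(ipaddress.IPv4Address(x)) for x in outer)
    ib, iw = (int(ipaddress.IPv4Address(x)) for x in inner)
    care = ~ow & 0xFFFFFFFF
    return (iw & care) == 0 and (ib & care) == (ob & care)

def parse_source(tokens: List[str]) -> Tuple[str, str]:
    """Source forms a standard ACL accepts: 'any', 'host A', 'A W', or bare 'A' (wildcard 0.0.0.0)."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255"
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0"
    if len(tokens) > 1 and IPV4.fullmatch(tokens[1]):
        return tokens[0], tokens[1]
    return tokens[0], "0.0.0.0"

class StandardAcl:
    def __init__(self, number: int):
        if not (1 <= number <= 99 or 1300 <= number <= 1999):
            raise ValueError("standard ACL numbers are 1-99 or 1300-1999")
        self.number = number
        self.entries: List[Tuple[int, str, str, str]] = []   # (seq, action, base, wildcard)

    def add(self, line: str) -> Optional[int]:
        """Accept 'access-list N {permit|deny|remark} ...' as typed on the slides."""
        t = line.split()
        if t[:1] != ["access-list"] or int(t[1]) != self.number:
            raise ValueError(f"not an entry for access-list {self.number}: {line}")
        if t[2] == "remark":
            return None                       # comments do not get a sequence number
        if t[2] not in ("permit", "deny"):
            raise ValueError(f"unknown action {t[2]!r}")
        base, wc = parse_source(t[3:])
        seq = 10 * (len(self.entries) + 1)    # 10, 20, 30, ... as IOS assigns them
        self.entries.append((seq, t[2], base, wc))
        return seq

    def evaluate(self, src: str) -> Tuple[str, Optional[int]]:
        """Top-down, first match wins; falling off the end is the implicit deny (seq None)."""
        for seq, action, base, wc in self.entries:
            if wildcard_match(src, base, wc):
                return action, seq
        return "deny", None

    def unreachable_entries(self) -> List[int]:
        """Sequence numbers of entries fully shadowed by an earlier entry (ordering mistakes)."""
        dead = []
        for i, (seq, _, base, wc) in enumerate(self.entries):
            if any(covers((eb, ew), (base, wc)) for _, _, eb, ew in self.entries[:i]):
                dead.append(seq)
        return dead

    def has_permit(self) -> bool:
        """Every list needs at least one permit, or it denies everything."""
        return any(action == "permit" for _, action, _, _ in self.entries)

if __name__ == "__main__":
    acl = StandardAcl(1)                       # slide example 2: deny one host, permit the rest
    acl.add("access-list 1 deny 172.16.4.13 0.0.0.0")
    acl.add("access-list 1 permit 0.0.0.0 255.255.255.255")
    print(acl.evaluate("172.16.4.13"), acl.evaluate("172.16.4.14"))   # ('deny', 10) ('permit', 20)
    print(wildcard_match("172.30.31.255", "172.30.16.0", "0.0.15.255"))   # True: inside the block
    print(wildcard_match("172.30.32.0", "172.30.16.0", "0.0.15.255"))     # False: just past it
```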


Standard ACLs to Control vty Access

RouterX(config-line)# access-class access-list-number {in | out}

Restricts incoming or outgoing connections between a particular vty and the addresses in an ACL

Example:

access-list 12 permit 192.168.1.0 0.0.0.255
(implicit deny any)
!
line vty 0 4
 access-class 12 in

Permits only hosts in network 192.168.1.0 0.0.0.255 to connect to the router vty lines

Testing Packets with Numbered Extended IPv4 ACLs


Numbered Extended IPv4 ACL Configuration

RouterX(config)# access-list access-list-number {permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]

Sets parameters for this list entry

RouterX(config-if)# ip access-group access-list-number {in | out}

Activates the extended list on an interface

Numbered Extended IPv4 ACL Example 1

Deny FTP traffic from subnet 172.16.4.0 to subnet 172.16.3.0 out E0
Permit all other traffic

RouterX(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
RouterX(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
RouterX(config)# access-list 101 permit ip any any
(implicit deny all)
(access-list 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255)

RouterX(config)# interface ethernet 0
RouterX(config-if)# ip access-group 101 out

Numbered Extended IPv4 ACL Example 2

Deny only Telnet traffic from subnet 172.16.4.0 out E0
Permit all other traffic

RouterX(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 any eq 23
RouterX(config)# access-list 101 permit ip any any
(implicit deny all)

RouterX(config)# interface ethernet 0
RouterX(config-if)# ip access-group 101 out

Named IP ACL Configuration

RouterX(config)# ip access-list {standard | extended} name

Alphanumeric name string must be unique

RouterX(config {std- | ext-}nacl)# [sequence-number] {permit | deny} {ip access list test conditions}
RouterX(config {std- | ext-}nacl)# {permit | deny} {ip access list test conditions}

If not configured, sequence numbers are generated automatically starting at 10 and incrementing by 10

no sequence-number removes the specific test from the named ACL

RouterX(config-if)# ip access-group name {in | out}

Activates the named IP ACL on an interface

Named Standard IPv4 ACL Example

Deny a specific host

RouterX(config)# ip access-list standard troublemaker
RouterX(config-std-nacl)# deny host 172.16.4.13
RouterX(config-std-nacl)# permit 172.16.4.0 0.0.0.255
RouterX(config-std-nacl)# interface e0
RouterX(config-if)# ip access-group troublemaker out

Named Extended IPv4 ACL Example

Deny Telnet from a specific subnet

RouterX(config)# ip access-list extended badgroup
RouterX(config-ext-nacl)# deny tcp 172.16.4.0 0.0.0.255 any eq 23
RouterX(config-ext-nacl)# permit ip any any
RouterX(config-ext-nacl)# interface e0
RouterX(config-if)# ip access-group badgroup out

Commenting ACL Statements

RouterX(config)# access-list access-list-number remark remark

Creates a numbered ACL comment

Or

RouterX(config)# ip access-list {standard|extended} name

Creates a named ACL

RouterX(config {std- | ext-}nacl)# remark remark

Creates a named ACL comment

Monitoring ACL Statements

RouterX# show access-lists {access-list number|name}

Displays all access lists

RouterX# show access-lists
Standard IP access list SALES
    10 deny   10.1.1.0, wildcard bits 0.0.0.255
    20 permit 10.3.3.1
    30 permit 10.4.4.1
    40 permit 10.5.5.1
Extended IP access list ENG
    10 permit tcp host 10.22.22.1 any eq telnet (25 matches)
    20 permit tcp host 10.33.33.1 any eq ftp
    30 permit tcp host 10.44.44.1 any eq ftp-data

Verifying ACLs

RouterX# show ip interfaces e0Ethernet0 is up, line protocol is up Internet address is 10.1.1.11/24 Broadcast address is 255.255.255.255 Address determined by setup command MTU is 1500 bytes Helper address is not set Directed broadcast forwarding is disabled Outgoing access list is not set Inbound access list is 1 Proxy ARP is enabled Security level is default Split horizon is enabled ICMP redirects are always sent ICMP unreachables are always sent ICMP mask replies are never sent IP fast switching is enabled IP fast switching on the same interface is disabled IP Feature Fast switching turbo vector IP multicast fast switching is enabled IP multicast distributed fast switching is disabled <text ommitted>


Troubleshooting Common ACL Errors

Error 1: Host 10.1.1.1 has no connectivity with 10.100.100.1.


LAN Extension into a WAN

Introducing VPN Solutions


What Is a VPN?

Virtual: Information within a private network is transported over a public network.

Private: The traffic is encrypted to keep the data confidential.


Benefits of VPN

Cost

Security

Scalability


Site-to-Site VPNs

Site-to-site VPN: extension of classic WAN


Remote-Access VPNs

Remote-access VPN: evolution of dial-in networks and ISDN


Cisco Easy VPN


VPN-Enabled Cisco IOS Routers


Cisco ASA Adaptive Security Appliances


VPN Clients

(legacy)


What Is IPsec?

IPsec acts at the network layer, protecting and authenticating IP packets. It is a framework of open standards that is algorithm independent. It provides data confidentiality, data integrity, and origin authentication.


IPsec Security Services

Confidentiality

Data integrity

Authentication

Antireplay protection


Confidentiality (Encryption)


Encryption Algorithms

Encryption algorithms:

– DES

– AES

– 3DES

– RSA


DH Key Exchange

Diffie-Hellman algorithms:

– DH1

– DH2

– DH5


Data Integrity

Hashing algorithms:

– HMAC-MD5

– HMAC-SHA-1


Authentication

Peer authentication methods:

– PSKs

– RSA signatures


IPsec Security Protocols


IPsec Framework


EZVPN server-side configuration, step 1: configure XAUTH

R1(config)#aaa new-model
R1(config)#aaa authentication login ezvpnauthen local
R1(config)#aaa authorization network ezvpnauthor local
R1(config)#username cisco password cisco
R1(config)#enable secret cisco
R1(config)#crypto isakmp xauth timeout 30

Step 2: create the IP address pool

R1(config)#ip local pool dypool 100.1.1.100 100.1.1.200

Step 3: configure the ISAKMP policy

R1(config)#crypto isakmp policy 1
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#group 2
R1(config-isakmp)#exit


EZVPN server-side configuration, step 4: define the user group policy

R1(config)#crypto isakmp client configuration group ezvpngroup
R1(config-isakmp-group)#key cisco123
R1(config-isakmp-group)#dns 100.1.1.10 100.1.1.11
R1(config-isakmp-group)#wins 100.1.1.12 100.1.1.13
R1(config-isakmp-group)#domain cisco.com
R1(config-isakmp-group)#pool dypool
R1(config-isakmp-group)#exit

Step 5: set the IPsec policy

R1(config)#crypto ipsec transform-set ezset esp-3des esp-sha-hmac
R1(cfg-crypto-trans)#mode transport
R1(cfg-crypto-trans)#exit

Step 6: define the Ezvpn profile

R1(config)#crypto isakmp profile vpnclient
R1(config-isakmp-profile)#match identity group ezvpngroup
R1(config-isakmp-profile)#client authen list ezvpnauthen
R1(config-isakmp-profile)#isakmp author list ezvpnauthor
R1(config-isakmp-profile)#client config address respond


EZVPN server-side configuration, step 7: create the dynamic crypto map

R1(config)#crypto dynamic-map dymap 1
R1(config-crypto-map)#set isakmp-profile vpnclient
R1(config-crypto-map)#set transform-set ezset
R1(config-crypto-map)#reverse-route
R1(config-crypto-map)#exit
R1(config)#crypto map MAP 10 ipsec-isakmp dynamic dymap

Step 8: apply the dynamic crypto map to the interface

R1(config)#int s0/0
R1(config-if)#crypto map MAP
R1(config-if)#exit


EZVPN client configuration

! The profile name "ezclient" is assumed here: the slide omits it, but IOS
! requires a name on "crypto ipsec client ezvpn" and on the interface commands.
crypto ipsec client ezvpn ezclient
 connect auto
 mode client
 group ezvpngroup key cisco123
 peer 10.1.1.1
interface e0/0
 crypto ipsec client ezvpn ezclient inside
interface s0/0
 crypto ipsec client ezvpn ezclient outside


PPPoE configuration using an ADSL modem

vpdn enable
no vpdn logging
vpdn-group 1
 request-dialin
  protocol pppoe
interface Ethernet0/0
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 no ip mroute-cache
interface Ethernet0/1
 no ip address
 pppoe enable
 pppoe-client dial-pool-number 1


PPPoE configuration using an ADSL modem

interface Dialer1
 ip address negotiated
 ip nat outside
 ip mtu 1492
 encapsulation ppp
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 ppp authentication pap
 ppp pap sent-username dg48907653@163.gd password xxxxxxxx
!
ip classless
no ip http server
!
dialer-list 1 protocol ip permit
ip nat inside source list 1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 dialer1

