Module Lesson TwoA


8/13/2019 Module Lesson TwoA

Infrastructure & Services Ltd

Training manual

Contents: Backbone Switches; Internet Infrastructure; MPLS/VPN Connection; Clientless VPN; Cisco AnyConnect; Site-to-Site VPN.

    Backbone Network

The backbone network is an important architectural element for building enterprise networks. It provides a path for the exchange of information between different LANs or subnetworks. A backbone can tie together diverse networks in the same building, in different buildings in a campus environment, or over wide areas. Generally, the backbone's capacity is greater than that of the networks connected to it.

A backbone is typically a network that interconnects other networks. In a switched network design the backbone is not as clearly defined: it is usually just the high-speed switches, such as the Cisco Catalyst 4500, 3750 and 3560 series, that aggregate traffic from the attached networks.

    Backbone Switches

The Cisco Catalyst 3750 v2 Series are energy-efficient Layer 3 Fast Ethernet stackable switches. Their unified stack management (Cisco StackWise) lets several units be configured and managed as one logical switch and provides stack-level redundancy and failover. With a range of Fast Ethernet and Gigabit Ethernet configurations, the Catalyst 3750 Series can serve both as an access-layer switch for medium-size enterprise wiring closets and as a backbone switch for mid-sized networks, providing a unified network for data, voice and video.

The Cisco Catalyst 3750 is available with two software images:

IP Base software includes advanced quality of service (QoS), rate limiting, access control lists (ACLs), Open Shortest Path First (OSPF) for routed access, and IPv6 functionality.

IP Services software provides a broader set of enterprise-class features, including advanced hardware-based IP unicast and IP multicast routing, as well as policy-based routing (PBR).

Figure: Cisco Catalyst 3750-24TS switches with IEEE 802.3af Power over Ethernet.


Detailed integration of the Catalyst 3750G 24TS (backbone) into the network

The two Cisco Catalyst 3750G 24TS switches are stacked and act as the VTP server for all the other switches in the network, with the following VLANs:

VLAN management
VLAN IPT (x2)
VLAN LAN
VLAN WAN: this VLAN is configured only toward the Cisco ASA5520 and toward the MPLS routers (Cisco 3945).

The backbone switch is the default gateway of all the networks, and the default gateway of the backbone switch is the Cisco ASA5520.

Because every access switch is a VTP client, the site-wide VLAN database is replaced by whichever VTP advertisement carries the highest configuration revision number. Configure a VTP domain password on the server and on the clients, and reset the configuration revision of any switch before it is connected to the domain (for example by changing its VTP domain name or placing it in transparent mode first), so that a mis-configured or rogue switch cannot wipe out the VLANs.

Catalyst 2960 48PST-L

One of the Cisco Catalyst 2960 switches is placed in the annex and connected to the backbone through two Gigabit Ethernet ports (each port to a different backbone switch). Two of the Cisco Catalyst 2960 switches are placed in the main site buildings and connected to the backbone through two optical ports (each port to a different backbone switch) in trunk mode. All the 2960 48PST-L switches are VTP clients of the backbone switch and have the following VLANs:

VLAN management
VLAN IPT (x2)
VLAN LAN

Catalyst 2960 8TC-L

Three of the Cisco Catalyst 2960 8TC-L switches are placed in the main site buildings and connected to the backbone through three SFP ports (each port to a different backbone switch) in trunk mode. All the 2960 8TC-L switches are VTP clients of the backbone switch and have the following VLANs:

VLAN management
VLAN IPT (x2)
VLAN LAN

Catalyst 2960 8TC-L (DMZ)

Two Cisco Catalyst 2960 8TC-L switches connected in a cluster are placed in the DMZ network, and each one is connected to a different Cisco ASA5520 in trunk mode. These switches carry VLAN DMZ. This VLAN is also configured on the Cisco ASA5520.

Catalyst 3750G 24TS (WAN)

Two Cisco Catalyst 3750G 24TS switches are stacked together and connected to the Cisco ASA5520 and to the Internet routers (Cisco 2911) in access mode.

Cisco 2911 (Internet)

In this implementation there are two Cisco 2911 routers. Each one is connected to a different ISP, and BGP is configured with both ISPs. The routers run HSRP between themselves, and each one is connected to a different Cisco 3750 24PS in the stack in access mode.

Cisco 3945-sec

Both Cisco 3945-sec routers are connected to the backbone through two Gigabit Ethernet ports (each port to a different backbone switch) in trunk mode, and each Cisco 3945-sec is connected to the MPLS network in access mode. The two Cisco 3945-sec routers are connected in a cluster.


Figure: schematic network diagram (not reproduced here) showing the interconnection of the devices to the backbone Cisco Catalyst 3750G 24TS switches and of the ASA 5520 firewall to the backbone.



    Internet Infrastructure


The Internet infrastructure is a hybrid design with a primary and a secondary Internet connection. The two links follow independent routes and are available at all times, and the choice between them is managed by BGP (Border Gateway Protocol). If the primary fails, the system switches over to the backup link automatically within 180 seconds; that figure is the default BGP hold time, after which a peer that has sent no keepalive (sent every 60 seconds by default) is declared down and its routes are withdrawn.

The primary Internet connection is a fiber-optic link, with the low latency and high capacity that implies, providing seamless broadband connectivity. The backup link is a satellite connection via the Atlanta point of presence (PoP). Bandwidth profiles are flexible and can be upgraded as the customer's current and future requirements demand.

BGP

BGP (Border Gateway Protocol) performs interdomain routing in Transmission Control Protocol/Internet Protocol (TCP/IP) networks. BGP is an exterior gateway protocol (EGP), which means that it performs routing between multiple autonomous systems or domains and exchanges routing and reachability information with other BGP systems. It uses TCP as the transport protocol, on port 179. Two BGP routers form a TCP connection with one another; these routers are peers. The peers exchange OPEN messages to agree on the session parameters (BGP version, AS number, hold time and router ID), then keep the session alive with KEEPALIVE messages and carry prefixes in UPDATE messages.

Configuration of BGP

    router bgp xxxx
     no synchronization
     bgp log-neighbor-changes
     network x.x.x.0 mask y.y.y.y                    ! customer LAN network
     neighbor z.z.z.z remote-as 8513
     neighbor z.z.z.z description Skyvision BGP
     neighbor z.z.z.z ebgp-multihop z
     neighbor z.z.z.z update-source FastEthernet0/0  ! fibre-optic (FOC) interface
     no auto-summary
    !
    ! floating static default route out of the VSAT interface with administrative
    ! distance 250, used only while no BGP-learned default route exists
    ip route 0.0.0.0 0.0.0.0 yyyyyyy 250
    ! host route to the multihop BGP peer via the ISP next hop
    ip route z.z.z.z 255.255.255.255 78.138.59.53

As written, the template has no neighbor password and no prefix filters. For a production peering add "neighbor z.z.z.z password <key>" (TCP MD5 authentication, RFC 2385) so that a spoofed TCP segment cannot reset or inject into the session, and attach prefix lists in both directions ("neighbor z.z.z.z prefix-list CUSTOMER-OUT out" and "neighbor z.z.z.z prefix-list ISP-IN in") so that the router announces only the customer prefix and accepts only what the ISP should send; otherwise a mistake on either side can leak or hijack routes.
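The OPEN exchange and hold-time negotiation described above, as an added Python example (not part of the manual and not Cisco code). It encodes and decodes BGP OPEN messages as defined in RFC 4271 and negotiates the timers the way two peers do, which is where the 180-second failover bound comes from. The local AS 65001 and the router IDs are assumptions; the remote AS 8513 and the address 78.138.59.53 are the values used in the template above.

```python
import struct
from dataclasses import dataclass
from typing import Tuple

# Added example (not from the manual, not Cisco code): encode and decode BGP
# OPEN messages as defined in RFC 4271, then negotiate the hold time the way
# two peers do. The local AS 65001 and router IDs are assumptions; the
# remote AS 8513 and 78.138.59.53 are the values used in the manual's template.

BGP_MARKER = b"\xff" * 16      # 16 bytes of all ones precede every message
BGP_TYPE_OPEN = 1
BGP_HEADER_LEN = 19            # marker(16) + length(2) + type(1)
BGP_OPEN_MIN_LEN = 29          # header + version, AS, hold time, ID, opt len


@dataclass(frozen=True)
class OpenMessage:
    version: int
    my_as: int
    hold_time: int    # seconds; 0 means the session never expires
    bgp_id: str       # dotted-quad BGP identifier (router ID)


def build_open(my_as: int, hold_time: int, bgp_id: str) -> bytes:
    """Encode an OPEN with no optional parameters."""
    ident = bytes(int(octet) for octet in bgp_id.split("."))
    body = struct.pack("!BHH4sB", 4, my_as, hold_time, ident, 0)
    header = BGP_MARKER + struct.pack("!HB", BGP_HEADER_LEN + len(body), BGP_TYPE_OPEN)
    return header + body


def parse_open(raw: bytes) -> OpenMessage:
    """Decode an OPEN, rejecting what a careful peer answers with a NOTIFICATION."""
    if len(raw) < BGP_OPEN_MIN_LEN:
        raise ValueError("too short for an OPEN message")
    if raw[:16] != BGP_MARKER:
        raise ValueError("connection not synchronised (bad marker)")
    length, msg_type = struct.unpack("!HB", raw[16:19])
    if length != len(raw) or msg_type != BGP_TYPE_OPEN:
        raise ValueError("bad message length or type")
    version, my_as, hold_time, ident, opt_len = struct.unpack("!BHH4sB", raw[19:29])
    if version != 4:
        raise ValueError("unsupported version number")
    if 0 < hold_time < 3:      # RFC 4271 section 4.2: 1 or 2 seconds must be rejected
        raise ValueError("unacceptable hold time")
    if len(raw) != BGP_OPEN_MIN_LEN + opt_len:
        raise ValueError("optional parameter length mismatch")
    return OpenMessage(version, my_as, hold_time, ".".join(str(b) for b in ident))


def negotiate_timers(local: OpenMessage, remote: OpenMessage) -> Tuple[int, int]:
    """(hold_time, keepalive_interval): the smaller proposed hold time wins and
    keepalives go out every third of it, which is Cisco's default 180 s / 60 s."""
    hold = min(local.hold_time, remote.hold_time)
    return hold, hold // 3


def failover_bound_seconds(local: OpenMessage, remote: OpenMessage) -> int:
    """Worst case before a silent primary peer is declared down and its routes
    are withdrawn, letting the floating static default (AD 250) via VSAT take over."""
    return negotiate_timers(local, remote)[0]


if __name__ == "__main__":
    ours = parse_open(build_open(65001, 180, "192.0.2.1"))
    isp = parse_open(build_open(8513, 180, "78.138.59.53"))
    print("negotiated (hold, keepalive):", negotiate_timers(ours, isp))
    print("failover bound:", failover_bound_seconds(ours, isp), "seconds")
```

Lowering the hold time on the router ("timers bgp 30 90" under router bgp, an assumption about what a given ISP will accept) shortens the failover window in the same way the negotiation above shows: the smaller of the two proposed values is what both sides use.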

Hot Standby Router Protocol (HSRP)

Cisco developed a proprietary protocol called Hot Standby Router Protocol (HSRP) that allows multiple routers or multilayer switches to masquerade as a single gateway. This is accomplished by assigning a virtual IP address to all routers participating in HSRP. All routers are assigned to a single HSRP group (numbered 0-255). Routers are then elected to specific roles:

Active Router: the router currently serving as the gateway
Standby Router: backup router to the Active Router
Listening Router: all other routers participating in HSRP

Only one Active and one Standby router are allowed per HSRP group. HSRP routers regularly send Hello packets (by default, every 3 seconds) to ensure all routers are functioning. If the current Active Router fails (no hello is heard from it for the hold time, 10 seconds by default), the Standby Router is made active and a new Standby is elected. The role of an HSRP router is dictated by its priority. Whichever router has the highest priority (a higher value is better) becomes the Active Router; the second highest priority becomes the Standby Router. If all priorities are equal, whichever router has the highest IP address on its HSRP interface becomes active. A router with a higher priority does not take the Active role away from a router that is already Active unless preemption is enabled on it.

Each router in the HSRP group retains the address configured on its respective interface. However, the HSRP group is assigned a virtual IP address, which client computers point to as their default gateway.

Switch 1:

    Switch(config)# int fa0/10
    Switch(config-if)# no switchport
    Switch(config-if)# ip address 192.168.1.5 255.255.255.0
    Switch(config-if)# standby 1 priority 50
    Switch(config-if)# standby 1 preempt
    Switch(config-if)# standby 1 ip 192.168.1.1
    Switch(config-if)# standby 1 authentication CISCO

Switch 2:

    Switch(config)# int fa0/10
    Switch(config-if)# no switchport
    Switch(config-if)# ip address 192.168.1.6 255.255.255.0
    Switch(config-if)# standby 1 priority 75
    Switch(config-if)# standby 1 preempt
    Switch(config-if)# standby 1 ip 192.168.1.1
    Switch(config-if)# standby 1 authentication CISCO
    Switch(config-if)# standby 1 track fa0/12 50

With these values Switch 2 (priority 75) is Active and Switch 1 (priority 50) is Standby. If the tracked uplink fa0/12 on Switch 2 goes down, its priority is decremented by 50 to 25, and because preempt is enabled on Switch 1 it takes over the virtual address 192.168.1.1; when fa0/12 comes back, Switch 2 preempts again.

"standby 1 authentication CISCO" is plaintext authentication: the key string travels in the clear in every hello, so anyone who can capture traffic on the segment can send hellos with the same string, priority 255 and preempt, and become the default gateway for the whole VLAN. Use MD5 authentication instead ("standby 1 authentication md5 key-string <key>", or a key chain) and keep HSRP interfaces off untrusted segments.
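The election rules just described, as an added Python model (not part of the manual and not Cisco code). It ranks routers by effective priority and then by highest interface IP, applies the tracking decrement and the preempt rule, and reproduces the Switch 1 / Switch 2 configuration above; the "rogue" host, its address 192.168.1.200 and the interface names are assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional

# Added example (not from the manual, not Cisco code): a model of HSRP role
# election for one group, covering priority, the highest-IP tie-break,
# interface tracking with a priority decrement, and preemption. Switch1 and
# Switch2 reproduce the manual's configuration; the "rogue" host, its
# address 192.168.1.200 and the interface names are assumptions.


@dataclass
class HsrpRouter:
    name: str
    ip: str                                  # address on the HSRP interface
    priority: int = 100                      # IOS default priority
    preempt: bool = False                    # "standby <n> preempt"
    tracked: Dict[str, int] = field(default_factory=dict)   # interface -> decrement
    link_up: Dict[str, bool] = field(default_factory=dict)  # interface -> state

    def effective_priority(self) -> int:
        """Configured priority minus the decrement of every tracked interface that is down."""
        down = sum(dec for iface, dec in self.tracked.items()
                   if not self.link_up.get(iface, True))
        return max(0, self.priority - down)


def elect(routers: List[HsrpRouter], current_active: Optional[str] = None) -> Dict[str, str]:
    """Return the Active and Standby router for the group.

    Ranking is effective priority first, highest interface IP second. A router
    that already holds the Active role keeps it unless the better router has
    preempt enabled; every other participant is a Listening router."""
    ranked = sorted(routers,
                    key=lambda r: (r.effective_priority(), IPv4Address(r.ip)),
                    reverse=True)
    active = ranked[0]
    if current_active is not None and active.name != current_active and not active.preempt:
        active = next(r for r in routers if r.name == current_active)
    standby = next((r for r in ranked if r.name != active.name), None)
    return {"active": active.name, "standby": standby.name if standby else ""}


def manual_scenario(uplink_up: bool) -> Dict[str, str]:
    """Switch1/Switch2 as configured in the manual, with Switch2 currently Active."""
    sw1 = HsrpRouter("Switch1", "192.168.1.5", priority=50, preempt=True)
    sw2 = HsrpRouter("Switch2", "192.168.1.6", priority=75, preempt=True,
                     tracked={"fa0/12": 50}, link_up={"fa0/12": uplink_up})
    return elect([sw1, sw2], current_active="Switch2")


def rogue_scenario() -> Dict[str, str]:
    """What plaintext authentication does not stop: a host on the segment that
    replays the key string from a captured hello, with priority 255 and preempt,
    wins the election and becomes the default gateway for the VLAN."""
    sw1 = HsrpRouter("Switch1", "192.168.1.5", priority=50, preempt=True)
    sw2 = HsrpRouter("Switch2", "192.168.1.6", priority=75, preempt=True)
    rogue = HsrpRouter("rogue", "192.168.1.200", priority=255, preempt=True)
    return elect([sw1, sw2, rogue], current_active="Switch2")


if __name__ == "__main__":
    print("uplink up:  ", manual_scenario(True))
    print("uplink down:", manual_scenario(False))
    print("rogue host: ", rogue_scenario())
```

The model deliberately ignores authentication, because with plaintext authentication the key string offers the election no protection: the rogue scenario is exactly the hello exchange the real switches would accept. MD5 authentication changes the outcome by making the rogue's hellos fail verification before they reach the election.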

WAN:

Installation of two Cisco 3945-SEC routers with hardware encryption acceleration and two power supplies each for redundancy, in addition to HWIC-4ESW cards, which provide four 10/100 copper ports. The routers include the Advanced IP Services software, which allows configuration of tunnel encryption on the router.

HSRP is configured between the routers.

These routers will be connected to the MPLS lines when the service contract is concluded by the agency.

For data protection purposes, GRE over IPsec encryption is configured on the routers.


A routing protocol runs inside the IPsec-protected tunnel.

A GRE tunnel is implemented on the WAN line. It keeps the internal addressing out of the infrastructure provider's routing (the provider only sees the tunnel endpoint addresses), and it allows dynamic routing and multicast protocols, which IPsec crypto maps cannot carry on their own, to run over the WAN lines. The GRE tunnels are configured statically between the main site and the branches in such a way that all branch traffic is routed to the main site. GRE on its own encrypts nothing, so WAN network security is accomplished with IPsec, which protects the GRE packets, and with them the internal addresses and payloads, in transit.

IPsec provides confidentiality through encryption (DES, 3DES, AES). DES is broken and 3DES is deprecated, so AES should be used; stronger ciphers and longer keys cost CPU, although on the 3945 the hardware crypto module carries most of that load. Within the tunnel, a routing protocol performs routing between the networks. These routers are connected to the Catalyst 3750G switches with two copper cables at 100 Mbps on the WAN VLAN.
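The encapsulation described above, as an added Python example (not part of the manual and not Cisco code). It wraps an inner IPv4 packet in GRE with an outer IPv4 header and then reads the packet back the way a device on the provider's path would, showing that without the IPsec layer the private inner addresses are still fully visible. The addresses are constructed: documentation ranges 203.0.113.0/24 and 198.51.100.0/24 as tunnel endpoints, RFC 1918 addresses inside. The IPsec step itself is not shown because it needs a cipher library outside the standard library.

```python
import struct
from ipaddress import IPv4Address
from typing import Tuple

# Added example (not from the manual, not Cisco code): wrap an inner IPv4
# packet in GRE (RFC 2784) with an outer IPv4 header, then show that anyone
# on the WAN path can still read the inner addresses. GRE gives the provider
# nothing to route except the tunnel endpoints; only IPsec (not shown here)
# hides the payload. All addresses are constructed for the example.

ETHERTYPE_IPV4 = 0x0800
IPPROTO_GRE = 47


def _checksum(hdr: bytes) -> int:
    """Standard ones-complement checksum over an even-length header."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    total_len = 20 + payload_len
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner_packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Outer IP (protocol 47) + 4-byte GRE header (no checksum/key/sequence) + inner packet."""
    gre = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)
    outer = ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE, len(gre) + len(inner_packet))
    return outer + gre + inner_packet


def provider_view(tunnel_packet: bytes) -> Tuple[str, str, str, str]:
    """What the WAN provider reads from an unencrypted GRE packet:
    (outer src, outer dst, inner src, inner dst). The inner pair is the
    private LAN addressing the tunnel was supposed to hide."""
    ihl = (tunnel_packet[0] & 0x0F) * 4
    if tunnel_packet[9] != IPPROTO_GRE:
        raise ValueError("not a GRE packet")
    outer_src = str(IPv4Address(tunnel_packet[12:16]))
    outer_dst = str(IPv4Address(tunnel_packet[16:20]))
    flags, ptype = struct.unpack("!HH", tunnel_packet[ihl:ihl + 4])
    # optional GRE fields: C (0x8000) checksum+reserved, K (0x2000) key, S (0x1000) sequence
    gre_len = 4 + 4 * (bool(flags & 0x8000) + bool(flags & 0x2000) + bool(flags & 0x1000))
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("inner protocol is not IPv4")
    inner = tunnel_packet[ihl + gre_len:]
    return outer_src, outer_dst, str(IPv4Address(inner[12:16])), str(IPv4Address(inner[16:20]))


if __name__ == "__main__":
    payload = b"branch data"
    inner = ipv4_header("10.1.1.10", "10.2.2.20", 6, len(payload)) + payload
    tunnel = gre_encapsulate(inner, "203.0.113.1", "198.51.100.2")
    print("provider sees:", provider_view(tunnel))
```

With IPsec in place the provider's view stops at the outer header and an ESP header: the GRE header, the inner header and the payload are all inside the encrypted ESP body, which is the whole reason the design runs GRE over IPsec rather than GRE alone.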

To provide backup of the power supply, an RPS 2300 (Redundant Power System) is installed. It can be connected to up to six switches or routers and provides backup power to two of them simultaneously.

MPLS/VPN Connection

"MPLS" and "VPN" are two different technology types. Multiprotocol Label Switching (MPLS) is a standards-based technology used to speed up the delivery of network packets over multiple protocols, such as the Internet Protocol (IP), Asynchronous Transfer Mode (ATM) and Frame Relay. A virtual private network (VPN) uses shared public telecom infrastructure, such as the Internet, to provide access to remote offices and users more cheaply than an owned or leased line. VPNs are built with tunneling protocols such as GRE, IPsec, PPTP, L2TP and MPLS. Only IPsec (or TLS, in the SSL VPN case below) actually encrypts and authenticates the traffic; GRE, L2TP and MPLS only separate it from other traffic, and PPTP's encryption, keyed from MS-CHAPv2, is broken and should not be used. An MPLS VPN therefore gives isolation inside the provider's network, not confidentiality from the provider, which is why this design runs GRE over IPsec across the MPLS lines. The most common definition of a VPN is a data network that utilizes a portion of a shared public network to extend a customer's private network. There are three basic VPN categories:

Intranet VPN: connects resources from the same company across that company's infrastructure. An example is the connection between different locations within a company's infrastructure, such as VPNs between two offices.

Extranet VPN: connects resources from one company to another company, such as a business partner. An example is a company that has outsourced its help desk functions and sets up a VPN to provide a secure connection from its corporate office to the outsourcing company.

Internet VPN: uses a public network as the backbone to transport VPN traffic between devices. As an example, you might use the Internet, which is a public network, to connect two sites together, or have telecommuters use their local ISPs to set up a VPN connection to the corporate network (remote access connection).

VPN components. The VPN realm consists of the following regions:

Customer network: consists of the routers at the various customer sites, called customer edge (CE) routers.

Provider network: the service provider devices to which the CE routers are directly attached are called provider edge (PE) routers. The service provider network also contains devices used only for forwarding data in the SP backbone, called provider (P) routers.

Clientless SSL VPN

An SSL VPN (Secure Sockets Layer virtual private network) is a form of VPN that can be used with a standard web browser. In contrast to the traditional Internet Protocol Security (IPsec) VPN, an SSL VPN does not require the installation of specialized client software on the end user's computer. It is used to give remote users access to web applications, client/server applications and internal network connections.

A virtual private network (VPN) provides a secure communications mechanism for data and other information transmitted between two endpoints. An SSL VPN consists of one or more VPN devices to which the user connects using a web browser. The traffic between the web browser and the SSL VPN device is encrypted with the SSL protocol or, in any current deployment, its successor, the Transport Layer Security (TLS) protocol; SSL itself is deprecated and should be disabled on the gateway.

An SSL VPN offers versatility, ease of use and granular control for a range of users on a variety of computers, accessing resources from many locations. There are two major types of SSL VPN:

SSL Portal VPN: allows a single SSL connection to a web site so the end user can securely access multiple network services. The site is called a portal because it is one door (a single page) that leads to many other resources. The remote user accesses the SSL VPN gateway using any modern web browser, identifies himself or herself to the gateway using an authentication method supported by the gateway, and is then presented with a web page that acts as the portal to the other services.

SSL Tunnel VPN: allows a web browser to securely access multiple network services, including applications and protocols that are not web-based, through a tunnel that runs under SSL. SSL tunnel VPNs require that the web browser be able to handle active content, which lets them provide functionality that is not accessible to SSL portal VPNs. Historically that active content was Java, JavaScript, ActiveX or Flash applets and plug-ins; Java applets, ActiveX and Flash are no longer supported by current browsers, so tunnel-mode access today is delivered by a small downloadable client such as AnyConnect. Services can also be reached through the Remote Desktop Protocol (RDP) via the portal.

Cisco AnyConnect

The virtual private network (VPN) is one key technology for boosting Internet security and enabling safe remote access for users who need access to enterprise wide area networks (WANs) and the resources they deliver. VPNs interconnect all kinds of users and locations (the diagram of popular VPN clients referred to here is not reproduced). Four clients are commonly listed for enterprise use: the Cisco VPN client, TeamViewer, Golden Frog's VyprVPN and PureVPN. Of these only the Cisco client (the legacy IPsec VPN Client, since superseded by Cisco AnyConnect, which is the client the ASA supports) is a true enterprise remote-access client; TeamViewer is a remote-support tool, and VyprVPN and PureVPN are consumer privacy services that tunnel to the vendor's servers rather than to the corporate network.

VPN client software must work on all user devices, such as PCs, notebooks, tablets and smartphones; if a platform is left out, users find unmanaged workarounds, which is how VPN security breaches start. VPN protocols must work end-to-end through firewalls, routers and switches, and IT must pick VPN devices that are compatible and interoperable with the concentrators (routers and firewalls), appliances and servers.

Site-to-site VPN

A site-to-site VPN allows offices in multiple fixed locations to establish secure connections with each other over a public network such as the Internet. A site-to-site VPN extends the company's network, making computer resources from one location available to employees at other locations. An example of a company that needs a site-to-site VPN is a growing corporation with dozens of branch offices around the world.

There are two types of site-to-site VPN:

Intranet-based: if a company has one or more remote locations that it wishes to join in a single private network, it can create an intranet VPN to connect each separate LAN into a single WAN.

Extranet-based: when a company has a close relationship with another company (such as a partner, supplier or customer), it can build an extranet VPN that connects those companies' LANs. This extranet VPN allows the companies to work together in a secure, shared network environment while preventing access to their separate intranets.

Even though the purpose of a site-to-site VPN is different from that of a remote-access VPN, it can use some of the same software and equipment. Ideally, though, a site-to-site VPN should eliminate the need for each computer to run VPN client software as if it were on a remote-access VPN. Now that you know the two types of VPN, let's look at how your data is kept secure as it travels across a VPN.


Purpose of site-to-site VPN

A VPN's purpose is to provide a secure and reliable private connection between computer networks over an existing public network, typically the Internet. Now, let's consider the benefits and features a company should expect from a VPN.

A well-designed VPN provides an organization with the following benefits:

Extended connections across multiple geographic locations without using a leased line
Improved security for exchanging data
Flexibility for remote offices and employees to use the company intranet over an existing Internet connection as if they were directly connected to the network
Savings in time and expense for employees who work from virtual workplaces instead of commuting
Improved productivity for remote employees

A company might not require all these benefits from its VPN, but it should have the following essential properties:

Security: the VPN should protect data while it is traveling on the public network. If intruders capture the data, they should be unable to read or use it, and they should be unable to alter it without detection.

Reliability: employees and remote offices should be able to connect to the VPN with no trouble at any time (unless hours are restricted), and the VPN should provide the same quality of connection for each user even when it is handling its maximum number of simultaneous connections.

Scalability: as an organization grows, it should be able to extend its VPN services to handle that growth without replacing the VPN technology altogether.

Equipment used in VPNs

VPN components are dedicated devices a business can add to its network. You can purchase these devices from companies that produce network equipment, such as Cisco:

VPN concentrator: a dedicated appliance whose hardware and software work together to establish VPN tunnels and handle large numbers of simultaneous connections. It terminates the tunnels itself but normally still checks user credentials against an AAA server (RADIUS or TACACS+) rather than replacing it.

VPN-enabled/VPN-optimized router: a typical router that forwards traffic on a network, but with the added feature of terminating tunnels using VPN-specific protocols (GRE, IPsec).

VPN-enabled firewall: a conventional firewall protecting traffic between networks, but with the added feature of terminating tunnels using VPN-specific protocols, as the ASA5520 does in this design.

VPN client: software running on a user's device, or on a small dedicated device that acts as the tunnel endpoint for the hosts behind it. The dedicated-device setup spares each computer from having to run its own VPN client software.