8/13/2019 Module Lesson TwoA
Infrastructure & Services Ltd
Training manual
Topics: Backbone Switches; Internet Infrastructure; MPLS/VPN Connection; Clientless VPN; Cisco AnyConnect; Site-to-Site VPN.
Backbone Network
The backbone network is an important architectural element for building enterprise networks.
It provides a path for the exchange of information between different LANs or subnetworks. A
backbone can tie together diverse networks in the same building, in different buildings in a
campus environment, or over wide areas. Generally, the backbone's capacity is greater than
that of the networks connected to it.
A backbone is typically a network that interconnects other networks. In a switched network
design, the backbone is not as clearly defined: it is usually just the high-speed switches, such as
Cisco Catalyst 4500, 3750 and 3560 series switches, that aggregate traffic from the attached
networks.
Backbone Switches
The Cisco Catalyst 3750 v2 Series are next-generation, energy-efficient Layer 3 Fast
Ethernet stackable switches. Their innovative unified stack management raises the bar in stack
management, redundancy, and failover. With a range of Fast Ethernet and Gigabit Ethernet
configurations, the Cisco Catalyst 3750 Series can serve both as a powerful access-layer
switch for medium enterprise wiring closets and as a backbone switch for mid-sized networks.
It helps increase productivity and protects your network investment by providing a unified
network for data, voice, and video.
The Cisco Catalyst 3750 is available with two software images:
- IP Base software includes advanced quality of service (QoS), rate limiting, access
  control lists (ACLs), Open Shortest Path First (OSPF) for routed access, and IPv6
  functionality.
- IP Services software provides a broader set of enterprise-class features, including
  advanced hardware-based IP unicast and IP multicast routing, as well as policy-based
  routing (PBR).
Cisco Catalyst 3750-24T Switches with IEEE 802.3af Power
Networking: detailed component integration of the Catalyst 3750G 24TS into the network (backbone)
The two Cisco Catalyst 3750G 24TS switches are stacked and act as the VTP server for all
the other switches in the network, with the following VLANs:
- VLAN management
- VLAN IPT x2
- VLAN LAN
- VLAN WAN: this VLAN is configured only toward the Cisco ASA5520 and toward the MPLS
  routers (Cisco 3945).
The backbone switch is the default gateway of all the networks, and the default
gateway of the backbone switch is the Cisco ASA5520.
Catalyst 2960 48PST-L
One of the Cisco Catalyst 2960 switches is placed in the annex and connected to
the backbone through two Gigabit Ethernet ports (each port to a different backbone switch).
Two of the Cisco Catalyst 2960 switches are placed in the main site buildings and
connected to the backbone through two optical ports (each port to a different backbone
switch) in trunk mode. All the 2960 48PST-L switches are VTP clients of the backbone
switch and have the following VLANs:
- VLAN management
- VLAN IPT x2
- VLAN LAN
Catalyst 2960 8TC-L
Three of the Cisco Catalyst 2960 8TC-L switches are placed in the main site
buildings and connected to the backbone through three SFP ports (each port to a different
backbone switch) in trunk mode. All the 2960 8TC-L switches are VTP clients of the backbone
switch and have the following VLANs:
- VLAN management
- VLAN IPT x2
- VLAN LAN
Catalyst 2960 8TC-L (DMZ)
Two Cisco Catalyst 2960 8TC-L switches connected in a cluster are placed in the
DMZ network, and each one is connected to a different Cisco ASA5520 in trunk mode.
These switches carry VLAN DMZ. This VLAN is also configured on the Cisco ASA5520.
Catalyst 3750G 24TS (WAN)
Two Cisco Catalyst 3750G 24TS switches are stacked together and connected to the
Cisco ASA5520 and to the Internet routers (Cisco 2911) in access mode.
Cisco 2911 (Internet)
In this implementation there are two Cisco 2911 routers; each one is connected to a
different ISP and is configured to run BGP with both of the ISPs. The routers run HSRP
between them, and each one is connected to a different Cisco 3750 24PS in the stack in
access mode.
Cisco 3945-sec
Both Cisco 3945-sec routers are connected to the backbone through two Gigabit
Ethernet ports (each port to a different backbone switch) in trunk mode, and each
Cisco 3945-sec is connected to the MPLS network in access mode. Both Cisco
3945-sec routers are connected in a cluster.
In the schematic network diagram above we see the various interconnections of devices to
the backbone Cisco Catalyst 3750G 24TS switches and of the ASA 5520 firewall to the backbone.
The backbone switch is the default gateway of all the networks, and the default gateway of
the backbone switch is the Cisco ASA5520.
Two Cisco Catalyst 3750G 24TS switches are stacked together and connected to the Cisco
ASA5520 and to the Internet routers (Cisco 2911) in access mode.
We saw that both Cisco 3945-sec routers are connected to the backbone through two
Gigabit Ethernet ports (each port to a different backbone switch) in trunk mode, and that
each Cisco 3945-sec is connected to the MPLS network in access mode. Both Cisco
3945-sec routers are connected in a cluster.
Internet Infrastructure
In this implementation there are two Cisco 2911 routers; each one is connected to a
different ISP and is configured to run BGP with both of the ISPs. The routers run HSRP
between one another, and each one is connected to a different Cisco 3750 24PS in the stack
in access mode.
The Internet infrastructure is a hybrid design with a primary and a secondary Internet
connection, where both links follow independent routes and are available at all
times, managed by BGP (Border Gateway Protocol). In the event of a failure of the primary,
the system automatically switches over to the backup link within 180 seconds.
The primary Internet connection is a fiber-optic connection with all its inherent advantages
(low latency, high capacity, etc.), providing seamless broadband connectivity. The
backup link is a satellite connection via the Atlanta point of presence (PoP).
Flexible bandwidth profiles meet the customer's current and future needs; the bandwidth
schemes can be upgraded based on the customer's requirements:
BGP
BGP (Border Gateway Protocol) performs interdomain routing in Transmission Control
Protocol/Internet Protocol (TCP/IP) networks. BGP is an exterior gateway protocol (EGP),
which means that it performs routing between multiple autonomous systems or domains and
exchanges routing and reachability information with other BGP systems. It uses TCP as the
transport protocol, on port 179. Two BGP routers form a TCP connection between one
another; these routers are peer routers. The peer routers exchange OPEN messages to
confirm the connection parameters.
Configuration of BGP (placeholders as in the original: xxxx is the local AS number,
x.x.x.0 / y.y.y.y the advertised customer LAN, z.z.z.z the peer address, z the multihop count)
router bgp xxxx
 no synchronization
 bgp log-neighbor-changes
 network x.x.x.0 mask y.y.y.y
 ! the line above advertises the customer LAN network
 neighbor z.z.z.z remote-as 8513
 neighbor z.z.z.z description Skyvision BGP
 neighbor z.z.z.z ebgp-multihop z
 ! the peer is not directly connected, so allow up to z hops
 neighbor z.z.z.z update-source FastEthernet0/0
 ! source the session from the FOC (fiber) interface
 no auto-summary
!
! Floating static default route via the VSAT interface: administrative distance 250 means
! it is used only while no better (lower-distance) default, such as one learned from the
! BGP peer, is present.
ip route 0.0.0.0 0.0.0.0 <VSAT interface> 250
! Host route to the BGP peer so the multihop session always leaves via this next hop.
ip route z.z.z.z 255.255.255.255 78.138.59.53
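As an added example (not code from the manual), the following Python model shows why the two static routes above behave as they do: the host route wins over the default by longest-prefix match regardless of distance, and the distance-250 default only carries traffic once the BGP-learned default is withdrawn. The 180-second switchover the text mentions matches the default BGP hold time, after which the peer is declared down. Addresses, the Rib class and edge_failover() are my own constructed names.

```python
"""Constructed model of the Internet edge configured above: a default route learned
from the eBGP peer over the fiber link, a floating static default (distance 250) via
the VSAT interface, and a host route toward the multihop peer. Added example, not
part of the manual; all addresses are constructed sample values."""
import ipaddress
from dataclasses import dataclass

# Administrative distances IOS assigns to the two route sources used here.
AD = {"ebgp": 20, "static": 250}


@dataclass(frozen=True)
class Route:
    prefix: str    # destination in CIDR form, e.g. "0.0.0.0/0"
    next_hop: str  # next-hop address or outgoing interface name
    source: str    # "ebgp" or "static"


class Rib:
    """Minimal routing table: longest prefix wins, then lowest distance."""

    def __init__(self):
        self.routes = set()

    def add(self, route):
        self.routes.add(route)

    def withdraw(self, source):
        """Drop every route from one source, e.g. when the BGP session goes down."""
        self.routes = {r for r in self.routes if r.source != source}

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        cands = [r for r in self.routes if addr in ipaddress.ip_network(r.prefix)]
        if not cands:
            return None
        return max(cands, key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen,
                                         -AD[r.source]))


def edge_failover():
    """Return the next hop used for Internet traffic before the BGP session drops,
    the next hop used to reach the peer itself, and the next hop after the drop."""
    rib = Rib()
    # ip route 0.0.0.0 0.0.0.0 <VSAT interface> 250  (floating static backup)
    rib.add(Route("0.0.0.0/0", "Vsat0", "static"))
    # ip route z.z.z.z 255.255.255.255 78.138.59.53  (z.z.z.z is 203.0.113.9 here)
    rib.add(Route("203.0.113.9/32", "78.138.59.53", "static"))
    # Default route received from AS 8513 once the eBGP session is established.
    rib.add(Route("0.0.0.0/0", "198.51.100.1", "ebgp"))
    via_fiber = rib.lookup("8.8.8.8").next_hop    # eBGP (20) beats static (250)
    to_peer = rib.lookup("203.0.113.9").next_hop  # /32 beats /0 regardless of distance
    rib.withdraw("ebgp")  # hold timer expires: peer declared down, its routes withdrawn
    via_vsat = rib.lookup("8.8.8.8").next_hop     # floating static now carries traffic
    return via_fiber, to_peer, via_vsat
```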
Hot Standby Router Protocol (HSRP)
Cisco developed a proprietary protocol called Hot Standby Router Protocol (HSRP) that
allows multiple routers or multilayer switches to masquerade as a single gateway.
This is accomplished by assigning a virtual IP address to all routers participating in HSRP.
All routers are assigned to a single HSRP group (numbered 0-255). Routers are then
elected to specific roles:
- Active Router: the router currently serving as the gateway
- Standby Router: the backup router to the Active Router
- Listening Router: all other routers participating in HSRP
Only one Active and one Standby router are allowed per HSRP group. HSRP routers
regularly send Hello packets (by default, every 3 seconds) to ensure all routers are
functioning. If the current Active Router fails, the Standby Router is made active, and a
new Standby is elected. The role of an HSRP router is dictated by its priority.
Whichever router has the highest priority (a higher value is better) becomes the Active
Router; the second highest priority becomes the Standby Router. If all priorities are equal,
whichever router has the highest IP address on its HSRP interface becomes active.
Each router in the HSRP group retains the address configured on its respective interface.
However, the HSRP group is assigned a virtual IP address, which client computers point to
as their default gateway.
Switch 1:
Switch(config)# int fa0/10
Switch(config-if)# no switchport
Switch(config-if)# ip address 192.168.1.5 255.255.255.0
Switch(config-if)# standby 1 priority 50
Switch(config-if)# standby 1 preempt
Switch(config-if)# standby 1 ip 192.168.1.1
Switch(config-if)# standby 1 authentication CISCO
Switch 2:
Switch(config)# int fa0/10
Switch(config-if)# no switchport
Switch(config-if)# ip address 192.168.1.6 255.255.255.0
Switch(config-if)# standby 1 priority 75
Switch(config-if)# standby 1 preempt
Switch(config-if)# standby 1 ip 192.168.1.1
Switch(config-if)# standby 1 authentication CISCO
Switch(config-if)# standby 1 track fa0/12 50
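As an added example (not code from the manual), the following Python model applies the election rules above to the two switches in the configuration: Switch 2 (priority 75) is Active, but when its tracked interface fa0/12 goes down its priority drops by 50 to 25 and Switch 1 (priority 50, with preempt) takes over; when the interface recovers, Switch 2 preempts again. The HsrpRouter class, elect() and manual_scenario() are my own names.

```python
"""Constructed model of the HSRP election rules described above: highest priority wins,
ties go to the highest interface address, preempt decides whether a better router may
displace the incumbent, and interface tracking lowers a router's priority. Added example,
not from the manual."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class HsrpRouter:
    name: str
    ip: str                      # address configured on the HSRP interface
    priority: int = 100          # IOS default when no 'standby priority' is set
    preempt: bool = False
    tracked: dict = field(default_factory=dict)  # interface name -> decrement
    down: set = field(default_factory=set)       # tracked interfaces currently down

    def effective_priority(self):
        """Configured priority minus the decrement of every tracked interface that is down."""
        return self.priority - sum(dec for ifc, dec in self.tracked.items() if ifc in self.down)


def election_key(router):
    # Higher priority wins; on a tie the higher interface IP address wins.
    return (router.effective_priority(), int(ipaddress.ip_address(router.ip)))


def elect(group, current_active=None):
    """Return (active, standby) names. The best-ranked router takes the Active role
    unless an incumbent is still alive and the challenger lacks preempt."""
    ranked = sorted(group, key=election_key, reverse=True)
    best = ranked[0]
    incumbent_alive = current_active is not None and current_active in group
    if incumbent_alive and best is not current_active and not best.preempt:
        active = current_active
    else:
        active = best
    standby = next(r for r in ranked if r is not active)
    return active.name, standby.name


def manual_scenario():
    """The two switches from the configuration above, with the tracked uplink failing."""
    sw1 = HsrpRouter("Switch1", "192.168.1.5", priority=50, preempt=True)
    sw2 = HsrpRouter("Switch2", "192.168.1.6", priority=75, preempt=True,
                     tracked={"fa0/12": 50})
    group = [sw1, sw2]
    initial = elect(group)                          # Switch2: priority 75 > 50
    sw2.down.add("fa0/12")                          # tracked uplink fails: 75 - 50 = 25
    after_fail = elect(group, current_active=sw2)   # Switch1 (50) preempts
    sw2.down.discard("fa0/12")                      # uplink recovers: back to 75
    recovered = elect(group, current_active=sw1)    # Switch2 preempts again
    return initial, after_fail, recovered
```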
WAN:
Installation of two Cisco 3945-SEC routers with hardware encryption and two power
supplies for redundancy, in addition to HWIC-4ESW cards, which contain 4 copper 10/100
ports. The routers include the Advanced IP Services software, which allows configuration of
tunnel encryption on the router.
HSRP is configured between the routers.
These routers will be connected to MPLS lines when the service contract is concluded by the agency.
For data protection purposes, GRE over IPsec encryption is configured on the routers.
A routing protocol is defined within the IPsec tunnel.
A GRE tunnel is implemented on the WAN line, protecting internal addresses from the
infrastructure provider as well as enabling dynamic routing and multicast protocols over the
WAN lines. The GRE tunnel is configured statically between the main site and the branches in
such a manner that all branch traffic is routed to the main site. WAN network security is
accomplished by way of the IPsec protocol, which secures traffic data on the WAN
network.
IPsec protocols provide information protection by way of encryption (DES, 3DES, AES). It is
important to note that high encryption levels may affect the routers' performance. Within the
tunnel, we'll use a routing protocol that will perform routing between networks. These
routers are connected to the Catalyst 3750G switches with two copper cables at a rate of
100 Mbps on a WAN VLAN.
To back up the power supply, an RPS 2300 (Redundant Power System) is used: a
power supply backup system that allows connection of up to 6 switches/routers and
provides power supply backup for 2 of them simultaneously.
MPLS/VPN Connection
"MPLS" and "VPN" are two different technology types. Multiprotocol Label Switching
(MPLS) is a standards-based technology used to speed up the delivery of network packets
over multiple protocols, such as the Internet Protocol (IP), Asynchronous Transfer Mode
(ATM) and frame relay network protocols. A virtual private network (VPN) uses shared
public telecom infrastructure, such as the Internet, to provide secure access to remote
offices and users more cheaply than an owned or leased line. VPNs are secure
because they use tunneling protocols and procedures in implementing the VPN, such as GRE,
IPsec, PPTP, L2TP and MPLS. The most common definition of a VPN is a data network that
utilizes a portion of a shared public network to extend a customer's private network. There
are three basic VPN categories:
Intranet VPN: An intranet VPN connects resources from the same company across that
company's infrastructure. An example of an intranet VPN is the connections between
different locations within a company's infrastructure, such as VPNs between two offices.
Extranet VPN: An extranet VPN connects resources from one company to another
company, such as a business partner. An example of an extranet is a company that has
outsourced its help desk functions and sets up a VPN to provide a secure connection from
its corporate office to the outsourcing company.
Internet VPN: An Internet VPN uses a public network as the backbone to transport VPN
traffic between devices. As an example, you might use the Internet, which is a public
network, to connect two sites together or have telecommuters use their local ISPs to set up
a VPN connection to the corporate network (remote access connection).
VPN components. The VPN realm consists of the following regions:
Customer network: consists of the routers at the various customer sites, called customer
edge (CE) routers.
Provider network: the service provider devices to which the CE routers are directly attached
are called provider edge (PE) routers; the service provider network might also consist of devices
used for forwarding data in the SP backbone, called provider (P) routers.
Clientless SSL VPN
An SSL VPN (Secure Sockets Layer virtual private network) is a form of VPN that can be
used with a standard Web browser. In contrast to the traditional Internet Protocol Security
(IPsec) VPN, an SSL VPN does not require the installation of specialized client software
on the end user's computer. It is used to give remote users access to Web
applications, client/server applications and internal network connections.
A virtual private network (VPN) provides a secure communications mechanism for data
and other information transmitted between two endpoints. An SSL VPN consists of one or
more VPN devices to which the user connects by using a Web browser. The traffic between
the Web browser and the SSL VPN device is encrypted with the SSL protocol or
its successor, the Transport Layer Security (TLS) protocol.
An SSL VPN offers versatility, ease of use and granular control for a range of users on a
variety of computers, accessing resources from many locations. There are two major types
of SSL VPNs:
SSL Portal VPN: This type of SSL VPN allows for a single SSL connection to a Web site
so the end user can securely access multiple network services. The site is called a portal
because it is one door (a single page) that leads to many other resources. The remote
user accesses the SSL VPN gateway using any modern Web browser, identifies himself or
herself to the gateway using an authentication method supported by the gateway and is
then presented with a Web page that acts as the portal to the other services.
SSL Tunnel VPN: This type of SSL VPN allows a Web browser to securely access
multiple network services, including applications and protocols that are not Web-based,
through a tunnel that is running under SSL. SSL tunnel VPNs require that the Web
browser be able to handle active content, which allows them to provide functionality that is
not accessible to SSL portal VPNs. Examples of active content include Java, JavaScript,
ActiveX, or Flash applications or plug-ins. Here the services are also accessed through
the Remote Desktop Protocol (RDP).
Cisco AnyConnect
The virtual private network (VPN) is one key technology for boosting Internet security and
enabling safe remote access for users who need access to enterprise wide area networks
(WANs) and the resources they can deliver. As you can see from the picture above, VPNs
interconnect all kinds of users and locations. The brief diagram shows popular VPN clients.
We review the top four popular VPN clients for enterprise use, including the Cisco VPN
client, TeamViewer, Golden Frog's VyprVPN and PureVPN.
VPN client software must work on all user devices, such as PCs, notebooks, tablets and
smartphones; this will help your company avoid a VPN security breach. VPN protocols must
work end-to-end through firewalls, routers and switches. IT must pick VPN devices that are
compatible and interoperable with concentrators (router and firewall), appliances and
servers.
Site-to-site VPN
A site-to-site VPN allows offices in multiple fixed locations to establish secure connections
with each other over a public network such as the Internet. A site-to-site VPN extends the
company's network, making computer resources from one location available to employees at
other locations. An example of a company that needs a site-to-site VPN is a growing
corporation with dozens of branch offices around the world.
There are two types of site-to-site VPNs:
Intranet-based -- If a company has one or more remote locations that it wishes to
join in a single private network, it can create an intranet VPN to connect each
separate LAN to a single WAN.
Extranet-based -- When a company has a close relationship with another company
(such as a partner, supplier or customer), it can build an extranet VPN that connects
those companies' LANs. This extranet VPN allows the companies to work together in
a secure, shared network environment while preventing access to their separate
intranets.
Even though the purpose of a site-to-site VPN is different from that of a remote-access VPN,
it could use some of the same software and equipment. Ideally, though, a site-to-site VPN
should eliminate the need for each computer to run VPN client software as if it were on a
remote-access VPN. Now that you know the two types of VPNs, let's look at how your data
is kept secure as it travels across a VPN.
Purpose of Site-to-Site VPN
A VPN's purpose is to provide a secure and reliable private connection between computer
networks over an existing public network, typically the Internet. Now, let's consider all the
benefits and features a company should expect in a VPN.
A well-designed VPN provides an organization with the following benefits:
- Extended connections across multiple geographic locations without using a leased
  line
- Improved security for exchanging data
- Flexibility for remote offices and employees to use the company intranet over an
  existing Internet connection as if they were directly connected to the network
- Savings in time and commuting expense for employees who work from virtual
  workplaces
- Improved productivity for remote employees
A company might not require all these benefits from its VPN, but it should have the following
essential features:
Security -- The VPN should protect data while it's traveling on the public network. If
intruders attempt to capture the data, they should be unable to read or use it.
Reliability -- Employees and remote offices should be able to connect to the VPN
with no trouble at any time (unless hours are restricted), and the VPN should provide
the same quality of connection for each user even when it is handling its maximum
number of simultaneous connections.
Scalability -- As an organization grows, it should be able to extend its VPN services
to handle that growth without replacing the VPN technology altogether.
Equipment used in a VPN
VPN components are dedicated devices a business can add to its network. You can
purchase these devices from companies that produce network equipment, such as Cisco:
VPN Concentrator -- This device replaces an AAA server installed on a generic
server. The hardware and software work together to establish VPN tunnels and
handle large numbers of simultaneous connections.
VPN-enabled/VPN-optimized Router -- This is a typical router that delegates traffic
on a network, but with the added feature of routing traffic using protocols specific to
VPNs.
VPN-enabled Firewall -- This is a conventional firewall protecting traffic between
networks, but with the added feature of managing traffic using protocols specific to
VPNs.
VPN Client -- This is software running on a dedicated device that acts as the tunnel
interface for multiple connections. This setup spares each computer from having to
run its own VPN client software.