Agenda: VPN tunnels, Configuration of basic core network components, Maintenance of Cisco devices, Exercises & troubleshooting

Posted 19-Dec-2015 in category Documents; 38 pages.

Page 1

Agenda

• VPN tunnels

• Configuration of basic core network components

• Maintenance of Cisco devices

• Exercises & troubleshooting

Page 2

Abbreviations

• AP – Access Point
• AH – Authentication Header
• AZR – Access Zone Router
• AGR – Aggregation Router
• AG – Access Gateway (e.g. Cisco SSG, Juniper ERX)
• CSA – Central Site Area
• DHCP – Dynamic Host Configuration Protocol
• DMVPN – Dynamic Multipoint IPsec Virtual Private Network
• EIGRP – Enhanced Interior Gateway Routing Protocol
• ESP – Encapsulating Security Payload
• GRE – Generic Routing Encapsulation
• HSA – Hotspot Area
• IKE – Internet Key Exchange
• IPSec – Internet Protocol Security
• NHRP – Next Hop Resolution Protocol
• OSPF – Open Shortest Path First (Routing Protocol)
• PPTP – Point-To-Point Tunneling Protocol
• SSG – Service Selection Gateway
• VPN – Virtual Private Network

Page 3

AGR - Aggregation Router

• Interfaces
  – interface to AGR (a connection to more than one AGR is possible) - a GRE tunnel with IPSec is configured over this link
  – interface to APs – typically Ethernet
  – loopback

• Routing
  – The AGR participates in the dynamic routing protocol.
  – The following networks shall be advertised:
    • all networks to AZRs
    • network to AG (SSG)
    • network to management network
    • network to other AGRs if such a connection is realized
  – Default gateway shall be set on the SSG in the central configuration or on the WIP in the decentral configuration

• Multipoint IPsec
  – AGR may work as a hub in a DMVPN (Dynamic Multipoint VPN) configuration

Page 4

AZR - Access Zone Router

• Interfaces
  – interface to AGR (a connection to more than one AGR is possible) - a GRE tunnel with IPSec is configured over this link
  – interface to APs – typically Ethernet
  – loopback

• Routing
  – The AZR participates in the dynamic routing protocol.
  – The following networks shall be advertised:
    • network(s) to AGR(s)
    • networks to APs
  – Default gateway shall be set on the AGR, or on the AGRs in case of multiple connections

• Multipoint IPsec
  – AZR may work as a spoke in a DMVPN (Dynamic Multipoint VPN) configuration

Page 5

DHCP

Figure: DHCP request for an IP address between a host and the AZR (a Cisco router acting as DHCP server):
  Host -> Server: DHCPDISCOVER (broadcast)
  Server -> Host: DHCPOFFER (unicast)
  Host -> Server: DHCPREQUEST (broadcast)
  Server -> Host: DHCPACK (unicast)

• DHCP (Dynamic Host Configuration Protocol) is an open, industry-standard protocol that reduces the complexity of administering networks based on TCP/IP.

• All DHCP messages are carried in User Datagram Protocol (UDP). Datagrams use port 67 at the server and 68 at the client.

Page 6

DHCP Benefits to TCP/IP Network Administrators

• Simplifies problems associated with manual addressing
• Centralized administration of IP configuration
• Dynamic host configuration
• Seamless IP host configuration
• Flexibility
• Scalability

Page 7

Configuring DHCP on Cisco router

• Enabling the Cisco IOS DHCP Server and Relay Agent Features

Router (config)# service dhcp

• Excluding IP Addresses

Router (config)# ip dhcp excluded-address low-address [high-address]

• Configuring the DHCP Address Pool Name and Entering DHCP Pool Configuration Mode

Router (config)# ip dhcp pool name

• Configuring the DHCP Address Pool Subnet and Mask

Router (dhcp-config)# network network-number [mask | /prefix-length]

• Configuring the Domain Name for the Client

Router (dhcp-config)# domain-name domain

• Configuring the IP Domain Name System Servers for the Client

Router (dhcp-config)# dns-server address [address2 ... address8]

• Configuring the Default Router for the Client

Router (dhcp-config)# default-router address [address2 ... address8]

• Configuring the Address Lease Time

Router (dhcp-config)# lease {days [hours] [minutes] | infinite}

Page 8

Example of DHCP configuration on Cisco router

ip dhcp excluded-address 10.100.1.1 10.100.1.30
!
ip dhcp pool ZONE1
 network 10.100.1.0 255.255.255.0
 default-router 10.100.1.1
 domain-name domain.i250
 dns-server 192.168.201.2
!
interface FastEthernet0/1
 ip address 10.100.1.1 255.255.255.0
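The four-message exchange on page 5 and the pool configuration above can be tied together in code. The Python below is an added example, not part of the slides and not Cisco's implementation: it serialises and parses DHCP messages with the RFC 2131 fixed header and option 53, models the ZONE1 pool (excluded range, default router, domain name, DNS server) as a tiny in-memory server, and runs a client through DISCOVER/OFFER/REQUEST/ACK. The MAC addresses and transaction IDs are constructed sample values; no sockets are opened.

```python
import ipaddress
import struct

SERVER_PORT, CLIENT_PORT = 67, 68                    # UDP ports from the slide
MAGIC_COOKIE = b"\x63\x82\x53\x63"                   # RFC 2131 start-of-options marker
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6   # option 53 message types
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"                # 236-byte fixed BOOTP header


def build_message(op, xid, chaddr, yiaddr="0.0.0.0", options=()):
    """Serialise one DHCP message: fixed header, magic cookie, TLV options, end."""
    fixed = struct.pack(HEADER, op, 1, 6, 0, xid, 0, 0,
                        b"\0" * 4, ipaddress.IPv4Address(yiaddr).packed,
                        b"\0" * 4, b"\0" * 4, chaddr.ljust(16, b"\0"),
                        b"\0" * 64, b"\0" * 128)
    opts = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return fixed + MAGIC_COOKIE + opts + b"\xff"


def parse_message(raw):
    """Inverse of build_message; returns the fields a DHCP server needs."""
    f = struct.unpack(HEADER, raw[:236])
    if raw[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options, i = {}, 240
    while i < len(raw) and raw[i] != 0xFF:           # 0xFF = end option
        if raw[i] == 0:                              # 0 = pad option, no length byte
            i += 1
            continue
        code, length = raw[i], raw[i + 1]
        options[code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "xid": f[4], "yiaddr": str(ipaddress.IPv4Address(f[8])),
            "chaddr": f[11][:f[2]], "options": options}


def udp_ports(msg):
    """(source port, destination port) of a message: client 68 -> server 67 and back."""
    return (CLIENT_PORT, SERVER_PORT) if msg["op"] == BOOTREQUEST else (SERVER_PORT, CLIENT_PORT)


class DhcpPool:
    """Models the slide's 'ip dhcp pool ZONE1': hands out the lowest free address
    outside the excluded range and keeps the bindings 'show ip dhcp binding' lists."""

    def __init__(self, network, excluded, default_router, domain, dns, lease_days=1):
        self.net = ipaddress.IPv4Network(network)
        lo, hi = (ipaddress.IPv4Address(a) for a in excluded)
        self.excluded = {a for a in self.net.hosts() if lo <= a <= hi}
        self.router = ipaddress.IPv4Address(default_router)
        self.domain, self.dns = domain, ipaddress.IPv4Address(dns)
        self.lease = lease_days * 86400
        self.offers, self.bindings = {}, {}          # chaddr -> IPv4Address

    def _free_address(self):
        in_use = self.excluded | set(self.offers.values()) | set(self.bindings.values())
        for addr in self.net.hosts():
            if addr not in in_use:
                return addr
        raise RuntimeError("pool exhausted")

    def _reply(self, kind, req, addr):
        opts = [(53, bytes([kind])), (54, self.router.packed)]   # 54 = server identifier
        if kind != NAK:
            opts += [(1, self.net.netmask.packed), (3, self.router.packed),
                     (6, self.dns.packed), (15, self.domain.encode()),
                     (51, struct.pack("!I", self.lease))]
        yiaddr = "0.0.0.0" if addr is None else str(addr)
        return build_message(BOOTREPLY, req["xid"], req["chaddr"], yiaddr, opts)

    def handle(self, raw):
        req = parse_message(raw)
        kind, mac = req["options"][53][0], req["chaddr"]
        if kind == DISCOVER:
            self.offers.setdefault(mac, self._free_address())
            return self._reply(OFFER, req, self.offers[mac])
        if kind == REQUEST:
            wanted = ipaddress.IPv4Address(req["options"][50])   # 50 = requested address
            if self.offers.get(mac) != wanted:
                return self._reply(NAK, req, None)
            self.bindings[mac] = self.offers.pop(mac)
            return self._reply(ACK, req, wanted)
        return None


def run_dora(server, mac, xid):
    """Client side of the exchange; returns (leased address, parsed ACK)."""
    discover = build_message(BOOTREQUEST, xid, mac, options=[(53, bytes([DISCOVER]))])
    offer = parse_message(server.handle(discover))
    request = build_message(BOOTREQUEST, xid, mac, options=[
        (53, bytes([REQUEST])), (50, ipaddress.IPv4Address(offer["yiaddr"]).packed),
        (54, offer["options"][54])])
    ack = parse_message(server.handle(request))
    if ack["options"][53][0] != ACK:
        raise RuntimeError("lease refused")
    return ack["yiaddr"], ack


# The pool from the slide; the MAC address below is a constructed sample value.
ZONE1 = DhcpPool("10.100.1.0/24", ("10.100.1.1", "10.100.1.30"),
                 "10.100.1.1", "domain.i250", "192.168.201.2")

if __name__ == "__main__":
    addr, ack = run_dora(ZONE1, bytes.fromhex("001122334455"), 0x3903F326)
    print("leased", addr, "router", ipaddress.IPv4Address(ack["options"][3]))
```

The first client receives 10.100.1.31, the first address after the excluded range, which is what the excluded-address statement is for: the router's own interface address and the static hosts below it are never offered.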

Page 9

DHCP troubleshooting

• Router# show ip dhcp binding
• Router# show ip dhcp server statistics
• Router# show ip dhcp conflict [address]

• Router# clear ip dhcp binding {address | *}
• Router# clear ip dhcp conflict {address | *}
• Router# clear ip dhcp server statistics

• Router# debug ip dhcp server {events | packets | linkage}

Page 10

Exercise

1. Configure DHCP server on AZR

2. Check if client gets an IP address from DHCP server

Page 11

Routing

• Static Routing
  – Advantages:
    • Simple to configure and maintain
    • Secure – as only defined routes can be accessed
    • Bandwidth is not used for sending routing updates
  – Disadvantages:
    • Manual update of routes after network changes
    • Explicit addition of routes for all networks

• Dynamic Routing
  – EIGRP
  – OSPF

Page 12

Configuring static routing on Cisco devices

• ip route <destination network address> <destination network mask> <next hop>

• Router A
  ip route 192.168.1.0 255.255.255.0 172.16.1.2

• Router B
  ip route 10.1.1.0 255.255.255.0 172.16.1.1

• Router C
  ip route 10.1.1.0 255.255.255.0 172.16.2.1

Figure: Router A (10.1.1.0/24) is linked to Router B over 172.16.1.0/30 (A 172.16.1.1, B 172.16.1.2) and to Router C over 172.16.2.0/30 (A 172.16.2.1, C 172.16.2.2); Router B serves 192.168.1.0/24 and Router C serves 192.168.2.0/24. The LAN interfaces are labelled FastEthernet0/1 and FastEthernet0/2.

Page 13

Exercise

1. Configure static routing on AZR, AGR and SSG

2. Check if client can access (ping) AZR, AGR, SSG

Page 14

Configuring dynamic routing on Cisco devices - EIGRP

• Router A
  router eigrp 1
   network 172.16.1.0 0.0.0.3
   network 172.16.2.0 0.0.0.3
   network 10.1.1.0 0.0.0.255
   no auto-summary

• Router B
  router eigrp 1
   network 172.16.1.0 0.0.0.3
   network 10.1.1.0 0.0.0.255
   no auto-summary

• Router C
  router eigrp 1
   network 172.16.2.0 0.0.0.3
   network 10.1.1.0 0.0.0.255
   no auto-summary

Figure: the same topology as on page 12 (Router A 10.1.1.0/24 between Router B 192.168.1.0/24 and Router C 192.168.2.0/24, linked over 172.16.1.0/30 and 172.16.2.0/30).

Page 15

Configuring dynamic routing on Cisco devices - OSPF

• Router A
  router ospf 10
   network 172.16.1.0 0.0.0.3 area 0
   network 172.16.2.0 0.0.0.3 area 0
   network 10.1.1.0 0.0.0.255 area 0

• Router B
  router ospf 100
   network 172.16.1.0 0.0.0.3 area 0
   network 10.1.1.0 0.0.0.255 area 0

• Router C
  router ospf 1
   network 172.16.2.0 0.0.0.3 area 0
   network 10.1.1.0 0.0.0.255 area 0

Figure: the same topology as on page 12 (Router A 10.1.1.0/24 between Router B 192.168.1.0/24 and Router C 192.168.2.0/24, linked over 172.16.1.0/30 and 172.16.2.0/30).
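The network statements on the EIGRP and OSPF pages use inverse (wildcard) masks, and the two protocols differ in what has to agree between neighbours: the EIGRP autonomous-system number (router eigrp 1 on all three routers) must match on both ends of a link, whereas the OSPF process ID (10, 100 and 1 on the slide) is local to each router and only the area must match. The Python below is an added example, not from the slides: it derives the wildcard masks from interface prefixes, renders the router stanzas, and checks those two rules over the slide topology. The routers' LAN-side host addresses (.1 on each LAN) are an assumption, since the figure shows only the prefixes.

```python
import ipaddress

# Constructed from the figure on the routing slides. The .1 host address on each
# LAN is an assumption; the slides show only the prefixes.
ROUTERS = {
    "A": {"eigrp_as": 1, "ospf_pid": 10, "ospf_area": 0,
          "interfaces": ["172.16.1.1/30", "172.16.2.1/30", "10.1.1.1/24"]},
    "B": {"eigrp_as": 1, "ospf_pid": 100, "ospf_area": 0,
          "interfaces": ["172.16.1.2/30", "192.168.1.1/24"]},
    "C": {"eigrp_as": 1, "ospf_pid": 1, "ospf_area": 0,
          "interfaces": ["172.16.2.2/30", "192.168.2.1/24"]},
}


def subnet(prefix):
    return ipaddress.IPv4Network(prefix, strict=False)


def wildcard(prefix):
    """Inverse mask used by IOS 'network' statements: 172.16.1.0/30 -> 0.0.0.3."""
    return str(subnet(prefix).hostmask)


def network_statement(prefix):
    return f"network {subnet(prefix).network_address} {wildcard(prefix)}"


def eigrp_stanza(router):
    """'router eigrp <AS>' block covering every interface of the router."""
    lines = [f"router eigrp {router['eigrp_as']}"]
    lines += [" " + network_statement(p) for p in router["interfaces"]]
    lines.append(" no auto-summary")
    return "\n".join(lines)


def ospf_stanza(router):
    """'router ospf <process-id>' block; the process ID is locally significant."""
    lines = [f"router ospf {router['ospf_pid']}"]
    lines += [f" {network_statement(p)} area {router['ospf_area']}" for p in router["interfaces"]]
    return "\n".join(lines)


def shared_links(routers):
    """Subnets present on more than one router, i.e. the candidate adjacencies."""
    members = {}
    for name, r in routers.items():
        for p in r["interfaces"]:
            members.setdefault(subnet(p), []).append(name)
    return {net: names for net, names in members.items() if len(names) > 1}


def eigrp_as_mismatches(routers):
    """EIGRP only forms adjacencies between routers in the same autonomous system."""
    return [(str(net), names) for net, names in shared_links(routers).items()
            if len({routers[n]["eigrp_as"] for n in names}) > 1]


def ospf_area_mismatches(routers):
    """OSPF neighbours must agree on the area; differing process IDs are fine."""
    return [(str(net), names) for net, names in shared_links(routers).items()
            if len({routers[n]["ospf_area"] for n in names}) > 1]


if __name__ == "__main__":
    for name, r in ROUTERS.items():
        print(f"! Router {name}\n{eigrp_stanza(r)}\n{ospf_stanza(r)}\n")
    print("EIGRP AS mismatches:", eigrp_as_mismatches(ROUTERS))
    print("OSPF area mismatches:", ospf_area_mismatches(ROUTERS))
```

Generated from the interface list, Router A's EIGRP stanza is exactly the one on page 14; the OSPF stanzas differ only in the process ID, which is why the three different values on page 15 still produce adjacencies.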

Page 16

Exercise

1. Configure dynamic routing (EIGRP) on AZR, AGR and SSG

2. Check if client can access (ping) AZR, AGR, SSG

3. Configure dynamic routing (OSPF) on AZR, AGR and SSG

4. Check if client can access (ping) AZR, AGR, SSG

Page 17

VPN

• Virtual Private Network
  GRE - Generic Routing Encapsulation
  PPTP - Point-to-Point Tunneling Protocol

Figure: AGR and AZR connected across the INTERNET by a VPN tunnel, e.g. a GRE/IPsec tunnel.

Page 18

Types of VPNs

• Secure VPNs - Secure VPN protocols include the following:
  - IPsec
  - SSL
  - PPTP
  - L2TP
  - L2TPv3

• Trusted VPNs
  - MPLS
  - L2F

Page 19

IPSec Functions

• data confidentiality (encryption)
• data integrity (verification)
• origin authentication (authenticating the source of the packet)
• verification that each packet is unique (not duplicated)

Page 20

Type of Encryption

• symmetric
  – DES
  – 3DES
  – HMAC-Message Digest 5 (MD5)
  – HMAC-SHA

• asymmetric
  – Rivest, Shamir, and Adleman (RSA)

Type of Authentication

• Pre-shared keys
• RSA signatures
• RSA encrypted nonces

Page 21

IPSec Protocols

Authentication Header (figure: Router A -> Router B, all data in clear text)
Authentication Header provides:
· Authentication
· Integrity

Encapsulating Security Payload (figure: Router A -> Router B, data payload is encrypted)
Encapsulating Security Payload provides:
· Authentication
· Integrity
· Encryption

Page 22

IPSec Modes

Original IP packet: [IP Header][Data]

- Transport Mode: [IP Header][ESP Header][Data][ESP Trailer][ESP Auth.]
  ENCRYPTED: Data and ESP Trailer
  AUTHENTICATED: ESP Header through ESP Trailer

- Tunnel Mode: [New IP Header][ESP Header][IP Header][Data][ESP Trailer][ESP Auth.]
  ENCRYPTED: original IP Header, Data and ESP Trailer
  AUTHENTICATED: ESP Header through ESP Trailer

Page 23

VPN (DMVPN)

Figure: DMVPN over GRE/IPsec. Two hubs (HUB #1 and HUB #2, the AGRs in the CSA) each terminate tunnels from their spokes (SPOKE #1.1 to #1.3 and SPOKE #2.1 to #2.3, the AZRs in the HSAs); the SSG connects the CSA to the Internet.

Page 24

Standards (Cisco IOS IPSec)

• IPSec (RFCs 2401-2410)
• IPSec Encapsulating Security Payload (ESP) using DES/3DES (RFC 2406)
• IPSec Authentication Header (AH) using MD5 or SHA (RFCs 2403-2404)
• Internet Key Exchange (IKE) (RFCs 2407-2409)

Page 25

IPsec/GRE Example (basic)

• Phase I (IKE Policy)

Figure: AZR (Fa0/1 192.168.6.2) - Internet - AGR (Fa0/0 192.168.5.1); tunnel 10 in 192.168.10.0/30: AZR 192.168.10.2/30, AGR 192.168.10.1/30.

AZR:
crypto isakmp policy 1
 authentication pre-share
 hash md5
 encryption 3des
crypto isakmp key Cisco123 address 192.168.5.1

AGR:
crypto isakmp policy 1
 authentication pre-share
 hash md5
 encryption 3des
crypto isakmp key Cisco123 address 192.168.6.2

Page 26

IPsec/GRE Example (basic)

• Phase II (IPsec Policy)

Figure: AZR (Fa0/1 192.168.6.2) - Internet - AGR (Fa0/0 192.168.5.1); tunnel 10 in 192.168.10.0/30: AZR 192.168.10.2/30, AGR 192.168.10.1/30.

AZR:
crypto ipsec transform-set name1 esp-3des esp-md5-hmac
 mode transport
access-list 110 permit gre host 192.168.6.2 host 192.168.5.1

AGR:
crypto ipsec transform-set name1 esp-3des esp-md5-hmac
 mode transport
access-list 110 permit gre host 192.168.5.1 host 192.168.6.2

Page 27

IPsec/GRE Example (basic)

• Phase II (IPsec Policy)

Figure: AZR (Fa0/1 192.168.6.2) - Internet - AGR (Fa0/0 192.168.5.1); tunnel 10 in 192.168.10.0/30: AZR 192.168.10.2/30, AGR 192.168.10.1/30.

AZR:
crypto map map1 local-address FastEthernet0/1
crypto map map1 10 ipsec-isakmp
 set peer 192.168.5.1
 match address 110
 set transform-set name1

AGR:
crypto map map1 local-address FastEthernet0/0
crypto map map1 10 ipsec-isakmp
 set peer 192.168.6.2
 match address 110
 set transform-set name1

Page 28

IPsec/GRE Example (basic)

• Phase III (tunnel)

Figure: AZR (Fa0/1 192.168.6.2) - Internet - AGR (Fa0/0 192.168.5.1); tunnel 10 in 192.168.10.0/30: AZR 192.168.10.2/30, AGR 192.168.10.1/30.

AZR:
interface Tunnel10
 ip address 192.168.10.2 255.255.255.252
 tunnel source FastEthernet0/1
 tunnel destination 192.168.5.1
 ip mtu 1440
 crypto map map1
interface FastEthernet0/1
 ip address 192.168.6.2 255.255.255.0
 crypto map map1
router eigrp 1
 network 192.168.10.0 0.0.0.3
 no auto-summary

AGR:
interface Tunnel10
 ip address 192.168.10.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 192.168.6.2
 ip mtu 1440
 crypto map map1
interface FastEthernet0/0
 ip address 192.168.5.1 255.255.255.0
 crypto map map1
router eigrp 1
 network 192.168.10.0 0.0.0.3
 no auto-summary
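Most failures of a static IPsec/GRE tunnel like the one on pages 25 to 28 come from the two sides not mirroring each other: the isakmp key, set peer and tunnel destination on one router must name the other router's outside address, the crypto ACL must be the exact mirror image of the peer's, and the ISAKMP policy, pre-shared key and transform set must match. The Python below is an added example, not part of the slides and not a Cisco tool: it parses both sides of the slide configuration (copied here as strings, with the Tunnel10 addressing and crypto-map binding left out) and reports mismatches that would stop phase 1 or phase 2 from completing, plus warnings for the 3DES and HMAC-MD5 algorithms the slides use, which are deprecated for IKE/IPsec.

```python
import re

# The two sides of the slides' static IPsec/GRE example, copied into strings so the
# checker runs offline (Tunnel10 addressing and the crypto-map binding are left out).
AZR = """\
crypto isakmp policy 1
 authentication pre-share
 hash md5
 encryption 3des
crypto isakmp key Cisco123 address 192.168.5.1
crypto ipsec transform-set name1 esp-3des esp-md5-hmac
 mode transport
access-list 110 permit gre host 192.168.6.2 host 192.168.5.1
crypto map map1 10 ipsec-isakmp
 set peer 192.168.5.1
 match address 110
 set transform-set name1
interface Tunnel10
 tunnel source FastEthernet0/1
 tunnel destination 192.168.5.1
interface FastEthernet0/1
 ip address 192.168.6.2 255.255.255.0
"""
AGR = """\
crypto isakmp policy 1
 authentication pre-share
 hash md5
 encryption 3des
crypto isakmp key Cisco123 address 192.168.6.2
crypto ipsec transform-set name1 esp-3des esp-md5-hmac
 mode transport
access-list 110 permit gre host 192.168.5.1 host 192.168.6.2
crypto map map1 10 ipsec-isakmp
 set peer 192.168.6.2
 match address 110
 set transform-set name1
interface Tunnel10
 tunnel source FastEthernet0/0
 tunnel destination 192.168.6.2
interface FastEthernet0/0
 ip address 192.168.5.1 255.255.255.0
"""
WEAK = {"des": "DES", "3des": "3DES", "md5": "HMAC-MD5",
        "esp-des": "DES", "esp-3des": "3DES", "esp-md5-hmac": "HMAC-MD5"}


def parse_side(cfg):
    """Pull out every value that has to agree with the other end of the tunnel."""
    s = {"policy": dict(re.findall(r"^\s+(authentication|hash|encryption)\s+(\S+)", cfg, re.M))}
    s["psk"], s["ike_peer"] = re.search(r"crypto isakmp key (\S+) address (\S+)", cfg).groups()
    s["ts_name"], transforms = re.search(r"crypto ipsec transform-set (\S+) (.+)", cfg).groups()
    s["transforms"] = tuple(transforms.split())
    s["ipsec_mode"] = re.search(r"^\s+mode (\S+)", cfg, re.M).group(1)
    s["acl_id"], s["acl_src"], s["acl_dst"] = re.search(
        r"access-list (\d+) permit gre host (\S+) host (\S+)", cfg).groups()
    for key, pattern in (("map_peer", r"set peer (\S+)"), ("map_acl", r"match address (\d+)"),
                         ("map_ts", r"set transform-set (\S+)"), ("tun_src_if", r"tunnel source (\S+)"),
                         ("tun_dst", r"tunnel destination (\S+)")):
        s[key] = re.search(pattern, cfg).group(1)
    addrs, current = {}, None
    for line in cfg.splitlines():                   # interface name -> its IP address
        if m := re.match(r"interface (\S+)", line):
            current = m.group(1)
        elif m := re.match(r"\s+ip address (\S+)", line):
            addrs[current] = m.group(1)
    s["wan_ip"] = addrs[s["tun_src_if"]]            # the address the peer must point at
    return s


def check_side(local, remote, label):
    errors, warnings = [], []
    for field, what in (("ike_peer", "isakmp key address"), ("map_peer", "set peer"),
                        ("tun_dst", "tunnel destination")):
        if local[field] != remote["wan_ip"]:
            errors.append(f"{label}: {what} is {local[field]}, peer's address is {remote['wan_ip']}")
    if (local["acl_src"], local["acl_dst"]) != (local["wan_ip"], remote["wan_ip"]):
        errors.append(f"{label}: crypto ACL {local['acl_id']} is not the mirror image of the peer's ACL")
    if local["map_acl"] != local["acl_id"]:
        errors.append(f"{label}: crypto map matches ACL {local['map_acl']}, GRE ACL is {local['acl_id']}")
    if local["map_ts"] != local["ts_name"]:
        errors.append(f"{label}: crypto map uses transform-set {local['map_ts']}, defined set is {local['ts_name']}")
    for alg in list(local["policy"].values()) + list(local["transforms"]):
        if alg in WEAK:
            warnings.append(f"{label}: {WEAK[alg]} is deprecated for IKE/IPsec; prefer AES and SHA-2")
    return errors, warnings


def check_tunnel(a_cfg, b_cfg, a_label="AZR", b_label="AGR"):
    """Cross-check both sides; errors break the tunnel, warnings are crypto hygiene."""
    a, b = parse_side(a_cfg), parse_side(b_cfg)
    ea, wa = check_side(a, b, a_label)
    eb, wb = check_side(b, a, b_label)
    errors = ea + eb
    if a["policy"] != b["policy"]:
        errors.append("ISAKMP policy attributes differ (phase 1 will not complete)")
    if a["psk"] != b["psk"]:
        errors.append("pre-shared keys differ (phase 1 authentication will fail)")
    if (a["transforms"], a["ipsec_mode"]) != (b["transforms"], b["ipsec_mode"]):
        errors.append("transform sets or IPsec modes differ (phase 2 will not complete)")
    return {"errors": errors, "warnings": sorted(set(wa + wb))}
```

Run against the slide configuration, check_tunnel(AZR, AGR) reports no errors and two warnings per side; the same checks applied to a copy with a mistyped set peer or a non-mirrored ACL name the side and the value, which is the question show crypto isakmp sa and show crypto ipsec sa leave you to answer by hand.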

Page 29

Exercise

1. Configure static IPSec/GRE tunnel between AZR and AGR

2. Check if wired client can access (ping) AGR, SSG via VPN tunnel

Page 30

IPsec/GRE Example (DMVPN)

• Phase I (IKE Policy)

Figure: AZR (spoke, Fa0/1 192.168.6.2) - Internet - AGR (hub, Fa0/0 192.168.5.1); tunnel 0 in 192.168.10.0 (labelled /30 in the figure, configured /24): AZR 192.168.10.2/24, AGR 192.168.10.1/24.

AZR (spoke):
crypto isakmp policy 1
 authentication pre-share
 hash md5
 encryption 3des
crypto isakmp key Cisco123 address 0.0.0.0 0.0.0.0

AGR (hub):
crypto isakmp policy 1
 authentication pre-share
 hash md5
 encryption 3des
crypto isakmp key Cisco123 address 0.0.0.0 0.0.0.0

Page 31

IPsec/GRE Example (DMVPN)

• Phase II (IPsec Policy)

Figure: AZR (spoke, Fa0/1 192.168.6.2) - Internet - AGR (hub, Fa0/0 192.168.5.1); tunnel 0 in 192.168.10.0 (labelled /30 in the figure, configured /24): AZR 192.168.10.2/24, AGR 192.168.10.1/24.

AZR (spoke):
crypto ipsec transform-set name1 esp-3des esp-md5-hmac
 mode transport
crypto ipsec profile bwsvpnprofile1
 set transform-set name1

AGR (hub):
crypto ipsec transform-set name1 esp-3des esp-md5-hmac
 mode transport
crypto ipsec profile bwsvpnprofile1
 set transform-set name1

Page 32

IPsec/GRE Example (DMVPN)

• Phase III (tunnel)

Figure: AZR (spoke, Fa0/1 192.168.6.2) - Internet - AGR (hub, Fa0/0 192.168.5.1); tunnel 0 in 192.168.10.0 (labelled /30 in the figure, configured /24): AZR 192.168.10.2/24, AGR 192.168.10.1/24.

AZR (spoke):
interface Tunnel0
 ip address 192.168.10.2 255.255.255.0
 ip mtu 1400
 ip nhrp authentication ciscokey
 ip nhrp map 192.168.10.1 192.168.5.1
 ip nhrp network-id 1
 ip nhrp holdtime 300
 ip nhrp nhs 192.168.10.1
 tunnel source FastEthernet0/1
 tunnel destination 192.168.5.1
 tunnel key 0
 tunnel protection ipsec profile bwsvpnprofile1

AGR (hub):
interface Tunnel0
 ip address 192.168.10.1 255.255.255.0
 ip mtu 1400
 ip nhrp authentication Cisco123key
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp holdtime 600
 no ip split-horizon eigrp 1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile bwsvpnprofile1

The ip nhrp authentication string must be identical on hub and spoke; as printed on the slide the spoke uses ciscokey and the hub Cisco123key, which would stop the spoke's NHRP registration.

Page 33

IPsec/GRE Example (DMVPN)

• Phase III (interfaces)

Figure: AZR (spoke, Fa0/1 192.168.6.2) - Internet - AGR (hub, Fa0/0 192.168.5.1); tunnel 0 in 192.168.10.0 (labelled /30 in the figure, configured /24): AZR 192.168.10.2/24, AGR 192.168.10.1/24.

AGR (hub):
interface FastEthernet0/0
 ip address 192.168.5.1 255.255.255.0
router eigrp 1
 network 192.168.10.0 0.0.0.255
 no auto-summary

AZR (spoke):
interface FastEthernet0/1
 ip address 192.168.6.2 255.255.255.0
router eigrp 1
 network 192.168.10.0 0.0.0.255
 no auto-summary

Page 34

IPsec/GRE troubleshooting

• Router# show ip nhrp
• Router# show ip interface
• Router# show crypto isakmp sa
• Router# show crypto ipsec sa
• Router# show crypto ipsec sa detail
• Router# show crypto map
• Router# show crypto engine connection active
• Router# show ip route

• Router# debug crypto isakmp
• Router# debug crypto ipsec
• Router# debug crypto engine

Page 35

Exercise

1. Configure dynamic IPSec/GRE tunnel (DMVPN) between AZR and AGR

2. Check if wired client can access (ping) AGR, SSG via VPN tunnel

Page 36

MTU configuration on interface

• Router (config)# access-list 101 permit udp any any
• Router (config)# route-map clear-df permit 10
• Router (config-route-map)# match ip address 101
• Router (config-route-map)# set ip df 0
• Router (config-route-map)# end

• Router (config)# interface FastEthernet0/0
• Router (config-if)# ip address 192.168.10.1 255.255.255.0
• Router (config-if)# ip policy route-map clear-df
• Router (config-if)# ip mtu 1400
• Router (config-if)# end
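The ip mtu values on the tunnel interfaces (1440 in the static example, 1400 in the DMVPN example) follow from the per-packet overhead of carrying GRE inside ESP, and the route-map above exists because an oversized packet with the DF bit set is dropped rather than fragmented. The Python below is an added example, not part of the slides: it computes the wire size of a GRE-in-ESP packet for the slides' transform set (3DES with HMAC-MD5, transport mode) and, going beyond the slides, for AES with HMAC-SHA-256 and for tunnel mode, derives the largest inner packet that fits a 1500-byte link, the TCP MSS to clamp to, and what happens to an oversized packet with and without DF. Header sizes are the RFC 2406/4303 ones; the tunnel key adds the 4-byte GRE key field.

```python
# Added example (not from the slides): encapsulation overhead of GRE over ESP.
OUTER_IP = 20                                    # IPv4 header without options
ESP_HEADER = 8                                   # SPI (4) + sequence number (4)
BLOCK = {"des": 8, "3des": 8, "aes": 16}         # CBC block size, also the IV length
ICV = {"md5": 12, "sha": 12, "sha256": 16}       # HMAC-MD5-96, HMAC-SHA1-96, HMAC-SHA-256-128


def encapsulated_length(inner_len, cipher="3des", auth="md5", gre_key=False, tunnel_mode=False):
    """Bytes on the wire for an inner IP packet of inner_len bytes sent through GRE/IPsec.
    Transport mode (the slides' 'mode transport') protects the GRE packet directly;
    tunnel mode also wraps the IP header that carried GRE, adding another 20 bytes."""
    block = BLOCK[cipher]
    gre = 8 if gre_key else 4                    # 'tunnel key' adds a 4-byte key field
    payload = gre + inner_len + (OUTER_IP if tunnel_mode else 0)
    pad = (-(payload + 2)) % block               # payload + pad-length + next-header fills blocks
    return OUTER_IP + ESP_HEADER + block + payload + pad + 2 + ICV[auth]


def max_inner_mtu(link_mtu=1500, **kw):
    """Largest inner packet that crosses the physical link without fragmentation;
    this is the upper bound for 'ip mtu' on the tunnel interface."""
    n = link_mtu
    while encapsulated_length(n, **kw) > link_mtu:
        n -= 1
    return n


def tcp_mss(ip_mtu):
    """MSS that keeps TCP segments inside ip_mtu (IPv4 + TCP headers, no options)."""
    return ip_mtu - 40


def forwarding_outcome(inner_len, ip_mtu, df_set):
    """What the router does with a packet larger than the tunnel MTU; the slides'
    route-map clears DF on UDP so that such packets are fragmented, not dropped."""
    if inner_len <= ip_mtu:
        return "forwarded"
    return "dropped, ICMP fragmentation-needed sent" if df_set else "fragmented"


if __name__ == "__main__":
    print("3DES/MD5 transport, no key:", max_inner_mtu())
    print("3DES/MD5 transport, tunnel key:", max_inner_mtu(gre_key=True))
    print("3DES/MD5 tunnel mode:", max_inner_mtu(tunnel_mode=True))
    print("AES/SHA-256 transport:", max_inner_mtu(cipher="aes", auth="sha256"))
    print("MSS for ip mtu 1400:", tcp_mss(1400))
```

For the slides' transform set the bound is 1442 bytes without a GRE key and 1438 with the DMVPN tunnel key, so 1440 and 1400 are both safely below it; the 1400 figure leaves headroom for the longer IVs and ICVs of AES and SHA-2 transforms, and pairs with a TCP MSS of 1360.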

Page 37

Maintenance of Cisco devices

Figure: Client - AP - AZR (HSA #1, WLAN) - Access Network - Transmission Core - AGR #1 - Access Gateway (SSG); TFTP SERVER 192.168.1.1.

• Copying the Configuration to a TFTP Server

Router# copy run tftp
Address or name of remote host []? 192.168.1.1
Destination filename [router-confg]? run-confg
!!
486 bytes copied in 12.2 secs (40 bytes/sec)
Router#

• Restoring the Configuration from TFTP Server

Router# copy tftp run
Address or name of remote host []? 192.168.1.1
Source filename []? run-confg
Destination filename [running-config]? [Enter]
Accessing tftp://192.168.1.1/run-confg...
Loading run-confg from 192.168.1.1 (via FastEthernet0/1): !!
[OK - 486/4096 bytes]
486 bytes copied in 5.3 secs (99 bytes/sec)
Router#

TFTP moves the configuration, including the ISAKMP pre-shared keys, without authentication or encryption, so the TFTP server should be reachable only from the management network.

Page 38

Exercises & troubleshooting

1. Design and connect your own network

2. Configure DHCP Server on AZR

3. Configure AZR, AGR, routing and VPN tunnel between AZR and AGR

4. Configure Cisco Access Point

5. Test your configuration

Figure: Client - AP - AZR (HSA #1, WLAN) - Access Network - Transmission Core - AGR #1 - Access Gateway (SSG) - Internet/Intranet, with a TFTP SERVER in the core.

This exercise assumes that SSG and WIP were correctly configured before.