INTRODUCTION - Techshristi · Web view

Banking Network Design

1. INTRODUCTION

This Network will let the various users of the bank and its employees connect to the main Server located at the Datacenter from all across the world through the internet, and from the remote offices (local branches) through leased line, VSAT or ISDN links. It provides support to various banking applications such as account information, withdrawal (through cash / cheque) and deposit of amounts.

All the devices in the Network have been provisioned with redundant links, and at the same time all the devices have been provisioned as a redundant / load-shared pair. This approach provides the desired no-single-point-of-failure (NSPOF) design, which will ultimately provide the 99.999% uptime that is expected of core datacenters.

All business critical traffic passing through the MPLS network and the internet will be encrypted, and this encrypted traffic will terminate on a VPN router cluster at the datacenter. All other traffic, like Voice and Web traffic, will be sent unencrypted over the MPLS network. Bandwidth will be allocated to servers accordingly by using Quality of Service (QoS).

Umesh Joshi, Enroll. No. 052604989


2. OBJECTIVES & GOALS

• It provides support to various applications of banking.

• This Network will let the various users of the bank and its employees connect to the main Server.

• Only authorized users may access the Network, including all servers and network devices.

• Provide greater speed and reduce time consumption.

• It provides 99.99% uptime of the Network.

• Allocate bandwidth to servers accordingly by using QoS.

• The proposed Network will be user friendly so that even a beginner can troubleshoot any issue easily.


3. Project Category: Networking

Networking is the practice of linking two or more computing devices together for the purpose of sharing data and network devices. A network is any collection of independent computers that communicate with one another over a shared network medium. A computer network is a collection of two or more connected computers. When these computers are joined in a network, people can share files and peripherals such as modems, printers, tape backup drives, or CD-ROM drives. When networks at multiple locations are connected using services available from phone companies, people can send e-mail, share links to the global Internet, or conduct video conferences in real time with other remote users. As companies rely on applications like electronic mail and database management for core business operations, computer networking becomes increasingly more important. Every network includes:

1. At least two computers (server or client workstation).
2. Network Interface Cards (NICs).
3. A connection medium, usually a wire or cable, although wireless communication between networked computers and peripherals is also possible.
4. Network operating system software, such as Microsoft Windows NT or 2000, Novell NetWare, Unix and Linux.


4. H/W REQUIREMENTS

The H/W used for developing this Network, entitled Banking Network Design, is as follows:

• HUBs
• L2 and L3 Switches
• Routers
• Modems
• WIC Cards, S/T Cards and various modules for routers and switches
• Firewalls
• Very Small Aperture Terminal (VSAT)
• Various types of cables for interconnecting Network Devices
• Servers according to the customer's requirements


5. Requirement Specification

Requirements and specifications are very important components in the development of any embedded system. Requirements analysis is the first step in the system design process, where a user's requirements should be clarified and documented to generate the corresponding specifications. Activities in this first stage have a significant impact on the downstream results in the system life cycle. For example, errors introduced during the requirements and specifications stage may lead to errors in the design stage. When such an error is discovered, the engineers must revisit the requirements and specifications to fix the problem. This leads not only to more time wasted but also to the possibility of other requirements and specifications errors. Many accidents are traced to requirements flaws, incomplete implementation of specifications, or wrong assumptions about the requirements. While these problems may be acceptable in non-safety-critical systems, safety-critical systems cannot tolerate errors due to requirements a

The requirements analyst has to identify the requirements by talking to these people and understanding their needs. In situations where the software is to automate a currently manual process, many of the needs can be understood by observing the current practice. But no such methods exist for systems for which manual processes do not exist (for example, software for a missile control system) or for "new features", which are frequently added when automating an existing manual process.


6. FEATURES PROPOSED IN THE CURRENT SYSTEM

• It provides support to various applications of banking.

• This Network will let the various users of the bank and its employees connect to the main Server.

• Only authorized users may access the Network, including all servers and network devices.

• Provide greater speed and reduce time consumption.

• It provides 99.99% uptime of the Network.

• Allocate bandwidth to servers accordingly by using QoS.


7. Network Overview

The Network design starts from the point of topology. This will include defining the layers and defining the functionality of each layer. The main aspect of dividing the network into layers is to incorporate the functions based on the layered structure and to design the connectivity methods and high availability techniques at each layer. It also helps in distribution and control of network functionality.

The aim of the network is to provide a highly available and scalable environment for collocation of Internet, Intranet and Extranet services and applications. It provides high-speed access for data, voice and internet-based applications. The network is planned such that it will provide the necessary backbone connectivity between the different offices to ensure that the network becomes an enabler for business plans.

The design should be such that there will be no single points of failure, and it should be capable of achieving fast and predictable convergence times. The design should also address the ease of scalability by increasing the port density in the switches. This Low Level Design has been made in accordance with Cisco’s existing best-practice recommendations. The foundation of the design stems from Cisco’s standard ‘Multilayer Network Design’ model.


8. Design Principles

8.1 Design Objectives

This design document will provide the necessary level of high availability, scalability and security to allow for hosting of devices. To provide support for critical business systems with minimum disruption to services the following requirements are met by the proposed design.

8.2 High Availability

The design uses the proven Cisco Multi-layer architecture.

• The Core/Aggregation layer is built for fast convergence, high speed, security and routing.

• The Distribution layer is proposed to support a wide range of services.

• The Access layer is proposed to support connectivity of single and dual-armed servers and devices.

This architecture is discussed in more detail in the following sections. The network infrastructure design is built so as to avoid any single point of failure and achieve fast and predictable convergence times.

Scalability

The Network architecture can be easily scaled up by addition of line cards and/or switches at the Access layer, allowing changes and additions that avoid disruption of existing services.

Simplicity

The design allows for predictable traffic paths in steady and failover states for operations and troubleshooting.

Security

It allows the flexibility of securing the internal/external traffic to critical systems.

Design Reuse

The Network design should be similar for all services as much as is technically possible. The design should be reusable for any new network elements that would be added as the infrastructure grows.

8.3 Layer Design Concepts

Hierarchy

This is a general concept from which many features of the network can be derived.

Hierarchy is a characterization of the traffic flows in a network. It implies that flows get bigger and bigger by going through points of aggregation (nodes) and tend to follow a specific direction or pattern. This is a direct consequence of client-server types of applications.

Likewise, the network topology and equipment dimensioning will reflect the traffic flow hierarchy. This concept allows us to distribute the functions of the network equipment in an optimal way, through a layered organization. Equipment within the same level of hierarchy will have similar properties and behave in a predictable way. With the help of such a classification, we can derive rules of thumb concerning the bandwidth required on each link or the backplane capacity needed on the network equipment, etc. On the other hand, hierarchy imposes the way we use the network: where we place servers, how ‘crowded’ a VLAN can be, where we put multicast sources, etc. Many high level protocols (OSPF, PIM, etc.) are hierarchical in nature and therefore are more easily implemented in a hierarchical network. Hierarchy is the base for many other network features; it leads to Scalability, Modularity and Predictability, among others.

Modularity

Modularity means that the network will be made up of distinct building blocks, each having a precise set of features and behaviors. Its main advantage is to make changes in the network easy: blocks can be added and removed without redesigning the network each time. Addressing is made much easier too. Modularity also means isolation; blocks are separated and interact through specific pathways, thereby easing control and security. They are independent from each other: changes in one block do not affect other blocks.


Scalability

This is self-explanatory; it allows a network to grow considerably without making drastic changes or needing any redesign. It is a product of Hierarchy and Modularity.

Fault Tolerance

This aspect is hidden in the very definition of the term ‘network’, which generally implies a certain degree of meshing. An intelligent network relies on this property to provide redundant routes from one node to another, implying the ability to work around failures. If we have hierarchy, we don’t need to provide redundancy between every two points, as the network does not need to be a full mesh; instead we’ll be able to locate the critical nodes where redundancy is important. Along with this come features like fast convergence, determinism, etc.

Predictability

When designing the network, there should be a Predictability factor associated with it. Precise knowledge of the traffic behaviors prevailing in the network will help engineers with easier Operations and Support. Hence, the network must be built such that traffic flows are easily identifiable, delays are predictable within reasonable bounds, and failover paths are easily identifiable.

KIS (Keep It Simple)

This is one of the key aspects to consider when designing networks. A network must always be kept as simple as possible. Remove all links and features that are not needed and ‘Keep It Simple!’. The concept seems obvious but it is very often forgotten. The testimony to a good design is to be able to manage the features and functionality using the least possible infrastructure (equipment), with the flexibility to scale to cater to future network growth requirements.


9. Three Layered Architecture

The Basic Model of the network has been designed along the lines of the three-layer Architecture. The overall design, comprising a number of component building blocks generic to a multi-layer Network’s functional requirements, is as follows:

9.1 Access Layer Building Blocks

The Access Layer comprises all the branches and their associated local area networks, which provide users access to the applications hosted at the Data Center over the WAN infrastructure. The branches will connect either to the MPLS PoP directly or to the aggregation locations on 64 kbps circuits. The choice of termination for the branches will be decided by the SERVICE PROVIDER.

• Connectivity of single and dual homed servers and devices
• Flexibility of extending VLANs
• Connectivity between clustered servers

9.2 Distribution Layer Building Blocks

The Distribution layer consists of the regional offices and aggregation offices, which would be the main aggregation points for the branches located in that city. These locations will be connected to the MPLS WAN on redundant load-balanced high-speed WAN links provisioned on optical fiber circuits to deliver the necessary high uptime and scalability. This layer acts as the service layer for the data center. This layer performs aggregation of the access switches. The functions performed at distribution will be:

• Demarcation of Layer 2 from Layer 3
• Filtering of routes

9.3 Core Layer Building Blocks

Consisting of the Data Center and hosting all the business applications as well as productivity applications like messaging and voice. This will be connected to the WAN core, which is on the SERVICE PROVIDER MPLS network on high-speed optical WAN links.

The External IP networks will be terminated on the Core Switches. The basic functionality of the core is:

• Route the packets for the external network
• Reliability should be considered the utmost parameter for the Core elements
• High performance, low latency switching with high densities (10 GE)
• Circuits with high availability providing terminations from different WAN clouds
• Backbone for both Multicast as well as Interactive traffic


10. Network Architecture

10.1 Network Topology

The Network is broadly divided into four major parts:

1. Data Center and Disaster Recovery
2. Members with different connectivity options
3. Security
4. Multicast

The core routers of the datacenter and disaster recovery sites are connected to MPLS Service Provider (SP) PoPs. The VSAT connectivity is also extended to both DC and DR. Dedicated leased lines between DC and DR will be used for data replication. The Data Center and Disaster Recovery sites are set apart; they are located at Mumbai and Bangalore respectively. The Disaster site is a replica of the data center. The connectivity between the members and the data centers will be in network-ready state. Members can connect to the exchange only through MPLS or through VSAT links. A member can opt for a single leased line, a single VSAT connection, a leased line with VSAT backup, or two leased lines in redundant mode.


10.2 Network Diagram

10.3 Design Objectives

This design document will provide the necessary level of high availability, scalability and security to allow for hosting of devices. To provide support for critical business systems with minimum disruption to services, the following requirements are met by the proposed design.


10.4 High Availability

The design uses the proven Cisco Multi-layer architecture.

• The Core/Aggregation layer is built for fast convergence, high speed, security and routing.

• The Distribution layer is proposed to support a wide range of services.

• The Access layer is proposed to support connectivity of single and dual-armed servers and devices.

This architecture is discussed in more detail in the following sections. The network infrastructure design is built so as to avoid any single point of failure and achieve fast and predictable convergence times.

Scalability

The Network architecture can be easily scaled up by addition of line cards and/or switches at the Access layer, allowing changes and additions that avoid disruption of existing services.

Simplicity

The design allows for predictable traffic paths in steady and failover states for operations and troubleshooting.

Security

It allows the flexibility of securing the internal/external traffic to critical systems.

Design Reuse

The Network design should be similar for all services as much as is technically possible. The design should be reusable for any new network elements that would be added as the infrastructure grows.


11. Core Design

All business critical traffic passing through the MPLS network will be encrypted, and this encrypted traffic will terminate on a VPN router cluster at the datacenter. All other traffic, like Voice and Web traffic, will be sent unencrypted over the MPLS network.

As it can be seen, all the devices in the data center have been provisioned with redundant links and at the same time all the devices too have been provisioned as a redundant / load-shared pair. This approach provides for the desired NSPOF approach, which will ultimately provide for the 99.999% uptimes that are expected of core data centres.

To connect to the Service Provider POP, one link will be used on each router. These links will form an E-BGP pair with the respective POP. These core routers will connect to the Distribution layer through a Routing Block formed by two core switches of the 6524 series. The Routing Block will be connected to the routers in a criss-cross manner to achieve chassis-level redundancy. Both 6524 switches will be connected to each other by an EtherChannel formed over two fiber links. The Routing Block will form an i-BGP pair with both routers. Local preference will be used on the 7206 routers, which will help the Routing Block select the primary router.

Two core routers will be deployed in a High Availability / Load Balancing configuration connecting to the MPLS PoP on an STM-1 ring. Each of the core routers is provisioned with dual control processors, dual power supplies and card-level redundancy to take care of any level of failure. The routers will be deployed in a load-balancing configuration, wherein under normal operations both routers will have equal bandwidth links terminating on them. The SERVICE PROVIDER will size the links such that, in the event of a failure of either one link or the associated hardware, the other link will automatically take the load that has been provisioned.

At the data center, two redundant load balanced core switches each with high data switching capabilities and integrated services will be deployed. Each switch will house service delivery modules like Firewalls, Intrusion Prevention/Detection System and a L4-L7 Content Load Balancing module.


The Firewall is planned with virtual firewall services so that different parts of the network can be logically segregated on the core. This will allow for better control and more granular policies on the firewall thus providing a higher level of security policy enforcement.

Two VPN routers have been provisioned to take care of the encrypted business critical traffic that will be flowing on the WAN. These routers will be load-balanced off the core switches to ensure that the traffic is seamlessly distributed between the routers, which will also ensure that no single router is overloaded. Protocol features on the content switching module of the Catalyst 6513 switch will ensure aspects like session stickiness and load balancing.

The core switch will take in additional connections from the existing building distribution switch, which is a Cisco 4507R further connected to Cisco Catalyst 2900 & 3500 series edge switches providing desktop connectivity and Power over Ethernet to Cisco IP Phones deployed at HO.

A dedicated Management Zone will hold all the network management servers and other systems like the AAA server, Two factor authentication server and the existing anti-virus and content security management servers. A medium performance chassis based switch (4503) will be placed in the management zone; this switch will provide the required services as of date in terms of port densities and data security options.

The internet connectivity from the SERVICE PROVIDER will be upgraded to two load-shared 2 Mbps links to provide high redundancy and performance.

Two internet routers (3845) will terminate the new ISP links that will be procured; these routers will run BGP peering with the upstream ISPs to ensure transparent service delivery across the two links. A high performance load-balanced cache appliance will be deployed on the internet links to optimize the bandwidth usage and provide caching capability for all static web content.

To provide a high degree of perimeter security a two-tiered firewall approach will be deployed, wherein the external firewall will be different from the firewall that is deployed at the core of the network. The external firewall (Checkpoint) will be deployed in a load-balanced high-availability mode with the high performance typically needed for an internet data center, keeping in mind that business applications would be hosted in the datacenter. The Firewall would also act as the proxy for all clients accessing the internet and will also be the enforcement point for bandwidth control on the internet link, since all traffic would need to pass through the firewall.

A VPN aggregator (ASA 5540) will handle the mobile users who connect to the network via clientless VPN services or who use the Internet as their mode of connectivity and connect using IPSec VPN clients. Thus the VPN concentrator will need to provide both clientless and client VPN capabilities. The mobile users will be provisioned with a two-factor authentication system to ensure that network access is not compromised by weak or misplaced static passwords.

11.1 Routing Block in Detail

Most of the members will be connected by multiple links to the DC for redundancy and high availability. These members will have an IP subnet which will be routed on both links (e.g. L/L and VSAT). The L/L will be used as the primary link and VSAT will be used as the backup. The return traffic which flows from the DC towards the member location needs to prefer the primary link (e.g. L/L as primary and VSAT as backup) over the secondary path. To achieve this we need to use a dynamic routing protocol between the DC and the perimeter routers. This way the firewall will route all the traffic to the routing block, and the routing block, with the help of dynamic routing, will take care of the best path selection for the return traffic. If the primary link fails, the member route over the backup link will be preferred.

The Routing Block will be directly connected to all the perimeter routers which connect to the MPLS, VSAT and leased line links. The advantage of using this block is to choose the best route to the destination network when we have multiple links for the remote location. The router will select the route with the lower cost for the remote location and fail over automatically to the backup link in case of failure of the primary link.

The recommended routing protocol for this set-up is BGP. We will run BGP over the WAN, i.e. between the DC and the member locations. Static routing is recommended for VSAT links. In the routing block, floating static routes will be configured for the locations connecting to VSAT as a secondary link. The administrative distance (AD) of the static route will be kept higher than that of the dynamic routing protocol, so the VSAT route is installed only when the BGP-learned route disappears.


EBGP peering will be formed between the DC and the POP routers and between the members and their POP routers. For all the member locations we can use the same AS number.

Routing Block to Core Firewall connectivity will be on fiber. HSRP will be configured on the Routing Block towards the firewall end so that redundancy can be achieved. The Firewall will point its outbound routes towards the VIP of the Routing Block.
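The path selection described in sections 11 and 11.1 (LOCAL_PREF set on the 7206 routers so the Routing Block prefers the primary one, and a floating static route towards VSAT whose administrative distance sits above BGP's), modelled as an added Python example. It is not part of the project's design or configuration: the member prefix, next-hop addresses and LOCAL_PREF values are constructed, and the administrative distances are the Cisco IOS defaults.

```python
"""
Model of the return-path selection from sections 11 and 11.1: a member
subnet is reachable over the primary leased line (BGP) and over a VSAT
backup (floating static). The routing block prefers the primary core router
by BGP LOCAL_PREF and falls back to the floating static only when no BGP
path is left. Added example, not the project's own tooling. AD values are
Cisco IOS defaults; prefix, next hops and LOCAL_PREF values are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Cisco IOS default administrative distances (lower wins between protocols).
AD_STATIC, AD_EBGP, AD_IBGP = 1, 20, 200
# A floating static must sit above BGP's AD, otherwise it would always win.
AD_FLOATING_STATIC = 250


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str
    source: str            # "ebgp", "ibgp" or "static"
    ad: int
    local_pref: int = 100  # BGP attribute; ignored for static routes
    via: str = ""          # label of the link/router the route came through


class Rib:
    """Minimal routing table: keeps all candidates, installs the best one."""

    def __init__(self) -> None:
        self.candidates: Dict[str, List[Route]] = {}

    def add(self, route: Route) -> None:
        self.candidates.setdefault(route.prefix, []).append(route)

    def withdraw(self, prefix: str, via: str) -> None:
        """Drop the route learned over 'via' (link or neighbour went down)."""
        self.candidates[prefix] = [r for r in self.candidates.get(prefix, []) if r.via != via]

    def best(self, prefix: str) -> Optional[Route]:
        cands = self.candidates.get(prefix, [])
        if not cands:
            return None
        installable: List[Route] = [r for r in cands if r.source == "static"]
        bgp_paths = [r for r in cands if r.source in ("ebgp", "ibgp")]
        if bgp_paths:
            # BGP first picks one best path among its own candidates:
            # highest LOCAL_PREF, then eBGP over iBGP.
            installable.append(max(bgp_paths, key=lambda r: (r.local_pref, r.source == "ebgp")))
        # Between protocols the lowest administrative distance is installed.
        return min(installable, key=lambda r: r.ad)


def routing_block_scenario(static_ad: int = AD_FLOATING_STATIC) -> List[str]:
    """Return the path the routing block uses in three successive states:
    steady state, primary core router lost, all leased-line paths lost."""
    member = "10.200.5.0/24"  # constructed member LAN
    rib = Rib()
    # Both 7206 core routers re-advertise the member prefix over iBGP; the
    # primary one sets a higher LOCAL_PREF so the routing block prefers it.
    rib.add(Route(member, "10.166.9.1", "ibgp", AD_IBGP, local_pref=200, via="core-router-1/LL"))
    rib.add(Route(member, "10.166.9.2", "ibgp", AD_IBGP, local_pref=100, via="core-router-2/LL"))
    # Floating static towards the VSAT router for the same prefix.
    rib.add(Route(member, "10.166.9.254", "static", static_ad, via="vsat"))

    chosen = [rib.best(member).via]
    rib.withdraw(member, "core-router-1/LL")  # primary router or its link fails
    chosen.append(rib.best(member).via)
    rib.withdraw(member, "core-router-2/LL")  # leased-line path gone entirely
    chosen.append(rib.best(member).via)
    return chosen


if __name__ == "__main__":
    print("floating static (AD 250):", routing_block_scenario())
    print("plain static (AD 1):     ", routing_block_scenario(static_ad=AD_STATIC))
```

Running it prints the path used in each of the three states. The second call shows why the static route's AD has to be above BGP's: with the default static AD of 1, the VSAT path would be installed even while the leased line is up.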

11.2 Server Connectivity

All the Application and Database servers in the Data Center will be connected on the Data Center Core switch with different L2 VLAN structures. The Core Firewall will be the gateway for the server farm. The core switches used are 6509 switches with Virtual Switching System (VSS) capabilities. By using VSS the data planes of these switches will act as a single plane and the throughput will be the sum of both. To connect these VSS 6509s, 10 Gig links will be used. We are providing chassis-level redundancy for the servers: servers with multiple NICs can be connected to both switches. This will act as the Core layer and provide high-speed switching between the servers.

Core Firewall will act as a security point Gateway for all the servers in the Network. All the security policies will be defined here.


Each server will have two NIC cards with teaming configured, one connecting to Core Switch 1 and the other to Core Switch 2.

Database Servers: Default Gateway 10.166.16.1
Application Servers: Default Gateway 10.166.11.1

Server physical port allotment is as below:

11.3 Physical Connectivity

[Diagram: physical connectivity between Core Router-1 and Core Router-2 (7206), Routing Block-1 and Routing Block-2 (6524) and Core Switch 1 and Core Switch 2 (6509); port labels shown in the diagram: G0/1, G0/2, G0/31, G0/32, G5/1, G5/2]


The following provides an example of configuring the Gigabit Ethernet port interfaces between the Core Switches and the servers.

11.4 Layer 2 Recommendations

11.4.1 VLAN Trunking Protocol

All switches will be configured in VTP transparent mode to avoid the risk of overwriting an existing VLAN database associated with a VTP server/client, and to maintain a consistent configuration.

11.4.2 EtherChannel (PAgP)

Layer 2 Channel:

It is recommended to configure the channel mode as desirable on both ends of the switches for an L2 channel. For a Layer 2 channel, make sure to first configure the physical interfaces as Layer 2 switch ports, and then configure the channel-group under the physical interfaces.

Switchport Access Configuration

interface gig<mod/port>
 description <meaningful text>
 switchport
 switchport access vlan <vlan>
 switchport mode access
 no ip address
 spanning-tree portfast

VTP Configuration

vtp mode transparent

Page 22: INTRODUCTION - Techshristi · Web viewTo multiplex VLAN traffic, special protocols exist that encapsulate or tag (mark) the frames so that the receiving device knows to which VLAN

Banking Network Design

11.4.3UDLD

UDLD is recommended to detect uni-directional connections caused by bad fiber wiring. UDLD should be enabled globally.

11.4.4Interface Speed/Duplex

For manageability, auto-negotiation is recommended to minimize management of servers. Auto-negotiation is supported on Catalyst switches, although the latest NIC drivers are often required on the end-hosts.In general, speed and duplex for server ports are left un-configured (auto-negotiation). For certain server ports may require speed and duplex are to be hard coded.

Umesh joshi Enroll. No. 052604989

Ether Channel Configuration

Interface range <interfaces>switchportchannel-group <group #> mode desirableno shut

UDLD Configuration

UDLD enable

Speed/ Duplex Configuration

Speed 100/ 1000Duplex full
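As an added example (not part of the original design document), the following Python script checks an IOS-style running configuration against the Layer 2 recommendations above: VTP in transparent mode, UDLD enabled globally, PortFast only on access ports, no access port left in VLAN 1, and channel members set to desirable. The sample configuration is constructed for the example, and the parsing is deliberately simple (an interface stanza is the block of indented lines that follows an `interface` line).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample running-config for the example (not from the design document).
SAMPLE_CONFIG = """\
hostname DC-CORE-1
vtp mode server
!
interface GigabitEthernet5/1
 description uplink to Core Switch 2
 switchport
 switchport mode trunk
 channel-group 1 mode on
 spanning-tree portfast
!
interface GigabitEthernet5/2
 description uplink to Core Switch 2
 switchport
 switchport mode trunk
 channel-group 1 mode desirable
!
interface GigabitEthernet2/1
 description application server NIC 1
 switchport
 switchport access vlan 11
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet2/2
 description forgotten port
 switchport
 switchport mode access
!
"""


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split an IOS-style config into global lines and per-interface line lists."""
    globals_: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            globals_.append(line)
    return globals_, interfaces


def audit(text: str) -> List[str]:
    """Return one finding per violated Layer 2 recommendation."""
    globals_, interfaces = parse_config(text)
    findings: List[str] = []
    if "vtp mode transparent" not in globals_:
        findings.append("global: VTP is not in transparent mode")
    if "udld enable" not in globals_ and "udld aggressive" not in globals_:
        findings.append("global: UDLD is not enabled globally")
    for name, lines in interfaces.items():
        if "switchport" not in lines:
            continue  # routed port, not covered by the Layer 2 recommendations
        is_access = "switchport mode access" in lines
        # An access port with no explicit VLAN sits in VLAN 1, the IOS default.
        vlan = next((l.split()[-1] for l in lines if l.startswith("switchport access vlan ")), "1")
        if is_access and vlan == "1":
            findings.append(f"{name}: access port left in VLAN 1")
        if "spanning-tree portfast" in lines and not is_access:
            findings.append(f"{name}: portfast on a non-access port")
        for l in lines:
            m = re.match(r"channel-group \d+ mode (\S+)", l)
            if m and m.group(1) != "desirable":
                findings.append(f"{name}: channel-group mode is {m.group(1)}, expected desirable")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the audit reports the VTP server mode, the missing global UDLD, PortFast and `mode on` on the trunk member Gi5/1, and the access port Gi2/2 left in VLAN 1; the correctly configured server port Gi2/1 produces no finding.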


11.4.5 Default Gateway on Servers

All servers will use as their default gateway the IP address of the corresponding zone interface on the core firewall (10.166.11.1 for the application zone and 10.166.16.1 for the database zone). Traffic between the two server zones therefore always passes the firewall policy.

11.5 Routing between Firewall and Routing Block

VLAN interfaces will be configured on the Routing Block, with the IP address of the VLAN interface as shown below and an HSRP virtual IP shared by the two routing blocks. Because ASA failover does not preempt (the secondary unit stays active after the primary recovers), HSRP preempt will not be enabled either, so the active HSRP router does not move back on its own and drift away from the active firewall.

HSRP Configuration (Routing Block VLAN interface)

interface Vlan4
 ip address 10.166.9.33 255.255.255.240
 standby ip 10.166.9.35

11.5.1 DC Routing Configuration

a. Core Router Configuration

DC-end configuration:

router bgp xxxxx
 neighbor 192.168.1.5 remote-as yyyyy     >>> eBGP peering with the MPLS POP WAN-link IP
 neighbor 10.166.9.3 remote-as xxxxx      >>> iBGP peering with Routing Block-1
 neighbor 10.166.9.3 next-hop-self
 neighbor 10.166.9.20 remote-as xxxxx     >>> iBGP peering with Routing Block-2
 neighbor 10.166.9.20 next-hop-self

b. Routing Block Configuration

Routing Block-end configuration:

router bgp xxxxx
 redistribute static
 neighbor 10.166.9.1 remote-as xxxxx      >>> iBGP peering with Core Router-1
 neighbor 10.166.9.18 remote-as xxxxx     >>> iBGP peering with Core Router-2

ip route 10.166.11.0 255.255.255.0 10.166.9.36   >>> route for the application servers (next hop: core ASA WAN interface)
ip route 10.166.16.0 255.255.255.0 10.166.9.36   >>> route for the database servers

Only the two server prefixes above should be advertised towards the MPLS side. A bare redistribute static will also advertise any other static route later added to the Routing Block, so a route-map permitting just these prefixes should be attached to the redistribution.


12 VPN

Some members will connect to the DC via a site-to-site VPN, others via a remote-access VPN.

12.1 Site to Site VPN

Members can connect to the DC via a site-to-site VPN whose termination point will be the Internet router. The IKE Phase I and IPsec Phase II parameters will be shared with the member to bring up the tunnel. The member's IP addresses will be NATed to an IP pool provided by IMCX, and the NATed addresses (not the member's original addresses) will be configured as the interesting traffic in the IPsec Phase II crypto ACL, so both ends must agree on the same post-NAT addresses. Members need the client installed on their terminals to access the trading application. Traffic from members connecting via site-to-site VPN will be routed through the outside zone of both the core and the perimeter firewall, so it is subject to both firewall policies after decryption.

IP pool for site-to-site VPN members: 10.155.1.0 / 255.255.255.0

12.2 Remote Access VPN

Some members will access the trading application through the remote-access VPN client. For remote access, the termination point will be the perimeter Cisco ASA 5540. Users will be authenticated against the local user database of the ASA 5540; however, Cisco does not recommend authenticating more than 100 users against the ASA local database because of the overhead on ASA resources, so a RADIUS server (a free one is sufficient) is suggested for authenticating VPN users. A central RADIUS server also gives per-user accounting and a single place to disable an account. Members connecting via remote-access VPN will be routed through the outside zone of both the core and the perimeter firewall.

IP pool for remote-access VPN users: 10.155.2.0 / 255.255.255.0
Separate pools can be added as the number of users grows, e.g. 10.155.3.0, 10.155.4.0, etc.


13. Security Architecture

The security architecture comprises two layers: a Cisco ASA 5550 acts as the core-layer firewall with 1.2 Gbps of throughput, and a Cisco ASA 5540 acts as the perimeter-layer firewall with 650 Mbps of throughput.

13.1 Web DMZ Block

The Web DMZ module's primary goal is to provide application services to end users and devices. This section of the network houses corporate and departmental services such as print, content engine and proxy servers. In addition, the web application servers will be co-located in the DMZ block.

The DMZ block is connected directly to the Internet block through a set of redundant firewalls, interconnected to the DMZ switches over Gigabit Ethernet links. Incoming and outgoing traffic is load-balanced across both links.

Redundant core switches are recommended for connectivity to the servers. Mission-critical servers are dual-homed and configured for "switch fault tolerance": each is connected with two NICs, one to each core switch, as shown in the figure above.

Other servers, such as development servers with a single NIC, may be isolated by a single switch failure. Recabling to the other core switch, and the corresponding switch configuration, needs to be done under such circumstances.

13.2 Core Switch/Server Block

The core switch provides connectivity for the centralised servers. With the servers attached directly to the core, all client/server traffic crosses one hop from a subnet in the access layer to a subnet in the core. Policy-based control of access to the enterprise servers is implemented by the firewall or by access lists applied at the distribution layer or the enterprise core.

6500 switches equipped with redundant supervisor engines and power modules, together with the firewall, IDS and content-switching service modules, provide a secure and reliable platform for the servers. Servers holding sensitive corporate information, such as the internal mail server, departmental servers and corporate servers, should be located in the server block.

The Cisco Catalyst 6500 series IDS Service Module forms an important intrusion prevention system (IPS) solution for safeguarding server content from malicious Internet worms and DoS attacks. The FWSM is a high-speed, integrated firewall module that provides the fastest firewall rates for securing the servers while maintaining a high level of protection.

The server block shall have the flexibility of hosting multiple servers among which the traffic can be load-balanced. The CSM provides advanced Layer 4 to Layer 7 content-switching capabilities to the 6500, with features and benefits including:

• Reduced application response times
• Higher uptimes

13.3 Management DMZ

The primary goal of the management DMZ is to facilitate the secure management of all devices and hosts. This includes the logging and reporting flow from the enterprise network devices to the management hosts, as well as the flow of content, configurations and new software from the management hosts to the devices.

The Cisco Call Manager, along with the other network monitoring and management servers, shall reside within the management domain. Security and load-balancing services within the management block shall be provided by the service modules installed in the core switch.

13.4 Physical Connectivity

This section explains the connectivity of the Cisco ASA 5550 with the internal core 6509 switch and the Routing Block. The ASA 5550 will connect to the core switch and to the Cisco 6524 on fibre ports. Below is the physical connectivity diagram of the core connectivity:


There will be four zones on the Cisco ASA 5550: Application, Database, WAN and Outside. The Application and Database zones will be hosted on the Cisco 6509 switch, with the ASA 5550 as their gateway. Connectivity between the core switch and the ASA will be over fibre ports, whereas the servers will be connected over Gigabit Ethernet ports.

The default route of the core ASA will point towards the ASA 5540, i.e. 10.166.9.51. To reach the MPLS network, the route will point towards the Routing Block HSRP virtual IP, i.e. 10.166.9.35:

route outside 0.0.0.0 0.0.0.0 10.166.9.51
route WAN x.x.x.x x.x.x.x 10.166.9.35

The Cisco 6509 will have two Layer 2 VLANs, for Application and Database, and one Layer 3 VLAN for DR connectivity.


13.5 Connectivity to Perimeter Firewall & DMZ

Connectivity to the perimeter firewall will be over Gigabit Ethernet through Cisco 2960 switches. The two switches will be connected to each other through two uplinks to cover the risk of an uplink failure. Below is the physical connectivity between the core firewall, the Internet firewall and the DMZ:

In the normal scenario the physical path of the data flow will be: active core ASA -> Intercon SW 1 -> active Internet ASA.

Note: for security, VLAN 1 will not be used on the DMZ, Intercon and Internet switches. VLAN 1 cannot be deleted on Cisco switches, so in practice no access port is left in VLAN 1, interface Vlan1 is shut down, and VLAN 1 is removed from the allowed list on trunks.

The default route on the Internet firewall will point towards the Internet router:

route outside 0.0.0.0 0.0.0.0 <Internet Router>             default route
route inside 10.166.11.0 255.255.255.0 10.166.9.49          towards the Application zone
route inside 10.166.16.0 255.255.255.0 10.166.9.49          towards the Database zone
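As an added example (not part of the design document), the following Python code loads the static routes given on this page for the Routing Block, the core ASA 5550 and the Internet ASA 5540 and traces a packet hop by hop with a longest-prefix-match lookup on each device; a second function flags the case where an internal destination with no specific route would follow the default route out towards the Internet router. The next-hop-to-device mapping is taken from the routes on this page (10.166.9.35 is the Routing Block HSRP VIP, 10.166.9.36 and 10.166.9.49 belong to the core ASA, 10.166.9.51 to the Internet ASA, 10.166.9.1 to Core Router-1, 192.168.1.5 to the MPLS POP). Two values are assumptions, not from the document: the MPLS side is modelled as a single prefix 10.112.0.0/16 learned by the Routing Block over iBGP, and the Internet router's address is taken as 200.200.200.2.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Route tables built from this page's static routes. "connected" means deliver locally.
# Assumptions (not in the document): the MPLS side is the single prefix 10.112.0.0/16,
# learned by the Routing Block via iBGP from Core Router-1 (10.166.9.1), and the
# Internet router's address is 200.200.200.2.
ROUTES: Dict[str, List[Tuple[str, str]]] = {
    "routing-block": [
        ("10.166.11.0/24", "10.166.9.36"),   # application servers, via core ASA WAN interface
        ("10.166.16.0/24", "10.166.9.36"),   # database servers, via core ASA WAN interface
        ("10.112.0.0/16", "10.166.9.1"),     # assumed MPLS prefix via iBGP from Core Router-1
    ],
    "core-asa": [
        ("10.166.11.0/24", "connected"),     # Application zone interface
        ("10.166.16.0/24", "connected"),     # Database zone interface
        ("10.112.0.0/16", "10.166.9.35"),    # route WAN -> Routing Block HSRP VIP
        ("0.0.0.0/0", "10.166.9.51"),        # route outside -> Internet ASA inside
    ],
    "internet-asa": [
        ("10.166.11.0/24", "10.166.9.49"),   # route inside -> core ASA outside
        ("10.166.16.0/24", "10.166.9.49"),
        ("0.0.0.0/0", "200.200.200.2"),      # assumed Internet router address
    ],
    "core-router-1": [
        ("0.0.0.0/0", "192.168.1.5"),        # eBGP neighbour at the MPLS POP (simplified)
    ],
}

# Which device owns each next-hop address. Addresses not listed are off-net.
NEXT_HOP_OWNER: Dict[str, str] = {
    "10.166.9.35": "routing-block",
    "10.166.9.36": "core-asa",
    "10.166.9.49": "core-asa",
    "10.166.9.51": "internet-asa",
    "10.166.9.1": "core-router-1",
    "192.168.1.5": "mpls-pop",
    "200.200.200.2": "internet-router",
}


def lookup(device: str, dst: str) -> Optional[Tuple[str, str]]:
    """Longest-prefix match on one device's table; returns (prefix, next_hop) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in ROUTES[device]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return (str(best[0]), best[1]) if best else None


def trace(start: str, dst: str, max_hops: int = 8) -> List[str]:
    """Hop-by-hop path of a packet to dst, starting on the device named `start`."""
    path = [start]
    device = start
    for _ in range(max_hops):
        hit = lookup(device, dst)
        if hit is None:
            path.append("DROP(no route)")
            return path
        prefix, nh = hit
        if nh == "connected":
            path.append(f"deliver({prefix})")
            return path
        owner = NEXT_HOP_OWNER.get(nh, f"off-net({nh})")
        path.append(owner)
        if owner not in ROUTES:          # left the modelled network
            return path
        device = owner
    path.append("LOOP?")
    return path


def leaks_to_default(device: str, dst: str) -> bool:
    """True if an RFC 1918 destination would follow the default route on this device."""
    hit = lookup(device, dst)
    return bool(hit) and hit[0] == "0.0.0.0/0" and ipaddress.ip_address(dst).is_private


if __name__ == "__main__":
    print(trace("core-asa", "10.112.111.5"))       # server -> MPLS member
    print(trace("internet-asa", "10.166.16.20"))   # Internet side -> database zone
    print(trace("core-asa", "8.8.8.8"))            # server -> Internet
    print(leaks_to_default("internet-asa", "10.99.99.1"))
```

The trace confirms the paths the text describes: server traffic for the MPLS side leaves through the Routing Block and Core Router-1, traffic for the database zone arriving at the Internet ASA crosses the core ASA before delivery, and Internet-bound traffic passes both firewalls. The leak check shows the weakness of relying on the default route alone: on the Internet ASA any private destination outside the two inside routes is forwarded to the Internet router, so either null routes for the remaining private space or an explicit outbound policy is needed there.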


Servers hosted in the DMZ segment will be NATed to public IP addresses on the Cisco ASA 5540 Internet firewall, and only the required ports (e.g. HTTP, HTTPS) will be opened on it.

13.6 IDS Connectivity

Two Cisco IPS 4260 sensors will be configured in IDS (promiscuous) mode. They will monitor three zones: Application, Database and DMZ. Below is the physical connectivity of the IDS:

On DC-IMCX-CORE-1, port Gi 2/23 will be configured as a SPAN (mirror) port that receives a copy of the traffic on Gi 1/1; the sensor inspects it for malicious traffic and triggers an alert when a signature fires. IDS 2 will monitor the traffic on the secondary switch. The IDS will also monitor traffic from the Internet-facing DMZ zone. In promiscuous mode the sensor works on a copy of the traffic and can only alert; it cannot drop packets inline.


The firewall DMZ port connecting to the DMZ switch will be configured as the SPAN source port to capture the traffic for monitoring. Mirroring both directions of a Gigabit port can produce up to 2 Gbps towards a 1 Gbps destination port; frames beyond the destination's capacity are dropped silently and never reach the sensor, so utilisation of the source port needs to be kept in view.

DC-IMCX-DMZ-SW-1

monitor session 1 source interface Gi0/1 both
monitor session 1 destination interface Gi0/2

DC-IMCX-DMZ-SW-2

monitor session 1 source interface Gi0/1 both
monitor session 1 destination interface Gi0/2


14. Traffic Flow Diagram

Normal scenario:


Case I: primary MPLS link down

1. The eBGP peering between the POP and the core router will go down.
2. The Routing Block will use the routes from Core Router-2, as that is the available path.


Case II: Core Router-1 down

Traffic flow will continue through Core Router-2.


Case III: Routing Block-1 (primary) down

1. The firewall will change state, as its interface connecting to Routing Block-1 (primary) goes down.
2. The HSRP VIP on Routing Block-2 (secondary) will become active.
3. Traffic flow will continue through Routing Block-2 (secondary).


Traffic Flow in Case of Device Failure

Under normal circumstances all traffic flows through the primary (active) devices. This section depicts how traffic will flow in case of device failure. The following failure conditions are considered:

1. Primary active ASA 5550 fails
2. Cisco 6509 primary fails
3. Primary active Routing Block fails
4. Primary Internet ASA fails
5. Primary Internet router fails
6. Cisco 2960 Intercon 1 switch fails
7. Cisco 2960 Internet 1 switch fails

14.1 Primary Active ASA 5550 Fail


In case of failure of DC-IMCX-ASA-PRI, failover will be triggered and DC-IMCX-ASA-SEC will become active, taking over the active IP and MAC addresses. As DC-IMCX-CORE-1 works in Layer 2 mode for the Application and Database zones, there is no failover at switch level: the now-active DC-IMCX-ASA-SEC answers ARP for the active IP, and the core switches learn it via DC-IMCX-CORE-2. The physical path for MPLS traffic will be DC-IMCX-CORE-1 -> DC-IMCX-CORE-2 -> DC-IMCX-ASA-SEC -> DC-IMCX-RTRBLK-2 -> DC-IMCX-RTRBLK-1 -> MPLS router.

14.2 Cisco 6509 Primary Fail

In case of failure of DC-IMCX-CORE-1, the active NIC of each server will fail and the passive NIC of the team will become active (forwarding). Failover will be triggered on DC-IMCX-ASA-PRI as its Application and Database interfaces go down, and DC-IMCX-ASA-SEC will become active. Traffic will flow through DC-IMCX-CORE-2 -> DC-IMCX-ASA-SEC -> DC-IMCX-RTRBLK-2 -> DC-IMCX-RTRBLK-1.

14.3 Primary Active Routing Block Fail

If DC-IMCX-RTRBLK-1 (Cisco 6524) fails, it will also trigger failover on DC-IMCX-ASA-PRI as its WAN interface goes down. There will be no failover at DC-IMCX-CORE-1, which is in Layer 2 mode. Traffic will flow through DC-IMCX-CORE-1 -> DC-IMCX-CORE-2 -> DC-IMCX-ASA-SEC -> DC-IMCX-RTRBLK-2.


14.4 Primary Internet ASA Fails

If DC-IMCX-INTERNET-PRI goes down, failover will be triggered and traffic will flow through DC-IMCX-ASA-PRI -> DC-IMCX-INTERCON-SW-1 -> DC-IMCX-INTERCON-SW-2 -> DC-IMCX-INTERNET-SEC.

14.5 Primary Internet Router Fail

If DC-IMCX-INTERNET-RTR-PRI fails, failover will happen at the Internet router and traffic will flow through DC-IMCX-INTERNET-ASA-PRI -> DC-IMCX-INTERNET-SW-1 -> DC-IMCX-INTERNET-SW-2 -> DC-IMCX-INTERNET-RTR-SEC.


14.6 Cisco 2960 Intercon 1 Switch Fail

If the switch between the core and Internet firewalls fails, it will trigger failover on both firewalls, and the secondary core and secondary Internet firewalls will become active. Traffic will flow through DC-IMCX-ASA-SEC -> DC-IMCX-ASA-INTERNET-SEC.


14.7 Cisco 2960 Internet 1 Switch Fail

If Internet switch 1 fails, failover will be triggered on the ASA and the router: DC-IMCX-ASA-INTERNET-SEC and DC-IMCX-INTERNET-RTR-SEC will become active. Traffic will flow through DC-IMCX-ASA-INTERNET-SEC -> DC-IMCX-INTERNET-SW-2 -> DC-IMCX-INTERNET-RTR-SEC.

15. Disaster Recovery

15.1 DR Setup

The disaster recovery site will be hosted at the Netmagic premises in Bangalore. Being the DR site, its network and security devices will not be deployed in redundant pairs. Connectivity to DR will be through a 40 Mbps point-to-point Ethernet link. Apart from the missing redundancy, the DR setup will be a replica of the DC. Below is the physical connectivity diagram of DR:


15.2 DR Replication

We suggest using a separate interface pair on the switch for DR replication; otherwise replication will pass through the firewall and add further load on it, given the firewall's current throughput. Static routes need to be configured on the servers to reach the DR site, and a separate Layer 3 interface can be created on the core switch to route the DR replication traffic. Because this path bypasses the firewall policy, the Layer 3 interface should carry an access list that permits only the replication hosts and ports towards DR.


16. Member Connectivity Scenarios

16.1 Single MPLS Circuit

Interactive and broadcast/multicast traffic will flow through a single MPLS VPN circuit.

• Traffic for all markets (interactive + broadcast) will flow through one link.
• Core router failover is automatic if one of the core routers fails.

Note:
- There is no automatic failover or high availability on failure of the leased line, as only one link is deployed.
- All members with a single leased line will have a single eBGP peering with the respective POP router at their location.
- Please refer to the member router configuration templates.


16.2 Single VSAT

Interactive and broadcast/multicast traffic will flow through the VSAT link.

• All interactive + broadcast traffic will flow through VSAT.
• Core router failover is automatic if one of the core routers fails.

Note:
- There is no automatic failover or high availability on VSAT, as only one VSAT is deployed.
- At the core end, pre-defined static routes need to be configured for the member subnets.

[Figure: Single VSAT connectivity (DC switch, DR, VSAT cloud, hub station, users).]

16.3 MPLS and VSAT (As a Backup)

VSAT will be configured as a backup to fail over to in case the backbone fails; dynamic routing has to be configured end to end.

• Members can use MPLS as primary and VSAT as backup.
• Core router failover is automatic if one of the core routers fails.
• POP router failover is automatic if one of the POP routers fails.
• Members can use both MPLS and VSAT simultaneously.

All members with a single MPLS link will build a single eBGP peering with the respective POP router at the SP PoP; in case of MPLS failure, all member traffic will switch over automatically to VSAT.

Dynamic convergence between the POP and the member end will withdraw the routes in case of a failure on the backbone or last-mile links. Once the BGP routes are withdrawn at the member end, the router will use a floating static route over VSAT to reach the interactive and multicast traffic. The core routers will also converge according to the routing updates and start forwarding traffic towards the VSAT hub using pre-configured floating static routes.
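As an added example (not the document's own configuration), the following Python model shows the route selection behind this scenario: the member router holds an eBGP-learned route (administrative distance 20 in IOS) and a floating static route to the same prefix over the VSAT interface with a higher distance. While the BGP route is present it is installed; when BGP withdraws the prefix, the floating static becomes the active route and traffic moves to VSAT. The BGP next hop 192.168.1.2 is the POP WAN-link IP from this page and the prefixes are the DC server subnets; the VSAT next hop 10.200.0.1, the interface names and the distance 250 are assumptions for the example (the page gives no values).

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Cisco IOS default administrative distances used in the example.
AD_EBGP = 20
AD_FLOATING_STATIC = 250   # assumed value for the VSAT backup route (the page gives none)


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str
    egress: str          # interface the packet leaves on
    source: str          # "bgp" or "static"
    distance: int


@dataclass
class Rib:
    """All candidate routes per prefix; the lowest administrative distance is installed."""
    candidates: Dict[str, List[Route]] = field(default_factory=dict)

    def add(self, r: Route) -> None:
        self.candidates.setdefault(r.prefix, []).append(r)

    def withdraw(self, prefix: str, source: str) -> None:
        """Drop every route for prefix learned from source, e.g. on a BGP withdrawal."""
        self.candidates[prefix] = [r for r in self.candidates.get(prefix, []) if r.source != source]

    def installed(self, prefix: str) -> Optional[Route]:
        routes = self.candidates.get(prefix, [])
        return min(routes, key=lambda r: r.distance) if routes else None

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match over the installed routes (forwarding-table view)."""
        addr = ipaddress.ip_address(dst)
        best: Optional[Route] = None
        best_len = -1
        for prefix in self.candidates:
            net = ipaddress.ip_network(prefix)
            r = self.installed(prefix)
            if r and addr in net and net.prefixlen > best_len:
                best, best_len = r, net.prefixlen
        return best


def member_router() -> Rib:
    """Member-end RIB: DC server prefixes reachable over MPLS (eBGP) and VSAT (floating static)."""
    rib = Rib()
    for prefix in ("10.166.11.0/24", "10.166.16.0/24"):
        rib.add(Route(prefix, "192.168.1.2", "Serial0/0 (MPLS)", "bgp", AD_EBGP))      # POP WAN-link IP
        rib.add(Route(prefix, "10.200.0.1", "Ethernet1 (VSAT)", "static", AD_FLOATING_STATIC))  # assumed
    return rib


def egress_for(rib: Rib, dst: str) -> str:
    r = rib.lookup(dst)
    return r.egress if r else "no route"


def simulate_mpls_failure() -> Tuple[str, str]:
    """Egress interface for a DC server before and after the MPLS BGP routes are withdrawn."""
    rib = member_router()
    before = egress_for(rib, "10.166.11.10")
    # Backbone or last-mile failure: the eBGP session drops and the prefixes are withdrawn.
    for prefix in ("10.166.11.0/24", "10.166.16.0/24"):
        rib.withdraw(prefix, "bgp")
    after = egress_for(rib, "10.166.11.10")
    return before, after


if __name__ == "__main__":
    print(simulate_mpls_failure())
```

In IOS the backup route is written as ip route 10.166.11.0 255.255.255.0 <vsat next hop> 250. The distance only decides between routes to the same prefix: a floating static that is more specific than the BGP-learned prefix wins on longest match regardless of distance and would pull traffic onto VSAT in the normal state, so the backup prefixes must be no more specific than what BGP advertises.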


16.4 Dual Leased Circuit (Single or Different POPs)

Two leased-line circuits will be configured such that one link is used for interactive traffic and the other for multicast traffic.

All members in the dual leased-line scenario will establish two eBGP peerings with two separate routers within a single POP and will receive all the interactive market and multicast source routes from both routers.

At the member end, we will configure route-maps to filter the routes so that the particular market and multicast routes are received only through the particular POP router, using MED. This lets the routing table decide which paths to take for interactive and multicast traffic.

In case of one link failure between the POP router and the member, as the interactive and multicast routes are available through the other link, all traffic will flow through the other available link.

Note: high availability applies to every component (MPLS line, POP router and core router) except the POP location itself and the member-end router.


16.5 Dual MPLS VPN Circuit (Single or Different POPs)

One router will be configured for interactive traffic and the other to forward multicast traffic.

All members in the dual MPLS VPN scenario will establish two eBGP peerings with the upstream routers at the MPLS PoP and will receive all the interactive market and multicast source routes from both routers.

At the member end, we will configure route-maps to filter the routes so that the particular market and multicast routes are received only through the particular POP router, using MED. This lets the routing table decide which paths to take for interactive and multicast traffic.

In case of one link failure between the POP router and the member, as the interactive and multicast routes are available through the other link, traffic will switch seamlessly to the other link.

Member-end configuration:

router bgp xxxxx
 neighbor 192.168.1.2 remote-as yyyyy            >>> peering with the MPLS POP WAN-link IP
 network 10.112.111.0 mask 255.255.255.224       >>> member network advertised in BGP

17. Internet Connectivity

The Internet link is connected through Cisco 3845 routers. HSRP will be configured on the Internet routers, and the ASA 5540 will always forward traffic to the virtual IP of the routers.

Physical connectivity is as below:

Internet traffic will be pointed towards the Internet firewall, which secures all requests coming from the Internet. The Internet links will terminate on dedicated Internet routers in the DC, and a separate set of firewalls will be used for securing connections from the Internet. The Internet links will run in active/standby mode. Because the Internet last mile is Ethernet, the interface itself never goes down when the upstream path fails, so an IP SLA probe with object tracking is used to check the status of the link. Once tracking fails, the HSRP priority of the active router is decremented and the secondary link on the secondary router becomes active; for that to happen the secondary router must have standby preempt configured, otherwise the priority change has no effect on which router is active.

Internet Router Configuration (WAN and LAN IPs will be provided by the Internet SP):

router bgp zzzzz
 neighbor 203.199.199.1 remote-as ttttt     >>> eBGP peering with the Internet SP over the WAN-link IP
 network 200.200.200.0 mask 255.255.255.0   >>> APNIC-provided IP block

ip sla monitor 20
 type echo protocol ipIcmpEcho 203.199.199.1 source-ipaddr 203.199.199.2   >>> probe the SP side of the WAN link (the BGP neighbour above) from the router's own WAN interface IP
ip sla monitor schedule 20 life forever start-time now

track 10 rtr 20

interface GigabitEthernet0/0
 description Connecting to firewall
 ip address 200.200.200.2 255.255.255.0


Internet Access to Regions

Proxy Services

The Internet feed into the network will be centrally controlled from the data centre; hence users at the regions will ride over the MPLS network to access the Internet. Cisco ACNS 7305 content engines positioned at the Internet gateways will cache commonly visited web pages, and web requests from the entire network will hit the content engine before being redirected to the Internet.

Caching engines serve as accelerators, as pages are served locally rather than every request being forwarded to the Internet.

Content filtering can be deployed in conjunction with applications such as Websense or SmartFilter.


18. Multicast Architecture

Traditional IP communications allow a host to send packets to another host (unicast) or to all hosts (broadcast). IP Multicast provides a third alternative: a host can send packets to a group made up of a subset of the hosts on the network. IP Multicast is a bandwidth-conserving technology designed to reduce traffic by delivering a single stream of information simultaneously to potentially thousands of corporate recipients or homes. By replacing per-recipient copies with the delivery of a single stream, IP Multicast minimises the burden on both sending and receiving hosts and reduces overall network traffic. Within a multicast network, routers are responsible for replicating and distributing multicast content to all hosts listening to a particular multicast group (see Figure 1). Cisco routers employ Protocol Independent Multicast (PIM) to build distribution trees for transmitting multicast content, resulting in the most efficient delivery of data to multiple receivers.

Alternatives to IP Multicast require the source to send more than one copy of the data. Traditional application-level unicast, for example, requires the source to transmit one copy for each individual receiver in the group.

Figure 1. Multicast Transmission to Many Receivers


Multicast Applications and Environments

IP Multicast solutions offer benefits relating to the conservation of network bandwidth. In the case of a high-bandwidth application, such as MPEG video, IP Multicast can benefit situations with only a few receivers, because a few video streams would otherwise consume a large portion of the available network bandwidth. Even for low-bandwidth applications, IP Multicast conserves resources when transmissions involve thousands of receivers. Additionally, IP Multicast is the only non-broadcast alternative for situations that require simultaneously sending information to more than one receiver.

For low-bandwidth applications, an alternative to IP Multicast could involve replicating data at the source. This solution, however, can degrade application performance, introduce latencies and variable delays that affect users and applications, and require expensive servers to manage the replication and data distribution. Such solutions also result in multiple transmissions of the same content, consuming an enormous amount of network bandwidth. For most high-bandwidth applications, these same issues make IP Multicast the only viable option.

Today, many applications commonly take advantage of multicast, as shown in Figure 2.

Figure 2. Different Types of IP Multicast Applications

Other applications that take advantage of IP Multicast include:
• Corporate communications
• Consumer television and music channel delivery
• Distance learning (for example, e-learning) and white-boarding solutions
• IP surveillance systems
• Interactive gaming


IP Multicast is supported in:
• IPv4 networks
• IPv6 networks
• Multiprotocol Label Switching (MPLS) VPNs
• Mobile and wireless networks

IP Multicast capabilities can be deployed using a variety of protocols, conventions and considerations suited to the network environments just mentioned. Multicast services can also be deployed across multiple protocol platforms and domains within the same network.

By implementing native IP Multicast functionality inside MPLS VPN networks, service providers can more efficiently deliver bandwidth-intensive streaming services such as telecommuting, videoconferencing, e-learning and a host of other business applications. Cisco Multicast VPN technology eliminates the packet replication and performance issues associated with the traffic of these applications.

Multicast MPLS VPNs further benefit service providers by:
• Minimising configuration time and complexity: configuration is required only at edge routers
• Ensuring transparency of the service provider network
• Providing the ability to easily build advanced enterprise-friendly services such as Virtual Multicast Networks
• Increasing network scalability

IP Multicast can work with Cisco Mobile Networks. An IP Mobility platform extends a network with traditional fixed-line access to an environment that supports mobile wireless access. From the point of view of IP Mobility, multicast is a network service or application. Within an IP Mobility environment, IP Multicast can be employed to deliver content to users with wireless devices. An example is the Cisco Mobile Networks Tunnel Template feature. Using this feature, service providers can configure multicast on statically created tunnels to be applied to dynamic tunnels brought up on the home agent and mobile router. A tunnel template is defined and applied to the tunnels between the home agent and the mobile router. The mobile router can then roam, and the tunnel template enables multicast sessions to be carried through to mobile users.


Increasing Demand For IP Multicast

Over the past decade, enterprise and public sector adoption of IP Multicast-enabled applications has skyrocketed (see Figure 3), and service providers have responded by increasingly adding multicast VPNs to service portfolios. Today, any service provider with enterprise customers must support IP Multicast to remain competitive. The deployment of video services provides further incentives for the strengthening of a service provider's multicast platform, because it offers the most efficient, cost-effective means of supporting triple-play traffic (data, voice, and video).

Figure 3. Multicast Deployments

Technical Overview

Multicast Groups

Networks using IP Multicast deliver source content to multiple users (hosts or receivers) that are interested in the data stream. A multicast channel refers to the combination of a content source IP address and the IP Multicast group address to which the content is being broadcasted. Unlike unicast/broadcast addresses, multicast groups do not have any physical or geographic boundaries, and receivers interested in joining can be located anywhere on a network or the Internet as long as a multicast-enabled path has been established.

To receive a particular multicast data stream, hosts must join a multicast "group" by sending an Internet Group Management Protocol (IGMP) message to their local multicast router. Almost all networks and applications use either IGMP Version 2 or 3. IGMPv2/3 allows individual receivers to independently join or leave a group.

Content is identified by "(S,G)" where G is the multicast group and S is the sending source IP address. The multicast group address lies in the Class D IP address space. The content provider/owner and service providers select the multicast address based on the local multicast addressing policy (whether multicast applications are local or global in scope).

Multicast Forwarding and Distribution Trees

In a multicast network, routers are responsible for replicating source content and forwarding it to multiple recipients. Routers use the PIM protocol to build "distribution trees" for multicast routing in the network. Routers replicate source content at any point where the network paths diverge, and use Reverse Path Forwarding (RPF) techniques to ensure content is forwarded to the appropriate downstream paths without routing loops.

Multicast-capable routers dynamically create distribution trees that control the path the content travels through the network. PIM uses two types of multicast distribution trees: "shared trees" and "source trees." Services and applications can exclusively use shared trees (Bidirectional [Bi-Dir]), exclusively use source trees (Source Specific Multicast [SSM]), or use a combination of the two (Any-Source Multicast [ASM]).

Routers may create shared trees so that a single distribution tree can be shared by all sources. Alternatively, a separate source tree can be built for each source. Source trees offer the most optimal paths (and least latency) for multicast traffic, whereas shared trees consume much lower router memory resources.

Because members of multicast groups can join or leave at any time, distribution trees must be updated constantly. When all the active receivers on a particular branch stop requesting traffic for a particular multicast group, routers along the path will "prune" that branch from the distribution tree and stop forwarding traffic down that branch. If one receiver on that branch becomes active and requests the multicast traffic, the router will dynamically modify the distribution tree and resume forwarding traffic over that branch.

Security Requirements

To protect multicast content and multicast service networks, network administrators should address the following security considerations:

• Service-level security: Networks using IP Multicast can use filtering mechanisms to ensure that data streams are sent (and new distribution tree branches created) only for legitimate receivers and requesting routers. Service providers may use SSM along with Extended ACL support for SSM, which requires that the source address be supplied by any host requesting to join a multicast group. Using this combination of SSM and Extended ACL for SSM protects the network from rogue senders that might try to inundate the network with unauthorized traffic.

• Access and admission control: IP Multicast networks should use access control mechanisms such as access control lists (ACLs) and IGMP access groups to control access to multicast-capable routers. Quality of service (QoS) policing and queuing mechanisms, as well as multicast route-limiting mechanisms, provide additional access control for multicast networks. Multicast authentication, authorization, and accounting (AAA) integration can also be used for user authentication purposes within a multicast context.

• Policing multicast networks: Multicast networks require mechanisms not only to recognize illegitimate multicast groups, but to disable unauthorized groups, group ranges, and, if necessary, network routers.

• Firewall protection: New Cisco PIX® security platforms (such as the Cisco ASA 5500 Series Adaptive Security Appliances running Cisco PIX Firewall Software Version 7.0) provide PIM support. This feature eliminates the need to "tunnel" multicast traffic through the firewall, which would otherwise circumvent security policies.

• Native IP Multicast data encryption: New Cisco IOS® Secure Multicast provides a set of hardware and software features necessary to secure IP Multicast group traffic originating on or flowing through a Cisco IOS device. It combines the keying protocol Group Domain of Interpretation (GDOI) with IP Security (IPsec) encryption to provide users an efficient method to secure IP Multicast group traffic. With Cisco IOS Secure Multicast, a router can apply encryption to IP Multicast traffic without having to configure generic routing encapsulation (GRE) tunnels.

High-Availability Considerations

To ensure that critical multicast applications are reliable and highly available, network administrators delivering IP Multicast services should:

• Eliminate any single point of failure: Multicast networks should be architected to protect the entire path, from the source all the way to every receiver. The loss of any single router should not result in a disruption to the multicast stream at any point in the network.

• Design networks that can dynamically respond to problems: Network architects should use multicast protocols and strategies, such as "anycast" techniques for source redundancy, network topologies that provide path redundancies, and route processor redundancy in each node. These features ensure that the multicast network can immediately and automatically respond to the loss of any single source or network segment, and rapidly rebuild multicast trees as needed.

• Build scalability into the network: IP Multicast networks should be able to absorb growth dynamically, to ensure that usage spikes do not overwhelm the system.

• Employ high-availability techniques: Network architects should use mechanisms such as stateful switchover (SSO) and Cisco In-Service Software Upgrade (ISSU) support to help ensure availability in multicast IPv4, IPv6, and VPN environments.

Managing Multicast Networks

To effectively manage multicast environments, network administrators can use the following technologies:

• Multicast MIBs, which can be used with Simple Network Management Protocol (SNMP) tools to assess multicast network performance, identify issues and potential issues, and plan for network growth
• Multicast traps that can notify SNMP tools of multicast problems and errors such as invalid PIM messages and group changes
• Multicast "heartbeat" mechanisms, which confirm traffic stream activity and help prevent critical sections of a multicast group from being cut off from the data stream
• Multicast Syslog and NetFlow mechanisms, which provide Syslog and NetFlow information for large-scale network management tools and network event correlation engines
• Cisco Multicast Manager software, which provides a Web-based network management interface for multicast monitoring, diagnostics, health checks, and reporting


Cisco IP Multicast Technology Leadership

Cisco Systems® was an early innovator of IP Multicast, and has provided IP Multicast technology for more than a decade. The table in Figure 4 highlights important

Multicast Sparse mode will be used in the design.

Sparse-mode PIM works by defining a Rendezvous Point. When a sender wants to send data, it first sends to the Rendezvous Point. When a receiver wants to receive data, it registers with the Rendezvous Point. Once the data stream begins to flow from sender to Rendezvous Point to receiver, the routers in the path will optimize the path automatically to remove any unnecessary hops. Sparse-mode PIM assumes that no hosts want the multicast traffic unless they specifically ask for it.

The Rendezvous Point (RP) will be defined on the Routing block in the DC and in the DR. The RP address will be advertised into the routing protocol from both DC and DR towards the member routers. The RP route from DC will be advertised with a more specific (longer) prefix than the one advertised from DR, so the DC route is preferred. In case a member router is no longer able to reach the RP in DC, it will start sending packets to the RP in DR.
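The two pieces of routing logic the multicast design leans on, the RPF check mentioned under "Multicast Forwarding and Distribution Trees" and the prefix-based RP failover just described, both reduce to a longest-prefix-match lookup in the unicast table. The following is an added example, not code from the design document or from Cisco; the RP address 20.122.101.1 and the DC server subnet 20.122.11.0/24 come from the configurations in this chapter, while the interface names, the DR's covering prefix 20.122.101.0/24 and the sample source 20.122.11.10 are assumptions made for illustration.

```python
"""Added example: longest-prefix-match lookup used for (1) the PIM RPF check
and (2) the RP failover where DC advertises 20.122.101.1/32 and DR a less
specific covering prefix (assumed /24). Interface names are illustrative."""
import ipaddress
from typing import List, Optional, Tuple

# A unicast routing table entry: (prefix, outgoing interface).
Route = Tuple[ipaddress.IPv4Network, str]


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for prefix, iface in table:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def rpf_check(table: List[Route], source: str, arrival_iface: str) -> bool:
    """PIM Reverse Path Forwarding: accept a multicast packet only if it
    arrived on the interface the unicast table uses to reach its source.
    A packet from any other interface would create a loop (or comes from an
    unexpected path) and is dropped."""
    route = lookup(table, source)
    return route is not None and route[1] == arrival_iface


def rp_next_hop(table: List[Route], rp: str = "20.122.101.1") -> Optional[str]:
    """Interface a member router currently uses to reach the RP."""
    route = lookup(table, rp)
    return route[1] if route else None


# Constructed member-router table. DC advertises the RP as a /32 over the
# MPLS serial link; DR advertises a covering /24 (assumed) over the VSAT link.
TABLE: List[Route] = [
    (ipaddress.ip_network("20.122.101.1/32"), "Serial0/0"),    # RP via DC
    (ipaddress.ip_network("20.122.101.0/24"), "Ethernet1/0"),  # RP via DR
    (ipaddress.ip_network("20.122.11.0/24"), "Serial0/0"),     # DC server VLAN
    (ipaddress.ip_network("0.0.0.0/0"), "Serial0/0"),          # default via MPLS
]


def failover_demo() -> Tuple[Optional[str], Optional[str]]:
    """(RP next hop with the DC /32 present, RP next hop after it is withdrawn)."""
    before = rp_next_hop(TABLE)
    without_dc = [r for r in TABLE if str(r[0]) != "20.122.101.1/32"]
    after = rp_next_hop(without_dc)
    return before, after


if __name__ == "__main__":
    print("RP reached via (DC up, DC down):", failover_demo())
    # Traffic from a DC multicast server arriving over MPLS passes RPF ...
    print(rpf_check(TABLE, "20.122.11.10", "Serial0/0"))
    # ... the same source seen on the VSAT interface fails RPF and is dropped.
    print(rpf_check(TABLE, "20.122.11.10", "Ethernet1/0"))
```

When the DC /32 disappears from the table, the covering /24 from DR becomes the longest match and the member router's PIM joins follow it towards the DR RP, which is the failover behaviour the paragraph above describes.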

1. The client sends an IGMP join message to its designated multicast router. The destination MAC address maps to the Class D address of the group being joined, rather than being the MAC address of the router. The body of the IGMP datagram also includes the Class D group address.

2. The router logs the join message and uses PIM to add this segment to the multicast distribution tree.

3. IP multicast traffic transmitted from the server is now distributed via the designated router to the client's subnet. The destination MAC address corresponds to the Class D address of the group.

4. The switch receives the multicast packet and examines its forwarding table. If no entry exists for the MAC address, the packet will be flooded to all ports within the broadcast domain. If an entry does exist in the switch table, the packet will be forwarded only to the designated ports.

5. With IGMP V2, the client can cease group membership by sending an IGMP leave to the router. With IGMP V1, the client remains a member of the group until it fails to send a join message in response to a query from the router.


18.1 IGMP v2 (Internet Group Management Protocol)

IGMPv2 is used between hosts and their local router.

Hosts will use IGMP to register with the router to join (and leave) specific multicast groups; the router will then forward the data stream destined to a specific multicast group to the registered hosts.

A Leave Group message allows hosts to tell the router that they are leaving the group. This information reduces the leave latency for the group on the segment when the member who is leaving is the last member of the group.

When there are two IGMP routers on the same segment (broadcast domain), the router with the highest IP address is the designated querier. This applies in the scenario where we would have multiple routers at a member location.

Members joining a multicast group do not have to wait for a query to join; rather, they send an unsolicited report indicating their interest. This procedure will reduce join latency for an end system joining if no other members are present.

When an IGMPv2 router receives a Leave Group message, it responds by sending a group-specific query for the associated group to see whether there are still other hosts interested in receiving traffic for the group. This process helps to reduce overall leave latency.
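To make the five-step join/leave sequence and the IGMPv2 behaviour of section 18.1 concrete, here is an added example (not from the design document or any vendor code) that builds and validates IGMPv2 Membership Report and Leave Group messages and derives the Ethernet multicast MAC that the switch in step 4 keys its forwarding entry on. The group addresses 239.192.39.33 and 239.192.39.34 are the ones joined in the member router configuration later in this chapter; message layout follows RFC 2236, and everything else is constructed.

```python
"""Added example: IGMPv2 message build/parse plus the IPv4 group-to-MAC
mapping. Constructed for illustration; group addresses from the design."""
import ipaddress
import struct

IGMP_MEMBERSHIP_QUERY = 0x11
IGMP_V2_MEMBERSHIP_REPORT = 0x16   # the "join" of step 1 / unsolicited report
IGMP_LEAVE_GROUP = 0x17            # the IGMPv2 leave of step 5
ALL_ROUTERS = "224.0.0.2"          # Leave Group messages are sent here


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, as used by IGMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_igmpv2(msg_type: int, group: str, max_resp: int = 0) -> bytes:
    """8-byte IGMPv2 message: type, max response time, checksum, group."""
    body = struct.pack("!BBH4s", msg_type, max_resp, 0,
                       ipaddress.IPv4Address(group).packed)
    return body[:2] + struct.pack("!H", internet_checksum(body)) + body[4:]


def parse_igmpv2(pkt: bytes):
    """Return (type, group) if the checksum verifies, else None."""
    if len(pkt) < 8 or internet_checksum(pkt[:8]) != 0:
        return None
    msg_type, _, _, raw = struct.unpack("!BBH4s", pkt[:8])
    return msg_type, str(ipaddress.IPv4Address(raw))


def group_to_mac(group: str) -> str:
    """IPv4 multicast MAC = 01:00:5e + low 23 bits of the group address.
    Only 23 of the 28 significant group bits survive, so 32 groups share
    each MAC; a switch filtering on MAC alone cannot tell them apart."""
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


def ip_destination_for(msg_type: int, group: str) -> str:
    """Reports are addressed to the group itself; Leave Group to all-routers."""
    return ALL_ROUTERS if msg_type == IGMP_LEAVE_GROUP else group


def join_leave_demo(group: str = "239.192.39.33") -> dict:
    """Round-trip a join and a leave, and show a corrupted join is rejected."""
    join = build_igmpv2(IGMP_V2_MEMBERSHIP_REPORT, group)
    leave = build_igmpv2(IGMP_LEAVE_GROUP, group)
    corrupted = join[:4] + b"\xff" + join[5:]   # flip first group byte
    return {
        "join": parse_igmpv2(join),
        "join_dst": ip_destination_for(IGMP_V2_MEMBERSHIP_REPORT, group),
        "leave": parse_igmpv2(leave),
        "leave_dst": ip_destination_for(IGMP_LEAVE_GROUP, group),
        "mac": group_to_mac(group),
        "corrupt": parse_igmpv2(corrupted),
    }


if __name__ == "__main__":
    for k, v in join_leave_demo().items():
        print(k, v)
    # 239.192.39.33 and 239.64.39.33 map to the same MAC (23-bit overlap).
    print(group_to_mac("239.192.39.33") == group_to_mac("239.64.39.33"))
```

The 32:1 overlap in group_to_mac is the reason step 4 can deliver frames of an unrelated group to a port that joined a different one; choosing group addresses in the design so that they do not collide in the low 23 bits avoids that leakage.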


18.2 Multicast Architecture in DC

The above diagram represents the Multicast setup in DC. It shows two logical blocks representing the traffic flow for Multicast and Interactive traffic. Physically only one pair of devices will be deployed as shown in the DC diagram.

For multicast traffic a layer 3 context will be created on the firewall, and a separate layer 3 context will be created for interactive traffic.

The security appliance supports both PIM-SM and bidirectional PIM. We will implement PIM-SM for our network.

PIM-SM is a multicast routing protocol which uses the underlying unicast routing information base or a separate multicast-capable routing information base. It builds unidirectional shared trees rooted at a single Rendezvous Point per multicast group and optionally creates shortest-path trees per multicast source.

L3 links between the Core switch & firewall and between firewall & routing block will be created.


[Figure: Logical Separation for Multicast & Interactive Traffic in Datacenter. Blocks shown: Core Switch (Multicast VLAN) and Core Switch (Interactive VLAN), each behind its own Layer 3 Context on the firewall; Routing Block (RP for Multicast) and Routing Block; Multicast Servers and Interactive Servers; Members Connectivity.]


Multicast Routing Configuration on Routing Block

    ip multicast-routing
    !
    interface Vlan2
     description >>> Connecting to Core Router-1
     ip address 20.122.9.3 255.255.255.240
     ip pim sparse-mode
    !
    interface Vlan3
     description >>> Connecting to Core Router-2
     ip address 20.122.9.19 255.255.255.240
     ip pim sparse-mode
    !
    interface Vlan4
     description >>> Connecting to Core Router-2
     ip address 20.122.9.33 255.255.255.240
     standby 10 ip 20.122.9.35
     standby 10 priority 105
     ip pim sparse-mode
    !
    interface Loopback1
     description >>> RP Address
     ip address 20.122.101.1 255.255.255.255
     ip pim sparse-mode
    !
    ip pim rp-address 20.122.101.1


Multicast Configuration on Member Router

The data center has been engineered keeping in mind the No Single Point Of Failure design, so as to deliver the five nines of availability required from the core infrastructure. This is absolutely essential since this data center will host all the applications and provide services to the entire WAN network as well as all future planned connections to the business partner networks.


Member End Router Multicast Configuration

    ip multicast-routing
    !
    interface Serial0/0
     description "Member to MPLS-POP Connectivity"
     ip address 192.168.1.1 255.255.255.252
     ip pim sparse-mode
    !
    interface Ethernet1/0
     description "Back up VSAT Connectivity"
     ip address 192.168.2.1 255.255.255.252
     ip igmp join-group 239.192.39.33
     ip igmp join-group 239.192.39.34
    !
    ip pim rp-address 20.122.101.1
    ip route 20.122.11.0 255.255.255.0 Ethernet1/0 255
    ip route 10.167.11.0 255.255.255.0 Ethernet1/0 255
    ip route 20.122.101.1 255.255.255.255 Ethernet1/0 255
    ! (Floating static routes towards VSAT IDU / VSAT interface)

Note: Cisco IOS treats an administrative distance of 255 as untrusted and does not install a static route configured with it, so for these floating statics to take effect when the MPLS path is lost the distance must be below 255 (for example 254).


19. Wireless LANs

Wireless Access Points will be deployed in HO and will be integrated into existing network.

19.1 LAN Switching and VLANs

A LAN switch is a device that provides much higher port density at a lower cost than traditional bridges. For this reason, LAN switches can accommodate network designs featuring fewer users per segment, thereby increasing the average available bandwidth per user. This chapter provides a summary of general LAN switch operation and maps LAN switching to the OSI reference model.

The trend toward fewer users per segment is known as microsegmentation. Microsegmentation allows the creation of private or dedicated segments—that is, one user per segment. Each user receives instant access to the full bandwidth and does not have to contend for available bandwidth with other users. As a result, collisions (a normal phenomenon in shared-medium networks employing hubs) do not occur, as long as the equipment operates in full-duplex mode.

A LAN switch forwards frames based on either the frame's Layer 2 address (Layer 2 LAN switch) or, in some cases, the frame's Layer 3 address (multilayer LAN switch). A LAN switch is also called a frame switch because it forwards Layer 2 frames, whereas an ATM switch forwards cells.

Figure 26-1 illustrates a LAN switch providing dedicated bandwidth to devices and illustrates the relationship of Layer 2 LAN switching to the OSI data link layer.


Figure 26-1 A LAN Switch Is a Data Link Layer Device

History

The earliest LAN switches were developed in 1990. They were Layer 2 devices (bridges) dedicated to solving desktop bandwidth issues. Recent LAN switches evolved to multilayer devices capable of handling protocol issues involved in high-bandwidth applications that historically have been solved by routers. Today, LAN switches are used to replace hubs in the wiring closet because user applications demand greater bandwidth.

LAN Switch Operation

LAN switches are similar to transparent bridges in functions such as learning the topology, forwarding, and filtering. These switches also support several new and unique features, such as dedicated communication between devices through full-duplex operations, multiple simultaneous conversations, and media-rate adaption.

Full-duplex communication between network devices increases file-transfer throughput. Multiple simultaneous conversations can occur by forwarding, or switching, several packets at the same time, thereby increasing network capacity by the number of conversations supported. Full-duplex communication effectively doubles the throughput, while with media-rate adaption, the LAN switch can translate between 10 and 100 Mbps, allowing bandwidth to be allocated as needed.


Deploying LAN switches requires no change to existing hubs, network interface cards (NICs), or cabling.

VLANs Defined

A VLAN is defined as a broadcast domain within a switched network. Broadcast domains describe the extent that a network propagates a broadcast frame generated by a station. Some switches may be configured to support a single or multiple VLANs. Whenever a switch supports multiple VLANs, broadcasts within one VLAN never appear in another VLAN. Switch ports configured as a member of one VLAN belong to a different broadcast domain, as compared to switch ports configured as members of a different VLAN.

Creating VLANs enables administrators to build broadcast domains with fewer users in each broadcast domain. This increases the bandwidth available to users because fewer users will contend for the bandwidth.

Routers also maintain broadcast domain isolation by blocking broadcast frames. Therefore, traffic can pass from one VLAN to another only through a router.

Normally, each subnet belongs to a different VLAN. Therefore, a network with many subnets will probably have many VLANs. Switches and VLANs enable a network administrator to assign users to broadcast domains based upon the user's job need. This provides a high level of deployment flexibility for a network administrator.

Advantages of VLANs include the following:

• Segmentation of broadcast domains to create more bandwidth
• Additional security by isolating users with bridge technologies
• Deployment flexibility based upon job function rather than physical placement

Switch Port Modes

Switch ports run in either access or trunk mode. In access mode, the interface belongs to one and only one VLAN. Normally a switch port in access mode attaches to an end user device or a server. The frames transmitted on an access link look like any other Ethernet frame.

Trunks, on the other hand, multiplex traffic for multiple VLANs over the same physical link. Trunk links usually interconnect switches, as shown in Figure 26-2. However, they may also attach end devices such as servers that have special adapter cards that participate in the multiplexing protocol.


Figure 26-2 Switches Interconnected with Trunk Links

Note that some of the devices attach to their switch using access links, while the connections between the switches utilize trunk links.

To multiplex VLAN traffic, special protocols exist that encapsulate or tag (mark) the frames so that the receiving device knows to which VLAN the frame belongs. Trunk protocols are either proprietary or based upon IEEE 802.1Q. For example, a proprietary trunk protocol may be like Cisco's proprietary Inter-Switch Link (ISL), which enables Cisco devices to multiplex VLANs in a manner optimized for Cisco components. Or, an intervendor solution may be implemented, such as 802.1Q, which enables products from more than one vendor to multiplex VLANs on a trunk link.

Without trunk links, multiple access links must be installed to support multiple VLANs between switches. This is not cost-effective and does not scale well, so trunks are preferable for interconnecting switches in most cases.

LAN Switching Forwarding

LAN switches can be characterized by the forwarding method that they support. In the store-and-forward switching method, error checking is performed and erroneous frames are discarded. With the cut-through switching method, latency is reduced by eliminating error checking.

With the store-and-forward switching method, the LAN switch copies the entire frame into its onboard buffers and computes the cyclic redundancy check (CRC). The frame is discarded if it contains a CRC error or if it is a runt (less than 64 bytes, including the CRC) or a giant (more than 1518 bytes, including the CRC). If the frame does not contain any errors, the LAN switch looks up the destination address in its forwarding, or switching, table and determines the outgoing interface. It then forwards the frame toward its destination.

With the cut-through switching method, the LAN switch copies only the destination address (the first 6 bytes following the preamble) into its onboard buffers. It then looks up the destination address in its switching table, determines the outgoing interface, and forwards the frame toward its destination. A cut-through switch provides reduced latency because it begins to forward the frame as soon as it reads the destination address and determines the outgoing interface.

Some switches can be configured to perform cut-through switching on a per-port basis until a user-defined error threshold is reached, when they automatically change to store-and-forward mode. When the error rate falls below the threshold, the port automatically changes back to store-and-forward mode.

LAN switches must use store-and-forward techniques to support multilayer switching. The switch must receive the entire frame before it performs any protocol-layer operations. For this reason, advanced switches that perform Layer 3 switching are store-and-forward devices.
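The trunk-tagging and forwarding-method passages above are easiest to see on real bytes. The following is an added example, not code from the design document or from any switch vendor: it builds Ethernet frames with an optional 802.1Q tag, reads the VLAN ID a trunk port would use, and applies the store-and-forward checks (CRC, runt, giant) next to the cut-through behaviour that reads only the destination MAC. All frames, MAC addresses and VLAN IDs are constructed for illustration.

```python
"""Added example: 802.1Q tag parsing and store-and-forward versus cut-through
frame handling. Frames and addresses are constructed, not from the design."""
import struct
import zlib
from typing import Optional

TPID_8021Q = 0x8100
MIN_FRAME = 64       # bytes including FCS; shorter is a runt
MAX_FRAME = 1518     # untagged maximum including FCS; longer is a giant
FCS_LEN = 4


def fcs(data: bytes) -> bytes:
    """Ethernet FCS is CRC-32 (same polynomial as zlib.crc32), little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def build_frame(dst: bytes, src: bytes, payload: bytes,
                vlan: Optional[int] = None, ethertype: int = 0x0800) -> bytes:
    """Build a frame; insert an 802.1Q tag (PCP 0, DEI 0) when vlan is given,
    pad to the minimum size and append the FCS."""
    hdr = dst + src
    if vlan is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF)   # TPID + TCI
    hdr += struct.pack("!H", ethertype)
    body = hdr + payload
    body += b"\x00" * max(0, MIN_FRAME - FCS_LEN - len(body))
    return body + fcs(body)


def vlan_of(frame: bytes) -> Optional[int]:
    """VLAN ID from the 802.1Q tag, or None for an untagged (access) frame."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF


def store_and_forward(frame: bytes) -> str:
    """Whole frame is buffered and checked before the table lookup."""
    limit = MAX_FRAME + (4 if vlan_of(frame) is not None else 0)
    if len(frame) < MIN_FRAME:
        return "discard: runt"
    if len(frame) > limit:
        return "discard: giant"
    if fcs(frame[:-FCS_LEN]) != frame[-FCS_LEN:]:
        return "discard: crc error"
    return "forward to " + frame[:6].hex(":")


def cut_through(frame: bytes) -> str:
    """Only the first 6 bytes (destination MAC) are read before forwarding,
    so a frame with a bad CRC is propagated rather than dropped."""
    return "forward to " + frame[:6].hex(":")


# Constructed sample frames (placeholder MAC addresses).
SERVER = bytes.fromhex("001122334455")
CLIENT = bytes.fromhex("66778899aabb")
GOOD_TAGGED = build_frame(SERVER, CLIENT, b"hello", vlan=10)
BAD_CRC = GOOD_TAGGED[:-1] + bytes([GOOD_TAGGED[-1] ^ 0x01])   # one FCS bit flipped
RUNT = build_frame(SERVER, CLIENT, b"x")[:40]
GIANT = build_frame(SERVER, CLIENT, b"A" * 1600)

if __name__ == "__main__":
    print("VLAN of tagged frame:", vlan_of(GOOD_TAGGED))
    for name, f in [("good", GOOD_TAGGED), ("bad crc", BAD_CRC),
                    ("runt", RUNT), ("giant", GIANT)]:
        print(f"{name:8} store-and-forward: {store_and_forward(f)}")
    print("bad crc  cut-through:       ", cut_through(BAD_CRC))
```

The tagged maximum is 1522 bytes rather than 1518 because the 4-byte tag sits between the source MAC and the EtherType, which is also why vlan_of reads bytes 12 to 15.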

LAN Switching Bandwidth

LAN switches also can be characterized according to the proportion of bandwidth allocated to each port. Symmetric switching provides evenly distributed bandwidth to each port, while asymmetric switching provides unlike, or unequal, bandwidth between some ports.

An asymmetric LAN switch provides switched connections between ports of unlike bandwidths, such as a combination of 10BaseT and 100BaseT. This type of switching is also called 10/100 switching. Asymmetric switching is optimized for client/server traffic flows in which multiple clients simultaneously communicate with a server, requiring more bandwidth dedicated to the server port to prevent a bottleneck at that port.

A symmetric switch provides switched connections between ports with the same bandwidth, such as all 10BaseT or all 100BaseT. Symmetric switching is optimized for a reasonably distributed traffic load, such as in a peer-to-peer desktop environment.


A network manager must evaluate the needed amount of bandwidth for connections between devices to accommodate the data flow of network-based applications when deciding to select an asymmetric or symmetric switch.

LAN Switch and the OSI Model

LAN switches can be categorized according to the OSI layer at which they filter and forward, or switch, frames. These categories are: Layer 2, Layer 2 with Layer 3 features, or multilayer.

● A Layer 2 LAN switch is operationally similar to a multiport bridge but has a much higher capacity and supports many new features, such as full-duplex operation. A Layer 2 LAN switch performs switching and filtering based on the OSI data link layer (Layer 2) MAC address. As with bridges, it is completely transparent to network protocols and user applications.

● A Layer 2 LAN switch with Layer 3 features can make switching decisions based on more information than just the Layer 2 MAC address. Such a switch might incorporate some Layer 3 traffic-control features, such as broadcast and multicast traffic management, security through access lists, and IP fragmentation.

● A multilayer switch makes switching and filtering decisions based on OSI data link layer (Layer 2) and OSI network layer (Layer 3) addresses. This type of switch dynamically decides whether to switch (Layer 2) or route (Layer 3) incoming traffic. A multilayer LAN switch switches within a workgroup and routes between different workgroups.

● Layer 3 switching allows data flows to bypass routers. The first frame passes through the router as normal to ensure that all security policies are observed. The switches watch the way that the router treats the frame and then replicate the process for subsequent frames. For example, if a series of FTP frames flows from 10.0.0.1 to 192.168.1.1, the frames normally pass through a router. Multilayer switching observes how the router changes the Layer 2 and Layer 3 headers and imitates the router for the rest of the frames. This reduces the load on the router and the latency through the network.


19.2 Wireless LAN Security Overview

Wireless LANs, because of their broadcast nature, require additional user authentication to prevent unauthorized access to network resources.

We will deploy 802.1X based authentication in the network because of the advantages listed below.

802.1X Authentication: The 802.1X framework uses a centralized RADIUS authentication server within the enterprise.

802.1X is an industry standard protocol for authenticating clients on wired and wireless networks. Microsoft Windows XP and Windows 2000 (patch available) have support for 802.1X authentication embedded in the operating system. This authentication mechanism is based on a challenge/response exchange.

Any new user on the wireless network is initially denied access to the network resources. The wireless access point sends an authentication request (challenge) to the end user. Upon receiving the user's response, the access point forwards it in a request to the central authentication server (RADIUS). The RADIUS server then verifies the response to the challenge against the record created for that user profile.


Since the password is passed as an MD5 computed HASH value, it is not possible for an eavesdropper to gain access to the network by using a wireless protocol analyzer.
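The exchange described in the 802.1X paragraphs above, modelled end to end as an added example (not code from the design document, Microsoft or any RADIUS product): a supplicant (the wireless client), an authenticator (the access point, which only relays and keeps the port closed until it hears an accept) and a RADIUS server holding the user records. The page does not name the EAP method, so the response layout MD5(identifier || password || challenge) is assumed from EAP-MD5-Challenge (RFC 3748); user names, passwords and the 16-byte random challenge are constructed.

```python
"""Added example: 802.1X challenge/response with a relaying access point and
a RADIUS server that issues a fresh single-use challenge per attempt.
Hash layout assumed from EAP-MD5-Challenge; records are constructed."""
import hashlib
import hmac
import os


def md5_response(ident: int, password: str, challenge: bytes) -> bytes:
    """What the supplicant sends back: MD5(identifier || password || challenge).
    The password itself never crosses the air, only this digest."""
    return hashlib.md5(bytes([ident & 0xFF]) + password.encode() + challenge).digest()


class RadiusServer:
    """Holds the user records; every attempt gets its own random challenge."""

    def __init__(self, users):
        self.users = users        # username -> password (constructed records)
        self.pending = {}         # (user, identifier) -> outstanding challenge
        self.next_id = 1

    def challenge(self, user):
        ident = self.next_id
        self.next_id = (self.next_id + 1) & 0xFF
        chal = os.urandom(16)
        self.pending[(user, ident)] = chal
        return ident, chal

    def verify(self, user, ident, response) -> bool:
        """Access-Accept only if the response matches the stored record under
        the challenge still outstanding for this identifier (consumed here)."""
        chal = self.pending.pop((user, ident), None)
        password = self.users.get(user)
        if chal is None or password is None:
            return False
        return hmac.compare_digest(md5_response(ident, password, chal), response)


class Supplicant:
    def __init__(self, user, password):
        self.user, self.password = user, password

    def respond(self, ident, challenge):
        return md5_response(ident, self.password, challenge)


class AccessPoint:
    """Authenticator: relays the exchange and opens the port only on accept."""

    def __init__(self, radius):
        self.radius = radius
        self.authorized = set()
        self.last_response = None   # the bytes a wireless analyser would see

    def authenticate(self, supplicant) -> bool:
        ident, chal = self.radius.challenge(supplicant.user)
        self.last_response = supplicant.respond(ident, chal)
        ok = self.radius.verify(supplicant.user, ident, self.last_response)
        if ok:
            self.authorized.add(supplicant.user)
        return ok

    def port_open(self, user) -> bool:
        return user in self.authorized


def demo():
    """Returns (valid login, replay of a captured digest, wrong password)."""
    radius = RadiusServer({"teller01": "correct-horse"})
    ap = AccessPoint(radius)
    good = ap.authenticate(Supplicant("teller01", "correct-horse"))
    captured = ap.last_response
    # The captured digest is bound to the old challenge; the server has
    # already consumed it and issues a new one, so the replay is refused.
    ident, _ = radius.challenge("teller01")
    replay = radius.verify("teller01", ident, captured)
    bad = ap.authenticate(Supplicant("teller01", "wrong-password"))
    return good, replay, bad


if __name__ == "__main__":
    print(demo())   # expected (True, False, False)
```

Two design points carry the security property the text relies on: the challenge is random and single use (pending entries are popped on verification), and the comparison is constant time via hmac.compare_digest so the verifier does not leak how many digest bytes matched.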


Routing Protocols

There are two routing protocols used in this network:

1) Open Shortest Path First (OSPF)
2) Border Gateway Protocol (BGP)

Open Shortest Path First (OSPF)

Open Shortest Path First (OSPF) is a routing protocol developed for Internet Protocol (IP) networks by the Interior Gateway Protocol (IGP) working group of the Internet Engineering Task Force (IETF). The working group was formed in 1988 to design an IGP based on the Shortest Path First (SPF) algorithm for use in the Internet. Similar to the Interior Gateway Routing Protocol (IGRP), OSPF was created because in the mid-1980s, the Routing Information Protocol (RIP) was increasingly incapable of serving large, heterogeneous internetworks. This chapter examines the OSPF routing environment, underlying routing algorithm, and general protocol components.

OSPF was derived from several research efforts, including Bolt, Beranek, and Newman's (BBN's) SPF algorithm developed in 1978 for the ARPANET (a landmark packet-switching network developed in the early 1970s by BBN), Dr. Radia Perlman's research on fault-tolerant broadcasting of routing information (1988), BBN's work on area routing (1986), and an early version of OSI's Intermediate System-to-Intermediate System (IS-IS) routing protocol.

OSPF has two primary characteristics. The first is that the protocol is open, which means that its specification is in the public domain. The OSPF specification is published as Request For Comments (RFC) 1247. The second principal characteristic is that OSPF is based on the SPF algorithm, which sometimes is referred to as the Dijkstra algorithm, named for the person credited with its creation.

OSPF is a link-state routing protocol that calls for the sending of link-state advertisements (LSAs) to all other routers within the same hierarchical area. Information on attached interfaces, metrics used, and other variables is included in OSPF LSAs. As OSPF routers accumulate link-state information, they use the SPF algorithm to calculate the shortest path to each node.

As a link-state routing protocol, OSPF contrasts with RIP and IGRP, which are distance-vector routing protocols. Routers running the distance-vector algorithm send all or a portion of their routing tables in routing-update messages to their neighbors.

Routing Hierarchy

Unlike RIP, OSPF can operate within a hierarchy. The largest entity within the hierarchy is the autonomous system (AS), which is a collection of networks under a common administration that share a common routing strategy. OSPF is an intra-AS (interior gateway) routing protocol, although it is capable of receiving routes from and sending routes to other ASs.

An AS can be divided into a number of areas, which are groups of contiguous networks and attached hosts. Routers with multiple interfaces can participate in multiple areas. These routers, which are called Area Border Routers, maintain separate topological databases for each area.

A topological database is essentially an overall picture of networks in relationship to routers. The topological database contains the collection of LSAs received from all routers in the same area. Because routers within the same area share the same information, they have identical topological databases.

The term domain sometimes is used to describe a portion of the network in which all routers have identical topological databases. Domain is frequently used interchangeably with AS.

An area's topology is invisible to entities outside the area. By keeping area topologies separate, OSPF passes less routing traffic than it would if the AS were not partitioned.

Area partitioning creates two different types of OSPF routing, depending on whether the source and the destination are in the same or different areas. Intra-area routing occurs when the source and destination are in the same area; interarea routing occurs when they are in different areas.

An OSPF backbone is responsible for distributing routing information between areas. It consists of all Area Border Routers, networks not wholly contained in any area, and their attached routers. Figure 46-1 shows an example of an internetwork with several areas.

In the figure, routers 4, 5, 6, 10, 11, and 12 make up the backbone. If Host H1 in Area 3 wants to send a packet to Host H2 in Area 2, the packet is sent to Router 13, which forwards the packet to Router 12, which sends the packet to Router 11. Router 11 then forwards the packet along the backbone to Area Border Router 10, which sends the packet through two intra-area routers (Router 9 and Router 7) to be forwarded to Host H2.

The backbone itself is an OSPF area, so all backbone routers use the same procedures and algorithms to maintain routing information within the backbone that any area router would. The backbone topology is invisible to all intra-area routers, as are individual area topologies to the backbone.

Areas can be defined in such a way that the backbone is not contiguous. In this case, backbone connectivity must be restored through virtual links. Virtual links are configured between any backbone routers that share a link to a nonbackbone area and function as if they were direct links.

Figure 46-1 An OSPF AS Consists of Multiple Areas Linked by Routers

AS border routers running OSPF learn about exterior routes through exterior gateway protocols (EGPs), such as Exterior Gateway Protocol (EGP) or Border Gateway Protocol (BGP), or through configuration information. For more information about these protocols, see Chapter 39, "Border Gateway Protocol."

SPF Algorithm

The Shortest Path First (SPF) routing algorithm is the basis for OSPF operations. When an SPF router is powered up, it initializes its routing-protocol data structures and then waits for indications from lower-layer protocols that its interfaces are functional.

After a router is assured that its interfaces are functioning, it uses the OSPF Hello protocol to acquire neighbors, which are routers with interfaces to a common network. The router sends hello packets to its neighbors and receives their hello packets. In addition to helping acquire neighbors, hello packets also act as keepalives to let routers know that other routers are still functional.

On multiaccess networks (networks supporting more than two routers), the Hello protocol elects a designated router and a backup designated router. Among other things, the designated router is responsible for generating LSAs for the entire multiaccess network. Designated routers allow a reduction in network traffic and in the size of the topological database.

When the link-state databases of two neighboring routers are synchronized, the routers are said to be adjacent. On multiaccess networks, the designated router determines which routers should become adjacent. Topological databases are synchronized between pairs of adjacent routers. Adjacencies control the distribution of routing-protocol packets, which are sent and received only on adjacencies.

Each router periodically sends an LSA to provide information on a router's adjacencies or to inform others when a router's state changes. By comparing established adjacencies to link states, failed routers can be detected quickly, and the network's topology can be altered appropriately. From the topological database generated from LSAs, each router calculates a shortest-path tree, with itself as root. The shortest-path tree, in turn, yields a routing table.
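
The last step above, the shortest-path tree computed from the link-state database and read out as a routing table, is shown below as an added example in Python. It is not code from this report or from any router; the five-router topology, its costs and the router names are constructed for the illustration. It also covers the equal-cost multipath behaviour mentioned later under "Additional OSPF Features", and shows the recomputation every router performs when an LSA withdraws a link.

```python
"""Shortest-path-first calculation over a link-state database.

Added illustration (not code from the page): each router holds the same
LSDB and runs Dijkstra with itself as the root; the resulting tree is then
read out as a routing table of (cost, next hops). The topology below is
constructed for the example.
"""
import heapq

# Constructed LSDB: router-id -> {neighbor-id: cost of the outgoing link}.
# OSPF costs are assigned per outgoing interface, so the graph is directed
# and the two directions of a link need not carry the same cost.
LSDB = {
    "R1": {"R2": 10, "R3": 10},
    "R2": {"R1": 10, "R4": 10},
    "R3": {"R1": 10, "R4": 10, "R5": 30},
    "R4": {"R2": 10, "R3": 10, "R5": 10},
    "R5": {"R3": 30, "R4": 10},
}


def spf(lsdb, root):
    """Dijkstra from root. Returns (cost per node, set of next hops per node).

    Next hops are tracked alongside the tentative costs so that equal-cost
    paths end up with several next hops (OSPF equal-cost multipath).
    """
    dist = {root: 0}
    next_hops = {root: set()}
    heap = [(0, root)]
    done = set()
    while heap:
        d, u = heapq.heappop(heap)
        if u in done:
            continue                      # stale heap entry
        done.add(u)
        for v, cost in lsdb.get(u, {}).items():
            nd = d + cost
            # A neighbour of the root is its own next hop; anything further
            # away inherits the next hops of the node it was reached through.
            via = {v} if u == root else next_hops[u]
            if v not in dist or nd < dist[v]:
                dist[v] = nd
                next_hops[v] = set(via)
                heapq.heappush(heap, (nd, v))
            elif nd == dist[v] and v not in done:
                next_hops[v] |= via       # equal-cost path: keep both
    return dist, next_hops


def routing_table(lsdb, root):
    """Routing table derived from the SPF tree: dest -> (cost, [next hops])."""
    dist, next_hops = spf(lsdb, root)
    return {dst: (dist[dst], sorted(next_hops[dst]))
            for dst in dist if dst != root}


def withdraw_link(lsdb, a, b):
    """Return a copy of the LSDB with the link a<->b removed (a failed link).

    In OSPF a link failure is announced by new LSAs from the routers at each
    end; every router then reruns SPF on the updated database.
    """
    updated = {r: dict(n) for r, n in lsdb.items()}
    updated[a].pop(b, None)
    updated[b].pop(a, None)
    return updated


if __name__ == "__main__":
    for dst, (cost, nh) in sorted(routing_table(LSDB, "R1").items()):
        print(f"R1 -> {dst}: cost {cost} via {','.join(nh)}")
    # After the R4-R5 link fails, R5 is reached through R3 alone at cost 40.
    after = routing_table(withdraw_link(LSDB, "R4", "R5"), "R1")
    for dst, (cost, nh) in sorted(after.items()):
        print(f"(R4-R5 down) R1 -> {dst}: cost {cost} via {','.join(nh)}")
```

From R1, R4 and R5 both get two next hops (R2 and R3) because the two paths through the middle cost the same; once the R4-R5 link is withdrawn, the only remaining path to R5 is the expensive direct link from R3. Every router in the area runs exactly this computation on the same database, which is why a forged or corrupted LSA affects the whole area's forwarding, not just one router.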

Packet Format

All OSPF packets begin with a 24-byte header, as illustrated in Figure 46-2.

Figure 46-2 OSPF Packets Consist of Nine Fields

The following descriptions summarize the header fields illustrated in Figure 46-2.

• Version number: Identifies the OSPF version used.
• Type: Identifies the OSPF packet type as one of the following:
– Hello: Establishes and maintains neighbor relationships.
– Database description: Describes the contents of the topological database. These messages are exchanged when an adjacency is initialized.
– Link-state request: Requests pieces of the topological database from neighbor routers. These messages are exchanged after a router discovers (by examining database-description packets) that parts of its topological database are outdated.
– Link-state update: Responds to a link-state request packet. These messages also are used for the regular dispersal of LSAs. Several LSAs can be included within a single link-state update packet.
– Link-state acknowledgment: Acknowledges link-state update packets.
• Packet length: Specifies the packet length, including the OSPF header, in bytes.
• Router ID: Identifies the source of the packet.
• Area ID: Identifies the area to which the packet belongs. All OSPF packets are associated with a single area.
• Checksum: Standard IP checksum over the entire packet contents, excluding the 64-bit authentication field, to detect damage suffered in transit. It is an error-detection code only and gives no protection against deliberate modification.
• Authentication type: Contains the authentication type. Every OSPF packet carries an authentication type, but type 0 ("null") means no authentication at all, so "all exchanges are authenticated" does not by itself imply any cryptographic protection. The authentication type is configurable on a per-area basis (and, on Cisco IOS, per interface).
• Authentication: Contains authentication information.
• Data: Contains encapsulated upper-layer information.

Additional OSPF Features

Additional OSPF features include equal-cost multipath routing and routing based on upper-layer type-of-service (TOS) requests. TOS-based routing supports those upper-layer protocols that can specify particular types of service. An application, for example, might specify that certain data is urgent. If OSPF has high-priority links at its disposal, these can be used to transport the urgent datagram.

OSPF supports one or more metrics. If only one metric is used, it is considered to be arbitrary, and TOS is not supported. If more than one metric is used, TOS is optionally supported through the use of a separate metric (and, therefore, a separate routing table) for each of the eight combinations created by the three IP TOS bits (the delay, throughput, and reliability bits). For example, if the IP TOS bits specify low delay, low throughput, and high reliability, OSPF calculates routes to all destinations based on this TOS designation. Note that TOS-based routing was part of RFC 1247 but was removed from the OSPFv2 specification in RFC 2328; current implementations compute a single shortest-path tree per area.

IP subnet masks are included with each advertised destination, enabling variable-length subnet masks. With variable-length subnet masks, an IP network can be broken into many subnets of various sizes. This provides network administrators with extra network-configuration flexibility.

Enabling OSPF on the Router

Enabling OSPF on the router involves the following two steps in config mode:

1. Enable an OSPF process using the router ospf <process-id> command.
2. Assign areas to the interfaces using the network <network or IP address> <wildcard mask> <area-id> command.

The OSPF process-id is a numeric value local to the router. It does not have to match process-ids on other routers. It is possible to run multiple OSPF processes on the same router, but this is not recommended, as it creates multiple database instances that add extra overhead to the router.

The network command is a way of assigning an interface to a certain area. The mask is used as a shortcut: it lets you put a list of interfaces in the same area with one configuration line. The mask contains wildcard bits, where 0 means "must match" and 1 means "do not care"; e.g. 0.0.255.255 indicates a match on the first two bytes of the network number.

The area-id is the area number we want the interface to be in. The area-id can be an integer between 0 and 4294967295 or can take a form similar to an IP address, A.B.C.D.

Here's an example:

RTA#
interface Ethernet0
 ip address 192.213.11.1 255.255.255.0

interface Ethernet1
 ip address 192.213.12.2 255.255.255.0

interface Ethernet2
 ip address 128.213.1.1 255.255.255.0

router ospf 100
 network 192.213.0.0 0.0.255.255 area 0.0.0.0
 network 128.213.1.1 0.0.0.0 area 23

The first network statement puts both E0 and E1 in the same area 0.0.0.0, and the second network statement puts E2 in area 23. Note the mask of 0.0.0.0, which indicates a full match on the IP address. This is an easy way to put an interface in a certain area if you are having problems figuring out a mask.
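
The wildcard-mask rule above is easy to get backwards (it is the inverse of a subnet mask), and a statement that is broader than intended silently enables OSPF on interfaces that should never speak it, such as an Internet-facing link. The following added Python example, not code from this report or from Cisco IOS, reproduces the matching logic with RTA's interfaces and network statements from the example above; the extra overlapping statement for area 5 at the end is constructed. It assumes, as IOS does, that when several statements match the most specific one wins.

```python
"""Cisco-style wildcard-mask matching for OSPF network statements.

Added illustration (not from the page): shows how the `network` command's
wildcard mask decides which interfaces land in which area, using the RTA
example above. Interface and statement data are taken from that example;
the overlapping-statement case at the end is constructed.
"""
import ipaddress


def _int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, network, wildcard):
    """0 bits in the wildcard must match, 1 bits are don't-care."""
    care = ~_int(wildcard) & 0xFFFFFFFF
    return (_int(addr) & care) == (_int(network) & care)


def wildcard_from_prefix(prefix):
    """The wildcard that covers a prefix is the inverted subnet mask."""
    net = ipaddress.IPv4Network(prefix, strict=False)
    return str(ipaddress.IPv4Address(~int(net.netmask) & 0xFFFFFFFF))


def care_bits(wildcard):
    """Number of bits a statement actually tests (32 for a 0.0.0.0 wildcard)."""
    return bin(~_int(wildcard) & 0xFFFFFFFF).count("1")


def assign_areas(interfaces, statements):
    """Map each interface (name -> primary address) to an area.

    When several network statements match the same address, the most
    specific one (most care bits) wins, which is how IOS orders them.
    Interfaces matched by no statement do not run OSPF at all.
    """
    ordered = sorted(statements, key=lambda s: care_bits(s[1]), reverse=True)
    areas = {}
    for ifname, addr in interfaces.items():
        for network, wildcard, area in ordered:
            if wildcard_match(addr, network, wildcard):
                areas[ifname] = area
                break
    return areas


RTA_INTERFACES = {
    "Ethernet0": "192.213.11.1",
    "Ethernet1": "192.213.12.2",
    "Ethernet2": "128.213.1.1",
}
RTA_NETWORKS = [
    ("192.213.0.0", "0.0.255.255", "0.0.0.0"),
    ("128.213.1.1", "0.0.0.0", "23"),
]

if __name__ == "__main__":
    print(assign_areas(RTA_INTERFACES, RTA_NETWORKS))
    # Constructed overlap: a broad statement for area 5 does not steal
    # Ethernet2 from area 23, because the full-address match is more specific.
    broad = RTA_NETWORKS + [("128.213.0.0", "0.0.255.255", "5")]
    print(assign_areas(RTA_INTERFACES, broad))
```

A quick way to audit a configuration is to run every interface address on the box through assign_areas and confirm that the interfaces which come back unmatched are exactly the ones that should not participate in OSPF.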

The Backbone and Area 0

OSPF has special restrictions when multiple areas are involved. If more than one area is configured, one of these areas has to be area 0. This is called the backbone. When designing networks it is good practice to start with area 0 and then expand into other areas later on.

The backbone has to be at the center of all other areas, i.e. all areas have to be physically connected to the backbone. The reasoning behind this is that OSPF expects all areas to inject routing information into the backbone, and in turn the backbone disseminates that information into the other areas. The following diagram illustrates the flow of information in an OSPF network:

In the diagram, all areas are directly connected to the backbone. In the rare situations where a new area is introduced that cannot have direct physical access to the backbone, a virtual link will have to be configured. Virtual links are discussed in the next section.

Note the different types of routing information. Routes that are generated from within an area (the destination belongs to the area) are called intra-area routes. These routes are normally represented by the letter O in the IP routing table. Routes that originate from other areas are called inter-area or summary routes; their notation is O IA in the IP routing table. Routes that originate from other routing protocols (or different OSPF processes) and that are injected into OSPF via redistribution are called external routes. These routes are represented by O E2 or O E1 in the IP routing table. Multiple routes to the same destination are preferred in the following order: intra-area, inter-area, external E1, external E2. External types E1 and E2 will be explained later.

Virtual Links

Virtual links are used for two purposes:

• Linking an area that does not have a physical connection to the backbone.
• Patching the backbone in case a discontinuity of area 0 occurs.

Areas Not Physically Connected to Area 0

As mentioned earlier, area 0 has to be at the center of all other areas. In the rare case where it is impossible to have an area physically connected to the backbone, a virtual link is used. The virtual link provides the disconnected area a logical path to the backbone. The virtual link has to be established between two ABRs that have a common area, with one ABR connected to the backbone. This is illustrated in the following example:

In this example, area 1 does not have a direct physical connection into area 0. A virtual link has to be configured between RTA and RTB. Area 2 is used as a transit area, and RTB is the entry point into area 0. This way RTA and area 1 will have a logical connection to the backbone. To configure a virtual link, use the area <area-id> virtual-link <RID> router OSPF sub-command on both RTA and RTB, where area-id is the transit area. In the diagram, this is area 2. The RID is the router-id. On Cisco IOS the OSPF router-id is by default the highest IP address on the box, or the highest loopback address if one exists. The router-id is only calculated at boot time or whenever the OSPF process is restarted. To find the router-id, use the show ip ospf interface command. Assuming that 1.1.1.1 and 2.2.2.2 are the respective RIDs of RTA and RTB, the OSPF configuration for both routers would be:

RTA#
router ospf 10
 area 2 virtual-link 2.2.2.2

RTB#
router ospf 10
 area 2 virtual-link 1.1.1.1

Partitioning the Backbone

OSPF allows for linking discontinuous parts of the backbone using a virtual link. In some cases, different area 0s need to be linked together. This can occur if, for example, a company is trying to merge two separate OSPF networks into one network with a common area 0. In other instances, virtual links are added for redundancy in case some router failure causes the backbone to be split in two. Whatever the reason may be, a virtual link can be configured between separate ABRs that touch area 0 from each side and have a common area. This is illustrated in the following example:

In the above diagram two area 0s are linked together via a virtual link. In case a common area does not exist, an additional area, such as area 3, could be created to become the transit area.

If any area other than the backbone becomes partitioned, the backbone will take care of the partitioning without using any virtual links. One part of the partitioned area will be known to the other part via inter-area routes rather than intra-area routes.

Neighbors

Routers that share a common segment become neighbors on that segment. Neighbors are elected via the Hello protocol. Hello packets are sent periodically out of each interface using IP multicast (Appendix B). Routers become neighbors as soon as they see themselves listed in the neighbor's Hello packet. This way, two-way communication is guaranteed. Neighbor negotiation applies to the primary address only. Secondary addresses can be configured on an interface with the restriction that they have to belong to the same area as the primary address.

Two routers will not become neighbors unless they agree on the following:

Area-id: Two routers sharing a common segment must have their interfaces on that segment in the same area. The interfaces should also belong to the same subnet and have the same mask.

Authentication: OSPF allows for the configuration of a password for a specific area. Routers that want to become neighbors have to exchange the same password on a particular segment. The authentication type is carried in the OSPF packet header, so a mismatch in the type, or in the key itself, causes the Hello to be dropped before any neighbor relationship forms.

Hello and Dead Intervals: OSPF exchanges Hello packets on each segment. This is a form of keepalive used by routers in order to acknowledge their existence on a segment and in order to elect a designated router (DR) on multiaccess segments. The Hello interval specifies the length of time, in seconds, between the hello packets that a router sends on an OSPF interface. The dead interval is the number of seconds that a router's Hello packets have not been seen before its neighbors declare the OSPF router down.

OSPF requires these intervals to be exactly the same between two neighbors. If either of these intervals differs, the routers will not become neighbors on that segment. The router interface commands used to set these timers are ip ospf hello-interval <seconds> and ip ospf dead-interval <seconds>.

Stub area flag: Two routers also have to agree on the stub area flag in the Hello packets in order to become neighbors. Stub areas will be discussed in a later section. Keep in mind for now that defining stub areas will affect the neighbor election process.

Adjacencies

Adjacency is the next step after the neighboring process. Adjacent routers are routers that go beyond the simple Hello exchange and proceed into the database exchange process. In order to minimize the amount of information exchanged on a particular segment, OSPF elects one router to be a designated router (DR), and one router to be a backup designated router (BDR), on each multi-access segment. The BDR is elected as a backup mechanism in case the DR goes down. The idea behind this is that routers have a central point of contact for information exchange. Instead of each router exchanging updates with every other router on the segment, every router exchanges information with the DR and BDR. The DR and BDR relay the information to everybody else. In mathematical terms, this cuts the information exchange from O(n*n) to O(n), where n is the number of routers on a multi-access segment. The following router model illustrates the DR and BDR:

In the above diagram, all routers share a common multi-access segment. Through the exchange of Hello packets, one router is elected DR and another is elected BDR. Each router on the segment (which already became a neighbor) will try to establish an adjacency with the DR and BDR.

DR Election

DR and BDR election is done via the Hello protocol. Hello packets are exchanged via IP multicast packets (Appendix B) on each segment. The router with the highest OSPF priority on a segment will become the DR for that segment. The same process is repeated for the BDR. In case of a tie, the router with the highest RID will win. The default for the interface OSPF priority is one. Remember that the DR and BDR concepts are per multiaccess segment. Setting the OSPF priority on an interface is done using the ip ospf priority <value> interface command.

A priority value of zero indicates an interface which is not to be elected as DR or BDR. The state of the interface with priority zero will be DROTHER. The following diagram illustrates the DR election:

In the above diagram, RTA and RTB have the same interface priority, but RTB has the higher RID, so between those two RTB wins. RTC has a higher priority than either, so RTC is the DR on that segment and RTB is the BDR.
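
The two decisions just described, whether a received Hello is accepted at all (the agreement checks listed under "Neighbors") and who becomes DR/BDR, are shown together in the following added Python example. It is not code from this report or from any router implementation; the Hello contents are modelled as a dataclass rather than parsed from the wire, RTA/RTB/RTC mirror the priority and RID example above, and RTD, RTX and all timer values are constructed. The election is the simplified rule the text gives; the full algorithm in RFC 2328 section 9.4 also keeps an already-elected DR in place, which this example does not model.

```python
"""Neighbor acceptance and DR/BDR election from Hello contents.

Added illustration (not from the page): models the checks a router applies
to a received Hello before it creates a neighbor, the Init -> 2-Way step
(seeing its own router-id listed), and the simplified election rule given
above. Router names and values are constructed, except that RTA/RTB/RTC
mirror the priority/RID example in the text.
"""
from dataclasses import dataclass, field


@dataclass
class Hello:
    router_id: str
    area_id: str            # from the OSPF packet header
    autype: int             # authentication type from the header: 0 null, 1 simple, 2 MD5
    network_mask: str
    hello_interval: int
    dead_interval: int
    priority: int           # 0 = never DR/BDR (state DROTHER)
    stub_area: bool         # E-bit clear in the Options field
    neighbors: set = field(default_factory=set)  # router-ids seen on the segment


def hello_mismatches(local, remote, point_to_point=False):
    """Fields that must agree; any entry here means the Hello is dropped."""
    checks = [
        ("area-id", local.area_id == remote.area_id),
        ("authentication type", local.autype == remote.autype),
        ("hello interval", local.hello_interval == remote.hello_interval),
        ("dead interval", local.dead_interval == remote.dead_interval),
        ("stub area flag", local.stub_area == remote.stub_area),
    ]
    if not point_to_point:  # the mask is ignored on point-to-point links
        checks.append(("network mask", local.network_mask == remote.network_mask))
    return [name for name, ok in checks if not ok]


def neighbor_state(local, remote, point_to_point=False):
    """State the neighbor reaches after one Hello from it."""
    if hello_mismatches(local, remote, point_to_point):
        return "Down"       # no neighbor entry is created
    if local.router_id in remote.neighbors:
        return "2-Way"      # bidirectional: we are listed in its Hello
    return "Init"


def _rid_key(rid):
    return tuple(int(o) for o in rid.split("."))


def elect_dr_bdr(hellos):
    """Simplified election on a segment that has no DR yet.

    Highest priority wins, ties broken by highest router-id, priority 0 is
    ineligible. The full algorithm (RFC 2328 section 9.4) additionally
    keeps an existing DR/BDR once elected, so a later, better router does
    not pre-empt it; that stickiness is not modelled here.
    """
    eligible = sorted((h for h in hellos if h.priority > 0),
                      key=lambda h: (h.priority, _rid_key(h.router_id)),
                      reverse=True)
    dr = eligible[0].router_id if eligible else None
    bdr = eligible[1].router_id if len(eligible) > 1 else None
    return dr, bdr


def _hello(rid, priority, **kw):
    """Constructed Hello with the segment's common parameters filled in."""
    base = dict(area_id="0.0.0.0", autype=1, network_mask="255.255.255.0",
                hello_interval=10, dead_interval=40, stub_area=False)
    base.update(kw)
    return Hello(router_id=rid, priority=priority, **base)


# RTA and RTB share priority 1; RTC has a higher priority; RTD opts out.
RTA = _hello("1.1.1.1", 1, neighbors={"2.2.2.2", "3.3.3.3"})
RTB = _hello("2.2.2.2", 1, neighbors={"1.1.1.1", "3.3.3.3"})
RTC = _hello("3.3.3.3", 5, neighbors={"1.1.1.1", "2.2.2.2"})
RTD = _hello("4.4.4.4", 0, neighbors=set())   # priority 0: DROTHER only
# Constructed misconfiguration: a router with a 30-second hello timer.
RTX = _hello("9.9.9.9", 1, hello_interval=30, dead_interval=120)

if __name__ == "__main__":
    print("RTA sees RTB:", neighbor_state(RTA, RTB))   # 2-Way
    print("RTA sees RTD:", neighbor_state(RTA, RTD))   # Init: RTD has not listed us
    print("RTA sees RTX:", neighbor_state(RTA, RTX), hello_mismatches(RTA, RTX))
    print("DR, BDR:", elect_dr_bdr([RTA, RTB, RTC, RTD]))
```

Two practical points fall out of the election rule: any device on the segment that can send an acceptable Hello with a high priority (or with priority 255) can offer itself as DR and then originate the network LSA for that segment, which is one reason the authentication section below matters; and setting priority 0 on interfaces facing untrusted or low-end devices keeps them out of the DR/BDR role entirely.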

Building the Adjacency

The adjacency building process takes effect after multiple stages have been fulfilled. Routers that become adjacent will have identical link-state databases. The following is a brief summary of the states a neighbor relationship passes through before the routers become adjacent:

Down: No information has been received from anybody on the segment.

Attempt: On non-broadcast multi-access clouds such as Frame Relay and X.25, this state indicates that no recent information has been received from the neighbor. An effort should be made to contact the neighbor by sending Hello packets at the reduced rate PollInterval.

Init: The interface has detected a Hello packet coming from a neighbor, but bidirectional communication has not yet been established.

Two-way: There is bidirectional communication with a neighbor: the router has seen itself in the Hello packets coming from that neighbor. At the end of this stage the DR and BDR election has been done, and the routers decide whether to proceed to build an adjacency. The decision is based on whether one of the routers is the DR or BDR, or whether the link is a point-to-point or virtual link.

Exstart: Routers establish the initial sequence number that will be used in the information exchange packets. The sequence number ensures that routers always get the most recent information. One router becomes the primary and the other the secondary; the primary polls the secondary for information.

Exchange: Routers describe their entire link-state database by sending database description packets. In this state, packets may be flooded to other interfaces on the router.

Loading: Routers are finalizing the information exchange. They have built a link-state request list and a link-state retransmission list. Any information that looks incomplete or outdated is put on the request list. Any update that is sent is put on the retransmission list until it is acknowledged.

Full: The adjacency is complete. The neighboring routers are fully adjacent and have identical link-state databases.

Let's look at an example:

RTA, RTB, RTD, and RTF share a common segment (E0) in area 0.0.0.0. The following are the configs of RTA and RTF. RTB and RTD should have a similar configuration to RTF and will not be included.


OSPF Authentication

It is possible to authenticate OSPF packets so that routers participate in a routing domain only if they hold predefined keys. By default, a router uses Null authentication, which means that routing exchanges over a network are not authenticated: any host on the segment that can send a well-formed Hello can attempt to become a neighbor and inject LSAs. Two other authentication methods exist: simple password authentication and message digest (MD5) authentication.

Simple Password Authentication

Simple password authentication allows a password (key) to be configured per area. Routers in the same area that want to participate in the routing domain will have to be configured with the same key. The authentication field in the OSPF header is 64 bits, so the key is at most 8 characters. The drawback of this method is that it is vulnerable to passive attacks: the key travels in cleartext in every packet, so anybody with a link analyzer can read it off the wire and then inject packets of their own. MD5 authentication instead carries a keyed digest of the packet together with a cryptographic sequence number, so the key never appears on the wire and replayed packets are rejected (RFC 2328, Appendix D); HMAC-SHA variants are defined in RFC 5709. Neither method encrypts the routing information itself. To enable password authentication use the following commands:

ip ospf authentication-key <key> (this goes under the specific interface)
area <area-id> authentication (this goes under "router ospf <process-id>")

Here's an example:

interface Ethernet0
 ip address 10.10.10.10 255.255.255.0
 ip ospf authentication-key mypassword

router ospf 10
 network 10.10.0.0 0.0.255.255 area 0
 area 0 authentication
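
The following added Python example, not code from this report or from any router, makes the difference between the authentication types concrete. It builds the 24-byte header from the "Packet Format" section, computes and verifies the checksum for null and simple-password packets, and for type 2 computes the MD5 digest the way RFC 2328 Appendix D describes (digest over the packet followed by the key padded to 16 bytes, appended after the packet, checksum field left zero, sequence number checked against the last accepted one). The Hello body, router-id and keys are constructed test data. A real receiver also checks the source address, area and key-id; those checks are left out here.

```python
"""OSPFv2 packet header, checksum and authentication (RFC 2328 A.3.1, D).

Added illustration (not from the page): builds and verifies packets for
the three authentication types and shows what a passive observer can
recover from each. The Hello body and keys are constructed test data.
"""
import hashlib
import hmac
import struct

HDR_FMT = "!BBHIIHH8s"   # version, type, length, router-id, area-id, checksum, autype, auth
HDR_LEN = struct.calcsize(HDR_FMT)   # 24 bytes
AU_NULL, AU_SIMPLE, AU_CRYPTO = 0, 1, 2
PKT_TYPES = {1: "Hello", 2: "Database Description", 3: "Link State Request",
             4: "Link State Update", 5: "Link State Acknowledgment"}


def ip_checksum(data):
    """RFC 1071 one's-complement sum; verifying a correct packet yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _checksum_input(pkt):
    # The checksum covers the whole packet except the 64-bit auth field.
    return pkt[:16] + pkt[24:]


def build_packet(ptype, router_id, area_id, body, autype=AU_NULL,
                 key=b"", key_id=1, seq=1):
    """Return the bytes an OSPF speaker would put on the wire."""
    length = HDR_LEN + len(body)
    if autype == AU_SIMPLE:
        auth = key.ljust(8, b"\x00")[:8]                  # cleartext key, max 8 bytes
    elif autype == AU_CRYPTO:
        auth = struct.pack("!HBBI", 0, key_id, 16, seq)  # key id, digest len, seq
    else:
        auth = bytes(8)
    pkt = struct.pack(HDR_FMT, 2, ptype, length, router_id, area_id, 0, autype, auth) + body
    if autype == AU_CRYPTO:
        # Checksum field stays 0; MD5(packet || key padded to 16) is appended
        # after the packet and is not counted in the length field.
        return pkt + hashlib.md5(pkt + key.ljust(16, b"\x00")[:16]).digest()
    csum = ip_checksum(_checksum_input(pkt))
    return pkt[:12] + struct.pack("!H", csum) + pkt[14:]


def parse_header(pkt):
    """Decode the fixed header; malformed headers raise ValueError."""
    if len(pkt) < HDR_LEN:
        raise ValueError("packet shorter than OSPF header")
    ver, ptype, length, rid, area, csum, autype, auth = struct.unpack(HDR_FMT, pkt[:HDR_LEN])
    if ver != 2:
        raise ValueError("unsupported OSPF version %d" % ver)
    if ptype not in PKT_TYPES:
        raise ValueError("unknown packet type %d" % ptype)
    if length < HDR_LEN or length > len(pkt):
        raise ValueError("length field inconsistent with received bytes")
    return {"type": PKT_TYPES[ptype], "length": length, "router_id": rid,
            "area_id": area, "checksum": csum, "autype": autype, "auth": auth}


def verify(pkt, key=b"", last_seq=-1):
    """True if the packet is intact and authenticates under key.

    For type 2 the cryptographic sequence number must not be lower than the
    last accepted value from this neighbor (RFC 2328 allows it to be equal).
    """
    try:
        h = parse_header(pkt)
    except ValueError:
        return False
    body = pkt[:h["length"]]
    if h["autype"] == AU_CRYPTO:
        _, _key_id, auth_len, seq = struct.unpack("!HBBI", h["auth"])
        if auth_len != 16 or h["checksum"] != 0 or seq < last_seq:
            return False
        digest = pkt[h["length"]:h["length"] + auth_len]
        expected = hashlib.md5(body + key.ljust(16, b"\x00")[:16]).digest()
        return hmac.compare_digest(digest, expected)
    if ip_checksum(_checksum_input(body)) != 0:
        return False
    if h["autype"] == AU_SIMPLE:
        return hmac.compare_digest(h["auth"], key.ljust(8, b"\x00")[:8])
    return h["autype"] == AU_NULL


def sniffed_key(pkt):
    """What a passive observer learns about the key from one packet."""
    h = parse_header(pkt)
    return h["auth"].rstrip(b"\x00") if h["autype"] == AU_SIMPLE else None


def flip_byte(pkt, offset):
    """Constructed on-path tampering: flip one bit of the packet body."""
    return pkt[:offset] + bytes([pkt[offset] ^ 0x01]) + pkt[offset + 1:]


# Constructed Hello body: mask /24, hello 10, options, priority 1, dead 40, no DR/BDR.
HELLO_BODY = struct.pack("!4sHBBIII", b"\xff\xff\xff\x00", 10, 0x02, 1, 40, 0, 0)
RID, AREA = 0x0A0A0A0A, 0   # 10.10.10.10, area 0

if __name__ == "__main__":
    simple = build_packet(1, RID, AREA, HELLO_BODY, AU_SIMPLE, b"s3cret")
    md5 = build_packet(1, RID, AREA, HELLO_BODY, AU_CRYPTO, b"s3cret", seq=7)
    print("simple-password key on the wire:", sniffed_key(simple))
    print("MD5 key on the wire:", sniffed_key(md5))
    print("tampered simple packet accepted:", verify(flip_byte(simple, 30), b"s3cret"))
    print("tampered MD5 packet accepted:", verify(flip_byte(md5, 30), b"s3cret"))
    print("replayed MD5 packet accepted:", verify(md5, b"s3cret", last_seq=8))
```

The tampered simple-password packet is rejected only because its checksum no longer matches; an attacker who has read the key can simply recompute the checksum, so with type 1 the checksum is the only thing stopping forgery and it stops nothing. With type 2 the forger needs the key to produce the digest, and a captured packet replayed after the neighbor has moved on to a higher sequence number is dropped as well.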


Border Gateway Protocol

Introduction

The Border Gateway Protocol (BGP) is an interautonomous system routing protocol. An autonomous system is a network or group of networks under a common administration and with common routing policies. BGP is used to exchange routing information for the Internet and is the protocol used between Internet service providers (ISPs). Customer networks, such as universities and corporations, usually employ an Interior Gateway Protocol (IGP) such as RIP or OSPF for the exchange of routing information within their networks. Customers connect to ISPs, and ISPs use BGP to exchange customer and ISP routes. When BGP is used between autonomous systems (AS), the protocol is referred to as External BGP (EBGP). If a service provider is using BGP to exchange routes within an AS, then the protocol is referred to as Interior BGP (IBGP). Figure 39-1 illustrates this distinction.

Figure 39-1 External and Interior BGP

BGP is a very robust and scalable routing protocol, as evidenced by the fact that BGP is the routing protocol employed on the Internet. At the time the source of this chapter was written, the Internet BGP routing tables numbered more than 90,000 routes; the global table has since grown to many times that size. To achieve scalability at this level, BGP uses many route parameters, called attributes, to define routing policies and maintain a stable routing environment.

In addition to BGP attributes, classless interdomain routing (CIDR) is used by BGP to reduce the size of the Internet routing tables. For example, assume that an ISP owns the IP address block 195.10.x.x (195.10.0.0/16) from the traditional Class C address space. This block consists of 256 Class C address blocks, 195.10.0.x through 195.10.255.x. Assume that the ISP assigns a Class C block to each of its customers. Without CIDR, the ISP would advertise 256 Class C address blocks to its BGP peers. With CIDR, BGP can supernet the address space and advertise one block, 195.10.0.0/16. This block is the same size as a traditional Class B address block. The class distinctions are rendered obsolete by CIDR, allowing a significant reduction in the BGP routing tables.

BGP neighbors exchange full routing information when the TCP connection between neighbors is first established. When changes to the routing table are detected, the BGP routers send to their neighbors only those routes that have changed. BGP routers do not send periodic routing updates, and BGP routing updates advertise only the optimal path to a destination network.

BGP Attributes

Routes learned via BGP have associated properties that are used to determine the best route to a destination when multiple paths exist to a particular destination. These properties are referred to as BGP attributes, and an understanding of how BGP attributes influence route selection is required for the design of robust networks. This section describes the attributes that

How Does BGP Work?

BGP uses TCP as the transport protocol, on port 179. Two BGP routers form a TCP connection between one another. These routers are peer routers. The peer routers exchange messages to open and confirm the connection parameters.

BGP routers exchange network reachability information. This information is mainly an indication of the full paths that a route must take in order to reach the destination network. The paths are lists of BGP AS numbers (the AS_PATH attribute). This information helps in the construction of a graph of ASs that is loop-free: a router rejects any path that already contains its own AS number. The graph also shows where to apply routing policies in order to enforce some restrictions on the routing behavior.

Any two routers that form a TCP connection in order to exchange BGP routing information are "peers" or "neighbors". BGP peers initially exchange the full BGP routing tables. After this exchange, the peers send incremental updates as the routing table changes. BGP keeps a version number of the BGP table. The version number is the same for all the BGP peers. The version number changes whenever BGP updates the table with routing information changes. Keepalive packets ensure that the connection between the BGP peers is alive. Notification packets go out in response to errors or special conditions.

eBGP and iBGP

If an AS has multiple BGP speakers, the AS can serve as a transit service for other ASs. As the diagram in this section shows, AS200 is a transit AS for AS100 and AS300.

In order to send the information to external ASs, there must be an assurance of the reachability for networks. In order to assure network reachability, these processes take place:

• Internal BGP (iBGP) peering between routers inside an AS
• Redistribution of BGP information to IGPs that run in the AS

When BGP runs between routers that belong to two different ASs, this is called exterior BGP (eBGP). When BGP runs between routers in the same AS, this is called iBGP.


Enable BGP Routing

Complete these steps in order to enable and configure BGP.

Assume that you want to have two routers, RTA and RTB, talk via BGP. In the first example, RTA and RTB are in different ASs. In the second example, both routers belong to the same AS.

1. Define the router process and the AS number to which the routers belong.

Issue this command to enable BGP on a router:

router bgp <autonomous-system>

RTA#
router bgp 100

RTB#
router bgp 200

These statements indicate that RTA runs BGP and belongs to AS100. RTB runs BGP and belongs to AS200.


2. Define BGP neighbors.

The BGP neighbor formation indicates the routers that attempt to talk via BGP. The section "Form BGP Neighbors" explains this process.

Form BGP Neighbors

Two BGP routers become neighbors after the routers establish a TCP connection between each other. The TCP connection is essential in order for the two peer routers to start the exchange of routing updates.

After the TCP connection is up, the routers send open messages in order to exchange values. The values that the routers exchange include the AS number, the BGP version that the routers run, the BGP router ID, and the keepalive hold time. After the confirmation and acceptance of these values, establishment of the neighbor connection occurs. Any state other than Established is an indication that the two routers did not become neighbors and that the routers cannot exchange BGP updates.

Issue this neighbor command to establish a TCP connection:

neighbor ip-address remote-as number

The number in the command is the AS number of the router to which you want to connect with BGP. The ip-address is the next hop address with direct connection for eBGP. For iBGP, ip-address is any IP address on the other router.

The two IP addresses that you use in the neighbor command of the peer routers must be able to reach one another. One way to verify reachability is an extended ping between the two IP addresses. The extended ping forces the pinging router to use as source the IP address that the neighbor command specifies. The router must use this address rather than the IP address of the interface from which the packet goes.

If there are any BGP configuration changes, you must reset the neighbor connection to allow the new parameters to take effect.

clear ip bgp address

Note: The address is the neighbor address.

clear ip bgp *

This command clears all neighbor connections.

By default, BGP sessions begin with the use of BGP version 4 and negotiate downward to earlier versions, if necessary. You can prevent negotiations and force the BGP version that the routers use to communicate with a neighbor. Issue this command in router configuration mode:

neighbor {ip-address | peer-group-name} version value

Here is an example of the neighbor command configuration:

RTA#
router bgp 100
neighbor 129.213.1.1 remote-as 200

RTB#
router bgp 200
neighbor 129.213.1.2 remote-as 100
neighbor 175.220.1.2 remote-as 200

RTC#
router bgp 200
neighbor 175.220.212.1 remote-as 200

In this example, RTA and RTB run eBGP. RTB and RTC run iBGP. The remote AS number points to either an external or an internal AS, which indicates either eBGP or iBGP. Also, the eBGP peers have direct connection, but the iBGP peers do not have direct connection. iBGP routers do not need to have direct connection. But, there must be some IGP that runs and allows the two neighbors to reach one another.
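The RTA/RTB/RTC peering above, as an added consistency check (not code from the original document or from Cisco): it parses the three stanzas, verifies that every neighbor statement names the peer's actual AS and is mirrored by a statement on the peer, and classifies each session as eBGP or iBGP. The interface addresses each router owns are an assumption taken from the peers' neighbor statements, since the document does not list them.

```python
"""Check Cisco-style BGP stanzas for mutually consistent peering.

Added example, not part of the original design document. A neighbor whose
remote-as does not match the peer's AS, or that the peer never points back
at, will never reach the Established state, so this is the kind of check
worth running before clearing a session.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

ROUTER_RE = re.compile(r"^router bgp (\d+)$")
NEIGHBOR_RE = re.compile(r"^neighbor (\S+) remote-as (\d+)$")

# Constructed from the configuration quoted in the text (prompts removed).
CONFIGS = {
    "RTA": "router bgp 100\nneighbor 129.213.1.1 remote-as 200",
    "RTB": "router bgp 200\nneighbor 129.213.1.2 remote-as 100\n"
           "neighbor 175.220.1.2 remote-as 200",
    "RTC": "router bgp 200\nneighbor 175.220.212.1 remote-as 200",
}

# Assumed interface addresses: the address each peer names when pointing at
# this router. The document does not list interface addresses.
LOCAL_ADDRS = {
    "RTA": {"129.213.1.2"},
    "RTB": {"129.213.1.1", "175.220.212.1"},
    "RTC": {"175.220.1.2"},
}


@dataclass
class BgpRouter:
    name: str
    asn: int
    neighbors: Dict[str, int]   # neighbor address -> configured remote-as


def parse_config(name: str, text: str) -> BgpRouter:
    """Extract the local AS and neighbor statements from one router's stanza."""
    asn, neighbors = None, {}
    for line in text.splitlines():
        line = line.strip()
        m = ROUTER_RE.match(line)
        if m:
            asn = int(m.group(1))
            continue
        m = NEIGHBOR_RE.match(line)
        if m:
            neighbors[m.group(1)] = int(m.group(2))
    if asn is None:
        raise ValueError(f"{name}: no 'router bgp' statement")
    return BgpRouter(name, asn, neighbors)


def owner_of(addr: str, local_addrs: Dict[str, Set[str]]):
    """Which router owns this interface address, if any."""
    for name, addrs in local_addrs.items():
        if addr in addrs:
            return name
    return None


def check_peering(configs: Dict[str, str],
                  local_addrs: Dict[str, Set[str]]) -> Tuple[list, List[str]]:
    """Return (sessions, problems); sessions is a sorted list of
    ((router, router), 'eBGP'|'iBGP'), problems is a list of findings."""
    routers = {n: parse_config(n, t) for n, t in configs.items()}
    sessions, problems = set(), []
    for r in routers.values():
        for addr, remote_as in r.neighbors.items():
            peer_name = owner_of(addr, local_addrs)
            if peer_name is None:
                problems.append(f"{r.name}: neighbor {addr} belongs to no known router")
                continue
            peer = routers[peer_name]
            # The remote-as must be the AS the peer actually runs in.
            if peer.asn != remote_as:
                problems.append(f"{r.name}: neighbor {addr} remote-as {remote_as} "
                                f"but {peer_name} is in AS{peer.asn}")
            # The peer must point back at one of our addresses with our AS.
            back = [a for a in peer.neighbors if a in local_addrs[r.name]]
            if not back:
                problems.append(f"{peer_name}: no neighbor statement toward {r.name}")
            elif any(peer.neighbors[a] != r.asn for a in back):
                problems.append(f"{peer_name}: neighbor toward {r.name} names the wrong AS")
            # Same AS on both ends means iBGP, otherwise eBGP.
            kind = "iBGP" if peer.asn == r.asn else "eBGP"
            sessions.add((tuple(sorted((r.name, peer_name))), kind))
    return sorted(sessions), problems
```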

BGP uses these attributes in the route selection process:

• Weight
• Local preference
• Multi-exit discriminator
• Origin
• AS_path
• Next hop
• Community

Weight Attribute

Weight is a Cisco-defined attribute that is local to a router. The weight attribute is not advertised to neighboring routers. If the router learns about more than one route to the same destination, the route with the highest weight will be preferred. In Figure 39-2, Router A is receiving an advertisement for network 172.16.1.0 from routers B and C. When Router A receives the advertisement from Router B, the associated weight is set to 50. When Router A receives the advertisement from Router C, the associated weight is set to 100. Both paths for network 172.16.1.0 will be in the BGP routing table, with their respective weights. The route with the highest weight will be installed in the IP routing table.

Figure 39-2 BGP Weight Attribute

Local Preference Attribute

The local preference attribute is used to prefer an exit point from the local autonomous system (AS). Unlike the weight attribute, the local preference attribute is propagated throughout the local AS. If there are multiple exit points from the AS, the local preference attribute is used to select the exit point for a specific route. In Figure 39-3, AS 100 is receiving two advertisements for network 172.16.1.0 from AS 200. When Router A receives the advertisement for network 172.16.1.0, the corresponding local preference is set to 50. When Router B receives the advertisement for network 172.16.1.0, the corresponding local preference is set to 100. These local preference values will be exchanged between routers A and B. Because Router B has a higher local preference than Router A, Router B will be used as the exit point from AS 100 to reach network 172.16.1.0 in AS 200.

Figure 39-3 BGP Local Preference Attribute

Multi-Exit Discriminator Attribute

The multi-exit discriminator (MED) or metric attribute is used as a suggestion to an external AS regarding the preferred route into the AS that is advertising the metric. The term suggestion is used because the external AS that is receiving the MEDs may be using other BGP attributes for route selection. We will cover the rules regarding route selection in the next section. In Figure 39-4, Router C is advertising the route 172.16.1.0 with a metric of 10, while Router D is advertising 172.16.1.0 with a metric of 5. The lower value of the metric is preferred, so AS 100 will select the route to Router D for network 172.16.1.0 in AS 200. MEDs are advertised throughout the local AS.

Origin Attribute

The origin attribute indicates how BGP learned about a particular route. The origin attribute can have one of three possible values:

• IGP—The route is interior to the originating AS. This value is set when the network router configuration command is used to inject the route into BGP.

• EGP—The route is learned via the Exterior Border Gateway Protocol (EBGP).

• Incomplete—The origin of the route is unknown or learned in some other way. An origin of incomplete occurs when a route is redistributed into BGP.

The origin attribute is used for route selection and will be covered in the next section.

Figure 39-4 BGP Multi-Exit Discriminator Attribute

AS_path Attribute

When a route advertisement passes through an autonomous system, the AS number is added to an ordered list of AS numbers that the route advertisement has traversed. Figure 39-5 shows the situation in which a route is passing through three autonomous systems. AS 1 originates the route to 172.16.1.0 and advertises this route to AS 2 and AS 3, with the AS_path attribute equal to {1}. AS 3 will advertise back to AS 1 with AS_path attribute {3,1}, and AS 2 will advertise back to AS 1 with AS_path attribute {2,1}. AS 1 will reject these routes when its own AS number is detected in the route advertisement. This is the mechanism that BGP uses to detect routing loops. AS 2 and AS 3 propagate the route to each other with their AS numbers added to the AS_path attribute. These routes will not be installed in the IP routing table because AS 2 and AS 3 are learning a route to 172.16.1.0 from AS 1 with a shorter AS_path list.

Figure 39-5 BGP AS-path Attribute

Next-Hop Attribute

The EBGP next-hop attribute is the IP address that is used to reach the advertising router. For EBGP peers, the next-hop address is the IP address of the connection between the peers. For IBGP, the EBGP next-hop address is carried into the local AS, as illustrated in Figure 39-6.

Figure 39-6 BGP Next-Hop Attribute

Router C advertises network 172.16.1.0 with a next hop of 10.1.1.1. When Router A propagates this route within its own AS, the EBGP next-hop information is preserved. If Router B does not have routing information regarding the next hop, the route will be discarded. Therefore, it is important to have an IGP running in the AS to propagate next-hop routing information.

Community Attribute

The community attribute provides a way of grouping destinations, called communities, to which routing decisions (such as acceptance, preference, and redistribution) can be applied. Route maps are used to set the community attribute. Predefined community attributes are listed here:

• no-export—Do not advertise this route to EBGP peers.

• no-advertise—Do not advertise this route to any peer.

• internet—Advertise this route to the Internet community; all routers in the network belong to it.

Figure 39-7 illustrates the no-export community. AS 1 advertises 172.16.1.0 to AS 2 with the community attribute no-export. AS 2 will propagate the route throughout AS 2 but will not send this route to AS 3 or any other external AS.

Figure 39-7 BGP no-export Community Attribute

In Figure 39-8, AS 1 advertises 172.16.1.0 to AS 2 with the community attribute no-advertise. Router B in AS 2 will not advertise this route to any other router.

Figure 39-8 BGP no-advertise Community Attribute

Figure 39-9 demonstrates the internet community attribute. There are no limitations to the scope of the route advertisement from AS 1.

Figure 39-9 BGP internet Community Attribute

BGP Path Selection

BGP could possibly receive multiple advertisements for the same route from multiple sources. BGP selects only one path as the best path. When the path is selected, BGP puts the selected path in the IP routing table and propagates the path to its neighbors. BGP uses the following criteria, in the order presented, to select a path for a destination:

• If the path specifies a next hop that is inaccessible, drop the update.

• Prefer the path with the largest weight.

• If the weights are the same, prefer the path with the largest local preference.

• If the local preferences are the same, prefer the path that was originated by BGP running on this router.

• If no route was originated, prefer the route that has the shortest AS_path.

• If all paths have the same AS_path length, prefer the path with the lowest origin type (where IGP is lower than EGP, and EGP is lower than incomplete).

• If the origin codes are the same, prefer the path with the lowest MED attribute.

• If the paths have the same MED, prefer the external path over the internal path.

• If the paths are still the same, prefer the path through the closest IGP neighbor.

• Prefer the path with the lowest IP address, as specified by the BGP router ID.
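The selection order above, together with the AS_path loop check and the next-hop reachability rule from the attribute sections, as an added worked example (not code from the original document or from Cisco). The sample paths reproduce the weight, local preference and AS_path figures discussed earlier; all addresses and router IDs are constructed.

```python
"""BGP best-path selection following the criteria listed in the text.

Added example, not part of the original document. Paths whose AS_path
contains the local AS (a loop) or whose next hop is unreachable are
dropped first; the remaining paths are compared attribute by attribute,
in the listed order, until one survives.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Set, Tuple

# Origin codes ranked as the text gives them: IGP < EGP < incomplete.
ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}


@dataclass
class Path:
    prefix: str
    next_hop: str
    as_path: Tuple[int, ...]
    weight: int = 0             # Cisco-local, never advertised
    local_pref: int = 100       # propagated throughout the local AS
    origin: str = "igp"
    med: int = 0
    ebgp: bool = True           # learned from an external peer
    igp_metric: int = 0         # IGP cost to reach next_hop
    router_id: str = "0.0.0.0"
    locally_originated: bool = False


def ip_key(addr: str) -> Tuple[int, ...]:
    """Numeric key so router IDs compare as addresses, not as strings."""
    return tuple(int(octet) for octet in addr.split("."))


def loop_free(path: Path, local_as: int) -> bool:
    """Figure 39-5: a route carrying our own AS number has looped; reject it."""
    return local_as not in path.as_path


# (criterion, key, True = prefer the largest value), in the text's order.
CRITERIA = [
    ("largest weight", lambda p: p.weight, True),
    ("largest local preference", lambda p: p.local_pref, True),
    ("locally originated", lambda p: p.locally_originated, True),
    ("shortest AS_path", lambda p: len(p.as_path), False),
    ("lowest origin type", lambda p: ORIGIN_RANK[p.origin], False),
    # A real router compares MED only among paths from the same neighbouring
    # AS unless configured otherwise; this follows the text's simpler rule.
    ("lowest MED", lambda p: p.med, False),
    ("eBGP over iBGP", lambda p: p.ebgp, True),
    ("closest IGP neighbor", lambda p: p.igp_metric, False),
    ("lowest router ID", lambda p: ip_key(p.router_id), False),
]


def best_path(paths: Iterable[Path], local_as: int,
              reachable_next_hops: Set[str]) -> Tuple[Optional[Path], str]:
    """Return (winning path or None, the criterion that decided)."""
    candidates = [p for p in paths if loop_free(p, local_as)]
    # "If the path specifies a next hop that is inaccessible, drop the update."
    candidates = [p for p in candidates if p.next_hop in reachable_next_hops]
    if not candidates:
        return None, "no usable path"
    for name, key, prefer_max in CRITERIA:
        values = [key(p) for p in candidates]
        target = max(values) if prefer_max else min(values)
        candidates = [p for p in candidates if key(p) == target]
        if len(candidates) == 1:
            return candidates[0], name
    return candidates[0], "complete tie"


def weight_example():
    """Figure 39-2: Router A (AS 100) hears 172.16.1.0 from Router B with
    weight 50 and from Router C with weight 100; the higher weight wins."""
    from_b = Path("172.16.1.0/24", "10.0.0.2", (200,), weight=50, router_id="10.0.0.2")
    from_c = Path("172.16.1.0/24", "10.0.0.3", (200,), weight=100, router_id="10.0.0.3")
    return best_path([from_b, from_c], 100, {"10.0.0.2", "10.0.0.3"})


def local_pref_example():
    """Figure 39-3, seen from Router A: its own eBGP path carries local
    preference 50, the iBGP path via Router B carries 100. Local preference
    is checked before eBGP-over-iBGP, so the path via B wins."""
    own = Path("172.16.1.0/24", "10.0.1.2", (200,), local_pref=50, ebgp=True, router_id="10.0.1.2")
    via_b = Path("172.16.1.0/24", "10.0.2.2", (200,), local_pref=100, ebgp=False, router_id="10.0.2.2")
    return best_path([own, via_b], 100, {"10.0.1.2", "10.0.2.2"})


def loop_and_next_hop_example():
    """Figure 39-5 plus the next-hop rule: AS 1 hears its own prefix back with
    AS_path {3,1} and {2,1}; a third path has an unreachable next hop."""
    via3 = Path("172.16.1.0/24", "192.0.2.3", (3, 1), router_id="192.0.2.3")
    via2 = Path("172.16.1.0/24", "192.0.2.2", (2, 1), router_id="192.0.2.2")
    dark = Path("172.16.1.0/24", "203.0.113.9", (4,), router_id="203.0.113.9")
    return best_path([via3, via2, dark], 1, {"192.0.2.2", "192.0.2.3"})
```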

20. IP Telephony Overview

has already deployed a Cisco IP Telephony solution, based on the Cisco Call Manager installed on the Cisco Media Convergence platform and Cisco 7900 series IP Phones.

This is being expanded to provide an easy channel of communication between offices, which will be used primarily for IT help desk and support purposes. Since will be deploying a host of new applications, this will provide a cost-effective mechanism for providing on-line support and training to users in remote branches without incurring high toll charges on long distance phone calls. In addition, the IP Phone system can also be used for senior management reviews and conferencing.

One basic telephone will be deployed at each of its branch offices so that basic communication between locations is achieved. At HO, the wireless IP phone and the Cisco 7970 phone will be deployed for senior managers etc. For conferencing purposes, the Cisco 7936 conference station is provisioned with external microphones, which provide excellent 360-degree room coverage, and is designed for deployment in conference rooms.

The Cisco CallManager deployment covers 900 remote branch offices with centralized call processing. It consists of a CallManager cluster comprising two MCS 7835 servers and one existing MCS 7825, forming a single call processing agent that provides services and uses the IP WAN to transport IP telephony traffic between the sites. The IP WAN also carries call control signaling between the central site and the remote sites. The remote sites rely on the centralized Cisco CallManager cluster to handle their call processing. Applications such as voicemail and Interactive Voice Response (IVR) systems are typically centralized as well to reduce the overall costs of administration and maintenance.

21. MPLS WAN

The Cisco VPN Solutions Center: MPLS Solution, a modular suite of network and service management applications, is a network management system that defines and monitors virtual private network (VPN) services for service providers. MPLS VPN Solution allows service providers to provision and manage intranet and extranet VPNs. The product provides the aspect of operations management that addresses flow-through provisioning, service auditing, and Service Level Agreement (SLA) measurement of IP-based MPLS VPN environments. Multiprotocol Label Switching (MPLS) is an emerging industry standard upon which tag switching is based.

MPLS VPN Solution is a scalable, provider-focused VPN technology that allows service providers to plan, provision, and manage IP VPN services according to a customer's service level agreement. This product complements Cisco's MPLS-based VPN solutions by simplifying the provisioning, service assurance, and billing processes, thereby reducing the cost of deploying and operating VPN services. MPLS VPN Solution does not contain a billing application, but the product enables billing by providing the usage data on services that a billing engine can process.

MPLS VPN Solution focuses on provisioning, auditing, and monitoring the links between the customer's routers through the provider's network. This product deals only with the provider's edge routers and the customer's edge routers. A customer edge router (CE) is connected to a provider edge router (PE) in such a way that the customer's traffic is encapsulated and transparently sent to other CEs, thus creating a virtual private network. CEs advertise routes to the VPN for all the devices in their site. The MPLS VPN Solution provisioning engine accesses the configuration files on both the CE and PE to compute the necessary changes to those files that are required to support the service on the PE-CE link.

Using the MPLS VPN Solution software, service providers can do the following:

• Provision IP-based MPLS VPN services

• Generate audit reports for service requests

• Perform data collection to measure SLA performance

• Evaluate service usage for each VPN

An MPLS VPN consists of a set of sites that are interconnected by means of an MPLS provider core network. At each site, there are one or more CEs, which attach to one or more PEs. PEs use the Border Gateway Protocol-Multiprotocol (MP-BGP) to dynamically communicate with each other.

It is not required that the set of IPv4 addresses used in any two VPNs be mutually exclusive because the PEs translate IPv4 addresses into IPv4 VPN entities by using MP-BGP with extended community attributes.

The set of IP addresses used in a VPN, however, must be exclusive of the set of addresses used in the provider network. Every CE must be able to address the PEs to which it is directly attached. Thus, the IP addresses of the PEs must not be duplicated in any VPN.

The Customer's and Provider's View of the Network

From the customer's point of view, they see their internal routers communicating with their customer edge routers (CEs) from one site to another through a VPN managed by the service provider (see Figure 1-1).

Figure 1-1 The Customer's View of the Network

This simple view of the customer's network is the advantage of employing VPNs: the customer experiences direct communication to their sites as though they had their own private network, even though their traffic is traversing a public network infrastructure and they are sharing that infrastructure with other businesses.

The service provider's view of the network is naturally very different, as shown in Figure 1-2. This illustration shows two different customers, with each customer having a single VPN. A customer can, however, have multiple VPNs.

Figure 1-2 Service Provider's View of the Network

About PEs

At the edge of the provider network are provider edge routers (PEs). Within the provider network are other provider routers as needed (often designated as P routers) that communicate with each other and the PEs via the Border Gateway Protocol-Multiprotocol (MP-BGP). Note that in this model, the service provider need only provision the links between the PEs and CEs.

PEs maintain separate routing tables called VPN routing and forwarding tables (VRFs). The VRFs contain the routes for directly connected VPN sites only. (For more information about VRFs, see the "VPN Routing and Forwarding Tables (VRFs)" section.) PEs exchange VPN-IPv4 updates through MP-iBGP sessions. These updates contain VPN-IPv4 addresses and labels. The PE originating the route is the next hop of the route. PE addresses are referred to as host routes into the core interior gateway protocol.

Benefits

MPLS-based VPNs provide the following benefits:

• A platform for rapid deployment of additional value-added IP services, including intranets, extranets, voice, multimedia, and network commerce

• Privacy and security equal to Layer-2 VPNs by constraining the distribution of a VPN's routes to only those routers that are members of that VPN, and by using MPLS for forwarding

• Seamless integration with customer intranets

• Increased scalability with thousands of sites per VPN and hundreds of thousands of VPNs per service provider

• IP Class of Service (CoS) with support for multiple classes of service within a VPN, as well as priorities among VPNs

• Easy management of VPN membership and rapid deployment of new VPNs

• Scalable any-to-any connectivity for extended intranets and extranets that encompass multiple businesses

About MPLS VPNs

A virtual private network (VPN) is a network in which customer connectivity to multiple sites is deployed on a shared infrastructure with the same administrative policies as a private network. The path between two systems in a VPN, and the characteristics of that path, may also be determined (wholly or partially) by policy. Whether a system in a particular VPN is allowed to communicate with systems not in the same VPN is also a matter of policy.

In MPLS VPN, a VPN generally consists of a set of sites that are interconnected by means of an MPLS provider core network, but it is also possible to apply different policies to different systems that are located at the same site. Policies can also be applied to systems that dial in; the chosen policies would be based on the dial-in authentication processes.

A given set of systems can be in one or more VPNs. A VPN can consist of sites (or systems) that are all from the same enterprise (intranet), or from different enterprises (extranet); it may consist of sites (or systems) that all attach to the same service provider backbone, or to different service provider backbones.

Figure 1-3 VPNs Sharing Sites

MPLS-based VPNs are created in Layer 3 and are based on the peer model, which makes them more scalable and easier to build and manage than conventional VPNs. In addition, value-added services, such as application and data hosting, network commerce, and telephony services, can easily be targeted and deployed to a particular MPLS VPN because the service provider backbone recognizes each MPLS VPN as a secure, connectionless IP network.

The MPLS VPN model is a true peer VPN model that enforces traffic separation by assigning unique VPN route forwarding tables (VRFs) to each customer's VPN. Thus, users in a specific VPN cannot see traffic outside their VPN. Traffic separation occurs without tunneling or encryption because it is built directly into the network. (For more information on VRFs, see the "VPN Routing and Forwarding Tables (VRFs)" section.)

The service provider's backbone is comprised of the PE and its provider routers. MPLS VPN provides the ability that the routing information about a particular VPN be present only in those PE routers that attach to that VPN.

Characteristics of MPLS VPNs

MPLS VPNs have the following characteristics:

• Border Gateway Protocol-Multiprotocol (MP-BGP) extensions are used to encode customer IPv4 address prefixes into unique VPN-IPv4 Network Layer Reachability Information (NLRI) values.

NLRI refers to a destination address in MP-BGP, so NLRI is considered "one routing unit." In the context of IPv4 MP-BGP, NLRI refers to a network prefix/prefix length pair that is carried in the BGP4 routing updates.

• Extended MP-BGP community attributes are used to control the distribution of customer routes.

• Each customer route is associated with an MPLS label, which is assigned by the provider edge router that originates the route. The label is then employed to direct data packets to the correct egress customer edge router.

When a data packet is forwarded across the provider backbone, two labels are used. The first label directs the packet to the appropriate egress PE; the second label indicates how that egress PE should forward the packet.

• Cisco MPLS CoS and QoS mechanisms provide service differentiation among customer data packets. For more information, see the "Quality of Service and Class of Service" section.

• The link between the PE and CE routers uses standard IP forwarding.

The PE associates each CE with a per-site forwarding table that contains only the set of routes available to that CE.

Principal Technologies

There are four principal technologies that make it possible to build MPLS-based VPNs:

• Border Gateway Protocol-Multiprotocol (MP-BGP) between PEs carries CE routing information

• Route filtering based on the VPN route target extended MP-BGP community attribute

• MPLS forwarding carries packets between PEs (across the service provider backbone)

• Each PE has multiple VPN routing and forwarding instances (VRFs)
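The four technologies just listed, and the earlier point that two VPNs may reuse the same IPv4 addresses, as an added toy model (not code from the original document or from any Cisco product): each PE keeps per-VRF tables, prepends a route distinguisher to make VPN-IPv4 NLRI unique, filters imports on route-target extended communities, and imposes the two-label stack when forwarding across the backbone. PE loopbacks, RD/RT values and labels are all constructed.

```python
"""Toy model of MPLS VPN route distribution between two PEs.

Added example, not part of the original document. Two customers, BANK and
OTHER, both number their first site 10.1.0.0/24; the RD keeps the two
VPN-IPv4 routes distinct in MP-BGP and the RT keeps each route out of the
other customer's VRF.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class VpnV4Route:
    rd: str                        # route distinguisher prepended to the prefix
    prefix: str                    # customer IPv4 prefix (may overlap across VPNs)
    next_hop: str                  # loopback of the originating PE
    label: int                     # VPN label assigned by the originating PE
    route_targets: FrozenSet[str]  # extended communities controlling import


@dataclass
class Vrf:
    name: str
    rd: str
    export_rt: Set[str]
    import_rt: Set[str]
    local_routes: Set[str] = field(default_factory=set)             # learned from the CE
    table: Dict[str, Tuple[str, int]] = field(default_factory=dict)  # prefix -> (egress PE, label)


class Pe:
    def __init__(self, name: str, loopback: str):
        self.name, self.loopback = name, loopback
        self.vrfs: Dict[str, Vrf] = {}
        self._next_label = 16       # labels 0-15 are reserved

    def add_vrf(self, vrf: Vrf) -> None:
        self.vrfs[vrf.name] = vrf

    def export_routes(self) -> List[VpnV4Route]:
        """VPN-IPv4 updates this PE sends over MP-iBGP: RD:prefix, label, RTs."""
        out = []
        for vrf in self.vrfs.values():
            for prefix in sorted(vrf.local_routes):
                out.append(VpnV4Route(vrf.rd, prefix, self.loopback,
                                      self._next_label, frozenset(vrf.export_rt)))
                self._next_label += 1
        return out

    def import_routes(self, updates: List[VpnV4Route]) -> None:
        """Install a route only into VRFs whose import RTs intersect its RTs."""
        for r in updates:
            if r.next_hop == self.loopback:
                continue                      # our own advertisement
            for vrf in self.vrfs.values():
                if vrf.import_rt & r.route_targets:
                    vrf.table[r.prefix] = (r.next_hop, r.label)

    def label_stack(self, vrf_name: str, prefix: str,
                    transport_labels: Dict[str, int]) -> List[int]:
        """Two labels: the outer one reaches the egress PE (learned through the
        core IGP/LDP, modelled by transport_labels), the inner one is the VPN
        label that tells the egress PE which VRF and CE to forward to."""
        egress_pe, vpn_label = self.vrfs[vrf_name].table[prefix]
        return [transport_labels[egress_pe], vpn_label]


# Constructed transport labels, as if learned from LDP for each PE loopback.
TRANSPORT_LABELS = {"192.0.2.1": 1001, "192.0.2.2": 1002}


def build_scenario() -> Tuple[Pe, Pe, List[VpnV4Route]]:
    """Two PEs, two customers with overlapping site addressing."""
    pe1, pe2 = Pe("PE1", "192.0.2.1"), Pe("PE2", "192.0.2.2")
    for pe in (pe1, pe2):
        pe.add_vrf(Vrf("BANK", rd="65000:100", export_rt={"65000:100"}, import_rt={"65000:100"}))
        pe.add_vrf(Vrf("OTHER", rd="65000:200", export_rt={"65000:200"}, import_rt={"65000:200"}))
    pe1.vrfs["BANK"].local_routes.add("10.1.0.0/24")
    pe1.vrfs["OTHER"].local_routes.add("10.1.0.0/24")   # same IPv4 prefix, different VPN
    pe2.vrfs["BANK"].local_routes.add("10.2.0.0/24")
    updates = pe1.export_routes() + pe2.export_routes()
    pe1.import_routes(updates)
    pe2.import_routes(updates)
    return pe1, pe2, updates
```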

The MPLS WAN design is divided into 3 major levels:

• Aggregation to RO connectivity
• MPLS PE to CPE connectivity
• IGP for the network
• QOS

Aggregation to RO connectivity

Aggregation locations are classified into:

• Type I
• Type II
• Type III

Type I & Type II

Type I aggregation offices typically terminate 8 to 10 branch offices, whereas Type II offices terminate 10 to 25 branch offices. Each aggregation location would have 2 routers, one connected to each of the branch offices by channelised E1 and the other by ISDN PRI. The MPLS links are as depicted in the diagram below.

The branch office is connected to aggregation-1 by a 64 kbps leased line and to aggregation-2 by ISDN BRI. Dial on Demand routing shall be configured on the branch routers to dial into the aggregation in the event of a leased line failure. The leased line complemented with ISDN backup ensures high uptimes at the branch office.

Type III

For regions having more than 30 branch offices each aggregation router will have a channelised E1 and PRI to terminate access links. In case of failure of the leased line, each BO will dial into the other aggregation router on PRI.

Branch Office to MPLS PoP

For locations where the connectivity is directly to the MPLS PoP, a 64 Kbps leased line will be provided. This will be backed up with an ISDN BRI dial backup.

A dynamic routing protocol shall be configured between the aggregation and PE routers to load balance traffic across the two available links and to provide seamless failover.

IGP for network

We implement OSPF in the network for a few compelling reasons:

• The network can be segregated into multiple areas
• Better support for route summarization and redistribution
• Open standard as per IETF
• Multivendor support

There will be 650 MPLS locations, which will be terminated directly in the SERVICE PROVIDER MPLS PoP; the remaining 280 locations will be aggregated at the nearest aggregation point.

The network shall be deployed as per the topology below:

The WAN network shall be divided into multiple areas on the basis of aggregation offices. Aggregation routers will act as the ABR between the PE router and branch offices. Branch offices will belong to the same OSPF areas as their aggregation offices.

22. Quality of Service

What Is Quality of Service?

QoS refers to the ability of a network to provide improved service to selected network traffic over various underlying technologies including Frame Relay, ATM, Ethernet and 802.1 networks, SONET, and IP-routed networks. In particular, QoS features provide improved and more predictable network service by providing the following services:

• Supporting dedicated bandwidth
• Improving loss characteristics
• Avoiding and managing network congestion
• Shaping network traffic
• Setting traffic priorities across the network

About QoS Architecture

You configure QoS features throughout a network to provide for end-to-end QoS delivery. The following three components are necessary to deliver QoS across a heterogeneous network:

• QoS within a single network element, which includes queueing, scheduling, and traffic shaping features.

• QoS signalling techniques for coordinating QoS for end-to-end delivery between network elements.

• QoS policing and management functions to control and administer end-to-end traffic across a network.

Not all QoS techniques are appropriate for all network routers. Because edge routers and backbone routers in a network do not necessarily perform the same operations, the QoS tasks they perform might differ as well. To configure an IP network for real-time voice traffic, for example, you would need to consider the functions of both edge and backbone routers in the network, then select the appropriate QoS feature or features.

In general, edge routers perform the following QoS functions:

• Packet classification
• Admission control
• Configuration management

In general, backbone routers perform the following QoS functions:

• Congestion management
• Congestion avoidance

Who Could Benefit from Using Cisco IOS QoS?

All networks can take advantage of aspects of QoS for optimum efficiency, whether the network is for a small corporation, an enterprise, or an Internet service provider (ISP). Different categories of networking users—such as major enterprises, network service providers, and small and medium-sized business networking users—have their own QoS requirements; in many areas, however, these requirements overlap.

Enterprise networks, for example, must provide end-to-end QoS solutions across the various platforms comprising the network; providing solutions for heterogeneous platforms often requires that you take a different QoS configuration approach for each technology. As enterprise networks carry more complex, mission-critical applications and experience increased traffic from Web multimedia applications, QoS serves to prioritize this traffic to ensure that each application gets the service it requires.

ISPs require assured scalability and performance. For example, ISPs that long have offered best-effort IP connectivity now also transfer voice, video, and other real-time critical application data. QoS answers the scalability and performance needs of these ISPs to distinguish different kinds of traffic, thereby enabling them to offer service differentiation to their customers.

In the small and medium-sized business segment, managers are experiencing firsthand the rapid growth of business on the Internet. These business networks must also handle increasingly complex business applications. QoS lets the network handle the difficult task of utilizing an expensive WAN connection in the most efficient way for business applications.

Why Deploy Cisco IOS QoS?

The Cisco IOS QoS features enable networks to control and predictably service a variety of networked applications and traffic types. Implementing Cisco IOS QoS in your network provides the following:
• Control over resources. You have control over which resources (bandwidth, equipment, wide-area facilities, and so on) are being used. For example, you can limit the bandwidth consumed over a backbone link by File Transfer Protocol (FTP) transfers or give priority to an important database access.
• Tailored services. If you are an ISP, the control and visibility provided by QoS enable you to offer carefully tailored grades of service differentiation to your customers.
• Coexistence of mission-critical applications. Cisco QoS features ensure the following:
– That your WAN is used efficiently by the mission-critical applications that are most important to your business.
– That the bandwidth and minimum delays required by time-sensitive multimedia and voice applications are available.
– That other applications using the link get fair service without interfering with mission-critical traffic.

Moreover, by implementing QoS features in your network, you put in place the foundation for a future fully integrated network.

End-to-End QoS Models

A service model, also called a level of service, describes a set of end-to-end QoS capabilities. End-to-end QoS is the ability of the network to deliver the service required by specific network traffic from one end of the network to the other. Cisco IOS QoS software supports three types of service models: best effort, integrated, and differentiated services.

Consider the following factors when deciding which type of service to deploy in the network:
• The application or problem you are trying to solve. Each of the three types of service (best effort, integrated, and differentiated) is appropriate for certain applications.
• The kind of capability you want to allocate to your resources.
• Cost-benefit analysis. For example, the cost of implementing and deploying differentiated service is certain to be higher than the cost of a best-effort service.


The following sections describe the service models supported by features in Cisco IOS software:
• Best-Effort Service
• Integrated Service
• Differentiated Service

Best-Effort Service

Best effort is a single service model in which an application sends data whenever it must, in any quantity, and without requesting permission or first informing the network. For best-effort service, the network delivers data if it can, without any assurance of reliability, delay bounds, or throughput. The Cisco IOS QoS feature that implements best-effort service is FIFO queueing. Best-effort service is suitable for a wide range of networked applications such as general file transfers or e-mail.

Integrated Service

Integrated service is a multiple service model that can accommodate multiple QoS requirements. In this model the application requests a specific kind of service from the network before it sends data. The request is made by explicit signalling; the application informs the network of its traffic profile and requests a particular kind of service that can encompass its bandwidth and delay requirements. The application is expected to send data only after it gets a confirmation from the network. It is also expected to send data that lies within its described traffic profile.

The network performs admission control, based on information from the application and available network resources. It also commits to meeting the QoS requirements of the application as long as the traffic remains within the profile specifications. The network fulfills its commitment by maintaining per-flow state and then performing packet classification, policing, and intelligent queueing based on that state.

Cisco IOS QoS includes the following features that provide controlled load service, which is a kind of integrated service:
• The Resource Reservation Protocol (RSVP), which can be used by applications to signal their QoS requirements to the router.
• Intelligent queueing mechanisms, which can be used with RSVP to provide the following kinds of services:
– Guaranteed Rate Service, which allows applications to reserve bandwidth to meet their requirements. For example, a Voice over IP (VoIP) application can reserve the required amount of bandwidth end-to-end using this kind of service. Cisco IOS QoS uses weighted fair queueing (WFQ) with RSVP to provide this kind of service.
– Controlled Load Service, which allows applications to have low delay and high throughput even during times of congestion. For example, adaptive real-time applications such as playback of a recorded conference can use this kind of service. Cisco IOS QoS uses RSVP with Weighted Random Early Detection (WRED) to provide this kind of service.

Differentiated Service

Differentiated service is a multiple service model that can satisfy differing QoS requirements. However, unlike in the integrated service model, an application using differentiated service does not explicitly signal the router before sending data.

For differentiated service, the network tries to deliver a particular kind of service based on the QoS specified by each packet. This specification can occur in different ways, for example, using the IP Precedence bit settings in IP packets or source and destination addresses. The network uses the QoS specification to classify, mark, shape, and police traffic, and to perform intelligent queueing.

The differentiated service model is used for several mission-critical applications and for providing end-to-end QoS. Typically, this service model is appropriate for aggregate flows because it performs a relatively coarse level of traffic classification.

Cisco IOS QoS includes the following features that support the differentiated service model:
• Committed access rate (CAR), which performs packet classification through IP Precedence and QoS group settings. CAR performs metering and policing of traffic, providing bandwidth management.
• Intelligent queueing schemes such as WRED and WFQ and their equivalent features on the Versatile Interface Processor (VIP), which are distributed WRED (DWRED) and distributed WFQ. These features can be used with CAR to deliver differentiated services.

For more information on how to implement Differentiated Services using the components of Cisco IOS software, see the Cisco IOS QoS chapter "Implementing DiffServ for End-to-End Quality of Service Overview".


Cisco QoS Features

The Cisco IOS QoS software provides the major features described in the following sections. Some of these have been mentioned previously; all of them are briefly introduced in this chapter.
• Classification
• Congestion Management
• Congestion Avoidance
• Policing and Shaping
• Signalling
• Link Efficiency Mechanisms
• QoS Solutions
• Modular QoS Command-Line Interface
• Security Device Manager

Classification

Packet classification features provide the capability to partition network traffic into multiple priority levels or classes of service. For example, by using the three precedence bits in the Type of Service (ToS) field of the IP packet header (two of the eight values are reserved for other purposes), you can categorize packets into a limited set of up to six traffic classes. After you classify packets, you can utilize other QoS features to assign the appropriate traffic handling policies, including congestion management, bandwidth allocation, and delay bounds, for each traffic class.

Packets can also be classified by external sources, that is, by a customer or by a downstream network provider. You can either allow the network to accept the classification or override it and reclassify the packet according to a policy that you specify.

Packets can be classified based on policies specified by the network operator. Policies can be set that include classification based on physical port, source or destination IP or MAC address, application port, IP protocol type, and other criteria that you can specify by using access lists or extended access lists.

You can use Cisco IOS QoS policy-based routing (PBR) and the classification features of Cisco IOS QoS CAR to classify packets. You can use Border Gateway Protocol (BGP) policy propagation to propagate destination-based packet classification policy throughout a large network via BGP routing updates. This section gives a brief description of these features.

In addition, you can use the QoS for Virtual Private Networks (VPNs) feature to classify packets before tunneling and encryption occur. The process of classifying packets before tunneling and encryption is called preclassification.

The Class-Based Packet Marking feature provides users with a user-friendly command-line interface (CLI) for efficient packet marking by which users can differentiate packets based on the designated markings.

IP Precedence

The IP Precedence feature allows you to specify the class of service of a packet using the three precedence bits in the ToS field of the IP version 4 (IPv4) header. Other features configured throughout the network can then use these bits to determine how to treat the packet in regard to the type of service to grant it. For example, although IP Precedence is not a queueing method, other queueing methods such as WFQ can use the IP Precedence setting of the packet to prioritize traffic.

Committed Access Rate (Packet Classification)

CAR is the main feature supporting packet classification. CAR uses the ToS bits in the IP header to classify packets. You can use the CAR classification commands to classify and reclassify a packet.

Here are some example packet classification policies:
• All packets received on a particular T1 line are classified as high priority (port-based classification).
• All HTTP traffic is classified as medium priority (application classification).
• Video traffic from a specified IP address is classified as medium priority.
• Packets bound for particular destinations are classified as high priority traffic (for example, international traffic or traffic bound for a premium customer).
• Some packets are classified for subrate IP services. The network operator delivers a physical T1/E1 or T3/E3 line to the customer, but offers a less expensive subrate service, for example, 1 Mbps on an E1 line or 10 Mbps on a T3 line. The customer pays for the subrate bandwidth and may be upgraded to additional access bandwidth over time based on demand. CAR limits the traffic rate available to the customer and delivered to the network to the agreed-upon rate limit (with the ability to temporarily burst over the limit). The network operator may upgrade the service without any physical network rearrangement.
• Traffic is classified for exchange point traffic control. An ISP offers transit services to downstream ISPs via exchange point connectivity provided by a Layer 2 switch. The upstream provider utilizes MAC-address rate limits provided by CAR to enforce bandwidth usage limitations on the downstream ISPs.

Class-Based Packet Marking

The Class-Based Packet Marking feature provides users with a means for efficient packet marking by which users can differentiate packets based on the designated markings. The Class-Based Packet Marking feature allows users to perform the following tasks:
• Mark packets by setting the IP Precedence bits or the IP differentiated services code point (DSCP) in the IP ToS byte.
• Mark packets by setting the Layer 2 class of service (CoS) value.
• Associate a local QoS group value with a packet.
• Set the cell loss priority (CLP) bit in the ATM header of a packet from 0 to 1.
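The CAR and Class-Based Packet Marking descriptions above both act on the ToS byte of the IPv4 header. The following Python is an added worked example, written for this section rather than taken from the report or from Cisco IOS: it reads and rewrites the precedence and DSCP bits of a raw IPv4 header, recomputes the header checksum that the rewrite invalidates (a step the prose does not mention but every marking device must perform), and meters a constructed packet trace with a token bucket in the manner of CAR, so that conforming packets are marked with DSCP 40 (class selector 5, precedence 5) and exceeding packets are dropped. The header bytes, the rate (8000 bit/s) and the burst (1500 bytes) are constructed for the illustration; the bucket is a simplified single-rate model, not Cisco's exact CAR implementation.

```python
import struct


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of the 16-bit header words with the
    checksum field itself (word 5, bytes 10-11) treated as zero."""
    words = struct.unpack("!%dH" % (len(header) // 2), header)
    total = sum(words) - words[5]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_ok(header: bytes) -> bool:
    """True if the stored header checksum matches the header contents."""
    return ipv4_checksum(header) == int.from_bytes(header[10:12], "big")


def build_ipv4_header(tos: int, total_length: int = 20) -> bytes:
    """Constructed 20-byte IPv4 header (no options): 10.0.0.1 -> 10.0.0.2, UDP, TTL 64.
    total_length is what the header claims for the whole packet; only the header bytes
    are built here, which is all that marking and metering need to look at."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, tos, total_length,          # version/IHL, ToS byte, total length
                      0x1234, 0x4000,                   # identification, flags (DF) / fragment offset
                      64, 17, 0,                        # TTL, protocol (UDP), checksum placeholder
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def precedence(header: bytes) -> int:
    """IP Precedence: the top 3 bits of the ToS byte (values 6 and 7 are reserved for
    network control traffic, which is why the text speaks of six usable classes)."""
    return header[1] >> 5


def dscp(header: bytes) -> int:
    """DSCP: the top 6 bits of the ToS byte. The low 2 bits are ECN, not part of the code point."""
    return header[1] >> 2


def set_dscp(header: bytes, value: int) -> bytes:
    """Return a copy of the header remarked with the given DSCP, ECN bits preserved and the
    header checksum recomputed. A class selector code point (precedence << 3) keeps the
    precedence bits meaningful to devices that only read the top 3 bits."""
    if not 0 <= value <= 63:
        raise ValueError("DSCP is a 6-bit field")
    new = bytearray(header)
    new[1] = (value << 2) | (header[1] & 0x03)
    new[10:12] = struct.pack("!H", ipv4_checksum(bytes(new)))
    return bytes(new)


class TokenBucket:
    """Single-rate, single-bucket meter in the style of CAR: tokens accrue at rate_bps and
    up to burst_bytes may be spent at once, so short bursts above the rate pass."""

    def __init__(self, rate_bps: int, burst_bytes: int):
        self.rate = rate_bps / 8.0          # bytes per second
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)    # start full
        self.last = 0.0

    def conform(self, length: int, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if length <= self.tokens:
            self.tokens -= length
            return True
        return False


def police(packets, rate_bps: int, burst_bytes: int, conform_dscp: int):
    """Meter (timestamp, header) pairs: conforming packets are remarked with conform_dscp
    and forwarded, exceeding packets are dropped. Returns (forwarded_headers, dropped)."""
    bucket = TokenBucket(rate_bps, burst_bytes)
    forwarded, dropped = [], 0
    for ts, hdr in packets:
        length = int.from_bytes(hdr[2:4], "big")    # total length field of the packet
        if bucket.conform(length, ts):
            forwarded.append(set_dscp(hdr, conform_dscp))
        else:
            dropped += 1
    return forwarded, dropped


# Constructed trace: six 500-byte packets, four arriving at t=0 and two at t=1 s.
SAMPLE_TRACE = [(0.0, build_ipv4_header(0, 500))] * 4 + [(1.0, build_ipv4_header(0, 500))] * 2

if __name__ == "__main__":
    sent, lost = police(SAMPLE_TRACE, rate_bps=8000, burst_bytes=1500, conform_dscp=40)
    print(f"forwarded {len(sent)} marked precedence {precedence(sent[0])}, dropped {lost}")
```

Running police(SAMPLE_TRACE, 8000, 1500, 40) forwards five of the six 500-byte packets: three on the initial burst credit, one dropped when the bucket is empty, and two more after one second of refill at 1000 bytes/s. Because set_dscp preserves the two ECN bits, marking does not disturb congestion signalling, and because it recomputes the checksum, the remarked packet is not discarded by the next hop.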

QoS for Virtual Private Networks

When packets are encapsulated by tunnel or encryption headers, QoS features are unable to examine the original packet headers and correctly classify the packets. Packets traveling across the same tunnel have the same tunnel headers, so the packets are treated identically if the physical interface is congested. With the growing popularity of VPNs, the need to classify traffic within a traffic tunnel is gaining importance. QoS features have historically been unable to classify traffic within a tunnel. With the introduction of the QoS for VPNs feature, packets can now be classified before tunneling and encryption occur. The process of classifying packets before tunneling and encryption is called preclassification.

The QoS for VPNs feature is designed for tunnel interfaces. When the feature is enabled, the QoS features on the output interface classify packets before encryption, allowing traffic flows to be adjusted in congested environments. The result is more effective packet tunneling.

Network-Based Application Recognition

The Network-Based Application Recognition (NBAR) feature provides intelligent network classification to network infrastructures. NBAR is a classification engine that recognizes a wide variety of applications, including web-based and other difficult-to-classify protocols that utilize dynamic TCP/User Datagram Protocol (UDP) port assignments. When an application is recognized and classified by NBAR, a network can invoke services for that specific application.


Congestion Management

Congestion management features operate to control congestion once it occurs. One way that network elements handle an overflow of arriving traffic is to use a queueing algorithm to sort the traffic, then determine some method of prioritizing it onto an output link. Each queueing algorithm was designed to solve a specific network traffic problem and has a particular effect on network performance.

The Cisco IOS software congestion management, or queueing, features include the following:
• FIFO
• Priority queueing (PQ)
• Frame Relay permanent virtual circuit (PVC) interface priority queueing (FR PIPQ)
• Custom queueing (CQ)
• Flow-based, class-based, and distributed WFQ
• Distributed class-based WFQ
• IP RTP Priority and Frame Relay IP RTP Priority
• Low latency queueing (LLQ), Distributed LLQ, and LLQ for Frame Relay

What Is Congestion in Networks?

Consideration of the behavior of congested systems is not simple and cannot be dealt with in a simplistic manner, because traffic rates do not simply rise to a level, stay there a while, then subside. Periods of traffic congestion can be quite long, with losses that are heavily concentrated. In contrast to Poisson traffic models, linear increases in buffer size do not result in large decreases in packet drop rates; a slight increase in the number of active connections can result in a large increase in the packet loss rate. This understanding of the behavior of congested networks suggests that because the level of busy period traffic is not predictable, it would be difficult to efficiently size networks to reduce congestion adequately. Observers of network congestion report that in reality, traffic "spikes," which causes actual losses that ride on longer-term ripples, which in turn ride on still longer-term swells.


FIFO Queueing

FIFO provides basic store and forward capability. FIFO is the default queueing algorithm in some instances, thus requiring no configuration. See "WFQ and Distributed WFQ" later in this section for a complete explanation of the default configuration.

PQ

Designed to give strict priority to important traffic, PQ ensures that important traffic gets the fastest handling at each point where PQ is used. PQ can flexibly prioritize according to network protocol (such as IP, IPX, or AppleTalk), incoming interface, packet size, source/destination address, and so on.

Frame Relay PVC PQ

FR PIPQ provides an interface-level PQ scheme in which prioritization is based on destination PVC rather than packet contents. For example, FR PIPQ allows you to configure a PVC transporting voice traffic to have absolute priority over a PVC transporting signalling traffic, and a PVC transporting signalling traffic to have absolute priority over a PVC transporting data. FR PIPQ provides four levels of priority: high, medium, normal, and low. The Frame Relay packet is examined at the interface for the data-link connection identifier (DLCI) value. The packet is then sent to the correct priority queue based on the priority level configured for that DLCI.

CQ

CQ reserves a percentage of the available bandwidth of an interface for each selected traffic type. If a particular type of traffic is not using the bandwidth reserved for it, then other traffic types may use the remaining reserved bandwidth.

WFQ and Distributed WFQ

WFQ applies priority (or weights) to identified traffic to classify traffic into conversations and determine how much bandwidth each conversation is allowed relative to other conversations. WFQ classifies traffic into different flows based on such characteristics as source and destination address, protocol, and port and socket of the session.

To provide large-scale support for applications and traffic classes requiring bandwidth allocations and delay bounds over the network infrastructure, Cisco IOS QoS includes a version of WFQ that runs only in distributed mode on VIPs. This version is called VIP-distributed WFQ (DWFQ). It provides increased flexibility in terms of traffic classification, weight assessment, and discard policy, and delivers Internet-scale performance on the Cisco 7500 series platforms.

For serial interfaces at E1 (2.048 Mbps) and below, WFQ is used by default. When no other queueing strategies are configured, all other interfaces use FIFO by default.
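As an added example for the WFQ description above (written for this section, not taken from the report or from Cisco IOS), the Python below models flow-based WFQ as a sequence-number scheduler: each arriving packet is stamped with the last sequence number of its conversation (or the scheduler's current sequence number if the conversation was idle) plus weight times length, and the packet with the lowest sequence number is transmitted first. The weight 32384 / (IP precedence + 1) is the one Cisco documents for flow-based WFQ; what the illustration depends on is only that a conversation's share is proportional to precedence + 1 and that larger packets finish later. Flow names, packet sizes and counts are constructed.

```python
import heapq
from collections import defaultdict

WFQ_WEIGHT_BASE = 32384   # Cisco's flow-based WFQ weight base; share is proportional to precedence + 1


def wfq_weight(precedence: int) -> int:
    """Lower weight means a larger share: weight = 32384 // (IP precedence + 1)."""
    if not 0 <= precedence <= 7:
        raise ValueError("IP precedence is a 3-bit field")
    return WFQ_WEIGHT_BASE // (precedence + 1)


class WFQScheduler:
    """Flow-based weighted fair queueing modelled as sequence-number (virtual finish time)
    scheduling. A packet's sequence number is the larger of the scheduler's current sequence
    number and the last one assigned to its conversation, plus weight * length. Dequeuing in
    increasing sequence-number order gives a precedence-p conversation about (p + 1) times the
    share of a precedence-0 conversation while both are backlogged."""

    def __init__(self):
        self.heap = []                     # (sequence_number, arrival_order, flow_id, length)
        self.last_seq = defaultdict(int)   # last sequence number assigned per conversation
        self.current_seq = 0               # sequence number of the most recently dequeued packet
        self.arrivals = 0                  # tie-breaker: earlier arrivals win equal sequence numbers

    def enqueue(self, flow_id, precedence: int, length: int) -> int:
        base = max(self.current_seq, self.last_seq[flow_id])
        seq = base + wfq_weight(precedence) * length
        self.last_seq[flow_id] = seq
        heapq.heappush(self.heap, (seq, self.arrivals, flow_id, length))
        self.arrivals += 1
        return seq

    def dequeue(self):
        seq, _, flow_id, length = heapq.heappop(self.heap)
        self.current_seq = seq
        return flow_id, length


def simulate_backlogged(flows, packets_per_flow: int, length: int, to_send: int) -> dict:
    """Constructed scenario: enqueue packets_per_flow equal-size packets for every
    (flow_id, precedence) in flows, then dequeue to_send packets and count how many each
    conversation got onto the link."""
    sched = WFQScheduler()
    for flow_id, prec in flows:
        for _ in range(packets_per_flow):
            sched.enqueue(flow_id, prec, length)
    sent = defaultdict(int)
    for _ in range(to_send):
        flow_id, _ = sched.dequeue()
        sent[flow_id] += 1
    return dict(sent)


if __name__ == "__main__":
    print(simulate_backlogged([("voice", 5), ("ftp", 0)], 70, 1, 70))
```

With a precedence-5 and a precedence-0 conversation both backlogged with equal-size packets, 70 transmissions split 60 to 10: the precedence-5 flow sends six packets for every one of the other, the (5 + 1) : (0 + 1) ratio of the weights. Ties in sequence number are broken by arrival order, and because length multiplies the weight, a conversation of small packets is favoured over one of large packets at the same precedence.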

CBWFQ and Distributed CBWFQ

The class-based WFQ (CBWFQ) and distributed class-based WFQ (DCBWFQ) features extend the standard WFQ functionality to provide support for user-defined traffic classes. They allow you to specify the exact amount of bandwidth to be allocated to a specific class of traffic. Taking into account the available bandwidth on the interface, you can configure up to 64 classes and control the distribution among them.

DCBWFQ is intended for use on the VIP-based Cisco 7000 series routers with Route Switch Processors (RSPs), and on the Cisco 7500 series routers except those with PA-A3-8T1IMA modules.

LLQ

LLQ provides strict priority queueing on ATM VCs and serial interfaces. This feature allows you to configure the priority status for a class within CBWFQ, and is not limited to UDP port numbers, as IP RTP Priority is. LLQ and IP RTP Priority can be configured at the same time, but IP RTP Priority takes precedence.

Additionally, the functionality of LLQ has been extended to allow you to specify the committed burst (Bc) size in LLQ and to change (or vary) the number of packets contained in the hold queue per VC (on ATM adapters that support per-VC queueing).

Distributed LLQ

The Distributed LLQ feature provides the ability to specify low latency behavior for a traffic class on a VIP-based Cisco 7500 series router, except those with PA-A3-8T1IMA modules. LLQ allows delay-sensitive data such as voice to be dequeued and sent before packets in other queues are dequeued.

The Distributed LLQ feature also introduces the ability to limit the depth of a device transmission ring.


LLQ for Frame Relay

LLQ for Frame Relay provides strict PQ for voice traffic and WFQ for other classes of traffic. Before the release of this feature, LLQ was available at the interface and ATM VC levels. It is now available at the Frame Relay VC level when Frame Relay Traffic Shaping is configured.

Strict PQ improves QoS by allowing delay-sensitive traffic such as voice to be pulled from the queue and sent before other classes of traffic.

LLQ for Frame Relay allows you to define classes of traffic according to protocol, interface, or access lists. You can then assign characteristics to those classes, including priority, bandwidth, queue limit, and WRED.

Congestion Avoidance

Congestion avoidance techniques monitor network traffic loads in an effort to anticipate and avoid congestion at common network and internetwork bottlenecks before it becomes a problem. These techniques are designed to provide preferential treatment for premium (priority) class traffic under congestion situations while concurrently maximizing network throughput and capacity utilization and minimizing packet loss and delay. WRED and DWRED are the Cisco IOS QoS congestion avoidance features.

Router behavior allows output buffers to fill during periods of congestion, using the tail drop feature to resolve the problem when WRED is not configured. During tail drop, a potentially large number of packets from numerous connections are discarded because of lack of buffer capacity. This behavior can result in waves of congestion followed by periods during which the transmission link is not fully used. WRED obviates this situation proactively by providing congestion avoidance. That is, instead of waiting for buffers to fill before dropping packets, the router monitors the buffer depth and performs early discards on selected packets sent over selected connections.

WRED is the Cisco implementation of the RED class of congestion avoidance algorithms. When RED is used and the source detects the dropped packet, the source slows its transmission. RED is primarily designed to work with TCP in IP internetwork environments. WRED can also be configured to use the DSCP value when it calculates the drop probability of a packet, which makes WRED compliant with the IETF Differentiated Services (DiffServ) standard.


WRED

WRED, the Cisco implementation of RED, combines the capabilities of the RED algorithm with IP Precedence to provide preferential traffic handling for higher priority packets. It can selectively discard lower priority traffic when the interface begins to get congested and provide differentiated performance characteristics for different classes of service. WRED is also RSVP-aware. WRED is available on the Cisco 7200 series RSP.
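The WRED passages above describe the mechanism in words; the following Python is an added illustration (not the report's or Cisco's code) of the three pieces that make it work: the exponentially weighted average queue depth, with Cisco's default exponent of 9 (weight 1/512); the per-precedence minimum and maximum thresholds; and the mark probability denominator (default 10, so at most one packet in ten is dropped early before the maximum threshold forces tail drop). The threshold table is constructed in the spirit of the IOS defaults (precedence 0 starts dropping at half the maximum threshold, higher precedences later) but is not a copy of them, and the steady-state simulation is a constructed scenario.

```python
import random


def update_average(avg: float, current_depth: int, exponent: int = 9) -> float:
    """Exponentially weighted moving average of queue depth, as WRED computes it:
    avg = avg * (1 - 2**-n) + current * 2**-n. With Cisco's default n = 9 the weight is
    1/512, so the average trails bursts and only sustained congestion moves it."""
    w = 2.0 ** -exponent
    return avg * (1.0 - w) + current_depth * w


def drop_probability(avg: float, min_th: int, max_th: int, mark_prob_denominator: int = 10) -> float:
    """RED early-drop probability for one profile: 0 below min_th, rising linearly to
    1/mark_prob_denominator as the average approaches max_th, and 1 (tail drop) from max_th on."""
    if avg < min_th:
        return 0.0
    if avg >= max_th:
        return 1.0
    return (avg - min_th) / (max_th - min_th) / mark_prob_denominator


def default_profiles(max_th: int = 40) -> dict:
    """Constructed per-precedence (min_th, max_th) table in the spirit of the IOS defaults,
    not a copy of them: precedence 0 starts dropping at half the maximum threshold and each
    higher precedence starts later, which is the 'weighted' part of WRED."""
    half = max_th // 2
    return {p: (half + p * half // 8, max_th) for p in range(8)}


class WREDQueue:
    """Output queue that applies WRED on enqueue. seed makes the random drops reproducible."""

    def __init__(self, profiles=None, mark_prob_denominator: int = 10, seed: int = 0):
        self.profiles = profiles or default_profiles()
        self.mpd = mark_prob_denominator
        self.avg = 0.0
        self.depth = 0
        self.rng = random.Random(seed)

    def offer(self, precedence: int) -> bool:
        """Decide whether to enqueue a packet of the given precedence; True if accepted."""
        self.avg = update_average(self.avg, self.depth)
        min_th, max_th = self.profiles[precedence]
        if self.rng.random() < drop_probability(self.avg, min_th, max_th, self.mpd):
            return False
        self.depth += 1
        return True

    def transmit(self) -> None:
        """Send one packet from the queue."""
        if self.depth:
            self.depth -= 1


def simulate_steady_state(avg_depth: int, offered: dict, seed: int = 0) -> dict:
    """Constructed scenario: hold the queue at a constant depth (one packet transmitted per
    packet accepted), offer offered[precedence] packets of each precedence in round-robin,
    and return the number dropped per precedence."""
    q = WREDQueue(seed=seed)
    q.depth = avg_depth
    q.avg = float(avg_depth)
    drops = {p: 0 for p in offered}
    remaining = dict(offered)
    while any(remaining.values()):
        for p in list(remaining):
            if remaining[p] == 0:
                continue
            remaining[p] -= 1
            if q.offer(p):
                q.transmit()
            else:
                drops[p] += 1
    return drops


if __name__ == "__main__":
    print(simulate_steady_state(30, {0: 1000, 5: 1000}))
```

Holding the queue at an average depth of 30 with the constructed table puts precedence 0 (minimum threshold 20) in its early-drop region at probability 0.05, while precedence 5 (minimum threshold 32) is still below its threshold, so only the lower-precedence traffic is thinned. Because the average uses a 1/512 weight it trails the instantaneous depth by hundreds of packets; that slowness is what lets bursts through, and it is also why WRED only helps with TCP-like sources that back off when they see loss.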


25. Configuration Of Network Devices

25.1 Configuration Of Core Devices

Core MPLS / Central Office

version 12.2
service tcp-keepalives-in
service timestamps debug uptime
service timestamps log uptime
service password-encryption
service compress-config
no service dhcp
!
hostname Cisco
logging buffered 4096 debugging
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login console local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
enable secret 5 $1$ptGs$RSxKyBB8rTf6rQHj8rhHZ0
!
memory-size iomem 25
clock timezone ISD 5 30
ip subnet-zero
no ip source-route
!
!
no ip domain-lookup
!
no ip bootp server
ip cef
!
crypto isakmp policy 1


 hash md5
 authentication pre-share
crypto isakmp key mumbaido_vashiecLL address 10.50.203.205
crypto isakmp key mumbaido_vashiecbri address 10.50.231.16
crypto isakmp key mumbaido_puneLL address 10.50.203.196
crypto isakmp key mumbaido_punebri address 10.50.231.4
crypto isakmp key mumbaido_VadodraLL address 10.50.203.200
crypto isakmp key mumbaido_Vadodrabri address 10.50.231.8
crypto isakmp key mumbaido_vashiLL address 10.50.203.201
crypto isakmp key mumbaido_vashibri address 10.50.231.9
crypto isakmp key mumbaido_suratLL address 10.50.203.198
crypto isakmp key mumbaido_suratbri address 10.50.231.6
crypto isakmp key mumbaido_MumbaiFortLL address 10.50.203.195
crypto isakmp key mumbaido_MumbaiFortbri address 10.50.231.3
crypto isakmp key mumbaido_indoreLL address 10.50.203.202
crypto isakmp key mumbaido_indorebri address 10.50.231.10
crypto isakmp key mumbaido_unjhaLL address 10.50.203.199
crypto isakmp key mumbaido_AhemdabadLL address 10.50.203.194
crypto isakmp key mumbaido_Ahemdabadbri address 10.50.231.2
crypto isakmp key mumbaido_ahemdabadecLL address 10.50.203.207
crypto isakmp key mumbaido_ahemdabadecbri address 10.50.231.18
crypto isakmp key mumbaido_unjhabri address 10.50.231.7
crypto isakmp key mumbaido_borivilleLL address 10.50.203.203
crypto isakmp key mumbaido_borivillebri address 10.50.231.11
crypto isakmp key mumbaido_ _THANELL address 10.50.203.208
crypto isakmp key mumbaido_ _THANEbri address 10.50.231.19
crypto isakmp key mumbaido_AHEMDABADSATbri address 10.50.231.20
crypto isakmp key mumbaido_AHEMDABADSATLL address 10.50.203.209
crypto isakmp key mumbaido_ _AHMEDNAGARbri address 10.50.231.25
!
!
crypto ipsec transform-set _DES ah-md5-hmac esp-des
!
crypto map mumbaido_vashiecLL local-address Loopback1
crypto map mumbaido_vashiecLL 1 ipsec-isakmp
 set peer 10.50.203.205
 set transform-set _DES
 match address 181
!


crypto map mumbaido_puneLL local-address Loopback1
crypto map mumbaido_puneLL 1 ipsec-isakmp
 set peer 10.50.203.196
 set transform-set _DES
 match address 181
!
crypto map mumbaido_VadodraLL local-address Loopback1
crypto map mumbaido_VadodraLL 1 ipsec-isakmp
 set peer 10.50.203.200
 set transform-set _DES
 match address 181
!
crypto map mumbaido_borivilleLL local-address Loopback1
crypto map mumbaido_borivilleLL 1 ipsec-isakmp
 set peer 10.50.203.203
 set transform-set _DES
 match address 181
!
crypto map mumbaido_vashiLL local-address Loopback1
crypto map mumbaido_vashiLL 1 ipsec-isakmp
 set peer 10.50.203.201
 set transform-set _DES
 match address 181
!
crypto map mumbaido_suratLL local-address Loopback1
crypto map mumbaido_suratLL 1 ipsec-isakmp
 set peer 10.50.203.198
 set transform-set _DES
 match address 181
!
crypto map mumbaido_MumbaiFortLL local-address Loopback1
crypto map mumbaido_MumbaiFortLL 1 ipsec-isakmp
 set peer 10.50.203.195
 set transform-set _DES
 match address 181
!
crypto map mumbaido_indoreLL local-address Loopback1
crypto map mumbaido_indoreLL 1 ipsec-isakmp
 set peer 10.50.203.202
 set transform-set _DES


 match address 181
!
crypto map mumbaido_rajkotmainLL local-address Loopback1
crypto map mumbaido_rajkotmainLL 1 ipsec-isakmp
 set peer 10.50.203.197
 set transform-set _DES
 match address 181
!
crypto map mumbaido_unjhaLL local-address Loopback1
crypto map mumbaido_unjhaLL 1 ipsec-isakmp
 set peer 10.50.203.199
 set transform-set _DES
 match address 181
!
crypto map mumbaido_AhemdabadLL local-address Loopback1
crypto map mumbaido_AhemdabadLL 1 ipsec-isakmp
 set peer 10.50.203.194
 set transform-set _DES
 match address 181
!
crypto map mumbaido_ahemdabadecLL local-address Loopback1
crypto map mumbaido_ahemdabadecLL 1 ipsec-isakmp
 set peer 10.50.203.207
 set transform-set _DES
 match address 181
!
crypto map mumbaiisdn local-address Dialer1
crypto map mumbaiisdn 2 ipsec-isakmp
 set peer 10.50.231.2
 set transform-set _DES
 match address 102
crypto map mumbaiisdn 3 ipsec-isakmp
 set peer 10.50.231.3
 set transform-set _DES
 match address 103
crypto map mumbaiisdn 4 ipsec-isakmp
 set peer 10.50.231.4
 set transform-set _DES
 match address 104
crypto map mumbaiisdn 5 ipsec-isakmp


 set peer 10.50.231.5
 set transform-set _DES
 match address 105
crypto map mumbaiisdn 6 ipsec-isakmp
 set peer 10.50.231.6
 set transform-set _DES
 match address 106
crypto map mumbaiisdn 7 ipsec-isakmp
 set peer 10.50.231.7
 set transform-set _DES
 match address 107
crypto map mumbaiisdn 8 ipsec-isakmp
 set peer 10.50.231.8
 set transform-set _DES
 match address 108
crypto map mumbaiisdn 9 ipsec-isakmp
 set peer 10.50.231.9
 set transform-set _DES
 match address 109
crypto map mumbaiisdn 10 ipsec-isakmp
 set peer 10.50.231.10
 set transform-set _DES
 match address 110
crypto map mumbaiisdn 11 ipsec-isakmp
 set peer 10.50.231.11
 set transform-set _DES
 match address 111
crypto map mumbaiisdn 16 ipsec-isakmp
 set peer 10.50.231.16
 set transform-set _DES
 match address 116
crypto map mumbaiisdn 18 ipsec-isakmp
 set peer 10.50.231.18
 set transform-set _DES
 match address 118
crypto map mumbaiisdn 19 ipsec-isakmp
 set peer 10.50.231.19
 set transform-set _DES
 match address 119
crypto map mumbaiisdn 20 ipsec-isakmp


 set peer 10.50.231.20
 set transform-set _DES
 match address 120
!
crypto map mumbaido__THANELL local-address Loopback1
crypto map mumbaido__THANELL 1 ipsec-isakmp
 set peer 10.50.203.208
 set transform-set _DES
 match address 181
!
crypto map mumbaido_AHEMDABADSATLL local-address Loopback1
crypto map mumbaido_AHEMDABADSATLL 1 ipsec-isakmp
 set peer 10.55.63.80
 set peer 10.50.203.209
 set transform-set _DES
 match address 182
!
isdn switch-type primary-5ess
call rsvp-sync
!
fax interface-type fax-mail
mta receive maximum-recipients 0
!
controller E1 1/0
 framing NO-CRC4
 channel-group 0 timeslots 16
 channel-group 1 timeslots 1
 channel-group 2 timeslots 2
 channel-group 3 timeslots 3
 channel-group 4 timeslots 4
 channel-group 5 timeslots 5
 channel-group 6 timeslots 6
 channel-group 7 timeslots 7
 channel-group 8 timeslots 8
 channel-group 9 timeslots 9
 channel-group 10 timeslots 10
 channel-group 11 timeslots 11
 channel-group 12 timeslots 12
 channel-group 13 timeslots 13
 channel-group 14 timeslots 14
 channel-group 15 timeslots 15
 channel-group 17 timeslots 17
 channel-group 18 timeslots 18
 channel-group 19 timeslots 19
 channel-group 20 timeslots 20
 channel-group 21 timeslots 21
 channel-group 22 timeslots 22-23
 channel-group 24 timeslots 24
 channel-group 25 timeslots 25
 channel-group 26 timeslots 26
 channel-group 27 timeslots 27
 channel-group 28 timeslots 28
 channel-group 29 timeslots 29
 channel-group 30 timeslots 30
 description ### Channelized E1 ###
!
controller E1 1/1
 framing NO-CRC4
 pri-group timeslots 1-31
 description ### ISDN PRI ### No - 022 - 24388500
!
interface Loopback1
 ip address 10.50.3.13 255.255.255.255
!
interface FastEthernet0/0
 description ### Mumbai Prabhadevi ###
 ip address 10.50.193.100 255.255.255.0
 ip access-group 198 in
 no ip route-cache cef
 no ip mroute-cache
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1
 description ### Mumbai DO ###
 ip address 10.51.193.100 255.255.255.0
 ip access-group 198 in
 duplex auto
 speed auto
 no cdp enable
!
interface Serial1/0:0
 bandwidth 64
 no ip address
 ip load-sharing per-packet
 no ip route-cache
 ip ospf message-digest-key 1 md5 7 09424B1D1A0407
 down-when-looped
!
interface Serial1/0:1
 description ###Aurangabad###
 bandwidth 64
 ip address 10.50.192.18 255.255.255.252
 ip ospf message-digest-key 1 md5 7 1419171F0F053A
 down-when-looped
!
interface Serial1/0:2
 description $$$ Free $$$
 bandwidth 64
 no ip address
 down-when-looped
!
interface Serial1/0:3
 description ### Pune ###
 bandwidth 64
 ip address 10.50.192.10 255.255.255.252
 ip ospf message-digest-key 1 md5 7 06080A354F4F19
 down-when-looped
 crypto map mumbaido_puneLL
!
interface Serial1/0:4
 description $$$ Free $$$
 bandwidth 64
 no ip address
 down-when-looped
!
interface Serial1/0:5
 description $$$ Free $$$
 bandwidth 64
 no ip address
 down-when-looped
!
interface Serial1/0:6
 description ### Free ###
 bandwidth 64
 no ip address
 down-when-looped
!
interface Serial1/0:7
 description ### Free ###
 bandwidth 64
 no ip address
 down-when-looped
!
interface Serial1/0:8
 description ###Delhi###
 bandwidth 64
 ip address 10.50.4.66 255.255.255.252
 ip ospf message-digest-key 1 md5 7 0458021519284959
 down-when-looped
!
interface Serial1/0:9
 description ### Ahmedabad Main LL 1 ###
 bandwidth 64
 ip address 10.50.192.2 255.255.255.252
 ip load-sharing per-packet
 no ip route-cache
 ip ospf message-digest-key 1 md5 7 1419171F0F053A
 down-when-looped
!
interface Serial1/0:10
 description ###Bangalore###
 bandwidth 64
 ip address 10.50.4.73 255.255.255.252
 no ip route-cache
 ip ospf message-digest-key 1 md5 7 060506325A470C0E
 down-when-looped
!
interface Serial1/0:11
 description ### Free ###
 bandwidth 64
 no ip address
 no ip route-cache
 down-when-looped
!
interface Serial1/0:12
 description ### Chembur ###
 bandwidth 64
 ip address 10.55.48.22 255.255.255.252
 ip ospf message-digest-key 1 md5 7 09424B1D1A0407
 down-when-looped
!
interface Serial1/0:13
 description ### Boriville ###
 bandwidth 64
 ip address 10.50.192.38 255.255.255.252
 encapsulation ppp
 ip ospf message-digest-key 1 md5 7 030A5E1F050E31
 down-when-looped
!
interface Serial1/0:14
 bandwidth 64
 no ip address
 no ip route-cache
 down-when-looped
!
interface Serial1/0:15
 description ### Vashi EC ###
 bandwidth 64
 ip address 10.50.192.46 255.255.255.252
 ip ospf message-digest-key 1 md5 7 011D0310580A16
 down-when-looped
 crypto map mumbaido_vashiecLL
!
interface Serial1/0:17
 description ### Mulund ###
 bandwidth 64
 ip address 10.55.48.18 255.255.255.252
 no ip route-cache
 ip ospf message-digest-key 1 md5 7 0208014F08071F
 down-when-looped
!
interface Serial1/0:18
 description ### Ahmed Nagar ###
 bandwidth 64
 ip address 10.50.192.42 255.255.255.252
 no ip route-cache
 ip ospf message-digest-key 1 md5 7 000A1612075A1B
 down-when-looped
!
interface Serial1/0:19
 description ### Andheri ###
 bandwidth 64
 ip address 10.50.192.22 255.255.255.252
 encapsulation ppp
 ip ospf message-digest-key 1 md5 7 1419171F0F053A
 down-when-looped
!
interface Serial1/0:20
 description ### Thane ###
 bandwidth 64
 ip address 10.50.192.50 255.255.255.252
 ip ospf message-digest-key 1 md5 7 12170003110A1C
 down-when-looped
!
interface Serial1/0:21
 description $$$ Free $$$
 bandwidth 64
 no ip address
 down-when-looped
!
interface Serial1/0:22
 description ### Vashi Main ###
 bandwidth 128
 ip address 10.50.192.30 255.255.255.252
 ip ospf message-digest-key 1 md5 7 0505031B224D5E
 down-when-looped
 crypto map mumbaido_vashiLL
!
interface Serial1/0:24
 description ### SOLAPUR ###
 ip address 10.50.192.58 255.255.255.252
 ip ospf message-digest-key 1 md5 7 000A1612075A1B
!
interface Serial1/0:25
 description ### ICHALKARANCHI ###
 bandwidth 64
 ip address 10.50.192.54 255.255.255.252
 down-when-looped
!
interface Serial1/0:26
 description $$$ Free $$$
 bandwidth 64
 no ip address
 down-when-looped
!
interface Serial1/0:27
 description $$$ Free $$$
 bandwidth 64
 no ip address
 down-when-looped
!
interface Serial1/0:28
 description $$$ Free $$$
 bandwidth 64
 no ip address
 down-when-looped
!
interface Serial1/0:29
 description $$$ Free $$$
 bandwidth 64
 no ip address
 down-when-looped
!
interface Serial1/0:30
 description $$$ Free $$$
 bandwidth 64
 no ip address
 down-when-looped
!
interface Serial1/1:15
 description ### ISDN PRI ### No - 022 - 24388500
 no ip address
 encapsulation ppp
 dialer rotary-group 1
 dialer-group 1
 isdn switch-type primary-net5
 no cdp enable
 ppp authentication chap
!
interface Serial2/0
 description ### Mumbai Fort 2 Mbps ###
 bandwidth 2048
 ip address 10.50.192.6 255.255.255.252
 max-reserved-bandwidth 95
 no ip route-cache cef
 ip ospf message-digest-key 1 md5 7 10400C0D061602
 no ip mroute-cache
 down-when-looped
 serial restart-delay 0
!
interface Serial2/1
 description ### Mumbai MPLS Pop ###
 bandwidth 256
 ip address 192.168.65.113 255.255.255.252
 encapsulation ppp
 ip ospf authentication null
 ip ospf cost 80
 shutdown
 down-when-looped
 serial restart-delay 0
!
interface Serial2/2
 description ### Nerul ###
 bandwidth 64
 ip address 10.55.48.10 255.255.255.252
 ip ospf message-digest-key 1 md5 7 130B1206080D14
 down-when-looped
 serial restart-delay 0
!
interface Serial2/3
 description ### Chennai DC R2 2 Mbps ###
 bandwidth 2048
 ip address 10.50.4.137 255.255.255.252
 max-reserved-bandwidth 95
 no ip route-cache cef
 ip ospf message-digest-key 1 md5 7 082F495A0A1815
 no ip mroute-cache
 down-when-looped
 serial restart-delay 0
!
interface Serial4/0
 description ###Nasik###
 bandwidth 64
 ip address 10.55.48.14 255.255.255.252
 no ip route-cache cef
 ip ospf message-digest-key 1 md5 7 10400C0D061602
 no ip mroute-cache
 down-when-looped
 serial restart-delay 0
!
interface Serial4/1
 description ### Mumbai Fort 2 Mbps ###
 bandwidth 2048
 ip address 10.50.192.6 255.255.255.252
 no ip route-cache cef
 ip ospf message-digest-key 1 md5 7 082F495A0A1815
 no ip mroute-cache
 down-when-looped
 serial restart-delay 0
!
interface Serial4/2
 no ip address
 shutdown
!
interface Serial4/3
 no ip address
 shutdown
!
interface Serial4/4
 description ###Nagpur###
 bandwidth 64
 ip address 10.50.192.14 255.255.255.252
 ip ospf message-digest-key 1 md5 7 0208014F08071F
 down-when-looped
!
interface Serial4/5
 no ip address
 shutdown
!
interface Serial4/6
 no ip address
 shutdown
!
interface Serial4/7
 no ip address
 shutdown
!
interface Dialer1
 ip address 10.50.231.1 255.255.255.0
 encapsulation ppp
 no ip route-cache
 ip ospf network point-to-multipoint
 no ip mroute-cache
 dialer in-band
 dialer idle-timeout 180
 dialer map ip 10.50.231.30 name _AHMEDABAD broadcast
 dialer map ip 10.50.29.1 name _DATACENTER_R1 broadcast
 dialer map ip 10.50.231.3 name _MUMBAIFORT broadcast
 dialer map ip 10.50.231.4 name _PUNE broadcast
 dialer map ip 10.50.231.5 name _NAGPUR broadcast
 dialer map ip 10.50.231.7 name _ANDHERI broadcast
 dialer map ip 10.50.231.9 name _VASHI broadcast
 dialer map ip 10.50.231.11 name _BORIVILLE broadcast
 dialer map ip 10.50.231.15 name _DATACENTER_R2 broadcast
 dialer map ip 10.50.231.16 name _VASHIEC broadcast
 dialer map ip 10.50.231.19 name _THANE broadcast
 dialer map ip 10.50.231.21 name _NERUL broadcast
 dialer map ip 10.50.231.22 name _NASIK broadcast
 dialer map ip 10.50.231.23 name _MULUND broadcast
 dialer map ip 10.50.231.24 name _CHEMBUR broadcast
 dialer map ip 10.50.231.25 name _AHMEDNAGAR broadcast
 dialer-group 1
 ppp authentication chap
!
router ospf 100
 log-adjacency-changes
 area 0 authentication message-digest
 area 8 authentication message-digest
 area 8 stub no-summary
 network 10.50.3.13 0.0.0.0 area 8
 network 10.50.4.0 0.0.0.255 area 0
 network 10.50.192.0 0.0.0.255 area 8
 network 10.50.193.0 0.0.0.255 area 8
 network 10.50.231.0 0.0.0.255 area 8
 network 10.51.193.0 0.0.0.255 area 8
 network 10.55.48.0 0.0.0.255 area 8
 network 192.168.65.112 0.0.0.3 area 0
!
ip classless
ip tacacs source-interface Loopback1
no ip http server
ip http authentication local
!
access-list 102 deny ospf any any
access-list 102 permit ip any 10.50.194.0 0.0.0.255
access-list 102 permit ip any host 10.50.203.194
access-list 102 permit ip any host 10.50.231.2
access-list 102 permit icmp any 10.50.194.0 0.0.0.255
access-list 102 permit icmp any host 10.50.203.194
access-list 102 permit icmp any host 10.50.231.2
access-list 103 deny ospf any any
access-list 103 permit ip any 10.50.195.0 0.0.0.255
access-list 103 permit ip any host 10.50.203.195
access-list 103 permit ip any host 10.50.231.3
access-list 103 permit icmp any 10.50.195.0 0.0.0.255
access-list 103 permit icmp any host 10.50.203.195
access-list 103 permit icmp any host 10.50.231.3
access-list 104 deny ospf any any
access-list 104 permit ip any 10.50.196.0 0.0.0.255
access-list 104 permit ip any host 10.50.203.196
access-list 104 permit icmp any 10.50.196.0 0.0.0.255
access-list 104 permit icmp any host 10.50.203.196
access-list 104 permit ip any host 10.50.231.4
access-list 104 permit icmp any host 10.50.231.4
access-list 105 deny ospf any any
access-list 105 permit ip any 10.50.197.0 0.0.0.255
access-list 105 permit ip any host 10.50.203.197
access-list 105 permit ip any host 10.50.231.5
access-list 105 permit icmp any 10.50.197.0 0.0.0.255
access-list 105 permit icmp any host 10.50.203.197
access-list 105 permit icmp any host 10.50.231.5
access-list 106 deny ospf any any
access-list 106 permit ip any 10.50.198.0 0.0.0.255
access-list 106 permit ip any host 10.50.203.198
access-list 106 permit ip any host 10.50.231.6
access-list 106 permit icmp any 10.50.198.0 0.0.0.255
access-list 106 permit icmp any host 10.50.203.198
access-list 106 permit icmp any host 10.50.231.6
access-list 107 deny ospf any any
access-list 107 permit ip any 10.50.199.0 0.0.0.255
access-list 107 permit ip any host 10.50.203.199
access-list 107 permit ip any host 10.50.231.7
access-list 107 permit icmp any 10.50.199.0 0.0.0.255
access-list 107 permit icmp any host 10.50.203.199
access-list 107 permit icmp any host 10.50.231.7
access-list 108 deny ospf any any
access-list 108 permit ip any 10.50.200.0 0.0.0.255
access-list 108 permit ip any host 10.50.203.200
access-list 108 permit icmp any 10.50.200.0 0.0.0.255
access-list 108 permit icmp any host 10.50.203.200
access-list 108 permit ip any host 10.50.231.8
access-list 108 permit icmp any host 10.50.231.8
access-list 109 deny ospf any any
access-list 109 permit ip any 10.50.201.0 0.0.0.255
access-list 109 permit ip any host 10.50.203.201
access-list 109 permit ip any host 10.50.231.9
access-list 109 permit icmp any 10.50.201.0 0.0.0.255
access-list 109 permit icmp any host 10.50.203.201
access-list 109 permit icmp any host 10.50.231.9
access-list 110 deny ospf any any
access-list 110 permit ip any 10.50.202.0 0.0.0.255
access-list 110 permit ip any host 10.50.203.202
access-list 110 permit ip any host 10.50.231.10
access-list 110 permit icmp any 10.50.202.0 0.0.0.255
access-list 110 permit icmp any host 10.50.203.202
access-list 110 permit icmp any host 10.50.231.10
access-list 111 deny ospf any any
access-list 111 permit ip any 10.50.204.0 0.0.0.255
access-list 111 permit ip any host 10.50.203.203
access-list 111 permit ip any host 10.50.231.11
access-list 111 permit icmp any 10.50.204.0 0.0.0.255
access-list 111 permit icmp any host 10.50.203.203
access-list 111 permit icmp any host 10.50.231.11
access-list 116 deny ospf any any
access-list 116 permit ip any 10.50.205.0 0.0.0.255
access-list 116 permit ip any host 10.50.203.205
access-list 116 permit ip any host 10.50.231.16
access-list 116 permit icmp any 10.50.205.0 0.0.0.255
access-list 116 permit icmp any host 10.50.203.205
access-list 116 permit icmp any host 10.50.231.16
access-list 118 deny ospf any any
access-list 118 permit ip any 10.50.207.0 0.0.0.255
access-list 118 permit ip any host 10.50.203.207
access-list 118 permit ip any host 10.50.231.18
access-list 118 permit icmp any 10.50.207.0 0.0.0.255
access-list 118 permit icmp any host 10.50.203.207
access-list 118 permit icmp any host 10.50.231.18
access-list 119 deny ospf any any
access-list 119 permit ip any 10.50.245.0 0.0.0.255
access-list 119 permit ip any host 10.50.203.208
access-list 119 permit ip any host 10.50.231.19
access-list 119 permit icmp any 10.50.245.0 0.0.0.255
access-list 119 permit icmp any host 10.50.203.208
access-list 119 permit icmp any host 10.50.231.19
access-list 120 deny ospf any any
access-list 120 permit ip any 10.55.49.0 0.0.0.255
access-list 120 permit ip any host 10.55.63.80
access-list 120 permit ip any host 10.50.231.20
access-list 120 permit icmp any 10.55.49.0 0.0.0.255
access-list 120 permit icmp any host 10.55.63.80
access-list 120 permit icmp any host 10.50.231.20
access-list 181 deny ospf any any
access-list 181 permit ip any 10.50.0.0 0.0.255.255
access-list 181 permit icmp any any
access-list 182 deny ospf any any
access-list 182 permit ip any 10.50.0.0 0.0.255.255
access-list 182 permit ip any 10.55.0.0 0.0.255.255
access-list 182 permit icmp any any
access-list 197 deny udp any any eq netbios-ns
access-list 197 deny udp any any eq netbios-dgm
access-list 197 permit ip host 10.50.193.156 host 203.199.39.30
access-list 197 permit ip 10.50.0.0 0.0.255.255 10.51.0.0 0.0.255.255
access-list 197 permit ip 10.50.0.0 0.0.255.255 10.50.0.0 0.0.255.255
access-list 197 permit ip 10.50.0.0 0.0.255.255 10.52.0.0 0.0.255.255
access-list 197 permit ip 10.50.0.0 0.0.255.255 10.94.0.0 0.0.255.255
access-list 197 permit ip 10.50.0.0 0.0.255.255 10.1.0.0 0.0.0.255
access-list 197 permit ip 10.50.0.0 0.0.255.255 10.53.0.0 0.0.255.255
access-list 197 permit ip 10.50.0.0 0.0.255.255 10.55.0.0 0.0.255.255
access-list 197 permit ip 10.50.0.0 0.0.255.255 10.30.0.0 0.0.255.255
access-list 197 permit ip 10.50.0.0 0.0.255.255 10.5.0.0 0.0.255.255
access-list 197 permit ip 10.50.0.0 0.0.255.255 10.44.130.0 0.0.0.255
access-list 197 permit ip 10.50.0.0 0.0.255.255 10.88.0.0 0.0.255.255
access-list 197 permit ip 10.51.0.0 0.0.255.255 10.88.0.0 0.0.255.255
access-list 197 permit ip 10.55.0.0 0.0.255.255 10.88.0.0 0.0.255.255
access-list 198 deny udp any any eq netbios-ns
access-list 198 deny udp any any eq netbios-dgm
access-list 198 deny tcp any any eq 445
access-list 198 deny udp any any eq 445
access-list 198 permit ip 10.50.0.0 0.0.255.255 10.50.0.0 0.0.255.255
access-list 198 permit ip 10.50.0.0 0.0.255.255 10.1.0.0 0.0.255.255
access-list 198 permit ip 10.50.0.0 0.0.255.255 10.51.0.0 0.0.255.255
access-list 198 permit ip 10.50.0.0 0.0.255.255 10.94.0.0 0.0.255.255
access-list 198 permit ip 10.50.0.0 0.0.255.255 10.55.0.0 0.0.255.255
access-list 198 permit ip 10.50.0.0 0.0.255.255 10.52.0.0 0.0.255.255
access-list 198 permit ip 10.50.0.0 0.0.255.255 10.30.0.0 0.0.255.255
access-list 198 permit ip 10.50.0.0 0.0.255.255 10.5.0.0 0.0.255.255
access-list 198 permit ip 10.50.0.0 0.0.255.255 10.44.130.0 0.0.0.255
access-list 198 permit ip 10.50.0.0 0.0.255.255 10.88.0.0 0.0.255.255
access-list 198 permit ip 10.51.0.0 0.0.255.255 10.50.0.0 0.0.255.255
access-list 198 permit ip 10.51.0.0 0.0.255.255 10.1.0.0 0.0.255.255
access-list 198 permit ip 10.51.0.0 0.0.255.255 10.51.0.0 0.0.255.255
access-list 198 permit ip 10.51.0.0 0.0.255.255 10.94.0.0 0.0.255.255
access-list 198 permit ip 10.51.0.0 0.0.255.255 10.55.0.0 0.0.255.255
access-list 198 permit ip 10.51.0.0 0.0.255.255 10.52.0.0 0.0.255.255
access-list 198 permit ip 10.51.0.0 0.0.255.255 10.30.0.0 0.0.255.255
access-list 198 permit ip 10.51.0.0 0.0.255.255 10.5.0.0 0.0.255.255
access-list 198 permit ip 10.51.0.0 0.0.255.255 10.44.130.0 0.0.0.255
access-list 198 permit ip 10.51.0.0 0.0.255.255 10.88.0.0 0.0.255.255
access-list 198 permit ip 10.55.0.0 0.0.255.255 10.50.0.0 0.0.255.255
access-list 198 permit ip 10.55.0.0 0.0.255.255 10.1.0.0 0.0.255.255
access-list 198 permit ip 10.55.0.0 0.0.255.255 10.51.0.0 0.0.255.255
access-list 198 permit ip 10.55.0.0 0.0.255.255 10.94.0.0 0.0.255.255
access-list 198 permit ip 10.55.0.0 0.0.255.255 10.55.0.0 0.0.255.255
access-list 198 permit ip 10.55.0.0 0.0.255.255 10.52.0.0 0.0.255.255
access-list 198 permit ip 10.55.0.0 0.0.255.255 10.30.0.0 0.0.255.255
access-list 198 permit ip 10.55.0.0 0.0.255.255 10.5.0.0 0.0.255.255
access-list 198 permit ip 10.55.0.0 0.0.255.255 10.44.130.0 0.0.0.255
access-list 198 permit ip 10.55.0.0 0.0.255.255 10.88.0.0 0.0.255.255
dialer-list 1 protocol ip permit
!
snmp-server community cisman RO
snmp-server ifindex persist
snmp-server enable traps tty
tacacs-server host 151.200.10.130
tacacs-server directed-request
tacacs-server key 7 04501D045E73
!
dial-peer cor custom
!
!
rtr 10853
 type echo protocol ipIcmpEcho 10.50.203.199 source-ipaddr 10.50.3.13
 tag Andheri
 frequency 300
rtr schedule 10853 life forever start-time now
rtr 10906
 type echo protocol ipIcmpEcho 10.50.3.14 source-ipaddr 10.50.3.13
 tag Bangalore DO
 frequency 300
rtr schedule 10906 life forever start-time now
rtr 10907
 type echo protocol ipIcmpEcho 10.50.3.12 source-ipaddr 10.50.3.13
 tag Delhi
 frequency 300
rtr schedule 10907 life forever start-time now
rtr 10908
 type echo protocol ipIcmpEcho 10.50.203.201 source-ipaddr 10.50.3.13
 tag Vashi
 frequency 300
rtr schedule 10908 life forever start-time now
rtr 10921
 type echo protocol ipIcmpEcho 10.50.203.195 source-ipaddr 10.50.3.13
 tag MumbaiFort
 frequency 300
rtr schedule 10921 life forever start-time now
rtr 10924
 type echo protocol ipIcmpEcho 10.50.203.196 source-ipaddr 10.50.3.13
 tag Pune
 frequency 300
rtr schedule 10924 life forever start-time now
rtr 10967
 type echo protocol ipIcmpEcho 10.50.203.194 source-ipaddr 10.50.3.13
 tag Ahemdabad
 frequency 600
rtr schedule 10967 life forever start-time now
rtr 10983
 type echo protocol ipIcmpEcho 10.50.203.203 source-ipaddr 10.50.3.13
 tag Boriville
 frequency 600
rtr schedule 10983 life forever start-time now
rtr 13360
 type echo protocol ipIcmpEcho 10.50.203.205 source-ipaddr 10.50.3.13
 tag vashiEC
 frequency 600
rtr schedule 13360 life forever start-time now
rtr 13395
 type echo protocol ipIcmpEcho 10.50.203.208 source-ipaddr 10.50.3.13
 tag _Thane
 frequency 600
rtr schedule 13395 life forever start-time now
rtr 37611
 type echo protocol ipIcmpEcho 10.55.63.50 source-ipaddr 10.50.3.13
 tag Nerul
 frequency 600
rtr schedule 37611 life forever start-time now
rtr 37620
 type echo protocol ipIcmpEcho 192.168.65.114 source-ipaddr 192.168.65.113
 tag Mumbai MPLS 256K
 frequency 600
rtr schedule 37620 life forever start-time now
rtr 37630
 type echo protocol ipIcmpEcho 10.55.63.53 source-ipaddr 10.50.3.13
 tag Chembur
 frequency 600
rtr schedule 37630 life forever start-time now
rtr 37631
 type echo protocol ipIcmpEcho 10.55.63.52 source-ipaddr 10.50.3.13
 tag Mulund
 frequency 600
rtr schedule 37631 life forever start-time now
rtr 37649
 type echo protocol ipIcmpEcho 10.55.63.51 source-ipaddr 10.50.3.13
 tag Nasik
 frequency 600
rtr schedule 37649 life forever start-time now
rtr 37662
 type echo protocol ipIcmpEcho 10.55.63.54 source-ipaddr 10.50.3.13
 tag Ahmed_Nagar
 frequency 300
rtr schedule 37662 life forever start-time now
rtr 37691
 type echo protocol ipIcmpEcho 10.50.203.197 source-ipaddr 10.50.3.13
 tag Nagpur
 frequency 300
rtr schedule 37691 life forever start-time now
rtr 37695
 type echo protocol ipIcmpEcho 10.55.191.172 source-ipaddr 10.50.3.13
 tag Aurangabad
 frequency 300
rtr schedule 37695 life forever start-time now
banner motd ^C
***************************************************************************
WELCOME TO MUMBAI DIVISIONAL OFFICE ROUTER
IF YOU ARE NOT AN AUTHORISED PERSON TO LOGON
PLEASE LOGOUT
***************************************************************************
^C
privilege exec level 7 show interfaces
privilege exec level 7 show isdn ac
privilege exec level 7 clear counter
privilege exec level 7 sh config
privilege exec level 7 sh int
privilege exec level 7 sh isdn act
privilege exec level 7 clear cou
privilege exec level 7 sh isdn status
privilege exec level 7 ping
privilege exec level 7 ter mon
privilege exec level 7 undebug all
privilege exec level 7 send
!
line con 0
 exec-timeout 3 0
 password 7 10451F1B0B1606
 logging synchronous
line aux 0
 exec-timeout 3 0
 password 7 130E0110050D10
line vty 0 4
 exec-timeout 60 0
 password 7 1511021F0725
!
ntp broadcastdelay 4000
ntp clock-period 17179976
ntp source Loopback1
ntp master 13
ntp server 10.50.5.100
end
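
The running configuration above protects branch traffic with a transform set named _DES, authenticates OSPF with `message-digest-key ... md5 7 ...` keys, stores the console, AUX and VTY passwords and the TACACS key as `7` strings (Cisco type 7, the reversible encoding that `service password-encryption` applies; it hides a secret from a glance at the screen but is not a hash), exposes an SNMP community with no access list, leaves the VTY lines without `transport input ssh`, and sets `ip ospf authentication null` on Serial2/1. The Python script below is an added example, not part of the original report: it splits an IOS configuration into stanzas and flags exactly those settings. SAMPLE_CONFIG is a constructed excerpt modelled on the Mumbai DO router; its `crypto isakmp policy` and `crypto ipsec transform-set` lines are assumptions, since the real definitions are not shown on this page, and every hash and type 7 string in it is made up.

```python
"""Hardening audit over a Cisco IOS configuration excerpt.

Added example, not part of the original report. SAMPLE_CONFIG is a constructed
excerpt modelled on the Mumbai DO router; the isakmp policy and transform-set
lines are assumptions (the real definitions are not on this page) and every
hash or type 7 string in it is made up.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$abcd$0123456789abcdefghijklm
username netops password 7 0000DEADBEEF
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto ipsec transform-set _DES esp-des esp-md5-hmac
!
interface Serial2/0
 ip ospf message-digest-key 1 md5 7 1111CAFEBABE
!
interface Serial2/1
 ip ospf authentication null
!
snmp-server community cisman RO
ip http server
!
line vty 0 4
 exec-timeout 60 0
 password 7 2222FEEDFACE
"""


@dataclass
class Finding:
    rule: str
    context: str   # enclosing stanza header, or "(global)"
    line: str


# Transform-set algorithms and ISAKMP parameters a current review rejects.
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}
WEAK_ISAKMP = {("encr", "des"), ("encr", "3des"), ("hash", "md5"),
               ("group", "1"), ("group", "2")}
# "<keyword> 7 <hex>" is a type 7 credential: a reversible encoding that
# service password-encryption applies, not a hash.
TYPE7 = re.compile(r"\b(?:password|key|md5) 7 [0-9A-Fa-f]+\b")


def parse_stanzas(config: str) -> List[Tuple[str, List[str]]]:
    """Split IOS config text into (header, indented children); '!' and blank lines are dropped."""
    stanzas: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and stanzas:
            stanzas[-1][1].append(raw.strip())
        else:
            stanzas.append((raw.strip(), []))
    return stanzas


def audit(config: str) -> List[Finding]:
    findings: List[Finding] = []
    for header, body in parse_stanzas(config):
        for line in [header] + body:
            ctx = "(global)" if line == header else header
            if TYPE7.search(line):
                findings.append(Finding("type7-reversible", ctx, line))
            if line.startswith("enable secret 5 "):
                findings.append(Finding("enable-secret-md5", ctx, line))
            if line == "ip http server":
                findings.append(Finding("http-server-enabled", ctx, line))
            if line == "ip ospf authentication null":
                findings.append(Finding("ospf-auth-disabled", ctx, line))
            # A community followed by nothing, or only RO/RW, has no ACL limiting managers.
            if re.fullmatch(r"snmp-server community \S+(?: R[OW])?", line):
                findings.append(Finding("snmp-community-no-acl", ctx, line))
            if line.startswith("crypto ipsec transform-set "):
                weak = sorted(set(line.split()[4:]) & WEAK_TRANSFORMS)
                if weak:
                    findings.append(Finding("transform-set-weak", ctx, f"{line}  # weak: {', '.join(weak)}"))
        if header.startswith("crypto isakmp policy"):
            pairs = {tuple(child.split()[:2]) for child in body}
            for pair in sorted(pairs & WEAK_ISAKMP):
                findings.append(Finding("isakmp-weak-parameter", header, " ".join(pair)))
            # Parameters left unset take the IOS defaults: DES encryption and DH group 1.
            if not any(child.startswith("encr") for child in body):
                findings.append(Finding("isakmp-default-des", header, "(no encr line)"))
            if not any(child.startswith("group") for child in body):
                findings.append(Finding("isakmp-default-group1", header, "(no group line)"))
        if header.startswith("line vty") and "transport input ssh" not in body:
            findings.append(Finding("vty-telnet-allowed", header, "(no transport input ssh)"))
    return findings


def summary(findings: List[Finding]) -> Dict[str, int]:
    """Finding counts per rule, for a report or a test assertion."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f.rule:24} {f.context:28} {f.line}")
```

Run against a real `show running-config` the script reports one line per weak setting with the stanza it sits in; the ISAKMP defaults check matters because a policy that omits `encr` and `group` negotiates DES and 768-bit Diffie-Hellman without any visible line saying so.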

MUMBAIDO#sh ip os ne

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.50.3.16        1   FULL/  -        00:00:39    10.50.4.138     Serial2/3
10.88.35.100      1   FULL/  -        00:00:36    10.50.192.57    Serial1/0:24
10.88.27.100      1   FULL/  -        00:00:36    10.50.192.53    Serial1/0:25
10.50.203.195     1   FULL/  -        00:00:33    10.50.192.5     Serial2/0
10.50.203.199     1   FULL/  -        00:00:34    10.50.192.21    Serial1/0:19
10.55.63.51       1   FULL/  -        00:00:38    10.55.48.13     Serial4/0
10.55.63.50       1   FULL/  -        00:00:31    10.55.48.9      Serial2/2
10.55.63.52       1   FULL/  -        00:00:33    10.55.48.17     Serial1/0:17
10.55.63.53       1   FULL/  -        00:00:31    10.55.48.21     Serial1/0:12
10.50.203.197     1   FULL/  -        00:00:31    10.50.192.13    Serial4/4
10.50.203.201     1   FULL/  -        00:00:33    10.50.192.29    Serial1/0:22
10.50.203.208     1   FULL/  -        00:00:33    10.50.192.49    Serial1/0:20
10.55.63.54       1   FULL/  -        00:00:30    10.50.192.41    Serial1/0:18
10.50.203.205     1   FULL/  -        00:00:35    10.50.192.45    Serial1/0:15
10.50.203.203     1   FULL/  -        00:00:36    10.50.192.37    Serial1/0:13
10.50.203.196     1   FULL/  -        00:00:30    10.50.192.9     Serial1/0:3
10.50.203.198     1   FULL/  -        00:00:31    10.50.192.17    Serial1/0:1

MUMBAIDO# sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.50.4.138 to network 0.0.0.0

     200.3.2.0/30 is subnetted, 1 subnets
O       200.3.2.0 [110/500] via 10.50.4.138, 00:00:07, Serial2/3
     172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
O E2    172.16.80.204/30 [110/2000] via 10.50.4.138, 00:00:07, Serial2/3
O       172.16.7.129/32 [110/51] via 10.50.4.138, 00:00:07, Serial2/3
O E2    172.16.80.208/30 [110/2000] via 10.50.4.138, 00:00:07, Serial2/3
O E2    172.16.131.132/30 [110/2000] via 10.50.4.138, 00:00:07, Serial2/3
     172.19.0.0/30 is subnetted, 1 subnets
O E2    172.19.7.40 [110/2000] via 10.50.4.138, 00:00:07, Serial2/3
     172.28.0.0/32 is subnetted, 1 subnets
O E1    172.28.64.115 [110/69] via 10.50.4.138, 00:00:07, Serial2/3
     192.168.199.0/30 is subnetted, 2 subnets
O E2    192.168.199.88 [110/2000] via 10.50.4.138, 00:00:07, Serial2/3
O E2    192.168.199.84 [110/2000] via 10.50.4.138, 00:00:08, Serial2/3
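
Access lists 102 to 120, 181 and 182 in the Mumbai DO configuration are referenced by the `match address` lines of the crypto maps, while 197 and 198 are applied with `ip access-group 198 in` on the FastEthernet interfaces. Cisco numbered extended ACLs use wildcard masks (a set bit means "do not compare this bit"), are evaluated top down with the first match winning, and end in an implicit deny. In a crypto map list the verdict selects protection rather than forwarding: permit means encrypt, deny means forward in the clear, so `deny ospf any any` at the head of each list keeps OSPF out of the tunnel, and any traffic that matches no permit line is likewise sent unencrypted. The Python below is an added example, not part of the original report; it implements that evaluation, and SAMPLE_ACLS is a constructed excerpt of lists 102 and 198 rather than the full lists.

```python
"""Evaluate Cisco IOS numbered extended ACLs the way the router does.

Added example, not part of the original report. SAMPLE_ACLS is a constructed
excerpt of access-lists 102 (a crypto-map 'match address' list) and 198 (the
inbound interface list) from the Mumbai DO configuration, not the full lists.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE_ACLS = """\
access-list 102 deny ospf any any
access-list 102 permit ip any 10.50.194.0 0.0.0.255
access-list 102 permit ip any host 10.50.203.194
access-list 102 permit icmp any host 10.50.231.2
access-list 198 deny udp any any eq netbios-ns
access-list 198 deny tcp any any eq 445
access-list 198 permit ip 10.50.0.0 0.0.255.255 10.50.0.0 0.0.255.255
access-list 198 permit ip 10.51.0.0 0.0.255.255 10.50.0.0 0.0.255.255
"""

# IOS port keywords that appear in the lists.
PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138}
ANY = (0, 0xFFFFFFFF)  # 0.0.0.0 with an all-ones wildcard: every address matches


@dataclass
class Ace:
    acl: int
    action: str                # "permit" or "deny"
    proto: str                 # ip, tcp, udp, icmp, ospf, ...
    src: Tuple[int, int]       # (address, wildcard) as 32-bit integers
    dst: Tuple[int, int]
    dport: Optional[int]       # set only when the entry carries "eq <port>"
    text: str                  # original line, for reporting


def _addr(tokens: List[str]) -> Tuple[int, int]:
    """Consume one address spec (any | host A | A WILDCARD) from the front of tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))


def parse_acls(text: str) -> Dict[int, List[Ace]]:
    """Group 'access-list N <action> <proto> <src> <dst> [eq <port>]' lines by number, in order."""
    acls: Dict[int, List[Ace]] = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        number, action, proto, rest = int(tokens[1]), tokens[2], tokens[3], tokens[4:]
        src, dst = _addr(rest), _addr(rest)
        dport = None
        if len(rest) >= 2 and rest[0] == "eq":
            dport = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
        acls.setdefault(number, []).append(Ace(number, action, proto, src, dst, dport, line))
    return acls


def _covers(addr: int, spec: Tuple[int, int]) -> bool:
    """Wildcard-mask test: a 1 bit in the wildcard means that bit is not compared."""
    net, wild = spec
    return ((addr ^ net) & ~wild & 0xFFFFFFFF) == 0


def evaluate(acls, number, proto, src, dst, dport=None) -> Tuple[str, str]:
    """First matching entry wins; a list that matches nothing ends in an implicit deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for ace in acls.get(number, []):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (_covers(s, ace.src) and _covers(d, ace.dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace.text
    return "deny", "implicit deny at end of list"


def crypto_disposition(acls, number, proto, src, dst, dport=None) -> str:
    """For a crypto map 'match address' list the verdict selects protection, not forwarding:
    permit means encrypt with IPsec, deny (explicit or implicit) means send in the clear."""
    action, _ = evaluate(acls, number, proto, src, dst, dport)
    return "ipsec" if action == "permit" else "cleartext"


if __name__ == "__main__":
    acls = parse_acls(SAMPLE_ACLS)
    print(evaluate(acls, 198, "tcp", "10.50.193.10", "10.50.5.20", 445))
    print(crypto_disposition(acls, 102, "ospf", "10.50.231.1", "224.0.0.5"))
```

The same evaluator answers the question a reviewer of list 198 would ask first: the `deny tcp any any eq 445` line blocks SMB between any two 10.50.0.0/16 hosts even though a later line permits all IP between them, because the first match decides. For list 102 it shows the flip side of the `deny ospf` entry: a branch subnet that nobody added to the list is reachable but crosses the WAN in cleartext.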

Core Switch

DC-MUM-WAN-3560-1#sh run
Building configuration...

Current configuration : 8578 bytes
!
! Last configuration change at 17:20:42 IST Thu Mar 11 2010 by alok
! NVRAM config last updated at 17:20:48 IST Thu Mar 11 2010 by alok
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname DC-MUM-WAN-3560-1
!
no logging console
enable secret 5 $1$DOUi$e2bB50Ss757Dvbx9vpHhW0
!
username cisco password 7 110A1016141D
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
!
aaa session-id common
clock timezone IST 5 30
ip subnet-zero
ip routing
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface Loopback0
 ip address 172.16.255.3 255.255.255.255
!
interface GigabitEthernet0/1
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/2
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!
interface GigabitEthernet0/5
!
interface GigabitEthernet0/6
!
interface GigabitEthernet0/7
!
interface GigabitEthernet0/8
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface GigabitEthernet0/11
!
interface GigabitEthernet0/12
!
interface GigabitEthernet0/13
 spanning-tree portfast
!
interface GigabitEthernet0/14
 spanning-tree portfast
!
interface GigabitEthernet0/15
!
interface GigabitEthernet0/16
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet0/17
!
interface GigabitEthernet0/18
!
interface GigabitEthernet0/19
!
interface GigabitEthernet0/20
!
interface GigabitEthernet0/21
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet0/22
!
interface GigabitEthernet0/23
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet0/24
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet0/25
!
interface GigabitEthernet0/26
!
interface GigabitEthernet0/27
!
interface GigabitEthernet0/28
!
interface Vlan1
 no ip address
!
interface Vlan10
 description *****UPLINK TO R1
 ip address 172.16.0.49 255.255.255.248
 ip ospf priority 10
!
interface Vlan20
 description *****UPLINK TO FW_ZONE*****
 ip address 172.16.0.11 255.255.255.248
!
router ospf 1
 log-adjacency-changes
 redistribute static subnets
 redistribute bgp 65056 subnets
 network 172.16.0.8 0.0.0.7 area 0
 network 172.16.0.49 0.0.0.0 area 0
 network 172.16.255.3 0.0.0.0 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.0.9 name INTERNET-ZONE
ip route 20.20.20.0 255.255.255.0 172.16.0.9
ip route 124.124.5.249 255.255.255.255 172.16.0.9
ip route 124.124.6.57 255.255.255.255 172.16.0.9
ip route 172.16.0.24 255.255.255.248 172.16.0.9 name MGMT-L3-SW
ip route 172.16.0.32 255.255.255.248 172.16.0.9 name WEB-L3-SW
ip route 172.16.1.0 255.255.255.0 172.16.0.9 name MANAGEMENT-ZONE
ip route 172.16.2.0 255.255.255.0 172.16.0.9 name INFRA-ZONE
ip route 172.16.3.0 255.255.255.0 172.16.0.9 name PUBLIC-ZONE
ip route 172.16.4.0 255.255.255.0 172.16.0.9 name WEB-ZONE
ip route 172.16.5.0 255.255.255.0 172.16.0.9 name APPLICATION-ZONE
ip route 172.16.6.0 255.255.255.0 172.16.0.9 name DATABASE-ZONE
ip route 172.16.8.0 255.255.255.0 172.16.0.9 name UAT
Umesh joshi Enroll. No. 052604989210

Page 151: INTRODUCTION - Techshristi · Web viewTo multiplex VLAN traffic, special protocols exist that encapsulate or tag (mark) the frames so that the receiving device knows to which VLAN

Banking Network Design

ip route 192.168.72.11 255.255.255.255 172.16.0.9ip route 192.168.72.12 255.255.255.255 172.16.0.9ip http serverip http secure-server!ip tacacs source-interface Vlan10!logging 172.16.41.14snmp-server community 3ncrypt10n ROsnmp-server ifindex persistsnmp-server enable traps snmp authentication linkdown linkup coldstart warmstartsnmp-server enable traps ttysnmp-server enable traps clustersnmp-server enable traps fru-ctrlsnmp-server enable traps entitysnmp-server enable traps cpu thresholdsnmp-server enable traps vtpsnmp-server enable traps vlancreatesnmp-server enable traps vlandeletesnmp-server enable traps flash insertion removalsnmp-server enable traps port-securitysnmp-server enable traps envmonsnmp-server enable traps mac-notificationsnmp-server enable traps bgpsnmp-server enable traps copy-configsnmp-server enable traps configsnmp-server enable traps hsrpsnmp-server enable traps ipmulticastsnmp-server enable traps msdpsnmp-server enable traps ospf state-changesnmp-server enable traps ospf errorssnmp-server enable traps ospf retransmitsnmp-server enable traps ospf lsasnmp-server enable traps ospf cisco-specific state-changesnmp-server enable traps ospf cisco-specific errorssnmp-server enable traps ospf cisco-specific retransmitsnmp-server enable traps ospf cisco-specific lsasnmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-messa

Umesh joshi Enroll. No. 052604989211

Page 152: INTRODUCTION - Techshristi · Web viewTo multiplex VLAN traffic, special protocols exist that encapsulate or tag (mark) the frames so that the receiving device knows to which VLAN

Banking Network Design

gesnmp-server enable traps rtrsnmp-server enable traps bridge newroot topologychangesnmp-server enable traps stpx inconsistency root-inconsistency loop-inconsistencysnmp-server enable traps syslogsnmp-server enable traps vlan-membershipsnmp-server host 151.200.10.129CISCOtacacs-server host 172.16.2.25 key 7 04685B0B1F71786E0A392653395815tacacs-server directed-requestradius-server source-ports 1645-1646!control-plane!banner exec ^CC**************************************************************************************************************************                         W  A  R  N  I  N  G*************************************************************

This system and all  its components (including virtual components) is  theproperty of Universal Sompo General Insurance(CISCO) and is intended solelyfor the usage of employees and  authorised clients of CISCOin  accordancewith its policies and guidelines  which  may in  force from  time to time.Unauthorised access / use of this system may attract legal actions,criminaland / or civil charges.1. This system is monitored in accordance withCISCOSecurity policy.2. By using or accessing this system ,you hereby expressly consent to  (a) Be  bound  by all policies and regulations ofCISCOthen in existence      concerning the use and/or access of this system; and  (b) Abide by all directions given byCISCOconcerning the use and/or access      of this system; and  (c)CISCOor its agents or representatives may monitor your activitieswhileyou are using or accessing this  system ( including any data that is      transmitted by you) and this will not violate your privacy rights and;  (d) Be liable for any loss, damages or expenses that may be caused to or      suffered byCISCOdue to your use and/or access of this system and you

Umesh joshi Enroll. No. 052604989212

Page 153: INTRODUCTION - Techshristi · Web viewTo multiplex VLAN traffic, special protocols exist that encapsulate or tag (mark) the frames so that the receiving device knows to which VLAN

Banking Network Design

      agree to indemnifyCISCOagainst all such losses, damages or expenses      that may be occur due to your use and/or access of this system.3. In all matters related to the usage and/or access of this system, the laws   ofIndiashall be the governing law and the courts atMumbai,Indiashall   have exclusive jurisdiction in all matters related thereto.4. This system and the contents hereof are the sole and exclusive property of  CISCOand may not be reproduced, stored, copied, or archived in any matter   whatsoever either in full or in parts without prior express consent ofCISCO.  CISCOreserves all rights not expressly granted byCISCOin writing.5. If you do not agree to any of the terms above, then do not use and/or   access this system.***********************************************************^Cbanner motd ^C*************************************************************** ACCESS TO THIS DEVICE IS PROHIBITED UNLESS AUTHORISED  ** **     ACCESSING PROGRAMS OR DATA UNRELATED TO YOUR JOB     ****                      IS PROHIBITED                       ************************************************************^C!line con 0 password 7 060506324F41line vty 0 4 password 7 070C285F4D06line vty 5 15!monitor session 1 source vlan 10monitor session 1 destination interface Gi0/3monitor session 2 source vlan 20monitor session 2 destination interface Gi0/4ntp clock-period 36029287ntp server 172.16.255.1end


25.2 Configuration Of Remote Devices

service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname CHN_NUNGMBKM
!
logging buffered 51200 notifications
enable secret 5 $1$LYsk$myPACL4uUrKt8F1kpny5m0
!
username IBCO_Chennai2 password 7 094F471A1A0A
username IB_DC_RTR2 password 7 02050D480809
clock timezone ist 5 30
ip subnet-zero
!
!
ip tftp source-interface Loopback0
no ip domain lookup
!
ip audit notify log
ip audit po max-events 100
!
isdn switch-type basic-net3
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key tcxK#PfD@2v address 10.0.0.0 255.0.0.0
crypto isakmp keepalive 30
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set IB esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map vpn local-address FastEthernet0/0
crypto map vpn 1 ipsec-isakmp
 set peer 10.100.9.75
 set peer 10.200.9.75
 set transform-set IB
 set pfs group2
 match address 133
!
!
!
!
interface Loopback0
 description INTERFACE FOR NOC MONITORING
 ip address 10.116.10.77 255.255.255.255
!
interface FastEthernet0/0
 description CONNECTED TO LAN
 ip address 10.116.85.1 255.255.255.0
 ip access-group 110 in
 ip access-group 110 out
 speed auto
!
interface Serial0/0
 description WAN LINK TO CHENNAI
 bandwidth 64
 backup delay 10 180
 backup interface BRI1/0
 ip address 10.116.2.42 255.255.255.252
 encapsulation ppp
 no fair-queue
 crypto map vpn
!
interface Serial0/1
 no ip address
 shutdown
!
router ospf 1565
 log-adjacency-changes
 area 116 stub
 network 0.0.0.0 255.255.255.255 area 116
!
ip classless
no ip forward-protocol nd
no ip http server
!
!
access-list 110 permit tcp host 10.116.85.2 host 10.100.9.205 eq 135
access-list 110 permit tcp host 10.116.85.2 eq 135 host 10.100.9.205
access-list 110 permit tcp host 10.100.9.205 host 10.116.85.2 eq 135
access-list 110 permit tcp host 10.100.9.205 eq 135 host 10.116.85.2
access-list 110 permit tcp host 10.116.85.2 host 10.100.9.205 eq 139
access-list 110 permit tcp host 10.116.85.2 eq 139 host 10.100.9.205
access-list 110 permit tcp host 10.100.9.205 host 10.116.85.2 eq 139
access-list 110 permit tcp host 10.100.9.205 eq 139 host 10.116.85.2
access-list 110 permit tcp host 10.116.85.2 host 10.100.9.205 eq 445
access-list 110 permit tcp host 10.116.85.2 eq 445 host 10.100.9.205
access-list 110 permit tcp host 10.100.9.205 host 10.116.85.2 eq 445
access-list 110 permit tcp host 10.100.9.205 eq 445 host 10.116.85.2
access-list 110 deny tcp any any eq 135
access-list 110 deny tcp any any eq 137
access-list 110 deny tcp any any eq 138
access-list 110 deny tcp any any eq 139
access-list 110 deny udp any any eq 135
access-list 110 deny udp any any eq netbios-ns
access-list 110 deny udp any any eq netbios-dgm
access-list 110 deny udp any any eq netbios-ss
access-list 110 deny tcp any any eq 445
access-list 110 deny udp any any eq 445
access-list 110 deny tcp any any eq 4444
access-list 110 deny tcp any any eq 5554
access-list 110 deny udp any any eq 5554
access-list 110 deny tcp any any eq 9996
access-list 110 deny udp any any eq 9996
access-list 110 deny tcp any eq 135 any
access-list 110 deny tcp any eq 137 any
access-list 110 deny tcp any eq 138 any
access-list 110 deny tcp any eq 139 any
access-list 110 deny udp any eq 135 any
access-list 110 deny udp any eq netbios-ns any
access-list 110 deny udp any eq netbios-dgm any
access-list 110 deny udp any eq netbios-ss any
access-list 110 deny tcp any eq 445 any
access-list 110 deny udp any eq 445 any
access-list 110 deny tcp any eq 4444 any
access-list 110 deny tcp any eq 5554 any
access-list 110 deny udp any eq 5554 any
access-list 110 deny tcp any eq 9996 any
access-list 110 deny udp any eq 9996 any
access-list 110 permit ip any any
access-list 133 permit ip 10.116.85.0 0.0.0.255 host 10.100.7.200
access-list 133 permit ip 10.116.85.0 0.0.0.255 host 10.100.7.232
access-list 133 permit ip 10.116.85.0 0.0.0.255 host 10.100.5.6
access-list 133 permit ip 10.116.85.0 0.0.0.255 host 10.100.5.36
access-list 133 permit ip host 10.116.10.77 host 10.100.11.69
dialer-list 1 protocol ip permit
!
snmp-server community gr8comnet RO
snmp-server ifindex persist
snmp-server enable traps tty
rtr 100
 type echo protocol ipIcmpEcho 10.100.7.200 source-ipaddr 10.116.85.1
 timeout 1000
 frequency 61
rtr schedule 100 start-time now life forever
rtr 101
 type echo protocol ipIcmpEcho 10.100.11.69 source-ipaddr 10.116.10.77
 timeout 1000
 frequency 300
rtr schedule 101 start-time now life forever
banner login ^CC
+-------------------------------------------------------------------------+
/ WARNING                                                                 /
/ -------------                                                           /
/                                                                         /
/ This is a private Computer System owned by INDIAN BANK.                 /
/ If not authorised to access this system, LOGOFF/DISCONNECT now.         /
/ By continuing you constent to your keystokes and data content           /
/ being intercepted, monitored, recorded, copied, audited, inspected and  /
/ disclosed to law enforcement personel. Unauthorised or improper use     /
/ of this system may result in administrative disciplinary action         /
/ and civil and criminal penalties.                                       /
+-------------------------------------------------------------------------+
^C
!
line con 0
 password 7 0802455D0A162C35
 login
line aux 0
line vty 0 4
 privilege level 15
 password 7 02250D4808092603
 login
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
no scheduler allocate
ntp clock-period 17207995
ntp source Loopback0
ntp server 10.100.9.68
end
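Two points in the CHN_NUNGMBKM configuration are easy to misread. First, IOS access lists are evaluated top-down and the first matching entry wins, with an implicit deny at the end: the per-host permits for TCP 135/139/445 between 10.116.85.2 and 10.100.9.205 only work because they precede the blanket denies that stop NetBIOS, SMB and the 4444/5554/9996 worm ports for everyone else. Second, access-list 133 is the crypto map's "match address": only flows it permits are carried inside the IPsec tunnel on Serial0/0, and everything else that access-list 110 lets through is sent over the WAN in the clear. The following Python script is an added example (not code from the page or from the bank's deployment) that implements first-match evaluation over an excerpt of the two lists copied from the configuration above; the packets it evaluates are constructed inputs. It shows, among other things, that the permitted SMB flow to 10.100.9.205 is not selected by access-list 133.

```python
"""First-match evaluation of Cisco IOS numbered extended ACLs.

Added example, not part of the original design document. ACL_EXCERPT is copied
from the CHN_NUNGMBKM configuration (a subset of access-list 110 plus all of
access-list 133); the packets evaluated by the functions below are constructed.
"""
import ipaddress

# Port keywords used in the configuration; IOS accepts the name or the number.
PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}

ACL_EXCERPT = """
access-list 110 permit tcp host 10.116.85.2 host 10.100.9.205 eq 445
access-list 110 permit tcp host 10.116.85.2 eq 445 host 10.100.9.205
access-list 110 permit tcp host 10.100.9.205 host 10.116.85.2 eq 445
access-list 110 permit tcp host 10.100.9.205 eq 445 host 10.116.85.2
access-list 110 deny tcp any any eq 445
access-list 110 deny udp any any eq netbios-ns
access-list 110 deny tcp any eq 445 any
access-list 110 permit ip any any
access-list 133 permit ip 10.116.85.0 0.0.0.255 host 10.100.7.200
access-list 133 permit ip 10.116.85.0 0.0.0.255 host 10.100.7.232
access-list 133 permit ip 10.116.85.0 0.0.0.255 host 10.100.5.6
access-list 133 permit ip 10.116.85.0 0.0.0.255 host 10.100.5.36
access-list 133 permit ip host 10.116.10.77 host 10.100.11.69
"""


def _take_addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD' and return the matching network."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # ipaddress treats a mask whose first octet is zero as a host (wildcard) mask
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)


def _take_port(tokens):
    """Consume an optional 'eq PORT' qualifier; None means any port."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        return PORT_NAMES.get(name) or int(name)
    return None


def parse_acl(config_text, number):
    """Return the entries of access-list NUMBER in configured order."""
    entries = []
    for line in config_text.splitlines():
        tok = line.split()
        if tok[:2] != ["access-list", str(number)]:
            continue
        action, proto, rest = tok[2], tok[3], tok[4:]
        src, sport = _take_addr(rest), _take_port(rest)
        dst, dport = _take_addr(rest), _take_port(rest)
        entries.append((action, proto, src, sport, dst, dport, line.strip()))
    return entries


def evaluate(entries, proto, src, sport, dst, dport):
    """Walk the list top-down; the first matching entry decides, else implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, eproto, esrc, esport, edst, edport, text in entries:
        if eproto != "ip" and eproto != proto:
            continue
        if s not in esrc or d not in edst:
            continue
        if esport is not None and esport != sport:
            continue
        if edport is not None and edport != dport:
            continue
        return action, text
    return "deny", "implicit deny at end of access-list"


def lan_filter(proto, src, sport, dst, dport):
    """Decision of access-list 110, applied in and out on FastEthernet0/0."""
    return evaluate(parse_acl(ACL_EXCERPT, 110), proto, src, sport, dst, dport)[0]


def goes_through_ipsec(proto, src, sport, dst, dport):
    """True when access-list 133 (the crypto map's match address) selects the flow."""
    return evaluate(parse_acl(ACL_EXCERPT, 133), proto, src, sport, dst, dport)[0] == "permit"


if __name__ == "__main__":
    smb = ("tcp", "10.116.85.2", 49152, "10.100.9.205", 445)
    print("SMB from the one permitted host:", lan_filter(*smb), "| in tunnel:", goes_through_ipsec(*smb))
    print("SMB from any other LAN host:", lan_filter("tcp", "10.116.85.9", 49152, "10.100.9.205", 445))
    print("NOC probe 10.116.10.77 -> 10.100.11.69 in tunnel:", goes_through_ipsec("icmp", "10.116.10.77", None, "10.100.11.69", None))
```

Moving a deny above the per-host permits, or adding a host to access-list 110 without also adding it to access-list 133, changes the answer silently; running a check like this against the saved configuration before a change is cheaper than discovering the difference on the wire.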


Remote L2 Switch

CORPORATE_SW3#sh run
Building configuration...

Current configuration : 5561 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname CORPORATE_SW3
!
enable secret 5 $1$sr.F$keVC8fESMUouYb1ja.B0l1
!
username cisco privilege 15 password 0 cisco
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
!
aaa session-id common
system mtu routing 1500
ip subnet-zero
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/1
 switchport mode access
!
interface GigabitEthernet0/2
 switchport mode access
!
interface GigabitEthernet0/3
 switchport mode access
!
interface GigabitEthernet0/4
 switchport mode access
!
interface GigabitEthernet0/5
 switchport mode access
!
interface GigabitEthernet0/6
 switchport mode access
!
interface GigabitEthernet0/7
 switchport mode access
!
interface GigabitEthernet0/8
 switchport mode access
!
interface GigabitEthernet0/9
 switchport mode access
!
interface GigabitEthernet0/10
 switchport mode access
!
interface GigabitEthernet0/11
 switchport mode access
!
interface GigabitEthernet0/12
 switchport mode access
!
interface GigabitEthernet0/13
 switchport mode access
!
interface GigabitEthernet0/14
 switchport mode access
!
interface GigabitEthernet0/15
 switchport mode access
!
interface GigabitEthernet0/16
 switchport mode access
!
interface GigabitEthernet0/17
 switchport mode access
!
interface GigabitEthernet0/18
 switchport mode access
!
interface GigabitEthernet0/19
 switchport mode access
!
interface GigabitEthernet0/20
 switchport mode access
!
interface GigabitEthernet0/21
 description *****UPLINK TO L3_SWITCH*****
 switchport mode trunk
!
interface GigabitEthernet0/22
 description *****UPLINK TO L3_SWITCH*****
 switchport mode access
!
interface GigabitEthernet0/23
 description *****UPLINK TO L3_SWITCH*****
 switchport mode access
!
interface GigabitEthernet0/24
 description *****UPLINK TO L3_SWITCH*****
 switchport mode access
!
interface Vlan1
 ip address 172.16.16.3 255.255.255.0
 no ip route-cache
!
interface Vlan2
 no ip address
 no ip route-cache
!
ip default-gateway 172.16.16.5
ip http server
ip tacacs source-interface Vlan1
tacacs-server host 172.16.2.25 key S0mp0T@c@C$K3y
tacacs-server directed-request
radius-server source-ports 1645-1646
!
control-plane
!
banner exec ^CC
***************************************************************************
                         W  A  R  N  I  N  G
***************************************************************************
This system and all its components (including virtual components) is the
property of Universal Sompo General Insurance(CISCO) and is intended solely
for the usage of employees and authorised clients of CISCO in accordance
with its policies and guidelines which may in force from time to time.
Unauthorised access / use of this system may attract legal actions, criminal
and / or civil charges.
1. This system is monitored in accordance with CISCO Security policy.
2. By using or accessing this system, you hereby expressly consent to
   (a) Be bound by all policies and regulations of CISCO then in existence
       concerning the use and/or access of this system; and
   (b) Abide by all directions given by CISCO concerning the use and/or access
       of this system; and
   (c) CISCO or its agents or representatives may monitor your activities while
       you are using or accessing this system (including any data that is
       transmitted by you) and this will not violate your privacy rights and;
   (d) Be liable for any loss, damages or expenses that may be caused to or
       suffered by CISCO due to your use and/or access of this system and you
       agree to indemnify CISCO against all such losses, damages or expenses
       that may be occur due to your use and/or access of this system.
3. In all matters related to the usage and/or access of this system, the laws
   of India shall be the governing law and the courts at Mumbai, India shall
   have exclusive jurisdiction in all matters related thereto.
4. This system and the contents hereof are the sole and exclusive property of
   CISCO and may not be reproduced, stored, copied, or archived in any matter
   whatsoever either in full or in parts without prior express consent of CISCO.
   CISCO reserves all rights not expressly granted by CISCO in writing.
5. If you do not agree to any of the terms above, then do not use and/or
   access this system.
***************************************************************************
^C
banner motd ^CC
*************************************************************
*  ACCESS TO THIS DEVICE IS PROHIBITED UNLESS AUTHORISED   *
*                                                           *
*     ACCESSING PROGRAMS OR DATA UNRELATED TO YOUR JOB     *
*                      IS PROHIBITED                       *
*************************************************************
^C
!
line con 0
line vty 5 15
!
end
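The three configurations above store credentials three different ways. The remote router and the L3 switch use service password-encryption, which writes line passwords, usernames and the TACACS+ key as type 7 strings; CORPORATE_SW3 disables it, so its local account (username cisco ... password 0 cisco) and TACACS+ key appear in cleartext; only enable secret 5 is a salted one-way hash. Type 7 is not encryption in any useful sense: it XORs the password against a fixed key stream starting at a two-digit offset, so anyone who can read the configuration (a TFTP backup, a SNMP read with the community strings shown, a show run over the console) recovers the password immediately. The following Python script is an added example (not code from the page or the bank's deployment) that implements the public type 7 algorithm and a small audit that classifies the credentials in a constructed sample configuration. The sample's values, including the placeholder type 5 hash, are made up for the example.

```python
"""Cisco IOS type 7 passwords are reversible; audit a config for weak credential storage.

Added example, not part of the original design document. The type 7 algorithm
(XOR against a fixed 53-byte key stream, starting at a two-digit offset) is
public. SAMPLE_CONFIG is constructed for this example; its type 5 hash is a
placeholder, not a real digest.
"""

# The fixed key stream every IOS image uses for 'password 7'.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded):
    """'password 7 <hex>': the first two characters are the key offset."""
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(body)).decode()


def encode_type7(plain, seed=6):
    """Produce the form IOS writes after 'service password-encryption'."""
    out = bytes(c ^ XLAT[(seed + i) % len(XLAT)] for i, c in enumerate(plain.encode()))
    return f"{seed:02d}{out.hex().upper()}"


def audit_config(config_text):
    """Classify each credential as cleartext, type7-reversible or md5-crypt-hash.

    Type 7 values are decoded on the spot to make the point; type 5 (enable secret)
    is a salted one-way hash and is reported without reversal.
    """
    findings = []
    for line in config_text.splitlines():
        tok = line.split()
        if len(tok) < 3:
            continue
        if tok[:2] == ["snmp-server", "community"]:
            findings.append(("cleartext", tok[2]))          # community strings are always cleartext
            continue
        if tok[:3] == ["crypto", "isakmp", "key"] and len(tok) > 3:
            findings.append(("cleartext", tok[3]))          # IKE pre-shared key
            continue
        for i, t in enumerate(tok):
            if t not in ("password", "secret", "key") or i + 1 >= len(tok):
                continue
            nxt = tok[i + 1]
            if nxt in ("0", "5", "7") and i + 2 < len(tok):
                value = tok[i + 2]
                kind = {"0": "cleartext", "5": "md5-crypt-hash", "7": "type7-reversible"}[nxt]
                findings.append((kind, decode_type7(value) if nxt == "7" else value))
            elif not nxt.isdigit():
                findings.append(("cleartext", nxt))         # bare 'password X' / 'key X'
            break
    return findings


# Constructed sample; the two type 7 strings are produced by encode_type7 above.
SAMPLE_CONFIG = f"""
enable secret 5 $1$salt$placeholder0000000000000
username cisco privilege 15 password 0 cisco
username ops password 7 {encode_type7('Br4nch-R0ut3r', 11)}
tacacs-server host 172.16.2.25 key t4c@cs-sh4r3d
snmp-server community branch-ro RO
crypto isakmp key ike-psk-example address 10.0.0.0 255.0.0.0
line vty 0 4
 password 7 {encode_type7('cisco')}
"""

if __name__ == "__main__":
    for kind, value in audit_config(SAMPLE_CONFIG):
        print(f"{kind:18} {value}")
```

Point audit_config at a saved show run to list everything a configuration backup exposes. The remedy for local accounts and enable is username ... secret / enable secret (type 5 here; newer IOS releases offer the type 8 and 9 hashes); shared keys such as the TACACS+ and ISAKMP keys cannot be hashed, so the configuration file itself has to be handled as a secret, and the read-only SNMP communities above should be treated as granting that read.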


23.Future Scope

There is a vast future scope for this Network. The Design can be improved and can be reused by other banks. If the limitations listed in the next section are removed, the Network will become very reliable and can approach the 99.999% uptime expected of a core datacenter.

Changes to the Network Design can be implemented easily because the network already uses Border Gateway Protocol (BGP), whose path attributes can divert or control the flow of traffic, and Quality of Service (QoS), which can allocate bandwidth to servers as required.


24.LIMITATIONS

This Network will not be able to resolve issues arising from any of the following:

Any unreported or undetected bugs in standard software or tools.

Any changes in application software features; older versions are incompatible with current features.

Leased line uptime depends on the service provider.

This Network is limited by the state of technology and by the functionality of the software tools or products deployed.

Third-party (non-Cisco) IOS integration will be carried out on a best-effort basis.

All hardware device upgrades, hardware re-deployments and policy changes shall be done with the mutual consent of the customer, based on the impact they would have on the overall security and performance of the network.

Security can be implemented in a better way. The configurations above still carry reversible type 7 passwords, a cleartext local account and TACACS+ key on CORPORATE_SW3 (no service password-encryption), cleartext SNMP community strings, the HTTP server enabled on the switches and Telnet accepted on the router's vty lines.

