
Infrastructure & Services Ltd Training manual

Contents:
  Backbone Switches
  Internet Infrastructure
  MPLS/VPN Connection
  Clientless VPN
  Cisco AnyConnect
  Site-to-Site VPN

Backbone Network

The backbone network is an important architectural element for building enterprise networks. It provides a path for the exchange of information between different LANs or subnetworks. A backbone can tie together diverse networks in the same building, in different buildings in a campus environment, or over wide areas. Generally, the backbone's capacity is greater than that of the networks connected to it.

A backbone is typically a network that interconnects other networks. In a switched network design the backbone is less clearly delineated: it is usually just the high-speed Layer 3 switches, such as the Cisco Catalyst 4500, 3750 and 3560 series, that aggregate traffic from the attached networks.

Backbone Switches

The Cisco Catalyst 3750 v2 Series are next-generation, energy-efficient Layer 3 Fast Ethernet stackable switches. Their unified stack management simplifies stack management, redundancy and failover. With a range of Fast Ethernet and Gigabit Ethernet configurations, the Cisco Catalyst 3750 Series can serve both as an access layer switch for medium enterprise wiring closets and as a backbone switch for mid-sized networks. It helps increase productivity and protects the network investment by providing a unified network for data, voice and video. The Cisco Catalyst 3750 is available with two software images:

IP Base software includes advanced quality of service (QoS), rate limiting, access control lists (ACLs), Open Shortest Path First (OSPF) for routed access, and IPv6 functionality.

IP Services software provides a broader set of enterprise-class features, including advanced hardware-based IP unicast and IP multicast routing, as well as policy-based routing (PBR).

Cisco Catalyst 3750-24TS switches with IEEE 802.3af Power

Catalyst 3750G 24TS (Back Bone)

The two Cisco Catalyst 3750G 24TS switches are stacked together and act as the VTP server for all the other switches in the network. Because VTP clients accept any advertisement carrying a higher configuration revision number, the VTP domain should be protected with a VTP password, and the revision number of any switch should be reset (for example by changing its VTP domain name) before it is connected to the production network; otherwise a stray switch can overwrite the VLAN database of the whole domain. The backbone stack carries the following VLANs:

  VLAN management
  VLAN IPT (x2)
  VLAN LAN
  VLAN WAN: this VLAN is configured only toward the Cisco ASA5520 and toward the MPLS routers (Cisco 3945).

The Back Bone switch is the default gateway of all the networks and the default gateway of the Back Bone switch is the Cisco ASA5520.

Catalyst 2960 48PST-L

One of the Cisco Catalyst 2960 switches is placed in the annex and connected to the backbone through two Gigabit Ethernet ports (each port to a different backbone switch). Two of the Cisco Catalyst 2960 switches are placed in the main site buildings and connected to the backbone through two optical ports (each port to a different backbone switch) in trunk mode. All the 2960 48PST-L switches are VTP clients of the backbone switch and carry the following VLANs:

  VLAN management
  VLAN IPT (x2)
  VLAN LAN

Catalyst 2960 8TC-L

Three of the Cisco Catalyst 2960 8TC-L switches are placed in the main site buildings and connected to the backbone through three SFP ports (each port to a different backbone switch) in trunk mode. All the 2960 8TC-L switches are VTP clients of the backbone switch and carry the following VLANs:

  VLAN management
  VLAN IPT (x2)
  VLAN LAN

Catalyst 2960 8TC-L (DMZ)

Two Cisco Catalyst 2960 8TC-L switches, connected in a cluster, are placed in the DMZ network; each is connected to a different Cisco ASA5520 in trunk mode. These switches carry VLAN DMZ, which is also configured on the Cisco ASA5520.

Catalyst 3750G 24TS (WAN)

Two Cisco Catalyst 3750G 24TS switches are stacked together and connected to the Cisco ASA5520 and to the Internet routers (Cisco 2911) in access mode.

Cisco 2911 (Internet)

In this implementation there are two Cisco 2911 routers. Each is connected to a different ISP and runs BGP with both ISPs. The two routers run HSRP between them, and each is connected to a different Cisco 3750 24PS in the stack in access mode.

Cisco 3945-sec (MPLS)

Both Cisco 3945-sec routers are connected to the backbone through two Gigabit Ethernet ports (each port to a different backbone switch) in trunk mode, and each is connected to the MPLS network in access mode. The two Cisco 3945-sec routers are connected in a cluster.

In the schematic network diagram above we see the various interconnections of devices to the backbone Cisco Catalyst 3750G 24TS switches and to the ASA 5520 firewall. To summarise: the backbone switch stack is the default gateway of all the internal networks, and the default gateway of the backbone switch is the Cisco ASA5520; the two Cisco Catalyst 3750G 24TS WAN switches are stacked together and connected to the Cisco ASA5520 and to the Internet routers (Cisco 2911) in access mode; and both Cisco 3945-sec routers are connected to the backbone through two Gigabit Ethernet ports (each port to a different backbone switch) in trunk mode, with their MPLS-facing interfaces in access mode and the two routers operating as a cluster.

Internet Infrastructure

In this implementation there are two Cisco 2911 routers. Each is connected to a different ISP and runs BGP with both ISPs. The routers run HSRP between one another, and each is connected to a different Cisco 3750 24PS in the stack in access mode.

The Internet infrastructure is a hybrid design with a primary and a secondary Internet connection over independent routes, both available at all times and managed by BGP (Border Gateway Protocol). If the primary link fails, traffic switches to the backup link automatically once BGP declares the primary peer dead; with the default BGP timers (60-second keepalive, 180-second hold time) this takes up to 180 seconds. The timers can be lowered per neighbor if faster failover is required.

The primary Internet connection is a fibre-optic link, with its inherent advantages (low latency, high capacity), providing seamless broadband connectivity. The backup link is a satellite connection via the Atlanta point of presence (PoP), with flexible bandwidth profiles to meet current and future needs; the bandwidth scheme can be upgraded according to the customer's requirements.

BGP

BGP (Border Gateway Protocol) performs interdomain routing in TCP/IP networks. BGP is an exterior gateway protocol (EGP): it routes between multiple autonomous systems (domains) and exchanges routing and reachability information with other BGP speakers. It uses TCP as its transport protocol, on port 179. Two BGP routers form a TCP connection with one another and become peers; the peers exchange OPEN messages to negotiate and confirm the session parameters (AS number, hold time, capabilities), and then keep the session alive with KEEPALIVE messages and carry routes in UPDATE messages. Because the session is an ordinary TCP connection, it should be authenticated (TCP MD5 via neighbor ... password), and the prefixes advertised to and accepted from each ISP should be filtered so the site neither leaks internal prefixes nor becomes a transit path between the two ISPs.

Configuration of BGP (placeholders: xxxx is the local AS number, x.x.x.0 mask y.y.y.y the customer LAN prefix, z.z.z.z the Skyvision peer address):

  router bgp xxxx
   no synchronization
   bgp log-neighbor-changes
   network x.x.x.0 mask y.y.y.y                    ! customer LAN network
   neighbor z.z.z.z remote-as 8513
   neighbor z.z.z.z description Skyvision BGP
   neighbor z.z.z.z ebgp-multihop z                ! z = maximum hop count to the peer
   neighbor z.z.z.z update-source FastEthernet0/0  ! fibre-optic (FOC) interface
   no auto-summary
  !
  ip route 0.0.0.0 0.0.0.0 <VSAT interface> 250    ! floating static default via the satellite link
  ip route z.z.z.z 255.255.255.255 78.138.59.53    ! host route to the multihop BGP peer

The floating static default is configured with administrative distance 250, so it stays out of the routing table while the eBGP-learned route (distance 20) is present and is installed only after the session to Skyvision drops and its routes are withdrawn. The /32 host route pins the multihop peer to a specific next hop (78.138.59.53) so that the BGP session is not accidentally established across the satellite default route.
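The configuration above accepts whatever the upstream sends and advertises whatever the network statement matches. The following is an added example (not the manual's own configuration) of how a practitioner would harden that eBGP session on IOS: it announces only the customer prefix, accepts only a default route from the ISP, caps the number of prefixes accepted, authenticates the TCP session with MD5 and keeps the floating static default toward the VSAT link. All addresses and AS numbers (192.0.2.0/24, 203.0.113.1, 198.51.100.1, AS 64496 and 64501) are documentation values chosen for the example, the interface names are assumed, and the password is a placeholder.

```cisco
! Added example, not the manual's configuration; addresses, AS numbers and key are placeholders.
! Only our own aggregate may leave; only a default route may come in.
ip prefix-list OUR-PREFIX seq 5 permit 192.0.2.0/24
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!
route-map TO-ISP permit 10
 match ip address prefix-list OUR-PREFIX
!
route-map FROM-ISP permit 10
 match ip address prefix-list DEFAULT-ONLY
!
router bgp 64496
 bgp log-neighbor-changes
 network 192.0.2.0 mask 255.255.255.0
 neighbor 203.0.113.1 remote-as 64501
 neighbor 203.0.113.1 description Primary ISP (fibre)
 neighbor 203.0.113.1 update-source GigabitEthernet0/0
 neighbor 203.0.113.1 password REPLACE-WITH-SHARED-SECRET
 neighbor 203.0.113.1 route-map TO-ISP out
 neighbor 203.0.113.1 route-map FROM-ISP in
 neighbor 203.0.113.1 maximum-prefix 10
!
! Anchor the aggregate so the network statement always has a matching RIB entry.
ip route 192.0.2.0 255.255.255.0 Null0 254
! Floating static default via the VSAT next hop: AD 250 loses to the eBGP default (AD 20)
! and is installed only after the BGP session drops and its routes are withdrawn.
ip route 0.0.0.0 0.0.0.0 198.51.100.1 250
```

Verify with "show ip bgp summary" (session Established, prefix count 1), "show ip bgp neighbors 203.0.113.1 advertised-routes" (only 192.0.2.0/24) and "show ip route 0.0.0.0" (the BGP default while the session is up, the static one after it fails). If the 180-second default failover is too slow, "neighbor 203.0.113.1 timers 10 30" brings detection down to 30 seconds at the cost of more keepalive traffic; agree the values with the ISP.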

Hot Standby Router Protocol (HSRP)


Cisco developed a proprietary protocol called Hot Standby Router Protocol (HSRP) that allows multiple routers or multilayer switches to masquerade as a single gateway.

This is accomplished by assigning a virtual IP address to all routers participating in HSRP. All routers are assigned to a single HSRP group (numbered 0-255). Routers are then elected to specific roles:

  Active Router: the router currently serving as the gateway
  Standby Router: backup router to the Active Router
  Listening Router: all other routers participating in HSRP

Only one Active and one Standby router are allowed per HSRP group. HSRP routers regularly send Hello packets (by default, every 3 seconds) to ensure all routers are functioning. If the current Active Router fails, the Standby Router is made active, and a new Standby is elected. The role of an HSRP router is dictated by its priority. Whichever router has the highest priority (a higher value is better) becomes the Active Router; the second highest priority becomes the Standby Router. If all priorities are equal, whichever router has the highest IP address on its HSRP interface becomes active.

Each router in the HSRP group retains the address configured on its respective interface. However, the HSRP group is assigned a virtual IP address, which client computers point to as their default gateway.

Switch 1:

  Switch(config)# int fa0/10
  Switch(config-if)# no switchport
  Switch(config-if)# ip address 192.168.1.5 255.255.255.0
  Switch(config-if)# standby 1 priority 50
  Switch(config-if)# standby 1 preempt
  Switch(config-if)# standby 1 ip 192.168.1.1
  Switch(config-if)# standby 1 authentication CISCO

Switch 2:

  Switch(config)# int fa0/10
  Switch(config-if)# no switchport
  Switch(config-if)# ip address 192.168.1.6 255.255.255.0
  Switch(config-if)# standby 1 priority 75
  Switch(config-if)# standby 1 preempt
  Switch(config-if)# standby 1 ip 192.168.1.1
  Switch(config-if)# standby 1 authentication CISCO
  Switch(config-if)# standby 1 track fa0/12 50

With these settings Switch 2 (priority 75) is Active and Switch 1 (priority 50) is Standby. If fa0/12 on Switch 2 goes down, the track command lowers its priority by 50 (to 25), and because preempt is configured Switch 1 takes over as Active. Note that "standby 1 authentication CISCO" is plain-text authentication: the string is sent in the clear in every hello, so any host on the segment can read it and inject hellos with priority 255 to become the Active router and intercept all traffic from the VLAN. Use MD5 authentication with a key chain instead ("standby 1 authentication md5 key-chain <name>").
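The following is an added example (not the manual's own configuration) of the same two-switch HSRP group with the weak settings corrected: MD5 authentication from a key chain instead of the plain-text string, object tracking with an explicit decrement, a preempt delay so a rebooting switch does not take over before its routing has converged, and faster hello/hold timers. Interface names (GigabitEthernet1/0/10 and 1/0/12 on a 3750 stack) and the key string are assumed.

```cisco
! Added example, not the manual's configuration; interface names and key are placeholders.
! The key chain must be identical on both switches.
key chain HSRP-KEYS
 key 1
  key-string REPLACE-WITH-STRONG-SECRET
!
! Track the uplink toward the firewall; when it fails, Switch 1's priority drops below Switch 2's.
track 1 interface GigabitEthernet1/0/12 line-protocol
!
! Switch 1 (preferred Active): 110 - 30 = 80 < 90, so Switch 2 preempts when the uplink is down.
interface GigabitEthernet1/0/10
 no switchport
 ip address 192.168.1.5 255.255.255.0
 standby version 2
 standby 1 ip 192.168.1.1
 standby 1 priority 110
 standby 1 preempt delay minimum 60
 standby 1 timers 1 3
 standby 1 authentication md5 key-chain HSRP-KEYS
 standby 1 track 1 decrement 30
!
! Switch 2 (Standby): same group, same virtual IP, same key chain, lower priority.
interface GigabitEthernet1/0/10
 no switchport
 ip address 192.168.1.6 255.255.255.0
 standby version 2
 standby 1 ip 192.168.1.1
 standby 1 priority 90
 standby 1 preempt delay minimum 60
 standby 1 timers 1 3
 standby 1 authentication md5 key-chain HSRP-KEYS
```

Check the result with "show standby brief" on both switches (one Active, one Standby, same virtual IP) and "show track 1"; then shut GigabitEthernet1/0/12 on Switch 1 and confirm that Switch 2 becomes Active within the 3-second hold time. With MD5 in place, a hello carrying the wrong digest is ignored, so a rogue host can no longer win the election simply by announcing priority 255.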

WAN:

Installation of two Cisco 3945-SEC routers, each with hardware encryption and dual power supplies for redundancy, plus HWIC-4ESW cards providing 4 copper 10/100 ports. The routers run the Advanced IP Services software image, which allows encrypted tunnels to be configured on the router.

HSRP is configured between the routers.

These routers will be connected to the MPLS lines when the service contract is concluded by the agency.

For data protection, GRE over IPsec is configured on the routers.

A routing protocol runs inside the IPsec-protected tunnel.

A GRE tunnel is implemented over the WAN line. GRE encapsulates the internal traffic so that only the tunnel endpoints appear as source and destination on the provider's network, and it allows dynamic routing and multicast protocols to run over the WAN lines. GRE by itself does not encrypt anything: the internal addresses and payload are hidden from the infrastructure provider only because the GRE packets are in turn protected by IPsec. The GRE tunnels are configured statically between the main site and the branches, so that all branch traffic is routed to the main site. WAN security is therefore provided by IPsec, which encrypts and authenticates the traffic on the WAN network.

IPsec protects the traffic by encryption. The routers support DES, 3DES and AES; DES and 3DES are obsolete and should not be used, so AES is the appropriate choice. Stronger ciphers cost more CPU, which is why the routers' hardware encryption module matters for throughput. Inside the tunnel a routing protocol performs routing between the networks. These routers are connected to the Catalyst 3750G switches with two copper cables at 100 Mbps on the WAN VLAN.
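The following is an added example (not the manual's own configuration) of the main-site side of one GRE over IPsec tunnel as described above, with OSPF running inside it. It assumes IOS 15.x crypto syntax, a pre-shared key (placeholder), WAN addresses 203.0.113.1 (main site) and 203.0.113.2 (branch), tunnel subnet 10.255.0.0/30, main LAN 192.168.10.0/24 and interface names GigabitEthernet0/0; all of these are documentation values chosen for the example. The branch router is configured identically with the tunnel source/destination, tunnel address (10.255.0.2) and LAN prefix swapped.

```cisco
! Added example (main site router), not the manual's configuration; addresses and key are placeholders.
! Phase 1 (IKEv1): AES-256, SHA-256, DH group 14. Avoid DES/3DES, MD5 and groups 1/2.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-PSK address 203.0.113.2 no-xauth
!
! Phase 2: transport mode is sufficient because GRE already supplies the outer IP header.
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
! GRE tunnel toward the branch; the MPLS provider sees only 203.0.113.1 <-> 203.0.113.2 and ESP.
interface Tunnel0
 description GRE over IPsec to branch
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode gre ip
 tunnel protection ipsec profile GRE-PROT
!
! Dynamic routing runs only inside the tunnel; every other interface stays passive so no
! OSPF hellos reach the provider network or the user VLANs.
router ospf 1
 passive-interface default
 no passive-interface Tunnel0
 network 10.255.0.0 0.0.0.3 area 0
 network 192.168.10.0 0.0.0.255 area 0
```

To make all branch traffic go through the main site, as the design requires, either add "default-information originate always" under router ospf 1 at the main site or configure "ip route 0.0.0.0 0.0.0.0 Tunnel0" on the branch. Verify with "show crypto isakmp sa" (state QM_IDLE), "show crypto ipsec sa" (encaps/decaps counters increasing on the Tunnel0 peer) and "show ip ospf neighbor" (FULL over Tunnel0). The reduced MTU and MSS clamp prevent fragmentation caused by the GRE and ESP overhead.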

For power supply backup, a Cisco RPS 2300 (Redundant Power System) is installed. It can be connected to up to six switches/routers and provides backup power to two of them simultaneously.

MPLS/VPN Connection

"MPLS" and "VPN" are two different technologies. Multiprotocol Label Switching (MPLS) is a standards-based technology used to speed up the delivery of network packets over multiple protocols such as IP, Asynchronous Transfer Mode (ATM) and Frame Relay. A virtual private network (VPN) uses shared public telecom infrastructure, such as the Internet, to provide access to remote offices and users more cheaply than an owned or leased line. VPNs are built with tunnelling protocols such as GRE, IPsec, PPTP, L2TP and MPLS. Only IPsec (and TLS, in the case of SSL VPNs) actually encrypts and authenticates the traffic; GRE, L2TP and MPLS separate traffic from the underlying network but do not protect it, and PPTP's authentication and encryption are broken and should not be used. The most common definition of a VPN is a data network that uses a portion of a shared public network to extend a customer's private network. There are three basic VPN categories:

Intranet VPN: connects resources of the same company across that company's infrastructure, for example VPNs between two offices at different locations.

Extranet VPN: connects resources of one company to another company, such as a business partner. An example is a company that has outsourced its help desk and sets up a VPN to provide a secure connection from its corporate office to the outsourcing company.

Internet VPN: uses a public network as the backbone to transport VPN traffic between devices. For example, you might use the Internet to connect two sites together, or have telecommuters use their local ISPs to set up a VPN connection to the corporate network (remote access connection).

VPN components

The VPN realm consists of the following regions:

Customer network: consists of the routers at the various customer sites, called customer edge (CE) routers.

Provider network: the service provider devices to which the CE routers are directly attached are called provider edge (PE) routers; the service provider network also contains devices used for forwarding data in the SP backbone, called provider (P) routers.

Clientless SSL VPN

An SSL VPN (Secure Sockets Layer virtual private network) is a form of VPN that can be used with a standard web browser. In contrast to a traditional IPsec VPN, an SSL VPN does not require specialised client software to be installed on the end user's computer. It is used to give remote users access to web applications, client/server applications and internal network connections.

A virtual private network (VPN) provides a secure communications mechanism for data and other information transmitted between two endpoints. An SSL VPN consists of one or more VPN devices to which the user connects by using his Web browser. The traffic between the Web browser and the SSL VPN device is encrypted with the SSL protocol or its successor, the Transport Layer Security (TLS) protocol.

An SSL VPN offers versatility, ease of use and granular control for a range of users on a variety of computers, accessing resources from many locations. There are two major types of SSL VPNs:

SSL Portal VPN: allows a single SSL connection to a web site so the end user can securely access multiple network services. The site is called a portal because it is one door (a single page) that leads to many other resources. The remote user accesses the SSL VPN gateway using any modern web browser, identifies himself or herself to the gateway using an authentication method supported by the gateway, and is then presented with a web page that acts as the portal to the other services.

SSL Tunnel VPN: allows a web browser to securely access multiple network services, including applications and protocols that are not web-based, through a tunnel that runs under SSL. SSL tunnel VPNs require that the web browser be able to handle active content, which allows them to provide functionality that is not accessible to SSL portal VPNs. Examples of active content include Java, JavaScript, ActiveX or Flash applications and plug-ins; note that enabling such plug-ins on the client enlarges its attack surface, so the gateway should be configured to require only what the published services need. Here the services are also accessed through the Remote Desktop Protocol (RDP).

Cisco AnyConnect

The virtual private network (VPN) is a key technology for improving Internet security and enabling safe remote access for users who need access to enterprise wide area networks (WANs) and the resources they deliver. As the picture above shows, VPNs interconnect all kinds of users and locations. The diagram reviews four popular VPN clients for enterprise use: the Cisco VPN client, TeamViewer, Golden Frog's VyprVPN and PureVPN. VPN client software must work on all user devices (PCs, notebooks, tablets and smartphones); otherwise users on unsupported devices will work around the VPN, which is how a VPN-related security breach typically starts. VPN protocols must work end-to-end through firewalls, routers and switches, and IT must pick VPN devices that are compatible and interoperable with the concentrators (router and firewall), appliances and servers.

Site-to-site VPN

A site-to-site VPN allows offices in multiple fixed locations to establish secure connections with each other over a public network such as the Internet. A site-to-site VPN extends the company's network, making computer resources from one location available to employees at other locations. An example of a company that needs a site-to-site VPN is a growing corporation with dozens of branch offices around the world. There are two types of site-to-site VPNs:

Intranet-based -- If a company has one or more remote locations that it wishes to join in a single private network, it can create an intranet VPN to connect each separate LAN to a single WAN.

Extranet-based -- When a company has a close relationship with another company (such as a partner, supplier or customer), it can build an extranet VPN that connects those companies' LANs. This extranet VPN allows the companies to work together in a secure, shared network environment while preventing access to their separate intranets.

Even though the purpose of a site-to-site VPN is different from that of a remote-access VPN, it can use some of the same software and equipment. Ideally, though, a site-to-site VPN should eliminate the need for each computer to run VPN client software as if it were on a remote-access VPN.

Purpose of Site-to site VPN A VPN's purpose is providing a secure and reliable private connection between computer networks over an existing public network, typically the Internet. Now, let's consider all the benefits and features a company should expect in a VPN. A well-designed VPN provides an organization with the following benefits:

  Extended connections across multiple geographic locations without using a leased line
  Improved security for exchanging data
  Flexibility for remote offices and employees to use the company intranet over an existing Internet connection as if they were directly connected to the network
  Savings in time and expense for employees who work from virtual workplaces instead of commuting
  Improved productivity for remote employees

A company might not require all of these benefits from its VPN, but it should have the following essential attributes:

Security -- The VPN should protect data while it's traveling on the public network. If intruders attempt to capture the data, they should be unable to read or use it.

Reliability -- Employees and remote offices should be able to connect to the VPN with no trouble at any time (unless hours are restricted), and the VPN should provide the same quality of connection for each user even when it is handling its maximum number of simultaneous connections.

Scalability -- As an organization grows, it should be able to extend its VPN services to handle that growth without replacing the VPN technology altogether.

Equipment used in a VPN

VPN components are dedicated devices a business can add to its network. These devices can be purchased from companies that produce network equipment, such as Cisco:

VPN Concentrator -- A dedicated appliance whose hardware and software work together to terminate VPN tunnels and handle large numbers of simultaneous connections. It normally authenticates users against an external AAA server (RADIUS or TACACS+) rather than replacing it, so that user accounts are managed in one place.

VPN-enabled/VPN-optimized Router -- This is a typical router that delegates traffic on a network, but with the added feature of routing traffic using protocols specific to VPNs.

VPN-enabled Firewall -- This is a conventional firewall protecting traffic between networks, but with the added feature of managing traffic using protocols specific to VPNs.

VPN Client -- In a site-to-site design, a hardware VPN client is a dedicated device that acts as the tunnel interface for multiple connections. This setup spares each computer behind it from having to run its own VPN client software.
