This report is written in the author's own words and all sources have been properly cited.
Author’s signature:
Table of Contents
ACKNOWLEDGEMENTS .... 4
Abstract .... 5
Aim and Objectives .... 6
CHAPTER 1: Introduction .... 7
1.1 CISCO 1800 Series Router .... 7
1.2 Switching & Routing Functionality .... 7
1.3 Routing Protocol .... 8
1.4 VLAN (Virtual Local Area Network) .... 8
1.5 DMVPN (Dynamic Multipoint Virtual Private Network) .... 8
CHAPTER 2: Investigation on all the features of CISCO 1800 Series Routers .... 10
2.1 Cisco 1801, 1802 and 1803 Integrated Services Router .... 10
2.2 Cisco 1811 & 1812 Integrated Services Router .... 12
2.3 Cisco 1841 Integrated Services Router .... 14
2.4 Cisco 1861 Integrated Services Router .... 15
2.5 Cisco 1805 Integrated Services Router .... 16
CHAPTER 3: Switching and Routing Functionality .... 20
3.1 Layer 2 Switching .... 21
3.2 Layer 3 Routing .... 23
CHAPTER 4: Routing Protocol .... 24
4.1 Definition of Routing Protocol .... 24
4.2 How the Routing Protocol Works .... 24
4.3 IP Routing Principles .... 25
4.3.1 Classful Routing .... 25
4.3.2 Classless Routing .... 26
4.4 RIP (Routing Information Protocol) .... 27
4.5 IGRP & EIGRP (Enhanced Interior Gateway Routing Protocol) .... 29
4.6 IS-IS Protocol: Intermediate System - Intermediate System .... 31
4.7 SUBNETTING .... 32
CHAPTER 5: Virtual Local Area Network .... 34
5.1 Introduction .... 34
5.1.1 LAN Segmentation .... 35
5.1.2 Security .... 36
5.1.3 Broadcast Control .... 36
5.1.4 Performance .... 37
5.1.5 Network Management .... 37
5.2 VLAN Membership .... 37
5.2.1 Static VLANs .... 37
5.2.2 Dynamic VLANs .... 38
5.3 Types of Connections .... 38
5.3.1 Trunk Link or Trunk Port .... 38
5.3.2 Access Link or Access Port .... 39
5.3.3 Hybrid Link .... 39
5.4 Communicating between VLANs .... 40
5.4.1 Inter-Switch Link (ISL) protocol .... 40
5.4.2 IEEE 802.1Q protocol .... 40
5.5 VLAN Trunking Protocol (VTP) .... 40
5.6 VTP Modes of Operation .... 41
5.6.1 Server Mode .... 41
5.6.2 Client mode .... 42
5.6.4 Transparent mode .... 42
CHAPTER 6: Dynamic Multipoint VPN .... 42
6.1 What is NHRP? .... 43
6.2 What are GRE Tunnels? .... 44
6.3 Routing with DMVPN .... 45
6.3.1 Possible routing protocols .... 45
6.4 DMVPN Phases .... 45
6.4.1 Hub-and-spoke .... 45
6.4.2 Spoke-to-spoke .... 46
6.5 Sample mGRE and IPsec Integration Topology .... 46
6.6 IPSec Profiles .... 47
6.7 Benefits of Dynamic Multipoint VPN (DMVPN) .... 47
CHAPTER 7: Deliverables .... 48
7.1 Configuring VLANs On SDM .... 48
7.2 Configuring of DMVPN on CLI .... 59
DMVPN through R1, R2 & R3 (Hub and Spoke) .... 59
CHAPTER 8: Result and Discussion .... 70
8.1 VLAN Results & Discussion .... 70
8.2 DMVPN Results & Discussion .... 73
Conclusion .... 77
PROJECT PLANNING .... 78
Initial project planning .... 78
Final project planning .... 78
References .... 79
Appendix .... 81
ACKNOWLEDGEMENTS
Abstract
This report begins with an introduction to VLANs and DMVPN: why such technologies are
needed, how they work, what their benefits are, and how a VLAN (Virtual Local Area
Network) provides security to LAN networks and a DMVPN (Dynamic Multipoint Virtual
Private Network) to WAN networks.
The deployment workflow for VLAN and DMVPN covers the network design (topology),
physical connectivity (layer 1), logical connectivity (layers 2 and 3) and configuration
using IOS Version 12.4 (layer 4 and above). The final phase tests the configurations, using
different network monitoring commands for DMVPN (all in Command Line Interface (CLI)
mode) and different parameters in SDM (Security Device Manager) for VLAN. The
technologies in this project are based on NHRP (Next Hop Resolution Protocol), mGRE
(multipoint Generic Routing Encapsulation) tunnels, hub-and-spoke and spoke-to-spoke
tunnels, and VTP (VLAN Trunking Protocol). VTP is given particular emphasis in the
VLAN section.
Aim and Objectives
The aim of this project is to deploy the latest network security technologies on existing
LAN and WAN networks.
Objectives
The key objectives behind the study are as follows:
To discuss the features of all the 1800 CISCO series routers. The reason for
Protocols.
CHAPTER 1: Introduction
In addition, the 1800 series offers a stateful firewall, intrusion prevention, Network
Admission Control and URL filtering to protect and secure the network. The 1800 family
comes in a desktop form factor with both fixed and modular configuration models. [18]
The Cisco 1812 router used in this project provides high-speed broadband or Ethernet
access through two 10/100BASE-T Fast Ethernet WAN ports, and also provides integrated
WAN backup through a V.92 analog modem or ISDN S/T BRI interface. The Cisco 1812
routers are focused on Ethernet access and are designed to be offered as customer premises
equipment (CPE) in Metro Ethernet deployments. The eight-port switch is sufficient for
connecting multiple devices, and the optional PoE capability can supply power to IP
telephones or other devices. [15]
Layer 2 switching is used primarily for workgroup connectivity and network segmentation.
Traffic between users and servers in a workgroup can be contained within the switch. In
addition, the number of stations on a network segment can be reduced with a switch,
minimizing the collision domain size. [7]
1.3 Routing Protocol
In simple terms, a protocol is an agreed-upon set of rules that determines how something
will operate. A routing protocol is a set of rules that describes how Layer 3 routing devices
send updates to each other about the available networks. If more than one path to the
remote network exists, the protocol also determines how the best path or route is selected.
[8]
Routed Protocol and Routing Protocol: a routed protocol is one that defines a packet
structure and logical addressing, allowing routers to forward, or route, its packets.
Routers forward, or route, packets defined by routed (routable) protocols. [26]
Even though routing protocols such as RIP are different from routed protocols such as IP,
they work together very closely. The routing process forwards IP packets according to their
destination address; if no route to that address is known, the router discards the packet.
Routers need a routing protocol so that they can learn all the possible routes and add them
to the routing table, so that the routing process can forward routable protocols such as IP.
[26]
As an alternative solution, Virtual Local Area Networks (VLANs) were developed to control
broadcast traffic in LAN networks. VLANs are implemented not only to control broadcasts
but also to provide security, flexibility and segmentation. Routers in VLAN topologies
provide broadcast filtering, security, address summarization, and traffic flow management.
NHRP (Next Hop Resolution Protocol)
Next Hop Resolution Protocol (NHRP) is used by a source station (host or router)
connected to a Non-Broadcast, Multi-Access (NBMA) subnetwork to determine the
internetworking layer address and NBMA subnetwork addresses of the "NBMA next hop"
towards a destination station. If the destination is connected to the NBMA subnetwork,
then the NBMA next hop is the destination station itself. Otherwise, the NBMA next hop is
the egress router from the NBMA subnetwork that is "nearest" to the destination station.
NHRP is intended for use in a multiprotocol internetworking layer environment over
NBMA subnetworks. [27]
GRE was developed by Cisco and was designed to be stateless; the tunnel end-points do
not monitor the state or availability of other tunnel end-points. This feature helps service
providers support IP tunnels for clients, who won't know the service provider's internal
tunneling architecture; and it gives clients the flexibility of reconfiguring their IP
architectures without worrying about connectivity. GRE creates a virtual point-to-point link
with routers at remote points on an IP internetwork. [28]
CHAPTER 2: Investigation on all the features of CISCO 1800 Series Routers
The Cisco 1800 series is ideal for small to medium-sized businesses and small branch
offices. It provides WAN and LAN data connectivity, comprehensive security, wireless
integration and, with the Cisco 1861, support for unified communications solutions. [18]
The 1800 family is also ideal for network locations that require secure data and voice
communication over broadband or T1/E1 connections. This family comes in a desktop form
factor with both fixed and modular configuration models. The fixed configuration models
offer built-in DSL and Ethernet WAN ports combined with ISDN BRI or V.92 dial modem
backup interfaces. [18]
DSL (G.SHDSL) (Cisco 1803) while helping to ensure reliable networking with integrated
ISDN S/T BRI backup. The Cisco 1801, 1802, and 1803 routers combine the cost benefits
of DSL service with the advanced routing capability required for business use of the
Internet.
The Cisco 1801, 1802 and 1803 Integrated Services Routers provide similar features, as
follows:
• Secure broadband access with concurrent services for branch and small
offices.
• Integrated ISDN Basic Rate Interface (BRI), or Ethernet backup port for
redundant WAN links.
• LAN switching with optional inline PoE.
• Secure wireless LAN for simultaneous 802.11a and 802.11b/g operation with
use of multiple antennas.
Feature       Cisco 1801   Cisco 1802   Cisco 1803
DOCSIS 2.0    No           No           No
Table 1.1 Features Summary of Cisco 1801, 1802 & 1803 Routers [13]
• Secure broadband access with concurrent services for branch and small
offices
• Integrated ISDN Basic Rate Interface (BRI), analog modem, or Ethernet
backup port for redundant WAN links and load balancing
• LAN switching with optional inline PoE
• Secure wireless LAN for simultaneous 802.11a and 802.11b/g operation
with use of multiple antennas
• Advanced security including:
o Stateful Inspection Firewall
o IP Security (IPSec) VPNs (Triple Data Encryption Standard [3DES]
or Advanced Encryption Standard [AES])
o Dynamic Multipoint VPN (DMVPN) and Easy VPN
o Intrusion Prevention System (IPS)
o Antivirus support through Network Admission Control (NAC) and
enforcement of secure access policies
The Cisco 1811 and 1812 provide high-speed broadband or Ethernet access through two
10/100BASE-T Fast Ethernet WAN ports and also provide integrated WAN backup
through a V.92 analog modem (Cisco 1811) or ISDN S/T BRI interface (Cisco 1812). The
Cisco 1811 and 1812 routers are focused on Ethernet access and are designed to be offered
as customer premises equipment (CPE) in Metro Ethernet deployments. The eight-port
switch is sufficient for connecting multiple devices, and the optional PoE capability can
supply power to IP telephones or other devices. [15]
Feature       Cisco 1811   Cisco 1812
DOCSIS 2.0    No           No
2.3 Cisco 1841 Integrated Services Router
The Cisco 1841 Integrated Services Router is part of the Cisco 1800 Integrated Services
Router Series which complements the Integrated Services Router Portfolio.
The Cisco 1841 Integrated Services Router as shown in Figure 1.3 provides the following
support:
2.4 Cisco 1861 Integrated Services Router
This new platform delivers unified communications solutions to small and medium-sized
businesses and small branch offices, enabling anytime, anywhere secure access to
information.
Key Features
2.5 Cisco 1805 Integrated Services Router
The Cisco 1805 is the latest addition to the Cisco integrated services router portfolio, which
delivers multiple services, including feature-rich Cisco IOS Software routing, LAN
switching, and advanced security with secure cable WAN access technology.
The Cisco 1805 Integrated Services Router as shown Figure 1.5, provides:
Feature                                                                      Cisco 1805-D   Cisco 1805-EJ   Cisco 1805-D/K9
Two onboard Fast Ethernet WAN ports for WAN backup or for LAN connectivity   Yes            Yes             Yes
Flash memory                                                                 64 MB          64 MB           64 MB
CHAPTER 3: Switching and Routing Functionality
The standard reference model for communication between two end users is Open Systems
Interconnection (OSI). The model is used in developing products and understanding
networks.
Each layer has a specific function and a specific protocol so that two devices can exchange
data on the same layer. A protocol data unit (PDU) is the generic name for a block of data
that a layer on one device exchanges with the same layer on a peer device. [4]
OSI layer          PDU            Device
7 (application)
6 (presentation)
5 (session)
4 (transport)      TCP segment    TCP port
3 (network)        Packet         Router
2 (data link)      Frame          Switch/Bridge
1 (physical)
information. Upper-layer protocols are not looked at or even understood. [4]
Figure 3.2 shows how two devices exchange data on the same layer.
Figure 3.2 [2]
• Broadcast and multicast frames are flooded out to all ports
(except the one that received the frame).
• Frames destined for unknown locations are flooded out to all ports
(except the one that received the frame).
Figure 3.3, Layer 2 switch with External Router for Inter-VLAN traffic and connecting
to the Internet [5]
Bridges offer a frame forwarding service based on the physical addresses that are available
as part of Layer 2 (i.e., the MAC address of the destination) as well as performing the
signal regeneration functions of a repeater. A bridge monitors the traffic to learn which
addresses exist on which ports and then builds a table of forwarding rules to control the
switching process. Bridges must also identify and eliminate potential data loops (using the
spanning tree algorithm). A Layer 2 Switch functions as a multiport bridge. An
internetwork built entirely out of Layer 2 Switches appears as a single large network with a
“flat” address space. Layer 2 Switched networks have limited flexibility and scalability. [6]
When an IP packet is to be forwarded, a router uses its forwarding table to determine the
next hop for the packet's destination (based on the destination IP address in the IP packet
header), and forwards the packet appropriately. The next router then repeats this process
using its own forwarding table, and so on until the packet reaches its destination. At each
stage, the IP address in the packet header is sufficient information to determine the next
hop; no additional protocol headers are required. [7]
In addition, a router must examine each packet's Layer 3 header before making a routing
decision. Layer 3 security and control can be implemented on any router interface using
the source and destination addresses, protocol, or other Layer 3 attributes to decide
whether to limit or forward the packets. Although a router can be placed anywhere in a
network, it can become a bottleneck because of the latency of packet examination and
processing. [4]
• The routing protocol sends the information about the routes or
networks within the autonomous system, such as RIPv1, IGRP, and
EIGRP, and between autonomous systems with BGP-4.
• The routing table receives updates from the routing protocol and
provides the forwarding process with information on request.
• Prefix length—the forwarding process will use the route where the most number of
subnet bits match that of the destination network. It chooses the most specific
match, known as the match to the longest prefix length.[8]
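As an added worked example (not code from the report), the two selection steps just described in Python: administrative distance decides between routing sources that offer the same prefix, and longest-prefix match then picks the forwarding entry. The candidate routes and next-hop addresses are constructed, and the administrative distance table uses the values this report quotes for RIP, IGRP and EIGRP.

```python
import ipaddress

# Administrative distances quoted in this report (lower wins when two routing
# sources offer the same prefix): EIGRP summary 5, IGRP 100, RIP 120, external EIGRP 170.
ADMIN_DISTANCE = {"eigrp-summary": 5, "igrp": 100, "rip": 120, "eigrp-external": 170}

# Constructed candidate routes: (prefix, next hop, source protocol). Addresses are hypothetical.
CANDIDATES = [
    ("0.0.0.0/0", "10.0.0.1", "rip"),                 # default route
    ("192.168.0.0/24", "10.0.0.2", "rip"),            # whole Class C major network via RIP
    ("192.168.0.0/24", "10.0.0.9", "igrp"),           # same prefix via IGRP: better AD, wins
    ("192.168.0.0/29", "10.0.0.3", "rip"),            # one /29 subnet, as in the VLAN addressing plan
    ("192.168.0.8/29", "10.0.0.4", "eigrp-external"),
]


def build_routing_table(candidates):
    """Keep, per prefix, the candidate with the lowest administrative distance."""
    table = {}
    for prefix, next_hop, source in candidates:
        net = ipaddress.ip_network(prefix)
        ad = ADMIN_DISTANCE[source]
        if net not in table or ad < table[net][1]:
            table[net] = (next_hop, ad, source)
    return table


def longest_prefix_match(table, destination):
    """Forwarding lookup: the most specific prefix containing the destination wins."""
    dst = ipaddress.ip_address(destination)
    best = None
    for net, (next_hop, _ad, source) in table.items():
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, source)
    return best


def next_hop_for(destination, candidates=CANDIDATES):
    """Return (matched prefix, next hop, source) for a destination, or None."""
    match = longest_prefix_match(build_routing_table(candidates), destination)
    return (str(match[0]), match[1], match[2]) if match else None


if __name__ == "__main__":
    for dst in ("192.168.0.5", "192.168.0.9", "192.168.0.20", "8.8.8.8"):
        print(dst, "->", next_hop_for(dst))
```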
• Classful Routing
• Classless Routing
4.3.1 Classful Routing
• RIPv1
• IGRP
Classful routing protocols, such as RIPv1 and IGRP, exchange routes to subnetworks
within the same major network. This is possible because all of the subnetworks in the major
network have the same routing mask. Network administrators enforce this consistency
through administrative controls.
When routers exchange routes with a foreign network (a network with a different network
portion), subnetwork information from this network cannot be included, because the
routing mask of the other network is not known. As a result, the subnet information
from this network must be summarized to a classful boundary using a default routing
mask prior to inclusion in the routing update. The creation of a classful summary route at
major network boundaries is handled automatically by classful routing protocols.
Summarization at other points within the major network address is not allowed by
classful routing protocols.
The routing mask cannot be carried within the periodic routing updates. [10]
4.3.2 Classless Routing
Classless routing protocols, by contrast, include the routing mask with the route
advertisement:
• OSPF
• EIGRP
• RIPv2
• IS-IS
• BGP
Classless routing protocols use triggered updates to learn of topology changes. In order to
control routing table content, summary routes may be created. [10]
Classless Routing Example
RIP-1 is a classful routing protocol, so it does not advertise a subnet mask along with
advertised routes. For RIP to determine the subnet mask of the destination network,
RIP uses the subnet mask of the interface on which the route was received. This is true only
if the route received is a member of a directly connected major network. If the route
received is not of the same major network, the router tries to match only the major bit
boundary of the route (Class A, B, or C). For this reason, it is critical to preserve a consistent
bit mask in each major network throughout the entire RIP routing domain. [9]
A distance vector protocol floods reachability information to all routers
participating in the protocol, so that every router has a routing table containing the
complete set of destinations known to the participating routers.
• Each router initializes its routing table with a list of locally connected networks.
• Periodically, each router advertises the entire contents of its routing table over all of
its RIP-enabled interfaces.
o Whenever a RIP router receives such an advertisement, it puts all of the
appropriate routes into its routing table and begins using it to forward
packets. This process ensures that every network connected to every router
eventually becomes known to all routers.
o If a router does not continue to receive advertisements for a remote route, it
eventually times out that route and stops forwarding packets over it. In other
words, RIP is a "soft state" protocol.
• Every route has a property called a metric, which indicates the "distance" to the
route's destination.
o Every time a router receives a route advertisement, it increments the metric.
o Routers prefer shorter routes to longer routes when deciding which of two
versions of a route to program in the routing table.
o The maximum metric permitted by RIP is 16, and a metric of 16 means that a route is
unreachable. This means that the protocol cannot scale to networks where
there may be more than 15 hops to a given destination.
RIP also includes some optimizations of this basic algorithm to improve stabilization of the
routing database and to eliminate routing loops. [7]
• When router A has learnt a route from router B, it advertises the route back to B
with a metric of 16 (unreachable). This ensures that B is never under the impression
that A has a different way of getting to the same destination. This technique is
known as "split horizon with poison reverse."
• A "Request" message allows a newly-started router to rapidly query all of its
neighbors' routing tables. [7]
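The distance vector behaviour described in the bullets above (metric incremented on receipt, 16 meaning unreachable, split horizon with poison reverse), as an added simulation that is not part of the report. Router names, networks and the chain topology are constructed, and the `withdraw` method models a connected network going away by advertising it with metric 16 (route poisoning), an assumption beyond the bullets.

```python
INFINITY = 16  # RIP: a metric of 16 means the destination is unreachable


class RipRouter:
    def __init__(self, name, connected):
        self.name = name
        self.neighbors = []
        # network -> [metric, next_hop]; directly connected networks are 0 hops away
        self.table = {net: [0, None] for net in connected}

    def advertisement_for(self, neighbor):
        """Full table for one neighbour, with split horizon and poison reverse:
        routes learned from that neighbour are sent back to it as unreachable."""
        return {net: (INFINITY if next_hop == neighbor.name else metric)
                for net, (metric, next_hop) in self.table.items()}

    def receive(self, sender, adv):
        """Apply a neighbour's advertisement; return True if the table changed."""
        changed = False
        for net, metric in adv.items():
            new_metric = min(metric + 1, INFINITY)  # every hop increments the metric
            current = self.table.get(net)
            if current is None:
                if new_metric < INFINITY:           # never install an unreachable route
                    self.table[net] = [new_metric, sender.name]
                    changed = True
            elif current[1] == sender.name:
                # the route came from this neighbour: accept its new metric, better or worse
                if current[0] != new_metric:
                    current[0] = new_metric
                    changed = True
            elif new_metric < current[0]:           # shorter route from another neighbour
                self.table[net] = [new_metric, sender.name]
                changed = True
        return changed

    def withdraw(self, net):
        """Route poisoning: keep a lost network but advertise it with metric 16."""
        self.table[net] = [INFINITY, None]


def link(a, b):
    a.neighbors.append(b)
    b.neighbors.append(a)


def run_rip(routers, max_rounds=100):
    """One round = every router advertises to each neighbour. Returns the round
    in which the tables stopped changing (convergence)."""
    for rnd in range(1, max_rounds + 1):
        changed = False
        for r in routers:
            for n in r.neighbors:
                changed |= n.receive(r, r.advertisement_for(n))
        if not changed:
            return rnd
    return max_rounds


def build_chain(n):
    """n routers in a line R1..Rn (constructed). Ri has stub network 10.1.i.0/24
    and shares link network 10.0.i.0/24 with R(i+1)."""
    routers = []
    for i in range(1, n + 1):
        nets = [f"10.1.{i}.0/24"]
        if i > 1:
            nets.append(f"10.0.{i - 1}.0/24")
        if i < n:
            nets.append(f"10.0.{i}.0/24")
        routers.append(RipRouter(f"R{i}", nets))
    for left, right in zip(routers, routers[1:]):
        link(left, right)
    return routers


if __name__ == "__main__":
    chain = build_chain(3)
    run_rip(chain)
    print("R1 table:", chain[0].table)
    print("R1 -> R2 advertisement (poison reverse):", chain[0].advertisement_for(chain[1]))
```

A chain of 18 routers shows the hop limit: R1 installs R16's stub at metric 15 but never installs R17's or R18's, because they would arrive at metric 16.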
The default hold-down time for RIP is 180 seconds, and the administrative distance of RIPv1
and RIPv2 is 120. [10]
EIGRP is an enhanced version of IGRP, hence the name. It uses the same distance vector
technology as IGRP. The changes were effected in the convergence properties and the
operating efficiency of the protocol. EIGRP has some characteristics similar to those of a
link-state routing protocol. Therefore, it is sometimes referred to as a hybrid routing
protocol, although Cisco calls it an advanced distance vector protocol. EIGRP is an
efficient, although proprietary, solution to networking large environments because it scales
well. Its ability to scale is, like OSPF, dependent on the design of the network. [8]
IGRP Features
IGRP has features that differentiate it from other distance vector protocols:
• Scalability— A hop count limit of 255 provides a broader network diameter versus
RIP's hop count limit of 15. The default maximum hop count for IGRP is 100.
• Faster convergence— IGRP uses flash updates, which are updates that are sent to
neighboring routers when topology changes occur.
• Sophisticated metric— IGRP uses a composite metric based on five individual
metrics (bandwidth, delay, reliability, load, and MTU) to influence routing
decisions.
• Unequal cost load balancing— IGRP composite routing metrics allow for load
balancing across multiple unequal cost paths. [9]
EIGRP Features
The goal of EIGRP is to solve the scaling limitations that IGRP faces, using the distance vector
technology from which it grew. EIGRP increases the potential growth of a network by reducing the
convergence time. This is achieved by the following features:
• DUAL (Diffusing Update Algorithm)
• Rapid convergence
DUAL
DUAL is one of the main features of EIGRP. It diffuses the routing computation over
multiple Routers.
Rapid Convergence
The use of the DUAL algorithm stores not only the best path to the destination, but also the
close contenders. If a network fails, the router can immediately switch to the alternate
route. If there are no alternative routes, then the router will query neighbors to see whether
they have a path to the destination.
Using multicast and unicast addressing to send and acknowledge updates restricts the
potential use of both bandwidth and the other system’s CPU to the essential requirements.
EIGRP also uses only incremental updates, as opposed to periodic updates.
Because it grew out of IGRP, EIGRP is backward-compatible with IGRP. This allows for
seamless transitions to EIGRP and support for older, smaller networks that have neither the
need nor the capability to upgrade. EIGRP automatically redistributes IP routes learned into
the IGRP process as long as the autonomous system number used to configure the
processes is the same.
EIGRP uses the same metric as IGRP (bandwidth and delay as the default), though EIGRP
has expanded the metric to 32-bit, allowing for greater scaling and granularity. An
intelligent metric will select the shortest path.
Unequal-cost load balancing allows all links to a destination to be used to carry data
without saturating the slower links. [8]
The administrative distance for IGRP is 100; for an EIGRP summary route it is 5 and for
external EIGRP it is 170. [10]
IS-IS is a link-state routing protocol, which means that the routers exchange topology
information with their nearest neighbors. The topology information is flooded throughout
the AS, so that every router within the AS has a complete picture of the topology of the AS.
This picture is then used to calculate end-to-end paths through the AS, normally using a
variant of the Dijkstra algorithm. Therefore, in a link-state routing protocol, the next hop
address to which data is forwarded is determined by choosing the best end-to-end path to
the eventual destination. [7]
The main advantage of a link state routing protocol is that the complete knowledge of
topology allows routers to calculate routes that satisfy particular criteria. This can be useful
for traffic engineering purposes, where routes can be constrained to meet particular quality
of service requirements. The main disadvantage of a link state routing protocol is that it
does not scale well as more routers are added to the routing domain. Increasing the number
of routers increases the size and frequency of the topology updates, and also the length of
time it takes to calculate end-to-end routes. This lack of scalability means that a link state
routing protocol is unsuitable for routing across the Internet at large, which is the reason
why IGPs only route traffic within a single AS. [7]
The routing table of IS-IS contains all the destinations the routing protocol knows about,
associated with a next hop IP address and outgoing interface.
• The protocol recalculates routes when the network topology changes, using the Dijkstra
algorithm, and minimizes the routing protocol traffic that it generates. It provides
support for multiple paths of equal cost.
• All protocol exchanges can be authenticated so that only trusted routers can join in
the routing exchanges for the AS. [7]
4.7 SUBNETTING
Large organizations fall into Class A
Actually, five classes of addresses are used on the Internet. The other
two classes represent multicast (Class D) and experimental addresses
(Class E). Routing protocols and videoconferencing increasingly use
Class D addresses. [8]
The following table of IP addresses for the network 192.168.0.0 with the subnet mask
255.255.255.248 is used for the implementation of VLANs.
Network        Hosts (from)    Hosts (to)      Broadcast Address
192.168.0.0    192.168.0.1     192.168.0.6     192.168.0.7
192.168.0.8    192.168.0.9     192.168.0.14    192.168.0.15
192.168.0.16   192.168.0.17    192.168.0.22    192.168.0.23
192.168.0.24   192.168.0.25    192.168.0.30    192.168.0.31
192.168.0.32   192.168.0.33    192.168.0.38    192.168.0.39
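An added example (not code from the report) that reproduces the addressing table above with Python's ipaddress module and, for the classful routing discussion in section 4.3.1, summarises a subnet to its classful (Class A/B/C) boundary. It assumes the major network is the Class C network 192.168.0.0/24; `same_subnet` is a helper added here to check whether two hosts share a subnet.

```python
import ipaddress


def mask_to_prefix(mask):
    """Dotted-decimal mask (e.g. 255.255.255.248) to prefix length (29)."""
    return ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen


def subnet_plan(major_network, mask, count=None):
    """Split major_network with the given mask and return, per subnet, the network
    address, first/last usable host and broadcast address (the table's columns)."""
    rows = []
    for subnet in ipaddress.ip_network(major_network).subnets(new_prefix=mask_to_prefix(mask)):
        hosts = list(subnet.hosts())          # usable addresses between network and broadcast
        rows.append({
            "network": str(subnet.network_address),
            "first_host": str(hosts[0]),
            "last_host": str(hosts[-1]),
            "broadcast": str(subnet.broadcast_address),
            "usable_hosts": len(hosts),
        })
        if count is not None and len(rows) == count:
            break
    return rows


def same_subnet(host_a, host_b, mask):
    """True when two hosts fall in the same subnet (one VLAN's broadcast domain);
    hosts in different subnets need a router to reach each other."""
    net_a = ipaddress.ip_network(f"{host_a}/{mask_to_prefix(mask)}", strict=False)
    return ipaddress.ip_address(host_b) in net_a


def classful_summary(prefix):
    """Classful boundary a classful protocol (RIPv1, IGRP) summarises to at a major
    network border: first octet < 128 Class A /8, < 192 Class B /16, < 224 Class C /24."""
    net = ipaddress.ip_network(prefix, strict=False)
    first_octet = int(net.network_address) >> 24
    if first_octet < 128:
        classful_len = 8
    elif first_octet < 192:
        classful_len = 16
    elif first_octet < 224:
        classful_len = 24
    else:
        raise ValueError("Class D/E addresses have no classful network boundary")
    if net.prefixlen < classful_len:      # already wider than the classful network
        return str(net)
    return str(net.supernet(new_prefix=classful_len))


def vlan_subnets():
    # Assumption: 192.168.0.0 is the Class C major network 192.168.0.0/24.
    return subnet_plan("192.168.0.0/24", "255.255.255.248", count=5)


if __name__ == "__main__":
    print(f"{'Network':<15}{'First host':<15}{'Last host':<15}Broadcast")
    for row in vlan_subnets():
        print(f"{row['network']:<15}{row['first_host']:<15}{row['last_host']:<15}{row['broadcast']}")
```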
5.1 Introduction
Shared Ethernet media operate at OSI Layer 1 (the physical layer).
Each host must share the available bandwidth with every other connected
host. When more than one host tries to talk at one time, a collision occurs, and
everyone must back off and wait to talk again. This forces every host to
operate in half-duplex mode, by either talking or listening at any given time. In
addition, when one host sends a frame, all connected hosts hear it. When one
host generates a frame with errors, everyone hears that, too. [7]
In other words, in a Local Area Network (LAN), when one user forwards data, the broadcast
is received by every user in that LAN. By default, routers break up broadcast domains and
bridges break up collision domains. The question, then, is how to break up broadcast
domains in a pure switched internetwork. The answer is the VLAN.
A VLAN is a logical group of network users and resources connected to administratively
defined ports on a switch. When we create VLANs we gain the ability to create smaller
broadcast domains within a Layer 2 switched internetwork by assigning different ports on
the switch to different subnetworks. A VLAN is treated like its own subnet or broadcast
domain, meaning that frames broadcast onto the network are only switched between the
ports logically grouped within the same VLAN. [3]
VLANs are created to provide the segmentation services traditionally provided by routers
in LAN configurations. VLANs address scalability, security, and network management.
Routers in VLAN topologies provide broadcast filtering, security, address summarization,
and traffic flow management.
• LAN Segmentation
• Security
• Broadcast Control
• Performance
• Network Management
The problems associated with shared LANs and the emergence of switches are causing
traditional LAN configurations to be replaced with switched VLAN internetworking
configurations. Switched VLAN configurations vary from LAN configurations in the
following ways:
• Switches replace front-end hubs in the wiring closet. Switches are easily installed
with little or no cabling changes, and can completely replace a shared hub with per
port service to each user.
• VLANs are created to provide the segmentation services traditionally provided by
routers in LAN configurations. A VLAN is a switched network that is logically
segmented by functions, project teams, or applications without regard to the
physical location of users. Each switch port can be assigned to a VLAN. Ports in a
VLAN share broadcasts. Ports that do not belong to that VLAN do not share these
broadcasts. This improves the overall performance of the network.
• Communication between VLANs is provided by layer 3 routing. [20]
Figure 5.1 illustrates the difference between traditional physical LAN segmentation and
logical VLAN segmentation.
Figure 5.1: LAN Segmentation and VLAN Segmentation [20]
5.1.2 Security
Security in a flat internetwork used to be handled by connecting hubs and switches
together with a router, so it was basically the router's job to maintain security. This
arrangement offered little protection, for several reasons. First, anyone who could
connect to the physical network could access the network resources located on that
physical LAN. Most importantly, a user could join a workgroup simply by plugging their
workstation into an existing hub.
If instead we build VLANs and create multiple broadcast groups, we have control over
each port and each user. Someone who plugs a workstation into any switch port no longer
automatically gains access to network resources, because each port is now controlled, and
the switch can be configured to inform management of access attempts by any unauthorized
workstation. We can also place restrictions on hardware addresses and applications. [19]
Broadcasts occur in every protocol, but how often they occur depends upon three things:
• The applications running on the internetwork
• How these services are used
All devices within a VLAN are members of the same broadcast domain and receive all
broadcasts. By default, these broadcasts are filtered from all ports on the switch that are
not members of the same VLAN; that is, a switch port that is not part of that VLAN cannot
receive the broadcast. [19]
5.1.4 Performance
Although many analysts have suggested that VLANs enhance the ability to deploy
centralized servers, customers may look at enterprise-wide VLAN implementation and
see difficulties in enabling full, high-performance access to centralized servers.
■ Static VLAN
■ Dynamic VLAN
5.2.1 Static VLANs
No VLAN membership protocol is needed for the end devices; they automatically assume
VLAN connectivity when they connect to a port.
Normally, the end device is not even aware that the VLAN exists. The switch port and its
VLAN simply are viewed and used as any other network segment, with other “locally
attached” members on the wire. The static port-to-VLAN membership normally is handled
in hardware with application-specific integrated circuits (ASICs) in the switch. This
membership provides good performance because all port mappings are done at the
hardware level, with no complex table lookups needed. [4]
5.2.2 Dynamic VLANs
Dynamic VLANs provide membership based on the MAC address of an end-user device.
When a device is connected to a switch port, the switch must, in effect, query a database to
establish VLAN membership. A network administrator also must assign the user’s MAC
address to a VLAN in the database of a VLAN Membership Policy Server (VMPS).
Dynamic VLANs allow a great deal of flexibility and mobility for end users but require
more administrative overhead. [4]
All the devices connected to a trunk link, including workstations, must be VLAN-aware.
All frames on a trunk link must have a special header attached. These special frames are
called tagged frames. [1]
Figure 5.2: Trunk link between two VLAN-aware bridges. [1]
Figure 5.3: Access link between a VLAN-aware bridge and a VLAN-unaware device. [1]
A hybrid link is a combination of the previous two links: a link to which both VLAN-aware
and VLAN-unaware devices are attached. A hybrid link can carry both tagged and untagged
frames, but all the frames for a specific VLAN must be either tagged or untagged.
Figure 5.4: Hybrid link containing both VLAN-aware and VLAN-unaware devices. [1]
5.4 Communicating between VLANs
VLAN frame identification was developed for switched networks. As each
frame is transmitted over a trunk link, a unique identifier is placed in the
frame header. As each switch along the way receives these frames, the
identifier is examined to determine to which VLAN the frames belong
and then is removed.
If frames must be transported out another trunk link, the VLAN identifier
is added back into the frame header. Otherwise, if frames are destined
out an access (nontrunk) link, the switch removes the VLAN identifier
before transmitting the frames to the end station. Therefore, all traces of
VLAN associations are hidden from the end station.
When a frame is destined out a trunk link to another switch or router, ISL adds a 26-byte
header and a 4-byte trailer to the frame. The source VLAN is identified with a 15-bit
VLAN ID field in the header. The trailer contains a cyclic redundancy check (CRC) value
to ensure the data integrity of the new encapsulated frame. [4]
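The tag add/strip behaviour on trunk and access links described in this section, together with the per-VLAN broadcast domain of section 5.1, as an added example that is not part of the report. It assumes the IEEE 802.1Q tag format (TPID 0x8100, 12-bit VLAN ID), which the report does not name, rather than ISL; port names and MAC addresses are constructed for the model.

```python
import struct

TPID_8021Q = 0x8100                       # EtherType value that announces a VLAN tag
BROADCAST = bytes.fromhex("ffffffffffff")


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan: int = None) -> bytes:
    """Ethernet II frame; with vlan set, an 802.1Q tag (PCP=0, DEI=0) is inserted."""
    if vlan is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    if not 1 <= vlan <= 4094:             # 0 and 4095 are reserved
        raise ValueError("VLAN ID out of range")
    return dst + src + struct.pack("!HHH", TPID_8021Q, vlan, ethertype) + payload


def parse_frame(frame: bytes):
    """Return (dst, src, vlan_id_or_None, ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, ethertype, frame[18:]
    return dst, src, None, ethertype, frame[14:]


class VlanSwitch:
    """Access ports carry untagged frames of one VLAN; trunk ports carry tagged frames."""

    def __init__(self):
        self.access = {}        # port name -> VLAN ID
        self.trunks = set()     # port names
        self.mac_table = {}     # (vlan, mac) -> port: learning is kept per VLAN

    def add_access_port(self, port: str, vlan: int):
        self.access[port] = vlan

    def add_trunk_port(self, port: str):
        self.trunks.add(port)

    def forward(self, ingress: str, frame: bytes) -> dict:
        """Return {egress port: frame as sent on that wire}; {} means dropped."""
        dst, src, tag, ethertype, payload = parse_frame(frame)
        if ingress in self.access:
            vlan = self.access[ingress]
            if tag is not None and tag != vlan:
                # The port, not the host, decides membership: a self-chosen tag is dropped.
                return {}
        elif ingress in self.trunks:
            if tag is None:
                return {}       # untagged on a trunk: no native VLAN in this model, so dropped
            vlan = tag
        else:
            raise KeyError(f"unknown port {ingress}")
        self.mac_table[(vlan, src)] = ingress
        untagged = build_frame(dst, src, ethertype, payload)        # access egress: tag removed
        tagged = build_frame(dst, src, ethertype, payload, vlan)    # trunk egress: tag (re)added
        known = self.mac_table.get((vlan, dst))
        if dst != BROADCAST and known is not None:
            targets = [known]
        else:   # broadcast or unknown unicast: flood, but only inside this VLAN
            targets = [p for p, v in self.access.items() if v == vlan] + sorted(self.trunks)
        return {p: (tagged if p in self.trunks else untagged)
                for p in targets if p != ingress}
```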
The IEEE 802.10 protocol provides connectivity between VLANs. Originally developed to
address the growing need for security within shared LAN/MAN environments, it
incorporates authentication and encryption techniques to ensure data confidentiality and
integrity throughout the network. Additionally, by functioning at Layer 2, it is well suited
to high-throughput, low-latency switching environments. IEEE 802.10 protocol can run
over any LAN or HDLC serial interface. [20]
VTP is a protocol that runs over trunk links and synchronizes the VLAN databases of all
switches in the VTP domain. A VTP domain is an administrative group—all switches
within that group must have the same VTP domain name configured or they do not
synchronize databases.
• If the new number is lower, the switch replies with the more up-to-date information
contained in its own database. [2]
• Server Mode
• Client Mode
• Transparent Mode
VTP servers have full control over VLAN creation and modification for
their domains. All VTP information is advertised to other switches in the
domain, while all received VTP information is synchronized with the
other switches. By default, a switch is in VTP server mode. Note that
each VTP domain must have at least one server so that VLANs can be
created, modified, or deleted and VLAN information can be propagated. [4]
3) Dynamic IPsec encryption
4) Dynamic Routing Protocol (EIGRP, RIP, OSPF, BGP)
5) Cisco Express Forwarding (CEF) [24]
NHRP Phase 1
In NHRP Phase 1, mGRE uses NHRP to inform the hub about dynamically appearing spokes.
Initially, we configure every spoke with the IP address of the hub as its NHS (next-hop
server). However, the spoke's tunnel mode is a regular point-to-point GRE tunnel with a
fixed destination IP equal to the physical address of the hub. The spokes can only reach
the hub, and reach other spoke networks across the hub. The benefit of Phase 1 is a
simplified hub router configuration, which does not require a static NHRP mapping for
every new spoke.
As all packets go across the hub, almost any dynamic routing protocol would help with
attaining reachability. The hub just needs to advertise a default route to spokes, while
spokes should advertise their subnets dynamically to the hub. Probably it makes sense to
run EIGRP and summarize all subnets to 0.0.0.0/0 on the hub, effectively sending a default
route to all spokes (if the spokes do not use any other default route, e.g. from their ISPs).
Configure spokes as EIGRP stubs and advertise their respective connected networks. RIP
could be set up in similar manner, by simply configuring GRE tunnels on spokes as passive
interfaces. Both EIGRP and RIP require split-horizon disabled on the hub mGRE interface
in order to exchange subnets spoke to spoke. As for OSPF, the optimal choice would be
using point-to-multipoint network type on all GRE and mGRE interfaces. In addition to
that, configure ip ospf database filter-all out on the hub and set up static default routes via
tunnel interfaces on the spokes. [24]
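Why the hub mGRE interface needs split horizon disabled (the no ip split-horizon eigrp 123 line in the report's R3 configuration), as an added example that is not from the report: a minimal distance-vector model in which R1 and R2 are both neighbours of R3 on the single interface Tunnel1. Router, interface and prefix names are the report's; the advertisement format and the first-learned-wins rule are invented for the model.

```python
class Router:
    """Distance-vector router with no metrics: enough to show the split-horizon effect."""

    def __init__(self, name: str, split_horizon: bool = True):
        self.name = name
        self.split_horizon = split_horizon
        self.routes = {}        # prefix -> (next_hop or None if connected, interface learned on)
        self.neighbors = {}     # neighbour name -> local interface that reaches it

    def connected(self, prefix: str, iface: str):
        self.routes[prefix] = (None, iface)

    def add_neighbor(self, name: str, iface: str):
        self.neighbors[name] = iface

    def advertisement_for(self, neighbor: str) -> dict:
        """Routes sent to one neighbour. Split horizon: never re-advertise a route
        out of the interface it was learned on (or is connected to)."""
        out_iface = self.neighbors[neighbor]
        adv = {}
        for prefix, (_, learned_on) in self.routes.items():
            if self.split_horizon and learned_on == out_iface:
                continue
            adv[prefix] = self.name          # next hop is the advertising router
        return adv

    def receive(self, from_neighbor: str, adv: dict):
        iface = self.neighbors[from_neighbor]
        for prefix, next_hop in adv.items():
            if prefix not in self.routes:    # first-learned wins; the model has no metrics
                self.routes[prefix] = (next_hop, iface)


def build_dmvpn(split_horizon_on_hub: bool):
    """R3 is the hub; R1 and R2 hang off its one multipoint interface Tunnel1."""
    hub = Router("R3", split_horizon=split_horizon_on_hub)
    r1, r2 = Router("R1"), Router("R2")
    hub.connected("172.16.3.0/24", "Loopback15")
    r1.connected("172.16.1.0/24", "Loopback15")
    r2.connected("172.16.2.0/24", "Loopback15")
    for spoke in (r1, r2):
        hub.add_neighbor(spoke.name, "Tunnel1")   # same hub interface for every spoke
        spoke.add_neighbor(hub.name, "Tunnel1")
    return hub, r1, r2


def converge(hub: Router, r1: Router, r2: Router, rounds: int = 3) -> dict:
    """Exchange advertisements spoke->hub, then hub->spoke, a few times; return
    the sorted prefixes each router ends up with."""
    for _ in range(rounds):
        for spoke in (r1, r2):
            hub.receive(spoke.name, spoke.advertisement_for(hub.name))
        for spoke in (r1, r2):
            spoke.receive(hub.name, hub.advertisement_for(spoke.name))
    return {r.name: sorted(r.routes) for r in (hub, r1, r2)}


def spoke_routes(split_horizon_on_hub: bool) -> dict:
    return converge(*build_dmvpn(split_horizon_on_hub))


if __name__ == "__main__":
    for setting in (True, False):
        print("hub split horizon =", setting, "->", spoke_routes(setting))
```

With split horizon left on, R1 and R2 each learn only the hub's own subnet; with it off they also learn each other's subnets, with R3 as next hop.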
o Point-to-point (GRE)
o Point-to-multipoint (mGRE) [23]
Classic GRE tunnel is point-to-point, but mGRE generalizes this idea by allowing a tunnel
to have “multiple” destinations.
This may seem natural if the tunnel destination address is multicast (e.g. 239.1.1.1). The
tunnel could be used to effectively distribute the same information (e.g. video stream) to
multiple destinations on top of a multicast-enabled network. Actually, this is how mGRE is
used for Multicast VPN implementation in Cisco IOS. However, if tunnel endpoints need
to exchange unicast packets, special “glue” is needed to map tunnel IP addresses to
“physical” or “real” IP addresses, used by endpoint routers. [24]
6.3 Routing with DMVPN
• Spoke learns of all private networks on the other spokes and the hub via routing updates
sent via the hub
• IP next-hop for a spoke network is the tunnel interface for that spoke
6.4.1 Hub-and-spoke
Spoke-to-spoke traffic through hub; requires about the same number of tunnels as spokes
Figure 6.3 Hub-to-spokes and Dynamic spoke-to-spoke tunnels
6.4.2 Spoke-to-spoke
Number of tunnels falls between the number of spokes n and n² (full mesh), where n is the
number of spokes [25]
• When a spoke needs to send a packet to a destination (private) subnet on another spoke,
it queries the NHRP server for the real (outside) address of the destination (target) spoke.
• After the originating spoke "learns" the peer address of the target spoke, it can initiate a
dynamic IPSec tunnel to the target spoke.
• The spoke-to-spoke links are established on demand whenever there is traffic between
the spokes. Thereafter, packets can bypass the hub and use the spoke-to-spoke tunnel. [22]
6.6 IPSec Profiles
IPSec profiles abstract IPSec policy information into a single configuration entity, which
can be referenced by name from other parts of the configuration. Therefore, users can
configure functionality such as GRE tunnel protection with a single line of configuration.
By referencing an IPSec profile, the user does not have to configure an entire crypto map
configuration. An IPSec profile contains only IPSec information; that is, it does not contain
any access list information or peering information. [22]
• Currently, for each spoke router, there is a separate block of configuration lines on the
hub router that define the crypto map characteristics, the crypto access list, and the GRE
tunnel interface. This feature allows users to configure a single mGRE tunnel interface, a
single IPSec profile, and no crypto access lists on the hub router to handle all spoke routers.
Thus, the size of the configuration on the hub router remains constant even if spoke routers
are added to the network.
• DMVPN architecture can group many spokes into a single multipoint GRE interface,
removing the need for a distinct physical or logical interface for each spoke in a native
IPSec installation.
GRE has the peer source and destination address configured or resolved with NHRP. Thus,
this feature allows IPSec to be immediately triggered for the point-to-point GRE tunneling
or when the GRE peer address is resolved via NHRP for the multipoint GRE tunnel.
When using point-to-point GRE and IPSec hub-and-spoke VPN networks, the physical
interface IP address of the spoke routers must be known when configuring the hub router,
because that IP address must be configured as the GRE tunnel destination address. This
feature allows spoke routers to have dynamic physical interface IP addresses (common for
cable and DSL connections). When the spoke router comes online, it sends registration
packets to the hub router; within these registration packets is the current physical
interface IP address of this spoke.
This feature eliminates the need for spoke-to-spoke configuration for direct tunnels. When
a spoke router wants to transmit a packet to another spoke router, it can now use NHRP to
dynamically determine the required destination address of the target spoke router (The hub
router acts as the NHRP server, handling the request for the source spoke router). The two
spoke routers dynamically create an IPSec tunnel between them so data can be directly
transferred. [22]
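The NHRP registration and resolution exchange described above (and in section 6.4.2), as an added example that is not from the report: R3 acts as the NHS, R1 and R2 as spokes, using the lab's network-id 123, authentication string DMVPN and tunnel/physical addresses. The message dictionaries are invented for the model, as are the misconfigured spoke Rx and its constructed address 203.0.113.9, used to show a rejected registration.

```python
from dataclasses import dataclass, field


@dataclass
class NhrpServer:
    """The hub as next-hop server: maps tunnel IPs to physical (NBMA) IPs."""
    network_id: int
    auth: str
    cache: dict = field(default_factory=dict)    # tunnel IP -> NBMA IP, learned dynamically

    def _accept(self, msg: dict) -> bool:
        # Both ip nhrp network-id and ip nhrp authentication must match.
        return msg["network_id"] == self.network_id and msg["auth"] == self.auth

    def registration(self, msg: dict) -> dict:
        """A spoke reports its current physical address (dynamic spokes)."""
        if not self._accept(msg):
            return {"type": "registration-reply", "ok": False, "reason": "auth/network-id mismatch"}
        self.cache[msg["tunnel_ip"]] = msg["nbma_ip"]
        return {"type": "registration-reply", "ok": True}

    def resolution(self, msg: dict) -> dict:
        """A spoke asks for the physical address behind another spoke's tunnel IP."""
        if not self._accept(msg):
            return {"type": "resolution-reply", "ok": False, "reason": "auth/network-id mismatch"}
        nbma = self.cache.get(msg["target"])
        if nbma is None:
            return {"type": "resolution-reply", "ok": False, "reason": "unknown target"}
        return {"type": "resolution-reply", "ok": True, "target": msg["target"], "nbma_ip": nbma}


@dataclass
class Spoke:
    name: str
    tunnel_ip: str
    nbma_ip: str
    network_id: int
    auth: str
    nhs_tunnel_ip: str
    nhs_nbma_ip: str
    cache: dict = field(default_factory=dict)     # tunnel IP -> NBMA IP
    tunnels: set = field(default_factory=set)     # NBMA peers with a dynamic spoke-to-spoke tunnel

    def __post_init__(self):
        self.cache[self.nhs_tunnel_ip] = self.nhs_nbma_ip   # the static ip nhrp map to the hub

    def _msg(self, **fields) -> dict:
        return {"network_id": self.network_id, "auth": self.auth, **fields}

    def register(self, nhs: NhrpServer) -> bool:
        reply = nhs.registration(self._msg(type="registration",
                                           tunnel_ip=self.tunnel_ip, nbma_ip=self.nbma_ip))
        return reply["ok"]

    def send_to(self, nhs: NhrpServer, target_tunnel_ip: str) -> tuple:
        """Return (path, NBMA endpoint) used for one packet to a tunnel IP.
        The packet that triggers a resolution still goes via the hub; once the
        reply is cached, later packets use the direct spoke-to-spoke tunnel."""
        if target_tunnel_ip in self.cache:
            return ("direct", self.cache[target_tunnel_ip])
        reply = nhs.resolution(self._msg(type="resolution", target=target_tunnel_ip))
        if reply["ok"]:
            self.cache[target_tunnel_ip] = reply["nbma_ip"]
            self.tunnels.add(reply["nbma_ip"])        # dynamic IPsec tunnel to that peer
        return ("via-hub", self.nhs_nbma_ip)


def lab_exchange() -> dict:
    """Run the lab topology: R3 hub, R1/R2 spokes, then R1 sends twice to R2."""
    nhs = NhrpServer(123, "DMVPN")
    r1 = Spoke("R1", "172.16.123.1", "192.1.123.1", 123, "DMVPN", "172.16.123.3", "192.1.10.3")
    r2 = Spoke("R2", "172.16.123.2", "192.1.123.2", 123, "DMVPN", "172.16.123.3", "192.1.10.3")
    registered = r1.register(nhs) and r2.register(nhs)
    first = r1.send_to(nhs, "172.16.123.2")
    second = r1.send_to(nhs, "172.16.123.2")
    return {"registered": registered, "nhs_cache": dict(nhs.cache),
            "first": first, "second": second, "r1_tunnels": set(r1.tunnels)}


if __name__ == "__main__":
    print(lab_exchange())
```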
CHAPTER 7: Deliverables
The following figure 7.1 shows the network structure for the deployment of VLANs.
Router 1812W is connected to different VLANs and to a single hub, which is also
connected to a single VLAN. Physical connectivity of the network is provided by
straight-through cable.
Figure 7.1 (diagram: Router connected to Vlan1, Vlan2, Hub and Vlan4)
Following is the list of the IP addresses used in the above defined network to construct
VLANs, for the network 192.168.0.0 with the subnet mask 255.255.255.248.
Network          Hosts (from)     Hosts (to)       Broadcast Address
192.168.0.0      192.168.0.1      192.168.0.6      192.168.0.7
192.168.0.8      192.168.0.9      192.168.0.14     192.168.0.15
192.168.0.16     192.168.0.17     192.168.0.22     192.168.0.23
192.168.0.24     192.168.0.25     192.168.0.30     192.168.0.31
192.168.0.32     192.168.0.33     192.168.0.38     192.168.0.39
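The /29 arithmetic behind this table (and the identical table in section 4.7), as an added example that is not part of the report: it derives each row from the mask with integer operations, reports the wildcard mask that the report's access lists and EIGRP network statements use, and checks the VLAN gateway addresses from the appendix configuration against their blocks. The gateway list is copied from that configuration; everything else is constructed here.

```python
from ipaddress import IPv4Address   # used only to convert between dotted and integer form


def to_int(dotted: str) -> int:
    return int(IPv4Address(dotted))


def to_dotted(value: int) -> str:
    return str(IPv4Address(value))


def subnet_facts(address: str, mask: str) -> dict:
    """Network, usable host range, broadcast and wildcard for any address in a subnet."""
    addr, msk = to_int(address), to_int(mask)
    wildcard = ~msk & 0xFFFFFFFF              # the inverse mask used in IOS ACLs / network statements
    if (wildcard + 1) & wildcard:             # valid masks are a run of 1s followed by 0s
        raise ValueError("non-contiguous subnet mask: " + mask)
    network = addr & msk
    broadcast = network | wildcard
    prefix = 32 - wildcard.bit_length()
    # /31 and /32 have no separate network/broadcast addresses; the report only uses /29
    first = network + 1 if prefix <= 30 else network
    last = broadcast - 1 if prefix <= 30 else broadcast
    return {
        "network": to_dotted(network), "first": to_dotted(first),
        "last": to_dotted(last), "broadcast": to_dotted(broadcast),
        "wildcard": to_dotted(wildcard), "prefix": prefix,
        "hosts": (wildcard + 1) - 2 if prefix <= 30 else wildcard + 1,
    }


def subnet_table(base: str, mask: str, count: int) -> list:
    """The report's table: consecutive equal-size subnets starting at base."""
    block = (~to_int(mask) & 0xFFFFFFFF) + 1
    start = to_int(base) & to_int(mask)
    return [subnet_facts(to_dotted(start + i * block), mask) for i in range(count)]


def in_subnet(host: str, network: str, mask: str) -> bool:
    return to_int(host) & to_int(mask) == to_int(network) & to_int(mask)


# Gateway addresses the appendix configuration assigns to the VLAN interfaces
GATEWAYS = {"Vlan2": "192.168.0.9", "Vlan3": "192.168.0.17",
            "Vlan4": "192.168.0.25", "Vlan5": "192.168.0.33"}


def gateway_subnets(mask: str = "255.255.255.248") -> dict:
    """Map each VLAN gateway to the block it belongs to, so overlaps are visible."""
    return {vlan: subnet_facts(ip, mask)["network"] for vlan, ip in GATEWAYS.items()}


if __name__ == "__main__":
    print("Network          First            Last             Broadcast        Wildcard")
    for row in subnet_table("192.168.0.0", "255.255.255.248", 5):
        print(f"{row['network']:<16} {row['first']:<16} {row['last']:<16} "
              f"{row['broadcast']:<16} {row['wildcard']}")
    print(gateway_subnets())
```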
Here VLAN1 is configured in SDM mode with the IP address 10.10.10.1 and the subnet mask
255.255.255.248.
Here an IP release/renew is performed in CMD mode on the PC directly connected to VLAN 1.
Here VLAN2 is configured in SDM mode with the IP address 192.168.0.9 and the subnet mask
255.255.255.248.
Enabling the routing protocol RIP in the router to perform routing between VLANs.
The following screenshot shows that routing is enabled in the router.
Configuring VLAN 3 and VLAN 4 on the router.
Here the IP address, subnet mask and default gateway for VLAN 2 are configured according
to the IP addresses and subnet mask defined above. The machine pings its default gateway,
its own IP and the VLAN 1 IP successfully from the command line, which shows the VLANs'
connectivity to each other.
The machine pings its default gateway, its own IP, VLAN 1, VLAN 2 and the other VLAN
connected to the hub successfully in command mode.
Configuring the IP address, subnet mask and default gateway for VLAN 4; the machine pings
its default gateway, its own IP, VLAN 1, VLAN 2 and VLAN 3 successfully in command mode.
7.2 Configuring DMVPN on the CLI
Figure 7.2 (diagram: R3 with F0/0 (.3), Management PC (.100), connected to the switch)
The above figure 7.2 shows the network structure of the DMVPN implementation. In this
network three routers and the management PC are connected to a switch by Ethernet cable.
One router is configured as the hub and two routers are configured as spokes.
The lab objective is defined in the following three tasks for the implementation of DMVPN.
Lab Objectives
Task 1
R1
interface Loopback15
 ip address 172.16.1.1 255.255.255.0
R2
interface Loopback15
 ip address 172.16.2.2 255.255.255.0
R3
interface Loopback15
 ip address 172.16.3.3 255.255.255.0
Task 2
NHRP Parameters
o NHRP ID – 123
o NHRP Authentication key – DMVPN
o NHRP Hub – R3
Tunnel Parameters
o IP address : 172.16.123.0/24
o IP MTU : 1416
o Tunnel Authentication Key : 123
Routing Protocol Parameters
o EIGRP 123
R3
interface Tunnel1
 ip address 172.16.123.3 255.255.255.0
 ip mtu 1416
 ip nhrp network-id 123
 ip nhrp authentication DMVPN
 ip nhrp map multicast dynamic
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 123
 no ip split-horizon eigrp 123
!
router eigrp 123
 no auto-summary
 network 172.16.0.0 0.0.255.255
!
ip route 172.16.1.0 255.255.255.0 192.1.123.1
ip route 172.16.2.0 255.255.255.0 192.1.123.2
R1
interface Tunnel1
 ip address 172.16.123.1 255.255.255.0
 ip mtu 1416
 ip nhrp network-id 123
 ip nhrp authentication DMVPN
 ip nhrp nhs 172.16.123.3
 ip nhrp map 172.16.123.3 192.1.10.3
 ip nhrp map multicast 192.1.10.3
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 123
!
router eigrp 123
 no auto-summary
 network 172.16.0.0 0.0.255.255
!
ip route 172.16.2.0 255.255.255.0 192.1.123.2
ip route 172.16.3.0 255.255.255.0 192.1.123.3
Task 3
Encrypt the MGRE traffic using the following parameters:
ISAKMP Parameters
o Authentication : Pre-shared
o Encryption : 3DES
o Pre-Shared Key : cisco123
IPSec Parameters
o Encryption : ESP-3DES
o Authentication : ESP-MD5-HMAC
R3
Test Commands:
ping 172.16.1.1
ping 172.16.2.2
ping 172.16.3.3
show crypto isakmp sa
show crypto engine connections active
show crypto ipsec sa
Part2: IPSec Creation (mGRE+IPSec= DMVPN)
R1: (Since most of the configuration is the same, it is a good idea to copy and paste it
into a text editor, change only the necessary things such as IP addresses, and then paste
it into Router 1 and Router 2.)
Part 2: IPSec:
R2: (Since most of the configuration is the same, it is a good idea to copy and paste it
into a text editor, change only the necessary things such as IP addresses, and then paste
it into Router 1 and Router 2.)
IPSec on R2:
CHAPTER 8: Result and Discussion
Four VLANs have been configured, three of which are connected to the router and one of
which is on the hub. The hub is connected to three different machines, which means those
three machines are on the same VLAN. The purpose of the third machine on the hub is simply
to transfer large files within the same VLAN and check the performance with the following
charts in SDM.
The above chart is for VLAN 3 (connected to the hub); the monitored parameters are packets
input/output and bytes input/output, provided by SDM. It was observed that while a file
was being transferred from one machine to another the curve of the graph rose, and when
the file transfer stopped the curve flattened.
Discussion:-
In the following screenshot the monitored measurements for VLAN 3 were bytes input and
output and errors input and output. The error input and output showed "0" during
transfers.
Discussion:-
In the following screenshot the monitored measurement for VLAN 3 was bandwidth
utilization. As no external source such as a server is involved, the bandwidth utilization
is "0"; another reason is, of course, that the transfer is within the same VLAN as well.
8.2 DMVPN Results & Discussion
R1 and R2 (Spokes):
On Router 1 and Router 2, the "show ip nhrp" command is applied.
R2:
See the mappings (show ip nhrp) and the ping results:
Traceroute shows that traffic goes directly through the tunnel (no hops in between).
IPSec is UP on R1:
IPSec is UP on R2:
Conclusion
The main task of the deployment of VLAN and DMVPN is to provide network security to the
LAN and the WAN respectively, together with the other beneficial aspects of both
technologies. VLANs have the ability to provide additional security not available in a
shared media network environment. By nature, a switched network delivers frames only to
the intended recipients, and broadcast frames only to other members of the VLAN. This
allows the network administrator to segment users requiring access to sensitive
information into separate VLANs from the rest of the general user community regardless of
physical location. In addition, monitoring a port with a traffic analyzer will only show
the traffic associated with that particular port, making discreet monitoring of network
traffic more difficult.
It should be noted that the enhanced security mentioned above is not to be considered an
absolute safeguard against security infringements. What it provides is additional
safeguards against "casual" but unwelcome attempts to view network traffic.
In this report I have also discussed all the standards and technical components related
to DMVPN, and that DMVPN should be deployed if the network requires zero-touch
provisioning, simplified configuration, multicast, and support for dynamically addressed
spokes.
PROJECT PLANNING
Project Planning includes two stages
Below is the final project planning, shown using a pie chart and a table. The final
planning shows the number of hours spent on each task in doing this project.
Task                                     Hours
INTRODUCTION                             50
INVESTIGATION ON 1800 ROUTER SERIES      60
VLAN                                     150
DMVPN                                    200
TESTING AND DISCUSSION                   50
FURTHER REVISIONS AND CONCLUSION         100
TOTAL NO. OF HOURS                       610
References
[1] www.ise.gmu.edu/~eschneid/infs612/projects/LAN.pdf
[2] Brent Stewart & Denise Donohue, CCNP BCMSN Quick Reference Sheets, USA, ISBN 978-1-5872-0236-0, 19-20
[3] Todd Lammle, CCNA Study Guide, Sixth edition, Sybex, USA, 2007, ISBN 0470110082
[4] David Hucaby, CCNP BCMSN Official Exam Certification Guide, Cisco Press, USA, 2007, ISBN: 1-58720-171-2
[6] Jerry Ryan, Layer 3 Switching: Re-Inventing the Router, The Technology Guide Series, Cisco Press, USA, 1998.
[7] www.dataconnection.com/iprouting/iprprotocol.htm
[8] Clare Gough, CCNP BSCI, USA, Cisco Press, 2006, ISBN: 1-58720-171-2
[9] Karl Solie, CCIE Practical Studies Volume 1, Cisco Press, USA, 2001, ISBN: 1-58720-002-3
[10] Tim Boyles and Dave Hucaby, Cisco CCNP Switching Exam Certification Guide, 2000, Cisco Press, USA, ISBN: 1-58720-000-7
[11] www.freesoft.org/CIE/Course/Section3/11.htm
[12] Cisco 1801, 1802 and 1803 Integrated Services Router from Cisco.com, http://www.cisco.com/en/US/products/ps6184/
[13] Cisco 1800 Series Integrated Services Routers Fixed Configuration Models, http://www.cisco.com
http://www.cisco.com/en/US/products/ps9321/
http://www.cisco.com/en/US/products/ps6183/
http://www.cisco.com/en/US/products/ps5875/
[17] Cisco 1861 Integrated Services Router from Cisco.com, http://www.cisco.com/en/US/products/ps8321/
http://www.cisco.com/en/US/products/ps5853/
[20] www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113ed_cr/switch_c/xcvlan.pdf
[21] www.en.wikipedia.org/wiki/Dynamic_Multipoint_Virtual_Private_Network
[22] www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftgreips.html#wp1039510
[23] Introduction to DMVPN, Security Technology Group, Cisco Press, USA, 2004
[24] http://blog.internetworkexpert.com/2008/08/02/dmvpn-explained/
[25] www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps6658/DMVPN_Overview.pdf
[27] http://www.javvin.com/protocolNHRP.html
[28] http://en.wikipedia.org/wiki/Generic_Routing_Encapsulation
Appendix
!----------------------------------------------------------------------------
!version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$3QN/$FAx3IV7orGQd4rixJT9bh.
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.0.9
ip dhcp excluded-address 192.168.0.17
ip dhcp excluded-address 192.168.0.25
ip dhcp excluded-address 192.168.0.33
!
ip dhcp pool sdm-pool1
import all
network 192.168.0.0 255.255.255.0
default-router 10.10.10.1
!
ip dhcp pool sdm-pool9
network 192.168.0.8 255.255.255.248
default-router 192.168.0.9
!
ip dhcp pool sdm-pool10
network 192.168.0.16 255.255.255.248
default-router 192.168.0.17
!
ip dhcp pool sdm-pool11
network 192.168.0.24 255.255.255.248
default-router 192.168.0.25
!
ip dhcp pool sdm-pool12
network 192.168.0.32 255.255.255.248
default-router 192.168.0.33
!
!
ip tcp synwait-time 10
no ip bootp server
no ip domain lookup
ip domain name yourdomain.com
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
!
crypto pki trustpoint TP-self-signed-2874840234
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2874840234
revocation-check none
rsakeypair TP-self-signed-2874840234
!
!
crypto pki certificate chain TP-self-signed-2874840234
certificate self-signed 01
quit
username cisco1 privilege 15 secret 5 $1$3Kzc$MyCanrmvgPqTacSRE8H/p0
!
!
interface FastEthernet0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
duplex auto
speed auto
!
interface FastEthernet1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
duplex auto
speed auto
!
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation hdlc
ip route-cache flow
shutdown
!
interface FastEthernet2
!
interface FastEthernet3
switchport access vlan 2
!
interface FastEthernet4
switchport access vlan 3
!
interface FastEthernet5
switchport access vlan 4
!
interface FastEthernet6
switchport access vlan 5
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Dot11Radio0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Dot11Radio1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
station-role root
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
ip address 192.168.10.1 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
interface Vlan2
ip address 192.168.0.9 255.255.255.248
ip nat inside
ip virtual-reassembly
!
interface Vlan3
ip address 192.168.0.17 255.255.255.248
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
!
interface Vlan4
ip address 192.168.0.25 255.255.255.248
ip nat inside
ip virtual-reassembly
!
interface Vlan5
ip address 192.168.0.33 255.255.255.248
ip nat inside
ip virtual-reassembly
!
router ospf 500
log-adjacency-changes
passive-interface FastEthernet0
passive-interface FastEthernet1
passive-interface Vlan1
passive-interface Vlan2
passive-interface Vlan3
passive-interface Vlan4
passive-interface Vlan5
network 10.0.0.0 0.255.255.255 area 5
!
router rip
passive-interface Vlan1
network 10.0.0.0
no auto-summary
!
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
logging trap debugging
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 192.168.0.16 0.0.0.7 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip 192.168.0.8 0.0.0.7 any
access-list 101 permit icmp any host 192.168.0.17 echo-reply
access-list 101 permit icmp any host 192.168.0.17 time-exceeded
access-list 101 permit icmp any host 192.168.0.17 unreachable
access-list 101 permit tcp any host 192.168.0.17 eq 443
access-list 101 permit tcp any host 192.168.0.17 eq 22
access-list 101 permit tcp any host 192.168.0.17 eq cmd
access-list 101 permit udp any any eq rip
access-list 101 permit ip any host 224.0.0.9
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
no cdp run
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
transport output telnet
line aux 0
transport output telnet
line vty 0 4
transport input telnet ssh
line vty 5 15
transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
For Router 1
interface Loopback10
 ip address 10.1.1.1 255.255.255.0
!
interface Loopback15
 ip address 172.16.1.1 255.255.255.0
!
interface Tunnel1
 ip address 172.16.123.1 255.255.255.0
 no ip redirects
 ip mtu 1416
 ip nhrp authentication DMVPN
 ip nhrp map 172.16.123.3 192.1.10.3
 ip nhrp map multicast 192.1.10.3
 ip nhrp network-id 123
 ip nhrp nhs 172.16.123.3
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile ABC
!
interface Ethernet0/0
 ip address 192.1.123.1 255.255.255.0
 half-duplex
!
interface Serial0/0
 no ip address
 shutdown
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
interface Serial0/1
 no ip address
 shutdown
!
router eigrp 123
 network 172.16.0.0
 no auto-summary
!
router rip
 version 2
 network 11.0.0.0
 network 192.1.123.0
 no auto-summary
!
ip http server
no ip http secure-server
ip classless

For Router 2
interface Loopback10
 ip address 192.1.2.2 255.255.255.0
!
interface Loopback15
 ip address 172.16.2.2 255.255.255.0
!
interface Tunnel1
 ip address 172.16.123.2 255.255.255.0
 no ip redirects
 ip mtu 1416
 ip nhrp authentication DMVPN
 ip nhrp map 172.16.123.3 192.1.10.3
 ip nhrp map multicast 192.1.10.3
 ip nhrp network-id 123
 ip nhrp nhs 172.16.123.3
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile ABC
!
interface Ethernet0/0
 ip address 192.1.123.2 255.255.255.0
 half-duplex
!
interface Serial0/0
 no ip address
 shutdown
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
interface Serial0/1
 no ip address
 shutdown
!
router eigrp 123
 network 172.16.0.0
 no auto-summary
!
router rip
 version 2
 network 22.0.0.0
 network 192.1.123.0
 no auto-summary
!
ip http server
no ip http secure-server
ip classless

For Router 3
interface Loopback10
 ip address 10.3.3.3 255.255.255.0
!
interface Loopback15
 ip address 172.16.3.3 255.255.255.0
!
interface Tunnel1
 ip address 172.16.123.3 255.255.255.0
 no ip redirects
 ip mtu 1416
 ip nhrp authentication DMVPN
 ip nhrp map multicast dynamic
 ip nhrp network-id 123
 no ip split-horizon eigrp 123
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile ABC
!
interface Ethernet0/0
 ip address 192.1.10.3 255.255.255.0
 half-duplex
!
interface Serial0/0
 no ip address
 shutdown
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
router rip
 version 2
 no auto-summary
 network 33.0.0.0
 network 192.1.123.0
!
router eigrp 123
 network 172.16.0.0
 no auto-summary
!
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 192.1.10.10
!
!
!
!
call rsvp-sync
! ! !
! ! !
! ! mgcp profile default
! ! !
call rsvp-sync call rsvp-sync dial-peer cor custom
! ! !
! ! !
mgcp profile default mgcp profile default !
! ! !
dial-peer cor custom dial-peer cor custom !
! ! line con 0
! ! logging synchronous
! ! line aux 0
! ! line vty 0 4
! ! login
line con 0 line con 0 !
logging synchronous logging synchronous !
line aux 0 line aux 0 end
line vty 0 4 line vty 0 4
! !
! !
end end
91
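As an added example (not from the report, and not Cisco code), the script below reads the Tunnel1 and Ethernet0/0 blocks of the three configurations above, condensed to the lines the checks need, and verifies the agreements a DMVPN hub and its spokes depend on: the same NHRP authentication string, network-id, tunnel key, MTU and tunnel mode on every router; each spoke's next-hop server being the hub's tunnel address; the spoke's static NHRP and multicast maps pointing at the hub's transport (NBMA) address on Ethernet0/0; and the hub carrying the dynamic multicast mapping with EIGRP split horizon disabled on the tunnel. The check rules are the editor's own reading of the configuration, not something the report states.

```python
"""DMVPN sanity checks over the three configurations above (Router 1 and 2 are
spokes, Router 3 the hub). Added example for this report, not Cisco code; the
text below is condensed from the page, the check rules are a reviewer's own."""
import re

SPOKE = """
interface Tunnel1
 ip address {tun} 255.255.255.0
 ip mtu 1416
 ip nhrp authentication DMVPN
 ip nhrp map 172.16.123.3 192.1.10.3
 ip nhrp map multicast 192.1.10.3
 ip nhrp network-id 123
 ip nhrp nhs 172.16.123.3
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 123
!
interface Ethernet0/0
 ip address {nbma} 255.255.255.0
"""
R1 = SPOKE.format(tun="172.16.123.1", nbma="192.1.123.1")
R2 = SPOKE.format(tun="172.16.123.2", nbma="192.1.123.2")
R3 = """
interface Tunnel1
 ip address 172.16.123.3 255.255.255.0
 ip mtu 1416
 ip nhrp authentication DMVPN
 ip nhrp map multicast dynamic
 ip nhrp network-id 123
 no ip split-horizon eigrp 123
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 123
!
interface Ethernet0/0
 ip address 192.1.10.3 255.255.255.0
"""
# Tunnel settings every spoke must share with the hub: field -> IOS command prefix
SHARED = {"auth": "ip nhrp authentication", "net_id": "ip nhrp network-id",
          "key": "tunnel key", "mtu": "ip mtu", "mode": "tunnel mode"}

def parse_interfaces(text):
    """Map each 'interface' block of an IOS config to its list of sub-commands."""
    blocks, cur = {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            blocks[cur] = []
        elif line.startswith(" ") and cur is not None:
            blocks[cur].append(line.strip())
        else:
            cur = None  # '!' or any other top-level line closes the block
    return blocks

def parse_router(text):
    """Pull the DMVPN-relevant settings out of one router's Tunnel1 block."""
    ifaces = parse_interfaces(text)
    tun = ifaces["Tunnel1"]
    first = lambda p: next((c[len(p):].strip() for c in tun if c.startswith(p)), None)
    src = ifaces.get(first("tunnel source"), [])   # the NBMA (transport) interface
    maps, mcast = {}, []
    for c in tun:
        m = re.match(r"ip nhrp map (\S+) (\S+)$", c)
        if m and m.group(1) == "multicast":
            mcast.append(m.group(2))
        elif m:
            maps[m.group(1)] = m.group(2)          # tunnel address -> NBMA address
    info = {f: first(p) for f, p in SHARED.items()}
    info.update(tunnel_ip=first("ip address").split()[0],
                nbma_ip=next((c.split()[2] for c in src if c.startswith("ip address ")), None),
                nhs=first("ip nhrp nhs"), maps=maps, multicast=mcast,
                split_horizon=not any(c.startswith("no ip split-horizon eigrp") for c in tun))
    return info

def check_dmvpn(hub, spokes):
    """Return a list of problems; an empty list means the configurations agree."""
    problems = []
    if "dynamic" not in hub["multicast"]:
        problems.append("hub: missing 'ip nhrp map multicast dynamic'")
    if hub["split_horizon"]:
        problems.append("hub: EIGRP split horizon still on, spokes will not learn each other's routes")
    for s in spokes:
        who = f"spoke {s['tunnel_ip']}"
        for f in SHARED:
            if s[f] != hub[f]:
                problems.append(f"{who}: {f} {s[f]!r} differs from hub {hub[f]!r}")
        if s["nhs"] != hub["tunnel_ip"]:
            problems.append(f"{who}: NHS {s['nhs']} is not the hub tunnel address {hub['tunnel_ip']}")
        if s["maps"].get(hub["tunnel_ip"]) != hub["nbma_ip"]:
            problems.append(f"{who}: static NHRP map for the hub does not point at {hub['nbma_ip']}")
        if hub["nbma_ip"] not in s["multicast"]:
            problems.append(f"{who}: multicast not mapped to hub NBMA {hub['nbma_ip']}")
    return problems

if __name__ == "__main__":
    print(check_dmvpn(parse_router(R3), [parse_router(R1), parse_router(R2)]) or "page configs agree")
    print(check_dmvpn(parse_router(R3), [parse_router(R1.replace("tunnel key 123", "tunnel key 124"))]))
```

Run as a script it reports that the page's three configurations agree; mistyping one of the shared lines on a spoke (the second print uses a constructed spoke with a different tunnel key) yields one problem line naming the spoke and the field, which is the symptom to look for when a DMVPN tunnel stays down after a copy-and-edit of a working spoke.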