Sunteți pe pagina 1din 91

Investigate the features of CISCO 1800 series Routers.

Construct VLAN (Virtual LAN) and DMVPN (Dynamic


Multipoint VPN) on 1812w Router.

Submitted by Lubna Khan


SID 2525867
Submission Date: 21st October 2008

This report has been submitted for assessment toward a Master of


Science degree in the Department of Electrical, computer &
Communications Engineering, London South Bank University.

This report is written in the author’s own words and all sources have
been property cited.

Author’s signature:
Table of Contents

ACKNOWLEGEMENTS......................................................................................................4
Abstract............................................................................................................................5
Aim and Objectives................................................................................................................6
CHAPTER 1: Introduction...................................................................................................7
1.1 CISCO 1800 Series Router....................................................................................................7
1.2 Switching & Routing Functionality......................................................................................7
1.3 Routing Protocol....................................................................................................................8
1.4 VLAN (Virtual Local Area Network)...................................................................................8
1.5 DMVPN (Dynamic Multipoint Virtual Private Network)..................................................8
CHAPTER 2: Investigation on all the features of CISCO 1800 Series Routers..............10
2.1 Cisco 1801, 1802 and 1803 Integrated Services Router.....................................................10
2.2 Cisco 1811 & 1812 Integrated Services Router..................................................................12
2.3 Cisco 1841 Integrated Services Router...............................................................................14
2.4 Cisco 1861 Integrated Services Router...............................................................................15
2.5 Cisco 1805 Integrated Services Router...............................................................................16
CHAPTER 3: Switching and Routing Functionality.........................................................20
3.1 Layer 2 Switching................................................................................................................21
3.2 Layer 3 Routing...................................................................................................................23
CHAPTER 4: Routing Protocol..........................................................................................24
4.1 Definition of Routing Protocol............................................................................................24
4.2 How the Routing Protocol Works.......................................................................................24
4.3 IP Routing Principles...........................................................................................................25
4.3.1Classful Routing ..............................................................................................................................25
4.3.2 Classless Routing.............................................................................................................................26
4.4 RIP (Routing Information Protocol)..................................................................................27
4.5 IGRP & EIGRP (Enhanced Interior Gateway Routing Protocol)...................................29
4.6 IS-IS Protocol: Intermediate System - Intermediate System............................................31
4.7 SUBNETING........................................................................................................................32
CHAPTER 5: Virtual Local Area Network........................................................................34
5.1 Introduction..........................................................................................................................34
5.1.1 LAN Segmentation..........................................................................................................................35
5.1.2 Security............................................................................................................................................36

2
5.1.3 Broadcast Control............................................................................................................................36
5.1.4 Performance.....................................................................................................................................37
5.1.5 Network Management.....................................................................................................................37
5.2 VLAN Membership.............................................................................................................37
5.2.1 Static VLANs...................................................................................................................................37
5.2.2 Dynamic VLANs.............................................................................................................................38
5.3 Types of Connections...........................................................................................................38
5.3.1 Trunk Link or Trunk Port................................................................................................................38
5.3.2 Access Link or Access Port.............................................................................................................39
5.3.3 Hybrid Link.....................................................................................................................................39
5.4 Communicating between VLANS.......................................................................................40
5.4.1 Inter-Switch Link (ISL) protocol.....................................................................................40
5.4.2 IEEE 802.1Q protocol.......................................................................................................40
5.5 VLAN Trunking Protocol (VTP)........................................................................................40
5.6 VTP Modes of Operation....................................................................................................41
5.6.1 Server Mode....................................................................................................................................41
5.6.2 Client mode......................................................................................................................................42
5.6.4 Transparent mode............................................................................................................................42
CHAPTER 6: Dynamic Multipoint VPN............................................................................42
6.1 What is NHRP?....................................................................................................................43
6.2 What is GRE Tunnels?........................................................................................................44
6.3 Routing with DMVPN.........................................................................................................45
6.3.1Possible routing protocols.................................................................................................................45
6.4 DMVPN Phases....................................................................................................................45
6.4.1 Hub-and-spoke.................................................................................................................................45
6.4.2 Spoke-to-spoke................................................................................................................................46
6.5 Sample mGRE and IPsec Integration Topology................................................................46
6.6 IPSec Profiles ......................................................................................................................47
6.7 Benefits of Dynamic Multipoint VPN (DMVPN)...............................................................47
CHAPTER 7: Deliverables..................................................................................................48
7.1 Configuring VLAN’S On SDM...........................................................................................48
7.2 Configuring of DMVPN on CLI.........................................................................................59
DMVPN through R1, R2 & R3 (Hub n Spoke)..................................................................59
CHAPTER 8 Result and Discussion...................................................................................70
8.1 VLAN Results & Discussion................................................................................................70
8.2 DMVPN Results & Discussion............................................................................................73
Conclusion ..........................................................................................................................77
PROJECT PLANNING.......................................................................................................78
Initial project planning..............................................................................................................78

3
Final project planning: .............................................................................................................78
References............................................................................................................................79
Appendix..............................................................................................................................81

ACKNOWLEGEMENTS

First of all I am cordially thankful to ALMIGHTY ALLAH who enabled me to complete


this thesis successfully. I would specially like to thank Dr Tariq Sattar (London South
Bank University) for his utmost support, valuable ideas, information and much needed
guidance throughout the completion of this thesis.

4
Abstract

An introduction of VLAN and DMVPN is given in the beginning of this report, which
includes why we need such technologies, how these work, what the benefits are and how
VLAN (Virtual Area Network) provide security to LAN networks and DMVPN (Dynamic
Multipoint Virtual Private Networks) to WAN networks.

The work flow of deployment of VLAN and DMVPN include the network design
(topology), physical connectivity (layer 1), logical connectivity (layer 2 and 3),
configuration using IOS Version 12.4 (layer 4 and above). Final phase shows testing the
configurations by using different network monitoring commands for DMVPN [all in the
Command Line Interface (CLI) mode] and different parameters for SDM (Security Device
Manager) for VLAN. The technologies in this project are based on NHRP (Next Hop
Resolution Protocol) mGRE (multipoint Generic Routing Encapsulation) Tunnels, Hub and
Spoke, Spoke to Spoke tunnels and VTP (Vlan Trunking Protocol). VTP is specially
emphasized in VLAN Section.

Further physical implementation results of above mentioned technologies have been


obtained which show these technologies have significant impact on network security.

5
Aim and Objectives

The aim of this project is to deploy the latest network security technologies on existing
LAN and the WAN networks.

Objectives
Following are the key objectives behind the study:

 To discuss the features of all the 1800 CISCO series routers. The reason for

using these specific series of routers is their availability on lab.

 Briefly define the switching and routing functionality including Routing

Protocols.

 A detailed discussion on VLAN (Virtual LAN) and DMVPN (Dynamic

Multipoint VPN), those implemented to provide the network security to the

Layer 2 and Layer 3 network respectively.

 Implementation of the above mentioned technologies to observe the results and

discuss their significant features.

6
CHAPTER 1: Introduction

1.1 CISCO 1800 Series Router


The 1800 series is ideal for network location that requires secure data and voice
communication using up to broadband connections for T1/E1 connections. Every 1800
series design from the ground up include comprehensive security feature. Each model
comes with an encrypted chip on the motherboard that lets us build secure VPN tunnels for
site to site and for remote user connection. [18]

In addition the 1800 series also offers full state firewall, instruction prevention, network
administration control and URL filtering to protect and secure network. The 1800 family
comes in a desk-top form with both fixed and modular configuration models. [18]

The Cisco 1812 Router that used in this project provides high-speed broadband or Ethernet
access through two 10/100BASE-T Fast Ethernet WAN ports and also provide integrated
WAN backup through a V.92 analog modem ISDN S/T BRI interface. The Cisco 1812
routers are focused on Ethernet access and are designed to be offered as customer premises
equipment (CPE) in Metro Ethernet deployments. The eight-port switch is sufficient for
connecting multiple devices and the optional PoE capability can supply power to IP
telephones or other devices. [15]

1.2 Switching & Routing Functionality


A Layer 2 switch performs essentially the same function as a transparent bridge. However,
a switch can have many ports and can perform hardware-based bridging. Frames are
forwarded using specialized hardware, called application-specific integrated circuits
(ASIC). This hardware gives switching great scalability, with wire-speed performance, low
latency, low cost, and high port density. [7]

Layer 2 switching is used primarily for workgroup connectivity and network segmentation.
We can contain traffic between users and servers in a workgroup within the switch. In
addition, the number of stations on a network segment can be reduced with a switch,
minimizing the collision domain size. [7]

7
1.3 Routing Protocol
In simple terms, a protocol is an agreed upon set of rules that determines how something
will operate. A routing protocol is a set of rules that describes how Layer 3 routing devices
send updates between each other about the available networks. If more than one path to the
remote network exists, the protocol also determines how the best path or route is selected.
[8]

Routed Protocol and Routing Protocol Both terms refer to a protocol that defines a packet
structure and logical addressing, allowing routers to forward or route to the packets.
Routers forward, or route, packets define by routed and un routable protocols.[26]

Even though routing protocol such as RIP are different from routed protocols such as IP,
they work together very closely. The routing process forward IP packets to destination
address, the router discards the packet. Routers need routing protocol so that the router can
learn all the possible routers and add them to the routing table so that the routing process
can forward routable protocol such as IP. [26]

1.4 VLAN (Virtual Local Area Network)


Local Area Networks are defined as a single broadcast domain. Single broadcast domain
means if user broadcasts information on his/her LAN, the broadcast will be received by
every other user on the LAN. Broadcasts are prevented from leaving a LAN by using a
router, cause switch forward broadcast but router doesn’t forward broadcast. The
disadvantage of this method is routers usually take more time to process incoming data
compared to a bridge or a switch. And to use the router just to control the LAN
broadcasting is of course cost effective as well.

For an alternate solution Virtual Local Area Networks (VLAN's) were developed to control
broadcast traffic in LAN networks. VLANS are implemented not only to control broadcast
but also to provide security, flexibility and segmentation. Routers in VLAN topologies
provide broadcast filtering, security, address summarization, and traffic flow management.

1.5 DMVPN (Dynamic Multipoint Virtual Private Network)


DMVPN stands for Dynamic Multipoint VPN and it is an effective solution for dynamic
secure overlay networks. In short, DMVPN is combination of the following technologies

 NHRP (Next Hop Resolution Protocol)


 GRE (Generic Routing Encapsulation)

8
NHRP (Next Hop Resolution Protocol)

Next Hop Resolution Protocol (NHRP) is used by a source station (host or router)
connected to a Non-Broadcast, Multi-Access (NBMA) subnetwork to determine the
internetworking layer address and NBMA subnetwork addresses of the "NBMA next hop"
towards a destination station. If the destination is connected to the NBMA subnetwork,
then the NBMA next hop is the destination station itself. Otherwise, the NBMA next hop is
the egress router from the NBMA subnetwork that is "nearest" to the destination station.
NHRP is intended for use in a multiprotocol internetworking layer environment over
NBMA subnetworks. [27]

GRE (Generic Routing Encapsulation)

Generic Routing Encapsulation (GRE) is a tunneling protocol designed to encapsulate a


wide variety of network layer packets inside IP tunneling packets. The original packet is
the payload for the final packet. The protocol is used on the Internet to secure virtual
private networks.

GRE was developed by Cisco and was designed to be stateless; the tunnel end-points do
not monitor the state or availability of other tunnel end-points. This feature helps service
providers support IP tunnels for clients, who won't know the service provider's internal
tunneling architecture; and it gives clients the flexibility of reconfiguring their IP
architectures without worrying about connectivity. GRE creates a virtual point-to-point link
with routers at remote points on an IP internetwork. [28]

9
CHAPTER 2: Investigation on all the features of CISCO
1800 Series Routers

In 1800 Series of Cisco there are 8 different types of Routers:

1. Cisco 1861 Integrated Services Router


2. Cisco 1841 Integrated Services Router
3. Cisco 1812 Integrated Services Router
4. Cisco 1811 Integrated Services Router
5. Cisco 1801 Integrated Services Router
6 .Cisco 1802 Integrated Services Router

7. Cisco 1803 Integrated Services Router

8. Cisco 1805 Integrated Services Router

Cisco 1800 series is ideal for small to medium sized business and small branch offices and
provides WAN and LAN data connectivity, comprehensive security, wireless integration
and with Cisco 1861 support for unified communication solutions.[18]

The 1800 family is also ideal for network locations that require secure data and voice
communication using up to broadband or T1/E1 connections. This family comes in a desk-
top factor with both fixed and modular configuration models. The fixed configuration
model offer built- in DSL and Ethernet WAN ports combined with ISDN BRI or V.92 dial
modern backup interfaces. [18]

2.1 Cisco 1801, 1802 and 1803 Integrated Services Router


The Cisco 1801 Integrated Services Router as shown in Figure 1.1, has similar
functionality as 1802 Integrated Services Router and 1803 integrated service Router .The
only difference on all of them is that Cisco 1801, 1802, and 1803 routers provide high-
speed DSL broadband access through asymmetric DSL (ADSL) over basic telephone
service (Cisco 1801), ADSL over ISDN (Cisco 1802), or Symmetrical High-Data-Rate

10
DSL (G.SHDSL) (Cisco 1803) while helping to ensure reliable networking with integrated
ISDN S/T BRI backup. The Cisco 1801, 1802, and 1803 routers combine the cost benefits
of DSL service with the advanced routing capability required for business use of the
Internet.

The Cisco 1801, 1802 & 1803 Integrated Services Router provides the similar features
those are as following

• Secure broadband access with concurrent services for branch and small
offices.
• Integrated ISDN Basic Rate Interface (BRI), or Ethernet backup port for
redundant WAN links.
• LAN Switching with optional inline POE.
• Secure wireless LAN for simultaneous 802.11a and 802.11b/g operation with
use of multiple antennas.

Advanced security including:

o Stateful Inspection Firewall


o IP Security (IPSec) VPNs (Triple Data Encryption Standard [3DES]
or Advanced Encryption Standard [AES])
o Dynamic Multipoint VPN (DMVPN) and Easy VPN.
o Intrusion Prevention System (IPS)
o Antivirus support through Network Admission Control (NAC) and
enforcement of secure access policies. [12]

Figure 1.1 Cisco 1801 Integrated Services Router [12]

11
Feature Cisco 1801 Cisco 1802 Cisco 1803

DSL WAN Port ADSL over ADSL over G.SHDSL (4-wire)


POTS ISDN

10/100 FE WAN Ports 1 1 1

DOCSIS 2.0 No No No

Managed Switch Ports 8 8 8

ISDN BRI Dial Backup Yes Yes Yes

V.92 Analog Modem Dial - - -


Backup

USB 2.0 Ports 0 0 0

802.11a/b/g Wireless Model Yes Yes Yes

Auxiliary and Console Ports Yes Yes Yes

Table 1.1 Features Summary of Cisco 1801, 1802 & 1803 Routers [13]

2.2 Cisco 1811 & 1812 Integrated Services Router


The Cisco 1812 Integrated Services Router as shown in Figure 1.2 provides:

• Secure broadband access with concurrent services for branch and small
offices
• Integrated ISDN Basic Rate Interface (BRI), analog modem, or Ethernet
backup port for redundant WAN links and load balancing
• LAN Switching with optional inline POE
• Secure wireless LAN for simultaneous 802.11a and 802.11b/g operation
with use of multiple antennas
• Advanced security including:
o Stateful Inspection Firewall
o IP Security (IPSec) VPNs (Triple Data Encryption Standard [3DES]
or Advanced Encryption Standard [AES])
o Dynamic Multipoint VPN (DMVPN) and Easy VPN
o Intrusion Prevention System (IPS)
o Antivirus support through Network Admission Control (NAC) and
enforcement of secure access policies

12
The Cisco 1811 and 1812 provide high-speed broadband or Ethernet access through two
10/100BASE-T Fast Ethernet WAN ports and also provide integrated WAN backup
through a V.92 analog modem (Cisco 1811) or ISDN S/T BRI interface (Cisco 1812). The
Cisco 1811 and 1812 routers are focused on Ethernet access and are designed to be offered
as customer premises equipment (CPE) in Metro Ethernet deployments. The eight-port
switch is sufficient for connecting multiple devices and the optional PoE capability can
supply power to IP telephones or other device. [15]

Figure 1.2 Cisco 1811 Integrated Services Router [15]

Feature Cisco 1811 Cisco 1812

DSL WAN Port - -

10/100 FE WAN Ports 2 2

DOCSIS 2.0 No No

Managed Switch Ports 8 8

ISDN BRI Dial Backup - Yes

V.92 Analog Modem Dial Backup Yes -

USB 2.0 Ports 2 2

802.11a/b/g Wireless Model Yes Yes

Auxiliary and Console Ports Yes Yes

Table 1.2 Features Summary of Cisco 1811, 1812 Routers [13]

13
2.3 Cisco 1841 Integrated Services Router

The Cisco 1841 Integrated Services Router is part of the Cisco 1800 Integrated Services
Router Series which complements the Integrated Services Router Portfolio.

The Cisco 1841 Integrated Services Router as shown in Figure 1.3 provides the following
support:

• Wire-speed performance for concurrent services at T1/E1 WAN rates


• Enhanced investment protection through increased performance and
modularity
• Enhanced investment protection through increased modularity
• Increased density through High-Speed WAN Interface Card Slots (two)
• Support for over 90 existing and new modules
• Support for majority of existing WICs, VWICs, and VICs (data mode only)
• Two Integrated 10/100 Fast Ethernet ports
• Security
o On-board encryption
o Support of up to 800 VPN tunnels with the AIM Module
o Antivirus defense support through Network Admission Control
(NAC)
o Intrusion Prevention as well as stateful Cisco IOS Firewall support
and many more essential security features .[16]

Figure 1.3 Cisco 1841 Integrated Services Router [16]

14
2.4 Cisco 1861 Integrated Services Router

This new platform delivers unified communications solutions to small and medium-sized
businesses and small branch offices, enabling anytime, anywhere secure access to
information.

Through integration of voice gateway, call processing, voicemail, automated attendant,


conferencing, transcoding, and security capabilities, the 1861 Integrated Services Router as
shown in Figure 1.4, delivers a complete unified communications solution. Powered by the
Cisco IOS Software, the Cisco 1861 supports a wide range of connectivity options through
a modular High-Speed WAN Interface Card (HWIC) Slot. In addition, it supports advanced
routing and security services.

Key Features

• Integrated Cisco Unified Communications Manager Express or Cisco Unified


Survivable Remote Site Telephony for call processing
• Cisco Unity Express for voice messaging and automated attendant
• Integrated LAN switching with Power over Ethernet (PoE) expandable through
Cisco Catalyst Switches
• Support for a range of HWICs
• Built-in hardware encryption enabled through optional security image
• Innovative security services, including Secure Sockets Layer, Network Admission
Control, Group Encrypted Transport Virtual Private Networks, and Inline Intrusion
Prevention System [17]

Figure 1.4 Cisco 1861 Integrated Services Router [17]

15
2.5 Cisco 1805 Integrated Services Router

The Cisco 1805 is the latest addition to the Cisco integrated services router portfolio, which
delivers multiple services, including feature-rich Cisco IOS Software routing, LAN
switching, and advanced security with secure cable WAN access technology.

The Cisco 1805 Integrated Services Router as shown Figure 1.5, provides:

• Integrated cable modem based on DOCSIS 2.0


• Metro Ethernet Forum (MEF): MEF9, MEF14 Certified
• Built-in encryption hardware with Triple Digital Encryption Standard
(3DES) capability, and Advanced Encryption Standard (AES) encryption support
• Integrated, dual high-speed Fast Ethernet ports that you can use for LAN or
WAN connectivity
• Four-port 10/100 Ethernet switch, fully manageable with IEEE 802.1q
VLAN support
• Auxiliary port for analog dial backup, or out-of-band management
• Console port transmit and receive rates up to 115.2 kbps
• Advanced routing protocols
• Cisco IOS Software Stateful Firewall with Context-Based Access Control,
application-aware and zone-based
• Advanced QoS and bandwidth management
• Inter-VLAN routing. [13]

Figure 1.5 Cisco 1805 Integrated Services Router [13]

16
17
18
Feature Cisco Cisco Cisco
1805-D 1805-EJ 1805-D/K9

DOCSIS 2.0-based cable interface HWIC- HWIC- HWIC-


CABLE- CABLE- CABLE-D-
D-2 E/J-2 2

Two onboard Fast Ethernet WAN ports for WAN backup Yes Yes Yes
or for LAN connectivity

Four-port managed switch Yes Yes Yes

Onboard hardware-based IP Security (IPsec) encryption Yes Yes Yes

DRAM 128 MB 128 MB 192 MB

Flash memory 64 MB 64 MB 64 MB

Software image Cisco Cisco Cisco IOS


IOS IP IOS IP Advanced
Base Base IP Services

Table1.3 Features Summary of Cisco 1805 Routers [13]

19
CHAPTER 3: Switching and Routing Functionality
The standard reference model for communication between two end users is Open Systems
Interconnection (OSI). The model is used in developing products and understanding
networks.

Each layer has a specific function and a specific protocol so that two
devices can exchange data on the same layer. A protocol data unit
(PDU) is the generic name for a block of data that a layer on one device
exchanges with the same layer on a peer device. [4]

OSI Layer Protocol Data Unit Mechanism to Process


PDU

7 (application)

6 (presentation)

5 (session)

4 (transport)
TCP Segment TCP Port
3(network)
Packet Router
2 (data link)
Frame Switch/Bridge
1 (physical)

Table 3.1 OSI Model

In above table, Layers 2, 3, and 4 are represented by the data link,


network, and transport layers, respectively, with a PDU frame, packet,
and TCP segment. When a TCP segment (Layer 4) needs to be
transmitted to another station, the TCP segment is encapsulated as a
packet (Layer 3) and further encapsulated as a frame (Layer 2). The
receiving station un encapsulates Layers 2 and 3 before processing the
original TCP segment.

The layered protocols also apply to networking devices. For example, a


Layer 2 device transfers data by looking at the Layer 2 PDU header

20
information. Upper-layer protocols are not looked at or even understood.
[4]

The following figure 3.2 shows that how two devices can exchange data
on the same layer.

Figure 3.2[2]

3.1 Layer 2 Switching


Devices that forward frames at Layer 2 involve the following functions:

• MAC addresses are learned from the incoming frames’ source


addresses.

• A table of MAC addresses and their associated bridge and switch


ports is built and maintained.

21
• Broadcast and multicast frames are flooded out to all ports
(except the one that received the frame).

• Frames destined for unknown locations are flooded out to all ports
(except the one that received the frame).

• Bridges and switches communicate with each other using the


Spanning Tree Protocol to eliminate bridging loops.[4]

Figure 3.3, Layer 2 switch with External Router for Inter-VLAN traffic and connecting
to the Internet [5]

Layer 2 switching provides the following

• Hardware-based bridging (MAC)


• Wire speed
• High speed
• Low latency
• Low cost

Layer 2 Switches (Multiport Bridges)

Bridges offer a frame forwarding service based on the physical addresses that are available
as part of Layer 2 (i.e., the MAC address of the destination) as well as performing the
signal regeneration functions of a repeater. A bridge monitors the traffic to learn which
addresses exist on which ports and then builds a table of forwarding rules to control the
switching process. Bridges must also identify and eliminate potential data loops (using the
spanning tree algorithm). A Layer 2 Switch functions as a multiport bridge. An

22
internetwork built entirely out of Layer 2 Switches appears as a single large network with a
“flat” address space. Layer 2 Switched networks have limited flexibility and scalability. [6]

As long as Layer 2 frames are being switched between two Layer 1


interfaces of the same media type, such as two Ethernet connections or
an Ethernet connection and a Fast Ethernet connection, the frames do
not have to be modified. However, if the two interfaces are different
media, such as Ethernet and Token Ring or Ethernet and Fiber
Distributed Data Interface (FDDI), the Layer 2 switch must translate the
frame contents before sending out the Layer 1 interface. [4]

One drawback to Layer 2 switching is that it cannot be scaled


effectively. Switches must forward broadcast frames to all ports, causing
large switched networks to become large broadcast domains. In
addition, Spanning Tree Protocol (STP) can have a slow convergence
time when the switch topology changes. STP also can block certain
switch ports, preventing data transfer. [4]

Layer 2 switching alone cannot provide an effective, scalable network


design.

3.2 Layer 3 Routing


Devices involved in Layer 3 routing perform the following functions:

• Packets are forwarded between networks based on Layer 3


addresses.

• An optimal path is determined for a packet to take through a


network to the next router.

• Packet forwarding involves a table lookup of the destination


network, the next-hop router address, and the router’s own
outbound interface.

• An optimal path can be chosen from among many possibilities.

• Routers communicate with each other using routing protocols.[4]

By nature, routers do not forward broadcast packets and forward only


multicast packets to segments with multicast clients. This action
provides control over broadcast propagation and offers network
segmentation into areas of common Layer 3 addressing.

23
When an IP packet is to be forwarded, a router uses its forwarding table to determine the
next hop for the packet's destination (based on the destination IP address in the IP packet
header), and forwards the packet appropriately. The next router then repeats this process
using its own forwarding table, and so on until the packet reaches its destination. At each
stage, the IP address in the packet header is sufficient information to determine the next
hop; no additional protocol headers are required. [7]

In addition, a router must examine each packet’s Layer 3 header before making a routing
decision. Layer 3 securities and control can be implemented on any router interface using
the source and destination addresses, protocol, or other Layer 3 attribute to make decisions
on whether to limit or forward the packets. Although we can place a router anywhere in a
network, the router can become a bottleneck because of a latency of packet examination
and processing. [4]

CHAPTER 4: Routing Protocol

4.1 Definition of Routing Protocol


IP Routing is a term for the set of protocols that determine the path that data follows in
order to travel across multiple networks from its source to its destination. Data is routed
from its source to its destination through a series of routers, and across multiple networks.
The IP Routing protocols enable routers to build up a forwarding table that correlates final
destinations with next hop addresses. [7]

A protocol is a routed protocol if it contains an explicit network address and enough


information is in its network layer address to allow for a router to make an intelligent
forwarding decision. Routing is the process by which a packet gets from one network to
another. A routing protocol supports a routed protocol by providing a means for
propagating routing information. This information includes elements such as the available
routes, a cost to the routes, and the next hop address. The routing protocol uses messages
between routers that allow for communication with other routers to update and maintain
routing tables. It is important to note that routing protocols do not carry end-user traffic
from network to network. Routing protocols only build the paths that end-user data uses to
travel. [9]

4.2 How the Routing Protocol Works


Participating routers advertise the routes that they know about to their
neighbors in routing updates. Routes learned from routing updates are
dynamic routes held in the routing table. The routing process is
confusing until we realize that there are actually three steps involved in
building, maintaining, and using the routing table. These three steps are
independent of one another and include the following:

24
• The routing protocol sends the information about the routes or
networks within the autonomous system, such as RIPv1, IGRP, and
EIGRP, and between autonomous systems with BGP-4.

• The routing table receives updates from the routing protocol and
provides the forwarding process with information on request.

• The forwarding process determines which path to select from the


routing table in order to forward a datagram.

4.3 IP Routing Principles


• Metrics—the routing protocol uses metrics to calculate which path
is the best path to the remote destination network. Multiple IP
routing protocols cannot easily share information because their
metrics are completely different.

• Administrative distance—if more than one routing process is


running on the router, the administrative distance is used to select
which protocol will update the routing table. This is based on
which routing protocol is considered the most reliable source of
accurate information.

• Prefix length—the forwarding process will use the route where the most number of
subnet bits match that of the destination network. It chooses the most specific
match, known as the match to the longest prefix length.[8]

There are two class of Routing

 Classful Routing
 Classless Routing

4.3.1Classful Routing

Classless routing protocols are as following.

• RIPV1
• IGRP

25
Classful routing protocols, such as RIPV1 and IGRP, exchange routes to sub networks
within the same network. This is possible because all of the subnetworks in the major
network have the same routing mask. Network administrators enforce this consistency
through administrator controls.

When routers are exchange with a foreign network (a network with a different network
portion), subnetwork information from this network can not be included, because the
routing mask of the other network is not know. As the result, the subnet information
from this network must be summarized to a classful boundary using a default routing
mask prior to inclusion in the routing update. The creation of classful summary route at
major network boundaries is handled automatically by classful routing protocols.
Summarization at other points within the major network address is not allowed by
classful routing protocols
Routing mask can not be carrier within the periodic routing updates. [10]

Classful Routing Example

Figure 4.1 [9]

4.3.2 Classless Routing

Classless routing protocol can be considered second-generation protocols because they


are designed to address some of the limitation of earlier classless protocols.
One of the serious limitations in a classfull routing network environment is that the
routing mask is not exchange during the routing update process, requiring the same
routing mask to be used on all subnetworks.

26
Instead of classless routing protocols includes the routing mask with the route
advertisement.

Classless routing protocols are

• OSPF
• EIGRP
• RIPV2
• IS-IS
• BGP

In the classless environment, the summarization process is controlled manually and


usually can be included at any bit position within the network.

Classless routing protocol use trigged updates to learn of topology changes. In order to
control routing table content, summary routes may be created. [10]
Classless Routing Example

Fig 4.2 [9]

4.4 RIP (Routing Information Protocol)

RIP−1 is a Classfull routing protocol, so it does not advertise a subnet mask along with
advertised routes. For RIP to determine what the subnet mask is of the destination network,
RIP uses the subnet mask of the interface in which the route was received. This is true only
if the route received is a member of a directly connected major network. If the route
received is not of the same major network, the router tries to match only the major bit

27
boundary of the route Class A, B, or C. For this reason, it is critical to preserve a consistent
bit mask in each major network throughout the entire RIP routing domain. [9]

A routing vector protocol floods reach ability information throughout all routers
participating in the protocol, so that every router has a routing table containing the
complete set of destinations known to the participating routers.

In brief the RIP protocol works as follows.

• Each router initializes its routing table with a list of locally connected networks.

• Periodically, each router advertises the entire contents of its routing table over all of
its RIP-enabled interfaces.
o Whenever a RIP router receives such an advertisement, it puts all of the
appropriate routes into its routing table and begins using it to forward
packets. This process ensures that every network connected to every router
eventually becomes known to all routers.
o If a router does not continue to receive advertisements for a remote route, it
eventually times out that route and stops forwarding packets over it. In other
words, RIP is a "soft state" protocol.

• Every route has a property called a metric, which indicates the "distance" to the
route's destination.
o Every time a router receives a route advertisement, it increments the metric.
o Routers prefer shorter routes to longer routes when deciding which of two
versions of a route to program in the routing table.
o The maximum metric permitted by RIP is 16, which means that a route is
unreachable. This means that the protocol cannot scale to networks where
there may be more than 15 hops to a given destination.

RIP also includes some optimizations of this basic algorithm to improve stabilization of the
routing database and to eliminate routing loops. [7]

• When a router detects a change to its routing table, it sends an immediate


"triggered" update. This speeds up stabilization of the routing table and elimination
of routing loops.

• When a route is determined to be unreachable, RIP routers do not delete it


straightaway. Instead they continue to advertise the route with a metric of 16
(unreachable). This ensures that neighbors are rapidly notified of unreachable
routes, rather than having to wait for a soft state timeout.

• When router A has learnt a route from router B, it advertises the route back to B
with a metric of 16 (unreachable). This ensures that B is never under the impression
that A has a different way of getting to the same destination. This technique is
known as "split horizon with poison reverse."

28
• A "Request" message allows a newly-started router to rapidly query all of its
neighbors' routing tables. [7]

The default hold-down time for RIP is 180 seconds and the administrator distance of RIP1
and RIP2 is 120. [10]

4.5 IGRP & EIGRP (Enhanced Interior Gateway Routing


Protocol)
When Cisco Systems developed the Interior Gateway Routing Protocol (IGRP) around
1986, network administrators didn't have many options to deal with some of RIP's
limitations. RIP's hop count limit of 15 and its simplistic metrics weren't allowing networks
to scale and distribute traffic across paths of unequal cost. OSPF would not come out for
another two years, and another routing protocol was needed. As the pioneer of
internetworking, Cisco developed IGRP to specifically address some of RIP's
shortcomings. [9]

EIGRP is an enhanced version of IGRP, hence the name. It uses the same distance vector
technology as IGRP. The changes were effected in the convergence properties and the
operating efficiency of the protocol. EIGRP has some characteristics similar to those of a
link-state routing protocol. Therefore, it is sometimes referred to as a hybrid routing
protocol, although Cisco calls it an advanced distance vector protocol. EIGRP is an
efficient, although proprietary, solution to networking large environments because it scales
well. Its ability to scale is, like OSPF, dependent on the design of the network. [8]

IGRP Features
IGRP has features that differentiate it from other distance vectors protocols:

• Scalability— A hop count limit of 255 provides a broader network diameter versus
RIP's hop count limit of 15. The default hop for IGRP is 100.

• Faster convergence— IGRP uses Flash updates, which are updates that are sent to
neighboring routers when topology changes occur.

29
• Sophisticated metric— IGRP uses a composite metric based on five individual
metrics bandwidth, delay, reliability, load, and MTU—to influence routing
decisions.

• Unequal cost load balancing— IGRP composite routing metrics allow for load
balancing across multiple unequal cost paths. [9]

EIGRP Features
The goal of EIGRP is to solve the scaling limitations that IGRP faces, using the distance vector
technology from which it grew. EIGRP increases the potential growth of a network by reducing the
convergence time. This is achieved by the following features:

• Dual

• Rapid convergence

• Reduced bandwidth use

• Compatibility with IGRP

• Unequal-Cost Load Balancing

DUAL

DUAL is one of the main features of EIGRP. It diffuses the routing computation over
multiple Routers.

Rapid Convergence

The use of the DUAL algorithm stores not only the best path to the destination, but also the
close contenders. If a network fails, the router can immediately switch to the alternate
route. If there are no alternative routes, then the router will query neighbors to see whether
they have a path to the destination.

Reduced Bandwidth Use

30
Using multicast and unicast addressing to send and acknowledge updates restricts the
potential use of both bandwidth and the other system’s CPU to the essential requirements.
EIGRP also uses only incremental updates, as opposed to periodic updates.

Compatibility with IGRP

Because it grew out of IGRP, EIGRP is backward-compatible with IGRP. This allows for
seamless transitions to EIGRP and support for older, smaller networks that have neither the
need nor the capability to upgrade. EIGRP automatically redistributes IP routes learned into
the IGRP process as long as the autonomous system number used to configure the
processes is the same.

Use of a Composite Metric

EIGRP uses the same metric as IGRP (bandwidth and delay as the default), though EIGRP
has expanded the metric to 32-bit, allowing for greater scaling and granularity. An
intelligent metric will select the shortest path.

Unequal-Cost Load Balancing

Unequal-cost load balancing allows all links to a destination to be used to carry data
without saturating the slower links. [8]

The administrator distance for IGRP is 100, for EIGRP summary route is 5 and for
External EIGRP is 170. [10]

4.6 IS-IS Protocol: Intermediate System - Intermediate System

IS-IS is a link-state routing protocol, which means that the routers exchange topology
information with their nearest neighbors. The topology information is flooded throughout
the AS, so that every router within the AS has a complete picture of the topology of the AS.
This picture is then used to calculate end-to-end paths through the AS, normally using a
variant of the Dijkstra algorithm. Therefore, in a link-state routing protocol, the next hop
address to which data is forwarded is determined by choosing the best end-to-end path to
the eventual destination. [7]

31
The main advantage of a link state routing protocol is that the complete knowledge of
topology allows routers to calculate routes that satisfy particular criteria. This can be useful
for traffic engineering purposes, where routes can be constrained to meet particular quality
of service requirements. The main disadvantage of a link state routing protocol is that it
does not scale well as more routers are added to the routing domain. Increasing the number
of routers increases the size and frequency of the topology updates, and also the length of
time it takes to calculate end-to-end routes. This lack of scalability means that a link state
routing protocol is unsuitable for routing across the Internet at large, which is the reason
why IGPs only route traffic within a single AS. [7]

The routing table of IS-IS contains all the destinations the routing protocol knows about,
associated with a next hop IP address and outgoing interface.

• The protocol recalculates routes when network topology changes, using the Dijkstra
algorithm, and minimizes the routing protocol traffic that it generates.It provides
support for multiple paths of equal cost.

• It provides a multi-level hierarchy (two-level for IS-IS) called "area routing," so


that information about the topology within a defined area of the AS is hidden from
routers outside this area. This enables an additional level of routing protection and a
reduction in routing protocol traffic.

• All protocol exchanges can be authenticated so that only trusted routers can join in
the routing exchanges for the AS. [7]

The administrative distance of IS-IS is 115.

4.7 SUBNETING

A subnet is a logical grouping of connected network devices. Nodes on a subnet tend to be


located in close physical proximity to each other on a LAN. Network designers employ
subnets as a way to partition networks into logical segments for greater ease of
administration. When subnets are properly implemented, both the performance and security
of networks can be improved.

In IP networking, nodes on a subnet share a contiguous range of IP address numbers. A


mask (known as the subnet mask or network mask) defines the boundaries of an IP subnet.

The Internet community originally identified three classes of


organizations:

Small organizations fall into Class C

Medium organizations fall into Class B

32
Large organizations fall into Class A

Actually, five classes of addresses are used on the Internet. The other
two classes represent multicast (Class D) and experimental addresses
(Class E). Routing protocols and videoconferencing increasingly use
Class D addresses. [8]

Summary of IP Address Classes

Class A – 0xxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx


First bit 0; 7 network bits; 24 host bits

• Initial byte: 0 - 127


• 126 Class As exist (0 and 127 are reserved)
• 16,777,214 hosts on each Class A

Class B - 10xxxxxx xxxxxxxx xxxxxxxx xxxxxxxx

• First two bits 10; 14 network bits; 16 host bits


• Initial byte: 128 - 191
• 16,384 Class Bs exist
• 65,532 hosts on each Class B

Class C - 110xxxxx xxxxxxxx xxxxxxxx xxxxxxxx

• First three bits 110; 21 network bits; 8 host bits


• Initial byte: 192 - 223
• 2,097,152 Class Cs exist
• 254 hosts on each Class C

Class D – 1110xxxx xxxxxxxx xxxxxxxx xxxxxxxx

• First four bits 1110; 28 multicast address bits


• Initial byte: 224 - 247
• Class Ds are multicast addresses

Class E – 1111xxxx xxxxxxxx xxxxxxxx xxxxxxxx

• First four bits 1111; 28 reserved address bits


• Initial byte: 248 - 255
• Reserved for experimental use. [11]

33
The following table of IP’s for the network of 192.168.0.0 with the subnet mask of
255.255.255.248 is used for the implementation of VLANS.

Hosts
Network Broadcast Address
from to
192.168.0.0 192.168.0.1 192.168.0.6 192.168.0.7
192.168.0.8 192.168.0.9 192.168.0.14 192.168.0.15
192.168.0.16 192.168.0.17 192.168.0.22 192.168.0.23
192.168.0.24 192.168.0.25 192.168.0.30 192.168.0.31
192.168.0.32 192.168.0.33 192.168.0.38 192.168.0.39

CHAPTER 5: Virtual Local Area Network

5.1 Introduction
As we know that shared Ethernet media operate at OSI Layer 1(physical layer).
Each host must share the available bandwidth with every other connected
host. When more than one host tries to talk at one time, a collision occurs, and
everyone must back off and wait to talk again. This forces every host to
operate in half-duplex mode, by either talking or listening at any given time. In
addition, when one host sends a frame, all connected hosts hear it. When one
host generates a frame with errors, everyone hears that, too. [7]

In another words we can say that when in Local Area Networks(LAN) if one user forward data in
one LAN the broadcast will receive by every user in that LAN . By default router break up
broadcast domain and bridge break up collision domain. Now the point is that what is the way to
break up broadcast domain in a pure switched inter network? The answer is VLAN

A VLAN is a logical group of network users and resources connected to administratively defined
ports on a switch. When we create VLAN we gain the ability to create smaller broadcast domain
within layer 2 switch internetworks by assigning different port on switch to different sub network.
A VLAN is treated like its own subnet or broadcast domain, meaning that frame broadcast one to
the network are only switched between the ports logically group within the same VLAN.[3]

VLANs are created to provide the segmentation services traditionally provided by routers in LAN
Configurations. VLANs address scalability, security, and network management. Routers in VLAN
topologies provide broadcast filtering, security, address summarization, and traffic flow
Management

• LAN Segmentation

34
• Security

• Broadcast Control

• Performance

• Network Management

5.1.1 LAN Segmentation

The problems associated with shared LANs and the emergence of switches is causing
traditional LAN configurations to be replaced with switched VLAN internetworking
configurations. Switched VLAN configurations vary from LAN configurations in the
following ways:

• Switches replace front-end hubs in the wiring closet. Switches are easily installed
with little or no cabling changes, and can completely replace a shared hub with per
port service to each user.
• VLANs are created to provide the segmentation services traditionally provided by
routers in LAN configurations. A VLAN is a switched network that is logically
segmented by functions, project teams, or applications without regard to the
physical location of users. Each switch port can be assigned to a VLAN. Ports in a
VLAN share broadcasts. Ports that do not belong to that VLAN do not share these
broadcasts. This improves the overall performance of the network.
• Communication between VLANs is provided by layer 3 routing.[20]

Figure 5.1 Illustrates the difference between traditional physical LAN segmentation and logical
VLAN segmentation.

35
Figure 5.1:- LAN Segmentation and VLAN Segmentation [20]

5.1.2 Security

A flat internetwork security issue used to be tackled by connecting hubs and switched
together with Router. So it is basically the routers job to maintain security. This
arrangement was pretty inoffensive for several reasons. First anyone can connect to the
physical network could access the network resources located to the particular physical
LAN, and most important risk is that user should join a workgroup by just plugging their
workstation into their existing hub.

But if we build VLANS there and create multiple broadcast group, we will have total
control over each port and user so when anyone just plug their work station into any switch
port and gain access in to network resources, can not gain cause now we have control on
each port plus switch can be configured to inform the management to access of any
unauthorized workstation. We can also place restriction on hardware, address, and
application. [19]

5.1.3 Broadcast Control

Broadcast often in every protocol but how often they occur depends upon three things.

• The type of protocol

36
• The application running on the internetwork
• How these services are used

All devices within a VLAN are members of the same broadcast domain and receive all
broadcast. By default, this broadcast is filtered from all ports on switch that are not member
of the same VLAN. Means if a port is not part of that VLAN in switch can not receive that
broadcast. [19]

5.1.4 Performance

Although many analysts have suggested that VLANS enhance the ability to deploy
centralized servers, customers may look at enterprise-wide VLAN implementation and
See difficulties in enabling full, high-performance access to centralized servers.

5.1.5 Network Management


Easier network management allows by the logical grouping of users. By VLAN there is no
need to pull cable to move a user from one network to another. Change, move or add are
achieved by changing port into the particular VLAN.

5.2 VLAN Membership


When a VLAN is provided at an access-layer switch, an end user must have some means of
gaining membership to it. Two membership methods exist on Cisco Catalyst switches.

■ Static VLAN
■ Dynamic VLAN

5.2.1 Static VLANs

VLAN membership protocol is needed for the end devices; they automatically assume
VLAN connectivity when they connect to a port.

Normally, the end device is not even aware that the VLAN exists. The switch port and its
VLAN simply are viewed and used as any other network segment, with other “locally
attached” members on the wire. The static port-to-VLAN membership normally is handled
in hardware with application-specific integrated circuits (ASICs) in the switch. This
membership provides good performance because all port mappings are done at the
hardware level, with no complex table lookups needed. [4]

37
5.2.2 Dynamic VLANs

Dynamic VLANs provide membership based on the MAC address of an end-user device.
When a device is connected to a switch port, the switch must, in effect, query a database to
establish VLAN membership. A network administrator also must assign the user’s MAC
address to a VLAN in the database of a VLAN Membership Policy Server (VMPS).

Dynamic VLANs allow a great deal of flexibility and mobility for end users but require
more administrative overhead. [4]

5.3 Types of Connections


Devices on a VLAN can be connected in three ways based on whether the connected
devices are VLAN-aware or VLAN-unaware. VLAN-aware device is one which
understands VLAN memberships (i.e. which users belong to a VLAN) and VLAN formats.
[1]

5.3.1 Trunk Link or Trunk Port

All the devices connected to a trunk link, including workstations, must be VLAN-aware.
All frames on a trunk link must have a special header attached. These special frames are
Called tagged frames. [1]

38
Figure 5.2: Trunk link between two VLAN-aware bridges. [1]

5.3.2 Access Link or Access Port

An access link connects a VLAN-unaware device to the port of a VLAN-aware bridge.


All frames on access links must be implicitly tagged (untagged) The VLAN-unaware
device can be a LAN segment with VLAN-unaware workstations or it can be a number of
LAN segments containing VLAN-unaware devices. [1]

Figure 5.3: Access link between a VLAN-aware bridge and a VLAN-unaware device.
[1]

5.3.3 Hybrid Link

This is a combination of the previous two links. This is a link where both VLAN-aware
and VLAN-unaware devices are attached A hybrid link can have both tagged and untagged
frames, but all the frames for a specific VLAN must be either tagged or untagged.

Figure 5.4 Hybrid link containing both VLAN-aware and VLAN-unaware devices. [1]

39
5.4 Communicating between VLANS
VLAN frame identification was developed for switched networks. As each
frame is transmitted over a trunk link, a unique identifier is placed in the
frame header. As each switch along the way receives these frames, the
identifier is examined to determine to which VLAN the frames belong
and then is removed.

If frames must be transported out another trunk link, the VLAN identifier
is added back into the frame header. Otherwise, if frames are destined
out an access (nontrunk) link, the switch removes the VLAN identifier
before transmitting the frames to the end station. Therefore, all traces of
VLAN associations are hidden from the end station.

VLAN identification can be performed using two methods, each using a


different frame identifier mechanism. [4]

• Inter-Switch Link (ISL) protocol

• IEEE 802.1Q protocol

5.4.1 Inter-Switch Link (ISL) protocol


The Inter-Switch Link (ISL) protocol is a Cisco-proprietary method for preserving the
source VLAN identification of frames passing over a trunk link. ISL performs frame
identification in Layer 2 by encapsulating each frame between a header and a trailer.

When a frame is destined out a trunk link to another switch or router, ISL adds a 26-byte
header and a 4-byte trailer to the frame. The source VLAN is identified with a 15-bit
VLAN ID field in the header. The trailer contains a cyclic redundancy check (CRC) value
to ensure the data integrity of the new encapsulated frame. [4]

5.4.2 IEEE 802.1Q protocol

The IEEE 802.10 protocol provides connectivity between VLANs. Originally developed to
address the growing need for security within shared LAN/MAN environments, it
incorporates authentication and encryption techniques to ensure data confidentiality and
integrity throughout the network. Additionally, by functioning at Layer 2, it is well suited
to high-throughput, low-latency switching environments. IEEE 802.10 protocol can run
over any LAN or HDLC serial interface. [20]

5.5 VLAN Trunking Protocol (VTP)

40
VTP is a protocol that runs over trunk links and synchronizes the VLAN databases of all
switches in the VTP domain. A VTP domain is an administrative group—all switches
within that group must have the same VTP domain name configured or they do not
synchronize databases.

VTP works by using Configuration Revision numbers and VTP advertisements

• All switches send out VTP advertisements every five minutes, or


when there is a change to the VLAN database (when a VLAN is
created, deleted, or renamed).

• VTP advertisements contain a Configuration Revision number. This


number is increased by one for every VLAN change.

• When a switch receives a VTP advertisement, it compares the


Configuration Revision number against the one in its VLAN
database.

• If the new number is higher, the switch overwrites its database


with the new VLAN information, and forwards the information to its
neighbor switches.

• If the number is the same, the switch ignores the advertisement.

• If the new number is lower, the switch replies with the more up to-
date information contained in its own database. [2]

5.6 VTP Modes of Operation


To participate in a VTP management domain, each switch must be
configured to operate in one of several modes. The VTP mode
determines how the switch processes and advertises VTP information.
Following modes can be use:

• Server Mode
• Client Mode
• Transparent Mode

5.6.1 Server Mode

41
VTP servers have full control over VLAN creation and modification for
their domains. All VTP information is advertised to other switches in the
domain, while all received VTP information is synchronized with the
other switches. By default, a switch is in VTP server mode. Note that
each VTP domain must have at least one server so that VLANs can be
created, modified, or deleted and VLAN information can be propagated.
[4]

5.6.2 Client mode

VTP clients do not allow the administrator to create, change, or delete


any VLANs. Instead, they listen to VTP advertisements from other
switches and modify their VLAN configurations accordingly. In effect, this
is a passive listening mode. Received VTP information is forwarded out
trunk links to neighboring switches in the domain, so the switch also
acts as a VTP relay. [4]

5.6.4 Transparent mode


VTP transparent switches do not participate in VTP. While in transparent mode, a switch
does not advertise its own VLAN configuration, and a switch does not synchronize its
VLAN database with received advertisements. In VTP version 1, a transparent-mode
switch does not even relay VTP information it receives to other switches unless its VTP
domain names and VTP version numbers match those of the other switches. In VTP
version 2, transparent switches do forward received VTP advertisements out of their trunk
ports, acting as VTP relays. This occurs regardless of the VTP domain name setting. [4]
CHAPTER 6: Dynamic Multipoint VPN

A Dynamic Multipoint Virtual Private Network is an enhancement of the virtual private


network (VPN) configuration process of Cisco IOS-based routers. It is CISCO proprietary
software solution. DMVPN prevents the need for pre-configured (static) IPSEC peers in
Crypto map configurations and isakmp peer statements. This feature of Cisco IOS allows
greater scalability over previous IPSec configurations. An IPSec tunnel between two Cisco
routers may be created on an as needed basis. Tunnels may be created between a spoke
router and a hub router (VPN headend), or between spokes. This greatly alleviates the need
for the hub to route data between spoke networks, as was common in a non-fully meshed
frame relay topology. [21]

DMVPN is combination of the following technologies:

1) Multipoint GRE (mGRE)


2) Next-Hop Resolution Protocol (NHRP)

42
4) Dynamic Routing Protocol (EIGRP, RIP, OSPF, BGP)
3) Dynamic IPsec encryption
5) Cisco Express Forwarding (CEF)[24]

6.1 What is NHRP?


•NHRP is a layer two resolution protocols and cache like ARP or Reverse ARP (Frame
Relay)
•It is used in DMVPN to map a tunnel IP address to an NBMA address
•Like ARP, NHRP can have static and dynamic entries
•NHRP has worked fully dynamically since Release 12.2(13) T [23]

NHRP Phase 1

At NHRP phase, mGRE using NHRP to inform the hub about dynamically appearing
spokes. Initially, we configure every spoke with the IP address of the hub as its NHS
server. However, the spoke’s tunnel mode is GRE (regular point-to-point) tunnel with the
fixed destination IP that equals to the physical address of the hub. The spokes can only
reach hub and get to other spoke networks across the hub. The benefit of Phase 1 is
simplified hub router configuration, which does not require static NHRP mapping for every
new spoke.

Figure 6.1 NHRP Phases 1

As all packets go across the hub, almost any dynamic routing protocol would help with
attaining reachability. The hub just needs to advertise a default route to spokes, while
spokes should advertise their subnets dynamically to the hub. Probably it makes sense to
run EIGRP and summarize all subnets to 0.0.0.0/0 on the hub, effectively sending a default
route to all spokes (if the spokes do not use any other default route, e.g. from their ISPs).

43
Configure spokes as EIGRP stubs and advertise their respective connected networks. RIP
could be set up in similar manner, by simply configuring GRE tunnels on spokes as passive
interfaces. Both EIGRP and RIP require split-horizon disabled on the hub mGRE interface
in order to exchange subnets spoke to spoke. As for OSPF, the optimal choice would be
using point-to-multipoint network type on all GRE and mGRE interfaces. In addition to
that, configure ip ospf database filter-all out on the hub and set up static default routes via
tunnel interfaces on the spokes .[24]

6.2 What is GRE Tunnels?


•A GRE tunnel is a simple non-negotiated tunnel; GRE only needs tunnel endpoints
•GRE encapsulate frames or packets into an other IP packet + IP header
•GRE has only 4 to 8 bytes of overhead
•GRE tunnels exist in two main flavors:

o Point-to-point (GRE)
o Point-to-multipoint (mGRE) [23]

Classic GRE tunnel is point-to-point, but mGRE generalizes this idea by allowing a tunnel
to have “multiple” destinations.

Figure 6.2 GRE Tunnels

This may seem natural if the tunnel destination address is multicast (e.g. 239.1.1.1). The
tunnel could be used to effectively distribute the same information (e.g. video stream) to
multiple destinations on top of a multicast-enabled network. Actually, this is how mGRE is
used for Multicast VPN implementation in Cisco IOS. However, if tunnel endpoints need
to exchange unicast packets, special “glue” is needed to map tunnel IP addresses to
“physical” or “real” IP addresses, used by endpoint routers. [24]

44
6.3 Routing with DMVPN

Dynamic routing is required over hub-to-spoke tunnels

•Spoke learns of all private networks on the other spokes and the hub via routing updates
sent via the hub
•IP next-hop for a spoke network is the tunnel interface for that spoke

6.3.1Possible routing protocols

• Enhanced Interior Gateway Routing Protocol (EIGRP), which scales reasonably


well.
• Open Shortest Path First (OSPF)
• Border Gateway Protocol (BGP)
• Routing Information Protocol (RIP)

6.4 DMVPN Phases


•Phase 1: Hub and spoke functionality
•Phase 2: Spoke-to-spoke functionality

6.4.1 Hub-and-spoke
Spoke-to-spoke traffic through hub; requires about the same number of tunnels as spokes

• Hub bandwidth and CPU limit VPN


• Server Load Balancing: Many “identical” hubs increase
CPU power; spoke-to-spoke design under consideration [25]

45
Figure 6.3 Hub-to-spokes and Dynamic spoke-to-spoke tunnels

6.4.2 Spoke-to-spoke

Control traffic: Hub-and-spoke; hub to hub


• Hub-and-spoke single-layer.
• Hierarchical hub-and-spoke layers.

Unicast data traffic: Dynamic mesh


• Spoke routers support spoke-to-hub and spoke-to-spoke Tunnels.

Number of tunnels falls between the number of spokes n and n2 where n is the number of
spokes (full-mesh) [25]

6.5 Sample mGRE and IPsec Integration Topology


• Each spoke has a permanent IPSec tunnel to the hub, not to the other spokes within the
network. Each spoke registers as clients of the NHRP server.

• When a spoke needs to send a packet to a destination (private) subnet on another spoke,
it queries the NHRP server for the real (outside) address of the destination (target) spoke.

• After the originating spoke "learns" the peer address of the target spoke, it can initiate a
dynamic IPSec tunnel to the target spoke.

• The spoke-to-spoke tunnel is built over the multipoint GRE interface.

• The spoke-to-spoke links are established on demand whenever there is traffic between
the spokes. Thereafter, packets can bypass the hub and use the spoke-to-spoke tunnel. [22]

46
6.6 IPSec Profiles
IPSec profiles abstract IPSec policy information into a single configuration entity, which
can be referenced by name from other parts of the configuration. Therefore, users can
configure functionality such as GRE tunnel protection with a single line of configuration.
By referencing an IPSec profile, the user does not have to configure an entire crypto map
configuration. An IPSec profile contains only IPSec information; that is, it does not contain
any access list information or peering information. [22]

6.7 Benefits of Dynamic Multipoint VPN (DMVPN)

Hub Router Configuration Reduction

• Currently, for each spoke router, there is a separate block of configuration lines on the
hub router that define the crypto map characteristics, the crypto access list, and the GRE
tunnel interface. This feature allows users to configure a single mGRE tunnel interface, a
single IPSec profile, and no crypto access lists on the hub router to handle all spoke routers.
Thus, the size of the configuration on the hub router remains constant even if spoke routers
are added to the network.

• DMVPN architecture can group many spokes into a single multipoint GRE interface,
removing the need for a distinct physical or logical interface for each spoke in a native
IPSec installation.

Automatic IPSec Encryption Initiation

GRE has the peer source and destination address configured or resolved with NHRP. Thus,
this feature allows IPSec to be immediately triggered for the point-to-point GRE tunneling
or when the GRE peer address is resolved via NHRP for the multipoint GRE tunnel.

Support for Dynamically Addressed Spoke Routers

When using point-to-point GRE and IPSec hub-and-spoke VPN networks, the physical
interface IP address of the spoke routers must be known when configuring the hub router
because IP address must be configured as the GRE tunnel destination address. This feature
allows spoke routers to have dynamic physical interface IP addresses (common for cable
and DSL connections). When the spoke router comes online, it will send registration
packets to the hub router within these registration packets, is the current physical interface
IP address of this spoke.

Dynamic Creation for Spoke-to-Spoke Tunnels

47
This feature eliminates the need for spoke-to-spoke configuration for direct tunnels. When
a spoke router wants to transmit a packet to another spoke router, it can now use NHRP to
dynamically determine the required destination address of the target spoke router (The hub
router acts as the NHRP server, handling the request for the source spoke router). The two
spoke routers dynamically create an IPSec tunnel between them so data can be directly
transferred. [22]

CHAPTER 7: Deliverables

7.1 Configuring VLAN’S On SDM

The following figure 7.1 showing the network structure for the deployment of VLAN’S.
Router 1812 W is connected to different VLAN’S and to a single hub which is also
connected to a single VLAN. Physical connectivity of network is performed by straight
through cable.

Router

48
Vlan1 Vlan2 Hub Vlan4

Vlan 3 Vlan 3 Vlan 3 (Laptop)

Figure 7.1

Following is the list of the IP addresses used in the above define network to construct
VLAN’S, for the network of 192.168.0.0 with the subnet mask 255.255.255.248.

Hosts
Network Broadcast Address
from to
192.168.0.0 192.168.0.1 192.168.0.6 192.168.0.7
192.168.0.8 192.168.0.9 192.168.0.14 192.168.0.15
192.168.0.16 192.168.0.17 192.168.0.22 192.168.0.23
192.168.0.24 192.168.0.25 192.168.0.30 192.168.0.31
192.168.0.32 192.168.0.33 192.168.0.38 192.168.0.39

VLAN 1 is configured with IP address of 10.10.10.1 because by default this IP is used


to connect SDM with the directly connected machine to Router 1812W

Here Configuring VLAN1 by using SDM mode by giving the IP address of 10.10.10.1
and the subnet Mask 255.255.255.248.

49
Here performing IP Renew/Release in CMD mode for the Pc directly connected to
VLAN 1

Here

Configuring VLAN2 by using SDM mode by giving the IP address of 192.168.0.9 and
the subnet Mask 255.255.255.248.

50
51
52
53
54
55
Enabling Routing Protocol RIP in Router to perform routing between VLAN’S.

It is shown in the following screen shot that the routing enables in Router.

56
Configuring VLAN 3 and VLAN 4 on Router.

Here

Configuring IP Address, Subnet Mask & Default Gateway for VLAN 2 according to
the above defines IP Address and Subnet mask. Machine pinging default gateway,
own IP and VLAN 1 IP successfully in Command line mode, that is showing VLAN
connectivity to each other.

57
Machine pinging default gateway, own IP and VLAN 1, VLAN2 and another VLAN
connecting to HUB successfully in Command mode.

Configuring IP Address, Subnet Mask & Default Gateway for VLAN 4, Machine pinging
default gateway, own IP and VLAN1, VLAN2, VLAN3 successfully in Command mode

58
7.2 Configuring of DMVPN on CLI

DMVPN through R1, R2 & R3 (Hub n Spoke)

R3
Management PC

(.100)
F0/0 (.3)

192.1.123.0/24 VLAN 123

F 0/0 (.1) F 0/0 (.2)


R1 R2

Figure 7.2

The above figure 7.2 is showing the network structure of the implementation of DMVPN.
In this network three routers are connected to switch by Ethernet cable and management
PC as well. One router is configured as Hub and two routers are configured as spoke

The Lab Objective defined in the following three tasks for the implementation of DMVPN.

Lab Objectives
Task 1

Configure the following Loopback interfaces:

 R1 – Interface Loopback 15 – 172.16.1.1/24


 R2 – Interface Loopback 15 – 172.16.2.2/24
 R3 – Interface Loopback 15 – 172.16.3.3/24

59
R1

Interface Loopback 15
Ip address 172.16.1.1 255.255.255.0
R2

Interface Loopback 15
Ip address 172.16.2.2 255.255.255.0
R3

Interface Loopback 15
Ip address 172.16.3.3 255.255.255.0

Task 2

Configure a MGRE tunnel to route traffic between the newly created


Loopbacks using the following parameters:

 NHRP Parameters
o NHRP ID – 123
o NHRP Authentication key – DMVPN
o NHRP Hub – R3
 Tunnel Parameters
o IP address : 172.16.123.0/24
o IP MTU : 1416
o Tunnel Authentication Key : 123
 Routing Protocol Parameters
o EIGRP 123

R3

Interface Tunnel 1
Ip address 172.16.123.3 255.255.255.0
Ip mtu 1416
Ip nhrp network-id 123
Ip nhrp authentication DMVPN
Ip nhrp map multicast dynamic
Tunnel source F 0/0
Tunnel mode gre multipoint
Tunnel key 123
No ip split-horizon eigrp 123
!
router eigrp 123
no auto-summary

60
network 172.16.0.0 0.0.255.255
!
ip route 172.16.1.0 255.255.255.0 192.1.123.1
ip route 172.16.2.0 255.255.255.0 192.1.123.2

R1

Interface Tunnel 1
Ip address 172.16.123.1 255.255.255.0
Ip mtu 1416
Ip nhrp network-id 123
Ip nhrp authentication DMVPN
Ip nhrp nhs 172.16.123.3
Ip nhrp map 172.16.123.3 192.1.10.3
Ip nhrp map multicast 192.1.10.3
Tunnel source F 0/0
Tunnel mode gre multipoint
Tunnel key 123
!
router eigrp 123
no auto-summary
network 172.16.0.0 0.0.255.255
!
ip route 172.16.2.0 255.255.255.0 192.1.123.2
ip route 172.16.3.0 255.255.255.0 192.1.123.3

Task 3
Encrypt the MGRE traffic using the following parameters:

 ISAKMP Parameters
o Authentication : Pre-shared
o Encryption : 3DES
o Pre-Shared Key : cisco123
 IPSec Parameters
o Encryption : ESP-3DES
o Authentication : ESP-MD5-HMAC

61
R3

Crypto isakmp policy 10


Authentication pre-share
Encryption 3des
!
crypto isakmp key ccie address 0.0.0.0
!
crypto ipsec transform-set t-set esp-3des esp-md5-hmac
!
crypto ipsec profile DMVPN
set transform-set t-set
!
Interface Tunnel 1
Tunnel protection ipsec profile DMVPN
R1

Crypto isakmp policy 10


Authentication pre-share
Encryption 3des
!
crypto isakmp key ccie address 0.0.0.0
!
crypto ipsec transform-set t-set esp-3des esp-md5-hmac
!
crypto ipsec profile DMVPN
set transform-set t-set
!
Interface Tunnel 1
Tunnel protection ipsec profile DMVPN
R2

Crypto isakmp policy 10


Authentication pre-share
Encryption 3des
!
crypto isakmp key ccie address 0.0.0.0
!
crypto ipsec transform-set t-set esp-3des esp-md5-hmac
!
crypto ipsec profile DMVPN
set transform-set t-set
!
Interface Tunnel 1
Tunnel protection ipsec profile DMVPN

62
Test Commands:

Sh ip route eigrp 123

Ping 172.16.1.1
Ping 172.16.2.2
Ping 172.16.3.3

Sh crypto sa
Sh crypto connections engine active
Sh crypto ipsec sa

R3-Config (Part 1 mGRE Creation)

63
64
Part2: IPSec Creation (mGRE+IPSec= DMVPN)

65
R1: (Since most of the configuration is same, therefore, it is a good idea to copy and
paste it on a text pad, and just change the necessary things like IP addresses and paste
into Router 1 and 2.)

66
Part 2: IPSec:

67
R2: (Since most of the configuration is same, therefore, it is a good idea to copy and
paste it on a text pad, and just change the necessary things like IP addresses and paste
into Router 1 and 2.)

68
IPSec on R2:

69
CHAPTER 8 Result and Discussion

8.1 VLAN Results & Discussion


Discussion:-

Four VLANS have been configured, three of which connected to the router and one of
which is with hub. Hub connected to three different machines that means three machines
are on same VLAN. The purpose of the third machine with the hub is just to transfer the
heavy files in the same VLAN and check the performance by following charts in SDM.

The above chart is for VLAN 3(connected to Hub) and the monitoring parameters are
packet input/output and bytes input/output, provided by SDM. It has been observed that
when file was transferring from one machine to another machine the curve of the graph
was moving up but when the file transfer stopped the curve gone straight.

70
Discussion:-

In the following screen shot the monitoring measurement for VLAN 3 was bytes Input and
Output and Error Input and output. The error input and output showed “0” between
transfers.

71
Discussion:-

In the following screen shot the monitoring measurement for VLAN 3 was bandwidth
utilizing. As there is no external source like server involved so the bandwidth utilization is
“0” and another reason is of course the transfer is in the same VLAN as well.

72
8.2 DMVPN Results & Discussion

R1 and R2 (Spokes):
On Router 1 and Router 2, “Sh ip nhrp” command is applied.

R3: See the commands and outputs please:


1. sh ip nhrp (see both spokes’ mapping is there)
2. sh ip eigrp 123 (see the routes are there using DMVPN)
3. ping 172.16.2.2 (Ping is successful using DMVPN)
4. ping 172.16.1.1

73
74
R2:
See the mappings: sh ip hnrp and ping results:
Traceroute shows that it is going directly through tunnel (no hops in between)

75
IPSec is UP on R1:

IPSec is UP on R2:

76
Conclusion

The main task of the deployment of VLAN and DMVPN is to provide network security to
both LAN and WAN network respectively with other beneficial aspect of both technologies
as well. VLANs have the ability to provide additional security not available in a shared
media network environment. By nature, a switched network delivers frames only to the
intended recipients, and broadcast frames only to other members of the VLAN. This allows
the network administrator to segment users requiring access to sensitive information into
separate VLANs from the rest of the general user community regardless of physical
location. In addition, monitoring of a port with a traffic analyzer will only view the traffic
associated with that particular port, making discreet monitoring of network traffic more
difficult.

It should be noted that the enhanced security that is mentioned above is not to be
considered an absolute safeguard against security infringements. What this provides is
additional safeguards against "casual" but unwelcome attempts to view network traffic.

In this report I also have discussed all the standards, technical component which relates
with DMVPN, that the DMVPN should deployed if the network requires Zero-touch
provisioning, simplified configuration, Multicast and support for dynamically addressed
spokes.

77
PROJECT PLANNING
Project Planning includes two stages

 Initial project planning

 Final project planning

Initial project planning


The following Gant Chart is showing the initial project planning which shows number of
days spending on each task using milestones and bars. The red bar shows the completion of
all tasks.

Initial Project Plan with respect to Total No of Days

Final project planning:

78
Below is the final project planning which is shown by using a Pie chart and a table.
Basically final planning shows the number of hours that have spent on each task for doing
this project.

ACTION PLAN WITH RESPECT TO TOTAL HOURS NO.OF HOURS

INTRODUCTION 50
INVESTIGATION ON 1800 ROUTER SERIES 60
VLAN 150
DMVPN 200
TESTING AND DISCUSSION 50
FURTHER REVISIONS AND CONCLUSION 100
TOTAL NO. OF HOURS 610

Final Action Plan with respect to Total No.of Hours

100 50
60
50

150
200

INTRODUCTION INVESTIGATION ON ROUTERS


VLAN DMVPN
TESTING & DISCUSSION FURTHER REVISION AND CONCLUCION

References

[1] www.ise.gmu.edu/~eschneid/infs612/projects/LAN.pdf

79
[2]Brent Stewart & Denise Donohue, CCNP BCMSN Quick Reference Sheets, USA, ISBN
978-1-5872-0236-0, 19-20

[3]Todd Lammle, CCNA Study Guide, Sixth edition, Sybex, USA, 2007, ISBN 0470110082

[4]David Hucaby, CCNP BCMSN Official Exam Certification Guide, Cisco Press, USA,
2007, ISBN: 1-58720-171-2

[5]Thayumanavan Sridhar, Future Communications Software, the Internet Protocol Journal


- Volume 1 No. 2, 1-2, 1998

[6]Jerry Ryan,Layer 3 Switching Re- Inventing the Router, The Technology Guide Series
Cisco Press, USA, 1998.

[7] www.dataconnection.com/iprouting/iprprotocol.htm

[8] Clare Gough, CCNP BSCI, USA, Cisco Press, 2006, ISBN: 1-58720-171-2

[9]Karl Solie, CCIE practical studies volume 1, Cisco Press, USA, 2001, ISBN:
1−58720−002−3

[10] Tim Boyles and Dave Hucaby ,Cisco CCNP Switching Exam Certification Guide,2000,
Cisco Press. USA, ISBN: 1-58720-000-7

[11] www.freesoft.org/CIE/Course/Section3/11.htm

[12] Cisco 1801, 1802 and 1803 Integrated Services Router from Cisco.com
“http://www.cisco.com/en/US/products/ps6184/”

[13] Cisco 1800 Series Integrated Services Routers Fixed Configuration Models
“http://www.cisco.com”

[14]Cisco 1805 Integrated Services Router from Cisco.com

“ http://www.cisco.com/en/US/products/ps9321/”

[15] Cisco 1811 Integrated Services Router from Cisco.com

“http://www.cisco.com/en/US/products/ps6183/”

[16] Cisco 1841 Integrated Services Router from Cisco.com

“http://www.cisco.com/en/US/products/ps5875/”

80
[17] Cisco 1861 Integrated Services Router from Cisco.com

“http://www.cisco.com/en/US/products/ps8321/”

[18] Cisco 1800 family from Cisco.com

“http://www.cisco.com/en/US/products/ps5853/”

[19] Wendell Odom , CCNA ICND 2,Cisco Press,USA.2007,ISBN 9781-1-58720-181-3

[20]www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113ed_cr/switch_c/xcvla
n.pdf

[21] www.en.wikipedia.org/wiki/Dynamic_Multipoint_Virtual_Private_Network

[22]www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftgreips.html#wp1039510

[23] Introduction to DMVPN, Security Technology Group, Cisco Press, USA, 2004

[24] http://blog.internetworkexpert.com/2008/08/02/dmvpn-explained/

[25]www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps6658/DMVPN
_Overview.pdf

[26] Wendell Odom , CCNA ICND 2,Cisco Press,USA.2007,ISBN 9781-1-58720-181-3

[27] http://www.javvin.com/protocolNHRP.html

[28] http://en.wikipedia.org/wiki/Generic_Routing_Encapsulation

Appendix

SDM Auto Generate Configuration of VLAN

!This is the running config of the router: 10.10.10.1

81
!------------------------------------------------------------------------
----
!version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$3QN/$FAx3IV7orGQd4rixJT9bh.
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.0.9
ip dhcp excluded-address 192.168.0.17
ip dhcp excluded-address 192.168.0.25
ip dhcp excluded-address 192.168.0.33
!
ip dhcp pool sdm-pool1
import all
network 192.168.0.0 255.255.255.0
default-router 10.10.10.1

!
ip dhcp pool sdm-pool9
network 192.168.0.8 255.255.255.248
default-router 192.168.0.9
!
ip dhcp pool sdm-pool10
network 192.168.0.16 255.255.255.248

82
default-router 192.168.0.17
!
ip dhcp pool sdm-pool11
network 192.168.0.24 255.255.255.248
default-router 192.168.0.25
!
ip dhcp pool sdm-pool12
network 192.168.0.32 255.255.255.248
default-router 192.168.0.33
!
!
ip tcp synwait-time 10
no ip bootp server
no ip domain lookup
ip domain name yourdomain.com
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
!
crypto pki trustpoint TP-self-signed-2874840234
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2874840234
revocation-check none
rsakeypair TP-self-signed-2874840234
!
!
crypto pki certificate chain TP-self-signed-2874840234
certificate self-signed 01

3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030


31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32383734 38343032 3334301E 170D3038 30383035 31353136
35335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 38373438
34303233 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100D4C9 1200473C 3C60A9C5 3475AFCD 0AB2A85E 6D1757FE C6BBB02E FC3235EB
4DBC370E 93FC490F EEE088C8 0AD340DE 0F7E4FF8 433484C5 C6AEEB01 183CB5CD
40689CCC 02BFDFDE 70F01041 75E0DBD3 1FE0AB42 FC387C73 EF37AEBC 1E0E329E

83
D77A00A2 509F40E3 B8EE38F7 F2CEF9E6 7DBE213C BFA01FA0 A58B632D 2BA1D514
6D1D0203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D
301F0603 551D2304 18301680 14D6C68A 543EDE81 4F72C5FD 115E2B6B D3F52643
02301D06 03551D0E 04160414 D6C68A54 3EDE814F 72C5FD11 5E2B6BD3 F5264302
300D0609 2A864886 F70D0101 04050003 81810011 A0FCEB29 305F006C 57F27435
286EC0FE 7F8466FB 15974005 B2B19C90 D6174186 DBD71987 1B644C88 437B811B
CF27D62E 41D54239 E42C470A 7A0BBA71 C09A2E07 39C3798E 3FF42103 79DAD980
8D45ABB8 1694871A 487B773A D4D3045E DB16716C 1DFF1A6F 4B48E1B6 116FFF10
1105C042 741C4484 8970E23B 7624D200 0E9505

quit
username cisco1 privilege 15 secret 5 $1$3Kzc$MyCanrmvgPqTacSRE8H/p0
!
!

interface FastEthernet0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
duplex auto
speed auto
!
interface FastEthernet1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
duplex auto
speed auto
!
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation hdlc
ip route-cache flow
shutdown
!
interface FastEthernet2
!
interface FastEthernet3
switchport access vlan 2
!
interface FastEthernet4
switchport access vlan 3
!
interface FastEthernet5
switchport access vlan 4
!
interface FastEthernet6

84
switchport access vlan 5
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Dot11Radio0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0
36.0 48.0 54.0
station-role root
!
interface Dot11Radio1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
station-role root
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
ip address 192.168.10.1 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
interface Vlan2
ip address 192.168.0.9 255.255.255.248
ip nat inside
ip virtual-reassembly
!
interface Vlan3
ip address 192.168.0.17 255.255.255.248
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
!
interface Vlan4
ip address 192.168.0.25 255.255.255.248
ip nat inside

85
ip virtual-reassembly
!
interface Vlan5
ip address 192.168.0.33 255.255.255.248
ip nat inside
ip virtual-reassembly
!
router ospf 500
log-adjacency-changes
passive-interface FastEthernet0
passive-interface FastEthernet1
passive-interface Vlan1
passive-interface Vlan2
passive-interface Vlan3
passive-interface Vlan4
passive-interface Vlan5
network 10.0.0.0 0.255.255.255 area 5
!
router rip
passive-interface Vlan1
network 10.0.0.0
no auto-summary
!
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
logging trap debugging
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 192.168.0.16 0.0.0.7 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip 192.168.0.8 0.0.0.7 any
access-list 101 permit icmp any host 192.168.0.17 echo-reply
access-list 101 permit icmp any host 192.168.0.17 time-exceeded
access-list 101 permit icmp any host 192.168.0.17 unreachable
access-list 101 permit tcp any host 192.168.0.17 eq 443
access-list 101 permit tcp any host 192.168.0.17 eq 22
access-list 101 permit tcp any host 192.168.0.17 eq cmd
access-list 101 permit udp any any eq rip
access-list 101 permit ip any host 224.0.0.9
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
no cdp run
!

86
!

control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
transport output telnet
line aux 0
transport output telnet
line vty 0 4
transport input telnet ssh
line vty 5 15
transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end

Initial Configuration of DMVPM

87
For Router 1 For Router 2 For Router 3

enable enable enable


config t config t config t
! ! !
no ip domain-lookup no ip domain-lookup no ip domain-lookup
line con 0 line con 0 line con 0
logg sync logg sync logg sync
! ! !
Host R1 Host R2 Host R3
! ! !
int loo 0 int loo 0 int loo 0
ip add 11.11.11.11 255.0.0.0 ip add 22.22.22.22 255.0.0.0 ip add 33.33.33.33 255.0.0.0
! ! !
int loo 11 int loo 22 int loo 10
ip add 10.11.11.11 ip add 10.22.22.22 ip add 10.3.3.3 255.255.255.0
255.255.255.0 255.255.255.0 !
! ! int F 0/0
int f 0/0 int f 0/0 ip add 192.1.123.3
ip address 192.1.123.1 ip add 192.1.123.2 255.255.255.0
255.255.255.0 255.255.255.0 no shut
no shut no shut !
! !
Router rip Router rip router rip
ver 2 ver 2 ver 2
no auto no auto no auto
network 11.0.0.0 network 22.0.0.0 network 33.0.0.0
network 192.1.123.0 network 192.1.123.0 network 192.1.123.0
end end end
wr wr wr

Final Configuration of DMVPN

88
For Router 1 For Router 2 For Router 3

hostname R1 hostname R2 hostname R3


! ! !
logging queue-limit 100 logging queue-limit 100 logging queue-limit 100
! ! !
memory-size iomem 10 memory-size iomem 10 memory-size iomem 10
ip subnet-zero ip subnet-zero ip subnet-zero
! ! !
! ! !
no ip domain lookup no ip domain lookup no ip domain lookup
! ! !
ip audit notify log ip audit notify log ip audit notify log
ip audit po max-events 100 ip audit po max-events 100 ip audit po max-events 100
! ! !
! ! !
! ! !
crypto isakmp policy 10 crypto isakmp policy 10 crypto isakmp policy 10
encr 3des encr 3des encr 3des
authentication pre-share authentication pre-share authentication pre-share
crypto isakmp key cciesec crypto isakmp key cciesec crypto isakmp key cciesec
address 0.0.0.0 0.0.0.0 address 0.0.0.0 0.0.0.0 address 0.0.0.0 0.0.0.0
! ! !
! ! !
crypto ipsec transform-set t-set crypto ipsec transform-set t-set crypto ipsec transform-set t-set
esp-3des esp-md5-hmac esp-3des esp-md5-hmac esp-3des esp-md5-hmac
! ! !
crypto ipsec profile ABC crypto ipsec profile ABC crypto ipsec profile ABC
set transform-set t-set set transform-set t-set set transform-set t-set
! ! !
! ! !
! ! !
no voice hpi capture buffer no voice hpi capture buffer no voice hpi capture buffer
no voice hpi capture destination no voice hpi capture destination no voice hpi capture destination
! ! !
! ! !
mta receive maximum- mta receive maximum- mta receive maximum-
recipients 0 recipients 0 recipients 0
! ! !
! ! !
! ! !
! ! !
interface Loopback0 interface Loopback0 interface Loopback0
ip address 11.11.11.11 ip address 22.22.22.22 ip address 33.33.33.33
255.0.0.0 255.0.0.0 255.0.0.0
! ! !

89
interface Loopback10 interface Loopback10 interface Loopback10
ip address 10.1.1.1 ip address 192.1.2.2 ip address 10.3.3.3
255.255.255.0 255.255.255.0 255.255.255.0
! ! !
interface Loopback15 interface Loopback15 interface Loopback15
ip address 172.16.1.1 ip address 172.16.2.2 ip address 172.16.3.3
255.255.255.0 255.255.255.0 255.255.255.0
! ! !
interface Tunnel1 interface Tunnel1 interface Tunnel1
ip address 172.16.123.1 ip address 172.16.123.2 ip address 172.16.123.3
255.255.255.0 255.255.255.0 255.255.255.0
no ip redirects no ip redirects no ip redirects
ip mtu 1416 ip mtu 1416 ip mtu 1416
ip nhrp authentication ip nhrp authentication ip nhrp authentication
DMVPN DMVPN DMVPN
ip nhrp map 172.16.123.3 ip nhrp map 172.16.123.3 ip nhrp map multicast dynamic
192.1.10.3 192.1.10.3 ip nhrp network-id 123
ip nhrp map multicast ip nhrp map multicast no ip split-horizon eigrp 123
192.1.10.3 192.1.10.3 tunnel source Ethernet0/0
ip nhrp network-id 123 ip nhrp network-id 123 tunnel mode gre multipoint
ip nhrp nhs 172.16.123.3 ip nhrp nhs 172.16.123.3 tunnel key 123
tunnel source Ethernet0/0 tunnel source Ethernet0/0 tunnel protection ipsec profile
tunnel mode gre multipoint tunnel mode gre multipoint ABC
tunnel key 123 tunnel key 123 !
tunnel protection ipsec profile tunnel protection ipsec profile interface Ethernet0/0
ABC ABC ip address 192.1.10.3
! ! 255.255.255.0
interface Ethernet0/0 interface Ethernet0/0 half-duplex
ip address 192.1.123.1 ip address 192.1.123.2 !
255.255.255.0 255.255.255.0 interface Serial0/0
half-duplex half-duplex no ip address
! ! shutdown
interface Serial0/0 interface Serial0/0 !
no ip address no ip address interface Ethernet0/1
shutdown shutdown no ip address
! ! shutdown
interface Ethernet0/1 interface Ethernet0/1 half-duplex
no ip address no ip address !
shutdown shutdown router rip
half-duplex half-duplex ver 2
! ! no auto
interface Serial0/1 interface Serial0/1 network 33.0.0.0
no ip address no ip address network 192.1.123.0
shutdown shutdown !
! ! router eigrp 123
router eigrp 123 router eigrp 123 network 172.16.0.0

90
network 172.16.0.0 network 172.16.0.0 no auto-summary
no auto-summary no auto-summary !
! ! ip http server
router rip router rip no ip http secure-server
version 2 version 2 ip classless
network 11.0.0.0 network 22.0.0.0 ip route 0.0.0.0 0.0.0.0
network 192.1.123.0 network 192.1.123.0 192.1.10.10
no auto-summary no auto-summary !
! ! !
ip http server ip http server !
no ip http secure-server no ip http secure-server !
ip classless ip classless call rsvp-sync
! ! !
! ! !
! ! mgcp profile default
! ! !
call rsvp-sync call rsvp-sync dial-peer cor custom
! ! !
! ! !
mgcp profile default mgcp profile default !
! ! !
dial-peer cor custom dial-peer cor custom !
! ! line con 0
! ! logging synchronous
! ! line aux 0
! ! line vty 0 4
! ! login
line con 0 line con 0 !
logging synchronous logging synchronous !
line aux 0 line aux 0 end
line vty 0 4 line vty 0 4
! !
! !
end end

91