Directorate of Private Higher Education Institutions

Maiwand Institute of Higher Education

Faculty of Computer Science

Monograph topic: Plan and design of the Bakhtar Bank network infrastructure

Prepared and presented by: Mohammad Qasim

Supervisor: Shams ur Rehman Shinwari
Department: Computer Science
Registration number: 2014-0199
ISLAMIC REPUBLIC OF AFGHANISTAN
MINISTRY OF HIGHER EDUCATION
MAIWAND INSTITUTE OF HIGHER EDUCATION KABUL
AFGHANISTAN

Project Title
Plan and Design of the Network Infrastructure of BAKHTAR BANK

Submitted by: Mohammad Qasim


Father name: Mohammad Nasim
Reg no: 2014-0199
Supervised by: Shams ur Rehman Shinwari
Department: Computer Science
Session: 2013-2017
Thesis Approval Form
For
“Plan and Design of the Network Infrastructure of BAKHTAR BANK”

Vice Chancellor___________________________

Signature
---------------------------------------------------------

Head of department_________________________

Remarks _______________________

Signature -------------------------------------------------------------

Supervisor________________________________

Remarks _______________________

Signature
----------------------------------------------------------

Assistant Supervisor_________________________

Remarks _______________________

Signature

-----------------------------------------------------------

External Supervisor_________________________

Remarks _______________________

Signature
-----------------------------------------------------------
ABSTRACT

The goal of this thesis project is to plan and design a new network infrastructure for
Bakhtar Bank that enables clients at the head quarters and at the branches to access the CBS
(Core Banking Solution) software.

In the current Bakhtar Bank network there is no connectivity between the head office and the
branches for accessing the core banking system, the network has no standard design and no
standard network devices, and all transactions and business processes are therefore handled
over the phone.

The main purpose of this project is to connect the Bakhtar Bank branches to the head quarters
in Kabul and allow all branches to access the central financial database and other services.

This project is expected to reduce network and system troubleshooting effort and to improve
network and system security and performance.

DEDICATION
I dedicate my humble effort to my family and parents, whose affection, love, encouragement and
prayers day and night have enabled me to achieve this success and honour, and to my respected
teacher Mr. Shams ur Rehman, who guided me in completing this project from beginning to end;
I am thankful to him.

Declaration
I hereby declare that this thesis is my own work and effort and that it has not been submitted
anywhere for any award. Where other sources of information have been used, they have been
acknowledged.
The work was done under the supervision of Associate Professor Mr. Shams ur Rehman at
Maiwand Institute of Higher Education, Kabul, Afghanistan.

ACKNOWLEDGEMENT
We take this opportunity as a privilege to thank all the individuals without whose support and
guidance we could not have completed our project in the stipulated period of time.
First and foremost we would like to express our deepest gratitude to our project supervisor Mr.
Shams Ur Rehman Shinwari, Department of Computer Science, for his invaluable support,
guidance, motivation and encouragement throughout the period in which this work was carried out.
We would also like to thank all the professors and members of the Department of Computer
Science for their generous help in various ways towards the completion of the thesis. We also
extend our thanks to our fellow students for their friendly co-operation.

Table of Contents
Chapter 1...................................................................................................................................................1
Introduction ..............................................................................................................................................1
1.1 Project information: ..................................................................................................................1
1.2 Project Background: ..................................................................................................................1
1.3 Project Summary .......................................................................................................................2
1.4 Project Objectives: ....................................................................................................................2
1.5 Project Methodology ................................................................................................................3
Chapter 2...................................................................................................................................................4
Network Architecture................................................................................................................................4
2.1 Network Design Diagram ..........................................................................................................4
2.2 Project Network Lab Simulation Diagram .................................................................................5
2.3 IP Schema ..................................................................................................................................6
2.3.1 Selection and Using of the Routing Protocol for the project ............................................6
2.4 Cisco EIGRP (Enhanced Interior Gateway Routing Protocol) ....................................................6
2.4.1 Administrative Distance ....................................................................................................7
2.4.2 Metrics ..............................................................................................................................7
2.4.3 EIGRP Features ..................................................................................................................8
2.4.4 EIGRP Components ...........................................................................................................8
2.4.5 Neighbor Discovery/Recovery............................................................................8
2.4.6 Reliable Transport .............................................................................................................9
2.4.7 DUAL finite state machine .................................................................................................9
2.4.8 Protocol-dependent modules ...........................................................................................9
2.4.9 EIGRP Operation................................................................................................................9
2.5 Core Segment ..........................................................................................................................13
2.6 DMZ Segment..........................................................................................................................13
2.7 WAN Segment .........................................................................................................................14
Chapter 3.................................................................................................................................................16
High Availability and Fail Over.................................................................................................................16
3.1 Network Availability Redundancy ...........................................................................................16
3.1.1 Review of Failover Times.................................................................................................16
3.1.2 Optimal Redundancy .......................................................................................................16
3.2 GLBP Overview ........................................................................................................................17
3.2.1 GLBP Benefits ..................................................................................................................18
3.2.2 GLBP Active Virtual Gateway...........................................................................................19
3.2.3 GLBP Virtual MAC Address Assignment ..........................................................................20

3.2.4 GLBP Virtual Gateway Redundancy.................................................................................20
3.2.5 GLBP Virtual Forwarder Redundancy ..............................................................................21
3.2.6 GLBP Gateway Priority ....................................................................................................21
3.2.7 GLBP Gateway Weighting and Tracking...........................................................................22
Chapter 4.................................................................................................................................................24
VPN, IPSec and NAT/PAT .........................................................................................................................24
4.1 IPSec VPN between HQ and Branches ....................................................................................24
4.1.1 What is VPN.....................................................................................................................24
4.2 Advantages & Disadvantages ..................................................................................................25
4.3 Types of VPN ...........................................................................................................................25
4.3.1 Site-to-Site VPNs .............................................................................................................25
4.3.2 Remote-access VPNs. ......................................................................................................26
4.4 Securing a VPN ........................................................................................................................27
4.4.1 VPN Encryption ...............................................................................................................27
4.4.2 VPN Tunneling .................................................................................................................28
4.5 Using IPSec in VPN ..................................................................................................................30
4.5.1 Network Diagram ............................................................................................................30
4.5.2 Configurations .................................................................................................................30
4.6 NAT & PAT to translate internal traffic to public .....................................................................36
4.7 Using inter VLAN Routing (Router-on-a-stick)..........................................................38
4.7.1 External Router (router-on-a-stick) .................................................................................39
4.7.2 Implementation Planning ................................................................................................40
4.7.3 SVI Autostate ...................................................................................................................42
Chapter 5.................................................................................................................................................45
Network Configuration............................................................................................................................45
5.1 Network configuration part ....................................................................................................45
5.1.1 Devices Configuration Part: .............................................................................................45
References...............................................................................................................................................72

Chapter 1
Introduction
1.1 Project information:
Bakhtar Bank is a private bank with nearly 700 employees in different provinces of the country
and its main office in Kabul City.
The bank plans to equip its administrative staff with technology and, in the long run, to
transform its manual administrative processes into a computerised paperless system, and to
extend the accessibility and connectivity of technology-related systems to all administrative
departments.
The goal of this project is to plan and design a new network infrastructure for Bakhtar Bank that
enables clients at the head quarters and at the branches to access the CBS (Core Banking
Solution) software.

In the current Bakhtar Bank network there is no connectivity between the head office and the
branches for accessing the core banking system, the network has no standard design and no
standard network devices, and all transactions and business processes are therefore handled
over the phone.

The new network topology design will have the following parts for Bakhtar Bank:

 Complete data center network design
 IP addressing scheme and routing
 Core segment design (LAN, WAN, DMZ)
 Network device configuration
 Implementation of high availability and redundancy in the core layer
 Link connectivity of the branches to the Bakhtar Bank head office

1.2 Project Background:

As per our survey of Bakhtar Bank, the bank has a manual procedure for business transactions,
and the main problems we observed are as below:

 Each branch keeps its own financial database, which is not synchronised with the head office database.
 Business processes are carried out by phone and over the internet, which is insecure.
 Delays in processing customer transactions.

Design a new network infrastructure for BAKHTAR BANK 1


 Branch computers are in a workgroup rather than a centralised domain, which violates the
network/system security policy.
 Troubleshooting and network monitoring are impossible because there is no connectivity
between the Bakhtar Bank head office and the branches.
 No security on the network.
 Standard network devices are not used in the network.

As the Bakhtar Bank branches are not connected to the head quarters, every process takes a
long time to complete.

There is also no proper method for troubleshooting, checking and auditing the branches.

All the problems mentioned above can be addressed by the new Bakhtar Bank network
infrastructure that we have planned to design.

1.3 Project Summary

Our aim in this project is to connect the Bakhtar Bank branches to the head quarters in Kabul
and allow all branches to access the central financial database and other services from a
centralised network.

This project is expected to reduce network and system troubleshooting effort and to improve
network and system security and performance.

1.4 Project Objectives:

The objectives of this project are as follows:

1. Centralised network backbone
2. Design of the IP address scheme
3. Connect all Bakhtar Bank branches to the head office
4. Provide internet access from the head office to the branches
5. Configuration of network devices
6. Enable routing between network devices
7. Create secure tunnels between the branches and the HQ
8. Restrict unauthorised users from accessing the internet via access control lists

1.5 Project Methodology

In order to provide confidentiality, integrity and availability for the Bakhtar network and
systems, we have planned to build a secure network scheme using current Cisco and Microsoft
products.
 Project software and tools used:
1. MS Office Visio 2010
2. GNS3 simulator
3. Packet Tracer simulator 6.1.0
4. MS Office Excel 2007
5. PuTTY
6. Edraw Max
 Devices used:
1. Cisco Catalyst 6509 series switch
2. Cisco 3900 series router
3. Cisco 2900 series router
4. Cisco ASA 5520
5. Cisco Catalyst 3750 switch
6. Cisco Catalyst 2960 switch

 Client operating systems:
 Windows XP
 Windows 7
Note that Windows XP left Microsoft support in April 2014 and no longer receives security
updates; a bank network should not carry unsupported client systems.

Chapter 2
Network Architecture
2.1 Network Design Diagram
From the bank's requirements it was clear that the design would need stringent security with
100% fallback at all critical levels. The objective of the network connectivity is to enable
centralised communication with the Oracle Flexcube server, which is the core banking
application. All branches must be able to connect to the data center over any available WAN
connectivity, such as IPsec over the internet, radio links or private leased circuits.1

1 Andrew S. Tanenbaum, David J. Wetherall, "Computer Networks", 5th edition, Pearson Education, Inc.,
publishing as Prentice Hall, 2011, p. 20.

2.2 Project Network Lab Simulation Diagram

The project lab was simulated in GNS3, since GNS3 can run real Cisco IOS images for Cisco
routers and Cisco firewalls.

2.3 IP Schema
The IP address schema is planned from RFC 1918 private address space, with adequate ranges for
all locations; the aim of the scheme designed for Bakhtar Bank is to avoid overlapping and
wasted addresses.

No  IP segment               Network (supernet)  Subnet plan        Usable hosts in supernet  Status
1   LAN                      10.0.0.0/8          10.1.0.0/23        16,777,214                Allocated
2   WAN                      172.16.254.0/24     172.16.254.0/30    254                       Allocated
3   DMZ                      172.16.0.0/16       172.16.0.0/24      65,534                    Allocated
4   Core layer               172.18.0.0/23       172.18.62.0/23     510                       Allocated
5   Network device P2P IPs   172.17.0.0/16       172.17.0.0/29      65,534                    Allocated
6   Branch LAN segment       10.10.0.0/16        10.10.0.0/24       65,534                    Allocated

The host counts are those of the network column (the LAN block is written in its canonical form
10.0.0.0/8). Two points a reviewer should note: the WAN block 172.16.254.0/24 lies inside the DMZ
block 172.16.0.0/16, and the branch LAN block 10.10.0.0/16 lies inside the LAN block 10.0.0.0/8,
so the parent blocks must be carved so that these child ranges are excluded, or the summary
routes will overlap; and the core layer subnet 172.18.62.0/23 does not fall within 172.18.0.0/23,
so either the network or the subnet entry of that row needs correcting.
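The following Python script is an added check, not part of the thesis, that loads the table above into the standard library ipaddress module, recomputes the usable host counts and the number of subnets of the planned size that fit in each block, confirms every block is RFC 1918 space, and reports any pair of segments whose address space overlaps. The segment names and prefixes are transcribed from the table; the LAN block is entered in its canonical form 10.0.0.0/8.

```python
"""Sanity-check the section 2.3 IP plan: host counts, RFC 1918 membership, overlaps.

Added example; the plan values are transcribed from the thesis table, nothing else
is taken from the bank's real network.
"""
import ipaddress
from itertools import combinations

# (supernet from the "Network" column, prefix length from the "Subnet plan" column)
IP_PLAN = {
    "LAN":                ("10.0.0.0/8", 23),       # thesis writes 10.1.0.0/8; canonical /8 form
    "WAN":                ("172.16.254.0/24", 30),
    "DMZ":                ("172.16.0.0/16", 24),
    "Core layer":         ("172.18.0.0/23", 23),
    "Network device P2P": ("172.17.0.0/16", 29),
    "Branch LAN segment": ("10.10.0.0/16", 24),
}

RFC1918_BLOCKS = [ipaddress.ip_network(b)
                  for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def usable_hosts(net):
    """Usable host addresses in a network (network and broadcast excluded; /31 keeps both)."""
    if net.prefixlen == 32:
        return 1
    if net.prefixlen == 31:
        return 2
    return net.num_addresses - 2


def subnet_count(supernet, new_prefix):
    """Number of new_prefix-sized subnets that fit in the supernet (0 if it does not fit)."""
    if new_prefix < supernet.prefixlen:
        return 0
    return 2 ** (new_prefix - supernet.prefixlen)


def is_rfc1918(net):
    return any(net.subnet_of(block) for block in RFC1918_BLOCKS)


def find_overlaps(plan):
    """Pairs of segments whose supernets overlap; a clean plan returns an empty list."""
    nets = {name: ipaddress.ip_network(cidr) for name, (cidr, _) in plan.items()}
    pairs = []
    for (a, net_a), (b, net_b) in combinations(nets.items(), 2):
        if net_a.overlaps(net_b):
            pairs.append(tuple(sorted((a, b))))
    return sorted(pairs)


def summarize(plan):
    """Per-segment figures a reviewer would compare against the table."""
    rows = {}
    for name, (cidr, new_prefix) in plan.items():
        net = ipaddress.ip_network(cidr)
        subnet = ipaddress.ip_network(f"{net.network_address}/{new_prefix}")
        rows[name] = {
            "supernet": str(net),
            "rfc1918": is_rfc1918(net),
            "hosts_in_supernet": usable_hosts(net),
            "subnets_available": subnet_count(net, new_prefix),
            "hosts_per_subnet": usable_hosts(subnet),
        }
    return rows


if __name__ == "__main__":
    for name, row in summarize(IP_PLAN).items():
        print(f"{name:20} {row}")
    for a, b in find_overlaps(IP_PLAN):
        print(f"OVERLAP: {a} and {b} share address space")
```

Run as-is, the script flags the two overlaps discussed above (LAN with branch LAN, DMZ with WAN); rerun it after every change to the plan before any prefix is pushed into the routers.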

2.3.1 Selection and Use of the Routing Protocol for the Project

A dynamic routing protocol was chosen for the project because of the redundancy and the load
balancing it provides, including load balancing across unequal-cost paths.

Cisco EIGRP was selected. EIGRP is Cisco proprietary (it has since been published as RFC 7868)
and is the only commonly deployed interior gateway protocol that supports unequal-cost load
balancing between paths, through its variance feature.

Here is a brief introduction to the Cisco EIGRP routing protocol.

2.4 Cisco EIGRP (Enhanced Interior Gateway Routing Protocol)

Enhanced Interior Gateway Routing Protocol (EIGRP) is an enhanced version of IGRP.

IGRP is Cisco's Interior Gateway Routing Protocol, used in TCP/IP and OSI internets. It is
regarded as an interior gateway protocol (IGP) but has also been used extensively as an exterior
gateway protocol for inter-domain routing.
Key capabilities that distinguish Enhanced IGRP (EIGRP) from other routing protocols include
fast convergence, support for variable-length subnet masks, support for partial updates, and
support for multiple network layer protocols.

A router running EIGRP stores all its neighbors' routing tables so that it can quickly adapt to
alternate routes. If no appropriate route exists, EIGRP queries its neighbors to discover an
alternate route. These queries propagate until an alternate route is found.
The support of EIGRP for variable-length subnet masks permits routes to be automatically
summarized on a network number boundary. In addition, EIGRP can be configured to
summarize on any bit boundary at any interface.2

2.4.1 Administrative Distance

Administrative distance is the value that routers use to select the best path when there are
two or more routes to the same destination learned from different routing protocols. It
expresses the trustworthiness of a routing source: each routing protocol is ranked from most
to least believable by its administrative distance value, and the lower value is preferred.
EIGRP uses three values:

1. Summary routes [5]
2. Internal routes [90]
3. External routes [170]

2.4.2 Metrics
A metric is the measure a routing protocol uses to calculate the best path to a given
destination when it learns multiple paths to the same destination. Each routing protocol uses a
different metric.

EIGRP can use the following components in its composite metric:

1. Bandwidth
2. Delay
3. Reliability
4. Load
5. MTU

By default only bandwidth (the slowest link on the path) and cumulative delay enter the
calculation; MTU is carried in updates but is not part of the metric.

2 Andrew S. Tanenbaum, David J. Wetherall, "Computer Networks", 5th edition, Pearson Education, Inc.,
publishing as Prentice Hall, 2011, pp. 25-26.

2.4.3 EIGRP Features

 Advanced distance vector algorithm (often described as a hybrid of distance vector and link state)
 Supports VLSM (subnets/supernets)
 Integrates seamlessly with IGRP
 Automatic redistribution of routes (IGRP <-> EIGRP)
 EIGRP metrics are 256 times the IGRP metric and are therefore directly translatable
 Fast convergence
 Performs partial updates as needed
 Consumes less bandwidth (no broadcasts, no periodic updates, updates contain only changes)
 Supports multiple network layer protocols:
o AppleTalk
o Internet Protocol (IP)
o Novell NetWare (IPX/SPX)

2.4.4 EIGRP Components

EIGRP has four components that need to be mentioned and that are covered in any Cisco exam:

 Neighbor Discovery/Recovery
 Reliable Transport Protocol
 DUAL Finite State Machine
 Protocol Dependent Modules

2.4.5 Neighbor Discovery/Recovery

Neighbor discovery/recovery is simply the process routers use to learn about other routers that
are directly connected to them. This includes finding out when a neighbor goes down for some
reason. It is achieved by sending small hello packets at periodic intervals; if a neighbor's
hellos are not heard within the hold time (by default three times the hello interval), the
neighbor is declared down.

2.4.6 Reliable Transport

EIGRP does not run over TCP or UDP. It uses its own Reliable Transport Protocol (RTP), carried
directly in IP with protocol number 88, which provides sequenced, acknowledged delivery for the
packets that need it (updates, queries and replies) and unreliable delivery for those that do not
(hellos and acknowledgements). Multicast packets are sent to 224.0.0.10; unicast is used for
acknowledgements, replies and retransmissions to a specific neighbor.

2.4.7 DUAL finite state machine

DUAL is the key component by which EIGRP determines its routing and forwarding tables. DUAL
stands for Diffusing Update Algorithm; it differs from other routing protocols in that the
routing calculation is shared among multiple routers. A router sends routing updates only as
distance vectors for the routes it knows, rather than a description of the whole network, and it
sends an update for a particular route only when a topology change has affected that route. In
addition, the update is sent only to the relevant neighbor routers, not to all routers. This
makes EIGRP a bandwidth-efficient routing protocol; other routing protocols send regular routing
updates that contain all route information by default.3

2.4.8 Protocol-dependent modules

Protocol-dependent modules handle the requirements specific to each network layer protocol, such
as IP or IPX. EIGRP maintains separate tables for each layer 3 protocol used in the network, just
as almost all routing protocols do.

2.4.9 EIGRP Operation

 Neighbor Table

Each router keeps state information about adjacent neighbors. When newly discovered
neighbors are learned, the address and interface of the neighbor are recorded. This information
is stored in the neighbor data structure, and the neighbor table holds these entries. There is one
neighbor table for each protocol dependent module. When a neighbor sends a hello, it advertises
a hold time. The hold time is the amount of time a router treats a neighbor as reachable and
operational. In other words, if a hello packet is not heard within the hold time, the hold time
expires, and when the hold time expires, DUAL is informed of the topology change.

3 Andrew S. Tanenbaum, David J. Wetherall, "Computer Networks", 5th edition, Pearson Education, Inc.,
publishing as Prentice Hall, 2011, p. 116.

The neighbor table entry also includes information required by the reliable transport mechanism.
Sequence numbers are employed to match acknowledgments with data packets. The last
sequence number received from the neighbor is recorded so out of order packets can be detected.
A transmission list is used to queue packets for possible retransmission on a per neighbor basis.
Round trip timers are kept in the neighbor data structure to estimate an optimal retransmission
interval.

 Topology Table

The Topology Table is populated by the protocol dependent modules and acted upon by the
DUAL finite state machine. It contains all destinations advertised by neighboring routers.
Associated with each entry is the destination address and a list of neighbors that have advertised
the destination. For each neighbor, the advertised metric is recorded. This is the metric that the
neighbor stores in its routing table. If the neighbor is advertising this destination, it must be
using the route to forward packets. This is an important rule that distance vector protocols must
follow.

Also associated with the destination is the metric that the router uses to reach the destination.
This is the sum of the best advertised metric from all neighbors plus the link cost to the best
neighbor. This is the metric that the router uses in the routing table and to advertise to other
routers.

 Feasible Successors

A destination entry is moved from the topology table to the routing table when there is a
feasible successor. All minimum-cost paths to the destination form a set; from this set, the
neighbors whose advertised (reported) distance is less than the router's current feasible
distance to the destination satisfy the feasibility condition and are considered feasible
successors. The condition guarantees that the neighbor is not itself routing through the local
router to reach the destination, so the backup path is loop-free.

Feasible successors are viewed by a router as neighbors that are downstream with respect to the
destination. These neighbors and the associated metrics are placed in the forwarding table.

When a neighbor changes the metric it has been advertising, or a topology change occurs in the
network, the set of feasible successors may have to be re-evaluated. However, this is not
categorised as a route recomputation.

When the link to a neighbor that is the only feasible successor goes down, all routes through
that neighbor begin a route recomputation and enter the Active state.
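The following Python program is an added example, not from the thesis or from Cisco, that computes the classic EIGRP composite metric with the default K values (section 2.4.2) and then applies the feasibility condition and the variance multiplier to a constructed three-neighbor topology. It shows which neighbor becomes the successor, which qualifies as a feasible successor, which is excluded because its reported distance is not below the feasible distance, and at what variance the second path would be installed for the unequal-cost load balancing mentioned in section 2.3.1. The link bandwidths (kbps) and delays (microseconds) are constructed values in the units IOS reports; the router names and the destination prefix are invented.

```python
"""EIGRP composite metric, feasibility condition and variance on a constructed topology.

Added example for sections 2.3.1, 2.4.2 and the Feasible Successors discussion; the
topology and link values are invented for illustration.
"""
from dataclasses import dataclass, field

DEFAULT_K = (1, 0, 1, 0, 0)  # K1..K5 as shipped by IOS: bandwidth and delay only

# A link is (bandwidth in kbps, delay in microseconds), the units `show interfaces` reports.
T1 = (1544, 20000)
SERIAL_512K = (512, 20000)
SERIAL_64K = (64, 20000)
FAST_ETHERNET = (100000, 100)


def composite_metric(links, k=DEFAULT_K, load=1, reliability=255):
    """Classic EIGRP metric over a path made of `links`, using IOS integer arithmetic."""
    k1, k2, k3, k4, k5 = k
    bw_term = 10_000_000 // min(bw for bw, _ in links)      # slowest link on the path
    delay_term = sum(delay for _, delay in links) // 10      # cumulative delay, tens of usec
    metric = k1 * bw_term + (k2 * bw_term) // (256 - load) + k3 * delay_term
    if k5 != 0:                                              # K5 == 0 disables the reliability factor
        metric = metric * k5 // (reliability + k4)
    return metric * 256


@dataclass
class Neighbor:
    name: str
    uplink: tuple            # our link to this neighbor
    path_to_dest: list       # the neighbor's own path onward to the destination


@dataclass
class DualDecision:
    feasible_distance: int
    reported: dict = field(default_factory=dict)   # RD each neighbor advertises to us
    total: dict = field(default_factory=dict)      # our metric to the destination via each neighbor
    successors: list = field(default_factory=list)
    feasible_successors: list = field(default_factory=list)
    installed: list = field(default_factory=list)  # what variance lets into the routing table


def dual_evaluate(neighbors, variance=1):
    """Pick successors/feasible successors for one destination and apply `variance`."""
    decision = DualDecision(feasible_distance=0)
    for n in neighbors:
        decision.reported[n.name] = composite_metric(n.path_to_dest)
        decision.total[n.name] = composite_metric([n.uplink] + n.path_to_dest)
    fd = min(decision.total.values())
    decision.feasible_distance = fd
    for n in neighbors:
        rd, total = decision.reported[n.name], decision.total[n.name]
        if total == fd:
            decision.successors.append(n.name)
        elif rd < fd:                      # feasibility condition: RD < FD guarantees loop freedom
            decision.feasible_successors.append(n.name)
    for name in decision.successors + decision.feasible_successors:
        # unequal-cost load balancing: feasible paths with metric below variance * FD are installed
        if name in decision.successors or decision.total[name] < fd * variance:
            decision.installed.append(name)
    return decision


# Constructed topology: HQ reaches a branch LAN via three neighbors.
HQ_NEIGHBORS = [
    Neighbor("R-A", uplink=T1, path_to_dest=[FAST_ETHERNET]),
    Neighbor("R-B", uplink=SERIAL_512K, path_to_dest=[FAST_ETHERNET]),
    Neighbor("R-C", uplink=T1, path_to_dest=[SERIAL_64K, FAST_ETHERNET]),
]

if __name__ == "__main__":
    for variance in (1, 2, 3):
        d = dual_evaluate(HQ_NEIGHBORS, variance)
        print(f"variance {variance}: FD={d.feasible_distance} successors={d.successors} "
              f"feasible={d.feasible_successors} installed={d.installed}")
```

With the default variance of 1 only R-A (metric 2172416, the familiar T1 plus FastEthernet figure) is installed; R-B is a feasible successor because its reported distance 28160 is below the feasible distance, but its own metric of 5514496 is more than twice the FD, so it is only installed once variance is raised to 3. R-C fails the feasibility condition and is never used, whatever the variance.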

Configuration Example

To enable EIGRP on the router you need only enable EIGRP for a given autonomous system number
and define the networks to include. AS numbers can be from 1 to 65535, and the same number must
be used on every router that is expected to form a neighbor relationship. This is done as follows:

Router# conf t
Router(config)# router eigrp {AS number}
Router(config-router)# network 192.168.0.0 0.0.255.255

Disabling automatic summarisation at classful boundaries is advisable in a design such as this
one, where the 10.0.0.0/8 space is split between head office and branch subnets:

Router(config-router)# no auto-summary

From the EIGRP configuration you can also enable authentication, change the hello interval and
hold time, and change split-horizon behaviour if required.

Testing

There are a few commands you will want to use to verify that EIGRP is running correctly:

 show ip interface brief - Used to verify your interface status.
 show ip route - Shows the results of EIGRP in your actual routing table.
 show ip route eigrp - Lets you view only the routes that EIGRP has installed.
 show ip eigrp neighbors - Verify that all of your neighbors are coming up and being seen.
If your neighbors are not listed here, do not bother troubleshooting the routes you are supposed
to be advertising, because you have not reached that stage yet.
 show ip eigrp traffic - Useful to see that EIGRP traffic is being passed back and forth
between neighbors. Often with EIGRP the problems that occur are related to things other than
EIGRP itself.

EIGRP Message Types

Type      Transmit              Sent        Function
Hello     Multicast             Unreliably  Neighbor discovery and neighbor recovery. If no hello is
                                            received within the hold time, the neighbor is removed and
                                            the routes learned through it are withdrawn; feasible
                                            successors take over where they exist.
Ack       Unicast               Unreliably  A hello carrying no data and a non-zero acknowledgement
                                            number, used to acknowledge receipt of a reliable packet.
Update    Unicast               Reliably    Full update sent to a newly discovered neighbor.
Update    Multicast             Reliably    Link cost or metric change updates.
Query     Multicast             Reliably    Sent when one or more destinations enter the Active state.
Reply     Unicast               Reliably    Sent to the originator of a query.
Request   Multicast or unicast  Unreliably  Request specific information from neighbors.

Using Authentication between EIGRP Neighbors

This section describes how to add message authentication to your EIGRP routers and protect the
routing table from wilful or accidental corruption.4

Adding authentication to the routers' EIGRP messages ensures that a router only accepts routing
messages from other routers that know the same pre-shared key. Without authentication, if someone
introduces another router with different or conflicting route information on to the network, the
routing tables on your routers could become corrupt and a denial of service could ensue. Adding
authentication to the EIGRP messages exchanged between your routers therefore prevents someone
from purposely or accidentally adding another router to the network and causing a problem.

To specify the type of authentication used in EIGRP packets, use the ip authentication mode
eigrp command in interface configuration mode. To disable that type of authentication, use the
no form of this command:

ip authentication mode eigrp as-number md5
no ip authentication mode eigrp as-number md5

The mode command alone does nothing useful: the interface must also be bound to a key chain
(ip authentication key-chain eigrp as-number name) that holds the key ID and key string, and the
key ID and key string must match on both neighbors or the adjacency will not form. Keys should be
rotated with overlapping accept and send lifetimes so that the adjacency survives the change. In
classic EIGRP, MD5 is the only authentication mode; named-mode EIGRP also offers HMAC-SHA-256,
which should be preferred where the IOS release supports it.

4 http://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-routing-protocol-eigrp/16406-eigrp-toc.html
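The following Python program is an added example, not from the thesis or from Cisco, that models what key-chain authentication of routing updates buys you. A sending router attaches a key ID and a keyed digest to each update; the receiver looks the key ID up in its own key chain, checks that the key is inside its accept lifetime and recomputes the digest, so an update from a router that does not hold the shared key, an update altered in transit, or an update signed with an expired key is discarded before it can reach the topology table. HMAC-MD5 over a constructed payload stands in for Cisco's keyed-MD5 authentication TLV; the wire format is not reproduced, and the router names, key strings and timestamps are all invented.

```python
"""Key-chain style authentication of routing updates, modelled on the EIGRP behaviour
described above. Added example; HMAC-MD5 stands in for Cisco's keyed-MD5 TLV, and the
keys, routers and timestamps are constructed."""
import hashlib
import hmac
from dataclasses import dataclass

FOREVER = float("inf")


@dataclass(frozen=True)
class Key:
    key_id: int
    key_string: bytes
    accept_start: float = 0.0       # seconds since epoch, like an IOS accept-lifetime
    accept_end: float = FOREVER


@dataclass(frozen=True)
class AuthenticatedUpdate:
    key_id: int
    routes: tuple                   # e.g. ("10.10.1.0/24", "10.10.2.0/24")
    digest: bytes


def _digest(key_string, key_id, routes):
    """Keyed digest over key ID and payload so neither can be altered in transit."""
    payload = str(key_id).encode() + b"|" + "|".join(routes).encode()
    return hmac.new(key_string, payload, hashlib.md5).digest()


def sign_update(key, routes):
    """Sending router: pick its send key, attach the key ID and the digest."""
    routes = tuple(routes)
    return AuthenticatedUpdate(key.key_id, routes, _digest(key.key_string, key.key_id, routes))


def verify_update(update, key_chain, now):
    """Receiving router: return the accepted routes, or None if the update must be dropped."""
    key = next((k for k in key_chain if k.key_id == update.key_id), None)
    if key is None:                                       # key ID not in our key chain
        return None
    if not (key.accept_start <= now <= key.accept_end):   # outside the accept lifetime
        return None
    expected = _digest(key.key_string, update.key_id, update.routes)
    if not hmac.compare_digest(expected, update.digest):  # wrong key or altered routes
        return None
    return update.routes


# Constructed key chain shared by HQ and branch routers; key 2 overlaps key 1 for rotation.
HQ_KEY_CHAIN = [
    Key(1, b"bakhtar-2017-q1", accept_start=0, accept_end=2000),
    Key(2, b"bakhtar-2017-q2", accept_start=1500, accept_end=FOREVER),
]


def scenario():
    """Legitimate update, rogue router, tampered update and key expiry, evaluated at time 1700."""
    now = 1700
    branch_key = HQ_KEY_CHAIN[1]
    legit = sign_update(branch_key, ["10.10.1.0/24"])
    rogue = sign_update(Key(2, b"guessed"), ["0.0.0.0/0"])        # attacker without the PSK
    tampered = AuthenticatedUpdate(legit.key_id, ("0.0.0.0/0",), legit.digest)
    old_key_update = sign_update(HQ_KEY_CHAIN[0], ["10.10.1.0/24"])
    return {
        "legit": verify_update(legit, HQ_KEY_CHAIN, now),
        "rogue": verify_update(rogue, HQ_KEY_CHAIN, now),
        "tampered": verify_update(tampered, HQ_KEY_CHAIN, now),
        "old_key_still_valid": verify_update(old_key_update, HQ_KEY_CHAIN, now),
        "old_key_after_expiry": verify_update(old_key_update, HQ_KEY_CHAIN, 2500),
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name:22} -> {'DROP' if result is None else result}")
```

The overlapping lifetimes are the part operators most often get wrong: during the window in which both keys are accepted, routers can be moved to the new send key one at a time without any adjacency dropping, and once every router sends with key 2 the old key can be retired.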

2.5 Core Segment

The core layer has been planned and positioned on a Cisco 6509E with two 4000 W power supply
units and 100% physical redundancy at the data center. The internal and external firewall in the
core network is a Cisco ASA 5550 (the device list in section 1.5 names the ASA 5520; the two
should be reconciled), which protects inside and outside traffic to the core application servers.
The core layer has been designed as the internal gateway switch for all subdivisions of the NOC
segment, the database/application segment and the LAN segment.
All of these segments are trusted, but they have been configured with different security levels
to express their internal trust factor. The LAN network connects to both core switches for
redundancy, and the core switches are located in the core layer of the Bakhtar Bank network.
The core layer is the trusted network: applications, databases, reporting services and other
system services connect to this layer, including the Bakhtar LAN network.

2.6 DMZ Segment


This segment has been proposed for exposing Servers to the Internet through Static or Dynamic
IP Translation at the perimeter firewall. Traffic to this segment should be very tightly observed
due to the exposure of internet. This segment has been configured with security value of “50”,
which makes it little better than the WAN segment but no good for trusted services. Direct
communication to this segment should be very limited from any other segments. Wan Segment
should not have any communication enabled to this segment due to no direct dependencies.

Design a new network infrastructure for BAKHTAR BANK 13


Chapter 2 Network Architecture

ICMP should be fully restricted between the Core layer and the DMZ servers but may be enabled for NOC users for management purposes only.
Please note that, due to its open access to the internet, this segment is very vulnerable to external threats and attacks and may also be used as a platform for intrusion if compromised.
What is a DMZ?
In computer security, a DMZ or Demilitarized Zone (sometimes referred to as a perimeter network) is a physical or logical subnetwork that contains and exposes an organization's external-facing services to a larger and untrusted network, usually the Internet. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN); an external attacker only has direct access to equipment in the DMZ, rather than any other part of the network. The name is derived from the term "demilitarized zone", an area between nation states in which military operation is not permitted.
As per the system requirements of BAKHTER, the network must have a DMZ site for hosting the email service, the BAKHTER website and a proxy server.
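How the security values and the ICMP rule of this section translate into ASA configuration, as an added example that is not the thesis author's configuration: the DMZ interface at security-level 50, a static translation for the public web server, ICMP into the DMZ only from the NOC subnet, and nothing initiated from the DMZ toward the inside. All addresses, interface and object names and the NOC subnet are assumed; ASA 8.3 or later syntax is assumed.

```cisco
! Added example (not the thesis author's configuration): ASA perimeter
! firewall with the three segments of this design. Addresses, interface
! names, object names and the NOC subnet are assumed; ASA 8.3+ syntax.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.0.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
!
object network DMZ-NET
 subnet 192.168.50.0 255.255.255.0
object network NOC-NET
 subnet 10.10.20.0 255.255.255.0
!
! Static translation: the public web server is exposed on one outside IP.
object network DMZ-WEB
 host 192.168.50.10
 nat (dmz,outside) static 203.0.113.10
!
! Internet -> DMZ: only HTTPS to the web server (ACL uses the real IP).
access-list OUTSIDE-IN extended permit tcp any object DMZ-WEB eq https
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
!
! Inside -> DMZ: ICMP and SSH only from the NOC subnet, mail relay and
! proxy ports from the LAN, everything else toward the DMZ dropped and
! logged. Traffic to other destinations is left as before (last line).
access-list INSIDE-IN extended permit icmp object NOC-NET object DMZ-NET
access-list INSIDE-IN extended deny icmp any object DMZ-NET log
access-list INSIDE-IN extended permit tcp object NOC-NET object DMZ-NET eq ssh
access-list INSIDE-IN extended permit tcp 10.10.0.0 255.255.0.0 object DMZ-NET eq smtp
access-list INSIDE-IN extended permit tcp 10.10.0.0 255.255.0.0 object DMZ-NET eq 3128
access-list INSIDE-IN extended deny ip any object DMZ-NET log
access-list INSIDE-IN extended permit ip any any
access-group INSIDE-IN in interface inside
!
! DMZ -> inside: nothing may be initiated from the exposed segment.
access-list DMZ-IN extended deny ip any 10.10.0.0 255.255.0.0 log
access-list DMZ-IN extended permit ip any any
access-group DMZ-IN in interface dmz
!
! Stateful ICMP inspection so the NOC's echo requests get their replies back.
policy-map global_policy
 class inspection_default
  inspect icmp
```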

2.7 WAN Segment


A Cisco 3750G Switch has been configured in Kabul as a dropping point for all WAN links such as point-to-point, internet, radio, microwave etc., and these have been trunked out to a 3900 Router, on which sub-interfaces are created for each branch (router-on-a-stick).
A Cisco 2960 Switch has been configured with VLANs 10 – 50, one VLAN for each separate port from port 1 – 24. Gigabit port 1 has been configured as a trunk to the Cisco 3925 Routers, connecting at GigabitEthernet 0/0.
A Cisco 3925 (C3925-K9) has been installed as a gateway VPN router connecting all branches and other Internet IPSec external vendors to facilitate site-to-site connectivity.
This router has been configured as a dynamic IPSec hub, which will facilitate IPSec peering for any new or old branch routers with no extra configuration changes. Dynamic routing has been enabled for security purposes, to safeguard and protect branch-to-branch direct communication, as opposed to DMVPN.
Due to the diversity of WAN media, such as multiple ISPs and Internet connections, reverse route injection has been enabled in the crypto IPSec configuration for remote peer (branch host) routes. These routes can be identified as static entries in the routing table pointing towards the branch VPN peer IP. On the other end, these static entries have been further filtered and redistributed into Enhanced Interior Gateway Routing Protocol (EIGRP) between all other routers to avoid any black holes from other IPSec hub routers. Please find the WAN architecture diagram depicted below –
The dynamic routing protocol EIGRP is used for routing of traffic between the Bakhter Bank Head Office and branches.5

5
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ft_glbp.html


Chapter 3
High Availability and Fail Over

3.1 Network Availability Redundancy

In order to take care of high availability and redundancy, I have selected GLBP from the Cisco redundancy protocols HSRP, VRRP and GLBP and configured Cisco GLBP for failover purposes; below is a brief introduction to the Cisco GLBP protocol.

High availability is an organizational objective that enables resilience by increasing network availability and includes the following components:

3.1.1 Review of Failover Times

 EIGRP and OSPF can both achieve sub-second convergence time
 RSTP converges in about 1 second
 EtherChannel can fail over in approximately 1 second (when a single link in the bundle fails, it redirects traffic to the other links)
 Default HSRP timers are 3 seconds for hellos and 10 seconds for hold time, but best practice says to change hellos to 1 sec so that convergence takes less than 3 seconds
 The Windows XP TCP/IP stack will hold a session open for about 9 seconds

3.1.2 Optimal Redundancy

Redundancy is not only a question of added cost vs. uptime and resiliency, but also a question of complexity. The more hardware and software deployed in the name of redundancy, the more administrative overhead and complexity is added, which is tough to put numbers on.6

Cisco recommends:

 Redundant switches at the core and distribution layers with fully redundant links
 Access switches should have redundant links to redundant distribution switches
 Avoiding single points of failure as much as possible
 This can be achieved at the access layer with help from SSO (for layer 2) and potentially NSF (for layer 3)

6
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ft_glbp.html

3.2 GLBP Overview


The reason I have selected GLBP for the Bakhter Bank network is that one of the major limitations of both HSRP and VRRP is that a single router handles traffic for the whole group, leaving the others inactive until the master router fails. GLBP, or Gateway Load Balancing Protocol, solves this dilemma by load balancing traffic over up to four gateways, maximizing bandwidth. One virtual IP is used, but each participating router uses a virtual MAC address which is used to respond to ARP requests.

Note: GLBP is only supported on Cisco’s 4500, 6500, and Nexus lines.

There are three load sharing options:

 Weighted load balancing – based on preconfigured weights assigned to gateways
 Host-dependent load balancing – each host uses a specific gateway
 Round-robin load balancing – each MAC is used to respond in turn (default)

The routers running GLBP elect a single Active Virtual Gateway (AVG), which manages the load balancing and responds to ARPs. The highest priority router wins; in a tie, the highest IP address wins. Group members send hello multicasts every 3 seconds (multicast address 224.0.0.102); if a router goes down, another will answer for its requests.

The job of the AVG is to assign virtual MAC addresses to each of the other GLBP routers and to assign each network host to one of the GLBP routers. The routers that receive the MAC address assignment are the Active Virtual Forwarders, or AVFs.

GLBP provides automatic router backup for IP hosts configured with a single default gateway
on an IEEE 802.3 LAN. Multiple first-hop routers on the LAN combine to offer a single virtual
first-hop IP router while sharing the IP packet forwarding load. Other routers on the LAN may
act as redundant GLBP routers that will become active if any of the existing forwarding routers
fail.

GLBP performs a similar function for the user as HSRP and VRRP. HSRP and VRRP allow multiple routers to participate in a virtual router group configured with a virtual IP address. One member is elected to be the active router to forward packets sent to the virtual IP address for the group. The other routers in the group are redundant until the active router fails. These standby routers have unused bandwidth that the protocol is not using. Although multiple virtual router groups can be configured for the same set of routers, the hosts must be configured for different default gateways, which results in an extra administrative burden. The advantage of GLBP is that it additionally provides load balancing over multiple routers (gateways) using a single virtual IP address and multiple virtual MAC addresses. The forwarding load is shared among all routers in a GLBP group rather than being handled by a single router while the other routers stand idle.

Each host is configured with the same virtual IP address, and all routers in the virtual router
group participate in forwarding packets. GLBP members communicate between each other
through hello messages sent every 3 seconds to the multicast address 224.0.0.102, UDP port
3222 (source and destination).

3.2.1 GLBP Benefits


3.2.1.1 Load Sharing
You can configure GLBP in such a way that traffic from LAN clients can be shared by multiple
routers, thereby sharing the traffic load more equitably among available routers.

3.2.1.2 Multiple Virtual Routers


GLBP supports up to 1024 virtual routers (GLBP groups) on each physical interface of a router
and up to four virtual forwarders per group.

3.2.1.3 Preemption
The redundancy scheme of GLBP enables you to preempt an active virtual gateway with a
higher priority backup virtual gateway that has become available. Forwarder preemption works
in a similar way, except that forwarder preemption uses weighting instead of priority and is
enabled by default.

3.2.1.4 Authentication
GLBP supports the industry-standard message digest 5 (MD5) algorithm for improved reliability, security, and protection against GLBP-spoofing software. A router within a GLBP group with a different authentication string than the other routers will be ignored by the other group members. You can alternatively use a simple text password authentication scheme between GLBP group members to detect configuration errors.7

3.2.2 GLBP Active Virtual Gateway

Members of a GLBP group elect one gateway to be the active virtual gateway (AVG) for that
group. Other group members provide backup for the AVG if the AVG becomes unavailable.
The AVG assigns a virtual MAC address to each member of the GLBP group. Each gateway
assumes responsibility for forwarding packets sent to the virtual MAC address assigned to it by
the AVG. These gateways are known as active virtual forwarders (AVFs) for their virtual MAC
address. The AVG is also responsible for answering Address Resolution Protocol (ARP)
requests for the virtual IP address. Load sharing is achieved by the AVG replying to the ARP
requests with different virtual MAC addresses.

Prior to Cisco IOS Release 15.0(1)M1, 12.4(24)T2, 15.1(2)T, and later releases, when the no glbp load-balancing command is configured, the AVG always responds to ARP requests with the MAC address of its AVF.

3.2.2.1 GLBP is composed of two components:

 The Active Virtual Gateway (AVG) at the control plane
 The Active Virtual Forwarders (AVF) at the data plane

The AVG responds to ARP requests sent by end hosts to the virtual gateway IP address, and
replies with different virtual MAC addresses that correspond to different active virtual
forwarders (AVFs).

The AVFs are responsible for forwarding traffic destined to the virtual MAC address which has been allocated to them by the AVG. Both the AVG and the AVFs are redundant, i.e. if a primary physical router representing the AVG or an AVF fails, another physical router will take its role.

Let's consider the following topology to demonstrate how GLBP works:

7
http://www.cisco.com/c/en/us/td/docs/security/pix/pix72/quick/guide/dmz_p.html


3.2.3 GLBP Virtual MAC Address Assignment


A GLBP group allows up to four virtual MAC addresses per group. The AVG is responsible for assigning the virtual MAC addresses to each member of the group. Other group members request a virtual MAC address after they discover the AVG through hello messages. Gateways are assigned the next MAC address in sequence. A virtual forwarder that is assigned a virtual MAC address by the AVG is known as a primary virtual forwarder. Other members of the GLBP group learn the virtual MAC addresses from hello messages. A virtual forwarder that has learned the virtual MAC address is referred to as a secondary virtual forwarder.8

3.2.4 GLBP Virtual Gateway Redundancy


GLBP operates virtual gateway redundancy in the same way as HSRP. One gateway is elected
as the AVG, another gateway is elected as the standby virtual gateway, and the remaining
gateways are placed in a listen state.

8
Nurul I. Sarkar, Auckland University of Technology, New Zealand, “Tools for teaching computer networking and hardware concepts”, 7th edition, published in the United States of America by Information Science Publishing (an imprint of Idea Group Inc.), 2006, page 25


If an AVG fails, the standby virtual gateway will assume responsibility for the virtual IP address.
A new standby virtual gateway is then elected from the gateways in the listen state.

3.2.5 GLBP Virtual Forwarder Redundancy

Virtual forwarder redundancy is similar to virtual gateway redundancy with an AVF. If the AVF
fails, one of the secondary virtual forwarders in the listen state assumes responsibility for the
virtual MAC address.

The new AVF is also a primary virtual forwarder for a different forwarder number. GLBP
migrates hosts away from the old forwarder number using two timers that start as soon as the
gateway changes to the active virtual forwarder state. GLBP uses the hello messages to
communicate the current state of the timers.

The redirect time is the interval during which the AVG continues to redirect hosts to the old
virtual forwarder MAC address. When the redirect time expires, the AVG stops using the old
virtual forwarder MAC address in ARP replies, although the virtual forwarder will continue to
forward packets that were sent to the old virtual forwarder MAC address.

The secondary holdtime is the interval during which the virtual forwarder is valid. When the
secondary holdtime expires, the virtual forwarder is removed from all gateways in the GLBP
group. The expired virtual forwarder number becomes eligible for reassignment by the AVG.

3.2.6 GLBP Gateway Priority


GLBP gateway priority determines the role that each GLBP gateway plays and what happens if
the AVG fails.
Priority also determines if a GLBP router functions as a backup virtual gateway and the order
of ascendancy to becoming an AVG if the current AVG fails.
You can configure the priority of each backup virtual gateway with a value of 1 through 255
using the glbp priority command.
In the "GLBP Topology" figure, if Router A—the AVG in a LAN topology—fails, an election
process takes place to determine which backup virtual gateway should take over.
In this example, Router B is the only other member in the group so it will automatically become
the new AVG.


If another router existed in the same GLBP group with a higher priority, then the router with the higher priority would be elected.
If both routers have the same priority, the backup virtual gateway with the higher IP address would be elected to become the active virtual gateway.
By default, the GLBP virtual gateway preemptive scheme is disabled.
A backup virtual gateway can become the AVG only if the current AVG fails, regardless of the priorities assigned to the virtual gateways.
You can enable the GLBP virtual gateway preemptive scheme using the glbp preempt command.
Preemption allows a backup virtual gateway to become the AVG if the backup virtual gateway is assigned a higher priority than the current AVG.9

3.2.7 GLBP Gateway Weighting and Tracking


GLBP uses a weighting scheme to determine the forwarding capacity of each router in the GLBP
group.

The weighting assigned to a router in the GLBP group can be used to determine whether it will
forward packets and, if so, the proportion of hosts in the LAN for which it will forward packets.

Thresholds can be set to disable forwarding when the weighting for a GLBP group falls below a certain value, and when it rises above another threshold, forwarding is automatically re-enabled.

The GLBP group weighting can be automatically adjusted by tracking the state of an interface
within the router.

If a tracked interface goes down, the GLBP group weighting is reduced by a specified value.

Different interfaces can be tracked to decrement the GLBP weighting by varying amounts.

By default, the GLBP virtual forwarder preemptive scheme is enabled with a delay of 30
seconds.

9
Nurul I. Sarkar, Auckland University of Technology, New Zealand, “Tools for teaching computer networking and hardware concepts”, 7th edition, published in the United States of America by Information Science Publishing (an imprint of Idea Group Inc.), 2006, pages 48-49


A backup virtual forwarder can become the AVF if the current AVF weighting falls below the
low weighting threshold for 30 seconds.

You can disable the GLBP forwarder preemptive scheme using the no glbp forwarder preempt
command or change the delay using the glbp forwarder preempt delay minimum command.
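Bringing together the MD5 authentication (3.2.1.4), priority and preemption (3.2.6) and weighting, tracking and forwarder preemption (3.2.7) settings described above, the following is an added example, not the thesis author's configuration, of a two-switch GLBP group for one client VLAN. The VLAN number, addresses, tracked uplink names and the key string are assumed.

```cisco
! Added example (not from the thesis): GLBP group 10 on two core switches
! for VLAN 10 clients, virtual gateway 10.10.1.1. VLAN, addresses, uplink
! names and the key string are assumed.
!
! ---- Switch A: preferred AVG (higher priority) ----
track 1 interface GigabitEthernet1/1 line-protocol
!
interface Vlan10
 ip address 10.10.1.2 255.255.255.0
 glbp 10 ip 10.10.1.1
 ! AVG election: priority 110 beats the default 100 on switch B
 glbp 10 priority 110
 ! take the AVG role back after a reboot, but wait 60 s for routing to settle
 glbp 10 preempt delay minimum 60
 ! hello 1 s / hold 3 s instead of the 3 s / 10 s defaults
 glbp 10 timers 1 3
 ! MD5 digest: a router presenting a different key is ignored by the group
 glbp 10 authentication md5 key-string REPLACE-WITH-SECRET
 glbp 10 load-balancing round-robin
 ! keep forwarding while weighting >= 70; resume only once it is back above 90
 glbp 10 weighting 100 lower 70 upper 90
 ! losing the uplink drops 100 -> 60, below the lower threshold, so this
 ! AVF stops answering for its virtual MAC and the other switch takes it over
 glbp 10 weighting track 1 decrement 40
 ! forwarder preemption is on by default; 30 s is the default delay
 glbp 10 forwarder preempt delay minimum 30
!
! ---- Switch B: standby AVG and second AVF ----
track 1 interface GigabitEthernet1/1 line-protocol
!
interface Vlan10
 ip address 10.10.1.3 255.255.255.0
 glbp 10 ip 10.10.1.1
 glbp 10 priority 100
 glbp 10 preempt
 glbp 10 timers 1 3
 glbp 10 authentication md5 key-string REPLACE-WITH-SECRET
 glbp 10 load-balancing round-robin
 glbp 10 weighting 100 lower 70 upper 90
 glbp 10 weighting track 1 decrement 40
!
! Verify on either switch: show glbp brief  (AVG/AVF roles and weighting)
```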


Chapter 4
VPN, IPSec and NAT/PAT
4.1 IPSec VPN between HQ and Branches
I have used an IPSec VPN in order to secure the traffic of the core banking system; apart from this, the VPN is not used for any other traffic.

4.1.1 What is VPN


The traditional Layer 2 WAN (Wide Area Network) has been developed over more than 20 years, based on private connections between two or more locations. However, with the development of technology, companies evolve faster and the traditional ways seem less suitable for modern companies, due to the costs of leasing lines from a Telecom Service Provider. In the meantime, people have easier access to the Internet even in rural areas, and the cost of access becomes cheaper and cheaper. The development of broadband technology makes the speed faster and faster.

A virtual private network (VPN) extends a private network across a public network, such as the
Internet. It enables a computer to send and receive data across shared or public networks as if it
were directly connected to the private network, while benefiting from the functionality, security
and management policies of the private network. This is done by establishing a virtual point-
to-point connection through the use of dedicated connections, encryption, or a combination of
the two.

A VPN connection across the Internet is similar to a wide area network (WAN) link between the
sites. From a user perspective, the extended network resources are accessed in the same way as
resources available from the private network.

VPNs allow employees to securely access their company's intranet while traveling outside the
office. Similarly, VPNs securely and cost-effectively connect geographically disparate offices
of an organization, creating one cohesive virtual network. VPN technology is also used by
ordinary Internet users to connect to proxy servers for the purpose of protecting one's identity.10

10
Nurul I. Sarkar, Auckland University of Technology, New Zealand, “Tools for teaching computer networking and hardware concepts”, 7th edition, published in the United States of America by Information Science Publishing (an imprint of Idea Group Inc.), 2006, pages 59-60


4.2 Advantages & Disadvantages


A VPN is an inexpensive and effective way of building a private network. The use of the Internet as the main communications channel between sites is a cost-effective alternative to expensive leased private lines. The costs to a corporation include the network authentication hardware and software used to authenticate users and any additional mechanisms such as authentication tokens or other secure devices. The relative ease, speed, and flexibility of VPN provisioning in comparison to leased lines makes VPNs an ideal choice for corporations who require flexibility. For example, a company can adjust the number of sites in the VPN according to changing requirements.

There are several potential disadvantages with VPN use. The lack of Quality of Service (QoS) management over the Internet can cause packet loss and other performance issues. Adverse network conditions that occur outside of the private network are beyond the control of the VPN administrator. For this reason, many large corporations pay for the use of trusted VPNs that use a private network to guarantee QoS. Vendor interoperability is another potential disadvantage, as VPN technologies from one vendor may not be compatible with VPN technologies from another vendor. Neither of these disadvantages has prevented the widespread acceptance and deployment of VPN technology.

4.3 Types of VPN

There are two types of VPN access:

 Site-to-site VPNs
 Remote-access VPNs

4.3.1 Site-to-Site VPNs

Site-to-site VPNs connect entire networks to each other; this means that a site-to-site VPN can be used to connect a branch or remote office network to a company headquarters network. Each site is equipped with a VPN gateway, such as a router, firewall, VPN concentrator, or security appliance.

In the figure below, a remote branch office uses a site-to-site-VPN to connect with the corporate
head office.


Hosts send and receive TCP/IP traffic through a VPN gateway, which could be a router or a PIX firewall appliance.
The VPN gateway is responsible for encapsulating and encrypting all outbound traffic from a
particular site and sending it through a VPN tunnel over the Internet to a peer VPN gateway at
the target site. On receipt, the peer VPN gateway strips the headers, decrypts the content, and
relays the packet toward the target host inside its private network.

4.3.2 Remote-access VPNs

In a remote-access VPN, individual hosts or clients, such as telecommuters, mobile users, and extranet consumers, are able to access a company network securely over the Internet. Each host typically has VPN client software loaded or uses a web-based client.

A remote-access VPN host or client typically has VPN client software. Whenever the host tries
to send any information, the VPN client software encapsulates and encrypts the information
before sending it over the Internet to the VPN gateway at the edge of the target network. On
receipt, the VPN gateway handles the data in the same way as it would handle data from a site-
to-site VPN.


4.4 Securing a VPN

If you're using a public line to connect to a private network, then you might wonder what makes a virtual private network private. The answer is the manner in which the VPN is designed. A VPN is designed to provide a secure, encrypted tunnel in which to transmit the data between the remote user and the company network. The information transmitted between the two locations via the encrypted tunnel cannot be read by anyone else.

VPN security contains several elements to secure both the company's private network and the outside network, usually the Internet, through which the remote user connects. The first step to security is usually a firewall. A firewall will sit between the client (which is the remote user's workstation) and the host server, which is the connection point to the private network. The remote user will establish an authenticated connection with the firewall.

4.4.1 VPN Encryption

Encryption is also an important component of a secure VPN. Encryption works by having all
data sent from one computer encrypted in such a way that only the computer it is sending to can
decrypt the data. Types of encryption commonly used include public-key encryption which is a
system that uses two keys — a public key known to everyone and a private or secret key known
only to the recipient of the message. The other commonly used encryption system is
a Symmetric-key encryption system in which the sender and receiver of a message share a
single, common key that is used to encrypt and decrypt the message.


4.4.2 VPN Tunneling

With a VPN you'll need to establish a network connection that is based on the idea of tunneling.
There are two main types of tunneling used in virtual private networks. Voluntary tunneling is
where the client makes a connection to the service provider then the VPN client creates the
tunnel to the VPN server once the connection has been made. In compulsory tunneling the
service provider manages the VPN connection and brokers the connection between that client
and a VPN server.

There are three main network protocols for use with VPN tunnels, which are generally incompatible with each other. They include the following:
4.4.2.1 IPSec

A set of protocols developed by the IETF to support secure exchange of packets at the IP layer.
IPsec has been deployed widely to implement VPNs. IPsec supports two encryption modes:
Transport and Tunnel. Transport mode encrypts only the data portion (payload) of each packet,
but leaves the header untouched. The more secure Tunnel mode encrypts both the header and
the payload. On the receiving side, an IPSec-compliant device decrypts each packet. For IPsec
to work, the sending and receiving devices must share a public key. This is accomplished
through a protocol known as Internet Security Association and Key Management
Protocol/Oakley (ISAKMP/Oakley), which allows the receiver to obtain a public key and
authenticate the sender using digital certificates.
4.4.2.2 PPTP
Short for Point-to-Point Tunneling Protocol, a new technology for creating VPNs, developed
jointly by Microsoft, U.S. Robotics and several remote access vendor companies, known
collectively as the PPTP Forum. A VPN is a private network of computers that uses the public
Internet to connect some nodes. Because the Internet is essentially an open network, PPTP is
used to ensure that messages transmitted from one VPN node to another are secure. With PPTP,
users can dial in to their corporate network via the Internet.
4.4.2.3 L2TP

Short for Layer Two (2) Tunneling Protocol, an extension to the PPP protocol that enables ISPs
to operate Virtual Private Networks (VPNs). L2TP merges the best features of two other
tunneling protocols: PPTP from Microsoft and L2F from Cisco Systems. Like PPTP, L2TP
requires that the ISP's routers support the protocol.


4.4.2.4 VPN Equipment

Depending on the type of VPN you decide to implement, either remote-access or site-to-site,
you will need specific components to build your VPN. These standard components include a
software client for each remote workstation, dedicated hardware, such as a firewall or a product
like the Cisco VPN Concentrator, a VPN server, and a Network Access Server (NAS).
Key terms for understanding virtual private networks:

VPN
A network that is constructed by using public wires to connect nodes. For example, there are a number of systems that enable you to create networks using the Internet as the medium for transporting data.

VPDN
A network that extends remote access to a private network using a shared infrastructure.

tunneling
A technology that enables one network to send its data via another network's connections. Tunneling works by encapsulating a network protocol within packets carried by the second network.11

split tunneling
The process of allowing a remote VPN user to access a public network, most commonly the Internet, at the same time that the user is allowed to access resources on the VPN.

encryption
The translation of data into a secret code. Encryption is the most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it. There are two main types of encryption: asymmetric encryption (also called public-key encryption) and symmetric encryption.

11
http://docwiki.cisco.com/wiki/Internetworking_Technology_Handbook


4.5 Using IPSec in VPN


The IPsec VPN which we have used between HO and Branches is a LAN-to-LAN IPsec tunnel, and an example of the configuration is as below:

4.5.1 Network Diagram

4.5.2 Configurations
This document uses these configurations:
Router A
Router B

Router A

RouterA#show running-config
Building configuration...
Current configuration : 1132 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R9
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
!
!--- Create an ISAKMP policy for Phase 1
!--- negotiations for the L2L tunnels.
crypto isakmp policy 10
 hash md5
 authentication pre-share
!--- Specify the pre-shared key and the remote peer address
!--- to match for the L2L tunnel.
crypto isakmp key vpnuser address 10.0.0.2
!
!--- Create the Phase 2 policy for actual data encryption.
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
!--- Create the actual crypto map. Specify
!--- the peer IP address, transform
!--- set, and an access control list (ACL) for the split tunneling.
crypto map mymap 10 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set myset
 match address 100
!
!
!
!
interface Ethernet0/0
 ip address 10.1.1.2 255.255.255.0
 half-duplex
!
!--- Apply the crypto map on the outside interface.
interface Serial2/0
 ip address 172.16.1.1 255.255.255.0
 crypto map mymap
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 172.16.1.2
!
!--- Create an ACL for the traffic to
!--- be encrypted. In this example,
!--- the traffic from 10.1.1.0/24 to 172.16.2.0/24
!--- is encrypted. The traffic which does not match the access list
!--- is unencrypted for the Internet.
access-list 100 permit ip 10.1.1.0 0.0.0.255 172.16.2.0 0.0.0.255
!
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
!


Router B

RouterB#show running-config
Building configuration...
Current configuration : 835 bytes
!
version 12.4
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R2
!
!
ip subnet-zero
!
!
!--- Create an ISAKMP policy for Phase 1
!--- negotiations for the L2L tunnels.
crypto isakmp policy 10
 hash md5
 authentication pre-share
!--- Specify the pre-shared key and the remote peer address
!--- to match for the L2L tunnel.
crypto isakmp key vpnuser address 172.16.1.1
!
!--- Create the Phase 2 policy for actual data encryption.
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
!--- Create the actual crypto map. Specify
!--- the peer IP address, transform
!--- set, and an ACL for the split tunneling.
!
crypto map mymap 10 ipsec-isakmp
 set peer 172.16.1.1
 set transform-set myset
 match address 100
!
!
!
!
interface Ethernet0
 ip address 172.16.2.1 255.255.255.0
!
!--- Apply the crypto map on the outside interface.
interface Ethernet1
 ip address 10.0.0.2 255.255.255.0
 crypto map mymap
!
interface Serial0
 no ip address
 shutdown
 no fair-queue
!
interface Serial1
 no ip address
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.1
ip http server
!
!--- Create an ACL for the traffic to
!--- be encrypted. In this example,
!--- the traffic from 172.16.2.0/24 to 10.1.1.0/24
!--- is encrypted. The traffic which does not match the access list
!--- is unencrypted for the Internet.
access-list 100 permit ip 172.16.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
line con 0
line aux 0
line vty 0 4
!
end

IPSec is an Internet Engineering Task Force (IETF) standard suite of protocols that provides
data authentication, integrity, and confidentiality as data is transferred between communication
points across IP networks. IPSec provides data security at the IP packet level. A packet is a data
bundle that is organized for transmission across a network, and it includes a header and payload
(the data in the packet). IPSec emerged as a viable network security standard because enterprises
wanted to ensure that data could be securely transmitted over the Internet. IPSec protects against
possible security exposures by protecting data while in transit.

4.5.2.1 IPSec Security Features

IPSec is the most secure method commercially available for connecting network sites. IPSec
was designed to provide the following security features when transferring packets across
networks:12

1. Authentication: Verifies that the packet received is actually from the claimed sender.
2. Integrity: Ensures that the contents of the packet did not change in transit.
3. Confidentiality: Conceals the message content through encryption.

4.5.2.2 IPSec Components


IPSec contains the following elements:

1. Encapsulating Security Payload (ESP): Provides confidentiality, authentication, and
integrity.
2. Authentication Header (AH): Provides authentication and integrity.
3. Internet Key Exchange (IKE): Provides key management and Security Association (SA)
management.

4.5.2.3 Encapsulating Security Payload (ESP)

ESP provides authentication, integrity, and confidentiality, which protect against data
tampering and, most importantly, provide message content protection.

IPSec provides an open framework for implementing industry standard algorithms, such
as SHA and MD5. The algorithms IPSec uses produce a unique and unforgeable
identifier for each packet, which is a data equivalent of a fingerprint. This fingerprint
allows the device to determine whether a packet has been tampered with. Furthermore, packets
that are not authenticated are discarded and not delivered to the intended receiver.

ESP also provides all encryption services in IPSec. Encryption translates a readable
message into an unreadable format to hide the message content. The opposite process,
called decryption, translates the message content from an unreadable format back into a
readable message. Encryption/decryption allows only the sender and the authorized
receiver to read the data. In addition, ESP has an option to perform authentication, called
ESP authentication. Using ESP authentication, ESP provides authentication and integrity
for the payload and not for the IP header.

12
http://www.cisco.com/c/en/us/products/switches/catalyst-6500-series-switches/index.html

4.5.2.4 Key Management

IPSec uses the Internet Key Exchange (IKE) protocol to facilitate and automate the SA setup
and the exchange of keys between parties transferring data. Using keys ensures that only the
sender and receiver of a message can access it.

IPSec requires that keys be re-created, or refreshed, frequently so that the parties can
communicate securely with each other. IKE manages the process of refreshing keys; however,
a user can control the key strength and the refresh frequency. Refreshing keys on a regular basis
ensures data confidentiality between sender and receiver.
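The Router B sample above, and the branch and WAN router configurations in Chapter 5, expose every Phase 1 and Phase 2 choice (ISAKMP hash and encryption, transform set, PFS) and the management lines directly in the running-config, so the review of those choices can be automated. The script below is an added example for this thesis, not a Cisco tool or part of the bank's deployment: it parses an IOS running-config into parent and sub-command blocks and flags weak or defaulted settings. The excerpt it checks is constructed for the example, modelled on the Router B configuration, and the weak-algorithm lists and severities are this example's own assumptions.

```python
from dataclasses import dataclass

# Constructed excerpt, modelled on the Router B sample in this chapter;
# it is not a capture from a real device.
SAMPLE_CONFIG = """\
hostname R2
no service password-encryption
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key vpnuser address 172.16.1.1
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 172.16.1.1
 set transform-set myset
 match address 100
!
line vty 0 4
 exec-timeout 0 0
end
"""

# Algorithm lists are assumptions of this example, following current IKE/IPsec guidance.
WEAK_IKE_HASHES = {"md5"}
WEAK_ESP_CIPHERS = {"esp-des", "esp-3des", "esp-null"}
WEAK_ESP_INTEGRITY = {"esp-md5-hmac"}


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low"
    command: str    # the parent command the finding applies to
    message: str


def parse_blocks(config: str) -> list:
    """Split an IOS running-config into (parent command, [sub-commands]) pairs.

    IOS prints sub-mode commands indented by one space under their parent and
    uses lines starting with '!' as separators or comments; both are handled here."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(config: str) -> list:
    """Return Findings for weak Phase 1/Phase 2 settings and lax management-plane lines."""
    findings = []
    for parent, children in parse_blocks(config):
        if parent.startswith("crypto isakmp policy"):
            for child in children:
                if child.startswith("hash ") and child.split()[1] in WEAK_IKE_HASHES:
                    findings.append(Finding("high", parent, f"IKE policy uses weak hash {child.split()[1]}"))
            # IOS 12.4 defaults when the keyword is absent: DES encryption and DH group 1
            if not any(c.startswith("encr") for c in children):
                findings.append(Finding("medium", parent, "no 'encr' line; the IOS default is DES"))
            if not any(c.startswith("group") for c in children):
                findings.append(Finding("medium", parent, "no 'group' line; the IOS default is DH group 1 (768-bit)"))
        elif parent.startswith("crypto ipsec transform-set"):
            for token in parent.split()[3:]:
                if token in WEAK_ESP_CIPHERS:
                    findings.append(Finding("high", parent, f"transform-set uses weak cipher {token}"))
                if token in WEAK_ESP_INTEGRITY:
                    findings.append(Finding("medium", parent, f"transform-set uses weak integrity {token}"))
        elif parent.startswith("crypto map") and parent.endswith("ipsec-isakmp"):
            if not any(c.startswith("set pfs") for c in children):
                findings.append(Finding("low", parent, "no 'set pfs'; Phase 2 keys are derived from the Phase 1 secret"))
        elif parent == "no service password-encryption":
            findings.append(Finding("low", parent, "line passwords are stored in clear text"))
        elif parent.startswith("line vty"):
            if "exec-timeout 0 0" in children:
                findings.append(Finding("medium", parent, "exec-timeout 0 0 disables idle logout"))
            if not any(c.startswith("transport input") for c in children):
                findings.append(Finding("medium", parent, "no 'transport input' restriction; telnet is accepted by default"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f.severity:6} {f.command:45} {f.message}")
```

Run against a saved `show running-config`. On the Router B sample it reports the MD5 hash, the DES transform set, the defaulted ISAKMP encryption and DH group, and the open VTY lines; on the Chapter 5 configurations it passes the AES-256/SHA transform set and PFS group 5 but still reports the absent `group` line under the ISAKMP policy and the unrestricted VTY transport.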

4.6 NAT & PAT to translate internal traffic to public

Doing NAT (Network Address Translation)

NAT (Network Address Translation or Network Address Translator) is the translation of an
Internet Protocol address (IP address) used within one network to a different IP address known
within another network. One network is designated the inside network and the other is the
outside. Typically, a company maps its local inside network addresses to one or more global
outside IP addresses and unmaps the global IP addresses on incoming packets back into local
IP addresses. This helps ensure security since each outgoing or incoming request must go
through a translation process that also offers the opportunity to qualify or authenticate the
request or match it to a previous request. NAT also conserves the number of global IP
addresses that a company needs and lets the company use a single IP address in its
communication with the world.13

13
http://www.cisco.com/c/en/us/products/collateral/routers/3900-series-integrated-services-routers-isr/data_sheet_c78_553924.html

NAT is included as part of a router and is often part of a corporate firewall. Network
administrators create a NAT table that does the global-to-local and local-to-global IP address
mapping. NAT can also be used in conjunction with policy routing. NAT can be statically
defined or it can be set up to dynamically translate from and to a pool of IP addresses. Cisco's
version of NAT lets an administrator create tables that map:

1. A local IP address to one global IP address statically
2. A local IP address to any of a rotating pool of global IP addresses that a company may
have
3. A local IP address plus a particular TCP port to a global IP address or one in a pool of
them
4. A global IP address to any of a pool of local IP addresses on a round-robin basis

NAT is described in general terms in RFC 1631, which discusses NAT's relationship to
Classless Interdomain Routing (CIDR) as a way to reduce the IP address depletion problem.
NAT reduces the need for a large number of publicly known IP addresses by creating a
separation between publicly known and privately known IP addresses. CIDR aggregates
publicly known IP addresses into blocks so that fewer IP addresses are wasted. In the end, both
extend the use of IPv4 addresses for a few more years before IPv6 is generally supported.

Network Address Translation (NAT) can be configured to work on your network in a few different
ways. The type of NAT you choose to implement depends on your goals for NAT and on your
public address management. NAT methods include:

1. Static NAT:

Puts a permanent mapping between an internal private address and a public address. In this
scenario, 192.168.8.50 will always map out to 192.0.2.75. This type of NAT may be used
for allowing traffic into a mail server or web server.

2. Dynamic NAT:

Puts a dynamic mapping between an internal private address and a public address. This also
creates a one-to-one relationship on a first-come-first-served basis. The public address that
a private device uses can change over time, so outside hosts cannot rely on it. This allows
systems out when you are not concerned with outside devices trying to connect in, unlike the
previous web server example.

3. Overloading:

This is also known as Port Address Translation (PAT). In this case, multiple internal devices
are able to share one public address, as mappings are placed into the mappings table based
on the source and destination ports that are used. As long as ports are available to be
remapped, then any number of devices can share a very small pool of public addresses or
just one public address.

4. Overlapping:

NAT can be used when public or registered addresses are used inside your network. In this
case, you may use a public address block on multiple internal networks. NAT allows you to
translate those “internal” addresses to other publicly accessible addresses when you connect
to the “public” side of the router.

Many people quickly become lost understanding local, global, inside, and outside addresses.
The following list describes the different types of addresses:

1. Local: This refers to what happens on the inside of your network.
2. Global: This refers to what happens on the outside of your network.
3. Inside Local Address: This is an address of a host on your internal network, for
example, 192.168.8.25.
4. Inside Global Address: This is the mapped address that people on the Internet would
see, which represents the inside host.
5. Outside Global Address: The IP address of a remote Internet-based host as assigned
by the owner that can communicate with an inside host, for example, 192.0.2.100.
6. Outside Local Address: This is the address that the inside hosts use to reference an
outside host. The outside local address may be the outside host’s actual address or
another translated private address from a different private address block. Therefore, the
router could translate that address to 192.168.10.50, or it could be the public address of
the external host. The internal hosts would contact this address to deal with the external
host.
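To make the address terminology and the overloading (PAT) behaviour concrete, the following Python model is an added example; it is not part of the thesis and not router software. It keeps the table a PAT router keeps: an inside local address and source port are mapped to the one inside global address and a translated port, replies are matched back to the inside host, unsolicited inbound packets find no entry, and a deliberately tiny port range shows what happens when ports run out. The inside global address 192.0.2.75 and the inside local address 192.168.8.25 come from the examples above; the outside global hosts 198.51.100.10 and 203.0.113.5 and the other inside hosts are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Flow:
    inside_local: str    # private host address (inside local), e.g. 192.168.8.25
    src_port: int
    outside_global: str  # Internet host being contacted (outside global)
    dst_port: int
    proto: str = "tcp"


@dataclass
class PatTable:
    inside_global: str                 # the single public address every inside host shares
    port_range: range = field(default_factory=lambda: range(1024, 65536))
    _by_flow: dict = field(default_factory=dict)   # Flow -> translated source port
    _by_port: dict = field(default_factory=dict)   # translated source port -> Flow

    def translate_outbound(self, flow: Flow) -> Optional[int]:
        """Allocate (or reuse) the inside-global port for an outbound flow.

        Returns None when every port in the range is in use (port exhaustion)."""
        if flow in self._by_flow:
            return self._by_flow[flow]
        # Like a router, keep the original source port when it is free and in range
        if flow.src_port in self.port_range and flow.src_port not in self._by_port:
            port = flow.src_port
        else:
            port = next((p for p in self.port_range if p not in self._by_port), None)
        if port is None:
            return None
        self._by_flow[flow] = port
        self._by_port[port] = flow
        return port

    def translate_inbound(self, outside_global: str, src_port: int, dst_port: int,
                          proto: str = "tcp") -> Optional[Flow]:
        """Match a packet arriving at inside_global:dst_port back to its inside host.

        Only a reply to an existing entry matches; anything else returns None and would be
        dropped, which is why overload NAT on its own admits no inbound sessions."""
        flow = self._by_port.get(dst_port)
        if flow is None or (flow.outside_global, flow.dst_port, flow.proto) != (outside_global, src_port, proto):
            return None
        return flow

    def show_translations(self) -> list:
        """Rows in the column order of 'show ip nat translations':
        proto, inside global, inside local, outside local, outside global.
        No outside translation is modelled, so outside local equals outside global."""
        rows = []
        for port, flow in sorted(self._by_port.items()):
            rows.append(f"{flow.proto} {self.inside_global}:{port} {flow.inside_local}:{flow.src_port} "
                        f"{flow.outside_global}:{flow.dst_port} {flow.outside_global}:{flow.dst_port}")
        return rows


def demo() -> dict:
    """Constructed scenario: three inside hosts reuse source port 51000 towards the same
    web server, through a two-port range so that the third allocation fails."""
    table = PatTable("192.0.2.75", port_range=range(40000, 40002))
    a = Flow("192.168.8.25", 51000, "198.51.100.10", 443)
    b = Flow("192.168.8.26", 51000, "198.51.100.10", 443)
    c = Flow("192.168.8.27", 51000, "198.51.100.10", 443)
    return {
        "a_port": table.translate_outbound(a),
        "b_port": table.translate_outbound(b),
        "a_again": table.translate_outbound(a),          # same flow, same entry
        "c_port": table.translate_outbound(c),           # None: port range exhausted
        "reply_to_b": table.translate_inbound("198.51.100.10", 443, 40001),
        "unsolicited": table.translate_inbound("203.0.113.5", 443, 40001),
        "rows": table.show_translations(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The two hosts that share source port 51000 cannot both keep it, so the second one receives a different inside global port; that per-flow port is the only thing that lets the reply from 198.51.100.10 reach the right inside host, and a packet from any other outside host to the same port is discarded.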

4.7 Using Inter-VLAN Routing (Router-on-a-stick)

In this project we have used router-on-a-stick in the WAN layer of the Bakhter Bank network
infrastructure; a brief introduction to inter-VLAN routing follows.


4.7.1 External Router (router-on-a-stick)


A layer two switch can be connected to a single router to allow inter-VLAN communication
either using a single physical link as a trunk with multiple sub-interfaces (a.k.a. router-on-a-
stick) or using separate physical links between the switch and router for each individual VLAN.

An example configuration on the router would be:

interface FastEthernet 0/1
 no ip address
 duplex auto
 speed auto
! Each sub-interface carries a host address (.1); the network address (.0) is not
! accepted on an interface. The native sub-interface still names its VLAN ID.
interface FastEthernet 0/1.10
 description data vlan
 encapsulation dot1q 10
 ip address 10.1.10.1 255.255.255.0
interface FastEthernet 0/1.20
 description mgmt vlan
 encapsulation dot1q 20
 ip address 10.1.20.1 255.255.255.0
interface FastEthernet 0/1.55
 description native vlan
 encapsulation dot1q 55 native
 ip address 10.1.55.1 255.255.255.0

Advantages

• Works with almost all switches because the switches do not have to support layer 3, just VLANs
and trunking
• Simple configuration (one switch port, one router interface)

Disadvantages

• Router is a single point of failure
• If the trunk becomes congested, it can affect every VLAN
• Slightly higher latency because (1) traffic must leave and re-enter the switch and (2) the
router makes the traffic decisions in software (which is slower than hardware)

Configuring Inter-VLAN Routing with an External Router

4.7.2 Implementation Planning

• Know how many VLANs require routing, the VLAN IDs, and which ports connect to
the router
• Every router subinterface must be configured with the same type of frame encapsulation (usually
802.1Q) as the switch side of the link
• Make sure the native VLAN is the same on both ends. A subinterface on the router can be created
for the native VLAN
• It is best practice to match the subinterface ID to the VLAN ID

Configuring Router-on-a-stick

1. Enable trunking on the switch port
2. Enable the router interface with the no shutdown command
3. Create the subinterfaces on the router for each VLAN
4. Configure IPs and encapsulation on each subinterface as they relate to their VLANs

Router(config-subif)# encapsulation {dot1q | isl} vlan-id [native]
Router(config-subif)# ip address x.x.x.x x.x.x.x

Example router interface configuration

Router(config)# interface FastEthernet0/0
Router(config-if)# no shutdown
Router(config-if)# interface FastEthernet 0/0.1
Router(config-subif)# description VLAN 1
Router(config-subif)# encapsulation dot1Q 1 native
Router(config-subif)# ip address 10.1.1.1 255.255.255.0
Router(config-subif)# exit
Router(config)# interface FastEthernet 0/0.2
Router(config-subif)# description VLAN 2
Router(config-subif)# encapsulation dot1Q 2
Router(config-subif)# ip address 10.2.2.1 255.255.255.0
Router(config-subif)# exit
Router(config)# end


Example switch trunk interface configuration (connected to the router’s Fa 0/0)

switch(config)# interface FastEthernet 4/2
switch(config-if)# switchport trunk encapsulation dot1q
switch(config-if)# switchport mode trunk
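The planning points above (same encapsulation on both ends, same native VLAN, sub-interface ID equal to the VLAN ID, a usable host address on each sub-interface) can be checked before anything is typed into a router. The following Python script is an added example, not part of the thesis or of Cisco IOS: it validates a VLAN plan and generates both the router-on-a-stick sub-interfaces and the matching switch trunk from that one plan, so the two sides cannot drift apart. The VLAN numbers (10, 20, native 55) follow the example earlier in this section; the gateway addresses and the port names are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Vlan:
    vlan_id: int
    name: str
    gateway: str        # router sub-interface address with prefix, e.g. "10.1.10.1/24"
    native: bool = False


# Constructed plan using the VLAN numbers from the example above (data 10, mgmt 20, native 55);
# the gateway addresses are assumptions for this example.
PLAN = [
    Vlan(10, "data vlan", "10.1.10.1/24"),
    Vlan(20, "mgmt vlan", "10.1.20.1/24"),
    Vlan(55, "native vlan", "10.1.55.1/24", native=True),
]


def validate_plan(vlans: list) -> list:
    """Return a list of planning errors; an empty list means the plan is consistent."""
    errors = []
    ids = [v.vlan_id for v in vlans]
    if len(ids) != len(set(ids)):
        errors.append("duplicate VLAN IDs in plan")
    if sum(1 for v in vlans if v.native) != 1:
        errors.append("exactly one VLAN must be the native VLAN on the trunk")
    for v in vlans:
        if not 1 <= v.vlan_id <= 4094:
            errors.append(f"VLAN {v.vlan_id}: id outside the 802.1Q range 1-4094")
        iface = ipaddress.ip_interface(v.gateway)
        net = iface.network
        # IOS rejects the network or broadcast address as an interface address
        if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
            errors.append(f"VLAN {v.vlan_id}: {iface.ip} is not a host address in {net}")
    return errors


def router_config(port: str, vlans: list) -> str:
    """Router-on-a-stick sub-interfaces; the sub-interface number always equals the VLAN ID."""
    errors = validate_plan(vlans)
    if errors:
        raise ValueError("; ".join(errors))
    lines = [f"interface {port}", " no ip address", " no shutdown"]
    for v in sorted(vlans, key=lambda x: x.vlan_id):
        iface = ipaddress.ip_interface(v.gateway)
        encap = f" encapsulation dot1Q {v.vlan_id}" + (" native" if v.native else "")
        lines += [f"interface {port}.{v.vlan_id}", f" description {v.name}", encap,
                  f" ip address {iface.ip} {iface.netmask}"]
    return "\n".join(lines)


def switch_trunk_config(port: str, vlans: list) -> str:
    """Matching switch side: 802.1Q trunk, the same native VLAN, only the planned VLANs allowed."""
    errors = validate_plan(vlans)
    if errors:
        raise ValueError("; ".join(errors))
    native = next(v.vlan_id for v in vlans if v.native)
    allowed = ",".join(str(v.vlan_id) for v in sorted(vlans, key=lambda x: x.vlan_id))
    return "\n".join([
        f"interface {port}",
        " switchport trunk encapsulation dot1q",
        " switchport mode trunk",
        f" switchport trunk native vlan {native}",
        f" switchport trunk allowed vlan {allowed}",
    ])


if __name__ == "__main__":
    print(router_config("FastEthernet0/1", PLAN))
    print(switch_trunk_config("FastEthernet4/2", PLAN))
```

validate_plan() rejects a network address such as 10.1.10.0/24 on a sub-interface, and the switch side pins both the native VLAN and the allowed list, so a native-VLAN mismatch with the router cannot silently pass untagged frames into the wrong VLAN.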
Switch Virtual Interfaces

Remember that Cisco recommends using layer 2 connectivity between access and distribution
layers and layer 3 routing between distribution and core layers.

SVIs are virtual VLAN interfaces on multilayer switches; one SVI is created for each VLAN to
be routed and it performs the routing for all the packets associated with that VLAN.

The only SVI created by default is the SVI for VLAN 1. The rest must be created manually
using the command:

Switch(config)# interface vlan vlan_id

SVIs are commonly used for:

• Default gateways for users within the VLAN
• Virtual routing between VLANs
• Providing an IP address for connectivity to the switch itself
• Serving as an interface for routing protocols

An SVI is considered “up” when at least one interface in its associated VLAN is active
and forwarding traffic. If all interfaces within that VLAN are down, the SVI goes down
to prevent creating a routing loop.14

14
http://www.cisco.com/c/en/us/products/switches/catalyst-3750-x-series-switches/index.html

Advantages

• Fast because all routing is performed in hardware
• No need for external links for routing
• Low latency (traffic doesn’t need to leave the switch)

Disadvantages

• May require a more expensive switch

Configuring Inter-VLAN Routing with SVIs

Implementation Planning

• Identify which VLANs require layer 3 gateways, as you may not want all VLANs to be routable
within the organization
• Make sure VLANs are first created on the switch, then make the SVIs
• Find out what IPs need to be configured on each SVI interface, then use the no
shutdown command to enable them
• Configure any routing protocols that are required
• Determine if any switchports should be excluded from contributing to the SVI line-state up-and-
down calculation
Configuring SVIs

1. Enable IP routing
2. Create the VLANs
3. Create the SVI
4. Assign an IP address to each SVI
5. Enable the interface
6. Optional – Enable an IP routing protocol

Note: Routing protocols are only required to allow different devices to communicate across
different VLANs or networks. They are not required to route between SVIs on the same switch
because the switch sees the SVIs as connected interfaces.

Example Configuration

Switch# configure terminal
Switch(config)# ip routing
Switch(config)# vlan 10
Switch(config)# interface vlan 10
Switch(config-if)# ip address 10.10.1.1 255.0.0.0
Switch(config-if)# no shutdown
Switch(config)# router rip
Switch(config-router)# network 10.0.0.0

4.7.3 SVI Autostate

An SVI is automatically brought up, and kept up, when the following conditions are met:

• The VLAN is active and exists in the VLAN database
• The VLAN interface exists and is not administratively shut down
• At least one port on the switch is in the VLAN, is in the up state, and is in the
spanning-tree forwarding state

This automatic behaviour is called SVI Autostate. If there are multiple ports on the switch in
the same VLAN, the default action is to take down the SVI interface if all of the ports in that
VLAN are shut down.

The command switchport autostate exclude, when applied to a port, removes that port from the
calculation: the SVI still goes down when all of the other ports in the VLAN go down, even if the
excluded port stays up. This is often desirable when a traffic analyzer is attached to a port. Such
a host stays up but is only a passive monitor, so without the exclusion it would keep the SVI up
after every other device in the VLAN had gone down; autostate exclude is applied so that the
SVI can still go down.
Routed Ports

Routed ports are physical ports on the switch that act much like a router interface would with
an IP address configured. Routed ports are not associated with a particular VLAN and do not
run layer 2 protocols like STP or VTP.

Note: Routed interfaces also do not support subinterfaces. Routed ports are point-to-point links
that usually connect core switches to other core switches or distribution layer switches (if the
distribution layer is running layer 3). They can also be used when a switch has only a single
switch port per VLAN or subnet.

Make sure when configuring a routed port that you use the no switchport command to make
sure the interface is configured to operate at layer 3. Also make sure to assign an IP address
and any other layer 3 information required. Lastly, check that the appropriate routing protocols
are configured.15

15
http://www.cisco.com/c/en/us/products/switches/catalyst-3750-x-series-switches/index.html

Advantages

• A multilayer switch can have both SVIs and routed ports configured
• Multilayer switches forward all layer 2 and 3 traffic in hardware, so it is very fast

Configuring Inter-VLAN Routing with Routed Ports

1. Select the interface
2. Convert it to a layer 3 port (no switchport command)
3. Add an IP address
4. Enable the interface (no shutdown command)

Example Configuration

Core(config)# interface GigabitEthernet 1/1
Core(config-if)# no switchport
Core(config-if)# ip address 10.10.1.1 255.255.255.252
Core(config-if)# exit

Verification Commands

show ip interface {interface_type_port | svi_number}
show interface {interface_type_port | svi_number}
show running-config interface {interface_type_port | svi_number}
ping
show vlan
show interface trunk

Chapter 5
Network Configuration
5.1 Network configuration part
5.1.1 Devices Configuration Part:
Branch Router Configuration

BR1-RTR#show running-config
Building configuration...
Current configuration : 1640 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BR1-RTR
!
boot-start-marker
boot-end-marker
!
aaa new-model
aaa authentication login default local
aaa session-id common
!
resource policy
!
memory-size iomem 5
no ip icmp rate-limit unreachable
ip tcp synwait-time 5
ip cef
no ip domain lookup
!
username admin privilege 15 secret 5 $1$TPoC$rYa99x5ZW/wbtQcrxzsOH/
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
crypto isakmp key 6 BAKHTER-BR1 address 172.16.254.1
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set 1 esp-aes 256 esp-sha-hmac
!
crypto map BR1-MAP 1 ipsec-isakmp
 set peer 172.16.254.1
 set transform-set 1
 set pfs group5
 match address BR1-ACL
!
interface Ethernet0/0
 description ###To-WAN-SW###
 ip address 172.16.254.2 255.255.255.252
 half-duplex
 crypto map BR1-MAP
!
interface Ethernet0/1
 description ###Branch-LAN###
 ip address 10.10.0.1 255.255.255.0
 half-duplex
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
router eigrp 100
 network 10.10.0.1 0.0.0.0
 network 172.16.254.2 0.0.0.0
 no auto-summary
!
no ip http server
no ip http secure-server
!
ip access-list extended BR1-ACL
 permit ip 10.10.0.0 0.0.0.255 172.18.0.0 0.0.1.255
!
control-plane
!
banner motd c
==============================================================================
BAKHTER BANK
- TECHNECAL OPERATION CENTER-
- INFORMATION TECHNOLOGY DEPARTMENT -
WARNING: Unauthorized access to this system is forbidden and will be
prosecuted by law. By accessing this system, you agree that your
actions may be monitored if unauthorized usage is suspected.
==============================================================================
c
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
!
end

Branch Client Configuration

Current configuration : 1077 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BR1-Host
!
boot-start-marker
boot-end-marker
!
aaa new-model
aaa authentication login default local
aaa session-id common
!
resource policy
!
memory-size iomem 5
no ip icmp rate-limit unreachable
ip tcp synwait-time 5
ip cef
no ip domain lookup
!
username admin privilege 15 secret 5 $1$J8Ve$cB8E0XkyEa0L9wOzZsv5c1
!
interface Ethernet0/0
 ip address 10.10.0.2 255.255.255.0
 half-duplex
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
ip default-gateway 10.10.0.1
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.10.0.1
!
control-plane
!
banner motd c
==============================================================================
BAKHTER BANK
- TECHNECAL OPERATION CENTER-
- INFORMATION TECHNOLOGY DEPARTMENT -
WARNING: Unauthorized access to this system is forbidden and will be
prosecuted by law. By accessing this system, you agree that your
actions may be monitored if unauthorized usage is suspected.
==============================================================================
c
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
!
end

WAN Router Configuration

Current configuration : 2145 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname WAN-RTR
!
boot-start-marker
boot-end-marker
!
aaa new-model
aaa authentication login default local
aaa session-id common
!
resource policy
!
memory-size iomem 5
no ip icmp rate-limit unreachable
ip tcp synwait-time 5
ip cef
no ip domain lookup
!
username admin privilege 15 secret 5 $1$P80/$4XpWI72fqk/K/GEWGXiXI0
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
crypto isakmp key 6 BAKHTER-BR1 address 172.16.254.2
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set 1 esp-aes 256 esp-sha-hmac
!
crypto map BR1-MAP 1 ipsec-isakmp
 set peer 172.16.254.2
 set transform-set 1
 set pfs group5
 match address BR1-ACL
!
interface Ethernet0/0
 description ###TO-ISP-RTR###
 ip address 180.94.200.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 half-duplex
!
interface Ethernet0/1
 description ###TO-WAN-SW###
 ip address 172.16.254.1 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 half-duplex
 crypto map BR1-MAP
!
interface Ethernet0/2
 description ###TO-ASA-Appliance###
 ip address 172.17.0.10 255.255.255.248
 ip nat inside
 ip virtual-reassembly
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
router eigrp 100
 redistribute static metric 1000 10 255 255 1500
 network 172.16.254.1 0.0.0.0
 network 172.17.0.10 0.0.0.0
 no auto-summary
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 180.94.200.1
!
ip nat inside source list NAT-INT interface Ethernet0/0 overload
!
ip access-list extended BR1-ACL
 permit ip 172.18.0.0 0.0.1.255 10.10.0.0 0.0.255.255 log
ip access-list extended NAT-INT
 permit icmp any any
 permit ip 10.10.0.0 0.0.255.255 any log
 permit ip 172.18.0.0 0.0.1.255 any log
 permit ip 172.16.0.0 0.0.0.255 any log
!
control-plane
!
banner motd c
==============================================================================
BAKHTER BANK
- TECHNECAL OPERATION CENTER-
- INFORMATION TECHNOLOGY DEPARTMENT -
WARNING: Unauthorized access to this system is forbidden and will be
prosecuted by law. By accessing this system, you agree that your
actions may be monitored if unauthorized usage is suspected.
==============================================================================
c
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
!
end

ISP Router Configuration

Building configuration...
Current configuration : 1133 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ISP-RTR
!
boot-start-marker
boot-end-marker
!
aaa new-model
aaa authentication login default local
aaa session-id common
!
resource policy
!
memory-size iomem 5
no ip icmp rate-limit unreachable
ip tcp synwait-time 5
ip cef
no ip domain lookup
!
username admin privilege 15 secret 5 $1$sZbB$13sPA5c1wuz120cohm6gJ.
!
interface Loopback1
 ip address 4.2.2.2 255.255.255.255
!
interface Loopback2
 ip address 8.8.8.8 255.255.255.255
!
interface Ethernet0/0
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/1
 ip address 180.94.200.1 255.255.255.252
 half-duplex
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
no ip http server
no ip http secure-server
!
control-plane
!
banner motd c
==============================================================================
BAKHTER BANK
- TECHNECAL OPERATION CENTER-
- INFORMATION TECHNOLOGY DEPARTMENT -
WARNING: Unauthorized access to this system is forbidden and will be
prosecuted by law. By accessing this system, you agree that your
actions may be monitored if unauthorized usage is suspected.
==============================================================================
c
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
!
end

CISCO ASA Appliance Configuration

ASA Version 8.0(2)
!
hostname ASA-Appliance
enable password 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 description ###To-WAN-RTR###
 nameif Outside
 security-level 0
 ip address 172.17.0.9 255.255.255.248
!
interface Ethernet0/1
 description ###TO-FAIL-OVER-SW###
 nameif Inside
 security-level 100
 ip address 172.17.0.1 255.255.255.248
!
interface Ethernet0/2
 description ###To-DC-DMZ-SW###
 nameif DMZ
 security-level 50
 ip address 172.16.0.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
banner exec ==============================================================================
banner exec BAKHTER BANK
banner exec - TECHNECAL OPERATION CENTER-
banner exec - INFORMATION TECHNOLOGY DEPARTMENT -
banner exec WARNING: Unauthorized access to this system is forbidden and will be
banner exec prosecuted by law. By accessing this system, you agree that your
banner exec actions may be monitored if unauthorized usage is suspected.
banner exec ==============================================================================
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list acl_in extended permit icmp any any
access-list acl_in extended permit ip any any
pager lines 24
mtu Outside 1500
mtu DMZ 1500
mtu Inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
icmp permit any DMZ
icmp permit any Inside
no asdm history enable
arp timeout 14400
access-group acl_in in interface Outside
access-group acl_in in interface DMZ
access-group acl_in in interface Inside
!
router eigrp 100
 no auto-summary
 neighbor 172.17.0.3 interface Inside
 neighbor 172.17.0.2 interface Inside
 network 172.16.0.0 255.255.255.0
 network 172.17.0.0 255.255.255.248
 network 172.17.0.8 255.255.255.248
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:8f6735d8d945b7160faa2ff343220d06
: end

Design a new network infrastructure for BAKHTAR BANK 66


Chapter 5 Network Configuration

Email Server Configuration

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

hostname Email-SRV

boot-start-marker

boot-end-marker

aaa new-model

aaa authentication login default local

aaa session-id common

resource policy

memory-size iomem 5

ip cef

Design a new network infrastructure for BAKHTAR BANK 67


Chapter 5 Network Configuration

username admin privilege 15 secret 5 $1$9J81$KTWH11IDBDM4BjCJPoVEU.

interface Ethernet0/0

ip address 172.16.0.11 255.255.255.0

half-duplex

interface Ethernet0/1

no ip address

shutdown

half-duplex

interface Ethernet0/2

no ip address

shutdown

half-duplex

interface Ethernet0/3

no ip address

shutdown

half-duplex

Design a new network infrastructure for BAKHTAR BANK 68


Chapter 5 Network Configuration

!
ip default-gateway 172.16.0.1
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 172.16.0.1
!
control-plane
!
banner motd ^C
==============================================================================
BAKHTER BANK
- TECHNICAL OPERATION CENTER -
- INFORMATION TECHNOLOGY DEPARTMENT -
WARNING: Unauthorized access to this system is forbidden and will be
prosecuted by law. By accessing this system, you agree that your
actions may be monitored if unauthorized usage is suspected.
==============================================================================
^C
!
line con 0


line aux 0
line vty 0 4
!
end
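As an added example (not part of the thesis and not a Cisco tool), the following Python script audits an IOS running-config for the management-plane gaps visible in the Email-SRV listing above: password encryption turned off, an aux line without "no exec", and vty lines with no "transport input ssh", "access-class" or "exec-timeout". SAMPLE_CONFIG is a constructed excerpt of that listing, and the set of checks is this example's own choice.

```python
"""Audit a Cisco IOS running-config for management-plane hardening gaps.
Added example, not from the thesis; SAMPLE_CONFIG is a constructed excerpt
mirroring the Email-SRV listing (secrets omitted)."""
import re

SAMPLE_CONFIG = """\
no service password-encryption
hostname Email-SRV
aaa authentication login default local
no ip http server
line con 0
line aux 0
line vty 0 4
end
"""

def parse_line_blocks(config):
    """Map each 'line ...' section to its sub-commands (IOS indents them by one space)."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # any other top-level command closes the block
    return blocks

def audit_ios_config(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if re.search(r"^no service password-encryption$", config, re.M):
        findings.append("service password-encryption is disabled")
    if re.search(r"^ip http server$", config, re.M):
        findings.append("plaintext HTTP management server is enabled")
    if not re.search(r"^ip ssh version 2$", config, re.M):
        findings.append("SSH version 2 is not enforced")
    for name, cmds in parse_line_blocks(config).items():
        if name.startswith("line vty"):
            if "transport input ssh" not in cmds:
                findings.append(f"{name}: transport input not limited to ssh")
            if not any(c.startswith("access-class ") for c in cmds):
                findings.append(f"{name}: no access-class limiting management sources")
            if not any(c.startswith("exec-timeout ") for c in cmds):
                findings.append(f"{name}: no exec-timeout")
        elif name.startswith("line aux") and "no exec" not in cmds:
            findings.append(f"{name}: aux port still accepts exec sessions")
    return findings
```

Calling audit_ios_config(SAMPLE_CONFIG) returns six findings; a config that adds service password-encryption, ip ssh version 2, no exec under the aux line, and transport input ssh, an access-class and an exec-timeout under the vty lines returns an empty list.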

GNS3

GNS3 is open source (GNU GPL) software that simulates complex networks while staying as close as possible to the way real networks behave, all without dedicated network hardware such as routers and switches.

GNS3 provides an intuitive graphical user interface for designing and configuring virtual networks. It runs on ordinary PC hardware and on multiple operating systems, including Windows, Linux, and Mac OS X.

To provide complete and accurate simulations, GNS3 uses the following emulators to run the very same operating systems as real networks:

• Dynamips, the well-known Cisco IOS emulator.
• VirtualBox, which runs desktop and server operating systems as well as Juniper JunOS.
• QEMU, a generic open source machine emulator, which runs Cisco ASA, PIX and IPS.

GNS3 is an excellent alternative or complementary tool to real labs for network engineers, administrators and people studying for certifications such as Cisco CCNA, CCNP and CCIE, as well as Juniper JNCIA, JNCIS and JNCIE.

It can also be used to experiment with features or to check configurations that need to be deployed later on real devices.


GNS3 also includes other features, such as connecting the virtual network to real ones and capturing packets with Wireshark. Finally, thanks to the VirtualBox support, system administrators and engineers can use GNS3 to build labs and test network features.
