What is Networking? (Introduction)
#1
Networking Fundamentals


Internet
Interconnected networks owned by different companies or organisations running TCP/IP generally accessible to anyone.

Intranet
A private internet network designed for use by company employees only.

Extranet
Part of a company’s intranet that is accessible to people who are outside the company, so it allows external users access to some internal resources.

Perimeter Networks
Also called demilitarized zones (DMZ), these are parts of a company’s network that are intentionally exposed to the untrusted Internet. This is normally to allow external access to the company’s web, FTP, mail, VoIP or DNS servers. They are held at arm’s length from the rest of the corporate network by firewalls.

A cheap but less secure implementation is as a three-homed perimeter network, where the firewall has three network adapters configured as follows:

1. Connected to the internal company network
2. Connected to the perimeter network (where company Web/Mail servers sit)
3. Connected to the public Internet.

The more secure but more expensive implementation has two firewalls. The EXTERIOR firewall is connected to the Internet and to the DMZ. The INTERIOR firewall is connected to the DMZ and the internal company network.

Network Topologies - Physical

Star
All nodes are connected to a central node, which is therefore a single point of failure. However, breaks in any arm of the star only affect nodes attached to that arm.
Simple and cheap (now that switches are cheap).
Ethernet (10BaseT, 100BaseT, 1000BaseT) LANs are implemented as a Star, with an Ethernet switch at the centre. Switches have replaced hubs.
Token Ring is implemented as a physical star using Multi-station Access Units (MAU).

Ring
A ring is a closed loop of point to point connections, where each device has an upstream and downstream neighbour.
As a single ring it is rather fragile, because if any individual connection breaks then the network is broken; however, the location of the break is easily spotted.
More expensive than Star or Bus.
Fibre Distributed Data Interface – FDDI. It is often implemented as dual counter rotating rings for fault tolerance. Dual attached devices can “heal” the ring when necessary, although performance drops.

Bus
Devices connect directly or via a drop cable to a “backbone”.
Fragile: any break in the bus (backbone) breaks the network, although a break in a drop cable may only affect one machine.
Cheapest, one cable runs between each node.
Slowest data rate of all topologies under high loads, as its performance degrades with the number of active nodes.
Ethernet 10Base5 (Thick-net) & 10Base2 (Thin-net)

Mesh
All nodes connect to all other nodes and can pass messages on to other nodes if required.
Most resilient network as anything less than complete failure will not compromise the network.
A Mesh is the most expensive network – usually only hypothetical.

Hybrid
A combination of each of the other topologies e.g. a fibre-optic ring network with a star or a bus connected to each node of the ring with multiple connections between various nodes.
The Internet is a real-world implementation.

Network Topologies – Logical


Bus
IEEE 802.3 – Ethernet

Ring
IEEE 802.5 – Token Ring
Fibre Distributed Data Interface (FDDI), which is often implemented as dual counter rotating rings.

Physical Diagram
This describes the physical infrastructure and location of network equipment. This includes information such as cable types and approximate cable lengths. It will contain information on static or dynamic IP addresses.
The equipment reflects the usage; for example, a switch or a hub implements a physical star topology.

Logical Diagram
The way computers are logically connected together, but not where they physically are. It will contain information on static or dynamic IP addresses.
Note: the equipment used may not be reflected in the diagram; for example, using a switch implements a star topology but using a hub implements a logical bus topology.

Wiring Diagram
This describes the physical details of the network, where wall ports are located, the wiring used etc. but not IP addressing details.

Addressing


ARP
Address Resolution Protocol resolves IP addresses to MAC addresses, linking routing at OSI layer 3 with layer 2. A broadcast is sent to all nodes asking which node has a specific IP address, and the intended node replies with its MAC address. It is replaced by Neighbor Discovery Protocol (NDP) in IPv6.

IPv4
Addressing
32-bit address arranged as 4 x 8 bits (bytes or octets), converted to decimal, e.g. 145.34.5.253
The subnet mask has two parts: the first part, set to ones, defines the subnet and the second part, set to zeros, defines the host.

[Image: CL7v]

Subnet range 145.34.5.0 – 145.34.5.255 Host number range 0 – 255*

*In fact the 0th address is not used and the last address is used as the broadcast address, so only 254 addresses are available.

TCP/IP Classes
The IPv4 address range was originally split into 4 classes:

[Image: CL91]

Addresses with the first octet 0 mean “The current network” so cannot be used for a host.
Addresses with the first octet 255 are used for broadcast so cannot be used for a host.
Addresses with the first octet 127 are used for local loopback so cannot be used for a host.
Addresses in the range 169.254.x.x are used for Automatic Private IP Addressing (APIPA).

Classless Inter Domain Routing (CIDR)

The class system has become unworkable as IPv4 addresses start to run out. The smallest subnet (class C) is 256 addresses which is too large to allocate to most customers. To resolve this Classless Inter Domain Routing (CIDR) was created which allows subnets of varying sizes to be allocated. The CIDR notation for subnet masks is written using a /<number> on the end of an address.

As an example, 192.168.1.0/24:
of the 32 bits in the IP address, the first 24 bits are the subnet and the remaining 8 bits are the host address.
So the subnet mask is:

[Image: CL9X]

Eight bits means that the subnet has 2^8 - 2 = 254 host addresses (0 & 255 are reserved).

Another example: the subnet 10.45.34.64/27
means that you have a subnet mask of 27 bits and a host mask of:
32 – 27 = 5 bits.

This means that the subnet has:
2^5 - 2 = 30 host addresses
and the subnet mask is:

[Image: CLaY]

Working out the subnet root and broadcast address
To get the “Incremental Number”, subtract the last non-zero value of a subnet mask from 256.

For example, given the IP address: 10.1.1.0/29
the subnet mask is: 255.255.255.248
the last numbered octet is: 248
256 - 248 = 8

Therefore the subnets increment (jump up) in 8s,
i.e. 10.1.1.0, 10.1.1.8, 10.1.1.16 etc. Note: subnet roots normally start at .0

An alternative method of finding the “Incremental Number” is to look at the value of the last bit of the subnet mask.
To calculate the broadcast address for the subnet you take the next subnet start address and subtract 1.

E.g. For 10.1.1.8 the next subnet starts at 10.1.1.16
Subtract 1 = 10.1.1.15, so the broadcast for 10.1.1.0/29 is 10.1.1.15
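The subnet arithmetic above, as an added example that is not part of the original post: it applies the “Incremental Number” rule on the raw 32-bit values and works out the root, broadcast, usable range and host count for the post’s own examples (192.168.1.0/24, 10.45.34.64/27, 10.1.1.0/29) plus the constructed 10.1.1.8/29. Function names are mine; nothing here touches the network.

```python
# Added example (not from the original post): IPv4 subnet arithmetic using the
# "incremental number" method described above, done on the raw 32-bit values so
# it also covers prefixes that do not end in the last octet. Inputs are the
# post's own examples plus the constructed 10.1.1.8/29.

def ip_to_int(ip):
    """Pack dotted-decimal text into a 32-bit integer, rejecting malformed input."""
    parts = ip.split(".")
    if len(parts) != 4:
        raise ValueError(f"bad IPv4 address: {ip}")
    value = 0
    for part in parts:
        if not part.isdigit() or int(part) > 255:
            raise ValueError(f"bad octet {part!r} in {ip}")
        value = (value << 8) | int(part)
    return value

def int_to_ip(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_to_mask(prefix):
    """/27 -> 255.255.255.224: the first `prefix` bits set to one, the rest zero."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def increment_number(mask):
    """The post's rule: 256 minus the last non-zero octet of the mask.
    Returns (increment, octet position 1-4) so the caller knows which octet jumps;
    for /24 that is (1, 3), i.e. subnets advance by one in the third octet."""
    octets = [(mask >> shift) & 0xFF for shift in (24, 16, 8, 0)]
    for position in (4, 3, 2, 1):
        if octets[position - 1]:
            return 256 - octets[position - 1], position
    return 256, 1                 # /0: a single block covering everything

def subnet_info(cidr):
    """Network root, broadcast, usable range and host count for an address in CIDR form."""
    ip, prefix_text = cidr.split("/")
    prefix = int(prefix_text)
    mask = prefix_to_mask(prefix)
    network = ip_to_int(ip) & mask              # keep only the subnet bits
    broadcast = network | (~mask & 0xFFFFFFFF)  # set every host bit
    host_bits = 32 - prefix
    # The post's 2^n - 2 rule reserves the root and broadcast addresses; /31 and /32
    # have no such pair, so every address is usable there.
    reserve = host_bits >= 2
    return {
        "mask": int_to_ip(mask),
        "increment": increment_number(mask),
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "first_host": int_to_ip(network + 1 if reserve else network),
        "last_host": int_to_ip(broadcast - 1 if reserve else broadcast),
        "usable_hosts": 2 ** host_bits - 2 if reserve else 2 ** host_bits,
        "next_subnet": int_to_ip((broadcast + 1) & 0xFFFFFFFF),
    }

def contains(cidr, ip):
    """True when `ip` falls inside the subnet written as `cidr`."""
    base, prefix_text = cidr.split("/")
    mask = prefix_to_mask(int(prefix_text))
    return (ip_to_int(base) & mask) == (ip_to_int(ip) & mask)

if __name__ == "__main__":
    for example in ("192.168.1.0/24", "10.45.34.64/27", "10.1.1.0/29", "10.1.1.8/29"):
        print(example, subnet_info(example))
    print(contains("10.1.1.8/29", "10.1.1.13"), contains("10.1.1.8/29", "10.1.1.16"))
```

Running it shows the broadcast for 10.1.1.0/29 is 10.1.1.7 and for the next block, 10.1.1.8/29, it is 10.1.1.15, which is the value the worked example above arrives at.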

IPv6
Addressing
Written in hexadecimal format

[Image: CLcU]

128 bits arranged in 8 groups of 16 bits (represented in Hexadecimal) separated by colons.

E.g. FE80:0000:0000:0000:0000:0000:01A2:F190

Consecutive zeros can be skipped for brevity, being replaced by a double colon, and leading zeros in individual words can be skipped. So the address above could be written:
FE80::1A2:F190

Special IPv6 Addresses
Local loopback


::1 (which is the equivalent of 0000:0000:0000:0000:0000:0000:0000:0001)

Link-local addresses
This is sort of the equivalent of IPv4 APIPA and allows nodes to communicate between themselves.
FE80:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX FE80::/7

Unique Local Addresses
These are similar to private address ranges and are limited to local networks only.
FC00:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX FC00::/7

Multicast addresses

Messages sent to one of these addresses will be received by all appropriate network nodes.

FF01::1 – All interface-local nodes
FF02::1 – All link-local nodes
FF01::2 – All interface-local routers
FF02::2 – All link-local routers

Anycast addresses
Messages sent to one of these addresses will be received by ANY appropriate network node, usually the nearest node to the originator. They have the same address format as normal (or unicast) addresses.

Running IPv6 with IPv4 networks
There are various tunnelling options to support running IPv6 networks across IPv4 backbones inter-site or intra-site.

• 6to4 - a system that allows IPv6 packets to be transmitted over an IPv4 network without the need to configure explicit tunnels. The address format is typically:
2002:<IPv4 first 2 bytes>:<IPv4 second 2 bytes>:xxxx:xxxx:xxxx:xxxx:xxxx

• Teredo tunnelling allows IPv6 communication across IPv4 backbone networks. Tunnelling traffic can pass through NATs. Addresses are in the format:
2001:0000:xxxx:xxxx:xxxx:xxxx:<IPv4 first 2 bytes>:<IPv4 second 2 bytes>

• ISATAP – uses a modified address format of an IPv6 link-local address:
FE80::5EFE:<IPV4 first 2 bytes>:<IPV4 second 2 bytes>

• NAT-PT – another technique is to put the IPv6 network behind a NAT device which translates between IPv4 and IPv6 in a similar way to an IPv4 NAT.
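The IPv6 text handling described in the Addressing section above (expanding “::” and dropped leading zeros, and compressing back) together with the 6to4 and ISATAP address layouts just listed, as one added example that is not part of the original post. Function names and the sample addresses (192.0.2.1 is a documentation address) are mine; Teredo is left out because its real layout obfuscates the embedded client address.

```python
# Added example (not from the original post): expand and compress IPv6 text
# addresses as the post describes, and build / recover the IPv4 address embedded
# in 6to4 and ISATAP addresses using the group positions listed above.

def expand_ipv6(addr):
    """Return the eight 16-bit groups of an IPv6 address as integers,
    accepting the '::' shorthand and dropped leading zeros."""
    if addr.count("::") > 1:
        raise ValueError("only one '::' is allowed")
    if "::" in addr:
        head, tail = addr.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError(f"expected 8 groups, got {len(groups)}: {addr}")
    values = []
    for group in groups:
        if not 1 <= len(group) <= 4:
            raise ValueError(f"bad group {group!r} in {addr}")
        values.append(int(group, 16))
    return values

def compress_ipv6(groups):
    """Drop leading zeros in each group and replace the longest run of two or
    more consecutive zero groups (the first such run on a tie) with '::'."""
    best_start, best_len = -1, 0
    run_start, run_len = -1, 0
    for i, group in enumerate(groups + [1]):   # sentinel terminates a trailing run
        if group == 0:
            if run_len == 0:
                run_start = i
            run_len += 1
        else:
            if run_len > best_len:
                best_start, best_len = run_start, run_len
            run_len = 0
    hexgroups = [format(group, "x") for group in groups]
    if best_len < 2:
        return ":".join(hexgroups)
    head = ":".join(hexgroups[:best_start])
    tail = ":".join(hexgroups[best_start + best_len:])
    return f"{head}::{tail}"

def ipv4_to_groups(ipv4):
    """Split a dotted IPv4 address into the two 16-bit groups the tunnelling formats use."""
    octets = [int(part) for part in ipv4.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address {ipv4}")
    a, b, c, d = octets
    return (a << 8) | b, (c << 8) | d

def six_to_four_prefix(ipv4):
    """2002:<first 2 bytes>:<second 2 bytes>::/48 for a public IPv4 address."""
    hi, lo = ipv4_to_groups(ipv4)
    return compress_ipv6([0x2002, hi, lo, 0, 0, 0, 0, 0]) + "/48"

def isatap_link_local(ipv4):
    """FE80::5EFE:<IPv4 first 2 bytes>:<IPv4 second 2 bytes>, as listed above."""
    hi, lo = ipv4_to_groups(ipv4)
    return compress_ipv6([0xFE80, 0, 0, 0, 0, 0x5EFE, hi, lo])

def embedded_ipv4(addr):
    """Recover the IPv4 address carried by a 6to4 or ISATAP address."""
    g = expand_ipv6(addr)
    if g[0] == 0x2002:
        hi, lo = g[1], g[2]
    elif g[0] == 0xFE80 and g[5] == 0x5EFE:
        hi, lo = g[6], g[7]
    else:
        raise ValueError("not a 6to4 or ISATAP address")
    return f"{hi >> 8}.{hi & 0xFF}.{lo >> 8}.{lo & 0xFF}"

if __name__ == "__main__":
    print(compress_ipv6(expand_ipv6("FE80:0000:0000:0000:0000:0000:01A2:F190")))
    print(six_to_four_prefix("192.0.2.1"), isatap_link_local("192.0.2.1"))
    print(embedded_ipv4("fe80::5efe:c000:201"))
```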

Security

VPN
A virtual private network connects two nodes securely via the public Internet, e.g. an employee connecting to the corporate intranet from Starbucks.

Security authentication may be provided by a RADIUS server.

Firewalls
Packet filter or stateless firewalls
Packets from the Internet are filtered based on the source or destination IP address, the TCP or UDP port, or the protocol used. They operate at OSI level 3.

Stateful firewalls
Packets are filtered as with the previous type, but in addition sequences of packets are tracked so that incoming packets are only allowed when they are a response to outgoing packets. This means that rogue packets cannot be smuggled in the middle of acceptable traffic.
They operate at OSI level 3 & 4.

Application layer firewalls
Packets can be filtered at layers 3 – 7 of the OSI model. It acts as a stateful firewall but also looks at the content of the packets, so that regardless of the TCP or UDP port used it can detect and block unwanted traffic even if it is attempting to sneak through on a non-standard port.
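The difference between the stateless and stateful filters above, as an added example that is not part of the original post: one constructed packet trace is passed through a port-based rule and through a connection-tracking filter with the same policy, and the packets only the stateful version rejects are reported. Addresses, ports and the trace are constructed (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges); the flow tracking is deliberately simplified.

```python
# Added example (not from the original post): the same constructed packet
# trace passed through a stateless rule and through a connection-tracking
# filter, to show which packets only the stateful version rejects.
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport flags")   # flags: set of TCP flag names

INSIDE_HOST = "192.168.1.10"                                  # constructed inside address

def stateless_allow(pkt):
    """Packet-filter rule: anything outbound is fine; inbound is allowed only
    if it looks like a web reply (source port 80). No memory between packets."""
    if pkt.src == INSIDE_HOST:
        return True
    return pkt.dst == INSIDE_HOST and pkt.sport == 80

class StatefulFilter:
    """Same policy, but inbound packets are admitted only as replies to a
    connection the inside host opened. Simplified: flows are created by an
    outbound SYN and forgotten on RST; a real firewall also follows the
    FIN handshake and ages idle entries out."""
    def __init__(self):
        self.flows = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def allow(self, pkt):
        if pkt.src == INSIDE_HOST:                          # outbound
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if "SYN" in pkt.flags and "ACK" not in pkt.flags:
                self.flows.add(key)                         # inside host opened a connection
                return True
            return key in self.flows                        # continuation of a known flow
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)      # inbound: look up the reverse tuple
        if key not in self.flows:
            return False                                    # unsolicited, whatever the port says
        if "RST" in pkt.flags:
            self.flows.discard(key)                         # peer tore the connection down
        return True

PEER, ROGUE = "203.0.113.5", "198.51.100.7"                  # constructed outside addresses
TRACE = [
    Packet(INSIDE_HOST, 51000, PEER, 80, {"SYN"}),           # 0 inside host opens a web connection
    Packet(PEER, 80, INSIDE_HOST, 51000, {"SYN", "ACK"}),    # 1 legitimate reply
    Packet(INSIDE_HOST, 51000, PEER, 80, {"ACK"}),           # 2 handshake completes
    Packet(ROGUE, 80, INSIDE_HOST, 51000, {"ACK"}),          # 3 unsolicited packet dressed as a reply
    Packet(PEER, 80, INSIDE_HOST, 51000, {"RST"}),           # 4 peer closes the connection
    Packet(PEER, 80, INSIDE_HOST, 51000, {"ACK"}),           # 5 traffic after the close
]

def evaluate(trace):
    """Return (stateless_verdict, stateful_verdict) per packet, in order."""
    fw = StatefulFilter()
    return [(stateless_allow(p), fw.allow(p)) for p in trace]

def smuggled(trace):
    """Indices of packets the stateless rule lets in but connection tracking drops."""
    return [i for i, (sl, sf) in enumerate(evaluate(trace)) if sl and not sf]

if __name__ == "__main__":
    for i, (p, verdict) in enumerate(zip(TRACE, evaluate(TRACE))):
        print(i, p.src, "->", p.dst, sorted(p.flags), "stateless/stateful:", verdict)
    print("admitted only by the stateless rule:", smuggled(TRACE))
```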

Intrusion Detection System (IDS)
These devices monitor the network for suspicious traffic and report such activity.

Intrusion Prevention System (IPS)
These devices go one step further than IDS, they monitor the network for suspicious traffic and then take action to block or stop as well as report such activity.

Proxy Servers
Proxy servers are used to control the information going in and out of the company network. Clients send their requests to the proxy server, which processes the request on the client’s behalf, so the proxy server can prevent access to specific sites, types of data or protocols. To improve performance they can also cache data for the benefit of other users, without needing to fetch the data repeatedly from remote sites.

Network Address Translation
It allows a single device to act as an intermediary between the Internet and a local network. This effectively means that a single public IP address can be used for an entire group of computers, which are using private IP addresses. Unsolicited packets arriving from the Internet at the NAT may be sent to a specific computer behind the NAT for processing; this is called “Port Forwarding”.

Network Standards

Ethernet IEEE 802.3

CSMA/CD – Carrier Sense Media Access / Collision Detection
Each node listens to see if the network is clear and then transmits; if a collision occurs then both nodes back off for a short time before retrying.

Token Ring IEEE 802.5
A token is passed from node to node; if a node has the token then it can send data onto the network. Once it has finished sending it releases the token onto the network so other nodes can transmit data.
Guaranteed throughput, only one machine can talk at a time, no collisions.

Wireless IEEE 802.11
CSMA/CA – Carrier Sense Media Access / Collision Avoidance
Each node listens to see if the channel is clear and then transmits a Request to Send (RTS); if it hears another RTS then it backs off for a short time before retrying.

Datalink speeds

Note: this table is not exhaustive, check http://en.wikipedia.org/wiki/List_of_device_bandwidths for other types

[Image: CLiO]
[Image: CLj7]

Network devices


[Image: CLo9]

Wired Network Cabling LAN

Twisted Pair

UTP – Unshielded Twisted Pair
STP – Shielded Twisted Pair (used to reduce impact of EMI)

[Image: CLoP]

RJ45 Wiring Standards (TIA-EIA)

[Image: CLpe]

To create a “cross-over” cable, wire one end to one standard and the other end to the other standard. For a normal cable use the same wiring standard at both ends (usually T568B).

Coaxial
[Image: CLq5]
Fibre optic
[Image: CLqe]

Note: there are many other Fibre Optic types.

Wireless network connections WLAN

[Image: CLqN]

WEP (Wired Equivalent Privacy)

Uses a pre-shared key, where each device has to have the key typed in.

64-bit uses a 40-bit key combined with a 24-bit initialization vector.
128-bit uses a 104-bit key combined with a 24-bit initialization vector.

RC4 encryption is used, whose security is compromised.

WPA (Wi-Fi Protected Access)
WPA implements the majority of 802.11i. TKIP (Temporal Key Integrity Protocol) encryption is used, which dynamically generates a new key for each packet.

WPA2 implements 802.11i fully. AES (Advanced Encryption Standard) based encryption is used (may be known as CCMP).
WPA-Personal, aka WPA-PSK (pre-shared key), where each device has to have the 256-bit key typed in.
WPA-Enterprise uses a RADIUS server to authenticate each user using EAP-TLS or similar.

Ad-hoc Wireless
Direct host-to-host wireless connection.
Up to 9 computers set up with static private addresses.
Wireless Network connection->Advanced->Computer-to-computer.

Infrastructure Wireless
Access via a Wireless Access Point to a wired network.

VLAN
VLANs are constructed using Managed Switches.
Devices can be grouped into Virtual LANs or Logical LANs regardless of where they are physically located. Each VLAN is isolated from the next as if they were separate subnets.
They can be used to implement load balancing and bandwidth allocation.

WAN
Connecting LANs together forms a Wide-Area Network which is normally operated over fixed-link cabling such as T1, T4, OC-192 etc.

Network Protocols

Routing
Static routing

Static routes are stored in the routing table and define to which router each received packet should be passed on. Where there is no better match, the packet is passed on to the default route. If there is no default route configured then the router will drop the packet.
The problem with static routes is that they need to be manually reconfigured when routing changes.
The ROUTE command displays and configures the routing table on a Windows or Unix machine.

Dynamic Routing
In a complex environment, static routing is too cumbersome. Various measures can be used to work out which is the “best” route through a network.

These divide into two main types:

• Number of hops (distance vector) – which simply counts the number of routers between the two end points regardless of speed, distance or cost.

• Cost of route – this calculates a route taking into account either a financial cost, the speed of a connection, the reliability of a link etc. Each connection is given a metric based on this cost.

Routing Information Protocol (RIP) – a distance vector protocol
Each router builds up a table of the routers to which it is connected. It broadcasts this table every 30-60 seconds. It updates its own list using information in the packets from other routers. It then re-broadcasts the updated table.
The problems are that this mechanism doesn’t scale well and (because it uses broadcasts) can flood the network with update information. It only calculates the minimum number of hops regardless of the cost so can sometimes make naïve choices.

RIPv2 has some improvements, but mainly to do with security.

Open Shortest Path First (OSPF) – a link state protocol
Each router discovers the routers adjacent to it (its link-state) and floods the network with this information. It then builds up a database of all the paths in the network and their relative cost from all the link-state packets it receives. At intervals it checks its link-state and sends out updates to all other routers and updates its database with received packets.
The advantage over RIP is that the relative cost of the paths can be calculated so that link speeds and availability can be considered.
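The RIP versus OSPF contrast above, as an added example that is not part of the original post: a constructed four-router topology is run through a hop-count distance-vector computation and a link-cost Dijkstra computation, so the “naive choice” of a one-hop but slow direct link shows up side by side with the cheaper two-hop path. Router names, link costs and function names are mine.

```python
# Added example (not from the original post): a constructed four-router
# topology run through a hop-count (RIP-style) and a link-cost (OSPF-style)
# route computation, to show the "naive choice" the post describes.
import heapq
import itertools

# Constructed links: (router, router, cost). A-C is a direct but slow link
# (high cost); A-B-C is two fast hops.
LINKS = [("A", "B", 1), ("B", "C", 1), ("A", "C", 10), ("C", "D", 1)]

def build_graph(links):
    """Adjacency map: graph[u][v] = cost, symmetric because links are bidirectional."""
    graph = {}
    for u, v, cost in links:
        graph.setdefault(u, {})[v] = cost
        graph.setdefault(v, {})[u] = cost
    return graph

def distance_vector_hops(graph, source, max_hops=15):
    """RIP-style distance vector: each router only sees its neighbours' tables
    and keeps the lowest hop count; link cost never enters the calculation.
    Returns the source router's table as {dest: (hops, next_hop)}."""
    tables = {router: {router: (0, None)} for router in graph}
    changed, rounds = True, 0
    while changed and rounds < len(graph):      # Bellman-Ford settles within |routers| rounds
        changed, rounds = False, rounds + 1
        for router, neighbours in graph.items():
            for nbr in neighbours:               # "receive" each neighbour's advertised table
                for dest, (hops, _) in list(tables[nbr].items()):
                    candidate = hops + 1
                    if candidate > max_hops:     # RIP counts 16 hops as unreachable
                        continue
                    known = tables[router].get(dest)
                    if known is None or candidate < known[0]:
                        tables[router][dest] = (candidate, nbr)
                        changed = True
    return tables[source]

def link_state_cost(graph, source):
    """OSPF-style link state: the whole topology is known, so Dijkstra picks the
    lowest total cost. Returns {dest: (cost, next_hop)}."""
    order = itertools.count()                    # tie-breaker so the heap never compares routers
    heap = [(0, next(order), source, None)]
    routes, visited = {}, set()
    while heap:
        cost, _, router, first_hop = heapq.heappop(heap)
        if router in visited:
            continue
        visited.add(router)
        routes[router] = (cost, first_hop)
        for nbr, link_cost in graph[router].items():
            if nbr not in visited:
                hop = nbr if router == source else first_hop
                heapq.heappush(heap, (cost + link_cost, next(order), nbr, hop))
    return routes

def compare(links, source, dest):
    """Side-by-side choice of (metric, next hop) for one destination under both protocols."""
    graph = build_graph(links)
    return {"rip": distance_vector_hops(graph, source)[dest],
            "ospf": link_state_cost(graph, source)[dest]}

if __name__ == "__main__":
    for dest in ("C", "D"):
        print(f"A -> {dest}:", compare(LINKS, "A", dest))
```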

Others

IGRP – Interior Gateway Routing Protocol
BGP – Border Gateway Protocol
EGP – Exterior Gateway Protocol

Domain Name System

Fully qualified domain names (FQDN)
An FQDN consists of two parts:

Host.Domain

The host name is the name of the machine, whereas the domain name is the name of a logical grouping of hosts.
E.g.

fap-002-001.Hackforums.com Host name = fap-002-001 and the Domain name = Hackforums.com

Domains are hierarchical. The last part of the domain name is the Top Level Domain and indicates the type of organisation or its country.

E.g.

.com – commercial
.mil – military
.org – not-for-profit domains
.gov – governments
.edu – educational domains
.uk – United Kingdom
.de – Germany
.tv – Tuvalu.

The part before the TLD usually indicates the organisation owning the domain name e.g. HackForums or Microsoft. Some organisations might create sub-domains to help organise hosts.

E.g. social.technet.microsoft.com where technet is a sub-domain of Microsoft.

DNS resolves (translates) a hostname or FQDN into an IP address, like a telephone directory service.
A Windows client PC goes through the following steps to resolve an address:

1. Check to see if it’s my name
2. Check my cached names.

The information may be cached locally from previous DNS lookups.

3. Check my HOSTS file for a matching entry.
4. Request a resolution from the local DNS server. If the address is not known by the local machine then the request may be forwarded to another DNS server.

5. If the name is still not resolved then NetBIOS resolution methods may be used.

Commands
NSLOOKUP allows us to query a name manually using DNS.
IPCONFIG /all will list which DNS servers we will consult.
IPCONFIG /displaydns displays any previously resolved addresses which have been cached.
IPCONFIG /flushdns clears the cache, forcing new requests to be made to the DNS server.

DNS Server records

[Image: CLy3]

WINS (Windows Internet Name Service)
NetBIOS has its own method of resolving names to addresses called WINS, which operates in a similar fashion to DNS and can escalate its searches to DNS if necessary. NetBIOS uses the LMHOSTS file rather than the HOSTS file for static addresses.

DHCP (Dynamic Host Configuration Protocol)
Instead of managing and setting static IP addresses and details for each node, Dynamic Host Configuration Protocol is used to allocate and distribute dynamic settings. A DHCP server responds to a client requesting a lease with:

• IP address
• Subnet Mask

And optionally:

• Default Gateway
• Domain name
• DNS Server
• WINS Server
• Hostname
• Time Server
• Print Server

The DHCP server can be configured to ensure that no address conflicts occur.
On Windows clients, if no DHCP server can be contacted, by default the client configures itself with an Automatic Private IP Address (APIPA) which is in the range 169.254.x.x.

RAS and RRAS
Remote Access Servers and Routing & Remote Access Servers provide access to company systems from remote locations via Dial-up, VPN, IP or NAT.
There are three models: hosting, software and appliance.
Security authentication may be provided by a RADIUS server.

IPsec
IPsec is a protocol which can secure any IP communication. It authenticates and encrypts each IP packet of a data stream using cryptographic keys.

Other methods of securing packets such as Secure Sockets Layer (SSL) and Transport Layer Security (TLS) require that the applications are specifically written to support them; IPsec operates transparently to the application.

Network Tools

The options listed are not comprehensive, only common or especially useful options are detailed.
Use the help facility to view all options e.g. PING /?

PING

Used to test if a node is accessible using IP.
Sends an ICMP packet to the specified address and waits for the response.
PING -4 Ping using IPv4 only
PING -6 Ping using IPv6 only
PING -t Ping continuously until Ctrl-C is typed.

IPCONFIG (ifconfig on Linux)

Displays details of the NIC and TCP/IP configuration of each network connection.
Can also be used to display or flush the DNS cache
Can be used to release and renew DHCP address leases
IPCONFIG Display basic IP details for all interfaces
IPCONFIG /ALL Display extended IP details for all interfaces
IPCONFIG /RELEASE Releases any currently held dynamic address leases
IPCONFIG /RENEW Request a new dynamic address from the DHCP server
IPCONFIG /DISPLAYDNS Display a list of all resolved DNS queries in the cache
IPCONFIG /FLUSHDNS Empty the cache of resolved DNS name queries

TRACERT (traceroute or mtr on Linux)
Traces the path between this node and a destination detailing each router along the way. Used to identify problems and bottlenecks along the path.
TRACERT -4 Trace the route on an IPv4 network only
TRACERT -6 Trace the route on an IPv6 network only
TRACERT -d Do not resolve IP addresses to names

PATHPING
Traces the path between this node and a destination detailing each router along the way. Used to identify packet loss across a network path.
PATHPING -4 Trace the route on an IPv4 network only
PATHPING -6 Trace the route on an IPv6 network only
PATHPING -n Does not resolve IP addresses to names

NSLOOKUP (dig on Linux)
Used to interrogate the DNS system from the command line.
NSLOOKUP <host> [<nameserver>]
NSLOOKUP also has its own internal command line, type help for a list of commands

NETSTAT
Displays information about current TCP/IP network connections and protocol statistics
NETSTAT -a Displays all connections and listening ports
NETSTAT -r Displays the routing table
NETSTAT -p <protocol> Displays connections using particular protocols such as:
IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6

NBTSTAT
NBTSTAT is designed to help troubleshoot NetBIOS name resolution problems.
NBTSTAT -a <name> Lists the remote machine's name table given its name
NBTSTAT -c Lists NBT's cache of remote names and their IP addresses
NBTSTAT -n Lists local NetBIOS names.
NBTSTAT -r Lists names resolved by broadcast and via WINS
NBTSTAT -R Purges (clears) and reloads the remote cache name table
NBTSTAT -s Lists the sessions table, converting IP addresses to computer NetBIOS names.

NET
Used to configure and query local network connections
NET SHARE Make resources available to network users.
NET START Start computer services or list running services
NET STOP Stop computer services
NET PRINT Displays, holds, restarts or deletes print jobs on shared printers
NET USE Connects a computer to a shared network resource or lists current connections.
NET VIEW Lists resources being shared on a remote computer

NETSH
Used to configure and manage network settings
NETSH configures most network interfaces and services. These include:
DHCP, Bridges, Firewall, IPV4 & IPV6 interfaces, IPsec, RAS, Routing, WINS, Winsock & RPC
The command is too complicated to document here, type NETSH and then “?” to get help.

ROUTE
Used to configure static routing rules to define which routers packets are sent to.
ROUTE PRINT Print all static routes
ROUTE ADD Adds a new static route
e.g. ROUTE ADD 192.168.0.0 MASK 255.255.0.0 172.16.21.254 METRIC 3 IF 2
ROUTE CHANGE Changes the default gateway or metric of an existing static route
e.g. ROUTE CHANGE 192.168.0.0 MASK 255.255.0.0 172.16.22.254 METRIC 4 IF 2
ROUTE DELETE Delete a static route
e.g. ROUTE DELETE 192.168.0.0

ARP
Displays and modifies entries in the Address Resolution Protocol (ARP) cache.
ARP -a Lists all ARP entries in the cache.
ARP -d Deletes an ARP entry from the cache.
ARP -s Adds a Static ARP entry to the cache.

TCP/IP Ports


[Image: CLCY]

A fuller list is available at http://en.wikipedia.org/wiki/List_of_TCP...rt_numbers
alternatively look in the file C:\Windows\System32\drivers\etc\services

OSI Model


[Image: CLDS]
#2
Love the post Shultz! I'll be referencing this all the time now! <3

Best regards,
-Siberia
#3
To Comment on some cool stuff...

Firewalls:

You no longer need multiple firewall appliances, as we now have things called VDCs (Virtual Device Contexts) which essentially virtualize the control and data planes of the firewall, allowing you to have completely separate devices in one chassis. So now, you can have an ingress point, wherein traffic flows through some arbitrary VLAN, into the SVI (Switch Virtual Interface) then into a VRF (Virtual Routing / Forwarding instance) on a switch Context, into a port-channel, tagged with a 802.1q Vlan ID. That ingresses the firewall, is processed, and assuming that the traffic is permitted, the firewall will then send that packet back out that same port-channel, except tagged with a different 802.1q Vlan, which would then ingress a Back-End Context SVI which belongs to a particular VRF.

This in essence allows you to have Active-Active Multi-Context Sub-Port-Channel Filtering.


mGRE over IPSEC (aka DMVPN)

mGRE (multipoint General Routing Encapsulation) over IPSEC (duh) when combined with NHRP (Next-Hop Resolution Protocol) is a neat way to create a full mesh (esque) dynamic discovery IPSEC backbone with layer-2 peering over that medium. It enables you to (through the NHRP process) dynamically learn about new neighbors, and map their IPSEC and GRE endpoints to each additional node. This process takes place with minimal configuration, and over the internet - all while remaining secure by communicating within the IPSEC data channel. Once the layer-2 adjacency is established, you can then peer dynamic routing protocols over that medium to really make life easier. Below, I'll include some config from one of my routers (note, I've removed IPs and hostnames):
Code:
RTR1.NOPE-LA.YouCan'tSeeThis#show run int tun0
Building configuration...

Current configuration : 677 bytes
!
interface Tunnel0
bandwidth 1048576
ip address 10.xxx.xxx.2 xxx.xxx.255.0
no ip redirects
no ip proxy-arp
ip mtu 1400
ip authentication mode eigrp 10 md5
ip authentication key-chain eigrp 10 AUTH-EIGRP
ip hello-interval eigrp 10 1
ip hold-time eigrp 10 3
no ip next-hop-self eigrp 10
ip pim sparse-dense-mode
ip nhrp authentication NOPE
ip nhrp map 10.xxx.xxx.1 108.xxx.xxx.82
ip nhrp map multicast 108.xxx.xxx.82
ip nhrp network-id 10
ip nhrp nhs 108.xxx.xxx.82
ip nhrp redirect
ip tcp adjust-mss 1360
no ip split-horizon eigrp 10
shutdown
qos pre-classify
tunnel source 23.xxx.xxx.2
tunnel mode gre multipoint
tunnel protection ipsec profile DMVPN-NOPE
end


You also have the ability to configure something called a VTI (Virtual tunnel interface) which really simplifies the IPSEC deployment. Normally for an IPSEC L2L (LAN to LAN) tunnel, you would have to configure up your crypto isakmp (or ikev1/v2) policy, crypto map, crypto map ACL, crypto transform set, crypto PSK, tunnel-group, DH Key group, peer...blah blah blah.

The bitch of it was that your crypto map ACL was very static in nature, and only permitted the traffic from A to B, and nothing outside of this. For example, if you had a main office, as well as a remote office configured, that would be all fine and dandy. E.g.:

Crypto ACL 1 for HQ: permit ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
Crypto ACL 1 for Remote Site: permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255

Now, if you were to add a remote site with connections back into both the old remote site, and the HQ for redundant paths... well..

HQ:
Crypto ACL 1: permit ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
Crypto ACL 2: permit ip 10.0.0.0 0.0.0.255 10.0.2.0 0.0.0.255
Crypto ACL 3: permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
Crypto ACL 4: permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255

Remote Site 1 (10.0.1.0/24):
Crypto ACL 1: permit ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
Crypto ACL 2: permit ip 10.0.0.0 0.0.0.255 10.0.2.0 0.0.0.255
Crypto ACL 3: permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
Crypto ACL 4: permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255


Remote site 2 (10.0.2.0/24):
Crypto ACL 1: permit ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
Crypto ACL 2: permit ip 10.0.0.0 0.0.0.255 10.0.2.0 0.0.0.255
Crypto ACL 3: permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
Crypto ACL 4: permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255

Plus you would need to have static routes with track objects, and same-security permit intra-interface, etc. etc.

Whereas with the following configuration, you simply create new virtual tunnels for each additional remote site, dynamic routing protocol peering takes place over the Tunnel interfaces, and you have full-mesh inter-site connectivity. Again, for a lower configuration overhead, the above DMVPN option would only require one tunnel interface, and presto - all sites learn about the others.

Ain't Cisco fun?

Code:
RTR1.NOPE-LA.YouCan'tSeeThis#show run int tun1
Building configuration...

Current configuration : 280 bytes
!
interface Tunnel1
bandwidth 1048576
ip address 10.xxx.xxx.2 xxx.xxx.255.0
no ip redirects
no ip proxy-arp
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source 23.xxx.xxx.2
tunnel mode ipsec ipv4
tunnel destination 108.xxx.xxx.82
tunnel protection ipsec profile DMVPN-NOPE
end

RTR1.NOPE-LA.YouCan'tSeeThis#
#4
I was actually looking into this. Thank you VERY much for posting!
#5
(04-10-2014, 04:52 AM)Mr. Zane Wrote: To Comment on some cool stuff...

Nice addition!

Best regards,
-Siberia