• VPN tunnels
• Configuration of basic core network components
• Maintenance of Cisco devices
• Exercises & troubleshooting

• AP – Access Point
• AH – Authentication Header
•
AZR
– Access Zone Router
•
AGR
– Aggregation Router
•
AG
– Access Gateway (e.g. Cisco SSG, Juniper ERX)
• CSA – Central Site Area
• DHCP – Dynamic Host Configuration Protocol
•
DMVPN - Dynamic Multipoint IPsec Virtual Private Network
•
EIGRP
– Enhanced Interior Gateway Routing Protocol
•
ESP
– Encapsulating Security Payload
• GRE – Generic Routing Encapsulation
• HSA – Hotspot Area
•
IKE
– Internet Key Exchange
•
IPSec
– Internet Protocol Security
•
NHRP
– Next Hop Resolution Protocol
• OSPF – Open Shortest Path First (Routing Protocol)
• PPTP – Point-To-Point Tunneling Protocol
• SSG – Service Selection Gateway
•
VPN
– Virtual Private Network

Aggregation Router
• Interfaces
– interface to AGR (there are possibilities to create connection to more then one
AGR) - GRE tunnel with IPSec is configured over this link
– interface to APS – typically Ethernet.
– loopback
• Routing
– The AGR participate in dynamic routing protocol.
– The following networks shall be spread out:
• all networks to AZRs
• network to AG (SSG)
• network to management network
• network to other AGRs if such connection is realized
– Default gateway shall be set on SSG in central configuration or on WIP in decentral configuration
• Multipoint IPsec
– AGR may work as a hub in DMVPN (Dynamic Multipoint VPN) configuration

Access Zone Router
• Interfaces
– interface to AGR (there are possibilities to create connection to more then one AGR) - GRE tunnel with IPSec is configured over this link
– interface to APs – typically Ethernet.
– loopback
• Routing
– The AZR participate in dynamic routing protocol.
– The following networks shall be spread out:
• Network(s) to AGR(s)
• networks to APs
– Default gateway shall be set on AGR or AGRs in case of multiple connections
• Multipoint IPsec
– AZR may work as a spoke in DMVPN (Dynamic Multipoint VPN) configuration

•
DHCP (Dynamic Host Configuration Protocol) is an open, industry-standard protocol that reduces the complexity of administering networks based on TCP/IP
• All DHCP messages are carried in User Datagram Protocol ( UDP ). Datagrams use port 67 at the server and 68 at the client.
• DHCP Request for an IP Address
Host DHCPDISCOVER (broadcast)
DHCPOFFER (unicast)
DHCPREQUEST (broadcast)
DHCPACK (unicast)
Cisco router
DHCP Server
AZR

• Simplifies problems associated with manual addressing
• Centralized administration of IP configuration
• Dynamic host configuration
• Seamless IP host configuration
• Flexibility
• Scalability

Configuring DHCP on Cisco router
• Enabling the Cisco IOS DHCP Server and Relay Agent Features
Router (config)# service dhcp
• Excluding IP Addresses
Router (config)# ip dhcp excluded-address low-address [high-address]
• Configuring the DHCP Address Pool Name and Entering DHCP Pool Configuration Mode
Router (config)# ip dhcp pool name
• Configuring the DHCP Address Pool Subnet and Mask
Router (dhcp-config)# network network-number [mask | / prefix-length]
• Configuring the Domain Name for the Client
Router (dhcp-config)# domain-name domain
• Configuring the IP Domain Name System Servers for the Client
Router (dhcp-config)# dns-server address [address2 ... address8]
• Configuring the Default Router for the Client
Router (dhcp-config)# default-router address [address2 ... address8]
• Configuring the Address Lease Time
Router (dhcp-config)# lease {days [hours] [minutes] | infinite }

Example of DHCP configuration on
Cisco router
•
•
•
• ip dhcp excluded-address 10.100.1.1 10.100.1.30
•
!
• ip dhcp pool ZONE1 network 10.100.1.0 255.255.255.0
default-router 10.100.1.1 domain-name domain.i250
•
•
!
dns-server 192.168.201.2
•
• interface FastEthernet0/1 ip address 10.100.1.1 255.255.255.0

•
Router# show ip dhcp binding
• Router# show ip dhcp server statistics
•
Router# show ip dhcp conflict [address]
•
Router# clear ip dhcp binding {address | * }
• Router# clear ip dhcp conflict {address | * }
• Router# clear ip dhcp server statistics
• Router# debug ip dhcp server { events | packets | linkage }

1.
Configure DHCP server on AZR
2.
Check if client gets ip address from DHCP server

• Static Routing
– Advantages:
• Simple to configure and maintain
• Secure – as only defined routes can be accessed
• Bandwidth is not used for sending routing updates
– Disadvantages
• Manual update of routes after network changes
• Explicit addition of routes for all networks
• Dynamic Routing
– EIGRP
– OSPF

Configuring static routing on Cisco devices
ROUTER B
172.16.1.2/30
192.168.1.0/24
172.16.1.1/30
ROUTER A
FastEthernet0/1
FastEthernet0/2
10.1.1.0/24
172.16.2.1/30
ROUTER C
172.16.2.2/30
192.168.2.0/24
• ip route <destination network address> <destination network mask> <next hop>
• Router A ip route 192.168.1.0 255.255.255.0 172.16.1.2
ip route 192.168.1.0 255.255.255.0 172.16.1.2
• Router B ip route 10.1.1.0 255.255.255.0 172.16.1.1
• Router C ip route 10.1.1.0 255.255.255.0 172.16.2.1

1.
Configure static routing on AZR, AGR and SSG
2.
Check if client can access (ping) AZR, AGR, SSG

Configuring dynamic routing on Cisco devices - EIGRP
172.16.1.2/30
ROUTER B
192.168.1.0/24
172.16.1.1/30
ROUTER A
10.1.1.0/24
ROUTER C
192.168.2.0/24
172.16.2.1/30
172.16.2.2/30
•
Router A router eigrp 1 network 172.16.1.0 0.0.0.3
network 172.16.2.0 0.0.0.3
network 10.1.1.0 0.0.0.255
no auto-summary
•
Router B router eigrp 1 network 172.16.1.0 0.0.0.3
network 10.1.1.0 0.0.0.255
no auto-summary
• Router C router eigrp 1 network 172.16.2.0 0.0.0.3
network 10.1.1.0 0.0.0.255
no auto-summary

Configuring dynamic routing on Cisco devices - OSPF
•
Router A router ospf 10
172.16.1.2/30
ROUTER B
192.168.1.0/24
172.16.1.1/30
ROUTER A
10.1.1.0/24
ROUTER C
192.168.2.0/24
172.16.2.1/30
172.16.2.2/30 network 172.16.1.0 0.0.0.3 area 0 network 172.16.2.0 0.0.0.3 area 0 network 10.1.1.0 0.0.0.255 area 0
•
Router B router ospf 100 network 172.16.1.0 0.0.0.3 area 0 network 10.1.1.0 0.0.0.255 area 0
• Router C router ospf 1 network 172.16.2.0 0.0.0.3 area 0 network 10.1.1.0 0.0.0.255 area 0

1.
Configure dynamic routing (EIGRP) on AZR, AGR and SSG
2.
Check if client can access (ping) AZR, AGR, SSG
3.
Configure dynamic routing (OSPF) on AZR, AGR and SSG
4.
Check if client can access (ping) AZR, AGR, SSG

• Virtual Private Network
AGR
VPN tu nnel
tunnel
INTERNET
AZR
GRE - Generic Routing Encapsulation
PPTP- Point-to-Point Tunneling Protocol

• Secure VPNs -
Secure VPN protocols include the following:
IPsec
- SSL
- PPTP
- L2TP
- L2TPv3
• Trusted VPNs
- MPLS
- L2F

• data confidentiality (encryption)
• data integrity (verification)
• origin authentication (authentication the source of the packet)
• Verification that each packet is unique
(not duplicated)

• symmetric
– DES
– 3DES
– HMAC-Message Digest 5 (MD5)
– HMAC-SHA
• asymmetric
– Rivest, Shamir, and Adelman (RSA)
• Pre-shared keys
• RSA signatures
• RSA encrypted nonces

Authentication Header
All data in clear text
ROUTER A
Authentication Header provides:
·
Authentication
·
Integrity
ROUTER B
Encapsulating Security Payload
Data payload is encrypted
ROUTER A
Encapsulating Security Payload provides:
·
Authentication
·
Integrity
·
Encryption
ROUTER B

- Transport Mode
IP packet IP Header Data
IP Header ESP Header Data
ENCRYPTED
AUTHENTICATED
- Tunnel Mode
New IP HEADER ESP Header IP Header Data
ENCRYPTED
AUTHENTICATED
ESP
Trailer
ESP
Auth.
ESP
Trailer
ESP
Auth.

GRE/IPsec
SPOKE #1.1
AZR
SPOKE #1.2
AZR
SPOKE #1.3
AZR
SPOKE #2.1
AZR
SPOKE #2.2
AZR
SPOKE #2.3
AZR
HSA
Internet
HUB #1
AGR
HUB #2
AGR
SSG
CSA

Standards (Cisco IOS IPSec)
• IPSec (RFCs 2401-2410)
• IPSec Encapsulating Security Payload (ESP) Using
DES/3DES (RFC 2406)
• IPSec Authentication Header (AH) using MD5 or SHA
(RFCs 2403-2404)
• Internet Key Exchange ( IKE ) (RFCs 2407-2409)

AZR tunnel 10
192.168.10.2/30
Tunnel
192.168.10.0/30 tunnel 10
192.168.10.1/30
Fa0/1
192.168.6.2
Internet
Fa0/0
192.168.5.1
• Phase I (IKE Policy) crypto isakmp policy 1 authentication pre-share hash md5 encryption 3des crypto isakmp key Cisco123 address 192.168.5.1
AGR crypto isakmp policy 1 authentication pre-share hash md5 encryption 3des crypto isakmp key Cisco123 address 192.168.6.2

AZR tunnel 10
192.168.10.2/30
Tunnel
192.168.10.0/30 tunnel 10
192.168.10.1/30
Internet
Fa0/1
192.168.6.2
Fa0/0
192.168.5.1
• Phase II (IPsec Policy) crypto ipsec transform-set name1 esp-3des esp-md5-hmac mode transport access-list 110 permit gre host 192.168.6.2 host 192.168.5.1
AGR crypto ipsec transform-set name1 esp-3des esp-md5-hmac mode transport access-list 110 permit gre host 192.168.5.1 host 192.168.6.2

AZR tunnel 10
192.168.10.2/30
Tunnel
192.168.10.0/30 tunnel 10
192.168.10.1/30
Internet
Fa0/1
192.168.6.2
Fa0/0
192.168.5.1
• Phase II (IPsec Policy)
AGR crypto map map1 local-address FastEthernet0/1 crypto map map1 local-address FastEthernet0/0 crypto map map1 10 IPsec-isakmp set peer 192.168.5.1
match address 110 set transform-set name1 crypto map map1 10 IPsec-isakmp set peer 192.168.6.2
match address 110 set transform-set name1

tunnel 10
192.168.10.2/30
Tunnel
192.168.10.0/30 tunnel 10
192.168.10.1/30
AGR
AZR Internet
Fa0/1 Fa0/0
192.168.6.2
192.168.5.1
• Phase III (tunnel) interface tunnel 10 interface tunnel 10 ip address 192.168.10.2 255.255.255.252
ip address 192.168.10.1 255.255.255.252
tunnel source FastEthernet0/0 tunnel source FastEthernet0/1 tunnel destination 192.168.6.2
tunnel destination 192.168.5.1
ip mtu 1440 ip mtu 1440 crypto map map1 crypto map map1 interface Fastethernet0/0 interface Fastethernet0/1 ip address 192.168.5.1 255.255.255.0
ip address 192.168.6.2 255.255.255.0
crypto map map1 crypto map map1 router eigrp 1 router eigrp 1 network 192.168.10.0 0.0.0.3
network 192.168.10.0 0.0.0.3
no auto-summary no auto-summary

1.
Configure static IPSec/GRE tunnel between AZR and AGR
2.
Check if wired client can access (ping) AGR, SSG via VPN tunnel

AZR
(spoken) tunnel 0
192.168.10.2/24
Tunnel
192.168.10.0/30 tunnel 0
192.168.10.1/24
Fa0/1
192.168.6.2
Internet
Fa0/0
192.168.5.1
• Phase I (IKE Policy)
AGR
(hub) crypto isakmp policy 1 authentication pre-share hash md5 encryption 3des crypto isakmp key Cisco123 address 0.0.0.0 0.0.0.0
crypto isakmp policy 1 authentication pre-share hash md5 encryption 3des crypto isakmp key Cisco123 address 0.0.0.0 0.0.0.0

tunnel 0
192.168.10.2/24
Tunnel
192.168.10.0/30 tunnel 0
192.168.10.1/24
AZR
(spoken) Fa0/1
192.168.6.2
Internet
Fa0/0
192.168.5.1
• Phase II (IPsec Policy) crypto ipsec transform-set name1 esp-3des esp-md5-hmac mode transport crypto ipsec profile bwsvpnprofile1 set transform-set name1
AGR
(hub) crypto ipsec transform-set name1 esp-3des esp-md5-hmac mode transport crypto ipsec profile bwsvpnprofile1 set transform-set name1

tunnel 0
192.168.10.2/24
Tunnel
192.168.10.0/30 tunnel 0
192.168.10.1/24
AZR
(spoken)
Internet
Fa0/1 Fa0/0
192.168.6.2
192.168.5.1
• Phase III (tunnel) interface tunnel 0 interface tunnel 0 ip address 192.168.10.2 255.255.255.0
ip mtu 1400
AGR
(hub) ip address 192.168.10.1 255.255.255.0
ip mtu 1400 ip nhrp authentication ciscokey ip nhrp map 192.168.10.1 192.168.5.1
ip nhrp network-id 1 ip nhrp holdtime 300 ip nhrp nhs 192.168.10.1
tunnel source FastEthernet0/1 tunnel destination 192.168.5.1
tunnel key 0 tunnel protection ipsec profile bwsvpnprofile1 ip nhrp authentication Cisco123key ip nhrp map multicast dynamic ip nhrp network-id 1 ip nhrp holdtime 600 no ip split-horizon eigrp 1 tunnel source FastEthernet0/0 tunnel mode gre multipoint tunnel key 0 tunnel protection ipsec profile bwsvpnprofile1

AZR
(spoken) tunnel 0
192.168.10.2/24
Tunnel
192.168.10.0/30 tunnel 0
192.168.10.1/24
Fa0/1
192.168.6.2
Internet
Fa0/0
192.168.5.1
• Phase III (interfaces)
AGR
(hub) interface FastEthernet0/1 ip address 192.168.6.2 255.255.255.0
router eigrp 1 network 192.168.10.0 0.0.0.255
no auto-summary interface FastEthernet0/0 ip address 192.168.5.1 255.255.255.0
router eigrp 1 network 192.168.10.0 0.0.0.255
no auto-summary

•
Router# show ip nhrp
• Router# show ip interface
•
Router# show crypto isakmp sa
• Router# show crypto ipsec sa
• Router# show crypto ipsec sa detail
•
Router# show crypto map
• Router# show crypto engine connection active
•
Router# show ip route
•
Router# debug crypto isakmp
• Router# debug crypto ipsec
• Router# debug crypto engine

1.
Configure dynamic IPSec/GRE tunnel (DMVPN) between AZR and AGR
2.
Check if wired client can access (ping) AGR, SSG via VPN tunnel

•
Router (config)# access-list 101 permit udp any any
• Router (config)# route-map clear-df permit 10
•
Router (config-route-map)# much ip address 101
• Router (config-route-map)# set ip df 0
•
Router (config-route-map)# end
• Router (config)# interface FastEthernet0/0
•
Router (config-if)# ip address 192.168.10.1 255.255.255.0
• Router (config-if)# ip policy route-map clear-df
•
Router (config-if)# ip mtu 1400
• Router (config-if)# end

Maintenance of Cisco devices
•
Copying the Configuration to a TFTP Server
Transmission Core
Access Gateway (SSG)
• Router# copy run tftp
• Address or name of remote host []?
192.168.1.1
• Destination filename [router-confg] ?
run-confg
• !!
• 486 bytes copied in 12.2 secs (40 bytes/sec)
• Router#
• Restoring the Configuration from TFTP Server
• Router# copy tftp run
• Address or name of remote host []?
192.168.1.1
• Source filename []?
run-confg
• Destination filename [running-config]?
[Enter]
• Accessing tftp://192.168.1.1/run-confg...
• Loading run-confg from 192.168.1.1 (via FastEthernet0/1):
• !!
• [OK - 486/4096 bytes]
• 486 bytes copied in 5.3 secs (99 bytes/sec)
• Router#
Access Network
AZR
HSA #1
WLAN
AP
Client
AP
AGR #1
TFTP
SERVER
192.168.1.1

1.
Design and connect your own network
Transmission Core
Access Gateway (SSG)
2.
Configure DHCP Server on AZR
3.
Configure AZR, AGR, routing and VPN tunnel between AZR and AGR
4.
Configure Cisco Access Point
5.
Test your configuration
AZR
Intranet et
HSA #1
WLAN
Access Network
AGR #1
TFTP
SERVER
AP
Client
This exercise assumes that SSG and WI@ was correctly configured before.