Discovery 4 - Chapter 8

  • 7/31/2019 Discovery 4 - Chapter 8

    1/20

    Discovery 4 Chapter 8

    1

    Testing remote connectivity options is more difficult than testing a LAN design.

    Remote connections like Frame Relay, T1, DSL etc. are owned by service providers, not by customers.

    Testing methods for Remote Connections are:

    1. Simulation software (e.g. Packet Tracer)

    2. Prototype testing using simulated links

    3. Pilot testing in the actual environment (after testing with a simulation software)

    Benefits of using simulation software are:

    Lower overall cost: as new devices are introduced, upgrading labs can be expensive

    Flexibility: changing topology and configuration is quicker

    Scalability: building large labs is time consuming

    Control: the entire network can be controlled at once; the type and rate of traffic can be changed

    Uncover Design Flaws: the best way to detect design flaws

    Limitations of simulation software are:

    Limited Functionality: software can become out-of-date and may not support all the functions

    Unrealistic Performance: not all conditions can be predicted and tested

    A Modem or a CSU/DSU is required to convert LAN (Ethernet) to WAN (Serial signal).

    Metro Ethernet does NOT require a modem or CSU/DSU.

    A 10 Mbps Ethernet connection simulates a DSL or Cable connection.

    Routers can be connected using a Crossover Cable.

    To simulate a lower speed link, use the bandwidth command to adjust the speed of the link.

    Methods to simulate a Serial Connection are:

    1. CSU/DSUs or Serial Modems

    2. V.35 cables

    CSU/DSUs or Modems include wiring diagrams to create crossover cables.

    If a diagram is not available, search the Internet for the correct pinouts to use.

    A crossover cable can connect like devices to simulate a Telecom Service Provider's (TSP's) link.

    One CSU/DSU is configured to be DCE and the other as DTE.

    The CSU/DSU or the Modem provides the clocking for the link.

    Simulate a point-to-point WAN connection using 2 serial V.35 cables and 2 Routers.

    One is a V.35 DCE cable and the other a V.35 DTE cable; connect the 2 cables to the 2 Routers to create a V.35 crossover cable.

    The 2 serial V.35 cables eliminate the CSU/DSU, Modem and the Clocking.

    Now, ONE of the Routers must be configured as a DCE Device using the clock rate command.

    In actual implementation, routers and other CPE Devices rarely, if ever, provide DCE function.

    Change the clock rate to simulate different connection speeds.

    However, this simulation does not evaluate the actual factors of the Telecom Service Provider.

    Additional testing must be done using a Pilot Installation.

    The new network requires IP Telephony system and Video Surveillance to remote sites.

    The existing network has 2 VPN connections across the Internet using DSL Links.

    Since the ISP does not guarantee bandwidth or QoS, upgrade to a Frame Relay WAN Link and use the existing Link as a Backup (Redundant) Link for Fault Tolerance.

    Build a Prototype to simulate the WAN Link to test the configuration and Failover in case a link fails.

    However, the actual Frame Relay Link can only be tested in a Pilot project.

    Elements of the design to be tested in the Prototype WAN network are:

    Frame Relay local loop configuration

    Activation of the VPN Backup link if Frame Relay fails

    Static Routing configuration

    ACLs that filter traffic to and from the WAN sites

    SSH configuration to enable Remote Management

    A Cisco Router can be used to simulate a Frame Relay switch and test the Local Loop configuration.

    Create a Topology diagram, installation Checklist and a Test Plan to test Frame Relay connectivity.

    In an actual implementation:

    Frame Relay Local Loop connects to CSU/DSU at Customer Premises

    From the CSU/DSU a serial connection is made to the (CPE) Router

    The DCE function on the Local Loop is provided by:

    Either the TSP (Telecom Service Provider)

    Or the CSU/DSU

    Clocking for the Serial Connection (Local Loop) is provided by the CSU/DSU.

    All the connections at the Router are DTE connections and use DTE Cable.

    Router FR1 is used to simulate a Frame Relay Switch.

    FR1 is connected to other Routers using a Crossover connection (to like devices).

    The Crossover function is created by connecting 1 V.35 DTE Cable directly to a V.35 DCE Cable.

    Since there is no CSU/DSU in the simulation topology, FR1 interfaces are configured with clock rate to provide the DCE function.

    Frame Relay Link is a virtual circuit that spans a series of connections.

    Components of Frame Relay are:

    1. Local Point-to-Point circuit that connects the local CPE to the TSP's Frame Relay Switch

    2. TSP's Packet Switched (Frame Relay) Network

    3. Remote Point-to-Point circuit connecting the TSP's Network to the remote site

    Configuring Frame Relay on the CPE Router consists of setting up the Point-to-Point (T1 or fractional T1) Link to the TSP's Frame Relay Switch.

    The TSP configures the Virtual Circuit through the Packet Switched (Frame Relay) Network.

    Local Access Rate is the Clock Speed of the Local Loop.

    Data Link Connection Identifier (DLCI) numbers are:

    Only significant on the Local Loop (can be duplicated on other switches)

    Identifies each Virtual Circuit (1 physical Local Loop can carry many Virtual Circuits)

    Committed Information Rate (CIR) is less than or equal (≤) to the Local Access Rate.

    A CIR is assigned to each DLCI.

    Any data sent faster than the CIR is flagged with the Discard Eligible (DE) bit in the Frame Header.

    If there is congestion, frames flagged as DE are dropped.

    Zero CIR:

    Means that every frame is a DE Frame

    Is an inexpensive Frame Relay Service

    Is not a good choice for mission critical data

    Local Management Interface (LMI):

    Is a signaling standard between Router (DTE) and Frame Relay (DCE) Switch

    Is responsible for managing the connection and maintaining the status between DTE & DCE

    Uses Keepalive messages to monitor the status of the network connection

    Adds enhancements (extensions) to basic Frame Relay

    Has 3 LMI Types: Cisco, ANSI Annex D & ITU-T Q.933 Annex A

    One important LMI extension is the ability to report the status of the Virtual Circuit and the Physical Connection.

    The Frame Relay mechanisms for managing traffic flow, each carried in a single bit of the header, are:

    1. Forward-explicit Congestion Notification (FECN)

    2. Backward-explicit Congestion Notification (BECN)

    FECN informs the Destination device about congestion in the path and works as follows:

    DTE Device sends Frame Relay Frame to the network

    If the network is congested, the DCE Switches set the FECN bit to 1

    The Remote Destination reads the FECN bit and realizes the path is congested

    BECN informs the Source device about congestion in the path and works as follows:

    Frame Relay Switch detects congestion

    Frame Relay Switch sets the BECN bit to 1 in Frames going in the opposite direction from the Frames marked with the FECN bit

    The Source DTE Device reads the BECN bit and realizes the path is congested

    To configure the Router FR1 to act as a Frame Relay Switch, use the command frame-relay switching.

    FR1 will now act as a DCE Device to emulate the Frame Relay Switch.

    To enable FR1 to switch the DLCIs from each interface, use the command frame-relay route.

    The serial interfaces on FR1 will now function as Frame Relay DCE Devices.

    Each interface must now be configured with Frame Relay encapsulation using ietf or cisco:

    FR1(config-if)# encapsulation frame-relay {cisco | ietf}

    Also configure the Clock Rate on the Serial Interfaces for FR1.

    The CPE Router Serial Interface must now be configured with Frame Relay encapsulation & IP Address.

    Inverse Address Resolution Protocol (Inverse ARP) dynamically maps DLCI to IP Address.

    ARP Maps IP Addresses to MAC Address & RARP Maps MAC Address to IP Address.

    Inverse ARP is activated by default.

    If the Remote Router does not support Inverse ARP, use Static Mapping.

    1 Physical Interface supports multiple logical Virtual Connections.

    This Multi-Access WAN is cheaper than Point-to-Point Links.

    Multiple Links sharing a single Physical Link can cause problems for Distance Vector Protocols.

    Frame Relay is a Non Broadcast Multi Access (NBMA) Protocol.

    Each VC on an interface is treated as a separate local network.

    Split Horizon does not update routes out the interface on which it received the route update.

    If a remote site sends a route update, it is not sent out the other VCs that share the same physical

    interface.

    To avoid the problems caused by Split Horizon, the Physical Interface is divided into Sub-interfaces.

    The 2 types of Frame Relay Sub-interfaces are:

    1. Point-to-Point: each Sub-interface has its own DLCI and acts like a leased line.

    2. Multipoint: a single Sub-interface has multiple PVC connections to remote routers.

    Point-to-Point does not have a Broadcast problem because it acts like leased lines.

    With Multipoint, each sub-interface establishes multiple PVC connections to multiple Physical Interfaces or Sub-interfaces on the Remote Router.

    Split Horizon must be turned off for Distance Vector Routing Protocols to work with Multipoint Links.

    To display information about the Status of Frame Relay Local Loop and the PVC Circuit:

    R1# show interfaces serial ! Displays encapsulation, DLCI, LMI Type & LMI Statistics. Line should be UP/UP

    To verify LMI Operations:

    R1# show frame-relay lmi ! Verifies whether LMI Keepalive Messages are sent and received

    ! Non-zero Invalid counters indicate a problem; also check the LMI Type

    To Debug LMI Exchange:

    R1# debug frame-relay lmi ! Views in real time the messages exchanged between the Frame Relay Switch & the CPE

    ! out = LMI Status Messages sent out by the Router

    ! in = LMI Status Messages received from the Frame Relay Switch

    A type 0 message is a full LMI Status Message.

    The dlci 110, status 0x2 indicates that DLCI 110 is active.

    Values of DLCI Status Fields are:

    0x0: Added and inactive: the Switch has this DLCI programmed but it is not usable

    0x2: Added and active: the Frame Relay Switch has the DLCI and everything is operational

    0x4: Deleted: the Frame Relay Switch does not have this DLCI programmed for the Router;

    the DLCIs are reversed on the Router, or the PVC was deleted in the Frame Relay cloud

    A type 1 message indicates a Keepalive LMI exchange.

    Troubleshooting Frame Relay involves Layer 1, 2 & 3.

    Layer 1 & 2 may be operational, but IP Communication may not occur.

    For communication to occur, a Router must map its Local DLCI to the Remote Router's IP Address.

    If a Router does not support Inverse ARP, configure the mapping manually with:

    R1(config)# frame-relay map ip {IP_Address} {DLCI#} [broadcast]

    Also confirm that no ACLs block the traffic and that the route exists in the IP Routing Table.

    If the show interface serial command shows down / down, then it is a Layer 1 problem.

    Check the cable and/or CSU/DSU. A manually configured DLCI needs to be checked.

    To check the DLCI values use R1# show frame-relay pvc {PVC#}

    A PVC Status = DELETED indicates that the DLCI is configured wrong.

    If the show interface serial command shows up / down, then it is a Layer 2 problem.

    The Serial interface is not receiving LMI Keepalive messages from the Frame Relay Switch.

    To check if LMI messages are sent and received use R1# show frame-relay lmi

    To test the performance through the ISP's Frame Relay network, a Pilot Installation must be tested.
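    The layered checks above (the show interfaces serial state, the show frame-relay lmi counters, and the DLCI status values from debug frame-relay lmi) as a small triage script. This is an added example, not from the original notes; the sample lines are constructed to match the IOS output formats the notes describe, not captured from a router.

```python
import re

# Constructed sample lines, modelled on the IOS output formats the notes
# describe (not captured from a real router).
SHOW_INT_UP_DOWN = "Serial0/0/0 is up, line protocol is down"
SHOW_LMI_NO_REPLIES = "Num Status Enq. Sent 14          Num Status msgs Rcvd 0"
DEBUG_LMI_DELETED = "PVC IE 0x7 , length 0x6 , dlci 110, status 0x4 , bw 0"

# DLCI status field values seen in debug frame-relay lmi output.
DLCI_STATUS = {
    0x0: "added/inactive: switch has the DLCI programmed but it is not usable",
    0x2: "added/active: switch has the DLCI and the PVC is operational",
    0x4: "deleted: switch has no such DLCI (DLCIs reversed or PVC removed)",
}

def interface_state(show_int_line):
    """Return (physical, protocol) state, e.g. ('up', 'down')."""
    m = re.search(r"is (up|down), line protocol is (up|down)", show_int_line)
    if not m:
        raise ValueError("unrecognised show interfaces line")
    return m.group(1), m.group(2)

def lmi_counters(show_lmi_line):
    """Return (status enquiries sent, status messages received)."""
    sent = re.search(r"Num Status Enq\. Sent\s+(\d+)", show_lmi_line)
    rcvd = re.search(r"Num Status msgs Rcvd\s+(\d+)", show_lmi_line)
    if not (sent and rcvd):
        raise ValueError("unrecognised show frame-relay lmi line")
    return int(sent.group(1)), int(rcvd.group(1))

def dlci_status(debug_lmi_line):
    """Map each DLCI in a debug frame-relay lmi status message to its status."""
    pairs = re.findall(r"dlci (\d+), status 0x([0-9a-fA-F]+)", debug_lmi_line)
    return {int(d): int(s, 16) for d, s in pairs}

def triage(show_int_line, show_lmi_line, debug_lmi_line):
    """Apply the Layer 1 -> 2 -> 3 checks in order; return (layer, finding)."""
    phys, proto = interface_state(show_int_line)
    if phys == "down":
        return 1, "down/down: check the cable and the CSU/DSU"
    if proto == "down":
        sent, rcvd = lmi_counters(show_lmi_line)
        if sent > 0 and rcvd == 0:
            return 2, "up/down: no LMI keepalives received, check LMI type and switch"
        return 2, "up/down: line protocol down, check encapsulation and LMI"
    for dlci, status in sorted(dlci_status(debug_lmi_line).items()):
        if status != 0x2:
            return 2, f"DLCI {dlci} {DLCI_STATUS.get(status, 'unknown status')}"
    return 3, "layers 1-2 OK: check frame-relay map / Inverse ARP, ACLs and routes"

if __name__ == "__main__":
    print(triage(SHOW_INT_UP_DOWN, SHOW_LMI_NO_REPLIES, DEBUG_LMI_DELETED))
```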

    For fault tolerance of Frame Relay, use a Floating Static Route with an Administrative Distance (e.g. 130) greater than that of the corresponding Dynamic Route.

    A VPN is an extension of the internal private network.

    A VPN emulates a Point-to-Point (encapsulated and encrypted) Link.

    The VPN Client connects to a VPN Endpoint (VPN Server or VPN Concentrator).

    Remote workers accessing via a VPN are Trusted Users.

    VPN Users connecting from an insecure location (public areas) must have restricted access to resources.

    Encrypted data cannot be filtered until it is decrypted at the VPN Server Endpoint.

    Therefore, VPN Servers must be located at a point where incoming packets can be filtered before being delivered to the internal network resources.

    The options to support VPN for Remote Sites are:

    1. Request VPN services from the current ISP (requires no testing)

    2. Install VPN Server at the head office (has to be tested)

    Split Tunneling allows:

    Users to send corporate data over the VPN Tunnel

    And to send other data on the Client's local LAN

    Test the ease of configuring and installing the VPN Server and Client software.

    Test the ACLs for filtering incoming VPN traffic.

    Test the placement of the VPN Server in the network.

    Use the Cisco Easy VPN software tool to configure and manage remote user VPN connectivity.

    Cisco Easy VPN helps to configure Cisco Security Appliance or Router as a VPN Server or Endpoint.

    Use the IP Advanced Security Feature set for the 1841 router.

    The Cisco SDM interface on the 1841 can be used to configure the Easy VPN Server for remote clients.

    The 2 components of Cisco Easy VPN are:

    1. Cisco Easy VPN Server: it can be a router or a dedicated VPN Gateway (e.g. PIX Firewall or a VPN Concentrator) to provide a site-to-site VPN connection.

    2. Cisco Easy VPN Remote: it enables remote devices to receive security parameters such as IP, SNM and DHCP Server Address (to be pushed) from the Cisco Easy VPN Server.

    The 2 components of VPN are:

    Tunneling: to create the virtual network

    Encryption: to enable privacy and security

    Site-to-site VPN sends and receives TCP/IP traffic through the VPN Tunnel to a VPN Gateway.

    The VPN Gateway can be a Router, Firewall, VPN Concentrator or Security Appliance.

    The VPN Tunnel can carry encrypted or unencrypted traffic.

    The Remote Access VPN (VPN Client) contacts the VPN Gateway to set up the Tunnel.

    The Protocols used to create the VPN Tunnel are:

    Generic Routing Encapsulation (GRE)

    IP Security (IPSec)

    Layer 2 Forwarding (L2F) Protocol

    Point-to-Point Tunneling Protocol (PPTP)

    Layer 2 Tunneling Protocol (L2TP)

    Not all protocols offer the same level of security.

    An Encryption algorithm is a math function that combines the message with a string of digits called a key.

    The output is an unreadable Cipher String.

    Decryption requires the Encryption key.

    Common Encryption methods used for VPNs are:

    Data Encryption Standard (DES): requires a symmetric shared secret key to encrypt & decrypt

    Triple DES (3DES): requires a symmetric shared secret key to encrypt & decrypt

    Advanced Encryption Standard (AES)

    Rivest, Shamir and Adleman (RSA)

    Keys can be manually configured.

    The Keys can also be automatically configured using a Key Exchange Method.

    Diffie-Hellman (DH) key agreement is a Public Key Exchange Method.

    DH Key Agreement provides a way for 2 peers to establish a Shared Secret Key that only the peers recognize.

    Diffie-Hellman groups specify the following types of cryptography to be used:

    DH Group 1 uses 768-bit cryptography

    DH Group 2 uses 1024-bit cryptography (Cisco IOS, PIX Firewall, Cisco Adaptive Security Appliances (ASA))

    DH Group 5 uses 1536-bit cryptography. Supported if the software requirements are met

    Data Integrity protects VPN Data against interception and modification (Man in the Middle Attack).

    A Data Integrity Algorithm adds a Hash to the message.

    If the transmitted Hash matches the received Hash, the received message is accepted.

    Keyed Hashed Message Authentication Code (HMAC) is a Data Integrity Algorithm that guarantees the integrity of the message.

    The 2 common HMAC Algorithms are:

    1. HMAC Message Digest 5 (HMAC-MD5): it uses a 128-bit Shared Secret Key.

    2. HMAC Secure Hash Algorithm 1 (HMAC-SHA-1): it uses a 160-bit Secret Key.

    The Hash is appended to the original message and forwarded to the remote end.
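    The DH key agreement and the HMAC-SHA-1 integrity check described above, worked through end to end: two peers derive the same shared secret, hash it to a 160-bit HMAC key, append a tag to a message, and the receiver rejects a message modified in transit. This is an added example, not from the original notes; the DH prime and generator are constructed toy values far smaller than the 768/1024/1536-bit groups listed above.

```python
import hashlib
import hmac
import secrets

# Constructed toy DH parameters for illustration only: a 127-bit Mersenne
# prime, far smaller than the DH group sizes the notes list.
TOY_P = 2**127 - 1
TOY_G = 5

def dh_keypair(p=TOY_P, g=TOY_G):
    """Pick a random private exponent and compute the public value g^x mod p."""
    priv = secrets.randbelow(p - 3) + 2          # 2 <= priv <= p-2
    return priv, pow(g, priv, p)

def dh_shared(priv, peer_pub, p=TOY_P):
    """Shared secret: peer_pub^priv mod p, identical on both peers."""
    if not 2 <= peer_pub <= p - 2:               # reject trivial public values
        raise ValueError("invalid peer public value")
    return pow(peer_pub, priv, p)

def derive_hmac_key(shared):
    """Hash the shared secret down to a 160-bit key for HMAC-SHA-1."""
    length = (shared.bit_length() + 7) // 8
    return hashlib.sha1(shared.to_bytes(length, "big")).digest()

def protect(key, message):
    """Append the HMAC-SHA-1 tag to the message, as the notes describe."""
    return message + hmac.new(key, message, hashlib.sha1).digest()

def verify(key, blob):
    """Recompute the tag; return the message if it matches, else None."""
    if len(blob) < 20:
        return None
    message, tag = blob[:-20], blob[-20:]
    expected = hmac.new(key, message, hashlib.sha1).digest()
    # compare_digest avoids leaking the position of the first mismatch.
    return message if hmac.compare_digest(tag, expected) else None

def demo():
    """Two peers agree a key, then the receiver detects a modified message."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    key_a = derive_hmac_key(dh_shared(a_priv, b_pub))
    key_b = derive_hmac_key(dh_shared(b_priv, a_pub))
    blob = protect(key_a, b"route update: 10.1.1.0/24 via 10.0.0.2")
    # Flip one bit of the last message byte, leaving the tag untouched.
    tampered = blob[:-21] + bytes([blob[-21] ^ 0x01]) + blob[-20:]
    return key_a == key_b, verify(key_b, blob) is not None, verify(key_b, tampered) is None

if __name__ == "__main__":
    print(demo())
```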

    IPSec is an open Layer 3 (Network) standard.

    It is not bound to any specific:

    Authentication

    Encryption

    Security Algorithm

    Or Keying Technology

    It provides:

    Data Confidentiality

    Data Integrity

    Data Authentication between participating peers

    On the VPN Server configure the following for IPSec:

    IPSec Protocol: Encapsulating Security Payload (ESP), Authentication Header (AH) or (ESP + AH)

    Encryption Algorithm: DES, 3DES or AES

    Authentication Algorithm (to provide data integrity): MD5 or SHA

    A Diffie-Hellman Group: DH1, DH2 or DH5 if supported

    IPSec can also use Internet Key Exchange (IKE) to handle negotiations of Protocols and Algorithms.

    IKE can also generate the Encryption and Authentication Keys that IPSec uses.

    VPN Clients receive:

    1. A Logical Interface

    2. And an IPv4 Private IP Address that is significant on the central site's internal network

    Therefore, VPN Clients cannot access their local resources (Files and Printers).

    In a Basic VPN, all the traffic from the VPN Client is Encrypted using the Logical Network Interface.

    It is then sent to the VPN Server, regardless of where the traffic is destined to go.

    Split Tunneling sends, from the VPN Client, only the traffic that is destined for the corporate network.

    The rest of the traffic (instant messaging, e-mail, web browsing etc.) is sent to the Internet via the Local LAN of the VPN Client.

    If Split Tunneling is configured on the VPN Server, the Cisco VPN Client software can be configured for Split Tunneling by enabling the option Allow Local LAN Access.

    Split Tunneling increases the security risk, because an attack on the VPN Client can come from the Internet to the VPN Server via the VPN Client.

    If VPN Servers are placed at the WAN Edge of the network, Firewalls or ACLs are used to control access.

    Remote data is Decrypted and Filtered before being sent to the Server.

    Create a Test Topology, an Installation Check List and a Test Plan to test the VPN and ACL Filtering.

    From the test results determine the Risks or Weaknesses in the design.

    The main risks are the ability of the IT Staff to:

    Configure and maintain the VPN Server

    Configure the VPN Clients

    Cisco Easy VPN and SDM could be the best choice for configuring and maintaining Remote Access VPN.