Case Study 1
CLI IPsec and Frame-Mode MPLS
Table of Contents
1. Outline
3. Logical diagram
4. Physical diagram
8. Equipment Table
9. Questions
Router R1
Router R2
Router R3
Router R4
Router R1
Router R2
Router R3
Router R4
1. Outline
International Travel Agency is migrating to a network with Multiprotocol Label Switching (MPLS)
and VPN. This will provide a customer edge to the Wide Area Network (WAN) that allows more
efficient data switching and secure transfer of data from one office to another.
The International Travel Agency requires a network that implements MPLS and VPN
technologies. It will use MPLS between the CE and PE and requires a VPN tunnel between the
local PE and remote PE to ensure the data travels securely through the Internet cloud.
The addressing scheme provided in the scenario will be adhered to, allowing the existing
infrastructure to migrate without interruption. EIGRP should be used as a fast-converging
routing protocol.
• Configure all interfaces using the addressing scheme shown in the topology diagram.
• Run Enhanced Interior Gateway Routing Protocol (EIGRP) AS 1 in the entire International
Travel Agency core network. All subnets should be included.
• Create an IPSec tunnel between R1 and R3 with an appropriate transform set and Internet
Security Association and Key Management Protocol (ISAKMP) policy.
• This IPSec tunnel should only encrypt traffic between R1’s loopback network and R4’s
loopback network.
• Use pre-shared keys for authentication in the ISAKMP policy.
• Do not create any new interfaces to achieve this task.
• Use any encryption algorithms desired for the tasks listed above that use the crypto suite
of protocols.
• Configure MPLS on both ends of the link between R3 and R4.
• Configure R1 to send system logging messages at the error severity level to an imaginary
host located at 172.16.2.200.
• Set up the correct time on R4 using the clock set command. Use the inline IOS help
system if you do not know the syntax of this command.
• Configure R4 as a Network Time Protocol (NTP) master with stratum 5.
• Configure R3 as an NTP client of R4.
3. Logical diagram
4. Physical diagram
3. Discussion on the implementation of Routing
Enhanced Interior Gateway Routing Protocol (EIGRP) is the best choice for the International
Travel Agency. It is a classless routing protocol and has elements of both distance-vector and
link-state algorithms.
Every directly connected network must be entered into the router's configuration. The router
then maintains three tables dedicated to EIGRP: the topology, neighbor and routing tables.
Rapid convergence and future scalability will be realized using this protocol, as well as efficient
use of bandwidth. If any sudden changes occur to the network topology, EIGRP allows all
converged routers to update simultaneously.
The test-bed for this upgrade has been built on the latest equipment. Cisco 3600 series
routers have been utilized and fully configured. This allows us to implement our solution in
a realistic fashion.
Serial port modules were used to simulate Wide Area Network links, and Cisco CAB-SS-V35
cables were used to connect the routers directly from port to port.
The test-bed physical design is very simple, although the real implementation will include other
devices such as CSU/DSUs.
In order to test the ITA network, each implementation phase was followed by a number of
commands issued on the routers to make sure a high degree of reliability was achieved before
moving to the next implementation stage. The following tests are ordered by the project
timeline. As previously stated, the stage at which each of these tests takes place was chosen
logically.
• Connectivity was first tested thoroughly using the Ping utility (see results below). This
tests overall router reachability and correct EIGRP configuration.
• An extended Ping was used to bring up the VPN tunnel and to test the ACLs that define
interesting traffic.
• The show crypto ipsec sa command (see below) was used to make sure the traffic is
going through the tunnel successfully.
• MPLS was further tested with traceroute and show interface serial 0/2/1 accounting to
make sure packets are tagged by the protocol when needed.
• The debug ntp packets command was used to test communication between the NTP
server and the NTP client.
• The show interface serial 0/2/1 accounting command was used to verify that MPLS packets
are being sent and received.
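As an added example that is not part of the original report, the following Python cross-checks the show crypto ipsec sa output captured from R1 and R3 later in this document: each peer's SAs must be ACTIVE and use the configured transform, and since the receiver chooses an SA's SPI, R1's inbound SPI must equal R3's outbound SPI and vice versa. The excerpts are abridged to the spi, transform and Status lines, and the function names are the example's own.

```python
import re

# Abridged "show crypto ipsec sa" excerpts from the R1 and R3 captures in this report; only the
# spi, transform and Status lines of the AH SAs are kept (ESP SAs, when present, parse the same way).
R1_SA = """\
    Crypto map tag: MYMAP, local addr 172.16.12.1
     inbound ah sas:
      spi: 0x7EE5715A(2128965978)
        transform: ah-sha-hmac ,
        Status: ACTIVE
     outbound ah sas:
      spi: 0xCC6044(13393988)
        transform: ah-sha-hmac ,
        Status: ACTIVE
"""
R3_SA = """\
    Crypto map tag: MYMAP, local addr 172.16.23.3
     inbound ah sas:
      spi: 0xCC6044(13393988)
        transform: ah-sha-hmac ,
        Status: ACTIVE
     outbound ah sas:
      spi: 0x7EE5715A(2128965978)
        transform: ah-sha-hmac ,
        Status: ACTIVE
"""

def parse_sas(output):
    """Map 'inbound ah', 'outbound esp', ... to {spi, transform, Status} from IOS output."""
    sas, current = {}, None
    for line in output.splitlines():
        line = line.strip()
        if m := re.match(r"(inbound|outbound) (ah|esp|pcp) sas:", line):
            current = f"{m.group(1)} {m.group(2)}"  # section header, e.g. "inbound ah"
        elif (m := re.match(r"spi: (0x[0-9A-Fa-f]+)", line)) and current:
            sas[current] = {"spi": int(m.group(1), 16)}
        elif (m := re.match(r"(transform|Status): (\S+)", line)) and current in sas:
            sas[current][m.group(1)] = m.group(2)
    return sas

def verify_tunnel(local, remote, transform="ah-sha-hmac"):
    """Cross-check both peers' SA tables; an empty list means the tunnel looks healthy."""
    l, r, findings = parse_sas(local), parse_sas(remote), []
    for side, sas in (("local", l), ("remote", r)):
        for name, sa in sas.items():
            if sa.get("Status") != "ACTIVE":
                findings.append(f"{side} {name}: status {sa.get('Status')}")
            if sa.get("transform") != transform:
                findings.append(f"{side} {name}: unexpected transform {sa.get('transform')}")
    # The receiver picks an SA's SPI, so local inbound must equal remote outbound and vice versa.
    for a, b in (("inbound ah", "outbound ah"), ("outbound ah", "inbound ah")):
        if a in l and b in r and l[a]["spi"] != r[b]["spi"]:
            findings.append(f"SPI mismatch: local {a} {l[a]['spi']:#x}, remote {b} {r[b]['spi']:#x}")
    return findings
```

Feeding the same capture for both peers, or a capture whose Status is not ACTIVE, produces findings instead of an empty list.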
The network implemented above represents a connection between two ITA remote offices. In
order to reduce connection cost, an IPSec tunnel is created over an Internet link between the two
offices to provide secure connectivity and data transfer.
The MPLS used between the CE and PE may be extended in the future into the provider's
network in order to speed up delivery between the two locations.
At the customer edge on both sides, the company may consider using a firewall solution to filter
incoming and outgoing traffic, as its routers are directly connected to the Internet, which
represents a potential risk for the internal network.
Router   Interface    IP address
R1       Loopback 0   172.16.1.1
R2       Loopback 0   172.16.2.1
R3       Loopback 0   172.16.3.1
R4       Loopback 0   172.16.4.1
8. Equipment Table
Equipment                                                    Quantity
Cisco 3600 Series Router (w. 1x T1 interface card module)    3
Cisco CAB-SS-V35 Cable                                       3
9. Questions
1. R3 and R4 will not send NTP queries as MPLS frames. R3 and R4 are two directly
connected routers and the NTP exchange takes place only between the two of them. Because
of the PHP (penultimate hop popping) function, MPLS does not need to tag these packets, as
the tag would have to be removed on the next hop anyway. To avoid the overhead, MPLS
sends them as normal IP packets.
2. R3 and R4 will not send packets to each other as MPLS frames, because of the PHP function
and because they are two directly connected routers.
3. R4 will send packets destined to R1 and R2 as MPLS frames, but R3 will remove the tag
before forwarding them on to R1 and R2. R3 will not send any packets as MPLS frames,
because on one side R1 and R2 are not configured with MPLS and on the other side the PHP
function removes the tag before any packet is sent towards R4.
R4 will not send packets destined to R3 as MPLS, but will tag packets for other networks
such as those of R2 and R1, although those tags will be removed by R3.
4. In the network configuration, the ESP protocol provides origin authenticity, integrity and
confidentiality protection of a packet. ESP is defined in the ITA network configuration as
esp-aes 256 esp-sha-hmac inside the transform set. The AH protocol, on the other hand, is
intended to guarantee integrity and data origin authentication of IP packets. Encapsulating
Security Payload provides confidentiality and the Authentication Header provides integrity; in
the current configuration it is defined as ah-sha-hmac. ESP with 256-bit AES encryption is
currently the most secure algorithm, as it provides as many as 256 bits for encryption, which is
the maximum value available nowadays.
5. The NTP server will ensure that the routers in the network are configured with the correct
time. This provides accurate time indication when error and other messages are logged to
the server. It is crucial to ensure that timestamps are correct when errors or attacks are
recorded.
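A small model of the label decisions behind answers 1 to 3, added here as an illustration and not part of the original report. It encodes the lab topology from the diagrams and configurations (mpls ip only on the R3-R4 link) together with LDP's default of advertising implicit-null for directly connected prefixes, and reports for each hop whether the frame leaves labeled or as plain IP; the breadth-first stand-in for EIGRP routing and the result strings are the example's own assumptions.

```python
from collections import deque

# Lab topology as given in this report's diagrams and configurations: one loopback
# network per router, three serial links, and "mpls ip" only on the R3-R4 link.
LOOPBACKS = {"R1": "172.16.1.0/24", "R2": "172.16.2.0/24",
             "R3": "172.16.3.0/24", "R4": "172.16.4.0/24"}
LINKS = [  # (end A, end B, link prefix, mpls ip configured on both ends)
    ("R1", "R2", "172.16.12.0/24", False),
    ("R2", "R3", "172.16.23.0/24", False),
    ("R3", "R4", "172.16.34.0/24", True),
]

def connected(router):
    """Prefixes directly connected to a router; LDP advertises implicit-null for them."""
    return {LOOPBACKS[router]} | {p for a, b, p, _ in LINKS if router in (a, b)}

def shortest_path(src, prefix):
    """Hop-by-hop path from src to the nearest router owning prefix (stand-in for EIGRP)."""
    adj = {}
    for a, b, _, _ in LINKS:
        adj.setdefault(a, []).append(b)
        adj.setdefault(b, []).append(a)
    prev, queue = {src: None}, deque([src])
    while queue:  # breadth-first search: equal-cost serial links, so hop count decides
        node = queue.popleft()
        if prefix in connected(node):
            path = [node]
            while prev[path[-1]] is not None:
                path.append(prev[path[-1]])
            return path[::-1]
        for n in adj[node]:
            if n not in prev:
                prev[n] = node
                queue.append(n)
    raise ValueError(f"{prefix} unreachable from {src}")

def encapsulation(src, prefix):
    """For each hop, how the frame toward prefix leaves the router: labeled or plain IP."""
    path, hops = shortest_path(src, prefix), []
    mpls_links = {frozenset((a, b)) for a, b, _, m in LINKS if m}
    for here, nxt in zip(path, path[1:]):
        if frozenset((here, nxt)) not in mpls_links:
            how = "IP (no MPLS on link)"
        elif prefix in connected(nxt):
            how = "IP (implicit-null from next hop: PHP)"  # penultimate hop pops, so no label
        else:
            how = "MPLS label from next hop"  # next hop allocated a label for this IGP prefix
        hops.append((here, nxt, how))
    return hops
```

Running encapsulation("R4", "172.16.1.0/24") gives a labeled first hop to R3 and plain IP beyond, while traffic between R3 and R4 themselves comes out unlabeled because of PHP, matching answers 1 to 3.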
10. Router Configurations
Router R1
Current configuration : 2027 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$68v.$0pF2U4rVQiSFjMd/aTRmo.
enable password 7 060503205F5D49
!
no aaa new-model
memory-size iomem 15
!
!
ip cef
!
!
no ip domain lookup
ip host R2 172.16.12.2
!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
lifetime 3600
crypto isakmp key cisco address 172.16.23.3
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set 50 ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto map MYMAP 10 ipsec-isakmp
set peer 172.16.23.3
set security-association lifetime seconds 900
set transform-set 50
set pfs group5
match address 101
!
interface Loopback0
description network connected to router 1
ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/2/0
description Link to Router 2
ip address 172.16.12.1 255.255.255.0
clock rate 64000
crypto map MYMAP
!
router eigrp 1
network 172.16.0.0
no auto-summary
!
!
!
ip http server
no ip http secure-server
!
logging trap errors
logging 172.16.2.200
access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.4.0 0.0.0.255
!
!
banner motd ^CC This is a secure system. Authorized Personnel Only! ^C
!
line con 0
exec-timeout 0 0
password 7 045802150C2E
logging synchronous
line aux 0
line vty 0 4
password 7 02050D480809
login
!
end
Router R2
Current configuration : 1474 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$k7cB$tzf98Aglqnj2MJZdUhLFR1
enable password 7 01100A05481846
!
no aaa new-model
memory-size iomem 15
no network-clock-participate wic 3
!
!
ip cef
!
!
no ip domain lookup
ip host R1 172.16.12.1
ip host R3 172.16.23.3
!
!
!
interface Loopback0
description network connected to router
ip address 172.16.2.1 255.255.255.0
!
interface Serial0/2/0
ip address 172.16.12.2 255.255.255.0
no fair-queue
!
interface Serial0/2/1
ip address 172.16.23.2 255.255.255.0
clock rate 64000
!
router eigrp 1
network 172.16.0.0
no auto-summary
!
!
!
ip http server
no ip http secure-server
!
!
!
banner motd ^CC This is a secure system. Authorized Personnel Only! ^C
!
line con 0
exec-timeout 0 0
password 7 00071A150754
logging synchronous
line aux 0
line vty 0 4
password 7 14141B180F0B6A
login
!
end
Router R3
Current configuration : 2321 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$JIRS$AbZjQcNdIODnanFoCjzj70
enable password 7 0205085A18154F
!
no aaa new-model
memory-size iomem 15
no network-clock-participate wic 3
!
!
ip cef
!
!
no ip domain lookup
ip host R4 172.16.34.4
ip host R2 172.16.23.2
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
lifetime 3600
crypto isakmp key cisco address 172.16.12.1
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set 50 ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto map MYMAP 10 ipsec-isakmp
set peer 172.16.12.1
set security-association lifetime seconds 900
set transform-set 50
set pfs group5
match address 101
!
!
!
!
interface Loopback0
description network connected to router
ip address 172.16.3.1 255.255.255.0
!
interface Serial0/2/0
description Link to Router 4
ip address 172.16.23.3 255.255.255.0
no fair-queue
crypto map MYMAP
!
interface Serial0/2/1
description Link to Router 2
ip address 172.16.34.3 255.255.255.0
mpls ip
no fair-queue
clock rate 2000000
!
!
router eigrp 1
network 172.16.0.0
no auto-summary
!
!
!
ip http server
no ip http secure-server
!
access-list 101 permit ip 172.16.4.0 0.0.0.255 172.16.1.0 0.0.0.255
!
!
!
!
banner motd ^CC This is a secure system.
Router R4
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$pKHY$Pilw1Ad7IjxaPuLSasSea0
enable password 7 121A091601184C
!
no aaa new-model
memory-size iomem 15
no network-clock-participate wic 1
!
!
ip cef
!
!
no ip domain lookup
ip host R3 172.16.34.3
!
!
!
interface Loopback0
description network connected to router
ip address 172.16.4.1 255.255.255.0
!
interface Serial0/2/0
description Link to Router 3
ip address 172.16.34.4 255.255.255.0
mpls ip
no fair-queue
!
router eigrp 1
network 172.16.0.0
no auto-summary
!
!
!
ip http server
no ip http secure-server
!
banner motd ^CC This is a secure system. Authorized Personnel Only! ^C
!
line con 0
exec-timeout 0 0
password 7 02050D4808094F
logging synchronous
line aux 0
line vty 0 4
password 7 13061E01080344
login
!
scheduler allocate 20000 1000
ntp master 5
!
end
Router R1
R1#ping 172.16.12.2
R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
R1#show logging
Syslog logging: enabled (11 messages dropped, 2 messages rate-limited,
0 flushes, 0 overruns, xml disabled, filtering disabled)
Console logging: level debugging, 46 messages logged, xml disabled,
filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: disabled, xml disabled,
filtering disabled
Logging Exception size (4096 bytes)
Count and timestamp logging messages: disabled
interface: Serial0/2/0
Crypto map tag: MYMAP, local addr 172.16.12.1
inbound ah sas:
spi: 0x7EE5715A(2128965978)
transform: ah-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3004, flow_id: NETGX:4, crypto map: MYMAP
sa timing: remaining key lifetime (k/sec): (4505698/144)
replay detection support: Y
Status: ACTIVE
outbound ah sas:
spi: 0xCC6044(13393988)
transform: ah-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3003, flow_id: NETGX:3, crypto map: MYMAP
sa timing: remaining key lifetime (k/sec): (4505698/142)
replay detection support: Y
Status: ACTIVE
Router R2
R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
R2#ping 172.16.1.1
Router R3
R3#ping 172.16.4.1
interface: Serial0/2/0
Crypto map tag: MYMAP, local addr 172.16.23.3
inbound ah sas:
spi: 0xCC6044(13393988)
transform: ah-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3004, flow_id: NETGX:4, crypto map: MYMAP
sa timing: remaining key lifetime (k/sec): (4546509/840)
replay detection support: Y
Status: ACTIVE
inbound pcp sas:
outbound ah sas:
spi: 0x7EE5715A(2128965978)
transform: ah-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3003, flow_id: NETGX:3, crypto map: MYMAP
sa timing: remaining key lifetime (k/sec): (4546509/840)
replay detection support: Y
Status: ACTIVE
R3#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
R3#ping 172.16.4.1
Router R4
R4#ping 172.16.3.1
R4#ping
Protocol [ip]:
Target IP address: 172.16.1.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.16.4.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]: y
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.4.1
Reply data will be validated
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 104/106/108 ms
R4#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
R4#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/60 ms
R4#ping 172.16.1.1