Friday 23 January 2015

VPN (Virtual Private network)

Basic Notes about VPN


A VPN is a private network that uses a public network (usually the Internet) to connect remote sites or users together. It works by encapsulating the data of one network inside an ordinary IP packet and transporting that packet to another network. When the packet arrives at the destination network, it is unwrapped and delivered to the appropriate host there. Because the encapsulation uses cryptographic techniques, the data is protected from tampering and snooping while it travels over the public network.

Through a VPN you can reach your private network from a remote location over the Internet without compromising security. VPNs let employees securely access their company's intranet while travelling outside the office. Similarly, VPNs securely connect branch offices to each other over the Internet without a dedicated leased line, which is much cheaper than leased lines. VPNs use strong encryption to provide privacy and strong authentication to guarantee identity, so they are more secure than traditional networks. Even if VPN traffic is intercepted in transit, the attacker cannot read it, because it is encrypted.

Different VPNs used 

VPNs can be either remote-access (connecting an individual computer to a network) or site-to-site (connecting two networks together). In a corporate setting, remote-access VPNs allow employees to access their company's intranet from home or while travelling outside the office, and site-to-site VPNs allow employees in different geographic locations to share one network.

One interesting thing to note about VPNs is that there is no single standard for how to set them up. If you are establishing your own VPN, it is up to you to decide which protocols and components to use and to understand how they work together.

Five basic components of VPNs:

VPN Gateways:
A device used to connect an entire network to the VPN
VPN Client Software:
Software for individual PCs that allows them to connect to the VPN
Authentication Servers:
Systems such as certificate authorities and RADIUS servers that guarantee the identity of VPN gateways and clients
Management Servers:
Systems that provide control, monitoring, alerting and reporting on the VPN
Physical Transport:
Any IP or Internet connection

Advantages of VPN

Security -- The VPN should protect data while it's travelling on the public network. If intruders attempt to capture the data, they should be unable to read or use it.
Reliability -- Employees and remote offices should be able to connect to the VPN with no trouble at any time (unless hours are restricted), and the VPN should provide the same quality of connection for each user even when it is handling its maximum number of simultaneous connections.
Scalability -- As a business grows, it should be able to extend its VPN services to handle that growth without replacing the VPN technology altogether.

LSA Types in OSPF

  • Router LSA (Type 1) – Contains a list of all links local to the router, and the status and “cost” of those links. Type 1 LSAs are generated by all routers in OSPF and are flooded to all other routers within the local area.

  • Network LSA (Type 2) – Generated by all Designated Routers in OSPF, and contains a list of all routers attached to the Designated Router.

  • Network Summary LSA (Type 3) – Generated by all ABRs in OSPF, and contains a list of all destination networks within an area. Type 3 LSAs are sent between areas to allow inter-area communication to occur.

  • ASBR Summary LSA (Type 4) – Generated by ABRs in OSPF, and contains a route to any ASBRs in the OSPF system. Type 4 LSAs are sent from an ABR into its local area, so that internal routers know how to exit the Autonomous System.

  • External LSA (Type 5) – Generated by ASBRs in OSPF, and contains routes to destination networks outside the local Autonomous System. Type 5 LSAs can also take the form of a default route to all networks outside the local AS. Type 5 LSAs are flooded to all areas in the OSPF system.

  • NSSA External LSA (Type 7) – Used in a Not-So-Stubby Area (NSSA) in place of a Type 5 LSA, since Type 5 LSAs are not allowed into such an area.

NOTE: LSA types 1 and 2 are found in all areas, and are never flooded outside of an area.

Thursday 21 November 2013

Elections in OSPF

· When routers configured with OSPF are connected on a LAN segment or Frame Relay network, they hold an election.
· Elections are held to avoid loops.
· One router is elected as the DR (Designated Router), one is elected as the BDR (Backup Designated Router) and the remaining routers are known as DROthers.
· The router with the highest OSPF priority is elected as the DR.
· A router whose priority is set to 255 will always be elected as the DR; a router whose priority is set to 0 (zero) does not take part in the election and remains a DROther.
· The default priority of all OSPF interfaces is 1, so by default the election is decided by router-id.
· The router with the highest router-id is elected as the DR.
· DR/BDR are elected per LAN segment.
· A router can be part of multiple LAN segments.
· Once the DR/BDR are elected, the election does not reoccur until the DR goes down.
· All other routers, the “DROthers”, establish adjacencies only with the DR and BDR.
· DROther routers multicast LSAs only to the DR and BDR (224.0.0.6 - all DR routers).
· The DR sends LSAs to all adjacent neighbors, the DROthers (224.0.0.5 - all OSPF routers).

Backup Designated Router - BDR
· Listens, but doesn’t act.
· If an LSA is sent, the BDR sets a timer.
· If the timer expires before it sees the reply from the DR, it becomes the DR and takes over the update process.
· The process for electing a new BDR begins.
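The election rules listed above can be checked against a small model. The following is an added example, not code from the original post or from any router implementation: it implements only the rules the post states (priority 0 is excluded, highest priority then highest router-id wins, and the result is not pre-emptive, so a router that attaches later with a higher priority stays a DROther until the DR fails). The router-ids and priorities are constructed for the walk-through.

```python
"""Toy model of the OSPF DR/BDR election rules described in the post.
Added example; it does not reproduce any vendor's implementation."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional


@dataclass(frozen=True)
class Router:
    rid: str            # router-id in dotted-quad form, e.g. "10.0.0.4"
    priority: int = 1   # OSPF interface priority; the default is 1


def election_key(r: Router):
    """Sort key: higher priority first, then higher (numeric) router-id."""
    return (r.priority, int(IPv4Address(r.rid)))


@dataclass
class Segment:
    """One multi-access segment.  DR and BDR are elected per segment."""
    routers: List[Router]
    dr: Optional[Router] = None
    bdr: Optional[Router] = None

    def _candidates(self, exclude: Optional[Router] = None) -> List[Router]:
        """Eligible routers, best first.  Priority 0 never takes part."""
        eligible = (r for r in self.routers if r.priority > 0 and r != exclude)
        return sorted(eligible, key=election_key, reverse=True)

    def elect(self) -> None:
        """Fresh election, as when all routers come up on the segment together."""
        ranked = self._candidates()
        self.dr = ranked[0] if ranked else None
        self.bdr = ranked[1] if len(ranked) > 1 else None

    def attach(self, router: Router) -> None:
        """A router joins later.  An existing DR/BDR is kept (non-pre-emptive)."""
        self.routers.append(router)
        if self.dr is None:                 # nothing elected yet: normal election
            self.elect()
        elif self.bdr is None:              # only the BDR slot is empty
            ranked = self._candidates(exclude=self.dr)
            self.bdr = ranked[0] if ranked else None

    def dr_failed(self) -> None:
        """The DR goes down: the BDR takes over and a new BDR is elected."""
        if self.dr is not None:
            self.routers.remove(self.dr)
        self.dr = self.bdr
        ranked = self._candidates(exclude=self.dr)
        self.bdr = ranked[0] if ranked else None

    def role(self, router: Router) -> str:
        if router == self.dr:
            return "DR"
        if router == self.bdr:
            return "BDR"
        return "DROther"


def demo() -> dict:
    """Walk through the scenario; returns {router-id: role} after each step."""
    # Constructed segment: three default-priority routers and one with priority 0.
    seg = Segment([Router("10.0.0.1"), Router("10.0.0.2"),
                   Router("10.0.0.3", priority=0), Router("10.0.0.4")])
    seg.elect()                                   # all priority 1: router-id decides
    after_election = {r.rid: seg.role(r) for r in seg.routers}
    seg.attach(Router("10.0.0.9", priority=255))  # highest priority, but too late
    after_attach = {r.rid: seg.role(r) for r in seg.routers}
    seg.dr_failed()                               # 10.0.0.4 dies: BDR is promoted
    after_failure = {r.rid: seg.role(r) for r in seg.routers}
    return {"election": after_election, "attach": after_attach,
            "dr_failed": after_failure}


if __name__ == "__main__":
    for step, roles in demo().items():
        print(step, roles)
```

Running the walk-through shows 10.0.0.4 elected DR and 10.0.0.2 BDR on router-id alone, the late-arriving priority-255 router staying a DROther, and only after the DR fails does 10.0.0.2 become DR with 10.0.0.9 taking the BDR slot.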

Tuesday 2 July 2013

EIGRP MINI LAB

Objective:

1) Configure EIGRP 100 on R1, R2, R3, R5, R6 and R7 on the required interfaces using the wildcard mask.
2) EIGRP should not send hello packets on interfaces where no routers are connected.
3) External routes should be sent as summary routes into the internal EIGRP network.
4) ISP routes should not be advertised in the EIGRP network, but EIGRP routers should be able to ping the ISP routes.
5) The R7 loopback interface should not be advertised in EIGRP using the network command, but the other EIGRP routers should still know about that loopback network.
6) Configure authentication between R7--R2 and between R3--ISP.
7) The ISP should not loop packets in the network.
8) Configure R6 as a stub router. It should only receive routes.
9) The bandwidth on the R2 interface connected to R3 should be 1000 Kbit, and R2 should do unequal-cost load balancing to reach the 10.1.3.0/24 network.
10) For the lab, try to use as few commands as possible.




OSPF Advantages and Disadvantages

Open Shortest Path First
[Note that version 1 of OSPF was never implemented.]

Origin: Based on RFC 2328

Type of protocol: Link-state, runs the Dijkstra algorithm to calculate the shortest-path first (SPF) tree

Metric: Calculates the cost to traverse router links to get to the destination, taking the bandwidth of the links into account

Methodology: Develops adjacencies with its neighbors, periodically sending hello packets to neighbors, flooding changes to neighbors when a link’s status changes, and sending “paranoia updates” of all recent link-state changes to neighbors every 30 minutes

Ideal topology: Any network, small to very large

Strengths:
· Converges quickly, compared to a distance-vector protocol
· Routing update packets are small, as the entire routing table is not sent
· Not prone to routing loops
· Scales very well to large networks
· Recognizes the bandwidth of a link, taking this into account in link selection
· Supports VLSM and CIDR
· Supports a long list of optional features that many of the other protocols do not

Weaknesses:

· More complex to configure and understand than a distance-vector protocol

Monday 24 June 2013

OSPF Neighbor Relationship Process

Routers on the same network segment are called neighbors. Two routers connected to each other become neighbors if they have the same area-id, subnet, authentication and hello/dead intervals. The process involves the following steps and states:
1.     The router first determines its OSPF router-id (RID).
2.     The network command adds interfaces to the OSPF process and the router starts link-state processing on them.
3.     Hello packets are sent out on the interfaces running OSPF.

When an OSPF router sends a hello message it is in the Down state.

Down State:
When a router sends a hello packet it is in the Down state. Hellos are sent every 10 s on broadcast and point-to-point networks and every 30 s on NBMA (non-broadcast multi-access) networks. In this state the router has not yet received any hello packet from the neighbor.
Attempt State:
This state is only valid when the neighbor is manually configured on an NBMA (non-broadcast multi-access) network. In this state the router sends unicast hellos every poll interval to a neighbor from which no hellos have been received within the dead interval.
Init State:
A hello has been received from the other router. In this state the router checks the hello/dead timers, subnet, area-id and authentication.
Two-Way State:
This state indicates that bidirectional communication has been established between the two routers. If the sender is already a neighbor, its dead timer is refreshed; if not, it is added as a new neighbor and the process moves to the next step.
ExStart State:
Master and slave are selected in this state. The router with the higher priority becomes master; if the priorities are the same, the higher RID breaks the tie. The master sends the first DBD (database description) packet to the slave.
Exchange State:
The routers describe their entire link-state databases by sending database description (DBD) packets; DBDs are exchanged in this state.
Loading State:
In the Loading state the router starts saving the received information. The slave sends an LSR (link state request) and the master replies with an LSU (link state update); similarly, the master requests missing information with an LSR and the slave replies with an LSU.
Full State:
In the Full state the neighbors are synchronized, and the SPF algorithm is run to calculate the shortest paths.
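The checks that gate the Init state (timers, subnet, area-id, authentication), the Down/Init/2-Way transitions with the dead-timer refresh, and the master/slave choice for ExStart can be exercised with a small model. The following is an added example, not code from the original post or from any router implementation. Its authentication digest is an HMAC-SHA256 over the hello fields, which is an assumption of this model so that a mismatched key or a tampered hello is rejected; real OSPFv2 cryptographic authentication (AuType 2) uses a different, MD5-based construction. The router-ids, intervals and key are constructed for the demonstration.

```python
"""Toy model of OSPF hello acceptance and early neighbor states.
Added example; the digest scheme is an assumption, not OSPF's own."""
import hashlib
import hmac
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Tuple


@dataclass
class Hello:
    router_id: str
    area_id: str
    netmask: str
    hello_interval: int
    dead_interval: int
    priority: int
    neighbors: List[str]        # router-ids this sender has already heard from
    digest: bytes = b""

    def authenticated_fields(self) -> bytes:
        """Bytes covered by the authentication digest (model assumption)."""
        parts = [self.router_id, self.area_id, self.netmask,
                 str(self.hello_interval), str(self.dead_interval),
                 str(self.priority), ",".join(self.neighbors)]
        return "|".join(parts).encode()


def sign_hello(h: Hello, key: bytes) -> Hello:
    """Attach the keyed digest a sender that shares `key` would produce."""
    h.digest = hmac.new(key, h.authenticated_fields(), hashlib.sha256).digest()
    return h


@dataclass
class Interface:
    router_id: str
    area_id: str
    netmask: str
    hello_interval: int
    dead_interval: int
    auth_key: bytes
    neighbors: Dict[str, str] = field(default_factory=dict)     # rid -> state
    last_hello: Dict[str, float] = field(default_factory=dict)  # rid -> time

    def check_hello(self, h: Hello) -> Tuple[bool, str]:
        """The Init-state checks: timers, subnet, area-id, authentication."""
        if h.area_id != self.area_id:
            return False, "area-id mismatch"
        if h.netmask != self.netmask:
            return False, "subnet mask mismatch"
        if (h.hello_interval, h.dead_interval) != (self.hello_interval,
                                                   self.dead_interval):
            return False, "hello/dead interval mismatch"
        expected = hmac.new(self.auth_key, h.authenticated_fields(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, h.digest):   # constant-time compare
            return False, "authentication failure"
        return True, "ok"

    def receive_hello(self, h: Hello, now: float) -> Tuple[str, str]:
        """Process one hello; returns (neighbor state, reason)."""
        ok, why = self.check_hello(h)
        current = self.neighbors.get(h.router_id, "Down")
        if not ok:
            return current, why      # a rejected hello never creates a neighbor
        # Our own router-id in the peer's list proves traffic flows both ways.
        state = "2-Way" if self.router_id in h.neighbors else "Init"
        self.neighbors[h.router_id] = state
        self.last_hello[h.router_id] = now   # refresh the dead timer
        return state, "ok"

    def expire(self, now: float) -> List[str]:
        """Drop neighbors whose dead interval has elapsed; returns their ids."""
        dead = [rid for rid, t in self.last_hello.items()
                if now - t > self.dead_interval]
        for rid in dead:
            del self.neighbors[rid]
            del self.last_hello[rid]
        return dead


def exstart_master(local: Tuple[int, str], peer: Tuple[int, str]) -> str:
    """(priority, router-id) pairs; returns the router-id that becomes master,
    using the rule stated in the post: higher priority, then higher RID."""
    def key(p: Tuple[int, str]):
        return (p[0], int(IPv4Address(p[1])))
    return max(local, peer, key=key)[1]


if __name__ == "__main__":
    KEY = b"constructed-shared-key"
    me = Interface("10.0.0.1", "0.0.0.0", "255.255.255.0", 10, 40, KEY)
    peer = sign_hello(Hello("10.0.0.2", "0.0.0.0", "255.255.255.0", 10, 40, 1, []), KEY)
    print(me.receive_hello(peer, now=0))                     # first hello: Init
    peer.neighbors = ["10.0.0.1"]                            # peer now lists us
    print(me.receive_hello(sign_hello(peer, KEY), now=5))    # 2-Way
    rogue = sign_hello(Hello("10.0.0.3", "0.0.0.0", "255.255.255.0", 10, 40, 1, []), b"wrong")
    print(me.receive_hello(rogue, now=6))                    # rejected, stays Down
    print(me.expire(now=50), exstart_master((1, "10.0.0.1"), (1, "10.0.0.2")))
```

The rejection paths are the useful part for a defender: a hello from a router with the wrong key, or a hello whose fields were altered after signing, never creates a neighbor entry, so a mismatch shows up as a neighbor stuck in Down rather than as a half-formed adjacency. The same `expire` call models the dead timer, which is what removes a neighbor that stops sending acceptable hellos.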