Private VLAN

Private VLAN Architecture Explanation:

The service provider runs a ring topology in each area to give its customers a connection to the internet, as shown in the diagram above. It is a fiber ring connected to an aggregation switch that passes the customers' traffic towards the internet; before that traffic reaches the internet, the provider also applies Broadband Policy Management (BPM) to control each customer's bandwidth according to the plan purchased.

In the diagram, the ring connects three areas, but we focus on area 3 only.

Why do we need Private VLANs?
  • In area 3, all buildings are in the same IP subnet provided by the service provider, so one customer can take a connection to the internet and the others can share it with him, or that customer can ask the others to pay him instead of the SP, since they are all in the same subnet. Most importantly, security is weak.
  • To increase security, we would have to divide the area into more VLANs (subnets) so that they cannot communicate with each other, but making more subnets wastes IPs and means more SVIs on the switches, more processing and more CPU cycles. A different subnet for every home is a huge and complex task for a service provider.
  • The best solution to this problem is PRIVATE VLANs: ports in the same subnet cannot communicate with each other when a private VLAN is applied.

PRIVATE VLANs:

Types:
  1. Promiscuous
  2. Isolated
  3. Community 
For more details, refer to: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/CLIConfigurationGuide/PrivateVLANs.pdf

Communication between Private VLAN types
Option 1: Only Isolated ports

Private VLAN - Isolated port
The service provider puts the switch ports in the isolated host role, so users in the same building can no longer communicate with each other, but they can still communicate with other buildings that use the same isolated ports. So, to enhance security further, the promiscuous type is introduced.

***Isolation is local to a switch: an isolated port cannot communicate with another isolated port of the same VLAN on the same switch, but it can communicate with an isolated port of the same VLAN on another switch.

If isolation is local to a switch, we could put each building in a different isolated VLAN, but that makes things more complex: more users, more SVIs on the switches. Hence, it is not a better solution.

Option 2: Isolated and Promiscuous ports

Promiscuous port associated with Isolated port
Locally the switch ports are isolated, but outbound traffic is handed to the promiscuous VLAN, so two VLANs are configured: a primary VLAN for isolation, which is associated with a secondary VLAN for the promiscuous port that acts as the gateway for the local switch.

Now security is also enhanced, and users are separated within the same subnet by Private VLANs while still connecting to the internet. The service provider is also happy and can provide connections as per user requirements.

Option 3: Community and Promiscuous ports

The only difference is that a few users are placed in the same community so they can communicate within the same building, but outbound traffic still goes through the promiscuous port to reach the internet.
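The forwarding rules behind the three options, as an added example that is not from the original notes: a Python model of one switch's private VLAN in which every port carries one of the three roles. The port names and community labels are constructed sample data; the rules follow the port-type definitions in the Cisco document linked above.

```python
# Added example (not from the original notes): a small model of which switch
# ports can exchange frames inside one private VLAN on a single switch, using
# the three port roles above. Port names and community labels are made up.
from dataclasses import dataclass
from itertools import combinations
from typing import Optional


@dataclass(frozen=True)
class Port:
    name: str
    role: str                         # "promiscuous", "isolated" or "community"
    community: Optional[str] = None   # only meaningful when role == "community"


def can_talk(a: Port, b: Port) -> bool:
    """True if a frame from port a may be forwarded to port b (and vice versa).

    Private VLAN rules:
      - a promiscuous port (the uplink/gateway) talks to every port;
      - an isolated port talks only to promiscuous ports;
      - a community port talks to promiscuous ports and to its own community.
    """
    if a == b:
        return True
    if "promiscuous" in (a.role, b.role):
        return True
    if a.role == "community" and b.role == "community":
        return a.community == b.community
    return False   # isolated<->isolated, isolated<->community, other community


def reachable(ports):
    """Map each port name to the sorted names of the other ports it can reach."""
    return {p.name: sorted(q.name for q in ports if q != p and can_talk(p, q))
            for p in ports}


def build_option(option: int):
    """Port sets for the three designs in the notes (constructed sample data)."""
    if option == 1:                       # only isolated ports, no uplink role
        return [Port("flat1", "isolated"), Port("flat2", "isolated")]
    if option == 2:                       # isolated hosts + promiscuous uplink
        return [Port("uplink", "promiscuous"),
                Port("flat1", "isolated"), Port("flat2", "isolated")]
    if option == 3:                       # communities + promiscuous uplink
        return [Port("uplink", "promiscuous"),
                Port("bldgA-1", "community", "bldgA"),
                Port("bldgA-2", "community", "bldgA"),
                Port("bldgB-1", "community", "bldgB")]
    raise ValueError("option must be 1, 2 or 3")


def is_symmetric(ports) -> bool:
    """Sanity check: forwarding permission must be the same in both directions."""
    return all(can_talk(a, b) == can_talk(b, a) for a, b in combinations(ports, 2))


if __name__ == "__main__":
    for opt in (1, 2, 3):
        print(f"Option {opt}: {reachable(build_option(opt))}")
```

Option 1 yields an empty reachability map because without a promiscuous port nothing on the switch can reach a gateway; options 2 and 3 differ only in whether ports of the same community see each other, which is the trade-off the notes describe between per-building isolation and per-building sharing.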



★CT21
Reference: https://rstforum.net/ (CCNP training)

VPN - IPSec

IPsec Process & Implementation


IPSec Process:

The most important protocol used by IPsec VPNs is the Internet Key Exchange (IKE) protocol. It is used for the negotiation and establishment of secure site-to-site or remote-access VPN tunnels.

IKE version 2 (IKEv2) is used.

To establish an IPsec tunnel successfully, both IKE phases must complete successfully.

IKE Phase I - Management Tunnel
  • This phase mainly focuses on negotiation and authentication.
  • It protects management traffic, not user packets.
  • Keepalive packets are used.
  • Negotiation of this phase succeeds only if both ends have the same hash algorithm, encryption algorithm, Diffie-Hellman (DH) group, authentication method and lifetime. These are also called the IKE phase 1 policies.

IKE Phase II - IPsec Tunnel
  • User packets are encrypted across untrusted networks between the VPN peers.
  • A hashing algorithm and an encryption algorithm are used to protect the user's packets; together they are called the IKE phase 2 policy.
  • Two modes are used - tunnel mode and transport mode [ For better understanding - http://www.firewall.cx/networking-topics/protocols/870-ipsec-modes.html ]

IPSec Implementation:


Figure 1

Firewall-to-firewall and router-to-router VPN configuration is slightly different. Cisco Packet Tracer is used here.

As per Figure 1, the configuration is between HQ and Branch 1, with firewalls.

IKE Phase I Configuration: (both peers must have the same policy)

!
crypto ikev1 policy 1              // policies to match with the peers
encr aes                           // encryption algorithm
hash md5                           // hash algorithm
authentication pre-share           // authentication method
group 5                            // Diffie-Hellman (DH) group
lifetime 3600                      // lifetime

!
object network Branch1_network
subnet 192.168.2.0 255.255.255.0
object network HQ_network
subnet 192.168.1.0 255.255.255.0
!
access-list out_crypto extended permit object HQ_network object Branch1_network
!
tunnel-group 200.200.200.2 type ipsec-l2l
tunnel-group 200.200.200.2 ipsec-attributes         //key for authentication
ikev1 pre-shared-key 12345

!
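To make the two checks in this configuration concrete, here is an added Python example (not Cisco code, and not part of the original notes) written from the HQ firewall's side. The policy attributes, the two object networks, the ACL and the peer address are the values from the configuration above; the Branch 1 policies it compares against are constructed, one matching and one with a different hash.

```python
# Added example (not Cisco code and not from the original notes): a Python
# model of two checks the configuration above performs, seen from the HQ side.
# Policy values, networks and peer address are the ones in the configuration;
# the Branch 1 policies used for comparison are constructed.
from ipaddress import ip_address, ip_network
from typing import Optional

# The five attributes that must agree for IKE phase 1 (the "policies" above)
PHASE1_ATTRS = ("encr", "hash", "authentication", "group", "lifetime")

HQ_POLICIES = [
    {"priority": 1, "encr": "aes", "hash": "md5",
     "authentication": "pre-share", "group": 5, "lifetime": 3600},
]


def negotiate_phase1(local, remote) -> Optional[dict]:
    """Return the lowest-numbered local policy that some remote policy matches
    on all five attributes, or None (phase 1 fails, so no tunnel is built)."""
    for lp in sorted(local, key=lambda p: p["priority"]):
        for rp in remote:
            if all(lp[a] == rp[a] for a in PHASE1_ATTRS):
                return lp
    return None


# access-list out_crypto: permit HQ_network -> Branch1_network
CRYPTO_ACL = [(ip_network("192.168.1.0/24"), ip_network("192.168.2.0/24"))]
PEER = "200.200.200.2"                 # crypto map / tunnel-group peer


def select_peer(src: str, dst: str, acl=CRYPTO_ACL, peer=PEER) -> Optional[str]:
    """Return the peer address if src->dst matches the crypto ACL ("interesting
    traffic", which is sent through the IPsec tunnel), else None (the packet
    leaves the outside interface in the clear)."""
    s, d = ip_address(src), ip_address(dst)
    for src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return peer
    return None


if __name__ == "__main__":
    branch_ok = [dict(HQ_POLICIES[0], priority=10)]      # same attributes
    branch_bad = [dict(HQ_POLICIES[0], hash="sha")]      # hash mismatch
    print("match:", negotiate_phase1(HQ_POLICIES, branch_ok) is not None)
    print("mismatch:", negotiate_phase1(HQ_POLICIES, branch_bad))
    print(select_peer("192.168.1.10", "192.168.2.20"))   # peer address
    print(select_peer("192.168.1.10", "8.8.8.8"))        # None
```

A mismatch in any one of the five attributes leaves negotiate_phase1 returning None, which is the situation behind a phase 1 that never reaches the established state shown later. select_peer returns None for traffic the crypto ACL does not cover, and the firewall sends such traffic out unencrypted rather than dropping it, so the ACL should name exactly the subnets that must be protected.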

Negotiation between HQ -- Branch 1

Phase I - Establishment

[ More information on Phase I states - https://www.tunnelsup.com/isakmp-ike-phase-1-status-messages/ ]

IKE Phase II Configuration:

!
crypto ipsec ikev1 transform-set HQ esp-aes 256 esp-sha-hmac
!
crypto map out_map 1 match address out_crypto          // access-list
crypto map out_map 1 set peer 200.200.200.2            // peer ip address
crypto map out_map 1 set ikev1 transform-set HQ        // ipsec transform set
crypto map out_map interface outside                   // interface applied
crypto ikev1 enable outside
!

Phase II state

Inbound & Outbound packet

Outbound packet details

IPSEC Information

Returning Packet

Download configuration & .pkt file:

★CT21
Reference: CCNA Security 210-260 Official Cert Guide

Subnetting Extra (Tips & Hints)

I. Bit to mask: (Magic Box for Subnetting)

Bit to Mask Table

It is easy to write a subnet mask as /8, /16...
What if you have to write it in bit format or decimal format?
For that you just have to remember this Magic Box (Bit to Mask Table).

So, we know:

/8 = 255.0.0.0
/16 = 255.255.0.0
/24 = 255.255.255.0
/32 = 255.255.255.255

What if we have /10, /27, /14...?

Using Magic Box,

/10 = /8 + /2 = 255.192.0.0 (2 is the number in the first row of the box; take the value below it)
/27 = /24 + /3 = 255.255.255.224
/14 = /8 + /6 = 255.252.0.0
/21 = /16 + /5 = 255.255.248.0

and so on...

**Count from the left.

For the wildcard mask, just invert the subnet mask:

/27 = 0.0.0.31
/21 = 0.0.7.255

and so on...
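The Magic Box as code, as an added example that is not part of the original notes: the table maps the number of bits taken from an octet (counted from the left) to that octet's value, and the functions cover both directions plus the wildcard inversion. It uses only the Python standard library; the ipaddress cross-check is there to confirm the table.

```python
# Added example (not from the original notes): the "Magic Box" lookup as code.
# The box maps how many of an octet's bits are set, counted from the left, to
# the octet's value; /10 = /8 + 2 bits, so the second octet is box[2] = 192.
from ipaddress import ip_network

MAGIC_BOX = {0: 0, 1: 128, 2: 192, 3: 224, 4: 240, 5: 248, 6: 252, 7: 254, 8: 255}


def prefix_to_mask(prefix: int) -> str:
    """/prefix -> dotted mask by splitting into full octets plus leftover bits."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix must be 0..32, got {prefix}")
    full, extra = divmod(prefix, 8)          # /27 -> 3 full octets + 3 bits
    octets = [255] * full
    if extra:
        octets.append(MAGIC_BOX[extra])      # the value "below" the bit count
    octets += [0] * (4 - len(octets))
    return ".".join(map(str, octets))


def mask_to_wildcard(mask: str) -> str:
    """Wildcard mask = every octet inverted (255 - value)."""
    return ".".join(str(255 - int(o)) for o in mask.split("."))


def mask_to_prefix(mask: str) -> int:
    """Dotted mask -> /prefix, rejecting non-contiguous masks such as 255.0.255.0."""
    value = 0
    for o in mask.split("."):
        value = (value << 8) | int(o)
    ones = bin(value).count("1")
    if value != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"{mask} is not a contiguous subnet mask")
    return ones


def matches_stdlib(prefix: int) -> bool:
    """Cross-check the table against ipaddress, which computes the mask directly."""
    return prefix_to_mask(prefix) == str(ip_network(f"0.0.0.0/{prefix}").netmask)


if __name__ == "__main__":
    for p in (10, 27, 14, 21):
        m = prefix_to_mask(p)
        print(f"/{p} = {m}  wildcard {mask_to_wildcard(m)}")
```

The contiguity check in mask_to_prefix matters when masks come from hand-typed ACLs: a value like 255.0.255.0 has sixteen one bits but is not a prefix, and treating it as /16 would silently widen or narrow what a rule matches.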


II. Host requirement is larger

Example: 16.20.0.0/16, requirement 1000 hosts.

According to the host point of view of subnetting,

  • 1000+2 = 1002
  • 2^10 = 1024: 10 bits on the host side and 1024 addresses for hosts.
  • 32-10 = 22 bits on the network side
  • 16.20.0.0/22
Now, how will you divide it into blocks?
  • 1024/256 = 4: an octet can hold 256 values (0-255), so each subnet needs 4 blocks of 256 (4x256)
Block 1: 16.20.0.0 - 16.20.3.255 /22
Block 2: 16.20.4.0 - 16.20.7.255 /22
...
Block last: 16.20.252.0 - 16.20.255.255 /22




★CT21
Reference: https://rstforum.net/ (CCNA training)

How to do Subnetting?


Easy way to do SUBNETTING

Example:

If you want to design your network and connect the HQ and branches using one IP block, you need subnetting.
The diagram below will help in understanding subnetting.


An IP address has a NETWORK side and a HOST side. **IP addressing.

**The SUBNET MASK always tells you the number of bits on the network side.

So, subnetting can be done in 2 ways:
  1. Host side subnetting
  2. Network side subnetting

I. HOST SIDE SUBNETTING:

If you want to design from the host point of view, collect the total number of hosts in your network according to the branches and connectivity.

Branch1 = 12 hosts;
Branch2 = 24 hosts;
Branch3 = 28 hosts;
Branch4 = 30 hosts;
Connectivity = 2 hosts;

Process:
  • Identify which branch has the largest requirement (Branch4), because if you break the network according to a smaller branch, Branch4 will have a shortage of IPs.
    • Branch4 = 30 hosts
  • Add 2 more hosts (30+2=32) because, as you know, a block of IP addresses contains a network address and a broadcast address, which cannot be used as host addresses.
  • Now match the nearest 2^n to that value
    • 2^5=32, n=5
      • 'n' is the number of bits on the host side: 5 bits on the host side.
      • 32 is the total number of host addresses.
  • An IP address has 32 bits in total and we have taken 5 bits for the host side. So, 32-5=27: 27 bits on the network side.
    • 16.20.20.0/27
  • We have successfully subnetted from /24 to /27; the 3 extra bits on the network side are used for our subnet blocks.
  • Now you can assign these blocks to each of your branches and connectivity links; each block is a single subnet (can be switched).
  • Remember the first address is the network address (16.20.20.0) and the last address is the broadcast address (16.20.20.31); they cannot be used for hosts.
    • If you want to use them, use the command:
      • ip subnet-zero
  • This method is Fixed Length Subnet Mask (FLSM).
  • The disadvantage is that many IPs are wasted or unused in your network. To avoid this, we use VLSM - Variable Length Subnet Mask.

II. NETWORK SIDE SUBNETTING:

If you want to design subnetting from the network point of view, collect the number of networks needed.

Process:
  • We need 8 networks. There is no need to add 2 more to the networks as we did in the host process.
  • Nearest 2^n to the number of networks required: 8=2^3
    • Where 'n' is the number of bits to add to the network side: we have to add 3 bits.
  • As per our example, there are 24 bits on the network side, so we have to take 3 more bits.
    • 24+3=27 bits on the network side
  • An IP address has 32 bits in total
    • 32-27=5: 5 bits on the host side
    • 2^5=32 (same as the host point of view): 32 host addresses.
  • We have successfully done subnetting.

III. VLSM:

Since there are too many wasted or unused IP addresses in FLSM, we use VLSM to overcome this disadvantage of FLSM.

  • We need 2 hosts on each link between HQ and the branches, so apply the host point of view process and you obtain:
    • 16.20.20.0/30
  • Do the same for each link:
    • 16.20.20.4/30; 16.20.20.8/30; 16.20.20.12/30
  • Similarly, for each branch according to its hosts, continue from the blocks above with your IP subnetting:
    • Branch1 = 16.20.20.16/28
    • Branch2 = 16.20.20.32/27
    • Branch3 = 16.20.20.64/27
    • Branch4 = 16.20.20.96/27
  • So, if you notice, we have saved lots of IPs that can be used if we want to extend the network (adding another branch office).
  • Finally, the subnetting design for our example is as follows:
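The host-side, network-side and VLSM procedures above, together with the 1000-host case from the Subnetting Extra post, as one added Python example that is not part of the original notes. The requirements are those of the examples (four 2-host links, Branch1..4 with 12, 24, 28 and 30 hosts, base 16.20.20.0/24; 1000 hosts in 16.20.0.0/16); allocating the links first, in the order the notes list them, is an assumption that reproduces the notes' addresses.

```python
# Added example (not from the original notes): the host-side, network-side and
# VLSM procedures as functions. Requirements are the ones from the notes; the
# allocation order (links first, then Branch1..4) is an assumption.
from ipaddress import IPv4Network


def hosts_to_prefix(hosts: int) -> int:
    """Host side: add network + broadcast, round up to 2^n, prefix = 32 - n."""
    if hosts < 1:
        raise ValueError("need at least one host")
    needed = hosts + 2                      # 30 -> 32, 1000 -> 1002
    n = (needed - 1).bit_length()           # smallest n with 2^n >= needed
    return 32 - n                           # 32 - 5 = /27, 32 - 10 = /22


def networks_to_prefix(base_prefix: int, networks: int) -> int:
    """Network side: add n = ceil(log2(networks)) bits to the network side; no +2."""
    if networks < 1:
        raise ValueError("need at least one network")
    n = (networks - 1).bit_length()         # 8 networks -> 3 bits
    return base_prefix + n                  # /24 + 3 = /27


def flsm_blocks(base: str, new_prefix: int) -> list:
    """FLSM: cut the base into equal blocks of the new prefix length."""
    return list(IPv4Network(base).subnets(new_prefix=new_prefix))


def vlsm_allocate(base: str, requirements) -> dict:
    """VLSM: one subnet per (name, hosts), in the order given. Each block is
    sized with hosts_to_prefix and must start on a multiple of its own size,
    so an unaligned cursor is bumped forward (addresses in the gap are lost).
    Raises ValueError when the base block is exhausted."""
    net = IPv4Network(base)
    cursor = int(net.network_address)
    limit = int(net.broadcast_address) + 1
    result = {}
    for name, hosts in requirements:
        prefix = hosts_to_prefix(hosts)
        size = 1 << (32 - prefix)
        cursor = -(-cursor // size) * size          # round up to alignment
        if cursor + size > limit:
            raise ValueError(f"{base} exhausted while allocating {name}")
        result[name] = IPv4Network((cursor, prefix))
        cursor += size
    return result


# The notes' example: four point-to-point links, then the four branches
REQUIREMENTS = [("link1", 2), ("link2", 2), ("link3", 2), ("link4", 2),
                ("Branch1", 12), ("Branch2", 24), ("Branch3", 28), ("Branch4", 30)]


def addresses_used(plan: dict) -> int:
    """Total addresses consumed by a plan, to compare FLSM against VLSM."""
    return sum(n.num_addresses for n in plan.values())


if __name__ == "__main__":
    p = hosts_to_prefix(1000)
    print(f"/16 with 1000 hosts -> /{p}", flsm_blocks("16.20.0.0/16", p)[:2], "...")
    print(f"8 networks from /24 -> /{networks_to_prefix(24, 8)}")
    for name, subnet in vlsm_allocate("16.20.20.0/24", REQUIREMENTS).items():
        print(f"{name:8} {subnet}  usable hosts: {subnet.num_addresses - 2}")
```

vlsm_allocate aligns every block to its own size, so an order that puts a small block before a large one can leave an unused gap (a /30 followed directly by a /27 skips 16.20.20.4 through 16.20.20.31). Allocating the largest requirement first avoids that, which is why VLSM guides usually sort by host count descending; the notes' order works here only because the four /30 links together fill exactly one /28. For the notes' example the eight subnets use 128 addresses, against 256 for the FLSM design in which every branch and link gets a /27.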



★CT21
Reference: https://rstforum.net/ (CCNA training)

Why Subnetting?

The Internet Assigned Numbers Authority (IANA) provides the IP addresses.

**Remember:
Subnet - If the mask is longer than the given mask, it is called a SUBNET.
eg: 130.20.20.0/26

Supernet - If the mask is shorter than the given mask, it is called a SUPERNET.
eg: 130.20.20.0/8

SUBNETTING means breaking the network.

Why Subnetting (break the network)?

Reason 1: An organization took an IP block from IANA for connecting its branches. eg: 16.0.0.0/8

All organisations have multiple locations (geographically separated) that are connected to each other over a MAN or WAN (serial link), so we have to use ROUTERS to connect them, and a router routes between networks. So each branch will be in a different network.

Hence, we have to break the IPs into different networks (subnetting).

Reason 2: If the organisation uses the same subnet IPs throughout the network (Layer 2).

Theoretically, we could design a Layer 2 only (EoSDH) network to connect everything, but practically it would degrade network performance.

  • Flat Layer 2 disadvantages - broadcasts reach all ports on all branch switches (and multiple applications are running), bandwidth problems because of the broadcasts, and processing (I/O) on the computers too high because of the broadcasts.

So a router is required to block the broadcasts, and hence subnetting is necessary.

Reason 3: We are running out of new IPv4 addresses, so break (subnet) one IPv4 block into multiple networks.

★CT21
Reference: https://rstforum.net/ (CCNA training)