Private VLAN


Private VLAN Architecture Explanation:



The service provider has a ring topology in each area to give its customers connectivity to the Internet, as shown in the diagram above. It is a fiber ring connected to an aggregation switch that passes customer traffic towards the Internet; before that traffic reaches the Internet, Broadband Policy Management (BPM) is applied to control each customer's bandwidth according to the plan purchased.

In the diagram the ring connects three areas, but the explanation focuses on area 3 only.

Why do we need Private VLANs?
  • In area 3, all buildings are in the same IP subnet provided by the service provider, so one customer could take an Internet connection and the others could share it, or that customer could ask the others to pay him instead of the SP, because they are all in the same subnet. Most importantly, security is weak.
  • To improve security we would have to split them into more VLANs (subnets) so that they cannot communicate with each other, but more subnets waste IP addresses and mean more SVIs on the switches, more processing and more CPU cycles. A separate subnet for every home is a huge and complex task for a service provider.
  • The best solution to this problem is PRIVATE VLANs: once a private VLAN is applied, ports in the same subnet cannot communicate with each other.

PRIVATE VLANs:

Types:
  1. Promiscuous
  2. Isolated
  3. Community 
For more details refer: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/CLIConfigurationGuide/PrivateVLANs.pdf

Communication between Private VLAN types
Option 1: Only Isolated ports

Private VLAN - Isolated port
The service provider puts the switch ports in an isolated host VLAN, so users in the same building can no longer communicate with each other, but they can still communicate with other buildings that use the same isolated VLAN. To enhance security further, the promiscuous type is introduced.

***Isolation is local to a switch: an isolated port cannot communicate with another isolated port of the same isolated VLAN on the same switch, but it can communicate with an isolated port of the same VLAN on another switch.

If isolation is local to a switch, we could put each building in a different isolated VLAN, but that makes things more complex: more users, more SVIs on the switches. Hence it is not a better solution.

Option 2: Isolated and Promiscuous ports


Promiscuous port associated with Isolated port 
Locally the switch ports are isolated, but outbound traffic is carried by the promiscuous VLAN. Two VLANs are therefore configured: a primary VLAN for isolation, which is associated with a secondary VLAN for the promiscuous port that acts as the gateway for the local switch.

Now security is also enhanced, and users are separated within the same subnet by Private VLANs while still reaching the Internet. The service provider is also happy and can provide connections as per user requirements.

Option 3: Community and Promiscuous ports

The only difference is that a few users are placed in the same community so that they can communicate within the same building, while outbound traffic still goes through the promiscuous port to reach the Internet.
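As an added illustration (my own Python, not part of these notes and not Cisco code), the following models the forwarding rules of the three port types discussed in Options 1 to 3 within a single switch: an isolated port reaches only the promiscuous port, community ports also reach their own community, and the promiscuous port reaches everything. The port names and the building layout are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Port roles from the three private VLAN types discussed above.
PROMISCUOUS = "promiscuous"
ISOLATED = "isolated"
COMMUNITY = "community"


@dataclass(frozen=True)
class Port:
    name: str
    ptype: str                       # PROMISCUOUS, ISOLATED or COMMUNITY
    community: Optional[str] = None  # community VLAN id, community ports only


def can_forward(src: Port, dst: Port) -> bool:
    """Decide whether a frame entering on src may leave on dst.

    Both ports are assumed to sit in the same primary VLAN on one switch,
    so only the private VLAN port types decide the outcome.
    """
    if src == dst:
        return False
    # The promiscuous port (the uplink / gateway) talks to every host port.
    if PROMISCUOUS in (src.ptype, dst.ptype):
        return True
    # Isolated hosts reach nothing but the promiscuous port.
    if ISOLATED in (src.ptype, dst.ptype):
        return False
    # Both ports are community ports: allowed only inside one community.
    return src.community is not None and src.community == dst.community


def reachable(src: Port, ports: list[Port]) -> list[str]:
    """Names of all ports that src can send frames to, in sorted order."""
    return sorted(p.name for p in ports if can_forward(src, p))


def building_example() -> dict[str, list[str]]:
    """Constructed sample: one uplink, two isolated flats, one shared office."""
    ports = [
        Port("Gi0/1", PROMISCUOUS),            # uplink towards the aggregation switch
        Port("Gi0/2", ISOLATED),               # flat A
        Port("Gi0/3", ISOLATED),               # flat B
        Port("Gi0/4", COMMUNITY, "office"),    # office, host 1
        Port("Gi0/5", COMMUNITY, "office"),    # office, host 2
    ]
    return {p.name: reachable(p, ports) for p in ports}


if __name__ == "__main__":
    for name, peers in building_example().items():
        print(f"{name} -> {', '.join(peers) or '(none)'}")
```

Running it prints one line per port; the two flats see only the uplink, the two office hosts see the uplink and each other, and the uplink sees all four, which is exactly the separation the SP wants inside a single subnet.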



★CT21
Reference: https://rstforum.net/ (CCNP training)

VPN - IPSec

IPsec Process & Implementation


IPSec Process:

The most important protocol used by IPsec VPNs is the Internet Key Exchange (IKE) protocol. It is used for the negotiation and establishment of secure site-to-site or remote-access VPN tunnels.

IKE version 2 (IKEv2) is used.

To establish an IPsec tunnel successfully, both IKE phases must complete successfully.

IKE Phase I - Management Tunnel
  • This phase mainly focuses on negotiation and authentication.
  • It protects management traffic, not user packets.
  • Keepalive packets are used.
  • Successful negotiation of this phase is possible only if both ends have the same hash algorithm, encryption algorithm, Diffie-Hellman (DH) group, authentication method and lifetime. These are also called the IKE phase 1 policies.

IKE Phase II - IPsec Tunnel
  • User packets are encrypted across untrusted networks between the VPN peers.
  • A hashing and an encryption algorithm are used to protect the user's packets; this is also called the IKE Phase 2 policy.
  • Two modes are used: Tunnel mode and Transport mode [ For better understanding - http://www.firewall.cx/networking-topics/protocols/870-ipsec-modes.html ]

IPSec Implementation:


[Figure 1]

Firewall-to-firewall and router-to-router VPN configuration differ slightly. The configuration below was built in Cisco Packet Tracer.

As per Figure 1, the configuration is between HQ and Branch 1, with a firewall on each side.

IKE Phase I Configuration: (both peers must have the same policy)

!
crypto ikev1 policy 1                               // policy that must match the peer's
 encryption aes                                     // encryption algorithm
 hash md5                                           // hash algorithm
 authentication pre-share                           // authentication method
 group 5                                            // Diffie-Hellman (DH) group
 lifetime 3600                                      // lifetime in seconds
!
object network Branch1_network
 subnet 192.168.2.0 255.255.255.0
object network HQ_network
 subnet 192.168.1.0 255.255.255.0
!
access-list out_crypto extended permit ip object HQ_network object Branch1_network
!
tunnel-group 200.200.200.2 type ipsec-l2l
tunnel-group 200.200.200.2 ipsec-attributes         // key for authentication
 ikev1 pre-shared-key 12345
!
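To make the "both peers must have the same policy" rule concrete, here is an added Python example (mine, not from the notes, the cert guide or Cisco). It parses ikev1 policy blocks written in the style of the listing above, replays the responder's first-match selection across the four attributes that have to agree, and flags settings that current guidance treats as weak. The default values for attributes a policy leaves unset, and the branch-side policies, are assumptions of the example. It goes one step beyond the bullet list in one respect: per Cisco's documented behaviour, lifetime does not have to be identical, the shorter of the two is used.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed ASA defaults for attributes a policy does not set (an assumption
# of this example, not taken from the page).
DEFAULTS = dict(encryption="3des", hash="sha", authentication="pre-share",
                group=2, lifetime=86400)
# Settings current guidance treats as weak; used only for reporting.
WEAK_ENCRYPTION, WEAK_HASH, WEAK_GROUPS = {"des", "3des"}, {"md5"}, {1, 2, 5}


@dataclass(frozen=True)
class Ikev1Policy:
    priority: int
    encryption: str
    hash: str
    authentication: str
    group: int
    lifetime: int


def parse_ikev1_policies(config: str) -> list[Ikev1Policy]:
    """Parse 'crypto ikev1 policy N' blocks from ASA-style text; '//' notes
    as in the listing above are ignored. Returns policies by priority."""
    policies, current = [], None
    for raw in config.splitlines():
        words = raw.split("//", 1)[0].split()
        if not words or words[0] == "!":
            continue
        if words[:3] == ["crypto", "ikev1", "policy"]:
            if current:
                policies.append(Ikev1Policy(**current))
            current = dict(DEFAULTS, priority=int(words[3]))
        elif current and words[0] in ("encryption", "encr", "hash", "authentication"):
            key = "encryption" if words[0] == "encr" else words[0]
            current[key] = words[1]
        elif current and words[0] in ("group", "lifetime"):
            current[words[0]] = int(words[1])
        else:                       # any other command ends the policy block
            if current:
                policies.append(Ikev1Policy(**current))
            current = None
    if current:
        policies.append(Ikev1Policy(**current))
    return sorted(policies, key=lambda p: p.priority)


def negotiate_phase1(initiator, responder) -> Optional[tuple[int, int, int]]:
    """The responder walks its own policies by priority and takes the first
    that matches one of the initiator's on encryption, hash, authentication
    and DH group. Returns (initiator priority, responder priority, lifetime);
    the shorter lifetime wins. None means phase 1 cannot complete."""
    for r in responder:
        for i in initiator:
            if (i.encryption, i.hash, i.authentication, i.group) == \
                    (r.encryption, r.hash, r.authentication, r.group):
                return i.priority, r.priority, min(i.lifetime, r.lifetime)
    return None


def weak_settings(policy: Ikev1Policy) -> list[str]:
    """Report policy attributes that should be replaced before deployment."""
    findings = []
    if policy.encryption in WEAK_ENCRYPTION:
        findings.append(f"encryption {policy.encryption}")
    if policy.hash in WEAK_HASH:
        findings.append(f"hash {policy.hash}")
    if policy.group in WEAK_GROUPS:
        findings.append(f"group {policy.group}")
    return findings


# HQ: the policy from the listing above. Branch: constructed sample with a
# stronger policy first and a matching one second.
HQ_CONFIG = """
crypto ikev1 policy 1
 encryption aes
 hash md5
 authentication pre-share
 group 5
 lifetime 3600
"""
BRANCH_CONFIG = """
crypto ikev1 policy 10
 encryption aes-256
 hash sha
 authentication pre-share
 group 14
crypto ikev1 policy 20
 encryption aes
 hash md5
 authentication pre-share
 group 5
"""

if __name__ == "__main__":
    hq, branch = parse_ikev1_policies(HQ_CONFIG), parse_ikev1_policies(BRANCH_CONFIG)
    print("agreed:", negotiate_phase1(hq, branch))
    print("weak in HQ policy 1:", weak_settings(hq[0]))
```

With these inputs the branch's policy 10 is skipped because nothing on the HQ side matches it, policy 20 matches HQ policy 1, and the 3600-second HQ lifetime is the one that applies; the audit function shows why the lab's md5/group 5 choices would be replaced in a production policy.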

[Figure: Negotiation between HQ -- Branch 1]

[Figure: Phase I - Establishment]

[ More information on Phase I states - https://www.tunnelsup.com/isakmp-ike-phase-1-status-messages/ ]

IKE Phase II Configuration:

!
crypto ipsec ikev1 transform-set HQ esp-aes-256 esp-sha-hmac
!
crypto map out_map 1 match address out_crypto        // crypto ACL (interesting traffic)
crypto map out_map 1 set peer 200.200.200.2          // peer IP address
crypto map out_map 1 set ikev1 transform-set HQ      // IPsec transform set
crypto map out_map interface outside                 // interface the map is applied to
crypto ikev1 enable outside
!
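The crypto ACL referenced by "match address" decides which packets are sent through the IPsec SA and which go out in the clear, and the peer's ACL has to be its mirror image or phase 2 will not come up. The following added Python example (mine, not from the notes or Cisco) parses the object/ACL lines in the form used above, classifies sample packets the way the crypto map would, and checks that two peers' ACLs mirror each other. The branch-side configuration is a constructed mirror of the HQ listing; the transform set itself is not modelled.

```python
import ipaddress
from dataclasses import dataclass

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class CryptoAce:
    action: str   # "permit" (protect with IPsec) or "deny" (send in the clear)
    src: IPv4Net
    dst: IPv4Net


def parse_crypto_acl(config: str, acl_name: str) -> list[CryptoAce]:
    """Resolve 'object network' definitions and build the named crypto ACL.

    Covers the subset used in the listing above: 'object network NAME' with
    'subnet ADDR MASK', and 'access-list NAME extended permit|deny ip
    object SRC object DST'. '//' notes are ignored.
    """
    objects: dict[str, IPv4Net] = {}
    aces: list[CryptoAce] = []
    current_obj = None
    for raw in config.splitlines():
        words = raw.split("//", 1)[0].split()
        if not words or words[0] == "!":
            continue
        if words[:2] == ["object", "network"]:
            current_obj = words[2]
            continue
        if words[0] == "subnet" and current_obj:
            objects[current_obj] = IPv4Net(f"{words[1]}/{words[2]}")
            continue
        current_obj = None            # any other command ends the object
        if words[0] == "access-list" and len(words) >= 9 and words[1] == acl_name:
            action, src, dst = words[3], objects[words[6]], objects[words[8]]
            aces.append(CryptoAce(action, src, dst))
    return aces


def classify(acl: list[CryptoAce], src_ip: str, dst_ip: str) -> str:
    """First-match lookup, as the crypto map does for outbound traffic:
    'encrypt' on a permit hit, 'clear' on a deny hit or when nothing matches."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return "encrypt" if ace.action == "permit" else "clear"
    return "clear"


def mirror(acl: list[CryptoAce]) -> list[CryptoAce]:
    """The crypto ACL the peer needs: the same entries with src and dst swapped."""
    return [CryptoAce(a.action, a.dst, a.src) for a in acl]


def is_mirror(local: list[CryptoAce], remote: list[CryptoAce]) -> bool:
    """True when the two peers' crypto ACLs are exact mirror images."""
    return mirror(local) == remote


# HQ side: the objects and ACL from the listing above. Branch side: a
# constructed mirror image of it.
HQ_CONFIG = """
object network Branch1_network
 subnet 192.168.2.0 255.255.255.0
object network HQ_network
 subnet 192.168.1.0 255.255.255.0
access-list out_crypto extended permit ip object HQ_network object Branch1_network
"""
BRANCH_CONFIG = """
object network Branch1_network
 subnet 192.168.2.0 255.255.255.0
object network HQ_network
 subnet 192.168.1.0 255.255.255.0
access-list out_crypto extended permit ip object Branch1_network object HQ_network
"""

if __name__ == "__main__":
    hq = parse_crypto_acl(HQ_CONFIG, "out_crypto")
    branch = parse_crypto_acl(BRANCH_CONFIG, "out_crypto")
    print("HQ LAN -> Branch LAN:", classify(hq, "192.168.1.10", "192.168.2.20"))
    print("HQ LAN -> Internet:  ", classify(hq, "192.168.1.10", "203.0.113.5"))
    print("ACLs mirror each other:", is_mirror(hq, branch))
```

Only HQ-LAN-to-Branch-LAN traffic is classified as "encrypt"; anything else leaving the outside interface, Internet-bound traffic included, bypasses the tunnel, which is why the crypto ACL should be kept as narrow as the listing above has it.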

[Figure: Phase II state]

[Figure: Inbound & Outbound packet]

[Figure: Outbound packet details]

[Figure: IPSEC Information]

[Figure: Returning Packet]

Download configuration & .pkt file:

 ★CT21
Reference: CCNA Security 210-260 Official Cert Guide