ISP core routing project

ISP CORE ROUTING
By: Vishal Sharma
Visit: www.ciscoz.com
http://www.ciscoz.com/2014/04/isp-core-routing-topology/

Description: ISP core routing

Transcript of ISP core routing project

Page 1: ISP core routing project

ISP CORE ROUTING
By: Vishal Sharma
Visit: www.ciscoz.com

Page 2: ISP core routing project

Introduction to Project

The WAN is the networking infrastructure that provides an IP-based interconnection between remote sites that are separated by large geographic distances.

This project was implemented to demonstrate how the company accesses its servers through the Internet.

By using sophisticated technology such as Multiprotocol Label Switching (MPLS), the issue of delays can be eliminated.

MPLS Layer 3 VPNs use a peer-to-peer VPN model that leverages the Border Gateway Protocol (BGP) to distribute VPN-related information.

http://www.ciscoz.com/2014/04/isp-core-routing-topology/

Page 3: ISP core routing project


Layout of project

Page 4: ISP core routing project


Features of the Project

1. MPLS Layer 3 VPN
2. IPv6 Network with IPv6 DNS server
3. Redundancy
4. Dynamic Routing Protocols
5. Linux Server
6. Security

Page 5: ISP core routing project


MPLS Layer 3 VPN

MPLS stands for Multiprotocol Label Switching. It is a mechanism in high-performance telecommunications networks that directs data from one network node to the next based on short path labels rather than long network addresses, avoiding complex lookups in a routing table.

The labels identify virtual paths between distant nodes rather than endpoints. MPLS can encapsulate packets of various network protocols, such as ATM, Frame Relay, etc.

MPLS operates at a layer that is generally considered to lie between traditional definitions of layer 2 (data link layer) and layer 3 (network layer), and thus is often referred to as a "layer 2.5" protocol.

Page 6: ISP core routing project


MPLS L3VPN is a kind of PE-based L3VPN technology for service provider VPN solutions. It uses BGP to advertise VPN routes and uses MPLS to forward VPN packets on service provider backbones.

MPLS-labeled packets are switched after a label lookup/switch instead of a lookup into the IP table. When MPLS was conceived, label lookup and label switching were faster than a routing table or RIB (Routing Information Base) lookup.

An MPLS-based VPN connects geographically separate branches of a private network into a single network by using LSPs (label switched paths).

Page 7: ISP core routing project


Fundamental components of an MPLS Network

1. Label Switching Router (LSR)
2. Label Switched Path (LSP)
3. Provider (P) router
4. Provider Edge router (PE)
5. Customer Edge device (CE)
6. Label Distribution Protocol (LDP)

Page 8: ISP core routing project


Label Switching Router :- A router that performs forwarding based only on the label is called a label switch router (LSR). This type of router is located in the middle of an MPLS network and is responsible for switching the labels used to route packets.

When an LSR receives a packet, it uses the label included in the packet header as an index into a lookup table to determine the next hop on the label-switched path (LSP) and the corresponding outgoing label for the packet.

The old label is then removed from the header and replaced with the new label before the packet is forwarded.

A label edge router (LER, also known as an edge LSR) is a router that operates at the edge of an MPLS network and acts as the entry and exit point for the network. An ingress LER pushes an MPLS label onto an incoming packet, and an egress LER pops the label off the outgoing packet.

Page 9: ISP core routing project


Provider router :- In an MPLS-based virtual private network (VPN), LERs that function as ingress and/or egress routers to the VPN are often called PE (Provider Edge) routers. Devices that function only as transit routers are similarly called P (Provider) routers.

Label Distribution Protocol :- Labels are distributed between LERs and LSRs using the Label Distribution Protocol (LDP). LSRs in an MPLS network regularly exchange label and reachability information with each other using standardized procedures, in order to build a complete picture of the network that they can then use to forward packets.

Page 10: ISP core routing project


Label Distribution Protocol (LDP) - Purpose

Label distribution ensures that adjacent routers have a common view of FEC <-> label bindings.

Figure: an IP packet for 47.80.55.3 traverses LSR1 -> LSR2 -> LSR3.

LSR1 routing table: Addr-prefix 47.0.0.0/8, Next Hop LSR2
LSR2 routing table: Addr-prefix 47.0.0.0/8, Next Hop LSR3

LSR2 advertises to LSR1: "For 47.0.0.0/8 use label '17'"

LSR1 Label Information Base: Label-In XX, FEC 47.0.0.0/8, Label-Out 17
LSR2 Label Information Base: Label-In 17, FEC 47.0.0.0/8, Label-Out XX

Step 1: LSR creates a binding between the FEC and a label value
Step 2: LSR communicates the binding to the adjacent LSR
Step 3: LSR inserts the label value into its forwarding base

Result: a common understanding of which FEC the label is referring to!

Label distribution can either piggyback on top of an existing routing protocol, or a dedicated label distribution protocol (LDP) can be created.
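The three LDP steps above and the push/swap/pop behaviour of the LSR and LER slides, as a small added simulation (this is not code from the original slides). LSR1..LSR3, the FEC 47.0.0.0/8, the packet for 47.80.55.3 and label 17 come from the figure; label 20 at LSR3, the per-router label pools and the downstream-unsolicited style of distribution are assumptions made to keep the model small.

```python
"""Toy model of LDP label binding (steps 1-3) and MPLS label switching.

Added example, not code from the original slides. LSR1..LSR3, the FEC
47.0.0.0/8, the packet for 47.80.55.3 and label 17 come from the slide;
label 20 at LSR3 and the downstream-unsolicited distribution are constructed
assumptions to keep the model small.
"""
import ipaddress

FEC = ipaddress.ip_network("47.0.0.0/8")


class LSR:
    def __init__(self, name, first_label, next_hop=None):
        self.name = name
        self.next_hop = next_hop            # downstream neighbour name (None at the egress)
        self._next_label = first_label      # constructed local label pool
        self.lib = {}                       # FEC -> {"in": label|None, "out": label|None}
        self.lfib = {}                      # incoming label -> outgoing label (None = pop)

    def create_binding(self, fec):
        """Step 1: bind a locally significant label to the FEC."""
        label = self._next_label
        self._next_label += 1
        self.lib.setdefault(fec, {"in": None, "out": None})["in"] = label
        return label

    def learn_binding(self, fec, label):
        """Step 2 (upstream side): record the neighbour's label as our outgoing label."""
        self.lib.setdefault(fec, {"in": None, "out": None})["out"] = label

    def install_forwarding(self):
        """Step 3: copy the LIB bindings into the label forwarding base."""
        for entry in self.lib.values():
            if entry["in"] is not None:
                self.lfib[entry["in"]] = entry["out"]

    def forward(self, packet):
        """Apply this LSR's label operation; return (next_hop, packet_out)."""
        if packet["label"] is None:                     # unlabeled: ingress LER pushes
            dst = ipaddress.ip_address(packet["dst"])
            for fec, entry in self.lib.items():
                if dst in fec and entry["out"] is not None:
                    return self.next_hop, {**packet, "label": entry["out"]}
            raise LookupError(f"{self.name}: no label binding for {packet['dst']}")
        if packet["label"] not in self.lfib:
            raise LookupError(f"{self.name}: unknown incoming label {packet['label']}")
        out_label = self.lfib[packet["label"]]
        # swap at a transit LSR; pop at the egress LER (no outgoing label)
        return self.next_hop, {**packet, "label": out_label}


def distribute_labels(chain, fec):
    """Downstream-unsolicited LDP: every LSR with an upstream neighbour binds a
    label (step 1) and advertises it to that neighbour (step 2); then every LSR
    installs its bindings into the forwarding base (step 3)."""
    for upstream, downstream in zip(chain, chain[1:]):
        upstream.learn_binding(fec, downstream.create_binding(fec))
    for lsr in chain:
        lsr.install_forwarding()


def trace(chain, dst):
    """Walk a packet for dst along the chain; return [(lsr, label_in, label_out), ...]."""
    by_name = {lsr.name: lsr for lsr in chain}
    hops, packet, current = [], {"dst": dst, "label": None}, chain[0]
    while current is not None:
        label_in = packet["label"]
        next_hop, packet = current.forward(packet)
        hops.append((current.name, label_in, packet["label"]))
        current = by_name.get(next_hop)
    return hops


def build_chain():
    """Constructed chain LSR1 -> LSR2 -> LSR3 with labels distributed for the FEC."""
    chain = [LSR("LSR1", 30, next_hop="LSR2"), LSR("LSR2", 17, next_hop="LSR3"), LSR("LSR3", 20)]
    distribute_labels(chain, FEC)
    return chain


if __name__ == "__main__":
    chain = build_chain()
    for lsr in chain:   # mirrors the slide's LIB tables: XX means "no label"
        e = lsr.lib[FEC]
        print(f"{lsr.name}: Label-In {e['in'] or 'XX'}  FEC {FEC}  Label-Out {e['out'] or 'XX'}")
    for name, label_in, label_out in trace(chain, "47.80.55.3"):
        print(f"{name}: in={label_in} out={label_out}")
```

Running it prints LSR1 with Label-In XX and Label-Out 17, LSR2 with Label-In 17, exactly as in the figure, and then the packet's path: push at LSR1, swap at LSR2, pop at LSR3. A destination outside 47.0.0.0/8 raises a LookupError at LSR1 because no binding exists, which is the situation where a real LER falls back to plain IP forwarding.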

Page 11: ISP core routing project


IPv6 Network with IPv6 DNS server

IPv6 is a version of the Internet Protocol. An IPv6 address is 128 bits long.

Communication of IPv6 with IPv4:

1. IPv6 Tunnelling over IPv4 Network
2. Dual Stacking

Page 12: ISP core routing project


IPv6 Tunnelling over IPv4 Network

Figure: IPv6 Tunnel source_router --- IPv4_router --- IPv6 Tunnel Des_router, with the IPv6 tunnel running end to end across the IPv4_router.

IPv6 tunnelling is one of the methods for IPv6 networks to communicate across an IPv4 network.

The IPv6 tunnel is made between two routers that are enabled with IPv6 addresses. IPv4_router is the network with only IPv4 addresses enabled; there is no IPv6 address on this router. The IPv6 tunnel runs directly over this IPv4_router network.

On both routers, IPv6 Tunnel source router and des router, a tunnel interface has been created on which IPv6 addresses have been assigned to communicate.
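What the tunnel interfaces on the two IPv6 routers actually do to a packet, as an added example that is not part of the original project: the source router wraps the IPv6 packet in an IPv4 header with protocol number 41, and the destination router unwraps it only after checking that the outer packet really is protocol 41 from its configured tunnel peer. The router names follow the slide; the IPv4 and IPv6 addresses are constructed sample values.

```python
"""Constructed model of an IPv6-over-IPv4 tunnel (6in4, IP protocol 41).

Added example, not code from the original slides. The IPv4/IPv6 addresses
used in the tests are constructed documentation-range values.
"""
import ipaddress
import struct

IPPROTO_IPV6 = 41   # IANA protocol number for IPv6 encapsulated in IPv4


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv6_packet(src6, dst6, payload: bytes, next_header=59) -> bytes:
    """Minimal IPv6 header (next header 59 = no next header) plus payload."""
    header = struct.pack("!IHBB16s16s",
                         0x60000000,              # version 6, traffic class 0, flow label 0
                         len(payload), next_header, 64,
                         ipaddress.IPv6Address(src6).packed,
                         ipaddress.IPv6Address(dst6).packed)
    return header + payload


def encapsulate(src4, dst4, inner: bytes) -> bytes:
    """Tunnel source router: wrap the IPv6 packet in an IPv4 header, protocol 41."""
    total_length = 20 + len(inner)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0, 0, 64, IPPROTO_IPV6, 0,
                         ipaddress.IPv4Address(src4).packed, ipaddress.IPv4Address(dst4).packed)
    checksum = ipv4_checksum(header)
    header = header[:10] + struct.pack("!H", checksum) + header[12:]
    return header + inner


def decapsulate(frame: bytes, expected_peer4) -> bytes:
    """Tunnel destination router: verify the outer header and return the IPv6 packet.

    Only protocol-41 packets from the configured tunnel peer are accepted; this is
    the check that keeps arbitrary IPv4 hosts from injecting traffic into the tunnel."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (frame[0] & 0x0F) * 4
    if ipv4_checksum(frame[:ihl]) != 0:          # a valid header sums to zero
        raise ValueError("bad IPv4 header checksum")
    proto = frame[9]
    src4 = ipaddress.IPv4Address(frame[12:16])
    if proto != IPPROTO_IPV6:
        raise ValueError(f"protocol {proto} is not a 6in4 payload")
    if src4 != ipaddress.IPv4Address(expected_peer4):
        raise ValueError(f"6in4 packet from unexpected peer {src4}")
    inner = frame[ihl:]
    if not inner or inner[0] >> 4 != 6:
        raise ValueError("inner packet is not IPv6")
    return inner


if __name__ == "__main__":
    inner = build_ipv6_packet("2001:db8::1", "2001:db8::2", b"hello")
    frame = encapsulate("192.0.2.1", "198.51.100.1", inner)
    print(len(frame), "bytes on the IPv4 network, protocol", frame[9])
    print(decapsulate(frame, "192.0.2.1") == inner)
```

The peer check in decapsulate is the part worth noticing for an operator: the IPv4_router in the middle never looks inside the packet, so the tunnel endpoints are the only place where the source of the outer packet can be verified.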

Page 13: ISP core routing project


Dual Stacking

Figure: dual-stacked interfaces on Server_router, GLBP_router and the Linux Server, carrying the address pairs 2004::1/64 with 20.3.0.1, 2004::2/64 with 20.3.0.3, and 2003::1/64 with 100.0.0.254.

Dual stacking is another method for IPv4 and IPv6 to communicate.

In this method both an IPv4 and an IPv6 address are assigned to the same interface, so that when the router receives an IPv6 packet it forwards it using the IPv6 address, and when it receives an IPv4 packet it forwards it using the IPv4 address.

In this topology the Linux server has IPv6 enabled and is dual stacked by also having an IPv4 address.

Page 14: ISP core routing project


IPv6 DNS Server

In this project the IPv6 DNS server is built on Red Hat Enterprise Linux. DNS server :- A server which resolves an IP address to a hostname and a hostname to an IP address. When the DNS server resolves IPv6 addresses to hostnames, it is an IPv6-enabled DNS server.

In the left picture is the configuration of for.zone, which has the CNAME entries and IP addresses; on the other side is res.zone, which has the entries for the PTR records. The longest record is the IPv6 address which is resolved to the server.

Page 15: ISP core routing project


Redundancy

Redundancy means multiple pathways to reach a single destination.

Methods for Redundancy

1. HSRP
2. VRRP
3. GLBP

HSRP stands for Hot Standby Router Protocol.

Page 16: ISP core routing project


HSRP

HSRP stands for Hot Standby Router Protocol. It is a Cisco proprietary protocol. It allows multiple routers or multilayer switches to masquerade as a single gateway. A virtual IP address is allocated to all routers participating in HSRP. In this topology HSRP is used to provide redundancy between the VLANs made on the layer 3 switches DSw1 & DSw2.

When one switch's connection goes down, the other switch provides redundancy for it, because the same VLANs are created on both switches. The layer 2 switches ASw1-4 are the switches whose ports are used to connect the customers.

Page 17: ISP core routing project


VRRP

VRRP stands for Virtual Router Redundancy Protocol. It is the industry-standard equivalent of HSRP. The router with the highest priority becomes the Master Router; all other routers become Backup Routers. By default, the virtual MAC address is 0000.5e00.01xx, where xx is the hexadecimal group number. VRRP Hellos are sent to multicast address 224.0.0.18. VRRP redundancy is provided between SEMBO_TECH_GW, VRRP_router and SEMBO_TECH. A VRRP tunnel is made between these three routers, and they run EIGRP between them to communicate with each other.

So the SEMBO_TECH router has two paths to communicate with linux_server: one is the SEMBO_TECH_GW router, which is connected to MPLS, and the other is VRRP_Router, which has eBGP in the path.

Page 18: ISP core routing project


GLBP

GLBP stands for Gateway Load Balancing Protocol. Each router is assigned a weight, and the default weight is 100. The weight can be statically configured or dynamically decided by the router. In the topology GLBP is configured between the server_router, SEMBO_TECH_GW2 and GLBP_router. A tunnel is made between all three of these routers.

GLBP supports load balancing across the paths, meaning it sends traffic over both paths with the help of load balancing.

There are 3 methods by which load balancing can be done:

1. Round Robin
2. Weighted
3. Host-Dependent

By default, Round Robin is used.
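The redundancy rules stated on the VRRP and GLBP slides, as an added example that is not part of the original project: the VRRP virtual MAC derived from the group number, master election by priority, and a gateway that hands out a forwarder using each of the three GLBP load-balancing methods. Router names, priorities, weights and client MACs are constructed; the host-dependent method hashes the client MAC with SHA-256 here, which is an assumption for illustration (IOS uses its own hashing), but the property it shows, that one host always gets the same forwarder, is the same.

```python
"""Redundancy protocol helpers: VRRP virtual MAC and master election, plus the
three GLBP load-balancing methods named on the slides.

Added example, not from the original slides. Names, priorities, weights and
client MACs are constructed; the SHA-256 hash for host-dependent selection is
an illustrative assumption, not the IOS algorithm.
"""
import functools
import hashlib
import itertools
import math


def vrrp_virtual_mac(group: int) -> str:
    """Default VRRP virtual MAC 0000.5e00.01xx, xx = group number in hex (1-255)."""
    if not 1 <= group <= 255:
        raise ValueError("VRRP group must be between 1 and 255")
    return f"0000.5e00.01{group:02x}"


def vrrp_master(routers):
    """routers: {name: priority}. The highest priority becomes Master; the rest are Backup."""
    master = max(routers, key=routers.get)
    return master, sorted(name for name in routers if name != master)


class GLBPGateway:
    """Active virtual gateway: answers ARP for the virtual IP with the MAC of one
    active virtual forwarder (AVF), chosen by the configured load-balancing method."""

    def __init__(self, forwarders, method="round-robin"):
        self.forwarders = dict(forwarders)      # name -> weight (IOS default weight is 100)
        self.method = method
        self._round_robin = itertools.cycle(list(self.forwarders))
        # weighted: each forwarder appears (weight / gcd of all weights) times per cycle
        g = functools.reduce(math.gcd, self.forwarders.values())
        self._weighted = itertools.cycle(
            [name for name, weight in self.forwarders.items() for _ in range(weight // g)])

    def choose(self, client_mac: str) -> str:
        """Return the forwarder whose MAC is handed to this client."""
        if self.method == "round-robin":
            return next(self._round_robin)
        if self.method == "weighted":
            return next(self._weighted)
        if self.method == "host-dependent":
            # same client MAC -> same forwarder, for as long as the forwarder set is stable
            digest = hashlib.sha256(client_mac.lower().encode()).digest()
            names = sorted(self.forwarders)
            return names[int.from_bytes(digest[:4], "big") % len(names)]
        raise ValueError(f"unknown load-balancing method {self.method}")


if __name__ == "__main__":
    print(vrrp_virtual_mac(1), vrrp_master({"SEMBO_TECH_GW": 110, "VRRP_router": 100}))
    gw = GLBPGateway({"GLBP_router": 100, "server_router": 100, "SEMBO_TECH_GW2": 100})
    print([gw.choose("00:11:22:33:44:55") for _ in range(4)])
```

With equal weights the weighted method degenerates to round robin, which is why the default of 100 for every router behaves as the slide describes; only when one router is deliberately weighted down does the split change.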

Page 19: ISP core routing project


Dynamic Routing Protocols

Dynamic routing protocols are those which perform their routing with the help of the network command. They are very easy to configure and to troubleshoot compared to static routing. Dynamic routing protocols used in the topology :-

1. BGP
2. EIGRP
3. OSPF
4. RIP

Page 20: ISP core routing project


BGP

BGP stands for Border Gateway Protocol. The Border Gateway Protocol (BGP) routes traffic between autonomous systems. An autonomous system is a network or group of networks under common administration and with common routing policies.

BGP is a very robust and scalable routing protocol, as evidenced by the fact that it is the routing protocol employed on the Internet.

There are two types of BGP:

1. iBGP
2. eBGP

iBGP :- iBGP means Internal Border Gateway Protocol. It is used within the same autonomous system.

eBGP :- eBGP means External Border Gateway Protocol. It is used between different autonomous systems.

Page 21: ISP core routing project


In this topology eBGP routing is used between GLBP_router, eBGP_router and VRRP_router.

GLBP_router -> eBGP_router: AS 65000, and eBGP_router -> VRRP_router: AS 65001.

Loopback addresses are configured on all three routers; the loopback address is the Router-ID for each router.

#bgp redistribute internal is the command to distribute the internal routes of each router to the other routers through eBGP.

Redistribution is done on the eBGP router. Redistribution is needed because two different autonomous systems are present.

Page 22: ISP core routing project


iBGP is configured on the MPLS network. BGP is used with MPLS because BGP helps MPLS speed up the transfer of data.

The P router is the Provider router, which is the ISP in the real topology, and the other routers, the PEs, are the Provider Edge routers.

Over this network a Virtual Private Network (VPN) is also configured, to connect the SEMBO offices for secure data transfer.

On the PE1 router EIGRP and RIP are also running, because some other offices use EIGRP and RIP for their connection from the Internet.

Page 23: ISP core routing project


EIGRP

EIGRP stands for Enhanced Interior Gateway Routing Protocol. EIGRP is an advanced distance-vector routing protocol, with optimizations to minimize both the routing instability incurred after topology changes and the use of bandwidth and processing power in the router.

It uses the Diffusing Update Algorithm (DUAL) to calculate the routing path. In the topology EIGRP is used in these pictures: SEMBO_TECH_GW_2 is connected through EIGRP with the PE1 router, which is running MPLS; with Server_router and GLBP_router, redundancy is created by Gateway Load Balancing Protocol (GLBP).

In both cases two EIGRP processes are running, one for IPv4 and the other for IPv6.

Page 24: ISP core routing project


OSPF

OSPF stands for Open Shortest Path First. It uses a link state routing algorithm and falls into the group of interior routing protocols, operating within a single autonomous system (AS). OSPF is running in these places in this topology: DEMBO_TECH_GW, PE2 and SEMBO_TECH_GW are running OSPF 10 between them, to send routes to each other. SEMBO_TECH_GW is the gateway of SEMBO_TECH on the MPLS path.

OSPF 100 is running on the SEMBO_TECH_LAN, where there are 5 layer 3 switches, each connected to the others with multiple links to create redundancy.

Redistribution of multiple protocols is done on the SEMBO_TECH router.

Page 25: ISP core routing project


Linux Server

Red Hat Enterprise Linux 6.0 is used as a server in this topology. The Linux server is installed on VMware Workstation 10 and connected to the GNS3 topology through a loopback interface of Windows 8.1.

When the Linux server communicates with any router in GNS3, the requests and all other traffic go through this loopback interface.

Servers configured on Linux :-

1. DNS
2. APACHE
3. FTP
4. YUM
5. SSH

Page 26: ISP core routing project


DNS Server :- DNS stands for Domain Name Server. A DNS server is used to translate IP addresses to hostnames. In a Linux environment the DNS server is installed from the BIND packages. The name of the service for DNS is named.

DNS Records :-

SOA (start of authority) :- This record is automatically created when the zone file is created. It is the first record, and it is responsible for accepting queries and resolving them.

NS (Name Server) :- NS provides the domain name to clients.

CNAME :- Alias name, duplicate name.

Host Record :- It is used to add the IP address.

SPF (Sender Policy Framework) :- A text record.

TXT Record :- It is used for authentication purposes.

APACHE Server :- The APACHE server is called the Apache HTTP server. It is a web server. Virtual hosting allows one Apache installation to serve many different websites.
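The record types listed above and the for.zone / res.zone pair from the IPv6 DNS slide, as an added example that is not the project's own zone files: it builds the forward zone (SOA, NS, A/AAAA host records, CNAME, TXT carrying SPF) and the matching reverse PTR records, including the long nibble-reversed ip6.arpa name that the slide points out for the IPv6 server. The domain sembo.example, the hostnames and all addresses are constructed sample values.

```python
"""Forward and reverse zone records for a dual-stack host list.

Added example, not the project's zone files. DOMAIN, HOSTS and ALIASES are
constructed; the record formats are standard BIND zone-file syntax.
"""
import ipaddress

DOMAIN = "sembo.example"                      # constructed
NAMESERVER = "ns1"                            # constructed
HOSTS = {"ns1": ["192.0.2.10", "2001:db8:10::10"],
         "server": ["192.0.2.20", "2001:db8:10::20"]}
ALIASES = {"www": "server", "ftp": "server"}  # CNAME -> canonical host


def forward_zone(domain, hosts, aliases, serial=2014040101):
    """Return the forward zone ('for.zone' on the slide) as a list of record lines."""
    origin = domain + "."
    lines = [f"$ORIGIN {origin}", "$TTL 86400",
             # SOA first: primary name server, responsible mailbox, serial and timers
             f"@ IN SOA {NAMESERVER}.{origin} hostmaster.{origin} ({serial} 3600 900 604800 86400)",
             f"@ IN NS {NAMESERVER}.{origin}",
             '@ IN TXT "v=spf1 mx -all"']      # SPF policy travels in a TXT record
    for host, addrs in hosts.items():
        for addr in addrs:
            ip = ipaddress.ip_address(addr)
            rtype = "AAAA" if ip.version == 6 else "A"   # host record per address family
            lines.append(f"{host} IN {rtype} {ip}")
    for alias, target in aliases.items():
        lines.append(f"{alias} IN CNAME {target}.{origin}")
    return lines


def reverse_records(domain, hosts):
    """Return the PTR records ('res.zone' on the slide) as {reverse_name: target}.
    ipaddress builds the in-addr.arpa / ip6.arpa owner name, nibble-reversed for IPv6."""
    records = {}
    for host, addrs in hosts.items():
        for addr in addrs:
            records[ipaddress.ip_address(addr).reverse_pointer] = f"{host}.{domain}."
    return records


def unmatched(hosts, records):
    """Consistency check: every A/AAAA should have a PTR that points back at it."""
    problems = []
    for host, addrs in hosts.items():
        for addr in addrs:
            target = records.get(ipaddress.ip_address(addr).reverse_pointer)
            if target != f"{host}.{DOMAIN}.":
                problems.append((host, addr, target))
    return problems


if __name__ == "__main__":
    print("\n".join(forward_zone(DOMAIN, HOSTS, ALIASES)))
    for name, target in reverse_records(DOMAIN, HOSTS).items():
        print(f"{name}. IN PTR {target}")
```

The IPv6 PTR owner name is 32 single-hex-digit labels under ip6.arpa, which is why that record is the longest one in the project's res.zone; a zone generated from one host table, as here, also keeps forward and reverse data from drifting apart.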

Page 27: ISP core routing project


WEB Hosting is of two types :-

1. IP Based Hosting :- single IP, single site
2. Name Based Hosting :- single IP, multiple sites

Service for APACHE :- httpd
Port number :- 80 (http), 443 (https)
Default site storage path :- /var/www/html
Configuration file path :- /etc/httpd/conf/httpd.conf

FTP Server :- FTP stands for File Transfer Protocol. FTP is a server which is used to download and upload files on the Internet and intranet. A website can be uploaded through the FTP server. FTP always goes directly to the pub directory.

Port number used :- 20 (control) / 21 (access)
Directory used :- /var/ftp/pub
Configuration file :- /etc/vsftpd/vsftpd.conf

Page 28: ISP core routing project


YUM Server :- YUM stands for Yellowdog Updater, Modified. YUM is an open-source command-line package-management utility for Linux operating systems using the RPM Package Manager. Though yum has a command-line interface, several other tools provide graphical user interfaces to yum functionality. Yum allows automatic updates and package and dependency management on RPM-based distributions.

Yum directory :- /etc/yum.repos.d/

SSH Server :- SSH stands for Secure Shell. SSH uses public-key cryptography to authenticate the remote computer and allow it to authenticate the user, if necessary. There are several ways to use SSH; one is to use automatically generated public-private key pairs to simply encrypt a network connection, and then use password authentication to log on.

Service name :- sshd
Configuration file :- /etc/ssh/ssh_config
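The two ways of logging on that the SSH paragraph describes (key pair for the connection, then password, versus key-only) correspond to a handful of sshd keywords. As an added example that is not part of the project, the script below audits an sshd configuration text for those keywords and rewrites the weak settings into the hardened form. Note that the sshd service reads /etc/ssh/sshd_config; the /etc/ssh/ssh_config file named on the slide is the client's configuration. WEAK_CONFIG is a constructed sample; the keyword names are real OpenSSH keywords.

```python
"""sshd_config audit: the weak settings beside the hardened form.

Added example, not part of the project. WEAK_CONFIG is constructed; the
keywords are real OpenSSH server keywords (read from /etc/ssh/sshd_config).
"""

# Constructed 'before' configuration: password and root logins allowed
WEAK_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
#PermitEmptyPasswords no
"""

# Values a key-only server should carry, in the order they are written out
SAFE = [("Protocol", "2"),
        ("PermitRootLogin", "no"),
        ("PasswordAuthentication", "no"),
        ("PubkeyAuthentication", "yes"),
        ("PermitEmptyPasswords", "no")]
ACCEPTED = {name.lower(): {value} for name, value in SAFE}
ACCEPTED["permitrootlogin"].add("prohibit-password")   # root by key only is also fine


def parse_sshd_config(text):
    """Return {keyword_lower: value}. sshd keeps the first value of a repeated
    keyword, so later duplicates are ignored; parsing stops at the first Match
    block because settings below it apply only conditionally."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ").split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings


def audit(text):
    """Return [(keyword, finding)] for every audited keyword that is unset or weak."""
    settings = parse_sshd_config(text)
    findings = []
    for key, ok_values in ACCEPTED.items():
        if key not in settings:
            findings.append((key, "not set explicitly; the build's default applies"))
        elif settings[key].lower() not in ok_values:
            findings.append((key, f"is '{settings[key]}', expected one of {sorted(ok_values)}"))
    return findings


def harden(text):
    """Return the config with every audited keyword rewritten to its SAFE value;
    unrelated lines (Port, comments) are kept as they are."""
    kept = []
    for raw in text.splitlines():
        head = raw.split("#", 1)[0].strip().replace("=", " ").split(None, 1)
        if head and head[0].lower() in ACCEPTED:
            continue                       # dropped here, re-added from SAFE below
        kept.append(raw)
    kept += [f"{name} {value}" for name, value in SAFE]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for key, finding in audit(WEAK_CONFIG):
        print(f"{key}: {finding}")
    print(harden(WEAK_CONFIG))
```

A commented-out keyword, as with PermitEmptyPasswords in the sample, is reported as "not set" rather than assumed safe, because the effective value then depends on the OpenSSH build's default; the audit only trusts what is stated explicitly.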

Page 29: ISP core routing project


Security

Basic security in Routers

1. Enable Secret
2. Username and password
3. Console password
4. VLAN
5. ACL
6. Firewall

Page 30: ISP core routing project


Enable Secret :- The enable secret is the password that we set to restrict user entry into the enable mode of the router.

The enable secret is secure and is not visible even after the user has successfully logged in. When the user has logged in and runs the #show run command, the password appears in encrypted form.

Username and Password :- This is the login password that has to be entered to log in to the router. It is set in configuration mode -> console line.

Console Password :- This is the password that is set on the router, and the user is prompted for it when trying to enter the router.

Only this password needs to be entered and no username is required.
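The three router items above (enable secret, username and password, console password) can be checked mechanically against a running configuration. The script below is an added example, not the project's own configuration: it parses a constructed IOS-style config excerpt and reports where a hashed secret is missing, where a reversible password is used instead, and where a line has no login or no line password. The hostnames follow the slides; every password and hash value in the samples is a placeholder.

```python
"""Audit of an IOS running-config excerpt for the basic router security items
on the slide (enable secret, username and password, console password).

Added example, not the project's own configuration. SAMPLE_CONFIG and
HARDENED_CONFIG are constructed; hash and password values are placeholders.
"""
import re

SAMPLE_CONFIG = """\
hostname SEMBO_TECH_GW
enable password cisco123
username admin password 0 letmein
line con 0
 password console1
line vty 0 4
 login
"""

HARDENED_CONFIG = """\
hostname SEMBO_TECH_GW
service password-encryption
enable secret 5 $PLACEHOLDER_HASH$
username admin secret 5 $PLACEHOLDER_HASH$
line con 0
 password 7 PLACEHOLDER
 login
line vty 0 4
 login local
"""


def parse_sections(text):
    """Split the config into global commands and 'line ...' blocks (their indented
    children). Other block types (interfaces, router processes) are skipped."""
    global_cmds, lines, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            lines[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            lines[current] = []
        elif raw.startswith(" "):
            continue                      # child of a block we do not track
        else:
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, lines


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    global_cmds, lines = parse_sections(text)
    findings = []
    if not any(c.startswith("enable secret ") for c in global_cmds):
        findings.append("no 'enable secret': privileged mode is not protected by a hashed secret")
    if any(c.startswith("enable password ") for c in global_cmds):
        findings.append("'enable password' present: stored reversibly, replace it with 'enable secret'")
    for c in global_cmds:
        m = re.match(r"username (\S+) .*\bpassword\b", c)
        if m:
            findings.append(f"user {m.group(1)} uses 'password' instead of 'secret'")
    if "service password-encryption" not in global_cmds:
        findings.append("'service password-encryption' missing: line passwords appear in clear text in 'show run'")
    has_users = any(c.startswith("username ") for c in global_cmds)
    for name, cmds in lines.items():
        has_password = any(c.startswith("password ") for c in cmds)
        login = next((c for c in cmds if c.startswith("login")), None)
        if login is None:
            findings.append(f"{name}: no 'login', so no password is ever asked for")
        elif login == "login" and not has_password:
            findings.append(f"{name}: 'login' without a line password, nobody can authenticate")
        elif login == "login local" and not has_users:
            findings.append(f"{name}: 'login local' but no username is configured")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
    print("hardened:", audit(HARDENED_CONFIG) or "no findings")
```

The 'service password-encryption' check is there because it is what makes the line passwords show up "in encrypted form" in show run, as the slide describes for the enable secret; it only obscures them (type 7), so the hashed enable secret and username secret remain the real protection.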

VLAN :- VLAN stands for Virtual LAN. VLANs are made on a switch to divide the switch as the administrator decides. VLANs provide security by dividing the different departments into different sections. Communication between these VLANs is possible through a router.

Page 31: ISP core routing project


ACL :- ACL stands for Access Control List. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects. Each ACL is identified by its name or number.

Firewall :- A firewall is a software- or hardware-based network security system that controls the incoming and outgoing network traffic based on an applied rule set.

A firewall establishes a barrier between a trusted, secure internal network and another network (e.g., the Internet) that is not assumed to be secure and trusted.

Figure: types of firewall. Software firewall: Norton (Windows), Check Point (Linux). Hardware firewall: WatchGuard and PIX firewall, etc. Access control list (ACL): router and switch.
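How a numbered ACL of the kind used on routers and switches is evaluated, as an added example that is not from the slides: entries are tried from the top, the first match decides, and a packet that matches nothing hits the implicit deny at the end of every IOS ACL. The ACL text and the packets are constructed sample values using documentation address ranges.

```python
"""Model of an IOS-style numbered ACL: entries are tried top-down, the first
match decides, and an unmatched packet hits the implicit deny at the end.

Added example, not from the slides. SAMPLE_ACL and the packets in the tests
are constructed (10.1.0.0/16 as the inside network, 192.0.2.20 as a server).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Entry:
    action: str              # "permit" or "deny"
    proto: str               # "ip" matches any protocol
    src: str                 # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W" (wildcard mask)
    dst: str
    dport: Optional[int] = None


def _take_addr(tokens, i):
    """Consume one address spec starting at tokens[i]; return (spec, next_index)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return f"host {tokens[i + 1]}", i + 2
    return f"{tokens[i]} {tokens[i + 1]}", i + 2


def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' lines into entries."""
    acl = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        src, i = _take_addr(t, 4)
        dst, i = _take_addr(t, i)
        dport = int(t[i + 1]) if i + 1 < len(t) and t[i] == "eq" else None
        acl.append(Entry(t[2], t[3], src, dst, dport))
    return acl


def _matches_addr(spec, address):
    """Cisco wildcard semantics: a 1 bit in the wildcard mask means 'do not care'."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ipaddress.ip_address(spec[5:]) == address
    base, wildcard = spec.split()
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (int(address) & care) == (int(ipaddress.ip_address(base)) & care)


def evaluate(acl, packet):
    """Return (action, index of the matching entry); index None = implicit deny."""
    for i, e in enumerate(acl):
        if e.proto != "ip" and e.proto != packet["proto"]:
            continue
        if not _matches_addr(e.src, ipaddress.ip_address(packet["src"])):
            continue
        if not _matches_addr(e.dst, ipaddress.ip_address(packet["dst"])):
            continue
        if e.dport is not None and e.dport != packet.get("dport"):
            continue
        return e.action, i
    return "deny", None


# Constructed sample: inside users may reach the server on 80/443 only; all else passes
SAMPLE_ACL = """\
access-list 101 permit tcp 10.1.0.0 0.0.255.255 host 192.0.2.20 eq 80
access-list 101 permit tcp 10.1.0.0 0.0.255.255 host 192.0.2.20 eq 443
access-list 101 deny ip 10.1.0.0 0.0.255.255 host 192.0.2.20
access-list 101 permit ip any any
"""

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for pkt in ({"proto": "tcp", "src": "10.1.5.9", "dst": "192.0.2.20", "dport": 80},
                {"proto": "udp", "src": "10.1.5.9", "dst": "192.0.2.20", "dport": 53}):
        print(pkt, "->", evaluate(acl, pkt))
```

Because evaluation stops at the first match, the order of the entries is part of the policy: moving the final "permit ip any any" to the top would make every entry below it unreachable, and dropping it leaves the implicit deny to block everything the specific entries do not permit.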

Page 32: ISP core routing project


Thank you