GRE over IP VPN Tunnel in Packet Tracer

GRE VPN Tunnel Overview

In this Packet Tracer 6.1 activity you configure a Generic Routing Encapsulation (GRE) over IP VPN tunnel. VPN tunnels are now part of the CCNA certification exam. VPN tunnels allow geographically separate private local area networks to be connected to each other across public wide area networks. In this way, a company or organization can have separate office networks virtually connected to each other across the public internet. Private local area networks connected by a tunnel across the internet are completely transparent to each other and can use all local area network resources as if they were locally available. In a VPN tunnel, private networks are able to communicate across the public internet because all private network addressing and header information is encapsulated and not visible to the public internet routers, which forward only the outer tunnel packet. The routers on the public internet have no knowledge of the private networks communicating across the internet. Unlike IPsec or OpenVPN tunnels, a GRE tunnel does not provide security or encryption by itself, and therefore it is not a recommended method of creating a VPN tunnel across the internet if security or privacy is an important concern.

Instructions

In this Packet Tracer 6.1 activity you do not need to configure R2 or the PCs. R1 and R3 already have G0/0, G0/1, and their default routes configured.

1. Create a GRE VPN tunnel from the R1 LAN 192.168.1.0/24 to the R3 LAN 192.168.3.0/24.
2. Configure Tunnel0 on 192.168.2.0/24:
   R1 – 192.168.2.1
   R3 – 192.168.2.2
3. Use static routes on R1 and R3 (next hop address) to route traffic across Tunnel0.
4. You are successful when you can ping from PC-A to PC-C and vice versa.

Download

GREoverIP_tunnel.zip

Note: This Packet Tracer activity requires Packet Tracer version 6.1 or later.

Video Walkthrough Tutorial


CLI Command Examples

R1(config)# int tunnel 0
R1(config-if)# ip address 192.168.2.1 255.255.255.0
R1(config-if)# tunnel source g0/1
R1(config-if)# tunnel destination 201.150.200.6
R1(config-if)# tunnel mode gre ip
R1(config-if)# exit
R1(config)# ip route 192.168.3.0 255.255.255.0 192.168.2.2

R3(config)# int tunnel 0
R3(config-if)# ip address 192.168.2.2 255.255.255.0
R3(config-if)# tunnel source g0/1
R3(config-if)# tunnel destination 201.150.200.1
R3(config-if)# tunnel mode gre ip
R3(config-if)# exit
R3(config)# ip route 192.168.1.0 255.255.255.0 192.168.2.1
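The following Python program is an added example; it is not part of the Packet Tracer activity or its video. It builds the packet R1 would send out G0/1 for a ping from PC-A to PC-C and then decapsulates it the way any router on the path could. The tunnel endpoints are the ones from the CLI examples above; the host addresses 192.168.1.10 and 192.168.3.10 and the ICMP payload are constructed for the example. It demonstrates the point made in the overview: the GRE header carries the private inner IP header and data with no encryption, so the inner addresses and payload are readable to anyone who can see the outer packet.

```python
"""GRE-over-IP encapsulation and decapsulation, modelled on the tunnel above.

Added example for this page, not code from the Packet Tracer activity.
Outer (public) header: tunnel endpoints 201.150.200.1 -> 201.150.200.6.
Inner (private) header: a host on the R1 LAN -> a host on the R3 LAN.
The host addresses .10 and the ICMP text are constructed for the example.
Pure struct packing; nothing is sent on a network.
"""
import struct
from ipaddress import IPv4Address

GRE_PROTO = 47            # IP protocol number of GRE in the outer header
ETHERTYPE_IPV4 = 0x0800   # GRE protocol type for an inner IPv4 packet
ICMP_PROTO = 1


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (IHL 5, no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner_packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """What R1 does on Tunnel0: prepend a 4-byte GRE header (version 0,
    no key, no checksum) and an outer IP header toward the tunnel destination."""
    gre = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)
    outer = ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre) + len(inner_packet))
    return outer + gre + inner_packet


def parse_ipv4(packet: bytes) -> dict:
    """Parse the fixed IPv4 header; return its fields plus the payload bytes."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if checksum(packet[:ihl]) != 0:          # a valid header sums to zero
        raise ValueError("bad IPv4 header checksum")
    return {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)), "proto": proto,
            "ttl": ttl, "payload": packet[ihl:total_len]}


def gre_decapsulate(packet: bytes) -> dict:
    """What any router on the path (not only R3) can read from the packet."""
    outer = parse_ipv4(packet)
    if outer["proto"] != GRE_PROTO:
        raise ValueError("outer packet is not GRE")
    flags_ver, proto_type = struct.unpack("!HH", outer["payload"][:4])
    if flags_ver & 0x0007:
        raise ValueError("GRE version must be 0")
    gre_len = 4
    if flags_ver & 0x8000:                   # C bit: checksum + reserved1
        gre_len += 4
    if flags_ver & 0x2000:                   # K bit: key
        gre_len += 4
    if flags_ver & 0x1000:                   # S bit: sequence number
        gre_len += 4
    if proto_type != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE protocol type 0x%04x" % proto_type)
    inner = parse_ipv4(outer["payload"][gre_len:])
    return {"outer": outer, "inner": inner}


def build_sample() -> bytes:
    """PC-A (constructed address 192.168.1.10) pings PC-C (192.168.3.10);
    R1 carries it through Tunnel0 toward R3's tunnel destination."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + b"ping from PC-A"
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    inner = ipv4_header("192.168.1.10", "192.168.3.10", ICMP_PROTO, len(icmp)) + icmp
    return gre_encapsulate(inner, "201.150.200.1", "201.150.200.6")


if __name__ == "__main__":
    view = gre_decapsulate(build_sample())
    print("outer:", view["outer"]["src"], "->", view["outer"]["dst"], "ip proto", view["outer"]["proto"])
    print("inner:", view["inner"]["src"], "->", view["inner"]["dst"], "ip proto", view["inner"]["proto"])
    print("inner payload readable by every router on the path:", view["inner"]["payload"][8:])
```

Run it and compare the two header lines: the public routers between R1 and R3 only route on the outer 201.150.200.x header, but the inner 192.168.x.x header and the ping text sit right behind the 4-byte GRE header in clear. If the private traffic needs confidentiality or integrity, the GRE tunnel has to be protected with IPsec; the example does not do that.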

Teleworker Services & VPN

VPN Overview

Today, more than ever, companies can support employees who work from remote locations. The Cisco CCNA curriculum points to the current trend toward, and affordability of, supporting remote employees, the increasing number of remote workers, and the increased productivity possible for the remote worker. What are the factors that make this possible? Access to low-cost, high-speed public internet services like DSL, cable modem, satellite and WiMAX, and the strength of the security now possible over the public internet with IPsec and VPN tunneling technology.

In the past, companies that required a high level of security for their data and resources did not have an inexpensive option for extending their company network to a remote worker. Today this can be accomplished over the public internet with VPN technology.

What is a VPN connection?

A VPN connection is a secure connection to a remote network. When a VPN connection is established, the remotely connecting computer can access the company’s network resources: company computers, file servers, printers, etc. In other words, a computer that has established a VPN connection to a remote network can be characterized as being on that network, as if it were physically placed on the network. This usually means that the connecting computer receives an IP address from the remote network’s address space on a virtual tunneling interface.

VPN connections can be between a VPN client and a VPN server, or site-to-site between two VPN servers or network devices. VPN client-to-server and VPN site-to-site services are possible with Cisco PIX firewalls, Cisco ISR routers, and Cisco ASA devices.

Network Security

Network Security Overview

One of the main duties of the network administrator is to protect the network and its data against all kinds of threats and attacks. Network threats and attacks can originate outside of the network, but they can also be launched from within the network. A networking department needs many tools to defend the network. This can take the form of firewall routers and specialized security devices, but it also means developing documents that define a network security policy, which outlines and defines the rules and boundaries of an organization’s computer network and its users.

Domains of Network Security

The CCNA Security curriculum mentions the 12 domains of network information security published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in ISO/IEC 27002. The domains are a code of best practices for information security management. The 12 domains are like questions that every network administrator and IT department should be able to answer:

  1. Risk assessment – step one: analyze what information is at risk.
  2. Security policy – create a company security policy that defines the rules and expectations for employees’ behavior and access to information.
  3. Organization of information security – how will the security policy be governed?
  4. Asset management – how will information assets be inventoried and classified?
  5. Human resources security – security rules for employees joining, moving within, or separating from the organization.
  6. Physical and environmental security – how will the technology be physically protected?
  7. Communications and operations management – who and what will manage the security controls for the network and information systems?
  8. Access control – who will have access, and what will they have access to?
  9. Information systems acquisition, development and maintenance – how will software applications and systems be integrated into the network with a focus on security?
  10. Information security incident management – the protocols for anticipating and responding to information security breaches.
  11. Business continuity management – backup and recovery plans for computer information systems.
  12. Compliance – how does the company comply with current information security policies, standards, laws and regulations?

Viruses, Worms, and Trojans

  • Virus – a computer virus is a malicious program that attaches or embeds itself in a legitimate program, executable file or system file. Once a file is infected, the virus attempts to execute and replicate itself across multiple files and even hosts. Viruses variously damage, alter and destroy computer files. Viruses are typically spread by USB thumb drives and, most commonly, through email attachments. See: http://en.wikipedia.org/wiki/Computer_virus
  • Worm – a computer worm is a malicious program that, when accessed, immediately installs itself in memory and spreads itself across a computer network. Worms do not need to attach themselves to legitimate programs like viruses do in order to run. Although a worm does not alter computer files like a virus does, it can deliver executable payloads, often backdoors or Trojan horses, or simply drain system resources and bandwidth. See: http://en.wikipedia.org/wiki/Computer_worm
  • Trojan Horse – a Trojan horse is a computer program that masquerades as a legitimate program but in actuality does something far different. A common form of Trojan horse is malware that claims to be a legitimate antivirus program but, once downloaded, actually downloads viruses onto a user’s computer. Though Trojan horses do not replicate themselves as a virus does, they are often piggy-backed onto computer worms in order to spread. See: http://en.wikipedia.org/wiki/Trojan_horse_(computing)

There are five distinct stages in a virus or worm attack:

  • Probe – involves scanning network hosts for operating system or software vulnerabilities.
  • Penetrate – launch an attack or exploit through an attack vector like a program buffer overflow, an email attachment or malicious webpage code injection.
  • Persist – the code may attempt to maintain a level of control over the target system by installing a backdoor or creating additional executable system files that will launch on startup.
  • Propagate – in this stage the virus or worm attempts to target additional computer systems in order to expand the number of infected systems.
  • Paralyze – viruses cripple or shut down computer systems by corrupting system files, launching denial of service (DoS) and distributed denial of service (DDoS) attacks, and/or draining system and network resources like CPU time and available bandwidth.

Video Tutorials

Follow along with the video below, in Packet Tracer, with this file: OSPF-authentication_begin.zip

In this video tutorial, I demonstrate configuring encrypted routing protocol authentication with OSPF

In this video, I show how to back up a router IOS image with TFTP and restore a deleted IOS image using Xmodem

In this video, I show how to restore a deleted Cisco router’s IOS image using a TFTP server

In this tutorial, I show how to recover a forgotten or lost password on a Cisco router

Welcome to Cisco CCNA 4

CCNA 4 Introduction

The Cisco CCNA certification is the best-known computer networking certification in the industry. I recommend a Cisco course of study, and the Cisco Academy Curriculum in particular, to anyone who wants to learn about computer networking. It is the best foundation for learning how networks communicate, the protocols that are involved, network addressing, subnetting, routing, switching, VLANs and more!

As a Cisco Networking Academy instructor I have taught the Cisco CCNA curriculum for over 12 years. The Cisco Academy offers 4 classes that together map to the Cisco CCNA certification exam. The current exam is the 200-120 CCNA, which has a stronger emphasis on IPv6. All students who are enrolled through the college will qualify to be enrolled in the Cisco Academy, and all Cisco Academy students will have access to online curriculum materials as well as the latest version of Packet Tracer (6.1), a great tool for creating simulated networked environments, complete with functioning routers, switches, and hosts.

In fall 2013, the Cisco Academy released an updated version of their CCNA curriculum. This updated curriculum coincides with the new 200-120 CCNA exam and includes many new areas of study, including a much stronger emphasis on IPv6.

Course Materials

All of the course materials are available through the Cisco Academy website through their learning management system. This includes the complete text, the Packet Tracer software program, interactive activities, multiple choice exams, and plenty of labs with complete instructions. If you prefer a paper copy of the text you can purchase one online from Cisco Press or Amazon. Make sure you order a current version of the text. I have provided a link to the text at Cisco Press and the ISBN numbers:
Connecting Networks Companion Guide – Print: 9781587133329 / eBook: 9780133476521

Class Availability

  • How can I enroll in a class?
    I teach the Cisco CCNA through Central Oregon Community College. To sign up for the class and attend remotely online, look for new student registration at http://www.cocc.edu
  • Where can I do my labs?
    Some labs will be done in class, some labs will be done at home using Packet Tracer, and some labs can be done remotely by connecting to the CIS Department Netlab+ server.
  • What if I am an online student, and I can’t come to the lab?
    If you are an online student, I recommend that you log in to Blackboard and attend the class online through the Blackboard video conferencing tool. The class is always available through video conference, and it will also be recorded and available for watching later.
  • How will I turn in assignments?
    Exams will be taken online through the Cisco Academy website and learning management system. Labs will be turned in to me directly.
  • What are the assignments and how will I be graded?
    I grade on a point system. Every week you will have the opportunity to earn points from chapter exams and chapter labs. At the end of the class there is a cumulative multiple choice final exam and a cumulative lab final.

WANs

WAN Overview

Today most organizations’ computer networks need to stretch beyond the simple local area network. Businesses need to support multiple branches, offices, and remote workers; they need secure data connections and continuous data connectivity for things like videoconferencing and teleconferencing. Today many of these services can be delivered over the public internet with data secured and protected through VPN tunnels; however, sometimes specialized dedicated WAN services are necessary to support a company’s infrastructure. Understanding WAN protocols and services is therefore a necessary skill for any IT networking specialist.

Important WAN Concepts

– WAN protocols operate at Layer 2 of the OSI networking model. When we talk about WAN protocols we are talking about Layer 2 encapsulation and framing. The WAN frame type depends on the WAN technology and hardware implemented.

– WAN links are typically point-to-point connections, so the frames do not have source and destination addresses in the header like Ethernet frames do.

– WAN protocols use various types of serial connections, as opposed to Ethernet LANs, which use different types of Ethernet connections.

– ISPs typically provide customers and organizations with a WAN device that connects back to the ISP’s central office. A WAN device is typically a modem or a CSU/DSU. The WAN device can also be called the DCE, which handles the clock rate. In the Cisco curriculum and labs a router is used to emulate a WAN device: the serial interface is configured with a clock rate and a DCE cable connection.

– The router is the DTE and the modem or CSU/DSU is the DCE.

– The demarcation point is the place where the ISP’s line enters your building. The line that goes back to the ISP’s office is called the local loop.

HDLC (High-level Data Link Control)

Based on IBM’s SDLC protocol, HDLC is one of the oldest WAN protocol frame types. Cisco’s version of the HDLC protocol is called Cisco HDLC, and it is the default frame type for serial interfaces on Cisco routers. Many other WAN protocol frames are based on the HDLC protocol and frame, including:

Protocols Based on HDLC

Protocol                                     WAN Technology
LAPB – Link Access Procedure Balanced        X.25
LAPD – Link Access Procedure D Channel       ISDN
LAPF – Link Access Procedure Frame           Frame Relay
PPP – Point-To-Point Protocol                Serial, Switched
Cisco HDLC – High-level Data Link Control    Cisco Serial

HDLC Frame Fields – (Cisco HDLC adds the Protocol field)

Field     Contents                                                  Size
Flag      Delimiter 01111110                                        8 bits
Header    Address, Control, Protocol (Protocol is Cisco HDLC only)  8 or 16 bits
Data      Payload                                                   Variable length, 0 or more bits
FCS       Frame check sequence                                      16 or 32 bits
Flag      Delimiter 01111110                                        8 bits
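To make the frame table concrete, here is an added Python example (not code from the page or from Cisco) that builds a Cisco HDLC frame from the fields listed above and parses one back, checking the FCS. Two things are assumed because the page does not state them: the FCS is the 16-bit CRC used by HDLC-like framing in RFC 1662 (reflected polynomial 0x8408, initial and final XOR 0xFFFF, sent low byte first), and flag and escape bytes inside the frame are byte-escaped as in RFC 1662 async framing rather than bit-stuffed as a synchronous serial link really does. The sample data bytes are constructed.

```python
"""Cisco HDLC frame build/parse with FCS check.

Added example, not code from the page. Field layout follows the HDLC Frame
Fields table: Flag 0x7E, Address (0x0F unicast, 0x8F broadcast), Control
0x00, the 16-bit Protocol field Cisco HDLC adds (0x0800 for IP), Data,
16-bit FCS, Flag. Assumptions: RFC 1662 CRC-16 for the FCS and RFC 1662
byte escaping in place of synchronous bit stuffing. Sample data is constructed.
"""
FLAG, ESC = 0x7E, 0x7D
ADDR_UNICAST, ADDR_BROADCAST = 0x0F, 0x8F
PROTO_IP = 0x0800


def fcs16(data: bytes) -> int:
    """Bitwise reflected CRC-16 (RFC 1662 Appendix C); check value of b'123456789' is 0x906E."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def escape(body: bytes) -> bytes:
    """Transparency: a flag or escape byte inside the frame becomes ESC, byte ^ 0x20."""
    out = bytearray()
    for b in body:
        if b in (FLAG, ESC):
            out += bytes([ESC, b ^ 0x20])
        else:
            out.append(b)
    return bytes(out)


def unescape(body: bytes) -> bytes:
    """Undo escape(); a dangling ESC at the end is a framing error."""
    out = bytearray()
    i = 0
    while i < len(body):
        if body[i] == ESC:
            if i + 1 >= len(body):
                raise ValueError("escape byte at end of frame")
            out.append(body[i + 1] ^ 0x20)
            i += 2
        else:
            out.append(body[i])
            i += 1
    return bytes(out)


def build_frame(data: bytes, protocol: int = PROTO_IP, broadcast: bool = False) -> bytes:
    """Address, Control, Protocol, Data, then the FCS computed over all of them."""
    body = bytes([ADDR_BROADCAST if broadcast else ADDR_UNICAST, 0x00])
    body += protocol.to_bytes(2, "big") + data
    crc = fcs16(body)
    body += bytes([crc & 0xFF, crc >> 8])          # FCS low byte first
    return bytes([FLAG]) + escape(body) + bytes([FLAG])


def parse_frame(frame: bytes) -> dict:
    """Strip the flags, undo escaping, verify the FCS and split the fields.
    Raises ValueError on a damaged frame, which is what a receiver drops."""
    if len(frame) < 2 or frame[0] != FLAG or frame[-1] != FLAG:
        raise ValueError("missing flag delimiter")
    body = unescape(frame[1:-1])
    if len(body) < 6:
        raise ValueError("frame too short for header and FCS")
    fields, received_fcs = body[:-2], body[-2] | (body[-1] << 8)
    if fcs16(fields) != received_fcs:
        raise ValueError("FCS mismatch, frame corrupted")
    return {"address": fields[0], "control": fields[1],
            "protocol": int.from_bytes(fields[2:4], "big"), "data": fields[4:]}


def frame_is_valid(frame: bytes) -> bool:
    """True when the frame is well delimited and its FCS checks out."""
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    sample = build_frame(b"\x45\x00\x7e\x7d\x10")   # constructed data containing both reserved bytes
    print(sample.hex())
    print(parse_frame(sample))
    damaged = bytearray(sample)
    damaged[5] ^= 0x01                               # one flipped bit in the data
    print("damaged frame accepted:", frame_is_valid(bytes(damaged)))
```

The FCS is an error detection field for line noise: flip one bit and the receiver drops the frame. It is not a security control, since anyone who can inject frames on the link can also compute a correct FCS; integrity against an active party needs authentication at a higher layer (for example PPP CHAP or IPsec), not a stronger CRC.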

Circuit Switched Networks

Circuit switched networks like phone lines PSTN (public switched telephone network) or POTS (plain old telephone system) and ISDN (Integrated Services Digital Network) have a continuous connection or circuit from one end point to another. The circuit can be divided into multiple conversations through multiplexing. Modems provide the ability to convert the traffic to digital information. Typically circuit switched networks have slow speeds and a low cost.

Packet Switched Networks

Packet switched wide area networks (WANs) such as V.35, Frame Relay, and ATM use network relay switches to create paths to destination networks. The paths across the networks are called virtual circuits. Virtual circuits can be permanent virtual circuits (PVCs) or switched virtual circuits (SVCs), which are created temporarily to send data to destination networks and are then torn down and erased.

  • X.25 – is an older, outdated technology, a precursor to Frame Relay, and is still used in some countries.
  • Frame Relay – cost effective to implement in hardware because multiple circuits can go out of the same interface. Uses DLCIs to create switched paths to destination networks. DLCIs are locally significant only, not unique. Frame Relay is capable of high speeds.
  • ATM – expensive to implement in hardware, because it uses multiple interfaces and hardware devices. Uses cells instead of frames. ATM cells are a fixed size of 53 bytes, 48 of which are for data. ATM is capable of high speeds and can deliver video and voice as well as data.

Dedicated Line Networks

  • T1 and E1 – bandwidth is dedicated and therefore is always available and delivers consistent speeds. Dedicated lines have expensive installation and month to month costs. A T1 line is 1.5 Mbps.

Public Internet Networks

  • DSL
  • Cable modem
  • Wireless – WiMax

Frame Relay

Frame Relay Overview

Frame Relay is a WAN protocol. A Frame Relay network is comprised of interconnected switches that make up a Frame Relay cloud. Frame Relay uses virtual circuits (PVC) to interconnect routers across the WAN.

Video Tutorials

In this series of tutorials I set up a network interconnected by Frame Relay. The first video is dedicated to setting up the network and labeling the devices and interfaces. In the second video I configure the devices and interfaces with the addressing scheme outlined in the first video. The third video is dedicated to configuring the Frame Relay cloud device, which is a virtual representation of interconnected Frame Relay switches. This device is typically the responsibility of the ISP. In the fourth video I configure the routers for Frame Relay static mappings. In the fifth and sixth videos I discuss the benefits of using subinterfaces with Frame Relay and reconfigure the network for Frame Relay subinterfaces.


PPP

PPP Overview

The Point-to-Point Protocol (PPP) is a layer 2 WAN protocol. PPP is used to connect a local area network (LAN) to a wide area network (WAN) through a service provider. PPP can be used as the data link layer protocol and frame for the following types of point-to-point, serial, synchronous and asynchronous network connections: Dial-Up, ISDN, Leased Line (e.g. T1 & E1), Frame Relay, DSL (PPPoE), and ATM (PPPoA). Concerning physical media, PPP can be transported over telephone lines, serial cables, fiber optic lines, twisted pair copper, satellite, and wireless.

For serial connections, Cisco routers by default use Cisco’s version of the HDLC protocol (Cisco-HDLC) but if you are going to connect to another non-Cisco router it is recommended to use the PPP protocol and frame encapsulation. The speed of PPP is limited only by the DTE and DCE interface connections it uses. It is capable of very fast speeds.

The Structure of PPP

The PPP protocol is based on, and similar to, the HDLC protocol, with some important differences: PPP uses LCP and NCPs, and it supports authentication, encryption and compression.

The PPP protocol structure

Network Layer                IP, IPX, AppleTalk

PPP at the Data Link Layer   IPCP, IPXCP, AppleTalkCP – NCP (Network Control Protocol): upwards service to layer 3 (Network Layer); multiple layer 3 protocol support through NCPs; PPP can exchange layer 3 addressing
                             LCP (Link Control Protocol): handles link setup, termination, authentication, encryption, compression, and error detection

PPP at the Physical Layer    Synchronous or Asynchronous Serial, High Speed Serial Interface, Telephone Lines, Leased Lines

LCP – Link Control Protocol handles link setup and termination as well as most of the configuration options, including authentication, compression, error detection, and multilink (load balancing).

Authentication – PPP can be configured to use PAP (Password Authentication Protocol) or CHAP (Challenge Handshake Authentication Protocol). Both protocols authenticate serial connections with a username and password, but CHAP is more secure because it uses a three-way handshake during the initial LCP link negotiation and then repeats the three-way challenge at random times afterwards, ensuring that the link is still trusted.
Compression – the CCNA curriculum covers two PPP compression configuration options: stacker and predictor. PPP can achieve better throughput by compressing data traveling across the links.
Error detection – PPP can be configured to test and report the quality of the serial link; it can also detect interfaces in a loopback state.
Multilink – PPP can be configured to load balance across multiple serial interfaces for greater bandwidth.
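The following Python program is an added example (not code from the page, the videos, or Cisco) of the two PPP authentication exchanges described above. It builds the actual packet bytes each side sends, following RFC 1334 for PAP and RFC 1994 for CHAP, so the difference is visible: PAP puts the password on the wire, while CHAP sends MD5(identifier, secret, challenge) and the authenticator re-challenges with a fresh value. The peer name R1, authenticator name R3, secret cisco123 and the fixed challenge values inside run_exchange() are constructed for the example; a real authenticator draws the challenge from os.urandom().

```python
"""PAP and CHAP exchanges on a PPP link (RFC 1334 PAP, RFC 1994 CHAP).

Added example, not code from the page. Names, secret and the fixed challenge
values in run_exchange() are constructed so the run is repeatable.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional

PAP_AUTH_REQUEST = 1                                                   # RFC 1334 code
CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4   # RFC 1994 codes


def pap_authenticate_request(peer_id: bytes, password: bytes, ident: int = 1) -> bytes:
    """PAP Authenticate-Request: Peer-ID and Password as length-prefixed
    cleartext strings. Anyone tapping the serial link reads the password."""
    data = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", PAP_AUTH_REQUEST, ident, 4 + len(data)) + data


def chap_challenge(ident: int, authenticator_name: bytes, value: Optional[bytes] = None) -> bytes:
    """Authenticator -> peer. The Value must be fresh and unpredictable for
    every challenge, including the periodic re-challenges after link-up."""
    value = value if value is not None else os.urandom(16)
    data = bytes([len(value)]) + value + authenticator_name
    return struct.pack("!BBH", CHAP_CHALLENGE, ident, 4 + len(data)) + data


def chap_response(challenge_pkt: bytes, secret: bytes, peer_name: bytes) -> bytes:
    """Peer -> authenticator: MD5(Identifier || secret || Value) plus the peer
    name. The secret itself never crosses the link."""
    _, ident, _ = struct.unpack("!BBH", challenge_pkt[:4])
    vlen = challenge_pkt[4]
    value = challenge_pkt[5:5 + vlen]
    digest = hashlib.md5(bytes([ident]) + secret + value).digest()
    data = bytes([len(digest)]) + digest + peer_name
    return struct.pack("!BBH", CHAP_RESPONSE, ident, 4 + len(data)) + data


def chap_verify(challenge_pkt: bytes, response_pkt: bytes, secrets: dict) -> bytes:
    """Authenticator side: look up the secret for the claimed peer name,
    recompute the digest over the challenge it actually sent, and answer
    with a Success or Failure packet."""
    c_ident, vlen = challenge_pkt[1], challenge_pkt[4]
    value = challenge_pkt[5:5 + vlen]
    _, r_ident, r_len = struct.unpack("!BBH", response_pkt[:4])
    dlen = response_pkt[4]
    received = response_pkt[5:5 + dlen]
    peer_name = response_pkt[5 + dlen:r_len]
    secret = secrets.get(peer_name)
    ok = False
    if secret is not None and r_ident == c_ident:
        expected = hashlib.md5(bytes([c_ident]) + secret + value).digest()
        ok = hmac.compare_digest(expected, received)      # constant-time compare
    code = CHAP_SUCCESS if ok else CHAP_FAILURE
    message = b"Welcome" if ok else b"Authentication failed"
    return struct.pack("!BBH", code, r_ident, 4 + len(message)) + message


def run_exchange(secret: bytes = b"cisco123", peer_name: bytes = b"R1") -> dict:
    """Run PAP once and CHAP three times: correct secret, a stale response
    presented against a later challenge, and a wrong secret."""
    secrets = {peer_name: secret}                               # authenticator's database
    pap = pap_authenticate_request(peer_name, secret)
    ch1 = chap_challenge(1, b"R3", value=bytes(range(16)))      # fixed value for repeatability
    resp1 = chap_response(ch1, secret, peer_name)
    first = chap_verify(ch1, resp1, secrets)
    ch2 = chap_challenge(2, b"R3", value=bytes(range(16, 32)))  # later re-challenge
    stale = chap_verify(ch2, resp1, secrets)                    # old response, new challenge
    wrong = chap_verify(ch1, chap_response(ch1, b"wrong", peer_name), secrets)
    return {
        "pap_password_in_clear": secret in pap,
        "chap_response_packet": resp1,
        "chap_first": (first[0], first[4:]),
        "chap_stale": (stale[0], stale[4:]),
        "chap_wrong_secret": (wrong[0], wrong[4:]),
    }


if __name__ == "__main__":
    for key, val in run_exchange().items():
        print(key, val)
```

Run it and look at the two packets: the PAP request contains the password bytes verbatim, while the CHAP response contains only a 16-byte digest and the peer name. The stale case is why the page says CHAP re-challenges at random times: a response captured earlier does not verify against a new challenge value, so a link that stops answering fresh challenges is no longer trusted. Both sides still need the same secret stored, and the digest is only as strong as that secret, so CHAP protects the secret on the wire but does not replace good secret management.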


Video Tutorials

In this video I configure PPP with PAP

In this video I configure PPP with CHAP