Student Guide v08.10.15
Table of Contents
Chapter 1 Equipment Overview & Architecture
Chapter 2 Component Level Operations
Chapter 3 Basic Networking
Chapter 4 Layer 1 Interconnects & Cabling
Chapter 5 Dynamic Multi-Point Virtual Private Networks (DMVPN)
Chapter 6 TACLANE KG-175 Operations
Chapter 7 Call Manager Express
Chapter 8 SNMPc for JNN & CPNs
Chapter 9 Appendix
INSERT TAB 1 HERE
Battalion Command Post Node
Equipment Overview & Architecture
JNN Network - Satellite Backbone
[Figure: satellite backbone diagram. Nodes shown: Hub Node (Div/Corps), STEP, DISN/GIG and DISN/GIG (cable), JNN (BCT), CPN (Battalion level unit). Links shown: Ku TDMA and Ku FDMA.]
The Battalion Command Post Node (BnCPN) has a single radio link into the JNN network via the Time Division Multiple Access (TDMA) satellite. Permanent, or static, Virtual Private Networks (VPNs) are built into the JNNs and Hub Node. Dynamic VPNs (DMVPNs) are built on demand to other BnCPN systems. The establishment of these dynamic VPNs is based on user requirements to transfer information between BnCPNs; establishing VPNs between CPNs on an as-needed basis decreases the amount of satellite resources required to support the network.
The Tactical Hub Node (THN) is a Division asset that provides connectivity to the Defense Information Systems Network (DISN) and the Global Information Grid (GIG). The THN utilizes both Frequency Division Multiple Access (FDMA) and TDMA satellite connectivity. The THN also serves as the master hub node for the TDMA mesh networks of the Brigade Combat Teams (BCTs) and their associated BnCPNs.
The Joint Network Node (JNN) is located at the BCT element. It serves as a distribution point for the various systems within the BCT and provides direct network services for the Brigade headquarters elements. The JNN can utilize both TDMA and FDMA satellite connectivity and has a single FDMA link that is usually reserved for connectivity to the THN.
Regional Hub Node: The RHN is the largest of the four JNN-N Hub Node types, and can provide the following capabilities:
• Provide primary hub node connectivity (FDMA and TDMA) and services for tactical users during reception, staging, onward movement, and integration (RSOI) operations.
• Provide TDMA management support enabling intra-theater Brigade-to-Brigade level routing and network services.
• Provide continuity of operations (COOP) for MRHNs and THNs.
• Provide primary hub node connectivity and services to expeditionary units (e.g., BCT) not deploying with a THN.
• Provide support to Expeditionary Signal Battalions (ESBs) and Integrated Theater Signal Battalion-Joint Network Node (ITSB-J) units that are task organized to support Division and below units.
• Provide a server sanctuary supporting the delivery of theater level services and a stable location for Division or Brigade units to host services for their tactical users.
• Provide JNN-N Hub Node connectivity and services for mounted battle command on the move (MBCOTM) users.
• Support up to three JNN-N equipped Divisions, or reconfigurable to support two JNN-N equipped Divisions, four BCTs, and one separate (non-BCT) mission.
• Extend DISN voice, data, and video services to the warfighters.
• Provide assured, low latency reachback to the TNCCs for Top Secret/Sensitive Compartmented Information (TS/SCI) users using JNNs or CPNs as their transport connection to the RHN.
The RHN system is designed to support 3 separate JNN-enabled Army Divisions and up to 4 stand-alone BCTs through satellite connectivity to the other JNN Network systems: the THN, the JNN, and the BnCPN. The RHN will support both FDMA and TDMA satellite links. Equipment is grouped into enclaves within the FHRN facility as shown. Each enclave will operate independently of the others.
CPN Network Example
[Figure: Area Signal posture example. Elements shown: ESB Hub Node; JNNs with STTs (TSC-85 and TSC-93); STEP Site / DISA; HCLOS V1 and HCLOS V3; SSS V3; ITSB Expeditionary Signal Platoon and ITSB Heavy Signal Platoon; Signal Platoon Elements with STTs; Ku, X and EHF band satellite links; TDMA and FDMA links; an LOS Back-Up Link.]
The above figure is an example of an Area Signal posture and the basic interconnectivity of Signal assets. The BnCPN utilizes only TDMA satellite connectivity. Line of sight (LOS) interconnectivity is provided through the use of the LOS Transit Case. The BnCPN has permanent links to the THN and JNN and can establish on-demand connections to other CPNs within the meshed network. The BnCPN provides LAN and WAN firewall protection.
Equipment
[Figure: NIPR Voice & Data Case and SIPR Voice & Data Case.]
The SIPR Router Case directly supports the SIPR user (data and voice) and is connected to the NIPR Case via fiber through media converters. The NIPR Case provides direct connectivity to the Ku Satellite trailer for connectivity into the TDMA satellite network. The LOS case is intended to provide connectivity for the Bn CPN to a legacy system with a TRI-TAC CDI interface such as an MSE LOS system. When using the LOS Case, DMVPN operation is not possible.
The Bn CPN consists of the following components:
• NIPR Router Case
• SIPR Router Case
• Universal Power Supply
• LOS Transit Case
• TFOCA II Cable
• 2 ea. Management Laptops
• Misc. cables
Equipment (continued)
[Figure: LOS Case and VoIP phones.]
BN CPN NIPR Router Case
[Figure: front and rear views.]
Components of the NIPR VPN Router Case:
• Cisco 3560G Ethernet Switch
• Media Converters
• Netscreen 50 Firewall
• Comtech Turbo IP PEP
• Cisco 3825 Router
• Patch Panels
• Signal Entry Panel
• Power Entry Panel
The purpose of the NIPR Router case is to provide an access point for all NIPR related devices and services and to connect to the satellite trailer. The NIPR case connects to the satellite trailer via a fiber optic connection using Tactical Fiber Optic Cable Assembly II (two pair) (TFOCA II) cable.
Cisco Catalyst 3560-48PS switch: a family of Ethernet switches used to connect workstations and other network devices, such as servers, routers, and other switches. It terminates IP phones and computers and acts as the connection point for voice and data users. Local users connect to the Ethernet switch via an RJ-45 switch panel mounted on the back of the case.
Media Converters (CBFTF1013-100): used to convert 100 Base FX fiber optic to 100 Base TX copper Ethernet.
Netscreen 50 Firewall: for local user protection. The NetScreen 50 firewall interfaces the trusted world with the untrusted world. It has a console port, for connecting to serial terminal emulation programs such as HyperTerminal; a modem port, used for remote console sessions using dial-up connections; and a compact Flash card slot, for storage of system images, configuration files, keys, and logs.
Comtech Turbo IP Performance Enhancing Proxy (PEP): provides a performance enhancement solution that significantly improves TCP/IP performance over wireless and satellite communication networks. By overcoming the inherent limitations of TCP/IP over impaired links (high delay and/or high error), it improves performance of TCP/IP based applications such as web browsing (HTTP), file transfer (FTP), etc.
Cisco 3825 Router: used as the NIPR voice gateway and contains CallManager Express (CME) software.
Case Dimensions: 22.47 W x 19.40 H x 34.50 D
Estimated Case Weight: 154 lbs.
Estimated Power: 813 W
BN CPN SIPR Router Case
[Figure: front and rear views.]
Components of the SIPR Router Case:
• Cisco 3560G Ethernet Switch
• TACLANE
• Media Converters
• Netscreen 50 Firewall
• Comtech Turbo IP PEP
• Cisco 3825 Router
• Patch Panels
• Signal Entry Panel
• Power Entry Panel
Cisco 3560G Ethernet Switch: the Cisco Catalyst 3560-48PS switch is a family of Ethernet switches used to connect workstations and other network devices, such as servers, routers, and other switches. It terminates IP phones and computers and acts as the connection point for voice and data users.
TACLANE: the TACLANE KG-175 provides security over legacy tactical IP networks. Because the Ku transmission network is a black network, and because the NIPR case is also black, the Ethernet interface from the NIPR Case is encrypted by a TACLANE within the SIPR Case.
Media Converters (CBFTF1013-100): convert 100 Base FX fiber optic to 100 Base TX copper Ethernet.
Netscreen 50 Firewall: used for local user protection. Local users connect to the Ethernet switch via an RJ-45 switch panel mounted on the back of the case.
Comtech Turbo IP PEP: the COMTECH Turbo IP (turboIP) provides a performance enhancement solution that significantly improves TCP/IP performance over wireless and satellite communication networks. By overcoming the inherent limitations of TCP/IP over impaired links (high delay and/or high error), it improves performance of TCP/IP based applications such as web browsing (HTTP), file transfer (FTP), etc.
Cisco 3825 Router: used as the SIPR voice gateway in the SIPR Case and contains CallManager Express software used to supply voice over IP services. It is the gateway for all voice and data services on the assigned domain.
Case Dimensions: 22.47 W x 19.40 H x 34.50 D
Estimated Case Weight: 154 lbs.
Estimated Power: 813 W
IntelliPower Uninterruptible Power Supply (UPS)
[Figure: front and rear views.]
The UPS will provide emergency power for up to 12 minutes to the cases in the event of a prime power loss.
Power (VA): 1500 VA
Power Output: 1005 Watts
Amps: 13 at 115 VAC / 6.5 at 230 VAC
Backup Time With Full Load: 12 Minutes
Total Number of Outputs: 4
Surge Suppression: 480 Joules
Transfer Time: Zero (true online design)
Operating Temperature: 0 °C to 40 °C
Automatic Shutdown
Audible Alarm
CPN LOS Case
[Figure: front and rear views.]
Diphase Modem "Line Of Sight" Interface Case: the LOS case is intended to be used in conjunction with either the Battalion Command Post NIPR case or the Battalion Command Post SIPR case. It accepts a serial interface from the NIPR or SIPR case, applies Forward Error Correction (FEC), encrypts via a KIV-19A, and modulates the signal using a CTM-100C diphase modem.
Note: The CPN LOS Case is populated to support 2 LOS links.
INSERT TAB 2 HERE
Component Level Operations
Components (1)
MEDIA CONVERTER
Converts 100 Base FX fiber optic to 100 Base TX copper Ethernet. The media converters are Transition 100BASE-TX to 100BASE-FX media converters mounted both in the satellite trailer and in the transit cases. Each provides an RJ-45 twisted-pair 100BASE-TX connector and RX (receive) and TX (transmit) SC 100BASE-FX connectors for 1300 nm multi-mode fiber-optic cable.
Components (2)
CISCO 3825 ROUTER
Two 3825 Routers:
NIPR Tier 2 router: a CISCO 3825 router which provides default gateway and routing functions for locally connected NIPR hosts. Provides a gateway for NIPR voice traffic via Cisco Call Manager Express (CME), software pre-loaded on the router. Serves as the connection point for the TACLANE Cipher Text (CT) side, used to encrypt SIPR traffic that is part of the TDMA DMVPN tunnel architecture.
SIPR Tier 2 router: a CISCO 3825 router which provides default gateway and routing functions for locally connected SIPR hosts. Provides a gateway for SIPR voice traffic via CME. Serves as the connection point for the TACLANE Plain Text (PT) side, used to encrypt SIPR traffic that is part of the TDMA DMVPN tunnel architecture.
Components (3)
CATALYST 3560G PoE SWITCH
• The switch terminates IP phones and computers
• The switch can be stacked with other switches
• Provides 48 ports with Power over Ethernet (PoE) for VoIP telephones
Components (4)
NETSCREEN 50 FIREWALL
Interfaces the trusted world with the untrusted world.
Common Information Assurance Threats:
• Malware: existence of viruses, worms, Trojans, logic bombs
• Denial of Service: disruption of service through attacks or system outage
• Network Intrusion: unauthorized or unknown users accessing the network
• User Behavior: authorized users accessing unauthorized systems; authorized users lax in security procedures
• Non-Malicious: power outages, fire and flood, user error
There are many reasons why we need to protect a network. Military information and networks need to be safeguarded especially. The Military’s information infrastructure can be used as a weapon against us; it is imperative that we protect it from:
• Gathering of information about the protected network, such as topology, IP addresses of active hosts, and operating systems of active hosts.
• Overwhelming the protected network with bogus traffic to induce a network-wide Denial of Service (DoS).
• Causing damage to and stealing data from the hosts on the protected network.
• Gaining control of a host to launch an attack from within the protected boundary.
• Gaining control of a firewall to control access to the network it protects.
Components:
• Power and status LEDs
• Asset Recovery Pinhole, for resetting the device to the original factory default settings
• Console port, for connecting to serial terminal emulation programs such as HyperTerminal
• A modem port, used for remote console sessions using dial-up connections
• A compact Flash card slot, for storage of system images, configuration files, keys, and logs
• Four Ethernet ports, for connecting the Netscreen device to your LAN or local workstation and to the Internet
Note: resetting the device restores it to the original default configuration; any new configuration settings are lost.
Provides the following capabilities:
• 170 Mbps firewall – 64,000 concurrent sessions
• 40 Mbps 3DES or AES VPN – 500 IPSec tunnels
• 1000 policies
• 4 security zones
Firewall Functionality
[Figure: layered firewall functionality, from the Tier 1 Router down through the Firewall, Intrusion Detection, Tier 2 Router and Host Firewall to the Host Switch.]
Tier 1 Router: provides connection to the STEP/hub; performs simple packet filtering.
Firewall: provides firewall services and basic DoS screening for Tier 2 networks.
Intrusion Detection: provides inspection of traffic for malicious packets.
Tier 2 Router: provides routing for the Tier 2 network and simple packet filtering for management traffic.
Host Firewall: provides the boundary for data traffic between the host LAN and the Tier 2 network.
Host Switch: provides hosts local access to the LAN and access to the Tier 2 network.
Components (1)
TURBO IP
• The TurboIP is located in the Battalion Command Post Node router cases; there is one per security domain (SIPR/NIPR).
• The Comtech EF Data TurboIP Performance Enhancement Proxy is designed to alleviate TCP/IP bottlenecks in an impaired environment (where high delay, high bit error rate, or both occur) while preserving interoperability with any TCP device.
• The TurboIP is fully compatible with network devices that use TCP and supports your existing Internet standards.
Components (2)
KG-175 TACLANE
The TACLANE provides encryption over DOD IP networks. The TACLANE provides security over legacy tactical IP networks (MPN) and strategic IP networks (SIPRNET). There are 2 TACLANE versions:
• Classic
• E100
The base part number of the TACLANE is 0N649470, and the dash variations differentiate between the hardware versions.
TACLANE Capabilities:
• TACLANE can communicate at multiple security levels, one level at any given time. The operator selects the security level
• The Crypto Ignition Key CIK protects one FIREFLY vector set and up to 48 Pre-positioned Keys PPKs
• Physical access control is provided by removing the CIK, which locks the TACLANE
• TACLANE is NSA-certified to provide Type 1 encryption and decryption for information classified TOP SECRET codeword and below
• When a valid CIK is inserted, the TACLANE is classified at the highest classification level of the key it contains (but never less than UNCLASSIFIED / CCI)
• When the CIK is removed, the TACLANE is UNCLASSIFIED / CCI and the CIK is UNCLASSIFIED
TACLANE Classic Capabilities:
• Supports IP datagram encryption over an Ethernet 10Base-T or Attachment Unit Interface (AUI) physical interface
• 7 Mbps throughput with a user traffic Maximum Transfer Unit (MTU) size of 1400 bytes
• Provides 253 secure IP paths for user traffic (one secure IP path protects all user traffic between a given pair of TACLANEs)
• Provides automated peer TACLANE discovery for secure IP paths
• Supports PPK or dynamically generated FIREFLY Traffic Encryption Key (TEK) for each secure IP path
• Provides limited Reverse Address Resolution Protocol (RARP) and Dynamic Host Configuration Protocol (DHCP) bypass for protected hosts to ease integration with existing base network infrastructure
• Supports broadcast IP datagram traffic encryption
• Supports static multicast with PPK
E100 Capabilities:
• Supports IP datagram encryption over an Ethernet 100Base-TX or 100Base-FX physical interface
• 100 Mbps throughput with a user traffic MTU size of 1424 octets in half duplex
• 100+ Mbps aggregate throughput with a user traffic MTU size of 1424 octets in full duplex
• 253 secure IP paths supported for user traffic (one secure IP path protects all user traffic between a given pair of TACLANEs)
• Automated peer TACLANE discovery for secure IP paths
• PPK or dynamically generated FIREFLY TEK for each secure IP path
• Limited RARP and DHCP bypass supported for protected hosts to ease integration with existing base network infrastructure
• Broadcast IP datagram traffic encryption supported
• Auto-negotiating 10Base-T vs. 100Base-T Ethernet interface
• Static multicast with PPK
• Remote TACLANE static routes
Components (3)
CTM - 100
The CTM-100 has two modem functions:
• Converts data between Non Return to Zero (NRZ) and Conditioned Diphase signaling types [Cat5 and CX-11230 cables]
• Converts between fiber optic and NRZ [TFOCA-II and Cat5 cables]
The purpose of the dual port CTM-100 is to convert the NRZ data into CDI or fiber. It allows interfaces to be extended from the shelter using either CX-11230 cable or fiber optic cable. It supports rates up to 4608 kb/s using CX-11230 and 18720 using fiber. It can transport data up to 2 miles using CX-11230, depending on the transmission rate, and up to 10 miles using fiber optic cable at all data rates. It can support loopbacks on either the NRZ, CDI or fiber side of the selected port.
Components (4)
HSFEC - 5
• High Speed Forward Error Correction card: corrects bit error rates
• Automatically senses data rates
• Located in the LOS Interface Case, inside the FEC Box
• The FEC Box houses 1 HSFEC-5 card
Components (5)
KIV – 19A
[Figure: KIV-19A front view.]
The KIV-19A Trunk Encryption Device (TED) provides digital data encryption/decryption in full duplex synchronous operation, employing identical key generators for transmission and reception. The KIV-19A passes traffic data rates of 9.6 kilobits per second to 13 megabits per second. The KIV-19A is designed for use in ground mobile and/or sheltered environments.
Components (6)
[Figure: KIV-19A front panel with numbered callouts 1–20.]
KIV – 19A
Number: Function:
1 FILL
2 ON BUTTON
3 STANDBY BUTTON
4 UPDATE WINDOW
5 ACTUATE BUTTON
6 RESTART KEY LED
7 CHANGE KEY LED
8 LOAD LED
9 LOCAL UPDATE LED
10 ALARM TEST LED
11 LAMP TEST LED
12 ZEROIZE LED
13 CONFIG LED
14 SCROLL BUTTON
15 ALARM LED
16 RESYNC LED
17 FULL OP LED
18 OLD KEY LED
19 PARITY LED
20 POWER ON LED
System Connectivity
[Figure: System Connectivity. SIPR case: Cisco 3560 Ethernet switch, Netscreen 50, Turbo IP, Cisco 3825 router and KG-175 TACLANE (PT/CT sides). VLANs 6, 58, 59 and 175; dot1q trunk between the switch (GE 0/43, GE 0/44, GE 0/45) and the router (GE 0/0, GE 0/1); Netscreen Port 1 and Port 3 (WAN and LAN sides); switch ports 1–42 on the SEP for user access; ports 46–52 for access cases. NIPR case: the same components, with media converters (MC) to the STT trailer on GE 0/49 (SFP 1) and GE 0/51 (SFP 2), a connection to the SIPR TACLANE, an optional alternate to the TACLANE, and ports 46–48, 50 and 52 for the user case.]
Ports 1 – 42, which appear on the rear Signal Entry Panel (SEP): these ports are set up to detect Cisco VoIP phones and place them on VLAN 58 (voice VLAN); other devices are placed on VLAN 59 (data VLAN). With Cisco 7940G/7960G phones, this may be done on the same port by plugging the other device into the phone (piggyback) via an Ethernet cable.
Telephone Signal Flow
[Figure: the System Connectivity diagram above, repeated to show the telephone signal flow.]
The Switch will detect an IP phone making a call and direct the call through VLAN 58 to the router. The router will ROUTE the call through VLAN 175 back through the switch, through the TACLANE, and on to the destination.
SIPR Data Signal Flow
[Figure: the System Connectivity diagram above, repeated to show the SIPR data signal flow.]
Above is an example of SIPR data signal flow. NIPR data, generated off the NIPR 3560 switch, will follow VLAN 59 through the NIPR case. The switch will detect a data device sending data and direct the data packets through VLAN 59 to the NETSCREEN. The NETSCREEN will forward the data packets to the TURBO IP. The TURBO IP will forward the data packets to the router. The router will ROUTE the data packets back through the switch, through the TACLANE, and on to the destination.
TUNNEL SIGNAL FLOW
[Figure: tunnel signal flow between two nodes over STT/TDMA. At each end: AES_RTR, NIPR_T2_RTR, KG-175 TACLANE, SIPR_T2_RTR. Nested tunnels: NIPR Tunnel, TACLANE Tunnel, SIPR Tunnel; labels mGRE, SDD and AES.]
INSERT TAB 3 HERE
Basic Networking
IP Addressing and Subnet Masks
One of the most important concepts of internetworking: it is essential that you understand how IP addresses are used in a network.
Internet Scaling Problems
Over the past few years, the Internet has experienced two major scaling issues as it has struggled to provide continuous and uninterrupted growth:
• The eventual exhaustion of the IPv4 address space.
• The ability to route traffic between the ever-increasing numbers of networks that comprise the Internet.
The first problem is concerned with the eventual depletion of the IP address space. The current version of IP, IP version 4 (IPv4), defines a 32-bit address, which means that there are only 2^32 (4,294,967,296) IPv4 addresses available. This might seem like a large number of addresses, but as new markets open and a significant portion of the world's population becomes candidates for IP addresses, the finite number of IP addresses will eventually be exhausted. The address shortage problem is aggravated by the fact that portions of the IP address space have not been efficiently allocated. Also, the traditional model of classful addressing does not allow the address space to be used to its maximum potential. The Address Lifetime Expectancy (ALE) Working Group of the IETF has expressed concerns that if the current address allocation policies are not modified, the Internet will experience a near to medium term exhaustion of its unallocated address pool. If the Internet's address supply problem is not solved, new users may be unable to connect to the global Internet networks (in the thousands).
The second problem is caused by the rapid growth in the size of the Internet routing tables. Internet backbone routers are required to maintain complete routing information for the Internet. Over recent years, routing tables have experienced exponential growth as increasing numbers of organizations connect to the Internet -- in December 1990, there were 2,190 routes; in December 1992, there were 8,500 routes; and in December 1995, there were 30,000+ routes. By the early 2000s, the number had reached 210,000. Unfortunately, the routing problem cannot be solved by simply installing more router memory and increasing the size of the routing tables. Other factors related to the capacity problem include the growing demand for CPU horsepower to compute routing table/topology changes, the increasingly dynamic nature of WWW connections and their effect on router forwarding caches, and the sheer volume of information that needs to be managed by people and machines. If the number of entries in the global routing table is allowed to increase without bounds, core routers will be forced to drop routes and portions of the Internet will become unreachable. The long-term solution to these problems can be found in the anticipated widespread deployment of IP Next Generation (IPng or IPv6). However, while the Internet community waits for IPng, IPv4 will need to be patched and modified so that the Internet can continue to provide the universal connectivity we have come to expect. This patching process may cause a tremendous amount of pain and may alter some of our fundamental concepts about the Internet.
The IP Address (1)
• Is made up of 4 octets.
• Each octet is 8 bits in length.
• Each IP address is 32 bits in length.
148.43.200.1 = 10010100.00101011.11001000.00000001
The IP Address (2)
148.43.200.1
148      43       200      1
10010100 00101011 11001000 00000001
Dotted-Decimal Notation - To make Internet addresses easier for human users to read and write, IP addresses are often expressed as four decimal numbers, each separated by a dot. This format is called dotted-decimal notation. Dotted-decimal notation divides the 32-bit Internet address into four 8-bit (byte) fields and specifies the value of each field independently as a decimal number with the fields separated by dots.
The IP Address (3)
• Host: is essentially anything on the network that is capable of receiving and transmitting IP packets, such as a workstation (computer) or a router. Each host must be supplied with a unique IP address.
• Network: is the media that is used to interconnect hosts. The network portion of the address designates your location in the overall topology.
• Mask: a mask is applied to the address to define which portion of the address is network specific and which is host specific.
IP addressing is based on the concept of hosts and networks. A host is essentially anything on the network that is capable of receiving and transmitting IP packets, such as a workstation or a router. The hosts are connected together by one or more networks (segments). The IP address of any host consists of its network address plus its own host address on the network. Routers deliver packets to networks, not hosts. A mask is used to determine the network and host portion of an IP address. When applied to an IP address, it quite simply defines a range of addresses. The mask determines which IP addresses reside on a given network or segment. The mask is written in the same dotted decimal notation format as the IP address but it is limited to contiguous binary variations: all ones, then all zeros. All ones in the first octet is the starting point.
Decimal to Binary Conversion
• A decimal number can be represented by a group of binary 1s and 0s.
• Computers do not understand decimal numbers.
• They communicate in 1s and 0s, electrical highs and lows.
Example: 85 decimal = 01010101 binary
Decimal to Binary Conversion
Converting from binary to decimal
Value for each bit: 128 64 32 16 8 4 2 1
1 1 1 1 1 1 1 1 = 128 + 64 + 32 + 16 + 8 + 4 + 2 + 1 = 255
0 1 0 0 0 0 0 1 = 0 + 64 + 0 + 0 + 0 + 0 + 0 + 1 = 65
Converting from decimal to binary
Decimal 7:
128 64 32 16 8 4 2 1
0   0  0  0  0 1 1 1
7 decimal is 00000111 binary
Decimal 67:
128 64 32 16 8 4 2 1
0   1  0  0  0 0 1 1
67 decimal is 01000011 binary
Classful IP Addressing
[Figure: network number versus host number. The network number answers "what network are we in?" (Network 148.43.0.0 /16); the host number answers "which user on that network are we?" (Host 148.43.200.76).]
When IP was first standardized in September 1981, the specification required that each system attached to an IP-based internet be assigned a unique 32-bit Internet address value. Some systems, such as routers, which have interfaces to more than one network, must be assigned a unique IP address for each network interface. The first part of an Internet address identifies the network on which the host resides, while the second part identifies the particular host on the given network. This created the two-level addressing hierarchy:
• Network-Prefix | Host-Number
• Network-Number | Host-Number
In recent years, the network-number field has been referred to as the network-prefix because the leading portion of each IP address identifies the network number. All hosts on a given network share the same network-prefix but must have a unique host-number. Similarly, any two hosts on different networks must have different network-prefixes but may have the same host-number.
Primary Address Classes
[Figure: Primary Address Classes. Class A addresses begin with the leading bit 0, Class B with the leading bits 10, and Class C with the leading bits 110; the remaining bits are divided between the network and host portions.]
In order to provide the flexibility required to support different size networks, the designers decided that the IP address space should be divided into three different address classes - Class A, Class B, and Class C. This is often referred to as classful addressing because the address space is split into three predefined classes, groupings, or categories. Each class fixes the boundary between the network-prefix and the host-number at a different point within the 32-bit address. One of the fundamental features of classful IP addressing is that each address contains a self-encoding key that identifies the dividing point between the network-prefix and the host-number. For example, if the first two bits of an IP address are 1-0, the dividing point falls between the 15th and 16th bits. This simplified the routing system during the early years of the Internet because the original routing protocols did not supply a deciphering key or mask with each route to identify the length of the network-prefix.
Class A
[Figure: Class A (1 – 126), /8 prefixes. The first octet ranges from 00000001 (1) to 01111110 (126); the first 8 bits are NETWORK, the remaining 24 bits are HOST. Address range 1.0.0.0 – 126.255.255.255. Mask 11111111.00000000.00000000.00000000 = 255.0.0.0.]
Class A Networks (/8 Prefixes)
Each Class A network address has an 8-bit network-prefix with the highest order bit set to 0 and a seven-bit network number, followed by a 24-bit host-number. Today, it is no longer considered modern to refer to a Class A network. Class A networks are now referred to as /8s (pronounced "slash eight" or just "eights") since they have an 8-bit network-prefix. A maximum of 126 (2^7 - 2) /8 networks can be defined. The calculation requires that the 2 is subtracted because the /8 network 0.0.0.0 is reserved for use as the default route and the /8 network 127.0.0.0 (also written 127/8 or 127.0.0.0/8) has been reserved for the "loopback" function. Each /8 supports a maximum of 16,777,214 (2^24 - 2) hosts per network. The host calculation requires that 2 is subtracted because the all-0s (this network) and all-1s (broadcast) host-numbers may not be assigned to individual hosts. Since the /8 address block contains 2^31 (2,147,483,648) individual addresses and the IPv4 address space contains a maximum of 2^32 (4,294,967,296) addresses, the /8 address space is 50% of the total IPv4 unicast address space.
Class B
[Figure: Class B (128 – 191), /16 prefixes. The first octet ranges from 10000000 (128) to 10111111 (191); the first 16 bits are NETWORK, the remaining 16 bits are HOST. Address range 128.0.0.0 – 191.255.255.255. Mask 11111111.11111111.00000000.00000000 = 255.255.0.0.]
Class B Networks (/16 Prefixes)
Each Class B network address has a 16-bit network-prefix with the two highest order bits set to 10 and a 14-bit network number, followed by a 16-bit host-number. Class B networks are now referred to as /16s since they have a 16-bit network-prefix. A maximum of 16,384 (2^14) /16 networks can be defined with up to 65,534 (2^16 - 2) hosts per network. Since the entire /16 address block contains 2^30 (1,073,741,824) addresses, it represents 25% of the total IPv4 unicast address space.
Class C
[Figure: Class C (192 – 223), /24 prefixes. The first octet ranges from 11000000 (192) to 11011111 (223); the first 24 bits are NETWORK, the remaining 8 bits are HOST. Address range 192.0.0.0 – 223.255.255.255. Mask 11111111.11111111.11111111.00000000 = 255.255.255.0.]
Class C Networks (/24 Prefixes)
Each Class C network address has a 24-bit network-prefix with the three highest order bits set to 110 and a 21-bit network number, followed by an 8-bit host-number. Class C networks are now referred to as /24s since they have a 24-bit network-prefix. A maximum of 2,097,152 (2^21) /24 networks can be defined with up to 254 (2^8 - 2) hosts per network. Since the entire /24 address block contains 2^29 (536,870,912) addresses, it represents 12.5% (or 1/8th) of the total IPv4 unicast address space.
Other Classes
[Figure: Class D (IP Multicasting) begins with bits 1110, first octet 224 – 239; Class E (Experimental) begins with bits 1111, first octet 240 – 254.]
In addition to the three most popular classes, there are two additional classes. Class D addresses have their leading four-bits set to 1110 and are used to support IP Multicasting. Class E addresses have their leading four-bits set to 1111 and are reserved for experimental use.
Subnet Masking
148.43.200.1 255.255.255.0
Address: 10010100 . 00101011 . 11001000 . 00000001
Mask:    11111111 . 11111111 . 11111111 . 00000000
Network: 10010100 . 00101011 . 11001000 . xxxxxxxx
         (first 24 bits = Network, last 8 bits = Host)
• A bit for bit comparison is conducted between the address & mask.
• The address bits that align with ones in the mask are considered network.
• The address bits that align with zeros in the mask are considered host.
• The point at which the mask changes from ones to zeros divides the address into network and host portions.
Subnet Masking
148.43.200.1/24 or 255.255.255.0
Address:   10010100 . 00101011 . 11001000 . 00000001
Mask:      11111111 . 11111111 . 11111111 . 00000000
Network:   10010100 . 00101011 . 11001000 . 00000000
Broadcast: 10010100 . 00101011 . 11001000 . 11111111
Range:     148 . 43 . 200 . 0-255
           (first 24 bits = Network, last 8 bits = Host)
You will often see the mask written as a slash prefix (/). This represents the number of bits that are on (ones).
Subnet Masking
148.43.200.1/25 or 255.255.255.128
Address:   10010100 . 00101011 . 11001000 . 0|0000001
Mask:      11111111 . 11111111 . 11111111 . 1|0000000
Network:   10010100 . 00101011 . 11001000 . 0|0000000
Broadcast: 10010100 . 00101011 . 11001000 . 0|1111111
Range:     148 . 43 . 200 . 0-127
           (Network bits left of the line, Host bits right of it)
Subnet Masking
148.43.200.1/27 or 255.255.255.224
Address:   10010100 . 00101011 . 11001000 . 000|00001
Mask:      11111111 . 11111111 . 11111111 . 111|00000
Network:   10010100 . 00101011 . 11001000 . 000|00000
Broadcast: 10010100 . 00101011 . 11001000 . 000|11111
Range:     148 . 43 . 200 . 0-31
           (Network bits left of the line, Host bits right of it)
Subnet Masking
148.43.200.1/28 or 255.255.255.240
Address:   10010100 . 00101011 . 11001000 . 0000|0001
Mask:      11111111 . 11111111 . 11111111 . 1111|0000
Network:   10010100 . 00101011 . 11001000 . 0000|0000
Broadcast: 10010100 . 00101011 . 11001000 . 0000|1111
Range:     148 . 43 . 200 . 0-15
           (Network bits left of the line, Host bits right of it)
Subnet Masking
148.43.200.1/29 or 255.255.255.248
Address:   10010100 . 00101011 . 11001000 . 00000|001
Mask:      11111111 . 11111111 . 11111111 . 11111|000
Network:   10010100 . 00101011 . 11001000 . 00000|000
Broadcast: 10010100 . 00101011 . 11001000 . 00000|111
Range:     148 . 43 . 200 . 0-7
           (Network bits left of the line, Host bits right of it)
Available Hosts in a Network
148.43.200.0 255.255.255.240
148.43.200.0                  Network Address
148.43.200.1 – 148.43.200.14  Hosts (usable IPs)
148.43.200.15                 Broadcast Address
Defining Network, Host and Broadcast Addresses
According to Internet practices, the host-number field of an IP address cannot contain all 0-bits or all 1-bits. The all-0s host-number identifies the base network (or sub-network) number, while the all-1s host-number represents the broadcast address for the network (or sub-network). In the above example, there are 4 bits in the host-number field of each subnet address. This means that each subnet represents a block of 16 host addresses (2^4 - 2 = 14 usable; note that the 2 is subtracted because the all-0s and the all-1s host addresses cannot be used). The hosts on this subnet are numbered 1 through 15.
Network Address
• The network address is used by routers to identify and route packets to the correct destination.
• The network address can be identified by having all 0s in the host field.
• The network address cannot be assigned to a computer or host.
Network Address Examples:
148.43.200.0 255.255.255.0
148.43.200.128 255.255.255.128
148.43.200.64 255.255.255.192
148.43.200.96 255.255.255.224
Broadcast Address
• The broadcast address is used by routers and hosts to send packets to all computers on a network at one time.
• The broadcast address can be identified by having all 1s in the host field.
• The broadcast address cannot be assigned to a computer or host.
Broadcast Address Examples:
148.43.200.255 255.255.255.0
148.43.200.127 255.255.255.128
148.43.200.63 255.255.255.192
148.43.200.95 255.255.255.224
Subnet Masking Template
1. Write the IP address plus the subnet prefix (decimal).
2. Convert the IP address into binary.
3. Convert the subnet mask from the prefix into binary.
4. Where the 1s end and the 0s begin, draw a VERTICAL line of demarcation to represent the division of the network specific bits and host specific bits.
5. All zeroes in the host field gives you the network address (binary). Convert the binary back to dotted decimal; this is your network IP address.
6. All ones in the host field gives you the broadcast address (binary). Convert the binary back to dotted decimal; this is your broadcast IP address.
7. Once you have determined the network and broadcast IP addresses, everything in between will be usable host addresses.
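The template above and the classful "self-encoding key" from the Primary Address Classes section, carried through in code. This is an added example, not material from the student guide; the function names are this example's own, and the sample addresses are the guide's 148.43.200.x ones.

```python
# Added example, not from the student guide: the subnet masking template worked in
# code, plus decoding of the classful key in the leading bits of an address.
from typing import Dict, Optional


def to_int(addr: str) -> int:
    """Dotted decimal -> 32-bit integer (raises on malformed input)."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(value: int) -> str:
    """32-bit integer -> dotted decimal."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> int:
    """Prefix length -> mask: 'prefix' leading ones, then zeros (template step 3)."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def binary_with_line(value: int, prefix: int) -> str:
    """Dotted binary with the vertical line of demarcation after the prefix bits (step 4)."""
    out = []
    for i, bit in enumerate(f"{value:032b}"):
        if i and i % 8 == 0:
            out.append(".")
        if i == prefix:
            out.append("|")
        out.append(bit)
    if prefix == 32:
        out.append("|")
    return "".join(out)


def address_class(addr: str) -> str:
    """Classful key in the leading bits: 0 -> A, 10 -> B, 110 -> C, 1110 -> D, 1111 -> E."""
    first_octet = to_int(addr) >> 24
    for cls, width, key in (("A", 1, 0b0), ("B", 2, 0b10), ("C", 3, 0b110), ("D", 4, 0b1110)):
        if first_octet >> (8 - width) == key:
            return cls
    return "E"


def classful_prefix(addr: str) -> Optional[int]:
    """Default prefix length implied by the class (/8, /16, /24); None for Class D and E."""
    return {"A": 8, "B": 16, "C": 24}.get(address_class(addr))


def subnet(cidr: str) -> Dict[str, object]:
    """Template steps 1-7 for an address in prefix notation, e.g. '148.43.200.1/28'."""
    addr_text, prefix_text = cidr.split("/")
    prefix = int(prefix_text)
    addr = to_int(addr_text)
    mask = prefix_to_mask(prefix)
    network = addr & mask                        # all zeroes in the host field (step 5)
    broadcast = network | (~mask & 0xFFFFFFFF)   # all ones in the host field (step 6)
    host_bits = 32 - prefix
    usable = max(2 ** host_bits - 2, 0)          # 2^n - 2 rule; nothing is left for /31 and /32
    return {
        "mask": to_dotted(mask),
        "network": to_dotted(network),
        "broadcast": to_dotted(broadcast),
        "usable_hosts": usable,
        "first_host": to_dotted(network + 1) if usable else None,
        "last_host": to_dotted(broadcast - 1) if usable else None,
        "template": [                            # the worked rows as drawn on the slides
            "Address:   " + binary_with_line(addr, prefix),
            "Mask:      " + binary_with_line(mask, prefix),
            "Network:   " + binary_with_line(network, prefix),
            "Broadcast: " + binary_with_line(broadcast, prefix),
        ],
    }


if __name__ == "__main__":
    for cidr in ("148.43.200.1/24", "148.43.200.1/25", "148.43.200.1/28"):
        result = subnet(cidr)
        print(cidr, "class", address_class(cidr.split("/")[0]), result["network"],
              result["broadcast"], result["usable_hosts"], "usable hosts")
        print("\n".join(result["template"]))
```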
Practical Exercise: IP Subnet Masking

1. IP Address 10.0.0.1/16
   Subnet Mask: ____________________________
   Network Address: ____________________________
   Broadcast Address: ____________________________
   Available Addresses: ____________________________

2. IP Address 131.29.1.5/24
   Subnet Mask: ____________________________
   Network Address: ____________________________
   Broadcast Address: ____________________________
   Available Addresses: ____________________________

3. IP Address 148.43.200.128/25
   Subnet Mask: ____________________________
   Network Address: ____________________________
   Broadcast Address: ____________________________
   Available Addresses: ____________________________

4. IP Address 25.205.120.6/9
   Subnet Mask: ____________________________
   Network Address: ____________________________
   Broadcast Address: ____________________________
   Available Addresses: ____________________________

5. IP Address 128.1.0.0/10
   Subnet Mask: ____________________________
   Network Address: ____________________________
   Broadcast Address: ____________________________
   Available Addresses: ____________________________

6. IP Address 148.43.200.16/30
   Subnet Mask: ____________________________
   Network Address: ____________________________
   Broadcast Address: ____________________________
   Available Addresses: ____________________________
7. IP Address 220.0.0.1/31
   Subnet Mask: ____________________________
   Network Address: ____________________________
   Broadcast Address: ____________________________
   Available Addresses: ____________________________

8. IP Address 55.15.3.9/27
   Subnet Mask: ____________________________
   Network Address: ____________________________
   Broadcast Address: ____________________________
   Available Addresses: ____________________________

9. IP Address 148.43.200.12/29
   Subnet Mask: ____________________________
   Network Address: ____________________________
   Broadcast Address: ____________________________
   Available Addresses: ____________________________

10. IP Address 125.25.20.6/22
   Classful Mask: ____________________________
   Subnet Mask: ____________________________
   Network Address: ____________________________
   Broadcast Address: ____________________________
   Available Addresses: ____________________________

11. IP Address 18.121.10.0/14
   Subnet Mask: ____________________________
   Network Address: ____________________________
   Broadcast Address: ____________________________
   Available Addresses: ____________________________
Layer 1 Interconnects & Cabling
CPN Router Case SEP (NIPR & SIPR)
Each Router case is designed to provide access to major components by the use of the Signal Entry Panel (SEP). The Firewall SEP connects to ports 1 – 4. Router connectivity to specific ports is accomplished at the router SEP. All console connections to the 3825 Router, 3560 Ethernet Switch, Turbo IP and Firewall are made at the Console SEP. LAN and WAN connections appear on the PEP.
[Figure: BNCPN SIPR Router Case Patching Diagram. Panel labels shown: 3560 switch ports 1X – 48X and SFP ports (SFP1 = port 49, SFP2 = 51, SFP3 = 50, SFP4 = 52); media converters MC1 – MC4 on TFOCA II fiber (100BFX and 1000BLX), with MC2/MC3/MC4 patched to switch ports 46x/47x/48x at the SEP; Firewall ports 1 – 4; Router G0/0, G0/1, Serial 0, Serial 1 and WEB; Console SEP connections for the 3825, 3560, PEP and FW; PEP LAN and WAN; TACLANE TL PT/CT; fiber run labelled TO NIPR CASE.]
BNCPN SIPR Router Case Patching Diagram
This diagram shows all connections to be made by the Operator on the SIPR Router Case. NOTE: THE CABLE FROM PORT 3 AT THE FIREWALL TO THE PEP LAN PORT IS THE ORANGE CROSSOVER CABLE PROVIDED WITH THE EQUIPMENT.
[Figure: BNCPN NIPR Router Case Patching Diagram. Same panel layout as the SIPR case: 3560 switch ports 1X – 48X and SFP ports (SFP1 = port 49, SFP2 = 51, SFP3 = 50, SFP4 = 52); media converters MC1 – MC4 on TFOCA II fiber (100BFX and 1000BLX), with MC2/MC3/MC4 patched to switch ports 46x/47x/48x at the SEP; Firewall ports 1 – 4; Router G0/0, G0/1, Serial 0, Serial 1 and WEB; Console SEP connections for the 3825, 3560, PEP and FW; PEP LAN and WAN; TACLANE TL PT/CT; fiber runs labelled TO SIPR CASE and TO STT.]
BNCPN NIPR Router Case Patching Diagram
This diagram shows all connections to be made by the Operator on the NIPR Router Case.
BNCPN SIGNAL FLOW
[Figure: BnCPN signal flow between the JNN, the STT trailer, the NIPR case, the SIPR case and the LOS case (VPN router with HCLOS/LOS radios). Each router case is drawn as a Cisco 3825 router (GE 0/0, GE 0/1), a NetScreen 50 firewall (Port 1 WAN side, Port 3 LAN side), a Turbo IP and a Cisco 3560 Ethernet switch (dot1q trunks on GE 0/43, GE 0/44 and GE 0/45; GE 0/49 SFP 1 and GE 0/51 SFP 2 to media converters; ports 1 – 42 for user access). VLANs labelled: 6, 58, 59 and 175 (VLAN 6 + 175 toward the router). NIPR case: fiber via media converters to the STT trailer and TO SIPR TACLANE, an ALT. to TACLANE path marked optional, ports 46 – 48, 50 and 52 for user cases. SIPR case: KG-175 TACLANE SEP (PT/CT) on VLAN 175, serial port, ports 46 – 52 for access cases.]
The BnCPN is contained in three transit cases: the Router Case, the VPN Case and the LOS Case. The above diagram shows the interconnectivity between the cases. The SIPR Router Case directly supports the SIPR user, data and voice, and is connected to the NIPR Case via fiber through media converters. The NIPR Case provides direct connectivity to the Satellite trailer for connectivity into the TDMA satellite network. The LOS case is intended to provide connectivity for the CPN to a legacy system with a TRI-TAC CDI interface such as an MSE LOS system. When using the LOS Case, DMVPN operation is not possible.
NIPR
CPN NIPR Case VLANs
[Figure: CPN NIPR case VLAN layout. Components: Cisco 3825 router (GE 0/0 with sub-interfaces G0/0.1, G0/0.6, G0/0.58 and G0/0.175; GE 0/1 WAN to the Ku STT), NetScreen 50 firewall (P1 – P4, LAN/WAN), Comtech Turbo IP, Web Cache, media converter rack on TFOCA II fiber, RJ-45 58 port panel, and a Cisco 3560 48 port Ethernet switch (ports 43 – 48, SFP ports 49 – 52). 802.1Q trunks carry VLANs 6, 58, 59 (one trunk carries 6, 58, 175). Legend: VLAN 6, VLAN 58, VLAN 59, VLAN 175, trunk port.]
Dynamic Multi-Point Virtual Private Networks (DMVPN)
JNN Network - Satellite Backbone
[Figure: Hub Node (Div/Corps) with DISN/GIG connectivity by satellite and by cable and a STEP link; JNN (BCT) on Ku FDMA and Ku TDMA; CPNs (Battalion level unit) on Ku TDMA.]
The JNN network utilizes a Ku Band commercial satellite network for the backbone interconnectivity of its systems. Both Time Division Multiple Access (TDMA) and Frequency Division Multiple Access (FDMA) are utilized. The JNN network architecture is composed of three primary elements:
1. Unit Hub Node (UHN)
2. Joint Network Node (JNN)
3. Battalion Command Post Node (CPN)
These systems provide communications support to the various elements within an Army Division. The UHN is located at the Division and/or the Corps element. It provides connectivity to the Defense Information Systems Network (DISN) and the Global Information Grid (GIG). The UHN utilizes both FDMA and TDMA satellite connectivity. The JNN is located at the Brigade Combat Team (BCT) element. It serves as both a distribution point for the various systems within the BCT and provides direct network services for the Brigade headquarter elements. The JNN can utilize both TDMA and FDMA satellite connectivity. It has a single FDMA link which is usually reserved for connectivity to the UHN.
The CPN provides direct network access to users within a Battalion element. It utilizes only TDMA satellite connectivity. It has permanent links to the UHN and/or JNN and can establish on demand connections to other CPNs within the BCT.
Why Satellite?
• Allows for beyond line of sight (BLOS) extension.
• Accessible from virtually anywhere on the battlefield.
• No need for extensive “link” planning for installation of ground systems at a new location.
• Scales well for maneuver units.
• Current ground equipment readily transportable.
The use of satellite communications by the JNN network allows for the installation and operation of a very flexible intra-network backbone for its users. Tactical line of sight (LOS) radio systems are normally limited to a maximum range of approximately 40 miles. This limits the area on a battlefield that maneuver units can cover. With satellite, two systems can establish a radio link as long as they are within the earth "footprint" of the satellite coverage. This coverage can be rather large, allowing systems to be hundreds of miles apart.

LOS radio link installation requires extensive planning and engineering, utilizing complex computer programs to produce a "profile". It is not always possible to establish an LOS radio link between two locations. Whenever LOS radio systems are moved to a new location, this link planning must be conducted again prior to the installation of the new radio link. Satellite, on the other hand, requires initial link planning for the installation of radio links. Once this is done, systems can move almost anywhere within the footprint and reestablish the radio link. Also, there are virtually no limits to establishing a satellite link as long as there is a clear line of sight path between the earth system and the satellite.

With the flexibility noted above, satellite based systems serve well in meeting the needs of Army combat units. As changes occur on the battlefield and units are required to move, satellite based systems provide them the ability to rapidly terminate and reestablish communications in a minimal amount of time.
FDMA / HUB & JNN
• Users xmit on one carrier frequency and receive on another.
• 2 carriers per full duplex link (point to point).
• Scales poorly - inefficient use of space segment.
• Does not support ad hoc networking.
• Dedicated bandwidth, not shared.
• No delay for link connection.
TDMA / HUB, JNN & CPN
• Users share carrier(s) for both xmit and receive.
• Additional carriers can be defined to support network growth.
• Scales well – efficient use of valuable space resource.
• Supports ad hoc networking well.
• Bandwidth is a shared resource, not dedicated.
• Slight delay in establishing link connection.
• Only source of connectivity for the CPN.
Space Segment Usage/Efficiency
* Space segment efficiency directly related to type of modulation/encoding used.
Frequency Division Multiple Access: FDMA is a traditional technique whereby earth stations transmit simultaneously on different pre-assigned frequencies, into a common satellite transponder. In addition, the FDMA carrier is allotted a certain amount of bandwidth. This carrier is constantly being transmitted to the satellite, processed by it, and retransmitted back to earth by it regardless of user traffic. Only the system assigned a certain transmit frequency can use the allocated bandwidth.

Time Division Multiple Access: TDMA is a digital transmission technology that allows a number of users to access a single radio-frequency (RF) carrier without interference by allocating unique time slots to each user within each carrier. The type utilized within JNTC-S is referred to as Multi-Frequency TDMA Demand Assigned Multiple Access. This allows for dynamic allocation of time slots based on user requirements and allows multiple carriers on the satellite within the TDMA network. This forms a "bandwidth pool" for the users.
FDMA/TDMA Satellite Payload-users present
• Above depicts two users communicating via a satellite link - TDMA or FDMA.
• Spectrum analyzer display depicts the radio carrier used between the two systems.
• The carrier has a center frequency plus a certain amount of bandwidth.
• Amount of bandwidth is dependent upon data rate transfer.
The above diagram displays two ground based satellite systems with a radio link established between the two through a satellite. This could be an FDMA or TDMA link. There are two users communicating through this link with laptop computers. Depicted between the two systems is a display from a spectrum analyzer. The “hump” on the screen is a representation of the radio carrier being received by one of the satellite systems. The carrier has a center frequency and a certain amount of bandwidth being utilized on each side of this center frequency. The amount of bandwidth is determined by the data rate being transmitted by the earth systems.
FDMA Satellite Payload - no users present
• Above depicts two systems with no user data being transferred.
• Satellite resource utilization remains unchanged on an FDMA link.
• Carrier can only be utilized by systems with the pre-assigned frequency & bandwidth.
• User activity or inactivity has no effect on satellite resource utilization.
The diagram now shows no user traffic being transmitted through the satellite radio link. From a satellite resource utilization standpoint, there would be no change on an FDMA link (as depicted by the spectrum analyzer display). FDMA systems have pre-assigned frequencies and pre-assigned bandwidth allocation; only the systems allocated these resources can utilize them. User activity or inactivity has no effect on satellite resource utilization.
TDMA Satellite Payload - no users present
• Above depicts two systems with no user data being transferred.
• No satellite resources are utilized on a TDMA link.
• Once user data transfer is complete, bandwidth is returned to a pool for use by other systems.
• Bandwidth is allocated on demand - based on user requirements.
• User activity or inactivity has a direct effect on satellite resource utilization.
The diagram still shows no user traffic being transmitted through the satellite radio link. From a satellite resource utilization stand point, there would be a change on a TDMA link (as depicted by the spectrum analyzer display). Resources on a TDMA satellite network are allocated based on user requirements. When users communicating through a TDMA satellite link have information to transfer, resources are allocated, a carrier (center frequency and bandwidth), to support the requirement. Once the transfer of this information is complete, the resources are returned to a pool for use by other systems as needed.
Virtual Private Network (VPN)
[Figure: a headquarters home office and a branch office connected across the Internet.]
• Internet Engineering Task Force (IETF): A VPN is "An emulation of a private Wide Area Network (WAN) using shared or public IP facilities, such as the Internet or private IP backbones."
• In simpler terms, a VPN is an extension of a private intranet across a public network (the Internet) that ensures secure and cost-effective connectivity between the two communicating ends.
A virtual private network (VPN) is a network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization's network. A virtual private network can be contrasted with an expensive system of owned or leased lines that can only be used by one organization. The goal of a VPN is to provide the organization with the same capabilities, but at a much lower cost. VPNs establish a secure network over insecure or public networks. VPNs can take many different forms and be implemented in various ways. VPNs achieve their security by encrypting the traffic that they transport, preventing eavesdropping or interception. In simplest terms, a VPN is fundamentally a secure tunnel established between two or more endpoints. A VPN can be constructed with or without the knowledge of the network provider, and can span multiple network providers.
Tunneling
[Figure: the original IP packet (IP Hdr | TCP Hdr | Data) and the same packet encapsulated with a tunnel protocol between CPN 1 and CPN 2 (New IP Hdr | Tunnel Hdr | Orig IP Hdr | TCP Hdr | Data | Tunnel Trailer).]
• VPNs are established with the help of private logical tunnels. Tunneling is the encapsulation of one protocol within another.
• Tunnels enable the two ends to exchange data in a manner that resembles point-to-point communications.
• From a routing protocol standpoint, the two routers depicted above would act as directly connected neighbors through the tunnel even though there may be several other routers physically between them.
The VPNs are established with the help of private logical "tunnels". These tunnels enable the two ends to exchange data in a manner that resembles point-to-point communication. Tunneling technology lies at the core of VPNs. In addition, elaborate security measures and mechanisms can be used to ensure safe passage of sensitive data across an unsecured medium. Tunneling is the technique of encapsulating a data packet in a tunneling protocol, such as IP Security (IPSec), Point-to-Point Tunneling Protocol (PPTP), or Layer 2 Tunneling Protocol (L2TP), and then finally packaging the tunneled packet into an IP packet. The resultant packet is then routed to the destination network using the overlying IP information. Because the original data packet can be of any type, tunneling can support multi-protocol traffic, including IP, ISDN, FR, and ATM.
Tunnel Protocols
• Point-to-Point Tunneling Protocol (PPTP)
• Layer 2 Tunneling Protocol (L2TP)
• Internet Security Protocol (IPSec)*
• Generic Routing Encapsulation (GRE)
• Multi-point Generic Routing Encapsulation (mGRE)*
*utilized within the JNN network architecture
IP Security (IPSec) - Developed by IETF, IPSec is an open standard that ensures transmission security and user authentication over public networks. Unlike other encryption techniques, IPSec operates at the Network layer of the seven-layer Open System Interconnect (OSI) model. Therefore, it can be implemented independently of the applications running over the network. As a result the network can be secured without the need to implement and coordinate security for each individual application.
• Multi-Point Generic Routing Encapsulation (mGRE) - mGRE allows a single GRE tunnel interface to support multiple tunnels (GRE is strictly point to point). This greatly simplifies the tunnel configuration and, when used in conjunction with NHRP, tunnels can be established dynamically.
DMVPN
[Figure: CPN 1 and CPN 2 linked to the JNN across the commercial TDMA satellite network; a tunnel is formed between the CPNs as needed.]
• DMVPN technology is utilized within the JNN network architecture.
• Permanent VPNs are established between Hub/JNN & Bn CPN systems.
• Connections between CPN systems are established on an as needed basis utilizing DMVPN technology.
• TDMA satellite bandwidth is a shared resource; DMVPNs allow this to be utilized more efficiently.
The JNN network utilizes satellite radio links as the backbone to interconnect its IP based systems. There are two types of satellite networks within the JNN architecture: Time Division Multiple Access (TDMA) and Frequency Division Multiple Access (FDMA). For the past several years, legacy tactical communications systems have utilized FDMA satellite networks. Within FDMA, individual satellite systems are assigned a frequency and a certain amount of bandwidth. These two resources can then only be utilized by that system even if there is actually no user communications going through this link. TDMA on the other hand pools satellite bandwidth for use by ground systems on an as needed or demand basis. It is somewhat similar to a radio Ethernet network. For IP based systems to effectively utilize this TDMA network, dynamic multi-point virtual private networks (DMVPN) are established. IP Security (IPSec) is utilized to encrypt and authenticate the DMVPN traffic. DMVPN is composed of two protocols: multi-point generic routing encapsulation (mGRE) and next hop resolution protocol (NHRP).
A DMVPN network is based on a hub/spoke topology. A system acts as the hub and all the others are considered spokes. Each spoke makes a permanent connection to the hub. Initially, when a spoke system has traffic destined for another spoke system, it is routed through the hub. Utilizing NHRP, the hub provides the appropriate information so that a temporary virtual connection can be made between the two spoke systems. Essentially, connections are made on an as needed basis therefore effectively utilizing the satellite resources.
What is a DMVPN?
• DMVPNs allow the dynamic establishment of multiple GRE tunnels through a single tunnel interface.
  - based on a hub/spoke network design
  - tunnels can be established dynamically (as needed)
  - more efficiently utilizes network resources
  - minimizes router configuration size
  - allows routers to be added or removed from the topology without reconfiguring present routers
• Two protocols are utilized within DMVPNs.
  - Multi-point GRE (mGRE)
  - Next Hop Resolution Protocol (NHRP)
The idea behind DMVPNs is that tunnels between certain routers can be established on an as needed basis. This has many benefits. The design is based on a hub/spoke topology with all spoke systems having a permanent tunnel to the hub system. Then, as required, the spoke systems dynamically establish tunnels between each other with information provided by the hub. This establishing of tunnels as needed and then terminating them once packet transfer is complete is very efficient in that network resources are only utilized when needed. Permanent VPNs (tunnels) utilize network resources even when there is no user traffic being transferred through the tunnel. When utilizing static tunnels with GRE, a separate tunnel interface and sub-net must be configured between the hub and each spoke. Depending on the number of routers involved, the size of the configuration and the number of IPs required can become quite extensive. DMVPNs by contrast have a simple configuration, and the size of the configuration remains the same regardless of the number of routers participating. With DMVPNs, as the network topology changes (adding or removing routers), the configurations of the existing routers do not have to be modified. This makes the scaling of a DMVPN network very flexible. Static tunnels by contrast would require configuration changes to all routers within the network topology.
To establish DMVPNs, three protocols are utilized: Multi-point GRE (mGRE), Next Hop Resolution Protocol (NHRP), and a dynamic routing protocol (OSPF or EIGRP).
Multi-Point Generic Routing Encapsulation
• mGRE — allows a single GRE tunnel interface to support multiple tunnels.
• GRE tunnel configuration consists of:
  - ip address & mask
  - tunnel source
  - tunnel destination
  - optional tunnel key
• mGRE tunnel configuration consists of:
  - ip address & mask
  - tunnel source
  - tunnel key
• With mGRE, the tunnel destination is not defined.
• mGRE relies on NHRP to supply the tunnel destination information which it then utilizes to dynamically establish the tunnel.
Tunneling protocols such as IPSec can only support IP unicast traffic. Routing protocols such as OSPF and EIGRP exchange routing information via multi-cast; therefore tunneling protocols such as IPSec cannot support dynamic routing. GRE was created to support multi-protocol traffic (IPX & AppleTalk) and in addition support all types of IP traffic (unicast, broadcast, & multicast). GRE however only supports point to point tunneling in which the source and destination addresses are specified. For each additional tunnel, a separate tunnel interface must be configured with the source and destination specified. mGRE on the other hand allows the establishment of multiple tunnels via a single tunnel interface. It is in a sense a broadcast multi-access tunnel interface. Within the mGRE configuration only the source addressing information is supplied. The destination address is learned dynamically relying on some other protocol such as NHRP.
Next Hop Resolution Protocol (NHRP)
• Client/server protocol: hub is server & spokes are clients.
• Each client registers with the server: tunnel address and associated tunnel source interface address (physical).
• Server maintains an NHRP database of these registrations.
• Clients request next hop information (tunnel to physical address resolution) from the server to establish a dynamic tunnel to another spoke.
Next Hop Resolution Protocol (NHRP) is a client/server protocol that provides the capability for the spoke routers to dynamically learn the exterior physical interface address of other spoke routers within the DMVPN network. Spoke routers are considered the clients and the hub router is the server. NHRP is used by a source station (host or router) connected to a Non-Broadcast, Multi-Access (NBMA) subnetwork to determine the internetworking layer address and NBMA subnetwork address of the "NBMA next hop" towards a destination station. If the destination is connected to the NBMA subnetwork, then the NBMA next hop is the destination station itself. Otherwise, the NBMA next hop is the egress router from the NBMA subnetwork that is "nearest" to the destination station. NHRP is intended for use in a multiprotocol internetworking layer environment over NBMA subnetworks. NHRP Resolution Requests traverse one or more hops within an NBMA subnetwork before reaching the station that is expected to generate a response. Each station, including the source station, chooses a neighboring next-hop server (NHS) to which it will forward the NHRP Resolution Request. The NHS selection procedure typically involves applying a destination protocol layer address to the protocol layer routing table, which causes a routing decision to be returned.
This routing decision is then used to forward the NHRP Resolution Request to the downstream NHS. The destination protocol layer address previously mentioned is carried within the NHRP Resolution Request packet. Note that even though a protocol layer address was used to acquire a routing decision, NHRP packets are not encapsulated within a protocol layer header but rather are carried at the NBMA layer using the encapsulation described in its own header.
• Hub is the NHRP server, spokes are clients.
• Clients register to the server with address mapping information.
• Server replies to clients once registration is complete.
NHRP (1)
[Figure: NHRP registration. HUB: tunnel 10.10.10.1/28, f0/1 148.43.200.1/29. CPN 1: tunnel 10.10.10.2/28, f0/1 148.43.200.10/29. CPN 2: tunnel 10.10.10.3/28, f0/1 148.43.200.20/29. Both spokes reach the HUB over TDMA. CPN 1 sends NHRP Registration 10.10.10.2 148.43.200.10; CPN 2 sends NHRP Registration 10.10.10.3 148.43.200.20; the HUB returns a Registration Reply to each. HUB NHRP Database: 10.10.10.2 148.43.200.10 / 10.10.10.3 148.43.200.20.]
The registration request is sent from the client (spoke) to the server (hub) in order to identify or register its NHRP information. The destination protocol address field is set to the server's IP address, or to the address of the client in the event the client is not specifically configured with next-hop server information. If the address field is set with the server's address, or with a client's address that is within the same subnet as the server, then the server places the client's NHRP information in its NHRP database. The server then sends a registration reply to the client informing it that it is now registered with this server. If the destination protocol address field is not set with the server's address and the client IP is not within the same subnet as the server, then the server forwards the registration to another next-hop server.
• Client 1 has packets destined for a network belonging to client 2.
• Client 1 sends a request to the server for resolution of the next hop tunnel address to the physical address of client 2.
NHRP (2)
[Figure: NHRP resolution request. HUB: tunnel 10.10.10.1/28, f0/1 148.43.200.1/29. CPN 1: tunnel 10.10.10.2/28, f0/1 148.43.200.10/29. CPN 2: tunnel 10.10.10.3/28, f0/1 148.43.200.20/29. Both spokes reach the HUB over TDMA. CPN 1 sends NHRP Resolution Request 10.10.10.3 to the HUB. HUB NHRP Database: 10.10.10.2 148.43.200.10 / 10.10.10.3 148.43.200.20.]
A resolution request is sent from a client to the server in order to identify the address for the next hop end point in the network. If the requested endpoint belongs to the server that has received the request, then it formulates a reply based on information contained in its database. Otherwise, the request must be forwarded to a next-hop server that supports that endpoint. Within the JNN DMVPN network, the request contains the destination router's tunnel address and asks for the destination's associated physical address.
• Server replies with the tunnel to physical address resolution.
• Client 1 enters this into its NHRP database.
NHRP (3)
[Figure: NHRP resolution reply. HUB: tunnel 10.10.10.1/28, f0/1 148.43.200.1/29. CPN 1: tunnel 10.10.10.2/28, f0/1 148.43.200.10/29. CPN 2: tunnel 10.10.10.3/28, f0/1 148.43.200.20/29. Both spokes reach the HUB over TDMA. HUB sends NHRP Resolution Reply 10.10.10.3 148.43.200.20 to CPN 1. HUB NHRP Database: 10.10.10.2 148.43.200.10 / 10.10.10.3 148.43.200.20. CPN 1 NHRP Database: 10.10.10.3 148.43.200.20.]
A resolution reply is sent from the server to the requesting client. The reply provides a mapping of the requested destination tunnel address to the destination physical address. This information is then entered into the client's NHRP database. This type of reply is termed an authoritative reply: the server that supports the subnet in question generates the reply. In the case where a resolution request was forwarded by an NHRP server to another server, it is possible for a server to receive a resolution reply. Once it has received the reply, it forwards it to the originating client. It also caches this reply for later use. When the same request is received again, it can use this cached information to reply instead of forwarding the request to the server that actually supports that subnet. This type of reply is termed non-authoritative.
DMVPN
• Client 1 utilizes the received NHRP info to establish a dynamic tunnel to client 2.
• The tunnel will be terminated after a predetermined amount of time:
- ip nhrp holdtime
NHRP (4)
[Figure: dynamic spoke-to-spoke tunnel. HUB: tunnel 10.10.10.1/28, f0/1 148.43.200.1/29. CPN 1: tunnel 10.10.10.2/28, f0/1 148.43.200.10/29. CPN 2: tunnel 10.10.10.3/28, f0/1 148.43.200.20/29. Both spokes reach the HUB over TDMA. HUB NHRP Database: 10.10.10.2 148.43.200.10 / 10.10.10.3 148.43.200.20. CPN 1 NHRP Database: 10.10.10.3 148.43.200.20. Packet from CPN 1 to CPN 2: the original packet (IP Hdr | UDP | Payload) is carried as Tunn IP Hdr (s - 148.43.200.10, d - 148.43.200.20) | GRE | IP Hdr | UDP | Payload.]
Once the client (spoke) has received the reply from the server and has entered it into its NHRP database, it has the information required to establish a dynamic tunnel to the other spoke. When configuring mGRE tunnels, the information supplied is the IP address & mask of the tunnel and the source physical interface to be utilized by the tunnel. In addition to packets using the tunnel actually exiting the configured physical interface, the tunneled packet also uses the IP address assigned to that physical interface as its source address. NHRP dynamically supplies the tunnel destination address. The tunnel will be terminated after a predetermined amount of time. By default, the tunnel will stay active for 120 minutes. This value can be changed within the tunnel configuration.
DMVPN and Routing Protocols
• For DMVPN to work properly, a routing protocol must be enabled on the tunnel interface.
• Spokes must advertise their supported networks to the hub, & the hub must propagate these to all the other spokes.
• Advertisements received by a spoke router must have the subnet's originating router listed as the next hop.
• The same routing protocol cannot be enabled on the tunnel & physical interfaces, or recursive routing may occur.
*JNN network employs static routes along with OSPF
For DMVPNs to work properly, a routing protocol must be utilized within the tunnel network so that the spokes can advertise their supported subnets to the hub. The hub then propagates these so that each spoke has knowledge of the subnets within the DMVPN topology. This is a key piece in the establishment of DMVPNs and can be easily overlooked. It is very common for a routing protocol to also be in operation on the physical network in addition to the tunnel network. It is very important that different routing protocols be utilized inside and outside of the tunnel to prevent recursive routing (routing loops). Recursive routing simply means that the routing table has found that the best path to the tunnel destination is through the tunnel. This means that the router cannot send the tunnel protocol’s TCP packets to the destination device because it thinks that they have to be encapsulated in the tunnel protocol again. This is a loop of sorts and the tunnel will be in a constant state of being torn down and rebuilt (up/down status). The other problem that can occur when using the same routing protocol inside and outside the tunnel is that packets can possibly be routed external to the tunnel. This can cause numerous problems and somewhat defeats the purpose of establishing the tunnel. Also, if IPSec is being applied to the tunnel, any packets that should be going through the tunnel but are routed externally will not have IPSec applied.
OSPF
• Certain configuration steps must be applied to the tunnel interface when utilizing OSPF (the primary protocol used in the JNN network):
- configure the OSPF network type as broadcast (ip ospf network broadcast)
- configure the OSPF priority so the hub is always the DR (ip ospf priority)
- ensure the IP MTU is set the same on all tunnel interfaces (ip mtu)
Depending on the routing protocol selected, there are certain configuration steps that must be taken for it to work properly within a DMVPN environment. OSPF:
- OSPF considers a tunnel interface point-to-point and will not allow it to support multiple connections. The tunnel interface must be set to broadcast within OSPF.
- Once the interface is set to broadcast, OSPF treats it as part of a broadcast multi-access network. The hub router must always be the designated router. A good practice is to set the priority of all the spokes to "0".
- Ensure that the ip mtu settings on all tunnel interfaces within the DMVPN topology are the same. Two OSPF routers cannot form a neighbor relationship if this setting differs.
• By default, OSPF treats a tunnel interface as a point-to-point network.
• All tunnel interfaces on routers within a DMVPN net are on the same subnet.
• OSPF must operate as if it is enabled on a broadcast multi-access network.
• Tunnel interface must be set to broadcast for proper operation of the DMVPN.
OSPF - Broadcast Network
[Figure: HUB: tunnel 10.10.10.1/28 - broadcast, f0/1 148.43.200.1/29. CPN 1: tunnel 10.10.10.2/28 - broadcast, f0/1 148.43.200.10/29. CPN 2: tunnel 10.10.10.3/28 - broadcast, f0/1 148.43.200.20/29. Both spokes reach the HUB over TDMA.]
OSPF considers a tunnel interface as a point to point network and will not allow it to support multiple OSPF neighbor connections. For DMVPNs to function properly, the tunnel interface must be set to OSPF broadcast. All tunnel interfaces belonging to routers within the same DMVPN network are configured as part of the same subnet. Configuring the tunnel interface to broadcast will cause all of these routers to function as part of the same OSPF broadcast multi-access network.
• Spoke routers (CPNs) have permanent connectivity only to the HUB and JNN router.
• Spoke routers (CPNs) only form an OSPF neighborship with the HUB and JNN.
• The HUB must be elected as the OSPF designated router (DR).
• Set all spoke routers' OSPF priority to 0.
• NOTE: If no priority is set, the router will default to 1; must set a priority…
OSPF & DMVPN - Hub is DR
[Figure: HUB (DR): tunnel 10.10.10.1/28 - priority 1, f0/1 148.43.200.1/29. CPN 1 (DRother): tunnel 10.10.10.2/28 - priority 0, f0/1 148.43.200.10/29. CPN 2 (DRother): tunnel 10.10.10.3/28 - priority 0, f0/1 148.43.200.20/29. Both spokes reach the HUB over TDMA.]
Once the DMVPN topology has been configured to function as an OSPF broadcast multi-access network, the OSPF priority must be configured for the designated router (DR) election. The goal is to have the hub (NHRP server) always be the DR and the spokes (NHRP clients) never be the DR. To accomplish this, all spokes should have their OSPF priority configured as "0". If there are going to be multiple hubs (servers) within a single DMVPN topology, the priority should be set according to which of these should be the DR and which should be the backup designated router (BDR).
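The following hub and spoke (CPN 1) configuration ties together the mGRE, NHRP, OSPF broadcast, DR priority and IP MTU settings described in this chapter, using the addressing from the NHRP and OSPF figures. It is an illustrative Cisco IOS example written for this guide, not the JNN/CPN production configuration; the tunnel key (100), NHRP network-id (1) and IP MTU (1400) are assumed values the guide does not specify.

```cisco
! ===== HUB (NHRP server, OSPF DR) =====
interface FastEthernet0/1
 ip address 148.43.200.1 255.255.255.248
!
interface Tunnel0
 ip address 10.10.10.1 255.255.255.240
 ! assumed MTU; must be identical on every tunnel interface or OSPF will not neighbor
 ip mtu 1400
 ! replicate multicast (OSPF hellos) to every spoke that registers
 ip nhrp map multicast dynamic
 ! assumed network-id; same on hub and spokes
 ip nhrp network-id 1
 ! 7200 s = 120 minutes, the default described in the text
 ip nhrp holdtime 7200
 ! OSPF treats the mGRE tunnel as broadcast multi-access; hub is the only DR candidate
 ip ospf network broadcast
 ip ospf priority 1
 ! mGRE: source and key only, no tunnel destination (NHRP supplies it)
 tunnel source FastEthernet0/1
 tunnel mode gre multipoint
 tunnel key 100
!
router ospf 1
 ! OSPF only on the tunnel subnet, never on f0/1 (avoids recursive routing)
 network 10.10.10.0 0.0.0.15 area 0
!
! ===== CPN 1 (spoke, NHRP client) =====
interface FastEthernet0/1
 ip address 148.43.200.10 255.255.255.248
!
interface Tunnel0
 ip address 10.10.10.2 255.255.255.240
 ip mtu 1400
 ! static tunnel-to-physical mapping for the hub; spoke registers with this NHS
 ip nhrp map 10.10.10.1 148.43.200.1
 ip nhrp map multicast 148.43.200.1
 ip nhrp network-id 1
 ip nhrp nhs 10.10.10.1
 ip nhrp holdtime 7200
 ip ospf network broadcast
 ! priority 0: a spoke must never become DR or BDR
 ip ospf priority 0
 tunnel source FastEthernet0/1
 tunnel mode gre multipoint
 tunnel key 100
!
router ospf 1
 network 10.10.10.0 0.0.0.15 area 0
 ! plus one network statement per spoke LAN (LAN addressing is not given in the guide)
```

CPN 2 is configured identically to CPN 1 with its own addresses (tunnel 10.10.10.3, f0/1 148.43.200.20); only the hub mapping, nhs, network-id and tunnel key values are shared across all routers.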
• Within the JNN network, several tunnels along with IPSec are configured.
• These functions add additional bytes to the packet.
• To limit fragmentation, the MTU setting of the IP packets is reduced.
• For two routers to form an OSPF neighbor relationship, the interfaces providing connectivity for this must have the same IP MTU setting.
OSPF & DMVPN - IP MTU
[Figure: HUB, CPN 1, CPN 2 tunnel interfaces; remaining figure text truncated in source]
tunnel 10.10.