Cybersecurity Awareness


Thursday, October 3, 2024

CCNA LAB: SVI, DHCP server, VTP, Root guard, BPDU filter, Inter-VLAN routing, 802.1Q, PortFast and more

In this lab, we see the configuration of SVIs, a DHCP server, VTP, root guard, BPDU filter, inter-VLAN routing, 802.1Q trunking and more. This lab is good for CCNA and CCNP students. Let's see what we are going to configure.
A trunk link is a point-to-point link between two network devices. Trunk links carry more than one VLAN. With VLAN trunking, we can extend our configured VLANs across the entire network. Remember, sending information from an access link on one VLAN to another VLAN is not possible without an additional device: a router, or an external layer 2 bridge connected between the VLANs. A trunk link can transport traffic for multiple VLANs through a single switch port. A trunk link is not assigned to a specific VLAN.

VLAN Trunking Protocol (VTP) is a Cisco proprietary protocol. As I already said, VTP is used to share the VLAN configuration with other switches and maintain consistency throughout the network, but the information is passed only if the switch is connected through Fast Ethernet or higher ports, and those links must be trunk links.

A VLAN is a logical grouping of network users and resources connected to administratively defined ports on a switch. VLANs give you the ability to create smaller broadcast domains within a layer 2 switched internetwork by assigning different ports on the switch to different subnetworks. A VLAN is treated like its own subnet or broadcast domain, meaning that frames broadcast into the network are only switched between the ports logically grouped within the same VLAN. By default, hosts in one VLAN can't communicate with hosts that are members of another VLAN, so if they need to communicate, we need a router or inter-VLAN routing (IVR).

A DHCP (Dynamic Host Configuration Protocol) server provides all the basic information a client needs to operate on the network, including the DNS server address, default gateway, IP address, subnet mask and more.

Spanning-tree PortFast is a Cisco proprietary enhancement to spanning tree. PortFast helps speed up network convergence on access ports. PortFast bypasses the listening and learning states (the 15 + 15 second timers) and enters the spanning-tree forwarding state immediately.

Spanning-tree BPDU Guard is one of the features that help you protect your spanning-tree topology. BPDU Guard prevents loops if another switch is attached to a PortFast port. When BPDU Guard is enabled on an interface, the interface is put into an error-disabled state (basically shut down) if a BPDU is received on it. It can be enabled in either global configuration mode or interface mode.

Root guard prevents the wrong switch from becoming the spanning-tree root. If a root-guard port receives a superior BPDU that might cause it to become a root port, the port is put into a "root-inconsistent" state and does not pass traffic. If the port stops receiving these BPDUs, it automatically re-enables itself.


Let's see the configuration:

1. Configure the topology as per the diagram
2. Configure 802.1Q trunks
3. Configure no negotiation and allow only VLANs 11, 12, 13 and 14 on the trunks
4. Configure VTP domain name internetworks with password networks
5. Configure VTP version 2
6. Configure the MLS switch as VTP server and the rest of the switches as clients
7. Configure VLAN_11, VLAN_12, VLAN_13 and VLAN_14 on the MLS
8. Make sure the rest of the switches receive this VLAN information
9. Configure the ports into their VLANs as per the topology
10. Configure IP addresses on the VLAN interfaces for inter-VLAN routing:
    - IP 192.168.1.1/24 to VLAN 11
    - IP 192.168.2.1/24 to VLAN 12
    - IP 192.168.3.1/24 to VLAN 13
    - IP 192.168.4.1/24 to VLAN 14
11. Configure a DHCP server for VLANs 11, 12, 13 and 14 on the MLS
12. Make sure all PCs in the different VLANs get their IP address and other information
13. Ping from PC-1 to PCs in different VLANs
14. Configure PortFast on all the access ports
15. Configure the MLS switch to become the root bridge for all the VLANs
16. Configure root guard on the trunk ports of the MLS switch
17. Configure BPDU filter


MSL-SW-(config)#interface range ethernet 1/0-3
MSL-SW-(config-if-range)#switchport trunk encapsulation dot1q
MSL-SW-(config-if-range)#switchport mode trunk
MSL-SW-(config-if-range)#switchport nonegotiate
MSL-SW-(config-if-range)#switchport trunk allowed vlan 11,12,13,14
MSL-SW-(config-if-range)#exit

MSL-SW-#show interface trunk

Port        Mode             Encapsulation  Status        Native vlan
Et1/0       on               802.1q         trunking      1
Et1/1       on               802.1q         trunking      1
Et1/2       on               802.1q         trunking      1
Et1/3       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Et1/0       11-14
Et1/1       11-14
Et1/2       11-14
Et1/3       11-14


Switch-1(config)#interface range ethernet 1/0
Switch-1(config-if-range)#switchport trunk encapsulation dot1q
Switch-1(config-if-range)#switchport mode trunk
Switch-1(config-if-range)#switchport nonegotiate
Switch-1(config-if-range)#switchport trunk allowed vlan 11,12,13,14
Switch-1(config-if-range)#exit
Switch-1(config)#end

Switch-1#show interface trunk

Port        Mode             Encapsulation  Status        Native vlan
Et1/0       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Et1/0       11-14


Switch-2(config)#interface range ethernet 1/1
Switch-2(config-if-range)#switchport trunk encapsulation dot1q
Switch-2(config-if-range)#switchport mode trunk
Switch-2(config-if-range)#switchport nonegotiate
Switch-2(config-if-range)#switchport trunk allowed vlan 11,12,13,14
Switch-2(config-if-range)#exit
Switch-2(config)#end

Switch-2#show interface trunk

Port        Mode             Encapsulation  Status        Native vlan
Et1/1       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Et1/1       11-14


IOU3(config)#interface range ethernet 1/2
IOU3(config-if-range)#switchport trunk encapsulation dot1q
IOU3(config-if-range)#switchport mode trunk
IOU3(config-if-range)#switchport nonegotiate
IOU3(config-if-range)#switchport trunk allowed vlan 11,12,13,14
IOU3(config-if-range)#exit
IOU3(config)#end

IOU3#show interface trunk

Port        Mode             Encapsulation  Status        Native vlan
Et1/2       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Et1/2       11-14


Switch-4(config)#interface range ethernet 1/3
Switch-4(config-if-range)#switchport trunk encapsulation dot1q
Switch-4(config-if-range)#switchport mode trunk
Switch-4(config-if-range)#switchport nonegotiate
Switch-4(config-if-range)#switchport trunk allowed vlan 11,12,13,14
Switch-4(config-if-range)#exit
Switch-4(config)#end

Switch-4#show interface trunk

Port        Mode             Encapsulation  Status        Native vlan
Et1/3       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Et1/3       11-14

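As an added example (not part of the original lab), the following Python script parses `show interface trunk` output like the one above and checks it against the lab's policy: a static trunk (Mode `on`, so the port is not relying on DTP negotiation), 802.1Q encapsulation, exactly VLANs 11-14 allowed, and a warning wherever the native VLAN is still 1, which is what every trunk above reports. The first sample is the MSL-SW output from the lab; the second, with a DTP-negotiated trunk allowing all VLANs, is constructed here to show a failing case. `switchport nonegotiate` is not visible in this output; it appears as "Negotiation of Trunking: Off" in `show interfaces switchport`.

```python
import re

# Constructed sample: the `show interface trunk` output of MSL-SW from the lab above.
SAMPLE_TRUNK_OUTPUT = """\
Port        Mode             Encapsulation  Status        Native vlan
Et1/0       on               802.1q         trunking      1
Et1/1       on               802.1q         trunking      1
Et1/2       on               802.1q         trunking      1
Et1/3       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Et1/0       11-14
Et1/1       11-14
Et1/2       11-14
Et1/3       11-14
"""

# Constructed sample: a trunk negotiated by DTP ("desirable", "n-802.1q") that allows every VLAN.
SAMPLE_WEAK_OUTPUT = """\
Port        Mode             Encapsulation  Status        Native vlan
Et1/0       desirable        n-802.1q       trunking      1

Port        Vlans allowed on trunk
Et1/0       1-4094
"""


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '11-14' or '11,12,20-22' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_trunk_output(text):
    """Parse the status table and the 'Vlans allowed on trunk' table into {port: info}."""
    trunks = {}
    section = None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if line.startswith("Port"):
            if "Native vlan" in line:
                section = "status"
            elif "Vlans allowed on trunk" in line:
                section = "allowed"
            else:
                section = "other"  # the remaining tables are not needed for this audit
            continue
        fields = line.split()
        if section == "status" and len(fields) == 5:
            port, mode, encap, status, native = fields
            trunks[port] = {"mode": mode, "encapsulation": encap,
                            "status": status, "native_vlan": int(native), "allowed": set()}
        elif section == "allowed" and len(fields) == 2 and fields[0] in trunks:
            trunks[fields[0]]["allowed"] = expand_vlan_list(fields[1])
    return trunks


def audit_trunks(trunks, expected_vlans):
    """Return (port, finding) pairs for every deviation from the lab's trunk policy."""
    findings = []
    for port, info in sorted(trunks.items()):
        if info["mode"] != "on":
            findings.append((port, f"mode is '{info['mode']}', expected a static 'on' trunk without DTP"))
        if info["encapsulation"] != "802.1q":
            findings.append((port, f"encapsulation is {info['encapsulation']}, expected 802.1q"))
        if info["status"] != "trunking":
            findings.append((port, f"status is {info['status']}"))
        extra = info["allowed"] - expected_vlans
        missing = expected_vlans - info["allowed"]
        if extra:
            findings.append((port, f"{len(extra)} VLANs allowed beyond policy, e.g. {sorted(extra)[:5]}"))
        if missing:
            findings.append((port, f"required VLANs not allowed: {sorted(missing)}"))
        if info["native_vlan"] == 1:
            findings.append((port, "native VLAN is 1; use a dedicated unused VLAN as the trunk native VLAN"))
    return findings


if __name__ == "__main__":
    for name, sample in (("lab", SAMPLE_TRUNK_OUTPUT), ("weak", SAMPLE_WEAK_OUTPUT)):
        print(f"--- {name} ---")
        for port, finding in audit_trunks(parse_trunk_output(sample), {11, 12, 13, 14}):
            print(f"{port}: {finding}")
```

Run against the lab output it reports only the native-VLAN-1 warning on each of the four trunks; against the constructed weak output it also flags the DTP-negotiated mode, the negotiated encapsulation and the 4090 VLANs allowed beyond the policy.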

MSL-SW-(config)#VTP domain internetworks
Domain name already set to internetworks.
MSL-SW-(config)#VTP password networks
MSL-SW-(config)#VTP mode server
MSL-SW-(config)#VTP version 2
MSL-SW-(config)#end

MSL-SW-#show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 2
VTP Domain Name                 : internetworks
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : aabb.cc00.0600


Switch-1(config)#VTP domain internetworks
Switch-1(config)#VTP password networks
Switch-1(config)#VTP mode client
Switch-1(config)#VTP version 2
Switch-1(config)#end

Switch-2(config)#VTP domain internetworks
Switch-2(config)#VTP password networks
Switch-2(config)#VTP mode client
Switch-2(config)#VTP version 2
Switch-2(config)#end

IOU3(config)#VTP domain internetworks
IOU3(config)#VTP password networks
IOU3(config)#VTP mode client
IOU3(config)#VTP version 2
IOU3(config)#end

Switch-4(config)#VTP domain internetworks
Switch-4(config)#VTP password networks
Switch-4(config)#VTP mode client
Setting device to VTP Client mode for VLANS.
Switch-4(config)#VTP version 2
Switch-4(config)#end

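Added example, not from the lab: a Python check that reads console transcripts like the ones above, collects the VTP settings each switch was given, and verifies that every switch is in the same domain with the same password and version and that exactly one switch is the server. The transcript text is the lab's own commands; `Switch-5`, a switch with no password and no version, is a constructed addition that shows what a mismatch looks like.

```python
import re
from collections import defaultdict

# Constructed sample: the VTP commands typed on each switch in the lab above.
LAB_VTP_TRANSCRIPT = """\
MSL-SW-(config)#VTP domain internetworks
Domain name already set to internetworks.
MSL-SW-(config)#VTP password networks
MSL-SW-(config)#VTP mode server
MSL-SW-(config)#VTP version 2
MSL-SW-(config)#end
Switch-1(config)#VTP domain internetworks
Switch-1(config)#VTP password networks
Switch-1(config)#VTP mode client
Switch-1(config)#VTP version 2
Switch-2(config)#VTP domain internetworks
Switch-2(config)#VTP password networks
Switch-2(config)#VTP mode client
Switch-2(config)#VTP version 2
IOU3(config)#VTP domain internetworks
IOU3(config)#VTP password networks
IOU3(config)#VTP mode client
IOU3(config)#VTP version 2
Switch-4(config)#VTP domain internetworks
Switch-4(config)#VTP password networks
Switch-4(config)#VTP mode client
Setting device to VTP Client mode for VLANS.
Switch-4(config)#VTP version 2
"""

# Constructed sample: a hypothetical extra switch joined to the domain as a second server,
# with no password and no version set.
WEAK_SWITCH_TRANSCRIPT = """\
Switch-5(config)#VTP domain internetworks
Switch-5(config)#VTP mode server
"""

# "<hostname>(config)#vtp <key> <value>"; output lines without a prompt are ignored.
VTP_CMD = re.compile(
    r"^(?P<host>[\w.-]+)\(config\)#\s*vtp\s+(?P<key>domain|password|mode|version)\s+(?P<value>\S+)",
    re.IGNORECASE)


def parse_vtp_transcript(text):
    """Return {hostname: {domain, password, mode, version}} from a console transcript."""
    settings = defaultdict(dict)
    for line in text.splitlines():
        m = VTP_CMD.match(line.strip())
        if m:
            settings[m["host"]][m["key"].lower()] = m["value"]
    return dict(settings)


def audit_vtp(settings, expected_domain, expected_version="2"):
    """List deviations from a consistent one-server, password-protected VTP domain."""
    findings = []
    servers = [h for h, s in settings.items() if s.get("mode", "").lower() == "server"]
    if len(servers) != 1:
        findings.append(f"expected exactly one VTP server, found {sorted(servers)}")
    if len({s.get("password") for s in settings.values()}) != 1:
        findings.append("VTP password is not identical on every switch")
    for host, s in sorted(settings.items()):
        if s.get("domain") != expected_domain:
            findings.append(f"{host}: domain {s.get('domain')!r} != {expected_domain!r}")
        if "password" not in s:
            findings.append(f"{host}: no VTP password; unauthenticated advertisements would be accepted")
        if s.get("version") != expected_version:
            findings.append(f"{host}: VTP version {s.get('version')} != {expected_version}")
        if s.get("mode", "").lower() not in ("server", "client", "transparent", "off"):
            findings.append(f"{host}: VTP mode not set explicitly")
    return findings


if __name__ == "__main__":
    print("lab:", audit_vtp(parse_vtp_transcript(LAB_VTP_TRANSCRIPT), "internetworks"))
    print("with Switch-5:", audit_vtp(
        parse_vtp_transcript(LAB_VTP_TRANSCRIPT + WEAK_SWITCH_TRANSCRIPT), "internetworks"))
```

The transcript cannot show the configuration revision number. Before attaching any switch to a VTP domain, check `show vtp status` on it: a switch in the same domain with the same password and a higher configuration revision overwrites the VLAN database of the others, whether it is a server or a client.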

MSL-SW-(config)#VLAN 11
MSL-SW-(config-vlan)#name Go Green Team
MSL-SW-(config-vlan)#exit
MSL-SW-(config)#VLAN 12
MSL-SW-(config-vlan)#name Go Blue Team
MSL-SW-(config-vlan)#exit
MSL-SW-(config)#VLAN 13
MSL-SW-(config-vlan)#name Go Purple
MSL-SW-(config-vlan)#exit
MSL-SW-(config)#VLAN 14
MSL-SW-(config-vlan)#name Go Skey Blue
MSL-SW-(config-vlan)#exit

MSL-SW-#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Et0/0, Et0/1, Et0/2, Et0/3
                                                Et2/0, Et2/1, Et2/2, Et2/3
                                                Et3/0, Et3/1, Et3/2, Et3/3
11   Go Green Team                    active
12   Go Blue Team                     active
13   Go Purple                        active
14   Go Skey Blue                     active
1002 fddi-default                     act/unsup
1003 trcrf-default                    act/unsup
1004 fddinet-default                  act/unsup
1005 trbrf-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------


Switch-1(config)#interface range ethernet 0/0-3
Switch-1(config-if-range)#switchport mode access
Switch-1(config-if-range)#switchport access vlan 11
Switch-1(config-if-range)#exit
Switch-1(config)#end
Switch-1#
*Oct  1 11:00:36.626: %SYS-5-CONFIG_I: Configured from console by console
Switch-1#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Et1/1, Et1/2, Et1/3, Et2/0
                                                Et2/1, Et2/2, Et2/3, Et3/0
                                                Et3/1, Et3/2, Et3/3
11   Go Green Team                    active    Et0/0, Et0/1, Et0/2, Et0/3
12   Go Blue Team                     active
13   Go Purple                        active
14   Go Skey Blue                     active
1002 fddi-default                     act/unsup
1003 trcrf-default                    act/unsup
1004 fddinet-default                  act/unsup
1005 trbrf-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2


Switch-2(config)#interface range ethernet 0/0-3
Switch-2(config-if-range)#switchport mode access
Switch-2(config-if-range)#switchport access vlan 12
Switch-2(config-if-range)#exit
Switch-2(config)#end
Switch-2#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Et1/0, Et1/2, Et1/3, Et2/0
                                                Et2/1, Et2/2, Et2/3, Et3/0
                                                Et3/1, Et3/2, Et3/3
11   Go Green Team                    active
12   Go Blue Team                     active    Et0/0, Et0/1, Et0/2, Et0/3
13   Go Purple                        active
14   Go Skey Blue                     active
1002 fddi-default                     act/unsup
1003 trcrf-default                    act/unsup
1004 fddinet-default                  act/unsup
1005 trbrf-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2


Switch-3(config)#interface range ethernet 0/0-3
Switch-3(config-if-range)#switchport mode access
Switch-3(config-if-range)#switchport access vlan 13
Switch-3(config-if-range)#exit
Switch-3(config)#end
Switch-3#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Et1/0, Et1/1, Et1/3, Et2/0
                                                Et2/1, Et2/2, Et2/3, Et3/0
                                                Et3/1, Et3/2, Et3/3
11   Go Green Team                    active
12   Go Blue Team                     active
13   Go Purple                        active    Et0/0, Et0/1, Et0/2, Et0/3
14   Go Skey Blue                     active
1002 fddi-default                     act/unsup
1003 trcrf-default                    act/unsup
1004 fddinet-default                  act/unsup
1005 trbrf-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2


Switch-4(config)#interface range ethernet 0/0-3
Switch-4(config-if-range)#switchport mode access
Switch-4(config-if-range)#switchport access vlan 14
Switch-4(config-if-range)#exit
Switch-4(config)#end
Switch-4#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Et1/0, Et1/1, Et1/2, Et2/0
                                                Et2/1, Et2/2, Et2/3, Et3/0
                                                Et3/1, Et3/2, Et3/3
11   Go Green Team                    active
12   Go Blue Team                     active
13   Go Purple                        active
14   Go Skey Blue                     active    Et0/0, Et0/1, Et0/2, Et0/3
1002 fddi-default                     act/unsup
1003 trcrf-default                    act/unsup
1004 fddinet-default                  act/unsup
1005 trbrf-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2


MSL-SW-(config)#interface vlan 11
MSL-SW-(config-if)#ip address 192.168.1.1 255.255.255.0
MSL-SW-(config-if)#no shutdown
MSL-SW-(config-if)#exit
MSL-SW-(config)#interface vlan 12
MSL-SW-(config-if)#ip address 192.168.2.1 255.255.255.0
MSL-SW-(config-if)#no shutdown
MSL-SW-(config-if)#exit
MSL-SW-(config)#interface vlan 13
MSL-SW-(config-if)#ip address 192.168.3.1 255.255.255.0
MSL-SW-(config-if)#no shutdown
MSL-SW-(config-if)#exit
MSL-SW-(config)#interface vlan 14
MSL-SW-(config-if)#ip address 192.168.4.1 255.255.255.0
MSL-SW-(config-if)#no shutdown
MSL-SW-(config-if)#exit

MSL-SW-#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
Vlan11                 192.168.1.1     YES manual up                    up
Vlan12                 192.168.2.1     YES manual up                    up
Vlan13                 192.168.3.1     YES manual up                    up
Vlan14                 192.168.4.1     YES manual up                    up


MSL-SW-(config)#service dhcp
MSL-SW-(config)#ip dhcp pool vlan11
MSL-SW-(dhcp-config)#network 192.168.1.2 255.255.255.0
MSL-SW-(dhcp-config)#default-router 192.168.1.1
MSL-SW-(dhcp-config)#dns-server 8.8.8.8
MSL-SW-(dhcp-config)#exit

MSL-SW-(config)#service dhcp
MSL-SW-(config)#ip dhcp pool vlan12
MSL-SW-(dhcp-config)#network 192.168.2.2 255.255.255.0
MSL-SW-(dhcp-config)#default-router 192.168.2.1
MSL-SW-(dhcp-config)#dns-server 8.8.8.8
MSL-SW-(dhcp-config)#exit

MSL-SW-(config)#service dhcp
MSL-SW-(config)#ip dhcp pool vlan13
MSL-SW-(dhcp-config)#network 192.168.3.2 255.255.255.0
MSL-SW-(dhcp-config)#default-router 192.168.3.1
MSL-SW-(dhcp-config)#dns-server 8.8.8.8
MSL-SW-(dhcp-config)#exit

MSL-SW-(config)#service dhcp
MSL-SW-(config)#ip dhcp pool vlan14
MSL-SW-(dhcp-config)#network 192.168.4.2 255.255.255.0
MSL-SW-(dhcp-config)#default-router 192.168.4.1
MSL-SW-(dhcp-config)#dns-server 8.8.8.8
MSL-SW-(dhcp-config)#exit

MSL-SW-#show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address      Client-ID/              Lease expiration        Type       State      Interface
                Hardware address/
                User name
192.168.1.2     0100.5079.6668.00       Oct 02 2024 11:07 AM    Automatic  Active     Vlan11
192.168.1.3     0100.5079.6668.01       Oct 02 2024 11:07 AM    Automatic  Active     Vlan11
192.168.2.2     0100.5079.6668.04       Oct 02 2024 11:07 AM    Automatic  Active     Vlan12
192.168.2.3     0100.5079.6668.05       Oct 02 2024 11:08 AM    Automatic  Active     Vlan12
192.168.3.2     0100.5079.6668.08       Oct 02 2024 11:08 AM    Automatic  Active     Vlan13
192.168.3.3     0100.5079.6668.09       Oct 02 2024 11:08 AM    Automatic  Active     Vlan13
192.168.4.3     0100.5079.6668.0d       Oct 02 2024 11:08 AM    Automatic  Active     Vlan14

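Added example, not from the lab: a Python script that cross-checks `show ip dhcp binding` against the SVI addresses in `show ip interface brief`, confirming that each lease sits inside the subnet of the VLAN interface it was handed out on and does not collide with the gateway. The /24 mask is taken from the lab's SVI configuration and is an assumption of the script; the two rows for 192.168.9.2 and for `Vlan99` are constructed additions that make the checks fire.

```python
import ipaddress
import re

# Constructed sample: the SVI lines of `show ip interface brief` on MSL-SW from the lab above.
SAMPLE_SVI_OUTPUT = """\
Interface              IP-Address      OK? Method Status                Protocol
Vlan11                 192.168.1.1     YES manual up                    up
Vlan12                 192.168.2.1     YES manual up                    up
Vlan13                 192.168.3.1     YES manual up                    up
Vlan14                 192.168.4.1     YES manual up                    up
"""

# Constructed sample: the lab's `show ip dhcp binding` output plus two bogus rows
# (192.168.9.2 on Vlan12 and 192.168.3.5 on Vlan99) added to exercise the checks.
SAMPLE_BINDING_OUTPUT = """\
Bindings from all pools not associated with VRF:
IP address      Client-ID/              Lease expiration        Type       State      Interface
                Hardware address/
                User name
192.168.1.2     0100.5079.6668.00       Oct 02 2024 11:07 AM    Automatic  Active     Vlan11
192.168.1.3     0100.5079.6668.01       Oct 02 2024 11:07 AM    Automatic  Active     Vlan11
192.168.2.2     0100.5079.6668.04       Oct 02 2024 11:07 AM    Automatic  Active     Vlan12
192.168.2.3     0100.5079.6668.05       Oct 02 2024 11:08 AM    Automatic  Active     Vlan12
192.168.3.2     0100.5079.6668.08       Oct 02 2024 11:08 AM    Automatic  Active     Vlan13
192.168.3.3     0100.5079.6668.09       Oct 02 2024 11:08 AM    Automatic  Active     Vlan13
192.168.4.3     0100.5079.6668.0d       Oct 02 2024 11:08 AM    Automatic  Active     Vlan14
192.168.9.2     0100.dead.beef.01       Oct 02 2024 11:09 AM    Automatic  Active     Vlan12
192.168.3.5     0100.dead.beef.02       Oct 02 2024 11:09 AM    Automatic  Active     Vlan99
"""

SVI_LINE = re.compile(r"^(Vlan\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+")
# The lease expiration field contains spaces, so it is matched lazily up to the Type column.
BINDING_LINE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<client>\S+)\s+(?P<lease>.+?)\s+"
    r"(?P<type>Automatic|Manual)\s+(?P<state>\S+)\s+(?P<iface>\S+)\s*$")


def parse_svis(text, prefixlen=24):
    """Map SVI name -> ip_interface. The /24 is the lab's mask, assumed here."""
    svis = {}
    for line in text.splitlines():
        m = SVI_LINE.match(line)
        if m:
            svis[m.group(1)] = ipaddress.ip_interface(f"{m.group(2)}/{prefixlen}")
    return svis


def parse_bindings(text):
    """Return one dict per binding row; header and continuation lines are skipped."""
    return [m.groupdict() for m in map(BINDING_LINE.match, text.splitlines()) if m]


def check_bindings(bindings, svis):
    """Return ({SVI: number of valid leases}, [findings]) for the given bindings."""
    counts = {}
    findings = []
    for b in bindings:
        svi = svis.get(b["iface"])
        if svi is None:
            findings.append(f"{b['ip']} leased on {b['iface']}, which has no SVI on this switch")
            continue
        addr = ipaddress.ip_address(b["ip"])
        if addr not in svi.network:
            findings.append(f"{b['ip']} on {b['iface']} is outside {svi.network}")
            continue
        if addr == svi.ip:
            findings.append(f"{b['ip']} collides with the gateway address on {b['iface']}")
            continue
        counts[b["iface"]] = counts.get(b["iface"], 0) + 1
    return counts, findings


if __name__ == "__main__":
    counts, findings = check_bindings(parse_bindings(SAMPLE_BINDING_OUTPUT),
                                      parse_svis(SAMPLE_SVI_OUTPUT))
    print("leases per VLAN:", counts)
    for f in findings:
        print("finding:", f)
```

On the lab's seven real rows the script reports two leases each on Vlan11-13 and one on Vlan14 with no findings; the two constructed rows each produce a finding.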

MSL-SW-(config)#ip routing

PC1> ip dhcp
DDORA IP 192.168.1.2/24 GW 192.168.1.1

PC1> ping 192.168.1.3
84 bytes from 192.168.1.3 icmp_seq=1 ttl=64 time=5.950 ms
84 bytes from 192.168.1.3 icmp_seq=2 ttl=64 time=1.285 ms
84 bytes from 192.168.1.3 icmp_seq=3 ttl=64 time=2.572 ms
84 bytes from 192.168.1.3 icmp_seq=4 ttl=64 time=2.253 ms
84 bytes from 192.168.1.3 icmp_seq=5 ttl=64 time=1.654 ms

PC1> ping 192.168.2.2
84 bytes from 192.168.2.2 icmp_seq=1 ttl=63 time=18.753 ms
84 bytes from 192.168.2.2 icmp_seq=2 ttl=63 time=5.606 ms
84 bytes from 192.168.2.2 icmp_seq=3 ttl=63 time=6.312 ms
84 bytes from 192.168.2.2 icmp_seq=4 ttl=63 time=5.498 ms
84 bytes from 192.168.2.2 icmp_seq=5 ttl=63 time=3.911 ms

PC1> ping 192.168.3.2
84 bytes from 192.168.3.2 icmp_seq=1 ttl=63 time=17.571 ms
84 bytes from 192.168.3.2 icmp_seq=2 ttl=63 time=5.690 ms
84 bytes from 192.168.3.2 icmp_seq=3 ttl=63 time=7.361 ms
84 bytes from 192.168.3.2 icmp_seq=4 ttl=63 time=4.170 ms
84 bytes from 192.168.3.2 icmp_seq=5 ttl=63 time=4.948 ms

PC1> ping 192.168.4.2
84 bytes from 192.168.4.2 icmp_seq=1 ttl=63 time=18.701 ms
84 bytes from 192.168.4.2 icmp_seq=2 ttl=63 time=5.275 ms
84 bytes from 192.168.4.2 icmp_seq=3 ttl=63 time=3.818 ms
84 bytes from 192.168.4.2 icmp_seq=4 ttl=63 time=5.806 ms
84 bytes from 192.168.4.2 icmp_seq=5 ttl=63 time=6.827 ms


Switch-1(config)#interface range ethernet 0/0-3
Switch-1(config-if-range)#spanning-tree portfast
Switch-1(config-if-range)#end
%Warning: portfast should only be enabled on ports connected to a single
 host. Connecting hubs, concentrators, switches, bridges, etc... to this
 interface  when portfast is enabled, can cause temporary bridging loops.
 Use with CAUTION

%Portfast will be configured in 4 interfaces due to the range command
 but will only have effect when the interfaces are in a non-trunking mode.

Switch-2(config)#interface range ethernet 0/0-3
Switch-2(config-if-range)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
 host. Connecting hubs, concentrators, switches, bridges, etc... to this
 interface  when portfast is enabled, can cause temporary bridging loops.
 Use with CAUTION

%Portfast will be configured in 4 interfaces due to the range command
 but will only have effect when the interfaces are in a non-trunking mode.
Switch-2(config-if-range)#exit

Switch-3(config)#interface range ethernet 0/0-3
Switch-3(config-if-range)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
 host. Connecting hubs, concentrators, switches, bridges, etc... to this
 interface  when portfast is enabled, can cause temporary bridging loops.
 Use with CAUTION

%Portfast will be configured in 4 interfaces due to the range command
 but will only have effect when the interfaces are in a non-trunking mode.
Switch-3(config-if-range)#exit

Switch-4(config)#interface range ethernet 0/0-3
Switch-4(config-if-range)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
 host. Connecting hubs, concentrators, switches, bridges, etc... to this
 interface  when portfast is enabled, can cause temporary bridging loops.
 Use with CAUTION

%Portfast will be configured in 4 interfaces due to the range command
 but will only have effect when the interfaces are in a non-trunking mode.
Switch-4(config-if-range)#exit


MSL-SW-(config)#spanning-tree vlan 11,12,13,14 root primary
MSL-SW-(config)#end

MSL-SW-#show spanning-tree

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     aabb.cc00.0600
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec


MSL-SW-(config)#interface range ethernet 1/0-3
MSL-SW-(config-if-range)#spanning-tree guard root
MSL-SW-(config-if-range)#end

*Oct  2 17:26:10.692: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port Ethernet1/0.
*Oct  2 17:26:10.693: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port Ethernet1/1.
*Oct  2 17:26:10.693: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port Ethernet1/2.
*Oct  2 17:26:10.693: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port Ethernet1/3.

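Added example, not from the lab: detection logic in Python over IOS syslog lines for the PortFast, BPDU Guard and root guard features configured above. The first four sample lines are the root-guard messages logged by MSL-SW; the remaining lines are constructed following the IOS message formats for a root-guard block and unblock and for a BPDU Guard err-disable, so the script has something to alert on. `ROOTGUARD_BLOCK` and `BLOCK_BPDUGUARD` are the events worth paging on: the first means a superior BPDU reached a guarded trunk, the second that a BPDU arrived on a PortFast access port, which is exactly the condition the PortFast warning above describes.

```python
import re

# Constructed sample log: the four root-guard lines from the lab above, followed by lines
# modelled on the IOS formats for root guard block/unblock and a BPDU Guard err-disable.
SAMPLE_SYSLOG = """\
*Oct  2 17:26:10.692: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port Ethernet1/0.
*Oct  2 17:26:10.693: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port Ethernet1/1.
*Oct  2 17:26:10.693: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port Ethernet1/2.
*Oct  2 17:26:10.693: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port Ethernet1/3.
*Oct  2 17:30:01.101: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port Ethernet1/2 on VLAN0011.
*Oct  2 17:31:15.204: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Et0/1 with BPDU Guard enabled. Disabling port.
*Oct  2 17:31:15.205: %PM-4-ERR_DISABLE: bpduguard error detected on Et0/1, putting Et0/1 in err-disable state
*Oct  2 17:40:00.000: %SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port Ethernet1/2 on VLAN0011.
"""

# "*<timestamp>: %FACILITY-SEVERITY-MNEMONIC: message"
SYSLOG_LINE = re.compile(
    r"^\*?(?P<ts>\w{3}\s+\d+\s+[\d:.]+): %(?P<facility>[A-Z_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+): (?P<msg>.*)$")
# Interface names in either long or abbreviated form (Ethernet1/0, Et0/1, Gi1/0/1, ...).
PORT = re.compile(r"\b((?:Ethernet|GigabitEthernet|FastEthernet|Et|Gi|Fa)\d+(?:/\d+)+)")

# What each mnemonic means for the spanning-tree topology and whether it deserves an alert.
MEANING = {
    "ROOTGUARD_CONFIG_CHANGE": ("info", "root guard configuration changed"),
    "ROOTGUARD_BLOCK": ("alert", "superior BPDU on a root-guard port; port is root-inconsistent"),
    "ROOTGUARD_UNBLOCK": ("info", "root-guard port recovered after superior BPDUs stopped"),
    "BLOCK_BPDUGUARD": ("alert", "BPDU received on a PortFast/BPDU Guard port; a switch or bridge may be attached"),
    "ERR_DISABLE": ("alert", "port placed in err-disable state"),
}


def parse_syslog(text):
    """Turn syslog lines into event dicts with the affected port and a severity label."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_LINE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        port = PORT.search(event["msg"])
        event["port"] = port.group(1) if port else None
        event["level"], event["meaning"] = MEANING.get(event["mnemonic"], ("unknown", event["msg"]))
        events.append(event)
    return events


def stp_alerts(events):
    """Only the events a defender should act on."""
    return [e for e in events if e["level"] == "alert"]


def root_guard_blocked_ports(events):
    """Ports still root-inconsistent at the end of the log (block without a later unblock)."""
    blocked = set()
    for e in events:
        if e["mnemonic"] == "ROOTGUARD_BLOCK":
            blocked.add(e["port"])
        elif e["mnemonic"] == "ROOTGUARD_UNBLOCK":
            blocked.discard(e["port"])
    return blocked


if __name__ == "__main__":
    events = parse_syslog(SAMPLE_SYSLOG)
    for e in stp_alerts(events):
        print(f"{e['ts']} {e['port']}: {e['mnemonic']}: {e['meaning']}")
    print("still blocked by root guard:", root_guard_blocked_ports(events))
```

An err-disabled access port stays down until it is bounced or `errdisable recovery` is configured, so a BPDU Guard alert should be followed up by finding out what was plugged into that port, not by simply re-enabling it.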

#Prepared_By: #Sardar_Imran_Hossain 

Wednesday, October 2, 2024

Multi-Site VxLAN Lab with BGP EVPN deployment across two data centers

Fig: Multi-Site VxLAN Lab with BGP EVPN

#Prepared_By: #Sardar_Imran_Hossain

This diagram represents a Multi-Site VxLAN Lab with BGP EVPN deployment across two data centers. The architecture demonstrates an advanced design that merges two key networking technologies: VXLAN (Virtual Extensible LAN) for layer 2 connectivity over layer 3 networks, and BGP EVPN (Border Gateway Protocol with Ethernet VPN) as the control plane to provide efficient layer 2 and layer 3 segmentation across the fabric. The setup is built to showcase high availability, load balancing, and connectivity between two geographically separated data centers, with distinct Multi-AS (Autonomous System) and Single-AS models.


Data Center 1: Multi-AS Model with eBGP Underlay
In Data Center 1, the design employs a Multi-AS model with BGP as the underlay, utilizing eBGP for communication between different layers. It includes two spine switches (NX9K-Spine-1 and NX9K-Spine-2), two leaf switches (NX9K-Leaf-1 and NX9K-Leaf-2), and a border leaf (NX9K-Border-Leaf-1). This structure forms the VXLAN EVPN fabric within the data center.
The spine-leaf architecture ensures high availability and horizontal scalability. Spines NX9K-Spine-1 and NX9K-Spine-2 are responsible for forwarding traffic between leaf switches in a non-blocking manner, forming a robust data plane. The leaves (NX9K-Leaf-1 and NX9K-Leaf-2) connect endpoints, like servers and firewalls, and also extend layer 2 and layer 3 connectivity across the fabric.

VxLAN EVPN is used to encapsulate layer 2 frames within layer 3 packets, enabling efficient data center interconnect (DCI) between the two data centers.
F5 Load Balancers (F5-LTM-1 and F5-LTM-2) are deployed to handle traffic management and load balancing of applications, and they ensure application availability through a VIP (Virtual IP) setup.
The border leaf switch (NX9K-Border-Leaf-1) connects to external networks, including ISP links, and acts as the data center’s gateway for external communication. The BGP AS number 64333 is used for routing information exchange with external routers.

The firewalls (PA-FW1 and PA-FW2) provide security at the perimeter of Data Center 1, ensuring that traffic between internal and external networks is filtered based on security policies.
Data Center 2: Single-AS Model with OSPF Underlay

In contrast to Data Center 1, Data Center 2 uses a Single-AS model with OSPF (Open Shortest Path First) as the underlay routing protocol. Here, the same fundamental architecture is used with two spine switches (NX9K-Spine-3 and NX9K-Spine-4), two leaf switches (NX9K-Leaf-3 and NX9K-Leaf-4), and a border leaf (NX9K-Border-Leaf-2). However, the key difference lies in the use of a single BGP AS number (65000) across the entire data center, making intra-data center communication simpler and reducing complexity for internal routing.

Similar to Data Center 1, F5 load balancers (F5-LTM-3 and F5-LTM-4) manage application traffic, and the perimeter firewalls (PA-FW3 and PA-FW4) secure traffic entering and leaving the data center.

Tuesday, October 1, 2024

SD-WAN lab: network sites interconnected via multiple transports (MPLS and public internet links)



This lab is structured to show the interplay of different network sites interconnected via multiple transports such as MPLS and public internet links. The core of this design revolves around SD-WAN controllers and edge devices that help manage and optimize traffic between sites, enhancing performance, security, and manageability.


In this scenario, the controllers (vManage, vBond, and vSmart) are deployed in the management network (`10.155.237.0/24`) at the central site (SITE 1). These controllers are responsible for orchestrating, managing, and enforcing policies across the WAN infrastructure. vManage is the network management tool, vBond facilitates secure connections between all SD-WAN devices, and vSmart is the control plane element that enforces routing policies. These controllers are connected to multiple vEdge routers (at different sites) through a variety of transport networks.

We have four remote sites connected via SD-WAN:
1. SITE 10 (`192.168.10.0/24`) uses BGP for routing and is connected to the management, MPLS, and public internet networks.
2. SITE 20 (`192.168.20.0/24`), also leveraging BGP, follows a similar design.
3. SITE 30 (`192.168.30.0/24`) employs OSPF, indicating a different routing protocol than the others, but still participates in the overall SD-WAN fabric.
4. SITE 40 (`192.168.40.0/24`), which also uses BGP, is connected using multiple **vEdge** devices and the core router for high availability.

The vEdge routers at each site provide the data plane and connect to the WAN through multiple interfaces (MPLS and internet). These routers handle the forwarding of traffic, often using BGP as a dynamic routing protocol, and are responsible for ensuring seamless connectivity between sites. For instance, in **SITE 10**, VI-vEdge-01 and VI-Core-01 are connected to MPLS and public internet links, which ensure redundancy and load sharing across the different WAN transports.

A key aspect of this lab is traffic optimization and redundancy. The Border_Router sits centrally and connects to both MPLS and internet links, acting as the aggregation point for WAN traffic from the different edge routers and sites. This router ensures that traffic can traverse between different sites through the best possible path, whether it is MPLS for critical data or public internet for less sensitive traffic.

The presence of multiple loopback addresses for each core router (VI-Core-01, MI-Core-01, etc.) across the sites signifies that this topology also supports overlay tunnels for end-to-end encryption and secure data transmission across the WAN using Cisco’s SD-WAN fabric.
This lab validates SD-WAN capabilities, including dynamic path selection between MPLS and internet based on real-time conditions, secure traffic encryption over public networks, and seamless routing via BGP and OSPF.


Fig: LLD for sites interconnected via multiple transports (MPLS and public internet links)

#Prepared_By: #Sardar_Imran_Hossain 
