Need some advice on learning networking

Re: Need some advice on learning networking

In the next few days I will be setting up a lab in Packet Tracer where I will configure an IPSEC VPN tunnel that should allow me to establish connectivity from one remote site to another via the internet.


Hopefully, I can get this down because I believe there's a need for this with small and medium sized businesses that can't afford an IT staff.

Re: Need some advice on learning networking

I went ahead and did the lab. Everything worked fine. I don't have the command lines memorized nor do I care to. If I need to set this up in the field, the information is easy enough to find. You can also use the '?' (question mark) to help find the correct syntax.


One quick point of emphasis: It really helps to understand the theory of VPN's and the general steps needed to ensure a secure connection.


I used the same Cisco Router (Series 1941) for both of my edge routers. You can use different models. Or you can use a router on 1 network and a firewall on the other network. However, make sure they are capable of running the same version of IKE and the syntax will be slightly different for a router and firewall.


Difficultly level? This is far from the hardest thing that I've had to do. I'd give it a difficultly level of about a 7. Maybe a 6.5.

Re: Need some advice on learning networking

On the subject of site-to-site VPN's, when I originally set out to learn how to do it, I was talking about doing it via Windows Server, not a Cisco Router. I got sidetracked with my research which led me to learn it by way of a Cisco Router.



However, my understanding is that you can do it with Windows Server and it works, in theory, about the same way. It uses IKE v.2 (Internet Key Exchange). I believe you must have a Windows Server at each location and the settings must be the same in terms of Encryption, IKE, ect.


I could be wrong.

Re: Need some advice on learning networking

You can set up a remote access connection using Windows Server, but the performance is usually better when using hardware closer to your network border.

Sent from my BlackBerry using Tapatalk

Re: Need some advice on learning networking

Remember when I said I don't see how anyone can remember the command line syntax for setting up a VPN? Well, here's what it looks like:



Router(config)#crypto isakmp policy 10
Router(config-isakmp)# encryption aes 256
Router(config-isakmp)# authentication pre-share
Router(config-isakmp)# group 5
Router(config-isakmp)#crypto isakmp key secretkey address 209.165.200.1
Router(config)#crypto ipsec transform-set R1-R3 esp-aes 256 esp-sha-hmac
Router(config)#crypto map IPSEC-MAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
Router(config-crypto-map)# set peer 209.165.200.1
Router(config-crypto-map)# set pfs group5
Router(config-crypto-map)# set security-association lifetime seconds 86400
Router(config-crypto-map)# set transform-set R1-R3
Router(config-crypto-map)# match address 100
Router(config-crypto-map)#interface GigabitEthernet0/0
Router(config-if)# crypto map IPSEC-MAP
*Jan 3 07:16:26.785: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Re: Need some advice on learning networking

Even though I set up an IPSEC VPN and it worked, it's been bugging me because there were some gaps in understanding each stage of the process. I've learned from past experience that I need to fill in those gaps or eventually it will come back to bite me in the ass.


With that said, I set up another Packet Tracer Lab and created a IPSEC VPN tunnel but this time I analyzed all the packets as they moved thru Site 1 (home office), over the internet router and to the final destination site (remote office).


In my previous posts, I explained how to set up an IPSEC VPN but there's a lot of steps that I left out because I wanted to keep it as simple as possible without getting down in the weeds. One of the steps I left out is that we must set a "default route" on each edge router. Keep in mind that the edge routers are set up for local routing on the network, so if you try to go out over the internet (public IP address) the router will simply drop the packet because it doesn't have that route in it's routing table. Obviously we can't enter the IP address for every website but what we can do is tell the edge router that if it receives an IP address that's not in it's routing table to send it to the Internet Provider Router. You do that by entering this default route: "ip route 0.0.0.0 0.0.0.0 192.168.1.254"


There's also the matter of making sure that the Cisco Routers have the Security License enabled. If not, it won't work. I won't bore you with the details.


This post is getting long so I'm wrap it with this.


Leased lines aren't used that much anymore because they're expensive. With internet speeds so great today, most companies use a VPN. This is one of those things that will come in handy, IMO.

Last but not least...it's fascinating how the Internet Router doesn't hage a clue that the packets are intended for a local network. Hence the name "tunnel"...it tunnels right past the ISP router.

PS - It's also very cool the the sending router encrypts the data and sends a security key over to the receiving router. Without that key, the data is a bunch of unreadable mumbo-jumbo.

Re: Need some advice on learning networking

You know how when we're learning networking and we read about these network concepts and sometimes we muddle through them but we don't fully understand the way we need to? But later when we're trying to do something (VPN), all of a sudden that concept becomes relevant and we decide that we need to dig a little deeper.

That brings me to this concept: Default Gateway vs. Default Route

Anyone know the difference between the 2 and when they are needed?


Here's a hint.

Ask yourself if the device (PC, router, ect.) is routing for itself or itself & others.

Yes, a PC does route and it has a routing table. It may be a limited routing table but it does have one.

Think of it like this. If a device is routing only for itself then it has a default gateway. If it's routing for itself & others, it uses routes.



Anyone have anything to add?


More on this in the next post.

Re: Need some advice on learning networking

Finishing up my thoughts on Default Gateway vs. Default Route




The endgame when setting up a network is that when we enter a website url/ip address in our web browser that it reaches it's destination.


A PC has a limited routing table and as a result, it can't route past the street that it lives on. If it lives on street 192.168.1.0 then it can't route to street 192.168.2.0. In order to talk to another network, Mr. PC must use it's default gateway. If the router is configured correctly with a routing protocol like OSPF then it will reach it's destination.

But what happens when an address comes in on the default gateway of a router and that address isn't in its routing table? It works very similar to a default gateway. A default gateway is really the gateway of last resort if you think about it. The PC forwards the packet to it's default gateway and just hope the router knows what to do with it.

A default route works much the same. If the router receives an IP address and doesn't have it in it's routing table, we can set a default route that basically says: "If you don't have this route in your routing table, send it to the ISP router and see if it knows that address.


That's it for now.

Re: Need some advice on learning networking

PS - Default routes are used for more than sending packets to the ISP router but that's beyond the scope of what I'm trying to explain.

Re: Need some advice on learning networking

Here's a fun question. Try to answer without using google.


Does a layer 2 switch have/need a default gateway? Why or why not?

Re: Need some advice on learning networking

Nothing useful to say.

I just wanted to be the 1,000th post!

Re: Need some advice on learning networking


You sneaky devil.

Re: Need some advice on learning networking

You mean reply. You were the 1001st post.

Re: Need some advice on learning networking




I forgot about this queston:



The answer is, yes, a layer 2 switch needs a default gateway. It also needs an IP address...usually configured on VLAN 1.

Re: Need some advice on learning networking

Are y'all ready for me to bore you some more? Here we go....


Learning to set up an IPSEC VPN really caused me to go down many different paths. I've covered most of them but here's another one: Access Control List


An Access Control List can be used for many different purposes. One of the main ways it's used is as a filter. We can apply an Access List on an interface of a router and block or deny certain types of traffic: Example TCP, UDP, ICMP. ect. In addition, we can also filter by port number or just about anything.

When I was setting up the IPSEC VPN, I used an Access List to filter the IP address of both edge routers. In other words, the IPSEC initiation could only be started by the 2 routers on the Access List - any device that wasn't on the Access List will be denied.


I'm just starting to dig in to this but a WILDCARD MASK is used in conjunction with an Access List in many cases.


Once I learn more about an Access List, I'll be back to bore you some more.