Campus VPN Design Project

Added on 2019/09/16

AI Summary
This project details the design and implementation of a Virtual Private Network (VPN) within a campus environment, specifically at Sheffield Hallam University. The project focuses on connecting various departments using a secure network system, employing Dynamic Multipoint VPN (DMVPN), Generic Route Encapsulation (GRE), and IPsec for secure data transmission. The methodology includes a study of remote VPNs, utilizing leased line internet and existing wireless networks. The design uses Cisco Packet Tracer for simulation due to cost limitations of physical devices. The project outlines hardware and software requirements, including Cisco routers and servers. It covers the configuration of default and dynamic routing protocols, specifically EIGRP, and the implementation of GRE tunnels for private network connectivity. The project also includes a detailed configuration of IPsec VPN between the Computer Science and Business School departments, demonstrating secure data transfer. The analysis and results section provides a step-by-step configuration procedure, IP address assignments, and verification of the implemented VPN, including testing of GRE tunnels, EIGRP, and IPsec VPN. The project concludes with successful testing results, recommending the design for university network security.
CHAPTER 3
3.0 RESEARCH METHODOLOGY
The purpose of this project is to design a virtual private network within the campus environment
by connecting the various departments together using a highly secure network system. This led me
to a wide collection of research on how to design a secure remote network system that connects
all the departments together using Dynamic Multipoint Virtual Private Network (DMVPN).
To implement DMVPN, the methodology was drawn from the study of remote virtual private
networks using a leased private line over the existing wireless network, from Cisco Certified
Network Associate by Todd Lammle, and from Cisco Certified Network Professional by Chris
Brown (CCIE).
Dynamic Multipoint VPN (DMVPN) is a Cisco VPN solution for building a Virtual Private Network
with branch sites at different locations using a scalable architecture. The DMVPN architecture
simplifies implementation and management for deployments that require access controls for
diverse user communities, including mobile employees, departments and remote sites.
Cisco DMVPN lets different branch locations communicate directly with each other over the WAN,
for example when running voice over IP between two branch offices, without requiring a
permanent VPN connection between the sites. It also provides zero-touch deployment of IPsec
VPNs, which improves network performance, shortens deployment time and reduces the cost of
integrating voice and video with IPsec VPN security. It enables direct communication between
branches for a variety of business applications, and it combines the benefits of routing with
standard IPsec security technology.
VPN using Internet Leased Line for Wired and Wireless Private Networks:
A VPN is a secure connection between sites that can be established over an Internet leased line
or over any existing wireless or wired connection.
The VPN deployment only needs IP connectivity between the sites.
There are different methods for building remote VPNs between sites, such as DMVPN and SSL VPN.
As explained above, DMVPN connects sites using a hub-and-spoke topology.
SSL VPN is used mainly for remote users and needs no dedicated hardware: the user only installs
VPN client software, which connects to the VPN hub, which in turn connects the PC to the
private network of the company or organisation.
3.1 SOFTWARE REQUIREMENT FOR THE VPN DESIGN
This design reflects a real-life scenario and would require a configurable Cisco 2900 series
router; because that is too expensive, I will use a Packet Tracer simulation for the lab design
and for testing the network security.
Setting up the VPN needs Cisco IOS routers of the 1900 or 2900 series running IOS version 15.x
or later. Because physical devices are limited, Cisco Packet Tracer has been chosen to simulate
the VPN setup for this implementation.
Cisco Packet Tracer simulates network devices, which can be used to build network topologies
and to practise network scenarios before implementation. Packet Tracer provides different types
of Cisco devices (routers, switches, firewalls, etc.) and many connection options, which let the
user create a vast number of designs.
In our case we will implement a VPN over different media types, including wireless and wired
topologies, connect the private networks through the VPN and secure it with IPsec.
3.2 HARDWARE REQUIREMENT FOR THE VPN DESIGN
The following network devices are required:
5 Cisco 1841 or 2900 series routers
Internet service provider private modem with leased line
4 Cisco wireless routers
5 server systems
Cat 6 network cable
Serial cable
Wireless computers
For DMVPN the hardware requirement varies from scenario to scenario, as it depends on factors
such as the routing protocols, the number of sites, the number of users and the amount of
traffic.
For a basic DMVPN setup we need a Cisco IOS router (2911 or 1841) as the edge router for each
site or department. These routers suit small offices and branches with a medium traffic load and
a limited number of VPN connections. They connect us to the ISP, which provides the Internet
leased-line connectivity that we will call the WAN or public network. Each department or site
may have wired or wireless connectivity to its local devices, which are allocated private IP
addresses.
For the Internet leased line we use a serial connection provided by our ISP; for the LAN we use
Cisco wireless routers to provide Wi-Fi connectivity to the wireless PCs and devices. Wired
connectivity is provided by CAT6 Ethernet cables, which provide 100 Mbps on the LAN.
We also use different servers for various purposes in the different departments; these give
users on the network access to services.
3.5 NEW SYSTEM DESIGN
The prescribed solution is to design a Virtual Private Network in a campus environment over the
existing wireless network of Sheffield Hallam University, connecting the following departments
together:
Administration department
Computer science
Business school
Engineering and Medical department
Connecting the above departments remotely with a virtual private network design involves the
following procedures:
Default routing protocol:
This is used to reach the ISP network, which can also be called the Internet. As we are not
running any routing protocol with the ISP, traffic bound for the ISP must be routed with a
default route, so all traffic going towards the public network is forwarded to the ISP's
router, which then forwards it on to the destination.
A default route is generally used when we do not want to give a specific route for a
destination, or when no routing protocol is running for many routes or destinations.
It lets us forward all non-specific traffic towards a given next hop.
The syntax of the default route is:
ip route 0.0.0.0 0.0.0.0 <forwarding router’s address>
This forwards all unmatched network traffic towards a specific router (the Admin department
router).
Dynamic routing protocol:
Dynamic routing is a way of learning routes in a network of many routers and devices by
running a dynamic routing protocol. It lets routers learn routes without manual entry into the
routing table, and it populates the routing table with the best of the routes available to the
router. Many dynamic routing protocols exist: Routing Information Protocol (RIP), Enhanced
Interior Gateway Routing Protocol (EIGRP) and Open Shortest Path First (OSPF).
Each routing protocol works differently and uses a different algorithm for best-path selection.
Some choose the best route using hop count as the metric; others calculate a cost from the type
of link to select the best possible route to the destination.
The packets exchanged by dynamic routing protocols are called routing updates. These updates
carry the routes, or networks, connected to a router and are passed on to the other routers
running the same protocol. In this way all the routers learn routes from each other and
populate their routing tables. The benefit is that it can be configured easily on a large
network to exchange routes; the downside is that it consumes more bandwidth than static
routing.
This involves each router advertising the network addresses in its routing table to the
neighbouring routers it is connected to, so that information is shared across the network. In
this design, Enhanced Interior Gateway Routing Protocol (EIGRP) will be configured.
Generic Route Encapsulation (GRE)
GRE is a routing-based VPN that lets users or sites connect their private networks across the
public network using simple encapsulation. Routers use GRE to encapsulate their private IP
packets.
GRE is an IPv4 tunnelling protocol that provides a simple, generic encapsulation approach for
transporting IPv4 packets of one protocol over another protocol. GRE takes the original packet,
called the payload, as the inner packet and places it inside an outer IP packet addressed with
public IPs, which is then delivered to the destination network. With GRE, tunnel endpoints can
send their payloads through encapsulated tunnels by routing the encapsulated packets across the
intervening IP networks. Other IP routers along the way, such as the ISP routers, cannot
interpret the payload (the encapsulated data packet); they only look at the outer IPv4 packet
while forwarding it towards its destination, the GRE tunnel endpoint. When the packet reaches
the tunnel destination, the receiving router removes the GRE encapsulation and forwards the
payload (the original IPv4 data) to its final destination, the private network of the remote
location connected over the public network.
This involves encapsulating the data shared between the network source and destination, to
keep it from unauthorised access.
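As an added illustration (not part of the original project), the following Python builds a GRE-over-IPv4 packet with the WAN addresses used in this design (outer 200.10.0.5 to 200.20.0.10) and two constructed hosts on the Computer Science and Business School LANs, shows what an ISP router in the middle parses, and decapsulates it at the far end. It also shows that the inner data still rides in the clear, which is why the design secures the tunnel with IPsec.

```python
import ipaddress
import struct

IPPROTO_GRE = 47          # protocol number carried in the outer IPv4 header (RFC 2784)
GRE_PROTO_IPV4 = 0x0800   # GRE protocol type for an IPv4 payload


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header with no options; checksum left at 0 for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def parse_ipv4(packet: bytes) -> dict:
    """The fields a forwarding router looks at, plus everything after the header."""
    ihl = (packet[0] & 0x0F) * 4
    return {"src": str(ipaddress.IPv4Address(packet[12:16])),
            "dst": str(ipaddress.IPv4Address(packet[16:20])),
            "proto": packet[9], "payload": packet[ihl:]}


def gre_encapsulate(inner_packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """What the sending tunnel endpoint does: prepend a 4-byte GRE header (no flags,
    protocol type IPv4) and an outer IPv4 header addressed between the WAN interfaces."""
    gre = struct.pack("!HH", 0, GRE_PROTO_IPV4) + inner_packet
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE, len(gre)) + gre


def gre_decapsulate(outer_packet: bytes) -> bytes:
    """What the receiving tunnel endpoint does: strip the outer IPv4 and GRE headers
    and hand back the inner packet for normal routing on the private network."""
    outer = parse_ipv4(outer_packet)
    if outer["proto"] != IPPROTO_GRE:
        raise ValueError("outer packet is not GRE")
    flags_ver, proto_type = struct.unpack("!HH", outer["payload"][:4])
    if flags_ver & 0x0007 or proto_type != GRE_PROTO_IPV4:
        raise ValueError("unsupported GRE version or payload type")
    header_len = 8 if flags_ver & 0x8000 else 4   # checksum-present bit adds 4 bytes
    return outer["payload"][header_len:]


def demo() -> dict:
    """Constructed sample: a Computer Science host sends plaintext to a Business School
    host; COMPSC tunnels it to BUSSCHOOL over the WAN addresses used in this design."""
    app_data = b"student-record: id=1234 grade=A"      # constructed plaintext payload
    inner = ipv4_header("192.168.1.34", "192.168.1.66", 17, len(app_data)) + app_data
    wire = gre_encapsulate(inner, "200.10.0.5", "200.20.0.10")
    isp_view = parse_ipv4(wire)                        # an ISP router only parses this
    recovered = gre_decapsulate(wire)                  # BUSSCHOOL strips the tunnel
    return {
        "isp_sees": (isp_view["src"], isp_view["dst"], isp_view["proto"]),
        "payload_in_clear": app_data in wire,          # GRE encapsulates, it does not encrypt
        "inner_intact": recovered == inner,
        "inner_dst": parse_ipv4(recovered)["dst"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```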
Virtual Private Network (VPN):
VPN stands for Virtual Private Network. A VPN is built on top of an existing network. It works
by carrying the traffic generated by a private network across the public domain to another
private network, which significantly reduces the cost of connectivity over long distances. As
data transferred over the public domain is in plain text and can be seen and read by other
devices, the confidentiality of the data must be protected. For this we use various encryption
techniques. Two main types of encryption are generally used: symmetric and asymmetric.
With symmetric cryptography the key used for encryption is also used to decrypt the messages.
With asymmetric cryptography, on the other hand, two different keys are used for encryption and
decryption. The usual arrangement is that asymmetric encryption is used to authenticate the
sites to each other, while symmetric encryption is applied to ensure the confidentiality of the
IP data. Popular symmetric encryption algorithms are 3DES, DES and AES-256; widely used
asymmetric algorithms are RSA and DSA.
IPsec is a suite of Internet protocols that ensures data is transferred securely at the network
layer using standard cryptographic techniques. IP (Internet Protocol) as originally designed has
no security mechanism. With growing demands for data and Internet security, new protocols were
needed to ensure the security and confidentiality of data at the network layer, such as ESP
(Encapsulating Security Payload) and AH (Authentication Header). IPsec is the suite that
comprises these protocols in order to provide fully secure transmission of data.
It secures data within the network using a timed authentication key, allowing only users who
hold the access key to read the data while those without the key are denied access altogether.
It also gives users different access levels within the network.
CHAPTER 4
4.0 ANALYSIS AND RESULTS
4.1 DISCUSSION
The VPN secure network procedure is implemented in the lab design below using Packet Tracer and
1841 series routers. Because the application's routers limit multiple tunnels, only a single
Generic Routing Encapsulation tunnel from the Computer Science department to the Business School
department is demonstrated, and the VPN is applied to both of them. Multiple GRE tunnels and
multiple VPNs on the router will also work in the various departments.
We will implement GRE to connect the private networks of the different departments, namely
Administration, Business School, Medical, Computer Science and Engineering.
For this setup we have used Cisco 1841 routers at each site, connected by the WAN IPs listed in
the table below; the diagram illustrates the connectivity and location of the different
departments.
The need is to connect these departments by configuring a GRE VPN and to test the connectivity
by having the departments communicate with each other.
The LAN at each site comprises PCs, servers and laptops on wired as well as wireless networks;
we treat all of them as the private network of that site.
The complete configuration explained below demonstrates the configuration and process of the
implementation described above.
Fig A. Setting up a VPN between the University Departments of Sheffield Hallam University in a
Campus Environment.
4.2 IP ADDRESS USED IN THIS CONFIGURATION
TABLE 1
DESCRIPTION | Computer science IP address | Admin IP address | Business school IP address | Engr dept IP address | Med dept IP address
LAN IP | 192.168.1.33/27 | | 192.168.1.65 | 192.168.1.97 | 192.168.1.129
WAN IP | 200.10.0.5/30 | 200.10.0.6/30, 200.20.0.9/30, 200.40.0.17/30, 200.30.0.13/30 | 200.20.0.10/30 | 200.30.0.14/30 | 200.40.0.18
Tunnel IP | 172.16.1.0/16 | | 172.16.2.0/16 | |
4.3 CONFIGURATION PROCEDURE AND COMMANDS
First we set up each site with IP addresses and the basic configuration required.
The site-by-site implementation is shown step by step below.
4.3.1 COMPUTER SCIENCE DEPARTMENT ROUTER CONFIGURATION
For the local area network and basic router configuration we give the router the hostname
“COMPSC”.
We need to set the enable password for the device and change the banner shown when someone
accesses the router.
We also need to enable telnet on the device for remote access.
We also need to give the LAN interface its IP address, on network 192.168.1.0/24.
We also need to set console passwords so that no unauthorised access to the router is
permitted.
All the above configurations are shown below.
Local Area Network Configuration command
enable
config t
hostname COMPSC
enable secret ccna@admin
banner motd #danger#
line console 0
login
password ccnp@admin
line vty 0 4
login
password ccie@admin
int F0/0
no shut
ip addr 192.168.1.33 255.255.255.224
do wr
For the WAN interface we use a serial interface and serial cable to connect to the WAN, assign
the IP address and set the encapsulation to HDLC.
We also need to set the clock rate for the interface to come up.
Wide Area configuration command
config t
int s0/1/0
no shut
ip addr 200.10.0.5 255.255.255.252
encap hdlc
clock rate 64000
bandwidth 64
do wr
For the GRE configuration on this router we create a logical interface, the tunnel interface,
and assign it an IP address from network 172.16.1.0/16.
The tunnel interface configuration requires a source interface from which the tunnel is sourced
(the router uses the IP address of that interface as the tunnel's source IP) and a tunnel
destination, the IP address of the remote endpoint to which the tunnel is built.
Generic route encapsulation configuration command for computer science router
config t
int tun 0
ip addr 172.16.1.0 255.255.0.0
tunnel source S0/1/0
tunnel destination 200.20.0.10
do wr
For access to the WAN we need to define a default route towards the Internet/WAN; we use a
static default route for this. The default route and how it works were explained above.
Default Routing Configuration for Computer Science department router to Admin router
config t
ip route 0.0.0.0 0.0.0.0 200.10.0.6
do wr
4.3.2 ADMINISTRATION OFFICE ROUTER CONFIGURATION COMMAND
For the local area network and basic router configuration we give the router the hostname
“ADMIN”.
We need to set the enable password for the device and change the banner shown when someone
accesses the router; the banner is a message displayed when the router is accessed.
We also need to enable telnet on the device for remote access.
We also need to give the LAN interface its IP address, on network 192.168.1.161/27.
All the above configurations are shown below.
enable
config t
hostname ADMIN
enable secret ccna@admin
banner motd #danger#
line console 0
login
password ccnp@admin
line vty 0 4
login
password ccie@admin
int f0/1
no shut
ip address 192.168.1.161 255.255.255.224
do wr
For the WAN interfaces we use serial interfaces and serial cables to connect to the WAN, assign
the IP addresses and set the encapsulation to HDLC.
The ADMIN router has four WAN links, which connect onward to the other sites, namely
Engineering, Computer Science, Medical and Business School.
We also need to set the clock rate for each interface to come up.
Wide Area Network Configuration Command for Administration office Router
config t
int s0/0/1
no shut
ip addr 200.40.0.17 255.255.255.252
encap hdlc
clock rate 64000
bandwidth 64
do wr
int s0/1/0
no shut
ip addr 200.10.0.6 255.255.255.252
encap hdlc
do wr
int s0/0/0
no shut
ip addr 200.30.0.13 255.255.255.252
encap hdlc
clock rate 64000
bandwidth 64
do wr
int s0/1/1
no shut
ip addr 200.20.0.9 255.255.255.252
clock rate 64000
bandwidth 64
do wr
4.3.3 BUSINESS SCHOOL DEPT ROUTER CONFIGURATION COMMAND
For the local area network and basic router configuration we give the router the hostname
“BUSSCHOOL”.
We need to set the enable password for the device and change the banner shown when someone
accesses the router.
We also need to enable telnet on the device for remote access.
We also need to give the LAN interface its IP address, on network 192.168.1.65/27.
We also need to set console passwords so that no unauthorised access to the router is
permitted.
All the above configurations are shown below.
Local Area Network Configuration Command
enable
config t
hostname BUSSCHOOL
enable secret ccna@admin
banner motd #danger#
line console 0
login
password ccnp@admin
line vty 0 4
login
password ccie@admin
int F0/0
no shut
ip addr 192.168.1.65 255.255.255.224
do wr
For the WAN interface we use a serial interface and serial cable to connect to the WAN, assign
the IP address and set the encapsulation to HDLC.
We also need to set the clock rate for the interface to come up.
Wide Area Network Configuration Command
config t
int s0/1/1
no shut
ip addr 200.20.0.10 255.255.255.252
encap hdlc
do wr
For the GRE configuration on this router we create a logical interface, the tunnel interface,
and assign it an IP address from network 172.16.2.0/16.
The tunnel interface configuration requires a source interface from which the tunnel is sourced
(the router uses the IP address of that interface as the tunnel's source IP) and a tunnel
destination, the IP address of the remote endpoint to which the tunnel is built.
Generic Route Encapsulation Configuration Command for Business School Router to
Computer Science Department.
config t
int tun 0
ip addr 172.16.2.0 255.255.0.0
tunnel source S0/1/1
tunnel destination 200.10.0.5
do wr
For access to the WAN we need to define a default route towards the Internet/WAN; we use a
static default route for this. The default route and how it works were explained above.
Default Routing Configuration
config t
ip route 0.0.0.0 0.0.0.0 200.20.0.9
do wr
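As an added check (not from the original project), the following Python parses the abbreviated IOS configuration lines shown above for the COMPSC and BUSSCHOOL routers and verifies that the two GRE endpoints agree: each side's tunnel destination must be the other side's tunnel-source address, both tunnel interfaces must share a subnet, and each default-route next hop must lie on that router's own WAN /30. The configuration excerpts are copied from this page; the parser only understands the commands used here.

```python
import ipaddress
import re

# Excerpts of the two router configurations shown on this page, limited to the
# lines the check needs (interface addresses, tunnel endpoints, default route).
COMPSC_CONFIG = """
hostname COMPSC
int s0/1/0
ip addr 200.10.0.5 255.255.255.252
int tun 0
ip addr 172.16.1.0 255.255.0.0
tunnel source S0/1/0
tunnel destination 200.20.0.10
ip route 0.0.0.0 0.0.0.0 200.10.0.6
"""

BUSSCHOOL_CONFIG = """
hostname BUSSCHOOL
int s0/1/1
ip addr 200.20.0.10 255.255.255.252
int tun 0
ip addr 172.16.2.0 255.255.0.0
tunnel source S0/1/1
tunnel destination 200.10.0.5
ip route 0.0.0.0 0.0.0.0 200.20.0.9
"""


def parse_config(text: str) -> dict:
    """Extract hostname, per-interface addresses, tunnel endpoints and the default
    route from the abbreviated IOS syntax used on this page ('int', 'ip addr')."""
    cfg = {"hostname": None, "interfaces": {}, "tunnel": {}, "default_route": None}
    current = None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"hostname (\S+)", line):
            cfg["hostname"] = m.group(1)
        elif m := re.match(r"int(?:erface)? (.+)", line, re.I):
            current = m.group(1).replace(" ", "").lower()   # "int tun 0" -> "tun0"
        elif m := re.match(r"ip add(?:r|ress) (\S+) (\S+)", line):
            cfg["interfaces"][current] = ipaddress.IPv4Interface(f"{m[1]}/{m[2]}")
        elif m := re.match(r"tunnel source (\S+)", line, re.I):
            cfg["tunnel"]["source"] = m.group(1).lower()
        elif m := re.match(r"tunnel destination (\S+)", line, re.I):
            cfg["tunnel"]["destination"] = ipaddress.IPv4Address(m.group(1))
        elif m := re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line):
            cfg["default_route"] = ipaddress.IPv4Address(m.group(1))
    return cfg


def check_gre_pair(a: dict, b: dict) -> list:
    """Return the inconsistencies found between two GRE endpoints (empty = consistent)."""
    problems = []
    for local, peer in ((a, b), (b, a)):
        wan = local["interfaces"][local["tunnel"]["source"]]   # interface the tunnel is sourced from
        if peer["tunnel"]["destination"] != wan.ip:
            problems.append(f"{peer['hostname']}: tunnel destination is not {local['hostname']}'s source {wan.ip}")
        if local["default_route"] not in wan.network:
            problems.append(f"{local['hostname']}: default next hop {local['default_route']} is off {wan.network}")
    tun_a, tun_b = (next(v for k, v in c["interfaces"].items() if k.startswith("tun"))
                    for c in (a, b))
    if tun_a.network != tun_b.network:
        problems.append(f"tunnel addresses {tun_a} and {tun_b} are in different subnets")
    return problems


def check_page_configs() -> list:
    """Run the check over the two configurations quoted from this page."""
    return check_gre_pair(parse_config(COMPSC_CONFIG), parse_config(BUSSCHOOL_CONFIG))
```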
4.3.4 ENGINEERING DEPT ROUTER CONFIGURATION COMMAND
For the local area network and basic router configuration we give the router the hostname
“ENGRDEPT”.
We need to set the enable password for the device and change the banner shown when someone
accesses the router.
We also need to enable telnet on the device for remote access.
We also need to give the LAN interface its IP address, on network 192.168.1.97/27.
We also need to set console passwords so that no unauthorised access to the router is
permitted.
Local Area Network Configuration Command
enable
config t
hostname ENGRDEPT
enable secret ccna@admin
banner motd #danger#
line console 0
login
password ccnp@admin
line vty 0 4
login
password ccie@admin
int F0/1
no shut
ip addr 192.168.1.97 255.255.255.224
do wr