1. Online Banking Network Based On IPv6 Routing
1|Page
1.1 Online Banking: An online banking network is a network of online branches where any
customer can perform financial transactions from any branch. In earlier days, one could operate an
account only at the branch where it was opened. To send money to any other branch, one had to
use Telephony Transfer (TT). Now banking is much easier: one can operate an account from any
branch, and also from an ATM (Automated Teller Machine) or CDM (Cash Depositor Machine),
make purchases through a POS (Point Of Sale) machine, and even transact through a website. To
provide these services the banking system needs to be controlled centrally, and information
needs to be updated immediately.
1.2 How it actually works with current IPv4 routing systems: Providing online facilities
securely is a big challenge. In IPv4, real (public) IP addresses are very expensive, so an
organization runs its LAN on private IP addresses and uses public IP addresses only for connecting to the WAN.
Protocols: Network protocols are formal standards and policies, comprising rules, procedures
and formats, that define communication between two or more devices over a network. Network
protocols govern the end-to-end processes of timely, secure and managed data or network
communication.
Network protocols incorporate all the processes, requirements and constraints of initiating and
accomplishing communication between computers, servers, routers and other network-enabled
devices. Network protocols must be confirmed and installed by the sender and receiver to
ensure network/data communication, and apply to the software and hardware nodes that
communicate on a network. There are several broad types of networking protocols, including:
• Network communication protocols: basic data communication protocols, such as TCP/IP and HTTP
• Network security protocols: implement security over network communications and include HTTPS, SSL and SFTP
• Network management protocols: provide network governance and maintenance and include SNMP and ICMP
Data that is sent from one LAN to another along any of several available paths is said to
be routed. The protocols that support multipath LAN-to-LAN communications are known
as routable protocols. Because routable protocols can be used to tie several LANs together and
create new wide-area environments, they are becoming increasingly important.
1.3 Why IPv6 routing should be the thing of the future: IPv6 can run end-to-end encryption. While
this technology was retrofitted into IPv4, it remains an optional extra that isn't universally used.
The encryption and integrity checking used in current VPNs is a standard component in IPv6,
available for all connections and supported by all compatible devices and systems. Widespread
adoption of IPv6 will therefore make man-in-the-middle attacks significantly more difficult.
IPv6 also supports more secure name resolution. The Secure Neighbor Discovery (SEND)
protocol is capable of enabling cryptographic confirmation that a host is who it claims to be at
connection time. This renders Address Resolution Protocol (ARP) poisoning and other naming-
based attacks more difficult. And while it is not a replacement for application- or service-layer
verification, it still offers an improved level of trust in connections. With IPv4 it's fairly easy for an
attacker to redirect traffic between two legitimate hosts and manipulate the conversation, or at
least observe it. IPv6 makes this very hard.
This added security depends entirely on proper design and implementation, and the more
complex and flexible infrastructure of IPv6 makes for more work. Nevertheless, properly
configured, IPv6 networking will be significantly more secure than its predecessor.
Internet Protocol version 6 is a new addressing protocol designed to incorporate all the possible
requirements of the future Internet, known to us as Internet version 2. This protocol, like its
predecessor IPv4, works on the Network Layer (Layer-3). Along with offering an enormous
amount of logical address space, this protocol has ample features to address the shortcomings of
IPv4.
After IPv4's development in the early 80s, the available IPv4 address pool began to shrink
rapidly as the demand for addresses increased exponentially with the Internet. Taking
pre-cognizance of the situation that might arise, the IETF, in 1994, initiated the development of an
addressing protocol to replace IPv4. The progress of IPv6 can be tracked by means of the RFCs
published:
1.4 Features[1]
The successor of IPv4 is not designed to be backward compatible. Trying to keep the basic
functionalities of IP addressing, IPv6 is redesigned entirely. It offers the following features:
In contrast to IPv4, IPv6 uses 4 times more bits to address a device on the Internet. This many
extra bits can provide approximately 3.4×10^38 different combinations of addresses. This
address space can accommodate the aggressive requirement of address allotment for almost everything
in this world. According to an estimate, 1564 addresses can be allocated to every square meter
of this earth.
Simplified Header
IPv6's header has been simplified by moving all unnecessary information and options (which
are present in the IPv4 header) to the end of the IPv6 header. The IPv6 header is only twice as big
as the IPv4 header, despite the fact that an IPv6 address is four times longer.
End-to-end Connectivity
Every system now has unique IP address and can traverse through the Internet without using
NAT or other translating components. After IPv6 is fully implemented, every host can directly
reach other hosts on the Internet, with some limitations involved like Firewall, organization
policies, etc.
Auto-configuration
IPv6 supports both stateful and stateless auto-configuration mode of its host devices. This way,
absence of a DHCP server does not put a halt on inter-segment communication.
Faster Forwarding/Routing
Simplified header puts all unnecessary information at the end of the header. The information
contained in the first part of the header is adequate for a Router to take routing decisions, thus
making routing decision as quickly as looking at the mandatory header.
IPSec
Initially it was decided that IPv6 must have IPSec security, making it more secure than IPv4.
This feature has now been made optional.
No Broadcast
Though Ethernet/Token Ring are considered broadcast networks because they support
broadcasting, IPv6 does not have any broadcast support anymore. It uses multicast to
communicate with multiple hosts.
Anycast Support
This is another characteristic of IPv6. IPv6 has introduced Anycast mode of packet routing. In
this mode, multiple interfaces over the Internet are assigned same Anycast IP address. Routers,
while routing, send the packet to the nearest destination.
Mobility
IPv6 was designed keeping mobility in mind. This feature enables hosts (such as mobile phone)
to roam around in different geographical area and remain connected with the same IP address.
The mobility feature of IPv6 takes advantage of auto IP configuration and Extension headers.
IPv4 used a 6-bit DSCP (Differentiated Services Code Point) and a 2-bit ECN (Explicit Congestion
Notification) field to provide Quality of Service, but they could only be used if the end-to-end devices
supported them, that is, the source and destination devices and the underlying network must all support them.
In IPv6, the Traffic Class and Flow Label fields are used to tell the underlying routers how to efficiently
process the packet and route it.
Smooth Transition
The large address space of IPv6 makes it possible to allocate globally unique IP addresses to devices.
This mechanism saves IP addresses and NAT is not required, so devices can send and receive
data among each other directly; for example, VoIP and/or any streaming media can be used much more
efficiently.
Another fact is that the header is less loaded, so routers can take forwarding decisions and forward
packets as quickly as they arrive.
Extensibility
One of the major advantages of IPv6 header is that it is extensible to add more information in
the option part. IPv4 provides only 40-bytes for options, whereas options in IPv6 can be as
much as the size of IPv6 packet itself.
1.5 Addressing Modes
In computer networking, addressing mode refers to the mechanism of hosting an address on the
network. IPv6 offers several types of modes by which a single host can be addressed. More
than one host can be addressed at once or the host at the closest distance can be addressed.
Unicast
In unicast mode of addressing, an IPv6 interface (host) is uniquely identified in a network
segment. The IPv6 packet contains both source and destination IP addresses. A host interface
is equipped with an IP address which is unique in that network segment. When a network switch
or a router receives a unicast IP packet destined to a single host, it sends it out of the one
outgoing interface which connects to that particular host.
Multicast
The IPv6 multicast mode is same as that of IPv4. The packet destined to multiple hosts is sent
on a special multicast address. All the hosts interested in that multicast information need to join
that multicast group first. All the interfaces that joined the group receive the multicast packet and
process it, while other hosts not interested in multicast packets ignore the multicast information.
Anycast
IPv6 has introduced a new type of addressing, which is called Anycast addressing. In this
addressing mode, multiple interfaces (hosts) are assigned the same Anycast IP address. When a
host wishes to communicate with a host equipped with an Anycast IP address, it sends a
Unicast message. With the help of a complex routing mechanism, that Unicast message is
delivered to the host closest to the sender in terms of routing cost. [1]
Let's take the example of TutorialsPoint.com web servers, located on all continents. Assume that
all the web servers are assigned a single IPv6 Anycast IP address. Now when a user from
Europe wants to reach TutorialsPoint.com, the DNS points to the server that is physically
located in Europe itself. If a user from India tries to reach TutorialsPoint.com, the DNS will then
point to the web server physically located in Asia. The terms "nearest" and "closest" are used in terms
of routing cost.
In the above picture, when a client computer tries to reach a server, the request is forwarded to
the server with the lowest routing cost.
ADDRESS TYPES AND FORMATS
Address Structure
An IPv6 address is made of 128 bits divided into eight 16-bit blocks. Each block is then
converted into a 4-digit hexadecimal number, and the blocks are separated by colon symbols.
For example, given below is a 128-bit IPv6 address represented in binary format and divided
into eight 16-bit blocks:
Even after converting into hexadecimal format, an IPv6 address remains long. IPv6 provides some
rules to shorten the address. The rules are as follows:
Rule 1: Leading zeros in a block can be omitted. In block 5, 0063, the leading two 0s can
be omitted, such as (5th block):
2001:0000:3238:DFE1:63:0000:0000:FEFB
Rule 2: If two or more consecutive blocks contain only zeroes, omit them all and replace them with the double
colon sign ::, such as (6th and 7th block):
2001:0000:3238:DFE1:63::FEFB
Applying Rule 1 to the second block as well gives the shortest form:
2001:0:3238:DFE1:63::FEFB
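As an added illustration (not part of the original report), the following Python code applies the two shortening rules by hand and cross-checks the result against the standard library's own canonical form; the addresses it handles are the ones from the text plus a few constructed edge cases (all-zero address, a single zero block, two zero runs of different length).

```python
import ipaddress


def compress_ipv6(addr: str) -> str:
    """Shorten an IPv6 address with the two rules from the text.

    Rule 1: leading zeros inside a 16-bit block are dropped.
    Rule 2: the longest run of two or more all-zero blocks is replaced by '::'.
            Only one run may be replaced, otherwise a reader could not tell
            how many zero blocks each '::' stands for.
    """
    # Start from the full eight-block form so the input may already be partly
    # shortened (the stdlib does the expansion for us).
    blocks = ipaddress.IPv6Address(addr).exploded.split(":")

    # Rule 1: parse each block as hex and print it back without padding.
    # "X" keeps the upper-case digits used in the text.
    blocks = [format(int(b, 16), "X") for b in blocks]

    # Rule 2: locate the longest run of consecutive zero blocks.
    best_start, best_len = -1, 0
    i = 0
    while i < len(blocks):
        if blocks[i] != "0":
            i += 1
            continue
        j = i
        while j < len(blocks) and blocks[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j

    if best_len < 2:                      # a single zero block is not compressed
        return ":".join(blocks)
    left = ":".join(blocks[:best_start])
    right = ":".join(blocks[best_start + best_len:])
    return left + "::" + right            # either side may be empty, e.g. "::1"


def expand_ipv6(addr: str) -> str:
    """Undo both rules: eight blocks of four hex digits (lower case, as the stdlib prints)."""
    return ipaddress.IPv6Address(addr).exploded


def agrees_with_stdlib(addr: str) -> bool:
    """Cross-check: Python's RFC 5952 canonical form should equal ours apart from case."""
    return compress_ipv6(addr).lower() == ipaddress.IPv6Address(addr).compressed


if __name__ == "__main__":
    for a in ("2001:0000:3238:DFE1:0063:0000:0000:FEFB", "0:0:0:0:0:0:0:1", "1:0:0:1:0:0:0:1"):
        print(f"{expand_ipv6(a)} -> {compress_ipv6(a)}")
```

Note that the rules are applied to the fully expanded form first, so a partly shortened address such as the text's intermediate 2001:0000:3238:DFE1:63:0000:0000:FEFB compresses to the same final result.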
Interface ID
IPv6 has three different types of Unicast Address scheme. The second half of the address (last
64 bits) is always used for Interface ID. The MAC address of a system is composed of 48-bits
and represented in Hexadecimal. MAC addresses are considered to be uniquely assigned
worldwide.
Interface ID takes advantage of this uniqueness of MAC addresses. A host can auto-configure
its Interface ID by using IEEE's Extended Unique Identifier (EUI-64) format. First, a host divides
its own MAC address into two 24-bit halves. Then the 16-bit hex value 0xFFFE is sandwiched between
those two halves of the MAC address, resulting in the EUI-64 Interface ID.
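As an added example (not from the report), this Python code performs the EUI-64 construction just described, builds the FE80::/64 link-local address from it, and recovers the MAC from such an address. It also applies the universal/local bit inversion that RFC 4291 requires for the modified EUI-64 form (the text omits this step); the MAC address used is a constructed sample.

```python
import ipaddress


def eui64_interface_id(mac: str) -> str:
    """Build the 64-bit Interface ID from a 48-bit MAC.

    1. split the MAC into two 24-bit halves,
    2. insert 0xFFFE between them,
    3. invert the universal/local bit (the 0x02 bit of the first byte), as
       RFC 4291 requires for the 'modified EUI-64' form used in IPv6 addresses.
    """
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("a MAC address is 6 bytes")
    first = raw[0] ^ 0x02                                   # flip the U/L bit
    iid = bytes([first]) + raw[1:3] + b"\xff\xfe" + raw[3:6]
    return ":".join(f"{iid[i]:02x}{iid[i + 1]:02x}" for i in range(0, 8, 2))


def link_local_from_mac(mac: str) -> str:
    """FE80 in the first 16 bits, 48 zero bits, then the EUI-64 Interface ID."""
    return ipaddress.IPv6Address("fe80::" + eui64_interface_id(mac)).compressed


def mac_from_address(addr: str):
    """Recover the MAC from an EUI-64 derived address, or None if the Interface ID
    was not built that way (no FF:FE in the middle). This is the privacy cost of
    EUI-64: anyone who sees the address learns the hardware address."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]   # undo the bit flip
    return ":".join(f"{b:02x}" for b in raw)


if __name__ == "__main__":
    sample_mac = "00:21:2F:B5:6E:10"                        # constructed sample
    print(eui64_interface_id(sample_mac))                   # 0221:2fff:feb5:6e10
    print(link_local_from_mac(sample_mac))                  # fe80::221:2fff:feb5:6e10
    print(mac_from_address(link_local_from_mac(sample_mac)))
```

Because the MAC can be read straight back out of an EUI-64 address, most operating systems now generate the Interface ID randomly instead (RFC 4941 privacy extensions or RFC 7217 stable privacy addresses); an address whose middle 16 Interface ID bits are FFFE is a hint that a host still uses the EUI-64 scheme.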
Global Routing Prefix: The most significant 48 bits are designated as the Global Routing Prefix,
which is assigned to specific autonomous systems. The three most significant bits of the Global
Routing Prefix are always set to 001.
Link-Local Address
An auto-configured IPv6 address is known as a Link-Local Address. This address always starts with
FE80. The first 16 bits of a link-local address are always set to 1111 1110 1000 0000 (FE80). The
next 48 bits are set to 0, thus:
Link-local addresses are used for communication among IPv6 hosts on a link (broadcast
segment) only. These addresses are not routable, so a Router never forwards these addresses
outside the link.
Unique-Local Address
This type of IPv6 address is globally unique, but it should be used in local communication. The
second half of this address contains the Interface ID and the first half is divided among Prefix, Local
Bit, Global ID, and Subnet ID.
The Prefix is always set to 1111 110. The L bit is set to 1 if the address is locally assigned. So far, the
meaning of the L bit set to 0 is not defined. Therefore, a Unique Local IPv6 address always starts with
'FD'.
[Figure 9 : IPv6 Unicast Address Scope]
The scope of Link-local address is limited to the segment. Unique Local Address are locally
global, but are not routed over the Internet, limiting their scope to an organization’s boundary.
Global Unicast addresses are globally unique and recognizable. They shall make the essence
of Internet v2 addressing.
SPECIAL ADDRESSES
IPv6 has a slightly more complex address structure than IPv4. IPv6 has reserved a
few addresses and address notations for special purposes. See the table below:
As shown in the table, the address 0:0:0:0:0:0:0:0/128 does not specify anything and is
said to be the unspecified address. After simplifying, all the 0s are compacted to ::/128.
In IPv4, the address 0.0.0.0 with netmask 0.0.0.0 represents the default route. The same
concept also applies to IPv6: the address 0:0:0:0:0:0:0:0 with a netmask of all 0s
represents the default route. After applying the IPv6 shortening rules, this address is compressed to ::/0.
Loopback addresses in IPv4 are represented by the 127.0.0.1 to 127.255.255.255 series.
But in IPv6, only 0:0:0:0:0:0:0:1/128 represents the loopback address. After shortening,
it is written as ::1/128.
The above table shows the reserved multicast addresses used by interior routing
protocol.
The addresses are reserved following the same rules of IPv4.
Reserved Multicast Address for Routers/Node
These addresses help routers and hosts to speak to available routers and hosts on a
segment without being configured with an IPv6 address.
Hosts use EUI-64 based auto-configuration to self-configure an IPv6 address and then
speak to available hosts/routers on the segment by means of these addresses.
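The address types and scopes from the last few sections, as an added Python example (not from the report): a classifier for the unspecified, loopback, link-local, unique-local, global unicast and multicast ranges, and a helper that says how far a router may forward a packet sent to each kind, which is the basis of a sensible border filter. The well-known FF02:: groups and the scope-nibble table are taken from RFC 4291 and the IANA registry, not from the page.

```python
import ipaddress

# Well-known link-local multicast groups (FF02::/16): the "reserved multicast
# addresses for routers/nodes" and the interior routing protocol groups.
WELL_KNOWN_MULTICAST = {
    "ff02::1": "all nodes on the link",
    "ff02::2": "all routers on the link",
    "ff02::5": "OSPFv3 all SPF routers",
    "ff02::6": "OSPFv3 designated routers",
    "ff02::9": "RIPng routers",
    "ff02::a": "EIGRP routers",
}

# The fourth hex digit of a multicast address (FF0X::) is its scope.
MULTICAST_SCOPES = {1: "interface-local", 2: "link-local", 4: "admin-local",
                    5: "site-local", 8: "organization-local", 0xE: "global"}


def multicast_scope(a: ipaddress.IPv6Address) -> str:
    return MULTICAST_SCOPES.get(a.packed[1] & 0x0F, "unassigned")


def classify_ipv6(text: str) -> str:
    """Name the address type using the prefixes given in the text."""
    a = ipaddress.IPv6Address(text)
    if a == ipaddress.IPv6Address("::"):
        return "unspecified"                          # ::/128
    if a == ipaddress.IPv6Address("::1"):
        return "loopback"                             # ::1/128
    if a in ipaddress.IPv6Network("ff00::/8"):
        name = WELL_KNOWN_MULTICAST.get(a.compressed)
        return f"multicast ({multicast_scope(a)}{', ' + name if name else ''})"
    if a in ipaddress.IPv6Network("fe80::/10"):
        return "link-local unicast"                   # starts with FE80
    if a in ipaddress.IPv6Network("fc00::/7"):
        return "unique-local unicast"                 # prefix 1111 110, in practice FD..
    if a in ipaddress.IPv6Network("2000::/3"):
        return "global unicast"                       # top three bits 001
    return "reserved/other"


def forwarding_scope(text: str) -> str:
    """How far a router may forward a packet addressed to this address:
    'link' (never leaves the segment), 'organization' (unique-local and
    site/organization multicast, never onto the Internet) or 'internet'."""
    a = ipaddress.IPv6Address(text)
    if a in ipaddress.IPv6Network("ff00::/8"):
        scope = multicast_scope(a)
        if scope == "global":
            return "internet"
        if scope in ("admin-local", "site-local", "organization-local"):
            return "organization"
        return "link"
    kind = classify_ipv6(text)
    return {"global unicast": "internet", "unique-local unicast": "organization"}.get(kind, "link")


if __name__ == "__main__":
    for sample in ("::", "::1", "fe80::1", "fd12:3456::1", "2001:db8::1", "ff02::1", "ff02::9"):
        print(f"{sample:16} {classify_ipv6(sample):45} forward: {forwarding_scope(sample)}")
```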
1.6 Communication
In IPv4, a host that wants to communicate with another host on the network needs to have an IP
address acquired either by means of DHCP or by manual configuration. As soon as a host is
equipped with some valid IP address, it can speak to any host on the subnet.
To communicate on layer-3, a host must also know the IP address of the other host.
Communication on a link is established by means of hardware-embedded MAC Addresses. To
know the MAC address of a host whose IP address is known, a host sends ARP broadcast and
in return, the intended host sends back its MAC address.
In IPv6, there are no broadcast mechanisms. An IPv6-enabled host does not have to obtain
an IP address from DHCP or be configured manually; it can auto-configure its own IP address.
Once a host is done with the configuration of its IPv6 addresses, it does the following things:
Neighbor Solicitation: After configuring all its IPv6 addresses, either manually, by a DHCP server or
by auto-configuration, the host sends a Neighbor Solicitation message out to the FF02::1/16
multicast address for all its IPv6 addresses, in order to learn whether anyone else occupies
the same addresses.
DAD (Duplicate Address Detection): When the host does not hear anything from
the segment in reply to its Neighbor Solicitation message, it assumes that no duplicate
address exists on the segment.
Neighbor Advertisement: After assigning the addresses to its interfaces and bringing
them up, the host once again sends out a Neighbor Advertisement message
telling all other hosts on the segment that it has assigned those IPv6 addresses to its
interfaces.
Redirect: This may be the situation where a Router receives a Router Solicitation
request but it knows that it is not the best gateway for the host. In this situation, the
router sends back a Redirect message telling the host that there is a better ‘next-hop’
router available. Next-hop is where the host will send its data destined to a host which
does not belong to the same segment.
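The three steps above (Neighbor Solicitation, DAD, Neighbor Advertisement), as an added Python simulation that is not part of the report. It models one link with a few nodes, keeps the text's simplification that the solicitation goes to FF02::1 (real hosts use the solicited-node multicast group and a timer), and adds a small monitoring helper that counts advertisements per source, since a node that answers every solicitation would make DAD fail for every newcomer. Node names and addresses are constructed.

```python
from collections import Counter
from dataclasses import dataclass, field

ALL_NODES = "ff02::1"          # the multicast group the text names for the solicitation


@dataclass
class Node:
    name: str
    addresses: set = field(default_factory=set)

    def receive(self, msg):
        """A node answers a Neighbor Solicitation with a Neighbor Advertisement
        only if the target is an address it has already assigned."""
        if msg["type"] == "NS" and msg["target"] in self.addresses:
            return {"type": "NA", "src": self.name, "dst": msg["src"], "target": msg["target"]}
        return None


class Link:
    """One segment: a multicast message is delivered to every other node."""

    def __init__(self, nodes):
        self.nodes = list(nodes)
        self.log = []                       # every message seen on the wire

    def multicast(self, msg):
        self.log.append(msg)
        replies = []
        for node in self.nodes:
            if node.name == msg["src"]:
                continue
            reply = node.receive(msg)
            if reply is not None:
                self.log.append(reply)
                replies.append(reply)
        return replies


def configure_address(link, host, tentative):
    """NS to ff02::1, silence means the address is unique (DAD), then assign it
    and announce it with an NA. Returns True when assigned, False on a duplicate."""
    replies = link.multicast({"type": "NS", "src": host.name, "dst": ALL_NODES, "target": tentative})
    if replies:                             # somebody already owns it: DAD fails
        return False
    host.addresses.add(tentative)
    link.multicast({"type": "NA", "src": host.name, "dst": ALL_NODES, "target": tentative})
    return True


def na_per_source(log):
    """Monitoring helper: how many Neighbor Advertisements each node has sent.
    One source answering many unrelated targets is the first signal to look at."""
    return Counter(m["src"] for m in log if m["type"] == "NA")


if __name__ == "__main__":
    a, b, c = Node("A", {"fe80::1"}), Node("B", {"fe80::2"}), Node("C")   # constructed
    link = Link([a, b, c])
    print("C takes fe80::1:", configure_address(link, c, "fe80::1"))      # False, A owns it
    print("C takes fe80::3:", configure_address(link, c, "fe80::3"))      # True
    print(na_per_source(link.log))
```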
1.7 Subnetting
In IPv4, addresses were created in classes. Classful IPv4 addresses clearly define the bits used
for network prefixes and the bits used for hosts on that network. To subnet in IPv4, we manipulate
the default classful netmask, which allows us to borrow host bits to be used as subnet bits. This
results in more subnets but fewer hosts per subnet: every host bit borrowed to create
a subnet is one bit less for host addresses.
IPv6 addresses use 128 bits to represent an address, which includes bits to be used for
subnetting. The second half of the address (the least significant 64 bits) is always used for hosts
only. Therefore, there is no compromise if we subnet the network.[4]
16 bits of subnet ID is equivalent to an IPv4 Class B network. Using these subnet bits, an
organization can have another 65 thousand subnets, which is by far more than enough.
Thus the routing prefix is /64 and the host portion is 64 bits. We can further subnet the network beyond
the 16 bits of Subnet ID by borrowing host bits, but it is recommended that 64 bits always
be used for host addresses, because auto-configuration requires 64 bits.
IPv6 subnetting works on the same concept as Variable Length Subnet Masking in IPv4.
A /48 prefix can be allocated to an organization, giving it the benefit of having up to /64 subnet
prefixes, which is 65535 sub-networks, each having 2^64 hosts. A /64 prefix can be assigned to
a point-to-point connection where there are only two hosts (or IPv6-enabled devices) on a link.
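An added Python example (not from the report) of carving a /48 allocation into /64 subnets with the standard ipaddress module: it counts subnets and hosts, computes the n-th subnet arithmetically instead of enumerating all of them, and extracts the 16-bit Subnet ID from a host address (the count comes out as exactly 2^16 = 65536 /64 prefixes). The 2001:db8:abcd::/48 allocation is a constructed documentation prefix.

```python
import ipaddress
from itertools import islice


def subnet_plan(org_prefix: str, subnet_len: int = 64):
    """How many subnets of the given length fit in the allocation, and how
    many host addresses each one holds."""
    net = ipaddress.IPv6Network(org_prefix)
    if not net.prefixlen <= subnet_len <= 128:
        raise ValueError("subnet length must lie between the allocation length and 128")
    return 2 ** (subnet_len - net.prefixlen), 2 ** (128 - subnet_len)


def nth_subnet(org_prefix: str, n: int, subnet_len: int = 64) -> str:
    """The n-th /subnet_len inside the allocation, computed from the integer
    value of the address so we never have to walk through all 65536 of them."""
    net = ipaddress.IPv6Network(org_prefix)
    count = 2 ** (subnet_len - net.prefixlen)
    if not 0 <= n < count:
        raise ValueError(f"only {count} subnets of that size exist in {org_prefix}")
    base = int(net.network_address) + n * 2 ** (128 - subnet_len)
    return str(ipaddress.IPv6Network((base, subnet_len)))


def subnet_id(addr: str, org_prefix: str) -> int:
    """The Subnet ID bits (between the allocation prefix and bit 64) of a host
    address, i.e. which /64 it belongs to; raises if it is outside the allocation."""
    net = ipaddress.IPv6Network(org_prefix)
    a = ipaddress.IPv6Address(addr)
    if a not in net:
        raise ValueError("address is outside the allocation")
    width = 64 - net.prefixlen                      # 16 bits for a /48
    return (int(a) >> 64) & ((1 << width) - 1)


if __name__ == "__main__":
    org = "2001:db8:abcd::/48"                      # constructed allocation
    subnets, hosts = subnet_plan(org)
    print(f"{org}: {subnets} /64 subnets, {hosts} addresses each")
    for s in islice(ipaddress.IPv6Network(org).subnets(new_prefix=64), 3):
        print("  ", s)                              # the stdlib generator, first three
    print("subnet 0x10:", nth_subnet(org, 0x10))
    print("host 2001:db8:abcd:10::1 is in subnet", subnet_id("2001:db8:abcd:10::1", org))
```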
1.8 Mobility[5]
When a host is connected to a link or network, it acquires an IP address and all communication
takes place using that IP address on that link. As soon as the same host changes its physical
location, that is, moves into another area / subnet / network / link, its IP address changes
accordingly, and all the communication taking place on the host using old IP address goes
down.
IPv6 mobility provides a mechanism for the host to roam around different links without losing
any communication/connection and its IP address.
Mobility Operation
When a Mobile Node stays in its Home Link, all communications take place on its Home
Address as shown below:
[Figure 11 : Mobile Node connected to Home Link]
When a Mobile Node leaves its Home Link and is connected to some Foreign Link, the Mobility
feature of IPv6 comes into play. After getting connected to a Foreign Link, the Mobile Node
acquires an IPv6 address from the Foreign Link. This address is called Care-of Address. The
Mobile Node sends a binding request to its Home Agent with the new Care-of Address. The
Home Agent binds the Mobile Node’s Home Address with the Care-of Address, establishing a
Tunnel between both.
Whenever a Correspondent Node tries to establish connection with the Mobile Node (on its
Home Address), the Home Agent intercepts the packet and forwards to Mobile Node’s Care-of
Address over the Tunnel which was already established.[6]
Route Optimization
When a Correspondent Node initiates a communication by sending packets to the Mobile Node
on the Home Address, these packets are tunneled to the Mobile Node by the Home Agent. In
Route Optimization mode, when the Mobile Node receives a packet from the Correspondent
Node, it does not forward replies to the Home Agent. Rather, it sends its packet directly to the
Correspondent Node using Home Address as Source Address. This mode is optional and not
used by default.
Chapter 2
2.1 What is IP routing
IP routing is the process of sending packets from a host on one network to another host
on another, remote network. This process is done by routers. Routers examine the
destination IP address of a packet, determine the next-hop address, and forward the
packet.
Routers use routing tables to determine a next hop address to which the packet should
be forwarded.
Consider the following example of IP routing:[7]
[Figure 13 : Routing ]
Host A wants to communicate with host B, but host B is on another network. Host A is
configured to send all packets destined for remote networks to router R1. Router R1
receives the packets, examines the destination IP address and forwards the packet to
the outgoing interface associated with the destination network.
Default gateway
A default gateway is a router that hosts use to communicate with other hosts on remote
networks. A default gateway is used when a host doesn't have a route entry for the
specific remote network and doesn't know how to reach that network. Hosts can be
configured to send all packets destined to remote networks to a default gateway, which
has a route to reach that network.
The following example explains the concept of a default gateway more thoroughly.[8]
Host A has an IP address of the router R1 configured as the default gateway address.
Host A is trying to communicate with host B, a host on another, remote network. Host A
looks up in its routing table to check if there is an entry for that destination network. If
the entry is not found, the host sends all data to the router R1. Router R1 receives the
packets and forwards them to host B.
Routing table
Each router maintains a routing table and stores it in RAM. A routing table is used by
routers to determine a path to a destination network. Each routing table consists of the
following entries:
1. network destination and a network subnet mask - specifies a range of IP addresses
2. remote router - IP address of the router used to reach that network
3. outgoing interface - outgoing interface the packet should go out to reach the
destination network
There are three different methods for populating a routing table:
• directly connected subnets
• using static routing
• using dynamic routing
Each of these methods is described in the following chapters.
Consider the following example. Host A wants to communicate with host B, but host B is
on another network. Host A is configured to send all packets destined for remote
networks to the router. The router receives the packets, checks the routing table to see
if it has an entry for the destination address. If it does, the router forwards the packet out
the appropriate interface port. If the router doesn't find the entry, it discards the packet. [9]
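An added Python model (not the report's code) of the routing-table lookup described in this section: entries are (destination network, next hop, outgoing interface), a directly connected subnet has no next hop, the most specific matching entry wins (longest-prefix match), the default route 0.0.0.0/0 or ::/0 matches only when nothing else does, and a destination with no entry at all is discarded. The table contents and interface names are constructed.

```python
import ipaddress


class RoutingTable:
    """One router's table: (destination network, next hop, outgoing interface).
    A next hop of None marks a directly connected subnet."""

    def __init__(self):
        self.routes = []

    def add(self, destination: str, interface: str, next_hop: str = None):
        self.routes.append((ipaddress.ip_network(destination), next_hop, interface))

    def lookup(self, dst: str):
        """Longest-prefix match: of all entries containing the destination, the
        one with the longest mask wins; 0.0.0.0/0 or ::/0 only wins when nothing
        more specific exists (that is the default gateway). None means no entry."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, next_hop, iface in self.routes:
            if addr.version != net.version or addr not in net:
                continue
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, next_hop, iface)
        return best

    def forward(self, dst: str) -> str:
        """The decision the text describes: send out the matching interface,
        or discard when there is no entry at all."""
        match = self.lookup(dst)
        if match is None:
            return "discard"
        net, next_hop, iface = match
        if next_hop is None:
            return f"deliver directly on {iface}"
        return f"forward via {next_hop} on {iface} (route {net})"


def build_r1() -> RoutingTable:
    """Constructed table for router R1: two connected LANs, a summary route,
    a more specific route inside it, and IPv4/IPv6 default routes."""
    r1 = RoutingTable()
    r1.add("10.0.0.0/24", "eth0")                  # host A's LAN, connected
    r1.add("10.0.1.0/24", "eth1")                  # transit LAN, connected
    r1.add("172.16.0.0/16", "eth1", "10.0.1.2")    # summary route via R2
    r1.add("172.16.5.0/24", "eth1", "10.0.1.3")    # more specific route via R3
    r1.add("0.0.0.0/0", "eth1", "10.0.1.1")        # IPv4 default gateway
    r1.add("2001:db8:1::/64", "eth2")              # IPv6 LAN, connected
    r1.add("::/0", "eth2", "fe80::1")              # IPv6 default gateway
    return r1


if __name__ == "__main__":
    r1 = build_r1()
    for dst in ("10.0.0.7", "172.16.5.9", "172.16.9.9", "198.51.100.1", "2001:db8:2::1"):
        print(f"{dst:16} -> {r1.forward(dst)}")
```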
2.2 Types of routing protocols
As the name implies, distance vector routing protocols use distance to determine the
best path to a remote network. The distance is usually the number of hops (routers) to
the destination network.
Distance vector protocols send their complete routing table to each neighbor (a neighbor is a
directly connected router that runs the same routing protocol). They usually use some
version of the Bellman-Ford algorithm to calculate the best routes. Compared with link state
routing protocols, distance vector protocols are simpler to configure and require little
management, but are susceptible to routing loops and converge more slowly than link state
routing protocols. Distance vector protocols also use more bandwidth because they
send the complete routing table, while link state protocols send specific updates only when
topology changes occur.
RIP and EIGRP are examples of distance vector routing protocols.
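To make the Bellman-Ford behaviour and the slow convergence concrete, here is an added Python simulation (not the report's code). Routers exchange their whole tables with hop-count metrics; on the RIP figure's topology (R1 owns 10.0.0.0/24 and neighbors R2 and R3) R2 and R3 learn the route at metric 1 in one round, and when R1 then loses the subnet, R2 and R3 keep offering their stale one-hop route back to R1 until every router reaches RIP's infinity of 16. The round model is synchronous and deliberately has no split horizon, which is the classic count-to-infinity setting.

```python
INFINITY = 16                 # RIP's "unreachable" hop count


def build_neighbors(links):
    neighbors = {}
    for a, b in links:
        neighbors.setdefault(a, set()).add(b)
        neighbors.setdefault(b, set()).add(a)
    return neighbors


def initial_tables(neighbors, connected):
    """Every router starts with only its directly connected subnets (metric 0, no next hop)."""
    tables = {r: {} for r in neighbors}
    for router, prefixes in connected.items():
        for p in prefixes:
            tables[router][p] = (0, None)
    return tables


def exchange_round(tables, neighbors):
    """One synchronous round: every router sends its whole table to each neighbor
    and applies the Bellman-Ford rule to what it received:
      - a route learned through neighbor N always takes N's newest metric + 1,
        even if it got worse (that is what lets count-to-infinity happen),
      - any other neighbor replaces the route only with a strictly better metric.
    Returns True if any table changed."""
    snapshot = {r: dict(t) for r, t in tables.items()}
    changed = False
    for router in tables:
        for nb in sorted(neighbors[router]):
            advertised = snapshot[nb]
            # prefixes the neighbor advertises, plus prefixes we route via it
            # (if it stopped advertising one, that way is now unreachable)
            prefixes = set(advertised) | {p for p, (_, nh) in snapshot[router].items() if nh == nb}
            for prefix in prefixes:
                adv_metric = advertised.get(prefix, (INFINITY, None))[0]
                candidate = (min(adv_metric + 1, INFINITY), nb)
                current = tables[router].get(prefix)
                if current is None or candidate[0] < current[0] or current[1] == nb:
                    if current != candidate:
                        tables[router][prefix] = candidate
                        changed = True
    return changed


def run_until_stable(tables, neighbors, max_rounds=50):
    """Exchange until nothing changes; returns how many rounds changed something."""
    for rnd in range(1, max_rounds + 1):
        if not exchange_round(tables, neighbors):
            return rnd - 1
    return max_rounds


LINKS = [("R1", "R2"), ("R1", "R3")]          # constructed: the figure's hub topology


def rip_example():
    """R1 advertises its connected 10.0.0.0/24 to R2 and R3."""
    neighbors = build_neighbors(LINKS)
    tables = initial_tables(neighbors, {"R1": ["10.0.0.0/24"]})
    rounds = run_until_stable(tables, neighbors)
    return tables, rounds


def count_to_infinity():
    """Take the converged example, make R1 lose 10.0.0.0/24, and watch the
    metrics climb until all three routers agree it is unreachable."""
    tables, _ = rip_example()
    neighbors = build_neighbors(LINKS)
    del tables["R1"]["10.0.0.0/24"]
    rounds = run_until_stable(tables, neighbors)
    return tables, rounds


if __name__ == "__main__":
    tables, rounds = rip_example()
    print(f"converged after {rounds} round(s):", tables)
    tables, rounds = count_to_infinity()
    print(f"after losing the subnet, {rounds} rounds to reach 16:", tables)
```

Split horizon (never advertise a route back out of the interface it was learned on) and triggered updates exist precisely to cut this counting short; the simulation shows what happens without them.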
2.4 Link state protocols
Link state routing protocols are the second type of routing protocols. They have the
same basic purpose as distance vector protocols, to find a best path to a destination,
but use different methods to do so. Unlike distance vector protocols, link state protocols
don't advertise the entire routing table. Instead, they advertise information about a
network topology (directly connected links, neighboring routers...), so that in the end all
routers running a link state protocol have the same topology database. Link state
routing protocols converge much faster than distance vector routing protocols, support
classless routing, send updates using multicast addresses and use triggered routing
updates. They also require more router CPU and memory usage than distance-vector
routing protocols and can be harder to configure.
Each router running a link state routing protocol creates three different tables:
1. neighbor table - the table of neighboring routers running the same link state routing
protocol
2. topology table - the table that stores the topology of the entire network
3. routing table - the table that stores the best routes
Shortest Path First algorithm is used to calculate the best route. OSPF and IS-IS are
examples of link state routing protocols.
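An added Python example (not from the report) of the SPF computation each link-state router runs over its topology table: Dijkstra's algorithm returns the total cost and the next hop to every other router, every router computing from the same database gets consistent results, and removing one link and recomputing shows why only topology changes need to be flooded. The routers and link costs are constructed.

```python
import heapq
from math import inf


def build_lsdb(links):
    """Topology table: every router's directly connected links with their costs.
    In a link-state protocol each router floods its own links, so all routers
    end up holding this same database."""
    lsdb = {}
    for a, b, cost in links:
        lsdb.setdefault(a, {})[b] = cost
        lsdb.setdefault(b, {})[a] = cost
    return lsdb


def remove_link(lsdb, a, b):
    """A topology change: the link is withdrawn from the database (both directions)."""
    lsdb[a].pop(b, None)
    lsdb[b].pop(a, None)


def spf(lsdb, root):
    """Dijkstra's Shortest Path First from `root`. Returns the routing table
    {router: (total cost, next hop)}; the next hop is the first router on the
    least-cost path, which is all the forwarding plane needs to know."""
    dist = {root: 0}
    heap = [(0, root, None)]              # (cost so far, router, next hop from root)
    done = set()
    table = {}
    while heap:
        cost, node, via = heapq.heappop(heap)
        if node in done:
            continue                       # a cheaper entry was already settled
        done.add(node)
        if node != root:
            table[node] = (cost, via)
        for nb, link_cost in lsdb[node].items():
            new_cost = cost + link_cost
            if new_cost < dist.get(nb, inf):
                dist[nb] = new_cost
                # the first hop is the neighbor itself when we are at the root,
                # otherwise it is inherited from the path we extend
                heapq.heappush(heap, (new_cost, nb, nb if node == root else via))
    return table


def all_tables(lsdb):
    """Every router runs SPF over the same database."""
    return {r: spf(lsdb, r) for r in lsdb}


LINKS = [("R1", "R2", 10), ("R2", "R3", 10), ("R1", "R3", 30), ("R3", "R4", 5)]  # constructed


if __name__ == "__main__":
    db = build_lsdb(LINKS)
    for router, table in all_tables(db).items():
        print(router, table)
    remove_link(db, "R2", "R3")
    print("after losing R2-R3, R1 sees:", spf(db, "R1"))
```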
2.5 RIP (Routing Information Protocol)
RIP (Routing Information Protocol) is one of the oldest distance vector routing protocols.
It is usually used in small networks. RIP is very simple to configure and maintain, but
lacks some advanced features of routing protocols like OSPF or EIGRP. Two versions
of the protocol exist: version 1 and version 2. Both versions use hop count as a metric
and have an administrative distance of 120. RIP version 2 is capable of advertising
subnet masks and uses multicast to send routing updates, while version 1 doesn't
advertise subnet masks and uses broadcast for updates. Version 2 is backwards
compatible with version 1.
RIPv2 sends the entire routing table every 30 seconds, which can consume a lot of
bandwidth. RIPv2 uses the multicast address 224.0.0.9 to send routing updates, and supports
authentication and triggered updates (updates that are sent when a change in the
network occurs).
For an example of how RIP works, consider the following figure. [11]
[Figure 16 : RIP ]
Router R1 directly connects to the subnet 10.0.0.0/24. A network engineer has configured
RIP on R1 to advertise this route. R1 sends routing updates to R2 and R3. The routing
updates list the subnet, subnet mask and metric for this route. Each router, R2 and R3,
receives this update and adds the route to its routing table. Both routers
list a metric of 1 because the network is only one hop away.
RIPng
RIPng is an extension of RIP for IPv6 support. The configuration of RIPng requires
at least two steps:
1. enable RIPng using the global configuration command ipv6 router rip tag. The tag is
used to differentiate between multiple RIP processes. It does not have to be the same
on all routers.
2. enable the routing protocol on the interface using the ipv6 rip tag enable command. The tag has
to match the one used in the ipv6 router rip tag command.
Here is an example:
We have done a similar configuration on the second router. To verify that the routers are
indeed exchanging route information using RIPng we can use the show ipv6 route
command:
In the picture above, we can see that the router has received a route to the
network 2001:BBBB:CCCC:DDDD::/64.
2.6 EIGRP (Enhanced Interior Gateway Routing Protocol)
EIGRP (Enhanced Interior Gateway Routing Protocol) is an advanced distance vector
routing protocol. This protocol is an evolution of an earlier Cisco protocol called IGRP,
which is now considered obsolete. EIGRP supports classless routing and VLSM, route
summarization, incremental updates, load balancing and many other useful features. It
is a Cisco proprietary protocol, so all routers in a network that is running EIGRP must be
Cisco routers.
Routers running EIGRP must become neighbors before exchanging routing information.
To dynamically discover neighbors, EIGRP routers use the multicast address of
224.0.0.10. Each EIGRP router stores routing and topology information in three tables:
• Neighbor table - stores information about EIGRP neighbors
• Topology table - stores routing information learned from neighboring routers
• Routing table - stores the best routes
Administrative distance of EIGRP is 90, which is less than both the administrative
distance of RIP and the administrative distance of OSPF, so EIGRP routes will be
preferred over these routes. EIGRP uses Reliable Transport Protocol (RTP) for sending
messages.
EIGRP calculates its metric by using bandwidth, delay, reliability and load. By default,
only bandwidth and delay are used when calculating metric, while reliability and load are
set to zero.
EIGRP uses the concept of autonomous systems. An autonomous system is a set of
EIGRP-enabled routers that should become EIGRP neighbors. Each router inside an
autonomous system must have the same autonomous system number configured,
otherwise the routers will not become neighbors.
EIGRP Neighbors
EIGRP must establish neighbor relationships with other EIGRP neighboring routers
before exchanging routing information. To establish neighbor relationships, routers send
hello packets every couple of seconds. Hello packets are sent to the multicast address
of 224.0.0.10.
TIP - on LAN interfaces hellos are sent every 5 seconds. On WAN interfaces every 60
seconds.
The following fields in a hello packet must be identical in order for routers to become
neighbors:
• ASN (autonomous system number)
• subnet number
• K values (components of metric)
Routers send hello packets every couple of seconds to ensure that the neighbor
relationship is still active. By default, routers consider the neighbor to be down after a
hold-down timer has expired. The hold-down timer is, by default, three times the hello
interval. On a LAN network the hold-down timer is 15 seconds.
Two terms that you will often encounter when working with EIGRP are feasible and
reported distance. Let's clarify these terms:
Feasible distance (FD) - the metric of the best route to reach a network. That route will
be listed in the routing table.
Reported distance (RD) - the metric advertised by a neighboring router for a specific
route. In other words, it is the metric of the route used by the neighboring router to reach
the network.
To better understand the concept, consider the following example. [12]
[Figure 19 : EIGRP ]
EIGRP has been configured on R1 and R2. R2 is directly connected to the subnet
10.0.1.0/24 and advertises that subnet into EIGRP. Let's say that R2's metric to reach
that subnet is 28160. When the subnet is advertised to R1, R2 informs R1 that its metric
to reach 10.0.1.0/24 is 10. From the R1's perspective that metric is considered to be the
reported distance for that route. R1 receives the update and adds the metric to the
neighbor to the reported distance. That metric is called feasible distance and is stored in
R1's routing table (30720 in our case).
The feasible and reported distance are displayed in R1's EIGRP topology table:
Another two terms that appear often in the EIGRP world are "successor" and "feasible
successor". A successor is the route with the best metric to reach a destination. That
route is stored in the routing table. A feasible successor is a backup path to reach that
same destination that can be used immediately if the successor route fails. These
backup routes are stored in the topology table.
For a route to be chosen as a feasible successor, one condition must be met:
a neighbor's advertised distance (AD) for the route must be less than the
successor's feasible distance (FD).
The following example explains the concept of a successor and a feasible successor.[13]
30 | P a g e
R1 has two paths to reach the subnet 10.0.0.0/24. The path through R2 has the best
metric (20) and it is stored in R1's routing table. The other route, through R3, is a
feasible successor route, because the feasibility condition has been met (R3's
advertised distance of 15 is less than R1's feasible distance of 20). R1 stores that route
in the topology table. This route can be used immediately if the primary route fails.
EIGRP is running on all three routers. Routers R2 and R3 both connect to the subnet
10.0.1.0/24 and advertise that subnet to R1. R1 receives both updates and calculates
the best route. The best path goes through R2, so R1 stores that route in the routing
table. Router R1 also calculates the metric of the route through R3. Let's say that the
advertised distance of that route is less than the feasible distance of the best route. The
feasibility condition is met and router R1 stores that route in the topology table as a
feasible successor route. The route can be used immediately if the primary route fails.
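To make the feasibility condition concrete, here is an added Python example (not from the report or its cited sources) that computes the successor and the feasible successors for one destination from the reported distances and link costs that R1 sees, and then models what happens when the successor is lost. The neighbor names and metrics are constructed for illustration; the third neighbor R4 is included to show that a path can have a lower total metric than a feasible successor and still be rejected, because DUAL compares the neighbor's reported distance, not its total, against the feasible distance.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Path:
    """One candidate path from R1 to a destination, as learned from a neighbor."""
    neighbor: str            # next-hop router (constructed name)
    reported_distance: int   # RD/AD: the neighbor's own metric to the destination
    link_cost: int           # R1's metric to reach that neighbor

    @property
    def feasible_distance(self) -> int:
        # FD via this neighbor = the neighbor's reported distance + our cost to the neighbor
        return self.reported_distance + self.link_cost


def sample_paths() -> List[Path]:
    """Constructed sample of R1's paths to one subnet (values assumed for illustration)."""
    return [
        Path("R2", reported_distance=10, link_cost=10),  # FD 20: the successor
        Path("R3", reported_distance=15, link_cost=10),  # FD 25, RD 15 < 20: feasible successor
        Path("R4", reported_distance=22, link_cost=2),   # FD 24, but RD 22 >= 20: not feasible
    ]


def classify_paths(paths: List[Path]) -> Tuple[Path, List[Path], int]:
    """Apply DUAL's feasibility condition.

    The successor is the path with the lowest feasible distance. Any other path
    whose reported distance is strictly less than the successor's FD is a feasible
    successor (a loop-free backup); the rest stay in the topology table unusable.
    """
    successor = min(paths, key=lambda p: p.feasible_distance)
    best_fd = successor.feasible_distance
    feasible = [p for p in paths
                if p is not successor and p.reported_distance < best_fd]
    feasible.sort(key=lambda p: p.feasible_distance)
    return successor, feasible, best_fd


def on_successor_failure(paths: List[Path], failed_neighbor: str) -> Tuple[Optional[Path], bool]:
    """Model the reaction when a neighbor is lost.

    Returns (new_successor, query_needed). A feasible successor is promoted at
    once without a diffusing computation; with no feasible successor the route
    goes Active and R1 must query its remaining neighbors (query_needed=True).
    """
    successor, feasible, _ = classify_paths(paths)
    if failed_neighbor != successor.neighbor:
        return successor, False   # losing a non-successor path keeps the successor
    if feasible:
        return feasible[0], False
    return None, True


if __name__ == "__main__":
    s, fs, fd = classify_paths(sample_paths())
    print(f"successor {s.neighbor} FD={fd}; feasible successors: "
          f"{[p.neighbor for p in fs]}")
    print(on_successor_failure(sample_paths(), "R2"))
```

The R4 case is the one worth remembering when reading a topology table: a path that is not a feasible successor is still listed there, but it cannot be used until DUAL has queried the neighbors and confirmed it is loop-free.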
2.7 OSPF (Open Shortest Path First)
OSPF (Open Shortest Path First) is a link state routing protocol. Because it is an open
standard, it is implemented by a variety of network vendors. OSPF will run on most
routers, which do not have to be Cisco routers (unlike EIGRP, which can be run only on
Cisco routers).
OSPF is a classless routing protocol that supports VLSM and CIDR, manual route
summarization, incremental updates, equal cost load balancing and many other useful
features. OSPF uses only one parameter as the metric, namely interface cost. The
administrative distance of OSPF routes is, by default, 110. OSPF uses the multicast
addresses 224.0.0.5 and 224.0.0.6 for routing updates.
Routers running OSPF have to establish neighbor relationships before exchanging
routes. Because OSPF is a link state routing protocol, neighbors don't exchange
routing tables. Instead, they exchange information about the network topology. Each OSPF
router then runs the SPF algorithm to calculate the best routes and adds those to the
routing table. Because each router knows the entire topology of the network, the chance
of a routing loop occurring is minimal.
Each OSPF router stores routing and topology information in three tables:
• Neighbor table - stores information about OSPF neighbors
• Topology table - stores the topology structure of a network
• Routing table - stores the best routes
OSPF neighbors
Routers R1 and R2 are directly connected. After OSPF is enabled, both routers send
Hellos to each other to establish a neighbor relationship. You can verify that the
neighbor relationship has indeed been established by typing the show ip ospf
neighbor command.
In the example above, you can see that the router-id of R2 is 2.2.2.2.
Each OSPF router is assigned a router ID. A router ID is determined by using one of the
following:
1. Using the router-id command under the OSPF process
2. Using the highest IP address of the router's loopback interfaces
3. Using the highest IP address of the router's physical interfaces
The following fields in the Hello packets must be the same on both routers in order for
the routers to become neighbors:
• subnet
• area id
• hello and dead interval timers
• authentication
• area stub flag
• MTU
By default, OSPF sends Hello packets every 10 seconds on an Ethernet network (Hello
interval). The dead timer is four times the value of the hello interval, so if a router on an
Ethernet network doesn't receive at least one Hello packet from an OSPF neighbor for
40 seconds, the router declares that neighbor "down".
network it doesn't know about. The other neighbor replies with the LSUs (Link
State Updates), which contain information about the requested networks. After all the
requested information has been received, the other neighbor goes through the
same process.
6. Full state - both routers have a synchronized database and are fully adjacent
with each other.
OSPF areas
OSPF uses the concept of areas. An area is a logical grouping of contiguous networks
and routers. All routers in the same area have the same topology table, but they don't
know about routers in the other areas. The main benefits of creating areas are that the
size of the topology table and the routing table on a router is reduced, less time is
required to run the SPF algorithm, and routing updates are also reduced.
Each area in the OSPF network has to connect to the backbone area (area 0). All routers
inside an area must have the same area ID to become OSPF neighbors. A router that
has interfaces in more than one area (area 0 and area 1, for example) is called an Area
Border Router (ABR). A router that connects an OSPF network to other routing domains
(an EIGRP network, for example) is called an Autonomous System Border Router (ASBR). [16]
All routers are running OSPF. Routers R1 and R2 are inside the backbone area (area
0). Router R3 is an ABR, because it has interfaces in two areas, namely area 0 and
area 1. Routers R4 and R5 are inside area 1. Router R6 is an ASBR, because it
connects the OSPF network to another routing domain (an EIGRP domain in this case). If
R1's directly connected subnet fails, router R1 sends the routing update only to R2
and R3, because all routing updates are localized inside the area.
NOTE – the role of an ABR is to advertise address summaries to neighboring areas.
The role of an ASBR is to connect an OSPF routing domain to another external network
(e.g. Internet, EIGRP network...).
LSAs (Link-State Advertisements) are used by OSPF routers to exchange topology
information. Each LSA contains routing and topology information that describes a part of an
OSPF network. When two neighbors decide to exchange routes, they send each other a
list of all LSAs in their respective topology database. Each router then checks its
topology database and sends a Link State Request (LSR) message requesting all
LSAs not found in its topology table. The other router responds with a Link State Update
(LSU) that contains all LSAs requested by the other neighbor. [17]
After configuring OSPF on both routers, the routers exchange LSAs to describe their
respective topology databases. Router R1 sends an LSA header for its directly
connected network 10.0.1.0/24. Router R2 checks its topology database and determines
that it doesn't have information about that network. Router R2 then sends a Link State
Request message requesting further information about that network. Router R1
responds with a Link State Update which contains information about subnet 10.0.1.0/24
(next hop address, cost...).
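The database synchronization just described (a summary of LSA headers, then a Link State Request for what is missing, then a Link State Update carrying the full LSAs) as an added Python model; it is not part of the report, and the router IDs, LSA contents and sequence numbers are constructed. A sequence number is carried in each header so the comparison also covers the case where both routers already hold the same LSA but one copy is newer, which is the other reason a router issues an LSR.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Key = Tuple[str, str]   # (LS type, link-state ID) identifies one LSA in the LSDB


@dataclass
class LSA:
    """Minimal link-state advertisement: header fields plus the payload a router needs."""
    ls_type: str              # e.g. "router"
    ls_id: str                # advertising router ID for a router LSA
    seq: int                  # sequence number; the higher value is the newer copy
    payload: dict = field(default_factory=dict)

    @property
    def key(self) -> Key:
        return (self.ls_type, self.ls_id)

    @property
    def header(self) -> Tuple[str, str, int]:
        return (self.ls_type, self.ls_id, self.seq)


class OspfRouter:
    def __init__(self, rid: str, lsas: List[LSA]):
        self.rid = rid
        self.lsdb: Dict[Key, LSA] = {l.key: l for l in lsas}

    def database_description(self) -> List[Tuple[str, str, int]]:
        """DBD packet: a summary of headers only, never the full LSAs."""
        return [l.header for l in self.lsdb.values()]

    def link_state_request(self, peer_headers) -> List[Key]:
        """Ask for every LSA the peer has that is missing here or newer than our copy."""
        wanted = []
        for ls_type, ls_id, seq in peer_headers:
            mine = self.lsdb.get((ls_type, ls_id))
            if mine is None or mine.seq < seq:
                wanted.append((ls_type, ls_id))
        return wanted

    def link_state_update(self, requested: List[Key]) -> List[LSA]:
        """Answer an LSR with the full LSAs."""
        return [self.lsdb[k] for k in requested]

    def install(self, lsas: List[LSA]) -> None:
        for l in lsas:
            self.lsdb[l.key] = l
        # A real router would now flood the new LSAs onward and re-run SPF.


def synchronize(a: OspfRouter, b: OspfRouter) -> List[str]:
    """Run the Exchange/Loading steps in both directions; return the message transcript."""
    transcript = []
    for sender, receiver in ((a, b), (b, a)):
        headers = sender.database_description()
        transcript.append(f"{sender.rid} -> {receiver.rid} DBD {sorted(headers)}")
        wanted = receiver.link_state_request(headers)
        transcript.append(f"{receiver.rid} -> {sender.rid} LSR {sorted(wanted)}")
        update = sender.link_state_update(wanted)
        transcript.append(f"{sender.rid} -> {receiver.rid} LSU {sorted(l.header for l in update)}")
        receiver.install(update)
    return transcript


def sample_routers() -> Tuple[OspfRouter, OspfRouter]:
    """Constructed sample: R1 owns 10.0.1.0/24; both routers hold an LSA from a
    third router, R2's copy being older (seq 4 versus 5)."""
    r1 = OspfRouter("R1", [
        LSA("router", "1.1.1.1", 1, {"networks": ["10.0.1.0/24"]}),
        LSA("router", "3.3.3.3", 5, {"networks": ["10.0.3.0/24"]}),
    ])
    r2 = OspfRouter("R2", [
        LSA("router", "2.2.2.2", 1, {"networks": ["10.0.2.0/24"]}),
        LSA("router", "3.3.3.3", 4, {"networks": []}),
    ])
    return r1, r2


if __name__ == "__main__":
    r1, r2 = sample_routers()
    for line in synchronize(r1, r2):
        print(line)
```

Running it prints six messages: R2 requests both 1.1.1.1 and the newer 3.3.3.3 from R1, while R1 only requests 2.2.2.2 from R2, since by the time R2 sends its summary it already holds the refreshed 3.3.3.3. After the exchange both LSDBs are identical, which is the Full state.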
Chapter 3
3.1 IP Planning
IP addresses are an integral part of any corporate network, and companies large and small are
consuming them faster with more applications and devices than ever before. Overlooking the
importance of getting a handle on IP addresses can prove disastrous. IP addresses are one of
the most critical resources that need to be managed in any network. Every networked
application and device from e-mail and Web connectivity to file storage and networked printers
depends on IP and requires address assignment. That presents a big enough challenge, but it's
becoming an even bigger challenge as new core services like VoIP and mobile networks
increase IP address assignment needs, requiring more robust allocation, classification, and
tracking of addresses.
d. Loans & Advance Section 05
These networks are further divided into sub-networks, for example:
IT Division Network
1. IT Admin
2. Network Team
3. Database Team
4. System Team
4.2 IP Allocation
Prefix: FFFF:FFFF:FFFF:FFFF:0000:0000:0000:0000
or /64
The gateway is the last IP of the corresponding network; switches get the second-to-last
IP and continue downward from there.
Server LAN
===========
2001:DF1:6400:135::/67
----------------------
Network: 2001:DF1:6400:135::/120
1st IP: 2001:DF1:6400:135::/120
Last IP: 2001:DF1:6400:135::FF/120
Number Of Host: 256
-------------------------------------
Server IP
=======
DNS Server: 2001:DF1:6400:135::/120
Database Server: 2001:DF1:6400:135::1/120
Mail Server: 2001:DF1:6400:135::2/120
FTP & SYSLog Server: 2001:DF1:6400:135::3/120
NTP & DHCP Server: 2001:DF1:6400:135::4/120
Backup Server: 2001:DF1:6400:135::5/120
Web Server: 2001:DF1:6400:135::6/120
CMS Server: 2001:DF1:6400:135::7/120
IT Department
==============
2001:DF1:6400:135:2000::/67
---------------------------
2001:DF1:6400:135:2000:0:3:e800/122
2001:DF1:6400:135:2000:0:3:e840/122
2001:DF1:6400:135:2000:0:3:e880/122
2001:DF1:6400:135:2000:0:3:e8c0/122
Core 1 Network
---------------------
Network: 2001:DF1:6400:135:2000:0:3:e800/122
1st IP: 2001:DF1:6400:135:2000:0:3:e800/122
Last IP: 2001:DF1:6400:135:2000:0:3:e83F/122
Number Of Host: 64
Core 2 Network
---------------------
Network: 2001:DF1:6400:135:2000:0:3:e840/122
1st IP: 2001:DF1:6400:135:2000:0:3:e840/122
Last IP: 2001:DF1:6400:135:2000:0:3:e87F/122
Number Of Host: 64
Distribute Network
---------------------
Network: 2001:DF1:6400:135:2000:0:3:e880/122
1st IP: 2001:DF1:6400:135:2000:0:3:e880/122
Last IP: 2001:DF1:6400:135:2000:0:3:e8BF/122
Number Of Host: 64
Admin Network
--------------
Network: 2001:DF1:6400:135:2000::/120
1st IP: 2001:DF1:6400:135:2000::/120
Last IP: 2001:DF1:6400:135:2000::FF/120
Number Of Host: 256
[Figure 26 : Windows 7- Network & Sharing Center]
3. Click on Properties
7. Provide dedicated IP Address
a. IPv6 Address: 2001:DF1:6400:135:2000::
b. Subnet Prefix length: 120
c. Default gateway: 2001:DF1:6400:135:2000::FF
d. Preferred DNS Server: 2001:DF1:6400:135::
Admin_PC2 IP address:
a. IPv6 Address: 2001:DF1:6400:135:2000::1
b. Subnet Prefix length: 120
c. Default gateway: 2001:DF1:6400:135:2000::FF
d. Preferred DNS Server: 2001:DF1:6400:135::
Printer_Admin IP address:
a. IPv6 Address: 2001:DF1:6400:135:2000::F6
b. IPv6 Gateway: 2001:DF1:6400:135:2000::FF
c. IPv6 DNS Server: 2001:DF1:6400:135::
Network Team:
-------------
Network: 2001:DF1:6400:135:2000::100/120
1st IP: 2001:DF1:6400:135:2000::100/120
Last IP: 2001:DF1:6400:135:2000::1FF/120
Number Of Host: 256
Net_PC1 IP address:
a. IPv6 Address: 2001:DF1:6400:135:2000::100
b. Subnet Prefix length: 120
c. Default gateway: 2001:DF1:6400:135:2000::1FF
d. Preferred DNS Server: 2001:DF1:6400:135::
Net_PC2 IP address:
a. IPv6 Address: 2001:DF1:6400:135:2000::101
b. Subnet Prefix length: 120
c. Default gateway: 2001:DF1:6400:135:2000::1FF
d. Preferred DNS Server: 2001:DF1:6400:135::
Printer_Net IP address:
a. IPv6 Address: 2001:DF1:6400:135:2000::1F6
b. IPv6 Gateway: 2001:DF1:6400:135:2000::1FF
c. IPv6 DNS Server: 2001:DF1:6400:135::
Database Team:
--------------
Network: 2001:DF1:6400:135:2000::200/120
1st IP: 2001:DF1:6400:135:2000::200/120
Last IP: 2001:DF1:6400:135:2000::2FF/120
Number Of Host: 256
System Team:
-------------
Network: 2001:DF1:6400:135:2000::300/120
1st IP: 2001:DF1:6400:135:2000::300/120
Last IP: 2001:DF1:6400:135:2000::3FF/120
Number Of Host: 256
Card Department:
===============
2001:DF1:6400:135:4000::/67
-------------------------------
2001:DF1:6400:135:4000::/120 Card Admin
2001:DF1:6400:135:4000::100/120 Production
2001:DF1:6400:135:4000::200/120 Operation
2001:DF1:6400:135:4000::300/120 Switching
2001:DF1:6400:135:4000::400/120
Card Admin
============
Network: 2001:DF1:6400:135:4000::/120
1st IP: 2001:DF1:6400:135:4000::/120
Last IP: 2001:DF1:6400:135:4000::FF/120
Number Of Host: 256
Production:
===========
Network: 2001:DF1:6400:135:4000::100/120
1st IP: 2001:DF1:6400:135:4000::100/120
Last IP: 2001:DF1:6400:135:4000::1FF/120
Number Of Host: 256
Card Operation:
==============
Network: 2001:DF1:6400:135:4000::200/120
1st IP: 2001:DF1:6400:135:4000::200/120
Last IP: 2001:DF1:6400:135:4000::2FF/120
Number Of Host: 256
Switching
===========
Network: 2001:DF1:6400:135:4000::300/120
1st IP: 2001:DF1:6400:135:4000::300/120
Last IP: 2001:DF1:6400:135:4000::3FF/120
Number Of Host: 256
Default Gateway: 2001:DF1:6400:135:4000::3FF
Preferred DNS Server: 2001:DF1:6400:135::
Head Office
===========
2001:DF1:6400:135:6000::/67
-------------------------------
2001:DF1:6400:135:6000::/118 HR Division
2001:DF1:6400:135:6000::400/118 CAD
2001:DF1:6400:135:6000::800/118 Audit Division
2001:DF1:6400:135:6000::c00/118 GSDD
2001:DF1:6400:135:6000::1000/118 Law Division
2001:DF1:6400:135:6000::1400/118
2001:DF1:6400:135:6000::1800/118
HR Division:
------------
Network: 2001:DF1:6400:135:6000::/118
1st IP: 2001:DF1:6400:135:6000::/118
Last IP: 2001:DF1:6400:135:6000::3FF/118
Number Of Host: 1024
Audit Division:
---------------------------
Network: 2001:DF1:6400:135:6000::800/118
1st IP: 2001:DF1:6400:135:6000::800/118
Last IP: 2001:DF1:6400:135:6000::BFF/118
Number Of Host: 1024
Network: 2001:DF1:6400:135:6000::C00/118
1st IP: 2001:DF1:6400:135:6000::C00/118
Last IP: 2001:DF1:6400:135:6000::FFF/118
Number Of Host: 1024
Law Division:
---------------------------
Network: 2001:DF1:6400:135:6000::1000/118
1st IP: 2001:DF1:6400:135:6000::1000/118
Last IP: 2001:DF1:6400:135:6000::13FF/118
Number Of Host: 1024
Region of Branches
==================
2001:DF1:6400:135:8000::/71 Dhaka Region
2001:DF1:6400:135:8200::/71 Mymansing Region
2001:DF1:6400:135:8400::/71 Faridpur Region
2001:DF1:6400:135:8600::/71 Khulna Region
2001:DF1:6400:135:8800::/71 Barisal Region
2001:DF1:6400:135:8A00::/71 Chittagong Region
2001:DF1:6400:135:8C00::/71 Comilla Region
2001:DF1:6400:135:8E00::/71 Sylhet Region
2001:DF1:6400:135:9000::/71 Rajshahi Region
2001:DF1:6400:135:9200::/71 Rongpur Region
2001:DF1:6400:135:9400::/71
2001:DF1:6400:135:9600::/71
2001:DF1:6400:135:9800::/71
2001:DF1:6400:135:9A00::/71
2001:DF1:6400:135:9C00::/71
2001:DF1:6400:135:9E00::/71
Dhaka Region
-------------
2001:DF1:6400:135:8000::/71
---------------------------
2001:DF1:6400:135:8000::/121 Principal Branch
2001:DF1:6400:135:8000::80/121 Gulshan Branch
2001:DF1:6400:135:8000::100/121 Mirpur Branch
2001:DF1:6400:135:8000::180/121 Tongi Branch
2001:DF1:6400:135:8000::200/121
2001:DF1:6400:135:8000::280/121
2001:DF1:6400:135:8000::300/121
2001:DF1:6400:135:8000::380/121
2001:DF1:6400:135:8000::400/121
2001:DF1:6400:135:8000::480/121
...
...
2001:DF1:6400:135:8000:0:1:f380/121
2001:DF1:6400:135:8000:0:1:f400/121
Principal Branch Dhaka
-------------------------
Network: 2001:DF1:6400:135:8000::/121
1st IP: 2001:DF1:6400:135:8000::/121
Last IP: 2001:DF1:6400:135:6000::7F/121
Number Of Host: 128
---------------------
2001:DF1:6400:135:8000::/123 IT
2001:DF1:6400:135:8000::20/123 General Section
2001:DF1:6400:135:8000::40/123 Cash Section
2001:DF1:6400:135:8000::60/123 Loans & Advance
IT
---------------
1st IP: 2001:DF1:6400:135:8000:: /123
Gateway IP: 2001:DF1:6400:135:8000::1F/123
Number Of Host: 32
General Section
---------------
1st IP: 2001:DF1:6400:135:8000::20/123
Gateway IP: 2001:DF1:6400:135:8000::3F/123
Number Of Host: 32
Cash Section
--------------
Cash Officer IP: 2001:DF1:6400:135:8000::40/123
Gateway IP: 2001:DF1:6400:135:8000::5F/123
Number Of Host: 32
Cash_PC1: 2001:DF1:6400:135:8000::41/123
Cash_PC2: 2001:DF1:6400:135:8000::42/123
Gulshan Branch:
---------------
Network: 2001:DF1:6400:135:8000::80/121
2001:DF1:6400:135:8000::80/123 IT
2001:DF1:6400:135:8000::a0/123 General Section
2001:DF1:6400:135:8000::c0/123 Cash Section
2001:DF1:6400:135:8000::e0/123 Loans & Advance
IT
---------------
1st IP: 2001:DF1:6400:135:8000::80 /123
Gateway IP: 2001:DF1:6400:135:8000::9F/123
Number Of Host: 32
General Section
---------------
1st IP: 2001:DF1:6400:135:8000::A0/123
Gateway IP: 2001:DF1:6400:135:8000::BF/123
Number Of Host: 32
Cash Section
--------------
Cash Officer IP: 2001:DF1:6400:135:8000::C0/123
Gateway IP: 2001:DF1:6400:135:8000::DF/123
Number Of Host: 32
Cash_PC1: 2001:DF1:6400:135:8000::C1/123
Cash_PC2: 2001:DF1:6400:135:8000::C2/123
Chittagong Region
=====================================
2001:DF1:6400:135:8a00::/71
-----------------------------
2001:DF1:6400:135:8A00::/121 Ctg Corporate Branch
2001:DF1:6400:135:8A00::80/121 Main Branch
2001:DF1:6400:135:8A00::100/121 Port Branch
2001:DF1:6400:135:8A00::180/121
...
...
2001:DF1:6400:135:8A00:0:1:f380/121
2001:DF1:6400:135:8A00:0:1:f400/121
---------------------------------
Port Branch
--------------
Network: 2001:DF1:6400:135:8A00::100/121
2001:DF1:6400:135:8A00::100/123 IT
2001:DF1:6400:135:8A00::120/123 General Section
2001:DF1:6400:135:8A00::140/123 Cash Section
2001:DF1:6400:135:8A00::160/123 Loans & Advance
IT
---------------
1st IP: 2001:DF1:6400:135:8A00::100/123
Gateway IP: 2001:DF1:6400:135:8A00::11F/123
Number Of Host: 32
Server: 2001:DF1:6400:135:8A00::100/123
Switch: 2001:DF1:6400:135:8A00::11E/123
General Section
---------------
1st IP: 2001:DF1:6400:135:8A00::120/123
Gateway IP: 2001:DF1:6400:135:8A00::13F/123
Number Of Host: 32
Manager PC: 2001:DF1:6400:135:8A00::120/123
1st pc of General Section: 2001:DF1:6400:135:8A00::121/123
10th PC of General Section: 2001:DF1:6400:135:8A00::12A/123
Printer IP: 2001:DF1:6400:135:8A00::13E/123
Cash Section
--------------
Cash Officer IP: 2001:DF1:6400:135:8A00::140/123
Gateway IP: 2001:DF1:6400:135:8000::15F/123
Number Of Host: 32
Cash_PC1: 2001:DF1:6400:135:8A00::141/123
Cash_PC2: 2001:DF1:6400:135:8A00::142/123
Mazar Branch: (Sylhet Region)
----------------------------------
Network: 2001:DF1:6400:135:8E00::80/121
2001:DF1:6400:135:8E00::80/123 IT
2001:DF1:6400:135:8E00::A0/123 General Section
2001:DF1:6400:135:8E00::C0/123 Cash Section
2001:DF1:6400:135:8E00::E0/123 Loans & Advance
IT
---------------
1st IP: 2001:DF1:6400:135:8E00::80 /123
Gateway IP: 2001:DF1:6400:135:8E00::9F/123
Number Of Host: 32
General Section
---------------
1st IP: 2001:DF1:6400:135:8E00::A0/123
Gateway IP: 2001:DF1:6400:135:8E00::BF/123
Number Of Host: 32
Cash Section
--------------
Cash Officer IP: 2001:DF1:6400:135:8E00::C0/123
Gateway IP: 2001:DF1:6400:135:8E00::DF/123
Number Of Host: 32
Cash_PC1: 2001:DF1:6400:135:8E00::C1/123
Cash_PC2: 2001:DF1:6400:135:8E00::C2/123
Main Branch: (Khulna Region)
---------------
Network: 2001:DF1:6400:135:8600::100/121
2001:DF1:6400:135:8600::100/123 IT
2001:DF1:6400:135:8600::120/123 General Section
2001:DF1:6400:135:8600::140/123 Cash Section
2001:DF1:6400:135:8600::160/123 Loans & Advance
IT
---------------
1st IP: 2001:DF1:6400:135:8600::100/123
Gateway IP: 2001:DF1:6400:135:8600::11F/123
Number Of Host: 32
Server: 2001:DF1:6400:135:8600::100/123
Switch: 2001:DF1:6400:135:8600::11E/123
General Section
---------------
1st IP: 2001:DF1:6400:135:8600::120/123
Gateway IP: 2001:DF1:6400:135:8600::13F/123
Number Of Host: 32
Cash Section
--------------
Cash Officer IP: 2001:DF1:6400:135:8600::140/123
Gateway IP: 2001:DF1:6400:135:8000::15F/123
Number Of Host: 32
Cash_PC1: 2001:DF1:6400:135:8600::141/123
Cash_PC2: 2001:DF1:6400:135:8600::142/123
University Campus Branch: (Rajshahi Region)
---------------
Network: 2001:DF1:6400:135:9000::100/121
2001:DF1:6400:135:9000::100/123 IT
2001:DF1:6400:135:9000::120/123 General Section
2001:DF1:6400:135:9000::140/123 Cash Section
2001:DF1:6400:135:9000::160/123 Loans & Advance
IT
---------------
1st IP: 2001:DF1:6400:135:9000::100/123
Gateway IP: 2001:DF1:6400:135:9000::11F/123
Number Of Host: 32
Server: 2001:DF1:6400:135:9000::100/123
Switch: 2001:DF1:6400:135:9000::11E/123
General Section
---------------
1st IP: 2001:DF1:6400:135:9000::120/123
Gateway IP: 2001:DF1:6400:135:9000::13F/123
Number Of Host: 32
Cash Section
--------------
Cash Officer IP: 2001:DF1:6400:135:9000::140/123
Gateway IP: 2001:DF1:6400:135:8000::15F/123
Number Of Host: 32
Cash_PC1: 2001:DF1:6400:135:9000::141/123
Cash_PC2: 2001:DF1:6400:135:9000::142/123
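A check for the allocation tables above, written as an added Python example (not part of the report) on the standard ipaddress module. It derives a section's first address, last address, gateway and switch addresses from the convention stated in 4.2 (the gateway is the last address of the network, switches take the addresses immediately below it), checks that a listed gateway really lies inside its section's prefix, and checks that a branch prefix lies inside its region's /71. The sample entries are transcribed from the tables in this section; the Port Branch cash section gateway, which is written under the 8000:: prefix although its network is under 8A00::, is the kind of entry the check reports. Comparing the computed last address of each network against the table also exposes transcription slips such as a last address copied from a different block.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Section:
    """One row of the allocation tables: a section's prefix and its listed gateway."""
    name: str
    network: str   # prefix as written in the plan
    gateway: str   # gateway as written in the plan (with or without a prefix length)


def plan_for(prefix: str, switches: int = 2) -> Dict[str, object]:
    """Derive a section's numbers from the convention in 4.2: the gateway is the last
    address of the network and switches take the addresses immediately below it."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    last = net[-1]
    return {
        "network": str(net),
        "first": str(net[0]),
        "last": str(last),
        "hosts": net.num_addresses,
        "gateway": str(last),
        "switches": [str(last - (i + 1)) for i in range(switches)],
    }


def within_aggregate(child: str, parent: str) -> bool:
    """True if a section or branch prefix lies inside its parent block (e.g. a region /71)."""
    return ipaddress.IPv6Network(child, strict=False).subnet_of(
        ipaddress.IPv6Network(parent, strict=False))


def check_section(s: Section) -> List[str]:
    """Report a gateway that is outside its network, not the last address, or written
    with a prefix length different from the network's."""
    problems = []
    net = ipaddress.IPv6Network(s.network, strict=False)
    gw = ipaddress.IPv6Interface(s.gateway)   # a bare address gets /128, ignored below
    if gw.ip not in net:
        problems.append(f"{s.name}: gateway {gw.ip} is outside {net}")
    elif gw.ip != net[-1]:
        problems.append(f"{s.name}: gateway {gw.ip} is not the last address {net[-1]}")
    if "/" in s.gateway and gw.network.prefixlen != net.prefixlen:
        problems.append(f"{s.name}: gateway prefix length /{gw.network.prefixlen} "
                        f"differs from network /{net.prefixlen}")
    return problems


def audit(sections: List[Section]) -> List[str]:
    return [p for s in sections for p in check_section(s)]


def sample_sections() -> List[Section]:
    """Entries transcribed from the tables in this section."""
    return [
        Section("Admin Network", "2001:DF1:6400:135:2000::/120",
                "2001:DF1:6400:135:2000::FF"),
        Section("Port Branch IT", "2001:DF1:6400:135:8A00::100/123",
                "2001:DF1:6400:135:8A00::11F/123"),
        Section("Port Branch Cash Section", "2001:DF1:6400:135:8A00::140/123",
                "2001:DF1:6400:135:8000::15F/123"),
    ]


if __name__ == "__main__":
    print(plan_for("2001:DF1:6400:135:8000::/121"))
    for problem in audit(sample_sections()):
        print("PROBLEM:", problem)
```

The ipaddress module prints addresses in compressed lowercase form (2001:df1:6400:135:8000::7f), so compare against the table values case-insensitively. A gateway outside its own prefix is not only a typo: a host configured with it has no on-link route to its default gateway and is cut off until someone notices.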
3.3 Branch Configuration:
Router
1. Set router clock to the current date and time
Router>enable
Router#clock set 3:18:00 30 Aug 2015
GUL(config)#security passwords min-length 6
5. Protect device configurations from unauthorized access with the encrypted password.
Set the password to PubaliIT
6. Secure all the ways to access the router. Set the passwords to PubaliHO
a) Protect Console Port
GUL(config)#line console 0
GUL(config-line)#password PubaliHO
GUL(config-line)#login
GUL(config-line)#exit
b) Protect Virtual Terminal Line:
GUL(config)#line vty 0 4
GUL(config-line)#password PubaliHO
GUL(config-line)#login
GUL(config-line)#exit
7. Prevent all passwords from being viewed in clear text in device configuration files.
GUL(config)#service password-encryption
8. Prevent device status messages from interrupting command line entries at the device
console.
GUL(config)#line console 0
GUL(config-line)#logging synchronous
GUL(config-line)#exit
9. Prevent the router from attempting to resolve command line entries to IP addresses.
GUL(config)#no ip domain-lookup
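An added Python audit (not part of the report) that checks a saved IOS configuration for the settings applied in steps 5 to 9 above, so the same baseline can be verified on every branch, core and distribution device instead of being re-read by hand. The two configurations embedded in it are constructed to mirror those steps, with placeholder hash and type-7 strings rather than real values. One caveat the audit encodes: service password-encryption stores line passwords as type 7, which only obscures them and is trivially reversible, so the check reports any line that relies on a shared line password and prefers login local with per-user username ... secret entries (which are hashed); it also reports vty lines that do not restrict transport input to SSH, since Telnet carries the password in clear text.

```python
from typing import Dict, List

# Constructed sample configs (assumptions that mirror steps 5-9 of this section; not real
# device output). Hash and type-7 strings are placeholders, not real encodings.
AS_CONFIGURED = """\
hostname GUL
security passwords min-length 6
enable secret 5 $PLACEHOLDER_MD5_HASH
service password-encryption
no ip domain-lookup
line con 0
 password 7 PLACEHOLDER_TYPE7
 login
 logging synchronous
line vty 0 4
 password 7 PLACEHOLDER_TYPE7
 login
"""

HARDENED = """\
hostname GUL
security passwords min-length 6
enable secret PLACEHOLDER_SECRET
username netadmin secret PLACEHOLDER_SECRET
service password-encryption
no ip domain-lookup
line con 0
 login local
 logging synchronous
line vty 0 4
 login local
 transport input ssh
"""


def line_stanzas(config: str) -> Dict[str, List[str]]:
    """Group the indented commands under each 'line ...' stanza."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("line "):
            current = raw.strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None      # back at global configuration level
    return stanzas


def audit(config: str) -> List[str]:
    """Return one finding per missing or weak setting; an empty list means the baseline holds."""
    findings = []
    global_cmds = [l.strip() for l in config.splitlines() if l and not l.startswith(" ")]

    def has_global(prefix: str) -> bool:
        return any(c.startswith(prefix) for c in global_cmds)

    # Step 5: privileged EXEC must be protected by a hashed secret, not 'enable password'
    if not has_global("enable secret"):
        findings.append("no 'enable secret': privileged mode is unprotected or relies on a reversible 'enable password'")
    if not has_global("security passwords min-length"):
        findings.append("no 'security passwords min-length'")
    # Step 7: otherwise line passwords sit in the config file in clear text
    if "service password-encryption" not in global_cmds:
        findings.append("no 'service password-encryption': line passwords are stored in clear text")
    # Step 9: a mistyped command would otherwise hang while the device tries DNS
    if "no ip domain-lookup" not in global_cmds:
        findings.append("no 'no ip domain-lookup'")

    # Step 6: every access line must authenticate, ideally per user
    for line, cmds in line_stanzas(config).items():
        has_password = any(c.startswith("password ") for c in cmds)
        if "login local" in cmds:
            pass   # per-user credentials with hashed 'secret' entries
        elif has_password:
            findings.append(f"{line}: shared line password (type 7 at best, which is reversible); use 'login local' with 'username ... secret'")
        elif "login" in cmds:
            findings.append(f"{line}: 'login' with no credential configured")
        else:
            findings.append(f"{line}: no authentication configured")
        if line.startswith("line vty") and not any(c.startswith("transport input") for c in cmds):
            findings.append(f"{line}: no 'transport input ssh'; Telnet would carry the password in clear text")
    return findings


if __name__ == "__main__":
    for name, cfg in (("as configured", AS_CONFIGURED), ("hardened", HARDENED)):
        print(name, audit(cfg) or ["OK"])
```

Run it against the output of show running-config saved from each device; the three findings it raises for the as-configured sample (two shared line passwords and an unrestricted vty transport) disappear with the hardened variant.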
GUL(config-subif)#ipv6 address 2001:DF1:6400:135:8000::FF/120
GUL(config-subif)#no shutdown
GUL(config-subif)# exit
Switch:
1. Set Switch clock to the current date and time
Switch>enable
Switch#clock set 3:18:00 30 Aug 2015
5. Protect device configurations from unauthorized access with the encrypted password.
Set the password to PubaliIT
GUL_SW(config)#enable secret PubaliIT
6. Secure all the ways to access the Switch. Set the passwords to PubaliHO
a) Protect Console Port
GUL_SW(config)#line console 0
GUL_SW(config-line)#password PubaliHO
GUL_SW(config-line)#login
GUL_SW(config-line)#exit
b) Protect Virtual Terminal Line:
GUL_SW(config)#line vty 0 4
GUL_SW(config-line)#password PubaliHO
GUL_SW(config-line)#login
GUL_SW(config-line)#exit
7. Prevent all passwords from being viewed in clear text in device configuration files.
GUL_SW(config)#service password-encryption
8. Prevent device status messages from interrupting command line entries at the device
console.
GUL_SW(config)#line console 0
GUL_SW(config-line)#logging synchronous
GUL_SW(config-line)#exit
9. Prevent the Switch from attempting to resolve command line entries to IP addresses.
GUL_SW(config)#no ip domain-lookup
GUL_SW(config-if-range)# no shutdown
GUL_SW(config-if-range)# exit
GUL_SW(config)# interface range fastEthernet 0/6 - 10
GUL_SW(config-if-range)# switchport mode access
GUL_SW(config-if-range)# switchport access vlan 300
GUL_SW(config-if-range)# no shutdown
GUL_SW(config-if-range)# exit
GUL_SW(config)# interface range fastEthernet 0/11 - 15
GUL_SW(config-if-range)# switchport mode access
GUL_SW(config-if-range)# switchport access vlan 400
GUL_SW(config-if-range)# no shutdown
GUL_SW(config-if-range)# exit
Port Branch Configuration
Router
1. Set router clock to the current date and time
Router>enable
Router#clock set 3:18:00 30 Aug 2015
5. Protect device configurations from unauthorized access with the encrypted password.
Set the password to PubaliIT
6. Secure all the ways to access the router. Set the passwords to PubaliHO
a) Protect Console Port
PORT(config)#line console 0
PORT(config-line)#password PubaliHO
PORT(config-line)#login
PORT(config-line)#exit
b) Protect Virtual Terminal Line:
PORT(config)#line vty 0 4
PORT(config-line)#password PubaliHO
PORT(config-line)#login
PORT(config-line)#exit
7. Prevent all passwords from being viewed in clear text in device configuration files.
PORT(config)#service password-encryption
8. Prevent device status messages from interrupting command line entries at the device
console.
PORT(config)#line console 0
PORT(config-line)#logging synchronous
PORT(config-line)#exit
9. Prevent the router from attempting to resolve command line entries to IP addresses.
PORT(config)#no ip domain-lookup
Switch:
1. Set Switch clock to the current date and time
Switch>enable
Switch#clock set 3:18:00 30 Aug 2015
5. Protect device configurations from unauthorized access with the encrypted password.
Set the password to PubaliIT
6. Secure all the ways to access the Switch. Set the passwords to PubaliHO
a) Protect Console Port
PORT_SW(config)#line console 0
PORT_SW(config-line)#password PubaliHO
PORT_SW(config-line)#login
PORT_SW(config-line)#exit
b) Protect Virtual Terminal Line:
PORT_SW(config)#line vty 0 4
PORT_SW(config-line)#password PubaliHO
PORT_SW(config-line)#login
PORT_SW(config-line)#exit
7. Prevent all passwords from being viewed in clear text in device configuration files.
PORT_SW(config)#service password-encryption
8. Prevent device status messages from interrupting command line entries at the device
console.
PORT_SW(config)#line console 0
PORT_SW(config-line)#logging synchronous
PORT_SW(config-line)#exit
9. Prevent the Switch from attempting to resolve command line entries to IP addresses.
PORT_SW(config)#no ip domain-lookup
4.3 Configuring Data Center Devices:
5. Protect device configurations from unauthorized access with the encrypted password.
Set the password to PubaliIT
6. Secure all the ways to access the router. Set the passwords to PubaliHO
a) Protect Console Port
DC(config)#line console 0
DC(config-line)#password PubaliHO
DC(config-line)#login
DC(config-line)#exit
b) Protect Virtual Terminal Line:
DC(config)#line vty 0 4
DC(config-line)#password PubaliHO
DC(config-line)#login
DC(config-line)#exit
7. Prevent all passwords from being viewed in clear text in device configuration files.
DC(config)#service password-encryption
8. Prevent device status messages from interrupting command line entries at the device
console.
DC(config)#line console 0
DC(config-line)#logging synchronous
DC(config-line)#exit
9. Prevent the router from attempting to resolve command line entries to IP addresses.
DC(config)#no ip domain-lookup
Configuring Core Router 1 :
5. Protect device configurations from unauthorized access with the encrypted password.
Set the password to PubaliIT
6. Secure all the ways to access the router. Set the passwords to PubaliHO
a) Protect Console Port
CORE_1(config)#line console 0
CORE_1(config-line)#password PubaliHO
CORE_1(config-line)#login
CORE_1(config-line)#exit
b) Protect Virtual Terminal Line:
CORE_1(config)#line vty 0 4
CORE_1(config-line)#password PubaliHO
CORE_1(config-line)#login
CORE_1(config-line)#exit
7. Prevent all passwords from being viewed in clear text in device configuration files.
CORE_1(config)#service password-encryption
8. Prevent device status messages from interrupting command line entries at the device
console.
CORE_1(config)#line console 0
CORE_1(config-line)#logging synchronous
CORE_1(config-line)#exit
9. Prevent the router from attempting to resolve command line entries to IP addresses.
CORE_1(config)#no ip domain-lookup
Configuring Core Router 2 :
5. Protect device configurations from unauthorized access with the encrypted password.
Set the password to PubaliIT
6. Secure all the ways to access the router. Set the passwords to PubaliHO
a) Protect Console Port
CORE_2(config)#line console 0
CORE_2(config-line)#password PubaliHO
CORE_2(config-line)#login
CORE_2(config-line)#exit
b) Protect Virtual Terminal Line:
CORE_2(config)#line vty 0 4
CORE_2(config-line)#password PubaliHO
CORE_2(config-line)#login
CORE_2(config-line)#exit
7. Prevent all passwords from being viewed in clear text in device configuration files.
CORE_2(config)#service password-encryption
8. Prevent device status messages from interrupting command line entries at the device
console.
CORE_2(config)#line console 0
CORE_2(config-line)#logging synchronous
CORE_2(config-line)#exit
9. Prevent the router from attempting to resolve command line entries to IP addresses.
CORE_2(config)#no ip domain-lookup
Configuring Core Switch 1
5. Protect device configurations from unauthorized access with the encrypted password.
Set the password to PubaliIT
6. Secure all the ways to access the Switch. Set the passwords to PubaliHO
a) Protect Console Port
CORE_SW1(config)#line console 0
CORE_SW1(config-line)#password PubaliHO
CORE_SW1(config-line)#login
CORE_SW1(config-line)#exit
b) Protect Virtual Terminal Line:
CORE_SW1(config)#line vty 0 4
CORE_SW1(config-line)#password PubaliHO
CORE_SW1(config-line)#login
CORE_SW1(config-line)#exit
7. Prevent all passwords from being viewed in clear text in device configuration files.
CORE_SW1(config)#service password-encryption
8. Prevent device status messages from interrupting command line entries at the device
console.
CORE_SW1(config)#line console 0
CORE_SW1(config-line)#logging synchronous
CORE_SW1(config-line)#exit
9. Prevent the Switch from attempting to resolve command line entries to IP addresses.
CORE_SW1(config)#no ip domain-lookup
Configuring Core Switch 2
5. Protect device configurations from unauthorized access with the encrypted password.
Set the password to PubaliIT
6. Secure all the ways to access the Switch. Set the passwords to PubaliHO
a) Protect Console Port
CORE_SW2(config)#line console 0
CORE_SW2(config-line)#password PubaliHO
CORE_SW2(config-line)#login
CORE_SW2(config-line)#exit
b) Protect Virtual Terminal Line:
CORE_SW2(config)#line vty 0 4
CORE_SW2(config-line)#password PubaliHO
CORE_SW2(config-line)#login
CORE_SW2(config-line)#exit
7. Prevent all passwords from being viewed in clear text in device configuration files.
CORE_SW2(config)#service password-encryption
8. Prevent device status messages from interrupting command line entries at the device
console.
CORE_SW2(config)#line console 0
CORE_SW2(config-line)#logging synchronous
CORE_SW2(config-line)#exit
9. Prevent the Switch from attempting to resolve command line entries to IP addresses.
CORE_SW2(config)#no ip domain-lookup
Configuring Distribution Switch 1
5. Protect device configurations from unauthorized access with the encrypted password.
Set the password to PubaliIT
6. Secure all the ways to access the Switch. Set the passwords to PubaliHO
a) Protect Console Port
DIST_SW1(config)#line console 0
DIST_SW1(config-line)#password PubaliHO
DIST_SW1(config-line)#login
DIST_SW1(config-line)#exit
b) Protect Virtual Terminal Line:
DIST_SW1(config)#line vty 0 4
DIST_SW1(config-line)#password PubaliHO
DIST_SW1(config-line)#login
DIST_SW1(config-line)#exit
7. Prevent all passwords from being viewed in clear text in device configuration files.
DIST_SW1(config)#service password-encryption
8. Prevent device status messages from interrupting command line entries at the device
console.
DIST_SW1(config)#line console 0
DIST_SW1(config-line)#logging synchronous
DIST_SW1(config-line)#exit
9. Prevent the Switch from attempting to resolve command line entries to IP addresses.
DIST_SW1(config)#no ip domain-lookup
Configuring Distribution Switch 2
5. Protect device configurations from unauthorized access with the encrypted password.
Set the password to PubaliIT
6. Secure all the ways to access the Switch. Set the passwords to PubaliHO
a) Protect Console Port
DIST_SW2(config)#line console 0
DIST_SW2(config-line)#password PubaliHO
DIST_SW2(config-line)#login
DIST_SW2(config-line)#exit
b) Protect Virtual Terminal Line:
DIST_SW2(config)#line vty 0 4
DIST_SW2(config-line)#password PubaliHO
DIST_SW2(config-line)#login
DIST_SW2(config-line)#exit
7. Prevent all passwords from being viewed in clear text in device configuration files.
DIST_SW2(config)#service password-encryption
8. Prevent device status messages from interrupting command line entries at the device
console.
DIST_SW2(config)#line console 0
DIST_SW2(config-line)#logging synchronous
DIST_SW2(config-line)#exit
9. Prevent the Switch from attempting to resolve command line entries to IP addresses.
DIST_SW2(config)#no ip domain-lookup
Configuring IT Department Router:
5. Protect device configurations from unauthorized access with the encrypted password. Set the password to PubaliIT.
6. Secure all the ways to access the router. Set the passwords to PubaliHO.
a) Protect Console Port:
IT(config)#line console 0
IT(config-line)#password PubaliHO
IT(config-line)#login
IT(config-line)#exit
b) Protect Virtual Terminal Line:
IT(config)#line vty 0 4
IT(config-line)#password PubaliHO
IT(config-line)#login
IT(config-line)#exit
7. Prevent all passwords from being viewed in clear text in device configuration files.
IT(config)#service password-encryption
8. Prevent device status messages from interrupting command line entries at the device console.
IT(config)#line console 0
IT(config-line)#logging synchronous
IT(config-line)#exit
9. Prevent the router from attempting to resolve command line entries to IP addresses.
IT(config)#no ip domain-lookup
IT(config)#interface gigabitEthernet 0/1
IT(config-if)#ipv6 address 2001:DF1:6400:135:2000::3:E804/122
IT(config-if)#no shutdown
IT(config-if)#exit
Configuring IT Department Switch
5. Protect device configurations from unauthorized access with the encrypted password. Set the password to PubaliIT.
6. Secure all the ways to access the Switch. Set the passwords to PubaliHO.
a) Protect Console Port:
ITD_SW(config)#line console 0
ITD_SW(config-line)#password PubaliHO
ITD_SW(config-line)#login
ITD_SW(config-line)#exit
b) Protect Virtual Terminal Line:
ITD_SW(config)#line vty 0 4
ITD_SW(config-line)#password PubaliHO
ITD_SW(config-line)#login
ITD_SW(config-line)#exit
7. Prevent all passwords from being viewed in clear text in device configuration files.
ITD_SW(config)#service password-encryption
8. Prevent device status messages from interrupting command line entries at the device console.
ITD_SW(config)#line console 0
ITD_SW(config-line)#logging synchronous
ITD_SW(config-line)#exit
9. Prevent the Switch from attempting to resolve command line entries to IP addresses.
ITD_SW(config)#no ip domain-lookup
Configuring Card Department Router:
5. Protect device configurations from unauthorized access with the encrypted password. Set the password to PubaliIT.
6. Secure all the ways to access the router. Set the passwords to PubaliHO.
a) Protect Console Port:
CD(config)#line console 0
CD(config-line)#password PubaliHO
CD(config-line)#login
CD(config-line)#exit
b) Protect Virtual Terminal Line:
CD(config)#line vty 0 4
CD(config-line)#password PubaliHO
CD(config-line)#login
CD(config-line)#exit
7. Prevent all passwords from being viewed in clear text in device configuration files.
CD(config)#service password-encryption
8. Prevent device status messages from interrupting command line entries at the device console.
CD(config)#line console 0
CD(config-line)#logging synchronous
CD(config-line)#exit
9. Prevent the router from attempting to resolve command line entries to IP addresses.
CD(config)#no ip domain-lookup
Configuring Card Department Switch:
5. Protect device configurations from unauthorized access with the encrypted password. Set the password to PubaliIT.
6. Secure all the ways to access the Switch. Set the passwords to PubaliHO.
a) Protect Console Port:
CD_SW(config)#line console 0
CD_SW(config-line)#password PubaliHO
CD_SW(config-line)#login
CD_SW(config-line)#exit
b) Protect Virtual Terminal Line:
CD_SW(config)#line vty 0 4
CD_SW(config-line)#password PubaliHO
CD_SW(config-line)#login
CD_SW(config-line)#exit
7. Prevent all passwords from being viewed in clear text in device configuration files.
CD_SW(config)#service password-encryption
8. Prevent device status messages from interrupting command line entries at the device console.
CD_SW(config)#line console 0
CD_SW(config-line)#logging synchronous
CD_SW(config-line)#exit
9. Prevent the Switch from attempting to resolve command line entries to IP addresses.
CD_SW(config)#no ip domain-lookup
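Steps 5 to 9 are typed by hand on every switch and router above, so a check that reads each device's saved running-config and reports which step is missing is the practical way to catch a device that was skipped. The Python below is an added example, not part of this report: the sample configuration is constructed (its hash and type 7 strings are placeholders), the function names are the example's own, and it also reports two things the steps do not cover, vty lines that still accept Telnet, and the fact that service password-encryption only applies reversible type 7 encoding.

```python
"""Audit an IOS-style running-config for hardening steps 5 to 9 above (added example,
not the report's code; the sample config is constructed, hash/type-7 strings are placeholders)."""
import re

# Constructed: roughly what "show running-config" contains after steps 5 to 9.
SAMPLE_CONFIG = """\
service password-encryption
no ip domain-lookup
enable secret 5 $1$PLACEHOLDER$notarealhash
line con 0
 password 7 PLACEHOLDERHEX
 logging synchronous
 login
line vty 0 4
 password 7 PLACEHOLDERHEX
 login
"""

def line_blocks(config: str) -> dict[str, list[str]]:
    """Map each 'line ...' section (e.g. 'con 0', 'vty 0 4') to its indented child commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None
    return blocks

def audit(config: str) -> list[str]:
    findings, top = [], set(config.splitlines())
    for cmd, step in (("service password-encryption", 7), ("no ip domain-lookup", 9)):
        if cmd not in top:
            findings.append(f"step {step}: {cmd} missing")
    if not re.search(r"^enable secret ", config, re.M):
        findings.append("step 5: enable secret missing")
    for name, body in line_blocks(config).items():
        if "login" not in body or not any(c.startswith("password") for c in body):
            findings.append(f"step 6: line {name} has no password/login")
        if name.startswith("con") and "logging synchronous" not in body:
            findings.append(f"step 8: line {name} lacks logging synchronous")
        if name.startswith("vty") and "transport input ssh" not in body:
            findings.append(f"line {name}: Telnet allowed; set transport input ssh")
    # service password-encryption produces type 7, a reversible obfuscation, not encryption.
    if re.search(r"^\s*password 7 ", config, re.M):
        findings.append("type 7 line passwords are reversible; prefer local users with type 8/9 secrets")
    return findings
```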
3.5 OSPF Configuration
Router Core 1
Core_1(config)#ipv6 router ospf 1
Core_1(config-router)#router-id 1.1.1.1
Core_1(config)#interface gigabitEthernet 0/0
Core_1(config-if)#ipv6 ospf 1 area 0
Core_1(config-if)#exit
Core_1(config)#interface gigabitEthernet 0/1
Core_1(config-if)#ipv6 ospf 1 area 0
Core_1(config-if)#exit
Router Core 2
Core_2(config)#ipv6 router ospf 1
Core_2(config-router)#router-id 10.10.10.10
Core_2(config)#interface gigabitEthernet 0/0
Core_2(config-if)#ipv6 ospf 1 area 0
Core_2(config-if)#exit
Core_2(config)#interface gigabitEthernet 0/1
Core_2(config-if)#ipv6 ospf 1 area 0
Core_2(config-if)#exit
DC Router
DC(config)#ipv6 router ospf 1
DC(config-router)#router-id 3.3.3.3
DC(config)#interface gigabitEthernet 0/0
DC(config-if)#ipv6 ospf 1 area 0
DC(config-if)#exit
DC(config)#interface gigabitEthernet 0/1
DC(config-if)#ipv6 ospf 1 area 0
DC(config-if)#exit
DC(config)#interface gigabitEthernet 1/0
DC(config-if)#ipv6 ospf 1 area 0
DC(config-if)#exit
IT Router (the router-id must be unique within the OSPF domain; DC already uses 3.3.3.3, so IT uses 4.4.4.4)
IT(config)#ipv6 router ospf 1
IT(config-router)#router-id 4.4.4.4
IT(config)#interface gigabitEthernet 0/0
IT(config-if)#ipv6 ospf 1 area 0
IT(config-if)#exit
IT(config)#interface gigabitEthernet 0/1
IT(config-if)#ipv6 ospf 1 area 0
IT(config-if)#exit
IT(config)#interface gigabitEthernet 1/0
IT(config-if)#ipv6 ospf 1 area 0
IT(config-if)#exit
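Two mistakes make OSPFv3 adjacencies fail without an obvious error: starting the process with the IPv4 command router ospf (the router-id then lands in an OSPFv2 process that the ipv6 ospf interface command never uses) and giving two routers the same router-id. The Python below is an added example, not part of this report; SNIPPETS is a constructed set of per-router commands in the style of the listings above, deliberately containing both mistakes, and the function name is the example's own.

```python
"""Check per-router OSPFv3 snippets for two mistakes that break adjacency:
a process started with 'router ospf' (OSPFv2) instead of 'ipv6 router ospf', and
a router-id reused on two routers. Added example, not from the report; SNIPPETS
is constructed in the page's style and deliberately contains both mistakes."""
import re
from collections import defaultdict

# Constructed: hostname -> commands typed on that router, prompts stripped.
SNIPPETS = {
    "Core_1": ["ipv6 router ospf 1", "router-id 1.1.1.1",
               "interface gigabitEthernet 0/0", "ipv6 ospf 1 area 0"],
    "DC": ["ipv6 router ospf 1", "router-id 3.3.3.3",
           "interface gigabitEthernet 0/0", "ipv6 ospf 1 area 0"],
    "IT": ["router ospf 1", "router-id 3.3.3.3",  # OSPFv2 process + duplicate id
           "interface gigabitEthernet 0/0", "ipv6 ospf 1 area 0"],
}

def check_ospfv3(snippets: dict[str, list[str]]) -> list[str]:
    """Return findings across all routers; an empty list means the snippets are consistent."""
    findings, owners = [], defaultdict(list)
    for host, lines in snippets.items():
        v6 = {m[1] for l in lines if (m := re.match(r"ipv6 router ospf (\d+)$", l))}
        v4 = {m[1] for l in lines if (m := re.match(r"router ospf (\d+)$", l))}
        for l in lines:
            if m := re.match(r"ipv6 ospf (\d+) area", l):
                pid = m[1]
                if pid not in v6:
                    note = " (its router-id went to OSPFv2)" if pid in v4 else ""
                    findings.append(f"{host}: interface joins OSPFv3 process {pid} "
                                    f"but 'ipv6 router ospf {pid}' is not configured{note}")
            elif m := re.match(r"router-id (\S+)", l):
                owners[m[1]].append(host)
    for rid, hosts in owners.items():
        if len(hosts) > 1:
            findings.append(f"router-id {rid} reused on {', '.join(hosts)}; IDs must be unique")
    return findings
```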
3.6 ISP & VPN Configuration
ISP Configuration
VPN Configuration:
CE1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CE1(config)#crypto isakmp policy 10
CE1(config-isakmp)#encryption 3des
CE1(config-isakmp)#group 2
CE1(config-isakmp)#authentication pre-share
CE1(config-isakmp)#exit
Configure the same IPsec transform set and IPsec profile on routers CE1 and CE2:
CE1(config)#crypto ipsec transform-set ipv6_tran esp-3des esp-sha-hmac
CE1(cfg-crypto-trans)#mode tunnel
CE1(cfg-crypto-trans)#exit
CE1(config)#crypto ipsec profile ipv6_ipsec_pro
(This transform set needs to be bound to the VTI in step 4.)
CE1(ipsec-profile)#set transform-set ipv6_tran
CE1(ipsec-profile)#exit
CE1(config)#
An ISAKMP profile is configured on routers CE1 and CE2; make sure the configuration statement designates the identity address of the appropriate interface on the peer router.
CE1(config)#int tunnel 1
CE1(config-if)#ipv6 enable
CE1(config-if)#ipv6 address 2012::1/64
CE1(config-if)#tunnel source 2001::1
CE1(config-if)#tunnel destination 2002::1
CE1(config-if)#tunnel mode ipsec ipv6
CE1(config-if)#tunnel protection ipsec profile ipv6_ipsec_pro
*Mar 1 01:32:30.907: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
CE1(config-if)#exit
CE2(config)#int tunnel 1
CE2(config-if)#ipv6 enable
CE2(config-if)#ipv6 address 2012::2/64
CE2(config-if)#tunnel source 2002::1
CE2(config-if)#tunnel destination 2001::1
CE2(config-if)#tunnel mode ipsec ipv6
CE2(config-if)#tunnel protection ipsec profile ipv6_ipsec_pro
*Mar 1 01:32:30.907: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
CE2(config-if)#exit
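The ISAKMP policy and transform set above use 3DES, DH group 2 and the IOS default hash (SHA-1), all of which Cisco's Next Generation Encryption guidance lists as legacy; the tunnel will come up, but with algorithms that should not protect banking traffic today. The Python below is an added example, not part of this report: it takes the page's crypto commands as a constructed list with the prompts stripped, reports each weak choice and returns a strengthened equivalent (AES-256, SHA-256, DH group 14); the function and table names are the example's own.

```python
"""Rate the IKEv1/IPsec algorithm choices in the CE1/CE2 VPN configuration above and
return a strengthened equivalent. Added example, not the report's code; ratings follow
Cisco's Next Generation Encryption guidance (3DES, DH group 2 and SHA-1 are legacy)."""

CE1_CRYPTO = [  # constructed copy of the commands typed on CE1, prompts stripped
    "crypto isakmp policy 10",
    "encryption 3des",
    "group 2",
    "authentication pre-share",
    "crypto ipsec transform-set ipv6_tran esp-3des esp-sha-hmac",
]

# ISAKMP policy command -> (why it is weak, hardened replacement)
LEGACY = {
    "encryption des": ("56-bit key, brute-forceable", "encryption aes 256"),
    "encryption 3des": ("64-bit block cipher, deprecated", "encryption aes 256"),
    "hash md5": ("MD5 is broken", "hash sha256"),
    "hash sha": ("SHA-1 is legacy", "hash sha256"),
    "group 1": ("768-bit DH", "group 14"),
    "group 2": ("1024-bit DH, below current minimum", "group 14"),
    "group 5": ("1536-bit DH, legacy", "group 14"),
}
# IPsec transform keyword -> replacement
TRANSFORMS = {"esp-des": "esp-aes 256", "esp-3des": "esp-aes 256",
              "esp-md5-hmac": "esp-sha256-hmac", "esp-sha-hmac": "esp-sha256-hmac"}

def review_crypto(lines: list[str]) -> tuple[list[str], list[str]]:
    findings, hardened, policy_at, has_hash = [], [], None, False
    for line in lines:
        if line.startswith("crypto isakmp policy"):
            policy_at, has_hash = len(hardened), False
        elif line.startswith("hash "):
            has_hash = True
        if line in LEGACY:
            why, fix = LEGACY[line]
            findings.append(f"'{line}': {why}; use '{fix}'")
            line = fix
        elif line.startswith("crypto ipsec transform-set"):
            words = line.split()
            for i, w in enumerate(words):
                if w in TRANSFORMS:
                    findings.append(f"'{w}': legacy transform; use '{TRANSFORMS[w]}'")
                    words[i] = TRANSFORMS[w]
            line = " ".join(words)
        hardened.append(line)
    if policy_at is not None and not has_hash:  # IOS IKEv1 default hash is SHA-1
        findings.append("no 'hash' in isakmp policy: default SHA-1; add 'hash sha256'")
        hardened.insert(policy_at + 1, "hash sha256")
    return findings, hardened
```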
Chapter 4
Requirements
4.1 Requirements for a Branch
Requirements for IPv6 routing are not much different from IPv4 routing. The list of required devices is:
1. Network Interface Card [19]
[Figure 32: NIC]
2. Manageable Switch [20]
[Figure 33: Switch]
3. Router [21]
[Figure 34: Router]
4. Media Converter
4.2 Requirements for Data Center
A banking network Data Center needs many devices to make the network secure and fast. The list of devices is given here:
1. Media Converter
2. Router
3. Gateway
4. Firewall
5. Proxy server
6. NTP Server
7. DNS Server
8. Mail Server
9. FTP Server
10. Fiber Connection: 100 Mbps
Chapter 5
Conclusion
5.1 Summary of Simulation
Cisco Networking Academy is pleased to announce the new release of Packet Tracer, a
Network Simulation Software. Packet Tracer 4.1 is the next major release of the
interactive network simulation and learning tool for Cisco CCNA instructors and
students. It allows users to create network topologies, configure devices, inject packets,
and simulate a network with multiple visual representations. This release of Packet
Tracer focuses on supporting more of the networking protocols taught in the CCNA
curriculum.
Key Features
In the Simulation and Visualization Mode, students can see and control time
intervals, the inner workings of data transfer, and the propagation of data across a
network. This helps students understand the fundamental concepts behind network
operations. A solid understanding of network fundamentals can help accelerate learning
about related concepts.
The physical view of devices such as routers, switches, and hosts, presents graphical
representations of expansion cards and identifies the capabilities of each card. The
physical view also provides geographic representations, including multiple cities,
buildings, and wiring closets.
self-evaluated activities that present immediate feedback to students on their proficiency
in completing the activity.
5.2 Problems with IPv6: IPv6 can run end-to-end encryption. While this technology was
retrofitted into IPv4, it remains an optional extra that isn’t universally used. The encryption and
integrity-checking used in current VPNs is a standard component in IPv6, available for all
connections and supported by all compatible devices and systems. Widespread adoption of
IPv6 will therefore make man-in-the-middle attacks significantly more difficult.
IPv6 also supports more secure name resolution. The Secure Neighbor Discovery (SEND) protocol is capable of enabling cryptographic confirmation that a host is who it claims to be at connection time. This renders Address Resolution Protocol (ARP) poisoning and other naming-based attacks more difficult. And while not a replacement for application- or service-layer verification, it still offers an improved level of trust in connections. With IPv4 it's fairly easy for an attacker to redirect traffic between two legitimate hosts and manipulate the conversation or at least observe it. IPv6 makes this very hard.
This added security depends entirely on proper design and implementation, and the more
complex and flexible infrastructure of IPv6 makes for more work. Nevertheless, properly
configured, IPv6 networking will be significantly more secure than its predecessor.
References