Network Administration - Chapter 6: Teleworker Services
Chapter 6 - Teleworker Services
CCNA Exploration 4.0
Bach Khoa Network Academy - Website: www.bkacad.com
Introduction
Business Requirements for Teleworker Services
• When designing network architectures that support a teleworking
solution, designers must balance organizational requirements for
security, infrastructure management, scalability, and affordability
against the practical needs of teleworkers for ease of use, connection
speeds, and reliability of service.
The Teleworker Solution
• The term broadband refers to advanced communications systems capable of
providing high-speed transmission of services, such as data, voice, and video,
over the Internet and other networks.
• Transmission is provided by a wide range of technologies, including digital
subscriber line (DSL) and fiber-optic cable, coaxial cable, wireless technology,
and satellite.
• Soon, voice over IP (VoIP) and videoconferencing components will become expected
parts of the teleworker's toolkit.
• Home Office Components - The required home office components are a laptop or
desktop computer, broadband access (cable or DSL), and a VPN router or VPN client
software installed on the computer. Additional components might include a wireless
access point. When traveling, teleworkers need an Internet connection and a VPN client
to connect to the corporate network over any available dialup, network, or broadband
connection.
• Corporate Components - Corporate components are VPN-capable routers, VPN
concentrators, multifunction security appliances, authentication, and central
management devices for resilient aggregation and termination of the VPN connections.
Broadband Services
Connecting Teleworkers to the WAN
• The choice of access network technology and the need to ensure suitable bandwidth
are the first considerations to address when connecting teleworkers.
Cable
• The Data-over-Cable Service Interface Specification (DOCSIS) is an international
standard developed by CableLabs, a non-profit research and development consortium
for cable-related technologies.
• DOCSIS specifies the OSI Layer 1 and Layer 2 requirements:
– Physical layer - For data signals that the cable operator can use, DOCSIS specifies
the channel widths (bandwidths of each channel) as 200 kHz, 400 kHz, 800 kHz, 1.6
MHz, 3.2 MHz, and 6.4 MHz. DOCSIS also specifies modulation techniques (the
way to use the RF signal to convey digital data).
– MAC layer - Defines a deterministic access method, time-division multiple access
(TDMA) or synchronous code division multiple access method (S-CDMA).
DSL
• DSL is a means of providing high-speed connections over installed copper wires.
• Several years ago, Bell Labs identified that a typical voice conversation over a local loop
only required bandwidth of 300 Hz to 3 kHz.
• Advances in technology allowed DSL to use the additional bandwidth from 3 kHz up to 1
MHz to deliver high-speed data services over ordinary copper lines.
• The two basic types of DSL technologies are asymmetric (ADSL) and symmetric (SDSL).
• The transfer rates are dependent on the actual length of the local loop, and the type and
condition of its cabling. For satisfactory service, the loop must be less than 5.5
kilometers (3.5 miles).
• The two key components are the DSL transceiver and the DSLAM:
– Transceiver - Connects the teleworker's computer to the DSL line. Usually the
transceiver is a DSL modem connected to the computer by a USB or Ethernet cable.
Newer DSL transceivers are built into small routers with multiple 10/100 switch ports
suitable for home office use.
– DSLAM - Located at the carrier's central office (CO), the DSLAM aggregates the
individual DSL connections from users into one high-capacity link to an ISP, and
thereby to the Internet.
• The major benefit of ADSL is the ability to provide data services along with
POTS voice services.
• ADSL signals distort voice transmission and are split or filtered at the customer
premises. There are two ways to separate ADSL from voice at the customer
premises: using a microfilter or using a splitter.
• A microfilter is a passive low-pass filter with two ends. One end connects to
the telephone, and the other end connects to the telephone wall jack. This
solution eliminates the need for a technician to visit the premises and allows
the user to use any jack in the house for voice or ADSL service.
• POTS splitters separate the DSL traffic from the POTS traffic. The POTS
splitter is a passive device. In the event of a power failure, the voice traffic still
travels to the voice switch in the CO of the carrier.
• Splitters are located at the CO and, in some deployments, at the customer
premises. At the CO, the POTS splitter separates the voice traffic, destined for
POTS connections, and the data traffic destined for the DSLAM.
Broadband Wireless
• Broadband access by ADSL or cable provides teleworkers with faster connections than
dialup, but until recently, SOHO PCs had to connect to a modem or a router over a Cat 5
(Ethernet) cable.
• Wireless networking, or Wi-Fi (wireless fidelity), has improved that situation, not only in
the SOHO, but on enterprise campuses as well.
• The benefits of Wi-Fi extend beyond not having to use or install wired network
connections. Wireless networking provides mobility. Wireless connections provide
increased flexibility and productivity to the teleworker.
• The significant limitation of wireless access has been the need to be within the
local transmission range (typically less than 100 feet) of a wireless router or
wireless access point that has a wired connection to the Internet.
• The concept of hotspots has increased access to wireless connections across
the world. A hotspot is the area covered by one or more interconnected access
points.
• The figure shows a typical home deployment using a single wireless router.
• This deployment uses the hub-and-spoke model: every wireless client communicates
through the one router, which holds the wired connection to the Internet.
• A mesh is a series of access points (radio transmitters) as shown in the figure.
Each access point is in range and can communicate with at least two other
access points.
• A meshed network has several advantages over single router hotspots.
– Installation is easier and can be less expensive because there are fewer
wires.
– Deployment over a large urban area is faster. From an operational point of
view, it is more reliable.
– If a node fails, others in the mesh compensate for it.
• WiMAX (Worldwide Interoperability for Microwave Access) is
telecommunications technology aimed at providing wireless data over
long distances in a variety of ways, from point-to-point links to full
mobile cellular type access.
• A WiMAX network consists of two main components:
– A tower that is similar in concept to a cellular telephone tower. A
single WiMAX tower can provide coverage to an area as large as
3,000 square miles (about 7,800 square kilometers).
– A WiMAX receiver that is similar in size and shape to a PCMCIA
card, or built into a laptop or other wireless device.
• There are three ways to connect to the Internet using satellites: one-way multicast,
one-way terrestrial return, and two-way.
1. One-way multicast satellite Internet systems are used for IP multicast-based data,
audio, and video distribution. Even though most IP protocols require two-way
communication, one-way satellite services can "push" Internet content, including
web pages, to local storage at end-user sites. Full interactivity is not possible.
2. One-way terrestrial return satellite Internet systems use traditional dialup access
to send outbound data through a modem and receive downloads from the satellite.
3. Two-way satellite Internet sends data from remote sites via satellite to a hub,
which then sends the data to the Internet. The satellite dish at each location needs
precise positioning to avoid interference with other satellites.
• Satellite Internet services are used in locations where land-based Internet access
is not available, or for temporary installations that are continually on the move.
• The most common standards are included in the IEEE 802.11 wireless local
area network (WLAN) standard, which addresses the 5 GHz and 2.4 GHz
public (unlicensed) spectrum bands.
• The 802.11n amendment (ratified in 2009) builds on the previous 802.11 standards
by adding multiple-input multiple-output (MIMO) antennas for higher throughput.
• The 802.16 (or WiMAX) standard allows transmissions up to 70 Mb/s, and has
a range of up to 30 miles (50 km). It can operate in licensed or unlicensed
bands of the spectrum from 2 to 6 GHz.
VPN Technology
VPNs and Their Benefits
• VPN technology enables organizations to create private networks over
the public Internet infrastructure that maintain confidentiality and
security.
• Consider these benefits when using VPNs:
– Cost savings - Organizations can use cost-effective, third-party Internet transport
to connect remote offices and users to the main corporate site. This eliminates
expensive dedicated WAN links and modem banks.
– Security - Advanced encryption and authentication protocols protect data from
unauthorized access.
– Scalability - VPNs use the Internet infrastructure within ISPs and carriers, making
it easy for organizations to add new users. Organizations, big and small, are able to
add large amounts of capacity without adding significant infrastructure.
Types of VPNs
• Organizations use site-to-site VPNs to connect dispersed locations in
the same way as a leased line or Frame Relay connection is used.
• Because most organizations now have Internet access, it makes sense
to take advantage of the benefits of site-to-site VPNs.
• Mobile users and telecommuters use remote-access VPNs extensively. In the past,
corporations supported remote users over dialup networks, which usually involved a
toll call and long-distance charges to reach the corporation.
• In a remote-access VPN, each host typically has VPN client software.
VPN Components
• Components required to establish this VPN include:
1. An existing network with servers and workstations
2. A connection to the Internet
3. VPN gateways, such as routers, firewalls, VPN concentrators, and ASAs,
that act as endpoints to establish, manage, and control VPN connections
4. Appropriate software to create and manage VPN tunnels
Characteristics of Secure VPNs
• VPNs use advanced encryption techniques and tunneling
to permit organizations to establish secure, end-to-end,
private network connections over the Internet.
VPN Tunneling
• Tunneling allows the use of public networks like the Internet to carry
data for users as though the users had access to a private network.
• Tunneling encapsulates an entire packet within another packet and
sends the new, composite packet over a network.
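The encapsulation described above, as an added example that is not part of the slides or of any Cisco code: an inner IPv4 packet is wrapped whole inside an outer IPv4 packet addressed between the two tunnel endpoints (protocol number 4, IP-in-IP), then unwrapped at the far end. The addresses, payload and the two gateway addresses 100.0.0.1 and 200.0.0.2 are constructed for the illustration; the header checksum is computed and verified so a corrupted outer header is rejected.

```python
import socket
import struct

# Added example (not from the slides): IP-in-IP encapsulation, the simplest
# form of tunnelling. The inner packet becomes the payload of an outer packet
# whose protocol field is 4 (IP-in-IP). All addresses and data are constructed.

IPPROTO_IPIP = 4


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the 16-bit words of the header (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,               # version 4, IHL 5 words
        0,                  # DSCP/ECN
        20 + len(payload),  # total length
        0, 0,               # identification, flags/fragment offset
        ttl, proto,
        0,                  # checksum placeholder, filled in below
        socket.inet_aton(src), socket.inet_aton(dst),
    )
    csum = struct.pack("!H", ipv4_checksum(header))
    return header[:10] + csum + header[12:] + payload


def parse_ipv4(packet: bytes):
    """Return (src, dst, proto, payload); reject a header whose checksum fails."""
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:   # a valid header sums to zero
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", packet[2:4])[0]
    proto = packet[9]
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    return src, dst, proto, packet[ihl:total_len]


def encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Wrap an entire IP packet inside an outer packet between the tunnel endpoints."""
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_IPIP, inner)


def decapsulate(outer: bytes) -> bytes:
    """Strip the outer header and hand back the original inner packet."""
    _, _, proto, inner = parse_ipv4(outer)
    if proto != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP packet")
    parse_ipv4(inner)                      # validate the inner header as well
    return inner


if __name__ == "__main__":
    # Constructed path: teleworker LAN host -> corporate host, carried between
    # the two VPN gateways 100.0.0.1 and 200.0.0.2 used later in the slides.
    inner = build_ipv4("192.168.1.10", "172.16.1.20", 17, b"constructed UDP payload")
    outer = encapsulate(inner, "100.0.0.1", "200.0.0.2")
    print("outer:", parse_ipv4(outer)[:3], "carrying", len(inner), "bytes")
    print("inner:", parse_ipv4(decapsulate(outer))[:3])
```

Plain IP-in-IP only gives reachability: everything inside the outer packet travels in the clear and anyone on the path can read or alter it. IPsec tunnel mode keeps exactly this structure but places an ESP header between the outer IP header and the inner packet and encrypts and authenticates everything after it.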
VPN Encryption
• For encryption to work, both the sender and the receiver must know the rules used to
transform the original message into its coded form.
• VPN encryption rules consist of an algorithm and a key. The algorithm is a mathematical
function that combines the message (text, digits, or both) with the key; the output is
ciphertext that is unreadable without the key. The algorithm itself is public, so only the
key is secret: key length and key handling decide how strong the protection really is.
• Some of the more common encryption algorithms and the key lengths they use are as follows:
– Data Encryption Standard (DES) - 56-bit key; breakable by brute force and no longer acceptable.
– Triple DES (3DES) - three 56-bit keys (168 bits nominal, about 112 bits effective);
deprecated in favour of AES.
– Advanced Encryption Standard (AES) - 128-, 192- or 256-bit keys; the current standard
choice for IPsec.
– Rivest, Shamir, and Adleman (RSA) - an asymmetric (public-key) algorithm with keys of
2048 bits or more; in VPNs it is used for peer authentication (RSA signatures), not for
bulk data encryption.
VPN Data Integrity
• Hashes contribute to data integrity and authentication by detecting whether
unauthorized persons have tampered with transmitted messages.
• A hash, also called a message digest, is a fixed-size number computed from a message.
It is smaller than the message and is generated in such a way that it is computationally
infeasible to find another message that produces the same hash value.
• A plain hash by itself does not stop tampering, because an attacker who changes the
message can simply recompute the hash. IPsec therefore uses a keyed hash, an HMAC, which
mixes a shared secret key into the computation so that only the two peers can produce a
valid value. There are two common HMAC algorithms:
– HMAC-MD5 (Message Digest 5)
– HMAC-SHA-1 (Secure Hash Algorithm 1)
Both are legacy choices; where the platform supports it, prefer an HMAC built on SHA-2
(for example HMAC-SHA-256).
• There are two peer authentication methods:
– Pre-shared key (PSK)
– RSA signature
IPsec Security Protocols
• IPsec is a protocol suite for securing IP communications that provides
encryption, integrity, and authentication.
• There are two main IPsec framework protocols:
– Authentication Header (AH) - Provides integrity and origin authentication for the
whole packet, including the immutable fields of the IP header, but no encryption.
Because the IP addresses are covered by the check, AH breaks when a NAT device
rewrites them.
– Encapsulating Security Payload (ESP) - Encrypts the payload and can also authenticate
it (the ESP header and the protected data, not the outer IP header). ESP with an HMAC
is what practically every IPsec VPN uses; AH on its own is rarely deployed.
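The keyed-hash integrity check from the data-integrity section and the AH integrity check value (ICV) described just above, as one added example that is not part of the slides or of any Cisco code. It computes the ICV the way RFC 2404 (HMAC-SHA-1-96) and RFC 2403 (HMAC-MD5-96) specify, an HMAC truncated to 96 bits, over an AH header and its payload, shows that a single flipped bit or a wrong key is detected, and adds the anti-replay window that AH and ESP both run on the 32-bit sequence number. The key, SPI and payload are constructed, and the ICV here omits the outer IP header fields that real AH also covers.

```python
import hmac
import struct

# Added example (not from the slides): IPsec AH integrity check value (HMAC
# truncated to 96 bits) and the anti-replay sliding window. Key, SPI, sequence
# numbers and payload are constructed for the illustration.

ICV_LEN = 12        # 96 bits, as in HMAC-SHA-1-96 / HMAC-MD5-96
AH_FIXED_LEN = 12   # next header, payload len, reserved, SPI, sequence number


def ah_header(next_header: int, spi: int, seq: int, icv: bytes) -> bytes:
    """Fixed AH fields followed by the ICV. payload_len is the AH length in
    32-bit words minus 2 (RFC 4302), so a 24-byte AH encodes as 4."""
    payload_len = (AH_FIXED_LEN + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def compute_icv(key: bytes, algo: str, next_header: int, spi: int, seq: int,
                payload: bytes) -> bytes:
    """HMAC over the AH header with the ICV field zeroed, plus everything after
    it. Real AH also covers the immutable outer IP header fields (omitted here)."""
    covered = ah_header(next_header, spi, seq, b"\x00" * ICV_LEN) + payload
    return hmac.new(key, covered, algo).digest()[:ICV_LEN]


def protect(key: bytes, algo: str, spi: int, seq: int, next_header: int,
            payload: bytes) -> bytes:
    """Sender side: build AH + payload with a valid ICV."""
    icv = compute_icv(key, algo, next_header, spi, seq, payload)
    return ah_header(next_header, spi, seq, icv) + payload


def verify(key: bytes, algo: str, packet: bytes):
    """Receiver side: return (ok, spi, seq, payload). The constant-time compare
    keeps an attacker from learning the ICV byte by byte through timing."""
    next_header, payload_len, _, spi, seq = struct.unpack("!BBHII", packet[:AH_FIXED_LEN])
    ah_len = (payload_len + 2) * 4
    icv, payload = packet[AH_FIXED_LEN:ah_len], packet[ah_len:]
    expected = compute_icv(key, algo, next_header, spi, seq, payload)
    return hmac.compare_digest(icv, expected), spi, seq, payload


class ReplayWindow:
    """Sliding window over received sequence numbers (RFC 4302/4303 style):
    accept a new highest number, accept an older one once if it is still inside
    the window, reject duplicates and anything that fell off the left edge."""

    def __init__(self, size: int = 64):
        self.size, self.top, self.bitmap = size, 0, 0

    def accept(self, seq: int) -> bool:
        if seq == 0:
            return False                      # sequence numbers start at 1
        if seq > self.top:                    # window slides right
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = (self.bitmap << shift) & mask if shift < self.size else 0
            self.bitmap |= 1                  # bit 0 always marks self.top
            self.top = seq
            return True
        diff = self.top - seq                 # inside or left of the window
        if diff >= self.size or self.bitmap & (1 << diff):
            return False
        self.bitmap |= 1 << diff
        return True


if __name__ == "__main__":
    key = b"constructed-shared-secret-for-this-example"
    pkt = protect(key, "sha1", spi=0x1000, seq=1, next_header=17, payload=b"inner datagram")
    print("valid packet accepted:", verify(key, "sha1", pkt)[0])
    forged = bytearray(pkt)
    forged[-1] ^= 0x01                        # one payload bit flipped in transit
    print("tampered packet accepted:", verify(key, "sha1", bytes(forged))[0])
    window = ReplayWindow()
    print("seq 1 first time:", window.accept(1), "replayed:", window.accept(1))
```

Order matters on the receiver: check the ICV first and update the replay window only for packets that pass, otherwise an attacker can poison the window with forged sequence numbers and make the peer drop legitimate traffic. The same HMAC and window logic applies to ESP; there the ICV is appended as a trailer after the encrypted data instead of sitting inside the header.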
• Activity 6.3.7
Labs
Summary
IKE Phase 1 (ISAKMP policy and pre-shared key) - HNI
  HNI(config)# crypto isakmp policy 10
  HNI(config-isakmp)# hash md5
  HNI(config-isakmp)# authentication pre-share
  HNI(config-isakmp)# encryption des
  HNI(config-isakmp)# group 1
  HNI(config-isakmp)# exit
  HNI(config)# crypto isakmp key cisco123 address 200.0.0.2
  ! The lab uses DES, MD5 and Diffie-Hellman group 1, which are weak by current
  ! standards. For a real deployment use encryption aes 256, hash sha256, group 14
  ! or higher, and a long random pre-shared key instead of cisco123.

IKE Phase 1 - HCM (the policy must match HNI's; same key, address is HNI's)
  HCM(config)# crypto isakmp policy 10
  HCM(config-isakmp)# hash md5
  HCM(config-isakmp)# authentication pre-share
  HCM(config-isakmp)# encryption des
  HCM(config-isakmp)# group 1
  HCM(config-isakmp)# exit
  HCM(config)# crypto isakmp key cisco123 address 100.0.0.1

IPsec (IKE Phase 2) transform sets
  HNI(config)# crypto ipsec transform-set HNI esp-3des esp-sha-hmac
  HCM(config)# crypto ipsec transform-set HCM esp-3des esp-sha-hmac
  ! ESP with 3DES for confidentiality and HMAC-SHA-1 for integrity. The set names
  ! may differ per router but the algorithms must match; prefer
  ! esp-aes 256 esp-sha256-hmac on images that support them.

Crypto map - HNI
  HNI(config)# crypto map MYMAP 1 ipsec-isakmp
  HNI(config-crypto-map)# set peer 200.0.0.2
  HNI(config-crypto-map)# set transform-set HNI
  HNI(config-crypto-map)# match address 101
  HNI(config-crypto-map)# exit
  HNI(config)# access-list 101 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
  HNI(config)# interface f0/1
  HNI(config-if)# crypto map MYMAP

Crypto map - HCM
  HCM(config)# crypto map MYMAP 1 ipsec-isakmp
  HCM(config-crypto-map)# set peer 100.0.0.1
  HCM(config-crypto-map)# set transform-set HCM
  HCM(config-crypto-map)# match address 101
  HCM(config-crypto-map)# exit
  HCM(config)# access-list 101 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
  HCM(config)# interface f0/1
  HCM(config-if)# crypto map MYMAP
  ! The crypto map is applied to the interface that faces the peer. The two crypto
  ! ACLs are mirror images of each other: traffic matching the ACL triggers IKE and
  ! is sent through the tunnel; traffic that does not match leaves the interface
  ! unprotected.

Single-router summary (R1; the peer address 200.0.2.1 differs from the HNI/HCM lab)
  R1(config)# crypto isakmp policy 1
  R1(config-isakmp)# hash md5
  R1(config-isakmp)# authentication pre-share
  R1(config-isakmp)# encryption des
  R1(config-isakmp)# group 1
  R1(config-isakmp)# exit
  R1(config)# crypto isakmp key cisco123 address 200.0.2.1
  R1(config)# crypto ipsec transform-set R1 esp-3des esp-sha-hmac
  R1(config)# crypto map MYMAP 1 ipsec-isakmp
  R1(config-crypto-map)# set peer 200.0.2.1
  R1(config-crypto-map)# set transform-set R1
  R1(config-crypto-map)# match address 101
  R1(config-crypto-map)# exit
  R1(config)# access-list 101 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
  R1(config)# interface f0/1
  R1(config-if)# crypto map MYMAP

Verification (after sending traffic that matches access-list 101)
  R1# show crypto isakmp sa
  R1# show crypto ipsec sa
  ! The ISAKMP SA should be in state QM_IDLE; in the IPsec SA output the
  ! #pkts encaps and #pkts decaps counters should increase with each ping.