The April 2026 Lab (Linux, IPSEC, DNS, DHCP, SFTP, NAT, eBGP, OSPF)
Information Technology Lab using VMware Workstation Pro, GNS3 server, and Cisco CML.
-I began labbing in spring 2026 to review networking topics
-I built an enterprise network lab with dynamic routing, firewall inspection, centralized AAA, and verified failover under link failure conditions.
-I was able to reduce failover time in Site 1 from 1-2 minutes to seconds by simplifying routing.
Topology:

-Site 1 (left) and Site 2 (right) are connected over the WAN through the ISP router using eBGP
-Site 1 uses only OSPF internally; Site 2 uses iBGP and OSPF internally. The two sites communicate with each other over an IPSEC tunnel between the firewalls
-The device CENTRAL-SERVER provides DHCP, DNS, and RADIUS services to both sites in the lab

Routing Architecture
OSPF/iBGP for intra-site routing and IPSEC tunnels for inter-site routing
-Site 1 is AS 8001, Site 2 is AS 8003, and ISP is 8000

-Routers and switches at both sites communicate internally with OSPF

-Site 1 only uses OSPF internally, no iBGP

-Firewall at Site 2 communicates with internal router using iBGP

-OSPF routes are redistributed in iBGP in Site 2

-Internal routers/switches receive their default route from the firewalls (default-information originate)

-eBGP is used for WAN connectivity through the ISP router
-Internal RFC 1918 address space is filtered (blocked) in eBGP

-192.168.122.0/24 is local to the ISP router and is how it reaches the web/WAN
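As an added illustration (not part of the lab's own configuration), the Python script below models how a Cisco IOS prefix-list applied outbound on the eBGP session toward the ISP evaluates the lab's prefixes, using first-match and ge/le semantics. The two lists and the public prefix 203.0.113.0/24 are constructed for this example; it shows why an RFC 1918 filter without "le 32" still lets a summary such as 10.0.0.0/15 through.

```python
import ipaddress
import re
# Two outbound filters for the eBGP session toward the ISP, in Cisco IOS prefix-list
# syntax (both constructed). The weak list matches only the exact RFC 1918 aggregates;
# the fixed list adds "le 32" so every more-specific prefix inside them is denied too.
WEAK_LIST = """
ip prefix-list NO-RFC1918 seq 5 deny 10.0.0.0/8
ip prefix-list NO-RFC1918 seq 10 deny 172.16.0.0/12
ip prefix-list NO-RFC1918 seq 15 deny 192.168.0.0/16
ip prefix-list NO-RFC1918 seq 20 permit 0.0.0.0/0 le 32
"""
FIXED_LIST = """
ip prefix-list NO-RFC1918 seq 5 deny 10.0.0.0/8 le 32
ip prefix-list NO-RFC1918 seq 10 deny 172.16.0.0/12 le 32
ip prefix-list NO-RFC1918 seq 15 deny 192.168.0.0/16 le 32
ip prefix-list NO-RFC1918 seq 20 permit 0.0.0.0/0 le 32
"""
ENTRY_RE = re.compile(
    r"ip prefix-list \S+ seq (\d+) (permit|deny) (\S+)(?: ge (\d+))?(?: le (\d+))?$")

def parse_prefix_list(text):
    """Return (seq, action, network, ge, le) tuples ordered by sequence number."""
    entries = []
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed prefix-list line: {line!r}")
        seq, action, net, ge, le = m.groups()
        entries.append((int(seq), action, ipaddress.ip_network(net),
                        int(ge) if ge else None, int(le) if le else None))
    return sorted(entries, key=lambda e: e[0])

def entry_matches(entry, prefix):
    """IOS semantics: the candidate must lie inside the entry's network, and its
    length must equal the entry length unless ge/le widen the accepted range."""
    _, _, net, ge, le = entry
    if not prefix.subnet_of(net):
        return False
    low = ge if ge is not None else net.prefixlen
    high = le if le is not None else (32 if ge is not None else net.prefixlen)
    return low <= prefix.prefixlen <= high

def evaluate(text, candidates):
    """First matching entry decides; an unmatched prefix hits the implicit deny."""
    entries = parse_prefix_list(text)
    return {c: next((e[1] for e in entries if entry_matches(e, ipaddress.ip_network(c))),
                    "deny") for c in candidates}
# Lab prefixes from the write-up plus one constructed public prefix (203.0.113.0/24).
CANDIDATES = ["10.0.0.0/15", "192.168.122.0/24", "10.0.0.0/8", "203.0.113.0/24"]
```

Running evaluate(WEAK_LIST, CANDIDATES) shows 10.0.0.0/15 and 192.168.122.0/24 permitted, while evaluate(FIXED_LIST, CANDIDATES) denies everything except the public prefix.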

High Availability/Failover

-Issue with the early design: traffic stopped flowing when SITE-1-R2 was down
-Cause of the issue: a high weight was set in iBGP on SITE-1-CORE-FW toward SITE-1-R2, floating static (default) routes were used on SITE-1-R2 and SITE-1-R1, and iBGP was redistributed into OSPF (which was not necessary)
Solution:
-Removed iBGP and redistribution from Site 1 and implemented OSPF only
-Verified failover with a continuous ping between CENTRAL-SERVER at Site 1 and kali-admin at Site 2

Security Layer
-The firewalls terminate an IPSEC tunnel using AES-256 and SHA-256 to encrypt site-to-site traffic

-Traffic traversing the firewalls is translated: public traffic is translated to 10.0.0.0/15, and 10.0.0.0/15 traffic is translated with PAT

-Each network device has SSH enabled
-kali-admin is the only device in the network that can SSH into network devices


-CENTRAL-ADMIN is the only device in the network that can SFTP from kali-admin

AAA
-The primary way to log into each network device at a site is with credentials stored on the RADIUS server, which is CENTRAL-ADMIN at Site 1

-SSH access to a device also requires credentials stored on the RADIUS server

-Because SSH is enabled on the devices, local credentials are also configured to fall back to

Infrastructure Services
-CENTRAL-SERVER is a Debian Linux host that runs the Bind9 service for DNS, with 8.8.8.8 and 1.1.1.1 as forwarders

-CENTRAL-SERVER runs the isc-dhcp-server service to serve DHCP clients

-Clients that can use DHCP in the network are on VLAN 10 (10.0.0.64/26 and 10.1.0.128/25)


-Servers are on VLAN 20 (10.0.0.32/27 and 10.1.0.16/29)


Misc Route Implementation
-At Site 1, I explicitly made the preferred path flow through SITE-1-R2
-SITE-1-R2 is the preferred path at Site 1 because its OSPF priority is higher than that of the other OSPF devices, its path cost is lower, and interface g0/2 on SITE-1-CORE-FW is the management interface

-The firewalls at each site pass down default routes with default-originate toward their internal iBGP neighbors

-The firewalls have their default routes pointing to the ISP router and static routes for site-to-site connectivity over the IPSEC tunnel
-The ISP router gives each site WAN connectivity through a default route on g0/0
Technologies
OSPF
BGP (eBGP / iBGP)
Route redistribution (OSPF ↔ iBGP)
Static routing
OSPF timer tuning
IPsec VPN (IKEv2, AES-256, SHA-256)
Cisco ASA firewall
ACLs
Prefix-lists
Route-maps
VLANs
Inter-VLAN routing
Layer 3 switching
DHCP (Linux ISC DHCP package)
DNS (Linux Bind9 package)
RADIUS (Linux FreeRADIUS package)
AAA (authentication / authorization)
SSH
SFTP
NAT (PAT on ASA)
ICMP inspection
Linux system administration (Debian/Kali)
GNS3/VMware lab environment