Cisco router: configure redundancy between VSAT and leased line communication

Fida jlassi
Level 1

Hi all, 

In the config files of the client's router I found that he configured redundancy between the leased line and VSAT communication using the Router RIP functionality.

Could you please explain how the redundancy works with the command router rip, and what the disadvantage of using this command in the redundancy configuration is? Thanks.



Fida jlassi
Level 1

Could you please answer my question?

Fida

 

There is not enough information here for us to understand the problem or to make helpful suggestions. You mention leased line and VSAT, redundancy, and RIP. But there is not anything in the post that tells me how redundancy was set up or about how RIP is being used. If we do not know how it is set up and running then how can we offer advice about it?

 

HTH

 

Rick


The client told us that the redundancy is set between the two routers. I didn't find any command for the redundancy in the router config; I found only the RIP feature configured. So I am trying to understand how the redundancy is done.

 

Fida

 

Thanks for posting the configuration. I have looked through it and have these questions and observations:

- the original post mentions VSAT and leased line. Am I correct in understanding that vlan 2 is the interface connecting to VSAT? And am I correct in understanding that the leased lines you reference are Serial1/0, 1/1, 1/2, and 1/3?

- would I be correct in assuming that the remote destinations (various subnets of 192.168.144.0 ) are reachable using the VSAT and are also reachable using the leased lines?

- assuming that these are correct, then I believe the intent of the setup was that, by running RIP over both the serial interfaces and the VSAT, RIP would find that the destinations were available both via the serial interfaces and via VSAT. If there were a difference in advertised metric then one would be primary and one would be backup. And the important aspect is that if there were a problem with one path, RIP would still know about the alternate path and traffic would fail over.

The biggest problem that I see is that there is no network statement in RIP that includes the VSAT interface. So RIP is not running there and there is no redundancy.

 

HTH

 

Rick

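Rick's check in the post above (is every interface covered by a network statement under router rip?) can be done mechanically over a saved config. This is an added example, not code from the thread or from Cisco; the config fragment and its addresses are constructed, with Vlan2 standing in for the VSAT side.

```python
import ipaddress
import re

# Constructed sample IOS config (assumed addresses, not the poster's file): Vlan2 stands
# in for the VSAT side and no "network" line under "router rip" covers it.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.252
interface Serial1/0
 ip address 10.2.0.1 255.255.255.252
interface Vlan2
 ip address 172.16.5.1 255.255.255.0
router rip
 network 10.0.0.0
"""

def classful(addr):
    """RIP 'network' in IOS is classful: /8, /16 or /24 by first octet."""
    first = int(addr.split(".")[0])
    prefix = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def parse_interfaces(config):
    """Map each interface name to its IPv4Interface (address plus mask)."""
    result, current = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):  # a new top-level section starts
            m = re.match(r"interface (\S+)", line)
            current = m.group(1) if m else None
            continue
        if current and (m := re.match(r"\s+ip address (\S+) (\S+)", line)):
            result[current] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
    return result

def parse_rip_networks(config):
    """Collect the classful networks listed under 'router rip'."""
    nets, in_rip = [], False
    for line in config.splitlines():
        if not line.startswith(" "):
            in_rip = line.strip() == "router rip"
            continue
        if in_rip and (m := re.match(r"\s+network (\S+)", line)):
            nets.append(classful(m.group(1)))
    return nets

def interfaces_without_rip(config):
    """Interfaces whose address no RIP network statement covers (RIP is silent there)."""
    nets = parse_rip_networks(config)
    return sorted(name for name, iface in parse_interfaces(config).items()
                  if not any(iface.ip in net for net in nets))
```

Any interface the function lists is one RIP will neither advertise nor learn routes over, so it cannot take part in the failover Rick describes.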

To answer your questions, attached is the detailed architecture; the config file that I sent concerns Router 1 in the architecture.

I think that the network statement in RIP that includes the VSAT interface was configured in the router 2.

 

Fida

 

Thanks for sending the detailed architecture. There are still some things that I do not understand. The drawing shows router 1 and router 2 connected via two FastEthernet interfaces and by the VSAT connection. Router 1 has the four serial interfaces, which do not have anything similar on router 2. It is not clear to me which redundancy we are talking about. Is it redundancy between router 1 and router 2? Is it redundancy between router 1 and some other device?

 

HTH

 

Rick


The redundancy is supposed to be between router 1 and router 2, but according to their config files I think that it is just configured between the two communication links (VSAT and LS): if the communication over the leased line fails, the VSAT communication will take over. That's what makes me confused.

According to you, and based on the config file that I published, what are the major security gaps in the router?

Many thanks, Richard, for your support.

Fida

 

Your original question was about redundancy. Having looked again at the config and at the architecture drawing let me say a couple of things about redundancy.

 

The two routers are connected by two Ethernet interfaces and do run a dynamic routing protocol on both of them. This does provide effective redundancy in the sense that if one link fails all the traffic could be carried by the other link.

 

The two routers are also connected by VSAT. This has potential to provide redundancy but with the config provided it does not provide redundancy. If there were a dynamic routing protocol running on the VSAT then it could carry traffic between the routers if the Ethernet connections fail. But if routing is not configured on router 1 then it does not matter if routing is configured on router 2 because to provide redundancy it must be configured on both. I also note that the configuration of vlan 2 suggests that they intended to run RIP over the VSAT - but it is not implemented.

 

Router 1 has 4 serial interfaces that carry 4 IPsec encrypted tunnels. It does not appear that these relate to redundancy since we do not know where they go but it is not to router 2. Router 1 also has two GRE tunnels configured but they do not contribute to redundancy since we do not know where they go but it is not to router 2.

 

You also ask about security aspects of the router configuration. So let me say something about that. I do not regard running RIP as a security issue. While it is an older routing protocol and many networks choose not to use it I do not believe that it raises security issues. The 4 serial interfaces with IPsec tunnels do implement effective security that protects the data that they carry. The GRE tunnels do not provide security for the data that they carry. I can not assess whether this is a security issue since I do not know if the data that they carry is sensitive.

 

HTH

 

Rick


It's clear now. Thank you, Richard, for your support.

Hi Richard,

There is something else that makes me confused: the network masks, IP addresses and network segmentation. Is there a tool to do the penetration test? Based on the config file that I shared in this post, how can I do the network segmentation validation?

Thanks.

Fida

 

I do not understand your question very well. You ask about penetration tests. There certainly are tools to do penetration testing. But since this is not my area of expertise I am reluctant to make suggestions about those tools.

You also ask about network segmentation validation. To perform an appropriate validation we would need more than the configuration of one or two routers. We would need an understanding of their network resources: how many routers, how many switches, how many subnets, how the subnets are distributed, and who they need to communicate with are some of the things we would need to understand to perform an appropriate validation.

 

HTH

 

Rick


Is there a procedure to follow to do the network segmentation validation?

I mean a standard procedure.
