Technical document for ISP

First of all, we would like to thank you for giving us the opportunity to test our product. I am briefly describing what more we have in the product and how you can use it for various applications. For various Indian telecom operators we have developed special features such as VRRP, IPsec, GRE, VLAN and content filtering (domain filtering and URL filtering), and we have also developed a keep-alive based failover concept.

I am also briefly describing what TelExcell does and how long we have been doing it. In one sentence: we mainly work with ISPs and always prefer to route our business through the ISP. We already have experience of working with various ISPs, so we understand the support and services that ISPs expect.

"We align technology to business goals. That's the solution, not the technology itself." Mahendra Lalwani | MD

TelExcell Information Systems Ltd. is one of the leading value added distributors, with a track record of launching the industry's most innovative wireless, access control, security and networking products. We are one of the pioneers in introducing networking and communication products in the country.

TelExcell's main focus is wireless and security, which is reflected in all of our innovative and often unique solutions that meet the common and specialist requirements of customers. Where possible TelExcell has a direct relationship with manufacturers, avoiding many of the issues that can occur when a distribution company is used. The direct relationship ensures the highest quality logistics, technical knowledge and technical support across the entire sales cycle.

TelExcell reviews the security environment as a whole and advises organizations on the best practices and applications to meet legal and company obligations. It constantly reviews new technologies to satisfy emerging customer requirements. We have the best choice of voice and data solutions available to help your business excel. TelExcell is renowned for introducing unique and emerging technologies into India. We are one of the pioneers in introducing networking and communication products in the country, having started our operations back in 1993.
Our business is focused on three solution areas:

Communications
TelExcell installs and maintains communications solutions, such as the latest in unified communications, contact center, network security, wireless, IP and traditional telephony, and more. We offer a complete services portfolio, including system maintenance plans and remote monitoring services.

Infrastructure
TelExcell provides planning, installation and maintenance services for all types of data infrastructure, from structured cabling to wireless networks to CATV, and the latest in integrated networking solutions such as routers, switches and security applications.

Products
TelExcell's portfolio includes all the key technologies required to build today's high performance networks, including: Switching, IP Telephony, Routing, Unified Communications, Wireless Mobility, Access, Network Security, RF Connectivity, Access, Storage.
Coming to the product overview, I am listing the applications where we can use the product, with a brief overview of what we support and how we can use it to design a solution.

1. IPsec site-to-site application
[Diagram: IPsec site-to-site tunnel between two sites: LAN, WAN, Internet, WAN, LAN]

Brief about IPsec

VPN settings are used to create virtual private tunnels to remote VPN gateways. The tunnel technology supports data confidentiality, data origin authentication and data integrity of network information by using encapsulation protocols, encryption algorithms and hashing algorithms.

• VPN enable item
VPN protects network information from hostile network inspectors, but it greatly reduces network throughput. Enable it when you really need a secure tunnel. It is disabled by default.

• Max. number of tunnels item
Since VPN greatly reduces network throughput, the allowed maximum number of tunnels is limited. Set this value carefully, as it determines how many tunnels can be created simultaneously. Its value ranges from 1 to 80.

• Tunnel name
Indicates which tunnel is currently selected.

• Method
IPsec VPN supports two kinds of key-obtaining methods: manual key and automatic key exchange. With the manual key approach, the system managers of the two VPN gateways set up the authenticator and encryption key manually. With the IKE approach, the gateways perform automatic Internet key exchange; the system managers of both gateways only need to set the same pre-shared key.

Function of buttons
More... Opens the detailed configuration for the manual key or IKE approach when the "More" button is clicked.

IPsec consists of two phases:

1. IKE Phase I: these parameters are used to encrypt the key exchange and to start communication between the two sites, so that the key cannot be decrypted by any third party. Here we configure how the exchange is encrypted and which method is used for authentication.

2. IKE Phase II: the parameters configured here are used to encrypt the data.

To create an IPsec tunnel between two locations, both the IKE Phase I and IKE Phase II parameters must be the same on both sides.

Configuration parameters
a.
b.
[Diagram: IPsec hub and spoke over the Internet: IPsec server on NA-3G-VWR at Bangalore; NA-3G-VWR at Delhi; IPsec client software at Chennai, Hyderabad and Jaipur]

For the retail segment we can use the NetAxcess router configured as an IPsec server (i.e., a dynamic access server), and for the remote sites we can use the same NetAxcess boxes, or we can ask the customer to use IPsec client software to reduce CAPEX and OPEX.
3. For a customer with a firewall at the central site, and behind it a private IP address mapped to the IPsec server for security purposes.

Customers such as banks normally place the IPsec device behind a firewall, and the firewall maps a public IP address to the private IP address of the IPsec server for security reasons. In this case the remote site normally has 20 to 30 users, so for this kind of customer we can use the NetAxcess router at the remote site to reduce cost.

[Diagram: Delhi NA-3G-VWR connects over the Internet to Bangalore, where a firewall (115.80.x.x) fronts a switch, the gateway 192.168.1.1 and a Cisco router acting as IPsec server at 192.168.1.177, with LAN 192.168.8.1 and hosts 192.168.8.2 to 192.168.8.4; other addresses shown: 203.110.80.67, 192.168.123.254. On the firewall the customer maps 220.127.116.11 to 192.168.1.177.]

Configuration detail
On NetAxcess router
On Cisco router

Current configuration : 4084 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname yourname
!
boot-start-marker
boot system flash c1841-advipservicesk9-mz.124-13b.bin
boot-end-marker
!
logging buffered 51200 warnings
enable password cisco
!
no aaa new-model
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.8.1 192.168.8.9
ip dhcp excluded-address 192.168.8.101 192.168.8.254
!
ip dhcp pool ccp-pool1
 network 192.168.8.0 255.255.255.0
 domain-name cisco.com
 default-router 192.168.8.1
!
!
ip domain name yourdomain.com
ip name-server 18.104.22.168
ip name-server 22.214.171.124
!
!
!
username cisco123 privilege 15 secret 5 $1$6DW6$G6JVPN9Uqyoo6/vddSGzL.
!
!
!
!
! IKE Phase I policy: 3DES / MD5, pre-shared key, DH group 2
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
! The pre-shared key is bound to address 0.0.0.0 0.0.0.0, i.e. any peer
! that knows the key, which is what lets dynamic remote sites connect
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
!
! IKE Phase II: ESP with 3DES encryption and MD5 HMAC
crypto ipsec transform-set ankit esp-3des esp-md5-hmac
!
! Dynamic crypto map so remote sites with unknown addresses can initiate
crypto dynamic-map dynamic 11
 set security-association lifetime seconds 28800
 set transform-set ankit
 set pfs group2
 match address 103
!
!
crypto map remotesite 11 ipsec-isakmp dynamic dynamic
!
!
!
! Outside interface (behind the firewall); the crypto map is applied here
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
 ip address 192.168.1.177 255.255.255.0
 duplex auto
 speed auto
 crypto map remotesite
!
interface FastEthernet0/1
 description $ES_LAN$
 ip address 192.168.8.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no keepalive
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
!
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 101 interface FastEthernet0/0 overload
!
! ACL 101: exclude VPN traffic (192.168.0.0/16) from NAT
! ACL 103: interesting traffic for the IPsec tunnels
access-list 101 deny   ip 192.168.8.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 192.168.8.0 0.0.0.255 any
access-list 103 permit ip 192.168.8.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 103 deny   ip 192.168.8.0 0.0.0.255 any
! Note: access-list 23, referenced by "ip http access-class 23" and by
! "line vty 5 15", is not present in this dump
no cdp run
!
!
!
!
control-plane
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you want to
use.
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE PUBLICLY-KNOWN
CREDENTIALS
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want
to use.
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
! Management lines: vty 0-4 use a line password and plain telnet;
! vty 5-15 use local login and access-class 23 (see note above)
line con 0
 login local
line aux 0
line vty 0 4
 privilege level 15
 password cisco
 login
 transport input telnet
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet
!
scheduler allocate 20000 1000
end
yourname#

4. GRE-based solution for site-to-site and hub-and-spoke locations
5. Solution based on L2TP and PPTP

We use these protocols to design solutions for customers who do not want to spend much, do not want separate client software, and want to use the Windows XP VPN client to connect.
[Diagram: L2TP/PPTP solution over the Internet: LNS server on NA-3G-VWR at Bangalore; L2TP/PPTP tunnels from NA-3G-VWR at Delhi and from L2TP clients at Hyderabad and Jaipur using the Windows XP, Vista or 7 client; addresses shown: 203.110.80.67, 115.80.x.x, 192.168.123.254, LAN 192.168.8.1 with hosts 192.168.8.2 to 192.168.8.4]

6. Backup solution where a Cisco router or any other router is present

Suppose the customer has a Cisco router (or any other router) and has terminated bandwidth on Ethernet or E1. If that link has a problem, all his services are affected. Often the customer cannot afford ISDN as a backup: the NT1 boxes cost too much, the usage charges are high, and many times the ISP does not have the feasibility to provide ISDN connectivity. In that case we can use 3G technology as the backup: the hardware cost is less than ISDN, the usage charges of 3G are also less than ISDN, and the customer also gets hardware-level redundancy.
In the above case, if the E1 or Ethernet link goes down, all traffic will automatically be routed through the 3G router. Our router supports VRRP, so using that functionality we can make this work.
7. Suppose the customer wants to terminate a VSAT or Ethernet link on the same router and use 3G technology as the backup. For this failover we have developed a special feature based on keep-alive. In the normal case the Ethernet port does not go down when there is a problem in the network, a fiber cut or anything similar. To overcome this, we can configure any IP address on the router so that it pings that address at regular intervals; if the router does not get a ping response through the Ethernet path, it dials the 3G backup, connects, and all traffic moves through 3G.
[Diagram: NA-3G-VWR with primary WAN Ethernet and 3G wireless CDMA backup to the Internet; WAN 203.110.80.67, LAN 192.168.8.1 with hosts 192.168.8.2 and 192.168.8.3; 126.96.36.199]
[Diagram: NA-3G-VWR with primary WAN Ethernet via VSAT dish and 3G wireless CDMA backup to the Internet; WAN 203.110.80.67, LAN 192.168.8.1 with hosts 192.168.8.2 and 192.168.8.3; 188.8.131.52]
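The keep-alive failover in section 7 is, in essence, a small state machine: a probe to a configured address at a regular interval, and a switch of the default path when the probe fails. The following is an added example in Python of that decision logic, not the NetAxcess firmware, with two thresholds so that a single lost ping does not flap the link: `down_after` consecutive misses move traffic to the 3G backup, and `up_after` consecutive replies on the primary move it back. The probe results are a constructed list so the example runs offline; the target address, the thresholds and the `Failover` class name are assumptions.

```python
"""Keep-alive based WAN failover decision logic (added example, not the
router's own code).  Probe results are replayed from a constructed list;
in a real deployment each result would come from a ping over the
primary path."""
from dataclasses import dataclass, field


@dataclass
class Failover:
    target: str = "203.0.113.1"   # assumed keep-alive target (documentation range)
    down_after: int = 3           # consecutive misses before dialling the 3G backup
    up_after: int = 5             # consecutive replies before failing back to Ethernet
    active: str = "primary"       # path currently carrying traffic
    misses: int = 0
    hits: int = 0
    log: list = field(default_factory=list)

    def observe(self, reachable: bool) -> str:
        """Feed one probe result; return the path now carrying traffic."""
        if reachable:
            self.hits += 1
            self.misses = 0
        else:
            self.misses += 1
            self.hits = 0
        if self.active == "primary" and self.misses >= self.down_after:
            self.active = "backup"
            self.log.append(f"primary lost ({self.misses} misses to {self.target}); dialling 3G backup")
        elif self.active == "backup" and self.hits >= self.up_after:
            self.active = "primary"
            self.log.append(f"primary restored ({self.hits} replies); traffic back on Ethernet")
        return self.active


def run(probes):
    """Replay probe results; return the active path after each and the event log."""
    fo = Failover()
    states = [fo.observe(ok) for ok in probes]
    return states, fo.log


# Constructed probe sequence: one transient loss (must not flap), then a
# real outage such as a fibre cut, then the primary path recovering.
PROBES = [True, True, False, True,
          False, False, False, False,
          True, True, True, True, True, True]

if __name__ == "__main__":
    states, log = run(PROBES)
    for i, (ok, path) in enumerate(zip(PROBES, states), 1):
        print(f"probe {i:2d}: {'reply' if ok else 'miss ':5s} -> {path}")
    for event in log:
        print(event)
```

The hysteresis is the point: the transient miss at probe 3 leaves traffic on Ethernet, the outage from probe 5 onward dials 3G at the third consecutive miss, and the link fails back only after five clean replies.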
For ATM connectivity

The following security is built into the proposed solution for an ISP using CDMA technology. Since the ISP already has an LNS and AAA in its network, we can use that infrastructure to design the solution.

• The LNS also acts as a firewall, and basic firewall policies can be defined in the LNS.
• The remote terminal communicates directly with the host in an IP call, through the customer's firewall and router.
• The access control list (ACL) set up in the bank's router adds to the security.
• The AN-AAA user id and AN-AAA password are authenticated at the AN-AAA, which assigns a UATI to the AT. UATI is the Unicast Access Terminal Identifier, which uniquely identifies the AT during a data call.
• The PPP user id and PPP password are authenticated at the PDSN, which assigns an IP address to the AT; subnet locking is also implemented to avoid misuse of the EVDO HSD+ network.
• Since the communication uses IP addresses, there is no need for TPDU handling.

Different types of authentication in 3G technology which the customer can use:
1) IS-856 air interface authentication
2) IS-856 RAN authentication (performed by the RAN)
3) ISP authentication (between the user and the PDSN)
4) Home agent authentication (between the user and the home agent)

IS-856 Air Interface Authentication
Air interface authentication eliminates the need to perform authentication with the AAA servers (i.e., access authentication) every time the AT opens a connection. It works as follows:
Perform ephemeral session key establishment: the Diffie-Hellman algorithm is used for session key exchange.
Authenticate the access attempts: the AT signs the access channel packets to prove it is the true owner of the session. SHA-1 is applied to the AC packet, the authentication key and a time stamp to generate the signature.

IS-856 RAN Authentication
IS-856 RAN authentication is also called AN-AAA authentication. The AN-AAA credentials (i.e., AN-AAA username and AN-AAA password) have to be configured both in the AT and in the AN-AAA. Whenever the AT wants to establish a session, the AN-AAA requests the username and password. The AN-AAA authenticates the username and password using the CHAP algorithm and returns the IMSI that has been configured against that username and password.

ISP Authentication
ISP authentication is also called PPP authentication. The PDSN authenticates the AT before assigning an IP address to the user.

Home Agent Authentication
The HA authenticates the registration request using the mobile number / home agent shared key. The following figure shows the Broadband+ authentications all together.

Hardware ID Authentication
Hardware ID authentication is based on the ESN/MEID of the device. The hardware ID is unique to the user device, so this type of authentication is useful in avoiding cloning problems.

End-to-End Security
True data protection should be implemented from data owner to data owner (for example, from a remote access employee's computer to the employer's server). A Broadband+ 1xRTT network protects data over the air, but once outside the carrier's network, public information network systems (i.e., the Internet) carry data unprotected. Broadband+ 1xRTT security should be complemented with a VPN security protocol for true data protection. Qualcomm's MSM software provides direct support for SSL. VPN software support is available for both laptops and PDAs.
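The IS-856 RAN (AN-AAA) authentication step above is a CHAP exchange. The following is an added example in Python of that exchange, not code from this document or from any operator's AN-AAA: it follows RFC 1994 (CHAP with MD5), where the AN-AAA issues a one-time challenge, the AT answers with MD5(identifier || password || challenge), and the AN-AAA verifies the answer and returns the IMSI configured against that username. Because the challenge is random and discarded after one use, a captured response cannot be replayed, which is the property that makes CHAP preferable to sending the password itself. The usernames, passwords and IMSI values are constructed for the demo, and the class names are assumptions.

```python
"""AN-AAA style CHAP authentication of an access terminal (AT), per
RFC 1994 (MD5 CHAP).  Added example; the user database below is
constructed and the page gives no real credentials."""
import hashlib
import hmac
import os

# Constructed AN-AAA database: username -> (password, IMSI configured against it)
AN_AAA_DB = {
    "at-bangalore-01": ("s3cret-bangalore", "404010123456789"),
    "at-delhi-07": ("s3cret-delhi", "404010987654321"),
}


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 response: MD5(Identifier || secret || Challenge).
    Computed identically by the AT and by the AN-AAA."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret.encode() + challenge).digest()


class AnAaa:
    """AN-AAA side: hands out one-time challenges and verifies responses."""

    def __init__(self, db):
        self.db = db
        self.pending = {}          # identifier -> challenge, removed once used

    def challenge(self, ident: int) -> bytes:
        chal = os.urandom(16)      # fresh random challenge per attempt
        self.pending[ident] = chal
        return chal

    def verify(self, ident: int, username: str, response: bytes):
        """Return the IMSI on success, None on bad credentials or a replayed response."""
        chal = self.pending.pop(ident, None)   # single use: a second verify fails
        if chal is None or username not in self.db:
            return None
        password, imsi = self.db[username]
        expected = chap_response(ident, password, chal)
        if not hmac.compare_digest(expected, response):   # constant-time compare
            return None
        return imsi


class AccessTerminal:
    """AT side: holds the AN-AAA credentials configured on the device."""

    def __init__(self, username: str, password: str):
        self.username, self.password = username, password

    def respond(self, ident: int, challenge: bytes):
        return self.username, chap_response(ident, self.password, challenge)


def authenticate(server: AnAaa, at: AccessTerminal, ident: int = 1):
    """Full exchange: challenge -> response -> verify.  Returns IMSI or None."""
    chal = server.challenge(ident)
    username, resp = at.respond(ident, chal)
    return server.verify(ident, username, resp)


if __name__ == "__main__":
    aaa = AnAaa(AN_AAA_DB)
    print(authenticate(aaa, AccessTerminal("at-bangalore-01", "s3cret-bangalore")))  # IMSI
    print(authenticate(aaa, AccessTerminal("at-bangalore-01", "wrong-password")))    # None
```

Note that the password never crosses the air interface, only the 16-byte digest; what the AN-AAA must protect is its own copy of the password, since CHAP requires it in clear (or reversibly stored) on the server.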
Now suppose the bank has already taken a VSAT link for ATM connectivity. As a backup we can propose 3G technology, and in this way we can achieve 99.9% uptime.
8. For a customer who wants to block specific web sites, or to block based on content or words, we can use the NetAxcess router.
a. Domain filter lets you prevent users behind this device from accessing specific URLs.
b. URL blocking blocks LAN computers from connecting to pre-defined web sites.
c. Packet filtering is also available, so we can prevent communication between computer A and computer B.
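The three filters in section 8 make decisions on different inputs: the domain filter on the host name, URL blocking on the rest of the URL, and packet filtering on the addresses in the packet header. The following is an added example in Python, not the NetAxcess router's own code or rule syntax, of those three decisions over a constructed policy. It also handles two details a practitioner would want: a domain rule matches subdomains as well as the bare name, and host names are normalised (case and trailing dot) before matching so that trivial variants of a blocked name are caught. The rule lists and sample requests are constructed; the function names are assumptions.

```python
"""Domain filter, URL blocking and packet filtering decisions
(added example; the policy and the sample requests are constructed)."""
from urllib.parse import urlsplit

# Constructed policy.  Domain rules match the name and any subdomain;
# URL keywords are matched against the path and query only.
BLOCKED_DOMAINS = {"games.example", "social.example.com"}
URL_KEYWORDS = {"casino", "torrent"}
# Packet rules as (source, destination, action); first match wins, default permit.
PACKET_RULES = [
    ("192.168.8.2", "192.168.8.3", "deny"),
    ("192.168.8.3", "192.168.8.2", "deny"),
]


def normalise_host(host: str) -> str:
    """Lower-case and strip a trailing dot so 'GAMES.EXAMPLE.' matches 'games.example'."""
    return host.lower().rstrip(".")


def domain_blocked(host: str) -> bool:
    """True if host is a blocked domain or any subdomain of one."""
    host = normalise_host(host)
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def url_blocked(url: str) -> bool:
    """True if the path or query contains a blocked keyword."""
    parts = urlsplit(url)
    target = (parts.path + "?" + parts.query).lower()
    return any(k in target for k in URL_KEYWORDS)


def check_url(url: str) -> str:
    """Web request decision: 'deny:domain', 'deny:url' or 'permit'."""
    host = urlsplit(url).hostname or ""
    if domain_blocked(host):
        return "deny:domain"
    if url_blocked(url):
        return "deny:url"
    return "permit"


def check_packet(src: str, dst: str) -> str:
    """Packet filter decision between two LAN hosts: 'deny' or 'permit'."""
    for rule_src, rule_dst, action in PACKET_RULES:
        if src == rule_src and dst == rule_dst:
            return action
    return "permit"


if __name__ == "__main__":
    for url in ("http://www.games.example/play", "http://GAMES.EXAMPLE./",
                "http://notgames.example/", "http://news.example/read?q=casino"):
        print(f"{url:40s} {check_url(url)}")
    print("192.168.8.2 -> 192.168.8.3", check_packet("192.168.8.2", "192.168.8.3"))
    print("192.168.8.2 -> 192.168.8.4", check_packet("192.168.8.2", "192.168.8.4"))
```

The `notgames.example` case shows why the subdomain test requires the dot: a plain suffix match would block an unrelated name, while a plain equality match would miss `www.games.example`.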