300-420 ENSLD – Cisco CCNP Enterprise – CCNP Enterprise ENSLD (300-420): Designing Enterprise Managed VPNs

  1. Enterprise Managed VPN Overview

VPNs, or virtual private networks, are used to connect remote branches and users over third-party links. In the graphic we have business partners with a Cisco router, a regional office with a Cisco ASA firewall, a small office/home office (SOHO) with a Cisco router, and a mobile worker running Cisco AnyConnect on a laptop, all connected into a main site with a perimeter router and a Cisco ASA firewall. The goal of the VPN is to connect these remote sites to the central site, and the VPN connections allow users to reach corporate resources securely and efficiently across the Internet and the service provider VPN. GRE is an encapsulation protocol for tunneling. Tunnels by nature do not carry broadcast and multicast packets.

So, to tunnel packets of those types across this transport, we can use a GRE tunnel, which carries both unicast and multicast. This is really important when we run routing protocols across these links, because they typically use multicast or broadcast. GRE creates a virtual point-to-point connection between the two routers, and the router encapsulates the traffic with a GRE header and a new IP header.

Again, the main reason for GRE tunnels is typically to run routing protocols across these links. There is also a technology called mGRE, or multipoint GRE, which extends the GRE tunnel to multiple connections: a single GRE interface can now serve multiple connections, using the same subnet for all of the GRE connections. It supports multiple GRE tunnels.

It uses NHRP, the Next Hop Resolution Protocol, for address resolution. It also supports unicast, multicast and broadcast traffic, just as point-to-point GRE tunnels do. You can mix point-to-point and point-to-multipoint GRE tunnels in your environment. There are three options for implementing GRE networks using GRE or multipoint GRE. In the diagram on the left, a hub-and-spoke network uses a set of point-to-point tunnels built from GRE interfaces. That is the first illustration, on the left side of the screen.

On the hub, you need to create as many GRE interfaces as there are spokes in this configuration, and on a spoke you need only one GRE interface. All traffic between the spokes flows over the hub. The middle diagram shows mGRE on the hub: you need only a single interface on the hub, but you must deploy NHRP for address resolution, which allows the hub to learn the spoke addresses and create the GRE tunnels. In the diagram on the right, all of the devices in this hub-and-spoke network use multipoint GRE tunnels and NHRP. They establish either a partial mesh or a full mesh of GRE tunnels with just a single multipoint GRE interface on each device. This really simplifies the configuration and improves manageability.

  2. Describe GRE, mGRE, and IPsec

To establish an enterprise managed VPN, you need a solution that can tunnel any packets, including multicast, over the transport network. You can use GRE to tunnel any unicast or multicast packets. This solution allows you to run a routing protocol over the tunneling mechanism. General concepts of GRE follow. GRE is a tunneling protocol that transports any packet over IP transport. GRE is a point-to-point protocol. GRE supports unicast and multicast traffic. The main advantage is that you can use any IGP over a GRE tunnel. GRE provides tunneling of packets across the network. It is a technology that creates a virtual point-to-point connection between two routers. The router encapsulates traffic with a GRE header and a new IP header.

This new packet is then forwarded to the router on the other end of the tunnel, using the external IP header for forwarding decisions. The router on the other side of the tunnel strips the outer IP header and the GRE header and forwards the packet based on its routing table. The GRE protocol was developed by Cisco but is now standardized by the Internet Engineering Task Force. It uses IP protocol number 47. The advantage of a GRE tunnel is that it can transport protocols that would not normally pass through the network. For example, you can tunnel multicast traffic over the Internet using a GRE tunnel between two sites. On the other hand, GRE does not provide any cryptographic traffic protection. Therefore, it is usually combined with IPsec for traffic protection.

Another disadvantage is that the GRE standard does not define any keepalive mechanism; Cisco offers a proprietary GRE keepalive solution. When you implement GRE tunnels, you can run into maximum transmission unit (MTU) and IP fragmentation issues. GRE adds an extra 24 bytes to the packet: a 4-byte GRE header and a 20-byte new IP header. You must configure an appropriate MTU value to accommodate the extra headers. Because the GRE tunnel supports multicast packets, you can use routing protocols over it. The two endpoints of the GRE tunnel act as if they were directly connected; therefore, you implement routing in the same way as you would on normal router interfaces. You can use any interior gateway protocol.
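To make the encapsulation and the 24-byte overhead concrete, here is an added example (not code from the course) that builds the outer IPv4 header with protocol number 47 and the basic 4-byte GRE header around an inner packet, decapsulates it again the way the far-end router would, and derives the tunnel MTU from the overhead. The addresses and the inner packet are constructed sample values.

```python
"""GRE encapsulation walk-through (added example, not from the course)."""
import struct

GRE_PROTOCOL = 47          # IP protocol number assigned to GRE
ETHERTYPE_IPV4 = 0x0800    # GRE protocol-type value for an IPv4 payload
OUTER_IP_LEN = 20          # new IPv4 header, no options
GRE_BASIC_LEN = 4          # GRE header with the C, K and S flags clear


def _ip(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum of 16-bit words; returns 0 for a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header with the header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, OUTER_IP_LEN + payload_len, 0, 0,
                      ttl, proto, 0, _ip(src), _ip(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner_packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Near-end router: new IP header (proto 47) + GRE header + the original packet."""
    gre_header = struct.pack("!HH", 0, ETHERTYPE_IPV4)   # flags/version = 0, payload = IPv4
    payload = gre_header + inner_packet
    return build_ipv4_header(tunnel_src, tunnel_dst, GRE_PROTOCOL, len(payload)) + payload


def gre_decapsulate(outer_packet: bytes) -> bytes:
    """Far-end router: validate, then strip the outer IP and GRE headers."""
    ihl = (outer_packet[0] & 0x0F) * 4
    if outer_packet[9] != GRE_PROTOCOL:
        raise ValueError(f"outer protocol {outer_packet[9]} is not GRE (47)")
    if ipv4_checksum(outer_packet[:ihl]) != 0:
        raise ValueError("outer IPv4 header checksum mismatch")
    flags, ptype = struct.unpack("!HH", outer_packet[ihl:ihl + GRE_BASIC_LEN])
    if flags & 0xB000:  # C, K or S set: optional checksum/key/sequence fields present
        raise ValueError("GRE optional fields present; this example handles the basic header only")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError(f"unexpected GRE protocol type 0x{ptype:04x}")
    return outer_packet[ihl + GRE_BASIC_LEN:]


def gre_overhead() -> int:
    """Bytes added per packet: 20 (new IP header) + 4 (GRE header) = 24."""
    return OUTER_IP_LEN + GRE_BASIC_LEN


def tunnel_ip_mtu(link_mtu: int) -> int:
    """Largest inner packet that crosses a link of link_mtu without fragmentation."""
    return link_mtu - gre_overhead()


if __name__ == "__main__":
    # Constructed inner packet: 20-byte IPv4 header (UDP, proto 17) plus 100 bytes of payload
    inner = build_ipv4_header("10.1.1.10", "10.2.2.20", 17, 100) + b"\x00" * 100
    outer = gre_encapsulate(inner, "192.0.2.1", "198.51.100.1")
    print(f"inner {len(inner)} bytes -> outer {len(outer)} bytes (+{gre_overhead()})")
    assert gre_decapsulate(outer) == inner
    print(f"ip mtu for a 1500-byte link: {tunnel_ip_mtu(1500)}")
```

The decapsulation path rejects anything that is not plain GRE-over-IPv4, which is the behaviour you want on a tunnel endpoint facing an untrusted transport; the `tunnel_ip_mtu` value (1476 for a 1500-byte link) is the figure you would configure on the tunnel interface to avoid fragmentation of the outer packets.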

When you implement an IGP, you must be careful to avoid recursive routing loops. A recursive loop happens if you misconfigure a router so that it tries to route to the tunnel destination address through the tunnel interface itself. A recursive loop can cause temporary instability due to route flapping in the network. You can avoid these situations with proper filtering or by using different routing protocols for the GRE tunnels and for the transport network. GRE is usually implemented in a hub-and-spoke topology. The hub router establishes a separate point-to-point tunnel with each spoke router. You must use a unique subnet on each point-to-point tunnel between sites. When you design a highly available GRE solution, you usually have two routers at the central site and one router at the branch office. Each hub router at the central site has its own connectivity to the WAN.
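The recursive-routing condition above is easy to check for once the routing table is modelled. The following added example (not from the course) implements a small longest-prefix-match table and a check for whether the tunnel destination would be reached through the tunnel interface itself, together with the filtering remedy the text names and a static host route, which is a common remedy not named in the text. The prefixes, interface names and addresses are constructed sample values.

```python
"""Recursive-routing check for a GRE tunnel (added example, not from the course)."""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]


class RoutingTable:
    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add(self, prefix: str, interface: str) -> None:
        self.routes.append((ipaddress.ip_network(prefix), interface))

    def remove(self, prefix: str) -> None:
        net = ipaddress.ip_network(prefix)
        self.routes = [r for r in self.routes if r[0] != net]

    def lookup(self, address: str) -> Optional[str]:
        """Longest-prefix match; returns the egress interface or None."""
        addr = ipaddress.ip_address(address)
        best: Optional[Route] = None
        for net, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None


def is_recursive(table: RoutingTable, tunnel_iface: str, tunnel_destination: str) -> bool:
    """True when reaching the tunnel endpoint would itself require the tunnel."""
    return table.lookup(tunnel_destination) == tunnel_iface


HUB_WAN = "203.0.113.1"   # constructed: the hub's transport address, i.e. Tunnel0's destination


def branch_table_ok() -> RoutingTable:
    t = RoutingTable()
    t.add("0.0.0.0/0", "GigabitEthernet0/0")   # default route toward the transport network
    t.add("10.0.0.0/8", "Tunnel0")             # corporate prefixes learned over the tunnel
    return t


def branch_table_broken() -> RoutingTable:
    """The IGP running over the tunnel also advertised the hub's transport prefix."""
    t = branch_table_ok()
    t.add("203.0.113.0/24", "Tunnel0")   # more specific than the default, so it wins the lookup
    return t


def fix_with_filter(t: RoutingTable) -> RoutingTable:
    """Remedy from the text: filter the transport prefix out of the tunnel-side IGP."""
    t.remove("203.0.113.0/24")
    return t


def fix_with_host_route(t: RoutingTable) -> RoutingTable:
    """Alternative remedy (assumption, not from the text): pin the endpoint to the physical path."""
    t.add(HUB_WAN + "/32", "GigabitEthernet0/0")
    return t


if __name__ == "__main__":
    for label, table in [("ok", branch_table_ok()), ("broken", branch_table_broken()),
                         ("filtered", fix_with_filter(branch_table_broken())),
                         ("host route", fix_with_host_route(branch_table_broken()))]:
        print(f"{label:10s} recursive={is_recursive(table, 'Tunnel0', HUB_WAN)}")
```

Run the check whenever a prefix learned over a tunnel covers a tunnel endpoint; on a real router the same condition shows up as the tunnel line protocol flapping, which is the instability the text warns about.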

The branch router is connected to the WAN via two upstream connections. You would typically implement GRE tunnels at the branch office for high availability, each tunnel connected to one hub router at the central site. You then tune the routing protocol to select the primary GRE tunnel to the central site. Multipoint GRE overview. The classic GRE tunnel is a point-to-point technology. There are several limitations and scalability issues with point-to-point technologies. Multipoint generic routing encapsulation (mGRE) extends the GRE solution by adding multipoint support. The mGRE technology extends classic GRE tunnels with point-to-multipoint connections. A single GRE interface is used for all connections, and the routers use the same subnet for all connections. The single GRE interface supports multiple GRE tunnels. It needs the Next Hop Resolution Protocol (NHRP) for address resolution. It also supports unicast, multicast and broadcast traffic, like a classic GRE tunnel.

When you use point-to-point GRE tunnels, you manually specify the tunnel source and destination. With mGRE, the learning of the peers should be dynamic; therefore, you need a protocol that maps the tunnel IP address to the physical IP address. This protocol is called NHRP, and it is used similarly to the Address Resolution Protocol on Ethernet. NHRP dynamically registers both the tunnel interface address and the physical address with the other peers. This dynamic registration also allows the use of dynamically assigned addresses. The main characteristics of a point-to-point GRE tunnel follow. It is used for simple point-to-point tunnels that emulate a point-to-point WAN link, or on spoke routers in hub-and-spoke deployments.

On each device, a separate GRE tunnel interface is configured for each GRE peer. A unique subnet is needed for each GRE tunnel. It does not require NHRP, because the destination addresses of the other peers are statically configured. It supports unicast, multicast and broadcast traffic. The main characteristics of a point-to-multipoint GRE tunnel follow. It is typically used on hub routers in hub-and-spoke topologies, or on all routers in mesh or partial-mesh topologies. A single GRE interface is configured for multiple tunnels. The same subnet is configured for all GRE tunnels. To learn the IP addresses of the other peers, devices using mGRE require NHRP to build dynamic GRE tunnels. Peers can also use dynamically assigned addresses. It supports unicast, multicast and broadcast traffic. GRE deployment options. You can mix point-to-point and point-to-multipoint GRE tunnels in your environment. The diagrams show three options for implementing GRE networks using GRE or mGRE functionality.

In the left diagram, a hub-and-spoke network uses a set of point-to-point tunnels using only GRE interfaces. On the hub you would need to create as many GRE interfaces as there are spokes, and on a spoke you would require one GRE interface. All traffic between spokes flows strictly over the hub. The middle diagram shows the hub optimized with an mGRE interface. In this setup, only a single interface is required on the hub. However, you must deploy NHRP for the hub to learn spoke addresses and correctly provision the spoke-to-hub GRE tunnels. In the right diagram, all devices in the hub-and-spoke network use mGRE interfaces with NHRP. These devices can establish a partial mesh or full mesh of GRE tunnels by configuring only a single mGRE interface on each device.
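The interface-count difference between the deployment options is the design point worth seeing in configuration form. The following added example (not configuration from the course) renders Cisco IOS-style tunnel interfaces for the point-to-point hub (one interface and one unique subnet per spoke) and for the mGRE hub and spokes with NHRP, and counts the tunnel interfaces each option needs. Site names, addresses, the subnet plan and the NHRP network-id are constructed sample values.

```python
"""GRE design options as IOS-style interface configuration (added example, not from the course)."""
from dataclasses import dataclass
from typing import List


@dataclass
class Site:
    name: str
    wan_ip: str      # transport (underlay) address, constructed
    tunnel_ip: str   # overlay address on the shared mGRE subnet, constructed


def p2p_hub_config(hub: Site, spokes: List[Site]) -> str:
    """Left diagram: one GRE interface and one unique /30 per spoke on the hub."""
    lines: List[str] = []
    for i, spoke in enumerate(spokes):
        lines += [
            f"interface Tunnel{i}",
            f" description p2p GRE to {spoke.name}",
            f" ip address 10.255.{i}.1 255.255.255.252",   # unique subnet per tunnel
            " ip mtu 1476",                                 # 1500 minus 24 bytes of GRE overhead
            f" tunnel source {hub.wan_ip}",
            f" tunnel destination {spoke.wan_ip}",          # peer statically configured, no NHRP
            "!",
        ]
    return "\n".join(lines)


def p2p_spoke_config(spoke: Site, hub: Site, index: int) -> str:
    """Spoke side of the left and middle diagrams: exactly one GRE interface."""
    return "\n".join([
        "interface Tunnel0",
        f" ip address 10.255.{index}.2 255.255.255.252",
        " ip mtu 1476",
        f" tunnel source {spoke.wan_ip}",
        f" tunnel destination {hub.wan_ip}",
        "!",
    ])


def mgre_hub_config(hub: Site) -> str:
    """Middle and right diagrams: a single mGRE interface; spokes are learned through NHRP."""
    return "\n".join([
        "interface Tunnel0",
        f" ip address {hub.tunnel_ip} 255.255.255.0",   # one subnet shared by all peers
        " ip mtu 1476",
        " ip nhrp network-id 1",                        # constructed NHRP network id
        " ip nhrp map multicast dynamic",               # replicate IGP multicast to registered spokes
        f" tunnel source {hub.wan_ip}",
        " tunnel mode gre multipoint",                  # no tunnel destination line at all
        "!",
    ])


def mgre_spoke_config(spoke: Site, hub: Site) -> str:
    """Right diagram: spokes also run mGRE and register with the hub, the next-hop server."""
    return "\n".join([
        "interface Tunnel0",
        f" ip address {spoke.tunnel_ip} 255.255.255.0",
        " ip mtu 1476",
        " ip nhrp network-id 1",
        f" ip nhrp nhs {hub.tunnel_ip}",                # hub is the NHRP next-hop server
        f" ip nhrp map {hub.tunnel_ip} {hub.wan_ip}",   # static overlay-to-underlay mapping for the hub
        f" ip nhrp map multicast {hub.wan_ip}",
        f" tunnel source {spoke.wan_ip}",
        " tunnel mode gre multipoint",
        "!",
    ])


def tunnel_interface_count(config: str) -> int:
    return sum(1 for line in config.splitlines() if line.startswith("interface Tunnel"))


# Constructed topology: one hub, four spokes
HUB = Site("HQ", "203.0.113.1", "10.100.0.1")
SPOKES = [Site(f"BR{i}", f"198.51.100.{10 + i}", f"10.100.0.{10 + i}") for i in range(4)]

if __name__ == "__main__":
    print(f"p2p hub interfaces : {tunnel_interface_count(p2p_hub_config(HUB, SPOKES))}")
    print(f"mGRE hub interfaces: {tunnel_interface_count(mgre_hub_config(HUB))}")
    print(mgre_spoke_config(SPOKES[0], HUB))
```

Adding a fifth spoke to the point-to-point design means another interface and another /30 on the hub; in the mGRE design it means only a new spoke registering with the existing interface, which is the manageability gain the text describes.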

This option greatly simplifies the configuration and improves manageability. IP security overview. IPsec is designed to provide interoperable, high-quality, cryptographically based transmission security for IP traffic. IPsec is defined in RFC 4301. It offers data confidentiality, data integrity, data origin authentication, and anti-replay security services. These services are provided at the IP layer, offering protection for IP and upper-layer protocols. General concepts of IPsec follow. It is a set of standards defined in RFC 4301. It provides security at the network layer.

The IPsec protocols are IKE; AH, for data integrity, authentication and anti-replay of user traffic; and ESP, for data integrity, data origin authentication, anti-replay, and confidentiality. IPsec provides security services at the IP layer. It enables a system to select security protocols, determine the algorithms to use, and negotiate any cryptographic keys that are required to provide the requested services. IPsec can protect one or more paths between a pair of network devices. The IPsec protocol provides IP network-layer encryption and defines a new set of headers to be added to IP datagrams. The new headers furnish information for securing the payload of the IP packet. IPsec combines the following protocols. Internet Key Exchange (IKE) provides key management to IPsec.

Authentication Header (AH) defines a user-traffic encapsulation that provides data integrity, data origin authentication, and protection against replay to user traffic. Encapsulating Security Payload (ESP) defines a user-traffic encapsulation that provides data integrity, data origin authentication, protection against replay, and confidentiality to user traffic. The concept of a security association: both AH and ESP use SAs, and a major function of IKE is to establish and maintain SAs. An SA is a simple description of the current traffic protection parameters (algorithms, keys, traffic specification, and so on) that are applied to a specific user traffic flow. Security services are provided to an SA by using either AH or ESP.

If AH or ESP protection is applied to a traffic stream, two or more SAs are created to protect the traffic stream. To secure typical bidirectional communication between two hosts or between two security gateways, two SAs, one in each direction, are required. IKE operates in two phases. Phase 1 is used to establish a secure channel for phase 2; it establishes one bidirectional SA and can operate in main or aggressive mode. Phase 2 is used to establish a secure channel for data exchange; it establishes two or more unidirectional SAs and is called quick mode. IKE operates in two distinct phases.

Phase 1 is the initial negotiation phase between two peers. Phase 1 begins with an authentication in which each cryptographic peer verifies the identity of the other. Once authenticated, the cryptographic peers agree upon the encryption algorithm, hash method and other parameters. The peers establish a bidirectional SA. The goal of phase 1 is to establish a secure channel for phase 2. Phase 1 can operate in either main mode or aggressive mode. In phase 2, IKE negotiates IPsec parameters and sets up matching IPsec SAs in the peers.

The goal of phase 2 is to establish a secure channel for data exchange. The peers establish two or more unidirectional SAs. This exchange is called IKE quick mode. Transport and tunnel mode. In phase 1, IKE can operate in either main mode or aggressive mode. The major characteristics of these modes follow. Main mode has three two-way exchanges between peers. It allows for more flexible IKE protection policy negotiation and always protects peer identity. A downside of main mode is that it does not support dynamically addressed peers with pre-shared key (PSK) authentication.

With PSK authentication, dynamically addressed peers are accommodated only with public key infrastructure (PKI) facilitated authentication. The exception is when a wildcard PSK is used, but the usage of wildcard keys is strongly discouraged. In aggressive mode, fewer exchanges are made, with fewer packets; therefore, it is faster than main mode. But aggressive mode does not protect identities, because the names of the communicating peers are sent over the untrusted network in the clear. The main benefit of aggressive mode is that it supports PSK authentication for dynamically addressed peers. IPsec can operate in one of two modes. In tunnel mode, a new IPsec header is added to the packet, and the complete user IP packet is encapsulated as the payload. In transport mode, the original IP header is preserved, and forwarding decisions are based on the original IP header. When IPsec operates with AH in transport mode, AH protects the external IP header along with the data payload; AH services protect all the fields in the header that do not change in transit.

In transport mode, the AH header goes after the IP header and before the higher-layer protocols. In tunnel mode, the entire original header is authenticated and a new IP header is built; the new IP header is protected in the same way as the IP header is in transport mode. When IPsec operates with ESP in transport mode, the IP payload is encrypted and the original headers are left intact. In transport mode, the ESP header is inserted after the IP header and before the upper-layer protocol header; the upper-layer protocols are encrypted and authenticated along with the ESP header, but ESP does not authenticate the IP header itself. When ESP is used in tunnel mode, the original IP header is well protected because the entire original IP datagram is encrypted.

With the ESP authentication mechanism, the original IP datagram and the ESP header are included, but the new IP header is not included in the authentication. GRE over IPsec overview. The disadvantage of the GRE protocol is that it does not provide any encryption mechanisms. Therefore, GRE is typically used along with IPsec to take advantage of both mechanisms. An overview of GRE over IPsec follows. IPsec provides security but does not support IP broadcast or IP multicast. GRE can carry IP broadcast or IP multicast, but it does not support encryption. Use GRE over IPsec to overcome these drawbacks. There are two implementation options: cryptographic maps and the tunnel protection mechanism. Although IPsec provides a secure method for tunneling data across an IP network, it has limitations: IPsec does not support IP broadcast or IP multicast, preventing the use of protocols that rely on these features, such as routing protocols.
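The AH and ESP coverage rules in the preceding paragraphs are easier to reason about as a model. This added example (not from the course) lays each of the four protocol/mode combinations out as named segments, computes an HMAC-SHA256 integrity check value over exactly the segments the text says are authenticated, and then shows the practical consequence: rewriting the outermost IP header, as a NAT device does, is invisible to ESP but breaks AH. The key, addresses and payloads are constructed, the AH/ESP headers are placeholders, and no real cipher runs; encryption is only recorded as which segments would be hidden.

```python
"""AH versus ESP integrity coverage in transport and tunnel mode (added example, not from the course)."""
import hashlib
import hmac
from typing import Dict, List

KEY = b"constructed-demo-integrity-key"   # constructed; a real SA carries a negotiated key


def icv(data: bytes) -> bytes:
    """96-bit truncated HMAC-SHA256, the usual ICV length for IPsec integrity algorithms."""
    return hmac.new(KEY, data, hashlib.sha256).digest()[:12]


def auth_scope(protocol: str, mode: str) -> List[str]:
    """Segments covered by the integrity check, following the text.

    The IP-header segments stand for the immutable fields only: real AH zeroes
    mutable fields such as TTL and checksum before computing its ICV.
    """
    if protocol == "AH" and mode == "transport":
        return ["ip", "ah", "upper"]               # AH covers the IP header it sits behind
    if protocol == "AH" and mode == "tunnel":
        return ["outer_ip", "ah", "ip", "upper"]   # entire original datagram plus the new header
    if protocol == "ESP" and mode == "transport":
        return ["esp", "upper"]                    # the IP header is NOT authenticated
    if protocol == "ESP" and mode == "tunnel":
        return ["esp", "ip", "upper"]              # original datagram yes, new outer header no
    raise ValueError("protocol must be AH or ESP, mode transport or tunnel")


def encrypted_scope(protocol: str, mode: str) -> List[str]:
    """Segments ESP hides; AH provides no confidentiality at all."""
    if protocol == "AH":
        return []
    return ["upper"] if mode == "transport" else ["ip", "upper"]


def protect(protocol: str, mode: str, ip_hdr: bytes, upper: bytes, outer_ip: bytes = b"") -> Dict[str, bytes]:
    """Build the protected packet as an ordered dict of segments plus its ICV."""
    pkt: Dict[str, bytes] = {}
    if mode == "tunnel":
        pkt["outer_ip"] = outer_ip       # new IP header in front
    else:
        pkt["ip"] = ip_hdr               # transport: original header stays in front
    pkt[protocol.lower()] = b"\x00" * 8  # placeholder AH/ESP header (SPI, sequence number)
    if mode == "tunnel":
        pkt["ip"] = ip_hdr               # tunnel: original header becomes part of the payload
    pkt["upper"] = upper
    pkt["icv"] = icv(b"".join(pkt[s] for s in auth_scope(protocol, mode)))
    return pkt


def verify(protocol: str, mode: str, pkt: Dict[str, bytes]) -> bool:
    expected = icv(b"".join(pkt[s] for s in auth_scope(protocol, mode)))
    return hmac.compare_digest(expected, pkt["icv"])


def outer_header_rewrite_detected(protocol: str, mode: str) -> bool:
    """Rewrite the outermost IP header, as NAT would, and report whether the ICV catches it.

    Only the ICV is modelled here: the text's requirement of tunnel mode for GRE over
    IPsec through NAT stands, since transport mode has other problems behind NAT.
    """
    ip_hdr, upper = b"10.1.1.1>10.2.2.2", b"constructed payload"   # constructed values
    outer = b"192.0.2.1>198.51.100.1"
    pkt = protect(protocol, mode, ip_hdr, upper, outer)
    front = "outer_ip" if mode == "tunnel" else "ip"
    pkt[front] = b"203.0.113.9>198.51.100.1"   # source address translated by NAT
    return not verify(protocol, mode, pkt)


if __name__ == "__main__":
    for proto in ("AH", "ESP"):
        for mode in ("transport", "tunnel"):
            print(f"{proto:3s} {mode:9s} auth={auth_scope(proto, mode)} "
                  f"enc={encrypted_scope(proto, mode)} "
                  f"NAT rewrite detected={outer_header_rewrite_detected(proto, mode)}")
```

The model reproduces the text's statements exactly: AH in tunnel mode authenticates the new header and so fails after translation, whereas ESP in tunnel mode leaves the new header out of its authentication and still verifies, while keeping the entire original datagram encrypted.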

IPsec also does not support non-IP protocol traffic. On the other hand, GRE can be used to carry protocols such as IP broadcast, IP multicast and non-IP protocols, but the drawback of GRE is that it does not provide any encryption mechanisms. The solution is to combine both technologies: to get the benefits of both, you use GRE tunnels to transfer the desired traffic and IPsec to encrypt the GRE tunnels. The solution offers point-to-point tunnels. It is usually used when the enterprise must run routing protocols over the WAN and the traffic must be protected. The underlying transport can be the Internet or provider-managed VPNs. The solution is appropriate for a few tunnels; it can become an operational burden in larger deployments, because all tunnels are point-to-point. IPsec can be used in tunnel or transport mode. In the GRE over IPsec solution, tunnel mode adds an extra 20 bytes to the total packet size. Both modes work with GRE over IPsec.

However, when GRE over IPsec transits either a Network Address Translation (NAT) or Port Address Translation (PAT) device, tunnel mode is required. Tunnel mode is also required if the GRE tunnel endpoints and the cryptographic endpoints are different. There are two options when implementing the GRE over IPsec solution. Using cryptographic maps, the packets are routed to the tunnel interface; the packet is encapsulated with GRE; the encapsulated packet is forwarded according to the routing table to the appropriate interface; and there the encapsulated packet is encrypted using the cryptographic map configuration. Using tunnel protection, the packet is routed to the tunnel interface; GRE encapsulates the packet while IPsec adds encryption to the GRE tunnel; and the encrypted and encapsulated packet is forwarded to the destination according to the routing table.

The solution with cryptographic maps is complex; therefore, it is recommended to use the tunnel protection method. But sometimes there are situations when you need to use cryptographic maps, for example if you are doing encryption and encapsulation on different devices. IPsec VTI is another mechanism that is used to support VPNs. IPsec VTIs provide a routable interface type for terminating IPsec tunnels and an easy way to define protection between sites to form an overlay network. A VTI supports native IPsec tunneling and allows interface commands to be applied directly to the IPsec tunnels. The IPsec tunnel endpoint is associated with a virtual interface.

Because there is a routable interface at the tunnel endpoint, you can apply many common interface capabilities to the IPsec tunnel. VTIs support interoperability with standards-based IPsec installations of other vendors. An overview of VTI follows. It is the simplest form of the Cisco IOS tunnel-based site-to-site IPsec VPN configuration. It is a replacement for cryptographic map-based configuration. It behaves like other tunnel interfaces (GRE, IP-in-IP, and so on). The encapsulation is IPsec ESP or AH. VTIs have several features. They behave as a regular tunnel, one for each remote site of the VPN. Their encapsulation must be either IPsec ESP or AH. Their line protocol depends on the state of the VPN tunnel (IPsec security associations). The use of IPsec VTIs greatly simplifies the configuration process when you must provide protection for site-to-site VPN tunnels.

The benefit of IPsec VTI is that the configuration does not require a static mapping of IPsec sessions to a physical interface. The IPsec tunnel endpoint is associated with a virtual interface. Because there is a routable interface at the tunnel endpoint, you can apply many common interface capabilities to the IPsec tunnel. When you use the VTI approach, you configure a VTI and apply the IPsec profile on it via tunnel protection. It requires fewer configuration lines, because cryptographic maps are automatically generated for each tunnel. Features for plaintext packets are configured on the VTI. Features for encrypted packets are applied on the physical outside interface. The VTI approach is appropriate for smaller deployments and hub-and-spoke topologies.
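The VTI procedure above, an IPsec profile applied to a virtual tunnel interface through tunnel protection with plaintext features on the VTI and encrypted-traffic features on the physical outside interface, is shown here as an added example (not configuration from the course). It renders Cisco IOS-style configuration for one site and includes a check that flags crypto-map style configuration, which the VTI approach replaces. The peer addresses, the IKE policy, transform set, access-list and profile names are constructed sample values; the PSK is a placeholder.

```python
"""IPsec VTI site-to-site configuration and a design check (added example, not from the course)."""
from typing import List


def vti_site_config(local_wan: str, peer_wan: str, tunnel_ip: str, tunnel_no: int = 0) -> str:
    return "\n".join([
        # IKE phase 1 policy and PSK (constructed values; PKI would replace the PSK)
        "crypto isakmp policy 10",
        " encryption aes 256",
        " hash sha256",
        " authentication pre-share",
        " group 14",
        f"crypto isakmp key REPLACE-WITH-STRONG-PSK address {peer_wan}",
        "!",
        # Phase 2 transform set and the IPsec profile the text refers to
        "crypto ipsec transform-set VTI-TS esp-aes 256 esp-sha256-hmac",
        " mode tunnel",
        "crypto ipsec profile VTI-PROF",
        " set transform-set VTI-TS",
        "!",
        # Plaintext-side policy is configured on the VTI itself
        "ip access-list extended VTI-IN",
        " permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255",
        "!",
        f"interface Tunnel{tunnel_no}",
        f" ip address {tunnel_ip} 255.255.255.252",
        " ip access-group VTI-IN in",            # applied to decrypted (plaintext) traffic
        f" tunnel source {local_wan}",
        f" tunnel destination {peer_wan}",
        " tunnel mode ipsec ipv4",               # VTI: the encapsulation is IPsec, not GRE
        " tunnel protection ipsec profile VTI-PROF",
        "!",
        # Encrypted-side policy is applied on the physical outside interface
        "ip access-list extended OUTSIDE-IN",
        f" permit esp host {peer_wan} host {local_wan}",
        f" permit udp host {peer_wan} host {local_wan} eq isakmp",
        "!",
        "interface GigabitEthernet0/0",
        f" ip address {local_wan} 255.255.255.252",
        " ip access-group OUTSIDE-IN in",        # only IKE and ESP from the peer are accepted
        "!",
    ])


def check_vti_design(config: str) -> List[str]:
    """Return findings that contradict the VTI approach; an empty list is a pass."""
    findings: List[str] = []
    if "crypto map" in config:
        findings.append("crypto map present: VTI replaces crypto-map based configuration")
    tunnel_lines = [line for line in config.splitlines() if line.startswith(" tunnel ")]
    if " tunnel mode ipsec ipv4" not in tunnel_lines:
        findings.append("tunnel interface is not in IPsec mode")
    if not any(line.startswith(" tunnel protection ipsec profile") for line in tunnel_lines):
        findings.append("no IPsec profile attached via tunnel protection")
    return findings


if __name__ == "__main__":
    cfg = vti_site_config("203.0.113.1", "198.51.100.1", "10.255.0.1")   # constructed addresses
    print(cfg)
    print("findings:", check_vti_design(cfg) or "none")
```

The peer site uses the same template with the addresses swapped; because the VTI is a routable interface, a routing protocol can then run across it, and the tunnel's line protocol tracks the IPsec SA state, which is what makes routing-based failover possible where IPsec failover itself is not supported.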

An IPsec VTI has several benefits. Simplified configuration: customers can use the virtual tunnel construct to configure an IPsec peering. This option simplifies the VPN configuration compared to cryptographic maps or GRE over IPsec tunnels. Flexible interface feature support: an IPsec VTI is an encapsulation that uses its own Cisco IOS software interface. This characteristic offers the flexibility of defining features to run on either the physical interface, which operates on encrypted traffic, or the IPsec VTI, which operates on cleartext traffic.

Multicast support: customers can use IPsec VTIs to securely transfer multicast traffic, such as voice and video applications, from one site to another. Improved scalability: IPsec VTIs need fewer established SAs to cover different types of traffic, both unicast and multicast, thus enabling improved scaling. Provides a routable interface: like GRE over IPsec, IPsec VTIs can natively support all types of IP routing protocols, which provide scalability and redundancy. An IPsec VTI also has some limitations. The IPsec VTI is limited to IP unicast and multicast traffic only, as opposed to GRE tunnels, which have wider multiprotocol support. Cisco IOS software IPsec failover is not supported with IPsec VTIs. However, you can use alternative failover methods using dynamic routing protocols to achieve similar functionality.