So it's that time again for me to renew my Cisco Certifications. As a result, this post is based on my preparation for the CCNP Route Exam (300-101).
In this post I will be focusing on Remote Site Connectivity.
Multiprotocol Label Switching (MPLS)
- Commonly used by service providers
- Enterprises use MPLS for backbone networks
- Forwarding decisions are made based on labels instead of IP addresses
- The label is 32 bits in size and is inserted between the layer 2 and layer 3 headers
- The MPLS header is also called a "shim header" because it is wedged between two existing headers
Two categories of MPLS VPNs
Layer 2
- Customer edge (CE) routers at different sites form a neighbourship as if they were directly adjacent
- The provider network operates like a layer 2 switch
Layer 3
- The provider edge (PE) router, also called an Edge Label Switch Router (ELSR), establishes a relationship with the customer edge (CE) router
- Routes learnt from the CE router are sent to the remote PE routers across the MPLS cloud
- Uses Multiprotocol BGP (MP-BGP)
- Once the remote PE router learns a route, it is then sent on to its CE router
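The layer 3 MPLS VPN workflow above (PE-CE relationship, routes carried between PEs by MP-BGP, then handed to the remote CE) maps onto a fairly small PE configuration. The following Cisco IOS snippet is an added example written for this post, not configuration from the Cert Guide or from Cisco's documentation; the VRF name CUST-A, the AS numbers 65000/65001, the loopback and interface addresses, and the route distinguisher/route-target value 65000:1 are all assumed values chosen for illustration.

```cisco
! Added example PE (ELSR) configuration, not from the original post.
! Core-facing side: LDP distributes labels so the MPLS cloud forwards on
! labels rather than on the customer's IP addresses.
mpls ldp router-id Loopback0 force
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
interface GigabitEthernet0/0
 description To P router (MPLS core)
 ip address 10.1.1.1 255.255.255.252
 mpls ip
!
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
!
! Customer VRF: the route-target decides which routes learnt from this CE
! are exported to remote PEs and which remote routes are imported here.
vrf definition CUST-A
 rd 65000:1
 address-family ipv4
  route-target export 65000:1
  route-target import 65000:1
!
! CE-facing side: the PE-CE "relationship" from the notes above.
interface GigabitEthernet0/1
 description To CE router (customer site A)
 vrf forwarding CUST-A
 ip address 192.168.1.1 255.255.255.0
!
router bgp 65000
 neighbor 10.255.0.2 remote-as 65000
 neighbor 10.255.0.2 update-source Loopback0
 ! MP-BGP (vpnv4) session to the remote PE, carrying VPN routes and labels.
 address-family vpnv4
  neighbor 10.255.0.2 activate
  neighbor 10.255.0.2 send-community extended
 exit-address-family
 ! eBGP session to the CE inside the VRF: routes learnt here are exported
 ! via the route-target, and imported routes are advertised back to the CE.
 address-family ipv4 vrf CUST-A
  neighbor 192.168.1.2 remote-as 65001
  neighbor 192.168.1.2 activate
 exit-address-family
```

The `send-community extended` line is what carries the route-target with each vpnv4 route; without it the remote PE cannot match the route into the right VRF, which is the most common reason a customer's prefixes are visible on the local PE but never reach the remote CE. `show bgp vpnv4 unicast all` on both PEs and `show ip route vrf CUST-A` on the remote PE confirm each hop of the route's journey described in the notes.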
Tunnel Based Virtual Private networks
- Generic Routing Encapsulation (GRE)
  - Encapsulates any layer 3 protocol
  - GRE by itself does not provide security for data in transit
  - Uses an IPSec VPN for security/confidentiality
  - Can encapsulate IP multicast packets
- Dynamic Multipoint VPN (DMVPN)
  - VPN tunnels between remote sites can be torn down and created as needed
  - If tunnels flap, check the neighbourship between the routers: if the neighbourship is not always up, the VPN may flap with it
  - The headend interface is configured as mGRE to allow dynamic creation of tunnels
  - In a hub-and-spoke design each branch can be configured with a point-to-point (p2p) GRE interface
  - Spoke-to-spoke configuration requires the spoke interface to use mGRE
- Multipoint GRE (mGRE)
  - Allows a routing device to support multiple GRE tunnels on a single interface
  - Transports a wide variety of protocols
  - The hub router can have a single mGRE interface which multiple tunnels can use
  - Uses the Next Hop Resolution Protocol (NHRP) to dynamically form GRE tunnels
  - Can use a hub-and-spoke or spoke-to-spoke topology
  - Tunnel destinations do not have to be configured
  - GRE adds a 4-byte header, a 4-byte mGRE tunnel key and 20 bytes for the additional IP header
  - Tunnel keys allow the router to have multiple mGRE interfaces
Next Hop Resolution Protocol (NHRP)
- Is a layer 2 address resolution protocol (concepts similar to ARP)
- Uses a client-server model
- The hub router acts as the server
- Spoke routers act as clients
- Spokes are configured with the IP address of the hub
- Clients inform the hub of both their physical address and logical address when they come online
- A loopback interface can be used
- Spokes can query the hub database for the IP addresses of physical interfaces
- Spokes send an NHRP query to the hub
- Default hold time is 2 hours; the recommended value is 10 minutes
- The cache can be populated with either static or dynamic entries
- All routers must share the same network ID to participate in the NHRP network
- IPSec
  - Can only protect unicast IP packets
  - Confidentiality is provided through encryption
  - Integrity ensures the data is not modified in transit; this can be done through the use of a checksum or hash value of the data
  - Authentication verifies that each party is who they claim to be
  - Anti-replay features are provided through the use of sequence numbers
  - Encryption and authentication are the more important features for DMVPN
  - Security Associations (SA) are phase 1
  - Phase 2 protects phase 1 tunnels
  - Phase 2 is a unidirectional SA negotiation; each data flow uses a separate key exchange
  - Uses Authentication Header (AH), IP protocol 51, or Encapsulating Security Payload (ESP), IP protocol 50
  - Both AH and ESP offer an origin authentication service, which ensures the end points are who they claim to be and the data is not modified
  - ESP encrypts the original packet
  - AH does not provide any encryption
  - Uses transport or tunnel mode
Transport Mode
- Uses the packet's original IP header; no additional tunnel header is added
- Used in client-to-site connections
Tunnel Mode
- Encapsulates the entire packet, which adds additional headers. The new header is the IPSec header
- The new header carries the source and destination IP addresses of the VPN endpoints
- Typically used in site-to-site VPNs
References:
- CCNP Routing and Switching ROUTE 300-101 Official Cert Guide
- http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/WAN_and_MAN/DMVPDG/DMVPN_2_Phase2.html
- https://tools.ietf.org/html/rfc2332