Saturday, January 10, 2015

Cisco CCNP - 300-101 - Remote Site Connectivity

So it's that time again for me to renew my Cisco Certifications. As a result, this post is based on my preparation for the CCNP Route Exam (300-101).

In this post I will be focusing on Remote Site Connectivity.

Multiprotocol Label Switching (MPLS)
    - Commonly used by service providers
    - Enterprises use MPLS for backbone networks
    - Makes forwarding decisions based on labels instead of IP addresses
    - The label is 32 bits and is inserted between the layer 2 and layer 3 headers
    - The MPLS header is also called a "shim header" because it is stuck between two existing headers
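To make the "32-bit label between the layer 2 and layer 3 headers" concrete, here is an added example (not from the post or the cert guide) that walks a constructed Ethernet frame, peels off the label stack one shim entry at a time and then reads the IPv4 header that follows. The shim field layout (20-bit label, 3-bit TC/EXP, 1-bit bottom-of-stack, 8-bit TTL) and the 0x8847 EtherType are assumed from RFC 3032; the sample frame is constructed, not captured.

```python
import struct

ETH_P_MPLS_UC = 0x8847  # EtherType for MPLS unicast

def shim(label: int, tc: int, bos: int, ttl: int) -> bytes:
    """Build one 32-bit MPLS shim entry: 20-bit label | 3-bit TC | 1-bit S | 8-bit TTL."""
    return struct.pack("!I", (label << 12) | (tc << 9) | (bos << 8) | ttl)

def parse_mpls_frame(frame: bytes):
    """Return (label_stack, inner_ipv4) for an Ethernet frame carrying MPLS.

    The shim headers sit between the layer 2 (Ethernet) header and the
    layer 3 (IPv4) header; the S bit marks the bottom of the label stack.
    """
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_MPLS_UC:
        raise ValueError("not MPLS unicast: ethertype 0x%04x" % ethertype)
    off, labels = 14, []
    while True:
        (entry,) = struct.unpack("!I", frame[off:off + 4])
        labels.append({"label": entry >> 12, "tc": (entry >> 9) & 0x7,
                       "bos": (entry >> 8) & 0x1, "ttl": entry & 0xFF})
        off += 4
        if labels[-1]["bos"]:
            break
    # MPLS has no next-protocol field: a label switch router never looks past the
    # label, so the receiver has to infer the payload type (here: IP version nibble).
    if frame[off] >> 4 != 4:
        raise ValueError("payload after label stack is not IPv4")
    inner = {"protocol": frame[off + 9],
             "src": ".".join(str(b) for b in frame[off + 12:off + 16]),
             "dst": ".".join(str(b) for b in frame[off + 16:off + 20])}
    return labels, inner

# Constructed sample frame (not a real capture): Ethernet + 2 labels + IPv4/ICMP header.
SAMPLE_FRAME = (
    bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ETH_P_MPLS_UC)
    + shim(16, 0, 0, 64)      # transport label, not bottom of stack
    + shim(100, 5, 1, 255)    # VPN label, bottom of stack
    + bytes.fromhex("4500001c00010000" "4001" "0000")  # ver/IHL .. TTL=64, proto=1 (ICMP), checksum
    + bytes([10, 0, 0, 1]) + bytes([192, 168, 1, 1])
)

if __name__ == "__main__":
    print(parse_mpls_frame(SAMPLE_FRAME))
```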
   
Two categories of MPLS VPNs
    Layer 2
        - Customer edge (CE) routers at different sites form a neighbourship as if they were directly adjacent
        - The provider network operates like a layer 2 switch
       
    Layer 3
        - The provider edge (PE) router, also called an Edge Label Switch Router (ELSR), establishes a routing relationship with the customer edge (CE) router
        - Routes learnt from the CE router are sent to the remote PE routers across the MPLS cloud
        - Uses Multiprotocol BGP (MP-BGP)
        - Once the remote PE router learns a route, it is sent on to its CE router
   
Tunnel Based Virtual Private Networks
    - Generic Routing Encapsulation (GRE)
            - Encapsulates any layer 3 protocol
            - GRE by itself does not provide security for data in transit
            - Combined with an IPSec VPN for security/confidentiality
            - Can encapsulate IP multicast packets
   
    - Dynamic Multipoint VPN (DMVPN)
            - VPN tunnels between remote sites can be torn down and created as needed
            - To address flapping, check the neighbourship between the routers
            - If the neighbourship is not always up, the VPN may flap
            - The headend interface is configured as mGRE, to allow dynamic creation of tunnels
            - In a hub-and-spoke design each branch can be configured with a point-to-point GRE interface
            - Spoke-to-spoke configuration requires the spoke interface to use mGRE
           
   
    - Multipoint GRE (mGRE)
            - Allows a routing device to support multiple GRE tunnels on a single interface
            - Transports a wide variety of protocols
            - The hub router can have a single mGRE interface that multiple tunnels can use
            - Uses Next Hop Resolution Protocol (NHRP) to dynamically form GRE tunnels
            - Can use a hub-and-spoke or spoke-to-spoke topology
            - Tunnel destinations do not have to be configured
            - GRE adds a 4-byte header, a 4-byte mGRE tunnel key and a 20-byte additional IP header
            - Tunnel keys allow the router to have multiple mGRE interfaces
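The "4 bytes GRE header + 4 bytes tunnel key + 20 bytes outer IP" figure above is easy to check by parsing a packet. This added example (mine, not from the post or Cisco documentation) decodes a constructed outer-IPv4/GRE packet, pulls out the tunnel key and reports the encapsulation overhead; the GRE flag bits (C, K, S) and optional-field order are assumed from RFC 2784/2890, and gre_tunnel_mtu is a hypothetical helper that only does the arithmetic from the page's numbers.

```python
import struct

IPPROTO_GRE = 47
GRE_FLAG_C, GRE_FLAG_K, GRE_FLAG_S = 0x8000, 0x2000, 0x1000  # checksum / key / sequence present

def parse_gre_packet(pkt: bytes) -> dict:
    """Parse outer IPv4 + GRE and report what the encapsulation added.

    The mandatory GRE header is 4 bytes; the key (used as the mGRE tunnel key)
    adds 4 more; the outer IPv4 header adds 20. Checksum and sequence fields are
    optional and handled so a real capture parses correctly too.
    """
    ihl = (pkt[0] & 0xF) * 4
    if pkt[9] != IPPROTO_GRE:
        raise ValueError("outer IP protocol %d is not GRE" % pkt[9])
    off = ihl
    flags, proto_type = struct.unpack("!HH", pkt[off:off + 4])
    off += 4
    key = seq = None
    if flags & GRE_FLAG_C:
        off += 4                                  # checksum + reserved1
    if flags & GRE_FLAG_K:
        (key,) = struct.unpack("!I", pkt[off:off + 4])
        off += 4
    if flags & GRE_FLAG_S:
        (seq,) = struct.unpack("!I", pkt[off:off + 4])
        off += 4
    return {
        "outer_src": ".".join(str(b) for b in pkt[12:16]),
        "outer_dst": ".".join(str(b) for b in pkt[16:20]),
        "tunnel_key": key, "sequence": seq,
        "inner_protocol": proto_type,             # 0x0800 = IPv4 payload
        "overhead": off,                          # bytes added in front of the payload
        "payload": pkt[off:],
    }

def gre_tunnel_mtu(physical_mtu: int, keyed: bool = True) -> int:
    """Largest inner packet that fits without fragmentation, using the page's overhead figures."""
    return physical_mtu - 20 - 4 - (4 if keyed else 0)

# Constructed sample (not a real capture): outer IPv4 (proto 47) + GRE with key 100 + inner IPv4 header.
SAMPLE_GRE = (
    bytes.fromhex("4500003000010000" "402f" "0000") + bytes([203, 0, 113, 1]) + bytes([203, 0, 113, 2])
    + struct.pack("!HHI", GRE_FLAG_K, 0x0800, 100)
    + bytes.fromhex("4500001400010000" "4006" "0000") + bytes([10, 1, 1, 1]) + bytes([10, 2, 2, 2])
)

if __name__ == "__main__":
    print(parse_gre_packet(SAMPLE_GRE)["overhead"], gre_tunnel_mtu(1500))
```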
           
        Next Hop Resolution Protocol (NHRP)
            - Is a layer 2 address resolution protocol (concept similar to ARP)
            - Uses a client-server model
            - The hub router acts as the server
            - Spoke routers act as clients
            - Spokes are configured with the IP address of the hub
            - Clients inform the hub of both their physical address and their logical address when they come online
            - Can use a loopback interface
            - Spokes can query the hub database for the IP addresses of physical interfaces
            - Spokes send an NHRP query to the hub
            - Default hold time is 2 hours; the recommended value is 10 mins
            - The cache can be populated with either static or dynamic entries
            - All routers must share the same network ID to participate in the NHRP network
           
   
    - IPSec
        - Can only protect unicast IP packets
        - Confidentiality is provided through encryption
        - Integrity ensures the data is not modified in transit. This is done through the use of a checksum or hash value of the data
        - Authentication verifies that each party is who they claim to be
        - Anti-replay protection is provided through the use of sequence numbers
        - Encryption and authentication are the more important features for DMVPN
        - Security Associations (SA) are phase 1
        - Phase 2 protects phase 1 tunnels
        - Phase 2 negotiates unidirectional SAs; each data flow uses a separate key exchange
        - Uses Authentication Header (AH), protocol 51, or Encapsulating Security Payload (ESP), protocol 50
        - Both AH and ESP offer an origin authentication service, which ensures the endpoints are who they claim to be and that the data has not been modified
        - ESP encrypts the original packet
        - AH does not provide any encryption
        - Uses transport or tunnel mode
           
            Transport Mode
                - Uses the packet's original IP header; no additional tunnel header is added
                - Used in client-to-site connections
           
            Tunnel Mode
                - Encapsulates the entire packet, which adds additional headers. The new header is the IPSec header
                - The new header carries the source and destination IP addresses of the VPN endpoints
                - Typically used in site-to-site VPNs
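Two of the IPSec points above, protocol numbers 50/51 and anti-replay via sequence numbers, can be shown together. This added example (mine, not from the post or the cert guide) reads the SPI and sequence number from an ESP or AH packet and runs a sliding anti-replay window of the kind a VPN gateway keeps per Security Association, rejecting duplicates and packets that have fallen behind the window. Header layouts are assumed from RFC 4303 (ESP) and RFC 4302 (AH), the window logic follows the RFC 4303 bitmap scheme, and all packets are constructed samples.

```python
import struct

IPPROTO_ESP, IPPROTO_AH = 50, 51

def ipsec_header_info(pkt: bytes) -> dict:
    """Read SPI and sequence number from an IPv4 packet carrying ESP (50) or AH (51).
    Both put SPI and sequence number at the front in clear text, so a gateway can run
    the anti-replay check before any cryptographic work."""
    ihl = (pkt[0] & 0xF) * 4
    if pkt[9] == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", pkt[ihl:ihl + 8])
        return {"protocol": "ESP", "spi": spi, "seq": seq}
    if pkt[9] == IPPROTO_AH:
        nxt, _plen, _rsv, spi, seq = struct.unpack("!BBHII", pkt[ihl:ihl + 12])
        return {"protocol": "AH", "spi": spi, "seq": seq, "next_header": nxt}
    raise ValueError("protocol %d is neither ESP nor AH" % pkt[9])

class ReplayWindow:
    """Sliding anti-replay window for one SA: bit i of the bitmap means
    sequence number (last - i) has already been accepted."""
    def __init__(self, size: int = 64):
        self.size, self.last, self.bitmap = size, 0, 0

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:
            return False                         # 0 is never a valid first sequence number
        if seq > self.last:                      # newer than anything seen: slide the window
            shift = seq - self.last
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.last = seq
            return True
        diff = self.last - seq
        if diff >= self.size or self.bitmap & (1 << diff):
            return False                         # too old, or already seen (replay)
        self.bitmap |= 1 << diff
        return True

def filter_replays(packets, window_size: int = 64):
    """Run packets of one SA through the window; return (accepted, rejected) sequence numbers."""
    window, accepted, rejected = ReplayWindow(window_size), [], []
    for pkt in packets:
        seq = ipsec_header_info(pkt)["seq"]
        (accepted if window.check_and_update(seq) else rejected).append(seq)
    return accepted, rejected

def esp_packet(spi: int, seq: int) -> bytes:
    """Constructed sample: minimal IPv4 header (proto 50) + ESP SPI/seq + 8 dummy payload bytes."""
    ip = bytes.fromhex("4500002400010000" "4032" "0000") + bytes([198, 51, 100, 1]) + bytes([198, 51, 100, 2])
    return ip + struct.pack("!II", spi, seq) + b"\x00" * 8
```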

               
References:
CCNP official Cert Guide - CCNP Routing and Switching - Route 300-101
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/WAN_and_MAN/DMVPDG/DMVPN_2_Phase2.html
https://tools.ietf.org/html/rfc2332
