3.3 VPNs
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 20
Fundamentals of VPNs
Introducing VPNs
A VPN is a private network created via tunneling over a public network, usually the Internet.
A secure implementation of a VPN with encryption, such as an IPsec VPN, is what is usually meant by virtual private networking.
To implement VPNs, a VPN gateway is necessary; it could be a router, a firewall, or a Cisco Adaptive Security Appliance (ASA).
Fundamentals of VPNs
Benefits of VPNs
The benefits of a VPN include the following:
• Cost savings - VPNs enable organizations to use cost-effective, high-bandwidth technologies, such as DSL, to connect remote offices and remote users to the main site.
• Scalability - Organizations are able to add large amounts of capacity without adding significant infrastructure.
• Compatibility with broadband technology - VPNs allow mobile workers and telecommuters to take advantage of high-speed broadband connectivity.
• Security - VPNs can use advanced encryption and authentication protocols.
Types of VPNs
Site-to-Site VPNs
Site-to-site VPNs connect entire networks to each other, for example, connecting a branch office network to a company headquarters network.
In a site-to-site VPN, end hosts send and receive normal TCP/IP traffic through a VPN “gateway”.
The VPN gateway is responsible for encapsulating and encrypting outbound traffic.
Types of VPNs
Remote Access VPNs
A remote-access VPN supports the needs of telecommuters, mobile users, and extranet traffic.
It allows for dynamically changing information, and can be enabled and disabled as needed.
It is used to connect individual hosts that must access their company network securely over the Internet.
VPN client software may need to be installed on the mobile user’s end device.
Types of VPNs
DMVPN
Dynamic Multipoint VPN (DMVPN) is a Cisco software solution for building multiple VPNs.
DMVPN is built using the following technologies:
• Next Hop Resolution Protocol (NHRP) - NHRP creates a distributed mapping database of public IP addresses for all tunnel spokes.
• Multipoint Generic Routing Encapsulation (mGRE) tunnels - An mGRE tunnel interface allows a single GRE interface to support multiple IPsec tunnels.
• IP Security (IPsec) encryption - provides secure transport of private information over public networks.
3.4 GRE
GRE Overview
GRE Introduction
Generic Routing Encapsulation (GRE) is a non-secure, site-to-site VPN tunneling protocol developed by Cisco.
GRE manages the transportation of multiprotocol and IP multicast traffic between two or more sites.
A tunnel interface supports a header for each of the following:
• An encapsulated protocol, or passenger protocol, such as IPv4 or IPv6.
• An encapsulation protocol, or carrier protocol, such as GRE.
• A transport delivery protocol, such as IP.
GRE Overview
GRE Characteristics
GRE is defined as an IETF standard (RFC 2784).
In the outer IP header, 47 is used in the protocol field.
GRE encapsulation uses a protocol type field in the GRE header to support the encapsulation of any OSI Layer 3 protocol.
GRE is stateless.
GRE does not include any strong security mechanisms.
The GRE header, together with the tunneling IP header, creates at least 24 bytes of additional overhead for tunneled packets.
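The three-header stack from the GRE Introduction slide (passenger, carrier, transport) and the characteristics listed above (protocol 47 in the outer header, the protocol type field, at least 24 bytes of overhead, no security) can all be observed on a real packet. The following Python script is an added example and is not part of the original slides or Cisco's own tooling: it builds a basic RFC 2784 GRE-in-IPv4 packet around a constructed ICMP passenger packet, decapsulates it, measures the overhead, and shows that the passenger payload remains readable in transit. All addresses and the ICMP payload are constructed sample values.

```python
import struct
import ipaddress

GRE_IP_PROTOCOL = 47         # protocol field value of the outer (transport) IP header
GRE_PROTO_IPV4 = 0x0800      # GRE protocol type values use EtherType numbering
GRE_PROTO_IPV6 = 0x86DD


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (0 when computed over a valid header)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, protocol: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header without options; the checksum field is filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + payload_len, 0, 0, 64, protocol, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def gre_encapsulate(tunnel_src: str, tunnel_dst: str, passenger: bytes,
                    protocol_type: int = GRE_PROTO_IPV4) -> bytes:
    """Wrap a passenger packet in a basic GRE header and an outer IPv4 header.

    Result layout: transport (outer IPv4, protocol 47) + carrier (GRE) + passenger.
    The basic GRE header is 4 bytes: C flag, reserved bits, version 0, protocol type.
    """
    gre_header = struct.pack("!HH", 0x0000, protocol_type)
    outer = build_ipv4_header(tunnel_src, tunnel_dst, GRE_IP_PROTOCOL,
                              len(gre_header) + len(passenger))
    return outer + gre_header + passenger


def gre_decapsulate(packet: bytes):
    """Strip the transport and carrier headers; return (protocol_type, passenger)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_IP_PROTOCOL:
        raise ValueError("outer header does not carry GRE (protocol %d)" % packet[9])
    flags_version, protocol_type = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags_version & 0x0007:
        raise ValueError("unsupported GRE version")
    gre_len = 4 + (4 if flags_version & 0x8000 else 0)  # C flag adds checksum + reserved1
    return protocol_type, packet[ihl + gre_len:]


def tunnel_overhead(tunneled: bytes, passenger: bytes) -> int:
    """Bytes added by the outer IP header plus the GRE header (20 + 4 = 24 here)."""
    return len(tunneled) - len(passenger)


def payload_visible_in_transit(tunneled: bytes, marker: bytes = b"branch-ping") -> bool:
    """GRE adds no confidentiality: the passenger payload is readable from the tunneled bytes."""
    return marker in tunneled


# Constructed sample passenger: an IPv4 packet carrying an ICMP echo request with a
# recognisable payload (ICMP checksum left at zero, since only the framing matters here).
ICMP_ECHO = b"\x08\x00\x00\x00\x00\x01\x00\x01" + b"branch-ping"
PASSENGER = build_ipv4_header("10.1.1.1", "10.2.2.2", 1, len(ICMP_ECHO)) + ICMP_ECHO
TUNNELED = gre_encapsulate("209.165.201.1", "209.165.202.130", PASSENGER)

if __name__ == "__main__":
    ptype, inner = gre_decapsulate(TUNNELED)
    print("outer protocol field:", TUNNELED[9])
    print("GRE protocol type: 0x%04x" % ptype)
    print("overhead bytes:", tunnel_overhead(TUNNELED, PASSENGER))
    print("passenger recovered intact:", inner == PASSENGER)
    print("payload readable in transit:", payload_visible_in_transit(TUNNELED))
```

The 24-byte figure on the slide is the minimum: setting the GRE C flag (or using the key and sequence extensions from RFC 2890) grows the carrier header, and IP options grow the transport header. The last check is the practical reason the earlier slides pair GRE with IPsec: anyone on the path between the two tunnel endpoints can read the passenger packet.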
Implement GRE
Configure GRE
Five steps to configuring a GRE tunnel:
• Step 1. Create a tunnel interface using the interface tunnel number command.
• Step 2. Configure an IP address for the tunnel interface (usually a private address).
• Step 3. Specify the tunnel source IP address.
• Step 4. Specify the tunnel destination IP address.
• Step 5. (Optional) Specify GRE tunnel mode as the tunnel interface mode.
Note: The tunnel source and tunnel destination commands reference the IP addresses of the preconfigured physical interfaces.
Implement GRE
Verify GRE
Use the show ip interface brief command to verify that the tunnel interface is up.
Use the show interface tunnel command to verify the state of the tunnel.
Use the show ip ospf neighbor command to verify that an OSPF adjacency has been established over the tunnel interface.
Implement GRE
Troubleshoot GRE
Issues with GRE are usually due to one or more of the following:
• The tunnel interface IP addresses are not on the same network or the subnet masks do not match. Use the show ip interface brief command.
• The interfaces for the tunnel source and/or destination are not configured with the correct IP address or are down. Use the show ip interface brief command.
• Static or dynamic routing is not properly configured. Use show ip route or show ip ospf neighbor.
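The five configuration steps from the Configure GRE slide and the three-point troubleshooting checklist above can be turned into an automated check that runs over the configuration and show output of both tunnel endpoints. The Python script below is an added example, not from the original slides or from Cisco: it parses the tunnel interface blocks from IOS-style running-config text (steps 1 to 5 are visible in the sample), reads interface state from show ip interface brief style lines, and reports the checklist items that fail. The router names, configurations, interface-brief output and routing prefixes are constructed sample data (209.165.201.1 is the only address taken from this chapter).

```python
import ipaddress
import re

# Constructed sample data (not from the slides): running-config excerpts for both tunnel
# endpoints, 'show ip interface brief' style output for R1, and R1's routes as prefixes.
R1_CONFIG = """
interface GigabitEthernet0/0
 ip address 209.165.201.1 255.255.255.252
!
interface Tunnel0
 ip address 192.168.2.1 255.255.255.252
 tunnel source 209.165.201.1
 tunnel destination 209.165.202.130
 tunnel mode gre ip
!
"""

R2_CONFIG = """
interface GigabitEthernet0/0
 ip address 209.165.202.130 255.255.255.252
!
interface Tunnel0
 ip address 192.168.2.2 255.255.255.252
 tunnel source 209.165.202.130
 tunnel destination 209.165.201.1
 tunnel mode gre ip
!
"""

R1_BRIEF = """
Interface              IP-Address       OK? Method Status                Protocol
GigabitEthernet0/0     209.165.201.1    YES manual up                    up
Tunnel0                192.168.2.1      YES manual up                    up
"""

R1_ROUTES = ["209.165.201.0/30", "0.0.0.0/0"]   # connected link plus a default route to the ISP


def parse_config(text: str) -> dict:
    """Parse the interface blocks of IOS-style config text into {name: {attribute: value}}."""
    interfaces, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^interface (\S+)$", line)
        if m:
            current = interfaces.setdefault(m.group(1), {})
            continue
        if line == "!" or not line:
            current = None if line == "!" else current
            continue
        if current is None:
            continue
        if line.startswith("ip address "):
            _, _, ip, mask = line.split()
            current["ip"] = ipaddress.IPv4Interface(f"{ip}/{mask}")
        elif line.startswith("tunnel source "):
            current["source"] = line.split()[2]
        elif line.startswith("tunnel destination "):
            current["destination"] = line.split()[2]
        elif line.startswith("tunnel mode "):
            current["mode"] = " ".join(line.split()[2:])
    return interfaces


def parse_brief(text: str) -> dict:
    """Parse 'show ip interface brief' style lines into {name: (ip, is_up)}."""
    status = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] == "Interface":
            continue
        # Status may be 'up' or 'administratively down'; protocol is the last column.
        status[parts[0]] = (parts[1], parts[4] == "up" and parts[-1] == "up")
    return status


def check_tunnel(local_cfg: str, local_brief: str, local_routes: list,
                 peer_cfg: str, tunnel: str = "Tunnel0") -> list:
    """Apply the troubleshooting checklist from the local router's point of view."""
    findings = []
    lcl = parse_config(local_cfg).get(tunnel, {})
    peer = parse_config(peer_cfg).get(tunnel, {})
    for side, cfg in (("local", lcl), ("peer", peer)):
        missing = [k for k in ("ip", "source", "destination") if k not in cfg]
        if missing:
            return [f"{tunnel}: {side} config is missing {', '.join(missing)}"]
    brief = parse_brief(local_brief)
    routes = [ipaddress.IPv4Network(r) for r in local_routes]

    # Check 1: tunnel addresses on the same network with matching masks
    if lcl["ip"].netmask != peer["ip"].netmask:
        findings.append(f"{tunnel}: subnet masks differ ({lcl['ip'].netmask} vs {peer['ip'].netmask})")
    elif lcl["ip"].network != peer["ip"].network:
        findings.append(f"{tunnel}: addresses {lcl['ip']} and {peer['ip']} are not on the same network")

    # Check 2: tunnel source is a local physical interface that is up, and source/destination mirror the peer
    src_if = next((n for n, (ip, _) in brief.items() if ip == lcl["source"] and n != tunnel), None)
    if src_if is None:
        findings.append(f"{tunnel}: tunnel source {lcl['source']} is not configured on any local interface")
    elif not brief[src_if][1]:
        findings.append(f"{tunnel}: tunnel source interface {src_if} is down")
    if peer["destination"] != lcl["source"] or lcl["destination"] != peer["source"]:
        findings.append(f"{tunnel}: tunnel source/destination addresses do not mirror the peer's")

    # Check 3: a route (static, dynamic or default) exists to the tunnel destination
    dst = ipaddress.IPv4Address(lcl["destination"])
    if not any(dst in net for net in routes):
        findings.append(f"{tunnel}: no route to tunnel destination {dst}")
    return findings


if __name__ == "__main__":
    print("healthy pair:", check_tunnel(R1_CONFIG, R1_BRIEF, R1_ROUTES, R2_CONFIG))
    bad_peer = R2_CONFIG.replace("192.168.2.2 255.255.255.252", "192.168.2.2 255.255.255.0")
    print("mask mismatch:", check_tunnel(R1_CONFIG, R1_BRIEF, R1_ROUTES, bad_peer))
```

Run the same check from R2's side with R2's own interface-brief output and routes; each router only sees its own routing table, so a missing route shows up on one side before the other.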
3.5 eBGP
BGP Overview
IGP and EGP Routing Protocols
IGPs are used to exchange routing information within a company network or an autonomous system (AS).
An Exterior Gateway Protocol (EGP) is used for the exchange of routing information between autonomous systems, such as ISPs.
Border Gateway Protocol (BGP) is an Exterior Gateway Protocol (EGP).
• Every AS is assigned a unique 16-bit or 32-bit AS number which uniquely identifies it on the Internet.
BGP Overview
eBGP and iBGP
External BGP (eBGP) - External BGP is the routing protocol used between routers in different autonomous systems.
Internal BGP (iBGP) - Internal BGP is the routing protocol used between routers in the same AS.
Two routers exchanging BGP routing information are known as BGP peers.
BGP Design Considerations
When to use BGP
BGP is used when an AS has connections to multiple autonomous systems. This is known as
multi-homed.
A misconfiguration of a BGP router could have negative effects throughout the Internet.
BGP Design Considerations
When not to use BGP
BGP should not be used when one of the following conditions exists:
• There is a single connection to the Internet or another AS. This is known as single-homed.
• There is a limited understanding of BGP.
Note: Although it is recommended only in unusual situations, for the purposes of this course, you will configure single-homed BGP.
BGP Design Considerations
BGP Options
Three common ways an organization can implement BGP in a multi-homed environment:
• Default Route Only
• Default Route and ISP Routes
• All Internet Routes (this would include routes to over 550,000 networks)
eBGP Branch Configuration
Steps to Configure eBGP
To implement eBGP:
• Enable BGP routing.
• Configure BGP neighbor(s) (peering).
• Advertise network(s) originating from this AS.
eBGP Branch Configuration
BGP Sample Configuration
The router bgp as-number global configuration command enables BGP and identifies the AS number.
The neighbor ip-address remote-as as-number router configuration command identifies the BGP peer and its AS number.
The network network-address [mask network-mask] router configuration command enters the network-address into the local BGP table.
Note: The network-address used in the network command does not have to be a directly connected network.
Company-A(config)#router bgp 65000
Company-A(config-router)#neighbor 209.165.201.1 remote-as 65001
Company-A(config-router)#network 198.133.219.0 mask 255.255.255.0
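The AS numbers given to router bgp and neighbor ... remote-as in the sample configuration above are what the two peers exchange in their BGP OPEN messages when the session comes up, and the 16-bit versus 32-bit distinction from the IGP and EGP slide is visible there: the OPEN message's My AS field is only two bytes, so a 32-bit AS number travels in the 4-octet AS capability (RFC 6793) while the two-byte field carries the reserved value AS_TRANS (23456). The Python script below is an added example, not part of the original slides or Cisco's own software: it builds and parses an OPEN message for Company-A (AS 65000 from the sample configuration) and classifies a session as eBGP or iBGP from the two AS numbers. The BGP identifier values and the 32-bit AS number used for the second case are constructed.

```python
import struct
import ipaddress

BGP_MARKER = b"\xff" * 16      # 16-byte all-ones marker that opens every BGP message
BGP_HEADER_LEN = 19            # marker (16) + length (2) + type (1)
BGP_TYPE_OPEN = 1
BGP_VERSION = 4
OPT_PARAM_CAPABILITIES = 2     # optional parameter type carrying capabilities (RFC 5492)
CAP_FOUR_OCTET_AS = 65         # capability code: 4-octet AS number support (RFC 6793)
AS_TRANS = 23456               # value placed in the 2-byte My AS field when the real ASN needs 4 bytes


def build_open(my_as: int, bgp_id: str, hold_time: int = 180) -> bytes:
    """Build a BGP OPEN message that always advertises the 4-octet AS capability."""
    cap = struct.pack("!BBI", CAP_FOUR_OCTET_AS, 4, my_as)
    opt_params = struct.pack("!BB", OPT_PARAM_CAPABILITIES, len(cap)) + cap
    two_byte_as = my_as if my_as <= 0xFFFF else AS_TRANS
    body = struct.pack("!BHH4sB", BGP_VERSION, two_byte_as, hold_time,
                       ipaddress.IPv4Address(bgp_id).packed, len(opt_params)) + opt_params
    header = BGP_MARKER + struct.pack("!HB", BGP_HEADER_LEN + len(body), BGP_TYPE_OPEN)
    return header + body


def parse_open(msg: bytes) -> dict:
    """Parse an OPEN; resolve the peer's AS from the 4-octet capability when it is present."""
    if msg[:16] != BGP_MARKER:
        raise ValueError("bad marker")
    length, msg_type = struct.unpack("!HB", msg[16:19])
    if msg_type != BGP_TYPE_OPEN or length != len(msg):
        raise ValueError("not a well-formed OPEN")
    version, two_byte_as, hold_time, bgp_id, opt_len = struct.unpack("!BHH4sB", msg[19:29])
    four_octet_as = None
    params = msg[29:29 + opt_len]
    while params:                                   # walk the optional parameters (TLV)
        ptype, plen = params[0], params[1]
        value, params = params[2:2 + plen], params[2 + plen:]
        if ptype != OPT_PARAM_CAPABILITIES:
            continue
        while value:                                # walk the capabilities inside (TLV)
            code, clen = value[0], value[1]
            cval, value = value[2:2 + clen], value[2 + clen:]
            if code == CAP_FOUR_OCTET_AS and clen == 4:
                four_octet_as = struct.unpack("!I", cval)[0]
    return {
        "version": version,
        "two_byte_as": two_byte_as,
        "as": four_octet_as if four_octet_as is not None else two_byte_as,
        "hold_time": hold_time,
        "bgp_id": str(ipaddress.IPv4Address(bgp_id)),
    }


def session_type(local_as: int, peer_as: int) -> str:
    """eBGP between different autonomous systems, iBGP within one AS."""
    return "eBGP" if local_as != peer_as else "iBGP"


if __name__ == "__main__":
    # Company-A (AS 65000, sample configuration) opening a session towards its AS 65001 neighbor.
    company_a = parse_open(build_open(65000, "198.133.219.1"))    # BGP identifier constructed
    print("Company-A OPEN:", company_a, session_type(company_a["as"], 65001))
    # A constructed 32-bit AS number: the 2-byte field shows AS_TRANS, the capability the real ASN.
    big = parse_open(build_open(4200000000, "192.0.2.1"))
    print("32-bit ASN OPEN:", big["two_byte_as"], big["as"])
```

A mismatch between the remote-as configured on the neighbor command and the AS the peer actually announces in its OPEN is rejected during session establishment, which is why show ip bgp summary (next slide) is the first place to look when a neighbor never leaves the Active or Idle state.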
eBGP Branch Configuration
Verify eBGP
Three commands to verify eBGP:
• show ip route
• show ip bgp
• show ip bgp summary
3.6 Chapter Summary
Conclusion
Chapter 3: Branch Connections
Select broadband remote access technologies to support business requirements.
Configure a Cisco router with PPPoE.
Explain how VPNs secure site-to-site and remote access connectivity.
Implement a GRE tunnel.
Implement eBGP in a single-homed remote access network.