Virtual Private Networks Advanced Technologies
|
|
- Douglas Gilmore
- 6 years ago
- Views:
Transcription
1 Virtual Private Networks Advanced Technologies Petr Grygárek rek Agenda: Supporting Technologies (GRE, NHRP) Dynamic Multipoint VPNs (DMVPN) Group Encrypted Transport VPNs (GET VPN) Multicast VPNs (mvpn) 1
2 Generic Routing Encapsulation (GRE) 2
3 GRE Principle (1) RFC encapsulation of an arbitrary L3 protocol over another arbitrary L3 layer defines additional header (4-20B) key field may potentially identify VRF multiple overlapping IP ranges RFC encapsulates IP in IP accompanies RFC 1701 IP protocol type 47 Allows the creation of tunnels over the shared infrastructure Originally P2P, support for P2MP interfaces added later 3
4 Completely stateless GRE Principle (2) Low overhead Tunnel interface is by default always up even if the remote point is unavailable Support for GRE keepalives GRE encapsulation process may be hardware- accelerated on some platforms But be aware that decapsulation may be still CPU- based ;-) 4
5 Usage of GRE Data tunnels over IP infrastructure Unencrypted in the original implementation Passing routing information between VPN sites 5
6 GRE Point-to-point Interface Tunnel Source Address Local endpoint physical interface implies local tunnel endpoint physical IP address Remote endpoint physical (IP) address Optional tunnel protection parameters Routing over tunnel via remote endpoint tunnel address 6
7 GRE Multipoint Interface Tunnel interface address Local endpoint physical interface Optional tunnel protection parameters No destination endpoint addresses Neither tunnel nor physical Destination physical addresses are determined by (ARP-like) NHRP database Maps the destination tunnel address to the corresponding physical IP address List of peers where multicasts have to be forwarded 7
8 Next-Hop Resolution Protocol (NHRP) RFC
9 NHRP Principle Allows systems connected to NBMA network to dynamically learn physical ( NBMA ) addresses of other systems to let them them communicate directly NBMA may be either connection-oriented network (FR, ATM) or IP infrastructure Direct communication may require to establish a SVC NBMA addresses may be either IP addresses or L2 addresses (DLCI, VPI/VCI) May be understood as ARP equivalent for NBMA ARP unusable because underlay does not support broadcast 9
10 NHRP Usage Reduction of multihop routing over NBMA network that is not fully meshed (SVC mesh) Starts with a partial mesh topology Most often hub-and-spoke Helps to establish a dynamic full mesh 10
11 Dynamic Full Mesh Advantages (1) Avoids multi-hop routing and overutilizing of the hub router Avoids double encryption/decryption Decreases delay Utilizes the underlying network infrastructure more efficiently (The same is valid for static full mesh) Support for dynamic NBMA addresses Systems behind NAT or with dynamic addresses (DHCP) For IP underlay clouds, mapping between tunnel inner addressess and tunnel endpoints is needed 11
12 Dynamic Full Mesh Advantages (2) Only spoke-to-spoke links that are needed for the traffic are (dynamically) established No need to configure full mesh (manually) No limitation of number of tunnel interfaces and number of routes supported on low-end routers Allows to mix high-end and low-end routers static full-mesh configuration would require all routers to have resources for full-mesh implementation If a spoke-to-spoke tunnel cannot be established, the traffic may still be routed through the hub 12
13 NHRP Components Next-Hop Clients (NHC) Dynamically register with NHS May be added without changing NHS configuration Next-Hop Servers (NHS) Allows NHC to register and discover logical-to- physical address mapping for other NHC NHRP Cache (on NHC) Dynamic and static entries 13
14 NHRP Messages (1) Registration Request/Response Registration of dynamic physical addresses with NHS Inner-outer (L3/L2 or L3/L3) address pair Resolution Request May be routed through multiple systems along the (suboptimal) already known path to the destination system Resolution Response Send by the destination system directly to the requesting system 14
15 NHRP Messages (2) Purge Request/Response Makes the system (NHC) to invalidate the cached information obtained by NHRP 15
16 NHRP & multicast Hub has to be explicitly configured to send multicasts to registered spokes Multicasts are necessary for many routing protocols 16
17 Dynamic Multipoint VPNs (DM VPN) 17
18 DMVPN Principle (1) Makes configuration of multipoint VPNs easier by avoiding a need to configure VPN tunnels manually Only hub-and-spoke topology has to be preconfigured Creates (encrypted) spoke-to-spoke tunnels on data- driven basis Utilizes NHRP, GRE and IPSec The communication between spokes is routed by hub until the direct tunnel is created (or if it could not be created) On-demand IPSec tunnel negotiation 18
19 DMVPN Principle (2) Spokes (NHC) dynamically registers with hub (NHS) using NHRP Inner tunnel (logical) to (currently assigned) physical address mapping Allows spoke to look up an address of another spoke spokes may have dynamic (physical) addresses Each spoke may create spoke-to-spoke tunnels up to its available resources Does not limit any other spoke to use all its available resources Dynamic tunnels are deleted after idle timeout expires 19
20 DMVPN Advantages Spokes can be added without any hub configuration change Uniform spoke configuration Utilizes standard protocols and solutions Combination of GRE,NHRP and IPSec 20
21 Developmental phases of DMVPN Phase 1 hub-and-spoke capability only Phase 2 dynamic spoke-to-spoke tunnels Phase 3 limits routing information advertised to spokes Better scalability Does not require all spoke routers to maintain all the routes of the VPN, just those needed for currently used spoke-to-spoke communications 21
22 DMVPN Phase 2 (1) Dynamic routing protocol on hub-to-spoke tunnel advertises all routes behind hub and other spokes Uses hub's or respective spokes' tunnel (inner) address as next hops to networks behind particular spokes routing protocol has to preserve next hop (spoke-to-spoke) Split horizon rule has to be turned off on hub Each spoke has routes to all networks in its routing table with tunnel interface as the outgoing interface 22
23 DMVPN Phase 2 (2) NHRP runs on the spoke's tunnel (multipoint) interface NHRP cache is used to find the logical-to-nbma mapping for the next hop address If an entry is not found in the cache, NHRP request has to be send to NHS A disadvantage is a significant load on the routing protocol in VPN 23
24 DMVPN Phase 3 (1) Reduces the amount of routes advertised to spokes Hub summarizes routing information advertised to spokes Hub sets itself as a next hop Spoke sends the first data packet to hub over the tunnel interface The logical-to-nbma mapping is preconfigured for hub 24
25 DMVPN Phase 3 (2) If a hub receives a packet from a spoke on the tunnel interface that has to be routed to other spoke by the same router interface, it initiates the spoke-to-spoke tunnel creation Sends redirect to the source spoke NHRP redirect message Contains the correct (logical) next hop address and the original destination address 25
26 DMVPN Phase 3 (3) Based on NHRP Redirect from hub, spoke sends NHRP Request to determine a NBMA address for the logical next hop address from the redirect message NHRP Request is routed to the destination spoke Destination spoke responds to the original requesting spoke with its NBMA the whole subnet from its routing table that matches the required destination address from the NHRP Request 26
27 DMVPN Phase 3 (4) Source spoke inserts the record for the particular destination network into its routing table pointing to the newly created spoke-to-spoke tunnel interface most often protected by IPSec profile The following packets follow the direct spoke-to- spoke path 27
28 Problems of Hub Failure Spoke will delete all routes pointing to the (multipoint) tunnel interface Even existing spoke-to-spoke tunnels become unusable as there is no entry in the routing table to route traffic into them Tunnels will remain available, but unused At least until NHRP cache entries time out Routes advertised from redundant hubs may solve the problem Normally they are ignored because of worse AD 28
29 DMVPN Configuration Multipoint GRE interface on hub Because it connects to multiple spokes Multipoint GRE interface on spokes Because multiple spoke-to-spoke tunnels may be initiated in parallel IPSec profile is typically applied on GRE tunnel to protect the traffic Standard IPSec mechanisms are used 29
30 Group-Encrypted Transport VPNs (GET VPN) 30
31 GET VPN (1) Tunnel-less any-to-any service Better scalability No multiple tunnel interfaces needed for partial/full mesh No overlay routing Optimal traffic paths IPSec based - transport mode Supports multicasts and QoS IP header visible (incl. QoS marking) 31
32 GET VPN (2) Secure central key distribution to routers (group members) in a domain Key server Unicast & multicast key distribution to authorized routers (download/push) Policy management Secondary key server implemented for redundancy automatic failover (COOP protocol) 32
33 GDOI: Group Domain of Interpretation (1) Key management protocol between group member(s) and key server RFC 3457 based on ISAKMP/IKE establishes a security association among two or more group members Uses IKE Phase 1 to authenticate group members to a key server according to defined group policy 33
34 GDOI: Group Domain of Interpretation (2) Group key ( key encryption key, KEK) is pulled from key server during IKE phase 2 by group members Key server pushes traffic encryption keys (TEK) to all group members using unsolicitated multicast / broadcast / unicast messages - encrypted by KEK periodic re-keys TEK may be used for both unicast or multicast communication between GMs 34
35 Multicast VPNs (mvpn) 35
36 Implementation Requirements Potentially different PIM modes in the core and each mvpn Support for all PIM modes Overlap of customers' multicast addressing 36
37 Overlay Infrastructure Full mesh of tunnels between VPN sites Hides VPN multicast from the core No multicast state in the core Customers' multicasts groups may overlap Non-scalable Suboptimal multicast routing (replication) 37
38 2-level Multicast Solution Multicast Distribution Tree (MDT) Aggregates all multicast traffic between sites of the same VPN GRE-encapsulated Including system-oriented traffic between PE routers (PIM sessions between PEs) May be seen as multiaccess segment Every PE router is connected with virtual tunnel interface Suboptimal delivers ALL multicast traffic to all PEs of the VPN 38
39 An optimization: Data MDT (1) Configured optionally Carries traffic of a single (or multiple) customer's group(s) Source PE switches to Data MDT from the Default MDT after preconfigured traffic threshold for given group(s) The tree spans only PEs with networks interested in particular multicast groups behind them Default MDT is used to inform other PEs about active sources sending to Data MDT PE may optionally join the Data MDT 39
40 Data MDT: Pros and Cons Limits traffic over core network More states in core network (multiple trees) 40
Virtual Private Networks Advanced Technologies
Virtual Private Networks Advanced Technologies Petr Grygárek rek Agenda: Supporting Technologies (GRE, NHRP) Dynamic Multipoint VPNs (DMVPN) Group Encrypted Transport VPNs (GET VPN) Multicast VPNs (mvpn)
More informationFlexible Dynamic Mesh VPN draft-detienne-dmvpn-00
Flexible Dynamic Mesh VPN draft-detienne-dmvpn-00 Fred Detienne, Cisco Systems Manish Kumar, Cisco Systems Mike Sullenberger, Cisco Systems What is Dynamic Mesh VPN? DMVPN is a solution for building VPNs
More informationGRE and DM VPNs. Understanding the GRE Modes Page CHAPTER
CHAPTER 23 You can configure Generic Routing Encapsulation (GRE) and Dynamic Multipoint (DM) VPNs that include GRE mode configurations. You can configure IPsec GRE VPNs for hub-and-spoke, point-to-point,
More informationDMVPN for R&S CCIE Candidates Johnny Bass CCIE #6458
DMVPN for R&S CCIE Candidates Johnny Bass CCIE #6458 BRKCCIE-3003 @CCIE6458 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public About the Presenter Johnny Bass Networking industry since
More informationDMVPN for R&S CCIE Candidates
DMVPN for R&S CCIE Candidates Johnny Bass CCIE #6458 BRKCCIE-3003 @CCIE6458 2014 Cisco and/or its affiliates. All rights reserved. Cisco Public About the Presenter Johnny Bass Networking industry since
More informationCisco Group Encrypted Transport VPN
Cisco Group Encrypted Transport VPN Q. What is Cisco Group Encrypted Transport VPN? A. Cisco Group Encrypted Transport is a next-generation WAN VPN solution that defines a new category of VPN, one that
More informationRestrictions for DMVPN Dynamic Tunnels Between Spokes. Behind a NAT Device. Finding Feature Information
DMVPN Dynamic Tunnels Between Spokes Behind a NAT Device The DMVPN: Dynamic Tunnels Between Spokes Behind a NAT Device feature allows Next Hop Resolution Protocol (NHRP) spoke-to-spoke tunnels to be built
More informationA-B I N D E X. backbone networks, fault tolerance, 174
I N D E X A-B access links fault tolerance, 175 176 multiple IKE identities, 176 182 single IKE identity with MLPPP, 188 189 with single IKE identity, 183 187 active/standby stateful failover model, 213
More informationIP Addressing: NHRP Configuration Guide
Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 THE SPECIFICATIONS AND INFORMATION
More informationOperating and Monitoring the Network
CHAPTER 6 Under the Operate tab, Prime NCS (WAN) provides tools to help you monitor your network on a daily basis, as well as perform other day-to-day or ad hoc operations relating to network device inventory
More informationSharing IPsec with Tunnel Protection
The feature allows sharing an IPsec security association database (SADB) between two or more generic routing encapsulation (GRE) tunnel interfaces when tunnel protection is used. Shared tunnel interfaces
More informationDYNAMIC MULTIPOINT VPN SPOKE TO SPOKE DIRECT TUNNELING
DYNAMIC MULTIPOINT VPN SPOKE TO SPOKE DIRECT TUNNELING NOVEMBER 2004 1 Direct Spoke To Spoke Tunnels Initially, spoke to spoke traffic can only travel via the hub In DMVPN, spokes can send packets directly
More informationMigrating from Dynamic Multipoint VPN Phase 2 to Phase 3: Why and How to Migrate to the Next Phase
Migration Guide Migrating from Dynamic Multipoint VPN Phase 2 to Phase 3: Why and How to Migrate to the Next Phase This guide shows how a Dynamic Multipoint VPN (DMVPN) deployment can be migrated to make
More informationVPN World. MENOG 16 Istanbul-Turkey. By Ziad Zubidah Network Security Specialist
VPN World MENOG 16 Istanbul-Turkey By Ziad Zubidah Network Security Specialist What is this Van used for?! Armed Van It used in secure transporting for valuable goods from one place to another. It is bullet
More informationShortcut Switching Enhancements for NHRP in DMVPN Networks
Shortcut Switching Enhancements for NHRP in DMVPN Networks Routers in a Dynamic Multipoint VPN (DMVPN) Phase 3 network use Next Hop Resolution Protocol (NHRP) Shortcut Switching to discover shorter paths
More informationScalability Considerations
3 CHAPTER This chapter presents the following steps to selecting Cisco products for a VPN solution: Sizing the headend Choosing Cisco products that can be deployed for headend devices Product sizing and
More informationManaging Site-to-Site VPNs: The Basics
CHAPTER 23 A virtual private network (VPN) consists of multiple remote peers transmitting private data securely to one another over an unsecured network, such as the Internet. Site-to-site VPNs use tunnels
More informationip nat source through iterate-ip-addrs
ip nat source through iterate-ip-addrs ip nat source, page 4 ip nat stateful id, page 7 ip nat switchover replication http, page 10 ip nat translation, page 11 ip nat translation (timeout), page 12 ip
More informationWAN Edge MPLSoL2 Service
4 CHAPTER While Layer 3 VPN services are becoming increasing popular as a primary connection for the WAN, there are a much larger percentage of customers still using Layer 2 services such Frame-Relay (FR).
More informationCisco Dynamic Multipoint VPN: Simple and Secure Branch-to-Branch Communications
Cisco Dynamic Multipoint VPN: Simple and Secure Branch-to-Branch Communications Product Overview Cisco Dynamic Multipoint VPN (DMVPN) is a Cisco IOS Software-based security solution for building scalable
More informationIOS/CCP: Dynamic Multipoint VPN using Cisco Configuration Professional Configuration Example
IOS/CCP: Dynamic Multipoint VPN using Cisco Configuration Professional Configuration Example Document ID: 113265 Contents Introduction Prerequisites Requirements Components Used Conventions Background
More informationCisco Dynamic Multipoint VPN: Simple and Secure Branch-to-Branch Communications
Data Sheet Cisco Dynamic Multipoint VPN: Simple and Secure Branch-to-Branch Communications Product Overview Cisco Dynamic Multipoint VPN (DMVPN) is a Cisco IOS Software-based security solution for building
More informationIPv6 over DMVPN. Finding Feature Information
This document describes how to implement the Dynamic Multipoint VPN for IPv6 feature, which allows users to better scale large and small IPsec Virtual Private Networks (VPNs) by combining generic routing
More informationshow ipv6 nat translations, on page 71
show ip masks, on page 4 show ip nat limits all-host, on page 5 show ip nat limits all-vrf, on page 7 show ip nat nvi statistics, on page 9 show ip nat nvi translations, on page 11 show ip nat redundancy,
More informationDMVPN to Group Encrypted Transport VPN Migration
DMVPN to Group Encrypted Transport VPN Migration This document provides the steps for Dynamic Multipoint VPN (DMVPN) to Group Encrypted Transport VPN migration. DMVPN to Group Encrypted Transport VPN Migration
More informationDynamic Multipoint VPN Configuration Guide
First Published: 2011-10-14 Last Modified: 2014-01-10 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387)
More informationManaging Site-to-Site VPNs
CHAPTER 21 A virtual private network (VPN) consists of multiple remote peers transmitting private data securely to one another over an unsecured network, such as the Internet. Site-to-site VPNs use tunnels
More informationManaging Site-to-Site VPNs: The Basics
CHAPTER 21 A virtual private network (VPN) consists of multiple remote peers transmitting private data securely to one another over an unsecured network, such as the Internet. Site-to-site VPNs use tunnels
More informationDynamic Multipoint VPN Configuration Guide, Cisco IOS Release 15M&T
Dynamic Multipoint VPN Configuration Guide, Cisco IOS Release 15M&T Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800
More informationAdvanced Concepts of DMVPN (Dynamic Multipoint VPN)
Advanced Concepts of DMVPN (Dynamic Multipoint VPN) Mike Sullenberger Distinguished Engineer Agenda DMVPN Design Overview DMVPN General IWAN Specific NHRP Details NHRP Overview NHRP Registrations/Resolutions/Redirects
More informationDynamic Multipoint VPN (DMVPN) Deployment Models
Dynamic Multipoint VPN (DMVPN) Deployment Models BRKSEC-4054 Cisco Public 2 Agenda DMVPN Overview NHRP Details Deployment Models Recent and New Features Cisco Public 3 DMVPN Overview What is Dynamic Multipoint
More informationSecurizarea Calculatoarelor și a Rețelelor 32. Tehnologia MPLS VPN
Platformă de e-learning și curriculă e-content pentru învățământul superior tehnic Securizarea Calculatoarelor și a Rețelelor 32. Tehnologia MPLS VPN MPLS VPN 5-ian-2010 What this lecture is about: IP
More informationSecure Extension of L3 VPN s over IP-Based Wide Area Networks
White Paper Secure Extension of L3 VPN s over IP-Based Wide Area Networks Abstract Authors This paper examines how recent network-based virtualization Mark Mitch Mitchiner technology innovation can be
More informationConfiguring FlexVPN Spoke to Spoke
Last Published Date: March 28, 2014 The FlexVPN Spoke to Spoke feature enables a FlexVPN client to establish a direct crypto tunnel with another FlexVPN client leveraging virtual tunnel interfaces (VTI),
More informationImplementing Dynamic Multipoint VPN for IPv6
Implementing Dynamic Multipoint VPN for IPv6 First Published: July 11, 2008 Last Updated: November 24, 2010 This document describes how to implement Dynamic Multipoint VPN for IPv6 feature, which allows
More informationCisco CCIE Security Written.
Cisco 400-251 CCIE Security Written http://killexams.com/pass4sure/exam-detail/400-251 QUESTION: 193 Which two of the following ICMP types and code should be allowed in a firewall to enable traceroute?
More informationCisco Virtual Office High-Scalability Design
Solution Overview Cisco Virtual Office High-Scalability Design Contents Scope of Document... 2 Introduction... 2 Platforms and Images... 2 Design A... 3 1. Configure the ACE Module... 3 2. Configure the
More informationCisco Service Advertisement Framework Deployment Guide
Cisco Service Advertisement Framework Deployment Guide What You Will Learn Cisco Service Advertisement Framework (SAF) is a network-based, scalable, bandwidth-efficient approach to service advertisement
More informationImplementing Cisco Secure Mobility Solutions
Implementing Cisco Secure Mobility Solutions Dumps Available Here at: /cisco-exam/300-209-dumps.html Enrolling now you will get access to 269 questions in a unique set of 300-209 dumps Question 1 Which
More informationFUNDAMENTAL ROUTING CONCEPTS
PART I Chapter 1 FOUNDATION TOPICS Routing Protocol Fundamentals FUNDAMENTAL ROUTING CONCEPTS Characteristics of Routing Protocols Routing occurs when a router or some other Layer 3 device makes a forwarding
More informationQuestion: 1 Which three parameters must match to establish OSPF neighbor adjacency? (Choose three.)
Volume: 217 Questions Question: 1 Which three parameters must match to establish OSPF neighbor adjacency? (Choose three.) A. the process ID B. the hello interval C. the subnet mask D. authentication E.
More informationConfigure ISDN Connectivity between Remote Sites
Case Study 1 Configure ISDN Connectivity between Remote Sites Cisco Networking Academy Program CCNP 2: Remote Access v3.1 Objectives In this case study, the following concepts are covered: Asynchronous
More informationIntelligent WAN Deployment Guide
Cisco Validated design Intelligent WAN Deployment Guide September 2017 Table of Contents Table of Contents Deploying the Cisco Intelligent WAN... 1 Deployment Details...1 Configuring DMVPN Hub Router...2
More informationVXLAN Overview: Cisco Nexus 9000 Series Switches
White Paper VXLAN Overview: Cisco Nexus 9000 Series Switches What You Will Learn Traditional network segmentation has been provided by VLANs that are standardized under the IEEE 802.1Q group. VLANs provide
More informationMULTICAST SECURITY. Piotr Wojciechowski (CCIE #25543)
MULTICAST SECURITY Piotr Wojciechowski (CCIE #25543) ABOUT ME Senior Network Engineer MSO at VeriFone Inc. Previously Network Solutions Architect at one of top polish IT integrators CCIE #25543 (Routing
More informationSecure Multicast Cisco Systems, Inc. All rights reserved.
Secure Multicast 1 Agenda Why IP Multicast? IP Multicast Security Challenges Secure IP Multicast Solution and Benefits Technical Details Platform Support and Useful Links 2 Why IP Multicast? 3 Unicast
More informationBGP-MVPN SAFI 129 IPv6
Subsequent Address Family Identifier (SAFI) 129, known as VPN Multicast SAFI, provides the capability to support multicast routing in the service provider's core IPv6 network. Border Gateway Protocol (BGP)
More informationIPv6 Transition Mechanisms
IPv6 Transition Mechanisms Petr Grygárek rek 1 IPv6 and IPv4 Coexistence Expected to co-exist together for many years Some IPv4 devices may exist forever Slow(?) transition of (part of?) networks to IPv6
More informationMPLS опорни мрежи MPLS core networks
MPLS опорни мрежи MPLS core networks Николай Милованов/Nikolay Milovanov http://niau.org Objectives Identify the drawbacks of traditional IP routing Describe basic MPLS concepts and LSR types. MPLS Labels
More informationIP Tunneling. GRE Tunnel IP Source and Destination VRF Membership. Tunnel VRF CHAPTER
CHAPTER 27 This chapter describes IP tunneling features implemented on the Cisco 10000 series routers and includes the following topics: GRE Tunnel IP Source and Destination VRF Membership, page 27-1 Restrictions
More informationDynamic Multipoint VPN between CradlePoint and Cisco Router Example
Dynamic Multipoint VPN between CradlePoint and Cisco Router Example Summary This article describes how to setup a Dynamic GRE over IPSec VPN tunnel with NHRP (more commonly referred to as Dynamic Multipoint
More informationImplementing VXLAN. Prerequisites for implementing VXLANs. Information about Implementing VXLAN
This module provides conceptual information for VXLAN in general and configuration information for layer 2 VXLAN on Cisco ASR 9000 Series Router. For configuration information of layer 3 VXLAN, see Implementing
More informationMPLS VPN. 5 ian 2010
MPLS VPN 5 ian 2010 What this lecture is about: IP CEF MPLS architecture What is MPLS? MPLS labels Packet forwarding in MPLS MPLS VPNs 3 IP CEF & MPLS Overview How does a router forward packets? Process
More informationNext Generation MULTICAST In-band Signaling (VRF MLDP: Profile 6)
Next Generation MULTICAST In-band Signaling (VRF MLDP: Profile 6) Contents Introduction Background Information MLDP Signaling In-Band Signaling Overlay or Out-Of-Band Signaling Label Distribution Protocol
More informationARCHIVED DOCUMENT. - The topics in the document are now covered by more recent content.
ARCHIVED DOCUMENT This document is archived and should only be used as a historical reference and should not be used for new deployments for one of the following reasons: - The topics in the document are
More informationLARGE SCALE IP ROUTING LECTURE BY SEBASTIAN GRAF
LARGE SCALE IP ROUTING LECTURE BY SEBASTIAN GRAF MODULE 07 - MPLS BASED LAYER 2 SERVICES 1 by Xantaro MPLS BASED LAYER 2 VPNS USING MPLS FOR POINT-TO-POINT LAYER 2 SERVICES 2 by Xantaro Why are Layer-2
More informationHOME-SYD-RTR02 GETVPN Configuration
GETVPN OVER DMVPN Topology Details HOME-SYD-RTR02 is GETVPN KS. R2 & R3 are GETVPN Members. R2 is DMVPN Hub. R3 is DMVPN Spoke. HOME-PIX01 is Firewall between R2 and R3. IP Addressing Details HOME-SYD-RTR01
More informationBIG-IP TMOS : Implementations. Version
BIG-IP TMOS : Implementations Version 11.5.1 Table of Contents Table of Contents Customizing the BIG-IP Dashboard...13 Overview: BIG-IP dashboard customization...13 Customizing the BIG-IP dashboard...13
More informationConfiguring Virtual Private LAN Services
Virtual Private LAN Services (VPLS) enables enterprises to link together their Ethernet-based LANs from multiple sites via the infrastructure provided by their service provider. This module explains VPLS
More informationSD-WAN Deployment Guide (CVD)
SD-WAN Deployment Guide (CVD) All Cisco Meraki security appliances are equipped with SD-WAN capabilities that enable administrators to maximize network resiliency and bandwidth efficiency. This guide introduces
More informationIntelligent WAN Multiple VRFs Deployment Guide
Cisco Validated design Intelligent WAN Multiple VRFs Deployment Guide September 2017 Table of Contents Table of Contents Deploying the Cisco Intelligent WAN... 1 Deploying the Cisco IWAN Multiple VRFs...
More informationIPv6 Transition Mechanisms
IPv6 Transition Mechanisms Petr Grygárek rek 1 IPv6 and IPv4 Coexistence Expected to co-exist together for many years Some IPv4 devices may exist forever Slow(?) transition of (part of?) networks to IPv6
More informationLARGE SCALE DYNAMIC MULTIPOINT VPN
LARGE SCALE DYNAMIC MULTIPOINT VPN NOVEMBER 2004 1 INTRODUCTION Presentation_ID 2004, Cisco Systems, Inc. All rights reserved. 2 Dynamic Multipoint VPN Facts Dynamic Multipoint VPN (DMVPN) can work with
More informationSCALABLE DMVPN DESIGN AND IMPLEMENTATION GUIDE
SCALABLE DMVPN DESIGN AND IMPLEMENTATION GUIDE Network Systems Integration & Test Engineering (NSITE) Document Version Number: 1.1 Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA
More informationFirepower Threat Defense Site-to-site VPNs
About, on page 1 Managing, on page 3 Configuring, on page 3 Monitoring Firepower Threat Defense VPNs, on page 11 About Firepower Threat Defense site-to-site VPN supports the following features: Both IPsec
More informationLocator ID Separation Protocol (LISP) Overview
Locator ID Separation Protocol (LISP) is a network architecture and protocol that implements the use of two namespaces instead of a single IP address: Endpoint identifiers (EIDs) assigned to end hosts.
More informationCisco Exam Questions & Answers
Cisco 300-209 Exam Questions & Answers Number: 300-209 Passing Score: 800 Time Limit: 120 min File Version: 35.4 http://www.gratisexam.com/ Exam Code: 300-209 Exam Name: Implementing Cisco Secure Mobility
More informationHUAWEI USG6000 Series Next-Generation Firewall Technical White Paper VPN HUAWEI TECHNOLOGIES CO., LTD. Issue 1.1. Date
HUAWEI USG6000 Series Next-Generation Firewall Technical White Paper VPN Issue 1.1 Date 2014-03-14 HUAWEI TECHNOLOGIES CO., LTD. 2014. All rights reserved. No part of this document may be reproduced or
More informationScalability Considerations
CHAPTER 3 This chapter presents the steps to selecting products for a VPN solution, starting with sizing the headend, and then choosing products that can be deployed for headend devices. This chapter concludes
More informationBIG-IP TMOS : Tunneling and IPsec. Version 13.0
BIG-IP TMOS : Tunneling and IPsec Version 13.0 Table of Contents Table of Contents Creating IP Tunnels... 7 About IP tunnels...7 About point-to-point tunnels... 7 Creating a point-to-point IP tunnel...8
More informationCCIE R&S LAB CFG H2/A5 (Jacob s & Jameson s)
Contents Section 1 Layer 2 Technologies... 2 1.1 Jameson s Datacenter: Access port... 2 1.2 Jameson s Datacenter: Trunk ports... 4 1.3 Jameson s Datacenter: Link bundling... 5 1.4 Jameson s Branch Offices...
More informationVPN. Agenda VPN VPDN. L84 - VPN and VPDN in IP. Virtual Private Networks Introduction VPDN Details (L2F, PPTP, L2TP)
VPN Virtual Private Networks Introduction VPDN Details (L2F, PPTP, L2TP) Agenda VPN Classical Approach Overview IP Based Solutions IP addresses non overlapping IP addresses overlapping MPLS-VPN VPDN RAS
More informationImplementing IP in IP Tunnel
This chapter module provides conceptual and configuration information for IP in IP tunnels on Cisco ASR 9000 Series Router. Note For a complete description of the IP in IP tunnel commands listed in this
More informationConfiguring Dynamic Multipoint VPN Using GRE Over IPsec With OSPF, NAT, and Cisco IOS Firewall
Configuring Dynamic Multipoint VPN Using GRE Over IPsec With OSPF, NAT, and Cisco IOS Firewall Document ID: 43068 Contents Introduction Prerequisites Requirements Components Used Conventions Configure
More informationVNS3 IPsec Configuration. VNS3 to Cisco ASA ASDM 5.2
VNS3 IPsec Configuration VNS3 to Cisco ASA ASDM 5.2 Site-to-Site IPsec Tunnel IPsec protocol allows you to securely connect two sites together over the public internet using cryptographically secured services.
More informationEVPN Multicast. Disha Chopra
EVPN Multicast Disha Chopra Agenda EVPN Multicast Optimizations Introduction to EVPN Multicast (BUM) IGMP Join/Leave Sync Routes Selective Multicast Ethernet Tag Route Use Case 2 EVPN BUM Traffic Basics
More informationDMVPN Topology. Page1
DMVPN DMVPN Topology Page1 LAB 2: Configure EIGRP over DMVPN: Task 1: Configure EIGRP over DMVPN Process Step 1 In the configuration mode of router configure EIGRP over DMVPN by following command: R1:
More informationConfiguring IP. IP Configuration Task List
Configuring IP This chapter describes how to configure the Internet Protocol (IP). For a complete description of the commands in this chapter, refer to the IP s chapter of the Network Protocols Reference,
More informationExam Questions
Exam Questions 642-997 DCUFI Implementing Cisco Data Center Unified Fabric (DCUFI) v5.0 https://www.2passeasy.com/dumps/642-997/ 1.Which SCSI terminology is used to describe source and destination nodes?
More informationMobile IP. rek. Petr Grygárek Petr Grygarek, Advanced Computer Networks Technologies 1
Mobile IP Petr Grygárek rek 1 Basic principle Picture from IOS IP and IP Routing Configuration Guide Mobile node maintains the same IP address even while roaming in foreign networks even if it s address
More informationCore of Multicast VPNs: Rationale for Using mldp in the MVPN Core
Core of Multicast VPNs: Rationale for Using mldp in the MVPN Core Exploring Suitability of Using mldp Versus P2MP RSVP-TE in the MVPN Core Multicast Virtual Private Network (MVPN) is a popular technology
More informationVirtual Subnet (VS): A Scalable Data Center Interconnection Solution
Virtual Subnet (VS): A Scalable Data Center Interconnection Solution draft-xu-virtual-subnet-05 Xiaohu Xu (xuxh@huawei.com) NANOG52, Denver Requirements for Data Center Interconnection To interconnect
More informationVirtual Tunnel Interface
This chapter describes how to configure a VTI tunnel. About s, on page 1 Guidelines for s, on page 1 Create a VTI Tunnel, on page 2 About s The ASA supports a logical interface called (VTI). As an alternative
More informationMPLS VPN over mgre. Finding Feature Information. Last Updated: November 1, 2012
MPLS VPN over mgre Last Updated: November 1, 2012 The MPLS VPN over mgre feature overcomes the requirement that a carrier support multiprotocol label switching (MPLS) by allowing you to provide MPLS connectivity
More informationH3C SR6600 Routers DVPN Configuration Example
H3C SR6600 Routers DVPN Configuration Example Keywords: DVPN, VPN, VAM, AAA, IPsec, GRE Abstract: This document describes the DVPN configuration example for the H3C SR6600 Routers Series. Acronyms: Acronym
More informationTop-Down Network Design
Top-Down Network Design Chapter Seven Selecting Switching and Routing Protocols Original slides by Cisco Press & Priscilla Oppenheimer Selection Criteria for Switching and Routing Protocols Network traffic
More informationIndex. Numerics 3DES (triple data encryption standard), 21
Index Numerics 3DES (triple data encryption standard), 21 A B aggressive mode negotiation, 89 90 AH (Authentication Headers), 6, 57 58 alternatives to IPsec VPN HA, stateful, 257 260 stateless, 242 HSRP,
More informationMultiprotocol Label Switching (MPLS)
Multiprotocol Label Switching (MPLS) Petr Grygárek rek 1 Technology Basics Integrates label-based forwarding paradigm with network layer routing label forwarding + label swapping similar to ATM/FR switching
More informationMulticastForwardingInformationBaseOverview
MulticastForwardingInformationBaseOverview The Multicast Forwarding Information Base (MFIB) architecture provides modularity and separation between the multicast control plane (Protocol Independent Multicast
More informationLAB 5: DMVPN BGP. LAB 5: Diagram. Note: This Lab was developed on Cisco IOS Version15.2(4) M1 ADVENTERPRISEK9-M.
LAB 5: DMVPN BGP LAB 5: Diagram Note: This Lab was developed on Cisco IOS Version15.2(4) M1 ADVENTERPRISEK9-M. LAB 5: Configure BGP over DMVPN Configuration Step 1: Enable loopback and physical interfaces
More informationMPLS, THE BASICS CSE 6067, UIU. Multiprotocol Label Switching
MPLS, THE BASICS CSE 6067, UIU Multiprotocol Label Switching Basic Concepts of MPLS 2 Contents Drawbacks of Traditional IP Forwarding Basic MPLS Concepts MPLS versus IP over ATM Traffic Engineering with
More informationCOURSE OUTLINE: Course: CCNP Route Duration: 40 Hours
COURSE OUTLINE: Course: CCNP Route 300-101 Duration: 40 Hours CCNP Route Training Day 1: Connecting Remote Locations Principles of Static Routing Configuring an IPv4 Static Route Configuring a Static Default
More informationCisco Group Encrypted Transport VPN
(GET VPN) is a set of features that are necessary to secure IP multicast group traffic or unicast traffic over a private WAN that originates on or flows through a Cisco IOS device. GET VPN combines the
More informationManual Key Configuration for Two SonicWALLs
Manual Key Configuration for Two SonicWALLs VPN between two SonicWALLs allows users to securely access files and applications at remote locations. The first step to set up a VPN between two SonicWALLs
More informationQuestion: 3 Which LSA type describes the router ID of ASBR routers located in remote areas?
Volume: 65 Questions Question: 1 Which two statements describe aggregate routes? (Choose two.) A. Invalid routing prefixes are not advertised to external peers. B. Internal routing instabilities can be
More informationEnterprise. Nexus 1000V. L2/L3 Fabric WAN/PE. Customer VRF. MPLS Backbone. Service Provider Data Center-1 Customer VRF WAN/PE OTV OTV.
2 CHAPTER Cisco's Disaster Recovery as a Service (DRaaS) architecture supports virtual data centers that consist of a collection of geographically-dispersed data center locations. Since data centers are
More informationADVANCED IPSEC DEPLOYMENTS AND CONCEPTS OF DMVPN NETWORKS
ADVANCED IPSEC DEPLOYMENTS AND CONCEPTS OF DMVPN NETWORKS SESSION 2 Other VPN sessions Networkers 2004 SEC-1000 Introduction to Network Security SEC-2010: Deploying Remote Access IPSec and SSL VPNs SEC-2011:
More informationCCIE Routing & Switching
CCIE Routing & Switching Cisco Certified Internetwork Expert Routing and Switching (CCIE Routing and Switching) certifies the skills required of expert-level network engineers to plan, operate and troubleshoot
More informationLISP Router IPv6 Configuration Commands
ipv6 alt-vrf, page 2 ipv6 etr, page 4 ipv6 etr accept-map-request-mapping, page 6 ipv6 etr map-cache-ttl, page 8 ipv6 etr map-server, page 10 ipv6 itr, page 13 ipv6 itr map-resolver, page 15 ipv6 map-cache-limit,
More informationDeploying GET to Secure VPNs
Deploying GET to Secure VPNs Scott Wainner Distinguished Systems Engineer Session Objectives and Prerequisites Session Objectives Identify VPN environments where GET is applicable Understand how GET can
More information