Cisco Group Encrypted Transport VPN

Similar documents
Cisco Dynamic Multipoint VPN: Simple and Secure Branch-to-Branch Communications

Cisco Dynamic Multipoint VPN: Simple and Secure Branch-to-Branch Communications

GRE and DM VPNs. Understanding the GRE Modes Page CHAPTER

Migrating from Dynamic Multipoint VPN Phase 2 to Phase 3: Why and How to Migrate to the Next Phase

VPN World. MENOG 16 Istanbul-Turkey. By Ziad Zubidah Network Security Specialist

A-B I N D E X. backbone networks, fault tolerance, 174

Cisco Service Advertisement Framework Deployment Guide

DMVPN for R&S CCIE Candidates Johnny Bass CCIE #6458

Managing Site-to-Site VPNs: The Basics

Scalability Considerations

DMVPN for R&S CCIE Candidates

Virtual Private Networks Advanced Technologies

Virtual Private Networks Advanced Technologies

Managing Site-to-Site VPNs: The Basics

DYNAMIC MULTIPOINT VPN SPOKE TO SPOKE DIRECT TUNNELING

Managing Site-to-Site VPNs

Implementing Cisco Secure Mobility Solutions

IOS/CCP: Dynamic Multipoint VPN using Cisco Configuration Professional Configuration Example

MPLS over GRE. Finding Feature Information. Prerequisites for MPLS VPN L3VPN over GRE

MPLS опорни мрежи MPLS core networks

Scalability Considerations

Sharing IPsec with Tunnel Protection

Flexible Dynamic Mesh VPN draft-detienne-dmvpn-00

Cisco Group Encrypted Transport VPN Configuration Guide, Cisco IOS Release 15M&T

Secure Extension of L3 VPN s over IP-Based Wide Area Networks

IP Addressing: NHRP Configuration Guide

FlexVPN HA Dual Hub Configuration Example

Cisco Group Encrypted Transport VPN

LARGE SCALE DYNAMIC MULTIPOINT VPN

Intelligent WAN Multiple VRFs Deployment Guide

ARCHIVED DOCUMENT. - The topics in the document are now covered by more recent content.

Implementing Cisco IP Routing (ROUTE)

FUNDAMENTAL ROUTING CONCEPTS

Securizarea Calculatoarelor și a Rețelelor 32. Tehnologia MPLS VPN

Enterprise. Nexus 1000V. L2/L3 Fabric WAN/PE. Customer VRF. MPLS Backbone. Service Provider Data Center-1 Customer VRF WAN/PE OTV OTV.

IPv6 over DMVPN. Finding Feature Information

PassTorrent. Pass your actual test with our latest and valid practice torrent at once

Deploying and Administering Cisco s Digital Network Architecture (DNA) and Intelligent WAN (IWAN) (DNADDC)

Restrictions for DMVPN Dynamic Tunnels Between Spokes. Behind a NAT Device. Finding Feature Information

Intelligent WAN Deployment Guide

Secure Multicast Cisco Systems, Inc. All rights reserved.

Operating and Monitoring the Network

Cisco Virtual Office High-Scalability Design

WAN Edge MPLSoL2 Service

Fundamentals and Deployment of Cisco SD-WAN Duration: 3 Days (24 hours) Prerequisites

MPLS VPN. 5 ian 2010

Cisco Cloud Services Router 1000V with Cisco IOS XE Software Release 3.13

CCIE Routing & Switching

IWAN Security for Remote Site Direct Internet Access and Guest Wireless

Cisco 5921 Embedded Services Router

Advanced Concepts of DMVPN (Dynamic Multipoint VPN)

Cisco IOS Software Release 15M&T Q&A

SD-WAN Deployment Guide (CVD)

MPLS, THE BASICS CSE 6067, UIU. Multiprotocol Label Switching

Configuring MPLS and EoMPLS

Shortcut Switching Enhancements for NHRP in DMVPN Networks

SCALABLE DMVPN DESIGN AND IMPLEMENTATION GUIDE

Zero To Hero CCIE CCNP

VPN WAN. Technology Design Guide

Multiprotocol Label Switching Overview

Implementing MPLS Layer 3 VPNs

Dynamic Multipoint VPN Configuration Guide


Network Design with latest VPN Technologies

Dynamic Multipoint VPN Configuration Guide, Cisco IOS Release 15M&T

HUAWEI USG6000 Series Next-Generation Firewall Technical White Paper VPN HUAWEI TECHNOLOGIES CO., LTD. Issue 1.1. Date

IPsec Direct Encapsulation VPN Design Guide

Cisco Technologies, Routers, and Switches p. 1 Introduction p. 2 The OSI Model p. 2 The TCP/IP Model, the DoD Model, or the Internet Model p.

Implementing Hub and Spoke topologies in Virtual Private Network using Enhanced Interior Gateway Routing Protocol

DMVPN to Group Encrypted Transport VPN Migration

Add Path Support in EIGRP

Introduction to Segment Routing

Deploying and Testing IKEv2, Flex VPN and GET VPN. Arun Katuwal. Metropolia University of Applied Sciences. Bachelor of Engineering

Dynamic Multipoint VPN (DMVPN) Deployment Models

Optimized Edge Routing Configuration Guide, Cisco IOS Release 15.1MT

CVP Enterprise Cisco SD-WAN Retail Profile (Hybrid WAN, Segmentation, Zone-Based Firewall, Quality of Service, and Centralized Policies)

tunnel destination through tunnel source

REFERENCE NETWORK ARCHITECTURE

Enterprise SD-WAN Financial Profile (Hybrid WAN, Segmentation, Quality of Service, Centralized Policies)

Cisco Integrated Services Virtual Router

MPLS VPN Half-Duplex VRF

Exam Questions

Cisco Certified Network Associate ( )

Adaptive QoS over DMVPN

Configuring Dynamic Multipoint VPN Using GRE Over IPsec With OSPF, NAT, and Cisco IOS Firewall

Quality of Service for VPNs

Syllabus. Cisco Certified Design Professional. Implementing Cisco IP Routing

BTEC Level 3 Extended Diploma

Configuring FlexVPN Spoke to Spoke

CCNA Routing and Switching (NI )

CCNA. Murlisona App. Hiralal Lane, Ravivar Karanja, Near Pethe High-School, ,

Configuring Virtual Private LAN Services

Deployment Scenarios

Intelligent WAN Design Summary

QUESTION: 1 You have been asked to establish a design that will allow your company to migrate from a WAN service to a Layer 3 VPN service. In your des

VPN Overview. VPN Types

Multiprotocol Label Switching (MPLS) on Cisco Routers

Index. Numerics 3DES (triple data encryption standard), 21

Building Service-Aware Networks

Exam Questions Demo Cisco. Exam Questions

Transcription:

Cisco Group Encrypted Transport VPN Q. What is Cisco Group Encrypted Transport VPN? A. Cisco Group Encrypted Transport is a next-generation WAN VPN solution that defines a new category of VPN, one that does not use traditional point-to-point tunnels. For the first time, it eliminates the need to make the compromise between network intelligence and data privacy. This new security model introduces the concept of trusted group member routers, which use a common security methodology that is independent of any point-to-point relationship. By eliminating point-to-point tunnels, Cisco Group Encrypted Transport VPNs can scale much higher while accommodating multicast applications and instantaneous branch-to-branch transactions. Q. What are the key features of Cisco Group Encrypted Transport? A. Cisco Group Encrypted Transport is a standards-based technology that integrates routing and security in the network fabric. The key features include: Group Domain of Interpretation: GDOI (RFC 3547) is the key management protocol that establishes security associations among authorized group member routers. IP header preservation: The original IP header inside the IPsec packet is preserved. Centralized key and policy management: A central key server pushes keys and re keyed messages as well as security policies to authorized group member routers. Policies supported include global policies applicable to all members in a group and local policies. Cooperative Key Server support enables high availability by synchronizing keys and the policy database with a secondary key server router. Q. What benefits does Cisco Group Encrypted Transport VPN provide for an MPLS network? A. Cisco Group Encrypted Transport VPN adds any-to-any encryption to an MPLS network without a tunnel overlay, maintaining the high scale, manageability, and routing intelligence of the existing MPLS network. It meets the requirements of security-conscious enterprises looking for a balance in network control since they may add encryption to the network themselves. In addition, it alleviates the complexity in adding any-to-any IPsec to large MPLS networks with requirements. Moreover, it addresses regulatory-compliance guidelines regarding encryption such as HIPAA and PCI. Q. Who should use Cisco Group Encrypted Transport? A. Enterprise organizations that are either self-managing their own MPLS network or have purchased MPLS or private WAN services from a service provider can self-employ Cisco Group Encrypted Transport to help ensure data privacy while maintaining the any-to-any connectivity intrinsic in their private WANs. In doing so, organizations attain a much-needed balance of control over security among their businesses and service providers while maintaining compliance with security regulations. For enterprises deploying IPsec VPNs over the public Internet, Cisco Group Encrypted Transport provides additional value by enhancing Dynamic Multipoint VPN (DMVPN) and generic routing encapsulation (GRE)-based site-to-site VPNs. Specifically, these customers 2008-2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 1 of 5

can take advantage of almost instantaneous branch-to-branch connectivity, while improving the core meshing capability they already have. Satellite multicast provides an efficient and cost-effective way to deliver bandwidth-rich content such as video, audio, and software upgrades to multiple sites. Using Cisco Group Encrypted Transport in conjunction with the Cisco IP VSAT Satellite WAN Module and the Cisco Enterprise CDN (Content Delivery Network) solution, enterprise customers can (skn: efficiently protect their multicast traffic while creating a highly secure, reliable, and scalable content delivery system for their branch offices worldwide.) Details of Cisco Group Encrypted Transport VPN topologies and configurations can be found at http://www.cisco.com/go/getvpn. Q. Is Cisco Group Encrypted Transport applicable only for MPLS VPNs? A. No, Cisco Group Encrypted Transport is WAN-agnostic. It can be deployed on an MPLS, IP, Frame Relay, or ATM network. For deployment with internet based environments, Cisco Group Encrypted Transport must be deployed with DMVPN. Q. What are the technical benefits of Cisco Group Encrypted Transport VPN? A. Table 1 lists the technical benefits of Cisco Group Encrypted Transport VPN. Table 1. Technical Benefits of Cisco Group Encrypted Transport VPN Previous Limitation New Feature Benefit Encrypting multicast traffic was not scalable and it was difficult to troubleshoot. Overlay VPN networks created overlay routing, lack of advanced QoS, and suboptimal multicast replication. Encryption is supported for native multicast and unicast traffic with Group Encrypted Transport s GDOI protocol. The original IP header is preserved, so no overlay network is required. Allows for higher scale and simplifies troubleshooting Achieves optimal routing and maintains network intelligence such as efficient multicast and advanced QoS Q. What are the advantages of Cisco Group Encrypted Transport VPN vs traditional pointto-point IPsec? A. Cisco Group Encrypted Transport has the following advantages: Traditional Point-to-Point IPSec Tunnels Scalability an issue (N^2 problem). IKE/IPsec tunnels between each pair of peers Any-to-any instant connectivity can t be done to scale Overlay routing New IP Header added to original packed results in Limited advanced QoS Multicast replication inefficient due to tunnel overlay GET VPN Scalable architecture. Single SA and key pair used for entire any-to-any group. Any-to-any instant connectivity to high-scale No overlays native routing IP header preservation keeps original IP header on Ipsec packet, preserves advanced QoS IP header preservation and lack of tunnel overlay results in efficient multicast replication Q. What are the differences between DMVPN and Cisco Group Encrypted Transport? A. DMVPN and Cisco Group Encrypted Transport are complementary. When used in a DMVPN environment, Cisco Group Encrypted Transport can aid in the deployments of voice and video over a VPN: DMVPN provides spoke-to-hub and spoke-to-spoke connectivity solutions using multipoint GRE (mgre) and Next Hop Resolution Protocol (NHRP) functions. For spoke-to-spoke connectivity, the originating spoke must send an NHRP resolution request to the hub in order to establish a tunnel with the requested spoke. Until the dynamic tunnel is built, traffic continues to pass through the hub. To receive the response from the destination spoke, the same procedure is initiated by the destination spoke. 2008-2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 2 of 5

By using Cisco Group Encrypted Transport, the delay caused by IPsec tunnel negotiation which is the major contributor to the overall delay is eliminated as connections are static. It is important to note that when group keying is applied to the tunnel in a DMVPN context, all tunnel traffic is encrypted with the group key. Q. When should Cisco Group Encrypted Transport be deployed? A. Consider deploying Cisco Group Encrypted Transport when interested in a VPN installation that involves: Securing private WAN connections Encrypting data over MPLS networks Securing multicast traffic Deploying voice or similar collaborative applications requiring any-to-any encryption Encrypting IP packets over satellite links Q. When should customers be interested in a Cisco VPN solution other than Cisco Group Encrypted Transport? A. Customers interested in a VPN for hub-and-spoke connectivity can deploy vanilla IPsec point-to-point tunnels, Cisco Enhanced Easy VPN with virtual tunnel interfaces (VTIs) or Cisco Dynamic Multipoint VPN (DMVPN) Customers needing partial-mesh spoke-to-spoke VPNs should deploy DMVPN or DMVPN with Cisco Group Encrypted Transport VPN. Customers interested in multicast and routing protocols over the Internet should deploy DMVPN with Cisco Group Encrypted Transport. Customers interested in encryption while supporting multicast applications and dynamic routing, and customers deploying voice over a classic WAN should deploy Cisco Group Encrypted Transport. Q. What is GDOI? A. GDOI is the ISAKMP Domain of Interpretation (DOI) for group key management. In this trusted group model, the GDOI protocol operates between each group member and the group controller, or key server, to establish security associations between authorized group member routers. Q. Can Cisco Group Encrypted Transport be deployed in Internet-based environments? A. For enterprise IPsec VPNs that traverse the public Internet, Group Encrypted Transport enhances Dynamic Multipoint VPN (DMVPN) and GRE-based site-to-site VPNs by providing manageable, highly scalable network meshing cost-effectively by using the group shared key. In this way, Group Encrypted Transport simplifies key management in large network deployments. Cisco Group Encrypted Transport requires DMVPN for Internet-based deployments because it requires IP public addresses. Q. How is voice supported in a Cisco Group Encrypted Transport network? A. The voice-over-ip (VoIP) application is very sensitive to end-to-end delay. Cisco Group Encrypted Transport provides security to voice applications with an optimized path across the network. Call setup time is reduced because there is a direct path between the group members. In a DMVPN scenario, the addition of Cisco Group Encrypted Transport reduces latency during spoke-to-spoke tunnel setup and enhances the quality of voice calls over a VPN network. Q. What platforms are supported with Cisco Group Encrypted Transport? 2008-2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 3 of 5

A. Cisco Group Encrypted Transport is supported on the Cisco 800, 1800, 2800, and 3800 Series Integrated Services Routers as well as on the Cisco 7301 and 7200 Series routers and the Cisco ASR 1000 Series routers. Q. What software release is required to use Cisco Group Encrypted Transport? A. The Cisco 800 through Cisco 7200 Series and Cisco 7301 Routers must use Cisco IOS Software Release 12.4(11) T Advanced Security image or later. The Cisco ASR 1000 Series Routers must use the Advanced Enterprise Services or Advanced IP Services image options of the Cisco IOS XE Software Release 2.3.0 or later. Note that the Cisco ASR 1000 Series Routers can support only the Group Member role and do not support VRF-lite application currently. Q. Can Key Servers be deployed in different geographic locations in the network? A. Yes Q. What is the Max number of Key Servers that can be deployed in a Cisco Group Encrypted VPN? A. The current maximum number of key servers that can be deployed is 8. Q. Can individual group member connections be monitored at the key server? A. Yes, several command-line interface (CLI) commands are available to monitor group members. One example is show crypto group. Q. What routing protocols are supported with Cisco Group Encrypted Transport? A. Because Cisco Group Encrypted Transport does not introduce an overlay routing model, all routing protocols are supported. Cisco Group Encrypted Transport supports Layer 3 Enhanced Interior Gateway Routing Protocol (EIGRP), On-Demand Routing (ODR), and Open Shortest Fast Path (OSPF). Intermediate System-to-Intermediate System (IS-IS) is not supported because it does not use IP as its network or transport protocol. Border Gateway Protocol (BGP) is supported, but requires specification of all the neighbors individually in the configuration. Q. Does Cisco Group Encrypted Transport support resiliency and failover features? A. Cisco Group Encrypted Transport provides failover between key servers with a feature called Cooperative Key Server. Cooperative key servers ensure that the keying data, such as group policy, active group members, and tunnel encryption key, is shared and kept synchronized between key servers. One primary key server is designated per group. The role of primary key server is determined by priority or by highest IP address. For More Information Q. Where can I get more information? A. For more information, go to http://www.cisco.com/go/getvpn or contact your account team for more information. 2008-2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 4 of 5

Printed in USA C67-376506-03 03/09 2008-2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 5 of 5

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback