VPNs & GRE & BGP


3.3 VPNs

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 20
Fundamentals of VPNs
Introducing VPNs
- A VPN is a private network created via tunneling over a public network, usually the Internet.
- A secure implementation of VPN with encryption, such as IPsec VPNs, is what is usually meant by virtual private networking.
- To implement VPNs, a VPN gateway is necessary; it could be a router, a firewall, or a Cisco Adaptive Security Appliance (ASA).

Fundamentals of VPNs
Benefits of VPNs
- The benefits of a VPN include the following:
• Cost savings - VPNs enable organizations to use cost-effective, high-bandwidth technologies, such as DSL, to connect remote offices and remote users to the main site.
• Scalability - Organizations are able to add large amounts of capacity without adding significant infrastructure.
• Compatibility with broadband technology - Allows mobile workers and telecommuters to take advantage of high-speed broadband connectivity.
• Security - VPNs can use advanced encryption and authentication protocols.

Types of VPNs
Site-to-Site VPNs
- Site-to-site VPNs connect entire networks to each other, for example, connecting a branch office network to a company headquarters network.
- In a site-to-site VPN, end hosts send and receive normal TCP/IP traffic through a VPN "gateway".
- The VPN gateway is responsible for encapsulating and encrypting outbound traffic.

Types of VPNs
Remote Access VPNs
- A remote-access VPN supports the needs of telecommuters, mobile users, and extranet traffic.
- Allows for dynamically changing information, and can be enabled and disabled.
- Used to connect individual hosts that must access their company network securely over the Internet.
- VPN client software may need to be installed on the mobile user's end device.

Types of VPNs
DMVPN
- Dynamic Multipoint VPN (DMVPN) is a Cisco software solution for building multiple VPNs.
- DMVPN is built using the following technologies:
• Next Hop Resolution Protocol (NHRP) - NHRP creates a distributed mapping database of public IP addresses for all tunnel spokes.
• Multipoint Generic Routing Encapsulation (mGRE) tunnels - An mGRE tunnel interface allows a single GRE interface to support multiple IPsec tunnels.
• IP Security (IPsec) encryption - provides secure transport of private information over public networks.

3.4 GRE

GRE Overview
GRE Introduction
- Generic Routing Encapsulation (GRE) is a non-secure, site-to-site VPN tunneling protocol.
- Developed by Cisco.
- GRE manages the transportation of multiprotocol and IP multicast traffic between two or more sites.
- A tunnel interface supports a header for each of the following:
• An encapsulated protocol, or passenger protocol, such as IPv4 or IPv6.
• An encapsulation protocol, or carrier protocol, such as GRE.
• A transport delivery protocol, such as IP.
GRE Overview
GRE Characteristics
- GRE is defined as an IETF standard (RFC 2784).
- In the outer IP header, 47 is used in the protocol field.
- GRE encapsulation uses a protocol type field in the GRE header to support the encapsulation of any OSI Layer 3 protocol.
- GRE is stateless.
- GRE does not include any strong security mechanisms.
- The GRE header, together with the tunneling IP header, creates at least 24 bytes of additional overhead for tunneled packets.
Implement GRE
Configure GRE
- Five steps to configuring a GRE tunnel:
• Step 1. Create a tunnel interface using the interface tunnel number command.
• Step 2. Configure an IP address for the tunnel interface (usually a private address).
• Step 3. Specify the tunnel source IP address.
• Step 4. Specify the tunnel destination IP address.
• Step 5. (Optional) Specify GRE tunnel mode as the tunnel interface mode.
Note: The tunnel source and tunnel destination commands reference the IP addresses of the preconfigured physical interfaces.
Implement GRE
Verify GRE
- Use the show ip interface brief command to verify that the tunnel interface is up.
- Use the show interface tunnel command to verify the state of the tunnel.
- Use the show ip ospf neighbor command to verify that an OSPF adjacency has been established over the tunnel interface.

Implement GRE
Troubleshoot GRE
- Issues with GRE are usually due to one or more of the following:
• The tunnel interface IP addresses are not on the same network or the subnet masks do not match. Use the show ip interface brief command.
• The interfaces for the tunnel source and/or destination are not configured with the correct IP address or are down. Use the show ip interface brief command.
• Static or dynamic routing is not properly configured. Use show ip route or show ip ospf neighbor.
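A complete two-router walkthrough of the five configuration steps together with the verification and troubleshooting checks from the GRE slides above. This is an added example, not the deck's own configuration. The router roles (Branch, HQ), the public addresses 198.51.100.2 and 192.0.2.1 with their ISP next hops, the tunnel subnet 172.16.0.0/30, the LAN prefixes and the ACL name WAN-IN are assumptions. Beyond the five steps it adds what the GRE Characteristics slide implies: an MTU/MSS adjustment for the 24-byte overhead, tunnel keepalives, and an inbound ACL that limits protocol 47 to the known peer because GRE itself carries no security.

```cisco
! ===== Branch router (assumed: WAN 198.51.100.2/30 on G0/0, LAN 10.2.0.0/24) =====
! GRE has no authentication or encryption: accept protocol 47 only from the known
! peer and log anything else. The final permit is an assumption; the rest of the
! WAN policy is site-specific.
ip access-list extended WAN-IN
 permit gre host 192.0.2.1 host 198.51.100.2
 deny gre any any log
 permit ip any any
!
interface GigabitEthernet0/0
 ip address 198.51.100.2 255.255.255.252
 ip access-group WAN-IN in
!
! The tunnel destination must be reachable through the underlay (assumed ISP next hop)
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! Step 1: create the tunnel interface
interface Tunnel0
! Step 2: tunnel address, private, and in the same subnet at both ends
 ip address 172.16.0.2 255.255.255.252
! 24 bytes of GRE + outer IP overhead: 1500 - 24 = 1476 tunnel MTU, MSS 40 bytes less
 ip mtu 1476
 ip tcp adjust-mss 1436
! Without keepalives Tunnel0 stays up/up whenever the source is up and a route to the
! destination exists, even if the peer is unreachable; keepalives (10 s, 3 misses)
! make the line protocol reflect the peer's reachability
 keepalive 10 3
! Step 3: tunnel source is the preconfigured physical interface
 tunnel source GigabitEthernet0/0
! Step 4: tunnel destination is the peer's physical (public) address
 tunnel destination 192.0.2.1
! Step 5 (optional, the default): GRE over IPv4
 tunnel mode gre ip
!
! Routing over the tunnel only; the WAN interface stays out of OSPF
router ospf 1
 network 172.16.0.0 0.0.0.3 area 0
 network 10.2.0.0 0.0.0.255 area 0
!
! ===== HQ router (assumed: WAN 192.0.2.1/30 on G0/0, LAN 10.1.0.0/24) =====
ip access-list extended WAN-IN
 permit gre host 198.51.100.2 host 192.0.2.1
 deny gre any any log
 permit ip any any
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.252
 ip access-group WAN-IN in
!
ip route 0.0.0.0 0.0.0.0 192.0.2.2
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 ip mtu 1476
 ip tcp adjust-mss 1436
 keepalive 10 3
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.2
 tunnel mode gre ip
!
router ospf 1
 network 172.16.0.0 0.0.0.3 area 0
 network 10.1.0.0 0.0.0.255 area 0
!
! ===== Verification and troubleshooting (exec mode, either router) =====
! show ip interface brief  -> G0/0 and Tunnel0 both up/up; the two tunnel addresses share
!                             one /30 (first troubleshooting item)
! show interface tunnel 0  -> "Tunnel source" and "destination" match the physical
!                             addresses on both ends; keepalive state (second item)
! show ip route 192.0.2.1  -> a route to the tunnel destination must exist (third item)
! show ip ospf neighbor    -> the peer is FULL over Tunnel0
! show access-lists WAN-IN -> hits on the "deny gre" line mean GRE arrived from an
!                             unexpected source and is worth investigating
```

If the OSPF adjacency forms but large transfers stall, the MTU lines are the first thing to re-check: a 1500-byte packet entering a tunnel that adds 24 bytes either fragments or is dropped when DF is set, and the MSS clamp is what keeps TCP sessions below that limit.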

3.5 eBGP

BGP Overview
IGP and EGP Routing Protocols
- Interior Gateway Protocols (IGPs) are used to exchange routing information within a company network or an autonomous system (AS).
- An Exterior Gateway Protocol (EGP) is used for the exchange of routing information between autonomous systems, such as ISPs.
- Border Gateway Protocol (BGP) is an Exterior Gateway Protocol (EGP).
• Every AS is assigned a unique 16-bit or 32-bit AS number, which uniquely identifies it on the Internet.

BGP Overview
eBGP and iBGP
- External BGP (eBGP) - External BGP is the routing protocol used between routers in different autonomous systems.
- Internal BGP (iBGP) - Internal BGP is the routing protocol used between routers in the same AS.
- Two routers exchanging BGP routing information are known as BGP peers.

BGP Design Considerations
When to use BGP
- BGP is used when an AS has connections to multiple autonomous systems. This is known as multi-homed.
- A misconfiguration of a BGP router could have negative effects throughout the Internet.

BGP Design Considerations
When not to use BGP
- BGP should not be used when one of the following conditions exists:
• There is a single connection to the Internet or another AS. This is known as single-homed.
• There is a limited understanding of BGP.
Note: Although it is recommended only in unusual situations, for the purposes of this course, you will configure single-homed BGP.

BGP Design Considerations
BGP Options
- Three common ways an organization can implement BGP in a multi-homed environment:
• Default Route Only
• Default Route and ISP Routes
• All Internet Routes (this would include routes to over 550,000 networks)

eBGP Branch Configuration
Steps to Configure eBGP
- To implement eBGP:
• Enable BGP routing.
• Configure BGP neighbor(s) (peering).
• Advertise network(s) originating from this AS.

eBGP Branch Configuration
BGP Sample Configuration
- The router bgp as-number global configuration command enables BGP and identifies the AS number.
- The neighbor ip-address remote-as as-number router configuration command identifies the BGP peer and its AS number.
- The network network-address [mask network-mask] router configuration command enters the network-address into the local BGP table.

Company-A(config)#router bgp 65000
Company-A(config-router)#neighbor 209.165.201.1 remote-as 65001
Company-A(config-router)#network 198.133.219.0 mask 255.255.255.0

Note: The network-address used in the network command does not have to be a directly connected network.
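The single-homed eBGP configuration from the sample above, extended into a complete example with the safeguards a practitioner adds against the "misconfiguration could have negative effects throughout the Internet" warning and with the "Default Route Only" option from the design slides applied. This block is added here and is not the deck's own configuration. It keeps the deck's values (AS 65000, peer 209.165.201.1 in AS 65001, prefix 198.133.219.0/24); the prefix-list names, the Null0 anchor route, the maximum-prefix value of 10, PSK-PLACEHOLDER, and the directly connected peer that ttl-security assumes are all assumptions.

```cisco
! ===== Company-A, single-homed eBGP to the ISP (AS 65001) =====
! Only ever originate our own prefix and only ever accept a default route:
! a prefix-list in each direction is what stops a typo in "network" or a
! leaked internal route from reaching the Internet, and a full table from
! flooding a single-homed router.
ip prefix-list OWN-PREFIX seq 5 permit 198.133.219.0/24
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!
! "network" needs an exact match in the routing table; a Null0 anchor provides one
! even when the LAN is carved into smaller internal subnets (common practice,
! assumed here rather than stated on the slide).
ip route 198.133.219.0 255.255.255.0 Null0
!
router bgp 65000
 bgp log-neighbor-changes
 neighbor 209.165.201.1 remote-as 65001
! TCP MD5 on the session; PSK-PLACEHOLDER stands in for a real shared secret
 neighbor 209.165.201.1 password PSK-PLACEHOLDER
! Peer assumed directly connected: drop BGP packets whose TTL shows they travelled
! more than one hop (GTSM)
 neighbor 209.165.201.1 ttl-security hops 1
! Inbound: default route only (the first of the three BGP options)
 neighbor 209.165.201.1 prefix-list DEFAULT-ONLY in
! Outbound: nothing but our own prefix
 neighbor 209.165.201.1 prefix-list OWN-PREFIX out
! Shut the session if the ISP ever sends more than 10 prefixes (assumed ceiling)
 neighbor 209.165.201.1 maximum-prefix 10
 network 198.133.219.0 mask 255.255.255.0
!
! ===== Verification (exec mode) =====
! show ip bgp summary                                   -> State/PfxRcd shows a count, not Idle or Active
! show ip bgp                                           -> 0.0.0.0/0 from 209.165.201.1; 198.133.219.0/24 locally originated
! show ip bgp neighbors 209.165.201.1 advertised-routes -> exactly one prefix: 198.133.219.0/24
! show ip route bgp                                     -> the default route installed from BGP
```

The advertised-routes check is the one to run after every change to the network statements: it shows what actually left the router towards the ISP, which is what the rest of the Internet sees.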
eBGP Branch Configuration
Verify eBGP
- Three commands to verify eBGP:
• show ip route
• show ip bgp
• show ip bgp summary

3.6 Chapter Summary

Conclusion
Chapter 3: Branch Connections
- Select broadband remote access technologies to support business requirements.
- Configure a Cisco router with PPPoE.
- Explain how VPNs secure site-to-site and remote access connectivity.
- Implement a GRE tunnel.
- Implement eBGP in a single-homed remote access network.

