Posts Tagged ‘ipsec’
The recording of last week’s seminar on Introduction to DMVPN for CCIE R&S v5 Candidates is now available to view here. This is the first of many new free seminars on new topics that have been added to the CCIE R&S version 5 blueprint. New upcoming sessions will include IPv6 First Hop Security, IPsec LAN-to-LAN tunnels, GET VPN, IGP Convergence & Scalability, and BGP Convergence & Scalability, just to name a few. Feel free to submit requests for additional topics in the comments below.
Good luck in your studies!
Another new update is now available for the CCIE Security Advanced Technologies Class. This update adds an additional 15 hours of videos to the series, which includes the rest of IPsec, IPS, and AAA. All Access Pass subscribers and customers who purchased download access can login to the INE members site to see the new additions. This brings the series up to about 40 hours of videos, which will be further increased with some minor updates I’ll be adding over the next few weeks. If there is a specific topic which is missing that you’d like to see feel free to comment here, or email me at email@example.com.
The outline for the series is now as follows:
- Introduction – 0h 37m
- CCIE Security Preparation Resources – 0h 50m
- ASA Overview – 0h 37m
- Basic ASA Initialization – 1h 02m
- ASA Routing – 0h 37m
- ASA Reliable Static Routing – 0h 20m
- ASA Access Control Lists (ACLs) – 0h 41m
I. Security Fundamentals
a. Why Needed?
i. A closed network allows no connection to a public network; although security is still an issue due to a majority of attacks coming from inside networks today
High availability solutions often utilize virtual gateway protocol to avoid single point of failure. We are going to discuss high availability for the IPsec tunnel in the sample topology presented below. In this topology we need to protect traffic between VLAN67 and VLAN58 travelling across VLAN146 segment. In order to accomplish this, we will configure R6 to establish an IPsec tunnel with a virtual gateway representing both R1 and R4.
One of the new technologies to be featured in the CCIE Security 3.0 blueprint is the GET VPN. This blog post will give you the basics of this new and exciting technology.
Here is the scenario; you are a large corporation with multiple branch offices that need VPN connections between them in order to protect data that needs to be shared from branch to branch. The standard Cisco solution is to create point-to-point IPSec VPNs between these branch offices. This can quickly become a nightmare for administration, obviously, as this “any to any” encryption model using traditional VPN methodologies simply does not scale. Helping to exasperate this issue is the replication of multicast traffic and the extreme difficulty of implementing Quality of Service mechanisms across the core of the network.
The Group Encrypted Transport VPN model has your routers become trusted members of VPN groups as a replacement for the point-to-point model. Secured packets now use the existing router infrastructure and have their original IP header preserved. This helps to ensure that intelligent services like QoS and multicast are no longer implementation problems!
Another huge scalability issue with the traditional, point-to-point approach for “any to any” VPNs is key management. The GET VPN features simplified security policy and key distribution thanks to the Group Key Distribution Model. This model uses Group Domain of Interpretation (GDOI) as specified in RFC 3547. The Group Key Distribution Model features a Key Server (a Cisco router) that authenticates group members, and handles the distribution of security policies and any required keys. In the interests of further scaling this already scalable solution, as well as improving availability, Cooperative Key Servers can be used across wide geographic distributions.
Here are the core technologies to explore with the GET VPN feature:
- Group Domain of Interpretation (GDOI) RFC 3547
- Key Servers (KS)
- Cooperative Key Server (COOP KSs)
- Group Member (GM)
- IP tunnel header preservation
- Group security assocaition
- Rekey mechanism
- Time-based anti-replay (TBAR)
Here are the GET VPN core benefits:
- Large scale any-to-any IPSec security
- Utilizes the underlying IP VPN routing infrastructure
- Integration with existing multicast infrastructures
- IP source and destination address preservation
I certainly hope this post wets your appetite and gives you a framework to begin your studies of the GET VPN technology.
DMVPN stands for Dynamic Multipoint VPN and it is an effective solution for dynamic secure overlay networks. In short, DMVPN is combination of the following technologies:
1) Multipoint GRE (mGRE)
2) Next-Hop Resolution Protocol (NHRP)
4) Dynamic Routing Protocol (EIGRP, RIP, OSPF, BGP)
3) Dynamic IPsec encryption
5) Cisco Express Forwarding (CEF)
Assuming that reader has a general understanding of what DMVPN is and a solid understanding of IPsec/CEF, we are going to describe the role and function of each component in details. In this post we are going to illustrate two major phases of DMVPN evolution:
1) Phase 1 – Hub and Spoke (mGRE hub, p2p GRE spokes)
2) Phase 2 – Hub and Spoke with Spoke-to-Spoke tunnels (mGRE everywhere)
As for DMVPN Phase 3 – “Scalable Infrastructure”, a separate post is required to cover the subject. This is due to the significant changes made to NHRP resolution logic (NHRP redirects and shortcuts), which are better being illustrated when a reader has good understanding of first two phases. However, some hints about Phase 3 will be also provided in this post.
Note: Before we start, I would like to thank my friend Alexander Kitaev, for taking time to review the post and providing me with useful feedback.
1. QoS Policy Propagation through Border Gateway Protocol (BGP) (QPPB)
2. Input common classification
3. Input ACLs
4. Input marking (class-based marking or Committed Access Rate (CAR))
5. Input policing (through a class-based policer or CAR)
6. IP Security (IPSec)
7. Cisco Express Forwarding (CEF) or Fast Switching
1. CEF or Fast Switching
2. Output common classification
3. Output ACLs
4. Output marking
5. Output policing (through a class-based policer or CAR)
6. Queueing (Class-Based Weighted Fair Queueing (CBWFQ) and Low Latency Queueing (LLQ)), and Weighted Random Early Detection (WRED)