MPLS + DMVPN + IPsec
What is MPLS? How to implement MPLS?
MPLS defines protocols that introduce a different paradigm for the way routers forward packets: rather than forwarding packets based on the packet's destination IP address, MPLS defines how the router can forward packets based on an MPLS label. Read more...
What we are going to see in this section:
- How does MPLS work?
- Traditional IP routing
- Basic MPLS features
- MPLS terminology
What is the MPLS Label Distribution Protocol (LDP)? How does LDP work?
- The IGP builds the routing table (the FIB, via CEF)
- Each LSR assigns a local label to each route it learned
- Each LSR shares its labels with its neighbors using LDP
- Each LSR builds its own LFIB
- Packets are forwarded based on a label lookup
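An added example, not from the original page, that models the five steps above in Python: a constructed three-router core (R1, R2, R3) allocates labels, exchanges them the way LDP would, and forwards one packet on label lookups alone, including the penultimate-hop pop for the egress LSR. The topology, prefix and label values are constructed for illustration.

```python
from dataclasses import dataclass, field

IMPLICIT_NULL = 3  # reserved label an egress LSR advertises: "pop before sending to me"


@dataclass
class LSR:
    name: str
    fib: dict = field(default_factory=dict)           # prefix -> next hop (IGP via CEF)
    connected: set = field(default_factory=set)       # prefixes this LSR is egress for
    local_labels: dict = field(default_factory=dict)  # prefix -> label allocated locally
    lfib: dict = field(default_factory=dict)          # in-label -> (out-label, next hop)

    def allocate_labels(self, first_label):
        """Step 2: one local label per learned route; connected routes get implicit-null."""
        label = first_label
        for prefix in sorted(set(self.fib) | self.connected):
            if prefix in self.connected:
                self.local_labels[prefix] = IMPLICIT_NULL
            else:
                self.local_labels[prefix] = label
                label += 1


def distribute_labels(lsrs):
    """Steps 3-4: each LSR learns its next hop's label (as LDP would) and fills its LFIB."""
    for lsr in lsrs.values():
        for prefix, nh in lsr.fib.items():
            out_label = lsrs[nh].local_labels[prefix]
            lsr.lfib[lsr.local_labels[prefix]] = (out_label, nh)


def forward(lsrs, ingress, prefix):
    """Step 5: trace one packet; returns [(router, next hop, label on the wire)]."""
    lsr = lsrs[ingress]
    nh = lsr.fib[prefix]                      # ingress only: IP lookup, then push
    label = lsrs[nh].local_labels[prefix]
    trace = []
    while label != IMPLICIT_NULL:
        trace.append((lsr.name, nh, label))
        lsr = lsrs[nh]
        label, nh = lsr.lfib[label]           # core LSR: label lookup only, then swap
    trace.append((lsr.name, nh, None))        # penultimate hop pops; egress gets plain IP
    return trace


def demo_lsp():
    """Constructed three-router core; 10.3.3.0/24 is connected behind R3."""
    p = "10.3.3.0/24"
    lsrs = {"R1": LSR("R1", fib={p: "R2"}),
            "R2": LSR("R2", fib={p: "R3"}),
            "R3": LSR("R3", connected={p})}
    for name, first in (("R1", 100), ("R2", 200), ("R3", 300)):
        lsrs[name].allocate_labels(first)     # label ranges as in the lab: 1xx, 2xx, 3xx
    distribute_labels(lsrs)
    return forward(lsrs, "R1", p)
```

R2 is the penultimate hop, so it pops the label and R3 receives a plain IP packet.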
What is MPLS L3 VPN? How to configure?
What is a VRF (virtual routing and forwarding)?
What is an RD (route distinguisher)?
How to configure MPLS L3 VPN with RIPv2?
How to configure MPLS L3 VPN with EIGRP?
- Configure the topology as per the diagram.
- Assign the IP addresses to their interfaces.
- Configure the IGP (OSPF 1) inside the MPLS SP core.
- Configure MPLS LDP on routers 1, 2 and 3.
- Configure the label ranges (99-199, 200-299, 300-399).
- Configure VRF A-1 on router 1 and VRF A-2 on router 3.
- Configure the RD and RT value 500:1 at both sites.
- On router 1, assign the FastEthernet interface facing the CE to VRF A-1.
- On router 3, assign the FastEthernet interface facing the CE to VRF A-2.
- Configure the loopbacks with an exact mask so that the routes are exchanged.
- Configure EIGRP 6500 on both CE routers.
- Make sure the PE and CE routers can ping each other.
- Configure VPNv4 peering between the PE routers.
- Configure redistribution on the PE routers between EIGRP and BGP under the VRF.
- Make sure both CE routers are able to ping each other.
How to configure MPLS L3 VPN with OSPF?
- We need to assign a separate OSPF process ID for each VRF that receives VPN routes via OSPF from a CE. In our topology we run OSPF for multiple VRFs and also run OSPF inside the core network, so we need to distinguish which routes belong to which VRF and which interface belongs to which OSPF process. In simple words: use a separate process ID per VRF.
- When redistributing OSPF into BGP, by default only OSPF intra-area and inter-area routes are redistributed into BGP. We need to use the external keyword with the redistribute command under BGP to redistribute OSPF external routes into BGP. In simple words: use the external keyword.
OSPF sham links are logical inter-area links carried by the super backbone. A sham link is required only between two VPN sites that belong to the same area and have a backdoor link for backup purposes. OSPF adjacency is established across the sham link. Read more...
OSPF sham links are required when we use a backdoor link between two CE routers in an MPLS VPN PE-CE scenario.
How to configure MPLS L3 VPN with BGP AS override?
BGP has a simple loop prevention mechanism for external BGP: when a router sees its own autonomous system number in the AS path, it does not accept the prefix. This mechanism is fine for Internet routing, but there are other scenarios where it becomes an issue. Read more...
Topology: Read more...
Generic Routing Encapsulation (GRE) is a network tunneling protocol developed by Cisco Systems that can encapsulate a wide variety of network layer protocols inside virtual point-to-point links or point-to-multipoint links over an Internet Protocol network. Read more...
When do we use GRE?
GRE is used when packets need to be sent from one network to another over the internet.
Generic Routing Encapsulation (GRE) has some disadvantages:
A GRE tunnel is an encapsulation protocol and does not perform any encryption.
Creating a GRE point-to-point tunnel without any encryption is extremely risky, as sensitive data can easily be extracted from the tunnel and misused by others. (That is the reason we use IPsec to add an encryption layer and secure the GRE tunnel; with IPsec we get strong encryption.)
A GRE tunnel uses a 'tunnel' interface, a logical interface configured on the router with an IP address, where packets are encapsulated and decapsulated as they enter or exit the GRE tunnel.
The tunnel interfaces of all participating routers must be configured with IP addresses that are not used anywhere else in the network, and each tunnel interface is assigned an IP address within the same subnet as the other tunnel interfaces. Before you configure the tunnel you must adjust the MTU (maximum transmission unit) and MSS (maximum segment size) to account for the GRE overhead.
Let's see the configuration: Read more...
Topology:
Goal:
- Configure the topology as per the diagram.
- Assign IP addresses to the interfaces as per the topology.
- Configure default and static routing.
- Configure point-to-point tunnels between router 1 and router 3, and between router 1 and router 4.
What is DMVPN (Dynamic Multipoint VPN), NHRP, mGRE, and How to configure DMVPN Phase 1?
DMVPN (Dynamic Multipoint VPN), introduced by Cisco in late 2000, is a routing technology you can use to build a VPN network with multiple sites (spokes) without having to statically configure all devices. It is a hub-and-spoke network in which the spokes can communicate with each other directly without having to go through the hub. Encryption is supported through IPsec, which makes DMVPN a popular choice for connecting different sites over regular Internet connections. It is a great backup or alternative to private networks like MPLS VPN.
This technology was developed to address the need for automatically created VPN tunnels when the spokes use dynamic IP addresses. In its pure hub-and-spoke form, all branches communicate with each other securely through the hub.
There are four topics you need to know:
- Multipoint GRE (mGRE)
- NHRP (Next Hop Resolution Protocol)
- Routing (RIP, EIGRP, OSPF, BGP, etc.)
- IPsec (not required but recommended)
Multipoint GRE (mGRE)
Our regular GRE tunnels are point-to-point and do not scale well; with many point-to-point tunnels it quickly becomes messy. With multipoint GRE there is only one tunnel interface on each router. mGRE interfaces do not have a tunnel destination, which keeps costs low, minimizes configuration complexity and increases flexibility. Multipoint GRE (mGRE) uses a tunnel source and a tunnel mode of mGRE; the tunnel can have many endpoints through a single tunnel interface. An endpoint can be configured as GRE or mGRE, and the mapping is done by the NHRP protocol. Read more...
NHRP (Next Hop Resolution Protocol)
We need something that helps our router figure out the public IP address of the other router; we do this with a protocol called NHRP (Next Hop Resolution Protocol). NHRP maps the tunnel IP address to the NBMA address (the public IP), either statically or dynamically. NHRP provides a layer 2 address resolution protocol and caching service similar to ARP and inverse ARP. What it does is build a dynamic database on the hub with information about the spokes' IP addresses. Read more...
How NHRP works:
- One router will be the NHRP server, the next-hop server (NHS).
- All other routers will be NHRP clients, the next-hop clients (NHCs).
- NHRP clients register themselves with the NHRP server and report their public IP address; an NHC sends a query to the NHS when it wants to communicate with another NHC.
- The NHRP server keeps track of all public IP addresses in its cache; the NHS acts as a mapping agent, stores all registered mappings and replies to the queries made by NHCs.
- When one router wants to tunnel something to another router, it asks the NHRP server for the public IP address of the other router.
DMVPN has three different versions, which we call phases.
DMVPN Phase 1
Before we start I want to let you know that phase 1 is not used nowadays. In phase 1 we use NHRP so that the spokes can register themselves with the hub (NHRP is needed for the spokes to register with the hub). The hub is the only router using a multipoint GRE (mGRE) interface; all spokes use regular point-to-point GRE tunnel interfaces. It is a hub-and-spoke topology in which dynamic IP addresses on the spokes may be used. All traffic goes through the hub, which means there is no direct spoke-to-spoke communication. Read more...
Since all traffic goes through the hub, the routing configuration is quite simple: spoke routers only need a summary or default route to the hub to reach the other spoke routers.
DMVPN Phase 2 and 3 we will talk about in the next chapter.
Let's see the configuration: Read more...
Topology:
What is DMVPN (Dynamic Multipoint VPN) Phase 2? How to configure DMVPN phase 2 Dynamic and Static Mapping?
As we already discussed, phase 1 is not used nowadays. In phase 1 we use NHRP so that the spokes can register themselves with the hub (NHRP is needed for the spokes to register with the hub). The hub is the only router using a multipoint GRE (mGRE) interface; all spokes use regular point-to-point GRE tunnel interfaces. It is a hub-and-spoke topology in which dynamic IP addresses on the spokes may be used. All traffic goes through the hub, which means there is no direct spoke-to-spoke communication.
Since all traffic goes through the hub, the routing configuration is quite simple: spoke routers only need a summary or default route to the hub to reach the other spoke routers. Read more...
In DMVPN phase 2, the hub and the spokes are all configured with multipoint GRE and spoke-to-spoke tunnels are created. NHRP is required for the spokes to register with the hub, and NHRP is also required for spoke-to-spoke resolution. Read more...
Let's see the configuration: Read more...
Topology:
_____________________________________________________________________________
How to configure EIGRP and OSPF over DMVPN Phase 1 & 2?
Before we start our configuration of EIGRP and OSPF over DMVPN, we need to understand a few things about EIGRP and OSPF.
The ip nhrp map multicast dynamic command enables the forwarding of multicast traffic across the tunnel to dynamic spokes. This is usually required by routing protocols such as OSPF and EIGRP; in most cases DMVPN is accompanied by a routing protocol to send and receive dynamic updates about the private networks. The ip nhrp map multicast dynamic command is not required if we are using static NHRP mappings. Read more...
EIGRP routers will not advertise a route back out of the same interface because of the split-horizon rule: split horizon prohibits a router from advertising a route through the interface that the router itself uses to reach the destination. To disable split-horizon behavior, use the no ip split-horizon eigrp AS-number interface command. Split horizon is turned on by default. When you change the EIGRP split-horizon setting on an interface, it resets all adjacencies with EIGRP neighbors reachable over that interface. Split horizon should only be disabled on the hub in a hub-and-spoke network. Read more...
Disabling split horizon on the spokes radically increases EIGRP memory consumption on the hub router and the amount of traffic generated on the spoke routers.
By default, OSPF treats a tunnel interface as a point-to-point interface even if you configure multipoint GRE, so we will see neighborship-down messages repeatedly. To overcome this issue we need to change the default OSPF network type, which we will see in the OSPF lab.
Let's see the configuration: Read more...
Topology:
________________________________________________________________________________
How to configure External BGP and EIGRP on DMVPN Phase 2?
The first DMVPN lesson explained the basics and how to configure a basic DMVPN phase 2 network. I also explained how to configure EIGRP and OSPF over a phase 1 network.
In this lesson we will look at how we can use external BGP and EIGRP on a DMVPN phase 2 network. Here is the topology we will use: Read more...
Let's see the configuration: Read more...
______________________________________________________________________________
What is IPSec (Internet protocol security)? What is Internet Key Exchange IKE? How to configure IPSec tunnel?
IPsec (Internet Protocol Security) is a set of protocols developed by the Internet Engineering Task Force (IETF). It is a framework that helps us protect our IP traffic at the network layer. Why? Because the IP protocol itself has no security features at all. IPsec allows two or more hosts to communicate securely by authenticating and encrypting each IP packet of a communication session. Read more...
IPsec can protect our traffic with the following features:
- Confidentiality: by encrypting the data, only the sender and the receiver are able to read it. This means the contents are not visible to third parties.
- Integrity: we want to make sure that no one can make changes to the data in our packets. By calculating a hash value (using a hashing algorithm), the sender and receiver can check whether the packet has been modified.
- Authentication: the sender and receiver authenticate each other to make sure they are really talking to the device they intend to.
- Anti-replay: even if a packet is encrypted and authenticated, an attacker could capture it and send it again. By using sequence numbers, IPsec ensures that duplicate packets are not accepted: the receiver can reject old or duplicate packets, so each packet is accepted only once and replay attacks are defeated.
We need to build the IPsec tunnel before we can protect any IP packets. To establish an IPsec tunnel we have a protocol called Internet Key Exchange (IKE).
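An added Python example (not from the original page) of the anti-replay service described above, modeled on the sliding window of RFC 4303: the receiver accepts a packet only if its sequence number is new and inside the window, and it slides the window only after the packet's integrity check has passed, so a forged packet with a large sequence number cannot push genuine packets out of the window. The packet stream is constructed.

```python
WINDOW = 64  # common IPsec anti-replay window size, in sequence numbers


class AntiReplayWindow:
    """Receiver-side sliding window over ESP/AH sequence numbers (RFC 4303 style)."""

    def __init__(self, size=WINDOW):
        self.size = size
        self.top = 0        # highest sequence number accepted so far (0 = none yet)
        self.bitmap = 0     # bit i set => sequence number (top - i) already received

    def check(self, seq):
        """Pre-integrity check: 'accept' or the reason the packet must be dropped."""
        if seq == 0:
            return "reject: sequence number 0 is never used"
        if seq > self.top:
            return "accept"                         # would become the new right edge
        offset = self.top - seq
        if offset >= self.size:
            return "reject: too old, outside window"
        if self.bitmap & (1 << offset):
            return "reject: duplicate (replay)"
        return "accept"

    def mark(self, seq):
        """Record seq as received; called only after the ICV has verified."""
        if seq > self.top:
            shift = seq - self.top                  # slide the window to the right
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def receive(self, seq, icv_ok):
        """Order matters: window check, then integrity, then update the window."""
        verdict = self.check(seq)
        if verdict != "accept":
            return verdict
        if not icv_ok:                              # forged packet must not move the window
            return "reject: integrity check failed"
        self.mark(seq)
        return "accept"


def demo_replay():
    # Constructed stream of (sequence number, ICV verified?): a reordered packet,
    # a replayed one, a forged one with a huge sequence number, then a window slide.
    stream = [(1, True), (2, True), (4, True), (3, True), (2, True),
              (500, False), (70, True), (5, True), (7, True)]
    w = AntiReplayWindow()
    return [w.receive(seq, ok) for seq, ok in stream]
```

Packet 3 arriving after 4 is still accepted (reordering inside the window), while the replayed 2, the forged 500 and the stale 5 are dropped.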
We have two phases for building an IPSec tunnel:
- Internet Key Exchange (IKE) phase 1
- Internet Key Exchange (IKE) phase 2
In Internet Key Exchange (IKE) phase 1, the two peers negotiate the encryption, authentication, hashing and other protocol parameters that are required; in other words, phase 1 provides a framework for the negotiation of security parameters and the establishment of authenticated keys. Read more...
In this phase an Internet Security Association and Key Management Protocol (ISAKMP) session is established. This is also called the ISAKMP tunnel or IKE phase 1 tunnel. The set of parameters that the two devices agree to use is called an SA (security association). Read more...
What is IKE (Internet Key Exchange)? How to configure IPSec site-to-site?
IKE (Internet Key Exchange) Phase 1
The main purpose of IKE phase 1 is to establish a secure tunnel for IKE phase 2 (IPsec). Let's understand phase 1 in steps:
- The first step is negotiation between future neighbors (peers) that have traffic to be
Step 1: Negotiation
The peer that has traffic it wants to protect initiates the IKE phase 1 negotiation. The peers negotiate the following:
- Hashing: the peers use a hashing algorithm, MD5 or SHA, to verify integrity.
- Authentication: each peer has to prove its identity, using pre-shared keys or digital certificates.
- DH (Diffie-Hellman) group: the DH group determines how strong the key is, and it is used in the key exchange process. A higher group number is more secure but takes longer to compute.
- Lifetime: how long the IKE phase 1 tunnel stays up. A shorter lifetime is more secure, because rebuilding the tunnel also means using new keying material. Each vendor uses a different default lifetime; a common default value is 86400 seconds (1 day).
- Encryption: the algorithm we use for encryption, DES, 3DES or AES.
Step 2: DH Key Exchange
Step 3: Authentication
In this step both peers authenticate each other using the authentication method they agreed on during negotiation. Once authentication succeeds, both peers can send and receive on this tunnel (the tunnel is complete).
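An added Python model (not from the page, and not vendor code) of the step 1 negotiation: each side holds ordered policies carrying the phase 1 parameters listed above, the responder picks the first proposal whose hashing, authentication, DH group and encryption all match, the shorter lifetime wins, and an audit helper flags agreed parameters (DES/3DES, MD5/SHA-1, DH groups 1, 2 and 5) that should be retired. The policies and the WEAK sets are constructed assumptions for this example, and the matching rule is a simplification of how routers compare policies.

```python
from dataclasses import dataclass

# Phase 1 parameters a defender should no longer accept (assumed policy for this example).
WEAK = {"encryption": {"des", "3des"}, "hashing": {"md5", "sha"}, "group": {1, 2, 5}}


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int            # lower number is tried first, like "crypto isakmp policy <n>"
    encryption: str          # des / 3des / aes / aes 256
    hashing: str             # md5 / sha / sha256
    authentication: str      # pre-share / rsa-sig
    group: int               # Diffie-Hellman group
    lifetime: int = 86400    # seconds; one day is the usual default

    def same_proposal(self, other):
        """Everything except lifetime has to be identical for a match."""
        return (self.encryption, self.hashing, self.authentication, self.group) == \
               (other.encryption, other.hashing, other.authentication, other.group)


def negotiate(initiator, responder):
    """Return the agreed phase 1 SA, or None when no proposal matches.

    Simplified model: the responder walks its policies from the lowest priority
    number upward and takes the first initiator proposal whose encryption,
    hashing, authentication and DH group all match; the shorter lifetime wins.
    """
    for mine in sorted(responder, key=lambda p: p.priority):
        for theirs in sorted(initiator, key=lambda p: p.priority):
            if mine.same_proposal(theirs):
                return IsakmpPolicy(mine.priority, mine.encryption, mine.hashing,
                                    mine.authentication, mine.group,
                                    min(mine.lifetime, theirs.lifetime))
    return None


def audit(sa):
    """List the agreed parameters that fall in the WEAK sets (empty list = fine)."""
    return sorted(f"{attr}={getattr(sa, attr)}"
                  for attr, bad in WEAK.items() if getattr(sa, attr) in bad)


# Constructed policies: a hub that still carries a legacy policy for one old peer.
RESPONDER = [IsakmpPolicy(10, "aes 256", "sha256", "pre-share", 14, 28800),
             IsakmpPolicy(20, "3des", "md5", "pre-share", 2)]
MODERN_INITIATOR = [IsakmpPolicy(10, "aes", "sha", "pre-share", 5),
                    IsakmpPolicy(20, "aes 256", "sha256", "pre-share", 14)]
LEGACY_INITIATOR = [IsakmpPolicy(10, "3des", "md5", "pre-share", 2)]
```

Running audit on the SA negotiated with LEGACY_INITIATOR shows why the hub's policy 20 is the one to remove: as long as it exists, any peer can still land on it.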
The three steps above can be completed using two different modes:
IKE Phase 2
The IPsec tunnel, or IKE phase 2, is used to protect user data. In IKE phase 2 there is only one mode for building the IPsec tunnel, called quick mode.
Just as in IKE phase 1, the IKE phase 2 (IPsec) peers negotiate the following:
- IPsec protocol: AH or ESP.
- Encapsulation mode: transport or tunnel mode.
- Encryption: which encryption algorithm, DES, 3DES or AES.
- Authentication: which authentication algorithm, MD5 or SHA.
- Lifetime: how long the IKE phase 2 tunnel is valid. When the tunnel is about to expire, the keying material is refreshed.
- (Optional) DH exchange: used for PFS (Perfect Forward Secrecy).
IPsec Protocols
AH and ESP are the two protocols we use to protect user data. Both can be used in transport or tunnel mode; let's see all the possible options. Read more...
Authentication Header Protocol
AH offers authentication and integrity, which is good, but it does not provide any encryption. AH protects IP packets by calculating a hash value over almost all fields in the IP header; the fields it excludes are the ones that can change in transit (such as TTL and the header checksum). Read more...
Transport Mode
Transport mode is very simple: it just adds an AH header right after the IP header. Here is an example of an IP packet that carries some TCP traffic:
Tunnel Mode
In tunnel mode we add a new IP header on top of the original IP packet. Read more...
How to configure IPsec tunnel over DMVPN?
In the previous sessions we discussed MPLS, DMVPN (basic to advanced) and IPsec; I assume you are familiar with these topics. In this section we are going to configure IPsec over DMVPN.
Let's see the configuration: Read more...
Topology: