
Chapter 8:

Implementing Virtual
Private Networks

CCNA Security

Presentation_ID 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 1
Chapter 8: Objectives

In this chapter you will:

Describe VPNs and their benefits.
Identify the Cisco VPN product line and the security features of these products.
Configure a site-to-site VPN GRE tunnel.
Describe the IPsec protocol and its basic functions.

Chapter 8
8.0 Introduction
8.1 VPNs
8.2 GRE VPNs

8.1 VPNs

VPN Overview
Virtual Private Networks
A Virtual Private Network (VPN) is a private network that is created via
tunneling over a public network, usually the Internet.
VPNs have multiple benefits, including:
Compatibility with broadband technology
Cost savings
Security
Scalability

VPN Overview
Types of VPNs
In the simplest sense, a VPN connects two endpoints, such as two
remote offices, over a public network to form a logical connection.
The logical connections can be made at either Layer 2 or Layer 3 of the
OSI model.
Common examples of Layer 3 VPNs are:
Generic Routing Encapsulation (GRE)
Multiprotocol Label Switching (MPLS)
Internet Protocol Security (IPsec)

VPN Topologies
Site-to-Site VPNs
Created when connection devices on both sides of the VPN
connection are aware of the VPN configuration in advance.
The VPN remains static and internal hosts have no knowledge
that a VPN exists.

VPN Topologies
Remote-Access VPNs
Allows for dynamically changing connection information and
can be enabled and disabled when needed.
Example: a telecommuter's PC is responsible for establishing the VPN.

VPN Topologies
Remote-Access VPNs
An evolution of circuit-switched networks, such as plain old
telephone service (POTS) or Integrated Services Digital
Network (ISDN).
Support a client/server architecture. A VPN client (remote host)
requires secure access to the enterprise network via a VPN
server device at the network edge.

VPN Topologies
Site-to-Site VPNs Cont.
An extension of a classic WAN network.
Connect remote networks to each other.
A site-to-site VPN can connect a branch office network to the
company headquarters network.
Replaces a leased line or Frame Relay connection, because
most corporations now have Internet access.

VPN Topologies
VPN Client Software Operations

VPN Topologies
Cisco IOS SSL VPN
The Cisco IOS SSL VPN is a technology that provides remote-access connectivity from almost any Internet-enabled location with a web browser and its native SSL encryption.
SSL VPN currently delivers three modes of SSL VPN access:
Clientless
Thin client
Full client

VPN Solutions
Cisco VPN Product Lines
Product Choice                                       Remote-Access VPN   Site-to-Site VPN
Cisco VPN-Enabled Routers and Switches               Secondary role      Primary role
Cisco PIX 500 Series Security Appliances (Legacy)    Secondary role      Primary role
Cisco ASA 5500 Adaptive Security Appliances          Primary role        Secondary role
Cisco VPN 3000 Series Concentrators                  Primary role        Secondary role
SOHO Routers (Cisco 850 Series ISR and Linksys)      Primary role        Secondary role

VPN Solutions
VPN Services with Cisco ASA

VPN Solutions
Cisco IPsec Client Options
Cisco remote-access VPNs can use three IPsec clients:
Cisco VPN Client software - Installed on the PC or laptop of an individual.
Cisco Remote Router VPN Client - A Cisco remote router (configured as a VPN client) that connects small office, home office (SOHO) LANs to the VPN.
Cisco AnyConnect Secure Mobility Client - Next-generation VPN client that provides remote users with secure VPN connections to the Cisco ASA.

VPN Solutions
Cisco VPN Hardware Modules
To enhance performance and offload the encryption task to specialized
hardware.
VPN Advanced Integration Module (AIM) - A broad range of Cisco routers
can be equipped with VPN AIM installed inside the ISR chassis to offload
encryption tasks from the router CPU.
Cisco IPsec VPN Shared Port Adapter (SPA) - Delivers scalable and cost-effective VPN performance for higher-end Cisco Catalyst series switches and routers.
Cisco VPN Accelerator Module 2+ (VAM2+) - Provides high performance
encryption/compression and key generation services for IPsec VPN
applications on Cisco 7204VXR, 7206VXR, and 7301 routers.
VPN AIM

8.2 GRE VPNs

Configuring a Site-to-Site GRE Tunnel
GRE Tunnels
There are two popular site-to-site tunneling protocols:
GRE
IPsec
When should you use GRE or IPsec?

Decision flow: Is the user traffic IP only?
No: use a GRE tunnel.
Yes: Is the traffic unicast only?
No: use a GRE tunnel.
Yes: use an IPsec VPN.
Configuring a Site-to-Site GRE Tunnel
GRE Tunnels Cont.
GRE can encapsulate almost any other type of packet.
Uses IP to create a virtual point-to-point link between Cisco routers
Supports multiprotocol (IP, CLNS, ...) and IP multicast tunneling (and,
therefore, routing protocols)
Best suited for site-to-site multiprotocol VPNs
RFC 1702 and RFC 2784

Configuring a Site-to-Site GRE Tunnel
GRE Header
GRE encapsulates the entire original IP packet with a standard IP
header and GRE header.
GRE tunnel header contains at least two 2-byte mandatory fields:
GRE flag
Protocol type

Configuring a Site-to-Site GRE Tunnel
GRE Header Cont.
GRE does not provide encryption, so traffic inside the tunnel can be
read with a protocol analyzer.
While GRE and IPsec can be used together, IPsec does not
support multicast/broadcast and, therefore, does not forward
routing protocol packets. However, IPsec can encapsulate a GRE
packet that encapsulates routing traffic (GRE over IPsec).
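As an added example (not from the Cisco slides), the following Python builds and parses the encapsulation just described: an outer IPv4 header carrying protocol 47, the 4-byte GRE header holding only the two mandatory fields (flags/version and protocol type), and the original packet. The constructed inner packet is an OSPF packet to 224.0.0.5, and the parser shows that every inner field is readable without any key, which is what "GRE does not provide encryption" means in practice. The endpoint addresses and the OSPF bytes are constructed sample values.

```python
import struct
import ipaddress

GRE_PROTO = 47           # IP protocol number in the outer IP header (RFC 2784)
ETHERTYPE_IPV4 = 0x0800  # GRE Protocol Type value for an IPv4 payload

def ip_checksum(data: bytes) -> int:
    """One's-complement checksum as used in the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def gre_encapsulate(tunnel_src: str, tunnel_dst: str, inner: bytes) -> bytes:
    """Outer IP header + 4-byte GRE header (mandatory fields only) + original packet."""
    gre_hdr = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)   # flags/version = 0, protocol type
    outer = ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre_hdr) + len(inner))
    return outer + gre_hdr + inner

def gre_decapsulate(packet: bytes) -> dict:
    """Parse outer IP + GRE (C bit handled; K/S bits not) and expose the inner packet in the clear."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_PROTO:
        raise ValueError("outer IP protocol %d is not GRE" % packet[9])
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    offset = ihl + 4
    if flags & 0x8000:          # C bit set: optional Checksum and Reserved1 fields follow
        offset += 4
    inner = packet[offset:]
    return {"outer_src": str(ipaddress.IPv4Address(packet[12:16])),
            "outer_dst": str(ipaddress.IPv4Address(packet[16:20])),
            "gre_flags": flags, "protocol_type": ptype,
            "inner_src": str(ipaddress.IPv4Address(inner[12:16])),
            "inner_dst": str(ipaddress.IPv4Address(inner[16:20])),
            "inner_proto": inner[9], "inner": inner}

# Constructed sample: an OSPF packet (IP protocol 89) to the AllSPFRouters multicast group,
# the kind of routing traffic a plain IPsec tunnel does not carry but a GRE tunnel does.
OSPF_PACKET = ipv4_header("10.1.1.1", "224.0.0.5", 89, 4, ttl=1) + b"\x02\x01\x00\x04"
TUNNELED = gre_encapsulate("209.165.200.225", "209.165.201.1", OSPF_PACKET)
```

Running `gre_decapsulate(TUNNELED)` returns the multicast destination, the OSPF protocol number and the full inner bytes; anyone on the path between the tunnel endpoints can recover the same fields.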

Configuring a Site-to-Site GRE Tunnel
Configuring GRE
1. Create a tunnel interface: interface tunnel 0
2. Assign the tunnel an IP address.
3. Identify the source tunnel interface: tunnel source
4. Identify the tunnel destination: tunnel destination
5. (Optional) Identify the protocol to encapsulate in the GRE
tunnel: tunnel mode gre ip

By default, GRE is tunneled in an IP packet.
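As an added example that is not part of the slides, this Python renders the five steps above as IOS CLI lines for both ends of a tunnel and cross-checks the pair before anything is pushed to a router: both tunnel addresses in one subnet, each tunnel destination equal to the peer's tunnel source, and no tunnel destination inside the tunnel subnet (which would make the router try to reach the endpoint through the tunnel itself). Hostnames and addresses are constructed sample values.

```python
import ipaddress

def gre_tunnel_config(hostname, tunnel_ip, tunnel_src, tunnel_dst, tunnel_num=0):
    """Render the five configuration steps for one router as IOS CLI lines.
    tunnel_src is this router's own public address, tunnel_dst the peer's."""
    return [
        "hostname %s" % hostname,
        "interface tunnel %d" % tunnel_num,                       # 1. create the tunnel interface
        " ip address %s %s" % (tunnel_ip.ip, tunnel_ip.netmask),  # 2. assign the tunnel an IP address
        " tunnel source %s" % tunnel_src,                         # 3. local tunnel endpoint
        " tunnel destination %s" % tunnel_dst,                    # 4. remote tunnel endpoint
        " tunnel mode gre ip",                                    # 5. (optional) GRE over IP, the default
    ]

def check_tunnel_pair(a, b):
    """Return a list of problems found when the two ends are checked against each other.
    a and b are dicts with hostname, tunnel_ip (IPv4Interface), tunnel_src and tunnel_dst (str)."""
    problems = []
    if a["tunnel_ip"].network != b["tunnel_ip"].network:
        problems.append("tunnel addresses are not in the same subnet")
    if a["tunnel_ip"].ip == b["tunnel_ip"].ip:
        problems.append("both ends use the same tunnel IP address")
    if a["tunnel_dst"] != b["tunnel_src"] or b["tunnel_dst"] != a["tunnel_src"]:
        problems.append("tunnel destination does not match the peer's tunnel source")
    for side in (a, b):
        # A destination inside the tunnel subnet would be routed through the tunnel itself,
        # so the tunnel could never come up (recursive routing).
        if ipaddress.IPv4Address(side["tunnel_dst"]) in side["tunnel_ip"].network:
            problems.append("%s: tunnel destination lies inside the tunnel subnet" % side["hostname"])
    return problems

def render_pair(a, b):
    """Return {hostname: config lines} for both ends, or raise if the pair is inconsistent."""
    problems = check_tunnel_pair(a, b)
    if problems:
        raise ValueError("; ".join(problems))
    return {side["hostname"]: gre_tunnel_config(**side) for side in (a, b)}

# Constructed sample values: tunnel network 172.16.12.0/30 between two public endpoints.
R1 = {"hostname": "R1", "tunnel_ip": ipaddress.IPv4Interface("172.16.12.1/30"),
      "tunnel_src": "209.165.200.225", "tunnel_dst": "209.165.201.1"}
R2 = {"hostname": "R2", "tunnel_ip": ipaddress.IPv4Interface("172.16.12.2/30"),
      "tunnel_src": "209.165.201.1", "tunnel_dst": "209.165.200.225"}
```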

Configuring a Site-to-Site GRE Tunnel
Configuring GRE Cont.
Configuring a Site-to-Site GRE Tunnel
GRE with IPsec
The advantage of GRE is that it can be used to tunnel non-IP
traffic over an IP network.
Unlike IPsec, which only supports unicast traffic, GRE supports
multicast and broadcast traffic over the tunnel link. Therefore,
routing protocols are supported in GRE.
GRE does not provide encryption; if needed, IPsec should be
configured.
