Cisco CCIE Security 350-701 – VPN foundations

  1. Virtual Private Network – Introduction

The next thing we’ll talk about is the VPN overview, a VPN introduction. Before we go ahead, we need to understand traditional WAN networks, like leased lines. These are not really used in today’s networks. Leased lines are dedicated lines connecting two sites. So if you have a site A, you have a dedicated line to site B, site C and site D. If you want one more link, you can also have one more line between these sites. Basically these lines are provided by the service provider. They have advantages: they are secure, they provide good bandwidth with good quality and reliability. At the same time they are quite expensive from the customer’s point of view, because the service provider is offering you a dedicated line. And from the service provider’s point of view these are not scalable options. Let’s say the service provider is offering connectivity for 100 customers, 100 sites.

Now if this grows five times in the next five years, let’s say the customers have increased to almost 500 sites, or let’s say one customer adds ten more sites, it becomes more complex for the service provider to provide connectivity between them. The more sites that get added, the more leased-line connections the service provider needs to offer, and from a scalability point of view it becomes very complex for the service provider as well. So in today’s networks most of these traditional WAN connections are being replaced with VPNs.

One of the commonly used ones you may have heard of is MPLS; it is also one kind of VPN technology. Even this is now going away, basically being replaced with SD-WAN in today’s networks, but these are all examples of VPN. Now what exactly a VPN does is this: in a VPN we have different sites. Let’s say this is my head office and I’m trying to connect to my branch offices here. To reach these branch offices we’ll be using an existing network, and this network can be any service provider infrastructure. It can be an MPLS network, or an existing IP network which has IP reachability from here to here, or any other network. It can also be the Internet, or even an ATM network, or it can be Frame Relay.

Frame Relay and ATM count as well. So the service provider will have a pre-existing network which is already built. So this is the pre-existing network, and these are the customer sites: customer ABC having its own sites. Now there’s no direct connection from customer site to customer site, so we connect our network to the nearest service provider device. We call this the PE device, the provider edge, and likewise we connect our other sites to their nearest service provider device. So if you look at it physically there is a connection, and that connection goes through the service provider or through some other network infrastructure. But logically we represent it as if we have a virtual connection between these sites. So we can build point-to-point or point-to-multipoint connections, even full mesh or hub and spoke; there are different types of VPN connections we can establish, and we have virtually a point-to-point or point-to-multipoint connection between these sites.

Okay, so that’s what the concept of VPN talks about. These are simple examples: you have Frame Relay, which again is all gone; MPLS; L2TPv3 and GRE are also no more used. The ones we are going to see in our CCNP Security exam, the VPN paper, are these two main VPN types along with IPsec. Of course we also see remote access VPNs as well. So you can see the diagram here. This is like MPLS; it can be over a Frame Relay network or even over the Internet as well. So virtual private network, as the name suggests, means you are virtually connecting your private network over some other infrastructure; physically there is no direct connection.

  2. VPN Types – Site to Site / Remote Access

Next we’ll look at the different VPN types. Mainly there are two types of VPNs: site-to-site VPN and remote access VPN. The basic difference between these two is that site-to-site VPNs are also called LAN-to-LAN VPNs. In site-to-site we have a main LAN, the main head office, and we want this head office to get connected to different small sites at remote locations. So what we do is use the existing infrastructure, like the Internet. We generally use the Internet because it’s a cost-effective solution, basically. It can be any other network, but mainly we use the Internet. So we connect these sites to the head office.

So basically the communication is LAN to LAN. Here our requirement is that the branch offices should be able to communicate with each other. So we call it site-to-site or LAN-to-LAN VPN. Whereas in remote access VPN, or remote VPN, we have a mobile user. Let’s say I’m sitting at home and I get a requirement to make some changes to my data center or maybe some network device, say a server or a router. So I need to access this device remotely from my home. What I can do is remotely connect, using some application, to my gateway.

Now this gateway can be a router or an ASA firewall or any other firewall. Once you connect to this gateway, it is going to securely establish a tunnel between these two endpoints, and of course there is authentication and many other things you do. Once this secure tunnel is established, you can access the resources of your company network as if you are not sitting at home but sitting in the office. So you can access resources, depending on the level of access you have, as if you are sitting in your office, and you can connect to any device in general.

So we call this a remote access VPN. So basically, the same as explained for site-to-site VPNs, the communication is LAN to LAN. And again, if you’re connecting over the Internet, the remote sites basically need to have a public IP on the Internet. And these VPN gateways, as I said, can be a router or a firewall, any firewall. Some of the common examples of site-to-site VPN are GRE, DMVPN, IPsec, FlexVPN and GET VPN.

So for each VPN type the way it is configured and the features may vary, but they all provide LAN-to-LAN communication. Similarly, we have remote access VPNs. In remote access VPNs, as I explained, you will be using some kind of software; nowadays we use the AnyConnect software, and this software allows you to connect to the remote gateway securely from your location.

  3. VPN Logical Topologies

Again, when it comes to VPN logical topologies, as I said, when you are implementing VPN connections, mainly site-to-site, you have different options; it’s all about how you connect. You can establish a point-to-point connection between two sites, where you just have two sites and you build one VPN connection between them. Or you can have a head office connecting to all the branch offices, and the branch offices can still communicate between themselves, but they go via the head office.

We call this a hub-and-spoke VPN, and this can even include a remote site; you can have remote access VPN here as well, and it can be either site-to-site or remote access VPNs. You can also have a full mesh. Full mesh is where you have all the sites connected to each other, and most commonly in site-to-site VPNs we need to make sure that all the sites are connected to each other. So basically we call it a full mesh VPN.

  4. VPN Default Lab Setup – Routers

Okay, so the next thing is the basic setup. For most of the site-to-site VPN labs I’ll be using this setup, where we have router 1, router 2, router 3 and router 4. Router 1 will be acting as my hub router, whereas routers 2, 3 and 4 I’m going to use as spokes. And to simulate the Internet connection, I’m connecting them all to one more router, router 5. So the connection goes through router 5 to all of them, and this router 5 is going to simulate my Internet connection. This is the same topology I’m using in my GNS3. Additionally I’m using a LAN interface at every site. I’m using the 192.168.1.x subnet here, the 192.168.2.x subnet, 192.168.3.x and 192.168.4.x. So these are the LAN networks where I want to make sure that we have LAN-to-LAN communication between these sites.

And the IP addresses, as you see here, are the IPs on the connecting interfaces. I’m using 15.0.0.x; this is the public IP I’m using between R1 and R5. You can see between 1 and 5 it is 15.0.0.x, and the last octet is 1 here and 5 here, the router number. Similarly, I’m using 25.0.0.x, 35.0.0.x and 45.0.0.x. So these are the public IPs I’m using on the router interfaces. If you check my topology, I have this topology pre-configured in my GNS3. And if you check the images I’m using, I’m using this IOL image, this one.

This is what I’m using, the 15.4 version. Basically I recommend you use IOL, because other IOS images have some issues with the DMVPN or VPN configurations. So this is the image I’m using for these labs; it’s pre-configured with this image. And if I go to the command line and verify the configurations here, I do have these basic IP configurations. If I say show ip interface brief on router 1, this is my Ethernet interface and this is the interface which is connecting to the WAN. I’m using serial interfaces here, s2/0 on routers 1, 2, 3 and 4. And additionally there is a loopback I may use in future labs.

And one more thing: apart from the IP addressing, I also have a default route, because before you move on with the VPN labs you need to make sure that this public IP and these other public IPs are reachable. For reachability in real scenarios you will have some kind of default route towards the service provider, and the service provider will ensure that traffic reaches the next public IP, that is 25.0.0.2, mostly with the help of BGP, because service provider routing is done with the help of BGP.

So I’m not going to make it complex; I’m not using BGP here at all, because router 5 is a common router connecting to all of them. I do have a default route on all the routers pointing towards router 5, which means, in order to check reachability from 15.0.0.x to 25.0.0.x between these two public IPs based on the default route, let’s say from router 1 I try to ping the public IP 25.0.0.2: I already have a default route configured, so I have reachability, because based on the default route the packet reaches router 5, and router 5 knows where 25.0.0.2 is because it is a directly connected interface, right? But in real scenarios it would be through BGP routing.

So I have just configured the default route. If you check the routing information, if I say show ip route static, I do have a default route configured out of s2/0 on all the routers. If you check router 2 as well, I do have the IP addressing as per my topology, and additionally, if I verify the routing, I do have a default route configured here.

And if you verify the IOS version I’m using here with show version, I’m using this IOL image; it’s running the 15.4 IOS version. This will be useful for the future labs, like when we use FlexVPN. For FlexVPN it is again mandatory that you run a 15.x IOS version. So let’s confirm reachability between all the sites, so I can verify router 3’s public IP as well as router 4’s public IP. This is the prerequisite you always need to check before you go for the VPN labs. So make sure you have reachability between these public IPs.
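As an added example that is not the course’s own configuration, here is the baseline IOS configuration the lab topology above implies, for the hub R1, one spoke R2 (R3 and R4 follow the same pattern with 35.0.0.3 and 45.0.0.4) and the Internet-simulating R5. The /24 masks, the Ethernet0/0 LAN interface name, the .1 LAN addresses and R5’s Serial2/1 to Serial2/3 interface numbers are assumptions; the transcript only gives the subnets, the Serial2/0 WAN interfaces and the public addresses.

```cisco
! R1 (hub): WAN link to R5 plus the site-1 LAN
hostname R1
interface Serial2/0
 description WAN to R5 (simulated Internet)
 ip address 15.0.0.1 255.255.255.0
 no shutdown
interface Ethernet0/0
 description site-1 LAN (interface name assumed)
 ip address 192.168.1.1 255.255.255.0
 no shutdown
! Default route out of s2/0, as in the lab; in production this points at the provider
ip route 0.0.0.0 0.0.0.0 Serial2/0
!
! R2 (spoke): same pattern, public address 25.0.0.2
hostname R2
interface Serial2/0
 ip address 25.0.0.2 255.255.255.0
 no shutdown
interface Ethernet0/0
 ip address 192.168.2.1 255.255.255.0
 no shutdown
ip route 0.0.0.0 0.0.0.0 Serial2/0
!
! R5 (simulated Internet): every public subnet is directly connected,
! so it forwards between sites with no routing protocol (BGP in real life)
hostname R5
interface Serial2/0
 ip address 15.0.0.5 255.255.255.0
 no shutdown
interface Serial2/1
 ip address 25.0.0.5 255.255.255.0
 no shutdown
interface Serial2/2
 ip address 35.0.0.5 255.255.255.0
 no shutdown
interface Serial2/3
 ip address 45.0.0.5 255.255.255.0
 no shutdown
!
! Prerequisite check on R1 before any VPN configuration:
! R1# show ip interface brief   (Serial2/0 15.0.0.1 and Ethernet0/0 192.168.1.1 up/up)
! R1# show ip route static      (S* 0.0.0.0/0 is directly connected, Serial2/0)
! R1# ping 25.0.0.2             (spoke public IPs must answer; the 192.168.x.0 LANs
! R1# ping 35.0.0.3              are NOT reachable yet, because R5 has no route to
! R1# ping 45.0.0.4              them; that is exactly what the VPN will provide)
```

Pinging 192.168.2.1 from R1 fails at this stage, which is the expected baseline: only the public addresses need to be reachable before the VPN labs begin.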
