Professional Documents
Culture Documents
Local Loop
ATM
Branch
Core Router
Internet
DSLAM
DHCP
Server
Cisco Public
Implementation Plan
1.
2.
3.
4.
5.
Note:
.For simplicity reasons, the ADSL Internet link implemented
in the previous step will be replaced by a Serial link.
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
VPN Solutions
There are basically two
VPN solutions:
Site-to-site VPNs
VPN endpoints are devices
such as routers.
The VPN is completely hidden
from the users.
Remote-access VPNs
A mobile user initiates a VPN
connection request using either
VPN client software or an
Internet browser and SSL
connection.
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
Site-to-Site VPNs
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
IPsec Technologies
IPsec VPNs provide two significant benefits:
Encryption
Encapsulation
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
IPsec Encapsulation
IPsec is capable of tunneling packets using an additional
encapsulation.
New IP
Header
ESP
Header
Original IP
Header
TCP
Data
ESP
Trailer
ESP
Authentication
Encrypted
Authenticated
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
10.10.10.0 /24
.1
Fa0/0
.10
.1
IPsec VPN
Branch
HQ
S0/0/1
S0/0/1
.242
Fa0/0
.226
209.165.200.240 /29
.241
Internet
.10
209.165.200.224 /29
.225
ISP
Original IP Header
Source IP: 192.168.1.10
Destination: 10.10.10.10
TCP
Original IP Header
Source IP: 192.168.1.10
Destination: 10.10.10.10
Data
New IP Header
Source: 209.165.200.242
Destination: 209.165.200.226
ESP
Header
Original IP Header
Source IP: 192.168.1.10
Destination: 10.10.10.10
TCP
Data
ESP
Trailer
TCP
Data
ESP
Authentication
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
10.10.10.0 /24
.1
Fa0/0
Branch
.1
IPsec VPN
Internet
209.165.200.240 /29
NAT Pool
209.165.200.249
209.165.200.253/29
Fa0/0
.226
.242
Branch Server
192.168.1.254
(209.165.200.254)
HQ
S0/0/1
S0/0/1
.241
209.165.200.224 /29
.225
ISP
NAT Pool
209.165.200.233
209.165.200.237 /29
Email Server
10.10.10.238
(209.165.200.238)
The Branch router has been configured to support an IPsec VPN when
connecting to the HQ site.
The purpose of the IPsec VPN link is to serve as a backup link in case
the private WAN link fails.
The long-term goal is to decommission the WAN link completely and use only the VPN
connection to communicate between the branch office and the headquarters.
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
10.10.10.0 /24
.1
Fa0/0
Branch
.1
IPsec VPN
Internet
209.165.200.240 /29
NAT Pool
Fa0/0
.226
.242
Branch Server
192.168.1.254
(209.165.200.254)
HQ
S0/0/1
S0/0/1
.241
209.165.200.249
209.165.200.253/29
209.165.200.224 /29
.225
ISP
NAT Pool
209.165.200.233
209.165.200.237 /29
Email Server
10.10.10.238
(209.165.200.238)
Cisco Public
10
IPsec Details
Identifies an acceptable combination of security protocols, algorithms,
and other settings.
Crypto ACL
Is an extended IP ACL that identifies the traffic to be protected.
A permit statement results in the traffic being encrypted, while a deny
statement sends traffic out in clear text.
Both VPN peers must have reciprocating ACLs.
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
11
GRE Overview
Tunneling protocol developed by Cisco.
Can encapsulate a wide variety of network layer protocol
packets inside IP tunnels.
GRE is commonly implemented with IPsec to support IGPs.
Note:
IPsec was designed to tunnel IP only (no multiprotocol support)
Older IOS versions do not support IP multicast over IPsec
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
12
GRE Tunnel
IPsec
Crypto
Map
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
13
Transport
Protocol
IPsec
(New IP Header)
Carrier
Protocol
Passenger
Protocol
GRE
Network Packet
(Original IP header and Data)
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
14
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
15
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
16
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
17
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
18
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
19
Authentication:
Authentication defines who gains access to resources.
Identity-based network services using authentication, authorization,
and accounting (AAA) servers, 802.1X port-based access control,
Cisco security, and trust agents are used.
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
20
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
21
Cisco Public
22
Cisco Public
23
And either:
Cisco Easy VPN Remote:
A Cisco IOS router or Cisco PIX / ASA Firewall acting as a remote VPN
client.
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
24
Routing Traffic to
the Mobile
Worker
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
25
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
26
Note:
For simplicity reasons, the scenario used in the following steps are
loosely connected examples
Therefore, the network and IP addressing may vary between steps.
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
27
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
28
R1
R1-vpn-cluster.cisco.com
IPSec/UDP
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
29
R1
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
30
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
31
Chapter 7 Summary
The chapter focused on the following topics:
Planning the branch office implementation
Analyzing services in the branch office
Planning for mobile worker implementations
Routing traffic to the mobile worker
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
32
Chapter 7 Lab
Lab 7-1Configure Routing Facilities to the Branch Office
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
33
Resources
Cisco IOS Software Releases 12.4 Mainline
http://www.cisco.com/en/US/products/ps6350/tsd_products_support_
series_home.html
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
34
Chapter 7 Labs
Lab 7-1 Configure Routing Facilities to the Branch
Office
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
35
Chapter 7
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
36