Mar 16, 2011 | Post by: aaron No Comments

CCNP ROUTE 642-902 :: VPNs and IPSec


VPN tunnels and IPSec are two topics covered on the exam, but not in great detail.  You’ll need to know enough to verify a sample configuration and answer straightforward questions on both technologies.

Let’s start with IPSec.



IPSec Basics

IPSec allows the establishment of a secure connection between two hosts.  The IPSec protocol sets up a unidirectional SA (security association) between the two endpoints.  Because each SA is unidirectional, one is created in each direction, resulting in two SAs per IPSec tunnel.

IPSec tunnels are often used as a backup to a WAN link failure.  If a point-to-point WAN circuit drops, an IPSec tunnel can be configured to automatically be established over the internet to the remote site.  When the primary WAN circuit comes back up, the IPSec tunnel is disconnected.


Floating Static Routes

Configuring an IPSec tunnel to activate when a primary link drops is commonly implemented as a floating static route.  The idea is to configure the route through the IPSec VPN as a static route, but with an administrative distance higher than that of the WAN routing protocol.

If the primary route is active, the backup link is not placed into the routing table because its AD is higher.  If the primary route goes down, the static route becomes active.

To configure a floating static route, make sure you define the higher AD value at the end of the command:

R1(config)# ip route prefix mask {address | interface} distance_value



VPN Tunnels

One major problem with standard IPSec sessions is that they do not support broadcast or multicast traffic.  If you want to use an IPSec VPN in an “always on” fashion, the tunnel needs to allow routing information to pass through.  Dynamic routing protocols use broadcast or multicast to send hellos and updates, so therein lies the dilemma.

To get around this issue, a “tunnel within a tunnel” approach can be used.  A generic tunnel can be configured within the IPSec tunnel to allow routing protocol information (along with all the other traffic).


There are generally four tunnel types used together with IPSec to do this:

DMVPN and GET VPN
Both allow the creation of secure, “on-demand”, multipoint tunnels.

Virtual Tunnel Interface (VTI)
A secure, “always-on” tunnel that supports multicast traffic, which allows routing protocols to operate within it.

Generic Routing Encapsulation (GRE)
GRE tunnels may be the most common of the bunch – they are also the default tunnel mode on Cisco routers.  GRE tunnels support many layer 3 protocols, but perhaps most importantly they allow multicast traffic across the tunnel, which lets dynamic routing protocol traffic pass.

Be aware that GRE tunnels add an additional 20 byte IP header as well as a 4 byte GRE tunnel header, 24 bytes of overhead per packet.
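The two ideas above, a GRE tunnel carrying the backup path and a floating static route pointing through it, fit together in one configuration.  The following is an added example, not from the original post: interface names, the EIGRP AS number, and all addresses are assumed, and the IPSec protection of the tunnel (crypto map or IPSec profile) is left out because the post does not cover its configuration.

```cisco
! Assumptions (constructed for this example):
!   Serial0/0       primary WAN link to the branch, running EIGRP (AD 90)
!   FastEthernet0/1 Internet-facing interface used as the tunnel source
!   203.0.113.2     branch router's public address (tunnel destination)
!   10.2.0.0/16     branch LAN reached over the tunnel when the WAN link fails
!
! GRE tunnel to the branch. GRE is already the default tunnel mode; it is
! shown explicitly so the mode is obvious when verifying the config.
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source FastEthernet0/1
 tunnel destination 203.0.113.2
 tunnel mode gre ip
 ip mtu 1476
 ip tcp adjust-mss 1436
!
! ip mtu 1476: 1500 bytes minus the 20 byte outer IP header and 4 byte GRE header.
! ip tcp adjust-mss 1436: 1476 minus 40 bytes of inner IP/TCP headers, so TCP
! sessions through the tunnel do not need fragmentation.
!
! Primary path: EIGRP over the serial link (administrative distance 90).
router eigrp 100
 network 10.1.0.0 0.0.255.255
 network 192.168.100.0 0.0.0.3
!
! Floating static route via the tunnel. AD 250 is higher than EIGRP's 90, so
! this route is only installed once the EIGRP route to 10.2.0.0/16 is withdrawn,
! and it is removed from the table again when the EIGRP route returns.
ip route 10.2.0.0 255.255.0.0 Tunnel0 250
!
! Verification: "show ip route 10.2.0.0" should show the EIGRP route (D, [90/...])
! while Serial0/0 is up, and the static route (S, [250/0] via Tunnel0) after a
! "shutdown" on Serial0/0. "show interfaces tunnel 0" confirms the tunnel and
! its MTU.
```

Because Tunnel0 stays up as long as FastEthernet0/1 and the destination are reachable, the floating static route depends on the tunnel source interface, not on the remote end actually answering; pair it with a keepalive or a routing protocol over the tunnel if you need to detect a dead tunnel.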



Branch Office Connectivity

The CCNP ROUTE exam covers several unusual topics related to managing and configuring the connectivity between an HQ site and a branch office.  You need to be familiar with some of the underlying technologies used.

Cisco ISR routers are often a good choice for branch sites as they support a wide variety of incoming services.  In smaller offices, a single ISR may be used for both remote connectivity and inter-VLAN routing.  In that case, know that an Ethernet Switch Module would be required for the ISR router.



DSL

DSL, or Digital Subscriber Line, can be used as a backup WAN connection to a branch office.  DSL uses frequencies on the phone line that are not used by TDM phone systems, allowing the extra bandwidth to be used for data connectivity.

Asymmetric DSL has higher downstream bandwidth than upstream, while with symmetric DSL both directions run at the same rate.


There are two primary methods for carrying layer 2 data across a DSL line:

PPPoE
Point-to-Point Protocol over Ethernet is the most common method and encapsulates PPP traffic in Ethernet frames.

PPPoA
Point-to-Point Protocol over ATM is less common and carries PPP traffic over an ATM network between the customer and the DSL service provider.

Both options can be configured on a Cisco router to terminate the DSL connectivity.  Terminating PPPoE on the router is especially helpful because it frees the user computers from running a PPPoE client themselves.


Cable

Broadband cable providers also offer internet connectivity, which can be used for WAN backup or for Internet connectivity for telecommuters.  The internet signal is carried on the same line as the television signal, and a cable modem separates out the data traffic.

The international standard for sending data over a cable system is Data Over Cable Service Interface Specification (DOCSIS).  Many different versions of the standard are used throughout the world.

Cable connections are typically not terminated directly on a Cisco router.  Instead, a cable modem demodulates the incoming signal and converts the traffic to Ethernet frames, which a router can process.
