Configure and verify GRE

GRE can encapsulate any Layer 3 protocol; however, it does not provide security.
To address this, you can run GRE over an IPsec VPN. Unfortunately, IPsec can protect unicast packets only, but a GRE tunnel is able to encapsulate multicast packets, so combining the two solves the problem.

Configuration:

!R1
interface Fa0/0
 ip address 10.0.0.1 255.255.255.0
!
interface Tunnel 1
 ip address 192.168.0.1 255.255.255.0
 tunnel source Fa0/0
 tunnel destination 10.0.0.2

!R2
interface Fa0/0
 ip address 10.0.0.2 255.255.255.0
!
interface Tunnel 1
 ip address 192.168.0.2 255.255.255.0
 tunnel source Fa0/0
 tunnel destination 10.0.0.1

Verification:

You can verify the tunnel with traceroute and the show interface Tunnel x command.
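
GRE over IPsec applied to the R1/R2 tunnel above, as an added example that is not part of the original notes. The policy number, the names GRE-TS and GRE-PROT, the algorithm choices and the pre-shared key placeholder are assumptions; the addresses are the ones used in the configuration above.

```cisco
! Added example, not from the original notes.
! GRE-TS, GRE-PROT and <PRE-SHARED-KEY> are placeholders chosen for illustration.

!R1
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Peer is R2's physical address (the GRE tunnel destination)
crypto isakmp key <PRE-SHARED-KEY> address 10.0.0.2
!
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 ! GRE and IPsec end on the same addresses, so transport mode
 ! avoids adding a second outer IP header
 mode transport
!
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
interface Tunnel 1
 ! Everything GRE sends out of this tunnel is now encrypted by IPsec
 tunnel protection ipsec profile GRE-PROT

!R2
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Peer is R1's physical address
crypto isakmp key <PRE-SHARED-KEY> address 10.0.0.1
!
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
interface Tunnel 1
 tunnel protection ipsec profile GRE-PROT
```

With the profile applied on both routers, show crypto isakmp sa and show crypto ipsec sa confirm that the security associations are up and that the encaps/decaps counters rise as traffic crosses Tunnel 1.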

Describe DMVPN (single hub)

Dynamic Multipoint VPN (DMVPN) allows a VPN tunnel to be dynamically created and torn down between two remote sites on an as-needed basis.
DMVPN uses multipoint GRE, which allows a router to support multiple GRE tunnels on a single GRE interface.

DMVPN requires that routers run the Next Hop Resolution Protocol (NHRP), which uses a hub-and-spoke model.
All of the spokes are configured with the hub's IP address, and when a spoke comes online it informs the hub of its (the spoke's) physical and logical IP addresses so they can build a tunnel.

Verification: show ip nhrp

Describe Easy Virtual Networking (EVN)

Virtual Routing and Forwarding (VRF) allows a single router to run multiple virtual router instances. The traditional approach is called VRF-Lite; the newer one is the Cisco Easy Virtual Network (EVN).

EVN uses a Virtual Network (VNET) Trunk to carry traffic for each virtual network, which eliminates the need to manually configure a subinterface for each virtual network on all routers (this was required in VRF-Lite). Traffic flowing over a VNET Trunk is tagged with a VNET tag that identifies the virtual network to which the traffic belongs. An EVN router connects to a switch through an 802.1Q trunk, with the different VLANs on the .1Q trunk carrying traffic for the different virtual networks.

In some cases a network needs to be reachable from another VRF. Cisco EVN implements this with route replication.

SSL VPN client access

The Cisco AnyConnect VPN Client provides secure SSL connections to the security appliance for remote users. Without a previously installed client, remote users enter in their browser the IP address of an interface configured to accept SSL VPN connections.

After the user enters the URL, the browser connects to that interface and displays the login screen. If the user satisfies the login and authentication, and the security appliance identifies the user as requiring the client, it downloads the client that matches the operating system of the remote computer. After downloading, the client installs and configures itself and establishes a secure SSL connection.
