RETIRED! Exam
3.2.b WAN connectivity
The following are the important characteristics of LWAPP and WLC in Cisco Unified Wireless Network Architecture:
1. Layer 3 LWAPP, tunnels are used for communication between the LWAP and the WLC
2. In Layer 3 LWAPP, the controller may reside on different subnet (different LAN segment). In Layer3 LWAPP, LAPs need to be configured with an IP address because LWAPP uses IP addresses to communicate with WLCs and LAPs.
3. WLCs use UDP ports 12222 for control, and 12223 for data messages.
4. When implementing LWAPP, DHCP server is mandatory.
5. Layer 2 LWAPP tunnels use EtherType code 0xBBBB
The following solutions are most widely used for linking remote offices to the head quarters:
1. Private WAN links: This is a very expensive solution, but offers dedicated links, and the owner has to maintain the links
2. Leased WAN links: The service provider offers the leased links (usually your Telco company), and the service provider himself maintains leased links. You may still need to maintain customer end equipment. This solutions is still expensive, though usually cheaper than private WAN link.
3. Packet switched WAN solution: Here you share the bandwidth with several others, but you can expect reasonably stable network bandwidth. Service Level Agreements are important to ensure reliability and link capacity. Examples of this technology are MPLS, Frame Relay, and ATM. One advantage of this medium is the scalability. The service provider maintains the WAN link.
4. DSL: DSL is the lease expensive of all the above, but the reliability and bandwidth availability may need to be compromised. It is not recommended solution for business communications where the down-times are critical.
Link Fragmentation and Interleaving (LFI) is used to large packet flows, and interleaving small packets (such as voice) in between while transmitting the larger packets.
Miltilink PPP (MLP): As the name suggests, this technique combines two or more links to increase available bandwidth.
Real-Time Transport (RTP) header compression: Compresses RTP/UDP/IP headers from 40 bytes down to 2 bytes to 5 bytes.
Note that Network-Based Application Recognition (NBAR) deep packet content inspection to classify traffic, and categorized under Traffic classification.
The TCP windows size may effect the efficiency of a WAN link, particularly when the WAN links are far apart, and bandwidths are large. It may need to be tweaked for better utilization of bandwidth and minimize packet retransmissions.
The following are typically deployed in services providers VPNs:
1. MPLS
2. Metro Ethernet
3. Virtual Private Wire Services
4. Virtual Private LAN Services
The following are typically deployed in Enterprise VPNs:
1. IPSec
2. Generic Routing Encapsulation
3. Dynamic Multipoint VPN
4. IPSec Virtual Tunnel Interface
5. GETVPN
Note that enterprise VPNs typically use the Internet for WAN connectivity, and Service Provider (SP) VPNs use a variety of connectivity solutions depending on the customer requirements.
VPWS, also called Virtual Leased Line, provides point to point connection service. From customer's point of view, it is like leased line.
A virtual private LAN service (VPLS) network is similar to VPWS, but provides point-to-multipoint traffic forwarding in contrast to the VPWS Layer 2 VPN's point-to-point traffic forwarding
GET (Group Encrypted Transport) VPN is a VPN technology which introduces the concept to eliminate point-to-point tunnels (site-to-site VPN) and associated overlay routing (DMVPN) since it relies on WAN routing. It enables any-to-any VPN connectivity using a group IPSec security paradigm.
SSL VPN: No client pre-installation required on the clinet computer, provides endpoint security for remote clients.
Standard IPSec - Full standards compliance for inter-operability with other vendors. However, routing Protocols (e.g OSPF, EIGRP) cannot pass through the VPN tunnel as IPSec allows only Unicast traffic and does not have support for multi-cast or any-cast packets.
Dynamic Multipoint VPN (DMVPN) is a Cisco IOS solution for bulding IPSec + GRE VPNs in a dynamic and scalable manner.
Virtual Tunnel Interface (VTI) is an IPSec VPN available in Cisco IOS Software. It supports dynamic routing protocols and IP multicast without using GRE or mGRE. VTI tunnels are assigned a unique intercace, and spcific tunnel-level features such as QoS can be implemented.
Generic Routing Encapsulation is a tunneling protocol developed by Cisco Systems that can encapsulate a wide variety of network layer protocols inside virtual point-to-point links over an Internet Protocol network.
The following are the important features of GET VPNs:
1. Supported only on Cisco IOS Routers. Very limited inter-operability with other vendors Here, there is an advantage with traditional IPSec VPN since DMVPN and other Cisco proprietary VPNs does not provide inter-operablity with third party routers.
2. Supports multicast (GRE and VTI) and non-IP protocols (GRE). Traditional IPSec VPN supports only Unicast traffic.
3. Routing Protocols (e.g OSPF, EIGRP) can pass through the VPN tunnel, Note that traditional IPSec VPN does not propagate routing protocols as they pass only unicast traffic through the tunnel.
4. All traffic passing through a special Tunnel Interface will be encapsulated and placed in the VPN
5. GRE or VTI alone do not provide security. You must combine them with IPSEC for securing the VPN.
6. Simplified Configuration , compared to complex configuration requirement on a traditional IPSec.
7. QoS is fully supported where as traditional IPSec has limited QoS features.
The following are the important features of traditional IPSec VPN:
1. IPSec VPN - This is one of the first entrants and standards based VPN technology. The standard is supported on most network devices (Cisco Routers, Cisco ASA, other vendors etc) . Does not support multicast or non-IP protocols, and hence routing protocols can't pass through the VPN.
2. GRE over IPSec VPN - Generic Routing Encapsulation is a tunneling protocol developed by Cisco Systems that can encapsulate a wide variety of network layer protocols inside virtual point-to-point links over an Internet Protocol network. GRE itself does not provide any encryption, and hence you need to use IPSec overlay to provide security. It is a standards based VPN technology.
3. GET VPN - GET (Group Encrypted Transport) VPN is a VPN technology which introduces the concept to eliminate point-to-point tunnels (site-to-site VPN). It enables any-to-any VPN connectivity using a group IPSec security paradigm. Cisco proprietary.
4. VTI - Virtual Tunnel Interface (VTI) is an IPSec VPN available in Cisco IOS Software. It supports dynamic routing protocols and IP multicast without using GRE or mGRE. VTI tunnels are assigned a unique intercace, and spcific tunnel-level features such as QoS can be implemented. Cisco Proprietary.
5. DMVPN - Dynamic Multipoint VPN (DMVPN) is a Cisco IOS solution for building GRE (short for Generic Routing Encapsulation) tunnels with IPSec overlay. DMVPN relies on NHRP and mGRE. mGRE is a single GRE interface, which provides support for multiple GRE and IPSec tunnels, thus reducing the complexity of configuring multiple interfaces.
Internet VPNs are widely used these days by enterprises. The following are some of the advantages of VPNs:
1. Enables network access to remote users, remote sites, and extranet business partners.
2. VPNs allow businesses to lower the WAN charges and associated overhead of maintaining the same.
3. VPNs cover vast geographic areas, as the Internet is pervasive. Remote locations may also be connected using VPNs.
4. VPNs are highly scalable, as there is no special hardware or software that needs to be installed on the remote computer (in case of remote access VPN)
5. VPNs are secure as we can secure the VPNs with IPSec or other encryption protocols.
6. One of the main disadvantage of using VPNs is in meeting the performance levels that may be required by the enterprise for various services such as Voice, Video, etc.
1. ISATAP (Intrasite Automatic Tunnel Addressing Protocol ): an automatic overlay tunneling mechanism that uses the underlying IPv4 network as a NBMA link layer for Ipv6. Provides point-to-multipoint tunnels that can be used to connect systems within a site.With ISATAP, the link-local address is generated by concatenating FE80::5EFE with IPv4 address expressed in hexadecimal. For example, with IPv4 192.168.20.20, the link-local address is FE80::5EFE:C0A8:1414.
2. 6to4: Point-to-multipoint tunnels that can be used to connect isolated IPv6 sites. Sites use addresses from the 2002::/16 prefix.
3. Ipv4 Compatible: Point-to-multipoint tunnels. Cisco does not recommend this type of tunnels.
4. Manual: Simple point-to-point tunnels that can be used within a site or between sites. Can carry IPv6 packets only.
5. GRE and Ipv4 compatible: Simple point-to-point tunnels that can be used within a site or between sites. Can carry IPv6, Connectionless Network Service (CLNS), and many other types of packets.
