CCNP ENARSI 300-410 Exam Cram Notes

2.0 VPN Technologies

2.2 Describe MPLS Layer 3 VPN

For the MPLS domain to forward traffic, a label stack is required. Specifically, two labels are required for traffic to be forwarded successfully through the MPLS domain. The first label pushed onto the packet is the VPN label (the inner label), and the second label pushed is the LDP label (the outer transport label that the core uses to reach the egress PE).

The control plane functions include system configuration, management, and the exchange of routing table information. These are performed relatively infrequently. The route controller exchanges topology information with other routers and constructs a routing table based on a routing protocol, for example RIP (Routing Information Protocol), OSPF (Open Shortest Path First), or BGP (Border Gateway Protocol). It can also create a forwarding table for the forwarding engine. Since the control functions are not performed on each arriving packet, they have no strict speed constraint and are generally implemented in software. The control plane feeds the forwarding/data plane with what it needs to build its forwarding tables and updates it as topology changes occur. Functions performed by traditional routing engines/route processors include the following:

1. Allocates resources to the forwarding engine/plane.

2. Maintains routing state.

3. ARP handling, which is always processed by the general-purpose processor located in the routing engine.

4. Security functions that secure control-plane access (Telnet, SSH, AAA, etc.).

5. Establishes and maintains management sessions, such as Telnet connections.

6. Advertises routing state to neighboring network elements.

7. Vendor- and platform-specific stacking, clustering, pairing, etc.

Key points about CE and PE routers in an MPLS Layer 3 VPN:

1. A CE router forms a neighbor relationship with the PE router on the other end of the access link.

2. A CE router cannot form a neighbor relationship with other CE routers.

3. The MPLS network advertises the customer's routes between the various PE routers.

4. The MPLS network uses route redistribution to advertise CE routes among other CE routers.

5. It is possible for the PE routers to use different Layer 3 routing protocols on different access links into the MPLS network.

Multiprotocol Label Switching (MPLS) is a protocol for speeding up and shaping network traffic flows. MPLS allows most packets to be forwarded at Layer 2 (the switching level) rather than having to be passed up to Layer 3 (the routing level). Each packet gets labeled on entry into the service provider's network by the ingress router. All subsequent label switching routers perform packet forwarding based only on those labels; they never look as far as the IP header. Finally, the egress router removes the label(s) and forwards the original IP packet toward its final destination.

MPLS is an IETF initiative that integrates Layer 2 information about network links (e.g. bandwidth, latency, utilization) into Layer 3 (IP) within a particular autonomous system, or ISP, in order to simplify and improve IP packet exchange. MPLS gives network operators a great deal of flexibility to divert and route traffic around link failures, congestion, and bottlenecks.

MPLS Layer 3 VPNs provide peer-to-peer connectivity between private customer sites across a shared network. Customer isolation is achieved on the PE (Provider Edge) router by the use of virtual routing tables or instances, also called virtual routing and forwarding tables/instances (VRFs). VRF is a technology for creating separate virtual routers on a single physical router.

A Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) consists of a set of sites that are interconnected by means of an MPLS provider core network. At each site, there are one or more customer edge (CE) devices, which attach to one or more provider edge (PE) devices. PEs use the Multiprotocol-Border Gateway Protocol (MP-BGP) to dynamically communicate with each other.
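The following PE router configuration is an added example, not from the cram notes or from Cisco documentation, showing how the pieces above fit together on one PE: a VRF isolating the customer, LDP on the core-facing link (outer label), an access link placed in the VRF, and an MP-BGP VPNv4 session to the remote PE (inner VPN label). All values are assumptions: provider AS 65000, customer AS 65100, VRF name CUSTOMER_A, RD/RT 65000:100, Loopback0 10.0.0.1, remote PE loopback 10.0.0.2, and the documentation prefix 192.0.2.0/30 on the PE-CE link.

```cisco
! Added example (not from the cram notes): a single PE router in IOS syntax.
! Assumed values: provider AS 65000, customer AS 65100, VRF CUSTOMER_A,
! RD/RT 65000:100, Loopback0 10.0.0.1 (LDP/BGP router ID), remote PE 10.0.0.2.
!
! 1. The VRF is a separate virtual routing table on this PE (customer isolation).
!    RD keeps overlapping customer prefixes unique in BGP; RTs control import/export.
ip vrf CUSTOMER_A
 rd 65000:100
 route-target export 65000:100
 route-target import 65000:100
!
! 2. Core-facing side: LDP assigns the outer (transport) label toward 10.0.0.2.
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
interface GigabitEthernet0/0
 description P-core
 ip address 10.1.12.1 255.255.255.252
 mpls ip
!
mpls ldp router-id Loopback0 force
!
! 3. Access link to the CE, placed in the VRF so CE routes never enter the global table.
interface GigabitEthernet0/1
 description CE-SiteA
 ip vrf forwarding CUSTOMER_A
 ip address 192.0.2.1 255.255.255.252
!
! 4. MP-BGP: the VPNv4 session to the other PE carries customer routes plus the
!    inner VPN label. "send-community extended" is required, or the RTs are dropped
!    and the remote PE silently imports nothing.
router bgp 65000
 bgp router-id 10.0.0.1
 neighbor 10.0.0.2 remote-as 65000
 neighbor 10.0.0.2 update-source Loopback0
 !
 address-family vpnv4
  neighbor 10.0.0.2 activate
  neighbor 10.0.0.2 send-community extended
 exit-address-family
 !
 ! PE-CE eBGP inside the VRF: the CE peers only with this PE, never with other CEs.
 address-family ipv4 vrf CUSTOMER_A
  neighbor 192.0.2.2 remote-as 65100
  neighbor 192.0.2.2 activate
 exit-address-family
!
! Verification (privileged EXEC):
! show ip vrf detail CUSTOMER_A   - RD, import/export RTs, member interfaces
! show ip route vrf CUSTOMER_A    - customer prefixes learned via MP-BGP (code B)
! show ip bgp vpnv4 all labels    - VPNv4 table with the inner VPN label per prefix
! show mpls forwarding-table      - LFIB: outgoing LDP label toward the remote PE loopback
! show mpls ldp neighbor          - LDP session to the core
```

The two-label stack described earlier can be read straight off the verification output: `show ip bgp vpnv4 all labels` shows the inner label the remote PE allocated for the customer prefix, and `show mpls forwarding-table` shows the outer LDP label used to reach that PE's loopback. If the remote PE's loopback is not in the LFIB with a label (for example because `mpls ip` is missing on a core link), the VPNv4 route is learned but traffic is black-holed, which is the first thing to check when the VRF table looks correct yet pings fail.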

Advantages of using MPLS:

1. The label-switching technology offers QoS capabilities.

2. MPLS VPNs are available in Layer-2 as well as Layer-3 designs. Layer-2 typically uses Metro Ethernet, whereas Layer-3 connectivity may use a variety of L3 routing protocols such as EIGRP, OSPF, RIPv2, etc., depending on what the SP can provide.

3. Keeping your traffic with a single provider using MPLS VPNs gives that provider the ability to offer your company service-level agreements (SLAs) for network performance.

4. MPLS supports many types of access links such as Metro Ethernet, Serial (TDM), ATM, and Frame Relay.

Some of the disadvantages are given below:

1. Your routing protocol choice might be limited.

2.3 Configure and verify DMVPN (single hub)

The Dynamic Multipoint VPN (DMVPN) feature allows users to better scale large and small IPsec VPNs by combining generic routing encapsulation (GRE) tunnels, IPsec encryption, and the Next Hop Resolution Protocol (NHRP). It provides easy configuration through crypto (IPsec) profiles, which remove the requirement to define static crypto maps, and dynamic discovery of tunnel endpoints.

IPsec Virtual Tunnel Interfaces (VTI) provide a routable interface type for terminating IPsec tunnels and an easy way to define protection between sites to form an overlay network. IPsec virtual tunnel interfaces simplify IPsec configuration for protecting remote links, support multicast, and simplify network management and load balancing.

Next Hop Resolution Protocol (NHRP) is a resolution protocol that allows a Next Hop Client (NHC) to dynamically register with Next Hop Servers (NHSs). With the Dynamic Multipoint Virtual Private Network (DMVPN) design the NHC is the spoke router and the NHS is the hub router.

ip nhrp holdtime seconds - sets the number of seconds after which dynamic NHRP entries expire; this is the value the router advertises in its NHRP registration and resolution replies. The default is 7,200 seconds (two hours). The NHRP cache can contain both static and dynamic entries.

Dynamic Multipoint Virtual Private Network (DMVPN) is a Cisco feature that dynamically creates a mesh VPN network. This helps to avoid having to statically create VPN tunnels for a mesh network as the network grows in size.

DMVPN has 3 phases:

1. Phase 1 – Hub & Spoke Only

2. Phase 2 – Spoke-to-Spoke Capability (dynamic tunnels)

3. Phase 3 – Allows spokes to respond to NHRP requests

DMVPN Phase 2 does not work well with summarized spoke addresses because of the lack of next-hop preservation.

DMVPN (Dynamic Multipoint VPN) is a routing technique that can be used to build a VPN network with multiple sites without having to statically configure all devices. It is a "hub and spoke" network where the spokes are able to communicate with each other directly without having to go through the hub. Encryption is supported through IPsec, which makes DMVPN a popular choice for connecting different sites over regular Internet connections. DMVPN is a combination of the following technologies:

1. Multipoint GRE (mGRE)

2. Next-Hop Resolution Protocol (NHRP)

3. Dynamic Routing Protocol (EIGRP, RIP, OSPF, BGP)

4. Dynamic IPsec encryption
