CCNP ENCOR 350-401 Exam Cram Notes

II. Virtualization

2. Configure and verify data path virtualization technologies

2.1. VRF

Virtual routing and forwarding (VRF): VRF is an IP-based computer network technology that enables the simultaneous co-existence of multiple virtual routers (VRs) as instances or virtual router instances (VRIs) within the same router. One or multiple physical or logical interfaces may have a VRF but none of the VRFs share routes. Packets are forwarded only between interfaces on the same VRF.

VRFs work at Layer 3 of the OSI model. The independent routing instances allow users to deploy IP addresses that overlap or are identical without conflict. Because users can segment network paths without multiple routers, network functionality improves, which is one of the key benefits of virtual routing and forwarding.

Advantages of Virtual Routing and Forwarding

1. Enables the virtual creation of multiple route instances on one physical device

2. Allows users to simultaneously manage multiple routing tables

3. Can be used for MP-BGP and MPLS deployments

4. Multiple VPNs for customers can use overlapping IP addresses without conflict

5. Users may segment network paths without multiple routers, improving network functionality

2.2. GRE and IPsec tunneling

IPSec uses the Authentication Header (AH) and Encapsulating Security Payload (ESP) protocols to transport packets securely over the Internet. Note that PPTP and L2TP are tunneling protocols, whereas IPSec provides strong encryption.

The two primary security services that are provided by IPSec are:

Authentication Header (AH) and Encapsulating Security Payload (ESP).

AH provides authentication of the sender, and ESP provides encryption of the payload.

Given below are the important protocols or suite of protocols used frequently with IPSec:

ESP (Encapsulating Security Payload): ESP provides confidentiality, in addition to authentication, integrity, and anti-replay. ESP can be used alone, or in combination with AH. ESP uses HMAC-MD5 and HMAC-SHA algorithms to provide authentication functions. VPN uses Data Encryption Standard (DES), triple-DES (3DES), RC5, RC4, or Advanced Encryption Standard (AES) for encryption.

Authentication Header (AH): AH provides authentication, integrity, and anti-replay for the entire packet (both the IP header and the data payload carried in the packet). It does not provide confidentiality, which means it does not encrypt the data. The data is readable, but protected from modification. AH uses the HMAC algorithms.

Hash-based message authentication code (HMAC): HMAC is a mechanism for calculating a message authentication code involving a hash function in combination with a secret key. This can be used to verify the integrity and authenticity of a message.

Other hash based algorithms include DES, triple DES, and AES.

Diffie-Hellman (DH) can be used to dynamically generate symmetrical keys to be used by symmetrical algorithms.
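The AH properties described above (the data stays readable, any modification is detected, replays are rejected), shown as an added example that is not part of the original notes. It is a simplified model, not the AH wire format: the key, the names `protect` and `Receiver`, the window size and the sample packets are constructed for illustration, and HMAC-SHA-256 stands in for whichever HMAC the peers have agreed on.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"   # assumption: secret already shared by both peers
ICV_LEN = 32                    # length of an HMAC-SHA-256 digest


def protect(seq: int, header: bytes, payload: bytes, key: bytes = KEY) -> bytes:
    """Sender: append an integrity check value (ICV) over seq + header + payload."""
    body = struct.pack("!I", seq) + header + payload    # payload is NOT encrypted
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Receiver: verify the ICV first, then apply a sliding anti-replay window."""

    def __init__(self, key: bytes = KEY, window: int = 32):
        self.key, self.window = key, window
        self.highest = 0      # highest sequence number accepted so far
        self.seen = set()     # accepted sequence numbers still inside the window

    def accept(self, packet: bytes) -> str:
        if len(packet) < 4 + ICV_LEN:
            return "malformed"
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(icv, expected):      # constant-time comparison
            return "bad-icv"
        seq = struct.unpack("!I", body[:4])[0]
        if seq <= self.highest - self.window or seq in self.seen:
            return "replay"                             # too old, or already seen
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen if s > self.highest - self.window}
        return "ok"
```

The sequence number is only trusted after the ICV check passes, so an unauthenticated packet cannot move the replay window.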

The following are true about IPS (Intrusion Prevention System):

1. It adds some amount of delay to the network traffic, as it scans each packet for any malicious content.

2. Because the IPS is inline, it can normalize (manipulate or modify) traffic inline based on a current set of rules.

3. Unlike IDS (Intrusion Detection System), an IPS works inline. So, every packet goes through the IPS before being forwarded.

When a router encapsulates a packet for a GRE tunnel, it adds new header information (known as encapsulation) to the packet, which contains the remote endpoint IP address as the destination. The new IP header information allows the packet to be routed between the two tunnel endpoints without inspection of the packet's payload. After the packet reaches the remote endpoint, the GRE headers are removed (known as de-encapsulation), and the original packet is forwarded out the remote router. The tunnel source interface or source IP address should not be advertised into a GRE tunnel because it would cause recursive routing issues.
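The encapsulation and de-encapsulation just described, at byte level, as an added example that is not part of the original notes. It covers only the basic 4-byte GRE header with an IPv4 passenger packet; the function names, addresses and sample packet are constructed for illustration.

```python
import ipaddress
import struct

GRE_PROTO = 47             # IP protocol number that marks a GRE payload
ETHERTYPE_IPV4 = 0x0800    # GRE protocol type for an IPv4 passenger packet


def ip_checksum(header: bytes) -> int:
    """Internet checksum of a 20-byte IPv4 header (0 when verifying a valid one)."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    fields = [0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = ip_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields)


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """New outer header (destination = remote endpoint) + GRE header + untouched packet."""
    gre = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)   # version 0, no optional fields
    outer = ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre) + len(inner))
    return outer + gre + inner


def gre_decapsulate(packet: bytes, local_endpoint: str) -> bytes:
    """Strip the outer IP and GRE headers after checking they are meant for us."""
    if len(packet) < 24 or packet[0] != 0x45:
        raise ValueError("truncated packet, or IPv4 options (not handled here)")
    if packet[9] != GRE_PROTO or ip_checksum(packet[:20]) != 0:
        raise ValueError("not GRE, or outer header corrupted")
    if packet[16:20] != ipaddress.IPv4Address(local_endpoint).packed:
        raise ValueError("outer destination is not this tunnel endpoint")
    flags, proto = struct.unpack("!HH", packet[20:24])
    if flags != 0 or proto != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE flags or passenger protocol")
    return packet[24:]


# Constructed sample: an inner packet between two private hosts (opaque 4-byte
# payload), tunneled between documentation-range endpoint addresses.
INNER = ipv4_header("10.1.1.10", "10.2.2.20", 1, 4) + b"ping"
OUTER = gre_encapsulate(INNER, "192.0.2.1", "198.51.100.2")
```

The inner packet sits unchanged inside the outer one: GRE by itself adds no confidentiality or integrity protection, which is why it is paired with IPSec.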

The steps for configuring GRE tunnels are as follows:

Step 1: Create the tunnel interface by using the global configuration command interface tunnel tunnel-number.

Step 2: Identify the local source of the tunnel by using the interface parameter command tunnel source {ip-address | interface-id}. The tunnel source interface indicates the interface that will be used for encapsulation and de-encapsulation of the GRE tunnel. The tunnel source can be a physical interface or a loopback interface. A loopback interface can provide reachability if one of the transport interfaces fails.

Step 3: Identify the remote destination IP address by using the interface parameter command tunnel destination ip-address. The tunnel destination is the remote router's underlay IP address toward which the local router sends GRE packets.

Step 4: Allocate an IP address to the tunnel interface by using the command ip address ip-address subnet-mask.

GRE is a tunneling protocol that provides connectivity to a wide variety of network-layer protocols by encapsulating and forwarding packets over an IP-based network. GRE was originally created to provide transport for non-routable legacy protocols such as Internetwork Packet Exchange (IPX) across an IP network and is now more commonly used as an overlay for IPv4 and IPv6. GRE tunnels have many uses. For example, they can be used to tunnel traffic through a firewall or an ACL or to connect discontiguous networks, and they can even be used as networking duct tape for bad routing designs. Their most important application is that they can be used to create VPNs.

3. Describe network virtualization concepts

3.1. LISP

Proxy ETR (PETR): PETRs act just like ETRs (Egress Tunnel Routers) but for EIDs (Endpoint Identifiers) that send traffic to destinations at non-LISP sites.

Proxy ITR (PITR): An ITR but for a non-LISP site that sends traffic to EID destinations at LISP sites.

Map resolver (MR): This is a network device (typically a router) that receives LISP-encapsulated map requests from an ITR and finds the appropriate ETR to answer those requests by consulting the map server.

Map server/Map resolver (MS/MR): When MS and the MR functions are implemented on the same device, the device is referred to as an MS/MR.

LISP site: This is the name of a site where LISP routers and EIDs (Endpoint Identifiers) reside.

Ingress Tunnel Router (ITR): ITRs are LISP routers that LISP-encapsulate IP packets coming from EIDs that are destined outside the LISP site.

Egress Tunnel Router (ETR): ETRs are LISP routers that de-encapsulate LISP-encapsulated IP packets coming from sites outside the LISP site and destined to EIDs within the LISP site.

Tunnel router (xTR): xTR refers to routers that perform ITR and ETR functions (which is most routers).

Cisco Locator ID Separation Protocol (LISP) is a mapping and encapsulation protocol, originally developed to address the routing scalability issues on the Internet. LISP separates the two functions of an IP address, identity and location, into two separate address types:

Endpoint Identifier (EID): Assigned to hosts like computers, laptops, printers, etc.

Routing Locators (RLOC): Assigned to routers. We use the RLOC address to reach EIDs.


VXLAN allows the SD-Access fabric to support Layer 2 and Layer 3 virtual topologies (overlays) and the ability to operate over any IP-based network with built-in network segmentation (VRF instance/VN) and built-in group-based policy. The original VXLAN specification was enhanced for SD-Access to support Cisco TrustSec Scalable Group Tags (SGTs). This was accomplished by adding new fields to the first 4 bytes of the VXLAN header in order to transport up to 64,000 SGT tags.

The new fields in the VXLAN-GPO packet format include the following:

Group Policy ID: 16-bit identifier that is used to carry the SGT tag.

Group Based Policy Extension Bit (G Bit): 1-bit field that, when set to 1, indicates an SGT tag is being carried within the Group Policy ID field and set to 0 when it is not.

Don't Learn Bit (D Bit): 1-bit field that when set to 1 indicates that the egress virtual tunnel endpoint (VTEP) must not learn the source address of the encapsulated frame.

Policy Applied Bit (A Bit): 1-bit field that is only defined as the A bit when the G bit field is set to 1. When the A bit is set to 1, it indicates that the group policy has already been applied to this packet, and further policies must not be applied by network devices. When it is set to 0, group policies must be applied by network devices, and they must set the A bit to 1 after the policy has been applied.
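A parser for the fields listed above, as an added example that is not part of the original notes. The bit positions are taken from the VXLAN Group Policy Option layout, which the notes do not spell out; the function names and sample headers are constructed for illustration.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Flag masks within the first 16 bits of the 8-byte VXLAN-GPO header.
G_BIT = 0x8000   # Group Based Policy Extension: Group Policy ID carries an SGT
I_BIT = 0x0800   # base VXLAN flag: the VNI field is valid
D_BIT = 0x0040   # Don't Learn
A_BIT = 0x0008   # Policy Applied (only defined when G is 1)


@dataclass
class VxlanGpo:
    vni: int
    sgt: Optional[int]       # None when the G bit is 0
    dont_learn: bool
    policy_applied: bool


def parse_vxlan_gpo(header: bytes) -> VxlanGpo:
    if len(header) < 8:
        raise ValueError("a VXLAN header is 8 bytes")
    flags, group_id, vni_word = struct.unpack("!HHI", header[:8])
    if not flags & I_BIT:
        raise ValueError("I bit is clear: VNI is not valid")
    g = bool(flags & G_BIT)
    return VxlanGpo(
        vni=vni_word >> 8,                         # 24-bit VNI, low byte reserved
        sgt=group_id if g else None,
        dont_learn=bool(flags & D_BIT),
        policy_applied=g and bool(flags & A_BIT),  # A is ignored unless G is set
    )


def build_vxlan_gpo(vni: int, sgt: Optional[int] = None,
                    dont_learn: bool = False, policy_applied: bool = False) -> bytes:
    flags = I_BIT | (D_BIT if dont_learn else 0)
    if sgt is not None:
        flags |= G_BIT | (A_BIT if policy_applied else 0)
    return struct.pack("!HHI", flags, sgt or 0, vni << 8)


def must_enforce_policy(h: VxlanGpo) -> bool:
    """Skip enforcement only when a tag is carried AND policy was already applied."""
    return not (h.sgt is not None and h.policy_applied)
```

Because `policy_applied` is only honoured when the G bit is set, a header with a stray A bit and no tag is still subject to policy.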

VXLAN (Virtual Extensible LAN): VXLAN is an extension to the Layer 2 VLAN. It was designed to provide the same VLAN functionality with greater extensibility and flexibility. VXLAN offers the following benefits:

VLAN flexibility in multitenant segments: It provides a solution to extend Layer 2 segments over the underlying network infrastructure so that tenant workload can be placed across physical pods in the data center.

Higher scalability: VXLAN uses a 24-bit segment ID known as the VXLAN network identifier (VNID), which enables up to 16 million VXLAN segments to coexist in the same administrative domain.

Improved network utilization: VXLAN solved Layer 2 STP limitations. VXLAN packets are transferred through the underlying network based on their Layer 3 header and can take complete advantage of Layer 3 routing, equal-cost multipath (ECMP) routing, and link aggregation protocols to use all available paths.

A VTEP is a virtual or physical device that maps end devices to VXLAN segments. Devices that terminate VXLAN tunnels are known as VTEPs.

VXLAN: VXLAN is an overlay data plane encapsulation scheme that was developed to address the various issues seen in traditional Layer 2 networks. It extends Layer 2 and Layer 3 overlay networks over a Layer 3 underlay network, using MAC-in-IP/UDP tunneling. Each overlay is termed a VXLAN segment.

Location/ID Separation Protocol (LISP): LISP is a routing architecture and a data and control plane protocol that was created to address routing scalability problems on the Internet.

Cisco TrustSec: TrustSec is a next-generation access control enforcement solution developed by Cisco to address the growing operational challenges related to maintaining firewall rules and ACLs by using Security Group Tag (SGT) tags.

Intermediate System-to-Intermediate System (IS-IS): IS-IS is a common dynamic routing protocol found on most routing platforms today.
