Network virtualization, Location/ID Separation Protocol (LISP), Virtual Extensible LAN (VXLAN)

Captions
university we had a server farm, and in that server farm we had these massive servers from Dell. They had lots of storage, lots of memory, and we would give a job to each of those servers. Maybe we had a Microsoft Windows server, a Linux server, maybe an Oracle Solaris server. One thing we did is we gave a big server to each college in the university, so the College of Computer Science would have a server, the College of Natural Science would have a server, and so on. And you know what we noticed? Most of the resources were going unused. Only a fraction of that server's capacity was being tapped by the users. Meanwhile, we had to buy all those servers, we had to keep the operating system patches updated, we had to provide power and redundant power to those servers. It wasn't cost effective. We had so much capacity that was simply being wasted.

That's the beautiful thing about virtual machines. Instead of having all these physical servers, what we could do is virtualize those servers. We could have a virtual server that contains multiple VMs, multiple virtual machines. We could take the Microsoft Windows server, the Linux server, the Oracle Solaris server and put their hard drives on a big physical server, and this physical server would run a virtual instance, a VM, a virtual machine, for each of those formerly physical servers. And those virtual servers would have a virtual network interface card to get out to the rest of the world, and they would connect into a virtual switch inside of our server, and then that virtual switch could connect out to the physical network interface card of the server, and we could connect out to an Ethernet switch, and that would get us out to the rest of the world.

But how is this possible? How can we take something like a Microsoft Windows server running all sorts of applications and virtualize that inside of a big physical server? Well, the way we can do that is run some software on that big physical server that's housing all of those virtual machines, and that
software that allows us to install virtual instances of servers is called a hypervisor. A hypervisor is able to create a virtual machine; it can start it, stop it, and monitor what's happening with our virtual machines. And we need to know about two different types of hypervisors, type 1 and type 2.

First of all, type 1 is where we install the hypervisor software, like an operating system, directly on the underlying hardware of the physical server. This is sometimes called native or bare metal, because we're not putting it on top of something like Microsoft Windows. No, we're installing it directly on the machine, just like we were installing Microsoft Windows. Here we might insert our DVD of the hypervisor software. And although the exam blueprint doesn't tell us that we need to know about specific hypervisors, let me give you just a couple of examples. A couple of examples of type 1 hypervisors would be Microsoft's Hyper-V and VMware ESXi.

But sometimes we have maybe a laptop and we'd like to run a virtual machine on that laptop, or for some other reason we want to install a virtual machine on an existing operating system. We can do that with a type 2 hypervisor. This is also known as a hosted hypervisor. For example, we can install VirtualBox on Microsoft Windows, and on top of that VirtualBox hypervisor software we could then install maybe another instance of Microsoft Windows. Or maybe on a Mac we could install the Parallels hypervisor software that runs on macOS, and on top of that, and this is what I frequently do, I'll use Parallels on my Mac and install Microsoft Windows on top of that. So if I have an application that just runs on Windows and I'm on my Mac, well, I can just fire up that virtual machine and run it in Microsoft Windows running on top of that Parallels type 2 hypervisor.

And that's a look at how we can use hypervisor software to run virtual machine instances. In our next video we want to take a closer look at those virtual machines. They don't have to be just
servers; they could be other network appliances. And we'll also go out to a type 1 hypervisor, specifically VMware's ESXi, and I'll show you how to create a virtual machine. So join me in that video next.

In our last video we saw that we could install hypervisor software to let us run multiple virtual machine instances on a single physical machine, and we talked about two different types of hypervisor software. Just as a quick review, we had type 1 and type 2 hypervisor software. The difference was type 1 hypervisor software ran directly on the underlying physical server's hardware, while type 2 hypervisor software ran on an underlying operating system such as Microsoft Windows, and then the VM would be installed on top of that hypervisor. And that VM would contain its own operating system, the guest OS, maybe Linux, maybe Microsoft Windows, maybe something else. All the supporting files and the configuration would be part of that virtual machine instance, and the applications that we're going to be running.

Oftentimes when we think of a VM, a virtual machine, we think of a server, something that's going to hold files on a hard drive. But we don't have to have just a virtual server. We could have something like a virtual router; we could literally virtualize a Cisco router inside of a VM. Or maybe a virtual switch. And we're going to take a look at a few examples later in this video.

But before we do that, let's define another term that you hear a lot in the industry, and that term is containers. A container is made up of a specific application and all the supporting files, all the libraries, all the configuration files required for that application. But it works a little bit differently than a VM. With a container we still have the physical server, we still have the host operating system, just like a type 2 hypervisor, but then we have something called a container engine, and the container engine is going to be used to create a container image. And the most popular container engine out there
these days is Docker. The container image is going to contain a copy of all the resources required by an application: it's going to have the configuration files, the libraries, all the support files, and the application itself. But here's the big difference. We don't have to install the underlying operating system as part of the container; we're going to rely on that server's operating system. So it makes it much more portable, much more lightweight. And then the container engine is going to run the container image. Again, the big term you might hear around containers is that it's a lightweight VM, because unlike a VM, which has its own operating system, a container does not.

But getting back to our discussion of VMs, we said that a VM is not necessarily a server; it might be some other virtualized device. Let's say that we want to install some virtual devices in our cloud provider's environment. Maybe we have some virtual servers where we have our files stored in the cloud, but for security purposes we'd love to have a firewall sitting in front of those. Now, it's unlikely that the cloud provider is going to be okay with us walking in their front door with a firewall under our arm and installing it in their data center. But what we can do is install a virtual firewall. We can install a virtual machine and then run something like the ASAv, that's the Adaptive Security Appliance Virtual software, on that virtual machine, and this is going to act and behave like a physical Cisco Adaptive Security Appliance. We can have a router virtualized in the cloud as well, or in the data center; I'm just giving the cloud as an example. We could have something like Cisco's CSR 1000V virtualized router. CSR, by the way, stands for Cloud Services Router. We can even have a virtualized switch. As an example, Cisco has the Cisco Nexus 1000V switch. And all these virtual machines, again, could be installed in the cloud or in a data center at our site.

And even though Cisco doesn't
specify a hypervisor that we need to be familiar with, let's get a better sense of what it means to create a virtual machine by going out to a VMware ESXi hypervisor and creating a virtual machine.

Here we're using VMware's ESXi, and we want to create a virtual machine. Here's how we do it. We go under Virtual Machines, we say Create/Register VM, we want to create a new virtual machine, and we'll give it a name. I'll just call it vm-demo as an example. We'll say that we want it to be compatible with ESXi version 6.7. For the guest OS family, maybe it's some flavor of Linux, and for the guest OS version, a lot of the installs I'll do will use CentOS 64-bit, and we'll say Next. It asks where I want to store the image. In my case I only have one option, I only have one datastore, so it's already selected, and I'll say Next.

Now I can specify the hardware, and this could vary widely with your requirements for whatever server you're installing, but let's say that I want a couple of CPUs. I'll change the unit of measure to gigabytes here, and I'll say that I want 16 gigabytes of memory and a 160 gigabyte hard drive. And I want my network adapter connected to a particular port group. In our next video I'm going to show you how to configure a port group; a port group is essentially how we're connecting this server into a virtual switch to get out to other devices. Let's say that I've got a port group called PG-BR1-SW1, PG for port group, so we'll select that as our port group.

Now, when I boot this up, I actually want to boot on what is essentially a DVD to do the installation of my software, and I have an ISO image of that DVD. So for my CD/DVD drive I can select not a host device but a datastore ISO file. This is a file that I've already uploaded to our storage area, to our datastore, and let's say it's going to be this CSR 1000V router. I'll select that and I'll say Next, and if everything looks good I'll say Finish and I'll complete the
installation. I'm not going to take the time to do that here, but when I click Finish it would fire up this virtual machine, it would boot off that ISO image that I provided, and it would walk me through the installation. Of course, the way that looks would vary depending on what you're installing. But that's an overview of how we can install a virtual machine, and a look at a few different options for virtual machines: they're not just servers, they can be network appliances as well.

The virtual machines we install on a hypervisor might need to talk with one another, or maybe they need to talk out to the rest of the world. To do that they're going to need to use a virtual network interface card, or a virtual NIC. A virtual NIC is going to have its own MAC address, and it's going to be used by that virtual machine to communicate with other devices. Maybe I have three different virtual machines and they each have their own virtual NICs, so we've got virtual NIC 1, 2 and 3 here on screen. How do they get out to the rest of the world? Well, they're going to use a virtual switch, which is software supported by our hypervisor that's going to connect different NICs together. Those NICs might be virtual NICs, they might be physical NICs. For example, here, if we want to get out to the rest of the world, we're going to need a virtual switch, and that virtual switch can connect out to one of the physical network interface cards on our server to get us out to the rest of the world. Now, you don't have to connect to a physical NIC. You could have a virtual switch, for example, sitting between a virtual router and another virtual router, and maybe connected off of that virtual switch we have some VMs. So it doesn't have to connect us to a physical NIC, but it certainly could.

And again, Cisco doesn't specify that we need to know how to set up a particular type of hypervisor, but I thought it would deepen our understanding just to see a virtual switch setup. So, similar to what we did in our previous video,
where I showed you how to set up a virtual router, let's see how to set up a virtual switch, again using that VMware ESXi host. To create a virtual switch we're going to go under Networking, then we'll say Virtual Switches, and we want to add a virtual switch. We'll give it a name; I'll just call this vSwitch1. If I have an uplink available on this physical server, in other words a network interface card that's not already associated with a virtual switch, then I can choose it here. The physical server that I'm using has four different NICs on it physically, but only one is currently unassigned, and it's vmnic1. I'll select that one and we'll say Add, and that adds my virtual switch.

But when we're installing a virtual machine and we're trying to plug it into the network virtually, if you remember from the previous video, it asked for a port group to connect into. What we need to do is create one or more port groups on this virtual switch. Here's how we do that. I'm going to go to Port Groups, I'll say I want to add a port group, and I'll give this a name of PG-vSwitch1, PG for port group, and I want to associate that with the vSwitch1 that I just created, and I'll say Add. We can look at how this vSwitch is connected logically by clicking on it. Let's go back to Virtual Switches and click on vSwitch1, and here we see a representation of how this is connected. I'm going out to the physical adapter vmnic1. I've got vmnic0, 1, 2 and 3 on the server, so as I'm looking at the back of my physical server this would be my second NIC. And I've defined a port group, which is a way for virtual machines to get into the switch and therefore out to the rest of the world over that physical adapter.

Not only can we have virtual servers and virtual switches like we talked about in our last lesson, we can also have virtualized data paths. For example, let's say that we've got a couple of routers that want to be OSPF neighbors. The challenge is they live in different
cities, and we've got to go across maybe the Internet to get between those two routers. They're physically not next to each other. What do we do? Well, we could have a tunnel between them to make them logically look like they're adjacent and form that OSPF neighborship. Another way of creating a virtualized data path is to have a physical router with multiple virtual routers running inside of it. A service provider, for example, might have different customers, and they each need their own router with their own routing table. We don't want those routing tables to leak from customer A to customer B. Well, we can keep all those isolated inside of the same physical router. In fact, that's what we're going to look at next. It's a feature called VRF.

Earlier in this module we talked about different types of virtual machines. We could have virtual servers, virtual routers, virtual firewalls, virtual switches and so on, and we could virtualize those inside of a physical server. Well, similarly, we can virtualize routers inside of a physical router. Let's say that we're a service provider, or we have different tenants that we want to keep isolated from one another, but I don't want to have to buy a router for tenant A and another router for tenant B and another router for tenant C. What we can do is allow all of these tenants to be virtualized. They can have their own virtual router, and those virtual routers are running on this underlying physical router, and they are going to be truly isolated from one another. They're not even going to see each other's IP routing tables; they're going to have their own routing tables. And this technology that allows us to do this router virtualization on a physical router is called virtual routing and forwarding, or VRF for short.

Now let's go out to a live interface and take a look at how to configure VRF. We're going to begin our VRF configuration by creating a multiprotocol VRF routing instance for each tenant that we have, and we're going to specify the address family to
be used. By address family, I'm talking about whether we're using IPv4 or IPv6. Well, you can guess based on our topology: we're going to be using IP version 4. So let's get started. Let's go into global configuration mode and I'll say vrf definition, and I'm going to call our first tenant tenant-A, and I'll say it's going to belong to the address family of ipv4. Let's create another VRF instance, and I'll call this one tenant-B. It's also going to be using address family ipv4.

What we want to do now is go into each of our four interfaces in this topology that we see and assign each interface to one of these VRF instances. Notice that Gigabit 0/1 and 0/2 are going to belong to tenant-A, and 0/3 and 0/4 are going to belong to tenant-B, and they're going to have their own routing tables, tenant-A and tenant-B. Let's get started by going into interface Gigabit 0/1, and I'll say vrf forwarding tenant-A; I want Gigabit 0/1 to be part of tenant-A's virtualized router. And I'll say that its IP address is 192.0.2.1 with a 24-bit subnet mask. By default our router interfaces are administratively shut down, so let's do a no shut to bring that up. And let's go into interface Gigabit 0/2. You can see Gigabit 0/1 coming up there. On interface Gigabit 0/2 we also want to belong to tenant-A, and the IP address is going to be 10.1.1.1, again with a 24-bit subnet mask. Let's administratively bring this up; we'll do a no shut, which is short for no shutdown.

Something I want you to notice here is I gave this interface an IP address of 10.1.1.1/24. I'm going to do the same thing for Gigabit 0/3. Have you ever tried that on a Cisco router? You go to different interfaces and maybe you've accidentally tried to type in the same IP address on different interfaces, or maybe even IP addresses that were part of the same network, you tried to apply those to different interfaces, and the
Cisco router told you, no, no, you have an IP address overlap. Well, I'm about to have what looks to be a possible overlap. I'm going to assign the same IP address of 10.1.1.1 to both of these interfaces. Let's see what happens. Let's go into interface Gigabit 0/3, and I want this to belong to a different VRF instance. Instead of tenant-A, it's going to be tenant-B, and I'm going to assign the same IP address to tenant-B. Now, it looks like maybe in a previous configuration it already had an IP address assigned, but that's disabled now that we belong to a specific VRF instance. Let's say ip address 10.1.1.1 with a 24-bit subnet mask. It's the very same IP address that I assigned to Gigabit 0/2, and I did not get an error, because we're in different virtual router instances. They cannot see one another. Even though I've got the very same IP address applied to different interfaces, neither tenant knows about the other tenant. Let's administratively bring this up if it's not already. And let's go into interface Gigabit 0/4. We'll say interface Gigabit 0/4, and this is going to belong to tenant-B as well, and its IP address is 198.51.100.1 with a 24-bit subnet mask. Let's do a no shut to bring it up, and we're done. We've now configured two VRF instances on this one physical router, and we've assigned IP addresses to a couple of interfaces for each of our instances, so we can route between different networks for each tenant.

If we want to see what VRFs we created, we can do a show ip vrf. This will tell us that we have two VRF instances, tenant-A and tenant-B, and it shows the interfaces belonging to each tenant: Gigabit 0/1 and 0/2 belong to tenant-A, 0/3 and 0/4 belong to tenant-B. Now let's look at the routing table for tenant-A. Instead of just doing a show ip route, I'll do a show ip route vrf followed by the VRF name of tenant-A, and we're going to see these two networks that are directly connected to us:
10.1.1.0/24, and we've got a local member of that, the IP address of the interface, 10.1.1.1/32. We're also connected to the network 192.0.2.0/24, and our local interface has an IP address of 192.0.2.1. So we're only seeing IP addresses that were assigned to tenant-A interfaces. And if we look at the IP routing table for tenant-B, notice that it also has a 10.1.1.0/24 network, but it's a different network. Even though it's got the same network address, traffic in the 10.1.1.0 network on tenant-B is not going to be seen by the 10.1.1.0 network on tenant-A.

But in addition to these two IP routing tables that we have, one for tenant-A and one for tenant-B, there's also a global routing table, and we can see that with our traditional show ip route command. Right now I don't have any global routes; I don't have any interfaces not belonging to a tenant at the moment. So let's create a virtual one. Let's create a loopback interface. Let's go into global configuration mode and I'll say interface loopback 0, and let's assign the IP address of 5.5.5.5, and I'll give it a 32-bit subnet mask, so just one IP address in this network. Loopback interfaces are up by default, so no need to do a no shutdown. And let's see if it shows up in our global routing table. I'll do a show ip route. Yes, it does; we see it in the global routing table. Does it show up in the routing tables of our VRFs? Let's take a look. Let's do a show ip route vrf for tenant-A. Do we see the 5.5.5.5 network? No, we don't. What about tenant-B? No, we don't. So we see at this point we have three routing tables. We've got a global routing table and I've got a routing table for each of my tenants, and they are isolated from one another.

Now, in the real world, beyond the scope of what we need to know for this exam, just a heads up for you in case you want to dive deeper into this, there is a way to leak routes in the global routing table into one of our VRF routing tables, or vice versa. So maybe we had a default route, for example, in the
global routing table. We could leak that into our tenants' IP routing tables, and we would do that using a route map. But for our purposes, for this exam blueprint, I just want you to know what a VRF is and how to do this basic configuration, where we created the VRF instance, we said what kind of IP addressing we're assigning, in other words what address family we're going to be using, IPv4 or IPv6, then once we defined our VRF instances we went into physical interfaces, said you belong to this VRF instance, we assigned an IP address, we brought it up, and we were able to keep interfaces on the same physical router isolated from one another simply by assigning them to different VRF instances.

Years ago, if we wanted to connect a couple of corporate sites, we probably had to get some sort of a WAN connection like a leased line, or maybe go into a Frame Relay or an ATM cloud. But these days we have such high-speed connectivity to the Internet, through something like a cable modem, or in my home I've got gig fiber. We've got such easy connectivity in many places in the world to high-speed Internet that we can connect one office location to another office location over the Internet. But the challenge is we want to do that securely, because the Internet is an untrusted network. So we need to come up with some sort of a virtual private network, a VPN, that can protect our data as it's flowing between a couple of sites. So let's think about how we can accomplish that. We know that we can use these common broadband technologies, and the clients, if we're using a site-to-site VPN like this, don't have to have special software installed. They don't have to have client software; it's going to be transparent to them, because the routers, or possibly a VPN concentrator, are going to do the heavy lifting. So again, the goal is to transport all kinds of traffic between our different corporate sites, and by all kinds of traffic I mean not just unicast IP but broadcast, multicast, whatever traffic we want.
We want to be able to send it over this protected tunnel, and to do that let's consider a couple of VPN protocols. The first one is called GRE, Generic Routing Encapsulation. Now, the downside I'll tell you up front about GRE is that it does not provide security. The good thing about GRE is that it is super flexible. It can encapsulate just about any type of data: broadcast, unicast, even non-IP traffic we can send over a GRE tunnel. But it's a bit of a drawback that it doesn't do security.

There's another VPN protocol that's very popular that does do security, and it's IPsec, short for IP Security. But with an IPsec tunnel we're going to have a drawback there as well. So let's take a look at the characteristics of an IPsec tunnel. First of all, it is super secure. It's going to give us different encryption algorithms that will scramble our data up and therefore give us confidentiality. It's going to be able to run a hashing algorithm like the Secure Hash Algorithm against a data string and create a fingerprint of it, and if the fingerprint on one router matches the fingerprint on the other router, that's an indication that that packet has not been modified in transit, so we think it's good; that checks its integrity. We can do authentication using something like a pre-shared key or a digital certificate, so we know that the other end of the tunnel is who we think they are. And if somebody were to intercept packets and then try to play them back, because those packets worked earlier they might work later, well, we're going to prevent replay attacks by putting basically serial numbers on those packets. So it has lots of security features.

Here's the downside, though. Unlike GRE, which could encapsulate just about anything, IPsec can only encapsulate unicast IP packets. We'll talk about how to overcome that in a moment. But more information about IPsec that I want you to know: there are two basic modes of IPsec. There's transport mode and tunnel mode. In transport mode we're going to be using the
original packet's header, and we're going to encapsulate the payload of the packet. In tunnel mode, though, we encapsulate everything: we encapsulate the payload and the original header.

The way an IPsec tunnel is set up really uses two different steps. Step one is to establish what's called an ISAKMP tunnel, or an IKE phase 1 tunnel. As a metaphor, if you've ever watched the TV show, the really old TV show, or now it's a Steve Carell movie, Get Smart, if you're familiar with that show you might remember the cone of silence that Max always wants lowered when he's talking to the Chief about something secret. It never did seem to work right in the TV show or the movie, but the idea was you lower the cone of silence and that gives you this private communication area. Well, that's essentially what an ISAKMP tunnel is. It's like we're lowering the cone of silence so that these two routers can talk securely. What are they talking about? Well, they're talking about the parameters that they're going to use to set up the actual IPsec tunnel, which is also known as the IKE phase 2 tunnel. So we negotiate the parameters of the actual IPsec tunnel within the protection of an IKE phase 1 tunnel. This is very secure.

But how do we overcome this issue that we can only secure unicast IP traffic, while GRE could encapsulate just about anything but would not give us security? What if we use both? Here's what I mean. What if we took whatever the traffic was, unicast, multicast, broadcast, it doesn't matter, we took any of our traffic and we encapsulated it inside of a GRE tunnel. Now we've got a bunch of GRE packets. Some of those packets might contain IP unicast, broadcast, multicast, doesn't matter, but the GRE packet itself is a unicast IP packet. Do you see where I'm going with this? Once we put traffic inside of a GRE tunnel, it's now unicast IP packets, which can then be sent inside of an IPsec tunnel. We're going to take our traffic, put it inside of the GRE tunnel, then we're going to put those GRE unicast IP
packets inside of an IPsec tunnel. That's how we can use these two different VPN protocols together to meet our goals of giving us flexible, secure communication across an untrusted network, across the Internet. And in our next video we're going to take a look at how to configure a GRE over IPsec tunnel.

In this video we want to see how to set up a GRE over IPsec tunnel, for the reasons we talked about in the prior video. To begin with, I want to set up just a basic GRE tunnel, no encryption or any security things going on here, just a GRE tunnel. Here's how we do that. I'm going to go into router R1 and I'll create a virtual tunnel interface by saying interface tunnel, and I'll just give it a number of 1. I'll assign an IP address that I'm going to be using for this tunnel, and I'll use a private IP address of 192.168.0.1, and I'm going to give a 30-bit subnet mask, 255.255.255.252, because I only need two IP addresses in the subnet, one on each end of the tunnel. The tunnel interface is up by default, so I don't need to do a no shutdown. Now I just need to say who's the source of the tunnel and who's the destination of the tunnel. Well, this is going to be coming out of the bottom of R1 and going into the top of R4. So my tunnel source, from the perspective of R1, is that interface Gigabit 0/1, and I'm going to that interface on the top of R4, Gigabit 0/1, and it has an IP address of 198.51.100.2. So I'll say my tunnel destination is 198.51.100.2, and I'm done with the configuration on R1 for my GRE tunnel.

Let's move over to router R4 and I'll give a mirror configuration. I'll say that I want to create a tunnel interface, I'll give it a locally significant number of 1, I'll assign it an IP address of 192.168.0.2, again with a 30-bit subnet mask. From the perspective of R4 my source is going to be Gigabit 0/1, so I'll say tunnel source Gigabit 0/1, and the tunnel destination is going to be Gigabit 0/1 on R1, which has an IP address of
192.0.2.1. And we're done with our GRE tunnel configuration. In fact, we just saw an OSPF adjacency come up between R1 and R4 over that tunnel connection, because it looks like they're adjacent to one another; it looks like they're tied together using that tunnel. Let's take a look at our GRE tunnel before we move on to IPsec. If I do a show ip interface brief command, we can see that we do have a logical Tunnel1 interface and it is administratively up. Excellent. I can do a show ip ospf neighbor command, and I'm on R4 and I'm a neighbor with R1 over that Tunnel1 interface. Again, it looks like I'm physically adjacent to R1.

Now that we've configured and verified our GRE tunnel, let's move on to IPsec. Remember, there are two phases: there's IKE phase 1, also known as ISAKMP, and IKE phase 2, also known as IPsec. First let's configure the IKE phase 1 policy that we're going to be using. Let's go back over to router R1 and go into global configuration mode, and I'll say crypto and let's give some context-sensitive help. Right now I'm wanting to set up the IKE phase 1, or the ISAKMP, policy, so notice there's an option for isakmp. I'll say crypto isakmp policy and I'll give a priority number. I've only got one policy, so it doesn't really matter what number I give; I'll just say 10. Now I'm in ISAKMP policy configuration mode. From here I can set up my encryption. Encryption options include 3DES, DES and AES. That's the one we want, Advanced Encryption Standard; that's the strongest of all three of these, so I'll say encryption aes. For authentication we want to use a pre-shared key, and that pre-shared key can be generated using Diffie-Hellman. Diffie-Hellman is going to use asymmetric encryption to create a symmetric key to allow us to do symmetric encryption. So I'll say authentication pre-share, and the Diffie-Hellman group determines how secure it is. I'll just use group 2 for this demo, and I'll say exit. Since we're going to be using a pre-shared key, we need to specify
what is that key and who can it be used with. Now in our example, in this lab example, I'm going to make the key easy to remember; I'll call it Kevin's key. And since we're in a lab environment, I'm going to make this key valid with any peer that wants to talk with us. To do that, I'll say crypto isakmp key, and the key is going to be Kevin's key, and the address of any valid peer; I'm going to say anybody. To do that I'll say 0.0.0.0 space 0.0.0.0; that'll match anybody.

Now that we've specified our parameters for IKE phase 1, it's time to create a transform set for IKE phase 2. The elements of this transform set, that's what's going to be negotiated between our two routers when they're setting up this IKE phase 2, or this IPsec tunnel. A transform set, it's a collection of encryption and hashing algorithms, and we have to find a matching algorithm on our peers. So we don't have to specify just a single encryption algorithm; we could say we'll support any of these, and during that negotiation that happens, again, during IKE phase 1, we can agree on, hopefully, a transform set. We can also say that we're using transport mode or tunnel mode, which we talked about in the previous video. In this example let's say we're going to use transport mode, which is going to encapsulate the payload rather than the entire packet. We're going to keep our packet size a little bit smaller by not encrypting the original header. To do that, I'll say crypto ipsec transform-set, and let's give it a name; I'll call it KW train. We'll use some context-sensitive help here. We're looking at our security algorithms, and I'm going to choose Encapsulating Security Payload, which is more secure than Authentication Header, hyphen aes. Let's use some more context-sensitive help, and it says okay, I know how you want to do encryption, you're going to use AES; what about for integrity, how are you going to do hashing? So from this list I'll say Encapsulating Security Payload hyphen sha, Secure Hash Algorithm, hmac, which is
going to do more than just hash a string; it's going to add a secret key to that hash, so if somebody intercepts it they're not going to be able to generate a valid key. Let's enter that, and we can specify our mode as either transport or tunnel. Here I'm going to say transport.

The next thing we need to do is define interesting traffic. When we're setting up an IPsec tunnel, interesting traffic is traffic that is going to be sent through the tunnel. We can send traffic that's not interesting just fine; it's not going to be encrypted, though. We want to encrypt our GRE traffic, so we want to make GRE traffic interesting. To do that, I'm going to use an access control list. I'll say ip access-list, and it's going to be an extended access list, and I'm going to call it gre-in-ipsec, and I'm going to permit GRE traffic from anywhere to anywhere. Again, because I'm in a lab environment, I'm not concerned about specifying source and destination IP addresses.

Now we need to create a crypto map. That's going to be the connective tissue that ties everything together: the interesting traffic, the transform set, and we're going to point to our peer. To do that I'll say crypto map, and let's name this vpn. We'll give it a sequence number of 10, and this is going to be for an IPsec tunnel that uses ISAKMP, which is what we typically use, so I'll say ipsec-isakmp. It says this is going to be disabled until we specify a peer and a valid access list. Okay, let's do that; let's also specify the transform set that we want to use to protect the traffic. I'll say match address gre-in-ipsec. What this is saying is any traffic that's matching that extended access control list, we're going to put that inside the IPsec tunnel; we're going to protect it. And what is matching that access control list? All of our GRE traffic. So let's enter that. Let's say how we're going to protect that traffic: we'll say set transform-set and give our transform set name of KW train. And who's my peer?
Well, my peer is that incoming interface on R4, 198.51.100.2. I'll say set peer 198.51.100.2. We'll exit that, and now we need to apply this crypto map to the Gig 0/1 interface, which is the interface we're using to send those GRE packets. Let's go into interface configuration mode for Gigabit 0/1, and I'll say crypto map vpn. We've now configured GRE and IPsec on R1.

Let's now go over to R4 and give a mirrored configuration. Oh, and notice that our OSPF adjacency went down, because I'm encrypting traffic on R1 but I'm not encrypting it on R4, so that's caused an issue. Well, we're going to fix that, so no worries. Let's go into global configuration mode, and let's do this: instead of making you watch me type in the exact same commands, with a couple of IP addresses maybe different, what I've done is created this in a text file where I can just paste it in. Again, this is simply a mirrored configuration on R4. Just for time's sake, I don't want you to have to watch me do it again; if you want to watch me do it again, you can just rewind and see me do it on R1. But I'm just going to paste in the configuration for R4, and it should be working now. Hopefully our OSPF adjacency will come back up, and there it is, so that's a good sign.

Let's do some configuration verification on R4. First I'll create some traffic; let's see if I can ping the loopback interface on R1. Can I ping 1.1.1.1? Yes, I can. Let's now do a show crypto isakmp sa, and SA stands for security association. We see that we've got R1 and R4 acting as both source and destination; our status is active for these security associations. That's all good news, but that was for IKE phase 1, that was for ISAKMP. What about IPsec? Let's do a show crypto ipsec security association. Things look good here as well; in fact, we actually see evidence that we have encapsulated packets. Some of those were our ping packets, some of those might have been some OSPF packets, but we are getting confirmation now that we are successfully sending GRE
traffic inside of our IPsec tunnel. And again, the big advantage of doing that is that GRE can encapsulate just about anything: IP unicast, broadcast, multicast. It encapsulates those traffic types inside of GRE packets, which are unicast IP packets. We then take those unicast IP packets, put those inside of our IPsec tunnel, which can only protect IP unicast packets, and then we allow IPsec to do its security work of encryption and hashing. And that's a basic look at a GRE in IPsec tunnel configuration.

In this lesson we want to discuss two different technologies: LISP and VXLANs. To give you an overview, LISP is a way for us to identify a network device using a couple of identifiers. One identifier identifies the location of the device on the internet, and the other identifier identifies the device within that location. One of the things this can help us with is controlling the exploding size of the BGP routing table on the internet. We have several hundred thousand routes in a full BGP routing table; it's getting out of control. Well, great news: LISP can help with that. Then we'll take a look at VXLANs. VXLANs give us more broadcast domains than we would have with regular VLANs, where we have a little over four thousand different broadcast domains. We could have lots more. But do we need lots more? Yes, in a data center we could very easily exceed that 4,000-and-some VLANs that we normally have access to. And something else that VXLANs can do for us: they can allow the same broadcast domain to exist across a layer 3 boundary. We're going to talk about both of those in this lesson, but let's get started with a discussion of LISP.

When I started working with BGP connections going out to multiple internet service providers and having my router hold the entire internet routing table, this is back in the late 1990s, it contained about 60,000 entries. But now the internet routing table has grown tremendously. In fact, let's go out and take a look at the size of the internet routing table at the time of
this recording. Here we see how things used to be when I started working with BGP and doing multi-homing, and we had about 60,000 routes at that point. Now we're approaching, or we've exceeded, 800,000 route entries, and it's probably going to be more than that when you watch this video. We can do some route aggregation, but sometimes, like if we're doing traffic engineering, we might require that a specific route be injected into BGP. If we're doing multi-homing, that configuration might require that we have the full internet routing table. The bottom line is we have a problem with scalability with the internet routing table, but there's a protocol that can help us out with that. The protocol is called LISP, L-I-S-P, and that stands for the Location ID Separation Protocol. By the way, LISP is useful in other environments too, like mobility environments or Internet of Things applications, but it was originally designed to address the internet routing table's scalability issue.

Now, as the name suggests, LISP separates a single IP address into two parts: an endpoint identifier, or an EID, and a routing locator, or an RLOC. This would allow, for example, a device to move from one location on the internet to another location and keep its endpoint identifier, its EID, while updating its routing locator, its RLOC. When we're trying to locate a specific endpoint identifier, what we can do is ask a map resolver, and a map resolver is going to give us information about the current routing locator for that EID. In this case let's say that client A wants to talk to client B. Client B is currently at LISP site 2 and client A is at LISP site 1, and that server at LISP site 2 has an IP address of 198.51.100.1. Well, that's going to be the address of the routing locator; that's where we need to point traffic to get to client B. The way the map resolver knows that client B lives at that address is that the router at LISP site 2 registered that information with a map server. Commonly we'll
have the map resolver and the map server on the same device, like a router. And our RLOC routers, representing the different LISP sites, register their information with the map server, and then somebody that wants to get to one of those devices can request information from the map resolver, and the map resolver is getting information from the map server. We see that commonly written as MS/MR. For example, let's say that that router at LISP site 2 wants to register with its map server. What it's going to do is, it's going to have information stored locally; it knows that the network of 192.168.1.0/24 is available at the RLOC router of 198.51.100.1. Well, it's going to send that information up to the map server, and that map server is going to make an entry in its table, so anybody wanting to go to any IP address in that network, we're going to say yeah, go to this RLOC router. And that map server is going to send a confirmation, by the way, to that registration message; that's going to go back to our RLOC router.

Once we know the RLOC that we're sending to, the packet that we want to send to another site, we're going to add on a LISP header and we're going to add on a UDP header, and that's going to be encapsulated inside of an IP packet with the RLOCs acting as the source and destination IP addresses. Notice that the source in that outer header is 203.0.113.1; that's the address of the RLOC, that router at LISP site 1, and the destination is the RLOC at LISP site 2, 198.51.100.1. By the way, that LISP header can contain information such as a VRF identifier or a VPN identifier; this is going to give us segmentation, isolation. And in the UDP header, you might want to make a note that the UDP port number that's used by LISP to send data is UDP port 4341. Again, our goal here is for client A to send traffic to client B. Well, the router at LISP site 1 that's going to do the encapsulation of that traffic, it's called the ingress tunnel router, or the ITR. It's going
to do the encapsulation: it adds the LISP header, it encapsulates everything in that new IP packet. When the packet reaches the destination, the router that does the decapsulation, that unwraps everything, is going to be that router, in our case at LISP site 2; that's going to be the ETR, the egress tunnel router. So in this example client A wants to communicate with client B, so the LISP router at LISP site 1 is going to query the map resolver to say, hey, I want to go to this IP address of 192.168.1.100, and our map resolver says, oh yeah, I've got an entry for that network that contains that IP address; you should go to an RLOC at an IP address of 198.51.100.1. So that's what happens: client A goes up to its ITR at LISP site 1, and it's going to send traffic over to the RLOC that it was told to go to by the map resolver. That's over at LISP site 2; it's going to decapsulate that packet and send it on to client B. Now in this example we only had one network at LISP site 2, but we could have had hundreds at that site, all of which were available using that single route locator of 198.51.100. This gives us an idea of how LISP can help address that routing scalability issue. We didn't have to contain all those networks that might have been at LISP site 2; we just needed to know how to get to the routing locator, and we had another table that said, oh yeah, that RLOC will get you to all these networks. Another benefit that we had here, you might have noticed, is we were able to send traffic between private IP addresses that were separated over the internet. And that's a look at some of the benefits and the operation of the Location ID Separation Protocol.

With traditional Ethernet switches we can support a little over four thousand VLANs. The reason is the VLAN field is 12 bits long; it's going to give us just over 4,000 VLANs. But in today's networks, where we might have a data center with lots of virtualization and need to isolate several virtual machines from other virtual machines, we
could easily run out of VLANs. Well, the great news is virtual extensible LANs, or VXLANs, can come to the rescue. They let us have over 16 million different identifiers instead of just 4,000, and the way VXLANs can do that is by encapsulating our layer 2, or even layer 3, traffic and adding a VXLAN network identifier. That's called a VNI, and this VNI field is 24 bits long; that's what gives us those 16 million plus VXLAN network identifiers. Those VXLANs can run over our existing physical network infrastructure. The existing physical network infrastructure is referred to as an underlay network. Here we see 12 different switches, and they're physically connected as you see here, and this makes up the underlay network. But we could create logical tunnels between specific switches to create an entirely different topology. Here we're using that same physical underlay network, but we're logically creating tunnels between select switches to create a totally different topology, and that's our overlay network. We typically see this in data centers where we use a spine-leaf design. We've got our nodes, like our servers, connecting to leaf switches, and those leaf switches interconnect by going through a spine. The spine switches allow any leaf switch to get to any other leaf switch in only a single hop; we just have to go through one spine switch, because every leaf switch is connected to every spine switch.

The device that does our VXLAN encapsulation is called a virtual Ethernet module, or VEM, and each VEM has an IP address. It could have more than one, but it's got at least one IP address that we're going to use to communicate over this routed network, and that IP address is assigned to a special interface called a VTEP, which stands for VXLAN tunnel endpoint. Each VTEP is associated with one or more VNIs, and VTEPs on different switches can temporarily bring up a tunnel and pass traffic between themselves. By the way, another benefit that VXLANs give us is that if
we're sending traffic over a port channel, where we've got multiple links making up a single logical link, instead of just using one link, the VXLAN switches know how to load balance that traffic across all of the physical links. What about traffic for which we don't know the destination? I mean, on a regular switched infrastructure, a switch that doesn't know how to get to a destination, it's going to send out an ARP broadcast perhaps. What about multicasts? What about unknown unicasts? What if we don't know where somebody lives; how do we get to them? Well, for that type of traffic, called BUM traffic, for broadcast, unknown unicast, and multicast, we've got different approaches for handling that, but we're going to consider in this example using multicast; that's a very popular approach. What we can do is have these different VTEPs join a multicast group. Now you might be wondering, do we have to have a multicast group for each VNI? And no, we don't. We could have multiple VNIs belonging to the same multicast group, because the VEMs themselves are going to look at that VNI identifier before sending the traffic out, and you can see, even though it received it over this multicast group, it's going to see that, oh yeah, this is destined for a different VNI; I don't send it out of this port. So it's totally fine to have multiple VNIs associated with the same multicast group.

Let's walk through an example of how this is going to work. The table you see on screen, that table is being maintained by leaf switch 1, leaf SW1. What we want to do here is we want server 1 to communicate with server 2. How do we do this? Well, server 1 is going to send out an ARP broadcast, because it knows it wants to get to 10.1.1.200 but it doesn't know the MAC address, so it sends out an ARP broadcast. When that frame goes into leaf switch 1, it's going to make an entry in its table that says, hey, I just learned that the all-A's MAC address lives off of port Ethernet 1/1. That switch also has a mapping table that says VLAN
10, to which server 1 belongs, maps to VNI 10010. So now we have a VNI identifier, not just a VLAN identifier, and the way we're going to get to that is go out of Ethernet 1/1. Well, we just sent broadcast traffic into this leaf switch 1; what's it going to do with that? Well, for that BUM traffic, remember, broadcast, unknown unicast, and multicast, we're going to send that out to a multicast group that our other switches joined, and leaf switch 3 sees that because it's a member of that multicast group. We're pretending that the group number is 239.1.1.10. When it gets that broadcast ARP sent via multicast, it's going to flood it out all of its other ports, so it's going to go down to server 2, and server 2 says, yep, that's me, and it says my MAC address is the all-B's MAC address, and it goes back to leaf switch 3. Switch 3 now knows that the 10.1.1.200 IP address with the all-B's MAC address lives off of port Ethernet 1/1, so it's going to respond to the other VTEP and say, hey, if you want to get to the all-B's MAC address, come to me; come to 192.168.1.33, that's my VTEP IP address. It sends that information over to leaf switch 1, and leaf switch 1 is going to make an entry in its table. It says if I want to get to the all-B's MAC address, which lives in VNI 10010, I want to go to a VTEP IP address of 192.168.1.33, and it's going to send the result of the all-B's MAC address down to server 1. So now when server 1 wants to communicate with server 2, it's going to send traffic to a destination IP address of 10.1.1.200, which, by the way, is in the same VLAN even though we're separated by a router. It's going to say I want to go to that IP address with the all-B's MAC address, and leaf switch 1 is going to say, according to my table, the all-B's MAC address is available via VTEP 192.168.1.33. So leaf switch 1 is going to form a VTEP tunnel with leaf switch 3; it's going to send that traffic over there, and leaf switch 3 is going to send it out to
server 2. And that's a look at how VXLAN communication is going to be able to allow different devices that live on the same subnet, the same VLAN, to communicate with one another across a routed network. It's very useful in the data center to have all those extra identifiers, because, as we discussed, we could run out of VLANs, but we're probably not going to run out of VXLAN network identifiers.

In this module we took a look at virtualization. We took a look at different types of hypervisors and how they could virtualize network devices, and we also saw how we could virtualize data paths; for example, we could use VRF or we could use VPNs to create a virtual path within the network. And finally, we took a look at how we could virtualize the network itself using technologies such as LISP and VXLANs.

This module, in my opinion, is the real core of the ENCOR course, because it covers the foundational technologies that we see in our enterprise networks. For example, we'll take a look at layer 2 technologies like Spanning Tree Protocol and trunking; at layer 3 we'll consider routing protocols including OSPF and BGP; we'll see technologies that make wireless networking possible; and then we're going to take a look at
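As an added example for the GRE over IPsec walk-through above (not code from the video), this Python script parses an IOS-style config built from the lab commands and flags the two shortcuts the presenter called lab-only, the any-peer pre-shared key and DH group 2, and checks that the crypto map sits on the interface the tunnel sources from. The key string and the exact spelling of the transform-set and ACL names are assumptions.

```python
import re

# Constructed R1 configuration mirroring the lab commands in the transcript; the key
# string and the exact spellings of the transform-set and ACL names are assumptions.
LAB_R1_CONFIG = """\
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
crypto isakmp key KEVINSKEY address 0.0.0.0 0.0.0.0
crypto ipsec transform-set KWTRAIN esp-aes esp-sha-hmac
 mode transport
ip access-list extended GRE-IN-IPSEC
 permit gre any any
crypto map VPN 10 ipsec-isakmp
 match address GRE-IN-IPSEC
 set transform-set KWTRAIN
 set peer 198.51.100.2
interface Tunnel1
 ip address 192.168.0.1 255.255.255.252
 tunnel source GigabitEthernet0/1
 tunnel destination 198.51.100.2
interface GigabitEthernet0/1
 crypto map VPN
"""


def parse_ios(config):
    """Group an IOS-style config into (top-level command, [indented sub-commands]) pairs."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_gre_over_ipsec(config):
    """Return a list of findings about the GRE-over-IPsec setup; empty means all checks passed."""
    findings = []
    crypto_maps, acls, ifaces = {}, {}, {}
    for head, subs in parse_ios(config):
        words = head.split()
        if head.startswith("crypto isakmp policy"):
            for sub in subs:  # the demo used DH group 2; flag anything below group 14
                m = re.fullmatch(r"group (\d+)", sub)
                if m and int(m.group(1)) < 14:
                    findings.append(f"{head}: DH group {m.group(1)} is below group 14")
        elif head.startswith("crypto isakmp key") and head.endswith("address 0.0.0.0 0.0.0.0"):
            findings.append("ISAKMP pre-shared key accepts any peer (0.0.0.0 0.0.0.0)")
        elif head.startswith("crypto map ") and head.endswith("ipsec-isakmp"):
            crypto_maps[words[2]] = subs
        elif head.startswith("ip access-list extended "):
            acls[words[3]] = subs
        elif head.startswith("interface "):
            ifaces[words[1]] = subs
    for name, subs in crypto_maps.items():
        # IOS keeps the map disabled until it has a peer and a valid match address
        if not any(s.startswith("set peer ") for s in subs):
            findings.append(f"crypto map {name}: no peer set, map stays disabled")
        acl = next((s.split()[2] for s in subs if s.startswith("match address ")), None)
        if acl is None:
            findings.append(f"crypto map {name}: no match address, map stays disabled")
        elif not any(e.startswith("permit gre") for e in acls.get(acl, [])):
            findings.append(f"crypto map {name}: ACL {acl} never marks GRE as interesting")
        if not any(s.startswith("set transform-set ") for s in subs):
            findings.append(f"crypto map {name}: no transform set")
    # The map must be on the interface the tunnel sources from, or GRE leaves unprotected.
    for ifname, subs in ifaces.items():
        src = next((s.split()[2] for s in subs if s.startswith("tunnel source ")), None)
        if src is None:
            continue
        if not any(s.startswith("crypto map ") for s in ifaces.get(src, [])):
            findings.append(f"{ifname}: no crypto map on tunnel source {src}")
    return findings
```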
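As an added example for the LISP section (not code from the video), this Python code models the MS/MR registration and lookup, then performs the ITR encapsulation and ETR decapsulation with the lesson's values: RLOCs 203.0.113.1 and 198.51.100.1, EID prefix 192.168.1.0/24, and UDP port 4341. Client A's EID 172.16.0.10 and the Instance ID value 100 are constructed for the demo.

```python
import ipaddress
import struct

LISP_DATA_PORT = 4341  # UDP port LISP uses for encapsulated data, as noted in the lesson


class MapServer:
    """Combined map server / map resolver (MS/MR) holding EID-prefix to RLOC registrations."""

    def __init__(self):
        self.registrations = {}  # ipaddress network (EID prefix) -> RLOC address string

    def map_register(self, eid_prefix, rloc):
        """An ETR registers the EID prefix reachable behind its RLOC; the MS acknowledges."""
        self.registrations[ipaddress.ip_network(eid_prefix)] = rloc
        return ("map-notify", eid_prefix, rloc)

    def map_request(self, eid):
        """An ITR asks which RLOC covers an EID; the longest matching prefix wins."""
        addr = ipaddress.ip_address(eid)
        covering = [net for net in self.registrations if addr in net]
        if not covering:
            return None
        return self.registrations[max(covering, key=lambda net: net.prefixlen)]


def ipv4_header(src, dst, proto, total_len):
    """Minimal 20-byte IPv4 header (checksum left at zero; it is not verified here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)


def lisp_encapsulate(inner_packet, src_rloc, dst_rloc, instance_id=0):
    """ITR side: add LISP header, UDP header and an outer IP header with RLOCs as addresses."""
    # LISP data header (RFC 6830): flags byte, 24-bit nonce/map-version, then either
    # 32 locator-status bits or, with the I bit (0x08) set, a 24-bit Instance ID + 8 LSBs.
    # The Instance ID is the VRF/VPN identifier the lesson mentions.
    flags = 0x08 if instance_id else 0x00
    lisp_hdr = struct.pack("!B3s3sB", flags, b"\0\0\0", instance_id.to_bytes(3, "big"), 0)
    udp_len = 8 + len(lisp_hdr) + len(inner_packet)
    src_port = 49152 + sum(inner_packet[:20]) % 16384  # ITR-chosen; varied for ECMP hashing
    udp_hdr = struct.pack("!HHHH", src_port, LISP_DATA_PORT, udp_len, 0)
    return ipv4_header(src_rloc, dst_rloc, 17, 20 + udp_len) + udp_hdr + lisp_hdr + inner_packet


def lisp_decapsulate(packet):
    """ETR side: strip outer IP/UDP/LISP; return (instance_id, inner packet)."""
    ihl = (packet[0] & 0x0F) * 4
    udp_dst = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    if udp_dst != LISP_DATA_PORT:
        raise ValueError("not LISP data traffic")
    lisp_hdr = packet[ihl + 8:ihl + 16]
    instance_id = int.from_bytes(lisp_hdr[4:7], "big") if lisp_hdr[0] & 0x08 else 0
    return instance_id, packet[ihl + 16:]


def itr_forward(map_server, inner_packet, local_rloc, instance_id=0):
    """ITR at the source site: resolve the inner destination EID, then encapsulate."""
    dst_eid = str(ipaddress.ip_address(inner_packet[16:20]))
    rloc = map_server.map_request(dst_eid)
    if rloc is None:
        return None  # no mapping for that EID: nothing to encapsulate toward
    return lisp_encapsulate(inner_packet, local_rloc, rloc, instance_id)


if __name__ == "__main__":
    ms = MapServer()
    # Site 2's ETR registers 192.168.1.0/24 behind RLOC 198.51.100.1 (values from the lesson).
    ms.map_register("192.168.1.0/24", "198.51.100.1")
    # Client A (constructed EID 172.16.0.10) sends to client B at 192.168.1.100.
    inner = ipv4_header("172.16.0.10", "192.168.1.100", 1, 20)
    outer = itr_forward(ms, inner, "203.0.113.1", instance_id=100)
    print(lisp_decapsulate(outer) == (100, inner))
```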
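As an added example for the VXLAN walk-through (not code from the video), this Python code builds and parses the header carrying the 24-bit VNI and replays leaf switch 1's table updates from the ARP exchange, including the shared-multicast-group case where a leaf drops traffic for a VNI it does not serve. The lesson gives VLAN 10, VNI 10010, group 239.1.1.10 and leaf 3's VTEP 192.168.1.33; leaf 1's VTEP address 192.168.1.31 and the MAC values are constructed.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"
MAC_A = "aa:aa:aa:aa:aa:aa"  # the lesson's "all A's" MAC, server 1 (constructed value)
MAC_B = "bb:bb:bb:bb:bb:bb"  # the lesson's "all B's" MAC, server 2 (constructed value)


def vxlan_header(vni):
    """8-byte VXLAN header: flags with the I bit (VNI valid), 3 reserved, 24-bit VNI, 1 reserved."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    return bytes([0x08, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"


def vxlan_vni(header):
    """Read the VNI back out of a VXLAN header, refusing headers without the I bit."""
    if len(header) < 8 or not header[0] & 0x08:
        raise ValueError("VNI flag not set")
    return int.from_bytes(header[4:7], "big")


def frame_dst_mac(frame):
    return ":".join(f"{b:02x}" for b in frame[:6])


class LeafSwitch:
    """A leaf's VTEP view: VLAN-to-VNI map plus a MAC table pointing at local ports or remote VTEPs."""

    def __init__(self, vtep_ip, vlan_to_vni, bum_group):
        self.vtep_ip = vtep_ip
        self.vlan_to_vni = vlan_to_vni  # 802.1Q VLAN -> VNI
        self.bum_group = bum_group      # multicast group the VTEPs joined for BUM traffic
        self.mac_table = {}             # (mac, vni) -> ("port", name) or ("vtep", ip)

    def learn_local(self, mac, vlan, port):
        vni = self.vlan_to_vni[vlan]
        self.mac_table[(mac, vni)] = ("port", port)
        return vni

    def learn_remote(self, mac, vni, vtep_ip):
        self.mac_table[(mac, vni)] = ("vtep", vtep_ip)

    def forward(self, dst_mac, vni):
        """Where a frame in this VNI goes: a local port, a VTEP tunnel, or the BUM multicast group."""
        if dst_mac == BROADCAST or (dst_mac, vni) not in self.mac_table:
            return ("multicast", self.bum_group)
        return self.mac_table[(dst_mac, vni)]

    def encapsulate(self, frame, vni):
        """Return (outer destination, VXLAN header + frame) for a frame crossing the underlay."""
        kind, target = self.forward(frame_dst_mac(frame), vni)
        if kind == "port":
            return None  # local delivery, no encapsulation needed
        return target, vxlan_header(vni) + frame

    def receive_from_group(self, payload):
        """Traffic from the shared multicast group is flooded only if the VNI is one we serve."""
        vni = vxlan_vni(payload[:8])
        for vlan, served in self.vlan_to_vni.items():
            if served == vni:
                return ("flood", vlan, payload[8:])
        return None  # another VNI sharing the group: dropped, not flooded


def arp_walkthrough(leaf1, leaf3):
    """Replay the lesson's exchange: server 1 behind leaf1 resolves 10.1.1.200 behind leaf3."""
    vni = leaf1.learn_local(MAC_A, 10, "Ethernet1/1")  # ARP request enters Ethernet1/1
    first_hop = leaf1.forward(BROADCAST, vni)          # broadcast is BUM: goes to the group
    leaf3.learn_local(MAC_B, 10, "Ethernet1/1")        # server 2 answers on leaf3
    leaf3.learn_remote(MAC_A, vni, leaf1.vtep_ip)      # leaf3 learns A behind leaf1's VTEP
    leaf1.learn_remote(MAC_B, vni, leaf3.vtep_ip)      # leaf1 learns B behind 192.168.1.33
    return first_hop, leaf1.forward(MAC_B, vni), leaf3.forward(MAC_A, vni)
```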
Info
Channel: WE-Learns
Views: 128
Rating: 5 out of 5
Id: k97zE4-jC2c
Length: 58min 0sec (3480 seconds)
Published: Tue May 04 2021