Configuring IKEv1 IPSec site-to-site VPN with preshared-keys on Cisco ASA

cisco

Overview

Many companies have multiple remote offices which need secure network connectivity with the headquarters or between them. This can be achieved by using a site-to-site VPN setup which allows offices in multiple fixed locations to establish secure connections and share resources with each other over a public network such as the Internet. Cisco ASA supports the IPsec protocol for configuring a site-to-site VPN tunnel. IPsec works by authenticating and encrypting each IP packet of a communication session and uses the Internet Key Exchange (IKE) protocol to negotiate and establish a secure VPN tunnel. The original IKE version 1 is defined in RFC 2409 and IKE version 2 (IKEv2) is defined in RFC 5996. Cisco introduced support for IKEv2 beginning with ASA version 8.4, but in this article we will focus only on the legacy IKEv1 implementation.

Continue reading…

Configuring 802.1Q tunneling (Q-in-Q) on Cisco switches

cisco

Overview

The 802.1Q tunneling technology, also known as Q-in-Q, is an extension to the well-known 802.1Q standard which allows service providers to transport customer VLANs by simply adding another layer of IEEE 802.1Q tag to the original 802.1Q tagged packets that enter the ISP network. Customer VLAN IDs are preserved and traffic from different customers is segregated within the service-provider infrastructure even when they appear to be on the same VLAN. The primary benefit for the service provider is that fewer provider VLANs are needed to serve the same number of customers. By using 802.1Q tunneling the layer 2 domain of a customer can be extended across multiple sites. A Q-in-Q frame can be identified by the Ethertype field 0x8100 in the Ethernet header and it’s called a double-tagged frame. One outer ISP VLAN tag can carry 4096 customer VLAN tags and this brings the total number of available VLANs to approximately 16.8 million.

Continue reading…

Configuring VRF-lite on Cisco routers

cisco

Overview

VRF, which stands for virtual routing and forwarding, is a feature that allows a single physical router to segregate network traffic into separate virtual routing instances. A router has only one global routing table by default, which includes all connected, static and dynamically learned routes. As an analogy, VRFs can be viewed as a segregation feature at layer 3 similar to VLANs at layer 2. If we take the example of an ISP with multiple customers, by using VRFs we can have separate routing tables per customer on the same router. VRF-lite is a simple form of VRF implementation which is used without MPLS and is appropriate for small to medium enterprises. Being logically isolated, each VRF can use overlapping IP address spaces without conflicting with the others.

Continue reading…

Configuring Generic Routing Encapsulation (GRE) tunnels on Cisco IOS

cisco

Overview

Generic routing encapsulation (GRE) is a tunneling protocol which was initially developed by Cisco and later adopted as an industry standard in RFC 2784. GRE allows the encapsulation of a wide variety of network layer protocols inside virtual point-to-point links. This means that the original packet is encapsulated inside a GRE header and a new IP header containing the source and the destination of the tunnel endpoints. The GRE protocol does not provide any security for the data being transported, so if encryption is needed GRE must be used in conjunction with the IPsec protocol. Some of the reasons for using GRE are the need to transport multicast traffic, or to provide workarounds for networks with limited hops. In this article we will demonstrate how two networks which do not have reachability can be connected through a GRE tunnel.

Continue reading…

Configuring Policy Based Routing on Cisco ASA

cisco

Overview

Normally, when a routing device receives a packet it decides where to forward it based on the destination address of the packet. Policy Based Routing (PBR) is a mechanism which allows you to forward packets based on policies manually defined by network administrators. A good use case for PBR is when a company which has multiple outside connections to different ISPs needs to control how traffic is distributed across these connections. Compared to traditional routing, PBR allows you to implement routing policies based on different criteria like source or destination address, source or destination port, protocol, size of the packet, packet classification and so on. Cisco introduced this feature on Cisco ASA beginning with version 9.4(1). Let’s dive into the PBR configuration.

Continue reading…