[SOLVED] RFC 1483/2684 Bridged PPPoE

Lecture 05: PPPoE, GRE, IPSec VPN
HKUSPACE CCIT ENA
Syllabus inspired by Cisco Networking Academy CCNA v7.0 (ENSA)
Module Objectives

Copyright By Assignmentchef assignmentchef

Topic Title
Topic Objective
Broadband Connection
Broadband access concept
PPPoE Overview
Describe PPPoE access, advantages
PPPoE Setup
Configure PPPoE connection
VPN Technology
Describe the benefits of VPN technology.
Types of VPNs
Describe different types of VPNs.
Configure GRE Tunnels
Explain how the IPsec framework is used to secure network traffic.
2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2

VPN Technology
Virtual Private Networks
Virtual private networks (VPNs) to create end-to-end private network connections.
A VPN is virtual in that it carries information within a private network, but that information is actually transported over a public network.
A VPN is private in that the traffic is encrypted to keep the data confidential while it is transported across the public network.
Remote Access Connections
Broadband Connections
The cable system uses a coaxial cable that carries radio frequency (RF) signals across the network.
A headend CMTS communicates with CMs located in subscriber homes.
The HFC network is a mixed optical-coaxial network in which optical fiber replaces the lower bandwidth coaxial cable.
2016 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential 3
Coaxial cable- bus topology (share)
One fiber node can serve 1 to several buildings. usually one node can accommodate 500 homes
2016 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential 4

Remote Access Connections
Broadband Connections
A Digital Subscriber Line (DSL) is a means of providing high-speed connections over installed copper wires.
The two important components are the DSL transceiver (DSL modem) and the DSLAM
The advantage that DSL has over cable technology is that DSL is not a shared medium. Each user has a separate direct connection to the DSLAM.
Analog voice
POTS splitter
Data over ADSL
IP packets encapsulated over ATM Three common approaches:
RFC 1483/2684 Bridged PPPoE
2016 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential 5
2016 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential 6

PPP over Ethernet
An Ethernet frame carries the PPP frame.
Service provider end (Server Side):
DSLAM for DSL connection termination Aggregation router for PPP session termination
Subscriber end (Client side):
DSL modem for DSL connection termination
PPPoE client for PPP session termination The client device is the PC or the router at the CPE.
PPP in Operation
2016 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential 7
IP is assigned to PPPoE client functioning device.
A CPE router can connect multiple users via a single ADSL connection using NAT/PAT and DHCP.
2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 8

PPP in Overview
PPP can be used on all serial links including those links created with dial-up analog and ISDN modems.
PPP supports the ability to assign IP addresses to remote ends of a PPP link.
PPP supports CHAP authentication.
Ethernet links do not natively support PPP. PPP over Ethernet (PPPoE) provides a solution to this problem. PPPoE creates a PPP tunnel over an Ethernet connection.
2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 9
Configuring PPPoE
PPPoE Configuration (Server Side)
Configuration tasks:
Step 1: Create virtual interface template (used to spawn a virtual interface for every incoming client initiated PPP session)
Step 2: Configure Broadband Aggregation (bba) group (used to terminate PPPoE connection). Step 3: Bind PPPoE bba group with virtual interface template
Step 4: Enable PPPoE bba group on physical interface.
Step 5: Create IP address pool assigned to clients
Step 6:. Create authentication database
Step 7: Enable authentication in virtual interface
Cisco Confidential 10
2016 Cisco and/or its affiliates. All rights reserved.
Server Router

Configuring PPPoE Server
PPPoE Server Configuration Details
Step 1 Create virtual interface template
Interface IP address can follow physical interface g0/0 (facing PPPoE client) or can be actual IP address
Associate an IP pool ready for client IP address allocation
Step 2 & 3 Create bba group & bind virtual interface template to group
Some latest Cisco router may require vpdn enable command to activate bba group. In this case, the command template
below works.
interface Virtual-Template1
peer default ip address pool pppoe_pool ip unnumbered GigabitEthernet0/0
bba-group pppoe global virtual-template 1
vpdn enable vpdn-group global
accept-dialin protocol pppoe virtual-template 1
Configuring PPPoE Server
PPPoE Server Configuration Details
Step 4 Associate PPPoE bba group on physical interface
Step 5 Create IP address pool assigned to clients Step 6 Create authentication database
Step 7 Enable authentication in virtual interface
If DNS server IP needs to forward to PPPoE client, the command ppp ipcp dns dns_svr_ip should be used under virtual template.
2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 12
2016 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential 11
interface GigabitEthernet0/0
ip address 4.4.4.1 255.255.255.0
pppoe enable group global
ip local pool pppoe_pool 4.4.4.10 4.4.4.100
username CPE password 0 mysecret
interface Virtual-Template1
ppp authentication chap callin

VPN Technology VPN Benefits
Modern VPNs now support encryption features, such as Internet Protocol Security (IPsec) and Secure Sockets Layer (SSL) VPNs to secure network traffic between sites.
Major benefits of VPNs are shown in the table:
Description
Cost Savings
Organizations can use VPNs to reduce their connectivity costs while simultaneously increasing remote connection bandwidth.
Encryption and authentication protocols protect data from unauthorized access.
Scalability
VPNs allow organizations to use the internet, making it easy to add new users without adding significant infrastructure.
Compatibility
VPNs can be implemented across a wide variety of WAN link options including broadband technologies. Remote workers can use these high-speed connections to gain secure access to corporate networks.
VPN Technology
Site-to-Site and Remote Access VPNs
A site-to-site VPN is terminated on VPN gateways. VPN traffic is only encrypted between the gateways. Internal hosts have no knowledge that a VPN is being used.
2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 14
2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 13

VPN Technology
Site-to-Site and Remote Access VPNs (Cont.)
A remote-access VPN is dynamically created to establish a secure connection between a client and a VPN terminating device.
VPN Technology
Enterprise and Service Provider VPNs
VPNs can be managed and
deployed as:
Enterprise VPNs common solution for securing enterprise traffic across the internet. Site-to-site and remote access VPNs are created and managed by the enterprise using IPsec and SSL VPNs.
Service Provider VPNs created and managed by the provider network. The provider uses Multiprotocol Label Switching (MPLS) at Layer 2 or Layer 3 to create secure channels between an enterprises sites, effectively segregating the traffic from other customer traffic.
2016 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential 15
2016 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential 16

Types of VPNs Remote-Access VPNs
Remote-access VPNs let remote and mobile users securely connect to the enterprise.
Remote-access VPNs are typically enabled dynamically by the user when required and can be created using either IPsec or SSL.
Clientless VPN connection -The connection is secured using a web browser SSL connection.
Client-based VPN connection VPN client software such as Cisco AnyConnect Secure Mobility Client must be installed on the remote users end device.
Types of VPNs SSL VPNs
SSL uses the public key infrastructure and digital certificates to authenticate peers. The type of VPN method implemented is based on the access requirements of the users and the organizations IT processes. The table compares IPsec and SSL remote access deployments.
2016 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential 17
Applications supported
Extensive All IP-based applications
Limited Only web-based applications and file sharing
Authentication strength
Strong Two-way authentication with shared keys or digital certificates
Moderate one-way or two-way authentication
Encryption strength
Strong Key lengths 56 256 bits
Moderate to strong Key lengths 40 256 bits
Connection complexity
Medium Requires VPN client installed on a host
Low Requires web browser on a host
Connection option
Limited Only specific devices with specific configurations can connect
Extensive Any device with a web browser can connect
2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 18

Types of VPNs
Site-to-Site IPsec VPNs
Site-to-site VPNs connect networks across an untrusted network such as the internet.
End hosts send and receive normal unencrypted TCP/IP traffic through a VPN gateway.
The VPN gateway encapsulates and encrypts outbound traffic from a site and sends the traffic through the VPN tunnel to the VPN gateway at the target site. The receiving VPN gateway strips the headers, decrypts the content, and relays the packet toward the target host inside its private network.
Types of VPNs
GRE over IPsec
2016 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential 19
Generic Routing Encapsulation (GRE) is a non-secure site-to-site VPN tunneling protocol.
A GRE tunnel can encapsulate various network layer protocols as well as multicast and broadcast traffic.
GRE does not by default support encryption; and therefore, it does not provide a secure VPN tunnel.
A GRE packet can be encapsulated into an IPsec packet to forward it securely to the destination VPN gateway.
Standard IPsec VPNs (non-GRE) can only create secure tunnels for unicast traffic.
Encapsulating GRE into IPsec allows multicast routing protocol updates to be secured through a VPN.
2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 20

Types of VPNs
GRE over IPsec (Cont.)
The terms used to describe the encapsulation of GRE over IPsec tunnel are passenger protocol, carrier protocol, and transport protocol.
Passenger protocol This is the original packet that is to be encapsulated by GRE. It could be an IPv4 or IPv6 packet, a routing update, and more.
Carrier protocol GRE is the carrier protocol that encapsulates the original passenger packet.
Transport protocol This is the protocol that will actually be used to forward the packet. This could be IPv4 or IPv6.
2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 21
Types of VPNs
GRE over IPsec (Cont.)
For example, Branch and HQ need to exchange OSPF routing information over an IPsec VPN. GRE over IPsec is used to support the routing protocol traffic over the IPsec VPN. Specifically, the OSPF packets (i.e., passenger protocol) would be encapsulated by GRE (i.e., carrier protocol) and subsequently encapsulated in an IPsec VPN tunnel.
2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 22

Types of VPNs
Dynamic Multipoint VPNs
Site-to-site IPsec VPNs and GRE over IPsec are not sufficient when the enterprise adds many more sites. Dynamic Multipoint VPN (DMVPN) is a Cisco software solution for building multiple VPNs in an easy, dynamic, and scalable manner.
DMVPN simplifies the VPN tunnel configuration and provides a flexible option to connect a central site with branch sites.
It uses a hub-and-spoke configuration to establish a full mesh topology.
Spoke sites establish secure VPN tunnels with the hub site.
Each site is configure using Multipoint Generic Routing Encapsulation (mGRE). The mGRE tunnel interface allows a single GRE interface to dynamically support multiple IPsec tunnels.
Spoke sites can also obtain information about each other, and alternatively build direct tunnels between themselves (spoke-to-spoke tunnels).
Types of VPNs DMVPN (Cont.)
Dynamic Multipoint VPN (DMVPN) Cisco software solution for building multiple VPNs in an easy, dynamic, and scalable manner.
Goal is simplified configuration while providing flexibility.
DMVPN topologies can use:
Hub-to-Spoke Tunnels
Hub-to-Spoke and Spoke-to-Spoke Tunnels
DMVPN is built from the following technologies:
Next Hop Resolution Protocol (NHRP)
Multipoint Generic Routing Encapsulation (mGRE) tunnels IP Security (IPsec) encryption
2016 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential 23
2016 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential 24

Types of VPNs
IPsec Virtual Tunnel Interface
IPsec Virtual Tunnel Interface (VTI) simplifies the configuration process required to support multiple sites and remote access.
IPsec VTI configurations are applied to a virtual interface instead of static mapping the IPsec sessions to a physical interface.
IPsec VTI is capable of sending and receiving both IP unicast and multicast encrypted traffic. Therefore, routing protocols are automatically supported without having to configure GRE tunnels.
IPsec VTI can be configured between sites or in a hub-and-spoke topology.
2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 25
Types of VPNs
Service Provider MPLS VPNs
Today, service providers use MPLS in their core network. Traffic is forwarded through the MPLS backbone using labels. Traffic is secure because service provider customers cannot see each others traffic.
MPLS can provide clients with managed VPN solutions; therefore, securing traffic between client sites is the responsibility of the service provider.
There are two types of MPLS VPN solutions supported by service providers:
Layer 3 MPLS VPN The service provider participates in customer routing by establishing a peering between the customers routers and the providers routers.
Layer 2 MPLS VPN The service provider is not involved in the customer routing. Instead, the provider deploys a Virtual Private LAN Service (VPLS) to emulate an Ethernet multiaccess LAN segment over the MPLS network. No routing is involved. The customers routers effectively belong to the same multiaccess network.
2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 26

Fundamentals of Generic Routing
Encapsulation Introduction to GRE
Fundamentals of Generic Routing Characteristics of GRE
GRE has these characteristics:
GRE is defined as an IETF standard.
IP protocol 47 is used to identify GRE packets.
GRE encapsulation uses a protocol type field in the GRE header to support the encapsulation of any OSI Layer 3 protocol.
GRE itself is stateless; it does not include any flow-control mechanisms, by default. GRE does not include any strong security mechanisms to protect its payload.
The GRE header, together with the tunneling IP header, creates at least 24 bytes of additional overhead for tunneled packets.
2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 28
Basic, non-secure, site-to- site VPN tunneling protocol developed by Cisco
Encapsulates a wide variety of protocol packet types inside IP tunnels
Creates a virtual point-to- point link to routers at remote points, over an IP internetwork
2016 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential 27

Fundamentals of Generic Routing
GRE Tunnel Configuration
Fundamentals of Generic Routing
GRE Tunnel Configuration
2016 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential 29
2016 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential 30

Configuring GRE Tunnels
GRE Tunnel Verification
Verify Tunnel Interface is Up
Verify OSPF Adjacency
IPsec Technologies
2016 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential 31
IPsec is an IETF standard that defines how a VPN can be secured across
IP networks. IPsec protects and authenticates IP packets between source
and destination and provides these essential security functions:
Confidentiality Uses encryption algorithms to prevent cybercriminals from
reading the packet contents.
Integrity Uses hashing algorithms to ensure that packets have not been altered
between source and destination.
Origin authentication Uses the Internet Key Exchange (IKE) protocol to
authenticate source and destination.
Diffie-Hellman Used to secure key exchange.
2016 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential 32

IPsec Technologies (Cont.)
IPsec is not bound to any specific rules for secure communications.
IPsec can easily integrate new security technologies without updating existing IPsec standards.
The open slots in the IPsec framework shown in the figure can be filled with any of the choices that are available for that IPsec function to create a unique security association (SA).
IPsec Protocol Encapsulation
Choosing the IPsec protocol encapsulation is the first building block of the framework.
2016 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential 33
IPsec encapsulates packets using Authentication Header (AH) or Encapsulation Security Protocol (ESP).
The choice of AH or ESP establishes which other building blocks are available.
AH is appropriate only when confidentiality is not required or permitted.
ESP provides both confidentiality and authentication.
2016 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential 34

IPSec Confidentiality
The degree of confidentiality depends on the encryption algorithm and the length of the key used in the encryption algorithm.
The number of possibilities to try to hack the key is a function of the length of the key the shorter the key, the easier it is to break.
Confidentiality (Cont.)
The encryption algorithms highlighted in the figure are all symmetric key cryptosystems:
DES uses a 56-bit key.
3DES uses three independent 56-bit
encryption keys per 64-bit block.
AES offers three different key
lengths: 128 bits, 192 bits, and 256
SEAL is a stream cipher, which
means it encrypts data continuously rather than encrypting blocks of data. SEAL uses a 160-bit key.
2016 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential 35
2016 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential 36

IPSec Integrity
Data integrity means that the data has not changed in transit.
A method of proving data integrity is required.
The Hashed Message Authentication Code (HMAC) is a data integrity algorithm that guarantees the integrity of the message using a hash value.
Message-Digest 5 (MD5) uses a 128-bit shared-secret key.
The Secure Hash Algorithm (SHA) uses a 160-bit secret key.
IPSec Authentication
There are two IPsec peer authentication methods:
1. Pre-shared key (PSK) (PSK) value is entered into each peer manually.
Easy to configure manually
Does not scale well
Must be configured on every peer
2. Rivest, Shamir, and Adleman (RSA) authentication uses digital certificates to authenticate the peers.
Each peer must authenticate its opposite peer before the tunnel is considered secure.
2016 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential 37
2016 Cisco and/or its affiliates. All rights reserved.

CS: assignmentchef QQ: 1823890830 Email: [email protected]