Chapter 15: IP Services

CCNP and CCIE Enterprise Core ENCOR 350-401

Edgeworth B.
Ali Delgado

Chapter 15 IP Services

Item | Content    | Description
15.1 | NTP        | Network Time Protocol
15.2 | FHRP       | First-Hop Redundancy Protocol
     | HSRP       | Hot Standby Router Protocol
     | VRRP       | Virtual Router Redundancy Protocol
     | GLBP       | Gateway Load Balancing Protocol
15.3 | NAT        | Network Address Translation
     | Static NAT |
     | Pooled NAT |
     | PAT        | Port Address Translation

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
15.1 Network Time Protocol (NTP)

NTP
Time and Calendar Services
• The software clock on a router or switch starts when the system boots and is the primary source of time for the system. It is important to synchronize the time across all devices on the network. When time is not synchronized between devices, the following become difficult:
  • Managing passwords that change at specific time intervals
  • Encryption key exchanges
  • Checking the validity of certificates based on expiration date and time
  • Correlation of security-based events across multiple devices (routers, switches, firewalls, network access control systems, and so on)
  • Troubleshooting network devices and correlating events to identify the root cause of an event

NTP
Time and Calendar Services (Cont.)
A solution is to configure NTP on the network. This protocol allows routers on the network to synchronize their time settings with an NTP server, which provides more consistent time settings. NTP can be set up to synchronize to a private master clock, or it can synchronize to a publicly available NTP server on the internet. NTP uses UDP port 123 and is documented in RFC 1305.
• Obsoletes RFC 1119, RFC 1059, RFC 958

NTP
NTP Operation
NTP networks use a hierarchical system of time sources. Each level in this hierarchical system is called a stratum. The stratum level is defined as the number of hop counts from the authoritative source. The synchronized time is distributed across the network by using NTP.

The maximum hop count is 15. Stratum 16, the lowest stratum level, indicates that a device is unsynchronized.

NTP
NTP Operation (Cont.)
• Stratum 0: These authoritative time sources are high-precision timekeeping devices
assumed to be accurate and with little or no delay associated with them.
• Stratum 1: Devices that are directly connected to the authoritative time sources. They
act as the primary network time standard.
• Stratum 2 and Lower: Stratum 2 servers are connected to stratum 1 devices through
network connections. Stratum 2 devices, such as NTP clients, synchronize their time
by using the NTP packets from stratum 1 servers. They could also act as servers for
stratum 3 devices.

Time servers on the same stratum level can be configured to act as a peer with other time
servers on the same stratum level for backup or verification of time.

NTP
Configure and Verify NTP
• Before NTP is configured on the network, the show clock command displays the current time on the software clock. With the detail option, notice that the time source is user configuration.
• The ntp server ip-address command is issued in global configuration mode to configure 209.165.200.225 as the NTP server for R1. To verify that the time source is set to NTP, use the show clock detail command. Notice that now the time source is NTP.

R1# show clock detail
20:55:10.207 UTC Fri Nov 15 2019
Time source is user configuration
R1# config t
R1(config)# ntp server 209.165.200.225
R1(config)# end
R1# show clock detail
21:01:34.563 UTC Fri Nov 15 2019
Time source is NTP

Note: you can use the ntp master stratum-number command to statically set the stratum for a device when it acts as an NTP server.

NTP
Configure and Verify NTP (Cont.)
The show ntp associations and show ntp status commands are used to verify that R1 is synchronized with the NTP server at 209.165.200.225. Notice that R1 is synchronized with a stratum 1 NTP server at 209.165.200.225, which is itself synchronized with a GPS clock. The show ntp status command displays that R1 is now a stratum 2 device that is synchronized with the NTP server at 209.165.200.225.

R1# show ntp associations
  address         ref clock       st   when   poll reach  delay  offset   disp
*~209.165.200.225 .GPS.            1     61     64   377  0.481   7.480  4.261
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

R1# show ntp status
Clock is synchronized, stratum 2, reference is 209.165.200.225
nominal freq is 250.0000 Hz, actual freq is 249.9995 Hz, precision is 2**19
(output omitted)

NTP
Configure and Verify NTP (Cont.)
• The clock on S1 is configured to synchronize to R1 with the ntp server command, and the configuration is verified with the show ntp associations command.
• Output from the show ntp associations command verifies that the clock on S1 is now synchronized with R1 at 192.168.1.1 via NTP. R1 is a stratum 2 device, making S1 a stratum 3 device that can provide NTP service to other devices in the network.

S1(config)# ntp server 192.168.1.1
S1(config)# end
S1# show ntp associations
  address         ref clock        st   when   poll reach  delay  offset   disp
*~192.168.1.1     209.165.200.225   2     12     64   377  1.066  13.616  3.840
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
(output omitted)

S1# show ntp status
Clock is synchronized, stratum 3, reference is 192.168.1.1
nominal freq is 119.2092 Hz, actual freq is 119.2088 Hz, precision is 2**17
(output omitted)

ntp peer 192.168.1.
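As an added example (not from the course slides), the following Python parses show ntp associations output in the layout shown above and applies the checks an operator would script against it: stratum 16 means unsynchronized, the first-column flag marks the sys.peer or a rejected falseticker, and the octal reach field shows which of the last eight polls were answered. The sample text is constructed: the first row is the slide's own peer, the 192.0.2.10 and 198.51.100.7 peers are made up to exercise the failure cases.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the layout of "show ntp associations" on this slide.
# Row 1 is the slide's peer; rows 2 and 3 are made-up peers that exercise the
# failure cases (never synchronized, and rejected as a falseticker).
SAMPLE_ASSOCIATIONS = """\
  address         ref clock       st   when   poll reach  delay  offset   disp
*~209.165.200.225 .GPS.            1     61     64   377  0.481   7.480  4.261
 ~192.0.2.10      .INIT.          16      -     64     0  0.000   0.000  15937.
x~198.51.100.7    198.51.100.1     2     33     64   377  2.100  350.120  9.870
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
"""

# Meaning of the first-column character, from the legend IOS prints under the table.
FLAG_MEANING = {"*": "sys.peer", "#": "selected", "+": "candidate",
                "-": "outlyer", "x": "falseticker", " ": "none"}

ROW_RE = re.compile(
    r"^(?P<sel>[ *#+x-])(?P<cfg>[~ ])(?P<addr>\S+)\s+(?P<ref>\S+)\s+(?P<st>\d+)\s+"
    r"(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]+)\s+(?P<delay>\S+)\s+"
    r"(?P<offset>\S+)\s+(?P<disp>\S+)$")


@dataclass
class Association:
    address: str
    refclock: str
    stratum: int
    reach: int            # shift register of the last eight polls, printed in octal by IOS
    offset_ms: float
    selection: str        # decoded first-column flag
    configured: bool      # "~": statically configured with "ntp server"


def parse_associations(text: str) -> List[Association]:
    """Parse the table rows; the header and legend lines do not match ROW_RE and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(Association(m["addr"], m["ref"], int(m["st"]), int(m["reach"], 8),
                                    float(m["offset"]), FLAG_MEANING[m["sel"]], m["cfg"] == "~"))
    return rows


def reach_ratio(reach: int) -> float:
    """Fraction of the last eight polls that were answered (377 octal = all eight)."""
    return bin(reach & 0xFF).count("1") / 8


def assess(rows: List[Association], max_offset_ms: float = 128.0
           ) -> Tuple[List[Tuple[str, str]], Optional[Association]]:
    """Return (findings, sys_peer). Findings are what a monitoring job should alert on."""
    findings = []
    sys_peer = None
    for r in rows:
        if r.selection == "sys.peer":
            sys_peer = r
        if r.stratum >= 16:                        # stratum 16 = unsynchronized, per the slide
            findings.append((r.address, "unsynchronized (stratum 16)"))
        if r.selection == "falseticker":           # clock rejected by the selection algorithm
            findings.append((r.address, "rejected as falseticker"))
        if reach_ratio(r.reach) < 1.0:
            findings.append((r.address, f"reach {r.reach:o}: missed polls"))
        if abs(r.offset_ms) > max_offset_ms:       # 128 ms is NTP's step threshold
            findings.append((r.address, f"offset {r.offset_ms} ms exceeds {max_offset_ms} ms"))
    if sys_peer is None:
        findings.append(("-", "no sys.peer selected: local clock is free-running"))
    return findings, sys_peer
```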


15.2 First Hop Redundancy Protocols (FHRP)

Concept of First Hop Redundancy Protocols

• The deployment of first-hop redundancy protocols (FHRPs) solves the problem of hosts configuring multiple gateways. FHRPs work by creating a virtual IP (VIP) gateway instance that is shared between the Layer 3 devices. This presentation covers the following FHRPs:

1. Hot Standby Router Protocol (HSRP)
2. Virtual Router Redundancy Protocol (VRRP)
3. Gateway Load Balancing Protocol (GLBP)

These are the steps that take place when the active router fails:

Concept of First Hop Redundancy Protocols
First Hop Redundancy Protocols
• Hot Standby Router Protocol (HSRP) - A Cisco-proprietary FHRP designed to allow for transparent failover of a first-hop IPv4 device.
  • The active device is the device that is used for routing packets.
  • The standby device is the device that takes over when the active device fails.
  • The function of the HSRP standby router is to monitor the operational status of the HSRP group and to quickly assume packet-forwarding responsibility if the active router fails.
• HSRP for IPv6 - Cisco-proprietary FHRP providing the same functionality as HSRP, but in an IPv6 environment.

Concept of First Hop Redundancy Protocols
First Hop Redundancy Protocols (Cont.)
• Virtual Router Redundancy Protocol version 2 (VRRPv2) - A nonproprietary protocol that dynamically assigns responsibility for one or more virtual routers to the VRRP routers on an IPv4 LAN.
  • One router is elected as the virtual router master, with the other routers acting as backups in case the virtual router master fails.
• VRRPv3 - Adds the capability to support both IPv4 and IPv6.
• Gateway Load Balancing Protocol (GLBP) - Cisco-proprietary FHRP that protects data traffic from a failed router or circuit while allowing load balancing between a group of redundant routers.
• GLBP for IPv6 - Cisco-proprietary FHRP providing the same functionality as GLBP.

HSRP Operations
HSRP Overview
• One of the routers is selected by HSRP to be the active router and default gateway.
• The other router becomes the standby router.
• If the active router fails, the standby router assumes the role of active router and default gateway.
• Hosts are configured with a single default gateway VIRTUAL address that is recognizable by both the active and standby routers.
• RFC 2281

HSRP Operations
HSRP Versions

Feature                        | HSRP v1 (default)                         | HSRP v2
Group numbers                  | 0 to 255                                  | 0 to 4095
Multicast address              | 224.0.0.2                                 | 224.0.0.102 or FF02::66
Virtual MAC address            | 0000.0C07.AC00 - 0000.0C07.ACFF           | IPv4: 0000.0C9F.F000 - 0000.0C9F.FFFF
                               | (last two hex digits = group number)      | (last three hex digits = group number)
                               |                                           | IPv6: 0005.73A0.0000 - 0005.73A0.0FFF
                               |                                           | (last three hex digits = group number)
Support for MD5 authentication | No                                        | Yes
Timers                         | Does not support millisecond timer values | Supports millisecond timer values

HSRP Configuration
HSRP Configuration Commands
Step 1. Configure HSRP version 2.
Step 2. Configure the virtual IP address for the group.
Step 3. Configure the priority for the desired active router to be greater than 100.
Step 4. Configure the active router to preempt the standby router in cases where the active router comes online after the standby router.

HSRP states: Initial - Learn - Listen - Speak - Standby - Active

HSRP Configuration
HSRP Sample Configuration

HSRP Configuration
HSRP Verification

HSRP Configuration
HSRP Verification (Cont.)

VRRP Operations
VRRP Overview
• Virtual Router Redundancy Protocol (VRRP) is an industry standard and operates similarly to HSRP. The behavior of VRRP is so close to that of HSRP that the following differences should be noted:
  • The preferred active router controlling the VIP gateway is called the master router. All other VRRP routers are known as backup routers.
  • VRRP enables preemption by default.
  • The MAC address of the VIP gateway uses the structure 0000.5e00.01xx, where xx reflects the group ID in hex.
  • VRRP uses the multicast address 224.0.0.18 for communication.
  • RFC 5798 (obsoletes RFC 3768, which obsoleted RFC 2338)

VRRP Configuration
VRRP Configuration Commands
Switch(config-if)# vrrp group ip virtual-ip
Switch(config-if)# vrrp group priority priority
Switch(config-if)# vrrp group timers advertise [msec] interval
Switch(config-if)# vrrp group timers learn
Switch(config-if)# no vrrp group preempt
Switch(config-if)# vrrp group preempt [delay seconds]
Switch(config-if)# vrrp group authentication string
Switch(config-if)# vrrp group track object-number [decrement priority]
Switch# show vrrp brief

VRRP Configuration
VRRP Sample Configuration

Configuration on R1 (master)
R1(config)# interface f0/0
R1(config-if)# ip address 10.1.1.1 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)# vrrp 123 ip 10.1.1.100

VRRPv3 (address-family) form, from a second example on the slide:
SW2(config)# fhrp version vrrp v3
SW2(config-if)# vrrp 22 address-family ipv4
SW2(config-if-vrrp)# address 172.16.22.1
SW2(config-if-vrrp)# track 1 decrement 20
SW2(config-if-vrrp)# priority 110

Configuration on R2 (backup)
R2(config)# interface f0/0
R2(config-if)# ip address 10.1.1.2 255.255.255.0
R2(config-if)# no shutdown
R2(config-if)# vrrp 123 ip 10.1.1.100
R2(config-if)# vrrp 123 priority 90
R2(config-if)# no vrrp 123 preempt

VRRP Configuration
VRRP Verification

VRRP status on R1
R1# show vrrp brief
Interface   Grp  Pri  Time  Own  Pre  State   Master addr  Group addr
Fa0/0       123  100  3609       Y    Master  10.1.1.1     10.1.1.100

VRRP status on R2
R2# show vrrp brief
Interface   Grp  Pri  Time  Own  Pre  State   Master addr  Group addr
Fa0/0       123   90  3648       Y    Backup  10.1.1.1     10.1.1.100

GLBP Operations
GLBP Overview
• GLBP provides gateway redundancy and load-balancing capability to a network segment. It provides redundancy with an active/standby gateway, and it provides load-balancing capability by ensuring that each member of the GLBP group takes care of forwarding the traffic to the appropriate gateway.
• GLBP contains two roles:
  1. Active virtual gateway (AVG)
  2. Active virtual forwarder (AVF)
• GLBP supports four active AVFs and one AVG per GLBP group.

GLBP Configuration
GLBP Configuration Commands
To assign the priority of a router within a GLBP group:
Switch(config-if)# glbp group priority level
Switch(config-if)# glbp group preempt [delay minimum seconds]
Switch(config-if)# glbp group timers [msec] hellotime [msec] holdtime

Active Virtual Forwarder:
Switch(config-if)# glbp group timers redirect redirect timeout
Switch(config)# track object-number interface type mod/num {line-protocol | ip routing}
Switch(config-if)# glbp group weighting maximum [lower lower] [upper upper]
Switch(config-if)# glbp group weighting track object-number [decrement value]

GLBP load balancing:
Switch(config-if)# glbp group load-balancing [round-robin | weighted | host-dependent]

Enabling GLBP:
Switch(config-if)# glbp group ip [ip-address]

GLBP Configuration
GLBP Sample Configuration

R1(config)# interface g0/1
R1(config-if)# glbp 1 ip 192.168.1.254
R1(config-if)# glbp 1 preempt
R1(config-if)# glbp 1 priority 150
R1(config-if)# glbp 1 load-balancing round-robin

R3(config)# interface g0/1
R3(config-if)# glbp 1 ip 192.168.1.254
R3(config-if)# glbp 1 load-balancing round-robin

GLBP Configuration
GLBP Verification

R1# show glbp brief
Interface  Grp  Fwd  Pri  State    Address         Active router  Standby router
Gi0/1      1    -    150  Active   192.168.1.254   local          192.168.1.3
Gi0/1      1    1    -    Active   0007.b400.0101  local          -
Gi0/1      1    2    -    Listen   0007.b400.0102  192.168.1.3    -

R3# show glbp brief
Interface  Grp  Fwd  Pri  State    Address         Active router  Standby router
Gi0/1      1    -    100  Standby  192.168.1.254   192.168.1.1    local
Gi0/1      1    1    -    Listen   0007.b400.0101  192.168.1.1    -
Gi0/1      1    2    -    Active   0007.b400.0102  local          -

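Added Python example (not from the course) tying together the virtual MAC layouts given on this page: the HSRP version table, VRRP's 0000.5e00.01xx and the GLBP 0007.b400.ggff addresses in the show glbp brief output. virtual_mac() derives the address a gateway answers for, identify_virtual_mac() decodes one seen in a switch MAC table, and audit_mac_table() flags a VIP MAC learned on a port that is not a known gateway uplink, which is how an unexpected first-hop speaker shows up. The GLBP helper covers only the two-hex-digit group form shown in the output, and the port names in the sample are constructed.

```python
import re
from typing import List, Optional, Set, Tuple

# Virtual-MAC layouts from the HSRP version table and the VRRP overview on this page:
# (fixed hex prefix, number of low hex digits that carry the group number).
TEMPLATES = {
    "hsrp-v1":      ("00000C07AC", 2),   # 0000.0C07.ACxx, groups 0-255
    "hsrp-v2-ipv4": ("00000C9FF",  3),   # 0000.0C9F.Fxxx, groups 0-4095
    "hsrp-v2-ipv6": ("000573A00",  3),   # 0005.73A0.0xxx, groups 0-4095
    "vrrp":         ("00005E0001", 2),   # 0000.5E00.01xx, VRID 1-255
}
# GLBP as seen in "show glbp brief": 0007.B400.ggff, gg = group, ff = forwarder (1-4).
GLBP_PREFIX = "0007B400"


def to_cisco(hexmac: str) -> str:
    """Format 12 hex digits the way IOS prints them: xxxx.xxxx.xxxx, lower case."""
    return f"{hexmac[0:4]}.{hexmac[4:8]}.{hexmac[8:12]}".lower()


def virtual_mac(protocol: str, group: int, forwarder: Optional[int] = None) -> str:
    """Return the virtual MAC the gateway will answer ARP for, or raise ValueError."""
    if protocol == "glbp":
        # Only the two-digit group form shown in this page's output is modelled (groups 0-255).
        if not 0 <= group <= 255 or forwarder not in (1, 2, 3, 4):
            raise ValueError("GLBP: group 0-255 and forwarder 1-4 expected")
        return to_cisco(f"{GLBP_PREFIX}{group:02X}{forwarder:02X}")
    prefix, digits = TEMPLATES[protocol]           # KeyError for an unknown protocol name
    low = 1 if protocol == "vrrp" else 0           # VRRP VRID 0 is not valid
    if not low <= group <= 16 ** digits - 1:
        raise ValueError(f"{protocol}: group must be {low}-{16 ** digits - 1}")
    return to_cisco(f"{prefix}{group:0{digits}X}")


def rejects(protocol: str, group: int, forwarder: Optional[int] = None) -> bool:
    """True if virtual_mac refuses the combination (out-of-range group or forwarder)."""
    try:
        virtual_mac(protocol, group, forwarder)
        return False
    except ValueError:
        return True


def identify_virtual_mac(mac: str) -> Optional[Tuple[str, int, Optional[int]]]:
    """Decode a MAC in any common notation to (protocol, group, forwarder); None if not an FHRP VIP MAC."""
    h = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(h) != 12:
        raise ValueError("expected a 48-bit MAC address")
    if h.startswith(GLBP_PREFIX):
        return "glbp", int(h[8:10], 16), int(h[10:12], 16)
    for proto, (prefix, _) in TEMPLATES.items():
        if h.startswith(prefix):
            return proto, int(h[len(prefix):], 16), None
    return None


def audit_mac_table(entries: List[Tuple[str, str]], gateway_ports: Set[str]) -> List[Tuple[str, str, str]]:
    """Flag FHRP virtual MACs learned on ports other than the known gateway uplinks.

    entries are (mac, port) pairs as read from a switch's MAC address table; a VIP MAC
    appearing on an access port means something other than the gateways is answering for the VIP.
    """
    alerts = []
    for mac, port in entries:
        ident = identify_virtual_mac(mac)
        if ident and port not in gateway_ports:
            alerts.append((mac, port, ident[0]))
    return alerts
```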
15.3 Network Address Translation (NAT)

NAT Characteristics
IPv4 Address Space
• Networks are commonly implemented using private IPv4 addresses, as defined in RFC 1918.
• Private IPv4 addresses cannot be routed over the internet and are used within an organization or site to allow devices to communicate locally.
• To allow a device with a private IPv4 address to access devices and resources outside of the local network, the private address must first be translated to a public address.
• NAT provides the translation of private addresses to public addresses.

RFC 1918 private address space:
Class | Range                         | Prefix
A     | 10.0.0.0 - 10.255.255.255     | 10.0.0.0/8
B     | 172.16.0.0 - 172.31.255.255   | 172.16.0.0/12
C     | 192.168.0.0 - 192.168.255.255 | 192.168.0.0/16

NAT Characteristics
What is NAT
• The primary use of NAT is to conserve
public IPv4 addresses.
• NAT allows networks to use private IPv4
addresses internally and translates them
to a public address when needed.
• A NAT router typically operates at the
border of a stub network.
• When a device inside the stub network
wants to communicate with a device
outside of its network, the packet is
forwarded to the border router which
performs the NAT process, translating
the internal private address of the device
to a public, outside, routable address.

NAT Characteristics
NAT Terminology
NAT includes four types of addresses:

• Inside local: The actual private IP address assigned to a device on the inside
network(s).
• Inside global: The public IP address that represents one or more inside local IP
addresses to the outside.
• Outside local: The IP address of an outside host as it appears to the inside
network. The IP address does not have to be reachable by the outside but is
considered private and must be reachable by the inside network.
• Outside global: The public IP address assigned to a host on the outside network.
This IP address must be reachable by the outside network.

Static NAT
Static NAT
• Static NAT is a one-to-one mapping between one IP address and another IP address.
  • Inside static NAT
  • Outside static NAT
• Inside static NAT allows external devices to initiate connections to internal devices using the statically assigned public address.

Static NAT
Configure Static NAT
There are two basic tasks when configuring static NAT translations:
• Step 1 - Create a mapping between the inside local address and the inside global address using the ip nat inside source static command.
• Step 2 - Configure the interfaces participating in the translation as inside or outside relative to NAT with the ip nat inside and ip nat outside commands.

R2(config)# ip nat inside source static 192.168.10.254 209.165.201.5
R2(config)#
R2(config)# interface serial 0/1/0
R2(config-if)# ip address 192.168.1.2 255.255.255.252
R2(config-if)# ip nat inside
R2(config-if)# exit
R2(config)# interface serial 0/1/1
R2(config-if)# ip address 209.165.200.1 255.255.255.252
R2(config-if)# ip nat outside

Static NAT
Verify Static NAT
To verify NAT operation, issue the show ip nat translations command.
• This command shows active NAT translations.
• Because the example is a static NAT configuration, the translation is always present in the NAT table regardless of any active communications.
• If the command is issued during an active session, the output also indicates the address of the outside device.

R2# show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
---  209.165.201.5      192.168.10.254     ---                ---
Total number of translations: 1

R2# show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
tcp  209.165.201.5      192.168.10.254     209.165.200.254    209.165.200.254
---  209.165.201.5      192.168.10.254     ---                ---
Total number of translations: 2

Pooled NAT
Pooled NAT
• Pooled NAT provides a dynamic one-to-one mapping of a local IP address to a global IP address. The global IP address is temporarily assigned to a local IP address. After a certain amount of idle NAT time, the global IP address is returned to the pool.

Pooled NAT
Configure Pooled NAT
There are five tasks when configuring pooled NAT translations:
• Step 1 - Define the pool of addresses that will be used for translation using the ip nat pool command.
• Step 2 - Configure a standard ACL to identify (permit) only those addresses that are to be translated.
• Step 3 - Bind the ACL to the pool using the ip nat inside source list command.

R2(config)# ip nat pool NAT-POOL1 209.165.200.226 209.165.200.240 netmask 255.255.255.224
R2(config)# access-list 1 permit 192.168.0.0 0.0.255.255
R2(config)# ip nat inside source list 1 pool NAT-POOL1

Pooled NAT
Configure Pooled NAT (Cont.)
The remaining two of the five tasks when configuring pooled (dynamic) NAT translations:
• Step 4 - Identify which interfaces are inside.
• Step 5 - Identify which interfaces are outside.

R2(config)# ip nat pool NAT-POOL1 209.165.200.226 209.165.200.240 netmask 255.255.255.224
R2(config)# access-list 1 permit 192.168.0.0 0.0.255.255
R2(config)# ip nat inside source list 1 pool NAT-POOL1
R2(config)# interface serial 0/1/0
R2(config-if)# ip nat inside
R2(config-if)# interface serial 0/1/1
R2(config-if)# ip nat outside

Pooled NAT
Verify Pooled NAT
The output of the show ip nat translations command displays all static translations that have been configured and any dynamic translations that have been created by traffic.

R2# show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
---  209.165.200.228    192.168.10.10      ---                ---
---  209.165.200.229    192.168.11.10      ---                ---
R2#

Pooled NAT
Verify Pooled NAT (Cont.)
By default, translation entries time out after 24 hours, unless the timers have been reconfigured with the ip nat translation timeout timeout-seconds command in global configuration mode. To clear dynamic entries before the timeout has expired, use the clear ip nat translation privileged EXEC mode command.

R2# clear ip nat translation *
R2# show ip nat translation

PAT
PAT
• PAT provides a dynamic many-to-one mapping of many local IP addresses to one global IP address. The NAT device translates the private IP address and port to a different global IP address and port.

PAT
Configure PAT
To configure PAT to use a single IPv4 address, add the keyword overload to the ip nat inside source command. The interface named in the command is the outside interface whose address all translated hosts share.

R2(config)# ip nat inside source list 1 interface serial 0/1/1 overload
R2(config)#
R2(config)# access-list 1 permit 192.168.0.0 0.0.255.255
R2(config)# interface serial0/1/0
R2(config-if)# ip nat inside
R2(config-if)# exit
R2(config)# interface Serial0/1/1
R2(config-if)# ip nat outside

To configure PAT with a pool of addresses, add overload to the ip nat inside source list ... pool command:

R2(config)# ip nat pool NAT-POOL2 209.165.200.226 209.165.200.240 netmask 255.255.255.224
R2(config)# access-list 1 permit 192.168.0.0 0.0.255.255
R2(config)# ip nat inside source list 1 pool NAT-POOL2 overload
R2(config)# interface serial0/1/0
R2(config-if)# ip nat inside
R2(config-if)# interface serial0/1/1
R2(config-if)# ip nat outside

PAT
Verify PAT
The same commands used to verify static and pooled NAT are used to verify PAT. The show ip nat translations command displays the translations from two different hosts to different web servers.

R2# show ip nat translations
Pro  Inside global          Inside local          Outside local        Outside global
tcp  209.165.200.225:1444   192.168.10.10:1444    209.165.201.1:80     209.165.201.1:80
tcp  209.165.200.225:1445   192.168.11.10:1444    209.165.202.129:80   209.165.202.129:80
R2#

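The static, pooled and PAT behaviour described in this section, modelled in Python as an added example (not course material). The class mirrors R2's commands: the static mapping, the pool gated by the ACL, overload with port allocation, the 24-hour translation timeout and clear ip nat translation *; show() lays rows out like show ip nat translations. The pool, ACL and host addresses are the slides' values; the outside hosts 198.51.100.x are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# RFC 1918 ranges from the IPv4 address space table earlier in this chapter.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """True if addr is an RFC 1918 address, i.e. one that must be translated to leave the site."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


@dataclass
class Entry:
    proto: str                 # "tcp"/"udp", or "---" for an address-only mapping
    inside_global: str         # carries ":port" for PAT entries
    inside_local: str
    outside_local: str = "---"
    outside_global: str = "---"
    last_used: float = 0.0
    static: bool = False


class NatRouter:
    """Toy model of R2's three translation styles: static, pooled (dynamic 1:1) and PAT."""

    def __init__(self, permit: str = "192.168.0.0/16", pool: Optional[List[str]] = None,
                 overload_addr: Optional[str] = None, timeout: float = 24 * 3600):
        self.permit = ipaddress.ip_network(permit)   # access-list 1 permit 192.168.0.0 0.0.255.255
        self.pool = list(pool or [])                  # ip nat pool NAT-POOL1 ...
        self.overload_addr = overload_addr            # ip nat inside source list 1 interface ... overload
        self.timeout = timeout                        # ip nat translation timeout (default 24 hours)
        self.static: Dict[str, str] = {}
        self.table: List[Entry] = []

    def add_static(self, inside_local: str, inside_global: str) -> None:
        """ip nat inside source static: the mapping is always in the table, traffic or not."""
        self.static[inside_local] = inside_global
        self.table.append(Entry("---", inside_global, inside_local, static=True))

    def clear(self) -> None:
        """clear ip nat translation *: drops dynamic entries, keeps static ones."""
        self.table = [e for e in self.table if e.static]

    def _expire(self, now: float) -> None:
        self.table = [e for e in self.table if e.static or now - e.last_used < self.timeout]

    def translate(self, proto: str, inside_local: str, sport: int, outside: str, dport: int,
                  now: float = 0.0) -> Optional[Tuple[str, int]]:
        """Translate one inside-to-outside flow; returns (inside global address, port) or None."""
        self._expire(now)
        if inside_local in self.static:               # static host: record the active session
            g = self.static[inside_local]
            self.table.append(Entry(proto, g, inside_local, outside, outside, now))
            return g, sport
        if ipaddress.ip_address(inside_local) not in self.permit:
            return None                               # not permitted by the ACL: left untranslated
        if self.overload_addr:                        # PAT: many-to-one, flows told apart by port
            key = (proto, f"{inside_local}:{sport}", f"{outside}:{dport}")
            for e in self.table:
                if (e.proto, e.inside_local, e.outside_global) == key:
                    e.last_used = now                 # existing flow: refresh and reuse its port
                    return self.overload_addr, int(e.inside_global.rsplit(":", 1)[1])
            used = {int(e.inside_global.rsplit(":", 1)[1]) for e in self.table if ":" in e.inside_global}
            port = sport
            while port in used:                       # keep the source port if free, else the next one
                port = port + 1 if port < 65535 else 1024
            self.table.append(Entry(proto, f"{self.overload_addr}:{port}", key[1], key[2], key[2], now))
            return self.overload_addr, port
        for e in self.table:                          # pooled NAT: reuse the host's current address
            if not e.static and e.inside_local == inside_local:
                e.last_used = now
                return e.inside_global, sport
        in_use = {e.inside_global for e in self.table}
        free = [a for a in self.pool if a not in in_use]
        if not free:
            return None                               # pool exhausted: the packet is dropped
        self.table.append(Entry("---", free[0], inside_local, last_used=now))
        return free[0], sport

    def show(self) -> List[str]:
        """Rows laid out like 'show ip nat translations'."""
        cols = ("Pro", "Inside global", "Inside local", "Outside local", "Outside global")
        lines = [f"{cols[0]:<4}{cols[1]:<22}{cols[2]:<22}{cols[3]:<22}{cols[4]}"]
        for e in self.table:
            lines.append(f"{e.proto:<4}{e.inside_global:<22}{e.inside_local:<22}"
                         f"{e.outside_local:<22}{e.outside_global}")
        return lines
```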
Chapter 16: Overlay Tunnels

Enterprise Core (ENCOR 350-401)

Chapter 16

Item | Content | Description
16.1 | GRE     | Generic Routing Encapsulation
16.2 | IPsec   | IP Security
16.3 | LISP    | Locator ID Separation Protocol
16.4 | VXLAN   | Virtual Extensible Local Area Network

An overlay network is a logical or virtual network built over a physical transport network referred to as an underlay network. Overlay networks are used to overcome shortcomings of traditional networks by enabling network virtualization, segmentation, and security to make traditional networks more manageable, flexible, secure (by means of encryption), and scalable.

16.1 Generic Routing Encapsulation (GRE)

GRE Overview
GRE Introduction
• Generic Routing Encapsulation (GRE) is a non-secure, site-to-site VPN tunneling protocol.
• Developed by Cisco.
• GRE manages the transportation of multiprotocol and IP multicast traffic between two or more sites.

GRE Overview
GRE Characteristics
• GRE is defined as an IETF standard (RFC 2784).
• GRE encapsulation uses a protocol type field in the GRE header to support the encapsulation of any OSI Layer 3 protocol.
• GRE does not include any strong security mechanisms.
• The GRE header, together with the tunneling IP header, creates at least 24 bytes of additional overhead for tunneled packets.
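The protocol type field and the 24-byte overhead are easiest to see in bytes. The following Python is an added example (not from the course): it builds the 20-byte outer IPv4 header with protocol 47 and the 4-byte RFC 2784 GRE header, encapsulates a constructed inner packet between the tunnel endpoints 10.1.101.1 and 10.1.102.2 used in the GRE over IPsec configuration later on this page, and decapsulates it again. The inner packet is a made-up EIGRP datagram (IP protocol 88) between the tunnel addresses 192.168.12.1 and 192.168.12.2. The optional GRE checksum is unkeyed, so it catches corruption but cannot stand in for the integrity protection IPsec adds.

```python
import socket
import struct

GRE_IP_PROTO = 47          # outer IP protocol number for GRE (the /47/ in the crypto ACL idents below)
ETHERTYPE_IPV4 = 0x0800    # GRE protocol type values are Ethertypes; 0x0800 = inner IPv4
EIGRP_IP_PROTO = 88        # constructed inner payload: EIGRP, the passenger protocol named on this page


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over data (odd lengths are zero-padded); returns 0 when data already verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 255) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:]


def gre_header(protocol_type: int, payload: bytes, checksum: bool = False) -> bytes:
    """RFC 2784 header: C flag, reserved0/version (0), protocol type; 4 more bytes when C is set."""
    hdr = struct.pack("!HH", 0x8000 if checksum else 0, protocol_type)
    if checksum:
        hdr += struct.pack("!HH", 0, 0)                         # checksum + reserved1 placeholders
        csum = ones_complement_sum(hdr + payload)               # covers GRE header and payload
        hdr = hdr[:4] + struct.pack("!HH", csum, 0)
    return hdr


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str,
                    protocol_type: int = ETHERTYPE_IPV4, checksum: bool = False) -> bytes:
    """Wrap an inner packet: outer IPv4 (tunnel source/destination) + GRE + inner."""
    gre = gre_header(protocol_type, inner, checksum)
    return ipv4_header(tunnel_src, tunnel_dst, GRE_IP_PROTO, len(gre) + len(inner)) + gre + inner


def gre_decapsulate(packet: bytes):
    """Validate the outer IPv4 and GRE headers; return (protocol_type, inner) or raise ValueError."""
    if len(packet) < 24:
        raise ValueError("too short for IPv4 + GRE")
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < 20 or len(packet) < ihl + 4:
        raise ValueError("malformed outer IPv4 header")
    if ones_complement_sum(packet[:ihl]) != 0:
        raise ValueError("bad outer IP header checksum")
    if packet[9] != GRE_IP_PROTO:
        raise ValueError(f"outer protocol {packet[9]} is not GRE")
    flags, protocol_type = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    gre_len = 4
    if flags & 0x8000:                                           # C flag set: verify the extra 4 bytes
        gre_len = 8
        if len(packet) < ihl + 8 or ones_complement_sum(packet[ihl:]) != 0:
            raise ValueError("bad GRE checksum")
    return protocol_type, packet[ihl + gre_len:]


def gre_overhead(checksum: bool = False) -> int:
    """Bytes added per tunneled packet: 20 (outer IPv4) + 4 (GRE), or 28 with the GRE checksum."""
    return 20 + (8 if checksum else 4)


def is_rejected(packet: bytes) -> bool:
    """True if gre_decapsulate refuses the packet (corruption, wrong protocol, truncation)."""
    try:
        gre_decapsulate(packet)
        return False
    except ValueError:
        return True
```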

Implement GRE
Configure GRE
• Five steps to configuring a GRE tunnel:
  • Step 1. Create a tunnel interface using the interface tunnel number command.
  • Step 2. Configure an IP address for the tunnel interface (usually a private address).
  • Step 3. Specify the tunnel source IP address.
  • Step 4. Specify the tunnel destination IP address.
  • Step 5. (Optional) Specify GRE tunnel mode as the tunnel interface mode.

Note: The tunnel source and tunnel destination commands reference the IP addresses of the preconfigured physical interfaces.

Implement GRE
Verify GRE
• Use the show ip interface brief command to verify that the tunnel interface is up.
• Use the show interface tunnel command to verify the state of the tunnel.

16.2 IPsec

IPsec
IPsec Overview
• IPsec is a framework of open standards for creating highly secure virtual private networks (VPNs) using various protocols and technologies for secure communication across unsecure networks, such as the Internet.
• IPsec uses two different packet headers to deliver the security services:
  1. Authentication Header (AH)
  2. Encapsulating Security Payload (ESP)

IPsec
IPsec Overview (Cont.)
• Authentication Header: The authentication header ensures that the original data packet (before encapsulation) has not been modified during transport on the public network. It creates a digital signature similar to a checksum to ensure that the packet has not been modified, using protocol number 51 located in the IP header.
• Encapsulating Security Payload: ESP ensures that the original payload (before encapsulation) maintains data confidentiality by encrypting the payload and adding a new set of headers during transport across a public network. ESP uses protocol number 50, located in the IP header.

IPsec
IPsec Overview (Cont.)
• Transform Sets: A transform set is a combination of security protocols and algorithms. During the IPsec SA negotiation, the peers agree to use a particular transform set for protecting a particular data flow.
• Internet Key Exchange (IKE): IKE is a protocol that performs authentication between two endpoints to establish security associations (SAs), also known as IKE tunnels. There are two versions of IKE: IKEv1 (specified in RFC 2409) and IKEv2 (specified in RFC 7296).
• IKEv1: Internet Security Association Key Management Protocol (ISAKMP) is a framework for authentication and key exchange between two peers to establish, modify, and tear down SAs.
• IKEv2: IKEv2 is an evolution of IKEv1 that includes many changes and improvements that simplify it and make it more efficient. One of the major changes has to do with the way the SAs are established.

Types of VPNs
GRE over IPsec
For example, Branch and HQ need to exchange OSPF routing information over an IPsec VPN. GRE over IPsec is used to support the routing protocol traffic over the IPsec VPN. Specifically, the OSPF or EIGRP packets (i.e., the passenger protocol) would be encapsulated by GRE (i.e., the carrier protocol) and subsequently encapsulated in an IPsec VPN tunnel.

Types of VPNs
GRE over IPsec (Configuration Scenario)

Types of VPNs
GRE over IPsec (Configuration R1)
interface FastEthernet0/0
 ip address 10.1.101.1 255.255.255.0
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Tunnel12
 ip address 192.168.12.1 255.255.255.0
 tunnel source 10.1.101.1
 tunnel destination 10.1.102.2
!
router eigrp 12
 network 1.1.1.1 0.0.0.0
 network 192.168.12.0
!
access-list 130 permit gre host 10.1.101.1 host 10.1.102.2
!
crypto isakmp key cisco123 address 10.1.102.2
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 1
!
crypto ipsec transform-set esp-3des esp-3des esp-sha-hmac
!
crypto map out_map 10 ipsec-isakmp
 set peer 10.1.102.2
 set transform-set esp-3des
 match address 130
!
interface FastEthernet0/0
 crypto map out_map

Note: the DES, 3DES, SHA-1 and Diffie-Hellman group 1 parameters above are the course's lab values and are considered weak today; production tunnels should use AES, SHA-2 and DH group 14 or higher.

Types of VPNs
GRE over IPsec (Configuration R2)
interface FastEthernet0/0
 ip address 10.1.102.2 255.255.255.0
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Tunnel12
 ip address 192.168.12.2 255.255.255.0
 tunnel source 10.1.102.2
 tunnel destination 10.1.101.1
!
router eigrp 12
 network 2.2.2.2 0.0.0.0
 network 192.168.12.0
!
access-list 130 permit gre host 10.1.102.2 host 10.1.101.1
!
crypto isakmp key cisco123 address 10.1.101.1
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 1
!
crypto ipsec transform-set esp-3des esp-3des esp-sha-hmac
!
crypto map out_map 10 ipsec-isakmp
 set peer 10.1.101.1
 set transform-set esp-3des
 match address 130
!
interface FastEthernet0/0
 crypto map out_map

Types of VPNs
GRE over IPsec (Verification)
R1# show crypto ipsec sa peer 10.1.102.2

interface: FastEthernet0/0
    Crypto map tag: out_map, local addr 10.1.101.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.101.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.1.102.2/255.255.255.255/47/0)
   current_peer 10.1.102.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 711, #pkts encrypt: 711, #pkts digest: 711
    #pkts decaps: 690, #pkts decrypt: 690, #pkts verify: 690

Types of VPNs
GRE over IPsec (Verification)

R2#sh crypto ipsec sa peer 10.1.101.1

interface: FastEthernet0/0
Crypto map tag: out_map, local addr 10.1.102.2

protected vrf: (none)


local ident (addr/mask/prot/port): (10.1.102.2/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.1.101.1/255.255.255.255/47/0)
current_peer 10.1.101.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 725, #pkts encrypt: 725, #pkts digest: 725
#pkts decaps: 700, #pkts decrypt: 700, #pkts verify: 700

1.3 Locator ID Separation Protocol (LISP)

LISP
LISP Overview
• LISP (RFC6830) is a network architecture and protocol that implements the use of two
namespaces instead of a single IP address:
1. Endpoint identifiers (EIDs)—assigned to end hosts.
2. Routing locators (RLOCs)—assigned to devices (primarily routers) that make up
the global routing system.

Splitting the EID and RLOC functions yields several advantages, including improved routing
system scalability, improved multihoming efficiency, and ingress traffic engineering.
LISP functionality requires LISP-specific configuration of one or more LISP-related
devices, such as the LISP egress tunnel router (ETR), ingress tunnel router (ITR), proxy
ETR (PETR), proxy ITR (PITR), map resolver (MR), map server (MS), and LISP
alternative logical topology (ALT) device.

LISP
LISP Overview

LISP
LISP ARCHITECTURE
• Architecture LISP

LISP
LISP Overview
• LISP site: This is the name of a site where LISP routers and EIDs reside.
• Ingress tunnel router (ITR): ITRs are LISP routers that LISP-encapsulate IP packets coming from EIDs that are
destined outside the LISP site.
• Egress tunnel router (ETR): ETRs are LISP routers that de-encapsulate LISP-encapsulated IP packets
coming from sites outside the LISP site and destined to EIDs within the LISP site.
• Tunnel router (xTR)
• Proxy ITR (PITR): PITRs are just like ITRs but for non-LISP sites that send traffic to EID destinations.
• Proxy ETR (PETR): PETRs act just like ETRs but for EIDs that send traffic to destinations at non-LISP
sites.
• Proxy xTR (PxTR)
• LISP router
• Map server (MS): This is a network device (typically a router) that learns EID-to-prefix mapping entries
from an ETR and stores them in a local EID-to-RLOC mapping database.
• Map resolver (MR): This is a network device (typically a router) that receives LISP-encapsulated map
requests from an ITR and finds the appropriate ETR to answer those requests by consulting the map
server.
• Map server/map resolver (MS/MR)
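As an added example, not from the slides, the MS, MR and ITR roles defined above (and the EID/RLOC split from the LISP overview) simulated in Python: an ETR registers EID prefixes with the map server, the map resolver answers map-requests with a longest-prefix match, and the ITR caches the reply and builds the outer RLOC header. The topology, addresses and class names are constructed for this example.

```python
import ipaddress

def longest_match(db, addr):
    """Longest-prefix lookup of an EID address in a dict keyed by EID prefix."""
    matches = [p for p in db if addr in p]
    return max(matches, key=lambda p: p.prefixlen) if matches else None

class MapServer:
    """MS role from the slides: holds EID-prefix -> RLOC mappings registered by ETRs."""
    def __init__(self):
        self.db = {}                                   # ip_network -> list of RLOC strings

    def map_register(self, eid_prefix, rlocs):
        """An ETR registers its site's EID prefix and the RLOCs that reach it."""
        self.db[ipaddress.ip_network(eid_prefix)] = list(rlocs)

class MapResolver:
    """MR role: answers an ITR's map-request by consulting the map server."""
    def __init__(self, ms):
        self.ms = ms

    def map_request(self, dst_eid):
        prefix = longest_match(self.ms.db, ipaddress.ip_address(dst_eid))
        if prefix is None:
            return None                                # negative reply: not a LISP EID
        return prefix, self.ms.db[prefix]

class ITR:
    """ITR role: resolves a destination EID once, caches the reply, encapsulates to an RLOC."""
    def __init__(self, mr, rloc):
        self.mr, self.rloc, self.map_cache = mr, rloc, {}

    def forward(self, src_eid, dst_eid):
        """Return (outer_src, outer_dst, inner_src, inner_dst) or None for native forwarding."""
        addr = ipaddress.ip_address(dst_eid)
        prefix = longest_match(self.map_cache, addr)
        if prefix is None:                             # map-cache miss: ask the MR
            reply = self.mr.map_request(dst_eid)
            if reply is None:
                return None
            prefix, rlocs = reply
            self.map_cache[prefix] = rlocs
        outer_dst = self.map_cache[prefix][0]          # first RLOC (RFC 6830 records also carry priority/weight)
        return (self.rloc, outer_dst, src_eid, dst_eid)

# Constructed topology: one LISP site registers a /16 and a more specific /24 behind two ETRs
ms = MapServer()
ms.map_register("10.1.0.0/16", ["192.0.2.1"])
ms.map_register("10.1.5.0/24", ["192.0.2.2"])
itr = ITR(MapResolver(ms), rloc="198.51.100.1")
```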

Operation
LISP Operation
[Figure: LISP operation, showing the MR, MS, ITR and ETR roles]
LISP
LISP Packet Format

1.4 Virtual Extensible Local Area Network (VXLAN)

VXLAN
VXLAN Overview
• VXLAN (RFC7348) is a network virtualization technology that attempts to address the
scalability problems associated with large cloud computing deployments. It uses a
VLAN-like encapsulation technique to encapsulate OSI layer 2 Ethernet frames within
layer 4 UDP datagrams, using 4789 as the default IANA-assigned destination UDP
port number.

• The VXLAN specification was originally created by VMware, Arista Networks and Cisco.

• VXLAN solves three main problems:
1. 16M VNIs (broadcast domains) versus the 4K offered by traditional VLANs.
2. Allows L2 to be extended anywhere in an IP network.
3. Optimized flooding.
VXLAN
VXLAN ARCHITECTURE
• Architecture VXLAN

VXLAN
VXLAN Packet Format
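Added example in Python, not from the slides, covering the encapsulation described in the VXLAN overview and the packet format this slide illustrates: it builds and parses the 8-byte VXLAN header inside a UDP datagram to port 4789 and applies the checks a receiving VTEP makes before handing the inner frame to the VNI. The sample frame and function names are constructed for this example.

```python
import struct

VXLAN_UDP_PORT = 4789            # IANA-assigned destination port (RFC 7348)
VXLAN_FLAG_I = 0x08              # "I" bit: the VNI field is valid
MAX_VNI = (1 << 24) - 1          # 24-bit VNI: 2^24 (~16M) segments vs 4094 802.1Q VLANs

def vxlan_encapsulate(vni, inner_frame, src_port=49152):
    """Wrap an Ethernet frame in a UDP(dst 4789) datagram with the 8-byte VXLAN header."""
    if not 0 <= vni <= MAX_VNI:
        raise ValueError("VNI must fit in 24 bits")
    # VXLAN header: flags (1 byte), 3 reserved bytes, VNI (3 bytes), 1 reserved byte
    vxlan_hdr = struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8)
    payload = vxlan_hdr + inner_frame
    # UDP header: src port, dst port, length, checksum (zero is permitted over IPv4)
    udp_hdr = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, 8 + len(payload), 0)
    return udp_hdr + payload

def vxlan_decapsulate(udp_datagram):
    """Return (vni, inner_frame); raise ValueError for anything a VTEP must drop."""
    if len(udp_datagram) < 16:
        raise ValueError("too short for UDP + VXLAN headers")
    _src, dst_port, length, _csum = struct.unpack("!HHHH", udp_datagram[:8])
    if dst_port != VXLAN_UDP_PORT:
        raise ValueError(f"not VXLAN: UDP destination port {dst_port}")
    if length != len(udp_datagram):
        raise ValueError("UDP length field does not match datagram size")
    if not udp_datagram[8] & VXLAN_FLAG_I:   # other flag/reserved bits are ignored on receipt
        raise ValueError("I flag clear: VNI not valid, frame must be dropped")
    vni = struct.unpack("!I", udp_datagram[12:16])[0] >> 8
    return vni, udp_datagram[16:]

def inner_ethernet_summary(frame):
    """Parse destination MAC, source MAC and EtherType of the carried Layer 2 frame."""
    if len(frame) < 14:
        raise ValueError("inner frame shorter than an Ethernet header")
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    return mac(frame[:6]), mac(frame[6:12]), struct.unpack("!H", frame[12:14])[0]

# Constructed sample: a broadcast ARP frame (EtherType 0x0806) to be carried on VNI 5000
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "0200deadbeef" "0806") + bytes(28)
```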

VXLAN
VXLAN Operation

Source:

• Edgerworth B. CCNP and CCIE Enterprise Core ENCOR 350-401. ciscopress.com
• https://www.oreilly.com/library/view/cisco-ios-cookbook/0596527225/ch14s13.html
• https://www.youtube.com/watch?v=IvdHW9ICkX4
• https://www.youtube.com/watch?v=YNqKDI_bnPM
• https://www.cisco.com/c/es_mx/support/docs/ip/ip-routing/212625-configure-multicast-over-lisp-phase-1.html
• https://www.ciscopress.com/articles/article.asp?p=2992605&seqNum=3
• https://ietf.org/standards/rfcs/
• https://www.cisco.com/c/en/us/products/ios-nx-os-software/first-hop-redundancy-protocol-fhrp/index.html
• https://www.netacad.com/
• https://es.wikipedia.org/wiki/Virtual_Extensible_LAN
• https://www.cisco.com/c/en/us/products/collateral/switches/nexus-9000-series-switches/white-paper-c11-729383.html