Ch 16: Overlay Tunnels Flashcards
What is an overlay network?
An overlay network is a logical or virtual network built over a physical transport network referred to as an underlay network. Overlay networks are used to overcome shortcomings of traditional networks by enabling network virtualization, segmentation, and security to make traditional networks more manageable, flexible, secure (by means of encryption), and scalable.
The following are examples of overlay tunneling technologies. What are these?
- GRE
- IPsec
- LISP
- VXLAN
- MPLS
Examples of overlay tunneling technologies include the following:
- Generic Routing Encapsulation (GRE)
- IP Security (IPsec)
- Locator/ID Separation Protocol (LISP)
- Virtual Extensible LAN (VXLAN)
- Multiprotocol Label Switching (MPLS)
T/F: An overlay tunnel can be built over another overlay tunnel.
True.
MPLS tunneling is not supported across the Internet unless it is tunneled within another tunneling protocol, such as GRE, which can then be encrypted with IPsec (MPLS over GRE over IPsec). A key takeaway from this is that an overlay tunnel can be built over another overlay tunnel.
Fact: Different combinations of overlay tunneling and encryption technologies opened the door to next-generation overlay fabric networks, such as the following. What do these acronyms stand for?
- SD-WAN
- SD-Access
- ACI
- VTS
Different combinations of overlay tunneling and encryption technologies opened the door to next-generation overlay fabric networks such as:
- Software-Defined WAN (SD-WAN)
- Software-Defined Access (SD-Access)
- Application Centric Infrastructure (ACI)
- Cisco Virtual Topology System (VTS)
Which of the following commands are optional for GRE configuration? (Choose two.)
- tunnel source {ip-address | interface-id}
- tunnel destination ip-address
- tunnel mode gre {ip | ipv6}
- keepalive
3 and 4.
When configuring a tunnel interface, the default mode is GRE, so there is no need to specify the tunnel mode with the command tunnel mode gre {ip | ipv6}. The command is useful when the tunnel mode is changed to another type (such as IPsec) and there is a need to change the tunnel mode back to GRE.
The keepalive command is also optional. It is used to make sure the other end of the tunnel is operational. This command does not need to be configured on both ends of the tunnel in order to work.
T/F: GRE was originally created to provide transport for non-routable legacy protocols.
True.
GRE was originally created to provide transport for non-routable legacy protocols such as Internetwork Packet Exchange (IPX) across an IP network, and it is now more commonly used as an overlay for IPv4 and IPv6.
Which of the following should not be dynamically advertised via an IGP into a GRE tunnel?
- Loopback interfaces
- The GRE tunnel source interface or source IP address
- Connected interfaces
- The GRE tunnel IP address
2.
The tunnel source interface or source IP address should not be advertised into a GRE tunnel because it would cause recursive routing issues. This is the outside, routable interface.
Which of the following are modes of packet transport supported by IPsec? (Choose two.)
- Tunnel mode
- Transparent mode
- Transport mode
- Crypto mode
1 and 3.
Traditional IPsec provides two modes of packet transport: tunnel mode and transport mode.
Which of the following are encryption protocols that should be avoided? (Choose two.)
a. DES
b. 3DES
c. AES
d. GCM
e. GMAC
1 and 2.
DES and 3DES are weak encryption protocols that are no longer recommended for use.
Which of the following is the message exchange mode used to establish an IKEv1 IPsec SA?
- Main mode
- Aggressive mode
- Quick mode
- CREATE_CHILD_SA
3.
The message exchange method used to establish an IPsec SA for IKEv1 is known as quick mode or QM. Main mode and aggressive mode are IKEv1 methods used to establish IKE SAs. For IKEv2, the IKE_AUTH exchange creates the first IPsec SA. If additional IPsec SAs are needed, a CREATE_CHILD_SA exchange is used to establish them.
LISP separates IP addresses into which of the following? (Choose two.)
- RLOCs
- LISP entities
- Subnets and hosts
- EIDs
1 and 4.
LISP separates IP addresses into endpoint identifiers (EIDs) and routing locators (RLOCs).
What is the destination UDP port used by the LISP data plane?
a. 4341
b. 4143
c. 4342
d. 4142
A.
The destination UDP port used by the LISP data plane is 4341. UDP port 4342 is used for LISP’s control plane messages.
T/F: ETRs are the only devices responsible for responding to map requests originated by ITRs.
False.
An ETR (Egress Tunnel Router) may also request that the MS (Mapping Server) answer map requests on its behalf by setting the proxy map reply flag (P-bit) in the map register message.
ITR (Ingress Tunnel Router): An ITR is responsible for finding EID-to-RLOC mappings for all traffic destined for LISP-capable sites.
Which of the following UDP ports is the UDP port officially assigned by the IANA for VXLAN?
a. 8947
b. 4789
c. 8472
d. 4987
B.
The IANA’s assigned VXLAN UDP destination port is 4789, while for Linux it is port 8472. The reason for this discrepancy is that when VXLAN was first implemented in Linux, the VXLAN UDP destination port had not yet been officially assigned, and Linux decided to use port 8472 because many vendors at the time were using that value.
T/F: The VXLAN specification defines a data plane and a control plane for VXLAN.
False.
The VXLAN specification defines VXLAN as a data plane protocol, but it does not define a VXLAN control plane, which was left open to be used with any control plane.
T/F: GRE tunnels have many uses, but they cannot be used to tunnel traffic through a firewall or an ACL.
False.
Yes, they can be used to tunnel traffic through a firewall or an ACL or to connect discontiguous networks, and they can even be used as networking duct tape for bad routing designs. Their most important application is that they can be used to create VPNs.
T/F: In a GRE encapsulated packet, the new IP header information allows the packet to be routed between the two tunnel endpoints without inspection of the packet’s payload.
True.
When a router encapsulates a packet for a GRE tunnel, it adds new header information to the packet, which contains the remote endpoint IP address as the destination.
The new IP header information allows the packet to be routed between the two tunnel endpoints without inspection of the packet’s payload.
After the packet reaches the remote endpoint, the GRE headers are removed, and the original packet is forwarded out the remote router.
Figure 16-1 illustrates an IP packet before and after GRE encapsulation.
Here are the commands to configure a GRE tunnel. Put them in order.
- ip mtu mtu (optional)
- interface tunnel tunnel-number
- keepalive [seconds [retries]] (optional)
- ip address ip-address subnet-mask
- tunnel source {ip-address | interface-id}
- bandwidth [1-10000000] (optional)
- tunnel destination ip-address
The proper order is: 2, 5, 7, 4, 6, 3, 1.
The 6 steps for configuring GRE tunnels are as follows:
- Create the tunnel interface by using the global configuration command interface tunnel tunnel-number.
- Identify the local source of the tunnel by using the interface parameter command tunnel source {ip-address | interface-id}. The tunnel source interface indicates the interface that will be used for encapsulation and de-encapsulation of the GRE tunnel. The tunnel source can be a physical interface or a loopback interface. A loopback interface can provide reachability if one of the transport interfaces fails.
- Identify the remote destination IP address by using the interface parameter command tunnel destination ip-address. The tunnel destination is the remote router’s underlay IP address toward which the local router sends GRE packets.
- Allocate an IP address to the tunnel interface by using the command ip address ip-address subnet-mask.
- (Optional) Define the tunnel bandwidth. Virtual interfaces do not have the concept of latency and need to have a reference bandwidth configured so that routing protocols that use bandwidth for best path calculation can make an intelligent decision. Bandwidth is also used for quality of service (QoS) configuration on the interface. Bandwidth is defined with the interface parameter command bandwidth [1-10000000], which is measured in kilobits per second.
- (Optional) Specify a GRE tunnel keepalive. Tunnel interfaces are GRE point-to-point (P2P) by default, and the line protocol enters an up state when the router detects that a route to the tunnel destination exists in the routing table. If the tunnel destination is not in the routing table, the tunnel interface (line protocol) enters a down state. Tunnel keepalives ensure that bidirectional communication exists between tunnel endpoints to keep the line protocol up. Otherwise, the router must rely on routing protocol timers to detect a dead remote endpoint. Keepalives are configured with the interface parameter command keepalive [seconds [retries]]. The default timer is 10 seconds, with three retries.
- (Optional) Define the IP maximum transmission unit (MTU) for the tunnel interface. The GRE tunnel adds a minimum of 24 bytes to the packet size to accommodate the headers that are added to the packet. Specifying the IP MTU on the tunnel interface has the router perform the fragmentation in advance of the host having to detect and specify the packet MTU. IP MTU is configured with the interface parameter command ip mtu mtu.
T/F: Virtual interfaces have no concept of bandwidth.
True.
Virtual interfaces do not have the concept of latency and need to have a reference bandwidth configured so that routing protocols that use bandwidth for best-path calculation can make an intelligent decision. Bandwidth is also used for quality of service (QoS) configuration on the interface.
T/F: A GRE tunnel source must be a physical interface.
False.
The tunnel source interface indicates the interface that will be used for encapsulation and de-encapsulation of the GRE tunnel. The tunnel source can be a physical interface or a loopback interface. A loopback interface can provide reachability if one of the transport interfaces fails.
T/F: The tunnel destination is the remote router’s overlay IP address toward which the local router sends GRE packets.
False.
The tunnel destination is the remote router’s underlay IP address toward which the local router sends GRE packets. The underlay is the physical transport infrastructure.
Fact: GRE tunnels need to have a working route in the route table in order to be in an up state. Why is this?
Tunnel interfaces are GRE point-to-point (P2P) by default, and the line protocol enters an up state when the router detects that a route to the tunnel destination exists in the routing table.
If the tunnel destination is not in the routing table, the tunnel interface (line protocol) enters a down state.
Keepalives are a solution to this problem. Tunnel keepalives ensure that bidirectional communication exists between tunnel endpoints to keep the line protocol up. Otherwise, the router must rely on routing protocol timers to detect a dead remote endpoint.
What is the minimum number of bytes that a GRE encapsulation will add to a packet?
The GRE tunnel adds a minimum of 24 bytes to the packet size to accommodate the headers that are added to the packet.
How much overhead is introduced to a packet with GRE encapsulation and using AES + SHA1 for security?
See attached figure.
Write the config for R1 and R2 so that:
- OSPF is enabled on the LAN (10.0.0.0/8)
- R1 ID of 1.1.1.1 - Area 1
- R2 ID of 2.2.2.2 - Area 2
- OSPF is enabled on the GRE tunnel (192.168.100.0/24) (Area 0)
- Default routes for R1 and R2 point to their respective ISPs
- Use Tunnel 100, BW=4Kbps, IPs of tunnels = .1 and .2, MTU=1400, keepalives should be sent every 5 seconds with 3 retries, Tunnel source and destination should be G0/1 on both routers.
Example 16-2 provides a GRE tunnel configuration for R1 and R2, following the steps for GRE configuration listed earlier in this section. OSPF is enabled on the LAN (10.0.0.0/8) and GRE tunnel (192.168.100.0/24) networks. With this configuration, R1 and R2 become direct OSPF neighbors over the GRE tunnel and learn each other’s routes. The default static routes are pointing to their respective ISP routers.
What is the command to view the state of a GRE tunnel?
The state of a GRE tunnel can be verified with the command:
- show interface tunnel number.
Example 16-3 shows output from this command. Notice that the output includes the tunnel source and destination addresses, keepalive values (if any), the tunnel line protocol state, and the fact that the tunnel is a GRE/IP tunnel.
What would you expect to see if you ran a traceroute from 10.1.1.1 to 10.2.2.2?
Notice that from R1’s perspective, the 10.2.2.2 network is only one hop away.
The traceroute does not display all the hops in the underlay. In the same fashion, the packet’s time-to-live (TTL) is encapsulated as part of the payload. The original TTL decreases by only one for the GRE tunnel, regardless of the number of hops in the transport network.
What is the default TTL on a GRE tunnel?
What is the command to change the default setting of TTL?
During GRE encapsulation, the default GRE TTL value is 255.
The interface parameter command tunnel ttl <1-255> is used to change the GRE TTL value.
Here are two common issues with GRE tunnels. What is a quick summary of these two pesky problems?
- Recursive Routing
- Outbound Interface Selection
- Recursive Routing: This happens when a routing protocol is used carelessly on a network tunnel. Care must be taken not to include the externally facing interface IP in the advertisement across the tunnel! If a router tries to reach the remote router’s encapsulating interface (transport IP address) via the tunnel (overlay network), problems will occur. Recursive routing problems are remediated by preventing the tunnel endpoint address from being advertised across the tunnel network.
- Outbound Interface Selection: This is simply a case of the wrong interface sending the traffic. A very common error.
What do the following syslog error messages indicate? What is the usual cause and solution?
01:56:39.808: %TUN-5-RECURDOWN: Tunnel100 temporarily disabled due to recursive routing
01:56:39.811: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel100, changed state to down
01:57:44.840: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on Tunnel100 from FULL to DOWN, Neighbor Down: Interface down or detached
01:57:44.845: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel100, changed state to up
01:57:44.849: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on Tunnel100 from LOADING to FULL, Loading Done
The syslog messages indicate that a recursive routing issue is occurring on the tunnel. This cycle will repeat endlessly.
For the issue shown in Example 16-6, removing the tunnel endpoint interfaces (Internet-facing interfaces) from OSPF would stabilize the topology.
List the three most insecure methods IPsec offers for data security and protection from man-in-the-middle attacks.
- Data Encryption Standard (DES) (data confidentiality)
- Triple DES (3DES) (data confidentiality)
- MD5 (HMAC function; data integrity, MitM attack mitigation)
What is HMAC?
Hash Message Authentication Code (HMAC). HMAC functions:
- Message Digest 5 (MD5) algorithm
- Secure Hash Algorithm (SHA-1)
NOTE: The use of MD5 is not recommended.
These are used for:
- Data integrity
- Prevents man-in-the-middle (MitM) attacks by ensuring that data has not been tampered with during its transit across an unsecure network.
What does IPSec use for data confidentiality?
- Data Encryption Standard (DES)
- Triple DES (3DES)
- Advanced Encryption Standard (AES)
Note: The use of DES and 3DES is not recommended.
These standards protect data from eavesdropping attacks through encryption algorithms, which change plaintext into encrypted ciphertext.
What are the two methods IPSec uses for Peer authentication?
- Pre-Shared Key (PSK)
- Digital certificates
Verifies the identity of the VPN peer through authentication.
What is Replay detection? How does IPSec defeat this attack?
Prevents MitM attacks where an attacker captures VPN traffic and replays it back to a VPN peer with the intention of building an illegitimate VPN tunnel.
Every packet is marked with a unique sequence number. A VPN device keeps track of the sequence number and does not accept a packet with a sequence number it has already processed.
IPsec uses two different packet headers to deliver the security services, what are they?
- Authentication header
- Encapsulating Security Payload (ESP)
What is the authentication header and what does it provide? Why is it not used typically?
- The IP authentication header provides data integrity, authentication, and protection from hackers replaying packets.
- The authentication header ensures that the original data packet (before encapsulation) has not been modified during transport on the public network.
- It creates a digital signature similar to a checksum to ensure that the packet has not been modified, using protocol number 51 located in the IP header.
- The authentication header does not support encryption (data confidentiality) and NAT traversal (NAT-T), and for this reason, its use is not recommended, unless authentication is all that is desired.
What is ESP?
Encapsulating Security Payload (ESP) provides data confidentiality, authentication, and protection from hackers replaying packets. Typically, payload refers to the actual data minus any headers, but in the context of ESP, the payload is the portion of the original packet that is encapsulated within the IPsec headers.
ESP ensures that the original payload (before encapsulation) maintains data confidentiality by encrypting the payload and adding a new set of headers during transport across a public network. ESP uses the protocol number 50, located in the IP header. Unlike the authentication header, ESP does provide data confidentiality and supports NAT-T.
Traditional IPsec provides two modes of packet transport. What is the difference between these two?
- Tunnel mode
- Transport mode
Tunnel mode: Encrypts the entire original packet and adds a new set of IPsec headers. These new headers are used to route the packet and also provide overlay functions.
Transport mode: Encrypts and authenticates only the packet payload. This mode does not provide overlay functions and routes based on the original IP headers.
How many bits is the key used by DES? What is the difference between DES and Triple DES?
Data Encryption Standard (DES): A 56-bit symmetric data encryption algorithm that can encrypt the data sent over a VPN. This algorithm is very weak and should be avoided.
Triple DES (3DES): A data encryption algorithm that runs the DES algorithm three times with three different 56-bit keys. Using this algorithm is no longer recommended. The more advanced and more efficient AES should be used instead.