Virtual Private Network (VPN) | Cisco CCNA 200-301 (Jun 08, 2021)
Welcome to all! Holy schnikeys, it's great to have you here. Today we're going to focus on VPNs, and I'll give you a look behind the scenes. That's what we do here on Wednesdays: just give you a little background on what I'm creating and some of the cool stuff that's coming out. So today, as per your votes last Wednesday, we're going to do VPN. And just so you know, every Sunday at 11 a.m. Pacific Time is CCNA Sunday, which provides an opportunity to cover many of the CCNA topics.

I have about three months' worth of Sundays lined up to feature awesome stuff from the current and new CCNA, mostly the new CCNA, but all of that content is still relevant going backwards. So this coming Sunday is Layer 2 switching, and it's not going to cover everything, because there's so much that can be done with one or two switches: we have things like VLANs, trunking, inter-VLAN routing and everything else, so it's a lot of fun. But I'd like your input on what you'd like to cover next Wednesday, so Wednesday at 4 p.m. Pacific. That's what I'd like to know: what you want to cover. Here are some options I have for you; let's take a look at those. So December 18th, next Wednesday, a week from today, what would you like? I have had a few port security requests, but every time I put it up for a vote it doesn't get a majority vote, so I still hope to keep them in the queue. I appreciate the feedback and input, so these three are the three options I'd like to focus on for next Wednesday: that's port security, or inter-VLAN routing with a multilayer switch.

I'm surprised how many people, especially those new to Cisco, which is what I'm working with here, are very interested in how that multilayer switch works and how they can pop up a logical Layer 3 interface on a VLAN. It's amazing. Or option C: I can give you a behind-the-scenes look at the test labs I'm creating at CBT Nuggets, which I'm very excited for. More to come, especially next Wednesday, if you tell us what you select. So please let me know, either by letter or by title: port security, inter-VLAN routing with multilayer switches, or a look at the labs, and we'll do it next Wednesday. And if none of that sounds appealing to you, that's great, we'll have something else next Wednesday. And again this Sunday, which is the 15th, we'll be focusing on the Layer 2 switch, so if you want to join us for that or see the recordings of that, that's great.

I also want to thank Jake, who helped moderate for me today, and, as always, those of you who are seeing your fellow humans' questions in chat and replying to them to help them out. I take my hat off. Look, there are three or four people who have been consistently helping other people, and I really appreciate that. Even though it's all about having fun, progressing in the right direction and learning as you go, anytime you can help someone, I appreciate that. So today I want to talk to you about VPNs, because that's what we voted on last week. Let me share this with you and open another window here so you can see exactly what I'm sharing; otherwise, watch me. Here we go. This is the back-end studio at CBT Nuggets for some of the VPN content I've been creating as part of CCNA, so what I'd like to do is share maybe three or four of these with you; they're all quite a bit.
So let me introduce you to VPNs verbally, and then we'll go ahead and start with the first one, the VPN overview. I don't know what it is, but there's something about privacy that people want to maintain. So if we have data on a hard drive and it's stored there, and somebody steals that hard drive, like this is a great example: this is a Raspberry Pi device, it has a hard drive or flash drive that I can store data on, and if I store data on this and somebody physically steals this, and that data is not protected in any way, they can read the data. The same with a mobile device. So to protect the data, we encrypt it. Now, encrypt is just a fancy way of saying we're taking the data and we're encoding it with some kind of algorithm, a set of rules, and a key, so that the combination of that key and the actual algorithm means someone who doesn't have the key can get the data but can't understand it. That's called data at rest; it's like at the end of the day you're tired and you rest. Data at rest refers to data that is in storage. It could be in the cloud, it could be on a physical device at your location or at home, but data at rest we want to have encrypted to protect it too. Also, data on the way: if we have data going through a network, we also want it to be protected, keeping it private, so we also use the mechanisms of cryptography, which is a fancy way of saying hide the data, so that if people steal it off the cable, eavesdrop, they can't figure it out. And that's the main concept of a VPN. So in corporations we use VPNs to protect data coming and going, but we could also use a VPN as individuals if we don't want our Internet service provider, or we don't want the traffic that is passing over untrusted networks, to be intercepted and interpreted.

So I'd like to share with you some of these videos on VPNs, and then, if there are any questions that Jake wants to bring up, we can go ahead and address them, including voting for next week. So we're going to play this one first, and I'll slow it down here; it's too fast, too fast. "...using a technique called VPN, Virtual Private Networks." OK, that's why: when I'm going through my own content I go at double speed, because I know what I already said, but I'm going to reduce it to 1x for this presentation so we can all appreciate it together.
Let me line this up, and enjoy.

We send millions of packets every day over untrusted networks like the Internet, and if we want, we can have a little extra protection for those packets over the Internet using a technique called VPN, Virtual Private Networks, and that's what you and I will discuss in this video. So let's use this topology to talk together about when it might be appropriate or really useful to have that extra protection of a private network when you're sending traffic over other people's networks, including the Internet. One of those situations is if we have a remote site that wants to communicate with the central site through someone else's network or the Internet.

So the problem is that if we start sending packets on the Internet in just plain text, they are not encrypted or kept secret, and anyone, any service provider or router forwarding that traffic on the Internet, has a chance to eavesdrop on that traffic or possibly manipulate that traffic, which would compromise our security for communications between those two sites. So in this case what we could do is build a logical route, they call it a VPN tunnel, between these two endpoints: between the router at the HQ site and the router at the remote site. And this is what happens: whenever traffic from the HQ site is routed to the remote site, the router is going to pause for a second, just for that specific traffic, and say, OK, I'm going to take a moment and I'm going to encrypt the traffic, protect it, and logically send it through this tunnel. So when we say it's going to be sent through the tunnel, what that means is this router will encrypt the traffic and send it to its good friend here at the remote site, so this router can decrypt it. So from the Internet it looks like packets being sent, but behind the scenes the payload of those packets is encrypted. So if we have malicious actors on the Internet who want to eavesdrop on that data or want to manipulate it, they won't be able to do it successfully, because the data is encrypted by this router and then decrypted by this router, and only those two routers that are the endpoints in this VPN tunnel have the ability to decrypt or make sense of the data. This VPN tunnel is sometimes referred to as an SA, which is an acronym for a security association between this router on the left and this router on the right, and this type of relationship between these two routers, where they both agree to take the traffic between these two sites and encrypt it and send it back and forth to each other, is known as a site-to-site VPN, or a site-to-site VPN tunnel. So if someone asks us how we protect the traffic between this site and that site if it is transmitted over the Internet, the answer is that we can set up and configure a site-to-site VPN tunnel, which is a way to encrypt and protect every single packet that goes between those two sites, and this is how we can do it with a site-to-site VPN tunnel.

Now another scenario where we might want to use VPN protection is for an individual computer. So if we have Bob, let's say Bob is at home and he has his PC connected to the Internet, maybe he's using a cable or DSL modem or some other method, he's accessing the Internet, but if he wants to connect to the headquarters site, I don't want him sending naked, unencrypted packets, because once again they could be intercepted or eavesdropped on by devices on the Internet. So once again we could build a VPN tunnel here, from Bob's computer individually to some device at headquarters. To build that VPN tunnel from Bob's computer to the headquarters site, on Bob's computer we would have software that he's running that would allow him to do that, and then at the headquarters site we can have a device such as a router that acts as the other end of that VPN tunnel, or we can have an ASA or a Firepower appliance, and any one of those devices, if it's set up correctly, could be the device at the headquarters site that Bob is using to connect with his personal VPN. When we build a VPN from an individual computer, it is called a remote access VPN, or RA VPN. So these are the two main categories: a site-to-site VPN, e.g. between the headquarters site and a remote site, and a remote access VPN that is started from an individual computer going to some other device, in this case the router at the headquarters site, to create VPN protection for this user's traffic as it communicates with the headquarters location.

So now if someone were to come to us and say, how do we protect packets as they go over other people's networks, or networks that are not trusted, we could say that we could implement a VPN, a virtual private network, and in addition we could say that there are two categories of these. One is called a site-to-site VPN: if we want site one and site two and all traffic between those two sites to be encrypted and protected, that is a site-to-site VPN. And if we need to protect an individual user's data on their own PC, we would create a remote access VPN, which starts on that PC and ends, in this example, at the headquarters site at the other end of that VPN tunnel. So now we know the two main camps or categories: site-to-site and remote access VPN. And in the next video, what I'd love is to talk to you about some of the basic components of cryptography.
That's the fancy way of saying how VPNs protect each of those packets, and we'll cover that in the next video, so I'll see you there in a bit. In the meantime, I hope this has been informative for you, and I'd like to thank you for watching.

With that being said, here is the next video.

Keeping confidentiality and privacy is important, and those are some important things that are brought to the table with a virtual private network. When we send packets over the network, or through the Internet or other untrusted networks, we absolutely don't want anyone who sees that packet to be able to open it and make sense of the content, because we have secrets: your company's secrets, or sensitive information, or protected information like health information, etc. We absolutely should not leak that information or make it available to unauthorized eyes. To achieve the feat of VPN, virtual private networks, where we protect and encrypt every packet that is sent over all these untrusted networks, we use some techniques from a suite or a technology called cryptography, and that's what I'd like to talk about with you in this video. So the root of the word crypto comes from the concept of having secure communications against an adversary. So if you had General A, for example, from some army, and you had General B from the same army, and they were going to send messages back and forth, they would use cryptography to make sure that if those messages were intercepted, the interceptor wouldn't be able to make sense of them. Is there some kind of cryptography that would hide the actual message being sent? An example of this would be a Caesar cipher, like Julius Caesar; that's what he used. So nowadays cryptography refers to a bunch of algorithms or formulas and standards that can help us protect data as well. But there are two main goals with cryptography. One is confidentiality: in the case of two devices communicating over an untrusted network, if we have someone intercept the packets and look at them, and they can't figure out what the payload means, we just achieved confidentiality. If only host A and host B can find out what the actual message is, we keep that confidential with our cryptography, and with virtual private networks that confidentiality is implemented through encryption. Here is an example, using a Caesar cipher, of a protected message. It was encrypted using some type of key or method, and if host A and host B are both parties that know the key, one can encrypt it and the other can decrypt it. So the key here is a shift of one character ahead, which means each of these letters is just one after the actual letter, so if you back up each of these letters, the I would be an H, and so on. If you want to figure this out, just back up each character to its previous character in the English alphabet from A to Z, and that will reveal the hidden message. So that's an example of how we could encrypt a message, and only the sender and receiver know the actual key, or how decoding can actually make sense of the message.

Then, in today's high-speed networks, what we're going to use is an encryption algorithm, and one of the most popular is called AES, which is an acronym for Advanced Encryption Standard, and there are various flavors of it as far as how many bits are involved. With crypto, the general rule of thumb is that size matters, which means bigger is better, or at least bigger is considered more secure, and the more bits we are using as part of our algorithms, the more CPU and power will be needed to do the calculations. So if we had two sites, site A and site B, and they were connected via the Internet and we wanted to implement a VPN between them, we could train these two devices to set up a VPN, a virtual private network. We could tell them to do encryption, we specify the algorithm we'd like to use, and if we were to say this VPN is using AES, a question might come up: if we're using AES, which is a standard, couldn't just anybody jump into the middle of that with AES and interpret the data? So the secret is that these devices that are on the endpoints of this VPN tunnel will negotiate and use keys that no one else knows about. Because host A and host B, or router A and router B, have the keys involved, only those two devices will be able to successfully encrypt and decrypt the data.

Anyone in between eavesdropping on that traffic or wanting to see the data is out of luck, because they won't have the keys. Think of it like a trunk with a padlock: basically, if you have the key to the padlock you can open it, you can close and lock it, but if you don't have a key you're out of luck. So host A and host B have the key to that lock, if you will, and everyone else doesn't, and that's what keeps our data private with encryption using current standards like AES.

Now, as well as keeping our data private, we also want to make sure that data isn't being tampered with or changed by unauthorized parties as those packets are forwarded back and forth, and that refers to having data integrity. Data integrity is achieved with a method called hashing, and we think of hashing as a little indicator to tell if the data has been modified or not. For this, let's imagine that I send you this letter. So I wrote this nice letter and then I counted all the characters that are in this letter, and imagine that there are about three hundred forty characters. So what I do is take this letter, put it in an envelope. I completely forgot what number I said; let's say it's 425 characters. I put the letter in the envelope, seal it, and then on the outside I write a little note, 425, on the envelope. When you get it, you open it, you look at it, and we think it's just an extra step to say, OK, I'll make sure I count all the characters and then compare it to what you said, 425, and if the numbers are off, if it should be 425 characters and it's 450 characters, hey, someone tampered with our data, and as a result we may discard it, not accept it. That concept of data integrity for an individual packet as we send it out over the VPN is known as hashing, and for hashing the two main families are MD5 and SHA-1, let's say SHA. There are a bunch of SHA flavors, like SHA-1, SHA-2, SHA-256, etc., but in any case the purpose of using a hash algorithm is to verify the integrity of the data, the truth that nothing has been modified or changed in that packet that has been sent over the network.

As a fun example, here's a website, Tools 4 Noobs, and we're going to use its hash calculator, the little tool that helps verify data integrity. So I have the Declaration of Independence on my clipboard. I'm going to right-click and I'm going to paste it, so this is the Declaration of Independence, and beautiful, it has all the words and the characters. If we want to hash this entire document, we can choose the algorithm; let's use SHA-256, which is nice and strong, and then we'll click hash. Check it out, check out this little thingy here: this hash is based on the whole document. If we change one character, just one, in the document, that hash is going to change. Instead of "unanimous" it will say "majority", which of course is changing this document, and if you click hash it will do it; watch. If you go back in the video a moment, this hash is different. So the hash is the little tool that helps the receiver identify if this data got messed up or changed in transit, or if the hash matches.

So in this video we had the opportunity to take a look at how a VPN protects data and protects privacy, the reality of confidentiality, by using methods such as encryption, encrypting data in such a format that any device without the correct keys involved cannot understand it. The most popular encryption algorithm that we are using today for site-to-site VPNs is AES, the Advanced Encryption Standard. Then, to verify the integrity of the data, to verify that the data has not been tampered with, we use a method called hashing, and the two main categories there are MD5 and SHA-1, with variants behind it, but the point of hashing is to verify that the data has not been modified as it is being sent over the untrusted network as part of the VPN. So now we know a couple of building blocks of VPNs: the encryption aspect that keeps packets private or confidential, and the hashing aspect that ensures data hasn't been modified. Let's take those two building blocks and take a closer look in the next video at the site-to-site VPN that protects all traffic going back and forth between those two sites. So I'll see you there in a bit. In the meantime, I hope this has been informative for you guys, and I'd like to thank you for watching.

OK, it's a live cut from my video. So I had a few questions that came up. I thought I'd pause for a moment and address those.
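The two building blocks the video just walked through, confidentiality via a Caesar-style shift and integrity via SHA-256, as an added example written for this page (not code from the video or from CBT Nuggets). It uses only Python's standard library, the sample document is a constructed phrase, and the keyed-hash part goes one step beyond the video to show why IPsec uses an HMAC rather than a bare hash.

```python
import hashlib
import hmac

# Constructed sample "document": the phrase the video edits in the hash
# calculator ("unanimous" becomes "majority").
DOCUMENT = "The unanimous Declaration of the thirteen united States of America"
TAMPERED = DOCUMENT.replace("unanimous", "majority")


def caesar_shift(text: str, shift: int) -> str:
    """Confidentiality, teaching version: move every letter `shift` places
    through the alphabet. The video's key is a shift of one (H becomes I).
    Non-letters are left untouched and case is preserved."""
    out = []
    for ch in text:
        if "A" <= ch <= "Z" or "a" <= ch <= "z":
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr(base + (ord(ch) - base + shift) % 26))
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, shift: int) -> str:
    """Back each letter up by the key, as the video describes, to reveal the message."""
    return caesar_shift(ciphertext, -shift)


def brute_force(ciphertext: str) -> list:
    """Why the Caesar cipher is only an illustration: there are 25 usable keys,
    so an eavesdropper simply tries them all. Modern VPNs use AES with keys
    the peers negotiate, and that key space cannot be enumerated this way."""
    return [(k, caesar_shift(ciphertext, -k)) for k in range(26)]


def sha256_hex(data: str) -> str:
    """Integrity, unkeyed: one fixed-length digest over the whole document,
    like the SHA-256 calculator in the video. Change one character and the
    digest changes completely."""
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def verify_integrity(received: str, advertised: str) -> bool:
    """Receiver recomputes the digest and compares it with the one that
    travelled alongside the data (the character count on the envelope)."""
    return hmac.compare_digest(sha256_hex(received), advertised)


def hmac_sha256_hex(key: bytes, data: str) -> str:
    """Goes beyond the video: a plain hash only catches accidental damage,
    because whoever alters the data can recompute SHA-256 as well. IPsec
    therefore uses a keyed hash (HMAC) with a key only the two peers
    negotiated, so an outsider cannot produce a matching tag."""
    return hmac.new(key, data.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_keyed_integrity(key: bytes, received: str, tag: str) -> bool:
    """Receiver side of the keyed check; constant-time comparison."""
    return hmac.compare_digest(hmac_sha256_hex(key, received), tag)


if __name__ == "__main__":
    secret = caesar_shift("HELLO BOB", 1)
    print(secret, "->", caesar_decrypt(secret, 1))
    print("original :", sha256_hex(DOCUMENT))
    print("tampered :", sha256_hex(TAMPERED))
    print("tamper detected:", not verify_integrity(TAMPERED, sha256_hex(DOCUMENT)))
```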
I have a request regarding a T-shirt. I'll talk to you privately and connect you. Another question: he said, "I just passed the CCNA Security exam." That's awesome. That means on 24th Feb 2020 they will give you the new CCNA, so any current CCNA, regardless of whether it's wireless or security or anything else, will give you the new CCNA, so you have that. And then, as far as going on from there, there is the professional-level track for security, which is not a bad way to go, which I would recommend if you just got your CCNA Security. Or, if you are working for a company that is using certain security products, maybe they have Palo Alto firewalls, or maybe they have a Check Point, or maybe they are using some other security device, I would say it would make sense to start looking into that, because you'll have more opportunity to practice and support yourself in that environment. In case you're not working with an organization that has any of those security devices, or you're just developing your skills and not working for someone, still continue with the CCNP level. The professional level for security is a big step up, so keep in mind there are other security products out there, and I would recommend going with the ones you have closest access to, which would make the most sense.

OK, another question: MPLS. The question is whether MPLS and VPN tunnels are mutually exclusive, technically. It's so cool, so cool. So what we're talking about here for security purposes is IPsec site-to-site VPN, where you have two or more peers, and those peers basically take all the traffic and encrypt it and send it over the untrusted network, and on the other router, the other peer decrypts it and passes it to the end customer. That is using a set of protocols called IPsec, and as a result we get encryption and decryption. Now, in a service provider environment, there's a challenge. Let's imagine you and I are a service provider, and we have dozens of customers and they have sites all over the place. It would be important for us to make sure, if we have a customer Acme Incorporated, and they have two sites, one here and one here, that when you submit your traffic to us, the service provider, we make sure your packets end up in the correct location at your other site. We don't want to take Acme's packets and have them show up on the wrong customer's site; that is going to be confusing and is not going to make your site happy, and we also have a confidentiality issue, sending the packets from the wrong company to the wrong destination. So in a service provider we use MPLS, Multiprotocol Label Switching, and techniques called Layer 3 VPN, but in that sense it is not encryption. So Layer 3 VPN is not for the purpose of encrypting or protecting and keeping data confidential; it has the purpose of making sure that we get the data from the right customer site to the other right customer site, and that's what MPLS Layer 3 VPNs are all about. On top of that, at the edges, we could encrypt the payloads of those packets as they go into the service provider network, but that would be encryption beyond what MPLS is doing. So that's a great question, because the acronym is the same, virtual private network, VPN, but the implementation and purpose are different. On a service provider network with MPLS and Layer 3 VPN it is just to get the right data to the right clients; with site-to-site IPsec VPN, we do this purely for confidentiality as we send traffic over untrusted networks.

There is a request to do a video on OSPF network types. You know what, I would love to. Here is my challenge to us: every Wednesday I ask what you would like to see next, and I'm going to add that as one of the items. OSPF network types, yes, OSPF network types like non-broadcast, point-to-point, broadcast, etc. I'll add it next week as an option, and if enough people vote on it, it will show up in the queue and I'll do it. So I don't know if I have a lot of current training on that, but I can create something. I would be happy to do a live session. When I did the CCIE training, we had to cover them and I had to memorize them; now I have to really rethink, say, OK, how does it work again? Where would I use this? What are the implications on a hub-and-spoke topology and its relationships?

So I'll add that as an option, and all we need is votes, and I'll include that as well. What I will do is share the importance of it; it is really more CCNP- and expert-level content as opposed to CCNA, but I will reinforce why that is really important, and that is, if you want OSPF to work properly on certain topologies like hub-and-spoke, it's critical, and it's also based on the type of network connectivity you have. So I'll add that. OK, thanks for those questions. Let's go ahead and take a look at the next video, and that next video is this bad boy, Site-to-Site VPN Concepts. Hope you enjoy it.
I have always been intrigued by the concept of a site-to-site VPN: traffic between those two sites, the edge devices taking that traffic, encrypting it, logically sending it over the protected VPN tunnel, and the other side receiving it, decrypting it and delivering it on its way. It's awesome. So what I would like to do in this video is show you what it's like behind the scenes, how the sites know what to do, and some of the configuration options available. So using this topology, let's talk about some of the ingredients of going for a site-to-site VPN. For data confidentiality we will use some kind of encryption algorithm; for data integrity we will most likely use some kind of hash algorithm, or set of rules; and then we can train these two routers to be peers, establishing a VPN or a security association between them. Now a very good question to ask is, in the setup of a site-to-site VPN tunnel between these two routers, what are we actually using for the umbrella of hash algorithms and encryption that we are going to use? The technology that you are going to use is called IPsec, capital I, capital P, SEC, which implies that we are going to provide security for each individual IP packet as it is transmitted between the two VPN peers. So we'll use IPsec. Now, a big question is how can a technology like IPsec stay up to date? Because I was learning about IPsec 30 years ago and it still exists, so how is it still current and viable? The answer is that IPsec is like an umbrella; it is a collection of protocols and utilities, and as new protocols come along, IPsec can adopt them. So long ago we had encryption protocols like DES, the Data Encryption Standard, and then Triple DES, which was even more secure, and now we're using AES, and as we get new encryption standards, we just stop using the older ones. So IPsec over the years has had the ability to use any of these encryption standards, and as they improve, IPsec will adopt them. We also have some evolution in the IPsec world called IKE. Originally we had IKE version 1; IKE stands for Internet Key Exchange. There won't be a test on that later, but there might be one. As time has gone on, we have IKEv2, and any of these methods as part of IPsec can be used in conjunction with hashing and encryption algorithms to provide security as traffic travels between R1 and R2. So what I'd like to do here with you is look at what happens between the two VPN devices that want to establish a tunnel, a security association, between them.

I want to share with you what's going on with IKE version 1 behind the scenes, and here it is: these routers would set up and negotiate what's called a phase one IKE tunnel. This tunnel is used so that R1 and R2 can communicate with each other securely, so if they need to communicate directly with each other, they can logically send the data through the hash and encryption algorithms that are part of the phase one tunnel. It is sometimes also called an ISAKMP tunnel, and ISAKMP is an acronym, you don't need to memorize the acronym, but it is an acronym for Internet Security Association and Key Management Protocol, and the SA in it is security association. So they will build this tunnel, and for this tunnel they will have negotiated and agreed on things like what encryption algorithm we are going to use, what hash algorithm we are going to use, and also the keys involved.

They can dynamically negotiate keys so that only R1 and R2 have the ability to lock and unlock the data, respectively, and after R1 and R2 establish this tunnel that they can use to communicate with each other, then they go to work and build a second tunnel. Do they maintain the second tunnel? Yeah, they build a second tunnel, and that's for traffic from users like Bob. So if we put a Bob here and a Louis here, for actual traffic from users on site 1 going to site 2, when that traffic hits the router, the routers will encrypt the user data and send it logically over the tunnel, and the other side will decrypt it and send it on to its intended destination. This second tunnel is often referred to as the IPsec SA, or we can also call it the phase 2 SA, and it is not likely that in any given sentence they will refer to these tunnels by all possible names, but I wanted to share with you where they fit together. For this IPsec SA that is going to be used to encrypt user traffic coming and going, router 1 and router 2 will have also negotiated what kind of encryption they want to use for that tunnel, the hash they want to use for that tunnel, and other applicable parameters, including what traffic to encrypt. I mean, if this is site 10.16.0 and over here is 10.16.8, part of the rules for the tunnel would say, OK, only encrypt traffic if it comes from 10.16.0 and goes to 10.16.8. So if Bob tries to go to ESPN or some other website, or Twitch or whatever, when the router sees that traffic it will see that the source is coming from 10.16.0 but it is not going to 10.16.8, and as a result it can do NAT, you'll probably use NAT at that point, and then forward it to the Internet and not send it through the tunnel.

So in this video we introduced the concept of IPsec, which is a big umbrella that covers a lot of sub-technologies, including hash algorithms and encryption algorithms.
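The "what traffic to encrypt" rule and the algorithm negotiation described above, as an added example written for this page (not code from the video or from Cisco IOS). It assumes /24 prefixes for the two sites, since the video only says 10.16.0 and 10.16.8, and the proposal lists and sample packets are constructed; the negotiation is a simplified model, not the IKE wire protocol.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class TrafficSelector:
    """One 'permit' line of the crypto ACL: source network to destination
    network. Only packets matching a selector are sent into the IPsec SA."""
    src: IPv4Network
    dst: IPv4Network

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return ip_address(src_ip) in self.src and ip_address(dst_ip) in self.dst


def selector(src_cidr: str, dst_cidr: str) -> TrafficSelector:
    """Build a selector from two CIDR strings."""
    return TrafficSelector(ip_network(src_cidr), ip_network(dst_cidr))


# Assumption: /24 prefixes for the two sites named in the video.
R1_SELECTORS = [selector("10.16.0.0/24", "10.16.8.0/24")]


def mirror(selectors):
    """The peer's crypto ACL must be the mirror image (source and destination
    swapped); otherwise phase 2 never agrees on what the SA protects."""
    return [TrafficSelector(s.dst, s.src) for s in selectors]


def selectors_compatible(local, remote) -> bool:
    """True when both ends describe the same traffic from opposite sides."""
    return set(mirror(local)) == set(remote)


def classify(selectors, src_ip: str, dst_ip: str) -> str:
    """What the router does with a packet leaving the outside interface:
    'encrypt' (into the IPsec SA) or 'clear' (normal forwarding; a private
    source address bound for the Internet would be NATed at this point)."""
    if any(s.matches(src_ip, dst_ip) for s in selectors):
        return "encrypt"
    return "clear"


# Constructed packets from Bob (10.16.0.10): two to the remote site, one to a
# public web server (203.0.113.5 is a documentation address, standing in for ESPN).
SAMPLE_PACKETS = [
    ("10.16.0.10", "10.16.8.1"),
    ("10.16.0.10", "203.0.113.5"),
    ("10.16.0.10", "10.16.8.250"),
]


def tally(selectors, packets) -> dict:
    """Count how many sample packets would be encrypted vs sent in the clear."""
    counts = {"encrypt": 0, "clear": 0}
    for src, dst in packets:
        counts[classify(selectors, src, dst)] += 1
    return counts


# Constructed proposals, highest priority first, as (encryption, hash).
R1_PROPOSALS = [("aes-256", "sha256"), ("aes-128", "sha1"), ("3des", "md5")]
R2_PROPOSALS = [("aes-128", "sha1"), ("aes-256", "sha256")]


def negotiate(initiator, responder):
    """Simplified model of the negotiation: the first of the initiator's
    proposals that the responder also offers wins. None means no SA, a
    classic reason a tunnel never comes up."""
    offered = set(responder)
    for proposal in initiator:
        if proposal in offered:
            return proposal
    return None


if __name__ == "__main__":
    r2 = mirror(R1_SELECTORS)
    print("phase 2 selectors agree:", selectors_compatible(R1_SELECTORS, r2))
    print("negotiated:", negotiate(R1_PROPOSALS, R2_PROPOSALS))
    for src, dst in SAMPLE_PACKETS:
        print(src, "->", dst, classify(R1_SELECTORS, src, dst))
    # On R2 the reply from 10.16.8.1 back to Bob matches R2's mirrored rule.
    print("reply on R2:", classify(r2, "10.16.8.1", "10.16.0.10"))
```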
We also identified that two routers that are running IPsec are going to establish relationships with each other; we call those security associations, and as part of that they are going to negotiate the encryption they are going to use and the hash they are going to use. Depending on the version or the kind of IPsec on the site-to-site tunnel, we can have an IKE phase one tunnel, where the two routers talk to each other directly, and then a second tunnel, a logical tunnel, that will be used to encrypt and send the user traffic, such as Bob's and Louis's, back and forth, protected, secure and private over that tunnel. What I thought would be fun to do is take a look with a network analyzer to see the actual packets, and we'll see what the packets look like before they're encrypted and after, just to check that as the traffic goes down the tunnel those packets are being encrypted and protected and sent to the other side. So I'll see you in that video in a bit. In the meantime, I hope this was informative for you, and I'd like to thank you for watching.

And we're going to show that video here.

In this video let's have fun enabling IPsec with a site-to-site VPN tunnel between two routers, and then, for the main purpose, look at the traffic before it's encrypted and after, just to have a very visual comparison and realize that, oh my gosh, this traffic, once the router gets it and encrypts it, is not understandable to anyone who doesn't have the right keys to unlock that data. Let's use this topology as our backdrop. Now there are many individual things that need to be planned and implemented and configured for an IPsec site-to-site tunnel to work. In this topology most of that has been implemented except for one thing, and that is a crypto map, and you could ask, "Keith, what is a crypto map?"
I'm glad you asked. A crypto map is a collection of configuration, the IPsec policies that we want to use for our IPsec tunnels. What we do is create a crypto map, along with the other IPsec details, and we apply that crypto map to the interface that our router uses to communicate with its peer, which here is interface Gig 2/0. So we would apply the crypto map here on R1 and here on R2, and that gathers all the policies and attributes in hopes of building that VPN tunnel between those two sites, assuming all the other details are in place. Once we've applied the crypto map and there is traffic that needs to go from 10.16.0 to 10.16.8, if we are using IKEv1 we can do a show command and take a look at the tunnels: show crypto isakmp sa will show us our IKE phase 1 tunnel and the details about it, and for the second tunnel, which is the tunnel actually carrying user traffic, we use show crypto ipsec sa. Another command while we're here is show crypto engine connections active, which gives us a bird's-eye view too.
We can also do show crypto map (there's a space between crypto and map), which shows details of the crypto map, including whether or not it is applied to an interface. So let's get back to the point of what I wanted to cover in this video, which is what traffic looks like before and after it's encrypted. Here's our plan: we're going to take a PC at 10.16.0.10 and have it ping a device over here at 10.16.8.111, which exists there. If this device is pinging that device, and we have our IPsec tunnel built, which says to encrypt everything from 10.16.0 to 10.16.8, then if we capture the data right here, before the router, we should see unencrypted data, and if we capture the data right here, after the router, we should see the encrypted packets. We'll see that they're encrypted, but we won't be able to see the payload to understand what's actually being carried inside those IPsec packets. If you'd like to join me, please do so; this is a hands-on lab for you, so go ahead and click the link for the virtual lab and follow along with me. We'll open MTPuTTY in the top left corner and open a connection to R1, and we'll also open a connection to R2, and let me press Enter a few times to clean up the screen. Fantastic. So here on R1, if we do show crypto isakmp sa and hit Enter, it says we have nothing, no tunnels in place, and if we do show crypto ipsec sa, it also says we don't have any security associations for IPsec tunnels. Let's do one more command, show crypto map, and hit Enter. Even though there's a lot of output here, basically this crypto map, called OUR-MAP, says that if the traffic is coming from 10.16.0 and going to 10.16.8, it will go ahead and encrypt that traffic, and the encryption and hashing that will be used for that traffic are specified here. Down here it lists the interfaces currently using that crypto map: none. So what we're going to do is go to interface Gig 2/0 and apply that crypto map. All the rest of the heavy lifting is done; all we have to do is enable the crypto map on this router, router 1, and also on router 2, and that will enable the feature. Before we do that, we'll also bring up our client PC and verify that we can ping and have connectivity before we put the IPsec tunnel between R1 and R2. So we'll log in to the client PC, and here on the client PC there is a command prompt, and in the command prompt let's ping, and I'm going to use -t, which stands for continuous: ping -t 10.16.8.111, and press Enter. Now our ping is going; we'll let it run, and while that's running let's go ahead and enable IPsec by applying the crypto map to both R1 and R2. So let's go back to R1, and here we will go to interface Gig 2/0 in config mode and use crypto map with our map name, OUR-MAP, in uppercase. That's done, and then we'll apply it to R2. The interface on R2 will be Gig 0/0, so we'll do conf t, interface gig 0/0, then crypto map and the name. I typed MY-MAP here. Hey, I guess I didn't call it MY-MAP, I called it OUR-MAP, ok, let me try, oh, there you go, perfect. So now we have enabled the crypto map on R1 and R2, and in the background the IPsec tunnel should be getting built and configured, and hopefully, if it's working fine, the traffic from the client is now working again. So we go back to our client PC; note there was a little bit of time waiting while negotiating and bringing up the tunnels, but now all this traffic being sent between R1 and R2 is being sent through this logical tunnel, with each and every one of those packets encrypted with IPsec. I'll do a Ctrl-C a couple of times to cancel that ping, and let's go back to R1 and take a look at our tunnel info. So if
we go back to R1, we have a couple of commands already cached, so let's try them again by hitting the up arrow key a few times. One of them is show crypto isakmp sa, which is looking at the IKE phase 1 tunnel, so if we hit Enter there, look at that, we now have this tunnel that is currently configured and active. If we press the up arrow a few more times we have show crypto ipsec sa, and that will show us details about the IKE phase 2 or IPsec tunnel, including how many packets have been encapsulated and encrypted and how many packets have been decapsulated and decrypted. Then while we're here let's do one more command, show crypto engine connections active. This represents our phase 1 IKE tunnel, and these represent the security associations for the IPsec tunnel, there's one each way. I guess for this one it's a failure, it never worked, and that's because when we applied the crypto map on R1 first, the pings were running but both sides weren't ready, so it timed out, didn't work, and then tried again and actually succeeded and brought up the tunnel.

This is so much fun: this is a packet capture on the connection between router 1 and router 2. Before we had IPsec we had these pings that were going from 10.16.0.10, our PC, up to 10.16.8.111, and then finally, when we enabled IPsec on R1 and R2, they started negotiating tunnels. So we'll look at main mode here, which is negotiating and configuring the IKE phase 1 tunnel, and quick mode is setting up the actual IPsec tunnel, and then once the IPsec tunnel is set up, these packets right here, look at them, they are ESP. ESP means Encapsulating Security Payload; it's a layer 4 protocol, it's protocol 50, and that's the protocol that IPsec uses as it encrypts and encapsulates. So originally, before encryption, we had 10.16.0.10 to 10.16.8.111 and it was an ICMP echo request, but after encryption it looks like the packets are going from our address here, that's R1, to R2 here, and anyone eavesdropping will see that it's an ESP packet, protocol 50, but the payload is encrypted; they don't know if it's an ICMP request or an SSH session or a website request or anything else, because the entire payload is protected and encrypted thanks to IPsec and the encryption algorithms that protect that data. When these packets are received by R2, R2 takes those packets, decrypts them and then sends them to the final destination, so the host at 10.16.0.10 doesn't really know that between R1 and R2 the traffic was encrypted and protected, nor does it really matter; they just got the packets back and forth and were happy it worked. So the intent of this video is to help reinforce the concept that when traffic goes through a VPN it is encapsulated, encrypted and protected with the algorithms or protocols specified by that site-to-site tunnel, all under the IPsec umbrella. So in this lab, have fun; if you want to apply the crypto maps like we did in the demo, that's great, and if you want to practice the show commands, that's great too, to kind of warm up with the idea of IPsec tunnels. I'll see you in the next video; in the meantime I hope this was informative for you, and I'd like to thank you for viewing.
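To make the before-and-after comparison from the packet capture concrete without a lab, here is an added Python example (not part of the video or the CBT Nuggets lab) that builds two constructed packets, the ICMP echo request as seen inside site 1 and an ESP packet as seen on the R1-R2 link, and parses each the way a passive observer would. The host addresses 10.16.0.10 and 10.16.8.111 follow the video; the router WAN addresses 192.0.2.1 and 192.0.2.2, the SPI value and the stand-in ciphertext are assumptions, and no real encryption takes place.

```python
"""Added example, not from the CBT Nuggets lab: build two constructed IPv4
packets, the ICMP echo request seen before the router and the ESP packet seen
after it, and parse each the way a passive observer on the R1-R2 link would.
Host addresses follow the video (10.16.0.10 -> 10.16.8.111); the router WAN
addresses 192.0.2.1 and 192.0.2.2 and the SPI are assumptions."""
import struct
from ipaddress import IPv4Address

IPPROTO_ICMP = 1
IPPROTO_ESP = 50   # Encapsulating Security Payload, IP protocol number 50
IPV4_HDR = "!BBHHHBBH4s4s"


def ones_complement_sum(data: bytes) -> int:
    """Internet checksum (RFC 1071) used by both IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """IPv4 header without options, checksum filled in, followed by payload."""
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0x1234, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:]
    return hdr + payload


def build_icmp_echo(data: bytes, ident: int = 1, seq: int = 1) -> bytes:
    """ICMP echo request (type 8, code 0), as Windows ping -t sends it."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = ones_complement_sum(hdr + data)
    return hdr[:2] + struct.pack("!H", csum) + hdr[4:] + data


def build_esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """ESP header: 32-bit SPI and 32-bit sequence number, then opaque data."""
    return struct.pack("!II", spi, seq) + ciphertext


def observe(pkt: bytes) -> dict:
    """What an eavesdropper can read: IP header fields plus whatever the
    next protocol exposes. ICMP is fully readable; ESP exposes only SPI/seq."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    info = {
        "src": str(IPv4Address(src)),
        "dst": str(IPv4Address(dst)),
        "proto": proto,
        # a valid header sums to zero when the checksum field is included
        "checksum_ok": ones_complement_sum(pkt[:ihl]) == 0,
    }
    body = pkt[ihl:total_len]
    if proto == IPPROTO_ICMP:
        info.update(layer4="ICMP", icmp_type=body[0], icmp_code=body[1],
                    readable_payload=body[8:])
    elif proto == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", body[:8])
        info.update(layer4="ESP", spi=spi, seq=seq, opaque_bytes=len(body) - 8)
    else:
        info.update(layer4="other")
    return info


def before_and_after() -> tuple:
    """Constructed 'before' (inside site 1) and 'after' (on the R1-R2 link) packets."""
    ping = build_ipv4("10.16.0.10", "10.16.8.111", IPPROTO_ICMP,
                      build_icmp_echo(b"abcdefghijklmnopqrstuvwabcdefghi"))
    # Stand-in for ciphertext: fixed bytes, NOT real encryption (constructed sample).
    fake_ciphertext = bytes((i * 37 + 11) & 0xFF for i in range(72))
    tunnelled = build_ipv4("192.0.2.1", "192.0.2.2", IPPROTO_ESP,
                           build_esp(0x1A2B3C4D, 1, fake_ciphertext))
    return observe(ping), observe(tunnelled)


if __name__ == "__main__":
    before, after = before_and_after()
    print("before router:", before)
    print("after router: ", after)
```

Run it and compare the two dictionaries: the first shows the ICMP type, code and the familiar 32-byte Windows ping payload, the second shows only the two router addresses, protocol 50, the SPI and a sequence number, which is exactly the view the analyzer gave in the capture.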
I have some questions that came up in the queue. Thank you very much. Someone was asking what Linux certifications are well regarded by the market. CompTIA calls it Linux+; it's pretty new, so the CompTIA Linux+ certification is great. The guy to ask is Shawn Powers; he's a Linux expert and he loves to teach it, so if you can find him (I like Shawn's brain), if you're on Twitter or whatever your social media is, you're sure to find him if you're looking for Shawn Powers at CBT Nuggets. I think he has his own website as well, and he'd probably ask someone else too, but the CompTIA Linux+ course I think would be a great start.
Another question was from Phillip, asking whether it too can be port restricted, or do you use the full range. If you could fill in, Phillip, what that question was referring to, I'd be happy to answer it; I'm just not sure exactly what the context is. Then Stephen asks if the two tunnels are part of security, like not keeping your password and username in the same place. So for IPsec there are two tunnels. The first one, the IKE phase 1 tunnel, is like a private party line between the two routers. So forget about this one, dude, and wait a second, and this dude, they're building an IPsec tunnel, and they sit there running the IKE phase 1 tunnel like a private party line just so they can talk to each other: how are you doing, good, hey, it's time to rotate the keys, ok great, we need to negotiate this. That IKE phase 1 tunnel is just for the personal communications between the two VPN peers, and then with that in place they set up the other IPsec tunnel, the second phase, the phase 2 tunnel, and then when they have to encrypt and decrypt data on behalf of users, they use that tunnel. This is how they set it up.
I guess it's safer. I am not a mathematician, mathematical scientist or cryptographic engineer. I don't write the protocols, but I imagine when they wrote them they did it in the interest of making it as secure as possible, and also for the ability for VPN devices to have a private party line so they can renegotiate or address other issues in the other tunnel. Ok, great, another question about what do you have in the lab equipment, so let me, it probably takes me two minutes to open a lab. So for CBT Nuggets what we do is have a few lab environments, and they're designed specifically for the topic at hand. They're not fully set up to do everything you'd ever want to do, like go have a Cisco IOS lab party, but they're more focused on the topic at hand, so in this case they teach VPN, or really a general VPN description, so it's an environment that supports the IPsec commands and the show commands for Cisco IPsec. That's also true if we're teaching layer 2 switching or trunking or VLANs: all the commands and the syntax and the output are what you get in the physical space, except this is a virtual environment. A lot of people also like to build their own labs; that was cool in the 80s, oh wait, the 90s for me, for Cisco.
There is Cisco VIRL, which is $200 a year I think; it is currently a licensed product where you can do everything. There is GNS3, which is an option, which has a GUI, if you have the licenses for Cisco IOS, which are available. What am I forgetting? I think I'm going to look at VIRL some more, probably even think about it right after the live stream ends. But the key, especially at the entry level for CCNA, the secret is to practice, to get practice. I was talking to some Cisco engineers, and one of them had just recently joined Cisco, just got his CCNA, and he had been going through all the show commands and configuration commands to get routers and switches to work, and it occurred to me that it doesn't really matter, if the live feedback is that meaningful and matches how it would be in a live environment, whether it's a simulator or an emulator or a live rig: if you're getting the hands-on practice, the key is to get the hands-on practice, because then you can take those abilities and apply them anywhere they're needed. Very good, excellent question. Let me take a look and check what our options are for next week, and I think it's here. So, most voted last time, I got an update from Jake: the last majority vote was for inter-VLAN routing with multi-layer switches.
I'll ask Jake if he can confirm it for us. If he does, that will be our theme on Wednesday, December 18 at 4:00 p.m. Pacific, and this Sunday, CCNA Sunday at 11 a.m., we're going to focus on layer 2 switching and some fundamentals there as well. So okay, multi-layer switching, inter-VLAN routing, that's what we'll do. With these behind-the-scenes looks at the skills we're building, I love teaching, and I welcome your input. If you have a friend or two who are interested in entry-level IT or focusing on Cisco certifications, even though I have taught at every level,
I really, really enjoy helping people at the entry, intermediate, CCNA and professional levels to really get established, because, oh my gosh, once a person says oh, I get this, it's a chance to accelerate that and grow and keep growing. It's almost endless; it's fantastic. So thank you very much for your participation. If you haven't already, click subscribe and also hit the alert bell so you can get alerts when there are new live streams and new content, and if there are topics you would like me to cover, let me know. I will put them on the voting board on Wednesdays, and if we can get a majority of votes, if there are enough people to vote for it, we will. If I don't have content already created for something that we all want to see,
I will create it. With that, I hope everything is great for the rest of the day, and let me find some really cool music to say goodbye with. This is called Happy and Hopeful. Through the static, thank you all.