WEBVTT

0:00:03.080000 --> 0:00:08.120000
Hello and welcome to this video, which is part of the CCNA 200-301 bootcamp

0:00:08.120000 --> 0:00:14.240000
series. And here we're going to do a refresher on high-level concepts

0:00:14.240000 --> 0:00:16.800000
of virtual private networks.

0:00:16.800000 --> 0:00:20.120000
So that's what VPN stands for, virtual private network.

0:00:20.120000 --> 0:00:24.080000
Now let's break down these two terms, virtual and private, starting with

0:00:24.080000 --> 0:00:29.880000
private. So like it says here, when you are using a VPN, privacy relates

0:00:29.880000 --> 0:00:33.180000
to two things really.

0:00:33.180000 --> 0:00:37.960000
Number one, you want to make sure that the path that your packets are

0:00:37.960000 --> 0:00:42.780000
taking is deterministic and that your packets are being kept separate

0:00:42.780000 --> 0:00:46.580000
or isolated from other flows of traffic around you.

0:00:46.580000 --> 0:00:52.000000
So for example, in a VPN environment, if I'm establishing a VPN between

0:00:52.000000 --> 0:00:56.960000
my remote office and my corporate office, one thing I want to ensure is

0:00:56.960000 --> 0:01:01.160000
that there's no possible way that the packets going back and forth between

0:01:01.160000 --> 0:01:05.560000
the two offices could be derailed and end up at a completely different

0:01:05.560000 --> 0:01:09.260000
location. Okay? So route privacy.

0:01:09.260000 --> 0:01:13.460000
Make sure that my routes are separate from the routes of other organizations.

0:01:13.460000 --> 0:01:17.460000
A lot of times another thing VPNs will provide you is the ability to use

0:01:17.460000 --> 0:01:18.560000
overlapping routes.
0:01:18.560000 --> 0:01:24.820000
In other words, a service provider who provides VPNs to their customers,

0:01:24.820000 --> 0:01:29.480000
one customer could be using the 10.1.0 network to connect to its sites and

0:01:29.480000 --> 0:01:33.400000
a completely different customer could also be using the exact same network,

0:01:33.400000 --> 0:01:35.760000
the 10.1.0 network, to connect their sites.

0:01:35.760000 --> 0:01:39.560000
But because they're on two different VPNs, the ISP has the ability to

0:01:39.560000 --> 0:01:43.540000
keep them completely separated and isolated from each other.

0:01:43.540000 --> 0:01:52.040000
Now also another typical expectation of a VPN is data privacy.

0:01:52.040000 --> 0:01:55.360000
In other words, we typically want our packets to be encrypted.

0:01:55.360000 --> 0:01:58.700000
We don't want people to be able to read the contents of our packets as

0:01:58.700000 --> 0:02:01.780000
they're going across this virtual private network.

0:02:01.780000 --> 0:02:03.980000
Now, what makes it virtual?

0:02:03.980000 --> 0:02:09.280000
Well, typically what makes it virtual is that the network that's carrying

0:02:09.280000 --> 0:02:12.180000
this information might not be owned by you.

0:02:12.180000 --> 0:02:14.840000
It's a network owned and operated and managed by somebody else, like a

0:02:14.840000 --> 0:02:19.380000
service provider, and you are using it to get packets from point A to point

0:02:19.380000 --> 0:02:22.260000
B. But it doesn't have to be.

0:02:22.260000 --> 0:02:28.540000
For example, let's just look at this right here.

0:02:28.540000 --> 0:02:35.260000
Really, what makes it virtual is this: let's say that I have a

0:02:35.260000 --> 0:02:40.000000
PC right here and it connects to a VPN.

0:02:40.000000 --> 0:02:46.200000
So he's one endpoint of the VPN and the other endpoint of the VPN is this

0:02:46.200000 --> 0:02:49.020000
router right here.
0:02:49.020000 --> 0:02:51.340000
Okay, maybe it's a corporate router.

0:02:51.340000 --> 0:02:58.840000
All right, well, once this VPN is established,

0:02:58.840000 --> 0:03:04.060000
this VPN tunnel will give the PC some sort of an IP address.

0:03:04.060000 --> 0:03:06.380000
Let's say he's 10.1.1.1.

0:03:06.380000 --> 0:03:11.080000
The other end of the tunnel will have another IP address in the same network.

0:03:11.080000 --> 0:03:15.680000
And so from the PC's perspective, he looks like he's on that network.

0:03:15.680000 --> 0:03:19.180000
He looks like, oh, okay, there's a network from me to this other guy.

0:03:19.180000 --> 0:03:20.980000
It's the 10.1.1 network.

0:03:20.980000 --> 0:03:22.560000
That's what we're on.

0:03:22.560000 --> 0:03:27.780000
But the reality is, to actually carry this, there are lots of different routers

0:03:27.780000 --> 0:03:32.540000
and other devices along the way, which are transporting

0:03:32.540000 --> 0:03:36.440000
the packets through this tunnel.

0:03:36.440000 --> 0:03:39.000000
But this is a virtual tunnel.

0:03:39.000000 --> 0:03:44.380000
We don't in reality have a real physical cable connecting us to the corporate

0:03:44.380000 --> 0:03:45.380000
router on the right.

0:03:45.380000 --> 0:03:51.180000
This is a virtual cable or a virtual network that is being carried by

0:03:51.180000 --> 0:03:55.840000
an underlying network of real physical devices.

0:03:55.840000 --> 0:03:59.980000
That's why we call it a virtual private network.

0:03:59.980000 --> 0:04:06.740000
I could certainly connect my PC directly, physically, to a router.

0:04:06.740000 --> 0:04:11.180000
And across this router, I could encrypt my data and give myself the same

0:04:11.180000 --> 0:04:14.900000
privacy as a VPN, but it wouldn't be virtual, would it?

0:04:14.900000 --> 0:04:18.680000
This is a real physical cable, a real network.

0:04:18.680000 --> 0:04:21.920000
A VPN, this is not real.
0:04:21.920000 --> 0:04:27.180000
It's carried by real devices and it looks like a network to you, but it's

0:04:27.180000 --> 0:04:29.540000
a virtual network.

0:04:29.540000 --> 0:04:38.480000
Okay, so as far as VPNs are concerned, there's some terminology you just

0:04:38.480000 --> 0:04:39.620000
need to know here.

0:04:39.620000 --> 0:04:45.500000
So you should know what a peer-to-peer VPN is.

0:04:45.500000 --> 0:04:50.960000
So these next two VPNs here are typically where you have

0:04:50.960000 --> 0:04:57.960000
a networking device forming a VPN connection to another networking device,

0:04:57.960000 --> 0:05:03.040000
okay? Like a firewall to a firewall or a router to a firewall or a router

0:05:03.040000 --> 0:05:07.480000
to a router. Okay, so we're not really talking about VPNs where your laptop

0:05:07.480000 --> 0:05:16.220000
or your PC is one end of the VPN. Networking devices.

0:05:16.220000 --> 0:05:31.860000
Okay, so in a peer-to-peer VPN, that means that one device, okay, so for

0:05:31.860000 --> 0:05:38.480000
example, let's say that all these routers here are owned by the same service

0:05:38.480000 --> 0:05:43.420000
provider, okay? Charter Communications, AT&T, you pick who that would

0:05:43.420000 --> 0:05:50.240000
be. And they say, okay, we can provide a peer-to-peer VPN for you between

0:05:50.240000 --> 0:05:53.520000
your spoke offices and the hub office.

0:05:53.520000 --> 0:06:02.040000
So what they're telling you is what they will do is, if Spoke 1 sends

0:06:02.040000 --> 0:06:06.580000
some packets into this peer-to-peer VPN, they can guarantee you that those

0:06:06.580000 --> 0:06:12.540000
packets will be routed to this service provider router over here and go

0:06:12.540000 --> 0:06:16.140000
to the hub. Now, what makes this a virtual private network?

0:06:16.140000 --> 0:06:18.760000
Well, we don't really know what's in the cloud here.

0:06:18.760000 --> 0:06:20.740000
Remember, this is the internet, right?
0:06:20.740000 --> 0:06:25.440000
These packets could in reality be taking all sorts of paths through the

0:06:25.440000 --> 0:06:31.000000
internet to get to this thing, but they are promising you that no matter

0:06:31.000000 --> 0:06:35.560000
what the actual cloud looks like and how it's built, your traffic will

0:06:35.560000 --> 0:06:37.940000
never go to an unintended destination.

0:06:37.940000 --> 0:06:43.960000
It will always take a private path from one destination to another.

0:06:43.960000 --> 0:06:48.880000
So they're not necessarily providing you encryption and data confidentiality.

0:06:48.880000 --> 0:06:53.340000
They're just providing you private pathways from one device to the other.

0:06:53.340000 --> 0:06:59.300000
And the reason why this is called a peer-to-peer VPN is because your corporate

0:06:59.300000 --> 0:07:03.460000
routers are actually forming a routing relationship with the service provider

0:07:03.460000 --> 0:07:11.940000
routers. You are actually running OSPF or BGP or EIGRP with the service

0:07:11.940000 --> 0:07:13.180000
provider's router.

0:07:13.180000 --> 0:07:17.780000
So on Spoke 1, when you do the command show ip ospf neighbor or show

0:07:17.780000 --> 0:07:22.140000
ip eigrp neighbor, your neighbor will be Spoke 2.

0:07:22.140000 --> 0:07:29.340000
Now, let's contrast that with something called an overlay VPN.

0:07:29.340000 --> 0:07:34.440000
So an overlay VPN is typically a layer.

0:07:34.440000 --> 0:07:38.320000
So the service provider, you still have some routers right here owned

0:07:38.320000 --> 0:07:44.100000
by the service provider or maybe some WAN switches, but these devices

0:07:44.100000 --> 0:07:49.020000
are providing you layer two connectivity, not layer three connectivity.

0:07:49.020000 --> 0:07:53.200000
They're just providing you a cable run out to your office, some sort of

0:07:53.200000 --> 0:07:57.600000
layer two encapsulation.
0:07:57.600000 --> 0:08:04.040000
For example, here's a prime example of an overlay VPN.

0:08:04.040000 --> 0:08:11.240000
So something that is becoming more and more prevalent in Cisco's exams is this

0:08:11.240000 --> 0:08:14.880000
concept of DMVPN.

0:08:14.880000 --> 0:08:20.420000
So in DMVPN, you have some router.

0:08:20.420000 --> 0:08:25.820000
Let me just put this over here.

0:08:25.820000 --> 0:08:33.500000
You have some router called a hub router and you have some spoke routers.

0:08:33.500000 --> 0:08:41.080000
Spoke 2. Spoke 1.

0:08:41.080000 --> 0:08:44.580000
Now these guys are not physically connected to each other.

0:08:44.580000 --> 0:08:48.200000
They are actually connected to, well, typically the internet.

0:08:48.200000 --> 0:08:53.480000
So here is ISP A's router.

0:08:53.480000 --> 0:08:58.460000
You know, it might be the same ISP, ISP A2, and maybe this is a different

0:08:58.460000 --> 0:09:05.600000
ISP, ISP B. Okay.

0:09:05.600000 --> 0:09:11.540000
So your underlay network is going to be, you're going to connect to that

0:09:11.540000 --> 0:09:15.620000
ISP. You're probably going to run some sort of routing protocol like BGP

0:09:15.620000 --> 0:09:29.420000
with them. And these spoke routers, on their connections to the ISP right

0:09:29.420000 --> 0:09:35.540000
here, on these connections, they have public IP addresses.

0:09:35.540000 --> 0:09:40.400000
And they're going to be in completely different networks, most likely.

0:09:40.400000 --> 0:09:45.960000
And so by doing routing with the ISP, for example, Spoke 1 will

0:09:45.960000 --> 0:09:49.040000
learn of the route to get to the hub.

0:09:49.040000 --> 0:09:51.100000
He'll learn that the hub is reachable.

0:09:51.100000 --> 0:09:55.700000
Spoke 1 will be able to ping the hub's address because the ISP's network

0:09:55.700000 --> 0:10:01.760000
can carry it.
0:10:01.760000 --> 0:10:05.420000
And in here, we can have all sorts of routers connecting these guys like this.

0:10:05.420000 --> 0:10:10.700000
Okay. So our initial connectivity, nothing to do with VPNs, just basic

0:10:10.700000 --> 0:10:14.900000
internet connectivity, connecting one spoke to the internet.

0:10:14.900000 --> 0:10:19.360000
And through the internet, that spoke learns of the route to the hub.

0:10:19.360000 --> 0:10:22.220000
Okay. Here's where the VPN comes into play.

0:10:22.220000 --> 0:10:29.920000
So now, because Spoke 1 can ping and reach the hub, the

0:10:29.920000 --> 0:10:38.000000
spoke creates a VPN tunnel to that hub.

0:10:38.000000 --> 0:10:47.760000
And across that VPN tunnel, we now have, so this

0:10:47.760000 --> 0:10:49.360000
tunnel is now its own separate network.

0:10:49.360000 --> 0:10:53.300000
This could be a private network, like 10.1.1.1 over here, and

0:10:53.300000 --> 0:10:56.260000
10.1.1.2 over here.

0:10:56.260000 --> 0:11:01.080000
And now Spoke 1, across this tunnel, can actually route directly with

0:11:01.080000 --> 0:11:03.920000
the hub. You might say, but wait a second, Keith, whenever I've learned

0:11:03.920000 --> 0:11:10.520000
about this, EIGRP or RIP or OSPF, it's always been one router sending routing

0:11:10.520000 --> 0:11:14.940000
information or hellos or keepalives with the routers directly connected

0:11:14.940000 --> 0:11:17.120000
to him on the exact same cable.

0:11:17.120000 --> 0:11:21.620000
Are you telling me that Spoke 1 can send OSPF or EIGRP hello packets

0:11:21.620000 --> 0:11:25.480000
to the hub router, even though they might be separated by miles and miles

0:11:25.480000 --> 0:11:28.560000
and miles and who knows how many routers in between?

0:11:28.560000 --> 0:11:34.960000
Exactly. Yes. Because those OSPF hellos, those EIGRP hellos, are going

0:11:34.960000 --> 0:11:36.640000
across this tunnel.
0:11:36.640000 --> 0:11:40.160000
They're actually being encapsulated with new IP headers.

0:11:40.160000 --> 0:11:46.540000
So Spoke 1 would say, okay, I'm going to create an EIGRP hello with

0:11:46.540000 --> 0:11:52.300000
10.1.1.1 as the source, 10.1.1.2 as the destination.

0:11:52.300000 --> 0:11:58.120000
And then before it actually goes out, that EIGRP hello, which has its own

0:11:58.120000 --> 0:12:02.040000
IP header in front of it, 10.1.1.1 going to 10.1.1.2,

0:12:02.040000 --> 0:12:03.860000
or it might just be multicast, right?

0:12:03.860000 --> 0:12:05.780000
OSPF and EIGRP use multicast.

0:12:05.780000 --> 0:12:11.440000
So 10.1.1.1 going to 224.0.0.5 or 224.0.0.10,

0:12:11.440000 --> 0:12:15.200000
some multicast address reserved for a routing protocol.

0:12:15.200000 --> 0:12:20.300000
Now we take that and, to put it into the tunnel, we add another IP header

0:12:20.300000 --> 0:12:22.760000
in front of it. We've got two IP headers here.

0:12:22.760000 --> 0:12:27.940000
The inside IP header, which is my EIGRP, 10.1.1.1 is the source,

0:12:27.940000 --> 0:12:30.040000
224.0.0.5 is the destination.

0:12:30.040000 --> 0:12:35.380000
Then in front of that, we have our tunnel header, which has our public

0:12:35.380000 --> 0:12:44.360000
IP addresses, like maybe 7.7.7.7 is the source going to 5.1.1.1 as the

0:12:44.360000 --> 0:12:51.140000
destination. This would be considered an overlay VPN, because the routing

0:12:51.140000 --> 0:12:56.620000
relationship we have is from the spoke directly to the other side of the

0:12:56.620000 --> 0:13:02.860000
VPN tunnel. You see here, let's go back to where we were.

0:13:02.860000 --> 0:13:09.240000
In a peer-to-peer, you actually were routing with another router physically

0:13:09.240000 --> 0:13:10.640000
connected to you.

0:13:10.640000 --> 0:13:13.480000
Your spoke was routing with the ISP router.
0:13:13.480000 --> 0:13:15.660000
When you looked at your neighbor relationship, it was a router physically

0:13:15.660000 --> 0:13:17.180000
connected to you.

0:13:17.180000 --> 0:13:22.000000
Here, oops, let's go back to here, Spoke 1, he's actually routing

0:13:22.000000 --> 0:13:27.340000
with a router on the other side of possibly the world or the other side

0:13:27.340000 --> 0:13:30.040000
of the country, the hub router.

0:13:30.040000 --> 0:13:33.760000
So your peer is not physically connected to you.

0:13:33.760000 --> 0:13:36.200000
It's across the VPN.

0:13:36.200000 --> 0:13:39.020000
That's an overlay VPN.

0:13:39.020000 --> 0:13:46.820000
Then the last couple of terms here, we should talk about our site-to-site

0:13:46.820000 --> 0:13:52.160000
and client VPN. So far, all those examples we've been looking at are site

0:13:52.160000 --> 0:13:58.940000
to site VPNs, where I've got a remote site with 15, 20 different clients

0:13:58.940000 --> 0:14:02.420000
in it. And then they have a router.

0:14:02.420000 --> 0:14:06.520000
And then the router is initiating a VPN connection to another router at

0:14:06.520000 --> 0:14:08.240000
the corporate headquarters.

0:14:08.240000 --> 0:14:10.220000
One site talking to another site.

0:14:10.220000 --> 0:14:14.140000
One device who's representing the entire site, that's our router, talking

0:14:14.140000 --> 0:14:17.800000
to another device, maybe a firewall, that's representing the entire other

0:14:17.800000 --> 0:14:20.120000
site. And we have one VPN tunnel.

0:14:20.120000 --> 0:14:23.960000
That's a site-to-site VPN versus a client VPN.

0:14:23.960000 --> 0:14:28.980000
Client VPN is something like this, where you bring up some sort of client

0:14:28.980000 --> 0:14:33.980000
VPN software on your laptop or your PC or your tablet, like Cisco's

0:14:33.980000 --> 0:14:36.620000
AnyConnect. And that creates a VPN tunnel.
0:14:36.620000 --> 0:14:40.420000
So you as a host, as an individual, are one end of the VPN tunnel.

0:14:40.420000 --> 0:14:44.260000
And the other end of the VPN tunnel is probably a firewall or a router

0:14:44.260000 --> 0:14:48.920000
at the corporate headquarters.

0:14:48.920000 --> 0:14:52.460000
And then lastly, let's just once again review the typical expectations

0:14:52.460000 --> 0:14:55.340000
of a virtual private network.

0:14:55.340000 --> 0:14:59.300000
We talked about route exchange privacy: that hey, if I send you the 10.1

0:14:59.300000 --> 0:15:04.000000
network, okay, I don't care if anybody else is using the 10.1 network.

0:15:04.000000 --> 0:15:07.560000
I want you to keep my packets separate from them.

0:15:07.560000 --> 0:15:11.620000
So there's no way when I send routing updates across this VPN that my

0:15:11.620000 --> 0:15:16.660000
routes will be mixed up with those of my competitors.

0:15:16.660000 --> 0:15:18.540000
Path determination.

0:15:18.540000 --> 0:15:22.820000
Packets sent from my company will never accidentally arrive on the interface

0:15:22.820000 --> 0:15:24.440000
of one of my competitors.

0:15:24.440000 --> 0:15:28.160000
And this is probably the most important one here, data security.

0:15:28.160000 --> 0:15:30.440000
We want to encrypt our packets.

0:15:30.440000 --> 0:15:34.020000
We want to make sure that nobody can read them except the other end of

0:15:34.020000 --> 0:15:38.460000
that VPN tunnel.

0:15:38.460000 --> 0:15:43.660000
So the last thing here in this introduction to VPNs is I want to introduce

0:15:43.660000 --> 0:15:47.560000
you, if you're not familiar with this, to the concept of IPsec.

0:15:47.560000 --> 0:15:53.520000
IPsec stands for IP security and it's sort of an umbrella term for a

0:15:53.520000 --> 0:15:58.500000
collection of protocols that help these VPN tunnels to exist.

0:15:58.500000 --> 0:16:03.700000
We need some protocols to encrypt our data to provide confidentiality.
0:16:03.700000 --> 0:16:06.620000
So if somebody sees our packets in the middle, they don't even know what

0:16:06.620000 --> 0:16:07.820000
they're looking at.

0:16:07.820000 --> 0:16:12.020000
Well, there's a variety of protocols that do that under the IPsec umbrella.

0:16:12.020000 --> 0:16:15.120000
If you decide you want to use IPsec, you've got a choice of different

0:16:15.120000 --> 0:16:16.320000
encryption protocols.

0:16:16.320000 --> 0:16:19.180000
We want to supply integrity.

0:16:19.180000 --> 0:16:23.240000
How do I make sure that when I send my packet and it gets to you, how

0:16:23.240000 --> 0:16:26.380000
do you make sure that packet hasn't been changed in some way in transit,

0:16:26.380000 --> 0:16:28.040000
that some of the bits haven't been changed?

0:16:28.040000 --> 0:16:32.380000
Well, IPsec has a bunch of protocols that can provide that for you.

0:16:32.380000 --> 0:16:36.980000
Authentication. Hey, before I even talk to you, I want to make sure that

0:16:36.980000 --> 0:16:39.180000
you are who you say you are.

0:16:39.180000 --> 0:16:44.480000
IPsec has a bunch of protocols that provide authentication and anti-replay.

0:16:44.480000 --> 0:16:49.900000
If I send you a packet and then you get that same packet again,

0:16:49.900000 --> 0:16:54.900000
is that legitimate or is that somebody trying to replay the same stuff

0:16:54.900000 --> 0:16:59.020000
I just did? We need some protection against that. IPsec has protocols for

0:16:59.020000 --> 0:17:04.240000
that as well. So IPsec is really, like it just has here, an umbrella term

0:17:04.240000 --> 0:17:08.420000
for a collection of protocols that you can pick and choose that supply

0:17:08.420000 --> 0:17:10.760000
all these characteristics.

0:17:10.760000 --> 0:17:16.540000
So that concludes this video on an introduction to VPNs.