The Overlay Tunnel

Generic Routing Encapsulation (GRE) Tunnels: This section explains GRE and how to configure and verify GRE tunnels.
IPsec Fundamentals: This section explains IPsec fundamentals and how to configure and verify IPsec.
Cisco Locator/ID Separation Protocol (LISP): This section describes the architecture, protocols, and operation of LISP.
Virtual Extensible Local Area Network (VXLAN): This section describes VXLAN as a data plane protocol that is open to operate with any control plane protocol.
An overlay network is a logical or virtual network built over a physical transport network referred to as an underlay network. Overlay networks are used to overcome shortcomings of traditional networks by enabling network virtualization, segmentation, and security to make traditional networks more manageable, flexible, secure (by means of encryption), and scalable. Examples of overlay tunneling technologies include the following:
Generic Routing Encapsulation (GRE)
IP Security (IPsec)
Locator/ID Separation Protocol (LISP)
Virtual Extensible LAN (VXLAN)
Multiprotocol Label Switching (MPLS)
A virtual private network (VPN) is an overlay network that allows private networks to communicate with each other across an untrusted network such as the Internet. VPN data sent across an unsecure network needs to be encrypted to ensure that the data is not viewed or tampered with by an attacker. The most common VPN encryption algorithm used is IP Security (IPsec).
Private networks typically use RFC 1918 address space (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16), which is not routable across the Internet. To be able to create VPNs between private networks, a tunneling overlay technology is necessary, and the most commonly used one is GRE.
Different combinations of overlay tunneling and encryption technologies opened the door to next-generation overlay fabric networks such as:
Software-Defined WAN (SD-WAN)
Software-Defined Access (SD-Access)
Application Centric Infrastructure (ACI)
Cisco Virtual Topology System (VTS)

The figure illustrates a topology where R1 and R2 are using their respective ISP routers as their default gateways to reach the Internet. This allows R1 and R2 to reach each other’s Internet-facing interfaces (g0/1 on both) to form a GRE tunnel over the Internet. For this case, the Internet, represented by 100.64.0.0/16, is the transport (underlay) network, and 192.168.100.0/24 is the GRE tunnel (overlay network).
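
To make the underlay/overlay relationship concrete, the following added example (not from the original page) builds a basic GRE-in-IPv4 packet by hand, decapsulates it again, and checks that the inner payload is readable on the wire, which is why GRE is paired with IPsec. The host addresses 100.64.1.1, 100.64.2.1, 192.168.100.1 and 192.168.100.2, IP protocol 253 (reserved for testing) and the payload are assumptions chosen to fit the networks named above.

```python
import ipaddress
import struct

IPPROTO_GRE = 47          # IP protocol number of GRE
GRE_PROTO_IPV4 = 0x0800   # GRE protocol-type value for an IPv4 payload
UNDERLAY = ipaddress.ip_network("100.64.0.0/16")    # transport network in the text
OVERLAY = ipaddress.ip_network("192.168.100.0/24")  # GRE tunnel network in the text

def ipv4_header(src, dst, proto, payload_len):
    """Build a minimal 20-byte IPv4 header with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    total = sum(struct.unpack("!10H", hdr))
    total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return hdr[:10] + struct.pack("!H", ~total & 0xFFFF) + hdr[12:]

def gre_encapsulate(inner, tunnel_src, tunnel_dst):
    """Prepend an outer IPv4 header and a basic 4-byte GRE header (RFC 2784)."""
    gre = struct.pack("!HH", 0, GRE_PROTO_IPV4)  # no optional fields set
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE, len(gre) + len(inner)) + gre + inner

def gre_decapsulate(packet):
    """Return (outer_src, outer_dst, inner_packet) or raise ValueError."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 4 or packet[9] != IPPROTO_GRE:
        raise ValueError("outer packet does not carry GRE")
    flags_version, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags_version != 0 or proto != GRE_PROTO_IPV4:
        raise ValueError("only basic GRE carrying IPv4 is handled here")
    return (ipaddress.ip_address(packet[12:16]), ipaddress.ip_address(packet[16:20]),
            packet[ihl + 4:])

def demo():
    # Constructed sample: host addresses and payload are assumptions.
    payload = b"constructed-cleartext-payload"
    inner = ipv4_header("192.168.100.1", "192.168.100.2", 253, len(payload)) + payload
    wire = gre_encapsulate(inner, "100.64.1.1", "100.64.2.1")
    src, dst, recovered = gre_decapsulate(wire)
    return {"overhead": len(wire) - len(inner),
            "outer_in_underlay": src in UNDERLAY and dst in UNDERLAY,
            "inner_in_overlay": ipaddress.ip_address(recovered[12:16]) in OVERLAY,
            "roundtrip": recovered == inner,
            "payload_visible_on_wire": payload in wire}

if __name__ == "__main__":
    print(demo())
```

The 24 bytes of overhead (20-byte outer IPv4 header plus 4-byte GRE header) are what the tunnel adds to every packet, and the visible payload shows that GRE by itself provides encapsulation only, not confidentiality or integrity.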

 

 

This figure, instead, shows an original packet, an IPsec packet in transport mode, and an IPsec packet in tunnel mode.