From the course: Cisco CCNP SCOR Security (350-701) Cert Prep: 1 Security Concepts and Network Security

FlexVPN

- [Tutor] Another type of VPN that we need to compare for the SCOR exam is FlexVPN. This Cisco technology is a new implementation of the IPsec tunnel using the IKE version 2 protocol. The goal of FlexVPN is to simplify the deployment of VPN peers, including site-to-site, remote access and DMVPN. This is done by creating a single set of commands for the setup of remote peers. Functionally speaking, FlexVPN is identical to DMVPN. All of the pieces found within a DMVPN configuration are still there. We have point-to-point GRE tunnels between devices, and we still have dynamic tunnels created between spoke sites through NHRP, the Next Hop Resolution Protocol. Let's look at some of the main differences in FlexVPN versus DMVPN. First, while many traditional DMVPN networks use IKE version 1, FlexVPN uses IKE version 2. IKE version 2 offers many enhancements over IKE version 1, including EAP authentication, less bandwidth consumption, built-in NAT traversal and more. With DMVPN, we have a single static mGRE interface configured at the hub. With FlexVPN, both static and dynamic point-to-point interfaces are used, which allows for the flexibility of different per-spoke or per-hub behaviors. With traditional DMVPN, it's necessary for each spoke site to register with the hub router. With FlexVPN, NHRP is used to establish spoke-to-spoke communication, bypassing the need for hub registration. Let's look closer at the underlying pieces of FlexVPN, starting with the tunnel types. We have two tunnel types that you can see here: sVTI, or Static Virtual Tunnel Interfaces, and dynamic virtual-template tunnels. Static tunnels are configured just as you would expect with any GRE tunnel, and they would be configured on the spoke router to define a tunnel back to the hub. Virtual template tunnels are what truly bring the flexibility to FlexVPN.
This is a template that gets configured on the hub router, which allows the hub to create a copy of an existing interface without the need for additional configuration. Anytime a spoke site requests a tunnel connection to the hub, a virtual access interface is dynamically created based on the settings in this virtual template. Depending on the configuration, you can have a template that allows the hub to communicate with all types of incoming VPN connections. When the spoke connection is no longer needed, the virtual access interface is terminated. We can also configure virtual templates on the spokes, which will allow dynamic spoke-to-spoke tunnel creation in the same manner. Additionally, we can add AAA and authorization policy information to this template configuration, and this can be used to customize the virtual tunnel session based on the identity of the spoke peer. Another advantage of FlexVPN is the ability to create a high availability deployment, meaning that we have redundancy built in. This is achieved with a dual-hub topology, where we deploy two hub routers. Spoke routers would use methods such as IP SLA with tracking objects to detect an event where the main hub is unavailable, allowing for a changeover to the other hub. This is a common solution found within a data center environment, where we want our remote access to have a very high availability rate and minimal downtime. This design also allows for fast recovery in a case where a hub router goes down due to an unexpected power issue, a reload, or if we simply need to service the device. With dual-hub topologies, we can do that in two ways: a single-cloud deployment or a dual-cloud deployment. A dual-cloud deployment means that a spoke will maintain two separate active tunnels, one to each hub, at all times. A few considerations for this include the fact that dual-cloud deployments allow for traffic load sharing.
And that's based on routing policies that we define on the spokes. Also, dual-cloud topologies have a faster failure recovery time, as opposed to single-cloud deployments, and that's based on the routing protocol timers. A single-cloud deployment means only one active tunnel is available to the hub at any given time, which will fail over to the other hub in the event of a failure. Single-cloud deployments are easier to configure, although we do see a slower recovery time based on object tracking or dead peer detection. Notice the broken green lines going to HQ2. So this is our backup hub, and those broken lines indicate a redundant connection that is not active at the moment. In the event of a failure on HQ1, these spokes will be able to fail over to the backup hub. So that's an overview of Cisco FlexVPN, including the important building blocks and some different types of deployment options for high availability.
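As an added example, not part of the course material, here is a minimal Cisco IOS configuration that puts the building blocks above together: an IKEv2 proposal, policy, keyring and profile on the hub, an IKEv2 authorization policy attached to the profile, a virtual-template from which a Virtual-Access interface is cloned per spoke, and a spoke in the dual-cloud topology with one sVTI to each hub. All names, addresses (203.0.113.x for WAN, 10.x for tunnel and LAN prefixes) and the placeholder pre-shared key are assumptions chosen for the example. For hub preference and failover it uses IP SLA with a track object and static routes rather than a dynamic routing protocol; in a deployment that runs a routing protocol over the tunnels, route preference and recovery would come from that protocol and its timers instead.

```cisco
! ---- HQ1 hub. HQ2 is configured the same way with its own WAN address,
! ---- its own Loopback0 (10.0.0.2) and its own address pool.
aaa new-model
aaa authorization network FLEX-LOCAL local
!
crypto ikev2 proposal FLEX-PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy FLEX-POLICY
 proposal FLEX-PROPOSAL
!
crypto ikev2 keyring FLEX-KEYRING
 peer SPOKES
  address 0.0.0.0 0.0.0.0
  pre-shared-key REPLACE-WITH-A-STRONG-PSK
!
! Per-spoke authorization policy: assign the spoke a tunnel address from the
! pool and push this hub's tunnel address (Loopback0) to it over IKEv2, so the
! spoke needs no manual route to reach the hub through the tunnel.
ip local pool FLEX-POOL 10.0.1.1 10.0.1.254
crypto ikev2 authorization policy FLEX-SPOKE-AUTHZ
 pool FLEX-POOL
 route set interface
!
crypto ikev2 profile FLEX-HUB-PROFILE
 match identity remote address 0.0.0.0
 authentication local pre-share
 authentication remote pre-share
 keyring local FLEX-KEYRING
 aaa authorization group psk list FLEX-LOCAL FLEX-SPOKE-AUTHZ
 dpd 10 2 on-demand
 virtual-template 1
!
crypto ipsec transform-set FLEX-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile FLEX-IPSEC
 set transform-set FLEX-TS
 set ikev2-profile FLEX-HUB-PROFILE
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
! The template carries no traffic itself: one Virtual-Access interface is cloned
! from it per spoke IKEv2 session and removed again when that session ends.
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX-IPSEC

! ---- Spoke, dual cloud: one sVTI to each hub, both tunnels up at all times.
! ---- Proposal, policy and transform-set are the same as on the hub (not repeated).
aaa new-model
aaa authorization network FLEX-LOCAL local
crypto ikev2 keyring FLEX-KEYRING
 peer HUBS
  address 203.0.113.0 255.255.255.0
  pre-shared-key REPLACE-WITH-A-STRONG-PSK
! Advertise this spoke's LAN to each hub over IKEv2 (the hub installs it
! pointing at the spoke's Virtual-Access interface).
ip access-list standard SPOKE-LAN
 permit 10.11.1.0 0.0.0.255
crypto ikev2 authorization policy FLEX-SPOKE-AUTHZ
 route set interface
 route set access-list SPOKE-LAN
crypto ikev2 profile FLEX-SPOKE-PROFILE
 match identity remote address 203.0.113.1 255.255.255.255
 match identity remote address 203.0.113.2 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local FLEX-KEYRING
 aaa authorization group psk list FLEX-LOCAL FLEX-SPOKE-AUTHZ
 dpd 10 2 on-demand
crypto ipsec profile FLEX-IPSEC
 set transform-set FLEX-TS
 set ikev2-profile FLEX-SPOKE-PROFILE
!
interface Tunnel1
 description sVTI to HQ1 (primary)
 ip address negotiated
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX-IPSEC
interface Tunnel2
 description sVTI to HQ2 (backup)
 ip address negotiated
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX-IPSEC
!
! Prefer HQ1 with a tracked static route: the probe pings HQ1's Loopback0 through
! Tunnel1 every 5 s; when it fails, track 10 goes down, the tracked route is
! withdrawn and the floating route (administrative distance 10) via Tunnel2 wins.
ip sla 10
 icmp-echo 10.0.0.1 source-interface Tunnel1
 frequency 5
ip sla schedule 10 life forever start-time now
track 10 ip sla 10 reachability
ip route 10.100.0.0 255.255.0.0 Tunnel1 track 10
ip route 10.100.0.0 255.255.0.0 Tunnel2 10
```

To check the result, `show crypto ikev2 sa` on the spoke should list one IKEv2 SA per hub, `show ip interface brief | include Virtual-Access` on each hub shows the interface cloned for the spoke, and `show track 10` on the spoke shows whether the primary path is currently considered reachable. A wildcard pre-shared key shared by all spokes is used here only to keep the example short; with it, any host that learns the key can register as a spoke, so a production hub should authenticate spokes with certificates or EAP and bind the authorization policy to the spoke's identity.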
