Posts

Showing posts from 2021

How to Set Up an IPSec Tunnel On PAN-OS - Palo Alto Firewalls

Set Up an IPSec Tunnel

The IPSec tunnel configuration allows you to authenticate and/or encrypt the data (IP packet) as it traverses the tunnel.

If you are setting up the Palo Alto Networks firewall to work with a peer that supports policy-based VPN, you must define Proxy IDs. Devices that support policy-based VPN use specific security rules/policies or access-lists (source addresses, destination addresses and ports) for permitting interesting traffic through an IPSec tunnel. These rules are referenced during quick mode/IKE phase 2 negotiation, and are exchanged as Proxy-IDs in the first or the second message of the process. So, if you are configuring the Palo Alto Networks firewall to work with a policy-based VPN peer, for a successful phase 2 negotiation you must define the Proxy-ID so that the setting on both peers is identical. If the Proxy-ID is not configured, because the Palo Alto Networks firewall supports route-based VPN, the default values used as Proxy-ID are source

What is VXLAN?

What is VXLAN?

VXLAN is an encapsulation protocol that provides data center connectivity using tunneling to stretch Layer 2 connections over an underlying Layer 3 network. In data centers, VXLAN is the most commonly used protocol to create overlay networks that sit on top of the physical network, enabling the use of virtual networks. The VXLAN protocol supports the virtualization of the data center network while addressing the needs of multi-tenant data centers by providing the necessary segmentation on a large scale.

VXLAN Packet:
• VXLAN is a point-to-multipoint tunneling mechanism that extends Layer 2 networks over an IP network.
• VXLAN uses MAC-in-UDP encapsulation (UDP destination port 4789).

Two Modes of VXLAN:
1. Flood-and-Learn VXLAN:
  • No control plane
  • Data-driven flood and learn
  • Ethernet in the overlay network
2. VXLAN EVPN:
  • EVPN as control plane
  • VTEPs exchange L2/L3 host and subnet reachability through the EVPN control plane
  • Routing protocol for both L2 and

Introduction to ACI

What is an ACI network?

At a very basic level, ACI is really just a Spine/Leaf network of Nexus 9k switches with a management platform. The network management platform (APIC) provides you with a single place from which to manage the network.

Is ACI an Overlay or Underlay network? ACI is an automated (VXLAN) overlay network running over an automated (ISIS) underlay network. ACI can transport any IP traffic, including "overlay" networks based on VXLAN*, NVGRE*, etc.

How ACI Fabric is Built - Zero Touch:

What Do We Mean by Policy?
• Access Policies = Define how a switch or switch port is configured, specifically Ethernet and link layer properties such as LLDP, LACP, CDP, speed/duplex, etc.
• Tenant Policies = Govern traditional networking. This is where logical connectivity is defined.
• Access policies and Tenant policies work in tandem to define where and how endpoints or applications are connected.

1. Tenants: Isolated configuration "zones" on common physical infrastructure
2. VRFs are