
VPN Technologies

© 2012 Cisco and/or its affiliates. All rights reserved. SPEDGE v1.0—1-1
• Describe the concept of VPNs and the reasons why VPNs were
introduced
• Describe VPN implementation models, and list benefits and drawbacks
of VPNs

VPN Concept

[Figure: Cisco IP NGN architecture. Access types: Mobile Access, Residential Access, Business Access. Layers: Application Layer; Services Layer (Mobile Services, Video Services, Cloud Services); IP Infrastructure Layer (Access, Aggregation, IP Edge, Core).]

• Cisco NGN is a next-generation service provider infrastructure for video,
mobile, and cloud or managed services.
• It provides an all-IP network for services and applications, regardless of
access type.
[Figure: IP Infrastructure Layer of the Cisco IP NGN. Residential, Mobile Users, and Business customers enter through Access, Aggregation, IP Edge, and Core.]

• VPNs rely on the IP edge and core parts of the IP infrastructure layer of
the Cisco IP NGN.

Traditional router-based networks connect customer sites through routers
connected via dedicated point-to-point links (leased lines).

[Figure: Customer A sites A, B, C, and D interconnected by leased lines.]

• VPNs replace dedicated point-to-point links with emulated
point-to-point links that share common infrastructure.
• Customers use VPNs primarily to reduce their operational costs.

[Figure: A large customer site and a smaller customer site connect through Customer Premises Equipment (CPE), also called Customer Edge (CE) routers, to Provider Edge (PE) devices. Virtual Circuit 1 and Virtual Circuit 2 cross the Provider (P) core devices; other customers' routers share the same infrastructure.]

• Cost savings:
- Replacing expensive long-distance leased lines with much less expensive
dedicated connections to the service provider (DSL, fiber)
- Offloading support costs
• Scalability:
- Adding a new branch office is fast and simple: add an additional link to
the ISP (adding a site to the customer VPN).
• Improved security:
- Use of encryption protocols and authentication (only where the VPN
technology itself provides them, such as IPsec or SSL VPN; Layer 2 VCs and
MPLS VPNs separate customer traffic but do not encrypt it)
• Better performance:
- More high-capacity data service options can be used (cheaper bandwidth).

• Flexibility and reliability:
- Widespread availability of fiber, DSL, and other broadband options
- Using more than one ISP
• Greater access to mobile users:
- Increases productivity and responsiveness for employees working from home
or on business trips

[Figure: same topology as the previous slide (CPE/CE routers, PE devices, P core devices, Virtual Circuits 1 and 2) with the three network regions labelled.]

• Provider network (P-network): The service provider infrastructure used to
provide VPN services
• Customer network (C-network): The part of the network still under customer
control
• Customer site: A contiguous part of the customer network (can encompass many
physical locations)
[Figure: same topology with device roles labelled: CE router at each customer site, PE router at the provider edge, P router in the core.]

• P device: The device in the provider network with no customer connectivity
• PE device: The device in the provider network to which the customer devices
are connected
• CE device: The device in the customer network that links to the provider
network (sometimes also called CPE)
• PE-CE link: A link between a PE router and a CE router

VPN Models

[Figure: IP Infrastructure Layer of the Cisco IP NGN, repeated from the VPN Concept section. Residential, Mobile Users, and Business customers enter through Access, Aggregation, IP Edge, and Core.]

• VPNs rely on the IP edge and core parts of the IP infrastructure layer of
the Cisco IP NGN.

VPN services can be offered based on two major models:
• Overlay model, in which the service provider provides virtual point-to-
point links between customer sites
• Peer-to-peer model, in which the service provider participates in the
customer routing

VPNs
• Overlay VPN
- Layer 2 VPN: X.25, Frame Relay, ATM
- Layer 3 VPN (tunneling over IP): GRE, DMVPN, IPsec, GET VPN, L2TPv3, SSL VPN
• Peer-to-Peer VPN
- ACLs (shared router)
- Split routing (dedicated router)
- MPLS VPN

• Layer 2 VPN
- The service provider establishes Layer 2 VCs between customer sites.
- The customer is responsible for all higher layers.

[Figure: IP carried over X.25, Frame Relay, or ATM virtual circuits.]

• The service provider infrastructure appears as point-to-point links to the
customer.
• The service provider does not see customer routes and is responsible
only for providing the point-to-point transport of customer data.
• Layer 3 VPN – IP tunneling
- Routing protocols run directly between customer routers.
- GRE is simple (and quicker), but by itself provides no authentication or
confidentiality.
- IPsec provides authentication, integrity, and confidentiality.
• Layer 2 VPN – Layer 2 forwarding
- Transparent tunneling of Layer 2 over IP

[Figure: protocol stacks. Layer 3 VPN: IP over GRE/mGRE, IPsec, or SSL, carried over IP. Layer 2 VPN: 802.1Q, PPP, or Ethernet over L2TPv3, carried over IP.]
[Figure: Customer Site A (CE router, hub) and Customer Sites B, C, and D (CE routers, spokes) connect to PE devices that are Frame Relay/ATM switches; virtual circuits cross the Provider (P) core devices.]

• VPN is implemented with IP-over-Frame Relay or ATM tunnels:
- The service provider establishes Layer 2 VCs between customer sites.
- The customer is responsible for all higher layers.

[Figure: same hub-and-spoke topology with PE routers and a P router; IP tunnels run between the CE routers.]

• VPN is implemented with IP-over-IP tunnels:
- Tunnels are established with GRE.
- Tunnel interfaces are point-to-point.
- Enables dynamic routing and multicast
- Runs GRE over IPsec to secure the tunnel payload
[Figure: same hub-and-spoke topology; IP tunnels from the hub plus dynamically created spoke-to-spoke IP tunnels.]

• VPN is implemented with IP-over-IP tunnels (DMVPN):
- Tunnels are established with mGRE.
- Tunnel interfaces are point-to-multipoint.
- Enables dynamic routing and multicast
- Runs mGRE over IPsec to secure the tunnel payload
[Figure: same hub-and-spoke topology; IPsec tunnels run between the CE routers.]

• VPN is implemented with IP-over-IP tunnels:
- Tunnels are established with IPsec (tunnel mode).
- Only static routing is possible (a plain IPsec tunnel has no tunnel
interface, so routing protocols and multicast cannot run across it; GRE over
IPsec is used when those are needed)
- Secures payload
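The three overlay tunnel types above (GRE, mGRE/DMVPN, and IPsec tunnel mode) all add headers to every customer packet, and the drawbacks slide later notes that overlay VPNs always incur this encapsulation overhead. The script below is an added example, not part of the Cisco course material; it computes the per-packet overhead of each encapsulation and the largest inner packet that still fits a 1500-byte link. It assumes IPv4 outer headers, GRE without key or sequence options, and an ESP transform of AES-CBC with HMAC-SHA1-96; the header, IV, block, and ICV sizes are constants at the top and can be changed for other transforms.

```python
"""Per-packet overhead of the overlay tunnel types on the preceding slides.

Added example, not Cisco course material. Header sizes are the standard
ones: IPv4 20 bytes; GRE 4 bytes (no key or sequence option); ESP = SPI 4
+ sequence 4 + IV + plaintext padded to the cipher block + pad length 1
+ next header 1 + ICV. The assumed IPsec transform is AES-CBC (16-byte IV
and block) with HMAC-SHA1-96 (12-byte ICV); change the constants for
other transforms.
"""
IPV4_HDR = 20
GRE_HDR = 4          # flags/version + protocol type only
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header
AES_CBC_IV = 16
AES_BLOCK = 16
HMAC_SHA1_96_ICV = 12


def esp_size(plaintext_len, iv=AES_CBC_IV, block=AES_BLOCK, icv=HMAC_SHA1_96_ICV):
    """Size of one ESP packet (excluding the outer IP header).

    Plaintext plus the 2-byte trailer is padded up to the cipher block size,
    so the overhead is not a constant per packet.
    """
    body = plaintext_len + ESP_TRAILER
    pad = (-body) % block
    return ESP_HDR + iv + body + pad + icv


def gre_size(inner_len):
    """Plain GRE: outer IPv4 header + GRE header + the inner IP packet."""
    return IPV4_HDR + GRE_HDR + inner_len


def ipsec_tunnel_size(inner_len):
    """ESP tunnel mode: the whole inner IP packet is the ESP plaintext,
    and a new outer IPv4 header is added."""
    return IPV4_HDR + esp_size(inner_len)


def gre_over_ipsec_size(inner_len, transport_mode=False):
    """GRE over IPsec. Tunnel mode wraps the complete GRE/IP packet in ESP
    behind a new outer header; transport mode keeps the GRE outer header
    and protects only GRE header + inner packet."""
    if transport_mode:
        return IPV4_HDR + esp_size(GRE_HDR + inner_len)
    return IPV4_HDR + esp_size(gre_size(inner_len))


def max_inner_mtu(encap, link_mtu=1500):
    """Largest inner IP packet that encap() fits into link_mtu unfragmented.

    Searched downward because ESP padding makes the overhead non-linear.
    """
    for inner in range(link_mtu, 0, -1):
        if encap(inner) <= link_mtu:
            return inner
    raise ValueError("link MTU too small for this encapsulation")


ENCAPSULATIONS = {
    "GRE": gre_size,
    "IPsec ESP tunnel mode": ipsec_tunnel_size,
    "GRE over IPsec (tunnel mode)": gre_over_ipsec_size,
    "GRE over IPsec (transport mode)": lambda n: gre_over_ipsec_size(n, True),
}


def overhead_table(inner_len=1400, link_mtu=1500):
    """Return {name: (overhead bytes for inner_len, max inner MTU on link_mtu)}."""
    return {name: (f(inner_len) - inner_len, max_inner_mtu(f, link_mtu))
            for name, f in ENCAPSULATIONS.items()}


if __name__ == "__main__":
    for name, (overhead, mtu) in overhead_table().items():
        print(f"{name:32s} +{overhead:3d} B on a 1400-byte packet; "
              f"max inner packet on a 1500-byte link: {mtu}")
```

Running it shows why a GRE-over-IPsec tunnel interface is commonly given an IP MTU around 1400 bytes rather than the 1476 that plain GRE would allow: with this transform the largest inner packet that survives GRE over ESP tunnel mode on a 1500-byte link is 1414 bytes, and ESP padding makes the exact figure depend on packet size, so 1400 leaves margin without fragmenting the outer packet.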

[Figure: same hub-and-spoke topology; L2TPv3 tunnels run between the CE routers.]

• L2TPv3 is used as a tunneling mechanism to deploy Layer 2 transparent
services over IP:
- L2TPv3 includes support for multiple Layer 2 encapsulations, including
802.1Q VLAN, QinQ, and Ethernet.

[Figure: Customer Site A (hub) with an SSL VPN gateway behind its CE router; remote-access SSL VPN tunnels arrive over the Internet, while Customer Sites B and C connect through PE routers and the P core.]

• SSL VPN enables remote-access connectivity from almost any Internet-
enabled location:
- Easy integration of the SSL VPN gateway into a shared MPLS network

[Figure: peer-to-peer VPN on the same hub-and-spoke topology of CE routers, PE routers, and a P router.]

• PE-CE routing information is exchanged between CE and PE routers.
• PE routers exchange customer routes through the core network.
• Customer routes are propagated through the PE network and sent to other CE
routers.

[Figure: shared-router peer-to-peer VPN. Customer X Site A and Customer Y Site A both connect to one shared PE (POP) router; Customer X Site B and Customer Y Site B connect to a second PE router across the Provider (P) core.]

• The POP router carries all customer routes.
• Isolation between customers is achieved with the use of ACLs (packet
filters) on PE-to-CE interfaces.

[Figure: dedicated-router peer-to-peer VPN. Customer X and Customer Y each connect to their own dedicated PE router at the POP; the P router connects the dedicated PE routers across the core.]

• The P router contains all customer routes.
• Each customer has a dedicated PE router that carries only its routes.
• Isolation between customers is achieved through the lack of routing
information on the PE router.

[Figure: Customer Sites A, B, C, and D with CE routers, PE routers, and a P router; payload-encrypted traffic crosses the provider network without tunnels.]

• GET VPN:
- Does not use tunnels; behaves almost like transport mode IPsec
- Large-scale solution accommodating multicast
- Uses a group security association and a shared encryption key
- Centralized policy and key server with periodic rekeying
[Figure: MPLS VPN. Customer Sites A, B, C, and D with CE routers connected to PE routers; the P router sits in the label-switched core.]

• CE routers route traffic to PE routers.
• Each customer has its own isolated routing table instance on the PE router.
• P routers do not have customer route information.
• Label switching is enabled in the service provider core.
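The peer-to-peer designs differ in where the isolation boundary sits: the shared router keeps one routing table and relies on packet filters at the PE-CE interfaces, while the MPLS VPN (and dedicated-router) design keeps a separate routing table per customer, so another customer's routes are simply not reachable. The model below is an added example, not Cisco code; it represents a PE as longest-prefix-match routing tables, runs the same forwarding requests through a shared-router PE with ACLs and a VRF-based PE, and shows the two failure modes the drawbacks slide warns about: a filter missing on one PE-CE link leaks traffic, and overlapping customer address space cannot be expressed in a single table. Customer prefixes, interface names, and next-hop labels are made up for the illustration.

```python
"""Customer isolation in the two peer-to-peer PE designs on these slides.

Added example, not Cisco code. A PE router is modelled as one or more
longest-prefix-match routing tables. SharedPE is the shared-router design
(one table, ACLs on the PE-CE interfaces); VrfPE is the per-customer
table design an MPLS VPN PE uses. Prefixes, interface and next-hop names
are constructed for the illustration.
"""
from ipaddress import ip_address, ip_network


class RoutingTable:
    """Longest-prefix-match table mapping prefix -> next hop / egress."""

    def __init__(self, routes=()):
        self.routes = [(ip_network(prefix), nexthop) for prefix, nexthop in routes]

    def lookup(self, dst):
        dst = ip_address(dst)
        matches = [(net, nh) for net, nh in self.routes if dst in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]


class SharedPE:
    """Shared-router PE: one table for every customer. Isolation depends on
    a (source prefix, destination prefix) permit list per PE-CE interface
    with an implicit deny; an interface with no ACL forwards everything."""

    def __init__(self, routes, acls):
        self.table = RoutingTable(routes)
        self.acls = {ifc: [(ip_network(s), ip_network(d)) for s, d in rules]
                     for ifc, rules in acls.items()}

    def forward(self, ingress, src, dst):
        src, dst = ip_address(src), ip_address(dst)
        rules = self.acls.get(ingress)
        if rules is not None and not any(src in s and dst in d for s, d in rules):
            return "denied by ACL"
        return self.table.lookup(dst) or "no route"


class VrfPE:
    """MPLS VPN style PE: the ingress interface selects a per-customer table
    (VRF), so routes of other customers are not visible at all."""

    def __init__(self, vrf_routes, interface_vrf):
        self.vrfs = {name: RoutingTable(r) for name, r in vrf_routes.items()}
        self.interface_vrf = interface_vrf

    def forward(self, ingress, src, dst):
        return self.vrfs[self.interface_vrf[ingress]].lookup(dst) or "no route"


def demo():
    """Run the constructed scenario and return the forwarding decisions."""
    x_routes = [("10.1.0.0/16", "Gi0/1 (X site A)"), ("10.2.0.0/16", "PE2 via core")]
    y_routes = [("172.16.1.0/24", "Gi0/2 (Y site A)"), ("10.2.0.0/16", "PE3 via core")]
    acls = {"Gi0/1": [("10.1.0.0/16", "10.0.0.0/8")],        # X talks only to X space
            "Gi0/2": [("172.16.1.0/24", "172.16.0.0/16")]}   # Y talks only to Y space

    # Shared table: Y's second site also uses 10.2.0.0/16, which collides with
    # X's prefix, so only Y's first site can be installed alongside X.
    shared = SharedPE(x_routes + y_routes[:1], acls)
    # Same PE with the ACL forgotten on Gi0/1 (the drawbacks slide's warning).
    unfiltered = SharedPE(x_routes + y_routes[:1], {"Gi0/2": acls["Gi0/2"]})
    # VRF PE: both customers keep 10.2.0.0/16, each in its own table.
    vrf_pe = VrfPE({"X": x_routes, "Y": y_routes}, {"Gi0/1": "X", "Gi0/2": "Y"})
    # P router: provider infrastructure only, no customer prefixes.
    p_router = RoutingTable([("192.0.2.0/24", "core links"),
                             ("198.51.100.0/24", "PE loopbacks")])

    return {
        "shared_x_to_x": shared.forward("Gi0/1", "10.1.0.5", "10.2.0.9"),
        "shared_x_to_y": shared.forward("Gi0/1", "10.1.0.5", "172.16.1.9"),
        "shared_missing_acl_x_to_y": unfiltered.forward("Gi0/1", "10.1.0.5", "172.16.1.9"),
        "vrf_x_to_x": vrf_pe.forward("Gi0/1", "10.1.0.5", "10.2.0.9"),
        "vrf_y_same_prefix": vrf_pe.forward("Gi0/2", "172.16.1.7", "10.2.0.9"),
        "vrf_y_to_x": vrf_pe.forward("Gi0/2", "172.16.1.7", "10.1.0.5"),
        "p_router_customer_dst": p_router.lookup("10.1.0.5"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:28s} -> {result}")
```

The `vrf_y_to_x` result is the point: Customer Y has no route at all to Customer X's site, with no filter to maintain, whereas on the shared PE the same request is only as safe as the ACL on every PE-CE interface (`shared_missing_acl_x_to_y`). The `vrf_y_same_prefix` lookup shows both customers using 10.2.0.0/16 at once, which the single shared table cannot hold, and the P router lookup returns nothing for a customer address, matching the statement that P routers carry no customer routes.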

• Overlay VPN:
- Well-known and easy to implement
- Service provider does not participate in customer routing.
- Customer network and service provider network are
well isolated.
• Peer-to-peer VPN:
- Guarantees optimum routing between customer sites
- Easier to provision an additional VPN
- Only sites provisioned, not links between them

• Overlay VPN:
- Implementing optimum routing requires a full mesh of
VCs.
- VCs have to be provisioned manually.
- Bandwidth must be provisioned on a site-to-site basis.
- Overlay VPNs always incur encapsulation overhead (GRE or IPsec).
• Peer-to-peer VPN:
- The service provider participates in customer routing. Filters should be applied
to customer links.
- The service provider becomes responsible for customer convergence.
- PE routers carry all routes from all customers.
- A secure environment must be provided for customers.
- Complex configuration
- The service provider needs detailed IP routing knowledge.

• Two options:
- Traditional router-based networks connect via dedicated point-to-point links.
- VPNs use emulated point-to-point links sharing a common infrastructure.
• The two major VPN models are overlay VPN and peer-to-peer VPN:
- Overlay VPNs use well-known technologies and are easy to implement.
- Overlay VPN VCs have to be provisioned manually.
- Peer-to-peer VPNs guarantee optimum routing between customer sites.
- Peer-to-peer VPNs require that the service provider participate in customer
routing.

