© 2012 Cisco and/or its affiliates. All rights reserved. SPEDGE v1.0—1-1
• Describe the concept of VPNs and the reasons why VPNs were introduced
• Describe VPN implementation models, and list benefits and drawbacks of VPNs
VPN Concept
[Figure: Cisco IP NGN architecture. Mobile, residential, and business access feed an Application Layer, a Services Layer (mobile, video, and cloud services), and an IP Infrastructure Layer serving mobile users and business.]
• VPNs rely on the IP edge and core parts of the IP Infrastructure Layer of the Cisco IP NGN.
Traditional router-based networks connect customer sites through routers connected via dedicated point-to-point links (leased lines).
[Figure: Customer A sites A, B, C, and D interconnected by leased lines.]
• VPNs replace dedicated point-to-point links with emulated point-to-point links that share common infrastructure.
• Customers use VPNs primarily to reduce their operational costs.
• Cost savings:
- Replacing expensive long-distance leased lines with much less expensive dedicated connections to the service provider (DSL, fiber)
- Offloading support costs
• Scalability:
- Adding a new branch office is fast and simple: an additional link to the ISP adds the site to the customer VPN.
• Improved security:
- Use of encryption protocols and authentication
• Better performance:
- More high-capacity data service options can be used (cheaper bandwidth).
• Flexibility and reliability:
- Widespread availability of fiber, DSL, and other broadband options
- Using more than one ISP
• Greater access to mobile users:
- Increases productivity and responsiveness for employees working from home or on business trips
VPN Models
[Figure: IP Infrastructure Layer of the Cisco IP NGN, made up of Access, Aggregation, IP Edge, and Core, serving residential, mobile, and business users.]
VPN services can be offered based on two major models:
• Overlay model, in which the service provider provides virtual point-to-point links between customer sites
• Peer-to-peer model, in which the service provider participates in the customer routing
[Figure: VPN taxonomy: Overlay VPN and Peer-to-Peer VPN.]
• Layer 2 VPN
- The service provider establishes Layer 2 VCs between customer sites.
- The customer is responsible for all higher layers (IP and above).
• The service provider infrastructure appears as point-to-point links to the customer.
• The service provider does not see customer routes and is responsible only for providing the point-to-point transport of customer data.
• Layer 3 VPN – IP tunneling
- Routing protocols run directly between customer routers.
- GRE is simple (and quicker).
- IPsec provides authentication and security.
• Layer 2 VPN – Layer 2 forwarding
- Transparent tunneling of Layer 2 over IP
[Figure: overlay tunneling technologies carried over IP. Layer 3: GRE/mGRE, IPsec, SSL. Layer 2: 802.1Q, PPP, and Ethernet frames over L2TPv3.]
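The slide notes that GRE is the simpler tunnel while IPsec adds authentication and security, and a later slide lists the encapsulation overhead (GRE or IPsec) as a drawback of every overlay VPN. The added example below (not course material) puts numbers on that overhead: it computes the bytes each encapsulation adds to a customer IPv4 packet and the largest customer packet that still fits a 1500-byte provider link without fragmentation. The header sizes are the standard ones; the AES-CBC/HMAC-SHA1-96 parameters and the GRE-over-IPsec combination are assumptions for illustration.

```python
# Added example (not from the Cisco SPEDGE course material): per-packet overhead
# of the overlay tunnelling options on the slide, and the resulting tunnel MTU.
# Sizes assumed: IPv4 header 20 bytes (no options); minimal GRE header 4 bytes
# (RFC 2784, no checksum/key/sequence); ESP = SPI(4) + sequence(4) + IV +
# padding + pad-length(1) + next-header(1) + ICV (RFC 4303).

IPV4_HDR = 20
GRE_HDR = 4
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header


def gre_overhead():
    """Outer IPv4 header plus a minimal GRE header (the classic 1476-byte tunnel MTU)."""
    return IPV4_HDR + GRE_HDR


def esp_overhead(inner_len, iv_len=16, block=16, icv_len=12):
    """ESP tunnel-mode overhead for an inner packet of inner_len bytes.

    Defaults model AES-CBC (16-byte IV and block size) with HMAC-SHA1-96 (12-byte
    ICV); this is an assumed, common cipher suite, not one named on the slide.
    CBC requires (inner + trailer) to be padded to a block boundary, so the
    overhead depends on the inner packet length."""
    padding = -(inner_len + ESP_TRAILER) % block
    return IPV4_HDR + ESP_HDR + iv_len + padding + ESP_TRAILER + icv_len


def max_inner_packet(encap, link_mtu=1500):
    """Largest customer IPv4 packet that fits link_mtu after encapsulation."""
    if encap == "gre":
        return link_mtu - gre_overhead()
    if encap == "ipsec":
        # Overhead varies with padding, so walk downward to the largest size that fits.
        size = link_mtu
        while size + esp_overhead(size) > link_mtu:
            size -= 1
        return size
    if encap == "gre-over-ipsec":
        # Assumed combination: the GRE packet is itself the ESP payload, so the
        # customer packet must fit inside the ESP limit minus the GRE overhead.
        return max_inner_packet("ipsec", link_mtu) - gre_overhead()
    raise ValueError("unknown encapsulation: %s" % encap)


if __name__ == "__main__":
    for encap in ("gre", "ipsec", "gre-over-ipsec"):
        print(encap, max_inner_packet(encap))
```

The numbers explain why overlay designs set the tunnel interface MTU (or a TCP MSS clamp) below the physical link MTU: a full-size 1500-byte customer packet never fits once a tunnel header is added.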
[Figures: overlay VPN topologies between Customer Site A and Customer Site C across the Provider Edge (PE) devices, including a hub-and-spoke design with CE spoke routers, VPN tunnels, and an SSL VPN tunnel.]
PE-CE routing information is exchanged between CE and PE routers.
POP router carries all customer routes.
[Figure: peer-to-peer VPN, shared-router approach: Customer X Site A and Site B connected through the Provider Edge (PE) devices.]
Shared-router approach: the P router contains all customer routes.
Dedicated-router approach: each customer has a dedicated PE router that carries only its routes.
[Figure: Customer X Site A and Site B connected through the Provider Edge (PE) devices, shown with a shared P router and with a dedicated PE router.]
[Figure: GET VPN: CE routers at Customer Site A and Customer Site C exchange payload-encrypted traffic across the Provider Edge (PE) devices.]
• GET VPN:
- Does not use tunnels; behaves almost like transport mode IPsec
- Large-scale solution accommodating multicast
- Uses group security association and shared encryption key
- Centralized policy and key server with periodic rekeying
[Figure: peer-to-peer VPN: CE routers at Customer Site A and Customer Site C connect to PE routers, which connect across the Provider (P) core devices.]
• Overlay VPN:
- Well-known and easy to implement
- Service provider does not participate in customer routing.
- Customer network and service provider network are well isolated.
• Peer-to-peer VPN:
- Guarantees optimum routing between customer sites
- Easier to provision an additional VPN
- Only sites are provisioned, not links between them.
• Overlay VPN:
- Implementing optimum routing requires a full mesh of VCs.
- VCs have to be provisioned manually.
- Bandwidth must be provisioned on a site-to-site basis.
- Overlay VPNs always incur encapsulation overhead (GRE or IPsec).
• Peer-to-peer VPN:
- The service provider participates in customer routing. Filters should be applied to customer links.
- The service provider becomes responsible for customer convergence.
- PE routers carry all routes from all customers.
- A secure environment must be provided for customers.
- Complex configuration
- The service provider needs detailed IP routing knowledge.
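The shared-router and dedicated-router slides describe where a peer-to-peer provider keeps customer routes, and the drawbacks above add that PE routers carry every customer's routes and that filters belong on customer links. The added example below (not course material) is a toy model of both approaches: a per-link prefix filter rejects routes a customer is not entitled to advertise, and a shared table shows the collision that occurs when two customers use the same address block, which the per-customer tables avoid. Customer names, prefixes, and the overlapping-address scenario are constructed for illustration.

```python
# Added example (not from the Cisco SPEDGE course material): toy model of
# customer route handling on a peer-to-peer VPN provider router.
# Assumptions: a route is accepted on a PE-CE link only if it falls inside the
# prefixes the provider has allowed for that customer (the "filter on customer
# links" advice); customers may reuse the same private address space.
from ipaddress import ip_network


class CustomerLink:
    """A PE-CE link carrying a prefix filter for what the customer may advertise."""

    def __init__(self, customer, allowed_prefixes):
        self.customer = customer
        self.allowed = [ip_network(p) for p in allowed_prefixes]

    def accept(self, prefix):
        # More-specific routes inside an allowed block pass; anything else
        # (for example a default route or another customer's space) is dropped.
        net = ip_network(prefix)
        return any(net.subnet_of(allowed) for allowed in self.allowed)


class SharedPE:
    """Shared-router approach: one route table holds all customers' routes."""

    def __init__(self):
        self.table = {}   # prefix -> customer that advertised it

    def learn(self, link, prefix):
        if not link.accept(prefix):
            return "filtered"
        net = ip_network(prefix)
        if net in self.table and self.table[net] != link.customer:
            return "conflict"   # two customers' address space overlaps in one table
        self.table[net] = link.customer
        return "installed"


class DedicatedPE:
    """Dedicated-router approach: each customer gets its own table, so no collisions."""

    def __init__(self):
        self.tables = {}  # customer -> {prefix -> customer}

    def learn(self, link, prefix):
        if not link.accept(prefix):
            return "filtered"
        self.tables.setdefault(link.customer, {})[ip_network(prefix)] = link.customer
        return "installed"


def demo():
    # Constructed scenario: customers X and Y both run RFC 1918 space 10.1.0.0/16.
    x = CustomerLink("X", ["10.1.0.0/16"])
    y = CustomerLink("Y", ["10.1.0.0/16"])
    results = {}
    for name, pe in (("shared", SharedPE()), ("dedicated", DedicatedPE())):
        results[name] = [pe.learn(x, "10.1.1.0/24"),   # X's LAN
                         pe.learn(y, "10.1.1.0/24"),   # Y's LAN, same prefix
                         pe.learn(y, "0.0.0.0/0")]     # Y tries to advertise a default route
    return results
```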
• Two options:
- Traditional router-based networks connect via dedicated point-to-point links.
- VPNs use emulated point-to-point links sharing a common infrastructure.
• The two major VPN models are overlay VPN and peer-to-peer VPN:
- Overlay VPNs use well-known technologies and are easy to implement.
- Overlay VPN VCs have to be provisioned manually.
- Peer-to-peer VPNs guarantee optimum routing between customer sites.
- Peer-to-peer VPNs require that the service provider participate in customer routing.