Published by Annice Cunningham, modified over 9 years ago
Slide 1: Virtual Private Networks
Juha Heinänen, jh@song.fi, Song Networks
Slide 2: What is an IP VPN?
- an emulation of a private (wide area) network facility using provider IP facilities
- provides permanent connectivity between multiple customer sites
- implementation can be either customer or provider based
- can span multiple providers
© Juha Heinänen
Slide 3: VPN Example
[figure: two VPNs spanning three SPs (SP1, SP2, SP3); elements labelled PE, P, RAS and CEs]
Slide 4: VPN Requirements
- support for customer addressing
  - non-unique, overlapping address spaces
- support for data security
  - authenticity, privacy, integrity
- support for QoS assurances
  - bandwidth, latency
Slide 5: VPN Classification
- who implements the VPN
  - CE or PE based
- at which layer the VPN operates
  - Layer 2 or Layer 3
- how the VPN is implemented
  - membership discovery, signaling, tunneling protocol, ...
Slide 6: CE Based VPNs
- integrate VPN capabilities in CE devices
  - CEs are connected via IPSec tunnels over the Internet (available everywhere)
  - provide site-to-site security
  - require networking skills and a key management system
- the only choice if security of the VPN service is a concern
Slide 7: A CE Based VPN
[figure: IPSec tunnel over the Internet; elements labelled RAS and Telecommuter]
Slide 8: PE Based VPNs
- outsource the VPN operation to SPs
  - PEs appear as router peers or bridges to CEs
  - works with conventional access routers
  - simplified CE operation
  - brings new revenue sources to SPs
- suitable when the SPs and local loops can be trusted
Slide 9: A Network Based VPN
[figure: VPN tunnel over the Internet between "virtual" routers or bridges; elements labelled Telecommuter and "virtual" RAS]
Slide 10: Layer 2 vs. Layer 3 VPNs
- Layer 2 VPNs
  - provide Virtual Private Wire Service (VPWS) or Virtual Private LAN Service (VPLS)
  - PEs not aware of customer's Layer 3 protocols, addresses, or routing
- Layer 3 VPNs
  - provide Virtual Routing Service
  - PEs participate as routing peers in customers' Layer 3 protocols
Slide 11: Virtual Private Wire Service
[figure: two access connections joined by a VPN tunnel over the Internet]
AC can be a physical PPP or Ethernet link, FR or ATM VC, VLAN, MPLS LSP, etc.
Slide 12: Virtual Private LAN Service
[figure: virtual learning bridges connected over the Internet]
AC can be a physical Ethernet link or VLAN.
Slide 13: Layer 3 VPN
[figure: virtual routers connected over the Internet, with dynamic or static routing on each access side]
AC can be a physical PPP or Ethernet link, FR or ATM VC, VLAN, MPLS LSP, etc.
Slide 14: Generic VPN Problems
- how to discover which other CEs or PEs belong to the same VPN
- how to set up VPN tunnels and which tunneling protocols to use
- how to advertise end-point reachability within a VPN
Slide 15: VPN Membership Discovery
- a CE or a PE port is configured to belong to a given VPN
- CE or PE learns about other members via
  - configuration (CEs)
  - BGP piggybacking (PEs)
  - DNS (CEs and PEs)
- DNS vs. BGP for discovery is currently a hot issue
Slide 16: VPN Tunneling
- choices for VPN tunneling protocols
  - MPLS (over MPLS or GRE), L2TPv3, IPSec
- choices for tunnel setup protocols
  - LDP, BGP piggybacking, L2TPv3, IPSec
- tunneling protocol can be chosen independently of discovery protocol
Slide 17: Advertising Reachability
- Layer 2 VPNs
  - VPLS has no need to advertise reachability
  - VPWS can piggyback Layer 3 reachability into tunnel setup
- Layer 3 VPNs
  - via IGP over VPN tunnels between VRs
  - via BGP extended with VPN addresses
Slide 18: BGP Piggybacking
- assumes that each PE runs (extended) BGP
- difficulties with multiprovider VPNs
  - all transit SPs need to be trusted
  - VPN information visible at border routers
  - advertisement scope is difficult to control
- OK for single SP VPNs where customer sites can be backhauled to BGP speaking PEs
Slide 19: BGP/MPLS Model
[figure: MPLS LSPs for the VPN across SP1, SP2 and SP3]
Slide 20: DNS/GRE/MPLS Model
[figure: IP tunnels for the VPN across SP1, SP2 and SP3]
Slide 21: DNS Based VPLS Example
[figure: PE1, PE2 and PE3 discovering each other through the DNS records below]
xyz.vpn.sp.net IN A PE1
               IN A PE2
               IN A PE3
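As an added illustration of the DNS based discovery on this slide (not code from the presentation), the following Python takes a constructed zone fragment with placeholder VPN names and PE addresses, resolves the membership of a VPN the local PE is configured for, and works out which full-mesh tunnels to add or remove after a fresh lookup:

```python
"""DNS based VPLS membership discovery, as sketched on the slide above.

A PE is configured for a VPN, resolves the VPN's DNS name to the set of PE
addresses advertised for it, and keeps a full mesh of VPN tunnels to every
other member; a fresh lookup tells it which tunnels to add or remove.
Zone data and addresses are constructed placeholders so this runs offline.
"""
from typing import Dict, Set, Tuple

# Constructed zone fragment: one A record per PE that belongs to the VPN.
ZONE = """
xyz.vpn.sp.net.  IN A 192.0.2.1
xyz.vpn.sp.net.  IN A 192.0.2.2
xyz.vpn.sp.net.  IN A 192.0.2.3
abc.vpn.sp.net.  IN A 192.0.2.2
abc.vpn.sp.net.  IN A 192.0.2.9
"""


def parse_zone(zone: str) -> Dict[str, Set[str]]:
    """Map each VPN name to the set of PE addresses advertised for it."""
    members: Dict[str, Set[str]] = {}
    for line in zone.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[1:3] != ["IN", "A"]:
            continue  # skip blank lines and anything that is not an A record
        members.setdefault(fields[0].rstrip(".").lower(), set()).add(fields[3])
    return members


def discover(zone: str, vpn: str, local_pe: str) -> Set[str]:
    """Return the remote PEs this PE must tunnel to for `vpn` (full mesh).

    A PE only joins a VPN it is configured for, so DNS listing it is a
    consistency check; a mismatch is a configuration or zone error.
    """
    members = parse_zone(zone).get(vpn.rstrip(".").lower(), set())
    if local_pe not in members:
        raise ValueError(f"{local_pe} is not advertised as a member of {vpn}")
    return members - {local_pe}


def reconcile(current: Set[str], discovered: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Tunnels to set up and to tear down after a fresh discovery round."""
    return discovered - current, current - discovered


if __name__ == "__main__":
    have = {"192.0.2.2"}  # tunnels PE1 (192.0.2.1) already has up
    want = discover(ZONE, "xyz.vpn.sp.net", "192.0.2.1")
    add, remove = reconcile(have, want)
    print("add:", sorted(add), "remove:", sorted(remove))
```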
Slide 22: Summary
- Frame Relay and ATM based VPNs are migrating to IP based VPNs
- a secure VPN can only be implemented using IPSec between CEs
- Layer 2 VPNs (especially VPLS) are becoming an alternative to Layer 3 VPNs
- the jury is still out regarding the discovery and tunneling protocols