NetworkWorld-Netzwerktage 2002 - in cooperation with:
Network Design with latest VPN Technologies
Carsten Rossenhövel, Managing Director
Which VPN type fits the purpose?
Questions to identify:
• What are the business goals?
• Which applications will use the VPN?
• What are the technical and security requirements?
=> A check list is required to select the kind of VPN best fitting the requirements and purpose
Figure: Central Office connected over the Internet to SOHO, Branch Office, Teleworkers and Mobile Workers.
VPN Business Goals
• Identify the primary business goals before selecting a VPN implementation!
• Reduce the budget for network connections?
• Enhance network security?
• Outsource IT infrastructure?
VPN Application Areas
Important question: What will be the primary use of the VPN?
• MAN/WAN Intranet (Branch office connectivity)
• Extranet (SOHO / Business partner access)
• Remote Access (Teleworkers, SOHOs)
VPN Operations
Who is going to operate the VPN network?
• Enterprise IT Department
• Service Provider (outsourced)
• Who owns the equipment?
Different technology options:
=> SPs usually work with MPLS or layer 2 technologies
=> Enterprises usually use IPsec
Figure: Enterprise Office with a Customer Edge (CE) device attached to the Provider Edge (PE) of the Service Provider Network.
Applications used in the VPN
• IP Data only?
• Voice over IP?
• Layer 2 data (Ethernet, non-IP protocols, Frame Relay, ATM)?
=> Different applications with different QoS requirements: guaranteed bandwidth, latency, jitter
Applications used in the VPN (2)
Source: Cisco Systems
Section II
Introduction to VPNs with Multi Protocol Label Switching
VPN Wish List
• Different sites of multiple enterprises are connected through a common provider backbone
• Use layer 3 backbone
• Overlapping address spaces
• Using private and public addresses
• VPN isolation
• Simple management
• Scalability
• Quality of Service
Figure: Provider Network connecting Site 1 and Site 2 of enterprise 1 and Site 1 and Site 2 of enterprise 2.
VPN Models
Layer 2 VPN model (“overlay”)
• Well-known from ATM, Frame Relay carrier networks
• Customer interface at data link layer (ATM, Frame Relay, Ethernet)
• Private layer 2 trunks tunneled through MPLS network
Layer 3 VPN model (“peer”)
• Customer interface at IP layer
• VPN isolation by tunneling through backbone
• Backbone does not have information about customer IP networks
Layer 2 VPN Benefits
• Looks like legacy ATM, Frame Relay, ... service to customers
• Transparent service for upper layers and private addresses
• Layer 3 multi-protocol support based on layer 2 service
• Overlay model isolates core from VPN routing
• No need to replace existing customer premises equipment (ATM, Frame Relay, ...)
• Layer 2 over MPLS / IP may use extended backbone facilities (fast reroute etc.), compared to pure layer 2 VPN services provided with ATM and Frame Relay
Layer 3 VPN Benefits
• Scalability for any-to-any connectivity
• Support for private address space
• Provides a fully routed IP network solution, while the VPN routes are separated from core backbone routing
• Meshing in the core network is the responsibility of the service provider (customer not involved)
• May use MPLS / IP backbone facilities (fast reroute etc.)
MPLS VPNs
Standards status of Multi Protocol Label Switching:
• “Layer 3 VPN” RFC2547 (March 1999) widely used
• Informational RFC provided by Cisco Systems; NOT an IETF standard
• “Layer 2 VPN”: several competing IETF drafts; beta status; first implementations seen in interop tests
• Not ready for customer network implementation yet
Introduction to RFC2547
• CE, PE and P devices
• Administrative policy is used for VPN construction
Figure: Common Network of Provider (P) devices; Customer Edge (CE) devices at Sites 1, 2 and 3 of enterprise 1 and Sites 1 and 2 of enterprise 2 attach to Provider Edge (PE) devices.
Roles
MPLS Edge Router (PE device)
• Filters incoming user traffic, assigns to VPNs
• Collects and populates private network forwarding tables
• Establishes MPLS paths across the core for each VPN edge-to-edge connectivity
• Establishes logically single-hop VPN connections between the VPN edges
MPLS Core Router (P device)
• Does not implement VPN routing; just switches packet streams according to their MPLS labels
• The labels carry enough information to transport data through the core
Per-site Forwarding Tables
• How to manage large amounts of customer IP addresses, potentially overlapping?
• Per-Site Forwarding Tables: Provider Edge routers have multiple routing tables, one for each customer site
• Propagated by BGP routing inside the core
• VPNs are isolated from each other
Figure: one PE with attached CE1, CE2 and CE3; the PE routing tables are labelled CE1 and CE2/CE3.
VPN Route Distribution via BGP
Problem:
• A BGP speaker can only install and distribute one route to a given address prefix. In MPLS, there are different VPNs with overlapping address spaces
Solution:
• Create a new address family, adding a route distinguisher to the IP address
Route Distinguisher (RD) layout (byte offsets 0, 4, 8, 12): bytes 0 to 8 hold the RD, made up of Type, Administrator and Assigned Number; bytes 8 to 12 hold the IPv4 Address.
The Target VPN Attribute
• Is it sufficient to keep routes inside a single VPN? Basically: Yes.
• In certain applications, routes need to be installed in selected foreign VPNs.
• Solution: Per-site forwarding tables are associated with one or more "Target VPN" attributes
• Allows selective route installation in appropriate PE forwarding tables only
• Target VPN attribute is carried in BGP
Target VPN Example
• Task: Distribute Site 1 route to Extranet VPN1 (sites 1, 4, 5) and to company-internal VPN2 (sites 2, 3) but not to VPN3
Figure: Provider Network with VPN 1 (Sites 1, 4, 5), VPN 2 (Sites 2, 3) and VPN 3 (Sites 6, 7). Steps shown for the IPv4 Route of Site 1:
• Converts IPv4 Route into VPN-IPv4, adds Target VPN1 and Target VPN2 attributes
• Converts VPN-IPv4 into IPv4 route and distributes to Sites 3, 4, 5 because of the Target attributes
• Distributes to Site 2 because of the VPN2 Target attribute
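The per-site forwarding tables, the route distinguisher and the Target VPN example above fit together in a few dozen lines. The following is an added worked example and not code from the slides or from EANTC: it builds a type-0 RD (2-byte type, 2-byte administrator AS number, 4-byte assigned number, the 8-byte layout of the RD slide), prepends it to an IPv4 prefix to form the 12-byte VPN-IPv4 address, and lets PE routers install received routes only into the VRFs whose import targets match. AS number 65000, the target strings, the placement of Sites 1 and 2 on PE1 and Sites 3 to 7 on PE2, and the overlapping 10.1.0.0/24 prefix announced by both Site 1 and Site 6 are all constructed assumptions.

```python
import ipaddress
import struct
from dataclasses import dataclass, field


def encode_rd_type0(admin_asn: int, assigned: int) -> bytes:
    """Type 0 route distinguisher: 2-byte type (0), 2-byte administrator (AS number),
    4-byte assigned number; 8 bytes in total, as on the RD layout slide."""
    return struct.pack("!HHI", 0, admin_asn, assigned)


def vpn_ipv4_key(rd: bytes, prefix: ipaddress.IPv4Network) -> bytes:
    """VPN-IPv4 address: the 8-byte RD followed by the 4-byte IPv4 address (12 bytes)."""
    return rd + prefix.network_address.packed


@dataclass
class VpnIpv4Route:
    rd: bytes
    prefix: ipaddress.IPv4Network
    next_hop_pe: str
    targets: frozenset          # Target VPN attributes carried with the route in MP-iBGP

    @property
    def key(self) -> bytes:
        return vpn_ipv4_key(self.rd, self.prefix)


@dataclass
class Vrf:
    """Per-site forwarding table on a PE: its own RD plus export/import Target VPN sets."""
    name: str
    rd: bytes
    export_targets: frozenset
    import_targets: frozenset
    routes: dict = field(default_factory=dict)   # IPv4Network -> "local" or next-hop PE name


class ProviderEdge:
    def __init__(self, name: str):
        self.name = name
        self.vrfs = {}

    def add_vrf(self, vrf: Vrf):
        self.vrfs[vrf.name] = vrf

    def export_routes(self, vrf_name: str, prefixes):
        """Turn a site's IPv4 routes into VPN-IPv4 routes tagged with the VRF's export targets."""
        vrf = self.vrfs[vrf_name]
        advertised = []
        for p in prefixes:
            net = ipaddress.IPv4Network(p)
            vrf.routes[net] = "local"
            advertised.append(VpnIpv4Route(vrf.rd, net, self.name, vrf.export_targets))
        return advertised

    def import_routes(self, routes):
        """Install a received VPN-IPv4 route only into VRFs whose import targets match one
        of the route's Target VPN attributes; the originating VRF keeps its local route."""
        for r in routes:
            for vrf in self.vrfs.values():
                if vrf.rd != r.rd and vrf.import_targets & r.targets:
                    vrf.routes[r.prefix] = r.next_hop_pe


def run_example():
    """Scenario of the slide: Site 1 belongs to extranet VPN1 (sites 1, 4, 5) and to
    company-internal VPN2 (sites 2, 3); VPN3 (sites 6, 7) must never see its route."""
    vpn1, vpn2, vpn3 = "target:65000:1", "target:65000:2", "target:65000:3"   # constructed
    pe1, pe2 = ProviderEdge("PE1"), ProviderEdge("PE2")

    def site(n, targets):
        t = frozenset(targets)          # symmetric import/export for this illustration
        return Vrf(f"site{n}", encode_rd_type0(65000, n), t, t)

    pe1.add_vrf(site(1, [vpn1, vpn2]))
    pe1.add_vrf(site(2, [vpn2]))
    pe2.add_vrf(site(3, [vpn2]))
    for n in (4, 5):
        pe2.add_vrf(site(n, [vpn1]))
    for n in (6, 7):
        pe2.add_vrf(site(n, [vpn3]))

    # Site 1 and Site 6 announce the same private prefix; the RD keeps them distinct.
    adverts = pe1.export_routes("site1", ["10.1.0.0/24"]) + pe2.export_routes("site6", ["10.1.0.0/24"])
    bgp_table = {r.key: r for r in adverts}       # MP-iBGP holds both, keyed by VPN-IPv4
    for pe in (pe1, pe2):
        pe.import_routes(adverts)

    vrf_view = {v.name: {str(p): nh for p, nh in v.routes.items()}
                for pe in (pe1, pe2) for v in pe.vrfs.values()}
    return len(bgp_table), vrf_view


if __name__ == "__main__":
    count, view = run_example()
    print(f"{count} VPN-IPv4 routes in BGP")
    for name, table in sorted(view.items()):
        print(name, table)
```

Running it shows two distinct VPN-IPv4 routes for the one prefix 10.1.0.0/24, Sites 2 to 5 learning Site 1's route via PE1, and Site 7 learning only Site 6's copy via PE2; a VRF without a matching import target never sees the route, which is the isolation property the checklist later credits to MPLS VPNs.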
VPN Route Distribution with BGP
• Provider Edge routers are attached to a common AS (Autonomous System), running iBGP-MP
• Backbone routers (P devices) do not participate in BGP!
• iBGP-MP = interior Border Gateway Protocol / Multi-Protocol Extensions
Figure: three Private Networks attached to PEs inside one AS. PE learns VPN routes and converts to VPN-IP address; MP-iBGP routing exchanges the 64 bit “route distinguisher”.
VPN Example – Labelling
Figure: MPLS Network with CE1 and CE2 attached to PE1, CE3 and CE4 attached to PE2, and core routers P1 and P2 in between. Packets leave the CEs as plain IP, carry one label (L IP) at the PE, and travel through the core with two labels (L L IP). Legend: Label VPN A, Label VPN B, Label between PE1 and PE2.
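The labelling figure and the earlier Roles slide make one claim worth seeing in code: P routers switch on the outer label only and never read the customer IP header, while the inner VPN label tells the egress PE which per-site table to consult. The following is an added example, not code from the slides or from EANTC: PE1 pushes a VPN label and a transport label, P1 and P2 swap the outer label, and PE2 pops both and does a longest-prefix lookup inside the selected VRF. Label values (16, 17, 18 for the LSP, 100 and 200 for VPN A and VPN B), the CE port mapping and the overlapping 10.1.0.0/24 prefix in both VPNs are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Packet:
    labels: list                      # label stack; index 0 is the outer (top) label
    ip_dst: str                       # customer IP header, only ever read by PE devices
    trace: list = field(default_factory=list)


class IngressPE:
    """PE1: classifies by incoming port (which CE), pushes the VPN label and the transport label."""

    def __init__(self, name, vrf_of_port, vpn_label_of_vrf, lsp_label_to_egress):
        self.name = name
        self.vrf_of_port = vrf_of_port                  # "CE1" -> "VPN A"
        self.vpn_label_of_vrf = vpn_label_of_vrf        # VPN label the egress PE announced per VRF
        self.lsp_label_to_egress = lsp_label_to_egress  # outer label of the LSP towards PE2

    def forward(self, in_port, pkt):
        vrf = self.vrf_of_port[in_port]
        pkt.labels = [self.lsp_label_to_egress, self.vpn_label_of_vrf[vrf]]
        pkt.trace.append(f"{self.name}: {in_port} in {vrf}, push {pkt.labels}")
        return pkt


class CoreP:
    """P1/P2: swap the outer label only; never look at the VPN label or the IP header."""

    def __init__(self, name, swap_table):
        self.name = name
        self.swap_table = swap_table                    # incoming outer label -> outgoing outer label

    def forward(self, pkt):
        old = pkt.labels[0]
        if old not in self.swap_table:
            pkt.trace.append(f"{self.name}: no entry for label {old}, dropped")
            pkt.labels = []
            return pkt
        pkt.labels[0] = self.swap_table[old]
        pkt.trace.append(f"{self.name}: swap {old} -> {pkt.labels[0]}")
        return pkt


class EgressPE:
    """PE2: pops the transport label, uses the VPN label to select the per-site table,
    then does an ordinary longest-prefix lookup inside that table only."""

    def __init__(self, name, vrf_of_vpn_label, vrf_tables):
        self.name = name
        self.vrf_of_vpn_label = vrf_of_vpn_label        # VPN label -> VRF name
        self.vrf_tables = vrf_tables                    # VRF name -> {IPv4Network: out port}

    def forward(self, pkt):
        if len(pkt.labels) < 2:                         # dropped in the core or malformed
            return None, None
        pkt.labels.pop(0)                               # transport label ends at this PE
        vpn_label = pkt.labels.pop(0)
        vrf = self.vrf_of_vpn_label.get(vpn_label)
        if vrf is None:
            pkt.trace.append(f"{self.name}: unknown VPN label {vpn_label}, dropped")
            return None, None
        dst = ipaddress.IPv4Address(pkt.ip_dst)
        matches = [(net, port) for net, port in self.vrf_tables[vrf].items() if dst in net]
        if not matches:
            pkt.trace.append(f"{self.name}: {vrf} has no route to {dst}, dropped")
            return vrf, None
        net, port = max(matches, key=lambda m: m[0].prefixlen)
        pkt.trace.append(f"{self.name}: pop {vpn_label} -> {vrf}, {dst} via {port}")
        return vrf, port


def run_example():
    """CE1 (VPN A) and CE2 (VPN B) both send to 10.1.0.5; each VPN uses that address
    space privately, so the packets must end at CE3 and CE4 respectively."""
    pe1 = IngressPE("PE1", {"CE1": "VPN A", "CE2": "VPN B"}, {"VPN A": 100, "VPN B": 200}, 16)
    p1, p2 = CoreP("P1", {16: 17}), CoreP("P2", {17: 18})
    pe2 = EgressPE("PE2", {100: "VPN A", 200: "VPN B"},
                   {"VPN A": {ipaddress.IPv4Network("10.1.0.0/24"): "CE3"},
                    "VPN B": {ipaddress.IPv4Network("10.1.0.0/24"): "CE4"}})
    results = {}
    for ce in ("CE1", "CE2"):
        pkt = Packet([], "10.1.0.5")
        pe1.forward(ce, pkt)
        p1.forward(pkt)
        p2.forward(pkt)
        vrf, port = pe2.forward(pkt)
        results[ce] = (vrf, port, pkt.trace)
    return results


if __name__ == "__main__":
    for ce, (vrf, port, trace) in run_example().items():
        print(ce, "->", vrf, port)
        for step in trace:
            print("   ", step)
```

The trace lines from P1 and P2 never mention 10.1.0.5: the core forwards on label values alone, which is why the backbone needs no knowledge of customer addressing and why two VPNs can reuse the same private prefix without interfering.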
MPLS Layer 2 VPNs
• Provide point-to-point connections through an MPLS backbone
Figure: Common Network with Provider Edge (PE) devices; Ethernet and ATM Customer Edge (CE) devices at Site 1 and Site 3 of enterprise 1 and at Site 1 and Site 2 of enterprise 2.
MPLS Layer 2 VPNs (continued)
• Encoding already defined: how to map ATM cells and Ethernet frames into IP packets
• Signalling not defined yet – how to manage tunnels dynamically
• Point-to-multipoint / full mesh service not defined yet – how to switch ATM or Ethernet packets inside the MPLS network
Main VPN Features Checklist
Figure: comparison matrix of MPLS Layer 3 VPNs, MPLS Layer 2 VPNs, IPsec and Layer 2 (ATM / FR); the individual ratings are not legible in this transcript. Criteria:
• Suited for non-IP traffic
• Best suited for IP traffic
• Service + Equipment pricing
• Large-scale manageability
• Provides Quality of Service
• Available from many carriers
• Forwarding performance
• Scale for many end points (meshed)
• Interoperable with 3rd party products
• Provides security (VPN isolation)
Section III – Service Levels
First step: Define Service Levels
• Get in touch with company product managers to learn about their application requirements
• Inspect applications running in the network, derive typical requirements
• Verify budgets for network quality versus budgets for application enhancements (maybe it’s cheaper to exchange the application than enhance the network)
Applications used in VPNs (revisited)
Source: Cisco Systems
How to define Service Levels
• Negotiate Classes of Service (CoS, DiffServ):
Figure: table of service classes (e.g. VoIP).
Verify Service Level Agreements
SLAs should be monitored and verified regularly:
• Has the network been reliable?
• Has network usage / application behavior changed?
Monitoring usually done by service provider – in addition, monitoring by customer useful for proactive management
Figure: CE and PE with a “Define SLAs” / “Verify SLAs” cycle.
Conclusion
• Different types of VPNs available on the market today
• Choose depending on application requirements
• Keep features and limitations of different alternatives in mind!
Thank you!
For more information, our web server is available at:
http://www.eantc.de/