Network Design with the Latest VPN Technologies
Carsten Rossenhövel, Managing Director
Which VPN type fits the purpose?
Questions to identify:
- What are the business goals?
- Which applications will use the VPN?
- What are the technical and security requirements?
=> A checklist is required to select the kind of VPN that best fits the requirements and the purpose.
(Figure: a Central Office connected over the Internet to a Branch Office, SOHO and Teleworker sites, and Mobile Workers.)
VPN Business Goals Identify the primary business goals before selecting a VPN implementation! Reduce the budget for network connections? Enhance network security? Outsource IT infrastructure?
VPN Application Areas Important question: What will be the primary use of the VPN? MAN/WAN Intranet (Branch office connectivity) Extranet (SOHO / Business partner access) Remote Access (Teleworkers, SOHOs)
VPN Operations
Who is going to operate the VPN network?
- Enterprise IT department
- Service provider (outsourced)
Who owns the equipment?
Different technology options:
- SPs usually work with MPLS or layer 2 technologies
- Enterprises usually use IPsec
(Figure: Enterprise Office with a Customer Edge (CE) device attached to a Provider Edge (PE) device in the Service Provider Network.)
Applications used in the VPN
- IP data only?
- Voice over IP?
- Layer 2 data (Ethernet, non-IP protocols, Frame Relay, ATM)?
=> Different applications have different QoS requirements: guaranteed bandwidth, latency, jitter.
Applications used in the VPN (2) Source: Cisco Systems
Section II: Introduction to VPNs with Multi Protocol Label Switching
VPN Wish List
Different sites of multiple enterprises are connected through a common provider backbone:
- Use a layer 3 backbone
- Overlapping address spaces: private and public addresses in use
- VPN isolation
- Simple management
- Scalability
- Quality of Service
(Figure: Site 1 and Site 2 of enterprise 1 and Site 1 and Site 2 of enterprise 2, all attached to the Provider Network.)
VPN Models
Layer 2 VPN model ("overlay")
- Well known from ATM and Frame Relay carrier networks
- Customer interface at the data link layer (ATM, Frame Relay, Ethernet)
- Private layer 2 trunks tunneled through the MPLS network
Layer 3 VPN model ("peer")
- Customer interface at the IP layer
- VPN isolation by tunneling through the backbone
- The backbone core holds no information about customer IP networks; only the edge devices keep per-VPN routes
Layer 2 VPN Benefits
- Looks like a legacy ATM, Frame Relay, ... service to customers
- Transparent service for upper layers and private addresses
- Layer 3 multi-protocol support based on the layer 2 service
- Overlay model isolates the core from VPN routing
- No need to replace existing customer premises equipment (ATM, Frame Relay, ...)
- Layer 2 over MPLS / IP may use extended backbone facilities (fast reroute etc.), compared to pure layer 2 VPN services provided with ATM and Frame Relay
Layer 3 VPN Benefits
- Scalability for any-to-any connectivity
- Support for private address space
- Provides a fully routed IP network solution, while the VPN routes are kept separate from core backbone routing
- Meshing in the core network is the responsibility of the service provider (customer not involved)
- May use MPLS / IP backbone facilities (fast reroute etc.)
MPLS VPNs
Standards status of Multi Protocol Label Switching VPNs:
- Layer 3 VPN: RFC 2547 (March 1999), widely used. Informational RFC written by Cisco Systems engineers; NOT an IETF standard. (Its standards-track successor is RFC 4364, "BGP/MPLS IP VPNs", February 2006.)
- Layer 2 VPN: several competing IETF drafts; beta status; first implementations seen in interop tests. Not ready for customer network implementation yet.
Introduction to RFC 2547
- CE, PE and P devices
- Administrative policy is used for VPN construction
(Figure: Customer Edge (CE) devices at Sites 1, 2 and 3 of enterprise 1 and Sites 1 and 2 of enterprise 2 attach to Provider Edge (PE) devices; Provider (P) devices form the common network.)
Roles
MPLS Edge Router (PE device)
- Filters incoming user traffic and assigns it to VPNs
- Collects and populates private network forwarding tables
- Establishes MPLS paths across the core for each VPN's edge-to-edge connectivity
- Establishes logically single-hop VPN connections between the VPN edges
MPLS Core Router (P device)
- Does not implement VPN routing; it just switches packet streams according to their MPLS labels, which carry enough information to transport the data through the core
Per-site Forwarding Tables
How to manage large amounts of customer IP addresses, potentially overlapping?
Per-site forwarding tables:
- Provider Edge routers have multiple routing tables, one for each customer site
- Propagated by BGP routing inside the core
- VPNs are isolated from each other
(Figure: CE1, CE2 and CE3 attached to a PE that keeps a separate routing table for each of them.)
VPN Route Distribution via BGP
Problem: A BGP speaker can only install and distribute one route to a given address prefix. In MPLS VPNs, different VPNs have overlapping address spaces.
Solution: Create a new address family (VPN-IPv4) by prepending a Route Distinguisher to the IP address.
VPN-IPv4 address format (12 bytes): an 8-byte Route Distinguisher (RD), consisting of a 2-byte Type field followed by a 6-byte value split into Administrator and Assigned Number subfields, followed by the 4-byte IPv4 address.
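The following is an added example (not part of the original slides) that encodes and decodes VPN-IPv4 addresses in the layout described above, and shows why two customers announcing the same 10.1.0.0/16 no longer collide once each carries its own RD. The ASN 65000, the address 192.0.2.1 and the assigned numbers are constructed values; a real MP-BGP UPDATE also carries a prefix length and a label with the NLRI, which the example leaves out to keep the 12-byte fixed layout drawn on the slide.

```python
"""Encode and decode VPN-IPv4 addresses (Route Distinguisher + IPv4 prefix).

Added example, not from the original slides. The layout follows the
RFC 2547 / RFC 4364 definition: an 8-byte RD (2-byte Type, then a 6-byte
value split into Administrator and Assigned Number subfields) followed by
the 4-byte IPv4 address. All ASNs and addresses below are constructed."""
import ipaddress
import struct


def encode_rd(rd_type, administrator, assigned):
    """Return the 8-byte Route Distinguisher for the given type."""
    if rd_type == 0:  # Administrator = 2-byte ASN, Assigned Number = 4 bytes
        return struct.pack("!HHI", 0, administrator, assigned)
    if rd_type == 1:  # Administrator = IPv4 address, Assigned Number = 2 bytes
        return struct.pack("!HIH", 1, int(ipaddress.IPv4Address(administrator)), assigned)
    if rd_type == 2:  # Administrator = 4-byte ASN (added in RFC 4364), Assigned Number = 2 bytes
        return struct.pack("!HIH", 2, administrator, assigned)
    raise ValueError("unknown RD type %r" % rd_type)


def decode_rd(rd):
    """Return the RD in the usual 'administrator:assigned' text form."""
    if len(rd) != 8:
        raise ValueError("RD must be 8 bytes")
    (rd_type,) = struct.unpack("!H", rd[:2])
    if rd_type == 0:
        admin, assigned = struct.unpack("!HI", rd[2:])
        return "%d:%d" % (admin, assigned)
    if rd_type == 1:
        admin, assigned = struct.unpack("!IH", rd[2:])
        return "%s:%d" % (ipaddress.IPv4Address(admin), assigned)
    if rd_type == 2:
        admin, assigned = struct.unpack("!IH", rd[2:])
        return "%d:%d" % (admin, assigned)
    raise ValueError("unknown RD type %d" % rd_type)


def encode_vpn_ipv4(rd, prefix):
    """RD followed by the network address: the 12-byte VPN-IPv4 address."""
    return rd + ipaddress.IPv4Network(prefix).network_address.packed


def decode_vpn_ipv4(data, prefixlen):
    """Split a 12-byte VPN-IPv4 address back into RD text and IPv4 prefix."""
    if len(data) != 12:
        raise ValueError("VPN-IPv4 address must be 12 bytes")
    return decode_rd(data[:8]), "%s/%d" % (ipaddress.IPv4Address(data[8:]), prefixlen)


def overlapping_prefix_demo():
    """Two customers both announce 10.1.0.0/16. Keyed by plain IPv4 prefix a
    BGP speaker could keep only one route; keyed by VPN-IPv4 address both fit."""
    prefix = "10.1.0.0/16"
    cust_a = encode_vpn_ipv4(encode_rd(0, 65000, 1), prefix)  # RD 65000:1 (constructed)
    cust_b = encode_vpn_ipv4(encode_rd(0, 65000, 2), prefix)  # RD 65000:2 (constructed)
    table = {cust_a: "customer A", cust_b: "customer B"}
    return len(table), cust_a.hex(), cust_b.hex()
```

Both customer routes survive in the table because the first eight bytes differ (`...00000001` versus `...00000002`) while the trailing `0a010000` (10.1.0.0) is identical.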
The Target VPN Attribute
Is it sufficient to keep routes inside a single VPN? Basically yes, but in certain applications (extranets) routes need to be installed in selected foreign VPNs as well.
Solution: Per-site forwarding tables are associated with one or more "Target VPN" attributes
- Allows selective route installation in the appropriate PE forwarding tables only
- The Target VPN attribute is carried in BGP as an extended community (later RFCs call it the Route Target)
Target VPN Example
Task: Distribute the Site 1 route to the extranet VPN1 (sites 1, 4, 5) and to the company-internal VPN2 (sites 2, 3), but not to VPN3 (sites 6, 7).
- The ingress PE converts the IPv4 route from Site 1 into a VPN-IPv4 route and adds the Target VPN1 and Target VPN2 attributes.
- Across the provider network, the egress PEs convert the VPN-IPv4 route back into an IPv4 route and distribute it to Sites 3, 4 and 5 because of the Target attributes, and to Site 2 because of the VPN2 Target attribute.
- Sites 6 and 7 (VPN3) import neither target and never receive the route.
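The example below is added here and is not from the original slides; it simulates the export and import logic of the Target VPN attribute for the seven-site scenario above. Site names follow the slide; the Route Target values 65000:1, 65000:2 and 65000:3 and the per-site RDs are constructed, and the helpers `export_route`, `import_route` and `distribute` are illustrative names, not an API of any router.

```python
"""Simulate RFC 2547 route distribution driven by Target VPN (Route Target)
attributes. Added example, not from the slides; RT and RD values are constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VpnRoute:
    rd: str               # RD of the originating per-site forwarding table
    prefix: str           # IPv4 prefix learned from the CE
    targets: frozenset    # Target VPN attributes carried in the BGP UPDATE


@dataclass
class Vrf:
    site: str
    rd: str
    export_rts: frozenset   # attached to routes this site originates
    import_rts: frozenset   # a route is installed if it carries any of these
    table: dict = field(default_factory=dict)


RT_VPN1, RT_VPN2, RT_VPN3 = "65000:1", "65000:2", "65000:3"   # constructed


def build_vrfs():
    """Per-site forwarding tables matching the slide: Site 1 is in the extranet
    VPN1 and in the internal VPN2, so it exports and imports both targets."""
    def vrf(site, rd, *rts):
        return Vrf(site, rd, frozenset(rts), frozenset(rts))
    return [
        vrf("Site 1", "65000:101", RT_VPN1, RT_VPN2),
        vrf("Site 2", "65000:102", RT_VPN2),
        vrf("Site 3", "65000:103", RT_VPN2),
        vrf("Site 4", "65000:104", RT_VPN1),
        vrf("Site 5", "65000:105", RT_VPN1),
        vrf("Site 6", "65000:106", RT_VPN3),
        vrf("Site 7", "65000:107", RT_VPN3),
    ]


def export_route(vrf, ipv4_prefix):
    """Ingress PE: the CE's IPv4 route becomes a VPN-IPv4 route (RD + prefix)
    tagged with the VRF's export targets."""
    return VpnRoute(vrf.rd, ipv4_prefix, vrf.export_rts)


def import_route(route, vrfs):
    """Every PE: install the route only into tables whose import set intersects
    the route's targets. Returns the sites that received it."""
    installed = []
    for vrf in vrfs:
        if vrf.rd == route.rd:
            continue  # the originating table already holds the route from its CE
        if route.targets & vrf.import_rts:
            vrf.table[route.prefix] = route.rd   # RD kept only for traceability; CE sees IPv4
            installed.append(vrf.site)
    return sorted(installed)


def distribute(site, prefix):
    """Originate `prefix` at `site` and report where the targets let it land."""
    vrfs = build_vrfs()
    origin = next(v for v in vrfs if v.site == site)
    return import_route(export_route(origin, prefix), vrfs)
```

Running `distribute("Site 1", "10.1.0.0/16")` yields Sites 2 to 5 and nothing in VPN3; the reverse direction shows the asymmetry an extranet introduces: a route from Site 4 (VPN1 only) reaches Site 1 and Site 5 but never Sites 2 and 3, because Site 4 exports only the VPN1 target.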
VPN Route Distribution with BGP
- Provider Edge routers are attached to a common AS (Autonomous System), running MP-iBGP (interior Border Gateway Protocol with Multi-Protocol Extensions)
- Backbone routers (P devices) do not participate in BGP!
- MP-iBGP exchanges VPN-IPv4 routes: the 64-bit Route Distinguisher plus the IPv4 prefix
- A PE learns VPN routes from its attached private networks and converts them to VPN-IPv4 addresses
(Figure: several Private Networks attached to PEs within the provider AS.)
VPN Example: Labelling
(Figure: IP packets from CE1 (VPN A) and CE4 (VPN B) enter PE1, cross the MPLS network via P1 and P2 to PE2, and leave towards CE2 and CE3. Inside the MPLS network each packet carries two labels: a VPN label identifying VPN A or VPN B, and a transport label between PE1 and PE2.)
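As an added example (not code from the slides), the block below walks a packet along the PE1 -> P1 -> P2 -> PE2 path of the figure with a two-entry label stack, and makes the division of roles from the earlier slide concrete: the P devices touch only the top label, the egress PE only the VPN label. The label values (20, 21, 100, 200), the LFIB contents and the mapping of VPN labels to CE2 and CE3 are constructed; the 32-bit stack entry layout is the RFC 3032 one.

```python
"""Label stack handling along the PE1 -> P1 -> P2 -> PE2 path of the slide.

Added example, not from the original slides. The 32-bit label stack entry
follows RFC 3032: 20-bit label, 3-bit EXP, 1-bit bottom-of-stack (S), 8-bit
TTL. Label values, LFIB contents and VRF-to-CE mapping are constructed."""
import struct

LABEL_MAX = 2 ** 20

# Constructed control-plane state.
VPN_LABEL_AT_PE2 = {"A": 100, "B": 200}      # PE2's per-VRF labels, learned by PE1 via MP-iBGP
CE_FOR_VPN_LABEL = {100: "CE2", 200: "CE3"}  # PE2: which CE an inner label belongs to
TRANSPORT_LABEL_PE1 = 20                     # PE1's transport label towards PE2
LFIB_P1 = {20: 21}                           # P1 swaps 20 -> 21
LFIB_P2 = {21: None}                         # P2 pops (penultimate hop popping)


def encode_entry(label, exp=0, bottom=False, ttl=64):
    """One 4-byte label stack entry."""
    if not 0 <= label < LABEL_MAX:
        raise ValueError("label out of range")
    word = (label << 12) | ((exp & 0x7) << 9) | (int(bottom) << 8) | (ttl & 0xFF)
    return struct.pack("!I", word)


def encode_stack(labels, ttl=64):
    """Outer (transport) label first; only the last entry carries S=1."""
    return b"".join(encode_entry(lbl, bottom=(i == len(labels) - 1), ttl=ttl)
                    for i, lbl in enumerate(labels))


def decode_stack(data):
    """Return (labels, payload); stops at the entry with S=1."""
    labels, off = [], 0
    while True:
        (word,) = struct.unpack_from("!I", data, off)
        off += 4
        labels.append(word >> 12)
        if (word >> 8) & 1:
            return labels, data[off:]


def ingress_pe(vrf, ip_packet):
    """PE1: the per-site table lookup yields PE2's VPN label and the transport label."""
    return encode_stack([TRANSPORT_LABEL_PE1, VPN_LABEL_AT_PE2[vrf]]) + ip_packet


def p_router(packet, lfib):
    """P device: looks only at the top label, swaps or pops it and decrements
    the TTL. The inner VPN label and the IP header are never examined."""
    (word,) = struct.unpack_from("!I", packet, 0)
    label, ttl = word >> 12, word & 0xFF
    if ttl <= 1:
        raise ValueError("TTL expired")
    action = lfib[label]          # KeyError for an unknown label models a drop
    rest = packet[4:]
    if action is None:            # pop: the egress PE needs only the VPN label
        return rest
    word = (word & 0x00000F00) | (action << 12) | (ttl - 1)   # keep EXP and S bits
    return struct.pack("!I", word) + rest


def egress_pe(packet):
    """PE2: the remaining (VPN) label selects the per-site forwarding table / CE."""
    labels, payload = decode_stack(packet)
    if len(labels) != 1:
        raise ValueError("expected a single VPN label at the egress PE")
    return CE_FOR_VPN_LABEL[labels[0]], payload


def end_to_end(vrf, ip_packet):
    """CE1/CE4 -> PE1 -> P1 -> P2 -> PE2 -> CE2/CE3, as in the figure."""
    packet = ingress_pe(vrf, ip_packet)
    packet = p_router(packet, LFIB_P1)
    packet = p_router(packet, LFIB_P2)
    return egress_pe(packet)
```

Because the P routers key only on the top label, two packets with identical IP headers but different VPN labels are delivered to different CEs, which is the isolation property the checklist later refers to; it is separation by label, not encryption of the payload.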
MPLS Layer 2 VPNs
Provide point-to-point connections through an MPLS backbone
(Figure: ATM and Ethernet Customer Edge (CE) devices at Sites 1 and 3 of enterprise 1 and Sites 1 and 2 of enterprise 2 attach to Provider Edge (PE) devices across the common network.)
MPLS Layer 2 VPNs (continued)
- Encoding already defined: how to map ATM cells and Ethernet frames into IP packets
- Signalling not defined yet: how to manage tunnels dynamically
- Point-to-multipoint / full mesh service not defined yet: how to switch ATM cells or Ethernet frames inside the MPLS network
Main VPN Features Checklist
Options compared: Layer 2 (ATM / FR), IPsec, MPLS Layer 2 VPNs, MPLS Layer 3 VPNs
Criteria:
- Provides security (VPN isolation). Note that for the layer 2 and MPLS options isolation means traffic separation inside the provider network, not encryption; only IPsec protects the confidentiality and integrity of the payload itself.
- Interoperable with 3rd party products
- Scales to many end points (meshed)
- Forwarding performance
- Available from many carriers
- Provides Quality of Service
- Large-scale manageability
- Service + equipment pricing
- Best suited for IP traffic
- Suited for non-IP traffic
Section III: Service Levels
First step: Define Service Levels
- Get in touch with company product managers to learn about their application requirements
- Inspect applications running in the network, derive typical requirements
- Verify budgets for network quality versus budgets for application enhancements (maybe it's cheaper to exchange the application than to enhance the network)
Applications used in VPNs (revisited) Source: Cisco Systems
How to define Service Levels
Negotiate Classes of Service (CoS, DiffServ), e.g. a dedicated class for VoIP.
Verify Service Level Agreements
SLAs should be monitored and verified regularly:
- Has the network been reliable?
- Has network usage / application behavior changed?
Monitoring is usually done by the service provider; in addition, monitoring by the customer is useful for proactive management.
(Figure: SLAs are defined and verified between the PE and the CE.)
Conclusion Different types of VPNs available on the market today Choose depending on application requirements Keep features and limitations of different alternatives in mind!
Thank you! For more information, see our web server: http://www.eantc.de/