www.netprotocolxpert.in
Layer 1 Overlay VPN
We can use leased lines for connectivity between branches. These are dedicated connections which provide a reliable link that is not shared with anyone else. When data is transmitted between branches it travels over a network path which is not under our control. If there is a logical or physical mechanism that provides security for our communication, we refer to it as a "VPN". This is the reason some people refer to T1, T3 or E1, E3 leased lines as a Layer 1 Overlay VPN.
Layer 2 Overlay VPN
When we want to connect our branches using a multi-access network we use Frame Relay. It is a protocol standard which provides multi-access network functionality as well as a secure transmission channel. On this channel we can communicate only with our own branches and not with others, which is why we can also call it a Layer 2 Overlay VPN.
Layer 2 and Half Overlay VPN
MPLS (Multi-Protocol Label Switching) is a very widely used technology these days for multi-access networks. When a packet enters an MPLS network, a 32-bit MPLS header (label) is inserted between the layer 2 and layer 3 headers. This is the reason why many folks call MPLS a layer 2.5 technology, thus making it a Layer 2 and Half Overlay VPN. When we use MPLS our entire routing table is shared with the service provider and all data travels in plain-text format; to make it secure there is a special VPN called GETVPN.
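The 32-bit header the passage describes has a fixed layout (RFC 3032): a 20-bit label, 3 traffic-class bits, a bottom-of-stack bit and an 8-bit TTL, and several entries may be stacked one after another. The Python below is an added example, not code from the original slides or from netprotocolxpert.in: it decodes a label stack from a constructed frame (the labels, addresses and payload are made up), finds where the layer 3 header starts, and checks the IP protocol number to tell whether what follows is an IPsec ESP packet or the clear-text data the passage warns about. It generalizes from the single label the text mentions to a full label stack.

```python
"""Decode the MPLS label stack that sits between the layer 2 and layer 3
headers and look at what follows it.  Field layout per RFC 3032: 20-bit
label, 3-bit traffic class, 1-bit bottom-of-stack, 8-bit TTL."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Tuple

MPLS_SHIM_LEN = 4     # one label stack entry is exactly 32 bits
IP_PROTO_ESP = 50     # IPsec ESP; what IPsec/GETVPN-protected packets carry


@dataclass(frozen=True)
class MplsLabel:
    label: int   # 20-bit label value (0-15 are reserved labels)
    tc: int      # 3-bit traffic class (formerly the EXP bits)
    bos: bool    # bottom-of-stack: True on the last entry before the L3 header
    ttl: int     # 8-bit time to live


def encode_label(label: int, tc: int, bos: bool, ttl: int) -> bytes:
    """Pack one label stack entry; used here only to build the constructed sample."""
    if not (0 <= label < 1 << 20 and 0 <= tc < 8 and 0 <= ttl < 256):
        raise ValueError("MPLS field out of range")
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bos) << 8) | ttl)


def parse_mpls_stack(data: bytes) -> Tuple[List[MplsLabel], bytes]:
    """Walk label entries until the bottom-of-stack bit is set.
    Returns the decoded stack and the bytes after it (the layer 3 packet)."""
    labels: List[MplsLabel] = []
    offset = 0
    while True:
        if len(data) - offset < MPLS_SHIM_LEN:
            raise ValueError("truncated MPLS label stack")
        (word,) = struct.unpack_from("!I", data, offset)
        entry = MplsLabel(
            label=word >> 12,
            tc=(word >> 9) & 0x7,
            bos=bool((word >> 8) & 0x1),
            ttl=word & 0xFF,
        )
        labels.append(entry)
        offset += MPLS_SHIM_LEN
        if entry.bos:
            return labels, data[offset:]


def summarize_l3(packet: bytes) -> dict:
    """Read the IPv4 header that follows the stack and report whether the
    payload is IPsec-protected (ESP) or exposed in clear text."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("expected an IPv4 header after the label stack")
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    return {
        "src": str(ipaddress.IPv4Address(packet[12:16])),
        "dst": str(ipaddress.IPv4Address(packet[16:20])),
        "protocol": proto,
        "encrypted": proto == IP_PROTO_ESP,
        "payload": packet[ihl:],
    }


# Constructed sample: two labels (a transport label and a VPN label), then a
# minimal IPv4 header (checksum left zero, experimental protocol 253) and a
# clear-text application payload.  Not a real capture.
SAMPLE_IPV4 = bytes.fromhex("45000020" "00010000" "40fd0000" "0a010101" "0a020202")
SAMPLE_PAYLOAD = b"hello branch"
SAMPLE = (
    encode_label(label=100, tc=0, bos=False, ttl=64)
    + encode_label(label=16, tc=5, bos=True, ttl=63)
    + SAMPLE_IPV4
    + SAMPLE_PAYLOAD
)


def inspect(data: bytes = SAMPLE) -> dict:
    """Decode the whole frame payload: label stack plus the layer 3 summary."""
    labels, l3 = parse_mpls_stack(data)
    info = summarize_l3(l3)
    info["labels"] = labels
    return info


if __name__ == "__main__":
    result = inspect()
    for entry in result["labels"]:
        print(f"label={entry.label} tc={entry.tc} bos={entry.bos} ttl={entry.ttl}")
    print(f'{result["src"]} -> {result["dst"]} proto={result["protocol"]} '
          f'encrypted={result["encrypted"]} payload={result["payload"]!r}')
```

Run stand-alone, the script prints the two labels and then the inner packet with `encrypted=False` and the readable payload, which is exactly the exposure the passage describes: anyone with access to the provider's label-switched path sees the layer 3 header and data. With IPsec or GETVPN in place, the same check would find protocol 50 (ESP) after the stack and the payload bytes would be ciphertext.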
Layer 3 Overlay VPN
Until now we have discussed VPNs which do not use a public network like the internet. If we are using the internet to connect the branches of an organization then we need to make sure that the data transmitted remains private and unaltered. To secure the communication we use IPSec (IP Security), which encrypts the data to make it private and also ensures that it is delivered unaltered.
IPSec is not capable of exchanging routing and multicast traffic between branch routers. For this purpose GRE (Generic Routing Encapsulation) is used. By default GRE has no security mechanism to protect data. To obtain security for routing and multicast traffic, IPSec must be used along with GRE.
These two protocols, IPSec and GRE, are represented as a Layer 3 Overlay VPN.
Layer 4 Overlay VPN
Many times when we are using the internet, we want the communication between servers and clients to be secure. For instance, when using a bank website we don't want to transmit data like credit card information, passwords, etc. in clear text. For this purpose Secure Socket Layer (SSL) and its successor Transport Layer Security (TLS) were invented. SSL was developed first and was later replaced by TLS. It is used for a wide variety of applications like web browsing, VoIP, email, etc. It works at the transport layer alongside other protocols and encrypts the data before it is transmitted. This is why it is referred to as a Layer 4 Overlay VPN.
Layers             Overlay Virtual Private Networks
Layer 1 Overlay    T1, T3 & E1, E3
Layer 2 Overlay    Frame-Relay, ATM
Layer 2 and half   MPLS
Layer 3 Overlay    IPSec, GRE
Layer 4 Overlay    SSL/TLS (HTTPS)
Site-Site VPN
Connectivity between branches is a necessity for any organization. It enables resources at either branch to be accessed from the other. A Site-Site VPN is used to secure this data transmission between two sites. Thus all the devices in the LAN of one site can transmit data to devices in the LAN of the other site. Things like employees placing VoIP calls between two sites become possible once the VPN is configured. It is one of the most commonly deployed VPN types.
Remote Access VPN
Work from home is very common in organizations these days. Employees can perform their duties while they are at home. The biggest challenge is to get them connected to the organization's network in a secure way. This problem is solved by deploying a Remote Access VPN.
Dynamic Multipoint Virtual Private Network (DMVPN)
When we have multiple sites connected to each other via the internet and secure communication between them is required, Site-Site VPN can be used. The only problem is that a full mesh of Site-Site VPN tunnels is hard to create, maintain and troubleshoot if the number of sites is huge. This problem is solved by DMVPN (Dynamic Multipoint Virtual Private Network). In DMVPN we create a hub and spokes, where hubs are called servers and spokes are called clients. When a client boots up, it registers itself with the server. When one spoke wants to communicate with another, a dynamic tunnel is created between the two spokes automatically. After the communication is done the tunnel is torn down. This solution is more manageable and scalable.
Group Encrypted Transport Virtual Private Network (GET VPN)
All VPN solutions like Site-Site, Remote Access and DMVPN provide point-to-point connectivity. GETVPN is the only solution which provides tunnel-less any-to-any connectivity. It makes the communication secure in private WAN deployments. GETVPN was especially designed for secure data communication over an MPLS network.
Secure Socket Layer VPN (SSL VPN)
The SSL protocol was designed for secure data communication between a web server and a web browser. Later it was modified and renamed Transport Layer Security (TLS). The biggest benefit of using an SSL VPN is that it does not necessarily require installation of a VPN client on the end user's device. SSL VPN can be used on any device that supports web browsing, so the end user device can be a PC, Mac, tablet or smartphone.
Protocols                                 Virtual Private Network
IPSec (IP Security)                       Site-Site, Remote Access, DMVPN
GDOI (Group Domain of Interpretation)     GET VPN (Group Encrypted Transport VPN)
SSL (Secure Socket Layer)                 Three Modes (Clientless, Thin, Thick)

Types of VPN
