Virtual Private Networks
Network Based IP VPN
Presented By: Wani Zahoor
zahoorwani91@gmail.com
Agenda
Introduction
VPN – Introduction, Requirements, Categories and Types
Virtual Private Routed Networks – Introduction, Features, Requirements
Virtual Private Routed Networks – Architecture
Virtual Router – Concept, Objectives, Characteristics
VR Based Solution for IP VPN
VPN support on Linux
Introduction - Types of Private Networks
A private network is a collection of hosts belonging to a common
administration or organization. Private connectivity between
geographically scattered networks is provided through
• Dedicated WANs - permanently connected to multiple sites
• Dial Networks - on demand connections through the PSTN to sites
Multi-site WAN services involve high cost and complexity. To overcome
this constraint, the Internet is used to provide the connectivity
between private networks.
Introduction - Motivation and History
Other factors that motivate migrating to Internet based connectivity
are as follows
• A need to extend the private network to offer services or
connectivity that is invisible to external observers.
• Economics, in terms of aggregating the costs of individual
components or set-ups into a single infrastructure and offering
services collectively over the public domain.
• A source of revenue generation for the ISPs.
What Is a VPN?
“A VPN is a communications environment in which access is
controlled to permit peer connections only within a defined community
of interest, and is constructed through some form of partitioning of a
common underlying communications medium, where this underlying
communications medium provides services to the network on a
non-exclusive basis.”
“A VPN is a private network constructed within a public network
infrastructure, such as the global Internet.”
A Virtual Private Network is a connectivity object between two or
more private entities. It uses the Internet or public domain
infrastructure to connect private networks.
VPN Requirements
Opaque Transport
VPN traffic may be unrelated to the traffic in the IP backbone
• Traffic can be multi-protocol
• The customer may be using IP addresses not related to the backbone.
These addresses may be private and non-unique
Data Security
• No misdirection, misrouting or snooping
• Security against modification of traffic in transit
• Protection against unauthorized analysis of traffic
QoS Guarantee
Need for IP based QoS similar to dedicated or dial lines or
ATM/Frame Relay
• Opaque transport requirement is fulfilled by using tunnels for
transport. Some tunneling mechanisms provide support for data
security and QoS.
• Some tunneling mechanisms are IP/IP, IPSec, GRE, L2TP, MPLS
Private connectivity between networks is an inherent characteristic
of a VPN implementation. This is achieved through the following
requirements
• Opaque transport
• Data Security
• QoS guarantee
• Tunneling mechanism
Tunneling Protocol Requirements
• Support for Multiplexing
• Signaling
• Security
• Multi-protocol traffic
• Frame Sequencing
• Maintenance
• Large MTUs
• Minimization of tunnel overhead
• Flow/Congestion control
• QoS/traffic management
Support matrix for IP/IP, IPSec, GRE, L2TP and MPLS (number of the five
mechanisms marked as supporting each requirement):
• Multiplexing – 4 of 5
• Signaling – 4 of 5
• Security – 2 of 5
• Multi-protocol traffic – 3 of 5
• Frame sequencing – 3 of 5
• Maintenance – none marked
• Large MTUs – none marked
• Minimization of tunnel overhead – none marked
• Flow/Congestion control – 1 of 5
• QoS/Traffic management – 1 of 5
VPN Categories
VPN services are provided at layer 2 and layer 3. IP based layer 3
VPN implementations are broadly classified as follows
• Customer Premises Equipment (CPE) based Model
• Network based or Provider Provisioned Model
CPE Based Model
Some characteristics of the CPE based VPN model are as follows
• Provides VPN capabilities on firewalls, WAN edge routers and
specialized VPN termination devices
• Handles security, tunneling between customer ends, management
of services and devices, administrative responsibility and
operational costs
• Uses the ISP only for transmission of data over the backbone
Network Based Model
Some characteristics of the network based VPN model are as follows
• ISPs provide services with no change in the subscriber equipment.
Services like firewalling, data security, routing configuration,
QoS, tunnel establishment, management and maintenance are
handled by the provider
• No extra investment is needed, at the customer end, on dedicated
expensive CPE gear when subscribing to a VPN service
• The customer is given the option of choosing various services at
various costs
• The customer follows a trust model for security, where it trusts or does
not trust the provider
• The trust model extends across multiple providers if the VPN spans
the domains of multiple providers
• Forwarding of data between the provider edges takes place through
tunnels
• The complexity of operation and administrative responsibility rests
with the provider
Types of VPNs
• Virtual Leased Lines
• Virtual Private Dial Networks
• Virtual Private LAN Segment
• Virtual Private Routed Networks
Virtual Leased Lines
[Figure: Virtual Leased Line. CPE <-> ATM VCC <-> ISP edge router (10.0.0.5) <-> IP tunnel across the IP backbone (10.0.0.4/30) <-> ISP edge router (10.0.0.6) <-> ATM VCC <-> CPE]
Provides a point to point link between the customer's CPE devices
The ISP edge router binds an ATM VCC to a tunnel in the IP backbone,
e.g. the AAL5 payload is encapsulated in an IPSec tunnel in the backbone
Virtual Private Dial Networks
[Figure: Virtual Private Dial Network. CPE <-> dial-up connection <-> NAS (LAC) <-> L2TP tunnel across the IP backbone <-> Gateway (LNS), 10.0.0.6 <-> corporate network 10.0.0.0/16]
L2TP – Layer 2 Tunneling Protocol
LAC – L2TP Access Concentrator
LNS – L2TP Network Server
PPP frames are tunneled across the IP backbone using L2TP
The L2 connection terminating at the LAC avoids a long distance dialup connection
The PPP session terminates at the LNS
Virtual Private LAN Segment
- Transparent LAN Service
[Figure: Virtual Private LAN Segment. Three CPEs, each attached over a stub link to an ISP edge router (10.0.0.5, 10.0.0.6, 10.0.0.9); the three edge routers are fully meshed with IP tunnels across the IP backbone]
Emulation of a LAN over the Internet
CPE can be a bridge or a router
Full mesh connectivity between edge routers
Bridge CPE
• ISP edge routers do flooding and MAC learning
Router CPE
• Explicit link layer routes to CPE routers
Virtual Private Routed Networks
[Figure: Virtual Private Routed Network. Three PE routers, fully meshed with IP tunnels across an IP backbone of P routers; CPE 1 and CPE 2 sites attach to the PEs over stub links (10.1.1.0/30, 10.2.2.0/30, 10.3.3.0/30, 10.5.5.0/30, 10.6.6.0/30)]
PE – Provider Edge
CPE – Customer Premises Equipment
P – Provider/Interior
[Figure: Encapsulation in IP/IP. A customer packet from 10.1.1.1 to 10.5.5.1 enters the provider backbone at PE 10.0.0.1 and is tunneled to PE 157.0.0.1: outer IP header with destination address 157.0.0.1, inner IP header with destination address 10.5.5.1, then the customer data]
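The IP/IP encapsulation shown in the figure above, as an added example that is not part of the original presentation: it builds the inner customer packet (10.1.1.1 to 10.5.5.1), wraps it in an outer header between the PEs (10.0.0.1 to 157.0.0.1), and shows the egress PE accepting only packets that really are IP/IP from its configured peer, so that a stray packet cannot be injected into the VPN. The helper names, the UDP inner protocol and the sample payload are assumptions.

```python
"""IP-in-IP (protocol 4) encapsulation as performed between two PE routers.
Constructed example; the addresses follow the slide's figure."""
import socket
import struct

IPPROTO_IPIP = 4   # outer header says: the payload is itself an IPv4 packet
IPPROTO_UDP = 17   # assumed inner protocol for the sample customer packet


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over the IPv4 header (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) in front of the payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(packet: bytes) -> dict:
    """Validate version, IHL, checksum and length; return the fields and payload."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    if ipv4_checksum(packet[:ihl]) != 0:     # a valid header sums to zero
        raise ValueError("header checksum mismatch")
    _, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if total_len > len(packet):
        raise ValueError("truncated packet")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl, "payload": packet[ihl:total_len]}


def pe_encapsulate(customer_packet: bytes, local_pe: str, remote_pe: str) -> bytes:
    """Ingress PE: the outer header is addressed PE to PE, so P routers never see
    the (possibly private, non-unique) customer addresses in the inner header."""
    return build_ipv4(local_pe, remote_pe, IPPROTO_IPIP, customer_packet)


def pe_decapsulate(packet: bytes, local_pe: str, expected_peer: str) -> dict:
    """Egress PE: strip the outer header only for genuine IP/IP packets from the
    configured tunnel peer; anything else is rejected rather than forwarded."""
    outer = parse_ipv4(packet)
    if outer["proto"] != IPPROTO_IPIP:
        raise ValueError("outer protocol is not IP/IP")
    if outer["dst"] != local_pe or outer["src"] != expected_peer:
        raise ValueError("tunnel endpoints do not match the configured tunnel")
    return parse_ipv4(outer["payload"])


def tunnel_accepts(packet: bytes, local_pe: str, expected_peer: str) -> bool:
    """True if the egress PE would hand the inner packet to the VPN's VRF."""
    try:
        pe_decapsulate(packet, local_pe, expected_peer)
        return True
    except ValueError:
        return False


# Constructed sample matching the figure: customer 10.1.1.1 -> 10.5.5.1,
# tunneled from PE 10.0.0.1 to PE 157.0.0.1 across the provider backbone.
CUSTOMER_DATA = b"customer data"
INNER = build_ipv4("10.1.1.1", "10.5.5.1", IPPROTO_UDP, CUSTOMER_DATA)
TUNNELLED = pe_encapsulate(INNER, "10.0.0.1", "157.0.0.1")

if __name__ == "__main__":
    print("outer:", {k: v for k, v in parse_ipv4(TUNNELLED).items() if k != "payload"})
    print("inner:", pe_decapsulate(TUNNELLED, "157.0.0.1", "10.0.0.1"))
```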
Virtual Private Routed Network (VPRN)
• VPRN is an IP based layer 3 VPN.
• Both CPE and network based implementations are possible.
• A VPRN is an emulation of a multi-site wide area routed network
using IP facilities
• VPN specific forwarding tables, called VPN Routing and
Forwarding tables or VRFs, are present at the provider routers on
a per VPN basis. They contain network reachability information.
• VPRN operation is decoupled from the mechanism used by the
customer to access the Internet
VPRN Generic Requirements
• Use of a globally unique identifier for each VPN
o VPN ID is a Globally Unique Identifier, which uniquely identifies
an instance of a VPRN.
o VPN ID can be used for management purposes in a MIB
o Used for tunnel establishment, to bind a VPRN to a particular
tunnel etc.
o Same ID can be used across different technologies e.g., IP and
ATM
• VPRN membership determination
o Determination of stub link belonging to a VPRN
o Through configuration for Static links e.g. ATM VCC
o As part of authentication for Dynamic Links e.g. PPP
o PEs participating in a particular VPRN must be known to each
other
o Membership determination is done using
• Directory Lookup
• Explicit Management Configuration
• Piggybacking in Routing Protocols
• Stub link reachability information
o Determine the set of VPRN addresses and address prefixes or
destinations reachable at each stub site or customer site
This exchange of information between the CE and PE can be through
• Routing Protocol Instance on CE - PE
• Configuration
• ISP Administered Addresses
• MPLS Label Distribution Protocol
• Intra - VPN reachability information
o Exchange of stub link reachability information between the
provider edges
o Set of reachable addresses within a VPRN are unique
Information dissemination is done through
• Directory Lookup
• Explicit Configuration
• Local intra-VPRN Routing Instantiations
• Link Reachability Protocol
• Piggybacking in IP backbone routing protocols, e.g. BGP/MPLS
VPN
• Tunneling Mechanisms
o Tunnels comprising the VPRN core are established between PEs
after membership determination
o Various mechanisms can be used for tunneling, with requirements
of security, authentication, confidentiality, sharing, etc.
o Tunneling mechanisms – IP/IP, IPSec, GRE, MPLS, L2TP, etc.
Implementation Issues
Summarizing some issues involved in building VPRNs
• Initial configuration
• Determining the set of links in each VPRN
• Identifying the member routers belonging to a VPRN
• Determining the set of IP addresses or address prefixes reachable
via each 'stub' link or customer
• Disseminate the 'stub' reachability information to the appropriate
set of PE routers
• Set of IP addresses reachable from the provider that is to be given
to the customer
• Establish, maintain, and manage the tunnels needed to carry the
data
• Provide secure data transfer and other features based on customer
requirements
VPRN Architecture
There are two fundamental architecture models for implementing
VPRNs.
• Overlay
• Piggyback
o The models differ in methods used to determine and disseminate
membership and reachability
o Overlay model constructs multiple routing protocol instances e.g.,
Multiple OSPF instances on a per VPRN basis, which overlay the
IP backbone
o Piggyback models make use of the existing routing protocol and
extend it to carry information e.g., BGP/MPLS in the backbone
IP VPN - Virtual Router Model
"A Virtual Router is an emulation of a physical router at the software
and/or hardware level."
• The overlay VPRN model uses the concept of Virtual Routers
• Each VR runs an instance of the routing protocol for determining and
exchanging reachability information with peer VRs
VR Model
[Figure: VR model. Three PE routers over the backbone, each holding a VRF and VR instances for CE 1, CE 2 and CE 3; CPE 1, CPE 2 and CPE 3 sites attach over stub links, forming VPRN 1, VPRN 2 and VPRN 3; a backdoor link connects two customer sites directly]
VRF – VPN Routing and Forwarding Table
VR Objectives
• The objective of this mechanism is to provide per-VPN routing,
forwarding, QoS, and service management capabilities
• To leverage and make use of the existing protocols for implementing
VPN functionality
• To isolate different VPN instances
• To isolate the underlying backbone protocol from the VPN protocols
VR Characteristics
• VRs that are members of a particular VPN must share the same
VPN ID.
• The VR architecture supports overlapping address spaces in
separate VPNs
• Each VPN can have its own routing protocol in the provider
backbone or the customer end if needed
• Supports VR to VR connectivity
• Over Layer 2 connections (ATM or Frame relay)
• Over IP based or MPLS tunnels
• Any routing protocol instance can be run between the PE and CE
to determine stub link reachability.
• CE – PE routing protocol is independent of routing protocol in the
backbone.
VR Advantages
• The Provider (P) routers or non-edge backbone routers need not be
VPN aware. In piggyback models, the provider/intermediate
routers may be VPN aware to determine if the packets sent belong
to the VPN or the backbone routing
• Backbone protocol can be independent of the VR protocol used
• No changes to existing protocols. In piggyback models, the routing
protocol for VPN must extend to accommodate information about
VPN membership, reachability etc.
• No changes are needed at deployment
VR Based Solution for IP VPN
• OSPF is run as a VR protocol for PE - PE routing
• For each VPN, towards the provider edge, an OSPF instance is run on
the Provider Edge router over tunnels in the backbone
• Routing protocol updates are exchanged between the PE routers
participating in a given VPN
Membership
• Membership information is used to identify and determine which VPN
a given VR belongs to
• Membership information is disseminated statically or dynamically
• A VPN Manager can have pre-configured or dynamically learnt VPN
IDs, which are assigned to each of the VR instances
• This can be used to map the VPN ID to the resources used by the
instance like the routing table associated with the interface
Routing
• The "stub link reachability" is learnt by the VR instance on the PE
associated with that customer end of the VPN site
• VRs belonging to the same VPN exchange this reachability
information with the help of the VR routing protocol
• Redistribution takes place at the Provider Edge Router between the
customer and the provider edges on a per-VR basis
• Each VR instance is associated with a routing table called the VRF.
Each VPN is mapped to a VRF
• Multiple routing tables are used to isolate routing information between
the VRs
• Multiple routing tables support on Linux is provided by the Advanced
Routing option
• On Linux, the input interface(s) from the customer end is/are mapped
to a VRF using 'ip rule' command
• VR instance on the customer end and provider end share the routing
table. Any addition/deletion of new routes is redistributed to the other
corresponding instance of routing protocol
• CE-CE or CE-PE routing is independent of the VR routing
• Multiple routing tables concept can be extended to support Traffic
Engineering
Tunneling
• The exchange of control and data plane information is done using
tunnels, established between member routers of a VPN
• Tunnels on Linux can be established by configuring the tunnel device
tunl0. This feature is provided using 'ip tunnel' commands
• Multiple VPNs can be mapped to a single tunnel depending on the
security constraints
• Tunnel aggregation can be done to minimize overhead in tunnel
establishment and maintenance
VPN Support On LINUX
• Multiple Routing table support
– A compile time Advanced Routing option
– Up to 255 routing tables
• Netlink support for associating network interfaces or tunnels with
routing tables
• IP/IP and GRE tunneling mechanism.
• IP utility
– To configure IP/IP and GRE tunnels
• ip tunnel add mode ipip local 10.0.0.1 remote 10.0.0.2
– To configure routes in different routing tables
• ip route add 10.0.0.0/24 via 192.168.221.254 table 50
– To associate interfaces with routing tables
• ip rule add iif eth0 table 50
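A constructed planner for the VPN Manager role on Linux, added here and not taken from the presentation or any project: it maps each VPN ID to its own routing table, builds IP/IP tunnels to the peer PEs, binds both the customer's stub interface and the tunnel interfaces to that table with `ip rule` (so return traffic stays inside the same VRF), and refuses to bind one stub link to two VPNs. It emits the iproute2 commands as strings instead of running them, so the plan can be reviewed offline; class names, interface names (vpn1t0, eth0, eth1) and the peer addresses are assumptions.

```python
"""Per-VPN Linux routing plan: one routing table per VPN ID, IP/IP tunnels to
the peer PEs, and 'ip rule' bindings that keep each VRF isolated. Constructed
example; the generated commands are the 'ip' invocations shown on the slide."""
from dataclasses import dataclass, field
from typing import Dict, List

RESERVED_TABLES = {253, 254, 255}   # default, main, local: never hand these to a VPN
MAX_TABLE = 252                      # the slide allows up to 255 tables; 3 are reserved


@dataclass
class VprnInstance:
    vpn_id: int
    stub_iface: str                  # customer-facing interface on this PE (assumed name)
    stub_next_hop: str               # CE address on the stub link
    stub_prefixes: List[str]         # reachability learnt from the CE
    # peer PE backbone address -> prefixes learnt from that peer's VR (via OSPF)
    remote_prefixes: Dict[str, List[str]] = field(default_factory=dict)


class VpnManager:
    def __init__(self, local_pe: str):
        self.local_pe = local_pe
        self.tables: Dict[int, int] = {}        # vpn_id -> routing table number
        self.iface_owner: Dict[str, int] = {}   # stub interface -> vpn_id

    def table_for(self, vpn_id: int) -> int:
        """Map a VPN ID to a routing table, allocating the lowest free one."""
        if vpn_id not in self.tables:
            free = (t for t in range(1, MAX_TABLE + 1)
                    if t not in RESERVED_TABLES and t not in self.tables.values())
            self.tables[vpn_id] = next(free)   # StopIteration if all 252 are in use
        return self.tables[vpn_id]

    def can_bind(self, iface: str, vpn_id: int) -> bool:
        """A stub link maps to exactly one VRF; a second VPN on the same link is refused."""
        return self.iface_owner.get(iface, vpn_id) == vpn_id

    def plan(self, inst: VprnInstance) -> List[str]:
        """Return the iproute2 commands that instantiate this VR on the local PE."""
        if not self.can_bind(inst.stub_iface, inst.vpn_id):
            raise ValueError(f"{inst.stub_iface} is already bound to VPN "
                             f"{self.iface_owner[inst.stub_iface]}")
        self.iface_owner[inst.stub_iface] = inst.vpn_id
        table = self.table_for(inst.vpn_id)
        cmds: List[str] = []
        for i, peer in enumerate(sorted(inst.remote_prefixes)):
            tun = f"vpn{inst.vpn_id}t{i}"     # stays under the 15-character interface name limit
            cmds.append(f"ip tunnel add {tun} mode ipip local {self.local_pe} remote {peer}")
            cmds.append(f"ip link set {tun} up")
            # packets decapsulated from this peer are looked up in this VPN's table only
            cmds.append(f"ip rule add iif {tun} table {table}")
            for prefix in inst.remote_prefixes[peer]:
                cmds.append(f"ip route add {prefix} dev {tun} table {table}")
        # packets arriving from the customer's stub link use the same table
        cmds.append(f"ip rule add iif {inst.stub_iface} table {table}")
        for prefix in inst.stub_prefixes:
            cmds.append(f"ip route add {prefix} via {inst.stub_next_hop} table {table}")
        return cmds


if __name__ == "__main__":
    mgr = VpnManager("10.0.0.1")
    # Two VPNs advertising the same private prefix: isolated by table, not by address.
    for inst in (VprnInstance(1, "eth0", "10.1.1.2", ["10.0.0.0/24"], {"157.0.0.1": ["10.5.5.0/30"]}),
                 VprnInstance(2, "eth1", "10.2.2.2", ["10.0.0.0/24"], {"157.0.0.1": ["10.6.6.0/30"]})):
        print("\n".join(mgr.plan(inst)))
```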
Issues in OSPF VR Model
Depending on configuration of customers, various issues related to
connectivity and duplication of information arise. Examples of
configuration scenarios are
• Each customer belonging to a particular VPN
• Customer belongs to multiple VPRNs over multiple stub links
• Customer belongs to multiple VPRNs over a single stub link
• Multiple VPRNs are established over a single stub link
The stub information exchanged is AS External information: routing
information and updates are exchanged as AS External routes between
the customer ends
Membership information is statically configured by a VPN manager.
Manager must keep track of change in membership and disseminate
this information appropriately
Static configuration of tunnels, maintenance and management is also
done by the manager, which must keep track of changes and handle the
OSPF instances accordingly
The various configuration scenarios for the CE-PE connection, and the
way routing information is redistributed between the customer and
provider edges of the PE router, influence the kind of information
exchanged
E.g., if the customer ends are treated as belonging to the same area,
or to different areas within the same AS, then the routes exchanged
become intra-area or inter-area routes, which take preference over AS
External routes according to the OSPF protocol. In this case, the VPN
serves to seamlessly transfer the OSPF routing information between the
customer ends.
Summary
• VPN is a connectivity object
• Objective of VPN is to provide private connectivity between customer
ends, over a public infrastructure
• VPN features and requirements include opaque transfer, security, QoS
etc
• Layer 3 VPN implementations are considered
• Different VPN types exist, of which VPRN is an IP network based
layer 3 VPN implementation
• VR is an overlay concept for implementing VPRN
• OSPF is used as a VR protocol. Linux based model uses IP tunnels
and Advanced Routing options to build rule based routing tables
References
[VPN-RFC2764] Gleeson, B., et al., “A Framework for IP Based Virtual
Private Networks”, RFC 2764, February 2000.
[PPVPN] Ould-Brahim, H., et al., “Network based IP VPN Architecture
using Virtual Routers”, work in progress.
[PPVPN] Nagarajan, A., et al., “Applicability Statement for Virtual
Router-based Layer 3 PPVPN approaches”, August 2002.
[RFC2685] Fox, B., et al., “Virtual Private Network Identifier”, RFC 2685,
September 1999.
[RFC2547bis] Rosen, E., et al., “BGP/MPLS VPNs”, work in progress.
[VPN-BGP] Ould-Brahim, H., et al., “Using BGP as an Auto-Discovery
Mechanism for Network-based VPNs”, work in progress.

JohnPollard-hybrid-app-RailsConf2024.pptx
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 

VPN Network

  • 1. Virtual Private Networks: Network Based IP VPN. Presented by: Wani Zahoor, zahoorwani91@gmail.com
  • 2. Agenda
    o Introduction
    o VPN – Introduction, Requirements, Categories and Types
    o Virtual Private Routed Networks – Introduction, Features, Requirements
    o Virtual Private Routed Networks – Architecture
    o Virtual Router – Concept, Objectives, Characteristics
    o VR Based Solution for IP VPN
    o VPN support on Linux
  • 3. Introduction - Types of Private Networks
    A private network is a collection of hosts belonging to a common administration or organization. Private connectivity between geographically scattered networks is provided through
    • Dedicated WANs - permanently connected to multiple sites
    • Dial Networks - on demand connections through the PSTN to sites
    High cost and complexity are involved in multi-site WAN services. To overcome this constraint, the Internet is used to provide the connectivity between private networks.
  • 4. Introduction - Motivation and History
    Some other factors that motivate migrating to Internet based connectivity are as follows
    • A need to extend the private network to offer services or connectivity that is invisible to external observers.
    • Economics, in terms of aggregating the costs of individual components or set-ups into a single infrastructure and offering services collectively over the public domain.
    • A source of revenue generation for the ISPs.
  • 5. What Is a VPN?
    “A VPN is a communications environment in which access is controlled to permit peer connections only within a defined community of interest, and is constructed through some form of partitioning of a common underlying communications medium, where this underlying communications medium provides services to the network on a non-exclusive basis.”
    “A VPN is a private network constructed within a public network infrastructure, such as the global Internet.”
    A Virtual Private Network is a connectivity object between two or more private entities. It uses the Internet or public domain infrastructure and connects private networks.
  • 6. VPN Requirements
    Opaque Transport: VPN traffic may be unrelated to the traffic in the IP backbone
    • Traffic can be multi-protocol
    • The customer may be using IP addresses not related to the backbone. These addresses may be private and non-unique
    Data Security
    • No misdirection, misrouting or snooping
    • Security against modification of traffic in transit
    • Protection against unauthorized analysis of traffic
  • 7. VPN Requirements
    QoS Guarantee: need for IP based QoS similar to that of dedicated or dial lines or ATM/Frame Relay
    • The opaque transport requirement is fulfilled by using tunnels for transport. Some tunneling mechanisms also provide support for data security and QoS.
    • Some tunneling mechanisms are IP/IP, IPSec, GRE, L2TP and MPLS
  • 8. VPN Requirements
    Private connectivity between networks is an inherent characteristic of a VPN implementation. This is achieved through the following requirements
    • Opaque transport
    • Data Security
    • QoS guarantee
    • Tunneling mechanism
  • 9. VPN Requirements
    Tunneling Protocol Requirements
    • Support for Multiplexing
    • Signaling
    • Security
    • Multi-protocol traffic
    • Frame Sequencing
    • Maintenance
    • Large MTUs
    • Minimization of tunnel overhead
    • Flow/Congestion control
    • QoS/traffic management
  • 10. VPN Requirements - comparison of tunneling mechanisms (columns: IP/IP, IPSec, GRE, L2TP, MPLS; a "y" marks support; the column alignment of the marks is not recoverable from the slide text)
    Multiplexing: y y y y
    Signaling: y y y y
    Security: y y
    Multi-protocol traffic: y y y
    Frame Sequencing: y y y
    Maintenance: (none marked)
    Large MTUs: (none marked)
    Minimization of Tunnel overhead: (none marked)
    Flow/Congestion Control: y
    QoS/Traffic Management: y
  • 11. VPN Categories
    VPN services are provided at layer 2 and layer 3. IP based layer 3 VPN implementations are broadly classified as follows
    • Customer Premises Equipment (CPE) based Model
    • Network based or Provider Provisioned Model
  • 12. CPE Based Model
    Some characteristics of the CPE based VPN model are as follows
    • Provides VPN capabilities on firewalls, WAN edge routers and specialized VPN termination devices
    • Handles security, tunneling between customer ends, management of services and devices, administrative responsibility and operational costs
    • Uses the ISP only for transmission of data over the backbone
  • 13. Network Based Model
    Some characteristics of the network based VPN model are as follows
    • ISPs provide services with no change in the subscriber equipment. Services like firewalling, data security, routing configuration, QoS, tunnel establishment, management and maintenance are handled by the provider
    • No extra investment is needed at the customer end on dedicated, expensive CPE gear when subscribing to a VPN service
    • The customer is given the option of choosing various services at various costs
  • 14. Network Based Model
    • The customer follows a trust model for security, in which it either trusts or does not trust the provider
    • The trust model extends across multiple providers if the VPN spans the domains of multiple providers
    • Forwarding of data between the provider edges takes place through tunnels
    • The complexity of operation and the administrative responsibility rest with the provider
  • 15. Types of VPNs
    • Virtual Leased Lines
    • Virtual Private Dial Networks
    • Virtual Private LAN Segment
    • Virtual Private Routed Networks
  • 16. Virtual Leased Lines
    [Figure: CPE – ISP Edge Router – IP Backbone – ISP Edge Router – CPE; an ATM VCC on each customer side, and an IP tunnel (10.0.0.4/30, endpoints 10.0.0.5 and 10.0.0.6) across the backbone]
    • Provides a point to point link between the customer’s CPE devices
    • The ISP edge binds the ATM VCC to a tunnel in the IP backbone, e.g. the AAL5 payload is encapsulated in an IPSEC tunnel in the backbone
  • 17. Virtual Private Dial Networks
    [Figure: CPE – dial-up connection – NAS (LAC) – IP Backbone – Gateway (LNS) – Corporate Network 10.0.0.0/16; an L2TP tunnel runs between the LAC and the LNS at 10.0.0.6]
    L2TP – Layer 2 Tunneling Protocol; LAC – L2TP Access Concentrator; LNS – L2TP Network Server
    • PPP frames are tunneled across the IP backbone using L2TP
    • The L2 connection terminating at the LAC avoids a long distance dial-up connection
    • The PPP session terminates at the LNS
  • 18. Virtual Private LAN Segment - Transparent LAN Service
    [Figure: three CPEs (10.0.0.5, 10.0.0.6, 10.0.0.9) attached over stub links to three ISP edge routers, which are fully meshed by IP tunnels across the IP backbone]
    • Emulation of a LAN over the Internet
    • The CPE can be a bridge or a router
    • Full mesh connectivity between edge routers
    • Bridge CPE: ISP edge routers do flooding and MAC learning
    • Router CPE: explicit link layer routes to CPE routers
  • 19. Virtual Private Routed Networks
    [Figure: a provider backbone in which PE routers are joined by IP tunnels through P routers; CPE 1 and CPE 2 sites attach to the PE routers over stub links 10.1.1.0/30, 10.2.2.0/30, 10.3.3.0/30, 10.5.5.0/30 and 10.6.6.0/30; customer addresses 10.1.1.1 and 10.5.5.1, provider addresses 10.0.0.1 and 157.0.0.1]
    PE – Provider Edge; CPE – Customer Premises Equipment; P – Provider/Interior
    Encapsulation in IP/IP: outer IP header with destination address 157.0.0.1 (provider backbone), inner IP header with destination address 10.5.5.1, followed by the customer data
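The IP/IP encapsulation of slide 19, as an added example in Python (not code from the slides): the ingress PE wraps the customer packet in an outer header addressed to the remote PE, and the egress PE accepts only IP/IP packets addressed to itself before handing the inner packet to the customer side. The addresses are the slide's; the packet payload and the header helpers are constructed here.

```python
import socket
import struct

IPPROTO_IPIP = 4  # IP protocol number carried in the outer header for IP-in-IP


def checksum(data: bytes) -> int:
    """One's-complement sum over 16-bit words, as used for the IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Parse an IPv4 header; reject truncated headers and bad checksums."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl or checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return {
        "src": socket.inet_ntoa(pkt[12:16]),
        "dst": socket.inet_ntoa(pkt[16:20]),
        "proto": pkt[9],
        "payload": pkt[ihl:total_len],
    }


def pe_encapsulate(customer_pkt: bytes, local_pe: str, remote_pe: str) -> bytes:
    """Ingress PE: the customer packet becomes the payload of an outer header
    addressed PE to PE. The backbone routes only on the outer header, so the
    customer's private, possibly non-unique addresses never have to be known to it."""
    return build_ipv4(local_pe, remote_pe, IPPROTO_IPIP, customer_pkt)


def pe_decapsulate(backbone_pkt: bytes, local_pe: str) -> bytes:
    """Egress PE: accept only IP/IP packets addressed to this PE and return the
    inner packet. IP/IP gives opaque transport only: the inner header is readable
    in transit, so confidentiality has to come from a mechanism such as IPSec."""
    outer = parse_ipv4(backbone_pkt)
    if outer["dst"] != local_pe or outer["proto"] != IPPROTO_IPIP:
        raise ValueError("not an IP/IP packet for this PE")
    parse_ipv4(outer["payload"])  # the inner header must be well-formed too
    return outer["payload"]


# Constructed customer packet: host 10.1.1.1 sends to 10.5.5.1 (slide 19 addresses)
CUSTOMER_PKT = build_ipv4("10.1.1.1", "10.5.5.1", 17, b"constructed customer data")
BACKBONE_PKT = pe_encapsulate(CUSTOMER_PKT, "10.0.0.1", "157.0.0.1")
```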
  • 20. Virtual Private Routed Network (VPRN)
    • A VPRN is an IP based layer 3 VPN.
    • Both CPE and network based implementations are possible.
    • A VPRN is an emulation of a multi-site wide area routed network using IP facilities
    • VPN specific forwarding tables, called VPN Routing and Forwarding tables or VRFs, are present at the provider routers on a per VPN basis. They contain network reachability information.
    • VPRN operation is decoupled from the mechanism used by the customer to access the Internet
  • 21. VPRN Generic Requirements
    • Use of a globally unique identifier for each VPN
      o The VPN ID is a globally unique identifier, which uniquely identifies an instance of a VPRN.
      o The VPN ID can be used for management purposes in a MIB
      o It is used for tunnel establishment, to bind a VPRN to a particular tunnel, etc.
      o The same ID can be used across different technologies, e.g., IP and ATM
  • 22. VPRN Generic Requirements
    • VPRN membership determination
      o Determination of the stub links belonging to a VPRN
      o Through configuration for static links, e.g. ATM VCC
      o As part of authentication for dynamic links, e.g. PPP
      o PEs participating in a particular VPRN must be known to each other
      o Membership determination is done using
        • Directory Lookup
        • Explicit Management Configuration
        • Piggybacking in Routing Protocols
  • 23. VPRN Generic Requirements
    • Stub link reachability information
      o Determine the set of VPRN addresses and address prefixes or destinations reachable at each stub site or customer site
      o This exchange of information between the CE and PE can be through
        • A Routing Protocol Instance on CE - PE
        • Configuration
        • ISP Administered Addresses
        • MPLS Label Distribution Protocol
  • 24. VPRN Generic Requirements
    • Intra - VPN reachability information
      o Exchange of stub link reachability information between the provider edges
      o The set of reachable addresses within a VPRN is unique
      o Information dissemination is done through
        • Directory Lookup
        • Explicit Configuration
        • Local intra-VPRN Routing Instantiations
        • Link Reachability Protocol
        • Piggybacking in IP backbone Routing Protocols, e.g. BGP/MPLS VPN
  • 25. VPRN Generic Requirements
    • Tunneling Mechanisms
      o The tunnels comprising the VPRN core are established between PEs after membership determination
      o Various mechanisms can be used for tunneling, with requirements of security, authentication, confidentiality, sharing, etc.
      o Tunneling mechanisms – IP/IP, IPSec, GRE, MPLS, L2TP, etc.
  • 26. Implementation Issues
    Summarizing some issues involved in building VPRNs
    • Initial configuration
    • Determining the set of links in each VPRN
    • Identifying the member routers belonging to a VPRN
    • Determining the set of IP addresses or address prefixes reachable via each 'stub' link or customer
  • 27. Implementation Issues
    • Disseminating the 'stub' reachability information to the appropriate set of PE routers
    • The set of IP addresses reachable from the provider that is to be given to the customer
    • Establishing, maintaining and managing the tunnels needed to carry the data
    • Providing secure data transfer and other features based on customer requirements
  • 28. VPRN Architecture
    There are two fundamental architecture models for implementing VPRNs.
    • Overlay
    • Piggyback
      o The models differ in the methods used to determine and disseminate membership and reachability
      o The overlay model constructs multiple routing protocol instances, e.g., multiple OSPF instances on a per VPRN basis, which overlay the IP backbone
      o Piggyback models make use of the existing routing protocol and extend it to carry the information, e.g., BGP/MPLS in the backbone
  • 29. IP VPN - Virtual Router Model
    "A Virtual Router is an emulation of a physical router at the software and/or hardware level."
    • The overlay VPRN model uses the concept of Virtual Routers
    • Each VR runs an instance of the routing protocol for determining and exchanging reachability information with peer VRs
  • 30. VR Model
    [Figure: three PE routers in the backbone, each holding a VR instance and a VRF per VPRN (VPRN 1, VPRN 2, VPRN 3) for CE 1, CE 2 and CE 3; the CPE 1, CPE 2 and CPE 3 sites attach over stub links, and a backdoor link joins two customer sites directly]
    VRF – VPN Routing and Forwarding Table
  • 31. VR Objectives
    • The objective of this mechanism is to provide per-VPN routing, forwarding, QoS and service management capabilities
    • To leverage and make use of the existing protocols for implementing VPN functionality
    • To isolate different VPN instances from each other
    • To isolate the underlying backbone protocol from the VPN protocols
  • 32. VR Characteristics
    • VRs that are members of a particular VPN must share the same VPN ID.
    • The VR architecture supports overlapping address spaces in separate VPNs
    • Each VPN can have its own routing protocol in the provider backbone or at the customer end if needed
  • 33. VR Characteristics
    • Supports VR to VR connectivity
      • Over Layer 2 connections (ATM or Frame Relay)
      • Over IP based or MPLS tunnels
    • Any routing protocol instance can be run between the PE and CE to determine stub link reachability.
    • The CE – PE routing protocol is independent of the routing protocol in the backbone.
  • 34. VR Advantages
    • The Provider (P) routers, or non-edge backbone routers, need not be VPN aware. In piggyback models, the provider/intermediate routers may need to be VPN aware to determine whether the packets sent belong to the VPN or to the backbone routing
    • The backbone protocol can be independent of the VR protocol used
    • No changes to existing protocols. In piggyback models, the routing protocol for the VPN must be extended to accommodate information about VPN membership, reachability, etc.
    • No changes are needed at deployment
  • 35. VR Based Solution for IP VPN
    • OSPF is run as the VR protocol for PE - PE routing
    • For each VPN, towards the provider edge, an OSPF instance is run on the Provider Edge router over tunnels in the backbone
    • Routing protocol updates are exchanged between the PE routers participating in a given VPN
  • 36. Membership
    • Membership information is used to identify and determine which VPN a given VR belongs to
    • Membership information is disseminated statically or dynamically
    • A VPN Manager can have pre-configured or dynamically learnt VPN IDs, which are assigned to each of the VR instances
    • This can be used to map the VPN ID to the resources used by the instance, such as the routing table associated with the interface
  • 37. Routing
    • The "stub link reachability" is learnt by the VR instance on the PE associated with that customer end of the VPN site
    • VRs belonging to the same VPN exchange this reachability information with the help of the VR routing protocol
    • Redistribution takes place at the Provider Edge Router between the customer and the provider edges on a per-VR basis
    • Each VR instance is associated with a routing table called the VRF. Each VPN is mapped to a VRF
  • 38. Routing
    • Multiple routing tables are used to isolate routing information between the VRs
    • Support for multiple routing tables on Linux is provided by the Advanced Routing option
    • On Linux, the input interface(s) from the customer end is/are mapped to a VRF using the 'ip rule' command
  • 39. Routing
    • The VR instances on the customer end and the provider end share the routing table. Any addition/deletion of routes is redistributed to the other corresponding instance of the routing protocol
    • CE-CE or CE-PE routing is independent of the VR routing
    • The multiple routing tables concept can be extended to support Traffic Engineering
  • 40. Tunneling
    • The exchange of control and data plane information is done using tunnels established between the member routers of a VPN
    • Tunnels on Linux can be established by configuring the tunnel device tunl0. This feature is provided using 'ip tunnel' commands
    • Multiple VPNs can be mapped to a single tunnel depending on the security constraints
    • Tunnel aggregation can be done to minimize the overhead of tunnel establishment and maintenance
  • 41. VPN Support On LINUX
    • Multiple routing table support – a compile time Advanced Routing option – up to 255 routing tables
    • Netlink support for associating network interfaces or tunnels with routing tables
    • IP/IP and GRE tunneling mechanisms
  • 42. VPN Support On LINUX
    IP utility
    – To configure IP/IP and GRE tunnels:
      • ip tunnel add mode ipip local 10.0.0.1 remote 10.0.0.2
    – To configure routes in different routing tables:
      • ip route add 10.0.0.0/24 via 192.168.221.254 table 50
    – To associate interfaces with routing tables:
      • ip rule add iif eth0 table 50
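An added Python model (not code from the slides) of the per-VR routing described on slides 32, 38 and 42: each VRF is a separate routing table, 'ip rule' binds an input interface to a table, and two VPRNs can therefore carry the same customer prefix without interfering. The VPN labels, table numbers, interface and tunnel names, and the remote PE 157.0.0.2 are constructed for the example; the ip_commands() output uses the command forms shown on slide 42.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str                    # outgoing device: IP/IP tunnel to the peer PE, or the stub link
    via: Optional[str] = None   # gateway on that device (the CE address for a stub route), if any


@dataclass
class Vrf:
    vpn_id: str                 # VPN identifier (constructed label here)
    table: int                  # Linux routing table number (1..255 under Advanced Routing)
    routes: List[Route] = field(default_factory=list)

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match inside this VRF only; None if the VRF holds no route."""
        addr = ipaddress.IPv4Address(dst)
        cands = [r for r in self.routes if addr in r.prefix]
        return max(cands, key=lambda r: r.prefix.prefixlen, default=None)


class LinuxPE:
    """PE router model: 'ip rule' maps the input interface to a VRF table, and a
    packet is looked up only in that table, never in another VPRN's table."""

    def __init__(self) -> None:
        self.vrfs: Dict[int, Vrf] = {}
        self.rules: Dict[str, int] = {}                  # iif -> table number
        self.tunnels: Dict[str, Tuple[str, str]] = {}    # dev -> (local PE, remote PE)
        self.main = Vrf("backbone", 254)                 # Linux 'main' table: no customer routes

    def add_vrf(self, vrf: Vrf) -> None:
        self.vrfs[vrf.table] = vrf

    def add_tunnel(self, dev: str, local: str, remote: str) -> None:
        self.tunnels[dev] = (local, remote)

    def bind(self, iif: str, table: int) -> None:
        """Equivalent of 'ip rule add iif <iif> table <table>'."""
        self.rules[iif] = table

    def forward(self, iif: str, dst: str) -> Tuple[str, Optional[Route]]:
        """(vpn_id, route) chosen for a packet that arrived on iif with destination dst."""
        table = self.rules.get(iif)
        vrf = self.vrfs[table] if table is not None else self.main
        return vrf.vpn_id, vrf.lookup(dst)

    def ip_commands(self) -> List[str]:
        """The iproute2 commands this model corresponds to."""
        cmds = []
        for dev, (local, remote) in self.tunnels.items():
            cmds.append(f"ip tunnel add {dev} mode ipip local {local} remote {remote}")
            cmds.append(f"ip link set {dev} up")
        for vrf in self.vrfs.values():
            for r in vrf.routes:
                via = f" via {r.via}" if r.via else ""
                cmds.append(f"ip route add {r.prefix}{via} dev {r.dev} table {vrf.table}")
        for iif, table in self.rules.items():
            cmds.append(f"ip rule add iif {iif} table {table}")
        return cmds


def build_sample_pe() -> LinuxPE:
    """Constructed PE 10.0.0.1 serving two VPRNs whose remote sites both use 10.5.5.0/30."""
    pe = LinuxPE()
    pe.add_tunnel("tuna", "10.0.0.1", "157.0.0.1")   # to the PE serving VPN A's other site
    pe.add_tunnel("tunb", "10.0.0.1", "157.0.0.2")   # to the PE serving VPN B's other site
    pe.add_vrf(Vrf("vpn-a", 50, [Route(ipaddress.ip_network("10.1.1.0/30"), "eth1"),
                                 Route(ipaddress.ip_network("10.5.5.0/30"), "tuna")]))
    pe.add_vrf(Vrf("vpn-b", 51, [Route(ipaddress.ip_network("10.2.2.0/30"), "eth2"),
                                 Route(ipaddress.ip_network("10.5.5.0/30"), "tunb")]))
    # A VPRN's stub link and its tunnel device both map to that VPRN's table
    for iif, table in (("eth1", 50), ("tuna", 50), ("eth2", 51), ("tunb", 51)):
        pe.bind(iif, table)
    return pe
```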
  • 43. Issues in OSPF VR Model
    Depending on the configuration of the customers, various issues related to connectivity and duplication of information arise. Examples of configuration scenarios are
    • Each customer belonging to a single VPN
    • A customer belonging to multiple VPRNs over multiple stub links
    • A customer belonging to multiple VPRNs over a single stub link
    • Multiple VPRNs established over a single stub link
  • 44. Issues in OSPF VR Model
    • The stub information exchanged is AS External information. The routing information or updates are exchanged as AS External information between the customer ends
    • Membership information is statically configured by a VPN manager. The manager must keep track of changes in membership and disseminate this information appropriately
    • Static configuration of tunnels, their maintenance and management are also done by the manager, which must keep track of changes and handle the OSPF instances accordingly
  • 45. Issues in OSPF VR Model
    The various configuration scenarios of the CE-PE connection, and the way routing information is redistributed between the customer and provider edges of the PE router, influence the kind of information exchanged. E.g., if the customer ends are treated as belonging to the same area, or to different areas within the same AS, then the routes exchanged become intra-area or inter-area routes, which gain preference over AS External routes according to the OSPF protocol. In this case, the VPN serves to seamlessly transfer the OSPF routing information between the customer ends.
  • 46. Summary
    • A VPN is a connectivity object
    • The objective of a VPN is to provide private connectivity between customer ends over a public infrastructure
    • VPN features and requirements include opaque transfer, security, QoS, etc.
    • Layer 3 VPN implementations are considered
    • Different VPN types exist, of which VPRN is an IP-network based layer 3 VPN implementation
    • VR is an overlay concept for implementing VPRN
    • OSPF is used as the VR protocol. The Linux based model uses IP tunnels and the Advanced Routing options to build rule based routing tables
  • 47. References
    [VPN-RFC2764] Gleeson, B., et al., “A Framework for IP Based Virtual Private Networks”, RFC 2764, February 2000.
    [PPVPN] Ould-Brahim, H., et al., “Network based IP VPN Architecture using Virtual Routers”, work in progress.
    [PPVPN] Nagarajan, A., et al., “Applicability Statement for Virtual Router-based Layer 3 PPVPN approaches”, August 2002.
    [RFC2685] Fox, B., et al., “Virtual Private Network Identifier”, RFC 2685, September 1999.
    [RFC2547bis] Rosen, E., et al., “BGP/MPLS VPNs”, work in progress.
    [VPN-BGP] Ould-Brahim, H., et al., “Using BGP as an Auto-Discovery Mechanism for Network-based VPNs”, work in progress.