Having gone through remote office design considerations, access technologies, which are used to connect remote offices and teleworkers to the corporate network, and then Teleworker considerations, the following sections will discuss the VPN technologies that can be used to connect remote offices and teleworkers to the corporate network.
The term Virtual Private Network (VPN) means different things to different people depending on the industry they are in or the solutions they have implemented. A VPN is a network that provides remote offices or individual users with secure access to their organization’s network. Contrary to popular belief that a VPN provides secure connectivity across as public network such as the Internet, a VPN can also be used on a privately-owned network. There are three types of VPN technologies that will be described in this section. These three types are:
- Trusted VPNs
- Secure VPNs
- Hybrid VPNs
Trusted VPNs are non-cryptographic VPNs. In other words, trusted VPNs do not employ the same cryptographic mechanisms used to encrypt data as those used in secure VPN. Unlike secure VPNs, the security and integrity of trusted VPN traffic relies on the fact that the circuit is not shared because each circuit is dedicated to a single site. An example of a trusted VPN implementation is the Multiprotocol Label Switching (MPLS) VPN. While MPLS configuration is beyond the scope of the current ROUTE exam, it is important that you have a basic understanding of MPLS VPN concepts. An MPLS VPN solution is shown in Figure 10-13:
Fig. 10-13. Multiprotocol Label Switching Layer 3 VPN
Referencing Figure 10-13, the provider MPLS VPN allows multiple customer sites in different locations to the connected to the same trusted VPN, allowing for secure LAN to LAN connectivity between these sites. While the MPLS VPN backbone is shared by multiple customers, VRFs (which were described earlier in this chapter) are used to prevent the different customer routing tables are logically segregated. This also allows multiple customers to use the same IP address ranges without any issues.
Within the MPLS VPN architecture, providers install one or more managed routers at each one of the different customer locations or sites. These routers, referred to as Customer Edge (CE) routers, have a LAN interface to which the site internal network is connected. The configuration of these routers is strictly controlled by the provider, although in some instances the provider will provide read-only access to these routers for the customer. From you standpoint as a network engineer, your responsibility ends at the CE router. For this reason, the configuration of MPLS VPNs is beyond the scope of the current ROUTE exam.
The CE routers are then connected to Provider Edge (PE) routers. The routers are the typically connected to multiple CE routers for multiple customers. They are, in essence, the portal into, and out of, the MPLS VPN backbone. While BGP is typically configured between PE and CE routers, any of the other routing protocols described in this guide can be used. Routes received from the site internal network are then redistributed into the PE-CE routing protocol and advertised to the PE router. From there, the prefixes are advertised to other sites within the customer VPN allowing for connectivity between all of the customer sites.
And finally, within the MPLS VPN, core routers referred to as Provider (P) routers allow for traffic to be switched between the different PE routers.
While the most common deployed trusted VPNs are Layer 3 VPNs, some service providers also provide Layer 2 VPN service for their customers using either Virtual Private LAN Service (VPLS) or Virtual Private Wire Service (VPWS) technologies. These technologies allow for the encapsulation of Layer 2 frames, e.g. Ethernet and Frame Relay, over MPLS or pure-IP networks. The primary difference between VPLS and VPWS is that VPLS provides point-to-multipoint connectivity while VPWS provides only point-to-point connectivity. A Layer 2 (VPLS) VPN is illustrated in Figure 10-14:
Fig. 10-14. Multiprotocol Label Switching Layer 2 VPN – VPLS
Referencing Figure 10-14, the same basic components used in Layer 3 VPNs are also used in the Layer 2 VPN implementations. However, there is a significant difference between Layer 2 and Layer 3 VPNs. Instead of configuring PE-CE routing protocols, Layer 2 VPNs allow the connected devices to appear as though they reside on the same LAN, even though all the sites may, and typically are, geographically dispersed.
Because the sites are on the same logical LAN, the different CE routers are assigned an address on the same subnet. Any routing protocol of choice is then configured on these devices following the same logic as described in previous chapters within this guide. As is the case with Layer 3 VPNs, the configuration and implementation of Layer 2 VPNs is beyond the scope of the ROUTE exam and will not be illustrated or described in any further detail in this chapter or the remainder of this guide. You are not expected to implement this configuration.
Unlike trusted VPNs, secure VPNs are used to transport data across public data networks, such as the Internet. These VPN technologies use different cryptographic mechanisms to ensure data confidentiality, integrity and authenticity as datagrams are carried across these unsecured networks. These VPN types are commonly used to replace or augment existing point-to-point networks that utilize dedicated leased lines or even WAN networks over common technologies such as Frame Relay. Secure VPN technologies include:
- IP Security (IPsec)
- Layer 2 Tunneling Protocol version 3 (L2TPv3) over IPsec
- Point-to-Point Tunneling Protocol (PPTP)
- SSL Encryption (SSL VPN)
NOTE: Of the secure VPN types described, only IPsec and SSL VPNs are will be described in this guide. These are described in detail later in this chapter. Both L2TPv3 and PPTP are described briefly in the following section.
Layer 2 Tunneling Protocol version 3 (L2TPv3) allows data to be tunneled across native core IP networks. Used alone, L2TPv3 does not provide any data encryption or confidentiality. To provide this additional level of security, L2TPv2 is commonly implemented in with IP Security (IPsec). Point-to-Point Tunneling Protocol (PPTP) is also used to tunnel data across IP networks. Like L2TPv3, PPTP does not provide any data encryption or confidentiality and requires implementation with other protocols to provide authentication and encryption. The configuration of L2TPv3 and PPTP is beyond the scope of the ROUTE exam. These protocols will not be described in any further detail in this chapter or the remainder of this guide.
Continuing with secure VPN technologies, there are three types of secure VPN implementation. These common implementations are:
- Intranet-based VPNs
- Internet-based VPNs
- Extranet-based VPNs
An Intranet-based VPN is provides data security within an enterprise or organization that may or may not involve traffic traversing a WAN. An Intranet-based VPN connection takes advantage of IP connectivity in an organization intranet and is implemented within the same organizations internal network.
Internet-based VPNs are the most common types of VPNs. These VPNs are used to protect the organizations data as it traverses the Internet. Internet-based VPNs can take several forms; however, only those that are applicable to the ROUTE exam will be described in this chapter. Examples of Internet-based VPNs include site-to-site or LAN-to-LAN IPsec VPNs and remote access VPNs, which are used to allow mobile workers to establish secure connections to the enterprise network. Both VPN types are described in detail later in this chapter.
And finally, extranet-based VPNs provide private communications between two or more separate entities. For example, a company can deploy an extranet VPN between its headquarters to certain business partner networks. The business partner is given access only to the headquarters public server to perform various IP-based network tasks, such as placing and managing product orders.
Hybrid Virtual Private Networks
A hybrid VPN is a combination of both a trusted VPN and a secure VPN. Hybrid VPNs are an emerging technology that are gaining momentum quickly. These VPNs allow providers that offer trusted VPNs to secure customer data in locations where such providers have no point-of-presence. Customer offices in these remote locations can then establish secured sessions to provider VPN headend devices and from there access resources in other locations that are tied into the provider trusted (MPLS) VPN allowing for LAN-to-LAN security between customer sites on the trusted and secure VPNs. Figure 10-13 illustrates a hybrid VPN implementation:
Fig. 10-13. Understanding Hybrid VPNs
NOTE: While you should be familiar with the hybrid VPN concept, the actual configuration of hybrid VPN components is beyond the scope of the scope of the ROUTE exam and will not be illustrated or described in any additional detail in this chapter or in the remainder of this guide.
As stated in the previous section, the configuration of trusted VPNs is beyond the scope of the ROUTE exam and will not be described in this guide. However, you are required to demonstrate both theoretical and configuration-level knowledge of Cisco supported secure VPN technologies. Therefore, before we delve into detail on the site-to-site VPN solutions, it is important to have a solid fundamental understanding of the protocol that all these VPN solutions use to ensure data confidentiality, integrity and authenticity. This protocol, which is described in detail in the following section, is IP Security (IPsec).