VPN and DSL WAN Design


Chapter Topics

  • DSL Technologies

  • VPNs


DSL Technologies


DSL Technologies

  • When used with VPN technologies, DSL can provide WAN connectivity for remote offices at a lower cost than dedicated services.

  • DSL increases connectivity options for fixed remote access and extranet offices and users

  • DSL connection is “always on”

  • Charges are typically a fixed monthly fee

  • In some major markets, private DSL access is available

    • permanent virtual circuits (PVCs) extend the enterprise network to the DSL access device


DSL Technologies

  • DSL is favorably priced based on cost for equivalent bandwidth when compared to dial-up access

  • Provides price advantages over leased lines and packet network services

  • Disadvantages of DSL include

    • spotty availability due to distance and infrastructure quality

    • lack of guaranteed transport bandwidth through the intermediate public networks

    • security issues within the Internet

    • cable modems offer comparable service for remote access at a similar cost


DSL Types

  • DSL is a physical layer technology

  • Marketplace has many variations

  • Forms of DSL include the following:

    • ADSL

    • SDSL

    • IDSL

    • High-bit-rate DSL (HDSL)

    • VDSL

  • Two leading schemes are SDSL and ADSL


Basic DSL Architecture


ADSL – Asymmetric DSL

  • Targeted for residential customers

  • Defined by the American National Standards Institute (ANSI) T1.413 standard

  • Provides asymmetric speed with a downlink speed (from the central office to the customer) faster than the uplink speed


ADSL

  • Downstream rates range from 256 kbps to 8 Mbps

  • Upstream rates range from 16 kbps to 800 kbps

  • ADSL transmissions work at distances up to 18,000 ft (5488 m) over a single copper twisted pair


ADSL

ADSL G.lite is a variant specification that reduces the device requirements of ADSL

  • eliminates the requirement for special wiring installation services

  • provides rates up to 1.5 Mbps

  • Another variant is Rate Adaptive ADSL (RADSL)

    • Allows the DSL modem to adapt its speed based on the quality and length of the line



ADSL Sample Services

  • Some examples of services are

    • 384 kbps download/128 kbps uplink

    • 768 kbps download/128 kbps uplink

    • 786 kbps download/256 kbps uplink

    • 1.5 Mbps download/128 kbps uplink

    • 1.5 Mbps download/384 kbps uplink

    • 6 Mbps download/384 kbps uplink


HDSL – High Bit-rate DSL

  • Provides 1.544 Mbps of bandwidth but uses two twisted-pair lines (4 wires)

  • Range is limited to 12,000 ft (3658.5 m)

    • Signal repeaters can extend the service

  • Used primarily for digital-loop carrier systems, interexchange points of presence (POPs), and private data networks

  • HDSL-2 is a two-wire version that provides the same speed, or double the speed when four wires are used


SDSL – Symmetric DSL

  • Provides equal bandwidth for both the uplink and the downlink

  • Targeted to business customers to replace their more expensive T1 circuits

  • Uses a single twisted-pair line

  • Operating range limited to 22,000 ft


SDSL – Symmetric DSL

  • Often marketed as business DSL

  • Speeds up to 2.3 Mbps

  • Service examples are

    • 144 kbps symmetric

    • 192 kbps symmetric

    • 384 kbps symmetric

    • 768 kbps symmetric

    • 1.1 Mbps symmetric

    • 1.5 Mbps symmetric


IDSL – ISDN DSL

  • Developed to provide DSL service to locations using existing ISDN facilities

    • Redirects ISDN traffic to a DSLAM

    • Maintains all the electrical capabilities of ISDN

    • CPE is still any ISDN Basic Rate Interface (BRI) bridge/router

    • Provides a flat rate for the ISDN-type service versus the per-call rate of ISDN

  • Provides the same data capabilities over longer local-loop facilities

  • IDSL is cheaper than ISDN


VDSL – Very High Rate DSL

  • Asymmetric DSL service at speeds much greater than ADSL

  • Uses a single pair to provide up to 52 Mbps downlink speeds and up to 16 Mbps uplink speeds

  • Only selected areas offer VDSL

  • Limited to 4000 ft from the central office


LRE over VDSL

  • Provides Ethernet services over existing Category 1/2/3 twisted-pair wiring

  • Speeds from 5 to 15 Mbps (full duplex)

  • Distances up to 5000 ft


DSL Specifications


VPNs


Foundation

  • VPNs create private tunnels across the Internet

  • Create these tunnels from a single host to a VPN concentrator

  • Create site-to-site tunnels between offices


VPN Tunnels

  • You can use several different technologies to create VPN tunnels:

    • GRE

    • Point-to-Point Tunneling Protocol (PPTP)

    • Microsoft Point-to-Point Encryption (MPPE)

    • VPDN

    • IPSec

    • MPLS


GRE

  • Cisco tunneling protocol that encapsulates entire packets into new IP headers

    • creates a virtual point-to-point link between two Cisco routers

    • new header has the source and destination addresses of the tunnel end points

    • virtual link crosses an IP network

    • described in RFC 1701

    • created to tunnel IP and other packet types

    • encapsulated packet types can be IP packets or non-IP packets, such as Novell IPX or AppleTalk packets
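
As an added example (not from the slides), the following Python builds the encapsulation the slide describes and parses it back: the outer IPv4 header carries the tunnel end points, a 4-byte GRE header (RFC 1701) follows, and then the complete inner packet. The addresses and the inner packet are constructed sample data; the defender's point is visible in `gre_decapsulate`, since a filter that only looks at the outer header never sees the inner source and destination.

```python
import socket
import struct

GRE_PROTO_IPV4 = 0x0800  # GRE protocol type for an IPv4 payload (RFC 1701 uses EtherType values)
IP_PROTO_GRE = 47        # protocol field of the outer IP header

def ip_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header; yields 0 when run over a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def gre_encapsulate(inner_packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """New outer IP header addressed to the tunnel end points + GRE header + the whole inner packet."""
    gre_hdr = struct.pack("!HH", 0, GRE_PROTO_IPV4)  # no C/R/K/S flags, so no optional fields
    outer = ipv4_header(tunnel_src, tunnel_dst, IP_PROTO_GRE, len(gre_hdr) + len(inner_packet))
    return outer + gre_hdr + inner_packet

def gre_decapsulate(packet: bytes) -> tuple:
    """Return (outer_src, outer_dst, inner_src, inner_dst, inner_packet); raise ValueError if malformed."""
    if len(packet) < 24 or packet[0] >> 4 != 4 or packet[9] != IP_PROTO_GRE:
        raise ValueError("not a GRE-in-IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IP header checksum")
    flags, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    # RFC 1701 optional fields: checksum+offset when C or R is set, key when K, sequence when S
    gre_len = 4 + (4 if flags & 0xC000 else 0) + (4 if flags & 0x2000 else 0) + (4 if flags & 0x1000 else 0)
    if proto != GRE_PROTO_IPV4:
        raise ValueError("inner protocol 0x%04x is not IPv4" % proto)
    inner = packet[ihl + gre_len:]
    if len(inner) < 20:
        raise ValueError("truncated inner packet")
    outer_src, outer_dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    inner_src, inner_dst = socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])
    return outer_src, outer_dst, inner_src, inner_dst, inner
```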


PPTP

  • Described in RFC 2637

  • Network protocol developed by a vendor consortium

    • Allows for transfers of data from client PCs to enterprise servers using tunneled PPP through an IP network

  • Client software is deployed in Windows 95, ME, NT, 2000, and XP

  • Cisco added support for PPTP to Cisco IOS routers, PIX Firewalls, and VPN concentrators


MPPE

  • Microsoft protocol

    • Part of Microsoft’s PPTP client VPN solution

  • Converts PPP packets into an encrypted form

  • Used for creating VPNs over dial-up networks

  • Most Cisco access platforms support MPPE


VPDN

  • A VPDN is a network that extends remote access to a private network using a shared infrastructure

  • Cisco protocol

  • Allows a private dial-in service to span across several remote-access servers (RAS)


VPDN

  • Uses Layer 2 tunnel technologies to extend the network connection from a remote user across an Internet service provider (ISP) network to a private network

  • Layer 2 technologies include

    • Layer 2 Forwarding Protocol (L2F)

    • Layer 2 Tunnel Protocol (L2TP)

    • PPTP


VPDN

  • No need to connect to the central office through the PSTN

    • VPDN users connect to the local ISP

    • ISP forwards the PPP session to a tunnel server

  • Forwarding calls through the Internet saves money


VPDN Tunnel


IPSec

  • Provides a set of security services at the IP layer

  • Defined in RFC 2401

  • An architecture that both IPv4 and IPv6 can use

  • IPSec is a set of protocols, key management, and algorithms for authentication and encryption.


IPSec

  • Two central protocols for IPSec are

    • IP AH

      • provides connectionless integrity and data-origin authentication for IP datagrams

      • can use AH alone or with ESP

      • described in RFC 2402

    • ESP

      • provides data confidentiality, data-origin authentication, and limited traffic-flow confidentiality

      • described in RFC 2406


IPSec - IKE

  • IPSec uses the Internet Key Exchange (IKE) protocol for the automatic exchange of keys to form security associations (SAs) between two systems

    • IKE is not used if the SAs are configured manually

    • IKE eliminates the need to manually specify all of the IPSec SA parameters on both peers and allows encryption keys to change during IPSec sessions

    • IKE is described in RFC 2409


IPSec Algorithms

  • The ESP protocol uses encryption algorithms such as DES and 3DES for bulk encryption and for data confidentiality during the IKE key exchange


IPSec Connection Steps

  • IPSec operation follows five steps:

    • Step 1: Process initiation

      • Specification of the type of traffic to be encrypted

    • Step 2: IKE Phase 1

      • Authenticates the IPSec peers and sets up a secure channel between the peers to enable IKE exchanges

    • Step 3: IKE Phase 2

      • Negotiates the IPSec SA

    • Step 4: Data transfer

    • Step 5: Tunnel termination

      • Tunnel is terminated when the IPSec SAs are deleted or their lifetimes expire


AH

  • Provides connectionless integrity (data integrity) and data-origin authentication for packet headers and data payload

  • Does not provide confidentiality

  • Authentication comes from applying a one-way hash function to the packet to create a message digest


AH Hash


AH - Hash

  • Not all the IP header fields are used to hash the IP header

  • Fields that change in transit are not part of the hash process

    • Time-To-Live
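
Added example (not part of the slides) of the hashing rule above, in Python with only the standard library: the sender zeroes the mutable IPv4 fields before computing an HMAC-SHA-1-96 ICV over header, AH header and payload (the RFC 2402/2404 layout), so a router that decrements the TTL and rewrites the checksum does not break verification, while a changed address does. Key, addresses and payload are constructed sample values, and the header checksum is left at zero in the sample since it is a mutable field anyway.

```python
import hashlib
import hmac
import socket
import struct

IP_PROTO_AH = 51
ICV_LEN = 12  # HMAC-SHA-1-96: 160-bit HMAC output truncated to 96 bits (RFC 2404)

def ipv4_header(src: str, dst: str, total_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header for the constructed sample; checksum left 0 (it is mutable, see below)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, IP_PROTO_AH, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def zero_mutable_fields(ip_hdr: bytes) -> bytes:
    """Copy of the header with the fields that change in transit zeroed before hashing
    (RFC 2402 3.3.3.1): TOS, flags/fragment offset, TTL and header checksum.
    Addresses, total length, identification and protocol are immutable and stay covered."""
    h = bytearray(ip_hdr)
    h[1] = 0                 # type of service
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # time-to-live
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)

def ah_icv(key: bytes, ip_hdr: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    """ICV over: zeroed IP header | AH header with its ICV field zeroed | upper-layer payload."""
    data = zero_mutable_fields(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]

def build_ah_packet(key: bytes, src: str, dst: str, spi: int, seq: int, payload: bytes) -> bytes:
    # AH header: next header (6 = TCP), payload len = AH length in 32-bit words minus 2, reserved, SPI, seq
    ah_fixed = struct.pack("!BBHII", 6, 4, 0, spi, seq)
    ip_hdr = ipv4_header(src, dst, 20 + len(ah_fixed) + ICV_LEN + len(payload))
    return ip_hdr + ah_fixed + ah_icv(key, ip_hdr, ah_fixed, payload) + payload

def verify_ah_packet(key: bytes, packet: bytes) -> bool:
    """Receiver side: recompute the ICV with the same zeroing rule and compare in constant time."""
    ip_hdr, ah_fixed, icv, payload = packet[:20], packet[20:32], packet[32:44], packet[44:]
    return hmac.compare_digest(ah_icv(key, ip_hdr, ah_fixed, payload), icv)

def demo() -> tuple:
    """Returns (original verifies, verifies after a hop rewrote TTL/checksum, verifies after dst changed)."""
    key = b"constructed-16B!"  # constructed sample key, not a real SA key
    pkt = build_ah_packet(key, "203.0.113.1", "198.51.100.9", 0x1000, 1, b"hello")
    hop = bytearray(pkt); hop[8] -= 1; hop[10:12] = b"\xab\xcd"        # legitimate in-transit changes
    spoof = bytearray(pkt); spoof[16:20] = socket.inet_aton("198.51.100.10")  # immutable field altered
    return verify_ah_packet(key, pkt), verify_ah_packet(key, bytes(hop)), verify_ah_packet(key, bytes(spoof))
```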


ESP

  • Provides confidentiality, data-origin authentication, connectionless integrity, an anti-replay service, and limited traffic-flow confidentiality as negotiated by the end points when they establish an SA

    • Packet authentication is provided by an optional field

    • Authentication is performed after encryption

    • Encryption through 56-bit DES and 3DES
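
The anti-replay service named in the first bullet is the sliding window of RFC 2401 Appendix C; the Python below (an added example, not from the slides) reads the SPI and sequence number from the cleartext ESP header and runs a constructed arrival order through that window.

```python
import struct

def esp_sequence_number(esp_packet: bytes) -> tuple:
    """The ESP header starts with SPI (4 bytes) and sequence number (4 bytes); both are sent in the clear."""
    spi, seq = struct.unpack("!II", esp_packet[:8])
    return spi, seq

class AntiReplayWindow:
    """Sliding-window anti-replay check from RFC 2401 Appendix C. `last` is the highest sequence
    number accepted; `bitmap` records which of the `size` most recent numbers were seen.
    Call accept() only after the packet's ICV has verified, so forged packets cannot move the window."""

    def __init__(self, size: int = 64):   # RFC 2401 minimum is 32; 64 is the usual default
        self.size = size
        self.last = 0       # nothing received yet
        self.bitmap = 0     # bit i set => sequence number (last - i) already received

    def accept(self, seq: int) -> bool:
        if seq == 0:                       # first packet on an SA is 1; 0 means the counter wrapped
            return False
        if seq > self.last:                # new highest number: slide the window forward
            diff = seq - self.last
            if diff < self.size:
                self.bitmap = ((self.bitmap << diff) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1            # jumped past the whole window
            self.last = seq
            return True
        diff = self.last - seq
        if diff >= self.size:              # older than the window: reject
            return False
        if self.bitmap & (1 << diff):      # already received: replay
            return False
        self.bitmap |= 1 << diff           # late but unseen: accept and mark
        return True

def demo() -> list:
    """Constructed arrival order on one SA (SPI 0x1000); returns the accept/reject decision per packet."""
    window = AntiReplayWindow(64)
    arrivals = [1, 2, 3, 5, 4, 3, 70, 6, 7, 0]
    headers = [struct.pack("!II", 0x1000, s) + b"\x00" * 8 for s in arrivals]  # header + stub body
    return [window.accept(esp_sequence_number(h)[1]) for h in headers]
```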


ESP Tunnel Mode

  • Provides protection of the IP header fields only in tunnel mode

    • original IP header and payload are encrypted


ESP Transport Mode

  • Only the IP data is encrypted

  • ESP inserts an IPSec header between the original IP header and the encrypted data


DES and 3DES

  • DES is an older U.S. Government-approved standard widely used for encryption

    • Uses a 56-bit key to scramble and unscramble messages

    • Exported DES uses a 40-bit version

    • DES breaks data into 64-bit blocks and then processes it with a 56-bit shared secret key


DES and 3DES

  • Latest DES standard uses a 3-by-56-bit key

    • a 168-bit key called Triple DES

    • input is encrypted three times

    • data is broken into 64-bit blocks

      • 3DES then processes each block three times, each time with an independent key


DES and 3DES

  • Two IPSec peers must first exchange their shared secret key

    • Can encrypt and decrypt the message or generate and verify a message authentication code

    • After the two IPSec peers obtain their shared keys, they can use DES or 3DES for data encryption


HMACs

  • Both AH and ESP use HMACs to ensure data integrity and authentication

  • HMACs use hash functions and secret keys to perform message authentication

  • IPSec specifies the use of HMAC-MD5 and HMAC-SHA-1 for IKE and IPSec.


MD5

  • A hash algorithm used to authenticate packet data

  • Uses a 128-bit key to perform a hash function to produce a 128-bit authentication value of the input data

    • Message digest serves as a signature of the data

      • Signature is inserted into the AH or ESP headers

      • Receiving IPSec peer computes the authentication value of the received packet and compares it to the value stored in the received packet


SHA-1

  • A hash algorithm used to authenticate packet data

  • Uses a 160-bit secret key to produce a 160-bit authentication value of the input data

    • Signature is inserted into the AH or ESP headers

      • Receiving IPSec peer computes the authentication value of the received packet and compares it to the value stored in the received packet


Diffie-Hellman

  • A key-agreement algorithm used by two end devices to agree on a shared secret key

  • IKE uses Diffie-Hellman for key exchange during IKE Phase 1

    • secret keys are then used by encryption algorithms


Diffie-Hellman: How it Works

  • Each Diffie-Hellman peer generates a public and private key pair

    • public key is calculated from the private key

    • private key is kept secret

    • public keys are exchanged between the peers

    • each peer then computes the same shared secret number by combining the other’s public key and its own private key

    • shared secret number is converted into a shared secret key

    • shared secret key is never exchanged
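
Added example of the steps above in Python (not from the slides): two constructed peers run the exchange and each derives the same key from the shared number, which is never transmitted. The group is a toy 127-bit prime with generator 3 chosen for illustration rather than an RFC 2409 MODP group, and the key derivation follows the shape of RFC 2409's SKEYID = prf(Ni_b | Nr_b, g^xy) with HMAC-SHA-1 assumed as the prf.

```python
import hashlib
import hmac
import secrets

# Toy group for illustration only: the Mersenne prime 2**127 - 1 with generator 3.
# IKE itself uses the 768-bit (group 1) and 1024-bit (group 2) MODP groups defined in RFC 2409.
P = (1 << 127) - 1
G = 3

class DHPeer:
    def __init__(self):
        self.private = secrets.randbelow(P - 2) + 1   # kept secret, never sent
        self.public = pow(G, self.private, P)          # computed from the private value, then sent

    def shared_secret(self, peer_public: int) -> int:
        # Reject degenerate public values (0, 1, p-1) that would force a predictable secret
        if not 1 < peer_public < P - 1:
            raise ValueError("invalid Diffie-Hellman public value")
        return pow(peer_public, self.private, P)

def derive_key(shared_secret: int, nonce_i: bytes, nonce_r: bytes, length: int = 16) -> bytes:
    """Convert the shared number into key material: prf keyed with the two nonces over g^xy
    (assumption: HMAC-SHA-1 as the prf, mirroring RFC 2409's SKEYID for signature authentication)."""
    gxy = shared_secret.to_bytes((P.bit_length() + 7) // 8, "big")
    return hmac.new(nonce_i + nonce_r, gxy, hashlib.sha1).digest()[:length]

def run_exchange() -> tuple:
    """One exchange between two constructed peers; returns (initiator key, responder key)."""
    initiator, responder = DHPeer(), DHPeer()
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)   # nonces, exchanged in the clear
    # Each side combines the other's public value with its own private value
    k_i = derive_key(initiator.shared_secret(responder.public), ni, nr)
    k_r = derive_key(responder.shared_secret(initiator.public), ni, nr)
    return k_i, k_r
```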


WAN Design Using IPSec Tunnels

  • Enterprises can reduce their WAN costs by replacing traditional circuits (FR/ATM/dedicated circuits) with site-to-site VPN tunnels over the Internet

    • Point-to-point IPSec tunnels replace the permanent circuits

  • Access to the Internet can come from dial-up, cable-modem, or DSL technologies


WAN Design Using IPSec Tunnels


MPLS

  • A transport service that can provide VPNs

  • An advantage of using MPLS for VPN service is the ability to offer service guarantees

    • Guarantees are not currently possible when using the Internet to transport VPNs


MPLS

  • Specifies ways that you can map Layer 3 traffic to connection-oriented Layer 2 transport protocols

  • Adds a label containing specific routing information to each IP packet, directing traffic through explicitly defined paths


MPLS

  • Allows managers to implement policies to assign labels to various classes of traffic

    • Enables the service providers to offer different classes of service (CoSs) to different traffic types or from different customers

    • SPs can provide VPN services provisioned to give the appropriate priority to premium customers


MPLS Label

  • MPLS label is inserted between the Layer 2 header and the Layer 3 header of a Layer 2 frame

  • Applies for Packet over SONET (POS), Ethernet, Frame Relay, and labels over ATM

    • In ATM networks with label switching, the label is mapped into the virtual path identifier/virtual channel identifier (VPI/VCI) fields of the ATM header

    • MPLS label field is 32 bits in length

      • actual label (tag) is 20 bits
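
Added example, not from the slides: Python that encodes the 32-bit label entry (20-bit label, 3-bit EXP, bottom-of-stack bit, 8-bit TTL as laid out in RFC 3032), pushes it between the Ethernet header and the IPv4 packet the way an edge LSR does, decodes a stack of labels, and pops them again at the egress. The frames used are constructed sample data.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_MPLS = 0x8847   # MPLS unicast EtherType (RFC 3032)

def encode_label(label: int, exp: int = 0, bottom: bool = True, ttl: int = 64) -> bytes:
    """One 32-bit label entry: label (20 bits) | EXP/CoS (3) | bottom-of-stack S (1) | TTL (8)."""
    if not (0 <= label < 1 << 20 and 0 <= exp < 8 and 0 <= ttl < 256):
        raise ValueError("field out of range")
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bottom) << 8) | ttl)

def decode_stack(data: bytes) -> tuple:
    """Parse entries until the S bit is set; return (entries, byte offset of the Layer 3 header)."""
    entries, off = [], 0
    while True:
        (word,) = struct.unpack("!I", data[off:off + 4])
        off += 4
        entries.append({"label": word >> 12, "exp": (word >> 9) & 7, "s": (word >> 8) & 1, "ttl": word & 0xFF})
        if word & 0x100:
            return entries, off

def push_label(frame: bytes, label: int, exp: int = 0, ttl: int = 64) -> bytes:
    """Edge LSR: insert a label between the Ethernet header and the Layer 3 packet."""
    eth, ethertype, payload = frame[:12], struct.unpack("!H", frame[12:14])[0], frame[14:]
    if ethertype == ETHERTYPE_MPLS:      # already labelled: push on top with the S bit clear
        return eth + frame[12:14] + encode_label(label, exp, False, ttl) + payload
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("unsupported EtherType 0x%04x" % ethertype)
    return eth + struct.pack("!H", ETHERTYPE_MPLS) + encode_label(label, exp, True, ttl) + payload

def pop_label(frame: bytes) -> bytes:
    """Egress LSR: remove the top label; at the bottom of the stack restore the IPv4 EtherType."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_MPLS:
        raise ValueError("frame carries no label")
    eth, payload = frame[:12], frame[14:]
    top = decode_stack(payload)[0][0]
    ethertype = ETHERTYPE_IPV4 if top["s"] else ETHERTYPE_MPLS
    return eth + struct.pack("!H", ethertype) + payload[4:]
```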


MPLS Labels

  • MPLS adds labels to the packets at the edge of the network and removes them at the other end

  • Labels are assigned to packets based on a grouping

    • Each group is assigned a service class

  • Core of the network reads the labels and provides the appropriate services


MPLS Label Switch Routers

  • Forward packets based on the label and not on routing protocols

  • If the MPLS network uses ATM, the LSRs are called ATM LSRs

  • Edge LSR is responsible for adding the label to the packet

    • label is removed before the packet is sent from the MPLS network


MPLS LSRs


MPLS VPN Router Types

  • MPLS VPN architectures have four router types:

    • P router—The service provider’s internal core routers. These routers do not have to maintain VPN routes.

    • C router—The customer’s internal routers. They do not connect to the provider. These routers do not maintain VPN routes.

    • CE router—The edge routers on the customer side that connect to the service provider. These routers do not maintain VPN routes.

    • PE router—The edge routers on the service-provider side that connect with the customer’s CE routers. PE routers maintain VPN routes for the VPNs associated with the connected interfaces.


MPLS VPN Routers


WAN Design Using MPLS VPNs

  • Each site in the VPN service is a peer

    • Because all sites peer with one another, a logical mesh topology results

  • SP contracts CoSs for the enterprise

  • SP benefits because it can isolate customers into security groups, provide CoSs, and scale VPN networks


WAN Design Using MPLS VPNs


DSL Summary


VPN Summary

