VPN and DSL WAN Design


Chapter Topics

  • DSL Technologies

  • VPNs


DSL Technologies


DSL Technologies

  • When used with VPN technologies, DSL can provide WAN connectivity for remote offices at a lower cost than dedicated services.

  • DSL increases connectivity options for fixed remote access and extranet offices and users

  • DSL connection is “always on”

  • Charges are typically a fixed monthly fee

  • In some major markets, private DSL access is available

    • permanent virtual circuits (PVCs) extend the enterprise network to the DSL access device


DSL Technologies

  • DSL is favorably priced based on cost for equivalent bandwidth when compared to dial-up access

  • Provides price advantages over leased lines and packet network services

  • Disadvantages of DSL include

    • spotty availability due to distance and infrastructure quality

    • lack of guaranteed transport bandwidth through the intermediate public networks

    • security issues within the Internet

    • cable modems offer comparable service for remote access at a similar cost


DSL Types

  • DSL is a physical layer technology

  • Marketplace has many variations

  • Forms of DSL include the following:

    • ADSL

    • SDSL

    • IDSL

    • High-bit-rate DSL (HDSL)

    • VDSL

  • Two leading schemes are SDSL and ADSL


Basic DSL Architecture


ADSL – Asymmetric DSL

  • Targeted for residential customers

  • Defined by the American National Standards Institute (ANSI) T1.413 standard

  • Provides asymmetric speed with a downlink speed (from the central office to the customer) faster than the uplink speed


ADSL

  • Downstream rates range from 256 kbps to 8 Mbps

  • Upstream rates range from 16 kbps to 800 kbps

  • ADSL transmissions work at distances up to 18,000 ft (5488 m) over a single copper twisted pair


ADSL

ADSL G.lite is a variant specification that reduces the device requirements of ADSL

  • eliminates the requirement for special wiring installation services

  • provides rates up to 1.5 Mbps

  • Another variant is Rate Adaptive ADSL (RADSL)

    • Allows the DSL modem to adapt its speed based on the quality and length of the line


ADSL Sample Services

  • Some examples of services are

    • 384 kbps download/128 kbps uplink

    • 768 kbps download/128 kbps uplink

    • 786 kbps download/256 kbps uplink

    • 1.5 Mbps download/128 kbps uplink

    • 1.5 Mbps download/384 kbps uplink

    • 6 Mbps download/384 kbps uplink


HDSL – High Bit-rate DSL

  • Provides 1.544 Mbps of bandwidth but uses two twisted-pair lines (4 wires)

  • Range is limited to 12,000 ft (3658.5 m)

    • Signal repeaters can extend the service

  • Used primarily for digital-loop carrier systems, interexchange points of presence (POPs), and private data networks

  • HDSL-2 is a two-wire version that provides the same speeds, or double the speed with four wires


SDSL – Symmetric DSL

  • Provides equal bandwidth for both the uplink and downlink directions

  • Targeted to business customers to replace their more expensive T1 circuits

  • Uses a single twisted-pair line

  • Operating range limited to 22,000 ft


SDSL – Symmetric DSL

  • Often marketed as business DSL

  • Speeds up to 2.3 Mbps

  • Service examples are

    • 144 kbps symmetric

    • 192 kbps symmetric

    • 384 kbps symmetric

    • 768 kbps symmetric

    • 1.1 Mbps symmetric

    • 1.5 Mbps symmetric


IDSL – ISDN DSL

  • Developed to provide DSL service to locations using existing ISDN facilities

    • Redirects ISDN traffic to a DSLAM

    • Maintains all the electrical capabilities of ISDN

    • CPE is still any ISDN Basic Rate Interface (BRI) bridge/router

    • Provides a flat rate for the ISDN-type service versus the per-call rate of ISDN

  • Provides the same data capabilities over longer local loop facilities

  • IDSL is cheaper than ISDN


VDSL – Very High Rate DSL

  • Asymmetric DSL service at speeds much greater than ADSL

  • Uses a single pair to provide up to 52 Mbps downlink speeds and up to 16 Mbps uplink speeds

  • Only selected areas offer VDSL

  • Limited to 4000 ft from the central office


LRE over VDSL

  • Provides Ethernet services over existing Category 1/2/3 twisted-pair wiring

  • Speeds from 5 to 15 Mbps (full duplex)

  • Distances up to 5000 ft


DSL Specifications


VPNs


Foundation

  • VPNs create private tunnels across the Internet

  • Create these tunnels from a single host to a VPN concentrator

  • Create site-to-site tunnels between offices


VPN Tunnels

  • You can use several different technologies to create VPN tunnels:

    • GRE

    • Point-to-Point Tunneling Protocol (PPTP)

    • Microsoft Point-to-Point Encryption (MPPE)

    • VPDN

    • IPSec

    • MPLS


GRE

  • Cisco tunneling protocol that encapsulates entire packets into new IP headers

    • creates a virtual point-to-point link between two Cisco routers

    • new header has the source and destination addresses of the tunnel end points

    • virtual link crosses an IP network

    • described in RFC 1701

    • created to tunnel IP and other packet types

    • encapsulated packet types can be IP packets or non-IP packets, such as Novell IPX or AppleTalk packets


PPTP

  • Described in RFC 2637

  • Network protocol developed by a vendor consortium

    • Allows for transfers of data from client PCs to enterprise servers using tunneled PPP through an IP network

  • Client software is deployed in Windows 95, ME, NT, 2000, and XP

  • Cisco added support for PPTP to Cisco IOS routers, PIX Firewalls, and VPN concentrators


MPPE

  • Microsoft protocol

    • Part of Microsoft’s PPTP client VPN solution

  • Converts PPP packets into an encrypted form

  • Used for creating VPNs over dial-up networks

  • Most Cisco access platforms support MPPE


VPDN

  • A VPDN is a network that extends remote access to a private network using a shared infrastructure

  • Cisco protocol

  • Allows a private dial-in service to span across several remote-access servers (RAS)


VPDN

  • Uses Layer 2 tunnel technologies to extend the network connection from a remote user across an Internet service provider (ISP) network to a private network

  • Layer 2 technologies include

    • Layer 2 Forwarding Protocol (L2F)

    • Layer 2 Tunnel Protocol (L2TP)

    • PPTP


VPDN

  • No need to connect to the central office through the PSTN

    • VPDN users connect to the local ISP

    • ISP forwards the PPP session to a tunnel server

  • Forwarding calls through the Internet saves money


VPDN Tunnel


IPSec

  • Provides a set of security services at the IP layer

  • Defined in RFC 2401

  • An architecture that both IPv4 and IPv6 can use

  • IPSec is a set of protocols, key management, and algorithms for authentication and encryption


IPSec

  • Two central protocols for IPSec are

    • IP AH

      • provides connectionless integrity and data-origin authentication for IP communications

      • can use AH alone or with ESP

      • described in RFC 2402

    • ESP

      • provides data confidentiality, data-origin authentication, and limited traffic-flow confidentiality

      • described in RFC 2406


IPSec - IKE

  • Uses the Internet Key Exchange (IKE) protocol for the automatic exchange of keys to form security associations (SAs) between two systems

    • IKE is not used if the SAs are configured manually

    • eliminates the need to manually specify all of the IPSec SA parameters on both peers and allows encryption keys to change during IPSec sessions

    • IKE is described in RFC 2409


IPSec Algorithms

  • ESP protocol uses encryption algorithms such as DES and 3DES for bulk encryption and for data confidentiality during the IKE key exchange


IPSec Connection Steps

  • IPSec operation follows five steps:

    • Step 1: Process initiation

      • Specification of the type of traffic to be encrypted

    • Step 2: IKE Phase 1

      • Authenticates the IPSec peers and sets up a secure channel between the peers to enable IKE exchanges

    • Step 3: IKE Phase 2

      • Negotiates the IPSec SA

    • Step 4: Data transfer

    • Step 5: Tunnel termination

      • Tunnel is terminated if the IPSec SAs are deleted or their lifetimes expire


AH

  • Provides connectionless integrity (data integrity) for packet headers and data payload, and authentication

  • Does not provide confidentiality

  • Authentication comes from applying a one-way hash function to the packet to create a message digest


AH Hash


AH - Hash

  • Not all the IP header fields are used to hash the IP header

  • fields that change in transit are not part of the hash process

    • Time-To-Live


ESP

  • Provides confidentiality, data-origin authentication, connectionless integrity, an anti-replay service, and limited traffic-flow confidentiality, as negotiated by the end points when they establish an SA

    • Packet authentication is provided by an optional field

    • Authentication is performed after encryption

    • Encryption through 56-bit DES and 3DES


ESP Tunnel Mode

  • Provides protection of the IP header fields only in tunnel mode

    • original IP header and payload are encrypted


ESP Transport Mode

  • Only the IP data is encrypted

  • ESP inserts an IPSec header between the original IP header and the encrypted data


DES and 3DES

  • DES is an older U.S. Government-approved standard widely used for encryption

    • Uses a 56-bit key to scramble and unscramble messages

    • Exported DES uses a 40-bit key version

    • DES breaks data into 64-bit blocks and then processes each block with the 56-bit shared secret key


DES and 3DES

  • Latest DES standard uses a 3-by-56-bit key

    • a 168-bit key called Triple DES

    • input is encrypted three times

    • data is broken into 64-bit blocks

      • 3DES then processes each block three times, each time with an independent key


DES and 3DES

  • Two IPSec peers must first exchange their shared secret key

    • They can then encrypt and decrypt the message or generate and verify a message authentication code

    • After the two IPSec peers obtain their shared keys, they can use DES or 3DES for data encryption


HMACs

  • Both AH and ESP use HMACs to ensure data integrity and authentication

  • HMACs use hash functions and private keys to perform message authentication

  • IPSec specifies the use of HMAC-MD5 and HMAC-SHA-1 for IKE and IPSec
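The AH hash rule (fields that change in transit, such as TTL, are left out of the hash) and the HMAC slides can be seen end to end in the following added Python example. It is not part of the presentation or of any Cisco implementation: the IPv4 header, payload and key are constructed, and the code simplifies real AH by not including the AH header itself among the bytes covered by the ICV.

```python
import hashlib
import hmac
import struct

# Constructed sample key; a real AH SA key comes from IKE or manual configuration
AH_KEY = b"constructed-sample-ah-key"


def build_ipv4_header(src, dst, ttl, payload_len, protocol=51):
    """Build a minimal 20-byte IPv4 header (constructed, not captured).

    Fields: version/IHL, TOS, total length, identification, flags/fragment
    offset, TTL, protocol (51 = AH), header checksum (left 0), src, dst.
    """
    total_len = 20 + payload_len
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0,
                       ttl, protocol, 0, src, dst)


def zero_mutable_fields(header):
    """Zero the IPv4 fields RFC 2402 classes as mutable before hashing:
    TOS, flags/fragment offset, TTL and header checksum. Everything else
    (version, length, ID, protocol, addresses) stays covered by the ICV."""
    h = bytearray(header)
    h[1] = 0                  # TOS
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)


def ah_icv(key, header, payload, hash_name="sha1"):
    """Integrity Check Value: HMAC over the immutable header fields plus the
    payload, truncated to 96 bits as HMAC-SHA-1-96 and HMAC-MD5-96 do.
    Simplification: real AH also covers its own header with the ICV field
    zeroed; that header is omitted here."""
    digest = hmac.new(key, zero_mutable_fields(header) + payload,
                      getattr(hashlib, hash_name)).digest()
    return digest[:12]


def verify_icv(key, header, payload, icv, hash_name="sha1"):
    """Receiver side: recompute the ICV and compare in constant time."""
    return hmac.compare_digest(ah_icv(key, header, payload, hash_name), icv)


def demo():
    """Returns (ttl_change_verifies, tampered_payload_verifies, changed_dst_verifies)."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])   # constructed addresses
    payload = b"constructed payload"
    sent = build_ipv4_header(src, dst, ttl=64, payload_len=len(payload))
    icv = ah_icv(AH_KEY, sent, payload)

    # Each router hop decrements TTL; AH must still verify afterwards.
    arrived = build_ipv4_header(src, dst, ttl=60, payload_len=len(payload))
    ttl_ok = verify_icv(AH_KEY, arrived, payload, icv)

    # A modified payload or a changed (immutable) destination must fail.
    payload_ok = verify_icv(AH_KEY, arrived, b"tampered payload", icv)
    rerouted = build_ipv4_header(src, bytes([10, 0, 0, 9]), ttl=60,
                                 payload_len=len(payload))
    dst_ok = verify_icv(AH_KEY, rerouted, payload, icv)
    return ttl_ok, payload_ok, dst_ok


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

Switching hash_name to "md5" gives the HMAC-MD5-96 variant; both produce a 12-byte ICV, which is why the receiver compares a truncated digest rather than the full 128- or 160-bit output.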


MD5

  • A hash algorithm used to authenticate packet data

  • Uses a 128-bit key to perform a hash function to produce a 128-bit authentication value of the input data

    • Message digest serves as a signature of the data

      • Signature is inserted into the AH or ESP header

      • Receiving IPSec peer computes the authentication value of the received packet and compares it to the value stored in the received packet


SHA-1

  • A hash algorithm used to authenticate packet data

  • Uses a 160-bit secret key to produce a 160-bit authentication value of the input data

    • Signature is inserted into the AH or ESP header

      • Receiving IPSec peer computes the authentication value of the received packet and compares it to the value stored in the received packet


Diffie-Hellman

  • A key-agreement algorithm used by two end devices to agree on a shared secret key

  • IKE uses Diffie-Hellman for key exchange during IKE Phase 1

    • secret keys are then used by encryption algorithms


Diffie-Hellman: How it Works

  • Each Diffie-Hellman peer generates a public and private key pair

    • public key is calculated from the private key

    • private key is kept secret

    • public keys are exchanged between the peers

    • each peer then computes the same shared secret number by combining the other’s public key with its own private key

    • shared secret number is converted into a shared secret key

    • shared secret key is never exchanged
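Added example, not from the presentation: the exchange in the bullets above carried out in Python. DEMO_P (the Mersenne prime 2^127 - 1, generator 2) is a constructed demonstration group and not one of the IKE Oakley groups, and derive_key uses a plain SHA-1 of the shared number in place of IKE's PRF-based derivation; only the two public values cross the wire.

```python
import hashlib
import secrets

# Constructed demonstration modulus: the Mersenne prime 2^127 - 1 with
# generator 2. It is NOT an IKE group; the Oakley groups of RFC 2409 use
# much larger MODP primes.
DEMO_P = (1 << 127) - 1
DEMO_G = 2


def dh_generate_private(p):
    """Private value: a random integer in [2, p-2], kept secret by its owner."""
    return 2 + secrets.randbelow(p - 3)


def dh_public(p, g, private_value):
    """Public value g^x mod p, calculated from the private value and sent to the peer."""
    return pow(g, private_value, p)


def dh_shared_secret(p, peer_public, private_value):
    """Combine the peer's public value with our own private value.
    Public values of 0, 1 or p-1 would force a trivial shared secret, so
    reject them before exponentiating."""
    if not 1 < peer_public < p - 1:
        raise ValueError("peer public value out of range")
    return pow(peer_public, private_value, p)


def derive_key(shared_secret, length=20):
    """Convert the shared secret number into a shared secret key.
    A SHA-1 of the big-endian number stands in for IKE's PRF-based
    derivation (RFC 2409), which is not reproduced here."""
    size = max(1, (shared_secret.bit_length() + 7) // 8)
    return hashlib.sha1(shared_secret.to_bytes(size, "big")).digest()[:length]


def dh_exchange(p=DEMO_P, g=DEMO_G, priv_a=None, priv_b=None):
    """Run both sides of the exchange. Returns (pub_a, pub_b, key_a, key_b);
    only pub_a and pub_b would be transmitted, the private values and the
    derived keys never are. Fixed private values may be passed for testing."""
    priv_a = dh_generate_private(p) if priv_a is None else priv_a
    priv_b = dh_generate_private(p) if priv_b is None else priv_b
    pub_a = dh_public(p, g, priv_a)
    pub_b = dh_public(p, g, priv_b)
    key_a = derive_key(dh_shared_secret(p, pub_b, priv_a))   # A: B's public + A's private
    key_b = derive_key(dh_shared_secret(p, pub_a, priv_b))   # B: A's public + B's private
    return pub_a, pub_b, key_a, key_b


if __name__ == "__main__":
    pub_a, pub_b, key_a, key_b = dh_exchange()
    print("public values differ:", pub_a != pub_b)
    print("both peers derived the same key:", key_a == key_b)
```

The range check on the peer's public value is the one piece a practitioner should not drop when adapting this: an implementation that accepts 0, 1 or p-1 lets a peer force the shared secret to a known value.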


WAN Design Using IPSec Tunnels

  • Enterprises can reduce their WAN costs by replacing traditional circuits (FR/ATM/dedicated circuits) with site-to-site VPN tunnels over the Internet

    • Point-to-point IPSec tunnels replace the permanent circuits

  • Access to the Internet can come from dial-up, cable-modem, or DSL technologies


WAN Design Using IPSec Tunnels


MPLS

  • A transport service that can provide VPNs

  • An advantage of using MPLS for VPN service is the ability to offer service guarantees

    • Guarantees are not currently possible when using the Internet to transport VPNs


MPLS

  • Specifies ways that you can map Layer 3 traffic to connection-oriented Layer 2 transport protocols

  • Adds a label containing specific routing information to each IP packet, directing traffic through explicitly defined paths


MPLS

  • Allows managers to implement policies to assign labels to various classes of traffic

    • Enables the service providers to offer different classes of service (CoSs) to different traffic types or from different customers

    • SPs can provide VPN services provisioned to give the appropriate priority to premium customers


MPLS Label

  • MPLS label is inserted between the Layer 2 header and the Layer 3 header of a Layer 2 frame

  • Applies for Packet over SONET (POS), Ethernet, Frame Relay, and labels over ATM

    • In ATM networks with label switching, the label is mapped into the virtual path identifier/virtual channel identifier (VPI/VCI) fields of the ATM header

    • MPLS label field is 32 bits in length

      • actual label (tag) is 20 bits
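Added example (not from the presentation): packing and parsing the 32-bit label stack entry described above in Python. The 20-bit label, 3-bit EXP (class-of-service) field, bottom-of-stack bit and 8-bit TTL follow RFC 3032, as do the reserved label names; the sample frame bytes are constructed, and a stack with no bottom-of-stack entry is treated as malformed rather than silently consumed.

```python
import struct

# Reserved label values from RFC 3032 (0-15 are reserved; these four are
# the ones most often seen in practice)
RESERVED_LABELS = {
    0: "IPv4 explicit null",
    1: "router alert",
    2: "IPv6 explicit null",
    3: "implicit null",
}


def encode_label(label, exp=0, bottom=False, ttl=64):
    """Pack one 32-bit label stack entry:
    bits 31..12 label (20), 11..9 EXP (3), 8 bottom-of-stack (1), 7..0 TTL (8)."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label must fit in 20 bits")
    if not 0 <= exp < 8:
        raise ValueError("EXP must fit in 3 bits")
    if not 0 <= ttl < 256:
        raise ValueError("TTL must fit in 8 bits")
    word = (label << 12) | (exp << 9) | (int(bottom) << 8) | ttl
    return struct.pack("!I", word)


def encode_label_stack(entries, ttl=64):
    """entries: list of (label, exp) from outermost to innermost; the last
    entry carries the bottom-of-stack bit, as the edge LSR would set it."""
    out = b""
    for i, (label, exp) in enumerate(entries):
        out += encode_label(label, exp, bottom=(i == len(entries) - 1), ttl=ttl)
    return out


def decode_label_stack(data):
    """Parse entries until the bottom-of-stack bit is set.
    Returns (entries, rest) where rest is the Layer 3 packet after the stack.
    Raises ValueError if the data runs out before a bottom entry appears."""
    entries = []
    offset = 0
    while True:
        if len(data) - offset < 4:
            raise ValueError("truncated label stack: no bottom-of-stack entry")
        (word,) = struct.unpack_from("!I", data, offset)
        offset += 4
        label = word >> 12
        entries.append({
            "label": label,
            "exp": (word >> 9) & 0x7,
            "bottom": bool((word >> 8) & 0x1),
            "ttl": word & 0xFF,
            "reserved": RESERVED_LABELS.get(label, "reserved") if label < 16 else None,
        })
        if entries[-1]["bottom"]:
            return entries, data[offset:]


def demo():
    """Constructed two-label frame: outer transport label 100 with EXP 5,
    inner VPN label 16, followed by a stand-in IPv4 payload."""
    payload = b"\x45" + b"\x00" * 19          # constructed: an IPv4 header start
    frame = encode_label_stack([(100, 5), (16, 0)], ttl=255) + payload
    return decode_label_stack(frame)


if __name__ == "__main__":
    entries, rest = demo()
    for e in entries:
        print(e)
    print("bytes after the stack:", len(rest))
```

Label 16 is the first non-reserved value, which is why configured labels on real LSRs start at 16; the "reserved" field lets a monitoring tool flag a customer-facing interface that carries explicit-null or router-alert labels it should not see.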


MPLS Labels

  • MPLS adds labels to the packets at the edge of the network and removes them at the other end

  • Labels are assigned to packets based on a grouping

    • Each group is assigned a service class

  • Core of the network reads the labels and provides the appropriate services


MPLS Label Switch Routers

  • Forward packets based on the label and not on routing protocols

  • If the MPLS network uses ATM, the LSRs are called ATM LSRs

  • Edge LSR is responsible for adding the label to the packet

    • label is removed before the packet is sent from the MPLS network


MPLS LSRs


MPLS VPN Router Types

  • MPLS VPN architectures have four router types:

    • P router—The service provider’s internal core routers. These routers do not have to maintain VPN routes.

    • C router—The customer’s internal routers. They do not connect to the provider. These routers do not maintain VPN routes.

    • CE router—The edge routers on the customer side that connect to the service provider. These routers do not maintain VPN routes.

    • PE router—The edge routers on the service-provider side that connect with the customer’s CE routers. PE routers maintain VPN routes for the VPNs associated with the connected interfaces.


MPLS VPN Routers


WAN Design Using MPLS VPNs

  • Each site in the VPN service is a peer

    • Because all sites peer with one another, a logical mesh topology results

  • SP contracts CoSs for the enterprise

  • SP benefits because it can isolate customers into security groups, provide CoSs, and scale VPN networks


WAN Design Using MPLS VPNs


DSL Summary


VPN Summary