VPN and DSL WAN Design - PowerPoint PPT Presentation

PowerPoint Slideshow about 'VPN and DSL WAN Design' - konala

Presentation Transcript

Chapter Topics

  • DSL Technologies

  • VPNs

DSL Technologies

  • When used with VPN technologies, DSL can provide WAN connectivity for remote offices at a lower cost than dedicated services.

  • DSL increases connectivity options for fixed remote access and extranet offices and users

  • DSL connection is “always on”

  • Charges are typically a fixed monthly fee

  • In some major markets, private DSL access is available

    • permanent virtual circuits (PVCs) extend the enterprise network to the DSL access device

DSL Technologies

  • Compared to dial-up access, DSL is favorably priced for equivalent bandwidth

  • Provides price advantages over leased lines and packet network services

  • Disadvantages of DSL include

    • spotty availability due to distance and infrastructure quality

    • lack of guaranteed transport bandwidth through the intermediate public networks

    • security issues within the Internet

    • cable modems offer comparable service for remote access at a similar cost

DSL Types

  • DSL is a physical layer technology

  • Marketplace has many variations

  • Forms of DSL include the following:

    • ADSL

    • SDSL

    • IDSL

    • High-bit-rate DSL (HDSL)

    • VDSL

  • Two leading schemes are SDSL and ADSL

ADSL – Asymmetric DSL

  • Targeted for residential customers

  • Defined by the American National Standards Institute (ANSI) T1.413 standard

  • Provides asymmetric speed with a downlink speed (from the central office to the customer) faster than the uplink speed

ADSL – Asymmetric DSL (continued)

  • Downstream rates range from 256 kbps to 8 Mbps

  • Upstream rates range from 16 kbps to 800 kbps

  • ADSL transmissions work at distances up to 18,000 ft (5488 m) over a single copper twisted pair

ADSL – Asymmetric DSL (continued)

ADSL G.lite is a variant specification that reduces the device requirements of ADSL

  • eliminates the requirement for special wiring installation services

  • provides rates up to 1.5 Mbps

  • Another variant is Rate Adaptive ADSL (RADSL)

    • Allows the DSL modem to adapt its speed based on the quality and length of the line

    ADSL Sample Services

    • Some examples of services are

      • 384 kbps download/128 kbps uplink

      • 768 kbps download/128 kbps uplink

      • 786 kbps download/256 kbps uplink

      • 1.5 Mbps download/128 kbps uplink

      • 1.5 Mbps download/384 kbps uplink

      • 6 Mbps download/384 kbps uplink

    HDSL – High Bit-rate DSL

    • Provides 1.544 Mbps of bandwidth but uses two twisted-pair lines (4 wires)

    • Range is limited to 12,000 ft (3658.5 m)

      • Signal repeaters can extend the service

    • Used primarily for digital-loop carrier systems, interexchange points of presence (POPs), and private data networks

    • HDSL-2 is a two-wire version that provides the same speeds or double the speed with four wires

    SDSL – Symmetric DSL

    • Provides equal bandwidth for both the uplink and downlink lines

    • Targeted to business customers to replace their more expensive T1 circuits

    • Uses a single twisted-pair line

    • Operating range limited to 22,000 ft

    SDSL – Symmetric DSL

    • Often marketed as business DSL

    • Speeds up to 2.3 Mbps

    • Service examples are

      • 144 kbps symmetric

      • 192 kbps symmetric

      • 384 kbps symmetric

      • 768 kbps symmetric

      • 1.1 Mbps symmetric

      • 1.5 Mbps symmetric

    IDSL – ISDN DSL

    • Developed to provide DSL service to locations using existing ISDN facilities

      • Redirects ISDN traffic to a DSLAM

      • Maintains all the electrical capabilities of ISDN

      • CPE is still any ISDN Basic Rate Interface (BRI) bridge/router

      • Provides a flat rate for ISDN-type service instead of the per-call rate of ISDN

    • Provides the same data capabilities over longer local loop facilities

    • IDSL is cheaper than ISDN

    VDSL – Very High Rate DSL

    • Asymmetric DSL services at speeds much greater than ADSL

    • Uses a single pair to provide up to 52 Mbps downlink speeds and up to 16 Mbps uplink speeds

    • Only selected areas offer VDSL

    • Limited to 4000 ft from the central office

    LRE over VDSL

    • Provides Ethernet services over existing Category 1/2/3 twisted-pair wiring

    • Speeds from 5 to 15 Mbps (full duplex)

    • Distances up to 5000 ft.

    VPNs

    • VPNs create private tunnels across the Internet

    • Create these tunnels from a single host to a VPN concentrator

    • Create site-to-site tunnels between offices

    VPN Tunnels

    • You can use several different technologies to create VPN tunnels:

      • GRE

      • Point-to-Point Tunneling Protocol (PPTP)

      • Microsoft Point-to-Point Encryption (MPPE)

      • VPDN

      • IPSec

      • MPLS

    GRE – Generic Routing Encapsulation

    • Cisco tunneling protocol that encapsulates entire packets into new IP headers

      • creates a virtual point-to-point link between two Cisco routers

      • new header has the source and destination addresses of the tunnel end points

      • virtual link crosses an IP network

      • described in RFC 1701

      • created to tunnel IP and other packet types

      • Encapsulated packet types can be IP packets or non-IP packets, such as Novell IPX or AppleTalk packets

    PPTP – Point-to-Point Tunneling Protocol

    • Described in RFC 2637

    • Network protocol developed by a vendor consortium

      • Allows for transfers of data from client PCs to enterprise servers using tunneled PPP through an IP network

    • Client software is deployed in Windows 95, ME, NT, 2000, and XP

    • Cisco added support for PPTP to Cisco IOS routers, PIX Firewalls, and VPN concentrators

    MPPE – Microsoft Point-to-Point Encryption

    • Microsoft protocol

      • Part of Microsoft’s PPTP client VPN solution

    • Converts PPP packets into an encrypted form

    • Used for creating VPNs over dial-up networks

    • Most Cisco access platforms support MPPE

    VPDN

    • A VPDN is a network that extends remote access to a private network using a shared infrastructure

    • Cisco protocol

    • Allows a private dial-in service to span across several remote-access servers (RAS)

    VPDN (continued)

    • Use Layer 2 tunnel technologies to extend the network connection from a remote user across an Internet service provider (ISP) network to a private network

    • Layer 2 technologies include

      • Layer 2 Forwarding Protocol (L2F)

      • Layer 2 Tunnel Protocol (L2TP)

      • PPTP

    VPDN (continued)

    • No need to connect to central office through the PSTN

      • VPDN users connect to the local ISP

      • ISP forwards the PPP session to a tunnel server

    • Forwarding calls through the Internet saves money

    IPSec

    • Provides a set of security services at the IP layer

    • Defined in RFC 2401

    • An architecture that both IPv4 and IPv6 can use

    • IPSec is a set of protocols, key management, and algorithms for authentication and encryption.

    IPSec Protocols

    • Two central protocols for IPSec are

      • IP AH

        • provides connectionless integrity and data-origin authentication for connectionless IP communications

        • can use AH alone or with ESP

        • described in RFC 2402

      • ESP

        • provides data confidentiality, data-origin authentication, and limited traffic-flow confidentiality

        • described in RFC 2406

    IPSec - IKE

    • IPSec uses the Internet Key Exchange (IKE) protocol for the automatic exchange of keys to form security associations (SAs) between two systems

      • IKE is not used if the SAs are configured manually

      • IKE eliminates the need to manually specify all of the IPSec SA parameters on both peers and allows encryption keys to change during IPSec sessions

      • IKE is described in RFC 2409

    IPSec Algorithms

    • ESP protocol uses encryption algorithms such as DES and 3DES for bulk encryption and for data confidentiality during IKE key exchange

    IPSec Connection Steps

    • IPSec operation follows five steps:

      • Step 1: Process initiation

        • Specification of the type of traffic to be encrypted

      • Step 2: IKE Phase 1

        • Authenticates the IPSec peers and sets up a secure channel between the peers to enable IKE exchanges

      • Step 3: IKE Phase 2

        • Negotiates the IPSec SA

      • Step 4: Data transfer

      • Step 5: Tunnel termination

        • Tunnel is terminated when the IPSec SAs are deleted or their lifetimes expire

    AH – Authentication Header

    • Provides connectionless integrity (data integrity) and authentication for the packet headers and the data payload

    • Does not provide confidentiality

    • Authentication comes from applying a one-way hash function to the packet to create a message digest

    AH - Hash

    • Not all the IP header fields are included when hashing the IP header

    • Fields that change in transit are excluded from the hash process, for example

      • Time-To-Live
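To make the AH hashing rule concrete, here is an added Python example (not from the presentation) that computes an HMAC-SHA-1-96 ICV over a constructed IPv4 packet with the mutable fields zeroed, then shows that a TTL decrement leaves the ICV intact while a changed destination does not. The full mutable-field list (ToS, Flags, Fragment Offset, TTL, header checksum) is taken from RFC 2402 and the 96-bit truncation from RFC 2404; the addresses, SPI, key and payload are constructed sample values.

```python
import hashlib
import hmac
import struct


def ipv4_header(ttl, payload_len, dst=b"\x0a\x00\x00\x02"):
    """Constructed 20-byte IPv4 header (no options): 10.0.0.1 -> dst, protocol 51 (AH)."""
    total_len = 20 + 24 + payload_len  # IP header + AH header with 96-bit ICV + payload
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                       ttl, 51, 0, b"\x0a\x00\x00\x01", dst)


def zero_mutable_fields(ip_header):
    """Zero the IPv4 fields AH treats as mutable (RFC 2402 section 3.3.3.1):
    ToS, Flags/Fragment Offset, TTL and the header checksum."""
    h = bytearray(ip_header)
    h[1] = 0                 # ToS
    h[6:8] = b"\x00\x00"     # Flags + Fragment Offset
    h[8] = 0                 # TTL, decremented by every router hop
    h[10:12] = b"\x00\x00"   # Header checksum, recomputed at every hop
    return bytes(h)


def ah_icv(key, ip_header, payload, spi=0x1000, seq=1):
    """HMAC-SHA-1-96 ICV (RFC 2404) over the immutable header fields, the AH
    header with its own ICV field zeroed, and the payload."""
    # AH header: next header (6 = TCP payload), payload length in 32-bit words
    # minus 2, reserved, SPI, sequence number, then the zeroed 12-byte ICV field.
    ah = struct.pack("!BBHII", 6, 4, 0, spi, seq) + b"\x00" * 12
    mac = hmac.new(key, zero_mutable_fields(ip_header) + ah + payload, hashlib.sha1).digest()
    return mac[:12]


def ttl_change_preserves_icv(key=b"constructed-demo-key", payload=b"hello"):
    """Return (ICV unchanged after a TTL decrement, ICV unchanged after a destination change)."""
    original = ipv4_header(64, len(payload))
    one_hop_later = ipv4_header(63, len(payload))                      # a router decremented TTL
    rerouted = ipv4_header(64, len(payload), dst=b"\x0a\x00\x00\x03")  # destination tampered with
    icv = ah_icv(key, original, payload)
    return (icv == ah_icv(key, one_hop_later, payload),
            icv == ah_icv(key, rerouted, payload))
```

The receiver performs the same zeroing before recomputing the ICV, which is why a packet that has crossed several hops still verifies.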

    ESP – Encapsulating Security Payload

    • Provides confidentiality, data-origin authentication, connectionless integrity, an anti-replay service, and limited traffic-flow confidentiality, as negotiated by the end points when they establish an SA

      • Packet authentication is provided by an optional field

      • Authentication is performed after encryption

      • Encryption through 56-bit DES and 3DES.

    ESP Tunnel Mode

    • Provides protection of the IP header fields only in tunnel mode

      • original IP header and payload are encrypted

    ESP Transport Mode

    • Only the IP data is encrypted

    • ESP inserts an IPSec header between the original IP header and the encrypted data

    DES and 3DES

    • DES is an older U.S. Government-approved standard widely used for encryption

      • Uses a 56-bit key to scramble and unscramble messages

      • Exported DES uses a 40-bit key version

      • DES breaks data into 64-bit blocks and then processes it with a 56-bit shared secret key

    DES and 3DES

    • The latest DES standard uses a 3-by-56-bit key

      • a 168-bit key called Triple DES

      • input is encrypted three times

      • data is broken into 64-bit blocks

        • 3DES then processes each block three times, each time with an independent key

    DES and 3DES

    • Two IPSec peers must first exchange their shared secret key

      • Can encrypt and decrypt the message or generate and verify a message authentication code

      • After the two IPSec peers obtain their shared keys, they can use DES or 3DES for data encryption

    HMAC

    • Both AH and ESP use HMACs to ensure data integrity and authentication

    • HMACs use hash functions and private keys to perform message authentication

    • IPSec specifies the use of HMAC-MD5 and HMAC-SHA-1 for IKE and IPSec.

    MD5

    • A hash algorithm used to authenticate packet data

    • Uses a 128-bit key to perform a hash function to produce a 128-bit authentication value of the input data

      • Message digest serves as a signature of the data

        • Signature is inserted into the AH or ESP headers

        • Receiving IPSec peer computes the authentication value of the received packet and compares it to the value stored in the received packet

    SHA-1

    • A hash algorithm used to authenticate packet data

    • Uses a 160-bit secret key to produce a 160-bit authentication value of the input data

      • Signature is inserted into the AH or ESP headers

        • Receiving IPSec peer computes the authentication value of the received packet and compares it to the value stored in the received packet

    Diffie-Hellman

    • A key-agreement algorithm used by two end devices to agree on a shared secret key

    • IKE uses Diffie-Hellman for key exchange during IKE Phase 1

      • The resulting secret keys are then used by the encryption algorithms

    Diffie-Hellman: How it Works

    • Each Diffie-Hellman peer generates a public and private key pair

      • public key is calculated from the private key

      • private key is kept secret

      • public keys are exchanged between the peers

      • each peer then computes the same shared secret number by combining the other’s public key with its own private key

      • shared secret number is converted into a shared secret key

      • shared secret key is never exchanged
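As an added illustration (not part of the presentation), the following Python code walks through exactly these steps with a constructed toy group: each peer derives a public key from its private key, only the public keys cross the wire, both sides compute the same shared secret number, and that number is converted into a shared secret key with SHA-1. The DHPeer class and ike_phase1_exchange function are names chosen for this example, and the 1019-element group is a stand-in for the far larger MODP groups IKE actually uses.

```python
import hashlib
import secrets

# Constructed toy group for illustration only: p = 2q + 1 is a safe prime and
# g = 4 generates its prime-order subgroup. IKE Phase 1 uses the much larger
# MODP groups of RFC 2409 (e.g. the 1024-bit group 2); the arithmetic is the same.
P = 1019
Q = (P - 1) // 2
G = 4


class DHPeer:
    """One IKE Phase 1 peer holding a Diffie-Hellman key pair (example class name)."""

    def __init__(self, private_key=None):
        # The private key never leaves this peer; pick it at random unless supplied.
        if private_key is None:
            private_key = secrets.randbelow(Q - 1) + 1
        self.private_key = private_key
        # The public key is calculated from the private key: g^x mod p.
        self.public_key = pow(G, self.private_key, P)

    def shared_secret(self, peer_public_key):
        """Combine the other side's public key with our own private key."""
        # Reject 0, 1, p-1 and anything outside the order-q subgroup, so a
        # tampered public value cannot force the secret into a tiny set.
        if not 1 < peer_public_key < P or pow(peer_public_key, Q, P) != 1:
            raise ValueError("peer public key is not a valid group element")
        return pow(peer_public_key, self.private_key, P)

    def shared_key(self, peer_public_key):
        """Convert the shared secret number into a shared secret key (SHA-1 here)."""
        secret = self.shared_secret(peer_public_key)
        return hashlib.sha1(secret.to_bytes((P.bit_length() + 7) // 8, "big")).digest()


def ike_phase1_exchange(alice=None, bob=None):
    """Run the exchange; only the two public keys cross the wire."""
    alice = alice or DHPeer()
    bob = bob or DHPeer()
    wire = [alice.public_key, bob.public_key]  # everything an eavesdropper can observe
    key_a = alice.shared_key(wire[1])          # Alice combines Bob's public key with her private key
    key_b = bob.shared_key(wire[0])            # Bob combines Alice's public key with his private key
    return key_a, key_b, wire
```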

    WAN Design Using IPSec Tunnels

    • Enterprises can reduce their WAN costs by replacing traditional circuits (FR/ATM/dedicated circuits) with site-to-site VPN tunnels over the Internet

      • Point-to-point IPSec tunnels replace the permanent circuits

    • Access to the Internet can come from dial-up, cable-modem, or DSL technologies

    MPLS

    • A transport service that can provide VPNs

    • An advantage of using MPLS for VPN service is the ability to offer service guarantees

      • Guarantees are not currently possible when using the Internet to transport VPNs

    MPLS (continued)

    • Specifies ways that you can map Layer 3 traffic to connection-oriented Layer 2 transport protocols

    • Adds a label containing specific routing information to each IP packet directing traffic through explicitly defined paths

    MPLS (continued)

    • Allows managers to implement policies to assign labels to various classes of traffic

      • Enables service providers to offer different classes of service (CoSs) to different traffic types or to different customers

      • SPs can provide VPN services provisioned to give the appropriate priority to premium customers

    MPLS Label

    • MPLS label is inserted between the Layer 2 header and the Layer 3 header of a Layer 2 frame

    • Applies for Packet over SONET (POS), Ethernet, Frame Relay, and labels over ATM

      • In ATM networks with label switching, the label is mapped into the virtual path identifier/virtual channel identifier (VPI/VCI) fields of the ATM header

      • MPLS label field is 32 bits in length

        • actual label (tag) is 20 bits
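An added Python example (not from the presentation) that encodes and decodes the 32-bit MPLS label field and places the label stack between the Ethernet and IP headers. It goes beyond the slide by spelling out the remaining sub-fields of the 32-bit entry from RFC 3032 (3-bit Exp, 1-bit bottom-of-stack S, 8-bit TTL) and by using the 0x8847 MPLS unicast EtherType; the function names and sample labels are constructed.

```python
import struct

MPLS_UNICAST_ETHERTYPE = 0x8847  # Ethernet frames carrying an MPLS label stack


def encode_label_stack(entries):
    """Encode [(label, exp, ttl), ...] as 32-bit MPLS label entries.
    Layout per RFC 3032: 20-bit label, 3-bit Exp, 1-bit S (bottom of stack), 8-bit TTL."""
    out = b""
    for i, (label, exp, ttl) in enumerate(entries):
        if not 0 <= label < (1 << 20):
            raise ValueError("label must fit in 20 bits")
        if not (0 <= exp < 8 and 0 <= ttl < 256):
            raise ValueError("exp or ttl out of range")
        bottom = 1 if i == len(entries) - 1 else 0  # S=1 marks the last label
        out += struct.pack("!I", (label << 12) | (exp << 9) | (bottom << 8) | ttl)
    return out


def decode_label_stack(data):
    """Walk the label entries until S=1; return the entries and the offset of the Layer 3 header."""
    entries, offset = [], 0
    while offset + 4 <= len(data):
        (word,) = struct.unpack_from("!I", data, offset)
        entries.append((word >> 12, (word >> 9) & 0x7, word & 0xFF))
        offset += 4
        if (word >> 8) & 0x1:
            return entries, offset
    raise ValueError("label stack has no bottom-of-stack entry")


def mpls_frame(dst_mac, src_mac, entries, ip_packet):
    """Ethernet frame with the label stack inserted between the Layer 2 and Layer 3 headers."""
    return (dst_mac + src_mac + struct.pack("!H", MPLS_UNICAST_ETHERTYPE)
            + encode_label_stack(entries) + ip_packet)
```

A label switch router only needs the first four bytes after the Ethernet header to make its forwarding decision, which is the point of the label being a fixed 32-bit field.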

    MPLS Labels

    • MPLS adds labels to the packets at the edge of the network and removes them at the other end

    • Labels are assigned to packets based on a grouping

      • Each group is assigned a service class

    • Core of the network reads the labels and provides the appropriate services

    MPLS Label Switch Routers

    • Forward packets based on the label rather than on routing protocols

    • If the MPLS network uses ATM, the LSRs are called ATM LSRs

    • Edge LSR is responsible for adding the label to the packet

      • label is removed before the packet is sent from the MPLS network

    MPLS VPN Router Types

    • MPLS VPN architectures have four router types:

      • P router—The service provider’s internal core routers. These routers do not have to maintain VPN routes.

      • C router—The customer’s internal routers. They do not connect to the provider. These routers do not maintain VPN routes.

      • CE router—The edge routers on the customer side that connect to the service provider. These routers do not maintain VPN routes.

      • PE router—The edge routers on the service-provider side that connect with the customer’s CE routers. PE routers maintain VPN routes for the VPNs associated with the connected interfaces.

    WAN Design Using MPLS VPNs

    • Each site in the VPN service is a peer

      • Because all sites peer with one another, the result is a logical mesh topology

    • SP contracts CoSs for the enterprise

    • SP benefits because it can isolate customers into security groups, provide CoSs, and scale VPN networks