
NETWORKING - VPN CONNECTIVITY AND THEIR MANAGEMENT

A project report submitted to

Shri Baba Mastnath Engg. College

(A Constituent Institute of Maharishi Dayanand University)

in partial fulfillment of the requirement for the award of the degree of

BACHELOR OF TECHNOLOGY
in
ELECTRONICS AND COMMUNICATION ENGINEERING

by

Manoj Bhardwaj

(Under the guidance of)
Ms. Neha Kashyap, Associate Program Manager, Tulip Telecom Ltd
Ms. Sunita (H.O.D), C.S.E. Deptt.

SHRI BABA MASTNATH ENGINEERING COLLEGE, Asthal Bohar, Rohtak

CERTIFICATE

This is to certify that the project titled "NETWORKING - VPN CONNECTIVITY AND THEIR MANAGEMENT" is a bonafide work of Manoj Bhardwaj carried out in partial fulfillment of the requirements for awarding the degree of Bachelor of Technology under Maharishi Dayanand University during the academic year 2009-2013.

Mr. Puneet Khanna
Sr. Network Engineer, Tulip Telecom, New Delhi

Ms. Sunita
H.O.D & Professor in C.S.E Deptt., S.B.M.N Engg. College

ACKNOWLEDGEMENT

I take this opportunity to express my deepest gratitude to my team leader and project guide Ms. Neha Kashyap (Associate Manager) for her able guidance and support in this phase of transition from an academic to a professional life. Her support and valuable inputs helped me immensely in completing this project. I would also like to show my deep sense of gratitude to my team members Mr. Arvind Chand, Mr. Jitender Kalra, Mr. Anil Mattoo and Mr. Awadh Gabha at Tulip Telecom, Delhi, who helped me in ways of encouragement, suggestions and technical inputs, thus contributing either directly or indirectly to the various stages of the project. I am also grateful to Mr. Ashish Gupta (NOC Head, Tulip Telecom) for providing me this great opportunity of industrial training at Tulip Telecom. Also, I would like to show my sincere gratitude to Miss Sunita (HOD & Professor in C.S.E Deptt., SBMN Engg. College), my internal supervisor and guide, for her continuous help, suggestions and guidance during this entire period. And last, but not the least, I would like to thank the people at Tulip Telecom for being so cordial and cooperative throughout the period of my training.

ABSTRACT

Tulip Telecom is the largest MPLS based VPN provider in India and has been the front-runner in provisioning and managing multi-location wide area network VPNs using last mile wireless connectivity.

VPN is a cost effective and secure way for corporations to provide user access to the corporate network and for remote networks to communicate with each other across the Internet or a shared service provider network.

The report presents a comprehensive overview of VPNs. The most important VPN architectures and technologies are described. IPsec, GRE and MPLS technologies, together with various tunneling protocols, are studied as the main enabling technologies for site to site VPN implementation. The report also discusses Tulip's last mile wireless network connectivity and its remote monitoring. An insight into the connectivity of some of the VPN clients that were remotely monitored and managed by me as an L1 trainee at the Network Operations Centre (NOC) of Tulip Telecom is presented.

TABLE OF CONTENTS

ACKNOWLEDGEMENT
ABSTRACT
LIST OF FIGURES

CHAPTER 1 ABOUT TULIP TELECOM
1.1 Company Profile
1.2 Company Objectives
1.3 Infrastructure
1.4 Network Architecture
1.4.1 The Core and Aggregation Network
1.4.2 The Customer Access Network
1.5 Network Management
1.6 Services Offered

CHAPTER 2 VIRTUAL PRIVATE NETWORK (VPN)
2.1 Introduction
2.2 Need for VPN
2.3 Basic VPN Requirements
2.4 VPN Devices and Terminology
2.5 VPN Configurations
2.6 VPN Models
2.6.1 Overlay VPN Model
2.6.2 Peer-to-Peer VPN Model
2.7 Approaches to VPN
2.8 VPN Enabling Protocols and Technologies

CHAPTER 3 TUNNEL BASED VPNs
3.1 Tunneling
3.2 Layer 3 Tunneling Protocols
3.2.1 IP Security (IPsec)
3.2.2 Generic Routing Encapsulation (GRE)
3.2.3 GRE-IPsec Tunnel
3.3 Layer 2 Tunneling Protocols
3.3.1 Point-to-Point Tunneling Protocol (PPTP)
3.3.2 Layer 2 Tunneling Protocol (L2TP)
3.3.3 L2TP/IPsec
3.3.4 PPTP Compared to L2TP/IPsec

CHAPTER 4 MULTI PROTOCOL LABEL SWITCHING (MPLS) AND VPNs
4.1 Introduction to MPLS
4.2 MPLS Concepts and Components
4.2.1 Forwarding Equivalence Class (FEC)
4.2.2 MPLS Label
4.2.3 Label Switch Router (LSR)
4.2.4 Label Edge Router (LER)
4.2.5 Label Switched Path (LSP)
4.2.6 Label Distribution Protocol
4.2.7 Label Information Base (LIB)
4.2.8 Label Forwarding Information Base (LFIB)
4.3 MPLS Operation
4.4 Routing in MPLS
4.4.1 Hop-by-Hop Routing
4.4.2 Explicit Routing
4.5 MPLS Based Virtual Private Networks (MPLS VPNs)
4.6 Virtual Router (VR) Concept in MPLS VPN
4.6.1 VR VPN Implementation
4.6.2 VPN Auto-Discovery
4.7 Application of MPLS
4.8 MPLS and L2TPv3
4.8.1 Layer 2 Tunneling Protocol version 3 (L2TPv3)
4.8.2 MPLS-over-L2TPv3

CHAPTER 5 BGP/MPLS VPN NETWORKS
5.1 Implementation of the Virtual Router Concept
5.1.1 VPN Routing and Forwarding Tables (VRFs)
5.1.2 Route Distinguisher (RD)
5.2 Network Architecture
5.3 Operation and Illustration of a BGP/MPLS VPN
5.3.1 VPN Route Distribution in Control Plane
5.3.2 VPN Data Forwarding in Data Plane

CHAPTER 6 WIRELESS LAST MILE REMOTE SITE CONNECTIVITY
6.1 Introduction
6.2 Remote Site Connectivity
6.3 Radios
6.3.1 Airspan
6.3.2 Radwin
6.3.3 Firepro

CHAPTER 7 REMOTE NETWORK MONITORING AND TROUBLESHOOTING
7.1 Simple Network Management Protocol (SNMP)
7.1.1 SNMP Messages
7.2 Role of L1 Member in NOC
7.3 Tools
7.3.1 Telnet Client
7.3.2 Host Monitor
7.3.3 WipManage
7.3.4 Multi Router Traffic Grapher (MRTG)
7.3.5 Paessler Router Traffic Grapher (PRTG)
7.3.6 Virtual NOC (VNOC)

CHAPTER 8 CLIENT CASE STUDIES
8.1 Reliance L2 Circuits
8.1.1 Working
8.1.2 Troubleshooting
8.2 Indiabulls
8.2.1 Working
8.2.2 Troubleshooting

CHAPTER 9 DISCUSSION AND FUTURE SCOPE
9.1 Discussion
9.2 Future Scope and Improvements
9.3 Conclusion

LIST OF FIGURES

Figure 1.1 Tulip Network Architecture
Figure 2.1 VPN Defined
Figure 2.2 Customer and Provider Network Devices
Figure 2.3 Remote Access and Site to Site VPNs
Figure 2.4 VPN Overlay and Peer Model
Figure 2.5 Approaches to VPN
Figure 2.6 VPN Enabling Protocols and Technologies
Figure 3.1 Tunneling
Figure 3.2 AH in Transport Mode
Figure 3.3 ESP in Tunnel Mode
Figure 3.4 GRE Encapsulated Packet Format
Figure 3.5 GRE-IPsec Tunnel Application
Figure 3.6 Structure of a PPTP Packet Containing User Data
Figure 3.7 Structure of an L2TP Packet Containing User Data
Figure 3.8 Encryption of an L2TP Packet with IPsec ESP
Figure 4.1 An MPLS Network
Figure 4.2 MPLS Label Format
Figure 4.3 Structure of an LSR
Figure 4.4 Structure of an MPLS Packet
Figure 4.5 Packet Transfer using MPLS
Figure 4.6 VR VPN Reference Model
Figure 4.7 VR VPN with Direct Connectivity between VRs
Figure 4.8 VR VPN with a Backbone VR
Figure 4.9 L2TPv3 Packet Transfer Mechanism
Figure 4.10 MPLS-over-L2TPv3 Encapsulation
Figure 5.1 Layered View of a BGP/MPLS VPN
Figure 5.2 Network Architecture of a BGP/MPLS Network
Figure 5.3 BGP/MPLS VPN Routing and Forwarding Tables (VRFs)
Figure 5.4 PE-to-PE Pre-establishment of iBGP Sessions and LSPs
Figure 5.5 CE to PE Route Distribution
Figure 5.6 PE to PE Route Distribution
Figure 5.7 PE to CE Route Distribution
Figure 5.8 Data Forwarding across the Backbone
Figure 6.1 A Typical Wireless Last Mile Remote Site Connectivity
Figure 6.2 Airspan BSR
Figure 6.3 Airspan SPR
Figure 7.1 Manager-Agent Model used in SNMP
Figure 7.2 Hierarchy Followed for Link Troubleshooting
Figure 7.3 Host Monitor Interface
Figure 7.4 WipManage Interface
Figure 7.5 SPR BER Performance Monitoring
Figure 7.6 SPR RSSI Performance Monitoring
Figure 7.7 PRTG Graph Showing Bandwidth Utilization
Figure 7.8 Proactive Monitoring and Fault Logging by VNOC
Figure 8.1 Reliance L2 Network Connectivity with Fiber Interconnect
Figure 8.2 Reliance L2 Network Connectivity with RF Interconnect
Figure 8.3 Basic Indiabulls VPN Network Connectivity Layout

CHAPTER 1 ABOUT TULIP TELECOM

1.1 COMPANY PROFILE

Tulip Telecom Limited is a data telecom service and IT solutions provider that offers innovative IP based infrastructural solutions to its customers. Tulip is India's largest MPLS VPN player and has been the front-runner in provisioning and managing multi-location wide area networks for various industry verticals. Tulip is a public limited company and is listed on the Bombay Stock Exchange and the National Stock Exchange in India. Tulip provides network integration (NI), corporate data connectivity (MPLS VPNs and Internet) within and outside India, infrastructure management services and IT consulting services to enterprises. Tulip, today, is the only service provider in its domain that provides customers with end-to-end connectivity services including network integration, bandwidth as well as managed services.

1.2 COMPANY OBJECTIVES

Provide end to end managed data services, including data connectivity, equipment and managed network services, to meet all data connectivity requirements of customers.
Be the trusted advisor of the customers for all their data connectivity & networking needs.
Grow the business rapidly while maintaining the highest quality of service.
Impact the rural economy by providing connectivity right up to the last village.

1.3 INFRASTRUCTURE

Tulip's IP/MPLS network is a carrier grade infrastructure built using state-of-the-art networking equipment. It is the only network in the country offering MPLS VPN services at over 1100 locations. The entire network is connected over a high speed fiber backbone and offers multiple access technology options including wireless in the last mile. This unique approach allows customers to get connected quickly and easily with very short lead times, eliminating many of the hindrances encountered in traditional copper-based last mile connectivity provided by incumbent service providers. Tulip also offers customer premises connectivity over fiber for high speed bandwidth applications. Tulip's IP/MPLS network is designed with a 'no-single-point-of-failure' architecture. All critical equipment and links are deployed in redundant mode.

The entire Tulip Network Infrastructure is designed to ensure the following:

Highest redundancy levels to ensure no single point of failure.
Highest levels of scalability to handle both geographic expansion and bandwidth growth.
Flexibility in solution design, implementation and expansion through the use of multiple technologies.
End-to-end assured network security.
End-to-end assured quality of service.

1.4 NETWORK ARCHITECTURE

Tulip's IP/MPLS network is a hierarchical network designed for high performance and scalability. It follows a three-tier model with Core, Aggregation and Access layers.

1.4.1 The Core & Aggregation Network

The Core network of Tulip consists of high speed interconnects between the twelve major cities in India. All these cities are dual-homed to high-capacity core routers at Delhi and Mumbai. The core routers are capable of processing up to 120 Gbps of data traffic. Tulip's network has twelve centers for traffic aggregation, each of which is dual-homed to the core routers over STM-1/DS3 capacity links. The links are in redundant mode and follow independent fiber routes between the POPs. Besides, each of the twelve aggregation points has dual aggregation routers for an additional level of redundancy.

Fig. 1.1 Tulip Network Architecture

1.4.2 The Customer Access Network

The most critical aspect of a network is the access link to the customer, or what is called the "last mile" connectivity. With the explosion in requirements for data connectivity, the last mile invariably turns out to be the weakest link in the entire network. To address this, Tulip has built infrastructure to address all types of customer locations and terrains. Tulip offers multiple modes of last mile connectivity including leased lines, fiber and wireless. Tulip is the only service provider to have deployed a large scale wireless network nationwide, with thousands of wireless links in operation today. Advanced wireless technologies are innovatively being used to reach out to the remotest customers.

1.5 NETWORK MANAGEMENT

Besides creating one of the most advanced service provider networks in India, Tulip has significantly invested in setting up the best customer support infrastructure to manage and maintain the vast network. Tulip operates a nationwide 24x7 customer support network to ensure round the clock operations for all customers. Tulip has full-fledged Network Operations Centers (NOCs) in Delhi and Mumbai for centralized network monitoring and management. Besides, Tulip also has regional NOCs in all major cities to allow quick resolution of customer problems. The NOCs use sophisticated network monitoring tools to proactively detect, diagnose and resolve network problems.

1.6 SERVICES OFFERED

A vast portfolio of services is enabled on the carrier-grade Tulip network, using the latest state-of-the-art technology and solutions.

Layer 3 MPLS VPN: Fully managed hub-and-spoke and full-mesh VPN for secure and flexible any-to-any connectivity. MPLS VPNs allow connecting virtually any type of customer network seamlessly across different locations.

Layer 2 MPLS VPN: MPLS based Virtual Leased Line solutions with flexible bandwidth configurations. Multiple Layer 2 technologies are supported including Ethernet, PPP, Frame Relay and ATM.

IP VPN Services: Secure point-to-point and multipoint IP connectivity using IPsec and GRE tunneling.

Internet Access Services: High speed internet access at any of 800 locations in India.

Managed Security Services: Network-wide protection from attacks and intrusions through centralized and distributed managed firewalls.

Dial Backup Services: In case of primary link failure, last mile back-up connectivity using ISDN is available for customers.

Video Conferencing: Point-to-point and multi-point video conferencing.

Multicast VPN: Multicast traffic carriage within VPNs.

Data Center Solutions: Tulip offers co-location and hosting services in its state-of-the-art Tier 3 Data Center facilities in Delhi, Mumbai and two other cities.

CHAPTER 2 VIRTUAL PRIVATE NETWORK (VPN)

2.1 INTRODUCTION

A virtual private network (VPN) is a private communications network often used within a company, or by several companies or organizations, to communicate confidentially over a publicly accessible network. VPN message traffic can be carried over a shared public networking infrastructure (e.g. the Internet) on top of standard protocols, or over a service provider's private network with a defined Service Level Agreement (SLA) between the VPN customer and the VPN service provider, thus emulating the characteristics of an IP-based private network at a much lower cost.

Fig. 2.1 VPN Defined

2.2 NEED FOR VPN

Extend geographic connectivity
Improve security
Reduce operational costs versus a traditional WAN
Reduce transit time and transportation costs for remote users
Simplify network topology
Provide global networking opportunities
Provide broadband networking compatibility

2.3 BASIC VPN REQUIREMENTS

Security: Because sensitive and mission critical company data must travel across an extremely insecure network, such as the Internet, user data security features (confidentiality, integrity, authentication and replay attack prevention) are the top-most requirement.

Support of overlapping IP addresses: A layer 3 VPN service shall support overlapping customer addresses, as IP addresses must be unique only within the set of sites reachable from the VPNs of which a particular site is a member; they may be non-unique across different customers' VPNs.

Constrained distribution of data and routing information: A means to constrain, or isolate, the distribution of routing information to only those VPN sites which are determined by customer routing and/or configuration must be provided. The VPN solution must ensure that traffic is exchanged only with those sites that are in the same VPN.

Performance: Encryption, which is a very important aspect of VPNs, is a CPU-intensive operation. Therefore, it is necessary to select devices capable of performing tasks such as data encryption quickly and efficiently.

Network management: It should be possible to configure, manage, and troubleshoot VPN-related problems from one location or application.

Policy management: To ensure high performance, high availability, and guaranteed QoS.

2.4 VPN DEVICES AND TERMINOLOGY

The VPN devices are categorized as:

Customer
Customer network (C-Network): the part of the network under customer control.
Customer (C) devices: C devices are simply devices such as routers and switches located within the customer network. These devices do not have direct connectivity to the service provider network.
Customer Edge (CE) devices: CE devices are located at the edge of the customer network and connect to the provider network (via Provider Edge [PE] devices). This device is usually a router and is normally referred to as the CE router.

Provider
Provider network (P-Network): the service provider infrastructure that is used to provide VPN services.
Provider (P) device: the device in the P-Network with no customer connectivity and without any "knowledge" of the VPN. This device is usually a router.
Provider Edge (PE) device: the device in the P-Network to which the CE devices are connected. This device is usually a router and is often referred to as the PE router.

Fig. 2.2 Customer and Provider Network Devices

2.5 VPN CONFIGURATIONS

Remote Access VPNs

Remote access VPNs allow remote users (home users or mobile users) to access an organization's resources remotely. A mobile user can make a local call to their Internet service provider (ISP) to access the corporate network wherever they may be.

Site to Site VPNs

Site-to-site VPNs are deployed for interconnecting geographically dispersed corporate sites. Site-to-site VPNs are an extension of legacy WAN networks. There are two types of site-to-site VPN:

Intranet VPNs: Allow connectivity between sites of a single organization.
Extranet VPNs: Allow connectivity between organizations such as business partners, or a business and its customers.

Fig. 2.3 Remote Access and Site to Site VPNs

2.6 VPN MODELS

VPNs are modeled as Overlay VPNs or Peer-to-Peer VPNs.

2.6.1 Overlay VPN Model

In an overlay VPN model, a Virtual Circuit (VC) or tunnel connects CE devices. IP routing adjacency occurs directly between CEs (thus creating a sort of virtual backbone over the Service Provider network). The PE devices are unaware of the customer network address space and do not route customer traffic based on customer network addressing, but forward customer traffic based on globally unique addressing. The service provider has no knowledge of the customer routes and is simply responsible for providing point-to-point transport of data between the customer sites. The CE can be connected to the Service Provider network (to some PE) via various forms of adjacency, ranging from layer 1 to layer 3.

This form of VPN is also referred to as a CE-based VPN, since the VPN logic is concentrated at the CEs and the PEs are unaware of the VPN.

2.6.2 Peer-to-Peer VPN Model

In a peer VPN model, PE devices are aware of customer network addressing and route customer data traffic according to customer network addressing. Both provider and customer networks use the same network protocol and all the customer routes are carried within the core network (service provider network). Customer traffic is (usually) forwarded between PE devices over VPN tunnels. A CE is the routing peer of a PE and does NOT have any routing adjacency with other CEs. As a result, it gains IP connectivity with the other sites via this PE router. Because the service provider now participates in customer routing, in the classic shared-router peer model provider-assigned or public address space needs to be deployed at the customer's network; the BGP/MPLS VPNs of Chapter 5 keep a separate routing table per customer (the VRF) and so remain PE-based while still allowing overlapping private addresses.

This form of VPN is also referred to as a PE-based VPN, since the VPN logic is concentrated at the PEs. They are also known as Network-Based VPNs (NBVPN).

Fig. 2.4 VPN Overlay and Peer Model (the dotted lines indicate direct routing adjacency)

2.7 APPROACHES TO VPN

Based on the Overlay and Peer VPN models, the various approaches to the deployment of a Virtual Private Network are illustrated below.

Fig. 2.5 Approaches to VPN

2.8 VPN ENABLING PROTOCOLS AND TECHNOLOGIES

The diagram below shows the various VPN enabling technologies and protocols.

Fig. 2.6 VPN Enabling Protocols and Technologies

CHAPTER 3 TUNNEL BASED VPNs

Most VPNs rely on tunneling to create a private network that reaches across the Internet or a service provider network.

3.1 TUNNELING

Tunneling is a method of using an internetwork infrastructure to transfer data for one network over another network. The data to be transferred (the payload) can be the frames (or packets) of another protocol. Instead of sending a frame as it is produced by the originating node, the tunneling protocol encapsulates the frame in an additional header. The additional header provides routing information so that the encapsulated payload can traverse the intermediate (sometimes incompatible) internetwork.

The encapsulated packets are then routed between tunnel endpoints over the internetwork. The logical path through which the encapsulated packets travel through the internetwork is called a tunnel. Once the encapsulated frames reach their destination on the internetwork, the frame is decapsulated and forwarded to its final destination. Tunneling includes this entire process (encapsulation, transmission, and decapsulation of packets). Tunneling by itself only provides encapsulation: it hides the payload protocol and addressing from the transit network, but it does not protect the payload from anyone who can observe or inject packets on the path. Tunneling protocols are therefore usually combined with encryption and authentication (as with IPsec, covered next) when insecure payload protocols are carried over a public network to provide VPN functionality.

Fig. 3.1 Tunneling

VPNs using tunneling technology can be based on either a Layer 2 or a Layer 3 tunneling protocol, or a combination of both.

3.2 LAYER 3 TUNNELING PROTOCOLS

Layer 3 protocols correspond to the network layer and use packets as their unit of exchange.

3.2.1 IP Security (IPsec)

IPsec (IP Security) is a standardized framework for securing Internet Protocol (IP) communications by encrypting and/or authenticating, and providing integrity for, each IP packet in a data stream traveling to and from the network. There are two modes of IPsec operation:

Transport Mode: In transport mode only the payload of the IP packet is protected (encrypted and/or authenticated); the original IP header is sent as plain text, so the packet remains fully routable. Transport mode is used for host-to-host communication.

Tunnel Mode: In tunnel mode the entire original IP packet, header included, is protected and then encapsulated in a new IP packet whose outer header carries the addresses of the tunnel endpoints, so that routing across the transit network works. Tunnel mode is used for network-to-network communications (secure tunnels between routers). Since encryption and encapsulation are done by the routers/gateways, end systems need not support IPsec.

The IPsec VPN is based on secure tunnel establishment between two peers.

The protocols used for securing traffic in IPsec are AH and ESP.

Authentication Header (AH)

Authentication Header (AH) is intended to guarantee connectionless integrity and data origin authentication of IP datagrams. It does not encrypt the packet; instead the sender computes an Integrity Check Value (a keyed hash such as an HMAC over the packet, using a key shared by the two peers), carries it in the AH header, and the receiver recomputes it to ensure that nothing has been modified in transit. Further, AH can optionally protect against replay attacks by means of a sequence number and a sliding window, discarding packets that are too old or have already been seen. AH protects the IP payload and all header fields of an IP datagram except for the mutable fields, i.e. those that may legitimately be altered in transit (such as the TTL and the header checksum), which are treated as zero when the ICV is computed. AH operates directly on top of IP (IP protocol number 51).

An AH packet diagram in transport mode is shown in figure 3.2. The IP packet is modified only slightly to include the new AH header between the IP header and the protocol payload (TCP, UDP, etc.), and there is a shuffling of the protocol code that links the various headers together: the IP header's protocol field becomes 51 and the AH header's Next Header field carries the original value. This shuffling is required to allow the original IP packet to be reconstituted at the other end. At the receiving end, once the IPsec headers have been validated, they are stripped off and the original protocol type (TCP, UDP, etc.) is stored back in the IP header.

Fig. 3.2 AH in Transport Mode

Encapsulating Security Payload (ESP)

The Encapsulating Security Payload (ESP) header provides origin authenticity, integrity, and confidentiality of a packet. It works by encrypting the packet payload (in tunnel mode, the whole inner IP packet) and, when authentication is enabled, appending an integrity check value computed over the ESP header and the encrypted data. ESP also supports encryption-only and authentication-only configurations, but using encryption without authentication is strongly discouraged because it is insecure: unauthenticated ciphertext can be modified without detection, and the receiver's handling of corrupted plaintext can be turned into a decryption oracle. Unlike AH, the IP packet header is not protected by ESP. (Although in tunnel mode ESP, protection is afforded to the whole inner IP packet, including the inner header, the outer header remains unprotected.) ESP operates directly on top of IP (IP protocol number 50).

Fig. 3.3 ESP in Tunnel Mode
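The AH integrity check and anti-replay window described above, as an added example that is not part of the original report. It builds a transport-mode AH packet, computes the ICV as an HMAC over the datagram with the mutable IPv4 fields zeroed (RFC 4302), and verifies incoming packets through a 64-packet sliding window. The following are assumptions of the example rather than details from the report: HMAC-SHA256 truncated to 128 bits as the integrity algorithm, a constructed shared key, the addresses 10.0.0.1 and 10.0.0.2, SPI 0x1000 and a constructed UDP-like payload; a real deployment negotiates the key and algorithm through IKE.

```python
import hashlib
import hmac
import socket
import struct

AH_PROTO = 51
IP_HLEN = 20
AH_FIXED_LEN = 12        # next header, payload len, reserved, SPI, sequence number
ICV_LEN = 16             # HMAC-SHA256 truncated to 128 bits (assumption for this example)
KEY = b"example-shared-key-not-for-real-use"   # constructed sample key, normally from IKE


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Plain IPv4 header; checksum left zero (it is mutable and excluded from the ICV anyway)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def zero_mutable(packet):
    """Copy of the packet with the mutable IPv4 fields and the ICV itself zeroed,
    which is what AH feeds to the integrity algorithm."""
    p = bytearray(packet)
    p[1] = 0                  # TOS / DSCP
    p[6:8] = b"\x00\x00"      # flags + fragment offset
    p[8] = 0                  # TTL
    p[10:12] = b"\x00\x00"    # header checksum
    icv_off = IP_HLEN + AH_FIXED_LEN
    p[icv_off:icv_off + ICV_LEN] = bytes(ICV_LEN)
    return bytes(p)


def compute_icv(packet):
    return hmac.new(KEY, zero_mutable(packet), hashlib.sha256).digest()[:ICV_LEN]


def build_ah_packet(src, dst, spi, seq, next_header, payload, ttl=64):
    """Transport-mode AH: IP header | AH | original upper-layer payload."""
    total_len = IP_HLEN + AH_FIXED_LEN + ICV_LEN + len(payload)
    payload_len_field = (AH_FIXED_LEN + ICV_LEN) // 4 - 2    # AH length in 32-bit words, minus 2
    ah = struct.pack("!BBHII", next_header, payload_len_field, 0, spi, seq) + bytes(ICV_LEN)
    packet = ipv4_header(src, dst, AH_PROTO, total_len, ttl) + ah + payload
    icv_off = IP_HLEN + AH_FIXED_LEN
    return packet[:icv_off] + compute_icv(packet) + packet[icv_off + ICV_LEN:]


class ReplayWindow:
    """Anti-replay sliding window over AH sequence numbers (RFC 4302 section 3.4.3)."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit i set means sequence number (top - i) was already accepted

    def check_and_update(self, seq):
        if seq == 0:
            return False                          # sequence number 0 is never valid
        if seq > self.top:                        # slide the window forward
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        if self.top - seq >= self.size:
            return False                          # older than the window: drop
        bit = 1 << (self.top - seq)
        if self.bitmap & bit:
            return False                          # already seen: replay
        self.bitmap |= bit
        return True


def verify_ah_packet(packet, window):
    """True only if the ICV matches and the sequence number passes the replay window."""
    if len(packet) < IP_HLEN + AH_FIXED_LEN + ICV_LEN or packet[9] != AH_PROTO:
        return False
    icv_off = IP_HLEN + AH_FIXED_LEN
    received_icv = packet[icv_off:icv_off + ICV_LEN]
    if not hmac.compare_digest(received_icv, compute_icv(packet)):
        return False
    seq = struct.unpack("!I", packet[IP_HLEN + 8:IP_HLEN + 12])[0]
    return window.check_and_update(seq)


def demo():
    """Constructed scenario: a TTL decrement by a router still verifies, a flipped payload
    bit does not, and the same packet presented twice is rejected as a replay."""
    payload = b"\x04\xd2\x00\x35\x00\x14\x00\x00hello"      # constructed UDP-like bytes
    pkt = build_ah_packet("10.0.0.1", "10.0.0.2", spi=0x1000, seq=1,
                          next_header=17, payload=payload)
    window = ReplayWindow()
    ok_original = verify_ah_packet(pkt, window)

    routed = bytearray(pkt)
    routed[8] -= 1                                           # a router decremented the TTL
    ok_after_ttl = verify_ah_packet(bytes(routed), ReplayWindow())

    tampered = bytearray(pkt)
    tampered[-1] ^= 0x01                                     # one payload bit flipped in transit
    ok_after_tamper = verify_ah_packet(bytes(tampered), ReplayWindow())

    replay_rejected = not verify_ah_packet(pkt, window)      # same sequence number, same window
    return ok_original, ok_after_ttl, ok_after_tamper, replay_rejected
```

The point of zeroing the mutable fields is visible in demo(): the TTL change made by every router on the path leaves the ICV valid, whereas any change to a covered field or the payload fails verification, and the replay window catches a captured packet being re-sent even though its ICV is perfectly good.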

3.2.2 Generic Routing Encapsulation (GRE)

Generic Routing Encapsulation (GRE) is a protocol designed for encapsulating one network layer protocol (IP or IPX) over another network layer protocol (for example, IP). It is used to carry IP packets with private addresses over the service provider network using delivery packets with public IP addresses. In this case the delivery and payload protocols are compatible, but the payload addresses are incompatible with those of the delivery network. GRE tunnels were designed to be stateless, i.e. the tunnel end-points do not monitor the state or availability of other tunnel end-points. This feature helps service providers support IP tunnels for clients who do not know the service provider's internal tunneling architecture, and it gives clients the flexibility of reconfiguring their IP architectures without worrying about connectivity.

Fig. 3.4 GRE Encapsulated Packet Format
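The GRE header of Fig. 3.4 with its optional Checksum and Key fields, as an added example that is not part of the original report. It implements the sender-side and receiver-side handling of those two fields (RFC 2784 and RFC 2890) and then shows their limit: the key is carried in clear text, so an observer who captures one packet can build a packet the receiver accepts. The tunnel key 0x1337, the second key 0x4242 and the inner IPv4 bytes are constructed values for the example.

```python
import struct

GRE_C = 0x8000            # Checksum Present
GRE_K = 0x2000            # Key Present
GRE_S = 0x1000            # Sequence Number Present
ETHERTYPE_IPV4 = 0x0800


def internet_checksum(data):
    """RFC 1071 ones'-complement checksum, the algorithm the GRE Checksum field uses."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_gre(payload, key=None, checksum=True, proto=ETHERTYPE_IPV4):
    """Sender: flags/version, protocol type, optional Checksum + Reserved1, optional Key."""
    flags = (GRE_C if checksum else 0) | (GRE_K if key is not None else 0)
    header = struct.pack("!HH", flags, proto)
    if checksum:
        header += struct.pack("!HH", 0, 0)            # checksum filled in below, Reserved1 = 0
    if key is not None:
        header += struct.pack("!I", key)
    if checksum:
        csum = internet_checksum(header + payload)    # over GRE header and payload, field zeroed
        header = header[:4] + struct.pack("!H", csum) + header[6:]
    return header + payload


def parse_gre(packet):
    """Split a GRE packet into (flags, proto, key, checksum, payload) without judging it."""
    flags, proto = struct.unpack("!HH", packet[:4])
    off, csum, key = 4, None, None
    if flags & GRE_C:
        csum = struct.unpack("!H", packet[off:off + 2])[0]
        off += 4                                      # Checksum + Reserved1
    if flags & GRE_K:
        key = struct.unpack("!I", packet[off:off + 4])[0]
        off += 4
    if flags & GRE_S:
        off += 4
    return flags, proto, key, csum, packet[off:]


def receive(packet, expected_key):
    """Receiver: the checks the text describes. Returns 'accepted' or the reason for the drop."""
    flags, proto, key, csum, payload = parse_gre(packet)
    if csum is not None:
        zeroed = packet[:4] + b"\x00\x00" + packet[6:]
        if internet_checksum(zeroed) != csum:
            return "checksum mismatch"
    if key != expected_key:                           # a keyed tunnel also drops unkeyed packets
        return "key mismatch"
    return "accepted"


def demo():
    """Constructed scenario on a tunnel configured with key 0x1337."""
    inner = b"\x45\x00\x00\x14" + b"\x00" * 16        # constructed 20-byte IPv4 header, no data
    good = build_gre(inner, key=0x1337)

    corrupted = bytearray(good)
    corrupted[-1] ^= 0x01                             # one bit damaged in transit

    wrong_key = build_gre(inner, key=0x4242)          # a misconfigured peer

    # An observer on the path reads the key straight out of a captured packet and reuses it.
    observed_key = parse_gre(good)[2]
    forged = build_gre(b"\x45\x00\x00\x14" + b"\xff" * 16, key=observed_key)

    return (receive(good, 0x1337),
            receive(bytes(corrupted), 0x1337),
            receive(wrong_key, 0x1337),
            receive(forged, 0x1337),
            hex(observed_key))
```

demo() returns "accepted" for the genuine packet, "checksum mismatch" for the damaged one and "key mismatch" for the peer using the wrong key, but also "accepted" for the forged packet, because the key the forger used was read in clear from the wire. That is the practical meaning of the GRE Tunnel Security discussion that follows: the key and checksum catch misconfiguration and transmission errors, not an attacker.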

A GRE tunnel creates a virtual point-to-point link between routers at the end points on an IP internetwork.

GRE Tunnel Security

For the purpose of tunnel security, GRE provides two options: a tunnel interface key and an end-to-end checksum. If the Key Present bit of a GRE packet header is set to 1, the Key field carries the key that the receiver uses to check the source of the packet. This key must be the same at both ends of a tunnel; otherwise, packets delivered over the tunnel will be discarded. If the Checksum Present bit of a GRE packet header is set to 1, the Checksum field contains valid information. The sender calculates the checksum over the GRE header and the payload and sends the packet containing the checksum to the peer. The receiver calculates the checksum for the received packet and compares it with that carried in the packet. If the checksums are the same, the receiver considers the packet intact and continues to process it; otherwise, the receiver discards the packet.

Neither option is a security mechanism in the cryptographic sense. The key is carried in clear text in every packet, so anyone who can observe the tunnel can read it and inject matching packets, and the checksum is an unkeyed ones'-complement sum that detects accidental corruption only. They protect against misconfiguration and transmission errors; confidentiality and authentication of the tunneled traffic require IPsec, which is why GRE is usually run over IPsec as described next.

3.2.3 GRE-IPsec Tunnel

Aig% 4%! :;+9IP*e# tunnel a((li#ationIAu

A :;+9IP*e# tunnel allows data (a#/ets li/e routing (roto#ol6 voi#e6 and video (a#/ets to be first en#a(sulated by :;+ and then en#ry(ted by IP*e#6 (roviding a very se#ure 7P8 #onne#tivity% <'< )AYER 2 T+NNE)ING PROTOCO)!

)ayer 2 (roto#ols #orres(ond to the data9lin/ layer and use frames as their unit of e5#hange% <'<'1 Poi%t-to-Poi%t Tu%%e(i%& protoco( 0PPTP5

PP'P is a )ayer 2 (roto#ol that en#a(sulates PPP frames in IP datagrams for transmission over an IP internetwor/ based% PP'P #an be used for remote a##ess and router9to9router 7P8 #onne#tions%

PP'P uses a 'CP #onne#tion for tunnel maintenan#e and a modified version of :eneri# ;outing +n#a(sulation (:;+) to en#a(sulate PPP frames for tunneled data% 'he (ayloads of the en#a(sulated PPP frames #an be en#ry(ted andDor #om(ressed%

Aig% 4%B *tru#ture of a PP'P (a#/et #ontaining user data <'<'2 )$-er 2 Tu%%e(i%& Protoco( 0)2TP5

)2'P a#ts li/e a data lin/ layer (roto#ol for tunneling networ/ traffi# between two (eers over an e5isting networ/% It is a #ombination of PP'P and )ayer 2 Aorwarding ()2A)% )2'P en#a(sulates PPP frames to be sent over IP6 N%2!6 Arame ;elay6 or Asyn#hronous 'ransfer Mode (A'M) networ/s% >hen #onfigured to use IP as its datagram trans(ort6 )2'P #an be used as a tunneling (roto#ol over the Internet% )2'P over IP internetwor/s uses UDP and a series of )2'P messages for tunnel maintenan#e% )2'P also uses UDP to send )2'P9en#a(sulated PPP frames as the tunneled data% 'he (ayloads of en#a(sulated PPP frames #an be en#ry(ted andDor #om(ressed% )2'P (rovides reliability features for the #ontrol (a#/ets6 but no reliability for data (a#/ets

Aig% 4%" *tru#ture of an )2'P (a#/et #ontaining user data <'<'< )2TP=IP!ec

)2'P relies on Internet Proto#ol se#urity (IP*e#) for en#ry(tion servi#es% 'he #ombination of )2'P and IP*e# is /nown as )2'PDIP*e#% )2'PDIP*e# (rovides the (rimary virtual (rivate networ/ (7P8) servi#es of en#a(sulation and en#ry(tion of (rivate data% E%c$psu($tio% A PPP frame (an IP datagram) is wra((ed with an )2'P header and a UDP header% 'he resulting )2'P message is then wra((ed with an IP*e# +n#a(sulating *e#urity Payload (+*P) header and trailer6 an IP*e# Authenti#ation trailer that (rovides message integrity and authenti#ation6 and a final IP header% In the IP header is the sour#e and destination IP address that #orres(onds to the 7P8 #lient and 7P8 server

Aig% 4%C +n#ry(tion of an )2'P (a#/et with IP*e# +*P <'<'3 PPTP Comp$re to )2TP=IP!ec

@oth PP'P and )2'PDIP*e# use PPP to (rovide an initial envelo(e for the data6 and then a((end additional headers for trans(ort through the internetwor/% $owever6 there are the following differen#esH

>ith PP'P6 data en#ry(tion begins after the PPP #onne#tion (ro#ess (and6 therefore6 PPP authenti#ation) is #om(leted% >ith )2'PDIP*e#6 data en#ry(tion begins before the PPP #onne#tion (ro#ess by negotiating an IP*e# se#urity asso#iation%

PPTP connections require only user-level authentication through a PPP-based authentication protocol. L2TP/IPSec connections require the same user-level authentication and, in addition, computer-level authentication using computer certificates.

CHAPTER 4 MULTI PROTOCOL LABEL SWITCHING (MPLS) AND VPNs


4.1 INTRODUCTION TO MPLS

Multi Protocol Label Switching (MPLS) is a data-carrying mechanism that belongs to the family of packet-switched networks. MPLS operates at an OSI Model layer that is generally considered to lie between traditional definitions of Layer 2 (Data Link Layer) and Layer 3 (Network Layer), and thus is often referred to as a "Layer 2.5" protocol. It was designed to provide a unified data-carrying service for both circuit-based clients and packet-switching clients which provide a datagram service model. It can be used to carry many different kinds of traffic, including IP.

Fig. 4.1 An MPLS Network

4.2 MPLS CONCEPTS AND COMPONENTS

4.2.1 Forwarding Equivalence Class (FEC)

It is a term used in Multiprotocol Label Switching (MPLS) to describe a set of packets with similar and/or identical characteristics which may be forwarded the same way, i.e. they may be bound to the same MPLS label. The classification of FECs is very flexible. It can be based on any combination of source address, destination address, source port, destination port, protocol type and VPN or service requirements for a packet, such as low latency. A Forward Equivalence Class tends to correspond to a label switched path (LSP). The reverse is not true, however: an LSP may be (and usually is) used for multiple FECs. The set of packets in an FEC are forwarded to the same next hop, out the same interface and with the same treatment (such as queuing).

4.2.2 MPLS Label

A label is a short fixed-length identifier for identifying a FEC. A FEC may correspond to multiple labels in scenarios where, for example, load sharing is required, while a label can only represent a single FEC. A label is carried in the header of a packet. It does not contain any topology information and is locally significant. A label is four octets, or 32 bits, in length.

Fig. 4.2 MPLS Label Format

Each label entry contains four fields:

A 20-bit label value.
A 3-bit field for QoS (Quality of Service) priority (experimental).
A 1-bit bottom of stack flag. If this is set, it signifies that the current label is the last in the stack.
An 8-bit TTL (time to live) field.
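The four fields above pack into one 4-octet entry, and a packet may carry several such entries (a label stack, see section 4.3). The following encoder and parser are an added example, not code from the report; the sample stack uses the label values 12 and 2001 from the chapter 5 case study and a constructed four-byte payload.

```python
import struct

# One MPLS label stack entry: 20-bit label, 3-bit EXP (QoS), 1-bit S (bottom
# of stack), 8-bit TTL, transmitted as a 4-octet big-endian word.
IMPLICIT_NULL = 3   # reserved label value used for penultimate-hop popping


def encode_entry(label, exp, bottom, ttl):
    """Pack one 4-octet label stack entry; reject values that do not fit."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label must fit in 20 bits")
    if not 0 <= exp < 8 or not 0 <= ttl < 256:
        raise ValueError("exp must fit in 3 bits and ttl in 8 bits")
    word = (label << 12) | (exp << 9) | (int(bottom) << 8) | ttl
    return struct.pack("!I", word)


def encode_stack(labels, exp=0, ttl=255):
    """Encode an outer-to-inner list of labels; S is set only on the last one."""
    last = len(labels) - 1
    return b"".join(encode_entry(lbl, exp, i == last, ttl)
                    for i, lbl in enumerate(labels))


def parse_stack(data):
    """Parse entries until the bottom-of-stack bit is seen.

    Returns (entries, payload). A stack whose S bit never appears is treated
    as truncated and rejected rather than read past the buffer.
    """
    entries, offset = [], 0
    while True:
        if offset + 4 > len(data):
            raise ValueError("truncated label stack: no bottom-of-stack bit seen")
        (word,) = struct.unpack_from("!I", data, offset)
        entry = {
            "label": word >> 12,
            "exp": (word >> 9) & 0x7,
            "bottom": bool((word >> 8) & 0x1),
            "ttl": word & 0xFF,
        }
        entries.append(entry)
        offset += 4
        if entry["bottom"]:
            return entries, data[offset:]


# Constructed sample: outer LSP label 12, inner VPN label 2001 (values taken
# from the chapter 5 case study), EXP 5, TTL 64, then a dummy IPv4 payload.
SAMPLE = encode_stack([12, 2001], exp=5, ttl=64) + b"\x45\x00\x00\x14"
```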

4.2.3 Label Switch Router (LSR)

A Label Switch Router (LSR) is a type of router located in the middle of a Multiprotocol Label Switching (MPLS) network. It is responsible for switching the labels used to route packets. When an LSR receives a packet, it uses the label included in the packet header as an index to determine the next hop on the Label Switched Path (LSP) and a corresponding label for the packet from a look-up table. The old label is then removed from the header and replaced with the new label before the packet is routed forward. An LSR consists of a Control plane, which implements label distribution and routing, establishes the LFIB, and builds and tears down LSPs, and a Forwarding plane, which forwards packets according to the LFIB.

Fig. 4.3 Structure of a LSR

An LER forwards both labeled packets and IP packets on the forwarding plane and therefore uses both the LFIB and the FIB. An ordinary LSR only needs to forward labeled packets and therefore uses only the LFIB.

4.2.4 Label Edge Router (LER)

A Label Edge Router is a LSR at the edge of an MPLS Network. When forwarding IP datagrams into the MPLS domain, it uses routing information to determine appropriate labels to be affixed, labels the packet accordingly, and then forwards the labeled packets into the MPLS domain. Likewise, upon receiving a labeled packet which is destined to exit the MPLS domain, the Edge LSR strips off the label and forwards the resulting IP packet using normal IP forwarding rules. The router which first prefixes the MPLS header to a packet is called an ingress router. The last router in an LSP, which pops the label from the packet, is called an egress router.

4.2.5 Label Switched Path (LSP)

Label switched path (LSP) means the path along which a FEC travels through an MPLS network and is set up by a signaling protocol such as LDP. The path is set up based on criteria in the forwarding equivalence class (FEC). An LSP is a unidirectional path from the ingress of the MPLS network to the egress. It functions like a virtual circuit in ATM or frame relay. Each node of an LSP is an LSR. Along an LSP, two neighboring LSRs are called upstream LSR and downstream LSR respectively. Because the forwarding of packets through an LSP is opaque to higher network layers, an LSP is also sometimes referred to as an MPLS tunnel.

4.2.6 Label Distribution Protocol (LDP)

Label Distribution Protocol (LDP) is a protocol for the purpose of distributing labels in an MPLS environment. It classifies FECs, distributes labels, and establishes and maintains LSPs. Using LDP, two Label Switch Routers (LSRs) exchange label mapping information. The two LSRs are called LDP peers and the exchange of information is bi-directional. LDP is used to build and maintain LSR databases that are used to forward traffic through MPLS networks.

4.2.7 Label Information Base (LIB)

It is the software table maintained by IP/MPLS capable routers to store the details of the port and the corresponding MPLS outer label to be popped/pushed on incoming/outgoing MPLS packets.

4.2.8 Label Forwarding Information Base (LFIB)

It is a table created by a label switch-capable device (LSR) that indicates where and how to forward frames with specific label values.

4.3 MPLS OPERATION

MPLS works by prefixing packets with an MPLS header, containing one or more "labels". This is called a label stack.

Fig. 4.4 Structure of a MPLS packet

These short, fixed-length labels carry the information that tells each switching node (router) how to process and forward the packets, from source to destination. They have significance only on a local node-to-node connection. As each node forwards the packet, it swaps the current label for the appropriate label to route the packet to the next node. This mechanism enables very-high-speed switching of the packets through the core MPLS network.

Fig. 4.5 Packet transfer using MPLS

The following steps describe the working of MPLS:

1) First, the LDP protocol and the traditional routing protocol (such as OSPF and ISIS) work together on each LSR to establish the routing table and the label information base (LIB) for intended FECs. Label Switch Routers in an MPLS network regularly exchange label and reachability information with each other using standardized procedures in order to build a complete picture of the network they can then use to forward packets.

2) Upon receiving a packet, the ingress LER completes the Layer 3 functions, determines the FEC to which the packet belongs, pushes the MPLS labels onto the packet, and forwards the labeled packet to the next hop along the LSP. Sometimes, the packet presented to the LER may already have a label, so that the new LSR pushes a second label onto the packet.

3) After receiving a packet, each transit LSR switches/forwards these MPLS-labeled packets to the next hop based on the topmost label of the packet and a corresponding lookup in the label forwarding information base (LFIB). This includes the operation of swap, push (impose) or pop (dispose) on the packet's label stack. In a swap operation the label is swapped with a new label, and the packet is forwarded along the path associated with the new label. In a push operation a new label is pushed on top of the existing label, effectively "encapsulating" the packet in another layer of MPLS. This allows hierarchical routing of MPLS packets. Notably, this is used by MPLS VPNs. In a pop operation the label is removed from the packet, which may reveal an inner label below. This process is called "decapsulation". None of the transit LSRs performs Layer 3 processing.

4) When the egress LER receives the packet, it pops the last MPLS label off the packet and performs IP forwarding based on a routing table lookup.

4.4 ROUTING IN MPLS

MPLS networks establish Label-Switched Paths (LSPs) for data crossing the network. An LSP is defined by a sequence of labels assigned to nodes on the packet's path from source to destination. LSPs direct packets in one of two ways:

4.4.1 Hop-by-Hop Routing

In hop-by-hop routing, each MPLS router independently selects the next hop for a given Forwarding Equivalency Class (FEC). In the case of hop-by-hop routing, MPLS uses the network topology information distributed by traditional Interior Gateway Protocol (IGP) routing protocols such as OSPF. This process is similar to traditional routing in IP networks, and the LSPs follow the routes the IGPs dictate.

In this case the path so followed is known as a hop-by-hop routed tunnel.

4.4.2 Explicit Routing

In explicit routing, the entire list of nodes traversed by the LSP is specified in advance and hence a tunnel is established. The path specified could be optimal or not, but is based on the overall view of the network topology and, potentially, on additional constraints. This is called Constraint-Based Routing. This permits traffic engineering to be deployed in the network to optimize use of bandwidth. In this case the path is called an explicitly routed tunnel.

4.5 MPLS BASED VIRTUAL PRIVATE NETWORKS (MPLS VPNS)

MPLS VPN is a family of methods for harnessing the power of Multiprotocol Label Switching (MPLS) to create Virtual Private Networks (VPNs). The MPLS VPN solution combines the best of both worlds (the overlay and peer VPN models). Here the PE routers participate in C-routing, which allows for easy provisioning and optimum site connections. But the core routers do not need to carry much routing information. Only the PE routers must have some power.

MPLS based VPNs can be categorized as:

Layer 2 MPLS VPN
A layer 2 MPLS VPN, also known as L2VPN, is a point-to-point pseudowire service. It can be used to replace existing physical links. The specification is based on the Martini drafts, which define methods to transport layer 2 packets across MPLS networks, and methods to encapsulate transport protocols such as ATM, Ethernet, and SONET.

Layer 3 MPLS VPN
A layer 3 MPLS VPN, also known as L3VPN, combines enhanced BGP signaling, MPLS traffic isolation and router support for VRFs (Virtual Routing/Forwarding) to create a virtual network. This solution is more scalable and less costly than classic provider-based frame relay or ATM-based networks, or IPsec-based VPNs. The concept of Virtual Routers (VRs) is central to the concept of establishing a Layer 3 VPN.

4.6 VIRTUAL ROUTER (VR) CONCEPT IN MPLS VPN

The virtual router (VR) concept is functionally equivalent to a physical router; it must support exactly the same mechanisms and tools and should appear for all purposes (configuration, management, monitoring and troubleshooting) like a dedicated physical router. Each virtual router has its own separate set of IP interfaces, forwarding table and instances of routing protocols, which guarantee isolation between different VPNs. Any routing protocol can be used, and no modification or extension is needed to the standard routing protocols (e.g. RIP, OSPF, IS-IS, and BGP).

A VR-based VPN can be created by assigning interfaces that are attached to the VPN customer sites and establishing a connection (e.g. ATM VC, Frame Relay DLCI) to another system that also supports customers of the same VPN. Isolation of VPN routing tables enables the overlapping of address spaces by different VPNs. We restrict the establishment of VRs to the network edge and interconnect these VRs through the network core for scalability.

Fig. 4.6 VR VPN Reference model

4.6.1 VR VPN Implementation

A VPN is created by interconnecting VRs located in PE routers through tunnels across the service provider core network. These tunnels may be configured either statically or dynamically. The tunnels between PEs may be configured in several different ways. One of the alternatives is direct connectivity between VRs.

Fig. 4.7 VR VPN with direct connectivity between VRs

An alternative approach is based on the utilization of a single 'backbone VR' to interconnect all the VRs from two PEs. The backbone VR connects each PE to a shared backbone infrastructure, allowing the aggregation of VRs from multiple VPNs and improving the scalability.

Fig. 4.8 VR VPN with a backbone VR

4.6.2 VPN Auto-Discovery

VPN membership information refers to the set of PEs that have customers in a particular VPN. In order to establish VPN-specific connectivity, the VRs belonging to a given VPN, physically located in several PE routers, need to learn about each other. Because a solution based on manual configuration is not scalable, an auto-discovery mechanism is required. Several VPN discovery approaches can be implemented in VR VPNs:

Directory servers (VRs query a server to determine their neighbours)
Configuration through a management platform
Distributing VPN membership and topology information with BGP
Multicast

A single PE may accommodate several different mechanisms for different VPNs. BGP and multicast are currently the most relevant approaches.

4.7 APPLICATION OF MPLS

MPLS enables a single converged network to support both new and legacy services, creating an efficient migration path to an IP-based infrastructure. MPLS operates over both legacy (DS3, SONET) and new infrastructure (10/100/1000/10G Ethernet) and networks (IP, ATM, Frame Relay, Ethernet).

MPLS enables traffic engineering and supports QoS for service differentiation. Explicit traffic routing and engineering help squeeze more data into available bandwidth. Packets can be marked for high quality, enabling providers to maintain a specified low end-to-end latency for voice and video.

The forwarding of the packet is done based on the contents of the labels, which allows "protocol-independent packet forwarding" that does not need to look at a protocol-dependent routing table and avoids the expensive IP longest prefix match at each hop. In an MPLS network the FEC is determined only once, at the ingress to an LSP, rather than at every router hop along the path.

MPLS reduces router processing requirements, since routers simply forward packets based on fixed labels.

MPLS provides the appropriate level of security to make IP as secure as Frame Relay in the WAN, while reducing the need for encryption on public IP networks.

MPLS VPNs scale better than customer-based VPNs since they are provider-network-based, reducing the configuration and management requirements for the customer.

Scalability: MPLS VPNs scale easily to thousands of users and sites since they do not involve site-to-site peering.

Security: MPLS VPNs use a technique called route distinguishers to provide traffic separation between VPNs of different customers. These are assigned automatically when the VPN is provisioned, and are unique for a given customer.

4.8 MPLS and L2TPv3

When there are long distance private lines, the MPLS backbone requires extra work in configuring and managing the protocols that distribute labels. A provider with thousands of PEs would incur a substantial operational burden in carrying and managing all the host routes required by MPLS VPNs. Therefore long distance secure communication can be achieved by establishing and employing IP tunnels (rather than MPLS LSPs) to forward packets across native IP networks in support of MPLS VPN services. This is where solutions like GRE and L2TPv3 come into the picture.

4.8.1 Layer 2 Tunneling Protocol Version 3 (L2TPv3)

Layer 2 Tunneling Protocol Version 3 is a draft version of L2TP that is proposed as an alternative protocol to MPLS for encapsulation of multiprotocol Layer 2 communications traffic over IP networks. Like L2TP, L2TPv3 provides a 'pseudo-wire' service, but scaled to fit carrier requirements. It is a stateless protocol with no inherent signaling or keep-alive mechanism. L2TPv3 is a robust alternative for creating Layer 2 VPNs across MPLS and pure IP backbones. L2TPv3 adds important new features such as increasing the session and tunnel ID space from 16 to 32 bits, which dramatically increases the number of tunnels from 65,000 to more than 4 billion.

Fig. 4.9 L2TPv3 packet transfer mechanism

With L2TPv3, the physical interface connecting to a customer's network becomes the tunnel ingress/egress interface. Consequently, traffic does not need to be routed into the tunnel by the provider's router. As packets arrive at the interface, they are encapsulated and forwarded directly toward the remote tunnel endpoint. Once received and de-encapsulated, the original packet can be forwarded out of the egress interface if the tunnel identifier is recognized by the router. If it isn't, the packet is discarded.

4.8.2 MPLS-over-L2TPv3

Fig. 4.10 MPLS-over-L2TPv3 encapsulation

The encapsulation of an MPLS packet in L2TPv3 comprises:

The 20-byte IP delivery header contains the sending and receiving PE routers' IP addresses.
The session ID is an automatically generated 32-bit number used to define individual services or service contexts on the egress PE router.
The cookie is an automatically generated (optional) 64-bit random number that is associated with each session ID. It allows remote or receiving PE routers to quickly verify that each arriving packet was originated by a valid sending or source PE.
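The receiving-side check described above (unknown session identifier: discard; cookie mismatch: discard) is shown below as an added example, not code from the report. The session table, cookie values and interface names are constructed; the header layout assumed is the one the text describes, a 32-bit session ID followed by the 64-bit cookie, carried after the IP delivery header.

```python
import hmac
import secrets
import struct

COOKIE_LEN = 8   # the page describes the cookie as an optional 64-bit random value

# Constructed session table of a receiving PE: session ID -> (cookie, egress
# interface). Real PEs fill this during session setup; values here are made up.
SESSIONS = {
    0x00001001: (bytes.fromhex("9f3a6c1b44e2d7a0"), "if_cust_red"),
    0x00001002: (bytes.fromhex("0b77c2e8a5d1f933"), "if_cust_green"),
}


def new_cookie():
    """Cookie generation as a sending PE would do it: 64 unpredictable bits."""
    return secrets.token_bytes(COOKIE_LEN)


def encapsulate(session_id, cookie, payload):
    """Build the L2TPv3 data message: 32-bit Session ID, 64-bit Cookie, payload."""
    if not 0 < session_id < (1 << 32):
        raise ValueError("session ID must be a non-zero 32-bit value")
    if len(cookie) != COOKIE_LEN:
        raise ValueError("cookie must be 64 bits")
    return struct.pack("!I", session_id) + cookie + payload


def decapsulate(datagram, sessions=SESSIONS):
    """Validate the header and strip it; returns (egress interface, payload).

    Any failure raises ValueError, which the caller treats as a silent drop:
    runt datagram, session ID not provisioned, or cookie not matching the
    value bound to that session. The cookie comparison is constant-time.
    """
    if len(datagram) < 4 + COOKIE_LEN:
        raise ValueError("drop: runt L2TPv3 datagram")
    (session_id,) = struct.unpack_from("!I", datagram, 0)
    if session_id not in sessions:
        raise ValueError("drop: unknown session ID 0x%08x" % session_id)
    expected_cookie, egress = sessions[session_id]
    received_cookie = datagram[4:4 + COOKIE_LEN]
    if not hmac.compare_digest(expected_cookie, received_cookie):
        raise ValueError("drop: cookie mismatch for session 0x%08x" % session_id)
    return egress, datagram[4 + COOKIE_LEN:]
```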

CHAPTER 5 BGP/MPLS VPN NETWORKS


BGP/MPLS VPNs are network-based IP VPNs which allow service providers to use their IP backbone in order to provide VPN services to their customers. BGP/MPLS VPNs use BGP to distribute VPN routing information across the provider's backbone and MPLS to forward VPN traffic from one VPN site to another.

Fig. 5.1 Layered view of a BGP/MPLS VPN

5.1 IMPLEMENTATION OF THE VIRTUAL ROUTER CONCEPT

A BGP/MPLS VPN Network is based on the VR concept. The VR in a BGP/MPLS network is implemented with the help of the VPN Routing and Forwarding table (VRF) and the Route Distinguisher (RD).

5.1.1 VPN Routing and Forwarding Tables (VRFs)

A VPN routing and forwarding (VRF) table can be considered as the individual routing table of each of the VRs in a BGP/MPLS VPN network. Thus, VRFs allow overlapping of customer addresses for different VPNs. The VRFs for different VPNs are identified based on the Route Distinguisher assigned by the service provider. Each VRF within a VPN can use its own Route Distinguisher.

5.1.2 Route Distinguisher (RD)

A route distinguisher is an address qualifier used only within a single provider MPLS Network, used to distinguish the distinct VPN routes of separate customers who connect to the provider. It is an 8-byte field prefixed to the customer's IP address. The resulting 12-byte field is a unique "VPN-IPv4" address. Within an MPLS network, a PE router needs to be configured to associate each route distinguisher with routes which lead to a particular CE router. The PE router may be configured to associate all routes leading to the same CE router with the same route distinguisher, or it may be configured to associate different routes with different route distinguishers, even if they lead to the same CE router. The route distinguisher makes IPv4 prefixes globally unique. It is used only by edge routers to identify which VPN a packet belongs to. For example, for a PE router to be able to distinguish the IP address 10.0.0.0 of one customer from the 10.0.0.0 of another customer, the network administrator must add a unique route distinguisher to each. The route distinguisher (RD) has 2 major fields, the Type Field (2 bytes) and the Value Field (6 bytes). The Type field determines the lengths of the Value field's two subfields (Administrator and Assigned Number), as well as the semantics of the Administrator field. The use of the public ASN space or the public IP address space guarantees that each RD is globally unique. Globally unique RDs provide a mechanism that allows each service provider to administer its own address space and create globally unique VPN-IPv4 addresses without conflicting with the RD assignments made by other service providers.

5.2 Network Architecture
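The RD layout above (2-byte Type, then Administrator and Assigned Number subfields whose lengths depend on the Type) and the resulting 12-byte VPN-IPv4 address are worked through below. This is an added example, not code from the report; it assumes the three standard RD types (Type 0: 2-byte AS number plus 4-byte assigned number; Type 1: 4-byte IPv4 address plus 2-byte assigned number; Type 2: 4-byte AS number plus 2-byte assigned number), and the AS numbers and prefixes are constructed.

```python
import ipaddress
import struct

# Route Distinguisher: 2-byte Type + 6-byte Value (Administrator | Assigned Number).
#   Type 0: Administrator = 2-byte ASN,          Assigned Number = 4 bytes
#   Type 1: Administrator = 4-byte IPv4 address, Assigned Number = 2 bytes
#   Type 2: Administrator = 4-byte ASN,          Assigned Number = 2 bytes


def encode_rd(rd_text):
    """Encode "administrator:assigned" into 8 bytes, picking the Type from the
    administrator part: dotted quad -> Type 1, ASN > 65535 -> Type 2, else Type 0."""
    admin, assigned = rd_text.split(":")
    assigned = int(assigned)
    if "." in admin:
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, assigned)
    asn = int(admin)
    if asn < (1 << 16):
        return struct.pack("!HHI", 0, asn, assigned)
    return struct.pack("!HIH", 2, asn, assigned)


def decode_rd(raw):
    """Inverse of encode_rd; the Type field decides how the Value is split."""
    if len(raw) != 8:
        raise ValueError("RD must be exactly 8 bytes")
    (rd_type,) = struct.unpack_from("!H", raw)
    if rd_type == 0:
        _, asn, assigned = struct.unpack("!HHI", raw)
        return "%d:%d" % (asn, assigned)
    if rd_type == 1:
        _, ip, assigned = struct.unpack("!H4sH", raw)
        return "%s:%d" % (ipaddress.IPv4Address(ip), assigned)
    if rd_type == 2:
        _, asn, assigned = struct.unpack("!HIH", raw)
        return "%d:%d" % (asn, assigned)
    raise ValueError("unknown RD type %d" % rd_type)


def vpn_ipv4_prefix(rd_text, prefix_text):
    """Build the 12-byte VPN-IPv4 address: RD followed by the IPv4 network bytes.
    Two customers may both advertise 10.0.0.0/8; with different RDs the
    resulting VPN-IPv4 addresses differ, so both can coexist in MP-BGP."""
    net = ipaddress.IPv4Network(prefix_text)
    return encode_rd(rd_text) + net.network_address.packed


# Constructed example values (not from the report): two customers of AS 65000
# advertising the same private prefix.
CUSTOMER_A = vpn_ipv4_prefix("65000:1", "10.0.0.0/8")
CUSTOMER_B = vpn_ipv4_prefix("65000:2", "10.0.0.0/8")
```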

A customer site is connected to the service provider network by one or more interfaces. The service provider associates each interface with a VPN routing table.

Fig. 5.2 Network architecture of a BGP/MPLS Network

A CE router advertises the site's local VPN routes to the PE router, and learns remote VPN routes from the PE router. PE routers exchange routing information with CE routers using static routing, RIP, OSPF or EBGP. The PE router maintains VPN routing information for those VPNs to which it is directly attached. This design eliminates the need for PE routers to maintain all of the service provider's VPN routes. Each customer connection is mapped to a specific VRF. The interface on the PE router is associated with a VRF; multiple interfaces on a PE router can be associated with a single VRF. PE routers have the ability to maintain multiple forwarding tables that support the per-VPN separation of routing information. A PE router exchanges VPN routing information with other PE routers using IBGP. Finally, P routers function as MPLS transit LSRs when forwarding VPN data traffic between PE routers. Since traffic is forwarded across the MPLS backbone using a two-layer label stack, P routers are only required to maintain routes to the provider's PE routers; they are not required to maintain specific VPN routing information for each customer site.

5.3 OPERATION AND ILLUSTRATION OF A BGP/MPLS VPN

The operation of BGP/MPLS VPNs can be divided into various phases. The various phases of a BGP/MPLS VPN's operation are illustrated with a case study.

At a PE, a VRF represents the context that is specific to an attached VPN; a VRF is primarily associated to (is identified by) the one or more sub-interfaces through which the sites belonging to this VPN are connected.

The illustration below shows a Service Provider network attached to a number of sites that represent 3 VPNs (Red, Blue and Green). Site 5 is part of two VPNs. In the illustration all the VRFs have only one sub-interface except VRF Green at PE3, which has two sub-interfaces (those of Sites 6 and 7).

Fig. 5.3 BGP/MPLS VPN Routing & Forwarding tables (VRFs)

The other parameters that must be defined at VRF creation time are the route distinguisher (RD) and the route targets (RT) for the Import and Export policies. These parameters are used when the VPN private routes are distributed via the backbone to the other sites. The RTs enable the distribution of VPN routes to the relevant remote sites.

For VPN sites to be attached and be operational, there are two prerequisites to be performed at SP network configuration time: the establishment of internal BGP (iBGP) sessions between PEs and the set-up of MPLS label switched paths between PEs.

Fig. 5.4 PE-to-PE pre-established iBGP sessions and LSPs

Multi-protocol BGP must be used for the sessions between PEs. MP-BGP is required because it enables routers to convey other routes than the classical 4-byte IPv4 routes. VPN routes are not distributed within the backbone as IPv4 routes but are prefixed with the route distinguisher and are therefore 12 bytes long.

MPLS LSPs are unidirectional and therefore a pair of LSPs must be established between PEs (for QoS purposes, several pairs could be set up with different queuing priorities). From the perspective of the data transfer phase, the number shown at the ingress side of the LSP represents the "outer" label. The labels shown at the egress side of a P router represent the "swap" labels (19 and 29 between PE1 and PE2). The labels numbered "3" represent a special label value indicating that this P router is the penultimate hop in the path. LSPs are established using either LDP or RSVP.

The fundamental mechanisms used by BGP/MPLS VPNs can be summarized as:

On the Control Plane: the use of BGP for the distribution of VPN routes through the SP backbone and the establishment of LSPs.

On the Data Plane: the use of MPLS for the IP traffic forwarding itself, more exactly the transfer of VPN data through the SP backbone.

5.3.1 VPN Route Distribution in Control Plane

Distribution of VPN routes is shown in several phases. These processes occur either when a site is attached or detached (join and prune operations), or when some routes are added, modified or removed at a site.

CE to PE

From the customer perspective, routing occurs normally. Once it has been agreed with the SP which sites are part of which VPN and what the logical topology is, the CE peers with its PE and advertises its routes. The routing protocols may be interior routing protocols (RIP, OSPF) or BGP. It is also possible not to use any routing protocol and instead have static routing configured at each site.

Fig. 5.5 CE to PE Route Distribution

When the PE receives routes over a VRF sub-interface, it stores them in the associated VRF. These local routes are in the classical IP format (and are stored as such in the VRF). In the VRF, they are associated to the VRF sub-interface and are assigned a label value. This label is known as the "VPN label" (also known as "inner label" or "bottom label" with regard to its conveyance within the LSP). The VPN label value is a PE's local matter. It identifies the VRF sub-interface by which this route is learned. Hence, routes learned over the same VRF sub-interface will have the same label value. This will enable the PE, when receiving traffic towards one of these routes, to choose the suitable sub-interface.

When two sites (or more) attached to one PE are in the same VPN, they gain connectivity directly via the VRF that they share (Sites 6 and 7 in the illustration). In the figure, the VRFs are "dimensioned" according to the number of routes they will eventually contain. The local routes in the VRF are represented in plain colour.

PE to PE

Once the PE has learned local routes from its CEs, it will advertise them, via BGP, to the other PEs, according to the Route Distinguisher and Export Route Target(s) that were defined at VRF creation time. The VPN routes could not be conveyed as such via BGP (since IP address overlapping can normally occur between VPNs); otherwise only one route would be kept, thus making the others unreachable. Routes are therefore prefixed with an 8-byte Route Distinguisher that typically consists of the SP's AS number plus the VPN identifier. Besides, the VPN label that was allocated to each local route must also be conveyed with this route. The VPN routes will also be flagged, as extended BGP community attributes, with their one or more Route Targets. Finally, the Next Hop BGP attribute value is the (advertising) PE loopback address itself.

Fig. 5.6 PE to PE Route Distribution

An example of the VPN route distribution from PE3 to other PEs is shown in Figure 5.6. PE3 exports the local routes of its two VRFs according to the RD and Export RT of each VRF. When PE1 and PE2 receive these BGP updates, they will filter the labeled VPN routes according to the Import Policy of each of their VRFs, before completing these VRFs with the relevant VPN routes. In the illustration the remote routes in VRFs "Red" and "Blue" at PE1, as well as in VRFs "Red" and "Brown" at PE2, are shown with a different pattern (with transversal lines). They are stored in the VRF as IPv4 routes (the RD has been removed) along with the suitable interface and label stack (where the outermost label represents the LSP ingress label enabling this PE to reach the egress PE, as given in the BGP Next Hop parameter, while the inner label is the VPN label just received with this VPN route).

Once all the VPN routes have been distributed through the SP backbone, all the VRFs of all the PEs contain both their local routes as well as the remote routes.

PE to CE

When a VRF at a PE is updated with a remote route, it advertises this route to the attached CEs that are associated to this VRF. As shown in Figure 5.7, there is then full IP connectivity between the sites belonging to the same VPN. For example Site 1 has learned via its peer PE (PE1) the routes from Sites 4 and 8. Similarly, Site 5, which is shared between VPN Blue and VPN Green, has learned routes from remote site 2 (Blue) as well as remote sites 3, 6 and 7 (Green).

Fig. 5.7 PE to CE Route Distribution
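The PE-to-PE phase described above (export: prefix with RD, attach VPN label, Route Targets and the PE loopback as Next Hop; import: accept into every VRF whose Import RT matches, then strip the RD and store the route with its outer LSP label and inner VPN label) is modelled below as an added example, not code from the report. The RD and RT values, the PE2 loopback 192.0.2.2 and the outer label 12 are constructed; the prefixes and VPN labels 2001/2002 follow the data forwarding case study of section 5.3.2.

```python
from dataclasses import dataclass, field


@dataclass
class Vrf:
    name: str
    rd: str                 # route distinguisher, e.g. "65000:100" (constructed)
    export_rt: set          # route targets attached to exported routes
    import_rt: set          # a received route is accepted if any RT matches
    local_routes: dict = field(default_factory=dict)   # prefix -> VPN label
    remote_routes: dict = field(default_factory=dict)  # prefix -> (next hop, outer label, VPN label)


@dataclass
class VpnRoute:
    """One labeled VPN-IPv4 route as carried in an MP-BGP update."""
    rd: str
    prefix: str
    vpn_label: int
    route_targets: set
    next_hop: str           # advertising PE loopback


def export_routes(pe_loopback, vrf):
    """PE to PE, sending side: every local route becomes RD:prefix with its
    VPN label, the VRF's Export RTs and the PE loopback as Next Hop."""
    return [VpnRoute(vrf.rd, prefix, label, set(vrf.export_rt), pe_loopback)
            for prefix, label in vrf.local_routes.items()]


def vpnv4_table(updates):
    """BGP VPN-IPv4 table keyed by (RD, prefix): the RD keeps overlapping
    customer prefixes apart instead of one route overwriting the other."""
    return {(u.rd, u.prefix): u for u in updates}


def import_routes(vrfs, updates, lsp_labels):
    """PE to PE, receiving side: apply each VRF's Import policy, drop the RD,
    and store the IPv4 route with the outer (LSP) and inner (VPN) labels.
    lsp_labels maps a Next Hop PE to the outer label that reaches it."""
    accepted = 0
    for upd in updates:
        for vrf in vrfs:
            if vrf.import_rt & upd.route_targets:
                outer = lsp_labels[upd.next_hop]
                vrf.remote_routes[upd.prefix] = (upd.next_hop, outer, upd.vpn_label)
                accepted += 1
    return accepted


def build_case_study():
    """PE2 exports its Red and Green routes; PE1 imports into Red, Blue, Green."""
    pe2_red = Vrf("Red", "65000:100", {"65000:100"}, {"65000:100"},
                  {"10.2.0.0/16": 2001})
    pe2_green = Vrf("Green", "65000:300", {"65000:300"}, {"65000:300"},
                    {"10.4.0.0/16": 2002})
    pe1_red = Vrf("Red", "65000:100", {"65000:100"}, {"65000:100"})
    pe1_blue = Vrf("Blue", "65000:200", {"65000:200"}, {"65000:200"})
    pe1_green = Vrf("Green", "65000:300", {"65000:300"}, {"65000:300"})

    updates = export_routes("192.0.2.2", pe2_red) + export_routes("192.0.2.2", pe2_green)
    lsp_labels = {"192.0.2.2": 12}     # outer label PE1 uses on the LSP towards PE2
    accepted = import_routes([pe1_red, pe1_blue, pe1_green], updates, lsp_labels)
    return accepted, pe1_red, pe1_blue, pe1_green
```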

5.3.2 VPN Data Forwarding in Data Plane

Route distribution on the control plane has enabled the building of the VRFs and thus prepared the transfer of IP traffic between sites. Figure 5.8 illustrates two simultaneous data transfers: (1) from a host at Site 1 to, for example, some server at Site 4 (with IP address 10.2.4.2); and (2) from a host at Site 3 to some other server at Site 5 (with IP address 10.4.1.8).

Fig. 5.8 Data forwarding across the backbone

When the IP packet with destination address 10.2.4.2 is received by PE1 from CE1, the Red VRF is interrogated and the entry corresponding to the 10.2/16 route indicates if_1a as output interface, 12|2001 as label stack, as well as (not shown) a data link header. The label stack is inserted in front of the IP packet, the data link header is inserted in front of the label stack and the resulting frame is queued on the output interface. Similarly, when the IP packet with destination address 10.4.1.8 is received by PE1 from CE3, the Green VRF is interrogated and the entry corresponding to the 10.4/16 route indicates if_1a as output interface, 12|2002 as label stack, as well as (not shown) a data link header. The label stack is inserted in front of the IP packet, the data link header is inserted in front of the label stack and the resulting frame is queued on the output interface. The two frames are sent on the LSP egress path (PE1's output interface: if_1a); at router Px, the top labels are swapped (19 replaces 12) and the labelled packets are forwarded towards Py, which is the penultimate hop in the LSP. As a result, the outer labels are popped and the packets are sent towards PE2 with only the inner label in front. At egress PE2, the relevant VRF sub-interface is retrieved from the VPN label and the original IPv4 packet is finally forwarded to the CE, enabling us to reach the server within the site.
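The four MPLS operation steps of section 4.3 (ingress push, transit swap, penultimate-hop pop, egress IP forwarding) and the two transfers traced above are simulated below as an added example, not code from the report. The VRF entries, LFIBs and interface names are constructed from the case study (labels 12, 19, 2001, 2002, interface if_1a, routers Px and Py); the names of the customer-facing sub-interfaces are assumptions.

```python
import ipaddress

IMPLICIT_NULL = 3   # label value signalled by the egress PE to request penultimate-hop popping

# PE1 VRFs (constructed from the case study): prefix -> (output interface, label stack)
PE1_VRFS = {
    "Red":   {"10.2.0.0/16": ("if_1a", [12, 2001])},
    "Green": {"10.4.0.0/16": ("if_1a", [12, 2002])},
}
# Which VRF each PE1 customer-facing sub-interface belongs to (names assumed)
PE1_SUBIF_VRF = {"ce1": "Red", "ce3": "Green"}

# LFIBs of the P routers: incoming top label -> (action, new label, next hop)
LFIB = {
    "Px": {12: ("swap", 19, "Py")},
    "Py": {19: ("pop", IMPLICIT_NULL, "PE2")},   # PE2 advertised label 3 for this LSP
}
# Egress PE2: VPN label -> (VRF, sub-interface towards the CE); names assumed
PE2_VPN_LABELS = {2001: ("Red", "to_ce4"), 2002: ("Green", "to_ce5")}


def ingress(in_subif, dst_ip):
    """PE1: longest-prefix match in the VRF bound to the ingress sub-interface.
    A destination that exists only in another VPN's VRF is simply unreachable."""
    vrf = PE1_VRFS[PE1_SUBIF_VRF[in_subif]]
    addr = ipaddress.IPv4Address(dst_ip)
    best = None
    for prefix, entry in vrf.items():
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, entry)
    if best is None:
        raise LookupError("no route for %s in VRF %s" % (dst_ip, PE1_SUBIF_VRF[in_subif]))
    out_if, stack = best[1]
    return out_if, list(stack)


def transit(router, stack):
    """P router: act on the top label only; no Layer 3 processing."""
    action, new_label, next_hop = LFIB[router][stack[0]]
    if action == "swap":
        return next_hop, [new_label] + stack[1:]
    if action == "pop":
        return next_hop, stack[1:]
    raise ValueError("unknown LFIB action %r" % action)


def egress(stack):
    """PE2: the only remaining label is the VPN label; it selects the VRF sub-interface."""
    if len(stack) != 1:
        raise ValueError("expected a single VPN label at egress, got %r" % stack)
    return PE2_VPN_LABELS[stack[0]]


def forward(in_subif, dst_ip):
    """Trace one packet PE1 -> Px -> Py -> PE2; returns (VRF, CE interface, hop trace)."""
    out_if, stack = ingress(in_subif, dst_ip)
    trace = [("PE1", out_if, list(stack))]
    router = "Px"
    while router in LFIB:
        next_hop, stack = transit(router, stack)
        trace.append((router, next_hop, list(stack)))
        router = next_hop
    vrf, ce_if = egress(stack)
    trace.append(("PE2", ce_if, []))
    return vrf, ce_if, trace
```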

CHAPTER 6 WIRELESS LAST MILE REMOTE SITE CONNECTIVITY


6.1 INTRODUCTION

Remote client sites in the Tulip VPN Service were connected using wireless last mile. Wireless last mile connectivity is provided with the help of Points of Presence (PoPs) or base stations which are installed at various locations. These PoPs are connected to the core backbone network using fibers or sometimes wireless connections. The remote client sites are connected to this PoP using wireless radios and antennas. This in turn gives them a connection to the backbone network. Radios communicate with each other using radio and microwave frequencies.

The wireless last mile was provided using two topologies:

Point to Point (P2P): Operating the client site with the help of one base station radio at the PoP end and one radio at the client end.

Point to Multipoint (PMP): Operating multiple remote sites using a single radio at the PoP and one each at the various remote sites.

The links are secured using MAC address bindings between the end radios.

6.2 REMOTE SITE CONNECTIVITY

Fig. 6.1 A typical wireless last mile remote site connectivity

The base stations or POPs are connected with the core network using optical fibers or redundant RF links. This connectivity is provided with the POP end router. This router is in turn connected to a switch. The radios in the base station are connected to this switch at one end and to the antenna at the other using a pigtail cable.

At the client side, we have an antenna installed which is again connected to the client end radio using a pigtail cable. The client end radio is connected to the client router via a POE (Power over Ethernet) device which provides DC voltage to power the modem. The router is then connected to the internal client LAN.

The information which arrives at the base station is modulated in the radio and transmitted using the antenna. The client end antenna receives this signal and the client radio demodulates it and sends it across to the client end devices.

6.3 RADIOS

Wireless last mile connectivity is established with the help of radios and antennas. Based on the purpose and requirements, different radios were used at Tulip. Each radio has a different operating frequency range and distinct monitoring and troubleshooting procedures.

6.3.1 Airspan

These use IP technology and have an operating range in excess of 20 kilometers line of sight (LOS) and around 3 kilometers non line of sight (NLOS). The system is capable of delivering data speeds up to 3.2 Mbps to each customer with support for Quality of Service (QoS) and Bandwidth on Demand (BOD). A variety of network topologies are supported, including P2P, Point to Multipoint (PMP) for traditional Wireless Local Loop applications and multipoint-to-multipoint (MMP) for base station interconnection. Airspan supports Time Division Duplex (TDD) operation in the unlicensed band and both Frequency Division Duplex (FDD) and TDD modes of operation in the licensed band.

Base Station Radio (BSR): The radio at the base station is known as a BSR. It is an encased outdoor radio module providing a 9 pin D-type port for the RS-232 serial interface and a 15 pin D-type port for data, synchronization, and power interfaces. The BSR is available in two models: with an integral antenna, or with two N-type ports for attaching up to two external antennas.

Fig. 6.2 Airspan BSR

Subscriber Premises Radio (SPR): The radio at the client end is known as the SPR. It is an encased outdoor radio module providing access to a 15 pin D-type port for Ethernet, serial, and power interfaces. The SPR is also available in two models: with an integral antenna, or with an N-type port for attaching an external antenna.

Fig. 6.3 Airspan SPR

The radios can be configured either in bridge mode or in routing mode. They allow full remote and local management through the Simple Network Management Protocol (SNMP) using the tool WipManage.

6.3.2 Radwin

These radios are primarily used in the backbone to provide redundant RF links alongside the fiber network. The system provides a point to point wireless link of up to 48 Mbps and supports a range of up to 80 km. It combines legacy TDM and Ethernet services over the 2.4 GHz and 5.x GHz licence exempt bands. Operation over the 2.4 GHz and 5.x GHz bands is not affected by harsh weather conditions, such as fog, heavy rain etc. Radwin employs Time Division Duplex (TDD) transmission. This technology simplifies the installation and configuration procedure: there is no need to plan and allocate separate channels for the uplink and downlink data streams.

6.3.3 Firepro

These radios can be used for both point to point and point to multi-point wireless connections. However, they are primarily used for point to point links, where a link can carry a dedicated load of up to 2 Mbps and supports a network range of up to 60 km. They can be configured in bridging and routing modes. The main advantage of Firepro is that it can act as a mini router in itself.

It allows full remote and local management through SNMP using the tool WinBox.

CHAPTER 7 REMOTE NETWORK MONITORING AND TROUBLESHOOTING


Remote network monitoring and troubleshooting enables efficient management of a network from the Service Provider's point of view. When there are many network devices and the network is widespread, local management is tedious or impossible. Therefore, there arises the need to manage the network remotely. This is made possible by SNMP.

At the Network Operation Centre (NOC) of Tulip, various VPN client links were remotely monitored and logical link problems were remotely fixed. Various tools were used for remote monitoring and fault detection.

7.1 SIMPLE NETWORK MANAGEMENT PROTOCOL (SNMP)

The Simple Network Management Protocol (SNMP) forms part of the Internet protocol suite. SNMP is used in network management systems to monitor network-attached devices for conditions that warrant administrative attention. It consists of a set of standards for network management, including an Application Layer protocol, a database schema, and a set of data objects. SNMP is based on the manager/agent model consisting of an SNMP manager, an SNMP agent, a database of management information, managed SNMP devices and the network protocol. The SNMP manager provides the interface between the human network manager and the management system. The SNMP agent provides the interface between the manager and the physical device(s) being managed.

Fig. 7.1 Manager-Agent model used in SNMP

SNMP network management is composed of three parts to which both the management applications and the agents conform. They are:

The protocol, which defines the functioning of the basic operations of SNMP and the format of the messages exchanged by management systems and agents.

Structure of Management Information (SMI), which is a set of rules used to specify the format for defining managed objects or the devices that are accessed using SNMP.

Management Information Base (MIB), a collection of definitions which define the properties of the managed object or the device.

7.1.1 SNMP Messages

There are primarily five types of SNMP messages. An SNMP TRAP message allows the agent to spontaneously inform the SNMP manager of an "important" event.

An SNMP GET or GET-NEXT message is initiated by the manager when it wants to retrieve some data from a network element. For example, the Network Management System (NMS) might query a router for the utilization on a WAN link every 5 minutes. It could then create charts and graphs from that data, or it could warn the operator when the link was over utilized.

An SNMP GET-RESPONSE message is issued by the agent to the manager in response to a GET or GET-NEXT message, with either the information requested or an error indication.

An SNMP SET is a message which is initiated by the Network Management System when it wants to change data on a network element. For example, the Network Management System may wish to alter a static route on a router. The agent would respond with a GET-RESPONSE message to indicate whether the task has been accomplished.
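As an added example (not part of the report): a minimal BER encoder and decoder for the SNMP GetRequest/GetResponse pair described above, so that the request id, error fields and variable bindings can be seen byte by byte. It assumes SNMP version 2c, the community string "public", the request id 4660 and a Counter32 value of 123456789, all constructed for the example; the OID is the standard IF-MIB ifInOctets for interface index 1, and the "agent" reply is built locally rather than received from a device.

```python
# Added example (not from the report): minimal SNMPv2c GetRequest/GetResponse
# BER encoder and decoder. Community string, request id and counter value are
# constructed sample data; the OID is IF-MIB ifInOctets for ifIndex 1.
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
COUNTER32, GAUGE32, TIMETICKS = 0x41, 0x42, 0x43
GET_REQUEST, GET_NEXT_REQUEST, GET_RESPONSE, SET_REQUEST = 0xA0, 0xA1, 0xA2, 0xA3
SNMP_V2C = 1                               # version field: 0 = v1, 1 = v2c
IF_IN_OCTETS_1 = "1.3.6.1.2.1.2.2.1.10.1"  # IF-MIB ifInOctets, ifIndex 1

def _length(n):
    """BER length: one byte below 128, else 0x80|count followed by the count bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, payload):
    return bytes([tag]) + _length(len(payload)) + payload

def _int(b):
    return int.from_bytes(b, "big", signed=True)

def enc_int(value, tag=INTEGER):
    """Minimal two's-complement INTEGER (same rule for Counter32/Gauge32 payloads)."""
    size = (value.bit_length() + 8) // 8   # keeps room for the sign bit
    return _tlv(tag, value.to_bytes(size, "big", signed=True))

def enc_oid(dotted):
    """OID: first two arcs in one byte (40*a+b), the rest as base-128 groups."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        body += bytes(reversed(chunk))
    return _tlv(OID, bytes(body))

def build_get_request(community, oids, request_id, pdu_type=GET_REQUEST):
    """Manager side: GetRequest or GetNextRequest, every varbind value NULL."""
    varbinds = b"".join(_tlv(SEQUENCE, enc_oid(o) + _tlv(NULL, b"")) for o in oids)
    pdu = enc_int(request_id) + enc_int(0) + enc_int(0) + _tlv(SEQUENCE, varbinds)
    return _tlv(SEQUENCE, enc_int(SNMP_V2C) + _tlv(OCTET_STRING, community.encode())
                + _tlv(pdu_type, pdu))

def build_get_response(community, request_id, values, error_status=0, error_index=0):
    """Agent side: values are (oid, tag, int-or-bytes); the request id is echoed back."""
    parts = b"".join(
        _tlv(SEQUENCE, enc_oid(o) + (_tlv(t, v) if isinstance(v, bytes) else enc_int(v, t)))
        for o, t, v in values)
    pdu = (enc_int(request_id) + enc_int(error_status) + enc_int(error_index)
           + _tlv(SEQUENCE, parts))
    return _tlv(SEQUENCE, enc_int(SNMP_V2C) + _tlv(OCTET_STRING, community.encode())
                + _tlv(GET_RESPONSE, pdu))

def _read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _children(payload):
    pos, out = 0, []
    while pos < len(payload):
        tag, val, pos = _read_tlv(payload, pos)
        out.append((tag, val))
    return out

def dec_oid(body):
    arcs, cur = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

def parse_message(buf):
    """Decode a request or response into a dict (v1 and v2c share this framing)."""
    tag, msg, _ = _read_tlv(buf, 0)
    assert tag == SEQUENCE, "not an SNMP message"
    (_, ver), (_, comm), (pdu_tag, pdu) = _children(msg)
    (_, rid), (_, est), (_, eix), (_, vbl) = _children(pdu)
    varbinds = []
    for _, vb in _children(vbl):
        (_, oid_body), (vtag, vval) = _children(vb)
        if vtag in (INTEGER, COUNTER32, GAUGE32, TIMETICKS):
            value = int.from_bytes(vval, "big", signed=(vtag == INTEGER))
        else:
            value = None if vtag == NULL else bytes(vval)
        varbinds.append((dec_oid(oid_body), vtag, value))
    return {"version": _int(ver), "community": comm.decode(),  # clear text on the wire
            "pdu_type": pdu_tag, "request_id": _int(rid), "error_status": _int(est),
            "error_index": _int(eix), "varbinds": varbinds}

def demo_exchange():
    """Manager asks for ifInOctets.1; a simulated agent answers with a Counter32."""
    request = build_get_request("public", [IF_IN_OCTETS_1], request_id=4660)
    response = build_get_response("public", 4660, [(IF_IN_OCTETS_1, COUNTER32, 123456789)])
    return parse_message(request), parse_message(response)
```

parse_message returns the community string because SNMPv1 and v2c carry it unencrypted in every packet, so anyone who can capture traffic on the management path can read it; the community strings configured on routers and radios therefore deserve the same handling as login passwords, and SNMPv3 with authentication is the better choice where the devices support it.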

7.2 ROLE OF L1 MEMBER IN NOC

In the Network Operation Centre (NOC) of Tulip Telecom, my role was that of a Level 1 (L1) member. The task of an L1 member is to proactively monitor and manage the network links and provide first level troubleshooting, in case a customer's remote VPN link is down or some problems in the connectivity are being faced. For remote monitoring and fault identification in the client link, various tools are used. The following flowchart illustrates the hierarchy followed for link troubleshooting in the Tulip NOC.

Fig. 7.2 Hierarchy followed for link troubleshooting

1) Each team has its respective team leader, who handles different clients. Handling of these clients is the responsibility of the L1 Engineers. The teams are also referred to as the Access Teams. The entire network is managed from the Delhi NOC.

2) For every client call a fault ticket number is raised and basic troubleshooting is done by L1 Engineers. On success, the call is closed.

3) On escalation, the call is assigned to an L2 Engineer, who closes the call on success. For physical issues, field engineers are assigned.

4) Still higher members are involved in further escalations.

5) MPLS configuration and Router & Switch configuration are done by L2 Engineers.

6) Serious and complex issues are handled by L3 Engineers, Team

7.3 TOOLS

7.3.1 Telnet client

Telnet is a part of the TCP/IP protocol suite that allows virtual terminal emulation. It allows a user on a remote client machine, called the Telnet client, to access the resources of another machine, the Telnet server. These emulated terminals are of the text-mode type and can execute refined procedures like displaying menus that give users the opportunity to choose options from them and access the applications on the duped server. Users begin a Telnet session by running the Telnet client software and then logging into the Telnet server, which is usually a router or switch. Telnet allows for remote configuration and/or checking of the routers or switches without using a console cable.

7.2.1 Host Monitor

Host Monitor is a Windows based system management tool for monitoring server availability and performance, used 24/7 for pro-active monitoring. It sends an alert when a monitored device does not respond to a test using your own parameters, and can take any of 25 pre-defined actions such as sending an email message or shutting down a service.

HostMonitor creates various log files using different detail levels and file formats. Its Web Service, Telnet Service and Remote Control Console simplify remote management; using Remote Monitoring Agents for Windows, Linux, Solaris etc. we may easily monitor remote networks.

Fig. 7.3 Host Monitor Interface

HostMonitor can check any TCP service, ping a host, check a route, and monitor Web, FTP, Mail and DNS servers. It can check the available disk space, monitor the size of a file or folder, and check the integrity of files and web sites. HostMonitor is network administration software; it provides different ways to respond to failed services. Audio and visual notifications alert people near the machine. E-mail and pager notifications inform a wider range of remote operators. HostMonitor can take actions that are designed to recover from a failure automatically without human intervention (e.g. "restart service", "reboot computer" actions).

Host Monitor was used in the NOC for active monitoring of network links and in order to immediately alert the user of a link failure.

7.3.2 WipManage

WipManage enables local and remote management of the Airspan system and every unit within the system. WipManage can access every unit using a top-down hierarchy. At the top of the hierarchy are the base stations. From the base stations the system manager can zoom in on and manage each unit on each subscriber site.

WipManage uses SNMP and TFTP to perform the following tasks on an Airspan system:

Installation

Configuration

Trap management

Fault management

Performance Monitoring

Setting RF parameters, IP configuration, security policies, VLANs and any other feature per element or per many elements simultaneously (multi device operation)

Fig. 7.4 WipManage Interface

WipManage is location-independent and can be used to manage any Airspan unit in the network as long as the Airspan unit is connected to the network.

WipManage was primarily used in the NOC for the connection and performance monitoring of RF links and of the BSR and SPR. This included checking the BER (Bit Error Rate) and the Received Signal Strength Indication (RSSI), which is a measurement of the power present in a received radio signal.

Fig. 7.5 SPR BER Performance Monitoring

Fig. 7.6 SPR RSSI Performance Monitoring

7.3.3 Multi Router Traffic Grapher (MRTG)

The Multi Router Traffic Grapher, or simply MRTG, is software for monitoring the traffic load on network links. It allows the user to see the traffic load on a network over time in graphical form. MRTG is written in Perl and works on Unix/Linux as well as Windows and even Netware systems.

MRTG uses the Simple Network Management Protocol (SNMP) to send requests with two object identifiers (OIDs) to a device. The device, which must be SNMP-enabled, will have a management information base (MIB) to look up the OIDs specified. After collecting the information it will send back the raw data encapsulated in an SNMP protocol message. MRTG records this data in a log on the client along with previously recorded data for the device. The software then creates an HTML document from the logs, containing a list of graphs detailing traffic for the selected device.

Features

Measures 2 values (I for Input, O for Output) per target.

Gets its data via an SNMP agent, or through the output of a command line.

Typically collects data every five minutes (it can be configured to collect data less frequently).

Creates an HTML page per target that features graphs (GIF or PNG images).

Results are plotted vs time into day, week, month and year graphs, with the I plotted as a full green area, and the O as a blue line.

Automatically scales the Y axis of the graphs to show the most detail.

Adds calculated Max, Average and Current values for both I and O to the target's HTML page.

Can also send warning emails if targets have values above a certain threshold.

In the NOC, MRTG was primarily used to check whether the high latencies and drops in a network link were due to overutilization of the bandwidth actually assigned.
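The Max, Average and Current figures and the threshold warning in the feature list all derive from deltas between consecutive SNMP counter polls. As an added example that is not MRTG's own code, the Python below computes bits per second from consecutive polls of ifInOctets/ifOutOctets, handles a wrap of the 32-bit counter, summarises the series and flags polls above a threshold, which is the check an L1 engineer runs when deciding whether drops come from overutilization. The poll samples and the 2 Mbps assigned bandwidth are constructed for the example.

```python
# Added example (not MRTG's code): SNMP octet counters -> bits per second, with
# Counter32 wrap handling. SAMPLES is constructed data in the form
# (seconds since first poll, ifInOctets, ifOutOctets), polled every 5 minutes.
COUNTER32_MODULUS = 2 ** 32

SAMPLES = [
    (0,   4_256_467_296,    100_000),
    (300, 4_293_967_296, 18_850_000),
    (600,    36_500_000, 37_600_000),   # ifInOctets wrapped past 2^32 here
    (900,   111_500_000, 56_350_000),
]


def counter_delta(prev, cur, modulus=COUNTER32_MODULUS):
    """Octets counted between two polls, allowing for a single counter wrap."""
    return cur - prev if cur >= prev else cur + modulus - prev


def rates_from_samples(samples):
    """(poll time, in bps, out bps) for each consecutive pair of polls."""
    rates = []
    for (t0, in0, out0), (t1, in1, out1) in zip(samples, samples[1:]):
        secs = t1 - t0
        rates.append((t1, counter_delta(in0, in1) * 8 / secs,
                          counter_delta(out0, out1) * 8 / secs))
    return rates


def summarize(rates):
    """Max, Average and Current bps for I and O, as MRTG prints under its graphs."""
    out = {}
    for name, idx in (("in", 1), ("out", 2)):
        series = [r[idx] for r in rates]
        out[name] = {"max": max(series), "avg": sum(series) / len(series), "cur": series[-1]}
    return out


def over_threshold(rates, limit_bps):
    """Poll times at which either direction exceeds the limit (MRTG's warning mail)."""
    return [t for t, in_bps, out_bps in rates if in_bps > limit_bps or out_bps > limit_bps]


def utilisation(rates, assigned_bps):
    """Share of the assigned bandwidth in use at each poll (busier direction)."""
    return [(t, max(in_bps, out_bps) / assigned_bps) for t, in_bps, out_bps in rates]


if __name__ == "__main__":
    rates = rates_from_samples(SAMPLES)
    for t, in_bps, out_bps in rates:
        print(f"t={t:4d}s  in={in_bps / 1e6:.2f} Mbps  out={out_bps / 1e6:.2f} Mbps")
    print("polls over 90% of the assumed 2 Mbps:", over_threshold(rates, 0.9 * 2_000_000))
```

The wrap case matters in practice: a 32-bit octet counter rolls over in about 34 seconds at 1 Gbps, so for fast links the 64-bit ifHCInOctets/ifHCOutOctets counters from IF-MIB should be polled instead, which is why MRTG and PRTG both support them.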

7.3.4 Paessler Router Traffic Grapher (PRTG)

Paessler Router Traffic Grapher (PRTG) is network monitoring and bandwidth usage software for Microsoft Windows by Paessler AG. With PRTG, bandwidth usage of a network can be monitored and classified using the three most common bandwidth data acquisition methods:

SNMP: Reads traffic counters of network devices like switches, routers and servers

Packet Sniffer: Looks at all data packets travelling through a network using promiscuous mode and analyzes the network packets to find out the IP addresses, protocols, etc. of the source and target machine

NetFlow: Analyses NetFlow protocol packets, used mostly by Cisco routers

Using SNMP, not only bandwidth usage but also many other network readings (e.g. CPU usage, disk usage, temperatures) can be monitored via SNMP OIDs.

The usage data is constantly recorded and the historic data can be analyzed, e.g. with data tables for usage billing and graphs for trend analysis, via a web server interface and in a Windows GUI.

In the NOC, PRTG was primarily used to check the utilization of the assigned bandwidth by the client. The PRTG graphs were used to confirm whether the latencies and drops faced in a network link were due to a problem in the link or a result of overutilization of the assigned bandwidth by the client.

Fig. 7.7 PRTG Graph showing bandwidth utilization

7.3.5 Virtual NOC (VNOC)

VNOC is software developed by Tulip. The main aim of VNOC is to enable a proactive monitoring system. Any link which is flapping or is not up will be reflected immediately in the VNOC interface. Further, only a warning is displayed at first. After a stipulated time, if no action is taken, a ticket is logged automatically. This, along with tool.tulipconnect.com, helps provide a very reliable and proactive manner of monitoring of the clients by the Access Team.

Fig. 7.8 Proactive monitoring and fault logging by VNOC

CHAPTER 8 CLIENT CASE STUDIES

Tulip provided a variety of VPN services to its clients. Two of the circuits that were handled by me as an L1 member in the team were Reliance L2 circuits and Indiabulls Layer 3 MPLS VPN circuits.

8.1 RELIANCE L2 CIRCUITS

Fig. 8.1 Reliance L2 network connectivity with fiber interconnect

Tulip provided last mile connectivity to Reliance customers at Layer 2. In this case Tulip acted as the carrier of carriers.

8.1.1 Working

Frames from the client end are tagged at the SPR end. The VLAN tagged traffic is accepted by a Cisco 2950 switch in the POP and forwarded to the POP router, which may be a Cisco 1800/2800.

An L2TPv3 (Xconnect) tunnel is created from that router port (in which the 2950 is terminated) to the LAN side port of the Cisco 7200 in the Okhla office.

Again, the L2 traffic is terminated in a trunk port of the Cisco 4500 switch at the Okhla side. In turn the Cisco 4500 is connected via trunk ports to Reliance Attrica, and traffic is forwarded via this path to Reliance.

Fig. 8.2 Reliance L2 network connectivity with RF interconnect

Now the traffic flow in the network takes place as follows:

1) The tagged frame reaches the remote Tulip POP and lands on the trunk port.

2) The trunk port throws the frames onto the router via another trunk port.

3) The router sends the frames to the main Tulip POP (where the Interconnect has been made) via Xconnect.

4) The frame now lands on the LAN port of the main Tulip POP router where the Xconnect ends. Here the Xconnect throws the frame onto the trunk port of the Tulip switch.

5) The Tulip switch in turn throws it via another trunk port onto the RF, which is configured in "Pass all VLAN tag" mode.

6) The RF link is the interconnect link between the Reliance Base Transceiver Station and the Tulip POP and is hence terminated in the trunk port of the Reliance switch.

At the time of installation, we make sure that we allow only SPECIFIC VLANs at all the trunk ports. They are not configured in the default mode, which allows all the VLANs.
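One way to check the rule above against a switch configuration, as an added example that is not Tulip's own tooling: the Python below parses interface stanzas in the style of Cisco IOS running-config output and reports trunk ports that carry every VLAN (the IOS default when no allowed list is configured) or VLANs outside the set expected on that switch. The configuration text, interface names and descriptions are constructed for the example; VLAN 777 is the tag used in the page's troubleshooting walkthrough.

```python
# Added example (not Tulip's tooling): audit IOS-style trunk ports for the
# "specific VLANs only" rule. SAMPLE_CONFIG is constructed; interface names,
# descriptions and the 800-802 range are invented for the example.
import re

SAMPLE_CONFIG = """\
interface FastEthernet0/1
 description client SPR, Reliance circuit (constructed)
 switchport mode trunk
 switchport trunk allowed vlan 777
!
interface FastEthernet0/2
 description RF interconnect towards Reliance BTS (constructed)
 switchport mode trunk
!
interface FastEthernet0/3
 description Xconnect uplink (constructed)
 switchport mode trunk
 switchport trunk allowed vlan 777,800-802
!
interface FastEthernet0/4
 switchport mode access
 switchport access vlan 777
!
"""

ALL_VLANS = frozenset(range(1, 4095))  # what an IOS trunk carries by default


def parse_vlan_list(spec):
    """'777,800-802' -> {777, 800, 801, 802}; 'all' -> every VLAN id."""
    if spec.strip().lower() == "all":
        return set(ALL_VLANS)
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_interfaces(config):
    """Map interface name -> {'mode': str or None, 'allowed': set or None}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = interfaces[m.group(1)] = {"mode": None, "allowed": None}
        elif current is not None:
            line = line.strip()
            if line.startswith("switchport mode "):
                current["mode"] = line.split()[-1]
            elif line.startswith("switchport trunk allowed vlan add "):
                current["allowed"] = (current["allowed"] or set()) | parse_vlan_list(line.split()[-1])
            elif line.startswith("switchport trunk allowed vlan "):
                current["allowed"] = parse_vlan_list(line.split()[-1])
    return interfaces


def audit_trunks(config, permitted):
    """Findings for trunks that carry all VLANs or VLANs outside the permitted set."""
    findings = []
    for name, info in parse_interfaces(config).items():
        if info["mode"] != "trunk":
            continue
        allowed = info["allowed"] if info["allowed"] is not None else set(ALL_VLANS)
        if allowed == ALL_VLANS:
            findings.append((name, "allows all VLANs (default trunk)"))
        elif not allowed <= permitted:
            findings.append((name, f"allows unexpected VLANs {sorted(allowed - permitted)}"))
    return findings


if __name__ == "__main__":
    for iface, problem in audit_trunks(SAMPLE_CONFIG, permitted={777}):
        print(f"{iface}: {problem}")
```

Run against the exported running-config of each POP switch with the set of VLANs the circuit sheets say belong there, the audit catches exactly the drift the installation rule is meant to prevent: a trunk left in its default state or one that silently carries a second customer's tag.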

8.1.2 Troubleshooting

To illustrate the troubleshooting procedure, let us assume that the SPR is tagging with VLAN Tag 777. Suppose now we get a call from the customer that the link is not working; then the following steps are followed:

a) Visit the client site and terminate the link in the laptop/machine.

b) Assign the Customer router WAN port IP, also known as the CE IP, to the laptop.

c) Ping the Reliance PE IP (given at the time of installation along with the VLAN TAG and CE IP).

d) If we are able to ping, then the problem is with the client router or LAN, which is not in Tulip's domain.

e) If we are not able to ping, then either keep the RF link unterminated so that we can use the router CE IP for further tests, or keep it terminated and remove VLAN 777 from the trunk port of the Tulip switch in which the link is terminated at the POP end.

f) Now the RF link from the CE router is removed so that when we use the CE IP for further trials, it does not collide.

g) Assuming that we are not able to ping even from the laptop after assigning it the CE IP, we need to check the last mile RF link for proper TAG configuration.

h) When we check the client end radio for TAG configuration, we need to change the IP to the Tulip subnet for some time.

i) After making sure that the RF last mile and tagging are proper, we keep the link unterminated (or remove the specific VLAN as mentioned above) and move to the POP site to which the link is connected.

j) Get an ACCESS port against VLAN 777 created in the switch (in which the link is terminated), and terminate the laptop in that port.

k) Assign the CE IP to the laptop and try to ping the Reliance PE IP.

l) If we are able to ping, then clearly the problem is in the RF last mile; if not, then clearly the problem is beyond the Tulip remote POP where we are doing the troubleshooting.

m) If we are able to ping the PE and have concluded that the problem is in the last mile, then we concentrate on the last mile, and troubleshooting that should not be an issue; however, if we are not able to ping the PE IP then

n) Before moving beyond, we must make sure that the last mile is absolutely fine.

o) To check the last mile, get the RF link at the client side terminated back in the router, or add the specific VLAN back to the trunk port of the switch.

p) If the last mile RF is absolutely fine, then our laptop IP should collide with the CE router IP (because we have assigned the CE IP to the laptop).

q) As soon as this happens, we know that the last mile is working, since we have already tested the PE IP from the POP and were unsuccessful. So we can now assign the PE IP to the laptop (since connectivity with Reliance is not working, it won't collide) and try pinging the CE Router IP. It should ping.

r) Now the big problem still remains, i.e. we are not able to ping the Reliance PE from the remote POP. There can be some issue with Reliance itself. So we create an access port against VLAN 777 in the Tulip main POP switch in which the interconnect is terminated.

t) Remove the client end RF link from the CE router and use the CE IP again on the laptop, connected now to the Tulip Main POP switch.

u) Try pinging the Reliance PE across the interconnect link.

v) If we are not able to ping, then clearly the issue is in the Interconnect or on the Reliance side.

w) Suppose other Reliance L2 circuits are working perfectly; then obviously the problem is at the Reliance end. If this is the only circuit, then the integration of the Tulip main POP switch with the Reliance switch comes into question.

x) Now suppose we are not able to ping the Reliance PE IP from the access port of the main POP switch; then we first make sure that the part of the L2 circuit inside the Tulip network is working fine. To do this we assign the Reliance PE IP to the laptop (it won't collide as the logical connectivity with Reliance is already not working), revert the client end termination and try pinging the CE Router IP; if we are pinging, then the Tulip part of the network is working fine. Otherwise there may be a major problem, as we are able to reach neither the Reliance PE nor the Customer CE. This can also happen when the access port to which we are connected is not working, or there is some issue with the laptop or its connectivity with the switch (practically, this happens most of the time).

z) If we are able to ping the CE IP using the Reliance PE IP on the laptop, then we now know that the Tulip part of the L2 circuit is working fine, so now we concentrate on connectivity with Reliance.

Again, if many links are working through this interconnect and only this PE IP is not working, then it is evidently a Reliance end problem. However, if this is the only link currently live via the Interconnect and we are not able to figure out whether the Interconnect RF is passing the VLAN, then we simply arrange a standalone Cisco 2950 or any manageable switch and put it in the Reliance Base Transceiver Station, and terminate the RF link (otherwise terminated in the Reliance switch trunk port) in the trunk port of the arranged switch. Create an access port against VLAN 777 and try pinging the CE Router IP. If we are able to ping, then our Tulip end to end is working fine.

8.2 INDIABULLS

[Figure legend: CE Routers; Logical GRE tunnel from CE to Regional PE Routers; PE routers in MPLS cloud; POP Routers; RF link from CE router to POP router]

Fig. 8.3 Basic Indiabulls VPN Network connectivity layout

8.2.1 Working

Indiabulls was one of the clients who were provided Layer 3 VPN Services. The network diagram shows a simplified view of the Indiabulls network connectivity, considering only a few locations for the sake of simplicity. We see the Indiabulls Head Office located at Gurgaon, for which the primary link was provided through RF from the Gurgaon Sector 18 POP. An MPLS tunnel is provided to the Head Office using the NDEL 7206 router. The regional offices are connected to the nearest Tulip POP using RF connectivity. A logical GRE tunnel is established from these CE routers to the PE routers in the MPLS cloud. Thus, all the packets to the Head Office travel through the Tulip MPLS cloud. This provided an intranet VPN among the various offices of Indiabulls. The Tulip MPLS cloud is primarily a BGP/MPLS network.

8.2.2 Troubleshooting

1) First we check the router IP. If it is not pinging, then get the cable from the modem to the router checked, along with the port where the RF link is terminated.

2) If the Modem IP is not pinging, then maybe the modem has hung, the cable connectivity is loose or there may be a problem in the PoE.

3) If the BSR IP is not pinging, then the call is assigned to the support engineer and the regional NOC.

4) In case all these are working fine, then we go for logical checking. We check the end to end ping of the tunnel from client to HO & vice versa as well as the end to end MPLS ping. The call is assigned to L2 Engineers for major configuration issues.

5) In case of latency & drops we check the RF parameters as well as the client's utilization on PRTG. In case of RSSI & BER problems, we coordinate with the field engineers.

CHAPTER 9 DISCUSSION AND FUTURE SCOPE

9.1 DISCUSSION

We have studied the enabling technologies for both Layer 2 and Layer 3 site to site VPNs. Both have their advantages and disadvantages. It is clear that the setup and provisioning of a VPN service is not a straightforward process, due to the large number and diversity of components involved. The wide range of available technologies and the number of VPN variants make the design of an IPVPN solution a nontrivial task. From the point of view of the service provider, the decision to implement layer 2 or layer 3 VPNs is influenced by a number of factors: whether the service provider is willing to manage a high number (potentially hundreds) of VPN routing tables or prefers to push this responsibility to the customers; the kind of approach used by the service provider to manage and control QoS; and whether the customer's present corporate network is based on a layer 2 VPN (e.g. Frame Relay, ATM). Also, layer 2 and layer 3 VPNs are not mutually exclusive. As was mentioned before, the same MPLS-based backbone allows the deployment of both VPN models simultaneously.

IPsec and MPLS are undoubtedly the two main enabling technologies to build Layer 3 VPNs. While IPsec is particularly suited to handle security, since it is the only VPN technology to support data encryption, it can be deployed over any IP-based network and is only limited by the scope of the service provider network domain. MPLS is mainly oriented to cope with such requirements as scalability, traffic engineering and QoS control, and is the only feasible solution to support large scale IPVPN implementations. However, it requires an MPLS-enabled backbone infrastructure. Both technologies should have their place in service provider networks. IPsec is the natural choice for small enterprise network environments, whereas MPLS is used when scalability is a concern (both in terms of the average customer network size)

In certain VPN scenarios, both IPsec and MPLS can be used as complementary technologies. IPsec should be used in those cases where strong authentication and confidentiality are required (typically, remote VPN access through the public Internet or any non-trusted network), whereas MPLS provides flexible VPN control functions and enables the traffic engineering and traffic differentiation required by large VPN implementations.

9.2 FUTURE SCOPE AND IMPROVEMENTS

Several methods to implement the VPN models have been discussed. However, in the future a lot has to be done regarding the internetworking of different solutions. The multi-provider scenarios available so far cover only the case where multiple MPLS domains support the same VPN type (e.g. multi-provider BGP/MPLS).

Also, so far VPN solutions have dealt primarily with IPv4 at the network layer. As IPv6 comes into implementation, the definition of an IPv6 VPN address family would be required. Also, an already existing MPLS backbone would need its PE routers upgraded to support IPv6 VPN customers. Further, user mobility, fostered by IPv6 and the dissemination of wireless terminals, will be a crucial requirement in future corporate networks. Up to now, mobility issues have been largely ignored by network based VPN standardization efforts.

Multicast is presently an essential feature in a high number of corporate networks and this trend will likely increase in the future. For BGP/MPLS VPNs, based on BGP extensions, multicast support is not so straightforward as of now. A lot of work needs to be done in this avenue as well.

9.3 CONCLUSION

VPNs have become the de facto standard today for corporate site to site connectivity, with significant cost savings and flexibility coupled with the security, reliability and assured level of service guaranteed by VPN Service Providers as per the Service Level Agreements. With this report, the various site to site VPN enabling technologies have been explained.

The relatively new VPN technology in the form of MPLS VPNs has been specially emphasized. With the help of Tulip Telecom, one of the largest VPN providers in India, practically working on live MPLS VPN customer connections in the form of remote VPN management and troubleshooting gave me a logical insight into the VPN enabling technologies and the problems associated with them. We saw that MPLS addresses issues related to scalability and routing (based on QoS and service quality metrics) and can exist over existing ATM and frame-relay networks. IPSec and L2TPv3, coexisting with MPLS, will play an important role in the routing, switching, and forwarding of packets securely through the next-generation network in order to meet the service demands of the users.

This project was an enlightening one, giving an insight into the latest VPN technologies and the ever increasing domain of computer networks.

