Deploying VPNs and Tunneling Technology

313
1006_05F9_c3 © 1999, Cisco Systems, Inc. 1
Deploying VPNs and

Tunneling Technology
Session 313
313
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr 1
Agenda
• Scope of the Session

• VPN Overview
• Enterprise Dial/Access VPNs
• Enterprise Intranet/Extranet VPNs
• Service Provider VPNs
• Next Generation VPN Solutions
313
Scope of this Session
• A VPN survey with design guidelines, service options, and

configuration examples
• For in-depth IPSec coverage, attend “Advanced Security
Technology Concepts”
• For in-depth coverage of network management issues,
attend “Evolution of Network Management Technologies”
• For in-depth coverage of QoS issues, attend “Deploying
Traffic Management (QoS) Technology”
• For a survey of enterprise QoS, security, monitoring and
provisioning products, attend “New Developments for the
Enterprise Virtual Private Network”
313
Virtual Private Network (VPN)
Defined
“ A Virtual Private
Network Carries Private
Traffic Over
a Public Network
”
313
What Is a “Public” Network?
• In this context, any network shared

among different administrative domains
• A shared network such as the Internet
• A privately owned network which
services many customers, such as a
long distance telephone network
313
The Three Categories of VPN
Cisco
IOS®
313
Legacy VPNs
ASYNC
Remote
PSTN
Office Mobile User
Remote
Office ISDN
64 K
PRI
64 K Telecommuter
T1 Enterprise
Frame
Relay
AAA
Service Provider
DMZ
Internet
T1
Web Servers
DNS Server
SMTP Mail Relay
313
Agenda

• VPN Overview
313
Enterprise Dial Outsourcing
Remote 64 K
Office
AAA
Enterprise
Frame T1
Relay
64 K
Remote Service Provider
Office DMZ
May Be Service
Mobile Provider IP Network
User Instead of the Internet
ASYNC Internet T3 Web Servers

DNS Server
PSTN SMTP Mail Relay
USA ISP ISP
A B ISDN
ASYNC
ISP Telecommuter
Mobile PSTN C
User Australia
313
PPTP/MPPE
(Voluntary Tunneling)
ISP NAS
• PPP Termination PPTP
• Registered Address Server
192.x.x.x
10.x.x.x
Private
Internet Address
• Registered Address
• Tunnel Termination
• MPPE Decryption
PSTN
PPTP/
MPPE • Layer 2 VPN, Multiprotocol
192.x.x.x • MPPE Encryption
• Tunnel Is Transparent to ISP
313
PPTP/MPPE Considerations
• PPTP/MPPE is built into Windows

dial-up networking
• Stateful MPPE encryption changes the
key every 255 packets, flow control is
useful in this case
• Stateless MPPE encryption generates
a new key for every packet
• Stateless MPPE is only supported in
recent versions of Dial Up Networking
313
L2TP/IPSec (Client Mode L2TP
with Transport Mode ESP )
ISP NAS
• PPP Termination
192.x.x.x L2TP LNS
10.x.x.x
Private
Internet Address
• IPSec Decryption
PSTN
L2TP/
IPSec • Layer 2 VPN, Multiprotocol
192.x.x.x • IPSec Encryption
• Tunnel Is Transparent to ISP
313
L2TP/IPSec Considerations
• Need client software, bundled

into Windows 2000
• Multivendor, multiprotocol,
standards track
• Most robust security solution
• Scales with certificate authority support
313
IPSec Alone
(Tunnel Mode with ESP)
ISP NAS
• PPP Termination
192.x.x.x IPSec
10.x.x.x
Private
Internet Address
• IPSec Decryption
PSTN
• IPSec Tunneling and
IPSec Encryption
192.x.x.x • Tunnel Is Transparent
to ISP
313
IPSec Alone Considerations
• Client software need not support L2TP

• Open standards client
• Layer 3 VPN, so IP only
• IKE extensions provide AAA
• Scales with certificate authority support
313
Enterprise Dial/Access
VPN Summary
Pro • Service Provider Independent

• Reduced Cost for Enterprises
• No Long Distance Phone Charges
Con • No Resource Availability Guarantees

• No Quality of Service Guarantees
• Performance Dictated by Weakest Link
in the Internet
• Must Manage Client Software
313
Agenda

• VPN Overview
313
Enterprise Intranet VPNs
Enterprise
Remote Office Remote Office Hub AAA
May Be Service
Provider IP Network
Instead of the Internet 64 K 64 K DMZ
Mobile
User
T3 Web Servers
ASYNC Internet DNS Server
PSTN SMTP Mail Relay
USA ISP ISP
A B ISDN
ASYNC
ISP Telecommuter
Mobile PSTN C
User Australia
313
Enterprise Intranet VPN

Technologies
• Routing variants
• IP in IP
• L2TP router to router
• GRE tunneling
• IPSec in tunnel mode
313
Routing Variants
• VPNs through obscurity

(per customer ACLs)
• Policy routing
313
IP in IP
• Used mainly by mobile users, mobile

LAN, dial, wireless, packet radio
• RFC 1853s, 2003
• IETF mobile IP working group
• Similar to GRE
313
L2TP LAN to LAN
• L2TP dynamic tunneling for

LAN-based clients
• Useful for remote LANs that
may need to connect to one
of many sites
• Similar to GRE
313
Generic Route
Encapsulation (GRE)
151.145.1.1 151.145.1.2
255.255.255.252 255.255.255.252
IP Cloud
151.145.0.0
Router LEFT Router RIGHT

172.16.1.1 172.16.2.1
255.255.255.0 255.255.255.0
172.16.3.1 GRE Tunnel 172.16.3.2

255.255.255.252 255.255.255.252
IP GRE Network Packet

Transport Carrier Passenger
Protocol Protocol Protocol
313
GRE Configuration
Router LEFT Configuration
• Network 151.145.x.x is in
publicly routable address Interface Ethernet 0
space (routable over the ip address 172.16.1.1 255.255.255.0
Internet or other shared
network) Interface Serial 0
ip address 151.145.1.1 255.255.255.0
• Routes for 151.145.x.x are
not propagated in private Interface Tunnel 0
network 172.16.x.x ip address 172.16.3.1 255.255.255.252
• Serial interfaces are point- tunnel source Serial 0
to-point connections across tunnel destination 151.145.1.2
the public network
router eigrp
• May be designed as a network 172.16.0.0
hub and spoke, the no auto-summary
configuration is the
same except the hub has ip route 151.145.0.0 255.255.0.0 Serial 0
tunnels to each spoke
313
IPSec
IP Cloud
Router LEFT Router RIGHT
20.1.1.2 20.1.1.1
255.255.255.0
IPSec Tunnel 255.255.255.0
313
IPSec Modes
IP HDR Data
Tunnel Mode
New IP HDR IPsec HDR IP HDR Data

May Be Encrypted
IP HDR Data
Transport Mode
IP HDR IPsec HDR Data
May Be Encrypted
313
IPSec
Router LEFT Configuration
crypto isakmp policy 1
hash md5
authentication pre-share
• A simple IPSec lifetime 3600
config that uses pre- crypto isakmp key cisco address 20.1.1.1
shared keys instead !
of a CA crypto ipsec transform-set Foo ah-md5-hmac esp-des
crypto ipsec transform-set Foo2 ah-sha-hmac esp-des
• Multiple policies may crypto ipsec transform-set Foo3 ah-md5-hmac esp-3des
be defined !
crypto map CryptPing 10 ipsec-isakmp
• Tie the crypto map set peer 20.1.1.1
to the outbound set security-association lifetime seconds 300
interface set transform-set Foo Foo2 Foo3
match address 101
• In this example, only !
interface Serial0
PING (or other ICMP
ip address 20.1.1.2 255.255.255.0
traffic) will crypto map CryptPing
be encrypted !
access-list 101 permit icmp host 20.1.1.2 host 20.1.1.1
313
Enterprise Extranet
Enterprise X
May Be Service
Provider IP Network DMZ
Instead of the Internet
IPSec T1 IPSec
Internet
ISP B
ISP A
T1 T1
ISP C DMZ
DMZ
Partner Z
Supplier Y
313
Enterprise Intranet and Extranet

VPN Summary
Pro • Service Provider Independent

• Reduced Cost for Enterprises
• Quick and Easy Provisioning
Con • No QoS Guarantee

• Performance Dictated by Weakest Link
in the Internet
313
Agenda

• VPN Overview
313
Service Provider Enterprise

Outsourcing and Wholesale Dial
DNIS= Mary/ISP A ISP
Proxied User with A
555-9999
Local PPP Termination
AAA
PSTN
Service
PRI(s) POP Provider
Network RPMS
DNIS= Core
555-1111
Joe
L2x Forwarded
Proxy
Radius
L2F or L2TP
Enterprise AAA
Z
313
Virtual Private Dial Networks
(VPDN) Components
LACs (NASs)
PSTN
PRI(s) Service
Provider LNS
DNIS= POP Network (Home
555-1111 Gateway)
RPMS and AAA AAA

Enterprise
or ISP
IP V.90 PPP L2TP IP
313
L2TP Basic Cisco IOS Commands
LAC:
vpdn-group 1
request dialin [l2f|l2tp] ip x.x.x.x [domain|dnis] <y>
local name <foo>
l2tp tunnel password <password>
LNS:
vpdn-group 1
accept dialin [l2f|l2tp|any] virtual-template 1 remote <y>
local name <foo>
l2tp tunnel password <password>
313
L2TP LAC Configuration
through AAA
• Enables centralized configuration
of NAS/LACs
• Simplifies and standardizes
NAS/LAC configuration
• Radius, Tacacs+
• Resource Pool Management (RPM)
adds the ability to configure this
locally in the Cisco IOS
313
Radius Tunnel Attribute

Sample Configuration
foo.com Password = "cisco User-Service = Outbound-User

Tunnel-type = L2TP,
Tunnel-Medium-Type = IP,
Tunnel-Server-Endpoint = "10.1.1.1, 10.1.1.2, 10.1.1.3",
Tunnel-Id = "nas-pool",
Tunnel-Password = "welcome"
Cisco-specific AV-Pairs Are Also Supported in

Earlier Versions of the Cisco IOS, for Example:
5551212 Password= "cisco" User-Service = Outbound-user,
cisco-avp="vpdn:ip-addresses=10.1.1.1,10.1.1.2/20.1.1.1",
cisco-avp="vpdn:tunnel-id=nas-pool",
cisco-avp="vpdn:tunnel-type=l2tp",
cisco-avp="vpdn:l2tp-tunnel-password=welcome”
313
Resource Pool Management
(RPM) Network Layout
Customer A
Optional Local AAA Radius/

Modem TACACS+
LNS
Service Provider
TA Network
NASs VPDN Tunnel
PSTN
ISDN VPDN Tunnel Radius/
Router DNIS TACACS+
Resource
Groups
RPMS LNS
Customer B
• Resources are located in the NAS
• Information captured at call setup
DNIS, Call Type, CLID
• Public network interfaces supported
PRI, CT1, CT3, CE1, SS7
• Resource pool management may be located:
In the NAS (if single NAS) or in a Resource Pool Manager Server
313
RPM Customer Profile

Components
A Outgoing
Incoming C Session
Call Management C Management
• DNIS Group(s)
E • Local
and Call Type P Authentication
T
• Session Limit • VPDN Group(s)
and Overflow
• Resource Group
and Resource
C
Service A
L
• Call Treatment
L
Threshold Settings (RPMS)
313
Resource Pool Management
Cisco IOS Command Sample
resource-pool enable resource-pool profile customer FOO1

vpdn enable limit base-size 16
! limit overflow-size 8
resource-pool group resource ISDN1 resource ISDN1 digital
range limit 46 dnis group DG1
! vpdn group VG1
vpdn-group VG1 !
request dialin l2tp ip 10.1.1.1 dnis DG1 dialer dnis group DG1
local name NAS1 number 5551212
dnis DG1 number 5553434
loadsharing ip 10.1.1.1 limit 12
loadsharing ip 10.1.1.2 limit 12
backup ip 10.1.1.3
313
RPMS Control
RMP RPMS
PRI
CT1
CE1
Modem PSTN/ISDN
DNIS RADIUS
Call Type
ISDN {CLID} AAA
Pool (Optional)
• Customer profiles stored in the RPMS

• RPMS may control a single NAS, or multiple
NASes in a single or multiple PoP definitions
• Utilizes Resource Manager Protocol (RMP)
313
Stackable L2TP LNSs
and Multilink PPP
LNS #1
NASs 1st Link
SGBP
Domain IP 2nd Link

x.com 10.1.1.1 LNS #2
x.com 10.1.1.2
AAA
• SGBP determines bundle owner

• Multihop code forwards link
313
Stacking Home Gateways/

LNS’s Configuration
hostname LNS1
!
username LNSstack password 7 00071A150754
!
multilink virtual-template 1
!
sgbp group LNSstack
sgbp member LNS2 10.1.1.2
!
vpdn multihop
313
QoS Considerations
• The IP ToS byte may be copied from

the IP header down to the L2TP
header for class-based queuing
• Individual tunnels/VCs can have
standard QoS techniques applied
such as CAR and traffic shaping
313
L2TP Multihop for Multi-Protocol
LNS
Multi Protocol Router
(IPX, ATalk, Etc.)
Enterprise
L2TP
NAS/ L2TP
LAC DMZ
Internet T1
IP Only Router
313
L2TP Multihop for
Clearing House Model
Enterprise
Clearing
House
Internet
DMZ
L2TP L2TP
LAC MultiHop LNS
Router
313
L2F/L2TP Multihop Configuration
vpdn enable
vpdn multihop
!
vpdn-group 1
accept dialin l2tp virtual-template 1 remote cs1
local name cs2
!
vpdn-group 2
request dialin l2tp ip 10.1.1.1 domain x.com
local name cs2
313
Domain Name Stripping
Configuration
Enterprise
X.COM
AAA
L2TP Jane
LNS
Jane@X.COM
LAC
Cisco IOS config:
ip host x.com 10.1.1.1

...
radius-server host 10.1.1.1
radius-server directed-request restricted
313
Service Provider VPN Summary
Pro • Service Guarantees Such as Modem

Reservation and QoS
• Service Provider IP Network Reliability
and Privacy
• No Client Software to Manage
Con • Must Contract with Service Provider(s)
• Coverage Area May Not Be as Great
313
Agenda

• VPN Overview
313
Cisco MPLS VPN Architecture
VPN Membership
Corp A Based on Interface
• Scalable VPNs Site 3 and Unique ID
Corp A
• Standards-based Site 1
Corp A
Site 2 MPLS
• IP QoS Network
Corp B
and traffic MPLS VPN Citybank Site 2
engineering MPLS VPN Bankcorp
Corp B
• WAN B/W Site 3
Corp B
optimization Site 1
Traffic Separation by
• No VC Interface
provisioning
required
313
Building VPNs with MPLS
Private View Public View Private View
Controlled Route
Distribution Cust A
(15)10.1.1 (15)10.2.1
10.2.1.x
Cust A VPN 15
10.1.1.x MPLS (15)10.3.1
VPN 15 Network
(354)10.2.1
Cust A
(354)10.1.1 10.3.1.x
VPN 15
Forwarding Examples
In Out
Cust B Cust B
10.1.1.x (15)10.2.1 (15)10.1.1 10.2.1.x
VPN 354 (15)10.3.1 VPN 354
(354)10.2.1 (354)10.1.1
313
PPP+MPLS VPN
VPN A
CE AAA
VPN100 PE
DNIS VPN 100 VPN 200 1.1.1.1
555-1212 FIB FIB
PPP Client BGP-MP AAA
POP IP
VPN A L2TP Server
NAS 1
PE
NAS 2 L2TP
IP
isp-b.net BGP-MP
PPP Client BGP-MP MPLS
VPN B Core
Route
Summary
Mgmt IP
Station
PE
VPN B
VPN200
CE AAA
313
1006_05F9_c3 © 1999, Cisco Systems, Inc. 2.2.2.2 52
PPP/MPLS VPN Configuration—
Define VPDN and VRFs
vpdn enable
vpdn-group 1
accept dialin l2tp virtual-template 1 remote nas-cisco
local name pe1
vpdn-group 2
accept dialin l2tp virtual-template 2 remote nas-stanford
local name pe1
!
ip vrf CISCO
rd 100:1
route-target both 100:1
!
ip vrf STANFORD
rd 100:2
route-target both 100:2
313
PPP/MPLS VPN Configuration—

Define Virtual Templates
interface virtual-template 1
ip vrf forwarding CISCO
ip address 10.100.0.1 255.255.255.0
no ip directed-broadcast
ppp authentication chap
peer default ip address pool CISCO
!
interface virtual-template 2
ip vrf forwarding STANFORD
ip address 10.200.0.1 255.255.255.0
no ip directed-broadcast
ppp authentication chap
peer default ip address pool STANFORD
313
PPP/MPLS VPN—Define Pools
and Configure Routing
ip local pool CISCO 10.100.0.2 10.100.0.254

ip local pool STANFORD 10.200.0.2 10.200.0.254
!
router bgp 1
address-family ipv4 vrf CISCO
network 10.100.0.0 mask 255.255.255.0
aggregate 10.100.0.0 255.255.255.0 summary
redistribute connected
exit-address-family
address-family ipv4 vrf STANFORD
network 10.200.0.0 mask 255.255.255.0
aggregate 10.200.0.0 255.255.255.0 summary
redistribute connected
exit-address-family
313
PPP/MPLS VPN—
Configure Interfaces
Interface FastEthernet 1.1

! this is a VLAN interface, but it doesn’t have to be
ip vrf forwarding CISCO
ip address 10.100.10.1 255.255.255.0
Interface FastEthernet 1.2

ip vrf forwarding STANFORD
ip address 10.200.10.1 255.255.255.0
! Optional static routes
ip vrf CISCO route 0.0.0.0 0.0.0.0 FastEthernet 1.1

ip vrf STANFORD route 0.0.0.0 0.0.0.0 FastEthernet 1.2
313
PPP/MPLS VPN—Other
Configuration Considerations
• Use Proxy Radius in first release

• Much work is being done in this area
313
Next Generation MPLS VPN

Solutions Summary
Pro • Offers Optimal Use of the Backbone

• Offers New Managed Service
Opportunities, Bundled VPN Services
(Dedicated and Access)
• Offers Traffic Engineering
• No Client Software to Manage
Con • Requires an Upgrade of the
Backbone Network
313
Resources
• VPN Services (Enterprise):

http://www.cisco.com/warp/public/779/largeent/
learn/technologies/VPNs.html
• VPN Services (Service Provider):
http://www.cisco.com/warp/public/779/servpro/
solutions/vpn/about.htm
• VPN Solutions for Service Providers:
http://www.cisco.com/warp/public/cc/cisco/mkt/
servprod/dial/index.shtml
• MPLS VPNs:
http://www.cisco.com/warp/public/784/packet/
313
apr99/6.html
Q&A
313
Please Complete Your
Evaluation Form
Session 313
313
313

Deploying VPNs and Tunneling Technology

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Deploying VPNs and Tunneling Technology

Uploaded by

Copyright:

Available Formats

313

1006_05F9_c3 © 1999, Cisco Systems, Inc. 1

Deploying VPNs and

• Scope of the Session

Scope of this Session

• A VPN survey with design guidelines, service options, and

What Is a “Public” Network?

• In this context, any network shared

• Scope of the Session

Enterprise Dial Outsourcing

ASYNC Internet T3 Web Servers

• PPTP/MPPE is built into Windows

• Need client software, bundled

IPSec Alone Considerations

• Client software need not support L2TP

Pro • Service Provider Independent

Con • No Resource Availability Guarantees

• Scope of the Session

Enterprise Intranet VPN

• VPNs through obscurity

• Used mainly by mobile users, mobile

• L2TP dynamic tunneling for

Router LEFT Router RIGHT

172.16.3.1 GRE Tunnel 172.16.3.2

IP GRE Network Packet

Router LEFT Router RIGHT

New IP HDR IPsec HDR IP HDR Data

IP HDR IPsec HDR Data

Enterprise Intranet and Extranet

Pro • Service Provider Independent

Con • No QoS Guarantee

• Scope of the Session

Service Provider Enterprise

RPMS and AAA AAA

IP V.90 PPP L2TP IP

L2TP Basic Cisco IOS Commands

Radius Tunnel Attribute

foo.com Password = "cisco User-Service = Outbound-User

Cisco-specific AV-Pairs Are Also Supported in

Optional Local AAA Radius/

RPM Customer Profile

resource-pool enable resource-pool profile customer FOO1

• Customer profiles stored in the RPMS

Domain IP 2nd Link

• SGBP determines bundle owner

Stacking Home Gateways/

• The IP ToS byte may be copied from

L2TP Multihop for Multi-Protocol

L2F/L2TP Multihop Configuration

ip host x.com 10.1.1.1

Service Provider VPN Summary

Pro • Service Guarantees Such as Modem

• Scope of the Session

Cisco MPLS VPN Architecture

PPP/MPLS VPN Configuration—

ip local pool CISCO 10.100.0.2 10.100.0.254

Interface FastEthernet 1.1

Interface FastEthernet 1.2

! Optional static routes

ip vrf CISCO route 0.0.0.0 0.0.0.0 FastEthernet 1.1

• Use Proxy Radius in first release

Next Generation MPLS VPN

Pro • Offers Optimal Use of the Backbone