Professional Documents
Culture Documents
313
1006_05F9_c3 © 1999, Cisco Systems, Inc. 2
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr 1
Agenda
313
1006_05F9_c3 © 1999, Cisco Systems, Inc. 4
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr 2
Virtual Private Network (VPN)
Defined
“ A Virtual Private
Network Carries Private
Traffic Over
a Public Network
”
313
1006_05F9_c3 © 1999, Cisco Systems, Inc. 5
313
1006_05F9_c3 © 1999, Cisco Systems, Inc. 6
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr 3
The Three Categories of VPN
Cisco
IOS®
313
1006_05F9_c3 © 1999, Cisco Systems, Inc. 7
Legacy VPNs
ASYNC
Remote
PSTN
Office Mobile User
Remote
Office ISDN
64 K
PRI
64 K Telecommuter
T1 Enterprise
Frame
Relay
AAA
Service Provider
DMZ
Internet
T1
Web Servers
DNS Server
SMTP Mail Relay
313
1006_05F9_c3 © 1999, Cisco Systems, Inc. 8
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr 4
Agenda
Remote 64 K
Office
AAA
Enterprise
Frame T1
Relay
64 K
Remote Service Provider
Office DMZ
May Be Service
Mobile Provider IP Network
User Instead of the Internet
313
1006_05F9_c3 © 1999, Cisco Systems, Inc. 10
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr 5
PPTP/MPPE
(Voluntary Tunneling)
ISP NAS
• PPP Termination PPTP
• Registered Address Server
192.x.x.x
10.x.x.x
Private
Internet Address
• Registered Address
• Tunnel Termination
• MPPE Decryption
PSTN
PPTP/
MPPE • Layer 2 VPN, Multiprotocol
192.x.x.x • MPPE Encryption
• Tunnel Is Transparent to ISP
313
1006_05F9_c3 © 1999, Cisco Systems, Inc. 11
PPTP/MPPE Considerations
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr 6
L2TP/IPSec (Client Mode L2TP
with Transport Mode ESP )
ISP NAS
• PPP Termination
• Registered Address
192.x.x.x L2TP LNS
10.x.x.x
Private
Internet Address
• Registered Address
• Tunnel Termination
• IPSec Decryption
PSTN
L2TP/
IPSec • Layer 2 VPN, Multiprotocol
192.x.x.x • IPSec Encryption
• Tunnel Is Transparent to ISP
313
1006_05F9_c3 © 1999, Cisco Systems, Inc. 13
L2TP/IPSec Considerations
313
1006_05F9_c3 © 1999, Cisco Systems, Inc. 14
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr 7
IPSec Alone
(Tunnel Mode with ESP)
ISP NAS
• PPP Termination
• Registered Address
192.x.x.x IPSec
10.x.x.x
Private
Internet Address
• Registered Address
• Tunnel Termination
• IPSec Decryption
PSTN
• IPSec Tunneling and
IPSec Encryption
192.x.x.x • Tunnel Is Transparent
to ISP
313
1006_05F9_c3 © 1999, Cisco Systems, Inc. 15
313
1006_05F9_c3 © 1999, Cisco Systems, Inc. 16
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr 8
Enterprise Dial/Access
VPN Summary
313
1006_05F9_c3 © 1999, Cisco Systems, Inc. 17
Agenda
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr 9
Enterprise Intranet VPNs
Enterprise
Remote Office Remote Office Hub AAA
May Be Service
Provider IP Network
Instead of the Internet 64 K 64 K DMZ
Mobile
User
T3 Web Servers
ASYNC Internet DNS Server
PSTN SMTP Mail Relay
USA ISP ISP
A B ISDN
ASYNC
ISP Telecommuter
Mobile PSTN C
User Australia
313
1006_05F9_c3 © 1999, Cisco Systems, Inc. 19
• Routing variants
• IP in IP
• L2TP router to router
• GRE tunneling
• IPSec in tunnel mode
313
1006_05F9_c3 © 1999, Cisco Systems, Inc. 20
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr 10
Routing Variants
313
1006_05F9_c3 © 1999, Cisco Systems, Inc. 21
IP in IP
313
1006_05F9_c3 © 1999, Cisco Systems, Inc. 22
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr 11
L2TP LAN to LAN
313
1006_05F9_c3 © 1999, Cisco Systems, Inc. 23
Generic Route
Encapsulation (GRE)
151.145.1.1 151.145.1.2
255.255.255.252 255.255.255.252
IP Cloud
151.145.0.0
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr 12
GRE Configuration
Router LEFT Configuration
• Network 151.145.x.x is in
publicly routable address Interface Ethernet 0
space (routable over the ip address 172.16.1.1 255.255.255.0
Internet or other shared
network) Interface Serial 0
ip address 151.145.1.1 255.255.255.0
• Routes for 151.145.x.x are
not propagated in private Interface Tunnel 0
network 172.16.x.x ip address 172.16.3.1 255.255.255.252
• Serial interfaces are point- tunnel source Serial 0
to-point connections across tunnel destination 151.145.1.2
the public network
router eigrp
• May be designed as a network 172.16.0.0
hub and spoke, the no auto-summary
configuration is the
same except the hub has ip route 151.145.0.0 255.255.0.0 Serial 0
tunnels to each spoke
313
1006_05F9_c3 © 1999, Cisco Systems, Inc. 25
IPSec
IP Cloud
20.1.1.2 20.1.1.1
255.255.255.0
IPSec Tunnel 255.255.255.0
313
1006_05F9_c3 © 1999, Cisco Systems, Inc. 26
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr 13
IPSec Modes
IP HDR Data
Tunnel Mode
IP HDR Data
Transport Mode
May Be Encrypted
313
1006_05F9_c3 © 1999, Cisco Systems, Inc. 27
IPSec
Router LEFT Configuration
crypto isakmp policy 1
hash md5
authentication pre-share
• A simple IPSec lifetime 3600
config that uses pre- crypto isakmp key cisco address 20.1.1.1
shared keys instead !
of a CA crypto ipsec transform-set Foo ah-md5-hmac esp-des
crypto ipsec transform-set Foo2 ah-sha-hmac esp-des
• Multiple policies may crypto ipsec transform-set Foo3 ah-md5-hmac esp-3des
be defined !
crypto map CryptPing 10 ipsec-isakmp
• Tie the crypto map set peer 20.1.1.1
to the outbound set security-association lifetime seconds 300
interface set transform-set Foo Foo2 Foo3
match address 101
• In this example, only !
interface Serial0
PING (or other ICMP
ip address 20.1.1.2 255.255.255.0
traffic) will crypto map CryptPing
be encrypted !
access-list 101 permit icmp host 20.1.1.2 host 20.1.1.1
313
1006_05F9_c3 © 1999, Cisco Systems, Inc. 28
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr 14
Enterprise Extranet
Enterprise X
May Be Service
Provider IP Network DMZ
Instead of the Internet
IPSec T1 IPSec
Internet
ISP B
ISP A
T1 T1
ISP C DMZ
DMZ
Partner Z
Supplier Y
313
1006_05F9_c3 © 1999, Cisco Systems, Inc. 29
313
1006_05F9_c3 © 1999, Cisco Systems, Inc. 30
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr 15
Agenda
Service
PRI(s) POP Provider
Network RPMS
DNIS= Core
555-1111
Joe
L2x Forwarded
Proxy
Radius
L2F or L2TP
Enterprise AAA
Z
313
1006_05F9_c3 © 1999, Cisco Systems, Inc. 32
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr 16
Virtual Private Dial Networks
(VPDN) Components
LACs (NASs)
PSTN
PRI(s) Service
Provider LNS
DNIS= POP Network (Home
555-1111 Gateway)
313
1006_05F9_c3 © 1999, Cisco Systems, Inc. 33
LAC:
vpdn-group 1
request dialin [l2f|l2tp] ip x.x.x.x [domain|dnis] <y>
local name <foo>
l2tp tunnel password <password>
LNS:
vpdn-group 1
accept dialin [l2f|l2tp|any] virtual-template 1 remote <y>
local name <foo>
l2tp tunnel password <password>
313
1006_05F9_c3 © 1999, Cisco Systems, Inc. 34
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr 17
L2TP LAC Configuration
through AAA
• Enables centralized configuration
of NAS/LACs
• Simplifies and standardizes
NAS/LAC configuration
• Radius, Tacacs+
• Resource Pool Management (RPM)
adds the ability to configure this
locally in the Cisco IOS
313
1006_05F9_c3 © 1999, Cisco Systems, Inc. 35
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr 18
Resource Pool Management
(RPM) Network Layout
Customer A
Resource
Groups
RPMS LNS
Customer B
• Resources are located in the NAS
• Information captured at call setup
DNIS, Call Type, CLID
• Public network interfaces supported
PRI, CT1, CT3, CE1, SS7
• Resource pool management may be located:
In the NAS (if single NAS) or in a Resource Pool Manager Server
313
1006_05F9_c3 © 1999, Cisco Systems, Inc. 37
A Outgoing
Incoming C Session
Call Management C Management
• DNIS Group(s)
E • Local
and Call Type P Authentication
T
• Session Limit • VPDN Group(s)
and Overflow
• Resource Group
and Resource
C
Service A
L
• Call Treatment
L
Threshold Settings (RPMS)
313
1006_05F9_c3 © 1999, Cisco Systems, Inc. 38
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr 19
Resource Pool Management
Cisco IOS Command Sample
313
1006_05F9_c3 © 1999, Cisco Systems, Inc. 39
RPMS Control
RMP RPMS
PRI
CT1
CE1
Modem PSTN/ISDN
DNIS RADIUS
Call Type
ISDN {CLID} AAA
Pool (Optional)
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr 20
Stackable L2TP LNSs
and Multilink PPP
LNS #1
NASs 1st Link
SGBP
AAA
hostname LNS1
!
username LNSstack password 7 00071A150754
!
multilink virtual-template 1
!
sgbp group LNSstack
sgbp member LNS2 10.1.1.2
sgbp member LNS3 10.1.1.3
sgbp member LNS4 10.1.1.4
!
vpdn multihop
313
1006_05F9_c3 © 1999, Cisco Systems, Inc. 42
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr 21
QoS Considerations
313
1006_05F9_c3 © 1999, Cisco Systems, Inc. 43
LNS
Multi Protocol Router
(IPX, ATalk, Etc.)
Enterprise
L2TP
NAS/ L2TP
LAC DMZ
Internet T1
IP Only Router
313
1006_05F9_c3 © 1999, Cisco Systems, Inc. 44
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr 22
L2TP Multihop for
Clearing House Model
Enterprise
Clearing
House
Internet
DMZ
L2TP L2TP
LAC MultiHop LNS
Router
313
1006_05F9_c3 © 1999, Cisco Systems, Inc. 45
vpdn enable
vpdn multihop
!
vpdn-group 1
accept dialin l2tp virtual-template 1 remote cs1
local name cs2
!
vpdn-group 2
request dialin l2tp ip 10.1.1.1 domain x.com
local name cs2
313
1006_05F9_c3 © 1999, Cisco Systems, Inc. 46
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr 23
Domain Name Stripping
Configuration
Enterprise
X.COM
AAA
L2TP Jane
LNS
Jane@X.COM
LAC
Cisco IOS config:
313
1006_05F9_c3 © 1999, Cisco Systems, Inc. 48
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr 24
Agenda
VPN Membership
Corp A Based on Interface
• Scalable VPNs Site 3 and Unique ID
Corp A
• Standards-based Site 1
Corp A
Site 2 MPLS
• IP QoS Network
Corp B
and traffic MPLS VPN Citybank Site 2
engineering MPLS VPN Bankcorp
Corp B
• WAN B/W Site 3
Corp B
optimization Site 1
Traffic Separation by
• No VC Interface
provisioning
required
313
1006_05F9_c3 © 1999, Cisco Systems, Inc. 50
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr 25
Building VPNs with MPLS
Private View Public View Private View
Controlled Route
Distribution Cust A
(15)10.1.1 (15)10.2.1
10.2.1.x
Cust A VPN 15
10.1.1.x MPLS (15)10.3.1
VPN 15 Network
(354)10.2.1
Cust A
(354)10.1.1 10.3.1.x
VPN 15
Forwarding Examples
In Out
Cust B Cust B
10.1.1.x (15)10.2.1 (15)10.1.1 10.2.1.x
VPN 354 (15)10.3.1 VPN 354
(354)10.2.1 (354)10.1.1
313
1006_05F9_c3 © 1999, Cisco Systems, Inc. 51
PPP+MPLS VPN
VPN A
CE AAA
VPN100 PE
DNIS VPN 100 VPN 200 1.1.1.1
555-1212 FIB FIB
PPP Client BGP-MP AAA
POP IP
VPN A L2TP Server
NAS 1
PE
NAS 2 L2TP
IP
isp-b.net BGP-MP
PPP Client BGP-MP MPLS
VPN B Core
Route
Summary
Mgmt IP
Station
PE
VPN B
VPN200
CE AAA
313
1006_05F9_c3 © 1999, Cisco Systems, Inc. 2.2.2.2 52
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr 26
PPP/MPLS VPN Configuration—
Define VPDN and VRFs
vpdn enable
vpdn-group 1
accept dialin l2tp virtual-template 1 remote nas-cisco
local name pe1
vpdn-group 2
accept dialin l2tp virtual-template 2 remote nas-stanford
local name pe1
!
ip vrf CISCO
rd 100:1
route-target both 100:1
!
ip vrf STANFORD
rd 100:2
route-target both 100:2
313
1006_05F9_c3 © 1999, Cisco Systems, Inc. 53
interface virtual-template 1
ip vrf forwarding CISCO
ip address 10.100.0.1 255.255.255.0
no ip directed-broadcast
ppp authentication chap
peer default ip address pool CISCO
!
interface virtual-template 2
ip vrf forwarding STANFORD
ip address 10.200.0.1 255.255.255.0
no ip directed-broadcast
ppp authentication chap
peer default ip address pool STANFORD
313
1006_05F9_c3 © 1999, Cisco Systems, Inc. 54
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr 27
PPP/MPLS VPN—Define Pools
and Configure Routing
313
1006_05F9_c3 © 1999, Cisco Systems, Inc. 55
PPP/MPLS VPN—
Configure Interfaces
313
1006_05F9_c3 © 1999, Cisco Systems, Inc. 56
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr 28
PPP/MPLS VPN—Other
Configuration Considerations
313
1006_05F9_c3 © 1999, Cisco Systems, Inc. 57
313
1006_05F9_c3 © 1999, Cisco Systems, Inc. 58
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr 29
Resources
Q&A
313
1006_05F9_c3 © 1999, Cisco Systems, Inc. 60
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr 30
Please Complete Your
Evaluation Form
Session 313
313
1006_05F9_c3 © 1999, Cisco Systems, Inc. 61
313
1006_05F9_c3 © 1999, Cisco Systems, Inc. 62
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr 31