Cisco CCIP MPLS Study Guide - James Reagan.pdf

This chapter is primarily a history lesson. There are many technologies that were used to connect sites together well before the concept of MPLS virtual private networks (VPNs) came along. This chapter starts with a review of dedicated point-to-point, or leased line, connections. Then it explains how, as less expensive alternatives to point-to-point connections, VPNs connect sites together with virtual circuits (VCs). VPN topologies are also covered in this chapter.

Just a few years ago, service providers began to offer peer-to-peer VPNs. Peer-to-peer VPNs are very different from traditional VPNs in that customer routers actually peer with service provider routers. This chapter will explain the characteristics of peer-to-peer VPNs in detail.

This chapter lays the foundation for you to really understand the mechanisms used for MPLS VPNs. Although no material in this chapter deals specifically with MPLS, it does cover the necessary exam objectives. For the MPLS exam, you are required to know about overlay and peer-to-peer VPNs, which MPLS VPNs may replace. You also need to know the usage scenarios, topologies, and the differences between them.

VPNs 101

I assume that most of you who have purchased this study guide already know 90% of the material in this chapter. Just to make sure that you’re up to speed on VPNs, this section covers the history of VPNs, including point-to-point connections and how they segued into VPNs. In addition, this section describes the basic VPN technologies and topologies. If you are a seasoned veteran, feel free to skim this section. If you’re wondering what a VPN is, keep reading.

Copyright ©2002 SYBEX, Inc., Alameda, CA

www.sybex.com


Point-to-Point Connections

Point-to-point connections, or leased lines, are not VPNs; they’re dedicated private links through a service provider network. Point-to-point connections offer guaranteed bandwidth and privacy through a service provider network, but they come at a price. Because the service provider is giving the customer guaranteed bandwidth, the customer pays for it all the time. It doesn’t matter if you’re not using any of the connection between 6 P.M. and 8 A.M.; you’re still paying for it. In addition, since you’re the only person using the connection, you get guaranteed privacy.

Point-to-point connections are expensive because the service provider can’t make use of statistical multiplexing. Statistical multiplexing is based on the principle that not everyone needs to use all the bandwidth they are paying for at any given time. Since not everyone will use all the bandwidth all the time, the service provider can sell more bandwidth than is actually present in the network.

Figure 4.1 illustrates connectivity with dedicated point-to-point links connecting customer devices.

FIGURE 4.1 Dedicated point-to-point connectivity [figure: customer routers R1 and R2 joined by a dedicated link through the provider network]

In Figure 4.1, customer routers R1 and R2 are totally unaware of the infrastructure behind their dedicated point-to-point connection. It’s important to remember that point-to-point connections are private, secure, and expensive.

Virtual Private Networks

VPNs emerged as an alternative to dedicated point-to-point connections because VPNs deliver the same benefits of dedicated point-to-point links but without the high cost. The earliest VPNs were made available with Frame Relay and X.25. By establishing VCs between the customer devices, the service provider was able to emulate dedicated point-to-point connections while sharing a common service provider infrastructure and therefore reducing costs.

In Figure 4.2, customer routers are shown connected through the service provider network with VCs.


122 Chapter 4 VPNs: An Overview

FIGURE 4.2 Customer connectivity with virtual circuits [figure: R1 and R2 connected through the provider network by virtual circuits (VCs)]

When customers are connected with virtual circuits through a shared service provider infrastructure, it is called an overlay. There are three common overlay VPN topologies that you need to know about: full-mesh, partial mesh, and hub-and-spoke.

Full-Mesh Topology

A full-mesh topology is where every site in the network is directly connected to every other site in the network. Figure 4.3 illustrates a full-mesh topology. In Figure 4.3, there are four routers connected together with six VCs.

FIGURE 4.3 A full-mesh topology [figure: routers R1, R2, R3, and R4 fully meshed by VC1 through VC6]

With a full-mesh topology, it’s easy to ensure optimal routing and redundancy. For example, in Figure 4.3, traffic from R1 to R2 follows VC1. Traffic from R1 to R4 follows VC5. In a fully meshed environment, traffic takes the most direct route. Figure 4.4 illustrates an example of the redundancy provided by a full-mesh topology, where VC1 and VC2 are unavailable. R1 can still reach R2 over the surviving VCs: traffic flows from R1 to R4 and then from R4 to R2, as you can see in Figure 4.5.


FIGURE 4.4 A full-mesh topology with failed VCs [figure: R1, R2, R3, and R4 with VC1 and VC2 failed; VC3, VC4, VC5, and VC6 remain]

FIGURE 4.5 Traffic flow for a full-mesh topology with failed VCs [figure: traffic from R1 to R2 carried via R4 over the surviving VC3, VC4, VC5, and VC6]

Now that you know about the advantages of a full-mesh topology, let’s discuss some of its drawbacks. In the simple network illustrated in Figure 4.3, with four routers connected together in a full-mesh, only six VCs are required. One of the big problems with a full-mesh overlay is that it does not scale well. The best way to illustrate the scalability problem is to take it to the extreme. How many VCs are required to fully mesh 100 routers together? A total of 4950! Another disadvantage of implementing a full-mesh topology is cost. Try telling your finance person that you need 4950 virtual circuits. They aren’t as expensive as leased lines, but they aren’t cheap.

Partial-Mesh Topology

So, you don’t want a full-mesh topology, or you can’t afford it. What are your alternatives? One alternative to a full-mesh topology is a partial-mesh topology, where each site is directly connected to one or two other sites in the network. Figure 4.6 illustrates a partial-mesh topology.


FIGURE 4.6 A partial-mesh topology [figure: R1, R2, R3, and R4 connected by VC1 through VC4]

In Figure 4.6, the connectivity requirements are resource driven. For example, all sites (R1, R2, and R3) need to connect to resources located off of R4. Notice in Figure 4.6 that VC2, VC3, and VC4 give the sites R1, R2, and R3 a direct connection to R4. In addition, R1 needs to connect to data located off of R3. To provide for connectivity, VC1 runs between them. A partial-mesh topology has fewer virtual circuits and therefore costs less than a full-mesh topology.

Hub-and-Spoke Topology

A hub-and-spoke topology is the least expensive of all VPNs to implement. A hub-and-spoke topology is most often implemented by financial organizations because they usually have centralized resources that need to be accessed by remote branch offices. With a hub-and-spoke topology, the spoke sites don’t need to communicate with each other, only with the central, or hub, site. Figure 4.7 illustrates a hub-and-spoke topology.

In Figure 4.7, the hub site is R1. Each router (R2, R3, and R4) has a direct connection to R1. From a traffic standpoint, R2, R3, and R4 cannot communicate directly with each other unless R1 provides transit between them.

A hub-and-spoke topology is the least expensive network topology to implement, but it does not offer any redundancy. For example, if VC1 goes down between R1 and R2, then R2 will not be able to access any data at the hub. Figure 4.8 illustrates this situation.


FIGURE 4.7 A hub-and-spoke topology [figure: hub R1 connected by VC1, VC2, and VC3 to spokes R2, R3, and R4]

FIGURE 4.8 A hub-and-spoke topology with a VC failure [figure: hub R1 with VC1, VC2, and VC3 to spokes R2, R3, and R4; VC1 has failed]

Redundant Hub-and-Spoke Topology

The redundant hub-and-spoke topology is an extension of the standard hub-and-spoke topology. A standard hub-and-spoke topology has a single point of failure in the connections that link the spoke sites with the hub site. For example, Figure 4.9 illustrates a standard hub-and-spoke topology.


FIGURE 4.9 A standard hub-and-spoke topology [figure: one Hub connected to Spoke 1, Spoke 2, and Spoke 3]

What happens when the connection between Spoke 1 and the hub becomes unavailable? Spoke 1 loses connectivity to the hub. To remedy this problem, you can use a redundant hub-and-spoke topology, illustrated in Figure 4.10. In a redundant hub-and-spoke topology, there are multiple hubs and multiple connections between the hubs and the spokes. That way, if one connection goes down, the connectivity is provided via another connection.

FIGURE 4.10 A redundant hub-and-spoke topology [figure: Hub 1 and Hub 2 each connected to Spoke 1, Spoke 2, and Spoke 3]


What happens if one of the links goes down between Spoke 1 and one of the hubs in Figure 4.10? Connectivity is still available through the alternate connection. What happens if Hub 2 goes down in its entirety? The hub site is still available through Hub 1.

In addition to designing a network for redundancy as in the redundant hub-and-spoke topology, redundancy can also be implemented by using multiple service providers. Figure 4.11 shows a simple redundant hub-and-spoke topology where all the connections are with a single service provider.

FIGURE 4.11 A redundant hub-and-spoke topology with a single service provider [figure: Hub 1 and Hub 2 each connected to Spoke 1, Spoke 2, and Spoke 3; all six links via Provider 1]

If there is a catastrophic problem with the single service provider, a spoke site, or multiple spoke sites, can lose all connectivity. Instead of using a single service provider, multiple service providers can be used to improve upon the redundant hub-and-spoke design and guarantee connectivity.

Figure 4.12 illustrates such a situation. All the spokes have connectivity to Hub 1 through Provider 1 and connectivity to Hub 2 through Provider 2. If Provider 1 has a catastrophic failure, all the Provider 1 links will go down. Assuming that Provider 2 is not experiencing any failures, redundancy is preserved through the alternate connections.


FIGURE 4.12 A redundant hub-and-spoke topology with multiple service providers [figure: Spoke 1, Spoke 2, and Spoke 3 connected to Hub 1 via Provider 1 and to Hub 2 via Provider 2]
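As an added example that is not part of the study guide, the following Python models the full-mesh, hub-and-spoke, and redundant hub-and-spoke topologies of Figures 4.3 through 4.12 as lists of VCs, reproduces the VC counts from the text (6 for four routers, 4950 for 100), and checks which VC, hub, or provider failures cut a site off. Site and provider names are constructed, and the choice of R1-R3 for VC2 in Figure 4.4 is an assumption, since the figure does not fix it.

```python
# Added example, not code from the study guide. A VC is (site_a, site_b, provider).
# Names and the R1-R3 placement of VC2 are constructed assumptions.
from itertools import combinations

def full_mesh(sites, provider="Provider 1"):
    """One VC per pair of sites: n(n-1)/2 VCs (4 sites need 6, 100 need 4950)."""
    return [(a, b, provider) for a, b in combinations(sites, 2)]

def hub_and_spoke(hubs, spokes, providers=("Provider 1",)):
    """Every spoke gets one VC to every hub. Hub i's VCs ride provider i
    (cycled), so two hubs on two providers reproduce Figure 4.12."""
    return [(hub, spoke, providers[i % len(providers)])
            for i, hub in enumerate(hubs) for spoke in spokes]

def reachable(vcs, src, dst, failed_vcs=(), failed_sites=(), failed_providers=()):
    """Depth-first search from src over the VCs that survive the given failures."""
    up = [(a, b) for a, b, prov in vcs
          if (a, b) not in failed_vcs and (b, a) not in failed_vcs
          and prov not in failed_providers
          and a not in failed_sites and b not in failed_sites]
    seen, stack = {src}, [src]
    while stack:
        node = stack.pop()
        for a, b in up:
            nxt = b if a == node else a if b == node else None
            if nxt is not None and nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return dst in seen

def single_points_of_failure(vcs):
    """VCs whose loss, on its own, cuts at least one pair of sites apart."""
    sites = sorted({s for a, b, _ in vcs for s in (a, b)})
    return [(a, b) for a, b, _ in vcs
            if any(not reachable(vcs, x, y, failed_vcs={(a, b)})
                   for x, y in combinations(sites, 2))]

if __name__ == "__main__":
    mesh = full_mesh(["R1", "R2", "R3", "R4"])                # Figure 4.3
    print(len(mesh))                                          # 6
    # Figure 4.4: VC1 (R1-R2) and VC2 (assumed R1-R3) are down; R1 still reaches R2.
    print(reachable(mesh, "R1", "R2", failed_vcs={("R1", "R2"), ("R1", "R3")}))  # True
    spokes = hub_and_spoke(["R1"], ["R2", "R3", "R4"])        # Figure 4.7
    print(single_points_of_failure(spokes))  # [('R1', 'R2'), ('R1', 'R3'), ('R1', 'R4')]
    dual = hub_and_spoke(["Hub 1", "Hub 2"], ["Spoke 1", "Spoke 2", "Spoke 3"],
                         providers=("Provider 1", "Provider 2"))  # Figure 4.12
    print(single_points_of_failure(dual))                     # []
    print(reachable(dual, "Spoke 1", "Hub 2", failed_providers={"Provider 1"}))  # True
```

Running it with the single-provider Figure 4.11 design instead (default `providers`) shows every path dying with `failed_providers={"Provider 1"}`, which is the case the text warns about.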

VPN Technologies

This chapter is exposing you to overlay VPN topologies and traditional Layer 2 overlay VPN technologies such as Frame Relay, X.25, and ATM. There are, however, other VPN technologies that you should be aware of. I’ll start with the bottom of the OSI model and work my way up.

Layer 1: Physical layer VPNs At Layer 1 of the OSI model, technologies such as SONET, E1, T1, and ISDN are used to provide VPNs.

Layer 2: Data Link layer VPNs At Layer 2 of the OSI model, technologies such as Frame Relay, X.25, and ATM are used to provide VPNs.

Layer 3: Network layer VPNs At Layer 3 of the OSI model, technologies such as IPSec and GRE tunnels are used to provide VPNs.

Although there are many possible technologies, they all suffer from the same problem: they do not scale well.
