Cisco CCIP MPLS Study Guide - James Reagan.pdf

ensure optimal routing, a full-mesh topology needs to be implemented between all customer sites. All those VCs don’t come for free, and full-mesh VPNs can get quite complex, especially in large environments.

Peer-to-peer VPNs are a solution to the full-mesh problem. With peer-to-peer VPNs, the service provider becomes involved with customer routing and ensures optimal path selection through the service provider network.

Every customer site connects and gets, in essence, a full-mesh topology simply as a function of the peer-to-peer VPN. Drawbacks? Security, management, and added network complexity.

Neither overlay nor peer-to-peer VPNs are based on MPLS. In Chapter 5, you’ll learn about MPLS VPNs allowing peer-to-peer VPNs to be implemented in a simpler and more secure manner.

Summary

This chapter explained that VPNs provide the same security and privacy of dedicated point-to-point connections without the costs. There are many types of technologies used to implement VPNs. At Layer 1, there is SONET, E1, T1, and ISDN. At Layer 2, there is Frame Relay, X.25, and ATM. At Layer 3, there is GRE and IPSec. When each site in a VPN is from the same company, the network is called an intranet. When sites are from different companies, or organizations, the network is called an extranet.

How VPNs are connected together also falls under topological categories. A full-mesh topology is when every site is connected to every other site. A partial-mesh topology is when some sites are fully meshed and other sites are not. In a hub-and-spoke topology, spoke sites are connected only to a hub site. Financial organizations make extensive use of hub-and-spoke topologies because they usually have centralized resources that need to be accessed by remote branch offices.

In an effort to offer improved services to customers, service providers began to implement peer-to-peer VPNs. The biggest difference between peer-to-peer VPNs and traditional VPNs is that a customer actually peers with a service provider device. The two ways to implement a peer-to-peer VPN are with a dedicated PE router or with a shared PE router. A peer-to-peer VPN using a shared router requires extensive management using access lists and route filters to ensure security. Peer-to-peer VPNs with a dedicated router are easier to implement, but they’re expensive.

Copyright ©2002 SYBEX, Inc., Alameda, CA

www.sybex.com

146 Chapter 4 VPNs: An Overview

Overlay VPNs are based on well-known and established technologies that keep customer sites isolated. The problem is that they don’t scale. Peer-to-peer VPNs are an improvement, but they’re extremely difficult to manage and secure.

Exam Essentials

Be able to describe virtual private networks. VPNs evolved as a cheaper but just-as-good alternative to point-to-point connections. In a VPN, customer sites are connected together with VCs. The customer network does not know the details of the service provider. Conversely, the service provider does not know about customer IP addresses or routing protocols.

Be able to define the major VPN topologies. There are essentially three major VPN topologies: full-mesh, partial-mesh, and hub-and-spoke. A full-mesh topology ensures optimal routing and redundancy. The drawback of a full-mesh topology is the number of VCs required to implement it. A partial-mesh topology has fewer virtual circuits and therefore costs less than a full-mesh topology. A partial-mesh topology does not offer the same optimal routing as a full-mesh topology. A hub-and-spoke topology is the cheapest of all VPNs to implement. A hub-and-spoke topology is most often implemented by financial organizations.

Understand peer-to-peer VPNs. To offer better services to customers, service providers began to implement peer-to-peer VPNs. The biggest difference between peer-to-peer VPNs and traditional VPNs is that a customer router actually peers with a service provider device. With a peer-to-peer VPN, a service provider becomes responsible for routing protocol convergence, knows the details of customer networks, and must work overtime to ensure security. There are two ways that peer-to-peer VPNs are implemented: dedicated router and shared router. A dedicated peer-to-peer VPN uses a single PE, or a set of PE routers, for a single customer. A shared peer-to-peer VPN has many customers connecting to the same PE router. A shared PE has the most security problems.

Be able to compare overlay and peer-to-peer VPNs. Overlay VPN technology has been around for a while and everyone knows how it works. With an overlay VPN, the service provider and customer sites are well isolated from each other. To have optimal routing in an overlay VPN, you need a full-mesh topology.

Peer-to-peer VPNs eliminate the need for a full mesh of VCs. With a peer-to-peer VPN solution, the service provider becomes involved with customer routing and ensures optimal path selection through the service provider network. Every customer site connects and gets, in essence, a full mesh simply as a function of the peer-to-peer VPN.

Key Terms

Before you take the exam, be certain you are familiar with the following terms:

dedicated router
extranet
full-mesh topology
hub-and-spoke topology
intranet
leased lines
optimal routing
overlay
partial-mesh topology
peer-to-peer VPNs
point-to-point connections
redundant hub-and-spoke topology
shared router

 


Review Questions

1. VPNs emerged as a technology to replace ___________.
A. Point-to-point connections
B. Overlays
C. Tag-switched VPNs
D. Full-mesh topologies

2. Which of the following is not an overlay VPN topology?
A. Full-mesh
B. Partial-mesh
C. Hub-and-spoke
D. Peer-to-peer

3. Which of the following topologies is usually used by financial organizations?
A. Full-mesh
B. Partial-mesh
C. Hub-and-spoke
D. Peer-to-peer

4. If optimal routing is desired in a VPN topology, which of the following topologies is the best?
A. Full-mesh
B. Partial-mesh
C. Hub-and-spoke
D. None of the above

5. In an overlay VPN, a customer router ___________ aware of the service provider infrastructure.
A. Is
B. Is not


6. In which of the following VPN methods is it the most difficult to implement proper security?
A. Simple VPN
B. Overlay
C. Peer-to-peer
D. None of the above

7. In a peer-to-peer VPN, a customer router ___________ aware of the service provider infrastructure.
A. Is
B. Is not

8. Which of the following peer-to-peer VPN methods has the most security problems associated with it?
A. Dedicated router
B. Shared router

9. A peer-to-peer VPN offers the same optimal traffic flow as a ___________ topology?
A. Full-mesh
B. Partial-mesh
C. Hub-and-spoke
D. None of the above

10. Which of the following overlay VPN topologies is the least expensive to implement?
A. Full-mesh
B. Partial-mesh
C. Hub-and-spoke
D. None of the above


11. IPSec and GRE tunnels are Layer ___________ VPN technologies?
A. 1
B. 2
C. 3
D. 7

12. Which of the following is a Layer 1 VPN technology?
A. IPSec
B. Frame Relay
C. GRE
D. ISDN

13. A(n) ___________ is where everyone being connected is part of the same company or organization.
A. Intranet
B. Extranet
C. Combination of intranet and extranet
D. None of the above

14. A(n) ___________ is where sites from different companies or organizations are connected.
A. Intranet
B. Extranet
C. Combination of intranet and extranet
D. None of the above

15. Frame Relay and ATM are Layer _________ VPN technologies.
A. 1
B. 2
C. 3
D. 7


16. Which of the following topologies provides the most redundancy?
A. Full-mesh
B. Partial-mesh
C. Hub-and-spoke
D. None of the above

17. Which of the following peer-to-peer VPN methods is the most expensive to implement?
A. Dedicated router
B. Shared router

18. Which of the following overlay VPN topologies is typically used by financial organizations?
A. Full-mesh
B. Partial-mesh
C. Hub-and-spoke
D. None of the above

19. In a peer-to-peer VPN, the ___________ becomes responsible for routing protocol convergence.
A. Customer
B. Service provider
C. Edge-LSR
D. PE

20. Which of the following are valid peer-to-peer VPN methods? (Choose two.)
A. Dedicated router
B. Full-mesh
C. Partial-mesh
D. Shared router
