- Acknowledgments
- Introduction
- Assessment Test
- Answers to Assessment Test
- Service Provider Networks
- Scalability
- Traffic Engineering
- Quality of Service
- MPLS Label Stack
- Shim Header
- MPLS Architecture
- Control
- Forwarding
- MPLS Label Switching
- MPLS Network Components
- Device Output
- Label-Switched Paths
- MPLS Applications
- MPLS and ATM
- Overlay
- Quality of Service
- Traffic Engineering
- Summary
- Exam Essentials
- Key Terms
- Review Questions
- Answers to Review Questions
- Routing Review
- Frame-Mode MPLS Working Example
- Network Routing Protocol Examples
- MPLS Step by Step
- Label Distribution
- Assigning Labels
- Troubleshooting and Verification
- Device Configuration
- IGP Verification
- CEF Verification
- MPLS Verification
- Label Distribution and Bindings
- Binding Verification
- Troubleshooting the Network
- Hiding Service Provider Devices
- Summary
- Exam Essentials
- Key Terms
- Review Questions
- Answers to Review Questions
- Frame-Mode MPLS and ATM
- Frame-Mode MPLS and ATM Configuration
- Cell-Mode MPLS
- Label Binding with ATM
- Cell-Mode Label Switching
- VC Merge
- Loop Prevention
- Cell-Mode MPLS Configuration
- Summary
- Exam Essentials
- Key Terms
- Review Questions
- Answers to Review Questions
- VPNs 101
- Point-to-Point Connections
- Virtual Private Networks
- Categories of VPNs
- VPN Routing
- Peer-to-Peer VPNs
- Optimal Routing
- Peer-to-Peer Security
- Peer-to-Peer VPN Routing
- Summary
- Exam Essentials
- Key Terms
- Review Questions
- Answers to Review Questions
- Service Provider Configuration
- MPLS VPNs
- Virtual Router
- Virtual Routing and Forwarding Tables
- MPLS Operational Overview
- MP-BGP Configuration
- An MPLS VPN Example
- Route Distinguisher
- MP-IBGP Configuration Example
- Initial Network Configuration
- MP-IBGP Configuration
- Verification
- Summary
- Exam Essentials
- Key Terms
- Review Questions
- Answers to Review Questions
- A Review of VPNs
- Configuring a Simple MPLS VPN
- Configuring VRF Interfaces
- Running RIP in an MPLS VPN
- Configuring RIPv2 with Address-Family ipv4
- Configuring Redistribution
- Route Targets
- Configuring Route Targets
- A Review of Simple VPN Configuration
- Configuring MPLS in the Service Provider Network
- Simple VPN Configuration
- Configuring the PE-CE Routing Protocol
- Lab: Configuring an MPLS VPN
- Configuring POP Routers
- VPN Configuration
- Raleigh Running-Config
- Atlanta Running-Config
- Peer 1 Running-Config
- Peer 2 Running-Config
- Verification with Ping
- Routing Table Isolation
- Verifying VRF Routes
- Summary
- Exam Essentials
- Key Terms
- Review Questions
- Answers to Review Questions
- MP-BGP and OSPF
- A Review of OSPF
- OSPF Router Types
- Link State Advertisements
- OSPF for MPLS VPNs
- OSPF Super-Backbone
- Preventing Routing Loops
- Path Selection
- MPLS VPN OSPF Lab
- Summary
- Exam Essentials
- Key Terms
- Review Questions
- Answers to Review Questions
- Static Routing
- Device Configuration
- VPN Configuration
- Raleigh Running-Config
- Atlanta Running-Config
- Peer Router Configuration
- Verification with Ping
- Verifying Static VRF Routes
- E-BGP and MPLS VPNs
- Device Configuration
- E-BGP Operation
- AS-Override
- VPN Configuration
- Raleigh Running-Config
- Atlanta Running-Config
- Peer Router Configuration
- Peer 1 Running-Config
- Peer 2 Running-Config
- Verification with Ping
- Advanced MPLS VPN Topologies
- Simple VPNs
- Central Services MPLS VPN Topology
- Overlay MPLS VPN Topology
- Summary
- Exam Essentials
- Key Terms
- Review Questions
- Answers to Review Questions
- Challenge Lab 1
- MPLS
- MP-IBGP
- Answer to Lab 1.1
- Answer to Lab 1.2
- Answer to Lab 1.3
- Challenge Lab 2
- Tag Switching
- MP-IBGP
- Answer to Lab 2.1
- Answer to Lab 2.2
- Answer to Lab 2.3
- Challenge Lab 3
- VRF Configuration
- RIPv2
- Redistribution
- Answer to Lab 3.1
- Answer to Lab 3.2
- Answer to Lab 3.3
- Challenge Lab 4
- VRF Configuration
- OSPF
- Redistribution
- Answer to Lab 4.1
- Answer to Lab 4.2
- Answer to Lab 4.3
- Challenge Lab 5
- VRF Configuration
- Static Routes and Redistribution
- Answer to Lab 5.1
- Answer to Lab 5.2
- Challenge Lab 6
- VRF Configuration
- E-BGP Configuration
- Answer to Lab 6.1
- Answer to Lab 6.2
- Service Provider Network Configuration with OSPF
- Router Configuration
- Routing Tables
- Tags
- Service Provider Network Configuration with IS-IS
- Router Configuration
- Routing Tables
- Tag Switching Forwarding Tables
- Glossary
ensure optimal routing, a full-mesh topology needs to be implemented between all customer sites. All those VCs don’t come for free, and full-mesh VPNs can get quite complex, especially in large environments.
Peer-to-peer VPNs are a solution to the full-mesh problem. With peer-to-peer VPNs, the service provider becomes involved with customer routing and ensures optimal path selection through the service provider network.
Every customer site connects and gets, in essence, a full-mesh topology simply as a function of the peer-to-peer VPN. Drawbacks? Security, management, and added network complexity.
Neither overlay nor peer-to-peer VPNs are based on MPLS. In Chapter 5, you’ll learn about MPLS VPNs allowing peer-to-peer VPNs to be implemented in a simpler and more secure manner.
Summary
This chapter explained that VPNs provide the same security and privacy as dedicated point-to-point connections without the costs. Many technologies are used to implement VPNs. At Layer 1, there are SONET, E1, T1, and ISDN. At Layer 2, there are Frame Relay, X.25, and ATM. At Layer 3, there are GRE and IPSec. When each site in a VPN belongs to the same company, the network is called an intranet. When sites belong to different companies or organizations, the network is called an extranet.
How VPNs are connected together also falls under topological categories. A full-mesh topology is when every site is connected to every other site. A partial-mesh topology is when some sites are fully meshed and other sites are not. In a hub-and-spoke topology, spoke sites are connected only to a hub site. Financial organizations make extensive use of hub-and-spoke topologies because they usually have centralized resources that need to be accessed by remote branch offices.
In an effort to offer improved services to customers, service providers began to implement peer-to-peer VPNs. The biggest difference between peer-to-peer VPNs and traditional VPNs is that a customer actually peers with a service provider device. The two ways to implement a peer-to-peer VPN are to use either a dedicated or a shared PE router. A peer-to-peer VPN using a shared router requires extensive management using access lists and route filters to ensure security. Peer-to-peer VPNs with a dedicated router are easier to implement, but they're expensive.
Copyright ©2002 SYBEX, Inc., Alameda, CA |
www.sybex.com |
146 Chapter 4 VPNs: An Overview
Overlay VPNs are based on well-known and established technologies that keep customer sites isolated. The problem is that they don't scale. Peer-to-peer VPNs are an improvement, but they're extremely difficult to manage and secure.
Exam Essentials
Be able to describe virtual private networks. VPNs evolved as a cheaper but just-as-good alternative to point-to-point connections. In a VPN, customer sites are connected together with VCs. The customer network does not know the details of the service provider. Conversely, the service provider does not know about customer IP addresses or routing protocols.
Be able to define the major VPN topologies. There are essentially three major VPN topologies: full-mesh, partial-mesh, and hub-and-spoke. A full-mesh topology ensures optimal routing and redundancy. The drawback of a full-mesh topology is the number of VCs required to implement it. A partial-mesh topology has fewer virtual circuits and therefore costs less than a full-mesh topology. A partial-mesh topology does not offer the same optimal routing as a full-mesh topology. A hub-and-spoke topology is the cheapest of all VPNs to implement. A hub-and-spoke topology is most often implemented by financial organizations.
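To make the VC-count versus optimal-routing trade-off concrete, here is an added Python model (not code from the book) that builds the three topologies for a constructed set of five sites, counts the VCs each needs, checks which site pairs have a direct VC (optimal routing), and tests whether any single site failure partitions the VPN (redundancy):

```python
from itertools import combinations

# Constructed sample sites: one headquarters and four branches.
SITES = ["HQ", "Branch1", "Branch2", "Branch3", "Branch4"]

def full_mesh(sites):
    """One VC between every pair of sites."""
    return {frozenset(p) for p in combinations(sites, 2)}

def hub_and_spoke(hub, spokes):
    """Each spoke has exactly one VC, to the hub."""
    return {frozenset((hub, s)) for s in spokes}

def partial_mesh(hub, spokes, extra_pairs):
    """Hub-and-spoke plus a few direct spoke-to-spoke VCs."""
    return hub_and_spoke(hub, spokes) | {frozenset(p) for p in extra_pairs}

def hops(vcs, src, dst, down=frozenset()):
    """Fewest VCs between src and dst, avoiding failed sites; None if cut off."""
    queue, seen = [(src, 0)], {src}
    while queue:
        node, dist = queue.pop(0)
        if node == dst:
            return dist
        for vc in vcs:
            if node in vc:
                (nxt,) = vc - {node}
                if nxt not in seen and nxt not in down:
                    seen.add(nxt)
                    queue.append((nxt, dist + 1))
    return None

def evaluate(vcs, sites):
    """VC cost, how many site pairs get optimal (one-hop) routing, and
    whether every surviving pair stays connected after any single site fails."""
    pairs = list(combinations(sites, 2))
    optimal = sum(1 for a, b in pairs if hops(vcs, a, b) == 1)
    survives = all(hops(vcs, a, b, {x}) is not None
                   for x in sites for a, b in pairs if x not in (a, b))
    return {"vcs": len(vcs), "optimal_pairs": optimal,
            "total_pairs": len(pairs), "survives_site_failure": survives}

def compare():
    """Evaluate all three topologies over the constructed sites."""
    hub, spokes = SITES[0], SITES[1:]
    return {
        "full-mesh": evaluate(full_mesh(SITES), SITES),
        "partial-mesh": evaluate(partial_mesh(hub, spokes, [("Branch1", "Branch2")]), SITES),
        "hub-and-spoke": evaluate(hub_and_spoke(hub, spokes), SITES),
    }
```

For five sites the full mesh needs 10 VCs and is the only topology that both routes every pair directly and survives the loss of any site; hub-and-spoke needs 4 VCs but loses every spoke-to-spoke path when the hub fails.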
Understand peer-to-peer VPNs. To offer better services to customers, service providers began to implement peer-to-peer VPNs. The biggest difference between peer-to-peer VPNs and traditional VPNs is that a customer router actually peers with a service provider device. With a peer-to-peer VPN, a service provider becomes responsible for routing protocol convergence, knows the details of customer networks, and must work overtime to ensure security. There are two ways that peer-to-peer VPNs are implemented: dedicated router and shared router. A dedicated peer-to-peer VPN uses a single PE, or a set of PE routers, for a single customer. A shared peer-to-peer VPN has many customers connecting to the same PE router. A shared PE has the most security problems.
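Why a shared PE needs per-customer route filters, shown as an added Python model of the PE's single routing table (not the book's or any vendor's configuration; the customer names, CE peer names and prefixes are constructed): without an outbound filter, every CE is sent every route the PE knows, including other customers' prefixes.

```python
from ipaddress import ip_network

# Constructed sample: one shared PE router peering with three customer CEs.
CE_PEERS = {"ce-acme-1": "ACME", "ce-acme-2": "ACME", "ce-globex-1": "GLOBEX"}

# Routes the PE has learned, as (prefix, CE that advertised it). Constructed.
LEARNED_ROUTES = [
    ("10.1.0.0/16", "ce-acme-1"),
    ("10.2.0.0/16", "ce-acme-2"),
    ("172.16.0.0/16", "ce-globex-1"),
    ("172.17.0.0/16", "ce-globex-1"),
]

def build_table(routes):
    """A shared PE keeps all customers' routes in one table; the only thing
    separating them is a tag recording which customer each route belongs to."""
    return [(ip_network(prefix), CE_PEERS[ce], ce) for prefix, ce in routes]

def advertise(table, to_peer, filtered):
    """Routes the PE announces to one CE.
    filtered=False: the whole table (minus the peer's own routes).
    filtered=True: the per-customer route filter the chapter calls for,
    passing only routes tagged with that CE's customer."""
    customer = CE_PEERS[to_peer]
    sent = []
    for prefix, tag, from_ce in table:
        if from_ce == to_peer:
            continue            # do not echo the CE's own routes back to it
        if filtered and tag != customer:
            continue            # another customer's route: the filter drops it
        sent.append((str(prefix), tag))
    return sent

def leaked(table, to_peer, filtered):
    """Prefixes announced to this CE that belong to a different customer."""
    customer = CE_PEERS[to_peer]
    return [p for p, tag in advertise(table, to_peer, filtered) if tag != customer]

def audit(filtered):
    """Leak report for every CE on the PE under one filtering policy."""
    table = build_table(LEARNED_ROUTES)
    return {ce: leaked(table, ce, filtered) for ce in CE_PEERS}
```

Every new customer or prefix on the shared PE means another filter entry to get right, which is the management burden the chapter attributes to the shared-router design.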
Be able to compare overlay and peer-to-peer VPNs. Overlay VPN technology has been around for a while and everyone knows how they work. With an overlay VPN, the service provider and customer sites are well isolated from each other. To have optimal routing in an overlay VPN, you need a full-mesh topology.
Peer-to-peer VPNs eliminate the need for a full mesh of VCs. With a peer-to-peer VPN solution, the service provider becomes involved with customer routing and ensures optimal path selection through the service provider network. Every customer site connects and gets, in essence, a full mesh simply as a function of the peer-to-peer VPN.
Key Terms
Before you take the exam, be certain you are familiar with the following terms:
- dedicated router
- extranet
- full-mesh topology
- hub-and-spoke topology
- intranet
- leased lines
- optimal routing
- overlay
- partial-mesh topology
- peer-to-peer VPNs
- point-to-point connections
- redundant hub-and-spoke topology
- shared router
Review Questions
1. VPNs emerged as a technology to replace ___________.
A. Point-to-point connections
B. Overlays
C. Tag-switched VPNs
D. Full-mesh topologies
2. Which of the following is not an overlay VPN topology?
A. Full-mesh
B. Partial-mesh
C. Hub-and-spoke
D. Peer-to-peer
3. Which of the following topologies is usually used by financial organizations?
A. Full-mesh
B. Partial-mesh
C. Hub-and-spoke
D. Peer-to-peer
4. If optimal routing is desired in a VPN topology, which of the following topologies is the best?
A. Full-mesh
B. Partial-mesh
C. Hub-and-spoke
D. None of the above
5. In an overlay VPN, a customer router ___________ aware of the service provider infrastructure.
A. Is
B. Is not
6. In which of the following VPN methods is it the most difficult to implement proper security?
A. Simple VPN
B. Overlay
C. Peer-to-peer
D. None of the above
7. In a peer-to-peer VPN, a customer router ___________ aware of the service provider infrastructure.
A. Is
B. Is not
8. Which of the following peer-to-peer VPN methods has the most security problems associated with it?
A. Dedicated router
B. Shared router
9. A peer-to-peer VPN offers the same optimal traffic flow as a ___________ topology?
A. Full-mesh
B. Partial-mesh
C. Hub-and-spoke
D. None of the above
10. Which of the following overlay VPN topologies is the least expensive to implement?
A. Full-mesh
B. Partial-mesh
C. Hub-and-spoke
D. None of the above
11. IPSec and GRE tunnels are Layer ___________ VPN technologies?
A. 1
B. 2
C. 3
D. 7
12. Which of the following is a Layer 1 VPN technology?
A. IPSec
B. Frame Relay
C. GRE
D. ISDN
13. A(n) ___________ is where everyone being connected is part of the same company or organization.
A. Intranet
B. Extranet
C. Combination of intranet and extranet
D. None of the above
14. A(n) ___________ is where sites from different companies or organizations are connected.
A. Intranet
B. Extranet
C. Combination of intranet and extranet
D. None of the above
15. Frame Relay and ATM are Layer _________ VPN technologies.
A. 1
B. 2
C. 3
D. 7
16. Which of the following topologies provides the most redundancy?
A. Full-mesh
B. Partial-mesh
C. Hub-and-spoke
D. None of the above
17. Which of the following peer-to-peer VPN methods is the most expensive to implement?
A. Dedicated router
B. Shared router
18. Which of the following overlay VPN topologies is typically used by financial organizations?
A. Full-mesh
B. Partial-mesh
C. Hub-and-spoke
D. None of the above
19. In a peer-to-peer VPN, the ___________ becomes responsible for routing protocol convergence.
A. Customer
B. Service provider
C. Edge-LSR
D. PE
20. Which of the following are valid peer-to-peer VPN methods? (Choose two.)
A. Dedicated router
B. Full-mesh
C. Partial-mesh
D. Shared router