350-501 SPCOR Cisco CCNP Service Provider – Virtual Private Networks part 1

  1. VPN – Introduction

In this section I'm going to introduce you to one of the most commonly used WAN technologies, the VPN, and the different ways it is implemented. First we'll look at the concept of a VPN, then the reasons VPNs were introduced and why they are a better technology than leased-line connections. Finally we'll discuss the different VPN models. In this course we'll focus mainly on MPLS VPNs, and before we finish I'll list some of the benefits and drawbacks of the different kinds of VPN implementations. Let's get started with the first topic: the traditional router-based network.

When we talk about WAN connections, if you go back to the early 1980s, if site A of customer A wanted to connect to site B, site C and site D, it needed a separate cable, a separate leased-line connection from the service provider, for each one. This is the traditional router-based network: the customer sites are connected with dedicated point-to-point leased lines provided by the service provider. It is a very good connection, but leased lines have both advantages and disadvantages. On the advantage side, a leased line is a private circuit that is not shared with any other customer, which is why it is considered very secure, and it provides high bandwidth with good quality and reliability.

But leased lines are very expensive. If you want router A connected to routers B, C and D, you need three separate leased lines, and if you also want B connected to C and C to D, you need yet more. The more sites you want to connect, the more separate dedicated WAN connections you need, and each one is a permanent circuit. It is also not scalable. Say I connect three branch offices today; in the future I add two more and want them to communicate with my head office.

Again, we need a separate dedicated connection for each one. As the organization grows and more branch offices are added, we need more and more dedicated leased lines, and it is very difficult for the service provider to provision a separate dedicated line for every single site. So it is not a scalable solution. Later, in the 1990s, the concept of the VPN was introduced. When I say VPN, don't confuse it with Internet VPNs or IPsec VPNs alone; those are one kind of VPN, but here we mean VPN technology in general. Frame Relay, X.25 and ATM are all VPN implementations,

and so are GRE, DMVPN, IPsec, MPLS and L2TPv3. They differ in how they are implemented. In the VPN case, I have a customer site on the left and another customer site on the right. To connect the two branch offices, instead of a dedicated line I use the service provider's existing network: the customer connects to the nearest provider router,

the nearest router or Frame Relay switch, depending on the technology in use. The service provider receives the traffic from the customer site and carries it across the provider network. This kind of implementation is what we call a Virtual Private Network: even though we are actually connecting through the service provider's network, it provides a virtual point-to-point connection. Virtually it is point-to-point, but there is no permanent dedicated line between the two sites.

That is why we call them VPNs, Virtual Private Networks: they replace the dedicated point-to-point leased lines with emulated point-to-point links. Emulated means that virtually there is a point-to-point connection between the two sites, but physically there is no separate line; the traffic passes through the service provider's devices, and the provider allows you to send your traffic over its shared network. Customers use VPNs primarily to reduce operational cost; compared with leased lines, the VPN is the cost-effective solution.

At the same time it is much more scalable than leased lines; we'll look at the advantages and disadvantages in more detail on the next slide. Among the VPN technologies, X.25 is no longer used, Frame Relay is one kind of VPN implementation, ATM is also not much in use any more, and then we have GRE, DMVPN, IPsec, MPLS and L2TPv3. These are all examples of VPN implementations, but the way they work and the way they are configured is totally different from one to the next. We are not going to work through all of them; our main focus in this video series is understanding MPLS.

OK, so let's look at the advantages of a VPN implementation. The first is cost saving: we replace the expensive leased lines with a less expensive connection to the service provider over DSL, fiber or another access technology commonly used for the various VPN implementations. The second is scalability: adding a new branch office is fast and simple, because it only needs one additional link to the service provider. Let me show you why it is so simple.

If I want to add two new branch offices, all I need to do is connect the customer router at each one to the nearest service provider router. The connectivity through the provider network already exists, so if these two branch offices, or a new customer's sites, want to communicate with each other, they simply send traffic to their nearest provider router and it is carried across the provider network to the other side. You don't need a separate dedicated point-to-point connection.

So for the service provider, adding a new branch office is easy: just connect the customer router to the nearest provider device. It is a scalable solution, because adding more customers or more sites does not add much overhead on the provider, whereas with leased lines every site needs its own separate dedicated connection. That is one advantage: scalability. Another is improved security through encryption and authentication in some implementations, such as IPsec VPNs (note that this applies to IPsec, not to every VPN type: Frame Relay or MPLS VPNs keep customers' traffic separate but do not encrypt it).

With IPsec I can provide a WAN connection over the existing Internet, using strong encryption protocols and strong authentication methods to make it as secure as a private connection, with performance roughly equivalent to a leased line. VPNs are also flexible: most VPN connections can run over fiber, DSL and other broadband options, and they are reliable. So compared with leased lines, VPNs offer real advantages in today's networks, and most leased lines have been replaced with one kind of VPN implementation or another.

Next, the VPN terminology. The service provider network is called the P network, the provider network: the service provider infrastructure that delivers the VPN service. Then there is the customer network, the part of the network under the customer's control, and a customer site, which is one part of the customer network; a customer can have any number of sites. Then we have P devices, provider devices: the routers in the middle of the provider network that have no connection to any customer.

They are the core devices in the middle. Then we have provider edge devices, PE: the provider devices that connect to customers, whether a single customer or multiple customers. Then we have customer edge devices, CE: the customer devices that connect to the provider edge. Finally there is the link between the PE router and the CE router, which we call the PE-CE link.

  2. VPN Models – Overview

In this section I'm going to introduce the different kinds of VPN models used in today's networks. In the previous section I explained how the different kinds of VPNs are more effective and more cost-effective than leased-line connections. VPNs can be offered in two major models: the overlay model and the peer-to-peer model. The basic difference: Frame Relay, ATM, X.25, IPsec and GRE all come under the overlay model, whereas MPLS VPNs come under the peer-to-peer model.

So what's the difference between overlay and peer-to-peer? Take an example: this is my service provider network, which already has devices connected inside it. Customer site A wants to connect to customer site B, or site 1 to site 2. A VPN provides a virtual point-to-point connection between the two sites: not a dedicated line, but a virtual point-to-point connection that runs through the provider network. That is what a VPN provides compared with leased lines, where we have a separate dedicated point-to-point link.

Here it is a virtual point-to-point link. In the overlay model, the service provider provides a virtual point-to-point connection between the customer sites without exchanging any routing information with the customer. Each site connects to its nearest provider edge device, and the provider supplies a virtual point-to-point connection between the two PEs. It's more like a tunnel: with GRE we call them GRE tunnels, and we also have IPsec tunnels. With Frame Relay, the virtual point-to-point connection is identified by DLCI values.

In Frame Relay, for example, DLCI 102 on one side is mapped to DLCI 201 on the other; that 102-to-201 mapping is how the overlay model provides the virtual point-to-point connection between the two sites. The major point is that the customer traffic enters as a normal IP packet, and that IP packet is encapsulated with some extra information: with Frame Relay the DLCI value, with a GRE tunnel an outer header carrying the source and destination IP of the tunnel. The encapsulated traffic is carried to the other side of the network, where the extra information is stripped and it is delivered again as a normal IP packet.

This means we can run routing directly between customer and customer without the service provider interfering in the customer routing. The provider is only responsible for providing the virtual point-to-point connection between the two sites. That's how the overlay model works. If you are familiar with Frame Relay, just think of Frame Relay and you will automatically understand how overlay models operate. But I'm not saying that IPsec works the same way as Frame Relay; IPsec works in a totally different way, and so does GRE. What they share is the model.

The main difference is that in the overlay model the service provider knows nothing about the customer's routes; it just forwards the packet based on the extra information added to the header. In the peer-to-peer model, especially MPLS L3 VPNs, the major topic of our course, it works differently. Again, this is the service provider, and I have customer site 1 on one side wanting to connect to customer site 2 on the other. We provide a connection from each customer to the nearest provider device, the provider edge, and the customer connects to that nearest PE.

And here we run routing between the PE and the CE, which means the customer's routes, say the 10.0.0.0 network, are advertised to the service provider's router, and the provider router keeps the customer routes in its routing table. So the service provider actually participates in the customer routing; that's what I wrote here: the provider participates in customer routing. The same thing happens on the other side: the customer advertises its 20.0.0.0 network to the provider edge router. To be clear, this is my provider edge and this is my customer edge.

So the 20.0.0.0 network is advertised to the provider edge router, which keeps that route in its own routing table, and there is a logical VPN connection established between the two provider edge routers. This provider edge router is responsible for exchanging the routes with the other provider edge router, which means the routes come from the customer, go to the service provider, and the provider sends them across to the provider edge router at the other end, which passes them on to its customer edge.

This kind of implementation is called the peer-to-peer model, and MPLS L3 VPNs, the major topic of this course, fall into this category. But right now I'm just giving an overview of the different kinds of VPNs. So here is the VPN classification. We have two models. In the overlay model, the service provider does not exchange any routes with the customer; it just provides a virtual point-to-point connection, and it does not participate in the customer routing at all.

In the peer-to-peer model, where our MPLS sits, the service provider takes the routes from the customer, sends them to the other provider edge router and then back down to the customer. Within the overlay model we have L2 VPNs and L3 VPNs. To understand the difference, consider Frame Relay: there is a customer on both sides and the service provider in the middle.

The customer's traffic enters the provider network as a normal IP packet, but the service provider does not treat it as an IP packet; it forwards it from one side to the other based purely on Layer 2 information, the DLCI values, just as a switch forwards frames based on MAC addresses. That is an L2 VPN. With an L3 VPN, the customer packet again enters the provider network as a normal IP packet, but that IP packet is encapsulated inside another IP packet.

So you have a logical tunnel. If I'm using GRE, there is a logical tunnel from one end to the other, and reachability from this end to that end is provided purely by IP reachability: the provider does not use any DLCI values; it provides reachability from one side to the other based on the outer IP packet alone, and it does not look at the customer traffic. As I said, the normal packet is encapsulated with extra information, the source and destination of the tunnel. So the tunnel source is the address on this side (11.1 in the diagram) and the destination is the tunnel endpoint on the other side; any traffic entering this end is automatically forwarded to the other end of the tunnel.
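Here is a small Python model of the L3 overlay forwarding just described, and of the encapsulation point made earlier in the Frame Relay/GRE discussion. It is an added example, not code from the course: it builds a customer IPv4 packet, wraps it in GRE with an outer IPv4 header at the ingress PE, lets a P router forward on the outer destination only, and strips the outer header again at the egress PE. The addresses, the provider routing table and the ICMP payload are constructed for the demo.

```python
"""L3 overlay (GRE) forwarding model. Added example, not from the course.

A customer IP packet is wrapped in GRE plus an outer IPv4 header at the
ingress PE; P routers forward on the OUTER destination only and never parse
the inner packet; the egress PE strips the outer header and hands the
original packet to the customer. All addresses and the provider routing
table below are constructed for the demo.
"""
import ipaddress
import struct

PROTO_ICMP = 1
PROTO_GRE = 47
GRE_PROTO_IPV4 = 0x0800  # EtherType carried in the GRE header


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the header; returns 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 packet (no options) with a correct header checksum."""
    hdr = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Fields a forwarding engine needs; rejects a corrupted header."""
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20]
    )
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("not a valid IPv4 header")
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "proto": proto,
        "ttl": ttl,
        "payload": pkt[ihl:total_len],
    }


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Ingress PE: prepend a basic GRE header and an outer IPv4 header."""
    gre = struct.pack("!HH", 0, GRE_PROTO_IPV4)  # no C/K/S optional fields
    return build_ipv4(tunnel_src, tunnel_dst, PROTO_GRE, gre + inner)


def gre_decapsulate(outer: bytes) -> bytes:
    """Egress PE: validate and strip outer IPv4 + GRE, return the inner packet."""
    info = parse_ipv4(outer)
    if info["proto"] != PROTO_GRE:
        raise ValueError("outer packet is not GRE")
    flags, ptype = struct.unpack("!HH", info["payload"][:4])
    if flags & 0xB000:  # C, K or S set would mean a longer GRE header
        raise ValueError("optional GRE fields not supported here")
    if ptype != GRE_PROTO_IPV4:
        raise ValueError("unexpected GRE payload type")
    return info["payload"][4:]


# Constructed provider core table: only provider (11.0.x.x) prefixes exist.
PROVIDER_RIB = {
    ipaddress.ip_network("11.0.0.0/24"): "P1",
    ipaddress.ip_network("11.0.1.0/24"): "P2",
}


def provider_forward(pkt: bytes) -> str:
    """A P router's decision: longest match on the outer destination only."""
    dst = ipaddress.ip_address(parse_ipv4(pkt)["dst"])
    matches = [n for n in PROVIDER_RIB if dst in n]
    if not matches:
        return "no route"
    return PROVIDER_RIB[max(matches, key=lambda n: n.prefixlen)]


def demo() -> dict:
    """Customer 10.1.1.1 pings 10.2.2.2 across the GRE overlay."""
    inner = build_ipv4("10.1.1.1", "10.2.2.2", PROTO_ICMP, b"\x08\x00\x00\x00ping")
    outer = gre_encapsulate(inner, "11.0.0.1", "11.0.1.1")
    return {
        "bare_customer_packet": provider_forward(inner),  # "no route"
        "tunnelled_packet": provider_forward(outer),      # "P2"
        "restored_intact": gre_decapsulate(outer) == inner,
    }


if __name__ == "__main__":
    print(demo())
```

The point to notice is in `provider_forward`: the customer's 10.x.x.x destination is not in the provider table, so the bare packet has no route in the core, while the same packet wrapped in the tunnel is forwarded on the 11.0.1.1 outer destination. The provider carries the customer's addressing without ever learning it, which is exactly the overlay property; it also means nothing in this path encrypts the inner packet, so confidentiality has to come from a separate mechanism such as IPsec.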

So it is purely based on IP reachability. That is the major difference between the two categories. GRE, DMVPN, IPsec, L2TPv3 and SSL VPN all come under the overlay L3 VPN kind of implementation, while Frame Relay is the L2 VPN implementation we are used to from our basic CCNA studies. We won't go deeper into the overlay model; our main focus is MPLS VPNs, but it helps to understand the different kinds of VPN implementations. Now let's see how the peer-to-peer model works in our scenario. Before MPLS, there were other kinds of peer-to-peer implementations.

We had the shared router with ACLs and the split-routing approach, and both have disadvantages. Let's see how peer-to-peer VPNs work in our scenario when we use MPLS, in contrast to the Frame Relay case we just discussed. In the peer-to-peer model, as I said, the customer advertises its routes, say the 10.0.0.0 network, to the provider edge router, which now holds that routing information. That PE sends the routes to the PE at the other end, and that PE sends them back down to the customer. That is how peer-to-peer works. Now take an example from this diagram.

There may be more than one customer connected to the same PE router. In this scenario one customer uses the 10.0.0.0 network and another customer uses the 20.0.0.0 network, and both customers, X and Y, advertise their routes to the provider router. How does the provider router separate the two customers' routes and prevent routes coming from customer X from reaching customer Y? Initially this was done with ACLs; we don't do it that way any more.

With ACLs, you define route-filtering rules stating that whatever routes come from customer X must not be sent to customer Y, and vice versa. This was one of the initial implementations, one option we had before MPLS. The alternative is, instead of connecting both customers to the same router, to use split routing: a dedicated router for each customer.

Customer X connects to one router, customer Y connects to a separate router, and the two routers never exchange routing information. In the previous scenario X and Y shared a router; this time we use two different routers. But this is also not scalable: with hundreds of customers you need hundreds of provider edge routers. MPLS VPNs solve all of these problems with the concept of a VRF, virtual routing and forwarding.

A VRF maintains a separate routing table for each customer. Even though it is physically one router, it maintains virtual routing tables: one global routing table, which is the default table used by the service provider's own network, plus a separate routing table for customer X, another for customer Y, and another for the next customer. So in this example one router maintains four routing tables, and each one is isolated from the others; because of that isolation, two customers can even use the same address space, for example both using 10.0.0.0/8, without conflict.

We don't need ACLs to prevent routes leaking from one customer to another, because by default the PE router keeps each customer in its own VRF. We'll get into these concepts in much more detail later, but this is what MPLS VPNs provide, one of the most commonly used WAN technologies in today's networks: MPLS L3 VPNs. We call them L3 VPNs because we take the customer's routes and hold them in our routing table before forwarding them to the other provider edge router, and those routes are kept in a separate per-VRF routing table, isolated from every other customer.
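To make the VRF point concrete, here is a Python model of a single PE router with a global table plus one VRF per customer. It is an added example, not course material and not a vendor implementation: it models only the local PE side (the route exchange between PEs is not modelled), and the interface names, VRF names, customer prefixes and next hops are constructed for the demo. It also shows the pre-VRF failure mode from the shared-router discussion above, where two customers' overlapping prefixes collide in one table.

```python
"""PE router model with a global table plus one VRF per customer.

Added example, not course material: it shows only the local PE side (the
exchange of routes between PEs is not modelled). Interface-to-VRF bindings,
customer prefixes and next hops are constructed for the demo.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class RoutingTable:
    name: str
    routes: Dict[ipaddress.IPv4Network, str] = field(default_factory=dict)

    def add(self, prefix: str, next_hop: str) -> None:
        # Installing an already-present prefix overwrites the old next hop.
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def lookup(self, dst: str) -> Optional[str]:
        """Longest-prefix match; None when this table has no route at all."""
        addr = ipaddress.ip_address(dst)
        matches = [n for n in self.routes if addr in n]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda n: n.prefixlen)]


class PERouter:
    def __init__(self) -> None:
        self.global_table = RoutingTable("global")
        self.vrfs: Dict[str, RoutingTable] = {}
        self.if_vrf: Dict[str, Optional[str]] = {}  # interface -> VRF (None = global)

    def define_vrf(self, name: str) -> None:
        self.vrfs[name] = RoutingTable(name)

    def bind_interface(self, ifname: str, vrf: Optional[str] = None) -> None:
        """One VRF per interface, like binding a VRF to a PE-CE interface."""
        if vrf is not None and vrf not in self.vrfs:
            raise KeyError(f"VRF {vrf} is not defined")
        self.if_vrf[ifname] = vrf

    def table_for(self, ifname: str) -> RoutingTable:
        vrf = self.if_vrf[ifname]
        return self.global_table if vrf is None else self.vrfs[vrf]

    def learn_route(self, ifname: str, prefix: str, next_hop: str) -> None:
        """A route from the CE on ifname lands only in that interface's table."""
        self.table_for(ifname).add(prefix, next_hop)

    def forward(self, in_if: str, dst: str) -> Optional[str]:
        """Lookup happens in the ingress interface's table and nowhere else."""
        return self.table_for(in_if).lookup(dst)


def build_demo_pe() -> PERouter:
    """Two customers that both use 10.1.0.0/16, plus the provider core."""
    pe = PERouter()
    pe.define_vrf("CUST_X")
    pe.define_vrf("CUST_Y")
    pe.bind_interface("Gi0/0")             # core-facing, global table
    pe.bind_interface("Gi0/1", "CUST_X")   # CE of customer X
    pe.bind_interface("Gi0/2", "CUST_Y")   # CE of customer Y
    pe.learn_route("Gi0/0", "11.0.0.0/16", "P1")            # provider core
    pe.learn_route("Gi0/1", "10.1.0.0/16", "192.0.2.2")     # X's site
    pe.learn_route("Gi0/2", "10.1.0.0/16", "198.51.100.2")  # Y's site, same prefix
    pe.learn_route("Gi0/2", "10.9.0.0/16", "198.51.100.2")  # Y-only prefix
    return pe


def shared_router_problem() -> Optional[str]:
    """The pre-VRF failure mode: one table, so Y's 10.1.0.0/16 overwrites X's."""
    shared = RoutingTable("shared")
    shared.add("10.1.0.0/16", "192.0.2.2")      # customer X
    shared.add("10.1.0.0/16", "198.51.100.2")   # customer Y clobbers it
    return shared.lookup("10.1.5.5")            # X's packet now goes to Y


if __name__ == "__main__":
    pe = build_demo_pe()
    for in_if, dst in [("Gi0/1", "10.1.5.5"), ("Gi0/2", "10.1.5.5"),
                       ("Gi0/1", "10.9.9.9"), ("Gi0/1", "11.0.3.4")]:
        print(in_if, dst, "->", pe.forward(in_if, dst))
    print("shared table:", shared_router_problem())
```

The checks worth running: a packet for 10.1.5.5 arriving on customer X's interface resolves to X's next hop and the same destination arriving on Y's interface resolves to Y's, a Y-only prefix is unreachable from X's VRF, and the VRFs cannot see the global table either. The isolation here is a property of which table the lookup consults, not of any filter, which is why no ACL is needed; the shared-table function shows what happens without it.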
