
Virtual Private Network Design

In document CCDP ARCH Quick Reference (Page 69-77)

Virtual private networks (VPN), used both in public and private networks, allow traffic to be sent securely between two network devices. For example, consider a traveling salesperson who has broadband access in his hotel in the evening.

With VPN technology, that salesperson can securely connect back to his corporate headquarters. Similarly, VPNs are often beneficial for telecommuters and remote offices.

In many cases, VPNs can replace previously installed WAN connections (for example, Frame Relay or ATM connections), offering security and lower cost. This chapter discusses the components that make up a VPN, and also covers VPN design considerations.

Remote-Access VPNs

Remote-access VPN tunnels typically use secure tunnels between a remote user, connecting via an Internet service provider (ISP), and the corporate VPN termination device, as illustrated in Figure 9-1.

A VPN is composed of three main elements:

• VPN termination devices: Also known as a “headend,” this termination device (for example, an Adaptive Security Appliance [ASA]) has the capacity to support multiple simultaneous VPN connections.

• End clients: Either mobile or fixed, end clients are devices that reside at one end of VPN tunnels and connect to VPN termination devices at the other end of VPN tunnels.

© 2008 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 98 for more details.

CCDP ARCH Quick Reference

CCDP ARCH Quick Reference By Kevin Wallace, Michael Watkins ISBN: 9781587054990 Publisher: Cisco Press

Prepared for Kevin Kem, Safari ID: [email protected] Licensed by Kevin Kem

Print Publication Date: 2007/10/26 User number: 1023945 Copyright 2007, Safari Books Online, LLC.

This PDF is exclusively for your use in accordance with the Safari Terms of Service. No part of it may be reproduced or transmitted in any form by any means without the prior written permission for reprints and excerpts from the publisher. Redistribution or other use that violates the fair use priviledge under U.S. copyright laws (see 17 USC107) or that otherwise violates the Safari Terms of Service is strictly prohibited.

• VPN technology: VPNs can securely send data across a tunnel. Two protocols that make this secure transmission possible are as follows:

  • IPsec: IPsec is normally used to secure the transmission of data.

  • SSL: Secure Sockets Layer (SSL) uses digital certificates to secure the transmission of web traffic. SSL VPN access mechanisms include the following:

    • Clientless access: Proxies web pages and then transmits those web pages over an SSL connection to the end user


FIGURE 9-1 Remote-Access VPNs (figure labels: Headquarters, Hotel, Internet, Mobile Workforce, Telecommuter’s House)


    • Thin client: Uses a small application to perform port forwarding, where the port forwarder acts as a local proxy server

    • Thick client: A VPN client application that is downloaded via a web page and runs on the end client

The VPN termination devices mentioned here are usually installed, along with a firewall, at the edge of the network.

Cisco best practice for locating a VPN termination device is to install the VPN device behind a firewall in the enterprise’s demilitarized zone (DMZ).

When designing a remote-access VPN, consider the following:

• Routing: Typically, static routes are configured on internal routers pointing to the headend VPN device.

• Address assignment: Usually, an internal address pool is assigned for each VPN headend. These address pools are pointed to by the static routes mentioned in the preceding bullet.

• Authentication: The only authentication method supported by SSL is digital certificates. However, other authentication solutions can be used along with SSL.

• Access control: Common approaches to access control include defining access control rules on the VPN headend or defining access control rules on an internal firewall.

Site-to-Site VPNs

Site-to-site VPNs, as illustrated in Figure 9-2, offer a replacement for traditional WAN connections that interconnect, for example, remote offices. Because a VPN tunnel can be created across relatively low-cost network connections, such as a digital subscriber line (DSL) connection to the Internet, site-to-site VPNs can offer significant cost savings, while continuing to provide a secure path for network traffic.


The primary elements comprising a site-to-site VPN include the following:

• Head-end VPN devices: Similar to the remote-access headend, these devices act as the termination point for incoming VPN tunnels to the main campus.

• VPN access devices: Located at remote locations, these devices terminate the remote side of the VPN tunnels.

• IPsec and GRE tunnels: IPsec and generic routing encapsulation (GRE) are VPN tunneling technologies, and each offers its own unique benefits; they are often used together in site-to-site VPNs.

• Internet access: Supplied by ISPs, access to the Internet offers the medium of transport between the VPN headend and VPN access devices.


FIGURE 9-2 Site-to-site VPNs (figure labels: Headquarters with a VPN Head-End Device; Branch A, Branch B, and Branch C, each with a VPN Access Device; Internet)


Each end of a VPN tunnel needs an Internet-routable IP address. Traffic flowing through the VPN might physically pass through multiple routers (for example, routers in the ISP’s network). However, from the perspective of the VPN traffic, traveling from one end of the VPN to the other appears to be a single router hop. Therefore, the addressing of the traffic traversing the tunnel can be private addressing.

Another major VPN design consideration is scalability. Although multiple factors impact the scalability of a VPN, the main indicator of scalability is the number of remote sites to be supported. Cisco recommends that redundant headend VPN devices be installed and that the CPU utilization of each headend be less than 50 percent. However, VPN access devices located at remote sites are not considered overburdened if their CPU utilization is less than 65 percent.

Cisco offers a wide variety of VPN devices, which vary in their scalability. Consult current Cisco product documentation when selecting a VPN device for a design.

When interconnecting multiple sites using VPN technologies, consider the following deployment models:

• Peer-to-peer: Secures traffic between two sites

• Hub and spoke: A common approach, in which remote sites connect back to a central location

• Partial mesh: Builds on a hub-and-spoke topology to provide direct connections between some remote sites, to better accommodate traffic patterns

• Full mesh: Provides direct connections between each location in the VPN topology

The three primary approaches for placing a VPN device in an enterprise campus design are as follows:

• Placing the VPN device parallel to the firewall, which supports high scalability

• Placing the VPN device in a firewall’s DMZ, which supports the inspection of decrypted IPsec traffic

• Integrating the VPN device with the firewall, resulting in fewer devices to manage


IPsec VPNs

As previously mentioned, IPsec offers secure communication over a tunnel, thus forming a secure VPN. However, multiple IPsec VPN implementations exist.

A basic IPsec VPN interconnects peers over a tunnel. These tunnels are defined by security associations (SA), which specify the protocols, algorithms, and keying material used to form the tunnel.

Other IPsec-based VPNs include the following:

• Easy VPN: The Cisco Easy VPN solution is composed of the Easy VPN server and Easy VPN remote devices. The Easy VPN server can push security policies to remote sites. Also, the configuration can be performed using the Router and Security Device Manager (SDM) Easy VPN Server Wizard and Easy VPN Remote Wizard.

• GRE tunneling: IPsec can provide security, but it only supports IP unicast traffic. GRE supports additional traffic types (for example, IP multicast and broadcast traffic), but GRE lacks security features. By using these technologies together, multiple traffic types can be encapsulated inside of a GRE tunnel, and then those GRE tunnel packets (which are unicast IP packets) can be transmitted securely inside of an IPsec tunnel.

• Dynamic multipoint VPN (DMVPN): Because hub-and-spoke designs suffer from scalability issues when the number of sites exceeds 10 (because all traffic passes to or through the hub), DMVPN technology can be used to create on-demand tunnels. Specifically, DMVPN is most appropriate when more than 20 percent of the network traffic travels between spoke sites. DMVPN can dynamically create a spoke-to-spoke tunnel based on traffic patterns, as shown in Figure 9-3. In the figure, a dynamic VPN tunnel is established between the Branch B and Branch C sites.


• Virtual tunnel interfaces (VTI): The VTI feature offers a special type of interface, which supports routing, VPN termination, and other configurations that cannot always be applied to a VPN tunnel (such as quality of service [QoS] configurations).

• Group encrypted transport VPN (GET VPN): Although GET VPN does provide security for network traffic in a fully meshed network, a tunnel is not used. Instead, GET VPN uses Cisco IOS features to provide security over a private WAN.
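The DMVPN rule of thumb above (hub-and-spoke strains past about 10 sites; DMVPN when more than 20 percent of traffic is spoke-to-spoke) and the deployment models listed earlier can be applied mechanically to a site traffic matrix. The following Python is an added example, not from the book: the matrix values, the site names, the hub crypto-load estimate, and the combination of the two thresholds into one recommendation are assumptions; the thresholds themselves are the ones the text gives.

```python
from itertools import combinations

# Constructed traffic matrix in Mbps, matrix[src][dst]; "HQ" is the hub and
# every other site is a spoke. Values are made up for the example.
TRAFFIC_MBPS = {
    "HQ":      {"BranchA": 20.0, "BranchB": 15.0, "BranchC": 10.0},
    "BranchA": {"HQ": 15.0, "BranchB": 1.0, "BranchC": 1.0},
    "BranchB": {"HQ": 10.0, "BranchA": 1.0, "BranchC": 12.0},
    "BranchC": {"HQ": 5.0, "BranchB": 10.0},
}

HUB_SPOKE_SITE_LIMIT = 10     # page: hub-and-spoke strains past ~10 sites
DMVPN_SPOKE_TO_SPOKE = 0.20   # page: DMVPN when >20% of traffic is spoke-to-spoke

def sites(matrix):
    return set(matrix) | {dst for row in matrix.values() for dst in row}

def spoke_to_spoke_fraction(matrix, hub):
    """Share of all offered traffic whose source and destination are both spokes."""
    total = spoke = 0.0
    for src, row in matrix.items():
        for dst, mbps in row.items():
            total += mbps
            if hub not in (src, dst):
                spoke += mbps
    return spoke / total if total else 0.0

def hub_crypto_load_mbps(matrix, hub):
    """Pure hub-and-spoke: hub<->spoke flows cross the hub crypto engine once,
    spoke<->spoke flows twice (decrypted from one spoke, re-encrypted to the other)."""
    load = 0.0
    for src, row in matrix.items():
        for dst, mbps in row.items():
            load += mbps if hub in (src, dst) else 2 * mbps
    return load

def spoke_pairs_with_traffic(matrix, hub, min_mbps=0.0):
    """Spoke pairs that would earn a dynamic spoke-to-spoke tunnel, with two-way load."""
    spokes = sorted(sites(matrix) - {hub})
    pairs = {}
    for a, b in combinations(spokes, 2):
        mbps = matrix.get(a, {}).get(b, 0.0) + matrix.get(b, {}).get(a, 0.0)
        if mbps > min_mbps:
            pairs[(a, b)] = mbps
    return pairs

def recommend_topology(matrix, hub):
    """Map the page's deployment models onto the matrix (assumed decision order)."""
    n = len(sites(matrix))
    if n == 2:
        return "peer-to-peer"
    if n > HUB_SPOKE_SITE_LIMIT or spoke_to_spoke_fraction(matrix, hub) > DMVPN_SPOKE_TO_SPOKE:
        return "dmvpn"
    return "hub-and-spoke"
```

With the constructed matrix, 25 percent of traffic is spoke-to-spoke, the Branch B to Branch C pair dominates it, and the recommendation is DMVPN, mirroring the dynamic tunnel in Figure 9-3.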


Managing and Scaling VPNs

The Cisco Security Management Suite contains multiple components, including the following:

• Cisco Router and Security Device Manager (SDM): Offers a web-based interface for managing various features (for example, QoS and security features) on Cisco routers

• Cisco Adaptive Security Device Manager (ASDM): Provides a graphical interface for managing Cisco ASA, PIX, and FWSM devices

• Cisco PIX Device Manager (PDM): Supports management of some models of the Cisco PIX (Cisco PIX Security Appliance Software Version 6.3 and earlier) and FWSM

• Cisco View Device Manager (CVDM): Used to manage selected Layer 2 and Layer 3 features on a Cisco Catalyst 6500 series switch

• Cisco Security Manager: Offers a GUI-based configuration solution for firewall, VPN, and intrusion prevention system (IPS) policy configuration on some Cisco security appliances

• Cisco Security Monitoring, Analysis, and Response System (Cisco Security MARS): Supports the monitoring, identification, and isolation of security threats, in addition to countering those threats, in an appliance-based solution

When scaling a VPN, the number of packets per second (PPS) transmitted between sites matters more to the design than the bandwidth, in bits per second (bps), between sites, because each packet must be encrypted and decrypted individually. Applications vary in the number of PPS they send. For example, a VoIP application uses smaller packet sizes than an FTP application. Therefore, at the same bit rate, the VoIP application would send more PPS than the FTP application.

Various network management tools can be used to determine the PPS rate. However, a basic method of determining the PPS rate on existing equipment is to issue the show interfaces command.
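As an added example (not from the book), the following Python pulls the rate lines out of show interfaces output, derives the average packet size that separates VoIP-like from FTP-like traffic, and checks aggregate PPS against a vendor-rated PPS figure using the 50 percent headend and 65 percent remote-device ceilings from the scalability section. The sample output, the rated PPS value, and the use of PPS utilization as a proxy for the CPU utilization the book cites are assumptions.

```python
import re

# Constructed sample of "show interfaces" output (not captured from a real
# device); the rate lines follow the Cisco IOS format the parser keys on.
SHOW_INTERFACES = """\
GigabitEthernet0/0 is up, line protocol is up
  Hardware is iGbE, address is 0000.0c12.3456 (bia 0000.0c12.3456)
  5 minute input rate 1600000 bits/sec, 1000 packets/sec
  5 minute output rate 1600000 bits/sec, 1000 packets/sec
GigabitEthernet0/1 is up, line protocol is up
  5 minute input rate 48000000 bits/sec, 4000 packets/sec
  5 minute output rate 12000000 bits/sec, 3000 packets/sec
Tunnel0 is up, line protocol is up
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
"""

IF_HEADER = re.compile(r"^(\S+) is ")
# "load-interval 30" changes the prefix to "30 second", so accept both.
RATE_LINE = re.compile(
    r"^\s*\d+ (?:minute|second) (input|output) rate (\d+) bits/sec, (\d+) packets/sec")

def parse_show_interfaces(text):
    """Return {interface: {"input": (bps, pps), "output": (bps, pps)}}."""
    stats, current = {}, None
    for line in text.splitlines():
        m = IF_HEADER.match(line)
        if m:
            current = m.group(1)
            stats[current] = {}
            continue
        m = RATE_LINE.match(line)
        if m and current:
            stats[current][m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return stats

def avg_packet_bytes(bps, pps):
    """Average packet size implied by the two rates; None when the link is idle."""
    return None if pps == 0 else bps / 8 / pps

def total_pps(stats, interfaces):
    """Aggregate input plus output PPS over the interfaces that carry VPN traffic."""
    return sum(pps for name in interfaces for _, pps in stats[name].values())

def pps_headroom(stats, interfaces, rated_pps, ceiling=0.50):
    """Utilization of an assumed vendor-rated PPS figure against the page's
    ceiling (0.50 for a headend, 0.65 for a remote access device).
    Returns (utilization, within_ceiling)."""
    util = total_pps(stats, interfaces) / rated_pps
    return util, util < ceiling
```

The 200-byte average on GigabitEthernet0/0 is VoIP-sized and the 1500-byte average on GigabitEthernet0/1 is bulk-transfer-sized; the same 9000 PPS that fits a headend rated for 20000 PPS would not fit one rated for 15000 under the 50 percent rule.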

Selecting an appropriate routing protocol for a VPN also helps the VPN to scale. Enhanced Interior Gateway Routing Protocol (EIGRP) and Open Shortest Path First (OSPF) Protocol are both examples of enterprise routing protocols that support VPNs.
