Comparing, Designing, and Deploying VPNs


    800 East 96th Street, Indianapolis, Indiana 46240 USA

    Cisco Press

    Comparing, Designing, and Deploying VPNs

    Mark Lewis, CCIE No. 6280


    Comparing, Designing, and Deploying VPNs

    Mark Lewis

    Copyright 2006 Cisco Systems, Inc.

    Cisco Press logo is a trademark of Cisco Systems, Inc.

    Published by: Cisco Press, 800 East 96th Street, Indianapolis, IN 46240 USA

    All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

    Printed in the United States of America 1 2 3 4 5 6 7 8 9 0

    First Printing April 2006

    Library of Congress Cataloging-in-Publication Number: 2003114910

    ISBN: 1-58705-179-6

    Trademark Acknowledgments

    All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc. cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

    Corporate and Government Sales

    Cisco Press offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales.

    For more information, please contact

    U.S. Corporate and Government Sales,

    1-800-382-3419 or [email protected]

    For sales outside the U.S., please contact

    International Sales,

    [email protected]

    Warning and Disclaimer

    This book is designed to provide information about virtual private networks (VPN). Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied.

    The information is provided on an "as is" basis. The authors, Cisco Press, and Cisco Systems, Inc. shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it.

    The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc.

    Feedback Information

    At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community.

    Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through email at [email protected]. Please make sure to include the book title and ISBN in your message.


    We greatly appreciate your assistance.

    Publisher: John Wait
    Editor-in-Chief: John Kane
    Cisco Representative: Anthony Wolfenden
    Cisco Press Program Manager: Jeff Brady
    Production Manager: Patrick Kanouse
    Senior Development Editor: Christopher Cleveland
    Copy Editor and Indexer: Keith Cline
    Technical Editors: Henry Benjamin, Lei Chen, Mark Newcomb, Ajay Simha
    Book and Cover Designer: Louisa Adair
    Composition: Interactive Composition Corporation


    About the Author

    Mark Lewis, CCIE No. 6280, is technical director of MJL Network Solutions (, a leading provider of internetworking solutions that focuses on helping enterprise and service provider customers to implement leading-edge technologies. Mark specializes in next-generation network technologies and has extensive experience designing, deploying, and migrating large-scale IP/MPLS networks. He is an active participant in the IETF, a member of the IEEE, and a certified Cisco Systems instructor. Mark is also the author of Troubleshooting Virtual Private Networks, published by Cisco Press.

    Mark can be contacted at [email protected]

    About the Technical Reviewers

    Henry Benjamin, CCIE No. 4695, holds three CCIE certifications (Routing and Switching, ISP Dial, and Communications and Services). He has more than 10 years' experience with Cisco networks and recently worked for Cisco in the internal IT department helping to design and implement networks throughout Australia and Asia. Henry was a key member of the CCIE global team, where he was responsible for writing new laboratory examinations and questions for the CCIE exams. Henry is an independent consultant with a large security firm in Australia. Henry is the author of CCIE Security Exam Certification Guide and CCNP Practical Studies: Routing, both published by Cisco Press.

    Lei Chen, CCIE No. 6399, received a master of science degree in computer science from DePaul University in 2000. He joined the Cisco NSITE system testing group in 2000, and then went on to support Cisco high-tier customers as part of the Cisco TAC VPN team in 2002. He has first-hand experience in troubleshooting, designing, and deploying IPsec VPNs.

    Mark Newcomb, CCNP, CCDP, is a retired network security engineer. Mark has more than 20 years' experience in the networking industry, focusing on the financial and medical industries. Mark is a frequent contributor and reviewer for Cisco Press books.

    Ajay Simha, CCIE No. 2970, joined the Cisco TAC in 1996. He then went on to support tier 1 and 2 ISPs as part of the Cisco ISP Expert team. He worked as an MPLS deployment engineer from October 1999 to November 2003. Currently, he is a senior network consulting engineer in Advanced Services at Cisco working on Metro Ethernet and MPLS design and deployment. Ajay is the coauthor of the Cisco Press title Traffic Engineering with MPLS.



    I'd like to thank a number of people who helped me to complete this book. I'd like to thank Michelle, Chris, John, and Patrick at Cisco Press, who helped to get this project started in the first place and then provided indispensable help and encouragement along the way.

    And I'd also like to thank the technical reviewers, Mark Newcomb, Henry Benjamin, Ajay Simha, and Lei Chen, who all provided useful comments and suggestions.


    This Book Is Safari Enabled

    The Safari Enabled icon on the cover of your favorite technology book means the book is available through Safari Bookshelf. When you buy this book, you get free access to the online edition for 45 days.

    Safari Bookshelf is an electronic reference library that lets you easily search thousands of technical books, find code samples, download chapters, and access technical information whenever and wherever you need it.

    To gain 45-day Safari Enabled access to this book:

    1. Go to
    2. Complete the brief registration form
    3. Enter the coupon code GBCR-98XD-CWIL-XSD7-VQQE

    If you have difficulty registering on Safari Bookshelf or accessing the online edition, please e-mail [email protected]


    Contents at a Glance

    Introduction xxii

    Part I Understanding VPN Technology 3

    Chapter 1 What Is a Virtual Private Network? 5

    Part II Site-to-Site VPNs 25

    Chapter 2 Designing and Deploying L2TPv3-Based Layer 2 VPNs 27

    Chapter 3 Designing and Implementing AToM-Based Layer 2 VPNs 137

    Chapter 4 Designing MPLS Layer 3 Site-to-Site VPNs 225

    Chapter 5 Advanced MPLS Layer 3 VPN Deployment Considerations 293

    Chapter 6 Deploying Site-to-Site IPsec VPNs 407

    Chapter 7 Scaling and Optimizing IPsec VPNs 523

    Part III Remote Access VPNs 707

    Chapter 8 Designing and Implementing L2TPv2 and L2TPv3 Remote Access VPNs 709

    Chapter 9 Designing and Deploying IPsec Remote Access and Teleworker VPNs 805

    Chapter 10 Designing and Building SSL Remote Access VPNs (WebVPN) 905

    Part IV Appendixes 983

    Appendix A VPLS and IPLS Layer 2 VPNs 985

    Appendix B Answers to Review Questions 997


    Table of Contents

    Introduction xxii

    Part I Understanding VPN Technology 3

    Chapter 1 What Is a Virtual Private Network? 5

    VPN Devices 5
    VPN Technologies and Protocols 7
    Technologies and Protocols Used to Enable Site-to-Site VPNs 7
    Technologies and Protocols Used to Enable Remote Access VPNs 8
    Modeling and Characterizing VPNs 9
    Service Provider and Customer Provisioned VPNs 10
    Site-to-Site and Remote Access VPNs 11
    Service Provider Provisioned Site-to-Site VPNs 13
    Customer Provisioned Site-to-Site VPNs 15
    Service Provider and Customer Provisioned Remote Access VPNs 15
    Other Methods of Categorizing VPNs 16
    Deploying Site-to-Site and Remote Access VPNs: A Comparison 18
    Site-to-Site VPN Deployment 18
    Remote Access VPN Deployment 19
    Summary 22
    Review Questions 22

    Part II Site-to-Site VPNs 25

    Chapter 2 Designing and Deploying L2TPv3-Based Layer 2 VPNs 27

    Benefits and Drawbacks of L2TPv3-Based L2VPNs 28
    L2TPv3 Pseudowire Operation 29
    L2TPv3 Deployment Models 30
    L2TPv3 Message Types 31
    The L2TPv3 Control Connection 34
    L2TPv3 Control Connection Setup 34
    L2TPv3 Control Connection Teardown 36
    L2TPv3 Session Setup 37
    L2TPv3 Session Teardown 38
    Hello and SLI Messages 40
    Configuring and Verifying L2TPv3 Pseudowires 41
    Deploying L2TPv3 Pseudowires with Dynamic Session Setup 42
    Step 1: Configure CEF 43
    Step 2: Configure a Loopback Interface to Use as the Pseudowire Endpoint 43
    Step 3: Configure an L2TPv3 Class (
