
WAN Through VPN


The Radios!!!!

2.1 What’s used

The flexibility of Tulip lies in its ability to reach out to rural areas. This is by no means a small task; it requires an ample amount of dedication, focus and high levels of enthusiasm, which is found in abundance in the employees. They are willing to make it right no matter how difficult it is. The last mile of Tulip connectivity is on wireless. This is made possible by the use of a variety of wireless radios, some of which are listed here.

Airspan

Firepro

Radwin

The radios in frequent usage today are the Airspan, Radwin and Firepro radios. Each of these radios has a particular frequency range. Airspan is mostly used in a Point to Multipoint topology, mainly at the base station, where multiple client branches have to be handled.

In Airspan specifically, there is a modem at the Tulip end known as the BASE STATION RADIO and a radio at the client end known as the SUBSCRIBER PREMISES RADIO.

Firepro can be used in both point to point and point to multipoint topologies, and is actually used for both, though mainly in a Point to Point topology.

Radwin is used very rarely and, if at all, is used in the backbone to provide redundancy to the fiber paths.

These radios have their own graphical interfaces as well as distinct troubleshooting procedures. Each has a wide variety of features and different diagnostic interfaces, which makes each of them unique and suited for a particular purpose. But the background process and the procedure of implementation of all these radios is the same. They follow a standard methodology of implementation as described herewith, but before that let’s just get acquainted with the nitty-gritty of the business, the mother of all purposes here: RF, or radio frequency.

Radio frequency, or RF, refers to that portion of the electromagnetic spectrum in which electromagnetic waves can be generated by alternating current fed to an antenna. In short, RF is any frequency within the electromagnetic spectrum associated with radio wave propagation. When an RF current is supplied to an antenna, an electromagnetic field is created that is then able to propagate through space. Many wireless technologies are based on RF field propagation. In the scope of work we are so hotly discussing, VPNs are provided to the clients using modems supporting radio frequency. The two modems, i.e. the base station modem and the client site modem, communicate with each other through RF. The link is made more secure by MAC address binding: the MAC address is configured on both modems and acts as an authenticating agent, so that nobody else is allowed to interfere with the network. Radio frequency provides end-to-end communication over different channels, called frequencies.

But yes, did we just notice the use of the term Electromagnetic Spectrum? That is broadly considered the mother of RF. Why? Simple, because RF is part of that spectrum. Electromagnetic radiation is generally described as a self-propagating wave in space with electric and magnetic components. These components oscillate at right angles to each other and to the direction of propagation, and are in phase with each other. Electromagnetic radiation is classified into types according to the frequency of the wave: these types include, in order of increasing frequency, radio waves, microwaves, infrared radiation, visible light, ultraviolet radiation, X-rays and gamma rays.

Now that we are clear that the connectivity is based on a radio at Tulip’s base station and one at the client site, it follows that the topology used between the base station and the client(s) is one of the following:

POINT TO POINT - mostly in the case of Tulip’s backbone or to the HOs of clients
POINT TO MULTIPOINT - mostly in the case of branches of the clients

The following would give us a brief idea of the correlation between the EM spectrum and the radio frequency part of the spectrum.


2.2 How It’s Used

Well, let me try and give you a visual picture of how it is done. At the base station end, the router is connected to the switch, which in turn is connected to the radio modem through an SDA, which is basically the power adapter to which we connect the CAT-5 cable of the modems as well as of the routers/switches. Then we have the radio modem attached to the antenna; you know you just can’t go places without an antenna. Now what do we use to attach the antenna to the modem? That’s where a pigtail comes in. No, it’s not a pig’s tail. It is what we use to connect the radio modem and antenna, and it looks somewhat like this:

So now we have a complete picture of what’s happening. The information travels from the router to the switch at the base station to the antenna via the radio modem. The antenna zaps it across to the other side, where a similar but reverse process takes place, making it possible for information to be transmitted anywhere!!! Sounds pretty neat, eh?

2.3 Perfunctory Definitions

Ok, so let’s just sum up the above two sections in a tabular and presentable manner.

ROUTER: A device or setup that finds the best route between any two networks, even if there are several networks to traverse. Like bridges, routers can connect remote sites over dedicated or switched lines to create WANs.

Radio: One at each side, at the base and client sides. These radios are connected to the antenna via the Pigtail cable.

SDA or POE: It is the power adapter to which we connect the CAT-5 cable of the modems as well as of the routers.

Feeder: It is a type of stick connected to the antenna which points the waves in the direction they have to travel and also gives the waves their beam.

The pigtail cable, used to connect the radio modem to the antenna.

Antenna: It is a type of dish with which we connect the modems like BSR and SPR.

Pigtail: It is the cable used to connect the antenna with a modem.

2.4 Radios

Now that we are through with knowing how it works, let’s concentrate a little more on the types of radio modems used in Tulip. The radios primarily used in Tulip are Airspan, Radwin and Firepro.

- AIRSPAN - As said earlier, the two components making up the Airspan setup are the BSR and the SPR.

- BSR: The BSR, installed at the Base Station, is an encased outdoor radio module providing a 9-pin D-type port for an RS-232 serial interface and a 15-pin D-type port for data, synchronization and power interfaces. The BSR is available in two models: BSR with an integral antenna (BSR 900 MHz TDD V-pol), and BSR with two N-type ports (displayed below) for attaching up to two external antennas (BSR 900 MHz TDD Dual Ext).

Major cities like NCR and Mumbai would have up to about 50 Base Stations. Medium-sized towns will have 20 Base Stations. Very small towns could have one to three Base Stations. About 2000 base stations have been set up to date. A new city comes up in four weeks.


- SPR: The SPR is an encased CPE outdoor radio module providing a 15-pin D-type port for Ethernet, serial and power interfaces. The SPR is available in two models: SPR with an integral antenna (SPRL 900MHz TDD V-pol) and SPR with an N-type port for attaching an external antenna (SPR 900MHz TDD Ext).

Cable connection of the SPR to the SDA

1. Connect the 15-pin D-type male connector at one end of the CAT 5 cable to the SPR’s 15-pin port.

2. Connect the 15-pin D-type male connector at the other end of the CAT 5 cable to the SDA’s 15-pin D-type

The setup of the radio is comparatively easy. The radio can be configured either in bridge mode or in routing mode. The following is a snapshot of the Airspan SPR and BSR being configured in bridge mode.


BSR and SPR being configured in the bridge mode.


2.5 Site preparation and planning

When preparing and planning the site, ensure the following:

- Minimum obstructions (e.g. buildings) in the radio path between the Base Station radio (i.e. BSR) and the subscriber radios (i.e. SPR/IDR).

- Minimum incursions on the Fresnel Zone (recommended minimum of 60% clearance of the first Fresnel Zone).

- Minimum multipath fading: Some of the transmitted signals may be reflected from a nearby building, by water under the signal path, or from any other reflectors. This reflected ("bounced") signal can then be picked up by the receiving radio and superimposed on the main received signal, thereby degrading the signal strength. Airspan recommends installing the outdoor radios at the rear of the building’s roof instead of the front. When you install at the rear, the front of the building blocks incoming signals from multipath reflections.


- Clean frequencies selected from Spectrum Analyzer results.

- Maximum received signal strength (RSS) at the CPE by antenna alignment: For the IDR, RSS can be measured by the IDR's built-in RSS LEDs; for the SPR, RSS can be measured by Airspan’s WipConfig program or by connecting Airspan's RSS LED Plug Adapter.

- Radios are mounted as far as possible from sources of interference that could degrade the performance of the radio. Ensure a minimum of 1-meter separation between co-located outdoor units.

- Radios are mounted as high as possible to avoid obstructions and to increase link quality.

- BSR and SPR/IDR are within maximum range of reception.

- Maximum length of 100 meters of CAT-5 cable connecting outdoor radio units to indoor terminating units.

- Sufficient wiring conduit and cable ties to channel and protect the CAT 5 cable connecting the outdoor radio to the indoor hub/switch.

- Required power source is available at the site.

External antenna consideration

In some scenarios, where capacity demand is relatively low, the use of an external omni-directional antenna at the Base Station may seem attractive. However, it is recommended to avoid using omni-directional antennas (if possible), due to the following disadvantages that these antennas pose compared to directional antennas:

- Higher sensitivity to external interference.

- Higher sensitivity to multipath, resulting in the following:


  - The root mean square (RMS) delay spread at the Base Station is substantially higher.

  - Multipath interference at the CPE side (when using an omni-directional antenna at the Base Station) is substantially higher. In fact, when using an omni-directional antenna, the existence of a clear Fresnel zone between BSR and SPR/IDR is insufficient to eliminate multipath interference, since multipath, in this case, can be caused by reflections originating from obstacles outside the Fresnel zone.

- Higher sensitivity to alignment. Since the omni-directional antenna gain is achieved by narrowing the vertical beam width, a relatively low deviation in the antenna alignment will result in severe signal attenuation.

3 Cisco Router Configuration

3.1 Cisco IOS Modes of Operation

The Cisco IOS software provides access to several different command modes. Each command mode provides a different group of related commands.

For security purposes, the Cisco IOS software provides two levels of access to commands: user and privileged. The unprivileged user mode is called user EXEC mode. The privileged mode is called privileged EXEC mode and requires a password. The commands available in user EXEC mode are a subset of the commands available in privileged EXEC mode.


The following table describes some of the most commonly used modes, how to enter the modes, and the resulting prompts. The prompt helps you identify which mode you are in and, therefore, which commands are available to you.

Mode of Operation: User EXEC
  Usage: Change terminal settings on a temporary basis, perform basic tests, and list system information.
  How to Enter the Mode: First level accessed.
  Prompt: Router>

Mode of Operation: Privileged EXEC
  Usage: System administration, set operating parameters.
  How to Enter the Mode: From user EXEC mode, enter the enable password command.
  Prompt: Router#

Mode of Operation: Global Config
  Usage: Modify configuration that affects the system as a whole.
  How to Enter the Mode: From privileged EXEC, enter configure terminal.
  Prompt: Router(config)#

Mode of Operation: Interface Config
  Usage: Modify the operation of an interface.
  How to Enter the Mode: From global mode, enter interface type number.
  Prompt: Router(config-if)#

Mode of Operation: Setup
  Usage: Create the initial configuration.
  How to Enter the Mode: From privileged EXEC mode, enter the command setup.
  Prompt: Prompted dialog

User EXEC Mode:

When you are connected to the router, you are started in user EXEC mode. The user

EXEC commands are a subset of the privileged EXEC commands.

Privileged EXEC Mode:

Privileged commands include the following:

• Configure – Changes the software configuration.

• Debug – Display process and hardware event messages.

• Setup – Enter configuration information at the prompts.

Enter the command disable to exit from privileged EXEC mode and return to user EXEC mode.

Configuration Mode

Configuration mode has a set of submodes that you use for modifying interface settings, routing protocol settings, line settings, and so forth. Use caution with configuration mode because all changes you enter take effect immediately.

To enter configuration mode, enter the command configure terminal and exit by pressing Ctrl-Z.

Note:

Almost every configuration command also has a no form. In general, use the no form to disable a feature or function. Use the command without the keyword no to re-enable a disabled feature or to enable a feature that is disabled by default. For example, IP routing is enabled by default. To disable IP routing, enter the no ip routing command and enter ip routing to re-enable it.

Getting Help

In any command mode, you can get a list of available commands by entering a question mark (?).

Router>?

To obtain a list of commands that begin with a particular character sequence, type in those characters followed immediately by the question mark (?).

Router#co?
configure connect copy

To list keywords or arguments, enter a question mark in place of a keyword or argument. Include a space before the question mark.

Router#configure ?
memory Configure from NV memory
network Configure from a TFTP network host
terminal Configure from the terminal

You can also abbreviate commands and keywords by entering just enough characters to make the command unique from other commands. For example, you can abbreviate the show command to sh.


3 INTRODUCTION TO VPN

3.1 What is VPN?

A virtual private network (VPN) is a communications network tunneled through another network, and dedicated for a specific network. One common application is secure communications through the public Internet, but a VPN need not have explicit security features, such as authentication or content encryption. A VPN may have best-effort performance, or may have a defined Service Level Agreement (SLA) between the VPN customer and the VPN service provider.

Generally, a VPN has a topology more complex than point-to-point. For example, there are a number of systems that enable networks to be created using the Internet as the medium for transporting data. These systems use encryption and other security mechanisms to ensure that only authorized users can access the network and that the data cannot be intercepted.

Basically, a VPN is a private network that uses a public network (usually the Internet) to connect remote sites or users together. Instead of using a dedicated, real-world connection such as a leased line, a VPN uses “virtual” connections routed through the Internet from the company’s private network to the remote site or employee. A virtual private network can be contrasted with an expensive system of owned or leased lines that can only be used by one organization.

A VPN gateway offers secure, encrypted tunnels, extending the corporate network anywhere in the world. A VPN prevents eavesdropping and data tampering, protecting information confidentiality. A VPN protects data integrity, ensuring that no modifications were made to the data while in transit. A VPN supplies network connectivity over a possibly long physical distance. In this respect, a VPN is a form of Wide Area Network (WAN). VPN technologies implement restricted-access networks that utilize the same cabling and routers as a public network, and they do so without sacrificing features or basic security.


3.2 Why VPNs?

- Extend geographic connectivity
- Improve security
- Reduce operational costs versus traditional WAN
- Reduce transit time and transportation costs for remote users
- Improve productivity
- Simplify network topology
- Provide global networking opportunities
- Provide telecommuter support
- Provide broadband networking compatibility
- Provide faster ROI (return on investment) than traditional WAN

A well-designed VPN incorporates:

- Security
- Reliability
- Scalability
- Network management
- Policy management


VPN DEVICES AND TERMINOLOGY

The VPN devices are categorized as:

Customer

- Customer network (C-Network): part of the network under customer control.
- Customer (C) devices: C devices are simply devices such as routers and switches located within the customer network. These devices do not have direct connectivity to the service provider network.
- Customer Edge (CE) devices: CE devices are located at the edge of the customer network and connect to the provider network (via Provider Edge [PE] devices). This device is usually a router and is normally referred to as the CE router.

Provider

- Provider network (P-Network): the service provider infrastructure that is used to provide VPN services.
- Provider (P) device: the device in the P-Network with no customer connectivity and without any “knowledge” of the VPN. This device is usually a router.
- Provider Edge (PE) device: the device in the P-Network to which the CE devices are connected. This device is usually a router and is often referred to as the PE router.


3.3 TYPES OF VPN:

Remote-Access VPN

There are two common types of VPN. Remote-access, also called a virtual private dial-up network (VPDN), is a user-to-LAN connection used by a company that has employees who need to connect to the private network from various remote locations. Typically, a corporation that wishes to set up a large remote-access VPN will outsource to an enterprise service provider (ESP). The ESP sets up a network access server (NAS) and provides the remote users with desktop client software for their computers. The telecommuters can then dial a toll-free number to reach the NAS and use their VPN client software to access the corporate network.

A good example of a company that needs a remote-access VPN would be a large firm with hundreds of sales people in the field. Remote-access VPNs permit secure, encrypted connections between a company's private network and remote users through a third-party service provider.


1) SECURE VPNS:

Tunneling:

Tunneling is the transmission of data through a public network in such a way that routing nodes in the public network are unaware that the transmission is part of a private network. Tunneling is generally done by encapsulating the private network data and protocol information within the public network protocol data so that the tunneled data is not available to anyone examining the transmitted data frames. Tunneling allows the use of public networks (e.g. the Internet) to carry data on behalf of users as though they had access to a ‘private network’, hence the name. Secure VPNs use the tunneling mechanism to carry data on public Internet lines.

- IPSec (IP security) - commonly used over IPv4, and an obligatory part of IPv6.
- PPTP (Point-to-Point Tunneling Protocol), developed jointly by a number of companies, including Microsoft.
- L2TP (Layer 2 Tunneling Protocol), including work by both Microsoft and Cisco.
- L2TPv3 (Layer 2 Tunneling Protocol version 3).

Some large ISPs now offer “managed” VPN service for business customers who want the security and convenience of a VPN but prefer not to undertake administering a VPN server themselves. In addition to providing remote workers with secure access to their employer’s internal network, sometimes other security and management services are included as part of the package.

2) TRUSTED VPN:

Trusted VPNs do not use cryptographic tunneling, and instead rely on the security of a single provider’s network to protect the traffic. In a sense, these are an elaboration of traditional network and system administration work. Multi-Protocol Label Switching (MPLS) is often used to build trusted VPNs. L2F (Layer 2 Forwarding), developed by Cisco, can also be used.


3.4 VPN Protocols and Tunnels

Layer 3 tunneling protocols:

Internet Protocol Security Protocol (IPSec) provides enhanced security features such as better encryption algorithms and more comprehensive authentication.

A remote-access VPN utilizing IPSec

IPSec has two encryption modes: tunnel and transport. Tunnel encrypts the header and the payload of each packet while transport only encrypts the payload. Only systems that are IPSec compliant can take advantage of this protocol. Also, all devices must use a common key and the firewalls of each network must have very similar security policies set up.

IPSec can encrypt data between various devices, such as:

- Router to router
- Firewall to router
- PC to router
- PC to server


1) IPSec:

IPSec (IP Security) is a standardized framework for securing Internet Protocol (IP) communications by encrypting and/or authenticating each IP packet in a data stream. There are two modes of IPSec operation: transport mode and tunnel mode. In transport mode only the payload (message) of the IP packet is encrypted. It is fully routable since the IP header is sent as plain text. Transport mode is used for host-to-host communication. In tunnel mode, the entire IP packet is encrypted. It must then be encapsulated into a new IP packet for routing to work. Tunnel mode is used for network-to-network communications (secure tunnels between routers). Since encryption and encapsulation are done by routers/gateways, end systems need not support this. IPSec protocols operate at the network layer. This makes IPSec more flexible, as it can be used for protecting both TCP- and UDP-based protocols, but increases its complexity and processing overhead, as it cannot rely on TCP (layer 4) to manage reliability and fragmentation. The protocols used for securing traffic in IPSec are AH and ESP.

Authentication header (AH)

The AH is intended to guarantee connectionless integrity and data origin authentication of IP datagrams. Further, it can optionally protect against replay attacks by using the sliding window technique and discarding old packets. AH protects the IP payload and all header fields of an IP datagram except for mutable fields, i.e. those that might be altered in transit. In IPv4, mutable (and therefore unauthenticated) IP header fields include TOS, Flags, Fragment Offset, TTL and Header Checksum. AH operates directly on top of IP, using IP protocol number 51.
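An added worked example (not from the original document) of the AH integrity check described above: the IPv4 header's mutable fields (TOS, Flags, Fragment Offset, TTL, Header Checksum) are zeroed before the ICV is computed, so a router decrementing TTL in transit does not break verification while any change to an immutable field does, and a sliding replay window rejects re-sent sequence numbers. HMAC-SHA-256 truncated to 128 bits, IHL = 5 and the addresses and keys are assumptions for the demonstration, not values from the page.

```python
import hashlib
import hmac
import socket
import struct
from typing import Optional

AH_PROTOCOL = 51      # AH runs directly over IP as protocol number 51
IPV4_HDR_LEN = 20     # IHL = 5 (no IP options) is assumed throughout this example
AH_FIXED_LEN = 12     # Next Header, Payload Len, Reserved, SPI, Sequence Number
ICV_LEN = 16          # HMAC-SHA-256 truncated to 128 bits: an assumed algorithm choice


def build_ipv4_header(src: str, dst: str, ttl: int, proto: int, total_len: int,
                      tos: int = 0, ident: int = 0, flags_frag: int = 0) -> bytes:
    # Header Checksum is left as 0: it is mutable and excluded from the ICV anyway.
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, ident, flags_frag,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def zero_mutable_fields(ip_hdr: bytes) -> bytes:
    """Zero the IPv4 fields the text lists as mutable (TOS, Flags, Fragment Offset,
    TTL, Header Checksum); every other field stays and is covered by the ICV."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # TOS
    h[6:8] = b"\x00\x00"      # Flags + Fragment Offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # Header Checksum
    return bytes(h)


def ah_header(next_header: int, spi: int, seq: int, icv: bytes) -> bytes:
    payload_len = (AH_FIXED_LEN + len(icv)) // 4 - 2   # AH length in 32-bit words, minus 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def compute_icv(ip_hdr, next_header, spi, seq, payload, key) -> bytes:
    """ICV over immutable IP header fields + AH header (ICV zeroed) + payload."""
    covered = (zero_mutable_fields(ip_hdr)
               + ah_header(next_header, spi, seq, b"\x00" * ICV_LEN) + payload)
    return hmac.new(key, covered, hashlib.sha256).digest()[:ICV_LEN]


def ah_protect(src, dst, ttl, next_header, payload, spi, seq, key) -> bytes:
    """Transport-mode AH: IP header (Protocol = 51) + AH header + original payload."""
    total_len = IPV4_HDR_LEN + AH_FIXED_LEN + ICV_LEN + len(payload)
    ip_hdr = build_ipv4_header(src, dst, ttl, AH_PROTOCOL, total_len)
    icv = compute_icv(ip_hdr, next_header, spi, seq, payload, key)
    return ip_hdr + ah_header(next_header, spi, seq, icv) + payload


class ReplayWindow:
    """Sliding window over sequence numbers: packets older than the window, or
    already seen inside it, are rejected (RFC 4302 style)."""

    def __init__(self, size: int = 64) -> None:
        self.size, self.top, self.bitmap = size, 0, 0   # bit i set => seq top-i was seen

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:
            return False                      # 0 is never valid with anti-replay on
        if seq > self.top:                    # newer than anything seen: slide window
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        if seq <= self.top - self.size:
            return False                      # fell off the left edge: too old
        bit = 1 << (self.top - seq)
        if self.bitmap & bit:
            return False                      # duplicate inside the window
        self.bitmap |= bit
        return True


def ah_receive(packet: bytes, key: bytes, window: Optional[ReplayWindow] = None) -> str:
    """Receiver checks in AH order: parse, verify ICV, then anti-replay (if enabled).
    Returns 'accepted' or 'discarded: <reason>'."""
    if len(packet) < IPV4_HDR_LEN + AH_FIXED_LEN + ICV_LEN or packet[0] != 0x45:
        return "discarded: malformed packet"
    ip_hdr = packet[:IPV4_HDR_LEN]
    if ip_hdr[9] != AH_PROTOCOL:
        return "discarded: not an AH packet"
    next_header, payload_len, _, spi, seq = struct.unpack(
        "!BBHII", packet[IPV4_HDR_LEN:IPV4_HDR_LEN + AH_FIXED_LEN])
    ah_end = IPV4_HDR_LEN + (payload_len + 2) * 4
    icv, payload = packet[IPV4_HDR_LEN + AH_FIXED_LEN:ah_end], packet[ah_end:]
    if not hmac.compare_digest(icv, compute_icv(ip_hdr, next_header, spi, seq, payload, key)):
        return "discarded: ICV mismatch"
    if window is not None and not window.check_and_update(seq):
        return "discarded: replayed or stale sequence number"
    return "accepted"


def hop_forward(packet: bytes) -> bytes:
    """Simulate a router on the path: decrement TTL, one of the mutable fields."""
    p = bytearray(packet)
    p[8] -= 1
    return bytes(p)
```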

Encapsulating Security Payload (ESP)

The ESP protocol provides origin authenticity, integrity, and confidentiality protection of a packet. ESP also supports encryption-only and authentication-only configurations, but using encryption without authentication is strongly discouraged because it is insecure.[2][3][4] Unlike AH, the IP packet header is not protected by ESP. (Although in tunnel mode ESP, protection is afforded to the whole inner IP packet, including the inner header; the outer header remains unprotected.) ESP operates directly on top of IP, using IP protocol number 50.


2) GRE:

Generic Routing Encapsulation (GRE) is a protocol designed for performing encapsulation of one network layer protocol (for example, IP or IPX) over another network layer protocol (for example, IP). GRE uses tunneling technology and serves as a Layer 3 tunneling protocol for virtual private networks (VPNs).

A tunnel is a virtual point-to-point connection for transferring encapsulated packets. Packets are encapsulated at one end of the tunnel and decapsulated at the other end.

Operation of GRE

A packet transferred through a tunnel undergoes an encapsulation process and a decapsulation process. Figure 1-1 depicts the network used to illustrate these two processes.

Figure 1 IPX networks interconnected through the GRE tunnel

I. Encapsulation process

1) After receiving an IPX packet through the interface connected to IPX network Group 1, Router A submits it to the IPX module for processing.
2) The IPX module checks the destination address field in the IPX header to determine how to route the packet.
3) If the packet must be tunneled to reach its destination, Router A sends it to the tunnel interface.
4) Upon receipt of the packet, the tunnel interface encapsulates it in a GRE packet and submits it to the IP module.
5) The IP module encapsulates the packet in an IP packet, and then forwards the IP packet out through the corresponding network interface based on its destination address and the routing table.

II. Format of an encapsulated packet

Figure 1-2 shows the format of an encapsulated packet.


Figure 3 Format of an IPX packet encapsulated for transmission over an IP tunnel

These are the involved terms:

- Payload: Packet that needs to be encapsulated and routed.
- Passenger protocol: Protocol that the payload packet uses, IPX in the example.
- Encapsulation or carrier protocol: Protocol used to encapsulate the payload packet, that is, GRE.
- Delivery or transport protocol: Protocol used to encapsulate the GRE packet and to forward the resulting packet to the other end of the tunnel, IP in this example.

Depending on the transport protocol, two tunnel modes are present: GRE over IPv4 and GRE over IPv6.

III. Decapsulation process

Decapsulation is the reverse process of encapsulation:

1) Upon receiving an IP packet from the tunnel interface, Router B checks the destination address.
2) If the destination is itself, Router B strips off the IP header of the packet and submits the resulting packet to the GRE module.
3) The GRE module checks the key, checksum and sequence number, and then strips off the GRE header and submits the payload to the IPX module.
4) The IPX module performs the subsequent forwarding processing for the packet.

Encapsulation and decapsulation processes on both ends of the GRE tunnel and the resulting increase in data volumes will degrade the forwarding efficiency for the GRE-enabled device to some extent.

GRE Security Options:

For the purpose of tunnel security, GRE provides two options: tunnel interface key and end-to-end checksum. According to RFC 1701,

If the Key Present field of a GRE packet header is set to 1, the Key field carries the key for the receiver to authenticate the source of the packet. This key must be the same at both ends of a tunnel. Otherwise, packets delivered over the tunnel will be discarded.

If the Checksum Present bit of a GRE packet header is set to 1, the Checksum field contains valid information. The sender calculates the checksum for the GRE header and the payload and sends the packet containing the checksum to the peer. The receiver calculates the checksum for the received packet and compares it with that carried in the packet. If the checksums are the same, the receiver considers the packet intact and continues to process the packet. Otherwise, the receiver discards the packet.

Due to the GRE encapsulation/decapsulation process respectively executed on both ends of the tunnels and the resulting increase in data volume, the forwarding efficiency of routers using GRE is degraded to some extent.
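The encapsulation and decapsulation steps from "Operation of GRE" together with the Key and Checksum checks from the security options above, as an added example that is not code from the original document or from any router vendor: Router A's tunnel interface wraps a passenger packet in a GRE header with the Key and Checksum fields set (RFC 1701 layout), and Router B's GRE module verifies the checksum and the key before stripping the header, discarding the packet on a mismatch. The passenger bytes and tunnel key are constructed sample values; the sequence-number option is parsed but not checked.

```python
import struct
from typing import Optional, Tuple

# Bits of the first 16-bit word of the GRE header (RFC 1701 / RFC 2784 layout)
GRE_CHECKSUM_PRESENT = 0x8000   # C bit: Checksum field (and Reserved1) follow
GRE_KEY_PRESENT = 0x2000        # K bit: Key field follows
GRE_SEQ_PRESENT = 0x1000        # S bit: Sequence Number field follows
GRE_VERSION_MASK = 0x0007       # Version must be 0 for plain GRE
ETHERTYPE_IPV4 = 0x0800         # Protocol Type for an IPv4 passenger packet


class GreError(ValueError):
    """Raised when Router B must discard a tunneled packet."""


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, the algorithm GRE's Checksum field uses."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_encapsulate(payload: bytes, proto: int, key: Optional[int] = None,
                    with_checksum: bool = False) -> bytes:
    """Router A's tunnel interface: wrap the passenger packet in a GRE header.

    After the 4-byte fixed header come Checksum/Reserved1, then Key, in the order
    RFC 1701 lays them out. The checksum covers the GRE header plus payload with
    the Checksum field itself zeroed."""
    flags = 0
    options = b""
    if with_checksum:
        flags |= GRE_CHECKSUM_PRESENT
        options += struct.pack("!HH", 0, 0)       # Checksum placeholder, Reserved1
    if key is not None:
        flags |= GRE_KEY_PRESENT
        options += struct.pack("!I", key & 0xFFFFFFFF)
    header = struct.pack("!HH", flags, proto) + options
    if with_checksum:
        csum = internet_checksum(header + payload)
        header = header[:4] + struct.pack("!H", csum) + header[6:]
    return header + payload


def gre_decapsulate(packet: bytes, expected_key: Optional[int]) -> Tuple[int, bytes]:
    """Router B's GRE module: verify checksum and key, then strip the GRE header.

    Returns (protocol type, payload). Raises GreError on any check that RFC 1701
    says must lead to the packet being discarded."""
    if len(packet) < 4:
        raise GreError("truncated GRE header")
    flags, proto = struct.unpack("!HH", packet[:4])
    if flags & GRE_VERSION_MASK:
        raise GreError("unsupported GRE version")
    pos = 4
    key = None
    if flags & GRE_CHECKSUM_PRESENT:
        pos += 4
    if flags & GRE_KEY_PRESENT:
        if len(packet) < pos + 4:
            raise GreError("truncated Key field")
        key = struct.unpack("!I", packet[pos:pos + 4])[0]
        pos += 4
    if flags & GRE_SEQ_PRESENT:
        pos += 4                                   # sequence checking not modelled here
    if len(packet) < pos:
        raise GreError("truncated GRE header")
    # Checksum check: an intact packet sums to zero once the stored checksum is included.
    if flags & GRE_CHECKSUM_PRESENT and internet_checksum(packet) != 0:
        raise GreError("checksum mismatch")
    # Key check: the key must be identical at both tunnel ends (or absent at both).
    if key != expected_key:
        raise GreError("key mismatch")
    return proto, packet[pos:]


def receive_status(packet: bytes, expected_key: Optional[int]) -> str:
    """Router B's decision for one packet: 'accepted' or 'discarded: <reason>'."""
    try:
        gre_decapsulate(packet, expected_key)
    except GreError as err:
        return "discarded: " + str(err)
    return "accepted"


if __name__ == "__main__":
    # Constructed sample: a fake IPv4 passenger packet and a shared tunnel key.
    passenger = b"\x45\x00" + b"constructed IPv4 passenger packet"
    tunnel_key = 0x0000BEEF
    pkt = gre_encapsulate(passenger, ETHERTYPE_IPV4, key=tunnel_key, with_checksum=True)
    print("GRE header:", pkt[:12].hex())
    print("same key:", receive_status(pkt, tunnel_key))
    print("wrong key:", receive_status(pkt, 0x00000001))
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 0x01])
    print("flipped payload bit:", receive_status(tampered, tunnel_key))
```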

GRE Applications:

GRE supports these types of applications:

- Multi-protocol communications through a single-protocol backbone
- Scope enlargement of the network running a hop-limited protocol
- VPN creation by connecting discontinuous subnets
- GRE-IPSec tunnel application


I. Multi-protocol communications through a single-protocol backbone

Figure 4 Multi-protocol communications through a single-protocol backbone

In the example shown in Figure 1-4, Group 1 and Group 2 are local networks running Novell IPX, while Team 1 and Team 2 are local networks running IP. Through the GRE tunnel between Router A and Router B, Group 1 can communicate with Group 2 and Team 1 can communicate with Team 2. They will not interfere with each other.

II. Scope enlargement of the network running a hop-limited protocol

Figure 5 Scope enlargement of the network

When the hop count between two terminals exceeds 15, the terminals cannot communicate with each other. Using GRE, you can hide some hops so as to enlarge the scope of the network.

III. VPN creation by connecting discontinuous subnets


Figure 6 Connect discontinuous subnets with a tunnel to form a VPN

In the example shown in Figure 1-6, Group 1 and Group 2 running Novell IPX are deployed in different cities. They can constitute a trans-WAN virtual private network (VPN) through the tunnel.

IV. GRE-IPSec tunnel application

Figure 7 GRE-IPSec tunnel application

Working with IPSec, GRE allows data packets like routing protocol, voice, and video packets to be first encapsulated by GRE and then encrypted by IPSec.

Layer 2 tunneling protocols:

1) PPTP - Point-to-Point Tunneling Protocol

PPTP extends the Point to Point Protocol (PPP) standard for traditional dial-up networking. PPTP is best suited for the remote access applications of VPNs, but it also supports LAN internetworking. PPTP operates at Layer 2 of the OSI model. PPTP packages data within PPP packets, then encapsulates the PPP packets within IP packets (datagrams) for transmission through an Internet-based VPN tunnel. PPTP supports data encryption and compression of these packets. PPTP also uses a form of Generic Routing Encapsulation (GRE) to get data to and from its final destination.

PPTP-based Internet remote access VPNs are by far the most common form of PPTP VPN. In this environment, VPN tunnels are created via the following two-step process:

1. The PPTP client connects to their ISP using PPP dial-up networking (traditional modem or ISDN).

2. Via the broker device (described earlier), PPTP creates a TCP control connection between the VPN client and VPN server to establish a tunnel. PPTP uses TCP port 1723 for these connections.

PPTP also supports VPN connectivity via a LAN. ISP connections are not required in this case, so tunnels can be created directly as in Step 2 above.

Once the VPN tunnel is established, PPTP supports two types of information flow:

1) Control messages for managing and eventually tearing down the VPN connection. Control messages pass directly between VPN client and server.

2) Data packets that pass through the tunnel, to or from the VPN client.

PPTP supports authentication, encryption, and packet filtering. PPTP authentication uses PPP-based protocols like EAP, CHAP, and PAP. PPTP supports packet filtering on VPN servers. Intermediate routers and other firewalls can also be configured to selectively filter PPTP traffic.

2) L2TP (Layer 2 Tunneling Protocol) -

Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs). L2TP has its origins primarily in two older tunneling protocols for PPP: Cisco’s Layer 2 Forwarding (L2F) and Microsoft’s Point-to-Point Tunneling Protocol (PPTP).

Description:

L2TP acts like a data link layer (layer 2 of the OSI model) protocol for tunneling network traffic between two peers over an existing network (usually the Internet). L2TP is in fact a session layer (layer 5) protocol, and uses the registered UDP port 1701. The entire L2TP packet, including payload and L2TP header, is sent within a UDP datagram. It is common to carry Point-to-Point Protocol (PPP) sessions within an L2TP tunnel. L2TP does not provide confidentiality or strong authentication by itself. IPSec is often used to secure L2TP packets by providing confidentiality, authentication and integrity. The combination of these two protocols is generally known as L2TP/IPSec (discussed below).

The two endpoints of an L2TP tunnel are called the LAC (L2TP Access Concentrator) and the LNS (L2TP Network Server). The LAC is the initiator of the tunnel while the LNS is the server, which waits for new tunnels. Once a tunnel is established, the network traffic between the peers is bidirectional. To be useful for networking, higher-level protocols are then run through the L2TP tunnel. To facilitate this an L2TP session (or call) is established within the tunnel for each higher-level protocol such as PPP. Either the LAC or LNS may initiate sessions. The traffic for each session is isolated by L2TP, so it is possible to set up multiple virtual networks across a single tunnel. MTU should be considered when implementing L2TP.

The packets exchanged within an L2TP tunnel are categorized as either control packets or data packets. L2TP provides reliability features for the control packets, but no reliability for data packets. Reliability, if desired, must be provided by the nested protocols running within each session of the L2TP tunnel.

Tunneling Models:

An L2TP tunnel can extend across an entire PPP session or only across one segment of a two-segment session. This can be represented by four different tunneling models, namely

I. voluntary tunnel

II. compulsory tunnel — incoming call

III. compulsory tunnel — remote dial

IV. L2TP multi-hop connection

1) In the voluntary tunnel model, a tunnel is created by the user, typically by the use of an L2TP enabled client which is called the LAC client. The user will send L2TP packets to the Internet Service Provider (ISP) which will forward them on to the LNS. The ISP does not need to support L2TP; it only forwards the L2TP packets between LAC and LNS. The LAC client acts as an L2TP tunnel initiator which effectively resides on the same system as the remote client. The tunnel extends across the entire PPP session from the L2TP client to the LNS.

2) In the compulsory tunnel model (incoming call), a tunnel is created between the ISP LAC and the LNS home gateway. The company may provide the remote user with a Virtual Private Network (VPN) login account from which he can access the corporate server. As a result the user will send PPP packets to the ISP (LAC) which will encapsulate them in L2TP and tunnel them to the LNS. In the compulsory tunneling cases, the ISP must be L2TP capable. In this model the tunnel only extends across the segment of the PPP session between the ISP and the LNS.

3) In the compulsory tunnel model (remote dial), the home gateway (LNS) initiates a tunnel to an ISP (LAC) (outgoing call) and instructs the ISP to place a local call to the PPP enabled client which is the remote user. This model is intended for cases where the remote PPP Answer Client has a permanently established phone number with an ISP. This model is expected to be used when a company with established presence on the Internet needs to establish a connection to a remote office that requires a dial-up link. In this model the tunnel only extends across the segment of the PPP session between the LNS and the ISP.

4) An L2TP Multi-hop connection is a way of redirecting L2TP traffic on behalf of client LACs and LNSs. A Multi-hop connection is established using an L2TP Multi-hop gateway. A tunnel is established from a client LAC to the L2TP Multi-hop gateway and then another tunnel is established between the L2TP Multi-hop gateway and a target LNS. L2TP traffic between client LAC and LNS is redirected to each other through the gateway.

3) L2TPv3 (Layer 2 Tunneling Protocol version 3) -


Layer 2 Tunneling Protocol Version 3 is a draft version of L2TP that is proposed as an alternative protocol to MPLS for encapsulation of multiprotocol Layer 2 communications traffic over IP networks. Like L2TP, L2TPv3 provides a ‘pseudo-wire’ service, but scaled to fit carrier requirements.

L2TPv3 can be regarded as being to Multiprotocol Label Switching (MPLS) what IP is to ATM: a simplified version of the same concept, with much of the goodness achieved with a fraction of the effort, at the cost of losing some technical features considered less important in the market. In the case of L2TPv3, the features lost are teletraffic engineering features considered important in MPLS. The protocol overhead of L2TPv3 is also significantly bigger than that of MPLS. However, there is no reason why these features could not be re-engineered in or on top of L2TPv3 in later products. L2TPv3 is emerging as a lightweight yet robust alternative to creating Layer 2 VPNs across MPLS and pure IP backbones.

L2TPv3, an extension of L2TP, is a stateless protocol with no inherent signaling or keep-alive mechanism. L2TP, originally defined in RFC 2661, was designed to provide dynamic tunneling for multiple Layer 2 circuits across packet-oriented data networks. It describes a standard method of tunneling that lets circuit-like connections across one or many Layer 3 networks appear as point-to-point or point-to-multipoint links between customer locations. The base L2TP protocol consists of a control protocol for dynamic creation, maintenance and tear-down of L2TP sessions, and data encapsulation to multiplex and demultiplex Layer 2 data streams between IP-connected nodes.

L2TP has been focused on narrowband dial-up protocols. L2TPv3 extends L2TP by letting it run on higher-speed devices such as routers because of reduced overhead and the related decrease in processing chores. It also adds important new features such as increasing the session and tunnel ID space from 16 to 32 bits, which dramatically increases the number of tunnels from 65,000 to more than 4 billion.
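As an added example that is not from the original document, the following Python decodes L2TP headers the way a network monitor watching UDP port 1701 would: it separates control messages from data messages (the categorisation described earlier) and reads the 16-bit tunnel and session IDs of L2TPv2 alongside the 32-bit identifiers of L2TPv3 over UDP. The sample datagrams and the function name are constructed for the example.

```python
import struct

# Added example, not from the original document: decode the L2TP header of a datagram seen
# on UDP port 1701, classify it as control or data, and pull out the identifiers
# (RFC 2661 for L2TPv2, RFC 3931 for L2TPv3 over UDP). Sample datagrams are constructed.
T_BIT, L_BIT, S_BIT, O_BIT = 0x8000, 0x4000, 0x0800, 0x0200

def parse_l2tp(datagram):
    """Return a dict describing the header; raise ValueError on malformed input."""
    (flags,) = struct.unpack("!H", datagram[:2])
    ver, control = flags & 0x000F, bool(flags & T_BIT)
    info = {"version": ver, "kind": "control" if control else "data"}
    if control and not (flags & L_BIT and flags & S_BIT):
        raise ValueError("control messages must carry Length and Ns/Nr")
    pos = 2
    if ver == 2:  # 16-bit Tunnel ID and Session ID
        if flags & L_BIT:
            (info["length"],) = struct.unpack("!H", datagram[pos:pos + 2]); pos += 2
        info["tunnel_id"], info["session_id"] = struct.unpack("!HH", datagram[pos:pos + 4]); pos += 4
    elif ver == 3:  # over UDP: Length (control) or Reserved (data), then one 32-bit identifier
        if control:
            (info["length"],) = struct.unpack("!H", datagram[2:4])
        (ident,) = struct.unpack("!I", datagram[4:8]); pos = 8
        info["control_connection_id" if control else "session_id"] = ident
    else:
        raise ValueError("unsupported L2TP version %d" % ver)
    if flags & S_BIT:
        info["ns"], info["nr"] = struct.unpack("!HH", datagram[pos:pos + 4]); pos += 4
    if ver == 2 and flags & O_BIT:  # Offset Size plus padding precede the data
        (offset,) = struct.unpack("!H", datagram[pos:pos + 2]); pos += 2 + offset
    if "length" in info and info["length"] != len(datagram):
        raise ValueError("Length %d does not match datagram size %d" % (info["length"], len(datagram)))
    info["payload"] = datagram[pos:]  # control AVPs, or the nested (PPP) frame for data messages
    return info

# Constructed datagrams: a v2 SCCRQ control message (tunnel 0), a v2 data message in
# tunnel 0x1234 / session 0x5678 carrying a PPP LCP frame, and a v3 data message.
SAMPLE_V2_CONTROL = bytes.fromhex("c802001400000000000000008008000000000001")
SAMPLE_V2_DATA = bytes.fromhex("480200101234567800010001ff03c021")
SAMPLE_V3_DATA = bytes.fromhex("000300000badcafeff03c021")

if __name__ == "__main__":
    for pkt in (SAMPLE_V2_CONTROL, SAMPLE_V2_DATA, SAMPLE_V3_DATA):
        print(parse_l2tp(pkt))
```

For L2TPv3 data messages the cookie, if one was negotiated, sits at the start of the returned payload, since its length is not carried in the header.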

With L2TPv3, the physical interface connecting to a customer’s network becomes the tunnel ingress/egress interface. Consequently, traffic does not need to be routed into the tunnel by the provider’s router. As packets arrive at the interface, they are encapsulated and forwarded directly toward the remote tunnel endpoint. Once received and de-encapsulated, the original packet can be forwarded out of the egress interface if the tunnel identifier is recognized by the router. If it isn’t, the packet is discarded.

With L2TPv3, companies reap lower-cost services because carriers can offer frame relay, ATM and Ethernet over a common IP backbone - radically lowering capital and operational costs. And because L2TPv3 adds no new requirements to the IP transport infrastructure, it is inherently easier and simpler to implement and support, because network staff is familiar with IP.
