Introduction to Virtual Networks: a Cisco view
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA.
3051112_06F9_c2 © 1999, Cisco Systems, Inc.
Introduction to Virtual Private Networks
Session 305
Agenda
• Scope of this Session
• Intro and History of VPNs
• VPN Technology Building Blocks
• Basic VPN Architectures
• Next Generation VPN Solutions
Scope of this Session
• Provide a basic understanding of the component technologies relevant to VPNs
• Show how these technologies fit together to provide today's VPN solutions
• Speculate on some of the VPN advances that may come along in the near future
• For further info attend Dave Phillip's Level 2 session, Deploying VPN Solutions (Session 313)
What Is a VPN Service?
A "VPN service" is a service which offers secure, reliable connectivity over a shared public network infrastructure such as the Internet. Because the infrastructure is "shared", connectivity can be provided at lower cost than existing dedicated private networks.
A VPN Analogy!
Traditional VPNs
[Figure: an Enterprise site with a DMZ (Web servers, DNS server, SMTP mail relay) and an AAA server, connected through a Frame Relay service provider over T1, 128K, 64K and 56K links to a Regional Office and Remote Offices, and across an IP network through a GRE tunnel]
What's Driving VPN Offerings
• Reduced networking costs
• Increased network flexibility
VPN Building Blocks
[Figure: Tunneling, Security, QoS, Management, Provisioning]
Tunneling Types
• Compulsory or Voluntary
• Layer 2 / Layer 3
Tunneling Comparison: Layer 2 vs. Layer 3

Layer 3 tunneling (e.g. GRE, IPSec)
• IP centric
• Less integrated solutions
• Solutions still in definition stage

Layer 2 tunneling (e.g. L2TP, PPTP)
• Centers on PPP
• Multiprotocol
• Integrated with existing access technologies
Generic Routing Encapsulation (GRE)
[Figure: the passenger protocol (network packet) is wrapped in the carrier protocol (GRE), which is wrapped in the transport protocol (IP), and carried across the IP network through a GRE tunnel]
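To make the passenger / carrier / transport layering concrete, here is an added Python example (written for this page, not code from the original deck or from Cisco IOS) that builds an RFC 2784 GRE packet around a passenger IPv4 packet and takes it apart again. The IPv4 header builder is simplified (no options, checksum left zero), and the addresses and payload are constructed for the example. The last function is the point a practitioner should keep in mind: GRE carries the passenger in clear text, so a GRE tunnel on its own is connectivity, not security; the Security building block (IPSec) has to be layered on top.

```python
import socket
import struct

GRE_PROTO = 47           # IPv4 "protocol" value that tells the transport layer "GRE follows"
ETHERTYPE_IPV4 = 0x0800  # GRE "protocol type" announcing an IPv4 passenger packet


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; header checksum is left zero (simplification)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def gre_header(proto_type: int = ETHERTYPE_IPV4) -> bytes:
    """RFC 2784 base header: C bit clear, version 0, followed by the passenger protocol type."""
    return struct.pack("!HH", 0x0000, proto_type)


def gre_encapsulate(passenger: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Carrier (GRE) wraps the passenger; transport (outer IPv4) wraps the carrier."""
    carrier = gre_header() + passenger
    return ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(carrier)) + carrier


def gre_decapsulate(packet: bytes) -> tuple:
    """Strip transport and carrier headers; return (tunnel_src, tunnel_dst, proto_type, passenger)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_PROTO:
        raise ValueError("transport header does not carry GRE")
    flags, proto_type = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0x0007:
        raise ValueError("only GRE version 0 (RFC 2784) is handled")
    hdr_len = 4 + (4 if flags & 0x8000 else 0)   # checksum + reserved1 present when the C bit is set
    return (socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20]),
            proto_type, packet[ihl + hdr_len:])


def payload_visible(packet: bytes, marker: bytes) -> bool:
    """GRE adds no confidentiality or integrity: the passenger rides in clear text."""
    return marker in packet


# Constructed example: a private-address UDP packet (protocol 17) crossing the public IP network
# between two tunnel endpoints with public addresses.
PASSENGER = ipv4_header("10.1.1.1", "10.2.2.2", 17, 5) + b"hello"
TUNNELED = gre_encapsulate(PASSENGER, "198.51.100.1", "203.0.113.1")
```

Run on the constructed packet, the tunneled frame is 24 bytes longer than the passenger (20-byte outer IP header plus the 4-byte GRE header), the outer protocol field reads 47, and the private 10.x addresses and the payload are all readable to anyone on the shared network.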
Voluntary Tunnel Model (client-initiated)
[Figure: client sends PPP | VPDN | DATA to the LAC, which forwards VPDN | DATA to the LNS]
• Client software wraps data in the tunneling protocol, then in the transport protocol
• Transparent to the LAC

Compulsory Tunnel Model (LAC-initiated)
[Figure: client sends PPP | DATA to the LAC, which wraps it and forwards VPDN | DATA to the LNS]
• Generic PPP-encapsulated data from any standard client; the LAC builds the tunnel
PPP Tunneling
• L2TP
• PPTP
• PPPoE
L2TP
[Figure: tunnel from the LAC to the LNS]
• L2TP is an IETF draft moving towards standards status (published as RFC 2661 in August 1999)
• Mostly used in compulsory (LAC-initiated) mode
• Some third-party clients available
Microsoft Point-to-Point Tunneling Protocol (PPTP)
[Figure: tunnel from the LAC to the LNS]
• An informational RFC (RFC 2637)
• Primarily used in voluntary (client-initiated) mode
• Widely available clients: Win95, Win98, NT, third parties
PPP over Ethernet (PPPoE)
• Informational RFC (RFC 2516)
• Primarily used in xDSL environments
[Figure: Host 1 and Host 2 run PPPoE client software on the home LAN; the DSL CPE runs RFC 1483 bridge mode to the DSLAM over an ATM PVC; the LAC terminates the PPP sessions and tunnels them, with routing to the ISP or the Corporate network]
Key benefits
• Preservation of the dial model: PPP session-based communication
• Leverages existing Ethernet-based infrastructure
• Allows multiple PPP sessions to be initiated within the home LAN
• Enables destination selection
• DSL modem independent (must run RFC 1483 bridging)
VPN Security
• IPSec
• MPPE
IPSec Transport Mode
[Figure: Router LEFT and Router RIGHT across an IP network. Original packet: IP HDR | Data. Transport mode: IP HDR | IPSec HDR | Data, where the Data may be encrypted and the original IP header stays in the clear]
IPSec Tunnel Mode
[Figure: Router LEFT and Router RIGHT at service providers SP 1 and SP 2. Original packet: IP HDR | Data. Tunnel mode: New IP HDR | IPSec HDR | IP HDR | Data, where the original IP header and the Data may be encrypted]
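As an added example (written for this page, not code from the deck or from any IPSec implementation), the following Python models how ESP protects a packet in the two modes drawn on these two slides. The cipher is a stand-in (HMAC-SHA256 run in counter mode) so the example runs on the standard library alone, ESP padding is omitted, and the IPv4 header builder is simplified; the addresses, keys and payload are constructed. What the example makes visible is the distinction the slides draw: in transport mode the original IP header, and therefore the two communicating hosts, stays readable to the shared network, while in tunnel mode only Router LEFT and Router RIGHT appear on the wire. The ICV is checked before anything is decrypted, which is the property MPPE on a later slide does not have.

```python
import hashlib
import hmac
import os
import socket
import struct

ESP_PROTO = 50   # IPv4 "protocol" value for ESP
IPIP_PROTO = 4   # ESP "next header" value when the payload is a whole IPv4 packet (tunnel mode)


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; header checksum left zero (simplification)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Stand-in cipher (HMAC-SHA256 in counter mode). Assumption for this example only:
    a real ESP security association would negotiate AES-CBC or AES-GCM."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def esp_protect(mode: str, enc_key: bytes, auth_key: bytes, ip_packet: bytes,
                outer_src: str = None, outer_dst: str = None, spi: int = 0x1000, seq: int = 1) -> bytes:
    """Transport mode: keep the original IP header, encrypt only what follows it.
    Tunnel mode: encrypt the whole original packet, header included, behind a new outer header."""
    ihl = (ip_packet[0] & 0x0F) * 4
    if mode == "transport":
        plain, next_header = ip_packet[ihl:], ip_packet[9]
    elif mode == "tunnel":
        plain, next_header = ip_packet, IPIP_PROTO
    else:
        raise ValueError("mode must be 'transport' or 'tunnel'")
    iv = os.urandom(8)
    trailer = plain + bytes([0, next_header])            # pad length 0 (padding omitted), next header
    body = struct.pack("!II", spi, seq) + iv + _xor(trailer, _keystream(enc_key, iv, len(trailer)))
    esp = body + hmac.new(auth_key, body, hashlib.sha256).digest()[:16]   # ICV over SPI..ciphertext
    if mode == "transport":
        hdr = bytearray(ip_packet[:ihl])
        hdr[9] = ESP_PROTO
        struct.pack_into("!H", hdr, 2, ihl + len(esp))
        return bytes(hdr) + esp
    return ipv4_header(outer_src, outer_dst, ESP_PROTO, len(esp)) + esp


def esp_unprotect(enc_key: bytes, auth_key: bytes, packet: bytes) -> bytes:
    """Verify the ICV first, then decrypt; returns the original IP packet."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != ESP_PROTO:
        raise ValueError("not an ESP packet")
    body, icv = packet[ihl:-16], packet[-16:]
    if not hmac.compare_digest(hmac.new(auth_key, body, hashlib.sha256).digest()[:16], icv):
        raise ValueError("ICV check failed: packet modified or wrong SA")
    iv, ct = body[8:16], body[16:]
    trailer = _xor(ct, _keystream(enc_key, iv, len(ct)))
    plain, next_header = trailer[:-2], trailer[-1]
    if next_header == IPIP_PROTO:                         # tunnel mode: the inner packet is complete
        return plain
    hdr = bytearray(packet[:ihl])                         # transport mode: restore the original header
    hdr[9] = next_header
    struct.pack_into("!H", hdr, 2, ihl + len(plain))
    return bytes(hdr) + plain


def outer_endpoints(packet: bytes) -> tuple:
    """What an observer on the shared network sees as source and destination."""
    return socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])


def tamper_detected(enc_key: bytes, auth_key: bytes, packet: bytes, offset: int) -> bool:
    """Flip one ciphertext bit in transit; the receiver must reject the packet."""
    forged = bytearray(packet)
    forged[offset] ^= 0x01
    try:
        esp_unprotect(enc_key, auth_key, bytes(forged))
    except ValueError:
        return True
    return False


# Constructed example: a host-to-host packet passing between Router LEFT and Router RIGHT.
ENC_KEY, AUTH_KEY = b"k" * 32, b"a" * 32
INNER = ipv4_header("10.1.1.1", "10.2.2.2", 17, 6) + b"secret"
TRANSPORT = esp_protect("transport", ENC_KEY, AUTH_KEY, INNER)
TUNNEL = esp_protect("tunnel", ENC_KEY, AUTH_KEY, INNER, "198.51.100.1", "203.0.113.1")
```

Both packets carry protocol 50 and decrypt back to the same inner packet, but `outer_endpoints` answers 10.1.1.1 and 10.2.2.2 for the transport-mode packet and the two gateway addresses for the tunnel-mode packet; that is the reason site-to-site VPNs between routers use tunnel mode.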
IPSec VPN Client Operation
[Figure: a remote user with an IPSec client reaches the home gateway router and home network across the public network; a certificate authority / AAA server sits behind the gateway]
• Dial access to the corporate network
• Exchange X.509 certificates or a one-time password
• IKE negotiation; authentication approved
• Secure tunnel established; encrypted data flows
Microsoft Point-to-Point Encryption (MPPE)
• RC4 encryption of PPP packets (confidentiality only: MPPE adds no integrity check)
• Used almost exclusively with PPTP
• Specified in an Internet-Draft (draft-ietf-pppext-mppe); RFC 2118 is the related Microsoft Point-to-Point Compression (MPPC) protocol
[Figure: PPTP tunnel to the LNS]
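Added example, not from the deck: what "RC4 encryption of PPP packets" buys and what it does not. RC4 as MPPE applies it is a keystream XOR with no integrity tag, so an attacker on the path who knows or guesses the plaintext at a given position can rewrite it without the session key simply by flipping ciphertext bits. The second half of the block shows the missing piece, an integrity tag over the ciphertext, which is what IPSec's ICV supplies. The session key, the integrity key and the PPP payload are constructed for the example; the RC4 test vector (key "Key", plaintext "Plaintext") is the commonly published one.

```python
import hashlib
import hmac


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key-scheduling algorithm + PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def mppe_like_encrypt(session_key: bytes, ppp_payload: bytes) -> bytes:
    """Confidentiality only, as in MPPE: ciphertext = RC4 keystream XOR payload, no tag."""
    return rc4(session_key, ppp_payload)


def flip_known_plaintext(ciphertext: bytes, offset: int, known: bytes, wanted: bytes) -> bytes:
    """An on-path attacker who knows the bytes at `offset` rewrites them without the key:
    XORing the ciphertext with known ^ wanted changes exactly those plaintext bytes."""
    forged = bytearray(ciphertext)
    for k, (a, b) in enumerate(zip(known, wanted)):
        forged[offset + k] ^= a ^ b
    return bytes(forged)


def encrypt_then_mac(session_key: bytes, mac_key: bytes, ppp_payload: bytes) -> bytes:
    """The fix MPPE lacks: an integrity tag computed over the ciphertext."""
    ct = rc4(session_key, ppp_payload)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def verify_then_decrypt(session_key: bytes, mac_key: bytes, frame: bytes) -> bytes:
    """Reject any frame whose tag does not match before touching the ciphertext."""
    ct, tag = frame[:-32], frame[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed")
    return rc4(session_key, ct)


def tampering_detected(session_key: bytes, mac_key: bytes, frame: bytes,
                       offset: int, known: bytes, wanted: bytes) -> bool:
    try:
        verify_then_decrypt(session_key, mac_key, flip_known_plaintext(frame, offset, known, wanted))
    except ValueError:
        return True
    return False


# Constructed example: an authorisation attribute carried inside the tunnel.
SESSION_KEY = bytes.fromhex("0123456789abcdef0123456789abcdef")
MAC_KEY = b"integrity-key-for-demo"
PAYLOAD = b"user=alice;role=user"   # "role=" value starts at byte offset 16
```

Flipping the four bytes at offset 16 from "user" to "root" in the MPPE-style frame decrypts cleanly to `user=alice;role=root` with nothing at the receiver to notice; the same flip on the tagged frame is rejected before decryption.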
VPNs and Quality of Service
• Optimize use of the WAN link
• Guarantee bandwidth for mission-critical applications
• Take advantage of differentiated services offered by the ISP
VPNs and Quality of Service
[Figure: Voice, Premium IP and Best Effort traffic from a site with a PBX enters the tunnel toward the AAA/CA site; only conforming traffic passes]
• Classification: CAR
• Policing: CAR
• Congestion avoidance: WRED
• Tunnel: L2TP, IPSec, GRE
Management and Provisioning
• Generic configuration
• AAA
• Policy management
• Certificate authorities
Architectures
So, How Does It All Go Together?
VPN Architectures
[Figure: Cisco IOS®]
VPN Architectures and Applications

Type           Application                                   Alternative To          Benefits
Access VPN     Remote connectivity                           Dedicated dial, ISDN    Ubiquitous access, lower cost
Intranet VPN   Internal corporate connectivity               Leased lines            Extend connectivity, lower cost
Extranet VPN   Business-to-business external connectivity    Fax, mail, EDI          Facilitates e-commerce
Access VPNs
[Figure: the Enterprise with its DMZ (Web servers, DNS server, SMTP mail relay) and AAA/CA is reached through Service Provider A by a Small Office and by a Mobile User or Corporate Telecommuter]
• Ubiquitous access: modem, ISDN, xDSL, cable
• Potential operations and infrastructure cost savings
• Compulsory or voluntary tunneling solutions
The Intranet VPN
[Figure: the Enterprise with its DMZ (Web servers, DNS server, SMTP mail relay) and AAA/CA is connected through Service Provider A to a Remote Office and a Regional Office]
• Extends the corporate IP network across a shared WAN
• Potential operations and infrastructure cost savings
The Extranet VPN
[Figure: the Enterprise with its DMZ (Web servers, DNS server, SMTP mail relay) and AAA/CA is connected through Service Provider A and Service Provider B to a Business Partner and a Supplier]
• Extends connectivity to business partners, suppliers and customers
• Security policy very important
The Complete VPN
[Figure: the Enterprise with its DMZ (Web servers, DNS server, SMTP mail relay) and AAA/CA is connected through Service Provider A and Service Provider B to a Supplier, a Business Partner, a Remote Office, a Regional Office, a Small Office, and a Mobile User or Corporate Telecommuter]
Deployment Alternatives

Service Provider Focused
• Service provider supplies the majority of the VPN solution: equipment, service, training, help desk

Collaborative
• Service provider supplies hardware and QoS on top of the bandwidth offering
• Enterprise manages security services, application and configuration management, and help desk support

Enterprise Focused
• Service provider supplies basic network access
• Enterprise supplies the VPN equipment and manages the network
Next Generation VPNs
• Multiservice VPNs
• MPLS VPNs
"Next generation networks must allow the corporation to thrive on change…" (The Burton Group)
Multiservice VPNs
[Figure: sites in London, Australia, Brazil and Tokyo connected over the Internet, carrying a live audio/video feed and stored video]
Multiservice VPNs
[Figure: the Enterprise with its DMZ (Web servers, DNS server, SMTP mail relay), AAA/CA and a PBX is connected through Service Provider A to a Regional Office, Remote Offices, and a Mobile User or Corporate Telecommuter]
MPLS VPNs
[Figure: Corp A Sites 1, 2 and 3 form the Corporate A MPLS VPN and Corp B Sites 1, 2 and 3 form the Corporate B MPLS VPN, both carried over the same MPLS network]
• Traffic separation by interface
• VPN membership based on interface and a unique RD (route distinguisher)
• Scalable, IETF standards based
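The two membership rules on this slide as an added Python model (written for this page; not IOS behaviour or Cisco code): on a provider edge router each customer gets its own VRF, the ingress interface decides which VRF a packet is looked up in, and the route distinguisher is prepended to every prefix so two customers that both use 10.1.0.0/24 remain distinct routes in the provider core. Names, interfaces, RD values and prefixes are constructed for the example; the model leaves out route targets and label allocation, which a real MPLS VPN also needs.

```python
from ipaddress import ip_address, ip_network


class VRF:
    """One customer's routing table on a PE router, tagged with its Route Distinguisher."""

    def __init__(self, name: str, rd: str):
        self.name, self.rd, self.routes = name, rd, {}

    def add_route(self, prefix: str, next_hop: str) -> None:
        self.routes[ip_network(prefix)] = next_hop

    def lookup(self, dst: str) -> str:
        addr = ip_address(dst)
        matches = [net for net in self.routes if addr in net]
        if not matches:
            raise LookupError(f"{dst} has no route in VRF {self.name}")
        return self.routes[max(matches, key=lambda n: n.prefixlen)]   # longest prefix match


class PE:
    """Provider edge: VPN membership is decided by the ingress interface, not by the IP header."""

    def __init__(self):
        self.vrfs = {}
        self.interface_vrf = {}

    def add_vrf(self, vrf: VRF) -> None:
        if any(v.rd == vrf.rd for v in self.vrfs.values()):
            raise ValueError(f"RD {vrf.rd} already in use; each VPN needs a unique RD")
        self.vrfs[vrf.name] = vrf

    def bind(self, interface: str, vrf_name: str) -> None:
        self.interface_vrf[interface] = vrf_name

    def vpnv4_routes(self) -> dict:
        """RD + prefix = VPNv4 route: identical customer prefixes stay distinct in the core."""
        return {(v.rd, str(p)): nh for v in self.vrfs.values() for p, nh in v.routes.items()}

    def forward(self, interface: str, dst: str) -> str:
        vrf_name = self.interface_vrf.get(interface)
        if vrf_name is None:
            raise LookupError(f"{interface} is not bound to any VRF")
        return self.vrfs[vrf_name].lookup(dst)


def unreachable(pe: PE, interface: str, dst: str) -> bool:
    """True when the PE has no path: an unbound interface, or a prefix that belongs to another VPN."""
    try:
        pe.forward(interface, dst)
    except LookupError:
        return True
    return False


def build_demo_pe() -> PE:
    """Constructed topology: Corp A and Corp B both number one of their sites as 10.1.0.0/24."""
    pe = PE()
    pe.add_vrf(VRF("CorpA", "65000:1"))
    pe.add_vrf(VRF("CorpB", "65000:2"))
    pe.bind("Gi0/1", "CorpA")
    pe.bind("Gi0/2", "CorpB")
    pe.vrfs["CorpA"].add_route("10.1.0.0/24", "CorpA-Site2-PE")
    pe.vrfs["CorpB"].add_route("10.1.0.0/24", "CorpB-Site3-PE")
    pe.vrfs["CorpB"].add_route("192.168.9.0/24", "CorpB-Site1-PE")
    return pe
```

The same destination, 10.1.0.7, is forwarded to Corp A's site when it arrives on Gi0/1 and to Corp B's site when it arrives on Gi0/2, a Corp A interface cannot reach a prefix that exists only in Corp B's VRF, and the VPNv4 table holds both 10.1.0.0/24 entries side by side because their RDs differ.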
Summary
[Figure: Core: scalability, standards based, platforms. Services: QoS, security, management. Future flexibility]
Other Useful Information

Cisco VPN Solutions
  http://www.cisco.com/warp/public/779/largeent/learn/technologies/vpn/
  http://www.cisco.com/warp/public/779/servpro/solutions/vpn/
IPSec
  http://www.cisco.com/warp/public/cc/cisco/mkt/security/encryp/tech/ipsec_wp.htm
MPPE
  http://search.ietf.org/internet-drafts/draft-ietf-pppext-mppe-03.txt
L2TP
  http://search.ietf.org/internet-drafts/draft-ietf-pppext-l2tp-15.txt
PPTP
  http://search.ietf.org/internet-drafts/draft-ietf-pppext-pptp-10.txt
Q & A

Thank You

Please Complete Your Evaluation Form
Session 305