
Chapter 3. VPNs in Broadband Networks

In this chapter, you learn about the following topics:

  • Criteria to Evaluate VPNs for Broadband Access

  • Operation and Configuration of Tunnel-Based VPN Solutions, Using Three Case Studies:

    Site VPN Using GRE Tunnels

    Telecommuter VPN Using IPSec Tunnels

    Infrastructure VPN Using L2TP Tunnels to Provide an Open Access Solution

  • Two Limited Solutions for Open Access Without Tunnels Using NAT and Policy-Based Routing

This chapter is really about tunnels. A lot of networks do not run MPLS, which creates a need to deliver VPN services over IP cores. These VPNs are typically built using point-to-point tunnels either between CPE routers or between provider routers.

Before taking a closer look at the world of tunnels, the chapter starts by reviewing some basic network design principles concerning tunnels and criteria to evaluate VPNs for broadband access applications for site, telecommuter, and wholesale applications.

The following sections cover the major IP-VPN tunneling solutions, namely generic routing encapsulation (GRE), IPSec, and L2TP. A case-study approach is used to look at each option, starting with a discussion of the technology used in the solution: how the protocol works, which RFCs define it, and so on. Then, you plunge into the details of the Cisco implementation, with examples of increasing sophistication that show you how to solve the problem defined by the case study under consideration. Finally, each solution is analyzed against the set of generic requirements of site, telecommuter, and wholesale VPNs.

The cases are as follows:

  • Site VPN: non-IP traffic (GRE)

  • Telecommuter VPN: VPN over anything (IPSec)

  • Infrastructure VPN: open access and wholesale situations (L2TP)

The same network is used for the GRE and IPSec examples, so once you understand the basic topology, you can quickly grasp what is going on in both the case studies. The focus of the L2TP case is just too different to be able to use exactly the same network, so there is a different topology.

Chapter 1, "Introduction: Broadband Access and Virtual Private Networks," introduced definitions of the various types of VPN. As a reminder, they are as follows:

  • Site-to-site VPN: A VPN that is used to connect different sites.

  • Telecommuter VPN: An individual subscriber, or very small network, that connects over a third-party network, such as the Internet, to its enterprise network.

  • Infrastructure VPN: A special case of a VPN that is used by a wholesale provider to transport subscriber traffic to its service provider of choice. Internet traffic may cross one or several infrastructure VPNs.

Note

The site-to-site solutions discussed in this chapter are all CPE based. The reason is simple: true network-based VPN solutions require support for overlapping IP address spaces. For example, two sites belonging to two different customers, each using the 192.168.1.0/24 subnet, can be connected to the same provider edge router. A single routing table cannot hold two different routes for the same prefix, so the router needs a private routing table per customer; private routing tables are discussed along with MPLS in Chapters 5, 6, and 7. With CPE-based tunnels the overlap never reaches the provider: the tunnel endpoints use unique (provider-assigned or public) addresses, and the customer's private addressing is visible only inside the tunnel.
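The following is an added illustration, not code from the book, of why overlapping customer address space forces a network-based VPN router to keep private routing tables. It models a provider edge router with a single global table and, alternatively, one table per customer selected by the ingress interface. The customer names, interface names, and next hops are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class RouteTable:
    """Minimal IPv4 routing table: prefix -> next hop, longest-prefix-match lookup."""
    routes: dict = field(default_factory=dict)

    def install(self, prefix, next_hop):
        net = ipaddress.ip_network(prefix)
        # A prefix can only point to one next hop in a given table. A second,
        # conflicting route for the same prefix is rejected rather than silently
        # overwriting the first customer's route.
        if net in self.routes and self.routes[net] != next_hop:
            raise ValueError(f"{net} already routes to {self.routes[net]}; "
                             f"cannot also route to {next_hop}")
        self.routes[net] = next_hop

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        matches = [n for n in self.routes if addr in n]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda n: n.prefixlen)]


class EdgeRouter:
    """Provider edge router. Interfaces bound to a VRF use that VRF's private
    table; everything else uses the single global table."""

    def __init__(self):
        self.global_table = RouteTable()
        self.vrf_tables = {}   # vrf name -> RouteTable
        self.iface_vrf = {}    # interface -> vrf name

    def bind_interface(self, iface, vrf):
        self.iface_vrf[iface] = vrf
        self.vrf_tables.setdefault(vrf, RouteTable())

    def table_for(self, iface):
        vrf = self.iface_vrf.get(iface)
        return self.vrf_tables[vrf] if vrf else self.global_table

    def forward(self, in_iface, dst):
        # Forwarding decision depends on where the packet came in, not only on
        # its destination address.
        return self.table_for(in_iface).lookup(dst)


def single_table_collision():
    """Network-based VPN with one shared table: the second customer's copy of
    192.168.1.0/24 cannot be installed. Returns True if the collision is caught."""
    r = EdgeRouter()
    r.global_table.install("192.168.1.0/24", "CustomerA-CPE")  # constructed
    try:
        r.global_table.install("192.168.1.0/24", "CustomerB-CPE")  # constructed
    except ValueError:
        return True
    return False


def per_customer_tables():
    """Private routing tables (one per customer) let both copies of
    192.168.1.0/24 coexist; the ingress interface selects the table."""
    r = EdgeRouter()
    r.bind_interface("Serial0/0", "CustomerA")  # constructed interface/VRF names
    r.bind_interface("Serial0/1", "CustomerB")
    r.table_for("Serial0/0").install("192.168.1.0/24", "CustomerA-CPE")
    r.table_for("Serial0/1").install("192.168.1.0/24", "CustomerB-CPE")
    return (r.forward("Serial0/0", "192.168.1.10"),
            r.forward("Serial0/1", "192.168.1.10"),
            r.forward("Serial0/0", "10.0.0.1"))   # no route in CustomerA's table


if __name__ == "__main__":
    print("single global table rejects overlap:", single_table_collision())
    print("per-customer tables:", per_customer_tables())
```

The same destination address, 192.168.1.10, is forwarded to a different CPE depending on the interface the packet arrived on, which is exactly the per-customer state a CPE-based tunnel design does not have to keep in the provider network.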

