virtual private networks warren toomey. available wan links
TRANSCRIPT
Virtual Private Networks
Warren Toomey
Available WAN Links
Available WAN Links
• Dedicated Links: very expensive, fixed endpoints
• Packet-Switched: expensive, fixed endpoints but some choice
• What if we need a cheaper alternative, or one where the endpoints can move around?– We have to use the Internet– Our traffic goes through other peoples’ routers
A Dilemma• We want to interconnect parts of our
enterprise over long distances– But we are using a public network to do so
Virtual Private Network
• What we want is a WAN link: link with an IP address at each end, and one which carries traffic that others cannot see
• VPN: Virtual Private Network• Virtual: Information within a private network
is transported over a public network• Private: The traffic is encrypted to keep the
data confidential
Benefits of VPNs
• Cost Savings: cheaper than dedicated links• Scalability: use existing Internet connection• Security: encryption ensures traffic is secure
VPN Tunnels
• A VPN tunnel acts like a WAN link• In reality, it is a collection of public routers and
LAN/WAN links• Traffic enters the tunnel, and traverses the
tunnel until it reaches the other end• The traffic needs to be encapsulated:– Placed into the network protocol used on the
physical links of the tunnel– Example: IP packets are encapsulated in IP packets
VPN Tunnels
VPN Encryption
GRE: VPN Technology
• Generic Routing Encapsulation• VPN technology developed by Cisco• Set up on two routers with public IP addrs• To form a tunnel between them– Carrying private IP traffic over public Internet
GRE Example
• R1 has public IP address 1.1.1.1• R2 has public IP address 2.2.2.2• R1 has a private LAN 192.168.1.0/24• R2 has a private LAN 192.168.2.0/24
GRE Example
• We want to route traffic between the private LANs. We need a tunnel between them
• The GRE tunnel acts like a WAN link– Each end has an “interface” with an IP address– Just like a s0/0/0 with an IP address
GRE Configuration
• We need static routes on each router. Cannot advertise with a routing protocol
• R1(config)# ip route 192.168.2.0 255.255.255.0 172.16.1.2• R2(config)# ip route 192.168.1.0 255.255.255.0 172.16.1.1
• Note: we use the private IP addresses in the static route