Fundamentals of Network-Based VPNs


In a customer edge (CE) VPN or CE-based VPN that uses IPSec, all VPN configuration, encapsulation, and decapsulation is performed by the CEs. The provider network that connects the CEs simply provides a transport service and is oblivious of the VPN configuration. In a network-based or provider edge-based VPN, all VPN configuration, encapsulation, and decapsulation is performed at the provider edge (PE); the CEs in this case are oblivious of the VPN configuration. Figure 9-1 shows a popular PE-based VPN defined in RFC 2547 using Multiprotocol Label Switching (MPLS).

Figure 9-1. PE-based MPLS VPN


All the tunneling of CE-CE traffic in the MPLS VPN shown in Figure 9-1 is performed by the PE routers at the edge of the service provider network. MPLS VPNs have several advantages over the traditional overlay CE-based IPSec VPNs. Some salient advantages of PE-based VPNs over CE-based VPNs are as follows:
  • Increased scalability: To connect N sites of an IPSec VPN for any-to-any connectivity, each CE needs (N-1) tunnels, one to every other CE. Every CE therefore has to be able to handle this scaling requirement, which increases the cost of the CEs at sites where such a large CE would not otherwise be required. In contrast, the same any-to-any connectivity can be established between CEs of an MPLS VPN with a single connection from each CE to its PE. Also, encapsulation and decapsulation are performed by the PE routers, which reduces the cost of the CE by not requiring expensive hardware encryption at the CE.
  • Greatly simplified configuration: Every time a new site is added to a CE-based IPSec VPN, the configuration has to be changed at (N-1) sites to preserve any-to-any connectivity. In an MPLS VPN, only the configuration of the PE and the attached CE is changed; none of the remote CEs or remote PEs is affected. In other words, the configuration complexity of MPLS-based VPNs is O(1) compared to O(n) for IPSec-based VPNs. This means that it is operationally easier and more economical for a service provider to provision an MPLS-based VPN.
Note
One could argue that DMVPN (see Chapter 7, "Auto-Configuration Architectures for Site-to-Site IPSec VPNs") reduces configuration complexity, negating this advantage for MPLS VPN. But DMVPN also requires a dynamic routing protocol such as OSPF in the overlay tunnels, which has limitations as the number of sites of the VPN grows very large.

One of the primary limitations of the MPLS VPN architecture is the requirement for each CE to have physical Layer 2 connectivity to its corresponding PE. Now, imagine a service provider that is offering an MPLS VPN service to its customers. In this scenario, assume that one customer has five sites that need to be connected over the VPN and that the service provider has a point of presence (POP) in only four of the five locations, which means only four of the sites can be part of the VPN. The following list presents the options available to the service provider for connecting the fifth site to the VPN:
  • Option 1: The service provider can extend its backbone network and build a new POP in the new location. Although the most obvious solution, this option is usually not cost effective for the service provider and in some cases is simply not viable.
  • Option 2: The service provider may backhaul the customer's traffic across other providers using leased lines. This is the next most obvious option, but it is also cost prohibitive, has long installation lead times, and may be subject to frequent outages.
  • Option 3: Connect the fifth site to the VPN via IPSec tunnels over the public Internet to every other site. However, this option has several disadvantages:
    - Each site of this VPN now requires a CE that is IPSec-capable.
    - IPSec requires (public) reachability to each CE endpoint. If the IPSec tunnels to each site have to traverse the Internet, all the CEs at the sites need IP reachability over the Internet, which might not be possible.
    - Every site is exposed to the Internet and may require additional security protection mechanisms.
  • Option 4: Build an IPSec tunnel from the remote CE to the service provider PE and map the IPSec tunnel into the appropriate MPLS VPN at the PE. This option is called the Network-Based IPSec VPN solution, which is the subject of this chapter. Figure 9-2 illustrates this option. It is both a secure and a cost-effective option.

Figure 9-2. Network-Based IPSec VPN

The Network-Based IPSec VPN architecture has several advantages:
  • The PE and CE need only IP connectivity; no dedicated Layer 2 connection is required.
  • Connectivity to the four original sites is retained via the MPLS VPN and no additional configuration is needed on the sites to connect the fifth site to the VPN.
  • Optimal routing from site to site is possible without a full-mesh configuration.
  • Secure connectivity for the new "off net" site. This is important because traffic from this site routinely transits the public Internet.
The rest of this chapter is dedicated to this architecture and presents the configuration and design of network-based VPNs.
