VPN Design discussion

In this post I will give you the business requirements and some background on a fictitious company, and together we will try to find an optimal solution to the questions below.

There will be many valid solutions, as you will see from the comments; we will have to make tradeoffs between the design goals when selecting one design over another.

The company has 15 different business units and wants to provide end-to-end segmentation between them.

The company has 500 remote offices, and only employees of 2 of the business units work in those remote offices. They plan to expand their locations by at least 10% every 6 months.

Confidentiality of their data is highly critical for regulatory reasons.

Business units will not communicate with each other. The HQ is connected to the datacenter through a WAN service from a service provider.

The company's engineers are highly skilled, since most of them are orhanergun.net readers! 🙂

Which service should the company receive from the service provider?

How would you provide end-to-end segmentation?

Will your choice provide confidentiality?
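
To make the segmentation question concrete, here is an added example (it is not part of the original post or of any comment below) that models MPLS L3VPN route-target import/export in Python and audits whether any business-unit VRF can learn another BU's prefixes. The PE names, the provider ASN 65000 used in the route targets, the 10.<bu>.<site>.0/24 prefixes and the `import_overrides` hook are assumptions made for the illustration, not anything the scenario specifies.

```python
# Added example (not from the original post): a small model of MPLS L3VPN
# route-target (RT) import/export, used to check that business-unit VRFs stay
# segmented end to end. PE names, the provider ASN 65000 in the RTs and the
# 10.<bu>.<site>.0/24 prefixes are assumptions made for this illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Vrf:
    name: str               # "<PE>:<VRF name>"
    bu: str                 # business unit this VRF is provisioned for
    export_rts: frozenset   # RTs attached to routes exported from this VRF
    import_rts: frozenset   # RTs this VRF accepts from the VPNv4 table


@dataclass(frozen=True)
class VpnRoute:
    prefix: str
    origin_vrf: str
    rts: frozenset          # extended communities carried with the route


def rt(bu_id):
    """One route target per business unit (assumed provider ASN 65000)."""
    return f"65000:{bu_id}"


def build_design(n_bus=15, branch_bus=(1, 2), import_overrides=None):
    """Intended design: the VRF for BU n on every PE exports and imports only
    RT 65000:n. The HQ PE carries all BUs; the branch PE carries only the two
    BUs that have staff there. import_overrides injects a provisioning mistake
    on a named VRF so the audit below can be demonstrated."""
    import_overrides = import_overrides or {}
    vrfs, local_prefixes = [], {}
    for pe, site, bus in (("PE-HQ", 0, range(1, n_bus + 1)),
                          ("PE-BRANCH1", 1, branch_bus)):
        for bu in bus:
            name = f"{pe}:BU{bu}"
            imports = frozenset(import_overrides.get(name, {rt(bu)}))
            vrfs.append(Vrf(name, f"BU{bu}", frozenset({rt(bu)}), imports))
            local_prefixes[name] = [f"10.{bu}.{site}.0/24"]   # constructed
    return vrfs, local_prefixes


def vpnv4_table(vrfs, local_prefixes):
    """Every VRF exports its local prefixes with its export RTs (as MP-BGP would)."""
    return [VpnRoute(p, v.name, v.export_rts)
            for v in vrfs for p in local_prefixes.get(v.name, [])]


def imported(vrf, table):
    """A VRF installs a VPNv4 route when any RT on it matches an import RT."""
    return [r for r in table
            if r.rts & vrf.import_rts and r.origin_vrf != vrf.name]


def audit(vrfs, local_prefixes):
    """Return (vrf, leaked prefix, origin vrf) for every route a VRF learned
    from a VRF belonging to a different business unit. Empty list = segmented."""
    by_name = {v.name: v for v in vrfs}
    table = vpnv4_table(vrfs, local_prefixes)
    return [(v.name, r.prefix, r.origin_vrf)
            for v in vrfs for r in imported(v, table)
            if by_name[r.origin_vrf].bu != v.bu]


if __name__ == "__main__":
    print("intended design leaks:", audit(*build_design()))
    # The provider mistake discussed in the comments: a typo adds BU3's RT to
    # BU2's branch VRF, and BU3's HQ prefix appears in the BU2 branch table.
    bad = build_design(import_overrides={"PE-BRANCH1:BU2": {rt(2), rt(3)}})
    print("mistyped import RT leaks:", audit(*bad))
```

Run it and the intended design reports no leaks, while mistyping a single import RT on the branch PE's BU2 VRF pulls BU3's HQ prefix into BU2's table. The leak is one-way (BU3's VRF still imports only its own RT), which is why a check like this has to walk every VRF rather than look for symmetric pairs. In practice the same audit is done against the VRF and VPNv4 tables pulled from the PEs, and it is the customer's only visibility into whether the provider's segmentation promise actually holds.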

30 Replies to “VPN Design discussion”

  1. Excellent exercise.
    In my opinion the possible solutions may be:
    a) MPLS solution – it's a flexible and scalable solution vs VPLS
    b) VRF configuration should be a good solution for traffic segmentation, but it's recommended to know the type of traffic to be processed on the links, in order to decide the adequate configuration of the VRFs: static or dynamic.
    c) In case we need to protect traffic, it may be IPsec for Layer 3 or LinkSec (802.1AE) for Layer 2; which is the best option? It depends on the traffic characteristics and how critical the information is.
    Thanks Orhan.


    1. I agree that MPLS is more flexible, but it is not as secure as VPLS. Why?

      The answer is: what if the service provider makes a mistake and shares your network with another company? So the security of your network is somehow tied to the service provider.

  2. It's a hub-and-spoke topology between the BUs and HQ. We can have IPsec tunnels to HQ from each site. For BUs connected with remote offices we can use DMVPN, and the 2 employees can have SSL VPN to their respective BU.

  3. Solution 1: I would ask for VPLS, and then run MPLS L3 VPNs on top of that end-to-end for segmentation… the next best thing to building out your own physical WAN that you run MPLS on.

    Yes, the solution would be secure, as you would be peering directly with your own routers and can add authentication to routing protocols… adding DMVPN or a PTP IPsec VPN on top of it would only add complexity, and you would get no real benefit.

    Solution 2: Alternatively you could get 2x L3VPN service from the provider and have each of the business units operating remote offices get their own WAN “cloud”. At the HQ/DC each of those would go in a VRF, which is part of the L3 MPLS VPN implementation you run on those networks.

    Yes, it would provide confidentiality in that the carrier is guaranteeing segmentation. You can also enhance that by prefix- and/or community-based tagging and filtering, along with authentication configured on the routing protocols between CE and PE.

    Solution 3: You could also do a Carrier Supporting Carrier service across the carrier's MPLS “cloud”, which you would then be able to run MPLS end-to-end with… the same rules apply on confidentiality as Solution 1.

    1. Hi all:

      Whatever connectivity mechanism the service provider is offering, L3 or L2,
      I would like to put more emphasis on the things we can do, like:

      – Having IPsec over GRE on WAN segments, if the provider is giving L3 connectivity, or we can use DMVPN with IPsec.
      – Can have separate VRFs.
      – Putting every department in different VLANs/DMZs and allowing specific ports and IPs based on requirements.
      – Some sort of DLP solution can also be used to ensure data confidentiality and avoid data theft.
      – Web services must be using SSL-based certificates to achieve end-to-end encryption.

      My 10 cents…

    2. I notice I left out the REQUIREMENT for confidentiality… so GET VPN across the carrier-provided cloud would likely be the best solution for confidentiality, as Maxim says below.

  4. This is interesting. Maybe a hub-and-spoke L3VPN for scalability (not paying attention to the MPLS topology of the service provider, as it is not important in this scenario). It would be possible to run IPsec from the spoke to the hub through the L3VPN; depending on the type and quantity of data, maybe another encryption scheme. Anyway, I'm not sure I understand the scenario 100%. I think we would need a little bit more detail about the availability needs of the company: what are the SLAs they are expecting for this?

    1. When you don't have tight constraints, you will assume things, so you will have more design options. If I gave all the constraints and forced you to choose a very specific one, then I would be giving too much detail.

      Since this is just a discussion, I want assumptions, and a discussion of which one is more suitable for which type of business.

      I give much greater detail in the mini design scenarios, in which I force you to choose the optimal design solution in general.

  5. Putting my two cents in. A solution that meets all requirements will be L3VPN + GETVPN with VRF segmentation:
    1. Scalable – we have growth of 10% per year;
    2. Segmentation – VRFs;
    3. Security – end-to-end encryption;

    To improve the solution (reduce OPEX) we can also consider OTP EIGRP + GETVPN

    1. So far this is the closest approach to what I will suggest. I will write a longer comment to explain why, and the what-if scenarios. Thanks Maxim, very good analysis.

  6. Does “Confidentiality” mean “Encryption”? The data will still be confidential if it is in an MPLS VPN environment, as it will be in a separate customer VRF.

    1. Unfortunately no. It is not encrypted with a symmetric or asymmetric algorithm of any type.

      MPLS VPN is no different from legacy FR or ATM when it comes to encryption.

      Yes, it might be seen as secure since it is private and not public, and it can be seen as secure when you put it in a VRF, but actually you just provide segmentation on the control and data plane; it doesn't mean you encrypt it with MPLS VPN.

      Thus you need to run IPsec on top of MPLS VPN for crypto.

    2. Any kind of unencrypted VPN does not provide confidentiality: in the US, service providers must follow the CALEA act and provide lawful intercept capabilities for the FBI and other government agencies, and similar rules exist in other parts of the world.
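
As an added example illustrating the point of this thread (it is not from the original post or from any of the commenters): the Python below builds a constructed customer packet as it would appear on a provider core link, an MPLS label stack over IPv4, and parses it the way a passive tap or a lawful-intercept probe would. The label values, addresses, ports and the record text are assumptions; the ESP case uses a placeholder byte string instead of real ciphertext, since the point is only what the headers expose.

```python
# Added example (not from the original post): what an observer on a provider
# core link sees for a customer packet inside an MPLS L3VPN. The labels,
# addresses and the UDP payload are constructed for this illustration; the
# ESP body is a placeholder byte string, not the output of a real cipher.
import struct
from socket import inet_aton, inet_ntoa

IPPROTO_UDP, IPPROTO_ESP = 17, 50


def build_mpls_ipv4(labels, src, dst, proto, body):
    """MPLS label stack (transport label first, VPN label last with S=1) over IPv4."""
    stack = b""
    for i, label in enumerate(labels):
        bottom = 1 if i == len(labels) - 1 else 0
        # 20-bit label | 3-bit traffic class | 1-bit bottom-of-stack | 8-bit TTL
        stack += struct.pack("!I", (label << 12) | (0 << 9) | (bottom << 8) | 255)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0x1234, 0,
                     64, proto, 0, inet_aton(src), inet_aton(dst))
    return stack + ip + body


def parse_mpls(raw):
    """Walk the label stack, then read the inner IPv4 header and whatever sits
    behind it. Returns what an on-path observer learns from the packet."""
    labels, off = [], 0
    while True:
        (word,) = struct.unpack_from("!I", raw, off)
        off += 4
        labels.append(word >> 12)
        if (word >> 8) & 1:          # bottom-of-stack bit set: IP follows
            break
    fields = struct.unpack_from("!BBHHHBBH4s4s", raw, off)
    ver_ihl, total_len, proto = fields[0], fields[2], fields[6]
    src, dst = fields[8], fields[9]
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4 below the label stack")
    body = raw[off + (ver_ihl & 0xF) * 4: off + total_len]
    view = {"labels": labels, "src": inet_ntoa(src), "dst": inet_ntoa(dst),
            "proto": proto}
    if proto == IPPROTO_ESP:
        # Only the SPI and sequence number are in the clear; the rest is ciphertext.
        view["spi"], view["seq"] = struct.unpack_from("!II", body)
        view["payload"] = None
    else:
        view["payload"] = body       # MPLS VPN alone: application data is readable
    return view


# Constructed sample traffic: BU1 branch host -> BU1 HQ host, transport label
# 16001 and VPN label 24 (assumed values, not from any real network).
RECORD = b"PATIENT-ID 4711 DIAGNOSIS CODE K21"
UDP = struct.pack("!HHHH", 5000, 5000, 8 + len(RECORD), 0) + RECORD
CLEAR_PACKET = build_mpls_ipv4([16001, 24], "10.1.1.10", "10.1.0.20",
                               IPPROTO_UDP, UDP)

# Same flow after the customer's own IPsec/GETVPN group member encrypted it.
# GETVPN header preservation keeps the original addresses on the outer header;
# the bytes after SPI/sequence are a placeholder standing in for ciphertext.
ESP_BODY = struct.pack("!II", 0x0000A1B2, 1) + bytes(range(16, 48))
ESP_PACKET = build_mpls_ipv4([16001, 24], "10.1.1.10", "10.1.0.20",
                             IPPROTO_ESP, ESP_BODY)

if __name__ == "__main__":
    for name, pkt in (("MPLS VPN only", CLEAR_PACKET), ("MPLS VPN + ESP", ESP_PACKET)):
        print(name, parse_mpls(pkt))
```

With MPLS VPN alone the VPN label keeps the BUs apart, but the UDP payload parses straight out of the packet. With ESP the observer still gets the SPI and sequence number and, because GETVPN preserves the original IP header so the provider's routing keeps working, also the real source and destination addresses; only a point-to-point IPsec tunnel hides the end hosts behind the tunnel endpoints. That is the tradeoff behind choosing GETVPN over classic IPsec in the comments on this page: any-to-any encryption with no tunnel state, at the cost of leaving the addressing visible to the provider.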

  7. Good exercise, and again many answers.

    For the ones who want to prepare for the CCDE, you have to stay as open as possible. If you think that – let us say – DMVPN Phase 3 + MPLS + IPsec + EIGRP is the target, then you are sure to fail (do you agree with me, Orhan?).

    First question: do we need virtualization?

    We want some segmentation, but flat IP routing on the WAN and, at the access level, one interface/VLAN per BU protected by an ACL may be enough (depends on the addressing plan).

    If we want some kind of virtualization, how complex should it be?

    Is VRF-lite enough, if the WAN can keep the segmentation? Why not buy 2 VPLS/L3VPN instances from our provider? Or even a Frame Relay network with 2 PVCs per access, or one VPLS instance with self-managed VLANs?
    What about policy routing? Not a fan, but it should also be considered.

    Do we need any-to-any communication? If yes, is it acceptable to send traffic via the datacenter?

    What about the sizing?
    You have to support 500 remote sites; that is enough to eliminate multicast routing protocols on a VPLS instance, but every overlay can easily handle that.

    No redundancy and resiliency requirements?

    Confidentiality?

    OK, you have to encrypt the traffic. Just the payload, or create point-to-point tunnels, multipoint tunnels?

    Now some answers:
    Simplest: IPsec transport mode + static routing and VRF-Lite on top of a star Frame Relay network.
    Reasonable: IPsec tunnel mode with VRF-Lite and routing based on RRI and DPD.
    Funniest: LISP + GETVPN on top of whatever the provider will give us

  8. I suggest an MPLS-TP solution (carrier Ethernet); the service could be based on E-Tree with the hub (HQ) and the spokes.
    Split horizon should be configured in the bridge domain to avoid forwarding from one PW to another PW (loop-free and integrity principle).

    Secondly, the MPLS-TP solution will be based on MPLS tunnels with BFD tracking; briefly, the midpoints should be configured too.

    Despite the engineers, the solution proposal is based on an NMS, so the operator can add services, tunnels and TP links with process automation.

    1. I would say, who is this crazy 🙂 I just finished the session; once I am available, let me comment on it. Thanks, and I haven't seen your comments for a while, I was wondering!

  9. Baseline: 500 offices, 100+ new sites per year; in 5 years they have 1000+ sites.
    30 employees per site.

    Which service should the company receive from the service provider?

    L2VPN or L3VPN; looking at the requirements and expected growth, this is a simple large-scale network with no special requirements, so L3VPN will do the job.

    How would you provide end-to-end segmentation?
    – Provider will create 15 BU VPNs
    – Each BU will receive its own sub-interface with VRF-lite

    Will your choice provide confidentiality?
    – GETVPN instead of IPsec, because we don't know if the same BU's branches will talk with each other; GETVPN has any-to-any connectivity and encryption functionality
