Introduction to VPN (Virtual Private Network)
Let’s start with the definition. VPN is a logical network and created over shared physical infrastructure.
Shared infrastructure can be private such as MPLS VPN of a Service Provider or over the Public infrastructure such as Internet.
There are many concepts to understand VPN in detail but in this article I will cover the definition, common design considerations, and some not well known concepts about it.
We can group VPNs into two categories. WAN and the Datacenter VPN Technologies.
WAN VPN Technologies
2.mGRE (Multipoint GRE)
8. MPLS L3 VPN
Datacenter VPN Technologies
1.EoMPLS (Ethernet over MPLS (a.k.a VPWS)
2. VPLS (Virtual Private Lan Service)
3. OTV (Overlay Transport Virtualization)
6. VXLAN (And other host based overlays such as NVGRE, STT, GENEVE)
Of course this is not the complete list. Please note that some of the technologies which I grouped into WAN technologies can be used in the Datacenter and vice versa.
For example LISP can be used in Datacenter as well and VPWS and VPLS can be used on the Wide Area Network as well.
I am going to cover each of these technologies in the individual article so please stay tuned and follow the website by subscribing the email list. Also please know that there is a video lesson which I explain all these technologies in my Self Paced CCDE Course in detail.
VPN Design Considerations
- VPNs can be further categorised as Overlay and Peer to Peer. Overlay VPNs is what I described above. Private network is created over the shared physical infrastructure.
For better illustration, imagine customer is receiving a Layer 2 MPLS VPN service from the Service Provider. In Overlay VPN model, endpoints are the customer devices, which is called as CE (Customer Equipment).
MPLS Layer 3 VPN is a Peer to Peer technology. In Peer to Peer model, customer has a routing neighborship with the Service Provider. Endpoints are not the customer sites in this model. One side of the VPN is a customer device (CE) and remote end is Service Provider device (PE).
- All of the above technologies add extra information to the packet or frame which increases the overall MTU.Network links should accommodated to handle bigger MTU. For example GRE adds extra 24 byte. (GRE header is 4 byte and new IP header is 20byte. mGRE adds 28 bytes and so on.)
- VPNs work based on encapsulation and decapsulation. For example in GRE, mGRE or DMVPN encapsulate IP packets into another IP packet and VPLS or EVPN encapsulates Layer 2 frame into an MPLS packets.
Some VPNs require tunnel as well. For example although I didn’t include in the list above but MPLS Traffic Engineering is used as a VPN mechanism and requires a tunnel. This doesn’t mean that there is no encapsulation and decapsulation in MPLS Traffic Engineering, of course there is, but it requires tunnel as well. Or GRE requires a tunnel and encapsulation (IP header is encapsulated in GRE header).
- Some of the above technologies support routing protocol, some don’t.In order to run routing protocols over tunnel, tunnel endpoints should be aware from each other.In other words, tunnel should be bidirectional tunnel and co-associated.
For example MPLS Traffic Engineer tunnels don’t support routing protocol,since the MPLS-TE LSPs (Label Switch Paths) are unidirectional which mean Head-end and Tail-end routers are not associated and not bidirectional.
All WAN technologies except IPSEC and LISP in our list supports routing protocols.
- Some VPN technologies cannot run over Internet. For example GETVPN, due to IP header preservation, cannot run over public Internet. But by building private infrastructure over Internet with GRE for example, GET VPN can run over GRE over Internet.
VPN Choice Check List
- Will you use it over Private or Public infrastructure ?
- How many locations will be connected? (Some has scalability challenges)
- Will you run a routing protocol on top of it ?
- What is the security requirement ? (Do you need to encrypt the data?)
- Which one do you know best ?
- Do you need to carry IP traffic only or do you need to carry non-IP as well ? So what is the payload?
- Do you need Multicast, QoS and IPv6 support ? (Some of them don’t support, some of them are very poor)
- Do your device hardware and software support the protocol which you choose ?
- Do you have a budget problem ? (Some VPN services are more expensive than others)
Is there any Layer 8 and above issue ?