Constructing a VPN (Virtual Private Network) Skillfully

Source: Internet
Author: User

Requirements for a VPN
Because a VPN serves enterprise users and bears on the enterprise's normal operation, the following analyses several requirements for a VPN from the user's point of view.
VPN availability: the established network must be able to meet the requirements of the user's business. After analysing the nature and traffic of the enterprise's own business, decide which technology the VPN should adopt to satisfy that demand. If only data services are used, connectionless IP technology may be adopted; if voice services are also present, connection-oriented FR/ATM technology, or a combination of IP VPN and VoIP, can be used; if video is added, connection-oriented technology is recommended, and there should be explicit bandwidth requirements and calculation rules. The design should also consider redundant backup of the VPN, the maximum and minimum capacity the system can support, and the minimum amount of network management required.
VPN security: for example the security of the PVC and encryption as a guarantee, but also reliance on the authentication system, user authorization system and other safeguards of the upper-layer network applications.
Scalability of the VPN: first, expansion of the physical network, i.e. the addition of new nodes, and the impact of that expansion on the whole network from both a technical and a funding perspective, together with the principles for extending it. Second, functional expansion, including support for internal (intranet) data applications, extranet data processing, remote access, and even mobile IP applications. Finally, expansion of the services provided on the platform, i.e. VPN value-added services: IP fax, office automation systems, financial systems.
Manageability of the VPN: networks with different business models and technologies have different VPN management content. For a VPN based on the connection-oriented technology of an NSP (network service provider), the VPN management content should basically be equivalent to the NSP's own business network, because the NSP provides transparent channels: the VPN network management information and the user's network conditions do not interfere with each other. For a network built on the enterprise user's own equipment, only the client side can be configured and controlled; the network transmission part is neither known nor guaranteed by the NSP, so manageability is restricted by the NSP.
VPN construction and operation/maintenance costs: the cost of a VPN is divided into two parts: 1. the initial network construction cost, mainly equipment and initial installation; 2. network expansion and operation/maintenance costs. Initial construction and expansion costs can be calculated easily and in most cases do not differ much from the actual outlay, whereas operation and maintenance costs depend heavily on the size of the enterprise user's network, the required network performance, the business model, the company's IT technical strength and the degree of network management required.
Combining the above aspects, the author discusses, from the standpoint of practical application, proposals for enterprises constructing a VPN. First, in security and reliability I think the differences are small; the security of any single technology cannot be compared on its own, and only a combination of network-wide security policies can effectively enhance security. In network management, because most enterprise users lack the ability to manage an IP network and are willing to entrust the network to the NSP, the difference in network management level is mainly the difference between operators' networks and their management levels. In fact, if professional firms took on network management as an agent maintenance service (the embryonic form of such companies already exists), they could seize a large market and become a new hotspot for network value-added services. As for the network technology itself, although there is a great deal of dispute, experiment and real operating experience, the author still favours FR/ATM technology for VPN construction. In a normal network state (no traffic explosion), IP and ATM are not very different, but when traffic increases suddenly, queuing mechanisms, caching mechanisms, CAC, CAR and other techniques can run; when packets are finally dropped, ATM's EPD and PPD discard for an identifiable queue or user, causing some data to be retransmitted or delayed without spreading the range of the drops, whereas an IP network, under its drop strategy, loses packets over a wide range and the discarded packets are unrelated to each other, so the reassembly of traffic after packet loss generates more traffic and further worsens the network situation.
At the same time, because the traffic model of enterprise users, especially in unexpected situations, is uncertain, and because of the input-output ratio, network operators cannot always expand network bandwidth and optimise the network structure, not to mention the existence of network interconnection. A PVC-based network can guarantee the basic service quality of each user without increasing backbone bandwidth, whereas in the actual operation of an IP network, because irregular data flows are transmitted in the same large channel, once bandwidth occupancy reaches a certain proportion there will be serious packet loss, increased delay and similar phenomena. Given the above, the author thinks that when constructing an enterprise VPN, the first step is to analyse the nature of its own business and its traffic model. If strict QoS protection is required, for business that is sensitive to delay and packet loss, the enterprise should invest appropriately, build the network with FR/ATM technology, and strengthen network management and quality-of-service monitoring. If there is only a small amount of non-real-time bursty traffic and the aim is merely a relatively secure, confidential channel, IPSec technology can be used to establish the VPN.

Flexible selection
Here are two examples to illustrate how the customer's nature relates to the network technology.
1. FR technology network: one company's business is to send films or television programmes from its United States headquarters over the network to Beijing, China; the company required that the network could transmit the then imported blockbusters synchronously so that audio-visual products could be made and sold in mainland China. Because a video stream has relatively high QoS, and especially bandwidth, requirements, and because, owing to the time difference, traffic on the data network between China and the United States is very small in the evening, the VPN was implemented by opening an FR PVC with CIR = 1M that can burst to 2M, with network management providing users with a web-based MRTG traffic monitoring window. In use, users found that they almost only needed to transmit at the burst rate at night to complete the transfer of the video data.
2. IP technology network: in 2000 a company needed to construct a dedicated financial network for its financial system. It began by considering FR technology, but because the network investment was small, traffic was low and real-time reconciliation was not required (only the day's accounts each day and a monthly summary), we used L2TP and IPSec to build the VPN. It was also suggested that data be updated at night and that network management be handled by the network monitoring system together with the accounting system. Network operation was normal at first, but because of price adjustments by the various telecom operators, especially the adjustment of night-time Internet charges, the number of Internet users rose, network congestion recurred and timeouts occurred in accounting system transmission, so user needs could no longer be met. In the end the user established an office automation network using FR technology and moved the accounting part of the business onto it to solve the problem.
The above two cases mainly illustrate that with different user needs and network conditions the choice of technology varies flexibly, and that it should be combined with overall planning and deployment of the different nodes. Before deciding how to set up the network, the decision-makers of enterprise network construction must understand the network conditions of the network operators in detail. If the access service provider and the backbone transport operator are different organisations, it is important to consider whether the interface between the access line and the backbone node will affect the expansion capability of the VPN and whether it could become a network bottleneck or a single point of failure. At the same time, with increasingly fierce competition among network service providers, it is best for enterprise users and operators to have a clear service level agreement (SLA), including constraints on technical parameters and commitments on technical support. Generally an SLA requires the enterprise user to pay a certain fee; enterprise users are advised to choose according to their own needs and interests, and not to blindly pursue high QoS without regard to the actual network quality and the nature of the business.
After determining which technology and which operator to use, the next question is how to select the VPN device. Equipment stability and processing capacity come first: a high MTTR can effectively reduce operation and maintenance costs and give the VPN network a higher availability rate. Powerful processing capacity lays a solid foundation for network expansion; among processing capabilities, encryption/decryption capability in particular has higher requirements. Encryption/decryption is actually the only feasible security measure on the Internet; while the complexity of encryption and decryption algorithms brings good security, the demand on equipment processing capacity grows almost geometrically, and a major difference among the various VPN products is the encryption algorithm used and the key strength. Because encryption is a complex process and, especially when a large amount of information is transmitted on the network, the CPU bears a heavy computing load, the current VPN market tends to adopt dedicated hardware.
The scalability of the device can provide more value-added services on the VPN platform, such as extending support for an existing LAN to a wireless LAN, or, as voice business is introduced, adding voice processing cards that support FXO, FXS and E&M. The management of the equipment, and the customer's own user authentication and billing information, are also important: because the user's technical strength is limited, the network management system should have a graphical user interface that is friendly and simple to operate, and if it is on a unified platform with the user management system, an integrated network administration system can be considered.
When considering pure VPN technology, we should combine it with the help of the equipment vendor and the integrator. Firewall technology, the earliest network security tool and a very mature one, is a good complement to VPN technology.
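To make concrete what the first case's PVC with CIR = 1M that can burst to 2M means at the ingress, here is an added example that is not code from the article: a dual-token-bucket model of Frame Relay policing, assuming Tc = 1 s (so Bc = CIR and Be = EIR, the burst above CIR) and a constructed constant-rate stream of 12000-bit frames. Frames within the committed bucket pass, frames that fit only the excess bucket are forwarded but marked DE (discard eligible, dropped first under congestion), and anything beyond CIR + EIR is dropped at ingress.

```python
# Constructed model of Frame Relay ingress policing (added example, not the
# article's own code). Dual token bucket: the committed bucket refills at CIR,
# the excess bucket at EIR; Tc = 1 s is assumed, so Bc = CIR and Be = EIR.
# Time is kept in integer microseconds to avoid floating-point drift.
US = 1_000_000


class FrPolicer:
    def __init__(self, cir, eir):
        self.cir = cir            # committed information rate, bit/s
        self.eir = eir            # excess rate above CIR (burst), bit/s
        self.c_tokens = cir       # committed bucket (Bc) starts full
        self.e_tokens = eir       # excess bucket (Be) starts full
        self.last_us = 0

    def _refill(self, now_us):
        dt = now_us - self.last_us
        self.last_us = now_us
        self.c_tokens = min(self.cir, self.c_tokens + self.cir * dt // US)
        self.e_tokens = min(self.eir, self.e_tokens + self.eir * dt // US)

    def offer(self, now_us, frame_bits):
        """Classify one frame arriving at now_us: 'ok', 'de' or 'drop'."""
        self._refill(now_us)
        if frame_bits <= self.c_tokens:        # within CIR
            self.c_tokens -= frame_bits
            return "ok"
        if frame_bits <= self.e_tokens:        # burst: forwarded, DE-marked
            self.e_tokens -= frame_bits
            return "de"
        return "drop"                          # beyond CIR + EIR


def police_stream(rate_bps, seconds, frame_bits=12000,
                  cir=1_000_000, eir=1_000_000):
    """Send a constant stream at rate_bps through the policer for `seconds`
    and count how its frames are classified. The defaults model the
    CIR = 1M, burst-to-2M PVC from the first case."""
    policer = FrPolicer(cir, eir)
    counts = {"ok": 0, "de": 0, "drop": 0}
    interval_us = frame_bits * US // rate_bps
    for i in range(seconds * rate_bps // frame_bits):
        counts[policer.offer(i * interval_us, frame_bits)] += 1
    return counts


if __name__ == "__main__":
    for rate in (1_000_000, 2_000_000, 3_000_000):
        print(f"{rate // 1_000_000} Mbit/s:", police_stream(rate, 10))
```

Sending at 1 Mbit/s stays entirely within CIR, 2 Mbit/s is carried but roughly half of it DE-marked, and 3 Mbit/s is dropped at ingress once both buckets drain, which is why the night-time burst in the case above worked only because the rest of the path was idle.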
