Summary
Virtual Private Network (VPN) is an important value-added network service. This article describes the basic concepts, classification and key technologies of VPN, and the management of VPN data and routes.
1. Virtual Private Network
A Virtual Private Network (VPN) is a technology for building a private network on top of a public network. It lets a user's terminals, access lines, modules and ports be combined, as if they were the user's own, into a private network. Through a VPN management station, the private network administrator monitors status, queries data, and controls and tests the ports of each part of the network, and collects alarm, billing and statistical information, while the public network administrator helps manage the various VPNs. A VPN connects an enterprise's remote users, branches, business partners and travelling staff through dedicated encrypted tunnels to form an extended enterprise network. Because no dedicated leased lines have to be rented, cost is greatly reduced. A VPN also scales well: when the network must expand to reach remote offices, other countries, remote computers, roaming mobile users or business partners, or when its structure changes, the enterprise can enlarge VPN capacity and coverage at any time by relying on the ISP that provides the VPN service.
A VPN has an absolute price advantage over leased lines, and compared with ordinary PSTN dial-up connections it is superior in security and confidentiality. Traditional VPNs were built mainly on Frame Relay and ATM; their main limitation is that communication between any two points requires a directly connected virtual circuit, which reduces network flexibility. An IP VPN is a VPN built on a public IP network, and it has become the mainstream. MPLS-based VPN is a new stage in the development of IP VPN.
2. VPN Classification
By access type: dial-up VPN (VPDN) and leased-line VPN. A VPDN is built by remote dial-up over the public network; a leased-line VPN is provided over a leased line to users connected to an ISP edge router. Leased-line VPN provides a secure, reliable virtual private network with QoS and includes virtual-circuit-based VPN (VC VPN) and IP-tunnel-based VPN.
By protocol: VPN based on Layer 2 services and VPN based on Layer 3 tunnels. A Layer 2 service VPN is built on a public Frame Relay or ATM network; the network forwards packets at Layer 2 according to the Layer 2 addresses in user packets (MAC addresses, Frame Relay DLCIs, ATM VPI/VCI), and the service provider's network is responsible for the Layer 2 link connections between users. A Layer 3 service VPN is an IP VPN: it uses the IP addressing infrastructure to build point-to-point tunnels between routers at the edge of the service provider's network and forwards user packets according to IP addresses. Security is a key requirement of IP VPN; through secure IP tunnels it ensures the confidentiality, integrity, authenticity and availability of network information.
By service type: dial-up VPN (VPDN), virtual leased line (VLL), virtual private routed network (VPRN) and virtual private LAN segment (VPLS). A VPDN is a virtual network built by remote dial-up over the public network. A VLL is a virtual leased line that a service provider offers on an IP network; it emulates a leased line through a tunnel and is mainly used for secure, reliable VPNs with QoS assurance, implemented with IPSec, GRE, L2TP or MPLS. A VPRN uses IP facilities to emulate a dedicated multi-site wide-area routed network, with packet forwarding at the network layer; the protocols are again IPSec, GRE, L2TP and MPLS. A VPLS uses the Internet to emulate a LAN segment; it is completely transparent to protocols and is used to provide transparent LAN service.
By application type: Access VPN, Intranet VPN and Extranet VPN.
By deployment mode: end-to-end mode, provider-enterprise mode and intra-provider mode.
The above classifications can also be grouped into network-based VPN and customer-device-based VPN. The fundamental difference is who maintains the IP VPN. The network-based VPN model centres on the network service provided by the VPN service provider: users can outsource the VPN entirely to the provider, which places high demands on the operator's network but keeps the requirements on accessing users flexible. The customer-device-based VPN model centres on users implementing their own network applications: users need dedicated equipment to build their own VPN and dedicated network staff to maintain it and meet their business needs. The two can also be shared between the VPN service provider and the user.
3. Key Technologies of VPN
The VPN architecture is a logical network built on the network platform of a public network service provider; user data travels over a logical link instead of the end-to-end physical link of a traditional private network. The key technologies for implementing a VPN are tunneling, encryption and decryption, key management, and identity authentication. Tunneling lets the VPN choose its own encapsulation and addressing, independent of the encapsulation and addresses used by the bearer network. A tunnel establishes a point-to-point logical path between the edge routers of the service provider's network; tunnels can be multiplexed and support multi-protocol transport and frame sequencing. According to the OSI layer at which the tunnel operates, tunneling is divided into Layer 2 and Layer 3 tunneling. Layer 2 tunneling protocols include Layer 2 Forwarding (L2F), Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP); they are based on the Layer 2 PPP protocol, encapsulate the various network protocols in PPP, and then carry the whole PPP frame in the tunnel protocol. Layer 3 tunneling protocols include IP Security (IPSec) and Generic Routing Encapsulation (GRE).
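The Layer 3 tunnel described above, as an added example that is not code from the original article: it builds a GRE-in-IPv4 tunnel packet (RFC 2784, no optional fields) and validates the outer headers at the tunnel exit before releasing the inner packet. All addresses are constructed; the inner packet uses private 10.x addresses while the outer header uses bearer-network addresses, and because GRE does not encrypt, the inner payload is visible in the tunneled bytes, which is why the article pairs tunnels with IPSec for confidentiality.

```python
import struct

IPPROTO_GRE = 47          # outer IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800   # GRE protocol type for an IPv4 payload


def ip_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement sum; 0 means a received header verifies."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with the checksum filled in."""
    a2b = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                      ttl, proto, 0, a2b(src), a2b(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner_packet: bytes, outer_src: str, outer_dst: str) -> bytes:
    """Tunnel entry: a complete inner IPv4 packet becomes the GRE payload of an
    outer IPv4 header whose addresses belong to the bearer network, not the VPN."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)   # flags/version = 0
    outer = ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(gre) + len(inner_packet))
    return outer + gre + inner_packet


def gre_decapsulate(packet: bytes) -> bytes:
    """Tunnel exit: validate the outer IPv4 and GRE headers before handing the
    inner packet to the VPN's own forwarding; reject anything malformed."""
    if len(packet) < 24 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 4 or ip_checksum(packet[:ihl]) != 0:
        raise ValueError("malformed outer IPv4 header")
    if packet[9] != IPPROTO_GRE:
        raise ValueError("outer protocol is not GRE")
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    # C/K/S bits would add checksum/key/sequence fields; version must be 0.
    if flags & 0xB007 or ptype != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE header")
    return packet[ihl + 4:]


def tunnel_addresses(packet: bytes) -> tuple:
    """(outer src, outer dst, inner src, inner dst) as dotted strings."""
    b2a = lambda b: ".".join(str(x) for x in b)
    inner = gre_decapsulate(packet)
    return b2a(packet[12:16]), b2a(packet[16:20]), b2a(inner[12:16]), b2a(inner[16:20])
```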
4. Managing VPN Data and Routes
Routing is the means by which information is carried from a source to a destination across an interconnected network. It consists of path determination and forwarding: path determination selects the best path from the source network to the destination network, and forwarding transmits packets along that path.
IP routing can be classified as static or dynamic, direct or indirect, single-path or multi-path, hierarchical or flat, intra-domain or inter-domain, and distance-vector or link-state. Route selection uses a routing algorithm to compute and determine the optimal path to the destination.
Routing protocols are divided into Interior Gateway Protocols (IGP) and Exterior Gateway Protocols (EGP) according to whether they run inside an autonomous system (AS) or between autonomous systems. For example, the Routing Information Protocol (RIP) and Open Shortest Path First (OSPF) are interior gateway protocols, and the Border Gateway Protocol (BGP) is an exterior gateway protocol. The "border" in BGP refers to the boundary of an autonomous system, and BGP is used to exchange routing information between autonomous systems. It can also be used within an AS; the edge routers running BGP provide the tunnels through which one AS communicates with others. To distinguish BGP running between ASes from BGP running inside an AS, the former is called external BGP (EBGP) and the latter internal BGP (IBGP).
Multicast routing protocols maintain the connections between the routers that form a multicast tree. Common multicast routing protocols within the administrative domain of an autonomous system (AS) are the Distance Vector Multicast Routing Protocol (DVMRP), Multicast Open Shortest Path First (MOSPF) and Protocol Independent Multicast (PIM). The main difference between them is the type of multicast tree they build: DVMRP, MOSPF and PIM dense mode (PIM-DM) are dense-mode protocols whose forwarding path is a shortest-path spanning tree rooted at each source, while PIM sparse mode (PIM-SM) is based on a shared core tree.
VPN data and routes can be managed in overlay mode or peer-to-peer mode. Tunneling is the most common overlay mode and provides inter-site connections for the VPN; point-to-point connections between sites can be built with IPSec, GRE, Frame Relay or ATM circuits. Each site has a router that connects to other sites through point-to-point connections; a site can have one or more such routers, connected to all or only some of the other sites. IPSec-based secure VPN is widely used.
BGP/MPLS is the mainstream peer-to-peer VPN technology. MPLS VPN uses MPLS label switching to provide virtual connections for VPN users over the wide-area network, which gives MPLS IP VPN the dedicated nature, security and high-speed data transmission of a Layer 2 VPN while integrating seamlessly with IP-based user networks. Because MPLS VPN is network-based, all VPN network and policy configuration is done on the network side, which greatly reduces management and maintenance overhead. In BGP/MPLS, MPLS forwards packets across the network, while BGP distributes routing information and VPN membership information between the edge routers and the core routers.
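A simplified model of the BGP/MPLS forwarding just described, added here as an illustration and not code from the article: the ingress edge router looks the destination up in the customer's own VPN routing table (populated, in a real network, by BGP) and pushes a label, core routers swap labels along a label-switched path, and the egress edge maps the label back to a VPN site. The topology, node names, labels and addresses are all constructed; two VPNs deliberately reuse the same 10.1.0.0/24 prefix to show that labels, not addresses, keep their traffic apart, and an unbound label is dropped rather than leaked to another VPN.

```python
from ipaddress import ip_address, ip_network

# Constructed topology: two customer VPNs whose sites both use 10.1.0.0/24.
VPN_ROUTES = {            # per-VPN routes at the ingress edge (learned via BGP)
    ("VPN-A", "10.1.0.0/24"): 1001,
    ("VPN-B", "10.1.0.0/24"): 2001,
}
CORE_SWAP = {             # (node, incoming label) -> (next node, outgoing label)
    ("P1", 1001): ("P2", 3001),
    ("P2", 3001): ("PE-east", 3001),
    ("P1", 2001): ("P3", 4001),
    ("P3", 4001): ("PE-south", 4001),
}
EGRESS_VPN = {            # egress edge binds the arriving label to a VPN site
    ("PE-east", 3001): ("VPN-A", "site-east"),
    ("PE-south", 4001): ("VPN-B", "site-south"),
}


def ingress_push(vpn: str, dst_ip: str) -> int:
    """Ingress PE: longest-prefix match inside this customer's VPN table only,
    then return the label to push. Routes of other VPNs are never consulted."""
    dst = ip_address(dst_ip)
    best = None
    for (owner, prefix), label in VPN_ROUTES.items():
        net = ip_network(prefix)
        if owner == vpn and dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, label)
    if best is None:
        raise LookupError(f"{dst_ip} is not reachable inside {vpn}")
    return best[1]


def forward(vpn: str, dst_ip: str, first_hop: str = "P1"):
    """Walk the label-switched path; returns ([(node, label), ...], egress site)."""
    label = ingress_push(vpn, dst_ip)
    node, path = first_hop, [("PE-ingress", label)]
    while (node, label) in CORE_SWAP:          # core routers only look at labels
        path.append((node, label))
        node, label = CORE_SWAP[(node, label)]
    if (node, label) not in EGRESS_VPN:
        raise LookupError(f"label {label} at {node} has no VPN binding: dropped")
    owner, site = EGRESS_VPN[(node, label)]
    if owner != vpn:                           # misbound label must never cross VPNs
        raise PermissionError(f"label {label} belongs to {owner}, not {vpn}")
    path.append((node, label))
    return path, site
```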