Internet Access from a VPN
Overview
Integrating Internet access with an MPLS/VPN solution is one of the most
common service provider (SP) business requirements. This chapter explains the
underlying design issues, several potential design scenarios, and some sample
configurations.
This chapter contains the following topics:
• Integrating Internet Access with the MPLS VPN Solution
• Design Options for Integrating Internet Access with MPLS VPN
• Leaking Between VPN and Global Backbone Routing
• Separating Internet Access from VPN Service
• Internet Access Backbone as a Separate VPN
Objectives
Upon completion of this chapter, you will be able to perform the following tasks:
• Explain the requirements for Internet Access from a VPN.
• Describe various design models for integrated Internet Access and their
benefits and drawbacks.
• Design and implement MPLS VPN solutions based on these design models.
• Design and implement a Wholesale Internet Access solution.
Integrating Internet Access with the MPLS VPN Solution
Objectives
• Upon completion of this section, you will be able to explain the requirements
for combining Internet Access with VPN services.
Copyright 2000, Cisco Systems, Inc.
Classical Internet Access for a VPN Customer
[Figure labels: Customer VPN (CE-Site-1, CE-Site-2, CE-Site-3, CE-Central), Firewall, CE-Internet, PE-Internet, Internet]
• The VPN customer connects to the Internet only through a central site (or a
few central sites)
• A firewall between the customer VPN and the Internet is deployed only at the
central site
Classical Internet access is implemented through a (usually central) firewall that
connects the customer’s network to the Internet in a secure fashion. The
customer's private network (or Virtual Private Network if the customer is using a
VPN service) and the Internet are connected only through the firewall.
Classical Internet Access Addressing
[Figure labels: Customer VPN (CE-Site-1, CE-Site-2, CE-Site-3, CE-Central), Firewall, CE-Internet, PE-Internet, Internet; private addresses, public addresses]
• Customer can use private address space
• The firewall provides Network Address Translation (NAT) between the private
address space and the small portion of public address space assigned to the
customer
Addressing requirements of this type of connection are very simple:
• The customer is assigned a small block of public address space used by the
firewall.
• The customer typically uses private addresses inside the customer network.
• The firewall performs Network Address Translation (NAT) between the
customer’s private addresses and the public addresses assigned to the
customer by the Internet Service Provider (ISP). Alternatively, the firewall
might perform an application-level proxy function that also isolates private and
public IP addresses.
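The translation described above, as an added example that is not part of the original chapter: a simplified Python model of port address translation at the central firewall, showing hosts from several sites sharing the small public block and traffic from the Internet being accepted only when it matches existing state. The class name, the 192.0.2.0/30 block and the host addresses are constructed assumptions; a real NAT also tracks protocol and destination.

```python
import ipaddress

# RFC 1918 ranges a customer VPN typically uses internally.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

class CentralFirewallNat:
    """Simplified port address translation at the central-site firewall."""

    def __init__(self, public_block, first_port=1024, last_port=65535):
        self.public_ips = [str(h) for h in ipaddress.ip_network(public_block).hosts()]
        self.ports = range(first_port, last_port + 1)
        self.out = {}   # (private_ip, private_port) -> (public_ip, public_port)
        self.back = {}  # reverse table, consulted for traffic from the Internet

    def _free_slot(self):
        for ip in self.public_ips:
            for port in self.ports:
                if (ip, port) not in self.back:
                    return ip, port
        return None  # the small public block is exhausted

    def outbound(self, src_ip, src_port):
        """Translate a flow leaving the VPN; None means it is not forwarded."""
        src = ipaddress.ip_address(src_ip)
        if not any(src in net for net in RFC1918):
            return None  # source is not a customer-internal address
        key = (str(src), src_port)
        if key not in self.out:
            slot = self._free_slot()
            if slot is None:
                return None
            self.out[key] = slot
            self.back[slot] = key
        return self.out[key]

    def inbound(self, dst_ip, dst_port):
        """Map return traffic to the private host; None means no state, drop."""
        return self.back.get((dst_ip, dst_port))

if __name__ == "__main__":
    # Constructed addresses: 192.0.2.0/30 stands in for the ISP-assigned block.
    fw = CentralFirewallNat("192.0.2.0/30", last_port=1025)
    for site_host in ("10.1.1.10", "10.2.1.10", "10.3.1.10"):
        print(site_host, "->", fw.outbound(site_host, 40000))
    print("unsolicited:", fw.inbound("192.0.2.2", 1025))
```

The port range is narrowed to two ports per address in the demo only so that pool exhaustion is visible with a handful of flows.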
Classical Internet Access for a VPN Customer
[Figure labels: Customer VPN (CE-Site-1, CE-Site-2, CE-Site-3, CE-Central), Firewall, CE-Internet, PE-Internet, Internet]
Benefits:
• Simple, well-known setup
• Only a single point needs to be secured
Drawbacks:
• All Internet traffic from all sites goes across the central site
There are a number of benefits associated with this design:
• It is a well-known setup used world-wide for Internet connectivity from a
corporate network. Access to expertise needed to implement such a setup is
thus simple and straightforward.
• There is only one interconnection point between the secure customer network
and the Internet. Security of the Internet access only has to be managed at this
central point.
The major drawback of this design is the traffic flow – all traffic from the customer network
to the Internet has to pass through the central firewall. While this might not be a drawback
for smaller customers, it can be a severe limitation for large organizations with many users,
especially when geographically separated.