ISCW: MPLS VPN

gojericho0gojericho0 Member Posts: 1,060
I'm just trying to distinguish the similarities\differences between an MPLS VPN and a peer to peer VPN. I know the MPLS uses tags and a peer to peer does not, but is that the only difference?

[edit] i think i just picked up the key point i was missing. MPLS is not encrypted, just private using the info tied to the RD and tags. peer to peer is tunnled\encrypted causing more overhead

any other thoughts\additions are welcome though if i am missing something else :)

Comments

  • networker050184networker050184 Mod Posts: 11,962 Mod
    There are too many differences to explain in one post. Basically the only thing that is the same is the Virtual and Private parts....
    An expert is a man who has made all the mistakes which can be made.
  • kryollakryolla Member Posts: 785
    Did you mean overlay VPN as in GRE and ipsec?
    Studying for CCIE and drinking Home Brew
  • gojericho0gojericho0 Member Posts: 1,060
    in a peer-to-peer (fig 11-3, page 223 in ISCW Cisco Cert guide)
  • keenonkeenon Member Posts: 1,922 ■■■■□□□□□□
    there is a big difference.. peer to peer are pretty much a site to site vpn connection.

    mpls vpn.. the service provider is participating in the customer routing. actually the sp is building the vpn through mpbgp which can allow a full mesh of customer sites.. normally done in hub and spoke setups
    Become the stainless steel sharp knife in a drawer full of rusty spoons
  • kryollakryolla Member Posts: 785
    okay so you meant a site to site VPN overlayed existing ISP network and MPLS VPN which is a peer to peer with the ISP?
    Studying for CCIE and drinking Home Brew
  • gojericho0gojericho0 Member Posts: 1,060
    Now i'm confused, I was thinking...

    Layer3 overlay was more of the traditional site-to-site VPN

    Peer-to-peer was a full mesh layer 3 solution (like MPLS), with the service provider maintaining the customer routing information
  • kryollakryolla Member Posts: 785
    MPLS VPN is you share routing info with the ISP via ospf eigrp and the ISP will redistribute it to a iBGP peering with the other side, on the other side the isp share routing with your edge device via redsitribution from BGP to ospf eigrp (BGP VPN). So multiple customers addresses dont overlap each other you have a RD and a RT for VPN id.

    Site to Site VPN is peering with routers in your control i.e HQ and remote site overlayed existing ISP or using the internet for layer 3 transport. For security you use encryption etc for payload and header.

    HTH
    Studying for CCIE and drinking Home Brew
  • gojericho0gojericho0 Member Posts: 1,060
    kryolla wrote:
    MPLS VPN is you share routing info with the ISP via ospf eigrp and the ISP will redistribute it to a iBGP peering with the other side, on the other side the isp share routing with your edge device via redsitribution from BGP to ospf eigrp (BGP VPN). So multiple customers addresses dont overlap each other you have a RD and a RT for VPN id.

    Site to Site VPN is peering with routers in your control i.e HQ and remote site overlayed existing ISP or using the internet for layer 3 transport. For security you use encryption etc for payload and header.

    HTH


    yeah, but there also seems to be a peer-to-peer type that is different from site-to-site which also uses the providers routers to propagate the information (similar to mpls vpn) though i think in this implementation a bgp core for the P routers is required and not so in mpls
  • networker050184networker050184 Mod Posts: 11,962 Mod
    gojericho0 wrote:
    kryolla wrote:
    MPLS VPN is you share routing info with the ISP via ospf eigrp and the ISP will redistribute it to a iBGP peering with the other side, on the other side the isp share routing with your edge device via redsitribution from BGP to ospf eigrp (BGP VPN). So multiple customers addresses dont overlap each other you have a RD and a RT for VPN id.

    Site to Site VPN is peering with routers in your control i.e HQ and remote site overlayed existing ISP or using the internet for layer 3 transport. For security you use encryption etc for payload and header.

    HTH


    yeah, but there also seems to be a peer-to-peer type that is different from site-to-site which also uses the providers routers to propagate the information (similar to mpls vpn) though i think in this implementation a bgp core for the P routers is required and not so in mpls

    The peer-to-peer VPN you are referring to here is when the provider actually participates in the customer routing. This differs from an MPLS VPN because customer routes are not kept separate from each other and can not overlap. In an MPLS VPN the provider does not participate in customer routing, it just passes customer routes via MBGP between customer sites. One of the big pluses of an MPLS VPN is the ability to have overlapping customer address spaces.
    An expert is a man who has made all the mistakes which can be made.
  • gojericho0gojericho0 Member Posts: 1,060
    thanks! thats what i was trying to conclude, but my interpretation of the book kind of made it a grey area. i tried searching google, as i myself have never seen the peer-to-peer implementation before. Has anyone ever dealt with one of these?
  • ilcram19-2ilcram19-2 Banned Posts: 436
    overlay vpn are the ones that have something like a point to point direct connections privided by the service provider more like just point A to point B example would be a frame-relay network where only you are able to use the tunnel and no one else can see the traffic you could apply encrytion to this type of vpn but is not required. is pretty much a secure and isolated tunnel

    A peer-to-peer or site to site vpn are the one you make from location A to location B over the internet here the service provider doesnt have to be involved pretty much you encryting the data to go from site A to site B using ipsec,pptp,l2tp in this type of vpn ecryption is required since is going using the internet.

    MPLS VPNs is something like an overlay vpn (which include security and isolation) with simplied routing of a peer-to-peer vpn. "MPLS VPN provides simpler customer routing, simpler service provider provisioning and a number of possible topologies that are hard to implement in either the overlay or peer-to-peer VPN models. MPLS also adds the benefits of a connection-oriented approach to the IP routing paradigm, through the establishment of label-switched paths that are created based on topology information rather than traffic flow."
  • gojericho0gojericho0 Member Posts: 1,060
    ilcram19-2 wrote:

    A peer-to-peer or site to site vpn are the one you make from location A to location B over the internet here the service provider doesnt have to be involved pretty much you encryting the data to go from site A to site B using ipsec,pptp,l2tp in this type of vpn ecryption is required since is going using the internet.

    See this is where i was getting confused. A peer-to-peer and site-to-site VPN are not the same thing. The terminology was messing me up

    In the peer-to-peer VPN model, the service provider routers carry the customers data across the network, but they also participate in customer routing. In other words, the service provider routers peer directly with the customer routers at Layer3. The result is that one routing protocol neighborhship or adjacency exists between the customer and the service provider router.

    Before MPLS existed, the peer-to-peer VPN model could be achieved by creating the IP routing peering between the customer and service provider routers. The peer-to-peer model also requires privateness or isolation between the different customers. You can achieve this by configuring packet filters to control the data to and from customer routers.

    MPLS Fundamentals by Luc De Ghein pg 12-13[/quote] [/b]
  • ilcram19-2ilcram19-2 Banned Posts: 436
    peer-to-peer and site-to-site are the samething, in the book he is refering to the overlay vpn not to a peer to peer, i just took the iscw and the what ever book you are reading is going to get you more confuse specially if you are testing for cisco you need to do a lilttle more research try to get cbtnuggets for iscw 642-825 or see if you can take a look at the cisco academy program where im quoting the below info

    Overlay VPNs
    Service providers (SPs) are the most common users of the overlay VPN model. The design and provisioning of virtual circuits (VC) across the backbone is complete prior to any traffic flow. In the case of an IP network, this means that even though the underlying technology is connectionless, it requires a connection-oriented approach to provision the service.

    The scaling issues of overlay VPNs present a challenge to SPs when they have to manage and provision a large number of circuits and tunnels between customer devices. From a customer's point of view, the Interior Gateway Protocol design is also complex and difficult to manage.
    The overlay model includes L2 and L3 VPNs

    VPN (Peer-to-Peer)
    CPE-based VPN is another name for an L3 overlay VPN. The VPN is implemented using CPE, as shown in Figure . In this way, a customer creates a VPN across an Internet connection without any specific knowledge or cooperation from the service provider. The customer gains the advantage of increased privacy using an inexpensive Internet connection.

    This approach is not advantageous to the SP because there is little opportunity for VPN service revenue. However, SPs do charge a higher rate for “business class” Internet services applicable to medium to large enterprises. Also, some SPs offer “managed VPN” services where CPE configuration and Network Address Translation (NAT) address management are performed by the SP rather than by the customer

    SP-Provisioned VPN (MPLS vpns)
    The introduction of Multiprotocol Label Switching (MPLS) combines the benefits of overlay VPNs (security and isolation among customers) with the benefits of the simplified routing of a peer-to-peer VPN. MPLS VPN provides simpler customer routing, simpler service provider provisioning and a number of possible topologies that are hard to implement in either the overlay or peer-to-peer VPN models. MPLS also adds the benefits of a connection-oriented approach to the IP routing paradigm, through the establishment of label-switched paths that are created based on topology information rather than traffic flow.
  • ilcram19-2ilcram19-2 Banned Posts: 436
    more:
    Site-to-Site Intranet VPN :
    Site-to-site intranet VPNs link headquarters, remote offices, and branch offices to an internal network over a shared infrastructure using dedicated connections. Intranet VPNs differ from extranet VPNs in that intranet VPNs allow access only to trusted employees. With an intranet VPN, gateways at various physical locations within the same business negotiate secure tunnels across the Internet. An example of this type of VPN is a network that exists in several geographic locations, connecting to a data center or mainframe that has secure access through the Internet. Users from the networks on either side of the tunnel can communicate with one another as if the networks were a single network. These networks may need strong encryption and strict performance and bandwidth requirements. Tunnels are created using either IPsec, or IPsec/GRE.


    Site-to-Site Extranet VPN :
    An extranet site-to-site VPN links outside customers, suppliers, partners, or communities of interest to an enterprise customer's network over a shared infrastructure using dedicated connections. Extranet VPNs differ from intranet VPNs in that extranet VPNs allow access to users who are outside the enterprise. Extranet VPNs use firewalls in conjunction with VPN tunnels so that business partners are only able to gain secure access to specific data and resources while not gaining access to private corporate information.
  • ilcram19-2ilcram19-2 Banned Posts: 436
    i recomend not to stick with just one source read a couple of book or research online, writter have different point of views and undestanding
  • gojericho0gojericho0 Member Posts: 1,060
    ilcram19-2 wrote:
    i recomend not to stick with just one source read a couple of book or research online, writter have different point of views and undestanding

    I have been reading from two different sources. The ISCW official exam guide and MPLS Fundamentals. Here is another link confirming that a peer-to-peer is different than the site-to-site. In both a site-to-site or overlay VPN, there is no route info shared between the customer and provider to adapt to routing protocol changes.

    http://www.ensc.sfu.ca/~ljilja/cnl/presentations/tony/BGP-MPLS-VPN/sld026.htm


    If you took your ICSW you probably have official ICSW exam certification guide, check out pg 232 - 236. The MPLS VPN gets the best features of both the peer-to-peer and overlay and both were critical in the development of MPLS
  • ilcram19-2ilcram19-2 Banned Posts: 436
    all that above was quoted from the cisco academy program, thats what i been using for the ccnp trainig unless academy program is wrong thats what i needed to know to pass the iscw as well as bsci and bcmsn all all of those above 930 points so im sticking with that for the ont also but may be you are right who knows i was you giving something for you to take in consideration, good luck on the test
  • gojericho0gojericho0 Member Posts: 1,060
    thanks, i'm just trying to get all the fundamentals down. We setup a lot of site-to-site vpns for customers at work and the configuration does not seem to be the same b/c in the peer-to-peer setup, it doesn't seem like you need to tunnel.

    Probably take me another day to really wrap my head and cross references the conceptual stuff. Hows the ONT studying coming?
  • ilcram19-2ilcram19-2 Banned Posts: 436
    no so bad i been working with qos and voice prirization the last 6 months so i think i have some of the stuff down but you always have to learn terminology + theory, this one seems to be a little shorter compare the past tests
  • networker050184networker050184 Mod Posts: 11,962 Mod
    gojericho0 wrote:
    thanks, i'm just trying to get all the fundamentals down. We setup a lot of site-to-site vpns for customers at work and the configuration does not seem to be the same b/c in the peer-to-peer setup, it doesn't seem like you need to tunnel.

    I think you have the concepts down you just need to get your head around the terms. Sometimes that's half the battle.
    An expert is a man who has made all the mistakes which can be made.
Sign In or Register to comment.