ISCW: MPLS VPN

in CCNP
I'm just trying to distinguish the similarities/differences between an MPLS VPN and a peer-to-peer VPN. I know MPLS uses tags and a peer-to-peer VPN does not, but is that the only difference?
[edit] I think I just picked up the key point I was missing. MPLS is not encrypted, just private using the info tied to the RD and tags. Peer-to-peer is tunneled/encrypted, causing more overhead.
Any other thoughts/additions are welcome, though, if I am missing something else.
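An added example (not part of the original thread) to make the "not encrypted, just labels" point concrete: the Python below builds a constructed two-label MPLS frame (transport label on top, VPN label at the bottom) carrying a customer IPv4/UDP packet, then parses the label stack and reads the inner addresses and payload straight out of the frame. The MAC addresses, labels, IP addresses and payload are all made up for this example.

```python
"""Parse an MPLS-labelled Ethernet frame and recover the customer IP packet.

Constructed example: the frame bytes are built here, not captured from any
network. MPLS VPN traffic is separated by labels (and, in MP-BGP, by RDs),
not by encryption, so anyone with access to the provider core can read the
customer payload in the clear.
"""
import ipaddress
import struct

ETHERTYPE_MPLS_UNICAST = 0x8847


def build_label_entry(label: int, tc: int, bottom: bool, ttl: int) -> bytes:
    """One 32-bit label stack entry (RFC 3032): 20-bit label, 3-bit TC/EXP,
    1-bit bottom-of-stack, 8-bit TTL."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label must fit in 20 bits")
    word = (label << 12) | ((tc & 0x7) << 9) | (int(bottom) << 8) | (ttl & 0xFF)
    return struct.pack("!I", word)


def parse_label_stack(data: bytes) -> tuple[list[dict], bytes]:
    """Pop label entries until the bottom-of-stack bit is set; return the
    entries and the remaining bytes (the customer packet)."""
    entries = []
    offset = 0
    while True:
        if offset + 4 > len(data):
            raise ValueError("label stack runs past end of frame")
        word = struct.unpack("!I", data[offset:offset + 4])[0]
        entry = {
            "label": word >> 12,
            "tc": (word >> 9) & 0x7,
            "bottom": bool((word >> 8) & 1),
            "ttl": word & 0xFF,
        }
        entries.append(entry)
        offset += 4
        if entry["bottom"]:
            return entries, data[offset:]


def parse_mpls_frame(frame: bytes) -> dict:
    """Ethernet -> label stack -> inner IPv4 header -> payload.
    MPLS carries no protocol field, so the inner protocol is inferred from the
    first nibble after the stack (4 = IPv4, 6 = IPv6), as forwarding code must do."""
    _dst_mac, _src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_MPLS_UNICAST:
        raise ValueError(f"not an MPLS unicast frame: ethertype 0x{ethertype:04x}")
    labels, inner = parse_label_stack(frame[14:])
    version = inner[0] >> 4
    if version != 4:
        raise ValueError(f"inner packet is not IPv4 (version nibble {version})")
    ihl = (inner[0] & 0x0F) * 4
    total_len = struct.unpack("!H", inner[2:4])[0]
    proto = inner[9]
    return {
        "transport_label": labels[0]["label"],   # outer label, swapped hop by hop (e.g. LDP)
        "vpn_label": labels[-1]["label"],        # inner label, selects the VRF on the egress PE
        "stack_depth": len(labels),
        "proto": proto,
        "src": str(ipaddress.IPv4Address(inner[12:16])),
        "dst": str(ipaddress.IPv4Address(inner[16:20])),
        "payload": inner[ihl:total_len],          # L4 header + data, readable as-is
    }


def build_sample_frame(payload: bytes) -> bytes:
    """Constructed P-router-to-PE frame: transport label 1000 on top, VPN label
    16 at the bottom, then a UDP-in-IPv4 packet between two made-up customer hosts."""
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + 8 + len(payload), 0x1234, 0, 64, 17, 0,   # checksum left 0 (not validated here)
        ipaddress.IPv4Address("10.1.1.10").packed,
        ipaddress.IPv4Address("10.1.1.20").packed,
    )
    udp_hdr = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0)
    eth_hdr = bytes.fromhex("020000000001" "020000000002") + struct.pack("!H", ETHERTYPE_MPLS_UNICAST)
    labels = build_label_entry(1000, 0, False, 254) + build_label_entry(16, 0, True, 255)
    return eth_hdr + labels + ip_hdr + udp_hdr + payload


if __name__ == "__main__":
    info = parse_mpls_frame(build_sample_frame(b"customer A: cleartext DNS query"))
    for key, value in info.items():
        print(f"{key:>16}: {value}")
```

Run it and the inner source/destination addresses and the UDP payload come out exactly as the customer sent them; the two labels are the only thing keeping this packet apart from another customer's traffic in the core, which is why an MPLS VPN is usually combined with IPsec when confidentiality from the provider is required.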

Comments
MPLS VPN: the service provider is participating in the customer routing. Actually the SP is building the VPN through MP-BGP, which can allow a full mesh of customer sites; normally done in hub-and-spoke setups.
Layer 3 overlay was more of the traditional site-to-site VPN.
Peer-to-peer was a full-mesh Layer 3 solution (like MPLS), with the service provider maintaining the customer routing information.
Site-to-site VPN is peering with routers in your control, i.e. HQ and a remote site, overlaid on an existing ISP or using the Internet for Layer 3 transport. For security you use encryption etc. for payload and header.
HTH
Yeah, but there also seems to be a peer-to-peer type that is different from site-to-site, which also uses the provider's routers to propagate the information (similar to MPLS VPN), though I think in this implementation a BGP core for the P routers is required, and not so in MPLS.
The peer-to-peer VPN you are referring to here is when the provider actually participates in the customer routing. This differs from an MPLS VPN because customer routes are not kept separate from each other and cannot overlap. In an MPLS VPN the provider does not participate in customer routing; it just passes customer routes via MP-BGP between customer sites. One of the big pluses of an MPLS VPN is the ability to have overlapping customer address spaces.
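An added example, not from the original thread, showing the overlapping-address-space point above at the MP-BGP level: the Python below encodes VPN-IPv4 NLRI (RFC 4364, AFI 1 / SAFI 128) for routes from different customers, including two with the identical prefix 10.1.1.0/24, and shows that the 8-byte route distinguisher keeps them as separate entries in a PE's VPNv4 table while a plain IPv4 table would collapse them. The RDs, labels and prefixes are constructed for the example.

```python
"""VPNv4 route construction: how the route distinguisher (RD) makes overlapping
customer prefixes distinct in MP-BGP (RFC 4364). Constructed example; the RD
values, labels and prefixes are illustrative, not from any real network."""
import ipaddress
import struct


def encode_rd(rd: str) -> bytes:
    """Encode an RD written as 'asn:nn' or 'a.b.c.d:nn' into its 8-byte form.

    Type 0: 2-byte ASN : 4-byte assigned number
    Type 1: 4-byte IPv4 address : 2-byte assigned number
    Type 2: 4-byte ASN : 2-byte assigned number (ASN > 65535)
    """
    admin, num = rd.rsplit(":", 1)
    number = int(num)
    if "." in admin:
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, number)
    asn = int(admin)
    if asn > 0xFFFF:
        return struct.pack("!HIH", 2, asn, number)
    return struct.pack("!HHI", 0, asn, number)


def decode_rd(raw: bytes) -> str:
    rd_type = struct.unpack("!H", raw[:2])[0]
    if rd_type == 0:
        asn, number = struct.unpack("!HI", raw[2:])
        return f"{asn}:{number}"
    if rd_type == 1:
        addr, number = struct.unpack("!4sH", raw[2:])
        return f"{ipaddress.IPv4Address(addr)}:{number}"
    if rd_type == 2:
        asn, number = struct.unpack("!IH", raw[2:])
        return f"{asn}:{number}"
    raise ValueError(f"unknown RD type {rd_type}")


def encode_vpnv4_nlri(label: int, rd: str, prefix: str) -> bytes:
    """Labeled VPN-IPv4 NLRI as carried in MP_REACH_NLRI: 1-byte length in bits,
    3-byte label (20-bit label, bottom-of-stack bit set), 8-byte RD, then the
    prefix trimmed to the minimum number of octets."""
    net = ipaddress.IPv4Network(prefix)
    pfx_octets = (net.prefixlen + 7) // 8
    label_field = (label << 4) | 1                     # low bit = bottom of stack
    body = label_field.to_bytes(3, "big") + encode_rd(rd) + net.network_address.packed[:pfx_octets]
    bits = 24 + 64 + net.prefixlen
    return bytes([bits]) + body


def decode_vpnv4_nlri(raw: bytes) -> tuple[int, str, str]:
    bits = raw[0]
    label = int.from_bytes(raw[1:4], "big") >> 4
    rd = decode_rd(raw[4:12])
    prefixlen = bits - 88                              # strip the 24 label + 64 RD bits
    pfx = raw[12:12 + (prefixlen + 7) // 8].ljust(4, b"\x00")
    return label, rd, f"{ipaddress.IPv4Address(pfx)}/{prefixlen}"


def build_vpnv4_table(routes):
    """Simulate a PE's VPNv4 table: keyed by (RD, prefix), so the same IPv4
    prefix from two customers stays distinct instead of colliding. Each route
    is round-tripped through the wire encoding on the way in."""
    table = {}
    for label, rd, prefix in routes:
        got_label, got_rd, got_prefix = decode_vpnv4_nlri(encode_vpnv4_nlri(label, rd, prefix))
        table[(got_rd, got_prefix)] = got_label
    return table


def build_plain_ipv4_table(routes):
    """The same routes keyed by prefix alone, as a global IPv4 table would do:
    customers sharing a prefix overwrite each other (last one wins)."""
    return {prefix: label for label, _rd, prefix in routes}


# Constructed sample: two customers both use 10.1.1.0/24; one RD uses a 4-byte ASN.
SAMPLE_ROUTES = [
    (16, "65000:100", "10.1.1.0/24"),          # customer A, RD type 0
    (17, "65000:200", "10.1.1.0/24"),          # customer B, same prefix, different RD
    (18, "192.0.2.1:300", "172.16.0.0/12"),    # RD type 1 (PE loopback : nn)
    (19, "4200000000:1", "10.1.1.0/24"),       # customer C, RD type 2 (4-byte ASN)
]

if __name__ == "__main__":
    for (rd, prefix), label in build_vpnv4_table(SAMPLE_ROUTES).items():
        print(f"RD {rd:<16} prefix {prefix:<16} VPN label {label}")
    print("plain IPv4 table keeps only", len(build_plain_ipv4_table(SAMPLE_ROUTES)), "of",
          len(SAMPLE_ROUTES), "routes")
```

The VPN label carried in the NLRI is what the egress PE later uses to pick the right VRF for a received packet, so the RD keeps routes apart in the control plane and the label keeps traffic apart in the forwarding plane; neither one hides the data.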
A peer-to-peer or site-to-site VPN is the one you make from location A to location B over the Internet. Here the service provider doesn't have to be involved; pretty much you are encrypting the data to go from site A to site B using IPsec, PPTP or L2TP. In this type of VPN encryption is required since it is going over the Internet.
MPLS VPN is something like an overlay VPN (which includes security and isolation) with the simplified routing of a peer-to-peer VPN. "MPLS VPN provides simpler customer routing, simpler service provider provisioning and a number of possible topologies that are hard to implement in either the overlay or peer-to-peer VPN models. MPLS also adds the benefits of a connection-oriented approach to the IP routing paradigm, through the establishment of label-switched paths that are created based on topology information rather than traffic flow."
See, this is where I was getting confused. A peer-to-peer and a site-to-site VPN are not the same thing. The terminology was messing me up.
MPLS Fundamentals by Luc De Ghein, pp. 12-13:
Overlay VPNs
Service providers (SPs) are the most common users of the overlay VPN model. The design and provisioning of virtual circuits (VC) across the backbone is complete prior to any traffic flow. In the case of an IP network, this means that even though the underlying technology is connectionless, it requires a connection-oriented approach to provision the service.
The scaling issues of overlay VPNs present a challenge to SPs when they have to manage and provision a large number of circuits and tunnels between customer devices. From a customer's point of view, the Interior Gateway Protocol design is also complex and difficult to manage.
The overlay model includes L2 and L3 VPNs.
VPN (Peer-to-Peer)
CPE-based VPN is another name for an L3 overlay VPN. The VPN is implemented using CPE, as shown in Figure . In this way, a customer creates a VPN across an Internet connection without any specific knowledge or cooperation from the service provider. The customer gains the advantage of increased privacy using an inexpensive Internet connection.
This approach is not advantageous to the SP because there is little opportunity for VPN service revenue. However, SPs do charge a higher rate for "business class" Internet services applicable to medium to large enterprises. Also, some SPs offer "managed VPN" services where CPE configuration and Network Address Translation (NAT) address management are performed by the SP rather than by the customer.
SP-Provisioned VPN (MPLS VPNs)
The introduction of Multiprotocol Label Switching (MPLS) combines the benefits of overlay VPNs (security and isolation among customers) with the benefits of the simplified routing of a peer-to-peer VPN. MPLS VPN provides simpler customer routing, simpler service provider provisioning and a number of possible topologies that are hard to implement in either the overlay or peer-to-peer VPN models. MPLS also adds the benefits of a connection-oriented approach to the IP routing paradigm, through the establishment of label-switched paths that are created based on topology information rather than traffic flow.
Site-to-Site Intranet VPN:
Site-to-site intranet VPNs link headquarters, remote offices, and branch offices to an internal network over a shared infrastructure using dedicated connections. Intranet VPNs differ from extranet VPNs in that intranet VPNs allow access only to trusted employees. With an intranet VPN, gateways at various physical locations within the same business negotiate secure tunnels across the Internet. An example of this type of VPN is a network that exists in several geographic locations, connecting to a data center or mainframe that has secure access through the Internet. Users from the networks on either side of the tunnel can communicate with one another as if the networks were a single network. These networks may need strong encryption and strict performance and bandwidth requirements. Tunnels are created using either IPsec, or IPsec/GRE.
Site-to-Site Extranet VPN:
An extranet site-to-site VPN links outside customers, suppliers, partners, or communities of interest to an enterprise customer's network over a shared infrastructure using dedicated connections. Extranet VPNs differ from intranet VPNs in that extranet VPNs allow access to users who are outside the enterprise. Extranet VPNs use firewalls in conjunction with VPN tunnels so that business partners are only able to gain secure access to specific data and resources while not gaining access to private corporate information.
I have been reading from two different sources: the ISCW official exam guide and MPLS Fundamentals. Here is another link confirming that a peer-to-peer VPN is different from a site-to-site VPN. In both a site-to-site and an overlay VPN, there is no route info shared between the customer and provider to adapt to routing protocol changes.
http://www.ensc.sfu.ca/~ljilja/cnl/presentations/tony/BGP-MPLS-VPN/sld026.htm
If you took your ISCW you probably have the official ISCW exam certification guide; check out pp. 232-236. The MPLS VPN gets the best features of both the peer-to-peer and overlay VPNs, and both were critical in the development of MPLS.
It will probably take me another day to really wrap my head around and cross-reference the conceptual stuff. How's the ONT studying coming?
I think you have the concepts down; you just need to get your head around the terms. Sometimes that's half the battle.