Peer-to-Peer VPN Model Versus Overlay VPN Model

A VPN is a network that emulates a private network over a common infrastructure. The private network requires all customer sites to be able to interconnect and be completely separate from other VPNs. The VPN usually belongs to one company and has several sites interconnected across the common service provider infrastructure.

Service providers can deploy two major VPN models to provide VPN services to their customers:

■ Overlay VPN model

■ Peer-to-peer VPN model

Overlay VPN Model

In the overlay model, the service provider supplies a service of point-to-point links or virtual circuits across his network between the routers of the customer. The customer routers form routing peering between them directly across the links or virtual circuits from the service provider. The routers or switches from the service provider carry the customer data across the service provider network, but no routing peering occurs between a customer and a service provider router. The result of this is that the service provider routers never see the customer routes.

These point-to-point services could be of Layer 1, 2, or even 3. Examples of Layer 1 are time-division multiplexing (TDM), E1, E3, SONET, and SDH links. Examples of Layer 2 are virtual circuits created by X.25, ATM, or Frame Relay.

Figure 1-2 shows an example of an overlay network built on Frame Relay. In the service provider network are Frame Relay switches that set up the virtual circuits between the customer routers on the edge of the Frame Relay network.

Figure 1-2 Overlay Network on Frame Relay (figure: customer routers at the edge of the service providers' Frame Relay network, connected by virtual circuits through the Frame Relay switches)

Considering the Layer 3 routing (IP) and peering from the customer viewpoint, the customer routers appear to be directly connected. Figure 1-3 shows this.

Figure 1-3 Overlay Network: Customer Routing Peering (figure: the customer routers with direct IP connectivity for the customer network)

The overlay service can also be provided over the IP Layer 3 protocol. Most commonly used tunnels to build the overlay network on IP are generic routing encapsulation (GRE) tunnels. These tunnels encapsulate the traffic with a GRE header and an IP header. The GRE header, among other things, indicates what the transported protocol is. The IP header is used to route the packet through the service provider network. Figure 1-4 shows an example of an overlay network with GRE tunnels. One advantage of GRE tunnels is that they can route traffic other than IP traffic.

Figure 1-4 Overlay Network on GRE Tunnels (figure: GRE tunnels between the customer routers across the service providers' IP network)

It is possible to use IPsec on the GRE tunnels and thus provide security as the data is encrypted.
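The GRE encapsulation described above, as an added example (not code from the book): it builds the outer IP header (IP protocol number 47) and the GRE header from RFC 2784/2890 fields, then parses them back and reads the protocol-type field that says what is being transported. Tunnel endpoint addresses, the key value and the inner packet are constructed sample data. Decapsulating shows the inner packet sitting in the clear inside the outer packet, which is exactly why the IPsec step above is needed when confidentiality matters.

```python
"""GRE overlay: encapsulate and decapsulate (added example, not from the book)."""
import ipaddress
import struct
from typing import Optional

GRE_PROTOCOL_NUMBER = 47  # IP protocol number that marks a GRE payload in the outer IP header

# GRE protocol-type field (Ethertype values) -> transported protocol
GRE_ETHERTYPES = {
    0x0800: "IPv4",
    0x86DD: "IPv6",
    0x6558: "Transparent Ethernet bridging",
}

FLAG_CHECKSUM = 0x8000  # C bit (RFC 2784)
FLAG_KEY = 0x2000       # K bit (RFC 2890)
FLAG_SEQUENCE = 0x1000  # S bit (RFC 2890)


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum over 16-bit words, as used in the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_gre_header(protocol_type: int, key: Optional[int] = None,
                     seq: Optional[int] = None) -> bytes:
    """Flags/version word, protocol type, then the optional key and sequence fields."""
    flags, optional = 0, b""
    if key is not None:
        flags |= FLAG_KEY
        optional += struct.pack("!I", key)
    if seq is not None:
        flags |= FLAG_SEQUENCE
        optional += struct.pack("!I", seq)
    return struct.pack("!HH", flags, protocol_type) + optional


def build_outer_ipv4(src: str, dst: str, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte outer IPv4 header; this is what the provider network routes on."""
    ver_ihl = (4 << 4) | 5
    header = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + payload_len, 0, 0, ttl,
                         GRE_PROTOCOL_NUMBER, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]


def gre_encapsulate(outer_src: str, outer_dst: str, protocol_type: int,
                    inner_packet: bytes, key: Optional[int] = None) -> bytes:
    gre = build_gre_header(protocol_type, key)
    return build_outer_ipv4(outer_src, outer_dst, len(gre) + len(inner_packet)) + gre + inner_packet


def gre_decapsulate(packet: bytes) -> dict:
    """Parse outer IPv4 + GRE; return endpoints, transported protocol, key and inner packet."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != GRE_PROTOCOL_NUMBER:
        raise ValueError("not an IPv4 packet carrying GRE")
    if ipv4_checksum(packet[:ihl]) != 0:  # a valid header sums to zero
        raise ValueError("bad outer IPv4 header checksum")
    gre = packet[ihl:]
    flags, ptype = struct.unpack("!HH", gre[:4])
    if flags & 0x0007:  # version bits must be 0 for GRE (RFC 2784)
        raise ValueError("unsupported GRE version")
    offset = 4 + (4 if flags & FLAG_CHECKSUM else 0)
    key = None
    if flags & FLAG_KEY:
        key = struct.unpack("!I", gre[offset:offset + 4])[0]
        offset += 4
    if flags & FLAG_SEQUENCE:
        offset += 4
    return {
        "outer_src": str(ipaddress.IPv4Address(src)),
        "outer_dst": str(ipaddress.IPv4Address(dst)),
        "protocol_type": ptype,
        "protocol_name": GRE_ETHERTYPES.get(ptype, "unknown 0x%04x" % ptype),
        "key": key,
        "inner": gre[offset:],  # the customer packet, readable in the clear
    }


if __name__ == "__main__":
    # Constructed sample: a stub inner IPv4 packet between two tunnel endpoints (RFC 5737 addresses)
    inner = b"\x45\x00" + bytes(18)
    pkt = gre_encapsulate("192.0.2.1", "192.0.2.2", 0x0800, inner, key=100)
    print(gre_decapsulate(pkt))
```

The parser deliberately rejects a non-zero version field and a bad outer checksum rather than guessing, the behaviour a tunnel endpoint or a network monitor should have when it meets malformed encapsulation.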

Peer-to-Peer VPN Model

In the peer-to-peer VPN model, the service provider routers carry the customer data across the network, but they also participate in the customer routing. In other words, the service provider routers peer directly with the customer routers at Layer 3. The result is that one routing protocol neighborship or adjacency exists between the customer and the service provider router. Figure 1-5 shows the concept of the peer-to-peer VPN model.

Figure 1-5 Peer-to-Peer VPN Model (figure: the customer edge routers of VPN A site 1 and site 2 each peer with a provider edge router in the service provider network; routing is isolated between VPNs)

Before MPLS existed, the peer-to-peer VPN model could be achieved by creating the IP routing peering between the customer and service provider routers. The VPN model also requires privateness or isolation between the different customers. You can achieve this by configuring packet filters (access lists) to control the data to and from the customer routers. Another way to achieve a form of privateness is to configure route filters to advertise routes, or stop routes from being advertised, to the customer routers. Or, you can deploy both methods at the same time.

Before MPLS came into being, the overlay VPN model was deployed much more commonly than the peer-to-peer VPN model. The peer-to-peer VPN model demanded a lot from provisioning because adding one customer site demanded many configuration changes at many sites. MPLS VPN is one application of MPLS that made the peer-to-peer VPN model much easier to implement. Adding or removing a customer site is now easier to configure and thus demands much less time and effort. With MPLS VPN, one customer router, called the customer edge (CE) router, peers at the IP Layer with at least one service provider router, called the provider edge (PE) router.

The privateness in MPLS VPN networks is achieved by using the concept of virtual routing/forwarding (VRF) and the fact that the data is forwarded in the backbone as labeled packets. The VRFs ensure that the routing information from the different customers is kept separate, and the MPLS in the backbone ensures that the packets are forwarded based on the label information and not the information in the IP header. Figure 1-6 shows the concept of VRFs and forwarding labeled packets in the backbone of a network that is running MPLS VPN.
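To make the two isolation mechanisms concrete, here is an added simulation (not code from the book) of a PE router under the pre-MPLS peer-to-peer model with route filters and under the MPLS VPN model with VRFs, covering the route-filter passage and the VRF passage above. Customer names, interface names, prefixes and next hops are constructed sample data. The first class keeps one routing table and needs an operator-maintained filter entry before any route reaches a customer, and cannot hold the same prefix for two customers at all; the second class binds each CE-facing interface to a VRF, so a lookup only ever sees the table of the VRF the packet arrived in, and overlapping customer address space is fine.

```python
"""Customer isolation on a PE: route filters vs. VRFs (added example, not from the book)."""
import ipaddress
from collections import defaultdict


def longest_match(table, dst):
    """Return (prefix, next_hop) of the most specific matching route in a table, or None."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table.items():
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else (str(best[0]), best[1])


# --- Peer-to-peer over plain IP: one routing table plus per-customer route filters ---

class FilteredPE:
    def __init__(self):
        self.global_table = {}           # prefix -> (customer, next_hop), shared by everyone
        self.permit = defaultdict(set)   # customer -> prefixes the route filter lets through

    def learn(self, customer, prefix, next_hop):
        owner = self.global_table.get(prefix, (None,))[0]
        if owner is not None and owner != customer:
            # One shared table cannot hold the same prefix for two different customers.
            raise ValueError(f"{prefix} already in use by customer {owner}")
        self.global_table[prefix] = (customer, next_hop)

    def add_route_filter(self, customer, prefix):
        # Separate operator step: every new site means filter changes for the other sites.
        self.permit[customer].add(prefix)

    def advertise_to(self, customer):
        """Routes the filter permits toward this customer's CE; deny by default."""
        return sorted(p for p in self.global_table if p in self.permit[customer])


# --- MPLS VPN: CE-facing interface -> VRF, one routing table per VRF ---

class VrfPE:
    def __init__(self):
        self.interface_vrf = {}                 # interface -> VRF name
        self.vrf_tables = defaultdict(dict)     # VRF name -> {prefix: next_hop}

    def bind_interface(self, interface, vrf):
        self.interface_vrf[interface] = vrf

    def learn(self, interface, prefix, next_hop):
        # A route learned from a CE lands only in the VRF of the interface it came in on.
        self.vrf_tables[self.interface_vrf[interface]][prefix] = next_hop

    def lookup(self, ingress_interface, dst):
        # Forwarding consults only the VRF of the ingress interface; other VRFs are invisible.
        return longest_match(self.vrf_tables[self.interface_vrf[ingress_interface]], dst)

    def advertise_to(self, interface):
        """Everything in the interface's VRF, and nothing else; no filter to maintain."""
        return sorted(self.vrf_tables[self.interface_vrf[interface]])


def demo_filtered():
    pe = FilteredPE()
    pe.learn("A", "10.1.0.0/24", "ce-a-site2")
    pe.learn("B", "10.2.0.0/24", "ce-b-site2")
    before = pe.advertise_to("A")              # nothing until the filter is touched
    pe.add_route_filter("A", "10.1.0.0/24")
    return before, pe.advertise_to("A"), pe.advertise_to("B")


def demo_vrf():
    pe = VrfPE()
    pe.bind_interface("Gi0/1", "VPN-A")
    pe.bind_interface("Gi0/2", "VPN-B")
    # Both customers use 10.0.0.0/24 at their second site; VRFs keep them apart.
    pe.learn("Gi0/1", "10.0.0.0/24", "ce-a-site2")
    pe.learn("Gi0/2", "10.0.0.0/24", "ce-b-site2")
    return pe.lookup("Gi0/1", "10.0.0.7"), pe.lookup("Gi0/2", "10.0.0.7"), pe.advertise_to("Gi0/1")


if __name__ == "__main__":
    print(demo_filtered())
    print(demo_vrf())
```

The simulation ignores labels themselves; it only models the routing-information side of the separation. The backbone half of the isolation, forwarding on the label rather than on the IP header, is what keeps the two identical 10.0.0.0/24 destinations apart once the packets leave the PE.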

Figure 1-6 MPLS VPN with VRF (figure: the customer edge routers of VPN A site 1 and site 2 attach to provider edge routers; across the MPLS backbone the data is carried with label(s))

Figure 1-7 shows the concept of the peer-to-peer VPN model applied to MPLS VPN.

Figure 1-7 Peer-to-Peer MPLS VPN Model (figure: each customer edge router has a routing peering with a provider edge router of the service providers' MPLS network)

Adding one customer site means that on the PE router, only the peering with the CE router must be added. You do not have to hassle with creating many virtual circuits as with the overlay model or with configuring packet filters or route filters with the peer-to-peer VPN model over an IP network. This is the benefit of MPLS VPN for the service provider.

Most service provider customers have a hub-and-spoke network, whereas some have a fully meshed network around the service provider backbone. Others have something in between. The benefit of MPLS VPN for the customer is at its greatest when the customer has a fully meshed network. Refer to Figure 1-2 to see a fully meshed customer network around a Frame Relay network, and compare that to the same customer network with MPLS VPN in Figure 1-7. In Figure 1-2, each customer edge router peers with n-1 other customer edge routers—where n is the total number of customer edge routers. In Figure 1-7, each customer edge router peers with only one service provider edge router.

Another benefit for the service provider is that it only needs to provision the link between the PE and CE routers. With the overlay model, the service provider needs to provision the links or virtual circuits between the sites. It is much easier to predict the traffic and thus the bandwidth requirement of one site than to predict the complete traffic model between all the customer sites.

It is only fair to list the disadvantages of the peer-to-peer VPN model compared to the overlay VPN model:

■ The customer must share the routing responsibility with the service provider.

■ The edge devices of the service provider have an added burden.

The first disadvantage is that the customer must have a routing peer with the service provider. The customer does not control its network end to end anymore on Layer 3 and regarding the IP routing, as with the overlay model. The second disadvantage is for the service provider. The burden for the service provider is the added task of the edge device—the PE router. The service provider is responsible for the scalability and routing convergence of the customer networks because the PE routers must be able to carry all the routes of the many customers while providing timely routing convergence.
