Huawei v200r001 Network Router User Manual


 
User Manual - Configuration Guide (Volume 3)
Versatile Routing Platform
Chapter 1
VPN Overview
1-3
VPN maintenance is largely handed over to the ISP (users retain a degree of control over their own services), and VPN functions are implemented mainly on equipment at the network side. This reduces the user's investment, makes services more flexible and scalable, and gives the operator a new source of revenue.
II. According to the layer where the tunnel is
1) Layer 2 tunneling protocol
A layer 2 tunnel starts at the NAS (Network Access Server) and ends on equipment at the user side; whole PPP frames are encapsulated in the tunnel. The current layer 2 tunneling protocols are mainly the Point-to-Point Tunneling Protocol (PPTP) (supported by Microsoft, Ascend and 3COM, and built into Windows NT 4.0 and later), the Layer 2 Forwarding protocol (L2F) (supported by Cisco and Nortel), and the Layer 2 Tunneling Protocol (L2TP), drafted by the IETF with Microsoft's participation. L2TP combines the advantages of the two earlier protocols and has been accepted by the industry as the standard (RFC 2661). L2TP can be used not only for dial-up VPN services but also for leased-line VPN services.
2) Layer 3 tunneling protocol
A layer 3 tunnel starts and ends within the ISP's network: the PPP session terminates at the NAS, and only layer 3 packets are carried in the tunnel. The current layer 3 tunneling protocols are mainly Generic Routing Encapsulation (GRE) and IPSec. GRE and IPSec are mainly used for leased-line VPN services.
Compared with a layer 2 tunnel, a layer 3 tunnel is more secure, scalable and reliable. In terms of security, a layer 2 tunnel usually terminates on equipment at the user side, so the user's network and its firewall must cope with traffic that arrives inside the tunnel, which brings considerable security challenges. A layer 3 tunnel usually terminates on the ISP gateway, so tunneled traffic is not carried past the user's own security boundary and does not expose the user's network in the same way.
In terms of scalability, a layer 2 tunnel encapsulates entire PPP frames in IP, which adds per-packet overhead and reduces transmission efficiency. The PPP session also runs through the whole tunnel and terminates on nodes or servers in the user's network, so the user-side gateway must hold a great deal of PPP session state, which adds to the system load and considerably limits scalability. In addition, PPP's LCP and NCP negotiations are time-sensitive, so delay in the IP tunnel can cause problems such as PPP session timeouts. Because a layer 3 tunnel terminates at the ISP gateway and the PPP session terminates at the NAS, the user-side gateway does not need to manage and maintain the state of each PPP session, which minimizes its load.
Layer 2 and layer 3 tunneling protocols are generally used independently, but a sensible combination of the two provides better security for users, for example L2TP together with IPSec: L2TP itself provides neither encryption nor per-packet authentication of the frames it carries, and IPSec supplies both.
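To make the two encapsulation models concrete, the following Python script is an added example written for this page; it is not code from the Huawei manual or from the VRP software. It wraps one inner IPv4 datagram first as a layer 2 tunnel (a PPP frame inside an L2TPv2 data message over UDP/IP, as in II.1) and then as a layer 3 tunnel (GRE over IP, as in II.2), walks each encapsulation stack from the outside in, and counts the per-packet header overhead that the scalability discussion above refers to. Header layouts follow RFC 791 (IPv4), RFC 768 (UDP), RFC 2661 (L2TPv2), RFC 2784 and RFC 2890 (GRE) and RFC 1661 (PPP); the addresses, tunnel and session IDs and the payload are constructed sample values, and helper names such as `walk`, `overhead`, `l2tp_tunnel` and `gre_tunnel` are the example's own, not VRP commands or APIs.

```python
import socket
import struct

IPPROTO_UDP = 17
IPPROTO_GRE = 47
L2TP_PORT = 1701           # L2TPv2 control and data messages both use UDP port 1701
PPP_PROTO_IPV4 = 0x0021    # PPP protocol field value for IPv4 (RFC 1332)
ETHERTYPE_IPV4 = 0x0800    # GRE protocol type for an IPv4 payload (RFC 2784)


def ipv4_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; evaluates to 0 over a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def gre_tunnel(outer_src: str, outer_dst: str, inner: bytes) -> bytes:
    """Layer 3 tunnel: outer IPv4 | GRE | inner IPv4.  The base GRE header
    (no checksum/key/sequence) is 4 bytes: flags+version, protocol type."""
    return ipv4(outer_src, outer_dst, IPPROTO_GRE,
                struct.pack("!HH", 0x0000, ETHERTYPE_IPV4) + inner)


def l2tp_tunnel(outer_src: str, outer_dst: str, tunnel_id: int,
                session_id: int, inner: bytes) -> bytes:
    """Layer 2 tunnel: outer IPv4 | UDP | L2TPv2 | PPP | inner IPv4.
    The L2TPv2 data header with no optional fields is 6 bytes: flags/version
    (T=0, Ver=2), tunnel ID, session ID.  The PPP frame keeps its HDLC
    address/control bytes 0xFF 0x03 and the 2-byte protocol field."""
    ppp = b"\xff\x03" + struct.pack("!H", PPP_PROTO_IPV4) + inner
    l2tp = struct.pack("!HHH", 0x0002, tunnel_id, session_id) + ppp
    # The UDP checksum is optional over IPv4, so it is left as 0 here.
    udp = struct.pack("!HHHH", L2TP_PORT, L2TP_PORT, 8 + len(l2tp), 0) + l2tp
    return ipv4(outer_src, outer_dst, IPPROTO_UDP, udp)


def overhead(tunnelled: bytes, inner: bytes) -> int:
    """Bytes of tunnel headers added in front of the inner datagram."""
    return len(tunnelled) - len(inner)


def walk(pkt: bytes) -> list:
    """Parse the encapsulation stack outermost-first and return layer names.
    IPv4 entries carry the addresses read in cleartext, e.g. 'IPv4 a>b'."""
    layers = []
    while True:
        ihl = (pkt[0] & 0x0F) * 4
        if ipv4_checksum(pkt[:ihl]) != 0:
            raise ValueError("bad IPv4 header checksum")
        proto = pkt[9]
        layers.append("IPv4 %s>%s" % (socket.inet_ntoa(pkt[12:16]),
                                      socket.inet_ntoa(pkt[16:20])))
        pkt = pkt[ihl:]
        if proto == IPPROTO_GRE:
            flags, ptype = struct.unpack("!HH", pkt[:4])
            layers.append("GRE")
            pkt = pkt[4:]
            for bit in (0x8000, 0x2000, 0x1000):   # optional C, K, S words (4 bytes each)
                if flags & bit:
                    pkt = pkt[4:]
            if ptype == ETHERTYPE_IPV4:
                continue
        elif proto == IPPROTO_UDP:
            _, dport = struct.unpack("!HH", pkt[:4])
            layers.append("UDP")
            pkt = pkt[8:]
            if dport == L2TP_PORT:
                flags = struct.unpack("!H", pkt[:2])[0]
                if flags & 0x8000:
                    raise ValueError("L2TP control message, not a data message")
                layers.append("L2TP")
                hlen = 6
                if flags & 0x4000:       # L bit: Length field present
                    hlen += 2
                if flags & 0x0800:       # S bit: Ns and Nr present
                    hlen += 4
                if flags & 0x0200:       # O bit: Offset Size field plus padding
                    hlen += 2 + struct.unpack("!H", pkt[hlen:hlen + 2])[0]
                pkt = pkt[hlen:]
                if pkt[:2] == b"\xff\x03":   # HDLC address/control may be omitted
                    pkt = pkt[2:]
                ppp_proto = struct.unpack("!H", pkt[:2])[0]
                layers.append("PPP")
                pkt = pkt[2:]
                if ppp_proto == PPP_PROTO_IPV4:
                    continue
        layers.append("payload")
        return layers


# Constructed sample: a private-address datagram carried across a public core.
INNER = ipv4("10.1.1.10", "10.2.2.20", 6, b"constructed TCP segment")
L2_PKT = l2tp_tunnel("203.0.113.1", "198.51.100.1", 7, 42, INNER)
L3_PKT = gre_tunnel("203.0.113.1", "198.51.100.1", INNER)

if __name__ == "__main__":
    for name, pkt in (("L2TP", L2_PKT), ("GRE", L3_PKT)):
        print("%-4s overhead %2d bytes: %s"
              % (name, overhead(pkt, INNER), " | ".join(walk(pkt))))
```

Running it reports 38 bytes of outer headers for the L2TP stack (IP, UDP, L2TP and the PPP framing) against 24 for GRE, which is the efficiency gap the comparison above describes. The walker also reads the inner addresses straight out of either packet: neither tunnel type hides or authenticates what it carries, which is why the manual pairs L2TP with IPSec rather than relying on the tunnel alone.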
III. According to service purpose
1) Intranet VPN
In an Intranet VPN, an enterprise's sites are interconnected across the public network, extending or replacing traditional leased-line networks or other enterprise networks.
2) Access VPN
An Access VPN has two structures: the client-initiated VPN connection and the NAS-initiated VPN connection.
3) Extranet VPN