Introduction
Chapter 1 Introduction to VPNs
Motivations for Deploying a VPN
VPN Technologies
Layer 2 VPNs
Layer 3 VPNs
Remote Access VPNs
Summary
Chapter 2 IPSec Overview
Encryption Terminology
Symmetric Algorithms
Asymmetric Algorithms
Digital Signatures
IPSec Security Protocols
IPSec Transport Mode
IPSec Tunnel Mode
Encapsulating Security Header (ESP)
Authentication Header (AH)
Key Management and Security Associations
The Diffie-Hellman Key Exchange
Security Associations and IKE Operation
IKE Phase 1 Operation
IKE Phase 2 Operation
IPSec Packet Processing
Summary
Chapter 3 Enhanced IPSec Features
IKE Keepalives
Dead Peer Detection
Idle Timeout
Reverse Route Injection
RRI and HSRP
Stateful Failover
SADB Transfer
SADB Synchronization
IPSec and Fragmentation
IPSec and PMTUD
Look Ahead Fragmentation
GRE and IPSec
IPSec and NAT
Effect of NAT on AH
Effect of NAT on ESP
Effect of NAT on IKE
IPSec and NAT Solutions
Summary
Chapter 4 IPSec Authentication and Authorization Models
Extended Authentication (XAUTH) and Mode Configuration (MODE-CFG)
Mode-Configuration (MODECFG)
Easy VPN (EzVPN)
EzVPN Client Mode
Network Extension Mode
Digital Certificates for IPSec VPNs
Digital Certificates
Certificate Authority–Enrollment
Certificate Revocation
Summary
Chapter 5 IPSec VPN Architectures
IPSec VPN Connection Models
IPSec Model
The GRE Model
The Remote Access Client Model
IPSec Connection Model Summary
Hub-and-Spoke Architecture
Using the IPSec Model
Transit Spoke-to-Spoke Connectivity Using IPSec
Internet Connectivity
Scalability Using the IPSec Connection Model
GRE Model
Transit Site-to-Site Connectivity
Transit Site-to-Site Connectivity with Internet Access
Scalability of GRE Hub-and-Spoke Models
Remote Access Client Connection Model
Easy VPN (EzVPN) Client Mode
EzVPN Network Extension Mode
Scalability of Client Connectivity Models
Full-Mesh Architectures
Native IPSec Connectivity Model
GRE Model
Summary
Chapter 6 Designing Fault-Tolerant IPSec VPNs
Link Fault Tolerance
Backbone Network Fault Tolerance
Access Link Fault Tolerance
Access Link Fault Tolerance Summary
IPSec Peer Redundancy
Simple Peer Redundancy Model
Virtual IPSec Peer Redundancy Using HSRP
IPSec Stateful Failover
Peer Redundancy Using GRE
Virtual IPSec Peer Redundancy Using SLB
Server Load Balancing Concepts
IPSec Peer Redundancy Using SLB
Cisco VPN 3000 Clustering for Peer Redundancy
Peer Redundancy Summary
Intra-Chassis IPSec VPN Services Redundancy
Stateless IPSec Redundancy
Stateful IPSec Redundancy
Summary
Chapter 7 Auto-Configuration Architectures for Site-to-Site IPSec VPNs
IPSec Tunnel Endpoint Discovery
Principles of TED
Limitations with TED
TED Configuration and State
TED Fault Tolerance
Dynamic Multipoint VPN
Multipoint GRE Interfaces
Next Hop Resolution Protocol
Dynamic IPSec Proxy Instantiation
Establishing a Dynamic Multipoint VPN
DMVPN Architectural Redundancy
DMVPN Model Summary
Summary
Chapter 8 IPSec and Application Interoperability
QoS-Enabled IPSec VPNs
Overview of IP QoS Mechanisms
IPSec Implications for Classification
IPSec Implications on QoS Policies
VoIP Application Requirements for IPSec VPN Networks
Delay Implications
Jitter Implications
Loss Implications
IPSec VPN Architectural Considerations for VoIP
Decoupled VoIP and Data Architectures
VoIP over IPSec Remote Access
VoIP over IPSec-Protected GRE Architectures
VoIP Hub-and-Spoke Architecture
VoIP over DMVPN Architecture
VoIP Traffic Engineering
Summary
Multicast over IPSec VPNs
Multicast over IPSec-protected GRE
Multicast on Full-Mesh Point-to-Point GRE/IPSec Tunnels
DMVPN and Multicast
Multicast Group Security
Multicast Encryption
Summary
Summary
Chapter 9 Network-Based IPSec VPNs
Fundamentals of Network-Based VPNs
The Network-Based IPSec Solution: IOS Features
The Virtual Routing and Forwarding Table
Crypto Keyrings
ISAKMP Profiles
Operation of Network-Based IPSec VPNs
A Single IP Address on the PE
Front-Door and Inside VRF Configuration and Packet Flow
Termination of IPSec on a Unique IP Address Per VRF
Network-Based VPN Deployment Scenarios
IPSec to MPLS VPN over GRE
IPSec to L2 VPNs
PE-PE Encryption
Summary
Index
As the number of remote branches and work-from-home employees grows throughout corporate America, VPNs are becoming essential to both enterprise networks and service providers. IPSec is one of the more popular technologies for deploying IP-based VPNs. IPSec VPN Design provides a solid understanding of the design and architectural issues of IPSec VPNs. Some books cover the IPSec protocols, but they do not address overall design issues; this book fills that void. IPSec VPN Design consists of three main sections. The first section provides a comprehensive introduction to the IPSec protocol, including IPSec peer models. This section also includes an introduction to site-to-site, network-based, and remote access VPNs. The second section is dedicated to an analysis of IPSec VPN architecture and proper design methodologies. Peer relationships and fault tolerance models and architectures are examined in detail. Part three addresses enabling VPN services, such as performance, scalability, packet processing, QoS, multicast, and security. This title also covers the integration of IPSec VPNs with other Layer 3 (MPLS VPN) and Layer 2 (Frame Relay, ATM) technologies. Management, provisioning, and troubleshooting techniques are also discussed. Case studies highlight design, implementation, and management advice to be applied in both service provider and enterprise environments.
Vijay Bollapragada, CCIE® No. 1606, is a senior manager in the Network Systems Integration and Test Engineering group at Cisco Systems®, where he works on the architecture, design, and validation of complex network solutions.

Mohamed Khalid, CCIE No. 2435, is a technical leader working with IP VPN solutions at Cisco®. He works extensively with service providers across the globe and their associated Cisco account teams to determine technical and engineering requirements for various IP VPN architectures.

Scott Wainner is a Distinguished Systems Engineer in the U.S. Service Provider Sales Organization at Cisco Systems, where he focuses on VPN architecture and solution development. In this capacity, he provides customer guidance on IP VPN architectures and drives internal development initiatives within Cisco Systems.