|
|
An access virtual private dial network (VPDN) is a network that extends dial access to users over a shared infrastructure. Access VPDNs maintain the same security and management policies as a private network. They are a cost-effective method of establishing long-distance point-to-point connections between remote users and a private network.
 |
Note Access VPDNs should not be confused with dedicated virtual private networks (VPNs)---also called intranet VPNs or extranet VPNs. Dedicated VPNs connect remote offices to private networks using permanent, dedicated connections. Access VPDNs provide remote access to private networks using analog, ISDN, mobile IP, and cable technologies. |
The main attraction of access VPDNs is the way they delegate responsibilities for the network. An Internet service provider (ISP) leases VPDN service to customers (typically enterprise customers or medium-sized service providers) that want to outsoure their information technology (IT) responsibilities or expand their geographical presence. The ISP is responsible for the modems, access servers, and internetworking expertise necessary to remotely access the network. The ISP customers are then responsible only for authenticating their users and maintaining their private network.
Instead of making connections directly to the network by using the expensive Public Switched Telephone Network (PSTN), access VPDN users only need to use the PSTN to connect to the ISP local point of presence (POP). The ISP then uses the Internet to forward users from the POP to the customer network. Forwarding calls over the Internet as opposed to making a long-distance PSTN call provides dramatic cost saving for the customer.
Access VPDNs use Layer 2 tunneling technologies to create virtual point-to-point connections between users and the customer network. These tunneling technologies provide the same direct connectivity as the expensive PSTN by using the inexpensive Internet. Users anywhere in the world then have the same connectivity as they would at the customer headquarters.
VPDNs are designed based on one of two architectural options: client-initiated or network access server (NAS)-initiated VPDNs. A NAS is an access server, maintained by the ISP, that users dial in to and that forwards the call to the network:
This document focuses solely on NAS-initiated access VPDNs.
VPDNs can use any of the three following Layer 2 tunneling protocols:
L2TP offers the best scalability and most features of the three Layer 2 tunneling protocols.
This Integration Solutions Guide describes how a large ISP plans, designs, and implements an access VPDN using L2TP. The ISP works with two customers---a medium-sized service provider and an enterprise customer---to create two main types of VPDN service: wholesale dial and service for enterprise customers.
The L2TP network is primarily designed to provide wholesale dial service to medium-sized service providers. In a wholesale dial scenario, the large ISP maintains geographically dispersed POPs. The ISP then offers VPDN service to medium-sized service providers that do not have the resources to maintain multiple POPs, but want to offer geographically extended dial services (called roaming services) to their customers. The customers of the service providers dial in to the ISP local POP, and the ISP then creates a VPDN tunnel to the home networks of the service providers .
The ISP L2TP network is also designed to provide VPDN service to enterprise customers that want to outsource their IT responsibilities. Enterprise customers want to establish secure, comprehensive dial service for their employees and partners. Some enterprises also want dial-out service to upload information from their central network to remote sites.
This ISG describes how a large ISP partners with a wholesale dial customer and an enterprise customer to design and implement the VPDN network shown in Figure 1.
Throughout the rest of this integration solutions guide, we will refer to the three companies---the ISP, service provider, and enterprise---as the partners. We will refer to the service provider and the enterprise as the customers of the ISP.
Access VPDNs benefit ISPs, enterprise customers, and service providers as described in the following sections.
This section describes the service provider and enterprise networks before they implement the access VPDN network. Their networks are shown in Figure 2.
|
Note The devices in the lighter shade of grey are not affected by the implementation of the access VPDN network. |
The three networks function independently of each other. The ISP, service provider, and enterprise each maintains its own access server.
The ISP only has traffic from its own dial-in users.
In order to provide worldwide roaming dialup service, the service provider must maintain an 800 number that generates expensive long-distance phone calls. When customers need to access the network from overseas, they must deal with expensive and often problematic international phone service.
The enterprise customer must maintain its own access server in order to allow employees and partners to remotely access the enterprise network. The enterprise must maintain its own IT infrastructure and networking expertise, including leasing its own IP address subnet. These IT responsibilities distract from its core business responsibilities. When employees need to access the network from remote locations, the enterprise must pay for expensive long-distance phone calls.
The service provider has the following motivations for establishing the access VPDN:
The enterprise customer has the following motivations for establishing the access VPDN:
Service provider customers and enterprise employees and partners that need to access the networks outside of the local calling area can dial in to the ISP access servers. The ISP then forwards the calls over the Internet to the proper network, which eliminates 800 number and long-distance charges. The ISP maintains the access servers, modems, phone lines, and internetworking expertise. The service provider and enterprise can then focus on their core business responsibilities. The VPDN network functions as shown in Figure 3.
|
Note The devices in the lighter shade of grey are not involved in the access VPDN network. |
The access VPDN network operation is as follows:
1. The service provider and enterprise lease access VPDN dial-in service from the ISP.
2. The ISP works with the service provider and enterprise to determine the level of service they require. The service provider simply needs calls from its remote users forwarded to its home network.
3. The enterprise requires more extensive VPDN service: It leases IP address space from the ISP, it leases the L2TP Network Server (LNS) from the ISP, and it contracts with the ISP to configure and maintain this equipment.
4. The partners work together to configure the devices to establish L2TP tunnels from the L2TP Access Concentrator (LAC) to the customer LNSs.
5. Once the partners verify that the access VPDN network works, the service provider and enterprise configure the usernames and passwords of their users on their LNSs.
The goal of the ISP is to design an access VPDN network that will meet the requirements of as many customers as possible. To design this network, the ISP meets with two different types of customers: a medium-sized service provider interested in wholesale dial VPDN service and an enterprise customer interested in access VPDN service. The ISP, service provider, and enterprise decide to partner to create the access VPDN network.
To ensure a smooth transition from their previous networks to the new networks, they begin with a basic VPDN network: a single LAC that creates VPDN tunnels with two LNSs. All tunnel endpoint information and usernames and passwords are stored locally on the devices.
The ISP wants to make the VPDN network as flexible as possible. Although the initial implementation will be a basic VPDN network, it is designed to easily increase in scale and complexity. The service provider only wants the ISP to forward its user calls without relinquishing any further control of its network. The enterprise customer wants to outsource as much IT responsibility as possible. The enterprise will use the equipment, IP address space, and networking expertise of the ISP. Then, the enterprise is solely responsible for maintaining its usernames and passwords.
To implement the access VPDN network, the partners perform the following tasks:
1. The partners determine the level of service the service provider and enterprise require.
2. The partners design the network topology and create a device characteristics table.
3. The ISP configures the LAC and forwarding router.
4. The service provider and enterprise configure their LNSs.
5. The partners verify that they can establish L2TP tunnels to both LNSs.
6. The service provider and enterprise configure the usernames and passwords of their users on the LNSs.
After the VPDN network is configured, the partners face the implications described in the following sections:
Posted: Fri Jun 16 16:54:36 PDT 2000
Copyright 1989 - 2000©Cisco Systems Inc.