VPN Design

Remote Access VPN design

  • A remote-access VPN needs three parts: a termination device (VPN concentrator or firewall), a client, and the tunneling technology that connects them.
  • Cisco Easy VPN: the server pushes policy (addresses, DNS, split-tunnel list) down to the client, so per-client configuration stays minimal.
  • Client options
    • IPsec VPN client
    • SSL VPN clientless access (browser only, web-based resources)
    • SSL VPN thin client (browser plus a small port-forwarding applet for specific TCP ports)
    • SSL VPN thick client (full tunnel client such as AnyConnect)

Placement of the VPN Termination Device:

  • Parallel placement
    • Easy to implement.
    • Least secure: decrypted VPN traffic bypasses the firewall entirely.
  • Inline placement
    • Termination device sits in front of the firewall; decrypted traffic is then routed through the firewall.
      • Firewall filtering rules restrict which internal resources VPN users can reach.
    • The VPN termination device itself is exposed to the outside world.
  • DMZ placement
    • Encrypted traffic passes through the firewall to reach the termination device on the DMZ, and the decrypted traffic passes through the firewall again on its way inside.
    • Hardest to implement, best security.

Routing the traffic back

  • The internal network needs routes back to the VPN client addresses.
  • Small orgs typically use one static route for the client pool, pointing at the VPN termination device.
  • Larger orgs use reverse route injection (RRI): the termination device installs a host route for each connected client and redistributes it into the IGP (OSPF / RIPv2).
  • Clients can get addresses via DHCP (common) or a static per-user address (via RADIUS / LDAP).
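
The "routing the traffic back" options above as an added IOS configuration example; this is not from the original notes. It assumes a router terminating IKEv1 Easy VPN clients on GigabitEthernet0/0 (203.0.113.1), an inside LAN of 192.168.10.0/24, a client pool of 10.200.0.0/24, and the names, usernames and secrets shown, all of which are illustrative.

```cisco
! Assumed: IOS router terminating IKEv1 Easy VPN clients. Inside LAN
! 192.168.10.0/24, client pool 10.200.0.0/24, outside Gi0/0 = 203.0.113.1.
! All names, addresses and secrets are illustrative placeholders.
aaa new-model
aaa authentication login VPN-XAUTH local
aaa authorization network VPN-GROUP local
username alice secret ChangeMe-XauthPw
!
ip local pool RA-POOL 10.200.0.1 10.200.0.254
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
! Group policy pushed to the client by Easy VPN "mode config"
crypto isakmp client configuration group SALES
 key ChangeMe-GroupPSK
 pool RA-POOL
 dns 192.168.10.53
 domain example.com
!
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha256-hmac
!
! reverse-route = RRI: a /32 static route is installed for each client
! when its SA comes up and withdrawn when the SA is deleted
crypto dynamic-map RA-DYN 10
 set transform-set AES-SHA
 reverse-route
!
crypto map RA-MAP client authentication list VPN-XAUTH
crypto map RA-MAP isakmp authorization list VPN-GROUP
crypto map RA-MAP client configuration address respond
crypto map RA-MAP 10 ipsec-isakmp dynamic RA-DYN
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map RA-MAP
!
! Large org: the IGP carries the RRI host routes to the rest of the network.
! "subnets" is required, otherwise OSPF only picks up classful networks
! and the /32 client routes are silently ignored.
router ospf 1
 network 192.168.10.0 0.0.0.255 area 0
 redistribute static subnets
!
! Small org alternative (configured on the core router, not here): a single
! static route for the whole pool pointing at the VPN device's inside address
!   ip route 10.200.0.0 255.255.255.0 192.168.10.1
```

After a client connects, `show ip route static` on the VPN device shows the injected /32, and `show ip route ospf` on an inside router confirms it was redistributed; if the inside router never sees it, the missing `subnets` keyword is the usual cause.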

Site-to-Site VPN: WAN replacement or backup

  • Cost effective.
  • (Typically) Faster.
  • More available.
  • Secure (HIPAA).
    • Health Insurance Portability and Accountability Act

Core principles for success with Site-to-Site VPNs

  • An IPsec VPN acts as an overlay network (tunnel) on top of the transport.
  • Larger organizations will want dynamic routing across the overlay.
    • IPsec on its own carries unicast IP only; routing protocols depend on multicast or broadcast hellos, which IPsec cannot tunnel.
  • To carry multicast / broadcast (and non-IP protocols), run GRE tunnels inside IPsec.
  • Size your VPN devices for these steady-state CPU ceilings:
    • Head-end device 50% CPU.
    • Branch devices 65% CPU.

OSPF over GRE (with and without IPsec)
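
The GRE-inside-IPsec design from the core principles, with OSPF running across it, as an added IOS example that is not part of the original notes. It assumes Site A with outside interface GigabitEthernet0/0 = 203.0.113.1 and LAN 192.168.10.0/24, peering with Site B at 203.0.113.2 (LAN 192.168.20.0/24); the tunnel subnet, router-id, profile names and the pre-shared key are illustrative.

```cisco
! Site A. Assumed: outside Gi0/0 = 203.0.113.1, LAN 192.168.10.0/24,
! Site B outside = 203.0.113.2 with LAN 192.168.20.0/24.
! All names, addresses and the PSK are illustrative placeholders.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key ChangeMe-SitePSK address 203.0.113.2
!
! Transport mode: the GRE tunnel already supplies the outer IP header, so
! ESP only needs to protect the GRE payload (saves 20 bytes per packet).
! Use "mode tunnel" instead if a NAT device sits between the two peers.
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile GRE-PROTECT
 set transform-set AES-SHA
!
interface Tunnel0
 description GRE to Site B (IPsec protected)
 ip address 10.255.0.1 255.255.255.252
 ! GRE (4 B) plus ESP header/IV/padding/ICV: keep the tunnel MTU at 1400
 ! and clamp TCP MSS so hosts never depend on fragmenting encrypted packets
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 ! Remove this one line for plain GRE without IPsec
 tunnel protection ipsec profile GRE-PROTECT
!
! OSPF hellos are multicast (224.0.0.5). GRE carries them, so the adjacency
! forms across the tunnel and the remote LAN prefix is learned dynamically.
router ospf 1
 router-id 10.0.0.1
 network 10.255.0.0 0.0.0.3 area 0
 network 192.168.10.0 0.0.0.255 area 0
!
! Site B mirrors this configuration with the addresses swapped:
!   crypto isakmp key ChangeMe-SitePSK address 203.0.113.1
!   interface Tunnel0: ip address 10.255.0.2 255.255.255.252,
!                      tunnel destination 203.0.113.1
!   router ospf 1: router-id 10.0.0.2, network 192.168.20.0 0.0.0.255 area 0
```

`show crypto ipsec sa` should show packets encrypted and decrypted on the SA to 203.0.113.2, and `show ip ospf neighbor` should list the peer in FULL state on Tunnel0. If the SA is up but OSPF stays in INIT or never appears, the interesting traffic is still flowing but the multicast hellos are not being carried, which almost always means the tunnel interface, not the crypto, is misconfigured.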

VPN Variations

  • Easy VPN
    • Centralizes VPN configuration on the server.
    • Eases remote site setup.
  • GRE + IPsec
    • Adds another layer of encapsulation to the VPN (GRE header inside ESP).
    • Allows multicast / broadcast and non-IP traffic to function.
    • Allows routing protocols to run across the tunnel.
    • A typical hub-and-spoke GRE/IPsec design has issues:
      • All spoke-to-spoke traffic passes through the hub.
      • Spoke configuration grows with every new tunnel.
    • Use DMVPN instead:
      • Each spoke keeps a single configured tunnel to the hub.
      • Spoke addresses are registered with the hub via NHRP.
      • Spoke-to-spoke GRE/IPsec tunnels come up on demand and are torn down when their NHRP entry ages out (time limited).
      • Tunnel membership is tied to the NHRP network ID and authentication string (the string is sent in the clear; IPsec peer authentication is the real access control).
  • Virtual Tunnel Interface (VTI)
    • Prefer it over GRE if the router supports it and the tunnel only carries IP.
    • Alternative to GRE tunnels; supports multicast, so routing protocols run over it.
    • Saves the GRE overhead.
    • Simplifies configuration; static or dynamic VTI options.
  • GET VPN (Group Encrypted Transport)
    • The VPN for the private WAN (MPLS-like, any-to-any).
    • Original IP header is preserved, not tunneled, so the underlying WAN routing is unchanged.
    • Dynamic, full mesh.
    • More complicated configuration (key server plus group members).
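
The DMVPN design described above (single hub tunnel per spoke, NHRP registration, on-demand spoke-to-spoke tunnels, NHRP network ID and authentication string) as an added IOS example; it is not from the original notes. It assumes a hub on GigabitEthernet0/0 = 203.0.113.1 with LAN 192.168.10.0/24, a tunnel subnet of 10.255.1.0/24, one spoke with LAN 192.168.20.0/24, and the profile names, PSK and NHRP string shown, all illustrative. It is a Phase 3 DMVPN (NHRP redirect on the hub, shortcut on the spokes).

```cisco
! Assumed: hub outside Gi0/0 = 203.0.113.1, tunnel subnet 10.255.1.0/24,
! hub LAN 192.168.10.0/24, spoke 1 LAN 192.168.20.0/24. Names, addresses,
! PSK and NHRP string are illustrative. Phase 3 DMVPN (redirect/shortcut).
!
! ===== HUB =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Wildcard PSK so any spoke can register. At scale use certificates instead:
! one leaked wildcard PSK admits any host on the Internet into the cloud.
crypto isakmp key ChangeMe-DmvpnPSK address 0.0.0.0 0.0.0.0
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set AES-SHA
!
interface Tunnel0
 ip address 10.255.1.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ! NHRP string (max 8 chars) travels in the clear inside the tunnel and only
 ! separates NHRP domains; peer authentication comes from IPsec, not this.
 ip nhrp authentication dmvpn001
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ip nhrp redirect
 ! The hub must re-advertise spoke routes out the same tunnel interface
 no ip split-horizon eigrp 1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
!
router eigrp 1
 network 10.255.1.0 0.0.0.255
 network 192.168.10.0 0.0.0.255
!
! ===== SPOKE 1 (every spoke is identical apart from its own addresses) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key ChangeMe-DmvpnPSK address 0.0.0.0 0.0.0.0
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set AES-SHA
!
interface Tunnel0
 ip address 10.255.1.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication dmvpn001
 ! The only static mapping is the hub; other spokes are learned via NHRP
 ip nhrp map 10.255.1.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp network-id 100
 ip nhrp nhs 10.255.1.1
 ! NHRP entries this spoke hands out are valid for 300 s; an unused
 ! spoke-to-spoke tunnel is torn down once its mapping ages out
 ip nhrp holdtime 300
 ip nhrp shortcut
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
!
router eigrp 1
 network 10.255.1.0 0.0.0.255
 network 192.168.20.0 0.0.0.255
```

`show dmvpn` on the hub lists each registered spoke; after traffic flows between two spokes, `show dmvpn` on either spoke shows a second, dynamic entry for the other spoke, which disappears again once the holdtime expires without traffic. Because the spoke template never changes when a site is added, adding site N is a hub-side non-event, which is the scaling property the hub-and-spoke GRE design lacks.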

VPN Scalability

  • Packets per second (pps) matter much more than raw throughput for VPNs: every packet costs a fixed amount of crypto and encapsulation work regardless of its size.
  • The marketing numbers:
    • 1400-byte packets
    • 100% CPU
  • The reality:
    • A mix of packet sizes (VoIP, video, web)
    • 80% CPU
  • Test with a realistic traffic simulator instead of blasting packets with iperf.
    • Iperf is better than nothing, and it is free.

Firewalls and VPN devices are specced in the best-case scenario with 1400-byte packets. Real traffic almost never looks like that; average packet size varies with the application, and at 60-byte VoIP packets a device has to process roughly 23 times as many packets as at 1400 bytes for the same bit rate:

  Traffic type     Average packet size
  FTP downloads    1052 bytes
  VoIP               60 bytes
  HTTP              377 bytes
  DNS               124 bytes
  POP3              462 bytes

Routing protocol over VPN suggestions

  • Use EIGRP
    • Can summarize at any interface, including the tunnel.
    • Doesn't flood a link-state database to every site.
    • Stub options on spokes limit queries.
  • Watch the default EIGRP bandwidth
    • A tunnel interface defaults to 9 Kbps.
    • EIGRP throttles its updates to 50% of the interface bandwidth, so set a realistic bandwidth on the tunnel.
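
The EIGRP-over-tunnel suggestions above (summarization, stub, and the 9 Kbps default bandwidth trap) as an added IOS example for a branch router; it is not from the original notes. It assumes Tunnel0 at 10.255.1.2/24 toward the hub, two branch LANs 192.168.20.0/24 and 192.168.21.0/24, and a real tunnel path capacity of 10 Mbps; the process number and addresses are illustrative.

```cisco
! Assumed: branch router, Tunnel0 = 10.255.1.2/24 toward the hub, branch
! LANs 192.168.20.0/24 and 192.168.21.0/24, real tunnel capacity 10 Mbps.
! Process number and addresses are illustrative placeholders.
interface Tunnel0
 ip address 10.255.1.2 255.255.255.0
 ! Tunnel interfaces default to 9 Kbps, and EIGRP caps its own traffic at
 ! 50% of that (4.5 Kbps): updates crawl and neighbours can go stuck-in-
 ! active. Tell EIGRP what the tunnel can really carry (value in Kbps).
 ! This also feeds the EIGRP metric, so use the real figure, not a guess.
 bandwidth 10000
 ! 50% is the default; stated explicitly so the ceiling (5 Mbps) is visible.
 ! Raise above 50 only on tunnels dedicated to routing control traffic.
 ip bandwidth-percent eigrp 1 50
 ! Summarize toward the hub: one /23 replaces both branch /24s
 ip summary-address eigrp 1 192.168.20.0 255.255.254.0
 ! Slower hellos cut control traffic on low-speed tunnels (hold = 3x hello)
 ip hello-interval eigrp 1 10
 ip hold-time eigrp 1 30
!
router eigrp 1
 network 10.255.1.0 0.0.0.255
 network 192.168.20.0 0.0.1.255
 ! Stub: the hub never queries this branch during convergence, and the
 ! branch advertises only its connected and summary routes (no transit)
 eigrp stub connected summary
```

`show ip eigrp interfaces detail Tunnel0` reports the bandwidth percent and the resulting pacing; `show ip eigrp neighbors` on the hub should list the branch with the stub flag in `show ip eigrp neighbors detail`. Before the `bandwidth` line is added, the same command shows the 9 Kbps figure and pacing in the hundreds of milliseconds, which is the symptom to recognise when a large DMVPN's EIGRP adjacencies flap only on tunnels.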

