SP-面试---MPLSVPN

VPNCategoriesQ.WhatisthemajorpartsofanoverallVPNsolutionŸProvidernetwork(P-network):ThecommoninfrastructurethattheserviceproviderusestoofferVPNservicestocustomersŸCustomernetwork(C-network):ThepartoftheoverallcustomernetworkthatisstillexclusivelyundercustomercontrolŸCustomersites:ContiguouspartsoftheC-networkQ.WhatAretheVPNtwomajormodels•OverlayVPNs,inwhichtheserviceproviderprovidesvirtualpoint-to-pointlinksbetweencustomersites•Peer-to-peerVPNs,inwhichtheserviceproviderparticipatesinthecustomerroutingQ.WhatAretheOverlayVPNImplementationTechniques?•IntheLayer1overlayVPNimplementation,theserviceprovidersellsLayer1circuits(bitpipes)implementedwithtechnologiessuchasISDN,digitalservicezero(DS0),E1,T1,SynchronousDigitalHierarchy(SDH),orSONET.ThecustomerisresponsibleforLayer2encapsulationbetweencustomerdevicesandthetransportofIPdataacrosstheinfrastructure.•ALayer2VPNimplementationisthetraditionalswitchedWANmodel,implementedwithtechnologiessuchasX.25,FrameRelay,ATM,andSwitchedMultimegabitDataService(SMDS).TheserviceproviderisresponsiblefortransportofLayer2framesbetweencustomersites,andthecustomerisresponsibleforallhigherlayers.•WiththesuccessofIPandassociatedtechnologies,someserviceprovidersstartedtoimplementpureIPbackbonestoofferVPNservicesbasedonIP.Inothercases,customerswantedtotakeadvantageofthelowcostanduniversalavailabilityoftheInternettobuildlowcostprivatenetworksoverit.Q.WhatAretheImplementationTechniquesforPeer-to-PeerVPNs?theserviceprovideractivelyparticipatesincustomerrouting,acceptingcustomerroutes,transportingthosecustomerroutesacrosstheserviceproviderbackbone,andfinallypropagatingthemtoothercustomersites.Themorecommonpeer-to-peerVPNimplementationallowedaPEroutertobesharedbetweentwoormorecustomers.PacketfilterswereusedonthesharedPErouterstoisolatethecustomers.Inthisimplementation,itwascommonfortheserviceprovidertoallocateaportionofitsaddressspacetoeachcustomerandmanagethepacketfiltersonthePErouterstoensurefullreachabilitybetweensitesofasinglecustomerandisolationbetweenseparatecustomers.Q.WhatAretheBenefitsofVPNImplementations?overlayVPNshavethefollowingadvantages:ŸOverlayVPNsarewell-knownandeasytoimplementfrombothcustomerandserviceproviderperspectives.ŸTheserviceproviderdoesnotparticipateincustomerrouting,makingthedemarcationpointbetweenserviceproviderandcustomereasiertomanage.Ontheotherhand,peer-to-peerVPNsprovidethefollowing:ŸOptimumroutingbetweencustomersiteswithoutanyspecialdesignorconfigurationeffortŸEasyprovisioningofadditionalVPNsorcustomersites,becausetheserviceproviderprovisionsonlyindividualsites,notthelinksbetweenindividualcustomersitesQ.WhatAretheDrawbacksofVPNImplementations?ØOverlayVPNshavethefollowingdisadvantages:ŸOverlayVPNsrequireafullmeshofvirtualcircuitsbetweencustomersitestoprovideoptimumintersiterouting.ŸAllvirtualcircuitsbetweencustomersiteshavetobeprovisionedmanually,andthebandwidthmustbeprovisionedonasite-to-sitebasis(whichisnotalwayseasytoachieve).ŸTheIP-basedoverlayVPNimplementations(withIPSecorGRE)incurhighencapsulationoverhead—rangingfrom20bytes(B)to80Bpertransporteddatagram.ØThemajordrawbacksofpeer-to-peerVPNsarisefromserviceproviderinvolvementincustomerrouting,suchasthefollowing:ŸTheserviceproviderbecomesresponsibleforcorrectcustomerroutingandforfastconvergenceoftheC-networkfollowingalinkfailure.ŸTheserviceproviderPEroutershavetocarryallcustomerroutesthatwerehiddenfromtheserviceproviderintheoverlayVPNmodel.ŸTheserviceproviderneedsdetailedIProutingknowledge,whichisnotreadilyavailableintraditionalserviceproviderteams.Q.WhatAretheDrawbacksofTraditionalPeer-to-PeerVPNs?•SharedPErouter:–Allcustomerssharethesame(provider-assignedorpublic)addressspace.–Highmaintenancecostsareassociatedwithpacketfilters.–Performanceislower—eachpackethastopassapacketfilter.•DedicatedPErouter:–Allcustomerssharethesameaddressspace.–EachcustomerrequiresadedicatedrouterateachPOP.Q.OverlayVPNsarecategorizedbasedonthetopologyofthevirtualcircuits:•(Redundant)hub-and-spoke•Partialmesh•Fullmesh•Multilevel—combinesseverallevelsofoverlayVPNtopologiesQ.WhatAretheVPNBusinessCategories?•IntranetVPNconnectssiteswithinanorganization.•ExtranetVPNconnectsdifferentorganizationsinasecureway.•AccessVPN(VPDN)providesdialupaccessintoacustomernetwork.Q.WhatIstheVPNConnectivityCategory?•SimpleVPN:Everysitecancommunicatewitheveryothersite.•OverlappingVPNs:SomesitesparticipateinmorethanonesimpleVPN.•CentralservicesVPN:Allsitescancommunicatewithcentralserversbutnotwitheachother.•Managednetwork:AdedicatedVPNisestablishedtomanageCErouters.MPLSVPNArchitectureQ.WhatIstheMPLSVPNArchitecture?AnMPLSVPNcombinesthebestfeaturesofanoverlayVPNandapeer-to-peerVPN:ŸPEroutersparticipateincustomerrouting,guaranteeingoptimumroutingbetweencustomersites.ŸPErouterscarryaseparatesetofroutesforeachcustomer,resultinginperfectisolationbetweencustomers.ŸCustomerscanuseoverlappingaddresses.Q.WhatIstheArchitectureofaPERouterinanMPLSVPN?ThearchitectureofaPErouterinanMPLSVPNisverysimilartothearchitectureofaPOPinthededicatedPErouterpeer-to