VPN Deployment Types
VPNs can be categorized by several criteria, such as the underlying technology, the OSI layer at which they operate, and the deployment mode. By technology, there are IPsec, SSL, and MPLS VPNs. By OSI layer, there are Layer 2 and Layer 3 MPLS VPNs. By deployment mode, the most common categorization, there are site-to-site and remote access VPNs.
As the image above shows, site-to-site VPNs rely on IPsec for security, while remote access VPNs can use either IPsec or TLS (still commonly referred to as SSL); which of the two is used depends on the type of remote access VPN.
Site-to-Site VPNs
A site-to-site VPN extends a traditional WAN by linking entire networks together, for example connecting branch offices to the company headquarters. In the past this was done with leased lines or Frame Relay, which are now considered slow and outdated; today, high-speed Internet connections are used for site-to-site VPNs.
These VPNs rely on the IPsec framework for data security and require no client software on the end hosts. The tunnel is established between two devices, often Cisco routers or firewalls such as the Cisco ASA or Cisco Firepower NGFW. These devices act as VPN gateways: the sending gateway encrypts and encapsulates outgoing data and forwards it through the VPN tunnel to the remote site's gateway, which decrypts and decapsulates it and forwards it to the destination host. The result is a secure, always-on connection between sites.
Three common deployment options for site-to-site VPNs are:
- IPsec tunnel: IPsec tunnel is a traditional approach where IP packets are encapsulated within encrypted IP packets, securing data transmission. However, it can be complex to configure, especially in scenarios with multiple endpoints. It is commonly used for securely connecting branch offices over the Internet.
- Generic Routing Encapsulation (GRE) over IPsec: GRE over IPsec combines GRE tunneling with IPsec. A GRE tunnel by itself does not encrypt traffic; it simplifies routing between networks, but IPsec must still be configured on top of it for security, which adds complexity. It is a suitable choice when routing between networks is the primary concern and not all traffic requires encryption.
- IPsec virtual tunnel interface (VTI): IPsec VTI provides a streamlined solution by creating a virtual interface for routing and applying IPsec encryption directly to the traffic on this interface. This eliminates additional encapsulation and simplifies configuration and management. IPsec VTI is ideal for scenarios where simplicity and efficiency are paramount, such as securely connecting branch offices or data centers.
The choice among these options depends on network complexity, performance requirements, and scalability needs. While the IPsec tunnel and GRE over IPsec are versatile, IPsec VTI is a modern alternative that simplifies large-scale deployments.
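To make the difference between the first and third option concrete, here is an added Cisco IOS configuration example (constructed for this page, not taken from it or from Cisco documentation) showing the classic crypto-map IPsec tunnel next to an IPsec VTI for the same peer. The addresses are RFC 5737 documentation ranges, the pre-shared key is a placeholder, and the two options are alternatives: apply one of them, not both.

```cisco
! Constructed example, not from the original page. Addresses are RFC 5737
! documentation ranges; the PSK is a placeholder to be replaced.
!
! --- IKEv1/IPsec policy shared by both options ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE_WITH_STRONG_PSK address 203.0.113.2
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! --- Option 1: traditional IPsec tunnel (crypto map) ---
! "Interesting" traffic must be enumerated in an ACL; each additional
! subnet pair or peer means more ACL entries and crypto-map sequences,
! which is the configuration complexity the text refers to.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
crypto map SITE-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES256
 match address VPN-TRAFFIC
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map SITE-MAP
!
! --- Option 3: IPsec VTI ---
! Tunnel0 is an ordinary routable interface: whatever is routed into it
! is encrypted, so no crypto ACL is needed and a dynamic routing protocol
! can run across the tunnel. "tunnel mode ipsec ipv4" puts the inner IP
! packet directly inside ESP, with no extra encapsulation header.
crypto ipsec profile VTI-PROFILE
 set transform-set TS-AES256
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source 198.51.100.1
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
ip route 192.168.2.0 255.255.255.0 Tunnel0
!
! Option 2 (GRE over IPsec) is the same Tunnel0 block with the default
! "tunnel mode gre ip" left in place, so each packet also carries a GRE
! header inside the ESP payload.
```

The remote peer needs the mirror-image configuration (swapped addresses and subnets); `show crypto ipsec sa` on either side shows whether packets are being encapsulated and decapsulated.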
Remote Access VPNs
Remote access VPNs have evolved from dial-up connections, which were once the primary secure communication method. These VPNs cater to the needs of telecommuters and mobile users, offering secure connectivity to the company's main or branch offices anytime and anywhere. Users simply require a high-speed broadband or cellular connection to establish an on-demand remote access VPN for secure data transfer.
In a remote access VPN, each host typically has a VPN client installed, such as the Cisco AnyConnect Secure Mobility Client. Alternatively, users can reach VPN resources through a browser (a clientless remote access VPN), which offers more flexibility but gives only the limited access that policy allows. Full-client remote access VPNs, such as Cisco AnyConnect VPN, can use either IPsec or TLS for data protection, while clientless SSL VPNs rely on TLS.
Dynamic Multipoint VPNs
Cisco's DMVPN technology tackles site-to-site VPN scalability issues while easily enabling network expansion. It supports zero-touch deployment, reducing resource requirements. DMVPN excels in scaling hub-to-spoke and spoke-to-spoke topologies, enhancing communication performance, and reducing latency and jitter while optimizing bandwidth usage.
DMVPN's centralized architecture simplifies implementation and management, enabling branch locations to communicate on-demand without permanent VPN connections. Importantly, these connections don't require central site involvement, streamlining the process. Cisco's DMVPN reduces complexity in hub device configuration, simplifies branch office interactions, and lowers capital and operational costs.
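The following added Cisco IOS example (constructed here; not from the page or from Cisco documentation) shows the mGRE and NHRP configuration behind those properties, for a hub and one spoke. It assumes an IPsec profile named DMVPN-PROFILE has already been defined (ISAKMP policy, authentication and transform set, as for any IPsec VTI); addresses are RFC 5737 documentation ranges.

```cisco
! Constructed example, not from the original page. Assumes the IPsec
! profile DMVPN-PROFILE (ISAKMP policy, PSK or PKI, transform set) is
! already configured. Public addresses are RFC 5737 documentation ranges.
!
! ===== HUB (public address 198.51.100.1 on GigabitEthernet0/0) =====
! No per-spoke lines at all: spokes register with NHRP when they come up,
! which is what makes adding a branch a zero-touch change on the hub.
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp network-id 1
 ip nhrp map multicast dynamic
 ip nhrp redirect
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROFILE
!
! ===== SPOKE (public address 203.0.113.10 on GigabitEthernet0/0) =====
! The spoke only needs to know the hub. "ip nhrp shortcut" together with
! the hub's "ip nhrp redirect" lets the spoke learn another spoke's public
! (NBMA) address on demand and bring up a direct, encrypted spoke-to-spoke
! tunnel; the hub is not in the data path of that conversation.
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1
 ip nhrp map 10.0.0.1 198.51.100.1
 ip nhrp map multicast 198.51.100.1
 ip nhrp shortcut
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROFILE
```

Every additional spoke uses the same spoke block with its own tunnel address; `show dmvpn` on the hub lists registered spokes and, on a spoke, any dynamically built spoke-to-spoke tunnels.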
Flex VPNs
Large organizations often face complex VPN requirements, leading to high costs and operational challenges when deploying various IPsec VPNs. Network engineers must learn and manage different VPN types, as switching or enhancing them can be cumbersome.
Cisco developed FlexVPN as a unified solution to these issues. It streamlines VPN deployment in large enterprises by allowing diverse VPN types, including remote access and site-to-site VPNs, to coexist within a single deployment.
In essence, FlexVPN empowers large organizations to securely interconnect remote users, branch offices, and headquarters while delivering substantial cost savings compared to managing several VPN types concurrently.
Cisco FlexVPN, as a modern VPN solution, offers numerous advantages, including straightforward deployment, compatibility with third-party devices, redundancy support, robust QoS capabilities, and the ability to handle IP multicast traffic, among other benefits. This makes it a versatile and cost-effective choice for large enterprises seeking an efficient VPN solution.
Provider Managed VPNs
Service providers use their network technology to offer VPN services to enterprises. They ensure that customer traffic remains separate while it travels through their shared infrastructure, preventing any mixing of data between customers. With MPLS technology, service providers can establish two types of VPNs: Layer 2 MPLS VPNs and Layer 3 MPLS VPNs.
Layer 2 MPLS VPNs are suitable for customers who manage their own Layer 3 infrastructure but need Layer 2 connectivity from the service provider. Some applications require their nodes to be on the same Layer 2 network, which makes this type advantageous. Examples include Virtual Private LAN Service (VPLS) and Virtual Private Wire Service (VPWS), where the entire service provider network appears as a single virtual switch from the customer's perspective.
On the other hand, Layer 3 MPLS VPNs provide Layer 3 services across the backbone. Each customer site uses a distinct IP subnet, and routing protocols are deployed, involving the service provider in route exchanges. The service provider's core routers facilitate connectivity between provider edge routers, effectively making the service provider the backbone of the customer's network. This option suits customers who prefer to outsource routing to the service provider.