Technical Write-Up
One widely used type of VPN is the Layer 3 VPN. Layer 3 site-to-site VPNs interconnect hosts and
routers at separate customer sites. These customer hosts and routers communicate based on Layer 3
(network layer) addressing, and Provider Edge (PE) devices forward traffic based on the incoming interface
and on the addresses contained in the IP header.
Figure: Layer 3 VPN over the satellite network. Customer devices (VPN unaware) at the Head Office and Branch Offices send VLAN tagged or untagged traffic; the SP-side device (VPN aware: tunnel endpoints) takes the VLAN trunk and carries the VPN traffic in VPN tunnels across the Service Provider Network and the Advantech Satellite Network to the Branch Offices.
A common problem when interconnecting multiple Layer 3 VPNs through a shared network such as a
satellite network is that the address space resources used by these VPNs can overlap. This address
space overlap creates an ambiguity on the routing of VPN traffic through the satellite network.
Advantech Satellite Networks offers a solution that allows multiple Head Offices or departments with
overlapping address spaces to communicate with remote Branch Offices through the satellite network.
This solution uses GRE VPN tunnels to encapsulate the VPN traffic between the Service Provider-side
(SP-side) device and the remote-side devices of the satellite network. The IP addressing of the GRE
tunnels uses a reserved part of the satellite network address space, which allows the VPN traffic to be
routed through the satellite network without any ambiguity.
A common technique used by organizations to separate the broadcast domains and the address spaces
of different groups in their network is to create virtual LANs (VLANs). Using the Advantech solution
presented here, customers wishing to interconnect VLANs at separate customer sites simply group these
VLANs into an 802.1Q VLAN trunk and connect it to the Service Provider-side of the Advantech Gateway
network. Based on the incoming interface, the VLAN ID and the IP destination address, the VPN traffic is
encapsulated into a GRE tunnel and routed to the SIT connected to the customer’s remote site associated
with that VLAN. For VPN traffic generated at the remote sites, the process is similar, except that the SIT
performs the GRE encapsulation and the tunneling router performs the GRE de-encapsulation.
The Advantech Satellite Networks SIT model S4100 has the following functionalities to support Layer 3
VPN / VLAN connectivity:
- GRE encapsulation/de-encapsulation.
- VLAN tagged (trunk) and untagged traffic on the Ethernet port.
- Remote GRE and VLAN configuration by the Network Management System (NMS).
The Layer 3 VPN / VLAN connectivity feature of the SIT S4100 is optional.
The tunneling router functionality located at the SP-side of the Gateway network is offered by a Cisco
2811 Integrated Services Router. This router has the following functionalities to support Layer 3 VPN /
VLAN connectivity:
- GRE encapsulation/de-encapsulation.
- 1 FastEthernet port with VLAN trunking used as the interface to SP-side customer VPNs (with the
option to add a second one).
- 1 FastEthernet port to connect to the Advantech Gateway network.
- Remote GRE and VLAN configuration by the Network Management System (NMS).
- Support for enough simultaneous GRE tunnels to serve a network with up to 200 SITs that are
members of VPNs.
In the case where support for more VPN-member SITs is required, two solutions are possible:
As mentioned previously, the main goal of this architecture is to isolate customer address spaces to
ensure that there are no address collisions in the Advantech satellite network. In a satellite network where
all traffic goes through GRE tunnels, the only IP addresses visible to the transport are the tunnel source
and destination addresses. The tunnel source addresses are configured in the Cisco router and taken from
a reserved subnet. The tunnel destination addresses are the tunnel endpoint IP addresses of the SIT
population. These SIT tunnel endpoint IP addresses can be grouped in one or many subnets depending
on the network topology. Therefore, traffic not belonging to a VPN can be transported as usual through
the satellite network as long as there is no conflict between the IP addresses used by that non-VPN
traffic and the tunnel source and destination IP addresses.
The following figure gives an example of how these two types of traffic can coexist.
All these IP addresses are reserved for the VPN traffic (GRE encapsulated). In order to avoid IP
address conflicts, the administrator of the satellite network must ensure that the IP addresses used by
hosts that are not members of a VPN do not overlap with the addresses used by the VPN traffic (as is
the case for the customer C sites in the example above).
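The forwarding decision described above (incoming interface, VLAN ID and inner IP destination selecting a GRE tunnel, with the reverse tunnel identifying the VLAN) and the administrator's check that non-VPN hosts stay out of the reserved tunnel address space, modelled as an added example. This is illustrative code, not Advantech or Cisco software; the interface name, VLAN IDs, 172.16.0.0/24 and 172.16.1.0/24 tunnel subnets and the two customers sharing 10.0.0.0/24 are constructed values.

```python
import ipaddress
from dataclasses import dataclass

# Address space reserved in the satellite network for GRE tunnel endpoints (constructed values).
TUNNEL_SRC_SUBNET = ipaddress.ip_network("172.16.0.0/24")   # tunnel sources on the SP-side router
SIT_ENDPOINT_SUBNET = ipaddress.ip_network("172.16.1.0/24")  # SIT tunnel endpoints

# Per-VLAN forwarding tables on the SP-side tunneling router. Customers A (VLAN 100) and
# B (VLAN 200) both use 10.0.0.0/24 at their branches; the VLAN ID keeps them apart.
VPN_TABLES = {
    ("Fa0/0", 100): {"tunnel_src": "172.16.0.1",
                     "routes": {"10.0.0.0/24": "172.16.1.10", "10.0.1.0/24": "172.16.1.11"}},
    ("Fa0/0", 200): {"tunnel_src": "172.16.0.2",
                     "routes": {"10.0.0.0/24": "172.16.1.20"}},
}

@dataclass(frozen=True)
class GrePacket:
    outer_src: str   # GRE outer source (router tunnel source or SIT endpoint)
    outer_dst: str   # GRE outer destination (SIT endpoint or router tunnel source)
    inner_dst: str   # customer address, carried unchanged inside the tunnel

def encapsulate(ingress, vlan, inner_dst):
    """Select the GRE tunnel from (ingress interface, VLAN ID, inner IP destination).
    Returns None for traffic that is not part of any VPN (forwarded as usual)."""
    table = VPN_TABLES.get((ingress, vlan))
    if table is None:
        return None
    dst = ipaddress.ip_address(inner_dst)
    # longest-prefix match inside this VLAN's own routing table only
    best = max((ipaddress.ip_network(p) for p in table["routes"] if dst in ipaddress.ip_network(p)),
               key=lambda n: n.prefixlen, default=None)
    if best is None:
        return None
    return GrePacket(table["tunnel_src"], table["routes"][str(best)], inner_dst)

def decapsulate(pkt):
    """Reverse direction: the tunnel a packet arrives on identifies the VLAN to deliver it to."""
    for (ingress, vlan), table in VPN_TABLES.items():
        if pkt.outer_dst == table["tunnel_src"] and pkt.outer_src in table["routes"].values():
            return ingress, vlan, pkt.inner_dst
    return None

def conflicting_hosts(non_vpn_hosts):
    """Non-VPN host addresses that fall into the reserved tunnel space (the list must be empty)."""
    return [h for h in non_vpn_hosts
            if any(ipaddress.ip_address(h) in n for n in (TUNNEL_SRC_SUBNET, SIT_ENDPOINT_SUBNET))]
```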