
UNIVERSITI KUALA LUMPUR

MALAYSIAN INSTITUTE OF INFORMATION TECHNOLOGY

INB 35605
ADVANCED ROUTING
GROUP LO1

(JANUARY 2019)

GROUP ASSIGNMENT

NAME STUDENT ID
NURUL LYANA BINTI MOHAMED SAZALI 52211116082
AINUL SYAHIRA BINTI MD NOOR 52211116077

PREPARED FOR:
MADAM SHAHIDATUL ARFAH BINTI BAHARUDIN
MPLS-BASED VPN

Multiprotocol label switching (MPLS) is used to create a virtual private network. It is a
switching technique in which packets are forwarded from source to destination using labels
rather than hop-by-hop IP-based forwarding, and it is a flexible method for transporting and
routing several types of network traffic over an MPLS backbone.

FIGURE 1: MPLS network diagram
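The label forwarding described above, as an added example that is not part of the assignment: a small model of an ingress PE pushing a label, a core router swapping it, and the egress PE popping it. The shim header layout is the real one (RFC 3032), but the router names, labels and prefix are constructed for illustration.

```python
# Added example (not from the assignment): minimal model of MPLS label switching.
# Shim header (RFC 3032): 20-bit label, 3-bit TC, 1-bit bottom-of-stack, 8-bit TTL.
# Router names, labels and the prefix below are constructed for illustration.
import struct
import ipaddress

def encode_shim(label: int, tc: int = 0, s: int = 1, ttl: int = 64) -> bytes:
    """Pack one 32-bit MPLS label stack entry."""
    assert 0 <= label < (1 << 20)
    return struct.pack("!I", (label << 12) | (tc << 9) | (s << 8) | ttl)

def decode_shim(entry: bytes) -> dict:
    """Unpack one 32-bit MPLS label stack entry."""
    word, = struct.unpack("!I", entry[:4])
    return {"label": word >> 12, "tc": (word >> 9) & 0x7,
            "s": (word >> 8) & 0x1, "ttl": word & 0xFF}

# Constructed label-switched path PE1 -> P1 -> PE2 for the prefix 10.2.0.0/16.
# The ingress PE chooses a label per FEC (destination prefix); core routers
# swap labels without consulting the IP header; the egress PE pops the label.
INGRESS_FEC = {ipaddress.ip_network("10.2.0.0/16"): 100}   # PE1: push 100
LFIB = {
    "P1":  {100: ("swap", 200, "PE2")},   # P1: swap 100 -> 200, next hop PE2
    "PE2": {200: ("pop", None, "CE2")},   # PE2: pop, hand inner packet to CE2
}

def forward(dst_ip: str, payload: bytes) -> list:
    """Return the per-hop trace of label operations along the LSP."""
    trace = []
    dst = ipaddress.ip_address(dst_ip)
    # Only the ingress PE performs an IP lookup (longest prefix match).
    fec = max((n for n in INGRESS_FEC if dst in n), key=lambda n: n.prefixlen)
    packet = encode_shim(INGRESS_FEC[fec]) + payload
    trace.append(("PE1", "push", INGRESS_FEC[fec]))
    node = "P1"
    while True:
        hdr = decode_shim(packet)
        action, out_label, next_hop = LFIB[node][hdr["label"]]
        if action == "swap":
            packet = encode_shim(out_label, hdr["tc"], hdr["s"], hdr["ttl"] - 1) + packet[4:]
            trace.append((node, "swap", out_label))
            node = next_hop
        else:  # pop at the egress PE
            packet = packet[4:]
            trace.append((node, "pop", None))
            # The payload leaves the backbone exactly as it entered: MPLS
            # itself adds no confidentiality or integrity protection.
            assert packet == payload
            return trace
```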

MPLS VPN allows for the creation of virtual private networks using MPLS. There are
three types of MPLS VPN in use:
1. Point-to-Point (Pseudowire):
- Encapsulates TDM T1 circuits attached to Remote Terminal Units.
- Forwards non-routed DNP3 traffic across the backbone network to the SCADA master
controller.

FIGURE 2: Point-to-Point network diagram


2. Layer 2 MPLS VPN or VPLS:
- Offers a "switch in the cloud" style of service and provides the ability to span
VLANs between sites.
- Typically used to route voice, video and AMI traffic between substation and
data centre locations.

FIGURE 3: Point-to-Point vs Layer 2 MPLS network diagram

3. Layer 3 MPLS VPN:
- The most widely used service leveraged on MPLS.
- Works on the concept of label switching.

FIGURE 4: Layer 3 MPLS network diagram


ADVANTAGES
The benefits of an MPLS network are not restricted to the scalability of the network. It
also provides:
1. Improved up-time:
- By providing an alternative network.
2. Improved bandwidth utilization:
- By allowing multiple traffic types to traverse the network.
3. Reduced network congestion:
- By utilizing optional paths for traffic to avoid congestion.
4. Improved end-user experience:
- By allowing multiple Classes of Service for different types of traffic, such as
VoIP.

DISADVANTAGES
The drawbacks of using an MPLS network:
1. The carrier has to play a role in the configuration of the overall network:
- If static routing is used on the network, the provider will be responsible for the
routing of data within their MPLS cloud.
- While dynamic routing will work in most cases, the user and the provider will have
to work together in routing MPLS traffic.
2. Security:
- MPLS does not offer any inherent data protection, and improper implementation can
open up the network to vulnerabilities.
- The user should work with the provider to ensure that all devices and interfaces are
sufficiently hardened, so that the network is secured and vulnerabilities are
minimized.
Tunneling VPNs

GRE
- A tunneling protocol developed by Cisco that enables encapsulation of arbitrary Layer
3 protocols inside a point-to-point tunnel over an IP network.
- Traffic that is transported over a GRE tunnel is not encrypted.
- GRE traffic is usually encapsulated within IPsec.

The benefits of a GRE tunnel are as follows:

- A GRE tunnel is similar to an IPsec tunnel in that the original packet is wrapped
inside an outer shell.
- GRE is stateless and offers no flow control mechanisms.
- GRE adds at least 24 bytes of overhead, including the new 20-byte IP header.
- GRE is multiprotocol and can tunnel any OSI Layer 3 protocol.
- GRE permits routing protocols to travel through the tunnel.
- GRE was needed to carry IP multicast traffic until Cisco IOS Software Release
12.4(4)T.
- GRE has relatively weak security features.

Multipoint GRE

The main characteristics of the mGRE configuration are as follows:

- Only one tunnel interface needs to be configured on a router to support multiple remote
GRE peers.
- To learn the IP addresses of the other peers, devices using mGRE require NHRP to build
dynamic GRE tunnels.
- mGRE interfaces also support unicast, multicast and broadcast traffic.

GRE Tunnel diagram

A GRE tunnel involves three protocols:
- A passenger protocol, or encapsulated protocol, such as IPv4 or IPv6, that is being
encapsulated.
- A carrier protocol, GRE in this example, that is defined by Cisco as a multiprotocol
carrier protocol.
- A transport protocol, such as IP, that carries the encapsulated protocol.
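The passenger/carrier/transport layering and the 24-byte overhead figure from the GRE list above, as an added example that is not part of the assignment: the code builds a GRE-over-IPv4 packet, decapsulates it again, and lets you confirm that the passenger payload travels in the clear. The inner packet and the endpoint addresses are constructed for illustration.

```python
# Added example (not from the assignment): GRE-over-IPv4 encapsulation showing
# passenger (inner IPv4), carrier (GRE) and transport (outer IPv4) headers.
# Addresses and the inner payload are constructed for illustration.
import struct
import socket

GRE_PROTO = 47           # IP protocol number for GRE (transport header)
ETHERTYPE_IPV4 = 0x0800  # GRE protocol type for an IPv4 passenger

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (header checksum left zero for brevity)."""
    total = 20 + payload_len
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def gre_encapsulate(inner: bytes, outer_src: str, outer_dst: str) -> bytes:
    """Carrier: 4-byte GRE header (no C/K/S options) + passenger packet.
    Transport: a new outer IPv4 header addressed to the tunnel endpoints."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # flags/version = 0, protocol type
    outer = ipv4_header(outer_src, outer_dst, GRE_PROTO, len(gre) + len(inner))
    return outer + gre + inner

def gre_decapsulate(packet: bytes) -> tuple:
    """Strip transport and carrier headers; return (protocol_type, passenger)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_PROTO:
        raise ValueError("not a GRE packet")
    flags, proto_type = struct.unpack("!HH", packet[ihl:ihl + 4])
    gre_len = 4
    if flags & 0x8000: gre_len += 4  # C bit: checksum + reserved field present
    if flags & 0x2000: gre_len += 4  # K bit: key present
    if flags & 0x1000: gre_len += 4  # S bit: sequence number present
    return proto_type, packet[ihl + gre_len:]

def overhead(inner: bytes, outer_src: str = "203.0.113.1",
             outer_dst: str = "203.0.113.2") -> int:
    """Bytes added by GRE: 20-byte outer IP header + 4-byte GRE header = 24."""
    return len(gre_encapsulate(inner, outer_src, outer_dst)) - len(inner)

# Constructed passenger packet: an IPv4 datagram between two private sites with
# a plaintext application payload. Nothing in GRE hides "hello" from anyone
# who can observe the transport network, which is why GRE is paired with IPsec.
INNER = ipv4_header("10.1.0.5", "10.2.0.9", 17, 5) + b"hello"
```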

IPsec
Features
- IPsec, also known as Internet Protocol Security, defines the architecture for
security services for IP network traffic.
- Also included in IPsec are protocols that define the cryptographic algorithms used to
encrypt, decrypt and authenticate packets, as well as the protocols needed for secure
key exchange and key management.
- It also defines two mechanisms for imposing security on IP packets: the Encapsulating
Security Payload (ESP) protocol, which defines a method for encrypting data in IP
packets, and the Authentication Header (AH) protocol, which defines a method for
digitally signing IP packets. The Internet Key Exchange (IKE) protocol is used to
manage the cryptographic keys used by hosts for IPsec.

Advantages
- IPsec can be used to protect network data, for example by setting up circuits using
IPsec tunneling, in which all data being sent between two endpoints is encrypted, as
with a Virtual Private Network (VPN) connection.
- It is also used for encrypting application-layer data and for providing security for
routers sending routing data across the public internet.
- IPsec can also be used to provide authentication without encryption, for example to
authenticate that data originates from a known sender.
- It can be applied in networks of all sizes, from LANs to global networks.

Disadvantages
- When transmitting small packets, the encryption process of IPsec generates a large
overhead. This diminishes the performance of the network.
- Because IPsec has a great number of features and options, it is very complex.
Complexity increases the probability of the presence of a weakness or hole. For
example, IPsec is weak against replay attacks.
- The implementation of IPsec defeats the purpose of a firewall. This is because firewalls
are based on preconfigured rules that inspect traffic which IPsec encrypts.

DMVPN
Features
- DMVPN (Dynamic Multipoint VPN) is a secure network that exchanges data between sites
without needing to pass traffic through an organization's headquarters VPN server or
router.
- Traditionally each remote site connects to the headquarters; DMVPN essentially creates
a mesh VPN topology, which means that each site, no matter where it is located.

Direct spoke-to-spoke deployments provide a number of advantages when compared to
traditional VPN deployments:
- Traffic between remote sites does not need to traverse the hub (headquarters VPN
router).
- A DMVPN deployment eliminates additional bandwidth requirements at the hub.
- DMVPNs eliminate additional network delays.
- DMVPNs conserve WAN bandwidth.
- They lower costs for VPN circuits.
- They increase resiliency and redundancy.

Advantages
- DMVPN supports star, full mesh or partial mesh topologies.
- It can distribute multicast traffic by taking advantage of protocols such as PIM, IGMP
and MSDP.
- It allows monitoring and logging: all topology changes, connections and disconnections
are logged and can be monitored.
- All primary and secondary/backup DMVPN tunnels are pre-established, so that a
new tunnel does not have to be established in the event of a failure.

Disadvantages
- No support for non-IP protocols.
- IGP routing peers tend to limit the design scalability.
- No interoperability with non-Cisco IOS routers.
- Not possible to implement a QoS service policy per VPN tunnel.
