DOCSLIB.ORG

Implementing SES Network Duplication a Best Practices Guide

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Implementing SES Network Duplication A Best Practices Guide. SIP Enablement Services 5.1 Avaya ABSTRACT This application note is a tutorial on Avaya SIP Enablement Services Network Duplication from a implementation focus. SES Network Duplication basics, protocol examples and rationale are discussed as a Best Practice. The customer is always free to implement SES Network Duplication in any other method they choose for any reasons. The intent of this document is to provide guidelines on implementing Avaya’s SES Network Duplication from a best practices data network view. External posting: www.avaya.com. Application Note June 2008 COMPAS ID 136114 All information in this document is subject to change without notice. Although the information is believed to be accurate, it is provided without guarantee of complete accuracy and without warranty of any kind. It is the user’s responsibility to verify and test all information in this document. Avaya shall not be liable for any adverse outcomes resulting from the application of this document; the user accepts full responsibility. © 2008 Avaya Inc. All Rights Reserved. Avaya and the Avaya Logo are trademarks of Avaya Inc. or Avaya ECS Ltd., a wholly owned subsidiary of Avaya Inc. and may be registered in the US and other jurisdictions. All trademarks identified by ® and ™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other registered trademarks or trademarks are property of their respective owners. Table of Contents 1) Introduction-------------------------------------------------------------------------------------------------------------------------------3 2) SES Network Duplication Basics----------------------------------------------------------------------------------------------------3 3) L2TPv3 Protocol Rationale -----------------------------------------------------------------------------------------------------------3 4) Physical vs. Logical WAN Views----------------------------------------------------------------------------------------------------4 5) L2TPv3 Header--------------------------------------------------------------------------------------------------------------------------5 6) Traffic Pattern Considerations -------------------------------------------------------------------------------------------------------6 7) Configuration and Verification -------------------------------------------------------------------------------------------------------7 8) Best Practice Checklist -------------------------------------------------------------------------------------------------------------- 10 9) Related Documents ------------------------------------------------------------------------------------------------------------------ 10 1) Introduction This application note is a tutorial covering the Avaya SIP Enablement Services (SES) Network Duplication from a network implementation focus. SES Network Duplication basics, protocol rationale, configuration and verification are discussed and summarized as a Best Practice checklist. Customer’s may implement SES Network Duplication using other methods but these notes only document the method we believe is a best practice. However, Avaya will diagnose and fix any customer’s network for a fee through Avaya’s Global Services. The intent of this document is to provide guidelines on implementing Avaya’s SES Network Duplication from a best practices data network view. Bandwidth requirements may be included in this document at a later time. Network Duplex configuration (Geo-Redundancy) provides mission critical duplication similar to the cabled duplex configuration. With SES Network Duplication, whether edge, home or home/edge combo, the two SES servers can be physically separated via WAN routing. This allows the SES servers to be placed anywhere in the world. 2) SES Network Duplication Basics When using SES Network Duplication mode, the two SES servers must be on the same LAN network or subnet. SES Network Duplication is an OSI model layer-2 solution. SES Network Duplication servers, whether edge, home or edge/home combo, share a virtual IP address. L2TPv3 is used to connect the two SES servers over a WAN and is essentially a “pseudo-wire” across that WAN. L2TPv3 was intended to bridge a WAN to connect two halves of the same network or subnet. Redundancy options include: • Redundant edges with single home • Redundant homes with single edge • Redundant homes and redundant edges (whether combo and separate servers) 3) L2TPv3 Protocol Rationale There are several choices when selecting a bridging protocol to tunnel layer-2 traffic across a WAN. L2TPv3 was selected as a best practice because: • It is easy to configure • Point-to-Point only connectivity is needed • It supports modern L2 WAN protocols including: o Ethernet o Frame Relay o ATM o MPLS o PPP • Current vendor support (Cisco and others) • RFCs are available – L2TPv3 is not a proprietary protocol • Tunnel endpoints do not have to be on the WAN edge routers • Provides security – guarantees against spoofing 4) Physical vs. Logical WAN Views Effectively, the WAN transport and perhaps some LAN network devices become transparent from a logical view as shown by the two diagrams below. 5) L2TPv3 Header The L2TPv3 header is a “shim” consisting of two parts and is 8 to 16 bytes depending on automatic or manual implementation modes. Below is a view of automatic L2TPv3 frames as shown by Wireshark – a freeware protocol analyzer. This means anyone can easily identify and troubleshoot L2TPv3. As you can see, between the IP and Application layer resides the L2TP and the Default sub-layers. This capture was taken from an Ethernet segment, but a WAN capture would look the same except for the layer-2 protocol. An expanded view (below) shows the details of the L2TPv3 and Sub-layer contents. Each L2TPv3 frame has a session ID and a magic cookie. The sub-layer contains the “s” bit and a sequence number. The session ID will remain the same during the life of the session. The sequence number will remain the same during the session unless there is a server interchange. Details about L2TPv3 can be found in many places on the Internet. Two good sites are: RFC-3931 http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s23/l2tpv3.htm 6) Traffic Pattern Considerations Most implementations will have phones located at both the Primary (active) and Stand-by SES servers. If the number of phones is relatively balanced at both locations, the bandwidth needed before and after an SES server interchange will remain about the same. This is important for sizing the WAN bandwidth needs with the Service Provider. Conversely, placing most or all of the phones at one site will have a dramatic effect on WAN bandwidth. Consider the diagram below: 7) Configuration and Verification Configuration Steps Enable IP CEF Step #1: Each router needs to have IP CEF enabled. This is a layer 3 switching technique that speeds processing of packets from the ingress to egress interfaces. Interface Loopback 0 Step #2: The Loopback interface is the terminating point for the L2TP traffic. Each router Loopback must be reachable from the other router. This can be accomplished with static routes or routing protocols. Configure L2TP Control Channel Step #3: This creates the L2TP Class which is a template that is inherited by the different pseudowire classes. The class includes parameters such as authentication, keepalive timers, and retransmission timeouts. In this example, only authentication is configured, the other parameter default values are acceptable. Configure L2TP Pseudowire Step #4: The pseudowire is a template that defines the data encapsulation type, control protocol, signaling, and sequencing. My example configures the encapsulation type as L2TPv3, and assigns interface loopback 0 as the source IP address for tunneled packets. Authentication is configured by assigning the geo-class Control Channel template. IP ToS Reflect assigns the inner IP packet ToS setting to the tunneled packet. Configure Xconnect Circuit Step #5: This binds the interface G0/1.16 (VLAN 16) to the L2TPv# pseudowire. The command is broken down and explained: xconnect – keyword to assign binding 192.168.3.1 – remote end loopback IP 10 – virtual circuit ID used between the near end and far end routers. The value must match on each router. pw-class geo-pseudowire – template used to assign pseudowire template. Verification Steps Displays detailed information about all current L2TP sessions configured on the router. Displays information about all current L2TPv3 sessions, including peer router IP address, and circuit status. Displays information about all current L2TPv3 sessions and their protocol state, including remote virtual circuit identifiers. *Note: Circuit ID must match on the near and far end router. 8) Best Practice Checklist • Place SES servers on their own network (subnet) to avoid transporting needless broadcast traffic across the WAN. • Use L2TPv3 as the preferred bridging protocol. See section 3 for the rationale list. • Distribute the number of phones registered to SES between SES locations to balance the WAN traffic regardless of which server • Provide routing at both SES locations to provide normal operations during WAN outages. • If Cisco equipment is used, IOS 12.2(x) or higher is desirable. Cisco L2TP support began in IOS 12.0(23) T, but the goal is use an IOS level that supports the features of the standard defined in RFC-3931. Therefore, IOS 12.2(x) or higher is desirable as a best practice. • Router redundancy such as VRRP, HSRP or other is desirable but optional. The goal is to provide routing off the SES subnet during a WAN failure. See diagram on section 7. This is optional. • Trunks between the L2 switch and the un-numbered router interface may be desirable to pass non-SES data through the Pseudowire. Broadcasts from these non-SES VLANs will be filtered allowing only unicast data to flow. See diagram on section 7. This is optional. 9) Related Documents Installing, Administering, Maintaining, and Troubleshooting SIP Enablement Services, Doc ID: 03_600768 .
Recommended publications
  • Mist Teleworker ME

    Mist Teleworker ME

    MIST TELEWORKER GUIDE ​ ​ ​ ​ ​ Experience the corporate network @ home DOCUMENT OWNERS: ​ ​ ​ ​ Robert Young – [email protected] ​ Slava Dementyev – [email protected] ​ Jan Van de Laer – [email protected] ​ 1 Table of Contents Solution Overview 3 How it works 5 Configuration Steps 6 Setup Mist Edge 6 Configure and prepare the SSID 15 Enable Wired client connection via ETH1 / Module port of the AP 16 Enable Split Tunneling for the Corp SSID 17 Create a Site for Remote Office Workers 18 Claim an AP and ship it to Employee’s location 18 Troubleshooting 20 Packet Captures on the Mist Edge 23 2 Solution Overview Mist Teleworker solution leverages Mist Edge for extending a corporate network to remote office workers using an IPSEC secured L2TPv3 tunnel from a remote Mist AP. In addition, MistEdge provides an additional RadSec service to securely proxy authentication requests from remote APs to provide the same user experience as inside the office. WIth Mist Teleworker solution customers can extend their corporate WLAN to employee homes whenever they need to work remotely, providing the same level of security and access to corporate resources, while extending visibility into user network experience and streamlining IT operations even when employees are not in the office. What are the benefits of the Mist Teleworker solution with Mist Edge compared to all the other alternatives? Agility: ● Zero Touch Provisioning - no AP pre-staging required, support for flexible all home coverage with secure Mesh ● Exceptional support with minimal support - leverage Mist SLEs and Marvis Actions Security: ● Traffic Isolation - same level of traffic control as in the office.
  • Spirent Testcenter™

    Spirent Testcenter™

    DATASHEET Spirent TestCenter™ L2TPv2 / L2TPv3 Base Packages Convergence is creating a new generation of integrated network Layer 2 Tunneling Protocol (L2TP) is used to support Virtual Private Networks (VPNs) devices and services that are or as part of the delivery of services by ISPs. Spirent TestCenter L2TP Base Package much more complex than ever enables Service Providers and network equipment manufacturers to quickly validate before. Service Providers need subscriber scalability. While L2TPv2 is all about PPPoE subscriber sessions being the ability to deploy networks tunneled to domains, L2TPv3 is more about multi-protocol tunneling. L2TPv3 Base quickly that get Quality of Package provides additional security features, improved encapsulation, and the Experience (QoE) right the first ability to carry data links other than simply Point-to-Point Protocol (PPP) over an time. IP network. L2TPv3 is emerging as a core tunneling and VPN technology for next- generation networks. L2TPv3 provides the flexibility and scalability of IP with the Benefits privacy of Frame Relay and ATM. L2TPv3 will allow network services to be delivered over routed IP networks. Stability and performance of L2TP is critical to many Service • L2TP Tunnel capacity testing Providers and data services. • Session per tunnel testing Spirent can help you address this challenge with Spirent TestCenter with its innovative design. Now you can create and execute more complex test cases in less time with the • Data forwarding across all L2TP same resources—and scale tests higher while debugging problems faster. The results: tunnels lower CAPEX and OPEX, faster time to market, greater market share and higher • L2TP Tunnel stability test profitability, the ability to tunnel thousands of subscribers to thousands of tunnels with authentication and verify data forwarding and receive rates per subscriber.
  • Brocade Vyatta Network OS Data Sheet

    Brocade Vyatta Network OS Data Sheet

    DATA SHEET Brocade Vyatta Network OS HIGHLIGHTS A Network Operating System for the Way Forward • Offers a proven, modern network The Brocade® Vyatta® Network OS lays the foundation for a flexible, easy- operating system that accelerates the adoption of next-generation to-use, and high-performance network services architecture capable of architectures meeting current and future network demands. The operating system was • Creates an open, programmable built from the ground up to deliver robust network functionality that can environment to enhance be deployed virtually or as an appliance, and in concert with solutions differentiation, service quality, and from a large ecosystem of vendors, to address various Software-Defined competitiveness Networking (SDN) and Network Functions Virtualization (NFV) use cases. • Supports a broad ecosystem for With the Brocade Vyatta Network OS, organizations can bridge the gap optimal customization and service between traditional and new architectures, as well as leverage existing monetization investments and maximize operational efficiencies. Moreover, they can • Simplifies and automates network compose and deploy unique, new services that will drive differentiation functions to improve time to service, increase operational efficiency, and and strengthen competitiveness. reduce costs • Delivers breakthrough performance flexibility, performance, and operational and scale to meet the needs of any A Proven, Modern Operating efficiency, helping organizations create deployment System The Brocade Vyatta Network OS new service offerings and value. Since • Provides flexible deployment options separates the control and data planes in 2012, the benefits of this operating to support a wide variety of use cases software to fit seamlessly within modern system have been proven by the Brocade SDN and NFV environments.
  • Brocade Vyatta Network OS LAN Interfaces Configuration Guide, 5.2R1

    Brocade Vyatta Network OS LAN Interfaces Configuration Guide, 5.2R1

    CONFIGURATION GUIDE Brocade Vyatta Network OS LAN Interfaces Configuration Guide, 5.2R1 Supporting Brocade 5600 vRouter, VNF Platform, and Distributed Services Platform 53-1004724-01 24 October 2016 © 2016, Brocade Communications Systems, Inc. All Rights Reserved. Brocade, the B-wing symbol, and MyBrocade are registered trademarks of Brocade Communications Systems, Inc., in the United States and in other countries. Other brands, product names, or service names mentioned of Brocade Communications Systems, Inc. are listed at www.brocade.com/en/legal/ brocade-Legal-intellectual-property/brocade-legal-trademarks.html. Other marks may belong to third parties. Notice: This document is for informational purposes only and does not set forth any warranty, expressed or implied, concerning any equipment, equipment feature, or service offered or to be offered by Brocade. Brocade reserves the right to make changes to this document at any time, without notice, and assumes no responsibility for its use. This informational document describes features that may not be currently available. Contact a Brocade sales office for information on feature and product availability. Export of technical data contained in this document may require an export license from the United States government. The authors and Brocade Communications Systems, Inc. assume no liability or responsibility to any person or entity with respect to the accuracy of this document or any loss, cost, liability, or damages arising from the information contained herein or the computer programs that accompany it. The product described by this document may contain open source software covered by the GNU General Public License or other open source license agreements. To find out which open source software is included in Brocade products, view the licensing terms applicable to the open source software, and obtain a copy of the programming source code, please visit http://www.brocade.com/support/oscd.
  • What Is a Virtual Private Network?

    What Is a Virtual Private Network?

    C H A P T E R 1 What Is a Virtual Private Network? A virtual private network (VPN) allows the provisioning of private network services for an organization or organizations over a public or shared infrastructure such as the Internet or service provider backbone network. The shared service provider backbone network is known as the VPN backbone and is used to transport traffic for multiple VPNs, as well as possibly non-VPN traffic. VPNs provisioned using technologies such as Frame Relay and Asynchronous Transfer Mode (ATM) virtual circuits (VC) have been available for a long time, but over the past few years IP and IP/Multiprotocol Label Switching (MPLS)-based VPNs have become more and more popular. This book focuses on describing the deployment of IP- and IP/MPLS-based VPNs. The large number of terms used to categorize and describe the functionality of VPNs has led to a great deal of confusion about what exactly VPNs are and what they can do. The sections that follow cover VPN devices, protocols, technologies, as well as VPN categories and models. VPN Devices Before describing the various VPN technologies and models, it is useful to first describe the various customer and provider network devices that are relevant to the discussion. Devices in the customer network fall into one of two categories: • Customer (C) devices—C devices are simply devices such as routers and switches located within the customer network. These devices do not have direct connectivity to the service provider network. C devices are not aware of the VPN. • Customer Edge (CE) devices—CE devices, as the name suggests, are located at the edge of the customer network and connect to the provider network (via Provider Edge [PE] devices).
  • Time-Sensitive Networks Over 5G

    Time-Sensitive Networks Over 5G

    Time-sensitive networks over 5G Bachelor’s thesis Häme University of Applied Sciences Information and Communications Technology Spring 2020 Kaarlo Skogberg TIIVISTELMÄ Tieto- ja viestintätekniikka Hämeen Ammattikorkeakoulu Tekijä Kaarlo Skogberg Vuosi 2020 Työn nimi Aikakriittiset verkot 5G:n yli Työn ohjaaja /t Marko Grönfors (HAMK), Toni Huusko, Juhani Kerovuori TIIVISTELMÄ Opinnäytetyön tarkoitus oli tuottaa vertailu reaaliaikaisista kommunikaa- tiokeinoista nosturin ja etäohjausaseman välille 5G-mobiiliverkon yli. Kent- täväyliä tarvitaan nosturin kanssa kommunikointiin, mutta koska nämä ovat pääosin tason 2 protokollia ja eivät reitity luontaisesti 5G-verkossa täytyy kenttäväylän verkkoliikenne tunneloida. Työssä tutkittiin erilaisia Ethernet-pohjaisia kenttäväyliä sekä tunnelointiteknologioita, jotka kyke- nevät tunneloimaan tason 2 verkkoliikennettä. Tason 2 tunnelointi mah- dollistaa suoran kommunikaation kahden paikallisverkon välillä. Kaikkien työssä tutkittujen Ethernet-pohjaisten kenttäväylien sekä tunnelointipro- tokollien täytyi olla sopivia käytettäväksi teollisessa ympäristössä valituilla verkkolaitteistolla. Työtä varten tutkitun tiedon perusteella esitetään, että käytettävä kenttä- väylä sekä tunnelointiprotokolla tulisi valita saatavilla olevan verkkolait- teiston sekä muun infrastruktuurin perusteella. Kenttäväylää valittaessa reaaliaikaiset vaatimukset olivat käyttötarkoitukseen nähden kevyet, joka avaa enemmän vaihtoehtoja kenttäväylää valittaessa. Yrityksessä käyte- tään jo Profinetia, joka soveltuu mainiosti käyttötarkoitukseen.
  • Vyos Documentation Release Current

    Vyos Documentation Release Current

    VyOS Documentation Release current VyOS maintainers and contributors Jun 04, 2019 Contents: 1 Installation 3 1.1 Verify digital signatures.........................................5 2 Command-Line Interface 7 3 Quick Start Guide 9 3.1 Basic QoS................................................ 11 4 Configuration Overview 13 5 Network Interfaces 17 5.1 Interface Addresses........................................... 18 5.2 Dummy Interfaces............................................ 20 5.3 Ethernet Interfaces............................................ 20 5.4 L2TPv3 Interfaces............................................ 21 5.5 PPPoE.................................................. 23 5.6 Wireless Interfaces............................................ 25 5.7 Bridging................................................. 26 5.8 Bonding................................................. 27 5.9 Tunnel Interfaces............................................. 28 5.10 VLAN Sub-Interfaces (802.1Q)..................................... 31 5.11 QinQ................................................... 32 5.12 VXLAN................................................. 33 5.13 WireGuard VPN Interface........................................ 37 6 Routing 41 6.1 Static................................................... 41 6.2 RIP.................................................... 41 6.3 OSPF................................................... 42 6.4 BGP................................................... 43 6.5 ARP................................................... 45 7
  • Preview - Click Here to Buy the Full Publication

    Preview - Click Here to Buy the Full Publication

    This is a preview - click here to buy the full publication IEC TR 62357-200 ® Edition 1.0 2015-07 TECHNICAL REPORT colour inside Power systems management and associated information exchange – Part 200: Guidelines for migration from Internet Protocol version 4 (IPv4) to Internet Protocol version 6 (IPv6) INTERNATIONAL ELECTROTECHNICAL COMMISSION ICS 33.200 ISBN 978-2-8322-2795-4 Warning! Make sure that you obtained this publication from an authorized distributor. ® Registered trademark of the International Electrotechnical Commission This is a preview - click here to buy the full publication – 2 – IEC TR 62357-200:2015 © IEC 2015 CONTENTS FOREWORD ........................................................................................................................... 6 INTRODUCTION ..................................................................................................................... 8 1 Scope .............................................................................................................................. 9 2 Normative references ...................................................................................................... 9 3 Terms, definitions, abbreviated terms, acronyms and conventions ................................. 13 3.1 Terms and definitions ............................................................................................ 13 3.2 Abbreviations ........................................................................................................ 14 3.3 Conventions .........................................................................................................
  • Iproute2 Cheat Sheet by TME520 (TME520) Via Cheatography.Com/20978/Cs/4067

    Iproute2 Cheat Sheet by TME520 (TME520) Via Cheatography.Com/20978/Cs/4067

    iproute2 Cheat Sheet by TME520 (TME520) via cheatography.com/20978/cs/4067/ Address management In this section ${address} value should be a host address in dotted decimal format, and ${mask} can be either a dotted decimal subnet mask or a prefix length. That is, both 192.0.2.10/24 and 192.0.2.10​ /25​ 5.25​ 5.255.0 are equally accepta​ ble. Show all addres‐​ ip address show All "s​ how​ " commands can be used with "-​ 4" or "-​ 6" options to show only IPv4 or ses IPv6 addresses. Show addresses ip address show ${inter​ face name} ip address show eth0 for a single interf‐​ ace Show addresses ip address show up only for running interfa​ ces Show only ip address show [dev ${inter​ face}] permanent statically configured address​ es Show only ip address show [dev ${inter​ face}] dynamic addresses learnt via autocon​ fig​ ur‐​ ation Add an address to ip address add ${addre​ ss}​ /${​ mask} ip address add ip address add 2001:db​ 8:1​ ::/48 dev tun10 an interfa​ ce dev ${inter​ face name} 192.0.2.10/27 dev eth0 You can add as many addresses as you want. The first address will be primary and will be used as source address by default. Add an address ip address add ${addre​ ss}​ /${​ mask} ip address add Interface name with a colon before label is required, with human-r​ ea‐​ dev ${inter​ face name} label ${inte‐​ 192.0.2.1/24 dev eth0 some backwards compati​ bility issue. dable descrip​ tion rface name}:$​ {de​ scr​ ipt​ ion} label eth0:my​ _wa​ n_a​ dd‐​ ress Delete an address ip address delete ${addre​ ss}​ /${​ pre​ fix} ip address delete Interface name argument is required.
  • C1921-3G-V-SEC/K9 Datasheet

    C1921-3G-V-SEC/K9 Datasheet

    C1921-3G-V-SEC/K9 Datasheet Get a Quote Overview The Cisco 1921 builds on the best-in-class. All Cisco 1900 Series Integrated Services Routers offer embedded hardware encryption acceleration, and advanced security services. In addition, the platforms support the industry's widest range of wired and wireless connectivity options such as Serial, T1/E1, xDSL, Gigabit Ethernet, and third-generation (3G) wireless. The Cisco 1921 is architected to meet the application demands of today's branch offices with design flexibility for future applications. PRODUCT DETAILS Device Type Router Enclosure Type Desktop, rack-mountable - modular - 1U Data Link Protocol Ethernet, Fast Ethernet, Gigabit Ethernet Network / Transport IPSec, L2TPv3 Protocol OSPF, IS-IS, BGP, EIGRP, DVMRP, PIM-SM, static IP routing, IGMPv3, GRE, PIM-SSM, static IPv4 routing, static IPv6 Routing Protocol routing, policy-based routing (PBR), MPLS Remote Management SNMP, RMON Protocol Compliant Standards IEEE 802.1Q, IEEE 802.3ah, IEEE 802.1ah, IEEE 802.1ag Power AC 120/230 V ( 50/60 Hz ) Dimensions (WxDxH) 34.3 cm x 29.2 cm x 4.4 cm Weight 5.4 kg Manufacturer 1 year warranty Warranty Get more information Do you have any question about the C1921-3G-V-SEC-K9? Contact us now via Live Chat or [email protected]. Specification General Device Type: Router Service Provider: Verizon Wireless Enclosure Type: Desktop, rack-mountable, modular, 1U Connectivity Wired Technology: Data Link Ethernet, Fast Ethernet, Gigabit Ethernet Protocol: Network / Transport IPSec, L2TPv3 Protocol: OSPF,
  • Packetix VPN ?????

    Packetix VPN ?????

    ??????? ?? Web ????? PacketiX VPN 4.0 ????????????????????? PacketiX VPN ????? ?????????? VPN ?????? • 4,096 ????? ?????????? HUB ? • 4,096 ? ????????????? VPN • ??? 2 (Ethernet ????) • ??? 3 (IP ??????) ?????????? VPN • ??? 2 (Ethernet ????) • ??? 3 (IP ??????) ???????? • VoIP / QoS ???? • ?????????????????? ?? HUB ????????????????? • ????: 10,000 • ????: 10,000 • ??????????: 32,768 • MAC ???????????: 65,536 • IP ???????????: 65,536 • ???????: 128 SecureNAT ?? • ?? NAT ??: ?? HUB ????? 4,096 NAT ???? • ??????? NAT • ??????? NAT • ?? DHCP ?????? ????(HA)???????? • ???????????: 64 • ????????? • ?????????????????????????? • ??????????????????????????????? HUB ????? • ???????????????????? ???????? • ????????: RADIUS ?? / NT ???? ?? / Active Directory • ????????????????????????????? • ?? HUB ??????????? • ?????????????????????? • ????????????????????????????????? • DoS ??(SYN Flood ??)????????? ???? • Windows ? GUI ?? VPN ??????????? • CUI ??????????????????(vpncmd) • syslog ????????? • VPN ??????????????? PacketiX VPN Server????????VPN?????? • SoftEther VPN ????? (Ethernet over HTTPS) • OpenVPN (L3 ???? L2 ???) • L2TP/IPsec • MS-SSTP (Microsoft Secure Socket Tunneling Protocol) • L2TPv3/IPsec • EtherIP/IPsec PacketiX VPN ???????? • ???????????: ?????? • VPN ??????????(??): SSL (Secure Socket Layer) 3.0 / TLS (Transport Layer Security) 1.0 • VPN ??????????(??): TCP/IP ? UDP/IP ??? (IPv4 ??? IPv6 ?) • ????: RC4-MD5, RC4-SHA, AES128-SHA, AES256-SHA, DES-CBC-SHA and DES- CBC3-SHA • ?????: zlib • ??????: 128bit • ??????: ?????HTTP over SSL Protocol
  • Advanced Networking Laboratory

    Advanced Networking Laboratory

    Advanced Networking Laboratory Virtual Private Networking: Enhancing Security for E-Business TR-ANL-2002-04-01 Jingdi Zeng and Nirwan Ansari April 2002 Electrical and Computer Engineering New Jersey Institute of Technology University Heights Newark, NJ 07029 U.S.A 1 Virtual Private Networking: Enhancing Security for E-business1 Abstract With the Internet penetrating every corner of the world, e-business has found an excellent carrier which is able to fulfill the information transfer among diverse areas. Virtual private networking, a booming value-added service over the Internet, offers a low-cost, high-security, and easy-to- manage solution for e-business applications and services. The article introduces the implementation of Virtual Private Networks (VPNs), by portraying a generic deployment process following with certain details. The comparison and discussion in the article shall benefit service providers seeking for new avenues, and enterprises longing for supreme e-business services as well. Key words: E-business, virtual private networks, deployment framework, implementation, security. Authors: Jingdi Zeng [email protected] Prof. Nirwan Ansari ECE department New Jersey Institute of Technology 323 M. L. K. Blvd. University Height Newark, New Jersey 07102 USA (Tel) 973-596-3670 [email protected] 1 This work is resulted from the effort on incorporating IP VPN services into a 10G Ethernet product for OpenCon Communication Systems. 2 1. INTRODUCTION With the Internet reaching more and more homes and offices, the electronic commerce has been spreading out to every corner of the world. On one hand, e-business providers desire diverse technologies, from database management to Intranet security, to support everyday activities.