AlexJ's Computer Science Journal

alexandru.juncu.ro

Private Networks – Introduction and Legacy Solutions

META: This article is a draft for a chapter of my Research Paper for this semester.

Introduction

An Enterprise Network is usually a network of a medium-to-large company that has multiple branches in different geographical locations, each branch with its own local data networks. The branches need to communicate in order to access each other’s resources (for example the company’s centralised database). Having its own direct cable connections between all the branches is practically impossible, so the company will have to depend on a Service Provider (SP) for interconnecting the sites. This can be done in several ways, using different technologies and protocols, each with its pros and cons, varying in price, ease of implementation, features, throughput and security.

A generic topology consists of the following:

P – Provider Equipment
PE – Provider Edge Equipment
CE – Customer Edge Equipment
C – Customer Equipment

The Service Provider has its network (cloud) of PE and P devices, the Provider Equipment being in the core of the network and the Provider Edge Equipment at the border. The client company has in each branch a CE connected to a PE, and behind the CE all the rest of the Customer Equipment.

Depending on the technologies used, each of these devices can take different forms.

Leased lines

The most basic connection type is for the Service Provider to provide a leased line. This practically gives the company a virtual cable between two locations. The edge routers in the branches would see each other as if they were directly connected, as a point-to-point connection.

Having a leased line gives the company control over both Layer 3 and Layer 2. This means that the company can choose the encapsulation of the line: a simple PPP connection, PPP with PAP or CHAP configured for privacy against Layer 1 attacks, compression of the traffic, or any other encapsulation wanted. The edge routers would be in a common broadcast domain, meaning that the company can also choose the Layer 3 protocol (IPv4, IPv6, CLNS).

Leased lines are rather expensive and they do not scale well. The approach is acceptable if the company has two branches, but for n branches, n*(n-1)/2 lines would be needed to have full connectivity. Frame Relay could be used to solve this problem.

Frame Relay

To have a scalable network, the company could use a technology like Frame Relay, connecting several sites over the Service Provider's network infrastructure. Frame Relay is a Layer 2 protocol and it connects the company's edge routers to a Frame Relay Cloud (run by the Service Provider). The SP is in charge of providing point-to-point or point-to-multipoint connections between routers by the use of Virtual Circuits (VC).

Several companies can use the same physical infrastructure of the SP, but each company will have its own set of Virtual Circuits, so data will not be visible between companies, securing the privacy of the data. The Virtual Circuits are switched in the FR Cloud with the use of an identifier called a DLCI that is attached to each frame sent into the Cloud; each switch along the path looks up the incoming DLCI on the incoming interface and forwards the frame out another interface, possibly with a different DLCI. The SP uses DLCIs to get data from one edge router to another. It is easier and cheaper to have new Virtual Circuits than new physical connections between different sites. But the fee of the SP is still charged on a per-VC basis, so rather than having full mesh topologies, companies will choose hub and spoke topologies (the headquarters usually being the hub).

Configuration example (IOS-based equipment)

hostname CE1
!
interface Serial2/0
ip address 123.0.0.1 255.255.255.0
encapsulation frame-relay
serial restart-delay 0
clock rate 128000
!

hostname PE1
!
interface Serial1/0
no ip address
encapsulation frame-relay
serial restart-delay 0
clock rate 128000
frame-relay intf-type nni
frame-relay route 300 interface Serial2/0 100
!
interface Serial2/0
no ip address
encapsulation frame-relay
serial restart-delay 0
clock rate 128000
frame-relay intf-type dce
frame-relay route 100 interface Serial1/0 300
frame-relay route 102 interface Serial1/0 102

hostname P
!
interface Serial1/0
no ip address
encapsulation frame-relay
serial restart-delay 0
clock rate 128000
frame-relay intf-type nni
frame-relay route 300 interface Serial1/1 400
!
interface Serial1/1
no ip address
encapsulation frame-relay
serial restart-delay 0
clock rate 128000
frame-relay intf-type nni
frame-relay route 400 interface Serial1/0 300

hostname PE2
!
interface Serial1/1
no ip address
encapsulation frame-relay
serial restart-delay 0
clock rate 128000
frame-relay intf-type nni
frame-relay route 400 interface Serial2/0 200
!
interface Serial2/0
no ip address
encapsulation frame-relay
serial restart-delay 0
clock rate 128000
frame-relay intf-type dce
frame-relay route 200 interface Serial1/1 400
frame-relay route 201 interface Serial1/1 201

hostname CE2
!
interface Serial2/0
ip address 123.0.0.2 255.255.255.0
encapsulation frame-relay
serial restart-delay 0
clock rate 128000
!
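The hop-by-hop DLCI switching that the configuration above sets up, as an added example that is not part of the article: a small Python model of the cloud built from the frame-relay route statements of PE1, P and PE2. The cabling between devices (which interface of one box connects to which of the next) is assumed, since the article does not draw it.

```python
# Added example (not from the article): a minimal model of how a Frame Relay
# cloud switches frames by DLCI. Each switch maps (ingress interface, ingress
# DLCI) to (egress interface, egress DLCI) and rewrites the DLCI at every hop.
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:
    dlci: int
    payload: bytes

# The 'frame-relay route <in-dlci> interface <out-if> <out-dlci>' lines above,
# keyed per device as (ingress interface, ingress DLCI).
ROUTES = {
    "PE1": {("Serial1/0", 300): ("Serial2/0", 100),
            ("Serial2/0", 100): ("Serial1/0", 300),
            ("Serial2/0", 102): ("Serial1/0", 102)},
    "P":   {("Serial1/0", 300): ("Serial1/1", 400),
            ("Serial1/1", 400): ("Serial1/0", 300)},
    "PE2": {("Serial1/1", 400): ("Serial2/0", 200),
            ("Serial2/0", 200): ("Serial1/1", 400),
            ("Serial2/0", 201): ("Serial1/1", 201)},
}

# Assumed physical cabling: (device, interface) -> (neighbour, its interface).
LINKS = {
    ("CE1", "Serial2/0"): ("PE1", "Serial2/0"),
    ("PE1", "Serial1/0"): ("P", "Serial1/0"),
    ("P", "Serial1/1"):   ("PE2", "Serial1/1"),
    ("PE2", "Serial2/0"): ("CE2", "Serial2/0"),
}
LINKS.update({v: k for k, v in LINKS.items()})  # links are bidirectional

def switch_frame(src, src_if, frame):
    """Forward a frame through the cloud hop by hop.

    Returns (receiver, DLCI as seen by the receiver, list of switch hops), or
    None if some switch has no VC for that (interface, DLCI) and drops it.
    """
    hops = []
    dev, iface = LINKS[(src, src_if)]
    dlci = frame.dlci
    while dev in ROUTES:               # CE devices are not switches
        hops.append((dev, iface, dlci))
        entry = ROUTES[dev].get((iface, dlci))
        if entry is None:
            return None                # no VC: never leaks to another customer
        out_if, dlci = entry           # DLCI is rewritten on the way out
        dev, iface = LINKS[(dev, out_if)]
    return dev, dlci, hops
```

Note that DLCI 102 on PE1 and 201 on PE2 have a route on the edge switch but no matching entry on P, so with exactly the configuration shown those circuits end in a drop.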

Observations

These two solutions, very commonly used until recently, are private by design, because the traffic between the company's offices can't be seen by anyone except the Service Provider. If Layer 2 or higher-layer encryption mechanisms are used, even the SP is prevented from reading the data. The company can't be attacked with malicious data because outside traffic won't reach the Customer Equipment.

The downfall of these solutions came with the rise of the public WAN, the Internet. A company that wanted a WAN connection between its sites and connection(s) to the Internet needed to purchase two separate services. Because the Internet is cheap, companies prefer to have Internet connections for their offices and also use them as a way of connecting the different branches. This solves some problems, but introduces others.
