
Thursday, August 12, 2010

VPN Models

VPN: This term is very popular in the service provider industry, where it is sold as a product or as a service integrated with many other services. Basically, all of them offer the same thing: a virtual private tunnel across a public (shared) network.

Currently there are two VPN models in the industry, offered according to business requirements:
  •  Overlay VPN
  •  Peer to Peer VPN


Overlay VPN: In this model the service provider establishes physical connectivity between customer sites, and the customer is responsible for all higher layers. The service provider is not responsible for any routing; it just provides a circuit, and the customer is responsible for everything else.
The overlay VPN is deployed via private trunks across a service provider's shared infrastructure. These VPNs can be implemented as follows:
  • At layer-1 using leased/dialup lines (E1, T1, SDH, SONET, ISDN, etc.)
  • At layer-2 using X.25/frame relay/ATM Virtual Circuits.
  • At layer-3 using IP (GRE) tunneling.


The service provider has no knowledge of the customer routes and is simply responsible for providing point-to-point transport of data between the customer sites.
The service provider infrastructure appears as point-to-point links to customer routes. The provider network is invisible to the customer.
Routing protocols run directly between customer routers.


Peer to Peer VPN: Here the service provider participates in customer routing.
Routing information is exchanged between CE and PE routers.
PE routers exchange customer routes through the core network.
Finally, the routes propagated through the PE network are sent to other CE routers.

Peer to Peer implementation: Commonly the PE router is a router shared between customers, and packet filters isolate the customers. The packet filters increase CPU utilization, which results in performance issues.

  



Dedicated PE router model: In this model the service provider uses a dedicated PE router for every customer to reduce the complications, but this results in high cost.

MPLS VPNs combine the best features of both the Overlay and Peer to Peer models.


Wednesday, August 11, 2010

WCCP


WCCP: Web Cache Communication Protocol
Web Cache Communication Protocol (WCCP) is a Cisco-developed content-routing protocol that provides a mechanism to redirect traffic flows in real-time. It has built-in load balancing, scaling, fault tolerance, and service-assurance (failsafe) mechanisms. Cisco IOS Release 12.1 and later releases allow the use of either Version 1 (WCCPv1) or Version 2 (WCCPv2) of the protocol.
WCCP allows utilization of Cisco Cache Engines (or other caches running WCCP) to localize web traffic patterns in the network, enabling content requests to be fulfilled locally. Traffic localization reduces transmission costs and download time.
How WCCP Works:
WCCP enables a Cisco router to transparently redirect content requests to web engines running WCCP. The main benefit of transparent redirection is that users need not configure their browsers to use a web proxy. Instead, they can use the target URL to request content, and have their requests automatically redirected to a cache engine. The word "transparent" in this case means that the end user does not know that a requested file (such as a web page) came from the cache engine instead of from the originally specified server.
When a cache engine receives a request, it attempts to service it from its own local cache. If the requested information is not present, the cache engine issues its own request to the originally targeted server to get the required information. When the cache engine retrieves the requested information, it forwards it to the requesting client and caches it to fulfill future requests, thus maximizing download performance and substantially reducing transmission costs.
WCCP enables a series of cache engines, called a cache engine cluster, to provide content to a router or multiple routers. You can cluster up to 32 cache engines to scale to your desired capacity.

Versions : WCCP v1 and WCCP v2.

Difference : Multiple routers can use WCCPv2 to service a cache cluster. This is in contrast to WCCPv1, in which only one router could redirect content requests to a cluster.
ip wccp version {1 | 2}

To enable WCCP on a Cisco router:
ip wccp web-cache

To enable WCCP redirection on a particular interface:
ip wccp web-cache redirect {out | in}

The interface facing the hosts that initiate requests to the web is "in", and the interface connected to the web engine is "out".

Use with ACL
ip wccp web-cache redirect-list access-list

 OR

WCCP Outbound ACL Check Configuration

The following configuration example shows that the access list prevents traffic from network 192.168.1.0 leaving Fast Ethernet interface 0/0. Because the outbound ACL check is enabled, WCCP does not redirect that traffic. WCCP checks packets against the ACL before they are redirected.
ip wccp web-cache
ip wccp outbound-acl-check
!
interface fastethernet0/0 
 ip access-group 10 out 
!
ip wccp web-cache redirect-list redirect-out
access-list 10 deny 192.168.1.0 0.0.0.255
access-list 10 permit any
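
As an added example (not from the original post or from Cisco), the Python below models the outbound ACL check on the configuration above: it parses standard ACL 10, applies the wildcard mask, and reports whether WCCP would redirect a given source address. The function names are hypothetical, the ACL number is passed in rather than read from the interface, and redirection is assumed to be otherwise configured for the traffic.

```python
import ipaddress
import re

# Configuration from the example above (redirect-list line left out).
CONFIG = """\
ip wccp web-cache
ip wccp outbound-acl-check
!
interface fastethernet0/0
 ip access-group 10 out
!
access-list 10 deny 192.168.1.0 0.0.0.255
access-list 10 permit any
"""

def parse_standard_acl(config, number):
    """Return [(action, network, wildcard), ...] as integers for a numbered standard ACL."""
    entries = []
    pattern = re.compile(rf"^access-list {number} (permit|deny) (\S+)(?: (\S+))?$")
    for line in config.splitlines():
        m = pattern.match(line.strip())
        if not m:
            continue
        action, addr, wildcard = m.groups()
        if addr == "any":
            addr, wildcard = "0.0.0.0", "255.255.255.255"
        elif addr == "host":
            addr, wildcard = wildcard, "0.0.0.0"
        net = int(ipaddress.IPv4Address(addr))
        wc = int(ipaddress.IPv4Address(wildcard or "0.0.0.0"))
        entries.append((action, net, wc))
    return entries

def acl_permits(entries, source):
    """First match wins; wildcard bits set to 1 are ignored; implicit deny at the end."""
    src = int(ipaddress.IPv4Address(source))
    for action, net, wc in entries:
        if (src | wc) == (net | wc):
            return action == "permit"
    return False

def wccp_redirects(config, source, acl_number=10):
    """With the outbound ACL check on, a packet the outbound ACL denies is not redirected."""
    lines = [l.strip() for l in config.splitlines()]
    if "ip wccp web-cache" not in lines:
        return False
    if "ip wccp outbound-acl-check" in lines:
        return acl_permits(parse_standard_acl(config, acl_number), source)
    return True
```

Removing the `ip wccp outbound-acl-check` line from the sample makes the model return True for 192.168.1.x sources, which is the case the check exists to prevent: traffic the outbound ACL would drop being handed to the cache instead.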

Sample Config:
Router# configure terminal
Router(config)# ip wccp web-cache
Router(config)# interface fa0/0
Router(config-if)# ip wccp web-cache redirect out

Monitoring Commands:
show ip wccp
show ip wccp web-cache
show ip wccp detail
show ip interface

Known issues: After configuring WCCP on the router, you can see high CPU utilization.



Ref: cisco.com