
Advanced IPSec VPN Design



Table of Contents

Chapter 1  Introduction to VPNs
  Motivations for Deploying a VPN
  VPN Technologies
  Layer 2 VPNs
  Layer 3 VPNs
  Remote Access VPNs

Chapter 2  IPSec Overview
  Encryption Terminology
  Symmetric Algorithms
  Asymmetric Algorithms
  Digital Signatures
  IPSec Security Protocols
  IPSec Transport Mode
  IPSec Tunnel Mode
  Encapsulating Security Header (ESP)
  Authentication Header (AH)
  Key Management and Security Associations
  The Diffie-Hellman Key Exchange
  Security Associations and IKE Operation
  IKE Phase 1 Operation
  IKE Phase 2 Operation
  IPSec Packet Processing

Chapter 3  Enhanced IPSec Features
  IKE Keepalives
  Dead Peer Detection
  Idle Timeout
  Reverse Route Injection
  Stateful Failover
  SADB Transfer
  SADB Synchronization
  IPSec and Fragmentation
  Look Ahead Fragmentation
  GRE and IPSec
  IPSec and NAT
  Effect of NAT on AH
  Effect of NAT on ESP
  Effect of NAT on IKE
  IPSec and NAT Solutions

Chapter 4  IPSec Authentication and Authorization Models
  Extended Authentication (XAUTH) and Mode Configuration (MODE-CFG)
  Mode-Configuration (MODECFG)
  Easy VPN (EzVPN)
  EzVPN Client Mode
  Network Extension Mode
  Digital Certificates for IPSec VPNs
  Digital Certificates
  Certificate Authority-Enrollment
  Certificate Revocation

Chapter 5  IPSec VPN Architectures
  IPSec VPN Connection Models
  IPSec Model
  The GRE Model
  The Remote Access Client Model
  IPSec Connection Model Summary
  Hub-and-Spoke Architecture
  Using the IPSec Model
  Transit Spoke-to-Spoke Connectivity Using IPSec
  Internet Connectivity
  Scalability Using the IPSec Connection Model
  GRE Model
  Transit Site-to-Site Connectivity
  Transit Site-to-Site Connectivity with Internet Access
  Scalability of GRE Hub-and-Spoke Models
  Remote Access Client Connection Model
  Easy VPN (EzVPN) Client Mode
  EzVPN Network Extension Mode
  Scalability of Client Connectivity Models
  Full-Mesh Architectures
  Native IPSec Connectivity Model
  GRE Model

Chapter 6  Designing Fault-Tolerant IPSec VPNs
  Link Fault Tolerance
  Backbone Network Fault Tolerance
  Access Link Fault Tolerance
  Access Link Fault Tolerance Summary
  IPSec Peer Redundancy
  Simple Peer Redundancy Model
  Virtual IPSec Peer Redundancy Using HSRP
  IPSec Stateful Failover
  Peer Redundancy Using GRE
  Virtual IPSec Peer Redundancy Using SLB
  Server Load Balancing Concepts
  IPSec Peer Redundancy Using SLB
  Cisco VPN 3000 Clustering for Peer Redundancy
  Peer Redundancy Summary
  Intra-Chassis IPSec VPN Services Redundancy
  Stateless IPSec Redundancy
  Stateful IPSec Redundancy

Chapter 7  Auto-Configuration Architectures for Site-to-Site IPSec VPNs
  IPSec Tunnel Endpoint Discovery
  Principles of TED
  Limitations with TED
  TED Configuration and State
  TED Fault Tolerance
  Dynamic Multipoint VPN
  Multipoint GRE Interfaces
  Next Hop Resolution Protocol
  Dynamic IPSec Proxy Instantiation
  Establishing a Dynamic Multipoint VPN
  DMVPN Architectural Redundancy
  DMVPN Model Summary

Chapter 8  IPSec and Application Interoperability
  QoS-Enabled IPSec VPNs
  Overview of IP QoS Mechanisms
  IPSec Implications for Classification
  IPSec Implications on QoS Policies
  VoIP Application Requirements for IPSec VPN Networks
  Delay Implications
  Jitter Implications
  Loss Implications
  IPSec VPN Architectural Considerations for VoIP
  Decoupled VoIP and Data Architectures
  VoIP over IPSec Remote Access
  VoIP over IPSec-Protected GRE Architectures
  VoIP Hub-and-Spoke Architecture
  VoIP over DMVPN Architecture
  VoIP Traffic Engineering Summary
  Multicast over IPSec VPNs
  Multicast over IPSec-Protected GRE
  Multicast on Full-Mesh Point-to-Point GRE/IPSec Tunnels
  DMVPN and Multicast
  Multicast Group Security
  Multicast Encryption Summary

Chapter 9  Network-Based IPSec VPNs
  Fundamentals of Network-Based VPNs
  The Network-Based IPSec Solution: IOS Features
  The Virtual Routing and Forwarding Table
  Crypto Keyrings
  ISAKMP Profiles
  Operation of Network-Based IPSec VPNs
  A Single IP Address on the PE
  Front-Door and Inside VRF
  Configuration and Packet Flow
  Termination of IPSec on a Unique IP Address Per VRF
  Network-Based VPN Deployment Scenarios
  IPSec to MPLS VPN over GRE
  IPSec to L2 VPNs
  PE-PE Encryption



Promotional Information

As the number of remote branches and work-from-home employees grows throughout corporate America, VPNs are becoming essential to both enterprise networks and service providers. IPSec is one of the more popular technologies for deploying IP-based VPNs. IPSec VPN Design provides a solid understanding of the design and architectural issues of IPSec VPNs. Some books cover the IPSec protocols, but they do not address overall design issues; this book fills that void. IPSec VPN Design consists of three main sections. The first section provides a comprehensive introduction to the IPSec protocol, including IPSec peer models, and also introduces site-to-site, network-based, and remote access VPNs. The second section is dedicated to an analysis of IPSec VPN architecture and proper design methodologies; peer relationships and fault tolerance models and architectures are examined in detail. The third section addresses enabling VPN services, such as performance, scalability, packet processing, QoS, multicast, and security. This title also covers integration of IPSec VPNs with other Layer 3 (MPLS VPN) and Layer 2 (Frame Relay, ATM) technologies. Management, provisioning, and troubleshooting techniques are also discussed. Case studies highlight design, implementation, and management advice to be applied in both service provider and enterprise environments.

About the Author

Vijay Bollapragada, CCIE® No. 1606, is a senior manager in the Network Systems Integration and Test Engineering group at Cisco Systems®, where he works on the architecture, design, and validation of complex network solutions.

Mohamed Khalid, CCIE No. 2435, is a technical leader working with IP VPN solutions at Cisco®. He works extensively with service providers across the globe and their associated Cisco account teams to determine technical and engineering requirements for various IP VPN architectures.

Scott Wainner is a Distinguished Systems Engineer in the U.S. Service Provider Sales Organization at Cisco Systems where he focuses on VPN architecture and solution development. In this capacity, he provides customer guidance on IP VPN architectures and drives internal development initiatives within Cisco Systems.
