
The Radios!!!!

2.1 What’s used


The flexibility of Tulip lies in the ability to reach out to rural areas. This by no means is a
small task and requires ample amount of dedication, focus and high levels of enthusiasm,
which is found in abundance in the employees. They are willing to make it right no matter
how difficult it is. The last mile of Tulip connectivity is on wireless. This is made possible
by the use of a variety of wireless radios some of which are enlisted here.

• Airspan
• Firepro
• Radwin

The radios in frequent use today are the Airspan, Radwin and Firepro radios.
Each of these radios has a particular frequency range. Airspan is mostly used in a Point to
Multipoint topology, chiefly at the base station, where multiple client branches have to be
handled.
In Airspan specifically, the modem at the Tulip end is known as the BASE STATION RADIO
and the radio at the client end is known as the SUBSCRIBER PREMISES RADIO.
Firepro can be used in both point to point and point to multipoint topologies and is deployed
in both, though mostly in Point to Point topology.
Radwin is used very rarely and, if at all, is used in the backbone to provide redundancy to
the fiber paths there.

These radios have particular graphical interfaces as well and distinct troubleshooting
procedures.
Each of these radios has a wide variety of features and different diagnostic interfaces,
which makes each of them unique and suited to a particular purpose. But the background
process and the implementation procedure of all these radios are the same. They follow a
standard methodology of implementation as described herewith, but before that let's just get
acquainted with the nitty-gritty of the business, the mother of all purposes here: the RF,
or radio frequency.

Radio frequency, or RF, refers to that portion of the electromagnetic spectrum in which
electromagnetic waves can be generated by alternating current fed to an antenna. RF, short
for radio frequency, is any frequency within the electromagnetic spectrum associated with
radio wave propagation. When an RF current is supplied to an antenna, an electromagnetic
field is created that is then able to propagate through space. Many wireless technologies
are based on RF field propagation. In the scope of work we are so hotly discussing, VPNs are
provided to the clients using modems supporting radio frequency. The two modems, i.e. the
base station modem and the client site modem, communicate with each other through RF. The
link becomes more secure due to MAC address binding: the MAC address is configured on both
modems and acts as an authenticating agent, so that no one else is allowed to interfere with
the network. Radio frequency provides end-to-end communication by using different channels,
called frequencies.

But yes, did we just notice the use of the words Electromagnetic Spectrum? That is, broadly
speaking, the mother of RF. Why? Simple: because RF is part of that spectrum.
Electromagnetic radiation is generally described as a self-propagating wave in space with
electric and magnetic components. These components oscillate at right angles to each other
and to the direction of propagation, and are in phase with each other. Electromagnetic
radiation is classified into types according to the frequency of the wave: these types
include, in order of increasing frequency, radio waves, microwaves, infrared radiation,
visible light, ultraviolet radiation, X-rays and gamma rays.
Now that we are clear that the connectivity is based upon a radio at Tulip's base station
and one at the client site, it is evident that the topology used between the base station
and the client(s) is either

POINT TO POINT - mostly in the case of Tulip's backbone or to HOs of clients

POINT TO MULTIPOINT - mostly in the case of branches of the clients

The following would give us a brief idea of the correlation between the EM spectrum
and the radio frequency part of the spectrum.

2.2 How It’s Used

Well, let me try and give you a visual picture of how it is done.
At the base station end, the router is connected to the switch, which in turn is connected
to the radio modem through an SDA, which is basically the power adapter to which we connect
the CAT-5 cable of the modems as well as of the routers/switches. Then we have the radio
modem attached to the antenna; you know you just can't go places without an antenna. Now
what do we use to attach the antenna to the modem? That's where a pigtail comes in. No, it's
not a pig's tail. It is what we use to connect the radio modem and antenna and it looks
somewhat like this:

The pigtail cable, used to connect the radio modem to the antenna.

So now we have a complete picture of what’s happening. The information travels from the
router to the switch at the base station to the antenna via the radio modem. The antenna
zaps it across to the other side, where a similar but reverse process takes place, making it
possible for information to be transmitted anywhere!!! Sounds pretty neat, eh?

2.3 Perfunctory Definitions


Ok, so let's just sum up the above two sections in a tabular and presentable manner.

ROUTER: A device or setup that finds the best route between any two networks, even if
there are several networks to traverse. Like bridges, remote sites can be connected using
routers over dedicated or switched lines to create WANs.

Radio: One at each side, at the base and client sides. These radios are connected to the
antenna via the Pigtail cable.

SDA or POE: It is the power adapter to which we connect the CAT-5 cable of the modems
as well as of the routers.

Feeder: It is a stick-like element attached to the antenna which points the waves in the
direction they have to travel and also shapes them into a beam.

Antenna: It is a type of dish with which we connect the modems like BSR and SPR.

Pigtail: It is the cable used to connect the antenna with a modem.

2.4 Radios

Now that we are through with knowing how it works, let's concentrate a little more on
the types of radio modems that are used in Tulip. The radios primarily used in Tulip are
Airspan, Radwin and Firepro.

– AIRSPAN- As said earlier, the two components making up the Airspan setup are the BSR
and the SPR.

BSR
The BSR, installed at the Base Station, is an encased outdoor radio module providing a 9-pin
D-type port for an RS-232 serial interface and a 15-pin D-type port for data,
synchronization, and power interfaces. The BSR is available in two models: BSR with an
integral antenna (BSR 900 MHz TDD V-pol); BSR with two N-type ports (displayed below) for
attaching up to two external antennas (BSR 900 MHz TDD Dual Ext).
Major cities like NCR and Mumbai would have up to about 50 Base Stations. Medium sized towns
will have 20 Base Stations. Very small towns could have one to three Base Stations. A total
of about 2000 base stations have been set up to date. Any new city comes up in four weeks.

SPR
The SPR is an encased CPE outdoor radio module providing access to a 15-pin D-type port for
Ethernet, serial, and power interfaces. The SPR is available in two models: SPR with an
integral antenna (SPRL 900MHz TDD V-pol) and SPR with an N-type port for attaching an
external antenna (SPR 900MHz TDD Ext).

Cable connection of the SPR to the SDA

1. Connect the 15-pin D-type male connector, at one end of the CAT 5 cable, to the SPR's
15-pin port.

2. Connect the 15-pin D-type male connector, at the other end of the CAT 5 cable, to the
SDA's 15-pin D-type port.

The setup of the radio is comparatively easy. The radio can either be configured in
bridge mode or in routing mode. The following is a snapshot of the Airspan SPR and BSR
being configured in bridge mode.

BSR and SPR being configured in the bridge mode.
2.5 Site preparation and planning

When preparing and planning the site, ensure the following:

- Minimum obstructions (e.g. buildings) in the radio path between the Base Station radio
(i.e. BSR) and the subscriber radios (i.e. SPR/IDR).

- Minimum incursions on the Fresnel Zone (recommended minimum of 60% clearance of the
first Fresnel Zone).

- Minimum multipath fading: Some of the transmitted signals may be reflected from a
nearby building, by water under the signal path, or from any other reflectors. This
reflected ("bounced") signal can then be received by the receiving radio and superimposed
on the main received signal, thereby degrading the signal strength. Airspan recommends
installing the outdoor radios at the rear of the building's roof instead of the front. When
you install at the rear, the front of the building blocks incoming signals from multipath
reflections.

- Clean frequencies selected from Spectrum Analyzer results.

- Maximum received signal strength (RSS) at the CPE by antenna alignment: For the IDR,
RSS can be measured by the IDR's built-in RSS LEDs; for the SPR, RSS can be measured by
Airspan's WipConfig program or by connecting Airspan's RSS LED Plug Adapter.

- Radios mounted as far as possible from sources of interference that could degrade radio
performance. Ensure a minimum of 1-meter separation between co-located outdoor units.

- Radios mounted as high as possible to avoid obstructions and to increase link quality.

- BSR and SPR/IDR are within maximum range of reception.

- Maximum length of 100 meters of CAT-5 cable connecting outdoor radio units to indoor
terminating units.

- Sufficient wiring conduit and cable ties to channel and protect the CAT 5 cable
connecting the outdoor radio to the indoor hub/switch.

- Required power source is available at the site.

External antenna consideration

In some scenarios, where capacity demand is relatively low, external omni-directional
antenna use at the Base Station may seem attractive. However, it is recommended to avoid
using omni-directional antennas (if possible), due to the following disadvantages that
these antennas pose compared to directional antennas:

- Higher sensitivity to external interference.

- Higher sensitivity to multipath, resulting in the following:

  - The root mean square (RMS) delay spread at the Base Station is substantially higher.

  - Multipath interference at the CPE side (when using an omni-directional antenna at the
Base Station) is substantially higher. In fact, when using an omni-directional antenna, the
existence of a clear Fresnel zone between BSR and SPR/IDR is insufficient to eliminate
multipath interference, since multipath, in this case, can be caused by reflections
originating from obstacles outside the Fresnel zone.

- Higher sensitivity to alignment. Since the omni-directional antenna gain is achieved by
narrowing the vertical beam width, a relatively low deviation in the antenna alignment will
result in severe signal attenuation.

3 Cisco Router Configuration

3.1 Cisco IOS Modes of Operation


The Cisco IOS software provides access to several different command modes. Each
command mode provides a different group of related commands.
For security purposes, the Cisco IOS software provides two levels of access to
commands: user and privileged. The unprivileged user mode is called user EXEC mode.
The privileged mode is called privileged EXEC mode and requires a password. The
commands available in user EXEC mode are a subset of the commands available in
privileged EXEC mode.

The following table describes some of the most commonly used modes, how to enter the
modes, and the resulting prompts. The prompt helps you identify which mode you are in
and, therefore, which commands are available to you.

Mode of Operation: User EXEC
Usage: Change terminal settings on a temporary basis, perform basic tests, and list system
information.
How to Enter the Mode: First level accessed.
Prompt: Router>

Mode of Operation: Privileged EXEC
Usage: System administration, set operating parameters.
How to Enter the Mode: From user EXEC mode, enter the enable password command.
Prompt: Router#

Mode of Operation: Global Config
Usage: Modify configuration that affects the system as a whole.
How to Enter the Mode: From privileged EXEC, enter configure terminal.
Prompt: Router(config)#

Mode of Operation: Interface Config
Usage: Modify the operation of an interface.
How to Enter the Mode: From global mode, enter interface type number.
Prompt: Router(config-if)#

Mode of Operation: Setup
Usage: Create the initial configuration.
How to Enter the Mode: From privileged EXEC mode, enter the command setup.
Prompt: Prompted dialog

User EXEC Mode:


When you are connected to the router, you are started in user EXEC mode. The user
EXEC commands are a subset of the privileged EXEC commands.
Privileged EXEC Mode:
Privileged commands include the following:
• Configure – Changes the software configuration.
• Debug – Display process and hardware event messages.
• Setup – Enter configuration information at the prompts.
Enter the command disable to exit from the privileged EXEC mode and return to user
EXEC mode.

Configuration Mode

Configuration mode has a set of submodes that you use for modifying interface settings,
routing protocol settings, line settings, and so forth. Use caution with configuration mode
because all changes you enter take effect immediately.
To enter configuration mode, enter the command configure terminal and exit by pressing
Ctrl-Z.

Note:
Almost every configuration command also has a no form. In general, use the no form to
disable a feature or function. Use the command without the keyword no to re-enable a
disabled feature or to enable a feature that is disabled by default. For example, IP routing
is enabled by default. To disable IP routing, enter the no ip routing command and enter
ip routing to re-enable it.
Getting Help
In any command mode, you can get a list of available commands by entering a question
mark (?).
Router>?
To obtain a list of commands that begin with a particular character sequence, type in
those characters followed immediately by the question mark (?).
Router#co?
configure connect copy
To list keywords or arguments, enter a question mark in place of a keyword or argument.
Include a space before the question mark.


Router#configure ?
memory Configure from NV memory
network Configure from a TFTP network host
terminal Configure from the terminal
You can also abbreviate commands and keywords by entering just enough characters to
make the command unique from other commands. For example, you can abbreviate the
show command to sh.
3 INTRODUCTION TO VPN

3.1 What is a VPN?

A virtual private network (VPN) is a communications network tunneled through another
network, and dedicated to a specific network. One common application is secure
communications through the public Internet, but a VPN need not have explicit security
features, such as authentication or content encryption. A VPN may have best-effort
performance, or may have a defined Service Level Agreement (SLA) between the VPN customer
and the VPN service provider.
Generally, a VPN has a topology more complex than point-to-point between nodes. For
example, there are a number of systems that enable networks to be created using the
Internet as the medium for transporting data. These systems use encryption and other
security mechanisms to ensure that only authorized users can access the network and that
the data cannot be intercepted.
Basically, a VPN is a private network that uses a public network (usually the Internet)
to connect remote sites or users together. Instead of using a dedicated, real-world
connection such as leased line, a VPN uses “virtual” connections routed through the
Internet from the company’s private network to the remote site or employee. A virtual
private network can be contrasted with an expensive system of owned or leased lines
that can only be used by one organization.
A VPN gateway offers secure, encrypted tunnels, extending the corporate network anywhere
in the world. A VPN prevents eavesdropping and data tampering, protecting information
confidentiality. A VPN protects data integrity, ensuring that no modifications
were made to the data while in transit. A VPN supplies network connectivity over a
possibly long physical distance. In this respect, a VPN is a form of Wide Area Network
(WAN). VPN technologies implement restricted-access networks that utilize the same
cabling and routers as a public network, and they do so without sacrificing features or
basic security.

3.2 Why VPNs?

• Extend geographic connectivity
• Improve security
• Reduce operational costs versus traditional WAN
• Reduce transit time and transportation costs for remote users
• Improve productivity
• Simplify network topology
• Provide global networking opportunities
• Provide telecommuter support
• Provide broadband networking compatibility
• Provide faster ROI (return on investment) than traditional WAN

A well-designed VPN incorporates:


• Security
• Reliability
• Scalability
• Network management
• Policy management

VPN DEVICES AND TERMINOLOGY


The VPN devices are categorized as:

• Customer

Customer network (C-Network): the part of the network under customer control.
Customer (C) devices: C devices are simply devices such as routers and switches located
within the customer network. These devices do not have direct connectivity to the service
provider network.
Customer Edge (CE) devices: CE devices are located at the edge of the customer network and
connect to the provider network (via Provider Edge [PE] devices). This device is usually a
router and is normally referred to as the CE router.

• Provider

Provider network (P-Network): the service provider infrastructure that is used to provide
VPN services.
Provider (P) device: the device in the P-Network with no customer connectivity and without
any "knowledge" of the VPN. This device is usually a router.
Provider edge (PE) device: the device in the P-Network to which the CE devices are
connected. This device is usually a router and is often referred to as the PE router.

3.3 TYPES OF VPN:

Remote-Access VPN
There are two common types of VPN. Remote-access, also called a virtual private dial-up
network (VPDN), is a user-to-LAN connection used by a company that has employees who need
to connect to the private network from various remote locations. Typically, a corporation that
wishes to set up a large remote-access VPN will outsource to an enterprise service provider
(ESP). The ESP sets up a network access server (NAS) and provides the remote users with
desktop client software for their computers. The telecommuters can then dial a toll-free number
to reach the NAS and use their VPN client software to access the corporate network.

A good example of a company that needs a remote-access VPN would be a large firm with
hundreds of sales people in the field. Remote-access VPNs permit secure, encrypted connections
between a company's private network and remote users through a third-party service provider.

1) SECURE VPNS:

Tunneling:
Tunneling is the transmission of data through a public network in such a way that
routing nodes in the public network are unaware that the transmission is part of a
private network. Tunneling is generally done by encapsulating the private network data
and protocol information within the public network protocol data so that the tunneled
data is not available to anyone examining the transmitted data frames. Tunneling
allows the use of public networks (e.g. the Internet) to carry data on behalf of users as
though they had access to a 'private network', hence the name. Secure VPNs use the
tunneling mechanism to carry data on public Internet lines.

• IPSec (IP security) - commonly used over IPv4, and an obligatory part of IPv6.
• PPTP (Point-to-Point Tunneling Protocol), developed jointly by a number of companies,
including Microsoft.
• L2TP (Layer 2 Tunneling Protocol), including work by both Microsoft and Cisco.
• L2TPv3 (Layer 2 Tunneling Protocol version 3).

Some large ISPs now offer "managed" VPN service for business customers who want the
security and convenience of a VPN but prefer not to undertake administering a VPN server
themselves. In addition to providing remote workers with secure access to their employer's
internal network, other security and management services are sometimes included as part of
the package.

2) TRUSTED VPN:
Trusted VPNs do not use cryptographic tunneling, and instead rely on the security of a
single provider's network to protect the traffic. In a sense, these are an elaboration of
traditional network and system administration work. Multi-Protocol Label Switching (MPLS)
is often used to build trusted VPNs. L2F (Layer 2 Forwarding), developed by Cisco, can also
be used.

3.4 VPN Protocols and Tunnels

Layer 3 tunneling protocols:

Internet Protocol Security Protocol (IPSec) provides enhanced security features such as better
encryption algorithms and more comprehensive authentication.

A remote-access VPN utilizing IPSec

IPSec has two encryption modes: tunnel and transport. Tunnel encrypts the header and the
payload of each packet while transport only encrypts the payload. Only systems that are IPSec
compliant can take advantage of this protocol. Also, all devices must use a common key and the
firewalls of each network must have very similar security policies set up.
IPSec can encrypt data between various devices, such as:
➢ Router to router
➢ Firewall to router
➢ PC to router
➢ PC to server

1) IPSec:
IPSec (IP Security) is a standardized framework for securing Internet Protocol (IP)
communications by encrypting and/or authenticating each IP packet in a data stream.
There are two modes of IPSec operation: transport mode and tunnel mode. In transport
mode only the payload (message) of the IP packet is encrypted. It is fully routable since
the IP header is sent as plain text. Transport mode is used for host-to-host
communication. In tunnel mode, the entire IP packet is encrypted. It must then be
encapsulated into a new IP packet for routing to work. Tunnel mode is used for
network-to-network communications (secure tunnels between routers). Since encryption and
encapsulation are done by routers/gateways, end systems need not support this. IPSec
protocols operate at the network layer. This makes IPSec more flexible, as it can be used
for protecting both TCP and UDP-based protocols, but increases its complexity and
processing overhead, as it cannot rely on TCP (layer 4) to manage reliability and
fragmentation. The protocols used for securing traffic in IPSec are AH and ESP.

Authentication header (AH)


The AH is intended to guarantee connectionless integrity and data origin authentication
of IP datagrams. Further, it can optionally protect against replay attacks by using the
sliding window technique and discarding old packets. AH protects the IP payload and
all header fields of an IP datagram except for mutable fields, i.e. those that might be
altered in transit. In IPv4, mutable (and therefore unauthenticated) IP header fields
include TOS, Flags, Fragment Offset, TTL and Header Checksum. AH operates directly on top
of IP, using IP protocol number 51.
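
As an added example (not code from the original document), the following Python builds a constructed IPv4 datagram carrying an AH header and computes and verifies the ICV with HMAC-SHA1-96 (RFC 2404) after zeroing exactly the mutable fields named above; it then shows that a TTL decrement in transit still verifies, while a changed source address or payload does not. The key, addresses and payload are constructed sample values.

```python
"""IPSec AH integrity check (ICV) over an IPv4 datagram.

Added example, not from the original document. A constructed IPv4 datagram
carries an AH header (IP protocol 51); the ICV is HMAC-SHA1-96 (RFC 2404)
computed over the datagram with the mutable IPv4 fields zeroed (TOS,
Flags/Fragment Offset, TTL, Header Checksum) and the ICV field itself
zeroed. Key, addresses and payload are constructed sample values.
"""
import hashlib
import hmac
import socket
import struct

AH_PROTO = 51   # IP protocol number of the Authentication Header
ICV_LEN = 12    # HMAC-SHA1-96: the 160-bit MAC truncated to 96 bits
AH_FIXED = 12   # Next Header, Payload Len, Reserved, SPI, Sequence Number


def ipv4_header(src, dst, proto, total_len, tos=0, ttl=64):
    """20-byte IPv4 header without options. The header checksum is left as
    zero here: it is a mutable field and is not covered by AH anyway."""
    ver_ihl = (4 << 4) | 5
    flags_frag = 0x4000  # DF set, fragment offset 0
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, tos, total_len, 0x1234,
                       flags_frag, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def zero_mutable(ip_hdr):
    """Copy of the IPv4 header with the mutable fields set to zero, as AH
    requires before the ICV is computed (RFC 4302, section 3.3.3.1.1)."""
    h = bytearray(ip_hdr)
    h[1] = 0                 # TOS (DSCP/ECN)
    h[6:8] = b"\x00\x00"     # Flags + Fragment Offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # Header Checksum
    return bytes(h)


def ah_icv(key, ip_hdr, ah_fixed, payload):
    """HMAC-SHA1-96 over immutable IP header + AH header (ICV zeroed) + payload."""
    data = zero_mutable(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(key, src, dst, next_header, spi, seq, payload):
    """Assemble IPv4 header + AH header + payload with a valid ICV."""
    ah_len = AH_FIXED + ICV_LEN
    ip_hdr = ipv4_header(src, dst, AH_PROTO, 20 + ah_len + len(payload))
    # Payload Len is the AH length in 32-bit words minus 2 (RFC 4302).
    ah_fixed = struct.pack("!BBHII", next_header, ah_len // 4 - 2, 0, spi, seq)
    return ip_hdr + ah_fixed + ah_icv(key, ip_hdr, ah_fixed, payload) + payload


def verify_ah_packet(key, packet):
    """Receiver side: recompute the ICV and compare it in constant time."""
    if len(packet) < 20 + AH_FIXED + ICV_LEN or packet[9] != AH_PROTO:
        return False
    ip_hdr = packet[:20]
    ah_fixed = packet[20:20 + AH_FIXED]
    ah_len = (ah_fixed[1] + 2) * 4
    if ah_len != AH_FIXED + ICV_LEN:        # only HMAC-SHA1-96 is handled here
        return False
    icv = packet[20 + AH_FIXED:20 + ah_len]
    payload = packet[20 + ah_len:]
    return hmac.compare_digest(icv, ah_icv(key, ip_hdr, ah_fixed, payload))


def demo():
    """Returns (valid, after_ttl_decrement, after_src_change, after_payload_edit)."""
    key = b"constructed-sample-key-not-for-real-use"
    pkt = build_ah_packet(key, "10.0.0.1", "10.0.0.2", 17, 0x100, 1, b"hello over AH")
    hopped = bytearray(pkt)
    hopped[8] -= 1            # a router decrementing TTL: mutable field, still verifies
    changed = bytearray(pkt)
    changed[12] = 192         # source address altered: immutable field, detected
    edited = bytearray(pkt)
    edited[-1] ^= 0x01        # payload altered: detected
    return (verify_ah_packet(key, pkt), verify_ah_packet(key, bytes(hopped)),
            verify_ah_packet(key, bytes(changed)), verify_ah_packet(key, bytes(edited)))


if __name__ == "__main__":
    print(demo())   # (True, True, False, False)
```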

Encapsulating Security Payload (ESP)


The ESP protocol provides origin authenticity, integrity, and confidentiality protection of
a packet. ESP also supports encryption-only and authentication-only configurations, but
using encryption without authentication is strongly discouraged because it is
insecure.[2] [3] [4] Unlike AH, the IP packet header is not protected by ESP. (Although in
tunnel mode ESP, protection is afforded to the whole inner IP packet, including the inner
header; the outer header remains unprotected.) ESP operates directly on top of IP, using IP
protocol number 50.

2) GRE:
Generic Routing Encapsulation (GRE) is a protocol designed for performing
encapsulation of one network layer protocol (for example, IP or IPX) over another
network layer protocol (for example, IP). GRE uses the tunneling technology and
serves as a Layer 3 tunneling protocol of virtual private network (VPN).

A tunnel is a virtual point-to-point connection for transferring encapsulated packets.
Packets are encapsulated at one end of the tunnel and decapsulated at the other end.

Operation of GRE
A packet transferred through a tunnel undergoes an encapsulation process and a
decapsulation process. Figure 1-1 depicts the network used to illustrate these two
processes.

Figure 1 IPX networks interconnected through the GRE tunnel

I. Encapsulation process
1) After receiving an IPX packet through the interface connected to IPX network Group 1,
Router A submits it to the IPX module for processing.
2) The IPX module checks the destination address field in the IPX header to determine how
to route the packet.
3) If the packet must be tunneled to reach its destination, Router A sends it to the tunnel
interface.
4) Upon receipt of the packet, the tunnel interface encapsulates it in a GRE packet and
submits it to the IP module.
5) The IP module encapsulates the packet in an IP packet, and then forwards the IP packet
out through the corresponding network interface based on its destination address and the
routing table.

II. Format of an encapsulated packet

Figure 1-2 shows the format of an encapsulated packet.

Figure 3 Format of an IPX packet encapsulated for transmission over an IP tunnel

These are the terms involved:

Payload: Packet that needs to be encapsulated and routed.

Passenger protocol: Protocol that the payload packet uses, IPX in the example.

Encapsulation or carrier protocol: Protocol used to encapsulate the payload packet, that
is, GRE.

Delivery or transport protocol: Protocol used to encapsulate the GRE packet and to forward
the resulting packet to the other end of the tunnel, IP in this example.

Depending on the transport protocol, two tunnel modes are present: GRE over IPv4 and GRE
over IPv6.

III. Decapsulation process

Decapsulation is the reverse process of encapsulation:

1) Upon receiving an IP packet from the tunnel interface, Router B checks the destination
address.
2) If the destination is itself, Router B strips off the IP header of the packet and
submits the resulting packet to the GRE module.
3) The GRE module checks the key, checksum and sequence number, and then strips off the
GRE header and submits the payload to the IPX module.
4) The IPX module performs the subsequent forwarding processing for the packet.

The encapsulation and decapsulation processes on both ends of the GRE tunnel, and the
resulting increase in data volume, degrade the forwarding efficiency of the GRE-enabled
device to some extent.

GRE Security Options:

For the purpose of tunnel security, GRE provides two options: the tunnel interface key and
the end-to-end checksum. According to RFC 1701:

If the Key Present field of a GRE packet header is set to 1, the Key field carries the key
that the receiver uses to authenticate the source of the packet. This key must be the same
at both ends of a tunnel; otherwise, packets delivered over the tunnel will be discarded.
If the Checksum Present bit of a GRE packet header is set to 1, the Checksum field contains
valid information. The sender calculates the checksum over the GRE header and the payload
and sends the packet containing the checksum to the peer. The receiver calculates the
checksum for the received packet and compares it with the one carried in the packet. If the
checksums are the same, the receiver considers the packet intact and continues to process
it. Otherwise, the receiver discards the packet.
Due to the GRE encapsulation/decapsulation process executed on both ends of the tunnel and
the resulting increase in data volume, the forwarding efficiency of routers using GRE is
degraded to some extent.
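
As an added example (not code from the original document), the following Python implements the key and checksum handling just described for an RFC 1701 GRE header together with the receiver-side checks of the decapsulation process (checksum, key, sequence number), so the two discard cases can be seen on constructed input. The payload, the protocol type (0x8137, Novell IPX) and the key values are constructed samples.

```python
"""GRE (RFC 1701) tunnel key and checksum handling.

Added example, not from the original document. It encapsulates a
constructed payload in a GRE header with the Checksum Present and Key
Present bits set, then performs the receiver-side checks the text
describes: verify the checksum over GRE header + payload, require the key
to match the tunnel's configured key, and reject a stale sequence number.
The protocol type (0x8137, Novell IPX) and key values are sample values.
"""
import struct

FLAG_C = 0x8000   # Checksum Present
FLAG_R = 0x4000   # Routing Present (not handled here)
FLAG_K = 0x2000   # Key Present
FLAG_S = 0x1000   # Sequence Number Present
VERSION_MASK = 0x0007


def inet_checksum(data):
    """One's-complement Internet checksum, as used by IP and by GRE."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_encapsulate(payload, proto_type, key=None, seq=None, checksum=True):
    """GRE header + payload. Optional fields appear in RFC 1701 order:
    Checksum/Offset, Key, Sequence Number."""
    flags, opt = 0, b""
    if checksum:
        flags |= FLAG_C
        opt += struct.pack("!HH", 0, 0)      # checksum placeholder, offset 0
    if key is not None:
        flags |= FLAG_K
        opt += struct.pack("!I", key)
    if seq is not None:
        flags |= FLAG_S
        opt += struct.pack("!I", seq)
    hdr = struct.pack("!HH", flags, proto_type) + opt
    if checksum:
        # Computed with the checksum field zero, over header and payload.
        c = inet_checksum(hdr + payload)
        hdr = hdr[:4] + struct.pack("!H", c) + hdr[6:]
    return hdr + payload


def gre_decapsulate(packet, expected_key=None, last_seq=None):
    """Receiver side. Returns (payload, proto_type, seq); raises ValueError
    with the reason when the packet must be discarded."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, proto_type = struct.unpack("!HH", packet[:4])
    if (flags & VERSION_MASK) != 0 or (flags & FLAG_R):
        raise ValueError("unsupported GRE version or routing field")
    hdr_len = 4 + sum(4 for f in (FLAG_C, FLAG_K, FLAG_S) if flags & f)
    if len(packet) < hdr_len:
        raise ValueError("truncated GRE header")
    off, key, seq = 4, None, None
    if flags & FLAG_C:
        # Summing the whole packet, checksum included, yields zero when intact.
        if inet_checksum(packet) != 0:
            raise ValueError("checksum mismatch")
        off += 4
    if flags & FLAG_K:
        key = struct.unpack("!I", packet[off:off + 4])[0]
        off += 4
    if flags & FLAG_S:
        seq = struct.unpack("!I", packet[off:off + 4])[0]
        off += 4
    if expected_key is not None and key != expected_key:
        raise ValueError("key mismatch")
    if last_seq is not None and seq is not None and seq <= last_seq:
        raise ValueError("stale sequence number")
    return packet[off:], proto_type, seq


def demo():
    """Round trip plus the two discard cases; returns a dict of outcomes."""
    tunnel_key = 0xC0FFEE01
    payload = b"IPX packet bytes (constructed)"
    pkt = gre_encapsulate(payload, 0x8137, key=tunnel_key, seq=7)
    out = {"ok": gre_decapsulate(pkt, tunnel_key, last_seq=6) == (payload, 0x8137, 7)}
    corrupted = pkt[:-1] + bytes([pkt[-1] ^ 0x01])   # one payload bit flipped
    for name, packet, key in (("wrong_key", pkt, 0xDEADBEEF),
                              ("corrupted", corrupted, tunnel_key)):
        try:
            gre_decapsulate(packet, expected_key=key)
            out[name] = "accepted"
        except ValueError as err:
            out[name] = str(err)
    return out


if __name__ == "__main__":
    print(demo())   # {'ok': True, 'wrong_key': 'key mismatch', 'corrupted': 'checksum mismatch'}
```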

GRE Applications :

GRE supports these types of applications:


• Multi-protocol communications through a single-protocol backbone
• Scope enlargement of the network running a hop-limited protocol
• VPN creation by connecting discontinuous subnets
• GRE-IPSec tunnel application

I.Multi-protocol communications through a single-protocol backbone

Figure 4 Multi-protocol communications through a single-protocol backbone
In the example as shown in Figure 1-4 , Group 1 and Group 2 are local networks
running Novell IPX, while Team 1 and Team 2 are local networks running IP. Through
the GRE tunnel between Router A and Router B, Group 1 can communicate with Group
2 and Team 1 can communicate with Team 2. They will not interfere with each other.

II. Scope enlargement of the network running a hop-limited protocol

Figure 5 Scope enlargement of the network


When the hop count between two terminals exceeds 15, the terminals cannot
communicate with each other. Using GRE, you can hide some hops so as to enlarge
the scope of the network.

III. VPN creation by connecting discontinuous subnets

Figure 6 Connect discontinuous subnets with a tunnel to form a VPN

In the example as shown in Figure 1-6 , Group 1 and Group 2 running Novell IPX are
deployed in different cities. They can constitute a trans-WAN virtual private network
(VPN) through the tunnel.

IV. GRE-IPSec tunnel application

Figure 7 GRE-IPSec tunnel application


Working with IPSec, GRE allows data packets like routing protocol, voice, and video
packets to be first encapsulated by GRE and then encrypted by IPSec.

Layer 2 tunneling protocols:

1) PPTP - Point-to-Point Tunneling Protocol –


Extends the Point to Point Protocol (PPP) standard for traditional dial-up networking.
PPTP is best suited for the remote access applications of VPNs, but it also supports
LAN internetworking. PPTP operates at Layer 2 of the OSI model. PPTP packages data
within PPP packets, then encapsulates the PPP packets within IP packets (datagrams)
for transmission through an Internet-based VPN tunnel. PPTP supports data encryption
and compression of these packets. PPTP also uses a form of General Routing
Encapsulation (GRE) to get data to and from its final destination.
PPTP-based Internet remote access VPNs are by far the most common form of PPTP
VPN. In this environment, VPN tunnels are created via the following two-step process:
1. The PPTP client connects to their ISP using PPP dial-up networking (traditional modem
or ISDN).

2. Via the broker device (described earlier), PPTP creates a TCP control connection between
the VPN client and VPN server to establish a tunnel. PPTP uses TCP port 1723 for these
connections.

PPTP also supports VPN connectivity via a LAN. ISP connections are not required in
this case, so tunnels can be created directly as in Step 2 above.

Once the VPN tunnel is established, PPTP supports two types of information
flow:

1) Control messages for managing and eventually tearing down the VPN connection.
Control messages pass directly between VPN client and server.
2) Data packets that pass through the tunnel, to or from the VPN client

PPTP supports authentication, encryption, and packet filtering. PPTP authentication
uses PPP-based protocols like EAP, CHAP, and PAP. PPTP supports packet filtering on
VPN servers. Intermediate routers and other firewalls can also be configured to
selectively filter PPTP traffic.

2) L2TP (Layer 2 Tunneling Protocol) -


Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private
networks (VPNs). L2TP has its origins primarily in two older tunneling protocols for PPP:
Cisco's Layer 2 Forwarding (L2F) and Microsoft's Point-to-Point Tunneling Protocol (PPTP).

Description:

L2TP acts like a data link layer (layer 2 of the OSI model) protocol for tunneling network
traffic between two peers over an existing network (usually the Internet). L2TP is in fact
a session layer (layer 5) protocol, and uses the registered UDP port 1701. The entire L2TP
packet, including payload and L2TP header, is sent within a UDP datagram. It is common to
carry Point-to-Point Protocol (PPP) sessions within an L2TP tunnel. L2TP does not provide
confidentiality or strong authentication by itself. IPSec is often used to secure L2TP
packets by providing confidentiality, authentication and integrity. The combination of
these two protocols is generally known as L2TP/IPSec (discussed below).
The two endpoints of an L2TP tunnel are called the LAC (L2TP Access Concentrator)
and the LNS (L2TP Network Server). The LAC is the initiator of the tunnel while the
LNS is the server, which waits for new tunnels. Once a tunnel is established, the
network traffic between the peers is bidirectional. To be useful for networking,
higher-level protocols are then run through the L2TP tunnel. To facilitate this, an
L2TP session (or call) is established within the tunnel for each higher-level protocol
such as PPP. Either the LAC or LNS may initiate sessions. The traffic for each session
is isolated by L2TP, so it is possible to set up multiple virtual networks across a
single tunnel. The added UDP and L2TP headers reduce the usable MTU, so MTU (and the
PPP MRU) should be considered when implementing L2TP.
The packets exchanged within an L2TP tunnel are categorized as either control
packets or data packets. L2TP provides reliability features for the control packets
(sequence numbers Ns/Nr with acknowledgement and retransmission), but no reliability
for data packets. Reliability, if desired, must be provided by the nested protocols
running within each session of the L2TP tunnel.

Tunneling Models:

An L2TP tunnel can extend across an entire PPP session or only across one segment
of a two-segment session. This can be represented by four different tunneling models,
namely
I. voluntary tunnel
II. compulsory tunnel — incoming call
III. compulsory tunnel — remote dial and

IV. L2TP multi-hop connection

1) In the voluntary tunnel model, a tunnel is created by the user, typically with
an L2TP-enabled client, called the LAC client. The user will send L2TP packets
to the Internet Service Provider (ISP) which will forward them on to the LNS. The ISP
does not need to support L2TP; it only forwards the L2TP packets between LAC and
LNS. The LAC client acts as an L2TP tunnel initiator which effectively resides on the
same system as the remote client. The tunnel extends across the entire PPP session
from the L2TP client to the LNS.
2) In the compulsory tunnel model (incoming call), a tunnel is created between the ISP's LAC
and the LNS home gateway. The company may provide the remote user with a Virtual
Private Network (VPN) login account from which he can access the corporate server.
As a result the user will send PPP packets to the ISP (LAC) which will encapsulate
them in L2TP and tunnel them to the LNS. In the compulsory tunneling cases, the ISP
must be L2TP capable. In this model the tunnel only extends across the segment of the
PPP session between the ISP and the LNS.
3) In the compulsory tunnel model (remote dial), the home gateway (LNS) initiates a
tunnel to an ISP (LAC) (outgoing call) and instructs the ISP to place a local call to the
PPP enabled client which is the remote user. This model is intended for cases where
the remote PPP Answer Client has a permanently established phone number with an
ISP. This model is expected to be used when a company with established presence on
the Internet needs to establish a connection to a remote office that requires a dial-up
link. In this model the tunnel only extends across the segment of the PPP session
between the LNS and the ISP.
4) An L2TP Multi-hop connection is a way of redirecting L2TP traffic on behalf of client
LACs and LNSs. A Multi-hop connection is established using an L2TP Multi-hop
gateway. A tunnel is established from a client LAC to the L2TP Multi-hop gateway and
then another tunnel is established between the L2TP Multi-hop gateway and a target
LNS. L2TP traffic between client LAC and LNS is redirected to each other through the
gateway.

3) L2TPv3 (Layer 2 Tunneling Protocol version 3) -


Layer 2 Tunneling Protocol Version 3 (standardized in RFC 3931) is a revision of L2TP
proposed as an alternative protocol to MPLS for encapsulation of multiprotocol Layer 2
communications traffic over IP networks. Like L2TP, L2TPv3 provides a 'pseudo-wire'
service, but scaled to fit carrier requirements.
L2TPv3 can be regarded as being to Multiprotocol Label Switching (MPLS) what IP is
to ATM: a simplified version of the same concept, with much of the benefit achieved
with a fraction of the effort, at the cost of losing some technical features considered
less important in the market. In the case of L2TPv3, the features lost are the
traffic-engineering features considered important in MPLS. The protocol overhead of
L2TPv3 is also significantly bigger than that of MPLS. However, there is no reason why
these features could not be re-engineered in or on top of L2TPv3 in later products.
L2TPv3 is emerging as a lightweight yet robust alternative for creating Layer 2 VPNs
across MPLS and pure IP backbones.

L2TPv3 extends L2TP and can also be run with statically configured sessions and no
control connection at all; in that mode it is stateless, with no signaling or keep-alive
mechanism. L2TP, originally defined in RFC 2661, was designed to provide
dynamic tunneling for multiple Layer 2 circuits across packet-oriented data networks. It
describes a standard method of tunneling that lets circuit like connections across one
or many Layer 3 networks appear as point-to-point or point-to-multipoint links between
customer locations. The base L2TP protocol consists of a control protocol for dynamic
creation, maintenance and tear-down of L2TP sessions; and data encapsulation to
multiplex and demultiplex Layer 2 datastreams between IP-connected nodes.
L2TP has been focused on narrowband dial-up protocols. L2TPv3 extends L2TP by
letting it run on higher-speed devices such as routers because of reduced overhead
and the related decrease in processing chores. It also adds important new features
such as increasing the session and tunnel ID space from 16 to 32 bits, which
dramatically increases the number of tunnels from 65,000 to more than 4 billion.

With L2TPv3, the physical interface connecting to a customer’s network becomes the
tunnel ingress/egress interface. Consequently, traffic does not need to be routed into
the tunnel by the provider’s router. As packets arrive at the interface, they are
encapsulated and forwarded directly toward the remote tunnel endpoint. Once received
and de-encapsulated, the original packet can be forwarded out of the egress interface
if the Session ID (and, where one is configured, the cookie carried after it) is
recognized by the router. If it isn't, the packet is discarded.
With L2TPv3, companies reap lower-cost services because carriers can offer frame
relay, ATM and Ethernet over a common IP backbone - radically lowering capital and
operational costs. And because L2TPv3 adds no new requirements to the IP transport
infrastructure, it is inherently easier and simpler to implement and support, because
network staff is familiar with IP.
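The L2TP header described in the L2TP section (UDP/1701, control versus data packets, 16-bit tunnel and session IDs, Ns/Nr only on control packets) and the L2TPv3 changes described above (32-bit IDs, forwarding only when the session is recognized) can be exercised together with one decoder. The following is an added example (my own, not from this document or any vendor): it parses L2TPv2 and L2TPv3-over-UDP headers, names a v2 control message from its Message Type AVP, and applies the L2TPv3 ingress check. The sample datagrams, the cookie value, the session table and the interface name "GigabitEthernet0/1" are all constructed for the example.

```python
"""Added example (not from the original document): decode L2TP headers carried
in UDP/1701 datagrams, for L2TPv2 (RFC 2661, 16-bit IDs) and L2TPv3 over UDP
(RFC 3931, 32-bit IDs), and apply the ingress check an L2TPv3 endpoint makes
before forwarding a decapsulated frame. Sample datagrams are constructed here,
not captured; the session table and interface name are assumptions."""
import hmac
import struct

# Control message types carried in the Message Type AVP (attribute 0), RFC 2661
V2_MESSAGE_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO",
                    7: "OCRQ", 8: "OCRP", 9: "OCCN", 10: "ICRQ", 11: "ICRP",
                    12: "ICCN", 14: "CDN", 15: "WEN", 16: "SLI"}


def parse_l2tp(datagram):
    """Decode the L2TP header at the start of a UDP payload into a dict."""
    flags = struct.unpack("!H", datagram[:2])[0]
    info = {"version": flags & 0x000F, "control": bool(flags & 0x8000)}   # Ver, T bit
    pos = 2
    if info["version"] == 2:
        if flags & 0x4000:                                   # L bit: Length present
            info["length"] = struct.unpack("!H", datagram[pos:pos + 2])[0]; pos += 2
        info["tunnel_id"], info["session_id"] = struct.unpack("!HH", datagram[pos:pos + 4]); pos += 4
        if flags & 0x0800:                                   # S bit: Ns/Nr present
            info["ns"], info["nr"] = struct.unpack("!HH", datagram[pos:pos + 4]); pos += 4
        if flags & 0x0200:                                   # O bit: Offset Size + padding
            pos += 2 + struct.unpack("!H", datagram[pos:pos + 2])[0]
    elif info["version"] == 3:
        if info["control"]:                                  # v3 control: Length, 32-bit Control Connection ID, Ns, Nr
            info["length"] = struct.unpack("!H", datagram[pos:pos + 2])[0]; pos += 2
            info["tunnel_id"] = struct.unpack("!I", datagram[pos:pos + 4])[0]; pos += 4
            info["ns"], info["nr"] = struct.unpack("!HH", datagram[pos:pos + 4]); pos += 4
        else:                                                # v3 data over UDP: Reserved, 32-bit Session ID
            pos += 2
            info["session_id"] = struct.unpack("!I", datagram[pos:pos + 4])[0]; pos += 4
    else:
        raise ValueError("unsupported L2TP version %d" % info["version"])
    info["payload"] = datagram[pos:]
    return info


def message_type(info):
    """Name of a v2 control message: walk the AVPs until Message Type (vendor 0, attr 0)."""
    avps = info["payload"]
    while len(avps) >= 6:
        hdr, vendor, attr = struct.unpack("!HHH", avps[:6])
        length = hdr & 0x03FF                                # low 10 bits; includes the 6-byte AVP header
        if length < 6:
            break                                            # malformed AVP, stop rather than loop
        if vendor == 0 and attr == 0 and length >= 8:
            return V2_MESSAGE_TYPES.get(struct.unpack("!H", avps[6:8])[0], "unknown")
        avps = avps[length:]
    return None


def forward_v3(datagram, session_table):
    """Ingress check for an L2TPv3 data packet (no L2-specific sublayer assumed):
    unknown Session ID or wrong cookie -> discard (None), else (egress, inner frame)."""
    info = parse_l2tp(datagram)
    if info["version"] != 3 or info["control"]:
        return None
    entry = session_table.get(info["session_id"])
    if entry is None:
        return None
    cookie = entry["cookie"]
    if not hmac.compare_digest(info["payload"][:len(cookie)], cookie):
        return None
    return entry["egress"], info["payload"][len(cookie):]


# --- constructed samples (not captured traffic) -----------------------------
def _avp(attr, value):
    body = struct.pack("!HH", 0, attr) + value               # vendor 0, attribute type
    return struct.pack("!H", 0x8000 | (2 + len(body))) + body   # M bit set, 10-bit length


def _v2_sccrq():
    avps = (_avp(0, struct.pack("!H", 1))                    # Message Type = SCCRQ
            + _avp(2, struct.pack("!H", 0x0100))             # Protocol Version 1.0
            + _avp(7, b"lac.example"))                       # Host Name (assumed)
    body = struct.pack("!HHHH", 0, 0, 0, 0) + avps           # Tunnel 0, Session 0, Ns 0, Nr 0
    return struct.pack("!HH", 0xC802, 4 + len(body)) + body  # T, L, S set; Ver 2


V2_SCCRQ = _v2_sccrq()
# v2 data: Tunnel 0x1234, Session 1, then a PPP frame (IPv4 inside) readable in the clear
V2_DATA = struct.pack("!HHH", 0x0002, 0x1234, 0x0001) + b"\xff\x03\x00\x21\x45\x00\x00\x2c"
COOKIE = bytes.fromhex("1a2b3c4d5e6f7081")                  # assumed per-session cookie
# v3 data over UDP: Ver 3, Reserved, 32-bit Session ID, 8-byte cookie, then an Ethernet frame
V3_DATA = struct.pack("!HHI", 0x0003, 0, 0xDEADBEEF) + COOKIE + bytes.fromhex("ffffffffffff0011223344550800")
SESSIONS = {0xDEADBEEF: {"cookie": COOKIE, "egress": "GigabitEthernet0/1"}}   # assumed session table
```

Two things are worth noticing when running it: parse_l2tp(V2_DATA)["payload"] is the PPP frame in plaintext, which is exactly why L2TP on its own is paired with IPSec; and forward_v3() discards a datagram whose 32-bit Session ID is valid but whose cookie is wrong, which is what makes a randomly chosen cookie a defence against injected frames from someone who can guess or observe session IDs.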
