Rating: Summary: Specifically intended for the use of network engineers Review: Troubleshooting Virtual Private Networks by computer hardware and software expert Mark Lewis is a 1000-page systematic troubleshooting methodology "how to" manual specifically intended for the use of network engineers, administrators, and architects tasked with managing and deploying Cisco IOS VPNs. With eight self-contained chapters organized and designed to facilitate rapid and straightforward troubleshooting, Troubleshooting Virtual Private Networks provides detailed information on addressing all common and not-so-common issues associated with IPSec VPNs, MPLS Layer 3 VPNs, Any Transport over MPLS (AToM)-based Layer 2 VPNs, L2TP Version 3 (L2TPv3)-based Layer 2 VPNs, L2TP Version 2 (L2TPv2) VPNs, PPTP VPNs, and L2F VPNs. Troubleshooting Virtual Private Networks not only shows the user how to correct problems but also how to avoid them in the first place, with expert VPN configuration guidance and optimization tips.
Rating: Summary: Fun with Tunneling Review: Troubleshooting VPNs by Mark Lewis (Cisco Press, 2004) demystifies the major protocols used to create Virtual Private Networks. VPNs use a form of encapsulation called tunneling (additions to packets or frames that make them distinguishable as part of a unique connection) to transmit different protocols or encrypted data across the wide area network. The cost savings over dedicated leased-line access (extended connectivity with potentially more bandwidth for less money) were compelling from the start, and the standardization process to secure VPNs and make them easier to implement moved quickly. But VPNs also meant that many disparate protocols (PAP/CHAP, LCP/NCP, ATM, IP) with many different functions (authentication, negotiation, and transport) would have to play together in new ways. The inevitable free-for-all that results from these "forced parties" has opened up a world of opportunity for network engineers with troubleshooting skills. That's where this book comes in to help. The book begins by establishing some basic rules of thumb for VPN troubleshooting. These include bottom-up and top-down troubleshooting (the "up" and "down" parts refer to the OSI stack) and end-to-end analysis of "what might have gone wrong where." Then the book moves on to quickly address older, less secure VPN-creation methods such as Point-to-Point Tunneling Protocol (PPTP), which is widely used for dial access, and Layer 2 Forwarding (L2F), before continuing on to more common protocols such as Layer 2 Tunneling Protocol (L2TP), IP Security (IPSec), Multiprotocol Label Switching (MPLS), and an emerging practice that adapts existing WAN protocols (especially ATM but also PPP and HDLC) to MPLS, called Any Transport over MPLS (AToM). For every protocol discussed, the book introduces the technology in some depth for those who might have only a cursory knowledge of what they're getting into.
It offers deep detail on control messages, connection and session establishment, configuring and maintaining the VPN tunnel, and (of course) troubleshooting common failure scenarios known to occur with these technologies. All topics include a detailed glossary of common troubleshooting commands (show and debug), with tips on how to employ them and caveats on what to watch out for in terms of the amount of output they might generate or the effect they might have on the devices they are executed on. In addition to very descriptive visuals walking you through such complex inner workings as tunnel setup sequences (from initial channel establishment, through negotiation and authentication, and on to frame forwarding), the author has devised detailed troubleshooting flowcharts for every major VPN technology. These flowcharts include questions you should ask yourself while fixing a broken configuration; for instance, a PPTP flowchart instructs you to ask (in order, working up the stack) whether LCP negotiation, PPP authentication, and NCP negotiation were successful. In working up through the data link sublayers in this way, any answer of "No" or "Not Sure" sends you to a section describing how to verify or correct what is happening at that sublayer. Similarly, for AToM VPNs, you are asked whether CEF (required for MPLS) is enabled on the internal (LSR) routers, and then whether MPLS and LDP are correctly enabled on these routers as well. A "Not Sure" answer directs you to where to correct the problem. Of course, there is an art to troubleshooting, and these flowcharts are guidelines rather than something that can be automated. But they are very well thought out and, combined with some practice and experience on the learner's part, can help foster a very strong knowledge of how to debug these tricky technologies. For those who have the resources to set them up and the time to do them, there are labs with some invaluable assistance on handling common configurations gone wrong.
The problems include incorrect IP addressing, password or protocol mismatches, or access lists blocking a needed protocol. The MPLS labs are especially useful, as there are a lot of dependencies in a successful MPLS VPN: MPLS itself has to be fully operational and stable before the VPN routing and forwarding (VRF) tables are established. In describing the different protocols, the book ultimately illustrates some of the tradeoffs between Layer 2 and Layer 3 VPNs. Things have moved rapidly from L2F forwarding to IPSec- and MPLS-based services; however, Layer 2 VPNs (via L2TP) will continue to be developed because they're so much easier to implement and maintain and because they scale adequately and satisfy the requirements of most customer applications. The need for Layer 3 comes into play when there is a large number of very small sites, but the tradeoff of a Layer 3 VPN service is that providers need to keep up with changes in a customer's routing tables, a potentially costly operational expenditure. To automate some of the transfers of information needed at Layer 3, a protocol called Multiprotocol BGP (MP-BGP) was developed for Layer 3 VPNs. This advertises customer routes and associated labels in the MPLS environment. The book includes a section on troubleshooting these Layer 3 VPNs with a variety of interior gateway protocols (RIPv2, EIGRP, or OSPF) working with the EGP. The nuts and bolts of multicast VPNs, another Layer 3 technology that facilitates one-to-many applications such as distance learning or conferencing, are also covered. This book is entirely service-provider focused; this makes sense considering the subject matter, but there are many separate issues in the enterprise arena that are not covered here. By and large, these are probably simpler problems and might not warrant this level of treatment.
They also include other devices such as VPN concentrators and the unique problems of terminating different VPN types (remote access versus site-to-site) at the enterprise edge, and positioning these termination solutions alongside a firewall or a server farm. Whether this belongs in another book (which would be my vote) or in a separate chapter here is a judgment call and doesn't take away from the quality of what is covered in the book, but rather just stands out as an open question. Simply put, the numerous examples in this book are well thought out and acutely illustrative of real-world problems, and the author always walks through detailed scenarios on how to solve them. Lewis is a CCIE who works in the service provider space and specializes in VPN technologies; the material in this book is clearly based on his experience, and he has taken the trouble to make it as accessible as possible. Given the technical depth and how relatively new much of this material is, combined with the pressing need for expertise in troubleshooting VPNs in the service provider arena, this book gets five stars out of five.