Understanding Virtual Private Networks
Three Types of VPNs
Let’s look now at the three types of VPNs.
Access, Intranet, and Extranet VPNs
As previously stated, VPN is defined as customer
connectivity deployed on a shared infrastructure with the
same policies as a private network. The shared infrastructure
can leverage a service provider IP, Frame Relay, or ATM backbone,
or the Internet. Cisco defines three types of virtual private
networks according to how businesses and organizations use
Access VPNs provide remote connectivity to telecommuters
and mobile users. They’re typically an alternative to
dedicated dial or ISDN connections. They offer users a range
of connectivity options as well as a much lower cost solution.
Intranet VPNs link corporate headquarters,
remote offices, and branch offices over a shared infrastructure
using dedicated connections. The VPN typically is an alternative
to a leased line. It provides the benefit of extended connectivity
and lower cost.
Extranet VPNs link customers, suppliers,
partners, or communities of interest to a corporate intranet
over a shared infrastructure using dedicated connections.
In this example, the VPN is often an alternative to fax, snail
mail, or EDI. The extranet VPN facilitates e-commerce.
Access VPNs
Let’s look at the Access VPN in more detail.
Remote access VPNs extend the corporate network
to telecommuters, mobile workers, and remote offices with
minimal WAN traffic. They enable users to connect to their
corporate intranets or extranets whenever, wherever, or however
they require. Remote access VPNs provide connectivity to a
corporate intranet or extranet over a shared infrastructure
with the same policies as a private network. Access methods
are flexible---asynchronous dial, ISDN, DSL, mobile IP, and
cable technologies are supported. Migrating from privately
managed dial networks to remote access VPNs offers several
advantages, most notably:
- Reduced capital costs associated with
modem and terminal server equipment
- Ability to utilize local dial-in numbers
instead of long distance or 800 numbers, thus significantly
reducing long distance
- Greater scalability and ease of deployment
for new users added to the network
- Restored focus on core corporate business
objectives instead of managing and retaining staff to operate
the dial network
Access VPN Operation Overview
In an Access VPN environment, the most important
aspect of security revolves around identifying a user as a
member of an approved customer company and establishing a
tunnel to its home gateway, which handles per-user authentication,
authorization, and accounting (AAA).
User authentication is a critical characteristic of an Access
VPN. Through a local point of presence (POP), a client establishes
communication with the service provider network (1),
and secondarily establishes a connection with the customer
The Access VPN tunnel end points authenticate each other
Next, the user connects to the customer premises equipment
(CPE) home gateway server (local network server) using PPP
or SLIP (4) and is authenticated through
a username/password handling protocol such as PAP, CHAP, or
The home gateway maintains a relationship with an access control
server (ACS), also known as an AAA server, using TACACS+ or
RADIUS protocols. At this point, authorization is set up using
the policies stored in the ACS and communicated to the home
gateway at the customer premises (5).
Often, the customer administers the ACS, providing
ultimate and centralized control over who can access its network
as well as which servers can be accessed. User profiles define
what the user can do on the network. Using authorization profiles,
the network creates a "virtual interface" for each
user. Access policies are enforced using Cisco IOS software
specific to each interface.
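The authentication and authorization flow described above (CHAP over PPP at the home gateway, RADIUS between the home gateway and the ACS, and the returned user profile becoming a per-user "virtual interface" policy) as an added, self-contained Python simulation. This is example code written for this page, not Cisco's code or anything from the original text: the user database, the gateway/ACS shared secret, the assigned address and the filter name are constructed values, and the in-process `acs_handle` call stands in for the UDP exchange a real gateway and ACS would have. The message formats follow CHAP (RFC 1994) and RADIUS (RFC 2865).

```python
import hashlib
import hmac
import os
import struct

# Constructed sample data: one user profile held on the customer's ACS (AAA
# server) and the secret shared by home gateway and ACS. Not real values.
ACS_USER_DB = {"jdoe": {"password": "s3cret-pw", "framed_ip": "10.1.2.3",
                        "filter_id": "telecommuter-acl"}}
RADIUS_SHARED_SECRET = b"gw-acs-shared-secret"

# RADIUS packet codes and attribute types (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_CHAP_PASSWORD, ATTR_FRAMED_IP = 1, 3, 8
ATTR_FILTER_ID, ATTR_CHAP_CHALLENGE = 11, 60

def chap_response(chap_id, secret, challenge):
    """PPP CHAP with MD5 (RFC 1994): MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret.encode() + challenge).digest()

def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs: type, total length, value."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("RADIUS attribute value too long")
        out += bytes([attr_type, len(value) + 2]) + value
    return out

def decode_attrs(data):
    """Parse RADIUS TLVs, rejecting lengths that would run past the packet."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def parse_packet(pkt):
    if len(pkt) < 20:
        raise ValueError("RADIUS packet too short")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("RADIUS length field does not match packet")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])

def response_authenticator(code, ident, length, request_auth, body):
    """RFC 2865: MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, length) + request_auth
                       + body + RADIUS_SHARED_SECRET).digest()

def acs_handle(request):
    """ACS (AAA server): check the CHAP proof against the stored profile and
    answer with Access-Accept carrying the user's authorization attributes."""
    code, ident, request_auth, attrs = parse_packet(request)
    a = dict(attrs)
    profile = ACS_USER_DB.get(a.get(ATTR_USER_NAME, b"").decode(errors="replace"))
    chap_pw = a.get(ATTR_CHAP_PASSWORD, b"")       # 1-byte CHAP ident + 16-byte MD5
    challenge = a.get(ATTR_CHAP_CHALLENGE) or request_auth   # RFC 2865 fallback
    ok = (code == ACCESS_REQUEST and profile is not None and len(chap_pw) == 17
          and hmac.compare_digest(
              chap_response(chap_pw[0], profile["password"], challenge), chap_pw[1:]))
    if ok:
        rcode, rattrs = ACCESS_ACCEPT, [
            (ATTR_FRAMED_IP, bytes(int(o) for o in profile["framed_ip"].split("."))),
            (ATTR_FILTER_ID, profile["filter_id"].encode())]
    else:
        rcode, rattrs = ACCESS_REJECT, []
    body = encode_attrs(rattrs)
    auth = response_authenticator(rcode, ident, 20 + len(body), request_auth, body)
    return struct.pack("!BBH", rcode, ident, 20 + len(body)) + auth + body

def ppp_client(password):
    """The remote user's PPP stack: answers a CHAP challenge with its password."""
    return lambda chap_id, challenge: chap_response(chap_id, password, challenge)

def home_gateway_login(username, client_respond, ident=7, rng=os.urandom):
    """Home gateway (NAS): challenge the PPP peer (step 4), forward the proof to
    the ACS in a RADIUS Access-Request, and apply the returned policy (step 5)."""
    chap_id, challenge = 0x2A, rng(16)
    proof = client_respond(chap_id, challenge)          # computed by the client
    request_auth = rng(16)                              # fresh per request
    body = encode_attrs([(ATTR_USER_NAME, username.encode()),
                         (ATTR_CHAP_PASSWORD, bytes([chap_id]) + proof),
                         (ATTR_CHAP_CHALLENGE, challenge)])
    request = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body
    reply = acs_handle(request)                         # in reality sent over UDP
    code, rid, rauth, attrs = parse_packet(reply)
    expected = response_authenticator(code, rid, len(reply), request_auth, reply[20:])
    if rid != ident or not hmac.compare_digest(rauth, expected):
        return {"accepted": False, "reason": "reply not from the ACS (bad authenticator)"}
    if code != ACCESS_ACCEPT:
        return {"accepted": False, "reason": "rejected by ACS"}
    policy = {}                                         # becomes the virtual interface
    for attr_type, value in attrs:
        if attr_type == ATTR_FRAMED_IP:
            policy["framed_ip"] = ".".join(str(b) for b in value)
        elif attr_type == ATTR_FILTER_ID:
            policy["filter_id"] = value.decode()
    return {"accepted": True, "virtual_interface": policy}

if __name__ == "__main__":
    print(home_gateway_login("jdoe", ppp_client("s3cret-pw")))
    print(home_gateway_login("jdoe", ppp_client("wrong-pw")))
```

The point to notice is the split of responsibility the text describes: the password never reaches the gateway, only a challenge/response proof does; the ACS, which the customer controls, is the only party that holds the credential and the profile; and the gateway accepts the policy only after checking the Response Authenticator, which is what ties the Access-Accept to the ACS holding the shared secret. That MD5-based authenticator is the whole integrity protection classic RADIUS over UDP offers, which is why current deployments carry RADIUS over TLS (RFC 6614) or IPsec between gateway and ACS rather than relying on it alone.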