Simply put, IPSEC is a protocol, or rather a framework; the IPSEC scheme means realizing remote access on top of this security protocol.
Advantages: IPSEC has been in use for a long time, and the technology and the corresponding equipment are relatively mature. At the same time, by combining symmetric and asymmetric keys with digest algorithms, and by providing identity authentication, encryption and integrity checking, it guarantees security to a great extent.
Disadvantages: because IPSEC has to build an encrypted virtual tunnel across the Internet, network quality and stability are outside the enterprise's control. At the same time, because the traffic crosses the Internet, there is a risk of it being intercepted by a bypass (passive tap) device.
Scheme 2: SDH dedicated line
SDH (Synchronous Digital Hierarchy) dedicated line, also called digital dedicated line, is currently one of the main enterprise-networking products offered by the major operators.
SDH is basically equivalent to connecting two branches directly with optical fiber (of course, in practice the intermediate links are mostly provided by the operator and are sometimes multiplexed). The schematic diagram is as follows:
Advantages: stable network quality, simple deployment, mature technology, low maintenance cost and high security.
Disadvantages: if the central point has a problem, traffic between branches is affected; to add redundancy, dedicated lines can be deployed between branches, but this inevitably increases costs.
Scheme 3: MPLS
Technical principle: MPLS adopts the switching idea of VPI (Virtual Path Identifier) / VCI (Virtual Channel Identifier) from ATM (Asynchronous Transfer Mode) and combines the advantages of IP routing with those of Layer 2 switching. An IP network is inherently connectionless, but in an MPLS network routing information is collected through routing protocols such as IGP (Interior Gateway Protocol) and BGP (Border Gateway Protocol) to build the routing table, and labels are then assigned to specific routing entries. This adds a connection-oriented property, provides a degree of QoS guarantee, and meets the QoS requirements of different types of service.
Architecture composition: A typical MPLS network includes the following three types of network elements.
(1) PE: the service provider's edge router, directly connected to the user's CE equipment. The PE is responsible for managing users, establishing LSP connections, and creating and managing VRFs (Virtual Routing and Forwarding instances).
(2) P: a backbone router inside the service provider's network, not directly connected to any CE. It only needs MPLS label forwarding capability: it forwards packets according to the outer label and takes no part in adding or removing users or in creating and maintaining VRF entries.
(3) CE: the edge equipment of the user's network, directly connected to the service provider's PE equipment and responsible for advertising local routes to the PE. The CE does not need to support MPLS and is unaware of its existence.
As can be seen from the figure, in the MPLS scheme the branches are not directly connected to each other and there is no central branch node; instead, every branch connects to a nearby POP node, which opens the link into the MPLS backbone network.
Advantages:
Branch nodes connect to a nearby POP, saving local private-line fees and avoiding sources of instability such as cross-region and cross-operator links;
Address isolation and route isolation resist hacker attacks and label spoofing;
Equipment access is relatively convenient: customers only need to connect their CE equipment to the operator's network-edge equipment.
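To make the PE/P/CE roles and the address and route isolation above concrete, here is an added example (not code from the article) that models MPLS VPN label forwarding in Python: two customers using the same private prefix are kept apart by per-customer VRFs and inner VPN labels, while the P router switches on the outer label alone and never looks at the IP header. All router names, labels and addresses are constructed assumptions.

```python
import ipaddress

# Constructed topology (not from the article): customers A and B both attach
# to PE1 and PE2, one P router sits between the PEs, and both customers use
# the overlapping prefix 10.0.0.0/24, so only the per-customer VRF separates them.
LSP_TO_PE2 = 1001                          # outer (transport) label PE1 pushes toward PE2
P_LABEL_TABLE = {1001: ("pop", "PE2")}     # P acts on outer labels only (penultimate-hop pop)

# PE1 keeps one VRF per attached CE: prefix -> (egress PE, inner VPN label).
PE1_VRFS = {
    "cust-A": {ipaddress.ip_network("10.0.0.0/24"): ("PE2", 100)},
    "cust-B": {ipaddress.ip_network("10.0.0.0/24"): ("PE2", 200)},
}
# PE2 maps each inner VPN label back to the VRF and CE interface it belongs to.
PE2_LABEL_TO_VRF = {100: ("cust-A", "CE-A2"), 200: ("cust-B", "CE-B2")}


def ingress_pe(vrf, dst_ip, payload):
    """PE1: look up the destination only in the incoming CE's VRF, then push
    the label stack [outer LSP label, inner VPN label]."""
    addr = ipaddress.ip_address(dst_ip)
    for prefix, (_egress, vpn_label) in PE1_VRFS[vrf].items():
        if addr in prefix:
            return {"labels": [LSP_TO_PE2, vpn_label], "dst": dst_ip, "payload": payload}
    raise LookupError(f"{dst_ip} is not reachable inside VRF {vrf}")


def p_forward(pkt):
    """P router: switch on the top label only; the IP header is never inspected."""
    action, next_hop = P_LABEL_TABLE[pkt["labels"][0]]
    if action == "pop":
        pkt = {**pkt, "labels": pkt["labels"][1:]}
    return next_hop, pkt


def egress_pe(pkt):
    """PE2: pop the inner label and deliver into the matching VRF / CE."""
    vrf, ce = PE2_LABEL_TO_VRF[pkt["labels"][0]]
    return vrf, ce, pkt["payload"]


def send(vrf, dst_ip, payload):
    """Carry one packet from a CE behind PE1 across P to the CE behind PE2."""
    pkt = ingress_pe(vrf, dst_ip, payload)
    next_hop, pkt = p_forward(pkt)
    if next_hop != "PE2":
        raise RuntimeError("unexpected next hop " + next_hop)
    return egress_pe(pkt)
```

Note that a destination outside a customer's VRF raises `LookupError` at the ingress PE: the other customer's identical prefix is simply invisible, which is the route isolation the article credits to MPLS.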