This section describes the Internet as an alternative option for a failed WAN connection. This type of connection is considered best-effort and does not guarantee any bandwidth. Common methods for connecting noncontiguous private networks over a public IP network include the following:

■ IP routing without constraints

■ GRE tunnels

■ IPsec tunnels

The following sections describe these methods.

IP Routing Without Constraints

When relying on the Internet to provide a backup for branch offices, a company must fully cooperate with the ISP and announce its networks. The backup network—the Internet—therefore becomes aware of the company’s data, because it is sent unencrypted.

Layer 3 Tunneling with GRE and IPsec

Layer 3 tunneling uses a Layer 3 protocol to transport over another Layer 3 network. Typically, Layer 3 tunneling is used either to connect two noncontiguous parts of a non-IP network over an IP network or to connect two IP networks over a backbone IP network, possibly hiding the IP addressing details of the two networks from the backbone IP network. Following are the two Layer 3 tunneling methods for connecting noncontiguous private networks over a public IP network:

■ GRE: A protocol developed by Cisco that encapsulates a wide variety of packet types inside IP tunnels. GRE is designed for generic tunneling of protocols. In the Cisco IOS, GRE tunnels IP over IP, which can be useful when building a small-scale IP VPN network that does not require substantial security.

GRE enables simple and flexible deployment of basic IP VPNs. Deployment is easy; however, tunnel provisioning is not very scalable in a full-mesh network because every point-to-point association must be defined separately. The packet payload is not protected against sniffing and unauthorized changes (no encryption is used), and no sender authentication occurs. Using GRE tunnels as a mechanism for backup links has several drawbacks, including administrative overhead, scaling to large numbers of tunnels, and processing overhead of the GRE encapsulation.

■ IPsec: IPsec is both a tunnel encapsulation protocol and a security protocol. IPsec provides security for the transmission of sensitive information over unprotected networks (such as the Internet) by encrypting the tunnel’s data. IPsec acts as the network layer in tunneling or transport mode and protects and authenticates IP packets between participating IPsec devices. Following are some features of IPsec: - Data confidentiality: An IPsec sender can encrypt packets before transmitting them across a network. - Data integrity: An IPsec receiver can authenticate packets sent by an IPsec sender to ensure that the data has not been altered during transmission. - Data origin authentication: An IPsec receiver can authenticate the source of the sent IPsec packets. This service depends on the data integrity service. - Anti-replay: An IPsec receiver can detect and reject replay by rejecting old or duplicate packets. - Easy deployment: IPsec can be deployed with no change to the intermediate systems (the ISP backbone) and no change to existing applications (it is transparent to applications). - Internet Key Exchange (IKE): IPsec uses IKE for automated key management. - Public Key Infrastructure (PKI): IPsec is interoperable with PKI.