
Technical Paper

Tunnel Switching

3Com Technology Boosts VPN Security and Flexibility

Contents
What Is Tunnel Switching?
An Important Part of Enterprise VPN Strategies
A Flexible Means of Supporting Current and Future VPNs
Benefits of Tunnel Switching
Improved VPN Security
How Does Tunnel Switching Work? (box)
Flexible VPN Management and Easier Administration
Increased VPN Performance, Capacity, and Scalability
Adding a Tunnel Switch to Your Network
Evolving Your VPNs with New Standards
From Point-to-Point Tunneling Protocol to Layer 2 Tunneling Protocol
The Impact of IPSec
3Com Tunnel Switching Solutions
Conclusion

Virtual private networks (VPNs) are becoming an increasingly popular means for organizations to provide wide area connectivity to remote users and, in some cases, to branch offices and business partners. These private connections over shared public networks, such as the Internet, offer substantial cost savings compared with dedicated point-to-point connections like 800 numbers or leased lines.

Tunnel switching is an innovative technology that increases VPN security and flexibility by making it possible to extend tunnels inside firewalls and terminate them at any location. Tunnel switching also improves manageability by shielding remote tunnel users from changes in the internal network, boosts VPN performance by reducing tunnel set up and tear down overhead, and increases scalability by allowing multiple tunneling components to be cascaded as VPN demand grows.

This paper explains tunnel switching and its role in enterprise VPN strategies. It describes how tunnel switches work and the benefits of various tunnel switch deployment options. It also discusses how tunnel switches can simultaneously support multiple protocols (PPTP, L2TP, IPSec) and enable smooth transitions between them.

Acronyms and Abbreviations

ASIC: application-specific integrated circuit
BITW: bump in the wire
DMZ: demilitarized zone
FTP: File Transfer Protocol
ICSA: International Computer Security Association
IETF: Internet Engineering Task Force
IP: Internet Protocol
IPSec: Internet Protocol Security
IPX: Internetwork Packet Exchange
L2F: Layer 2 Forwarding
L2TP: Layer 2 Tunneling Protocol
LAN: local area network
LDAP: Lightweight Directory Access Protocol
MPPE: Microsoft Point-to-Point Encryption
NAT: Network Address Translation
PPP: Point-to-Point Protocol
PPTP: Point-to-Point Tunneling Protocol
QoS: Quality of Service
RADIUS: Remote Authentication Dial-In User Service
SNA: Systems Network Architecture
TI: tunnel initiator
TS: tunnel switch
TT: tunnel terminator
VLAN: virtual local area network
VPN: virtual private network
WAN: wide area network
xDSL: digital subscriber line

What Is Tunnel Switching?

Tunnel switching is a 3Com technology that increases the security, manageability, performance, and scalability of virtual private networks (VPNs). It provides these benefits by allowing organizations to bring multiple VPNs into the network through a single edge device, efficiently aggregate them for internal delivery, and flexibly locate their end points anywhere in the enterprise.

A VPN is a secure connection that offers the privacy and management controls of a dedicated point-to-point link but actually occurs over a shared, routed network. VPNs are enabling enterprises to use the Internet and other public networks as their own private wide area network (WAN), connecting remote users, and in some cases branch offices, with enterprise resources at a fraction of the cost of 800 number dial-in, leased lines, or Frame Relay.

VPNs are created using encryption, authentication, and tunneling—a method by which data packets in one protocol are encapsulated in another protocol. Tunneling enables traffic from multiple enterprises to travel across the same network unaware of each other, as if enclosed in their own private pipes (something like pulling serial cables across a WAN cloud). It can also enable packets to travel across incompatible networks (for example, IPX or SNA packets across an IP network). At the destination point (tunnel termination), packets are unwrapped, returning them to their underlying protocol format.

While tunnels are generally terminated at the enterprise network edge, tunnel switching allows them to be extended safely across firewalls to specific tunnel termination points within local area network (LAN) administrative domains. In this way, all tunneled traffic can be addressed to the tunnel switch, with its single publicly known address, while actually being terminated at any number of internal destinations, whose addresses and security measures are hidden from the Internet.

An Important Part of Enterprise VPN Strategies

Tunnel switching increases security by moving primary security controls inside the network and adding a second layer of security at the edge. Instead of terminating the tunnel outside the firewall or in a “demilitarized zone” (DMZ) between two firewalls, then transmitting packets over an unsecured link to an internal server, enterprises can maintain packets in their secure tunnels through the firewall to the other side. This approach allows multiple protocols and applications to be supported while opening only a “pinhole” in the firewall for the tunneling protocol.

In addition, while the tunnel switch performs preliminary authentication on incoming tunnels, it need not be aware of encryption keys, digital signatures, and other security measures employed by tunnel terminators. As a result, the amount of security information stored at the network edge, requiring protection against potential threats from the Internet, is minimized. Nor does the tunnel switch participate in the Point-to-Point Protocol (PPP) sessions between the source and ultimate destination host; in the event that the tunnel switch is compromised, the PPP session is not.

Organizations can determine the level of security that will be applied to various types of tunneled traffic. Tunnel switches can direct employee traffic, for example, to one tunnel terminator, while traffic from consultants and suppliers is directed to another terminator that enforces stricter security. Government organizations and universities often use tunnel switching to allow internal agencies or departments to implement their own security policies, while still providing a single address for tunnels coming in from the outside world.

Other advantages of tunnel switching include improved VPN manageability. Enterprises can change the location of tunnel terminators, addressing schemes, or indeed the entire network topology behind the firewall without having to notify all tunnel initiators (which could comprise tens of thousands of remote users). Tunnel switching also facilitates VPN access to legacy applications and allows VPN users to be members of virtual local area networks (VLANs), simplifying user moves and changes.

Tunnel switching improves VPN performance, since aggregating PPP sessions within a single tunnel dramatically reduces overhead for tunnel set up, tear down, and state maintenance. As demand for VPN services grows and users opt for high-bandwidth connections (such as cable modems and xDSL), tunnel switching enables enterprises to smoothly scale their VPN infrastructure by adding multiple tunnel terminators or even cascading multiple tunnel switches and terminators. These changes to the network are transparent to users, who continue to address tunnels to the single publicly known IP address, that of the tunnel switch.

A Flexible Means of Supporting Current and Future VPNs

A tunnel switch can be “dropped into” most existing VPN architectures without changing network topology. Tunnel switches can handle tunneled legacy network protocols (IPX, SNA, DECnet, VINES, NetBEUI, etc.) and interoperate with existing network infrastructure (address provisioning, authentication, authorization, accounting).

Tunnel switches support both the Point-to-Point Tunneling Protocol (PPTP), a de facto standard, and the Layer 2 Tunneling Protocol (L2TP), a new industry standard. Enterprises thus gain the flexibility to offer VPN services to users who have a variety of client machines, or to gradually transition all users to a single protocol.

Moreover, tunnel switches, which serve a dual purpose as routers, also support Internet Protocol Security (IPSec) scenarios, including both transport mode and tunnel mode. IPSec transport mode is clearly going to become the dominant method of securing VPNs, including those that use PPTP and L2TP for tunneling. IPSec tunnel mode (sometimes called “Layer 3 tunneling”) will provide an alternative to L2TP, which will be attractive to IP-only networks but will coexist with L2TP for as long as most networks remain heterogeneous. Tunnel switches can be used in any of these situations. In fact, the same device could potentially switch both PPTP and L2TP tunnels while routing IPSec tunnels to IPSec security gateways inside the enterprise. For more information about tunneling standards and smooth transitions between them, see “Evolving Your VPNs with New Standards.”

Benefits of Tunnel Switching

VPNs with tunnel switches are more secure, easier to manage, and better equipped to handle rising traffic levels than nonswitched VPNs. The ability to terminate tunnels at multiple points behind the firewall offers both technical and business advantages.

Improved VPN Security

Tunnel switching improves security by providing a double line of security and reducing the exposure of IP addresses, passwords, encryption keys, digital certificates, and other security information at the network edge. In Figure 2, the tunnel switch acts as a “main gate sentry post” that performs initial screening of visitors. Those it allows to reach the tunnel terminator, the “internal gate,” are subject to more stringent security measures that control exactly which network resources they can access.

Figure 2. Creating a Double Line of Security
[Diagram labels: TS, external sentry (user name and password); firewall; TT on the enterprise network, internal gate (user name and password, encryption keys, digital certificates, digital signatures, etc.).]

Tunnel switches also increase security by allowing enterprises to differentiate and direct VPN traffic to specific end points. In Figure 3, tunnels from employees and external users are directed to separate tunnel terminators, which apply appropriate security measures to provide access to appropriate resources.

Figure 3. Applying Different Levels of Security to Tunneled Traffic
[Diagram labels: TS, external sentry (user name and password); firewall; TT for employees, SAP applications access, security = digital certificate; TT for customers and business partners, FTP services, security = password; enterprise network.]

Tunnel switching enables enterprises to allow only clients with acceptable IP addresses to access particular LAN administrative domains. For example, in Figure 4, the Finance Department restricts access to only users with an IP address in the Finance subnet. Tunnel switches facilitate this process because tunnel terminators provide the required IP address directly to the PPP client. If a router were used instead of a true tunnel switch, the router would either have to build a tunnel to request the address, then proxy it back to the client, or perform address translation (in addition to encoding/decoding, encryption/decryption) for every packet.

Figure 4. Restricting Access to LAN Administrative Domains
[Diagram labels: TIs on the Internet; firewall; TS in the DMZ; firewall; TT on the Finance subnet 193.127.64.0. Access denied to user with source address 193.127.81.51; access granted to user with source address 193.127.64.24.]

Organizations that comprise departments or agencies operating with considerable autonomy can use tunnel switches to allow these entities to control their own security policies while still enjoying the economies of scale that come from a single VPN connection to the Internet. In Figure 5, all VPNs into a state government come in over the same tunnel switch, which forwards them to agency-managed tunnel terminators. In this way, the attorney general’s office could enforce much stronger security measures than, for example, a registry of public records.

Figure 5. Combining Local Control with Economies of Scale
[Diagram labels: TS, state government, shared interface to the Internet; firewall; three TTs (Registry of Public Records, Department of Education, Attorney General’s Office), each controlling its own security policies.]

How Does Tunnel Switching Work?

Tunnel switches are true multiprotocol switches. Just as Ethernet switches can accept multiple LAN input streams and aggregate them into a single outgoing LAN connection, tunnel switches can accept multiple tunnels and aggregate them into a single outgoing tunnel. And while tunnel switches facilitate connections and forward traffic, they do not participate in the point-to-point conversation between source and destination hosts.

Figure 1 shows what happens in a tunnel-switched VPN. Two points are worthy of special note:

• Throughout this process, only pinholes are opened up through the firewall: one for the tunneling protocol and another for the initial Remote Authentication Dial-In User Service (RADIUS) inquiry.
• The tunnel switch extends the original tunnel to the tunnel terminator (TT) by switching the destination address. To do this, the tunnel switch only partially unwraps the PPP packet it received from the tunnel initiator (TI) before forwarding it on to the terminator. In contrast, some vendors that claim tunnel switching are actually performing routing. Routers must first terminate the tunnel, fully processing its contents, then initiate a new tunnel to the terminator. This adds latency and exposes security information at the network edge. Also, if the router cannot aggregate outgoing tunnels, there is additional overhead for setting up multiple individual tunnels.

Figure 1. True Tunnel Switching Extends the Original Tunnel to a New Destination
[Diagram labels: TIs on the Internet, PPP sessions inside individual tunnels; router; firewall; TS in the DMZ; PPP sessions aggregated inside single tunnel; router; firewall; AAA and TT on the enterprise network.]

It’s helpful to think about the tunnel switching process as occurring in three stages:

Stage 1. The tunnel switch receives the tunnel and performs the initial setup of a PPP connection with the TI:
a. The initiator builds a tunnel to the tunnel switch (TS). In most cases, the initiator will be the PPP client. (In some cases, the tunnel will be initiated by an access concentrator on a service provider’s network after receiving PPP packets from the client.)
b. The tunnel switch performs the initial authentication phase of PPP session setup. Normally it will query an external authentication mechanism such as a RADIUS server, but the tunnel switch can also consult its own local database. The tunnel switch receives back a validation of the user’s name and password. It also receives a list of user attributes, which it ignores except for the tunnel type and tunnel terminator’s address.

Stage 2. The tunnel switch combines the two tunnels and forwards messages between the two end points:
a. The tunnel switch builds an outgoing tunnel to that terminator or, if a tunnel to that destination already exists, it multiplexes the new traffic onto it.
b. The tunnel switch sends a PPP reset message back to the tunnel initiator.

Stage 3. The tunnel terminator reauthenticates the user and completes setup of the PPP session:
a. The tunnel initiator resubmits the user name and password.
b. The tunnel switch, which no longer looks at the contents of the packets, forwards them to the tunnel terminator.
c. The tunnel terminator authenticates the user again. It may query the same RADIUS server consulted previously by the tunnel switch, a different RADIUS server, its own local database, or a Lightweight Directory Access Protocol (LDAP) directory. The terminator receives back a validation of the user’s name and password along with the list of user attributes, which it processes. Attributes may include domain name, IP address, and policy-based authorization information that controls which network resources the user may access.
d. The tunnel terminator completes the end-to-end PPP connection with the client and provides appropriate network access.

Flexible VPN Management and Easier Administration

Tunnel switching allows enterprises to employ their choice of addressing schemes. Because the tunnel switch provides a single publicly known address for all incoming traffic, tunnel terminators, as shown in Figure 6, do not have to be assigned globally unique addresses. And the enterprise is free to change addresses or even the entire topology of the network without regard to their effect on VPNs. Because the tunnel switch intervenes between remote clients and the rest of the network, enterprises can add, move, or remove tunnel terminators at will, without having to notify users.

Figure 6. Making Internal Network Changes Without Impact on Remote Users
[Diagram labels: TIs; single, publicly known destination address remains unchanged; TS in the DMZ; firewalls; existing tunnel terminator replaced with two new ones; enterprise can change address, topology, terminators as needed without notifying users; changes are transparent to tunnel initiators.]

Enterprises that employ tunnel switching can more easily provide remote access to legacy application protocols not usually available in the DMZ. In Figure 7, mobile employees are able to work with SNA applications over VPNs without the enterprise having to put an SNA interface on the publicly exposed portion of the network. Based on the user name, tunnel switches can direct VPN users to a tunnel terminator that supports the protocols they need to access.

Figure 7. Providing VPN Users with Access to Legacy Protocols
[Diagram labels: SNA, IPX, and IP tunnels arrive at the TS; tunnel switch can receive any number of tunneled network protocols; firewall; separate TTs on the enterprise network: terminator for SNA traffic, terminator for IPX traffic, terminator for IP traffic.]

Tunnel switching enables enterprises to assign VPN users to any VLAN, increasing network efficiency by directing traffic only to where it needs to go and simplifying user moves and changes. Assignment to VLANs is usually based on the hub port a user is plugged into. As Figure 8 shows, by forwarding VPN tunnels to specific tunnel terminators, users can be virtually “plugged into” various network segments. Without a tunnel switch, all VPN users would be plugged into the same tunnel terminator, and thus have to be members of the same VLAN.

Figure 8. Plugging VPN Users into VLANs
[Diagram labels: TIs on the Internet; TS in the DMZ; firewalls; two TTs. Jordan is member of VLAN X and is virtually plugged in at one TT; Tom is member of VLAN Y and is virtually plugged in at the other.]

Tunnel switches enable a single VPN infrastructure to support multiple tunneling protocols and allow orderly transitions between protocols. By adding a tunnel switch to the network, as shown in Figure 9, enterprises can avoid “forklift upgrades” to the new L2TP protocol, supporting users with PPTP and users with L2TP simultaneously while executing a phased migration.

Figure 9. Supporting Multiple Protocols and Transitioning Between Them
[Diagram labels: TIs on the Internet; current users stay with PPTP; new users start with L2TP; TS in the DMZ, tunnel switch supports both protocols and can switch between them; firewalls; TTs, upgrade terminators from PPTP to L2TP.]

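The three-stage process from the "How Does Tunnel Switching Work?" box, together with the direction of different users to different tunnel terminators, modeled as an added Python example (not 3Com code). All class and function names, user records and addresses are constructed for illustration; the RADIUS attribute names are an assumed mapping for the paper's "tunnel type" and "tunnel terminator's address", and passwords are compared directly rather than through a real PPP authentication exchange.

```python
import hmac
from dataclasses import dataclass, field

# Constructed sample data: what the switch's RADIUS server (or local database)
# returns. Attribute names borrow RFC 2868 spellings as an assumption.
EDGE_AAA = {
    "alice": ("pw-alice", {"Tunnel-Type": "L2TP",
                           "Tunnel-Server-Endpoint": "10.0.1.10",
                           "Framed-IP-Address": "10.0.64.24"}),
    "bob": ("pw-bob", {"Tunnel-Type": "L2TP",
                       "Tunnel-Server-Endpoint": "10.0.1.10",
                       "Framed-IP-Address": "10.0.64.25"}),
    "carol": ("pw-carol", {"Tunnel-Type": "PPTP",
                           "Tunnel-Server-Endpoint": "10.0.2.10",
                           "Framed-IP-Address": "10.0.80.7"}),
    "mallory": ("pw-mallory", {"Tunnel-Type": "L2TP",
                               "Tunnel-Server-Endpoint": "10.0.1.10",
                               "Framed-IP-Address": "10.0.64.99"}),
}


def password_ok(record, password):
    """Constant-time check of a (password, attributes) record; None fails."""
    return record is not None and hmac.compare_digest(record[0], password)


@dataclass
class TunnelTerminator:
    """Internal gate: owns the real credentials and the authorization policy."""
    address: str
    users: dict                     # user -> (password, attributes it processes)
    sessions: dict = field(default_factory=dict)

    def reauthenticate(self, session_id, user, password):
        record = self.users.get(user)
        if not password_ok(record, password):
            return None             # stage 3c failed: no PPP session is completed
        self.sessions[session_id] = {"user": user, **record[1]}
        return self.sessions[session_id]    # stage 3d: access per these attributes


@dataclass
class TunnelSwitch:
    """External sentry: screens users, then forwards without reading payloads."""
    aaa: dict
    terminators: dict               # terminator address -> TunnelTerminator
    outgoing: dict = field(default_factory=dict)   # (type, address) -> session ids
    routes: dict = field(default_factory=dict)     # session id -> (type, address)

    def stage1(self, user, password):
        record = self.aaa.get(user)
        if not password_ok(record, password):
            return None
        attrs = record[1]
        # Every attribute except these two is ignored and never stored.
        return attrs["Tunnel-Type"], attrs["Tunnel-Server-Endpoint"]

    def stage2(self, session_id, route):
        # Build the outgoing tunnel once; later sessions are multiplexed onto it.
        self.outgoing.setdefault(route, []).append(session_id)
        self.routes[session_id] = route
        return "PPP reset"          # tells the initiator to resubmit credentials

    def stage3(self, session_id, user, password):
        # The resubmitted credentials are relayed as-is to the terminator.
        terminator = self.terminators[self.routes[session_id][1]]
        granted = terminator.reauthenticate(session_id, user, password)
        if granted is None:
            route = self.routes.pop(session_id)
            self.outgoing[route].remove(session_id)
            if not self.outgoing[route]:
                del self.outgoing[route]    # tear down a tunnel left empty
        return granted

    def forward(self, session_id, frame: bytes):
        # Stage 3b: only the destination is switched; the frame is not parsed.
        return self.routes[session_id][1], frame


def connect(switch, session_id, user, password):
    """Run the three stages for one tunnel initiator; return granted attributes."""
    route = switch.stage1(user, password)
    if route is None:
        return None                 # stopped at the external sentry
    switch.stage2(session_id, route)
    return switch.stage3(session_id, user, password)


def build_demo():
    """Two terminators with their own user stores (constructed values)."""
    employees = TunnelTerminator("10.0.1.10", {
        "alice": ("pw-alice", {"ip": "10.0.64.24", "resources": ["sap"]}),
        "bob": ("pw-bob", {"ip": "10.0.64.25", "resources": ["sap"]}),
    })  # mallory passes the edge check but is unknown at this internal gate
    partners = TunnelTerminator("10.0.2.10", {
        "carol": ("pw-carol", {"ip": "10.0.80.7", "resources": ["ftp"]}),
    })
    return TunnelSwitch(EDGE_AAA, {t.address: t for t in (employees, partners)})
```

In this model the switch's state holds only a tunnel type and a terminator address per session, so a user who passes the external sentry but fails at the internal gate ends up with no session and no stored policy at the edge.
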
Increased VPN Performance, Capacity, and Scalability

Tunnel switching improves VPN performance. By forwarding rather than processing tunneled packets, switches minimize latency. Aggregating PPP sessions into a single tunnel has two benefits: It minimizes connection overhead, and it also increases capacity, since multiple sessions use the virtual port allocated to that tunnel, leaving more ports available for other VPN users.

Tunnel switching, as shown in Figure 10, enables enterprises to smoothly scale their VPN infrastructure by transparently adding any number of tunnel termination devices at the network edge or inside internal LAN subdomains. The tunnel switch automatically forwards tunneled traffic to tunnel terminators. (In the future, tunnel switching will also support automatic VPN load balancing and failover.) To add even more capacity as well as control over tunnel termination points, enterprises can cascade tunnel switches and terminators.

Figure 10. Scaling to Meet Growing VPN Demand
[Diagram panels: (A) a single TT is the single interface to the Internet and ends all VPN tunnels. (B) Tunnel switch replaces terminator as single interface to the Internet, diverts traffic to tunnel terminators. (C) Switch continues to provide single interface to the Internet, but offloads tunnel termination to cascade of secondary switches and terminators.]

Adding a Tunnel Switch to Your Network

Tunnel switches can easily be added to existing VPN infrastructures, interoperating with tunnel initiators and terminators from any leading vendor.

Generally, tunnel switches are deployed outside a single firewall or between two firewalls in a DMZ. No topology changes are required. Tunnel initiators need only be told to address tunnels to the tunnel switch instead of to the tunnel terminator. (From the terminator’s point of view, the tunnel switch looks like any other tunnel initiator—although a very busy one.)

Where no firewall is currently in place, a tunnel switch can be introduced as a “bump in the wire” (BITW) between the edge router and tunnel terminator. Companies can introduce tunnel switching now and increase their security infrastructure later—transitioning, for example, from a single firewall to a double firewall architecture—without having to notify or reconfigure tunnel initiators.

Evolving Your VPNs with New Standards

Tunneling standards are evolving rapidly. As VPNs become widely used not only for remote access, but for a growing range of Internet-based applications, standards will continue to change. Enterprises need to select VPN architectures and components that support multiple standards simultaneously and facilitate smooth migrations.

From Point-to-Point Tunneling Protocol to Layer 2 Tunneling Protocol

PPTP is widely used in existing VPNs. This de facto standard, which was developed by 3Com, Microsoft, and Ascend Communications, is an extension of PPP. Support for PPTP is currently bundled into Microsoft Windows 95/98 and Windows NT.

PPTP is gradually being displaced by L2TP. An industry standard sanctioned by the Internet Engineering Task Force (IETF), it is a combination of the best features of PPTP and the Layer 2 Forwarding (L2F) protocol developed by Cisco Systems. Support for L2TP will be bundled into Windows 2000 and perhaps into upcoming releases of Windows NT. Because tunnel switches support both PPTP and L2TP, organizations can make the transition gradually.

Both of these protocols are for “Layer 2 tunneling,” a technology that encapsulates PPP (a Layer 2 protocol) inside the PPTP or L2TP tunneling header, which is then encapsulated by an IP header for transport across the network. Anything that can be encapsulated within PPP—higher-level protocols such as IPX, VINES, DECnet, SNA, NetBEUI, even an inner IP packet—can be transported inside a Layer 2 tunnel. As a result, Layer 2 tunneling enables multiprotocol VPNs.

The Impact of IPSec

IPSec transport mode will become the dominant means of securing VPN tunnels. IPSec, a set of IETF protocols, provides standard ways of authenticating VPN users, encrypting and decrypting tunnel contents, and exchanging and managing encryption keys. 3Com tunneling devices, including tunnel switches and terminators, fully support IPSec.

In IPSec transport mode, IPSec is used to secure IP frames transmitted between two hosts, one of which can be a Layer 3 tunnel switch or tunnel terminator. When used this way, IPSec authentication and encryption is usually performed on the outer IP packet, eliminating the need for PPP-level security such as Microsoft Point-to-Point Encryption (MPPE). Enterprises moving to IP but still supporting multiple network protocols can take this approach to gain experience with the new standard, gradually replacing PPP-level security protocols with IPSec on some VPN links.

IPSec tunnel mode will emerge as an alternate means of creating VPN tunnels for IP-only networks, coexisting with L2TP for multiprotocol networks. While enterprises with IP-only networks will likely readily adopt IPSec tunnel mode, the majority of organizations will continue to need to support multiple network protocols. For the foreseeable future, the two methods will probably coexist, with L2TP being the most widely used.

IPSec tunnel mode is often called “Layer 3 tunneling” because the payload in this type of tunnel is an IP packet (a Layer 3 protocol) rather than PPP. The IP payload is encapsulated within another IP packet serving as the tunneling protocol. Because IP-based tunnels can be routed, there is no need for tunnel switching. Enterprises can achieve the same benefits by having a router forward tunnels to multiple “secure gateways,” which is the IPSec term for a tunnel terminator. All secure gateways must be equipped to receive and process IPSec.

Because tunnel switches serve a dual function as routers, they can forward IPSec tunnels to secure gateways. At the tunnel end points, existing 3Com tunnel terminators can easily be software-reconfigured to function as IPSec secure gateways. 3Com VPN devices simultaneously support PPTP, L2TP, and both IPSec modes.

3Com Tunnel Switching Solutions

3Com is the inventor of tunnel switching and has applied for a patent on this uniquely valuable technology. 3Com provides tunnel switching capabilities throughout all its product lines that use Enterprise OS software: the entire NETBuilder® family, including SuperStack® NETBuilder models, and OfficeConnect® NETBuilder routers, the PathBuilder™ S500 series, and the new PathBuilder S400 series. For network service providers, the 3Com Total Control® multi-service access platform also supports tunnel switching.

All of these products can perform multiple functions, including routing, tunnel switching, and tunnel termination. Industry-leading features such as ASIC-based wire-speed encryption processing, Network Address Translation (NAT), and ICSA-certified firewalls are built in and ready to come into play as necessary, depending on where and how the device is deployed. Transcend® Secure VPN Manager provides a simple graphical user interface for monitoring tunnels, including session statistics, Quality of Service (QoS) breaches, and potential faults.

Conclusion

VPNs support increasingly mobile workforces and far-flung businesses by providing wide area access to enterprise resources using public networks at a fraction of the cost of private connections. Tunnel switching substantially improves VPN scalability, security, and manageability. Corporations need the benefits of these technologies now—even though VPN protocols are still evolving.

3Com provides multipurpose tunnel switches and other VPN devices that smoothly evolve with tunneling standards. Our solutions allow enterprises to maximize the benefits of VPNs now, with today’s requirements for supporting legacy network and application protocols, while pacing the introduction of the standards that will eventually dominate as networks become purely IP. No matter which type of VPN an enterprise deploys—PPTP, L2TP, IPSec, or a mix of all three—3Com tunnel switches can support them simultaneously, maximizing return on investment. Enterprises that implement 3Com tunnel switches today gain immediate benefits as well as long-term strategic advantages in leveraging the increasingly rich array of public networks and services available for private use.

About 3Com Corporation
With more than 300 million customers worldwide, 3Com Corporation connects more people in more ways to information than any other networking company. 3Com delivers innovative information access products and network system solutions to large, medium, and small enterprises; carriers and network service providers; PC OEMs; and consumers. 3Com. More connected.™

To learn more about 3Com products and services, visit our Web site at www.3com.com. 3Com Corporation is publicly traded on Nasdaq under the symbol COMS.
The information contained in this document represents the current view of 3Com Corporation on the issues discussed as of the date of publication. Because 3Com must respond to changing market conditions, this paper should not be interpreted to be a commitment on the part of 3Com, and 3Com cannot guarantee the accuracy of any information presented after the date of publication. This document is for informational purposes only; 3Com makes no warranties, express or implied, in this document.
© 1999 3Com Corporation. All rights reserved. 3Com, the 3Com logo, NETBuilder, OfficeConnect, SuperStack, Total Control, and Transcend are registered trademarks of 3Com Corporation. More connected. and PathBuilder are trademarks of 3Com Corporation. VINES is a trademark of Banyan Systems. DECnet is a trademark of Digital Computer Corp. Windows and Windows NT are trademarks of Microsoft. IPX is a trademark of Novell. Other brand or product names may be trademarks or registered trademarks of their respective owners.

Printed in U.S.A. on recycled paper 503049-001 10/99
