The Internet Encyclopedia (Volume 3)



584 VIRTUAL PRIVATE NETWORKS: INTERNET PROTOCOL (IP) BASED

[Figure 4 (diagram): CE devices for VPN A and VPN B at two sites connect through Access Networks to PE routers; P routers interconnect the PEs inside the Provider Network(s); the tunnels run end to end between CE devices.]
Figure 4: Generic customer edge (CE)-based VPN.

Figure 5 illustrates the case where the tunnels terminate on the PE. A PE-based VPN is one in which the service provider network maintains state information for each customer VPN such that packets are forwarded between customer sites in an intranet or extranet context using the customer's address space. Often, a hierarchical tunnel is used between PEs, with the outermost tunnel being implemented by a provider (P) router, which provides PE–PE connectivity. (Note that the P and PE functions are logical and that a single router may implement both functions.) These tunnels may be dedicated to separate VPNs or they may be shared between multiple VPNs by the PEs, which use label stacking to isolate traffic between VPNs. These inner tunnels interconnect an L3 virtual forwarding (or L2 switching) instance (VFI/VSI) for each VPN instance in a PE switching router. A PE-based L2 VPN provides an L2 service that switches link-layer packets between customer sites using the customer's link-layer identifiers, for example Ethernet. A PE-based L3 VPN provides an L3 service that routes packets between customer sites using the customer network's address space, for example IP.

The CE-based approach is the simplest from the service provider backbone perspective, but it requires a fair amount of configuration and management of the CE. On the other hand, the network-based approach provides greater control of traffic engineering and performance, but it incurs additional complexity in the backbone network to achieve these benefits. The L3 PPVPN framework document (Callon et al., 2002) further describes these concepts in the context of a reference model that defines layered service relationships between devices and one or more levels of tunnels. The next sections cover some specifics of CE- and PE-based VPNs as they relate to IP intranets and extranets.
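The per-VPN state and label stacking described above can be made concrete with a small simulation. The following Python code is an added illustration, not part of the encyclopedia article or of any vendor's implementation: it models two PE routers, each holding one virtual forwarding instance (VFI) per customer VPN, and forwards packets between them with a two-label stack (inner VPN label, outer PE–PE tunnel label). Both customers deliberately use the same private prefix at the remote site, which is the case the per-VPN tables exist to handle. All addresses, labels, interface names and VPN names are constructed for the example; the outer label is popped at the egress PE here, whereas real P routers would swap it hop by hop.

```python
"""Simulation of PE-based (network-based) L3 VPN forwarding with label stacking.

VPN A and VPN B both use 10.1.0.0/24 behind PE2. Each PE keeps a separate
VFI (per-VPN forwarding table) per customer; between PEs a packet carries
[inner VPN label, outer tunnel label]. The inner label selects the VFI at the
egress PE, so overlapping customer address spaces never collide.
All names, prefixes and labels below are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Packet:
    dst: str                                   # customer-space IPv4 destination
    payload: bytes
    labels: list = field(default_factory=list)  # label stack; top of stack is labels[-1]


class PE:
    def __init__(self, name):
        self.name = name
        self.vfis = {}        # VPN name -> {ip_network: route tuple}
        self.attach = {}      # CE-facing interface -> VPN name
        self.vpn_labels = {}  # inner label advertised by this PE -> VPN name
        self.delivered = []   # (VPN name, CE interface, Packet) handed to a CE

    def attach_ce(self, iface, vpn, prefix, label):
        """Bind a CE-facing interface to a VPN; the site prefix is local in that VFI."""
        self.attach[iface] = vpn
        self.vfis.setdefault(vpn, {})[ipaddress.ip_network(prefix)] = ("local", iface)
        self.vpn_labels[label] = vpn

    def add_remote_route(self, vpn, prefix, remote_pe, vpn_label, outer_label):
        """A remote site of this VPN, reached via a PE-PE tunnel and the remote PE's VPN label."""
        self.vfis.setdefault(vpn, {})[ipaddress.ip_network(prefix)] = (
            "remote", remote_pe, vpn_label, outer_label)

    def _lookup(self, vpn, dst):
        # Longest-prefix match restricted to this VPN's own table.
        addr = ipaddress.ip_address(dst)
        matches = [n for n in self.vfis[vpn] if addr in n]
        if not matches:
            raise LookupError(f"{self.name}/{vpn}: no route to {dst}")
        return self.vfis[vpn][max(matches, key=lambda n: n.prefixlen)]

    def ingress_from_ce(self, iface, pkt):
        """Packet from a CE: the VFI is chosen by the attachment interface, never by address."""
        vpn = self.attach[iface]
        route = self._lookup(vpn, pkt.dst)
        if route[0] == "local":
            self.delivered.append((vpn, route[1], pkt))
            return
        _, remote_pe, vpn_label, outer_label = route
        pkt.labels = [vpn_label, outer_label]  # push inner (VPN) label, then outer (tunnel) label
        remote_pe.ingress_from_tunnel(pkt)

    def ingress_from_tunnel(self, pkt):
        """Packet from the PE-PE tunnel: outer label gone, inner label picks the VFI."""
        pkt.labels.pop()                       # outer label (tunnel) consumed
        vpn = self.vpn_labels[pkt.labels.pop()]  # inner label -> VFI
        route = self._lookup(vpn, pkt.dst)
        assert route[0] == "local"
        self.delivered.append((vpn, route[1], pkt))


def build_network():
    pe1, pe2 = PE("PE1"), PE("PE2")
    # Same 10.1.0.0/24 behind PE2 for both customers; PE2 hands out distinct VPN labels.
    pe2.attach_ce("ge0", "VPN-A", "10.1.0.0/24", label=100)
    pe2.attach_ce("ge1", "VPN-B", "10.1.0.0/24", label=200)
    pe2.attach_ce("ge2", "VPN-B", "192.168.5.0/24", label=201)   # a site only VPN B has
    pe1.attach_ce("ge0", "VPN-A", "10.0.0.0/24", label=101)
    pe1.attach_ce("ge1", "VPN-B", "10.0.0.0/24", label=202)
    # Both VPNs share the same outer tunnel (label 16) to PE2; only the inner label differs.
    pe1.add_remote_route("VPN-A", "10.1.0.0/24", pe2, vpn_label=100, outer_label=16)
    pe1.add_remote_route("VPN-B", "10.1.0.0/24", pe2, vpn_label=200, outer_label=16)
    pe1.add_remote_route("VPN-B", "192.168.5.0/24", pe2, vpn_label=201, outer_label=16)
    return pe1, pe2


def forward_overlapping():
    """Two packets to the same address 10.1.0.7 reach different CEs, by VPN."""
    pe1, pe2 = build_network()
    pe1.ingress_from_ce("ge0", Packet("10.1.0.7", b"from A"))
    pe1.ingress_from_ce("ge1", Packet("10.1.0.7", b"from B"))
    return [(vpn, iface, pkt.payload) for vpn, iface, pkt in pe2.delivered]


def cross_vpn_leak_blocked():
    """VPN A has no route to VPN B's 192.168.5.0/24, so the PE cannot forward into it."""
    pe1, _ = build_network()
    try:
        pe1.ingress_from_ce("ge0", Packet("192.168.5.1", b"leak?"))
    except LookupError:
        return True
    return False


if __name__ == "__main__":
    print(forward_overlapping())
    print("cross-VPN forwarding blocked:", cross_vpn_leak_blocked())
```

The isolation property rests on two decisions visible in the code: the ingress PE selects the VFI from the attachment interface rather than from anything in the packet, and the egress PE selects it from the inner label rather than from the destination address. A misconfiguration that binds a CE interface to the wrong VPN, or that advertises one VPN's label into another VPN's table, is the kind of error that breaks this separation, which is why PE configuration deserves the same review as a firewall policy.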

CUSTOMER-EDGE-BASED VIRTUAL
PRIVATE NETWORKS
As defined earlier, CE-based VPNs are partitioned by tunnels established between CE devices. Routing inside the customer network often treats the tunnels as simple point-to-point links, or sometimes as broadcast local area networks. For customer-provisioned CE-based VPNs, provisioning and management of the tunnels is up to the customer network administration, which is also responsible for operation of the routing protocol between CE devices. In provider-provisioned CE-based VPNs, the service provider(s) perform provisioning and management of the tunnels and may also configure and operate routing protocols on the CE devices. Of course, routing within a site is always under control of the customer.

There are two primary types of IP CE-based VPNs, distinguished by the type of tunnel employed. The first is older and is used primarily to construct intranets by using CE routers connected via FR or ATM virtual connections. The second is newer and is based upon tunnels implemented using cryptographic methods over the public Internet using either dedicated or dial-up access. We now describe each of these approaches.
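The second, cryptographic type of CE-based VPN can be illustrated with a small model in which the public network forwards only on the outer header and keeps no per-customer state, while the CE devices hold all the VPN state (site routes, tunnel peers and keys) and treat each tunnel as a point-to-point next hop in their routing tables. The following Python code is an added example, not from the encyclopedia article or from any VPN product: the tunnel is authenticated with HMAC-SHA256 so that a packet altered in transit is dropped by the receiving CE. Encryption for confidentiality (what ESP provides in IPsec) is left out so the example stays standard-library only, and the static key, the public and site addresses and the device names are all constructed for the illustration; real deployments negotiate keys rather than configuring them as constants.

```python
"""CE-based VPN over the public Internet, modelled at the packet level.

Each CE routes customer packets; a remote site is reached through a tunnel
interface (tun0) that is just another next hop in the table. The public network
forwards on the outer destination address only and knows nothing about VPNs.
Tunnel frames are outer header || inner packet || HMAC-SHA256 tag; the receiving
CE verifies the tag before routing the inner packet into its site.
All keys, addresses and names are constructed for this example.
"""
import hashlib
import hmac
import ipaddress

TAG_LEN = 32  # HMAC-SHA256 digest length in bytes


def encapsulate(key, outer_src, outer_dst, inner):
    """Outer header (two packed IPv4 addresses) + inner packet + authentication tag."""
    body = ipaddress.ip_address(outer_src).packed + ipaddress.ip_address(outer_dst).packed + inner
    return body + hmac.new(key, body, hashlib.sha256).digest()


def decapsulate(key, frame):
    """Return the inner packet if the tag verifies, else None (drop)."""
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    return body[8:]


class CE:
    def __init__(self, name, public_ip, site_prefix):
        self.name = name
        self.public_ip = public_ip
        self.routes = {ipaddress.ip_network(site_prefix): ("site", None)}
        self.tunnels = {}    # tunnel name -> (peer public IP, shared key)
        self.received = []   # inner packets delivered into the site
        self.dropped = 0     # frames that failed authentication or had no known peer

    def add_tunnel(self, name, peer_ip, key, remote_prefix):
        """The remote site's prefix is routed via the tunnel like a point-to-point link."""
        self.tunnels[name] = (peer_ip, key)
        self.routes[ipaddress.ip_network(remote_prefix)] = ("tunnel", name)

    def _lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        best = max((n for n in self.routes if addr in n), key=lambda n: n.prefixlen, default=None)
        if best is None:
            raise LookupError(f"{self.name}: no route to {dst}")
        return self.routes[best]

    def send(self, inner_dst, payload, network):
        inner = ipaddress.ip_address(inner_dst).packed + payload
        kind, tun = self._lookup(inner_dst)
        if kind == "site":                 # local delivery, never leaves the site
            self.received.append(inner)
            return
        peer_ip, key = self.tunnels[tun]
        network.forward(encapsulate(key, self.public_ip, peer_ip, inner))

    def receive(self, frame):
        """Identify the tunnel by outer source address, authenticate, then route the inner packet."""
        outer_src = str(ipaddress.ip_address(frame[:4]))
        key = next((k for (p, k) in self.tunnels.values() if p == outer_src), None)
        inner = decapsulate(key, frame) if key is not None else None
        if inner is None:
            self.dropped += 1
            return
        self.received.append(inner)


class PublicNetwork:
    """Forwards on the outer destination only; holds no per-customer state."""
    def __init__(self):
        self.hosts = {}      # public IP -> CE
        self.tamper = None   # optional in-transit modification, used to show tag rejection

    def forward(self, frame):
        if self.tamper is not None:
            frame = self.tamper(frame)
        self.hosts[str(ipaddress.ip_address(frame[4:8]))].receive(frame)


def run(tamper=False):
    """Returns (packets delivered into site A2, frames dropped by CE-A2)."""
    key = b"constructed-shared-key"   # constructed; real tunnels negotiate keys
    net = PublicNetwork()
    ce1 = CE("CE-A1", "203.0.113.1", "10.0.0.0/24")
    ce2 = CE("CE-A2", "203.0.113.2", "10.1.0.0/24")
    ce1.add_tunnel("tun0", ce2.public_ip, key, "10.1.0.0/24")
    ce2.add_tunnel("tun0", ce1.public_ip, key, "10.0.0.0/24")
    net.hosts = {ce1.public_ip: ce1, ce2.public_ip: ce2}
    if tamper:
        # Flip one byte inside the inner packet while it crosses the public network.
        net.tamper = lambda f: f[:10] + bytes([f[10] ^ 0xFF]) + f[11:]
    ce1.send("10.1.0.9", b"hello", net)
    return len(ce2.received), ce2.dropped


if __name__ == "__main__":
    print("clean transit:", run())
    print("tampered transit:", run(tamper=True))
```

Two points follow from the model. Because the public network forwards on the outer header alone, the only state it needs is ordinary reachability to the CE public addresses, which is what makes the CE-based approach simple for the provider. Because the tunnel is cryptographically authenticated, a modification in transit is detected and the frame dropped rather than routed into the site, which is the property the FR/ATM virtual-connection variant obtains from circuit isolation instead.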

[Figure 5 (diagram): CE devices for VPN A and VPN B at two sites connect through Access Networks to PE routers; P routers interconnect the PEs inside the Provider Network(s); the tunnels terminate on the PE routers.]
Figure 5: Generic PE-based (also called network based) VPN.