The Internet Encyclopedia (Volume 3)

Virtual Private Networks

Customer-Edge-Based Virtual Private Networks 585

[Figure 6: CE-based VPN over a partial mesh of L2 hub-and-spoke VCs. The hub-site CE devices are interconnected by Frame Relay or ATM VCs; each branch-site CE is dual-homed to two hub sites.]

CE Virtual Private Networks Over Virtual Connection Networks
The FR and ATM connection-oriented VPN alternatives largely apply to a single service provider. In order to connect each site to every other site in a fully meshed network of N sites, the service provider must provision on the order of N squared virtual connections (VCs); a full mesh needs exactly N(N-1)/2 of them. Note that each VC must be provisioned at every intermediate FR or ATM switch in the service provider network. As the number of sites becomes large, service providers often interconnect the sites in what is called a hub-and-spoke architecture, as shown in Figure 6. Often, the hub sites are connected in a full mesh, with branch sites dual-homed to a primary and a secondary hub site, as shown in the figure. Another motivation for the hub-and-spoke design is that with a full mesh of sites, adding a new site requires configuration not only of the new site but of each of the other VPN sites as well.
The traffic forwarded between the sites in a VPN is isolated from all other traffic by the logical separation provided by the virtual connections, which perform label switching as configured by a provisioning system. What results is, for all practical purposes, a private network. Note that this isolation is a property of the provider's provisioning rather than of cryptography: the VCs themselves do not encrypt or authenticate the traffic they carry, so confidentiality and separation rest on the provider's switches being configured correctly. Such a connection-oriented VPN is a good approach for intranets because the isolation and site-to-site traffic engineering it provides are good.

On the other hand, configuring such a network for extranets can be complex and inflexible. For these reasons, e-commerce applications tend to use IP security protocols as the foundation for CE-based VPNs, which are used by many intranet and extranet applications.

IP Security-Based Customer-Edge Virtual Private Networks
An analogous IP-based VPN network has the same number of hub-and-spoke sites but requires the addition of overlay IP security (IPsec) tunneling and/or encryption functions in the CE devices. There is no explicit connection through the devices in the service provider network; instead, all the tunnel functions are implemented in the CE devices. Scaling issues similar to those in CE devices overlaid on virtual connections arise in IPsec CE-based VPNs, but here the limits are the number of IPsec tunnels (security associations) and the number of routing adjacencies a CE router can support, and the hub-site CE terminates the largest share of both. Therefore, large IPsec CE-based VPNs also have a hub-and-spoke architecture, as described previously.
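The two scaling arguments above (N(N-1)/2 VCs for a full mesh in the previous section, and the per-CE tunnel and adjacency limit in this one) can be checked with a small topology model. The following is an added example written for this page, not code from the encyclopedia or from any VPN product; the site names and the per-CE tunnel limit passed to check_limits are hypothetical planning inputs, and the dual-homing rule (each branch attached round-robin to two consecutive hubs) is an assumption chosen to match Figure 6.

```python
"""Topology-sizing model for CE-based VPNs: full mesh vs. hub-and-spoke.

Added example, not from the encyclopedia chapter.  Counting rules follow the
text: a full mesh gives every site pair its own VC or IPsec tunnel; a
hub-and-spoke design fully meshes the H hub sites and dual-homes each branch
site to a primary and a secondary hub.  The per-CE tunnel limit is a
hypothetical planning number, not a figure from any device datasheet.
"""
from itertools import combinations


def full_mesh_links(sites):
    """One VC/tunnel per site pair: N(N-1)/2 links for N sites."""
    return [frozenset(pair) for pair in combinations(sites, 2)]


def hub_and_spoke_links(hubs, branches):
    """Hubs fully meshed; each branch dual-homed to two hubs.

    Assumed dual-homing rule: branch i uses hubs[i % H] as primary and the
    next hub as secondary, so branch load spreads evenly over the hubs.
    """
    if len(hubs) < 2:
        raise ValueError("dual-homing needs at least two hub sites")
    links = full_mesh_links(hubs)
    for i, branch in enumerate(branches):
        primary = hubs[i % len(hubs)]
        secondary = hubs[(i + 1) % len(hubs)]
        links.append(frozenset((branch, primary)))
        links.append(frozenset((branch, secondary)))
    return links


def per_site_degree(links):
    """Number of VCs/tunnels (and hence routing adjacencies) each CE terminates."""
    degree = {}
    for link in links:
        for site in link:
            degree[site] = degree.get(site, 0) + 1
    return degree


def sites_touched_by_adding(links_before, links_after, new_site):
    """Existing sites whose CE configuration changes when new_site joins."""
    touched = set()
    for link in set(links_after) - set(links_before):
        touched |= link
    touched.discard(new_site)
    return touched


def check_limits(links, max_tunnels):
    """Sites whose tunnel count exceeds the (hypothetical) per-CE limit."""
    return {s: d for s, d in per_site_degree(links).items() if d > max_tunnels}


def compare(n_hubs, n_branches, max_tunnels):
    """Size both designs for the same site set and cost one added branch."""
    hubs = [f"hub{i}" for i in range(n_hubs)]          # hypothetical names
    branches = [f"br{i}" for i in range(n_branches)]
    sites = hubs + branches
    mesh = full_mesh_links(sites)
    hs = hub_and_spoke_links(hubs, branches)

    new = "br_new"                                      # one more branch site
    mesh_after = full_mesh_links(sites + [new])
    hs_after = hub_and_spoke_links(hubs, branches + [new])

    return {
        "full_mesh_links": len(mesh),
        "hub_spoke_links": len(hs),
        "full_mesh_reconfigured": len(sites_touched_by_adding(mesh, mesh_after, new)),
        "hub_spoke_reconfigured": len(sites_touched_by_adding(hs, hs_after, new)),
        "full_mesh_over_limit": sorted(check_limits(mesh, max_tunnels)),
        "hub_spoke_over_limit": sorted(check_limits(hs, max_tunnels)),
    }


if __name__ == "__main__":
    # 4 hubs, 20 branches, hypothetical CE limit of 10 tunnels per device.
    for key, value in compare(4, 20, 10).items():
        print(f"{key}: {value}")
```

With 4 hubs and 20 branches the full mesh needs 276 links and every one of the 24 CEs exceeds a 10-tunnel limit, while hub-and-spoke needs 46 links and only the four hubs exceed it (3 hub links plus 10 branch links each). Adding a branch touches all 24 existing CEs in the full mesh but only the two hubs it is homed to in the hub-and-spoke design, which is the configuration argument made in the text. The same model applies to FR/ATM VCs and to IPsec tunnels; only the per-CE limit being checked differs.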
Figure 7 illustrates the same hub-and-spoke network ex-
ample, with circles showing the hub–spoke tunnels and

[Figure 7: CE-based VPN using IPsec tunnels over the Internet. The hub-site and branch-site CE devices are the IPsec tunnel endpoints; the tunnels run across the Internet rather than over provider-provisioned VCs.]