Provider-Edge-Based Layer 3 Virtual Private Networks

Figure 9: Aggregated routing and shared tunnel network-based L3 VPN. (Figure: CE sites of VPNs A, B, and C attached to PE routers; each PE holds a separate virtual forwarding table per VPN; the PEs are interconnected by a set of shared tunnels.)

the existence of the VPN to be hidden from the CE devices, which can operate as though they were part of a normal customer network. As described earlier, PE-based VPNs use tunnels set up between PE devices. These tunnels may use one of a number of encapsulations to send traffic over the provider network(s), for example MPLS, generic routing encapsulation (GRE), IPsec, or IP-in-IP. Of these, only IPsec protects the tunneled traffic cryptographically; MPLS, GRE, and IP-in-IP separate one VPN's traffic from another's by label or outer header alone, so confidentiality and integrity across the provider backbone rest on the provider's own isolation unless IPsec (or CE-based encryption) is layered on top. As sites for new VPNs are added or removed, PE-based VPN solutions provide a means of distributing membership information automatically. There are two principal methods defined in the IETF (Callon et al., 2002) for implementing these types of PE-based VPNs, namely aggregated routing and virtual routers, which we now describe.

Aggregated Routing Virtual Private Networks
The aggregated routing approach is one in which a separate forwarding table exists for each VPN on every PE that connects to a site in that VPN, but the exchange of routing information between the PEs is multiplexed, or aggregated, over a single set of routing sessions. The BGP/MPLS VPN approach (RFC 2547, Rosen & Rekhter, 1999) uses extensions to the Border Gateway Protocol (BGP) to implement this generic architecture: each VPN route is carried with a route distinguisher, which keeps overlapping customer addresses distinct in the shared routing table, and with route-target attributes, which determine which forwarding table on a receiving PE imports the route. Figure 9 illustrates an example of this approach, connecting sites from three VPNs, A, B, and C, in an extranet. Each PE has a separate virtual forwarding table for each VPN site that it serves, but the forwarded traffic and the exchanged routing information use a set of shared tunnels, as shown in the center of the figure. Because separation between VPNs is enforced entirely by this per-PE import and export configuration, a mistaken import on a single PE is enough to leak one customer's routes into another's forwarding table; the configuration therefore needs to be audited as carefully as a firewall policy. Often these solutions are deployed on a single service provider network, although there are some implementations that span more than one provider network.
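The following is an added model (not code from the chapter, nor from any router vendor) of the separation mechanism just described: one shared backbone routing table fed by every PE, a separate forwarding table per VPN on each PE, route distinguishers keeping overlapping prefixes apart in the shared table, and route targets deciding which VPN imports which routes. It also covers the extranet case, in which a third VPN imports routes from the other two, and includes two checks a practitioner would run against such a configuration: an isolation audit that flags route leaks, and a test for addresses that overlap once two VPNs are imported into one table. The VPN names A, B, and C, the PE names, the prefixes, and the 100:n and 65000:n values are all constructed for this example.

```python
"""Added model of aggregated-routing (BGP/MPLS VPN) isolation.  Not code
from the chapter or from any vendor; VPN names, PE names, prefixes and the
100:n (route distinguisher) / 65000:n (route target) values are made up."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class VpnRoute:
    rd: str                 # route distinguisher prepended to the prefix
    prefix: str
    export_rts: frozenset   # route targets carried as BGP extended communities
    next_hop_pe: str


@dataclass(frozen=True)
class Vrf:
    vpn: str
    rd: str
    export_rts: frozenset
    import_rts: frozenset
    ce_routes: tuple        # prefixes learned from the attached CE site


RD_A, RD_B, RD_C = "100:1", "100:2", "100:3"
RT_A, RT_B, RT_C = "65000:1", "65000:2", "65000:3"


def vrf(vpn, rd, ce_routes, exports, imports):
    return Vrf(vpn, rd, frozenset(exports), frozenset(imports), tuple(ce_routes))


def example_topology(misconfigured=False):
    """Constructed topology: enterprises A and B both use 10.0.0.0/24
    internally; C is an extranet partner that both may reach and that may
    reach both.  With misconfigured=True the PE2 operator has also imported
    B's route target into A's VRF, a typical extranet slip."""
    a_pe2_imports = {RT_A, RT_C, RT_B} if misconfigured else {RT_A, RT_C}
    return {
        "PE1": [vrf("A", RD_A, ["10.0.0.0/24"], {RT_A}, {RT_A, RT_C}),
                vrf("B", RD_B, ["10.0.0.0/24"], {RT_B}, {RT_B, RT_C})],
        "PE2": [vrf("A", RD_A, ["10.0.1.0/24"], {RT_A}, a_pe2_imports),
                vrf("C", RD_C, ["192.168.50.0/24"], {RT_C}, {RT_A, RT_B, RT_C})],
        "PE3": [vrf("B", RD_B, ["10.0.2.0/24"], {RT_B}, {RT_B, RT_C}),
                vrf("C", RD_C, ["192.168.51.0/24"], {RT_C}, {RT_A, RT_B, RT_C})],
    }


def backbone_table(pes):
    """Every VRF on every PE exports into one shared table (the aggregated
    part).  RD+prefix is the key, so A's and B's 10.0.0.0/24 coexist."""
    return [VpnRoute(v.rd, p, v.export_rts, pe)
            for pe, vrfs in pes.items() for v in vrfs for p in v.ce_routes]


def forwarding_table(v, table):
    """The VRF's own forwarding table: only routes that carry one of its
    import route targets.  Maps prefix -> [(rd, next_hop_pe), ...]."""
    fib = defaultdict(list)
    for r in table:
        if r.export_rts & v.import_rts:
            fib[r.prefix].append((r.rd, r.next_hop_pe))
    return dict(fib)


def reachable_vpns(v, table):
    """RDs of the VPNs that a site behind this VRF can forward traffic to."""
    return {rd for entries in forwarding_table(v, table).values() for rd, _ in entries}


def overlapping_prefixes(fib):
    """Prefixes imported from more than one VPN: once two RDs are collapsed
    into one forwarding table the address overlap returns and traffic to
    that prefix is ambiguous.  Extranets need disjoint addressing or NAT."""
    return sorted(p for p, e in fib.items() if len({rd for rd, _ in e}) > 1)


def audit_isolation(pes, allowed):
    """allowed: {vpn: set of RDs it is permitted to reach}.
    Returns the (vpn, rd) pairs that violate the policy, i.e. route leaks."""
    table = backbone_table(pes)
    return sorted({(v.vpn, rd) for vrfs in pes.values() for v in vrfs
                   for rd in reachable_vpns(v, table) - allowed[v.vpn]})


POLICY = {"A": {RD_A, RD_C}, "B": {RD_B, RD_C}, "C": {RD_A, RD_B, RD_C}}

if __name__ == "__main__":
    pes = example_topology()
    table = backbone_table(pes)
    print("backbone entries:", len(table), "distinct prefixes:", len({r.prefix for r in table}))
    for pe, vrfs in pes.items():
        for v in vrfs:
            print(pe, v.vpn, "reaches", sorted(reachable_vpns(v, table)),
                  "overlaps", overlapping_prefixes(forwarding_table(v, table)))
    print("leaks, correct config:", audit_isolation(pes, POLICY))
    print("leaks, misconfigured:", audit_isolation(example_topology(True), POLICY))
```

Two points the model makes visible that the prose does not: the shared table holds six entries for only five distinct prefixes, because the route distinguisher, not the prefix, is what keeps A's and B's 10.0.0.0/24 apart; and the extranet VRF C, having imported both, ends up with an ambiguous 10.0.0.0/24 anyway, so an extranet over this architecture needs disjoint address plans or address translation at the partner boundary. The audit returns nothing for the intended configuration and exactly one leak, A reaching B, for the mis-imported one.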
This approach alleviates some of the scaling issues involved with the connection- or tunnel-oriented CE-based approaches described earlier when full communication between a set of sites is desired. Specifically, when adding or removing a site, only the PE attached to that site needs to be reconfigured; the BGP/MPLS protocols automatically take care of the rest. Furthermore, the protocols are able to advertise to their peers more than one route for the same destination address. This can be useful in an extranet to force traffic exchanged between different enterprises through additional devices, such as firewalls or filters, rather than letting it take the direct PE-to-PE path.

Virtual Router Virtual Private Networks
Although the virtual router (VR)-based approach (RFC
2917, Muthukrishnan & Malis, 2000) also uses PE and P
routers, there are several important differences, as illus-
trated in Figure 10. This example uses the same CE sites
from the three VPNs discussed in the aggregated routing
example above. In a VR VPN, a VR is dedicated to each
VPN in every PE that supports a site for that VPN. This
means that each enterprise can manage its own routing
on the VR in the PE. This works very well in cases where
the enterprise network has other forms of connectivity be-
tween its sites: The VRs look like just another (well con-
nected) router to the enterprise network. Usually, a sepa-
rate set of tunnels is allocated in a full mesh between the
VRs, as shown by different line styles in the center of the
figure. This allows excellent control of capacity allocation
and control of QoS between the VPN sites.
The VR PE-based VPN is best suited for intranets. It is not frequently used in an extranet because one enterprise would have to exchange routing information directly with another. This would expose each enterprise's internal routes and topology to the other, would let a mistaken or malicious advertisement from one side disrupt the other's routing, and hence would increase the likelihood of an outage, as well as making coordination more difficult in the event of the inevitable moves, adds, and changes. It could be used, however, as a backbone network provided by one partner for connecting a number of other enterprises together, for example using CE-based VPNs overlaid on a managed VR PE-based network.