What Is a Virtual Private Network?
A virtual private network (VPN) allows the provisioning of private network services for an organization or organizations over a public or shared infrastructure such as the Internet or a service provider backbone network. The shared service provider backbone network is known as the VPN backbone and is used to transport traffic for multiple VPNs, as well as possibly non-VPN traffic.
VPNs provisioned using technologies such as Frame Relay and Asynchronous Transfer Mode (ATM) virtual circuits (VC) have been available for a long time, but over the past few years IP and IP/Multiprotocol Label Switching (MPLS)-based VPNs have become more and more popular.
This article focuses on describing the deployment of IP- and IP/MPLS-based VPNs. The large number of terms used to categorize and describe the functionality of VPNs has led to a great deal of confusion about what exactly VPNs are and what they can do. The sections that follow cover VPN devices, protocols, technologies, as well as VPN categories and models.
VPN Customer Devices
Devices in the customer network fall into one of two categories:
Customer (C) devices—C devices are simply devices such as routers and switches located within the customer network. These devices do not have direct connectivity to the service provider network. C devices are not aware of the VPN.
Customer Edge (CE) devices—CE devices, as the name suggests, are located at the edge of the customer network and connect to the provider network (via Provider Edge [PE] devices). In CE-based VPNs, CE devices are aware of the VPN. In PE-based VPNs, CE devices are unaware of the VPN. CE devices are categorized as either Customer Edge routers (CE-r) or Customer Edge switches (CE-s).
VPN Service Provider Devices
In a site-to-site VPN, devices in the service provider network also fall into one of two categories:
Service Provider (P) devices—P devices are devices such as routers and switches within the provider network that do not directly connect to customer networks. P devices are unaware of customer VPNs.
Service Provider Edge (PE) devices—PE devices connect directly to customer networks via CE devices. PE devices are aware of the VPN in PE-based VPNs, but are unaware of the VPN in CE-based VPNs. There are three types of PE device:
Provider Edge routers (PE-r)
Provider Edge switches (PE-s)
Provider Edge devices that are capable of routing and switching (PE-rs)
VPN Technologies and Protocols
A number of technologies and protocols are used to enable site-to-site and remote access VPNs. These protocols and technologies are described in the sections that follow.
Technologies and Protocols Used to Enable Site-to-Site VPNs
In site-to-site VPNs, customer user data traffic is tunnelled either between CE devices or between PE devices.
[Figure: a site-to-site VPN connecting VPN Site 1, VPN Site 2, and VPN Site 3 over the VPN backbone]
Modelling and Characterizing VPNs
A plethora of methods are used to model and characterize VPNs. The purpose of this section is to introduce and explain each of these models and characterizations. As you read this section, you may ask yourself how it is that we have ended up with so many terms to describe VPNs.
The answer is partly a desire to accurately describe the characteristics of a VPN protocol or technology, partly a simple lack of coordination among protocol designers and engineers (this is getting much better), and, on top of that, a certain amount of “help” from our marketing colleagues (“How can I differentiate our products?”).
Service Provider and Customer Provisioned VPNs
VPNs can be either one of the following:
Service provider provisioned—VPNs that are configured and managed by a service provider or providers
Customer provisioned—VPNs that are configured and managed by the (service provider) customer itself
Additionally, a VPN service might be offered over the backbone networks of multiple cooperating autonomous systems and/or service providers. In this case, the VPN service is known as an inter-AS or inter-provider VPN service.