MPLS VPN Architecture

To properly understand MPLS VPNs as a solution, it is important to understand the problem. MPLS VPNs are a Layer 3 WAN solution to an age-old Layer 2 WAN problem—that is, the quest to provide any-to-any connectivity among sites in a cost-efficient manner. In the past, WAN architects struggled with topological design principles that amounted to choosing the least of all evils. A full mesh topology was the most robust but too expensive. A hub-and-spoke topology was the least expensive but the least robust: a failure at the hub site would have a severe impact on the whole network. Partial mesh topologies balanced the pain by trading cost against connectivity.

MPLS is the answer to the problem. With MPLS, it is possible to have a fully meshed network, but beyond that, it is a Layer 3-capable, fully meshed network. The possibilities for architecting a WAN solution are greatly expanded with little or no incremental cost over traditional Layer 2 circuits.
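As an added illustration of the cost-versus-robustness trade-off described above (example code, not part of the original text), the script below models the three Layer 2 topologies as link sets over a constructed six-site WAN and scores each by circuit count and by how many site pairs still reach each other after the worst single-site failure; the site names, hub choice and extra spoke-to-spoke links are assumptions.

```python
from itertools import combinations

# Constructed sample WAN: six sites, site "A" is the hub of the hub-and-spoke design.
SITES = ["A", "B", "C", "D", "E", "F"]
HUB = "A"
EXTRA_LINKS = [("B", "C"), ("D", "E")]  # spoke-to-spoke circuits added for the partial mesh

def full_mesh(sites):
    """Every site pair gets its own circuit: n(n-1)/2 links."""
    return {frozenset(p) for p in combinations(sites, 2)}

def hub_and_spoke(sites, hub):
    """Each spoke has exactly one circuit, to the hub: n-1 links."""
    return {frozenset((hub, s)) for s in sites if s != hub}

def partial_mesh(sites, hub, extra):
    """Hub-and-spoke plus a few direct spoke-to-spoke circuits."""
    return hub_and_spoke(sites, hub) | {frozenset(l) for l in extra}

def reachable_pairs(sites, links, failed=None):
    """Unordered site pairs that can still reach each other once `failed` is down."""
    alive = [s for s in sites if s != failed]
    adj = {s: set() for s in alive}
    for link in links:
        a, b = tuple(link)
        if a in adj and b in adj:  # circuits into the failed site carry nothing
            adj[a].add(b)
            adj[b].add(a)
    seen, pairs = set(), 0
    for start in alive:  # depth-first search, one connected component at a time
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            node = stack.pop()
            if node not in comp:
                comp.add(node)
                stack.extend(adj[node])
        seen |= comp
        pairs += len(comp) * (len(comp) - 1) // 2
    return pairs

def compare(sites=SITES, hub=HUB, extra=EXTRA_LINKS):
    """Return {topology: (circuit count, pairs still connected after the worst single-site failure)}."""
    designs = {"full mesh": full_mesh(sites),
               "hub-and-spoke": hub_and_spoke(sites, hub),
               "partial mesh": partial_mesh(sites, hub, extra)}
    return {name: (len(links), min(reachable_pairs(sites, links, s) for s in sites))
            for name, links in designs.items()}
```

On the constructed six-site sample, compare() reports 15 circuits and 10 surviving pairs for the full mesh, 5 and 0 for hub-and-spoke (the hub failure isolates every site), and 7 and 2 for the partial mesh.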

The idea of a VPN brings to mind the concepts of security and privacy. These have traditionally been an enterprise responsibility, implemented by knowledgeable individuals within a particular company or by an outside consultant brought in for just such a deployment. For most people, the term VPN still brings to mind the IPsec and remote-access VPNs discussed in Chapter 2.

All in all, the term VPN has become rather wide-reaching. Figure 11-1 illustrates this fact by detailing what VPN has come to mean in a wider sense.

Figure 11-1 VPN Taxonomy (figure not reproduced; labels recovered from it: Layer 1 VPN, Dedicated Circuits, Virtual Dialup Networks, Overlay VPN, Layer 2 VPN, Frame Relay, Layer 3 VPN, Virtual Networks, Peer-to-Peer VPN, Access Control Lists (Shared Router), Split Routing (Dedicated Router))

In essence, Figure 11-1 shows an evolutionary path of the VPN and how it has come to encompass a very different set of technologies depending on how it is to be deployed.

Virtual local-area networks (VLAN) allow the isolation of traffic on a per-subnet basis across a common physical infrastructure.

Virtual private dialup networks (VPDN) allow the use of dialup infrastructure via private implementation or as a service offered by a service provider.

VPNs allow the use of a shared infrastructure offered by a service provider to implement private networks. The degree of security is, of course, subject to negotiation. Many service provider offerings now include a "firewall in the cloud" offering to filter traffic to and from an Internet connection or other network. Also available are managed voice, content caching, and content filtering services. It all depends on the negotiated package.

From a typical VPN implementation standpoint, there are essentially two models:

■ Overlay VPNs—Include older technologies such as X.25, Frame Relay, and Asynchronous Transfer Mode (ATM) for Layer 2 overlay VPNs as well as generic routing encapsulation (GRE) tunnels and IPsec for Layer 3 overlay VPNs

■ Peer-to-peer VPNs—Implemented on service provider router infrastructure, either by using access control lists (ACL) on a shared router or by providing a dedicated router per customer
