Virtual Private Network, VPN


In a private network, the network infrastructure is managed by a single owner. That business owns and controls all of the network infrastructure: cables, switches, routers, etc. The defining feature of a private network is its isolation from other networks, which offers the following advantages:

  • independent technology choice;
  • independent addressing;
  • ability to forecast traffic through owning the communication lines;
  • high security level due to a low chance of traffic eavesdropping.

A private network is by no means an economical solution. Only very large and rich companies can afford such a network, especially one of national or international scale.

VPN technology uses network infrastructure that is shared by several companies, yet makes it possible to implement services similar to those offered by true private networks. As a result, it is becoming a base for service support in the near future.

VPN technology places strict requirements on modern networks. A network must be able to identify types of traffic, i.e. voice, video, or data. It must be able to identify a client. Moreover, the network must offer facilities for easy grouping of users and services.


MPLS VPN technology makes it possible for a provider to integrate a client's networks into a unified network that is isolated from other clients’ networks. It is difficult to both integrate and isolate in IP technology, which dominates as the universal transport.

MPLS VPN solves the isolation problem while retaining connectivity by using MPLS VPN tunnels formed between provider routers. In MPLS technology, VPN tunnels can be formed automatically. This makes it unnecessary to configure all the network routers. It is enough to specify the first and the last routers of a tunnel.


An MPLS VPN network consists of IP client networks and a provider network. The client network contains CE routers, while the provider network includes P and PE routers.

A client can have several geographically separated networks. Such isolated networks are referred to as “sites”. One of the IGP (Interior Gateway Protocol) protocols is used to exchange information about routes within a site. The scope of these protocols is limited to an autonomous system.

The router that connects a site to the provider network is referred to as the Customer Edge (CE) router. Since a CE router has no information about the VPN's existence, there is no need to configure MPLS on CE routers. A CE router can connect to the provider backbone network over one or more links. The point at which a CE router connects to the provider network is its Provider Edge (PE) router. For communication between CE and PE routers, RIP, OSPF, BGP, and similar routing protocols can be used. All the protocols mentioned have been modified for MPLS VPN support. The routing protocol used between CE and PE routers is independent of the one used within the client network. PE routers are classified as input or output routers, depending on traffic direction. Note that one PE router can operate as input and output simultaneously.

In a provider backbone network, only the edge PE routers must be configured for VPN support, because they are the only ones that hold information about the VPN. Every edge router uses an address family for storing and exchanging route information. Every PE router keeps routing information for every client in its VRF (Virtual Routing and Forwarding) tables.

PE routers are functionally more complex than P routers. They are responsible for VPN support, namely keeping the routing information and data arriving from different clients separate. Routes received from a client via the routing protocol running between a CE router and a PE router are first recorded in the local VRF table and then passed to the next router via the routing protocol running between those two routers.

PE routers also act as the end-points of LSPs between customer sites. Only a PE router assigns the labels to IP packets that are used to transfer the packets over the provider’s internal network. Label Distribution Protocol (LDP) is a protocol in which Label Switch Routers (LSR) exchange label mapping information. Laying out an LSP within a provider network is, essentially, the formation of switching tables, using labels, on all the PE and P routers that form a specific LSP.

The main function of P routers in a provider backbone network is to provide fast packet switching using LSP identification labels. A provider’s P router, like a client’s CE router, holds no information about the MPLS VPN.

A provider network can contain a large number of PE routers, along with many clients. To avoid errors when forming an MPLS VPN, which can result in client sites being connected to one another, automated MPLS provisioning software was developed. One example is the VPN Solution Center from Cisco Systems, which offers the administrator a graphical interface for creating a VPN tunnel and helps to transfer the configurations to the PE routers.
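The per-client VRF separation on a PE router and the provisioning errors described above can be modelled in a few lines. This is an added example, not code from the original page or from any vendor; the class, the interface and VRF names, the prefixes and the label values are all constructed for illustration.

```python
import ipaddress

class PERouter:
    """Toy PE router: one VRF table per client, chosen by the CE-facing interface."""

    def __init__(self, name):
        self.name = name
        self.vrfs = {}       # VRF name -> list of (prefix, egress PE, label)
        self.iface_vrf = {}  # CE-facing interface -> VRF name

    def bind(self, iface, vrf):
        self.iface_vrf[iface] = vrf
        self.vrfs.setdefault(vrf, [])

    def learn(self, vrf, prefix, egress_pe, label):
        route = (ipaddress.ip_network(prefix), egress_pe, label)
        self.vrfs.setdefault(vrf, []).append(route)

    def forward(self, iface, dst):
        """Longest-prefix match, restricted to the VRF of the ingress interface."""
        vrf = self.iface_vrf[iface]
        addr = ipaddress.ip_address(dst)
        hits = [r for r in self.vrfs[vrf] if addr in r[0]]
        if not hits:
            return None  # no route in this client's VRF: drop, never fall through
        prefix, egress_pe, label = max(hits, key=lambda r: r[0].prefixlen)
        return vrf, egress_pe, label

def audit_bindings(pe, intended):
    """Return (iface, configured VRF, intended VRF) for every binding that
    differs from the provisioning record `intended` (iface -> VRF)."""
    return sorted((i, pe.iface_vrf.get(i), v) for i, v in intended.items()
                  if pe.iface_vrf.get(i) != v)

def build_demo():
    # Constructed sample data: two clients reuse 10.1.0.0/16 independently.
    pe = PERouter("PE1")
    pe.bind("ge0/1", "client_a")
    pe.bind("ge0/2", "client_b")
    pe.learn("client_a", "10.1.0.0/16", "PE2", 101)
    pe.learn("client_a", "10.1.5.0/24", "PE3", 102)
    pe.learn("client_b", "10.1.0.0/16", "PE4", 201)
    return pe

if __name__ == "__main__":
    pe = build_demo()
    print(pe.forward("ge0/1", "10.1.5.9"))  # resolved in client A's table
    print(pe.forward("ge0/2", "10.1.5.9"))  # same address, client B's table
    pe.bind("ge0/2", "client_a")            # simulated provisioning error
    print(audit_bindings(pe, {"ge0/1": "client_a", "ge0/2": "client_b"}))
```

Comparing the configured interface-to-VRF bindings against the provisioning record is the kind of check that catches a cross-client connection before traffic flows.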

To strengthen MPLS VPN protection, the authentication and encryption facilities of the IPSec protocol, which are typically used in provider networks, can also be applied.

MPLS is, essentially, a breakthrough in VPN technology. MPLS VPN has many distinct advantages over other methods of building virtual private networks (ATM/FR-based VPN or IPSec VPN): it is scalable, can be configured automatically, and integrates naturally with the other IP services currently offered in the telecom market.

Priocom Corp. 1999 — 2017. All rights reserved