Understanding modern VPN service offerings

From CT3


By Ivan Pepelnjak

Numerous variants of IP-based VPN services have replaced the traditional Frame Relay or ATM services offered by Service Providers. The VPN services range from do-it-yourself IPsec-over-Internet offerings to MPLS VPN, pseudowire (VPWS) or VPLS services.

The implementation details of these services and the underlying protocols (MPLS, AToM, L2TPv3 and others) don’t matter to an enterprise network designer; it’s important to understand their conceptual model, their interaction with on-site routers or switches and their implications for enterprise network reliability and availability.

VPN services overview

The VPN service offerings fall into three major categories (Figure 1):

  • Layer-2 VPN services, where the Service Provider offers end-to-end layer-2 transport between customer sites. The legacy L2 VPN services (Frame Relay and ATM) have been replaced with point-to-point (VPWS) or multipoint (VPLS) Ethernet-based services.
  • Layer-3 VPN services, where the Service Provider takes over the responsibility for the core IP routing of the enterprise network.
  • Remote access VPN services, where the Service Provider concentrates remote access traffic (for example, mobile phone connections) and delivers it to a concentration point at the edge of the enterprise network.
Figure 1: Service provider-implemented VPN services

The end-customers can also choose to implement their own VPN service over a public or private IP network offered by the Service Provider (Figure 2). These VPN services are almost always implemented with IPsec encryption (to provide confidentiality and integrity of data crossing a less trusted IP infrastructure) and often combined with GRE transport: the GRE tunnel gives the enterprise a routable point-to-point or multipoint link that can carry routing protocol traffic and multicast, while IPsec protects the GRE packets across the IP transport network. Without the IPsec protection the GRE tunnel still works, but every packet in it crosses the transport network in cleartext.
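As an added illustration (not part of the original article), the configuration below shows the customer-built variant on a Cisco IOS branch router: a GRE tunnel to the headquarters router, protected by IPsec negotiated with IKEv2, with OSPF running inside the tunnel. All addresses, interface names, object names and the pre-shared key are assumptions chosen for the example.

```cisco
! Added example, not from the original article. Branch router side of a
! GRE-over-IPsec tunnel to HQ. Assumed topology:
!   branch WAN 203.0.113.2 ---- Internet ---- HQ WAN 203.0.113.1
!   tunnel subnet 10.255.0.0/30, branch LAN 10.2.0.0/16
!
! IKEv2 proposal: the algorithms used to protect the key exchange.
crypto ikev2 proposal AES256-SHA256
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy IKEV2-POLICY
 proposal AES256-SHA256
!
! Pre-shared key for the HQ peer (assumed value). Certificates are the
! better choice once more than a handful of sites are involved.
crypto ikev2 keyring HQ-KEYRING
 peer HQ
  address 203.0.113.1
  pre-shared-key ExamplePSK-ChangeMe
!
crypto ikev2 profile HQ-PROFILE
 match identity remote address 203.0.113.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local HQ-KEYRING
!
! ESP transform in transport mode: the GRE header already carries the
! outer IP addresses, so a second (tunnel-mode) IP header is not needed.
crypto ipsec transform-set ESP-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile GRE-PROTECT
 set transform-set ESP-AES256-SHA256
 set ikev2-profile HQ-PROFILE
!
! The GRE tunnel. Removing "tunnel protection" leaves a working tunnel
! whose contents cross the Internet unencrypted.
interface Tunnel0
 ip address 10.255.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel mode gre ip
 tunnel protection ipsec profile GRE-PROTECT
!
! Enterprise routing runs over the tunnel, not over the provider network.
router ospf 1
 network 10.255.0.0 0.0.0.3 area 0
 network 10.2.0.0 0.0.255.255 area 0
```

The HQ router needs the mirror image (its own keyring entry for 203.0.113.2 and a tunnel with source and destination swapped). The reduced `ip mtu` and `ip tcp adjust-mss` values leave room for the GRE and ESP headers so that traffic in the tunnel is not fragmented by the transport network.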

Enterprise networks faced with regulatory requirements to encrypt their transit data can also choose to implement scalable IPsec encryption (GET VPN) over a layer-3 IP service offered by the Service Provider. GET VPN encrypts the payload but preserves the original IP header, so no tunnels are needed and the Service Provider's any-to-any routing continues to work unchanged. The Service Provider provides the core IP routing and end-to-end IP transport functionality while the customer enforces the end-to-end data confidentiality.
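As an added illustration (again not from the original article), the following Cisco IOS configuration sketches the group-member side of GET VPN on a customer router attached to a provider MPLS VPN: there is no tunnel interface, the GDOI crypto map is applied directly to the interface facing the provider, and the key server address, group identity, interface names and pre-shared key are assumptions.

```cisco
! Added example, not from the original article. GET VPN group member on a
! customer router whose WAN interface faces the provider's MPLS VPN.
! Assumed values: key server 10.0.0.1, group identity 1234, WAN interface
! GigabitEthernet0/0. Only the group member is shown; the key server
! holds the traffic-selector ACL and rekey parameters.
!
! IKE policy used to authenticate this member to the key server.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key ExamplePSK-ChangeMe address 10.0.0.1
!
! GDOI group: the member registers with the key server and downloads
! the group key and the policy describing which traffic to encrypt.
crypto gdoi group GETVPN
 identity number 1234
 server address ipv4 10.0.0.1
!
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN
!
! Applied to the provider-facing interface: packets keep their original
! IP header, so the provider's routing is unaffected, but the payload
! is encrypted before it leaves the customer network.
interface GigabitEthernet0/0
 ip address 10.1.1.2 255.255.255.252
 crypto map GETVPN-MAP
```

Because the source and destination addresses stay visible, the provider can still route and apply QoS to the traffic; what it can no longer see is the payload, which is exactly the property the regulatory requirement asks for.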

Figure 2: Service Provider and Customer VPN options

Additional Resources

  • Implementing Cisco MPLS (MPLS) course
  • Configuring BGP on Cisco Routers (BGP) course

Did you know?

  • NIL developed the first commercially available MPLS/VPN training.
  • This training was for several years the only course available to Cisco's internal audiences and its Service Provider customers in Europe.
  • The MPLS/VPN course developed by NIL later became part of Cisco's Service Provider training curriculum and the basis for the Implementing Cisco MPLS (MPLS) course that is part of the CCIP curriculum.
  • NIL's experts have worked as part of Cisco's Professional Services team supporting early adopters of MPLS VPN technology in Europe.
  • NIL has provided several large Service Providers with MPLS/VPN design and deployment support.