In the past the old days we have layer 2 virtual circuits provided courtesy of our service provider
A virtual circuit would be an overlay normally from side A to side B. may be a frame lay link or ATM or SMDS, X.25 whatever it is. It is the overlay of the provider network.
If you have multiple sites you have full mesh, partial mesh, multilevel topology etc.
We also have overlay methods of IP Tunneling in which we have IPsec, GRE, and PPTP.
IPsec and PPTP has the benefit over GRE is the security but they doesn’t have the encryption.
So the GRE benefit is that of encryption.

Now how we implement them.We have implementation methods:


Service Provider gives the customers the circuits, and says “have funs with that”


Service Provider peers with the customer and learns all their routes.


By using MPLS Technology to securely transport data over IP. A lot of service Providers are now offering enterprise MPLS VPN service in a number of different ways or flavors based on the needs of small corporations to big Enterprises existing investment in CPE, and the available infrastructure. MPLS is protocol independent forwarding, so MPLS VPNS can be implemented using different customer edge equipment allowing the customer to leverage their existing investments.

As MPLS provides traffic separation with its addressing methodologies, the label are used to move traffic via MPLS can be easily used to provide separate traffic ‘tunnels’ for multiple VPN’s across an MPLS core network.

By ‘stacking labels’ MPLS can  create logical traffic separation because in MPLS only the top-most label is used for addressing the packet,   any information that is not contained in the addressing label is invisible to all devices except the destination device.

The LER, or in the case of a VPN a Provider Edge (PE) or Customer Edge (CE) Router, is the only device which accesses the VPN network directly. This provides fewer access points into the network and only this router must have the highest level of security. Traffic is separated at the Provider Edge (PE) using Virtual Routing and Forwarding Instances (VRF’s) which areassigned to each VPN accessing the provider’s MPLS network individually. The VRF’s are unique to each VPN so all other VPN’s using the network are transparent to each other, as well as any other Customer Edge (CE) devices.

MPLS VPN’s provide a number of advantages given below.


MPLS VPN’s provide security through traffic separation.


MPLS VPN’s are highly scalable.


MPLS VPN’s provide QoS based on different numbers of classes of service (CoS). The number of CoS and the specific QoS guarantees are defined and backed by Service Level Agreements (SLA) with individual service providers.

MPLS VPN’s are limited by the core network; however, remote users must use some other VPN method, most likely IPsec, to peer with the network securely.

Furthermore there are different types of classifications of IP VPNs.

  • Classification based on where VPN functions are implemented.
    • Customer Edge (CE) based VPN
    • Provider Edge (PE) based VPN
    • Classification based on Service Provider’s role in provisioning the VPN.
      • Providers Provisioned VPN (PPVPN)
      • Customer Provisioned VPN


  • Classification based on Protocol Layers
    • Layer 2 VPN
    • Layer 3 VPN

Layer 2 VPN:

Service Provider network switches customer Layer-2 frames based on Layer-2 header.
Service Provider then delivers layer 2 circuits to the customer, one for each remote site. Customer then maps their layer 3 routing to the circuit mesh. In Layer 2 VPN customer routes are transparent to the provider.

Layer 3 VPN:

Service Provider network routes incoming customer packet based on the destination IP address. Service Provider network participates in customer’s layer 3 routing. Service Provider network then manages VPN specific routing tables, distributes routes to remote sites. CPE routers advertise their routes to the provider.