An IP VPN is a Virtual Private Network implemented over the public Internet (IP).

The term “virtual” means that the connections between network nodes are not dedicated circuits but are set up as needed between endpoints.

“Virtual Private” means that private “tunnels” are established over a public network, such as the Internet. Tunneling encapsulates encrypted data inside IP packets.
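To make the tunneling sentence concrete, here is an added illustration (not code from the MegaPath white paper) of what a tunnel-mode encapsulation such as IPsec ESP does: the whole inner IP packet, private addresses included, is encrypted and integrity-protected, then wrapped in a new outer IP header addressed between the two VPN gateways, so anyone watching the public Internet sees only gateway-to-gateway traffic carrying protocol 50. The receive side checks the integrity tag before anything else, enforces an anti-replay window on the sequence number, and only then decrypts. Assumptions: the header layout is simplified rather than wire-accurate, the cipher is a counter-mode keystream derived from HMAC-SHA256 standing in for AES (the Python standard library ships no AES), and the keys, addresses and inner packet are constructed for the demo.

```python
"""Tunnel-mode encapsulation demo (added example; simplified ESP-like layout).

Assumptions: simplified headers, HMAC-SHA256 counter-mode keystream in place
of AES, constructed keys/addresses/payload. Real IP protocol number 50 = ESP.
"""
import hashlib
import hmac
import ipaddress
import os
import struct

ESP_PROTO = 50          # real IP protocol number for ESP
ICV_LEN = 16            # truncated HMAC tag carried after the ciphertext
OUTER_LEN = 4 + 4 + 1   # simplified outer header: src, dst, protocol


def _keystream(key: bytes, spi: int, seq: int, length: int) -> bytes:
    """Counter-mode keystream keyed by (SPI, sequence number, block index).
    Stand-in for AES-CTR/GCM (assumption); (key, spi, seq) must never repeat."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">IIQ", spi, seq, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encapsulate(enc_key, auth_key, spi, seq, outer_src, outer_dst, inner_packet):
    """Gateway send side: outer header || SPI || seq || ciphertext || ICV."""
    ciphertext = _xor(inner_packet, _keystream(enc_key, spi, seq, len(inner_packet)))
    esp = struct.pack(">II", spi, seq) + ciphertext
    icv = hmac.new(auth_key, esp, hashlib.sha256).digest()[:ICV_LEN]
    outer = (ipaddress.IPv4Address(outer_src).packed
             + ipaddress.IPv4Address(outer_dst).packed
             + bytes([ESP_PROTO]))
    return outer + esp + icv


def observer_view(packet):
    """What a passive observer on the public network can read: gateway addresses and protocol."""
    src = str(ipaddress.IPv4Address(packet[0:4]))
    dst = str(ipaddress.IPv4Address(packet[4:8]))
    return src, dst, packet[8]


class TunnelEndpoint:
    """Gateway receive side: verify ICV, enforce an anti-replay window, decrypt."""
    WINDOW = 64  # accept sequence numbers within this many of the highest seen

    def __init__(self, enc_key, auth_key, spi):
        self.enc_key, self.auth_key, self.spi = enc_key, auth_key, spi
        self.highest = 0
        self.seen = set()  # real stacks use a sliding bitmap; a set is enough here

    def decapsulate(self, packet):
        if packet[8] != ESP_PROTO:
            raise ValueError("not ESP")
        esp, icv = packet[OUTER_LEN:-ICV_LEN], packet[-ICV_LEN:]
        # Integrity first: nothing below is trusted until the ICV verifies.
        expected = hmac.new(self.auth_key, esp, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(expected, icv):
            raise ValueError("integrity check failed")
        spi, seq = struct.unpack(">II", esp[:8])
        if spi != self.spi:
            raise ValueError("unknown SPI")
        if seq in self.seen or seq + self.WINDOW <= self.highest:
            raise ValueError("replayed or stale sequence number")
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen if s + self.WINDOW > self.highest}
        return _xor(esp[8:], _keystream(self.enc_key, spi, seq, len(esp) - 8))


def run_demo():
    """Round-trip one packet, then show a replay and a tampered copy being rejected."""
    enc_key, auth_key, spi = os.urandom(32), os.urandom(32), 0x1234
    # Constructed inner packet with private addresses that must not appear on the wire.
    inner = b"10.1.0.5 -> 10.2.0.9 TCP/445 payload: quarterly figures"
    gateway_b = TunnelEndpoint(enc_key, auth_key, spi)
    # Outer addresses are documentation ranges (constructed), standing in for the two gateways.
    packet = encapsulate(enc_key, auth_key, spi, 1, "203.0.113.10", "198.51.100.20", inner)
    results = {
        "recovered": gateway_b.decapsulate(packet) == inner,
        "private_hidden": b"10.1.0.5" not in packet and b"quarterly" not in packet,
        "observer_sees": observer_view(packet),
    }
    tampered = packet[:30] + bytes([packet[30] ^ 0xFF]) + packet[31:]  # flip one ciphertext byte
    for name, bad in (("replay", packet), ("tamper", tampered)):
        try:
            gateway_b.decapsulate(bad)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = str(err)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running it shows the three properties a site-to-site tunnel is bought for: the inner packet comes back intact at the far gateway, none of its private addresses or payload is visible on the public path, and a duplicated or altered packet is dropped before it reaches the private network.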

Additional security is provided through firewalls at sites that participate in the VPN.

To begin, you must assess your WAN requirements and determine whether those needs would be best served by an IP VPN solution.

Factors that typically drive this assessment include:

  • The need to keep data private and protect IT resources from malicious attacks
  • Using the Internet to reach numerous locations throughout the U.S. or around the world
  • Need for an efficiently meshed topology that allows direct communication between sites
  • Allowing remote users/sites to access the network via their local ISP (dial-up, cable or DSL)
  • Deploying a computer network that business partners can access via their existing Internet connection
  • Providing branch offices with direct access to the Internet and the WAN over a single circuit
  • Provisioning higher bandwidth for demanding applications like remote data storage
  • Accommodating bursty applications (such as large document transfers) without compromising performance
  • Uniting a diverse set of applications on a single WAN for greater efficiency

After the assessment, it’s just a matter of deciding which type of IP VPN best suits your needs, how the various types of IP VPNs are deployed, and which IP VPN service provider to choose.

Types of IP VPNs

There are two general categories of IP VPNs, CPE-based and Network-based, along with a variety of technologies and ways that they can be implemented.

CPE-based IP VPNs

A CPE-based IP VPN can be deployed using firewalls with VPN capability at each location. Recently, however, firewall/VPN appliances have been introduced with Application Specific Integrated Circuits (ASICs) that encrypt/decrypt data much faster than software. Another approach is to integrate the VPN encryption functionality into the router, a “single-box” approach that can be much more cost-effective and is easier to manage.

The primary advantage of the CPE-based approach is that it encrypts/decrypts data at the customer location, which ensures the highest level of protection across the entire WAN.

It enables sending data across the public Internet with the comfort of knowing that even if someone intercepted it, they would have an extremely difficult time decrypting and exposing the information.

This ability to use the public Internet makes the CPE-based approach an ideal solution for sites that are connected to the Internet via different ISPs (e.g., as a result of an acquisition), and for providing access to telecommuters and mobile workers.

The primary disadvantages of a CPE-based IP VPN are the cost and time associated with deploying and managing the CPE and hub-site equipment, and administering the site-to-site VPN tunnels. Naturally, the more sites one has, the more equipment one needs to purchase, deploy and manage.

Network-based IP VPNs

Network-based IP VPNs perform all of the site-to-site VPN functionality within the service provider’s network, using either IPSec encryption or Multiprotocol Label Switching (MPLS). To offer MPLS network-based IP VPNs, service providers run MPLS on the routers in their POPs to build Label-Switched Paths (LSPs) across their network.

The general advantage of network-based IP VPNs is that they require much less capital expenditure for the customer than the CPE-based approach and they limit the number of VPN tunnels that need to be managed.

The most significant advantage of an MPLS network-based IP VPN is the enhanced performance, which enables customers to unite all of their data communications onto a single network infrastructure for on-net/off-net sites and remote users (one router, one local loop, one access port, etc.) and to assign different Classes of Service to each application or source/destination address.

MPLS network-based IP VPNs are limited to those sites that can be reached by dedicated or Layer 2 access technologies (dedicated T1/T3s, frame relay or Layer 2 DSL). CPE-based IP VPNs, on the other hand, can reach any site that has Internet access.

Also, with a CPE-based IP VPN, the encryption can degrade performance and, unlike with MPLS, there is no bi-directional Class of Service capability; performance-sensitive applications can be prioritized only in the outbound direction.

This document consists of excerpts from the Implementing an IP VPN white paper by MegaPath. The entire article is available on www.t1town.com under data services.
