Understanding VPN models

VPN services can be offered as two major models:

Overlay model

  • service provider provides virtual point-to-point links between customer sites
  • Frame relay, ATM, X.25, IPSEC, GRE
  • In overlay model SP dont know anything about customer routes! He doesnt participates in customer routing. He doesnt receive any customer routers. He decide how to proceed the packet based on extra information he adds to the packet (encapsulate, for example DLCI for Frame relay) when it enters its infrastructure.

Peer-to-peer model

  • service provider participates in the customer routing
  • now you run routing between PE and CE! And SP see the customer routes and route them

 VPN classification

vpn clasification







SP encapsulate customer IP packet with different technology and then switch the traffic based on this new encapsulation (Frame relay DLCI for example). This creates logical point-to-point tunnel


SP encapsulate customer IP packet with new IP packet, thus creating point to point logical tunnel

Peer-to-Peer VPNs: ACLs (Shared router)

Customers can share same physical PE router. Isolation between customers is achieved with the use of ACLs on PE-to-CE interfaces.

Peer-to-Peer VPNs: Split Routing (Dedicated router)

Each customer has a dedicated PE router that carries only its routes. Isolation between customers is achieved by lack of routing information on the PE router.


We have concept known as VRF, which creates from one physical many virtual routers. VRF router maintain one global routing table and then other customer routing tables. Each routing table is isolated with other routing tables. Will see more details further

Overlay VPN advantages and disadvantages

  • Well known and easy to implement 🙂
  • SP does not participates in customer routing – it will not receive any customer routes! it is just responsible for providing point to point virtual connections 🙂
  • Customer network and service provider network are well isolated 🙂
  • Implementing optimum routing requires a full mesh of VCs – in hub and spoke you dont have redundancy and in partial mesh just some sites got redundancy 🙁
  • VCs have to be provisioned manually 🙁
  • Overlay VPNs always add some encapsulation ovrhead 🙁

Peer-to-Peer VPN advantages and disadvantages

  • guarantees optimum routing between customer sites – becaues now SP contain the customer routes it can provide the best path to all the customer sites. 🙂
  • easier to provision and additional VPN – you just need to add link between CE and PE router. SP dont have to create any VC between new site and HQ etc… 🙂
  • SP participates in customer routing. Filters should be applied to customer links 🙁
  • SP becomes responsible for customer convergence 🙁
  • PE routers carry all routes from all customers 🙁
  • A secure environment must be provided for customers 🙁
  • Complex configuration 🙁
  • The SP needs detailed IP routing knowledge 🙁


When speaking about MPLS it can be clasified in both overlay and peer-to-peer model. It receive customer routes and participates in customer routing and also it encapsulate the IP packet. It brings the best of both VPN models.