1.16 Connectivity Overview

VPN solutions can be categorized into three main groups:

  • MPLS VPNs – The ISP forwards customer traffic using labels distributed among its core routers (see also the previous section)
    • L3 MPLS – The customer router peers at layer 3 with the provider's PE device; the provider usually redistributes customer routes into multi-protocol BGP (MP-BGP) for transport across the WAN
    • L2 MPLS – Customer site routers peer directly with each other; the PE device appears as a normal L2 hop. This is built on pseudowires.
      • VPWS (Virtual Private Wire Service) – A point-to-point L2 MPLS service that resembles a leased line.
      • VPLS (Virtual Private LAN Service) – A point-to-multipoint L2 MPLS service that resembles a normal Ethernet broadcast network.
  • Tunneling VPNs – Encapsulate traffic in a carrier protocol; the transport network the tunnel crosses does not need to see the tunnel's contents. There are three main types.
    • GRE – Initially developed by Cisco, it tunnels multicast and non-routable protocols. It is not encrypted, but can be paired with IPsec to secure it.
    • IPsec – A suite of protocols providing encryption, authentication, and integrity for a communication.
    • DMVPN – Dynamic Multipoint VPN provides a scalable way to fully mesh IPsec tunnels among multiple remote sites participating in hub-spoke or spoke-spoke architectures. It uses multipoint GRE (mGRE), IPsec, and Next-Hop Resolution Protocol (NHRP). It can also support environments with dynamic IP addressing on interfaces, such as you'd find on DSL and residential cable connections.
  • Hybrid VPNs – Essentially a mix of the two previous types, usually implemented when a customer needs the privacy or CoS guarantee of a provider MPLS service but also wants to run an IGP over GRE or secure customer data with IPsec using DMVPN. The drawbacks of this type of deployment are the additional MTU overhead required for multiple tunneling protocols, as well as added complexity.
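The MTU overhead of stacked tunnels is easiest to see with a budget calculation. The following is an added example, not part of the original notes; it assumes IPv4 headers without options (20 bytes), a GRE header without the optional key/sequence/checksum fields (4 bytes), and the IV/ICV sizes of the two named ESP cipher suites, and it reports the largest inner packet that still fits a 1500-byte link (the value you would configure as the tunnel interface MTU).

```python
IPV4_HDR = 20      # outer IPv4 header, no options (assumption)
GRE_HDR = 4        # GRE flags/version + protocol type only (assumption)
ESP_HDR = 8        # ESP SPI + sequence number
ESP_TRAILER = 2    # ESP pad length + next header

# Cipher profiles: (IV bytes, ICV bytes, padding alignment).
# Constructed from the algorithm specs: CBC pads the protected data
# to the 16-byte cipher block, GCM only to the 4-byte ESP minimum.
PROFILES = {
    "aes128-cbc/hmac-sha1-96": (16, 12, 16),
    "aes128-gcm": (8, 16, 4),
}

def esp_size(payload_len, profile, tunnel_mode):
    """Bytes on the wire after ESP protects payload_len bytes."""
    iv, icv, align = PROFILES[profile]
    # RFC 4303: payload + padding + trailer must be a multiple of the
    # cipher block size, and in any case of 4 bytes.
    pad = (-(payload_len + ESP_TRAILER)) % align
    size = ESP_HDR + iv + payload_len + pad + ESP_TRAILER + icv
    # Tunnel mode prepends a new outer IP header; transport mode keeps
    # the existing delivery header in front of ESP.
    return size + IPV4_HDR if tunnel_mode else size

def wire_size(inner_len, profile, tunnel_mode=True, gre=True):
    """Size of an inner IP packet after GRE (optional) and IPsec."""
    # GRE delivery packet: delivery IP header + GRE header + inner packet
    pkt = inner_len + GRE_HDR + IPV4_HDR if gre else inner_len
    if tunnel_mode:
        return esp_size(pkt, profile, True)
    # Transport mode: ESP is inserted after the delivery IP header.
    return IPV4_HDR + esp_size(pkt - IPV4_HDR, profile, False)

def max_inner_mtu(link_mtu, profile, tunnel_mode=True, gre=True):
    """Largest inner packet that crosses link_mtu unfragmented."""
    # ESP padding makes the overhead non-monotonic, so search downward.
    for inner in range(link_mtu, 0, -1):
        if wire_size(inner, profile, tunnel_mode, gre) <= link_mtu:
            return inner
    raise ValueError("link MTU too small for this encapsulation")

if __name__ == "__main__":
    for prof in PROFILES:
        for mode in (True, False):
            print(f"GRE over IPsec {prof:24} {'tunnel' if mode else 'transport':9}"
                  f" on a 1500-byte link -> inner MTU {max_inner_mtu(1500, prof, mode)}")
```

With AES-CBC/SHA1 in tunnel mode the inner MTU comes out at 1414 bytes, which is why a conservative 1400-byte tunnel MTU is a common configuration choice for GRE over IPsec.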