A Virtual Private Network (VPN) is a private network built over a public infrastructure, such as a service provider's network. The separation is virtual, since the same physical transport infrastructure is shared. The VPN keeps its own addressing and routing scheme, separate from the provider's. The provider supplies the connectivity between the sites of the customer's VPN, so that only those sites have visibility of one another. The provider ensures that an unauthorized device cannot access the VPN and, in addition, connects the remote sites transparently across its network.
Since IP/MPLS is the most mature technology for this purpose, it is used to build the different types of IP-based VPNs. For a subscriber that deploys a VPN scheme over the Internet, it reduces costs and allows a single connection to carry multiple services. The provider gains a new type of service, and with it a new line of business, on the same transport infrastructure.
As for VPN categories, layer 3 VPNs (L3VPNs) are classified as provider-provisioned: the responsibility for creating and managing the channels that carry private traffic between the sites lies with the provider. The provider uses MPLS as the transport for the channels between the private sites. Other provider-provisioned VPNs include BGP L2VPNs, LDP L2VPNs and VPLS.
In L3VPNs, the provider takes part in the customer's routing scheme. Provider Edge (PE) routers create and maintain dedicated routing tables that keep each customer's private routes apart from the provider's own routes. The provider takes on the responsibility of handling a routing table specific to each VPN and of distributing those routes to the remote sites of that VPN. A PE router keeps a separate table for every VPN configured on it, and populates it with the prefixes received from the Customer Edge (CE) routers attached to it. The PE router then announces these VPN-specific routes over Multiprotocol BGP (MP-BGP) sessions to the other PEs where the VPN is present. MP-BGP carries the VPN information, distributes the routes specific to each VPN and negotiates a label for the VPN. The receiving PE places each announced route in the table of the corresponding VPN, which it identifies from the BGP extended community attributes carried in the announcement. For forwarding, the VPN traffic is sent over MPLS LSPs, which can be signaled with LDP or RSVP; the signaling protocol negotiates the labels known as outer labels or transport labels. At the control level, the MP-BGP session negotiates a label associated with the VPN so that the receiving PE can identify it; this label is pushed before the transport label and becomes the inner label or VPN label. It is important to highlight that a single MP-BGP session signals and controls all the VPNs between two PE routers. Likewise, a single transport LSP carries all the traffic between a pair of PE routers, which makes the scheme highly scalable.
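The route distribution and label stacking described above, as an added Python model that is not part of the original page or of any router implementation. VRF names, route distinguishers, route targets (the extended communities), PE addresses and label values are all constructed. It shows that a route carrying one customer's extended community is only installed in VRFs whose import policy admits it, even when two customers use the same prefix, and which two-label stack a PE pushes toward the remote PE.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

@dataclass
class Vrf:                      # per-VPN routing table on a PE (values below are constructed)
    rd: str                     # route distinguisher: keeps overlapping customer prefixes distinct
    export_rt: Set[str]         # extended communities attached when a route leaves this VRF
    import_rt: Set[str]         # extended communities that admit a route into this VRF
    table: Dict[str, Tuple[str, int]] = field(default_factory=dict)  # prefix -> (next-hop PE, VPN label)

@dataclass
class VpnRoute:                 # one VPNv4 announcement on the single MP-BGP session between two PEs
    rd: str
    prefix: str
    next_hop_pe: str
    vpn_label: int
    route_targets: Set[str]

class PE:
    def __init__(self, loopback: str, vrfs: Dict[str, Vrf]):
        self.loopback, self.vrfs, self.next_label = loopback, vrfs, 100
    def learn_from_ce(self, vrf_name: str, prefix: str) -> VpnRoute:
        """Prefix received from the attached CE: install locally and allocate the VPN (inner) label."""
        vrf = self.vrfs[vrf_name]
        label, self.next_label = self.next_label, self.next_label + 1
        vrf.table[prefix] = ("local", label)
        return VpnRoute(vrf.rd, prefix, self.loopback, label, set(vrf.export_rt))
    def receive_announcement(self, route: VpnRoute) -> List[str]:
        """Install the route only in VRFs whose import policy matches its extended communities."""
        installed = [n for n, v in self.vrfs.items() if v.import_rt & route.route_targets]
        for n in installed:
            self.vrfs[n].table[route.prefix] = (route.next_hop_pe, route.vpn_label)
        return installed
    def label_stack(self, vrf_name: str, prefix: str, transport: Dict[str, int]) -> List[int]:
        """Outer transport label (LDP/RSVP LSP to the remote PE) followed by the inner VPN label."""
        next_hop, vpn_label = self.vrfs[vrf_name].table[prefix]
        return [] if next_hop == "local" else [transport[next_hop], vpn_label]

def build_scenario() -> Tuple[PE, PE, Dict[str, int]]:
    """Two customers, both numbered 10.0.0.0/24, attached to PE1 and announced to PE2 (constructed)."""
    def vrfs() -> Dict[str, Vrf]:
        return {"CUST_A": Vrf("65000:1", {"65000:1"}, {"65000:1"}),
                "CUST_B": Vrf("65000:2", {"65000:2"}, {"65000:2"})}
    pe1, pe2 = PE("192.0.2.1", vrfs()), PE("192.0.2.2", vrfs())
    for vrf_name in ("CUST_A", "CUST_B"):
        pe2.receive_announcement(pe1.learn_from_ce(vrf_name, "10.0.0.0/24"))
    transport = {"192.0.2.1": 3001}   # one transport LSP from PE2 to PE1, shared by every VPN
    return pe1, pe2, transport
```

The import policy of each VRF is the control that keeps the VPNs apart: a VRF that imports a route target belonging to another customer will receive that customer's prefixes, so import and export targets are worth auditing on every PE.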
In L3VPN environments, the customer delegates the routing between its sites to the provider and perceives the provider's network as a single layer 3 hop. The customer therefore does not have to worry about inter-site routing and can concentrate on its own network. For its part, the provider can offer additional services on the same IP/MPLS infrastructure. Moreover, within the provider's network the VPN-related state exists only on the PE equipment, so the use of network resources is optimized.
More information at: http://tools.ietf.org/html/rfc4364