A Virtual Private Network (VPN) is a private network built over a public infrastructure, such as a service provider's network. The separation is virtual, since the same physical transport infrastructure is shared. The VPN keeps its own addressing and routing scheme, separate from the provider's. The provider supplies connectivity between the sites of the client VPN so that only those sites have visibility of each other. The provider ensures that an unauthorized device cannot access the VPN and, in addition, connects the remote sites transparently across its network.
Since IP/MPLS is the most widely deployed technology, it is used to create the different types of IP-based VPNs. For a subscriber deploying a VPN over the Internet, this reduces costs and allows a single connection to carry multiple services. The provider creates a new type of service, and thus a new business, using the same transport infrastructure.
In terms of VPN categories, layer 2 VPNs (L2VPNs) are classified as provider-provisioned. This means that the provider is responsible for creating and managing the channels that carry private traffic between the sites. The provider uses MPLS as the transport to build those channels between the private sites. Other examples of VPNs of this type include BGP L3VPNs and VPLS.
With L2VPNs, layer 2 connectivity is achieved between sites by tunnelling the different layer 2 technologies through LSP paths. In this way, layer 2 frames are carried between two remote sites. From the client's point of view, the provider's network emulates a direct connection (a wire) between the sites. L2VPNs are point-to-point VPNs. The client's edge devices (Customer Edge routers, CE) map the traffic onto a specific circuit (Ethernet, ATM, Frame Relay, etc.) and send it to the provider's edge router (Provider Edge router, PE). The provider encapsulates the traffic in an LSP and sends it to the remote PE router associated with that connection. To obtain connectivity among several sites of an L2VPN, a full mesh between PE routers must be configured; for such applications VPLS can be considered instead.
The client's frames are transmitted with a stack of two MPLS labels. The outer label identifies the LSP between the PE routers, and the inner label identifies the VPN (layer 2 circuit) being interconnected. This scheme lets many VPNs share the same transport LSP. Since the connection across the provider is made at layer 2, the client's routing scheme is implemented on the CE devices and does not involve the provider.
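To make the two-label scheme concrete, here is an added Python example (not code from the original text or from any vendor) that builds and dissects the MPLS label stack an L2VPN frame carries, separating the transport label from the VPN circuit label and rejecting a stack with no bottom-of-stack entry. It generalises the page's two-label case by treating any labels above the bottom one as transport labels; the label values 18 and 100000 and the Ethernet bytes are constructed sample data.

```python
import struct

# Each MPLS label stack entry (RFC 3032) is 32 bits:
#   20-bit label | 3-bit TC (EXP) | 1-bit S (bottom of stack) | 8-bit TTL

def encode_label_stack(entries):
    """Pack (label, tc, ttl) tuples, outermost first; the last entry gets S=1."""
    out = bytearray()
    for index, (label, tc, ttl) in enumerate(entries):
        if not (0 <= label < 1 << 20 and 0 <= tc < 8 and 0 <= ttl < 256):
            raise ValueError("field out of range")
        bottom = 1 if index == len(entries) - 1 else 0
        out += struct.pack("!I", (label << 12) | (tc << 9) | (bottom << 8) | ttl)
    return bytes(out)

def decode_label_stack(data):
    """Walk the stack until the S bit is set; return the entries and the payload."""
    entries, offset = [], 0
    while True:
        if offset + 4 > len(data):
            raise ValueError("truncated label stack (no bottom-of-stack entry)")
        (word,) = struct.unpack_from("!I", data, offset)
        entries.append({"label": word >> 12, "tc": (word >> 9) & 0x7,
                        "bos": (word >> 8) & 0x1, "ttl": word & 0xFF})
        offset += 4
        if entries[-1]["bos"]:
            return entries, data[offset:]

def split_l2vpn_packet(data):
    """Outer label(s) = transport LSP between PEs; bottom label = VPN circuit.

    Assumption (generalising the page's two-label case): any extra labels
    above the bottom one are also treated as transport labels."""
    entries, payload = decode_label_stack(data)
    if len(entries) < 2:
        raise ValueError("L2VPN frame needs a transport label and a VPN label")
    return {"transport_labels": [e["label"] for e in entries[:-1]],
            "vpn_label": entries[-1]["label"],
            "payload": payload}

# Constructed sample: transport LSP label 18, VPN circuit label 100000,
# followed by a constructed (truncated) Ethernet header as the payload.
SAMPLE_FRAME = encode_label_stack([(18, 0, 255), (100000, 0, 255)]) + bytes.fromhex(
    "0011223344550066778899aa0800")

if __name__ == "__main__":
    print(split_l2vpn_packet(SAMPLE_FRAME))
```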
There are two variants of layer 2 VPNs. The difference between them lies in the signaling and control protocol they use to establish sessions between PE routers and to negotiate the VPN label. The schemes are BGP L2VPN (using the BGP protocol, draft-kompella) and LDP L2VPN, also called LDP L2 Circuit (using the LDP protocol, RFC 4447). With BGP, greater scalability and new services such as neighbor auto-discovery are achieved, but the scheme becomes more complex. With LDP, the environment is simpler, but each neighbor must be configured explicitly and, as a consequence, scalability is lost.
With these technologies, the client can outsource the transport of circuits while keeping control of routing, using whichever layer 3 protocol it wishes. The provider, in turn, can use its existing IP/MPLS infrastructure to offer a new value-added service, and can use the same transport LSP for all the services between a pair of PE routers.
More information at: http://tools.ietf.org/html/rfc6624