Hierarchy Of VPN - HoVPN

Hierarchy Of VPN - HoVPN

Hierarchical Model and Plane Model

On a BGP/MPLS IP VPN, as the key devices, PEs perform the following functions:
  • PEs ensure the access for users, and thus require a great number of interfaces.
  • PEs manage and advertise VPN routes, and process user packets. Thus, the PEs require large-capacity memory and high forwarding capabilities.
Currently, the hierarchical architecture is adopted by most networking schemes. For example, the typical architecture of a MAN consists of three layers: the core layer, convergence layer, and access layer. From the core layer to the access layer, the performance requirements for devices decline, but the network scale enlarges.
A BGP/MPLS IP VPN uses a plane model, which has the same performance requirement for all the PEs. If certain PEs have problems in performance or scalability, the whole network is affected.
The BGP/MPLS IP VPN plane model is not the same as the typical hierarchical model. In the plane model, deployment of PEs is hindered by poor scalability on each layer. Therefore, the plane model is unfavorable for VPN deployment on a large scale.


To improve scalability, a BGP/MPLS IP VPN must use the hierarchical model instead of the plane model.
In a Hierarchy of VPN (HoVPN), the functions of a PE are distributed among multiple PEs. Playing different roles, these PEs form a hierarchical architecture and fulfill the functions of a centralized PE. For this reason, the solution is also called a Hierarchy of PE (HoPE).
On an HoVPN, the routing and forwarding capabilities of the devices of higher levels must be stronger than those of lower levels.

Advantages of HoVPN

The HoVPN model has the following advantages:
  • A BGP/MPLS IP VPN can be divided into different hierarchies. If the performance of an underlayer PE (UPE) does not satisfy the requirements, a superstratum PE (SPE) can be added, and the UPE accesses the new SPE. When the service access capabilities of the SPE is insufficient, UPEs can be added to the SPE.
  • Label forwarding is performed between UPEs and SPEs. Thus, a UPE and an SPE need be connected through only a pair of interfaces or sub-interfaces. Thus, interface resources are saved.
  • If UPEs and SPEs are separated by an IP or MPLS network, GRE or LSP tunnels are set up to connect the UPEs and SPEs. A layered MPLS VPN features excellent scalability.
  • The UPEs need maintain only the local VPN routes. All the remote routes are represented by a default or aggregated route. This lightens the burden on the UPEs.
  • SPEs and UPEs exchange routes and advertise labels through the Multi-protocol Extensions for Border Gateway Protocol (MP-BGP). Each UPE sets up only one MP-BGP peer. Thus, the protocol cost is low and the configuration load is little.

Architecture of an HoVPN

Figure 1 Architecture of an HoVPN
As shown in Figure 1, the devices that are directly connected to user devices are called underlayer PEs or UPEs; on the internal network, the device that is connected to UPEs is called a superstratum PE or an SPE.
The relationships between the UPEs and the SPE are as follows:
  • The UPEs provide the access service for users. The UPEs maintain the routes of the directly connected VPN sites. The UPEs do not maintain the routes of the remote VPN sites, or only maintain their aggregation routes. The UPEs assign inner labels to the routes of the directly connected sites, and advertise the labels with the VPN routes to the SPE through MP-BGP.
  • The SPE mainly manages and advertises VPN routes. The SPE maintains all the routes of the VPN sites connected through the UPEs, including the routes of the local and the remote sites. Instead of advertising routes of the remote sites to the UPEs, the SPE advertises the default routes of VPN instances that carry labels to the UPEs.
  • Label forwarding is adopted between the UPEs and the SPE. Thus, only one interface of the SPE is required to connect to a UPE. The SPE does not need to provide many interfaces for access users. The interface that connects the UPEs and the SPE can be a physical interface, a sub-interface such as VLAN and Permanent Virtual Circuit (PVC), or a tunnel interface such as GRE and LSP. If a tunnel interface is used, and an IP network or an MPLS network resides between the SPE and the UPEs, the SPE and the UPEs can communicate. Labeled packets are transmitted through the tunnel. If the tunnel is a GRE tunnel, it must support the MPLS encapsulation.
Different roles of an SPE and a UPE result in different requirements, which are as follows: the SPE requires a large-capacity routing table, high forwarding performance, and less interface resources; the UPE requires a small-capacity routing table, low forwarding performance, and high access capabilities.
Note that the SPE and UPE are relative concepts. In an HoVPN, the superstratum PE is the SPE of the underlayer, and the underlayer PE is the UPE of the superstratum.
An HoPE can coexist with common PEs in an MPLS network.


If an SPE and a UPE belong to the same AS, MP-BGP running between the SPE and the UPE is MP-IBGP. If they belong to different ASs, MP-BGP running between them is MP-EBGP.
When MP-IBGP is used, to advertise routes between the IBGP peers, the SPE can function as the RR of multiple UPEs. To reduce the number of routes on the UPEs, the SPE is not recommended to function as an RR for other PEs.

Embedding and Extension of an HoVPN

An HoVPN supports the embedding of HoPEs.
  • An HoPE can function as a UPE, and compose a new HoPE with an SPE.
  • An HoPE can function as an SPE, and compose a new HoPE with multiple UPEs.
  • An HoPE can be embedded recursively in the preceding two modes.
The embedding of an HoPE can infinitely extend a VPN in theory.

Figure 2 Embedding of an HoVPN
Figure 2 shows a three-layer HoPE, and the PE in the middle is called the middle-level PE (MPE). MP-BGP runs between the SPE and the MPE, and between the MPE and the UPEs.
The MPE does not actually exist in an HoVPN model. The concept is introduced just for the convenience of description.
MP-BGP advertises all the VPN routes of the UPEs to the SPE, but advertises only the default routes of the VPN instances of the SPE to the UPEs.
The SPE maintains the routes of all VPN sites that the PEs access, whereas the UPE maintains only the VPN routes of the directly connected VPN sites. The numbers of routes maintained by the SPE, MPE, and UPE are in descending order.

Networking Applications

  • HoVPN extension
    If an MPLS VPN spans a country, the VPN is generally of a flat structure, that is, the MPLS VPN services are provided through the backbone network. In the flat structure, the PEs of the backbone network are generally deployed in the central cities. The CEs are converged to a PE through one link respectively, as shown in Figure 3.
    Figure 3 Networking diagram of a non-HoVPN
    In this networking mode, a lot of resources of WAN links are consumed when the remote CEs access the central cities. The scale of the backbone network is limited, which leads to the poor scalability and limited coverage of the VPN.
    On the contrary, if the HoVPN model is adopted, UPEs can be deployed even in counties, and the VPN users access the adjacent UPEs before being converged to the central cities, as shown in Figure 4. The coverage of the VPN can be extended. The services can be smoothly upgraded and the network can be extended as required. The SPEs and UPEs can reside within an AS or serve as joints between ASs.
    Figure 4 Networking diagram of an HoVPN
  • UPE connected to multiple SPEs
    The networking mode in which a UPE is connected to multiple SPEs is called multi-homed UPE. In this networking mode, the multiple SPEs advertise the VRF default routes to the UPE. The UPE selects one of the routes as the optimal route, or selects multiple routes to perform load balancing.
    The UPE advertises all the VPN routes to the multiple SPEs, or just part of routes to each SPE to implement load balancing.
  • HoVPN of an inter-AS VPN
    • As shown in Figure 5, the backbone network and the MANs belong to different ASs. The SPEs are deployed in the backbone network; the UPEs are deployed in the MANs. The UPEs advertise all the MAN routes to the SPEs; the SPEs advertise only the default routes of the VPN instances to the UPEs. Thus, the MANs need only maintain the routes of the internal VPN sites instead of the routes of sites outside the MANs. The backbone network must maintain the routes of all the VPN sites.
    • In an inter-AS scheme, MP-EBGP or multi-hop EBGP can be adopted between SPEs and UPEs.
    • In an inter-AS HoVPN, the high-level network, namely, the backbone network handles the global services; the low-level network, namely, the MAN need deal with only the local services. Thus, the global VPN service development does not challenge the capacity and extension of the low-level network.
    Figure 5 Inter-AS HoVPN


  1. Simply perfect! Excellent explanation

  2. NordVPN's most huge thing is that it has a better than average measure of worldwide assets, ensuring that you can be guaranteed of a customer's better.
    If you want to know more, Please visit website