
HVPN

Updated on Apr 2, 2024

What Is HVPN?

Hierarchy VPN (HVPN) is a VPN technology designed for use in hierarchical networks. Traditional BGP/MPLS IP VPNs typically employ a flat network model, which requires all provider edges (PEs) to have uniform performance capabilities. If certain PEs have lower performance capabilities, they can degrade overall network performance and limit the number of users that can access the network. In contrast, HVPN transforms the flat network model into a hierarchical structure, reducing the performance requirements for devices at each level. This enhances network scalability and simplifies the planning and design of large-scale networks.

Background of HVPN

A BGP/MPLS IP VPN operates on a flat network model, utilizing the Border Gateway Protocol (BGP) for VPN route advertisement and Multiprotocol Label Switching (MPLS) for forwarding VPN packets within the service provider's backbone network.

In a BGP/MPLS IP VPN, the deployment of VPN services places significant pressure on Provider Edge (PE) routers, as they are required to provide consistent performance levels. As the network expands in size and service complexity, certain PE routers may not meet the necessary access requirements. In a flat network structure, performance issues with specific PEs can impact the overall network performance and scalability, hindering large-scale VPN deployments. Additionally, hierarchical architectures are commonly used in many network design scenarios.

To address these challenges and prevent the performance limitations of certain PEs from affecting the entire network and restricting the number of access users, transitioning from a flat model to a hierarchical model is necessary for BGP/MPLS IP VPNs. This transition involves the deployment of HVPN.

HVPN Networking

Device Classification in HVPN

Superstratum Provider Edge (SPE): A type of PE connected to UPEs and located in the core of the network. The SPE, also known as a service provider-end PE, manages and advertises VPN routes.

Underlay Provider Edge (UPE): A type of PE directly connected to users. The UPE, also known as a user-end PE, primarily offers access services for users.

Network Provider Edge (NPE): A type of PE connected to SPEs and situated on the network side. The NPE is also known as a network provider-end PE.

The roles of SPEs and UPEs reflect the characteristics of PEs at different levels. UPE and SPE roles are relative concepts. In a hierarchical PE structure, an upper-level PE is the SPE relative to the lower level, and a lower-level PE is the UPE relative to the upper level.

Functions of Devices in an HVPN

  • A UPE is primarily responsible for user access. It only needs to maintain routes for directly connected VPN sites, representing routes for remote VPN sites with a default or summary route. The UPE assigns inner VPN labels to its directly connected site routes and uses MP-BGP to advertise these labels, along with VPN routes, to the corresponding SPE.

  • An SPE is responsible for maintaining and distributing VPN routes. It maintains all VPN routes, including those from local and remote sites.

  • An NPE connects to SPEs to learn routes from UPEs.

UPEs and SPEs exchange packets based on labels and require only one interface for interconnection. SPEs do not need to provide numerous interfaces for user access. The interconnection interfaces between UPEs and SPEs can be physical interfaces, sub-interfaces, or tunnel interfaces. If there is an IP or MPLS network between a UPE and an SPE, they can be connected through tunnel interfaces to exchange labeled packets over a tunnel.

SPEs and UPEs have different requirements based on their network roles. SPEs need large-capacity routing tables and high forwarding performance but few interface resources. UPEs, on the other hand, need only low-capacity routing tables and low forwarding performance but high access capabilities.
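An added example (not from the original page): a small Python model of the route state described above. It compares per-device VPN route counts in the flat and hierarchical models and traces a packet from a UPE through the SPE to the remote UPE. The topology, VPN names, prefixes and label values are constructed, and the SPE's default route is modelled without a label.

```python
import ipaddress

def lookup(table, vpn, dst):
    """Longest-prefix match within one VPN; returns (prefix, next_hop, label) or None."""
    addr = ipaddress.ip_address(dst)
    hits = [(p, nh, lbl) for (v, p), (nh, lbl) in table.items()
            if v == vpn and addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: ipaddress.ip_network(h[0]).prefixlen, default=None)

def build_flat(sites):
    """Flat model: every PE holds every route of each VPN it serves."""
    routes = [(v, p, pe) for pe, rs in sites.items() for v, p in rs]
    return {pe: {(v, p): ("local" if o == pe else o, None)
                 for v, p, o in routes if v in {x for x, _ in rs}}
            for pe, rs in sites.items()}

def build_hvpn(sites, spe="SPE1"):
    """HVPN model: UPEs hold local routes plus one default per VPN; the SPE holds all."""
    tables, label = {spe: {}}, 1000          # label values are constructed
    for upe, rs in sites.items():
        tables[upe] = {}
        for vpn, prefix in rs:
            label += 1
            tables[upe][(vpn, prefix)] = ("local", None)
            tables[spe][(vpn, prefix)] = (upe, label)      # advertised with its inner label
        for vpn in {v for v, _ in rs}:
            tables[upe][(vpn, "0.0.0.0/0")] = (spe, None)  # stands in for all remote sites
    return tables

def forward(tables, ingress, vpn, dst):
    """Devices a packet visits, starting at the ingress PE; ends in 'drop' if no route."""
    path, node = [ingress], ingress
    while True:
        hit = lookup(tables[node], vpn, dst)
        if hit is None:
            return path + ["drop"]
        if hit[1] == "local":
            return path
        node = hit[1]
        path.append(node)

# Constructed topology: eight UPEs in vpnA, two of them also in vpnB (overlapping 10.2/16).
SITES = {f"UPE{i}": [("vpnA", f"10.{i}.0.0/16")] for i in range(1, 9)}
SITES["UPE1"].append(("vpnB", "10.2.0.0/16"))
SITES["UPE8"].append(("vpnB", "10.9.0.0/16"))

if __name__ == "__main__":
    flat, hvpn = build_flat(SITES), build_hvpn(SITES)
    for dev in ("UPE2", "UPE1", "SPE1"):
        print(dev, "flat:", len(flat.get(dev, {})), "hvpn:", len(hvpn[dev]))
    print(forward(hvpn, "UPE2", "vpnA", "10.5.1.1"))
    print(forward(hvpn, "UPE2", "vpnA", "10.9.0.1"))
```

In this model a destination that exists only in vpnB is dropped at the SPE when sent from vpnA, because the UPE's default route hands the lookup to the SPE's per-VPN table.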

HVPN leverages network layering advantages, such as the high performance of upper-level devices and strong access capabilities of lower-level devices, to provide PE functions. This approach is also known as the hierarchy of PE/hierarchical provider edge (HoPE).

Advantages of HVPN Networking

  • High scalability: HVPN allows for high scalability by adjusting the placement of PEs. Lower-level PEs with insufficient performance can be moved downwards by adding upper-level PEs, while upper-level PEs with insufficient access capabilities can be moved upwards by adding lower-level PEs.

  • Efficient use of interface resources: The exchange of traffic between lower-level and upper-level PEs is based on labels, requiring only one interface or sub-interface for interconnection between them.

  • Reduced burden on lower-level PEs: Lower-level PEs are only required to maintain local VPN routes, with remote VPN routes represented by a default or summary route.

  • Simplified configuration: Upper-level and lower-level PEs exchange routes and advertise labels through the dynamic routing protocol MP-BGP. Each lower-level PE only needs to establish one MP-BGP peer relationship.
