Interest in deploying virtual private networks (VPNs) across IP backbone facilities is growing every day. In general, VPNs fall into two categories: Customer Provided Equipment (CPE)-based VPNs and network-based VPNs.
With CPE-based VPNs, the ISP network provides only layer 2 connectivity to the customer. The CPE router takes ownership of setting up tunnels and handling routing with other sites. Network-based VPNs consist of a mesh of tunnels between ISP routers. They also have the routing capabilities required to forward traffic from each customer site. Each ISP router has a VPN-specific forwarding table that contains VPN member sites. The benefit offered by network-based VPNs is that the ISP is responsible for routing configuration and tunnel setup. In addition, other services, such as firewall, Quality of Service (QoS) processing, virus scanning, and intrusion detection can be handled by a small number of ISP routers. New services can be introduced and managed without the need to upgrade CPE devices.
There are typically three steps to building a VPN's infrastructure:
1) Define a topology and create tunnels using IPSec, L2TP, PPTP, GRE, or MPLS.
2) Configure routing on the edge routers to disseminate site- and intra-VPN reachability information.
3) Enable such services as firewall, QoS, and so forth.
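The following added example (not part of the original text) models steps 1 and 2 above, together with the VPN-specific forwarding table described earlier, in Python. A declarative membership description is turned into a full mesh of tunnels between the ISP edge routers that serve each VPN and into one forwarding table per VPN on each router; lookups are scoped to a single VPN's table, so two customers may reuse the same private address space without traffic leaking between them. The router names (pe1, pe2, pe3), site names and prefixes are constructed for illustration, and the validation rule (overlap inside one VPN is an error, overlap across VPNs is allowed) is an assumption about the provisioning policy.

```python
"""Per-VPN forwarding tables for a network-based VPN (added example).

Builds (1) a per-VPN full mesh of tunnels between the ISP edge routers
and (2) a VPN-specific forwarding table on each router, then resolves
destinations strictly inside one VPN's table. All names, sites and
prefixes are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from itertools import combinations
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Site:
    name: str
    edge_router: str        # ISP edge router the site attaches to
    prefix: IPv4Network     # address space reachable at the site


@dataclass
class Route:
    prefix: IPv4Network
    next_hop: str           # "local:<site>" or "tunnel:<remote router>"


# Constructed input: VPN id -> member sites. "acme" and "globex" deliberately
# reuse 10.0.0.0/24, as separate customers commonly do.
VPN_MEMBERS: Dict[str, List[Site]] = {
    "acme": [
        Site("acme-hq", "pe1", IPv4Network("10.0.0.0/24")),
        Site("acme-branch", "pe2", IPv4Network("10.0.1.0/24")),
    ],
    "globex": [
        Site("globex-hq", "pe1", IPv4Network("10.0.0.0/24")),
        Site("globex-dc", "pe3", IPv4Network("192.168.50.0/24")),
    ],
}


def validate(members: Dict[str, List[Site]]) -> List[str]:
    """Return a list of problems. Overlapping prefixes inside one VPN would
    make routing ambiguous; overlap across VPNs is fine because each VPN
    has its own table (assumed policy)."""
    problems = []
    for vpn, sites in members.items():
        for a, b in combinations(sites, 2):
            if a.prefix.overlaps(b.prefix):
                problems.append(f"{vpn}: {a.name} {a.prefix} overlaps {b.name} {b.prefix}")
    return problems


def build_tunnels(members: Dict[str, List[Site]]) -> Dict[str, List[Tuple[str, str]]]:
    """Step 1: one full mesh of tunnels per VPN, between the edge routers
    that host at least one of that VPN's sites."""
    mesh = {}
    for vpn, sites in members.items():
        routers = sorted({s.edge_router for s in sites})
        mesh[vpn] = list(combinations(routers, 2))
    return mesh


def build_forwarding_tables(members: Dict[str, List[Site]]) -> Dict[str, Dict[str, List[Route]]]:
    """Step 2: router -> vpn -> routes. A router only holds tables for the
    VPNs it serves; sites on this router are local, others go via the
    tunnel to the remote edge router."""
    tables: Dict[str, Dict[str, List[Route]]] = {}
    for vpn, sites in members.items():
        for router in {s.edge_router for s in sites}:
            table = tables.setdefault(router, {}).setdefault(vpn, [])
            for s in sites:
                if s.edge_router == router:
                    table.append(Route(s.prefix, f"local:{s.name}"))
                else:
                    table.append(Route(s.prefix, f"tunnel:{s.edge_router}"))
    return tables


def lookup(tables: Dict[str, Dict[str, List[Route]]], router: str, vpn: str, dst: str) -> Optional[str]:
    """Longest-prefix match restricted to the VPN's own table on this router.
    A destination with no entry in that VPN is dropped (None); it is never
    resolved through another VPN's table."""
    addr = IPv4Address(dst)
    candidates = [r for r in tables.get(router, {}).get(vpn, []) if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen).next_hop


if __name__ == "__main__":
    assert not validate(VPN_MEMBERS)
    tables = build_forwarding_tables(VPN_MEMBERS)
    print(build_tunnels(VPN_MEMBERS))
    print(lookup(tables, "pe1", "acme", "10.0.1.7"))      # tunnel:pe2
    print(lookup(tables, "pe1", "globex", "10.0.0.5"))    # local:globex-hq
    print(lookup(tables, "pe1", "acme", "192.168.50.9"))  # None: not in acme
```

The point to notice is that `lookup` takes the VPN id as a key, not just the destination address: 10.0.0.5 resolves to a different site depending on which VPN's table is consulted, and a globex prefix is unreachable from the acme table even on the router that serves both. That scoping is what makes the per-router "VPN-specific forwarding table" an isolation boundary rather than merely a routing convenience.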
Usually, IP network managers use the following model for building and maintaining their networks:
1) With the help of some network experts, design the network.
2) Use the command line interface (CLI) or ASCII configuration files to define the routing configuration.
3) Use a trial-and-error method to arrive at a working network configuration.
4) Manually manage the configuration files for the routers.
The process of building or changing a network requires significant manual effort and is slow, expensive, and error-prone. For ISPs that plan to provide VPN services, this model for provisioning VPNs is problematic: ISPs need to configure routing for many VPNs, each of which can be considered a separate network.
As noted above, building and managing one network is difficult; the problem is made much worse when the ISP must build and manage thousands of networks. For ISPs to succeed at this, a facilitation framework is required.