Virtual Private Networks (i.e., VPNS) provide a secured means for transmitting and receiving data between network nodes even though many users share a corresponding physical network supporting propagation of the data. The data transmitted between such network nodes (e.g., edge nodes of a service provider network) may or may not be encrypted to protect against eavesdropping and tampering by unauthorized parties. Because the physical network is shared, costs of using resources are generally reduced for each of many users. A typical arrangement involves customer edge (CE) routers communicating via the Internet (or shared backbone) between local area networks (LANs), that the respective edge routers protect. The edge routers establish secure, encrypted links between each other to protect the trusted LANs in the VPN.
A physical network such as a service provider network topology, therefore, may include peripherally located provider edge (PE) routers, each of which couples to one or multiple customer edge (CE) routers. The customer edge routers, in turn, may couple to private local area networks (LANs) associated with one or multiple VPNs. To support operation, the service provider's PE routers typically maintain Virtual Routing and Forwarding (VRF) information dictating how to route and forward traffic through the shared physical network to support corresponding VPNs for the different customer departments. Typically, the service provider network selectively couples the local area networks to each other through links created between its PE routers.
Dynamic Group VPNs (DGVPN) provide a scalable method for large-scale encryption between endpoints within a network based VPN environment. DGVPN provides for encryption within a single VPN partition in the sense that all sites of a VPN may participate in the encryption services, and the operator of the VPN bases this on the configuration. It also provides the necessary machinery in which to define multiple “groups” within a VPN so that different security policies may be applied to each group.
A VPN with multiple “groups” defined within it is sometimes called a “partitioned VPN”.