Service providers commonly offer network services that enable packet communication between a plurality of geographically dispersed sites associated with a subscriber. Such services may be referred to as Virtual Private Network services (VPNs). A VPN enables sites associated with the VPN to communicate with each other as if the sites were part of a single local area network.
In offering network services, service providers may use a single network infrastructure to provide the network services for more than one subscriber. In doing so, the network infrastructure segregates packets belonging to one subscriber from packets belonging to other subscribers so that one subscriber is not able to access a VPN associated with another subscriber.
Subscriber devices that are part of a VPN may send control packets to the VPN requesting that the network device that receives the control packet make a behavior or configuration change. Conventional service provider networks handle these control packets by acting on the request made by the control packet. Consequently, a subscriber device may effect a change in the service provider network without the knowledge or consent of the service provider and may thereby affect a VPN associated with another subscriber.
In addition to control packets, subscriber devices may send tagged data packets to the VPN. Conventional service provider networks may be configured to accept data packets having one of a set of tags and to drop tagged data packets having tags that are not in the set. Such networks require burdensome coordination of tags between subscribers and the service provider to prevent the network from dropping packets sent by the subscriber.