3VPN Classification according to RM-OSI
  1. VPN based on a provider’s device (PE-based VPN)

PE (Provider Edge) is the boundary device of the ISP (Internet Service Provider), which include routers, switches or devices that are a combination of both.

The PE device participates in routing and forwarding traffic based on the customer's address range. Data is typically transmitted between PE devices via VPN tunnels created using MPLS (Multi Protocol Layer Switching), IPSec, L2TPv3 or GRE. In this case, CE (Customer Edge) devices do not recognize that they are part of a VPN.

image
VPN layout based on the device of the provider

VPN tunnels are terminated at the PE boundary router and are usually configured as permanent.

  1. VPN based on customer equipment (CE-based VPN)

The CE device is a customer boundary device connected to the PE device.

PE devices in this mode do not distinguish the type of traffic, VPN connections are handled by the CE device that routes and sends user traffic. Tunnels are created between the CE devices based on IPSec or GRE.

image
VPN layout based on customer equipment

The CE devices (VPN gateway) usually have some other features for VPN clients (such as DHCP (Dynamic Host Configuration Protocol), DNS (Domain Name Server)). This solution generally puts higher demands on client authentication, as they connect anytime and anywhere.