A network architecture includes a communication network that supports one or more network-based Virtual Private Networks (VPNs) (32a, 32b). The communication network includes a plurality of boundary routers (40a, 40b, 42a, 42b) that are connected by access links (35a, 35b) to CPE edge routers (34a, 34b) belonging to the one or more VPNs (32a, 32b). To prevent traffic from outside a customer's VPN (e.g., traffic from other VPNs or the Internet at large) from degrading the QoS provided to traffic from within the customer's VPN (32a, 32b), the present invention gives precedence to intra-VPN traffic over extra-VPN traffic on each customer's access link through access link prioritization or access link capacity allocation, such that extra-VPN traffic cannot interfere with inter-VPN traffic. By configuring the access networks (38a, 38b), the VPN boundary routers (40a, 40b, 42a, 42b) and CPE edge routers (42a, 42b), and the routing protocols of the edge and boundary routers, a high-level service of DoS (Denial of Service) attack prevention is achieved.
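The effect of access link prioritization can be seen in a small simulation, added here as an illustration and not taken from the patent. It assumes strict-priority queueing as one way to give intra-VPN traffic precedence; the function name, packet rates, link capacity and buffer size are all constructed values.

```python
from collections import deque

def simulate(scheduler, ticks=100, capacity=10, intra_rate=6,
             extra_rate=40, buffer=50):
    """Simulate one access link; return per-class sent/dropped counters.

    All rates and sizes are constructed values (packets per tick).
    scheduler is "fifo" (no precedence) or "priority" (intra-VPN first).
    """
    # FIFO shares one queue; priority keeps one queue per traffic class.
    shared = deque()
    queues = {"intra": deque(), "extra": deque()}
    stats = {"intra_sent": 0, "extra_sent": 0,
             "intra_dropped": 0, "extra_dropped": 0}

    for _ in range(ticks):
        # Arrivals: the extra-VPN flood lands ahead of the customer's own traffic.
        for cls, rate in (("extra", extra_rate), ("intra", intra_rate)):
            q = shared if scheduler == "fifo" else queues[cls]
            for _ in range(rate):
                if len(q) < buffer:
                    q.append(cls)
                else:
                    stats[cls + "_dropped"] += 1   # tail drop on a full buffer

        # Service: the link forwards at most `capacity` packets per tick.
        for _ in range(capacity):
            if scheduler == "fifo":
                if not shared:
                    break
                cls = shared.popleft()
            elif queues["intra"]:
                cls = queues["intra"].popleft()    # intra-VPN always goes first
            elif queues["extra"]:
                cls = queues["extra"].popleft()    # leftover capacity only
            else:
                break
            stats[cls + "_sent"] += 1
    return stats

if __name__ == "__main__":
    for name in ("fifo", "priority"):
        print(name, simulate(name))
```

With a shared FIFO queue the flood fills the buffer and the customer's own packets are tail-dropped; with per-class queues and intra-VPN precedence, every intra-VPN packet is forwarded and the flood only receives the capacity left over.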