A network architecture includes a communication network that supports one or more network-based Virtual Private Networks (VPNs) (32a, 32b). The communication network includes a plurality of boundary routers (40a, 40b, 42a, 42b) that are connected by access links (35a, 35b) to CPE edge routers (34a, 34b) belonging to the one or more VPNs (32a, 32b). To prevent traffic from outside a customer's VPN (e.g., traffic from other VPNs or the Internet at large) from degrading the QoS provided to traffic from within the customer's VPN (32a, 32b), the present invention gives precedence to intra-VPN traffic over extra-VPN traffic on each customer's access link through access link prioritization or access link capacity allocation, such that extra-VPN traffic cannot interfere with inter-VPN traffic. By configuring the access networks (38a, 38b), the VPN boundary routers (40a, 40b, 42a, 42b) and CPE edge routers (42a, 42b), and the routing protocols of the edge and boundary routers, a high-level service of DoS (Denial of Service) attack prevention is achieved.
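The access link capacity allocation described in the abstract can be illustrated with a small simulation. The code below is an added example, not part of the patent; it models a boundary router draining two traffic classes onto one customer's access link, first with a single shared FIFO queue and then with a reserved intra-VPN share, under a constructed extra-VPN flood. Packet sizes, tick counts, the 70% reservation and the arrival pattern are assumptions chosen for the example.

```python
from collections import deque

def flood_arrivals(tick):
    """Constructed traffic on one customer's access link (not data from the patent).
    Each packet is (class, bytes): "intra" is traffic from inside the customer's VPN,
    "extra" is traffic from other VPNs or the Internet. A flood of extra-VPN packets
    begins at tick 3, interleaved with the steady intra-VPN load."""
    per_intra = 10 if tick >= 3 else 1          # extra-VPN packets after each intra packet
    pkts = []
    for _ in range(5):                          # 5 legitimate intra-VPN packets per tick
        pkts.append(("intra", 1000))
        pkts.extend([("extra", 1000)] * per_intra)
    return pkts

def run_access_link(arrivals, ticks, capacity=10_000, queue_limit=20, intra_min=None):
    """Boundary router forwarding onto an access link of `capacity` bytes per tick.
    intra_min=None : one shared FIFO queue, no precedence between classes.
    intra_min=0.7  : access link capacity allocation: 70% of each tick's capacity is
                     reserved for intra-VPN packets, which are served first; any
                     reservation left unused is lent to extra-VPN packets.
    Queues tail-drop when full. Returns (delivered, dropped) packet counts per class."""
    shared = intra_min is None
    queues = {"all": deque()} if shared else {"intra": deque(), "extra": deque()}
    delivered = {"intra": 0, "extra": 0}
    dropped = {"intra": 0, "extra": 0}
    for tick in range(ticks):
        for pkt in arrivals(tick):              # enqueue this tick's arrivals
            q = queues["all" if shared else pkt[0]]
            if len(q) < queue_limit:
                q.append(pkt)
            else:
                dropped[pkt[0]] += 1
        if shared:
            budget = [("all", capacity)]
        else:
            reserved = round(capacity * intra_min)
            budget = [("intra", reserved), ("extra", capacity - reserved)]
        leftover = 0
        for name, share in budget:              # drain each queue within its byte budget
            q = queues[name]
            avail = share + leftover
            while q and q[0][1] <= avail:
                cls, size = q.popleft()
                avail -= size
                delivered[cls] += 1
            leftover = avail                    # unused reservation passes to the next class
    return delivered, dropped

if __name__ == "__main__":
    for label, share in (("shared FIFO", None), ("70% intra-VPN reservation", 0.7)):
        print(label, *run_access_link(flood_arrivals, ticks=10, intra_min=share))
```

With the shared queue the flood crowds out and drops legitimate intra-VPN packets, while with the reservation every intra-VPN packet is delivered and only extra-VPN packets are dropped.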