In order to withstand a denial of service attack, a system for isolating the best effort traffic and virtual private network (VPN), a method and apparatus

摘要

A network architecture (20) in accordance with the present invention includes a communication network that supports one or more network-based Virtual Private Networks (VPNs). The communication network includes a plurality of boundary routers (22a-22d) that are connected by access links to CPE edge routers (24b-24d and 25a-25d) belonging to the one or more VPNs. To prevent traffic from outside a customer's VPN (e.g., traffic from other VPNs or the Internet at large) from degrading the QoS provided to traffic from within the customer's VPN, the present invention gives precedence to intra-VPN traffic over extra-VPN traffic on each customer's access link through access link prioritisation or access link capacity allocation, such that extra-VPN traffic can not interfere with inter-VPN traffic.