With IP or Multiprotocol Label Switching (MPLS) running in the network core, two emerging Layer 2 VPN IP/MPLS architectures are generating high interest among service providers and enterprises: Virtual Private LAN Service (VPLS) and Virtual Private Wire Service (VPWS). VPLS supports the emulation of multipoint Layer 2 technologies, such as Ethernet, over an IP/MPLS network. VPWS is a point-to-point technology for supporting the transport of Layer 2 technologies, such as Frame Relay, ATM, High-Level Data Link Control (HDLC), and Ethernet over IP/MPLS.
THIS PAPER EXPLORES THE BUSINESS DRIVERS BEHIND VPLS AND VPWS; IT PROVIDES A DESCRIPTION OF LAYER 2 AND LAYER 3 COMPONENTS THAT SUPPORT VPLS AND VPWS, AS WELL AS THE HARDWARE, SOFTWARE, MANAGEMENT, AND OPERATIONAL BUILDING BLOCKS REQUIRED.
SUMMARY
VPNs create secure site-to-site and remote-access connections over public networks, and are growing exponentially in popularity. VPNs can be implemented over low-cost connections using traditional technologies such as Frame Relay and ATM; they also allow for several remote connection options, including cable modems, DSL, and dialup.
Originally designed using Layer 2 technologies such as Frame Relay, VPNs are being augmented by packet-based technologies such as IP and MPLS. IP and MPLS support Layer 3 VPNs while adding support for Layer 2 services, which support applications such as the ability to converge multiple Layer 2 networks. One new capability is the consolidation of multiple Layer 2 networks within enterprise or service provider environments into one core network, with Layer 2 and Layer 3 services running over a common IP/MPLS core. Another is the ability to smoothly extend one or more LAN as a VPLS across a service provider's network and to deliver multipoint Ethernet services.
CHALLENGE
To reduce costs and increase efficiency, service providers are reducing the number of networks needed to support the delivery of customer services. With fewer networks, less maintenance and overhead are needed. Edge devices can deliver multiple services, including direct Internet access and Layer 3 and Layer 2 intelligence over the same device. VPWS technology is one of the primary enablers for this service integration, allowing for the consolidation of Layer 2 and Layer 3 services. MPLS allows service providers to consolidate Layer 2 and Layer 3 services into one infrastructure and lets them cap investment in older Layer 2-only devices and grow investment in longer-lived Layer 3-based devices and services. Service providers can reap cost efficiencies and expand their service offerings by moving older networks to packet-switched network cores.
Traditionally, Layer 2 services from service providers have been point-to-point. With new Layer 2 architectures like VPLS, the multipoint nature of the Ethernet LAN can be extended over a WAN. Layer 2 VPNs appeal to subscribers who run their own Layer 3 networks over the wide area and require Layer 2 connectivity from service providers. Layer 2 VPNs also directly support multiprotocol applications (IPX, DECnet, AppleTalk, IP, and NetBIOS, for example). In this case, enterprise customers manage their own routing information. Layer 3 VPNs appeal to customers who wish to use IP connectivity and to partner with a service provider at Layer 3 to support site routing and multicast applications within a WAN. Other multipoint applications include enterprise resource planning (ERP) applications and voice-over-IP (VoIP), which are peer-to-peer in nature.
LAYER 2 VPNS
Layer 2 VPNs use pseudowires, which provide connectivity across a packet-switched IP/MPLS network to two or more customer edge devices or sites, as in Figure 1. Pseudowires emulate a point-to-point Layer 2 connection over Layer 3. Figure 1 shows switched connections between subscriber endpoints over a shared network. Nonsubscribers do not have access to those same endpoints.
Figure 1
A Layer 2 VPN
The use of pseudowires enables integration and transport of diverse types of network traffic, as well as coexistence with other types of encapsulation. Pseudowires encapsulate Layer 2 protocol datagram units (PDUs), or cells, for transport across public switched networks. Service providers have used private IP offerings based on MPLS Layer 3 VPNs to respond to new requirements. Meanwhile, VPLS has been proposed by the industry as an alternative to implementing high-bandwidth multipoint services across the WAN. VPWS offers point-to-point connectivity through transport of Layer 2 PDUs over pseudowires between peering sites.
• VPLS on a Cisco Systems® platform using Cisco IOS® Software-based MPLS brings flexibility to service provider and enterprise customers; now they can deploy and manage innovative new multipoint services to geographically dispersed users over one virtual Ethernet LAN. These services include affordable, robust deployment of multipoint Ethernet VPNs across a wide-area or metropolitan-area network (WAN/MAN).
• VPWS is particularly useful in networks that already have ATM, Frame Relay, Ethernet, or other leased lines in place, and where service providers want to integrate and extend their LAN services to the WAN for point-to-point connectivity and migrate networks to an IP/MPLS core. Integration of these services over a packet-based infrastructure saves service providers from having to expand existing Layer 2 networks to provide greater coverage of existing Layer 2 services. It also lets providers replace costly Layer 2 trunk lines and move them over the packet-switched network to reduce costs.
VPLS
VPLS builds on the VPWS point-to-point pseudowire model, adding packet replication and the ability to learn source-based MAC addresses for multipoint Layer 2 capabilities. It is an attractive option for service providers because it uses a Layer 2 architecture to offer multipoint Ethernet VPNs that connect multiple sites within a MAN or over a WAN.
Using VPLS, service providers can create a Layer 2 "virtual switch" over an MPLS core. Enterprises with large, distributed ERP applications and VoIP can benefit from these multipoint services.
Users benefit from performance and connectivity that are on par with a direct connection to a switch. This architecture for providing geographically dispersed Ethernet Multipoint Service (EMS) adheres to Metropolitan Ethernet Forum standards. Each customer edge device or node communicates directly with all other customer edge nodes in the EMS (Figure 2). This is a significant improvement over hub-and-spoke architectures used by Frame Relay and other technologies. Hub-and-spoke architectures require the end user to designate one customer edge node as the "hub" that is connected to all "spoke" sites. All communication between sites first must go through the hub site, leading to potential bottlenecks and other performance problems. With VPLS, each customer edge device only requires a single connection to the provider edge, and the provider edge provides full multipoint connectivity. A VPLS consists of a collection of customer sites connected to provider edge devices that are implementing the emulated LAN service.
Figure 2
Logical View of VPLS
A virtual switching instance (VSI) is used at each VPLS provider edge router to implement the forwarding decisions of each VPLS. The provider edge devices make the forwarding decisions between sites and encapsulate the Ethernet frames across a packet-switched network using an Ethernet pseudowire. Provider edge routers use a full mesh of pseudowires to forward the Ethernet frames between provider edge nodes. More information on pseudowire full mesh is given in the Layer 2 VPN Building Blocks section, under Tunneling.
In a VPLS, each device can communicate directly with its peers, which is efficient for applications that must be propagated quickly throughout the network, such as broadcast and distributed ERP. Scalability and manageability are limited, however: the amount of overhead increases exponentially because packets sent to all devices in a broadcast, for example, must be replicated for the number of devices receiving them. Depending on the type of VPLS application, MAC address learning and broadcast packet replication can become problematic. To remedy this, different architectures have been proposed; these are discussed in following sections.
HIERARCHICAL VPLS
Larger VPLS networks can add a hierarchy to reduce the signaling overhead and packet replication requirements for the provider edge. The hierarchical VPLS architecture connects customer edge devices to user-facing provider edge routers, which keep traffic destined for the local VLAN from entering the WAN. By keeping traffic localized, MAC learning and replication are handled in the user-facing provider edge routers instead of the network-facing provider edge devices. Hierarchical connectivity reduces signaling and replication overhead to allow for large-scale deployment.
In this hierarchical model, the user-facing provider edge devices support Layer 2 switching and perform normal bridging functions. Cisco® VPLS uses IEEE 802.1Q tunneling, a double 802.1Q (Q-in-Q) encapsulation to aggregate traffic between the user-facing and network-facing provider edge devices. The Q-in-Q trunk is an access port to a VPLS instance on a network provider edge (Figure 3). Hierarchical VPLS partitions the network into several edge domains that are interconnected using an MPLS core. Edge devices need only learn of their local network provider edge devices and do not need large routing table support. The edge domain can be built using Ethernet switches and techniques such as Q-in-Q trunking, Any-Transport-over MPLS (AToM), or Layer 2 Tunneling Protocol version 3 (L2TPv3).
Figure 3
Hierarchical VPLS
Using Ethernet as the edge technology simplifies the operation of the edge domain and dramatically reduces the cost of the edge devices. Cisco was one of the first vendors to realize the scaling limitations imposed by having a nonhierarchical architecture for VPLS.
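The Q-in-Q trunk described above carries customer frames with two 802.1Q tags, and the network-facing provider edge uses the outer tag to select the VPLS instance. The following added example (not code from the paper or from Cisco) parses a constructed double-tagged frame and applies that mapping; the S-VLAN-to-VSI table, the instance names, and the policy that single-tagged or unprovisioned frames are not accepted on the trunk are assumptions for illustration.

```python
import struct

TPID_8100 = 0x8100  # 802.1Q TPID; 802.1Q tunneling uses it on the outer tag as well
TPID_88A8 = 0x88A8  # IEEE 802.1ad service-tag TPID, accepted as an outer tag too
TAG_TPIDS = {TPID_8100, TPID_88A8}

# Constructed mapping of the outer (service) VLAN on the Q-in-Q trunk to a VPLS
# instance on the network-facing PE. Instance names are hypothetical.
SVLAN_TO_VSI = {100: "vpls-customer-a", 200: "vpls-customer-b"}


def build_frame(dst, src, vids, ethertype, payload):
    """Construct an Ethernet frame carrying the given stack of 802.1Q tags (outer first)."""
    frame = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vids:
        frame += struct.pack("!HH", TPID_8100, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, [vid outer..inner], ethertype, payload); reject malformed input."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    off, vids = 12, []
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated tag stack")
        (ethertype,) = struct.unpack_from("!H", frame, off)
        off += 2
        if ethertype not in TAG_TPIDS:
            break
        if off + 2 > len(frame):
            raise ValueError("truncated tag stack")
        (tci,) = struct.unpack_from("!H", frame, off)
        off += 2
        vids.append(tci & 0x0FFF)  # VID is the low 12 bits of the TCI; PCP/DEI ignored here
    return dst, src, vids, ethertype, frame[off:]


def classify_on_trunk(frame, table=SVLAN_TO_VSI):
    """Map a frame received on the Q-in-Q trunk to a VSI, or None if it is not accepted.

    Assumed policy: only double-tagged frames belong on the trunk, the outer tag must be
    a provisioned S-VLAN, and the inner (customer) tag is carried through untouched.
    """
    _, _, vids, _, _ = parse_frame(frame)
    if len(vids) != 2:
        return None
    outer, inner = vids
    if outer not in table:
        return None
    return {"vsi": table[outer], "s_vlan": outer, "c_vlan": inner}
```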
VPWS
VPWS makes the convergence of Layer 2 and Layer 3 services possible over an IP/MPLS cloud. VPWS lets service providers deploy point-to-point circuits with Ethernet as an attachment circuit, allowing high-speed LAN connectivity. Two pseudowire technologies are available from Cisco:
• AToM for MPLS networks
• L2TPv3 for native IP networks
Both AToM and L2TPv3 support the transport of Frame Relay, ATM, HDLC, and Ethernet traffic over an IP or MPLS core.
VPWS is generating interest among service providers that wish to migrate existing Layer 2 networks to their packet MPLS or IP network (Figure 4), or for service providers that wish to use the packet infrastructure to extend Layer 2 service offerings in new markets. VPWS provides a common framework to encapsulate and transport supported Layer 2 traffic types over an MPLS network core. Service providers can use a single MPLS network infrastructure to offer connectivity for supported Layer 2 traffic and for IP traffic in Layer 3 VPNs.
Figure 4
Network Consolidation for Layer 2 VPNs with VPWS
COMPARISONS
VPLS
• Offers multipoint connectivity and support for multiple higher-level protocols
• Uses the familiar Ethernet user interface
• Allows for bridged encapsulation support for non-native Ethernet links such as RFC 1483 and RFC 1490 bridging
• Leaves full control of Layer 3 routing to the VPN user; supports speeds of 10/100/1000 Gigabit Ethernet for customer interfaces
• Provides a standards-based solution that can be easily deployed and efficiently managed between a service provider and private corporate networks (VPLS is being defined as a part of the IETF Layer 2 VPN Working Group)
VPWS
• Offers point-to-point connectivity between customer sites through transport of Layer 2 PDUs between the customer sites
• Supports multiple encapsulations such as ATM, Frame Relay, PPP/HDLC, and Ethernet
• Is being standardized primarily in the IETF Pseudowire Edge-to-Edge (PWE3) and Layer 2 Tunneling Protocol Extensions (L2TPEXT) working groups
LAYER 2 VPN BUILDING BLOCKS
Hardware
Cisco VPLS is implemented on the Cisco 7600 Series router, a product widely deployed in Metro Ethernet architectures by service providers worldwide. VPWS capabilities are offered on numerous platforms, including the Cisco Catalyst® 3750 and 6500 series switches and Cisco 1700, 2600, 3700, 7200, 7300, 7400, 7500, 7600, 10700, and 12000 series routers.
Tunneling
Both VPLS and VPWS require a tunneling component. Although VPLS offers multipoint connectivity, it is created with a full mesh of point-to-point pseudowires between the participating provider edge routers. VPLS uses an MPLS core; at the edges, it multiplexes and creates pseudowires to each router that participates in the VPLS network. Thus, a full mesh of pseudowires is required to support the service. Signaling for both VPLS and VPWS relies on directed Label Distribution Protocol (LDP) sessions between edge routers for setting up and maintaining connections. Tunnel labels, which make up the unidirectional tunnel label-switched path (LSP), are established with link LDP or RSVP-TE. The L2TPv3 control plane is used to perform signaling and session negotiation between tunnel endpoints.
Signaling and Provisioning
As additional services use the transport efficiencies of IP networks, additional signaling capabilities are required. Signaling in Layer 2 VPNs is a control plane function that gives two endpoints the information required to establish and maintain communication across a packet-switched network.
Two separate signaling processes exist for pseudowires. One process sets up or tears down the pseudowire, including the exchange or distribution of the pseudowire identifiers that the network tunnel endpoints use. A second process manages the signaling, timing, sequencing, and other aspects of the service at the boundaries of the pseudowire, including control plane messages sent by customer equipment. It may be necessary or desirable for the provider edge router to participate in or monitor this signaling activity to effectively emulate the service (for instance, Frame Relay permanent virtual connection/data-link connection identifier [PVC/DLCI] status signaling, local management interface [LMI], ATM interim LMI [ILMI], and time-division multiplexing [TDM] channel-associated signaling). Two drafts are proposed for Layer 2 VPN signaling; one uses extensions to LDP (IETF RFC 3036) and the other uses extensions to Border Gateway Protocol (BGP) for signaling.
LDP is an inherently point-to-point technology; BGP (through full mesh or route reflectors) operates more in a broadcast mode in distributing label information. Cisco uses LDP as the signaling mechanism for both VPLS and VPWS on MPLS networks, and the L2TPv3 control plane for native IP networks. LDP provides greater control of communication and quality of service (QoS) between VPLS nodes. For example, IP Security (IPSec) or specific QoS features could be deployed between two specific nodes.
Cisco VPLS relies on command-line interface (CLI)-based configuration or the use of provisioning tools, such as the Cisco IP Solution Center (ISC), to establish provider edge associations within a VPLS. The architecture can be enhanced to support several discovery protocols, including BGP, RADIUS, LDP, or Domain Name System (DNS).
VPN DISCOVERY
Cisco supports two methods of discovery for VPLS: manual discovery, which involves manual configuration that is simple (but can be cumbersome, especially in larger networks); and the network management service, a provisioning tool within Cisco IP Solution Center.
BGP can also be used to discover what sites to include or add in a VPLS. With BGP, the new router is plugged in and uses BGP to announce itself. Another method is directory-based services, where a central database is used to administer autodiscovery (for example, RADIUS or DNS).
FORWARDING MECHANISM
VPLS forwards Ethernet frames like a transparent bridge, simply using Layer 2 MAC addresses. VSIs, interconnected using MPLS pseudowires, learn the associations between the source MAC address and pseudowires or physical ports; they forward frames based on the destination MAC address. If the destination address is unknown or is a broadcast or multicast address, the frame is flooded to all ports associated with the virtual bridge.
VPWS forwarding is based on a predetermined ingress and egress attachment circuit used by the edge routers. All traffic coming in on an attachment circuit is forwarded over the packet core via the pseudowire. The virtual circuit label determines the egress interface and binds the Layer 2 egress interface to the tunnel label. The virtual circuits act like repeaters, bulk-forwarding data as it passes through an interface.
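The VPLS forwarding behaviour described above (learn the source MAC per port, forward known unicast, flood the rest) can be made concrete with a toy virtual switching instance. The following is an added example, not code from the paper or from Cisco; it assumes the split-horizon rule of standard VPLS (a frame arriving over a pseudowire is not relayed to other pseudowires, since the full mesh already gives every provider edge a direct pseudowire to every peer) and adds a per-VSI cap on learned MAC entries, both of which are assumptions not stated on the page.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac):
    """True for broadcast and multicast: the I/G bit is the low bit of the first octet."""
    return int(mac.split(":")[0], 16) & 1 == 1


@dataclass
class Port:
    name: str
    is_pseudowire: bool = False  # True for a pseudowire in the full mesh, False for a local AC


@dataclass
class VSI:
    ports: dict = field(default_factory=dict)
    mac_table: dict = field(default_factory=dict)  # source MAC -> port it was learned on
    max_macs: int = 1024  # assumed learning limit so one site cannot exhaust the table

    def add_port(self, name, is_pseudowire=False):
        self.ports[name] = Port(name, is_pseudowire)

    def forward(self, in_port, src, dst):
        """Return the names of the ports this frame is forwarded to."""
        ingress = self.ports[in_port]
        if src in self.mac_table or len(self.mac_table) < self.max_macs:
            self.mac_table[src] = in_port  # learn (or refresh) the source association
        egress = [p for p in self.ports.values() if p.name != in_port]
        if ingress.is_pseudowire:
            # Split horizon: a frame from one PE is never relayed on to another PE.
            egress = [p for p in egress if not p.is_pseudowire]
        allowed = {p.name for p in egress}
        if not is_group_address(dst) and dst in self.mac_table:
            out = self.mac_table[dst]
            return [out] if out in allowed else []  # known unicast: one port, or drop
        return [p.name for p in egress]  # unknown unicast, broadcast, multicast: flood


def demo():
    """Constructed scenario: one PE with two local ACs and pseudowires to PE2 and PE3."""
    vsi = VSI()
    vsi.add_port("ac1")
    vsi.add_port("ac2")
    vsi.add_port("pw-pe2", is_pseudowire=True)
    vsi.add_port("pw-pe3", is_pseudowire=True)
    a, b, c, d, e = ("00:00:00:00:00:0%d" % i for i in range(1, 6))
    return [
        vsi.forward("ac1", a, BROADCAST),  # broadcast from a local site: flood everywhere
        vsi.forward("pw-pe2", b, a),       # known destination: only to ac1
        vsi.forward("pw-pe3", c, d),       # unknown destination from a PW: local ACs only
        vsi.forward("ac2", e, b),          # known destination behind PE2: one pseudowire
    ]
```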
NETWORK MANAGEMENT SYSTEMS AND OPERATIONAL SUPPORT SYSTEMS
Cisco introduced support for VPLS and VPWS in Cisco ISC, a provisioning and management tool that provides management automation and intelligence while helping to increase the productivity of network operators. These components, along with the Cisco portfolio of Metro Ethernet equipment, provide a complete solution for Ethernet services.
Cisco ISC can interface with third-party operations support systems (OSSs) for billing, provisioning, and monitoring.
SUMMARY
The massive shift underway within service provider networks from circuit-switched to packet-based technology presents opportunities for increased revenues, as well as cost containment from consolidation and better use of the network infrastructure. VPLS and VPWS represent advanced packet-switched VPN solutions that blend Layer 2 and Layer 3 technologies to make it possible to operate private point-to-point and multipoint VLANs through public networks.
Service providers and customers want:
• To avoid buying more legacy equipment
– IP and MPLS features allow for continued support of existing Layer 2 VPNs while adding support for new Layer 3 services, such as MPLS VPNs, over a single infrastructure.
• To deliver Layer 2 VPN services cost effectively over public and private networks
– VPLS lets customers and service providers deploy and manage multipoint services to dispersed users over one virtual Ethernet LAN operating over a WAN or MAN. VPWS allows customers and service providers to integrate existing ATM, Frame Relay, or other legacy Layer 2 networks over a WAN for point-to-point connectivity.
• To move network switching overhead to Layer 3, which is underused
– Service providers can reap cost efficiencies and expand their service offerings by moving older networks to IP and consolidating Layer 2 and Layer 3 services into one infrastructure. Using MPLS and other technologies, providers can cap investment in older Layer 2-only devices and better use Layer 3 devices and services.
IP, MPLS, Layer 2 switching, pseudowires, and the other technologies and products behind VPLS and VPWS make these objectives possible, with benefits that can directly affect the bottom lines of both service providers and their customers.