White Paper
Virtual Private LAN Service (VPLS) Technical Primer for Government Agencies
The adoption of consolidated IP/MPLS networks, together with the development of new standards within the IETF, is now enabling government agencies to offer both VPN services and Internet access from a single packet-switched infrastructure. One of the most interesting of these mainstream VPN services is a multipoint Ethernet VPN, commonly referred to as Virtual Private LAN Service (VPLS) and also referred to as an E-LAN Carrier Ethernet service by the Metro Ethernet Forum (MEF).
Table of contents
VPLS: an additional option, p. 1
VPLS: solution overview, p. 2
MAC learning and packet forwarding, p. 2
VPLS packet walkthrough, p. 2
PE Router A, p. 2
Known MAC address, p. 3
Unknown MAC address, p. 3
Core router switching, p. 3
PE Router C, p. 4
Known MAC address, p. 4
Unknown MAC address, p. 4
Hierarchical VPLS, p. 4
Inter-metro services (H-VPLS and MS-PW), p. 5
Industry support for VPLS, p. 6
Conclusion, p. 6
References, p. 7
Acronyms, p. 7
VPLS, described in RFC 4762, is an Ethernet VPN that connects multiple sites in a single bridged domain over a service provider-managed Internet Protocol (IP)/Multiprotocol Label Switching (MPLS) network. All sites and users in a VPLS instance appear to be on the same LAN, regardless of their location (metro, national or international). VPLS uses an Ethernet interface as the customer handoff, which simplifies the LAN/WAN boundary and allows rapid and flexible service provisioning.

VPLS is a good alternative for government agencies that want to move beyond point-to-point Frame Relay services but whose needs are not satisfied by a routed IP-VPN service. With VPLS, the agency keeps complete control over its routing, and because all the agency routers in the VPLS are part of the same subnet (LAN), the result is a simplified IP addressing plan. This is especially true when compared to a mesh constructed from many separate point-to-point connections. From a security perspective, if the agency uses a service provider for connectivity between sites, that service provider has no awareness of, or participation in, the agency's IP addressing space and routing. That separation is a control-plane property only: VPLS does not encrypt customer frames, so confidentiality and integrity of traffic crossing the provider network still require encryption applied by the agency itself (for example IPsec between the agency's routers).

VPLS also offers some additional advantages:
- A transparent, protocol-independent service
- A LAN/WAN Ethernet interface on the user's router, which reduces complexity and total cost of ownership
- No Layer 2 protocol conversion between LAN and WAN technologies
- No need to train personnel on WAN technologies such as Frame Relay, because there is no need to design, manage, configure and maintain separate WAN access equipment
- Complete control over routing, providing a clear demarcation of functionality between the service provider and the agency, so that troubleshooting is easier
- The ability to add a new site without reconfiguring service provider equipment or the local equipment at existing sites
- Fast provisioning, with potential for user-provisioned bandwidth on demand
- Scalability: virtual LAN (VLAN) IDs have local significance only, which eliminates the 4094 VLANs per network limit of traditional bridged metro Ethernet services
- Granular bandwidth from 64 kb/s to 1 Gb/s (compared to the Frame Relay step function in DS1/DS3 multiples)

The remainder of this discussion focuses on the details of the VPLS solution as described in RFC 4762.
[Figure: a VPLS instance presented as a single virtual bridge spanning PE routers A, B and C; diagram not recoverable from the text]
PE Router A
User packets arriving at PE Router A are associated with the appropriate VPLS service instance based on the combination of the physical port and the IEEE 802.1Q tag (VLAN ID) in the packet. PE Router A learns the source MAC address in the packet and creates an entry in the FIB table that associates the MAC address with the access port on which it was received.
2 VPLS Technical Primer for Government Agencies | Technical White Paper
The destination MAC address in the packet is looked up in the FIB table for the VPLS instance. There are two possibilities: either the destination MAC address has already been learned (known MAC address) or it has not yet been learned (unknown MAC address).

Known MAC address
If the destination MAC address has been previously learned by PE Router A, an existing entry in the FIB table identifies the far-end PE router and the service VC label (inner label) to be used before sending the packet to the far-end PE Router C.
Figure 3. Packet forwarding by the ingress PE router
[Figure: ingress lookup based on access port or port/VLAN ID; the customer packet (destination MAC, source MAC, VLAN ID) from Customer Location A enters PE Router A; diagram not recoverable from the text]

PE Router A chooses a transport LSP to send the user packets to PE Router C. The user packet is sent on this LSP after the IEEE 802.1Q tag is stripped and the service VC label (inner label) and the transport label (outer label) are added to the packet.
Unknown MAC address
If the destination MAC address has not been learned, PE Router A floods the packet to both PE Router B and PE Router C. It does this using the VC labels that each PE router previously signaled for this VPLS instance. Note that the packet is not sent to PE Router D, because this VPLS service does not exist on that PE router.
[Figure: LSP tunnels carrying the flooded packet from PE A, attached to Customer Location A, across the IP/MPLS network to PE B and PE C; diagram not recoverable from the text]
PE Router C
PE Router C strips the transport label of the received packet to reveal the inner VC label. The VC label identifies the VPLS service instance to which the packet belongs. PE Router C learns the source MAC address in the packet and creates an entry in the FIB table. This entry associates the MAC address with PE Router A and the VC label that PE Router A previously signaled for the VPLS service. The destination MAC address in the packet is looked up in the FIB table for the VPLS instance. Once again there are two possibilities: either the destination MAC address has already been learned (known MAC address) or it has not been learned on the access side of PE Router C (unknown MAC address).

Known MAC address
If the destination MAC address has been learned by PE Router C, an existing entry in the FIB table identifies the local access port and the IEEE 802.1Q tag to be added before sending the packet to customer location C (see Figure 5). Note that the egress Q tag may differ from the ingress Q tag that was used on PE Router A's access port.
Figure 5. Packet forwarding by the egress PE router
[Figure: egress lookup based on VC label; the packet arrives at PE C over the LSP tunnel from the IP/MPLS network and is delivered to Customer Location C as a customer packet (destination MAC, source MAC, VLAN ID); diagram not recoverable from the text]
Unknown MAC address
If the destination MAC address has not been learned, PE Router C floods the packet to all its local access ports that belong to the same VPLS instance as the source MAC address.
Hierarchical VPLS
The hierarchical VPLS (H-VPLS) architecture, also described in RFC 4762, builds on the base VPLS solution to provide several scaling and operational advantages. The scaling advantages come from introducing hierarchy and eliminating the need for a full mesh of VCs between all participating devices. Hierarchy is achieved by augmenting the base VPLS core mesh of VCs (hub) with access VCs (spoke) to form two tiers, as shown in Figure 6. Spoke connections are generally created between Layer 2 switches placed at the multitenant unit (MTU) and the PE routers placed at the service provider's point of presence (POP). This considerably reduces both the signaling and replication overhead on all devices. H-VPLS offers the flexibility of using different types of spoke connections: either an IEEE 802.1Q tagged connection or an MPLS LSP. H-VPLS also offers several operational advantages by centralizing all the major functions in the POP PE routers, allowing the use of low-cost, low-maintenance MTU devices and thereby reducing overall capital expenditures (CAPEX) and operating expenditures (OPEX), because there are an order of magnitude more MTU devices than PE routers. Another operational advantage of H-VPLS is centralized provisioning, with fewer elements to touch when turning up service for a user. Adding a new MTU device requires some configuration of the local PE router, but does not require any signaling to other PE routers or MTU devices, which greatly simplifies the provisioning process.
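The packet walkthrough above (PE Router A and PE Router C) and the H-VPLS spoke model are easier to reason about when the forwarding rules are written out. The following is an added toy model, not code from the white paper or from any vendor product: one VSI (virtual switch instance) per VPLS instance with its own FIB, ingress classification by (port, VLAN) or by received VC label, learning of the source MAC against the port or pseudowire it arrived on, unicast for a known MAC, flooding for an unknown MAC, label push/pop at the LAN/core boundary, and the RFC 4762 split-horizon rule that a frame received from a mesh pseudowire is never forwarded to another mesh pseudowire (while a spoke pseudowire is treated like an access port). All port names, VC and LSP label values and MAC addresses are constructed for the example; the `mac_limit` cap on learned addresses is an assumed defensive control, not something the paper describes.

```python
"""Toy VPLS forwarding model in the style of RFC 4762. Added illustration only."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

ACCESS, MESH, SPOKE = "access", "mesh", "spoke"   # roles a port can play in a VSI
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Port:
    name: str                       # hypothetical names, e.g. "ge-1/1/1", "pw-PEC"
    kind: str                       # ACCESS (customer), MESH (core hub PW), SPOKE (H-VPLS)
    vlan: Optional[int] = None      # 802.1Q tag used on an access port
    vc_label: Optional[int] = None  # service VC label signaled BY the far end (used on send)
    lsp_label: Optional[int] = None # transport label of the LSP toward the far end
    rx_label: Optional[int] = None  # VC label this PE signaled for the PW (seen on receive)


@dataclass(frozen=True)
class Frame:
    dst: str
    src: str
    vlan: Optional[int] = None      # 802.1Q tag, present only on the customer side
    labels: Tuple[int, ...] = ()    # (transport, vc) label stack, present only in the core


class VSI:
    """One VPLS instance on one PE: a virtual bridge with its own FIB."""

    def __init__(self, ports: List[Port], mac_limit: int = 64):
        self.ports = {p.name: p for p in ports}
        self.fib: Dict[str, str] = {}          # learned MAC -> port name
        self.mac_limit = mac_limit             # assumed cap, not from the paper
        self.learn_drops = 0

    def learn(self, mac: str, port_name: str) -> None:
        # Associate the source MAC with the access port or pseudowire it arrived on.
        if mac in self.fib or len(self.fib) < self.mac_limit:
            self.fib[mac] = port_name
        else:
            self.learn_drops += 1              # table full: refuse rather than evict

    @staticmethod
    def encap(frame: Frame, out: Port) -> Frame:
        if out.kind == ACCESS:                 # toward the customer: pop labels, add egress Q tag
            return replace(frame, labels=(), vlan=out.vlan)
        # toward the core: strip the Q tag, push transport (outer) and VC (inner) labels
        return replace(frame, vlan=None, labels=(out.lsp_label, out.vc_label))

    def forward(self, frame: Frame, in_port: str) -> List[Tuple[str, Frame]]:
        self.learn(frame.src, in_port)
        if frame.dst != BROADCAST and frame.dst in self.fib:      # known MAC
            out = self.fib[frame.dst]
            return [] if out == in_port else [(out, self.encap(frame, self.ports[out]))]
        # unknown MAC (or broadcast): flood to every other port, with split horizon
        src_kind = self.ports[in_port].kind
        return [(n, self.encap(frame, p)) for n, p in self.ports.items()
                if n != in_port and not (src_kind == MESH and p.kind == MESH)]


class PE:
    """Classifies an incoming packet to a VSI by (access port, VLAN) or by VC label."""

    def __init__(self, name: str):
        self.name, self.by_access, self.by_label = name, {}, {}

    def add_vsi(self, vsi: VSI) -> None:
        for p in vsi.ports.values():
            if p.kind == ACCESS:
                self.by_access[(p.name, p.vlan)] = (vsi, p.name)
            else:
                self.by_label[p.rx_label] = (vsi, p.name)

    def receive_access(self, port: str, frame: Frame) -> List[Tuple[str, Frame]]:
        vsi, pname = self.by_access[(port, frame.vlan)]
        return vsi.forward(frame, pname)

    def receive_core(self, frame: Frame) -> List[Tuple[str, Frame]]:
        vsi, pname = self.by_label[frame.labels[1]]   # transport label popped, VC label selects VSI
        return vsi.forward(frame, pname)


def walkthrough() -> dict:
    """Replays the paper's walkthrough (location A to location C) plus one H-VPLS spoke frame."""
    pe_a, pe_c = PE("PE A"), PE("PE C")
    vsi_a = VSI([Port("ge-1/1/1", ACCESS, vlan=100),
                 Port("pw-PEB", MESH, vc_label=2001, lsp_label=300, rx_label=1001),
                 Port("pw-PEC", MESH, vc_label=3001, lsp_label=301, rx_label=1002)])
    vsi_c = VSI([Port("ge-2/1/1", ACCESS, vlan=200),
                 Port("pw-PEA", MESH, vc_label=1002, lsp_label=310, rx_label=3001),
                 Port("pw-PEB", MESH, vc_label=2002, lsp_label=311, rx_label=3002),
                 Port("spoke-MTU-C1", SPOKE, vc_label=9001, lsp_label=320, rx_label=3003)])
    pe_a.add_vsi(vsi_a)
    pe_c.add_vsi(vsi_c)
    a1, c1 = "00:00:00:00:00:a1", "00:00:00:00:00:c1"
    # 1. a1 -> c1 with c1 unknown at PE A: flooded to PE B and PE C (PE D has no port in this VSI)
    step1 = pe_a.receive_access("ge-1/1/1", Frame(dst=c1, src=a1, vlan=100))
    # 2. PE C receives the copy from PE A: learns a1 behind pw-PEA, floods to its access port and
    #    spoke, but not back into the mesh (split horizon)
    step2 = pe_c.receive_core(dict(step1)["pw-PEC"])
    # 3. c1 replies: a1 is now a known MAC, so a single copy goes to PE A with PE A's VC label
    step3 = pe_c.receive_access("ge-2/1/1", Frame(dst=a1, src=c1, vlan=200))
    # 4. an unknown destination arriving over the H-VPLS spoke is flooded to mesh PWs and access
    step4 = pe_c.receive_core(Frame(dst="00:00:00:00:00:d1", src="00:00:00:00:00:c2",
                                    labels=(999, 3003)))
    return {"step1": step1, "step2": step2, "step3": step3, "step4": step4,
            "fib_a": dict(vsi_a.fib), "fib_c": dict(vsi_c.fib)}
```

Running `walkthrough()` shows the two flood decisions differ only because of the split-horizon rule: the copy that arrived from the mesh is replicated to the access port and the spoke, while the copy that arrived from the spoke is also replicated to both mesh pseudowires. The `mac_limit` check is where a practitioner would start when hardening a real VSI against one site filling the shared FIB with random source addresses.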
[Figure 6: H-VPLS topology; MTU devices (MTU A through MTU H, including MTU C1, MTU C2, MTU B1 and MTU D1) connect over spoke VCs carried as customer Q tags or MPLS labels to PE routers A through G, which form the core mesh; customer-edge ports are labelled CE-a1/4, CE-a1/11, CE-c1/4, CE-c1/11 and CE-c2/4; diagram not recoverable from the text]
[Figure: inter-metro end-to-end service across autonomous systems AS1 and AS2; the VSI on a terminating PE (T-PE) in AS1 reaches a T-PE in AS2 through multi-segment pseudowire segments MS-PW(1), MS-PW(2) and MS-PW(3) stitched at switching PEs (S-PE); diagram not recoverable from the text]
Conclusion
VPLS has emerged as an important Layer 2 VPN service that complements IP-VPN services and addresses a broader market. It offers government users what they need for intersite connectivity: protocol transparency, scalable and granular bandwidth from 64 kb/s to 1 Gb/s, fast service activation and provisioning, and a simplified LAN/WAN boundary. VPLS also allows larger agencies to deliver a scalable VPN service offering that can be combined with Internet access on a consolidated IP/MPLS infrastructure, reducing OPEX. VPLS has received widespread industry support in the commercial sector from both vendors and service providers. The Alcatel-Lucent Service Routing portfolio includes the Alcatel-Lucent 7750 Service Router (SR), the 7710 SR, the 7450 Ethernet Service Switch (ESS)/Router, the 7250 Service Access Switch (SAS) and the 5620 Service Aware Manager (SAM). These products allow service providers to differentiate themselves with fully managed, uninterrupted VPLS services that deliver an assured high quality of experience, to meet the needs of today's always-on enterprise.
References
Standards bodies:
Institute of Electrical and Electronics Engineers (www.ieee.org)
Internet Engineering Task Force (www.ietf.org)

Ron Kline, "Forecast: Enterprise, Ethernet services, global." Ovum-RHK, 18 October 2007 (www.ovum.com)
Acronyms
AS autonomous system
CAGR compound annual growth rate
CAPEX capital expenditures
CE customer edge
ESS Ethernet Service Switch
FIB forwarding information base
H-VPLS hierarchical virtual private LAN service
IEEE Institute of Electrical and Electronics Engineers
IETF Internet Engineering Task Force
IP Internet Protocol
IP-VPN IP virtual private network
LAN local area network
LDP Label Distribution Protocol
LSP label switched path
LSR label switching router
MAC Media Access Control
MPLS Multiprotocol Label Switching
MS-PW multi-segment pseudo-wire
MTU multitenant unit
OPEX operating expenditures
PE provider edge
POP point of presence
RFC Request for Comment
S-PE switching PE
SS-PW single-segment pseudo-wire
ST-PE source terminating PE
SAM Service Aware Manager
SAS Service Access Switch
SR Service Router
T-LDP targeted LDP
T-PE terminating PE
TT-PE target T-PE
TLS transparent LAN service
VC virtual connection
VLAN virtual LAN
VPLS virtual private LAN service
VPN virtual private network
WAN wide area network
www.alcatel-lucent.com
Alcatel, Lucent, Alcatel-Lucent and the Alcatel-Lucent logo are trademarks of Alcatel-Lucent. All other trademarks are the property of their respective owners. The information presented is subject to change without notice. Alcatel-Lucent assumes no responsibility for inaccuracies contained herein. Copyright 2008 Alcatel-Lucent. All rights reserved. CAR4688081106 (11)