
Technology White Paper

Virtual Private LAN Service (VPLS) Technical Primer for Government Agencies
The adoption of consolidated IP/MPLS networks, together with the development of new standards within the IETF, is now enabling government agencies to offer both VPN services and Internet access from a single packet-switched infrastructure. One of the most interesting of these mainstream VPN services is a multipoint Ethernet VPN, commonly referred to as Virtual Private LAN Service (VPLS) and also referred to as an E-LAN Carrier Ethernet service by the Metro Ethernet Forum (MEF).

Table of contents
1  VPLS: an additional option
2  VPLS: solution overview
2  MAC learning and packet forwarding
2  VPLS packet walkthrough
2  PE Router A
3  Known MAC address
3  Unknown MAC address
3  Core router switching
4  PE Router C
4  Known MAC address
4  Unknown MAC address
4  Hierarchical VPLS
5  Inter-metro services (H-VPLS and MS-PW)
6  Industry support for VPLS
6  Conclusion
7  References
7  Acronyms

VPLS: an additional option


As government agencies evaluate technologies to connect geographically dispersed locations, their choice is increasingly driven by the networking requirements of the various applications they use in conducting their operations and by the ease with which they can leverage the talents and resources of their service provider. Traditional choices have included Frame Relay-based virtual private networks (VPNs) and IP-VPN services. VPLS is an alternative that has become mainstream, with a forecasted 47 percent CAGR (2007-2012) as shown in Figure 1. It provides an additional choice for government agencies by addressing the bandwidth and site scalability limitations of Frame Relay. VPLS also provides a Layer 2 alternative to network-based IP-VPNs for those government organizations that use non-IP protocols or that may be reluctant to move to a Layer 3 service because of concerns over sharing routing information or other internal operational reasons.
Figure 1. VPLS growth forecast (vertical axis: US$ billions, 0 to 6; horizontal axis: 2004 to 2012)

VPLS, described in RFC 4762, is an Ethernet VPN that allows the connection of multiple sites in a single bridged domain over a service provider-managed Internet Protocol (IP)/Multiprotocol Label Switching (MPLS) network. All sites and users in a VPLS instance appear to be on the same LAN, regardless of their location (metro, national or international). VPLS uses an Ethernet interface as the customer handoff, simplifying the LAN/WAN boundary and allowing for rapid and flexible service provisioning.

VPLS is a good alternative for government agencies that want to move beyond point-to-point Frame Relay services but whose needs are not satisfied by a routed IP-VPN service. In the case of VPLS, the government agencies maintain complete control over their routing, and because all the agency routers in the VPLS are part of the same subnet (LAN), the result is a simplified IP addressing plan. This is especially true when compared to a mesh constructed from many separate point-to-point connections. From a security perspective, if the government agency is using a service provider to provide connectivity between sites, that service provider has no awareness of or participation in the agency's IP addressing space and routing.

VPLS also offers some additional advantages:
- A transparent, protocol-independent service
- LAN/WAN Ethernet interface on the user's router, which reduces complexity and total cost of ownership
- No Layer 2 protocol conversion between LAN and WAN technologies
- No need to train personnel on WAN technologies such as Frame Relay, because there is no need to design, manage, configure and maintain separate WAN access equipment
- Complete control over their routing, providing a clear demarcation of functionality between the service provider and the government agency, so that troubleshooting is easier
- The ability to add a new site without the need to reconfigure service provider equipment or the local equipment at existing sites
- Fast provisioning, with potential for user-provisioned bandwidth on demand
- Scalability: virtual LAN (VLAN) IDs have local significance only and eliminate the 4094 VLANs per network limit of traditional bridged metro Ethernet services
- Granular bandwidth from 64 kb/s to 1 Gb/s (compared to the Frame Relay step function in DS1/DS3 multiples)

The remainder of this discussion focuses on the details of the VPLS solution as described in RFC 4762.

VPLS: solution overview


The VPLS architecture proposed in RFC 4762 specifies use of a provider edge (PE) router that is capable of learning, bridging and replication on a per-VPLS basis. The PE routers that participate in the service are connected together by a full mesh of MPLS label switched path (LSP) tunnels. Multiple VPLS services can be offered over the same set of LSP tunnels. Signaling specified in RFC 4447 is used to negotiate a set of ingress and egress virtual connection (VC) labels on a per-service basis. The VC labels are used by the PE routers for demultiplexing traffic arriving from different VPLS services over the same set of LSP tunnels.

MAC learning and packet forwarding

PE routers learn the source media access control (MAC) addresses of the traffic arriving on their access and network ports. Each PE router maintains a forwarding information base (FIB) for each VPLS service instance, and learned MAC addresses are populated in the FIB table of the service. All traffic is switched based on MAC addresses and forwarded between all participating PE routers using the LSP tunnels. Unknown packets (that is, packets whose destination MAC address has not been learned) are forwarded on all LSPs to the participating PE routers for that service until the target station responds and the MAC address is learned by the PE routers associated with that service.

VPLS packet walkthrough


The following is a description of the VPLS processing of a user packet sent from Site A, which is connected to PE Router A, to Site C, which is connected to PE Router C (see Figure 2).
Figure 2. VPLS leveraging IP/MPLS (PE A, PE B, PE C and PE D interconnected over the IP/MPLS network; VPLS Service 1 and VPLS Service 2 each appear as a virtual bridge, marked B, on the PE routers they span)

PE Router A

User packets arriving at PE Router A are associated to the appropriate VPLS service instance based on the combination of the physical port and the IEEE 802.1Q tag (VLAN ID) in the packet. PE Router A learns the source MAC address in the packet and creates an entry in the FIB table that associates the MAC address to the access port on which it was received.

The destination MAC address in the packet is looked up in the FIB table for the VPLS instance. There are two possibilities: either the destination MAC address has already been learned (known MAC address) or the destination MAC address is not yet learned (unknown MAC address).

Known MAC address

If the destination MAC address has been previously learned by PE Router A, an existing entry in the FIB table identifies the far-end PE router and the service VC label (inner label) to be used before sending the packet to the far-end PE Router C.
Figure 3. Packet forwarding by the ingress PE router (ingress lookup based on access port or port/VLAN ID; the customer packet from Location A, carrying destination MAC, source MAC and VLAN ID, enters PE A and is sent into the LSP tunnel across the IP/MPLS network)

PE Router A chooses a transport LSP to send the user packets to PE Router C. The user packet is sent on this LSP after the IEEE 802.1Q tag is stripped and the service VC label (inner label) and the transport label (outer label) are added to the packet.

Unknown MAC address

If the destination MAC address has not been learned, PE Router A will flood the packet to both PE Router B and PE Router C. It does this using the VC labels that each PE router previously signaled for this VPLS instance. Note that the packet is not sent to PE Router D because this VPLS service does not exist on that PE router.

Core router switching


All the core routers (P routers in IETF nomenclature) are label switching routers (LSRs) that switch the packet based on the transport (outer) label of the packet until the packet arrives at the far-end PE router (see Figure 4). All core routers are unaware of the fact that this traffic is associated with a VPLS service.
Figure 4. Packet forwarding in the core (PE A applies the pre-assigned and signaled VC label and the tunnel label to the customer packet; the copy sent on the LSP tunnel toward PE C carries VC Label X and the copy toward PE B carries VC Label Y, each followed by the destination MAC, source MAC and customer packet)
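The label stacking that Figures 3 and 4 describe, as an added example that is not part of the white paper: an ingress PE pushes the VC label (bottom of stack) and the transport label (top), a P router swaps only the outer label from its label forwarding table, and the egress PE pops the stack to reveal the VC label. The 4-byte label stack entry layout follows RFC 3032; the label values, the P router's label table and the customer frame are constructed for the example.

```python
"""Added example (not from the white paper): pushing a transport (outer) label
and a VC (inner) label onto a customer frame, switching on the outer label in a
core P router, and popping the stack at the egress PE. Label stack entries
follow RFC 3032 (20-bit label, 3-bit traffic class, 1-bit bottom-of-stack,
8-bit TTL); label values, the LFIB and the customer frame are constructed."""
import struct


def encode_label(label, bos, ttl=255, tc=0):
    """Build one 4-byte label stack entry."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label must fit in 20 bits")
    word = (label << 12) | ((tc & 0x7) << 9) | (int(bool(bos)) << 8) | (ttl & 0xFF)
    return struct.pack("!I", word)


def decode_label(entry):
    """Parse one 4-byte label stack entry into (label, tc, bos, ttl)."""
    (word,) = struct.unpack("!I", entry[:4])
    return word >> 12, (word >> 9) & 0x7, bool((word >> 8) & 1), word & 0xFF


def ingress_pe_push(customer_frame, tunnel_label, vc_label):
    """Ingress PE: the VC label sits at the bottom of the stack, the tunnel label on top."""
    return (encode_label(tunnel_label, bos=False)
            + encode_label(vc_label, bos=True)
            + customer_frame)


def p_router_switch(packet, lfib):
    """Core LSR: swap only the outer label per its LFIB and decrement its TTL.
    The VC label and the customer frame below it are carried untouched, which is
    why P routers need no knowledge of the VPLS service the packet belongs to."""
    label, tc, bos, ttl = decode_label(packet)
    if ttl <= 1:
        raise ValueError("TTL expired, packet dropped")
    out_label = lfib[label]   # KeyError means no LSP for this label: the packet is dropped
    return encode_label(out_label, bos, ttl - 1, tc) + packet[4:]


def egress_pe_pop(packet):
    """Egress PE: strip the whole stack; return (labels top to bottom, customer frame).
    The bottom-of-stack label is the VC label that selects the VPLS instance."""
    labels, offset = [], 0
    while True:
        label, _tc, bos, _ttl = decode_label(packet[offset:offset + 4])
        labels.append(label)
        offset += 4
        if bos:
            return labels, packet[offset:]


# Constructed customer frame: destination MAC, source MAC, EtherType 0x0800, dummy payload
CUSTOMER_FRAME = (bytes.fromhex("00005e00530c") + bytes.fromhex("00005e00530a")
                  + b"\x08\x00" + b"payload")


def demo():
    """Walk one packet PE A -> P router -> PE C and report what the egress PE sees."""
    pkt = ingress_pe_push(CUSTOMER_FRAME, tunnel_label=1001, vc_label=100001)
    pkt = p_router_switch(pkt, lfib={1001: 2002})   # a single P router hop, constructed LFIB
    labels, frame = egress_pe_pop(pkt)
    return {"labels_at_egress": labels, "vc_label": labels[-1], "frame": frame}
```

The egress PE recovers the original customer frame byte for byte, and the only label it needs to interpret is the bottom one, the VC label; the outer label changed at the P router without that router ever looking past it.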

PE Router C

PE Router C strips the transport label of the received packet to reveal the inner VC label. The VC label identifies the VPLS service instance to which the packet belongs. PE Router C learns the source MAC address in the packet and creates an entry in the FIB table. This entry associates the MAC address with PE Router A and the VC label that PE Router A previously signaled for the VPLS service.

The destination MAC address in the packet is looked up in the FIB table for the VPLS instance. Once again there are two possibilities: either the destination MAC address has already been learned (known MAC address) or the destination MAC address has not been learned on the access side of PE Router C (unknown MAC address).

Known MAC address

If the destination MAC address has been learned by PE Router C, an existing entry in the FIB table identifies the local access port and the IEEE 802.1Q tag to be added before sending the packet to customer location C (see Figure 5). Note that the egress Q tag may be different from the ingress Q tag that was used on PE Router A's access port.
Figure 5. Packet forwarding by the egress PE router (egress lookup based on VC label; PE C receives the packet from the LSP tunnel and delivers the customer packet, with destination MAC, source MAC and VLAN ID, to Customer Location C)

Unknown MAC address

If the destination MAC address has not been learned, PE Router C will flood the packet to all its local access ports that belong to the same VPLS instance as the source MAC address.
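The two lookups described above for PE Router A (ingress from an access port) and PE Router C (ingress from the core), as an added example that is not part of the white paper: each PE keeps one FIB per VPLS instance, learns the source MAC against the port/VLAN or the peer PE and VC label it arrived on, unicasts to a known destination, and floods an unknown destination only to the PEs that have the instance (never to PE D for Service 1) or only to the instance's local access ports. Port names, VLAN IDs, VC label values and MAC addresses are constructed.

```python
"""Added example (not from the white paper): a model of the per-VPLS MAC
learning and forwarding decisions the walkthrough describes for PE Router A
and PE Router C. Port names, VLAN IDs, VC labels and MACs are constructed."""
from collections import defaultdict


class VplsPe:
    def __init__(self, name):
        self.name = name
        self.acs = {}                    # (port, vlan) -> service id: attachment circuits
        self.fib = defaultdict(dict)     # service id -> {mac: ("access", port, vlan) | ("pe", peer, label)}
        self.peers = defaultdict(dict)   # service id -> {peer PE: VC label that peer signaled to us}
        self.local_vc = {}               # VC label we signaled -> (service id, peer PE), for demux

    def add_access(self, service, port, vlan):
        self.acs[(port, vlan)] = service

    def signal_vc(self, service, peer, remote_label, local_label):
        """Record the outcome of RFC 4447 label signaling with one peer for one service."""
        self.peers[service][peer] = remote_label
        self.local_vc[local_label] = (service, peer)

    def ingress_from_access(self, port, vlan, dst, src):
        service = self.acs[(port, vlan)]                # port plus 802.1Q tag select the instance
        self.fib[service][src] = ("access", port, vlan)  # learn the source on the access side
        entry = self.fib[service].get(dst)
        if entry is not None and entry[0] == "pe":
            return {"service": service, "action": "unicast", "to": [entry[1:]]}
        if entry is not None:
            return {"service": service, "action": "local", "to": [entry[1:]]}
        # Unknown destination: one copy to every PE that has this service, and no other PE
        return {"service": service, "action": "flood", "to": sorted(self.peers[service].items())}

    def ingress_from_core(self, vc_label, dst, src):
        service, from_pe = self.local_vc[vc_label]       # the VC label identifies the instance
        self.fib[service][src] = ("pe", from_pe, self.peers[service][from_pe])
        entry = self.fib[service].get(dst)
        if entry is not None and entry[0] == "access":
            return {"service": service, "action": "local", "to": [entry[1:]]}
        # Unknown on the access side: flood to this instance's local access ports only,
        # never back into the core (split horizon keeps the full mesh loop-free)
        return {"service": service, "action": "flood",
                "to": sorted(ac for ac, s in self.acs.items() if s == service)}


def build_topology():
    pes = {n: VplsPe(n) for n in "ABCD"}
    a, b, c, d = (pes[n] for n in "ABCD")
    # Service 1 spans PE A, B and C; Service 2 spans only PE A and D
    a.add_access(1, "1/1/1", 100); b.add_access(1, "1/1/1", 100); c.add_access(1, "1/1/1", 200)
    a.add_access(2, "1/1/2", 300); d.add_access(2, "1/1/1", 300)
    for service, members, base in ((1, [a, b, c], 1000), (2, [a, d], 2000)):
        for i, x in enumerate(members):              # full mesh of VCs per service
            for j, y in enumerate(members):
                if x is not y:                       # constructed label: base + 10*signaller + peer
                    x.signal_vc(service, y.name, remote_label=base + 10 * j + i,
                                local_label=base + 10 * i + j)
    return pes


SITE_A, SITE_B2, SITE_C = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b", "00:00:5e:00:53:0c"


def walkthrough():
    pes = build_topology()
    a, c = pes["A"], pes["C"]
    steps = []
    # Site A -> Site C, destination not yet known on PE A: flooded to PE B and PE C, never PE D
    steps.append(a.ingress_from_access("1/1/1", 100, dst=SITE_C, src=SITE_A))
    # PE C receives the copy on the VC label it signaled to PE A, learns Site A behind PE A and,
    # not knowing Site C yet, floods to its local access port for Service 1
    steps.append(c.ingress_from_core(1020, dst=SITE_C, src=SITE_A))
    # Site C replies; PE C already knows Site A sits behind PE A (VC label 1002)
    steps.append(c.ingress_from_access("1/1/1", 200, dst=SITE_A, src=SITE_C))
    # PE A demultiplexes on its own label 1002, learns Site C behind PE C, delivers locally
    steps.append(a.ingress_from_core(1002, dst=SITE_A, src=SITE_C))
    # The next Site A -> Site C packet is a known unicast toward PE C
    steps.append(a.ingress_from_access("1/1/1", 100, dst=SITE_C, src=SITE_A))
    # The same destination MAC seen in Service 2 is unknown there: FIBs are per instance
    steps.append(a.ingress_from_access("1/1/2", 300, dst=SITE_C, src=SITE_B2))
    return steps
```

The last step is the one worth keeping in mind operationally: a MAC learned in one VPLS instance is invisible to another instance on the same PE, and an unknown destination in Service 2 floods only to the PEs that carry Service 2, so the flooding scope of one customer's unknown-unicast traffic is bounded by its own instance membership.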

Hierarchical VPLS
The hierarchical VPLS (H-VPLS) architecture, also described in RFC 4762, builds on the base VPLS solution to provide several scaling and operational advantages. The scaling advantages are gained by introducing hierarchy and eliminating the need for a full mesh of VCs between all participating devices. Hierarchy is achieved by augmenting the base VPLS core mesh of VCs (hub) with access VCs (spoke) to form two tiers, as shown in Figure 6. Spoke connections are generally created between Layer 2 switches placed at the multitenant unit (MTU) and the PE routers placed at the service provider's point of presence (POP). This considerably reduces both the signaling and replication overhead on all devices. H-VPLS offers the flexibility of using different types of spoke connections: either an IEEE 802.1Q tagged connection or an MPLS LSP.

H-VPLS also offers several operational advantages by centralizing all the major functions in the POP PE routers, allowing the use of low-cost, low-maintenance MTU devices, and thereby reducing overall capital expenditures (CAPEX) and operating expenditures (OPEX) (because there are an order of magnitude more MTU devices than PE routers). Another operational advantage offered by H-VPLS is centralized provisioning with fewer elements to touch when turning up service for a user. Adding a new MTU device requires some configuration of the local PE router, but does not require any signaling of other PE routers or MTU devices, thereby greatly simplifying the provisioning process.

Figure 6. H-VPLS architecture (MTU devices MTU A1, MTU B1, MTU C1, MTU C2 and MTU D1 attach customer edge devices such as CE-a1/11, CE-a1/4, CE-b1/11, CE-b1/4, CE-c1/11, CE-c1/4, CE-c2/4 and CE-d1/11, and connect to PE A, PE B, PE C and PE D over spoke VCs carried as customer Q tags or MPLS labels; the PE routers are joined by hub VCs across the IP/MPLS network)

Inter-metro services (H-VPLS and MS-PW)


H-VPLS also enables VPLS services to span multiple metro networks (see Figure 7). A spoke connection is used to connect each VPLS service between the two metros. In its simplest form, the spoke connection could be a single-tunnel LSP. A set of ingress and egress VC labels is exchanged for each VPLS service instance to be transported over this LSP. The PE routers at each end treat this as a virtual spoke connection for the VPLS service in the same way as the PE-MTU connections. This architecture minimizes the signaling overhead and avoids a full mesh of VCs and LSPs between the two metro networks.

Multi-segment pseudo-wires (MS-PWs) provide a solution for inter-metro services that are managed as independent autonomous systems (AS), for example, where a VPLS service spans two metro networks managed by different service providers. With this method, pseudo-wires are connected between two distinct pseudo-wire control planes or packet-switched network domains, as shown in Figure 8. The pseudo-wire packet data units are simply switched from one pseudo-wire to another without changing the pseudo-wire payload.

To date, most deployed VPLS networks are based on single-segment pseudo-wires (SS-PWs), as described earlier in this document, whereby each PE node establishes a targeted LDP (T-LDP) session between two PE endpoints. This is a suitable and scalable solution within large-scale networks within the same domain, but it may not meet the service provider's requirements when delivering large-scale global services across administrative boundaries. With MS-PW, terminating-PE (T-PE) nodes replace the standard PE nodes as the originating and terminating nodes for the service. The source terminating PE (ST-PE) node assumes the active signaling role and initiates the signaling for the MS-PW using the address of the terminating node, referred to as the destination target T-PE (TT-PE). The TT-PE assumes a passive signaling role; it waits and responds to the MS-PW signaling message in the reverse direction. Switching PE (S-PE) nodes are introduced to alleviate the need for the end-to-end full mesh of T-LDP sessions and MPLS tunnels between T-PE nodes, addressing any T-LDP scaling concerns. In a standard MS-PW environment, S-PE nodes act as switching points. As the LDP mapping request arrives at the S-PE, it replaces the source information with its own and sends its own label mapping downstream toward the egress TT-PE.

Figure 7. Inter-metro VPLS with H-VPLS (two IP/MPLS metro networks, each with an LSP full mesh among its PE routers, PE A to PE D in one metro and PE E to PE H in the other, and MTU A to MTU H attached to them; one VC per service for this example links the two metros)

Figure 8. MS-PW for inter-AS VPLS (end-to-end service between a T-PE with a VSI in AS1 and a T-PE with a VSI in AS2, built from MS-PW segments (1), (2) and (3) that are switched at S-PE nodes located at the ASBRs)
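The MS-PW set-up and switching described in the inter-metro section, as an added example that is not part of the white paper: the ST-PE drives the signaling toward the TT-PE, each S-PE re-originates the label mapping downstream with itself as the source, the TT-PE answers passively in the reverse direction, and data then crosses the chain with the pseudo-wire label swapped at every S-PE while the payload is left untouched. Node names, label values and the message fields are constructed; real T-LDP label mapping messages carry FEC and interface-parameter TLVs that this model leaves out.

```python
"""Added example (not from the white paper): a model of multi-segment pseudo-wire
set-up and label switching along ST-PE -> S-PE -> S-PE -> TT-PE. Node names, label
values and the message fields are constructed; real T-LDP label mapping messages
carry FEC and interface-parameter TLVs that are not modelled here."""
from dataclasses import dataclass, field


@dataclass
class Mapping:
    """One label mapping message sent over a single segment (constructed format)."""
    sender: str
    receiver: str
    source_id: str    # source the receiver sees: an S-PE substitutes its own identity
    target_id: str    # far-end terminating node the mapping is heading for
    label: int        # label the receiver must use to send on this segment to the sender


@dataclass
class PwNode:
    name: str
    role: str                       # "ST-PE", "S-PE" or "TT-PE"
    next_label: int                 # constructed per-node label allocator seed
    toward_tt: tuple = None         # (next node, label) for the ST-PE -> TT-PE direction
    toward_st: tuple = None         # (previous node, label) for the reverse direction
    xconnect: dict = field(default_factory=dict)   # own label -> (next node, label) or None

    def allocate(self):
        self.next_label += 1
        return self.next_label


def signal_ms_pw(path):
    """Two-pass set-up: the ST-PE drives the forward pass, the TT-PE answers passively."""
    st, tt = path[0], path[-1]
    if st.role != "ST-PE" or tt.role != "TT-PE":
        raise ValueError("path must run from an ST-PE to a TT-PE")
    messages = []
    for up, down in zip(path, path[1:]):                          # active direction
        msg = Mapping(up.name, down.name, up.name, tt.name, up.allocate())
        down.toward_st = (up.name, msg.label)
        up.xconnect[msg.label] = up.toward_st                     # None at the ST-PE: it terminates
        messages.append(msg)
    for down, up in zip(reversed(path), reversed(path[:-1])):     # passive reply direction
        msg = Mapping(down.name, up.name, down.name, st.name, down.allocate())
        up.toward_tt = (down.name, msg.label)
        down.xconnect[msg.label] = down.toward_tt                 # None at the TT-PE: it terminates
        messages.append(msg)
    return messages


def forward(path, payload, reverse=False):
    """Carry one PW packet end to end; each S-PE swaps the segment label, payload untouched."""
    nodes = list(reversed(path)) if reverse else list(path)
    by_name = {n.name: n for n in nodes}
    next_name, label = getattr(nodes[0], "toward_st" if reverse else "toward_tt")
    hops = [(nodes[0].name, next_name, label)]
    while True:
        node = by_name[next_name]
        out = node.xconnect[label]          # KeyError: no segment was signaled for this label
        if out is None:
            return hops, payload             # the terminating PE hands the payload to its AC
        next_name, label = out
        hops.append((node.name, next_name, label))


def demo():
    path = [PwNode("ST-PE", "ST-PE", 100), PwNode("S-PE1", "S-PE", 200),
            PwNode("S-PE2", "S-PE", 300), PwNode("TT-PE", "TT-PE", 400)]
    messages = signal_ms_pw(path)
    hops, payload = forward(path, b"customer frame")
    return messages, hops, payload
```

Each node only ever learns the identity and label of its immediate neighbour on a segment, which is what lets two administrative domains join a service at an S-PE without exposing their full T-LDP mesh to each other.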

Industry support for VPLS


Alcatel-Lucent was the first to introduce VPLS to complement IP-VPNs on IP/MPLS-enabled networks and has been a leader in standards development from the start. Since then, VPLS has been ratified as an IETF standard (RFC 4762) through collaboration with other vendors and service providers. Carrier Ethernet VPNs based on VPLS are now included in the portfolio of service providers around the world, and vendors have been collaborating in interoperability events for several years. Beyond Carrier Ethernet VPNs for service providers' enterprise customers, VPLS has also emerged as a key infrastructure technology in the aggregation network for triple play services.

Conclusion
VPLS has emerged as an important Layer 2 VPN service to complement IP-VPN services to address a broader market. It offers government users exactly what they need for intersite connectivity: protocol transparency, scalable and granular bandwidth from 64 kb/s to 1 Gb/s, fast service activation and provisioning, and a simplified LAN/WAN boundary. VPLS also allows larger agencies to deliver a scalable VPN service offering that can be combined with Internet access on a consolidated IP/MPLS infrastructure, reducing OPEX. VPLS has received widespread industry support in the commercial sector from both vendors and service providers.

The Alcatel-Lucent Service Routing portfolio includes the Alcatel-Lucent 7750 Service Router (SR), the 7710 SR, the 7450 Ethernet Service Switch (ESS)/Router, the 7250 Service Access Switch (SAS) and the 5620 Service Aware Manager (SAM). These products allow service providers to differentiate themselves with fully managed, uninterrupted VPLS services that have assured high quality of experience, to meet the needs of today's always-on enterprise.

References
Standards bodies:
- Institute of Electrical and Electronics Engineers (www.ieee.org)
- Internet Engineering Task Force (www.ietf.org)
Ron Kline, "Forecast: Enterprise, Ethernet services, global", Ovum-RHK, 18 October 2007 (www.ovum.com)

Acronyms
AS: autonomous system
CAGR: compound annual growth rate
CAPEX: capital expenditures
CE: customer edge
ESS: Ethernet Service Switch
FIB: forwarding information base
H-VPLS: hierarchical virtual private LAN service
IEEE: Institute of Electrical and Electronics Engineers
IETF: Internet Engineering Task Force
IP: Internet Protocol
IP-VPN: IP virtual private network
LAN: local area network
LDP: Label Distribution Protocol
LSP: label switched path
LSR: label switching router
MAC: Media Access Control
MPLS: Multiprotocol Label Switching
MS-PW: multi-segment pseudo-wire
MTU: multitenant unit
OPEX: operating expenditures
PE: provider edge
POP: point of presence
RFC: Request for Comment
S-PE: switching PE
SS-PW: single-segment pseudo-wire
ST-PE: source terminating PE
SAM: Service Aware Manager
SAS: Service Access Switch
SR: Service Router
T-LDP: targeted LDP
T-PE: terminating PE
TT-PE: target T-PE
TLS: transparent LAN service
VC: virtual connection
VLAN: virtual LAN
VPLS: virtual private LAN service
VPN: virtual private network
WAN: wide area network


www.alcatel-lucent.com

Alcatel, Lucent, Alcatel-Lucent and the Alcatel-Lucent logo are trademarks of Alcatel-Lucent. All other trademarks are the property of their respective owners. The information presented is subject to change without notice. Alcatel-Lucent assumes no responsibility for inaccuracies contained herein. Copyright 2008 Alcatel-Lucent. All rights reserved. CAR4688081106 (11)
