Nov 25, 2015

TECHNOLOGY WHITE PAPER

The adoption of consolidated IP/MPLS networks, together with the development of new standards within the IETF, is now enabling government agencies to offer both VPN services and Internet access from a single packet-switched infrastructure. One of the most interesting of these mainstream VPN services is a multipoint Ethernet VPN, commonly referred to as Virtual Private LAN Service (VPLS) and also referred to as an E-LAN Carrier Ethernet service by the Metro Ethernet Forum (MEF).

Virtual Private LAN Service (VPLS) Technical Primer for Government Agencies

Table of contents

    1 VPLS: an additional option

    2 VPLS: solution overview

    2 MAC learning and packet forwarding

    2 VPLS packet walkthrough

    2 PE Router A

    3 Known MAC address

    3 Unknown MAC address

    3 Core router switching

    4 PE Router C

    4 Known MAC address

    4 Unknown MAC address

    4 Hierarchical VPLS

    5 Inter-metro services (H-VPLS and MS-PW)

    6 Industry support for VPLS

    6 Conclusion

    7 References

    7 Acronyms

VPLS Technical Primer for Government Agencies | Technical White Paper 1

    VPLS: an additional option

As government agencies evaluate technologies to connect geographically dispersed locations, their choice is increasingly driven by the networking requirements of the various applications they use in conducting their operation and the ease with which they can leverage the talents and resources of their service provider. Traditional choices have included Frame Relay-based virtual private networks (VPNs) and IP-VPN services. VPLS is an alternative that has become mainstream, with a forecasted 47 percent CAGR (2007 to 2012) as shown in Figure 1. It provides an additional choice for government agencies by addressing the bandwidth and site scalability limitations of Frame Relay. VPLS also provides a Layer 2 alternative to network-based IP-VPNs for those government organizations using non-IP protocols or who may be reluctant to move to a Layer 3 service because of concerns over sharing routing information or other internal operational reasons.

Figure 1. VPLS growth forecast (US$ billions, 2004 to 2012)

    VPLS, described in RFC 4762, is an Ethernet VPN that allows the connection of multiple sites in a single bridged domain over a service provider-managed Internet Protocol (IP)/Multiprotocol Label Switching (MPLS) network. All sites and users in a VPLS instance appear to be on the same LAN, regardless of their location (metro, national or international). VPLS uses an Ethernet interface as the customer handoff, simplifying the LAN/WAN boundary and allowing for rapid and flexible service provisioning.

VPLS is a good alternative for government agencies that want to move beyond point-to-point Frame Relay services but whose needs are not satisfied by a routed IP-VPN service. In the case of VPLS, the government agencies maintain complete control over their routing, and because all the agency routers in the VPLS are part of the same subnet (LAN), the result is a simplified IP addressing plan. This is especially true when compared to a mesh constructed from many separate point-to-point connections. From a security perspective, if the government agency is using a service provider to provide connectivity between sites, that service provider has no awareness of or participation in the agency's IP addressing space and routing. Note that this is isolation of routing, not confidentiality: the provider's PE routers still see and learn the agency's MAC addresses, and frames cross the provider core unencrypted unless the agency encrypts them end to end. VPLS also offers some additional advantages:

• A transparent, protocol-independent service

• LAN/WAN Ethernet interface on the user's router, which reduces complexity and total cost of ownership

• No Layer 2 protocol conversion between LAN and WAN technologies

• No need to train personnel on WAN technologies such as Frame Relay because there is no need to design, manage, configure and maintain separate WAN access equipment

• Complete control over their routing, providing a clear demarcation of functionality between the service provider and the government agency, so that troubleshooting is easier

• The ability to add a new site without the need to reconfigure service provider equipment or the local equipment at existing sites

• Fast provisioning, with potential for user-provisioned bandwidth on demand

• Scalability: virtual LAN (VLAN) IDs have local significance only and eliminate the 4094 VLANs per network limit of traditional bridged metro Ethernet services

• Granular bandwidth from 64 kb/s to 1 Gb/s (compared to Frame Relay step-function in DS1/DS3 multiples)

    The remainder of this discussion focuses on the details of the VPLS solution as described in RFC 4762.

    VPLS: solution overview

The VPLS architecture proposed in RFC 4762 specifies use of a provider edge (PE) router that is capable of learning, bridging and replication on a per-VPLS basis. The PE routers that participate in the service are connected together by a full mesh of MPLS label switched path (LSP) tunnels. Multiple VPLS services can be offered over the same set of LSP tunnels. Signaling specified in RFC 4447 is used to negotiate a set of ingress and egress virtual connection (VC) labels (called pseudowire labels in RFC 4447 terminology) on a per-service basis. The VC labels are used by the PE routers for demultiplexing traffic arriving from different VPLS services over the same set of LSP tunnels.
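The label stack described above, as an added example that is not part of the Alcatel-Lucent white paper: the Python below models the VPLS data plane of RFC 4762 on a single frame. It encodes each MPLS label stack entry in the RFC 3032 format (20-bit label, 3-bit TC, S bit, 8-bit TTL), strips the customer 802.1Q tag at the ingress PE, swaps only the outer transport label at the P routers, and demultiplexes on the inner VC label at the egress PE. All label values, MAC addresses, VLAN IDs, the payload and the function names are constructed for the example, and penultimate-hop popping is omitted so the egress PE pops the transport label itself. The check it adds, which the page does not spell out, is that the egress PE maps only VC labels it allocated and signaled itself to a VPLS instance; a packet carrying any other inner label, or a malformed stack, is dropped rather than guessed at.

```python
import struct

# Constructed sample values for the example (not from the white paper): label
# numbers, MAC addresses, VLAN IDs and the payload are arbitrary.
DOT1Q_TPID = 0x8100
PE_C_VC_LABELS = {200001: "VPLS-1", 200002: "VPLS-2"}   # VC labels PE C allocated and signaled


def encode_label(label, tc=0, bottom=False, ttl=255):
    """Pack one 32-bit MPLS label stack entry (RFC 3032): label(20) | TC(3) | S(1) | TTL(8)."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label out of range")
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bottom) << 8) | ttl)


def decode_label(entry):
    """Unpack the first label stack entry of `entry` into its fields."""
    (v,) = struct.unpack("!I", entry[:4])
    return {"label": v >> 12, "tc": (v >> 9) & 0x7, "bottom": bool((v >> 8) & 1), "ttl": v & 0xFF}


def strip_dot1q(frame):
    """Return (vlan_id, untagged_frame); vlan_id is None when no 802.1Q tag is present."""
    if len(frame) >= 16 and frame[12:14] == b"\x81\x00":
        vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        return vid, frame[:12] + frame[16:]
    return None, frame


def add_dot1q(frame, vid, pcp=0):
    """Insert an 802.1Q tag after the two MAC addresses (done by the egress PE)."""
    return frame[:12] + struct.pack("!HH", DOT1Q_TPID, (pcp << 13) | (vid & 0x0FFF)) + frame[12:]


def ingress_pe(frame, vc_label, tunnel_label):
    """PE A: strip the customer Q tag, push the VC label (bottom of stack), then the transport label."""
    _, untagged = strip_dot1q(frame)
    return encode_label(tunnel_label) + encode_label(vc_label, bottom=True) + untagged


def core_lsr(packet, swap_table):
    """P router: swap the outer label and decrement its TTL; the VC label and payload are opaque to it."""
    outer = decode_label(packet)
    if outer["ttl"] <= 1:
        return None                                   # TTL expired: drop
    out_label = swap_table.get(outer["label"])
    if out_label is None:
        return None                                   # no LSP for this label: drop
    return encode_label(out_label, outer["tc"], outer["bottom"], outer["ttl"] - 1) + packet[4:]


def egress_pe(packet, vc_to_vsi):
    """PE C: pop the transport label and pick the VPLS instance by VC label.
    Only labels this PE allocated itself are accepted; anything else is dropped, never guessed."""
    if len(packet) < 8:
        return None, None
    outer, inner = decode_label(packet), decode_label(packet[4:])
    if outer["bottom"] or not inner["bottom"] or inner["label"] not in vc_to_vsi:
        return None, None
    return vc_to_vsi[inner["label"]], packet[8:]


# Constructed walkthrough: Site A (VLAN 100 on PE A) sends to Site C (VLAN 200 on PE C).
SITE_A_FRAME = (bytes.fromhex("0200000000c1") + bytes.fromhex("0200000000a1")   # dst MAC, src MAC
                + struct.pack("!HH", DOT1Q_TPID, 100) + b"\x08\x00" + b"payload-from-A")


def walk_a_to_c():
    """Run the frame through PE A, two P routers and PE C; return (vsi, frame handed to Site C)."""
    packet = ingress_pe(SITE_A_FRAME, vc_label=200001, tunnel_label=1001)   # LSP to PE C
    for swap_table in ({1001: 1002}, {1002: 1003}):    # two P routers along the LSP
        packet = core_lsr(packet, swap_table)
        if packet is None:
            return None, None
    vsi, frame = egress_pe(packet, PE_C_VC_LABELS)
    if vsi is None:
        return None, None
    return vsi, add_dot1q(frame, vid=200)              # egress Q tag may differ from the ingress one


if __name__ == "__main__":
    print(walk_a_to_c())
```

The P routers never look past the outer label, which is why the core can carry many VPLS instances (and L3 VPNs) over one set of tunnels but also why any per-service policy has to live on the PE routers.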

MAC learning and packet forwarding

PE routers learn the source media access control (MAC) addresses of the traffic arriving on their access and network ports. Each PE router maintains a forwarding information base (FIB) for each VPLS service instance, and learned MAC addresses are populated in the FIB table of the service. All traffic is switched based on MAC addresses and forwarded between all participating PE routers using the LSP tunnels. Unknown packets (that is, packets whose destination MAC address has not been learned) are forwarded on all LSPs to the participating PE routers for that service until the target station responds and its MAC address is learned by the PE routers associated with that service. Frames received over a pseudowire from another PE router are forwarded only to local access ports and never back onto the mesh (the split-horizon rule of RFC 4762), which is what allows the full mesh to operate without a spanning tree.

    VPLS packet walkthrough

    The following is a description of the VPLS processing of a user packet sent from Site A, which is connected to PE Router A, to Site C, which is connected to PE Router C (see Figure 2).

Figure 2. VPLS leveraging IP/MPLS (PE A, PE B, PE C and PE D connected by an IP/MPLS network; VPLS Service 1 and VPLS Service 2 each appear as one virtual bridge spanning the PE routers that host them, with CPE at each site)

PE Router A

User packets arriving at PE Router A are associated to the appropriate VPLS service instance based on the combination of the physical port and the IEEE 802.1Q tag (VLAN ID) in the packet. PE Router A learns the source MAC address in the packet and creates an entry in the FIB table that associates the MAC address to the access port on which it was received.

  • VPLS Technical Primer for Government Agencies | Technical White Paper 3

    The destination MAC address in the packet is looked up in the FIB table for the VPLS instance. There are two possibilities: either the destination MAC address has already been learned (known MAC address) or the destination MAC address is not yet learned (unknown MAC address).

Known MAC address

If the destination MAC address has been previously learned by PE Router A, an existing entry in the FIB table identifies the far-end PE router and the service VC label (inner label) to be used before sending the packet to the far-end PE Router C.

    PE Router A chooses a transport LSP to send the user packets to PE Router C. The user packet is sent on this LSP after the IEEE 802.1Q tag is stripped and the service VC label (inner label) and the transport label (outer label) are added to the packet.

Unknown MAC address

If the destination MAC address has not been learned, PE Router A will flood the packet to both PE Router B and PE Router C. It does this using the VC labels that each PE router previously signaled for this VPLS instance. Note that the packet is not sent to PE Router D because this VPLS service does not exist on that PE router.

    Core router switching

All the core routers (P routers in IETF nomenclature) are label switching routers (LSRs) that switch the packet based on the transport (outer) label of the packet until the packet arrives at the far-end PE router (see Figure 4). All core routers are unaware of the fact that this traffic is associated with a VPLS service.

Figure 4. Packet forwarding in the core (PE A applies the VC label and the tunnel label to the customer packet, consisting of destination MAC, source MAC and payload, from customer location A; VC label X was pre-assigned and signaled by PE C and VC label Y by PE B; the labeled packets travel over LSP tunnels across the IP/MPLS network to PE C and PE B)

Figure 3. Packet forwarding by the ingress PE router (PE A performs an ingress look-up based on the access port or port/VLAN ID; the customer packet with destination MAC, source MAC and VLAN ID from customer location A enters the LSP tunnel into the IP/MPLS network)


PE Router C

PE Router C strips the transport label of the received packet to reveal the inner VC label. The VC label identifies the VPLS service instance to which the packet belongs. PE Router C learns the source MAC address in the packet and creates an entry in the FIB table. This entry associates the MAC address with PE Router A and the VC label that PE Router A previously signaled for the VPLS service. The destination MAC address in the packet is looked up in the FIB table for the VPLS instance. Once again there are two possibilities: either the destination MAC address has already been learned (known MAC address) or the destination MAC address has not been learned on the access side of PE Router C (unknown MAC address).

Known MAC address

If the destination MAC address has been learned by PE Router C, an existing entry in the FIB table identifies the local access port and the IEEE 802.1Q tag to be added before sending the packet to customer location C (see Figure 5). Note that the egress Q tag may be different from the ingress Q tag that was used on PE Router A's access port.

Unknown MAC address

If the destination MAC address has not been learned, PE Router C will flood the packet to all its local access ports that belong to the same VPLS instance as the source MAC address.

    Hierarchical VPLS

The hierarchical VPLS (H-VPLS) architecture also described in RFC 4762 builds on the base VPLS solution to provide several scaling and operational advantages. The scaling advantages are gained by introducing hierarchy and eliminating the need for a full mesh of VCs between all participating devices. Hierarchy is achieved by augmenting the base VPLS core mesh of VCs (hub) with access VCs (spoke) to form two tiers, as shown in Figure 6. Spoke connections are generally created between Layer 2 switches placed at the multitenant unit (MTU) and the PE routers placed at the service provider's point of presence (POP). This considerably reduces both the signaling and replication overhead on all devices.

    H-VPLS offers the flexibility of using different types of spoke connections: either an IEEE 802.1Q tagged connection or an MPLS LSP.

    H-VPLS also offers several operational advantages by centralizing all the major functions in the POP PE routers, allowing the use of low-cost, low-maintenance MTU devices, and thereby reducing overall capital expenditures (CAPEX) and operating expenditures (OPEX) (because there are an order of magnitude more MTU devices than PE routers). Another operational advantage offered by H-VPLS is centralized provisioning with fewer elements to touch when turning up service for a user. Adding a new MTU device requires some configuration of the local PE router, but does not require any signaling of other PE routers or MTU devices, thereby greatly simplifying the provisioning process.
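The walkthrough in the PE Router A and PE Router C sections and the hub/spoke split of H-VPLS above, as an added example that is not part of the white paper: the Python below is a per-VSI learning bridge that replays the Site A to Site C exchange on PE A and PE C, then attaches an H-VPLS spoke to PE C and has one site flood random source MACs. Port names, MAC addresses and the cap of four FIB entries are constructed for the example. It goes beyond the page's text in two ways that follow RFC 4762: mesh pseudowires share one split-horizon group, so a frame received from a mesh pseudowire is never sent out another one (frames from access ports and spoke pseudowires go everywhere), and the FIB is capped per VSI and refuses new entries when full, so a site that floods random source MACs cannot evict the other sites' entries or turn their traffic into unknown-unicast floods. Real PE routers typically expose such a per-service limit as a configuration option; refusing rather than evicting is this example's choice.

```python
from collections import OrderedDict


class Port:
    """A VSI attachment: access port, mesh (hub) pseudowire or spoke pseudowire.
    Mesh pseudowires share a split-horizon group; access ports and spokes have none."""

    def __init__(self, name, group=None):
        self.name = name
        self.group = group


class VSI:
    """One VPLS instance on one PE: a per-service learning bridge (the page's FIB)."""

    def __init__(self, name, mac_limit=4):
        self.name = name
        self.ports = {}
        self.fib = OrderedDict()      # learned source MAC -> port it was learned on
        self.mac_limit = mac_limit    # constructed per-VSI cap on learned entries
        self.learn_refused = 0

    def add_port(self, name, group=None):
        self.ports[name] = Port(name, group)

    def learn(self, mac, in_port):
        if mac in self.fib:
            self.fib[mac] = in_port       # station moved or refreshed: relearn
            self.fib.move_to_end(mac)
            return
        if len(self.fib) >= self.mac_limit:
            self.learn_refused += 1       # table full: refuse rather than evict, so one chatty or
            return                        # malicious site cannot flush every other site's entries
        self.fib[mac] = in_port

    @staticmethod
    def may_forward(ingress, egress):
        """Split horizon (RFC 4762): never forward from one mesh pseudowire to another."""
        return ingress.group is None or ingress.group != egress.group

    def forward(self, in_port, src, dst):
        """Return the ports a frame (src -> dst) arriving on in_port is sent out of."""
        self.learn(src, in_port)
        ingress = self.ports[in_port]
        if dst in self.fib:                                   # known unicast
            out = self.fib[dst]
            if out != in_port and self.may_forward(ingress, self.ports[out]):
                return [out]
            return []
        return [p.name for p in self.ports.values()            # unknown: flood, minus split horizon
                if p.name != in_port and self.may_forward(ingress, p)]


def walkthrough():
    """Replay the page's walkthrough on PE A and PE C, then the H-VPLS spoke case and a MAC flood."""
    a_mac, c_mac = "02:00:00:00:00:a1", "02:00:00:00:00:c1"   # constructed station MACs
    pe_a, pe_c = VSI("VPLS-1@PE-A"), VSI("VPLS-1@PE-C")
    pe_a.add_port("access-A")
    for peer in ("pw-B", "pw-C"):
        pe_a.add_port(peer, group="mesh")
    pe_c.add_port("access-C")
    for peer in ("pw-A", "pw-B"):
        pe_c.add_port(peer, group="mesh")
    pe_c.add_port("spoke-MTU-C1")                              # H-VPLS spoke: outside the mesh group

    r = {}
    r["A_unknown"] = pe_a.forward("access-A", a_mac, c_mac)   # PE A floods to both mesh PWs
    r["C_from_A"] = pe_c.forward("pw-A", a_mac, c_mac)        # PE C: access + spoke, never pw-B
    r["C_reply"] = pe_c.forward("access-C", c_mac, a_mac)     # known: back over pw-A only
    r["A_reply"] = pe_a.forward("pw-C", c_mac, a_mac)         # known: access-A
    r["A_known"] = pe_a.forward("access-A", a_mac, c_mac)     # now known: pw-C only
    r["spoke_unknown"] = pe_c.forward("spoke-MTU-C1", "02:00:00:00:00:e1", "02:00:00:00:00:ff")
    for i in range(20):                                       # Site C floods 20 random source MACs
        pe_c.forward("access-C", "02:00:00:00:%02x:99" % i, "02:00:00:00:00:ff")
    r["C_fib_size"] = len(pe_c.fib)
    r["C_refused"] = pe_c.learn_refused
    r["A_still_known"] = pe_c.fib.get(a_mac)                 # Site A's entry survived the flood
    return r


if __name__ == "__main__":
    for k, v in walkthrough().items():
        print(k, v)
```

Without the split-horizon rule the flood from PE A would be re-flooded by PE C to PE B, which would flood it again, and the full mesh would loop; without the per-VSI cap, a single site can fill the table and force every other site's traffic to be flooded to all pseudowires, which is both a capacity problem and a way to observe traffic that should have been unicast.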

Figure 5. Packet forwarding by the egress PE router (PE C performs an egress look-up based on the VC label of the packet arriving from the LSP tunnel in the IP/MPLS network; the customer packet with destination MAC, source MAC and VLAN ID is delivered to customer location C)


Figure 6. H-VPLS architecture (PE A, PE B, PE C and PE D in the IP/MPLS network are joined by hub VCs; MTU A1, MTU B1, MTU C1, MTU C2 and MTU D1 attach to their PE routers over spoke VCs carried as customer Q tags or MPLS labels; CE devices such as CE-a1/4, CE-a1/11, CE-b1/4, CE-b1/11, CE-c1/4, CE-c1/11, CE-c2/4 and CE-d1/11 sit behind the MTU devices)

    Inter-metro services (H-VPLS and MS-PW)

H-VPLS also enables VPLS services to span multiple metro networks (see Figure 7). A spoke connection is used to connect each VPLS service between the two metros. In its simplest form, the spoke connection could be a single-tunnel LSP. A set of ingress and egress VC labels is exchanged for each VPLS service instance to be transported over this LSP. The PE routers at each end treat this as a virtual spoke connection for the VPLS service in the same way as the PE-MTU connections. This architecture minimizes the signaling overhead and avoids a full mesh of VCs and LSPs between the two metro networks.

Multi-segment pseudo-wires (MS-PWs) provide a solution for inter-metro services that are managed as independent autonomous systems (AS), for example, where a VPLS service spans two metro networks managed by different service providers. With this method pseudo-wires are connected between two distinct pseudo-wire control planes or packet-switched network domains as shown in Figure 8. The pseudo-wire packet data units are simply switched from one pseudo-wire to another without changing the pseudo-wire payload.

To date, most deployed VPLS networks are based on single-segment pseudo-wires (SS-PWs), as described earlier in this document, whereby each PE node establishes a targeted LDP (T-LDP) session between two PE endpoints. This is a suitable and scalable solution within large-scale networks within the same domain but may not meet the service provider's requirements when delivering large-scale global services across administrative boundaries. With MS-PW, terminating-PE (T-PE) nodes replace the standard PE nodes as the originating and terminating nodes for the service. The source terminating PE (ST-PE) node assumes the active signaling role and initiates the signaling for the MS-PW using the address of the terminating node, referred to as the destination target T-PE (TT-PE).

The TT-PE assumes a passive signaling role; it waits for and responds to the MS-PW signaling message in the reverse direction. Switching PE (S-PE) nodes are introduced to eliminate the need for an end-to-end full mesh of T-LDP sessions and MPLS tunnels between T-PE nodes, addressing any T-LDP scaling concerns. In a standard MS-PW environment, S-PE nodes act as switching points. As the LDP mapping request arrives at the S-PE, it replaces the source information with its own and sends its own label mapping downstream toward the egress TT-PE.


Figure 7. Inter-metro VPLS with H-VPLS (two IP/MPLS metro networks: PE A to PE D with MTU A to MTU D in the first, PE E to PE H with MTU E to MTU H in the second; an LSP full mesh inside each metro and one VC per service between the two metros for this example)

Figure 8. MS-PW for inter-AS VPLS (a VSI on a T-PE in AS1 and a VSI on a T-PE in AS2; the end-to-end service is built from segments MS-PW(1), MS-PW(2) and MS-PW(3), switched at S-PE nodes co-located with the ASBRs at the AS boundary)

    Industry support for VPLS

Alcatel-Lucent was the first to introduce VPLS to complement IP-VPNs on IP/MPLS-enabled networks and has been a leader in standards development from the start. Since then, VPLS has been ratified as an IETF standard (RFC 4762) through collaboration with other vendors and service providers. Carrier Ethernet VPNs based on VPLS are now included in the portfolio of service providers around the world, and vendors have been collaborating in interoperability events for several years. Beyond Carrier Ethernet VPNs for service providers' enterprise customers, VPLS has also emerged as a key infrastructure technology in the aggregation network for triple play services.

    Conclusion

VPLS has emerged as an important Layer 2 VPN service to complement IP-VPN services to address a broader market. It offers government users exactly what they need for intersite connectivity: protocol transparency, scalable and granular bandwidth from 64 kb/s to 1 Gb/s, fast service activation and provisioning, and a simplified LAN/WAN boundary. VPLS also allows larger agencies to deliver a scalable VPN service offering that can be combined with Internet access on a consolidated IP/MPLS infrastructure, reducing OPEX. VPLS has received widespread industry support in the commercial sector from both vendors and service providers.

The Alcatel-Lucent Service Routing portfolio includes the Alcatel-Lucent 7750 Service Router (SR), the 7710 SR, the 7450 Ethernet Service Switch (ESS)/Router, the 7250 Service Access Switch (SAS) and the 5620 Service Aware Manager (SAM). These products allow service providers to differentiate themselves with fully managed, uninterrupted VPLS services that have assured high quality of experience, to meet the needs of today's always-on enterprise.

    References

Standards bodies: Institute of Electrical and Electronics Engineers (www.ieee.org); Internet Engineering Task Force (www.ietf.org)

Ron Kline, Forecast: Enterprise, Ethernet services, global. Ovum-RHK, 18 October 2007 (www.ovum.com)

Acronyms

AS autonomous system

    CAGR compound annual growth rate

    CAPEX capital expenditures

    CE customer edge

    ESS Ethernet Service Switch

    FIB forwarding information base

    H-VPLS hierarchical virtual private LAN service

    IEEE Institute of Electrical and Electronics Engineers

    IETF Internet Engineering Task Force

    IP Internet Protocol

    IP-VPN IP virtual private network

    LAN local area network

    LDP Label Distribution Protocol

    LSP label switched path

    LSR label switching router

    MAC Media Access Control

    MPLS Multiprotocol Label Switching

    MS-PW multi-segment pseudo-wire

    MTU multitenant unit

    OPEX operating expenditures

    PE provider edge

    POP point of presence

RFC Request for Comments

    S-PE switching PE

    SS-PW single-segment pseudo-wire

    ST-PE source terminating PE

    SAM Service Aware Manager

    SAS Service Access Switch

    SR Service Router

    T-LDP targeted LDP

    T-PE terminating PE

    TT-PE target T-PE

    TLS transparent LAN service

    VC virtual connection

    VLAN virtual LAN

    VPLS virtual private LAN service

    VPN virtual private network

    WAN wide area network

www.alcatel-lucent.com Alcatel, Lucent, Alcatel-Lucent and the Alcatel-Lucent logo are trademarks of Alcatel-Lucent. All other trademarks are the property of their respective owners. The information presented is subject to change without notice. Alcatel-Lucent assumes no responsibility for inaccuracies contained herein. Copyright 2008 Alcatel-Lucent. All rights reserved. CAR4688081106 (11)