TECHNOLOGY WHITE PAPER
The adoption of consolidated IP/MPLS networks, together with the development of new standards within the IETF, is now enabling government agencies to offer both VPN services and Internet access from a single packet-switched infrastructure. One of the most interesting of these mainstream VPN services is a multipoint Ethernet VPN, commonly referred to as Virtual Private LAN Service (VPLS) and also referred to as an E-LAN Carrier Ethernet service by the Metro Ethernet Forum (MEF).

Virtual Private LAN Service (VPLS) Technical Primer for Government Agencies
Table of contents
VPLS: an additional option ... 1
VPLS: solution overview ... 2
MAC learning and packet forwarding ... 2
VPLS packet walkthrough ... 2
PE Router A ... 2
Known MAC address ... 3
Unknown MAC address ... 3
Core router switching ... 3
PE Router C ... 4
Known MAC address ... 4
Unknown MAC address ... 4
Hierarchical VPLS ... 4
Inter-metro services (H-VPLS and MS-PW) ... 5
Industry support for VPLS ... 6
Conclusion ... 6
References ... 7
Acronyms ... 7

VPLS Technical Primer for Government Agencies | Technical White Paper 1
VPLS: an additional option
As government agencies evaluate technologies to connect
geographically dispersed locations, their choice is increasingly
driven by the networking requirements of the various applications
they use in conducting their operation and the ease with which they
can leverage the talents and resources of their service provider.
Traditional choices have included Frame Relay-based virtual private
networks (VPNs) and IP-VPN services. VPLS is an alternative that
has become mainstream, with a forecasted 47 percent CAGR (2007-2012)
as shown in Figure 1. It provides an additional choice for
government agencies by addressing the bandwidth and site
scalability limitations of Frame Relay. VPLS also provides a Layer
2 alternative to network-based IP-VPNs for those government
organizations using non-IP protocols or who may be reluctant to
move to a Layer 3 service because of concerns over sharing routing
information or other internal operational reasons.
Figure 1. VPLS growth forecast (US$ billions, 2004-2012)
VPLS, described in RFC 4762, is an Ethernet VPN that allows the
connection of multiple sites in a single bridged domain over a
service provider-managed Internet Protocol (IP)/Multiprotocol Label
Switching (MPLS) network. All sites and users in a VPLS instance
appear to be on the same LAN, regardless of their location (metro,
national or international). VPLS uses an Ethernet interface as the
customer handoff, simplifying the LAN/WAN boundary and allowing for
rapid and flexible service provisioning.
VPLS is a good alternative for government agencies that want to
move beyond point-to-point Frame Relay services but whose needs are
not satisfied by a routed IP-VPN service. In the case of VPLS, the
government agencies maintain complete control over their routing,
and because all the agency routers in the VPLS are part of the same
subnet (LAN), the result is a simplified IP addressing plan. This
is especially true when compared to a mesh constructed from many
separate point-to-point connections. From a security perspective,
if the government agency is using a service provider to provide
connectivity between sites, that service provider has no awareness
or participation in the agency's IP addressing space and routing.
VPLS also offers some additional advantages:
• A transparent, protocol-independent service
• LAN/WAN Ethernet interface on the user's router, which reduces complexity and total cost of ownership
• No Layer 2 protocol conversion between LAN and WAN technologies
• No need to train personnel on WAN technologies such as Frame Relay because there is no need to design, manage, configure and maintain separate WAN access equipment
• Complete control over their routing, providing a clear demarcation of functionality between the service provider and the government agency, so that troubleshooting is easier
• The ability to add a new site without the need to reconfigure service provider equipment or the local equipment at existing sites
• Fast provisioning, with potential for user-provisioned bandwidth on demand
• Scalability: virtual LAN (VLAN) IDs have local significance only and eliminate the 4094 VLANs per network limit of traditional bridged metro Ethernet services
• Granular bandwidth from 64 kb/s to 1 Gb/s (compared to Frame Relay step-function in DS1/DS3 multiples)
The remainder of this discussion focuses on the details of the
VPLS solution as described in RFC 4762.
VPLS: solution overview
The VPLS architecture proposed in RFC 4762 specifies use of a
provider edge (PE) router that is capable of learning, bridging and
replication on a per-VPLS basis. The PE routers that participate in
the service are connected together by a full mesh of MPLS label
switched path (LSP) tunnels. Multiple VPLS services can be offered
over the same set of LSP tunnels. Signaling specified in RFC 4447
is used to negotiate a set of ingress and egress virtual connection
(VC) labels on a per-service basis. The VC labels are used by the
PE routers for demultiplexing traffic arriving from different VPLS
services over the same set of LSP tunnels.
MAC learning and packet forwarding
PE routers learn the source media access control (MAC) addresses of the traffic arriving on their access and network ports. Each PE router maintains a forwarding information base (FIB) for each VPLS service instance, and learned MAC addresses are populated in the FIB table of the service. All traffic is switched based on MAC addresses and forwarded between all participating PE routers using the LSP tunnels. Unknown packets (that is, the destination MAC address has not been learned) are forwarded on all LSPs to the participating PE routers for that service until the target station responds and the MAC address is learned by the PE routers associated with that service.
VPLS packet walkthrough
The following is a description of the VPLS processing of a user
packet sent from Site A, which is connected to PE Router A, to Site
C, which is connected to PE Router C (see Figure 2).
Figure 2. VPLS leveraging IP/MPLS (a virtual bridge per VPLS service instance, VPLS Service 1 and VPLS Service 2, spanning PE routers and CPE across the IP/MPLS network)
PE Router A
User packets arriving at PE Router A are associated to the appropriate VPLS service instance based on the combination of the physical port and the IEEE 802.1Q tag (VLAN ID) in the packet. PE Router A learns the source MAC address in the packet and creates an entry in the FIB table that associates the MAC address to the access port on which it was received.
The destination MAC address in the packet is looked up in the
FIB table for the VPLS instance. There are two possibilities:
either the destination MAC address has already been learned (known
MAC address) or the destination MAC address is not yet learned
(unknown MAC address).
Known MAC address
If the destination MAC address has been previously learned by PE Router A, an existing entry in the FIB table identifies the far-end PE router and the service VC label (inner label) to be used before sending the packet to the far-end PE Router C.
PE Router A chooses a transport LSP to send the user packets to
PE Router C. The user packet is sent on this LSP after the IEEE
802.1Q tag is stripped and the service VC label (inner label) and
the transport label (outer label) are added to the packet.
Unknown MAC address
If the destination MAC address has not been learned, PE Router A will flood the packet to both PE Router B and PE Router C. It does this using the VC labels that each PE router previously signaled for this VPLS instance. Note that the packet is not sent to PE Router D because this VPLS service does not exist on that PE router.
Core router switching
All the core routers (P routers in IETF nomenclature) are label switching routers (LSRs) that switch the packet based on the transport (outer) label of the packet until the packet arrives at the far-end PE router (see Figure 4). All core routers are unaware of the fact that this traffic is associated with a VPLS service.
Figure 3. Packet forwarding by the ingress PE router (ingress look-up based on access port or port/VLAN ID; the customer packet with destination MAC, source MAC and VLAN ID enters PE A from customer location A and is sent on an LSP tunnel into the IP/MPLS network)

Figure 4. Packet forwarding in the core (PE A applies the VC label, pre-assigned and signaled by PE B or PE C, and the tunnel label to the customer packet; the packet then follows the LSP tunnel across the IP/MPLS network to PE B or PE C)
PE Router C
PE Router C strips the transport label of the received packet to reveal the inner VC label. The VC label identifies the VPLS service instance to which the packet belongs. PE Router C learns the source MAC address in the packet and creates an entry in the FIB table. This entry associates the MAC address with PE Router A and the VC label that PE Router A previously signaled for the VPLS service. The destination MAC address in the packet is looked up in the FIB table for the VPLS instance. Once again there are two possibilities: either the destination MAC address has already been learned (known MAC address) or the destination MAC address has not been learned on the access side of PE Router C (unknown MAC address).
Known MAC address
If the destination MAC address has been learned by PE Router C, an existing entry in the FIB table identifies the local access port and the IEEE 802.1Q tag to be added before sending the packet to customer location C (see Figure 5). Note that the egress Q tag may be different from the ingress Q tag that was used on PE Router A's access port.
Unknown MAC address
If the destination MAC address has not been learned, PE Router C will flood the packet to all its local access ports that belong to the same VPLS instance as the source MAC address.
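The walkthrough above, together with the VC-label demultiplexing from the solution overview, as an added example that is not part of the original paper or any vendor implementation: a constructed Python model of two PE routers with a per-service FIB. MAC addresses, VC labels (101-103), port names and VLAN tags are made-up values; PE D is left out because it does not host service 1, so it never receives the flood.

```python
"""Toy model of the RFC 4762 walkthrough: per-service FIB learning, known
unicast forwarding on the VC label the far-end PE signaled, and flooding of
unknown destinations only to PEs that host the service. Constructed example;
MAC addresses, labels, ports and VLAN tags are made-up values."""

class PE:
    def __init__(self, name, my_vc, peer_vc, access):
        self.name = name
        self.my_vc = my_vc      # service -> VC label this PE signaled (demux key)
        self.peer_vc = peer_vc  # service -> {peer PE: VC label that peer signaled}
        self.access = access    # service -> {local access port: 802.1Q tag on it}
        self.fib = {}           # service -> {mac: ("access", port) | ("pe", peer, vc)}

    def _service_for(self, port, vlan):
        """Ingress association: physical port + VLAN ID selects the instance."""
        for svc, ports in self.access.items():
            if ports.get(port) == vlan:
                return svc
        raise KeyError(f"{self.name}: no VPLS instance on {port}/{vlan}")

    def from_access(self, port, vlan, src, dst):
        """Customer frame in; returns the labeled packets sent into the core."""
        svc = self._service_for(port, vlan)
        self.fib.setdefault(svc, {})[src] = ("access", port)   # learn source MAC
        entry = self.fib[svc].get(dst)
        if entry and entry[0] == "pe":                          # known: one far-end PE
            targets = {entry[1]: entry[2]}
        else:                                                   # unknown: flood, but only
            targets = self.peer_vc[svc]                         # to PEs in this service
        # Q tag is stripped; inner VC label and outer transport label are pushed
        return [{"tunnel": f"LSP->{peer}", "vc": vc, "src": src, "dst": dst}
                for peer, vc in targets.items()]

    def from_network(self, peer, pkt):
        """Labeled packet in from the core; returns (port, vlan) deliveries."""
        svc = next(s for s, vc in self.my_vc.items() if vc == pkt["vc"])  # demux
        fib = self.fib.setdefault(svc, {})
        fib[pkt["src"]] = ("pe", peer, self.peer_vc[svc][peer])  # learn MAC behind peer
        entry = fib.get(pkt["dst"])
        if entry and entry[0] == "access":                      # known on access side
            return [(entry[1], self.access[svc][entry[1]])]     # egress tag may differ
        return list(self.access[svc].items())                   # unknown: flood ports

def walkthrough():
    """Site A (PE A, tag 10) sends to Site C (PE C, tag 20); PE D lacks service 1."""
    pe_a = PE("A", {1: 101}, {1: {"B": 102, "C": 103}}, {1: {"a1": 10}})
    pe_c = PE("C", {1: 103}, {1: {"A": 101, "B": 102}}, {1: {"c1": 20, "c2": 20}})
    first = pe_a.from_access("a1", 10, "mac-a", "mac-c")        # unknown at A: flooded
    flooded = sorted(p["tunnel"] for p in first)
    at_c = pe_c.from_network("A", next(p for p in first if p["vc"] == 103))
    reply = pe_c.from_access("c1", 20, "mac-c", "mac-a")        # known at C: unicast
    pe_a.from_network("C", reply[0])                            # A learns mac-c behind C
    second = pe_a.from_access("a1", 10, "mac-a", "mac-c")       # now known at A
    return flooded, at_c, reply, second
```

The first frame is flooded to B and C and to every access port of the service at C; once C has answered, both PEs hold FIB entries and the second frame goes to C alone on VC label 103.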
Hierarchical VPLS
The hierarchical VPLS (H-VPLS) architecture also described in
RFC 4762 builds on the base VPLS solution to provide several
scaling and operational advantages. The scaling advantages are
gained by introducing hierarchy and eliminating the need for a full
mesh of VCs between all participating devices. Hierarchy is
achieved by augmenting the base VPLS core mesh of VCs (hub) with
access VCs (spoke) to form two tiers, as shown in Figure 6. Spoke
connections are generally created between Layer 2 switches placed
at the multitenant unit (MTU) and the PE routers placed at the
service provider's point of presence (POP). This considerably
reduces both the signaling and replication overhead on all
devices.
H-VPLS offers the flexibility of using different types of spoke
connections: either an IEEE 802.1Q tagged connection or an MPLS
LSP.
H-VPLS also offers several operational advantages by
centralizing all the major functions in the POP PE routers,
allowing the use of low-cost, low-maintenance MTU devices, and
thereby reducing overall capital expenditures (CAPEX) and operating
expenditures (OPEX) (because there are an order of magnitude more
MTU devices than PE routers). Another operational advantage offered
by H-VPLS is centralized provisioning with fewer elements to touch
when turning up service for a user. Adding a new MTU device
requires some configuration of the local PE router, but does not
require any signaling of other PE routers or MTU devices, thereby
greatly simplifying the provisioning process.
Figure 5. Packet forwarding by the egress PE router (egress look-up based on VC label; the packet leaves the LSP tunnel at PE C and is delivered to customer location C as a customer packet with destination MAC, source MAC and VLAN ID)
Figure 6. H-VPLS architecture (PE A, PE B, PE C and PE D joined by hub VCs over the IP/MPLS network; MTU A1, B1, C1, C2 and D1 attached to the PE routers by spoke VCs carrying customer Q tags or MPLS labels, with CE devices behind each MTU)
Inter-metro services (H-VPLS and MS-PW)
H-VPLS also enables VPLS services to span multiple metro
networks (see Figure 7). A spoke connection is used to connect
each VPLS service between the two metros. In its simplest form, the
spoke connection could be a single-tunnel LSP. A set of ingress and
egress VC labels is exchanged for each VPLS service instance to be
transported over this LSP. The PE routers at each end treat this as
a virtual spoke connection for the VPLS service in the same way as
the PE-MTU connections. This architecture minimizes the signaling
overhead and avoids a full mesh of VCs and LSPs between the two
metro networks.
Multi-segment pseudo-wires (MS-PWs) provide a solution for
inter-metro services that are managed as independent autonomous
systems (AS), for example, where a VPLS service spans two metro
networks managed by different service providers. With this method
pseudo-wires are connected between two distinct pseudo-wire control
planes or packet-switched network domains as shown in Figure 8. The
pseudo-wire packet data units are simply switched from one
pseudo-wire to another without changing the pseudo-wire
payload.
To date, most deployed VPLS networks are based on single-segment
pseudo-wires (SS-PWs), as described earlier in this document,
whereby each PE node establishes a targeted LDP (T-LDP) session
between two PE endpoints. This is a suitable and scalable solution
within large-scale networks within the same domain but may not meet
the service provider's requirements when delivering large-scale
global services across administrative boundaries. With MS-PW,
terminating-PE (T-PE) nodes replace the standard PE nodes as the
originating and terminating nodes for the service. The source
terminating PE (ST-PE) node assumes the active signaling role and
initiates the signaling for the MS-PW using the address of the
terminating node, referred to as the destination target T-PE
(TT-PE).
The TT-PE assumes a passive signaling role; it waits and
responds to the MS-PW signaling message in the reverse direction.
Switching PE (S-PE) nodes are introduced to alleviate the need for
the end-to-end full mesh of T-LDP sessions and MPLS tunnels between
T-PE nodes to address any T-LDP scaling concerns. In a standard
MS-PW environment, S-PE nodes act as switching points. As the LDP
mapping request arrives at the S-PE, it replaces the source
information with its own and sends its own label mapping downstream
toward the egress TT-PE.
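The MS-PW signaling roles and switching behaviour described above, as an added example that is not from the paper or any vendor implementation: a constructed Python model in which the ST-PE initiates the label mapping, each S-PE substitutes itself as source and advertises its own label downstream, the TT-PE responds passively in the reverse direction, and a PDU is then label-swapped per segment with its payload untouched. Node names (ST-PE, S-PE1, S-PE2, TT-PE) and the label bases 100/200/300/400 are assumptions.

```python
"""Toy model of MS-PW setup and switching: the active ST-PE originates the
label mapping, each S-PE replaces the source with itself and sends its own
mapping downstream, the passive TT-PE responds in the reverse direction, and
a PDU is then switched segment by segment with its payload unchanged.
Constructed example; node names and label values are made up."""

class Node:
    def __init__(self, name, base):
        self.name, self.base = name, base
        self.recv = {}  # neighbor -> label we advertised to that neighbor
        self.send = {}  # neighbor -> label that neighbor advertised to us

    def allocate(self, neighbor):
        """Advertise a fresh local label for traffic arriving from neighbor."""
        self.recv[neighbor] = self.base + len(self.recv)
        return {"src": self.name, "label": self.recv[neighbor]}

def signal(path):
    """Label mappings ST-PE -> S-PEs -> TT-PE, then back upstream from TT-PE."""
    mapping = path[0].allocate(path[1].name)             # ST-PE initiates
    for i in range(1, len(path)):
        path[i].send[mapping["src"]] = mapping["label"]  # remember upstream's label
        if i < len(path) - 1:                            # S-PE: own source, own label
            mapping = path[i].allocate(path[i + 1].name)
    reply = path[-1].allocate(path[-2].name)             # TT-PE answers passively
    for i in range(len(path) - 2, -1, -1):
        path[i].send[reply["src"]] = reply["label"]
        if i > 0:                                        # S-PE relays upstream likewise
            reply = path[i].allocate(path[i - 1].name)
    return {n.name: dict(n.send) for n in path}

def switch(path, payload):
    """Carry one PDU ST-PE -> TT-PE: each S-PE maps the label it advertised
    upstream to the label its downstream neighbor advertised; payload untouched."""
    labels = [path[0].send[path[1].name]]               # ST-PE pushes first segment label
    for i in range(1, len(path) - 1):                   # S-PEs act as switching points
        spe, up, down = path[i], path[i - 1], path[i + 1]
        assert spe.recv[up.name] == labels[-1]          # identifies the incoming segment
        labels.append(spe.send[down.name])              # swap to the outgoing segment
    assert path[-1].recv[path[-2].name] == labels[-1]   # TT-PE terminates the PW
    return labels, payload

def demo():
    path = [Node("ST-PE", 100), Node("S-PE1", 200), Node("S-PE2", 300), Node("TT-PE", 400)]
    tables = signal(path)
    labels, out = switch(path, b"customer-ethernet-frame")
    return tables, labels, out
```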
Figure 7. Inter-metro VPLS with H-VPLS (two IP/MPLS metro networks, one with PE A-D and MTU A-D, the other with PE E-H and MTU E-H, each with an LSP full mesh; one VC per service between the metros in this example)

Figure 8. MS-PW for inter-AS VPLS (a T-PE with a VSI in AS1 and a T-PE with a VSI in AS2; S-PE/ASBR nodes at the AS boundary; segments MS-PW(1), MS-PW(2) and MS-PW(3) form the end-to-end service)
Industry support for VPLS
Alcatel-Lucent was the first to introduce VPLS to complement
IP-VPNs on IP/MPLS-enabled networks and has been a leader in
standards development from the start. Since then, VPLS has been
ratified as an IETF standard (RFC 4762) through collaboration with
other vendors and service providers. Carrier Ethernet VPNs based
on VPLS are now included in the portfolio of service providers
around the world, and vendors have been collaborating in
interoperability events for several years. Beyond Carrier Ethernet
VPNs for service providers' enterprise customers, VPLS has also
emerged as a key infrastructure technology in the aggregation
network for triple play services.
Conclusion
VPLS has emerged as an important Layer 2 VPN service to
complement IP-VPN services to address a broader market. It offers
government users exactly what they need for intersite connectivity:
protocol transparency, scalable and granular bandwidth from 64
kb/s to 1 Gb/s, fast service activation and provisioning, and a
simplified LAN/WAN boundary. VPLS also allows larger agencies to
deliver
a scalable VPN service offering that can be combined with
Internet access on a consolidated IP/MPLS infrastructure, reducing
OPEX. VPLS has received widespread industry support in the
commercial sector from both vendors and service providers.
The Alcatel-Lucent Service Routing portfolio includes the
Alcatel-Lucent 7750 Service Router (SR), the 7710 SR, the 7450
Ethernet Service Switch (ESS)/Router, the 7250 Service Access
Switch (SAS) and the 5620 Service Aware Manager (SAM). These
products allow service providers to differentiate themselves with
fully managed, uninterrupted VPLS services that have assured high
quality of experience, to meet the needs of today's always-on
enterprise.
References
Standards bodies: Institute of Electrical and Electronics Engineers (www.ieee.org); Internet Engineering Task Force (www.ietf.org)
Ron Kline, "Forecast: Enterprise, Ethernet services, global." Ovum-RHK, 18 October 2007 (www.ovum.com)
Acronyms
AS autonomous system
CAGR compound annual growth rate
CAPEX capital expenditures
CE customer edge
ESS Ethernet Service Switch
FIB forwarding information base
H-VPLS hierarchical virtual private LAN service
IEEE Institute of Electrical and Electronics Engineers
IETF Internet Engineering Task Force
IP Internet Protocol
IP-VPN IP virtual private network
LAN local area network
LDP Label Distribution Protocol
LSP label switched path
LSR label switching router
MAC Media Access Control
MPLS Multiprotocol Label Switching
MS-PW multi-segment pseudo-wire
MTU multitenant unit
OPEX operating expenditures
PE provider edge
POP point of presence
RFC Request for Comment
S-PE switching PE
SS-PW single-segment pseudo-wire
ST-PE source terminating PE
SAM Service Aware Manager
SAS Service Access Switch
SR Service Router
T-LDP targeted LDP
T-PE terminating PE
TT-PE target T-PE
TLS transparent LAN service
VC virtual connection
VLAN virtual LAN
VPLS virtual private LAN service
VPN virtual private network
WAN wide area network
www.alcatel-lucent.com Alcatel, Lucent, Alcatel-Lucent and the
Alcatel-Lucent logo are trademarks of Alcatel-Lucent. All other
trademarks are the property of their respective owners. The
information presented is subject to change without notice.
Alcatel-Lucent assumes no responsibility for inaccuracies contained
herein. Copyright 2008 Alcatel-Lucent. All rights reserved.
CAR4688081106 (11)