Virtual Private LAN Service
Encyclopedia
Virtual Private LAN Service (VPLS) is a way to provide Ethernet-based multipoint-to-multipoint communication over IP/MPLS networks. It allows geographically dispersed sites to share an Ethernet broadcast domain by connecting the sites through pseudo-wires. The technologies that can be used as pseudo-wires include Ethernet over MPLS, L2TPv3 or even GRE. There are two IETF standards-track RFCs (RFC 4761 and RFC 4762) describing VPLS establishment.
VPLS is a virtual private network (VPN) technology. In contrast to L2TPv3, which allows only point-to-point layer 2 tunnels, VPLS allows any-to-any (multipoint) connectivity.
In a VPLS, the local area network (LAN) at each site is extended to the edge of the provider network. The provider network then emulates a switch or bridge to connect all of the customer LANs to create a single bridged LAN.
Mesh establishment
Since VPLS emulates a LAN, full mesh connectivity is required. There are two methods for full mesh establishment for VPLS: using BGP and using Label Distribution Protocol (LDP). The "control plane" is the means by which provider edge (PE) routers communicate for auto-discovery and signaling. Auto-discovery refers to the process of finding other PE routers participating in the same VPN or VPLS. Signaling is the process of establishing pseudo-wires (PW). The PWs constitute the "data plane", whereby PEs send customer VPN/VPLS traffic to other PEs.
With BGP, one has auto-discovery as well as signaling. The mechanisms used are very similar to those used in establishing Layer-3 MPLS VPNs. Each PE is configured to participate in a given VPLS. The PE, through the use of BGP, simultaneously discovers all other PEs in the same VPLS, and establishes a full mesh of pseudo-wires to those PEs.
With LDP, each PE router must be configured to participate in a given VPLS, and, in addition, be given the addresses of other PEs participating in the same VPLS. A full mesh of LDP sessions is then established between these PEs. LDP is then used to create an equivalent mesh of PWs between those PEs.
An advantage to using PWs as the underlying technology for the data plane is that in case of failure, traffic will automatically be routed along available backup paths in the service provider's network. Failover will be much faster than could be achieved with e.g. Spanning Tree Protocol (STP). VPLS is thus a more reliable solution for linking together Ethernet networks in different locations than simply connecting a WAN link to Ethernet switches in both locations.
VPLS has significant advantages for both service providers and customers. Service providers benefit because they can generate additional revenues by offering a new Ethernet service with flexible bandwidth and sophisticated service level agreements (SLAs). VPLS is also simpler and more cost effective to operate than a traditional service. Customers benefit because they can connect all of their sites to an Ethernet VPN that provides a secure, high speed and homogeneous network. Moreover, VPLS provides a logical next step in the continuing evolution of Ethernet from a 10 Mbit/s shared LAN protocol to a multi-Gbps global service.
Label stack
VPLS MPLS packets have a two-label stack. The outer label is used for normal MPLS forwarding in the service provider's network. If BGP is used to establish the VPLS, the inner label is allocated by a PE as part of a label block. If LDP is used, the inner label is a virtual circuit ID assigned by LDP when it first established a mesh between the participating PEs. Every PE keeps track of the inner labels it has assigned and associates them with the VPLS instance.
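The two-label stack as an added example (not code from the article or from any vendor): the entry layout follows the standard MPLS label format (20-bit label, 3-bit TC, 1-bit bottom-of-stack S, 8-bit TTL), the label values and the per-PE label-to-instance table are constructed for the example, and no penultimate hop popping is assumed, so the egress PE sees both labels. It shows the ingress PE pushing the stack and the egress PE using the bottom-of-stack label to select the VPLS instance, dropping frames whose inner label it never assigned.

```python
import struct

def encode_entry(label, tc=0, s=0, ttl=255):
    """Pack one 32-bit label stack entry: 20-bit label, 3-bit TC,
    1-bit bottom-of-stack flag S, 8-bit TTL."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label must fit in 20 bits")
    word = (label << 12) | ((tc & 0x7) << 9) | ((s & 0x1) << 8) | (ttl & 0xFF)
    return struct.pack("!I", word)

def decode_entry(data):
    """Unpack one label stack entry into its fields."""
    (word,) = struct.unpack("!I", data[:4])
    return {"label": word >> 12, "tc": (word >> 9) & 0x7,
            "s": (word >> 8) & 0x1, "ttl": word & 0xFF}

def build_vpls_packet(transport_label, vc_label, frame):
    """Ingress PE: push the inner VC label (S=1) and then the outer
    transport label (S=0) in front of the customer Ethernet frame."""
    return encode_entry(transport_label, s=0) + encode_entry(vc_label, s=1) + frame

def parse_label_stack(packet):
    """Read entries until the bottom-of-stack bit is set.
    Returns (list of labels, payload after the stack)."""
    labels, off = [], 0
    while off + 4 <= len(packet):
        entry = decode_entry(packet[off:off + 4])
        labels.append(entry["label"])
        off += 4
        if entry["s"]:
            return labels, packet[off:]
    raise ValueError("label stack has no bottom-of-stack entry")

# Constructed per-PE table: the inner labels this PE handed out, keyed to
# the VPLS instance each belongs to (values are made up for the example).
VC_LABEL_TO_VPLS = {100001: "vpls-customer-A", 100002: "vpls-customer-B"}

def demux_vpls(packet, table=VC_LABEL_TO_VPLS):
    """Egress PE (no penultimate hop popping assumed): the bottom-of-stack
    label selects the VPLS instance. Returns (instance, frame), or None
    when the inner label is not one this PE assigned, so the caller drops
    the frame instead of bridging it into some instance."""
    labels, frame = parse_label_stack(packet)
    if len(labels) != 2:
        raise ValueError("expected a two-label VPLS stack, got %d" % len(labels))
    vpls = table.get(labels[-1])
    if vpls is None:
        return None
    return vpls, frame
```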
Ethernet emulation
PEs participating in a VPLS-based VPN must appear as an Ethernet bridge to connected customer edge (CE) devices. Received Ethernet frames must be treated in such a way as to ensure CEs can be simple Ethernet devices.
When a PE receives a frame from a CE, it inspects the frame and learns the CE's MAC address, storing it locally along with LSP routing information. It then checks the frame's destination MAC address. If it is a broadcast frame, or the MAC address is not known to the PE, it floods the frame to all PEs in the mesh.
Ethernet does not have a time to live (TTL) field in its frame header, so loop avoidance must be arranged by other means. In regular Ethernet deployments, Spanning Tree Protocol is used for this. In VPLS, loop avoidance is arranged by the following rule: a PE never forwards a frame received from a PE to another PE. The use of a full mesh combined with split horizon forwarding guarantees a loop-free broadcast domain.
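The bridging rules above as an added example (a constructed model, not code from the article or from any vendor): a VplsPE class learns source MACs, floods broadcast and unknown-unicast frames, and applies split horizon so that a frame arriving over a pseudo-wire is only delivered to local CE ports. The three-PE full mesh, port names, MAC addresses and the per-instance MAC table cap (an assumed guard against one site filling PE memory) are all constructed; the inject helper follows every copy of a frame through the mesh and raises if a copy ever loops.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"

class VplsPE:
    """One PE's bridge for a single VPLS instance (constructed model)."""

    def __init__(self, name, ce_ports, pw_peers, max_macs=1024):
        self.name = name
        self.ce_ports = set(ce_ports)   # attachment circuits to customer sites
        self.pw_peers = set(pw_peers)   # full-mesh pseudo-wires, keyed by peer PE name
        self.mac_table = {}             # MAC -> CE port or peer PE it was learned on
        self.max_macs = max_macs        # assumed cap so one site cannot exhaust memory

    def learn(self, mac, ingress):
        if mac in self.mac_table or len(self.mac_table) < self.max_macs:
            self.mac_table[mac] = ingress

    def forward(self, src, dst, ingress):
        """Return the set of CE ports / peer PEs the frame is replicated to."""
        self.learn(src, ingress)
        if ingress in self.pw_peers:
            # Split horizon: a frame received from a PE goes to local CEs only,
            # never back out over another pseudo-wire.
            candidates = set(self.ce_ports)
        else:
            candidates = (self.ce_ports | self.pw_peers) - {ingress}
        if dst == BROADCAST or dst not in self.mac_table:
            return candidates           # flood broadcast and unknown unicast
        out = self.mac_table[dst]
        return {out} if out in candidates else set()

def build_mesh():
    """Three PEs with one CE port each, fully meshed with pseudo-wires."""
    names = ["PE1", "PE2", "PE3"]
    ports = {"PE1": "ce-a", "PE2": "ce-b", "PE3": "ce-c"}
    return {n: VplsPE(n, [ports[n]], [p for p in names if p != n]) for n in names}

def inject(pes, origin, ingress, src, dst, max_hops=100):
    """Push one frame into the mesh at `origin` and follow every copy.
    Returns (copies received over PWs per PE, list of CE deliveries)."""
    pw_copies, ce_deliveries = {}, []
    queue = [(origin, ingress)]
    while queue:
        if max_hops == 0:
            raise RuntimeError("frame is looping: split horizon violated")
        max_hops -= 1
        pe_name, port = queue.pop(0)
        pe = pes[pe_name]
        for out in pe.forward(src, dst, port):
            if out in pe.pw_peers:
                pw_copies[out] = pw_copies.get(out, 0) + 1
                queue.append((out, pe_name))   # arrives at the peer over the PW from pe_name
            else:
                ce_deliveries.append((pe_name, out))
    return pw_copies, ce_deliveries
```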
Scalability
VPLS is typically used to link a large number of sites together. Scalability is therefore an important issue that needs addressing.
Hierarchical VPLS
VPLS requires a full mesh in both the control and data planes; this can be difficult to scale. For BGP, the control plane scaling issue has long been addressed through the use of route reflectors (RRs). RRs are extensively used in the context of Internet routing, as well as for several types of VPNs. To scale the data plane for multicast and broadcast traffic, there is work in progress to use point-to-multipoint LSPs as the underlying transport.
For LDP, a method of subdividing a VPLS VPN into two or three tiered hierarchical networks was developed. Called hierarchical VPLS (HVPLS), it introduces a new type of MPLS device: the multi-tenant unit (MTU) switch. This switch aggregates multiple customers into a single PE, which in turn needs only one control and data plane connection into the mesh. This can significantly reduce the number of LDP sessions and LSPs, and thus unburden the core network, by concentrating customers in edge devices.
HVPLS (LDP) may also be used to join two VPLS mesh structures together. Without using HVPLS, every node in each VPLS mesh must become meshed with all nodes in the other VPLS mesh. However, with HVPLS, the two meshes can essentially be joined together at certain locations. Techniques such as redundant pseudo-wires can provide resiliency in case of failures at the interconnection points.
MAC addresses
Since VPLS links multiple Ethernet broadcast domains together, it effectively creates a much larger broadcast domain. Since every PE must keep track of all MAC addresses and associated LSP routing information, this can potentially result in a large amount of memory being needed in every PE in the mesh.
To counter this problem, sites may use a router as the CE device. This hides all MAC addresses on that site behind the CE's MAC address.
PE devices may also be equipped with content-addressable memory (CAM), similar to high-end Ethernet switches.
An alternative mechanism is MAC Address Translation (MAT). However, at the time of writing there are no vendors providing MAT functionality.
PE auto-discovery
In a VPLS-based VPN with a large number of sites, manually configuring every participating PE does not scale well. If a new PE is taken into service, every existing PE needs to have its configuration adjusted to establish an LDP session with the new PE. Standardization work is in progress to enable auto-discovery of participating PEs. Three implementations are being worked on:
LDP
The LDP method of PE auto-discovery is based on that used by the Label Distribution Protocol to distribute labels across P and PE routers within a single autonomous system.
BGP
The BGP method of PE auto-discovery is based on that used by Layer-3 MPLS VPNs to distribute VPN routes among PEs participating in a VPN. The BGP4 Multi-Protocol (BGP-MP) extensions are used to distribute VPN IDs and VPN-specific reachability information. Since IBGP requires either a full mesh of BGP sessions or the use of a route reflector, enabling the VPN ID in a participating PE's existing BGP configuration provides it with a list of all PEs in that VPN. Note that this method is for auto-discovery alone; LDP is still used for signaling. The method of establishing VPLS with BGP described above accomplishes both auto-discovery and signaling.
RADIUS
This method requires all PEs to be configured with one or more RADIUS servers to use. When the first CE router in a particular VPLS VPN connects to the PE, the PE uses the CE's identification to request authentication from the RADIUS server. This identification may be provided by the CE, or may be configured into the PE for that particular CE. In addition to a username and password, the identification string also contains a VPN name and an optional provider name.
The RADIUS server keeps track of all PEs that requested authentication for a particular VPN, and returns a list of them to the PE requesting authentication. The PE then establishes LDP sessions to every PE in the list.
See also
- Multiprotocol Label Switching (MPLS)
- Virtual Leased Line (VLL)
- IEEE 1355, which does something broadly similar via hardware.
- Virtual private network (VPN)
- Virtual LAN (VLAN)
- Virtual network
- Carrier Ethernet
External links
- "Virtual Private LAN Service (VPLS) Using BGP for Auto-Discovery and Signaling"
- "Virtual Private LAN Service (VPLS) Using Label Distribution Protocol (LDP) Signaling"
- Layer 2 Virtual Private Networks (l2vpn) working group homepage
- Pseudo Wire Emulation Edge to Edge (pwe3) working group homepage
- RAD's VPLS tutorial
- MPLS-VPLS Resource Center: News and mailing lists
- VPLS.us