
Layer 2 VPN scalability

A look at the limitations of layer 2 VPN scalability.

A scalability problem occurs when an increase in the number of instances of a given managed object in the network necessitates a compensating, proportional resource increase inside the management system. This excerpt from Informit examines layer 2 VPN scalability issues.

Scalability problems tend to arise in situations of proportional growth. This figure illustrates a layer 2 VPN, which provides a good example of such a scalability problem. This scheme is often referred to as an overlay network because the IP network is overlaid on the underlying ATM infrastructure.

Sites 1 to 4 are all part of one enterprise. This makes what is often called an intranet VPN. If one or more of the other sites is part of another organization, such as a customer or supplier, then we have an extranet VPN. Yet another VPN variant is the access VPN, which allows remote users to connect over some type of access technology, such as dialup.

In the figure, four sites are contained in the VPN, with one IP router in each site cloud. In order to achieve full layer 3 connectivity, each site must have a virtual circuit connection to every other site. These connections are created through the ATM core. So, the number of ATM virtual circuits required is six; that is, N * (N – 1)/2, where N is the number of sites. The full mesh of six bidirectional virtual circuits is shown in the figure as VC1-VC6. A full mesh provides the necessary connectivity for the VPN. This is generally referred to as the N² problem: the number of layer 2 virtual circuits required is proportional to the square of the number of sites, and as the number of sites grows, the N² term of N * (N – 1)/2 dominates the remaining terms. Anything in networking that grows at the rate of N² tends to give rise to a problem of scale.

The problem gets worse if the ATM virtual circuits in the core are unidirectional (some vendors support only unidirectional permanent virtual circuits, or PVCs), because the number must then be doubled for IP traffic to flow in both directions. Adding a new site to the VPN requires the creation of new virtual circuits from that site to all other sites. When the number of sites and subscribers is very large, the number of virtual circuits required tends to become unmanageable. A less obvious problem is that each virtual circuit consumes switch capacity in terms of memory and control processor resources, and, if the virtual circuits reserve QoS resources, link bandwidth and fabric switching capacity as well.

As if that wasn't enough, a further problem with layer 2 VPNs is that topology changes in the core can result in routing information exchanges of the order of N⁴.

In contrast, layer 3 VPNs provide a much more scalable solution because the number of connections required is proportional to the number of sites, not to its square. Layer 3 VPNs (such as the BGP/MPLS VPNs of RFC 2547) avoid the need for a full mesh between all of the customer edge routers by providing features such as:

  • A layer 3 core
  • Support for overlapping IP address ranges across the connected sites (if separate organizations use the same VPN service)
  • Multiple routing table instances in the provider edge routers
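The circuit counts the excerpt walks through, carried out as an added example (this is not code from the Informit excerpt). The site names, the "PE" label for the provider edge router and the unidirectional flag are assumptions for illustration; the example also enumerates the circuits rather than only counting them, so the cost of adding a site and the growth at larger N can be seen directly.

```python
from itertools import combinations, permutations

def layer2_full_mesh(sites, unidirectional=False):
    """Virtual circuits a layer 2 overlay VPN needs so every site can reach
    every other site through the ATM core.

    With bidirectional PVCs one circuit per unordered pair suffices, giving
    N * (N - 1) / 2 circuits.  If the vendor supports only unidirectional
    PVCs, each pair needs one circuit per direction, doubling the count."""
    pairs = permutations(sites, 2) if unidirectional else combinations(sites, 2)
    return [(a, b) for a, b in pairs]

def layer3_attachments(sites, pe="PE"):
    """A layer 3 VPN needs only one attachment per site to its provider edge
    router (label assumed here); the layer 3 core carries any-to-any reachability."""
    return [(site, pe) for site in sites]

def circuits_to_add_site(existing_sites, new_site, unidirectional=False):
    """Circuits that must be provisioned to join a new site to the mesh:
    one to every existing site (N - 1), or 2 * (N - 1) when unidirectional."""
    before = set(layer2_full_mesh(existing_sites, unidirectional))
    after = set(layer2_full_mesh(list(existing_sites) + [new_site], unidirectional))
    return sorted(after - before)

def growth_table(site_counts):
    """(N, bidirectional VCs, unidirectional VCs, layer 3 attachments) per N."""
    rows = []
    for n in site_counts:
        sites = [f"Site{i}" for i in range(1, n + 1)]  # constructed site names
        rows.append((n,
                     len(layer2_full_mesh(sites)),
                     len(layer2_full_mesh(sites, unidirectional=True)),
                     len(layer3_attachments(sites))))
    return rows

if __name__ == "__main__":
    sites = ["Site1", "Site2", "Site3", "Site4"]
    # The four-site mesh of the figure: VC1 to VC6.
    for i, (a, b) in enumerate(layer2_full_mesh(sites), start=1):
        print(f"VC{i}: {a} <-> {b}")
    print("circuits to add Site5:", circuits_to_add_site(sites, "Site5"))
    for n, bi, uni, l3 in growth_table([4, 10, 50, 100]):
        print(f"N={n:3d}  L2 bidirectional={bi:5d}  L2 unidirectional={uni:5d}  L3={l3:3d}")
```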

Not surprisingly, layer 3 VPN technology is an area of great interest to both enterprise network managers and service providers. For enterprises, layer 3 VPNs provide advanced, potentially low-cost networking features while allowing the service to be provided and managed by a service provider. For SP networks, layer 3 VPNs provide a scalable solution as well as an opportunity to extend services all the way to the customer premises.

Read more about overall network scalability issues at Informit.

This was last published in November 2004
