MPLS/VPNs are called many different names according to the whim of marketers, yet only three classes of MPLS-based...
VPN services exist. To learn about the different MPLS classes and which to select for your wide area network (WAN), read this technology primer on the pros and cons of various MPLS/VPN service types.
Some history behind MPLS/VPN technology
Service providers (SP) started talking about Multiprotocol Label Switching (MPLS)-based virtual private network (VPN) services more than a decade ago when Cisco -- and subsequently other vendors -- introduced MPLS/VPN technology. MPLS-based VPNs were initially offered as a lower-cost full-mesh Layer-3 service replacing expensive frame relay offerings, but as more and more service providers deployed MPLS in their network backbones, vendors quickly figured out other uses for the then-ubiquitous MPLS infrastructure.
AToM (Any Transport over MPLS) enabled service providers to offer point-to-point transport (pseudowires) across their IP- and MPLS-based infrastructure and carry customer Ethernet, frame relay, ATM or even TDM data across a unified backbone. VPLS (Virtual Private LAN Service) is an extension of AToM and allows service providers to build any-to-any LAN-like networks across MPLS backbones, usually combined with Carrier Ethernet access networks.
With the introduction of numerous MPLS-based VPN offerings, the lines between them became blurred as the SP marketing departments following hot trends quickly relabeled service types MPLS-based services, confusing enterprise WAN network managers. Today, it’s not uncommon to hear SPs call their AToM pseudowires “MPLS leased lines” or their VPLS-based technology an “Enterprise Virtual Private LAN Service.”
Regardless of the marketese used by your connectivity suppliers, there are only three classes of MPLS-based VPN services. If you’re able to map their obfuscated service descriptions into one of the classes, you’ll immediately understand the benefits and drawbacks of their MPLS/VPN service offering.
Layer-3 MPLS/VPN services
When service providers market MPLS VPNs, they usually offer Layer-3 MPLS/VPN services, where your routers (customer edge or CE routers) exchange routes with provider edge (PE) routers. When you use MPLS/VPN services, the service provider routers form the core of your WAN backbone.
MPLS VPN topology
Enlarge MPLS VPN topology diagram.
The MPLS/VPN backbone is always using Border Gateway Protocol (BGP) as its routing protocol. Almost any other routing protocol (OSPF, EIGRP, RIP and even IS-IS) can be used to connect your sites with the MPLS/VPN backbone, but many service providers limit the choices to BGP and static routing for convenience.
MPLS VPN routing
Enlarge MPLS VPN routing diagram.
A Layer-3 MPLS/VPN is undoubtedly the most scalable SP-offered VPN solution. Each of your edge routers peers with just one router (the PE-router) and you get optimum any-to-any connectivity between your sites regardless of your network topology. Some service providers also offer advanced topologies, including overlapping VPNs -- which are often used to implement extranet services -- and hub-and-spoke topology -- where all your traffic still traverses the central site, allowing you to inspect, audit and filter it.
MPLS/VPNs have several drawbacks, most of them associated with the service provider competency level -- after all, they’re now running the core of your network:
Routing protocol choice might be limited. If you want to use multiple service providers to gain redundancy, it’s best to swallow the bitter pill and start using BGP everywhere in your network. After the initial cultural shock, you’ll discover that BGP gives you more control over your routing and even allows you to implement interesting cost-saving designs. For example, you could shift low-priority traffic to Internet-based VPN/s while retaining tight QoS for the mission-critical applications within the MPLS VPN service.
End-to-end convergence is controlled primarily by the service provider. There’s not much you can do if SPs can’t fine-tune the routing protocols to give you the convergence speed you need to keep your voice traffic unaffected. In worst case scenarios, some network architects build their own dynamic multipoint VPN (DMVPN) networks on top of MPLS/VPN IP topology to improve the convergence.
Reliability of an MPLS/VPN solution is influenced by the service provider's competence level. Some very large MPLS/VPN providers offer excellent service, but many mid-sized or small providers lack understanding of enterprise IP routing challenges.
Deciding to use MPLS/VPN services from a particular service provider also creates a very significant lock-in. It’s hard to change the provider when it’s operating your network core.
Layer-2 MPLS-based services (VPLS)
From the enterprise network architect’s perspective, the VPLS services are pure simplicity. The service provider offers you a switched LAN segment to which you connect your routers. There’s almost no lock-in; you can use whichever routing protocol you choose; you control the convergence parameters; you can always walk away from a SP that provides you with Ethernet connectivity without significant changes in your design or router configurations.
Enlarge MPLS VPLS diagram.
The major drawback of the VPLS service is scalability; large bridged domains don’t scale well. They also represent a single security zone. Last but not least, it’s hard to connect a hundred or more routers to a shared LAN segment; OSPF could break very quickly, EIGRP and RIP would fare better and the only routing protocol that would work reliably is BGP.
Pseudowire services (using AToM or L2TPv3 protocols) offer point-to-point transport. They are sometimes used to provide legacy connectivity services (frame relay or ATM) but their most common use is point-to-point Gigabit Ethernet connectivity used in lieu of dark fiber to connect data centers.
Enlarge MPLS pseudowire diagram.
When considering a pseudowire service, make sure you ask these questions:
- Is the service totally transparent, i.e., can I pass any packets, including Spanning Tree Protocol updates across it?
- What is the maximum MTU size I can use? (Knowing this is extremely important when you use jumbo frames in your data center.)
- Are there any QoS guarantees and can I use 802.1p markings to indicate which packets should never be dropped?
Which MPLS service is best?
It’s impossible to answer the “which MPLS service should I choose” question with anything other than “it depends.” Simplistic advice is usually misleading without considering your business requirements and your network design.
You should carefully evaluate your business needs and minimum requirements, collect the offerings of relevant service providers in your geographic area (it’s impossible to get all the services in some places) and then select the best match. If this is the first time you’re selecting MPLS-based services, get external help from an experienced consultant.
Quite often you’ll be forced to combine multiple services in your network: MPLS VPN for smaller sites, VPLS for sites with high-availability requirements (to better control convergence speed and routing protocol behavior) and pseudowires for point-to-point links between your data centers.
For more on MPLS/VPN services, learn when companies should consider building MPLS networks of their own in this tip, how to prepare enterprise WANs for MPLS/VPN integration in part two, or learn about troubleshooting MPLS WAN services in part three of this tip series. Expert Chris Partsenidis also provides a simple explanation of MPLS/VPN services in his MPLS VPN tutorial.
About the author:
Ivan Pepelnjak, CCIE No. 1354, is a 25-year veteran of the networking industry. He has more than 10 years of experience in designing, installing, troubleshooting and operating large service provider and enterprise WAN and LAN networks.
He is currently chief technology advisor at NIL Data Communications, focusing on advanced IP-based networks and Web technologies. His books include MPLS and VPN Architectures and EIGRP Network Design. Check out his IOS Hints blog.