Written by Alex Foster
In the past 12 months virtually every carrier has announced a Virtual Private LAN Service (VPLS) offering. Once a niche offering for interconnecting datacenters, VPLS has now gone mainstream. This is a great thing because it means more choices for organizations selecting a WAN architecture. However, it has also created a lot of confusion in the minds of CIOs and network architects. As the product manager of Cavalier's private networking solutions, I hear a lot of that confusion. Here I'll try to answer some of the most common questions about VPLS and investigate some of its benefits. In part 2 of this series I'll address some of the common misconceptions about VPLS and provide some criteria for determining when VPLS is a good option.
What is VPLS and how is it different from MPLS/IP VPN?
The easiest way to answer this question is to compare VPLS to today's dominant WAN transport technology, MPLS-based IP VPNs. First the MPLS part: MPLS is a carrier backbone technology. From a carrier perspective MPLS does many wonderful things: it keeps different customers' traffic separated in the forwarding plane, it scales fantastically, it has fast failover times, and virtually anything can be run on top of it. Because of these benefits every major carrier runs an MPLS core, and any carrier-provided VPN service is likely to be delivered over the carrier's MPLS network. BGP/MPLS IP VPN (originally RFC 2547bis, now standardized as RFC 4364) is the most common of these services.
When a firm buys an IP VPN service the carrier creates what is known as a virtual routing and forwarding (VRF) instance for that firm. A VRF is a set of customer locations that are in their own virtual network. The service provider maps particular physical ports (access circuits) into the customer's VRF as it turns up customer locations. Isolation comes from labeling: the provider edge router pushes an MPLS label onto all customer traffic as it enters the carrier network, marking it as belonging to a specific VRF. Once labeled, traffic from one VRF cannot be inadvertently forwarded into another VRF (short of the carrier misconfiguring its route targets). Note that this is segmentation, not encryption: the carrier, and anyone with access to its backbone, can read the traffic, so data that must stay confidential still needs IPsec or TLS on top of the VPN. This overlay of VRFs on a shared MPLS backbone gives each customer a private network. That private network works at the IP layer: the customer edge routers (CE) peer with the provider edge (PE) routers to advertise their routes to the carrier. The PE acts as the CE's default gateway; the CE forwards traffic to it, and the PE looks up the destination IP in the customer's VRF to decide which remote PE to send it to across the MPLS network. In many ways, IP VPN is best thought of as giving each firm its own private internet, as everything operates at the IP layer, unlike traditional WANs (ATM, Frame Relay) that operate at Layer 2.

Conceptual diagram of an IP VPN. Note distinct VRF routing instances for each enterprise. (Alcatel 2008)
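To make the VRF mechanics concrete, here is a small model of IP VPN forwarding, written for this page as an added example (it is not Cavalier's code or anything from the RFCs). Two customers, A and B, both number their sites out of 10.0.0.0/8. Each PE keeps one routing table per VRF and allocates a VPN label per VRF; the ingress PE chooses the VRF from the access circuit a packet arrived on, never from anything in the packet, and the egress PE chooses the VRF from the label alone. The PE names, customer names, addresses and label values are all constructed for the example.

```python
"""Toy model of BGP/MPLS IP VPN forwarding, RFC 4364 style.

Two customers, A and B, both number their sites out of 10.0.0.0/8. Each PE keeps
a separate routing table per VRF, and each PE allocates a VPN label per VRF that
remote PEs push onto packets bound for it. The VRF a packet belongs to is therefore
carried as a label, never inferred from the IP header. All names, addresses and
label values below are constructed for the example.
"""
import ipaddress


class VRF:
    """One customer's routing table on one PE."""

    def __init__(self, name):
        self.name = name
        self.routes = {}   # prefix -> ("local", ce_name) or ("remote", egress_pe, vpn_label)

    def lookup(self, dst):
        """Longest-prefix match, confined to this VRF's routes."""
        addr = ipaddress.ip_address(dst)
        best_net, best_nh = None, None
        for prefix, nh in self.routes.items():
            net = ipaddress.ip_network(prefix)
            if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
                best_net, best_nh = net, nh
        return best_nh


class PE:
    def __init__(self, name):
        self.name = name
        self.vrfs = {}
        self.label_to_vrf = {}   # VPN label this PE allocated -> VRF name
        self._next_label = 100

    def add_vrf(self, name):
        """Create the VRF and allocate the VPN label remote PEs will use for it."""
        self.vrfs[name] = VRF(name)
        label, self._next_label = self._next_label, self._next_label + 1
        self.label_to_vrf[label] = name
        return label

    def forward_from_ce(self, vrf_name, pkt):
        """Ingress PE: the access circuit (not anything in the packet) picks the VRF."""
        nh = self.vrfs[vrf_name].lookup(pkt["dst"])
        if nh is None:
            return ("drop", "no route in VRF " + vrf_name)
        if nh[0] == "local":
            return ("ce", nh[1])
        _, egress_pe, vpn_label = nh
        # The VPN label is pushed here; a transport label to egress_pe would sit on top of it.
        return ("mpls", egress_pe.name, {"vpn_label": vpn_label, "payload": pkt})

    def receive_from_core(self, labelled):
        """Egress PE: the VPN label alone selects the VRF to look the packet up in."""
        vrf_name = self.label_to_vrf.get(labelled["vpn_label"])
        if vrf_name is None:
            return ("drop", "unknown VPN label")
        nh = self.vrfs[vrf_name].lookup(labelled["payload"]["dst"])
        if nh is None or nh[0] != "local":
            return ("drop", "no local route in VRF " + vrf_name)
        return ("ce", nh[1])


def build_topology():
    """Two PEs, two customers with overlapping address space, one site of each on each PE."""
    pe1, pe2 = PE("PE1"), PE("PE2")
    labels = {(pe.name, cust): pe.add_vrf(cust) for pe in (pe1, pe2) for cust in ("A", "B")}
    for cust in ("A", "B"):
        pe1.vrfs[cust].routes["10.1.0.0/16"] = ("local", "CE-%s1" % cust)
        pe1.vrfs[cust].routes["10.2.0.0/16"] = ("remote", pe2, labels[("PE2", cust)])
        pe2.vrfs[cust].routes["10.2.0.0/16"] = ("local", "CE-%s2" % cust)
        pe2.vrfs[cust].routes["10.1.0.0/16"] = ("remote", pe1, labels[("PE1", cust)])
    return {"PE1": pe1, "PE2": pe2}


def send(pes, ingress_pe, vrf_name, pkt):
    """Carry one packet CE -> ingress PE -> core -> egress PE -> CE and report where it lands."""
    result = pes[ingress_pe].forward_from_ce(vrf_name, pkt)
    if result[0] != "mpls":
        return result
    return pes[result[1]].receive_from_core(result[2])


if __name__ == "__main__":
    pes = build_topology()
    print(send(pes, "PE1", "A", {"src": "10.1.0.5", "dst": "10.2.0.9"}))   # lands at CE-A2
    print(send(pes, "PE1", "B", {"src": "10.1.0.5", "dst": "10.2.0.9"}))   # same header, lands at CE-B2
```

The two identical packets in the usage lines end up at different customers' CEs purely because they entered on different access circuits: the IP header plays no part in choosing the VRF, which is the property the text relies on when it calls the service isolated. The model also shows why label hygiene matters on the egress PE; a label it never allocated is dropped rather than guessed at.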
VPLS applies the same MPLS concepts at Layer 2 to create an Ethernet-based virtual private network. Where IP VPN works by creating Virtual Routing and Forwarding instances (collections of customer IP routes), VPLS creates virtual bridging instances (Virtual Switching Instances, or VSIs, in the terminology of RFC 4761 and RFC 4762). A virtual bridging instance is a collection of customer MAC addresses at various endpoints on the WAN. So unlike IP VPNs, which learn what IP subnets are at each location through route peering between the PE and CE, VPLS networks learn what MAC addresses are at each location through MAC learning, much like a LAN switch: the PE records the source MAC of each frame against the port or pseudowire it arrived on, and floods frames with unknown, broadcast or multicast destinations to every site in the instance. That flooding is the price of the simplicity. The WAN becomes one broadcast domain, so per-port MAC limits and storm control on the customer edge matter as much as they do on the LAN.

Conceptual diagram of VPLS. Note distinct Virtual Bridging instances for each enterprise. (Alcatel 2008)
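The following model of a VPLS forwarding plane is an added example for this page, not code from Cavalier or from the VPLS RFCs. Each PE holds one virtual bridging instance per customer, with a local attachment circuit for that site and a pseudowire to every other PE in the full mesh. The instance learns source MACs like a LAN switch, floods unknown and broadcast destinations, and applies split horizon (a frame received over a pseudowire is never sent out over another pseudowire, because the ingress PE already delivered it to every PE). It also enforces a per-instance MAC limit, the guard against table exhaustion mentioned above. PE names, port names and MAC addresses are constructed for the example.

```python
"""Toy model of VPLS forwarding: one virtual bridging instance (VSI) per PE for one customer.

Ports are named "ac:<PE>" for the attachment circuit at a site and "pw:<PE>" for the
pseudowire towards another PE. Names and MAC addresses are constructed for the example.
"""
BROADCAST = "ff:ff:ff:ff:ff:ff"


class VSI:
    """One customer's bridge on one PE: local attachment circuits plus a pseudowire to every other PE."""

    def __init__(self, attachment_circuits, pseudowires, max_macs=4096):
        self.acs = list(attachment_circuits)
        self.pws = list(pseudowires)
        self.mac_table = {}          # MAC -> port it was learned on
        self.max_macs = max_macs     # per-VSI MAC limit, a guard against MAC-flooding attacks
        self.learn_refusals = 0

    def learn(self, mac, port):
        """Source-MAC learning, refusing new entries once the limit is hit."""
        if mac not in self.mac_table and len(self.mac_table) >= self.max_macs:
            self.learn_refusals += 1
            return False
        self.mac_table[mac] = port
        return True

    def forward(self, frame, in_port):
        """Return the ports a frame received on in_port is sent out of."""
        self.learn(frame["src"], in_port)
        from_core = in_port in self.pws
        out = self.mac_table.get(frame["dst"]) if frame["dst"] != BROADCAST else None
        if out is not None:
            # Known unicast. Split horizon: never core -> core, and never back out the ingress port.
            if out == in_port or (from_core and out in self.pws):
                return []
            return [out]
        # Unknown unicast or broadcast: flood locally, and into the core only if it came from a site.
        targets = [p for p in self.acs if p != in_port]
        if not from_core:
            targets += self.pws
        return targets


class Mesh:
    """Full mesh of PEs carrying one customer's VSI; delivers a frame injected at one site."""

    def __init__(self, pe_names):
        self.vsis = {}
        for pe in pe_names:
            pws = ["pw:%s" % other for other in pe_names if other != pe]
            self.vsis[pe] = VSI(["ac:%s" % pe], pws)

    def inject(self, pe_name, frame):
        """Send a frame in on the attachment circuit at pe_name; return the ACs it is delivered to."""
        delivered = []
        for port in self.vsis[pe_name].forward(frame, "ac:%s" % pe_name):
            if port.startswith("ac:"):
                delivered.append(port)
            else:
                remote = port[len("pw:"):]
                delivered += self.vsis[remote].forward(frame, "pw:%s" % pe_name)
        return sorted(delivered)


def walk_through():
    """Three sites; host H1 at PE1 talks to H2 at PE2, showing flood-then-learn behaviour."""
    mesh = Mesh(["PE1", "PE2", "PE3"])
    h1, h2 = "02:00:00:00:00:01", "02:00:00:00:00:02"
    steps = [
        mesh.inject("PE1", {"src": h1, "dst": h2}),   # H2 unknown: flooded to every other site
        mesh.inject("PE2", {"src": h2, "dst": h1}),   # reply: H1 was learned behind pw:PE1
        mesh.inject("PE1", {"src": h1, "dst": h2}),   # H2 now known: unicast to PE2 only
    ]
    return mesh, steps


if __name__ == "__main__":
    mesh, steps = walk_through()
    for delivered in steps:
        print(delivered)
    print(mesh.vsis["PE3"].mac_table)   # PE3 learned H1 behind pw:PE1 from the initial flood
```

The first frame reaches every site because nobody knows where H2 is; after one round trip the mesh has learned both hosts and the third frame goes to PE2 alone. Note that PE3 learned H1 from a flood it had no interest in, which is exactly the behaviour that makes MAC limits and storm control worth configuring before the WAN is one bridge.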
While this sounds like a small detail, it isn't. There are several key differences:
1) No service provider involvement at Layer 3 - no need to set up BGP or static routes with the carrier; you simply forward Ethernet frames and the carrier's network learns how to get them to their destination.
2) Your WAN now behaves like one large Ethernet network - Troubleshooting and problem segmentation between the enterprise and the carrier gets really easy. The service provider is responsible for learning MAC addresses and forwarding frames and this can be easily tested during turn up or troubleshooting.
3) The enterprise is responsible for any routing - unlike IP VPNs, where the customer edge routers generally send all traffic to the PE (and hence carry only one or two routes), the customer edge devices now need a way to route traffic to each site. That may come in the form of a full routing table with many remotes, or one or two hub sites that all traffic passes through.
So what are some of the reasons to consider VPLS?
1) Control over your routing protocols - most companies run EIGRP or OSPF as their internal routing protocol. Most service providers require PE/CE routing to be done with BGP, which enterprises tend to have limited expertise with. Even if a provider supports EIGRP or OSPF, there tend to be significant limitations in what functionality is supported.
2) Simplicity and familiarity - VPLS is delivered as Ethernet and behaves like a LAN. Most organizations tend to have much greater familiarity with these technologies than they do with WAN interfaces, layer 3 routing and complex IP VPN architectures. VPLS takes problems that would be complex in an IP VPN environment and allows you to solve them the same way you would on your LAN.
3) Easier migration path from existing Layer 2 WANs - if the current WAN is ATM, Frame Relay or point-to-point, VPLS architectures will be a much more logical replacement that requires less re-architecture than IP VPN.
4) Transparently extend subnets between physical locations - need to move a server from one location to another without changing the address or moving the subnet? Ever wanted to move one half of a cluster into a colocation environment without buying a dedicated point-to-point link? These feats are nearly impossible with IP VPN but trivial with VPLS.
5) Segmentation and isolation - when using VLANs on top of a VPLS service a company can create a large number of virtual WANs. This can be used by a centralized IT group to segment different types of traffic over the WAN, or to give a number of different divisions their own WAN with full Layer 2 control. Although this is technically possible with IP VPNs as well, it tends to be far more complex and requires significant coordination with the service provider. Bear in mind that the carrier only transports the 802.1Q tags; the isolation between those virtual WANs is enforced by the enterprise's own switches at every site, so a trunk misconfiguration at one location undermines the segmentation everywhere.
6) Faster convergence time - for locations with multiple links VPLS can generally be configured for much faster convergence than IP VPNs. Using OSPF, VPLS networks can be tuned for convergence times of about 1 to 5 seconds, versus a typical best case for IP VPN more on the order of 20 to 30 seconds, as the routing updates have to propagate across the PEs and then back to the CEs.
7) Non-IP traffic - this is a huge headache with IP VPNs, requiring GRE tunneling. With VPLS, if your traffic can be encapsulated as Ethernet you don't need to tunnel.
In the next post I'll discuss some other factors to help you choose between VPLS and IP VPNs and then dive into some of the benefits above at a more technical level.