The Case for Building VPNs: Layer 2 or Layer 3


VPNs comprise a set of sites that are permitted to communicate with each other privately and securely over a shared infrastructure. VPN types include IPSec, Layer 2 VPN, and Layer 3 (BGP-BGP) VPN. IPSec VPNs are difficult to categorize as either Layer 2 or Layer 3: packets are forwarded using Layer 3 information, but the service delivered to the customer is a mesh of "connections," just as in a Layer 2 service.

An IPSec VPN is perceived by the customer to be more secure than other VPN types and less reliant upon the service provider. A typical IPSec application is a hub and spoke scenario in which you have a tunnel/circuit mesh mechanism over which you manage a mesh of routing adjacencies. IPSec and MPLS are not competing technologies and, in fact, can be deployed together. This aspect is further discussed in Chapter 8.

Figure 1-4 depicts a basic example of an IPSec implementation. Note the logical IPSec tunnels running over the actual physical access technologies, which can differ from site to site. This illustrates another benefit of a Layer 3 MPLS VPN: because the VPN is logical, it is access agnostic.

Figure 1-4. IPSec VPN


An overlay network is characteristic of the Layer 2 model, in which a customer's IP network is overlaid on top of a provider's network. The provider's transport, such as Frame Relay or ATM, creates a private IP network for the customer and is typically point-to-point. The challenge for the provider is scalability: for a customer with N sites, a full mesh requires N*(N-1)/2 connections to be provisioned, and the overlay can also result in inefficient routing. The model likewise lacks the flexibility to support new peer-to-peer (any-to-any) applications, as we previously pointed out in this chapter, and it requires increasingly complex bandwidth planning and design layout as it grows.

In a Layer 3 MPLS VPN, the provider exchanges routing information with customer edge routers, and the service delivered is a virtual IP cloud per customer. This relationship between provider edge and customer edge is referred to as the peer model: the provider and the customer exchange IP routing information directly. The customer has only one routing peer per site, whereas the provider serves many customers, each in its own virtual IP cloud. Customer A and customer B can therefore possess the same address space; because there is no requirement for these customers to communicate with one another, overlapping addresses between two different VPNs are permitted.

Layer 3 MPLS VPN deployments are not point-to-point connections. The key benefit of a Layer 3 MPLS VPN is the capability of implementing any-to-any connectivity without a full mesh of circuits and routing adjacencies, thereby providing improved scalability for connected VPNs. Chapter 6, "Remote Access and IPSec/MPLS VPN Integration," explores various Layer 3 MPLS VPN service scenarios, such as extranet, Internet access, Carrier Supporting Carrier, and Inter-AS considerations. The Layer 3 MPLS VPN model (peer) is ideal for customers with organic growth or merger and acquisition plans.
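To make the peer model concrete, here is an added Python model (example code, not from the book) of a provider edge router that keeps one VRF per attached customer and a provider-wide VPNv4 table keyed by route distinguisher plus prefix, the RFC 2547 mechanism that lets two VPNs carry identical address space. It also counts the circuits an overlay full mesh needs against the routing peers the peer model needs for the same number of sites. The interface names, route distinguishers, prefixes and PE names are all constructed for the illustration.

```python
"""Added example, not from the book: a toy provider edge (PE) implementing
the Layer 3 MPLS VPN peer model.  Each customer attaches to its own VRF, and
the provider-wide VPNv4 table is keyed by (route distinguisher, prefix), so
customer A and customer B may both use 10.1.0.0/16 without colliding.
All interface names, RDs, prefixes and PE names are constructed."""
import ipaddress


def overlay_circuits(n_sites):
    """Circuits (and routing adjacencies) a full-mesh overlay needs."""
    return n_sites * (n_sites - 1) // 2


def peer_model_adjacencies(n_sites):
    """CE-PE routing peers in the peer model: one per site."""
    return n_sites


class Vrf:
    """Per-customer routing table; lookups never leave this VRF."""

    def __init__(self, name, rd):
        self.name = name
        self.rd = rd           # route distinguisher, e.g. "65000:100" (constructed)
        self.routes = {}       # IPv4Network -> next-hop PE

    def install(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def lookup(self, dst):
        """Longest-prefix match within this VRF; None means no route."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, nh in self.routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return None if best is None else best[1]


class ProviderEdge:
    def __init__(self):
        self.vrfs = {}     # attachment interface -> Vrf
        self.vpnv4 = {}    # (rd, prefix) -> next-hop PE; the provider-wide table

    def attach(self, interface, vrf):
        self.vrfs[interface] = vrf

    def learn(self, vrf, prefix, next_hop):
        """Route received for this customer's VPN from a remote PE."""
        vrf.install(prefix, next_hop)
        key = (vrf.rd, str(ipaddress.ip_network(prefix)))
        self.vpnv4[key] = next_hop   # the RD keeps overlapping prefixes distinct

    def forward(self, ingress_interface, dst):
        """Select the egress PE using only the VRF of the ingress interface."""
        return self.vrfs[ingress_interface].lookup(dst)


def build_demo_pe():
    """Two customers with overlapping address space on one PE (constructed)."""
    pe = ProviderEdge()
    cust_a = Vrf("CustomerA", "65000:100")
    cust_b = Vrf("CustomerB", "65000:200")
    pe.attach("Gi0/1", cust_a)
    pe.attach("Gi0/2", cust_b)
    pe.learn(cust_a, "10.1.0.0/16", "PE2")   # A's remote site
    pe.learn(cust_a, "10.2.0.0/16", "PE4")   # another A site
    pe.learn(cust_b, "10.1.0.0/16", "PE3")   # B's remote site, same prefix as A
    return pe


if __name__ == "__main__":
    pe = build_demo_pe()
    print("overlay circuits for 10 sites:", overlay_circuits(10))
    print("peer-model adjacencies for 10 sites:", peer_model_adjacencies(10))
    print("A -> 10.1.5.5 via", pe.forward("Gi0/1", "10.1.5.5"))
    print("B -> 10.1.5.5 via", pe.forward("Gi0/2", "10.1.5.5"))
    print("B -> 10.2.0.1 via", pe.forward("Gi0/2", "10.2.0.1"))  # None: not in B's VPN
    print("VPNv4 entries:", sorted(pe.vpnv4))
```

The point of the per-VRF lookup is isolation: the same destination address resolves to different egress PEs depending on which customer interface the packet entered, and a prefix that exists only in customer A's VPN is simply unreachable from customer B's VRF rather than leaking across.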

Figure 1-5 depicts the general attributes of an overlay versus peer model.

Figure 1-5. Overlay and Peer Networks


In a Layer 2 VPN, a provider forwards customer packets based on Layer 2 information, such as a Frame Relay DLCI or an Ethernet MAC address. For this reason, there is no provider involvement in the customer routing (that is, at Layer 3) as there is in a Layer 3 VPN implementation. Layer 2 transport services can be characterized as "wire" and "LAN" services. A virtual private wire service consists of a fixed relationship between an attachment virtual circuit and an emulated virtual circuit (commonly referred to as a pseudowire, or Martini IETF draft pseudowire). These services are point-to-point; examples include Frame Relay, ATM, and Ethernet services over IP/MPLS.

In a virtual private LAN service, the relationship between an attachment virtual circuit and the emulated virtual circuits is dynamic: it is learned from the customer's MAC addresses. These are multipoint services and are also referred to as Ethernet multipoint service (EMS).

Chapter 5, "Layer 3 VPNs," describes these Layer 2 VPN relationships and deployment scenarios. Table 1-2 compares Layer 3 and Layer 2 service characteristics.

Table 1-2. Layer 3 and Layer 2 VPN Characteristics

Layer 3 VPNs                                       | Layer 2 VPNs
---------------------------------------------------+---------------------------------------------------
Provider devices forward customer packets based on | Provider devices forward customer packets based on
Layer 3 information (for example, IP address)      | Layer 2 information (DLCI and MAC)
---------------------------------------------------+---------------------------------------------------
Provider involvement in customer IP routing; PE is | No provider involvement in customer IP routing
L3 peer to CE                                      |
---------------------------------------------------+---------------------------------------------------
RFC 2547bis VPNs (typically MPLS core)             | Pseudowire and pseudo-LAN concept (Martini drafts,
                                                   | L2TPv3 => VPWS, VPLS)


A Layer 3 MPLS VPN service implementation provides the enterprise customer with the following benefits: any-to-any connectivity; integration of data, voice, and video applications; service organizational segregation; ease of provisioning; value-added service extensions, such as quality of service and traffic engineering; and a possible reduction of total cost of ownership. The corresponding service provider benefits include the following: Capex and Opex efficiencies that are achieved by using a single IP/MPLS network for basic IP services, managed Layer 3 MPLS VPN services, Layer 2 transport services, voice services, and a broad portfolio of value-added services that are discussed in Chapter 2.

An enterprise customer might want a Layer 2 VPN to retain control of its Layer 3 policies, such as routing, quality of service, and security. The service provider can offer a simple transport service to customers implementing a DIY model and deliver it on a common, already deployed, service-aware IP/MPLS infrastructure. Layer 2 VPN services are complementary to Layer 3 VPN services; choosing between them is not an either/or decision for an enterprise customer or a service provider, because the right choice depends on the specific circumstances of each.




MPLS and Next-Generation Networks: Foundations for NGN and Enterprise Virtualization
ISBN: 1587201208
Year: 2006
Pages: 162