Layer 2 VPN Architectures [Electronic resources] - text version

Carlos Pignataro, Dmitry Bokotey, Anthony Chan


Any Transport over MPLS Overview


In recent years, Multiprotocol Label Switching (MPLS) has had phenomenal growth in the service provider space, especially where network infrastructures are based on ATM. One of the driving forces for MPLS is to use dynamic routing protocols to establish end-to-end virtual connections instead of manually provisioning ATM VCs hop by hop on each ATM switch. As described in Chapter 2, "Pseudowire Emulation Framework and Standards," AToM is enabled on the provider edge (PE) routers, which play a role similar to that of the edge switches in Frame Relay or ATM-based L2VPNs or the network access server in VPDN. In a Frame Relay or ATM-based Layer 2 VPN, the edge switch maps a Frame Relay or ATM VC connecting to the customer device to a PVC connecting to a core switch by the data-link connection identifier (DLCI) or virtual path identifier (VPI)/virtual connection identifier (VCI) values. In VPDN, the network access server binds a PPP connection from the remote user to a VPDN session. With AToM, the PE router maps an attachment circuit of any supported Layer 2 encapsulation from the customer edge (CE) router to an AToM pseudowire.

An AToM pseudowire is made of a pair of MPLS label-switched paths (LSP). Because an MPLS LSP is inherently unidirectional, a pseudowire is formed by establishing two LSPs in opposite directions to provide bidirectional connectivity. Different MPLS applications might use different ways to distribute labels. Some use the dedicated Label Distribution Protocol (LDP), whereas others use extensions of existing protocols, including routing protocols. AToM uses targeted LDP sessions between PE routers to exchange the MPLS labels that are used for pseudowires. You establish a targeted LDP session by sending unicast hello packets rather than multicast hello packets during the LDP discovery phase. LDP also supports TCP message digest, also known as TCP MD5, as its authentication method. Figure 3-4 illustrates the network components of AToM.


Figure 3-4. AToM Network Components


The next sections provide an overview of AToM from the following aspects:

Label stacking hierarchy in AToM

Supported Layer 2 protocols

Decision factors for whether to use AToM in your network, such as installation base, advanced features, interoperability, and complexity



Using Label Stacking in AToM


One common technique that many MPLS applications utilize is label stacking. MPLS label stacking is documented in IETF RFC 3032, "MPLS Label Stack Encoding." The basic idea is to create layers or hierarchies of MPLS labels; each label corresponds to a particular layer in the network architecture. Creating such hierarchies allows aggregation and multiplexing, which improve scalability. It also simplifies the operations on the transit routers, which make forwarding decisions based on the topmost label in the label stack.

The semantics of labels in a label stack might vary from one MPLS application to another. For example, in MPLS traffic engineering, the top label in the label stack represents the traffic-engineered path, and the bottom label represents the original Interior Gateway Protocol (IGP) path. In MPLS Layer 3 VPN, the top label in the label stack represents the IGP path to the next-hop Border Gateway Protocol (BGP) router, which is normally the PE router that originates the VPN routes. The bottom label represents a specific or aggregated VPN route. In Layer 2 VPN, the LDP top label usually represents the IGP path to the peering PE router, and the bottom label represents a Layer 2 VPN forwarder on the peering PE router. A Layer 2 VPN forwarder is an abstract entity that switches Layer 2 traffic back and forth between the pseudowire and itself. In the context of pseudowire emulation, the Layer 2 VPN forwarder is usually some sort of attachment circuit. Figure 3-5 shows the overview of an AToM packet.


Figure 3-5. AToM Packet

Chapter 9, "Advanced AToM Case Studies."

Using label stacking in AToM improves scalability when compared to the scalability of legacy Layer 2 VPNs built on top of Frame Relay or ATM. As you learned in Chapter 2, every time you add a new end-to-end virtual connection or relocate an existing one to a different edge switch, you must ensure that a virtual path extends from one edge switch to the other. If none exists, you need to provision the edge and core switches along the path. With a large number of virtual connections in a typical Layer 2 VPN, this task amounts to a significant portion of the overall operation cost structure.

Instead of statically provisioning the virtual paths hop by hop, AToM takes advantage of routing protocols to dynamically set up virtual paths across the core network. Only PE routers need to maintain and manage the pseudowire labels for the virtual connections. The pseudowire labels are at the bottom of the label stack, so they are not visible to the transit routers, also known as the Provider (P) routers. The P routers forward packets using the top label and are unaware of the existence of pseudowires.

Many pseudowires can be multiplexed in a single MPLS tunnel LSP. In such a way, the core network is spared from managing and maintaining forwarding information for each pseudowire.
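The label-stacking behaviour described in this section, as an added example that is not code from the book: an RFC 3032 label-stack encoder and decoder, and a walk of one AToM packet from the ingress PE through a P router to the egress PE. It demonstrates that the P router swaps only the top (tunnel) label and never inspects the pseudowire label at the bottom of the stack, and that the egress PE uses that bottom label to select the Layer 2 VPN forwarder. The label values, the P router's LFIB, the PW table, and the Layer 2 payload bytes are all constructed for the example.

```python
"""Added example, not from the book: RFC 3032 label-stack encode/decode and a toy
PE -> P -> PE walk of one AToM packet. Label values, the LFIB, the PW table and
the Layer 2 payload are constructed for the example."""
import struct

LABEL_BYTES = 4  # one label stack entry is 32 bits


def encode_label(label, exp=0, bottom=False, ttl=255):
    """One label stack entry: 20-bit label | 3-bit EXP | 1-bit S (bottom) | 8-bit TTL."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label must fit in 20 bits")
    word = (label << 12) | ((exp & 0x7) << 9) | (int(bottom) << 8) | (ttl & 0xFF)
    return struct.pack("!I", word)


def decode_label(entry):
    """Inverse of encode_label for the first 4 bytes of `entry`."""
    (word,) = struct.unpack("!I", entry[:LABEL_BYTES])
    return {"label": word >> 12, "exp": (word >> 9) & 0x7,
            "bottom": bool((word >> 8) & 1), "ttl": word & 0xFF}


def decode_stack(packet):
    """Walk entries until the S bit is set; return (entries, bytes below the stack)."""
    entries, offset = [], 0
    while True:
        if len(packet) - offset < LABEL_BYTES:
            raise ValueError("truncated label stack (no bottom-of-stack entry)")
        entry = decode_label(packet[offset:offset + LABEL_BYTES])
        offset += LABEL_BYTES
        entries.append(entry)
        if entry["bottom"]:
            return entries, packet[offset:]


def ingress_pe_impose(tunnel_label, pw_label, l2_payload, ttl=255):
    """Ingress PE: tunnel (IGP) label on top, pseudowire label at the bottom."""
    return (encode_label(tunnel_label, ttl=ttl)
            + encode_label(pw_label, bottom=True, ttl=ttl)
            + l2_payload)


def p_router_forward(packet, lfib):
    """Transit P router: reads only the top entry, swaps it per its LFIB and
    decrements TTL. Everything below (PW label, payload) is carried untouched."""
    top = decode_label(packet)
    if top["ttl"] <= 1 or top["label"] not in lfib:
        return None  # TTL expired or no LFIB entry: drop
    new_top = encode_label(lfib[top["label"]], top["exp"], top["bottom"], top["ttl"] - 1)
    return new_top + packet[LABEL_BYTES:]


def egress_pe_dispose(packet, pw_table):
    """Egress PE: pop the whole stack and use the bottom (PW) label to select the
    Layer 2 VPN forwarder (an attachment circuit). Unknown PW label: drop."""
    entries, payload = decode_stack(packet)
    pw_label = entries[-1]["label"]
    if pw_label not in pw_table:
        return None
    return pw_table[pw_label], payload


if __name__ == "__main__":
    # Constructed values: tunnel label 17 learned by LDP for the IGP path to PE2,
    # PW label 1001 advertised by PE2 over the targeted LDP session, and a few
    # placeholder Layer 2 payload bytes.
    packet = ingress_pe_impose(17, 1001, b"\xde\xad\xbe\xef")
    on_wire = p_router_forward(packet, {17: 24})  # P router LFIB: 17 -> 24
    forwarder, payload = egress_pe_dispose(on_wire, {1001: "Serial1/0 DLCI 100"})
    print(decode_stack(on_wire)[0])  # top label now 24, PW label 1001 unchanged
    print(forwarder, payload.hex())
```

The P router function deliberately slices only the first four bytes of the packet; that is the whole of what a transit router needs, which is why adding pseudowires costs the core nothing in forwarding state.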


Layer 2 Protocols Supported by AToM


AToM supports a wide range of Layer 2 protocols, including PPP, High-Level Data Link Control (HDLC), Ethernet, Frame Relay, and ATM.

PPP over MPLS operates in the transparent mode, in which case PPP sessions are between CE routers, and PE routers do not terminate PPP sessions. In other words, CE routers are the only PPP speakers that process PPP frames through the PPP protocol stack, and PE routers do not participate in PPP protocol exchange.

HDLC over MPLS allows transportation of Cisco HDLC frames over an MPLS network. Like PPP over MPLS, HDLC over MPLS operates in the transparent mode, which is the only mode it supports.

Two types of Ethernet frames are supported in Ethernet over MPLS:

Untagged Ethernet frames

IEEE 802.1q tagged Ethernet VLAN frames


PE routers classify Ethernet frames that are received from CE routers into different pseudowires based on the receiving interface or the VLAN tag carried in the Ethernet VLAN frames. Bridging protocol support varies depending on the deployment model. Chapter 7, "LAN Protocols over MPLS Case Studies," has in-depth case studies on running bridging protocols over MPLS networks.

With Frame Relay over MPLS, PE routers forward Frame Relay frames to different pseudowires based on the receiving interface and the DLCI value, and they also provide Local Management Interface (LMI) signaling to CE routers. To Frame Relay customers, the migration in the service provider network is completely transparent. The Frame Relay header is removed at the ingress PE router and added back at the egress PE router. The flags in the Frame Relay header, such as backward explicit congestion notification (BECN), forward explicit congestion notification (FECN), discard eligible (DE), and command/response (C/R), are carried in the pseudowire control word, which is mandatory for Frame Relay over MPLS. The operation details are described in Chapter 6, "Understanding Any Transport over MPLS."

ATM over MPLS includes two types of ATM services:

ATM AAL5

ATM Cell


With ATM AAL5, PE routers either receive ATM AAL5 packets or reassemble ATM cells into ATM AAL5 packets from CE routers and forward them to different pseudowires based on the receiving interface and the VPI or VCI values. The ingress PE router drops all other packets except operations, administration, and maintenance (OAM) cells. The ATM flags, such as explicit forward congestion indication (EFCI) and cell loss priority (CLP), are carried in the pseudowire control word, which is also mandatory for ATM AAL5 over MPLS. ATM Cell over MPLS can encapsulate a single ATM cell at a time or pack multiple ATM cells into one MPLS packet. Both ATM services can be offered in VC mode, VP mode, or port mode. These modes determine the granularity of how ATM packets and cells should be classified and mapped to pseudowires.
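The control word that the Frame Relay and ATM AAL5 paragraphs above describe, as an added example that is not code from the book: it encodes and decodes the pseudowire control word and shows an ingress PE stripping a Frame Relay header into a pseudowire packet and an egress PE rebuilding it with the flags intact. The bit layout is an assumption taken from the IETF pseudowire RFCs rather than from this page: the RFC 4385 generic control word (0000, four flag bits, 2-bit FRG, 6-bit length, 16-bit sequence number), with the flag nibble ordered B, F, D, C for Frame Relay (RFC 4619) and T, E, C, U for ATM AAL5 (RFC 4717). The two-byte Q.922 Frame Relay address layout and the sample frame are likewise assumed and constructed here.

```python
"""Added example, not from the book: pseudowire control word encode/decode plus a
Frame Relay ingress/egress round trip. Bit layouts assumed from RFC 4385 (generic
control word), RFC 4619 (Frame Relay flags), RFC 4717 (ATM AAL5 flags) and the
Q.922 two-byte address; the sample frame is constructed."""
import struct

# Flag nibble: the first name is control-word bit 4, the most significant bit of the nibble.
FR_FLAGS = ("BECN", "FECN", "DE", "CR")       # RFC 4619: B, F, D, C
ATM_AAL5_FLAGS = ("T", "EFCI", "CLP", "CR")   # RFC 4717: T (transport type), E, C, U


def encode_control_word(flags, flag_names, seq=0, frg=0, pw_packet_len=None):
    """Build the 32-bit control word. flags: dict name -> bool (missing = 0).
    Length is filled only when the PW packet (control word + payload) is shorter
    than 64 bytes and might be padded on the wire; otherwise it is 0."""
    nibble = 0
    for i, name in enumerate(flag_names):
        if flags.get(name, False):
            nibble |= 1 << (3 - i)
    length = pw_packet_len if pw_packet_len is not None and pw_packet_len < 64 else 0
    word = (nibble << 24) | ((frg & 0x3) << 22) | (length << 16) | (seq & 0xFFFF)
    return struct.pack("!I", word)


def decode_control_word(data, flag_names):
    """Parse a control word; reject anything whose first nibble is not 0000
    (that nibble keeps the payload from being mistaken for an IPv4/IPv6 header)."""
    (word,) = struct.unpack("!I", data[:4])
    if word >> 28 != 0:
        raise ValueError("reserved bits set: not a PW control word")
    nibble = (word >> 24) & 0xF
    return {"flags": {name: bool(nibble & (1 << (3 - i))) for i, name in enumerate(flag_names)},
            "frg": (word >> 22) & 0x3, "length": (word >> 16) & 0x3F, "seq": word & 0xFFFF}


def fr_ingress(frame):
    """Ingress PE: strip the 2-byte Q.922 header and return (DLCI, PW packet).
    The DLCI selects the pseudowire; BECN/FECN/DE/C/R travel in the control word."""
    if len(frame) < 2 or (frame[0] & 0x01) or not (frame[1] & 0x01):
        raise ValueError("expected a 2-byte Q.922 address (EA bits 0 then 1)")
    dlci = ((frame[0] >> 2) << 4) | (frame[1] >> 4)
    flags = {"CR": bool(frame[0] & 0x02), "FECN": bool(frame[1] & 0x08),
             "BECN": bool(frame[1] & 0x04), "DE": bool(frame[1] & 0x02)}
    payload = frame[2:]
    cw = encode_control_word(flags, FR_FLAGS, pw_packet_len=4 + len(payload))
    return dlci, cw + payload


def fr_egress(pw_packet, dlci):
    """Egress PE: rebuild the Q.922 header from the attachment circuit's DLCI and
    the flags carried in the control word, then hand the frame to the CE."""
    f = decode_control_word(pw_packet, FR_FLAGS)["flags"]
    byte0 = ((dlci >> 4) << 2) | (int(f["CR"]) << 1)  # EA = 0
    byte1 = (((dlci & 0xF) << 4) | (int(f["FECN"]) << 3) | (int(f["BECN"]) << 2)
             | (int(f["DE"]) << 1) | 1)               # EA = 1
    return bytes([byte0, byte1]) + pw_packet[4:]


if __name__ == "__main__":
    # Constructed frame: DLCI 100 with FECN and DE set, followed by a few payload bytes.
    frame = bytes([0x18, 0x4B]) + b"\x03\xcc\x45\x00\x00\x14"
    dlci, pw_packet = fr_ingress(frame)
    print(dlci, pw_packet.hex(), decode_control_word(pw_packet, FR_FLAGS))
    print(fr_egress(pw_packet, dlci) == frame)  # True: the flags survived the trip
```

The round trip is the reason the control word is mandatory for these encapsulations: once the ingress PE removes the Frame Relay header, the congestion and discard bits have nowhere else to live. The decoder's check on the leading nibble is also worth keeping in any parser: a Frame Relay or ATM payload that begins with 0x4 or 0x6 is exactly what a transit router peeking below the label stack would misread as IP.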


Deciding Whether to Use AToM


When determining whether AToM is the right choice for your company, you need to consider several factors, including the following:

Existing network installation base

Advanced network services

Interoperability

Network operation complexity


The next sections describe how each of these factors can help you determine whether AToM is feasible for your networking environment.

Existing Network Installation Base


For those service providers that have separate parallel networks for Layer 2 and Layer 3 services, an MPLS-enabled network is a natural candidate for converging all services onto a single network infrastructure.

With appropriate software and hardware upgrades, many existing Frame Relay and ATM switches can readily support dynamic routing protocols and perform MPLS label switching. Such a migration allows service providers to expand their network capacity and service portfolios while protecting their investment in the existing network infrastructure. Transitioning to packet-based AToM pseudowire emulation has minimal impact on the existing Layer 2 VPN services.


Advanced Network Services

Besides the basic MPLS features such as routing optimization and network consolidation, AToM can leverage advanced MPLS features for enhanced network services, such as MPLS traffic engineering, QoS guarantee, and fast rerouting.

The efficiency with which a service provider utilizes its network infrastructure has a significant impact on the cost structure of its business. The more efficient the use of network resources, the less capital investment that a service provider has to make to provide the desired level of service offering. Traffic engineering aims at solving the problem that some parts of the network are highly congested while others are underutilized. MPLS solves the traffic engineering problem that plain IP routing cannot solve by using MPLS constraint-based routing. Constraint-based routing is essentially a set of algorithms designed to find an optimal path with given routing metrics while confined to the pre-established constraints. The constraints can be performance or administrative requirements imposed by network operators. This book does not go into details about why plain IP routing is insufficient for traffic engineering.

Note

If you are interested in learning more about traffic engineering, you might want to read the following books:

MPLS and VPN Architectures, Volume I, by Ivan Pepelnjak and Jim Guichard: Cisco Press, 2000.

MPLS and VPN Architectures, Volume II, by Ivan Pepelnjak, Jim Guichard, and Jeff Apcar: Cisco Press, 2003.

MPLS: Technology and Applications by Bruce S. Davie and Yakov Rekhter: Morgan Kaufmann Publishers, 2000.

Traffic Engineering with MPLS by Eric Osborne and Ajay Simha: Cisco Press, 2002.


MPLS traffic engineering helps redirect traffic, including Layer 2 traffic, to less congested parts of the network. Layer 2 services typically come with service-level agreements (SLA). An SLA is a service guarantee that a service provider agrees to offer to its customer on availability, guaranteed bandwidth, burst bandwidth, and so on. The service provider can use an MPLS QoS guarantee to enforce SLAs. The level of service guarantee is usually associated with the premium that a customer subscribes to. For instance, an SLA with a higher premium might provide more guaranteed bandwidth than an SLA with a lower premium. MPLS constraint-based routing is again used to provide QoS guarantees. It allocates the necessary network resources, such as buffer space and link bandwidth, along the specific path that is established through traffic engineering. Although both MPLS traffic engineering and MPLS QoS guarantee use MPLS constraint-based routing, the difference is that traffic engineering does not require all the bandwidth allocation and queuing mechanisms that are required to provide QoS guarantees.

Another important advanced MPLS feature that AToM can rely on is the ability to reroute traffic to an alternate path in a short period when a failure occurs along the original path, typically within 50 ms. With hop-by-hop, destination-based plain IP routing, the network convergence time is usually seconds upon network failure, which results in packet loss before the network converges. To reduce packet loss during routing transitions, MPLS fast rerouting constructs a protection LSP in advance for a given link by explicitly establishing an alternate path that circumvents the possible failing link. Because the alternate path is set up prior to the link failure, rerouting can take place rather quickly.

Interoperability


A rapidly growing number of service providers and network equipment vendors have become involved in the development and interoperability testing for the MPLS-based pseudowire emulation products.

AToM is the Cisco product for pseudowire emulation over MPLS networks. As the protocol specification and implementation have matured over the past couple of years, the standards-based pseudowire emulation products from different equipment vendors have achieved an excellent level of interoperability. In the service provider space, the deployment has gained significant momentum.

Network Operation Complexity


The previous sections highlighted the advanced features that AToM can offer as an MPLS-based pseudowire emulation. However, they come with a substantial level of complexity in network design and operation, which involves more than just enabling new protocols in the network. Making effective use of these features requires fine-tuning the network parameters according to the network characteristics.

When an operational problem occurs, troubleshooting AToM also requires highly sophisticated expertise and skills. For example, LDP is an out-of-band signaling protocol. For a single pseudowire, the control packets might take a different path from the data packets. Therefore, the liveness of the control plane is not a good indication of the liveness of the data plane, and you need more sophisticated diagnostic methods, such as MPLS ping, to verify data plane connectivity.

Establishing AToM pseudowires successfully requires the maximum transmission unit (MTU) settings of both attachment circuits connecting through the pseudowire to match. In addition, the network MTU between the PE routers must accommodate the resulting MPLS-encapsulated packets that carry Layer 2 payload. Because these packets generally do not have an IP header, fragmentation is difficult. That is why packets exceeding the network MTU are dropped. MTU settings need to be carefully engineered throughout the network to avoid connectivity problems.
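The two MTU rules in the paragraph above, as an added pre-deployment check that is not code from the book: both attachment-circuit MTUs must match, and the core MTU must carry the whole MPLS-encapsulated frame, which is dropped rather than fragmented because it has no IP header. The sizes are assumptions stated in the code (4 bytes per label, 4 bytes for the control word). The `l2_header_bytes` parameter is an added assumption for encapsulations that carry their Layer 2 header across the pseudowire (Ethernet carries its MAC header, which this page does not state); Frame Relay, whose header the ingress PE strips, uses 0.

```python
"""Added example, not from the book: MTU engineering check for one AToM pseudowire.
Assumed sizes: 4 bytes per label, 4 bytes for the control word. l2_header_bytes is
an added assumption for encapsulations that carry a Layer 2 header end to end."""

LABEL_BYTES = 4
CONTROL_WORD_BYTES = 4


def encapsulated_size(ac_mtu, label_depth=2, control_word=True, l2_header_bytes=0):
    """Largest MPLS packet the ingress PE emits for a full-size attachment-circuit frame."""
    return (ac_mtu + l2_header_bytes + label_depth * LABEL_BYTES
            + (CONTROL_WORD_BYTES if control_word else 0))


def atom_mtu_check(ac_mtu_pe1, ac_mtu_pe2, core_mtu, label_depth=2,
                   control_word=True, l2_header_bytes=0):
    """Return a list of problems; an empty list means the pseudowire should come
    up and pass full-size frames. label_depth counts every label the ingress PE
    imposes: tunnel + PW here, plus one for each TE or FRR backup tunnel in use."""
    problems = []
    if ac_mtu_pe1 != ac_mtu_pe2:
        problems.append(f"attachment-circuit MTU mismatch ({ac_mtu_pe1} vs {ac_mtu_pe2}): "
                        "the pseudowire will not be established")
    need = encapsulated_size(max(ac_mtu_pe1, ac_mtu_pe2), label_depth,
                             control_word, l2_header_bytes)
    if need > core_mtu:
        problems.append(f"encapsulated frame of {need} bytes exceeds core MTU {core_mtu}: "
                        "full-size frames are dropped, not fragmented (no IP header)")
    return problems


if __name__ == "__main__":
    # Constructed scenario: 1500-byte attachment circuits, core links still at 1500.
    print(atom_mtu_check(1500, 1500, 1500))                  # 12 bytes short
    print(atom_mtu_check(1500, 1500, 1512))                  # []
    print(atom_mtu_check(1500, 1500, 1512, label_depth=3))   # FRR backup tunnel adds a label
    print(atom_mtu_check(1500, 1500, 1530, l2_header_bytes=18))  # tagged Ethernet, just fits
```

The third call is the case that catches operators out: a core engineered for exactly tunnel plus pseudowire labels starts dropping the largest frames the moment fast reroute pushes a third label, which is why the label depth should be sized for the protection features the core actually uses.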

