Enterprise Buyer's Guide to Layer 3 MPLS VPN Services
Monday, 13 June 2005 21:00
Introduction
This month brings the text version of another seminar, the one I presented at MPLScon in New York City in mid-May 2005. I hope that putting some words to it will clarify the posted slides. In addition, after all the prep work for two presentations in two months, economizing on the effort of writing seems like a very good idea right now!

Due to space limitations, we'll focus on introductory material and MPLS L3 VPNs in this article. A following article will then discuss L2 VPNs, whether MPLS-based or not. For those who'd rather scan the presentation slides, they can be found at MPLScon 2005 Enterprise Buyer's Guide to MPLS VPN Services. The slides are complementary to this article.

What are MPLS VPN Services?

In listening to all the presentations at MPLScon, it struck me that there's something rather basic that the MPLS, Service Provider, and journalistic communities have maybe not communicated very clearly to the networking public. To see this, realize that MPLS comes in two very distinct flavors:
There's one other very solid reason I think this distinction is important. If you're a buyer of MPLS VPN Services, you do NOT need to start by learning MPLS first! All the MPLS is on the provider side. Knowing some MPLS can't hurt, but it isn't a prerequisite for getting started. You're buying a WAN / MAN service. Knowing what special things the provider can do to smoothly fit your environment may be more important. So if you've been looking at MPLS books, maybe they looked a bit complex, maybe you decided to wait another 6 months before thinking about buying MPLS VPN service ... well, you don't have to put it off any longer!

This article is intended for those in group 2, the buyers of MPLS VPN Services. It covers some of the things that I think you DO need to think about before ordering up some MPLS VPN Services. We'll indirectly touch on some non-MPLS LAN Services as well, in a later article, but that is not the main focus of this article. The focus is on understanding what's different about Layer 3 MPLS VPN compared to traditional WAN services, and how those differences may affect you. If you're in group 1, implementing your own MPLS, well, I'd love to talk to you as a consultant, but I'm not sure I have any article-length advice to offer. Internal MPLS design is something Ivan Pepelnjak, Jim Guichard, and others have written books about!

Why MPLS VPN Services?

I hear several motivations for buying MPLS VPN Services:
Layer 3 VPNs use any form of connectivity to reach the provider; it doesn't really matter what (leased line, FR, ATM, Ethernet). Layer 3 VPNs commingle your routing securely with that of your provider. Your router doesn't peer with the one at the other end of the circuit; it peers with the PE router. That's novel to most of us. We'll look at some of the design implications below. Depending on the provider's equipment vendor, the routing handoff between PE and CE can be based on almost any routing method: static, RIPv2, OSPF, EIGRP, eBGP, and ISIS. (But who'd want ISIS?)

Requirements: Questions to Ask Yourself

The first thing you really need to consider is whether you're looking to outsource, and how much. Do you want managed links? Managed routers? Managed routing? That's the first significant thing that's different about MPLS VPN Services, compared to leased lines, Frame Relay, or ATM: you may not be buying Layer 2 connectivity. L3 MPLS VPNs mix your routing with the Service Provider's routing in a secure, controlled manner. If you're a retailer or manufacturer with two overworked networking people, outsourcing routers and routing headaches might seem very attractive. If you're a large organization with solid in-house expertise, outsourcing routing might seem very unattractive. That's particularly so if you've been burned by previous exhibitions of inconsistency or mediocrity in Service Provider (SP) skill levels.

Layer 3 MPLS VPN can be provided with a managed or unmanaged CE router. It is a routed service (hence L3). If you don't want to share routing with, or offload routing onto, your service provider, then you should perhaps think about a L2 VPN service. A second question is: what is the local availability of L2 VPN services? Right now they're a bit spotty. Verizon is ramping up their TLS (Transparent LAN Services). Verizon TLS can be quite cost-effective and there are indications it may soon be much more widely available.
I do have some reservations about relative risk and trusting such a service, depending on the underlying technology. We'll discuss this later on, in this or another article. The concern I have is not Verizon, it is Spanning-Tree Protocol. But you might decide the price is right and proceed anyway.

A third question to consider is: do you require a single SP or dual SPs for redundancy (and negotiating leverage)? With a single SP, you can get locked in, particularly if you colocate gear at their site(s) -- the hassle of migrating to a new SP limits your ability to react to poor service. With dual SPs, your costs may be higher, but your network may stay up even when one provider is having problems. By experiencing two SPs, you can pressure them on pricing, and you can also compare the levels of service they actually provide. (Experience says that sales folks make SLAs sound great, but what you really get can be somewhat different!) The remainder of this article concentrates on L3 MPLS VPN service.

Design Hint: Backdoor Routes
This seems like a competitive business opportunity for the providers. The sales pitch is basically "we become your OSPF area 0" or "we become your EIGRP core". The drawback from the provider side is that there's lots of provider expertise, or at least knowledge, of BGP, and much less of the interior gateway protocols (IGPs). Acquiring that expertise (experience!) is not inexpensive.

Design Hint: Dual Providers
Bypassing Provider Routing

Suppose you want to do your own routing, but all you can buy is L3 VPN service. Or perhaps HQ bought and imposed the MPLS VPN service on you, and your sub-organization wants to retain routing control. (Usually a losing political battle, but that's OSI layer 9.) You can run GRE tunnels across the MPLS cloud, using the provider routing for connectivity between CE routers, and then run your IGP over the GRE tunnels. Note that this may entail a performance hit, and requires dealing with MTU issues.

Other Questions for Your Provider

Under the hood, MPLS L3 VPNs use multiprotocol BGP between provider PE routers. You might ask some questions about this (good luck getting answers):
The reason to ask about the provider's core IGP is stability and convergence. If it carries customer routes, routing tables are huge, lowering stability and speed. If it is a single large-area OSPF or ISIS, as is common, that is not great -- but it is probably something the provider isn't going to fix quickly, or just because you didn't like it. Some other questions to ask:
This has a security impact: one central IDS at HQ doesn't see all the traffic anymore (unless you use a hub-and-spoke VPN design).
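The bypass described under Bypassing Provider Routing, worked out as a Cisco IOS configuration for one CE router. This is an added example, not the article's own; every address, interface name and MTU value is an assumption, and CE2 is assumed to mirror it with the roles swapped.

```cisco
! Added example (not from the article): CE1 side of a GRE tunnel that
! carries your own OSPF across the provider's L3 MPLS VPN.
! All addresses are hypothetical. CE2 mirrors this with roles swapped.
!
! WAN link to the provider PE. The provider's VPN routes this subnet.
interface GigabitEthernet0/0
 description to provider PE (PE-CE link, provider-routed)
 ip address 192.0.2.1 255.255.255.252
!
! Site LAN: the prefix you want to keep under your own IGP.
interface GigabitEthernet0/1
 description site LAN
 ip address 10.1.0.1 255.255.255.0
!
! GRE tunnel to CE2. The endpoints are reached via the provider's
! routing; your IGP runs inside the tunnel, so the provider never
! learns or carries your LAN prefixes.
interface Tunnel0
 description GRE to CE2 across the MPLS VPN
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
 ! GRE adds 24 bytes (20 IP + 4 GRE). Lower the tunnel MTU so the
 ! encapsulated packet fits the provider's path with margin, and clamp
 ! TCP MSS (MTU minus 40 bytes IP+TCP) so sessions don't rely on PMTUD.
 ip mtu 1400
 ip tcp adjust-mss 1360
 ! Note: GRE hides your routing from the provider; it does not encrypt.
!
! Your own IGP over the tunnel and the LAN only. The PE-CE link is
! passive so no OSPF adjacency can form with the provider.
router ospf 1
 router-id 10.1.0.1
 network 10.1.0.0 0.0.0.255 area 0
 network 10.255.0.0 0.0.0.3 area 0
 passive-interface GigabitEthernet0/0
!
! CE2's WAN address is reached through the provider via the PE-CE link,
! NEVER via the tunnel: if the tunnel destination were learned over the
! tunnel itself, recursive routing would bring the tunnel down.
ip route 198.51.100.0 255.255.255.252 192.0.2.2
```

Keep the PE-CE WAN subnets out of the OSPF process on both ends; that is what prevents the recursive-routing tunnel flap noted in the last comment.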
Summary

Next month we'll look at L2 VPNs in general, not just MPLS-based L2 VPNs. The article will include some technical gotchas and things to think about, based on my experiences to date.

Here are some links about MPLS VPNs.
Your comments, questions, and suggestions for future articles are of course welcome! See below to decipher my email address.