Buying Metro Ethernet Services

Introduction

The previous three articles were about Security topics, including some fresh ideas on what's changed recently in the security world. I do hope the links were useful to you. I have lots more security thoughts, but it seems like it's time for a change of topic for a while.

The same applies to optical networks. What Cisco is putting out is heavily Service Provider flavored. That's fine if you're a Service Provider and want to know about how the optical side of things is going to work. There are some very important engineering and provisioning details that need to get done right. Yet the data (bridge, switch, route) side of things is arguably more complex from the protocol side of things. There are certainly some important details that need to be paid attention to there. From my point of view, what the devices do (and don't) do on the data side is what's interesting, and there's some surprising vagueness there. More on that later. And by the way, no, I haven't seen any vendors do a better job of documenting what they do than Cisco. Sometimes far worse!

I started envisioning this article when I attended two good Networkers 2003 presentations. I found myself thinking that what I was hearing was some of what I'd been wanting to know for a while, but also thinking that folks need to know how to think through what they're getting, because most of the vendors seem to be staying rather vague about it. My concern would be that a newcomer to the area might come with certain expectations or assumptions that might not in fact be valid. You'd hate to go and buy some service and then discover it doesn't do what you thought it would do for you. So my mission in this article is to set you up to be an informed consumer of Metro Ethernet services.

Why Metro Ethernet?

What Metro Ethernet does is gets you a connection, generally within a metropolitan area (hence "Metro"), generally running over optical links and hardware. The connection physically terminates in an Ethernet cable. We're talking Fast or Gig Ethernet connections here, at prices in the range of $1000-2000/month. You may be rate-limited, e.g. to 200 Mbps. Did that get your attention?

Some ideas as to how you'd use it:

• High speed link from Point A to Point B (usually the first one goes to backup data center or between data centers)
• High speed link to Internet
• High speed link to Internet Interconnect or Colocation Facility
• Distributed campus (which can also be done without the optical gear under some conditions)
  

Let me explain the third option (with thanks to the guys who asked me what I thought of it -- you know who you are).  I ran into this in Long Island. Broadwing was thinking creatively, and proposed to a customer to provide T1 services to remote sites, terminating in Channelized T3's on routers. This is arguably how you make modern leased lines competitive with Frame Relay in terms of port costs. They also take distance charges out of the mix, which also helps. It's all done with optical transport. The extra twist to this is that the termination would be on a managed Cisco router in Manhattan, with GigEthernet Metro Ethernet to deliver it to the customer premises out on Long Island.  The cost of the access would be less than Verizon pricing on several T3's. Broadwing would manage this end to end. That's pretty attractive!

This customer needs to scale up some QWest Frame Relay, and likes diversity, so they then started talking to OpenAccess and QWest about doing the same for their existing FR services. And then asked me for comments. My comments boil down to "neat", with some caveats that I go into briefly below.

The consulting customer then realized that having a presence at an major Internet interconnect might make other high-speed services affordable, which also seems to be true to some extent. Some good thinking there too!

Kudos to LightPath and OpenAccess for being competitive and customer-oriented in terms of price and services, and Broadwing for thinking creatively.

I know of another good sample use of Metro Ethernet. Use EPL services (below) to connect a couple of large Board of Education HQ L3 switch/routers via Metro Ethernet to smaller switches in city or county school buildings. That keeps the gear and design complexity in each school simpler (central switch doing trunking to per-classroom switches, with each room in its own VLAN?). 

What you might not expect is that the link may not behave exactly like a plain Ethernet cable. One simple example that goes with the first example above: one of the MESP's has Cisco boxes in between Customer Points A and B, with CDP turned off. The two Cisco devices at the end of the GigE "virtual link" therefore do NOT see each other via CDP. They also don't see the MESP boxes. So it isn't Plain Old Ethernet. And that's really the point of this article.

Types of Service

Let's talk about what you might be buying. There are several types of service, and different vendors do use the terms differently. I'm going to try to follow the Cisco terminology, and I'll describe each variant so you can check if the other vendors are using the words in the same way.

• Types of connection: point-to-point (P2P) or multipoint (MP).
• Customer equipment (CE): router or bridge (switch).
• Architecture: VPWS, VPLS, EoOT
• Service Characteristics: Service Multiplexing, VLAN Transparency, Bundling, L2 PDU Transparency

Explanations:

VPWS = Virtual Private Wire Services

VPLS = Virtual Private LAN Service

EoOT (my acronym) = Ethernet over Optical Transport, which might be SONET/SDH, or EoxWDM, Ethernet over Coarse or Dense Wave Division Multiplexing (CWDM/DWDM).

Service multiplexing means you can use one link to reach multiple sites, using VLAN's to control target site.

VLAN transparency means your VLAN's get trunked through the link.

L2 PDU transparency refers to BPDU's and CDP packets: transport of L2 management frames.  If you don't have L2 transparency, your switches will not be able to detect Spanning Tree (ST) loops!

Some services defined by Cisco:

Ethernet Private Line (EPL) is a point-to-point service, interconnecting two Ethernet ports. There is no multiplexing of services, such as say Frame Relay or ATM do. The EPL acts like a long point-to-point Ethernet cable, transparent to whatever your gear sends down the wire. This would be built using EoOT optical technology. It provides Bundling in the sense that you can make the link a trunk, and your VLAN tags will be transported, possibly using QinQ (see below).

The OpenAccess service mentioned earlier is a variation of this, intended for interconnect of two routers. It provides P2P Ethernet but no transparency.

Ethernet Relay Service (ERS) is VLAN-based. I think of this as being like Frame Relay, with VLAN acting in place of the DLCI. That is, your site may trunk to the MESP. Each VLAN then gets transported to a different remote site. BPDU's and CDP do not pass through transparently. This could be built using L2 MPLS VPN pseudo-wires, with one pseudo-wire per VLAN. The first cut at Cisco AToM EoMPLS services could provide this sort of connectivity.

Ethernet Multipoint Service (EMS) makes all CE devices peers. There is no service multiplexing, in that all VLAN's appear at all sites. BPDU's pass through transparently. Transparent LAN Service (TLS) is another name for this.  It might be built using QinQ (see below) on top of a multipoint VLAN service. Or it might be provided more directly by the transport device.

Ethernet Relay Multipoint Service (ERMS) allows P2P and MP to co-exist on one Ethernet link ("UNI"). Some VLAN's might be P2P and others might be MP. This hybrid service is (probably) opaque to customer BPDU's.

The same might also apply to transparent links, if you're cautious. If the MESP allows switches on one or both ends, my next question as a customer would be: "how are you going to keep your other customer's ST loops from killing my link?"  I probably want to hear words like "rate limiting" in their answer. My point here is that a customer broadcast storm at a site will propagate through a switch and into the MESP network.

About the Cisco Hardware

The 15454 also provides Ethernet transport. This is done with various cards. There are three series of Ethernet cards for the 15454. From oldest to newest:  the E-series, the G-series, and the ML-series.

The E-series supports Point-to-Point (P2P) or Multi-Point (MP) configuration, as well as trunk (carrier) side STP. It does L2 switching, especially within a card. Using the MP configuration costs some bandwidth. The E-series matches up with certain customer VLAN's and transports them. And the VLAN's have to be coordinated across customers.

The G series is simpler: it only does P2P, and it just passes bits through. If you want MP, you can do something like provision a ring or mesh using 2 ports per 15454, and then hang L2 switches off the two ports. In other words, to anything fancy, use a switch or a router alongside the G series blade. Practical designs right now use the 3550 switch for inexpensive designs, or the 7300 or 6500/7600 series switches/routers for more ports, and the 12000 GSR router for big designs.

The ML series is IOS-based, and does Integrated Routing and Bridging (IRB), and can do various routing protocols. It is supposed to do VRF-Lite for per-customer routing tables and light MPLS. VRF-Lite requires connection to a full MPLS router as Provider Edge (PE) device. The idea here is to do VLAN's per customer in a building, trunk the building switch to ML-series port either in the building or in a PoP within single mode GBIC range (10's of miles), and have the ML series act as router for all those VLAN's.  I note the 4.0 documentation mentions VRF Lite, the 4.1/4.5 documentation does not, always a bad sign. I gather folks are also using external 3550's for the VRF Lite functionality.

My guess on the evolution here is that Cisco was finding development  costs high and market tight. The E series represented dedicated and complex control code and perhaps chipsets. The G series is the core functionality that MESP's need and want most. And the ML series gets over to the IOS code base, getting ready for MPLS to provide the unifying L2 and L3 optical transport control going forward. And leveraging all the R&D that's gone into the Cisco IOS code.

About VPLS

Cisco is trying to be agnostic, especially since some other providers (e.g. Juniper) are somewhat pushing VPLS, and may have sold some folks on it. The concerns that I have about VPLS are shared by several very knowledgeable people I've spoken with (who shall remain anonymous). Hmm, come to think of it, I haven't had the chance to debate or discuss this with my friends who now work for Juniper. You've been warned! Anyway, let me briefly run through the concerns. The excuse for this rant is to fill you in on what the MESP might be trying to sell you, and why it might be hazardous to your network's availability.

The quick description of VPLS is that the MESP network looks like a distributed Ethernet switch, built over MPLS technology. To imitate standard L2 switching, you either have to have flooding of customer MAC layer traffic to all points connected to the VPLS, or the MESP switches need a protocol to learn which edge device has a specific MAC address attached to them. The latter is basically what ATM LANE did, and the standards commitee wisely chose not to go down that path again. Very few people may have ever understood LANE, troubleshooting it was a nightmare, etc. Lessons learned!

So VPLS Provider Edge (PE) devices flood unknown unicasts, but associate each SP peer device with a virtual port. That way, over time they do learn to associate MAC addresses with peers. A very large number of MAC addresses! This does trade MESP bandwidth for some degree of simplicity.

Think about number of MAC addresses for a moment. These devices need to learn many (but not all) MAC addresses for each customer that attaches. And you need some form of protection in case one customer somehow acquires or configures devices with MAC addresses duplicating those of another. Per-customer (per-VPLS) MAC tables is one obvious way of doing that, and is mentioned in the IETF draft as a possible vendor implementation choice.

As far as BPDU's, they are tunneled over IP in MPLS VPLS. This is highly desirable for preventing self-inflicted ST loops. That protects both customer and MESP. But there are some scenarios with back door links where lack of MESP PE MAC address flushing might create issues, like the PE devices perhaps forwarding frames to the wrong peer for 5 minutes. So if I were buying VPLS services, I'd be listening for the MESP to discuss backdoor links and why I should not be doing them, at least not at Layer 2.

With VPLS, you still have flooding and bandwidth issues with multicast and broadcast. They go everywhere. There are some other management-related issues.  E.g. QoS and availability SLA enforcement.

One possible design to work around this is to only allow routers to attach to the VPLS. That would certainly help cut down on MAC addresses. The drawbacks there are peering adjacency numbers and routing protocol behavior, multicast behavior ("spraying"), and traffic aggregation/QoS controls.

All of the above discussion really applies to VPLS built over a MPLS core. In short, this is not-very-proven technology that attempts to go where problems have been observed in the past, at just enterprise scale. As it evolves, its limitations may be better understood, and workarounds may be found for the known issues. 

It appears conceivable that VPLS could also be offered based on some combination of optical devices (such as the Cisco 15454 and E-series blades), QinQ trunking (see below), and L2 switches as Provider Edge (PE) devices. This scares me, as it would be based on pure L2 technology, which just does not scale very well. Problem isolation, modularity, and troubleshooting all seem to have potential problems. When I design networks, I try to avoid building campus-wide VLAN's. So exactly why would doing multi-campus-sized VLAN's remotely resemble a Good Idea? (I've had this question for 3 years now, and have yet to see a good answer to it.)

In summary, if a vendor is trying to sell you VPLS, stop and ask some questions. If they're talking full mesh between many devices, ask if those are L2 or L3 devices. If L2 switches, ask why massive scale STP is remotely desirable, and how they're going to keep your network from melting down.  If L3 routers, ask why full meshing is desirable, and why you want 30 or 100 or n x 100 routers forming adjacencies. (Note that in MPLS L3 VPN, routers form adjacencies with the SP PE router, not with each other. So traffic follows a full mesh of paths but your routers do not have anything resembling a full mesh of adjacencies.)

Some providers are pointing out that full mesh provides lower latency. At optical speeds, this is a non-issue: shaving 10 msec off 40-60 msec just doesn't buy you very much. If it does, you've got applications or protocols with throughput problems, and I'm not sure the network is the place to fix that. Admittedly, sometimes we don't have much choice, but trading stability for throughput may not be a good trade-off. I personally very much like the idea of routers and some hierarchy. If you're still worried about latency, you can still cut way down on latency with hierarchy: create 4 pairs of regional routers with meshing, and have everything else feed into that core. 

Now that I've talked you out of VPLS, what about ERMS? Well, ERMS involves mixing VPWS and VPLS, perhaps several virtual VPLS's, with various VLAN's getting either P2P or VPLS treatment. I.e. VPLS + some provisioning complexity. Enough said?

Underlying Technologies

VLAN-based: Smaller MESP's may offer VLAN-based services, e.g. based on Cisco 15454's with the E-series card. They may provision P2P optical links between POP's, and give each customer a dedicated VLAN for each P2P link. Your Ethernet gets optically carried to the POP, plugged into a L2 switch port assigned to a VLAN, and then that VLAN gets bridged to another POP, trunked to attached L2 switch, and the port in that VLAN connected to your equipment. That gets such a MESP up to a max of 4000 VLAN's (and probably less), which is OK as a starter business model. I've certainly seen some high operational costs by MESP's overbuilding for huge numbers of customers, which is reminiscent of the dotcom era.  Building for 1000's and having 10's or 100's of customers can be a Bad Thing financially.

Be aware that Cisco device support for QinQ is sparse. You can do it in 3550 and 6500 model switches, and in certain routers.

Example use: you have multiple municipal departments in one building. Each has a VLAN assigned. You trunk these up, hand off QinQ to your MESP, they transport it over EPL to your data center or HQ building. This keeps each department isolated, without having to put a router at the remote site and run MPLS VPN routing for separate per-department routing tables. (I personally would prefer to troubleshoot the latter, but that's to some extent my personal preferences).

Considerations

One cost factor I've noticed is whether the MESP wants to put optical gear at the building. If so, there are two issues you'll encounter. If they haven't already put gear in your multi-tenant building, they may want several tenants signed up, or it may take time to get the gear and get it installed. And if you're single-tenant, good luck, your contract is going to end up buying them the optical gear over time, several times over, and it isn't cheap, although SONET access gear is rapidly decreasing in cost. I've still been wondering why MESP's don't want to use GBIC's and backhaul to a metro region POP (30 km is easily doable) before hitting the SONET or DWDM gear. The puzzle to me is that various parties still seem to be acting as if fiber is scarce, even though in many regions there is a vast glut of fiber. I've heard of dark fiber outside DC for $1500/month on a 20 year lease. 20 year anything is of course a problem for some enterprises. Then put the costlier gear in where and when fiber gets scarce. Cost of engineering and leased fiber paths is also non-trivial, but a good Metro provider ought to know what's available to where, within their coverage area.

Type of service you buy. As you can see above, I'm in favor of EPN and EWS. ERS also doesn't bother me, although you're trusting the MESP to pair up the VLAN's right. That's about like trusting a FR Service Provider to get the DLCI's right. It doesn't take a huge leap of faith to believe they can mostly get that part right.

Colocation? By this I mean you want to think about whether colocated or managed equipment is involved, and how you feel about that. How much control do you want or need to retain? What's your comfort level with somebody else managing it for you. If the MESP is going to give you free colocation of gear, see also the next  paragraph.

Security exposures. You ought to understand business risk issues. What controls are there to make sure you don't accidentally get connected to somebody else, either initially or as the MESP adds customers? What social controls are there, so that a hacker or competitor can't just call up and get a connection into your network? What design or other controls are there to make sure somebody else's problems don't become your problems? What security measures has the MESP put in place as far as L2 anti-spoofing protections and protections against other L2 exploits? Routing and MPLS protections (if their network is MPLS based)?

Links

Providers mentioned in this article:

IETF L2VPN and PWE Drafts

Metro Ethernet Forum

Summary

I wish you good luck with your Metro Ethernet and optical networking. Please drop me an email if you disagree (or agree) with anything I've said above, or if you can help me fill in some of the many gaps as to who's offering Metro Ethernet services in various geographic areas. If you would like network design or design review, or help with optical networks or MPLS, please drop me an email.

Dr. Peter J. Welcher (CCIE #1773, CCSI #94014, CCIP) is a Senior Consultant with Chesapeake NetCraftsmen. NetCraftsmen is a high-end consulting firm and Cisco Premier Partner dedicated to quality consulting and knowledge transfer. NetCraftsmen has eight CCIE's, with expertise including large network high-availability routing/switching and design, VoIP, QoS, MPLS, IPSec VPN, wireless LAN and bridging,  network management, security, IP multicast, and other areas. See http://www.netcraftsmen.net for more information about NetCraftsmen. Pete's links start at http://www.netcraftsmen.net/welcher . New articles will be posted under the Articles link. Questions, suggestions for articles, etc. can be sent to pjw <at> netcraftsmen <dot> net.