Introducing Enhanced Layer 2 VPNs

A solution has been developed to address the desire to consolidate the Layer 2 and IP/MPLS-based Layer 3 VPNs. New, enhanced Layer 2 VPNs allow offering a traditional Layer 2 service, such as Frame Relay, by employing an IP/MPLS network infrastructure. This might decrease the cost of providing a comparable service using a dedicated Layer 2 network. In contrast with Layer 3 VPNs, Layer 2 VPNs are capable of carrying multiprotocol (IP and non-IP alike) transport across a common infrastructure. Another drawback of Layer 3 VPNsthe need for edge routers to support routing tables of every connected VPNis eliminated with enhanced Layer 2 VPNs because customer routing tables are not stored on the provider's network. Instead, they are transparently switched site-to-site to the customer's own infrastructure, which reduces complexity.

Even though a Layer 2 service over IP/MPLS might cost the same as a dedicated ATM/Frame Relay-based Layer 2 network, the ability to offer new value-add services is one of the most compelling reasons to move to a packet-based network.

Figure 1-3 illustrates a sample topology with Layer 2 VPN service. Instead of building a separate, private IP network and running traffic across it, enhanced Layer 2 VPNs take existing Layer 2 traffic and send it through point-to-point tunnels on the IP/MPLS network backbone.

Figure 1-3. Layer 2-Based VPN Services

[View full size image]

Both enhanced Layer 2 VPNs and Layer 3 VPNs rely on IP/MPLS transport through the core. The principal difference lies in how PE-CE router relations are handled. In an enhanced Layer 2 VPN, the PE router is not a peer to the CE router and does not maintain separate routing tables. Rather, it simply maps incoming Layer 2 traffic onto the appropriate point-to-point tunnel.

Enhanced Layer 2 VPNs use the privacy of Frame Relay and ATM and the flexibility and scalability of IP/MPLS. They deliver network services over routed IP/MPLS networks. Higher efficiency and scalability are achieved because service decisions are made at the VPN and tunnel endpoints and switched without requiring additional provisioning.

With enhanced Layer 2 VPNs, service providers can offer such services as VPNs with managed Internet, intranet, and extranet without the complexity that they required in the past. The new Layer 2 VPN services do not require additional equipment spending because they are available by upgrading Cisco IOS Software. By reducing customer networking complexity and cost, the new Layer 2 VPNs allow service providers to expand their customer base to small and medium-sized businesses.

Layer 2 services have proven to be steady revenue-generating resources because the provider is not required to participate in customer Layer 3 services. Therefore, although service providers are branching into IP/MPLS-based core networks, they continue to maintain an extensive network of Layer 2-based equipment and services. By combining Layer 2 transport with Layer 3, enhanced Layer 2 VPNs offer an attractive alternative and convergence point for Layer 2 and Layer 3 infrastructures.

Some of the key advantages of enhanced Layer 2 VPNs over other VPN techniques include the following:

• Simple design and implementation Because these Layer 2 VPNs are based on the IP/MPLS model, the simplicity of IP/MPLS reduces the amount of administration involved in deploying and maintaining the Layer 2 VPN services.

• New services facilitation Additional revenue is realized by selling more services to existing customers or by offering new services. By introducing services such as Pseudowire Emulation Edge to Edge (PWE3) (discussed in Chapter 2, "Pseudowire Emulation Framework and Standards"), other revenue-generating services are easy to add. Service providers can sell more bandwidth and better performance to their existing Layer 2 customers.

By utilizing enhanced Layer 2 VPNs, service providers can do the following:

• Lower the cost of providing legacy Layer 2 services through new generation IP/MPLS cores.

• Expand their present Layer 2 networks without having to further invest in their legacy networks.

• Reduce service provider's capital expenditures (capex) and operational expenses (opex) associated with offering numerous services to a customer through service consolidation across a shared infrastructure. Implement transparent LAN and IP/MPLS functionality for IP/MPLS VPN services by providing a simple tunneling mechanism.

• Preserve current investment while building Layer 2 VPN support.

• Transport Layer 2 and Layer 3 protocols.

In addition, new Layer 2 VPNs enable service providers to broaden the geographic scope of their established Layer 2 service to places where their Layer 2 infrastructures are not currently present. By using the IP/MPLS core, traditional Layer 2 services can extend as far as the core.

Enhanced Layer 2 VPNs offer service providers several major cost reductions on their existing infrastructure, which leads to higher profitability. First, by consolidating networks, service providers reduce operational costs by migrating to a single infrastructure, rather than supporting and investing in multiple infrastructures. Second, enhanced Layer 2 VPNs eliminate the need to provision multiple infrastructures (such as Layer 2 and Layer 3) across the core, reducing expensive configuration and maintenance costs.

Service providers can also continue to make money from their existing investments. Existing investments represent expenses not only in equipment, but also in configuration (such as creating circuits, security, and service levels). Although new Layer 2 VPNs offer high return on investment (ROI) when you are buying a routing platform because they integrate with the existing infrastructure, they also help maximize the ROI on the existing infrastructure by working with it, rather than replacing it. By aggregating traffic from ATM, Frame Relay, or Ethernet edge platforms, equipment and configuration investments continue to generate revenue, rather than create more cost or end their return.

On the customer side, enhanced Layer 2 VPNs offer the following advantages:

• Simple to configure

• Provide connectivity of non-IP protocols, both routable and bridged

With enhanced Layer 2 VPNs, customers can independently maintain their routing and security policies. Deployed edge platforms connecting to customer networks continue to create the circuits and interface with customer networks, whereas the Layer 2 VPN-enabled IP/MPLS routing platform essentially creates an intelligent "pipe" to move the traffic through the core, emulating the customer circuit. A VPN that is based on Layer 2 eliminates the need for end users to exchange routing information with service providers, thus reducing the network management, complexity, and associated costs. Additional investment in equipment is unnecessary because the existing customer hardware is sufficient.

Some of the features of enhanced Layer 2 VPNs are as follows:

• The configuration is simplified because only two endpoints must be configured and the rest is signaled across the core, unlike with traditional Layer 2 networks in which you must provision hop by hop.

• The transition from a traditional Layer 2 VPN from the customer's point of view is uncomplicated.

• The customer is responsible for its own routing. All the provider needs to show is that CE-to-CE connection is single hop.

• Because the service provider does not take part in the routing process, the customer's routing privacy is preserved from the provider.

• Layer 2 VPN does not require storing a routing table for each site on the service provider's end.

• A misbehaving CE can, at worst, flap its interface, as opposed to an MPLS VPN, whereby an interface flapping can affect performance of the provider's edge router because of BGP peering.

Several enhanced Layer 2 VPN techniques have been developed. One such technique, defined in an IETF draft, is known as Any Transport over MPLS (AToM), which has been designed to allow an MPLS-enabled network to transport Layer 2 frames. Another emerging technology within the IETF is the Layer 2 Tunneling Protocol Version 3 (L2TPv3).

Both AToM and L2TPv3 have the common objective of transmitting packet-switched traffic (Frame Relay, ATM, and Ethernet) across a packet-switched network (PSN). What separates the two is the fact that AToM transports Layer 2 traffic over an MPLS-enabled network, whereas L2TPv3 transports it over a native IP network core. Both L2TPv3 and AToM are offered as part of the new Cisco Unified VPN Suite.

Figure 1-4 shows a sample enhanced Layer 2 VPN topology. The Layer 2 VPN tunnels provide the transport to make routers 3 and 4 appear to be directly connected to Packet over SONET (POS) interfaces (interfaces 1 and 4).

Figure 1-4. Enhanced Layer 2 VPN Example

[View full size image]

Supported Layer 2 encapsulations include 802.1Q VLAN, Cisco High-Level Data Link Control (HDLC), Ethernet, Frame Relay, POS, ATM, and PPP.

The first phase of Layer 2 VPN development in Cisco IOS Software supports like-to-like connectivity. This requires that the same transport type be at each end of the network. In the second phase, Layer 2 VPNs were enhanced to provide interworking functions that can connect disparate transport types at each end, such as Frame Relay at one end connecting to Ethernet VLAN at the other.