
Managed VPN - MPLS-Based VPNS: What's Possible For Enterprises

WHITE PAPER

EXECUTIVE SUMMARY

Enterprise IT managers are discovering the benefits of managed network services: better control of equipment and network management costs, enhanced support for business applications, and faster deployment of new sites. Multiprotocol Label Switching (MPLS)-based managed VPN services can serve as a solid starting point for many value-added services while helping an enterprise converge existing disparate networks onto a consolidated, end-to-end infrastructure that carries data, voice, and video. The inherent any-to-any connectivity of MPLS-based VPNs also lowers the service provider's total cost of ownership (TCO). These savings can be passed along to enterprises, together with other inherent benefits such as simplified deployment of quality of service (QoS), security, high availability, and multicast.
Making the decision to migrate an existing corporate network to a managed MPLS-based VPN service offered by a service provider requires an understanding of MPLS and the VPN features associated with this technology. Enterprise IT managers must also consider a number of critical issues when MPLS-based VPNs are to be deployed either locally or globally.
This paper provides an introduction to the key technologies and architecture features for MPLS-based VPN services, and reviews the issues to discuss with a service provider to finalize a migration plan. Managed MPLS-based VPN services are described as they relate to the critical network requirements for today's enterprises.
The paper concludes with an overview of the Cisco IOS® Software features that support managed MPLS-based VPN services, and two case studies describing customers that have already made the transition to a service-centric MPLS-based VPN environment. Relevant sources of additional information are provided at the end of this paper, and decision makers are encouraged to download the follow-on paper, "The Move to MPLS-Based VPNS: Exploring the Service Options" to understand the service options available when migrating to MPLS-based VPNs.

"MPLS as next-generation networking: MPLS is widely viewed as the next-generation network service, which will replace Frame Relay and also do what was intended to be done by ATM: deliver multiple, guaranteed service levels over a single network infrastructure."

-J. Pultz and N. Rickard, Gartner Research

ENTERPRISE REQUIREMENTS

Any discussion of enterprise networking capabilities should start with an understanding of the challenges. Enterprise network requirements can be mapped into five sets of questions from the enterprise IT managers:
· High availability-How do I make sure that my network is widely available and can support mission-critical applications reliably?
· Security-How do I prevent unauthorized access to my network? How do I protect my network against denial-of-service (DoS) attacks? How do I deal with encryption?
· QoS-With the advent of voice and video services, how do I make sure that our delay-sensitive real-time traffic gets the premium network bandwidth and prioritization that it requires?
· Multicast-Will the network have the multicast capabilities to support video broadcasts and videoconferencing?
· Management-How do I retain our existing IP addressing plan? How do I handle routing protocol changes? How do I migrate from existing services onto a managed MPLS-based VPN? How do I mix protocols on one network?
The following sections overview MPLS and the related VPN features that address these requirements.

MPLS TECHNOLOGY AND ARCHITECTURE

Cisco IOS MPLS fuses the intelligence of routing with the performance of switching, providing significant benefits to networks with a native IP architecture as well as those with IP, ATM, or a mixture of other Layer 2 technologies. MPLS is often called a Layer 2.5 protocol because its labels sit between the Layer 2 header and the payload and can carry Layer 3 packets (for example, IP) as well as Layer 2 frames or cells (for example, Ethernet, Frame Relay, or ATM). MPLS-labeled packets can in turn be carried across a variety of Layer 2 interfaces: ATM, Frame Relay, Point-to-Point Protocol (PPP), Packet over SONET (POS), or Ethernet.
There are two architectural elements that make up MPLS: the control plane and the data (or forwarding) plane. The control plane refers to all technology components that build forwarding tables. The forwarding plane includes all components that forward traffic based on those tables. The control plane uses IP routing protocols such as Border Gateway Protocol (BGP), Open Shortest Path First (OSPF), or Enhanced Interior Gateway Routing Protocol (EIGRP) to learn the topology, and a label distribution protocol (LDP, or RSVP-TE for traffic engineering) to bind labels to the resulting routes. The forwarding plane resembles ATM: packets are switched on a fixed-length label rather than on a longest-match IP lookup. For this reason, MPLS is referred to as a good mix-and-match solution, pulling in the strengths of IP and ATM.

Figure 1

MPLS Technology and Architecture

Regarding network topology, MPLS architecture can be discussed in terms of the edge functionality and the core functionality (Figure 1). At the edge, MPLS relates to all functionality that classifies traffic and imposes labels. Next, traffic is sent into the core where MPLS is focused on the rapid forwarding of packets. Therefore the edge involves the service definition, creation, and aggregation, and the core is focused on traffic throughput and fast reroute.

MPLS-BASED VPNS

Layer 3 VPNs

Layer 3 VPNs provide three key benefits to enterprises: any-to-any connectivity through per-VPN forwarding tables, retention of the existing IP addressing plan because overlapping address spaces are supported, and greater scalability at both the site-to-site and data center levels.
MPLS-based Layer 3 VPNs are defined in RFC 2547bis (since published as RFC 4364) by the Internet Engineering Task Force (IETF) L3VPN working group. The specification uses Multiprotocol BGP (MP-BGP) to distribute customer routes together with their VPN labels between provider edge (PE) routers over an internal BGP session (Figure 2). The Label Distribution Protocol (LDP) distributes the labels used to reach each PE across the core. Each PE holds one VPN routing and forwarding (VRF) instance, also called a VRF table, per attached customer, kept separate from the global routing table; the core (P) routers hold only the global table and the labels that reach the PEs, with no per-customer state at all. Because a PE holds multiple VRFs alongside one global routing table, a service provider can offer a VPN service and an Internet service over the same connection: traffic arriving on a VRF interface is forwarded according to that VRF, while Internet traffic is still routed using the global routing table.

Figure 2

RFC 2547bis: BGP-Based VPNs

Forwarding Tables

Forwarding tables provide the foundation for any-to-any connectivity. MPLS allows multiple routing tables to coexist on a PE, supporting traffic for multiple VPNs in addition to non-VPN traffic. Each customer attached to a PE is given its own VRF instance. MP-BGP advertises the prefixes in each VRF to the other PEs together with a VPN label allocated by the advertising (egress) PE. The Interior Gateway Protocol (IGP) determines the path to that egress PE, and the VPN label tells the egress PE which VRF, and therefore which outgoing interface, the traffic belongs to.
The IGP label and the VPN label are combined through MPLS label stacking. There is an outer label and an inner label: the outer (IGP) label gets traffic from the ingress PE to the egress PE; the inner (VPN) label is examined only by the egress PE and dictates where the traffic goes from there. Core routers switch on the outer label alone and never inspect the inner label or the customer's IP header.
Routing policies based on route-target (RT) extended communities control which routes each VRF imports and exports. These policies allow topologies such as hub and spoke or full mesh to be built, and allow sites to maintain any-to-any connectivity (subject to the chosen topology) even though each site has a single access link. A new site is added by configuring a VRF on its provider edge router; no change is needed at any other site or router, so MPLS provides excellent scalability and simplified startup of new sites.

Overlapping Address Spaces

Support for overlapping address spaces makes it possible to retain an existing addressing plan, and is essential for enterprises that use RFC 1918 private addresses. That RFC sets aside blocks of IP addresses that are not routable over the Internet, the most widely used being 10.0.0.0/8. MPLS-based Layer 3 VPNs handle duplicates by prepending a globally unique route distinguisher (RD) to each customer prefix before it is advertised in BGP, producing a distinct VPN-IPv4 route per customer. Each VRF keeps its own copy of the address space, so even if two enterprises use identical addresses on a shared service provider infrastructure, their routes and their traffic remain separated.
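The separation described here and in the Forwarding Tables section can be made concrete. The following Python model is an added example, not code from this paper or from Cisco: it encodes Type 0 route distinguishers as RFC 4364 defines them, derives per-VRF tables from route-target import/export policy, and shows two customers both announcing 10.1.1.0/24 without colliding. The PE names, prefixes, route-target values and AS number 65000 are constructed for the illustration, and a single label counter stands in for each PE's own label allocation.

```python
"""Added example for the Forwarding Tables and Overlapping Address Spaces
sections; not code from the paper or from Cisco. Models how PE routers keep
two customers' identical RFC 1918 prefixes apart with route distinguishers
(RDs) and how route-target (RT) import/export policy yields hub-and-spoke
for one customer and full mesh for another (RFC 4364). PE names, prefixes,
RT values and the AS number are constructed."""
from dataclasses import dataclass
import struct

PROVIDER_AS = 65000  # constructed private AS number for the provider


def encode_rd(asn: int, assigned: int) -> bytes:
    """Type 0 route distinguisher: 2-byte type (0), 2-byte ASN, 4-byte value."""
    return struct.pack("!HHI", 0, asn, assigned)


def vpnv4(rd: bytes, prefix: str) -> str:
    """Printable VPN-IPv4 address: RD prepended to the customer's IPv4 prefix.
    Two customers may both announce 10.1.1.0/24; the RD makes the routes distinct."""
    _type, asn, num = struct.unpack("!HHI", rd)
    return f"{asn}:{num}:{prefix}"


@dataclass(frozen=True)
class VpnRoute:
    rd: bytes                 # makes the VPNv4 prefix globally unique
    prefix: str               # customer IPv4 prefix, may overlap across VPNs
    egress_pe: str            # BGP next hop; the outer (IGP) label reaches it
    vpn_label: int            # inner label allocated by the egress PE
    route_targets: frozenset  # RT extended communities (shown as "asn:nn" strings)


@dataclass
class Vrf:
    name: str
    rd: bytes
    export_rts: frozenset
    import_rts: frozenset
    pe: str
    local_prefixes: tuple


def distribute(vrfs: list) -> dict:
    """Model MP-BGP between PEs: each VRF exports its local prefixes as VPNv4
    routes tagged with its export RTs, then imports every advertised route whose
    RTs intersect its import RTs. Returns {vrf name: {prefix: (egress PE, label)}}.
    A global counter stands in for per-PE label allocation; labels 0-15 are reserved."""
    advertised, label = [], 16
    for vrf in vrfs:
        for p in vrf.local_prefixes:
            advertised.append(VpnRoute(vrf.rd, p, vrf.pe, label, vrf.export_rts))
            label += 1
    tables = {}
    for vrf in vrfs:
        table = {p: ("local", None) for p in vrf.local_prefixes}
        for r in advertised:
            if r.rd != vrf.rd and r.route_targets & vrf.import_rts:
                table[r.prefix] = (r.egress_pe, r.vpn_label)
        tables[vrf.name] = table
    return tables


def build_vrfs() -> list:
    """Constructed scenario: customer A (hub-and-spoke) and customer B (full
    mesh) share PE2, and both use 10.1.1.0/24."""
    hub, spoke, mesh = frozenset({"65000:100"}), frozenset({"65000:101"}), frozenset({"65000:200"})
    return [
        # A: the hub exports the hub RT and imports the spoke RT; spokes do the
        # reverse, so spoke-to-spoke traffic must transit the hub site.
        Vrf("A-hub", encode_rd(PROVIDER_AS, 1), hub, spoke, "PE1", ("10.1.1.0/24",)),
        Vrf("A-spoke1", encode_rd(PROVIDER_AS, 2), spoke, hub, "PE2", ("10.2.0.0/16",)),
        Vrf("A-spoke2", encode_rd(PROVIDER_AS, 3), spoke, hub, "PE3", ("10.3.0.0/16",)),
        # B: every site imports and exports the same RT, giving any-to-any.
        Vrf("B-site1", encode_rd(PROVIDER_AS, 20), mesh, mesh, "PE2", ("10.1.1.0/24",)),
        Vrf("B-site2", encode_rd(PROVIDER_AS, 21), mesh, mesh, "PE3", ("172.16.0.0/16",)),
    ]


if __name__ == "__main__":
    for v in build_vrfs():
        print(v.name, [vpnv4(v.rd, p) for p in v.local_prefixes])
    for name, table in distribute(build_vrfs()).items():
        print(name, table)
```

Running it shows A-spoke1 learning 10.1.1.0/24 from PE1 with label 16 while B-site2 learns "the same" 10.1.1.0/24 from PE2 with label 19; the two never appear in one table because no VRF imports both RTs, and the spokes of customer A never learn each other's prefixes.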

MPLS VPN Scalability

In non-MPLS networks, large deployments often run into scalability problems, especially with full-mesh topologies. With ATM or Frame Relay, every core device must hold virtual-circuit state for each subscriber and for each destination it can reach, and a full mesh of n sites needs on the order of n squared circuits. MPLS-based VPNs keep no per-subscriber state (such as ATM or Frame Relay virtual-circuit information) in the core; only the provider edge routers hold VRFs.
As a result, the number of sites an MPLS-based VPN can reach is bounded by PE route and VRF capacity rather than by circuit state in the core. MPLS-based VPNs have been deployed spanning thousands of sites, and scale considerably further than the circuit-based alternatives.

Layer 2 VPNs: Any Transport over MPLS (AToM)

Both Layer 2 and Layer 3 traffic can be deployed over a single provider edge device, which allows service providers to rapidly deploy new services and gives enterprises fast access to new offerings and a broad choice of end-circuit services. Many service providers offer both Layer 3 and Layer 2 VPN support over the same MPLS network, giving enterprise IT managers the freedom to choose the best option for meeting the overall requirements of their networks (Figure 3).

Figure 3

Layer 2 VPNs: Any Transport over MPLS (AToM)

The Cisco Systems® implementation of Layer 2 VPNs over MPLS is Any Transport over MPLS (AToM). Conceptually, AToM closely resembles Layer 3 BGP VPNs: it uses the same label stacking to carry many point-to-point Layer 2 circuits, each in its own pseudowire, over a shared set of tunnels through the core. A targeted LDP session between the two provider edge routers, rather than BGP, signals the pseudowire labels, because LDP suits the point-to-point nature of AToM (BGP excels at any-to-any route distribution).
In Layer 2 MPLS, the outer label is still the IGP label, but the inner label is the virtual circuit (VC) label (the counterpart of the VPN label in Layer 3 MPLS). Other than the naming, the Layer 2 and Layer 3 label-stacking schemes are identical, and Layer 2 VPNs offer the same scalability benefit: core devices store no per-subscriber state such as ATM or Frame Relay virtual-circuit information. This inherent scalability is a key advantage over native ATM and Frame Relay architectures.

DiffServ over MPLS

Most existing enterprise networks already have established levels of service to support the delay, loss, and jitter requirements for voice and video traffic. Migrating to an MPLS-based VPN requires that the sites retain the equivalent or improved ability to flexibly manage QoS. MPLS-based networks address these requirements with differentiated services (DiffServ) mechanisms over MPLS (Figure 4), providing the ability to prioritize traffic and enable QoS service level agreements (SLAs) that enterprise customers can subscribe to.
In MPLS-based networks, IP QoS markings are mapped onto the three experimental (EXP) bits of the MPLS label header (since renamed the Traffic Class field by RFC 5462). By default the three most significant bits of the IP DSCP value (the IP precedence) are copied into EXP at the ingress PE. Because core routers act on EXP alone, the customer's IP header passes through untouched, and provided the provider runs the pipe or short-pipe tunneling model of RFC 3270 rather than the uniform model, the DSCP the customer set is also preserved at egress. This QoS transparency across the network eases the management of multiservice traffic.
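To make the label stack and the EXP mapping visible at the byte level, the following Python is an added example rather than code from this paper or from Cisco. It packs and unpacks the 32-bit label stack entries of RFC 3032, copies IP precedence into EXP as described above, and models an egress PE that pops the IGP label if the penultimate hop left it on and hands the packet to the VRF its VPN label names; it also refuses labeled packets arriving on a customer-facing interface, which is the check that stops one customer from injecting traffic into another customer's VRF. The label values 1000, 16 and 19, the VRF names and the IP payload are constructed.

```python
"""Added example for the label-stacking and DiffServ-over-MPLS passages; not
code from the paper or from Cisco. Encodes/decodes RFC 3032 label stack
entries (20-bit label, 3-bit EXP, 1-bit bottom-of-stack, 8-bit TTL), maps
DSCP to EXP, and models egress PE handling. Labels, VRF names and payload
are constructed for the illustration."""
from __future__ import annotations
import struct

# Constructed egress PE state: inner (VPN) label -> VRF that label was allocated for.
VPN_LABEL_TABLE = {16: "VRF-A", 19: "VRF-B"}


def encode_label_entry(label: int, exp: int, bottom: bool, ttl: int) -> bytes:
    """One 32-bit label stack entry, network byte order."""
    if not (0 <= label < 2 ** 20 and 0 <= exp < 8 and 0 <= ttl < 256):
        raise ValueError("label stack field out of range")
    word = (label << 12) | (exp << 9) | (int(bottom) << 8) | ttl
    return struct.pack("!I", word)


def decode_label_stack(data: bytes) -> tuple[list, bytes]:
    """Read entries until the bottom-of-stack (S) bit is set.
    Returns ([(label, exp, ttl), ...] outermost first, remaining payload)."""
    entries, offset = [], 0
    while True:
        if offset + 4 > len(data):
            raise ValueError("truncated label stack")
        (word,) = struct.unpack_from("!I", data, offset)
        offset += 4
        entries.append((word >> 12, (word >> 9) & 0x7, word & 0xFF))
        if (word >> 8) & 0x1:
            return entries, data[offset:]


def dscp_to_exp(dscp: int) -> int:
    """Default ingress mapping: the three high-order DSCP bits (IP precedence)
    become EXP, so EF (46) -> 5, AF31 (26) -> 3, best effort (0) -> 0."""
    return (dscp >> 3) & 0x7


def build_vpn_packet(igp_label: int, vpn_label: int, dscp: int,
                     ip_payload: bytes, ttl: int = 255) -> bytes:
    """Ingress PE: outer IGP label (S=0) over inner VPN label (S=1), both
    marked with the EXP derived from the customer's DSCP, then the IP packet."""
    exp = dscp_to_exp(dscp)
    return (encode_label_entry(igp_label, exp, False, ttl)
            + encode_label_entry(vpn_label, exp, True, ttl)
            + ip_payload)


def egress_pe_forward(frame: bytes, from_core: bool) -> tuple[str, bytes]:
    """Egress PE: drop labeled packets from CE-facing ports (a PE must never
    accept MPLS from a customer), pop the IGP label if penultimate-hop popping
    did not already remove it, and forward within the VRF the VPN label names."""
    if not from_core:
        raise PermissionError("MPLS-labeled packet on a CE-facing interface: dropped")
    entries, payload = decode_label_stack(frame)
    if len(entries) == 2:
        entries = entries[1:]  # outer IGP label still present; pop it
    if len(entries) != 1 or entries[0][0] not in VPN_LABEL_TABLE:
        raise LookupError(f"no VRF bound to label stack {entries}: dropped")
    return VPN_LABEL_TABLE[entries[0][0]], payload


if __name__ == "__main__":
    payload = bytes([0x45]) + bytes(19)  # constructed stand-in for an IPv4 header
    pkt = build_vpn_packet(1000, 16, 46, payload)
    print(pkt[:8].hex(), decode_label_stack(pkt)[0])
    print(egress_pe_forward(pkt, from_core=True)[0])
```

A voice packet marked EF (DSCP 46) comes out with EXP 5 on both labels, and the core queues it on that value alone; the egress PE forwards it into VRF-A whether or not the IGP label is still on the stack, but the same bytes presented on a customer-facing interface are discarded before any label is looked up.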
IP QoS and MPLS QoS use fundamentally the same mechanisms and, apart from minor low-level implementation differences, behave identically. For example, both IP and MPLS QoS support:
· Class-based weighted fair queuing (CBWFQ) and low-latency queuing (LLQ)
· Weighted random early detection (WRED)
· Traffic policing
· Traffic shaping
In addition, DiffServ mechanisms provide similar per-hop behavior for MPLS networks. The similarities and virtual transparency of MPLS QoS mechanisms compared to IP QoS mechanisms make it easy for a service provider to meet the requirements of an enterprise based on their existing voice, video, and data traffic characteristics and QoS needs.

Figure 4

DiffServ over MPLS

MPLS Traffic Engineering

Networks with high availability are absolutely essential to support the core business of today's enterprises. The inherent MPLS traffic engineering mechanisms provide valuable tools to maximize traffic distribution and improve network bandwidth utilization. These steps are essential to achieve high availability that ultimately benefits the enterprise customers. The traffic engineering tunnels also enable fast reroute, allowing service providers to take advantage of fast rerouting within the core network to achieve higher up times and thereby accommodate mission-critical, delay-sensitive enterprise traffic such as voice and video.
MPLS traffic engineering provides a viable solution to maximize traffic distribution and overall bandwidth utilization for an IP-based network. Consider the "fish" problem (Figure 5), so named because of the shape of the network topology. In traditional IP networks, the IGP keeps no information about how much bandwidth is available on a link; it knows only the shortest path from one point to another. Referring to Figure 5, it is easy to oversubscribe the link from router R2 to R3 to R4 while completely ignoring a perfectly viable but longer path from R2 to R6 to R7 to R4 that carries little or no traffic. MPLS traffic engineering addresses this with IGP extensions that flood each link's available bandwidth, a constrained shortest path first (CSPF) computation that picks a path with enough free bandwidth, and RSVP-TE to signal and reserve the tunnel along that path. It can also define protection mechanisms such as fast reroute, which pre-establishes backup paths so that traffic is diverted around a failed link or node in tens of milliseconds. Traffic engineering can be used to minimize latency where it matters: voice traffic can be steered over the lowest-delay links while bulk data, which is less delay sensitive, takes longer paths.
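The difference between IGP shortest-path routing and constraint-based tunnel placement is easiest to see by computing both over the fish topology. The following Python is an added example, not code from this paper or from Cisco: it runs plain shortest-path routing, shows the R2-R3-R4 link being offered more than its capacity, then places the same demands as TE tunnels with a CSPF that prunes links lacking reservable bandwidth and reserves bandwidth as each tunnel is set up, the way RSVP-TE does. The node names follow Figure 5; the metrics, capacities and demand sizes are constructed.

```python
"""Added example for the "fish" problem; not code from the paper or from
Cisco. Contrasts IGP shortest-path routing (no bandwidth awareness) with the
constrained shortest path first (CSPF) computation MPLS traffic engineering
uses. Topology, metrics, capacities and demands are constructed to mirror
Figure 5: short path R2-R3-R4, longer path R2-R6-R7-R4."""
import heapq

# Constructed links: (node, node, IGP metric, reservable Mbps), bidirectional.
# Access links are 10 Gbit/s; both core paths are 1 Gbit/s per hop.
LINKS = [
    ("R1", "R2", 10, 10000), ("R5", "R2", 10, 10000), ("R4", "R8", 10, 10000),
    ("R2", "R3", 10, 1000), ("R3", "R4", 10, 1000),
    ("R2", "R6", 10, 1000), ("R6", "R7", 10, 1000), ("R7", "R4", 10, 1000),
]


def build_graph(links, reserved=None):
    """Adjacency map {node: {neighbour: (metric, available_mbps)}}. `reserved`
    maps frozenset({a, b}) to bandwidth already committed to earlier tunnels."""
    reserved = reserved or {}
    graph = {}
    for a, b, metric, capacity in links:
        available = capacity - reserved.get(frozenset((a, b)), 0)
        graph.setdefault(a, {})[b] = (metric, available)
        graph.setdefault(b, {})[a] = (metric, available)
    return graph


def cspf(graph, src, dst, demand_mbps=0):
    """Dijkstra restricted to links with at least `demand_mbps` available.
    With demand 0 nothing is pruned and this is ordinary IGP routing.
    Returns the node list from src to dst, or None if no path satisfies it."""
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue  # stale heap entry
        if u == dst:
            break
        for v, (metric, available) in graph[u].items():
            if available < demand_mbps:
                continue  # constraint pruning: the IGP alone never does this
            nd = d + metric
            if nd < dist.get(v, float("inf")):
                dist[v], prev[v] = nd, u
                heapq.heappush(heap, (nd, v))
    if dst not in dist:
        return None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]


def link_load(paths_and_mbps):
    """Offered load per link for a list of (path, Mbps) flows."""
    load = {}
    for path, mbps in paths_and_mbps:
        for a, b in zip(path, path[1:]):
            key = frozenset((a, b))
            load[key] = load.get(key, 0) + mbps
    return load


def place_tunnels(links, demands):
    """Set up TE tunnels one at a time, reserving bandwidth along each path so
    later tunnels are steered onto links with headroom (RSVP-TE behaviour).
    `demands` is a list of (name, src, dst, Mbps). Returns {name: path or None}."""
    reserved, placed = {}, {}
    for name, src, dst, mbps in demands:
        path = cspf(build_graph(links, reserved), src, dst, mbps)
        placed[name] = path
        for a, b in zip(path or [], (path or [])[1:]):
            key = frozenset((a, b))
            reserved[key] = reserved.get(key, 0) + mbps
    return placed


if __name__ == "__main__":
    g = build_graph(LINKS)
    igp = [(cspf(g, "R1", "R8"), 600), (cspf(g, "R5", "R8"), 600)]
    print("IGP only: R2-R3 offered", link_load(igp)[frozenset(("R2", "R3"))], "Mbps on a 1000 Mbps link")
    print("TE:", place_tunnels(LINKS, [("T1", "R1", "R8", 600), ("T2", "R5", "R8", 600)]))
```

With two 600 Mbit/s flows from R1 and R5 towards R8, the IGP puts both on R2-R3-R4 and offers that link 1200 Mbit/s; CSPF places the first tunnel there and steers the second over R2-R6-R7-R4, and a third 600 Mbit/s request is refused rather than admitted onto a link that cannot carry it.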

Figure 5

MPLS Traffic Engineering (Solving the "Fish" Problem)

MPLS VPNs: Providing Layer 2 and Layer 3 Services

MPLS combines the strengths of Layer 2, Layer 3, QoS, and traffic engineering, and enables a converged network that can support all services. Because of these strengths, service providers are rapidly enabling MPLS in core networks, and enterprise IT managers should look for providers that can deliver MPLS-based VPNs with all of these related services at the edge, as well as QoS and traffic engineering tools that can span the end-to-end network (Figure 6).

Figure 6

Layer 3 and Layer 2 VPN Services: Traffic Engineering, QoS, and IP Services

MPLS VPN Security

When evaluating the move to managed MPLS-based VPN services, security is a key concern for enterprise IT managers. There are two distinct considerations in a shared environment: traffic separation between customers, and traffic encryption to protect data confidentiality. Independent testing by Miercom, a privately held network consultancy specializing in networking and communications-related product testing and analysis, found that MPLS-based VPN services separate customer traffic as effectively as ATM and Frame Relay networks. That separation rests on the VRF and label-stacking mechanisms described earlier and on correct provider configuration; in particular, PE routers must not accept MPLS-labeled packets on customer-facing interfaces, and the provider core must not be reachable from customer address space. Like ATM and Frame Relay, an MPLS VPN does not encrypt anything, so data is visible to the provider and to anyone who gains access to the provider's network. Where confidentiality is required, IP security (IPSec) can be run over the MPLS VPN, typically between customer edge routers or between hosts, providing encryption, integrity protection, and peer authentication for that segment. Effective separation combined with optional encryption means enterprises can deploy mission-critical networked applications on MPLS-based VPNs.
For more information about MPLS and security, refer to Cisco® white paper, "Analysis of MPLS IP VPN Security: Comparison to Traditional L2VPNs Such as ATM and Frame Relay, and Deployment Guidelines" at:
A report summarizing the Miercom evaluation of MPLS VPN security is also available at:

Value-Added Services Enabled by MPLS VPNs

Table 1 summarizes the network services enabled by MPLS-based VPNs, categorized into the five key areas of enterprise requirements. Figure 7 depicts examples of additional value-added services that can be offered by a service provider using an established foundation of an MPLS-based VPN.

Table 1. Meeting Enterprise Requirements with Network Services Enabled by MPLS-Based VPNs

Enterprise Requirement | Network Services
High availability | Traffic engineering and fast reroute for improved handling of link and routing failures
Security | IPSec encryption, firewall/intrusion detection, and other MPLS features for security throughout the network
QoS | Traffic differentiation and prioritization at a granular level
Multicast | Support for applications such as NetMeeting, video casts, and virtual whiteboards
Management | Ability to capture SLA measurements, and ease of implementation with least disruption to existing networks

Figure 7

MPLS-Based VPNs Serve as Foundations for Other Value-Added Services

Cisco IOS Software: Advanced Features for MPLS-Based VPNs

Cisco IOS Software enables Intelligent Information Networks that can benefit both enterprises and service providers. Intelligent Information Networks simplify the deployment and operation of MPLS-based VPN services. Some of the relevant Cisco IOS Software features unique for MPLS-based VPNs currently being deployed by service providers include:
· High availability solutions-Cisco Nonstop Forwarding (NSF) and Stateful Switchover (SSO) keep forwarding traffic through a route-processor switchover on a PE or core router, so a control-plane failure within one device does not interrupt customer traffic.
· Security capabilities-The traffic separation inherent to MPLS VPNs, along with optional IPSec encryption, Cisco IOS Firewall for stateful filtering, and the Cisco Intrusion Detection System, protects against malicious attacks and unauthorized traffic.
· QoS-Cisco Network-Based Application Recognition (NBAR) provides deep packet inspection up to Layer 7 (the application layer) to accurately classify and control traffic. Better traffic classification results in better network utilization. NBAR recognizes a wide variety of applications, including Web-based and other difficult-to-classify protocols. When an application is recognized and classified by NBAR, a network can invoke services for that specific application. NBAR helps ensure that network bandwidth is used efficiently by working with QoS features to provide guaranteed bandwidth, bandwidth limits, traffic shaping, and packet coloring. NBAR can determine which protocols and applications are currently running on a network so that an appropriate QoS policy can be created based upon the current traffic mix and application requirements.
· QoS provisioning and simplified management of VPNs-Cisco AutoQoS automates the provisioning of customer-edge devices, and simplifies access of QoS services.
· Multicast-Cisco IOS Software fully supports multicast for efficiently implementing video broadcasts and other real-time streaming applications.
· Management-Cisco Service Assurance Agent (SAA), since renamed Cisco IOS IP SLAs, provides automated SLA measurement mechanisms, which can be configured from customer edge to provider edge (last mile) or from customer edge to customer edge (end to end), and also include comprehensive reporting functions.

HJ Heinz Europe

HJ Heinz Europe, the international food manufacturer, adopted MPLS VPN services to converge data and voice onto a single network, and to boost overall enterprise productivity levels in Europe. The company's migration to managed MPLS-based VPN services was also motivated by the desire to gain pan-European visibility across their network, and to enable the rollout of other applications, including Microsoft Exchange. Details of their implementation include:
· Site-to-site connectivity across 13 sites initially, with 7 more sites to be added
· Remote access (DSL for home users)
· Classes of service:

– Class 1 for voice over IP (VoIP) (top priority) in support of 7000 IP phones

– Class 2 for voice and videoconferencing

– Class 3 for e-mail

Van Wijnen Groep Netherlands

This Dutch real estate and construction group deployed a managed MPLS-based VPN service across the company's 20 sites. The company defined its goals for migrating to a managed service:
· Establish a network architecture to support mission-critical applications such as enterprise resource planning (ERP) packages and Citrix-delivered clients
· Increase flexibility and any-to-any connectivity to directly link users
· Minimize network latencies
The new managed service provided to Van Wijnen Groep consists of the MPLS-based VPN connecting all 20 sites, management of customer premises equipment (CPE) at these sites by the service provider, and remote access for an increasing number of teleworkers. Two unique classes of service are required for the Van Wijnen Groep-a gold class for Citrix clients, and a silver class for Telnet traffic.

The Next Step

With superior Cisco technology and management functions as the foundation, Cisco MPLS-based VPNs help enable service providers worldwide to offer the most advanced and robust business communications solutions today. Managed network services from a provider with a network built end to end with Cisco equipment can help your business excel. Service providers that display the Cisco Powered logo are uniquely positioned to assist enterprise IT managers in the migration to MPLS-based VPN services. They have earned this designation by maintaining high levels of network quality and by basing their VPN services end to end on Cisco equipment-the same equipment that virtually all Internet traffic travels on today. More than 350 of the most successful service providers around the world have earned Cisco Powered Network designations. Situated in 62 countries, these providers offer a wide range of services for small and large businesses alike. From the basics such as Internet access and Web hosting to emerging services such as IP telephony and storage networking, they should be an enterprise's first choice.
For more information about migrating to MPLS-based VPN services, review the follow-on Cisco paper, "The Move to MPLS-Based VPNS: Exploring the Service Options" that can be downloaded from:
For a detailed discussion of managed MPLS-based VPN service offerings powered by Cisco, visit:
For more information about selecting and working with service providers, visit:
To find a recommended service provider, go to: