VPLS is not Aspirin

If you’re old enough to remember the days when switches were still called bridges and were used to connect multiple sites over WAN links, you’ve probably experienced interesting network meltdowns caused by a single malfunctioning network interface card: one faulty NIC flooding the segment was enough to take down every site connected to the bridged WAN. Some of you might have had the “privilege” of encountering another somewhat failed attempt at WAN bridging: the ATM LAN Emulation (LANE) service (not to mention the “famous” Catalyst 3000 switches with the LANE uplink).

It looks like some people decided not to learn from others’ mistakes: years later, the bridging-over-WAN idea has resurfaced dressed up as VPLS. While there are legitimate reasons why you’d want a bridged connection across the Service Provider network, VPLS should not be used to connect regular remote sites to a central site without on-site (CE) routers; otherwise every site ends up in one broadcast domain, with all the failure modes of the old bridged WANs. You can find several reasons for this claim in the article “VPLS: A secure LAN cloud solution for some, not all” I wrote for SearchTelecom.

7 comments:

  1. Hi Ivan,

    Your expressed views appear a bit one-sided. Carrier Ethernet (including VPLS) is very often sold as a backbone carriage solution for customers to run their L3 on top. The case of people "just plugging their LAN switches into it" is pretty rare, as Carrier Ethernet typically steals market share from other technologies (P2P links and IP VPNs), and people usually already have routers in place.

    The security issues you pointed out for VPLS are more of a corner case than something really prominent, too.

  2. Hi cdplayer!

    If we could ensure that everyone connected to a VPLS service will deploy CE routers, I'd be extremely happy. Unfortunately, the reality (particularly with mid-sized SPs and SMB customers) tends to go the other way, more so as people are trying to cut costs.

    Assuming the customer has deployed CE routers, we're facing a scalability issue as all of them are connected to the same virtual LAN segment, which is not a good idea if you're talking about hundreds of sites.

  3. From my service provider experience, where we run VPLS, it's a great step in carrier Ethernet. The multipoint feature does the job very well. Customers in most cases have routers sitting as CE, simply handing Ethernet frames to the SP. If they have too many sites, they carefully plan the traffic pattern, and sites are isolated on a separate L2 broadcast domain if required. I believe your CE equipment in the head office is more comfortable seeing the branch CE as the next hop than seeing the PE as the next hop. Moreover, there is no possibility of the SP getting hit by loops, as the CP is separated from the DP.

  4. @Sundar: what you're describing is a perfect use of VPLS. I'm glad to see that some SPs use this interesting technology the way it should be used :)

  5. Hi Ivan, from your perspective, CPE routers are necessary in order for VPLS to work properly, but in my mind that negates the "sexy" sticker that analysts have slapped on the service. I thought the whole idea was gaining the plug-and-play benefits of a native LAN.

    Here's Heavy Reading's take in 2007 on Verizon's flavor -

    Stan Hubbard, Lead Analyst – Heavy Reading
    "Verizon Business delivered the goods again in 2007 by demonstrating a strategic commitment to transform the data connectivity services landscape through Ethernet portfolio innovations that address on-demand enterprise needs. Light Reading and Heavy Reading have been particularly impressed by its national VPLS rollout, international expansion activities and plans, and widespread deployment of Ethernet access platforms that extend the benefits of high-performance Ethernet to more customer locations."

    Is this just fluff???

  6. As a service provider we do a lot of VPLS networks for small to mid-size businesses (5-40 sites), and we really don't run into customers looking to connect a switch directly to the network. Customers invariably are coming from another technology (IP VPNs, IPsec over DIA, etc.) that provides them with an existing router they simply re-use.

    Code-E: the real benefit of VPLS isn't that it doesn't require a router; it is that it provides the benefits of an IP VPN while giving the customer full control over layer 3. For us that means no more issues interacting with customer routing protocols (e.g. EIGRP in particular), no more modifying static routes and adding new subnets manually for statically routed customers, and much simpler troubleshooting when something breaks. For the customer it means the ability to run any routing protocol they like, better convergence times than IP VPNs, and the ability to segment their network using VLANs over the WAN for different departments or divisions.

    As you start to exceed around 100 sites you have to think about scalability more, as Sundar mentioned, but below that level it is just a no-brainer if you need a private network and you can find a service provider that can deliver VPLS to all of your locations.

    I know there isn't a ton of blog coverage on service-provider-delivered VPLS networks, so I thought some of you might enjoy our blog, which has a number of posts on VPLS: http://www.cavtel.com/business/blog/

  7. It's nice to see some Service Providers understand exactly how and where to use VPLS. What you describe is the exact scenario I have in my "Choose the Optimal VPN Service" webinar.

    Please also keep in mind that the article was written almost a year and a half ago, when some vendors were still promoting VPLS as the next panacea.

    Last but definitely not least, it's great to see a Service Provider blog full of useful and accurate information. I could only wish more SPs would be like you.



Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.