

Making the case for Layer 2 and Layer 3 VPNs


Ivan Pepelnjak
11.26.2007


The common wisdom a few years ago was that Frame Relay and ATM were dead and that anyone trying to offer a serious Virtual Private Network (VPN) service should be offering Layer 3 VPNs (usually in the form of an MPLS VPN).

Equipment manufacturers have started promoting Layer 2 VPNs recently, increasing the confusion within some service providers that now have to decide what service to offer to their customers. As always, the right answer is: Listen to your customers, find a solution that matches their expectations, help them get the most out of the solution, and deliver it reliably.

Before the explosion of IP-based VPNs based on Multiprotocol Label Switching (MPLS) or IP Security (IPSec), almost all service providers (excluding the pure Internet Service Providers) were offering Layer 2 virtual circuit services implemented with Frame Relay or ATM technologies. Some providers decided early to climb up the value chain and offer managed router services, effectively providing end-to-end IP connectivity to their customers (most often LAN-to-LAN, but some even provided dial-in access).

For these service providers, the migration to IP-based VPNs was simple, as they already had the necessary IP routing skills and understood the customer environment. The providers that didn't make that early migration needed to make the following realizations:

  • Previously they had provided point-to-point transport (bit pipes); now they were providing the very core of the customer's network.
  • End-to-end convergence and backup plans were previously the customer's problem; now they were the service provider's responsibility.
  • If they wanted to offer IP-based services, they needed to have in-depth IP knowledge in their design, deployment and operations teams.

Some of the more traditional service providers have ignored these facts and failed miserably. I've seen service providers offering point-to-point IP services (emulating virtual circuits with IP) or supporting only static routes and connected subnets (which also meant they couldn't answer the simple question of how they planned to provide a backup for the primary access link). For these service providers, the newly introduced Layer 2 VPNs seemed like a panacea; they could continue ignoring the IP world and offer what they know best -- Layer 2 services.

Unfortunately, the world is not flat, and Layer 2 services cannot cover the needs of an entire network. This fact has been proven time and again in networks that used wide area network (WAN) bridges 15 years ago (and crashed) or in environments where switches without Layer 3 capabilities were used to replace routers. To provide a stable, reliable, scalable network, you need both Layer 2 services to provide transport and Layer 3 services to segment the network into manageable isolated chunks.

Implementing true service convergence on a single core

On the other hand, there are situations where Layer 2 transport is the only solution. Customers often use legacy equipment that has Frame Relay or ATM uplinks (in some cases, the really old boxes have only an X.25 port), and these needs have to be addressed as well. Some customers still run non-IP protocols in an Ethernet environment. And there's always the transport of non-packetized voice traffic that uses T1/E1 lines between exchanges.

If you want to implement true convergence of all your services onto a single core infrastructure, your core network should support the transport of public IP, private IP (VPN) as well as a number of legacy Layer 2 WAN and LAN technologies (for example, with Any Transport over MPLS – AtoM). Unless you decide that your core network will be built with Wavelength Division Multiplexing (WDM), you have to offer IP-based Layer 2 and Layer 3 VPN services (using ATM in the core is simply too expensive when compared to IP-based solutions). Most often, the core technology of choice would be MPLS, but you can get similar results (although with more overhead and reduced traffic engineering capabilities) with IPSec-based Layer 3 VPNs and Layer 2 Tunneling Protocol Version 3 (L2TPv3)-based Layer 2 VPNs.

Whatever you decide to offer your customers, be honest with them. If you're providing an end-to-end LAN-to-LAN solution, use a Layer 3 service (an MPLS- or IPSec-based VPN). If you decide not to offer a Layer 3 service, but provide a site-to-site Layer 2 transport infrastructure (virtual circuits or bridged LAN-to-LAN traffic), that's fine -- as long as you're not trying to persuade customers that they can plug your LAN cable straight into their Layer 2 switches on every site and have a reliably running network.

About the author: Ivan Pepelnjak, CCIE No. 1354, is a 25-year veteran of the networking industry. He has more than 10 years of experience in designing, installing, troubleshooting and operating large service provider and enterprise WAN and LAN networks and is currently chief technology advisor at NIL Data Communications, focusing on advanced IP-based networks and web technologies. His books include MPLS and VPN Architectures and EIGRP Network Design. You can read his blog here: http://ioshints.blogspot.com/index.html.
