MPLS VPN fundamentals

Are you having trouble understanding what an MPLS VPN is? It's not your fault. "MPLS VPNs" go by many different names. To get a better grasp of this network connection type, use this guide to MPLS VPN fundamentals to understand the types of MPLS VPNs that exist today as well as how to procure or rollout your own MPLS VPN and troubleshoot them.

What is an MPLS VPN?

VPLS, MPLS VPNs, MPLS and VPNs are terms often used interchangeably, but erroneously so. Confusion about MPLS VPNs stems from the multitudinous words that vendors and marketers often use to describe the same service. So what actually is an MPLS VPN?

"MPLS" and "VPN" are two different technology types. Multiprotocol Label Switching (MPLS) is a standards-based technology used to speed up the delivery of network packets over multiple protocols – such as the Internet Protocol (IP), Asynchronous Transport Mode (ATM) and frame relay network protocols. A virtual private network (VPN) uses shared public telecom infrastructure, such as the Internet, to provide secure access to remote offices and users in a cheaper way than an owned or leased line. VPNs are secure because they use tunneling protocols and procedures such as Layer Two Tunneling Protocol (L2TP). With those definitions understood, an MPLS VPN is a VPN that is built on top of an MPLS network, usually from a service provider, to deliver connectivity between enterprise office locations. The terms "MPLS IP VPN," "MPLS VPN" and "MPLS-based VPN" can be used synonymously. Understanding these terms are important when mastering MPLS VPN fundamentals.

Until recent years, enterprises were restricted to limited wide area network (WAN) connectivity options -- usually frame relay or T1/E1 dedicated links. The problem with these was that they were usually very expensive, inflexible and complex to manage for both enterprises and service providers. MPLS began over a decade ago as a way to allow enterprises to create end-to-end circuits across any type of transport medium using any available WAN technology, says networking expert Chris Partsenidis.

More relevant information:

Read this MPLS technology overview.

View this short primer to understand MPLS VPN basics.

Understand the MPLS VPN architecture.

Learn about how MPLS VPNs work in this MPLS VPN tutorial.

What are the different types of MPLS VPNs?

VPN expert Rainer Enders explains that there are two types of VPN MPLS-based services: Layer 3 MPLS VPNs and Layer 2 MPLS VPNs. Layer 3 MPLS VPNs operate at Layer 3, and Layer 2 MPLS VPNs operate at Layer 2 of the OSI model.

Layer 3 MPLS VPNs

Service providers typically refer to Layer 3 (L3) MPLS VPNs when they say "MPLS VPN." These VPNs are popular because they are the most scalable service provider option. In this scenario, expert Ivan Pepelnjak explains that your customer edge (CE) routers exchange routes with your provider edge (PE) routers. When you use L3 MPLS VPN services, the service provider routers form the core of your WAN backbone. The MPLS VPN backbone always uses Border Gateway Protocol (BGP) as its routing protocol. Almost any other routing protocol can be used to connect your sites with the MPLS VPN backbone, but many service providers limit the choices to BGP and static routing. Each of your edge routers peers with just one router -- the PE-router -- and you get optimum any-to-any connectivity between your sites regardless of your network topology.

Layer 2 MPLS VPNs

Layer 2 (L2) MPLS VPNs resemble a virtual circuit type service and are very effectively used by service providers in the Metro Ethernet field. According to Enders, there are two main RFCs that define two L2 MPLS VPN topologies:

• The Martini draft specifies the concept of virtual circuits as another overlay label switched path (LSP) inside a tunnel LSP. It addresses the problem of point-to-point VPN connections in MPLS VPNs.
• The second important RFC on the label distribution protocol (LDP), drafted by Marc Lasserre and Vac Kompella, specifies the virtual private LAN service (VPLS), which presents a solution for multipoint connectivity for the Layer 2 MPLS VPN. It builds upon the Martini approach by expanding the concept to a full mesh network topology. VPLS is commonly marketed under the name "Enterprise Private LAN."

In discovering MPLS VPN types, you may also encounter the term pseudowire. Pseudowires offer point-to-point WAN transport. A pseudowire is an industry term for transport of any frame over an MPLS network that uses MPLS to encapsulate packets and uses LDP as a signaling mechanism, notes telecom expert Steve Garson in his blog entry on pseudowires. Cisco calls pseudowires Any Transport over MPLS (AToM). This is the building block of Layer 2 VPNs over MPLS.

More relevant information:

VPLS, a new Layer 2 MPLS VPN technology

Classes of MPLS VPN services

Advantages and disadvantages of MPLS VPNs

MPLS VPN advantages

Many MPLS VPNs offer much more flexibility at more cost-effective price-points than other WAN technologies such as T1 lines. The label-switching technology offers QoS and CoS capabilities. Also, keeping your traffic on a single vendor using MPLS VPNs gives the vendor the ability to offer your company service-level agreements (SLAs) for network performance, unlike the "best effort" delivery of the Internet, network consultant Tom Lancaster says.

MPLS VPN disadvantages

Keep in mind that with MPLS VPNs, service providers run the core of your network, which presents several disadvantages:

• Your routing protocol choice might be limited.
• Your end-to-end convergence is controlled primarily by the service provider.
• The reliability of your L3 MPLS VPN is influenced by the service provider's competence level.
• Deciding to use MPLS VPN services from a particular service provider also creates a very significant lock-in. It’s hard to change the provider when it’s operating your network core.

More relevant information:

Comparing ADSL MPLS VPNs with ADSL IP VPNs

Choosing MPLS VPN services

The only way to choose the best MPLS VPN service is to understand your business requirements, network design and service provider options. Pepelnjak recommends running through these considerations:

• Carefully evaluate your business needs and minimum requirements.
• Collect the offerings of relevant service providers in your geographic area. (Note that it’s impossible to get all the services in some places.)
• After viewing your minimum requirements and service provider options, match the best service to your enterprise requirements.
• If this is the first time you’re selecting MPLS-based services, get external help from an experienced consultant.

In many cases, finding the best MPLS VPN service means you need to combine multiple services. For example, many enterprises use Layer 3 MPLS VPNs for smaller sites, pseudowires for point-to-point links between data centers and VPLS for sites that need high availability to control convergence speed and routing protocol behavior.

If you're thinking about a move to an MPLS VPN, network consultant Tom Lancaster offers these points to consider in your vendor evaluation:

Internet access: Most vendors allow you to connect your MPLS VPN directly to the Internet via a shared network firewall. However, some of them restrict the traffic to outbound-initiated, while others allow you to establish an IPsec tunnel to the network firewall and then hop into your network. Still others allow inbound access through an encapsulated GRE tunnel that dumps off in front of another firewall you control.

The full mesh: While MPLS technology typically facilitates a full mesh of connectivity among all your sites, this requires a single MPLS network. Some service providers have split their MPLS networks into geographic regions, and you have to pay a little extra to get connectivity from one region to another. Without this, traffic from one location to another may be forced through a third site acting as a hub. This can unnecessarily complicate your routing and make it inefficient.

Remember that MPLS-based VPNs aren't encrypted; they only separate your data from other customers' data logically. Your data shares the same physical path with other customers of the service provider, just like frame relay or any other WAN. Some vendors may offer additional services that allow you to encrypt your traffic. In fact, you may want to explore the possibility of using your existing IPsec VPN equipment to create permanent tunnels between sites over a new high-speed MPLS backbone to get the best of both worlds.

More relevant information:

Selecting MPLS VPN service providers

Implementing quality of service: Chapter 5 of Selecting MPLS VPN Services (2006)

Deploying your own MPLS VPN

While most companies will find it useful to procure an MPLS VPN from a service provider, other companies may want to create MPLS VPNs in-house. This is only reasonable for large enterprises that need to isolate traffic as it crosses the WAN infrastructure. Pepelnjak says this is common for high-security departments, governments, companies that have outsourced services and companies that would like to create a separate guest Internet access network.

While the process can be difficult, he recommends the following steps to prepare for an in-house MPLS VPN deployment:

1. Evaluate whether an MPLS VPN deployment could benefit your network.
2. Educate yourself. Know the basics in order to work with the experts in the initial design and deployment phase. Attend an MPLS course approved by your equipment vendor or study a good MPLS book like MPLS and VPN Architectures or MPLS Fundamentals.
3. Get an MPLS VPN expert or a professional services organization with a proven MPLS track record to help you in your network design phase.
4. Educate other engineers on your team who will be involved in the pilot project. Try to make them as self-sufficient as possible before the pilot starts.
5. Implement the pilot project. It should be implemented by your team and supported by the external expert.
6. Evaluate the pilot project, fix the design if needed, train the rest of your team and roll out the solution.

More relevant information:

When should companies consider building MPLS networks into their WANs?

How to prepare enterprise WANs for MPLS/VPN integration

Troubleshooting MPLS VPNs

Expert Ivan Pepelnjak explains how to troubleshoot each MPLS VPN service below:

Troubleshooting L3 MPLS VPNs

If your L3 MPLS VPN service connection is down, then there are only a few things you can do before sending a help desk ticket to your service provider:

1. Check the WAN link status on your CE routers. If it's down, then that's the source of the problem.
2. Check the routing protocol status on the CE routers. If you can’t reach the provider edge (PE) router, either the PE router failed or the local link has failed in a way that’s not reflected in Layer-1/Layer-2 link status. (See the Troubleshooting pseudowires section below.)
3. If the CE routers communicate with the PE routers but you still can’t get the routes across the MPLS VPN network, the service provider has routing issues that you can do nothing about.

Troubleshooting MPLS-based pseudowires

When troubleshooting pseudowires, you may run into any one of these scenarios:

• MTU mismatch. See whether the maximum transmission unit (MTU) could be larger than the Ethernet’s default setting due to jumbo frames used in typical data center environments or additional header fields imposed by your private MPLS-based solutions. Use a tool like mturoute for Windows or tracepath for Linux to measure the actual end-to-end MTU.
• Pseudowire might not be transparent. Verify that your edge devices can see each other using a Layer 2 protocol like Cisco’s Discovery Protocol (CDP) or Link Layer Discover Protocol (LLDP). Non-transparent pseudowires might not affect routed L3 connections, but they can devastate L 2 data center interconnect.
• Pseudowire might not provide end-to-end state signaling. When the link is lost at one end of the pseudowire or broken somewhere in the service provider cloud, the other end may still appear operational.

Troubleshooting VPLS

Since VPLS is built with a full mesh of pseudowires, you might experience some of the problems described in the previous section. Also, if you have MTU problems, those can be detected using the tools mentioned above. However, if some edge devices are connecting while others are not, then you have partial connectivity within the VPLS cloud due to broken or misconfigured pseudowires. Pepelnjak suggests troubleshooting partially connected VPLS services this way:

1. Identify the endpoints that cannot communicate.
2. Check the routing tables on the first-hop routers. If they don’t have routes to the destination, you’ll have to perform traditional routing protocol troubleshooting.
3. Do a traceroute between the endpoints. If the trace stops at the edge of the VPLS service, you might be experiencing VPLS connectivity issues.
4. To verify your diagnosis, perform pings between routers directly attached to the VPLS service. If the initial pings succeed, don’t forget to repeat the tests with the maximum MTU size you expect to be able to transport across the VPLS service.

More relevant information:

Troubleshooting MPLS WAN services: VPLS, pseudowires, and Layer-3 VPNs

MPLS VPN experts

Do you have more questions about MPLS VPN fundamentals? Then contact any one of our experts below by emailing editor@searchenterpriseWAN.com or check out any of the already-answered questions in their sections below.