How to integrate MPLS/VPNs with enterprise WANs
Implementing isolated Layer-3 domains in a campus local area network (LAN) is easy if you use virtual LANs (VLANs) and virtual routing and forwarding tables (VRFs). Likewise, building MPLS/VPN infrastructure is manageable, but transporting labeled MPLS traffic across the WAN could become quite a challenge.
If you’re still using dedicated optical transport (like dark fiber, DWDM lambdas or SDH/SONET links), leased lines or traditional Layer 2 WAN technology (like ATM or frame relay), your task is simple: Just configure MPLS on your WAN links, increase the maximum transmission unit (MTU) size a bit, and you can start using MPLS/VPN services.
If you’re using Ethernet-based carrier services (including pseudowires and VPLS services), check the maximum MTU size supported by your service provider. An MPLS header extends the Ethernet packets by 8-20 bytes, depending on the number of MPLS features you use. MPLS/VPN headers are typically 8 bytes long, so your service provider should support Ethernet frames that are at least 1526 bytes long. (A standard Ethernet frame is 1518 bytes long.)
If you use MPLS/VPN services or any other native IP transport (like DWDM, leased lines or frame relay) in your network, you’ll have to use Generic Route Encapsulation (GRE) tunnels to transport MPLS frames across your WAN, because MPLS frames are transported within IP and GRE datagrams.
(To note, RFC 4023 specifies two modes of MPLS-over-IP transport: MPLS transport within GRE frames and MPLS transport directly on top of IP. Unfortunately, the second option is not yet implemented by major router vendors.)
If you already use GRE-based VPNs (point-to-point GRE tunnels or DMVPN), you just have to enable MPLS transport on the tunnel interface.
You can also integrate MPLS/VPN technology with your enterprise WAN another way: A service provider offering carrier’s carrier-grade architecture with its MPLS/VPN services could accept MPLS frames and IP datagrams from your CE-router. Unfortunately, this option is almost never available as a standard service provider MPLS/VPN offering.
Regardless of the actual technology you use in your WAN network, it’s important to remember that all of them can support MPLS transport in one way or another. Your existing WAN infrastructure is not a showstopper.
Steps to integrate MPLS/VPN with your enterprise WAN
While building an MPLS/VPN network is not nearly as complex as putting a man on the moon, MPLS/VPN relies on numerous intricate technologies, including Border Gateway Protocol (BGP), Label Distribution Protocol (LDP) and VRFs -- not to mention the need to solve the MPLS transport across your IP-based WAN, which is what most of us use somewhere in our networks. Deploying MPLS/VPN in your network is thus a major undertaking that should be handled with proper care, with suitable project management and expertise. If this is your first MPLS/VPN project, speak with an external consultant or a professional services organization (either independent or from your equipment vendor). I would suggest the following steps to begin MPLS/VPN integration with your WAN:
- Evaluate whether MPLS/VPN deployment could benefit your network.
- Educate yourself. You need to know the basics to work with the experts you’ll need in the initial design and deployment phase. Attend an MPLS course approved by your equipment vendor (for example, this Implementing Cisco MPLS course) or study a good MPLS book. My MPLS and VPN Architectures or Luc de Ghein's MPLS Fundamentals are still the best resources.
- Get an MPLS/VPN expert or a professional services organization with a proven MPLS track record to help you in your network design phase.
- Once you have the network design completed, educate other engineers on your team that will be involved in the pilot project. Try to make them as self-sufficient as possible before the pilot starts.
- Implement the pilot project. It should be implemented by your team and supported by the external expert.
- Evaluate the pilot project; fix the design if needed; train the rest of your team and roll out the solution.
For more information on MPLS/VPNs, view the WAN protocols section of SearchEnterpriseWAN.com or continue on to part three: Troubleshooting MPLS WAN services: VPLS, pseudowires, and Layer-3 VPNs.
About the author:
Ivan Pepelnjak, CCIE No. 1354, is a 25-year veteran of the networking industry. He has more than 10 years of experience in designing, installing, troubleshooting and operating large service provider and enterprise WAN and LAN networks. He is currently chief technology advisor at NIL Data Communications, focusing on advanced IP-based networks and Web technologies. His books include MPLS and VPN Architectures and EIGRP Network Design. Check out his IOS Hints blog.
This was first published in November 2010