Thursday, July 03, 2008

MPLS Compared to Other IP-over-ATM Schemes

In ATM networks, MPLS allows ATM switches to directly support IP services, giving maximum efficiency compared to other approaches. Traditional IP-over-ATM connects routers over Permanent Virtual Circuits (PVC).

Cisco also supports an alternative IP-over-ATM scheme called Multiprotocol over ATM (MPOA), which uses the Next Hop Resolution Protocol (NHRP). Unlike MPLS, MPOA overlays IP-over-ATM rather than fully integrating them. Although they do not share many of the advantages of MPLS in the WAN, MPOA and NHRP are cost-effective technologies for interconnecting nearby emulated LANs (ELANs) at high speeds. MPOA and similar proprietary approaches carry IP traffic over Switched Virtual Circuits (SVC). Traditional IP over ATM, MPOA, and proprietary approaches all have similar disadvantages:

  • It is difficult to offer some types of IP services on the networks. For example, IP Class of Service cannot be offered natively by traditional ATM switches, and must be offered by translation to quite different ATM Forum Quality of Service concepts.
  • Where IP services are offered, they are difficult to administer. Two levels of routing must be administered: IP routing (via OSPF or EIGRP or similar) and PNNI or similar routing for ATM. MPOA requires additional administration. Service translations, for example IP Class of Service to ATM Quality of Service, also require administration.
  • IP services can be quite inefficient over ATM networks. For example, IP Multicast over ATM networks is difficult to achieve on a large scale due to the interaction of multicast routing, multicast group membership processing and ATM VC maintenance.
  • There can be scaling limitations and/or dangerous interactions between IP routing (OSPF, and so on) and the ATM network, leading to unstable networks. Traditional IP over ATM can lead to storms of IP routing updates and subsequent network meltdown, if more than 30 OSPF routers are connected in a full mesh over PVCs. MPOA is unsafe when connecting routers to each other, and is intended only to connect hosts to routers or hosts to hosts. (See below.)
  • IP services require a substantial implementation and management effort. For example, an MPOA implementation requires PNNI, SVC signaling, ATM ARP, an ATM ARP server, NHRP, and a NHRP server, in addition to AAL5, IP routing (OSPF, and so on) and an IPv4 stack.

MPLS in ATM networks avoids all of these disadvantages.

Problems of Running IP Routing over an ATM Network without MPLS

If N number of routers are running OSPF and are connected in a full mesh over ATM PVCs, a single physical ATM link failure may result in ATM-layer rerouting of a large number of PVCs. If this takes too long, or if the ATM network cannot reroute PVCs at all, a large number of PVCs effectively fails.

The number of PVCs involved may be of the same order of magnitude as N, and even N² in some cases. In any case, the failure is likely to be seen by O(N) routers, where "O(N)" means "a number proportional to N". So, a single ATM link failure will cause each of O(N) routers to send a link state advertisement (LSA) of size (at least) O(N) to (N-1) neighbors. Thus a single event in the ATM network results in O(N³) to O(N⁴) traffic.

When a router receives an LSA, it must immediately recalculate its routing table because it must not forward packets based on old routing information. The processor load caused by a storm of routing updates might cause the routers to drop or not send keep-alive packets, which appears to the neighboring routers as further link failures. These lead to further LSAs being sent, which perpetuates the problem.

The net result is that a full mesh network can go persistently unstable after a single network event.

This critical failure occurs because the routers do not see the state of the ATM links and switches directly. IS-IS has somewhat better performance than OSPF in full mesh conditions because IS-IS has more sophisticated flooding capabilities (these capabilities, specifically the ability to pace flooding and block flooding on some interfaces, are also becoming available on OSPF). However this does not address the underlying problem.

The solution is to enable IP routing to directly see the state of ATM links, which is what is done by ATM MPLS.
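A small model of the update-storm argument above, added here as an example (not from the original page). It assumes a full mesh of N routers over PVCs, a router-LSA size proportional to adjacency count, and a simple flood/re-flood model; the "native" case stands in for MPLS, where the two routers on the failed ATM link are the only ones that originate an LSA.

```python
from math import log2
from itertools import combinations

BYTES_PER_LINK = 12  # assumed size of one link entry in a router-LSA


def full_mesh_pvcs(n):
    """Every router pair in an N-router full mesh, one PVC per pair."""
    return list(combinations(range(n), 2))


def access_link_failure(n, router):
    """PVCs lost when the ATM link carrying all of one router's PVCs fails
    (constructed worst case: O(N) PVCs whose endpoints cover every router)."""
    return [pvc for pvc in full_mesh_pvcs(n) if router in pvc]


def overlay_storm_bytes(n, failed_pvcs, reflood=True):
    """Update traffic after PVC failures in the full-mesh overlay.
    Every router that lost an adjacency originates a router-LSA listing its
    N-1 adjacencies and sends it to its N-1 neighbours; with reflood=True each
    neighbour re-floods it once to the other N-2 routers.
    Returns (number of originating routers, total bytes)."""
    origins = {r for pvc in failed_pvcs for r in pvc}
    lsa_size = BYTES_PER_LINK * (n - 1)                 # O(N)
    copies = n - 1                                      # O(N)
    if reflood:
        copies += (n - 1) * (n - 2)                     # O(N^2)
    return len(origins), len(origins) * lsa_size * copies


def native_storm_bytes(n, degree):
    """Same physical failure when IP routing sees the ATM link directly (the
    MPLS case, simplified): only the two routers on that link originate an
    LSA, its size follows the physical degree, and flooding crosses each
    physical link at most twice. Returns (originating routers, total bytes)."""
    lsa_size = BYTES_PER_LINK * degree
    copies = 2 * (n * degree // 2)
    return 2, 2 * lsa_size * copies


def growth_exponent(traffic_at_n, traffic_at_2n):
    """Estimated k in traffic ~ N^k from measurements at N and 2N."""
    return log2(traffic_at_2n / traffic_at_n)


if __name__ == "__main__":
    for n in (30, 60):
        print(n, overlay_storm_bytes(n, access_link_failure(n, 0)),
              native_storm_bytes(n, 4))
```

Doubling N multiplies the overlay traffic by roughly 16 (the O(N⁴) case with re-flooding) but only by 2 in the native model, which is the scaling gap the text describes.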

MPLS also addresses a different problem that arises when the ATM network runs PNNI routing: the basic conflict between routing protocols. PNNI routing at the ATM layer can make decisions that conflict with OSPF or similar routing at the IP layer. These conflicting decisions can lead to persistent loops. (See the NHRP Protocol Applicability Statement, RFC2333, for more on this. Further investigation on router-to-router NHRP at the IETF revealed that router-to-router NHRP was not practical.)

The only reliable solution to this problem is to use the same routing protocol at the IP layer and ATM layer. This is exactly what MPLS does in ATM networks.

MPLS Virtual Private Network

MPLS Virtual Private Networks (VPN) deliver enterprise-scale connectivity deployed on a shared infrastructure with the same policies enjoyed in a private network. A VPN can be built on the Internet or on a service provider's IP, Frame Relay, or ATM infrastructure. Businesses that run their intranets over a VPN service enjoy the same security, prioritization, reliability, and manageability as they do in their own private networks.

VPNs based on IP can extend intranets over wide-area links to remote offices, mobile users, and telecommuters. They can support extranets linking business partners, customers, and suppliers to provide better customer satisfaction and reduced manufacturing costs. VPNs can also connect communities of interest, providing a secure forum for common topics of discussion.

New IP-based services such as videoconferencing, packet telephony, distance learning, and information-rich applications offer businesses the promise of improved productivity at reduced costs. As these networked applications become more prevalent, businesses increasingly look to their service providers for intelligent services based on a rich set of controls that go beyond transport to optimize the delivery of applications end to end. Today organizations want their applications to traverse a network in a secure, prioritized environment, and they want the opportunity to reduce costs, improve connectivity, and gain access to networking expertise.

Intranet and Extranet VPNs

Intranet VPN services link employees, telecommuters, mobile workers, remote offices, and so on, to each other with the same privacy as a private network.

Extranet VPN services link suppliers, partners, customers, or communities of interest over a shared infrastructure with the same policies as a private network.

Cisco provides a range of ATM- and IP-based choices for deploying large-scale intranet and extranet VPN services, including Multiprotocol Label Switching (MPLS)-based services, which provide secure, business-quality VPN solutions that scale to support tens of thousands of VPN customers over IP or IP+ATM networks.

A VPN built with MPLS affords broad scalability and flexibility across any IP, IP+ATM, or multivendor backbone. MPLS forwards packets using labels. The VPN identifier in the label isolates traffic to a specific VPN. In contrast with IP tunnel and virtual-circuit architectures, MPLS-based VPNs enable connectionless routing within each VPN community. Service providers can easily scale their services to support tens of thousands of VPNs on the same infrastructure, with full QoS benefits across IP and ATM environments.

Cisco MPLS-based VPN solutions are supported on its IP+ATM WAN switch platforms including the BPX 8650 and MGX families, and on its high-end router platforms such as the Cisco 12000 series GSR.

MPLS VPN Features

The VPN feature for MPLS Switching allows a Cisco IOS network to deploy scalable IPv4 Layer 3 VPN backbone services. MPLS Switching VPNs provide essential characteristics and features that service providers require to deploy scalable VPNs and build the foundation to deliver these value-added services:

Performance

When MPLS VPNs are set up using ATM LSRs such as the BPX 8650, the capabilities of scalable connectionless service of IP are combined with the performance and traffic management capabilities of ATM.

Connectionless Service

A significant technical advantage of MPLS VPNs is connectionless service. The Internet owes its success to its basic technology, TCP/IP, built on the packet-based, connectionless network paradigm. This means that no prior action is necessary to establish communication between hosts, making it easy for two parties to communicate.

To establish privacy in a connectionless IP environment, current VPN solutions impose a connection-oriented, point-to-point overlay on the network. Even if it runs over a connectionless network, today's VPN cannot take advantage of the ease of connectivity and multiple services available in connectionless networks.

Because an MPLS VPN is connectionless, tunnels and encryption are not required for network privacy, which eliminates significant complexity.

Centralized Service

Building VPNs in Layer 3 has the additional advantage of allowing delivery of targeted services to a group of users represented by a VPN.

A VPN must give service providers more than a mechanism for privately connecting users to intranet services. It must also provide a way to flexibly deliver value-added services to targeted customers. Scalability is critical, because customers want to use services privately in their intranets and extranets.

Because MPLS Switching VPNs are seen as private intranets, it's easy to leverage new IP services:

  • multicast
  • Quality of Service
  • telephony support within a VPN
  • centralized services such as content and Web hosting to a VPN

Now myriad combinations of specialized services can be customized for individual customers, for example, a service that combines IP multicast with a low-latency service class to enable videoconferencing within an intranet.

Scalability

Scalability is the major deficiency of VPNs created using connection-oriented, point-to-point overlays, Frame Relay, or ATM VCs. Specifically, connection-oriented VPNs require a full N² mesh of connections between customer sites to support any-to-any communication.

MPLS-based VPNs instead use the peer model and Layer 3 connectionless architecture to leverage a highly scalable VPN solution. The peer model requires a customer site to make peer connection with only one provider edge (PE) router as opposed to all other CPE or customer edge (CE) routers that are members of the VPN. The connectionless architecture allows the creation of VPNs in Layer 3, eliminating the need for tunnels or VCs.

Other scalability capabilities of MPLS Switching VPNs are due to the partitioning of VPN routes between PE routers and the further partitioning of VPN and IGP routes between PE routers and provider (P) routers in a core network. PE routers maintain VPN routes only for those VPNs of which they are members. P routers do not maintain any VPN routes. This increases the scalability of the provider's core and ensures that no single device is a scalability bottleneck.

Security

MPLS Switching VPNs offer the same level of security as connection-oriented VPNs. Packets from one VPN will not inadvertently go to another VPN. Security is provided at the edge and core of a provider network:

  • at the edge, security ensures that packets received from a customer are placed on the correct VPN
  • at the backbone, VPN traffic is kept separate

Malicious spoofing of a provider edge (PE) router is nearly impossible because the packets received from customers are IP packets. These IP packets must be received on a particular interface or subinterface to be uniquely identified with a VPN label.

Easy to Create

To take full advantage of VPNs, it must be easy to create new VPNs and user communities. Because MPLS VPNs are connectionless, no specific point-to-point connection maps or topologies are required.

It is now easy to add sites to intranets and extranets and to form closed user groups. Managing VPNs in this manner enables membership of any given site in multiple VPNs, maximizing flexibility in building intranets and extranets.

Flexible Addressing

To make a VPN service more accessible, users should be able to design their own addressing plan, independent of addressing plans for other VPN customers supported by a common service provider.

Many organizations today use private address spaces, as defined in RFC 1918, and do not want to undertake the time and expense of implementing registered IP addresses to enable intranet connectivity. MPLS VPNs allow customers to continue to use their present address spaces without network address translation (NAT) by providing a public and private view of the address.

If two VPNs want to communicate and both have overlapping addresses, that communication requires NAT at one endpoint. This enables customers to use their own unregistered private addresses and communicate freely across a public IP network.
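A toy model of the route partitioning, interface-based VPN selection and overlapping-address handling described in the Scalability, Security and Flexible Addressing passages above. This is an added example, not Cisco code; the VRF names, route distinguishers, interface names and VPN labels are constructed.

```python
from ipaddress import ip_address, ip_network


class ProviderEdge:
    """Toy PE router. VPN routes live in per-VRF tables keyed by route
    distinguisher (RD) + prefix, so two customers can reuse the same RFC 1918
    space; the VRF is selected by the ingress (sub)interface, never by
    anything inside the packet."""

    def __init__(self):
        self.vrf_of_interface = {}   # ingress (sub)interface -> VRF name
        self.rd_of_vrf = {}          # VRF name -> route distinguisher
        self.vpn_routes = {}         # (RD, prefix) -> (egress PE, VPN label)

    def bind_interface(self, interface, vrf, rd):
        self.vrf_of_interface[interface] = vrf
        self.rd_of_vrf[vrf] = rd

    def add_vpn_route(self, vrf, prefix, egress_pe, vpn_label):
        key = (self.rd_of_vrf[vrf], ip_network(prefix))
        self.vpn_routes[key] = (egress_pe, vpn_label)

    def forward(self, ingress_interface, dst):
        """Longest-prefix lookup restricted to the ingress interface's VRF.
        Returns (vrf, egress PE, VPN label), or None if that VRF has no route;
        the packet's source address is deliberately not consulted."""
        vrf = self.vrf_of_interface[ingress_interface]
        rd, dst = self.rd_of_vrf[vrf], ip_address(dst)
        best = None
        for (route_rd, prefix), nexthop in self.vpn_routes.items():
            if route_rd == rd and dst in prefix:
                if best is None or prefix.prefixlen > best[0].prefixlen:
                    best = (prefix, nexthop)
        return None if best is None else (vrf, *best[1])


def build_scenario():
    """Constructed example: two customers both numbered from 10.1.0.0/16."""
    pe = ProviderEdge()
    pe.bind_interface("atm1/0.10", "CustA", "65000:1")
    pe.bind_interface("atm1/0.20", "CustB", "65000:2")
    pe.add_vpn_route("CustA", "10.1.0.0/16", "PE2", 100)
    pe.add_vpn_route("CustA", "10.1.5.0/24", "PE4", 101)
    pe.add_vpn_route("CustB", "10.1.0.0/16", "PE3", 200)
    pe.add_vpn_route("CustB", "192.168.0.0/16", "PE3", 201)
    return pe
```

The same destination 10.1.5.7 resolves to different egress PEs and labels depending only on which subinterface it arrived on, and a CustA packet addressed into CustB's 192.168.0.0/16 finds no route because that prefix exists only under CustB's RD.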

Integrated Class of Service (CoS) Support

CoS is an essential ingredient of an IP VPN because it provides the ability to address two fundamental VPN requirements:

  • predictable performance and policy implementation
  • support for multiple Classes of Service in an MPLS Switching VPN

Network traffic is classified and labeled at the edge of the network before traffic is aggregated according to policies defined by subscribers and implemented by the provider and transported across the provider core. Traffic at the edge and core of the network can then be differentiated into different classes by drop probability or delay.

Straightforward Migration

For service providers to quickly deploy these VPN services, a straightforward migration path is required. MPLS VPNs are unique because they can be built over multiple network architectures, including IP, ATM, Frame Relay, and hybrid networks.

Migration for the end customer is also simplified because there is no requirement to support MPLS on the customer edge (CE) router and no modifications are required to a customer's intranet.

MPLS VPN Benefits

  • A platform for rapid deployment of additional value-added IP services, including intranets, extranets, voice, multimedia, and network commerce
  • Privacy and security equal to Layer 2 VPNs by limiting the distribution of a VPN's routes to only those routers that are members of the VPN
  • Seamless integration with customer intranets
  • Increased scalability over current VPN implementations, with thousands of sites per VPN and hundreds of thousands of VPNs per service provider
  • IP Class of Service (CoS), with support for multiple Classes of Service and priorities within a VPN, as well as between VPNs
  • Easy management of VPN membership and easy provisioning of new VPNs for rapid deployment
  • Scalable any-to-any connectivity for extended intranets and extranets that encompass multiple businesses
  • MPLS enables business IP services
    • VPNs with strong SLAs for QoS
    • privacy and QoS of ATM without tunneling or encryption
    • enabled by Cisco's unique combination of MPLS and open standards routing
  • Lower operating costs
    • enables low-cost managed services to increase SP market share
    • increases profits through lower marginal cost for new services
    • network establishes VPN connectivity; no provisioning
    • build once/sell many; single routing image for all VPNs
  • The first transport-independent VPN
    • universal VPN: one VPN, any access/transport: dial, xDSL, ATM, and so on
    • service delivery independent of transport/access technology
  • Simpler to use
    • VPN managed by the service provider
    • transparent support for private IP addresses
    • multiple QoS service classes to implement business net policy
  • Revenue and growth
    • revenue from today's transport services, growth from IP
  • Business IP services enabled by MPLS/IOS
    • MPLS brings IOS to service provider ATM networks
    • MPLS is the new industry standard for bringing IP and ATM together
  • Seamless service delivery
    • wide breadth of services; circuit emulation to IP VPNs
    • single pipe; multiple services (any service, any port)
  • Lower cost of operation and competitive advantages
    • ROI, TTM, economies of a multiservice network