Virtual Private LAN Service (VPLS) is a VPN technology that enables Ethernet multipoint services (EMSs) over a packet-switched network infrastructure. VPN users receive an emulated LAN segment that offers a Layer 2 broadcast domain. The end user perceives the service as a virtual private Ethernet switch that forwards frames to their respective destinations within the VPN.
Ethernet is the technology of choice for LANs due to its relatively low cost and simplicity. Ethernet has also gained recent popularity as a metropolitan area network (MAN or metro) technology.
A multipoint technology allows a user to reach multiple destinations through a single physical or logical connection. This requires the network to make a forwarding decision based on the destination of the packet. Within the context of VPLS, this means that the network makes a forwarding decision based on the destination MAC address of the Ethernet frame. A multipoint service is attractive because fewer connections are required to achieve full connectivity between multiple points. An equivalent level of connectivity based on a point-to-point technology requires a much larger number of connections or the use of suboptimal packet forwarding.
In its simplest form, a VPLS consists of several sites connected to provider edge devices implementing the emulated LAN service. These provider edge devices make the forwarding decisions between sites and encapsulate the Ethernet frames across a packet-switched network using a virtual circuit or pseudowire. A virtual switching instance (VSI) is used at each provider edge to implement the forwarding decisions of each VPLS. The provider edges use a full mesh of Ethernet-emulated circuits (or pseudowires) to forward the Ethernet frames between provider edges.
One security flag is that broadcast/multicast packet replication occurs in the backbone (at the PE), and the replication factor can be high, for example greater than 10 or 20, depending on the number of PEs involved in the VPN. Therefore, what may appear "reasonable" at the U-PE and local loop could have a DoS impact on the backbone itself. This is a deployment planning matter that the network architect should be cognizant of.
VPLS uses a Layer 2 architecture to offer multipoint Ethernet VPNs that connect multiple sites over a metropolitan area network (MAN) or WAN. Other technologies also enable Ethernet across the WAN, including Ethernet over MPLS, Ethernet over Layer 2 Tunneling Protocol Version 3 (L2TPv3), Ethernet over SONET/SDH, and Ethernet Bridging over Any Transport over MPLS (AToM). Even though most VPLS sites are expected to connect via Ethernet, they may connect using other Layer 2 technologies (ATM, Frame Relay, or Point-to-Point Protocol [PPP], for example). Sites connecting with non-Ethernet links exchange packets with the provider edge using a bridged encapsulation. The configuration requirements on the customer edge device are similar to the requirements for Ethernet interworking in point-to-point Layer 2 services.
This section is specific to multipoint constructs. VPLS is designed for applications that require multipoint or broadcast access. Using VPLS, service providers can create a Layer 2 "virtual switch" over an MPLS core to establish a distributed network access point (NAP). The NAP permits transparent private peering between multiple service providers (SPs) and delivers connections to multiple sites within a specific metro region.
SP-to-SP VPLS can be supported using either Border Gateway Protocol (BGP) or Label Distribution Protocol (LDP). LDP provides more granular control of communication and quality of service between VPLS nodes and more control per node, and it is a consistent signaling option across MPLS, VPLS, and VPWS, whereas BGP communicates the same information to all nodes participating in a VPLS. The hierarchical VPLS architecture connects customer edge devices to provider edge routers (U-PEs) that aggregate VPLS traffic before it reaches the network provider edge routers, where the VPLS forwarding occurs. In summary, key VPLS architectural attributes include the use of BGP or RADIUS for membership discovery and the use of LDP to establish pseudowires per broadcast domain instance.
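The following is an added example, not code from the original text, that models in Python the three mechanisms discussed above: the per-PE virtual switching instance that learns MAC addresses and forwards on destination MAC, flooding over a full mesh of pseudowires (with the standard VPLS split-horizon rule, so a frame received from a mesh pseudowire is not relayed onto another one), the spoke pseudowire by which a hierarchical VPLS U-PE feeds an N-PE, and the backbone replication factor that makes a "reasonable" broadcast rate at the U-PE costly in the core. PE names, port names, MAC addresses and the MAC-table limit are constructed for the example; the bounded MAC table is an assumption added to show where a flood of unknown source MACs exhausts a PE.

```python
"""Toy model of a VPLS virtual switching instance (VSI).

Added example, not code from the original text. It models MAC learning,
flooding over a full mesh of pseudowires with split horizon, the spoke
pseudowire used by hierarchical VPLS, and the broadcast replication factor
a PE imposes on the backbone. Port, PE and MAC values are constructed.
"""

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Port:
    # Port kinds: "ac" = customer attachment circuit, "mesh" = full-mesh
    # pseudowire to another PE, "spoke" = H-VPLS pseudowire toward a U-PE,
    # which the N-PE treats like an attachment circuit.
    def __init__(self, name, kind):
        assert kind in ("ac", "mesh", "spoke")
        self.name = name
        self.kind = kind


class VSI:
    """One VPLS instance on one PE: a MAC table plus a set of ports."""

    def __init__(self, pe_name, mac_limit=64):
        self.pe_name = pe_name
        self.ports = {}          # name -> Port, insertion ordered
        self.mac_table = {}      # MAC -> port name
        self.mac_limit = mac_limit  # assumed bound on learned MACs
        self.learn_failures = 0  # MACs not learned because the table was full

    def add_port(self, port):
        self.ports[port.name] = port

    def _learn(self, mac, port_name):
        # Bounding the table is what keeps a MAC flood from exhausting the PE.
        if mac in self.mac_table or len(self.mac_table) < self.mac_limit:
            self.mac_table[mac] = port_name
        else:
            self.learn_failures += 1

    def forward(self, ingress, src_mac, dst_mac):
        """Return the list of egress port names for one frame."""
        self._learn(src_mac, ingress)
        if dst_mac != BROADCAST and dst_mac in self.mac_table:
            out = self.mac_table[dst_mac]
            return [] if out == ingress else [out]  # known unicast
        # Unknown unicast or broadcast: flood, subject to split horizon.
        ingress_kind = self.ports[ingress].kind
        egress = []
        for name, port in self.ports.items():
            if name == ingress:
                continue
            # Split horizon: a frame from a mesh pseudowire is never relayed
            # onto another mesh pseudowire; the full mesh already reaches every PE.
            if ingress_kind == "mesh" and port.kind == "mesh":
                continue
            egress.append(name)
        return egress


def mesh_pe(pe_name, peers, acs=(), spokes=()):
    """Build the VSI of a full-mesh PE (an N-PE when spokes are given)."""
    vsi = VSI(pe_name)
    for ac in acs:
        vsi.add_port(Port(ac, "ac"))
    for peer in peers:
        vsi.add_port(Port(f"pw-{pe_name}-{peer}", "mesh"))
    for spoke in spokes:
        vsi.add_port(Port(spoke, "spoke"))
    return vsi


def backbone_copies(egress, vsi):
    """Copies of one frame that enter the backbone (mesh pseudowires only)."""
    return sum(1 for name in egress if vsi.ports[name].kind == "mesh")


def replication_factor(num_pes):
    """Broadcast copies one PE sends into the backbone for num_pes PEs."""
    return max(num_pes - 1, 0)


if __name__ == "__main__":
    # Constructed topology: four PEs in a full mesh, PE1 with two local ACs.
    pe1 = mesh_pe("PE1", ["PE2", "PE3", "PE4"], acs=["ac1", "ac2"])
    egress = pe1.forward("ac1", "00:00:00:00:00:01", BROADCAST)
    print("broadcast from ac1 ->", egress)
    print("backbone copies:", backbone_copies(egress, pe1),
          "expected:", replication_factor(4))
```

Running the block shows a single customer broadcast on PE1 turning into three backbone copies for a four-PE VPLS; with 20 PEs the same frame costs 19 copies, which is the amplification the deployment-planning note above refers to. A frame arriving from the mesh reaches only the local attachment circuits and any spoke pseudowires, which is what lets the N-PE in a hierarchical VPLS aggregate U-PE traffic without creating forwarding loops.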