Getting down to business - Layer 2 VPNs for commercial services(2)
by Wes Berkey, System Engineering Manager, Transmission Network Systems, Scientific Atlanta, A Cisco Company
The ability to design and deploy a Virtual LAN service over a simple Layer 2 VPN (L2VPN), whether utilizing fiber or HFC plant, can give the MSO a competitive advantage over other service providers. By looking at the network requirements for popular commercial services, examining the available technologies, and comparing them against the characteristics of L2VPNs, it can be determined when this technology choice is a good fit. This article highlights the implementation of a Layer 2 VPN over a hybrid fiber/coax (HFC) network.

Popular commercial services

By examining and segmenting the services that an MSO plans to offer, successful enabling technology choices can be narrowed down.

Internet access. There is no doubt that there is a significant demand for Internet access, usually categorized as high-speed data (HSD), as it makes up approximately 24 percent of all commercial services sold today. Offerings range from best-effort connectivity to managed services including domain names, e-mail, security, storage, and Web site hosting. The basic requirement for an MSO to offer Internet access is connectivity: the ability to physically attach to the customer, whether with coax or fiber. On top of simply offering bandwidth, the service provider can add bandwidth guarantees, Quality of Service (QoS), and security features.

Figure 1: OSI model.

It is important to note that telco service providers typically offer data services over traditional OC-3, DS-3, DS-1, DS-0, dial-up, digital subscriber line (DSL), and integrated services digital network (ISDN). Sometimes, in order for an MSO to compete against an existing service offering, the same signal format has to be maintained because of customer-owned equipment interfaces.

Local and long distance data connectivity. Local and long distance LAN/WAN services, representing about 46 percent of total commercial service revenue, provide connectivity between customer facilities.
The basic requirement for LAN/WAN services is the ability to connect to all of the required customer facilities, and to provide the required bandwidth, QoS and security.

Voice services. With voice services making up approximately 30 percent of total commercial service spending, and technology advances enabling new equipment and architecture solutions, voice is an attractive and growing segment of the MSO service offering. Services include local and long distance telephone service, voice-over-Internet Protocol (VoIP), Centrex telephone service, and Private Branch Exchange (PBX) connectivity. The recent market for the backhaul of cell provider traffic has illustrated the reach and usefulness of the MSO’s facilities. Providing voice services requires the basic ability to connect the customer facility, but might additionally require more back-office and operations infrastructure. The “low-hanging fruit” will be customers that can be connected across existing infrastructure, leveraging the existing expertise of the MSO, like VoIP.

Technology solutions

Using the Open System Interconnection (OSI) model as a guide (see Figure 1), the operator has many options for deploying customer networks. In order to create a private network, a service provider can simply keep the customer’s network physically separate from any other network at Layer 1, by dedicating fiber, coax, or twisted pair solely to that customer. More commonly, the operator deploys a VPN with some enabling technology at either Layer 2 or Layer 3.

Note: Although there is no standard definition of a VPN, it is generally accepted that a VPN requires traffic separation, and implies security and QoS. In addition, a VPN also implies some amount of guaranteed bandwidth, or guaranteed packet delivery. VPNs are often marketed along with a Service Level Agreement (SLA) that spells out the individual VPN parameters.

What is a Layer 2 Virtual Private Network (L2VPN)?
From a service provider perspective, Layer 2 VPNs offer tremendous advantages. Providers can use this technology to help consolidate multiple Layer 2 and Layer 3 networks into a single unified network infrastructure. For example, a provider can continue to offer Frame Relay or ATM services to its customers, even though the traffic might not be carried by Frame Relay or ATM networks. From the customer’s perspective, Layer 2 VPNs are essentially transparent, and allow the individual customer implementation of preferred IP addressing schemes, terminal-to-terminal security protocols, etc.

There are other popular protocols that can be utilized to create a VPN:

L2TPv3: The Layer 2 Tunneling Protocol (L2TP) provides a dynamic mechanism for tunneling Layer 2 (L2) “circuits” across a packet-oriented data network (e.g., over IP). L2TP is capable of tunneling a number of Layer 2 protocols including Frame Relay, Ethernet and ISDN.

Layer 3 VPN: MPLS Layer 3 VPNs use a peer-to-peer VPN model that leverages BGP to distribute VPN-related information. This peer-to-peer model allows the customer to rely on the service provider for any Layer 3 requirements, resulting in cost savings and a reduction in operational complexity for the customer. Service providers can then offer value-added services like QoS and traffic engineering, and enable network convergence across voice, video and data services. MPLS Layer 3 VPNs can be deployed with traffic engineering (MPLS TE) and Fast Reroute to offer SLAs. QoS-based offerings vary from two to five classes of service.

Why choose a Layer 2 VPN?

Layer 2 VPNs are generally considered simpler to set up and operate than L2TPv3 tunnels.
Additionally, a Layer 2 VPN offers some advantages over a Layer 3 VPN, such as:

1) A Layer 2 VPN flexibly accommodates non-IP verticals, such as AppleTalk or Windows NetBIOS Extended User Interface (NetBEUI);
2) At Layer 2, the overhead to create the VPN is simply a VLAN tag and VPNID, as opposed to IP encapsulation at Layer 3;
3) L2VPN supports IPsec in transport mode, which produces lower packet overhead;
4) IP address management remains a customer responsibility when providing a Layer 2 VPN.

Fiber-based L2VPNs

Continued decreases in fiber optic equipment pricing and construction costs make fiber-based commercial service offerings attractive. From simple, point-to-point media converters to multi-lambda, 10 Gig Metro Ethernet networks, fiber can satisfy just about every commercial opportunity. There are multiple technologies which can enable L2VPNs over fiber, from physically separate Layer 1/2 networks over fiber or DWDM, to Metro Ethernet or IP networks running IPsec, SSL, MPLS, or L2TPv3.

Fiber advantages:
- Fiber construction for a 6-to-8 count fiber cable costs less than a typical HFC extension ($1.63/foot compared to approximately $2.12/foot for aerial);
- Customer perception of a fiber-based solution is very good (secure, physically separate, etc.);
- It can leverage existing HSD operations and IP protocols for advanced features (QoS- and SLA-based services);
- Virtually unlimited bandwidth when WDM is deployed;
- Leverages technologies developed for other industries (telco, enterprise, etc.);
- Fewer active devices mean higher reliability and lower maintenance costs.

Fiber disadvantages:
- The nearest fiber splice facility is often farther away than the nearest RF extension opportunity;
- Customer premises devices can be expensive, depending on the application.

HFC-based L2VPNs

The predominant use of HFC plant for commercial service has been, and continues to be, HSD services, mostly configured for Internet access in a single, shared LAN domain.
But with the emerging LAN/WAN, teleworker, and commercial voice opportunities, VPNs are now an excellent fit as bundled or standalone offerings.

HFC advantages:
- Approximately 80 percent to 90 percent of businesses are serviceable by HFC, and approximately 50 percent have a drop nearby;
- The Small Office/Home Office (SOHO) market has shown acceptance of an HFC solution;
- Can provide QoS- and SLA-based services over DOCSIS that enable voice and/or video;
- Adequate security provided by DOCSIS BPI+ and Triple Data Encryption Standard (3DES);
- Higher bandwidth customers can be served with wideband DOCSIS 3.0.

HFC disadvantages:
- Commercial customers’ negative perception that they are in a shared domain with residential customers;
- Reliability of HFC plant, both up-time and the ability to accommodate higher bandwidths in the reverse path (16 or 64 QAM may require higher quality reverse lasers in the node, tightening fittings, terminating unused ports, etc.);
- Use of HFC spectrum: competition from DBS service providers has put pressure on MSOs to utilize HFC bandwidth for HDTV, digital simulcast, VOD, SDV, residential HSD and VoIP, with little room left for commercial services;
- Political divide within the MSO: the commercial service department doesn’t dictate HFC bandwidth use;
- Operations: who will perform the HFC plant provisioning, monitoring, and troubleshooting?

Note: Besides DOCSIS-based solutions, there are several proprietary approaches to offering commercial services over HFC. These proprietary solutions are subject to many of the same advantages and disadvantages listed above. The main disadvantage of a proprietary solution is that it does not participate in the ongoing technological advancements within CableLabs.

Implementing an L2VPN over DOCSIS

Because a VPN is an end-to-end service, it is important to consider the entire network that will be traversed by the customer’s traffic, specifically the QoS “islands” that will affect the VPN service, as illustrated in Figure 2.
Figure 2: QoS in a typical HFC network.

The operator must ensure that the QoS engineered in the HFC portion of the network is maintained throughout the backbone (MSO) portion of the network. Depending on the nature of the backbone equipment, this can be accomplished by utilizing 802.1Q and 802.1p protocols, IP Type of Service (TOS), or similar technology.

Equipment requirements. For the HFC portion of the network, many CMTS vendors have implemented software versions that enable Layer 2 VPNs in their current products, in advance of the Business Services over DOCSIS L2VPN specification that was issued on March 28, 2006. Standard DOCSIS 1.1 and 2.0 cable modems can be utilized in these L2VPNs.

Note: CableLabs has continued to enhance the DOCSIS standard to enable more advanced commercial services, such as commercial voice and Layer 2 VPNs. As vendors deploy new DOCSIS products, these advanced features will be more easily configured.

How does it work? Essentially, the MAC address of any cable modem that will be participating in the L2VPN is mapped to a VLAN ID on the network interface of the corresponding CMTS device. This VLAN definition is contained in the CMTS Service ID (SID) database. Traffic from that specific cable modem is thus tagged with a VLAN ID, and bridged with any other cable modem that is mapped to the same VLAN ID.

For traffic flow outbound from the cable modem:

1) A DOCSIS header including the SID (or SFID) is added to the Ethernet frame, and it is sent on the upstream HFC interface;
2) When the CMTS receives the packet, it performs an SID lookup;
3) Based on the SID, the CMTS identifies whether the packet belongs in a VLAN;
4) If the packet is found to be part of a VLAN domain, the CMTS adds the VLAN ID and forwards the packet.
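As an added illustration (not code from the article, Scientific Atlanta or any CMTS vendor), the following Python model applies the outbound rules above, the inbound rules described in the next section, and the Downstream Unencrypted Traffic filter from “What to watch for” to real 802.1Q-tagged Ethernet frames. The SID database, the CMIM (modelled here as a set of SIDs) and the encrypted flag are simplified assumptions made for the example.

```python
# Added example, not the article's or any vendor's code: a toy CMTS that applies
# the L2VPN forwarding rules described in the text. Frame layout is real 802.1Q;
# the SID table, CMIM and "encrypted" flag are simplified assumptions.
import struct

TPID_8021Q = 0x8100                         # 802.1Q tag protocol identifier

def parse_eth(frame):
    """Return (dst, src, vid_or_None, ethertype, payload) for an Ethernet frame."""
    dst, src, etype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if etype == TPID_8021Q:
        tci, inner = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, inner, frame[18:]
    return dst, src, None, etype, frame[14:]

def build_eth(dst, src, etype, payload, vid=None, pcp=0):
    """Build an Ethernet frame, inserting an 802.1Q tag when vid is given."""
    tag = struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid) if vid is not None else b""
    return dst + src + tag + struct.pack("!H", etype) + payload

class Cmts:
    def __init__(self, sid_table):
        # SID database: {sid: vlan_id or None}; None means plain HSD (no L2VPN).
        self.sid_table = sid_table

    def upstream(self, sid, frame):
        """CM -> backbone: SID lookup, then tag the frame if the SID is in a VLAN."""
        vid = self.sid_table[sid]
        if vid is None:
            return frame                    # ordinary Internet-access traffic
        dst, src, _, etype, payload = parse_eth(frame)
        return build_eth(dst, src, etype, payload, vid=vid)

    def downstream(self, frame):
        """Backbone -> CMs: strip the tag; return {sid: untagged_frame} for that VLAN."""
        dst, src, vid, etype, payload = parse_eth(frame)
        if vid is None:
            return {}                       # no VLAN ID: not L2VPN traffic
        inner = build_eth(dst, src, etype, payload)
        return {sid: inner for sid, v in self.sid_table.items() if v == vid}

    def dut_filter(self, frame, encrypted, cmim):
        """Downstream Unencrypted Traffic filter. Unencrypted frames to a group
        MAC (I/G bit set) reach only SIDs in the CMIM (simplified to a set of
        SIDs); encrypted or unicast frames are not restricted by this filter."""
        is_group = bool(frame[0] & 0x01)
        if encrypted or not is_group:
            return set(self.sid_table)
        return {sid for sid in self.sid_table if sid in cmim}
```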
For traffic flow inbound from the backbone:

1) If the packet has a VLAN ID, the CMTS performs an SID lookup to see if the VLAN is mapped to a cable modem;
2) If a match is found, the CMTS removes the VLAN ID and adds the DOCSIS header;
3) The CMTS now processes the packet to perform any specified QoS functions;
4) The packet is sent out on the HFC downstream interface.

Note: In the new BSoD L2VPN standard, a VPNID is defined to be a standard identifier for this Layer 2 VPN traffic.

What to watch for. Setting up a Layer 2 VPN “tunnel” does not ensure security; the operator must turn on BPI+ for the VPN in order to secure the traffic flows. Similarly, setting up the VPN itself does not guarantee bandwidth or QoS. Prioritization through the entire network path must be specified in all of the QoS islands.

Downstream non-L2VPN traffic with group MAC addresses (broadcast, multicast) is forwarded to all of the cable modems if it is unencrypted. This presents a “leaking” issue where L2VPN traffic could be seen by non-L2VPN cable modems, and vice versa. This issue is solved by implementing Downstream Unencrypted Traffic (DUT) filtering, which defines a Cable Modem Interface Mask (CMIM) and prevents the forwarding of unencrypted traffic based on the filter value.

Conclusion

An excellent tool for pursuing LAN/WAN, teleworker, or voice services opportunities, the Layer 2 VPN is becoming a standards-based protocol for deployment over fiber or HFC. Utilizing existing facilities, the operator can configure the L2VPN, and create a service offering with traffic separation, security, QoS and bandwidth guarantees.

Bibliography

1) “MSO Commercial Services Development,” SCTE Emerging Technologies 2004. Author: Don Sorenson, Scientific Atlanta, A Cisco Company.
2) “Business Services: Has the Time (Finally) Come?” CT, October 2006.
Authors: Dave Brown, John Mattson, Cisco Systems.
3) “Better Bandwidth: How to Preserve, Optimize, and Grow Bandwidth,” SCTE Cable-Tec Expo 2005. Author: Mark Palazzo, Scientific Atlanta, A Cisco Company.
4) “802.1Q Transparent LAN Service (TLS) over DOCSIS,” SCTE 2004. Author: Jaime Zabala, Cisco Systems.
5) “Data-Over-Cable Service Interface Specifications: Layer 2 Virtual Private Networks,” Spec: CM-SP-L2VPN-I01-060328, March 28, 2006.

Note: These materials were first presented at SCTE’s Business Services Symposium 2006 in Chicago, Ill.