Many reports have been written about the techniques behind Virtual Private Networks (VPN) and Multi Protocol Label Switching (MPLS). They usually deal with the low level design of the software implementing a specific technique. The initial products are usually not mature enough to run in a large network or have to be adjusted in some way to fit.
This report investigates the different ways of implementing strict layer 2 Virtual Private Networks in an existing nation-wide Gigabit Ethernet. The infrastructure in use, as well as the hardware, has to be used without major changes. Since 1998/1999, when MPLS first started in the laboratories, development has continued. Today it is possible to introduce MPLS or tunneled national virtual local area network into an existing network. This requires high speed, fault tolerant, and stable hardware and software.
Going beyond the separation of traffic at layer 3 using Virtual Private Networks, i.e., IPSec, we can tunnel layer 2 traffic through a network. Although the first layer 3 VPN products are already in use, layer 2 VPNs still need to be evaluated and brought into regular use. There are currently two ways of tunneling VLANs in a core network: tunneled VLANs (or as Extreme Networks calls them, VMANs) and MPLS.
This project showed that it is possible to start with a VLAN-only solution, and then upgrade to MPLS to solve scalability issues. The VMAN solution can not be used at Arrowhead, since there are too many disadvantages in the way Extreme Networks has implemented it. However, a mix of tunneling VMAN in a VLAN core is possible, and enables customer tagging of VLANs in a Layer 2 VPN. Furthermore, the testing of EAPS and per-VLAN Spanning Tree Protocol turned out well, and showed that EAPS should not be used when there is more than one loop.
Author: Ögren, Niklas