Restrictions on Ethernet L2 circuits?
simon.leinen at switch.ch
Thu Dec 31 10:29:11 CST 2009
Interesting questions. Here are a few thoughts from the perspective of
an education/research backbone operator that used to be IP only but has
also been offering L2 point-to-point circuits for a few years.
> Should business customers expect to be able to connect several LANs
> through an Ethernet L2 ciruit and build a layer 2 network spanning
> several locations?
At least for our customers, that is indeed important. The most popular
application here is for a customer to connect a remote location to their
campus network, and that want to (at least be able to) use any of their
existing VLANs at the remote site.
> Or should the service provider implement port security and limit the
> number of MAC addresses on the access ports, forcing the customer to
> connect a router in both ends and segment their network?
That would make the service less attractive, and also more complex to
set up and maintain. For point-to-point service, there is really no
reason for the network to care about customers' MAC addresses, VLAN tags
and such. As you said, EoMPLS doesn't care. (Ethernet over L2TPv3
shouldn't care either. If I had cost-effective edge routers that did
L2TPv3 encapsulation/decapsulation at line rate, I'd switch off MPLS in
our core tomorrow.)
Couldn't PBB or even Q-in-Q provide that isolation as well, at least for
point-to-point services? I must say that I don't personally have much
experience with those, because we tend to connect our customers to
EoMPLS-capable routers directly.
> Also, do you see a demand for multi-point layer 2 networks (requiring
> VPLS), or are point-to-point layer 2 circuits sufficient to meet
> market demand?
That's a big question for us right now... we're not sure yet. I'd like to
hear others' opinions on this.
> The most important argument for customers that choose Ethernet L2 over
> MPLS IP-VPN is that they want full control over their routing, they
> don't want the involvement from the service provider. Some customers
> also argue that a flat layer 2 network spanning several locations is a
> simpler and better design for them, and they don't want the "hassle"
> with routers and network segmentation.
I have a good deal of sympathy for customers who think this way. Also
from the service provider point of view, I like the simplicity of the
offering - basically we're providing an emulation of a very long piece
of Ethernet cable. (My worry with multipoint L2 VPNs is that they can't
have such a simple service model.)
> But IMO the customer (and the service provider) is far better off by
> segmenting their network in the vast majority of cases. What do you
Maybe they already have a segmented network, but don't want to segment
it based on geography/topology.
As far as I'm concerned, enterprises should just connect their various
sites to the Internet independently, and use VPN techniques if and where
necessary to provide the illusion of a unified network. In practice,
this illusion of a single large LAN (or rather, multiple
organization-wide LANs) is very important to the typical enterprise,
because so much security policy is enforced based on IP addresses. And
the typical enterprise wants a central chokepoint that all traffic must
go through, for reasons that might have to do with security, or support
costs, or with (illusions of) control.
This bridging function required to maintain the illusion of a unified
network is something that most enterprises prefer to outsource. I'd
hope that at some point, better security mechanisms and/or better VPN
technologies make these kinds of VPN services less relevant. Until that
happens, there's going to be demand for them. Of course the telcos have
known that for eons and provided many generations of expensive and
hard-to-use services to address this. Point-to-point Ethernet services
are interesting because they are relatively easy to provide for folks
like us who only really know IP (and maybe some MPLS). And the more
transparent they are, the easier it is for customers to use them.
More information about the NANOG