So you have customers out in the world that have private networks. Most of them have some kind of private VPN service from a provider such as AT&T or Verizon or twTelecom. This VPN service could be an L2VPN service (ELAN or EVLAN) or it could be an L3VPN service (VRFs).
You want to attach services to these private VPNs (such as hosted e-mail, SIP or internet) or you want to extend them into your datacenter so you can attach VMs to them (virtual datacenter/private cloud). You will need to virtualize your datacenter network (the actual network plumbing) with something like MPLS (VPLS, VRFs), PBB, or Q-in-Q. I recommend MPLS at this point. It's mature, it has a large body of standards and features that multiple vendors support and interoperate on, and you can provision both L2 and L3 VPNs with it. Effectively you are building a private VPN in your datacenter(s) for each customer and attaching it to the provider's VPN. This diagram depicts the interconnect between your datacenter and the providers.
The extension of L2VPNs from the provider's network into your datacenter can be slightly trickier than depicted and will vary depending on the provider. Multiple circuits may be required (booo!). However, some carriers will do VLAN translation on their side to multiplex multiple customer L2VPNs over a single ethernet link. I'm aware of at least one provider that will extend a Q-in-Q trunk to you, which is ideal if you can negotiate it.
Not depicted here are other transport methods to terminate into VRFs/VSIs/Q-in-Q VLANs at the datacenter WAN edge:
- dedicated private links
- IPSec/GRE tunnels over the internet
- ISDN. Yes, ISDN. You can map an incoming call’s virtual-access interface to a particular VRF based on the username/password used during CHAP authentication.
- SSL. Cisco has features that will let you similarly map SSL sessions to VRFs in IOS.
The transport really doesn’t matter so long as you can get a particular customer into their VPN in your datacenter.
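As an added illustration (not the author's configuration), here is a Cisco IOS-style WAN-edge fragment with constructed VLAN numbers, RD/RT values, addresses and neighbor IPs: customer A's L3VPN handoff lands in a VRF and customer B's Q-in-Q L2VPN handoff lands in a VPLS VSI. On the shared NNI the outer VLAN tag is the only thing separating customers, so the trunk's allowed-VLAN list and native VLAN are the controls worth verifying.

```cisco
! --- Customer A: provider L3VPN handoff (VLAN 100) terminated into a VRF ---
ip vrf CUST-A
 rd 65000:100
 route-target export 65000:100
 route-target import 65000:100
!
interface GigabitEthernet0/1
 description NNI to provider (constructed example)
 no ip address
!
interface GigabitEthernet0/1.100
 description Customer A L3VPN handoff
 encapsulation dot1Q 100
 ip vrf forwarding CUST-A
 ip address 192.0.2.1 255.255.255.252
!
router bgp 65000
 address-family ipv4 vrf CUST-A
  ! eBGP to the provider's PE inside the customer's VRF only
  neighbor 192.0.2.2 remote-as 65001
  neighbor 192.0.2.2 activate
 exit-address-family
!
! --- Customer B: provider Q-in-Q trunk, outer VLAN 200 mapped to a VPLS VSI ---
! Inner (customer) tags are carried transparently across the VPLS.
l2 vfi CUST-B-VPLS manual
 vpn id 200
 neighbor 10.0.0.2 encapsulation mpls
!
interface GigabitEthernet0/2
 description Provider Q-in-Q trunk (constructed example)
 switchport
 switchport mode trunk
 ! Only the customer outer VLANs you have mapped; no catch-all, no native VLAN leakage
 switchport trunk allowed vlan 200
 switchport trunk native vlan 999
!
interface Vlan200
 description Customer B attachment circuit
 no ip address
 xconnect vfi CUST-B-VPLS
```

Check the result with `show ip vrf interfaces` and `show mpls l2transport vc` to confirm each handoff is bound only to its own VRF or VSI, and that nothing on the NNI is left in the global table.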
There are some awesome things you can build and attach to your customers’ VPNs, and in future posts I will show you some of these. In each case I will refer back to this post as a point of reference.
[edit: Actually, you could easily provide internet service à la my previous post: Internet-as-a-Service in an MPLS Cloud]