MPLS in the Enterprise and Data Center has been a topic of some debate among some of the leading independent bloggers out there over the past couple of years. "Network virtualization" is beginning to be used a bit loosely these days as folks try to define how SDN allows for slicing of Data Center and campus networks. Multi Protocol Label Switching (MPLS) is a core tool for virtualization at scale that is real today, and not promises of SDN x86 hardware bathed in unicorn tears of the future.
Some Important Virtualization Concepts
Virtual LANs (VLAN) – Taking one physical network and carving it into separate logical networks, each an isolated broadcast domain. It is often safe to think of a network address such as 192.168.1.0/24 as belonging to a single VLAN (though multiple can exist). That network maintains Layer 2 path isolation throughout the network by having VLAN tags imposed in the Ethernet header. That VLAN ID (VID) is logically isolated by every adjacent switch in the Layer 2 path on which the VID is defined.
Virtual Routing and Forwarding (VRF) – The ability to have multiple containers of routing tables or Forwarding Information Bases (FIB) inside one router or switch. These VRFs operate without knowledge of one another unless, for example, routes are explicitly imported or exported between them. VRFs can be deployed without MPLS, passing the VRF information over BGP, but this can be problematic to operate at large scale since an individual IGP mapping is required for each VRF.
Multi Protocol Label Switching (MPLS) – A concept whose heritage came from Cisco's Tag Switching, later standardized through the IETF; as it stands today, BGP/MPLS IP VPNs are defined in RFC 4364. Simply put, I tend to explain that MPLS is merely an encapsulation that can carry multiple labels, outer and inner: one label identifying the destination egress PE (the far end of the FEC) and one label carrying the VRF information through the MPLS-signaled network.
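As an added example (not code from the original post), here is a small Python decoder for the encapsulation just described: an optional 802.1Q tag carrying the VID, followed by the MPLS label stack with the outer transport label on top and the VPN label at the bottom of the stack. The MAC addresses, VID and label values in the sample frame are constructed for illustration, and the decoder also covers the single-label case left after penultimate-hop popping.

```python
import struct

ETHERTYPE_VLAN = 0x8100   # an 802.1Q tag follows the source MAC
ETHERTYPE_MPLS = 0x8847   # an MPLS unicast label stack follows

def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet -> optional 802.1Q tag -> MPLS label stack.
    Returns the VID (or None), the ordered label entries and the payload."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vid = 14, None
    if ethertype == ETHERTYPE_VLAN:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid = tci & 0x0FFF                     # low 12 bits of the TCI are the VID
        offset = 18
    labels = []
    if ethertype == ETHERTYPE_MPLS:
        while True:
            if len(frame) < offset + 4:
                raise ValueError("truncated MPLS label stack")
            entry = struct.unpack("!I", frame[offset:offset + 4])[0]
            labels.append({
                "label": entry >> 12,            # 20-bit label value
                "tc": (entry >> 9) & 0x7,        # 3-bit traffic class (EXP)
                "bos": bool((entry >> 8) & 0x1), # bottom-of-stack bit
                "ttl": entry & 0xFF,
            })
            offset += 4
            if labels[-1]["bos"]:
                break
    return {"vid": vid, "labels": labels, "payload": frame[offset:]}

def vpn_labels(frame: bytes):
    """Return (transport_label, vpn_label) for an RFC 4364 style frame.
    The VPN label is always bottom-of-stack; the transport label above it may
    already have been removed by penultimate-hop popping, giving None."""
    labels = parse_frame(frame)["labels"]
    if not labels:
        return None, None
    transport = labels[0]["label"] if len(labels) > 1 else None
    return transport, labels[-1]["label"]

# Constructed sample: VID 100, transport label 16001 (S=0), VPN label 24 (S=1)
SAMPLE_FRAME = bytes.fromhex(
    "001122334455" "66778899aabb"   # constructed destination / source MACs
    "8100" "0064"                   # 802.1Q tag, VID 100
    "8847"                          # MPLS unicast
    "03e810ff"                      # outer transport label 16001, TC 0, S=0, TTL 255
    "000181ff"                      # inner VPN label 24, TC 0, S=1, TTL 255
    "45000014"                      # first bytes of an IPv4 header (constructed stub)
)
```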
MPLS in the Enterprise
This concept is not new. MPLS/BGP/VPNs has long been a “carrier technology” used for isolating customer A's traffic from customer B's. As typical hardware in the distribution layers of campus networks, such as the Cisco 6500, Brocade MLX and Juniper MX, has had or added MPLS support, more enterprises have begun adopting the strategy. There are also smaller boxes that can act as PE nodes, as more vendors understand the importance of path isolation at scale.
Figure 1. Path Isolation funneled to Policy application points.
The core impact of MPLS/VPNs in an enterprise is virtualization at scale. While we once used VIDs for things that needed to be isolated from one another and sprawled them across the network, we now take lots of VIDs, drop them into VPN containers, and route them rather than bridge them. To quote my friend Ivan Pepelnjak, “The Internet is not made up of Brouters”.
MPLS in the Data Center
MPLS in the Data Center can be used for the same purpose as in the campus: path isolation. As the needs of security architects continue to grow, so does the amount of path isolation required. We can easily accomplish this in small data centers with VLANs. The problem is that every time we extend a “failure domain” (e.g. a VLAN) we also increase the risk associated with unicast flooding, broadcast flooding and all of the other inherent scale problems of VLAN sprawl.
Figure 2. East-West traffic between data centers or failure zones is fine if policy does not need to be applied. VLANs are reasonable.
Figure 3. If you need to scale policy application between multiple data centers, you begin to burn policy bandwidth in load balancers, firewalls and security monitoring devices when inspecting traffic within the same security zone at the front door of each of your data centers or availability/failure zones.
Pros/Cons of MPLS
Pros:
- Faster provisioning of new tenancy or policy domains.
- No longer needing to rely on a less scalable .
- Overlapping RFC 1918 addresses.
- I argue it is much easier operationally to manage post deployment.
- Reduced operational complexity as compared to private VLANs, Policy Based Routing (PBR) or contextual slicing of hardware like Juniper logical systems or Virtual Device Contexts (VDC) in Juniper chassis.
Cons:
- Support from vendors in hardware is often limited.
- Migration is far from a small undertaking.
- A different and arguably higher skill set is needed for implementation.
Two Men Enter One Man Leaves!
Derick Winkworth and Greg Ferro are getting ready to duke it out over this topic, with Ethan Banks playing Switzerland as the referee, so tune in!
Mel Gibson and Greg are both Australian… I’m worried about Ethan’s safety.
So I gotta ask…who owns Bartertown?