A layer 2 end-to-end solution (including VPLS) has to permit every workstation to communicate with every other workstation in the extended LAN or send Ethernet packets to all workstations connected to the same bridging domain. VPLS thus provides no inter-site isolation:
A single workstation can saturate the WAN links of all sites connected to the VPLS service.
An intruder gaining access to a workstation on one site can try layer 2 penetration techniques on all workstations and servers connected to the VPLS cloud.
VPLS-based services cannot implement traffic filters, as these filters would violate the 'transparent LAN' principle.
With these threats in mind, it's easy to see that you should offer VPLS services only to the customers actually requiring multi-site transparent LAN solutions, not to everyone asking about a simple VPN service.
Which customers need VPLS‾
If your customer has applications that use non-IP protocols (including legacy Microsoft or AppleTalk networks), VPLS is the best alternative, as long as the customer understands its security implications. To implement a secure solution on top of a VPLS backbone, each customer site should use a router to connect to the VPLS backbone. A managed router service will achieve the maximum value-add, if the customer will go that route.
VPLS is also a perfect fit for disaster recovery scenarios, where you need to create an impression that servers located at different sites belong to the same LAN.
VPLS: Not appropriate for all customers
When a customer with insufficient IT knowledge approaches your sales team asking for a VPN solution linking numerous remote sites, VPLS might not be the best solution, and he probably needs a more scalable MPLS VPN solution. Implementing VPLS would be faster and easier (more so since the customer is not networking-savvy), but after the first major incident -- and it will happen eventually -- you'll be faced with an extremely unhappy customer and a tarnished reputation.
About the author: Ivan Pepelnjak, CCIE No. 1354, is a 25-year veteran of the networking industry. He has more than 10 years of experience in designing, installing, troubleshooting and operating large service provider and enterprise WAN and LAN networks and is currently chief technology advisor at NIL Data Communications, focusing on advanced IP-based networks and Web technologies. His books include MPLS and VPN Architectures and EIGRP Network Design. You can read his blog here: http://blog.ioshints.info/
This article originally appeared on SearchTelecom.com