What are the types of Multiprotocol Label Switching (MPLS) VPNs: Layer 3MPLS VPNs and Layer 2 MPLS VPNs? I am confused...
about whether virtual private LAN service (VPLS) is a type of Layer 2 MPLS VPN or whether it’s used synonymously with Layer 2 MPLS VPNs. Under Layer 2 type MPLS VPNs, I’ve also seen Border Gateway Protocol(BGP)-based and Label Distribution Protocol (LDP)-based mentioned. In addition, I’ve seen pseudowires and Asymmetric Digital Subscriber Line (ADSL) mentioned as other types of MPLS VPNs. Could you let me know what types of MPLS VPNs exist and the difference between the VPLS, BGP, LDP, ADSL and pseudowire options?
Yes, there are two VPN MPLS-based services: Layer 3 MPLS VPN and Layer 2 MPLS VPN. As the name indicates Layer 3 MPLS VPN operates at network Layer 3 (L3) and Layer 2 MPLS VPN operates at Layer 2 (L2) of the Open Systems Interconnection (OSI) model. This is how the two services are differentiated.
In general, MPLS VPN is a service provider technology where, from a security perspective, the enterprise customer trusts the service provider to securely handle and deliver the traffic between sites. This can be done in several forms as I will explain below.
Both MPLS VPN techniques, L2 and L3, utilize the same basic principle for transporting traffic across the provider network -- namely, MPLS label switching, setting up Tunnel Label Switched Paths (LSPs). However, the difference is that L3 VPN MPLS uses IP Routing and L2 VPN MPLS uses a circuit switching approach, similar to the way how Leased Line services were provided via frame relay or ATM using permanent virtual circuits (PVCs). However, the MPLS VPN approach is more flexible for service providers as it allows them to utilize the same networking equipment for all operations. The customer data is encapsulated and carried across the provider network via MPLS. In L3 MPLS VPN the customer traffic consists of IP frames, and in L2 MPLS VPN the customer traffic is tagged or untagged Ethernet frames. In both techniques, there are two labels prepended to the customer frame. The inner label is different for the two techniques. In L2 MPLS VPN the inner label is a virtual circuit tag and in L3 MPLS VPN the inner label is a label containing the final virtual routing and forwarding (VRF) table. The outer label for both techniques is the LSP switching label that identifies the switched path across the provider MPLS network. Imagine the outer label like a letter envelope sent via the US Postal Service that contains the address of the recipient. When the recipient receives the letter from the mailman and opens it, the recipient can throw away the envelope as it only contains relevant information for the Postal Service that delivered the letter. But inside the letter -- the inner label -- there are additional instructions to whom the contents are actually addressed, like the accounting department, the secretary or the services department. So the letter will be routed accordingly internally.
As I stated, L3 MPLS VPN is based on routing tables. It uses standard routing protocols, such as BGP, to create route maps and uses various add-ons and extensions for the purpose of the L3 VPN such as route distinguishers and route targets to differentiate and properly handle routes and destinations. L2 MPLS VPNs resemble a virtual circuit type service. They are very effectively used by service providers in the Metro Ethernet field. During my days at Yipes Communications I participated in some of the standardization efforts around this service in the Metro Ethernet Forum. There are two main RFCs that define the two L2 MPLS VPN topologies:
- The Martini draft specifies the concept of virtual circuits as another overlay LSP inside a tunnel LSP. It addresses the problem of point-to-point VPN connections in MPLS VPN.
- The second important RFC, drafted by Marc Lasserre and Vac Kompella, specifies VPLS, which presents a solution for multi-point connectivity for Layer 2 MPLS VPN. It basically builds upon the Martini approach by expanding the concept to a full mesh topology.
ADSL is just a telephone company DSL type. It describes how the last mile, the connection from the Internet Service Provider (ISP) to the enterprise customer premise is accomplished. There are many different ways to do this. It used to be frame relay, which is now losing ground to DSL, Gigabit Ethernet, fiber optic and others. There are mainly three components in every connection scenario, the provider network, the customer network and the last mile that bridges the connection between customer and provider. See this guide on MPLS VPN fundamentals for more information.
Email your VPN-related questions to firstname.lastname@example.org.
Dig Deeper on WAN technologies and services
Related Q&A from Rainer Enders
Rainer Enders explains how to allow certain users to access a VPN client while restricting others. Continue Reading
In this Ask the Expert response, Rainer Enders explains how to disable VPN passthrough and what the benefits and drawbacks are. Continue Reading
Our VPN expert explains why a Layer 3 VPN can ping but not do a tracepath from the client in this response. Continue Reading