L2 VPN's vs L3VPN's

Oke I'm trying to understand what kind of L2 VPN's and L3 VPN's there are, and what there advantages are over the other.

I'm hearing and seeing a lot of variants on the internet and I'm trying to keep them seperate as it's getting confusing. Can someone help met with the 2 list and if possibe explain or provide link to articel where the difference are discussed, or better yet, discuss it here.

I have acquired the following VPN types from the internet. I'm wondering I got most of them and if anyone has the time to give me a short description as to whihc one is better in which situation and maybe a small config exmaple? Thank you.

L2VPN:

MPLS L2 VPN

MPLS L2VPN has two modes: Virtual Private LAN Service (VPLS) and Virtual Leased Line (VLL).In the industry, a Virtual Leased Line is also referred to as Virtual Private Wire Service (VPWS)

Virtual Leased Line (VLL)
Virtual Leased Line (VLL) is a way to provide Ethernet-based point to point communication over IP/MPLS networks.VLL uses the pseudo-wire encapsulation for transporting Ethernet traffic over an MPLS tunnel across an IP/MPLS backbone.

Pseudowire

A pseudowire (PW) is an emulation of a native service over a packet switched network (PSN). The native service may be ATM, frame relay, Ethernet, low-rate TDM, or SONET/SDH, while the PSN may be MPLS, IP (either IPv4 or IPv6), or L2TPv3.

Point-to-Point (VPWS/VLL/Pseudowire):
- Virtual Leased Line (VLL) in Circuit Cross Connect (CCC) Mode
- Virtual Leased Line (VLL) in Martini Mode (PWE3) aka EoMPLS aka Xconnect
- Virtual Leased Line (VLL) in Kompella Mode

Martini vs Kompella (VLL)
Martini VLL (Virtual Leased Line) – this is a method of providing one point to point L2 link between two endpoints in the MPLS network by using LDP as a signaling protocol to transfer tunnel identification.

Kompella VLL (Virtual Leased Line) – this is exactly the same L2 point-to-point service as previous Martini VLL has, the difference is this one uses BGP as a signaling protocol to transfer tunnel identificaiton.

Point to Multipoint/Multipoint to Multipoint:
- Virtual Private LAN Service (VPLS) => A Layer-2 service that emulates a switched Ethernet (V)LAN across a PSN.

Martini vs Kompella (VPLS)
Martini VPLS (Virtual Private LAN Service) – in this service, you create an illusion that the entire MPLS cloud is a giant switch for the customer, the “Martini” again means using LDP as signaling protocol.

Kompella VPLS (Virtual Private LAN Service) – in this service you again create an illusion of a giant switch to the customer, but internally it will use BGP for signalling.

Other L2VPN types:
- 802.1q Tunneling (QinQ)
- E-VPN - This seems to be the future (http://blogs.cisco.com/tag/e-vpn/).
- Frame Relay (Old) - Point to point
- ATM (Old) - Point to point

L3VPN:
- IPSEC - Point to Point
- GRE - Point to Point
- MPLS/BGP L3 VPN
- DMVPN

Find more posts tagged with

Comments

filkenjitsu

2014-01-28%2005_49_28-www.cisco.com_web_learning_exams_docs_642-889_spedge.pdf.png

2014-01-28%2005_50_58-www.cisco.com_web_learning_exams_docs_642-889_spedge.pdf.png

Check out the SPEDGE test requirements for a good summary:

FrankGuthrie

Hmmm, thaht actually made it more confusion... Thanks for the reply though.

deth1k

There is no better or worse, it depends on requirements. If i need a point to point link between two campus sites or DC's I'd ask for Pseudowire/VLL/Crossconnect/AToM/PBW from a service provider, terms might be different from vendor to vendor. Similarly if i needed to extend my LAN across multiple sites, I'd order VPLS that however doesn't stop me using routers at each site and create my own logical topology using underlying flat Layer 2.
L3VPN is better suited when you have a large number of sites in different states and even continets. It all comes down to what you need at the end of the day. Also i would suggest posting somewhere else other than CCIE thread and making more research as your questions aren't centered around Cisco.

FrankGuthrie

Hi Ddeth1k,

Well which other forum do you suggest I post this?

Also, I did my research and asked around to get to the result posted in the opening post. Was hoping if someone could add more and maybe enlighten me more about the topic.

FrankGuthrie

Anyone else?

networker050184

What specific questions do you have? I can try to shed some light for you.

FrankGuthrie

I just wanted to know if I was on the right track, and if possible can you maybe explain why you would choose on over the other.

I know it might be asking a lot, but if it could be done is short, that be very helpfull. I've seen so much of these VPN technologies that I'm trying to wrap my head around them and understand what my colleagues are talking about.

In our network we're using in vary of these technologies and I'm always looking with a blank stare when my colleagues talk about these.(E-VPN, VPLS)

So I set out to define a list for myself of what types of VPN's there are and what the difference are. Also When do you use use one over the other? So any additions are helpfull.

EdTheLad

Originally when a customer wanted to connect two remotes sites together they used a leased line, lets say a 2M E1 link, this E1 link would get bundled at the physical layer into lets say an stm1/stm4.This was expensive, not all customers were willing to pay for a dedicated end to end port. This is where shared media came along, the protocol of choice FR. FR was flexible with regards to what bandwidth/service could be offered, it gave the SP some extra marketing possiblities etc. The customer got and end to end dlci which could be shaped/policed to a specific rate of their choice.
The problem with FR is that due to the variable frame length, it was hard to manage voice traffic and regular data traffic over the same links, large frames delayed voice traffic. The solution ATM, fixed size cells, which meant predicable delays, with pretty much the type of control over bw service etc, just different terms used.

Both ATM/FR encapsulate IP, the layer 3 IP packets are encapsulated in ATM/FR and sent across the provider core. There is no layer 3 peering with the provider, this is know as an overlay model. So lets say the customer has 3 sites, in order for all sites to communicate, they need a full mesh of pvc's between them. As the number of sites increase the number of pvcs in the mesh exponentially increases.

Around this time, fastethernet/Gig ethernet started to kick off, providers were replacing legacy SDH networks with ethernet. CPE equipment was still using FR/ATM but the provider was encapsulating this at the core to ethernet frames rather than transporting over sdh. What ended up was, an SP with a layer 3 backbone was working as an overlay network for legacy customers. The question on every ISP's mind was how do we migrate all these customers onto our l3 network and still provide them with the same private service?

A big issue was address space, what happens when customers use the same ip addresses? Security, what happens if an operator error causes routes to be injected going to the wrong customer? i.e. customer A's sensitive material is sent to CustomerB.

This is why l3vpn was born, to fix the overlapping address issue, all ipv4 addresses are converted to vpnv4 addresses, i.e. they get an extra unique 64bit number attached to the ip address to make them unique. To fix the routing issues, each customer is assigned a dedicated routing/forwarding instance per router.

The only issue now is, if every customer has a unique id added to the ip address, and lets say each customer handles the full bgp routing table, how can the SP core routers handle a bgp routing table for every customer? That could run to billions of route. Solution was to use mpls, with BGP only the next hop is required for forwarding on the PE, if the packets are label switched the core only needs to know next-hop addresses.

So this is all fine and good for ip traffic, but what if we need to transport non IP protocols across the core? Believe it or not X25 is still being used by banks today. But lets just say we want to extend our ethernet across the core. This is where AToM comes in, with ATom you can create a psuedowire across the mpls core. This is a layer 2 ptp virtual circuit. Another name EVCs etc etc. A psuedowire encapsulates the frame in a VC label and the trunk label i.e. double label, the VC label needs to be learned from the remote PE using signalling, this is where the whole kompella vs martini thing comes in, how are labels signaled? using either a separate protocol LDP(martini) or a via BGP(kompella) same thing goes with vpls.

Now what happens if i have multiple sites and want them all connected across the provider as layer 2 as if they were all on the same lan? This is where vpls comes in. It will automatically create a full mesh of pvcs between all site as well as keep track of mac learning etc.

Anyway, not sure how clear that is, but i tried

FrankGuthrie

Hi Ed,

That was a lot to taken in. I have to read it a few more times, but thank you for taking the time too write such a extended reply

. Let me read it a few times and see if I have questions.

FrankGuthrie

Hi Ed finally had the time to read your reply

. See below my response to your text.

Originally when a customer wanted to connect two remotes sites together they used a leased line, lets say a 2M E1 link, this E1 link would get bundled at the physical layer into lets say an stm1/stm4.This was expensive, not all customers were willing to pay for a dedicated end to end port. This is where shared media came along, the protocol of choice FR. FR was flexible with regards to what bandwidth/service could be offered, it gave the SP some extra marketing possiblities etc. The customer got and end to end dlci which could be shaped/policed to a specific rate of their choice.
The problem with FR is that due to the variable frame length, it was hard to manage voice traffic and regular data traffic over the same links, large frames delayed voice traffic. The solution ATM, fixed size cells, which meant predicable delays, with pretty much the type of control over bw service etc, just different terms used.

The above is clear.

Both ATM/FR encapsulate IP, the layer 3 IP packets are encapsulated in ATM/FR and sent across the provider core. There is no layer 3 peering with the provider, this is know as an overlay model. So lets say the customer has 3 sites, in order for all sites to communicate, they need a full mesh of pvc's between them. As the number of sites increase the number of pvcs in the mesh exponentially increases.

The above is clear.

Around this time, fastethernet/Gig ethernet started to kick off, providers were replacing legacy SDH networks with ethernet. CPE equipment was still using FR/ATM but the provider was encapsulating this at the core to ethernet frames rather than transporting over sdh. What ended up was, an SP with a layer 3 backbone was working as an overlay network for legacy customers. The question on every ISP's mind was how do we migrate all these customers onto our l3 network and still provide them with the same private service?

Isn't SDH a fiber channel format and still in use? Why would this be phased out?

A big issue was address space, what happens when customers use the same ip addresses? Security, what happens if an operator error causes routes to be injected going to the wrong customer? i.e. customer A's sensitive material is sent to CustomerB.

The above is clear.

This is why l3vpn was born, to fix the overlapping address issue, all ipv4 addresses are converted to vpnv4 addresses, i.e. they get an extra unique 64bit number attached to the ip address to make them unique. To fix the routing issues, each customer is assigned a dedicated routing/forwarding instance per router.

The above is clear.

The only issue now is, if every customer has a unique id added to the ip address, and lets say each customer handles the full bgp routing table, how can the SP core routers handle a bgp routing table for every customer? That could run to billions of route. Solution was to use mpls, with BGP only the next hop is required for forwarding on the PE, if the packets are label switched the core only needs to know next-hop addresses.

Not sure I got this. Why would the customer run BGP?

So this is all fine and good for ip traffic, but what if we need to transport non IP protocols across the core? Believe it or not X25 is still being used by banks today. But lets just say we want to extend our ethernet across the core. This is where AToM comes in, with ATom you can create a psuedowire across the mpls core. This is a layer 2 ptp virtual circuit. Another name EVCs etc etc. A psuedowire encapsulates the frame in a VC label and the trunk label i.e. double label, the VC label needs to be learned from the remote PE using signalling, this is where the whole kompella vs martini thing comes in, how are labels signaled? using either a separate protocol LDP(martini) or a via BGP(kompella) same thing goes with vpls.

The above is clear.

Now what happens if i have multiple sites and want them all connected across the provider as layer 2 as if they were all on the same lan? This is where vpls comes in. It will automatically create a full mesh of pvcs between all site as well as keep track of mac learning etc.

What is the thing with MAC learning? Also I heard that when you create VPN by the means of VLPS, you need to seperate each VPN in their own respective VLPS, because of MAC learning Issues. This I heard on my work, but don't get the basics behind it?

Anyway, not sure how clear that is, but i tried

networker050184

Yes, SDH is still in use. Most of the time an Ethernet circuit is encapsulated into the SONET/SDH frames to emulate a point-to-point Ethernet link to the routers.

A customer would run BGP to advertise it's routes into the VRF on the provider side. This can also be done via an IGP or static routes, but BGP is the most common as it gives the most control.

MAC learning is needed to give the appearance of a LAN connection. The providers network appears as though you are plugging into an Ethernet switch. Each customer is placed into a separate VPLS instance which allows for scale by only having the PE's connecting to the customer sites learning MACs. MAC tables can grow very large and if you just learned every customers MAC on every router in the network you'd soon be scaling to very large numbers.

FrankGuthrie

Yes, SDH is still in use. Most of the time an Ethernet circuit is encapsulated into the SONET/SDH frames to emulate a point-to-point Ethernet link to the routers.

This clear, but I heard that SDH is being replaced by DWDM, which is also a fiber standard whihc can carry Etherrnet signals. Is this correct?

A customer would run BGP to advertise it's routes into the VRF on the provider side. This can also be done via an IGP or static routes, but BGP is the most common as it gives the most control.

This is clear. Only in cotect with Ed's explanation I did not see the problem with BGP. Why schoose MPLS. You would aslo have the heep track of all the CE's route. The only difference is that you're giving these routes an MPLS label.

MAC learning is needed to give the appearance of a LAN connection. The providers network appears as though you are plugging into an Ethernet switch. Each customer is placed into a separate VPLS instance which allows for scale by only having the PE's connecting to the customer sites learning MACs. MAC tables can grow very large and if you just learned every customers MAC on every router in the network you'd soon be scaling to very large numbers.

This is clear, but I still have a question. A collegaue of mine told me that when sending VPN traffic over an VPLS I need to create a separate VPLS per VPN. So for axample I have taffic from 1 customer whihc has 2 VPN's, i need to seperate this in a different VLPS because of MAC learning. He never told me why, and I just assumed what he said was correct, but I now want to know the logic behing it. Does VPLS have a drawback when using mutiple VLAN/subnets in a VPLS.

networker050184

DWDM and SDH are exclusive. DWDM just uses different frequencies to send multiple bit streams over a single fiber. A lot of the time it is still SONET/SDH streams. More places are using straight 10 Gig Ethernet over DWDM though I'm not sure if I'd really say it is replacing SONET/SDH though. I don't have numbers.

Why choose MPLS L3VPN? One of the biggest advantages is the ability to use overlapping IP space. Almost every company uses 10.0.0.0/8 space on their LAN. What happens when every customer connects with the same routes? Normal routing isn't going to take too kindly to that. So MPLS L3VPNs take care of this by making prefixes unique and making forwarding decisions based on labels rather than IP addresses.

Ok, a VPLS instance is a VPN. If you have two customers you want two separate VPLS instances/VPNs mostly for flooding purposes. As I'm sure you know how LANs and unknown unicast flooding works, you don't want traffic from customer 1 flooding to customer 2 and vice versa. The seperate VPLS/VPN keeps these separate.

FrankGuthrie

networker050184 wrote: »

DWDM and SDH are exclusive. DWDM just uses different frequencies to send multiple bit streams over a single fiber. A lot of the time it is still SONET/SDH streams. More places are using straight 10 Gig Ethernet over DWDM though I'm not sure if I'd really say it is replacing SONET/SDH though. I don't have numbers.

Why choose MPLS L3VPN? One of the biggest advantages is the ability to use overlapping IP space. Almost every company uses 10.0.0.0/8 space on their LAN. What happens when every customer connects with the same routes? Normal routing isn't going to take too kindly to that. So MPLS L3VPNs take care of this by making prefixes unique and making forwarding decisions based on labels rather than IP addresses.

Ok, a VPLS instance is a VPN. If you have two customers you want two separate VPLS instances/VPNs mostly for flooding purposes. As I'm sure you know how LANs and unknown unicast flooding works, you don't want traffic from customer 1 flooding to customer 2 and vice versa. The seperate VPLS/VPN keeps these separate.

Hi Networker,

Thanks for the anwser

Dieg0M

networker050184 wrote: »

Why choose MPLS L3VPN? One of the biggest advantages is the ability to use overlapping IP space. Almost every company uses 10.0.0.0/8 space on their LAN. What happens when every customer connects with the same routes? Normal routing isn't going to take too kindly to that. So MPLS L3VPNs take care of this by making prefixes unique and making forwarding decisions based on labels rather than IP addresses.

I think Frank's question was more oriented on why use MPLS, not the L3VPN portion. If overlapping addresses are the only concern then you could run vrf aware GRE tunnels to accomplish this. Why would you use an MPLS backbone over an IP centralized backbone?

networker050184

You would use MPLS for the forwarding flexibility of not relying on routing on strictly destination IP address. You get the huge benefit of traffic engineering.

EdTheLad

SDH is still used on the edge, but 10 years ago it was in most provider cores, so i was referring to how i've pretty much seen it disappear.

Imagine the l3vpn solution without an mpls core, lets say you have the vrf's, the unique vpnv4 address space and some field added to the ip packet so that it knows the remote vrf. So purely ipv4 forwarding in the core. This means that the core needs to know every customer address for forwarding. Lets imagine per PE you have roughly 100 customers, each customer receives a partial bgp routing table 5k ipv4 addresses, so per PE you have about 500k addresses. Lets say your network consists of 20 PE's , that means the P routers need to learn 10 million addresses.

Now running an mpls core, the PE still has 500k addresses, the core runs an igp, the bgp next-hop and internal link addresses are advertised in the igp, ldp distributes labels for all igp addresses which includes the bgp next-hops. When a packet arrives on a PE for a remote customer, a recursive rib lookup occurs, the next-hop bgp peer address is found, this address has a label associated with it in the fib and a label is pushed onto the packet. The core routers just need to label switch the packet till it reaches the remote PE.

So you can see the scalability benefits with regards to the P routers.

In regards to vrf aware GRE tunnels, that pretty much would do what mpls does, except mpls is dynamic and uses a 4 byte header as opposed to GREs which uses a 20 bytes and would need to be manually provisioned.