VRF-Lite+GRE/dot1q or MPLS L3 VPN

I am going to create a new category on the blog which we will discuss together the different technologies,protocols, designs and architecture.

You can suggest a discussion topics and you all please welcome to join the discussions in the comment box of each topic.

I want to throw a first topic for the discussions !

Which Enterprise Architecture is more complex ? ( Did you read network complexity article in the blog ? )



MPLS VPN Technologies and Design are explained in detail in my Onsite CCDE  Live/Webex CCDE  and  Self Paced CCDE  course.



VRF-lite with GRE/dot1q or MPLS L3VPN ? 

It is very subjective topic I think there is not absolute corrects thus please share your opinion.Collective of our answers will be creating a detail article and will provide a good resource for the people before they decide a particular technology,protocol,architecture.

UPDATE : Let me provide very brief overview for vrf-lite and MPLS VPNs.

How they can be carried through an overlay to provide data plane separation and how same tasks can be achieved with MPLS layer 3 VPNs.

Vrf-lite provides a control and data plane separation without requiring an MPLS as control or data plane. You don’t need an MPLS encapsulation.

It should be configured hop by hop from source to destinations.

Every node on the path should be configured separately.

GRE and dot1.q can provide data plane separation.

Vendor implementations might have hardware limit, so you should be aware the limits.

Same is true mostly for the MPLS VPNs as well, routing protocol process is limited and varies based on hardware.

By the way for those who don’t know what is the difference between control vs data plane ,very abstracted definition :

The operations on the user traffic is handled at the data plane, the operations between the networking devices is explained and handled with control plane operations.

MPLS VPN on the other hand requires a LABEL at least on the control plane.

MPLS VPN idea is to hide state from the core thus we provide an encapsulation for the underlay.

On the other hand, every node from source to destination keeps state information in the concext of Vrf-lite. If you read the Network Complexity article in the blog, I explained that state information ( Routing tables, MPLS labels, ARP tables, L2 information etc ) is directly related with the network complexity.

Encapsulation might be provided by the GRE,L2tpv3, LDP , RSVP,Segment Routing and  so on.We call it transport or underlay, topmost label. (In general you see and hear LDP but I provided many other possible encapsulations mechanisms)

In the context of MPLS L3 VPNs, We have second level of layering to separate end user traffic from each other. This is achieved through Multi Protocol BGP (MP-BGP).

25 Replies to “VRF-Lite+GRE/dot1q or MPLS L3 VPN”

  1. That is a tricky one to answer. If I was to take both of these to my current client I know which one would be preferred. They would certainly prefer VRF-lite with GRE and dot1q because this is an amalgamation of technologies they are already familiar with – it would be easy to explain and repeatable in implementation though it is not a scalable solution and it would be very configuration heavy.

    On the other hand if the time was invested to explain MPLS there would be a great number of benefits and the configuration would be tidier, less lines, and more repeatable as they would rarely touch anything other than the edge.

    So which is more complex for me and my current client? Short term – MPLS, Long term – VRF-lite

  2. yes i will join Jamie Grive answers, but it’s not all the time about complexity but it’s about $.if you want to have L3VPN in your network you must have equipements that supports MPLS BGP L3VPN and this kind of equipements are a little bit expensive.
    it’s all the time about tradeoffs if you want flexibilité and resiliency you should introduce implementation complexity of L3VPN from customer point of view ( am i right orhan :p ? ).but if the customer look for a simple design from his point of view and a cheap solution than he will accept dealing with customer vlan and intrconnecting vlans …etc

    1. I updated the post, provided little bit overview on vrf-lite and mpls VPNs. I think it might be better to start the discussions in this way.

      I agree with both of you. Jamie touches on scalability point of view.

      And it is correct that managing vrf-lite separately is hard, especially if the number of required separation (VRF)increases.

      If the requirement is large scale design, due to management scaling limits of vrf-lite, MPLS VPN is a better option.

      But the question is asking about complexity.

      So, even though in general vrf-lite is suitable for the smaller size deployments, if someone tries to continue with vrf-lite for fairly large size deployment, I think vrf-lite would be as complex as MPLS VPN deployment.

      It is not only configuration complexity also.

      You still need to manage GRE or dot1.q for the separation and don’t forget that adding each feature/protocol on the existing architecture adds complexity again.

      Software, hardware to support those encapsulations ( GRE,dot1q,MPLS etc ) is another considerations.

      You mentioned about cost and surely it is fair. It is always a part of design decision and somehow related with complexity in my opinion.

      You didn’t mentioned yet from two things. Human element and management systems.

      If the networking team does;t have an experience with MPLS VPN it should be included to calculation when you compare which one is more complex.

      Also what about management systems ? Does it support to monitor, configure MPLS LSPs ?

      Once the other answers come, I will reply them as well. Let’s keep this post alive.

  3. Benefits MPLS
    Highly scalable
    stability only PE changes
    Simplified routing
    Low Opex
    Overlapping VPNs
    Shared Internet access and firewalling
    flexibility eassier to extend the network

    drawbacks (if provider managed)
    SP owns your core network
    SP owns the convergence
    Load sharing depends on correct PE-router configuration
    no end to end routing adjacency

    Benefits vrf-lite + gre
    Overlapping VPNs
    Shared Internet access and firewalling

    not as widely implemented as MPLS VPN
    MTU issues
    Load sharing more complex
    not scalable
    no Simplified routing
    high Opex
    lots of tunnels (you can also use mGRE will save some tunnels:))

  4. My advice would be go for MPLS-VPN or for an mGRE solution with the possibility to upgrade to upgrade to MPLSoGRE when they realize vrf-lite is not good with 100+ vrf’s.


  5. Hi Driss,

    You really made me think about this 🙂

    I think it depends if I would have an hub-spoke network it’s better to do DMVPN. But if it is just an standard MPLS L3VPN backbone with a couple of POPs a simple mGRE solution would be ok.

    At the end both solutions do not scale well if you require lots of VPNs without running MPLS over it DMVPN or mGRE.


    1. Hi Driss,

      Yes I meant it as two different solutions.

      l3vpn over mGRE
      2547oDMVPN (MPLSoDMVPN)

      Both don’t scale without MPLS.


      1. Thanks Roy !

        Both are very complex although for the given business requirements you think that they solve the problems in my opinion.
        I wouldn’t design any network with neither of them but since you mentioned, for those who don’t know what they are can you write briefly what they are.

        1. Hi Orhan,

          VRF-Lite+GRE/dot1q is also rather complex, so to make life eassier you can atleast advice your customer that their are other ways to. You also say that you would never do something like this I have a real life example that is perfect for 2547oDMVPN.

          You need to cross several networks in a very large enterprise that are managed by different third parties to get to special routers deep into the network and you want to provide serveral vrfs (10+) to them and you have an isolation requirement and qos and multicast requirements per vrf.

          Then one of those solutions is your only (cheap)option.

          Below the brief description about the solutions:

          l3vpn over mGRE: If MPLS is not available in a network you can use GRE to automatically build dynamic tunnels in order to provider L3VPN services. The BGP nexthop is used for tunnel endpoint discovery, but instead of adding a transport label, VPN traffic is encapsulated into GRE (having as source a local interface and as destionation the neighbor PE).

          The L3VPN BGP configuration (vrfs and VPNv4) remains the same as in MPLS L3 vpn.

          some key points:
          you don’t use LDP, you only have VPN label no transport, all devices are PE’s no P routers.

          2547oDMVPN (MPLSoDMVPN)
          In the DMVPN per vrf approach, a separate DMVPN overlay needs to be created for each VRF. The MPLS VPN over DMVPN (2547oDMVPN) approach addresses this scaling limitation by using a single DMVPN overlay instead. In this approach the GRE tunnels are created outside the VRFs. A single DMVPN overlay can carry multiple VRFs.

  6. Greetings from Sweden!

    I would vote for MPLS L3VPN. MPLS is not a new technology 🙂 Nowadays you can find quite many CCIEs who with a little training can handle MPLS stuff.
    I have seen GRE tunnels. if there are few in a router, the config can be quite messy and hard to troubleshoot if there is routing problems etc. Go 4 MPLS.

    BR, Murad

  7. Certainly not a clear-cut answer on this… MPLS is definitely more complex initially for your typical enterprise, but it is far more scalable. The answer really depends on the customers network topology, what they are trying to accomplish, their engineering and support staff expertise/experience, and their network management capabilities.

    With both solutions you have the same complexity on the edge with VRF definitions, and everything that goes along with it. The scalability issues involve the manual configuration of multiple GRE tunnels and DMVPN clouds that you could end up with. MPLS is designed for any-to-any “dynamic” connectivity, so once the core is in place adding functionality at the edge is relatively easy.

    Of course you could even do 2547oDMVPN, but then you’re double encapsulating and may not be able to reach all locations (depending on the topology). I’d be interested to see this in a large deployment with RRs deployed. Lots of potential issues to look out for here.

    I have most often seen IPSEC and GRE (or some form of encryption) used on enterprise and mil networks because if there is a requirement for logical isolation from the “normal” network then it is usually driven by a security requirement. Usually something like POS systems in retail space, process control networks in the energy sector, or classified networks for gov/mil will employ a GRE over IPSEC overlay solution to provide connectivity between locations where complete physical isolation is not practical.

  8. There is no black and white answer for this.

    I believe it all boils down to

    i. Customer’s technical requirements
    ii. Budget
    iii. Future plans (Expansion)
    iv. In house technical expertise

    1. Hi Jigar, first welcome.In network design we never have black or white so you are definitely right.

      We are trying to define the tradeoffs and in which case and for the requirements, which architecture should be deployed we are trying to find, as I have seen these technical discussion will be useful , your inputs proved it to me 🙂

      Hope to see your continuous participation

  9. I have just finished a “design” with a customer using VRF lite and gre instead of MPLS.
    The equipment used in the design was cisco switches which don’t run full MPLS.
    The equipment was ordered prior to the design (which seems to be the norm these days)
    The comments of the customer were,
    Next time well budget for proper MPLS equipment and deploy proper MPLS.

    1. How many VRF they have and how many devices end to end you had to deploy ? Surely we don’t need name of the customer but little bit about topology as well please ?

  10. 2457oDMVPN ,
    This can be useful if the customer has bought a managed MPLS service that goes too all sites
    They don’t have the budget to buy another VPN
    And they need to Create a sub-set of their current network , with let’s say extra security
    You can deploy this as an overlay over the current network.
    Sure, it’s dirty, but it provides a solution, even though we learned from a limited deployment that it would be really difficult to scale

    1. Stephen,I think I need to write a post about 2457oDMVPN and then we should discuss that vs alternatives. It is extremely unnecessary I think but deserve separate discussion.

  11. Complexity is also coming from number of control plane protocols to handle. With GRE and VRF-lite you have 2 routing instances and many p2p or p2m GRE tunnels, which increase. Configuration is overhead but network is simple.

    When using MPLS L3 VPN you have more control plane to be involved. LDP, MP-BGP, Routing but its more scalabale, less config but more complex to manage and more knowledge required.

    GRE and VRFs has also trap. If you want to have multiple tunnels to the same destination in the same VRF for example to provide 3-4 separate security Zones for customer. devices that terminate tunnels need to support GRE keys.

    In MPLS you dont have this problem, because you always have one MP-BGP session from branch/site. MPLS L3 VPN is more scalable also. The problem is.. who will manage VRFs ? If we want to pay money to ISP for each new VRF.. then ok.

    Implementing 2547oDMVPN is very complicated to manage and require a lot of knowledge

    1. Greg , Probably you mean if you want to have a connection to same destination from different VRF , then you will need separate tunnel for each VRF.

      If the discussion only complexity Vrf over p2p gre is simpler than the second option, scalability is a parameter definitely.

      If you need multiple VRF and customer has provider managed L3 VPN, then there are many overlay solutions out there or CSC architecture is just for this ( hierarchical VPN ).

      Probably new debate I should start Overlays ( in the context of Hierarchical VPNs ) vs CSC ( Carrier Supporting Carrier )

      Writing all the drawbacks here wouldn’t be nice since more pole can benefit from the new discussion topic 🙂

  12. I agree Roy’s explanation, additionally I would like to add below items;

    L3VPN Benefits;
    -TE advantages such as
    Fast Re-route-Link Protection/Node Protection/Bandwidth Protection
    Link usage efficiency on core network with different LSPs
    Lack of RSVP technology
    -Scalability – Network can be extendable easier and simpler
    -Convergence time – we can use BFD, backup interface or multilink however during the path change, convergence time is linked to IGP/BFD timers.
    -Network Management – If we want to change a path for certain tunnel, metric manipulations effect whole core network. So the management point of view metric manipulations create complex configurations on our overall network.
    -Common Services – This is quite simple within Route target manipulations.

Leave a Reply

Your email address will not be published.