Orhan Ergun

A couple of days ago I received an email from one of my readers (Ahmet Eris) about his design. He had designed a network infrastructure for his customer and wanted me to take a look at it as well.

But I realized that Ahmet had a misunderstanding about the use of MPLS layer 2 VPNs, and I thought that briefly mentioning it could help my other readers as well.

Update: He allowed me to share his name publicly, so I have updated the post to include his name. Thanks Ahmet; with this post and the discussion in the comment section, you will most probably help other people as well.

In his topology, there were remote offices, each with only one router that terminates the MPLS and 3G links. The 3G link would be used as backup and MPLS as primary for all traffic types (data, voice and video).

Ahmet had two data centers which would be used as active-standby. The standby data center would work as the disaster recovery center.

In this post I won't go into detail about which technology would be more suitable for his customer's business; instead I want to touch on one very specific requirement.

I suggested that he use an MPLS layer 2 VPN service from the provider only if he wants to do IP traffic engineering, wants to control his WAN himself and not rely on the service provider, or wants a more flexible QoS design, better security, etc.

But surely MPLS L3 VPN takes the complexity away from the customer and hands it over to the service provider.

Ahmet understood the pros and cons of MPLS L2 and L3 VPN after our discussion and after reading this article from the blog, but one of his sentences inspired me to write this post:

"He wouldn't consider getting an MPLS layer 2 VPN because he doesn't want to extend all the end-device broadcasts."

Yes, an MPLS layer 2 VPN can give you the ability to extend your layer 2 between the sites, but in his topology he only needs to set up routing protocol neighborships between his routers. So layer 2 reachability is necessary only between the routers, not between the end devices.

The L3 interfaces are terminated on the routers, and the routing protocol between the routers works because there is IP reachability between them; the end devices behind each router stay in their own local broadcast domain. The MPLS L2 VPN might be implemented by the service provider as point-to-point, in which case two routers can talk only with each other, or as point-to-multipoint, in which case many of the customer routers are in the same layer 2 domain.
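To make the point concrete, here is an added example configuration (not from the original post and not Ahmet's design) of two Cisco IOS-style CE routers that peer OSPF directly over a provider point-to-multipoint L2 VPN. Hostnames, interface names, addresses and the authentication key are constructed placeholders. Only the WAN interfaces sit in the provider's shared layer 2 segment; each LAN is routed, so end-device broadcasts stop at the router and only OSPF hellos cross the L2 VPN.

```cisco
! --- Hub CE router at the primary data center (constructed example) -----
! The WAN interface is the only one in the provider-delivered L2 domain.
! The LAN behind GigabitEthernet0/1 is a separate broadcast domain, so
! end-device broadcasts never cross the L2 VPN; only OSPF hellos do.
hostname DC1-CE
!
interface GigabitEthernet0/0
 description WAN - provider L2VPN attachment circuit (shared segment)
 ip address 10.255.0.1 255.255.255.0
 ip ospf network broadcast
 ip ospf priority 255
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 PLACEHOLDER-KEY
 ip ospf 1 area 0
!
interface GigabitEthernet0/1
 description LAN - data center servers
 ip address 10.1.0.1 255.255.255.0
 ip ospf 1 area 0
!
router ospf 1
 router-id 10.255.0.1
 passive-interface GigabitEthernet0/1
 default-information originate always
!
! --- Remote office CE router (one of many on the same WAN subnet) --------
hostname SITE7-CE
!
interface GigabitEthernet0/0
 description WAN - provider L2VPN attachment circuit (shared segment)
 ip address 10.255.0.7 255.255.255.0
 ip ospf network broadcast
 ip ospf priority 0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 PLACEHOLDER-KEY
 ip ospf 1 area 0
!
interface GigabitEthernet0/1
 description LAN - office end devices (separate broadcast domain)
 ip address 10.7.0.1 255.255.255.0
 ip ospf 1 area 0
!
router ospf 1
 router-id 10.255.0.7
 passive-interface GigabitEthernet0/1
!
! 3G backup: floating static default with a worse administrative distance
! than OSPF (110), so it is installed only when the OSPF default learned
! over the MPLS L2 VPN disappears. The cellular dialer profile is omitted.
ip route 0.0.0.0 0.0.0.0 Cellular0/2/0 250
!
! Point-to-point variant: if the provider delivers a p2p pseudowire instead
! of a multipoint service, address the two WAN interfaces from a /30 and use
!   ip ospf network point-to-point
! on them; no DR/BDR election is needed in that case.
```

Two design choices are worth noting. The priority values keep the DR/BDR role at the hub (spokes with priority 0 never become DR), which matters on a multipoint segment with many CEs. OSPF MD5 authentication and passive LAN interfaces matter more here than on a private link, because every CE shares one provider-delivered segment and you do not want an adjacency forming with anything other than your own routers.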

What about you?

Which MPLS VPN service would you get from the service provider, and in which case?

Do you have specific questions related to this design?

Leave your comment in the comment box below.

  • driss jabbar

    Hi Orhan,

    I have the same situation, where I have a hub and spokes topology with about 1000 spokes, and the spokes are using 3G connections. I asked the service provider to give me L2 VPN so I can control my boat, but he wouldn't do that. I got a small problem about multicast: the customer wants to convey multicast traffic between hub and spokes. I suggested using (DMVPN or FlexVPN) as an overlay. He said ok, but I would like to test it with BGP to not be tied to Cisco routers :). You will say it's possible by implementing GRE tunnels. Agreed. Now, using P2P or P2MP GRE, I will choose the second one (1000 spokes), but what if the router is not supporting P2MP tunnels :(.

    So yes, having L2VPN can solve a lot of stuff, but it will move complexity to the customer side.

    • An SP-provided L2VPN service can definitely simplify the customer's network, depending on size. You don't extend end systems across it though... you just have the CE routers appear directly connected so they can peer directly. It would potentially allow the customer to run a single routing protocol across their entire domain, which will decrease their convergence time. It also makes implementing mcast much simpler.

      • Good point. I didn't mention it, to keep this post shorter, but the reader initially wanted to use two routing protocols over the WAN.

        He was thinking of enabling BGP on the WAN and OSPF on the LAN.
        He would have to manage redistribution; for the redundant sites, he would have to manage forwarding loops; but most importantly he would probably lose the metric information, or try to use MED to reflect the IGP topology, and so on.

        But I suggested using only one routing protocol to simplify the design, of course.

        End-to-end path visibility would allow traffic engineering; still, depending on the size of the remote locations, only a default route could be sent to those locations, and so on.

    • Hi Driss,

      Although you have 1000 spokes, it can still give you the benefits of layer 2 VPNs, and you already know that.
      As I always say, modularity is the key and the number isn't important.

      Having 20 non-identical sites might be more complex than 1000 identical sites (configuration, protocol, etc.).

      It would ease your multicast configuration.

      Let's say you would want to continue with L3 VPN; in that case, doesn't the SP offer multicast support over L3 VPN?

      • driss jabbar

        As I said, I asked for the L2VPN but it's not offered, so using L3VPN won't answer the customer requirements. I explained that to him and the ball is in his camp :).

        I have a challenging question for all the orhanergun.net readers :p.

        I need a way to stop the 3G link automatically when I go above the quota given by the service provider. E.g. if I have 1G of data on my 3G link, then when I go above it I want my router to shut down this interface, because if not the provider will charge the extra amount, which is very, very expensive.

        • Use NetFlow for accounting, then an EEM type of script to shut it down when the threshold is exceeded.

          • driss jabbar

            I forgot to mention that the spokes are off by night, so the interfaces are reset.

  • Thanks for your support :)

    • Thanks Ahmet for allowing me to share the case

  • Ugur

    "I suggested that he use an MPLS layer 2 VPN service from the provider only if he wants to do IP traffic engineering, wants to control his WAN himself and not rely on the service provider, or wants a more flexible QoS design, better security, etc."

    Even this part alone is mostly sufficient to understand the difference between L2VPN and L3VPN. If the customer is willing to do its own routing, then providing L2VPN sounds cooler. Thank you and your friend for sharing this case.

    • Absolutely, although there are some other design decisions which might affect the decision process; at a high level this is enough for experienced engineers, IMO.

  • Jigar

    I have seen a few enterprise customers asking for VPLS service, as they want to control the WAN routing themselves.

    I asked one of those customers why they don't buy a fully managed L3 MPLS VPN solution. The guy explained his network: there were around 16 different VRFs in the network with various security policies, which is obviously easier to manage, control and troubleshoot in-house than by relying on a third-party provider.

    • Nice example, Jigar. Now someone will come here (Roy, don't! 🙂) and say that they could get L3 VPN and use it only for IP connectivity, create a DMVPN on top and then run 2547oDMVPN 🙂, or someone crazier can come and say CSC solves this!

      Why I was recommending L2 MPLS VPN to control your infrastructure should be obvious now. You can solve it in many ways, but you want to avoid unnecessary complexity (necessary is what we need and want).

  • Roy Lexmond

    Hahaha, I am only reading, not commenting, but I still don't agree; in my particular case 2547oDMVPN is nice. I will explain my case better, and if you then say no, ok, I believe you ;-);-)

    • 🙂 Your case and this scenario are different though, you know that, right?