Table of Contents

Cisco CCDE v3 Training

71:39:25 Hours
226 Lectures


MPLS Zero to Hero Training

30:07:04 Hours
52 Lectures


Cisco CCIE Service Provider Training

96:02:27 Hours
242 Lectures


MPLS over IP Encapsulations and Comparison between MPLS over LSP

MPLS over IP Encapsulations - Do you need an LSP for MPLS ? In this post, I will go through below topics. This is one of the points which network engineers struggle to understand as I have seen.  

  • What is an LSP (Label Switched Path) ?
  • What was the purpose of having LSP in the first place?
  • Do we need an LSP for MPLS and MPLS Applications such as 2547 VPNs ?
  • MPLS over LSP vs. MPLS over IP Encapsulations
  • MPLS VPN infrastructure in 2017

What is an LSP
  LSP is a tunnel between the edge devices in very basic definition. There are many discussions whether LSP is a tunnel, in this post I will not start that discussion again. Edge devices in MPLS network is called PE (Provider Edge) devices. LSP can be created with four ways. LDP, RSVP-TE, BGP+Label (BGP-LU) and IGP Advertisement (Segment Routing/Spring uses this concept)  

What was the purpose of having LSP in the first place ?
  Before LSP, we had IP based lookup. It is also called as destination based lookup. Since the IP header is 20 byte(Without options), back in old days routers were having a performance issue. They needed a simple lookup to increase the packet processing performance, so MPLS was born. Of course today MPLS is used mostly for the VPNs and Traffic Engineering but initial purpose was performance.  

Do we need an LSP for MPLS and MPLS Applications such as 2547 VPNs ?
  In the below figure, nodes are in MPLS networks shared. As I stated above, LSP is created between the edge devices which are PE devices. When you have a tunnel or encapsulation between the edge devices, you can hide the customer prefixes from the core devices. That’s why when you have an LSP, P devices don’t have to keep the customer specific information. So, LSP is used to hide the service specific (customer MAC address/IP address etc.) from the core network and require reachability between PE devices. (Unless you statically configure them through NMS as in the case of MPLS-TP which doesn’t require IP control plane)

But, what if we don’t have an LSP in the network. We just need a connectivity between the PE devices, right? So if I have IP connectivity between the PE devices, can I setup MP-BGP VPNv4 session for example ?. Yes of course. We can setup VPNv6 and other BGP address families as well. So, we can provide MPLS Layer 3 VPN service over IP connectivity only.

Problem with this, P devices would know the customer prefixes. Thus, you could create GRE tunnel which would allow to hide the customer prefixes from the core of the network(P devices) and run MPLS over GRE tunnel. This would provide hiding customer prefixes from the core of the network without having MPLS in the core.

Of course GRE adds extra 4 byte header, so MTU would increase as well. MPLS can run over mGRE (Multipoint GRE) as well which brings scalability to the solutions as the GRE is point to point and in large scale brings operational complexity. Or you could run L2TPv3 between PE devices and run MPLS over L2TPv3.  

MPLS over LSP vs. MPLS over IP Encapsulations
  • IP core is considered as less secure compare to MPLS core. IP core is more vulnerable to Spoofing Attacks for example, compare to MPLS core.
  • IP header is 16 byte more than MPLS header, which is less efficient compare to MPLS core. At least performance point of view.
  • MPLS over IP encapsulations might create interoperability issues due to multiple encapsulation options (IP, GRE, L2TPv3)
  • MPLS over IP doesn’t hide the customer specific information from the core devices but MPLS over LSP does. (MPLS over GRE and L2TPv3 hides as well)
  • MPLS over IP encapsulations can be used as migration mechanisms. If your network doesn’t have an LSP today, by starting MPLS at the PE nodes and running MPLS over IP and then you can continue with the core nodes for the migration.
MPLS VPN infrastructure in 2017
Enough theory I guess. Because today in almost any network which provides MPLS VPN service, they use LSP rather than IP. Although it is possible to create MPLS Layer 3 VPN for example over IP core, everyone uses LDP and/or RSVP-TE for Labeled Switched Path and create MP-BGP (Multi Protocol BGP) session for the service over these LSPs.

Also IPSEC can run on top of any model. It can run with MPLS over LSP or MPLS over IP models and provide security. And as you might know MPLS over IP or MPLS over LSP doesn’t come up with confidentiality so there is no encryption by default. In my opinion it was important to know the alternative approaches and if you like this post, share/like/comment it on social media ?

Created by
Orhan Ergun

Orhan Ergun, CCIE/CCDE Trainer, Author of Many Networking Books, Network Design Advisor, and Cisco Champion 2019/2020/2021

He created OrhanErgun.Net 10 years ago and has been serving the IT industry with his renowned and awarded training.

Wrote many books, mostly on Network Design, joined many IETF RFCs, gave Public talks at many Forums, and mentored thousands of his students.  

Today, with his carefully selected instructors, OrhanErgun.Net is providing IT courses to tens of thousands of IT engineers. 

View profile