MPLS VPNs – Layer 2 or Layer 3, Understanding the Choice

The Basics


It is easy to lose sight of the purpose of MPLS VPN technology in the first place. The goal is simple: to build a network that, as much as possible, acts like an extension of the private corporate network on a service provider's shared network infrastructure. The result, ideally, is a fast and efficient means of making scattered places seem just like local sites, from workers' homes to branch offices.

MPLS, designed to scale IP networks, is a natural choice for virtual private networks. Supporting multiple private networks on a shared infrastructure suggests immediate scaling problems for both Layer 3 and Layer 2 networks. On a Layer 3 network, asking each router on the network to potentially support thousands of different routing tables (one for each virtual private network, in addition to those of the public network) is an interminable option.

Layer 2 networks, on the other hand, have a different scaling problem: they lack the scope of routed networks, limiting a Layer 2 implementation to the confines of the transport medium. Certain link-layer protocols, like Ethernet, also have scaling limits that reflect their LAN origins (i.e., the 4095 VLAN limit). For each of these problems, MPLS can help.

The Layer 3 Approach

The Layer 3 VPN MPLS implementation is an early leader. The BGP model is based on an IETF Request for Comments (RFC) 2547, and these "2547 VPNs" have already been implemented in several major carrier networks, including parts of the IP/MPLS backbones of AT&T, Bell Canada, and Global Crossing.

How does a 2547 VPN work? As the RFC explains, "MPLS is used for forwarding packets over the backbone, and BGP is used to distribute routes over the backbone." Each 2547 VPN is really a private IP network, with modified private IP addresses for each of the Provider Edge (PE) routers immediately connected to the customer site. The route to each of the sites on the private network is distributed using the familiar BGP routing protocol.

The relationship between the PE router and the Customer Edge (CE) router is the truly distinctive aspect of 2547 VPNs. The CE router becomes a peer of the PE router (and not a peer to the other CE routers). The CE router provides the PE router with route information for the private network. The PE router, in turn, must be capable of storing multiple private routing tables - one for each customer connection - along with the usual public Internet forwarding information.

MPLS handles the forwarding between the nodes on a 2547 network (in this respect, Layer 2 and 3 VPN approaches are identical). This MPLS forwarding role is crucial because it means the routers in the core of the network ("P" routers) need not know about the routes connecting the 2547 private network. A 2547 network uses a two-level label stack - the ingress PE router pushes both a Next-Hop BGP header (for the private network) and a Next-Hop Interior Gateway Protocol (IGP) header (for the shared infrastructure) onto the packet. After reaching the egress PE router via one or more MPLS Label Switched Paths (LSPs), the PE pops the MPLS headers and delivers a normal IP packet to the customer.

What is to be made of the RFC 2547 approach? It has great potential. It takes advantage of the ubiquity of IP networks and, like IP, runs over multiple transport networks. It also has strong automatic route discovery, which is important for dynamic VPNs.

On the other hand, several comparative limitations are also clear. The 2547 approach can be very demanding of provider edge routers. While not all 2547 deployments will necessarily require anything but a number of static routes, the potential for overburdening the network exists. For 2547-bis to truly scale, the next-generation of routers with expanded memory will need to be ubiquitous.

Layer 2 MPLS VPNs-A Different Philosophy

A different philosophy underlies Layer 2 MPLS virtual private networks [also known as Transparent LAN Services (TLS) or Virtual Private LAN Services (VPLS)]. The goal is the extension, rather than replacement, of existing Layer 2 VPN services. Instead of building a separate, private IP network and running traffic across it, Layer 2 VPNs take existing Layer 2 traffic and send it through point-to-point tunnels on the MPLS network backbone.

Both Layer 2 and Layer 3 MPLS VPNs rely on MPLS transport through the core. The principal difference lies in how PE-CE router relations are handled. In a Layer 2 MPLS VPN, the PE router is not a peer to the CE router and does not maintain separate routing tables. Rather, it simply maps incoming Layer 2 traffic onto the appropriate point-to-point tunnel. The result is best described as an "overlay" model as opposed to the Layer 3 "peer" model.

Analogies are tricky, but we might think of the wide area network as a mountain that must be traversed. A 2547 VPN is more like a separate railway system that must be boarded to traverse a network of mountain tunnels. The Layer 2 approach better resembles a series of simple car tunnels that go straight through the mountain without the transition to rail. As this comparison suggests, there might be different reasons to want each.

Crucial to the Layer 2 VPN model is a method for establishing simple point-to-point tunnels on an MPLS network that can handle various forms of Layer 2 traffic. Today, the industry is standardizing on the Martini drafts (named after Luca Martini from Level 3 Communications), which define point-to-point encapsulation mechanisms for Ethernet, frame relay, ATM, TDM, and PPP/HDLC traffic. Indeed, Martini interoperability between many MPLS vendors was conclusively demonstrated at iLabs testing at the Networld+Interop conference in September 2002. Still other Internet drafts have built on the Martini draft encapsulations to define frame relay and ATM operations and to define Ethernet Transparent LAN Services (VPLS).

Which Works Better Where?

The Layer 3 approach, as stated above, is ideally suited to "classic" ISP networks with existing core router deployments. It is a good fit for carriers serving large VPNs with changing locations, making automatic route discovery useful. The Layer 2 approach, on the other hand, is the preferred approach for networks that want to extend and scale legacy Layer 2 VPN deployments, transport-oriented carriers in general, or any situation with few VPN sites and static routes.

Many carriers are already be providing Layer 2 VPN services (over, say, frame relay or metro Ethernet) and are interested in scaling such services. In that case, the SP doesn't want a whole new VPN infrastructure, just a way to overlay Layer 2 traffic on MPLS/IP networks. For this task, Layer 2 MPLS VPNs are ideal.

Transport-oriented carriers also should prefer the Layer 2 approach. Again, the main difference with Layer 2 VPNs is at the PE router. Among other things, the Layer 2 approach eliminates the need to peer with CE routers and maintain multiple routing tables. This approach suits carriers that traditionally offer transport services and leave routing to the customer. VPN traffic is carried over an IP/MPLS network, without upgrading to expensive and specialized core routers at the edge. In addition, in a Layer 2 MPLS VPN, reachability is achieved in the data plane through address learning, rather than in the control plane through BGP route exchange.

Finally, where routes are likely to be static and private networks simple, the relative simplicity of the Layer 2 approach is appealing. In a metro TLS scenario, for example, a network usually needs only to interconnect a few sites; a 2547 MPLS VPN may be overkill, from both a cost and complexity standpoint.

In the end, as MPLS VPNs are deployed, it is likely that carriers will choose Layer 2 and Layer 3 VPNs for many of the same reasons they decided to deploy Layer 2 or Layer 3 networks. The question of Layer 2 or Layer 3 deployment, like nature or nurture in human development, is likely to stay with networking for 

Leave a Comment