What is MPLS Layer 2 VPN? Architecture, Types and Benefits

A Layer 2 MPLS VPN (Multiprotocol Label Switching Virtual Private Network) is a provider service that extends a customer’s Layer 2 network (such as Ethernet, Frame Relay, or ATM) across a geographically dispersed MPLS backbone, so that disparate sites appear to be on the same local or wide area network segment.

The main feature that distinguishes a Layer 2 MPLS VPN is that the service provider (SP) does not handle customer routing. Customers keep total control over the transport and routing protocols they run over the SP’s transparent Layer 2 service. The customer manages their own IP routing, and the provider network is opaque to customer edge (CE) device operation.

Architecture and Core Components

Three primary device types are involved in a Layer 2 MPLS VPN within the provider network:

  • Customer Edge (CE) Device: A customer router or switch that is linked to the MPLS network. CEs are configured as though they were connected to a shared link and do not use MPLS.
  • Provider Edge (PE) Device: The edge router in the provider network that links directly to the CE device. PE devices keep the VPN state. They are responsible for encapsulating client Layer 2 frames into MPLS packets and decapsulating them upon exit.
  • Provider (P) Device: The backbone’s central MPLS label-switching router. P devices simply need a baseline MPLS configuration to perform basic MPLS switching functions; they are not aware of Virtual Private Networks.

Operational Mechanism: Pseudowire and Labels

The Pseudowire (PW) concept, which simulates a Layer 2 service (such as a shared LAN or leased line) over the Packet Switched Network (PSN) or MPLS core, is a key component of Layer 2 VPNs.

  • Encapsulation (Ingress PE): When a CE device sends a Layer 2 frame (e.g., Ethernet) to the ingress PE router, the PE encapsulates the frame and adds a two-layer MPLS label stack:
    • Outer Label (Transport Label): This label tells the core P devices how to switch the packet along a Label Switched Path (LSP) across the MPLS backbone to the destination PE router. The PE loopback address is linked to this label.
    • Inner Label (VC/VPN Label): This label identifies the specific customer’s VPN service (the pseudowire) and the interface on the egress PE router to which the frame should be delivered.
  • Core Transport: Without conducting an IP lookup or requiring knowledge of the customer’s Layer 2 payload, P routers simply analyze the Outer Label while carrying out conventional MPLS label switching.
  • Decapsulation (Egress PE): The packet usually reaches the egress PE after the penultimate P router has removed the outer label via Penultimate Hop Popping (PHP). The egress PE then uses the remaining Inner (VC) Label to determine the correct Layer 2 service and forwards the original frame to the destination CE device.

Note on MTU: Layer 2 VPNs do not support fragmentation in the provider network. The MTU of the provider network must therefore be set to accommodate the largest customer frame after the PE devices have added the MPLS and Virtual Routing and Forwarding (VRF) labels.
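
The label operations and the MTU constraint described above can be traced end to end in a short simulation. This is an added example, not code from the original page: the label values, forwarding tables and the circuit name "ac-to-CE2" are constructed for illustration, and it models only the two labels the page describes.

```python
import struct

def lse(label, tc=0, s=0, ttl=255):
    """Pack one 32-bit MPLS label stack entry: label(20) TC(3) S(1) TTL(8)."""
    return struct.pack("!I", (label << 12) | (tc << 9) | (s << 8) | ttl)

def parse_lse(packet):
    (word,) = struct.unpack("!I", packet[:4])
    return {"label": word >> 12, "tc": (word >> 9) & 7,
            "s": (word >> 8) & 1, "ttl": word & 0xFF}

def ingress_pe(frame, transport_label, vc_label, core_mtu):
    """Push the inner VC label (bottom of stack, S=1), then the outer label."""
    packet = lse(transport_label) + lse(vc_label, s=1) + frame
    if len(packet) > core_mtu:  # no fragmentation in the provider network
        raise ValueError(f"{len(packet)} bytes exceeds core MTU {core_mtu}")
    return packet

def p_router(packet, lfib):
    """Switch on the outer label only; an entry of None models PHP (pop)."""
    top = parse_lse(packet)
    out_label = lfib[top["label"]]
    if out_label is None:
        return packet[4:]
    return lse(out_label, top["tc"], top["s"], top["ttl"] - 1) + packet[4:]

def egress_pe(packet, vc_table):
    """Map the remaining VC label to an attachment circuit and strip it."""
    vc = parse_lse(packet)
    if vc["s"] != 1:
        raise ValueError("expected bottom-of-stack VC label")
    return vc_table[vc["label"]], packet[4:]

# Constructed sample data: label values, tables and circuit name are made up.
FRAME = bytes.fromhex("02000000000b" "02000000000a" "0800") + b"\x00" * 50
P1_LFIB = {24001: 24002}        # first P router: swap the outer label
P2_LFIB = {24002: None}         # penultimate hop: pop the outer label
PE2_VC_TABLE = {16: "ac-to-CE2"}

def demo():
    pkt = ingress_pe(FRAME, transport_label=24001, vc_label=16, core_mtu=1600)
    pkt = p_router(p_router(pkt, P1_LFIB), P2_LFIB)
    return egress_pe(pkt, PE2_VC_TABLE)

if __name__ == "__main__":
    circuit, frame = demo()
    print(circuit, frame == FRAME)
```

Each label adds 4 bytes, so a full-size 1514-byte Ethernet frame becomes 1522 bytes in the core; calling `ingress_pe` with a smaller `core_mtu` raises an error rather than fragmenting.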

Signaling and Control Plane

PE devices need both VPN-specific signaling and a baseline MPLS configuration (IGP, LSPs utilizing RSVP or LDP) in order to create a Layer 2 MPLS VPN.

Specialized signaling protocols are utilized by the control plane:

  • MPLS Baseline: An Interior Gateway Protocol (IGP) like OSPF or IS-IS provides reachability between provider loopback addresses, and an MPLS signaling protocol like LDP or RSVP signals the LSPs (Label Switched Paths) utilized for transport.
  • VPN Signaling:
    • BGP Signaling: Layer 2 VPNs use BGP signaling (family l2vpn signaling) between PE devices to convey Layer 2 site reachability, which automates the mapping of remote Layer 2 VPN sites to the appropriate LSP next hops. These are known as BGP-based L2 VPNs.
    • LDP Signaling: Pseudowires are typically signaled using a Targeted LDP (TLDP) session between the PE routers to advertise the VC label associated with the PW. These are known as LDP-based L2 VPNs or Layer 2 circuits.

Types of Layer 2 MPLS VPNs

Layer 2 VPNs are categorized based on the connectivity model they provide:

| Type | Connectivity Model | Emulated Service | Key Technology |
|---|---|---|---|
| Virtual Private Wire Service (VPWS) | Point-to-Point (P2P) | A dedicated leased line (Virtual Leased Line – VLL). | Pseudowire (PW), also called Any Transport over MPLS (AToM). |
| Virtual Private LAN Service (VPLS) | Multipoint-to-Multipoint (MP2MP) | A shared Ethernet switch or LAN. | MAC address learning and forwarding across the MPLS cloud, emulating an Ethernet broadcast domain. |
| Ethernet VPN (EVPN) | Next-generation solution | Ethernet services. | Uses a BGP control plane for MAC distribution and learning, rather than traditional Pseudowires for unicast. |

Benefits

There are various advantages to Layer 2 MPLS VPNs, especially in terms of client control:

  • Customer Control: Over the provider network, the client can use proprietary or nonstandard transport protocols and retains complete routing control.
  • Transparency: Because the provider network offers transparent Layer 2 transport, link addressing and routing procedures are segregated between the customer and provider networks.
  • Application Support: They provide support for applications that particularly call for nodes to be located within the same Layer 2 network.
  • Scalability: Because VPN state is only kept on the PE devices and not the core P devices, MPLS-based VPNs are scalable.
  • Efficiency: MPLS supports Quality of Service (QoS) capabilities by optimizing bandwidth utilization and offering effective network traffic flow management.

Agarapu Geetha
My name is Agarapu Geetha, a B.Com graduate with a strong passion for technology and innovation. I work as a content writer at Govindhtech, where I dedicate myself to exploring and publishing the latest updates in the world of tech.