Service Provider VPNs: Layer 2 Versus Layer 3 – WAN for the Enterprise
Layer 3 VPN service provides routed Layer 3 connections between sites. With Layer 3 VPNs, you exchange routes with the provider. Customer routes are exchanged from the customer edge (CE) routers to the provider edge (PE) router before entering the Layer 3 VPN. The service provider uses Border Gateway Protocol (BGP) for routing inside the Layer 3 VPN, and then routes are exchanged at each remote site from the PE router back to the CE router. Routing protocols such as OSPF and EIGRP are normally used at the exchange point between the CE and PE routers, but static or BGP routing can also be used. Multiprotocol Label Switching (MPLS) is an example of a Layer 3 VPN service.
Virtual Private Wire Services
Virtual Private Wire Service (VPWS) is a Layer 2 VPN technology commonly referred to as pseudowires. VPWS provides a point-to-point WAN link between two sites over an MPLS provider backbone. It’s similar in concept to leased-line service, except that the provider transports multiple customer VPNs on the MPLS equipment connecting your sites. Two popular VPWS use cases are connecting a pair of data centers and using point-to-point WAN transport for legacy services.
VPWS Layer 2 VPN Considerations
Several traffic considerations apply to the VPWS Layer 2 VPN service. It is important to understand whether the service will transparently pass all traffic, such as Spanning Tree Protocol frames as well as broadcast, unknown unicast, and multicast (BUM) traffic. Also, does the provider offer quality-of-service (QoS) mechanisms to prioritize voice, video, and critical traffic over best-effort traffic? Another consideration is the maximum transmission unit (MTU) size throughout the provider network for the Layer 2 VPN. If you are using VPWS for Data Center Interconnect (DCI), you might need to support jumbo frames within the provider network. In addition, you will want to make sure the provider is passing link loss signaling from end to end. This way, you can detect when the far-side link is down.
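The MTU consideration above is easy to get wrong because the pseudowire adds encapsulation on top of the customer frame. The following added example (not from the original text) computes the labeled packet size each IP/MPLS core hop must carry for a VPWS pseudowire, and flags hops whose MTU would silently drop jumbo DCI frames; the overhead constants are the standard encapsulation sizes, and the per-hop MTU list is constructed sample data.

```python
"""MTU budget for an Ethernet-over-MPLS pseudowire (VPWS).

Added illustration, not code from the original text. Overhead values are
the standard encapsulation sizes: 14-byte Ethernet header, 4 bytes per
802.1Q tag, 4 bytes per MPLS label, optional 4-byte control word.
The result is the labeled packet size (excluding the provider's own outer
Ethernet header) that every core interface must accept; MPLS does not
fragment, so an undersized hop drops the frame with no error to the CE.
"""

ETH_HDR = 14       # destination MAC + source MAC + EtherType (no FCS)
DOT1Q_TAG = 4      # one 802.1Q tag
MPLS_LABEL = 4     # label + EXP + S + TTL
CONTROL_WORD = 4   # optional pseudowire control word


def pw_core_mtu_needed(customer_payload_mtu, customer_tags=0, labels=2, control_word=True):
    """Labeled packet size the core must carry for a customer frame whose
    payload is `customer_payload_mtu` bytes. `labels` is the stack depth:
    transport label + VC label = 2; deeper if the provider adds more."""
    inner_frame = ETH_HDR + customer_tags * DOT1Q_TAG + customer_payload_mtu
    pw_payload = inner_frame + (CONTROL_WORD if control_word else 0)
    return pw_payload + labels * MPLS_LABEL


def max_customer_payload(core_mtu, customer_tags=0, labels=2, control_word=True):
    """Inverse: largest customer payload a core MTU of `core_mtu` supports."""
    overhead = (ETH_HDR + customer_tags * DOT1Q_TAG
                + (CONTROL_WORD if control_word else 0) + labels * MPLS_LABEL)
    return core_mtu - overhead


def check_dci_path(core_mtus, required_payload, **kw):
    """Return (hop_index, mtu) for each core hop too small for the required
    customer payload; an empty list means the path carries it end to end."""
    needed = pw_core_mtu_needed(required_payload, **kw)
    return [(i, mtu) for i, mtu in enumerate(core_mtus) if mtu < needed]


if __name__ == "__main__":
    # Constructed example: a DCI pseudowire carrying 9000-byte jumbo payloads
    # with one VLAN tag, across three core hops; one hop is still at 1500.
    hops = [9216, 1500, 9216]
    print("labeled size needed:", pw_core_mtu_needed(9000, customer_tags=1))
    print("undersized hops:", check_dci_path(hops, 9000, customer_tags=1))
```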
Virtual Private LAN Service
Virtual Private LAN Service (VPLS) expands on VPWS and defines an architecture that enables Ethernet Multipoint Service (EMS) over an MPLS network. VPLS allows for connecting Layer 2 domains over an IP/MPLS network, which emulates an IEEE Ethernet bridge.
Figure 8-12 depicts a VPLS topology in an MPLS network.
Figure 8-12 VPLS Topology Example
VPLS is a type of VPN that allows for the connection of multiple sites into a single Layer 2 domain over a managed IP/MPLS network. VPLS presents an Ethernet interface, which simplifies the LAN/WAN demarcation for service providers. This enables rapid and flexible service provisioning because the service bandwidth is not tied to the physical interface. All the VPLS services appear to be on the same VLAN, regardless of the physical locations in the WAN.
VPLS uses edge routers that learn Layer 2 domains, bridge them, and replicate them through the VPN. Within the IP/MPLS cloud is a collection of full-mesh connections providing any-to-any connectivity between sites. VPLS supports many of the new applications and services that need to be on the same Layer 2 network to function properly. Some services lack network-layer addressing or are transparent to the upper-layer protocols.