L3 MPLS VPNs: What do you think?

marikakis
Level 7

Hello,

This is not a conversation about a particular network issue related to L3 MPLS VPNs. I just wanted to listen to experiences of people here with the particular solution and I am trying to get a feeling of the popularity of the solution.

I will start first. According to literature (and cisco press in particular), L3 MPLS VPNs are very popular (if not the most popular MPLS application). I am having a hard time to believe that. There are advantages, but I think the setup and troubleshooting are quite complex. I admittedly like routing and I like thinking about hard routing scenarios. However, in the best case those scenarios are a plain intellectual challenge and in the worst case a plain headache. I think the person who tries to solve an issue has to think about a lot of factors and lots of protocols. I don't know, perhaps if BGP was the only PE-CE routing protocol, the solution would be more elegant.

Probably L3 MPLS VPNs apply well to remote access in VPN scenarios. I cannot think of any other case where L2 MPLS VPNs cannot be an alternative solution that also provides a clean separation between customer and provider routing. In addition, redistribution between IGP and BGP has been upgraded from a better avoided practice to an actually needed one.

In my previous job we have been working in software development for automating the generation of configuration for various VPN scenarios and topologies using a very simple web GUI. Still, even with such a tool available, administrators seemed to prefer L2 MPLS VPNs (especially in hub and spoke topologies). I guess the tool could not help if they had to resolve routing issues.

What do you think? Do you like L3 MPLS VPNs? Are they really so popular? Do customers really like them and am I lucky enough to not have to deal with them daily at this point of my life? :-)

Kind Regards,

Maria

Accepted Solutions

Harold Ritter
Cisco Employee

Maria,

See comments in-line.

I will start first. According to literature (and cisco press in particular), L3 MPLS VPNs are very popular (if not the most popular MPLS application). I am having a hard time to believe that. There are advantages, but I think the setup and troubleshooting are quite complex. I admittedly like routing and I like thinking about hard routing scenarios. However, in the best case those scenarios are a plain intellectual challenge and in the worst case a plain headache. I think the person who tries to solve an issue has to think about a lot of factors and lots of protocols. I don't know, perhaps if BGP was the only PE-CE routing protocol, the solution would be more elegant.

HR> L3vpn is indeed a very popular service and by far the most widely deployed of all MPLS based services. It can be complex sometimes and one needs to try to keep it simple. As you mentioned, it is much simpler when BGP is used as a PE-CE protocol and most SPs have that as their main policy (either static or BGP).

Probably L3 MPLS VPNs apply well to remote access in VPN scenarios. I cannot think of any other case where L2 MPLS VPNs cannot be an alternative solution that also provides a clean separation between customer and provider routing. In addition, redistribution between IGP and BGP has been upgraded from a better avoided practice to an actually needed one.

HR> By network access, I believe you mean branch network access for instance, right? L3vpn is as far as I am concerned the only MPLS based service that can support and scale these types of deployment, where you very often have thousands of remote sites to aggregate into a few data centers. This type of service brings in lots and lots of money to large SPs.

In my previous job we have been working in software development for automating the generation of configuration for various VPN scenarios and topologies using a very simple web GUI. Still, even with such a tool available, administrators seemed to prefer L2 MPLS VPNs (especially in hub and spoke topologies). I guess the tool could not help if they had to resolve routing issues.

HR> It is true that using the right provisioning tools can help in managing these networks. Bringing network staff up to speed on MPLS and its services is also an absolute requirement for any serious SP considering deploying such services and I realize that there is a cost that comes with it.

What do you think? Do you like L3 MPLS VPNs? Are they really so popular? Do customers really like them and am I lucky enough to not have to deal with them daily at this point of my life? :-)

HR> I personally do like L3vpn and I have seen many very successful deployments throughout the last 8 to 9 years. As I stated before, it does make a lot of sense from a business point of view, as it allows SPs with many different cores to converge into a single core, which was one of the goals behind the technology.

Regards

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

9 Replies

shivlu jain
Level 5

Hi Maria

You are quite right about the advantages and its complex troubleshooting part. But as per me, to troubleshoot MPLS VPN is really an easy one. It's not hard to do the troubleshooting in MPLS VPN; in fact it's really awesome. Every concept is similar to plain vanilla routing except labels. If you are clear with the label concepts then you can easily reach the destination.

Regarding BGP, it is one of the best protocols in the PE-CE case. One can do anything with BGP in terms of manageability.

L2 VPN is not a well cleaned solution but it works fine. Doing troubleshooting is one of the hardest parts in L2VPN, but most of the customers are looking for the solution.

As per me, I like MPLS L3VPN the most and it is really so popular. Customers also like it because they get their individual routing domain within the SP domain and can run any IP schema with a combination of any protocol.

Because of the popularity of MPLSVPN I started my blog which is fully dedicated to MPLS.

http://shivlu.blogspot.com

regards

shivlu jain

Shivlu,

Thanks for your reply.

For everybody: I might not respond to each and every one of you. I am not trying to convince you that my view is the correct one. I just want to hear your opinions and experiences and I will be rating them as offered opinions (the issue to resolve here is me to be able to listen to you :-)

Kind Regards,

Maria

Mohamed Sobair
Level 7

Hello Maria,

Let's take it like below:

a) L3 from the perspective of the Provider:

1) It's easier to provision.

2) No need for full mesh point-to-point links.

3) Security breaks are likely to occur.

4) Added overhead (additional administrative config overhead).

5) Reduces cost.

6) Security precautions have to be taken into account.

b) L3 from the perspective of the Customer:

1) Requires specific hardware and memory.

2) Requires the customer to participate in L3 routing.

3) Customers don't usually like to implement it due to security reasons.

4) Securing their network at layer 2 and layer 3 is required for sensitive applications belonging to certain organizations.

5) Administrative overhead.

c) L2 from the perspective of the Provider:

1) Doesn't require the provider to participate in the customer network.

2) Less administrative overhead than L3 VPN.

3) Requires a full mesh of L2 VPN point-to-point links if multiple sites are involved.

4) Not easier to provision if controlling traffic between sites is required, like (Hub and Spoke), (Central Services), (Overlapping).

5) If multiple sites are involved, cost increases.

6) Better security control than L3.

d) L2 from the perspective of the Customer:

1) More secure.

2) Less administrative overhead than L3.

3) The requirement for special hardware/memory is minimized.

4) If multiple sites are involved, multiple dedicated point-to-point L2VPNs are required.

5) Therefore, additional cost takes place if (4) is applicable.

The conclusion: It really varies and depends on the requirement. If, for example, it's a point-to-point link, I would go for a point-to-point L2VPN. If it's more than 2 sites requiring full mesh, then L2VPN is also applicable.

If better control of traffic or partial mesh is required for more than 2 sites, then L3 VPN is the most appropriate solution.

HTH

Mohamed

Mohamed,

Thanks for your reply. It also depends on personal opinions of engineers. In my previous job, at some point, network engineers were discussing an issue with a hub-and-spoke scenario implemented with L2 p2p VPNs. Traffic would flow back and forth and waste bandwidth at a central point in the VPN, so I dared to suggest some rearrangement using an L3 VPN solution for optimal traffic flow and they freaked out! :-) Specific security reasons dictated the hub-and-spoke design, but still I got a feeling that they thought of the L3 VPN solution as being worse than the p2p implementation.

Kind Regards,

Maria

p.s. Thank you all for your interest in this discussion so far. And to clarify one point: the security reasons did not have to do with data privacy so much, but rather the fact that it was a school environment and content had to be checked at a central location to ensure some level of appropriateness for non-adult students.

Giuseppe Larosa
Hall of Fame

Hello Maria,

My experience is different.

Actually, in my current job I have been hired for my experience on MPLS and MPLS L3 VPN.

In my previous job we developed a GUI based semi-automated tool for MPLS L3 VPN.

I can say the incumbent operator in my country has dedicated route reflector servers for the vpnv4 address family, hundreds to thousands of customers, hundreds of thousands of vpnv4 routes: I think this is a sign of clear popularity.

Last news from my ex colleagues is that they are deploying/adapting the tool for provisioning MPLS VPN and VRF sites to

MPLS L3 VPN with the peer-to-peer model provides clear scalability benefits when the number of sites is not small.

A new site can be added without changing the configuration of all the other sites and this is a key difference with overlay VPN model either done with FR, ATM or a collection of p-t-p EoMPLS links.

The comparison should be done with a VPLS solution.

If the sites are a few with high or very high speed requirements a L2 VPN service can be preferred.

For example instead of a CSC scenario an EoMPLS service to connect can be attractive.

In addition with L3 VPN you can implement constrained connectivity models using multiple route targets and different import / export.

My current customer is a big enterprise where the ICT department acts as a service provider for other groups and MPLS L3 VPN is used to consolidate dedicated networks over the single backbone (instead of deploying dedicated backbone infrastructures).

Here they also use MPLS VPN as a tool for security.

Hope to help

Giuseppe
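
The constrained connectivity that multiple route targets with different import/export provide, and the hub-and-spoke requirement raised earlier in the thread, can be audited mechanically. The following is an added example, not code from any poster or from Cisco: site names and route-target values are constructed, and the model assumes plain route-target matching with no re-export of spoke routes by the hub.

```python
# Constructed sample policy: site names and route-target values are made up.
GOOD = {
    "hub":     {"export": {"65000:100"}, "import": {"65000:200"}},
    "spoke-a": {"export": {"65000:200"}, "import": {"65000:100"}},
    "spoke-b": {"export": {"65000:200"}, "import": {"65000:100"}},
}
# Same policy with one mistake: spoke-b also imports the spokes' route target.
BAD = {**GOOD, "spoke-b": {"export": {"65000:200"},
                           "import": {"65000:100", "65000:200"}}}


def imports_from(vrfs):
    """Map each site to the other sites whose exported routes it imports."""
    return {
        name: {other for other, o in vrfs.items()
               if other != name and o["export"] & v["import"]}
        for name, v in vrfs.items()
    }


def audit_hub_and_spoke(vrfs, hub):
    """Return (leaks, isolated) for a hub-and-spoke intent.

    leaks:    (importer, exporter) spoke pairs where routes bypass the hub.
    isolated: spokes lacking two-way route exchange with the hub.
    """
    imp = imports_from(vrfs)
    spokes = sorted(n for n in vrfs if n != hub)
    leaks = [(s, o) for s in spokes for o in sorted(imp[s]) if o != hub]
    isolated = [s for s in spokes if hub not in imp[s] or s not in imp[hub]]
    return leaks, isolated


if __name__ == "__main__":
    for label, policy in (("good", GOOD), ("bad", BAD)):
        print(label, audit_hub_and_spoke(policy, "hub"))
```

A non-empty `leaks` list means a spoke learns another spoke's routes directly, so traffic in that direction would not pass the central inspection point.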

Giuseppe,

I am enthusiastic about your reply. When I was working in an ISP, MPLS had just begun to creep in, but I soon changed my job and I do not have a good view now of what's going on (so I opened this conversation). I do have friends in that ISP, but those are heavily focused on DSL and they ignore me when I say BGP, MPLS and the like :-)

I only have one comment regarding VPLS. I just do not like it yet. When I was cooperating with a colleague to develop the automated VPN configuration tool, she was more specialized in web development and I knew more about configurations. When she asked me what was the difference between AToM and VPLS configurations I told her: most of the VPLS config is rather constant (except a few parameters the tool has to dynamically determine) and the rest is like when you create a full mesh of AToM VCs (you just say 'neighbor' instead of 'xconnect' to LDP peer)! She wrote the code right away :-)

Kind Regards,

Maria

p.s. Code also had to check if VPLS is supported in specific GSR linecards. As far as I know VPLS support is limited in other platforms as well.

Harold,

You responded just about the time I was wondering where you were! :-)

I guess now all the usual MPLS suspects (as Paolo would say) have responded.

Keep up the good work!

Kind Regards,

Maria

p.s. I know I said that there is no issue to resolve, but this is a tribute to Harold for his work so many years in the forum!

Thanks Maria for the good word.

Harold Ritter