Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

MPLS "VPN" - really a VPN?

I keep reading about the MPLS VPN, including a recent Cisco document. They keep referring to MPLS VPNs, but the closest reference to any real VPN was to "Layer 2 VPNs". What L2 VPN? The best that I could decipher was some possible inference to L2TP and/or PPTP encoding (etc.) - maybe. Or not. WPA is probably the only real L2 VPN tech (other than the rare Ethernet encryptors). Most descriptions of MPLS VPNs actually sound similar to VLANs (which is also L2 tech), since the MPLS seem to be isolating similar to VLAN.


Re: MPLS "VPN" - really a VPN?


what is a real VPN?

Virtual Private Network - the term does not imply and technology on how to achieve "Virtual" or "Private".

Especially there is no implied need for any type of encryption, though IPSec based VPNs have somewhat "occupied" the term.

In the above sense even a T1 is a "Layer 1 VPN" - it is indeed multiplexed into possibly a STM64 together with a huge number of other T1. So it´s "Virtual", because you do not have your own pair of wires spanning the US. It´s "Private", because the multiplexers take care that you will finally see only your own T1 frames.

MPLS L3VPN achieve the "Virtual" by sharing several customers on one MPLS/IP backbone infrastructure. The "Private" is achieved with the help of data structures like RD and RT on the control plane and with the help of labels on the data plane.

It is called Layer3 VPN, because it is an IP routing solution transporting customer IP packets.

There are also MPLS Layer2 VPNs (like Ethernet over MPLS) transporting customer Layer 2 frames.

Hope this helps! Pease rate all posts.

Regards, Martin

Community Member

Re: MPLS "VPN" - really a VPN?

I agree that Virtual seems to imply encryption, while not strictly specified. I see how L1 isolation could be similarly described as VPN. Good. I suppose I shouldn't have focused on encryption. I would make comment, as you seem to say, that too much focus is placed on IPSec and (especially) SSL/TLS as 'VPN'. I know that the need is for full spectrum solution across all layers. I know IPSec, DNS, RADIUS, TLS, kerberos, and so on. I'm trying to gain insight and comfort with MPLS and how it fits into the big (full spectrum) security/network solutions that I must devise. Thanks again.

Re: MPLS "VPN" - really a VPN?


just a small clarification (from a non-native english speaker): I didn´t want to say that there is too much focus on encryption. It has it´s place and is inevitably needed in some places. MPLS is no replacement for it but goes well along.

What I wanted to say is that the term VPN linuistically is "occupied" by the encrypted VPNs thus causing some confusion amongst some "MPLS beginners". When you can accept the idea that the term "VPN" is not equal to "IPSec", it is easier and less confusing, when dealing with MPLS L3VPN and MPLS L2VPN.

Cheers, have fun with MPLS (or any other VPN technology),


Community Member

Re: MPLS "VPN" - really a VPN?

your english was fine.... and I suppose I myself shouldn't have blurred the line between VPN and encryption. I am just trying to gain some clarity with MPLS VPN, since the term 'VPN' has various uses. The understanding is as I suspected, that MPLS VPN is used in (the pure sense) of VPN focused on isolation.

That being said, I would like to see information on the robustness of the MPLS VPN approach. For example, Layer 2 VLAN protocols have had known security problems (probably resolved since; might have been vendor specific if I recall correctly). For example, with MPLS VPN, what are the strengths, and what are realistic security expectations or limitations.


Re: MPLS "VPN" - really a VPN?

Hi there,

First: Here's a MPLS FAQ for beginners

When it comes to info on the security of MPLS VPN's, take a look at this document (written by a Cisco-employee):

M. Behringer, Analysis of the Security of BGP/MPLS IP Virtual Private Networks (VPNs), Internet informational RFC 4381, February 2006.

"This document analyses the security of the BGP/MPLS IP virtual private network (VPN) architecture that is described in RFC 4364, for the benefit of service providers and VPN users.

The analysis shows that BGP/MPLS IP VPN networks can be as secure as traditional layer-2 VPN services using Asynchronous Transfer Mode (ATM) or Frame Relay. This memo provides information for the Internet community."


Did it help? If so, please rate it.

CreatePlease to create content