CISCO- MPLS, Layer 2 VPN, Layer 3 VPN?

JEDI

Lifer
Sep 25, 2001
OK, I'm reading about MPLS since my company wants to do a network via a cloud. Cisco:

"One of the main benefits of Multiprotocol Label Switching (MPLS) is enabling virtual private network (VPN) connectivity over a public packet-switching infrastructure."

1) You need MPLS to do VPNs?
2) What's the difference between a Layer 2 (frames) VPN and a Layer 3 (packets) VPN?

THX
 

cmetz

Platinum Member
Nov 13, 2001
MPLS is evil. Don't do it.

If you buy a L2 VPN, you're pretty much immediately locked into one telco as the vendor. The downside of this should be obvious. The upside is that it's all within their network and so there should be plenty of bandwidth at all needed points (or at least, they can see how much is there) and they have some ability to set up committed information rates (CIRs) or other QoS-type features and offer some real service level agreement guarantees backed by technology.

If you buy a L3 VPN, you can use any IP vendor you want. The smart thing, however, is to pick one tier 1 ISP (hint: if they advertise "tier 1" in their marketing, they probably aren't) and to keep as many tunnels as possible within their network -- crossing ISP peerings is where you normally run into trouble; keeping it within their network again means there should be enough bandwidth to go around. With L3 VPNs you get no particular guarantees from the telco, other than maybe on the tail circuits to each site.

L2 VPNs are expensive. L3 VPNs allow you to run over cheap ordinary IP service. L2 VPNs are typically intra-carrier only, while with L3 VPNs you can attach sites no matter what public IP carrier they use. L2 gives you more guarantees, L3 gives you much less. Note that L2 VPNs typically mean traffic separation but not normally encryption, while L3 VPNs typically mean you're also doing encryption. For company WAN traffic, you might really want encryption!

I'd recommend you do L3 VPNs unless you strongly believe you need otherwise.
 

JEDI

Lifer
Sep 25, 2001
What's wrong with MPLS?

The packet header is only analyzed once when it enters the network, instead of at each hop. That improves performance.
 

cmetz

Platinum Member
Nov 13, 2001
MPLS is ATM rehashed. ATM was mostly a dismal market failure, for a number of very good reasons.
Among them is that running a nontrivial L3 network on top of a nontrivial L2 network becomes a complexity nightmare.
Also among them is that there are too many knobs, things you can tweak and configure and get subtly wrong.
Also among them is that most real carriers' NOC staff have a hard time diagnosing IP routing correctly, and now you're throwing a whole new problem set at them, and expect them to figure out how to fix it?
And what benefit are you getting for all your trouble?

There are some very narrow problems for which ATM/MPLS are good solutions, but in general I'd avoid them like the plague.

> The packet header is only analyzed once when it enters the network, instead of at each hop. That improves performance.

The same story was told for ATM. It wasn't true in practice then, and isn't true in practice now. All routers worth anything and all ATM/MPLS switches worth anything do all their thinking about packets in hardware, and the thinking about packets part turns out to not be as big a constraint on performance as other aspects of the system.

A Juniper T640 can forward IP packets OR MPLS frames at 640Gb/s peak aggregate. The more commonly deployed Juniper M160/M40/M20 boxes similarly do IP and MPLS at the same performance.
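To make the "analyzed once" claim concrete, here is a small added example (not code from the thread or from any vendor) of the RFC 3032 label stack and a label-switched path: the ingress router classifies the IP packet once and pushes a label, every core router only swaps the top label, and the egress pops it. The label values, swap tables and the "payroll" payload are constructed for the demo; note that the IP packet rides through in the clear, which is the separation-versus-encryption point made earlier in the thread.

```python
import struct

# RFC 3032 label stack entry (32 bits): 20-bit label, 3-bit TC, 1-bit S (bottom of stack), 8-bit TTL
def encode_label_stack(entries):
    """entries: list of (label, tc, ttl); the last entry is marked bottom-of-stack."""
    out = b""
    for i, (label, tc, ttl) in enumerate(entries):
        s = 1 if i == len(entries) - 1 else 0
        word = (label << 12) | (tc << 9) | (s << 8) | ttl
        out += struct.pack("!I", word)
    return out

def decode_label_stack(data):
    """Return (entries, payload_offset); reading stops at the bottom-of-stack bit."""
    entries, off = [], 0
    while True:
        (word,) = struct.unpack_from("!I", data, off)
        off += 4
        label, tc, s, ttl = word >> 12, (word >> 9) & 0x7, (word >> 8) & 0x1, word & 0xFF
        entries.append((label, tc, ttl))
        if s:
            return entries, off

def forward_lsp(ip_packet, fec_label, swap_tables):
    """Ingress pushes the label chosen for the packet's FEC; each LSR in swap_tables
    maps incoming label -> outgoing label (None = egress, pop and deliver).
    Returns (trace of (hop, label seen), payload delivered at egress).
    The IP header is never looked at after the ingress classification."""
    pkt = encode_label_stack([(fec_label, 0, 64)]) + ip_packet
    trace = []
    for hop, table in enumerate(swap_tables):
        entries, off = decode_label_stack(pkt)       # only the top label is examined
        label, tc, ttl = entries[0]
        trace.append((hop, label))
        out_label = table[label]
        if out_label is None:                         # egress LSR: pop, hand over the IP packet
            return trace, pkt[off:]
        pkt = encode_label_stack([(out_label, tc, ttl - 1)]) + pkt[off:]
    raise ValueError("LSP not terminated by an egress entry")

# Constructed demo: a fake IP packet carrying a cleartext payload
DEMO_IP_PACKET = b"\x45\x00\x00\x2c" + b"payroll-q3.csv"
DEMO_TABLES = [{100: 200}, {200: 300}, {300: None}]   # LSR0, LSR1, egress

if __name__ == "__main__":
    trace, payload = forward_lsp(DEMO_IP_PACKET, 100, DEMO_TABLES)
    print(trace, payload)
```

Each LSR's table maps only labels, so the provider's label tables (not any cryptography) are what keep one customer's packets apart from another's.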
 

JEDI

Lifer
Sep 25, 2001
So speed is no longer the driving force for MPLS. I've read the new driving force for MPLS is Layer 3 VPN + TE? (Um... what's TE?)
 

cmetz

Platinum Member
Nov 13, 2001
The driving force behind MPLS is ATM experts who need jobs.

MPLS is used by many telcos for their managed L2 VPN services. Traffic Engineering is basically QoS and within a single carrier's private network it can be a real benefit of L2 VPNs (see my original post).

The traditional IP solution to the QoS problem is to simply have plenty of bandwidth. If there's more than enough capacity to go around, everyone gets good service, and so there's no need for complex ways to allocate the service. Within the network of a tier-1 ISP, they have plenty of bandwidth, and hence QoS is basically a non-issue. Crossing ISPs, or being in the network of a lower-tier ISP, you may run into congestion loss, and that could be a problem.