I would like to know what is the difference between the following VPN solutions:


Thank you
Hassan Besher Commented:
We have 2 types, L2 and L3 MPLS VPNs. The L3 VPN is named MPLS/BGP L3 VPN, and this is the most common type of MPLS VPN.
For Metro Ethernet we can use MPLS L2 VPN. MPLS L2 VPN is a great topic, much harder than MPLS L3 VPN. Whenever I'm teaching MPLS VPNs I start with L3 VPNs.
L2 VPNs are divided into 2 main categories: VPWS (Virtual Private Wire Service), also known as point-to-point VLL (virtual leased line) VPNs, and VPLS (Virtual Private LAN Service), a point-to-multipoint service.
From VPWS historically speaking we have:
- VLL in CCC mode - circuit cross connect
In this type of VPN you don't have an inner label for the customer service. You have only the outer label, and this label is manually allocated by the operator when building the VPN.
- SVC - static virtual circuit; this can be called simplified Martini mode
In this mode you have 2 labels: one for the LSP, announced by LDP, and one inner label configured by the operator. The inner label defines the virtual circuit and thus the customer service.
- VLL in Martini mode also known as EoMPLS service - this mode complies with draft-martini-l2circuit-mpls
In Martini mode, the VC type and the VC ID are used to identify a VC between two CEs. You will need extended remote LDP sessions between PEs to transmit the VC message. To transmit the VC message, an FEC is added with the type as 128.
I want to note here the presence of PWE3 (Pseudo-Wire Emulation Edge to Edge). VLL in Martini mode is a subset of PWE3 technology. PWE3 adopts the same signaling process as VLL in Martini mode but adds some new extensions on the data plane and control plane, and thus is more advanced and used today.
- VLL in Kompella mode
This mode adopts MP-BGP as the signaling protocol for the inner label.
This mode also adopts the RD and RT for transmitting the VC information and adopts the label block mode to assign labels to VCs.
VPLS is the point-to-multipoint service, and you can think of it as your service provider appearing as a big L2 switch from the customer's point of view.
Depending on the network scale you can have simple VPLS or hierarchical VPLS. In VPLS you adopt either LDP or MP-BGP as the signaling protocol.
The LDP mode is preferable when the number of VPLS sites is relatively small and the VPLS network seldom or never traverses multiple domains, especially in the case that BGP is not run on PEs.
The BGP mode is applicable at the core layer of a large-scale network in the case that BGP is run on PEs and cross-domain is required.
If the scale of a VPLS network is large (a great number of nodes or a wide geographical range), you can use hierarchical VPLS (HVPLS) that combines the two modes. In HVPLS, the core layer uses the BGP mode and the access layer uses the LDP mode.
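To make the label-count distinction above concrete, here is an added example (mine, not part of the original answer): it encodes and decodes an MPLS label stack to contrast CCC (a single label) with SVC/Martini (an outer LSP label plus an inner VC label), and builds the PWid FEC element of type 128 that Martini-mode LDP uses to signal the VC ID and VC type. Field layouts follow RFC 3032 (label stack entry) and RFC 4447 (PWid FEC); interface parameters are omitted and the label/VC values are constructed.

```python
"""Added example: MPLS label stacks for CCC vs Martini-mode VLL, and the
PWid (type 128) FEC element carried in the targeted LDP session."""
import struct


def encode_label_stack(labels, ttl=64):
    """labels: list of (label, tc), outermost first; S bit set on the last entry."""
    out = b""
    for i, (label, tc) in enumerate(labels):
        bottom = 1 if i == len(labels) - 1 else 0
        entry = (label << 12) | (tc << 9) | (bottom << 8) | ttl   # RFC 3032 layout
        out += struct.pack("!I", entry)
    return out


def decode_label_stack(data):
    """Return the entries of a label stack up to and including bottom-of-stack."""
    entries = []
    for off in range(0, len(data), 4):
        (e,) = struct.unpack("!I", data[off:off + 4])
        entries.append({"label": e >> 12, "tc": (e >> 9) & 7,
                        "s": (e >> 8) & 1, "ttl": e & 0xFF})
        if (e >> 8) & 1:
            break
    return entries


def ccc_stack(lsp_label):
    # CCC: no inner VC label; the single operator-allocated label is bottom of stack
    return encode_label_stack([(lsp_label, 0)])


def martini_stack(lsp_label, vc_label):
    # SVC / Martini / PWE3: outer LDP tunnel label, inner VC label (bottom of stack)
    return encode_label_stack([(lsp_label, 0), (vc_label, 0)])


def encode_pwid_fec(pw_id, pw_type=5, group_id=0, control_word=False):
    """PWid FEC element (type 0x80 = 128), RFC 4447 section 5.2.
    pw_type 5 = Ethernet (EoMPLS). PW info length = 4 (PW ID only, no interface params)."""
    c_and_type = ((1 if control_word else 0) << 15) | (pw_type & 0x7FFF)
    return struct.pack("!BHBII", 0x80, c_and_type, 4, group_id, pw_id)


def decode_pwid_fec(data):
    fec_type, c_and_type, info_len, group_id, pw_id = struct.unpack("!BHBII", data[:12])
    if fec_type != 0x80:
        raise ValueError("not a PWid (type 128) FEC element")
    return {"control_word": bool(c_and_type >> 15), "pw_type": c_and_type & 0x7FFF,
            "info_len": info_len, "group_id": group_id, "pw_id": pw_id}
```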


jskfan (Author) Commented:
If I understand:

GETVPN is like the classic IPSEC VPN with a GRE tunnel; however, GETVPN is tunnel-less and does not use GRE. Spokes still connect to the HUB (Key Server) and authenticate to get a key. After they get the initial key they can talk to each other "without going through the HUB"; in reality they do go through the HUB, but with no chatting with the HUB since they already have the appropriate key to talk to the other spokes. I believe there is a lifetime to the key; after it expires, spokes renew their key with the HUB.

DMVPN is like an IPSEC VPN with a GRE tunnel; however, it uses point-to-multipoint instead of point-to-point. In DMVPN, we create a multipoint GRE tunnel interface on the HUB and create a tunnel key; we can use a routing protocol on the HUB (EIGRP or OSPF, etc.) and the spokes will register with the HUB.
On the spokes we create tunnel interfaces and a key that matches the key on the HUB.
The traffic can be encrypted with IPSEC.

GETVPN and DMVPN sound like they have a lot of similarities, other than that:
GETVPN is tunnel-less, is point-to-point and does not use GRE, while DMVPN uses GRE tunnels and is point-to-multipoint.

I still do not understand why GETVPN is considered point-to-point and DMVPN is considered point-to-multipoint.
In some docs, they say "DMVPN is designed to secure traffic over the Internet, and GETVPN is designed to secure traffic over WAN (i.e. MPLS VPN)". Actually I thought GETVPN is also used over the Internet.

MPLS VPN sounds to me like GETVPN inside MPLS. The first Customer Edge Router receives data from Customer1 and puts it in the appropriate VRF that corresponds to Customer1, then transfers that data to the destined Customer2, going through the Customer Edge Router facing Customer2. I believe the routers in the middle will just forward the data and cannot read it since it is in a different VRF. I may need to know if I am correct on the MPLS VPN explanation.

L2VPN and L3VPN, I believe, are MPLS technology. I cannot tell how different they are when compared to the VPNs mentioned above, and in which case they would be used instead of the other VPNs cited above.
jskfan (Author) Commented:
Thank you