Posted on 2014-04-08
Medium Priority
Last Modified: 2014-04-09
I would like to know what is the difference between the following VPN solutions:


Thank you
Question by:jskfan
  • 2

Accepted Solution

Hassan Besher earned 2000 total points
ID: 39986621
We have 2 types, L2 and L3 MPLS VPN's. L3 VPN named MPLS/BGP L3 VPN and this is the most common type of MPLS VPN.
For Metro Ethernet we can use MPLS L2 VPN. MPLS L2 VPN is a great topic, much harder that MPLS L3 VPN. All the time when I'm teaching MPLS VPN's I'm starting with L3 VPN's.
L2 VPN's are divided in 2 main categories: VPWS (Virtual Private Wire Service) also known as point-to-point VLL (virtual leased line) VPNs and VPLS (Virtual Private Lan Service) point-to-multipoint service.
From VPWS historically speaking we have:
- VLL in CCC mode - circuit cross connect
In this type of VPN you don't have a inner label for customer service. You have only the outer label and this label is manually allocated by the operator when building the VPN.
- SVC - static virtual circuit this can be called simplified Martini Mode
In this mode you have 2 labels, one for LSP announced by LDP and one inner configured by the operator. The inner label defines the Virtual Circuit thus the customer Service.
- VLL in Martini mode also known as EoMPLS service - this mode complies with draft-martini-l2circuit-mpls
In Martini mode, the VC type and the VC ID are used to identify a VC between two CEs. You will need extended remote LDP sessions between PEs to transmit the VC message. To transmit the VC message, an FEC is added with the type as 128.
I want to notice here the presence of PWE3 (Pseudo-Wire Emulation Edge to Edge). VLL in Martinit Mode is a subset of PWE3 technology. PWE3 adopts the same signaling process as VLL in Martini mode but adds some new extensions on data plane and control plane thus is more advanced and used today.
- VLL in Kompella mode
This mode adopts the MP-BGP as the signaling protocol for inner label.
This mode also adopts the RD and RT for transmitting the VC information and adopts the label block mode to assign the label to VC's.
VPLS is the point-to-multipoint service and you can think that you service provider appears as a big L2 switch from the customer point of view.
Depends on the network scale you can have simple VPLS or hierarchical VPLS. In VPLS the you adopt LDP as signaling protocol or MP-BGP.
The LDP mode is preferable when the number of VPLS sites is relatively small and the VPLS network seldom or never traverses multiple domains, especially in the case that BGP is not run on PEs.
The BGP mode is applicable at the core layer of a large-scale network in the case that BGP is run on PEs and cross-domain is required.
If the scale of a VPLS network is large (a great number of nodes or a wide geographical range), you can use hierarchical VPLS (HVPLS) that combines the two modes. In HVPLS, the core layer uses the BGP mode and the access layer uses the LDP mode.



Author Comment

ID: 39987294
if I understand :

GETVPN  is like the classic (IPSEC VPN with GRE Tunnel), however GETVPN is Tunnel-less and does not use GRE. Spokes still connect to the HUB(Key Server) and authenticate to get a Key, after they get initial key then they can talk to each other "without going through the HUB", in reality they do go through the HUB, but no chatting with the HUB since they already they have the appropriate key to talk to other spokes. I believe there is life time to the key, after it expires, spokes renew their key with the HUB

DMVPN  is like IPSEC VPN with GRE Tunnel , however it uses point to multipoint instead of point to point..In DMVPN , we create Multipoint GRE Tunnel interface on the HUB, and create Tunnel Key, we can use Routing protocol on the HUB(EIGRP or OSPF,etc…) the Spokes will register with the HUB.
on the spokes will create Tunnel interfaces and a Key that matches the key on the HUB.
The traffic can be encrypted with IPSEC

GETVPN and DMVPN sound like they have a lot of similarities other than that:
GETVPN is Tunnel-less and is point-to-point does not use GRE and DMVPN use GRE Tunnel and is Point-To-Multipoint.

I still do not understand why GETVPN is considered point-to-point and DMVPN is considered point-to-multipoint.
in some Docs, they say " DMVPN is designed to secure traffic over the Internet, and GETVPN is designed to secure traffic over WAN (i.e. MPLS VPN)"… Actually I though GETVPN is also used over the internet.

MPLS VPN =sounds to me like GETVPN inside MPLS… The first Customer Edge Router
receives data from customer1 and puts it in the appropriate VRF that corresponds to Customer1 then transfers that data to the destined Customer2 going through Customer Edge Router facing Customer2. I believe the routers in the middle will just forward data and cannot read it since it is in different VRF. I may need to know if I am correct on the MPLS VPN explanation.

L2VPN and L3VPN, I believe are MPLS technology….I cannot tell how different they are when compared to the VPNs mention above…and in which case they would use them instead of the other VPNs cited above.

Author Closing Comment

ID: 39989622
Thank you

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
Will you be ready when the clock on GDPR compliance runs out? Is GDPR even something you need to worry about? Find out more about the upcoming regulation changes and download our comprehensive GDPR checklist today !
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

807 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question