mplstutorialMPLS –  A Tutorial on VPNs Layer 2 and 3

Network architects during a previous era – when there was a clear separation of function – enjoyed debating the virtues of switched or routed networks, which was stated in OSI terms as networks performing at layer-2 and layer-3 respectively. As networks grew from local area networks (LAN) to geographically dispersed networks connected by telecommunication links and Internet access became global, the debate ran its course with a general consensus — that each had a role, depending on circumstance. However, with the emergence of the Multi-Protocol Label Switching (MPLS) technology, the debate has once more surfaced. Which technology is the superior – Layer-2 or layer-3 VPN?

Need a better understanding of VPNs and switching? Take a course at

In order to consider the question it is necessary to review the technologies that construct MPLS layer-2 (switched) and MPLS layer-3 (routed) VPNs. The first salient point is what is the purpose of the underlying MPLS technology?

The development of MPLS came about due to the recognition that sometimes it was better to switch than to route. A specific case being when dealing with IP streams where the destination address will remain constant, surely the router could do a route look-up from the routing table once, cache the results, and switch subsequent packets. This is how high performance multi-layer switching came about. It was then an extension of the observation – route once, switch often – that brought about the idea to using simple labels instead of routes. Labels decoupled the dependency between IP routes and labels, therefore the label could carry any protocol, hence the Multi-Protocol Label Switching.

MPLS because of its multi-protocol utility was of interest to Telecom, Infrastructure and Internet Service Providers due to its potential to act as an IP backbone at both layer-2 and Layer-3. The larger ISPs saw the immediate potential in layer-3 VPN as a solution, due to their extensive experience with IP routing and BGP in particular. They saw that constructing and handling a client’s VPN and relieving them of the routing burden as an opportunity, which they could provision and sell as a product. The product they envisioned was a full layer-3 VPN, which would enable companies with offices around the country or even the world to interconnect through the providers IP MPLS backbone.

This was not how Telecom or the infrastructure providers saw the potential. Telecoms in particular having experience in providing circuits saw the immediate potential of provisioning IP based virtual circuits to replace lease lines. Infrastructure providers also saw the potential of extending local area networks seamlessly across the MPLS backbone to allow companies to connect all their remote locations across the MPLS network into one seamless and transparent LAN.

The Layer-3 Approach

The layer-3 approach is constructing MPLS VPNs based on a peer model where BGP is used as the method to distribute routes throughout the MPLS network. BGP was required as it could carry the modified Customer IP addresses and the VPN Identifiers. The model itself required every client site to connect via a client equipment router (CE) directly with a provider edge router. The client would then redistribute their routes into the MPLS context and be distributed to all the other PE routes connecting the other client sites. It is the relationship between the CE and the PE routers, which is the tricky part to understand. The CE router peers with the PE router using any protocol but it crucially only peers with the PE router and NOT the other clients CE routers. The PE router then builds a virtual routing table per client, so that each customer’s routes are segregated.

MPLS handles the forwarding of packets by placing two labels on the stack — one label addressed for the IGP calculated next-hop, which will be to a core P router, and a BGP deduced label for the VPN. Once the labeled packet has traversed the backbone of core P routers, it arrives at the PE router serving the remote site. The PE router ‘pops’ the label and delivers the packer directly using IP routing to the Clients CE router.

The Layer-2 Approach

The layer-3 VPN uses a peer model – where the customer’s router peers and redistributes its routes with the providers PE router – the Layer-2 approach is actually an overlay model. In this VPN model, the customer simply connects to the provider PE using the standard Ethernet interface and protocol. The provider creates static point-to-point tunnels across the backbone to each remote customer site. There is no routing involved — only the provision of transparent –to the customer – point-to-point tunnels. These services known as TLS (transparent LAN service) or VPLS (virtual private LAN service) are extensions to the existing client network and they behave exactly like any other LAN segment.

Both MPLS VPN models use MPLS to forward the packets over Label Switch Paths (LSP) within the providers MPLS network. The principle difference is the relationship between the customer (CE) and the provider’s edge router (PE). In a layer-3 scenario, the PE must peer accept the client’s routes and build and maintain individual routing tables per client. In the Layer-2 model, the provider’s edge router does not peer or handle any routes. It simply maps the incoming IP traffic onto a prebuilt and defined tunnel for transport across the MPLS network. Therefore, the layer-2 VPN is more an overlay on top of the MPLS.

Learn advanced switching capabilities at

The Better Approach?

At first glance, the layer-2 approach seems from both the client’s perspective and the provider’s to be a much simpler solution. Further research into configurations required confirms that the layer-2 is a far simpler VPN solution to provision, maintain and troubleshoot. However, not all providers will agree, because should the provider have extensive routing and BGP in-house knowledge then the added complexity is certainly an issue but not a serious one. The added technical burden and the additional operational expenditure (Opex) will pale in comparison to the financial returns.

The Layer-2 VPN solution is a simple and low maintenance solution, and that is a considerable strength, but it has a weakness. Providers can leverage higher prices and profits from Layer-3 networks due to their complexity, not in spite of it. This is because by handling the customers’ routing using layer-3, providers are offering and performing additional services than the layer-2 providers.

Learn more about IP routing and switch at

MPLS students also learn

Empower your team. Lead the industry.

Get a subscription to a library of online courses and digital learning tools for your organization with Udemy for Business.

Request a demo