
Layer 2 MPLS VPN

Layer 2 MPLS Virtual Private Network (L2VPN) is a provider-provisioned virtual private network technology that emulates traditional Layer 2 services, such as Ethernet LAN connectivity, across an MPLS-enabled IP backbone, enabling transparent communication between geographically dispersed customer sites. This framework supports standardized protocols for interoperability and includes key service types: point-to-point Virtual Private Wire Service (VPWS), which connects two customer edge (CE) devices via virtual circuits, and multipoint Virtual Private LAN Service (VPLS), which provides Ethernet-based multipoint-to-multipoint connectivity resembling a shared LAN. L2VPNs leverage MPLS pseudowires—virtual tunnels carrying Layer 2 frames—to transport customer traffic over the provider's core network while maintaining Layer 2 protocol transparency. In an L2VPN deployment, provider edge (PE) routers interface with CE devices through attachment circuits, such as Ethernet ports or Frame Relay DLCIs, and establish pseudowires across the MPLS domain using signaling protocols like Label Distribution Protocol (LDP) for VPWS or BGP for VPLS auto-discovery and signaling. MPLS labels are imposed on incoming Layer 2 frames at the ingress PE, facilitating label-switched path (LSP) forwarding through the core, where intermediate provider (P) routers perform efficient label swapping without inspecting the encapsulated payload. This architecture separates customer Layer 2 domains from the provider's IP infrastructure, ensuring isolation and scalability for multiple VPNs. L2VPNs offer service providers a flexible means to deliver managed Layer 2 services, supporting diverse applications including data center extensions, financial trading networks, and remote branch interconnections, without necessitating changes to customer routing configurations. 
Defined by IETF standards since the early 2000s, these VPNs have evolved to incorporate enhancements like Ethernet VPN (EVPN) for improved control plane efficiency and multihoming support, addressing limitations in traditional VPLS such as flooding-based MAC learning. By providing native Layer 2 transport over MPLS, L2VPNs enable cost-effective, high-performance connectivity that scales with bandwidth demands.

Introduction

Overview

Layer 2 MPLS VPNs are virtual private networks that use Multiprotocol Label Switching (MPLS) to transport Layer 2 frames across a service provider's backbone, effectively extending customer Layer 2 networks such as Ethernet LANs over wide-area connections. This technology emulates transparent Layer 2 services, allowing customer sites to communicate as if they were connected to the same local segment. The primary purpose of Layer 2 MPLS VPNs is to enable service providers to deliver scalable, multi-tenant Layer 2 services without requiring customers to manage, or even be aware of, the provider's infrastructure. By handling forwarding at the edge routers while preserving customer Layer 2 details, these VPNs support diverse applications such as LAN extension between sites, while ensuring isolation between tenants. Key characteristics include the transparent preservation of customer MAC addresses, VLAN tags, and Layer 2 protocols across the wide-area network, which maintains the integrity of the original Ethernet or other Layer 2 frames during transit. This transparency allows Layer 2 protocols to operate end-to-end without modification by the provider network. Layer 2 MPLS VPNs evolved from earlier legacy technologies like Frame Relay and ATM VPNs, transitioning to modern Ethernet-based services by leveraging MPLS as the underlying transport for efficient, IP-compatible Layer 2 extension.

Historical Development

The development of Layer 2 MPLS VPNs traces its origins to late 1990s efforts within the Internet Engineering Task Force (IETF) to leverage Multiprotocol Label Switching (MPLS) for emulating Layer 2 services across packet-switched networks. Initial IETF drafts explored MPLS extensions for transporting Layer 2 protocols, building on the core MPLS architecture formalized in RFC 3031, published in January 2001, which provided the foundational framework for label-based forwarding. These early works addressed the need for service providers to migrate from legacy circuit-based technologies like Frame Relay and ATM to more scalable packet-based alternatives.

Key milestones emerged in the early 2000s with the specification of Virtual Private Wire Service (VPWS), a point-to-point Layer 2 VPN mechanism. The seminal Martini drafts, starting with draft-martini-l2circuit-trans-mpls-01 in May 2000, outlined methods for encapsulating and transporting Layer 2 frames over MPLS pseudowires using Label Distribution Protocol (LDP) signaling. These evolved through multiple revisions and were ultimately standardized as RFC 4906 in June 2007, defining the transport of Layer 2 Protocol Data Units (PDUs) over MPLS. Cisco Systems pioneered practical implementation with its Any Transport over MPLS (AToM) feature in 2001, enabling the carriage of diverse Layer 2 protocols like Ethernet and ATM across MPLS backbones. For multipoint services, Virtual Private LAN Service (VPLS) gained traction around 2003, with early vendor support introduced in a version 5.4 software release, facilitating Ethernet LAN extension over MPLS. The IETF standardized VPLS through RFC 4761 (BGP-based auto-discovery and signaling) and RFC 4762 (LDP-based signaling), both published in February 2007, enabling transparent multipoint Ethernet connectivity. Complementary standardization from the ITU-T included Recommendation Y.1731 in May 2006, which defined Operations, Administration, and Maintenance (OAM) functions for Ethernet-based networks, enhancing VPWS and VPLS reliability.
Widespread adoption accelerated post-2005, coinciding with the rapid growth of Ethernet services in metropolitan networks, as providers sought cost-effective alternatives to traditional leased lines. By 2009, global Ethernet and IP MPLS VPN service revenues reached $20.8 billion, reflecting a 23% year-over-year increase and driving the transition from circuit-based to packet-based Layer 2 VPNs throughout the 2010s. The IETF was the primary standards body for these developments, with the L2VPN Working Group concluding in November 2014; subsequent refinements, such as those for Ethernet VPN (EVPN), have been handled by other groups like BESS to ensure interoperability and scalability.

Core Concepts

MPLS Basics for L2 VPN

Multiprotocol Label Switching (MPLS) is a forwarding mechanism that directs data from one network node to the next based on short path labels rather than long network addresses, enabling efficient packet transport across service provider networks. In MPLS, forwarding decisions are made by swapping labels at each intermediate router, avoiding the need for a complete routing-table lookup at every hop, which improves scalability and performance in large networks. Labels are 20-bit fixed-length identifiers carried in a shim header inserted between the Layer 2 and Layer 3 headers; several such entries can be stacked to support hierarchical tunneling, where outer labels handle transport and inner labels identify services. The core components of an MPLS network are Label Edge Routers (LERs) and Label Switch Routers (LSRs). LERs operate at the boundary of the MPLS domain, imposing (pushing) labels onto incoming unlabeled packets at the ingress edge and disposing of (popping) labels from outgoing packets at the egress edge. LSRs, located in the core of the network, perform transit forwarding by swapping the top label of incoming packets without examining the underlying information. Central to MPLS is the concept of Forwarding Equivalence Classes (FECs), which group packets that should receive identical treatment along the same path through the network, such as those destined for the same prefix or sharing similar service requirements.

Label distribution in MPLS establishes the paths over which labeled packets travel, known as Label Switched Paths (LSPs). For standard unicast forwarding, the Label Distribution Protocol (LDP) is used to advertise label bindings between LERs and LSRs in a hop-by-hop manner, mapping FECs to labels without explicit path control. In contrast, for traffic engineering applications requiring explicit routing and resource reservations, RSVP-TE extends the Resource Reservation Protocol to set up LSPs with defined paths and bandwidth guarantees, distributing labels through Path and Resv messages.
At the edges, label imposition occurs when an ingress LER pushes one or more labels onto a packet to direct it into the MPLS core, while disposition at the egress LER removes the labels before forwarding the packet to its final destination. MPLS provides an IP-independent transport, operating as a multiprotocol scheme applicable to any protocol, which allows Layer 2 frames from customer networks to be encapsulated and tunneled across the provider's MPLS backbone without modifying the original customer headers. This separation preserves the integrity of Layer 2 payloads during transit, making MPLS suitable for extending Layer 2 services over wide-area networks. The fundamental label operations in MPLS (push, swap, and pop) facilitate efficient forwarding along an LSP. At the ingress LER, the push operation adds a label (or a stack of labels) to an incoming packet, associating it with a specific FEC. In the core, each LSR performs a swap, replacing the topmost label with a new one to forward the packet to the next hop along the path. Finally, at the egress LER, the pop operation removes the outermost label, allowing the packet to exit the MPLS domain with its original header intact. These operations, combined with the label stack, enable nested tunneling for complex service delivery.

Layer 2 Tunneling Mechanisms

In Layer 2 MPLS VPNs, pseudowires (PWs) serve as the foundational mechanism for tunneling customer Layer 2 frames across the MPLS core, emulating the essential attributes of traditional Layer 2 services such as Ethernet over a packet-switched network (PSN). Defined in the Pseudo Wire Emulation Edge-to-Edge (PWE3) architecture, a PW is a tunnel that transparently transports native service data units (bits, cells, or packets) between provider edge (PE) routers while preserving the service's timing, sequencing, and error detection characteristics. This emulation ensures that customer edge (CE) devices perceive a direct Layer 2 connection, independent of the underlying PSN, which may use IP or MPLS for transport.

The encapsulation process for PWs in MPLS involves wrapping the original Layer 2 frame within a PW protocol data unit (PDU), which includes the customer payload, an optional PW control word, and a stack of MPLS labels. The PW control word, specified for use over MPLS PSNs, is a 32-bit header inserted immediately after the MPLS label stack to provide sequencing, fragmentation indicators, and length information; it helps distinguish PW payloads from native IP traffic and prevents misordering under equal-cost multipath (ECMP) routing. It consists of a 4-bit start field (set to 0000), flags for per-payload signaling, a fragmentation field, a length field for padding, and a 16-bit sequence number that increments per frame to maintain order. While optional for some payload types, the control word is mandatory for services sensitive to packet reordering, such as those using ECMP. The encapsulated frame is then forwarded over the MPLS core, where label switching directs it to the egress PE. MPLS label stacking is integral to PW tunneling, employing at minimum two labels to separate the transport and service identification functions.
The inner label, known as the virtual circuit (VC) label, identifies the specific PW and is assigned a value from the PW label space, enabling the egress PE to demultiplex and process the frame correctly. The outer label serves as the transport label, directing the packet along a label-switched path (LSP) through the MPLS core via standard label switching. In scenarios requiring hierarchical routing, such as when PWs traverse multiple administrative domains or for traffic engineering, a third label may be added as an outer hierarchical LSP label, aggregating multiple inner label stacks for scalability. Demultiplexing at the egress PE relies on the VC label to uniquely identify the target PW among potentially many sharing the same transport LSP, ensuring frames are associated with the correct attachment circuit (AC) on the CE side. The PW control word further aids this process by including a start-of-frame flag and length field, which allow the PE to detect frame boundaries and handle variable-length payloads accurately, even in the presence of padding. This combination maintains frame integrity without requiring the core routers to inspect the Layer 2 payload.

Operations, Administration, and Maintenance (OAM) for pseudowires integrates Virtual Circuit Connectivity Verification (VCCV), which establishes a control channel within the PW for diagnostics and fault detection. VCCV packets, carried alongside data traffic over the MPLS LSP, support connectivity checks using mechanisms like MPLS echo requests (LSP ping) or ICMP pings, with capabilities negotiated during PW setup. This allows PEs to verify end-to-end PW health, isolate faults, and report status without disrupting service traffic.
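As an added illustration of the label stack and control word described above (example code written for this article, not taken from any implementation), the following Python decodes a constructed PW packet the way an egress PE would: it walks the label stack to the bottom-of-stack entry, checks that the first nibble after it is 0000 before treating it as a control word, maps the VC label to an attachment circuit, and exposes the customer Ethernet header unmodified. The VC-label table, port name and sample frame are constructed values.

```python
"""Added example (not code from the article): decode a constructed MPLS-encapsulated
pseudowire packet as an egress PE would, using the label stack entry layout of
RFC 3032 and the PW control word layout of RFC 4385. The VC-label table and the
sample frame are constructed for illustration."""
import struct

LABEL_ENTRY_LEN = 4   # one 32-bit label stack entry
CONTROL_WORD_LEN = 4  # the PW control word is 32 bits


def parse_label_stack(data: bytes):
    """Return (entries, offset): each entry is {label, tc, bos, ttl}; parsing stops
    at the entry whose bottom-of-stack (S) bit is set."""
    entries, offset = [], 0
    while True:
        if offset + LABEL_ENTRY_LEN > len(data):
            raise ValueError("truncated label stack")
        (word,) = struct.unpack_from("!I", data, offset)
        entries.append({
            "label": word >> 12,        # 20-bit label value
            "tc": (word >> 9) & 0x7,    # 3-bit traffic class (formerly EXP)
            "bos": (word >> 8) & 0x1,   # bottom-of-stack bit
            "ttl": word & 0xFF,
        })
        offset += LABEL_ENTRY_LEN
        if entries[-1]["bos"]:
            return entries, offset


def is_control_word(word_bytes: bytes) -> bool:
    """A PW control word starts with the nibble 0000. A first nibble of 4 or 6 looks
    like an IPv4/IPv6 header to a transit LSR hashing for ECMP, which is exactly the
    misclassification the control word exists to prevent."""
    return (word_bytes[0] >> 4) == 0


def parse_control_word(data: bytes, offset: int):
    word_bytes = data[offset:offset + CONTROL_WORD_LEN]
    if len(word_bytes) < CONTROL_WORD_LEN or not is_control_word(word_bytes):
        raise ValueError("payload does not start with a PW control word")
    (word,) = struct.unpack_from("!I", data, offset)
    return {
        "flags": (word >> 24) & 0xF,    # per-payload signalling bits (bits 4-7)
        "frg": (word >> 22) & 0x3,      # fragmentation indicator (bits 8-9)
        "length": (word >> 16) & 0x3F,  # non-zero only when the ingress PE padded a short frame
        "sequence": word & 0xFFFF,      # 0 means sequencing is not in use
    }


def next_sequence(seq: int) -> int:
    """Sequence numbers wrap from 65535 back to 1; 0 is reserved for 'unsequenced'."""
    return 1 if seq == 65535 else seq + 1


def demultiplex(packet: bytes, vc_table: dict):
    """Strip the transport label, map the VC label to an attachment circuit, and
    expose the control word and the customer Ethernet header untouched."""
    labels, offset = parse_label_stack(packet)
    if len(labels) < 2:
        raise ValueError("expected at least a transport label and a VC label")
    vc_label = labels[-1]["label"]  # bottom of stack identifies the pseudowire
    if vc_label not in vc_table:
        raise ValueError(f"unknown VC label {vc_label}: no pseudowire bound")
    cw = parse_control_word(packet, offset)
    eth = packet[offset + CONTROL_WORD_LEN:]
    if len(eth) < 14:
        raise ValueError("truncated Ethernet header")
    return {
        "transport_label": labels[0]["label"],
        "vc_label": vc_label,
        "ac": vc_table[vc_label],
        "control_word": cw,
        "eth_dst": eth[0:6].hex(":"),
        "eth_src": eth[6:12].hex(":"),
        "ethertype": struct.unpack("!H", eth[12:14])[0],
    }


def build_label_entry(label: int, tc: int, bos: int, ttl: int) -> bytes:
    return struct.pack("!I", (label << 12) | (tc << 9) | (bos << 8) | ttl)


def build_control_word(flags=0, frg=0, length=0, sequence=0) -> bytes:
    return struct.pack("!I", (flags << 24) | (frg << 22) | (length << 16) | sequence)


# Constructed sample: transport label 16001 (TTL 64), VC label 24005 (bottom of stack),
# a control word carrying sequence number 7, then a broadcast ARP frame from the customer.
SAMPLE_ETH = (bytes.fromhex("ffffffffffff") + bytes.fromhex("0050560a0b0c")
              + bytes.fromhex("0806") + bytes(28))
SAMPLE_PACKET = (build_label_entry(16001, 0, 0, 64) + build_label_entry(24005, 0, 1, 255)
                 + build_control_word(sequence=7) + SAMPLE_ETH)
SAMPLE_VC_TABLE = {24005: "ac-cust-A-vlan100"}  # VC label -> attachment circuit (constructed)

if __name__ == "__main__":
    print(demultiplex(SAMPLE_PACKET, SAMPLE_VC_TABLE))
```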

Types of Layer 2 MPLS VPNs

Point-to-Point Services (VPWS)

Virtual Private Wire Service (VPWS) emulates a dedicated Layer 2 point-to-point wire or circuit between two customer sites across an MPLS provider network, delivering transparent transport of Layer 2 frames as if the sites were connected by a direct physical link. This service uses a single pseudowire (PW) to carry the customer's Layer 2 traffic end-to-end, preserving the native framing and timing where applicable. VPWS forms the basis for simple, dedicated connectivity in Layer 2 MPLS VPNs, suitable for scenarios requiring leased-line-like behavior without the complexities of multipoint distribution.

The structure of VPWS involves attachment circuits (ACs) at the customer-facing interfaces of provider edge (PE) routers, each directly mapped to a corresponding PW traversing the MPLS core. These ACs can carry various Layer 2 technologies, including Ethernet frames, Asynchronous Transfer Mode (ATM) cells, Frame Relay frames, and Time Division Multiplexed (TDM) circuits such as Synchronous Digital Hierarchy (SDH) or Plesiochronous Digital Hierarchy (PDH). Pseudowires provide the Layer 2 tunneling mechanism, encapsulating the AC payload within an MPLS label stack for transport across the provider domain. Key features of VPWS include restricted MAC address learning, which occurs only at the PE endpoints terminating the PW, avoiding the need for distributed learning or address tables in the core network. There is no frame flooding or broadcasting within the service, as traffic is strictly forwarded along the dedicated PW path, which supports efficient scalability in point-to-point or hub-and-spoke deployments without the overhead of unknown-destination handling. This design ensures low latency for time-sensitive applications while maintaining frame integrity and order.
Examples of VPWS implementations include Any Transport over MPLS (AToM), which enables the migration of legacy Layer 2 services like Frame Relay and ATM onto MPLS infrastructure by defining specific encapsulation methods for each technology. In contemporary deployments, Ethernet VPWS is widely used to extend Ethernet links across wide-area MPLS networks, providing carrier-grade point-to-point Ethernet services with VLAN tag preservation and QoS mapping. VPWS also incorporates interworking capabilities to bridge disparate Layer 2 attachment circuits, referred to as attachment circuit interworking (AC-IW), allowing connectivity between incompatible technologies such as Ethernet and ATM without requiring customer-side modifications. For instance, AC-IW functions perform mapping and adaptation at the PE to translate Ethernet frames into ATM cells or vice versa, ensuring seamless end-to-end service delivery.

Multipoint Services (VPLS)

Virtual Private LAN Service (VPLS) is a multipoint Layer 2 virtual private network (VPN) technology that enables Ethernet frames to be transparently transported across a Multiprotocol Label Switching (MPLS) provider network, emulating a single bridged domain as if all customer edge (CE) devices were connected to the same local area network (LAN). Defined in RFC 4761 and RFC 4762, VPLS provides multipoint connectivity for Ethernet services, allowing multiple sites to communicate as peers without requiring Layer 3 routing awareness at the customer sites. This service is particularly suited to applications requiring LAN-like behavior, such as extending an Ethernet LAN over wide areas.

At its core, VPLS operates through Virtual Switching Instances (VSIs), one per VPLS service on each participating PE router. Each VSI functions as a virtual Ethernet bridge, maintaining a forwarding table and performing learning, forwarding, and flooding of Ethernet frames across the multiple pseudowires (PWs) that tunnel traffic to other PEs. When a frame arrives at a PE via an attachment circuit (AC) from a CE, the VSI learns the source MAC address and associates it with the incoming AC; subsequent frames destined to that MAC are forwarded directly via the appropriate PW, while unknown unicast, broadcast, or multicast frames are flooded to all other PWs and ACs in the VSI to ensure reachability. This bridging mechanism relies on MPLS labels to encapsulate and transport the frames, preserving Ethernet headers end-to-end.

VPLS topologies are designed to balance connectivity and scalability. In small-scale deployments, a full-mesh configuration is used, where each PE establishes a dedicated PW to every other PE in the VPLS instance, ensuring direct multipoint communication but limiting the number of supported sites due to the quadratic growth in PWs (n*(n-1)/2 for n PEs).
For larger networks, Hierarchical VPLS (H-VPLS) extends this model by introducing a two-tier structure: access PEs (or User PEs, UPEs) connect directly to CEs via ACs and form point-to-multipoint PWs to a smaller set of core PEs, which in turn maintain a full mesh among themselves; this reduces the PW count at the edge while leveraging the core for efficient distribution, as specified in RFC 4762. Key features of VPLS include support for VLAN tagging, allowing multiple services to be multiplexed over the same AC through VLAN-based service instances. To prevent loops in the emulated LAN, VPLS employs split-horizon rules, where PEs are grouped into hub-and-spoke arrangements; traffic received from a PW in one group is not forwarded back to PWs in the same group, effectively blocking redundant Spanning Tree Protocol (STP) BPDUs and data frames that could cause loops. Unknown unicast and broadcast traffic is handled via controlled flooding to the relevant PWs, with options for multicast optimization in advanced implementations to reduce bandwidth overhead.

MAC address management in VPLS is critical for efficient operation and stability. Each VSI maintains a local MAC learning table that stores source MAC addresses learned from incoming frames, mapping them to specific ACs or PWs for forwarding; these entries age out after a configurable timer (typically 300 seconds) to adapt to topology changes, such as CE relocations. MAC flushing can be triggered dynamically via signaling messages to clear stale entries during events like link failures. To mitigate risks like MAC table overflow leading to excessive flooding and broadcast storms, VPLS implementations enforce per-VSI limits on the number of learned MAC addresses (e.g., 4,000 to 32,000, depending on platform), beyond which new learning is suppressed or excess traffic is flooded.
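As an added example (not code from the article or any vendor), the following Python models a single VSI and walks through the behaviours described above: learning on ACs and PWs, flooding of broadcast, multicast and unknown unicast frames, split horizon so that a frame arriving from a mesh PW is never re-sent over another mesh PW, a per-VSI MAC limit that suppresses learning once reached, aging, and a per-port MAC flush. Port names, MAC addresses and the limit of 3 used in the scenario are constructed.

```python
"""Added example (not the article's or any vendor's code): a minimal VPLS Virtual
Switching Instance (VSI) model showing MAC learning, flooding of broadcast, multicast
and unknown unicast frames, split horizon between full-mesh pseudowires, a per-VSI
MAC limit, aging and MAC flush. Port names and MAC addresses are constructed."""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_bum(mac: str) -> bool:
    """Broadcast, or multicast (I/G bit set in the first octet): never learned, always flooded."""
    return mac == BROADCAST or (int(mac.split(":")[0], 16) & 0x01) == 1


@dataclass
class VSI:
    mac_limit: int = 4096         # per-VSI cap on learned addresses
    aging_seconds: float = 300.0  # typical default aging timer
    ports: dict = field(default_factory=dict)  # name -> "ac" or "pw"
    fdb: dict = field(default_factory=dict)    # mac -> [port, last_seen]
    suppressed: int = 0           # learn attempts refused because the limit was hit

    def add_port(self, name: str, kind: str):
        assert kind in ("ac", "pw")
        self.ports[name] = kind

    def _age(self, now: float):
        for mac in [m for m, (_, seen) in self.fdb.items() if now - seen > self.aging_seconds]:
            del self.fdb[mac]

    def learn(self, src: str, ingress: str, now: float):
        if is_bum(src):
            return  # a group address as source is bogus; never install it
        if src in self.fdb or len(self.fdb) < self.mac_limit:
            self.fdb[src] = [ingress, now]  # refresh, or move the entry on CE relocation
        else:
            self.suppressed += 1  # limit reached: the frame is still forwarded, but not learned

    def egress_ports(self, ingress: str, dst: str):
        entry = None if is_bum(dst) else self.fdb.get(dst)
        if entry is not None:
            return [] if entry[0] == ingress else [entry[0]]
        # Unknown destination: flood to every other port, except that a frame received
        # over a mesh PW is never sent back out another mesh PW (split horizon), since
        # the full mesh already delivered it to every PE.
        from_pw = self.ports[ingress] == "pw"
        return sorted(name for name, kind in self.ports.items()
                      if name != ingress and not (from_pw and kind == "pw"))

    def forward(self, src: str, dst: str, ingress: str, now: float):
        """Process one frame: age the table, learn the source, return the egress ports."""
        if ingress not in self.ports:
            raise ValueError(f"frame on unknown port {ingress}")
        self._age(now)
        self.learn(src, ingress, now)
        return self.egress_ports(ingress, dst)

    def flush(self, port: str = None):
        """Clear learned entries (all, or those behind one port), as MAC-flush
        signalling does after a link failure."""
        for mac in [m for m, (p, _) in self.fdb.items() if port is None or p == port]:
            del self.fdb[mac]


def demo_scenario():
    """Walk through the behaviours in the text; returns observations for checking."""
    vsi = VSI(mac_limit=3)
    for name, kind in (("ac1", "ac"), ("ac2", "ac"), ("pw-PE2", "pw"), ("pw-PE3", "pw")):
        vsi.add_port(name, kind)
    out = {}
    out["bcast_from_ac"] = vsi.forward("00:00:00:00:00:0a", BROADCAST, "ac1", now=0)
    out["known_from_pw"] = vsi.forward("00:00:00:00:00:0b", "00:00:00:00:00:0a", "pw-PE2", now=1)
    out["unknown_from_pw"] = vsi.forward("00:00:00:00:00:0c", "00:00:00:00:00:99", "pw-PE2", now=2)
    out["limit_hit"] = vsi.forward("00:00:00:00:00:0d", "00:00:00:00:00:0a", "ac2", now=3)
    out["suppressed"] = vsi.suppressed
    out["learned_d"] = "00:00:00:00:00:0d" in vsi.fdb
    vsi.flush("pw-PE2")
    out["after_flush"] = sorted(vsi.fdb)
    vsi.forward("00:00:00:00:00:0e", BROADCAST, "ac2", now=400)  # ages out the entry from t=0
    out["after_aging"] = sorted(vsi.fdb)
    return out


if __name__ == "__main__":
    for key, value in demo_scenario().items():
        print(f"{key}: {value}")
```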

Signaling Protocols

LDP-Based Signaling

Label Distribution Protocol (LDP) serves as a signaling mechanism for establishing pseudowires in Layer 2 MPLS VPNs by extending the core LDP framework defined for MPLS label distribution. Basic LDP, as specified in RFC 5036, enables label-switched routers (LSRs) to exchange label bindings for forwarding equivalence classes (FECs), primarily supporting IP prefix-based forwarding. For Layer 2 VPNs, LDP is augmented through Targeted LDP (T-LDP), which establishes directed sessions between provider edge (PE) routers that may not be adjacent, allowing negotiation of FECs to emulate Layer 2 connections over MPLS tunnels.

The Martini method, outlined in RFC 4447, employs T-LDP sessions directly between the PEs terminating the pseudowire endpoints. In this approach, the FEC element incorporates a pseudowire identifier (PW ID), comprising a control word and attachment circuit identifiers, to uniquely specify the Layer 2 service. This method facilitates point-to-point pseudowires for Virtual Private Wire Services (VPWS) and was adapted for early multipoint Virtual Private LAN Services (VPLS) implementations by signaling individual pseudowires between PEs. In contrast, the Kompella method, detailed in RFC 4762, uses LDP for signaling in VPLS deployments, with auto-discovery typically requiring manual configuration or external protocols. It employs an Attachment Group Identifier (AGI) within the FEC (type 129) to scope pseudowires to specific services. For multipoint connectivity, this method establishes a full mesh of pseudowires among PEs, using FEC type 129 to denote multipoint services and support forwarding across the emulated LAN.

Key procedures in LDP-based signaling involve the exchange of label mapping messages to bind MPLS labels to FECs. A PE initiates setup by sending a mapping request to the remote PE, which responds with a mapping message containing the allocated label if the FEC is recognized. Pseudowire status is conveyed via the PW Status Type-Length-Value (TLV) in notification messages, indicating up or down states to manage faults.
For efficiency in bulk configurations, wildcard FECs allow a single session to negotiate multiple pseudowires, reducing signaling overhead in dense topologies. LDP-based signaling offers simplicity in Layer 2 MPLS VPNs, relying solely on existing MPLS infrastructure without requiring an external controller for pseudowire orchestration. However, it faces limitations in large-scale auto-discovery, as the full-mesh requirement between numerous PEs can lead to excessive session proliferation and management complexity.

BGP-Based Signaling

BGP serves as a key control plane protocol for Layer 2 MPLS VPNs, particularly in enabling auto-discovery and signaling for multipoint services like Virtual Private LAN Service (VPLS). Defined in RFC 4761, it leverages Multiprotocol BGP (MP-BGP) with the Layer 2 VPN Address Family Identifier (AFI 25) and VPLS Subsequent Address Family Identifier (SAFI 65) to exchange reachability information among provider edge (PE) routers. This approach allows BGP to advertise Virtual Switching Instance (VSI) identifiers and pseudowire (PW) endpoint details, facilitating dynamic discovery of remote PEs without manual configuration for each connection.

In BGP-based auto-discovery for VPLS, each PE assigns a unique Route Distinguisher (RD) to its VSI and advertises it alongside a Virtual Ethernet (VE) ID, which uniquely identifies the VSI on that PE. The BGP Network Layer Reachability Information (NLRI) encodes PW endpoint details, including the VE ID, VE Block Offset, VE Block Size, and Label Base, enabling other PEs to construct targeted PWs. Route Targets (RTs), carried as BGP extended communities, constrain the advertisement scope and ensure only relevant PEs receive VSI information, thus forming the VPLS membership. Loop avoidance is achieved through RT-based filtering and BGP's path selection mechanisms, which prevent circular forwarding paths by discarding advertisements from non-direct peers in the VPLS topology. BGP integrates with label distribution protocols like LDP or RSVP-TE for PW label assignment, where BGP handles auto-discovery and PW signaling while the underlying protocols signal the actual transport labels over MPLS tunnels. This separation supports full-mesh PW topologies among PEs for multipoint connectivity, or hub-and-spoke configurations to optimize traffic flow in asymmetric deployments.
For point-to-point services such as Virtual Private Wire Service (VPWS), extensions in RFC 6074 introduce BGP auto-discovery using the same AFI 25 and SAFI 65, allowing PEs to advertise attachment identifier pools via NLRI that includes Attachment Group Identifiers (AGIs) and Attachment Individual Identifiers (AIIs). This enables multi-homing support with endpoint discrimination, where AIIs distinguish multiple attachments from a customer edge (CE) device to avoid duplication. The scalability of BGP in L2 MPLS VPNs stems from its ability to aggregate information across large domains, reducing the need for a full mesh of PWs by leveraging route reflectors and RT constraints to limit state explosion. In VPLS deployments, this auto-discovery mechanism minimizes configuration overhead for thousands of sites, as BGP advertisements propagate VSI membership efficiently without per-PE signaling sessions. For VPWS, colored pools and multi-segment PWs further enhance inter-AS deployments by partitioning endpoints and supporting segmented signaling paths.
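As an added example (not code from the article), the following Python shows how a PE turns the RFC 4761 NLRI fields named above (VE ID, VE Block Offset, VE Block Size, Label Base) into the pseudowire labels it sends and expects from each remote PE, and how Route Target filtering keeps other VPLS instances out of the table. The RDs, RTs, VE IDs and label bases are constructed, and the block-offset helper implements one common contiguous partitioning of the VE ID space that the RFC permits but does not mandate.

```python
"""Added example (not the article's code): deriving pseudowire labels from RFC 4761
BGP-VPLS NLRI fields (VE ID, VE Block Offset, VE Block Size, Label Base) and
filtering advertisements by Route Target. All RDs, RTs, VE IDs and label bases are
constructed; block_offset_for() is one common partitioning, not an RFC requirement."""
from dataclasses import dataclass

MAX_LABEL = (1 << 20) - 1  # MPLS labels are 20 bits


@dataclass(frozen=True)
class VplsNlri:
    rd: str               # Route Distinguisher of the advertising VSI
    ve_id: int            # VE ID of the advertising PE
    ve_block_offset: int  # first VE ID covered by this label block
    ve_block_size: int    # number of consecutive VE IDs covered
    label_base: int       # label used by the PE whose VE ID == ve_block_offset
    route_targets: frozenset

    def covers(self, ve_id: int) -> bool:
        return self.ve_block_offset <= ve_id < self.ve_block_offset + self.ve_block_size

    def label_for_sender(self, sender_ve_id: int) -> int:
        """Label the PE with sender_ve_id must push when sending to the advertiser."""
        if not self.covers(sender_ve_id):
            raise ValueError(f"VE ID {sender_ve_id} outside block "
                             f"{self.ve_block_offset}+{self.ve_block_size}")
        label = self.label_base + (sender_ve_id - self.ve_block_offset)
        if label > MAX_LABEL:
            raise ValueError("label base plus offset exceeds the 20-bit label space")
        return label


def block_offset_for(ve_id: int, block_size: int) -> int:
    """Offset of the contiguous block [k*size+1, (k+1)*size] that contains ve_id."""
    return ((ve_id - 1) // block_size) * block_size + 1


@dataclass
class LocalVsi:
    rd: str
    ve_id: int
    import_rt: str
    advertised: list  # VplsNlri blocks this PE has originated

    def advertise_block(self, label_base: int, block_size: int, export_rt: str) -> VplsNlri:
        nlri = VplsNlri(self.rd, self.ve_id, block_offset_for(self.ve_id, block_size),
                        block_size, label_base, frozenset({export_rt}))
        self.advertised.append(nlri)
        return nlri

    def pseudowire_table(self, received: list) -> dict:
        """remote VE ID -> {"tx": label we push toward it, "rx": label we expect from it}."""
        table = {}
        for nlri in received:
            if self.import_rt not in nlri.route_targets:
                continue  # RT filtering: this advertisement belongs to another VPLS
            if nlri.ve_id == self.ve_id:
                raise ValueError(f"duplicate VE ID {self.ve_id} from RD {nlri.rd}")
            if not nlri.covers(self.ve_id):
                continue  # the remote block does not reach our VE ID; wait for another block
            local = next((b for b in self.advertised if b.covers(nlri.ve_id)), None)
            if local is None:
                continue  # we have not yet advertised a block covering the remote VE ID
            table[nlri.ve_id] = {"tx": nlri.label_for_sender(self.ve_id),
                                 "rx": local.label_for_sender(nlri.ve_id)}
        return table


def demo():
    """PE1 (VE ID 1) receives advertisements from two members, one foreign VPLS and
    one block that does not cover VE ID 1; constructed values throughout."""
    pe1 = LocalVsi(rd="65000:100", ve_id=1, import_rt="65000:100", advertised=[])
    pe1.advertise_block(label_base=24000, block_size=8, export_rt="65000:100")
    received = [
        VplsNlri("65000:100", 2, 1, 8, 25000, frozenset({"65000:100"})),   # PE2, same VPLS
        VplsNlri("65000:100", 3, 1, 8, 26000, frozenset({"65000:100"})),   # PE3, same VPLS
        VplsNlri("65000:200", 4, 1, 8, 27000, frozenset({"65000:200"})),   # other VPLS: filtered
        VplsNlri("65000:100", 12, 9, 8, 28000, frozenset({"65000:100"})),  # block does not cover VE 1
    ]
    return pe1.pseudowire_table(received)


if __name__ == "__main__":
    print(demo())
```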

Implementation

Configuration Principles

Configuring Layer 2 MPLS VPNs begins with Provider Edge (PE) router setup, where attachment circuits (ACs) are defined to connect customer edge (CE) devices to the provider network. ACs can be physical interfaces, logical subinterfaces, or VLANs, each provisioned with parameters such as encapsulation type and QoS policies to handle customer traffic appropriately. These ACs are then mapped to pseudowires (PWs) for point-to-point services like Virtual Private Wire Service (VPWS) or to Virtual Switching Instances (VSIs) for multipoint services like Virtual Private LAN Service (VPLS), ensuring frame forwarding across the MPLS core while preserving Layer 2 attributes. Signaling is enabled by establishing sessions, such as LDP or BGP peering between PEs, to facilitate PW discovery and label distribution for end-to-end connectivity.

Pseudowire setup involves specifying Forwarding Equivalence Class (FEC) types to identify the PW endpoints, such as the PWid FEC using a 32-bit identifier for simple point-to-point emulation or the Generalized PWid FEC with attachment identifiers for more complex scenarios. MTU adjustments are critical: the interface MTU sub-TLV is negotiated during signaling to ensure compatibility, and a mismatch results in PW deactivation to prevent fragmentation issues. The control word, a 4-byte header for sequence numbering and fragmentation, is optionally enabled based on PW type and negotiated preference, aiding frame reassembly and error detection. Operations, Administration, and Maintenance (OAM) is enabled via Virtual Circuit Connectivity Verification (VCCV), allowing fault detection and diagnostics over the PW using control channel types like router alert or MPLS labels. For VPLS, VSI configuration creates a virtual bridging domain where multiple ACs connect to a full mesh of PWs, using an Attachment Group Identifier (AGI) for LDP-based setups or Route Distinguishers (RDs) and Route Targets (RTs) for BGP-based auto-discovery to uniquely identify the service instance.
Split-horizon groups are implemented to prevent forwarding loops by isolating traffic from access PWs (to CEs) and network PWs (to other PEs), ensuring frames from one PW group are not replicated back to the same group. MAC learning limits are set per VSI to cap the number of learned addresses, mitigating denial-of-service risks from MAC table exhaustion, with configurable aging timers to flush inactive entries.

Verification of L2 MPLS VPNs focuses on confirming PW operational status through signaling messages, such as LDP notifications for PW up/down events or BGP updates for VPLS reachability. Label checks involve inspecting allocated MPLS labels and their bindings to PWs or VSIs to ensure correct forwarding paths, often using OAM probes for end-to-end validation. Traffic tests employ OAM mechanisms to measure frame loss, delay, and connectivity, sending test packets over PWs to simulate customer traffic and detect issues like blackholing. Troubleshooting loops and flooding requires monitoring MAC learning behavior and split-horizon enforcement, with rapid fault isolation via PW status TLVs to isolate affected segments without service-wide disruption. Security considerations include applying Access Control Lists (ACLs) on ACs to filter unauthorized traffic at the PE-CE boundary, permitting only expected protocols and customer-originated frames. For BGP-signaled services, session authentication keys secure peering between PEs, preventing unauthorized route advertisements. MTU mismatch handling involves proactive negotiation during PW setup and alerting on discrepancies to avoid silent drops, with fallback to minimum supported values where configurable.
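As an added example serving both this section and the LDP-based signaling section above (not code from the article or any vendor), the following Python performs the per-pseudowire checks a PE makes when two label mappings meet: interface MTU equality per RFC 4447, control-word negotiation for the required and optional cases, and VCCV control channel selection per RFC 5085 (type 1 preferred over 2 over 3, with type 1 available only when the control word is in use). Endpoint values are constructed, and whether a PW type requires the control word is taken from the endpoint's declared cw_required field rather than from a built-in table.

```python
"""Added example (not the article's or any vendor's code): the per-pseudowire
parameter checks a PE performs when two LDP label mappings meet, following RFC 4447
(interface MTU must match; control-word C-bit negotiation) and RFC 5085 (VCCV control
channel selection: type 1 preferred, then 2, then 3; type 1 needs the control word).
Endpoint values are constructed; whether a PW type requires the control word comes
from each endpoint's declared cw_required, as its encapsulation RFC would specify."""
from dataclasses import dataclass

VCCV_CC_PREFERENCE = (1, 2, 3)  # 1 = PW-ACH in control word, 2 = router alert label, 3 = TTL expiry


@dataclass(frozen=True)
class PwEndpoint:
    pe: str
    pw_type: str          # e.g. "ethernet-raw", "frame-relay-dlci" (names constructed)
    mtu: int              # Interface MTU sub-TLV value
    cw_required: bool     # property of the PW type
    cw_preferred: bool    # C-bit in the FEC element
    vccv_cc: frozenset    # VCCV control channel types this endpoint supports


def negotiate(local: PwEndpoint, remote: PwEndpoint) -> dict:
    """Return the negotiated PW state; a 'down' result carries the reason a PE would
    report (label release / PW status) instead of forwarding onto a mismatched circuit."""
    result = {"status": "down", "reason": None, "control_word": None, "vccv_cc": None, "mtu": None}
    if local.pw_type != remote.pw_type:
        result["reason"] = f"PW type mismatch: {local.pw_type} vs {remote.pw_type}"
        return result
    if local.mtu != remote.mtu:
        # RFC 4447: differing Interface MTU values mean the PW must not come up;
        # bringing it up anyway would silently drop frames above the smaller MTU.
        result["reason"] = f"interface MTU mismatch: {local.mtu} vs {remote.mtu}"
        return result
    if local.cw_required:
        if not (local.cw_preferred and remote.cw_preferred):
            result["reason"] = "control word required for this PW type but C-bit not set on both ends"
            return result
        control_word = True
    else:
        # Optional control word: used only if both ends set C=1. If they disagree,
        # the C=1 side re-signals with C=0 and the PW comes up without it.
        control_word = local.cw_preferred and remote.cw_preferred
    common_cc = local.vccv_cc & remote.vccv_cc
    if not control_word:
        common_cc = common_cc - {1}  # CC type 1 rides in the control word's PW-ACH
    vccv = next((cc for cc in VCCV_CC_PREFERENCE if cc in common_cc), None)
    result.update(status="up", control_word=control_word, vccv_cc=vccv, mtu=local.mtu)
    return result


def demo():
    """Four constructed pairings: agreeing Ethernet ends, an optional control word
    declined by one side, an MTU mismatch, and a required control word left unsignaled."""
    eth_pe1 = PwEndpoint("PE1", "ethernet-raw", 1500, False, True, frozenset({1, 2}))
    eth_pe2 = PwEndpoint("PE2", "ethernet-raw", 1500, False, True, frozenset({1, 3}))
    eth_pe2_nocw = PwEndpoint("PE2", "ethernet-raw", 1500, False, False, frozenset({1, 2, 3}))
    eth_pe2_jumbo = PwEndpoint("PE2", "ethernet-raw", 9000, False, True, frozenset({1}))
    fr_pe1 = PwEndpoint("PE1", "frame-relay-dlci", 1500, True, True, frozenset({1}))
    fr_pe2_nocw = PwEndpoint("PE2", "frame-relay-dlci", 1500, True, False, frozenset({2}))
    return {
        "both_cw": negotiate(eth_pe1, eth_pe2),
        "optional_cw_declined": negotiate(eth_pe1, eth_pe2_nocw),
        "mtu_mismatch": negotiate(eth_pe1, eth_pe2_jumbo),
        "required_cw_missing": negotiate(fr_pe1, fr_pe2_nocw),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```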

Vendor-Specific Features

Cisco implements Layer 2 MPLS VPN services primarily through Any Transport over MPLS (AToM) for Virtual Private Wire Services (VPWS), which encapsulates and transports various Layer 2 protocols over MPLS pseudowires to emulate point-to-point connections. For Virtual Private LAN Services (VPLS), Cisco supports BGP-aware signaling with integration of Ethernet VPN (EVPN) following its standardization in 2015, with support introduced in mid-2010s releases such as IOS XR 6.x and later, enabling multipoint Ethernet services with enhanced MAC learning and mobility via BGP. Additionally, Cisco provides redundancy through Stateful Switchover (SSO), allowing seamless failover between primary and backup route processors without service disruption in high-availability setups.

Juniper Networks employs Circuit Cross-Connect (CCC) for VPWS implementations, where CCC establishes point-to-point Layer 2 circuits over MPLS by directly mapping attachment circuits to LSPs without intermediate encapsulation. For VPLS, Juniper utilizes the Kompella method, a BGP-based signaling approach that automates peer discovery and pseudowire setup using BGP advertisements with FEC 128 labels, improving scalability over LDP-based alternatives. Juniper enhances operations, administration, and maintenance (OAM) through MPLS Transport Profile (MPLS-TP) support, including fault detection and performance monitoring across pseudowires. A key strength of Juniper's offerings is robust support for Hierarchical VPLS (H-VPLS), which scales multipoint services by introducing user-provider edge (u-PE) and network-provider edge (n-PE) routers to reduce full-mesh requirements in large deployments.

Huawei advances Layer 2 MPLS VPNs through integration of Ethernet VPN (EVPN) for both VPWS and VPLS, providing a unified control plane that enhances Layer 2 service provisioning with automated discovery and multi-homing capabilities. For scaling, Huawei's Virtual Switching Instance (VSI) implementation allows multiple VSIs per device, enabling efficient isolation of diverse Layer 2 VPN instances in high-density environments.
Vendor implementations differ in emphasis: some vendors prioritize MPLS-TP compliance per RFC 6370 for precise timing and OAM in transport networks, while Juniper excels in H-VPLS for hierarchical scalability and Huawei focuses on EVPN-driven evolution for next-generation services. Post-2020, shifts toward EVPN-VPWS and EVPN-VPLS have been prominent, as seen in IOS XR 7.x releases, which introduce enhanced single-homing and hot-standby support for these services. Interoperability among Cisco, Juniper, and Huawei is facilitated by adherence to IETF standards, with multi-vendor tests confirming seamless Layer 2 MPLS VPN operation in EVPN and VPLS scenarios through 2025.

Benefits and Applications

Key Advantages

Layer 2 MPLS VPNs provide transparency to customer Layer 2 protocols, such as Cisco Discovery Protocol (CDP), Spanning Tree Protocol (STP), and VLAN Trunking Protocol (VTP), by tunneling their protocol data units across the provider network without alteration, allowing legacy applications to operate seamlessly without IP address changes or modifications to customer equipment. This preservation of Layer 2 characteristics ensures that the VPN emulates a local Ethernet segment, maintaining protocol independence at the provider edge (PE) routers, which do not process customer Layer 3 routes. In terms of scalability, Layer 2 MPLS VPNs, particularly through Virtual Private LAN Service (VPLS), support multipoint connectivity for thousands of sites by leveraging BGP for auto-discovery and signaling, which simplifies peer management and adapts to changes without extensive manual configuration. Efficient MAC learning at PE routers minimizes broadcast traffic, further enhancing scalability over traditional Layer 2 circuits by reducing overhead. For customers, Layer 2 MPLS VPNs offer simplicity, as no routing configuration is required on customer edge (CE) devices; the service appears as an extension of the local Layer 2 network, requiring only basic connectivity knowledge. This approach isolates customer addressing and routing protocols, eliminating the need for provider involvement in customer Layer 3 operations. Providers benefit from multi-tenancy enabled by MPLS labels, which allow multiple customer VPNs to share the same IP/MPLS backbone without interference, supporting efficient resource utilization. Quality of Service (QoS) is inherited from the MPLS infrastructure, with mechanisms like mapping IEEE 802.1p bits to MPLS EXP (traffic class) bits for precedence-based treatment of frames. Performance is optimized through MPLS label switching, delivering low-latency forwarding for high-bandwidth Ethernet services by encapsulating Layer 2 frames in pseudowires over the core network. This results in reliable, high-speed connectivity comparable to dedicated lines while leveraging the provider's existing infrastructure.

Common Use Cases

Layer 2 MPLS VPNs are widely deployed in metropolitan Ethernet services to extend local area networks across urban areas, enabling enterprises to connect distributed sites as if they were part of a single LAN. This is particularly valuable for organizations requiring seamless Layer 2 connectivity over wide areas, such as financial firms that leverage VPWS or VPLS for low-latency trading environments where preserving Ethernet frames minimizes processing delays.

Retail chains commonly use VPLS-based Layer 2 MPLS VPNs to interconnect point-of-sale (POS) systems and branch offices, ensuring transparent transport of Ethernet traffic while preserving VLAN tags for secure segmentation of payment traffic from general network traffic. This multipoint connectivity allows centralized management of these systems across multiple locations without altering existing Layer 2 protocols.

In data center interconnect (DCI) scenarios, VPLS facilitates virtual machine (VM) mobility by extending broadcast domains across geographically separated facilities, supporting migration of workloads for disaster recovery, load balancing, and high-availability clustering. By emulating a unified Layer 2 domain over an MPLS backbone, VPLS enables VMs to maintain IP addresses and VLAN memberships during transfers, reducing downtime in active/active architectures.

Service providers offer Layer 2 MPLS VPNs as standardized Ethernet services, with E-Line (based on VPWS) delivering point-to-point connectivity for dedicated private lines between customer sites, and E-LAN (based on VPLS) providing multipoint Ethernet LAN emulation for collaborative environments like shared campuses or cloud access. These services align with Metro Ethernet Forum definitions, allowing providers to bundle multiple customer VLANs over pseudowires for scalable, any-to-any connectivity.

Organizations often migrate from legacy time-division multiplexing (TDM) or Asynchronous Transfer Mode (ATM) networks to Layer 2 MPLS VPNs to consolidate infrastructure and achieve cost savings through IP/MPLS convergence, while maintaining compatibility with existing Layer 2 protocols via pseudowire emulation. This transition supports gradual replacement of circuit-based services with packet-switched VPNs, preserving service-level agreements for voice, video, and data traffic.

Limitations and Comparisons

Technical Challenges

Layer 2 MPLS VPNs, particularly in Virtual Private LAN Service (VPLS) implementations, face significant scalability challenges due to the requirement for a full mesh of pseudowires (PWs) between provider edge (PE) routers. In a flat VPLS topology with n PEs, this necessitates n(n-1)/2 bidirectional PWs to emulate a single LAN, resulting in quadratic growth in signaling overhead and resource consumption as the number of sites increases. Additionally, the data plane suffers from MAC table explosion in large domains, where each PE must maintain entries for potentially thousands of customer MAC addresses learned across multiple sites, leading to table exhaustion and forwarding inefficiencies.

Flooding mechanisms in VPLS exacerbate operational risks, as unknown unicast, broadcast, and multicast (BUM) traffic is replicated across all PWs to facilitate MAC learning, which can trigger traffic storms in high-volume environments. Loop prevention often relies on Spanning Tree Protocol (STP) extensions or split-horizon rules, but dependency on STP introduces convergence delays and potential instability in multi-access scenarios.

Operations, Administration, and Maintenance (OAM) for pseudowires introduces complexity, as there is no native end-to-end Layer 2 monitoring capability; instead, fault detection requires Virtual Circuit Connectivity Verification (VCCV) to establish a control channel over MPLS for diagnostics. VCCV, combined with Bidirectional Forwarding Detection (BFD), enables proactive PW data plane monitoring but demands precise configuration of control channel types (e.g., router alert labels or TTL expiry) and capability matching between endpoints, with equal-cost multipath (ECMP) paths potentially causing verification inconsistencies.

Maximum Transmission Unit (MTU) mismatches pose fragmentation risks, as MPLS labels (4 bytes each) and the optional PW control word (4 bytes) add 8–12 bytes of overhead to Ethernet frames, potentially exceeding interface limits and requiring jumbo frame support or frame reassembly. Large customer frames may thus fragment during transit, degrading performance in environments without jumbo frame support.

Multi-homing in VPLS defaults to single-active mode for redundancy, where only one PE link is active per customer edge (CE) device to avoid loops, but enabling multi-active configurations demands meticulous split-horizon enforcement and MAC flushing to prevent persistent forwarding loops across redundant paths.
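The following Python is an added example, not code from the article or from any vendor or RFC, illustrating the pseudowire encapsulation that the Key Advantages section and the MTU discussion above both rely on: an ingress PE copies the 802.1p priority into the EXP bits of a two-label stack, prepends the 4-byte control word, and the resulting frame is checked against a core MTU, alongside the n(n-1)/2 full-mesh count. The label values (16001, 16), the VLAN 100 / PCP 5 tag and the 1518-byte sample frame are constructed for the example.

```python
import struct

# Constructed example (not from the article): PW encapsulation at an ingress PE,
# decapsulation at the egress PE, and the MTU / full-mesh arithmetic from the text.

# RFC 4385 generic control word, first nibble 0000 so ECMP hashing in the core does
# not mistake the Ethernet payload for an IPv4 (0x4) or IPv6 (0x6) packet.
PW_CONTROL_WORD = b"\x00\x00\x00\x00"


def mpls_entry(label: int, exp: int, bottom: bool, ttl: int = 255) -> bytes:
    """One 4-byte label stack entry: 20-bit label, 3-bit EXP, 1-bit S (bottom), 8-bit TTL."""
    if not (0 <= label < 2**20 and 0 <= exp < 8 and 0 <= ttl < 256):
        raise ValueError("label, EXP or TTL out of range")
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bottom) << 8) | ttl)


def pcp_of(frame: bytes) -> int:
    """IEEE 802.1p priority (PCP) of a single-tagged Ethernet frame, 0 if untagged."""
    if len(frame) >= 18 and frame[12:14] == b"\x81\x00":
        return frame[14] >> 5
    return 0


def encapsulate(frame: bytes, tunnel_label: int, vc_label: int, control_word: bool = True) -> bytes:
    """Ingress PE: map 802.1p PCP to EXP on both labels, push VC label (bottom of stack),
    then the tunnel label; insert the control word between the stack and the frame."""
    exp = pcp_of(frame)
    stack = mpls_entry(tunnel_label, exp, bottom=False) + mpls_entry(vc_label, exp, bottom=True)
    return stack + (PW_CONTROL_WORD if control_word else b"") + frame


def decapsulate(packet: bytes, control_word: bool = True):
    """Egress side (no penultimate hop popping assumed, for illustration): walk the stack
    to the S-bit entry, validate and strip the control word, return (labels, exp, frame)."""
    labels, pos, exp = [], 0, 0
    while True:
        if pos + 4 > len(packet):
            raise ValueError("truncated label stack")
        entry = int.from_bytes(packet[pos:pos + 4], "big")
        labels.append(entry >> 12)
        exp = (entry >> 9) & 7
        pos += 4
        if (entry >> 8) & 1:          # S bit set: this was the VC label
            break
    if control_word:
        if packet[pos] >> 4 != 0:
            raise ValueError("expected PW control word with first nibble 0")
        pos += 4
    return labels, exp, packet[pos:]


def overhead_bytes(label_depth: int = 2, control_word: bool = True) -> int:
    """Bytes added per frame: 4 per label plus 4 for the control word (8 to 12 in the text)."""
    return 4 * label_depth + (4 if control_word else 0)


def fits_core_mtu(frame_len: int, core_mtu: int, label_depth: int = 2, control_word: bool = True) -> bool:
    """True if the encapsulated frame fits the core link MTU without fragmentation."""
    return frame_len + overhead_bytes(label_depth, control_word) <= core_mtu


def full_mesh_pws(n_pe: int) -> int:
    """Bidirectional PWs for a flat VPLS full mesh of n_pe provider edges: n(n-1)/2."""
    return n_pe * (n_pe - 1) // 2


def sample_tagged_frame(pcp: int = 5, vid: int = 100, payload_len: int = 1500) -> bytes:
    """Constructed 802.1Q-tagged frame without FCS: 14-byte header + 4-byte tag + payload."""
    tci = (pcp << 13) | vid
    return (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
            + b"\x81\x00" + tci.to_bytes(2, "big") + b"\x08\x00" + bytes(payload_len))
```

A 1518-byte tagged customer frame becomes 1530 bytes with two labels and the control word, so it no longer fits a 1500-byte core MTU; raising the core MTU (jumbo frames) is what makes it fit.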

Alternatives to L2 MPLS VPN

Layer 3 MPLS VPNs, as defined in RFC 4364, operate at the network layer to provide routed connectivity between customer sites over a service provider's MPLS backbone. Unlike Layer 2 MPLS VPNs, which maintain Layer 2 transparency for customer traffic, Layer 3 MPLS VPNs use BGP to exchange routing information and virtual routing and forwarding (VRF) instances to isolate customer routes, making them IP-aware and suitable for services requiring inter-site routing. This approach scales more efficiently with BGP's capabilities for large networks but does not preserve Layer 2 adjacency, limiting its use for applications needing broadcast domains or non-IP protocols.

Ethernet VPN (EVPN), specified in RFC 7432, offers a BGP-based overlay for both Layer 2 and Layer 3 services, addressing scaling limitations in traditional Virtual Private LAN Service (VPLS) implementations of Layer 2 MPLS VPNs. EVPN uses MAC routing to enable control-plane learning of customer MAC addresses, reducing unknown unicast flooding and supporting multi-homing with flow-based load balancing, which improves efficiency over VPLS's data-plane flooding. It integrates seamlessly with VXLAN for data center interconnect (DCI) scenarios, providing multi-tenancy and mobility features essential for cloud environments.

Provider Backbone Bridging (PBB), standardized in IEEE 802.1ah, provides a Layer 2-only solution by encapsulating customer frames within provider frames, enabling scalable Ethernet services without the full bridging complexity of VPLS. This MAC-in-MAC approach hides customer MAC addresses from the provider core, simplifying MAC table management and supporting up to 2^24 service instances per backbone, but it lacks the flexibility for mixed Layer 2/Layer 3 services offered by MPLS-based VPNs.

Software-Defined Wide Area Network (SD-WAN) delivers VPN services through application-aware overlays, often using tunnels over broadband or MPLS links, prioritizing cost-effective branch connectivity without dedicated MPLS circuits. Compared to Layer 2 MPLS VPNs, SD-WAN introduces higher latency due to public Internet paths but offers dynamic path selection, centralized policy management, and lower deployment costs for distributed enterprises.

Alternatives like Layer 3 MPLS VPNs are preferable for IP-centric enterprises needing routed scalability without Layer 2 extension. EVPN suits modern cloud-era deployments requiring multi-tenancy and DCI integration. PBB fits pure Layer 2 carrier scenarios demanding simplicity and MAC isolation, while SD-WAN excels in branch offices prioritizing affordability over low-latency guarantees.
