Who’s Pushing Layer-2 VPN Services?

Here’s another great point Tiziano Tofoni raised in his comment to my EVPN in small data center fabrics blog post:

I cannot understand the usefulness of L2 services. I think that the preference for L2 services has its origin in the enterprise world (pushed by well known $vendors) while ISPs tend to work at Layer 3 (L3) only, even if they are urged to offer L2 services by their customers.

Some (but not all) ISPs are really good at offering IP transport services with fixed endpoints. Some Service Providers are good at offering per-tenant IP routing services required by MPLS/VPN, but unfortunately many of them simply don’t have the skills needed to integrate with enterprise routing environments.

For example: I’ve seen MPLS/VPN providers who force the customers to accept external OSPF routes because the provider wants to own the CE router and is not willing to do BGP-to-OSPF redistribution the way the MPLS/VPN architecture intends: preserving the OSPF route attributes (domain ID, route type and router ID are carried across the provider core as BGP extended communities) so that an inter-area route from one site is re-originated as an inter-area route at the other sites, not as an external one.
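To make the difference concrete, here is a small model of the decision a PE router makes when it re-originates a VPN route into the customer's OSPF instance (OSPF as the PE-CE protocol, RFC 4577). It is an added example, not code from this post or from any vendor implementation; the route objects, prefixes and the `CUSTOMER_DOMAIN` value are constructed, the `VpnRoute`/`OriginatedLsa` classes and the `pe_originate` function are my own names, and the decision table is a simplified rendering of RFC 4577 section 4.2.8 (metric values are not modelled, and two absent domain IDs are assumed to match).

```python
"""Model of how a PE re-originates an MPLS/VPN route into a customer OSPF
instance when OSPF is the PE-CE protocol (RFC 4577).  Added illustration,
not code from the blog post; routes and prefixes below are constructed."""
import socket
import struct
from dataclasses import dataclass, field
from typing import Optional

# BGP extended-community type codes defined for RFC 4577 (IANA registry).
OSPF_DOMAIN_ID_TYPES = (0x0005, 0x0105, 0x0205)  # 2-byte AS / IPv4 / 4-byte AS forms
OSPF_ROUTE_TYPE = 0x0306                          # value: area(4) route-type(1) options(1)

# Route-type codes carried in the OSPF Route Type community (same numbers as LSA types).
INTRA_AREA = (1, 2)    # learned from a router or network LSA
INTER_AREA = 3         # learned from a summary LSA
EXTERNAL = 5           # learned from an AS-external LSA
NSSA_EXTERNAL = 7      # learned from an NSSA LSA
E2_METRIC_BIT = 0x01   # options bit: set means type-2 external metric


@dataclass
class VpnRoute:
    prefix: str
    ext_communities: dict = field(default_factory=dict)  # {type code: raw 6-byte value}


@dataclass
class OriginatedLsa:
    prefix: str
    lsa_type: int               # 3 = inter-area (summary), 5 = AS-external, 7 = NSSA
    metric_type: Optional[int]  # 1 or 2 for type 5/7 LSAs, None for type 3
    dn_bit: bool = True         # RFC 4576 down bit, always set on PE-originated LSAs


def encode_route_type(area: int, route_type: int, e2_metric: bool = False) -> bytes:
    """Build the 6-byte value of the OSPF Route Type community."""
    return struct.pack("!IBB", area, route_type, E2_METRIC_BIT if e2_metric else 0)


def decode_route_type(value: bytes) -> tuple:
    """Return (area, route_type, options) from the community value."""
    return struct.unpack("!IBB", value)


def remote_domain_id(route: VpnRoute) -> Optional[bytes]:
    """Domain ID community carried by the route, in whichever encoding was used."""
    for code in OSPF_DOMAIN_ID_TYPES:
        if code in route.ext_communities:
            return route.ext_communities[code]
    return None


def pe_originate(route: VpnRoute, local_domain_id: Optional[bytes],
                 nssa_area: bool = False) -> OriginatedLsa:
    """Decide which LSA the PE originates toward the CE for one VPN route.
    Assumption: domain IDs compare by byte equality; two absent IDs match."""
    external_lsa = NSSA_EXTERNAL if nssa_area else EXTERNAL
    rt_value = route.ext_communities.get(OSPF_ROUTE_TYPE)

    # No route-type community: the route never came from OSPF (BGP, static,
    # or a PE that strips the attributes), so it can only be external.
    if rt_value is None:
        return OriginatedLsa(route.prefix, external_lsa, 2)

    _area, route_type, options = decode_route_type(rt_value)
    metric_type = 2 if options & E2_METRIC_BIT else 1

    if remote_domain_id(route) != local_domain_id:
        # Different or missing OSPF domain: every route, even an intra-area
        # route from the remote site, surfaces as an external route.
        return OriginatedLsa(route.prefix, external_lsa, metric_type)

    if route_type in INTRA_AREA or route_type == INTER_AREA:
        # Same domain: internal routes become inter-area routes, so the
        # customer's OSPF preference order (internal over external) survives.
        return OriginatedLsa(route.prefix, INTER_AREA, None)
    return OriginatedLsa(route.prefix, external_lsa, metric_type)


# Constructed domain ID, IPv4-address encoding (4-byte address + 2-byte local part).
CUSTOMER_DOMAIN = socket.inet_aton("10.0.0.1") + b"\x00\x00"


def demo() -> dict:
    """One inter-area route received by a PE with and without a matching domain ID."""
    route = VpnRoute("172.16.1.0/24", {
        0x0105: CUSTOMER_DOMAIN,
        OSPF_ROUTE_TYPE: encode_route_type(area=0, route_type=INTER_AREA),
    })
    return {
        "matching_domain": pe_originate(route, CUSTOMER_DOMAIN),  # type 3 LSA
        "mismatched_domain": pe_originate(route, None),            # type 5 LSA
    }


if __name__ == "__main__":
    for case, lsa in demo().items():
        print(f"{case}: LSA type {lsa.lsa_type}, metric type {lsa.metric_type}, DN={lsa.dn_bit}")
```

The two `demo()` cases are the whole story: with the domain ID configured consistently on both PEs, the remote site's inter-area route stays an inter-area route; with it missing on one side, the very same route turns into a type-5 external, which is exactly what the customers in the paragraph above are being told to live with. The DN bit is set in both cases, which is the loop-prevention check a customer-owned CE has to honour (never re-advertise a DN-marked LSA back toward a PE).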

More about this can of worms in the Choose the Optimal VPN Service webinar and Integrating DMVPN-based Internet VPN with MPLS/VPN WAN case study.

Long story short: I always believed in the greatness of the MPLS/VPN architecture, but when the theory meets reality things often get ugly. As much as it hurts me, I’d prefer buying layer-2 services or IP transport services from a service provider because I know they can’t mess them up too much, and I’d still own the end-to-end routing.

I would then use the layer-2 transport service to build my own routed core, or use an IP transport service with a tunnel-based VPN on top of it. You could also use SD-WAN if you’re happy to deal with GUI-driven undocumented technologies.


  1. Everything over IP is the right stuff? As a service provider we sell Internet access or L2 VPLS, that’s it.
    1. ... and we're perfectly in sync. That's what I would buy from most SPs unless I would be absolutely sure they know how to deal with Enterprise routing.

      Also, many SPs rightfully don't want to deal with the mess that's called Enterprise routing ;))
  2. "As much as it hurts me, I’d prefer buying layer-2 services or IP transport services from a service provider because I know they can’t mess them up too much, and I’d still own the end-to-end routing." - Very surprised to see this comment. I assume this would be on a small scale only. Once you get to 5 or 10 or more sites, routed MPLS VPN is really the only solution that will scale... (Maybe I am missing the context).
    1. There are L2-VPNs with 600+ sites operating 24/7/365 for years....
      I would not exactly call that small scale.
  3. Never heard of BGP route reflection and hub and spoke design? It's highly scalable and a perfect case for automation. Look at Ivan's ansible for network engineers webinar.
  4. So Ivan, you are telling me to go back to the old days of overlay networks over ATM/Frame Relay, now revisited over IP/MPLS? Serious ISPs today have thousands and thousands of customers well satisfied with L3VPN services, and as far as I understand, L2 services are a small percentage of overall BGP/MPLS services. But to be sincere, my point in the past comment was about data center scenarios. My point was that you can drastically simplify the fabric by deploying multitenancy through simple L3VPN, without using LDP, but using simple MPLS over GRE/IP/UDP+IP. And therefore you need neither EVPN nor VXLAN (I understand that this is blasphemous ... !!!)
    1. Isn't that what CO transformation is all about?
      Use L2 tunneling to transport the packets to the closest (virtual) L3 endpoint?

      IMHO it really depends on where you're deploying the fabric.
      In a regular DCs maybe you don't need EVPNs, but in SP PoPs? Well you do.
  5. We (two municipalities in Sweden) buy exclusively internet access and layer 2 VPN services from our service provider. We have looked into buying layer 3 VPN services several times, but always decide against because we'd have to integrate with the service provider's routing (which would limit our flexibility, sometimes limit our choice of IP ranges, sometimes just not work with IPv6, and most importantly based on experience I don't trust our service provider to handle routing properly...)
  6. "I cannot understand the usefulness of L2 services..."

    Are we at risk of applying logic to emotion?

    In a world where economic stimulus comes in the form of 'job creation' instead of proper grass roots agitation, you may find you're designing for a 95th percentile which no longer exists. Gone is the curious, extroverted, inner geek, who weighed up his career options as a project engineer or a support analyst and decided that support was probably the perfect combination of people+tech.

    In his/her place, we have state sponsored employee numbers with designations that bear no resemblance to the geek-come-customer-champion of yesteryear. IT jobs FTW?

    "Fill those seats and get them filled ASAP or you can kiss goodbye to the second, third and fourth stages of that grant we promised!"

    Applying a cattle prod to your country's employment statistics is a brilliant short term win. Everyone's a winner!

    Is this really true, though?

    It's possible that such endeavours could jumpstart someone's ascent on the Needs Hierarchy and in turn, propel a nation out of stagnation... but is it enough to merely set the wheels in motion?

    Yeh, course. Just like when you plug cables into any port of any switch, all of your apps come alive, magically.

    In such a state (demoralised, depressed, angry, resentful, unproductive - pick one? :P) how likely are people to welcome additional complexity into their lives? Is it, perhaps, more likely they'll stick to what they know?

    24 bit masks?
    The ARP cache?

    Who knows! :)
  7. The reason for the migration to L2 service by network service providers is automation.

    An L3VPN deployment cannot be easily automated, since you have to agree on IP addressing, IP routing, you have to test the integration, and you have no real separation of administrative domains. The full process might take weeks, with multiple meetings, documents to review, etc.

    If you provide an L2 service only, then you do not have to discuss anything. You just provide the service, make an automated test using Ethernet OAM, notify the customer, the customer connects and the frames are forwarded. You can light up such service instances in minutes. If it is just a P2P L2 service, then it is easy to guarantee bandwidth and it is just a check-box to order automated protection switching.

    Nowadays you can also automate L2 service provisioning over multiple service providers. In the long term this will make L2 services much cheaper than L3 services.

    In about a decade, L3 services might become a small niche market...
