Chapter 7. Security of MPLS Layer 2 VPNs

In this chapter, you learn about the following:

  • Generic Layer 2 security as a foundation for Layer 2 over MPLS constructs with an emphasis on Ethernet

  • Virtual Private LAN Service (VPLS) security overview

  • Virtual Private Wire Service (VPWS) security overview

New architectures allow MPLS to build VPNs that interconnect Layer 2 (L2) networks and transport L2 frames. A Layer 2 VPN comprises switched connections between subscriber endpoints over a shared network; nonsubscribers do not have access to those endpoints. Originally built on Layer 2 network technologies (Frame Relay, for example), such VPNs are now being augmented by packet-based technologies such as IP and MPLS, and a shift is underway within service provider networks from circuit-switched to packet-based technology. Virtual Private LAN Service (VPLS) and Virtual Private Wire Service (VPWS) are examples of Layer 2 technologies that make it possible to operate private multipoint and point-to-point LANs over public networks. VPWS and VPLS have security properties that differ from those of Layer 3 VPNs; both are discussed in this chapter.

Certain aspects of the Layer 2 network architecture affect both the security mechanisms that can be applied and the operational characteristics that need to be addressed. This chapter is therefore structured around these various schemes. Because many of the recommended practices apply across the board, a complete discussion of the relevant security recommendations is provided in this chapter.