CHAPTER
Security of MPLS Layer 2 VPNs
New architectures allow MPLS to build VPNs that interconnect Layer 2 (L2) networks and transport L2 frames. A Layer 2 VPN comprises switched connections between subscriber endpoints over a shared network; nonsubscribers do not have access to those endpoints. Originally built on Layer 2 network technologies (Frame Relay, for example), VPNs are now being augmented by packet-based technologies such as IP and MPLS.

A shift is underway within service provider networks from circuit-switched to packet-based technology. Virtual Private LAN Service (VPLS) and Virtual Private Wire Service (VPWS) are examples of Layer 2 technologies that make it possible to operate private, multipoint, and point-to-point LANs over public networks. VPWS and VPLS have different security properties from those of Layer 3 VPNs and will be discussed in this

Certain aspects of the Layer 2 network architecture affect both the security mechanisms that can be applied and the operational characteristics that need to be addressed. This chapter is therefore structured around these various schemes. Because many of the recommended practices apply across the board, a complete discussion of the relevant security recommendations is provided in this chapter.

Generic Layer 2 Security Considerations

Ethernet over MPLS (EoMPLS) is increasingly deployed in environments where the service provider (SP) does not wish to participate in managing the customer's Layer 3 routing and wants only to provide a Layer 2 service similar to traditional Frame Relay and ATM offerings. Alternatively, some customers may not wish to offload their Layer 3 operations to a service provider, preferring to keep control of that aspect of their networks themselves. In either scenario, a Layer 2 VPN can meet the applicable network requirements.

To protect customer networks, the SP's access network and backbone, and to ensure that service-level expectations can be met, the security considerations of the network must

Security in MPLS networks can be viewed from a Layer 2 and a Layer 3 perspective. SPs need to concern themselves with securing the network at both layers in order to assure