Do I need IPSec with VPLS to secure the L2 connection?

Hi there! I recently migrated from MPLS L3VPN to VPLS and learned that VPLS isn’t as secure as L3VPN. To enhance security, I’m considering implementing IPSec on the PE routers. This would help secure the Layer 2 traffic received from the CEs over the internet. Is this a valid approach?

Use MACSec on the underlay network, VPLS overlay.

9k L3 MTU
9216 L2 MTU end to end

What did you learn that is less secure on VPLS?

Normally both L3VPN and VPLS are about as secure as a letter carried by a private courier - ie. the security depends on how much you trust the courier. So with L3VPN and VPLS services offered by ISPs, the packets won’t be sent over the internet, but the ISP could read them if they wanted to. Whether this is a security risk is really a choice based on your threat analysis. The fix is encryption and authentication, which you could do with IPSEC or MACSEC. Since you have VPLS, MACSEC might be easier here.

You mentioned DMVPN in a reply, since this is normally done over the internet it’s normal to run it with IPSEC. Many small businesses use ISP L3VPN / VPLS links without encryption, but some larger businesses do.

You went from an L3VPN to an L2VPN… I have never heard of such madness.

MPLS L3 VPN is not encrypted either.

Neither are encrypted (and therefore on the wire they are not “secure”). They are both private. They are networks.

L2VPN and L3VPN are both unencrypted by default, so neither is more or less secure. MACsec if supported by your ISP. IPsec can always work as well.

have you even gone as far as to even go look more alike?

Wondering the same. I mean he could do IPsec, but I don’t see the need.

I have been given a project titled “Migration from MPLS to VPLS using DMVPN and IPSec.” During my research, I learned that DMVPN doesn’t typically coexist with VPLS unless it’s for redundancy purposes. This leaves me with IPSec as the primary option. I considered adding IPSec to the MPLS core to provide an additional layer of security. However, I’m starting to doubt if the project is a valid combination of technologies. Please correct me if I’m wrong. I’m counting on your help.

Trust obviously depends on type of a courier. The ones that are compliant with RFC 1149 are highly susceptible to lead interference, for example. On the other hand, RFC 1217 ones are truly jam resistant.

P.S. I’ll show myself out 🙂

Thank you so much! That was the best explanation I have received since starting my research. However, the thing now bothering me is when I apply DMVPN with IPsec over VPLS, should it be on the PE routers? And would the L2 traffic coming from the CEs use the DMVPN tunnels or just MPLS? Again, I can’t thank you enough for your help.

Sounds like a salesperson was running their mouth lol.

Crazy when people downvote legitimate curiosity/misunderstanding… I know it’s just fake internet points but Jesus.

You can absolutely still run DMVPN over VPLS and can secure DMVPN with IPSec.

Neither MPLS L3VPN nor VPLS is secure. They are both equally insecure.

TIL about RFC 1217, thank you!

Hahaha, I thought that was weird. Who did I trigger with this? Maybe it was a misclick.

Thank you so much! So the DMVPN with IPsec will be on the PE routers, and would it be used by the L2 traffic coming from the CEs? (I know I got some things wrong, but please bear with me; I’m new to this. My specialty is dev and I got put on networking projects.)

Neither the PE nor the CE will participate in the DMVPN. Only your customer router will.

From the carrier’s perspective, they’re just transporting your traffic across their network.

The only difference between an MPLS L3VPN and a VPLS underlay for your DMVPN is that the VPLS variety will have all of your customer routers likely in the same subnet.
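To make that last point concrete, here is a constructed Cisco IOS-style DMVPN hub configuration, added as an example and not posted by anyone in the thread: the tunnel and its IPsec protection live on the customer router behind the CE, the VPLS-delivered subnet is just the underlay, and the PE and CE carry the encrypted GRE frames without participating. All addresses, names and keys are hypothetical placeholders.

```text
! Added example: DMVPN hub on the CUSTOMER router behind the CE.
! The VPLS hands every site one shared subnet (192.0.2.0/24, hypothetical);
! that subnet is the tunnel underlay. The carrier's PE/CE see only ESP.
!
! IKEv2 authentication and the IPsec profile that encrypts the GRE tunnel
crypto ikev2 keyring DMVPN-KEYS
 peer SPOKES
  address 192.0.2.0 255.255.255.0
  pre-shared-key <REPLACE-WITH-STRONG-PSK>
crypto ikev2 profile DMVPN-IKEV2
 match identity remote address 192.0.2.0 255.255.255.0
 authentication remote pre-share
 authentication local pre-share
 keyring local DMVPN-KEYS
crypto ipsec transform-set DMVPN-TS esp-gcm 256
 mode transport
crypto ipsec profile DMVPN-IPSEC
 set transform-set DMVPN-TS
 set ikev2-profile DMVPN-IKEV2
!
! Underlay: the interface facing the CE, addressed in the VPLS subnet.
! 9000 assumes the carrier really delivers the 9k L3 MTU quoted above.
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 mtu 9000
!
! Overlay: multipoint GRE; spokes register with the hub via NHRP.
! ip mtu 1400 / mss 1360 are the conservative values; raise them only
! after confirming the jumbo path works end to end across the VPLS.
interface Tunnel0
 ip address 10.255.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication <NHRP-KEY>
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-IPSEC
```

Once spokes register, `show dmvpn` and `show crypto ipsec sa` confirm that each spoke session is up and that tunnel traffic is being encapsulated, which is the check that the VPLS path is no longer carrying plaintext.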