To MPLS or not to MPLS?

Last updated 5 years ago. First published 09 July, 2017.

Based on Ivan Pepelnjak's work and blog posts: and

VRF, MPLS, data centre, VLAN | English | Rating: ALL ages | Shortest path: 3 nodes | Longest path: 21 nodes | Possible solutions: 12
  • Do you have multiple security zones or tenants? No. Yes.
  • You don’t need VRFs.
  • Do you plan to span these zones across multiple sites (or data centers)? No. Yes.
  • I would use VRFs. You might want to use stretched VLANs, and I wish you luck.
  • Will you implement tenants or security zones with multiple segments or distributed firewalls (also marketed as microsegmentation)? Multiple segments. Distributed firewalls.
  • You might think you don’t need VRFs, but maybe you still do unless all hosts use the same exit from the subnet. If the hosts from different security zones (or tenants) need different exit points (aka service insertion), you’re better off using different routing domains for them.
  • Do you need a separate routing domain for each security zone or tenant within a site? No. Yes.
  • You don’t need VRFs; VLANs are good enough.
  • Do you have many VRFs or plan to have a scalable solution? Yes. No.
  • VRF-Lite is probably good enough.
  • Do you believe in SD-WAN? No. Yes.
  • You don’t need MPLS or any other technology. The black box you bought will do its proprietary magic to solve all the problems you might have (or not).
  • Is this a data center-only problem? No. Yes.
  • Do you plan to use overlay virtual networks? No. Yes.
  • Implement VRFs with distributed routers in overlay virtual networks.
  • Do your data center switches support MPLS at reasonable cost/performance point? Answer. No.
  • Use VXLAN (and change gear if it doesn’t support VXLAN).
  • Do you really want to deal with the complexities of MPLS and the complexities of EVPN? Yes. No.
  • Use MPLS with L3VPN or EVPN control plane.
  • Use EVPN over VXLAN.
  • Do you plan to do layer-3 encryption (IPsec)? Yes. No.
  • You would need MPLS-over-GRE-over-IPsec, in which case VXLAN-over-IPsec might be better (assuming you can get it on your WAN gear).
  • Use MPLS. It has way lower encapsulation overhead than anything.
