352-001 · Question #81
Senior management wants you to evaluate the risks to your network of offering VPWS, VPLS, GRE, or other tunneling services to your fiber-connected client base. Clients indicate that they prefer to use
The correct answer is A. VPWS E. QinQ. VPWS and QinQ both support Layer 2 switch CEs while maintaining clear separation between provider and customer networks with minimal risk to the provider core.
Question
Senior management wants you to evaluate the risks to your network of offering VPWS, VPLS, GRE, or other tunneling services to your fiber-connected client base. Clients indicate that they prefer to use Layer 2 switches as CEs. Which two tunneling services expose your network to minimal risk and meet the clients' needs, including separation between providers and customer networks? (Choose two.)
Options
- AVPWS
- B802.1Q
- CGRE
- DVPLS
- EQinQ
How the community answered
(44 responses)- A59% (26)
- B23% (10)
- C11% (5)
- D7% (3)
Why each option
VPWS and QinQ both support Layer 2 switch CEs while maintaining clear separation between provider and customer networks with minimal risk to the provider core.
VPWS (Virtual Private Wire Service) uses MPLS pseudowires to create point-to-point Layer 2 connections, keeping customer traffic fully encapsulated within the provider MPLS core and away from provider infrastructure. It natively supports Layer 2 switch CEs and provides strong provider-customer separation, meaning a customer broadcast storm or STP event cannot propagate into the provider network.
Standard 802.1Q uses a single shared VLAN namespace between provider and customer, creating risk of VLAN ID conflicts and insufficient isolation between provider and customer networks.
GRE is a Layer 3 tunneling protocol that requires routers as CEs, directly conflicting with the client requirement to use Layer 2 switches as customer edge devices.
VPLS is an MPLS-based multipoint Layer 2 service, but it floods customer broadcast and unknown unicast traffic across all pseudowires and exposes the provider core to customer Spanning Tree BPDUs, creating higher risk than VPWS.
QinQ (802.1ad) double-tagging encapsulates customer 802.1Q frames within an outer provider VLAN tag, completely separating customer and provider VLAN namespaces. This requires no changes to customer Layer 2 switches acting as CEs and limits provider exposure because customer frames are opaque to the provider switching domain.
Concept tested: Layer 2 VPN tunneling risk and CE device compatibility
Source: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mp_l2_vpns/configuration/xe-16/mp-l2-vpns-xe-16-book/mp-vpws.html
Topics
Community Discussion
No community discussion yet for this question.