Any Transport Over MPLS (AToM)

Hello Ananth

Pseudowire in general is a feature that allows you to create a Layer 2 connection between two remote devices, over a Layer 3 infrastructure. An example of where pseudowire is applied is in the L2TPv3 protocol. More about L2TPv3 can be found at this lesson:

Within the context of MPLS however, pseudowire is used to provide end-to-end services across an MPLS network. More about what these are and how they can be implemented can be found here:

I hope this has been helpful!


Hi Laz,

Here the tunnel is nothing but the LSP path, which is from PE1 to PE2. Is that correct? Is the tunnel specific to one service provider, and will the pseudowire inside that tunnel provide for different customers?

Can you explain the use case for where the tunnel is used and how the PW is used?

Hello Ananth

Yes, that is correct, only an LSP path is created between PE1 and PE2. However, notice that this path is essentially bound to the FastEthernet 0/0 physical interface of the PE router. So this essentially creates a Layer 2 tunnel between the devices connected to the FastEthernet 0/0 physical interfaces on PE1 and PE2 over the existing MPLS network.

The industry term for this is pseudowire, while Cisco calls it AToM. So the LDP path is itself pseudowire.

Now if you have multiple customers connected to a PE, such a configuration requires that each customer connects to a physical interface of the PE router.

Pseudowires can be used to deliver two types of services:

  • Virtual Private LAN Service (VPLS) - VPLS emulates a LAN over an MPLS network, so different sites share the Ethernet broadcast domain. An MPLS tunnel is set up between every pair of PEs (full-mesh).
  • Virtual Private Wire Service (VPWS) - VPWS is an L2 point-to-point service provisioned by Layer 2 VPN, which delivers the virtual equivalent of a leased line. Any Transport Over MPLS (AToM) is Cisco’s implementation of VPWS for IP/MPLS networks, which is what we saw in this lesson.

I hope this has been helpful!


Hi Rene,

Could you please let me know where actually we go for MPLS L2 VPN? What was the previous problem, and how is it solved via MPLS L2 VPN?

Hello Ananth

I’m not sure what you mean when you say “where actually we go for MPLS L2 VPN”. Can you clarify?

As for what problem MPLS L2 VPN solves, there are times when you may have a single subnet, and you want that subnet to span two remote locations. If you are using MPLS to interconnect multiple remote sites, then you can use MPLS L2 VPN to create a single subnet that spans two remote sites, as shown in the lesson.

Such a scenario is useful if you want to migrate people from one area to another without changing their IP addresses, and may also be useful for specific applications.

If I have not fully addressed your questions, please let me know and I’ll revisit them more thoroughly.

I hope this has been helpful!


Hello Dear,

Just have one question: on a router’s interfaces we can add l2transport on the interface as follows, without defining any encapsulation. My question is, how does that affect the interface in the router? Is it access or trunk, or can any L2 frame cross the router?


Hello Ahmedlmad

When you configure L2 transport on a router’s interface, you enable the interface to carry Layer 2 traffic between two devices directly connected to it, similar to a switch. Essentially, the router behaves as a bridge with the specified interface.

As the encapsulation is not defined, the interface will accept any frame received at the Layer 2 level. This means that the router will forward any received Layer 2 frames across the interface, regardless of their encapsulation type (such as Ethernet, IEEE 802.1Q, or others).

Keep in mind that in order to use such a configured port with features such as MPLS, Metro Ethernet, and others, you may need to configure encapsulation options as well, depending on the specific traffic-handling requirements in each case.

I hope this has been helpful!



Can I use IPsec over a GRE (Generic Routing Encapsulation) tunnel to encrypt traffic between PE1 and PE2 in this scenario (AToM) MPLS?

Hello Ridhwan

Yes, you can use IPsec over a GRE tunnel to encrypt traffic between PE1 and PE2 in an AToM scenario.

GRE provides the framework to route other protocols over an IP network, but it does not provide any security measures. On the other hand, IPsec provides confidentiality, integrity, and authentication of data communications over an IP network.

By combining the two, you can route traffic between PE1 and PE2 using GRE and then secure that traffic using IPsec. This is a common setup in VPN configurations where you want to securely connect two distant networks over an untrusted medium like the internet.

Remember, the configuration can be complex and requires a good understanding of both protocols and your network. You would need to properly configure the IPsec encryption and GRE tunneling settings on both PE1 and PE2.

I hope this has been helpful!


Thank you, but can I implement an IPsec profile under an MPLS GRE tunnel?

For example:

Device> enable
Device# configure terminal
Device(config)# interface Tunnel 1
Device(config-if)# ip address
Device(config-if)# tunnel source
Device(config-if)# tunnel destination
Device(config-if)# ip ospf 1 area 0
Device(config-if)# mpls ip

And can I use GETVPN in this design?

Hello Ridhwan

Yes, you can implement an IPsec profile under an MPLS GRE tunnel. The configuration you provided is for a GRE tunnel over MPLS. Now, to secure this tunnel, you can apply IPsec.

Here’s a brief example:

Device(config)# crypto isakmp policy 1
Device(config-isakmp)# encryption aes 256
Device(config-isakmp)# hash sha
Device(config-isakmp)# authentication pre-share
Device(config-isakmp)# group 14
Device(config-isakmp)# lifetime 86400

Device(config)# crypto isakmp key cisco123 address

Device(config)# crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac
Device(cfg-crypto-trans)# mode transport

Device(config)# crypto ipsec profile MYPROFILE
Device(ipsec-profile)# set transform-set MYSET

Device(config)# interface Tunnel1
Device(config-if)# tunnel protection ipsec profile MYPROFILE

This will encrypt the GRE tunnel with IPsec. Try it out and let us know how you get along. If you run into any difficulties, share them with us so we can help you troubleshoot.

As for GETVPN, it’s designed for IP networks, so it can be used over any transport that can forward IP, including MPLS. However, GETVPN works best in environments where there is direct IP connectivity between all sites. If the MPLS network is a managed service from a provider, you may want to consider other VPN technologies that are designed to work better in such environments, such as DMVPN or FlexVPN.

I hope this has been helpful!
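
An added example (not part of the original posts, and not Cisco tooling): a small Python check over running-config style text that confirms every tunnel interface with `mpls ip` also carries `tunnel protection ipsec profile`, and that the profile resolves to a defined transform-set. The function names, the Tunnel2 interface and the 192.0.2.x addresses are assumptions constructed for the example.

```python
# Constructed sample (documentation addresses); Tunnel2 deliberately lacks "tunnel protection".
SAMPLE_CONFIG = """\
crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile MYPROFILE
 set transform-set MYSET
interface Tunnel1
 tunnel source 192.0.2.1
 tunnel destination 192.0.2.2
 mpls ip
 tunnel protection ipsec profile MYPROFILE
interface Tunnel2
 tunnel source 192.0.2.1
 tunnel destination 192.0.2.6
 mpls ip
"""

def parse_sections(config):
    """Group indented sub-commands under their top-level IOS command."""
    sections, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if not line[0].isspace():
            current = sections.setdefault(line.strip(), [])
        elif current is not None:
            current.append(line.strip())
    return sections

def audit_tunnels(config):
    """Return (interface, finding) for MPLS tunnels without resolvable IPsec."""
    sections = parse_sections(config)
    tsets = {h.split()[3] for h in sections if h.startswith("crypto ipsec transform-set ")}
    profiles = {h.split()[3]: b for h, b in sections.items() if h.startswith("crypto ipsec profile ")}
    findings = []
    for header, body in sections.items():
        if not header.startswith("interface Tunnel") or "mpls ip" not in body:
            continue
        name = header.split(None, 1)[1].replace(" ", "")
        prot = [l.split()[-1] for l in body if l.startswith("tunnel protection ipsec profile ")]
        prof = prot[0] if prot else None
        used = [l.split()[-1] for l in profiles.get(prof, []) if l.startswith("set transform-set ")]
        if not prot:
            findings.append((name, "mpls ip without tunnel protection"))
        elif prof not in profiles:
            findings.append((name, "undefined ipsec profile " + prof))
        elif not used or used[0] not in tsets:
            findings.append((name, "profile lacks a defined transform-set"))
    return findings
```

Feed it the saved configuration text from each PE; an empty list means every label-switching tunnel interface has an IPsec profile whose transform-set is actually defined.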


Is there going to be an MPLS QoS tutorial?
Can you tell me what I should fix in this config? (.txt file below the topology picture)

I got lost
Qos.txt (4.3 KB)

Hello Mehdi

For the time being we don’t have a lesson about MPLS QoS. However, you can go to the Member Ideas page and make your suggestion there:

You may find that others have made similar suggestions, and you can add your voice to theirs.

In the meantime, concerning your topology and your configs, it won’t be possible for us to go through and check those configs. However, if you tell us a little bit more about your topology, what you are attempting to achieve, and where you find that you are having problems, we may be able to help you further.

I hope this has been helpful!