Skip to main content

Distinctive features of L2 and L3 VPN communication channels

(Image credit: Image source: Shutterstock/violetkaipa)

The world entered the all-embracing computer revolution v3.0 in early 2000s when cloud-borne data storage and processing technologies came into existence. Whereas the previous “second revolution” had revolved around a massive shift towards the client-server paradigm back in 1980s, the “first” one had presumably come down to users starting to work simultaneously via separate terminals connected to what’s called “mainframes” in 1960s. 

All of these ground-breaking changes took place smoothly and inconspicuously for most users, but they definitely made themselves felt in the entire business world along with the information technologies.

When an IT infrastructure is migrating to cloud platforms and remote data centres, setting up correct communication channels from the client to these data centres becomes a crucial objective. You may come across service providers offering a dedicated line, fibre-optic communication, L2 channel, VPN, etc. Let’s try and figure out what actually underlies all of these offers.

Physical and virtual communication channels

1. A “physical line” or “layer 2 channel” means that there is a dedicated cable - copper or optical fibre - or a radio channel linking offices and the areas where data centres are located. In practice, by ordering this service you typically get a dedicated optical fibre channel for rent. The main thing on the plus side of this solution is that the service provider is responsible for stable connection, and they will restore the channel on their own in case the cable is damaged. The truth is, the cable is hardly ever solid all the way and typically consists of multiple linked fragments, which reduces its reliability to some extent. During the process, service providers have to leverage additional equipment, such as amplifiers and splitters, and there are usually modems at the end points.

Marketing-wise, this type of a solution isn’t necessarily an inalienable component of the L2 (Data-Link) level of the OSI or TCP/IP network model. It functions at the level of Ethernet frames commutation into LAN without taking care of some packet routing issues at the higher, network IP layer. For instance, customers can optionally continue to use so-called “private” IP addresses in their virtual networks rather than unique public ones. Considering the convenience of leveraging private IP addresses in local networks, the following ranges from the main network classes were allocated to users:

  • – in class A ( or /8 subnet mask);
  • – in class A (with or /10 subnet mask);
  • – in class B (with or /12 subnet mask);
  • – in class C (with or /16 subnet mask).

Customers choose these types of IP addresses for internal use only and therefore they may coincide with the ones utilised by numerous other client networks. This is why data packets with private IP addresses in the header are not routed on the Internet – otherwise, there would be a great deal of confusion. In order to go online beyond the local network, customers resort to NAT (network address translation) or some other similar solution.

There is an apparent shortcoming of using a dedicated channel, though. In case the customer moves to another location they may encounter serious hurdles establishing connection there, so they may have to switch to a different ISP.

Upon close inspection, the speculation that a channel like that is much more secure and better protected against cyber-attacks, as well as mistakes of poorly qualified IT staff, turns out to be a myth. In fact, security issues typically occur on the client side and involve the human factor.


2. Virtual channels and private VPN networks built on top of them are widespread and allow for solving most of a customer’s tasks. If a provider offers L2 VPN, it usually means the client can opt for one of the following layer 2 services:

VLAN – the customer gets a virtual network between their offices. In practice, the customer’s traffic streams through the provider’s active equipment, which may reduce the connection speed.

PWE3 (Pseudo Wire Emulation Edge-to-Edge) – this mechanism presumably provides the customer with a dedicated connection, supporting Ethernet frames transfer between two nodes as if they were directly linked by a cable. What clients typically find important about this technology is that all the submitted frames are delivered to a remote edge in unaltered form. The same holds true for the reverse process. This is possible due to the fact that a customer’s frame, having reached the provider’s router, gets encapsulated into a higher-level data block (MPLS packet) and then extracted at the terminal node.

For the record, MPLS stands for Multiprotocol Label Switching and denotes a data transfer technology where packets are assigned transport/service labels, and the network path of data packets transmission is based on the labels’ values regardless of the transfer environment and protocol being used.

VPLS is a technology for emulating a local network with multi-node connections. It makes the provider’s network appear to the client as a single switch storing a table of network devices’ MAC addresses. This virtual switch performs appropriate allocation of an Ethernet frame received from the client. To this end, the frame is encapsulated into an MPLS packet and then extracted.

Just a quick note: VPLS (Virtual Private LAN Service) is a mechanism that makes a client’s geographically scattered networks appear as if they were interlinked with virtual L2 connections.


3. In the L3 VPN deployment scenario, the provider’s network appears to the client like a single router with several interfaces. Therefore, the customer’s local network and the provider’s network merge at L3 layer of the OSI or TCP/IP network model.

The process of determining public IP addresses for network junction points can be coordinated with the service provider – they may either belong to the customer or be obtained from the provider. The customer configures the IP addresses at their equipment on both sides (private ones – on their local network side; and public ones – on the provider’s side). The provider is responsible for further routing of data packets. Technically, this type of a solution is implemented by means of MPLS (see above) as well as GRE and IPSec technologies.

Zooming in, GRE stands for Generic Routing Encapsulation and designates a protocol for tunnelling network packets that allows for establishing a logical connection between two endpoints by means of encapsulating protocols at the L3 network layer.

IPSec (IP Security) is a set protocols for securing data transferred via IP. It verifies the authenticity, encryption, and integrity of data packets.

It’s worth mentioning that contemporary network infrastructure is architected in such a way that the client only sees its part defined by the contract. The allocated resources, including virtual servers, routers, data, and backup repositories, as well as the running software and memory contents are entirely isolated from other users. 

A number of physical servers can be coordinated to work concurrently for one customer who will view them as a single powerful server pool. And vice versa, multiple virtual machines can be created on the same physical server, and each one will appear as if it were a standalone machine running an operating system. Besides regular solutions, providers can deliver custom ones that also meet the adopted requirements regarding client data processing and storage security.

With that said, the configuration of a layer 3 network deployed in the cloud allows for scaling to a pretty much-unlimited size. In fact, that’s how the Internet and major data centres are made. Dynamic routing protocols, such as OSPF, and others applicable to L3 cloud networks facilitate the process of finding shortcuts for routing data packets and make it possible to send packets concurrently over several paths in order to optimise the load and expand the bandwidth of channels.

Meanwhile, it’s also possible to deploy a virtual network at layer 2, which is a common thing for small data centres and customers’ obsolete, or specially crafted, applications. In some of these scenarios, a technology referred to as “L2 over L3” is applied for network compatibility and to make sure applications run smooth.

The bottom line

At this point, most customers’ requirements can be met by setting up virtual private networks using GRE and IPSec technologies to ensure proper security.

It’s not very reasonable to set L2 and L3 VPN communication channels against each other, nor does it make much sense to treat an L2 channel offer as the best solution imaginable for dependable communication within your network. The present-day communication channels and service providers’ equipment make it possible to handle enormous data volumes, while a lot of dedicated channels actually have a significant amount of spare capacity. L2 is only appropriate on special occasions to address specific tasks – in that case, you should take the restrictions for further network scaling into account and resort to expert advice. L3 VPN networks are more flexible and easier to operate.

This overview briefly covers today’s common solutions used to move a local IT infrastructure to remote data centres. Each one has a user base as well as pros and cons of its own. Choosing the right solution is a matter of considering the goals it’s supposed to accomplish.

In practice, both the L2 and L3 channels function in tandem, each one of them fulfilling its own task. Therefore, ads by service providers that clearly delimit these technologies are foul play to a certain extent.

Alex Smith, IT Security Expert at
Image source: Shutterstock/violetkaipa