L2 and L3 VPN channels – the differences between physical and virtual channels of different levels

L2 and L3 VPN channels


Nowadays it is funny to recall how anxiously people awaited an apocalypse in 2000. It did not happen then; however, another important event did take place.


Historically, this was when the world entered a true "version 3.0" computer revolution: the time when distributed storage and data processing based on cloud computing were conceived. The "version 2" revolution was the mass adoption of the client-server architecture in the 1980s, while the first one was when users started working simultaneously on separate terminals connected to so-called mainframes (1960s). These dramatic changes were almost invisible to users; however, they had a huge impact on business and IT.


When moving an IT infrastructure to a cloud platform and remote data centers, a key question is how to set up reliable channels from the client to the data centers. Many vendors advertise that they provide "a physical dedicated channel, fiber optics", "an L2 channel", "a VPN", and so on. Let us have a look at what this really means.

Channels – physical and virtual ones

1. L2

Setting up a "physical line" or a "layer 2 channel, L2" commonly refers to a service where a provider offers either a dedicated cable (copper or fiber optics) or a radio channel between the client's offices and the premises where the data center hardware is deployed. When you opt for this service, what you typically get is a dedicated fiber-optic channel for rent. The benefit of such a solution is that the provider is responsible for connection reliability (and, if the cable is broken, the provider has to restore it). In reality, a cable is never a single unbroken run: it consists of multiple segments spliced (welded) together, which makes it slightly less reliable. Along the cable route the provider needs amplifiers and splitters, and modems are connected to the cable at the end points.


Marketing materials loosely place this type of solution at L2 (the Data Link layer) of the OSI or TCP/IP network model: it operates at the level of switching Ethernet frames within the LAN, without much regard for packet routing at the IP network layer. For example, you can keep using your own so-called "private" IP addresses in the client's virtual networks instead of registered, globally unique public addresses. Since private IP addresses are very convenient in local networks, special ranges from the basic address classes were set aside for this purpose:

  • 10.0.0.0 – 10.255.255.255 in class A (255.0.0.0 or /8 mask);
  • 100.64.0.0 – 100.127.255.255 in class A (255.192.0.0 or /10 mask);
  • 172.16.0.0 – 172.31.255.255 in class B (255.240.0.0 or /12 mask);
  • 192.168.0.0 – 192.168.255.255 in class C (255.255.0.0 or /16 mask).


Users pick such addresses on their own "for internal use", so the same addresses are reused in thousands of client networks; that is why packets carrying private addresses in their headers are not routed on the Internet, which would otherwise cause chaos. To connect to the Internet, a user has to use NAT (or a similar solution).


Note: NAT – Network Address Translation, a method of remapping one IP address space into another by modifying the network address information in the IP headers of transit packets, so that packets can be routed from the client's local network to other networks or the Internet and, in the reverse direction, back into the client's LAN to the intended recipient.
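The two ideas above, addresses that must never cross the Internet border and the NAT gateway that rewrites them, can be shown in a few lines. The following is an added example written for this article, not code from the author or from any provider: it checks addresses against the four ranges listed above (100.64.0.0/10 is the RFC 6598 shared address space reserved for carrier-grade NAT rather than an RFC 1918 range, but it is equally non-routable on the Internet), makes the forwarding decision a border router should make, and simulates a minimal port-based NAT table. The gateway address 203.0.113.10 and the remote host 198.51.100.7 are constructed values from the documentation ranges.

```python
import ipaddress
from dataclasses import dataclass, field

# The four ranges listed in the article. 100.64.0.0/10 is the RFC 6598 "shared
# address space" reserved for carrier-grade NAT rather than an RFC 1918 range,
# but like the other three it must not appear in packets routed on the Internet.
NON_ROUTABLE = ["10.0.0.0/8", "100.64.0.0/10", "172.16.0.0/12", "192.168.0.0/16"]
_NETS = [ipaddress.ip_network(n) for n in NON_ROUTABLE]


def classify(addr: str):
    """Return the reserved range containing addr, or None if it is publicly routable."""
    ip = ipaddress.ip_address(addr)
    for net in _NETS:
        if ip in net:
            return str(net)
    return None


def border_filter(src: str, dst: str) -> bool:
    """Forwarding decision of an Internet-facing border router: True means forward,
    False means drop, because a private/shared address appears in the header."""
    return classify(src) is None and classify(dst) is None


@dataclass
class SourceNat:
    """Minimal NAPT gateway: rewrites (private ip, port) to (public ip, port) on the
    way out and reverses the mapping on the way back, as the NAT note describes."""
    public_ip: str                                   # the gateway's one routable address
    next_port: int = 40000
    table: dict = field(default_factory=dict)        # (priv_ip, priv_port) -> pub_port
    reverse: dict = field(default_factory=dict)      # pub_port -> (priv_ip, priv_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate an outgoing packet's source; reuse an existing mapping if present."""
        key = (src_ip, src_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        return (self.public_ip, self.table[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a returning packet's destination back to the private host.
        Packets with no matching state are dropped (None)."""
        if dst_ip != self.public_ip or dst_port not in self.reverse:
            return None
        priv_ip, priv_port = self.reverse[dst_port]
        return (src_ip, src_port, priv_ip, priv_port)


if __name__ == "__main__":
    # Constructed addresses: 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
    nat = SourceNat(public_ip="203.0.113.10")
    out = nat.outbound("192.168.1.5", 51000, "198.51.100.7", 443)
    print("outbound after NAT:", out, "forwardable:", border_filter(out[0], out[2]))
    print("inbound reply:", nat.inbound("198.51.100.7", 443, out[0], out[1]))
    print("raw private packet forwardable:", border_filter("192.168.1.5", "198.51.100.7"))
```

The `inbound` path is the part worth noticing from a security angle: a packet from the Internet is only translated back into the LAN when the gateway holds matching state, so hosts with private addresses are unreachable unless they initiated the exchange.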


This dedicated channel approach has an obvious disadvantage: if a client moves to another office, there may be connectivity issues at the new location, and the client may have to switch to another provider.


Any claims that such channels are more secure against hackers, or less vulnerable when a technician makes a mistake, have nothing to back them up. Our experience shows that security problems typically arise (or are introduced deliberately by an attacker) on the client's side and involve the human factor.

2. L2 VPN (Virtual Private Network)

Virtual channels and the VPNs (Virtual Private Networks) built on them are very popular and address multiple challenges faced by clients.


When a company provides an "L2 VPN", there are a number of "layer 2, L2" services to choose from:

VLAN – the client gets a virtual network between their offices (in reality, the client's traffic is handled by the provider's active equipment, which limits the speed);


PWE3, a point-to-point connection (in other words, an emulation of a point-to-point link over a packet-switched network), transfers Ethernet frames between two nodes as if they were wired directly to each other. What matters for the client is that every transferred frame is delivered to the remote node unaltered, in both directions. This works because when the client's frame reaches the provider's router it is encapsulated into (wrapped in) an upper-level data unit, an MPLS packet, and extracted again at the end point;


Note: PWE3 – Pseudo-Wire Emulation Edge to Edge, a mechanism that, from the user's standpoint, provides a dedicated connection.


MPLS – MultiProtocol Label Switching, a data-carrying technique where data are forwarded from one network node to the next based on short path labels rather than long network addresses, regardless of the transmission medium and of the protocol being carried. Along the path, new labels can be added where necessary or removed once they have served their purpose. The content of the packets is neither inspected nor changed.


VPLS – a technology that emulates a local network with multipoint-to-multipoint connections. In this case, from the client's standpoint, the provider's network looks like a switch holding a table of the network devices' MAC addresses. This virtual "switch" directs an Ethernet frame coming from the client's network to the right destination, which again means that the frame is encapsulated into an MPLS packet and later extracted.


Note: VPLS – Virtual Private LAN Service, a mechanism where, from the client's standpoint, their geographically distributed networks are connected by virtual L2 channels.


MAC – Media Access Control, a unique 6-byte identifier of a network device (or of its interfaces) on an Ethernet network.
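To make the PWE3 and VPLS descriptions concrete, here is an added example (written for this article; it is not code from the author or from any vendor) that builds the MPLS shim header as defined in RFC 3032, pushes a pseudowire label and a tunnel label onto an Ethernet frame the way a provider edge does, pops them at the far end and checks that the frame comes back byte-for-byte identical, and then models one provider edge's view of a VPLS as a MAC-learning switch whose "ports" are pseudowires. The label values, MAC addresses and PE names are constructed; MPLS on real equipment is of course not done in Python.

```python
import struct


def mpls_push(payload: bytes, label: int, bottom: bool, ttl: int = 64, tc: int = 0) -> bytes:
    """Prepend one MPLS shim header (RFC 3032): 20-bit label, 3-bit traffic class,
    1-bit bottom-of-stack flag, 8-bit TTL. The payload bytes are copied untouched."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label must fit in 20 bits")
    shim = (label << 12) | (tc << 9) | (int(bottom) << 8) | (ttl & 0xFF)
    return struct.pack(">I", shim) + payload


def mpls_pop(packet: bytes):
    """Strip the top shim header; returns (label, tc, bottom, ttl, remaining bytes)."""
    (shim,) = struct.unpack(">I", packet[:4])
    return shim >> 12, (shim >> 9) & 0x7, bool((shim >> 8) & 1), shim & 0xFF, packet[4:]


def eth_frame(dst: bytes, src: bytes, payload: bytes, ethertype: int = 0x0800) -> bytes:
    """Build a minimal Ethernet II frame (no FCS)."""
    return dst + src + struct.pack(">H", ethertype) + payload


def pwe3_ingress(frame: bytes, pw_label: int, tunnel_label: int) -> bytes:
    """Provider edge ingress: the inner pseudowire label (bottom of stack) identifies the
    emulated wire, the outer tunnel label carries the packet across the MPLS core."""
    return mpls_push(mpls_push(frame, pw_label, bottom=True), tunnel_label, bottom=False)


def pwe3_egress(packet: bytes):
    """Provider edge egress: pop both labels and hand back the original frame."""
    _tunnel, _, bottom, _, rest = mpls_pop(packet)
    if bottom:
        raise ValueError("expected a tunnel label above the pseudowire label")
    pw, _, bottom, _, frame = mpls_pop(rest)
    if not bottom:
        raise ValueError("pseudowire label must be bottom of stack")
    return pw, frame


class VplsInstance:
    """One provider edge's view of a VPLS: a learning 'switch' whose ports are
    pseudowires to the other provider edges serving the same client."""

    def __init__(self, pe_name: str, peers: dict):
        self.pe_name = pe_name
        self.peers = peers          # peer PE name -> (pw_label, tunnel_label) used towards it
        self.mac_table = {}         # MAC -> "local" (attached site) or a peer PE name

    def from_local_site(self, frame: bytes):
        """Frame arriving from the attached client site. Returns [(peer, mpls packet), ...]."""
        dst, src = frame[:6], frame[6:12]
        self.mac_table[src] = "local"                         # learn the sender's location
        where = self.mac_table.get(dst)
        if where == "local":
            return []                                         # stays inside the site, never enters the core
        targets = [where] if where else list(self.peers)      # known peer, else flood (unknown/broadcast)
        return [(peer, pwe3_ingress(frame, *self.peers[peer])) for peer in targets]

    def from_core(self, peer: str, packet: bytes) -> bytes:
        """Packet arriving over a pseudowire from another PE: learn, then deliver locally.
        Split horizon: a frame from one pseudowire is never re-flooded to the others."""
        _pw, frame = pwe3_egress(packet)
        self.mac_table[frame[6:12]] = peer
        return frame


if __name__ == "__main__":
    # Constructed topology: PE1 and PE2 serve two sites of the same client.
    a, b = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    pe1 = VplsInstance("PE1", {"PE2": (100, 3001), "PE3": (101, 3002)})
    pe2 = VplsInstance("PE2", {"PE1": (200, 3003), "PE3": (201, 3004)})
    broadcast = eth_frame(b"\xff" * 6, a, b"who has 192.168.1.9?")
    for peer, pkt in pe1.from_local_site(broadcast):          # unknown destination: flooded
        print("PE1 ->", peer, "tunnel label", mpls_pop(pkt)[0], "bytes", len(pkt))
    delivered = pe2.from_core("PE1", pe1.from_local_site(broadcast)[0][1])
    print("frame unchanged across the core:", delivered == broadcast)
    print("PE2 learned", a.hex(), "behind", pe2.mac_table[a])
    print("reply goes to:", [peer for peer, _ in pe2.from_local_site(eth_frame(a, b, b"192.168.1.9 is at b"))])
```

Two things the model makes visible: the client frame, including its private IP payload, travels through the core untouched, exactly as the MPLS note states; and the provider's "switch" learns MAC addresses from traffic, which is why a VPLS domain inherits the same MAC-table behaviour (flooding of unknown destinations, MAC learning from whatever the sites send) as a physical LAN and deserves the same hygiene at the client edge.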


3. L3 VPN

When an "L3 VPN" is deployed, the client sees the provider's network as a single router with multiple interfaces. That is why the client's local network meets the provider's network at L3 (the network layer) of the OSI or TCP/IP model.


The public IP addresses at the points where the networks join can be agreed with the provider (and may belong either to the client or to the provider). The client configures the IP addresses on their routers on both sides (private ones towards the local network and public ones towards the provider), and the provider takes care of routing the data packets. From a technology perspective, this solution uses MPLS (see above) together with GRE and IPSec.


Note: GRE – Generic Routing Encapsulation, a tunneling protocol for packaging network packets that establishes a secure logical point-to-point connection by encapsulating protocols at L3.


IPSec – IP Security, a network security protocol suite that protects data transferred over IP using packet authentication, encryption and integrity-check mechanisms.
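The GRE side of this pairing is simple enough to write out. The following added example (written for this article, not code from the author or any provider) builds a GRE packet as specified in RFC 2784: an outer IPv4 header with protocol 47 and a correct header checksum, the 4-byte base GRE header, and the inner packet. It encapsulates both an IPv4 packet between two private sites (the L3 VPN case, protocol type 0x0800) and a raw Ethernet frame (protocol type 0x6558, Transparent Ethernet Bridging, which is one standard way to carry "L2 over L3"). The tunnel endpoints 198.51.100.1 and 203.0.113.1 and the inner addresses are constructed values. Note what `gre_decap` does not need: a key. GRE on its own makes the private packet readable to anyone on the path between the two endpoints, which is why the article pairs it with IPSec for confidentiality and integrity.

```python
import socket
import struct

GRE_PROTO = 47          # IP protocol number for GRE
ETH_P_IP = 0x0800       # inner payload is an IPv4 packet: the L3 VPN case
ETH_P_TEB = 0x6558      # Transparent Ethernet Bridging: inner payload is a whole Ethernet frame ("L2 over L3")
IPV4_HDR = ">BBHHHBBH4s4s"


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(">%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64, ident: int = 0) -> bytes:
    """20-byte IPv4 header with DF set and the checksum filled in."""
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + payload_len, ident, 0x4000, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack(">H", ipv4_checksum(hdr)) + hdr[12:]


def gre_encap(inner: bytes, proto_type: int, outer_src: str, outer_dst: str, ttl: int = 64) -> bytes:
    """Wrap inner bytes in a base GRE header (RFC 2784, no optional fields) and an outer IPv4 header."""
    gre = struct.pack(">HH", 0x0000, proto_type)      # C=0, reserved, version 0; then protocol type
    return ipv4_header(outer_src, outer_dst, GRE_PROTO, len(gre) + len(inner), ttl) + gre + inner


def gre_decap(packet: bytes):
    """Undo gre_encap: validate the outer header and return (src, dst, proto_type, inner).
    No key or secret is involved: anything on the path can do this."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(IPV4_HDR, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != GRE_PROTO:
        raise ValueError("not a GRE-over-IPv4 packet")
    if ipv4_checksum(packet[:ihl]) != 0:               # a valid header sums to zero
        raise ValueError("bad outer IPv4 checksum")
    flags_ver, proto_type = struct.unpack(">HH", packet[ihl:ihl + 4])
    if flags_ver != 0:
        raise ValueError("optional GRE fields (checksum/key/sequence) not handled here")
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), proto_type, packet[ihl + 4:total_len]


def sample_site_packet() -> bytes:
    """Constructed inner IPv4 packet (protocol 17) between hosts in two private sites."""
    payload = b"hello"
    return ipv4_header("192.168.1.5", "192.168.2.9", 17, len(payload), ident=1) + payload


if __name__ == "__main__":
    inner = sample_site_packet()
    wire = gre_encap(inner, ETH_P_IP, "198.51.100.1", "203.0.113.1")
    print("outer src/dst, type, inner recovered unchanged:",
          gre_decap(wire)[:3], gre_decap(wire)[3] == inner)
    frame = b"\xff" * 6 + bytes.fromhex("020000000001") + b"\x08\x06" + b"\x00" * 28
    print("L2 over L3 type:", hex(gre_decap(gre_encap(frame, ETH_P_TEB, "198.51.100.1", "203.0.113.1"))[2]))
```

The outer header is what the provider's routers and the Internet see: public endpoints only, so the private 192.168.x.x addresses inside never have to be routable. The checksum check catches accidental corruption but is not an integrity mechanism; anyone who can modify the packet can recompute it, and that gap is what IPSec's authentication covers.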


It is important to note that modern network infrastructure is designed so that a client sees only the part of it stipulated in the agreement. Dedicated resources (virtual servers, routers, operational data and backup storage), together with the running programs and memory contents, are completely isolated from other users. Multiple physical servers can work simultaneously and consistently for one client, who sees them as a single powerful pool of servers. The reverse also holds: one physical server can host multiple virtual machines, each of which behaves like a separate computer with its own operating system for its particular user. Custom solutions are also available that meet a client's specific requirements for secure data processing and storage.


In addition, the configuration of an L3 cloud network can be scaled to almost any size (which is how the Internet and large data centers are built). Dynamic routing protocols such as OSPF, operating in the L3 cloud network, choose the shortest routes for data packets and can send packets along multiple routes simultaneously to balance the load and extend the capacity of the channels.
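The routing behaviour just described is worth seeing in working form. This added example (written for this article, not code from the author, nor an OSPF implementation) runs Dijkstra's algorithm, the shortest-path computation OSPF performs on its link-state database, over a constructed five-router topology, keeps every predecessor on equal-cost paths rather than just one, derives the set of equal-cost next hops, and then chooses one of them per flow with a hash of the 5-tuple, which is how equal-cost multipath spreads load without reordering the packets of a single connection. Router names and link costs are constructed.

```python
import hashlib
import heapq
from collections import defaultdict


def add_link(graph: dict, a: str, b: str, cost: int) -> None:
    """Add a bidirectional link with the same cost in both directions."""
    graph.setdefault(a, {})[b] = cost
    graph.setdefault(b, {})[a] = cost


def shortest_paths(graph: dict, source: str):
    """Dijkstra over link costs, the algorithm OSPF runs on its link-state database.
    Returns (cost to each node, predecessors of each node on ALL equal-cost shortest paths)."""
    dist = {source: 0}
    preds = defaultdict(set)
    heap = [(0, source)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue                          # stale heap entry
        for v, cost in graph.get(u, {}).items():
            nd = d + cost
            if v not in dist or nd < dist[v]:
                dist[v] = nd
                preds[v] = {u}
                heapq.heappush(heap, (nd, v))
            elif nd == dist[v]:
                preds[v].add(u)               # another path of equal cost
    return dist, dict(preds)


def ecmp_next_hops(graph: dict, source: str, target: str) -> set:
    """All neighbours of source that lie on some equal-cost shortest path to target."""
    dist, preds = shortest_paths(graph, source)
    if target not in dist or target == source:
        return set()
    hops, stack, seen = set(), [target], set()
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        for p in preds.get(n, ()):
            if p == source:
                hops.add(n)                   # n is directly attached to source
            else:
                stack.append(p)
    return hops


def pick_next_hop(hops: set, flow: tuple) -> str:
    """Per-flow hashing: every packet of one flow (5-tuple) takes the same path, so
    load is spread across equal-cost routes without reordering a single flow."""
    digest = hashlib.sha256(repr(flow).encode()).digest()
    ordered = sorted(hops)
    return ordered[int.from_bytes(digest[:8], "big") % len(ordered)]


def sample_topology() -> dict:
    """Constructed five-router topology: two equal-cost paths R1-R2-R4 and R1-R3-R4,
    a more expensive direct link R1-R4, and R5 hanging off R4."""
    g = {}
    add_link(g, "R1", "R2", 10)
    add_link(g, "R1", "R3", 10)
    add_link(g, "R2", "R4", 10)
    add_link(g, "R3", "R4", 10)
    add_link(g, "R1", "R4", 30)
    add_link(g, "R4", "R5", 5)
    return g


if __name__ == "__main__":
    g = sample_topology()
    dist, _ = shortest_paths(g, "R1")
    hops = ecmp_next_hops(g, "R1", "R5")
    print("cost R1->R5:", dist["R5"], "equal-cost next hops:", sorted(hops))
    flow = ("192.168.1.5", "192.168.2.9", 17, 51000, 53)     # constructed 5-tuple
    print("this flow is pinned to:", pick_next_hop(hops, flow))
```

If one of the two parallel links fails, rerunning `shortest_paths` on the updated graph yields a single next hop with the same cost computation; that is the reconvergence the article credits to dynamic routing, here reduced to its core.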


Meanwhile, a virtual network can also be deployed at L2, which is typical for small data centers and for legacy (or very specific) client applications. In some cases an "L2 over L3" technique is used to provide network compatibility and keep such applications running.

Summary

As of now, users and clients can solve their problems by setting up virtual private networks using GRE and IPSec, which provide the security.


It does not really make sense to set L2 against L3, nor to consider an L2 channel offer the best solution for your network communication; it is not a "one-size-fits-all". Modern communication channels and the hardware used by providers can handle large volumes of information, and many dedicated channels rented by users are, in fact, underloaded. L2 should be used only on particular occasions for specific tasks, taking into account how the network may need to scale in the future and after consulting an expert. On the other hand, all other things being equal, L3 VPNs are more versatile and easier to operate.


This review lists the modern standard solutions used when relocating a local IT infrastructure to remote data centers. Each has its own pros and cons and its own clientele, and when choosing the right solution you should focus on the particular task at hand.


In reality, L2 and L3 of the network model work together, each covering its own duties, which means that providers who try to set these layers against each other are playing a double game.



Author: Stanislav Komukhaev
