Communication channels L2 and L3 VPN - Differences between physical and virtual channels at different levels



    I recall with a wry smile how humanity anxiously awaited the end of the world in 2000. That did not happen, but another event, a very significant one, did.

    Historically, that was when the world entered the real computer revolution v. 3.0: the start of cloud technology for distributed storage and processing of data. If the previous “second revolution” was the mass transition to client-server technologies in the 80s, then the first can be considered the beginning of simultaneous multi-user work on separate terminals connected to so-called “mainframes” (in the 60s of the last century). These revolutionary changes took place quietly and invisibly to users, but they affected the entire world of business along with information technology.

    When IT infrastructure is moved to cloud platforms and remote data centers, the key issue is immediately how to organize reliable communication channels from the client to the data center. Providers typically offer a “physical leased line, fiber”, an “L2 channel”, a “VPN” and so on... Let's try to figure out what stands behind these offers in practice.

    Communication channels - physical and virtual




    1. A “physical line” or “second-level (L2) channel” is the provider's service of providing a dedicated cable (copper or fiber), or a radio link, between the client's offices and the sites where the data center equipment is deployed. In practice, ordering this service will most likely get you a dedicated fiber-optic channel for rent. The solution is attractive because the provider is responsible for reliable communication (and if the cable is damaged, the provider restores the channel on its own). However, in real life the cable is not one continuous run: it consists of many fragments spliced (welded) together, which somewhat reduces its reliability. Along the route of the fiber-optic cable the provider has to use amplifiers and splitters, and modems at the end points.

    In marketing materials this solution is loosely referred to as the L2 (Data-Link) layer of the OSI or TCP/IP network model: it lets you work as if at the level of Ethernet frame switching in a LAN, without worrying about the many packet-routing problems of the next layer, the IP network layer. For example, you can keep using so-called “private” IP addresses in the client's virtual networks instead of registered, globally unique public addresses. Because private IP addresses are so convenient in local networks, special ranges were allocated to users from the main address classes:

    • 10.0.0.0 - 10.255.255.255 in class A (with a mask of 255.0.0.0, or /8 in the alternative notation for a mask);
    • 100.64.0.0 - 100.127.255.255 in class A (mask 255.192.0.0, or /10);
    • 172.16.0.0 - 172.31.255.255 in class B (mask 255.240.0.0, or /12);
    • 192.168.0.0 - 192.168.255.255 in class C (mask 255.255.0.0, or /16).

    Users pick such addresses themselves for “internal use”, and the same addresses may be in use in thousands of client networks at once; therefore packets carrying private addresses in their headers are not routed on the Internet, to avoid confusion. To reach the Internet, the client has to use NAT (or another solution) on its side.
    Note: NAT - Network Address Translation (a mechanism for rewriting the network addresses of transit packets in TCP/IP networks; it is used to route packets from the client's local network to other networks or the Internet and, in the opposite direction, inside the client's LAN to the destination host).
    This approach (we are talking about a dedicated channel) has an obvious drawback: if the client's office moves, there may be serious difficulties connecting the new location, and the provider may have to be changed.
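The address ranges and the NAT rule above can be checked mechanically. The following Python script is an added example, not code from the article: it converts the dotted masks the article lists into /N prefix lengths (rejecting non-contiguous masks), classifies an address against those four ranges, and decides whether a packet leaving the LAN needs its source rewritten by NAT. The table of ranges and the sample addresses are constructed for this example; 203.0.113.5 comes from the documentation range TEST-NET-3.

```python
import ipaddress

# The four ranges exactly as the article lists them, in (network, dotted mask, class) form.
# Constructed table for this example.
NON_ROUTABLE_RANGES = [
    ("10.0.0.0", "255.0.0.0", "A"),
    ("100.64.0.0", "255.192.0.0", "A"),
    ("172.16.0.0", "255.240.0.0", "B"),
    ("192.168.0.0", "255.255.0.0", "C"),
]


def mask_to_prefix(mask: str) -> int:
    """Convert a dotted-decimal mask (255.240.0.0) to its /N prefix length (12).

    A valid mask is a run of 1 bits followed by 0 bits; a mask such as
    255.0.255.0 has the right number of ones but is not contiguous, so reject it.
    """
    bits = int(ipaddress.IPv4Address(mask))
    prefix = bin(bits).count("1")
    rebuilt = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    if rebuilt != bits:
        raise ValueError(f"non-contiguous mask: {mask}")
    return prefix


def to_cidr(network: str, mask: str) -> ipaddress.IPv4Network:
    """Combine a network address and a dotted mask into a CIDR network object."""
    return ipaddress.IPv4Network(f"{network}/{mask_to_prefix(mask)}")


RANGES = [(to_cidr(net, mask), cls) for net, mask, cls in NON_ROUTABLE_RANGES]


def classify(addr: str):
    """Return ("<cidr>", "<class>") when addr falls in one of the listed ranges, else None.

    None means the address is expected to be routable on the public Internet.
    """
    ip = ipaddress.IPv4Address(addr)
    for net, cls in RANGES:
        if ip in net:
            return str(net), cls
    return None


def needs_nat(src: str, dst: str) -> bool:
    """True when a packet from src to dst must have its source rewritten by NAT before
    leaving the LAN: a private source heading to a public destination would otherwise
    be dropped on the Internet, since the reply could never be routed back."""
    return classify(src) is not None and classify(dst) is None


if __name__ == "__main__":
    # Constructed sample addresses; 203.0.113.5 is from the documentation range TEST-NET-3.
    for src, dst in [("192.168.1.10", "203.0.113.5"), ("192.168.1.10", "172.20.0.7")]:
        print(f"{src} -> {dst}: {classify(src)} -> {classify(dst)}, NAT needed: {needs_nat(src, dst)}")
```

The second sample pair (private to private) needs no NAT: such traffic is carried inside the client's own network or over its VPN, which is exactly the case the L2 and L3 services discussed below are sold for.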

    The claim that such a channel is much safer, better protected from malicious attacks and from the mistakes of low-skilled technical staff, turns out on closer examination to be a myth. In practice, security problems most often arise (or are deliberately created by an attacker) directly on the client side, with the human factor involved.



    2. Virtual channels, and the VPNs (Virtual Private Networks) built on them, are widespread and solve most client tasks.

    Offering an L2 VPN, the provider gives a choice of several “second-level” (L2) services:

    VLAN - the client receives a virtual network between its offices and branches (in fact the client's traffic passes through the provider's active equipment, which limits the speed);

    Point-to-point connection, PWE3 (in other words, “edge-to-edge pseudowire emulation” in packet-switched networks) lets Ethernet frames be transferred between two nodes as if they were connected directly by a cable. What matters to the client in this technology is that every transmitted frame is delivered to the remote point unchanged; the same holds in the opposite direction. This is possible because a client frame arriving at the provider's router is encapsulated (added) into a higher-level data unit, an MPLS packet, and extracted again at the far end;
    Note: PWE3 - Pseudo-Wire Emulation Edge to Edge (a mechanism by which, from the user's point of view, they receive a dedicated connection).

    MPLS - MultiProtocol Label Switching (a data transfer technology in which packets are assigned transport/service labels, and the path a packet takes through the network is determined solely by the label values, independently of the transmission medium and of the protocol carried. Along the way new labels can be added (if necessary) or removed once their function is complete. The contents of the packets are neither analyzed nor changed).
    VPLS is a LAN emulation technology with multipoint connections. In this case the provider's network looks, from the client side, like a single switch that keeps a table of the MAC addresses of network devices. Such a virtual “switch” delivers an Ethernet frame arriving from the client's network according to its destination; to do so the frame is encapsulated in an MPLS packet and then extracted.
    Note: VPLS - Virtual Private LAN Service (a mechanism by which, from the user's point of view, their geographically separated networks are joined by virtual L2 connections).

    MAC - Media Access Control (medium access control; a unique 6-byte address that identifies a network device (or one of its interfaces) in Ethernet networks).
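To make the PWE3 and VPLS descriptions above concrete, here is an added Python model (example code written for this page, not the provider's or any vendor's implementation) of what the provider's edge routers do with a client frame: the ingress side pushes a pseudowire label and a transport label onto an unchanged Ethernet frame, the egress side pops them and returns the frame byte-for-byte, and a VPLS instance behaves as the “single switch” the article describes, learning MAC addresses and flooding unknown destinations to every other site except the one the frame came from. The site names, label values and MAC addresses are constructed for the example; the 4-byte MPLS label stack entry layout (20-bit label, 3-bit TC, 1-bit bottom-of-stack, 8-bit TTL) is the standard one.

```python
import struct

BROADCAST = b"\xff" * 6


def build_frame(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    """Minimal Ethernet II frame: dst MAC (6) | src MAC (6) | EtherType (2) | payload."""
    if len(dst_mac) != 6 or len(src_mac) != 6:
        raise ValueError("MAC addresses are 6 bytes")
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def mpls_push(label: int, inner: bytes, bottom: bool, ttl: int = 255) -> bytes:
    """Prepend one 4-byte MPLS label stack entry: label(20) | TC(3) | S(1) | TTL(8)."""
    if not 0 <= label < (1 << 20):
        raise ValueError("MPLS label must fit in 20 bits")
    entry = (label << 12) | (int(bottom) << 8) | (ttl & 0xFF)
    return struct.pack("!I", entry) + inner


def mpls_pop(packet: bytes):
    """Strip the top label entry; return (label, bottom_of_stack, ttl, remaining bytes)."""
    (entry,) = struct.unpack("!I", packet[:4])
    return entry >> 12, bool((entry >> 8) & 1), entry & 0xFF, packet[4:]


def pwe3_ingress(frame: bytes, tunnel_label: int, pw_label: int) -> bytes:
    """Ingress PE router: push the pseudowire (service) label at the bottom of the stack,
    then the transport (tunnel) label on top. The client frame itself is never modified."""
    return mpls_push(tunnel_label, mpls_push(pw_label, frame, bottom=True), bottom=False)


def pwe3_egress(packet: bytes, expected_pw_label: int) -> bytes:
    """Egress PE router: pop the transport label, then the PW label, and hand the
    untouched client frame to the attachment circuit. (Real networks often pop the
    transport label one hop earlier, penultimate-hop popping; this model keeps both.)"""
    _, bottom, _, rest = mpls_pop(packet)
    if bottom:
        raise ValueError("expected a transport label above the pseudowire label")
    pw_label, bottom, _, frame = mpls_pop(rest)
    if not bottom or pw_label != expected_pw_label:
        raise ValueError(f"pseudowire label mismatch: got {pw_label}")
    return frame


class VplsInstance:
    """One VPLS instance: the provider network acting as a single virtual switch whose
    'ports' are pseudowires to the client's sites. It learns MACs like a real switch."""

    def __init__(self, pw_labels: dict, tunnel_label: int):
        self.pw_labels = dict(pw_labels)   # site name -> PW label towards that site (constructed)
        self.tunnel_label = tunnel_label
        self.mac_table = {}                # learned source MAC -> site name

    def forward(self, ingress_site: str, frame: bytes) -> dict:
        """Learn the source MAC behind ingress_site, then return {site: MPLS packet}
        for every site the frame must be delivered to."""
        dst_mac, src_mac = frame[:6], frame[6:12]
        self.mac_table[src_mac] = ingress_site
        if dst_mac != BROADCAST and dst_mac in self.mac_table:
            targets = [self.mac_table[dst_mac]]          # known unicast: one pseudowire
        else:
            targets = list(self.pw_labels)               # broadcast / unknown: flood
        # Split horizon: never send a frame back over the pseudowire it arrived on.
        return {
            site: pwe3_ingress(frame, self.tunnel_label, self.pw_labels[site])
            for site in targets if site != ingress_site
        }


if __name__ == "__main__":
    # Constructed MACs (locally administered) and sites.
    mac_a, mac_b = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    vpls = VplsInstance({"site_a": 100, "site_b": 101, "site_c": 102}, tunnel_label=1000)
    out = vpls.forward("site_a", build_frame(mac_b, mac_a, 0x0800, b"hello"))
    print("unknown destination flooded to:", sorted(out))          # site_b, site_c
    out = vpls.forward("site_b", build_frame(mac_a, mac_b, 0x0800, b"reply"))
    print("learned destination sent only to:", sorted(out))        # site_a
```

Two points worth noticing from the defender's side: the provider's equipment never inspects or alters the bytes of the client frame (the egress check compares them exactly), and the MAC table is populated purely from what arrives, so the L2 service faithfully carries whatever frames the client sites emit, good or bad, which is why the article calls the “L2 is inherently safer” claim a myth.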


    3. When an “L3 VPN” is deployed, the provider's network looks to the client like one router with several interfaces. The interface between the client's local network and the provider's network is therefore at layer L3 of the OSI or TCP/IP network model.

    The public IP addresses of the network interfaces are determined by agreement with the provider (they may belong to the client or be obtained from the provider). The client configures the IP addresses on its routers on both sides (private on the local-network side, public on the provider side), and the provider handles the further routing of data packets. Technically, MPLS is used to implement such a solution (see above), as well as GRE and IPsec.
    Note: GRE - Generic Routing Encapsulation (a tunneling protocol that packs network packets and allows a logical connection to be established between two endpoints, using protocol encapsulation at the L3 network layer).

    IPsec - IP Security (a set of protocols for protecting data transmitted over IP: authentication, encryption, and packet integrity are used).
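The L3 case rests on the same idea as the L2 one, encapsulation, only now the unit carried is an IP packet. The following Python script is an added example written for this page (not the article's own code and not any router's implementation): it builds an inner IPv4 packet between two private addresses, wraps it in an outer IPv4 header (protocol 47) and a basic 4-byte GRE header addressed to the public tunnel endpoints, and on the receiving side validates the outer header checksum and GRE fields before handing back the inner packet unchanged. The addresses are constructed (the public ones come from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24). Plain GRE, as shown here, carries the inner packet in the clear; confidentiality and integrity of the payload are what the IPsec part of the article's GRE + IPsec pairing adds on top, and this example does not implement that layer.

```python
import ipaddress
import struct

GRE_PROTO = 47                 # IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800        # GRE "protocol type" field uses EtherType values
GRE_OPTIONAL_FIELDS = 0xB000   # C (checksum), K (key) and S (sequence) flag bits


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header with no options, checksum filled in."""
    hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Tunnel entry: outer IPv4 (proto 47) | 4-byte GRE header | inner packet, unchanged."""
    gre_header = struct.pack("!HH", 0, ETHERTYPE_IPV4)   # no optional fields, version 0
    payload = gre_header + inner
    return build_ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(payload)) + payload


def tunnel_endpoints(outer: bytes):
    """Outer (public) source and destination addresses of a tunneled packet."""
    return str(ipaddress.IPv4Address(outer[12:16])), str(ipaddress.IPv4Address(outer[16:20]))


def gre_decapsulate(outer: bytes) -> bytes:
    """Tunnel exit: validate the outer IPv4 and GRE headers, return the inner packet."""
    ihl = (outer[0] & 0x0F) * 4
    if outer[0] >> 4 != 4 or ihl < 20 or len(outer) < ihl + 4:
        raise ValueError("malformed outer IPv4 header")
    if ipv4_checksum(outer[:ihl]) != 0:    # a correct header re-sums to zero
        raise ValueError("outer header checksum failed")
    if outer[9] != GRE_PROTO:
        raise ValueError("outer packet is not GRE")
    flags, proto = struct.unpack("!HH", outer[ihl:ihl + 4])
    if flags & GRE_OPTIONAL_FIELDS:
        raise ValueError("GRE checksum/key/sequence fields are not handled by this example")
    if proto != ETHERTYPE_IPV4:
        raise ValueError(f"unexpected inner protocol 0x{proto:04x}")
    return outer[ihl + 4:]


if __name__ == "__main__":
    # Constructed packet: private LAN host to private host at the other site, UDP (17).
    inner = build_ipv4_header("192.168.1.10", "172.16.5.20", 17, 4) + b"data"
    outer = gre_encapsulate(inner, "203.0.113.1", "198.51.100.1")
    print("outer endpoints:", tunnel_endpoints(outer), "size:", len(outer))
    print("inner restored unchanged:", gre_decapsulate(outer) == inner)
```

Note that only the outer addresses are visible to the Internet between the two routers; the private inner addresses survive the trip intact, which is the mechanism that lets the article's L3 VPN keep private addressing on both sides while the provider routes the outer packets.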
    It is important to understand that modern network infrastructure is built so that the client sees only the part of it defined by the contract. The allocated resources (virtual servers, routers, online data and backup storage), as well as running programs and memory contents, are completely isolated from other users. Several physical servers can work together, simultaneously, for one client, to whom they look like one powerful server pool. Conversely, many virtual machines can be created on one physical server (each looks to the user like a separate computer with its own operating system). In addition to the standard ones, individual solutions are offered,

    At the same time, an L3-level network configuration deployed in the cloud allows scaling to almost unlimited size (the Internet and large data centers were built on this principle). Dynamic routing protocols, such as OSPF and others, in L3 cloud networks make it possible to choose the shortest paths for routing data packets, to send packets over several paths at once for better load distribution, and to expand channel bandwidth.

    At the same time, it is possible to deploy a virtual network at the “L2 level”, which is typical of small data centers and of outdated (or narrowly specialized) client applications. In some such cases even L2-over-L3 technology is used to ensure network compatibility and keep the application working.

    To summarize


    Today, the user's or client's tasks can in most cases be solved effectively by organizing virtual private networks (VPNs), using GRE and IPsec for security.

    It makes little sense to set L2 against L3, just as it makes no sense to regard an L2 channel offer as the best solution, a panacea, for building reliable communication in your network. Modern communication channels and provider equipment can carry enormous volumes of information, and many dedicated channels rented by users are in fact underloaded. It is reasonable to use L2 only in special cases when the specifics of the task require it, taking into account the limits it places on future expansion of the network, and after consulting a specialist. On the other hand, L3 VPN virtual networks, other things being equal, are more versatile and easier to operate.

    This overview briefly lists the typical standard solutions used when moving local IT infrastructure to remote data centers. Each has its own consumer, its advantages and disadvantages, and the right choice depends on the specific task.

    In real life, both layers of the network model, L2 and L3, work together, each responsible for its own task, and providers who set them against each other in advertising are being openly cunning.
