Historically, the world has since entered a true computer revolution: the introduction of cloud technologies for distributed storage and processing, including virtual data rooms. If the previous, “second” revolution was the mass transition to client-server technology in the 1980s, then the first can be considered the start of simultaneous work by many users on separate terminals connected to so-called “mainframes” (in the 1960s). These revolutionary changes happened quietly and went unnoticed by users, but through information technology they affected the entire business world.
When migrating IT infrastructure to cloud platforms and remote data centers, organizing reliable communication channels from the customer to the data centers immediately becomes the central issue. Providers typically offer a “physical leased line, fiber optics”, an “L2 channel”, a “VPN” and so on… Let’s try to understand what is behind these offers.
Communication channels – physical and virtual
A “physical line” or “layer 2 channel (L2)” is the name of a service that provides a dedicated wired (copper or fiber optic) or radio channel between the customer’s offices and the locations where the data center equipment is deployed. When you order this service, you are most likely renting a dedicated fiber optic channel. The solution is attractive because the provider is responsible for a reliable connection (and will restore the channel itself if the cable is damaged). In real life, however, the cable is not a single intact run: it consists of many segments spliced (welded) together, which somewhat reduces its reliability. When laying fiber optic cables, the provider must also use repeaters and splitters, and ultimately modems.
In marketing materials this solution is loosely assigned to layer 2 (the data link layer) of the OSI or TCP/IP network model: it lets the customer work as on a LAN, at the level of Ethernet frame switching, without having to deal with routing issues at the next layer, the IP network layer.
This approach has an obvious disadvantage: if the client relocates an office, there may be serious difficulties connecting the new location, possibly including a forced change of provider.
The claim that such a channel is much more secure, better protected from attacks by intruders and from the mistakes of low-skilled technicians, turns out on closer inspection to be a myth. In practice, security problems most often originate (or are created deliberately by an attacker) directly on the customer’s side and involve the human factor.
MPLS – MultiProtocol Label Switching: a data transmission technique in which packets are assigned transport/service labels and the route of a packet through the network is determined solely by the label values, regardless of the transmission medium and of the protocol being carried. New labels can be added (pushed) during forwarding if necessary and removed (popped) once they have served their purpose; the content of the packets is neither analyzed nor modified.
Virtual channels and private VPNs built on them are widespread and allow you to solve most client tasks.
Deploying an L2 VPN offers a choice of several possible layer 2 (L2) services (VLAN, PWE3, VPLS):
PWE3 – point-to-point connection (Pseudo-Wire Emulation Edge-to-Edge, i.e. end-to-end pseudo-wire emulation in packet-switched networks). It allows Ethernet frames to be transmitted between two nodes as if they were directly connected by a wire. For the client, the essential property of this technology is that every transmitted frame is delivered to the remote point without modification, and the same happens in the reverse direction. This is possible because a client frame arriving at the provider’s edge router is encapsulated (appended) in a parent data block, an MPLS packet, and extracted again at the far endpoint;
VPLS – a technology that emulates a local network with multipoint connections. In this case the provider’s network looks to the client like a single switch that keeps a table of the MAC addresses of the network devices. This virtual “switch” delivers an Ethernet frame coming from the client network to its intended destination: the frame is encapsulated in an MPLS packet and extracted at the far end.
Note: VPLS – Virtual Private LAN Service (a mechanism in which, from the user’s point of view, their geographically distributed networks are joined by virtual L2 connections).
MAC – Media Access Control (a method of controlling access to the transmission medium; here, the unique 6-byte address that identifies a network device (or one of its interfaces) on Ethernet networks).
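The two services above are easier to reason about with a worked model. The following Python is an added example written for this page, not code from any provider or from the original text: it implements the MPLS label push/pop from the MPLS paragraph, a PWE3 pseudowire (ingress pushes a pseudowire label and a tunnel label, a transit router swaps only the top label, egress pops both and hands back the client frame byte for byte), and a VPLS instance behaving as one MAC-learning switch. Label values, site names, MAC addresses and frames are constructed sample data; the one-label-pair-per-site layout of the VPLS model is a simplification, not how a real full-mesh VPLS is provisioned.

```python
import struct

ETH_HDR = struct.Struct("!6s6sH")      # Ethernet II: dst MAC, src MAC, EtherType
MPLS_ENTRY = struct.Struct("!I")       # one 32-bit MPLS label stack entry


def build_frame(dst_mac, src_mac, payload, ethertype=0x0800):
    """Build a minimal Ethernet II frame (constructed sample data, no FCS)."""
    return ETH_HDR.pack(dst_mac, src_mac, ethertype) + payload


def mpls_push(packet, label, bottom_of_stack, ttl=64):
    """Prepend a label stack entry: 20-bit label | 3-bit TC (0) | 1-bit S | 8-bit TTL."""
    if not 0 <= label < (1 << 20):
        raise ValueError("MPLS label must fit in 20 bits")
    return MPLS_ENTRY.pack((label << 12) | (int(bottom_of_stack) << 8) | ttl) + packet


def mpls_pop(packet):
    """Strip the top entry; return (label, is_bottom_of_stack, remaining bytes)."""
    (entry,) = MPLS_ENTRY.unpack_from(packet)
    return entry >> 12, bool((entry >> 8) & 1), packet[MPLS_ENTRY.size:]


def lsr_swap(packet, expected_in, out_label):
    """Transit label-switching router: swap the top label only, never look below it."""
    label, bos, rest = mpls_pop(packet)
    if bos or label != expected_in:
        raise ValueError("unexpected top label")
    return mpls_push(rest, out_label, bottom_of_stack=False)


class PseudoWire:
    """PWE3 point-to-point: ingress PE pushes PW label then tunnel label, egress PE pops both."""

    def __init__(self, pw_label, tunnel_label):
        self.pw_label, self.tunnel_label = pw_label, tunnel_label

    def ingress(self, frame):
        inner = mpls_push(frame, self.pw_label, bottom_of_stack=True)
        return mpls_push(inner, self.tunnel_label, bottom_of_stack=False)

    def egress(self, mpls_packet):
        tunnel, bos, rest = mpls_pop(mpls_packet)
        if bos or tunnel != self.tunnel_label:
            raise ValueError("not our tunnel label")
        pw, bos, frame = mpls_pop(rest)
        if not bos or pw != self.pw_label:
            raise ValueError("not our pseudowire label")
        return frame                        # the client frame, byte for byte


class VplsSwitch:
    """VPLS multipoint: the provider network acts as one MAC-learning switch.
    `sites` maps a site name to the PseudoWire that reaches it (hypothetical
    simplification: one label pair per site instead of a full mesh)."""

    def __init__(self, sites):
        self.sites = sites
        self.mac_table = {}                 # MAC -> site it was learned from
        self.mac_moves = []                 # (mac, old_site, new_site); a MAC that keeps
                                            # moving between sites is a classic sign of a
                                            # loop or of address spoofing, worth alerting on

    def forward(self, ingress_site, frame):
        dst, src, _ = ETH_HDR.unpack_from(frame)
        learned = self.mac_table.get(src)
        if learned is not None and learned != ingress_site:
            self.mac_moves.append((src, learned, ingress_site))
        self.mac_table[src] = ingress_site                # learn the source
        if dst in self.mac_table:
            dst_site = self.mac_table[dst]
            targets = [] if dst_site == ingress_site else [dst_site]
        else:
            targets = [s for s in self.sites if s != ingress_site]   # flood unknown unicast
        return {s: self.sites[s].ingress(frame) for s in targets}


def demo():
    """Run both services on constructed frames; returns a dict of observations."""
    mac_a = bytes.fromhex("020000000001")
    mac_b = bytes.fromhex("020000000002")
    frame = build_frame(mac_b, mac_a, b"hello from site A")
    # PWE3: push at the ingress PE, swap at a transit LSR, pop at the egress PE
    delivered = PseudoWire(16, 200).egress(lsr_swap(PseudoWire(16, 100).ingress(frame), 100, 200))
    # VPLS: the first frame to an unknown MAC is flooded, the reply is switched to the learned site
    vpls = VplsSwitch({"A": PseudoWire(16, 100), "B": PseudoWire(17, 101), "C": PseudoWire(18, 102)})
    flooded = vpls.forward("A", frame)
    reply = vpls.forward("B", build_frame(mac_a, mac_b, b"reply"))
    return {"pw_unchanged": delivered == frame,
            "flooded_to": sorted(flooded),
            "reply_to": sorted(reply)}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two properties the text describes: the pseudowire returns the original frame unchanged although a transit router rewrote the outer label, and the VPLS instance floods the first frame to all other sites, then switches the reply only to the site where the destination MAC was learned. The `mac_moves` list is the kind of signal a defender watches for on a shared L2 service, since the provider's virtual switch learns whatever source MAC the customer side sends it.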
A Router With Multiple Interfaces
When an “L3 VPN” is used, the provider’s network looks to the customer like a single router with multiple interfaces. The customer’s local network therefore connects to the provider’s network at layer 3 (the network layer) of the OSI or TCP/IP model.
Public IP addresses for the network termination points are agreed with the provider (they may be owned by the customer or obtained from the provider). The client configures IP addresses on its routers on both sides (private addresses from its local network, public ones from the provider); further routing of data packets is handled by the provider. Technically, this solution is implemented with MPLS (see above) as well as GRE and IPsec.
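To make the GRE part of that sentence concrete, here is an added example (written for this page, not code from any provider or from the original text) that carries an IPv4 packet with private addresses between two sites over public addresses: the tunnel ingress prepends a GRE header (RFC 2784 base header, with the optional checksum supported) and an outer IPv4 header, and the egress validates both headers and returns the inner packet unchanged. All addresses, payloads and the name `demo` are constructed for the example; the addresses come from the documentation ranges.

```python
import ipaddress
import struct

IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")   # 20-byte IPv4 header without options
GRE_HDR = struct.Struct("!HH")              # RFC 2784 base header: C|Reserved0|Ver, Protocol Type
PROTO_GRE = 47
ETHERTYPE_IPV4 = 0x0800


def internet_checksum(data):
    """One's-complement sum of 16-bit words (RFC 1071), as used by IPv4 and GRE."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl=64, ident=0):
    """Assemble an IPv4 packet with a correct header checksum and the DF flag set."""
    hdr = IPV4_HDR.pack(0x45, 0, IPV4_HDR.size + len(payload), ident, 0x4000, ttl, proto, 0,
                        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(packet):
    """Validate the header checksum and return the fields a tunnel endpoint needs."""
    fields = IPV4_HDR.unpack_from(packet)
    if fields[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (fields[0] & 0x0F) * 4
    if internet_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": str(ipaddress.IPv4Address(fields[8])),
            "dst": str(ipaddress.IPv4Address(fields[9])),
            "proto": fields[6],
            "payload": packet[ihl:fields[2]]}


def gre_encapsulate(outer_src, outer_dst, inner_packet, with_checksum=False):
    """Tunnel ingress: prepend a GRE header and a public outer IPv4 header."""
    if with_checksum:
        # C bit set: a 16-bit checksum and 16-bit reserved field follow the base header
        gre = GRE_HDR.pack(0x8000, ETHERTYPE_IPV4) + b"\x00\x00\x00\x00" + inner_packet
        gre = gre[:4] + struct.pack("!H", internet_checksum(gre)) + gre[6:]
    else:
        gre = GRE_HDR.pack(0, ETHERTYPE_IPV4) + inner_packet
    return build_ipv4(outer_src, outer_dst, PROTO_GRE, gre)


def gre_decapsulate(packet):
    """Tunnel egress: strip outer IPv4 and GRE, returning (outer header fields, inner packet)."""
    outer = parse_ipv4(packet)
    if outer["proto"] != PROTO_GRE:
        raise ValueError("outer packet is not GRE")
    gre = outer["payload"]
    flags_ver, proto = GRE_HDR.unpack_from(gre)
    if flags_ver & 0x0007:
        raise ValueError("unsupported GRE version")
    hdr_len = GRE_HDR.size
    if flags_ver & 0x8000:                   # C bit: checksum covers GRE header and payload
        hdr_len += 4
        if internet_checksum(gre) != 0:
            raise ValueError("bad GRE checksum")
    if proto != ETHERTYPE_IPV4:
        raise ValueError("unexpected GRE protocol type 0x%04x" % proto)
    return outer, gre[hdr_len:]


def demo():
    """Carry a private-address packet between two sites over public addresses (constructed data)."""
    inner = build_ipv4("10.0.1.10", "10.0.2.20", 17, b"payroll export")   # proto 17 = UDP
    on_the_wire = gre_encapsulate("198.51.100.1", "203.0.113.1", inner)
    outer, restored = gre_decapsulate(on_the_wire)
    return {"inner_restored": restored == inner,
            "outer_src": outer["src"], "outer_dst": outer["dst"],
            "inner_src": parse_ipv4(restored)["src"],
            "payload_visible_on_wire": b"payroll export" in on_the_wire}


if __name__ == "__main__":
    print(demo())
```

The last field returned by `demo()` is the point worth noticing: GRE on its own adds addressing and an optional integrity checksum, but no confidentiality or authentication, so the inner packet is readable by anyone on the path. That is why the text pairs GRE with IPsec: in practice the GRE tunnel is carried inside IPsec (or across the provider's MPLS core), and a defender reviewing such a setup should confirm the tunnel is not running in the clear.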
It is important to understand that modern network infrastructure is designed so that the customer sees only the part of it defined in the contract. Dedicated resources (virtual servers, routers, online storage and backup), as well as the running programs and the stored content, are completely isolated from other users. Multiple physical servers can be coordinated to work together for one client, appearing as a single powerful server pool. Conversely, multiple virtual machines can be created on a single physical server (each appearing to the user as a separate computer with its own operating system). In addition to the standard offerings, individual solutions are available that also meet the recognized requirements for the security of processing and storing customer data.
At the same time, the configuration of an L3 network deployed in the cloud allows scaling to practically unlimited size (the Internet and large data centers are built on this principle). Dynamic routing protocols such as OSPF in L3 cloud networks select the shortest routes for forwarding packets and can send packets over several paths at once, making better use of the channels and increasing the available bandwidth.
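The shortest-path and multi-path behaviour described above can be shown on a small constructed topology. The following Python is an added example written for this page (not OSPF implementation code and not from the original text): it runs Dijkstra's algorithm over link costs, the same calculation an OSPF router performs on its link-state database, keeps every equal-cost predecessor so that all shortest paths are found, derives the set of next hops for equal-cost multipath, selects a path per flow by hashing the flow's 5-tuple, and recomputes after a link failure. Router names, link costs and the flow tuple are constructed sample data.

```python
import heapq
import zlib

# Constructed topology: (router, router, cost); OSPF derives such costs from link bandwidth.
LINKS = [("R1", "R2", 10), ("R1", "R3", 10), ("R2", "R4", 10),
         ("R3", "R4", 10), ("R1", "R4", 30), ("R4", "R5", 5)]


def build_graph(links):
    """Undirected adjacency map: router -> {neighbour: cost}."""
    graph = {}
    for a, b, cost in links:
        graph.setdefault(a, {})[b] = cost
        graph.setdefault(b, {})[a] = cost
    return graph


def shortest_paths(graph, source):
    """Dijkstra that records every equal-cost predecessor, as an OSPF SPF run does."""
    dist, preds = {source: 0}, {source: []}
    heap, done = [(0, source)], set()
    while heap:
        d, node = heapq.heappop(heap)
        if node in done:
            continue
        done.add(node)
        for neighbour, cost in graph.get(node, {}).items():
            new = d + cost
            if neighbour not in dist or new < dist[neighbour]:
                dist[neighbour], preds[neighbour] = new, [node]
                heapq.heappush(heap, (new, neighbour))
            elif new == dist[neighbour] and node not in preds[neighbour]:
                preds[neighbour].append(node)
    return dist, preds


def next_hops(preds, source, dest):
    """Walk predecessors back towards the source; collect the first hop of every shortest path."""
    hops, stack, seen = set(), [dest], set()
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        for p in preds.get(node, []):
            if p == source:
                hops.add(node)
            else:
                stack.append(p)
    return sorted(hops)


def pick_next_hop(hops, flow):
    """ECMP: hash the flow 5-tuple so every packet of one flow takes the same path (no reordering)."""
    return hops[zlib.crc32(repr(flow).encode()) % len(hops)]


def demo():
    """Compute routes from R1 to R5, then reconverge after the R2-R4 link fails."""
    dist, preds = shortest_paths(build_graph(LINKS), "R1")
    hops = next_hops(preds, "R1", "R5")
    flow = ("10.0.1.10", "10.0.2.20", 6, 51234, 443)      # src, dst, proto, sport, dport
    surviving = [l for l in LINKS if set(l[:2]) != {"R2", "R4"}]
    dist_after, preds_after = shortest_paths(build_graph(surviving), "R1")
    return {"cost_to_R5": dist["R5"],
            "ecmp_next_hops": hops,
            "chosen_for_flow": pick_next_hop(hops, flow),
            "next_hops_after_failure": next_hops(preds_after, "R1", "R5"),
            "cost_after_failure": dist_after["R5"]}


if __name__ == "__main__":
    print(demo())
```

With these costs R1 reaches R5 at cost 25 over two equal-cost paths (via R2 and via R3), so both R2 and R3 become next hops and traffic is spread across them per flow; the direct R1-R4 link at cost 30 is not used. Removing the R2-R4 link leaves a single next hop, R3, at the same cost. This automatic reconvergence is what the text means by dynamic routing, and it is the property an L2 point-to-point channel cannot offer on its own.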
At the same time, it is possible to deploy a virtual network at the “L2 level”, which is typical for small data centers and for legacy (or narrowly specialized) client applications. In some cases L2-over-L3 technology is even used to ensure network compatibility and application performance.
Nowadays, in most cases, user/client tasks can be solved effectively by building VPNs with GRE and the IPsec security technologies.
There is little point in pitting L2 against L3, just as there is no point in offering an L2 channel as the best solution, a panacea, for building reliable communications in your network. Modern communication channels and provider equipment allow large volumes of information to be transmitted, and many dedicated channels rented by users are in fact underutilized. It is advisable to use L2 only in special cases, when the specifics of the task require it, taking into account the limits this places on future expansion of the network and consulting a specialist. On the other hand, other things being equal, L3 VPNs are more versatile and easier to use.
This overview briefly lists the current off-the-shelf solutions used for migrating on-premises IT infrastructure to remote data centers. Each has its consumers, advantages and disadvantages; the right choice depends on the specific task.
In real life, both layers of the network model, L2 and L3, work together, each responsible for its own task, and vendors who contrast them in advertising are being downright cunning.