
L2 and L3 VPN communication channels - differences between physical and virtual channels at different layers



I now recall with a smile how anxiously humanity awaited the end of the world in 2000. It never came, but a quite different and no less significant event did.

Historically, that is when the world entered a real computer revolution v. 3.0: the start of cloud technologies for distributed data storage and processing. If the previous "second revolution" was the massive move to client-server technologies in the 1980s, the first can be considered the beginning of simultaneous work by many users at separate terminals connected to a so-called "mainframe" (in the 1960s). These revolutionary changes happened peacefully and imperceptibly for users, but they affected the whole business world along with information technology.
When IT infrastructure is moved to cloud platforms and remote data centers, organizing reliable communication channels from the client to those data centers immediately becomes a key issue. Providers' offers on the Web abound: "physical leased line, fiber", "L2 channel", "VPN", and so on. Let's try to figure out what stands behind these in practice.

Communication channels - physical and virtual




1. A "physical line" or "layer-2 channel, L2" usually means a service in which the provider supplies a dedicated cable (copper or fiber-optic) or a radio link between the client's offices and the sites where the data center equipment is located. In practice, ordering this service most often gets you a leased dedicated fiber-optic link. The solution is attractive because the provider is responsible for the reliability of the link and repairs it when the cable is damaged. In real life, however, the cable is not one continuous strand: it consists of many spliced (welded) segments, which somewhat reduces its reliability, and along the route the provider has to use amplifiers, splitters and terminal equipment (modems or media converters) at the endpoints.

In marketing materials this solution is loosely called L2 (Data Link) after the layer of the OSI or TCP/IP network model: it lets you work as if you were switching Ethernet frames inside your own LAN, without dealing with the routing problems of the IP network layer above it. For example, you can keep using so-called "private" IP addresses in the client's virtual networks instead of registered, globally unique public addresses. Because private addresses are so convenient on local networks, special ranges were set aside for them from each of the original address classes (RFC 1918):

10.0.0.0 - 10.255.255.255 (10.0.0.0/8, one class A network);
172.16.0.0 - 172.31.255.255 (172.16.0.0/12, sixteen class B networks);
192.168.0.0 - 192.168.255.255 (192.168.0.0/16, 256 class C networks).

Users pick such addresses for their own internal use, and the same addresses are in use at the same time in thousands of client networks, so packets carrying private addresses in their headers are not routed on the Internet, to avoid confusion. To reach the Internet, the client has to apply NAT (or another solution) on its side.
Note: NAT - Network Address Translation (a mechanism that rewrites the network addresses of packets passing through a router; it is used to forward packets from a client's local network to other networks or the Internet, and in the opposite direction, to the addressee inside the client's LAN).
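As an added example (not code from the article), here is how the border of a client network treats the private addresses discussed above: a small RFC 1918 check built on Python's standard ipaddress module, plus a minimal NAPT table in the spirit of the NAT just described. The EdgeRouter class, its port allocation scheme and every address used are constructed for this illustration.

```python
"""Added example (not code from the article): how the border of a client
network handles RFC 1918 private addresses. A small "is this private?" check
built on the standard ipaddress module, plus a minimal NAPT table in the spirit
of the NAT described above. The EdgeRouter class, its port allocation scheme
and every address used are constructed for this illustration."""
import ipaddress

# The three ranges RFC 1918 reserves for internal use.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),       # one class A network
    ipaddress.ip_network("172.16.0.0/12"),    # sixteen class B networks
    ipaddress.ip_network("192.168.0.0/16"),   # 256 class C networks
]


def is_private(addr: str) -> bool:
    """True if addr lies inside one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


class EdgeRouter:
    """Border router of a client site (constructed for the example). Packets
    leaving for the Internet are rewritten to the router's single public
    address and a fresh port (NAPT); replies are mapped back to the LAN host.
    Packets that would leak or target a private address are dropped."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_table = {}  # (private_ip, private_port) -> public_port
        self.in_table = {}   # public_port -> (private_ip, private_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a LAN packet bound for the Internet. Returns the rewritten
        (src_ip, src_port, dst_ip, dst_port), or None if it must be dropped."""
        if not is_private(src_ip):
            return None      # a LAN host spoofing a public source address
        if is_private(dst_ip):
            return None      # private destinations are not routable on the Internet
        key = (src_ip, src_port)
        if key not in self.out_table:
            port = self.next_port
            self.next_port += 1
            self.out_table[key] = port
            self.in_table[port] = key
        return (self.public_ip, self.out_table[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Map a reply from the Internet back to the LAN host, or None when no
        mapping exists (unsolicited inbound traffic is dropped)."""
        if dst_ip != self.public_ip or dst_port not in self.in_table:
            return None
        priv_ip, priv_port = self.in_table[dst_port]
        return (src_ip, src_port, priv_ip, priv_port)


if __name__ == "__main__":
    nat = EdgeRouter("203.0.113.10")
    print(nat.outbound("192.168.1.25", 51000, "198.51.100.7", 443))
    print(nat.inbound("198.51.100.7", 443, "203.0.113.10", 40000))
    print(nat.outbound("192.168.1.25", 51001, "10.9.9.9", 80))
```

The two drop rules are the part worth copying: a border device that forwards a packet with a private destination onto the Internet is leaking topology for nothing, and one that accepts a non-private source from the LAN side is letting an internal host spoof.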
This approach (and we are talking about a dedicated channel) has an obvious disadvantage: if the client's office moves, connecting at the new location can be seriously difficult and may even require a change of provider.

The claim that such a channel is much safer and better protected against attackers and the mistakes of low-skilled technical staff turns out, on closer inspection, to be a myth. A leased line carries frames in cleartext unless the client encrypts them itself, and in practice security problems usually arise (or are deliberately created by an attacker) directly on the client side, with the human factor involved.



2. Virtual channels, and the private networks built on them, VPNs (Virtual Private Networks), are widespread and solve most of a client's tasks.

A provider's "L2 VPN" offering means a choice among several possible layer-2 (L2) services:

VLAN - the client gets a virtual network between its offices and branches (in fact, client traffic passes through the provider's active equipment, which limits the speed);

A PWE3 point-to-point connection (in other words, edge-to-edge pseudowire emulation over a packet-switched network) carries Ethernet frames between two nodes as if they were connected directly by cable. What matters to the client in this technology is that every transmitted frame is delivered to the remote point unchanged, and the same holds in the opposite direction. This is possible because a client frame arriving at the provider's edge router is encapsulated (wrapped) in an MPLS packet and unwrapped again at the far end;
Note: PWE3 - Pseudo-Wire Emulation Edge to Edge (the mechanism by which, from the user's point of view, they get a dedicated connection).

MPLS - MultiProtocol Label Switching (a data transmission technology in which packets are given transport/service labels, and the path of a packet through the network is determined solely by the label values, regardless of the transmission medium and of the protocol being carried. Along the path, labels can be pushed on as needed or popped off once their job is done. The contents of the packets are neither inspected nor changed).
VPLS is a technology that emulates a local area network with multipoint connections. Here the provider's network looks to the client like a single switch that keeps a table of the MAC addresses of network devices. This virtual "switch" forwards each Ethernet frame coming from the client's network toward the site that owns the destination MAC address; to do so the frame is encapsulated in an MPLS packet and then extracted again.
Note: VPLS is the Virtual Private LAN Service (the mechanism by which, from the user's point of view, their geographically separated networks are joined by virtual L2 connections).

MAC - Media Access Control (in Ethernet, the unique 6-byte hardware address that identifies a network device or one of its interfaces).
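The PWE3 pseudowire and the VPLS virtual switch described above, as one added example that is not code from the article: an Ethernet frame is wrapped in an MPLS label stack at the ingress provider edge, label-switched through two core routers (the last one doing a penultimate-hop pop), and handed to the right attachment circuit at the egress unchanged; a small VPLS switch then shows MAC learning and flooding across sites. The label values, router names, MAC addresses and frames are constructed for the demonstration, and the label stack entry layout (20-bit label, 3-bit TC, bottom-of-stack bit, 8-bit TTL) is the standard MPLS one.

```python
"""Added example (not from the article): an Ethernet frame carried across a
provider core inside an MPLS pseudowire (PWE3), and a VPLS-style virtual
switch that learns MAC addresses across sites. Labels, MAC addresses and
the frames themselves are constructed for the demonstration."""
import struct


def push_label(payload: bytes, label: int, bos: bool, ttl: int = 64) -> bytes:
    """Prepend one MPLS label stack entry: 20-bit label, 3-bit TC (left 0),
    1-bit bottom-of-stack flag, 8-bit TTL."""
    entry = (label << 12) | (int(bos) << 8) | ttl
    return struct.pack(">I", entry) + payload


def pop_label(packet: bytes):
    """Return (label, bottom_of_stack, ttl, remaining bytes)."""
    (entry,) = struct.unpack(">I", packet[:4])
    return entry >> 12, bool((entry >> 8) & 1), entry & 0xFF, packet[4:]


class LabelSwitchRouter:
    """Core (P) router: forwards on the top label only and never looks at
    the client frame underneath."""

    def __init__(self, name: str, swap_table: dict):
        self.name = name
        self.swap_table = swap_table  # in_label -> (out_label or None to pop, next hop)

    def forward(self, packet: bytes):
        label, bos, ttl, rest = pop_label(packet)
        if ttl <= 1:
            raise ValueError(f"{self.name}: TTL expired on label {label}")
        out_label, next_hop = self.swap_table[label]
        if out_label is None:  # penultimate-hop pop: hand over the inner stack as is
            return next_hop, rest
        return next_hop, push_label(rest, out_label, bos, ttl - 1)


class ProviderEdge:
    """PE router: binds client attachment circuits to pseudowire labels."""

    def __init__(self, tx_pw: dict, rx_pw: dict, tunnel_labels: dict):
        self.tx_pw = tx_pw                  # local circuit -> PW label the remote PE expects
        self.rx_pw = rx_pw                  # PW label we allocated -> local circuit
        self.tunnel_labels = tunnel_labels  # remote PE -> transport label into the core

    def ingress(self, frame: bytes, circuit: str, remote_pe: str) -> bytes:
        inner = push_label(frame, self.tx_pw[circuit], bos=True)
        return push_label(inner, self.tunnel_labels[remote_pe], bos=False)

    def egress(self, packet: bytes):
        """Strip the PW label and deliver the untouched frame to its circuit."""
        label, bos, _, frame = pop_label(packet)
        if not bos:
            raise ValueError("expected the bottom-of-stack PW label")
        return self.rx_pw[label], frame


class VplsSwitch:
    """What the client sees of a VPLS: one switch whose ports are local
    circuits and pseudowires to other sites. It learns source MACs per port
    and floods frames whose destination is still unknown."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}

    def forward(self, frame: bytes, in_port: str):
        dst, src = frame[0:6], frame[6:12]
        self.mac_table[src] = in_port
        if dst in self.mac_table:
            return [] if self.mac_table[dst] == in_port else [self.mac_table[dst]]
        return [p for p in self.ports if p != in_port]


def deliver_over_pseudowire(frame: bytes):
    """Walk a frame PE1 -> P1 -> P2 -> PE2; return (circuit, frame) at the far end."""
    pe1 = ProviderEdge(tx_pw={"ac1": 200}, rx_pw={}, tunnel_labels={"PE2": 1001})
    p1 = LabelSwitchRouter("P1", {1001: (1002, "P2")})
    p2 = LabelSwitchRouter("P2", {1002: (None, "PE2")})  # penultimate-hop pop
    pe2 = ProviderEdge(tx_pw={}, rx_pw={200: "ac2"}, tunnel_labels={})
    packet = pe1.ingress(frame, "ac1", "PE2")
    _, packet = p1.forward(packet)
    _, packet = p2.forward(packet)
    return pe2.egress(packet)


def vpls_demo():
    sw = VplsSwitch(["siteA", "siteB", "siteC"])
    mac_a, mac_b = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    first = sw.forward(mac_b + mac_a + b"\x08\x00" + b"hello", "siteA")  # B unknown: flood
    reply = sw.forward(mac_a + mac_b + b"\x08\x00" + b"hi", "siteB")     # A learned: unicast
    return first, reply


if __name__ == "__main__":
    frame = bytes.fromhex("020000000002" "020000000001") + b"\x08\x00" + b"client data"
    print(deliver_over_pseudowire(frame) == ("ac2", frame))
    print(vpls_demo())
```

Two things to notice: the core routers only ever touch the outer label (the client frame, including its MAC addresses, is opaque payload to them), and the VPLS switch's first frame toward an unknown MAC is flooded to every other site, which is the normal way a stray frame from one branch ends up at all the others.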


3. With an "L3 VPN", the provider's network looks to the client like a single router with several interfaces, so the client's local network meets the provider's network at layer 3 (L3) of the OSI or TCP/IP network model.

The public IP addresses of the interconnection points are settled by agreement with the provider (they can belong to the client or be issued by the provider). The client configures the IP addresses on its own routers on both sides (private ones from its local network, public ones from the provider), and the provider takes care of routing the packets from there. Technically, inside the provider's backbone such a service is typically built on MPLS (see above); where the tunnel has to cross a network the provider does not control, such as the Internet, GRE and IPsec are used.
Note: GRE - Generic Routing Encapsulation (a tunneling protocol that wraps one network packet inside another IP packet, creating a logical point-to-point link between two endpoints across an IP network. GRE by itself provides neither encryption nor authentication, which is why it is paired with IPsec).

IPsec - IP Security (a suite of protocols that protects traffic carried over IP: peer authentication, encryption, and integrity checking of packets).
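The GRE encapsulation mentioned above, as an added example that is not part of the original article: a minimal IPv4 and GRE packet builder and parser in Python, followed by the check a practitioner cares about, namely that GRE on its own carries the inner packet in cleartext across the provider's path, which is the reason it is paired with IPsec. The checksum routine, the fixed header layout (a 4-byte GRE header with no optional fields) and all addresses and payloads are assumptions made for the example.

```python
"""Added example (not from the article): an IPv4 packet carried inside a GRE
tunnel, as a router at either end of an L3 VPN would do, and the check that
matters for security: GRE alone leaves the inner packet readable on the wire.
Addresses, payloads and the fixed header layout are assumptions for this example."""
import struct

IPPROTO_GRE = 47
ETHERTYPE_IPV4 = 0x0800


def checksum(data: bytes) -> int:
    """One's-complement sum used for the IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f">{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum, plus payload."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    header = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0, src_b, dst_b)
    header = header[:10] + struct.pack(">H", checksum(header)) + header[12:]
    return header + payload


def gre_encapsulate(inner: bytes, outer_src: str, outer_dst: str) -> bytes:
    """Outer IPv4 header + 4-byte GRE header (no flags, protocol 0x0800) + the untouched inner packet."""
    gre = struct.pack(">HH", 0, ETHERTYPE_IPV4)
    return ipv4_packet(outer_src, outer_dst, IPPROTO_GRE, gre + inner)


def gre_decapsulate(packet: bytes) -> bytes:
    """Check the outer header and GRE header, then return the inner packet."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 header")
    if packet[9] != IPPROTO_GRE:
        raise ValueError("outer packet is not GRE")
    flags_ver, proto = struct.unpack(">HH", packet[ihl:ihl + 4])
    if flags_ver & 0x0007:      # version field must be 0 for plain GRE
        raise ValueError("unsupported GRE version")
    if flags_ver & 0xF000:      # C/R/K/S flags add optional fields this parser does not handle
        raise ValueError("GRE optional fields not supported")
    if proto != ETHERTYPE_IPV4:
        raise ValueError("unexpected GRE payload type")
    return packet[ihl + 4:]


def inner_is_readable(on_wire: bytes, secret: bytes) -> bool:
    """What a tap on the provider's path sees: GRE does not encrypt, so the
    client's payload appears verbatim inside the tunnel packet."""
    return secret in on_wire


def demo():
    inner = ipv4_packet("192.168.1.10", "192.168.2.20", 6, b"SECRET-DB-PASSWORD")
    on_wire = gre_encapsulate(inner, "203.0.113.1", "198.51.100.1")
    return gre_decapsulate(on_wire) == inner, inner_is_readable(on_wire, b"SECRET-DB-PASSWORD")


if __name__ == "__main__":
    print(demo())
```

Note what the decapsulator does not do: it cannot tell who sent the outer packet, since nothing in GRE is authenticated, so any host that can reach the tunnel endpoint's public address can inject packets into the "private" network behind it unless IPsec (or at least a source filter) sits in front of it.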
It is important to understand that modern network infrastructure is built so that a client sees only the part of it defined by the contract. Dedicated resources (virtual servers, routers, storage for live data and backups), along with running programs and memory contents, are isolated from other tenants by the virtualization layer. Several physical servers can work together and simultaneously for one client, who sees them as one powerful server pool; conversely, many virtual machines can be created at the same time on one physical server (each looking to its user like a separate computer with its own operating system). Besides standard offerings, individual solutions are available that also meet the accepted requirements for the security of processing and storing customer data.

At the same time, a network deployed in the cloud at "layer 3" can scale to almost unlimited size (the Internet and large data centers are built on this principle). Dynamic routing protocols such as OSPF and others let an L3 cloud network pick the shortest paths for packets and spread traffic over several equal-cost paths at once (ECMP), which balances load and adds capacity.
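The shortest-path selection just described, as an added example that is not from the article: a Dijkstra computation over link costs of the kind a link-state protocol such as OSPF performs, extended to keep every predecessor on an equal-cost path so that the resulting routing table lists all equal-cost next hops (ECMP). The topology SAMPLE_LINKS, its router names and costs are constructed for the example.

```python
"""Added example (not from the article): shortest-path route computation over
an L3 network with link costs, the way a link-state protocol such as OSPF does
it, including equal-cost multipath (ECMP) next hops. The topology SAMPLE_LINKS
and its costs are constructed for the example."""
import heapq
from collections import defaultdict

# Undirected links (router_a, router_b, cost). Two equal-cost paths lead from
# R1 to the data center "DC"; a direct but expensive link goes to R5.
SAMPLE_LINKS = [
    ("R1", "R2", 10), ("R1", "R3", 10),
    ("R2", "R4", 10), ("R3", "R4", 10),
    ("R4", "DC", 5),
    ("R1", "R5", 40), ("R5", "DC", 1),
]


def shortest_paths(links, source):
    """Dijkstra over undirected weighted links. Returns (dist, preds), where
    preds[n] is the set of predecessors of n on *all* shortest paths, which
    is what makes ECMP possible."""
    graph = defaultdict(list)
    for a, b, cost in links:
        graph[a].append((b, cost))
        graph[b].append((a, cost))
    dist = {source: 0}
    preds = defaultdict(set)
    heap = [(0, source)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist.get(node, float("inf")):
            continue   # stale heap entry
        for nbr, cost in graph[node]:
            nd = d + cost
            if nd < dist.get(nbr, float("inf")):
                dist[nbr] = nd
                preds[nbr] = {node}
                heapq.heappush(heap, (nd, nbr))
            elif nd == dist[nbr]:
                preds[nbr].add(node)   # another path of equal cost
    return dist, preds


def next_hops(preds, source, dest):
    """Walk the predecessor sets back from dest; each direct neighbour of
    source reached this way is a valid equal-cost next hop."""
    hops, stack, seen = set(), [dest], set()
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        for p in preds.get(node, ()):
            if p == source:
                hops.add(node)
            else:
                stack.append(p)
    return sorted(hops)


def routing_table(links, router):
    """destination -> (cost, [next hops]) as the router would install it."""
    dist, preds = shortest_paths(links, router)
    return {dst: (dist[dst], next_hops(preds, router, dst))
            for dst in dist if dst != router}


if __name__ == "__main__":
    for dst, (cost, hops) in sorted(routing_table(SAMPLE_LINKS, "R1").items()):
        print(f"{dst}: cost {cost} via {hops}")
```

For R1 the table lists both R2 and R3 as next hops toward DC at cost 25, so traffic can be split over the two paths; the direct R1-R5 link at cost 40 is never used for R5, because going through DC costs 26. Note that a real router hashes flows onto the equal-cost hops rather than spraying individual packets, so that one TCP connection does not get reordered.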

At the same time, a virtual network can also be deployed at "layer 2"; this is typical for small data centers and for legacy (or narrowly specialized) client applications. In some such cases an "L2 over L3" overlay (Ethernet frames tunneled inside IP packets) is even used to keep the network compatible with the application and the application working.

Let's sum up


Today, user and client tasks can in most cases be solved effectively by building virtual private networks (VPNs) with GRE and the IPsec security protocols.

There is little point in contrasting L2 with L3, just as there is no sense in treating an L2 channel offer as a panacea, the best possible way to build reliable communication in your network. Modern communication channels and provider equipment can carry an enormous amount of traffic, and many of the dedicated channels that users lease are in fact underused. It is reasonable to use L2 only in special cases where the nature of the task requires it, to take into account the limits this places on future expansion of the network, and to consult a specialist. L3 VPN virtual networks, other things being equal, are more versatile and easier to use.

This overview briefly lists the typical solutions used today to move local IT infrastructure to remote data centers. Each has its customer, its advantages and its disadvantages, and the right choice depends on the specific task.

In real life both layers of the network model, L2 and L3, work together, each doing its own job, and providers that pit them against each other in advertising are frankly being disingenuous.

Source: https://habr.com/ru/post/354408/

