Full-fledged L2 switches. What is the “level” of the switch L1, L2, L3, L4. Equipment connection plan by ports

Many people have wondered what L2-VPN is, how it works and why it is needed. L2-VPN (Virtual Private Network) is a virtual private network service that telecom operators provide on a point-to-point basis. For this service the provider's network is completely transparent to the client.

Where might this be needed?

Let's say you are a private entrepreneur with offices in Uryupinsk and Voronezh. You want to combine the two networks into one large local network. From your (the client's) point of view, the service looks as shown in Figure 1.

That is, it looks like connecting to one large L2 switch. If necessary, you can independently deploy additional protection services inside your VPN channel: encryption, authentication, an IPSec tunnel, and so on.

What does this look like from the provider's point of view?

This is where it gets a little more complicated. Once you tell the provider of your choice that you want this service, it connects both offices to its nearest switches, performs the required configuration on its equipment, and you receive the coveted service. The provider's network can be huge. For your packets to get from Uryupinsk to Voronezh and back, they will have to traverse many switches, several routers and many, many kilometres. Schematically this can be represented as shown in Figure 2.

Providers deliver this service over their IP/MPLS network. The provider calculates the price from distance, channel capacity, the total cost of maintaining and operating the equipment, depreciation, and so on. For all that, the price is several times too high for the client.

Conclusion

This service is one of the most popular among provider clients. It is very simple and requires no configuration on the client's equipment.

Advantages:

  • accelerated exchange of files and messages within the network;
  • high security of information transfer;
  • collaboration on documents and databases;
  • access to corporate information http servers;
  • organization of high-quality video conferencing and video broadcasts between offices

However, there are also disadvantages. Since the service is L2, it is very difficult for telecom operators to track problems on it, and they almost always learn about a problem from the client. In fact, the client takes all the diagnostics and the work with the provider upon himself, so when problems arise, their resolution is greatly delayed.

There is a more interesting service that allows you to organize point-to-multipoint connections at L2 of the OSI model: VPLS. You can read more about it by going to.

You can buy/order the L2VPN service.

L3VPN, which we reviewed in the previous issue, covers a huge number of scenarios needed by most customers. Huge, but not all. It allows communication only at the network layer and only for one protocol: IP. What to do with telemetry data, for example, or traffic from base stations that work over an E1 interface? There are also services that use Ethernet but still require connectivity at the data link layer. And data centers like to talk to each other at L2.
So for our clients we get L2 out and lay it down.

Traditionally everything was simple: L2TP, PPTP, and by and large that was it. Well, you could also hide Ethernet in GRE. For everything else, separate networks were built and dedicated lines were rented at the price of a tank (per month). However, in our age of converged networks, distributed data centers and international companies this is not an option, and a number of scalable link-layer technologies have poured onto the market.
This time we will focus on MPLS L2VPN.

L2VPN Technologies

Before diving into warm MPLS, let's take a look at what types of L2VPN exist.

  • VLAN/QinQ - they can be included here, since the basic requirements of a VPN are met: a virtual L2 network is organized between several points, and the data in it is isolated from other traffic. Essentially, a per-user VLAN organizes a Hub-and-Spoke VPN.
  • L2TPv2/PPTP - outdated and boring things.
  • L2TPv3 together with GRE have scaling problems.
  • VXLAN, EVPN - options for data centers. Very interesting, but DCI is not in the plans for this issue. There was, however, a separate podcast about them (listen to the recording of November 25th).
  • MPLS L2VPN is a set of different technologies whose transport is an MPLS LSP. It is this that is now most widely used in provider networks.

Why is it the winner? The main reason, of course, is the ability of routers forwarding MPLS packets to abstract from their contents while still distinguishing the traffic of different services.
For example, an E1 frame arrives at a PE, is immediately encapsulated in MPLS, and no one along the way will even suspect what is inside; all that matters is to swap the label in time.
An Ethernet frame arrives on another port and can travel through the network via the same LSP, only with a different VPN label.
In addition, MPLS TE allows channels to be built taking into account the traffic's requirements for network parameters.
In conjunction with LDP and BGP, configuring a VPN and automatically finding neighbours become easier.
The ability to encapsulate traffic of any link layer in MPLS is called AToM - Any Transport over MPLS.
Here is a list of supported AToM protocols:

  • ATM Adaptation Layer Type-5 (AAL5) over MPLS
  • ATM Cell Relay over MPLS
  • Ethernet over MPLS
  • Frame Relay over MPLS
  • PPP over MPLS
  • High-Level Data Link Control (HDLC) over MPLS

Two worlds of L2VPN

There are two conceptually different approaches to building any L2VPN.

Terminology

Traditionally, terms will be introduced as needed. But a few right away.
PE - Provider Edge - edge routers of the provider's MPLS network to which client devices (CE) connect.
CE - Customer Edge - client equipment directly connected to the provider's routers (PE).
AC - Attached Circuit - the interface on a PE to which the client connects.
VC - Virtual Circuit - a virtual unidirectional connection through the shared network that emulates the original medium for the client. It connects the AC interfaces of different PEs. Together they form a single channel: AC→VC→AC.
PW - PseudoWire - a virtual bidirectional data channel between two PEs; it consists of a pair of unidirectional VCs. This is the difference between a PW and a VC.

VPWS. Point-to-point

VPWS - Virtual Private Wire Service.
The basis of any MPLS L2VPN solution is the idea of a PW - PseudoWire - a virtual cable stretched from one end of the network to the other. But for VPWS, this PW itself is already the service.
A kind of L2 tunnel through which you can carry anything you want without worry.
For example, a client has a 2G base station in Kotelniki and its controller is in Mitino. And this BS can connect only via E1. In ancient times this E1 would have had to be extended with cable, radio relays and all sorts of converters.
Today one common MPLS network can be used both for this E1 and for L3VPN, Internet, telephony, television, and so on.
(Someone will say that L2TPv3 can be used instead of MPLS for a PW, but who needs it with its scalability and lack of Traffic Engineering?)

VPWS is relatively simple, both in terms of traffic transmission and the operation of service protocols.

VPWS Data Plane or user traffic transmission

The tunnel label is the same as the transport label; it is just that the long word “transport” did not fit in the heading.

0. A transport LSP has already been built between R1 and R6 using LDP or RSVP-TE. That is, R1 knows the transport label and the output interface towards R6.
1. R1 receives some L2 frame from client CE1 on the AC interface (it could be Ethernet, TDM, ATM, etc.; it does not matter).
2. This interface is bound to a specific client identifier, the VC ID, in a sense an analogue of the VRF in L3VPN. R1 gives the frame a service label that will remain unchanged until the end of the path. The VPN label is the inner one in the stack.
3. R1 knows the destination, the IP address of the remote PE router R6, looks up the transport label and pushes it onto the MPLS label stack. This is the outer, transport label.
4. The MPLS packet travels across the operator's network through P routers. The transport label is swapped for a new one at each node; the service label remains unchanged.
5. On the penultimate router the transport label is removed: PHP occurs. The packet arrives at R6 with only the VPN service label.
6. R6 (PE2), having received the packet, analyzes the service label and determines to which AC interface the decapsulated frame should be sent.

Please note: each CSR1000V node requires 2.5 GB of RAM. Otherwise the image either will not start or will misbehave in various ways, such as ports not coming up or packet loss.

VPWS practice

Let's simplify the topology to four backbone nodes. Clicking opens it in a new tab so that you can look at it with Alt+Tab rather than scrolling the page up and down.

Our task is to connect Ethernet from Linkmeup_R1 (Gi3 port) to Linkmeup_R4 (Gi3 port).

At step 0, IP addressing, IGP routing and basic MPLS are already configured (see how).

Let's see what happened behind the scenes of the protocols (the dump was taken on the GE1 interface of Linkmeup_R1). The main milestones can be identified:

0) The IGP converged, LDP discovered its neighbours, brought up a session and distributed transport labels.
As you can see, Linkmeup_R4 allocated transport label 19 for FEC 4.4.4.4.

1) Then tLDP began its work.

A. First we configured it on Linkmeup_R1, and tLDP began periodically sending its Hello to address 4.4.4.4.

As you can see, this is a unicast IP packet sent from the Loopback address 1.1.1.1 to the Loopback address of the remote PE, 4.4.4.4.
It is carried in UDP and transmitted with one MPLS label, the transport label 19. Note the priority: the EXP field is 6, one of the highest, since this is a service-protocol packet. We will talk more about this in the QoS issue.

The PW state is still DOWN, because there is nothing on the other side yet.

B. After xconnect has been configured on the Linkmeup_R4 side, a Hello follows immediately and a TCP connection is established.

At this point an LDP adjacency has been established.

C. Labels were exchanged:

At the very bottom you can see that the FEC in the case of VPWS is the VC ID that we specified in the xconnect command; this is the ID of our VPN, 127.
Just below it is the label allocated for it by Linkmeup_R4: 0x16, or 22 in decimal.
That is, with this message Linkmeup_R4 told Linkmeup_R1: if you want to send a frame to the VPN with VC ID 127, use service label 22.

Here you can see a bunch of other Label Mapping messages: this is LDP sharing everything it has learned, information about all FECs. This is of little interest to us, and of even less to Linkmeup_R1.

Linkmeup_R1 does the same thing - it tells Linkmeup_R4 its label:

After this the VCs come up, and we can see the labels and current statuses:

The commands show mpls l2transport vc detail and show l2vpn atom vc detail are generally identical for our examples.

3) Now everything is ready to transfer user data. At this point we run ping. Everything is predictably simple: the two labels we already saw above.
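To make the two halves of the story above concrete, the VPWS data plane (steps 0 to 6 earlier) and the tLDP label exchange just described, here is an added Python model; it is example code and not part of the linkmeup article or its lab. The chain topology Linkmeup_R1 - R2 - R3 - R4, the loopbacks 1.1.1.1 to 4.4.4.4, the AC name Gi3 and all transport labels other than 19 are constructed assumptions; the values 19 (the transport label R1 uses towards 4.4.4.4) and 22 (the VC label Linkmeup_R4 allocated for VC ID 127) are the ones seen in the dump.

```python
"""Added example: VPWS signalling (tLDP Label Mapping per VC ID) and forwarding
(push / swap / PHP / pop).  Topology and labels other than 19 and 22 are constructed."""

from dataclasses import dataclass, field

IMPLICIT_NULL = 3  # a mapping of label 3 means "pop before sending to me" (PHP)


@dataclass
class Router:
    name: str
    loopback: str
    next_label: int = 16
    # Transport LFIB: incoming transport label -> (outgoing label, next-hop name).
    lfib: dict = field(default_factory=dict)
    # Ingress transport table: remote PE loopback -> (transport label, next-hop name).
    fec: dict = field(default_factory=dict)
    # VPWS table: vc_id -> {"ac", "peer", "local" (our VC label), "remote" (peer's VC label)}
    vcs: dict = field(default_factory=dict)

    def allocate(self) -> int:
        label, self.next_label = self.next_label, self.next_label + 1
        return label

    def xconnect(self, ac: str, peer: str, vc_id: int) -> int:
        """Like 'xconnect <peer> <vc-id>': bind the AC and allocate our VC label."""
        self.vcs[vc_id] = {"ac": ac, "peer": peer, "local": self.allocate(), "remote": None}
        return self.vcs[vc_id]["local"]

    def vc_state(self, vc_id: int) -> str:
        """UP only once the peer's Label Mapping for this VC ID has been received."""
        vc = self.vcs.get(vc_id)
        return "UP" if vc and vc["remote"] is not None else "DOWN"


def tldp_label_mapping(sender: Router, receiver: Router, vc_id: int) -> None:
    """Targeted LDP Label Mapping: FEC = VC ID, label = sender's local VC label."""
    if vc_id in sender.vcs and vc_id in receiver.vcs:
        receiver.vcs[vc_id]["remote"] = sender.vcs[vc_id]["local"]


def build_lab() -> dict:
    """Constructed chain R1 - R2 - R3 - R4 with LDP transport LSPs already built."""
    r1 = Router("Linkmeup_R1", "1.1.1.1")
    r2 = Router("Linkmeup_R2", "2.2.2.2")
    r3 = Router("Linkmeup_R3", "3.3.3.3")
    r4 = Router("Linkmeup_R4", "4.4.4.4", next_label=22)  # so R4 hands out VC label 22
    # LSP towards 4.4.4.4: R1 pushes 19, R2 swaps 19 -> 24, R3 (penultimate) pops.
    r1.fec["4.4.4.4"] = (19, r2.name)
    r2.lfib[19] = (24, r3.name)
    r3.lfib[24] = (IMPLICIT_NULL, r4.name)
    # LSP towards 1.1.1.1: R4 pushes 31, R3 swaps 31 -> 18, R2 (penultimate) pops.
    r4.fec["1.1.1.1"] = (31, r3.name)
    r3.lfib[31] = (18, r2.name)
    r2.lfib[18] = (IMPLICIT_NULL, r1.name)
    return {r.name: r for r in (r1, r2, r3, r4)}


def signal_vpws(routers: dict, vc_id: int = 127) -> list:
    """Configure xconnect on both PEs and exchange VC labels; return the PW state seen on R1."""
    r1, r4 = routers["Linkmeup_R1"], routers["Linkmeup_R4"]
    r1.xconnect("Gi3", "4.4.4.4", vc_id)
    states = [r1.vc_state(vc_id)]          # DOWN: nothing configured on the far side yet
    r4.xconnect("Gi3", "1.1.1.1", vc_id)
    tldp_label_mapping(r4, r1, vc_id)      # "for VC ID 127 use label 22"
    tldp_label_mapping(r1, r4, vc_id)      # R1 tells R4 its own label in return
    states.append(r1.vc_state(vc_id))      # UP
    return states


def forward(routers: dict, ingress: str, vc_id: int, frame: bytes):
    """Carry one AC frame from the ingress PE to the egress AC.
    Returns ([(router, label stack on the wire after it)], egress AC, frame);
    no router on the way ever inspects the frame bytes."""
    pe = routers[ingress]
    vc = pe.vcs[vc_id]
    transport, nh = pe.fec[vc["peer"]]
    stack = [transport, vc["remote"]]      # outer: transport label, inner: VC label
    trace = [(pe.name, list(stack))]
    node = routers[nh]
    while len(stack) == 2:                 # P routers only ever touch the outer label
        out_label, nh = node.lfib[stack[0]]
        if out_label == IMPLICIT_NULL:
            stack.pop(0)                   # PHP: penultimate hop removes the transport label
        else:
            stack[0] = out_label           # ordinary swap
        trace.append((node.name, list(stack)))
        node = routers[nh]
    # Egress PE: the remaining (VC) label selects the AC; it is popped and the frame goes out.
    egress_vc = next(v for v in node.vcs.values() if v["local"] == stack[0])
    trace.append((node.name, []))
    return trace, egress_vc["ac"], frame


if __name__ == "__main__":
    lab = build_lab()
    print("PW state on R1 before/after far-side xconnect:", signal_vpws(lab))
    hops, ac, _ = forward(lab, "Linkmeup_R1", 127, b"constructed Ethernet frame")
    for hop, labels in hops:
        print(f"{hop:12s} label stack on the wire: {labels}")
    print("delivered to", ac)
```

Running it shows the same picture as the capture: the ping leaves R1 with the stack [19, 22], the reply in the other direction arrives at R1 with the VC label alone because R2 performs PHP, and the PW on R1 stays DOWN until the far side has configured its xconnect and sent its mapping.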

For some reason Wireshark did not parse the contents of MPLS, but I will show you how to read the payload:

The two blocks highlighted in red are MAC addresses, DMAC and SMAC respectively. The yellow block 0800 is the Ethertype field of the Ethernet header and means IP inside.
Next, the black block 01 is the Protocol field of the IP header: the ICMP protocol number. And the two green blocks are SIP and DIP respectively.
Now you can read it in Wireshark yourself!

Accordingly, the ICMP Reply comes back with only the VPN label, because PHP took place on Linkmeup_R2 and the transport label was removed.

If VPWS is just a wire, then it should also safely carry a frame with a VLAN tag?
Yes, and we do not have to reconfigure anything for this.
Here is an example of a frame with a VLAN tag:

Here you see Ethertype 8100 (802.1q) and VLAN tag 0x3F, or 63 in decimal.
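The by-hand reading of the capture above (label stack, DMAC, SMAC, Ethertype, 802.1q tag, IP protocol, SIP and DIP) is easy to turn into a small decoder. The one below is an added example, not code from the article; it also walks stacked tags (802.1ad S-tag over 802.1Q C-tag, the Q-in-Q the page discusses later), which the single-tagged frame here does not need. The sample packet is constructed: labels 19 and 22 match the dump, while the MAC addresses, VLAN 63 as the tag value, and the 10.0.0.x addresses are made up.

```python
"""Added example: decode the bytes an EoMPLS capture shows after the label stack.
Sample packet constructed; only labels 19 and 22 come from the article's dump."""

import struct
from ipaddress import IPv4Address

ETH_P_IPV4 = 0x0800
VLAN_TPIDS = (0x8100, 0x88A8, 0x9100)   # 802.1Q, 802.1ad S-tag, legacy Q-in-Q outer tag


def parse_label_stack(buf: bytes, off: int = 0):
    """Read 4-byte label entries until the bottom-of-stack (S) bit is set."""
    labels = []
    while True:
        (entry,) = struct.unpack_from("!I", buf, off)
        off += 4
        labels.append({"label": entry >> 12, "exp": (entry >> 9) & 0x7, "ttl": entry & 0xFF})
        if (entry >> 8) & 1:
            return labels, off


def parse_ethernet(buf: bytes, off: int):
    """Ethernet header with any number of stacked VLAN tags."""
    dmac, smac = buf[off:off + 6].hex(":"), buf[off + 6:off + 12].hex(":")
    off += 12
    (ethertype,) = struct.unpack_from("!H", buf, off)
    off += 2
    tags = []
    while ethertype in VLAN_TPIDS:           # a tag = TPID (already read) + 2-byte TCI
        (tci,) = struct.unpack_from("!H", buf, off)
        tags.append({"tpid": ethertype, "pcp": tci >> 13, "vid": tci & 0x0FFF})
        (ethertype,) = struct.unpack_from("!H", buf, off + 2)
        off += 4
    return {"dmac": dmac, "smac": smac, "tags": tags, "ethertype": ethertype}, off


def parse_ipv4(buf: bytes, off: int):
    """Only the fields the article reads: protocol, source and destination."""
    ihl = (buf[off] & 0x0F) * 4
    return {
        "protocol": buf[off + 9],
        "src": str(IPv4Address(buf[off + 12:off + 16])),
        "dst": str(IPv4Address(buf[off + 16:off + 20])),
    }, off + ihl


def decode_eompls(packet: bytes, control_word: bool = False) -> dict:
    """Label stack, optional PW control word, Ethernet header and IPv4 header."""
    labels, off = parse_label_stack(packet)
    if control_word:          # a 4-byte control word sits between the VC label and the frame
        off += 4
    eth, off = parse_ethernet(packet, off)
    out = {"labels": labels, "ethernet": eth}
    if eth["ethertype"] == ETH_P_IPV4:
        out["ip"], off = parse_ipv4(packet, off)
    return out


def label_entry(label: int, exp: int, bottom: bool, ttl: int = 255) -> bytes:
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bottom) << 8) | ttl)


def build_sample(tags=((0x8100, 63),), control_word: bool = False) -> bytes:
    """Constructed packet: transport label 19, VC label 22, ICMP echo inside, given VLAN tags."""
    pkt = label_entry(19, 0, False) + label_entry(22, 0, True)
    if control_word:
        pkt += bytes(4)                                   # all-zero control word
    pkt += bytes.fromhex("ca0102030a01") + bytes.fromhex("ca0102030a02")   # DMAC, SMAC
    for tpid, vid in tags:
        pkt += struct.pack("!HH", tpid, vid)              # PCP/DEI = 0
    pkt += struct.pack("!H", ETH_P_IPV4)
    pkt += struct.pack("!BBHHHBBH4s4s", 0x45, 0, 84, 0, 0, 64, 1, 0,
                       IPv4Address("10.0.0.1").packed, IPv4Address("10.0.0.2").packed)
    pkt += struct.pack("!BBHHH", 8, 0, 0, 1, 1) + bytes(56)   # ICMP echo request + padding
    return pkt


if __name__ == "__main__":
    import pprint
    pprint.pprint(decode_eompls(build_sample()))
    pprint.pprint(decode_eompls(build_sample(((0x88A8, 100), (0x8100, 63)))))
```

The decoder takes the presence of the control word as an explicit argument rather than guessing: the first nibble of a destination MAC that begins with 0 looks exactly like the first nibble of a control word, so a dissector that has to guess from the bytes alone can get this wrong, and the PW configuration is the only reliable source.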

If we move the xconnect configuration to a subinterface that specifies a VLAN, it will terminate that VLAN and send the frame to the PW without the 802.1q header.

Types of VPWS

The example considered is EoMPLS (Ethernet over MPLS). It is part of PWE3 technology, which is a development of VLL Martini Mode. And all this together is VPWS. The main thing here is not to get confused by the definitions. Let me be your guide.
So, VPWS is the general name for point-to-point L2VPN solutions.
A PW is a virtual L2 channel that underlies any L2VPN technology and serves as the tunnel for data transmission.
VLL (Virtual Leased Line) is a technology that encapsulates frames of various link-layer protocols in MPLS and carries them through the provider's network.

The following types of VLL are distinguished:
VLL CCC - Circuit Cross Connect. In this case there is no VPN label, and transport labels are assigned manually (static LSP) on each node, including the swap rules. That is, there is always only one label in the stack, and each such LSP can carry the traffic of only one VC. I have never met it in real life. Its main advantage is that it can provide connectivity between two nodes connected to the same PE.

VLL TCC - Translational Cross Connect. The same as CCC, but allows different link-layer protocols to be used at the two ends.
This works only with IPv4. On receipt, the PE removes the link-layer header, and when transmitting to the AC interface it inserts a new one.
Interested? Start here.

VLL SVC - Static Virtual Circuit. The transport LSP is built by the usual mechanisms (LDP or RSVP-TE), and the VPN service label is assigned manually. tLDP is not needed in this case. It cannot provide local connectivity (two nodes connected to the same PE).

Martini VLL is roughly what we dealt with above. The transport LSP is built in the usual way, and VPN labels are distributed by tLDP. Beautiful! Does not support local connectivity.

Kompella VLL - the transport LSP is built in the usual way, and VPN labels are distributed by BGP (as expected, with RD/RT). Wow! Supports local connectivity. Well, okay.

PWE3 - Pseudo Wire Emulation Edge to Edge. Strictly speaking, the scope of this technology is wider than just MPLS. However, in the modern world they work together in 100% of cases. Therefore PWE3 can be considered an analogue of Martini VLL with extended functionality; signalling is likewise handled by LDP+tLDP.
Briefly, its differences from Martini VLL can be summarized as follows:

  • Reports the status of the PW using an LDP Notification message.
  • Supports Multi-Segment PW, where the end-to-end channel consists of several smaller pieces. In this case the same PW can serve as a segment for several channels.
  • Supports TDM interfaces.
  • Provides a fragmentation negotiation mechanism.
  • Other...

Today PWE3 is the de facto standard, and it is what was used in the example above.

I talk about Ethernet everywhere here to show the most obvious example. Everything concerning other link-layer protocols is left for independent study, please.

Bachelor of Radio Engineering

trainee engineer at the branch of NVision Group CJSC NVision-Siberia

Master's student at SibGUTI

Consultant: Maramzin Valery Valentinovich, Leading Design Engineer Direction of Networks and Data Transmission Systems NVision Group

Annotation:

The article describes the elements of a methodology for determining the network topology at the data link and network layers.

Keywords:

topology, protocols

UDC 004.722

Currently, every large company has its own internal local network infrastructure. The internal network includes both the workstations themselves and any other network devices that fall under the concept of “host”.

A host is an end node in the TCP/IP protocol stack. Most often these devices on a network are routers and switches.

The larger the company, the larger and more extensive its network, which includes intranet resources as well as other services and nested structures that must be constantly maintained and monitored. It is for the purposes of high-quality network monitoring, quick troubleshooting of faults and emergencies, identifying congested links and solving other problems that the network topology needs to be known.

Network topology is the configuration of a graph, the vertices of which correspond to the end nodes of the network (computers) and communication equipment (routers, switches), and the edges correspond to physical or information connections between the vertices.

In most cases the topology is a partially connected hierarchical tree, in which the entire web of the network branches out from one or several powerful root servers or routers. And the larger the local network, the harder it is to maintain and to find faults in without knowing its architecture.

Of course, there are currently some ready-made solutions capable of visualizing the network graph with all its nodes. These include various network management packages that operate automatically and do not always correctly reflect the real state of objects.

For example, HP OpenView Network Node Manager from Hewlett-Packard and various similar products provide information about the topology at L3, but say little about which network devices are connected and disconnected. That is, to effectively detect network nodes and the existing connections between them, it is necessary to use topology discovery tools at L2, working in link detection mode at the level of switches and routers.

There are other solutions from specific large manufacturers of network equipment, such as Cisco Systems and Nortel Networks, which developed their own protocols, CDP and LLDP, as standards for servicing large enterprise networks. But the problem is this: many networks are built on equipment from different manufacturers, chosen for one reason or another, by parameters or by preference.

Consequently, there is a need to develop a universal method for determining the topology of networks, independent of the equipment supplier and other conditions, that would use a branching algorithm for analyzing the network and its nodes and would present the results in a simplified visual form, for example by constructing a network connectivity graph.

This can be implemented as follows. The input to the algorithm is the authentication parameters of one of the root devices on the network and its IP address. From there, information about each device is collected through sequential SNMP polling using a certain sequence of actions.

First it is necessary to establish which protocols are active and supported on the device in question. The primary analysis should include checking whether the LLDP and CDP protocols are active, the simplest ways to detect adjacency between devices on the network. Link Layer Discovery Protocol (LLDP) is a link-layer protocol that allows network devices to advertise information about themselves and their capabilities to the network, and also to collect this information about neighbouring devices.

Cisco Discovery Protocol (CDP) is a link-layer protocol developed by Cisco Systems that allows you to discover connected (directly or through first-layer devices) Cisco network equipment, its name, IOS version and IP addresses.

Thus, if a device supports one of these protocols, the algorithm immediately accesses the corresponding sections of the MIB (Management Information Base), which contains all the information about neighbouring devices, provided they also advertised it about themselves: IP addresses, port information, chassis information and device types.

If there is no LLDP/CDP support, the second step of the check is an SNMP poll of the current device's local MIB to obtain information about its active interfaces and its ARP table.

In this case the check procedure is first run on the switches. Using the switch's ARP (Address Resolution Protocol) table, the algorithm obtains information about each connected device as a correspondence MAC address - IP address - interface - TTL.

Neighbouring devices are searched for by sequential unicast polling of all MAC addresses found in the ARP table. A reply to the ARP request for the desired MAC address, together with a record of the interface on which the reply arrived, constitutes detection of the device on the network. Having identified the adjacency, the MAC address matching procedure is performed: if an interface of the first device receives a reply to the request for the MAC address of the second device, and conversely an interface of the second device receives a reply to the request for the MAC address of the first, then this is a guaranteed link between the two nodes. As a result, the adjacency information contains not only the link between the nodes but also the interfaces through which they are connected.

Figure: Determining device adjacency by MAC addresses

Next, the algorithm moves to the next switch and repeats the check procedure, leaving a record in the log file about the devices already visited and their parameters, thus walking through every node in the network sequentially.

When designing this method and developing the algorithm, several conditions for its correct operation should not be overlooked:

  1. The devices must have SNMP support enabled, preferably version 3.
  2. The algorithm must be able to distinguish virtual interfaces from real ones and build the connectivity graph from real physical connections.
Once the necessary operating conditions are met and an algorithm of this kind is implemented, the result is a universal method for determining the network topology, which can be used either simply to visualize the network connectivity graph or be included as a module in another, more complex algorithm for identifying and eliminating faults at L2 and L3.
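The discovery walk described in the preceding paragraphs, implemented over constructed poll results instead of live SNMP, as an added example that is not part of the paper. Device names, MAC addresses and interface names are made up; the LLDP/CDP neighbour tables, interface types and per-interface ARP/MAC tables stand in for the MIB sections the text polls. It goes one step beyond the strict two-step order in the text: the ARP/MAC fallback runs on every device, not only on those without LLDP/CDP, so that a neighbour from another vendor that does not speak either protocol is still found, and it applies condition 2 by ignoring anything learned on virtual interfaces.

```python
"""Added example: breadth-first topology discovery with mutual-match confirmation.
All devices, MACs and interfaces below are constructed; no SNMP is performed."""

from collections import deque

# Constructed poll results. "neighbors": LLDP/CDP MIB (local port -> (chassis, remote port)),
# "interfaces": interface type from the ifTable, "arp": MACs learned per interface.
DEVICES = {
    "core-r1": {
        "mac": "00:11:00:00:00:01", "lldp": True,
        "neighbors": {"Gi0/1": ("dist-sw1", "Gi1/0/24")},
        "interfaces": {"Gi0/1": "physical", "Vlan10": "virtual"},
        "arp": {"Gi0/1": {"00:11:00:00:00:02"}, "Vlan10": {"00:11:00:00:00:02"}},
    },
    "dist-sw1": {
        "mac": "00:11:00:00:00:02", "lldp": True,
        "neighbors": {"Gi1/0/24": ("core-r1", "Gi0/1"), "Gi1/0/1": ("acc-sw3", "Gi0/1")},
        "interfaces": {"Gi1/0/24": "physical", "Gi1/0/1": "physical",
                       "Gi1/0/2": "physical", "Vlan10": "virtual"},
        "arp": {"Gi1/0/24": {"00:11:00:00:00:01"}, "Gi1/0/1": {"00:11:00:00:00:03"},
                "Gi1/0/2": {"00:11:00:00:00:04"}, "Vlan10": {"00:11:00:00:00:01"}},
    },
    "acc-sw3": {
        "mac": "00:11:00:00:00:03", "lldp": True,
        "neighbors": {"Gi0/1": ("dist-sw1", "Gi1/0/1")},
        "interfaces": {"Gi0/1": "physical", "Gi0/2": "physical"},
        "arp": {"Gi0/1": {"00:11:00:00:00:02"}, "Gi0/2": {"00:aa:bb:cc:dd:01"}},  # an end host
    },
    "acc-sw4": {   # other vendor, no LLDP/CDP: reachable only through the MAC fallback
        "mac": "00:11:00:00:00:04", "lldp": False, "neighbors": {},
        "interfaces": {"Gi0/1": "physical", "Vlan1": "virtual"},
        "arp": {"Gi0/1": {"00:11:00:00:00:02"}, "Vlan1": {"00:11:00:00:00:02"}},
    },
}


def port_seeing(dev: dict, mac: str):
    """Physical interface of `dev` on which `mac` was learned (virtual ones are skipped)."""
    for iface, macs in dev["arp"].items():
        if dev["interfaces"].get(iface) == "physical" and mac in macs:
            return iface
    return None


def discover(root: str, devices: dict):
    """Breadth-first walk from the root device. Returns (edges, log): each edge maps a
    frozenset of two (device, interface) endpoints to True when both sides report the
    link (the mutual match in the text) and to False when only one side does."""
    mac_to_device = {d["mac"]: name for name, d in devices.items()}
    edges, visited, log = {}, set(), []
    queue = deque([root])
    while queue:
        name = queue.popleft()
        if name in visited:
            continue
        visited.add(name)
        dev = devices[name]
        log.append(f"{name}: lldp/cdp={'yes' if dev['lldp'] else 'no'}")
        candidates = {}   # peer -> (local interface, peer interface or None)
        if dev["lldp"]:   # step 1: LLDP/CDP neighbour table
            for local_if, (peer, peer_if) in dev["neighbors"].items():
                candidates[peer] = (local_if, peer_if)
        for local_if, macs in dev["arp"].items():   # step 2: MACs on physical interfaces
            if dev["interfaces"].get(local_if) != "physical":
                continue                            # condition 2: SVIs, loopbacks, tunnels
            for mac in macs:
                peer = mac_to_device.get(mac)
                if peer is None:                    # an end host: leaf, cannot confirm back
                    edges.setdefault(frozenset({(name, local_if), ("host " + mac, "?")}), False)
                elif peer not in candidates:
                    candidates[peer] = (local_if, None)
        for peer, (local_if, peer_if) in candidates.items():
            if peer_if is None:                     # found via MAC: look for the reverse match
                peer_if = port_seeing(devices[peer], dev["mac"])
                confirmed = peer_if is not None
            else:                                   # found via LLDP/CDP: does the peer report us?
                confirmed = devices[peer]["neighbors"].get(peer_if) == (name, local_if)
            key = frozenset({(name, local_if), (peer, peer_if or "?")})
            edges[key] = edges.get(key, False) or confirmed
            queue.append(peer)
    return edges, log


def edge_list(edges: dict) -> list:
    """Sorted, printable form of the connectivity graph."""
    return sorted((tuple(sorted(k)), v) for k, v in edges.items())


if __name__ == "__main__":
    found, visit_log = discover("core-r1", DEVICES)
    print("\n".join(visit_log))
    for (a, b), ok in edge_list(found):
        print(f"{a[0]}:{a[1]} <-> {b[0]}:{b[1]}  {'confirmed' if ok else 'unconfirmed'}")
```

In the constructed data, acc-sw4 never appears in any LLDP/CDP table, yet the graph still gets a confirmed edge dist-sw1:Gi1/0/2 to acc-sw4:Gi0/1, because each side learned the other's MAC on a physical port; the same MAC seen on Vlan10 and Vlan1 is ignored and so produces no bogus link, and the end host behind acc-sw3 is kept only as an unconfirmed leaf.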


Reviews:

03/13/2014, 21:09 Klinkov Georgy Todorov
Review: One must also keep in mind the fact that a network topology requires effective routing and data switching, especially in relation to firewall technology: Active-Active topology, asymmetric routing with Cisco MSFC and FWSM, FWSM balancing using PBR or ECMP routing, NAC placement in the topology, IDS and IPS architecture.

03/13/2014, 22:08 Nazarova Olga Petrovna
Review: The last paragraph consists of recommendations. There is no conclusion. Finalize it.


03/17/2014, 9:44 Nazarova Olga Petrovna
Review: Recommended for printing.

L2 VPN, OR DISTRIBUTED ETHERNET

The L2 VPN category includes a wide range of services: from emulating dedicated point-to-point channels (E-Line) to organizing multipoint connections and emulating the functions of an Ethernet switch (E-LAN, VPLS). L2 VPN technologies are “transparent” to higher-level protocols, so they allow, for example, IPv4 or IPv6 traffic to be carried regardless of which version of the IP protocol the operator uses. Their “low-level” nature is also an advantage when SNA, NetBIOS or SPX/IPX traffic has to be carried. However, now, in the period of general “IPization”, these capabilities are required less and less often. Some time will pass, and the new generation of network specialists will probably not know at all that there were times when the NetWare OS and the SPX/IPX protocols “dominated” in networks.

L2 VPN services are usually used to build corporate networks within one city (or a city and its immediate surroundings), so this concept is often perceived almost as a synonym for the term Metro Ethernet. Such services are characterized by high channel speeds at lower (compared to L3 VPN) connection costs. Further advantages of L2 VPN are support for larger frame sizes (jumbo frames) and the relative simplicity and low cost of the client equipment installed at the border with the provider (L2).

The growing popularity of L2 VPN services is largely due to the needs of fault-tolerant, geographically distributed data centers: for virtual machines to “travel”, a direct L2 connection between nodes is required. Such services, in essence, allow the L2 domain to be stretched. These are well-established solutions, but they often require complex configuration. In particular, when a data center is connected to the service provider's network at several points, which is highly desirable for fault tolerance, additional mechanisms are required to load the connections optimally and to prevent “switching loops”.

There are also solutions designed specifically for interconnecting data center networks at L2, for example the Overlay Transport Virtualization (OTV) technology implemented in Cisco Nexus switches. It operates on top of IP networks and uses all the advantages of L3 routing: good scalability, high fault tolerance, connection at several points, transmission of traffic along multiple paths, and so on (for more details, see the author's article “On inter-data-center backbones” in the November 2010 issue of the “Journal of Networking Solutions/LAN”).

L2 OR L3 VPN

If, when purchasing L2 VPN services, the enterprise itself has to take care of routing traffic between its sites, then in L3 VPN systems this task is solved by the service provider. The main purpose of L3 VPN is to connect sites located in different cities, at a great distance from each other. These services typically have higher connection costs (since they involve a router rather than a switch), high rental fees and low throughput (usually up to 2 Mbit/s). The price can increase significantly with the distance between connection points.

An important advantage of L3 VPN is its support for QoS and traffic engineering functions, which allow the required level of quality to be guaranteed for IP telephony and video conferencing services. Its disadvantages are that it is not transparent to Ethernet services, does not support larger Ethernet frame sizes, and is more expensive than Metro Ethernet services.

Note that MPLS technology can be used to organize both L2 and L3 VPNs. The level of a VPN service is determined not by the level of the technology used for it (MPLS is generally difficult to attribute to any specific level of the OSI model; it is rather an L2.5 technology), but by its “consumer properties”: if the operator's network routes client traffic, it is L3; if it emulates link-layer connections (or the functions of an Ethernet switch), it is L2. At the same time, other technologies can be used to form an L2 VPN, for example 802.1ad Provider Bridging or 802.1ah Provider Backbone Bridges.

802.1ad Provider Bridging solutions, also known by many other names (vMAN, Q-in-Q, Tag Stacking, VLAN Stacking), add a second 802.1Q VLAN tag to an Ethernet frame. The service provider can ignore the inner VLAN tags set by the client's equipment; the outer tags are sufficient to forward the traffic. This technology removes the 4096 VLAN ID limitation of classic Ethernet, which significantly increases the scalability of services. 802.1ah Provider Backbone Bridges (PBB) solutions add a second MAC address to the frame, so that the MAC addresses of the end equipment are hidden from the backbone switches. PBB provides up to 16 million service identifiers.
