A VPN (Virtual Private Network) is used for adding privacy and security to the public as well as private networks. For instance, it gives anonymity to users by creating a private network from the publicly available internet connection.

It’s characterized in two different ways, remote-access VPN and Site-to-Site VPN, where remote-access VPNs allow specific users to make a secure connection with the remote computer network. And, site-to-site VPN allows offices from more than one fixed location to create a secure connection with each other over a network like internet.

Nonetheless, a VPN lets users interconnect to two similar networks over a different intermediate network. For example, IPV6 networks can be connected over an IPV4 network.

The VPN is classified under, customer-provisioned and provider-provisioned, where:

Customer Provisioned VPNs

The user is responsible for creating as well as managing the VPN on its own. And tunnels are made between Customer Edges (CE).

Provider-Provisioned Virtual Networks VPNs (PPVPNs)

The VPN is offered and managed by the internet connectivity provider, and the tunnels are created between Provider Edges (PE).

Note: The customer-provisioned VPNs can’t become a peer-model as the providers are not aware of the customer’s self-created VPN.

Yet, all VPNs are not created equally. It works on different methods and protocols. Commonly VPNs are operated on two different data link layers of the OSI model (Open Systems Interconnection model), namely, Layer 2 and Layer 3.


Layer 2 is referred to as the second layer of the OSI model known as the Data Link Layer.

Layer 3 is referred to as the third layer of the OSI model known as the Network Layer.

What’s Layer 2 VPN?

To put simply, Layer 2 VPNs are VPN (Virtual Private Network), which make use of MPLS labels for transporting data. Here, the communication is done between the routers, which are known as PEs (Provider Edge Routers), because it sits at the network provider’s edge, which is next to the customer’s network. In other words, Layer 2 VPN transports L2 frames between locations which are usually Ethernet.

What’s Layer 3 VPN?

Layer 3 VPN, also called VPRN (Virtual Private Routed Network), is typically a VPN mode that is built and delivered over the networking technology OSI Layer 3. Here, the entire communication is carried out on the core of VPN infrastructure, which forwards using Layer 3 forwarding and virtual routing methods.

Furthermore, it’s built with a combination of MPLS and IP -based networking technology. It’s usually used for sending data on the back end of the VPN infrastructure. For example, VPN connections between back officers or data centers.

Moreover, in earlier years, Layer 2 VPNs were quite popular, and once the Layer 3 VPNs came into existence, it started picking the pace. Both the VPN layers have certain pros and cons.

Table: Layer 2 VPN vs Layer 3 VPN – The Difference

Layer 2 VPN Layer 3 VPN
  • In Layer 2 VPNs, virtualization of the data link layer (Layer 2) is for making geographically remotes look upon as they are operating within the same LAN Network.
  • The whole network layer is virtualized in the Layer 3 VPNs to route the customer networks on public infrastructure such as the Internet or Service provider backbone.
  • Layer 2 VPN is the Martini approach. It’s also known as Virtual Private Lan Services (VPLS) or Transparent LAN Services (TLS).
  • Layer 3 VPN is the Private Routed Network approach, often called a virtual private routed network (VPRN).
  • Layer 2 VPN (L2VPN) usually use MPLS-based (Multi-Protocol Label Switching) labels for sending data to network edge routers from the transmission site to the destined node.
  • Layer 3 VPN (L3VPN) usually uses a peer-to-peer model, which uses Border Gateway Protocol (BGP) model, which is based on an IETF Request for Comments (RFC) 2547 for sending and receiving data related to VPN.
  • Transportation of L2 frames (mostly Ethernet) is between locations, like a cable connecting two switches between two different buildings.
  • In Layer 3, VPN connection from every side is on a different subnet, and IP packets are sent through the VPN.
  • Based on Layer 2 information, provider devices forward the customer traffic.
  • Based on Layer 3 information, provider devices forward the customer traffic.
  • Layer 3 VPNs are more scalable compared to Layer 2 VPNs.
  • Layer 2 VPNs are less scalable than Layer 3 VPNs.
  • Layer 2 VPN is less secured compared to Layer 3 VPN.
  • Layer 3 VPN is more secured compared to Layer 2 VPN.
  • Layer 2 VPN is conceptually more straightforward.
  • Layer 3 VPN is conceptually harder compared to Layer 2 VPN.
  • Layer 2 VPN can become completely transparent to applications.
  • Layer 3 VPN is less transparent compared to Layer 2 VPN and can meddle with applications.
  • Customers make connectivity of remote customer sites with the Layer 3 (IP) connectivity and not the service provider.
  • Layer 3 (IP) connectivity of the customer is made with the edge devices of the provider sites.
  • For Customer Subnets IP Routing, there’s no involvement of Service Provider.
  • For IP Routing of Customer Subnets Service Providers are involved.
  • The Layer 2 VPN approach is generally preferred when service providers want to extend and scale their Layer 2 VPN deployments. It’s quite a transport-oriented carrier or used in a scenario of few static routes and VPN sites.
  • The Layer 3 VPN is generally suited for the classic ISP networks with their existing router deployments. It’s the right choice for carriers who are serving large VPNs along with changing locations.


To summarize, Layer 3 VPNs (L3VPN) offer impermeable protection for peer to peer connections, whether it’s from remote workers, suppliers, or offices from different locations. Also, it’s incorporated with extra security, which is often missed in lower versions.

On the other hand, Layer 2 VPN (L2VPN), is used for connecting VLANs together, which is useful for sharing or communicating sensitive subjects. For example, communication between national offices. Also, L2VPN is a cheaper and fast security option compared to L3VPN. But it does lack flexibility for traffic and routing management like it’s provided in L3VPN.