L2VPN vs L3VPN: What’s the difference?

Padlock against a digital blue background
(Image credit: Pixabay)

The best VPNs establish a secure, encrypted connection over a private or public network. Although they were originally designed to allow employees to “dial home” to their corporate mainframe whilst away from the office, they have a number of uses from allowing you to access geographic-specific online services like Netflix and protecting your online privacy. For a deep dive into the topic, see our guide What is a VPN? 

Not all VPNs are created equal however. Layer 2 VPNs have been around for some time but Layer 3 VPNs are also popular. In this guide, you can explore and compare the differences between L2VPN and L3VPN.

What is L2VPN? 

As the name suggests, L2VPN (Layer 2 VPNs) work on the second layer of the OSI (Open Systems Interconnection) model, known as the ‘data link’ layer. 

The OSI model is an abstract concept but generally a Layer 2 VPN virtualises this ‘data link’ layer to allow multiple sites to operate as part of the same network using MPLS (Multiprotocol Label Switching). This is a routing technique that transfers data from one node to the next using labels rather than specific network addresses.

In a traditional L2VPN model this routing occurs on the customer edge (CE) router or switch. The CE will connect to the VPN service provider’s edge (PE) switch or router. 

Users - or ‘customers’ - need only know which VPN interfaces connect to their services. They determine their own network policies and the best way to route traffic to the provider via an LSP (Label Switched Path). However, the user must also configure all their devices to handle Layer 3 traffic themselves, as well as to connect with other users rather than the provider.

As it only established Layer 2 connections, an L2VPN can be less resource intensive: it doesn’t have to keep a detailed record of routing info for every single user. This is less of a burden on the provider meaning it can be easier to scale up the network by adding more devices.

The fact that no record of individual user’s routing info is kept is also good news for privacy. It makes it much harder to trace data to an individual device if a bad actor gains access to the L2VPNs connection logs. There’s also no risk of a user’s routing information being made available to other private networks connected to the VPN.

The other main advantage of L2VPNs is that users can use any Layer 3 Protocol they wish, such as IP, IPv6, IPX and SNA.

What is L3VPN?  

LV3PN (Layer 3 VPN) operates on the third layer of the OSI, known as the ‘network layer’. The key difference between an L2VPN and an L3VPN (Layer 3 VPN) is that routing takes part on the provider’s VPN routers or switches. 

Since the service provider manages site to site routing, this can be an advantage given that they can use their expertise to handle this in the most efficient way possible. They may even be able to offer virtual private network-wide services such as video calls which are more difficult to implement on disparate L2VPNs using different protocols. 

To do this though, they need a knowledge of their user’s network structure, so it’s arguably not as private as using a L2VPN, as the service provider is even able to manage routing of user’s sub-nets. This wouldn’t usually be necessary or desirable e.g. when connecting various company offices around the world to a corporate or business VPN

In a L3VPN, the CE (customer’s edge) switch or router must be configured to exchange traffic with the PE (provider’s edge) switch/router using either BGP (Border Gateway Protocol) or OSPF (Open Shortest Path First). 

This can be an advantage relative to L2VPNs as there’s no need for every CE device to be connected to every other CE switch/router. Instead each CE device only needs to connect to one of the provider’s routers. However this only works for IP traffic : if users want to support protocols like IPX, the provider must set up GRE (Generic Routing EncapsulatioN) tunnels between CE devices.

The fact still remains that by only requiring a connection between one CE device and one PE device, L3VPNs are very simple to scale up. 


Ultimately there are workarounds for getting a particular VPN protocol running on either a L2VPN or L3VPN and scaling up each type of network is feasible with enough time in resources. Although, by default, a L3VPN doesn’t offer the same level of security and encryption implemented by an L2VPN running over IPSEC for instance, it is possible to secure connections between PE devices.

The key difference then between the two types of VPNs is one of control. If a user wants to be able to set its own network policies, perform their own routing and not reveal too much about the topology of their various private networks then L2VPN is the best option, as they can retain granular control over them.

If a user is less concerned with control and more worried about making sure that every site can communicate and share resources in the most efficient way possible, then L3VPn is probably the best option. Giving the provider control over routing has a number of benefits including maximizing bandwidth, support for services like voice and video conferencing and, most importantly, the user/customer doesn’t have to define their own network policies and protocols. 

In summary, each VPN model has its own pros and cons. The reason both exist is because there’s no “right” layer to choose when implementing a VPN, only what’s right for you. If you’re relying on a third-party provider for your VPN - especially when using a free VPN - make sure to ask which model they follow before setting up. 

If you simply want to use a proxy server to bypass regional restrictions and wouldn’t mind any web traffic on your device leaking onto the internet, then by all means employ a proxy. Just remember that you will need to individually configure each app that you want to use with the proxy, such as your web browser.

If you want to encrypt all your web traffic and a better guarantee of concealing your IP address, consider using a VPN instead. Find out more in our guide to the benefits of proxy servers vs VPNs

If you simply want to browse the web anonymously, you can also use the Tor browser free of charge. Although web pages will load much more slowly than with a VPN, you’ll have a much higher level of anonymity as your connection is routed through various tor proxies. The browser itself is also specially configured not to leak any personal information about you through ‘browser fingerprinting’.  

Nate Drake is a tech journalist specializing in cybersecurity and retro tech. He broke out from his cubicle at Apple 6 years ago and now spends his days sipping Earl Grey tea & writing elegant copy.