Layer 3 Virtual Private Network (L3 VPN)_

Hassle-free interconnection_

A fully managed IP based WAN solution to connect offices and data centers to each other, anywhere in the world.

Our quality technology, experienced team and fully managed approach is ideal for any multisite WAN. Delivered across our global IP network, the enterprise-grade offering provides a simple yet dependable virtual private network to connect sites together.

Enquire Now


Why BSO for L3 VPN?

Worry-free connectivity

BSO’s round the clock monitoring and maintenance ensures everything runs without a hitch.


Highly customisable and configurable - define how connections are routed and control which traffic is prioritised.


Rock solid availability combined with competitive pricing delivers a solution packed full of value.


Our global network_

View more


Not on-net with BSO?

We have great relationships with carriers around the world, all we need are your business objectives to provide the right assistance.

Find out more

Get in touch now to transform your business with Layer 3 VPN_


What is the difference between L2 and L3 VPN?

L2 (Layer 2) and L3 (Layer 3) VPNs differ in their network abstraction and routing capabilities:

L2 (Layer 2) VPNs operate at the data link layer, creating the illusion of a shared ethernet segment. They don't perform routing and are suitable when all sites need to be part of the same broadcast domain. Examples include EPL and VPLS.

L3 (Layer 3) VPNs work at the network layer, abstracting the routing infrastructure and enabling isolated routing domains for each VPN. They perform routing within each VPN, allowing separate IP address spaces. MPLS VPNs and IPsec VPNs are examples. The choice between L2 and L3 VPN depends on specific networking requirements and use cases.

What is Layer 3 VPN (L3VPN)?

Layer 3 VPN (L3 VPN) is a sophisticated network technology that allows organisations to establish private and secure communication networks over shared or public infrastructure, such as the internet or a service provider's network. Here's a more detailed breakdown of L3VPN:

Network layer: L3 VPN operates at the network layer, which is Layer 3 of the OSI model. It focuses on routing and forwarding packets based on IP addresses.

Isolated routing domains: The key feature of L3 VPN is the creation of isolated routing domains for different VPNs or customers. Each VPN exists as a separate, independent network, with its own IP address space and routing tables. This isolation ensures that traffic from one VPN does not interfere with traffic from another.

IP address separation: L3 VPNs allow different VPNs to use overlapping IP address ranges because the isolation keeps them separate. This flexibility is particularly valuable when multiple organisations or customers share the same infrastructure.

Routing control: Within each L3 VPN, organisations have complete control over routing policies, allowing them to determine how traffic is routed within their VPN. They can configure static routes or dynamic routing protocols, such as OSPF or BGP, to optimise traffic flow.

Security: L3 VPNs provide a high level of security and privacy by segregating traffic and IP address spaces. This ensures that sensitive data remains within the boundaries of the VPN and cannot be accessed by other VPNs sharing the same infrastructure.

Service provider backbone: L3 VPNs are commonly offered by service providers, who manage the core network infrastructure. They use technologies like MPLS (Multiprotocol Label Switching) to create the VPN tunnels and route traffic securely between different customer VPNs.

Scalability: L3 VPNs are highly scalable, making them suitable for both small and large organisations. Additional sites or branches can be easily added to the VPN without major changes to the network architecture.

Common use cases: L3 VPNs are widely used in scenarios where multiple organisations or departments within an organisation need secure and separate communication networks. Examples include connecting remote offices, providing secure access to cloud resources, and enabling communication between different business units.

How does L3VPN work?

Layer 3 Virtual Private Networks (L3VPNs) work by creating isolated routing domains within a shared or public network infrastructure. Here's a simplified overview:

Configuration: Each L3 VPN is configured with its own IP address ranges and routing policies.

Isolation: VPNs are isolated, so their IP address spaces and routing are independent.

Routing control: Organisations manage routing protocols for optimised traffic flow within their VPN.

Tunnels: Secure tunnels, often using MPLS, connect VPN sites within the service provider's network.

Traffic separation: Traffic from one VPN doesn't mix with others, even with overlapping IP addresses.

Security: L3 VPNs ensure data security and privacy within each VPN.

Service provider: Providers manage the core network infrastructure for seamless connectivity.

Scalability: L3 VPNs are easily scalable for network growth.

What does MPLS L3 VPN configuration consist of?

MPLS L3 VPN configuration requires careful planning and coordination between the service provider and the customer to establish secure, efficient, and isolated communication between multiple VPNs over a shared MPLS network. Several key elements are:

VPN configuration: Define the MPLS VPN itself, specifying its unique identifier (VPN ID) and customer name or identifier.

Customer edge (CE) routers: Configure the customer's routers at the network edges. Set up the routing protocols (e.g. BGP) and IP address assignments for CE routers.

Provider edge (PE) routers: Configure the service provider's routers at the network edges. Define the interfaces connecting to CE routers and enable MPLS on those interfaces.

Virtual routing and forwarding (VRF) instances: Create VRF instances on PE routers for each VPN customer. Each VRF instance is a separate routing table for that customer's traffic, ensuring isolation.

Route distinguisher (RD) and Route target (RT): Assign unique RDs and RTs to each VRF instance to distinguish routes within the provider's network and control route distribution.

BGP configuration: Set up BGP sessions between CE and PE routers, enabling the exchange of routing information. Apply import and export policies to control route propagation.

MPLS label distribution: Ensure MPLS label distribution between PE routers, enabling the creation of label-switched paths (LSPs) for VPN traffic.

Quality of Service (QoS) settings: Optionally, configure QoS policies to prioritise or manage traffic within the VPN.

Security and access control: Implement access control lists (ACLs) and security measures to safeguard the VPN's traffic.

Testing and verification: Conduct thorough testing and verification of the configuration to ensure proper functionality and connectivity.

How can I set up a Layer 3 Virtual Private Network?

The specific steps and complexity of setting up an L3 VPN may vary based on your unique requirements, the technology chosen, and whether you use a service provider. It's often beneficial to work with experienced network professionals or consult with your chosen service provider for guidance and support. Typically, the steps involved are:

Planning: Determine your network requirements, including the number of sites, IP address schemes, and routing protocols to use.

Select a provider: Choose a service provider or decide if you will manage the VPN in-house.

Choose VPN type: Decide between MPLS-based VPNs (typically provided by carriers) or IPsec-based VPNs (for site-to-site or remote access).

Design IP addressing: Plan IP address assignments for each site and ensure they don't overlap.

Configure routers: Set up customer edge (CE) routers at each site. Configure routing protocols (e.g. BGP) for communication.

Provider edge (PE) routers: Configure PE routers at provider network edges, enabling MPLS (for MPLS VPNs) or IPsec (for IPsec VPNs).

VRF instances: Create Virtual Routing and Forwarding (VRF) instances on PE routers for each VPN, ensuring traffic isolation.

Route distinguishers (RD) and Route targets (RT): Assign unique RDs and RTs to VRF instances to control route distribution.

BGP configuration: Set up BGP sessions between CE and PE routers, applying import and export policies to control routing.

Label distribution: For MPLS VPNs, ensure MPLS label distribution between PE routers to establish label-switched paths (LSPs).

Quality of Service (QoS): Optionally, configure QoS policies for traffic prioritisation or management.

Security measures: Implement security measures, such as access control lists (ACLs), to protect VPN traffic.

Testing and verification: Thoroughly test the VPN configuration, verifying connectivity and functionality.

Monitoring and maintenance: Continuously monitor the VPN's performance, addressing any issues and making necessary adjustments.