How to Use L2 VPN — Site-to-Site Layer 2 Connectivity Guide
A practical guide to Layer 2 VPN technologies — VPLS, EVPN, L2TP, and pseudowires — for extending LANs across geographically distributed sites.
What is a Layer 2 VPN?
A Layer 2 VPN extends a local area network (LAN) across a wide area network (WAN), making remote sites appear as if they are on the same physical network. Unlike Layer 3 VPNs (like IPsec) that route IP packets between sites, L2 VPNs transport Ethernet frames — preserving MAC addresses, VLANs, and broadcast domains across sites.
When Do You Need L2 VPN?
- Migrate VMs between data centers without changing IP addresses
- Extend a VLAN across multiple office locations
- Connect industrial equipment that requires L2 connectivity (some SCADA systems)
- Cluster applications that require L2 adjacency (heartbeat, multicast)
- Bridge legacy systems that don't support routing
L2 VPN vs L3 VPN
| Feature | L2 VPN | L3 VPN (IPsec/WireGuard) |
|---------|--------|--------------------------|
| Layer | Ethernet frames (L2) | IP packets (L3) |
| Address | MAC addresses preserved | Only IP routing |
| Broadcast | Broadcast/multicast forwarded | Typically blocked |
| Protocol | Any L2 protocol (ARP, etc.) | IP only |
| Complexity | Higher | Lower |
| Scalability | Limited (broadcast domain size) | Better |
| Use case | LAN extension, VM migration | General site connectivity |
L2 VPN Technologies
1. L2TP (Layer 2 Tunneling Protocol)
The simplest approach for small deployments:
```text
[Site A LAN] ──→ [L2TP Server] ══ Internet ══ [L2TP Server] ──→ [Site B LAN]
                        └──── Tunnel encapsulates Ethernet frames ────┘
```
Configuration example (Linux with L2TPv3):

```bash
# Site A (IP: 203.0.113.10)
# L2TPv3 over UDP with an Ethernet pseudowire; the tunnel itself carries frames unencrypted
sudo ip l2tp add tunnel tunnel_id 1 peer_tunnel_id 1 \
    encap udp local 203.0.113.10 remote 198.51.100.20 \
    udp_sport 5000 udp_dport 5000
sudo ip l2tp add session tunnel_id 1 session_id 1 \
    peer_session_id 1                 # creates the l2tpeth0 interface
sudo brctl addbr br0                  # bridge that joins the tunnel and the LAN
sudo ip link set l2tpeth0 up
sudo brctl addif br0 l2tpeth0
sudo brctl addif br0 eth1             # Local LAN interface
sudo ip link set br0 up

# Site B (IP: 198.51.100.20) — mirror configuration
sudo ip l2tp add tunnel tunnel_id 1 peer_tunnel_id 1 \
    encap udp local 198.51.100.20 remote 203.0.113.10 \
    udp_sport 5000 udp_dport 5000
sudo ip l2tp add session tunnel_id 1 session_id 1 \
    peer_session_id 1
sudo brctl addbr br0
sudo ip link set l2tpeth0 up
sudo brctl addif br0 l2tpeth0
sudo brctl addif br0 eth1             # Local LAN interface
sudo ip link set br0 up
```

2. VXLAN (Virtual Extensible LAN)
VXLAN encapsulates L2 frames in UDP packets, allowing L2 extension over any IP network:

```text
[Site A]                                            [Site B]
   │                                                   │
[VTEP] ──────── VXLAN Tunnel (UDP 4789) ──────── [VTEP]
   │            Outer: IP/UDP                          │
[LAN]           Inner: Original Ethernet frame       [LAN]
```
Configuration (Linux):

```bash
# Site A (VTEP 203.0.113.10). Site B mirrors this with local/remote swapped.
# id 100 is the VNI shared by both VTEPs; 4789 is the IANA-assigned VXLAN port.
sudo ip link add vxlan100 type vxlan \
    id 100 \
    remote 198.51.100.20 \
    local 203.0.113.10 \
    dstport 4789
sudo ip link set vxlan100 up
sudo brctl addbr br-vxlan
sudo brctl addif br-vxlan vxlan100
sudo brctl addif br-vxlan eth1        # Local LAN interface
sudo ip link set br-vxlan up
```

3. WireGuard + Bridge (Simple L2 over L3)
Using WireGuard with GRE tap for a lightweight L2 VPN:

```bash
# 1. Create the WireGuard tunnel (L3) first: wg0 with 10.0.0.1 at Site A and
#    10.0.0.2 at Site B. The gretap endpoints below are those tunnel IPs, so the
#    Ethernet-over-GRE traffic is carried inside WireGuard.
# 2. Then add a GRE tap over the WireGuard tunnel.
# Site A
sudo ip link add gretap1 type gretap \
    local 10.0.0.1 remote 10.0.0.2    # WireGuard tunnel IPs
sudo brctl addbr br0                  # skip if br0 already exists
sudo brctl addif br0 gretap1
sudo brctl addif br0 eth1             # Local LAN interface
sudo ip link set gretap1 up
sudo ip link set br0 up
```

4. VPLS (Virtual Private LAN Service)
Provider-managed L2 VPN service using MPLS:

```text
[Site A] ──→ [PE Router] ══ MPLS Cloud ══ [PE Router] ──→ [Site B]
[Site C] ──→ [PE Router] ════════════════ [PE Router] ──→ [Site D]
                       Full mesh pseudowires
```
VPLS creates a multipoint L2 VPN — all sites can communicate at L2 as if on the same switch. This is typically a service purchased from a telecom provider.
5. EVPN-VXLAN (Modern Standard)
The current best practice for large-scale L2 extension:
- Uses BGP for control plane (MAC address learning)
- VXLAN for data plane (L2 frame encapsulation)
- Supports multihoming and active-active redundancy
- Efficient — no unnecessary flooding
Security Considerations
L2 VPNs carry raw Ethernet frames, so security is critical:
Encryption
- L2TP: Must pair with IPsec for encryption (L2TP alone is unencrypted)
- VXLAN: Unencrypted by default — use MACsec or IPsec underlay
- WireGuard + GRE: WireGuard provides strong encryption
- Provider VPLS/EVPN: Encrypted if using MACsec or provider guarantees
Access Control
- Limit which VLANs are extended across the tunnel
- Use MAC address filtering where possible
- Monitor for unexpected MAC addresses (rogue devices)
- Implement storm control to prevent broadcast storms crossing the WAN
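One way to act on the "monitor for unexpected MAC addresses" item, as an added example that is not part of the original guide: a shell helper that compares the bridge's learned forwarding table (the output of `bridge fdb show br br0`) against an allowlist and reports any station that appeared on a port without being expected. The allowlist and the sample FDB lines are constructed for the example; the bridge and port names assume the L2TPv3 setup shown earlier.

```shell
#!/bin/sh
# Constructed allowlist of MAC addresses expected on the extended VLAN, one per
# line (in practice, generate it from your asset inventory). Made-up values.
ALLOWED_MACS='
00:11:22:33:44:55
00:11:22:33:44:66
'

# Constructed sample of "bridge fdb show br br0" output, used for offline runs.
SAMPLE_FDB='00:11:22:33:44:55 dev eth1 master br0
00:11:22:33:44:66 dev l2tpeth0 master br0
de:ad:be:ef:00:01 dev l2tpeth0 master br0
33:33:00:00:00:01 dev eth1 self permanent
02:42:ac:11:00:02 dev eth1 master br0 permanent'

# unknown_macs FDB_TEXT [ALLOWLIST]
# Prints "<mac> <port>" for every dynamically learned MAC in the bridge FDB that
# is not on the allowlist. Static entries (permanent/static) and the devices'
# own entries (self) are skipped: they describe the bridge ports, not stations.
unknown_macs() {
    allow_flat=$(printf '%s\n' "${2:-$ALLOWED_MACS}" | tr '\n' ' ')
    printf '%s\n' "$1" | awk -v allow="$allow_flat" '
        BEGIN {
            n = split(allow, a, " ")
            for (i = 1; i <= n; i++) if (a[i] != "") ok[tolower(a[i])] = 1
        }
        length($1) == 17 && $2 == "dev" && $0 !~ /permanent|static|self/ {
            mac = tolower($1)
            if (!(mac in ok) && !(mac in seen)) { seen[mac] = 1; print mac, $3 }
        }'
}

# check_bridge [BRIDGE]: run against the live FDB (default br0); returns 1 and
# logs to stderr when a MAC outside the allowlist has been learned.
check_bridge() {
    br="${1:-br0}"
    found=$(unknown_macs "$(bridge fdb show br "$br")")
    [ -z "$found" ] && return 0
    printf '%s\n' "$found" | while read -r mac port; do
        printf 'unexpected MAC %s learned on %s port %s\n' "$mac" "$br" "$port" >&2
    done
    return 1
}
```

Run `check_bridge br0` from cron or a monitoring agent; a hit on the tunnel port (l2tpeth0, vxlan100, gretap1) means the unknown station is at the remote site.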
Broadcast Storm Prevention
Since L2 VPNs extend the broadcast domain, a broadcast storm at one site will affect all sites:
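An added example, not part of the original guide: a shell helper that generates an nftables ruleset in the bridge family which rate-limits only broadcast frames crossing the tunnel port, so unicast traffic is never throttled by the storm guard. The interface name, rate and burst are assumptions passed as arguments; the defaults of 200 frames/s and a burst of 50 are starting points, not recommendations from the guide.

```shell
#!/bin/sh
# storm_ruleset TUNNEL_IF [RATE_PPS] [BURST]
# Prints an nftables ruleset (bridge family) that drops broadcast frames
# crossing the tunnel port faster than RATE_PPS per second, in either direction.
storm_ruleset() {
    tun="$1"; rate="${2:-200}"; burst="${3:-50}"
    # Reject names or numbers that could break the generated ruleset
    case "$tun" in
        ''|*[!A-Za-z0-9._-]*) echo "storm_ruleset: bad interface name" >&2; return 1 ;;
    esac
    case "$rate$burst" in
        *[!0-9]*) echo "storm_ruleset: rate and burst must be integers" >&2; return 1 ;;
    esac
    cat <<EOF
table bridge l2vpn_storm {
    chain forward {
        type filter hook forward priority 0; policy accept;
        # broadcast leaving the site through the tunnel port
        oifname "$tun" ether daddr ff:ff:ff:ff:ff:ff limit rate over $rate/second burst $burst packets counter drop
        # broadcast arriving from the remote site
        iifname "$tun" ether daddr ff:ff:ff:ff:ff:ff limit rate over $rate/second burst $burst packets counter drop
    }
}
EOF
}

# apply_storm_ruleset TUNNEL_IF [RATE_PPS] [BURST]: replace any previous copy of
# the table and load the new one with nft (needs root).
apply_storm_ruleset() {
    storm_ruleset "$@" > /tmp/l2vpn_storm.nft || return 1
    nft list table bridge l2vpn_storm >/dev/null 2>&1 && nft delete table bridge l2vpn_storm
    nft -f /tmp/l2vpn_storm.nft
}
```

`nft list table bridge l2vpn_storm` afterwards shows the counters, so a climbing drop count on one port is itself a storm indicator.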
```bash
# Shape the bridge with a token bucket filter. Note this caps all egress on br0
# at 10 Mbit/s, unicast included; it is a coarse guard rather than
# broadcast-specific storm control.
sudo tc qdisc add dev br0 root tbf rate 10mbit burst 10kb latency 50ms
```

Performance Optimization
MTU Configuration
L2 VPN encapsulation adds overhead. Adjust MTU to avoid fragmentation:
| Technology | Overhead | Recommended MTU |
|-----------|----------|-----------------|
| L2TPv3/UDP | ~36 bytes | 1464 |
| VXLAN | ~50 bytes | 1450 |
| GRE tap | ~42 bytes | 1458 |
| WireGuard + GRE | ~102 bytes | 1398 |
```bash
# Set MTU on bridge interface (pick the value for your technology from the table above; 1450 suits VXLAN)
sudo ip link set br0 mtu 1450
```

Bandwidth Planning
Account for encapsulation overhead when planning bandwidth:
- 50-byte VXLAN header on every frame
- For 1500-byte frames: ~3.3% overhead
- For small frames (64-byte): up to 78% overhead
Practical Use Case: Extending Railway NMS Across Sites
```text
[Central NMS Server] ── L2 VPN ── [Remote Station A - SNMP Devices]
         │                                  [Same VLAN 100]
         │
         └──────── L2 VPN ── [Remote Station B - SNMP Devices]
                                            [Same VLAN 100]
```
Benefits:
- SNMP devices appear on the same subnet as the NMS
- No need for SNMP routing or NAT traversal
- Broadcast-based device discovery works across sites
Conclusion
Layer 2 VPNs are essential when you need to extend Ethernet connectivity across geographic boundaries. Choose the right technology based on your scale — L2TP or WireGuard+GRE for small setups, VXLAN for medium deployments, and EVPN-VXLAN or provider VPLS for enterprise scale. Always encrypt the transport and implement storm control to maintain network stability.
Related reading: Achieving 1 Gbps Data Transfer Using VLAN and Network Monitoring Best Practices.