Cloud Connectivity

This topic is to discuss the following lesson:

Can you explain the below with examples
“You can use 802.1Q VLAN tags for multiple virtual interfaces. This allows you to use one VLAN to access public services like S3 with public IP addresses, and another VLAN for private resources like EC2 instances with private IP addresses.”


Cloud vendors use the terms L2 connectivity and L3 connectivity.
What is actually meant by this?
What does it mean when a cloud provider says they support only L2 connectivity?

Hello Sims,

This is from the AWS Direct Connect documentation:

AWS Direct Connect lets you establish a dedicated network connection between your network and one of the AWS Direct Connect locations. Using industry standard 802.1Q virtual LANS (VLANs), this dedicated connection can be partitioned into multiple virtual interfaces. This allows you to use the same connection to access public resources, such as objects stored in Amazon S3 using public IP address space, and private resources such as EC2 instances running within a VPC using private IP address space, while maintaining network separation between the public and private environments. Virtual interfaces can be reconfigured at any time to meet your changing needs.

AWS uses Virtual Private Cloud (VPC). In a nutshell, this is a virtual network where you configure routing, subnets, etc.

You can create a single VPC where you run all your EC2 instances (virtual machines) and RDS instances (databases) etc, or you can create multiple VPCs and isolate your network resources.

AWS Direct Connect is a L2 trunk which uses 802.1Q so it supports VLANs.

For each VPC, you can use a different VLAN on your L2 trunk. This way, your VPCs remain isolated even when they are connected to your site over the L2 trunk.

A L2 connection usually means it’s an Ethernet based connection so you can use 802.1Q and VLANs. With L3, it’s a routed connection…no 802.1Q and VLANs.

Does this help?



I understand “A L2 connection usually means it’s an Ethernet based connection so you can use 802.1Q and VLANs. With L3, it’s a routed connection…no 802.1Q and VLANs.”

My question is: what if they offer only L2 connectivity to a customer?

What are the pros and cons if they provide only L2 connectivity, and what are the pros and cons if they also provide L3 connectivity?


To clear up a possible misunderstanding… 802.1q and VLANs can be used with L3 routed connections (see below). The way to understand this is when a frame arrives on a subinterface, the physical interface receives the frame and reads the 802.1q tag to determine which subinterface to direct the frame to for processing. Return traffic gets encapsulated in an L2 frame with an 802.1q tag (in the example below the tag = 100). If the frame doesn’t have a tag, then it’s processed by the main physical interface.

! physical port: no address of its own, it only carries the (tagged and untagged) frames
interface gi 0/0/0
 no ip address
! routed subinterface that receives every frame tagged with VLAN 100
interface gi 0/0/0.100
 encapsulation dot1q 100
 ip address

A layer 2 connection, like a VPLS (ENS for Comcast or ACE for AT&T) is basically the ISP offering you a virtual switch to plug into between your sites (or the cloud) meaning all devices that have circuits terminating on that virtual switch (the VPLS) can talk to each other over layer 2. For instance, your devices may see each other through CDP. Some ISPs charge extra to pass CDP, but the principle is the same.

Of course a circuit doesn’t need to be a VPLS to offer L2 connectivity, that’s just one example. A circuit could be a point-to-point and also offer L2 reachability. That said, you’re not going to get traffic beyond a L3 hop (like a router) without an IP address.

A L3 circuit usually means you’re peering at L3 with the ISP. Your router connects usually via a dynamic routing protocol (BGP, EIGRP, etc…) to the ISP router. They take whatever advertised routes/prefixes you advertise and pass it to the other end of the circuit, where there’s another ISP router that peers with your far end router, again over L3 and passes the traffic.

The advantage of an L2 circuit is that you don’t need to interact with the ISP to connect your A-side and Z-side devices. The ISP turns up the circuit, you accept it, then you configure each end and you’re done. The other advantage is that you don’t consume additional IP space peering with an ISP, though ISPs can offer public IPs to peer with even though the connection remains private.
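The tag-based demultiplexing described in this post (and the one-VLAN-per-VPC separation from the earlier reply) as an added, runnable example; this is not code from the original thread or from any vendor. It builds Ethernet frames with and without an 802.1Q tag, parses the tag back out, and hands each frame to the interface a router would process it on. The interface names gi0/0/0, gi0/0/0.100 and gi0/0/0.200, and the mapping of VLAN 100 to a public VIF and VLAN 200 to a private VIF, are assumptions for the example. It goes slightly beyond the post by also covering the edge cases a parser has to handle: a priority-only tag (VID 0), which is treated as untagged, the reserved VID 4095, and a tag for which no subinterface exists, which is dropped rather than leaking onto the physical interface.

```python
"""802.1Q demultiplexing on a routed (L3) interface.

The physical port reads the tag and hands the frame to the matching dot1q
subinterface; untagged frames are processed by the main interface; a tag with
no subinterface is dropped. Constructed example, not from the original post.
"""
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_8021Q = 0x8100   # TPID announcing that a VLAN tag follows
ETHERTYPE_IPV4 = 0x0800
MAC_HDR_LEN = 14           # dst(6) + src(6) + ethertype(2)
TAG_LEN = 4                # TPID(2) + TCI(2)


@dataclass(frozen=True)
class Frame:
    dst: bytes
    src: bytes
    vlan: Optional[int]    # None when untagged or priority-tagged (VID 0)
    ethertype: int
    payload: bytes


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan: Optional[int] = None, pcp: int = 0) -> bytes:
    """Serialise an Ethernet frame, inserting one 802.1Q tag when vlan is given."""
    if not 0 <= pcp <= 7:
        raise ValueError("PCP is a 3-bit field")
    raw = dst + src
    if vlan is not None:
        if not 0 <= vlan <= 4095:
            raise ValueError("VID is a 12-bit field")
        tci = (pcp << 13) | vlan           # DEI bit (bit 12) left clear
        raw += struct.pack("!HH", ETHERTYPE_8021Q, tci)
    return raw + struct.pack("!H", ethertype) + payload


def parse_frame(raw: bytes) -> Frame:
    """Parse the MAC header and, if present, a single 802.1Q tag (no QinQ)."""
    if len(raw) < MAC_HDR_LEN:
        raise ValueError("runt frame")
    dst, src = raw[0:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    offset, vlan = MAC_HDR_LEN, None
    if ethertype == ETHERTYPE_8021Q:
        if len(raw) < MAC_HDR_LEN + TAG_LEN:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vid = tci & 0x0FFF
        if vid == 4095:
            raise ValueError("VID 4095 is reserved")
        vlan = vid or None                 # VID 0 carries priority only: untagged
        offset = MAC_HDR_LEN + TAG_LEN
    return Frame(dst, src, vlan, ethertype, raw[offset:])


# Hypothetical router: physical port gi0/0/0 with one dot1q subinterface per
# VLAN, e.g. VLAN 100 for the public VIF and VLAN 200 for the private VIF.
PHYSICAL = "gi0/0/0"
SUBINTERFACES = {100: "gi0/0/0.100", 200: "gi0/0/0.200"}


def demux(raw: bytes, subifs=SUBINTERFACES, physical=PHYSICAL) -> str:
    """Return the interface that processes the frame, or 'drop' when the frame
    is malformed or carries a tag with no matching subinterface."""
    try:
        frame = parse_frame(raw)
    except ValueError:
        return "drop"
    if frame.vlan is None:
        return physical
    return subifs.get(frame.vlan, "drop")


if __name__ == "__main__":
    # constructed sample frames
    dst, src = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    ip = b"\x45" + b"\x00" * 19
    samples = [
        ("untagged", build_frame(dst, src, ETHERTYPE_IPV4, ip)),
        ("vlan 100", build_frame(dst, src, ETHERTYPE_IPV4, ip, vlan=100)),
        ("vlan 200", build_frame(dst, src, ETHERTYPE_IPV4, ip, vlan=200, pcp=5)),
        ("vlan 300", build_frame(dst, src, ETHERTYPE_IPV4, ip, vlan=300)),
    ]
    for name, raw in samples:
        print(f"{name:9} -> {demux(raw)}")
```

The point of the "drop" branch is the separation the AWS text promises: a frame tagged for a VLAN you never configured must not fall through to the physical interface or to another VIF, so the unknown tag is discarded rather than defaulted.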


Thanks alias,
Recently I saw a cloud provider say they provide only L2 connectivity.
What can I not do if I subscribe to them?

Thanks again

You’re not limited by accepting an L2 connection. It’s just a different way of delivering end-to-end connectivity. In the end, circuits deliver connectivity between different locations, and both L2 and L3 circuits perform this. The question really is, how do you want to do this?

Personally I prefer L2 circuits because it allows me to control the L3 of the circuit termination points (your routers). If your ISP passes CDP, then you can even see your far end device.

The bigger question concerns whether your circuit is a point-to-point or virtual ethernet switch (VPLS).


“Personally I prefer L2 circuits because it allows me to control the L3 of the circuit termination points (your routers)”
You mean you will do a vpn for L3?

Hi Guys,

I saw that the ENARSI blueprint at the NetworkLessons course does not have the topic "Troubleshoot network problems using Cisco DNA Center assurance (connectivity, monitoring, device health, network health)", which is covered in the exam blueprint issued by Cisco.

I’m really working hard to take the exam this month, so I’d like to know when you will add the new topic to the course, or if you already have it, please send me the link. I’d appreciate that.


Hello Luis

You can find information about DNA in the following lesson:

I hope this has been helpful!


Hi Lazaros,

Ok, but it does not have the Assurance topic explaining how to troubleshoot. It explains Cloud Connectivity, but that is not part of Cisco’s ENARSI blueprint.
Could you please check it again?


Hi Luis,

I’ll take a look and update it so it matches the blueprint topic.