carl_townshend Sun, 09/20/2009 - 11:12

Hi there,

What do you mean by "used to transport L2 traffic"? Is it not a layer 2 protocol itself?

Please explain the benefits and uses if possible?

Giuseppe Larosa Sun, 09/20/2009 - 14:33

Hello Carl,

>> what do you mean used to transport l2 traffic? Is it not a layer 2 protocol itself?

L2TP (Layer 2 Tunneling Protocol) is not an L2 protocol but a way to carry L2 frames over an IP tunnel, providing a point-to-point L2 transport service over an IP cloud.

L2TPv2 focuses on PPP sessions; it was introduced to allow remote access via dialup to an enterprise without requiring the enterprise to have its own dialup NAS servers.

During PPP authentication a user can specify a realm like

[email protected]

The device receiving the PPP auth request can send it to the acme endpoint over the L2TP tunnel.

The end result is that the PPP session is extended to the acme network.

This idea has been extended and applied to DSL wholesale services.

L2TPv3 supports carrying almost any L2 technology and is a major change from L2TPv2.

L2TPv3 can be used to extend one VLAN over an IP WAN.

Hope to help


carl_townshend Mon, 09/21/2009 - 00:46

Hello there,

So are you saying it can carry layer 2 frames? Does this mean I can extend a broadcast domain and have the same IP subnet over the tunnel? What do people use L2TP for generally?

Giuseppe Larosa Mon, 09/21/2009 - 02:35

Hello Carl,

Yes, you can do that with a config like the one attached by Nelson.

Nelson has also added encryption to protect the L2TPv3 traffic.

The possible uses of L2TPv2 and L2TPv3 are described in the previous posts.

Hope to help


Nelson Serrao Mon, 09/21/2009 - 01:43

I have a question on this topic. I am currently using L2TPv3 and it works like a charm. Below is a copy of my config that allows me to have one remote site connected:

! IKE phase 1 policy and dead-peer detection
crypto isakmp policy 1
 authentication pre-share
 group 2
crypto isakmp keepalive 10 5
!
crypto isakmp client configuration group "group_name"
 key "key"
!
! IPsec phase 2 transform set (3DES/MD5 as posted)
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
crypto map clientmap isakmp authorization list default
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
! L2TPv3 pseudowire sourced from Loopback0
pseudowire-class "class_name"
 encapsulation l2tpv3
 ip local interface Loopback0
!
interface Loopback0
 description Tunnel Interface
 ip address
!
! LAN-facing interface: the whole port is cross-connected into the pseudowire
interface FastEthernet0/0
 description Connection to Local Switch
 no ip address
 duplex auto
 speed auto
 no cdp enable
 xconnect 1 pw-class "class_name"
!
! WAN-facing interface carrying the IPsec crypto map
interface FastEthernet0/1
 description WAN Interface
 ip address x.x.x.x y.y.y.y
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip pim sparse-dense-mode
 duplex auto
 speed auto
 no mop enabled
 crypto map clientmap


I would like to know what config is needed to have multiple sites connected to this VPN router.

Giuseppe Larosa Mon, 09/21/2009 - 02:33

Hello Nelson,

The answer depends on what you want to do.

L2TPv3 provides a point-to-point L2 transport service.

So if your idea is to have a central site with multiple remote sites, all with an L2 connection, you need an L2TPv3 pseudowire for each remote site, but the local endpoint cannot be the same: if you add another xconnect command, you override the current one.

You would need a different subinterface for each remote site, but they would be in different VLANs, so you would need an external device to perform inter-VLAN bridging.

But I don't recommend this, because I'm afraid broadcast traffic can go up and down, eating bandwidth and CPU.

Hope to help


Nelson Serrao Mon, 09/21/2009 - 02:40

Hi Giuseppe,

Thanks for the response. The intention is to have one central site and 2 remote sites. Both of the remote sites would have different VLANs and only need to talk to the central site. Would this be possible using subinterfaces as you mentioned? Since I don't need the traffic to flow across the 2 remote sites, there wouldn't be a need for an external device to perform inter-VLAN bridging. Is that correct? If yes, please could you provide a sample config. Thanks in advance.

Giuseppe Larosa Mon, 09/21/2009 - 08:36

Hello Carl,

Yes, but GRE is used to carry L3 packets of different suites: AppleTalk and IPX in the past, IPv6 nowadays.

Hope to help


Giuseppe Larosa Mon, 09/21/2009 - 08:34

Hello Nelson,

It should be as easy as putting the xconnect command, with a different destination, under two VLAN-based subinterfaces.

If all devices share the same ISAKMP key, and since you are using a dynamic crypto map on the central site, the IPsec part should be fine.

Hope to help


Nelson Serrao Mon, 09/21/2009 - 16:00

The problem here is that both sites use multiple VLANs. The xconnect command under the subinterface would be ideal if both sites used one VLAN each. For example, if remote site 1 was using VLANs 11, 21, 31 and remote site 2 was using VLANs 12, 22, 32, then what config would be needed on the central site router to get this working?

Giuseppe Larosa Tue, 09/22/2009 - 01:52

Hello Nelson,

Two options here:

a) One subinterface and one xconnect, with the appropriate destination, for each VLAN at the central site.

b) Add an interface to the LAN switch at the central site; on this interface you pass only the site 2 VLANs using

switchport trunk allowed vlan 12,22,32

(do the same for the current port using

switchport trunk allowed vlan 11,21,31)

and then you add a single xconnect to the second main interface with destination = remote site 2.

Be aware that this is not best practice, because it is easy to fill the WAN link just carrying broadcast traffic.

So use it only if really needed; otherwise routing is better for different reasons.

Hope to help

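Option a) above, worked out for Nelson's VLAN layout as an added sample configuration (not Giuseppe's or Nelson's own config). The pseudowire-class name and the addresses are constructed for illustration: central Loopback0 192.0.2.1, remote site 1 loopback 192.0.2.11, remote site 2 loopback 192.0.2.12; it assumes those loopback addresses are reachable across the WAN, for instance through the IPsec setup already on the WAN interface.

```cisco
! Central-site router: option a) - one subinterface and one pseudowire per VLAN.
! Constructed addressing for illustration only:
!   Loopback0 192.0.2.1 (central), 192.0.2.11 (remote site 1), 192.0.2.12 (remote site 2)
pseudowire-class L2TPV3-PW
 encapsulation l2tpv3
 ip local interface Loopback0
!
interface Loopback0
 description L2TPv3 endpoint; must be reachable from every remote site
 ip address 192.0.2.1 255.255.255.255
!
interface FastEthernet0/0
 description 802.1Q trunk to the central-site switch
 no ip address
!
! Remote site 1 VLANs (11,21,31): every pseudowire points at 192.0.2.11.
! The VC ID (here equal to the VLAN ID) must be unique per peer and identical at both ends.
interface FastEthernet0/0.11
 encapsulation dot1Q 11
 xconnect 192.0.2.11 11 pw-class L2TPV3-PW
interface FastEthernet0/0.21
 encapsulation dot1Q 21
 xconnect 192.0.2.11 21 pw-class L2TPV3-PW
interface FastEthernet0/0.31
 encapsulation dot1Q 31
 xconnect 192.0.2.11 31 pw-class L2TPV3-PW
!
! Remote site 2 VLANs (12,22,32): same pattern, destination 192.0.2.12.
interface FastEthernet0/0.12
 encapsulation dot1Q 12
 xconnect 192.0.2.12 12 pw-class L2TPV3-PW
interface FastEthernet0/0.22
 encapsulation dot1Q 22
 xconnect 192.0.2.12 22 pw-class L2TPV3-PW
interface FastEthernet0/0.32
 encapsulation dot1Q 32
 xconnect 192.0.2.12 32 pw-class L2TPV3-PW
!
! Remote site 1 router, mirror for VLAN 11 (VLANs 21 and 31 follow the same pattern,
! and the same pseudowire-class is defined there sourced from its own Loopback0).
! Each pseudowire extends that VLAN's broadcast domain across the WAN, so only
! VLANs that genuinely need to be bridged should get a subinterface and xconnect.
interface FastEthernet0/0.11
 encapsulation dot1Q 11
 xconnect 192.0.2.1 11 pw-class L2TPV3-PW
```

Verify the pseudowires with show xconnect all and show l2tun session all on each router.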

carl_townshend Wed, 11/11/2009 - 12:38

Hi there,

So what kind of things can we put through these tunnels? Why do most people use them? Why would I need to tunnel at layer 2?

Also, how simple is the config to do between 2 sites? And do we have to use an ACL etc. to push certain traffic through the tunnel?

Laurent Aubert Wed, 11/11/2009 - 19:32

L2TPv2 allows you to transport a PPP session over an IP backbone via an L2TP tunnel.

One common scenario is when an ISP wants to provide Internet access to users where it doesn't control the dial network (PSTN, DSL or ISDN). In this case it negotiates with a local wholesale dial SP, which forwards the PPP sessions of the users who bought the service from the ISP via L2TP. L2TP is mandatory here, as between the wholesale SP and the ISP there is only an IP backbone.

It's also useful when you want to use DSL access to connect commercial customers' sites to their VPN.

L2TPv3 can encapsulate any Layer 2 protocol, Ethernet for example. A common application of L2TPv3 is to provide L2VPN services when you are not using MPLS in your core.



carl_townshend Thu, 11/12/2009 - 01:33

I still need to see the benefits of this. Does it hide every hop between 2 endpoints?

And why would we need to encapsulate Ethernet frames? Would this be so we can extend VLANs over the tunnel, bridge my LAN, etc.?

Also, how do you send, say, a certain subnet over the tunnel? Or would it need to be all traffic?



Nelson Serrao Thu, 11/12/2009 - 04:28

Hello Carl,

I found quite a few benefits of using L2TPv3 on our network, one of which you already mentioned. The list goes like this:

1) Minimal configuration compared to GRE, where you need several tunnel interfaces (one for each VLAN).

2) After configuration the 2 sites are bridged together, so DHCP broadcasts and CDP info are exchanged between the local and remote site as if there were no WAN in between.

Sending a subnet over the tunnel can be done using VLANs. Whatever you allow on the trunk is what will pass through the tunnel.

Hope this helps.
