carl_townshend Sun, 09/20/2009 - 11:12

hi there


what do you mean used to transport l2 traffic? Is it not a layer 2 protocol itself?


please explain the benefits and uses if poss?

Giuseppe Larosa Sun, 09/20/2009 - 14:33

Hello Carl,

>> what do you mean used to transport l2 traffic? Is it not a layer 2 protocol itself?


L2TP = Layer 2 tunneling protocol is not a L2 protocol but a way to carry L2 frames over an IP tunnel to provide a point to point L2 transport service over an IP cloud.


L2TPv2 focuses on PPP sessions and it had been introduced to allow remote access via dialup to an enterprise without requiring the enterprise to have its own dialup NAS servers.


During PPP authentication a user can specify a realm like

[email protected]


the device receiving the PPP auth request can send to acme endpoint over the L2TP tunnel.

The end result is that the PPP session can be extended to acme network.


This idea has been extended and applied for DSL wholesale services.


L2TPv3 supports carrying almost any L2 technology, see the link below, and it is a major change from L2TPv2.


http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gtl2tpv3.html


L2TPv3 can be used to extend one vlan over an IP WAN.



Hope to help

Giuseppe


carl_townshend Mon, 09/21/2009 - 00:46

hello there


so are you saying it can carry layer 2 frames? does this mean I can extend a broadcast domain and have the same ip subnet over the tunnel? what do people use L2TP for generally?



Giuseppe Larosa Mon, 09/21/2009 - 02:35

Hello Carl,

yes you can do that with a config like that attached by Nelson.


Nelson has also added encryption to protect the L2TPv3 traffic.


the possible usage of L2TPv2 and L2TPv3 are described in previous posts.


Hope to help

Giuseppe


Nelson Serrao Mon, 09/21/2009 - 01:43

I have a question on this topic. I am currently using l2tpv3 and it works like a charm. Below is a copy of my config that allows me to have 1 remote site connected:


crypto isakmp policy 1
 authentication pre-share
 group 2
crypto isakmp keepalive 10 5
!
crypto isakmp client configuration group "group_name"
 key "key"
 save-password
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
crypto map clientmap isakmp authorization list default
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
pseudowire-class "class_name"
 encapsulation l2tpv3
 ip local interface Loopback0
!
interface Loopback0
 description Tunnel Interface
 ip address 10.255.118.5 255.255.255.255
!
interface FastEthernet0/0
 description Connection to Local Switch
 no ip address
 duplex auto
 speed auto
 no cdp enable
 xconnect 10.255.118.10 1 pw-class "class_name"
!
interface FastEthernet0/1
 desc WAN Interface
 ip address x.x.x.x y.y.y.y
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip pim sparse-dense-mode
 duplex auto
 speed auto
 no mop enabled
 crypto map clientmap
!


I would like to know what config is needed to have multiple sites connected to this VPN router.

Giuseppe Larosa Mon, 09/21/2009 - 02:33

Hello Nelson,

the answer depends on what you want to do.


L2TPv3 provides a point-to-point L2 transport service.


so if your idea is to have a central site with multiple remote sites all with a L2 connection.


you need an L2TPv3 pseudowire for each remote site, but the local endpoint cannot be the same:

if you try to add an xconnect command you are overriding the current one.


you would need a different subinterface for each remote site but they would be in different vlans so you would need an external device to perform inter-vlan bridging.

But I don't recommend this because I'm afraid broadcast traffic can go up and down eating BW and cpu.


Hope to help

Giuseppe


Nelson Serrao Mon, 09/21/2009 - 02:40

Hi Giuseppe,

Thanks for the response. The intention is to have one central site and 2 remote sites. Both of the remote sites would have different vlans and only need to talk to the central site. Would this be possible using subinterfaces as you mentioned? Since I don't need the traffic to flow across the 2 remote sites, there wouldn't be a need for an external device to perform inter-vlan bridging. Is that correct? If yes, please could you provide a sample config. Thanks in advance.

Giuseppe Larosa Mon, 09/21/2009 - 08:36

Hello Carl,

yes but GRE is used to carry L3 packets of different suites: appletalk and IPX in the past, IPv6 nowadays.


Hope to help

Giuseppe


Giuseppe Larosa Mon, 09/21/2009 - 08:34

Hello Nelson,

it should be as easy as putting the xconnect command with a different destination under two vlan based subifs.


if all devices share the same isakmp key and because you are using dynamic crypto map on central site the IPSec should be fine.


Hope to help

Giuseppe


Nelson Serrao Mon, 09/21/2009 - 16:00

The problem here is that both sites use multiple vlans. The xconnect command under the subif would be ideal if both sites used one vlan each. For eg. if remote site 1 was using vlans 11,21,31 and remote site 2 was using vlans 12,22,32 then what config would be needed on the central site router to get this working?

Giuseppe Larosa Tue, 09/22/2009 - 01:52

Hello Nelson,


two options here:

a) one subif and one xconnect with the appropriate destination for each vlan at central site.


b) add an interface to the lan switch at central site on this interface you will pass only site2 vlans using

switchport trunk allowed vlan 12,22,32

(do the same for current port using

switchport trunk allowed vlan 11,21,31)


and then you add a single xconnect to the second main interface with destination = remote site2.


Be aware that this is not best practice because it is easy to fill the wan link just to carry broadcast traffic.

So use it only if really needed otherwise using routing is better for different reasons.


Hope to help

Giuseppe
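
An added central-site configuration for option (a) above, not taken from Nelson's or Giuseppe's posts: it reuses the Loopback0 address 10.255.118.5, the pseudowire class and the remote site 1 endpoint 10.255.118.10 from Nelson's config, while the remote site 2 endpoint 10.255.118.11, the VC ids and the subinterface numbers are assumed placeholders; the matching stanza for the remote side is shown for one VLAN.

```cisco
! Central site, option (a): one dot1Q subinterface and one xconnect per VLAN.
! Each pseudowire is point-to-point, so every (VLAN, remote site) pair gets its
! own VC id, and that VC id must match on the remote end of the pseudowire.
pseudowire-class "class_name"
 encapsulation l2tpv3
 ip local interface Loopback0
!
interface Loopback0
 ip address 10.255.118.5 255.255.255.255
!
interface FastEthernet0/0
 description Trunk from local switch; no IP, frames are bridged into pseudowires
 no ip address
 no cdp enable
!
! Remote site 1 VLANs 11,21,31 -> endpoint 10.255.118.10 (from Nelson's config)
interface FastEthernet0/0.11
 encapsulation dot1Q 11
 xconnect 10.255.118.10 11 pw-class "class_name"
interface FastEthernet0/0.21
 encapsulation dot1Q 21
 xconnect 10.255.118.10 21 pw-class "class_name"
interface FastEthernet0/0.31
 encapsulation dot1Q 31
 xconnect 10.255.118.10 31 pw-class "class_name"
!
! Remote site 2 VLANs 12,22,32 -> endpoint 10.255.118.11 (assumed placeholder)
interface FastEthernet0/0.12
 encapsulation dot1Q 12
 xconnect 10.255.118.11 12 pw-class "class_name"
interface FastEthernet0/0.22
 encapsulation dot1Q 22
 xconnect 10.255.118.11 22 pw-class "class_name"
interface FastEthernet0/0.32
 encapsulation dot1Q 32
 xconnect 10.255.118.11 32 pw-class "class_name"
!
! Matching stanza on remote site 1 for VLAN 11: same VC id, peer = central loopback
interface FastEthernet0/0.11
 encapsulation dot1Q 11
 xconnect 10.255.118.5 11 pw-class "class_name"
!
! Verification: "show xconnect all" lists every pseudowire and whether it is UP.
```

The pseudowires are sourced from Loopback0, so if the IPsec crypto map on the WAN interface in Nelson's config is meant to protect them, its match must cover the loopback-to-loopback L2TPv3 traffic; otherwise the bridged frames cross the WAN in cleartext.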



carl_townshend Wed, 11/11/2009 - 12:38

Hi there


so what kind of things can we put through these tunnels?? why do most people use them? why would i need to tunnel at layer 2??


also how simple is the config to do between 2 sites? and do we have to use an acl etc to push certain traffic through the tunnel ?

Laurent Aubert Wed, 11/11/2009 - 19:32

Hi,


L2TPv2 allows you to transport PPP session over an IP backbone via an L2TP tunnel.


One common scenario is when a ISP wants to provide Internet access to users where it doesn't control the dial network (PSTN/DSL or ISDN). In this case it will negotiate with a local wholesale Dial SP so it will forward the PPP session of the user who bought the service from the ISP via L2TP. L2TP is mandatory as between the wholesale SP and the ISP, there is only an IP backbone.


It's also useful when you want to use DSL access to connect commercial customers site to their VPN.


L2TPv3 can encapsulate any Layer 2 protocols like Ethernet for example. Common application of L2TPV3 is to provide L2VPN services when you are not using MPLS in your core.


HTH


Laurent.

carl_townshend Thu, 11/12/2009 - 01:33

hi


i still need to see the benefits for this, does it hide every hop between 2 endpoints?

and why would we need to encapsulate ethernet frames, would this be so we can extend vlans over the tunnel, and bridge my lan etc?


also how do you say send a certain subnet over the tunnel? or would it need to be all traffic ?


cheers


Carl

Nelson Serrao Thu, 11/12/2009 - 04:28

Hello Carl,

I found quite a few benefits of using L2TP v3 on our network one of which you already mentioned. The list goes like this:

1) Minimal configuration when comparing to GRE where you need several tunnel interfaces (one for each VLAN).

2) After configuration the 2 sites are bridged together. So DHCP broadcasts and CDP info is exchanged between the local and remote site as if there was no WAN in between.


Sending a subnet over the tunnel can be done using VLANs. Whatever you allow on the trunk is what will pass through the tunnel.


Hope this helps.


Nelson
