5288 Views | 5 Helpful | 18 Replies

L2TP explanation

carl_townshend
Spotlight

Hi all

Can anyone tell me about L2TP, why people use it, and does it encapsulate the IP header or does it need PPP to do this?

18 Replies

Laurent Aubert
Cisco Employee

Hi,

L2TP is used to transport L2 protocol over IP:

L2TPv2 transports PPP and is used, for example, by an SP which doesn't own the DSL access network:

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800a43e9.shtml

L2TPv3 allows you to transport any L2 protocols and can be used to provide VPN services without MPLS.

HTH

Laurent.

hi there

What do you mean by "used to transport L2 traffic"? Is it not a layer 2 protocol itself?

Please explain the benefits and uses if possible?

Hello Carl,

>> what do you mean used to transport l2 traffic? Is it not a layer 2 protocol itself?

L2TP (Layer 2 Tunneling Protocol) is not an L2 protocol but a way to carry L2 frames over an IP tunnel, to provide a point-to-point L2 transport service over an IP cloud.

L2TPv2 focuses on PPP sessions; it was introduced to allow remote access via dialup to an enterprise without requiring the enterprise to have its own dialup NAS servers.

During PPP authentication a user can specify a realm, like

johndoe@acme.com

The device receiving the PPP auth request can send it to the acme endpoint over the L2TP tunnel.

The end result is that the PPP session can be extended to the acme network.

This idea has been extended and applied for DSL wholesale services.

L2TPv3 supports carrying almost any L2 technology (see the link below) and it is a major change from L2TPv2.

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gtl2tpv3.html

L2TPv3 can be used to extend one VLAN over an IP WAN.

Hope to help

Giuseppe
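To make the encapsulation question from the opening post concrete, here is an added example (not code from the thread or from Cisco): it builds an L2TPv3 data packet carried directly over IPv4 (IP protocol 115, RFC 3931), which is what "encapsulation l2tpv3" with "ip local interface" produces, and decapsulates it on the receiving end. The customer's Ethernet frame, inner IP header included, is carried unchanged behind an outer IP header that names only the two tunnel endpoints; the session cookie is the only thing the receiver can check on the data plane, and nothing is encrypted, which is why an IPsec crypto map is wrapped around it later in the thread. All addresses, MACs, session IDs and cookies are constructed sample values; the optional L2-specific sublayer is omitted.

```python
import hmac
import ipaddress
import struct

# Added example, not from the thread: build and parse an L2TPv3 data packet
# carried directly over IPv4 (IP protocol 115, RFC 3931). All addresses,
# MACs, session IDs and cookies below are constructed sample values.

L2TPV3_IP_PROTO = 115
ETHERTYPE_IPV4 = 0x0800


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the 16-bit words of an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def build_ethernet_frame(dst_mac: str, src_mac: str, ethertype: int, body: bytes) -> bytes:
    """Untagged Ethernet II frame; this is the unit L2TPv3 carries unchanged."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ethertype) + body


def build_l2tpv3_data(session_id: int, cookie: bytes, l2_frame: bytes) -> bytes:
    """L2TPv3-over-IP data message: Session ID, optional Cookie, raw L2 frame
    (the optional L2-specific sublayer is omitted in this example)."""
    if session_id == 0:
        raise ValueError("session ID 0 is reserved for control messages")
    if len(cookie) not in (0, 4, 8):
        raise ValueError("cookie must be 0, 4 or 8 bytes")
    return struct.pack("!I", session_id) + cookie + l2_frame


def decapsulate(packet: bytes, sessions: dict) -> tuple:
    """Receiving endpoint. `sessions` maps a local Session ID to the cookie agreed
    at session setup. Returns (session_id, l2_frame); rejects anything that is not
    a well-formed data packet for a known session carrying the right cookie."""
    if len(packet) < 20 or (packet[0] >> 4) != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if packet[9] != L2TPV3_IP_PROTO:
        raise ValueError("outer IP protocol is not L2TPv3 (115)")
    body = packet[ihl:]
    if len(body) < 4:
        raise ValueError("truncated L2TPv3 header")
    session_id = struct.unpack("!I", body[:4])[0]
    if session_id == 0:
        raise ValueError("control message, not a data packet")
    cookie = sessions.get(session_id)
    if cookie is None:
        raise ValueError("unknown session")
    # Constant-time compare: the cookie is the only data-plane check against
    # blindly injected frames, so it should be 8 bytes and unpredictable.
    if not hmac.compare_digest(body[4:4 + len(cookie)], cookie):
        raise ValueError("cookie mismatch")
    return session_id, body[4 + len(cookie):]


def is_accepted(packet: bytes, sessions: dict) -> bool:
    try:
        decapsulate(packet, sessions)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Tunnel one constructed frame between the loopback addresses used in the thread."""
    # Inner packet: the customer's own IP header travels intact inside the frame.
    inner_ip = build_ipv4_header("192.0.2.10", "192.0.2.20", 1, 8) + b"\x08\x00" + b"\x00" * 6
    frame = build_ethernet_frame("00:00:5e:00:53:01", "00:00:5e:00:53:02", ETHERTYPE_IPV4, inner_ip)
    session_id, cookie = 0xBEEF, bytes.fromhex("0123456789abcdef")
    l2tp = build_l2tpv3_data(session_id, cookie, frame)
    # Outer header names only the tunnel endpoints; the frame is still plaintext here.
    outer = build_ipv4_header("10.255.118.5", "10.255.118.10", L2TPV3_IP_PROTO, len(l2tp)) + l2tp
    sid, recovered = decapsulate(outer, {session_id: cookie})
    return {"outer": outer, "frame": frame, "recovered": recovered, "session_id": sid, "cookie": cookie}


if __name__ == "__main__":
    r = demo()
    print("outer protocol:", r["outer"][9], "frame recovered intact:", r["recovered"] == r["frame"])
```

Running it shows the outer header carrying protocol 115 and the inner frame (with its own IP header) coming out byte-for-byte identical; flipping one cookie byte, or presenting the packet to a receiver that knows a different session, makes decapsulation fail.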

hello there

So are you saying it can carry layer 2 frames? Does this mean I can extend a broadcast domain and have the same IP subnet over the tunnel? What do people use L2TP for generally?

Hello Carl,

Yes, you can do that with a config like the one attached by Nelson.

Nelson has also added encryption to protect the L2TPv3 traffic.

The possible uses of L2TPv2 and L2TPv3 are described in previous posts.

Hope to help

Giuseppe

I have a question on this topic. I am currently using L2TPv3 and it works like a charm. Below is a copy of my config that allows me to have one remote site connected:

! IKE phase 1 and the dynamic crypto map that encrypts the L2TPv3 traffic
crypto isakmp policy 1
 authentication pre-share
 group 2
crypto isakmp keepalive 10 5
!
crypto isakmp client configuration group "group_name"
 key "key"
 save-password
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
crypto map clientmap isakmp authorization list default
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
! L2TPv3 pseudowire class; the tunnel is sourced from Loopback0
pseudowire-class "class_name"
 encapsulation l2tpv3
 ip local interface Loopback0
!
interface Loopback0
 description Tunnel Interface
 ip address 10.255.118.5 255.255.255.255
!
! Attachment circuit: the whole port is cross-connected to the remote peer (VC ID 1)
interface FastEthernet0/0
 description Connection to Local Switch
 no ip address
 duplex auto
 speed auto
 no cdp enable
 xconnect 10.255.118.10 1 pw-class "class_name"
!
! WAN side; the crypto map protects the tunnel packets leaving this interface
interface FastEthernet0/1
 description WAN Interface
 ip address x.x.x.x y.y.y.y
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip pim sparse-dense-mode
 duplex auto
 speed auto
 no mop enabled
 crypto map clientmap
!

I would like to know what config is needed to have multiple sites connected to this VPN router.

Hello Nelson,

The answer depends on what you want to do.

L2TPv3 provides a point-to-point L2 transport service.

So if your idea is to have a central site with multiple remote sites, all with an L2 connection, you need an L2TPv3 pseudowire for each remote site, but the local endpoint cannot be the same: if you try to add another xconnect command you are overriding the current one.

You would need a different subinterface for each remote site, but they would be in different VLANs, so you would need an external device to perform inter-VLAN bridging.

But I don't recommend this because I'm afraid broadcast traffic can go up and down, eating BW and CPU.

Hope to help

Giuseppe

Hi Giuseppe,

Thanks for the response. The intention is to have one central site and 2 remote sites. Both of the remote sites would have different VLANs and only need to talk to the central site. Would this be possible using subinterfaces as you mentioned? Since I don't need the traffic to flow across the 2 remote sites, there wouldn't be a need for an external device to perform inter-VLAN bridging. Is that correct? If yes, please could you provide a sample config. Thanks in advance.

So does this do a similar thing to, say, a GRE tunnel?

Hello Carl,

Yes, but GRE is used to carry L3 packets of different suites: AppleTalk and IPX in the past, IPv6 nowadays.

Hope to help

Giuseppe

Hello Nelson,

It should be as easy as putting the xconnect command, with a different destination, under two VLAN-based subinterfaces.

If all devices share the same ISAKMP key, and because you are using a dynamic crypto map on the central site, the IPsec should be fine.

Hope to help

Giuseppe

The problem here is that both sites use multiple VLANs. The xconnect command under the subinterface would be ideal if both sites used one VLAN each. For example, if remote site 1 was using VLANs 11,21,31 and remote site 2 was using VLANs 12,22,32, then what config would be needed on the central site router to get this working?

Hello Nelson,

Two options here:

a) one subinterface and one xconnect with the appropriate destination for each VLAN at the central site.

b) add an interface to the LAN switch at the central site; on this interface you will pass only site 2 VLANs using

switchport trunk allowed vlan 12,22,32

(do the same for the current port using

switchport trunk allowed vlan 11,21,31)

and then you add a single xconnect to the second main interface with destination = remote site 2.

Be aware that this is not best practice because it is easy to fill the WAN link just to carry broadcast traffic.

So use it only if really needed; otherwise using routing is better for different reasons.

Hope to help

Giuseppe
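As an added example (not code from the thread or from Cisco), the following script renders option (a) above for Nelson's scenario: one dot1Q subinterface and one xconnect per VLAN on the central site, plus the matching configuration for each remote site, and it refuses a plan that attaches one VLAN to two remote sites, which is exactly the case where a second xconnect on the same attachment circuit silently replaces the first rather than adding a pseudowire. Loopback addresses, interface names and VLAN numbers are constructed sample values taken from the thread's scenario; the VC ID is set equal to the VLAN ID purely as a convention of this example, and must match at both ends.

```python
# Added example, not from the thread: render matching L2TPv3 configuration for a
# central site and several remote sites, one dot1Q subinterface and one xconnect
# per VLAN, and reject plans that attach a VLAN twice. Addresses, interface names
# and VLAN numbers are constructed sample values; VC ID = VLAN ID by convention.

PW_CLASS = "l2tpv3_class"  # assumed name of the pseudowire class


def plan_pseudowires(sites: dict) -> list:
    """sites: {remote_ip: [vlan, ...]}. Returns (vlan, peer_ip, vc_id) entries for
    the central site, or raises if one VLAN would be attached to two remote sites."""
    owner, plan = {}, []
    for remote_ip, vlans in sites.items():
        for vlan in vlans:
            if vlan in owner:
                raise ValueError(f"VLAN {vlan} is already attached to {owner[vlan]}; "
                                 "a second xconnect would override the first")
            owner[vlan] = remote_ip
            plan.append((vlan, remote_ip, vlan))
    return sorted(plan)


def plan_is_valid(sites: dict) -> bool:
    try:
        plan_pseudowires(sites)
        return True
    except ValueError:
        return False


def remote_plan(central_ip: str, vlans: list) -> list:
    """The remote end points every one of its VLANs back at the central loopback."""
    return [(vlan, central_ip, vlan) for vlan in sorted(vlans)]


def render_site_config(main_if: str, loopback_ip: str, entries: list) -> str:
    """IOS configuration for one end; `entries` are (vlan, peer_ip, vc_id)."""
    lines = [
        f"pseudowire-class {PW_CLASS}",
        " encapsulation l2tpv3",
        " ip local interface Loopback0",
        "!",
        "interface Loopback0",
        f" ip address {loopback_ip} 255.255.255.255",
        "!",
        f"interface {main_if}",
        " no ip address",
        "!",
    ]
    for vlan, peer, vc_id in entries:
        lines += [
            f"interface {main_if}.{vlan}",
            f" encapsulation dot1Q {vlan}",
            f" xconnect {peer} {vc_id} pw-class {PW_CLASS}",
            "!",
        ]
    return "\n".join(lines)


def xconnects(config: str) -> set:
    """(peer, vc_id) pairs found in a rendered config, used to cross-check both ends."""
    found = set()
    for line in config.splitlines():
        parts = line.split()
        if parts[:1] == ["xconnect"]:
            found.add((parts[1], int(parts[2])))
    return found


def ends_match(central_ip: str, central_cfg: str, remote_cfgs: dict) -> bool:
    """True when every pseudowire the central site configures towards a remote
    has the same VC ID configured on that remote, pointing back at the central site."""
    central = xconnects(central_cfg)
    for remote_ip, cfg in remote_cfgs.items():
        expected = {(central_ip, vc) for peer, vc in central if peer == remote_ip}
        if xconnects(cfg) != expected:
            return False
    return True


def demo() -> tuple:
    central_ip = "10.255.118.5"
    sites = {"10.255.118.10": [11, 21, 31], "10.255.118.20": [12, 22, 32]}
    central_cfg = render_site_config("FastEthernet0/0", central_ip, plan_pseudowires(sites))
    remote_cfgs = {ip: render_site_config("FastEthernet0/0", ip, remote_plan(central_ip, vlans))
                   for ip, vlans in sites.items()}
    return central_ip, central_cfg, remote_cfgs


if __name__ == "__main__":
    _, cfg, remotes = demo()
    print(cfg)
    for ip, rcfg in remotes.items():
        print(f"! ---- remote {ip} ----\n{rcfg}")
```

The rendered central config carries six subinterfaces and six xconnects, three towards each remote loopback, and each remote config carries the three matching ones; the same script flags a mistaken plan that lists VLAN 11 under both remotes before anything is pasted into a router. The caveat from the post still applies: every one of these pseudowires carries that VLAN's broadcast and unknown-unicast traffic across the WAN.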

Hi there

So what kind of things can we put through these tunnels? Why do most people use them? Why would I need to tunnel at layer 2?

Also, how simple is the config to do between 2 sites? And do we have to use an ACL etc. to push certain traffic through the tunnel?
