L2TPv3 or something else?


We have a remote site connected via an MPLS network to our HQ.

There are about 10 people at this remote site.

The router is a 2801. The bandwidth is 512Kb (this can and will be increased this year).

The HQ router is a 2821.

They have no external internet access and are presently proxied to HQ for outside access.

Our issue is that we would like to allow visitors to have outside access from this site as well without incurring the cost of providing an internet circuit.

At HQ we simply created a vlan that takes wireless visitors outside our private network.

Ideally we would like to create something at this site that would act exactly like our visitor network here at HQ.


Does anyone have any suggestions how this could be done? Is it possible?

paolo bevilacqua Mon, 03/29/2010 - 09:08
Just use ACL as needed.

DialerString_2 Mon, 03/29/2010 - 12:52

You can use ACLs, and L2TPv3 would work, but you would need a dot1q interface for your vlan on the remote and HQ side. Below is the client side; the HQ side would have a different loopback IP address.


This is from memory so verify and test first.



interface Loopback0
 ip address 10.1.1.1 255.255.255.252
!
pseudowire-class wifi_vlan
 encapsulation l2tpv3
 protocol l2tpv3 vlan80
 ip local interface Loopback0
!
interface f0/0
 desc local lan
 ip address 10.10.10.1
!
interface f0/0.80
 no ip address
 encapsulation dot1q 80
 ! 10.1.1.2 is the other loopback.
 xconnect 10.1.1.2 80 pw-class wifi_vlan


Make sure you have routes for the loopbacks.


thx.


E

Thanks for help Dialer

I set this up in my lab and here is what I have as the config. The config piece reflects only one side of connection. The other side does have a different loopback address.


There is one issue. When I try to use the protocol parameter I get this error.

LAB_188(config-pw-class)#protocol l2tpv3 wifi_vlan

L2TP class changes are not allowed on L2TP pw-class with Xconnects



And here is what I get for a show l2tun.


AB_KAO_188#sh l2tun tunnel
%No active L2F tunnels
L2TP Tunnel Information Total tunnels 1 sessions 1
LocID RemID Remote Name   State  Remote Address  Port  Sessions L2TP Class/
                                                                VPDN Group
47306 13730 LAB_NTT_189   est    10.52.4.6       0     1        l2tp_default_cl
%No active PPTP tunnels

LAB_188#sh l2tun session all
%No active L2F tunnels
L2TP Session Information Total tunnels 1 sessions 1
Session id 40957 is up, tunnel id 47306
Call serial number is 3196700031
Remote tunnel name is LAB_NTT_189
  Internet address is 10.52.4.6
  Session is L2TP signalled
  Session state is established, time since change 20:17:23
    37643 Packets sent, 0 received
    2554856 Bytes sent, 0 received
  Last clearing of "show vpdn" counters never
    Receive packets dropped:
      out-of-order: 0
      total: 0
    Send packets dropped:
      exceeded session MTU: 0
      total: 0
  Session vcid is 103
  Session Layer 2 circuit, type is Ethernet Vlan, name is FastEthernet0/1.103:103
  Circuit state is UP
    Remote session id is 41666, remote tunnel id 13730
  Session PMTU enabled, path MTU is not known
  DF bit on, ToS reflect disabled, ToS value 0, TTL value 255
  No session cookie information available
  UDP checksums are disabled
  SSS switching enabled
  Sequencing is off
  Unique ID is 32


The tunnel appears to be working; is that right?

However, I have not been able to get two devices to talk on the vlan 103 as I had hoped. I don't need any routing for the vlan extension; correct?

I did create a static route on both sides for the loopbacks.

Any help appreciated.


l2tp-class wifi_vlan
 hello 100
!
pseudowire-class vlan103
 encapsulation l2tpv3
 ip local interface Loopback0
 ip pmtu
!
interface FastEthernet0/1.103
 encapsulation dot1Q 103
 no cdp enable
 xconnect 10.52.4.6 103 pw-class vlan103

Correct Answer
DialerString_2 Fri, 04/02/2010 - 10:41

Hey,



Do you have the dot1q interface configured on the other router?


There is one issue. When I try to use the protocol parameter I get this error.

LAB_188(config-pw-class)#protocol l2tpv3 wifi_vlan

L2TP class changes are not allowed on L2TP pw-class with Xconnects

!!! You have to remove the xconnect statement from int .103 to make this change and add it back. This should fix you.!!!!


Use the "show xconnect all" command to make sure the pseudowire is up. Verify that the loopbacks are in your routing table and you can reach both.

If you are having trouble reaching hosts in the vlan, verify the gateway of the vlan hosts, that the hosts are in the same vlan, and the vlan tagging on your switch (I use HP). Check your trunk on the Cisco switches. You don't need to set up routing for the VLAN (but I haven't seen your config or lab diagram either). The pseudowire will encapsulate the L2 traffic in an L2TPv3 header and remove that header when it hits the other side of the wire.


Send me the relevant configs on each side and a show ip route also. If you have a diagram of your lab that would be great too.




Dialer

Thanks for the reply.

Your requests made me look again at the config and I noticed that I had the xconnect assigned to the wrong interface on one of the routers.

When I put it where it belonged the tunnel came right up and I was able to get a dhcp assigned IP on the remote router across the wan which is what I need to happen in the real world.

Thanks for your help and your interest.

DialerString_2 Fri, 04/02/2010 - 11:16

Glad it's working for you and thanks for the rating, John!


Best of Luck.


Eric
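
A check for the symptom seen in this thread, as an added example that is not part of any post above: the session reports "established" with packets sent and 0 received, which here turned out to be an xconnect attached to the wrong interface on one router. The sample text is constructed from the quoted "show l2tun session all" output, the function names are hypothetical, and the cookie finding only reports what the output itself states.

```python
import re

# Constructed sample, trimmed from the "show l2tun session all" output quoted in the thread.
SAMPLE = """\
Session id 40957 is up, tunnel id 47306
Remote tunnel name is LAB_NTT_189
  Session state is established, time since change 20:17:23
    37643 Packets sent, 0 received
  Session vcid is 103
  Session Layer 2 circuit, type is Ethernet Vlan, name is FastEthernet0/1.103:103
  Circuit state is UP
  No session cookie information available
"""

FIELDS = {
    "session_id": r"Session id (\d+) is (?:up|down)",
    "state": r"Session state is (\w+)",
    "pkts": r"(\d+) Packets sent, (\d+) received",
    "vcid": r"Session vcid is (\d+)",
    "circuit": r"Layer 2 circuit, type is [^,]+, name is (\S+)",
    "circuit_state": r"Circuit state is (\w+)",
}

def parse_sessions(text):
    """Split the output on 'Session id' headers and pull the fields above from each block."""
    sessions = []
    for block in re.split(r"(?m)^(?=Session id \d+)", text):
        if not block.startswith("Session id"):
            continue  # banner lines before the first session
        s = {}
        for key, rx in FIELDS.items():
            m = re.search(rx, block)
            s[key] = m.groups() if m and len(m.groups()) > 1 else (m.group(1) if m else None)
        s["cookie"] = "No session cookie information available" not in block
        sessions.append(s)
    return sessions

def findings(s):
    """Return warnings for one parsed session: one-way traffic and a missing cookie."""
    out = []
    if s["state"] == "established" and s["pkts"]:
        sent, rcvd = map(int, s["pkts"])
        if sent > 0 and rcvd == 0:
            out.append(f"vcid {s['vcid']}: established but one-way ({sent} sent, 0 received); "
                       f"check the xconnect attachment on the peer for {s['circuit']}")
    if not s["cookie"]:
        out.append(f"vcid {s['vcid']}: no L2TPv3 session cookie configured")
    return out
```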
