03-29-2010 09:06 AM - edited 03-04-2019 07:57 AM
We have a remote site connected via an MPLS network to our HQ.
There are about 10 people at this remote site.
The router is a 2801. The bandwidth is 512Kb (this can and will be increased this year)
The HQ router is a 2821.
They have no external internet access and are presently proxied to HQ for outside access.
Our issue is that we would like to allow visitors to have outside access from this site as well without incurring the cost of providing an internet circuit.
At HQ we simply created a vlan that takes wireless visitors outside our private network.
Ideally we would like to create something at this site that would act exactly like our visitor network here at HQ.
Does anyone have any suggestions how this could be done? Is it possible?
03-29-2010 09:08 AM
Just use ACL as needed.
03-29-2010 12:52 PM
You can use ACLs, and L2TPv3 would work, but you would need a dot1q interface for your VLAN on the remote and HQ side. Below is the client side; the HQ side would have a different loopback IP address.
This is from memory so verify and test first.
interface Loopback0
 ip address 10.1.1.1 255.255.255.252
!
pseudowire-class wifi_vlan
 encapsulation l2tpv3
 protocol l2tpv3 vlan80
 ip local interface Loopback0
!
interface f0/0
 desc local lan
 ip address 10.10.10.1
!
interface f0/0.80
 no ip address
 encapsulation dot1q 80
 ! 10.1.1.2 is the other loopback
 xconnect 10.1.1.2 80 pw-class wifi_vlan
make sure you have routes for the loopbacks.
thx.
E
04-02-2010 08:18 AM
Thanks for help Dialer
I set this up in my lab and here is what I have as the config. The config piece reflects only one side of connection. The other side does have a different loopback address.
There is one issue. When I try to use the protocol parameter I get this error.
LAB_188(config-pw-class)#protocol l2tpv3 wifi_vlan
L2TP class changes are not allowed on L2TP pw-class with Xconnects
And here is what I get for a show l2tun.
AB_KAO_188#sh l2tun tunnel
%No active L2F tunnels
L2TP Tunnel Information Total tunnels 1 sessions 1
LocID RemID Remote Name State Remote Address Port Sessions L2TP Class/
VPDN Group
47306 13730 LAB_NTT_189 est 10.52.4.6 0 1 l2tp_default_cl
%No active PPTP tunnels
LAB_188#sh l2tun session all
%No active L2F tunnels
L2TP Session Information Total tunnels 1 sessions 1
Session id 40957 is up, tunnel id 47306
Call serial number is 3196700031
Remote tunnel name is LAB_NTT_189
Internet address is 10.52.4.6
Session is L2TP signalled
Session state is established, time since change 20:17:23
37643 Packets sent, 0 received
2554856 Bytes sent, 0 received
Last clearing of "show vpdn" counters never
Receive packets dropped:
out-of-order: 0
total: 0
Send packets dropped:
exceeded session MTU: 0
total: 0
Session vcid is 103
Session Layer 2 circuit, type is Ethernet Vlan, name is FastEthernet0/1.103:103
Circuit state is UP
Remote session id is 41666, remote tunnel id 13730
Session PMTU enabled, path MTU is not known
DF bit on, ToS reflect disabled, ToS value 0, TTL value 255
No session cookie information available
UDP checksums are disabled
SSS switching enabled
Sequencing is off
Unique ID is 32
The tunnel appears to be working; is that right?
However I have not been able to get two devices to talk on the vlan 103 as I had hoped. I don't need any routing for the vlan extension; correct?
I did create a static route on both sides for the loopbacks.
Any help appreciated.
l2tp-class wifi_vlan
 hello 100
!
pseudowire-class vlan103
 encapsulation l2tpv3
 ip local interface Loopback0
 ip pmtu
!
interface FastEthernet0/1.103
 encapsulation dot1Q 103
 no cdp enable
 xconnect 10.52.4.6 103 pw-class vlan103
04-02-2010 10:41 AM
Hey,
Do you have the dot1q interface configured on the other router?
There is one issue. When I try to use the protocol parameter I get this error.
LAB_188(config-pw-class)#protocol l2tpv3 wifi_vlan
L2TP class changes are not allowed on L2TP pw-class with Xconnects
!!! You have to remove the xconnect statement from int .103 to make this change and add it back. This should fix you.!!!!
Use the "show xconnect all" command to make sure the pseudowire is up. Verify that the loopbacks are in your routing table and you can reach both.
If you are having trouble reaching hosts in the VLAN, verify the gateway of the VLAN hosts, that the hosts are in the same VLAN, and the VLAN tagging on your switch (I use HP). Check your trunk on the Cisco switches. You don't need to set up routing for the VLAN (but I haven't seen your config or lab diagram either). The pseudowire will encapsulate the L2 traffic in an L2TPv3 header and remove that header when it hits the other side of the wire.
Send me the relevant configs on each side and a show ip route also. If you have a diagram of your lab that would be great too.
04-02-2010 11:13 AM
Dialer
Thanks for the reply.
Your requests made me look again at the config and I noticed that I had the xconnect assigned to the wrong interface on one of the routers.
When I put it where it belonged the tunnel came right up and I was able to get a dhcp assigned IP on the remote router across the wan which is what I need to happen in the real world.
Thanks for your help and your interest.
04-02-2010 11:16 AM
Glad it's working for you and thanks for the rating, John!
Best of Luck.
Eric
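Added example, not written by any poster in this thread: a Python check over the "show l2tun session all" output quoted above that flags a session which is established but has received nothing (the symptom that here turned out to be an xconnect on the wrong interface of one router) and a session carrying no L2TPv3 cookie. The function names, the min_sent threshold and the trimmed sample are assumptions made for this example.

```python
import re

# Constructed sample, trimmed from the "show l2tun session all" output in the thread.
SAMPLE = """\
Session id 40957 is up, tunnel id 47306
  Session state is established, time since change 20:17:23
    37643 Packets sent, 0 received
  Session vcid is 103
  Session Layer 2 circuit, type is Ethernet Vlan, name is FastEthernet0/1.103:103
  No session cookie information available
"""

def parse_sessions(text):
    """Return one dict per session found in 'show l2tun session all' output."""
    sessions = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"Session id (\d+) is \w+, tunnel id (\d+)", line):
            sessions.append({"id": int(m[1]), "tunnel": int(m[2]), "state": None,
                             "sent": 0, "received": 0, "vcid": None,
                             "circuit": None, "cookie": True})
        elif not sessions:
            continue  # preamble before the first session block
        elif m := re.match(r"Session state is (\w+)", line):
            sessions[-1]["state"] = m[1]
        elif m := re.match(r"(\d+) Packets sent, (\d+) received", line):
            sessions[-1]["sent"], sessions[-1]["received"] = int(m[1]), int(m[2])
        elif m := re.match(r"Session vcid is (\d+)", line):
            sessions[-1]["vcid"] = int(m[1])
        elif m := re.match(r"Session Layer 2 circuit, .*name is (\S+)", line):
            sessions[-1]["circuit"] = m[1]
        elif line == "No session cookie information available":
            sessions[-1]["cookie"] = False
    return sessions

def findings(session, min_sent=100):
    """min_sent is a hypothetical threshold to ignore sessions that just came up."""
    out = []
    if (session["state"] == "established" and session["sent"] >= min_sent
            and session["received"] == 0):
        out.append("one-way")    # peer side is not bridging traffic back
    if not session["cookie"]:
        out.append("no-cookie")  # data packets carry no L2TPv3 cookie
    return out

if __name__ == "__main__":
    for s in parse_sessions(SAMPLE):
        print(s["id"], s["circuit"], findings(s))
```

An "established" state only says the control channel negotiated; the sent and received counters are what show whether the attachment circuits on both routers are actually bridging the VLAN.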