L2TP on 6500

Answered Question
Jun 22nd, 2010

Hi all Experts ;-)

Need your urgent help...

I have to configure L2TP between two 6500 switches. Need the configuration and confirmation that it works.

WS-C6509 is running with 72033-advipservicesk9_wan-mz.122-18.SXF17.bin

I would really appreciate it if someone can give me a solution.

Regards

amar

Giuseppe Larosa Tue, 06/22/2010 - 06:01

Hello Amar,

When wondering whether a feature is supported on a device, you can use Feature Navigator:

http://www.cisco.com/go/fn

Search by feature.

If you are interested in L2TPv3 for transport services: L2TPv2 (= L2TP) is used in broadband access.

According to Feature Navigator, L2TPv3 is supported on C7600 with Sup720 and MSFC3, for example on:

SERVICES

c7600s72033-advipservices-mz.122-33.SRC4.bin

On your image you should be able to run EoMPLS, that is, a pseudowire with encapsulation mpls. I've checked on one device.

See:

router(config)#pseudowire-class pippo

router(config-pw-class)#enc ?

  mpls  Use MPLS encapsulation

router(config-pw-class)#enc mpls ?

sh ver | inc image

System image file is "disk0:s72033-advipservicesk9_wan-mz.122-18.SXF17a.bin"

If you don't see encapsulation l2tpv3, it is not supported.

Hope to help

Giuseppe
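As an added example (not from the thread, and not a configuration anyone in it posted), this is the L2TPv3 pseudowire setup that the `encapsulation ?` check above is probing for, on the assumption that the image does list l2tpv3 there (the 12.2(18)SXF image in the thread did not); class names, the loopback and peer addresses, the VC ID and the shared secret are placeholders.

```cisco
! Added example, not from the thread. Assumes an IOS image where
! "pseudowire-class / encapsulation ?" lists l2tpv3. Names, addresses,
! VC ID and the password are placeholders to be replaced.
l2tp-class L2TP-AUTH
 authentication
 password 0 SHARED-SECRET-PLACEHOLDER
 hello 10
!
pseudowire-class PW-L2TPV3
 encapsulation l2tpv3
 protocol l2tpv3 L2TP-AUTH
 ip local interface Loopback0
!
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
! Port-mode pseudowire: the whole physical port is cross-connected to the
! remote peer (192.0.2.2). VC ID 100 must match on the other end, and the
! peer mirrors this configuration with the addresses swapped.
interface GigabitEthernet1/7
 no ip address
 xconnect 192.0.2.2 100 encapsulation l2tpv3 pw-class PW-L2TPV3
!
! Verify with: show xconnect all / show l2tun session all
! Note: L2TPv3 only tunnels the Ethernet frames over IP; the control-channel
! password authenticates tunnel setup but the data is sent in clear text.
```

The pseudowire gives the Layer 2 extension asked about, but no confidentiality: the frames cross the link unencrypted, which is the same limitation Giuseppe raises later in the thread for the trunk-based setup.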

amardram123 Wed, 06/30/2010 - 05:24

Hi,

I have configured the L2TP on an L2 trunk between 6509s (Sup720 MSFC3) and am able to pass all the traffic...

These two switches are in two different locations... My query is: can we do any encryption on it?

interface GigabitEthernet1/7
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no ip address
 l2protocol-tunnel cdp
 l2protocol-tunnel stp
 l2protocol-tunnel vtp
 no cdp enable
 spanning-tree bpdufilter enable
end

Thanks

Amar...

Giuseppe Larosa Wed, 06/30/2010 - 06:04

Hello Amar,

Without a hardware module that provides encryption, the answer is negative.

You would need a SIP line card and to install an IPsec VPN SPA on it.

See:

http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/6500series/76ovwvpn.html

But I'm not sure it would be enough; it may work with an ES line card + the IPsec VPN SPA in a SIP line card (not a SIP-600).

Hope to help

Giuseppe

amardram123 Sat, 07/03/2010 - 12:59

Hi,

Actually I am extending the data center LAN to a new location, and later the old data center will be shut down and the same WAN IP will be assigned on a similar set of WAN routers at the new data center.

These locations are separated by 10 KM, with a 2 GB link terminated between them.

The idea was to avoid any downtime during the movement of all links, routers and servers to the new data center.

Now with the help of the L2 trunk I am able to extend my LAN and am setting up all servers at the new location...

But the concern is that communication between these data centers (the L2 link between these 6500 switches) should be encrypted...

Since the data is huge and an encryption box is very costly, which is only required for a few days until the data center is operational...

I am wondering how I can secure the data flowing between these switches!

Regards

amar

amardram123 Sat, 07/03/2010 - 13:02

Also want to add that, since it is a LAN extension, I can't have an L3 link between these switches, so I can't have L3 IPsec...

Correct Answer
Giuseppe Larosa Sun, 07/04/2010 - 04:54

Hello Amar,

I don't see a way to achieve encryption in your current setup without adding expensive boxes.

However, fiber based links are inherently secure, that is, they cannot be sniffed by simply putting something near the fibers.

For this reason some networks are built with fiber to the PC instead of using RJ45.

Try to report this to your management; for a few days you should be able to afford the use of the fiber link without encryption.

Hope to help

Giuseppe

amardram123 Sun, 07/04/2010 - 06:29

Thanks Giuseppe for clearing my doubts. All the info was very helpful. I really appreciate it...

Regards

Amar..
