L2TP on 6500

Answered Question
Jun 22nd, 2010

Hi all Experts ;-)


Need your urgent help...


I have to configure L2TP between two 6500 switches. I need the configuration and confirmation that it works.


WS-C6509 is running with 72033-advipservicesk9_wan-mz.122-18.SXF17.bin


I would really appreciate it if someone can give me a solution.


Regards

amar

Giuseppe Larosa Tue, 06/22/2010 - 06:01
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

Hello Amar,


When wondering if a feature is supported on a device you can use Feature Navigator:


http://www.cisco.com/go/fn


Search by feature.


If you are interested in L2TPv3, it is for transport services.


L2TPv2 = L2TP is used in broadband access.


According to Feature Navigator, L2TPv3 is supported on C7600 with Sup720 and MSFC3, for example on:


SERVICES

c7600s72033-advipservices-mz.122-33.SRC4.bin


On your image you should be able to run EoMPLS, that is, pseudowire with enc mpls. I've checked on one device,


see:


router(config)#pseudowire-class pippo

router(config-pw-class)#enc ?

  mpls  Use MPLS encapsulation


router(config-pw-class)#enc mpls ?


sh ver | inc image

System image file is "disk0:s72033-advipservicesk9_wan-mz.122-18.SXF17a.bin"


If you don't see encapsulation l2tpv3, it is not supported.


Hope to help

Giuseppe

amardram123 Wed, 06/30/2010 - 05:24

Hi,


I have configured L2TP on an L2 trunk between 6509s (Sup720, MSFC3) and am able to pass all the traffic...

These two switches are in two different locations... My query is: can we do any encryption on it?


interface GigabitEthernet1/7
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
no ip address
l2protocol-tunnel cdp
l2protocol-tunnel stp
l2protocol-tunnel vtp
no cdp enable
spanning-tree bpdufilter enable
end


Thanks

Amar...

Giuseppe Larosa Wed, 06/30/2010 - 06:04
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

Hello Amar,

Without a hardware module that provides encryption, the answer is negative.


You would need a SIP linecard and to install an IPsec VPN SPA on it,


see:


http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/6500series/76ovwvpn.html


But I'm not sure it would be enough; it may work with an ES linecard + the IPsec VPN SPA in a SIP linecard (not a SIP 600).


Hope to help

Giuseppe

amardram123 Sat, 07/03/2010 - 12:59

Hi,


Actually I am extending the data center LAN to a new location, and later the old data center will be shut down and the same WAN IP will be assigned to a similar set of WAN routers at the new data center.

These locations are separated by 10 km, with a 2 Gb link terminated between them.


The idea was to avoid any downtime during the move of all links, routers and servers to the new data center.


Now, with the help of the L2 trunk, I am able to extend my LAN and am setting up all servers at the new location...


But the concern is that communication between these data centers (the L2 link between these 6500 switches) should be encrypted...

Since the data is huge and an encryption box is very costly, and is only required for a few days until the data center is operational...


I am wondering how I can secure the data flowing between these switches!


Regards

amar

amardram123 Sat, 07/03/2010 - 13:02

Also I want to add that, since it is a LAN extension, I can't have an L3 link between these switches, so I can't have L3 IPsec...

Correct Answer
Giuseppe Larosa Sun, 07/04/2010 - 04:54
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

Hello Amar,


I don't see a way to achieve encryption in your current setup without adding expensive boxes.


However, fiber-based links are inherently secure, that is, they cannot be sniffed by simply putting something near the fibers.

For this reason some networks are built with fiber to the PC instead of using RJ45.


Try to report this to your management; for a few days you should be able to afford the use of the fiber link without encryption.


Hope to help

Giuseppe

amardram123 Sun, 07/04/2010 - 06:29

Thanks Giuseppe, for clearing my doubts. All the info was very helpful. I really appreciate it.


Regards

Amar..
