L2TP is used to transport L2 protocols over IP:
L2TPv2 transports PPP and is used, for example, by an SP which doesn't own the DSL access network.
L2TPv3 allows you to transport any L2 protocol and can be used to provide VPN services without MPLS.
what do you mean used to transport L2 traffic? Is it not a layer 2 protocol itself?
please explain the benefits and uses if possible?
>> what do you mean used to transport l2 traffic? Is it not a layer 2 protocol itself?
L2TP = Layer 2 Tunneling Protocol is not an L2 protocol but a way to carry L2 frames over an IP tunnel to provide a point-to-point L2 transport service over an IP cloud.
L2TPv2 focuses on PPP sessions and it was introduced to allow remote access via dialup to an enterprise without requiring the enterprise to have its own dialup NAS servers.
During PPP authentication a user can specify a realm like
the device receiving the PPP auth request can send to acme endpoint over the L2TP tunnel.
The end result is that the PPP session can be extended to acme network.
This idea has been extended and applied for DSL wholesale services.
L2TPv3 supports carrying almost any L2 technology see and it is a major change from L2TPv2.
L2TPv3 can be used to extend one vlan over an IP WAN.
Hope to help
so are you saying it can carry layer 2 frames? does this mean I can extend a broadcast domain and have the same IP subnet over the tunnel? what do people use L2TP for generally?
yes you can do that with a config like that attached by Nelson.
Nelson has also added encryption to protect the L2TPv3 traffic.
the possible usages of L2TPv2 and L2TPv3 are described in previous posts.
Hope to help
I have a question on this topic. I am currently using l2tpv3 and it works like a charm. Below is a copy of my config that allows me to have 1 remote site connected:
crypto isakmp policy 1
crypto isakmp keepalive 10 5
crypto isakmp client configuration group "group_name"
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10
 set transform-set myset
crypto map clientmap isakmp authorization list default
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
! (the pseudowire-class header for "class_name" that holds the next line was not included in the post)
 ip local interface Loopback0
!
interface Loopback0
 description Tunnel Interface
 ip address 10.255.118.5 255.255.255.255
!
! (LAN interface name not included in the post)
 description Connection to Local Switch
 no ip address
 no cdp enable
 xconnect 10.255.118.10 1 pw-class "class_name"
!
! (WAN interface name not included in the post)
 description WAN Interface
 ip address x.x.x.x y.y.y.y
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip pim sparse-dense-mode
 no mop enabled
 crypto map clientmap
I would like to know what config is needed to have multiple sites connected to this VPN router.
the answer depends on what you want to do.
L2TPv3 provides a point-to-point L2 transport service.
so if your idea is to have a central site with multiple remote sites, all with an L2 connection,
you need an L2TPv3 pseudowire for each remote site, but the local endpoint cannot be the same:
if you try to add an xconnect command you are overriding the current one.
you would need a different subinterface for each remote site, but they would be in different VLANs, so you would need an external device to perform inter-VLAN bridging.
But I don't recommend this because I'm afraid broadcast traffic can go up and down eating bandwidth and CPU.
Hope to help
Thanks for the response. The intention is to have one central site and 2 remote sites. Both of the remote sites would have different VLANs and only need to talk to the central site. Would this be possible using subinterfaces as you mentioned? Since I don't need the traffic to flow across the 2 remote sites, there wouldn't be a need for an external device to perform inter-VLAN bridging. Is that correct? If yes, please could you provide a sample config. Thanks in advance.
yes but GRE is used to carry L3 packets of different suites: AppleTalk and IPX in the past, IPv6 nowadays.
Hope to help
it should be as easy as putting the xconnect command with a different destination under two VLAN-based subinterfaces.
If all devices share the same ISAKMP key, and because you are using a dynamic crypto map on the central site, the IPsec should be fine.
Hope to help
The problem here is that both sites use multiple VLANs. The xconnect command under the subinterface would be ideal if both sites used one VLAN each. For example, if remote site 1 was using VLANs 11,21,31 and remote site 2 was using VLANs 12,22,32, then what config would be needed on the central site router to get this working?
two options here:
a) one subinterface and one xconnect with the appropriate destination for each VLAN at the central site.
b) add an interface to the LAN switch at the central site; on this interface you will pass only site 2 VLANs using
switchport trunk allowed vlan 12,22,32
(do the same for the current port using
switchport trunk allowed vlan 11,21,31)
and then you add a single xconnect to the second main interface with destination = remote site 2.
Be aware that this is not best practice because it is easy to fill the WAN link just to carry broadcast traffic.
So use it only if really needed; otherwise using routing is better for different reasons.
Hope to help
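As an added example, not taken from the thread and not Nelson's attached config, here is what option (a) looks like on the central-site router: one 802.1Q subinterface and one L2TPv3 pseudowire per remote VLAN, plus the switch-side trunk pruning from option (b) so only the VLANs that must cross the WAN reach the pseudowires. Interface names, the pseudowire-class name and the remote site 2 loopback 10.255.118.11 are assumptions; Loopback0 10.255.118.5 and remote site 1 at 10.255.118.10 are taken from the posted config.

```cisco
! Added example (not from the thread): central-site router, option (a).
! Assumed: GigabitEthernet0/1 is the trunk to the local switch, the
! pseudowire-class is named PW-L2TPV3, remote site 1 terminates on
! 10.255.118.10 and remote site 2 on 10.255.118.11.
!
pseudowire-class PW-L2TPV3
 encapsulation l2tpv3
 ip local interface Loopback0
!
interface Loopback0
 description L2TPv3 tunnel endpoint
 ip address 10.255.118.5 255.255.255.255
!
! No IP address on the physical trunk; each VLAN subinterface is its own pseudowire.
interface GigabitEthernet0/1
 description 802.1Q trunk to local switch
 no ip address
 no cdp enable
!
! Remote site 1: VLANs 11, 21, 31. The VC ID (second xconnect argument) must
! match on both ends of each pseudowire; reusing the VLAN number keeps it readable.
interface GigabitEthernet0/1.11
 encapsulation dot1Q 11
 xconnect 10.255.118.10 11 pw-class PW-L2TPV3
interface GigabitEthernet0/1.21
 encapsulation dot1Q 21
 xconnect 10.255.118.10 21 pw-class PW-L2TPV3
interface GigabitEthernet0/1.31
 encapsulation dot1Q 31
 xconnect 10.255.118.10 31 pw-class PW-L2TPV3
!
! Remote site 2: VLANs 12, 22, 32, same pattern, different destination loopback.
interface GigabitEthernet0/1.12
 encapsulation dot1Q 12
 xconnect 10.255.118.11 12 pw-class PW-L2TPV3
interface GigabitEthernet0/1.22
 encapsulation dot1Q 22
 xconnect 10.255.118.11 22 pw-class PW-L2TPV3
interface GigabitEthernet0/1.32
 encapsulation dot1Q 32
 xconnect 10.255.118.11 32 pw-class PW-L2TPV3
!
! --- Matching end on the remote site 1 router for VLAN 11 (LAN interface name
! --- assumed): same VC ID 11, peer = the central Loopback0.
interface GigabitEthernet0/1.11
 encapsulation dot1Q 11
 xconnect 10.255.118.5 11 pw-class PW-L2TPV3
!
! --- Central LAN switch, port facing the VPN router (port name assumed): allow
! --- only the VLANs that must cross the WAN, so broadcasts from every other
! --- VLAN never enter a pseudowire.
interface GigabitEthernet1/0/1
 description Trunk to central VPN router
 switchport mode trunk
 switchport trunk allowed vlan 11,21,31,12,22,32
```

Each pseudowire is still a bridged broadcast domain across the WAN, so the trunk pruning is the only thing that limits how much broadcast traffic the link carries; `show xconnect all` on the router shows whether each pseudowire has come up. L2TPv3 itself adds no confidentiality or integrity, so the IPsec crypto map from the posted config stays in place and the remote sites' crypto policy must cover the L2TPv3 traffic between the loopback endpoints.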
so what kind of things can we put through these tunnels? why do most people use them? why would I need to tunnel at layer 2?
also how simple is the config to do between 2 sites? and do we have to use an ACL etc. to push certain traffic through the tunnel?
L2TPv2 allows you to transport PPP sessions over an IP backbone via an L2TP tunnel.
One common scenario is when an ISP wants to provide Internet access to users where it doesn't control the dial network (PSTN/DSL or ISDN). In this case it will negotiate with a local wholesale dial SP so it will forward the PPP session of the user who bought the service from the ISP via L2TP. L2TP is mandatory, as between the wholesale SP and the ISP there is only an IP backbone.
It's also useful when you want to use DSL access to connect commercial customers' sites to their VPN.
L2TPv3 can encapsulate any Layer 2 protocol, Ethernet for example. A common application of L2TPv3 is to provide L2VPN services when you are not using MPLS in your core.
I forgot here is a link for L2TPv2 configuration example: http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800a43e9.shtml
i still need to see the benefits for this, does it hide every hop between 2 endpoints?
and why would we need to encapsulate Ethernet frames, would this be so we can extend VLANs over the tunnel, and bridge my LAN etc.?
also how do you say send a certain subnet over the tunnel? or would it need to be all traffic?
I found quite a few benefits of using L2TPv3 on our network, one of which you already mentioned. The list goes like this:
1) Minimal configuration compared to GRE, where you need several tunnel interfaces (one for each VLAN).
2) After configuration the 2 sites are bridged together. So DHCP broadcasts and CDP info are exchanged between the local and remote site as if there was no WAN in between.
Sending a subnet over the tunnel can be done using VLANs. Whatever you allow on the trunk is what will pass through the tunnel.
Hope this helps.