L2TPv3 (Layer 2 Tunnel Protocol Version 3)

What is the best method to extend a provider subnet (/29) from the edge CE router (ISR4331), to another layer 3 device when the two nodes are separated by a layer 2 switch? I.e. I want the edge router, the second layer 3 node and the provider’s PE edge device to all be part of the same public IP subnet. Is BDI or EVC the answer?

If I just want to extend the provider’s PE to CE subnet (a /21) down to other layer 3 nodes within my network at a single branch (i.e. from the WAN router (ISR 4331) down through a pair of Nexus cores and then onto my SDWAN edge), are you saying BDI on the ISR and a corresponding transit VLAN on the cores is not the way to go, but rather I should use L2TPv3? I thought that this was more for layer 2 tunneling between geographic sites.

Hello Chad

If I understand correctly, you want the following:

(ISP Network) --- (PE) --- (CE) --- (SW) --- (R1)

And you want the /29 subnet provided at the customer-facing interface of PE to be assigned to an interface on the CE as well as on an interface on R1, correct?

Well, the simplest way to achieve this would probably be to change the topology and have the SW connect directly to the PE, and then have the CE and R1 connect to the switch, on the same VLAN. I’m assuming however that you want to avoid such a scenario.

Well, one way to do it is to use a BVI in the CE so that the two ports on the CE will essentially act as two switchports, and the BVI will act as an SVI for those two ports. You can find out more about that at the following Cisco documentation:

Another option would be to use L2TPv3, but that would give you a layer 2 tunnel through the CE device without allowing it to actually obtain an IP address in the subnet you want.

This is a protocol that allows you to tunnel L2 over an L3 network regardless of whether you do it within your own network, or across two geographically remote sites, the concept is the same. But it really depends upon your topology and what you actually want to achieve.

In any case, such a scenario would be a little cumbersome to implement. Can you share with us what it is that you are trying to achieve so that we can see if there is another way of accomplishing it?

I hope this has been helpful!

Laz


Hi, can you help on interworking? I have an ISR router serial interface configured with PPP and the other end Ethernet.

Will it work?

Hello Shashank

If you have a serial interface on R4 for example, that must connect to a serial interface on R3. You cannot connect a serial interface to an Ethernet interface. They are two different technologies that are not compatible.

I hope this has been helpful!

Laz

Hi Rene,

I tried to do the lab in GNS3 with Cisco routers with IOS 15; it did not support the command. Could you please advise a link so that I can download an IOS that supports this command?

Thanks in advance

Hello Costa

Take a look at the Cisco Feature Navigator to find out what IOS versions support the L2TPv3 feature:

https://cfnng.cisco.com/browse/routing/features

As for Cisco IOS images, take a look at this NetworkLessons note on the subject.

I hope this has been helpful!

Laz

Hi Lagapides,

Thanks for your reply.

In fact, what I need is a link where I can download a Cisco IOS which supports L2TPv3.

Can you help?

Thanks in advance,

Lazaros Agapides via NetworkLessons.com Community Forum <forum@networklessons.com> wrote on Thursday, 31/03/2022 at 06:19:

Hello Costa

As stated in the NetworkLessons note on downloading IOS images:

GNS3 emulator software is free, but the related Cisco IOS images you require to use it are not. Cisco owns the copyright on IOS so they can’t be shared freely. You’ll have to purchase them, or get them from someone who has legal access to them.

If you have purchased the appropriate Cisco support package, you can go to the following Software Download site and get what you need.

https://software.cisco.com/download/home

I hope this has been helpful!

Laz

Hello Rene, can you please tell me how to implement L2TP over IPsec site to site? Do you have any example for that?
Thank you.

Hello Mohammad

Cisco has a detailed document describing how to implement L2TP over IPSec. Take a look at this and if you have more specific questions, please feel free to post them here!

I hope this has been helpful!

Laz

Thanks Lagapides. In the Cisco document they describe L2TP/IPsec between a server and a remote site. My question is how to implement IPsec on the same topology here (site to site)? As I think we can add a crypto map, transform set and IKEv1 policy to the L2TP configuration that you did on the topology, is this right?
Second question: on the G0/2 interface on Router 1 and Router 2 there is no IP address, and H1, H2 are routers (layer 3) with IP addresses. How will this link between Router 1 and H1 be up without an IP address configured on Router 1's interface? Can we configure G0/2 with an IP address? Can we connect a layer 2 switch to the G0/2 interface, or does this link have to be to a layer 3 router with an IP address?

Sorry for the multiple questions, but I'm a little confused here.
Thank you.

Hello Mohammad

As stated in the documentation shared before:

The primary benefit of configuring L2TP with IPsec/IKEv1 in a remote access scenario is that remote users can access a VPN over a public IP network without a gateway or a dedicated line, which enables remote access from virtually anyplace with POTS. An additional benefit is that no additional client software, such as Cisco VPN client software, is required.

Typically, L2TP with IPSec is used to connect individual clients. The only other scenario that matches more closely to a site to site scenario is the one described in this documentation:

In this case, the tunnel is created between two Cisco routers, however, its purpose is to enable a dial-up client to securely access a remote network.

I don’t know if L2TP over IPSec can be used as a site to site VPN solution, I have never seen it implemented this way, nor have I found examples of it, however, it may be possible, with experimentation. A more suitable, simpler, scalable, and all-round better solution is to use one of these:

The list above is not exhaustive, there are more options available, depending on your needs and your topology.

The purpose of L2TP is to create a layer 2 tunnel over a layer 3 infrastructure. In this case, G0/2 of both R1 and R2 are acting as layer 2 interfaces, and that is why they are not assigned IP addresses. You can imagine the combination of R1 and R2 and the L2TP tunnel as one big layer 2 switch.

I hope this has been helpful!

Laz

Thank you very much, Laz, for the good explanation.

In place of H1 and H2 as PCs, can I use routers? If yes, then how?

Hello Shivam

You can indeed use routers in place of H1 and H2. In fact, in the lesson, H1 and H2 are actually routers! The icons are PCs, but for the sake of the lesson, routers were used. You can see this from the fact that when Rene configures H1 and H2, they are configured using the Cisco command line commands.

I hope this has been helpful!

Laz


Hello, I currently have a working L2TPv3 setup (using this lesson), and it works with a couple of different devices on a layer 2 network so I know it's configured correctly; however, a third different device can make a connection but can't download an application from the server on the other end (basically connects via the webpage and then freezes during the download). I've Wiresharked this connection (when it's actually connected, not over the L2TPv3) and it routinely sends/receives packets that are 1460 in size. I am using an IPsec DMVPN tunnel at the edge routers for the point-to-point network with Starlink. It seems like this combined with the DMVPN, L2TPv3, as well as KG-250X encryptors would grossly exceed the MTU due to all the additional overhead and cause fragmenting. To solve this, does setting PMTU up on the pseudowire and then again at the edge router seem like it would work? Do I need to configure both sides for PMTU? Do I need to do just the pseudowire and not the edge router? In the attached image, replace “MBK” with Starlink and router and “GRE tunnel” with IPsec DMVPN.

Note: hosts parameters are not authorized to be changed.

Hello Cole

I think you’ve done a good job in walking through the scenario and concluding that it is an MTU issue. Thanks for being so clear in your description as well.

One more check I would suggest you do is to use a ping sweep with a range of sizes to determine the actual MTU size that is being allowed from end to end. The 1460 size sounds reasonable, but it’s worth doing just to see the maximum that is actually allowed. To find out more about how you can do this (assuming you have a Cisco device on the one end) take a look at this NetworkLessons note. You can do this with Linux devices as well, and even with a Windows PC with the appropriate 3rd party tools. Doing a Google search for the topic brings many results.

Having said that, using PMTUD may be a solution to your particular issue. The pseudowire is applied on R1 and R2, correct? Then yes, you would have to configure PMTUD on those devices. To enable PMTUD, you can use the ip tcp adjust-mss command on the router interfaces. This command adjusts the MSS of TCP packets to account for the additional overhead from the encapsulation protocols. You should set the MSS to the MTU size minus the total encapsulation overhead. You can determine what value to use from the results of your ping sweep.

In order for PMTUD to work however, ICMP must be able to send and receive packets freely. Sometimes such packets are blocked by firewalls or services such as Starlink. Also keep in mind that this command only applies to TCP sessions (which includes your web session). UDP will not be affected by this command.

In this lesson, you can find an example of the ip tcp adjust-mss command. Additional information about resolving such issues using PMTUD can be found here.

Let us know how you get along and if we can be of further help!

I hope this has been helpful!

Laz
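As an added illustration of the "MTU minus total encapsulation overhead" arithmetic Laz describes (this is not code from the thread or from NetworkLessons), the following Python walks a host's TCP segment through the encapsulation stack Cole describes: Ethernet frame into an L2TPv3 pseudowire, then into a DMVPN mGRE tunnel protected by IPsec ESP, and reports the largest MSS that still fits the underlying link. The L2TPv3, GRE and ESP header figures are assumptions about typical options (no cookie, no GRE key, AES-CBC with HMAC-SHA1-96, transport-mode ESP); the inline encryptor overhead is unknown and left as a parameter.

```python
# Added example, not from the thread: estimate how much of the link MTU is left
# for TCP payload once a host frame is carried over an L2TPv3 pseudowire that
# itself rides inside an IPsec-protected DMVPN (mGRE) tunnel, as in Cole's setup.
# IPv4/TCP/Ethernet sizes are fixed; the L2TPv3, GRE and ESP figures are
# assumptions about the tunnel options in use, so adjust them to match your
# own configuration and captures.

IPV4_HDR = 20
TCP_HDR = 20
ETH_HDR = 14          # host Ethernet header carried inside the pseudowire (no FCS)
L2TPV3_HDR = 4        # L2TPv3 session ID, direct IP encapsulation (protocol 115), no cookie
GRE_HDR = 4           # basic GRE header; a tunnel key adds 4 more bytes


def esp_overhead(payload_len, iv=16, icv=12, block=16):
    """ESP overhead for an AES-CBC + HMAC-SHA1-96 SA (assumed defaults):
    SPI + sequence (8) + IV + padding to the block size + pad-length/next-header (2) + ICV."""
    pad = (-(payload_len + 2)) % block
    return 8 + iv + pad + 2 + icv


def outer_packet_size(tcp_payload, cookie=0, gre_key=False, esp_transport=True, extra=0):
    """Bytes on the wire for one TCP segment after L2TPv3, GRE and ESP encapsulation.
    esp_transport=True models DMVPN's usual transport-mode IPsec; extra= covers any
    further inline encryptor overhead (unknown for the thread's hardware)."""
    host_frame = ETH_HDR + IPV4_HDR + TCP_HDR + tcp_payload
    pw_packet = IPV4_HDR + L2TPV3_HDR + cookie + host_frame      # pseudowire packet
    gre_payload = GRE_HDR + (4 if gre_key else 0) + pw_packet    # inside the mGRE tunnel
    if esp_transport:
        protected = gre_payload                  # ESP sits between the outer IP header and GRE
    else:
        protected = IPV4_HDR + gre_payload       # tunnel mode wraps the whole GRE packet
    return IPV4_HDR + protected + esp_overhead(protected) + extra


def fragments(tcp_payload, link_mtu, **kw):
    """True when a segment of this size no longer fits the underlying link MTU."""
    return outer_packet_size(tcp_payload, **kw) > link_mtu


def max_mss(link_mtu, **kw):
    """Largest TCP payload that fits without fragmentation: the value to clamp with ip tcp adjust-mss."""
    mss = link_mtu - 2 * IPV4_HDR - TCP_HDR      # generous upper bound, then shrink
    while mss > 0 and fragments(mss, link_mtu, **kw):
        mss -= 1
    return mss


if __name__ == "__main__":
    print("1460-byte segments fragment on a 1500-byte link:", fragments(1460, 1500))
    print("largest MSS that fits:", max_mss(1500))
```

Feed `max_mss()` the MTU your ping sweep actually found rather than 1500, and pass `extra=` once you have measured the encryptor's contribution from a capture.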

Hey sir, thanks for the assist. We made some good progress. Two different devices responded well to the ip pmtu commands under the pseudowire, dramatically improving performance. However, the third device received the pings (could see them coming back “fragmentation needed” on Wireshark) and upon receipt the host’s port quickly shut down until we reset the host. Unfortunately we can’t modify either host’s settings. We have tried the mss adjust command on any and all ports on both ends that would accept the command, with no change to packet size. 1514-size packets go through, there is just a lot of fragmentation that is slowing down the data: dup ACKs, retransmissions, timeouts, etc. Any follow-on ideas on how to adjust MSS values?

Hello Cole

I’m glad that you made some progress in resolving the issue! Tell me a little bit more about this third device. What kind of device is it? When you see the host’s port shut down, what kind of error message is indicated? The other two devices that work successfully, what have you done there to make them work, and why isn’t that working on the third device? This information will help us to further help you. Let us know when you can!

Thanks!

Laz