L2TPv3 (Layer 2 Tunnel Protocol Version 3)

Hello Costa

Take a look at the Cisco Feature Navigator to find out what IOS versions support the L2TPv3 feature:

https://cfnng.cisco.com/browse/routing/features

As for Cisco IOS images, take a look at this NetworkLessons note on the subject.

I hope this has been helpful!

Laz

Hi Lagapides,

Thanks for your reply.

In fact, what I need is a link where I can download a Cisco IOS that supports L2TPv3.

Can you help?

Thanks in advance,

Lazaros Agapides via NetworkLessons.com Community Forum <forum@networklessons.com> wrote on Thursday, 31/03/2022 at 06:19:

Hello Costa

As stated in the NetworkLessons note on downloading IOS images:

GNS3 emulator software is free, but the related Cisco IOS images you require to use it are not. Cisco owns the copyright on IOS so they can't be shared freely. You'll have to purchase them, or get them from someone who has legal access to them.

If you have purchased the appropriate Cisco support package, you can go to the following Software Download site and get what you need.

https://software.cisco.com/download/home

I hope this has been helpful!

Laz

Hello Rene; can you please tell me how to implement L2TP over IPsec site to site? Do you have any example for that?
Thank you.

Hello Mohammad

Cisco has a detailed document describing how to implement L2TP over IPSec. Take a look at this and if you have more specific questions, please feel free to post them here!

I hope this has been helpful!

Laz

Thanks Lagapides. In the Cisco document they describe L2TP/IPsec between a server and a remote site. My question is how to implement IPsec on the same topology here (site to site)? As I think, we can add a crypto map, transform set and IKEv1 policy to the L2TP configuration that you did on the topology, is this right?
Second question: on the G0/2 interface on Router 1 and Router 2 there is no IP address, and H1, H2 are routers (layer 3) with IP addresses. How will this link between Router 1 and H1 come up without an IP address configured on Router 1's interface? Can we configure G0/2 with an IP address? Can we connect a layer 2 switch to the G0/2 interface, or does this link have to be to a layer 3 router with an IP address?

Sorry for the multiple questions, but I'm a little confused here.
Thank you.

Hello Mohammad

As stated in the documentation shared before:

The primary benefit of configuring L2TP with IPsec/IKEv1 in a remote access scenario is that remote users can access a VPN over a public IP network without a gateway or a dedicated line, which enables remote access from virtually anyplace with POTS. An additional benefit is that no additional client software, such as Cisco VPN client software, is required.

Typically, L2TP with IPSec is used to connect individual clients. The only other scenario that matches more closely to a site to site scenario is the one described in this documentation:

In this case, the tunnel is created between two Cisco routers, however, its purpose is to enable a dial-up client to securely access a remote network.

I don't know if L2TP over IPSec can be used as a site to site VPN solution, I have never seen it implemented this way, nor have I found examples of it, however, it may be possible, with experimentation. A more suitable, simpler, scalable, and all-round better solution is to use one of these:

The list above is not exhaustive, there are more options available, depending on your needs and your topology.

The purpose of L2TP is to create a layer 2 tunnel over a layer 3 infrastructure. In this case, G0/2 of both R1 and R2 are acting as layer 2 interfaces, and that is why they are not assigned IP addresses. You can imagine the combination of R1 and R2 and the L2TP tunnel as one big layer 2 switch.

I hope this has been helpful!

Laz

Thank you Laz very much for the good explanation.


In place of H1 and H2 as PCs can I use routers ? If yes then how ?

Hello Shivam

You can indeed use routers in place of H1 and H2. In fact, in the lesson, H1 and H2 are actually routers! The icons are PCs, but for the sake of the lesson, routers were used. You can see this from the fact that when Rene configures H1 and H2, they are configured using the Cisco command line commands.

I hope this has been helpful!

Laz


Hello, I currently have a working L2TPv3 setup (using this lesson), and it works with a couple of different devices on a layer 2 network, so I know it's configured correctly; however, a third, different device can make a connection but can't download an application from the server on the other end (basically it connects via the webpage and then freezes during the download). I've Wiresharked this connection (when it's actually connected / not over the L2TPv3) and it routinely sends/receives packets that are 1460 in size. I am using an IPsec DMVPN tunnel at the edge routers for the point-to-point network with Starlink. It seems like this combined with the DMVPN, L2TPv3, as well as KG-250X encryptors would grossly exceed the MTU due to all the additional overhead and cause fragmenting. To solve this, does setting PMTU up on the pseudowire and then again at the edge router seem like it would work? Do I need to configure both sides for PMTU? Do I need to do just the pseudowire and not the edge router? In the attached image, replace “MBK” with Starlink and router and “gre tunnel” with IPsec DMVPN.

Note: hosts parameters are not authorized to be changed.

Hello Cole

I think you've done a good job in walking through the scenario and concluding that it is an MTU issue. Thanks for being so clear in your description as well.

One more check I would suggest you do is to use a ping sweep with a range of sizes to determine the actual MTU size that is being allowed from end to end. The 1460 size sounds reasonable, but it's worth doing just to see the maximum that is actually allowed. To find out more about how you can do this (assuming you have a Cisco device on the one end) take a look at this NetworkLessons note. You can do this with Linux devices as well, and even with a Windows PC with the appropriate 3rd party tools. Doing a Google search for the topic brings many results.

Having said that, using PMTUD may be a solution to your particular issue. The pseudowire is applied on R1 and R2, correct? Then yes, you would have to configure PMTUD on those devices. To enable PMTUD, you can use the ip tcp adjust-mss command on the router interfaces. This command adjusts the MSS of TCP packets to account for the additional overhead from the encapsulation protocols. You should set the MSS to the MTU size minus the total encapsulation overhead. You can determine what value to use from the results of your ping sweep.

In order for PMTUD to work however, ICMP must be able to send and receive packets freely. Sometimes such packets are blocked by firewalls or services such as Starlink. Also keep in mind that this command only applies to TCP sessions (which includes your web session). UDP will not be affected by this command.

In this lesson, you can find an example of the ip tcp adjust-mss command. Additional information about resolving such issues using PMTUD can be found here.

Let us know how you get along and if we can be of further help!

I hope this has been helpful!

Laz
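The two steps Laz describes above, the ping sweep to find the real path MTU and the subtraction of the encapsulation overhead to get the value for `ip tcp adjust-mss`, can be worked through in code. The script below is an added example for this thread, not code from the lesson or from any poster. The fixed header sizes (IPv4, TCP, Ethernet, L2TPv3 session ID, GRE) are the standard ones; the 8-byte L2TPv3 cookie, the plain GRE header, IPsec transport mode and the AES-CBC / 16-byte-ICV ESP parameters are assumptions that should be replaced with what a capture of the real tunnel shows. The probe is simulated so that it runs offline; on a real network `probe` would be a DF-bit ping of the given size.

```python
"""MTU probe and TCP MSS calculator for a host behind an L2TPv3 pseudowire
whose underlay is a GRE/IPsec (DMVPN) tunnel.

Added example for the forum thread, not code from the NetworkLessons lesson or
from any poster. Cookie length, GRE header size, IPsec transport mode and the
ESP cipher parameters are assumptions; take the real values from a capture.
"""

# Standard header sizes (bytes)
IPV4_HEADER = 20
TCP_HEADER = 20
ETHERNET_HEADER = 14       # L2TPv3 carries the whole Ethernet frame
L2TPV3_SESSION_ID = 4      # L2TPv3-over-IP session header
L2TPV3_COOKIE = 8          # assumption: 8-byte cookie (0, 4 or 8 are valid)
GRE_HEADER = 4             # assumption: plain GRE, no key or sequence fields

# Assumed ESP parameters: AES-CBC (16-byte IV, 16-byte block) with a 16-byte ICV
ESP_SPI_SEQ = 8
ESP_IV = 16
ESP_BLOCK = 16
ESP_ICV = 16


def esp_overhead(payload_len):
    """Bytes ESP adds around a payload: SPI/sequence header, IV, padding to the
    cipher block size, the 2-byte pad-length/next-header trailer, and the ICV."""
    pad = (-(payload_len + 2)) % ESP_BLOCK   # the 2-byte trailer counts toward alignment
    return ESP_SPI_SEQ + ESP_IV + pad + 2 + ESP_ICV


def wire_size(tcp_payload):
    """Size of the IP datagram leaving the edge router for one TCP segment
    that the host sent with `tcp_payload` bytes of data."""
    frame = ETHERNET_HEADER + IPV4_HEADER + TCP_HEADER + tcp_payload   # what H1 sends
    l2tp = IPV4_HEADER + L2TPV3_SESSION_ID + L2TPV3_COOKIE + frame      # after R1's xconnect
    gre_payload = GRE_HEADER + l2tp                                     # inside the DMVPN tunnel
    # IPsec transport mode: the GRE packet's own IP header stays outside ESP
    return IPV4_HEADER + esp_overhead(gre_payload) + gre_payload


def max_tcp_payload(path_mtu):
    """Largest TCP payload whose fully encapsulated datagram still fits in
    path_mtu; this is the value to give to `ip tcp adjust-mss`. wire_size()
    never decreases as the payload grows, so a downward scan is sufficient."""
    for payload in range(path_mtu, 0, -1):
        if wire_size(payload) <= path_mtu:
            return payload
    raise ValueError("no TCP payload fits in this MTU")


def find_path_mtu(probe, lo=576, hi=9000):
    """Binary search for the largest datagram size `probe` accepts: the ping
    sweep from the thread, automated. probe(size) returns True when a DF-bit
    ping of `size` bytes is answered (Linux: ping -M do -s <size-28> <host>;
    IOS extended ping: size <size> df-bit)."""
    if not probe(lo):
        raise ValueError("even %d-byte datagrams are dropped" % lo)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid          # mid got through; the answer is at least mid
        else:
            hi = mid - 1      # mid was dropped; the answer is below mid
    return lo


def simulated_probe(true_mtu):
    """Stand-in for a real ping (constructed): passes exactly when the
    datagram is no larger than the hidden path MTU."""
    return lambda size: size <= true_mtu


if __name__ == "__main__":
    mtu = find_path_mtu(simulated_probe(1500))     # constructed underlay MTU
    print("probed path MTU:", mtu)
    print("1460-byte segment on the wire:", wire_size(1460), "bytes")
    print("MSS to configure with ip tcp adjust-mss:", max_tcp_payload(mtu))
```

With these assumptions a 1460-byte segment (the 1514-byte frame seen in the capture) becomes a 1612-byte datagram toward Starlink, well over a 1500-byte underlay MTU, which is exactly the fragmentation described in the thread; the MSS that keeps everything under 1500 bytes comes out at 1348. Because ESP pads to the cipher block size, the correct MSS is not simply "MTU minus a constant", which is why the calculator scans rather than subtracting.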

Hey sir, thanks for the assist. We made some good progress. Two different devices responded well to the ip pmtu commands under the pseudowire, dramatically improving performance. However, the third device received the pings (could see them coming back “fragmentation needed” on Wireshark) and upon receipt the host's port quickly shut down until we reset the host. Unfortunately we can't modify either host's settings. We have tried the mss adjust command on any and all ports on both ends that would accept the command, no change to packet size. 1514-size packets go through, there is just a lot of fragmentation that is slowing down the data / dup ACKs / retransmissions / timeouts etc… Any follow-on ideas on how to adjust MSS values?

Hello Cole

I'm glad that you made some progress in resolving the issue! Tell me a little bit more about this third device. What kind of device is it? When you see the host's port shut down, what kind of error message is indicated? The other two devices that work successfully, what have you done there to make them work, and why isn't that working on the third device? This information will help us to further help you. Let us know when you can!

Thanks!

Laz

This is from a beginner's perspective.

How do I stretch VLANs across this routed link using L2TPv3?

VLANs 1-5 reside on the Core as SVIs. So where/how do I setup the xconnect statement to trunk over the VLANs I need over to PC1?

Hello Sean

With the topology that you have shared, it wouldn't make sense to employ L2TPv3. Since you are using switches here, you would simply create a trunk and span the VLANs to the TEST-Warehouse switch.

L2TPv3 comes into play if you have a Layer 3 network composed of several routers, and you want to tunnel Layer 2 traffic over that. Something like this:

(TEST-CORE-SW) -------(R1) -----[LAYER 3 NW FABRIC] -----(R2) -----(TEST-Warehouse-SW)

The L2TPv3 would be configured on the ports on R1 and R2, such that those ports would tunnel your L2 traffic across the Layer 3 network fabric. Does that make sense?

I hope this has been helpful!

Laz

I realize it may not make a lot of sense; but the segment between the 2 switches has to be routed ports between the two.

Knowing this, is it still possible?

I should've annotated the visual better.

G0/0 on both switches are routed ports.

TEST-CORE will have the SVIs for the VLANs. I need to stretch VLAN 5 & 6 through the routed ports and get them to the TEST-WAREHOUSE switch for the PC.

Hello Sean

Ah I see, thanks for making the clarification. There are a couple of things you have to keep in mind:

When you configure L2TPv3, you essentially configure it between two Layer 3 interfaces in an incoming direction. This allows you to configure an L3 underlay network to carry the L2 traffic. In your topology, those interfaces that would be configured with L2TPv3 would be the L3 Gi0/1 interfaces of the two switches. In order to route L2 traffic, you would need additional switches to connect to those two ports with trunk ports. So with just the topology you have, it would not be possible.

Beyond the topological constraints, the other issue is the support of the feature on L3 switches. L2TPv3 is a feature that you primarily see on routers, but some switches do support it, depending on their IOS version.

Doing some research I have found that the older Catalyst 3560 and 3750 series do not support L2TPv3. Some higher-end Catalyst switches, like the Catalyst 6500/6800 with appropriate licensing and supervisor modules, may support L2TPv3. Newer Catalyst 9000 series switches may support L2TPv3, again with the appropriate licensing, but it's still more common on routers. Does that make sense?

I hope this has been helpful!

Laz


Ah… I'm starting to understand more from what you wrote.

Can you please shoot me a topology diagram of the MINIMUM hardware I'd need? I know the 3850s I have support L2TPv3, along with the 2921 routers I have.

Again, I simply need to stretch a couple of VLANs across a routed link… maybe 2 routed links… using minimal hardware to save space in our wall cabinets.

Thanks very much for your input.

@lagapidis, I've created a new lab with 2 switches and 2 routers.

I've successfully created the tunnel and everything works as it should.

Next question: will BPDUs also traverse the tunnel? So if there is a network loop on the far side of the tunnel, will that also send STP packets to cause a root recalculation and bring down the network? I'm assuming it will. I see the tunnel is passing CDP as if the routers in between aren't even there.