This article explores the technical behavior of Pseudo-wire Ethernet connectivity and its operations. Using L2TPv3 (Layer 2 Tunneling Protocol version 3), a network engineer can emulate a point-to-point remote connection for VPNs; it is also possible to transport Layer-2 protocols in a pseudo-wire configuration, including the transportation of MPLS Layer-3 VPN traffic, and it also supports IPv6 transportation over an IPv4 backbone network.
In this article, we will examine the one of the best deployments of L2TPv3, i.e., pseudo-wire, an emulated point-to-point circuit across backbone layer-3 network. Most service providers use this technology to connect two or more distributed clients without depending on MPLS cloud; L2TPv3 is also very functional for extending layer-2 segments to reduce network operational cost and overhead to meet the best of the network’s feasibilities.
Before implementing Layer 2 Tunnel Protocol Version 3 (L2TPv3), the following configuration must be done:
The CEF feature must be enabled over Cisco devices.
A loopback interface with a valid IP address must be configured on the source and destination router for the L2TPv3 traffic.
Loopbacks must be reachable between these edge routers (mostly PEs).
I know L2TPv3 deployment might be new for many of you; that’s why I have designed a hands-on lab to break the barriers of learning this technology. Fig. 1 shows a general set-up between a client and service provider situated in USA.
Note: I have designed a GNS3 file for the same that can be downloaded with a download link posted here.
Scenario (Refer to Fig 1):
A service provider (without MPLS backbone) in the USA has to implement a pseudo-wire connection between New York and Chicago to emulate a point-to-point remote connection for establishing a VPN for one of its clients so that client’s HQ (in New York) can have a multi-traffic communication with its branch office, named Site-A (in Chicago). The following configurations are preconfigured on given topology:
IP CEF is enabled.
Required IP addresses are preconfigured on all devices.
Service provider’s cloud is configured with proper OSPF implementation with process-id 1 and area 0.
Both PEs are having loopback to loopback IP-reachability (220.127.116.11 to 18.104.22.168).
Configure a L2TPv3 tunnel between PE1 (New York) and PE2 (Chicago) to establish remote access VPN (Ethernet-based) from a company’s HQ (i.e., CE1) to its remote branch Site-A (i.e., CE2)
PE1# ping 22.214.171.124 source 126.96.36.199
First we have to ensure the end to end reachability between PE1 (New York) & PE2 (Chicago); the following command might be useful to check this:
PE1# ping 188.8.131.52 source 184.108.40.206
If you get echo replies from PE2 router, it means the provider’s network is fine with its internal connectivity, and I am sure you will get the echo replies in response to the ping command because everything is properly configured with the above GNS3 file.
An L2TPv3 VPN can be deployed with the following simple steps:
Step 1: Create pseudo-wire class on PE routers (PE1 and PE2 in my topology); the following set of commands is required to configure a pseudo-wire class:
Router(config)# pseudowire-class Router(config)# encapsulation l2tpv3 Router(config)# ip local interface
The pseudo-wire class name can be different on both PE routers and the interface-id should be source loopback id.
Step 2: Configure xconnect peering between PE routers (over the interfaces which are connected to CE routers), as shown in Fig. 2 below:
Router(config)# interface Router(config)# xconnect encapsulation l2tpv3 pw-class
Note: The virtual circuit identification number (vc-id) must be the same at both ends of the pseudo-wire peers and the class name must be properly configured, as it is case-sensitive.
So, what we are waiting for? Let’s complete the given objective; the following set of commands will be required to establish L2TPv3 VPN between PE1 & PE2:
PE1(config)# pseudowire-class infosec /** here I am using class name as “infosec” PE1(config-pw-class)# encapsulation l2tpv3 PE1(config-pw-class)# ip local interface Loopback0 PE1(config-pw-class)# exit PE1(config)# interface FastEthernet0/0 PE1(config-if)# xconnect 220.127.116.11 123 encapsulation l2tpv3 pw-class infosec /** vc-id is 123 PE1(config-if-xconn)#exit PE1(config-if)#exit
PE2(config)# pseudowire-class infosec /** here I am using class name as “infosec” PE2(config-pw-class)# encapsulation l2tpv3 PE2(config-pw-class)# ip local interface Loopback0 PE2(config-pw-class)# exit PE2(config)# interface FastEthernet0/0 PE2(config-if)# xconnect 18.104.22.168 123 encapsulation l2tpv3 pw-class infosec /** vc-id is 123 PE2(config-if-xconn)#exit PE2(config-if)#exit
After configuring the above commands; you can verify your VPN status using commands “show l2tp tunnel” and “show l2tp session.” I am sure you will see the following outputs after executing these show commands.
Verification checks at PE routers
Figure 3 displays the output result of “show l2tp tunnel” and you can see the status of L2TPv3 connection as established with destination peer 22.214.171.124 on router PE1.
Figure 4 displays the output result of “show l2tp session” on router PE1, here you can see that VPN state is established and it is also showing the information of virtual circuit id, that is, 123:
Verification checks at Client end
Figure 5 displays the list of CDP neighbors on router CE1 and it is clearly showing router CE2 as its CDP neighbor with its local interface “f0/0,” which means routers CE1 & CE2 are logically connected.
Figure 6 displays the verification of its logical end to end connectivity between CE1 to CE2 with “ping” and “trace” command.
As you know, it supports multi-protocol transportation, including IPv6. So if you just configure IPv6 addresses on CE routers, L2TPv3 will also process IPv6 transportation without involving any additional configuration over the service provider’s cloud and it can be verified using the following configuration:
Step A: Configure IPv6 addresses on CE routers over interfaces connected to the Provider’s routers (the following set of commands can be used as reference to configure IPv6 addresses):
CE1(config)# interface FastEthernet0/0 CE1(config-if)# ipv6 address 2001:12::1/112 CE1(config-if)#exit
CE2(config)# interface FastEthernet0/0 CE2(config-if)# ipv6 address 2001:12::2/112 CE2(config-if)#exit
Step B: Verify CE1 to CE2 IPv6 transportation using “ping” or “traceroute” commands
Figure 7 displays the output result of testing command “ping 2001:12::2 source 2001:12::1” from router CE1 to CE2 (2001:12::2) and you can see the result with 100% success rate in following figure.
Benefits of Using L2TPv3
- Easy deployment
- Industry standard tunneling protocol
- Can be deployed without MPLS backbone, means more revenue
Supports multi traffic payloads for, e.g., “transport IPv6 over IPv4 backbone or vice-versa”
Most service providers use L2TPv3 or MPLS-based pseudo-wires to offer Ethernet services where Enterprises use pseudo-wire connectivity to extend layer-2 circuits over their layer-3 networks. I hope this article will be a great help for those who always wanted to learn a hands-on L2TPv3 implementation and I hope that you have gained some new conceptual technical knowledge from this article. I will try to publish some more articles on L2TP technologies with practical deployments.
Now it’s your time to write feedback and comments about the throughput of this article. I am eagerly waiting to read your feedback and you can also share your Intenseschool.com experience.
And don’t forget to spread the link to this article on your Facebook, Twitter & LinkedIn so that the maximum of people can get this exclusive piece of information. Keep reading @ Instanseschool.com and you can join our Facebook group, http://www.facebook.com/intenseschool, to get updates on new posts.
Apart from my work experience & knowledge, the following sources helped me a lot in designing this exclusive content.
Layer 2 VPN Architectures (Cisco Press) written by Dmitry Bokotey, Wei Luo, Anthony Chan and Carlos Pignataro
L2TP: Implementation and Operation by Richard Shea
PPP and L2TP: Remote Access Communications by Uyless D. Black