Cisco881G l2tpv3
For the last week im trying to accomplish a tunnel between a dynamic 3g cellular ip and our outside company ip.
So far seen the only way to make this work is by using l2tpv3 client initiated dynamic tunneling.
so far i need an answer for some for others maybe simple questions. is l2tpv3 the good technique to make a tunnel over a cellular network? because with ipsec gre i need to provide my client and host while my client ip is dynamic in a cellular network.
So far i am trying to understand the technique but missing some key elements.
Using xconnect as a dynamic session setup i am trying to talk to my endpunt of the tunnel but where does the ip address of the endpunt go?
here is what i have worked out so far:
Router#show running-config
Building configuration...
Current configuration : 1832 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Router
boot-start-marker
boot-end-marker
logging message-counter syslog
no aaa new-model
ip source-route
ip cef
l2tp-class Company.Class.To.Mainsite
authentication
password 7 111A1C0605171F
no ipv6 cef
multilink bundle-name authenticated
chat-script internet "" "ATDT*99*1#" TIMEOUT 30 CONNECT
archive
log config
hidekeys
pseudowire-class Company.PW.To.Mainsite
encapsulation l2tpv3
protocol l2tpv3 Company.Class.To.Mainsite
ip local interface Loopback0
interface Loopback0
ip address 2.2.2.2 255.255.255.255
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
no ip address
shutdown
duplex auto
speed auto
interface Cellular0
no ip address
ip virtual-reassembly
encapsulation ppp
load-interval 60
dialer in-band
dialer pool-member 1
dialer-group 1
async mode interactive
interface Vlan1
no ip address
xconnect 100.200.100.200 123 encapsulation l2tpv3 pw-class Company.PW.To.Mainsite
interface Dialer1
ip address negotiated
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer string internet
dialer persistent
dialer-group 1
ppp authentication chap callin
ppp chap hostname dummy
ppp chap password 0 dummy
ppp ipcp dns request
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
control-plane
line con 0
no modem enable
line aux 0
line 3
exec-timeout 0 0
password cisco
script dialer internet
login
modem InOut
no exec
transport input all
line vty 0 4
login
scheduler max-task-time 5000
end
For the last week im trying to accomplish a tunnel between a dynamic 3g cellular ip and our outside company ip.
So far seen the only way to make this work is by using l2tpv3 client initiated dynamic tunneling.
so far i need an answer for some for others maybe simple questions. is l2tpv3 the good technique to make a tunnel over a cellular network? because with ipsec gre i need to provide my client and host while my client ip is dynamic in a cellular network.
So far i am trying to understand the technique but missing some key elements.
Using xconnect as a dynamic session setup i am trying to talk to my endpunt of the tunnel but where does the ip address of the endpunt go?
here is what i have worked out so far:
Router#show running-config
Building configuration...
Current configuration : 1832 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Router
boot-start-marker
boot-end-marker
logging message-counter syslog
no aaa new-model
ip source-route
ip cef
l2tp-class Company.Class.To.Mainsite
authentication
password 7 111A1C0605171F
no ipv6 cef
multilink bundle-name authenticated
chat-script internet "" "ATDT*99*1#" TIMEOUT 30 CONNECT
archive
log config
hidekeys
pseudowire-class Company.PW.To.Mainsite
encapsulation l2tpv3
protocol l2tpv3 Company.Class.To.Mainsite
ip local interface Loopback0
interface Loopback0
ip address 2.2.2.2 255.255.255.255
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
no ip address
shutdown
duplex auto
speed auto
interface Cellular0
no ip address
ip virtual-reassembly
encapsulation ppp
load-interval 60
dialer in-band
dialer pool-member 1
dialer-group 1
async mode interactive
interface Vlan1
no ip address
xconnect 100.200.100.200 123 encapsulation l2tpv3 pw-class Company.PW.To.Mainsite
interface Dialer1
ip address negotiated
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer string internet
dialer persistent
dialer-group 1
ppp authentication chap callin
ppp chap hostname dummy
ppp chap password 0 dummy
ppp ipcp dns request
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
control-plane
line con 0
no modem enable
line aux 0
line 3
exec-timeout 0 0
password cisco
script dialer internet
login
modem InOut
no exec
transport input all
line vty 0 4
login
scheduler max-task-time 5000
end
Similar Messages
-
IPSec secured L2TPv3 - one way traffic in L2 tunnel
Sigh... after 7 hours battling coming here because I've exhausted all my options to find an answer for my problem.
So here is the topology - standard (boring) IPSec secured L2TPv3 tunnel: on one side - 897 connected to a DSL box, on another side - 1921 with two interfaces.
Purpose to setup a plain L2TPv3 tunnel between those locations so computers plugged into the 897's 8-port switch interface can communicate with number of devices connected to 1921 on other side.
897:
crypto ikev2 keyring key1
peer destination_ip_address
address local_outside_ip_address
pre-shared-key key
crypto ikev2 profile default
match identity remote address 1921_outside_ip_address 255.255.255.255
identity local address 897_outside_ip_address
authentication remote pre-share
authentication local pre-share
keyring local key1
crypto ikev2 dpd 30 3 periodic
controller VDSL 0
ip ssh rsa keypair-name router-key
ip ssh version 2
pseudowire-class DZD
encapsulation l2tpv3
ip local interface Loopback1
ip pmtu
ip dfbit set
ip tos reflect
crypto ipsec transform-set default esp-aes esp-sha-hmac
mode tunnel
crypto ipsec df-bit set
crypto map local 1 ipsec-isakmp
set peer 1921_outside_ip_address
set ikev2-profile default
match address 130
interface Loopback1
ip address 172.16.1.1 255.255.255.255
interface ATM0
no ip address
no atm ilmi-keepalive
interface Ethernet0
no ip address
interface GigabitEthernet0
no ip address
interface GigabitEthernet1
no ip address
interface GigabitEthernet2
no ip address
interface GigabitEthernet3
no ip address
xconnect 172.16.1.2 1 encapsulation l2tpv3 pw-class DZD
interface GigabitEthernet4
no ip address
interface GigabitEthernet5
no ip address
interface GigabitEthernet6
no ip address
interface GigabitEthernet7
no ip address
interface GigabitEthernet8
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
interface Wlan-GigabitEthernet8
no ip address
interface wlan-ap0
description Embedded Service module interface to manage the embedded AP
ip unnumbered Vlan1
interface Vlan1
ip address 10.97.2.29 255.255.255.0
interface Dialer1
mtu 1492
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ipv6 address autoconfig
ppp authentication pap callin
ppp pap sent-username DSL_username password DSL_password
crypto map local
ip forward-protocol nd
ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 Dialer1
access-list 130 permit ip host 172.16.1.1 host 172.16.1.2
dialer-list 1 protocol ip permit
c897#
1921:
crypto ikev2 keyring key1
peer 897_outside_ip_address
address 897_outside_ip_address
pre-shared-key key
crypto ikev2 profile default
match identity remote address 897_outside_ip_address 255.255.255.255
identity local address 1921_outside_ip_address
authentication remote pre-share
authentication local pre-share
keyring local key1
crypto ikev2 dpd 30 3 periodic
ip ssh version 2
lldp run
pseudowire-class ZRH
encapsulation l2tpv3
ip local interface Loopback1
ip pmtu
ip dfbit set
ip tos reflect
crypto ipsec transform-set default esp-aes esp-sha-hmac
mode tunnel
crypto ipsec df-bit set
crypto map local 1 ipsec-isakmp
set peer 897_outside_ip_address
set ikev2-profile default
match address 130
interface Loopback1
ip address 172.16.1.2 255.255.255.255
interface Embedded-Service-Engine0/0
no ip address
interface GigabitEthernet0/0
description WAN-ACC
ip address 1921_outside_ip_address 255.255.255.0
duplex auto
speed auto
crypto map local
interface GigabitEthernet0/1
description LAN-Trunk
no ip address
duplex auto
speed auto
xconnect 172.16.1.1 1 encapsulation l2tpv3 pw-class ZRH
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 default_gateway_of_1921
logging host 10.96.2.21
access-list 130 permit ip host 172.16.1.2 host 172.16.1.1
pnc01921#
Note - 1921 is connected to the Nexus 2248TP FEX, here is the config of the interface of the FEX:
pnc00001# sh run int e101/1/6
!Time: Thu May 1 06:15:02 2014
version 5.0(3)N2(2b)
interface Ethernet101/1/6
switchport access vlan 702
Now, IPsec tunnel comes up and does pass traffic - I can ping from one l1 another l1, below is the output from 897:
sh cry ike sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 897_outside_ip_address/500 1921_outside_ip_address/500 none/none READY
Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/76 sec
IPv6 Crypto IKEv2 SA
#sh cry ips sa
interface: Dialer1
Crypto map tag: local, local addr 897_outside_ip_address
protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.16.1.2/255.255.255.255/0/0)
current_peer 1921_outside_ip_address port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
#pkts decaps: 51, #pkts decrypt: 51, #pkts verify: 51
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 897_outside_ip_address, remote crypto endpt.: 1921_outside_ip_address
path mtu 1492, ip mtu 1492, ip mtu idb Dialer1
current outbound spi: 0x852BF1F2(2234249714)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x5D9DFB1A(1570634522)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: Onboard VPN:2, sibling_flags 80000040, crypto map: local
sa timing: remaining key lifetime (k/sec): (4190855/3504)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x852BF1F2(2234249714)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: Onboard VPN:1, sibling_flags 80000040, crypto map: local
sa timing: remaining key lifetime (k/sec): (4190863/3504)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
#ping 172.16.1.2 sour l1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/23/24 ms
Now, L2 tunnel shows to be up on both ends as well (output from 897 here)
#sh xconnect all
Legend: XC ST=Xconnect State S1=Segment1 State S2=Segment2 State
UP=Up DN=Down AD=Admin Down IA=Inactive
SB=Standby RV=Recovering NH=No Hardware
XC ST Segment 1 S1 Segment 2 S2
------+---------------------------------+--+---------------------------------+--
UP ac Gi3(Ethernet) UP l2tp 172.16.1.2:1 UP
However, if you look at detailed output of l2tunn, you will see that the tunnel receives traffic from 1921, but does not send anything:
#sh l2tun tunnel all
L2TP Tunnel Information Total tunnels 1 sessions 1
Tunnel id 3504576447 is up, remote id is 2898810219, 1 active sessions
Locally initiated tunnel
Tunnel state is established, time since change 00:19:34
Tunnel transport is IP (115)
Remote tunnel name is pnc01921
Internet Address 172.16.1.2, port 0
Local tunnel name is pnc0DRZD
Internet Address 172.16.1.1, port 0
L2TP class for tunnel is l2tp_default_class
Counters, taking last clear into account:
0 packets sent, 763 received
0 bytes sent, 65693 received
Last clearing of counters never
Counters, ignoring last clear:
0 packets sent, 763 received
0 bytes sent, 65693 received
Control Ns 18, Nr 9
Local RWS 512 (default), Remote RWS 512 (max)
Control channel Congestion Control is disabled
Tunnel PMTU checking enabled
Retransmission time 1, max 1 seconds
Unsent queuesize 0, max 0
Resend queuesize 0, max 2
Total resends 0, ZLB ACKs sent 8
Total out-of-order dropped pkts 0
Total out-of-order reorder pkts 0
Total peer authentication failures 0
Current no session pak queue check 0 of 5
Retransmit time distribution: 0 0 0 0 0 0 0 0 0
Control message authentication is disabled
Mirrored situation on other side - 1921 sends packets, but nothing is received:
pnc01921#sh l2tun tunnel all
L2TP Tunnel Information Total tunnels 1 sessions 1
Tunnel id 2898810219 is up, remote id is 3504576447, 1 active sessions
Remotely initiated tunnel
Tunnel state is established, time since change 00:21:15
Tunnel transport is IP (115)
Remote tunnel name is pnc0DRZD
Internet Address 172.16.1.1, port 0
Local tunnel name is pnc01921
Internet Address 172.16.1.2, port 0
L2TP class for tunnel is l2tp_default_class
Counters, taking last clear into account:
815 packets sent, 0 received
69988 bytes sent, 0 received
Last clearing of counters never
Counters, ignoring last clear:
815 packets sent, 0 received
69988 bytes sent, 0 received
Control Ns 9, Nr 20
Local RWS 1024 (default), Remote RWS 512
Control channel Congestion Control is disabled
Tunnel PMTU checking enabled
Retransmission time 1, max 1 seconds
Unsent queuesize 0, max 0
Resend queuesize 0, max 1
Total resends 0, ZLB ACKs sent 18
Total out-of-order dropped pkts 0
Total out-of-order reorder pkts 0
Total peer authentication failures 0
Current no session pak queue check 0 of 5
Retransmit time distribution: 0 0 0 0 0 0 0 0 0
Control message authentication is disabled
There is a Windows box plugged into 897's G3 with IP address 10.97.2.25. I can ping from it 897's VLAN1 at 10.97.2.29. However I can't ping anything across the L2TPv3 tunnel. At the same time on that Windows box I can see broadcast traffic coming across the tunnel.
I give up. Anyone has some reasonable suggestion what might be wrong? I suspect that something is wrong at 897's side.
One last question - how can I create svi on 1921 and assign ip address from 10.97.2.0/24 network on it?Anybody? Opened ticket #630128425, no response from Cisco yet..
-
L2TPv3 tunnel up but pings are failing
Hi,
I have configured an L2TP tunnel between loopbacks on an ASR1004 and an ASR1001. The tunnel gets established, and even shows me some two-way traffic counters (they don't increment in line with ICMP requests so don't know if they represent my ping attempts per se).
When I generate ICMP traffic, I learn MAC addresses on both ends, including within the ARP tables on the hosts. However, the pings time out. I have attached a diagram and have pasted some show outputs below.
Any ideas or suggestions would be greatly appreciated, thanks!
Wlg-COR-02#show ver
Cisco IOS Software, IOS-XE Software (X86_64_LINUX_IOSD-UNIVERSAL-M), Version 15.1(1)S, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Mon 22-Nov-10 12:32 by mcpre
Cisco IOS-XE software, Copyright (c) 2005-2010 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.
ROM: IOS-XE ROMMON
Wlg-COR-02 uptime is 2 weeks, 6 days, 14 hours, 59 minutes
Uptime for this control processor is 2 weeks, 6 days, 15 hours, 0 minutes
System returned to ROM by reload at 17:33:31 NZST Tue Aug 12 2014
System restarted at 00:22:39 NZDT Thu Oct 9 2014
System image file is "bootflash:/asr1001-universal.03.02.00.S.151-1.S.bin"
Last reload reason: PowerOn
License Info:
License UDI:
Device# PID SN UDI
*0 ASR1001 JAE15290CAP ASR1001:JAE15290CAP
License Package Information for Module:'asr1001'
Module name Image level Priority Configured Valid license
asr1001 adventerprise 1 NO adventerprise
advipservices 2 NO advipservices
ipbase 3 NO ipbase
Current License Level: advipservices
cisco ASR1001 (1RU) processor with 1217912K/6147K bytes of memory.
4 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
7782399K bytes of eUSB flash at bootflash:.
Configuration register is 0x2102
Wlg-COR-02#show l2tun session all
L2TP Session Information Total tunnels 1 sessions 1
Session id 3769661188 is up, logical session id 65548, tunnel id 3529463940
Remote session id is 1878828549, remote tunnel id 1043662242
Remotely initiated session
Unique ID is 12
Session Layer 2 circuit, type is Ethernet Vlan, name is Port-channel2.532:532
Session vcid is 532
Circuit state is UP
Local circuit state is UP
Remote circuit state is UP
Call serial number is 2074100010
Remote tunnel name is Air-COR-01
Internet address is 210.48.12.100
Local tunnel name is Wlg-COR-02
Internet address is 210.48.12.105
IP protocol 115
Session is L2TP signaled
Session state is established, time since change 03:41:52
57 Packets sent, 48 received
8190 Bytes sent, 6645 received
Last clearing of counters never
Counters, ignoring last clear:
57 Packets sent, 48 received
8190 Bytes sent, 6645 received
Receive packets dropped:
out-of-order: 0
other: 0
total: 0
Send packets dropped:
exceeded session MTU: 0
other: 0
total: 0
DF bit off, ToS reflect disabled, ToS value 0, TTL value 255
Sending UDP checksums are disabled
Received UDP checksums are verified
No session cookie information available
FS cached header information:
encap size = 24 bytes
45000014 00000000 ff73fe48 d2300c69
d2300c64 6ffca605
Sequencing is off
Conditional debugging is disabled
SSM switch id is 8197, SSM segment id is 8201
Wlg-COR-02#
Wlg-COR-02#
Wlg-COR-02#show run inter
Wlg-COR-02#show run interface Po2.532
Building configuration...
Current configuration : 123 bytes
interface Port-channel2.532
encapsulation dot1Q 532
xconnect 210.48.12.100 532 encapsulation l2tpv3 pw-class l2tp
end
Wlg-COR-02#
Wlg-COR-02#
Wlg-COR-02#show run | beg pseudowire
pseudowire-class mpls-ethernet
encapsulation mpls
interworking ethernet
pseudowire-class l2tp
encapsulation l2tpv3
ip local interface Loopback4770
Air-COR-01#show version
Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVIPSERVICESK9-M), Version 15.2(4)S4, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Sun 01-Sep-13 09:53 by mcpre
IOS XE Version: 03.07.04.S
Cisco IOS-XE software, Copyright (c) 2005-2013 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.
ROM: IOS-XE ROMMON
Air-COR-01 uptime is 35 weeks, 1 day, 15 hours, 26 minutes
Uptime for this control processor is 35 weeks, 1 day, 15 hours, 29 minutes
System returned to ROM by reload at 23:57:45 NZDT Mon Feb 24 2014
System restarted at 00:01:45 NZDT Tue Feb 25 2014
System image file is "bootflash:asr1000rp1-advipservicesk9.03.07.04.S.152-4.S4.bin"
Last reload reason: Reload Command
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
cisco ASR1004 (RP1) processor with 1688640K/6147K bytes of memory.
Processor board ID FOX1544G2KE
16 Gigabit Ethernet interfaces
4 Ten Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
937983K bytes of eUSB flash at bootflash:.
39004543K bytes of SATA hard disk at harddisk:.
Configuration register is 0x2102
Air-COR-01#show l2tun session all
L2TP Session Information Total tunnels 1 sessions 1
Session id 1878828549 is up, logical session id 42736, tunnel id 1043662242
Remote session id is 3769661188, remote tunnel id 3529463940
Locally initiated session
Unique ID is 0
Session Layer 2 circuit, type is Ethernet Vlan, name is Port-channel2.532:532
Session vcid is 532
Circuit state is UP
Local circuit state is UP
Remote circuit state is UP
Call serial number is 2074100010
Remote tunnel name is Wlg-COR-02
Internet address is 210.48.12.105
Local tunnel name is Air-COR-01
Internet address is 210.48.12.100
IP protocol 115
Session is L2TP signaled
Session state is established, time since change 03:47:28
48 Packets sent, 58 received
6645 Bytes sent, 8437 received
Last clearing of counters never
Counters, ignoring last clear:
48 Packets sent, 58 received
6645 Bytes sent, 8437 received
Receive packets dropped:
out-of-order: 0
other: 0
total: 0
Send packets dropped:
exceeded session MTU: 0
other: 0
total: 0
DF bit off, ToS reflect disabled, ToS value 0, TTL value 255
Sending UDP checksums are disabled
Received UDP checksums are verified
No session cookie information available
FS cached header information:
encap size = 24 bytes
45000014 00000000 ff73fe48 d2300c64
d2300c69 e0b07704
Sequencing is off
Conditional debugging is disabled
SSM switch id is 14061, SSM segment id is 5875
%No active PPTP tunnels
Air-COR-01#
Air-COR-01#
Air-COR-01#
Air-COR-01#
Air-COR-01#show run int
Air-COR-01#show run interface Po2.532
Building configuration...
Current configuration : 123 bytes
interface Port-channel2.532
encapsulation dot1Q 532
xconnect 210.48.12.105 532 encapsulation l2tpv3 pw-class l2tp
end
Air-COR-01#
Air-COR-01#
Air-COR-01#show run | beg pseudowire
pseudowire-class l2tp
encapsulation l2tpv3
ip local interface Loopback4770
air-agg-1-1#show mac address-table vlan 532
Legend: * - primary entry
age - seconds since last seen
n/a - not available
S - secure entry
R - router's gateway mac address entry
D - Duplicate mac address entry
Displaying entries from DFC switch [1] linecard [1]:
vlan mac address type learn age ports
----+----+---------------+-------+-----+----------+-----------------------------
532 0050.569e.681d dynamic Yes 150 Po7
532 0050.5695.0f0c dynamic Yes 320 Po7
R 532 0008.e3ff.fc04 static No - Router
WLG-AGG-01#show mac address-table vlan 532
Mac Address Table
Vlan Mac Address Type Ports
All 0100.0ccc.cccc STATIC CPU
All 0100.0ccc.cccd STATIC CPU
All 0180.c200.0000 STATIC CPU
All 0180.c200.0001 STATIC CPU
All 0180.c200.0002 STATIC CPU
All 0180.c200.0003 STATIC CPU
All 0180.c200.0004 STATIC CPU
All 0180.c200.0005 STATIC CPU
All 0180.c200.0006 STATIC CPU
All 0180.c200.0007 STATIC CPU
All 0180.c200.0008 STATIC CPU
All 0180.c200.0009 STATIC CPU
All 0180.c200.000a STATIC CPU
All 0180.c200.000b STATIC CPU
All 0180.c200.000c STATIC CPU
All 0180.c200.000d STATIC CPU
All 0180.c200.000e STATIC CPU
All 0180.c200.000f STATIC CPU
All 0180.c200.0010 STATIC CPU
All ffff.ffff.ffff STATIC CPU
532 0050.5695.0f0c DYNAMIC Po2
532 0050.569e.681d DYNAMIC Po4
Total Mac Addresses for this criterion: 22
WLG-AGG-01#What does your ACL statement look like for defining access from your Celerra_Replication network, to your GP_Celerra_Replication network?
Also, do you reference that ACL in your crypto map?
A sanitized config may help me help you
-Chris -
Are L2TPv3 endpoints not supported to source from VRFs?
Hi,
I have a customer that needs to tunnel serial data from remote sites to a central site. This serial data is HDLC encapsulated and the remote site has a Cisco 1921 router with HWIC4A/S.
The central router is a Cisco 2951, also with HWIC4A/S.
This customer has several VPNs carried by a service provider through MPLS. One VPN is for operational traffic, one is for test traffic and so on.
They want to send the tunneled traffic through the operational VPN on the router doing tunneling through VRF lite. This does however not seem to be supported but I can't find any restrictions in the Cisco documentation.
Here is a working configuration:
pseudowire-class PW
encapsulation l2tpv3
sequencing transmit
protocol none
ip local interface loopback0
ip tos value 128
ip ttl 10
interface Loopback0
ip address x.x.x.x 255.255.255.255
interface Serial0/0/0
description ### redacted ###
no ip address
no keepalive
ignore dtr
clock rate 19200
no cdp enable
xconnect y.y.y.y 1001 encapsulation l2tpv3 manual pw-class PW
l2tp id 61001 101
redacted#show l2tun session all
Session id 61001 is up, logical session id 65668, tunnel id n/a
Remote session id is 101, remote tunnel id n/a
Locally initiated session
Unique ID is 24
Session Layer 2 circuit, type is HDLC, name is Serial0/0/0
Session vcid is 1001
Circuit state is UP
Local circuit state is UP
Remote circuit state is UP
Call serial number is 0
Remote tunnel name is
Internet address is y.y.y.y
Local tunnel name is
Internet address is x.x.x.x
IP protocol 115
Session is manually signaled
Session state is established, time since change 19:04:36
1087277 Packets sent, 0 received
21281118 Bytes sent, 0 received
Last clearing of counters never
Counters, ignoring last clear:
1087277 Packets sent, 0 received
21281118 Bytes sent, 0 received
Receive packets dropped:
out-of-order: 0
other: 0
total: 0
Send packets dropped:
exceeded session MTU: 0
other: 0
total: 0
DF bit off, ToS reflect disabled, ToS value 128, TTL value 10
Sending UDP checksums are disabled
Received UDP checksums are verified
No session cookie information available
FS cached header information:
encap size = 28 bytes
45800014 00000000 0a738706 0a741822
0a74fbe7 00000065 00000000
Sequencing is on
Ns 1087268, Nr 0, 0 out of order packets received
Packets switched/dropped by secondary path: Tx 0, Rx 0
Conditional debugging is disabled
SSM switch id is 4226, SSM segment id is 12422
The traffic is unidirectional so it's expected to only have packets sent and not received. This works fine. However, if put the loopback in a VRF, the tunnel still comes up but no traffic is forwarded.
int loopback 0
ip vrf forwarding OPER
This would stop the traffic from passing through the tunnel. I suspect that the Cisco implementation of L2TPv3 is not VRF aware but have been unable to get any confirmation so far.
Has anyone else tried to deploy this when sourcing from a VRF?Hi All,
I could solve it myself. Thanks for the time.
The problem was I tried to navigate directly from the component ''BT125H_TASK' to the component 'CRMCMP_CMG', as I could not find any parent for BT125H_TASK earlier.
Now I could find its parent component which is 'BT110M_ACT'.
The outbound plug created in the task component has to be added to the component usage of 'BT110M_ACT' and the delegation should be done. The other things are the same. It works fine.
Regards
Vidhya -
L2tpv3 dialing from cisco router
I have requirement where customer wants ip dialing to LNS from cisco router with the help of l2tpv3.
Could anyone tell me how to configure this.
regards
shivlu jainHello Shivlu,
in one of our routers the backup link is configured in this way
pseudowire-class netvision-l2tp
encapsulation l2tpv2
interface Virtual-PPP1
description NETVISION DIALER
ip address negotiated
ip nat outside
ip virtual-reassembly
no cdp enable
ppp pap sent-username password 0 41003827
pseudowire x.x.x.x 2 pw-class netvision-l2tp
crypto map VPN_MAP
where x.x.x.x is a public ip address
ip route x.x.x.x 255.255.255.255 g0/1
completes this solution where this g0/1
sh run int gi0/1
Building configuration...
Current configuration : 157 bytes
interface GigabitEthernet0/1
description CONNECTION TO CABLE MODEM
ip address dhcp
ip virtual-reassembly
duplex auto
speed auto
media-type rj45
end
and it receives a private ip address from DHCP on a cable modem access network.
but it uses l2tpv2 not L2tpv3 and I've always seen l2tpv2 in this context.
Hope to help
Giuseppe -
I have created L2TPv3 tunnel between two routers. Now i don't know that the tunnel is up or down. I have run the command but it is giving the following output:
R2#show l2tp tunnel
%No active L2TP tunnels
Can anyone tell me how can we check L2TPv3 tunnel is up or down?
Is there any show command or debug command to check the status of tunnel?
Regards,
Mukesh Kumar
Network Engineer
Spooster IT ServicesMukesh,
The only problem I can see is that you have VLAN 5 on the subinterface, but not on the main interface, this means that the traffic might not get to the other end due to the Dot1q encapsulation. If you were to set both to the same dot1q tag it should come up.
Regards,
Alex Sanchez
CCIE R&S #37454 -
L2TPv3 on a 3900-SPE200/K9
Hi... Im trying to configure a l2tpv3 tunnel between a ASR1001 and a C3925. Im not able to find the way to activate te command pseudowire-class on the 3925. I try installing a license for security and data, but still nothing... Any clues?
Cisco IOS Software, C3900e Software (C3900e-UNIVERSALK9-M), Version 15.2(4)M4, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Thu 20-Jun-13 14:38 by prod_rel_team
ROM: System Bootstrap, Version 15.1(1r)T5, RELEASE SOFTWARE (fc1)
TEST-OSPF uptime is 23 hours, 43 minutes
System returned to ROM by reload at 14:55:47 UTC Thu Mar 26 2015
System image file is "flash0:c3900e-universalk9-mz.SPA.152-4.M4.bin"
Last reload type: Normal Reload
Last reload reason: Reload Command
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
Cisco CISCO3925-CHASSIS (revision 1.0) with C3900-SPE200/K9 with 755712K/292864K bytes of memory.
Processor board ID FTX1740AHUY
4 Gigabit Ethernet interfaces
DRAM configuration is 72 bits wide with parity enabled.
256K bytes of non-volatile configuration memory.
250880K bytes of ATA System CompactFlash 0 (Read/Write)
License Info:
License UDI:
Device# PID SN
*0 C3900-SPE200/K9 FOC173466SN
Technology Package License Information for Module:'c3900e'
Technology Technology-package Technology-package
Current Type Next reboot
ipbase ipbasek9 Permanent ipbasek9
security None None None
uc None None None
data None None None -
Good morning everyone.... I was wondering if someone could help me out with this?
I have setup a dev lab setup to test some stuff out before I go forward and move to production but I have hit a brick wall...
Here is a general setup Diagram.
HQ_SW-CE
|
HQ_RTR-PE
branch2_rtr branch3_rtr
| |
BR2_SW-CE BR3_SW-CE
Here is the hardware
HQ-2811 with HWIC-4ESW ios adventerprisek9-mz.151-3.T1.bin
Branch2-2811 ios adventerprisek9-mz.151-3.T1.bin
Branch3-1841 ios advipservicesk9-mz.151-4.M.bin
Switches are 3560G but in production will probably be 2960s and 2950s
I started out with L2TPv3 which worked and did not work. If I went to the HQ_SW and show cdp and STP for VLAN 42 which is a MGMT vlan.
HQ_SW>show cdp ne
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
D - Remote, C - CVTA, M - Two-port Mac Relay
Device ID Local Intrfce Holdtme Capability Platform Port ID
HQ_RTR Gig 0/2 178 R S I 2811 Fas 0/2/2
HQ_RTR Gig 0/1 157 R S I 2811 Fas 0/2/1
BRANCH3_SW Gig 0/2 129 R S I WS-C3560G Gig 0/14
BRANCH2_SW Gig 0/1 130 R S I WS-C3560G Gig 0/11
HQ_SW>show spanning-tree vlan 42
VLAN0042
Spanning tree enabled protocol ieee
Root ID Priority 32810
Address 001e.79d1.c880
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32810 (priority 32768 sys-id-ext 42)
Address 001e.79d1.c880
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec
Interface Role Sts Cost Prio.Nbr Type
Gi0/1 Desg FWD 19 128.1 P2p
Gi0/2 Desg FWD 19 128.2 P2p
Now if if I try and ping 172.42.1.2 (BRANCH 2 INT VLAN 42) I get no where...
HQ_SW>ping 172.42.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.42.1.2, timeout is 2 seconds:
Success rate is 0 percent (0/5)
HQ_SW>ping 172.42.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.42.1.3, timeout is 2 seconds:
Success rate is 0 percent (0/5)
Also I Have a mac address table but the l2 MACs for the remote switches do not show up, arps for those ip addresses show up as incomplete as well.
I switched to EoMPLS and had the same issue.
What we are trying to do is setup a backup link for a server should a main link fail. the HQ Router should be able to terminate MANY L2 tunnels. Basically I see that the HQ_PE router almost like a switch and interface 1 will go to NY, int 2 will go to Chicago, int 3 will go to Dallas, etc. Since this is a backup connection we are trying to deploy it as cheaply as possible. We did this with a 4esw/9esw on the HQ router because it will support up to 15 or so sites that we want to do. The issue is that even when the xconnect line is added to the hwic it does not want to pass traffic. EoMPLS is the same thing.... Can anyone help me out? Also does anyone know if I went to a older ME-sw for the HQ if it would support the MPLS commands from the HQ router?
Also the l2tun and mpls all show up see below
BRANCH2#show l2tun
L2TP Tunnel and Session Information Total tunnels 1 sessions 1
LocTunID RemTunID Remote Name State Remote Address Sessn L2TP Class/
Count VPDN Group
1543017164 4034467245 HQ_RTR est 10.0.0.1 1 l2tp_default_cl
LocID RemID TunID Username, Intf/ State Last Chg Uniq ID
Vcid, Circuit
908667366 3759587721 1543017164 104, Fa0/1 est 00:58:18 4I am positive the ipsec tunnel is good to go as I have set them up before tons of times, same with the GRE. Here is the requested information however.
HQ_RTR#show crypto ipsec sa peer 192.168.2.2. The reason you will see two is because of the ACLs i have
Extended IP access list 102
10 permit ip host 10.0.0.1 host 10.0.0.2 (19462 matches)
20 permit ip host 10.0.0.2 host 10.0.0.1
Extended IP access list 103
10 permit ip host 10.0.0.1 host 10.0.0.3 (17404 matches)
20 permit ip host 10.0.0.3 host 10.0.0.1
HQ_RTR#
You should look at only the ACLs witht he matchs so no the first SA but the second for the same peer see below
interface: FastEthernet0/0
Crypto map tag: VPN, local addr 192.168.1.2
protected vrf: (none)
local ident (addr/mask/prot/port): (10.0.0.2/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.0.0.1/255.255.255.255/0/0)
current_peer 192.168.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.1.2, remote crypto endpt.: 192.168.2.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (10.0.0.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.0.0.2/255.255.255.255/0/0)
current_peer 192.168.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4548, #pkts encrypt: 4548, #pkts digest: 4548
#pkts decaps: 5004, #pkts decrypt: 5004, #pkts verify: 5004
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 2, #recv errors 0
local crypto endpt.: 192.168.1.2, remote crypto endpt.: 192.168.2.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xD5EFC998(3589261720)
PFS (Y/N): Y, DH group: group2
inbound esp sas:
spi: 0x692F80B1(1764720817)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2003, flow_id: NETGX:3, sibling_flags 80000046, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4390208/1595)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xD5EFC998(3589261720)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2004, flow_id: NETGX:4, sibling_flags 80000046, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4390276/1595)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
HQ_RTR#ping 10.0.0.2 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.1
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
HQ_RTR#show crypto ipsec sa peer 192.168.2.2
interface: FastEthernet0/0
Crypto map tag: VPN, local addr 192.168.1.2
protected vrf: (none)
local ident (addr/mask/prot/port): (10.0.0.2/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.0.0.1/255.255.255.255/0/0)
current_peer 192.168.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.1.2, remote crypto endpt.: 192.168.2.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (10.0.0.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.0.0.2/255.255.255.255/0/0)
current_peer 192.168.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4583, #pkts encrypt: 4583, #pkts digest: 4583
#pkts decaps: 5042, #pkts decrypt: 5042, #pkts verify: 5042
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 2, #recv errors 0
local crypto endpt.: 192.168.1.2, remote crypto endpt.: 192.168.2.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xD5EFC998(3589261720)
PFS (Y/N): Y, DH group: group2
inbound esp sas:
spi: 0x692F80B1(1764720817)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2003, flow_id: NETGX:3, sibling_flags 80000046, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4390204/1582)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xD5EFC998(3589261720)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2004, flow_id: NETGX:4, sibling_flags 80000046, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4390272/1582)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
HQ_RTR#
HQ_RTR#
Also right now with the L2TPv3 setup I am not using the GRE I had it setup for when I was using EoMPLS. I know the two work as I can see the multicast of the cdp but nothing beyond that.. -
L2TPv3 vs MPLS in the CORE....
Hi:
Are there any real pros or cons with using L2TPv3 in the Core vs using MPLS?
Why would one utilize L2TPv3 over MPLS in the core?
Both work but what would be the deciding factors for an engineer to deploy on over the other.
Thanks !!Utlize L2TPv3 in the Core?..can you please elaborate a little on the query.
On a overview note:
1) L2TPv3 is a different technology which caters more for L2 forwarding between edges,
where as MPLS is more of a Core technology.
Having many service features under it like, L3VPN,L2VPN,MVPN, TE etc.. So they can not be compared, or other way round its comparing apples to oranges.
Lines can be drawn only between L2VPN and L2TPv3 for comparision.
L2VPN has to be provided to the end user by a service provider (end use also can do it, if he can lay MPLS core between his end sites), where as L2TPv3 can be implemented on your own with plain IP reachability between the end points.
HTH-Cheers,
Swaroop -
I can't get L2TPv3 to work from the SM-X backplane interface on an ISR 4K (4331/4451).
The tunnel/session both show established, but no egress packets are being sent.
The same configuration works fine if I move the xconnect to a dot1q subinterface on one of the ISR 4K physical interfaces (i.e. gi0/0/1.199), but I'd rather not have to use a physical cable going from one of the router's interfaces to the SM-X interfaces...
Anyone know if this is the correct method for configuring L2TPv3 on the SM-X backplane interface?
Thanks!
l2tp-class L2-VLAN199-CLASS
authentication
password asdfasdf
pseudowire-class L2-VLAN199-PW
encapsulation l2tpv3
protocol l2tpv3 L2-VLAN199-CLASS
ip local interface Loopback199
ip pmtu
interface Ethernet-Internal1/0/0
service instance 199 ethernet
encapsulation dot1q 199
rewrite ingress tag pop 1 symmetric
xconnect 172.16.199.1 199 encapsulation l2tpv3 pw-class L2-VLAN199-PW
interface Loopback199
ip address 172.17.199.1 255.255.255.255I opened a TAC case and it turns out this is not yet supported. Still waiting on an ETA for a feature update. In the meantime, a workaround will have to be physically cabling one of the ISR 4K ports to the SM-X to use as a trunk rather than the backplane interface. Boo!
-
Hi,
I am configuring staic L2TPv3 on Cisco 881. According to the feature navigator it is supported and I can configure without any problem. The L2TPv3 session seems to be UP but apparently there is no data I can send accross this L2TPv3 tunnel.
Anyone can give suggestion ?
thanks in advance.Please post on WAN, Routing and Switching community.
Shelley. -
Multipoint L2TPv3 (LAN-to-LAN extension)
Scenario: extend multiple layer 2 vlans to multiple locations (at least 3) over IPSEC.
I used L2TPv3 to accomplish this goal for a single vlan. The solution works great, but I’ve been given a new requirement to extend multiple vlans over the same physical links (point-to-point fiber).
Question: Is it possible to trunk vlans over L2TPv3? If so, is it possible to do so with sub interfaces (on the LAN side of the router), or will I need physical ports for the pseudowires/xconnects? If I can’t trunk the vlans or use sub interfaces, then I’ll end up having to use physical ports to create the pseudowire mesh (which is how I originally implemented this scenario for the single vlan). That brings me to my next, and probably most important, question:
Question: Is there a better way to approach this scenario?
Thanks for any help you can offer.
JasonYou can replicate 802.1q tagged frames from one physical interface to another site or choose to use xconnect on a subinterface. It's up to you, both works.
-
Dot1 tunnelled VLAN via L2TPv3 IP routed enviroment problem
I have an objective to transparently interconnect two Cat 6506 switches using dot1q trunk via ethernet switched and IP routed enviroment.
6506 trunk - 3560 dot1q tunnel via vlan 2 - 7206 terminating vlan 2 and xconnect to neighbor 7206 - 3560 with vlan 2/dot1q tunnel - 6506 trunk.
I've divided problem to 2 possible stages - QinQ and L2TPv3.
Realized QinQ works well by assigning/pinging first 7206 IP terminating dot1q tunnel.
Now I have tunnel up, dynamically negotiated with ip mtu, ip sequencing both etc, all default, but I only see sent bytes at first 7206 and no received and received/no sent bytes at the second 7206.
So it actually looks like bytes go just via one direction, from 1 7206 to 2 7206 and not the opposite direction.
What are these counters for? Only for tunneled VLAN or whole L2TPv3 tunnel? Cos hellos should create both traffic sent and received on both 72xx's.
I am confused and can't ping/trunk from the remote 3560. It's under ISP responcibility.I also cant SPAN/VSPAN for some reason to ethereal/analyze it.
Any gurus?Counters indicate total packets sent and receive for the current session.Sometimes MTU sizes could be a reason for the tunnel not working.Refer URL for configuring MTU forhttp://www.cisco.com/en/US/customer/tech/tk801/tk703/technologies_tech_note09186a0080094c4f.shtml#frag_example
-
Dot1 q tunnel via L2TPv3 problem
I have an objective to transparently interconnect two Cat 6506 switches using dot1q trunk via ethernet switched and IP routed enviroment.
6506 trunk - 3560 dot1q tunnel via vlan 2 - 7206 terminating vlan 2 and xconnect to neighbor 7206 - 3560 with vlan 2/dot1q tunnel - 6506 trunk.
I've divided problem to 2 possible stages - QinQ and L2TPv3.
Realized QinQ works well by assigning/pinging first 7206 IP terminating dot1q tunnel.
Now I have tunnel up, dynamically negotiated with ip mtu, ip sequencing both etc, all default, but I only see sent bytes at first 7206 and no received and received/no sent bytes at the second 7206.
So it actually looks like bytes go just via one direction, from 1 7206 to 2 7206 and not the opposite direction.
What are these counters for? Only for tunneled VLAN or whole L2TPv3 tunnel? Cos hellos should create both traffic sent and received on both 72xx's.
I am confused and can't ping/trunk from the remote 3560. It's under ISP responcibility.I also cant SPAN/VSPAN for some reason to ethereal/analyze it.
Any gurus?Packet counters shows the number of packets sent and received from the remote end.Look for the configuration on the other end of the router.Refer URL http://www.cisco.com/en/US/products/sw/netmgtsw/ps4748/products_user_guide_book09186a008035322e.html for more information.
-
Hello,
Is there a way or simple solution to terminate a bunch of "plain" L2TPv3 pseudowires to a BVI, to have a sort of VPLS? (VPLS/MPLS is not an option in my setup).
My deal is to have a distributed L2 architecture (I have a protocol that works only on L2), and it must traverse a non-ethernet IP based network. (traffic is quite low - max 1 mbps)
It can easily done with a simple linux box, terminating l2tpv3 tunnels to a bridge interface, but I would like to do that on a cisco device.
A very dirty solution can be to have a set of sub-interfaces (with xconnect) and a cable to another interface on the same router, having sub-interfaces terminated on a BVI.
Something like that:
GigaEthernet 0/0 is cabled to GigaEthernet 0/1
interface Giga 0/0.1301
encap dot1q 1301
xconnect 10.10.13.1 1301 pw-class pw1301
interface gig 0/0.1302
encap dot1q 1302
xconnect 10.10.13.2 1302 pw-class pw1302
interface gig 0/1.1301
encap dot1q 1301
bridge-group 1
interface gig 0/1.1302
encap dot1q 1302
bridge-group 1
bridge 1 protocol ieee
bridge 1 route ip
interface BVI 1
ip address 192.168.1.254 255.255.255.0
Is there a simple way to accomplish that?
thanks in advance,
stefanoI cannot implement this type of configuration with a 3945 router...it's a shame...I really need this config for a site.
Maybe you are looking for
-
Looking for a maps application that does a few extra things...
Hello, I am looking for an app which would allow me to pin a bunch of address on a map and keep them there all at the same time as opposed to the google maps app where I can keep on the map only 2 addresses at best and only when getting directions. W
-
I tried to update my iPhone 4 to iOS and it was going fine intell it got to the part where the screen was black with the apple logo and had the loading bar and it didn't load then it shut off for 30 seconds and turned on and said connect to iTunes I
-
my problem is: at selection screen fields is vbrk-FKDAT & VBRK-KUNRG( NO. OF CUSTOMERS ) FOR THIS SELECTION SELECT BILLING DOCUMENT NO. FROM VBRK WHERE THE BILLING DOCUMENT TYPE IS FP, ZFP, SI. THE SELECTION DATE SHALL BE EQUAL TO BIL
-
Ipod nano keeps turning on and off
My ipod nano keeps turning off and on automatically and when I push a button once its on then it freezes, and when I reset it then it starts turning on and off again....what do I do someone please help me
-
Sun contracting Purchase Info record
Dear All , Pl give me the Table name containing :Material Purchase infor record price and Change in purchse infor record Price ?