Cisco881G l2tpv3

For the last week I have been trying to build a tunnel between a dynamic 3G cellular IP and our outside company IP.
So far, the only way I have seen to make this work is by using L2TPv3 client-initiated dynamic tunneling.
I need an answer to some questions that may be simple for others. Is L2TPv3 a good technique for making a tunnel over a cellular network? With IPsec GRE I need to provide my client and host, while my client IP is dynamic in a cellular network.
So far I am trying to understand the technique, but I am missing some key elements.
Using xconnect as a dynamic session setup, I am trying to talk to the endpoint of my tunnel, but where does the IP address of the endpoint go?
Here is what I have worked out so far:
Router#show running-config
Building configuration...
Current configuration : 1832 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Router
boot-start-marker
boot-end-marker
logging message-counter syslog
no aaa new-model
ip source-route
ip cef
l2tp-class Company.Class.To.Mainsite
 authentication
 password 7 111A1C0605171F
no ipv6 cef
multilink bundle-name authenticated
chat-script internet "" "ATDT*99*1#" TIMEOUT 30 CONNECT
archive
 log config
  hidekeys
pseudowire-class Company.PW.To.Mainsite
 encapsulation l2tpv3
 protocol l2tpv3 Company.Class.To.Mainsite
 ip local interface Loopback0
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
 no ip address
 shutdown
 duplex auto
 speed auto
interface Cellular0
 no ip address
 ip virtual-reassembly
 encapsulation ppp
 load-interval 60
 dialer in-band
 dialer pool-member 1
 dialer-group 1
 async mode interactive
interface Vlan1
 no ip address
 xconnect 100.200.100.200 123 encapsulation l2tpv3 pw-class Company.PW.To.Mainsite
interface Dialer1
 ip address negotiated
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer string internet
 dialer persistent
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname dummy
 ppp chap password 0 dummy
 ppp ipcp dns request
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
control-plane
line con 0
 no modem enable
line aux 0
line 3
 exec-timeout 0 0
 password cisco
 script dialer internet
 login
 modem InOut
 no exec
 transport input all
line vty 0 4
 login
scheduler max-task-time 5000
end


Similar Messages

  • IPSec secured L2TPv3 - one way traffic in L2 tunnel

    Sigh... after 7 hours battling coming here because I've exhausted all my options to find an answer for my problem.
    So here is the topology - standard (boring) IPSec secured L2TPv3 tunnel: on one side - 897 connected to a DSL box, on another side - 1921 with two interfaces.
    Purpose to setup a plain L2TPv3 tunnel between those locations so computers plugged into the 897's 8-port switch interface can communicate with number of devices connected to 1921 on other side. 
    897:
    crypto ikev2 keyring key1
     peer destination_ip_address
      address local_outside_ip_address
      pre-shared-key key
    crypto ikev2 profile default
     match identity remote address 1921_outside_ip_address 255.255.255.255
     identity local address 897_outside_ip_address
     authentication remote pre-share
     authentication local pre-share
     keyring local key1
    crypto ikev2 dpd 30 3 periodic
    controller VDSL 0
    ip ssh rsa keypair-name router-key
    ip ssh version 2
    pseudowire-class DZD
     encapsulation l2tpv3
     ip local interface Loopback1
     ip pmtu
     ip dfbit set
     ip tos reflect
    crypto ipsec transform-set default esp-aes esp-sha-hmac
     mode tunnel
    crypto ipsec df-bit set
    crypto map local 1 ipsec-isakmp
     set peer 1921_outside_ip_address
     set ikev2-profile default
     match address 130
    interface Loopback1
     ip address 172.16.1.1 255.255.255.255
    interface ATM0
     no ip address
     no atm ilmi-keepalive
    interface Ethernet0
     no ip address
    interface GigabitEthernet0
     no ip address
    interface GigabitEthernet1
     no ip address
    interface GigabitEthernet2
     no ip address
    interface GigabitEthernet3
     no ip address
     xconnect 172.16.1.2 1 encapsulation l2tpv3 pw-class DZD
    interface GigabitEthernet4
     no ip address
    interface GigabitEthernet5
     no ip address
    interface GigabitEthernet6
     no ip address
    interface GigabitEthernet7
     no ip address
    interface GigabitEthernet8
     no ip address
     duplex auto
     speed auto
     pppoe enable group global
     pppoe-client dial-pool-number 1
    interface Wlan-GigabitEthernet8
     no ip address
    interface wlan-ap0
     description Embedded Service module interface to manage the embedded AP
     ip unnumbered Vlan1
    interface Vlan1
     ip address 10.97.2.29 255.255.255.0
    interface Dialer1
     mtu 1492
     ip address negotiated
     ip nat outside
     ip virtual-reassembly in
     encapsulation ppp
     ip tcp adjust-mss 1452
     dialer pool 1
     dialer-group 1
     ipv6 address autoconfig
     ppp authentication pap callin
     ppp pap sent-username DSL_username password DSL_password
     crypto map local
    ip forward-protocol nd
    ip http server
    no ip http secure-server
    ip route 0.0.0.0 0.0.0.0 Dialer1
    access-list 130 permit ip host 172.16.1.1 host 172.16.1.2
    dialer-list 1 protocol ip permit
    c897#
    1921:
    crypto ikev2 keyring key1
     peer 897_outside_ip_address
      address 897_outside_ip_address
      pre-shared-key key
    crypto ikev2 profile default
     match identity remote address 897_outside_ip_address 255.255.255.255
     identity local address 1921_outside_ip_address
     authentication remote pre-share
     authentication local pre-share
     keyring local key1
    crypto ikev2 dpd 30 3 periodic
    ip ssh version 2
    lldp run
    pseudowire-class ZRH
     encapsulation l2tpv3
     ip local interface Loopback1
     ip pmtu
     ip dfbit set
     ip tos reflect
    crypto ipsec transform-set default esp-aes esp-sha-hmac
     mode tunnel
    crypto ipsec df-bit set
    crypto map local 1 ipsec-isakmp
     set peer 897_outside_ip_address
     set ikev2-profile default
     match address 130
    interface Loopback1
     ip address 172.16.1.2 255.255.255.255
    interface Embedded-Service-Engine0/0
     no ip address
    interface GigabitEthernet0/0
     description WAN-ACC
     ip address 1921_outside_ip_address 255.255.255.0
     duplex auto
     speed auto
     crypto map local
    interface GigabitEthernet0/1
     description LAN-Trunk
     no ip address
     duplex auto
     speed auto
     xconnect 172.16.1.1 1 encapsulation l2tpv3 pw-class ZRH
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 default_gateway_of_1921
    logging host 10.96.2.21
    access-list 130 permit ip host 172.16.1.2 host 172.16.1.1
    pnc01921#
    Note - 1921 is connected to the Nexus 2248TP FEX, here is the config of the interface of the FEX:
    pnc00001# sh run int e101/1/6
    !Time: Thu May  1 06:15:02 2014
    version 5.0(3)N2(2b)
    interface Ethernet101/1/6
      switchport access vlan 702
    Now, IPsec tunnel comes up and does pass traffic - I can ping from one l1 another l1, below is the output from 897:
    sh cry ike sa
     IPv4 Crypto IKEv2  SA
    Tunnel-id Local                 Remote                fvrf/ivrf            Status
    1         897_outside_ip_address/500     1921_outside_ip_address/500     none/none            READY
          Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
          Life/Active Time: 86400/76 sec
     IPv6 Crypto IKEv2  SA
    #sh cry ips sa
    interface: Dialer1
        Crypto map tag: local, local addr 897_outside_ip_address
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/0/0)
       remote ident (addr/mask/prot/port): (172.16.1.2/255.255.255.255/0/0)
       current_peer 1921_outside_ip_address port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
        #pkts decaps: 51, #pkts decrypt: 51, #pkts verify: 51
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0
         local crypto endpt.: 897_outside_ip_address, remote crypto endpt.: 1921_outside_ip_address
         path mtu 1492, ip mtu 1492, ip mtu idb Dialer1
         current outbound spi: 0x852BF1F2(2234249714)
         PFS (Y/N): N, DH group: none
         inbound esp sas:
          spi: 0x5D9DFB1A(1570634522)
            transform: esp-aes esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 2, flow_id: Onboard VPN:2, sibling_flags 80000040, crypto map: local
            sa timing: remaining key lifetime (k/sec): (4190855/3504)
            IV size: 16 bytes
            replay detection support: Y
            Status: ACTIVE(ACTIVE)
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
          spi: 0x852BF1F2(2234249714)
            transform: esp-aes esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 1, flow_id: Onboard VPN:1, sibling_flags 80000040, crypto map: local
            sa timing: remaining key lifetime (k/sec): (4190863/3504)
            IV size: 16 bytes
            replay detection support: Y
            Status: ACTIVE(ACTIVE)
    #ping 172.16.1.2 sour l1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
    Packet sent with a source address of 172.16.1.1
    Success rate is 100 percent (5/5), round-trip min/avg/max = 20/23/24 ms
    Now, L2 tunnel shows to be up on both ends as well (output from 897 here)
    #sh xconnect all
    Legend:    XC ST=Xconnect State  S1=Segment1 State  S2=Segment2 State
      UP=Up       DN=Down            AD=Admin Down      IA=Inactive
      SB=Standby  RV=Recovering      NH=No Hardware
    XC ST  Segment 1                         S1 Segment 2                         S2
    ------+---------------------------------+--+---------------------------------+--
    UP     ac   Gi3(Ethernet)                UP l2tp 172.16.1.2:1                 UP
    However, if you look at detailed output of l2tunn, you will see that the tunnel receives traffic from 1921, but does not send anything:
    #sh l2tun tunnel all
    L2TP Tunnel Information Total tunnels 1 sessions 1
    Tunnel id 3504576447 is up, remote id is 2898810219, 1 active sessions
      Locally initiated tunnel
      Tunnel state is established, time since change 00:19:34
      Tunnel transport is IP  (115)
      Remote tunnel name is pnc01921
        Internet Address 172.16.1.2, port 0
      Local tunnel name is pnc0DRZD
        Internet Address 172.16.1.1, port 0
      L2TP class for tunnel is l2tp_default_class
      Counters, taking last clear into account:
        0 packets sent, 763 received
        0 bytes sent, 65693 received
        Last clearing of counters never
      Counters, ignoring last clear:
        0 packets sent, 763 received
        0 bytes sent, 65693 received
      Control Ns 18, Nr 9
      Local RWS 512 (default), Remote RWS 512 (max)
      Control channel Congestion Control is disabled
      Tunnel PMTU checking enabled
      Retransmission time 1, max 1 seconds
      Unsent queuesize 0, max 0
      Resend queuesize 0, max 2
      Total resends 0, ZLB ACKs sent 8
      Total out-of-order dropped pkts 0
      Total out-of-order reorder pkts 0
      Total peer authentication failures 0
      Current no session pak queue check 0 of 5
      Retransmit time distribution: 0 0 0 0 0 0 0 0 0
      Control message authentication is disabled
    Mirrored situation on other side - 1921 sends packets, but nothing is received:
    pnc01921#sh l2tun tunnel all
    L2TP Tunnel Information Total tunnels 1 sessions 1
    Tunnel id 2898810219 is up, remote id is 3504576447, 1 active sessions
      Remotely initiated tunnel
      Tunnel state is established, time since change 00:21:15
      Tunnel transport is IP  (115)
      Remote tunnel name is pnc0DRZD
        Internet Address 172.16.1.1, port 0
      Local tunnel name is pnc01921
        Internet Address 172.16.1.2, port 0
      L2TP class for tunnel is l2tp_default_class
      Counters, taking last clear into account:
        815 packets sent, 0 received
        69988 bytes sent, 0 received
        Last clearing of counters never
      Counters, ignoring last clear:
        815 packets sent, 0 received
        69988 bytes sent, 0 received
      Control Ns 9, Nr 20
      Local RWS 1024 (default), Remote RWS 512
      Control channel Congestion Control is disabled
      Tunnel PMTU checking enabled
      Retransmission time 1, max 1 seconds
      Unsent queuesize 0, max 0
      Resend queuesize 0, max 1
      Total resends 0, ZLB ACKs sent 18
      Total out-of-order dropped pkts 0
      Total out-of-order reorder pkts 0
      Total peer authentication failures 0
      Current no session pak queue check 0 of 5
      Retransmit time distribution: 0 0 0 0 0 0 0 0 0
      Control message authentication is disabled
    There is a Windows box plugged into 897's G3 with IP address 10.97.2.25. I can ping from it 897's VLAN1 at 10.97.2.29. However I can't ping anything across the L2TPv3 tunnel. At the same time on that Windows box I can see broadcast traffic coming across the tunnel.
    I give up. Anyone has some reasonable suggestion what might be wrong? I suspect that something is wrong at 897's side. 
    One last question - how can I create svi on 1921 and assign ip address from 10.97.2.0/24 network on it?

    Anybody? Opened ticket #630128425, no response from Cisco yet..

  • L2TPv3 tunnel up but pings are failing

    Hi,
    I have configured an L2TP tunnel between loopbacks on an ASR1004 and an ASR1001. The tunnel gets established, and even shows me some two-way traffic counters (they don't increment in line with ICMP requests so don't know if they represent my ping attempts per se).
    When I generate ICMP traffic, I learn MAC addresses on both ends, including within the ARP tables on the hosts. However, the pings time out. I have attached a diagram and have pasted some show outputs below.
    Any ideas or suggestions would be greatly appreciated, thanks!
    Wlg-COR-02#show ver
    Cisco IOS Software, IOS-XE Software (X86_64_LINUX_IOSD-UNIVERSAL-M), Version 15.1(1)S, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2010 by Cisco Systems, Inc.
    Compiled Mon 22-Nov-10 12:32 by mcpre
    Cisco IOS-XE software, Copyright (c) 2005-2010 by cisco Systems, Inc.
    All rights reserved.  Certain components of Cisco IOS-XE software are
    licensed under the GNU General Public License ("GPL") Version 2.0.  The
    software code licensed under GPL Version 2.0 is free software that comes
    with ABSOLUTELY NO WARRANTY.  You can redistribute and/or modify such
    GPL code under the terms of GPL Version 2.0.  For more details, see the
    documentation or "License Notice" file accompanying the IOS-XE software,
    or the applicable URL provided on the flyer accompanying the IOS-XE
    software.
    ROM: IOS-XE ROMMON
    Wlg-COR-02 uptime is 2 weeks, 6 days, 14 hours, 59 minutes
    Uptime for this control processor is 2 weeks, 6 days, 15 hours, 0 minutes
    System returned to ROM by reload at 17:33:31 NZST Tue Aug 12 2014
    System restarted at 00:22:39 NZDT Thu Oct 9 2014
    System image file is "bootflash:/asr1001-universal.03.02.00.S.151-1.S.bin"
    Last reload reason: PowerOn
    License Info:
    License UDI:
    Device# PID                     SN                      UDI
    *0      ASR1001                 JAE15290CAP             ASR1001:JAE15290CAP
    License Package Information for Module:'asr1001'
    Module name   Image level          Priority   Configured   Valid license
    asr1001       adventerprise        1          NO           adventerprise
                  advipservices        2          NO           advipservices
                  ipbase               3          NO           ipbase
    Current License Level: advipservices
    cisco ASR1001 (1RU) processor with 1217912K/6147K bytes of memory.
    4 Gigabit Ethernet interfaces
    32768K bytes of non-volatile configuration memory.
    4194304K bytes of physical memory.
    7782399K bytes of eUSB flash at bootflash:.
    Configuration register is 0x2102
    Wlg-COR-02#show l2tun session all
    L2TP Session Information Total tunnels 1 sessions 1
    Session id 3769661188 is up, logical session id 65548, tunnel id 3529463940
      Remote session id is 1878828549, remote tunnel id 1043662242
      Remotely initiated session
      Unique ID is 12
    Session Layer 2 circuit, type is Ethernet Vlan, name is Port-channel2.532:532
      Session vcid is 532
      Circuit state is UP
        Local circuit state is UP
        Remote circuit state is UP
    Call serial number is 2074100010
    Remote tunnel name is Air-COR-01
      Internet address is 210.48.12.100
    Local tunnel name is Wlg-COR-02
      Internet address is 210.48.12.105
    IP protocol 115
      Session is L2TP signaled
      Session state is established, time since change 03:41:52
        57 Packets sent, 48 received
        8190 Bytes sent, 6645 received
      Last clearing of counters never
      Counters, ignoring last clear:
        57 Packets sent, 48 received
        8190 Bytes sent, 6645 received
        Receive packets dropped:
          out-of-order:             0
          other:                    0
          total:                    0
        Send packets dropped:
          exceeded session MTU:     0
          other:                    0
          total:                    0
      DF bit off, ToS reflect disabled, ToS value 0, TTL value 255
      Sending UDP checksums are disabled
      Received UDP checksums are verified
      No session cookie information available
      FS cached header information:
        encap size = 24 bytes
        45000014 00000000 ff73fe48 d2300c69
        d2300c64 6ffca605
      Sequencing is off
      Conditional debugging is disabled
      SSM switch id is 8197, SSM segment id is 8201
    Wlg-COR-02#
    Wlg-COR-02#
    Wlg-COR-02#show run inter
    Wlg-COR-02#show run interface Po2.532
    Building configuration...
    Current configuration : 123 bytes
    interface Port-channel2.532
     encapsulation dot1Q 532
     xconnect 210.48.12.100 532 encapsulation l2tpv3 pw-class l2tp
    end
    Wlg-COR-02#
    Wlg-COR-02#
    Wlg-COR-02#show run | beg pseudowire
    pseudowire-class mpls-ethernet
     encapsulation mpls
     interworking ethernet
    pseudowire-class l2tp
     encapsulation l2tpv3
     ip local interface Loopback4770
    Air-COR-01#show version
    Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVIPSERVICESK9-M), Version 15.2(4)S4, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2013 by Cisco Systems, Inc.
    Compiled Sun 01-Sep-13 09:53 by mcpre
    IOS XE Version: 03.07.04.S
    Cisco IOS-XE software, Copyright (c) 2005-2013 by cisco Systems, Inc.
    All rights reserved.  Certain components of Cisco IOS-XE software are
    licensed under the GNU General Public License ("GPL") Version 2.0.  The
    software code licensed under GPL Version 2.0 is free software that comes
    with ABSOLUTELY NO WARRANTY.  You can redistribute and/or modify such
    GPL code under the terms of GPL Version 2.0.  For more details, see the
    documentation or "License Notice" file accompanying the IOS-XE software,
    or the applicable URL provided on the flyer accompanying the IOS-XE
    software.
    ROM: IOS-XE ROMMON
    Air-COR-01 uptime is 35 weeks, 1 day, 15 hours, 26 minutes
    Uptime for this control processor is 35 weeks, 1 day, 15 hours, 29 minutes
    System returned to ROM by reload at 23:57:45 NZDT Mon Feb 24 2014
    System restarted at 00:01:45 NZDT Tue Feb 25 2014
    System image file is "bootflash:asr1000rp1-advipservicesk9.03.07.04.S.152-4.S4.bin"
    Last reload reason: Reload Command
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    [email protected].
    cisco ASR1004 (RP1) processor with 1688640K/6147K bytes of memory.
    Processor board ID FOX1544G2KE
    16 Gigabit Ethernet interfaces
    4 Ten Gigabit Ethernet interfaces
    32768K bytes of non-volatile configuration memory.
    4194304K bytes of physical memory.
    937983K bytes of eUSB flash at bootflash:.
    39004543K bytes of SATA hard disk at harddisk:.
    Configuration register is 0x2102
    Air-COR-01#show l2tun session all
    L2TP Session Information Total tunnels 1 sessions 1
    Session id 1878828549 is up, logical session id 42736, tunnel id 1043662242
      Remote session id is 3769661188, remote tunnel id 3529463940
      Locally initiated session
      Unique ID is 0
    Session Layer 2 circuit, type is Ethernet Vlan, name is Port-channel2.532:532
      Session vcid is 532
      Circuit state is UP
        Local circuit state is UP
        Remote circuit state is UP
    Call serial number is 2074100010
    Remote tunnel name is Wlg-COR-02
      Internet address is 210.48.12.105
    Local tunnel name is Air-COR-01
      Internet address is 210.48.12.100
    IP protocol 115
      Session is L2TP signaled
      Session state is established, time since change 03:47:28
        48 Packets sent, 58 received
        6645 Bytes sent, 8437 received
      Last clearing of counters never
      Counters, ignoring last clear:
        48 Packets sent, 58 received
        6645 Bytes sent, 8437 received
        Receive packets dropped:
          out-of-order:             0
          other:                    0
          total:                    0
        Send packets dropped:
          exceeded session MTU:     0
          other:                    0
          total:                    0
      DF bit off, ToS reflect disabled, ToS value 0, TTL value 255
      Sending UDP checksums are disabled
      Received UDP checksums are verified
      No session cookie information available
      FS cached header information:
        encap size = 24 bytes
        45000014 00000000 ff73fe48 d2300c64
        d2300c69 e0b07704
      Sequencing is off
      Conditional debugging is disabled
      SSM switch id is 14061, SSM segment id is 5875
    %No active PPTP tunnels
    Air-COR-01#
    Air-COR-01#
    Air-COR-01#
    Air-COR-01#
    Air-COR-01#show run int
    Air-COR-01#show run interface Po2.532
    Building configuration...
    Current configuration : 123 bytes
    interface Port-channel2.532
     encapsulation dot1Q 532
     xconnect 210.48.12.105 532 encapsulation l2tpv3 pw-class l2tp
    end
    Air-COR-01#
    Air-COR-01#
    Air-COR-01#show run | beg pseudowire
    pseudowire-class l2tp
     encapsulation l2tpv3
     ip local interface Loopback4770
    air-agg-1-1#show mac address-table vlan 532
    Legend: * - primary entry
            age - seconds since last seen
            n/a - not available
            S - secure entry
            R - router's gateway mac address entry
            D - Duplicate mac address entry
    Displaying entries from DFC switch [1] linecard [1]:
         vlan   mac address    type   learn    age                 ports
    ----+----+---------------+-------+-----+----------+-----------------------------
          532 0050.569e.681d  dynamic  Yes      150     Po7
          532 0050.5695.0f0c  dynamic  Yes      320     Po7
      R   532 0008.e3ff.fc04   static   No       -      Router
    WLG-AGG-01#show mac address-table vlan 532
              Mac Address Table
    Vlan    Mac Address       Type        Ports
     All    0100.0ccc.cccc    STATIC      CPU
     All    0100.0ccc.cccd    STATIC      CPU
     All    0180.c200.0000    STATIC      CPU
     All    0180.c200.0001    STATIC      CPU
     All    0180.c200.0002    STATIC      CPU
     All    0180.c200.0003    STATIC      CPU
     All    0180.c200.0004    STATIC      CPU
     All    0180.c200.0005    STATIC      CPU
     All    0180.c200.0006    STATIC      CPU
     All    0180.c200.0007    STATIC      CPU
     All    0180.c200.0008    STATIC      CPU
     All    0180.c200.0009    STATIC      CPU
     All    0180.c200.000a    STATIC      CPU
     All    0180.c200.000b    STATIC      CPU
     All    0180.c200.000c    STATIC      CPU
     All    0180.c200.000d    STATIC      CPU
     All    0180.c200.000e    STATIC      CPU
     All    0180.c200.000f    STATIC      CPU
     All    0180.c200.0010    STATIC      CPU
     All    ffff.ffff.ffff    STATIC      CPU
     532    0050.5695.0f0c    DYNAMIC     Po2
     532    0050.569e.681d    DYNAMIC     Po4
    Total Mac Addresses for this criterion: 22
    WLG-AGG-01#

    What does your ACL statement look like for defining access from your Celerra_Replication network, to your GP_Celerra_Replication network?
    Also, do you reference that ACL in your crypto map?
    A sanitized config may help me help you
    -Chris

  • Are L2TPv3 endpoints not supported to source from VRFs?

    Hi,
    I have a customer that needs to tunnel serial data from remote sites to a central site. This serial data is HDLC encapsulated and the remote site has a Cisco 1921 router with HWIC4A/S.
    The central router is a Cisco 2951, also with HWIC4A/S.
    This customer has several VPNs carried by a service provider through MPLS. One VPN is for operational traffic, one is for test traffic and so on.
    They want to send the tunneled traffic through the operational VPN on the router doing tunneling through VRF lite. This does however not seem to be supported but I can't find any restrictions in the Cisco documentation.
    Here is a working configuration:
    pseudowire-class PW
     encapsulation l2tpv3
     sequencing transmit
     protocol none
     ip local interface loopback0
     ip tos value 128
     ip ttl 10
    interface Loopback0
     ip address x.x.x.x 255.255.255.255
    interface Serial0/0/0
     description ### redacted ###
     no ip address
     no keepalive
     ignore dtr
     clock rate 19200
     no cdp enable
     xconnect y.y.y.y 1001 encapsulation l2tpv3 manual pw-class PW
      l2tp id 61001 101
    redacted#show l2tun session all
    Session id 61001 is up, logical session id 65668, tunnel id n/a       
      Remote session id is 101, remote tunnel id n/a       
      Locally initiated session
      Unique ID is 24
    Session Layer 2 circuit, type is HDLC, name is Serial0/0/0
      Session vcid is 1001
      Circuit state is UP
        Local circuit state is UP
        Remote circuit state is UP
    Call serial number is 0
    Remote tunnel name is
      Internet address is y.y.y.y
    Local tunnel name is
      Internet address is x.x.x.x
    IP protocol 115
      Session is manually signaled
      Session state is established, time since change 19:04:36
        1087277 Packets sent, 0 received
        21281118 Bytes sent, 0 received
      Last clearing of counters never
      Counters, ignoring last clear:
        1087277 Packets sent, 0 received
        21281118 Bytes sent, 0 received
        Receive packets dropped:
          out-of-order:             0
          other:                    0
          total:                    0
        Send packets dropped:
          exceeded session MTU:     0
          other:                    0
          total:                    0
      DF bit off, ToS reflect disabled, ToS value 128, TTL value 10
      Sending UDP checksums are disabled
      Received UDP checksums are verified
      No session cookie information available
      FS cached header information:
        encap size = 28 bytes
        45800014 00000000 0a738706 0a741822
        0a74fbe7 00000065 00000000
      Sequencing is on
        Ns 1087268, Nr 0, 0 out of order packets received
        Packets switched/dropped by secondary path: Tx 0, Rx 0
      Conditional debugging is disabled
      SSM switch id is 4226, SSM segment id is 12422
    The traffic is unidirectional so it's expected to only have packets sent and not received. This works fine. However, if I put the loopback in a VRF, the tunnel still comes up but no traffic is forwarded.
    int loopback 0
    ip vrf forwarding OPER
    This would stop the traffic from passing through the tunnel. I suspect that the Cisco implementation of L2TPv3 is not VRF aware but have been unable to get any confirmation so far.
    Has anyone else tried to deploy this when sourcing from a VRF?

    Hi All,
    I could solve it myself. Thanks for the time.
    The problem was I tried to navigate directly from the component 'BT125H_TASK' to the component 'CRMCMP_CMG', as I could not find any parent for BT125H_TASK earlier.
    Now I could find its parent component which is 'BT110M_ACT'.
    The outbound plug created in the task component has to be added to the component usage of 'BT110M_ACT' and the delegation should be done. The other things are the same. It works fine.
    Regards
    Vidhya

  • L2tpv3 dialing from cisco router

    I have a requirement where the customer wants IP dialing to an LNS from a Cisco router with the help of L2TPv3.
    Could anyone tell me how to configure this.
    regards
    shivlu jain

    Hello Shivlu,
    in one of our routers the backup link is configured in this way
    pseudowire-class netvision-l2tp
    encapsulation l2tpv2
    interface Virtual-PPP1
    description NETVISION DIALER
    ip address negotiated
    ip nat outside
    ip virtual-reassembly
    no cdp enable
    ppp pap sent-username password 0 41003827
    pseudowire x.x.x.x 2 pw-class netvision-l2tp
    crypto map VPN_MAP
    where x.x.x.x is a public ip address
    ip route x.x.x.x 255.255.255.255 g0/1
    completes this solution where this g0/1
    sh run int gi0/1
    Building configuration...
    Current configuration : 157 bytes
    interface GigabitEthernet0/1
    description CONNECTION TO CABLE MODEM
    ip address dhcp
    ip virtual-reassembly
    duplex auto
    speed auto
    media-type rj45
    end
    and it receives a private ip address from DHCP on a cable modem access network.
    but it uses l2tpv2 not L2tpv3 and I've always seen l2tpv2 in this context.
    Hope to help
    Giuseppe

  • L2TPv3 tunnel

    I have created an L2TPv3 tunnel between two routers. Now I don't know whether the tunnel is up or down. I have run the command but it is giving the following output:
    R2#show l2tp tunnel
    %No active L2TP tunnels
    Can anyone tell me how can we check L2TPv3 tunnel is up or down? 
    Is there any show command or debug command to check the status of tunnel?
    Regards,
    Mukesh Kumar
    Network Engineer
    Spooster IT Services

    Mukesh,
    The only problem I can see is that you have VLAN 5 on the subinterface, but not on the main interface, this means that the traffic might not get to the other end due to the Dot1q encapsulation. If you were to set both to the same dot1q tag it should come up.
    Regards,
    Alex Sanchez
    CCIE R&S #37454

  • L2TPv3 on a 3900-SPE200/K9

    Hi... I'm trying to configure an L2TPv3 tunnel between an ASR1001 and a C3925. I'm not able to find the way to activate the command pseudowire-class on the 3925. I tried installing a license for security and data, but still nothing... Any clues?

    Cisco IOS Software, C3900e Software (C3900e-UNIVERSALK9-M), Version 15.2(4)M4, RELEASE SOFTWARE (fc2)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2013 by Cisco Systems, Inc.
    Compiled Thu 20-Jun-13 14:38 by prod_rel_team
    ROM: System Bootstrap, Version 15.1(1r)T5, RELEASE SOFTWARE (fc1)
    TEST-OSPF uptime is 23 hours, 43 minutes
    System returned to ROM by reload at 14:55:47 UTC Thu Mar 26 2015
    System image file is "flash0:c3900e-universalk9-mz.SPA.152-4.M4.bin"
    Last reload type: Normal Reload
    Last reload reason: Reload Command
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    [email protected].
    Cisco CISCO3925-CHASSIS (revision 1.0) with C3900-SPE200/K9 with 755712K/292864K bytes of memory.
    Processor board ID FTX1740AHUY
    4 Gigabit Ethernet interfaces
    DRAM configuration is 72 bits wide with parity enabled.
    256K bytes of non-volatile configuration memory.
    250880K bytes of ATA System CompactFlash 0 (Read/Write)
    License Info:
    License UDI:
    Device#  PID SN
    *0    C3900-SPE200/K9       FOC173466SN     
    Technology Package License Information for Module:'c3900e' 
    Technology    Technology-package           Technology-package
                  Current       Type           Next reboot  
    ipbase        ipbasek9      Permanent      ipbasek9
    security      None          None           None
    uc            None          None           None
    data          None          None           None

  • EoMPLS and L2TPv3

    Good morning everyone.... I was wondering if someone could help me out with this?
    I have setup a dev lab setup to test some stuff out before I go forward and move to production but I have hit a brick wall...
    Here is a general setup Diagram.
                             HQ_SW-CE
                                      |
                             HQ_RTR-PE
                   branch2_rtr     branch3_rtr
                           |                    |
                   BR2_SW-CE     BR3_SW-CE
    Here is the hardware
    HQ-2811 with HWIC-4ESW ios adventerprisek9-mz.151-3.T1.bin
    Branch2-2811 ios adventerprisek9-mz.151-3.T1.bin
    Branch3-1841 ios advipservicesk9-mz.151-4.M.bin
    Switches are 3560G but in production will probably be 2960s and 2950s
    I started out with L2TPv3 which worked and did not work. If I went to the HQ_SW and show cdp and STP for VLAN 42 which is a MGMT vlan.
    HQ_SW>show cdp ne
    Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                      S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                      D - Remote, C - CVTA, M - Two-port Mac Relay
    Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
    HQ_RTR           Gig 0/2           178             R S I  2811      Fas 0/2/2
    HQ_RTR           Gig 0/1           157             R S I  2811      Fas 0/2/1
    BRANCH3_SW       Gig 0/2           129             R S I  WS-C3560G Gig 0/14
    BRANCH2_SW       Gig 0/1           130             R S I  WS-C3560G Gig 0/11
    HQ_SW>show spanning-tree vlan 42
    VLAN0042
      Spanning tree enabled protocol ieee
      Root ID    Priority    32810
                 Address     001e.79d1.c880
                 This bridge is the root
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
      Bridge ID  Priority    32810  (priority 32768 sys-id-ext 42)
                 Address     001e.79d1.c880
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
                 Aging Time  300 sec
    Interface           Role Sts Cost      Prio.Nbr Type
    Gi0/1               Desg FWD 19        128.1    P2p
    Gi0/2               Desg FWD 19        128.2    P2p
    Now if I try to ping 172.42.1.2 (BRANCH 2 INT VLAN 42) I get nowhere...
    HQ_SW>ping 172.42.1.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.42.1.2, timeout is 2 seconds:
    Success rate is 0 percent (0/5)
    HQ_SW>ping 172.42.1.3
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.42.1.3, timeout is 2 seconds:
    Success rate is 0 percent (0/5)
    Also I Have a mac address table but the l2 MACs for the remote switches do not show up, arps for those ip addresses show up as incomplete as well.
    I switched to EoMPLS and had the same issue.
    What we are trying to do is setup a backup link for a server should a main link fail. the HQ Router should be able to terminate MANY L2 tunnels. Basically I see that the HQ_PE router almost like a switch and interface 1 will go to NY, int 2 will go to Chicago, int 3 will go to Dallas, etc. Since this is a backup connection we are trying to deploy it as cheaply as possible. We did this with a 4esw/9esw on the HQ router because it will support up to 15 or so sites that we want to do. The issue is that even when the xconnect line is added to the hwic it does not want to pass traffic. EoMPLS is the same thing.... Can anyone help me out? Also does anyone know if I went to an older ME-sw for the HQ if it would support the MPLS commands from the HQ router?
    Also the l2tun and mpls all show up see below
    BRANCH2#show l2tun
    L2TP Tunnel and Session Information Total tunnels 1 sessions 1
    LocTunID   RemTunID   Remote Name   State  Remote Address  Sessn L2TP Class/
                                                               Count VPDN Group
    1543017164 4034467245 HQ_RTR        est    10.0.0.1        1     l2tp_default_cl
    LocID      RemID      TunID      Username, Intf/      State  Last Chg Uniq ID  
                                     Vcid, Circuit                                 
    908667366  3759587721 1543017164 104, Fa0/1           est    00:58:18 4  

    I am positive the ipsec tunnel is good to go as I have set them up before tons of times, same with the GRE. Here is the requested information however.
    HQ_RTR#show crypto ipsec sa peer 192.168.2.2. The reason you will see two is because of the ACLs i have
    Extended IP access list 102
        10 permit ip host 10.0.0.1 host 10.0.0.2 (19462 matches)
        20 permit ip host 10.0.0.2 host 10.0.0.1
    Extended IP access list 103
        10 permit ip host 10.0.0.1 host 10.0.0.3 (17404 matches)
        20 permit ip host 10.0.0.3 host 10.0.0.1
    HQ_RTR#
    You should look at only the ACLs with the matches, so not the first SA but the second for the same peer, see below
    interface: FastEthernet0/0
        Crypto map tag: VPN, local addr 192.168.1.2
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (10.0.0.2/255.255.255.255/0/0)
       remote ident (addr/mask/prot/port): (10.0.0.1/255.255.255.255/0/0)
       current_peer 192.168.2.2 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0
         local crypto endpt.: 192.168.1.2, remote crypto endpt.: 192.168.2.2
         path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
         current outbound spi: 0x0(0)
         PFS (Y/N): N, DH group: none
         inbound esp sas:
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
         outbound ah sas:
         outbound pcp sas:
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (10.0.0.1/255.255.255.255/0/0)
       remote ident (addr/mask/prot/port): (10.0.0.2/255.255.255.255/0/0)
       current_peer 192.168.2.2 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 4548, #pkts encrypt: 4548, #pkts digest: 4548
        #pkts decaps: 5004, #pkts decrypt: 5004, #pkts verify: 5004
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 2, #recv errors 0
         local crypto endpt.: 192.168.1.2, remote crypto endpt.: 192.168.2.2
         path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
         current outbound spi: 0xD5EFC998(3589261720)
         PFS (Y/N): Y, DH group: group2
         inbound esp sas:
          spi: 0x692F80B1(1764720817)
            transform: esp-aes esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 2003, flow_id: NETGX:3, sibling_flags 80000046, crypto map: VPN
            sa timing: remaining key lifetime (k/sec): (4390208/1595)
            IV size: 16 bytes
            replay detection support: Y
            Status: ACTIVE
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
          spi: 0xD5EFC998(3589261720)
            transform: esp-aes esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 2004, flow_id: NETGX:4, sibling_flags 80000046, crypto map: VPN
            sa timing: remaining key lifetime (k/sec): (4390276/1595)
            IV size: 16 bytes
            replay detection support: Y
            Status: ACTIVE
         outbound ah sas:
         outbound pcp sas:
    HQ_RTR#ping 10.0.0.2 source lo0
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
    Packet sent with a source address of 10.0.0.1
    Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
    HQ_RTR#show crypto ipsec sa peer 192.168.2.2
    interface: FastEthernet0/0
        Crypto map tag: VPN, local addr 192.168.1.2
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (10.0.0.2/255.255.255.255/0/0)
       remote ident (addr/mask/prot/port): (10.0.0.1/255.255.255.255/0/0)
       current_peer 192.168.2.2 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0
         local crypto endpt.: 192.168.1.2, remote crypto endpt.: 192.168.2.2
         path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
         current outbound spi: 0x0(0)
         PFS (Y/N): N, DH group: none
         inbound esp sas:
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
         outbound ah sas:
         outbound pcp sas:
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (10.0.0.1/255.255.255.255/0/0)
       remote ident (addr/mask/prot/port): (10.0.0.2/255.255.255.255/0/0)
       current_peer 192.168.2.2 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 4583, #pkts encrypt: 4583, #pkts digest: 4583
        #pkts decaps: 5042, #pkts decrypt: 5042, #pkts verify: 5042
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 2, #recv errors 0
         local crypto endpt.: 192.168.1.2, remote crypto endpt.: 192.168.2.2
         path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
         current outbound spi: 0xD5EFC998(3589261720)
         PFS (Y/N): Y, DH group: group2
         inbound esp sas:
          spi: 0x692F80B1(1764720817)
            transform: esp-aes esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 2003, flow_id: NETGX:3, sibling_flags 80000046, crypto map: VPN
            sa timing: remaining key lifetime (k/sec): (4390204/1582)
            IV size: 16 bytes
            replay detection support: Y
            Status: ACTIVE
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
          spi: 0xD5EFC998(3589261720)
            transform: esp-aes esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 2004, flow_id: NETGX:4, sibling_flags 80000046, crypto map: VPN
            sa timing: remaining key lifetime (k/sec): (4390272/1582)
            IV size: 16 bytes
            replay detection support: Y
            Status: ACTIVE
         outbound ah sas:
         outbound pcp sas:
    HQ_RTR#
    HQ_RTR#
    Also right now with the L2TPv3 setup I am not using the GRE I had it setup for when I was using EoMPLS. I know the two work as I can see the multicast of the cdp but nothing beyond that..
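
A long `show crypto ipsec sa` paste like the one above is easier to review once reduced to one row per proxy-identity pair. The following is an added example, not the poster's code: the sample is constructed by trimming the output in the post, and treating DH groups 1, 2 and 5 as weak is this example's policy choice.

```python
import re

# Constructed sample: the two entries from the post, trimmed to the fields used.
SAMPLE = """\
interface: FastEthernet0/0
    Crypto map tag: VPN, local addr 192.168.1.2
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.0.0.2/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.1/255.255.255.255/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.0.0.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.2/255.255.255.255/0/0)
    #pkts encaps: 4548, #pkts encrypt: 4548, #pkts digest: 4548
    #pkts decaps: 5004, #pkts decrypt: 5004, #pkts verify: 5004
    #send errors 2, #recv errors 0
     current outbound spi: 0xD5EFC998(3589261720)
     PFS (Y/N): Y, DH group: group2
"""

# Assumption of this example: these PFS groups are reported as weak.
WEAK_DH = {"group1", "group2", "group5"}


def parse_sas(text: str) -> list:
    """Split the output on 'protected vrf:' and pull out the audited fields."""
    entries = []
    for block in re.split(r"(?m)^\s*protected vrf:.*$", text)[1:]:
        def grab(pattern, cast=str):
            m = re.search(pattern, block)
            return cast(m.group(1)) if m else None
        entries.append({
            "local": grab(r"local\s+ident [^:]*: \(([\d.]+)/"),
            "remote": grab(r"remote\s+ident [^:]*: \(([\d.]+)/"),
            "encaps": grab(r"#pkts encaps: (\d+)", int),
            "decaps": grab(r"#pkts decaps: (\d+)", int),
            "send_errors": grab(r"#send errors (\d+)", int),
            "spi": grab(r"current outbound spi: (0x[0-9A-Fa-f]+)"),
            "pfs": grab(r"PFS \(Y/N\): ([YN])"),
            "dh": grab(r"DH group: (\S+)"),
        })
    return entries


def audit(entries: list) -> list:
    """Return (identity pair, finding) tuples in output order."""
    findings = []
    for e in entries:
        pair = f"{e['local']} -> {e['remote']}"
        if e["spi"] is None or int(e["spi"], 16) == 0:
            # No SA exists, so the PFS/DH line is a placeholder, not a setting.
            findings.append((pair, "no SA negotiated"))
            continue
        if e["pfs"] != "Y":
            findings.append((pair, "PFS disabled"))
        elif e["dh"] in WEAK_DH:
            findings.append((pair, f"weak PFS group {e['dh']}"))
        if e["send_errors"]:
            findings.append((pair, f"{e['send_errors']} send errors"))
    return findings


if __name__ == "__main__":
    for pair, finding in audit(parse_sas(SAMPLE)):
        print(f"{pair:24} {finding}")
```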

  • L2TPv3 vs MPLS in the CORE....

    Hi:
    Are there any real pros or cons with using L2TPv3 in the Core vs using MPLS?
    Why would one utilize L2TPv3 over MPLS in the core?
    Both work but what would be the deciding factors for an engineer to deploy one over the other.
    Thanks !!

    Utilize L2TPv3 in the Core? Can you please elaborate a little on the query?
    On an overview note:
    1) L2TPv3 is a different technology which caters more for L2 forwarding between edges,
    whereas MPLS is more of a Core technology,
    having many service features under it like L3VPN, L2VPN, MVPN, TE etc. So they cannot be compared, or the other way round, it's comparing apples to oranges.
    Lines can be drawn only between L2VPN and L2TPv3 for comparison.
    L2VPN has to be provided to the end user by a service provider (the end user can also do it, if he can lay an MPLS core between his end sites), whereas L2TPv3 can be implemented on your own with plain IP reachability between the end points.
    HTH-Cheers,
    Swaroop

  • IOS-XE ISR 4K L2TPv3 and SM-X

    I can't get L2TPv3 to work from the SM-X backplane interface on an ISR 4K (4331/4451).
    The tunnel/session both show established, but no egress packets are being sent.
    The same configuration works fine if I move the xconnect to a dot1q subinterface on one of the ISR 4K physical interfaces (i.e. gi0/0/1.199), but I'd rather not have to use a physical cable going from one of the router's interfaces to the SM-X interfaces...
    Anyone know if this is the correct method for configuring L2TPv3 on the SM-X backplane interface?
    Thanks!
    l2tp-class L2-VLAN199-CLASS
     authentication
     password asdfasdf
    pseudowire-class L2-VLAN199-PW
     encapsulation l2tpv3
     protocol l2tpv3 L2-VLAN199-CLASS
     ip local interface Loopback199
     ip pmtu
    interface Ethernet-Internal1/0/0
     service instance 199 ethernet
      encapsulation dot1q 199
      rewrite ingress tag pop 1 symmetric
      xconnect 172.16.199.1 199 encapsulation l2tpv3 pw-class L2-VLAN199-PW
    interface Loopback199
     ip address 172.17.199.1 255.255.255.255

    I opened a TAC case and it turns out this is not yet supported.  Still waiting on an ETA for a feature update.  In the meantime, a workaround will have to be physically cabling one of the ISR 4K ports to the SM-X to use as a trunk rather than the backplane interface.  Boo!

  • L2TPv3 on Cisco 881

    Hi,
    I am configuring static L2TPv3 on Cisco 881. According to the feature navigator it is supported and I can configure without any problem. The L2TPv3 session seems to be UP but apparently there is no data I can send across this L2TPv3 tunnel.
    Can anyone give a suggestion?
    thanks in advance.

    Please post on WAN, Routing and Switching community.
    Shelley.

  • Multipoint L2TPv3 (LAN-to-LAN extension)

    Scenario:  extend multiple layer 2 vlans to multiple locations (at least 3) over IPSEC.
    I used L2TPv3 to accomplish this goal for a single vlan.  The solution works great, but I’ve been given a new requirement to extend multiple vlans over the same physical links (point-to-point fiber).
    Question:  Is it possible to trunk vlans over L2TPv3?  If so, is it possible to do so with sub interfaces (on the LAN side of the router), or will I need physical ports for the pseudowires/xconnects?  If I can’t trunk the vlans or use sub interfaces, then I’ll end up having to use physical ports to create the pseudowire mesh (which is how I originally implemented this scenario for the single vlan).  That brings me to my next, and probably most important, question:
    Question: Is there a better way to approach this scenario?
    Thanks for any help you can offer.
    Jason

    You can replicate 802.1q tagged frames from one physical interface to another site or choose to use xconnect on a subinterface. It's up to you, both works.

  • Dot1 tunnelled VLAN via L2TPv3 IP routed environment problem

    I have an objective to transparently interconnect two Cat 6506 switches using dot1q trunk via ethernet switched and IP routed environment.
    6506 trunk - 3560 dot1q tunnel via vlan 2 - 7206 terminating vlan 2 and xconnect to neighbor 7206 - 3560 with vlan 2/dot1q tunnel - 6506 trunk.
    I've divided problem to 2 possible stages - QinQ and L2TPv3.
    Realized QinQ works well by assigning/pinging first 7206 IP terminating dot1q tunnel.
    Now I have tunnel up, dynamically negotiated with ip mtu, ip sequencing both etc, all default, but I only see sent bytes at first 7206 and no received and received/no sent bytes at the second 7206.
    So it actually looks like bytes go just via one direction, from 1 7206 to 2 7206 and not the opposite direction.
    What are these counters for? Only for tunneled VLAN or whole L2TPv3 tunnel? Cos hellos should create both traffic sent and received on both 72xx's.
    I am confused and can't ping/trunk from the remote 3560. It's under ISP responsibility. I also can't SPAN/VSPAN for some reason to ethereal/analyze it.
    Any gurus?

    Counters indicate total packets sent and received for the current session. Sometimes MTU sizes could be a reason for the tunnel not working. Refer to the URL for configuring MTU: http://www.cisco.com/en/US/customer/tech/tk801/tk703/technologies_tech_note09186a0080094c4f.shtml#frag_example

  • Dot1 q tunnel via L2TPv3 problem

    I have an objective to transparently interconnect two Cat 6506 switches using dot1q trunk via ethernet switched and IP routed environment.
    6506 trunk - 3560 dot1q tunnel via vlan 2 - 7206 terminating vlan 2 and xconnect to neighbor 7206 - 3560 with vlan 2/dot1q tunnel - 6506 trunk.
    I've divided problem to 2 possible stages - QinQ and L2TPv3.
    Realized QinQ works well by assigning/pinging first 7206 IP terminating dot1q tunnel.
    Now I have tunnel up, dynamically negotiated with ip mtu, ip sequencing both etc, all default, but I only see sent bytes at first 7206 and no received and received/no sent bytes at the second 7206.
    So it actually looks like bytes go just via one direction, from 1 7206 to 2 7206 and not the opposite direction.
    What are these counters for? Only for tunneled VLAN or whole L2TPv3 tunnel? Cos hellos should create both traffic sent and received on both 72xx's.
    I am confused and can't ping/trunk from the remote 3560. It's under ISP responsibility. I also can't SPAN/VSPAN for some reason to ethereal/analyze it.
    Any gurus?

    Packet counters show the number of packets sent and received from the remote end. Look for the configuration on the other end of the router. Refer to the URL http://www.cisco.com/en/US/products/sw/netmgtsw/ps4748/products_user_guide_book09186a008035322e.html for more information.

  • L2TPv3 pseudowire + BVI

    Hello,
      Is there a way or simple solution to terminate a bunch of "plain" L2TPv3 pseudowires to a BVI, to have a sort of VPLS? (VPLS/MPLS is not an option in my setup).
    My deal is to have a distributed L2 architecture (I have a protocol that works only on L2), and it must traverse a non-ethernet IP based network. (traffic is quite low - max 1 mbps)
    It can easily done with a simple linux box, terminating l2tpv3 tunnels to a bridge interface, but I would like to do that on a cisco device.
    A very dirty solution can be to have a set of sub-interfaces (with xconnect) and a cable to another interface on the same router, having sub-interfaces terminated on a BVI.
    Something like that:
    GigaEthernet 0/0 is cabled to GigaEthernet 0/1
    interface Giga 0/0.1301
      encap dot1q 1301
      xconnect 10.10.13.1 1301 pw-class pw1301
    interface gig 0/0.1302
      encap dot1q 1302
      xconnect 10.10.13.2 1302 pw-class pw1302
    interface gig 0/1.1301
      encap dot1q 1301
      bridge-group 1
    interface gig 0/1.1302
      encap dot1q 1302
      bridge-group 1
    bridge 1 protocol ieee
    bridge 1 route ip
    interface BVI 1
      ip address 192.168.1.254 255.255.255.0
    Is there a simple way to accomplish that?
    thanks in advance,
    stefano

    I cannot implement this type of configuration with a 3945 router...it's a shame...I really need this config for a site.
